An Engineering Perspective on Model-Based Design of Supervisors

14th IFAC Workshop on Discrete Event Systems (WODES 2018), May 30 - June 1, 2018, Sorrento Coast, Italy

IFAC PapersOnLine 51-7 (2018) 257–264

M.A. Reniers and J.M. van de Mortel-Fronczak

Department of Mechanical Engineering, Eindhoven University of Technology, 5612 AZ Eindhoven, The Netherlands (e-mail: {m.a.reniers, j.m.v.d.mortel}@tue.nl)

Abstract: Several tools exist providing support for model-based design of supervisors in high-tech and cyber-physical systems. On the one hand, tools based on finite automata are of specific interest as they allow correct supervisors to be synthesized, from which implementations can be generated. To cope with synthesis complexity, various decentralized synthesis techniques have been proposed. In recent years, extensions were defined to deal with automata and requirements in which variables may be used. On the other hand, as the synthesis result depends on the validity of the models used as its input, other model-based techniques such as simulation, testing, and verification provide complementary support in the design process. This is especially meaningful when dealing with synthesis of supervisors for large systems. In this paper, the design process is discussed with a focus on modeling, simulation, and synthesis. Additionally, the functionalities of the available synthesis tools are presented in relation to this process. To explain the models relevant in this context, a container terminal scale system is used as a case study. This system consists of 35 components (mostly sensors and actuators) and 35 requirements. The design process is evaluated and missing functionality is identified.

Keywords: Model-based systems engineering, discrete-event and continuous-time systems, supervisory control, formal methods.

2405-8963 © 2018, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved. Peer review under responsibility of International Federation of Automatic Control. 10.1016/j.ifacol.2018.06.310

1. INTRODUCTION

The task of supervisory control in high-tech and cyber-physical systems consisting of large numbers of components is to provide specified system functionality in a safe way by suitable coordination. Based on the Supervisory Control Theory of Ramadge and Wonham (1987), a model for the supervisor can be synthesized from models of the uncontrolled system (called the plant) and models of the requirements the controlled system should satisfy. Following Cassandras and Lafortune (2007), the synthesized supervisor is called safe (undesired plant states are not reachable), nonblocking (marked plant states remain reachable), controllable (undesired plant behavior is prevented by disabling controllable events only), and minimally restrictive (only undesired plant behaviors are excluded).

Industrial applications of supervisory control synthesis call for advanced techniques to overcome the state-explosion problem. Several of them have been introduced recently. In Ma and Wonham (2006), a synthesis approach is proposed based on state-tree structures and binary decision diagrams encoding states for efficient performance. In Leduc et al. (2005), an interface-based hierarchical approach is provided allowing for system decoupling and moving the synthesis to decoupled components, under interface invariance. Distributed synthesis approaches based on model abstraction techniques are presented in e.g. Su and Thistle (2006); Feng and Wonham (2006a); Hill et al. (2008); Su et al. (2010). In Mohajerani et al. (2013), compositional synthesis approaches are introduced.

At the same time, the Extended Finite Automata (EFA) modeling formalism is introduced in Skoldstam et al. (2007), allowing for compact representation of large models and giving rise to EFA-based synthesis approaches utilizing abstractions, discussed in Miremadi et al. (2012); Ouedraogo et al. (2011); Shoaei et al. (2012), and to an efficient BDD-based implementation (Åkesson et al., 2006). Additionally, to align with the way in which safety specifications are drawn up for systems with supervisory control, and inspired by Malik and Flordal (2008), state-based expressions have been proposed in Markovski et al. (2010) as an intuitive format for requirement definition. This format is illustrated in Reijnen et al. (2017).

In cyber-physical systems, the interaction of dynamic component behavior (including resource controllers) with supervisory control plays an important role. Therefore, it is beneficial to incorporate hybrid model simulation in the supervisory control design process as a validation step.

The objective of this paper is to investigate and summarize the available tool support for a model-based design of supervisory control. The paper illustrates the involved process steps on a realistic case study. The case study is a LEGO® scale model of a container terminal built and regularly used by NSPYRE B.V. (nowadays Altran Nederland, a company providing support for automation of software engineering processes, see altran.com/nl/en/integrated_solution/automated-software-engineering/) for research and demonstration purposes related to model-based engineering techniques. It is a simplified and realistic representation of the real-life behavior in terminals where


containers are loaded and unloaded, used to study the applicability of different modeling approaches and languages, as shown in van der Meer et al. (2014).

2. OVERVIEW MODEL-BASED DESIGN OF SUPERVISORY CONTROL

Several automata-based tools have been developed to provide support for the model-based design of supervisors. Initially, the focus was on modeling, supervisory control synthesis and verification. Several tools supporting various synthesis techniques have been developed in this context, representative examples being: TCT (Feng and Wonham, 2006b), DESTool (Moor et al., 2008), DESUMA (Ricker et al., 2006), Supremica (Malik et al., 2017), and CIF (van Beek et al., 2014). They differ in the way in which the user interface is provided, the types of automata, the representation of the requirements, or additional functionality.

Inspired by van Beek et al. (2014) and Zaytoon and Riera (2017), and by several industrial case studies, e.g. Forschelen et al. (2012) and Theunissen et al. (2014), the types of models relevant for this approach are identified. For an overview of the types of models (dashed boxes) essential for supervisor design, along with the relevant process steps (solid boxes) and their relationships, see Fig. 1.

[Fig. 1. Overview of the model-based design phases. Models (dashed boxes): Requirements, Hybrid plant, DE plant, Supervisor, Image. Process steps (solid boxes): Modeling, Abstraction, Synthesis, Verification, Simulation, Code generation, Test generation.]

This overview can also be interpreted as the following work flow:

(1) To start with, hybrid models containing the discrete-event (DE) and continuous-time (CT) behavior of (physical) system components are developed, called the hybrid plant. These models describe all possible behaviors the components can exhibit, not restricted to a specific system function. Hybrid observers that abstract information from sensors and feedback controllers into events or discrete variables are also included. Simulation and simulation-based visualization (using an image model of the system) can be used to validate these models. Simultaneously, models of the requirements (related to the function the system should fulfil) are defined.
(2) From the hybrid plant, the DE plant is abstracted.
(3) Based on the DE plant and the requirements, the supervisor is synthesized.
(4) If there are desired properties that could not be expressed using automata (other than controllability and nonblocking), the supervisor together with the DE plant, called the controlled system, can be subjected to verification using model checking techniques (Baier and Katoen, 2008).
(5) Again, simulation and simulation-based visualization of the supervisor together with the hybrid plant can be used to validate the DE plant and the requirement models.
(6) Based on the supervisor model, a real-time implementation or test cases can be generated.

Table 1 summarizes the functionality of the tools considered in this section according to the listed aspects. Some additional comments are given next. All the considered tools use finite automata (FA) for modelling plants and requirements. CIF and Supremica additionally allow extended finite automata (EFA). CIF is the only tool in this list that allows the modeling of CT aspects by means of hybrid automata. Both Supremica and CIF support definition-instantiation mechanisms to ease the modelling of large systems. CIF allows the use of certain types of logical expressions for modelling the requirements, most notably event conditions and invariants. Even though CIF allows hybrid models for simulation, it does not provide any support for abstraction to a DE plant. Of course, all tools mentioned support monolithic synthesis for their types of discrete-event models. The non-monolithic synthesis techniques that are supported are mentioned in the table. All tools offer model abstraction techniques (language or automaton based) needed to achieve decentralized synthesis, but only Supremica does so for EFA. Supremica also offers compositional synthesis (Mohajerani et al., 2014). Supremica and CIF are the only two tools that allow validation using simulation and simulation-based visualization. With CIF, this is also possible for hybrid models.

All tools support verification of properties related to supervisory control, such as controllability and nonblocking. Only in Supremica, these verification procedures are also implemented for EFA. To our knowledge, the considered tools neither allow for tests generation nor directly support verification using model checking. However, CIF allows automatic transformation of a DE model to mCRL2, where verification of behavioral properties specified in the modal µ-calculus can be performed (Cranen et al., 2013). Additionally, DESTool and DESUMA include functionality related to diagnosis of discrete-event systems. More recently, in the previously mentioned industrial case studies, the importance of simulation-based visualization for the purpose of model validation and code generation functionality was also recognized (Forschelen et al., 2012; Theunissen et al., 2014). Among the tools discussed above, Supremica and CIF provide the most complete support for the model-based design process. Therefore, in the remainder of this paper we will focus on the use of these tools in model-based design of a supervisor. In the case study, steps 1-3 and 5 of the method are illustrated. Examples of cases where the implementation step was considered are given in Flordal et al. (2007); Korssen et al. (2018). 3. CASE STUDY: CONTAINER TERMINAL SYSTEM The Container Terminal System (see Fig. 2), CTS in the sequel, consists of a load platform, a truck, three cranes

IFAC WODES 2018 May 30 - June 1, 2018. Sorrento Coast, Italy M.A. Reniers et al. / IFAC PapersOnLine 51-7 (2018) 257–264

259

Table 1. Tool functionality overview.

Tool      | Plant model representation | Parametrization                    | Requirements representation | Supported synthesis techniques             | Graphical simulation | Support for model checking | Code generation
TCT       | FA                         | No                                 | FA                          | decentralized and hierarchical             | No                   | No                         | No
DESTool   | FA                         | No                                 | FA                          | decentralized and multi level              | No                   | No                         | PLC
DESUMA    | FA                         | No                                 | FA                          | decentralized                              | No                   | No                         | No
Supremica | FA/EFA                     | Definition-instantiation mechanism | FA/EFA                      | decentralized and compositional            | DE based             | No                         | PLC, ANSI C and Java bytecode
CIF       | FA/EFA/HA                  | Definition-instantiation mechanism | FA/EFA/Expressions          | decentralized, aggregative and coordinated | DE-CT based          | via translation to mCRL2   | PLC, Java, C99

and three storage positions (dumb, unload 1 and 2), as schematically depicted in Fig. 3. In the dumb storage, containers not intended for transport to an unload storage are collected. The destination of a container is user-defined based on its color. For example, red containers should be transported to unload storage 1, blue containers to unload storage 2 and all other containers to the dumb storage. New containers arrive at the load platform, consisting of two coupled conveyors. When containers reach the end of the second conveyor they have to wait until the load crane picks them up. When a container is intended for one of the unload storages, the load crane loads it on the truck. Otherwise, the load crane transports it to the dumb storage. The load platform represents a vehicle (truck, ship or train) that delivers containers to the terminal. The truck transports the containers. After being loaded with a container, the truck moves to the required destination. It waits until the container is picked up by the unload crane and moves back to the load platform to transport the next container. The unload crane places the container picked up from the truck in the unload storage. The desired system behavior should additionally satisfy the following high-level requirements.

Fig. 2. Container Terminal System.

• The load platform handles the containers one by one so that collisions between them are prevented.
• The three cranes safely pick up and place containers.
• The three cranes only pick up a container if it is possible to release it at another position, so that they do not unnecessarily hold containers.
• The system handles input of containers automatically.

In the CTS, three component types can be used for achieving the defined functionality: motors, color sensors, and switch sensors from the LEGO MINDSTORMS NXT kit (Rinderknecht, 2006). These components are connected to the NXT Brick, a brick-shaped computer, responsible for the communication between them and the control software. To support implementation of model-based controllers, in a previous project a Hardware Abstraction Layer was designed, which provides standard communication interfaces for each CTS component.

At the load platform, two conveyors are used to transport containers, each powered by a conveyor motor. Both conveyors are running when containers arrive. At the beginning of the second conveyor, a color sensor is placed. If a container reaches the position of this sensor, the first conveyor should be stopped to prevent collisions. The second conveyor moves the container to the end of the load platform, where it is signaled by the switch sensor positioned there. Then the conveyor should be stopped and the container can be picked up by the load crane. Both conveyors can be turned on again when the switch sensor is no longer actuated (so the container is removed), and the process is repeated.

The cranes contain three motors and three sensors. Moving the crane between the truck and the unload storage or load platform is done using the track motor. The relevant positions – load, unload 1 and unload 2 – are uniquely marked by a colored LEGO brick. The track color sensor detects the corresponding position. If the crane is at a certain position and needs to pick up or place a container, the gripper motor and the lift motor are used. The gripper is moved up or down using the lift motor, and the gripper motor is used to open or close the gripper. These two operations are monitored using two sensors: the gripper switch sensor and the lift switch sensor. The gripper switch sensor is used to determine the state of the gripper (open/closed) and the lift switch sensor to determine the position of the gripper (up/down).

The truck moves between the three locations and transports containers from the load lane to an unload lane. The truck contains a track motor to move forward or backward and a track color sensor, similar to the one used at a crane, to detect the positions relevant for the truck.

Fig. 3. Schematic representation, top view, of the CTS.


Again, these positions are uniquely marked by a colored LEGO brick. The truck waits for a new container to be placed by the load crane. When a container is placed, it moves to the position corresponding to the container destination, which is based on the color of the container. At the specified unload position, the unload crane picks up the container from the truck and the truck can return to the load position.

4. MODEL-BASED DESIGN OF THE CONTAINER TERMINAL SYSTEM

Given the size of the case study, in terms of the number of (physical) components involved and the number of requirements, it is neither possible nor useful to discuss the complete model in detail. For illustration purposes we only discuss (part of) one of the subsystems identified in Volmer (2015), the load crane picking subsystem or gripper. The gripper is moved up and down using the lift motor, and the gripper motor is used to open and close the gripper. A gripper switch sensor is used to determine the status of the gripper (open/closed), and the lift switch sensor is used to determine the vertical position of the gripper (up/down). The discussion of the case study is restricted to the modelling, abstraction, synthesis and simulation steps mentioned in Section 2.

4.1 Modelling hybrid plant and requirements

As mentioned in Section 2, hybrid models of the physical system components are developed. The main purpose of this model is to create a (to some extent) realistic context in which a supervisory controller may be validated after it has been obtained. Of the tools considered in this paper, only CIF allows explicit modeling of continuous-time concepts. In order to pick or place a container, the lift motor and gripper motor are needed. The behavior of these two actuators is similar and therefore only the hybrid plant of the lift motor, see Fig. 4, is discussed.

Fig. 4. Hybrid plant Crane Lift Motor (alg real init_pos_gripper, lift_speed; alg int degrees). The declarations of the variables and the specification of their initial values are omitted from the graphical representation. [Figure: locations Idle, Lifting, Stop and Lowering; edges labelled c_move_backward (v := -lift_speed), c_stop, u_stopped (v := 0.0, situation := UP), c_rotateAbsoluteDegrees (v := lift_speed, abs_degrees := 0.0) and u_at_position with guard abs_degrees ≥ degrees (v := 0.0, situation := DOWN); in location Lowering the derivatives of y and abs_degrees both equal v.]

Lifting the gripper is achieved by rotating the lift motor backwards, resulting in an upward movement of the gripper. The action starts with the event c_move_backward, followed by a c_stop event to stop lifting the gripper. The lift motor responds with the event u_stopped when it has actually stopped. The input parameters of the lift motor make it possible to change the initial position of the gripper, the lifting speed and the number of degrees to rotate when moving down.

For moving the gripper down, no sensor is available to detect whether it has reached its position. Therefore, the lift motor is activated to rotate a pre-defined number of degrees, defined by the input parameter degrees. The event c_rotateAbsoluteDegrees is used for this, which changes the vertical velocity of the gripper. The continuous variable abs_degrees is included to keep track of the rotated degrees. This variable is set to zero when the lift motor starts to lower the gripper. As a result, the motor should send the u_at_position event when it has rotated the pre-defined number of degrees. This is modeled using a guard that compares the continuous variable abs_degrees with the input parameter degrees. The values of the variables v and situation are changed by certain events to keep track of the velocity and the current state of the lift motor. The variable v is used to connect the visualization to the model and the variable situation to define (state-based) requirements.

Next, the hybrid model of a switch sensor is discussed. It can be instantiated to play the role of both switch sensors that are present in the gripper subsystem. The model is given in Fig. 5. After the sensor receives a request for a notification (c_notifyWhenClosed), the sensor reacts with a notification when the Boolean variable Close is true. The variable Close is an input parameter that is defined in another part of the CIF model to have the value true when the container is at the conveyor end position.

Fig. 5. Hybrid plant Switch Sensor (alg bool Close). [Figure: locations Idle and Reply; edge c_notifyWhenClosed from Idle to Reply, and edge u_closed, guarded by Close, back to Idle.]

Many components are modeled in CIF as plant definitions. Instantiations can be created from these definitions. For example, the motors that control the movement of the truck, the load crane, unload crane 1 and unload crane 2 are all instances of the same plant definition. This type of reuse is beneficial in managing the complexity of the model.

Many requirements come in the form of event conditions, where the occurrence of an event is only allowed under specific conditions. For the subsystem discussed here, examples are that the events c_notifyWhenClosed of the switch sensors of the lift and the gripper may only occur if the loadcrane lift motor is lifting and the gripper motor is opening, respectively. CIF allows specification of these by means of the following expressions:

  { lift_switch_sensor.c_notifyWhenClosed } ⇒ lift_Motor.Lifting
  { gripper_switch_sensor.c_notifyWhenClosed } ⇒ gripper_Motor.Opening

Such requirement specifications can easily be captured by using automata as well, but at the expense of notational overhead (initial state, marked state).

Another type of requirement is one that expresses that certain events may only occur in specific orders. For specifying such requirements, traditionally automata are used. The lift and gripper motor should only be able to stop (event u_stopped) when the corresponding switch sensor sends a notification (event u_closed). The corresponding automaton for the gripper is provided in Fig. 6.

Fig. 6. Requirement automaton for the gripper. [Figure: locations Stop and Move, with edges labelled Loadcrane_gripper_switch_sensor.u_closed and Loadcrane_gripper_Motor.u_stopped.]

A different option to model requirements in CIF are (state) invariants. This type of requirement is used to define state-based expressions that need to hold in every system state. It is not possible to specify such invariants in Supremica directly, though they can always be translated into an automaton that expresses the same requirements. For an invariant that couples state information from many plants, in the worst case this would require an automaton of the size of the synchronous product of the involved plant automata. In this case study, invariants have not been used.

4.2 Abstraction to a DE plant

The model of the DE plant is obtained by removing all continuous-time aspects from the hybrid plant. In the case of the lift motor this is easily achieved by removing the continuous variables y and abs_degrees. Consequently, in order not to remove possibly relevant behavior, the guard abs_degrees ≥ degrees is omitted (replaced by the guard true). As we have no further use for the variable v, it is also omitted. Similarly, a discrete-event model may be obtained for each of the hybrid models. Note that it is necessary to validate the abstraction made in this step by considering the supervisor obtained from the discrete-event models in combination with the hybrid model in a later step. For the complete discrete-event model of the CTS, 35 system components are identified and 35 requirements are derived from the high-level requirements, as shown in more detail in Volmer (2015). Each of the plant models is of low complexity. All but one have 2 or 3 locations. The one exception has 5 locations. The requirements have similar size and many of these only describe conditions on the occurrence of events.

4.3 Synthesis of a supervisor

Monolithic synthesis. An attempt to synthesize a monolithic supervisor using CIF was terminated after 4 days of computing on a laptop with 32 GB allocated to the Eclipse application. It has been reported that the synthesis capabilities of Supremica are better than those of most other tools (Malik et al., 2017). Therefore, we have transformed the CIF model of the plants and requirements to Supremica with a built-in transformation offered by CIF. Monolithic synthesis in Supremica results in a supervisor with 2280 states and 13.404 transitions within 7 minutes. Currently, we cannot transform this supervisor model from Supremica to CIF.

Although monolithic synthesis proved possible (in Supremica), it is well known that scalability issues with supervisory control synthesis mostly result in the impossibility of using monolithic synthesis for larger synthesis problems. Therefore, we felt the need to investigate the possibilities for non-monolithic synthesis techniques.
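As an added example (not code from the paper, from CIF or from Supremica), the following Python script carries out the monolithic synthesis step just described on the DE abstractions of the lift motor (Fig. 4) and the lift switch sensor (Fig. 5), together with the event condition of Section 4.1 and a lift-motor counterpart of the Fig. 6 requirement. The automata, their edge directions, the underscored event names and all function names are assumptions made here, and the fixpoint over the product state space is the textbook controllability/nonblocking iteration rather than CIF's data-based implementation.

```python
def automaton(initial, marked, edges):
    """Finite automaton as a dict; edges map (location, event) -> target."""
    return {"init": initial, "marked": set(marked), "edges": dict(edges),
            "alphabet": {event for (_, event) in edges}}

# DE abstraction of the lift motor (Fig. 4): continuous variables and the
# guard abs_degrees >= degrees removed, as in Section 4.2 (constructed here).
lift_motor = automaton("Idle", {"Idle"}, {
    ("Idle", "c_move_backward"): "Lifting",
    ("Idle", "c_rotateAbsoluteDegrees"): "Lowering",
    ("Lifting", "c_stop"): "Stop",
    ("Stop", "u_stopped"): "Idle",
    ("Lowering", "u_at_position"): "Idle",
})
# DE abstraction of the lift switch sensor (Fig. 5): guard Close dropped.
lift_switch_sensor = automaton("Idle", {"Idle"}, {
    ("Idle", "c_notifyWhenClosed"): "Reply",
    ("Reply", "u_closed"): "Idle",
})
# Requirement automaton (lift counterpart of Fig. 6, constructed here):
# u_stopped may only occur after the sensor has reported u_closed.
stop_after_closed = automaton("Move", {"Move"}, {
    ("Move", "u_closed"): "Stop",
    ("Stop", "u_stopped"): "Move",
})
PLANTS = [lift_motor, lift_switch_sensor]
REQUIREMENTS = [stop_after_closed]

def controllable(event):
    return event.startswith("c_")   # paper's naming: c_ controllable, u_ uncontrollable

def event_condition(event, state):
    """Section 4.1: {lift_switch_sensor.c_notifyWhenClosed} => lift_motor.Lifting.
    state = (lift motor location, sensor location, requirement location)."""
    return event != "c_notifyWhenClosed" or state[0] == "Lifting"

def step(locs, event, comps):
    """Synchronous step; None if a component with the event in its alphabet lacks an edge."""
    nxt = []
    for loc, comp in zip(locs, comps):
        if event in comp["alphabet"]:
            target = comp["edges"].get((loc, event))
            if target is None:
                return None
            nxt.append(target)
        else:
            nxt.append(loc)
    return tuple(nxt)

def synthesize(plants, requirements, condition):
    """Monolithic synthesis: explore the plant x requirement product, then drop
    blocking states and states an uncontrollable event can leave.
    Returns (good states, map state -> enabled controllable events)."""
    comps = plants + requirements
    n = len(plants)
    events = set().union(*(p["alphabet"] for p in plants))
    init = tuple(c["init"] for c in comps)
    states, trans, stack = {init}, {}, [init]
    while stack:
        s = stack.pop()
        for e in events:
            if step(s[:n], e, plants) is None:
                continue                      # the plant does not enable e here
            t = step(s, e, comps)
            if t is None or not condition(e, s):
                if not controllable(e):       # a requirement blocks an uncontrollable
                    trans[(s, e)] = None      # event the plant enables: s is unsafe
                continue
            trans[(s, e)] = t
            if t not in states:
                states.add(t)
                stack.append(t)
    marked = {s for s in states
              if all(loc in c["marked"] for loc, c in zip(s, comps))}
    good = set(states)
    while True:
        coreach = marked & good               # nonblocking: can reach a marked state
        changed = True
        while changed:
            changed = False
            for (s, e), t in trans.items():
                if s in good and s not in coreach and t in coreach:
                    coreach.add(s)
                    changed = True
        keep = {s for s in coreach            # controllability: no uncontrollable
                if all(t in coreach for (x, e), t in trans.items()   # edge leaves
                       if x == s and not controllable(e))}
        if keep == good:
            break
        good = keep
    policy = {s: sorted(e for (x, e), t in trans.items()
                        if x == s and controllable(e) and t in good)
              for s in good}
    return good, policy

def run_case_study():
    """Synthesize the lift subsystem supervisor; returns (good states, policy)."""
    return synthesize(PLANTS, REQUIREMENTS, event_condition)
```

Calling run_case_study() keeps 10 of the 14 product states; in (Lifting, Idle, Move) the supervisor enables only c_notifyWhenClosed and withholds c_stop until the sensor has reported u_closed, which is exactly the ordering the Fig. 6-style requirement asks for.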

Non-monolithic synthesis using CIF. The CIF tool set does not offer tool support for non-monolithic synthesis techniques for extended finite automata. Nevertheless, in Volmer (2015) it has been shown that, using the possibilities offered by CIF for finite automata, a set of local supervisors and coordinators can be obtained that together achieve the control purpose. An overview of this approach is given in Fig. 7. In this approach the system is decomposed into a number of modules according to its physical structure. For each module, a local supervisor is obtained using monolithic synthesis. The details of this figure are discussed below.

As a first step, eight subsystems have been created, mostly inspired by the geographical distribution of the system. These subsystems are shown at the lowest level in Fig. 7. Note that, in order to apply monolithic supervisory control synthesis to such a subsystem, it may not refer to any variable or location that is defined in another subsystem. In the plants used in this case study, all events are declared locally in a plant. Therefore, the subsystems are also not allowed to share any events. Any requirements that involve concepts from different subsystems are included as global requirements for consideration in the top-level synthesis step. We have used the possibilities offered by CIF for reuse in the form of instantiating parameterised automata definitions. The plant definitions and plant instances that are included in these subsystems are indicated in Fig. 7. For each subsystem, only those requirements were considered for the synthesis of a local supervisor that restrict the plant models of that subsystem. The nature of the exact requirements is not visible in Fig. 7, but the number of included requirements is faithfully represented by the number of small red circles.

For each subsystem with associated requirements, using the monolithic data-based synthesis option provided by CIF, a supervisor is created that is both proper and minimally restrictive. The time it takes CIF to synthesize each of these local supervisors is less than a second. Each of the resulting local supervisors is represented by a network consisting of the plant automata, the requirement automata, and an additional automaton defining restrictions that need to be enforced on the controllable events to induce a controllable and nonblocking supervision. Since each of the local supervisors is proper and minimally restrictive, and the local supervisors do not share events and variables, the composition of these local supervisors is also proper and minimally restrictive. In further steps these local supervisors, together with some more global plants and requirements, are used as input for another monolithic synthesis step.

Fig. 7. Structure of the synthesis process as applied to the CTS.

The complexity of this synthesis step depends on the size of these local supervisors. The state space of these local supervisors consists of approximately 8.6 · 10^13 states. The next two steps are concerned with reducing the state spaces of these local supervisors. CIF offers some automaton-size reducing transformations, such as projection (for creating natural observers) and DFA minimization, in order to reduce the computational burden of synthesizing a supervisor for a very large plant and in order to obtain a supervisor of smaller size. Therefore, first we needed to remove the variables from the local supervisors: the CIF tools that reduce the state spaces of the local supervisors require that all variables are removed from them first, which in CIF currently can only be achieved by computing the state space of each local supervisor. The size of the resulting representations of the local supervisors, in terms of the number of locations and transitions, is given in Fig. 7 next to the symbols representing the variable-free supervisors. In the next step, we create a much smaller state space before applying the global supervisor synthesis step. The well-known technique of natural observers (Lin and Wonham, 1988) is used to obtain smaller local supervisors. All local supervisors are projected to a subset of the events such that the observability property is satisfied. The appropriate set of projected events is determined experimentally.

The CIF tool set allows verifying the observability property on the result of a projection. After application of projection, the state space of five out of the eight supervisors is reduced drastically. The local supervisors that result from computing these natural observers are provided in Fig. 7. For the other three local supervisors there was no projected version with a smaller state space. The overall state space is reduced to 2.7 · 10^11 states. A second size reduction is obtained by applying DFA minimization functionality. For a given deterministic finite automaton, DFA minimization provides a deterministic finite automaton with a minimal number of states that has the same behavior as the input automaton. After application of minimization the state space of the 8 supervisors is reduced. Again the size reductions can be seen in Fig. 7. The overall state space is then reduced to 3.4 · 10^8 states. Based on Feng and Wonham (2008), the obtained collection of minimized local supervisors is used to synthesize the coordinator on the top level. In the top-level synthesis, the size-reduced local supervisors, two additional global plants, and nine global requirements are synthesized into a global supervisor. It should be noted that these global requirements are stated in terms of locations and variables from the low-level plants. The computation of the state spaces of the local supervisors resulted in automata in which the location names from the plants are no longer available and in which the variables are absent. Therefore, in the top-level synthesis, all low-level plants that are referenced in the global requirements have to be re-introduced in the synthesis step. The plant models for which this is necessary are mentioned close to the size-reduced local supervisors in Fig. 7. For example, the plant models identified by the blue squares with numbers 2 and 4 of the “Loadplatform” subsystem are needed to properly state some of the global requirements. In an approach in which the elimination of variables would not have been necessary, this could have been avoided, as the relevant plant models would still be present in the local supervisor model.

Compositional synthesis using Supremica. Supremica implements more advanced synthesis techniques such as compositional synthesis (Mohajerani et al., 2014). For this type of synthesis, Supremica delivers a supervisor within a second for the complete container terminal system. The synthesis results in 10 supervisors that vary from 1 to 35 states and from 0 to 175 transitions. Currently, we are not able to export the Supremica supervisor to CIF, which makes it hard to perform the validation of this supervisor with respect to the hybrid model of the uncontrolled plant.

4.4 Simulation

As a result of the non-monolithic synthesis in CIF, we have obtained a collection of supervisors that together control the plant as described by the requirements. At this stage, we apply simulation-based visualization to validate whether the controlled system behaves as expected. If not, then we must look for mistakes in the plants and/or requirements, and reiterate some of the previous steps. This simulation-based visualization is carried out by simulating the model of the controlled system and visualizing the effects of events in an SVG picture of the CTS. For this purpose, the controlled system consists of the hybrid models of the plant and the supervisor models. The graphical representation used for this step is shown in Fig. 8.


Fig. 8. SVG picture of the CTS used for simulation-based visualization.

5. CONCLUDING REMARKS

The systematic approach to model-based design of supervisory control, starting with hybrid models of physical components, is illustrated by a realistic case study. To this end, the CIF tool set has proven to be very useful in crafting the hybrid and discrete-event models for the plant. The possibilities for modeling, simulating and visualizing hybrid automata are useful in validating the plant and requirement models. This is of importance, as having an appropriate model is fundamental to successful application of synthesis. Obtaining the DE plant from the hybrid plant is a tedious, error-prone, time-consuming manual transformation. The applicability of the CIF tool set would be greatly enhanced by the availability of (semi-)automated abstraction functions.

At present, the synthesis capabilities of Supremica are much better than those offered by CIF. A transformation of CIF DE models to Supremica is available, but a transformation back from Supremica to CIF is missing. Although we succeeded in applying monolithic and compositional synthesis using Supremica, it was impossible to validate the resulting supervisor(s) in their hybrid (CIF) context and to use the verification possibilities that are available via CIF (but which are not discussed in this paper).

For the non-monolithic synthesis in CIF, the grouping of components into subsystems is based on the physical structure of the system. The decomposition possibilities are restricted to those in which the subsystems do not refer to each other's variables and locations. Currently, we are investigating automated techniques for clustering components into subsystems based on design structure matrices (Goorden et al., 2017). Future research should indicate whether application of such techniques to the CTS is beneficial for obtaining a smaller supervisor.

We investigated the possibilities offered by automaton-size reducing transformations such as projection (for creating natural observers) and DFA minimization in order to reduce the computational burden of synthesizing a supervisor for a very large plant and in order to obtain a supervisor of smaller size. This paper shows that this was possible, but with some serious drawbacks. Although the CIF tool set has synthesis capabilities for automata with variables, it does not support projection and minimization for such automata. Therefore, we needed to remove the variables from the local supervisors. In the future, we hope to provide implementations of these functions (projection and minimization) that also work for automata with variables. Then, the need for elimination of variables disappears and the re-introduction of low-level plants in the top-level synthesis step is prevented.

ACKNOWLEDGEMENTS

The authors thank Bartjan Volmer, Rachid Kherrazi and Ivan Kurtev for their cooperation in the master project described in Volmer (2015) that contributed to the results presented in this paper.

REFERENCES

Åkesson, K., Fabian, M., Flordal, H., and Malik, R. (2006). Supremica - an integrated environment for verification, synthesis and simulation of discrete event systems. In Proc. of WODES, 384–385.
Baier, C. and Katoen, J. (2008). Principles of model checking. MIT Press.


Cassandras, C. and Lafortune, S. (2007). Introduction to Discrete Event Systems. Springer.
Cranen, S., Groote, J., Keiren, J., Stappers, F., de Vink, E., Wesselink, W., and Willemse, T. (2013). An overview of the mCRL2 toolset and its recent advances. In Proc. of TACAS, 199–213.
Feng, L. and Wonham, W. (2006a). Computationally efficient supervisor design: abstraction and modularity. In Proc. of WODES, 3–8.
Feng, L. and Wonham, W. (2006b). TCT: A computation tool for supervisory control synthesis. In Proc. of WODES, 388–389.
Feng, L. and Wonham, W. (2008). Supervisory control architecture for discrete-event systems. IEEE Trans. on Automatic Control, 53(6), 1449–1461.
Flordal, H., Fabian, M., Åkesson, K., and Spensieri, D. (2007). Automatic model generation and PLC-code implementation for interlocking policies in industrial robot cells. Control Engineering Practice, 15(11), 1416–1426.
Forschelen, S., van de Mortel-Fronczak, J., Su, R., and Rooda, J. (2012). Application of supervisory control theory to theme park vehicles. Discrete Event Dynamic Systems, 22(4), 511–540.
Goorden, M., van de Mortel-Fronczak, J., Reniers, M., and Rooda, J. (2017). Structuring multilevel discrete-event systems with dependency structure matrices. In Proc. of CDC, 558–564.
Hill, R., Tilbury, D., and Lafortune, S. (2008). Modular supervisory control with equivalence-based conflict resolution. In Proc. of ACC, 491–498.
Korssen, T., Dolk, V., van de Mortel-Fronczak, J., Reniers, M., and Heemels, M. (2018). Systematic model-based design and implementation of supervisors for advanced driver assistance systems. IEEE Trans. on Intelligent Transportation Systems, 19(2), 533–544.
Leduc, R., Lawford, M., and Wonham, W. (2005). Hierarchical interface-based supervisory control-part II: parallel case. IEEE Trans. on Automatic Control, 50(9), 1336–1348.
Lin, F. and Wonham, W. (1988). On observability of discrete-event systems. Information Sciences, 44(2), 173–198.
Ma, C. and Wonham, W. (2006). Nonblocking supervisory control of state tree structures. IEEE Trans. on Automatic Control, 51(5), 782–793.
Malik, R., Åkesson, K., Flordal, H., and Fabian, M. (2017). Supremica — an efficient tool for large-scale discrete event systems. In Proc. of IFAC World Congress, 5794–5799.
Malik, R. and Flordal, H. (2008). Yet another approach to compositional synthesis of discrete event systems. In Proc. of WODES, 16–21.
Markovski, J., Jacobs, K., van Beek, D., Somers, L., and Rooda, J. (2010). Coordination of resources using generalized state-based requirements. In Proc. of WODES, 287–292.
Miremadi, S., Lennartson, B., and Åkesson, K. (2012). A BDD-based approach for modeling plant and supervisor by extended finite automata. IEEE Trans. on Control Systems Technology, 20(6), 1421–1435.
Mohajerani, S., Malik, R., and Fabian, M. (2013). Compositional nonblocking verification for extended finite-state automata using partial unfolding. In Proc. of CASE, 930–935.
Mohajerani, S., Malik, R., and Fabian, M. (2014). A framework for compositional synthesis of modular nonblocking supervisors. IEEE Trans. on Automatic Control, 59(1), 150–162.
Moor, T., Schmidt, K., and Perk, S. (2008). libFaudes — an open source C++ library for discrete event systems. In Proc. of WODES, 125–130.
Ouedraogo, L., Kumar, R., Malik, R., and Åkesson, K. (2011). Nonblocking and safe control of discrete-event systems modeled as extended finite automata. IEEE Trans. on Automation Science and Engineering, 8(3), 560–569.
Ramadge, P. and Wonham, W. (1987). Supervisory control of a class of discrete event processes. SIAM Journal on Control and Optimization, 25(1), 206–230.
Reijnen, F., Goorden, M., van de Mortel-Fronczak, J., and Rooda, J. (2017). Supervisory control synthesis for a waterway lock. In Proc. of CCTA, 1562–1568.
Ricker, L., Lafortune, S., and Genc, S. (2006). DESUMA: A tool integrating GIDDES and UMDES. In Proc. of WODES, 392–393.
Rinderknecht, M. (2006). Tutorial for programming the LEGO Mindstorms NXT. URL http://www.legoengineering.com/wp-content/uploads/2013/06/download-tutorial-pdf-2.4MB.pdf.
Shoaei, M.R., Feng, L., and Lennartson, B. (2012). Abstractions for nonblocking supervisory control of extended finite automata. In Proc. of CASE, 364–370.
Skoldstam, M., Åkesson, K., and Fabian, M. (2007). Modeling of discrete event systems using finite automata with variables. In Proc. of CDC, 3387–3392.
Su, R. and Thistle, J. (2006). A distributed supervisor synthesis approach based on weak bisimulation. In Proc. of WODES, 64–69.
Su, R., van Schuppen, J., and Rooda, J. (2010). Aggregative synthesis of distributed supervisors based on automaton abstraction. IEEE Trans. on Automatic Control, 55(7), 1627–1640.
Theunissen, R., Petreczky, M., Schiffelers, R., van Beek, D., and Rooda, J. (2014). Application of supervisory control synthesis to a patient support table of a magnetic resonance imaging scanner. IEEE Trans. on Automation Science and Engineering, 11(1), 20–32.
van Beek, D., Fokkink, W., Hendriks, D., Hofkamp, A., Markovski, J., van de Mortel-Fronczak, J., and Reniers, M. (2014). CIF 3: Model-Based Engineering of Supervisory Controllers. In Proc. of TACAS, 575–580.
van der Meer, A., Kherrazi, R., and Hamilton, M. (2014). Using formal specifications to support model based testing ASDSpec: a tool combining the best of two techniques. In Proc. of MBT, 1–13.
Volmer, B. (2015). Supervisory controller design for a Container Terminal System. Master's thesis, Eindhoven University of Technology. URL https://pure.tue.nl/ws/files/46923418/840339-1.pdf.
Zaytoon, J. and Riera, B. (2017). Synthesis and implementation of logic controllers - a review. Annual Reviews in Control, 43, 152–168.