Author's Accepted Manuscript

Control Design for Nondeterministic Input/ Output Automata Yannick Nke, Jan Lunze

www.elsevier.com/locate/ejcon

PII: S0947-3580(14)00092-2
DOI: http://dx.doi.org/10.1016/j.ejcon.2014.11.001
Reference: EJCON102

To appear in: European Journal of Control

Received date: 19 February 2014
Revised date: 25 November 2014
Accepted date: 25 November 2014

Cite this article as: Yannick Nke, Jan Lunze, Control Design for Nondeterministic Input/Output Automata, European Journal of Control, http://dx.doi.org/10.1016/j.ejcon.2014.11.001

This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting galley proof before it is published in its final citable form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.

Control Design for Nondeterministic Input/Output Automata

Yannick Nke, Jan Lunze (corresponding author)
Ruhr-Universität Bochum, Institute of Automation and Computer Control, Germany

Abstract

This paper presents a new control design approach for discrete-event systems described by Input/Output automata. A formal design method guarantees the fulfillment of the specifications for the closed-loop system, including the system safety. Necessary and sufficient conditions for the well-posedness of the control loop and the controllability of the plant with respect to the specification are proved. The control of a batch process is used to illustrate the results.

Keywords: Discrete-event systems, input/output automata, supervisory control.



A short version of this paper was presented at the 18th IFAC World Congress, 2011 in Milano, Italy. Email addresses: [email protected], [email protected] (Yannick Nke, Jan Lunze). Corresponding author: Jan Lunze.

Preprint submitted to European Journal of Control

December 5, 2014

1. Introduction

1.1. Control aim and literature survey

The aim of this paper is to propose a new control design approach for discrete-event systems modeled by nondeterministic Input/Output (I/O) automata Np (Fig. 1). In this framework, the plant Np is in the state zp and the controller C in the state zc. For a given input vp = wc generated by the controller, the plant reacts with an output wp = vc and a state transition to a new state z'p. For a finite number of steps ke, the specifications S on the safety and on the operating constraints are given in terms of a final state zF = zp(ke), a state sequence Zs = (zp(0), ..., zp(ke)) or an output sequence Ws = (wp(0), ..., wp(ke)). The design aim is to find a controller C such that the control loop depicted in Fig. 1 satisfies the selected specification zF, Zs or Ws, respectively.

Figure 1: Control loop of I/O automata

Several approaches to control design exist in the literature; a comparative overview is given in [32]. All these methods share the goal that the controller is designed so as to avoid dangerous events or to suppress forbidden states in order to satisfy safety requirements. The differences to the approach proposed in this paper lie in how the controller is derived for operating constraints and how the specification S is modeled. A widely used control design approach for standard automata was developed in [33], which is often referred to as RW-Theory (RWT). Instead of standard automata, I/O automata are used in this article because they explicitly describe the action-reaction principle (causality), which is a fundamental property of technological systems. [3, 11, 19, 23, 30] are other examples of references from the discrete-event system literature in which an explicit distinction between inputs and outputs of automata is also made. Some RWT-based approaches for I/O automata were proposed in [4, 30, 31], which show important limitations of the RW-Theory for I/O automata regarding automatic synthesis. Implementation and complexity issues are presented in [9, 12, 36]. The approach proposed in this paper contributes to the automatic controller synthesis for a given specification and provides sufficient information for the implementation of the controller obtained. Even though the computational complexity is not the main concern of this paper, it is addressed in Section 7.

The main difference between the I/O automata handled by RWT-based approaches and those presented here lies in the interpretation of the I/O transitions. References [4, 7, 33] consider an I/O transition as a succession of an input event σi and an output event σo in a sequence of three states, e.g. 1 → 3 → 2 in Fig. 2(a). The I/O automata used in this paper are more compact because only one state transition and two states are taken into account for each I/O transition labeled by v/w (Fig. 2(b)), where v denotes the input symbol and w the output symbol.

Figure 2: Difference between a supervisor and a control law. (a) I/O supervisor; (b) I/O control law.

The I/O control law developed in [30] and [31] is a Moore automaton. In the framework of this paper, it would lead to an open-loop control structure in Fig. 1 at time step k, because the control signal wc(k) would be generated regardless of the current plant output wp(k), depending only on the internal state zc(k) of the controller (Moore property). The approach proposed in this paper handles the plant Np and the controller C as two clearly distinguished entities. Hence, zF is the specified goal state for the plant only, whereas Zs or Ws are state or output sequences which have to be executed or generated by the plant, respectively (Fig. 1). However, two key properties are required for the control loop: determinism and nonblockingness. This comparison of the new method proposed in this article and the RWT-based methods proposed in the literature will be extended in Section 5.5.

The strong model-matching problem for deterministic and completely defined I/O automata is studied in [5]. It consists of finding a controller for a given open-loop system with a desired closed-loop behavior. The controller synthesis proposed here is designed for the closed loop (Fig. 1), even though it can run in an open-loop manner, e.g. if the control law fulfills the Moore property. An I/O controller of sequential machines is proposed in [13] under the assumption of a deterministic control loop, whereas this paper uses the notion of weak well-posedness to capture the nondeterminism of the plant with a deterministic controller. Furthermore, the existence condition of a controller is given in [13] by nonempty entries in a Boolean reachability matrix called the skeleton matrix. In this paper, the presence of a nonempty entry in such a reachability matrix is not sufficient to guarantee the achievement of the specification by the controller because of the nondeterministic behavior of the plant. The notion of safe feasibility will be introduced to solve this issue.

1.2. Problem definition

For a given plant modeled by an I/O automaton Np and a specification S, the problem is to find a controller C with the following requirements:

1. Fulfillment of the specification S by the closed-loop system.
2. Nonblockingness of the control loop. This property will be called weak well-posedness of the control loop in eqn. (19).
3. Determinism of the control output wc at any time step. This property is called W-determinism of the controller in Lemma 1.

A specification S for which such a controller C with the control law Nc exists is called safely feasible. This paper proposes

• a new design method of a discrete-event control law Nc,
• an explicit realization scheme of the feedback controller C,
• a controllability condition for the existence of the controller Nc.

Key issues regarding the feasibility of a specification and the determinism of the control output function were initially addressed in [27]. The feasibility is extended in this paper in the sense that necessary and sufficient conditions are given for each specification type considered. Furthermore, the notion of determinism will be combined with the feasibility property in the controllability analysis.

Section 2 presents basic notions. A batch process introduced in Section 3 is used for illustration. Section 4 presents the specification modeling. The derived specification automaton is used in Section 5 for the control design method. Experimental results illustrate the applicability of the approach in Section 6. An overview of the notation used is given in Appendix A.

2. Preliminaries

2.1. Nondeterministic automata

A nondeterministic autonomous automaton

$$A = (Z, \lambda, z_0) \qquad (1)$$

is defined by the following components:

• Z − set of states
• λ − state transition function
• z0 − initial state.

The dynamics of the automaton is given by the characteristic function λ : Z × Z → {0, 1} with

$$\lambda(z', z) = \begin{cases} 1, & (z', z)! \\ 0, & \text{else,} \end{cases}$$

where (z', z)! means that the system can carry out a state transition from z to z'. A nondeterministic I/O automaton N = (Z, V, W, L, z0) has the following additional elements:

• V − set of control inputs
• W − set of control outputs
• L − characteristic function.

The dynamics of the automaton is given by the function L : Z × W × Z × V → {0, 1},

$$L(z', w, z, v) = \begin{cases} 1, & \text{if } (z', w, z, v)! \\ 0, & \text{else,} \end{cases}$$

where (z', w, z, v)! means that the automaton N can move from state z with the input v to state z' while generating the output w.

Z(0···ke) = (Z(0), Z(1), ..., Z(ke)) represents a state sequence of ke + 1 elements denoted by Z(k) with k = 0···ke. Z(0···Ke) is the set of state sequences Zi(0···kei), where Ke = {ke1, ..., ke|Z(0···Ke)|} is the set of the corresponding time horizons. If Ke is a singleton, i.e. Ke = {ke}, then all corresponding state sequences have the same length ke + 1. An infinite repetition of a state sequence is characterized by the ∗ symbol as Z∗(0···ke). The symbols ∧ and ∨ represent the Boolean AND and OR operations. Since the characteristic functions L and λ can only take the values 1 or 0, they will sometimes be used with both Boolean and arithmetic operators.

Definition 1 (Sub-automata and superautomata). The I/O automaton N2 = (Z2, V2, W2, L2, z02) is a sub-automaton of an I/O automaton N1 = (Z1, V1, W1, L1, z01) if Z2 ⊆ Z1, V2 ⊆ V1, W2 ⊆ W1 hold and if L2 is a restriction of L1 to the set Z2 × W2 × Z2 × V2 in the sense of [14]. The restriction means that the behavior of N2 is included in the behavior of N1, which is symbolized by N2 ⊆ N1. As in [17], N1 is said to be a superautomaton of N2.

Active states, active inputs or active outputs are states, inputs or outputs, respectively, which can be reached, accepted or generated by the considered I/O automaton under specific conditions. The sets


$$\begin{aligned}
V_a(z) &= \{v \in V : \sum_{z' \in Z} \sum_{w \in W} L(z', w, z, v) > 0\} \\
V_a(z', z) &= \{v \in V : \sum_{w \in W} L(z', w, z, v) > 0\} \\
V_a(z, w) &= \{v \in V : \sum_{z' \in Z} L(z', w, z, v) > 0\} \\
W_a(z) &= \{w \in W : \sum_{z' \in Z} \sum_{v \in V} L(z', w, z, v) > 0\} \\
W_a(z', z) &= \{w \in W : \sum_{v \in V} L(z', w, z, v) > 0\} \\
W_a(z, v) &= \{w \in W : \sum_{z' \in Z} L(z', w, z, v) > 0\}
\end{aligned} \qquad (2)$$

$$\begin{aligned}
Z_a(z) &= \{z' \in Z : \sum_{w \in W} \sum_{v \in V} L(z', w, z, v) > 0\} \\
Z_a(z, v) &= \{z' \in Z : \sum_{w \in W} L(z', w, z, v) > 0\}
\end{aligned} \qquad (3)$$

are called the active input set, the active output set or the active next-state set of N for a state z, a state pair (z', z), a state-output pair (z, w) or a state-input pair (z, v), respectively. According to the context, the subscript "x" of Nx will be written as "c" for the control law, "s" for the specification or "p" for the plant. For example, Vac(zp) denotes the active input set for state zp in the automaton Nc.

Output degree and transition degree. The output degree od(z) of the state z is the number of transitions leaving the state z [17]:

$$od(z) = \sum_{z' \in Z} \; \sum_{v_i \in V_a(z', z)} \; \sum_{w_i \in W_a(z', z)} L(z', w_i, z, v_i). \qquad (4)$$

The transition degree td(z', z) from state z to the adjacent state z' is the number of transitions connecting both states:

$$td(z', z) = \bigl|\{(v, w) \in V_a(z', z) \times W_a(z', z) : L(z', w, z, v) = 1\}\bigr| \qquad (5)$$

$$= \sum_{v_i \in V_a(z', z)} \; \sum_{w_i \in W_a(z', z)} L(z', w_i, z, v_i). \qquad (6)$$

Since the powers of adjacency matrices provide information about state sequences in the corresponding graph [1, 17], they are now adapted to the I/O automata used in this paper.

Numerical adjacency matrices. The weighted adjacency matrix A of an automaton N is defined as

$$A = (a_{ij})_{|Z| \times |Z|} \quad \text{with} \quad a_{ij} = td(i, j), \; 1 \le i, j \le |Z|. \qquad (7)$$

Symbolic adjacency matrices. Consider the set 𝒜z of state adjacency matrices, the set 𝒜v of input adjacency matrices and the set 𝒜w of output adjacency matrices. For the rings (𝒜z, ∪, ×), (𝒜v, ∪, ×) and (𝒜w, ∪, ×), the three weighted adjacency matrices Az ∈ 𝒜z, Av ∈ 𝒜v, Aw ∈ 𝒜w of an I/O automaton N are defined as follows:

• Az = (aij) with aij = {j} ∩ Za(i).
• Av = (aij) with aij = Va(j, i).
• Aw = (aij) with aij = Wa(j, i).

Note that the interpretation of the entries of Az, Av and Aw is transposed compared to the numerical adjacency matrix A. This transposition is necessary to obtain correctly ordered sequences of states, inputs and outputs in the matrices Az^k, Av^k and Aw^k with k > 1. The symbol × represents the Cartesian product operator, which is equivalent to a non-commutative concatenation of symbols. That is, for two matrix entries a and b, the following equivalent notations are used: a × b = {a} × {b} = {(a, b)} = ab = a · b. The operator ∪ is the commutative union operator. Since the elements aij of the matrices above are symbols, the following subrings (Z, ∪, ×), (V, ∪, ×) and (W, ∪, ×) of the rings defined above are considered for the matrix multiplication. For two matrix entries a and b, a ∪ b = {a} ∪ {b} = {a, b} holds. Hence, the entries aij of the products Az^k, Av^k and Aw^k consist of sets of state, input or output sequences of length k from state i to state j. The product of matrices is applied according to the following rule:

$$A_1 A_2 = \bigcup_{\nu = 1}^{|Z|} a_{1,\mu\nu} \times a_{2,\nu\lambda} = (a_{3,\mu\lambda}) = A_3 \quad \text{with } \mu, \lambda = 1 \ldots |Z|.$$

This rule is similar to the well-known matrix multiplication, where the Cartesian product × acts as a non-commutative multiplication and the operator ∪ as an addition.

W-determinism. The output generation of an automaton N is said to be deterministic if for all state-input pairs (z, v) the output w is uniquely defined. An I/O automaton N with a deterministic output generation for all state-input pairs is said to be W-deterministic.

Lemma 1. A nondeterministic I/O automaton N is W-deterministic iff

$$\forall (z, v) \in Z \times V : \; Z_a(z, v) \neq \emptyset \;\Rightarrow\; |W_a(z, v)| = 1. \qquad (8)$$
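The active sets (2)-(3), the degrees (4)-(6) and the test (8) of Lemma 1 can be computed directly from the support of L. The following Python is an added example, not code from the paper: it stores an I/O automaton as the set of tuples (z', w, z, v) with L(z', w, z, v) = 1 and runs the definitions above on a constructed tank-like plant (an assumption for this example, not the automaton of Fig. 5) that contains one nondeterministic transition, so that Lemma 1 fails at exactly one state-input pair.

```python
"""Active sets (2)-(3), output and transition degree (4)-(6), and the
W-determinism test of Lemma 1, eq. (8).

An I/O automaton is stored as the support of its characteristic function:
the set of tuples (z_next, w, z, v) for which L(z_next, w, z, v) = 1, in the
argument order used by the paper.
"""
from itertools import product

# Constructed plant (an assumption for this example, not the automaton of
# Fig. 5): tank levels 0..5, v = 0 hold, v = 1 pump P1 raises the level by
# one, v = 2 valve V2 lowers it by one; the output is the level measured
# after the step. At level 3 the pump may also fail to raise the level,
# which is the one nondeterministic transition of the model.
LEVELS = range(6)
TANK = set()
for z in LEVELS:
    TANK.add((z, z, z, 0))                  # hold
    if z < 5:
        TANK.add((z + 1, z + 1, z, 1))      # fill one level
    if z > 0:
        TANK.add((z - 1, z - 1, z, 2))      # drain one level
TANK.add((3, 3, 3, 1))                      # pump on, level stays at 3


def active_inputs(L, z, z_next=None, w=None):
    """Va(z); Va(z', z) when z_next is given; Va(z, w) when w is given."""
    return {v for (zn, ww, zz, v) in L
            if zz == z and (z_next is None or zn == z_next)
            and (w is None or ww == w)}


def active_outputs(L, z, z_next=None, v=None):
    """Wa(z); Wa(z', z) when z_next is given; Wa(z, v) when v is given."""
    return {w for (zn, w, zz, vv) in L
            if zz == z and (z_next is None or zn == z_next)
            and (v is None or vv == v)}


def active_next_states(L, z, v=None):
    """Za(z); Za(z, v) when v is given."""
    return {zn for (zn, w, zz, vv) in L if zz == z and (v is None or vv == v)}


def output_degree(L, z):
    """od(z), eq. (4): number of transitions leaving z."""
    return sum(1 for (zn, w, zz, v) in L if zz == z)


def transition_degree(L, z_next, z):
    """td(z', z), eqs. (5)/(6): number of transitions from z to z'."""
    return sum(1 for (zn, w, zz, v) in L if zz == z and zn == z_next)


def w_determinism_violations(L):
    """State-input pairs (z, v) violating (8): Za(z, v) is non-empty but
    more than one output (or none) can be generated."""
    states = {t[0] for t in L} | {t[2] for t in L}
    inputs = {t[3] for t in L}
    return sorted((z, v) for z, v in product(states, inputs)
                  if active_next_states(L, z, v)
                  and len(active_outputs(L, z, v=v)) != 1)


def is_w_deterministic(L):
    """Lemma 1: N is W-deterministic iff no pair violates (8)."""
    return not w_determinism_violations(L)


if __name__ == "__main__":
    print("Va(3) =", active_inputs(TANK, 3), " Wa(3, v=1) =", active_outputs(TANK, 3, v=1))
    print("od(3) =", output_degree(TANK, 3), " td(3, 3) =", transition_degree(TANK, 3, 3))
    print("violations of (8):", w_determinism_violations(TANK))
```

In the constructed plant the pair (3, 1) is the only violation of (8): from level 3 with the pump on, the plant can emit either 4 or 3. Removing the transition (3, 3, 3, 1) makes the automaton W-deterministic, which is the property required of the control law Nc in the rest of the paper.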

Proof (by contradiction). Assume that the nondeterministic I/O automaton N is W-deterministic and that the negation of (8) holds, thus

$$\begin{aligned}
& \neg\bigl(\forall (z, v) \in Z \times V : Z_a(z, v) \neq \emptyset \Rightarrow |W_a(z, v)| = 1\bigr) \\
\Leftrightarrow\; & \exists (z, v) \in Z \times V : \neg\bigl(Z_a(z, v) \neq \emptyset \Rightarrow |W_a(z, v)| = 1\bigr) \\
\Leftrightarrow\; & \exists (z, v) \in Z \times V : \neg\bigl(\neg(Z_a(z, v) \neq \emptyset) \vee |W_a(z, v)| = 1\bigr) \\
\Leftrightarrow\; & \exists (z, v) \in Z \times V : \neg\bigl(Z_a(z, v) = \emptyset \vee |W_a(z, v)| = 1\bigr) \\
\Leftrightarrow\; & \exists (z, v) \in Z \times V : \neg(Z_a(z, v) = \emptyset) \wedge \neg(|W_a(z, v)| = 1) \\
\Leftrightarrow\; & \exists (z, v) \in Z \times V : Z_a(z, v) \neq \emptyset \wedge |W_a(z, v)| \neq 1 \\
\Leftrightarrow\; & \exists (z, v) \in Z \times V : Z_a(z, v) \neq \emptyset \wedge \bigl(|W_a(z, v)| < 1 \vee |W_a(z, v)| > 1\bigr) \\
\Leftrightarrow\; & \exists (z, v) \in Z \times V : \underbrace{\bigl(Z_a(z, v) \neq \emptyset \wedge |W_a(z, v)| < 1\bigr)}_{\text{(I)}} \vee \underbrace{\bigl(Z_a(z, v) \neq \emptyset \wedge |W_a(z, v)| > 1\bigr)}_{\text{(II)}}.
\end{aligned} \qquad (9)$$

The term (I) of (9) is absurd w.r.t. (2) and (3): a nonempty Za(z, v) implies a nonempty Wa(z, v). The term (II) of (9) contradicts the assumption of W-determinism, which concludes the proof. □

2.2. Model of the control loop

The control loop is modeled by a nondeterministic autonomous automaton Nl = Nc/Np, where Nc/Np is the symbol for the closed-loop system. The construction of Nl is based on the assumption that Nc is W-deterministic. The control loop

$$N_l = (Z_l, W_l, L_l, z_{0l}) \qquad (10)$$

has the components

$$\begin{aligned}
Z_l &= Z_c \times Z_p \\
W_l &= W_p \\
z_{0l} &= (z_{0c}, z_{0p})^T \\
L_l\!\left(\begin{pmatrix} z'_c \\ z'_p \end{pmatrix}, w_p, \begin{pmatrix} z_c \\ z_p \end{pmatrix}\right) &= \sum_{v_p \in V_p} L_c(z'_c, v_p, z_c, w_p) \cdot L_p(z'_p, w_p, z_p, v_p).
\end{aligned}$$

Note that Nl is a generator since it has no input but only state transitions and outputs.

2.3. Control loop analysis

A nondeterministic I/O automaton N is said to block if the characteristic function L vanishes for some state-input combination (z, v). A control loop (Fig. 1) is said to be blocking whenever either the plant Np, the control law Nc or both block. This matter is handled by the following definition.

Definition 2 (Blocking automaton). A nondeterministic I/O automaton N is said to be blocking for an input sequence V(0···ke) = (V(0), V(1), ..., V(ke)) if

$$\prod_{k=0}^{k_e} \; \sum_{z_{k+1} \in Z} \; \sum_{w_k \in W} \; \sum_{z_k \in Z} L(z_{k+1}, w_k, z_k, V(k)) = 0. \qquad (11)$$

If (11) does not hold, N is said to be nonblocking for the input sequence V(0···ke).

Blocking control loop. A control loop blocks in the state (zc, zp)^T if

$$L_l\!\left(\begin{pmatrix} z'_c \\ z'_p \end{pmatrix}, w_p, \begin{pmatrix} z_c \\ z_p \end{pmatrix}\right) = 0 \quad \forall \begin{pmatrix} z'_c \\ z'_p \end{pmatrix} \in Z_c \times Z_p, \; \forall w_p \in W_p.$$

This is the case if the plant Np or the control law Nc blocks at a given step k, in a given state zc(k) or zp(k), for a given input vc(k) or vp(k) according to Definition 2. In other words, there exists a state pair (zc(k), zp(k)) for which any given input combination (vc(k), vp(k)) leads to a blocking plant automaton Np, a blocking control law automaton Nc or both.

Well-posedness of a control loop. The specific case of I/O automata with a deterministic output generation is now considered to explain this concept. In the feedback connection of the plant and the controller, for which

$$w_p = v_c \;\wedge\; w_c = v_p \qquad (12)$$

holds, an "algebraic loop" may emerge as follows. Consider the output function H : Z × V → W of an I/O automaton with a deterministic output generation so that w = H(z, v) holds. In the control loop of Fig. 1, Lp(z'p, wp, zp, vp) = 1 must hold for Np, whereas Lc(z'c, wc, zc, vc) = 1 must hold for Nc. These equations imply that wp = Hp(zp, vp) and wc = Hc(zc, vc) are valid. Based on (12), the relations

$$w_c = H_c(z_c, w_p) = H_c(z_c, H_p(z_p, v_p)) = H_c(z_c, H_p(z_p, w_c)) \qquad (13)$$

show that the output wc depends on itself through Hc and Hp for a given state pair (zc, zp). Similarly, the algebraic loop for wp is given by

$$w_p = H_p(z_p, H_c(z_c, w_p)). \qquad (14)$$

The implication

$$(13) \text{ and } (14) \;\Rightarrow\; \begin{cases} L_p(z'_p, w_p, z_p, w_c) = 1 \\ L_c(z'_c, w_c, z_c, w_p) = 1 \end{cases} \qquad (15)$$

reflects the situation where the plant and the control law should switch from the states zp and zc to the states z'p and z'c, respectively. The tuple (wp, wc) triggering this transition also solves eqn. (15) and is, therefore, a fixed point. The sets Ŵc(zc, zp) and Ŵp(zc, zp) are defined to include all fixed points of the algebraic loops (13) and (14) for a state couple (zc, zp):

$$\hat{W}_c(z_c, z_p) = \bigl\{ w_c \in W_c : w_c = H_c(z_c, H_p(z_p, w_c)) \wedge L_p(z'_p, w_p, z_p, w_c) = L_c(z'_c, w_c, z_c, w_p) = 1,\; (z'_c, z'_p) \in Z_c \times Z_p,\; w_p = H_p(z_p, H_c(z_c, w_p)) \bigr\} \qquad (16)$$

$$\hat{W}_p(z_c, z_p) = \bigl\{ w_p \in W_p : w_p = H_p(z_p, H_c(z_c, w_p)) \wedge L_p(z'_p, w_p, z_p, w_c) = L_c(z'_c, w_c, z_c, w_p) = 1,\; (z'_c, z'_p) \in Z_c \times Z_p,\; w_c = H_c(z_c, H_p(z_p, w_c)) \bigr\}. \qquad (17)$$

A control loop Nl is said to be well-posed if for every state combination zl = (zc, zp)^T there is a unique input combination (vc, vp) = (ŵp, ŵc) resulting from (16) and (17). Reference [29] proposed the concept of weak well-posedness, which is adapted now to the control design discussed here. In the case of weak well-posedness it is sufficient to exclude the trivial solution ∅ from the solutions of (16) and (17). A control loop is said to be ill-posed if the set of fixed points is empty. These concepts are summarized in the following definition.

Definition 3 (Well-posedness). A control loop which consists of a plant Np and a feedback controller with the control law Nc is

• well-posed iff
$$|\hat{W}_c(z_c, z_p)| = |\hat{W}_p(z_c, z_p)| = 1, \qquad (18)$$

• weakly well-posed iff
$$|\hat{W}_c(z_c, z_p)| > 0 \;\wedge\; |\hat{W}_p(z_c, z_p)| > 0, \qquad (19)$$

• and ill-posed iff
$$|\hat{W}_c(z_c, z_p)| = 0 \;\vee\; |\hat{W}_p(z_c, z_p)| = 0, \qquad (20)$$

with Ŵc(zc, zp) and Ŵp(zc, zp) defined in (16) and (17).

Well-posedness and blocking. Now it is possible to make a statement on the blocking property of a control loop. A control loop is nonblocking if it is either well-posed w.r.t. (18) or weakly well-posed w.r.t. (19). A control loop is blocking whenever it is ill-posed w.r.t. (20), i.e. the plant and the control law cannot perform a conjoint state transition from their respective states zc and zp. According to Definition 2 there is no output sequence from the plant Np which can be evaluated by the control law Nc in a way that it responds with an input sequence to the plant so that both components perform state transitions. From their current states zc and zp, the plant Np, the control law Nc or both satisfy (11) for any input sequence Wp(0···ke) ∈ Wp^{ke+1} and Wc(0···ke) ∈ Wc^{ke+1}, respectively. The characteristic function Ll of a nonblocking control loop can never be equal to zero during the considered horizon 0···ke:

$$\sum_{z'_p \in Z_{ap}(z_p)} \; \sum_{w_l \in W_{ap}(z_p)} L_l\bigl((z'_c, z'_p)^T, w_l, (z_c, z_p)^T\bigr) > 0 \qquad (21)$$

$$\sum_{z'_p \in Z_{ap}(z_p)} \; \sum_{w_l \in W_{ap}(z_p)} \; \sum_{v_p \in V_p} L_c(z'_p, v_p, z_p, w_l) \cdot L_p(z'_p, w_l, z_p, v_p) > 0. \qquad (22)$$

Recall that Zc ⊆ Zp. Thus, the states of the control law and those of the plant share the same labels zp and z'p. Otherwise, it would be necessary to add operators for the states of Nc in (22).

Remark. Condition (19) is less conservative than the condition |Ŵc(zc, zp)| = 1 in [28]. Now (19) also includes W-deterministic maximally permissive control laws Nc for which there exists a state zc for which (8) and |Vac(zc)| > 1 hold. Figure 3 shows an example where the control law generates a unique control output sequence (1, 2) despite the different measurements (2, 4) or (3, 5) from the plant to reach state 4.
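Sections 2.2 and 2.3 describe the closed loop Nl = Nc/Np, its fixed points and the three well-posedness classes. The Python below is an added example, not code from the paper: it composes a constructed plant with a constructed W-deterministic control law (both assumptions for this example, not the automata of Figs. 3 and 5), enumerates the fixed points of (15) for every state pair and classifies each pair by (18)-(20). Because the plant is nondeterministic there is no output function Hp, so the fixed-point sets (16) and (17) are evaluated relationally: (wc, wp) is a fixed point in (zc, zp) when the plant can accept wc and emit wp while the controller can accept wp and emit wc. The reachability search at the end shows that an ill-posed pair only matters if the loop can reach it.

```python
"""Closed loop Nl = Nc/Np of Section 2.2 (eq. (10)), the fixed-point sets
(16)-(17) and the well-posedness classes (18)-(20) of Definition 3.

Because the plant is nondeterministic, no output function Hp exists; the
fixed points are therefore taken directly from (15): a pair (wc, wp) is a
fixed point in (zc, zp) if the plant can take wc as input and emit wp while
the controller can take wp as input and emit wc. Automata are sets of tuples
(z_next, w, z, v) with L(z_next, w, z, v) = 1.
"""

# Constructed plant (an assumption, not the automaton of Fig. 5): levels
# 0..5, v = 0 hold, v = 1 fill one level, v = 2 drain one level, output =
# level after the step; at level 3 the pump may fail to raise the level.
TANK = set()
for z in range(6):
    TANK.add((z, z, z, 0))
    if z < 5:
        TANK.add((z + 1, z + 1, z, 1))
    if z > 0:
        TANK.add((z - 1, z - 1, z, 2))
TANK.add((3, 3, 3, 1))


def build_controller():
    """Constructed W-deterministic control law with states F (filling) and
    D (draining). Its input vc is the measured level wp, its output wc is
    the plant command vp; tuples are (zc_next, wc, zc, vc)."""
    Lc = set()
    for w in range(6):
        if w <= 4:   # filling: keep pumping, switch to D once level 4 is measured
            Lc.add(("D" if w == 4 else "F", 1, "F", w))
        else:        # overfilled: drain
            Lc.add(("D", 2, "F", w))
        if w >= 1:   # draining: keep draining, switch to F once level 1 is measured
            Lc.add(("F" if w == 1 else "D", 2, "D", w))
        else:        # empty: fill
            Lc.add(("F", 1, "D", w))
    return Lc


CTRL = build_controller()


def fixed_points(Lp, Lc, zc, zp):
    """All (wc, wp) solving (15) in the state pair (zc, zp)."""
    return {(vp, wp)
            for (zp2, wp, z1, vp) in Lp if z1 == zp
            for (zc2, wc, z2, vc) in Lc if z2 == zc and vc == wp and wc == vp}


def wellposedness(Lp, Lc, zc, zp):
    """Classify (zc, zp) according to (18), (19) and (20)."""
    fp = fixed_points(Lp, Lc, zc, zp)
    Wc_hat = {wc for wc, _ in fp}       # (16)
    Wp_hat = {wp for _, wp in fp}       # (17)
    if len(Wc_hat) == 1 and len(Wp_hat) == 1:
        return "well-posed"
    if Wc_hat and Wp_hat:
        return "weakly well-posed"
    return "ill-posed"


def closed_loop(Lp, Lc):
    """Support of Ll, eq. (10): a loop transition exists for every vp that
    makes Lc and Lp fire together (the sum over vp in (10))."""
    return {((zc2, zp2), wp, (zc, zp))
            for (zp2, wp, zp, vp) in Lp
            for (zc2, wc, zc, vc) in Lc if vc == wp and wc == vp}


def reachable(Ll, z0l):
    """State pairs of Nl reachable from the initial pair z0l."""
    seen, todo = {z0l}, [z0l]
    while todo:
        z = todo.pop()
        for (zn, w, zz) in Ll:
            if zz == z and zn not in seen:
                seen.add(zn)
                todo.append(zn)
    return seen


def loop_is_nonblocking(Lp, Lc, z0l):
    """The loop blocks iff some reachable pair is ill-posed (Section 2.3)."""
    return all(wellposedness(Lp, Lc, zc, zp) != "ill-posed"
               for zc, zp in reachable(closed_loop(Lp, Lc), z0l))


if __name__ == "__main__":
    for zc in ("F", "D"):
        for zp in range(6):
            print((zc, zp), wellposedness(TANK, CTRL, zc, zp))
    print("nonblocking from (F, 0):", loop_is_nonblocking(TANK, CTRL, ("F", 0)))
```

With these automata the pair (F, 3) is only weakly well-posed, since the pump command 1 is consistent with both measurements 3 and 4 (the plant's nondeterminism), while (F, 4) and (D, 1) are ill-posed and therefore blocking. Neither is reachable from (F, 0), so the loop started there is nonblocking and cycles through the levels 1 to 4 as the case study requires.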

Figure 3: A W -deterministic control law with |V ac (1)| > 1

3. Case study

Consider the part of a chemical plant shown in Fig. 4, which should perform a mixture preparation process. The control objective of the process is to fill the tank T1 from level 0 up to level 4, then to empty the tank down to level 1 and to fill it back to level 4 in a cyclic way.

Figure 4: Mixture preparation process

The model of the plant depicted in Fig. 5 is now described. The pump P1 and the valves V2 and V3 are the relevant actuators of the system, controlled by the signal vp. The input vp = 0 represents the command "deactivate all actuators" (close all valves), whereas vp = i is the command "activate actuator i and deactivate the others" (open valve Vi and close all other valves). The states zp of the plant Np model the states of the tank T1, which vary from 0 (empty) up to 5 (full). Five level sensors (LS) permit a discrete measurement, which is the output wp of the level of the tank T1 at each step. Let wp model the result of an inflow or an outflow of the educt, so that wp = zp holds. The I/O automaton labeled with vp/wp is obtained as depicted in Fig. 5.

Figure 5: I/O automaton graph of the tank T1

4. Specification

4.1. Types of specifications considered

A specification S describes how the plant Np should behave under the influence of the controller C. S is represented as follows by means of the "models" symbol |=:

• S |= Zs: The plant should follow a given state sequence Zs(0···ke) = z0p × Zs(1···ke), where z0p is the initial state of Np.
• S |= zF: The plant should reach the final state zF from the initial state z0p. This specification is equivalent to the marked state concept widely used in automata theory.
• S |= Ws: The plant should generate a given output sequence Ws(0···ke).

Although a combination of types of specifications is possible, it will not be considered here. Instead, the specification S should be of exactly one type.

4.2. Specification automaton design

4.2.1. Design steps

As an intermediate step towards the controller design, this paper introduces the notion of the specification automaton. The specification automaton Ns is obtained in the three steps depicted in Fig. 6 and explained below:

1. Extract the state sequence set Zs(0···Ke) for a given specification S:
$$S \Longrightarrow Z_s(0 \cdots K_e). \qquad (23)$$
2. Derive the characteristic function λs(·) of the test automaton As from Zs(0···Ke).
3. Build the product of both characteristic functions λs(·) and Lp(·) to obtain the characteristic function Ls(·) of the specification automaton Ns:
$$L_s(z'_p, w, z_p, v) = L_p(z'_p, w, z_p, v) \cdot \lambda_s(z'_p, z_p). \qquad (24)$$

Figure 6: Design flow of the specification automaton

Note that Fig. 6 solely describes the main steps, whereas intermediate steps such as the determination of the state sets Zs, input sets Vs and output sets Ws are trivial and hence not explicitly represented in the figure. Only the first and the second design step of the specification automaton are now explained in detail. The third step is to determine the product (24), which does not require further explanation.

4.2.2. State sequence set extraction

This section presents the extraction procedure of the set Zs(0···Ke) of state sequences for the state sequence specification S |= Zs, the final state specification S |= zF and the output sequence specification S |= Ws.

Zs(0···Ke) extraction for S |= Zs. The naive solution in this case would be to choose the state sequence set simply as the singleton Zs(0···Ke) = {Zs(0···ke)}, where Zs(0···ke) denotes the given state sequence. However, it has to be tested that all state transitions given by the system designer are possible in Np. The following equation accepts Zs(0···ke) only if every transition is feasible in Np:

$$Z_s(0 \cdots K_e) = \mathop{\times}\limits_{k=0}^{k_e} \bigl\{ Z_s(k) \cap Z_{ap}(Z_s(k-1)) \bigr\} \quad \text{with } Z_{ap}(Z_s(-1)) = z_{0p}. \qquad (25)$$

Note that, through the Cartesian product, (25) implies Zs(0···Ke) = {Zs(0···ke)} if the state sequence is feasible or Zs(0···Ke) = ∅ otherwise.

Zs(0···Ke) extraction for S |= zF. The determination of the set of all state sequences that are consistent with zF is based on the following facts:

• Every state sequence Zsi(0···kei) ∈ Zs(0···Ke) should end in zF, i.e. Zsi(kei) = zF, i = 1 ... |Zs(0···Ke)|.
• The state sequences Zsi(0···kei) ∈ Zs(0···Ke) need not all have the same length (whereas they do for the specification types S |= Zs or S |= Ws).

In order to simplify the nomenclature, it is assumed that zF is reachable from z0p. Let

$$\bar{A}_z = \bigcup_{k=1}^{|Z_p| - 1} A_z^k \qquad (26)$$

be the symbolic reachability matrix of Np. Recall the following:

1. The ∪ operation in (26) is similar to the common matrix addition.
2. The matrix entry Āz(i, j) is the set of all state sequences from state i to state j with at most |Zp| − 1 transitions.

Hence, the state sequence set is obtained as

$$Z_s(0 \cdots K_e) = \bar{A}_z(z_{0p}, z_F). \qquad (27)$$

For instance, based on the state set Zp = {0, 1, 2, 3, 4, 5}, the entry Āz(1, 4) contains every possible trace from the first state (zp = 0) to the fourth state (zp = 3) within at most 5 steps in Np as shown in Fig. 5, e.g. (0, 1, 2, 1, 2, 3).

Zs(0···Ke) extraction for S |= Ws. Contrary to the previous specification types, the difficulty of this one emerges from the fact that it is no longer sufficient to consider single state transitions; successions of transitions have to be tested for consistency with Ws(0···ke). The set of all possible state sequences Zs(0···ke + 1) that fulfill the specification S |= Ws(0···ke) is obtained as follows:

1. Build the set Zj of the indices j of the adjacency matrix entries Aw^{ke+1}(z0p, j) which include Ws(0···ke) as an element:
$$Z_j = \bigl\{ j \in \{1, \ldots, |Z_p|\} : W_s(0 \cdots k_e) \in A_w^{k_e + 1}(z_{0p}, j) \bigr\}. \qquad (28)$$
2. Compute the set
$$Z_s(0 \cdots K_e) = \Bigl\{ Z_s(0 \cdots k_e + 1) \in A_z^{k_e + 1}(z_{0p}, j),\; \forall j \in Z_j : W_s(0 \cdots k_e) \in \mathop{\times}\limits_{k=0}^{k_e} W_{ap}(Z_s(k+1), Z_s(k)) \Bigr\}. \qquad (29)$$
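The three extraction procedures of Section 4.2.2 all reduce to operations on the symbolic adjacency matrices of Section 2.1. The Python below is an added example, not code from the paper: it implements the (∪, ×) ring product on matrices whose entries are sets of tuples, builds Az and Aw for a constructed tank-like plant (an assumption, not the automaton of Fig. 5), and extracts Zs(0···Ke) by (25) for S |= Zs, by (26)-(27) for S |= zF and by (28)-(29) for S |= Ws. One representational choice is mine: an entry of Az^k holds the k states that follow the row state, so the start state is prepended when the result is read out, which makes the sequences look like the paper's example (0, 1, 2, 1, 2, 3).

```python
"""Symbolic adjacency matrices Az and Aw over the (∪, ×) ring of Section 2.1
and the extraction of the state sequence set Zs(0...Ke) for the three
specification types: eq. (25) for S |= Zs, eqs. (26)-(27) for S |= zF and
eqs. (28)-(29) for S |= Ws.

Matrices are dicts mapping (i, j) to a set of tuples; the ring product is
concatenation of tuples and the ring sum is set union. Plant states are used
directly as matrix indices, and the transition set follows the paper's
argument order (z_next, w, z, v).
"""
from itertools import product

# Constructed plant (an assumption, not the automaton of Fig. 5): levels
# 0..5, v = 0 hold, v = 1 fill, v = 2 drain, output = level after the step;
# at level 3 the pump may fail to raise the level.
STATES = tuple(range(6))
TANK = set()
for z in STATES:
    TANK.add((z, z, z, 0))
    if z < 5:
        TANK.add((z + 1, z + 1, z, 1))
    if z > 0:
        TANK.add((z - 1, z - 1, z, 2))
TANK.add((3, 3, 3, 1))


def active_next(L, z):
    """Za(z)."""
    return {zn for (zn, w, zz, v) in L if zz == z}


def active_outputs_between(L, z_next, z):
    """Wa(z', z)."""
    return {w for (zn, w, zz, v) in L if zz == z and zn == z_next}


def symbolic_matrices(L, states):
    """Az[i, j] = {j} ∩ Za(i) and Aw[i, j] = Wa(j, i), entries as 1-tuples."""
    Az = {(i, j): ({(j,)} if j in active_next(L, i) else set())
          for i in states for j in states}
    Aw = {(i, j): {(w,) for w in active_outputs_between(L, j, i)}
          for i in states for j in states}
    return Az, Aw


def mat_mul(A, B, states):
    """(A B)[i, j] = ∪_ν A[i, ν] × B[ν, j] with × as concatenation."""
    C = {(i, j): set() for i in states for j in states}
    for i, nu, j in product(states, repeat=3):
        C[(i, j)] |= {a + b for a in A[(i, nu)] for b in B[(nu, j)]}
    return C


def mat_pow(A, k, states):
    P = A
    for _ in range(k - 1):
        P = mat_mul(P, A, states)
    return P


def sequences_for_state_spec(L, z0p, Zs):
    """Eq. (25): the singleton {Zs} if Zs starts in z0p and every step is a
    plant transition, the empty set otherwise."""
    allowed = {z0p}                     # Zap(Zs(-1)) = z0p
    for z in Zs:
        if z not in allowed:
            return set()
        allowed = active_next(L, z)
    return {tuple(Zs)}


def sequences_for_final_state(L, states, z0p, zF):
    """Eqs. (26)-(27): all sequences from z0p to zF with at most |Zp|-1
    transitions. Az^k holds the k states following the row state, so the
    start state is prepended to read the result as in the paper's example."""
    Az, _ = symbolic_matrices(L, states)
    reach, P = set(), Az
    for k in range(1, len(states)):
        if k > 1:
            P = mat_mul(P, Az, states)
        reach |= P[(z0p, zF)]
    return {(z0p,) + s for s in reach}


def sequences_for_output_spec(L, states, z0p, Ws):
    """Eqs. (28)-(29): state sequences along which the plant can emit Ws."""
    Az, Aw = symbolic_matrices(L, states)
    n = len(Ws)
    Azn, Awn = mat_pow(Az, n, states), mat_pow(Aw, n, states)
    Zj = {j for j in states if tuple(Ws) in Awn[(z0p, j)]}       # (28)
    result = set()
    for j in Zj:
        for s in Azn[(z0p, j)]:
            seq = (z0p,) + s
            if all(Ws[k] in active_outputs_between(L, seq[k + 1], seq[k])
                   for k in range(n)):                         # (29)
                result.add(seq)
    return result
```

The matrix powers grow quickly with the horizon (each entry of Az^k can hold up to 3^k sequences for this plant), which is the complexity concern the paper defers to its Section 7; for a six-state plant and k ≤ 5 the computation is immediate.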

To summarize this section: for all three types of specifications considered in this paper, the set of state sequences that the plant should follow can always be extracted whenever it exists.

4.2.3. Test automaton construction

This section presents the construction of the test automaton As, which is the second step during the design of the specification automaton described in Fig. 6.

Definition 4 (Test automaton). For a set of state sequences Zs(0···Ke), a test automaton As is an autonomous automaton (1) with As = (Zs, λs, z0s) and the property

$$\exists z_s \in Z_s \;\Big|\; \sum_{z'_s \in Z_s} \lambda_s(z'_s, z_s) > 0. \qquad (30)$$

The characteristic function λs is built by ignoring the I/O's and solely considering the specified state transition sequences Zs(0···Ke). For a state pair (z's, zs), the relation λs(z's, zs) = 1 holds iff the transition (z's, zs) is specified in a state sequence of Zs(0···Ke). Note that (30) reflects the possible nondeterminism of As. For a state sequence set Zs(0···Ke) the characteristic function of As is determined by

$$\lambda_s(z'_s, z_s) = \bigvee_{Z_{si} \in Z_s(0 \cdots K_e)} \; \bigvee_{k=0}^{|Z_{si}| - 2} \bigl[ (Z_{si}(k) \equiv z_s) \wedge (Z_{si}(k+1) \equiv z'_s) \bigr] \quad \forall (z'_s, z_s) \in Z_p^2. \qquad (31)$$

The state set is given by

$$Z_s = \{ z \in Z_p \mid \exists z' \in Z_p : \lambda_s(z', z) \vee \lambda_s(z, z') = 1 \}. \qquad (32)$$

If Zs(0···Ke) = ∅ w.r.t. (25), then λs(z's, zs) = 0 ∀(z's, zs) ∈ Zp² when (31) is applied. In this case, the test automaton does not exist and the specification is, therefore, infeasible in Np. Equation (32) concludes the second design step of the specification automaton described in Section 4.2.1. Recall that the third design step does not require further explanation, because the product of the characteristic functions of Np and As yields the value of the characteristic function of Ns according to (24).

4.2.4. Specification automaton for the batch process

The verbal description of the mixture preparation process in Section 3 leads to the specification of the state sequence Zs = (0, (1, ..., 4, ..., 2)∗), where the ∗ denotes an infinite repetition of the given subsequence. The following state sequence satisfies this specification:

$$S \models Z_s(0 \cdots 7) = (0, 1, 2, 3, 4, 3, 2, 1). \qquad (33)$$

By applying (25), Zs(0···Ke) = {Zs(0···7)} ≠ ∅ results. The latter will be used in Section 4.3 to study the feasibility of the specification. The characteristic function of the test automaton is obtained according to (31) as follows:

$$\lambda_s(z'_s, z_s) = \bigvee_{k=0}^{6} \bigl[ (Z_s(k) \equiv z_s) \wedge (Z_s(k+1) \equiv z'_s) \bigr], \quad \forall (z'_s, z_s) \in Z_p^2. \qquad (34)$$

For instance, λs(2, 3) = [Zs(5) ≡ 3] ∧ [Zs(6) ≡ 2] = 1. Once every transition has been processed with (31), the characteristic function λs of the test automaton As is ready to be multiplied with Lp to obtain the characteristic function Ls of the specification automaton Ns according to (24). The result is the specification automaton Ns depicted in Fig. 7. The specification automaton contains the expected behavior of the plant under control. Thus, it is sufficient to use this specification automaton to design the control law. Note that a specification automaton does not exactly reflect the specification S. Since the architecture of the controller shown in Fig. 9 includes a component generating the specified state sequence Zs(0···ke), it is sufficient to have every transition of S included in Ns for the controller design described below.

Figure 7: Specification automaton graph of the mixture preparation process

4.3. Feasibility of a specification Before a possibly intensive computation of the controller, it is important to test if the required specification can be achieved by the system in a closed loop with the controller. In the positive case, the specification is said to be feasible in the system otherwise it is infeasible. This section discusses the feasibility conditions of a specification S in a given plant N p . Two properties are now introduced: the basic feasibility and the safe feasibility of a specification. Definition 5 (Basic feasibility). For a plant Np , a specification S |= Zs , S |= zF or S |= Ws is basically feasible iff the test automaton A s exists or, equivalently, iff there exists an input sequence Vs (0 · · · ke ) through which the specification S can be achieved. Thus, the basic feasibility is fulfilled for specifications which can be achieved by the plant N p . This is equivalent to the fact that the set of state sequences Z s (0 · · · Ke ) is nonempty as expressed by the following lemma. Lemma 2. For a given plant Np , a specification S |= Zs , S |= zF or S |= Ws is basically feasible iff Zs (0 · · · Ke ) = ∅ w.r.t (25), (27) or (29) respectively.


Proof. The proof follows from the fact that Zs(0···Ke) = ∅ is equivalent with λs(z's, zs) = 0 ∀(z's, zs) ∈ Zp² w.r.t. (31) for all the types of specification considered above. The characteristic function Ls of the specification automaton Ns then vanishes for every transition (z'p, wp, zp, vp) of Np because of (24). □

Since the plant is modeled by a nondeterministic automaton, the property of basic feasibility ensures that the plant can achieve the specification with a controller, but it does not guarantee that the plant will always achieve the specification with that controller. The requirement that the plant must always achieve the specification is called safety, which is defined here similarly to [2, 20].

Definition 6 (Safe feasibility). For a plant Np, a specification S |= Zs, S |= zF or S |= Ws is said to be safely feasible if it is basically feasible and no input sequence Vs(0...k) with k > 0 can also lead to another state sequence Z's ≠ Zs, another final state z'F ≠ zF or another output sequence W's ≠ Ws, respectively.

The basic feasibility condition derived in [27] requires the existence of a homomorphism from Ns to Np. This property is extended here to the safe feasibility, which means that there exists a control law Nc that will never block with Np and enforces S to be achieved in the closed loop.

Theorem 1 (Safe feasibility for S |= Zs). A specification Zs(0···ke) is safely feasible in the plant Np iff
1. Zs is basically feasible for Np w.r.t. Lemma 2 and
2. the plant cannot deviate from Zs due to its nondeterminism:
$$\bigvee_{k=0}^{k_e-1}\ \bigvee_{z_p \in Z_p \setminus z'_{sk}}\ \bigvee_{w_p \in W_p}\ \bigvee_{v_s \in V_{ap}(z'_{sk}, z_{sk})} L_p(z_p, w_p, z_{sk}, v_s) = 0 \qquad (35)$$
with zsk = Zs(k) and z'sk = Zs(k + 1).

Proof. As safe feasibility is a stronger property than basic feasibility, condition 1 of the theorem is necessary. Under the assumption that basic feasibility (condition 1) of Zs is given, only safety (condition 2) needs to be proved. The following shows that it is impossible for Np to deviate from Zs despite its nondeterminism iff (35) holds.

(⟹) The negation of (35) is
$$\bigvee_{k=0}^{k_e-1}\ \bigvee_{z_p \in Z_p \setminus z'_{sk}}\ \bigvee_{w_p \in W_p}\ \bigvee_{v_s \in V_{ap}(z'_{sk}, z_{sk})} L_p(z_p, w_p, z_{sk}, v_s) = 1$$
$$\Leftrightarrow\ \exists k \in [0, k_e-1],\ v_s \in V_{ap}(z'_{sk}, z_{sk}),\ z_p \in Z_p \setminus z'_{sk},\ \text{and } w_p \in W_p:\ L_p(z_p, w_p, z_{sk}, v_s) = 1. \qquad (36)$$
Since Zs is assumed to be basically feasible,
$$\exists w_p \in W_p:\ L_p(z'_{sk}, w_p, z_{sk}, v_s) = 1 \qquad (37)$$
also holds for the same arguments zsk, z'sk and vs as in (36). The fact that (36) and (37) simultaneously hold although zp ∈ Zp \ z'sk ⟹ zp ≠ z'sk reflects a deviation of the plant from Zs(k) to zp instead of z'sk = Zs(k + 1).

(⟸) Assume that Zs is safely feasible; then the following holds:
$$\nexists (w_{p1}, w_{p2}) \in W_p^2,\ z' \in Z_p,\ k \in [0, k_e-1],\ v_s \in V_{ap}(z'_{sk}, z_{sk}):\ L_p(z'_{sk}, w_{p1}, z_{sk}, v_s) = 1\ \text{and}\ L_p(z', w_{p2}, z_{sk}, v_s) = 1. \qquad (38)$$
The last expression of (38) can be written as
$$\bigvee_{v_s \in V_{ap}(z'_{sk}, z_{sk})} L_p(z', w_{p2}, z_{sk}, v_s) = 1,$$
which is a negation of (35). This negation contradicts the assumption and concludes the proof. □

Theorem 2 (Safe feasibility for S |= zF or S |= Ws). A specification S |= zF or S |= Ws is safely feasible for the plant Np iff every state sequence Zs(0···ke) ∈ Zs(0···Ke) is safely feasible by applying (35).

Proof. Recall that Zs(0···Ke) is the state sequence set which is in line with S |= zF or S |= Ws. The conditions to be fulfilled by a single state sequence Zs ∈ Zs(0···Ke) have already been proved in Theorem 1. The goal here is to show that it is necessary and sufficient for all state sequences of Zs(0···Ke) to be safely feasible w.r.t. Theorem 1 in order for the corresponding specification S |= zF or S |= Ws to be safely feasible.
(⟹) First, Zs(0···Ke) is derived from S |= zF or S |= Ws with (27) or (29), respectively. Since Definition 6 does not tolerate any violation of S |= zF or S |= Ws during its fulfillment in Np, it obviously concerns every state sequence Zs ∈ Zs(0···Ke) which is in line with S |= zF or S |= Ws. Thus, the following holds: ∀Zs ∈ Zs(0···Ke), Zs is safely feasible in Np w.r.t. Theorem 1.
(⟸) Assume that ∃Zs ∈ Zs(0···Ke) which is not safely feasible w.r.t. Theorem 1. Then, eqns. (36)-(37) hold. As mentioned in the proof of Theorem 1, eqns. (36) and (37) reflect a deviation from the specification. This is a case of violation excluded by Definition 6. Hence, the corresponding specification S |= zF or S |= Ws is not safely feasible. □
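Condition (35) of Theorem 1 can be evaluated mechanically once the plant is stored as the support of its characteristic function Lp. The following Python is an added example, not code from the paper, on a constructed toy plant with one nondeterministic input; the state labels and event names are assumptions made for the example.

```python
# Added example: checking basic feasibility (Lemma 2) and safe feasibility
# (Theorem 1, condition (35)) of a state sequence in a nondeterministic I/O automaton.
# The plant is stored as the set of tuples (z', w, z, v) for which L_p(z', w, z, v) = 1.
# States, inputs and outputs below are constructed for this example and are not the
# paper's batch process.
PLANT = {
    (1, "l1", 0, "pump"),
    (2, "l2", 1, "pump"),
    (2, "l2", 1, "pump_fast"),
    (3, "l3", 1, "pump_fast"),   # nondeterminism: "pump_fast" from 1 may overshoot to 3
    (3, "l3", 2, "pump"),
    (2, "l2", 3, "drain"),
    (1, "l1", 2, "drain"),
}


def active_inputs(plant, z_next, z):
    """V_ap(z', z): the inputs through which the plant can move from z to z'."""
    return {v for (zn, _w, zc, v) in plant if zn == z_next and zc == z}


def basically_feasible(plant, Zs):
    """Lemma 2 for a single sequence: every step Z_s(k) -> Z_s(k+1) has an input."""
    return all(active_inputs(plant, Zs[k + 1], Zs[k]) for k in range(len(Zs) - 1))


def deviations(plant, Zs):
    """Evaluate the disjunction of (35).

    Returns every (k, v_s, z_p, w_p) with z_p != Z_s(k+1) and
    L_p(z_p, w_p, Z_s(k), v_s) = 1 for some v_s in V_ap(Z_s(k+1), Z_s(k)).
    An empty result means (35) holds, i.e. the plant cannot leave Z_s under
    any input that is admissible for the specified step.
    """
    found = []
    for k in range(len(Zs) - 1):
        z, z_next = Zs[k], Zs[k + 1]
        for v in active_inputs(plant, z_next, z):
            for (zn, w, zc, vv) in plant:
                if zc == z and vv == v and zn != z_next:
                    found.append((k, v, zn, w))
    return sorted(found)


def safely_feasible(plant, Zs):
    """Theorem 1: basic feasibility plus condition (35)."""
    return basically_feasible(plant, Zs) and not deviations(plant, Zs)


if __name__ == "__main__":
    for Zs in [(0, 1, 2, 3), (2, 3, 2, 1), (0, 2)]:
        print(Zs, "basic:", basically_feasible(PLANT, Zs),
              "safe:", safely_feasible(PLANT, Zs),
              "deviations:", deviations(PLANT, Zs))
```

The sequence (0, 1, 2, 3) is basically feasible but not safely feasible, because the only deviation-free input set for step 1 -> 2 would have to exclude "pump_fast"; the returned tuple names the step, input and alternative successor that break (35).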



5. Feedback control design

5.1. Main idea

The specification S is represented by the specification automaton Ns. The main idea of the control design procedure is to keep the same structure of the specification automaton Ns but to reverse the input/output events vs/ws to get the controller automaton Nc, i.e., vc/wc = ws/vs. To keep the same structure of the specification automaton means to use the same state labels and state transitions. The resulting I/O automaton is Nc = (Zc, Vc, Wc, Lc, z0c) with
$$L_c(z'_c, w_c, z_c, v_c) = L_s(z'_c, v_c, z_c, w_c),\quad \forall (z'_c, w_c, z_c, v_c) \in Z_s \times V_s \times Z_s \times W_s. \qquad (39)$$

However, this straightforward approach does not reveal how to derive a control law and how to explicitly enforce a control output to the plant. These steps are addressed in the following.

5.2. Procedural description of the design method

5.2.1. Two ways of solution

Denote the i-th path through the graph Nc from the initial state z0c = Zc(0) towards the final state Zc(ke) by Ac^(i) (i = 1...ν). Since the control law Ac is represented by a subgraph of Nc, Nc is a supergraph of Ac: Ac ⊆ Nc (cf. Definition 1). Nc is, therefore, called supercontrol law or maximally permissive control law in the following. A supercontrol law Nc may consist of several control laws Ac^(i). This paper proposes two controller design steps:
1. Maximally permissive control law synthesis: The control laws Ac^(i) are derived from Ns and the specification S. Then the maximally permissive control law Nc is obtained by merging all the control laws Ac^(i) together (Fig. 8(a)).
2. Control law synthesis through supercontrol law decomposition: First, the maximally permissive controller Nc is obtained by inverting the inputs and outputs of Ns. Then Nc is decomposed into several control laws Ac^(i) according to the specification S (Fig. 8(b)).
Since the specifications S |= zF and S |= Ws can be expressed by sets of state sequences Zs, the latter is used in the following as a canonical specification type for the control design.

Figure 8: Control design procedures. (a) Maximally permissive control law synthesis: Np and S are combined by Spec(·) into Ns; Con(·) yields the control laws Ac(1), Ac(2), ..., Ac(n); their synthesis gives Nc. (b) Control law synthesis through supercontrol law decomposition: Np and S are combined by Spec(·) into Ns; I/O inversion gives Nc; decomposition yields Ac(1), Ac(2), ..., Ac(n).

5.2.2. Maximally permissive control law synthesis

For a specified state sequence Zs(0···ke) which should be enforced by the controller, the number ν of such paths is given by
$$\nu = \prod_{k=0}^{k_e-1}\ \sum_{w_i \in W_{as}(Z_s(k+1),\, Z_s(k))}\ \sum_{v_i \in V_{as}(Z_s(k+1),\, Z_s(k))} L_s(Z_s(k+1), w_i, Z_s(k), v_i). \qquad (40)$$
Equation (40) computes the product of the number of possible transitions for each state combination (Zs(k + 1), Zs(k)) along the sequence Zs(0···ke).

Example. For the specification automaton shown in Fig. 7 and the specified state sequence of (33), eqn. (40) yields
$$\begin{aligned}
\nu &= \prod_{k=0}^{6}\ \sum_{w_i \in W_{as}(Z_s(k+1),\, Z_s(k))}\ \sum_{v_i \in V_{as}(Z_s(k+1),\, Z_s(k))} L_s(Z_s(k+1), w_i, Z_s(k), v_i) \\
&= L_s(1,1,0,1)\cdot L_s(2,2,1,1)\cdot L_s(3,3,2,1)\cdot L_s(4,4,3,1)\cdot [L_s(3,3,4,2) + L_s(3,3,4,3)]\cdot [L_s(2,2,3,2) + L_s(2,2,3,3)]\cdot [L_s(1,1,2,2) + L_s(1,1,2,3)] \\
&= 1\cdot 1\cdot 1\cdot 1\cdot 2^3 = 8.
\end{aligned} \qquad (41)$$

Thus, there are 8 different control automata Ac^(i), (i = 1...8). This number is due to the fact that it is possible to use either valve V2 or V3 in 3 different states, namely 2, 3, and 4, to implement the controller for the batch process.

In summary, the design of a supercontrol law Nc = (Zc, Vc, Wc, Lc, z0c) consists of the following steps:
1. Build the specification automaton Ns according to (24).
2. Find the control laws Ac^(1), ..., Ac^(ν) by means of
$$A_c^{(i)} = \mathrm{Con}(N_s, S) \quad \text{with } i = 1 \ldots \nu, \qquad (42)$$
where the Con(·) operator represents Algorithm 1 shown below.
3. Build the supercontrol law Nc with the characteristic function
$$L_c(z'_c, w_c, z_c, v_c) = \bigvee_{i=1}^{\nu} \big[L_c^{(i)}(z'_c, w_c, z_c, v_c) = 1\big] \qquad (43)$$
with wc ∈ {wc^(i), i = 1...ν} and vc ∈ {vc^(i), i = 1...ν}.

Nc may become nondeterministic even though it fulfills the specification S that includes a deterministic behavior. This is acceptable only if the nondeterminism of Nc solely concerns the internal state transitions but not the output generation. That is, Nc must be at least W-deterministic w.r.t. Lemma 1. However, the W-determinism of Nc does not guarantee the uniqueness of the control output.

Now the operator Con(·) used in eqn. (42) is defined for the first and third requirements stated in Section 1.2 as follows:
• Given:
  – A plant model Np
  – A specification S expressed in the canonical state sequence Ẑs(0···ke)
• Find: A control law Ac which generates a unique input to the plant at each step k while fulfilling Ẑs(0···ke).

Since the control law Ac^(i) represents a unique state sequence and a unique output sequence through the supercontrol law Nc, the Con(·) operator consists of a central routine which guarantees the uniqueness of these sequences. This routine, represented in Algorithm 1, generates all possible control laws Ac^(i) related to a specified state sequence Ẑs(0···ke).

The Con(·) operator described in Algorithm 1 generates control laws Ac^(i) for a given state sequence Ẑs, which is given for the considered specification type. The following explains how to specify such state sequences:
• Con(Ns, zF): find all state sequences Ẑs ∈ Zs(0···Ke) in Ns from z0s to zF by means of (27).
• Con(Ns, Zs): find the longest state sequence Ẑs ⊆ Zs with at most one cycle.
• Con(Ns, Ws): find all state sequences Ẑs ∈ Zs(0···Ke) which are consistent with Ws by means of (29).

Algorithm 1 Control design for a state sequence specification.
Input: Ns, Ẑs(0···ke)
Init: i = 1, compute ν with (40), VW_{z'z} = [ ], Lc^(i)(z', w, z, v) = 0, ∀(z', w, z, v) ∈ Zs × Ws × Zs × Vs, i = 1...ν
 1: for k = 0 to ke − 1 do
 2:   z = Ẑs(k), z' = Ẑs(k + 1)
 3:   VWas_{z'z} = Vas(z', z) × Was(z', z)
 4:   VW_{z'z} = {(v, w) ∈ VWas_{z'z} : Ls(z', w, z, v) = 1}
 5:   for each (ṽ, w̃) ∈ VW_{z'z} do
 6:     i = 1
 7:     while i ≤ ν do
 8:       if ∀(v, w) ∈ V × W, Lc^(i)(z', w, z, v) == 0 then
 9:         Lc^(i)(z', ṽ, z, w̃) = 1, i = i + |VW_{z'z}|
10:       else
11:         i = i + 1
12:       end if
13:     end while
14:   end for
15: end for
16: Output: Ac^(i) (i = 1...ν)

After Algorithm 1 has generated all possible control laws Ac^(i), the maximally permissive control law Nc is obtained by eqn. (43).

5.2.3. Supercontrol law decomposition into single control laws

The decomposition consists of applying the following steps for every state transition of Ns to generate all the control laws:

1. For S |= Zs, S |= zF or S |= Ws, derive the set Zs(0···Ke) of possible state sequences, which is to be executed in order to achieve S w.r.t. (25), (27) and (29). In the sequel, the specification S |= Zs is used as canonical specification.
2. Compute the number ν of control laws:
(a) Build the (0, td)-adjacency matrix A defined in eqn. (7).
(b) Find the number of control laws with
$$\nu = \sum_{Z_{s_i}(0\cdots k_{e_i}) \in Z_s(0\cdots K_e)}\ \prod_{k=0}^{k_{e_i}-1} A(Z_{s_i}(k+1), Z_{s_i}(k)). \qquad (44)$$
Equation (44) is more general than (40), because it permits to determine the number of control laws that are able to enforce a specification S represented by Zs(0···Ke), whereas (40) is applicable for a single state sequence Zs(0···ke) only.
3. Compute the control laws by decomposing Nc with Algorithm 2.

Example.

To illustrate the computation of the number ν, consider the example of Fig. 5 with the state set Zp = {0, 1, 2, 3, 4, 5}. According to the position of each state in Zp, the numerical adjacency matrix is
$$A = \begin{bmatrix}
3 & 2 & 0 & 0 & 0 & 0 \\
1 & 1 & 2 & 0 & 0 & 0 \\
0 & 1 & 1 & 2 & 0 & 0 \\
0 & 0 & 1 & 1 & 2 & 0 \\
0 & 0 & 0 & 1 & 1 & 2 \\
0 & 0 & 0 & 0 & 1 & 2
\end{bmatrix}$$
and the state sequence (33) is translated into Zs(0···7) = (1, 2, 3, 4, 5, 4, 3, 2). Equation (44) yields
$$\nu = \prod_{k=0}^{6} A(Z_s(k+1), Z_s(k)) = A(2,1)\cdot A(3,2)\cdot A(4,3)\cdot \ldots \cdot A(2,3) = 1\cdot 1\cdot 1\cdot 1\cdot 2^3 = 8, \qquad (45)$$

which is identical to (41).

The main steps of Algorithm 2 can be summarized in the sentence "Distribute each input/output transition (z', w, z, v) of Zs(0···Ke) among the control laws Ac^(i), (i = 1, ..., ν)". The procedure is explained now in detail:
1. Go through each transition (z, z') included in Zs and read the I/O transitions v/w to decide to which control laws the transition (z', w, z, v) should be distributed (Lines 3-5).
2. Go through every completed control law obtained so far until the number of expected control laws for the considered transition is reached (Line 8).
(a) If the transition (z', w, z, v) is not yet saved in the current control law Ac^(i), then save it with the corresponding index i into AcIdx_{z0ze}; otherwise take the next control law by incrementing i (Lines 11-13, 18).
(b) Should the current control law be incomplete, then check if there is another control law sharing the transition (z, z') with another I/O pair (v, w) by incrementing i_{z0ze} and i (Lines 15-16).
(c) If the control law Ac^(i) is already completed, then just increment i but not i_{z0ze}; otherwise the current I/O transition would be skipped as if it had been saved for the considered Ac^(i). Go back to Step (a) (Lines 15 and 18).
3. Save the newly completed control laws index AcIdx_{z0ze} in compAcIdx (Line 26).

For a given set of state sequences Zs(0···Ke), a controller automaton Nc and the number of control laws ν, Algorithm 2 is summarized by the equation:
$$L_c^{(i)}(Z_s(k+1), w, Z_s(k), v) = \begin{cases}
1 & \forall Z_s(0\cdots k_e) \in Z_s(0\cdots K_e),\ \forall k \in [0, |Z_s|-1],\ (v, w) \in V_c \times W_c: \\
  & \big(td_c^{(i)}(Z_s(k+1), Z_s(k)) = 1\big) \wedge 1 \le i \le \nu \\
0 & \text{else.}
\end{cases} \qquad (46)$$

Algorithm 2 Decomposition of Nc into control laws Ac^(i)
Input: Nc, Ẑs(0···ke), compute ν with (44)
 1: compAcIdx = {} // Set of indices of completed control laws
 2: AcIdx_{z0ze} = {} // Set of indices of currently processed control laws from Ẑs(0) to Ẑs(ke)
 3: for k = 0 to ke − 1 do
 4:   z = Ẑs(k), z' = Ẑs(k + 1)
 5:   VWac_{z'z} = Vac(z', z) × Wac(z', z)
 6:   VW_{z'z} = {(v, w) ∈ VWac_{z'z} : Lc(z', w, z, v) = 1}
 7:   i = 1; i_{z0ze} = 1
 8:   while i ≤ ν & i_{z0ze} ≤ ν do
 9:     for each (v, w) ∈ VW_{z'z} do
10:       if Lc(z', w, z, v) == 1 then
11:         if Lc^(i)(z', w, z, v) == 0 & i ∉ compAcIdx then
12:           Lc^(i)(z', w, z, v) = 1
13:           AcIdx_{z0ze} = AcIdx_{z0ze} ∪ i
14:         end if
15:         if i ∉ compAcIdx then
16:           i_{z0ze} = i_{z0ze} + 1
17:         else
18:           i = i + 1
19:           break // to avoid useless runs
20:         end if
21:         i = i + 1
22:       end if
23:     end for
24:   end while
25: end for
26: compAcIdx = compAcIdx ∪ AcIdx_{z0ze}
27: Output: Ac^(i), i = 1, ..., ν
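The counting formulas (40) and (44), the enumeration performed by Con(·) (Algorithm 1) and the decomposition of Nc (Section 5.2.3, Algorithm 2) can be checked against each other on the batch-process data of (41). The Python below is an added example and not the paper's implementation: the transitions of Ns are the ten factors of (41) with 0-based state labels, and the bookkeeping of Algorithms 1 and 2 is replaced by a direct enumeration of the admissible I/O pairs at each step, which yields the same ν control laws.

```python
from itertools import product

# Added example. Transitions (z', w, z, v) of the specification automaton N_s with
# L_s(z', w, z, v) = 1, read off the factors of (41): w is the measured tank state,
# v = 1 is pump P1, v = 2 and v = 3 are the valves V2 and V3.  State labels are the
# 0-based positions used in (41); the self-loops of the adjacency matrix given in
# Section 5.2.3 are not reproduced here.
NS = {
    (1, 1, 0, 1), (2, 2, 1, 1), (3, 3, 2, 1), (4, 4, 3, 1),
    (3, 3, 4, 2), (3, 3, 4, 3), (2, 2, 3, 2), (2, 2, 3, 3),
    (1, 1, 2, 2), (1, 1, 2, 3),
}
ZS_HAT = (0, 1, 2, 3, 4, 3, 2, 1)   # state sequence (33), 0-based labels


def io_pairs(Ls, z_next, z):
    """Lines 3-4 of Algorithm 1: {(v, w) in V_as(z', z) x W_as(z', z) : L_s(z', w, z, v) = 1}."""
    return sorted((v, w) for (zn, w, zc, v) in Ls if zn == z_next and zc == z)


def count_control_laws(Ls, Zs):
    """Equation (40): product over the steps of the number of admissible I/O pairs."""
    nu = 1
    for k in range(len(Zs) - 1):
        nu *= len(io_pairs(Ls, Zs[k + 1], Zs[k]))
    return nu


def adjacency_matrix(Ls, n_states):
    """(0, td)-adjacency matrix: A[z'][z] = number of I/O pairs labelling z -> z'."""
    A = [[0] * n_states for _ in range(n_states)]
    for (zn, _w, zc, _v) in Ls:
        A[zn][zc] += 1
    return A


def count_from_matrix(A, Zs):
    """The inner product of (44) for one state sequence, as in (45)."""
    nu = 1
    for k in range(len(Zs) - 1):
        nu *= A[Zs[k + 1]][Zs[k]]
    return nu


def con(Ls, Zs):
    """Con(N_s, Z_s): all control laws A_c^(i) for the sequence Z_s.

    Each law fixes exactly one (v, w) per step and stores the transition with
    inverted events as in (39): (z', w_c, z, v_c) = (z', v, z, w).
    """
    choices = [io_pairs(Ls, Zs[k + 1], Zs[k]) for k in range(len(Zs) - 1)]
    return [frozenset((Zs[k + 1], v, Zs[k], w) for k, (v, w) in enumerate(pick))
            for pick in product(*choices)]


def supercontrol_law(laws):
    """Equation (43): L_c = 1 wherever some L_c^(i) = 1 (the merge of Fig. 8(a))."""
    return frozenset().union(*laws)


def decompose(Lc, Zs):
    """Decomposition of N_c along Z_s (the task of Algorithm 2, Fig. 8(b)):
    distribute the I/O transitions of every step among the control laws,
    one transition per law and step."""
    choices = [sorted(t for t in Lc if t[0] == Zs[k + 1] and t[2] == Zs[k])
               for k in range(len(Zs) - 1)]
    return [frozenset(pick) for pick in product(*choices)]


if __name__ == "__main__":
    laws = con(NS, ZS_HAT)
    Nc = supercontrol_law(laws)
    print("nu by (40):", count_control_laws(NS, ZS_HAT))
    print("nu by (44)/(45):", count_from_matrix(adjacency_matrix(NS, 5), ZS_HAT))
    print("laws from Con:", len(laws), "transitions in N_c:", len(Nc))
    print("decomposition of N_c gives the same laws:",
          set(decompose(Nc, ZS_HAT)) == set(laws))
```

Both counts give ν = 8, the merged Nc has the ten transitions of (41) with inverted events, and decomposing that Nc returns exactly the eight laws produced by Con(·), which is the equivalence of the two procedures in Fig. 8.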

5.3. Realization of the feedback controller

When implementing the controller, the following requirements must be taken into account:
• The control laws Ac^(i) can be used if the resulting control loop is strictly well-posed w.r.t. (18).
• The supercontrol law Nc can be used if the resulting control loop is strictly or weakly well-posed w.r.t. (19).
The latter is used here to explain the realization scheme because it offers a general solution. The problem to be solved when realizing a feedback controller is to find a structure that enforces a specific control output wc required by the control law Nc for the plant Np so that the plant responds with an output wp. The output wp = vc received by the controller C triggers its state transition only if the control loop is at least weakly well-posed w.r.t. Definition 3. Otherwise the control loop is blocking.

Figure 9: Realization of the feedback controller

The controller realization scheme presented in Fig. 9 is summarized by the following equations:
• For a given final state zF to be reached, a state trajectory Zs to be followed or an output sequence Ws to be generated, select a trajectory
$$\bar Z_s(0\cdots k_e) \in Z_s(0\cdots K_e). \qquad (47)$$
• The counter kc is a pointer along the set trajectory. It is incremented only if the measured output of the plant wp matches an expected value from V̂c(k):
$$k_c = k_c + \big(w_p(k) \in \hat V_c(k)\big). \qquad (48)$$
• The current state zc and the current target state z'c are consecutive elements of Z̄s, i.e.
$$z_c = \bar Z_s(k_c) \quad \text{and} \quad z'_c = \bar Z_s(k_c + 1). \qquad (49)$$
• The control signal wc(k) and the expected outputs V̂c(k) from the plant required to perform the state transition from zc to z'c are obtained by means of the active output and active input operators as follows:
$$w_c(k) = W_{ac}(z'_c, z_c) \quad \text{and} \qquad (50)$$
$$\hat V_c(k) = V_{ac}(z'_c, z_c). \qquad (51)$$
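The realization scheme of Fig. 9 and eqns. (47)-(51), as an added Python example that is not the IDEFICS implementation used in Section 6. The supercontrol law Nc is constructed here by inverting the ten I/O pairs of (41) as in (39); the sequence of plant outputs fed to the controller, including one spurious reading, is a constructed input.

```python
# Added example: realization of the feedback controller of Fig. 9, eqns. (47)-(51).
# N_c is stored as the set of tuples (z', w_c, z, v_c) with L_c = 1, obtained by
# inverting the I/O pairs of (41) as in (39): w_c is the command sent to the plant
# (1 = pump P1, 2 = valve V2, 3 = valve V3) and v_c = w_p is the measured plant state.
# State labels are 0-based as in (41).
NC = {
    (1, 1, 0, 1), (2, 1, 1, 2), (3, 1, 2, 3), (4, 1, 3, 4),
    (3, 2, 4, 3), (3, 3, 4, 3), (2, 2, 3, 2), (2, 3, 3, 2),
    (1, 2, 2, 1), (1, 3, 2, 1),
}


def active_outputs(Lc, z_next, z):
    """W_ac(z', z): commands that label the transition z -> z' of N_c, eqn. (50)."""
    return {w for (zn, w, zc, _v) in Lc if zn == z_next and zc == z}


def active_inputs(Lc, z_next, z):
    """V_ac(z', z): plant outputs accepted for the transition z -> z', eqn. (51)."""
    return {v for (zn, _w, zc, v) in Lc if zn == z_next and zc == z}


class Controller:
    """Counter k_c along a selected trajectory Z_bar_s, eqns. (47)-(49)."""

    def __init__(self, Lc, trajectory, choose=min):
        self.Lc = Lc
        self.Zbar = tuple(trajectory)   # selected trajectory, (47)
        self.kc = 0                      # pointer along the trajectory, (48)
        self.choose = choose             # tie-break when W_ac holds several commands
        self.rejected = 0                # plant outputs that did not match V_hat_c

    def done(self):
        return self.kc >= len(self.Zbar) - 1

    def command(self):
        """Return (w_c(k), V_hat_c(k)) for the current step, eqns. (50) and (51)."""
        if self.done():
            raise RuntimeError("trajectory completed")
        zc, zn = self.Zbar[self.kc], self.Zbar[self.kc + 1]          # (49)
        Wac = active_outputs(self.Lc, zn, zc)
        if not Wac:
            raise ValueError(f"N_c has no transition {zc} -> {zn}")
        return self.choose(Wac), active_inputs(self.Lc, zn, zc)

    def step(self, wp):
        """Feed one measured plant output w_p = v_c and apply (48)."""
        _wc, Vhat = self.command()
        matched = wp in Vhat
        self.kc += int(matched)
        self.rejected += int(not matched)
        return matched


def run(Lc, trajectory, plant_outputs, choose=min):
    """Drive the controller with a recorded sequence of plant outputs.

    Returns (k_c reached, number of rejected outputs, commands issued).
    """
    ctrl = Controller(Lc, trajectory, choose)
    issued = []
    for wp in plant_outputs:
        if ctrl.done():
            break
        issued.append(ctrl.command()[0])
        ctrl.step(wp)
    return ctrl.kc, ctrl.rejected, issued


if __name__ == "__main__":
    # Constructed plant readings: the spurious value 5 after the first step is
    # not in V_hat_c and must not advance the counter.
    readings = [1, 5, 2, 3, 4, 3, 2, 1]
    print(run(NC, (0, 1, 2, 3, 4, 3, 2, 1), readings))
```

With `choose=min` the controller always selects valve V2 where Nc admits V2 or V3, i.e. it realizes Ac^(1) of Fig. 11; a different tie-break selects another of the eight control laws without changing the expected plant outputs.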

5.4. Controllability conditions

W-Determinism of the feedback controller. This section proposes an answer to the question: Under what conditions is the output generation of the controller deterministic? The following theorem from [27] states a criterion based on the specification automaton.

Theorem 3 (W-Determinism of Nc). For a feasible specification S, described by the automaton Ns, there exists a W-deterministic control law Nc iff
$$\forall (z_s, w_s) \in Z_s \times W_s,\quad |V_{as}(z_s, w_s)| = 1. \qquad (52)$$
The theorem obviously holds also for safely feasible specifications S since (52) concerns Ns only.

Controllability. The controllability of a plant for a given specification should describe the possibility to find a feedback controller with the requirements stated in Section 1.2.

Definition 7 (Controllability of a plant). A plant Np is said to be controllable w.r.t. a specification S iff there exists a W-deterministic feedback control law Nc for which S is fulfilled and the control loop is weakly well-posed.

Since the first step of the control design method is to build the specification automaton Ns, a necessary and sufficient condition for the existence of a control law Nc for a plant is to require the safe feasibility of the considered specification w.r.t. Theorems 1 and 2. However, the safe feasibility does not guarantee the W-determinism of Nc. Therefore, Theorem 3 gives a necessary and sufficient condition on the specification automaton under which it is possible to obtain a W-deterministic control law Nc. Hence, it states an additional condition for the controllability of a plant. This fact is summarized by the following theorem.

Theorem 4 (Controllability). A plant Np is controllable w.r.t. a specification S iff S is safely feasible for Np and eqn. (52) holds.

Proof. (⟹) If (52) does not hold, then Nc is not W-deterministic. If S is not safely feasible w.r.t. Theorems 1 and 2, there is no control law that can enforce S in Np; consequently there is no controller Nc. In both cases Np is not controllable w.r.t. S according to Definition 7.
(⟸) According to Definition 7, if Np is not controllable w.r.t. S then Nc is not W-deterministic or the control loop is not weakly well-posed. Nc being not W-deterministic means that (52) does not hold. Theorem 3 then implies that S is not safely feasible. The control loop not being weakly well-posed means that it is either well-posed or ill-posed. Without loss of generality, well-posedness is not possible without weak well-posedness, which is a relaxed property. The case of the ill-posedness described through (20) contradicts (52) because e.g. |Ŵc| = 0 ⇔ ∃(zs, ws) ∈ Zs × Ws : |V̂as(zs, ws)| = 0 by means of (12) and (24). This shows that (52) does not hold in this case either. Since the right-hand side of the negated (⟸) predicate to be proved is "S not safely feasible or (52) does not hold", the fact that the latter yields TRUE concludes the proof. □

The controllability condition proposed above is not based on the control laws Ac^(i) but on the supercontrol law Nc only. Note that a control loop Nc/Np will never block because (52) is fulfilled. On the contrary, a control loop Ac^(i)/Np may block because the plant may generate different outputs than those expected by Ac^(i), whereas this would not happen with Nc as a control law. This is the reason why control laws Ac^(i) are used only in strictly well-posed control loops for the controller realization (Section 5.3).

5.5. Comparison with RW-Theory

A crucial difference between the control design method presented here and RWT [33] lies in the interpretation of the role of the controller. In RWT, the controller is a supervisor which is supposed to enable or disable the controllable events of the plant in order to satisfy the specification. The enforcement of a certain event is indirectly achieved by disabling others [16], by defining at most one controllable event at each state of the controller [35], by using forced events [8, 10, 12, 16, 18] or by introducing temporal conditions [21]. The objective of the controller developed here is to directly and transparently enforce a control input wc to the plant in order to fulfill the specification. This objective is emphasized through a transparent examination of the control loop regarding the well-posedness property (see Definition 3) and the controller realization scheme (Fig. 9). It is important to note that the feedback connection between the RWT-based supervisor and the plant is considered only for design purposes. In fact the obtained supervisor is not in an explicit feedback connection with the plant but is merged with the plant by using the synchronous product or the parallel composition. The automaton composed in this way is a generator with the language of the plant under control. This is the reason why a classical RWT-based supervisor is not applicable to I/O automata in its original version and cannot be directly used as a controller C in Fig. 1.

Regarding the complexity, it should be noticed that the I/O control law developed here is less complex than an equivalent I/O supervisor, as shown in Fig. 2. Strictly from a state space perspective, the I/O control law in Fig. 2(b) has three states whereas the I/O supervisor in Fig. 2(a) has five states. If |Zcon| and |Zsup| respectively represent the number of states of the I/O control law and the number of states of the I/O supervisor, the following relation can be easily proved, without considering selfloops: |Zsup| = 2|Zcon| − 1. By including selfloops, it should be considered that a selfloop in an I/O control law leads to an additional state in an I/O supervisor. Hence, the ratio |Zsup|/|Zcon| with selfloops is definitely higher than two, which is the value without selfloops. For many applications, which usually have many more states than in Fig. 2, the relation mentioned above can be simplified to |Zsup| = 2|Zcon|. Therefore, it can be stated that an I/O supervisor is almost twice as complex as an I/O control law. Strictly from a transition space perspective, a similar statement can also be made. However, this is only one aspect of the complexity, used for comparison purposes. In general, the specification contributes to making the supervisor synthesis in RWT an NP-hard problem [15]. In this framework, the specification rather reduces the complexity of the control law by means of the product operation while building the specification automaton (see Fig. 6). An extended complexity analysis of the control design method developed in this paper, given in Section 7, shows that the problem has a complexity of O(n) for Algorithm 2 (Decomposition of Nc). References [6, 8, 10, 12, 16, 18, 24, 34] proposed an approach to extract a controller as a Mealy automaton out of an RWT-based supervisor. In order to use this approach in the context of I/O automata, it would be necessary to first convert I/O automata into standard automata, then to translate the specification into a language, build the supervisor and finally extract the needed controller. Instead, a straightforward method to get a controller which is ready to be used and easy to implement is proposed in this work.

6. Application

The control design method proposed here has been experimentally applied to the 3-Tank system depicted in Fig. 10 at the Institute of Automation and Computer Control (Ruhr-Universität Bochum). The experimental apparatus consists of 3 tanks with a maximal filling height of 0.5 m. Each tank is equipped with 5 differential pressure sensors and a manual outflow valve such as V3 (Fig. 10) to empty the tank down to the collecting tank TC. The tank T2 is connected with T1 and T3 through electrically controlled valves like V2 which can be opened or closed. The pumps P1 and P2 are used to fill T1 and T3 with water from TC. Actuator and sensor signals are connected with a PLC of type SIMATIC C7-633 over a PROFIBUS communication. The PLC program exchanges those data with a personal computer (PC) in a 100 Mbit/s Ethernet network with a User Datagram Protocol (UDP) communication. The control law depicted in Fig. 11 is implemented w.r.t. Fig. 9 by means of the MATLAB/Simulink toolbox IDEFICS [25] with a sampling time of 0.5 s.

Figure 10: Apparatus setup of the 3-Tank system for experimental level control

Feedback controller synthesis. Recall that (33) is the state sequence to consider. According to (41) and (45), there are ν = 8 control laws able to enforce (33) in Np. The first control law Ac^(1) obtained by Algorithm 2 is depicted in Fig. 11 as an example. The resulting maximally permissive control law Nc obtained by the subsequent application of Algorithm 1 and (43) is depicted in Fig. 12.

Figure 11: Control law automaton Ac^(1)

Figure 12: Feedback controller automaton of the chemical plant

Experimental results. The execution of the control loop is done w.r.t. the control law Ac^(1) enforcing (33), which is loaded in the generator Z̄s(0···ke) of Fig. 9. Figure 13 illustrates the behavior of the plant under control of Ac^(1) shown in Fig. 11. The first and second plots show how the controller alternates between the pump P1 and the valve V2 through wc = 1 to fill T1 and wc = 2 to empty it. The third plot represents the set trajectory Z̄s(0···ke) of the controller as explained in Fig. 9. It is equivalent to the state sequence of the level of T1 as specified by (33). The peaks from state 4 to 5 or from state 1 to 0 are visible because of the very short rising or falling edges of the level sensors L4 or L1, respectively. The registered rising or falling edges show that state 4 or 1 has been reached and the pump P1 and the valve V2 must be switched on or off according to the control law. The last plot shows the continuous evolution of the level of T1.

Figure 13: Experimental realization of the level control process

These experiments demonstrate the theoretical correctness of the feedback controller and its applicability in an industrial environment. A video of the process is available on the website [25].

7. Complexity analysis

This section shows that the controller design problem is tractable when the main design procedures summarized in Algorithms 1 and 2 are analyzed. Firstly, the space complexity of the controller in both cases is obviously bounded, at worst, by the size |Zp| of the state space of the plant. Secondly, a worst-case time complexity estimation is represented in the following by two functions f1(n) and f2(n) for the aforementioned algorithms. In both cases, the maximal number of input/output combinations |Vs|·|Ws| of the specification automaton Ns is represented by the variable n ∈ ℕ in order to express the complexity of the problem: n = |Vs|·|Ws|. In addition, assignments are assumed to require 1 execution time unit. Only relevant parts of the algorithms are explained next to justify the results:
1. Algorithm 1 (Control law design): First, the computation of ν by means of (40) in the initialization step requires ke(|Vs| + |Ws|) executions in the worst case. The first for loop in Line 1 is executed ke times and the second one in Line 5, n times. The while loop in Line 7 is run ν + 1 times. The if statement and the subsequent assignments require n + 1 steps (Lines 8-12). In summary, the complexity of the whole algorithm is
$$f_1(n) = 2 + k_e(|V_s| + |W_s|) + k_e\big[2 + 2n + n(1 + (\nu+1)(n+1))\big] = k_e(\nu+1)n^2 + 4k_e n + (|V_s| + |W_s| + 2)k_e + 2 \qquad (53)$$
$$\Rightarrow\ f_1(n) \in O(n^2) \qquad (54)$$
2. Algorithm 2 (Decomposition of Nc): The computation of ν by means of (44) is not relevant in this algorithm because it is assumed to be given. However, for comparison purposes with Algorithm 1, note that it requires $\sum_{i=1}^{|K_e|} k_{e_i}$ steps. Both for loops (Line 3 and Line 9) have the same complexity as in Algorithm 1. The while loop in Line 8 needs 2(ν + 1) executions. The following complexity is deduced for this algorithm:
$$f_2(n) = 2 + k_e\big[4 + 2n + 2(\nu+1)(n+8)\big] = 2k_e(\nu+2)n + 20k_e + 16\nu + 2 \qquad (55)$$
$$\Rightarrow\ f_2(n) \in O(n) \qquad (56)$$
Equations (54) and (56) show that Algorithms 1 and 2 have a quadratic and a linear time complexity, respectively. Both estimations allow the conclusion that the control design problem stated in Section 1.2 is deterministically tractable at worst in polynomial time. Note that the complexity estimation given above can be improved in specific cases. In fact, n = |Vs|·|Ws| is an over-approximation which will rarely be necessary. It relies on the assumption that every input/output combination (vs, ws) of the specification automaton Ns is active at every state zs. In the sense of [22], this is clearly a pessimistic estimation of the actual bound of the needed executions.

8. Conclusion

The paper has presented a feedback control design method for plants described by nondeterministic I/O automata. Final states, state sequences and output sequences are the main specification types handled in this paper. Necessary and sufficient conditions for the safe feasibility of a specification are proposed. They guarantee that the control loop never blocks while fulfilling S. The presented control design method makes it possible to compute a maximally permissive control law Nc as well as control laws Ac^(i) by decomposing the former w.r.t. the specification S. The state sequence specification served as a canonical specification because the final state and output sequence specifications can be reformulated as sets of state sequences. It has been shown under which conditions each type of control law can be used to guarantee the nonblockingness of the control loop and the achievement of the specification. Control laws Ac are to be used in strictly well-posed control loops, whereas the supercontrol law Nc can be used in weakly well-posed control loops as well. This paper proposed an implementation-friendly realization scheme of the controller for each considered specification type. Working with symbolic adjacency matrices as presented here has the advantage of guaranteeing consistency of the results with a strong formalism. However, these matrices may be large. The development of efficient algorithms for matrix multiplication is still the subject of ongoing research. Nevertheless, the applicability of the approach has been demonstrated on the level control of a 3-Tank system. The controller design method of this paper constitutes an intermediate step towards controller reconfiguration for systems subject to faults. Formal reconfiguration methods that permit to recover the nonblockingness of the control loop and the achievement of the specification after a fault remain a current research topic [26].


References

[1] T. Aardenne-Ehrenfest and N.G. de Bruijn. Circuits and trees in oriented linear graphs. In I. Gessel and G.-C. Rota, editors, Classic Papers in Combinatorics, Modern Birkhäuser Classics, pages 149–163. Birkhäuser Boston, 1987.
[2] B. Alpern and F.B. Schneider. Recognizing safety and liveness. Distributed Computing, 2:117–126, 1987.
[3] A. Arnold, A. Vincent, and I. Walukiewicz. Games for synthesis of controllers with partial observation. Theoretical Computer Science, 303(1):7–34, 2003.
[4] S. Balemi, G.J. Hoffmann, P. Gyugyi, H. Wong-Toi, and G.F. Franklin. Supervisory control of a rapid thermal multiprocessor. IEEE Transactions on Automatic Control, 38(7):1040–1059, Jul. 1993.
[5] G. Barrett and S. Lafortune. Bisimulation, the supervisory control problem and strong model matching for finite state machines. Discrete Event Dynamic Systems, 8:377–429, 1998.
[6] M. Cantarelli and J.-M. Roussel. Reactive control system design using the supervisory control theory: evaluation of possibilities and limits. In Proceedings of the 9th International Workshop on Discrete Event Systems, pages 200–205, Göteborg, 2008.
[7] C.G. Cassandras and S. Lafortune. Introduction to Discrete Event Systems. Springer Science and Business Media, LLC, New York, 2008.
[8] F. Charbonnier, H. Alla, and R. David. Discrete-event dynamic systems. IEEE Transactions on Control Systems Technology, 7(2):175–187, 1999.
[9] M.H. De Queiroz and J.E.R. Cury. Synthesis and implementation of local modular supervisory control for a manufacturing cell. In 6th International Workshop on Discrete Event Systems, pages 377–382, 2002.
[10] P. Dietrich, R. Malik, W.M. Wonham, and B.A. Brandin. Implementation considerations in supervisory control. In B. Caillaud, P. Darondeau, L. Lavagno, and X. Xie, editors, Synthesis and Control of Discrete Event Systems, pages 185–201. Springer US, 2002.
[11] L. Du, S.L. Ricker, and P. Gohari. Decentralized supervisory control and communication for reactive discrete-event systems. In American Control Conference, 2006.
[12] M. Fabian and A. Hellgren. PLC-based implementation of supervisory control for discrete event systems. In Proceedings of the 37th IEEE Conference on Decision and Control, volume 3, pages 3305–3310, 1998.
[13] X. Geng and J. Hammer. Input/output control of asynchronous sequential machines. IEEE Transactions on Automatic Control, 50(12):1956–1970, Dec. 2005.
[14] V.-M. Glushkov. The abstract theory of automata. Russian Mathematical Surveys, 16(5):1–53, Oct. 1961. Translation from Uspekhi Matematicheskikh Nauk 16:5 (1961), pp. 3–62.
[15] P. Gohari and W.M. Wonham. On the complexity of supervisory control design in the RW framework. IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics, 30(5):643–652, Oct. 2000.
[16] C.H. Golaszewski and P.J. Ramadge. Control of discrete event processes with forced events. In 26th IEEE Conference on Decision and Control, pages 247–251, Dec. 1987.
[17] F. Harary. Graph Theory. Perseus Book Publishing, L.L.C., Boulder, 1969.
[18] J. Huang and R. Kumar. An optimal directed control framework for discrete event systems. IEEE Transactions on Systems, Man and Cybernetics, Part A: Systems and Humans, 37(5):780–791, Sep. 2007.
[19] T. Jeron, H. Marchand, V. Rusu, and V. Tschaen. Ensuring the conformance of reactive discrete-event systems using supervisory control. In 42nd IEEE Conference on Decision and Control, volume 3, pages 2692–2697, 2003.
[20] L. Lamport. Proving the correctness of multiprocess programs. IEEE Transactions on Software Engineering, SE-3:125–143, Mar. 1977.
[21] G.-L. Li. State feedback control of vector discrete event systems with forced events. In International Conference on Machine Learning and Cybernetics, pages 469–471, Aug. 2007.
[22] Y.-T.S. Li and S. Malik. Performance analysis of embedded software using implicit path enumeration. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 16(12):1477–1487, Dec. 1997.
[23] P. Mahdavinezhad, P. Gohari, and A.G. Aghdam. Supervisory control of discrete-event systems with output: Application to hybrid systems. In American Control Conference (ACC '07), pages 4291–4296, 2007.
[24] A. Morgenstern and K. Schneider. Synthesizing deterministic controllers in supervisory control. In J. Filipe, J.L. Ferrier, J. Cetto, and M. Carvalho, editors, Informatics in Control, Automation and Robotics II, pages 95–102. Springer Netherlands, 2007.
[25] Y. Nke. http://www.atp.rub.de/ftcdes, Dec. 2012.
[26] Y. Nke. Fault-Tolerant Control of Nondeterministic Input/Output Automata. PhD thesis, Ruhr-Universität Bochum, 2013.
[27] Y. Nke and J. Lunze. Fault-tolerant control of nondeterministic input/output automata subject to actuator faults. In 10th International Workshop on Discrete Event Systems, pages 360–365, Berlin, Sep. 2010.
[28] Y. Nke and J. Lunze. Control design for nondeterministic input/output automata. In Proceedings of the 18th IFAC Congress, pages 6994–6999, Milan, 2011.
[29] Y. Nke, S. Drüppel, and J. Lunze. Direct feedback in asynchronous networks of input-output automata. In Proceedings of the 10th European Control Conference, pages 2608–2613, Budapest, 2009.
[30] S. Perk, T. Moor, and K. Schmidt. Controller synthesis for an I/O-based hierarchical system architecture. In Proceedings of the 9th International Workshop on Discrete Event Systems, pages 474–479, Göteborg, 2008.
[31] M. Petreczky, R.J.M. Theunissen, R. Su, D.A. van Beek, J.H. van Schuppen, and J.E. Rooda. Control of input/output discrete-event systems. In Proceedings of the 10th European Control Conference, pages 1967–1972, Budapest, 2009.
[32] L.E. Pinzon, H.-M. Hanisch, M.A. Jafari, and T. Boucher. A comparative study of synthesis methods for discrete event controllers. Formal Methods in System Design, 15(2):123–167, Sep. 1999.
[33] P.J. Ramadge and W.M. Wonham. The control of discrete event systems. Proceedings of the IEEE, 77(1):81–98, Jan. 1989.
[34] J.-M. Roussel and A. Giua. Designing dependable logic controllers using the supervisory control theory. In Proceedings of the 16th IFAC Congress, Prague, 2005.
[35] A. Sanchez, G. Rotstein, N. Alsop, and S. Macchietto. Synthesis and implementation of procedural controllers for event-driven operations. AIChE Journal, 45(8):1753–1775, 1999.
[36] M.R. Shoaei, L. Feng, and B. Lennartson. Supervisory control of extended finite automata using transition projection. In 51st IEEE Conference on Decision and Control, Maui, Hawaii, pages 7259–7266, 2012.

Appendix A. Notation

Symbol                                              Description
$p, s, c$                                           Subscripts related to the plant ($p$), the specification ($s$) or the controller ($c$) automaton
$A_x$                                               Deterministic automaton related to $x \in \{p, s, c\}$
$N_x$                                               Nondeterministic automaton related to $x \in \{p, s, c\}$
$z_x$                                               State of the automaton $N_x$ or $A_x$
$v_x$                                               Input of the automaton $N_x$ or $A_x$
$w_x$                                               Output of the automaton $N_x$ or $A_x$
$k_e$                                               Maximal number of steps of a sequence
$K_e$                                               Ordered set of maximal indices $k_{ei}$ of state sequences with $i \in \mathbb{N}$
$Z_x(0 \cdots k_e)$                                 State sequence of $k_e$ steps
$Z_x(0 \cdots K_e)$                                 Set of state sequences $Z_{xi}(0 \cdots k_{ei})$ with $k_{ei} \in K_e$
$Z_{ax}(\cdot)$                                     Active state set operator of the automaton $N_x$ or $A_x$
$V_{ax}(\cdot)$                                     Active input set operator of the automaton $N_x$ or $A_x$
$W_{ax}(\cdot)$                                     Active output set operator of the automaton $N_x$ or $A_x$
$\nu$                                               Number of control laws
$\bigvee_{x}^{X} L(\cdot)$, $\bigwedge_{x}^{X} L(\cdot)$   Iteratively build the $\vee$ or $\wedge$ operation of $L(\cdot)$ for all $x \in X$. This is equivalent to $\bigvee_{x \in X}$ or $\bigwedge_{x \in X}$ and also holds for other big operators.

Table A.1: List of notation
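As an added illustration of the notation in Table A.1 (this is not code from the paper), the following Python stores a nondeterministic I/O automaton as a symbolic adjacency matrix and evaluates the active set operators Z_a, V_a and W_a on it. The behavioural-relation form L(z', w, z, v), the active-set definitions and the small level-control plant are assumptions of this example, not taken from the paper.

```python
# Added example (not code from the paper): a nondeterministic I/O automaton
# N = (Z, V, W, L, z0) stored as a symbolic adjacency matrix, with the active
# set operators Z_a, V_a, W_a of Table A.1. The behavioural-relation form
# L(z', w, z, v) and the active-set definitions are assumptions taken from
# the I/O-automata framework this paper builds on.

class IOAutomaton:
    def __init__(self, states, inputs, outputs, transitions, z0):
        self.Z, self.V, self.W, self.z0 = set(states), set(inputs), set(outputs), z0
        # Symbolic adjacency matrix M[z][zn]: set of (v, w) pairs labelling the
        # edge z -> zn, i.e. those with L(zn, w, z, v) = 1; empty set = no edge.
        self.M = {z: {zn: set() for zn in self.Z} for z in self.Z}
        for (zn, w, z, v) in transitions:
            self.M[z][zn].add((v, w))

    def L(self, zn, w, z, v):
        """Behavioural relation: True iff N may move from z to zn under v, emitting w."""
        return (v, w) in self.M[z][zn]

    # any(...) over W realises the big operator \bigvee_{w in W} L(.) of Table A.1
    def Za(self, z, v):
        """Active state set: successors of z reachable under input v."""
        return {zn for zn in self.Z if any(self.L(zn, w, z, v) for w in self.W)}

    def Wa(self, z, v):
        """Active output set: outputs the automaton may emit in z under input v."""
        return {w for w in self.W if any(self.L(zn, w, z, v) for zn in self.Z)}

    def Va(self, z):
        """Active input set: inputs for which z has at least one successor."""
        return {v for v in self.V if self.Za(z, v)}

    def generates(self, Z_seq, V_seq):
        """Check that the state sequence Z(0...ke) starting in z0 can be produced
        by the input sequence V(0...ke-1): z(k+1) must lie in Za(z(k), v(k))."""
        if len(Z_seq) != len(V_seq) + 1 or Z_seq[0] != self.z0:
            return False
        return all(zn in self.Za(z, v) for z, zn, v in zip(Z_seq, Z_seq[1:], V_seq))

def example_plant():
    """Constructed 3-state level plant (hypothetical, not the paper's 3-Tank model).
    Transitions are tuples (z', w, z, v); filling from 'empty' is nondeterministic."""
    T = [("half", "mid", "empty", "fill"), ("full", "high", "empty", "fill"),
         ("empty", "low", "empty", "hold"), ("full", "high", "half", "fill"),
         ("empty", "low", "half", "drain"), ("half", "mid", "half", "hold"),
         ("half", "mid", "full", "drain"), ("full", "high", "full", "hold")]
    return IOAutomaton(["empty", "half", "full"], ["fill", "drain", "hold"],
                       ["low", "mid", "high"], T, "empty")
```

Calling `example_plant().Za("empty", "fill")` returns both `half` and `full`, which is exactly the nondeterminism the active state set operator exposes to the controller design.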


Author Biographies

Yannick Nke received the Diploma in Electrical Engineering and Information Sciences from the Ruhr-Universität Bochum in 2008. From 2008 to 2013 he was a scientific co-worker at the Institute of Automation and Computer Control, where he obtained his PhD. His research was focused on control design, diagnosis and control reconfiguration of discrete-event systems.

Jan Lunze is Professor of Automatic Control and head of the Institute of Automation and Computer Control at the Ruhr-Universität Bochum, Germany, where he teaches systems and control theory. His research interests are in fault-tolerant control theory, hybrid dynamical systems, and discrete-event systems. He is author and co-author of numerous research papers and has written several monographs and textbooks including Diagnosis and Fault-Tolerant Control (Springer 2003, 2006), Automatisierungstechnik (Oldenbourg 2012), Regelungstechnik (Springer, several editions since 1996), and Ereignisdiskrete Systeme (Oldenbourg 2012).
