Controllability Revisited: A Generalization for the Modular Approach

Copyright © IFAC Information Control Problems in Manufacturing, Salvador, Brazil, 2004

ELSEVIER IFAC PUBLICATIONS www.elsevier.com/locate/ifac

CONTROLLABILITY REVISITED: A GENERALIZATION FOR THE MODULAR APPROACH

H. Flordal, M. Fabian, K. Akesson, A. Hellgren

Department of Signals and Systems, Chalmers University of Technology, SE-412 96 Gothenburg, Sweden
{hugo,fabian,ka,andh}@s2.chalmers.se

Abstract: In the Supervisory Control Theory, originally presented by Ramadge and Wonham (1989), an important property is controllability. The definition of controllability as originally presented assumed equal event sets, alphabets, in the specification and the plant. When this assumption does not hold, it has been argued that the differences in the alphabets can easily be removed. However, no matter how we choose to handle the differences, pursuing verification with the original definition will lead to false conjectures in some cases. A few examples of this are presented in this paper. In order to overcome the problem, a generalized controllability definition, allowing non-equal alphabets, is presented. It is of great importance to be able to verify controllability of subsystems with different alphabets when exploiting the modularity of discrete event systems for computationally efficient verification and synthesis. Copyright © 2004 IFAC

Keywords: Discrete Event Systems, Modular Supervisory Control Theory, Controllability, Finite Automata, Formal Methods

1. INTRODUCTION

Discrete Event Systems (DESs) are a useful modeling abstraction for certain, mainly man-made, systems, such as manufacturing systems and communication networks. The main characteristic of such systems is that at each time instant they occupy a discrete symbolic-valued state, and perform state-changes on the occurrence of events. Events occur asynchronously and instantaneously at discrete intervals of time. Thus, a DES's behavior is described by the sequences of events that occur, and the sequences of states visited consequently. Typically, this behavior can be described by regular languages and/or finite state automata. The Supervisory Control Theory (SCT), Ramadge and Wonham (1989), is a general approach to the synthesis of control systems for DESs. Given a plant, a DES describing the uncontrolled behavior, and a specification for the controlled behavior, a supervisor can be automatically synthesized to control the plant to stay within the specification. The supervisor controls the plant by dynamically disabling events that the plant otherwise might have generated. However, a subset of the plant events are not subject to supervisor disablement; they are uncontrollable, and the supervisor must be such that it never tries to disable an uncontrollable event that is enabled in the plant; the supervisor must be controllable with respect to the plant. It is known that a unique controllable and maximally permissive (in terms of event disablement) supervisor does exist for any given plant and specification. The synthesis task concerns finding this supervisor. Given a candidate supervisor, it is also of importance to verify whether this candidate is controllable or not.

Industrially, the SCT has not yet been accepted on a large scale. One reason for this is that industrially interesting cases typically encompass enormous state-spaces. On the other hand, models of industrial systems are typically also modular in the sense that they can be described as sets of interacting subsystems. Modular approaches to supervisor verification and synthesis can beneficially exploit the modularity to circumvent the state-space explosion. Approaches showing promising results include among others Queiroz and Cury (2000), Brandin et al. (2000), Akesson et al. (2002), Leduc (2002) and Flordal (2001). In these articles, there are a couple of different approaches to the problems of unequal alphabets. In Akesson et al. (2002), the problem is solved by using a generalized definition of controllability. In this paper, this new definition is further examined and its importance stressed. In its original formulation, the SCT assumes that the plant and the supervisor have the same alphabet. In modular systems, though, this is rarely the case. It has been argued that the modules in such systems can always be treated as alphabetically equal, for example by adding the missing events as self-loops. However, in the modular case this assumption is sometimes counterproductive, as this paper aims to show.

Mainly these problems appear in modular synthesis and verification approaches, where different alphabets appear naturally. The problems concern false conjectures that the original definition of controllability, Ramadge and Wonham (1989), results in when the assumption of equal alphabets does not hold.

This paper is organized as follows. Section 2 gives the notational conventions used. Section 3 then presents the original controllability definition together with an alternative definition also found in the literature. In section 4 the revised definition of controllability is presented, a definition that allows the alphabets to be non-equal. In section 5, a number of examples where the false conjectures arise are presented. In section 6, the results are discussed and finally, section 7 presents the conclusions.

2. PRELIMINARIES

This section presents the conventions used in this paper. The universe of discourse is deterministic finite automata and regular languages.

• A deterministic finite automaton is a 4-tuple $A = (Q^A, \Sigma^A, \delta^A, q_0^A)$ where $Q^A$ is the set of states, $\Sigma^A$ the set of events, $\delta^A$ the transition function and $q_0^A$ the initial state of A.
• $\Sigma$ is the universal alphabet of events. $\Sigma_u$ and $\Sigma_c$ are the sets of uncontrollable and controllable events, respectively. Also, $\Sigma = \Sigma_u \cup \Sigma_c$. In figures, an exclamation mark (!) before an event's name indicates that the event is uncontrollable.
• $\Sigma^*$ is the set of all finite sequences of events over the alphabet $\Sigma$, including the empty sequence, $\varepsilon$.
• For an automaton A, $L(A)$ is the set of all event sequences possible from the initial state of A, that is, $L(A)$ denotes the (prefix closed) language of A. The construct $L(A)\Sigma_u$ represents the concatenation of all traces of $L(A)$ with all events in $\Sigma_u$.
• $Proj_{\Sigma^A}$ is the natural projection onto the alphabet $\Sigma^A$, $Proj_{\Sigma^A} : \Sigma^* \to (\Sigma^A)^*$; the projection removes all occurrences of events in the set $\Sigma \setminus \Sigma^A$. $L_{\Sigma^A}(B)$ will be used as an abbreviation of $Proj_{\Sigma^A}(L(B))$.
• $Proj^{-1}_{\Sigma^A}$ is the inverse natural projection from the alphabet $\Sigma^A$ onto the alphabet $\Sigma$, $Proj^{-1}_{\Sigma^A} : (\Sigma^A)^* \to \Sigma^*$. In the automaton representation of a language, the inverse projection adds self-loops in all states for the events in the set $\Sigma \setminus \Sigma^A$. $L^{-1}_{\Sigma}(A)$, or simply $L^{-1}(A)$, will be used as an abbreviation of $Proj^{-1}_{\Sigma^A}(L(A))$. Also, $s^{-1}_{\Sigma} = Proj^{-1}_{\Sigma}(s)$.
• The synchronous composition of the automata A and B will be denoted $A\|B$, see for example Akesson et al. (2002). This composition operator models that mutual events occur in the composition if and only if they can occur simultaneously in both automata. In general, $L(A\|B) = L^{-1}_{\Sigma}(A) \cap L^{-1}_{\Sigma}(B)$.

3. CONTROLLABILITY

A supervisor controls a plant by dynamically disabling events, as in the Ramadge and Wonham framework, that the plant otherwise might generate. However, the supervisor must be such that it never tries to disable an uncontrollable event that is enabled in the plant; the supervisor must be controllable with respect to the plant. Controllability can be used to express safety properties. If safety critical events are modelled as uncontrollable, a controllability test verifies whether they are confined to occur only in states where the control function is prepared, i.e. does not disable the event.

3.1 Controllability definition

Definition 1. If $\Sigma^S = \Sigma^P$, S is controllable with respect to P if $L(S)\Sigma_u \cap L(P) \subseteq L(S)$.

Alternatively, using synchronous composition to model the closed-loop system, $S\|P$, the following definition can be used.

Definition 2. If $\Sigma^S \subseteq \Sigma^P$, S is controllable with respect to P if $L(S\|P)\Sigma_u \cap L(P) \subseteq L(S\|P)$.

Both definitions exist in the literature, and when the alphabets are equal the definitions are equivalent, a simple proof that is left out here.

4. REVISED DEFINITION

We propose a new definition of controllability, suitable for modular approaches. In the next section, motivation for using this definition will be given by a couple of examples where intuition suggests that definition 1 is wrong.

Definition 3. S is controllable with respect to P if $L^{-1}_{\Sigma}(S)\,\Sigma^P_u \cap L^{-1}_{\Sigma}(P) \subseteq L^{-1}_{\Sigma}(S)$, where $\Sigma^P_u = \Sigma_u \cap \Sigma^P$.

This definition can also be found as definition 5 in Akesson et al. (2002). In Heymann (1990), controllability is defined using the prioritized synchronous composition operator, defined in the same article. This produced a very compact definition: S is controllable with respect to P if $P\|S = P\;{}_{\Sigma}\|_{\Sigma_c}\;S$. This also implied equal languages, but the definition can be modified slightly to match definition 3, by using $P\|S = P\;{}_{\Sigma^P}\|_{\Sigma^S_c}\;S$ instead.

Note that, trivially, definition 3 is equivalent to definition 1 when $\Sigma^S = \Sigma^P$.

5. DIFFERENT ALPHABETS

To use definition 1, the alphabets must be adjusted somehow so that the problem fits the definition. When doing this, care must be taken not to introduce or hide uncontrollability in the system. To guarantee that there will be no false conjectures, definition 3 is necessary.

Focus will be put on problems associated with the use of definition 1. Using definition 2 solves some, but not all, of these problems, as explained in section 6.1. Definition 1 assumes the alphabets of S and P to be equal. This, however, cannot generally be expected. Discrete event systems are often built up of modules, representing different aspects of a process or a control specification. These modules potentially have very different alphabets. The modules are, of course, intended to interact, but verification and synthesis can actually be performed modularly. Requiring that the supervisor and the plant share all events would prohibit this optimization. To exploit the modularity efficiently, it is important to have a meaningful definition of controllability for supervisors and plants with different alphabets. Even if the system is not modular, it is unnecessary to demand a supervisor to contain all events of the plant it is supposed to control. Some events may be irrelevant for control reasons. For example, in a sequence of events without possible branches, it is sometimes enough to consider the initial and final event of the sequence in the supervisor, i.e. the supervisor can be working at a higher level of abstraction.

5.1 Modular verification

In modular verification, the general setting is a plant composed of subplants, $P = P_1\|\ldots\|P_m$, and a specification composed of subspecifications, $S = S_1\|\ldots\|S_n$, with no general assumptions on the subautomata's alphabets. In general, it cannot even be expected that $\Sigma^P = \Sigma^S$. In Akesson et al. (2002), it is shown that if each subspecification $S_i$ is controllable with respect to the plants with which it shares uncontrollable events, then S is controllable with respect to P. Thus, in the best case, there is only need to compose each subspecification with a subset of the plant automata and never compose the whole state space. It is also shown that even smaller sets of automata can be composed, since it is enough to consider one uncontrollable event at a time and even one plant at a time in a similar manner. This means that it will be necessary to verify controllability of specifications and plants where the alphabets can be very different and not much can be assumed. In general, it is important to be able to decide whether subautomata $S_i$ and $P_j$ will cause any problems without having to build a model (by synchronous composition) of the entire system. Due to state space explosion, representing such a model may be impossible.

Modular verification relies much on the implicit relations, the modular structure between automata, induced by the way events are shared or not shared. By naively equating the alphabets in one way or another, the modular structure is destroyed. The problem can be said to arise in the relation between languages and automata. When discussing languages, equal alphabets is very important, whereas in an automaton approach it is not. This can be illustrated by the compactness of the "automata based" controllability definition in section 4. For more on modular verification, see Queiroz and Cury (2000), Brandin et al. (2000), Leduc (2002), Flordal (2001) and Akesson et al. (2002). On modular synthesis, see Flordal (2001) and Akesson et al. (2002).
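Definition 3 as an executable check, added here for illustration and not taken from the paper or from the authors' tools: each automaton is lifted to the union alphabet (self-loops for events outside its own alphabet, i.e. the inverse projection of section 2) and the reachable states of $S\|P$ are searched for an event of $\Sigma^P_u$ that P enables and S disables. Leaving the missing events disabled instead gives definition 1 after the disablement of section 5.2.1, and self-looping only P gives definition 1 after the expansion of section 5.2.3. The plant and supervisor automata for figures 1, 2 and 5 are constructed from their descriptions in section 5.3 (the figures themselves are not part of this text), with u as the only uncontrollable event.

```python
from collections import deque

SIGMA_U = {"u"}      # constructed for this example: u is the only uncontrollable event


class Automaton:
    """Deterministic finite automaton (Q, Sigma, delta, q0); delta is a dict."""

    def __init__(self, alphabet, delta, init):
        self.alphabet = set(alphabet)
        self.delta = dict(delta)          # (state, event) -> next state
        self.init = init

    def enabled(self, state, event, missing):
        # Lift A to the union alphabet: an event outside Sigma^A is either a
        # self-loop ("selfloop", the inverse projection of section 2) or stays
        # disabled ("disable", section 5.2.1: alphabet enlarged, L(A) unchanged).
        if event not in self.alphabet:
            return missing == "selfloop"
        return (state, event) in self.delta

    def step(self, state, event):
        return self.delta.get((state, event), state)   # lifted self-loop


def controllable(S, P, sigma_u, missing_s="selfloop", missing_p="selfloop"):
    """BFS over the reachable states of S||P.  Returns (True, None) or (False, trace)
    for the first trace after which P enables an event of sigma_u that S disables.
    Deterministic automata and prefix-closed languages make this equal to the inclusion."""
    sigma = S.alphabet | P.alphabet
    seen = {(S.init, P.init)}
    queue = deque([(S.init, P.init, ())])
    while queue:
        s, p, trace = queue.popleft()
        for e in sorted(sigma):
            p_ok = P.enabled(p, e, missing_p)
            s_ok = S.enabled(s, e, missing_s)
            if p_ok and not s_ok and e in sigma_u:
                return False, trace + (e,)
            if p_ok and s_ok:
                nxt = (S.step(s, e), P.step(p, e))
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt + (trace + (e,),))
    return True, None


def definition3(S, P):
    # Both languages inverse-projected onto Sigma; Sigma_u^P = Sigma_u & Sigma^P.
    return controllable(S, P, SIGMA_U & P.alphabet)[0]


def definition1_disable(S, P):
    # Definition 1 after disablement (5.2.1): alphabets equated, languages kept.
    return controllable(S, P, SIGMA_U, "disable", "disable")[0]


def definition1_expand_P(S, P):
    # Definition 1 after expansion (5.2.3) of Sigma^P by inverse projection.
    return controllable(S, P, SIGMA_U, "disable", "selfloop")[0]


# Plant/supervisor pairs constructed from the descriptions of figures 1, 2 and 5.
FIG1_P = Automaton({"c", "u"}, {("p0", "c"): "p1", ("p1", "u"): "p1"}, "p0")
FIG1_S = Automaton({"u"}, {("s0", "u"): "s1"}, "s0")               # u only once
FIG2_P = Automaton({"c", "u"}, {("p0", "c"): "p1", ("p1", "u"): "p2"}, "p0")
FIG2_S = Automaton({"c"}, {("s0", "c"): "s1"}, "s0")               # u not in Sigma^S
FIG5_P = Automaton({"c"}, {("p1", "c"): "p2"}, "p1")               # u not in Sigma^P
FIG5_S = Automaton({"c", "u"}, {("s1", "c"): "s2", ("s2", "u"): "s2"}, "s1")
```

For figures 1, 2 and 5, definition3 returns False, True and True, matching the discussion in section 5.3, while the definition 1 variants (disablement for figures 1 and 2, expansion of $\Sigma^P$ for figure 5) return True, False and False, the false conjectures listed in Table 1.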

5.2 Adjusting the Alphabets

When the alphabets are not equal, they need to be adjusted in order to fit definition 1. In general, we have two languages, $L_A \subseteq (\Sigma^A)^*$ and $L_B \subseteq (\Sigma^B)^*$, where $\Sigma^A \subset \Sigma^B$. There are basically three ways to make non-equal alphabets equal: disablement, restriction and expansion. They will be presented in greater detail in sections 5.2.1, 5.2.2 and 5.2.3, respectively. Note that it might seem that the case of incomparable alphabets has been left out. But without loss of generality, this case needs no special treatment, since the problems that arise are the same. To make the alphabets equal, a combination of the above strategies must be used, and uncontrollabilities may appear or disappear in the same ways.

5.2.1 Disablement

Perhaps the simplest way to get equal alphabets is to simply set $\Sigma^A = \Sigma^B$ without changing the language $L_A$. This effectively disables all the events in $\Sigma^B \setminus \Sigma^A$.

5.2.2 Restriction

Another way to get equal alphabets is to restrict $L_B$ to the alphabet of $L_A$, making $(\Sigma^B)' = \Sigma^A$. The restriction of $L_B$ is

(1)

Note that this operation may cause an automaton to turn non-deterministic, but as long as languages are considered, this can be ignored. In practice, it would be necessary to make the automaton deterministic, which is a potentially costly operation.

5.2.3 Expansion

The third way to get equal alphabets is to expand $L_A$ to contain all events in the alphabet of $L_B$, making $(\Sigma^A)' = \Sigma^B$. The expansion of $L_A$ is

(2)

Applied to the automaton representing $L_A$, this operation adds self-loops in all states for the events in the set $\Sigma^B \setminus \Sigma^A$.

5.3 Problem Cases

None of the above strategies is a universal solution. They may work in some cases but not always, as will be shown by the following very minimalistic examples. Each example starts with a discussion on whether the example reasonably should be considered controllable or uncontrollable, without actually applying any formal controllability definitions. This aims to produce an understanding of what the correct answer should be. After this, definition 1 is applied and the result is discussed. Note that in all the following examples, in figures 1 to 5, the alphabets of the automata consist of exactly the events that are explicitly represented in each automaton. Uncontrollable events have exclamation marks in front of them.

5.3.1 Disablement of $\Sigma^P \setminus \Sigma^S$

In figure 1, the plant executes a controllable event followed by an arbitrary number of executions of an uncontrollable event. But the supervisor only enables the uncontrollable event once. S might, for example, come from the informal specification "u must happen only once", and in such a specification the event c is irrelevant. Therefore, S must be considered uncontrollable with respect to P. If it is simply assumed that $\Sigma^S = \Sigma^P$, S will disable the controllable event c at all times and S is thus falsely considered controllable with respect to P.

Fig. 1. To make the alphabets of S and P equal, simply set $\Sigma^S = \Sigma^P$.

There is also the perhaps less obvious case depicted in figure 2: the supervisor never disables u, as the event is not represented in S's alphabet. Therefore, S must be considered controllable with respect to P.

If definition 1 is used, by naively treating the alphabets as being equal, it is found that the sequence c in S followed by the uncontrollable event u, which is in $L(P)$, is not included in $L(S)$, and S is falsely considered uncontrollable with respect to P.

Fig. 2. To make the alphabets of S and P equal, simply set $\Sigma^S = \Sigma^P$.

5.3.2 Disablement of $\Sigma^S \setminus \Sigma^P$

In figure 3, the event a does not exist in P, but S specifies that a must occur before P can be allowed to start its execution. Thus, S disables b until a has occurred, and when a has occurred, the supervisor disables the uncontrollable event u. Therefore, S must be considered uncontrollable with respect to P.

If definition 1 is used, neither S nor P can leave their initial states, since P disables a and S disables b. The automata are blocked in their initial states and nothing bad can happen, thus S is falsely considered controllable with respect to P.

Fig. 3. To make the alphabets of S and P equal, simply set $\Sigma^P = \Sigma^S$.

5.3.3 Restriction of $\Sigma^S$

In figure 4, the supervisor disables the uncontrollable event u in the initial state. Only after the occurrence of the event c is u enabled. Since P can execute the uncontrollable event u in the initial state, S must be considered uncontrollable with respect to P.

When the alphabet of S is restricted, all occurrences of events not represented in P are removed from $L(S)$. That is, S only keeps its initial state with the self-loop of u, $L_{\Sigma^P}(S) = \{\varepsilon, u^*\}$. In other words, S now accepts u to occur at any time and S is falsely considered controllable with respect to P.

Fig. 4. To make the alphabets of S and P equal, the alphabet of S is restricted by projecting $L(S)$ onto $\Sigma^P$.

5.3.4 Expansion of $\Sigma^P$

In figure 5, the supervisor happens to allow an uncontrollable event in the state s2, an uncontrollable event that is not present in P. This must be appropriate, since the plant will never attempt to execute the event. Therefore, S must be considered controllable with respect to P.

To make the alphabets equal, we may expand P's alphabet to $\Sigma^S$ so that $L^{-1}_{\Sigma}(P) = \{\varepsilon, u^*, u^*cu^*\}$. Since the uncontrollable event u is now enabled in P's initial state, while it is still disabled in S's initial state, S is falsely considered uncontrollable.

Fig. 5. To make the alphabets of S and P equal, the alphabet of P is expanded by taking the inverse projection of $L(P)$.

6. DISCUSSION

Most importantly, if the examples in the last section are reexamined using definition 3, this gives the same results as the discussions in all five examples.

6.1 Table of Errors

Table 1 shows that there is no universal solution for using definition 1. It will cause problems in some cases. Note that the symbols in the table correspond to the five examples above and actually appear in the same order.

In the case where $\Sigma^P \subset \Sigma^S$, none of the mentioned methods can guarantee a correct result.

If definition 2 is used instead, the two problems in the first row of the table disappear, simply because the alphabets of $S\|P$ and P become equal.

Table 1. Table of when incorrect results can be expected from using definition 1. !u stands for risk of a falsely uncontrollable result and !c for risk of a falsely controllable result.

                               disable    restrict    expand
$\Sigma^S \subset \Sigma^P$    !c, !u
$\Sigma^P \subset \Sigma^S$    !c         !c          !u

But the three problems in the second row remain, as can be shown by the same three examples. Apparently, as indicated by the two empty cells in the table, when $\Sigma^S \subset \Sigma^P$, both restriction and expansion solve the problem. We will prove this by showing that the projection of interest will yield the same result as definition 3.

Proposition 1. When $\Sigma^S \subset \Sigma^P$, using $L_{\Sigma^S}(P)$ instead of $L(P)$ in definition 1 gives the same result as using definition 3.

Proof. To prove the proposition, it must be shown that

$$L(S)\Sigma_u \cap L_{\Sigma^S}(P) \subseteq L(S) \qquad (3)$$

$$\Leftrightarrow \qquad L^{-1}_{\Sigma}(S)\,\Sigma^P_u \cap L^{-1}_{\Sigma}(P) \subseteq L^{-1}_{\Sigma}(S). \qquad (4)$$

Since $\Sigma^S \subset \Sigma^P$, we have that $\Sigma^P_u = \Sigma_u$ and $L^{-1}_{\Sigma}(P) = L(P)$. Thus, the last expression can be rewritten to $L^{-1}_{\Sigma}(S)\,\Sigma_u \cap L(P) \subseteq L^{-1}_{\Sigma}(S)$. To show the equivalence, it is enough to show that whenever (3) holds or does not hold, the same goes for (4). If (3) holds, it must be so that $\forall s \in L(S)$ and $\forall u \in \Sigma_u$ such that $su \in L_{\Sigma^S}(P)$ it must also hold that $su \in L(S)$. However, since $L(P)$ is prefix closed, it must also be so that $\exists s'u \in L(P)$ such that the projection of $s'u$ onto $\Sigma^S$ is exactly $su$. Now, $\Sigma^S \subset \Sigma^P$ implies that $s' \in s^{-1}_{\Sigma}$ for all such $s'$, i.e. $s'u \in s^{-1}_{\Sigma}u \subseteq L^{-1}_{\Sigma}(S)$, which proves that (4) also holds.

Conversely, if (3) does not hold, $\exists s \in L(S)$ and $\exists u \in \Sigma_u$ such that $su \in L_{\Sigma^S}(P)$ but $su \notin L(S)$. Note also that $su \in L_{\Sigma^S}(P) \Rightarrow u \in \Sigma^S$. Similarly to the previous, $\exists s'u \in L(P)$ with $s' \in s^{-1}_{\Sigma}$, but now, since $su \notin L(S)$ and $u \in \Sigma^S$, it holds that $s'u \notin L^{-1}_{\Sigma}(S)$. This proves that (4) does not hold either, and this proves the proposition. ∎

Proposition 2. When $\Sigma^S \subset \Sigma^P$, using $L^{-1}_{\Sigma}(S)$ instead of $L(S)$ in definition 1 gives the same result as using definition 3.

Proof. Since $\Sigma^S \subset \Sigma^P$, it is also so that $L(P) = L^{-1}_{\Sigma}(P)$ and $\Sigma_u = \Sigma^P_u$. This trivially implies that

$$L^{-1}_{\Sigma}(S)\,\Sigma_u \cap L(P) \subseteq L^{-1}_{\Sigma}(S) \;\Leftrightarrow\; L^{-1}_{\Sigma}(S)\,\Sigma^P_u \cap L^{-1}_{\Sigma}(P) \subseteq L^{-1}_{\Sigma}(S).$$ ∎

6.2 Explanation

The reason why definition 3 can be used will now be explained informally. Firstly, by using $\Sigma^P_u$ instead of $\Sigma_u$, as in definition 1, situations where uncontrollable events in S affect P are avoided. This solves problems of the kind represented in figure 5. By using $L^{-1}_{\Sigma}(S)$ instead of $L(S)$, figure 1 and 2 type problems are solved, and by using $L^{-1}_{\Sigma}(P)$ instead of $L(P)$, figure 3 and 4 type problems are solved.

In short, definition 3 expands both alphabets to the union alphabet but avoids situations like the one in figure 5 by using $\Sigma^P_u$ instead of $\Sigma_u$.

7. CONCLUSIONS

In this paper, a generalized controllability definition was presented for the purpose of verification and synthesis of controllability in modular systems. Modular systems appear naturally in many application areas, e.g. manufacturing systems, traffic management systems and telecommunication networks.

The need for a generalized definition was motivated by a few examples of situations where the intuitive controllability status of a system proved to be opposite to what the standard controllability definition would suggest. Conditions were also given for when the original definition will work.

Future research will consider approaches to modular nonblocking synthesis and verification.

REFERENCES

Akesson, K., H. Flordal and M. Fabian (2002). Exploiting modularity for synthesis and verification of supervisors. In: Proc. of the 15th Triennial World Congress of the International Federation of Automatic Control. Barcelona, Spain.

Brandin, B., R. Malik and P. Dietrich (2000). Incremental system verification and synthesis of minimally restrictive behaviors. In: Proc. of the 2000 American Control Conference. Chicago, USA. pp. 4056-4061.

Flordal, H. (2001). Modular controllability verification and synthesis of discrete event systems. Master's thesis. Chalmers University of Technology, Department of Signals and Systems.

Heymann, M. (1990). Concurrency and discrete event control. IEEE Control Systems Magazine 10(4), 103-112.

Leduc, R. J. (2002). Hierarchical Interface-based Supervisory Control. PhD thesis. University of Toronto, Canada.

Queiroz, M.H. de and J.E.R. Cury (2000). Modular control of composed systems. In: Proceedings of the American Control Conference. pp. 4051-4055.

Ramadge, P. and W.M. Wonham (1989). The control of discrete event systems. Proc. of IEEE 77(1), 81-98.