Supervisory control of discrete event systems with distinguishers

Automatica 56 (2015) 93–104

Contents lists available at ScienceDirect

Automatica journal homepage: www.elsevier.com/locate/automatica

Supervisory control of discrete event systems with distinguishers✩ José E.R. Cury a , Max Hering de Queiroz a , Gustavo Bouzon b , Marcelo Teixeira a a

Departamento de Automação e Sistemas, Universidade Federal de Santa Catarina, Florianópolis, Brazil

b

Optimale Engenharia e Soluções Tecnológicas, Campo Grande, Brazil

article

info

Article history: Received 4 September 2012 Received in revised form 25 November 2014 Accepted 19 March 2015

Keywords: Discrete event systems Supervisory control Distinguishers Approximations

abstract This paper deals with two relevant aspects of the Supervisory Control Problem (SCP) of Discrete Event Systems (DES): the degree of difficulty faced when modeling specifications to be fulfilled by the system under control, and the computational complexity of the synthesis procedure. The presented approach consists in refining the set of events of a DES model into a new set. Each refinement is properly chosen to identify a particular instance of the original event in the system, which may simplify the modeling of specifications. A map named Distinguisher is then proposed to establish the relationship between strings of the original and refined alphabets. It is initially shown that using a refined set of events to solve a SCP directly leads to the optimal control solution, yet without providing computational advantages in synthesis with respect to the nonrefined method. Then, we propose the use of outer-approximations for the refined DES model as a way to reduce the cost of synthesis, while preserving controllability, least restrictiveness and nonblocking of the control solution. Two examples of manufacturing systems illustrate our results. © 2015 Elsevier Ltd. All rights reserved.

1. Introduction Information is a key issue to be considered in the Supervisory Control Problem (SCP) for Discrete Event Systems (DES) (Ramadge & Wonham, 1987), since it affects several aspects of the problem resolution. Three of those aspects are: the conditions for the existence of solutions to the problem; the computational complexity of the synthesis procedure; and the degree of difficulty faced when modeling specifications to be fulfilled by the system under control. On one hand, restrictions imposed to the information channels connecting a plant to controller agents may induce partial observability in the system. This may happen due to the lack of specific sensors (Cieslak, Desclaux, Fawaz, & Varaiya, 1988; Huang, Rudie,

✩ This work was supported by the Brazilian National Council for Scientific and Technological Development (CNPq) under grants 307655/2014-8 and 554056/2009-7. The material in this paper was partially presented at the 9th International Workshop on Discrete Event Systems, May 28–30, 2008, Göteborg, Sweden and at the 7th IEEE International Conference on Control and Automation, December 9–11, 2009, Christchurch, New Zealand. This paper was recommended for publication in revised form by Associate Editor Jan Komenda under the direction of Editor Ian R. Petersen. E-mail addresses: [email protected] (J.E.R. Cury), [email protected] (M.H. de Queiroz), [email protected] (G. Bouzon), [email protected] (M. Teixeira).

http://dx.doi.org/10.1016/j.automatica.2015.03.025 0005-1098/© 2015 Elsevier Ltd. All rights reserved.

& Lin, 2008; Lin & Wonham, 1988, 1990) or by the use of decentralized control structures where local supervisors have access only to local subsets of the whole set of events generated by the plant (Lin & Wonham, 1990; Rudie & Wonham, 1992; Yoo & Lafortune, 2002). Partial observability of events leads to changes in the conditions under which a solution can exist for the SCP, compared to the case of total observability. In this sense, some authors have considered the problem of computing sets of events that should be made observable in order to assure the existence of solutions to the SCP (Haji-Valizadeh & Loparo, 1996; Khuller, Kortsarz, & Rohloff, 2004; Yoo & Lafortune, 2002). Moreover, whenever a solution exists, partial observability implies modifications in the supervisor synthesis and associated computational complexity. Information can also be examined from another perspective: the abstraction level used to represent a plant model can be suitable to express certain specifications, yet inadequate for others. Consider a particular occurrence of an observable event in the system evolution. Depending on the abstraction level assumed in the DES model, a control designer may have to keep track of previous event traces leading to the occurrence of a specific event, in order to completely assess the state information brought by that event. For example, modeling the underflow requirement for workpieces in a buffer with events ‘‘pick-up’’ and ‘‘insert’’ requires keeping track of the whole trace of such events in order to distinguish the occurrences of events that make the buffer empty.

94

J.E.R. Cury et al. / Automatica 56 (2015) 93–104

Extensions of the hierarchical control abstract the original system model into a higher-level model in such a way that previously complex specifications can be expressed using high-level symbols. Two of these extensions are in general seen in the literature: one that builds abstractions by erasing some events of the original lowlevel model through natural projections (da Cunha & Cury, 2007; Feng & Wonham, 2008; Schmidt, Moor, & Perk, 2008); and another, that assigns to the abstracted model its own set of events, and the high-level model is obtained by a map that reports the occurrence of particular high-level events, whenever the original model reaches some specific states (Wong & Wonham, 1996; Zhong & Wonham, 1990). In this sense, events of the abstracted model represent actually strings in the original low-level model. In opposition to the bottom-up approach considered in hierarchical control, in many situations it may happen that the abstraction level of a DES model, available for the resolution of a particular SCP, is too high. Then, representing a specification may become a too hard engineering task. In fact, while the ability to manage a modeling task is usually limited to a few dozens of states, an automaton model for a single specification may involve hundreds of states. In these cases, refining the original model by enriching information on occurrences of some events in the system can facilitate or make modeling tasks feasible. This paper proposes an approach to modify a given model in order to simplify the design of originally complex specifications. It subsumes preliminary results in Bouzon, de Queiroz, and Cury (2008, 2009). The presented method is based on the refinement of the original set of events, along with the concept of a Distinguisher, a map of each string of original system events to strings of refined events, representing occurrences of the original events with particular semantics. By suitably refining a model using a Distinguisher, a complex specification modeling task can be turned into a much easier one, by an appropriate use of the distinguished set of events. We show, then, that the optimal solution of the SCP can be obtained by incorporating the distinguisher in the plant model. We also show that refining a model does not imply increasing the computational complexity of synthesis. Although this approach allows the designer to more easily express specifications, the synthesis effort may remain an obstacle to solve the SCP. Then, a further contribution of this paper is to show how distinguishers can be used to construct outer-approximations of a refined model, such that a solution to the SCP is synthesized with computational gains. Conditions to guarantee controllability, least restrictiveness and nonblocking are also derived. The idea of events distinction, as presented in this paper, has already been adopted in the literature for specific purposes. For example, inspired on the results in Bouzon et al. (2008, 2009), a distinguisher has been used as a step of the compositional synthesis to avoid nondeterminism of automata (Mohajerani, Malik, & Fabian, 2014). This improves the construction of abstractions to be used in synthesis, which may gratefully reduce its computational cost. In contrast, modeling tasks are addressed in Oliveira, Cury, and Kaestner (2004), Chen and Lin (2001), Kumar and Garg (2005), Ouedraogo, Kumar, Malik, and Akesson (2011), by extending a standard automaton with the addition of variables. In Chen and Lin (2001); Kumar and Garg (2005); Oliveira et al. (2004), infinite states systems are handled, with forbidden state specifications being expressed as predicates defined on the variables, while non-blocking issues are addressed only by Ouedraogo et al. (2011). None of these works, however, deals with the idea of using approximations as a way to alleviate the computational cost of synthesis. The results of this paper are illustrated in the context of two examples. The first example describes a manufacturing system with material feedback, which contains a particular (complex) specification. The modeling is addressed with the help of a distinguisher and the synthesis complexity is reduced by using an approximation for the plant. This approach leads, firstly, to a sub-optimal

solution. Then an intermediate approximation is proposed, which finally leads to the optimal solution, while keeping important computational gains. The second example exploits the overflow and underflow control of a buffering system. The modeling is again handled using distinguishers and the synthesis with approximations (coarsest), in this case, directly leads to the optimal solution. The paper is structured as follows. Notation, preliminary concepts and the SCP are introduced in Section 2. Section 3 presents the SCP with distinguishers and introduces a manufacturing system example. Key results regarding the efficient solution to this problem are presented in Section 4 and illustrated using the same example. An additional example is presented in Section 4.4 and some conclusions are discussed in Section 5. 2. Preliminaries Some notations related to the Supervisory Control Theory (Ramadge & Wonham, 1987) are presented. Let Σ be a finite set of symbols, named alphabet. Σ ∗ denotes the set of finite strings formed with elements of Σ , including the empty string ϵ . The length of a string s is denoted by |s|. Given two strings s, t ∈ Σ ∗ , s is a prefix of t (s ≤ t) if there is u ∈ Σ ∗ such that the concatenation su = t. Any subset of Σ ∗ is a language on Σ . A language L is prefixclosed if L = L, where L = {u ∈ Σ ∗ : u ≤ s, s ∈ L} is the prefix closure of L. We say that an event σ ∈ Σ is eligible after a string s in a language L if sσ ∈ L. Two languages L and M are nonconflicting when L ∩ M = L ∩ M. The open-loop behavior of a DES (plant) is modeled by an automaton G = (Σ , X , g , x0 , Xm ), where Σ is the alphabet of events, X is the set of states, x0 ∈ X is the initial state, Xm ⊆ X is the subset of marked states and g : X × Σ → X , the transition function, is a partial function defined in each state of X for a subset of Σ . The behavior of a plant G is represented by the generated language L(G) ⊆ Σ ∗ , a prefix-closed language containing all the sequences of events that can be generated by the plant, and by the marked language Lm (G) ⊆ L(G), containing strings that represent complete tasks. The parallel composition (Cassandras & Lafortune, 2008) of two automata, G1 and G2 , is denoted by G1 ||G2 and the same notation is used for the parallel composition of languages. The control structure of G is defined by a partition Σ = Σc ∪ Σu , where Σc is the set of controllable events, whose occurrence can be disabled, and Σu is the set of uncontrollable events, that cannot be disabled. A (marker) supervisor S is a map S : L(G) → 2Σ together with a language LS ⊆ Lm (G) such that, for each string s generated by G, the control action of S over G (denoted by S /G) enables events of S (s) ⊆ Σ , with Σu ⊆ S (s), and marks strings s ∈ LS . The generated closed-loop behavior, given by the language L(S /G), corresponds to the set of strings of L(G) that survive under control; it can be recursively defined as (i) ϵ ∈ L(S /G), and (ii) sσ ∈ L(S /G) ⇔ s ∈ L(S /G) ∧ sσ ∈ L(G) ∧ σ ∈ S (s). On the other hand, the marked closed-loop behavior is given by Lm (S /G) = L(S /G) ∩ LS . S is said to be nonblocking when L(S /G) = Lm (S /G). Now, the supervisory control problem can be presented as follows. Problem 1 ([SCP] Ramadge & Wonham, 1987). Given a plant G defined on Σ and a specification E ⊆ Σ ∗ for G, defining a desired behavior K = E ∩ Lm (G), find a nonblocking supervisor S such that Lm (S /G) ⊆ K . A language K ⊆ Σ ∗ is said to be controllable with respect to (wrt) L when K Σu ∩ L ⊆ K . Controllability of a nonempty language K ⊆ Lm (G) is a necessary and sufficient condition for the existence of a nonblocking supervisor S such that Lm (S /G) = K (Ramadge & Wonham, 1987). In this case, S such that Lm (S /G) = K may be implemented by any automaton V such that K = Lm (V ) ∩ Lm (G) and K = L(V ) ∩ L(G). The control action of S is implemented by disabling eligible events in L(G) that are not eligible in L(V ), after a

J.E.R. Cury et al. / Automatica 56 (2015) 93–104

95

string s ∈ L(S /G). Marking action corresponds to marking strings that are marked in both V and G. Let C (K , G) = {L ⊆ K | L is controllable wrtL(G)}. C (K , G) has a unique supremal element denoted by supC (K , G), which represents the least restrictive behavior possible to be implemented by a nonblocking supervisor S controlling G. In this case S, such that Lm (S /G) = supC (K , G) and L(S /G) = supC (K , G), is an optimal solution to the SCP.

That is, a distinguisher D is a prefix-preserving map that replaces every string in Σ ∗ by a nonempty set of strings in ∆∗ , representing instances of the original sequences of events in the refined alphabet. Strings in ∆∗ are constructed by replacing every mask of strings in Σ ∗ by corresponding refined events. It follows that the map Π −1 is a particular case of a distinguisher and D(s) ⊆ Π −1 (s), ∀s ∈ Σ ∗ . A distinguisher may be extended to any language L ⊆ Σ ∗ , by

3. Supervisory control with distinguishers

D(L) = {r ∈ ∆∗ | ∃s ∈ L, r ∈ D(s)}.

In this section we present the concept of a Distinguisher (Bouzon et al., 2008, 2009), used to enrich the model of a DES by distinctly naming particular occurrences of events in the system. We show that a richer alphabet may allow to express control specifications in a simpler manner. Then, we reformulate the SCP to consider the use of distinguishers and show how the problem can be optimally solved in the refined alphabet. An example of a manufacturing system illustrates our approach. 3.1. Distinguishers

∗

Proposition 1. For a distinguisher D : Σ ∗ → 2∆ , with a masking map Π : ∆∗ → Σ ∗ , and any language L ⊆ Σ ∗ , it follows that Π (D(L)) = L. Proof. Since D(L) ⊆ Π −1 (L), we have Π (D(L)) ⊆ Π (Π −1 (L)) = L. Now let s ∈ L ⊆ Σ ∗ and t ∈ D(s) ⊆ Π −1 (s). Then t ∈ D(L) and s = Π (t ) ∈ Π (D(L)). ∗

Given a DES with events in Σ , let us assume that each element σ ∈ Σ is a mask for events of a set ∆σ ̸= ∅, chosen in a manner to identify particular instances of σ in the system behavior. For masks σ1 , σ2 ∈ Σ , such that σ1 ̸= σ2 , let us also assume that ∆σ1 ∩ ∆σ2 = ∅ . Thus Σ is a set of masks for events in the refined alphabet ∆ = ˙ σ ∈Σ ∆σ . The relationship between the alphabets Σ and ∆ is defined by a map, as follows. Definition 1 (Masking Map). A masking map Π : ∆∗ → Σ ∗ is recursively defined by

Π (ϵ) = ϵ, Π (t δ) = Π (t )σ ,

From the above definition, the following propositions can be stated:

σ

for t ∈ ∆ , δ ∈ ∆ and σ ∈ Σ . ∗

That is, Π is a map that assigns to every string of refined events the corresponding string in the original alphabet Σ . Π can be extended to any language Ld ⊆ ∆∗ by

Π (Ld ) = {s ∈ Σ ∗ | ∃t ∈ Ld , Π (t ) = s}. The masking map is a particular case of the reporter map (Zhong & Wonham, 1990), a causal map introduced within the context of hierarchical control of DES to model the information channel which summarizes behaviors from the low-level process to the manager (high-level system). The masking map has, as a particular aspect, the fact that the last high-level event is always the abstraction (mask) of the last low-level event; moreover, every low-level event is reported (there are no ‘‘silent’’ transitions). As a reporter map, it is prefix-preserving (if s ≤ t, then Π (s) ≤ Π (t )) and commutes with prefix-closure (Wong & Wonham, 1996), that is, for Ld ⊆ ∆∗ , Π (Ld ) = Π (Ld ). Definition 2 (Inverse Masking Map). The inverse masking map Π −1 : ∗

Σ ∗ → 2∆ is defined by

Π −1 (s) = {t ∈ ∆∗ | Π (t ) = s}. Π −1 can be extended to any language L ⊆ Σ ∗ by Π −1 (L) = {t ∈ ∆∗ | Π (t ) ∈ L}. Now, we formally present a distinguisher, as follows. Definition 3 (Distinguisher). Given an alphabet Σ and a refined  ∗ alphabet ∆ = ˙ σ ∈Σ ∆σ , a map D : Σ ∗ → 2∆ is a distinguisher if ∗ ∗ ∀s ∈ Σ , σ ∈ Σ , r ∈ ∆ and δ ∈ ∆

(i) D(ϵ) = {ϵ}; (ii) r δ ∈ D(sσ ) ⇒ r ∈ D(s) ∧ δ ∈ ∆σ ; (iii) r ∈ D(s) ⇒ ∃δ ′ ∈ ∆σ , r δ ′ ∈ D(sσ ).

Proposition 2. For a distinguisher D : Σ ∗ → 2∆ and any language L ⊆ Σ ∗ , it follows that D(L) = D(L). Proof. Let r ∈ D(L). There exist u ∈ ∆∗ and t ∈ L such that ru ∈ D(t ). Then items (i) and (ii) of Definition 3 imply, by induction on the length of r, that there exists s ∈ Σ ∗ , with s ≤ t, such that r ∈ D(s). Since s ∈ L, r ∈ D(L). Now, let r ∈ D(L). There exists s, t ∈ Σ ∗ such that st ∈ L and r ∈ D(s). Item (iii) of Definition 3 implies, by induction on the length of r, that there exists u ∈ ∆∗ such that ru ∈ D(st ) ⊆ D(L). Thus, r ∈ D(L). A particular language that can be associated to the use of a distinguisher is defined as follows. Definition 4. For D as in Definition 3, the distinguisher language LD ⊆ ∆∗ is defined by LD = D(Σ ∗ ). For a particular distinguisher D, LD = LD ⊆ ∆∗ is a prefix-closed language with all possible distinctions of Σ ∗ . It elects at least one refined string of ∆∗ for each original string of Σ ∗ . Observe that Π (LD ) = Σ ∗ follows directly from Proposition 1. From the above definitions, the effect of D over a language can be rewritten as follows: Proposition 3. Let a distinguisher D and a language LD be respectively as in Definitions 3 and 4. For a language L ⊆ Σ ∗ , the effect of D over L is such that D(L) = Π −1 (L) ∩ LD . Proof. ⊂ Let r ∈ D(L), then r ∈ Π −1 (L), since D(L) ⊆ Π −1 (L), by definition. Moreover, ∃ s ∈ L | r ∈ D(s), which implies that r ∈ LD , since LD = D(Σ ∗ ) and s ∈ L ⊆ Σ ∗ . Therefore, D(L) ⊆ Π −1 (L) ∩ LD . ⊃ Let r ∈ Π −1 (L) ∩ LD . From r ∈ LD = D(Σ ∗ ), we have r ∈ D(s) and Π (r ) = s, for some s ∈ Σ ∗ . But, since r also belongs to Π −1 (L), then Π (r ) = s ∈ L ⊆ Σ ∗ . As r ∈ D(s) and s ∈ L, then r ∈ D(L) and D(L) ⊃ Π −1 (L) ∩ LD . Proposition 3 implies that a distinguisher D can be identified by its distinguisher language LD . As (by Definition 4) LD is prefixclosed and (by Definition 3) the map Π −1 is a particular case of a distinguisher D, then it follows (by Proposition 2) that LD and Π −1 (L) are nonconflicting, for any language L ⊆ Σ ∗ . This is formalized by the following proposition. Proposition 4. For LD and Π −1 respectively as in Definitions 2 and 4 it follows, for any language L ⊆ Σ ∗ , that Π −1 (L) ∩ LD = Π −1 (L)∩ LD .

96

J.E.R. Cury et al. / Automatica 56 (2015) 93–104

single refined event, for each mask eligible in the plant. As a result, there exists s ∈ Σ ∗ , such that |D(s)| > 1. For example, for s = αα , it follows that D(s) = {αB αB , αB αW , αW αB , αW αW }. Fig. 1. Events flow when using a distinguisher in a plant.

Proof. Π −1 (L) ∩ LD = D(L) = D(L) = Π −1 (L) ∩ LD = Π −1 (L) ∩ LD . Considering a DES modeled by an automaton G, D(L(G)) = Π −1 (L(G)) ∩ LD and D(Lm (G)) = Π −1 (Lm (G)) ∩ LD represent the effect of D over G. That is, a distinguisher D refines strings of L(G) into strings in ∆∗ , through Π −1 (L(G)), and distinguishes their occurrence according to LD . An automaton for Π −1 (L(G)) can be obtained simply by replacing the events of each transition in G by the corresponding sets of refined events. A step-guide for the construction of D is presented in Section 3.2 and illustrated in Sections 3.3 and 4.4, together with examples of how to design an automaton HD that models D, such that L(HD ) = LD . The introduction of a distinguisher in a system modeled by G is outlined by Fig. 1, which contextualizes the interaction between distinguisher and plant in terms of events flowing through a cascade of stages. We assume that events σ ∈ Σ spontaneously occur in G. Then, each event is mapped in a subset of refined events ∆σ , through Π −1 , and filtered by the distinguisher language LD , establishing which refined event is in fact eligible.1 Distinguishers can further be split in two different classes, as follows. Definition 5 (Predictable Distinguisher). A Distinguisher D : Σ ∗ → ∗ 2∆ is predictable if, for all s ∈ Σ ∗ , |D(s)| = 1. Otherwise, D is said to be unpredictable. In words, D is predictable if any string in Σ ∗ is mapped into a set with exactly one string in ∆∗ , i.e., if after every string r ∈ LD there is exactly one eligible event for each mask σ ∈ Σ . Thus the language LD allows to always predict the next distinction of any mask. The following example illustrates these classes of distinguishers. Example 1. Let G be the plant model of a device that picks up workpieces from a buffer C . Let Σ = {α}, where α represents the event ‘‘machine picked up a workpiece from C ’’. The system behavior is then given by L(G) = Σ ∗ . Predictable distinguisher: Let us design a distinguisher that signalizes whenever an even number of elements is picked up from C . Then, we can define ∆ = ∆α = {αE , αO } in order to distinguish α in the events αE , ‘‘machine picked up an even number of workpieces from C ’’, and αO , ‘‘machine picked up an odd number of workpieces from C ’’. For this example LD = (αO αE )∗ (ϵ + αO ). In this case, D is clearly predictable, since for any s ∈ Σ ∗ , |D(s)| = 1, i.e., any string in Σ ∗ has exactly one associated string in ∆∗ . For s = αα , for example, it follows that D(s) = {αO αE } and we can predict that the next occurrence of α after αα is αO . Unpredictable distinguisher: For the same example, let us assume that a distinguisher is now used to identify the color of a workpiece randomly removed from C . To represent the information brought by this distinguisher, we can define ∆ = ∆α = {αB , αW } in order to refine α in the events αB , ‘‘machine picked up a black workpiece from C ’’, and αW , ‘‘machine picked up a white workpiece from C ’’. For this example LD = (αB + αW )∗ clearly illustrates a situation of unpredictability, since LD cannot prescribe the occurrence of a

1 Although the maps Π and D have not been defined for events, we assume in Figs. 1 and 8 that events correspond to strings of length 1.

Observe that, in practice, designing a distinguisher D can always be done in a way that the occurrences of events in Σ are univocally distinguished in ∆, or equivalently, each string in Σ ∗ is associated to a single string in ∆∗ . In this sense, for the sake of simplicity and without losing generality, we assume in the following that we are dealing only with predictable distinguishers. 3.2. Building a distinguisher For many practical problems, it may be easier to model control specifications using events of a refined alphabet ∆ than original events in Σ . For that, however, one has to define which events must be refined and how they will be refined, based on the meaning assigned for each refinement (instance) and on the sequences of instances the refined plant may generate. This is basically the idea behind the distinguishers approach. Building a distinguisher is by nature an engineering task that, therefore, depends mostly on the designer’s expertise. Nevertheless, we present in the following what could in many cases be a guideline to help with this construction. (i) Identifying an initial set of events to be refined: the first step to build a distinguisher is to identify events in Σ which, if properly refined, could simplify the modeling of a given specification. (ii) Defining instances of refinements: following the previous step, one has to determine the different instances of events associated to each original refined event. Such instances intend to model different circumstances under which the original event may occur; each instance created for an event carries a particular semantic, that needs to be implemented by the distinguisher model (step (iv)). (iii) Completing the set ∆: given the initial set of events to be refined and their associated sets of refined events, the construction of a model that distinguishes their different instances of occurrence may lead to the convenience of refining other events; in fact, the semantic of a particular occurrence of a refined event may depend on the occurrence of other events which, therefore, might be also refined in order to simplify the distinguisher modeling. When this is the case, steps (i) and (ii) should be revisited in order to completely characterize the distinguished alphabet ∆. (iv) Modeling the distinguisher: the final step consists of building a set of automata which model the interdependency of instances of events in ∆; this can, in many cases, be done in a modular way. Given a textual description of the specification and a plant originally modeled using events from Σ , this guideline provides a distinguisher by defining ∆ and LD . The desired specification can then be modeled using events from ∆. Notice, therefore, that for the same plant model, the distinguisher may differ based on the required specification. Sections 3.3 and 4.4 illustrate how to follow these steps to build distinguishers for two simple control settings. 3.3. Example of a manufacturing system We now provide an example that will be used to explore the concepts presented in this paper. Consider a manufacturing system with material feedback, as shown in Fig. 2. The system is composed by a robot (R), two machines (M1 and M2 ) and a test unit TU, linked by unitary buffers B1 , B2 and B3 . The

J.E.R. Cury et al. / Automatica 56 (2015) 93–104

Fig. 2. Small factory with material feedback.

Fig. 3. Models for the subsystems R, M1 , M2 and TU.

Fig. 4. Models for the specifications E1 , E2 and E3 .

robot R takes workpieces from a storage (event a) and places them on the buffer B1 (event b). Machines M1 and M2 manufacture them and TU test their quality, which determines their approval (event y), rejection (event n) or rework in M1 (event r). The automata G1 , G2 , G3 and G4 presented in Fig. 3, respectively model the subsystems R, M1 , M2 and TU. In G1 , G2 and G3 are modeled events of start and finish of operation in each respective machine. In G4 , both g and h are eligible in the initial state, modeling that TU may start with two different operations: with an event g, representing a general test that results an approval or a rework in M2 (y or r); or with an event h, modeling a final test which indicates that there are no more reworks available and so the workpiece must be approved (y) or rejected (n). The open-loop behavior of the system is represented by the composition G = G1 ∥G2 ∥G3 ||G4 , with Σ = {a, b, c , d, e, f , g , h, r , y, n}, where it is assumed that Σc = {a, c , e, g , h} and Σu = {b, d, f , n, y, r }. As the control objective for the system, let us consider:

• Ei , i = 1, 2, 3: to avoid overflow and underflow in each buffer Bi ;

• E4 : to allow the final test (event h) for each workpiece only when it has been rejected twice in the general test (event g); to allow event g only otherwise. Fig. 4 illustrates how the specifications E1 , E2 and E3 can be modeled using events in the alphabet Σ . For the sake of clarity, we remove from each automaton the self-loops containing the events not required to express the specification. For the results that follow, however, we consider the specification language in Σ ∗ . While the models for E1 , E2 and E3 require only two states each to be represented in the original alphabet, modeling E4 with events in Σ turns out to be a very complex task, when considering that the system could concurrently process multiple workpieces. In addition, this specification could be modified to allow more than two rework cycles or even to consider extra workstations in the process, which would further complexify the design of E4 . However, this modeling task can be considerably simplified if we use a distinguisher, as follows. 3.3.1. Modeling the distinguisher We follow the guideline proposed in Section 3.2 in order to build a distinguisher for the example, as follows. (i) Designing E4 consists of disabling events g or h after occurrences of f . Complexity arises from the fact that choosing between g or h to be disabled, depends on the number of times that f occurs for a same workpiece, i.e., h is disabled after first and second occurrences of f ; and g, otherwise. Thus, simplifying E4 requires to refine the event f .

97

Fig. 5. Preliminary model for the specification Ed4 .

(ii) Event f occurs up to 3 times for a same workpiece (first cycle plus 2 reworks). Then, we create 3 instances for f , identified by f0 , f1 and f2 ; f0 stands for f occurring for the first time for a workpiece (no reworks), while f1 and f2 model f during the first and second reworks, respectively. With the refinement of f , E4 can be easily modeled as in the automaton shown in Fig. 5. (iii) Note that distinguishing instances of f depends on the identification of each cycle for each workpiece. A cycle starts in B1 , with the events b (starting a new cycle) or r (restarting a cycle). Since all machines and buffers within the cycle have unit capacity, each event that follows b and r carries the semantic (number of reworks) to the following event within the workflow. Therefore, for the instances of f to be distinguished, additional events must be also refined, as follows: ∆c = {c0 , c1 , c2 }; ∆d = {d0 , d1 , d2 }; ∆e = {e0 , e1 , e2 }; ∆g = {g0 , g1 }; ∆r = {r1 , r2 }; ∆σ = {σ }, ∀σ ∈ {a, b, h, n, y}. These new refinements carry equivalent semantic as defined  for f and the refined alphabet is given by ∆ = ˙ σ ∈Σ ∆σ . (iv) It remains to model the relationship between the refinements in ∆. This is the role of the distinguisher model, which aims to point out which instance of each event is actually eligible in each workcycle, without imposing any constraint over the system. For x ∈ {c , d, e, f , g , r }, we modularly design a distinguisher Hx , as shown in Fig. 6. Module Hc distinguishes the event c0 from c1 and c2 in the initial state, and c1 and c2 from the others after the first and second reworks (r1 and r2 ), respectively. This means, for example, that when the robot R feeds B1 with a workpiece for the first time (event b), there is no instance of c but c0 eligible. In its turn, Hd distinguishes d0 , d1 and d2 according to the predecessor event c0 , c1 or c2 . Similarly, modules He , Hf , Hg and Hr distinguish the events with mask in e, f , g and r, according to the predecessor events. Note that the distinguisher in Fig. 6 is non prohibitive, in the sense that each distinguisher module elects, in each state, at least one instance of the events aimed to be distinguished, and all the instances of the remaining events. By composing the modular automata in Fig. 6 we obtain the model HD = Hc ∥Hd ∥He ∥Hf ∥Hg ∥Hr ∥H∆ , where Lm (H∆ ) = ∆∗ . H∆ is an automaton with a single marked state self-looping a transition labeled with ∆, complementing the alphabet in HD . For this particular example, HD is an automaton with 308 states. Moreover, since each distinguisher module (Hc , Hd , He , Hf , Hg and Hr ) in each state only elects one of the events it refines (e.g., only one of the events c1 , c2 or c3 is eligible in each state of Hc ), HD actually models a predictable distinguisher, as in Definition 5. Finally, we modify the automaton of Fig. 5 to obtain the model of specification E4 , now in ∆, as shown in Fig. 7. This model prohibits the general test (events g0 and g1 ) when the third buffer has a workpiece rejected twice and disables the final test (event h in the initial state) otherwise. For E1 , E2 and E3 , which had been initially modeled in Σ , we just map them in ∆, i.e., Ed1 = Π −1 (E1 ), Ed2 = Π −1 (E2 ) and Ed3 = Π −1 (E3 ). In practice, the inverse masking map can be implemented on automata by simply replacing each mask of every transition by the corresponding set of refined events. Remark that the control objective could be further modified to allow extra workcycles or even to consider additional capacity in the buffers. Suppose, for example, that E4 is now intended to allow up to 4 workcycles. It can be shown that an automaton for this specification modeled with events from Σ would now

98

J.E.R. Cury et al. / Automatica 56 (2015) 93–104

Fig. 6. Modular representation of the distinguisher HD .

Fig. 7. Specification Ed4 , designed with events in ∆.

require 15.803 states, which illustrates how much modeling effort this task may require. Yet, in this case, a refined alphabet and the corresponding distinguisher model would remain simple to be obtained and, in this particular case, the distinguisher could still be designed by modular automata with, at most, 5 states each module. 3.4. SCP with distinguishers We develop here the main ideas that show how a SCP containing specifications that are complex to be modeled with the original alphabet Σ can be solved using a distinguisher. The distinguisher expands the set of events Σ into a set of refined events ∆ and distinguishes different occurrences of the original events. Specifications are then modeled using ∆ and information brought by the distinguisher. Finally, a supervisor Sd for a distinguished plant model Gd , defined in ∆, is to be found in such a way that a solution to the original problem could be obtained from Sd . Formally, for a plant G and a predictable distinguisher D, we denote by Gd (or D(G)) an automaton such that L(Gd ) = D(L(G)) and Lm (Gd ) = D(Lm (G)), and by Ed a specification defined in ∆. Also, we define a control structure  in the refined alphabet  as given by ∆ = ∆c ∪ ∆u , where ∆u = σ ∈Σu ∆σ and ∆c = σ ∈Σc ∆σ . Now, for a supervisor Sd defined by a map Sd : L(Gd ) → 2∆ together with a language LSd ⊆ Lm (Gd ) we define a supervisor Π (Sd ) as a map Π (Sd ) : L(G) → 2Σ and a language LS ⊆ Lm (G), with

Π (Sd )(s) = {Π (σ ) ∈ Σ | σ ∈ Sd (t ), {t } = D(s)}, LS = Π (LSd ).

and

Fig. 8. Supervisory control with distinguishers.

a solution to the SCP for the original plant G and corresponding undistinguished specification K = Π (Kd ). Observe that, in general Kd ⊆ D(Π (Kd )) = D(K ), since Kd ⊆ Π −1 (Π (Kd )) and Kd ⊆ Lm (Gd ) ⊆ LD . Nevertheless, the equality always holds when using predictable distinguishers, as shows the following proposition. Proposition 5. Let G, D, Gd and Kd = Ed ∩ Lm (Gd ) be as given in the SCP-D. If D is predictable then Kd = D(Π (Kd )). Proof. First, we recall that Kd ⊆ D(Π (Kd )). To show the converse inclusion, let s ∈ D(Π (Kd )). Then s ∈ D(t ) for a t ∈ Π (Kd ), so that Π (s) = t. Now, since t ∈ Π (Kd ), there exists r ∈ Kd such that Π (r ) = t. But r ∈ Kd implies r ∈ D(Π (Kd )) or yet r ∈ D(t ). Finally, as D is predictable |D(t )| = 1 which implies that s = r ∈ Kd . We will show in the following that a solution for the SCP-D can be found by solving a corresponding SCP for Gd and Kd . Theorem 1. Let G, D, Gd and Kd = Ed ∩ Lm (Gd ) be given as in the SCPD. Let Sd : ∆∗ → 2∆ , be computed as a nonblocking supervisor for Gd such that Lm (Sd /Gd ) ⊆ Kd . Then Π (Sd ) is a nonblocking supervisor for G, with Lm (Π (Sd )/G) = Π (Lm (Sd /Gd )) ⊆ Π (Kd ). Proof. We show that L(Π (Sd )/G) = Π (L(Sd /Gd )). For that we use induction on s ∈ Σ ∗ . Observe that ϵ ∈ L(Π (Sd )/G) and ϵ ∈ Π (L(Sd /Gd )). Now assume that s ∈ L(Π (Sd )/G) if and only if s ∈ Π (L(Sd /Gd )). Thus, sσ ∈ L(Π (Sd )/G)

From the above definition, Π (Sd ) can be seen as the undistinguished version of the supervisor Sd . After a string s ∈ L(G), Π (Sd ) will enable the set of masks of events in Sd (t ), with t being the distinguished version of s. Also, the string s is marked by Π (Sd ) if t is marked by Sd . Observe that, since we are considering predictable distinguishers, the set Π (Sd )(s) will be univocally associated to a string t ∈ L(Gd ). Fig. 8 illustrates the relationship between Sd and Π (Sd ). Now, we are in a position to introduce a new problem, corresponding to the SCP, modified to consider the use of a distinguisher.

⇔ s ∈ L(Π (Sd )/G) ∧ sσ ∈ L(G) ∧ σ ∈ Π (Sd )(s) ⇔ s ∈ Π (L(Sd /Gd )) ∧ sσ ∈ Π (L(Gd )) ∧ σ ∈ {Π (δ) ∈ Σ | δ ∈ Sd (t ), {t } = D(s)} ⇔ sσ ∈ Π ({t δ | t ∈ L(Sd /Gd )}) ∧ sσ ∈ Π ({t δ | t δ ∈ L(Gd )}) ∧ sσ ∈ Π ({t δ | δ ∈ Sd (t )}) ⇔ sσ ∈ Π ({t δ | t ∈ L(Sd /Gd ) ∧ t δ ∈ L(Gd ) ∧ δ ∈ Sd (t )}) ⇔ sσ ∈ Π (L(Sd /Gd )).

Problem 2 (SCP-D). Given G and a predictable distinguisher D, let Gd be such that L(Gd ) = D(L(G)) and Lm (Gd ) = D(Lm (G)). For a specification Ed ⊆ ∆∗ , defining a desired behavior Kd = Ed ∩ Lm (Gd ), find a supervisor Sd for Gd , such that Π (Sd ) is a nonblocking supervisor for G, with Lm (Π (Sd )/G) ⊆ Π (Kd ).

We also have that

The idea behind the SCP-D is the following. The original plant G is distinguished by D in a way that the specification could be written as Ed , or equivalently, Kd = Ed ∩ Lm (Gd ). Then, using the distinguished model of the plant, Gd , Sd is to be synthesized such that the undistinguished version of Sd , Π (Sd ), corresponds to

Lm (Π (Sd )/G) = L(Π (Sd )/G) ∩ Π (LSd )

= Π (L(Sd /Gd )) ∩ Π (LSd ) = Π (L(Sd /Gd ) ∩ LSd ) = Π (Lm (Sd /Gd )) ⊆ Π (Kd ). Finally, L(Π (Sd )/G) = Π (L(Sd /Gd )) = Π (Lm (Sd /Gd ))

= Π (Lm (Sd /Gd )) = Lm (Π (Sd )/G).

J.E.R. Cury et al. / Automatica 56 (2015) 93–104

Although Theorem 1 shows a way to solve the SCP-D, it does not say anything about the degree of optimality of the solution. The following theorem addresses this issue. Theorem 2. Let G, D, Gd and Kd = Ed ∩ Lm (Gd ) be as given in the SCP-D. Then

Π (supC (Kd , Gd )) = supC (K , G) and supC (Kd , Gd ) = D(supC (K , G))

(1) (2)

where K = Π (Kd ) To prove Theorem 2, we propose the following lemmas. Lemma 1. Under the conditions of Theorem 2, we have Π (supC (Kd , Gd )) ∈ C (K , G). Proof. First, observe that supC (Kd , Gd ) ⊆ Kd ⇒ Π (supC (Kd , Gd )) ⊆ Π (Kd ) = K . For σu ∈ Σu , let s be such that s ∈ Π (supC (Kd , Gd ))σu ∩ L(G) = Π (supC (Kd , Gd ))σu ∩ L(G). Also, let t ∈ supC (Kd , Gd ) be such that s = Π (t )σu . Since t ∈ Kd = Π −1 (K ) ∩ LD ⊆ LD , and LD = D(Σ ∗ ), then there exists δu ∈ ∆σu such that t δu ∈ LD . But Π (t δu ) = Π (t )σu = s ∈ L(G). Then, t δu ∈ Π −1 (L(G)) ∩ LD = L(Gd ). Thus, by the controllability of supC (Kd , Gd ), t δu ∈ supC (Kd , Gd ) and then s = Π (t δu ) ∈ Π (supC (Kd , Gd )) = Π (supC (Kd , Gd )). Lemma 2. Under the conditions of Theorem 2, we also have D(supC (K , G)) ∈ C (Kd , Gd ). Proof. Now, observe that D(supC (K , G)) ⊆ D(K ) = Kd (by Proposition 5). Also, for δu ∈ ∆u , with Π (δu ) = σu , we have

{D(supC (K , G))}δu ∩ L(Gd ) = {D(supC (K , G))}δu ∩ L(Gd ) (Proposition 2) = {Π −1 (supC (K , G)) ∩ LD }δu ∩ L(Gd ) ( Proposition 3) ⊆ {Π −1 (supC (K , G))}δu ∩ L(Gd ) ⊆ Π −1 (supC (K , G))Π −1 (σu ) ∩ L(Gd ) = Π −1 (supC (K , G)σu ) ∩ L(Gd ) = Π −1 (supC (K , G)σu ) ∩ Π −1 (L(G)) ∩ LD = Π −1 (supC (K , G)σu ∩ L(G)) ∩ LD ⊆ Π −1 (supC (K , G)) ∩ LD (controllab. of supC (K , G)) = D(supC (K , G)) (Proposition 3) = D(supC (K , G)) (Proposition 2). Proof of Theorem 2. (1) From Lemma 1 we have Π (supC (Kd , Gd )) ⊆ supC (K , G). From Proposition 1 and Lemma 2, it follows that supC (K , G) = Π (D(supC (K , G))) ⊆ Π (supC (Kd , Gd )). Therefore, Π (supC (Kd , Gd )) = supC (K , G). (2) From Lemma 2, we have D(supC (K , G)) ⊆ supC (Kd , Gd ). But, since supC (Kd , Gd ) ⊆ Π −1 (Π (supC (Kd , Gd ))) and supC (Kd , Gd ) ⊆ L(Gd ) ⊆ LD it follows that supC (Kd , Gd ) ⊆ D(Π (supC (Kd , Gd ))) = D(supC (K , G)) (by the first part of the proof). Therefore, supC (Kd , Gd ) = D(supC (K , G)). Finally, we have: Corollary 1. Let G, D, Gd and Kd = Ed ∩ Lm (Gd ) be as given in the SCP-D. Then Sd computed such that it is nonblocking for Gd and such that Lm (Sd /Gd ) = supC (Kd , Gd ), is an optimal solution for the SCP-D.

99

Table 1 Number of states and transitions of the automata used to solve the SCP-D (first row) and the SCP (second row). Gd (2160, 10 800)

Ed (12, 96)

Kd (7220, 20 234)

Vd (212,495)

G (24, 120)

E (1080, 4608)

K (7220, 20 234)

V (212, 495)

Proof. From Theorems 1 and 2 we have that Π (Sd ) is nonblocking and Lm (Π (Sd )/G) = Π (supC (Kd , Gd )) = supC (Π (Kd ), G). For the SCP and SCP-D, let n (nd ) and m (md ) be respectively the number of states of the automata that model the plant G (Gd ) and the specification E (Ed ). The control solutions for these problems (computation of the supremal controllable languages) have order of growth O[(n.m)2 ] (O[(nd .md )2 ]) in time. Notice that, in general, md < m but nd > n, i.e., if on one hand using refined information allows to simplify the modeling of specifications, on the other hand the refined plant becomes more complex by considering the distinguisher model. What we expect is, in general, O[(n.m)2 ] = O[(nd .md )2 ], i.e., SCP and SCP-D require the same computational effort to be solved. In fact, since D is predictable, for every state in the automaton modeling Kd there is at most one eligible event for each mask, and thus the automata modeling Kd and K = Π (Kd ) have exactly the same number of states and transitions. 3.5. Control solution for the manufacturing system Now, we obtain the optimal control solution for the example presented at Section 3.3. The first row of Table 1 presents the number of states and transitions of the automata used to model: the refined plant Gd = D(G); the specification Ed = Ed1 ∥Ed2 ∥Ed3 ||Ed4 ; the global specification Kd = Ed ∩ Lm (Gd ) and the supervisor supC (Kd , Gd ), which is modeled by the automata Vd such that Lm (Vd ) = supC (Kd , Gd ). We also solve the SCP to exemplify its equivalence wrt the SCP-D. The automata used in synthesis have number of states and transitions as in Table 1, second row. Note that, the global specifications and supervisors have the same number and transitions of states in both versions of the problem. The only difference is that, in SCP-D, the computational load is transferred from the specification to the plant, while globally these problems are equivalent. We highlight that, when solving the SCP, it was not feasible to directly model the specification E4 in the alphabet Σ , by the same reasons discussed along this example. However, since we have modeled Ed4 in ∆, it becomes possible to obtain a correspondent specification in Σ , by composing the automaton modeling Ed4 with the distinguisher model HD , and mapping this composition into the alphabet Σ , i.e., E4 = Π (Ed4 ||LD ). In this particular case, E4 is modeled by an automaton with 560 states. 4. Exploiting approximations in the SCP-D In Section 3 we have shown how to reformulate the SCP to consider the introduction of a distinguisher (SCP-D). This approach allows to express complex control specifications in a simpler manner and leads to a solution equivalent to the SCP, as exemplified by the previous example. On the other hand, the SCP-D does not provide computational savings in synthesis. In fact, by comparing the number of states and transitions of the automata for K and Kd (Table 1—rows 1 and 2), we can see that the gains brought by simpler specifications are compensated by introducing the distinguisher model in the plant, in a way that the overall computational cost to resolve any version of the problems, is equivalent.

100

J.E.R. Cury et al. / Automatica 56 (2015) 93–104

However, under certain conditions, it may be possible to obtain an efficient solution for the SCP-D, by resolving a simpler control problem, considering a specification Ed as in SCP-D, but using an approximation Ga for the plant Gd . The question that comes at this point is: Given a control problem with distinguishers (SCP-D), under which conditions is it possible to solve this problem (and consequently the original SCP), using an approximation Ga for Gd , such that it might also provide computational advantages? Aiming to address the above question, we first propose a way to build suitable approximations Ga for Gd , assuming that Gd is such that L(Gd ) = D(L(G)), where D is a predictable distinguisher. Then, we discuss how these approximations lead to a solution for the SCP-D, obtained with less computational effort of synthesis. Finally, we also provide sufficient conditions under which least restrictiveness of approximated supervisors is guaranteed. 4.1. Constructing approximations We start by showing how to construct approximations Ga for the plant Gd . We are actually interested on a particular class of approximations that are suitable for synthesis, defined as follows. Definition 6 (D-Approximation). For a plant G and a predictable distinguisher D, if Da is a distinguisher with LD ⊆ LDa ⊆ ∆∗ , then Ga = Da (G) is a D-Approximation for Gd = D(G). Definition 6 provides a class of distinguishers which preserve the strings distinguished by D. Naturally, when applied over a plant G of a DES, Da produces an outer-approximation Ga for Gd , namely, L(Gd ) ⊆ L(Ga ) and Lm (Gd ) ⊆ Lm (Ga ). It remains to show how a distinguisher Da can be modeled in a way that, if applied over the plant G, it produces a D-Approximation Ga as in Definition 6. Assuming that the automaton HD , such that L(HD ) = LD , is obtained by the composition of a set of modular automata (as in the example in Section 3.3), then the composition of any subset of those automata can be used to model Da , since LD ⊆ LDa . A special case is the D-Approximation obtained from the distinguisher Dca modeled by H∆ , i.e., when all distinguisher modules are omitted from the synthesis. In this case, LDca = ∆∗ , which actually produces the coarsest D-Approximation Gca of Gd , such that L(Gca ) = Π −1 (L(G)). The use of heuristic search (Aguiar, Cunha, Cury, & Queiroz, 2013) may help the designer to choose specific modules of HD to be composed, in face to the synthesis result. A D-Approximation Ga can be used to synthesize a computationally efficient solution to the SCP-D. This assertion is supported by the results presented in the following, for which the concept of Λ-Preserving plays an essential role. Definition 7 (Λ-Preserving). Given L1 ⊆ L2 ⊆ ∆∗ , a masking map Π : ∆∗ → Σ ∗ and a set of masks Λ ⊆ Σ , L1 is Λ-Preserving wrt L2 if, ∀σ ∈ Λ and t ∈ L1 , t ∆σ ∩ L2 ̸= ∅ ⇒ t ∆σ ∩ L1 ̸= ∅. That is, L1 is Λ-Preserving wrt L2 if, for every mask σ ∈ Λ, whenever a refined event in ∆σ is eligible in L2 , at least one instance of ∆σ is also eligible in L1 . Definition 7 implies that, for L1 ⊆ L2 ⊆ ∆∗ , if L1 is Λ-Preserving wrt L2 , then L1 is also Λ′ -Preserving wrt L2 , for any subset of masks Λ′ ⊆ Λ. For languages L1 and L2 in ∆∗ and Λ ⊆ Σ , define the set PΛ (L1 , L2 ) = {K ⊆ L1 | K is Λ-Preserving wrt L2 }. It can be shown that PΛ (L1 , L2 ) has a supremal element, denoted supPΛ (L1 , L2 ), which can be computed in polynomial time in the number of states of the automata models for L1 and L2 (see Appendix).

4.2. Solving the SCP-D using approximations Now, we show how a solution to the SCP-D can be obtained by using a D-Approximation Ga in the synthesis, instead of the plant Gd . For that, we establish the relationship between Ga and Gd , as follows. ∗

Proposition 6. For two any distinguishers D1 , D2 : Σ ∗ → 2∆ and a language L ⊆ Σ ∗ such that D1 (L) ⊆ D2 (L), D1 (L) is Σ -Preserving wrt D2 (L). Proof. First, note that ∀ σ ∈ Σ and ∀ t ∈ D1 (L), t ∈ D1 (Π (t )) and, by Definition 3(iii), there exists δ ∈ ∆σ , such that t δ ∈ D1 (Π (t )σ ). Then, t ∆σ ∩ D2 (L) ̸= ∅ implies Π (t )σ ∈ L, which implies that there exists δ ∈ ∆σ , such that t δ ∈ D1 (Π (t )σ ) ⊆ D1 (L). Therefore, t ∆σ ∩ D1 (L) ̸= ∅. From Proposition 6 it is easy to see that L(Gd ) is Σu -Preserving wrt L(Ga ). The following theorem uses the above properties to show that we can solve the SCP-D by using a D-Approximation, although this approach may lead to a suboptimal control solution. If the result is more restrictive, we also provide an upper bound to the optimal solution, which can then be used to ascertain least restrictiveness. Theorem 3. Given Gd and Ed as in SCP-D, let Ga be a D-Approximation for Gd . For Ka = Ed ∩ Lm (Ga ), if supC (Ka , Ga ) and LD are nonconflicting, a nonblocking supervisor Sa such that Lm (Sa /Gd ) = supC (Ka , Ga ) ∩ LD is a solution for SCP-D. Moreover, supC (Ka , Ga ) ∩ LD ⊆ supC (Kd , Gd )

⊆ supPΣu (Ka , L(Ga )) ∩ LD . The following two lemmas are proposed to prove Theorem 3. Lemma 3. Given languages L1 , L2 ⊆ ∆∗ , with L1 ⊆ L2 , if L1 is controllable wrt L2 , L1 is Σu -Preserving wrt L2 . Proof. From the control structure of the refined alphabet, it follows that for every ∆σ ⊆ ∆u , Π (∆σ ) ∈ Σu . Let L1 be controllable wrt L2 . Then, for each ∆σ ⊆ ∆u and s ∈ L1 , s∆σ ∩ L2 ⊆ L1 . This implies that s∆σ ∩ L2 = s∆σ ∩ L2 ∩ L1 = s∆σ ∩ L1 . Thus, s∆σ ∩ L2 ̸= ∅ implies s∆σ ∩ L1 ̸= ∅ and the result follows. From Lemma 3, it follows that supC (Kd , Gd ) ⊆ supPΣu (Kd , L(Gd )). Lemma 4. Consider the map Π : ∆∗ → Σ ∗ , an alphabet Λ ⊆ Σ and languages L1 ⊆ L2 ⊆ L3 ⊆ ∆∗ . If L1 is Λ-Preserving wrt L2 and L2 is Λ-Preserving wrt L3 , then L1 is also Λ-Preserving wrt L3 . Proof. For all s ∈ L1 and all σ ∈ Λ, s∆σ ∩ L3 ̸= ∅ implies s∆σ ∩ L2 ̸= ∅ which implies s∆σ ∩ L1 = ̸ ∅. Proof of Theorem 3. • supC (Kd , Gd ) ⊆ supPΣu (Ka , L(Ga )) ∩ LD : supC (Kd , Gd ) is controllable wrt L(Gd ). Then supC (Kd , Gd ) is Σu -Preserving wrt L(Gd ), by Lemma 3. Since Ga is a D-Approximation for Gd , then L(Gd ) ⊆ L(Ga ) by Definition 6, and L(Gd ) is Σu Preserving wrt L(Ga ) by Proposition 6. Since supC (Kd , Gd ) ⊆ L(Gd ) ⊆ L(Ga ) then supC (Kd , Gd ) is also Σu -Preserving wrt L(Ga ), by Lemma 4. Moreover, since supC (Kd , Gd ) ⊆ Ka , it is true that supC (Kd , Gd ) ⊆ supPΣu (Ka , L(Ga )). Finally, supC (Kd , Gd ) ⊆ L(Gd ) implies supC (Kd , Gd ) ⊆ supPΣu (Ka , L(Ga )) ∩ L(Gd )

= supPΣu (Ka , L(Ga )) ∩ Π −1 (L(G)) ∩ LD ∩ LDa = supPΣu (Ka , L(Ga )) ∩ L(Ga ) ∩ LD = supPΣu (Ka , L(Ga )) ∩ LD .

J.E.R. Cury et al. / Automatica 56 (2015) 93–104

• supC (Ka , Ga ) ∩ LD ⊆ supC (Kd , Gd ). From L(Gd ) ⊆ L(Ga ), we have that supC (Ka , Ga ) is controllable wrt L(Gd ), since supC (Ka , Ga )∆u ∩ L(Gd ) ⊆ supC (Ka , Ga )∆u ∩ L(Ga ) ⊆ supC (Ka , Ga ). Also, as L(Gd ) ⊆ LD , LD is controllable wrt L(Gd ). Then, the nonconflict between supC (Ka , Ga ) and LD implies that supC (Ka , Ga ) ∩ LD is controllable wrt L(Gd ). Moreover, supC (Ka , Ga ) ∩ LD ⊆ Ka ∩ LD = Kd . Thus, supC (Ka , Ga ) ∩ LD ⊆ supC (Kd , Gd ).

• Sa is a solution for SCP-D: From the controllability of supC (Ka , Ga ) ∩ LD wrt L(Gd ), and the nonconflict of supC (Ka , Ga ) and LD , there exists a supervisor Sa such that Lm (Sa /Gd ) = supC (Ka , Ga ) ∩ LD ⊆ supC (Kd , Gd ) ⊆ Kd . Finally, by Theorem 1, Π (Sa ) is a nonblocking supervisor for G with Lm (Π (Sa /G)) = Π (Lm(Sa /Gd )) ⊆ Π (Kd ). Theorem 3 shows that a supervisor Sa such that Lm (Sa /Gd ) = supC (Ka , Ga ) ∩ LD is a solution for SCP-D, although it may be suboptimal in the sense that Lm (Π (Sa )/G) ⊆ supC (Π (Kd ), G). Besides, the proximity between supC (Ka , Ga ) and supPΣu (Ka , L(Ga )) gives a measure of how far supC (Ka , Ga ) ∩ LD can be from the optimal solution supC (Kd , Gd ). In particular, if supC (Ka , Ga ) equals supPΣu (Ka , L(Ga )), the solution obtained with the approximation Ga is optimal, as stated by the following corollary. Corollary 2. Given Gd , Ed and Ga as in Theorem 3, if supC (Ka , Ga ) and LD are nonconflicting, then supC (Ka , Ga ) = supPΣu (Ka , L(Ga )) implies supC (Kd , Gd ) = supC (Ka , Ga ) ∩ LD . Corollary 3 states another sufficient condition for the optimality of a solution obtained with a D-Approximation. Corollary 3. Given Gd , Ed , Ga and Ka = Ed ∩ Lm (Ga ) as in Theorem 3, then if Ka is controllable wrt Ga and nonconflicting with LD , then Kd = Ka ∩ LD is controllable wrt Gd , and so a supervisor Sa that implements Ka ∩ LD is an optimal solution for the SCP-D. Proof. First observe that Ka ∩ LD = Ed ∩ Π −1 (Lm (G)) ∩ LDa ∩ LD = Ed ∩ Π −1 (Lm (G)) ∩ LD = Ed ∩ Lm (Gd ) = Kd . Then, since Ka is controllable wrt Ga and nonconflicting with LD , Kd = Ka ∩ LD = supC (Ka , Ga ) ∩ LD ⊆ supC (Kd , Gd ) (Theorem 3). Since Kd ⊃ supC (Kd , Gd ) by definition, then supC (Kd , Gd ) = Kd . Therefore Kd is controllable and Lm (Sa /Gd ) = Ka ∩ LD = Kd . Remark that implementing a supervisor Sa that solves SCP-D, does not require to explicitly calculate the intersection supC (Ka , Ga ) ∩ LD . Instead, the controller may be implemented by two (or more, as HD can be modularly exploited) concurrent nonblocking automata, Va and HD , such that Lm (Va ) = supC (Ka , Ga ) and Lm (HD ) = LD . These automata are driven by the events generated by G and distinguished by D. The resulting control action is such that, after a string in L(Sa /Gd ), Sa enables the events that are eligible in both HD and Va . Finally Π (Sa ) enables the corresponding masks of these events in G. Since supC (Ka , Ga ) and LD are nonconflicting, Sa is nonblocking. The nonconflict test is the only operation that really takes the entire LD model into account. Even so, this test does not necessarily require the full parallel composition of the models, as it can be simplified by the use of projections of languages (Pena, Cury, & Lafortune, 2009) or compositional verification (Flordal & Malik, 2009), for example. From Theorem 3, it follows that the SCP-D can be solved using a D-Approximation Ga for the plant Gd . The coarsest DApproximation Gca , such that LDca = ∆∗ , is an automaton with the same number of states as G. So Ka = Ed ∩ L(Gca ) = Ed ∩ Π −1 (L(G)) can be modeled by an automaton with fewer states

101

Table 2 Synthesis with approximations. Gd (2160, 10 800)

Ed (12, 96)

Kd (7220, 20 234)

Vd (212, 495)

Vd ||HD (212, 495)

Gca (24, 232)

Ed (12, 96)

Kca (288, 1488)

Vca (62, 250)

Vca ||HD (196, 447)

Ga (48, 392)

Ed (12, 96)

Ka (576, 2616)

Va (92, 344)

Va ||HD (212, 495)

than Kd = Ed ∩ Π −1 (L(G)) ∩ LD . The opposite bound is obtained by the distinguisher D, which leads to Kd with the same number of states than K , as discussed in Section 3.4. We may initially attempt to solve the problem with the simplest approximation Gca . If this approach fails or leads to a suboptimal solution, one can improve the result by incrementally refining the approximated model. When the distinguisher HD is modularly designed (as in the example in Section 3.3), intermediate approximations can be obtained by gradually introducing modules of HD in the corresponding distinguisher model, as illustrated in the sequence. Remark that the computational gains of SCP-D with approximations depend not only on the number of states but also on the number of transitions of the automaton for Ka , specially when considering space complexity. Although the number of events in ∆ is larger than in Σ , Kd has always the same number of states and transitions than K , since D is predictable. When the approximation Ga for Gd is obtained by disregarding part of the distinguisher model HD , it would be reasonable to expect that Ka is a simpler language than Kd . However, if the number of refined events grows without restriction, the model of Ka can have more transitions than K , even with fewer states. This issue means that care must be taken to avoid introducing unnecessary refinements to the distinguisher. Nevertheless the following examples show that in practical cases the use of approximations can lead to large time and space computational gains. 4.3. Control solutions for the manufacturing system using DApproximations We revisit the example presented in Sections 3.3 and 3.5, in order to solve it using D-Approximations. We start by using the coarsest D-Approximation Gca of the plant Gd . Gca is constructed by applying a distinguisher Dca over the original plant G, such that Dca is modeled only by H∆ . It follows that LD ⊆ LDca = ∆∗ , which fulfills the Definition 6 and, then, Gca is a D-Approximation. In this case, it also follows that L(Gca ) = Dca (L(G)) = Π −1 (L(G)). Then, the global specification is given by Kca = Ed ∩ Lm (Gca ) and Vca is an automaton for supC (Kca , Gca ). It is possible to show that supC (Kca , Gca ) and LD are nonconflicting. Therefore, Vca and HD (with L(HD ) = LD ) can be used to implement a supervisor Π (Sca ) for G. Table 2, second row, presents the number of states and transitions of the automata used in the synthesis with the coarsest approximation. The synthesis without approximations, first row, is reproduced from Table 1. We observe that the computation of Vca is less complex in time and space than the computation of Vd , as the automaton for Kca has only 288 states and 1488 transitions, whereas Kd has 7.220 states and 20 234 transitions. However, it can be shown that supC (Kca , Gca ) ̸= supPΣu (Kca , L(Gca )). Since conditions of the Corollary 2 are not satisfied, we cannot state whether or not the approximated solution is optimal, i.e., Sca may be more restrictive than Sd . In fact, since the distinguisher model has been omitted from the synthesis, the supervisor Sca does not receive the information that only event f2 follows e2 . Therefore, new arrivals of workpieces in the system must be prevented by Sca until that f 2 effectively occurs,

102

J.E.R. Cury et al. / Automatica 56 (2015) 93–104

Fig. 11. EdO and EdU modeling EO and EU in ∆.

Fig. 9. Small factory with intermediate buffering.

Table 3 No of states and transitions of the automata used to solve the SCP, the SCP-D, and the SCP-D with approximation. Fig. 10. Models for the subsystems M1 and M2 .

which then guarantees (by Ed4 ) that a final test will be performed and the workpiece will leave the system. As a consequence, Sca is more conservative than Sd . Nevertheless, we can supply this information in synthesis by partially considering the distinguisher model, more precisely, the module Hf . Let Ga be then the approximation for Gd obtained by applying the distinguisher Da over G, with Da being defined by the automaton Hf ||H∆ . For LDa = L(Hf ||H∆ ), it follows that LD ⊆ LDa ⊆ ∆∗ . Therefore, Ga is a D-Approximation as in Definition 6 and L(Ga ) = Da (L(G)) = Π −1 (L(G)) ∩ LDa . The automaton modeling the specification Ka = Ed ∩ L(Ga ) has 576 states and 2616 transitions, and Va such that Lm (Va ) = supC (Ka , Ga ) has 92 states and 344 transitions, as shows the third row of Table 2. By checking that Va ||HD is nonblocking, we know that supC (Ka , Ga ) and LD are nonconflicting. Therefore, supC (Ka , Ga ) ∩ LD is a solution for SCP-D, by Theorem 3. Moreover, now we have supC (Ka , Ga ) = supPΣu (Ka , L(Ga )). This ensures, by Corollary 2, that Va and HD can be used to implement an optimal control solution for the manufacturing system, such that Lm (Π (Sa )/Gd ) = Π (supC (Ka , Ga ) ∩ LD ) = supC (Π (Kd ), G). 4.4. Another example We further present another example, aiming to illustrate the computational advantages of using distinguishers and approximations in synthesis. Consider the small manufacturing system presented in Fig. 9. The system is composed by two machines (M1 and M2 ) operating sequentially, intermediated by a buffer B. Fig. 10 presents the automata G1 and G2 modeling respectively M1 and M2 . Events a and c respectively model when M1 and M2 start to operate, while b and d model when they finish. The open-loop behavior of the system is represented by the composition G = G1 ||G2 , with Σ = {a, b, c , d}, where it is assumed that Σc = {a, c } and Σu = {b, d}. For this example, let us consider that the control objective is to avoid overflow (EO ) and underflow (EU ) in B. The question that comes at this point is: ‘‘how EO and EU can be modeled using the original events, i.e., those naturally provided by the plant?’’ In fact, this task requires, for each specification, structuring the whole combination of pick-ups/drop-offs events in the buffer, which means to model an automaton with n + 1 states. Obtaining such models with n + 1 states with events in Σ , in this particular case, is straightforward in terms of modeling effort. Nonetheless, the number of states of EO and EU depends on the buffer size n; the models for EO and EU are not directly suitable for modularization; and also, the control synthesis can be complex for large buffers. The use of a distinguisher can help to overcome these drawbacks, as shown in the following. 4.4.1. Modeling the distinguisher We apply the guideline presented in Section 3.2 in order to construct a distinguisher for this example, as follows:

G (4, 8)

E (n + 1, 2n)

(4n + 4, 8n + 4)

K

V (4n + 2, 8n)

Gd (4n + 4, 8n + 8)

Ed (4, 20)

Kd (4n + 4, 8n + 4)

Vd (4n + 2, 8n)

Ga (4, 20)

Ed (4, 20)

Ka (16, 72)

Va (12, 47)

(i) modeling EU and EO requires to respectively know when the buffer becomes empty or full; for that, we refine Σ in a way to identify c when it removes the last workpiece (c1 ) and to identify b when the buffer becomes full (bn ). Further, c0 and bn+1 are used to represent underflow and overflow events, respectively. The automata EdO and EdU in Fig. 11 model the specifications EO and EU using only two states; (ii) based on the previous step, we further refine b and c such that ∆b = {b1 , bint , bn , bn+1 } and ∆c = {c0 , c1 , cint , cn }, where bint and cint respectively model when a workpiece is dropped-off in B and picked-up from B in one of its intermediate positions; (iii) as a and d are not required to be refined, then we define ∆a = {a} and ∆d = {d}, and finally ∆ = ∆a ∪ ∆b ∪ ∆c ∪ ∆d ; (iv) a distinguisher that implements the semantic for the refined events is presented in Fig. 12. HD results from the composition of distinguisher modules that can be individually designed by automata with only 2 states, independently on n. We obtain the models Ga1 with L(Ga1 ) = Π −1 (L(G1 )) and Ga2 with L(Ga2 ) = Π −1 (L(G2 )) by replacing the original events by the corresponding set of refined ones, as shown in Fig. 13. 4.4.2. Synthesis with approximation Now, we obtain a control solution for the presented example, by solving both SCP, and SCP-D with approximation. In the SCP, the plant is given by G = G1 ||G2 and the global specification is given by K = E ∩ Lm (G), where it is assumed that the automaton for E is designed in the original alphabet, structuring the whole traces of events. The optimal solution supC (K , G) is modeled by the nonblocking automaton V . In the SCP-D with approximation, the plant is given by Ga = Ga1 ||Ga2 , such that L(Ga ) = Π −1 (L(G)), and the global specification is given by Ka = Ed ∩ Lm (Ga ), where Ed is the language of the automaton EdO |EdU . Va is a nonblocking automaton such that Lm (Va ) = supC (Ka , Ga ). Table 3 presents a comparison of the automata obtained in the synthesis approaches for a buffer with size n. Observe that, while the computational complexity in time and space of the synthesis grows with n for the SCP and SCP-D, it does not depend on n with the use of the coarsest D-Approximation Ga . By Theorem 3, Va and HD can be used to implement a nonblocking supervisor Π (Sa ) for G if supC (Ka , Ga ) and LD are nonconflicting. Furthermore, since we have that supC (Ka , Ga ) = supPΣu (Ka , L(Ga )), by Corollary 2, nonconflict also implies that Sa is an optimal supervisor. Remark that the automaton HD with n + 1 states is needed only to test nonconflict with Va and to implement the corresponding supervisor Sa . In fact, nonconflict is true for all large n we have tested. If we assume that nonconflict holds for any n, Va , with 12 states and 47 transitions, represents an optimal solution of the SCP-D for the small manufacturing system with buffers of any size.

J.E.R. Cury et al. / Automatica 56 (2015) 93–104

103

Fig. 12. Distinguisher model HD = H1 ∥Hint ∥Hn ||H∆ .

• Lm ( H ) = L1 , • Y ⊆ X × (Q ∪ {dump}) and • s ̸∈ L2 ↔ h(y0 , s) = (x, dump), for some x ∈ X . Fig. 13. Models for the plants Ga1 and Ga2 , in ∆.

5. Conclusion This paper presents the concept of distinguishers as a way to simplify the synthesis of supervisors for DES. It has been shown that a distinguisher allows to represent complex control specifications in a simpler manner, without losing optimality of the resulting supervisor. The price of this simplification is that plant models become more complex when incorporating the distinguisher model. Although the behavior of the distinguisher is necessary to implement the supervision system, we have shown that, under certain conditions, it can be disregarded from its synthesis. In this context, we have introduced a class of approximations for the plant model, that tends to be simpler, in terms of number of states and transitions, while compact specifications can still be used in synthesis. As a result, the computational effort required to compute a control solution is reduced. We have introduced conditions under which this approach leads to a solution for the supervisory control problem. We also have provided a way to test the optimality of the solution obtained with approximations. The use of our approach in two manufacturing system examples has shown to be practically sound and computationally advantageous. Current works conducted by our research group have extended the use of distinguishers to the modular control framework. Preliminary results have shown that a distinguisher can be selectively applied to modules of the control system (Teixeira, Cury, & de Queiroz, 2011), and that approximations are also suitable for modular control (Teixeira, Cury, & de Queiroz, 2013). Future research aims to derive conditions under which the nonconflict between approximated supervisor and distinguisher language could be ensured, by construction. We also intend to assess the use of distinguishers in face to another alternatives of modeling, such as the use of extended automata (Teixeira, Malik, Cury, & de Queiroz, 2014). Appendix In this appendix, we show how to compute supPΛ (L1 , L2 ). For languages L1 and L2 in ∆∗ , define the set PΛ (L1 , L2 ) = {K ⊆ L1 |K is Λ-Preserving wrt L2 }. Proposition 7. The set PΛ (L1 , L2 ) is closed under unions. Proof. Let K1 , K2 ⊆ Λ(L1 , L2 ). Then, for any ∆σ with σ ∈ Λ and s ∈ K1 ∪ K2 = K1 ∪ K2 , s∆σ ∩ L2 ̸= ∅ implies s∆σ ∩ K1 ̸= ∅ and s∆σ ∩ K2 ̸= ∅. Thus s∆σ ∩ K1 ∪ K2 = s∆σ ∩ (K1 ∪ K2 ) = (s∆σ ∩ K1 ) ∪ (s∆σ ∩ K2 ) ̸= ∅. Therefore, PΛ (L1 , L2 ) has a supremal element, denoted supPΛ (L1 , L2 ), that can be computed as follows. Assume that L1 and L2 are regular languages in ∆∗ . Let F = (X , ∆, f , x0 , Xm ), with Lm (F ) = L1 , G = (Q , ∆, g , q0 , Qm ), with Lm (G) = L2 , and H = (Y , ∆, h, y0 , Ym ), be nonblocking finite state automata, where H is built such that

For Z ⊆ Y define (Z )Λ−Pres = {(x, q) ∈ Z |(q = dump) or Π (Γ (G, q)) ∩ Λ ⊆ Π (Γ (F , x) ∩ Γ (G, q))}. (Y )Λ−Pres is the set of states of H that are reachable by strings in L1 −L2 or states reachable by strings in L2 such that any continuation with a mask in Λ keeps at least one representative in L1 . Thus, (Y )coh is the set of states of H satisfying Λ-Preser v ing of L1 wrt L2 (‘‘good states’’). Then we can define an operator P Λ (H ) that erases ‘‘bad states’’ of H as follows. P Λ (H ) = Trim(Y ′ , ∆, h′ y′0 , Ym ∩ Y ′ ) where Y ′ = (Y )Λ-Pres , y′0 =



y0 , undefined

if y0 ∈ Y ′ ; otherwise.

and h (y, δ) = ′

h(y, δ), undefined,



if h(y, δ) ∈ Y ′ ; otherwise.

Note that the Trim operation can turn some states of (Y )Λ−Pres into ‘‘bad states’’. Therefore, we define the sequence:



H0 = H , Hi+1 = P Λ (Hi ),

i = 0, 1, . . . .

Clearly this sequence preserves regularity and converges in a finite Λ number of steps for a finite H. Then, we can define P∞ (H ) = Λ limi→∞ Hi . It can be shown that Lm (P∞ (H )) = supPΛ (L1 , L2 ). Lemma 5. For languages L1 and L2 in ∆∗ , and the automaton H defined as above, let H ′ ⊑ H (H ′ is a subautomaton of H) and K ⊆ Lm (H ′ ). If K is Λ − Preser v ing w.r.t. L2 then K ⊆ Lm (P Λ (H ′ )). Proof. Suppose K is Λ − Preser v ing w.r.t. L2 and there exists s ∈ K such that s ̸∈ Lm (P Λ (H ′ )). Since s ∈ Lm (H ′ ), there exists t ≤ s such that f ′ ((x0 , q0 ), t ) = (x, q), (x, q) ∈ Y , (x, q) ̸∈ (Y )(Π )coh . By consequence, q ̸= dump and Π (Γ (G, q)) ∩ Λ ̸⊆ Π (Γ (F , x) ∩ Γ (G, q)). Therefore s ∈ L2 and there exists σ ∈ Λ such that t ∆σ ∩ L2 ̸= ∅ and t ∆σ ∩ L1 = ∅, what contradicts the assumption that K is Λ − Preser v ing w.r.t. L2 . Λ Proposition 8. For L1 , L2 and H defined as above, Lm (P∞ (H )) = supPΛ (L1 , L2 ). Λ Λ (H )) ⊆ Lm (H ) = Proof. (1) P∞ (H ) ⊑ H implies that Lm (P∞ Λ L1 . Since all states of P∞ (H ) satisfy Λ − Preser v ing of L1 w.r.t. Λ Λ L2 , Lm (P∞ (H )) is Λ − Preser v ing w.r.t. L2 . Thus, Lm (P∞ (H )) ⊆ supPΛ (L1 , L2 ). (2) supPΛ (L1 , L2 ) ⊆ L1 = Lm (H ) = Lm (H0 ). Assume that supPΛ (L1 , L2 ) ⊆ Lm (Hi ). By Lemma 5, we have supPΛ (L1 , L2 ) ⊆ Lm (P Λ (Hi )) = Lm (Hi+1 ). By induction on i, it follows that Λ supPΛ (L1 , L2 ) ⊆ Lm (P∞ (H )).

Assuming that |X | = m and |Q | = n, the algorithm above computes supPΛ (L1 , L2 ) with complexity O(m2 n2 ) in time.

104

J.E.R. Cury et al. / Automatica 56 (2015) 93–104

References Aguiar, R. S. S., Cunha, A. E. C., Cury, J. E. R., & Queiroz, M. H. (2013). Heuristic search of supervisors by approximated distinguishers. In IFAC workshop on dependable control of discrete systems (pp. 121–126). York, England. Bouzon, G., de Queiroz, M. H., & Cury, J. E. R. (2008). Supervisory control of DES with distinguishing sensors. In Proc. 9th international workshop on discrete event systems (pp. 390–391). Gothenburg, Sweden. Bouzon, G., de Queiroz, M. H., & Cury, J. E. R. (2009). Exploiting distinguishing sensors in supervisory control of DES. In Proc. 7th IEEE international conference on control and automation (pp. 442–447) Christchurch, New Zealand. Cassandras, C. G., & Lafortune, S. (2008). Introduction to discrete event systems (2nd ed.). NY: Springer Science. Chen, Y. L., & Lin, F. (2001). Safety control of discrete event systems using finite state machines with parameters. In Proc. american control conference (pp. 975–980). Arlington, VA. Cieslak, R., Desclaux, C., Fawaz, A. S., & Varaiya, P. (1988). Supervisory control of discrete-event processes with partial observations. IEEE Transactions on Automatic Control, 33(3), 249–260. da Cunha, A. E. C., & Cury, J. E. R. (2007). Hierarchical supervisory control based on discrete event systems with flexible marking. IEEE Transactions on Automatic Control, 52(Dec.), 2242–2253. Feng, L., & Wonham, W. M. (2008). Supervisory control architecture for discreteevent systems. IEEE Transactions on Automatic Control, 53(6), 1449–1461. Flordal, H., & Malik, R. (2009). Compositional verification in supervisory control. SIAM Journal on Control and Optimization, 48(3), 1914–1938. Haji-Valizadeh, A., & Loparo, K. A. (1996). Minimizing the cardinality of an events set for supervisors of discrete-event dynamical systems. IEEE Transactions on Automatic Control, 41(11), 1579–1593. Huang, Y., Rudie, K., & Lin, F. (2008). Decentralized control of discrete-event systems when supervisors observe particular event occurrences. IEEE Transactions on Automation Control, 53(1), 384–388. Khuller, S., Kortsarz, G., & Rohloff, K. (2004). Approximating the minimal sensor selection for supervisory control. In Proc. 7th international workshop on discrete event systems, Reims, France. Kumar, R., & Garg, V. K. (2005). On computation of state avoidance control for infinite state systems in assignment program framework. IEEE Transactions on Automation Science and Engineering, 2(1), 87–91. Lin, F., & Wonham, W. M. (1988). On observability of discrete-event systems. Information Sciences, 44(3), 173–198. Lin, F., & Wonham, W. M. (1990). Decentralized control and coordination of discrete-event systems with partial observation. IEEE Transactions on Automatic Control, 35(12), 1330–1337. Mohajerani, S., Malik, R., & Fabian, M. (2014). A framework for compositional synthesis of modular nonblocking supervisors. IEEE Transaction on Automatic Control, 59(1), 150–162. Oliveira, C., Cury, J. E. R., & Kaestner, C. A. A. (2004). Discrete event systems with guards. In Proc. 11th IFAC symposium on information control problems in manufacturing (pp. 90–95). Salvador, Brazil. Ouedraogo, L., Kumar, R., Malik, R., & Akesson, K. (2011). Nonblocking and safe control of discrete-event systems modeled as extended finite automata. IEEE Transactions on Automation Science and Engineering, 8(3), 560–569. Pena, P. N., Cury, J. E. R., & Lafortune, S. (2009). Verification of nonconflict of supervisors using abstractions. IEEE Transactions on Automatic Control, 54(12), 2803–2815. Ramadge, P. J., & Wonham, W. M. (1987). Supervisory control of a class of discrete event processes. SIAM Journal on Control and Optimization, 25(1), 206–230. Rudie, K., & Wonham, W. M. (1992). Think globally, act locally: Decentralized supervisory control. IEEE Transactions on Automatic Control, 37(11), 1692–1708. Schmidt, K., Moor, T., & Perk, S. (2008). Nonblocking hierarchical control of decentralized discrete event systems. IEEE Transactions on Automatic Control, 53(10), 2252–2265. Teixeira, M., Cury, J. E. R., & de Queiroz, M. H. (2011). Local modular supervisory control of DES with distinguishers. In Proc. 16th IEEE international conference on emerging technologies and factory automation (pp. 1–8). Toulouse, France. Teixeira, M., Cury, J. E. R., & de Queiroz, M. H. (2013). Local modular control with distinguishers applied to a manufacturing system. In 2013 IFAC international conference on manufacturing modelling, management and control, Saint Petersburg, Russia. Teixeira, M., Malik, R., Cury, J. E. R., & de Queiroz, M. H. (2014). Supervisory control of des with extended finite-state machines and variable abstraction. IEEE Transactions on Automatic Control, 60(1), 118–129. Wong, K. C., & Wonham, W. M. (1996). Hierarchical control of discrete-event systems. Discrete Event Dynamic Systems: Theory and Applications, 6(3), 241–273.

Yoo, T., & Lafortune, S. (2002). A general architecture for decentralized supervisory control of discrete-event systems. Discrete Event Dynamic Systems: Theory and Applications, 12(3), 335–377. Yoo, T., & Lafortune, S. (2002). NP-completeness of sensor selection problems arising in partially-observed discrete-event systems. IEEE Transactions on Automatic Control, 47(9), 1495–1499. Zhong, H., & Wonham, W. M. (1990). On the consistency of hierarchical supervision in discrete-event systems. IEEE Transactions on Automatic Control, 35(10), 1125–1134.

José E. R. Cury received the B.S. degree in electrical engineering from the National University of Brasilia (UnB), Brazil, in 1975, the M.S. degree from the State University of Campinas (UNICAMP), Brazil, in 1979, and the ‘‘Doctorat D’état Es Sciences’’ from the Paul Sabatier University, Toulouse, France, in 1983. Currently he is a full professor at the Department of Automation and Systems of the Federal University of Santa Catarina (UFSC), Brazil. He has been a visiting researcher at Carnegie Mellon University (1995–96) and at the Universities of Angers (2005) and Nantes (2006 and 2007–08). He has been Associated Editor of the IEEE Transactions on Automatic Control (2005–2008) and of the European Journal of Automation (2008-). José has participated in several conference committees as WODES, IFAC World Conf, CDC, CCA, DCDS and others. Areas of expertise include Supervisory Control of Discrete Event and Hybrid Systems, with applications in Manufacturing Systems, Transportation Systems and Systems Biology. Max Hering de Queiroz graduated in Automation and Control Engineering in 1998 and received his master and doctorate in Electrical Engineering at the Federal University of Santa Catarina, Brazil, in 2000 and 2004, respectively. From November 2002 to August 2003 he was a visiting student in the Systems Control Group at the University of Toronto, Canada. From 2004 to 2006 he was with the Federal Center of Technological Education of Santa Catarina as a professor of the Technology Undergraduate Course on Industrial Automation. In 2006, he joined the Department of Automation and Systems at the Federal University of Santa Catarina, where he is currently Associate Professor and a Full Member of the Graduate Program on Systems and Automation Engineering (PGEAS). His current research interests are in the theory and applications of discrete-event systems in various domains, including manufacturing systems, industrial informatics, robotics, scheduling, oil and gas industry and systems biology.

Gustavo Bouzon was born in Brazil in 1978. He received the B.Sc. degree from Universidade Federal de Santa Catarina (UFSC) in 2002 in Automation and Control Engineering and the M.Sc. degree in Electrical Engineering from the same institution in 2004. From 2005 to 2012 he held different software engineering duties in the automation industry (ranging from embedded software to SCADA applications). He holds since 2012 a position as a Finance and IT Analyst at the Office of the Comptroller General.

Marcelo Teixeira received his B.Sc. degree in Computer Science from the University of Passo Fundo, Brazil, in 2007, his M.Sc. degree in Computer Engineering from the University of Pernambuco, Brazil, in 2009, and his Ph.D. degree in Automation and Systems Engineering from the Federal University of Santa Catarina, Brazil, in 2013. From May 2012 to February 2013 he was with the Research Group on Formal Methods, at the Department of Computer Science at the University of Waikato in Hamilton, New Zealand, for a doctoral stage. Since 2013, he has been a faculty member of the Department of Informatics at the Federal University of Technology Paraná, Brazil. His current research interests include Discrete Event Systems, Manufacturing Systems, Service-Oriented Architectures and modeling approaches.