4th IFAC Workshop on Dependable Control of Discrete Systems The International Federation of Automatic Control September 4-6, 2013. University of York, York, UK
Synthesizing bounded-delay communication protocols for decentralized discrete-event systems
J.D. Maguire, S.L. Ricker
Dept. of Mathematics & Computer Science, Mount Allison University, Sackville, NB, Canada (e-mail: {jdmaguire,lricker}@mta.ca)
Abstract: A strategy for synthesizing communication protocols for a given upper-bounded delay d is proposed for decentralized discrete-event control. Previous work in the control domain has examined circumstances when all observations are communicated, under conditions of bounded delay, as well as determining whether or not a synchronous communication protocol is robust w.r.t. a given bounded delay. We are interested, without resorting to fully timed models, in the direct synthesis of communication protocols for a given upper-bounded delay [0, d], where d ∈ N_0.
1. INTRODUCTION
Synchronous communication between discrete-event agents (e.g., controllers, diagnosers, prognosticators) has been introduced to allow the decision makers to correctly solve problems when such decisions cannot be reached in the absence of communication. There are certain architectures where synchronous communication is acceptable, for instance, in time-triggered architectures (Kopetz and Bauer (2003)); however, we are interested in communication protocols where delay in the arrival of messages is unavoidable. Initial investigations of delayed communication focused on the case when all observable events were communicated (Tripakis (2004); Hiraishi (2009)). More recently, the robustness of synchronous communication protocols, where not all observations are communicated, was examined under conditions of bounded delay (Sadid et al. (2012)).

We are interested in the direct synthesis of a communication protocol when the delay is roughly known: given a delay with an upper bound of d, we want to synthesize a communication protocol that will allow discrete-event agents to take the correct decisions. Instead of the additional complexity of setting the problem in a decentralized timed DES framework (e.g., Nomura and Takai (2012)), we perform the modelling in an untimed system, but assume that there is a global clock and incorporate a “tick” event, denoted by τ, to indicate the passage of a clock cycle. Although we consider this to be an untimed model, τ is used solely to measure the number of events that occur between clock cycles. The key idea is that although the uncontrolled system is oblivious to the communication protocol, we augment each decentralized agent’s view of the uncontrolled system with new events that represent messages it must send and messages that it will “eventually” receive (anywhere between 0 and d clock cycles). The propagation of delayed messages is performed by composing rational transducers. We will synthesize a communication protocol that allows the correct control decisions to be taken whether the message arrives as early as zero delay or as late as the upper bound d.

The paper is organized as follows. We begin with a brief review of decentralized discrete-event control and synchronous communication protocols in this domain. Subsequently, we present some algorithms and notation that will allow the introduction of the observational property we are interested in when communication occurs under conditions of uncertain but bounded delay. We then describe a procedure for synthesizing communication protocols that solves the control problem when subjected to bounded delay and illustrate our strategy on an example.
2. PRELIMINARIES
We follow the framework for supervisory control of discrete-event systems as introduced in Ramadge and Wonham (1987). Hence, we model a discrete-event system using a finite-state automaton M_L = (Q, Σ, T_L, q_0), where Q is a finite set of states, T_L ⊆ Q × Σ × Q is a transition relation, and q_0 ∈ Q is the initial state. The transition relation is easily extended to Σ* and we say L := {s ∈ Σ* | ∃q ∈ Q s.t. (q_0, s, q) ∈ T_L}. For L ⊆ Σ*, we have L̄ := {v ∈ Σ* | ∃w ∈ Σ*, u ∈ L such that u = vw}. Then L is prefix-closed if L = L̄. We assume prefix-closed languages from now on. The regular language L generated by M_L describes the behaviour of the uncontrolled system. In addition, the alphabet Σ is the disjoint union of two types of events: (i) observable and unobservable events Σ = Σ_o ⊎ Σ_uo; and (ii) controllable and uncontrollable events Σ = Σ_c ⊎ Σ_uc.
978-3-902823-49-6/2013 © IFAC
The decentralized control problem arises when controllers cooperate by fusing their local control decisions about certain behaviours (e.g., disable or enable a specific event) to issue global control decisions so that a specification language K ⊆ L is recognized (and we have the corresponding automaton M_K ⊑ M_L). We also assume that we can identify transitions in the following way: T_L = T_Good ∪ T_Bad,
10.3182/20130904-3-UK-4041.00040
[Fig. 1 (rendered figure, not reproduced): M_L has two paths from the initial state 0, namely 0 -a-> 1 -e-> 3 -f-> 5 -b-> 7 -c-> 9 -g-> 11 -σ-> 13 and 0 -e-> 2 -f-> 4 -a-> 6 -g-> 8 -b-> 10 -c-> 12 -σ-> 14; the solid transitions form M_K (see the caption below).]

When I = {1}, this property is called observability. The idea is that at least one controller, with the authority to control σ, can definitively determine, based only on its partial observation of system behaviour, that σ takes the system out of K.
When K is not co-observable, but is observable and controllable, we can design a synchronous communication protocol so that the correct control decisions are taken. The principle behind the design of a communication protocol is to identify information that, when communicated and received, allows the recipient, a previously-confused controller, to take the correct control decision. The strategy we adopt involves the identification of specific transitions (Ricker (2008)) to indicate positions where observational disambiguation can occur through communication of the transition label.
Fig. 1. Joint M_L (all transitions) and M_K (collection of solid transitions).

where T_Good = T_K and T_Bad = T_L ∖ T_K. For decentralized systems, we assume the presence of n ≥ 2 controllers. In the classic formulation of the problem, there is no communication among controllers (Rudie and Wonham (1992)). In the event that a control solution cannot be found in one of the various decentralized architectures (Rudie and Wonham (1992); Yoo and Lafortune (2004); Chakib and Khoumsi (2011)), there are conditions under which decentralized communication protocols can be synthesized, allowing synchronously communicating controllers to reach a control decision (e.g., Wong and van Schuppen (1996); Barrett and Lafortune (2000); Ricker (2008)).
A decentralized control problem is characterized by each controller’s set of local events it observes Σ_{o,i} ⊆ Σ_o ⊆ Σ and a set of local events it controls Σ_{c,i} ⊆ Σ_c ⊆ Σ, for i ∈ {1, …, n}. We can similarly classify transitions: T_{o,i} ⊆ T_o ⊆ T, where T_{o,i} := {(q, σ, q′) ∈ T | σ ∈ Σ_{o,i}} and T_o := {(q, σ, q′) ∈ T | σ ∈ Σ_o}; T_{c,i} ⊆ T_c ⊆ T, where T_{c,i} := {(q, σ, q′) ∈ T | σ ∈ Σ_{c,i}} and T_c := {(q, σ, q′) ∈ T | σ ∈ Σ_c}. For notational convenience, we let I = {1, …, n}, I_c(σ) = {i ∈ I | σ ∈ Σ_{c,i}}, and I_o(σ) = {i ∈ I | σ ∈ Σ_{o,i}}. We introduce a running example, shown in Fig. 1, that we will use to illustrate our strategy in the sequel. Let I = {1, 2} where Σ_{o,1} = {a, b, c, σ}, Σ_{o,2} = {e, f, g, σ} and Σ_{c,1} = Σ_{c,2} = {σ}.

The synthesis of a communication protocol produces a set of communication transitions for each controller i ∈ I: T_i^! = ⋃_{j∈I∖{i}} T_{i,j}^! ⊆ T_{o,i}, where T_{i,j}^! identifies when i sends a message to j.
Definition 3. Given a language L over alphabet Σ. For every i ∈ I, we define a communication protocol for controller i as Π_i^! = ⟨π_{i,1}^!, …, π_{i,n}^!⟩, with π_{i,j}^! : L → Σ_{o,i} ∪ {ε} (j ∈ I ∖ {i}) defined as follows. For all q_0 --s--> q′ --σ--> q′′ ∈ T_L,
π_{i,j}^!(sσ) = σ, if (q′, σ, q′′) ∈ T_{i,j}^!; and ε, otherwise.
The overall communication protocol is then defined as Π^! = (Π_i^!)_{i∈I}. Communication must be sent in an observationally equivalent fashion, called feasibility (Rudie et al. (2003)), regardless of the delay in the reception of the messages. Thus we simply want to ensure that a controller communicates consistently w.r.t. its observations.
Definition 4. A communication protocol is feasible iff
(∀i ∈ I)(∀s, s′ ∈ K) π_i(s) = π_i(s′) ⇒ (∀j ∈ I) π_{i,j}^!(s) = π_{i,j}^!(s′).
The partial observation a controller has of system behaviour is defined by the natural projection π_i : Σ* → Σ_{o,i}*, which simply removes occurrences of any events in Σ ∖ Σ_{o,i} from a sequence s ∈ Σ*. The inverse projection is π_i^{-1} : Σ_{o,i}* → 2^{Σ*} and captures all the sequences s that produce the same natural projection for controller i. For readability, we will denote π_i^{-1}[π_i(s)] by [s]_i, where s ∈ Σ*. We similarly define partial observation over Σ_o by π : Σ* → Σ_o* and assume an equivalent abbreviation for π^{-1}[π(s)], where s ∈ Σ*. Finally, we say that q_1, q_2 ∈ Q are equivalent with respect to i, denoted q_1 ∼_i q_2, if ∃s_1, s_2 ∈ Σ* such that (q_0, s_1, q_1), (q_0, s_2, q_2) ∈ T and π_i(s_1) = π_i(s_2).
Thus, after determining the initial sets T_i^!, we must ensure that each such set is closed under equivalence (i.e., ∼_i). We use a special product that we call synchronized composition, denoted by ×_S, which is defined as follows. Assume that we have n finite-state automata M_1, …, M_n, where M_j = (Q_j, Σ_j^ε, T_j, q_{0,j}), for j = 1, 2, …, n, Σ^ε = Σ ∪ {ε} and T_j includes self-loops of ε at every state in Q_j. Then M_{×S} = M_1 ×_S M_2 ×_S … ×_S M_n = (Q_S, Σ_S, T_S, ⟨q_{0,1}, q_{0,2}, …, q_{0,n}⟩), where Q_S ⊆ Q_1 × Q_2 × … × Q_n; Σ_S ⊆ Σ_1 × Σ_2 × … × Σ_n; and T_S ⊆ Q_S × Σ_S × Q_S. To synthesize communication protocols, we will take the synchronized composition of M_L (to which self-loops of ε have been added for the synchronized composition), and n augmented copies of M_L, customized for each i ∈ I, to which potential communication events have been added. The specifics of this construction are presented in the next section.
To find decentralized discrete-event controllers to ensure that the controlled system performs K ⊆ L, we require K to be controllable and co-observable:
Definition 1. (Ramadge and Wonham (1987)) A language K ⊆ L is controllable wrt L and Σ_uc iff KΣ_uc ∩ L ⊆ K. That is, an uncontrollable event cannot take the system out of the specification.
Definition 2. (adapted from Rudie and Wonham (1992)) A language K ⊆ L = L̄ is co-observable with respect to L, π_i and Σ_c iff
(∀s ∈ K)(∀σ ∈ Σ_c) sσ ∈ L ∖ K ⇒ (∃i ∈ I_c(σ)) [s]_i σ ∩ K = ∅.

Rational transducers are often used for rewriting systems, and are generalizations of automata. We will use transducers to incorporate communication information into a decentralized controller’s view of the system behaviour.
The rational transducers we use here are defined by T = (Q, Σ, Γ, E, q0 ), where Q is a finite set of states; Σ is the input alphabet; Γ is the output alphabet; E ⊆ Q × Σ × Γ × Q is the transition relation; and q0 ∈ Q is the initial state. Note that we can convert our automaton ML into a transducer by adding an empty output alphabet, i.e., Γ = {ε}. We compose two rational transducers as follows: TA = (Q, Σ, Γ, α, q0 ) and TB = (P, Γ, ∆, β, p0 ). Then TC = TA ○ TB = (Q × P, Σ, ∆, ω, (q0 , p0 )) where ω = {((q, p), (σ, δ), (q ′ , p′ )) ∣ (∃γ ∈ Γ)(q, (σ, γ), q ′ ) ∈ α and (p, (γ, δ), p′ ) ∈ β}. The composition of two rational transducers is also rational and generates a regular language (see Rozenberg and Salomaa (1997) for details).
and T_i^? (received messages), we update M_L for controller i, according to Algorithm 1, to produce M_i^{!?}. To build the set of potential communication transitions, we use a somewhat brute-force strategy: given a value for d, we simply choose as messages for controller i to send to controller j all events in Σ_{o,i} ∖ Σ_{o,j} that occur at least d events before a violation of co-observability. In Fig. 1, K is not co-observable, since no controller in I_c(σ) can distinguish aefbcg from efagbc. Thus, a violation of co-observability occurs at state 11 and state 12. Let d = 2; then the set of initial communication transitions is T_{1,2}^! = {(0, a, 1), (5, b, 7), (4, a, 6)} and T_{2,1}^! = {(1, e, 3), (3, f, 5), (1, e, 2), (2, f, 4), (6, e, 8)}. Although not explicitly stated, we assume that T_{i,i}^! = ∅, for i ∈ I. To achieve a feasible initial communication protocol, we add transitions (7, c, 9), (8, b, 10), (10, c, 12) to T_{1,2}^! and (9, g, 11) to T_{2,1}^!.
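The co-observability test of Definition 2 and the brute-force choice of initial communication transitions just described, worked on the Fig. 1 example in Python (an added example, not the authors' code). It assumes M_L is acyclic, reads the solid/dashed split of Fig. 1 from the text (both aefbcg and efagbc lie in K and only (12, σ, 14) is in T_Bad), and takes "at least d events before a violation" to mean at least d events strictly between the communicated event and the violating σ, a reading fitted to the d = 2 sets quoted above.

```python
"""Added example (not the authors' code): the co-observability test of Definition 2
and the Section 3.1 choice of initial communication transitions, run on Fig. 1.
Assumes M_L is acyclic, so L and K are finite."""

# Constructed from Fig. 1 as read from the text: both aefbcg and efagbc are in K,
# and the single transition (12, σ, 14) is T_Bad = T_L \ T_K.
T_K = {(0, 'a', 1), (1, 'e', 3), (3, 'f', 5), (5, 'b', 7), (7, 'c', 9),
       (9, 'g', 11), (11, 'σ', 13), (0, 'e', 2), (2, 'f', 4), (4, 'a', 6),
       (6, 'g', 8), (8, 'b', 10), (10, 'c', 12)}
T_BAD = {(12, 'σ', 14)}
T_L = T_K | T_BAD
SIGMA_O = {1: {'a', 'b', 'c', 'σ'}, 2: {'e', 'f', 'g', 'σ'}}   # Σ_o,i
SIGMA_C = {1: {'σ'}, 2: {'σ'}}                                  # Σ_c,i


def paths(T, q0=0):
    """Every path from q0 as a list of transitions (the empty path included)."""
    out, stack = [[]], [(q0, [])]
    while stack:
        q, p = stack.pop()
        for t in T:
            if t[0] == q:
                out.append(p + [t])
                stack.append((t[2], p + [t]))
    return out


def word(p):
    """The string generated by a path."""
    return ''.join(t[1] for t in p)


def proj(s, sigma_o):
    """Natural projection π_i: erase every event outside Σ_o,i."""
    return ''.join(e for e in s if e in sigma_o)


def coobservability_violations(T_L, T_K, sigma_o, sigma_c, q0=0):
    """Pairs (s, σ) with s ∈ K and sσ ∈ L \\ K for which no controller in I_c(σ)
    satisfies [s]_i σ ∩ K = ∅.  Each entry also carries, per controller i, the
    K-strings s' it confuses with s (π_i(s') = π_i(s) and s'σ ∈ K).
    An empty list means K is co-observable (Definition 2); with one controller
    that observes all of Σ_o the same check is plain observability."""
    L = {word(p) for p in paths(T_L, q0)}
    K = {word(p) for p in paths(T_K, q0)}
    violations = []
    for s in sorted(K):
        for sigma in sorted(set().union(*sigma_c.values())):
            if s + sigma not in L or s + sigma in K:
                continue
            confused = {i: {t for t in K
                            if proj(t, sigma_o[i]) == proj(s, sigma_o[i])
                            and t + sigma in K}
                        for i, c in sigma_c.items() if sigma in c}
            if all(confused.values()):      # every controller in I_c(σ) is confused
                violations.append((s, sigma, confused))
    return violations


def path_of(T, s, q0=0):
    """Transition sequence of string s in the (deterministic) automaton T."""
    p, q = [], q0
    for e in s:
        (t,) = [t for t in T if t[0] == q and t[1] == e]
        p.append(t)
        q = t[2]
    return p


def initial_comm_transitions(T_L, T_K, sigma_o, sigma_c, d, q0=0):
    """Section 3.1 selection: along the violating string and every K-string a
    controller confuses it with, controller i sends to j each event in
    Σ_o,i \\ Σ_o,j that is followed by at least d further events before the
    violating controllable event (that reading of "at least d events before a
    violation" is inferred from the d = 2 sets given in the text).
    Returns {(i, j): T_{i,j}^!}."""
    comm = {(i, j): set() for i in sigma_o for j in sigma_o if i != j}
    for s, sigma, confused in coobservability_violations(T_L, T_K, sigma_o, sigma_c, q0):
        strings = {s + sigma} | {t + sigma for ts in confused.values() for t in ts}
        for w in strings:
            p = path_of(T_L, w, q0)
            for k, t in enumerate(p[:-1]):
                if len(p) - 2 - k >= d:          # ≥ d events strictly between t and σ
                    for (i, j), chosen in comm.items():
                        if t[1] in sigma_o[i] - sigma_o[j]:
                            chosen.add(t)
    return comm


if __name__ == '__main__':
    print(coobservability_violations(T_L, T_K, SIGMA_O, SIGMA_C))
    print(initial_comm_transitions(T_L, T_K, SIGMA_O, SIGMA_C, d=2))
```

Running it reports the single violation efagbcσ (both controllers confuse efagbc with aefbcg) and reproduces T_{1,2}^! = {(0, a, 1), (5, b, 7), (4, a, 6)} for d = 2; with d = 0 every a, b, c transition is selected, matching the hierarchy of solutions discussed in Section 3.3.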
3. SYNTHESIS OF UPPER-BOUNDED DELAY COMMUNICATION PROTOCOLS
We are interested in directly synthesizing [0, d]-bounded communication protocols. In doing so, we will adapt some of the techniques and definitions introduced for the synthesis of synchronous communication protocols (Ricker (2008)) and for testing the robustness of a synchronous communication protocol (Sadid et al. (2012)).

The one significant difference between the synthesis of a synchronous communication protocol and one with anticipated delay is that each controller has a potentially different perspective of the system behaviour in light of the incoming messages from other controllers, as well as the uncertainty in the timing of the reception of these messages. To that end, we must differentiate between a sent message and a received message. We introduce communication events for all i ∈ I, where we prepend ! to an event σ ∈ Σ_{o,i} to denote the sending of a message with contents σ from controller i, while a prefix of ? denotes the reception of a message with contents σ by controller i. These events are considered private and observable only to controller i. Note that only certain occurrences of σ will be “decorated” in this way, namely, those transitions in T_i^! and T_i^? and those observationally equivalent to the transitions therein. Thus we also define Σ_i^! := {!σ | ∃(q, σ, q′) ∈ T_i^!}, where Σ^! = ⋃_{i∈I} Σ_i^!, and Σ_i^? := {?σ | ∃(q, σ, q′) ∈ ⋃_{j∈I} T_{j,i}^!}, where Σ^? = ⋃_{i∈I} Σ_i^?.

The reception of delayed messages scrambles the partial view of system behaviour of controller i. We use two transducers, variations of those introduced in Sadid et al. (2012), to transform L when we have a communication protocol where messages are delayed with a bound of [0, d]. The first step involves updating M_L: given a set of potential communication transitions T_i^! (sent messages)

Algorithm 1 Augment M_L for controller i with potential communication transitions and message receptions.
1: procedure BuildM_i^{!?}(M_L, i, T_i^!, T_i^?)
2:   M_i^{!?} ← M_L
3:   Σ_i^! = Σ_i^? ← ∅
4:   for (q, σ, q′) ∈ T_i^! do
5:     Σ_i^! ← Σ_i^! ∪ {!σ}
6:     T ← T ∪ {(q, !σ, q′)}; T ← T ∖ {(q, σ, q′)}
7:   end for
8:   for j ∈ I ∖ {i} do
9:     for (q, σ, q′) ∈ T_i^? do
10:      if σ ∉ Σ_{o,i} then
11:        Σ_i^? ← Σ_i^? ∪ {?σ}
12:        T ← T ∪ {(q, ?σ, q′)}; T ← T ∖ {(q, σ, q′)}
13:      end if
14:    end for
15:  end for
16:  return M_i^{!?} = (Q, Σ ∪ Σ_i^! ∪ Σ_i^?, {ε}, T, q_0)
17: end procedure

3.1 Rewriting L for [0, d]-delay communication: L_i(≤ d)
To determine if a [0, d]-delay communication protocol is effective, it must be the case that, despite the delayed arrival of messages, there exists a controller that can definitively prevent the system from performing behaviour outside of the specification. The languages we will construct are denoted by L_i(≤ d) and its corresponding specification K_i(≤ d), for all i ∈ I. Further, the rewriting of a sequence s ∈ L into L_i(≤ d) is denoted by s(≤ d). We present the strategy for transforming L and K into L_i(≤ d) and K_i(≤ d), languages that incorporate when messages are sent by controller i and all possibilities for the reception of delayed messages.

We define a transducer that generates L_i(≤ d), for a given upper bound d:
M_i(≤ d) = M_i^{!?} ∘ T_0(d) ∘ T(≤ d) ∘ T(≤ d − 1) ∘ … ∘ T(≤ 1).

The purpose of transducer T_0(d), shown in Fig. 2(a), is twofold: (i) to expand the sending of a message to the subsequence of the observation of the event and the sending of the message about the occurrence of that event; and (ii) to expand the reception of a message into the occurrence of the event and a temporary indication of the number of times the reception of the message must be propagated. It also accounts for the case in which a potential communication is not taken, and leaves all non-communication events unaffected.

The second part of the construction of M_i(≤ d) uses the non-deterministic transducer T(≤ n), shown in Fig. 2(b), to perform the propagation of the delay of the received messages. Note that we interpret ?(0)σ to be a message sent with zero delay and it reduces to σ. A portion of M_1(≤ 2) for our ongoing example is shown in Fig. 3.
We will extend the natural projection to include received messages for each controller: π_i^? : Σ* → (Σ_{o,i} ∪ Σ_i^?)*.
Σ^! ⊆ Σ_o, and a bounded delay of [0, d], construct a feasible communication protocol Π^! = ⟨π_1^!, …, π_i^!, …, π_n^!⟩ (for i ∈ I) such that K is [0, d]-communication observable wrt L, π_i^? (for i ∈ I), and Σ_c.
[Fig. 2 (rendered figure, not reproduced). (a) T_0(d): a transducer with state 0 whose transition labels (input/output) are ∀σ ∈ Σ: σ/σ; ∀!σ ∈ Σ^!: !σ/σ!σ; ∀!σ ∈ Σ^!: !σ.α/α; ∀?σ ∈ Σ^?: ?σ/σ?(d)σ; ∀?σ ∈ Σ^?: ?σ.α/σ.α. (b) T(≤ n): a transducer with state 0 whose transition labels are ∀σ ∈ Σ: σ/σ; ∀!σ ∈ Σ^!: !σ/!σ; ∀?σ ∈ Σ^?: ?(n)σ.α/α.?(n − 1)σ; ∀?σ ∈ Σ^?: ?(n)σ.α/?σ.α.]
Fig. 2. Transducers for calculating L_i(≤ d).

3.2 Synthesizing a [0, d]-delay communication protocol
Although we are not explicitly using timed DES, we follow the strategy introduced in Sadid et al. (2012) whereby we use τ as a modelling device to simply note the passage of a clock without any explicit timing information. Effectively, we are modelling “logical” time. We consider τ to be an unobservable event. To that end, the components of our synchronized composition, for purposes of synthesizing a communication protocol, must be augmented with τ events. To M_L, we add τ after the number of events that can be performed during a single clock cycle and denote this by M_L(τ), whereas for each copy M_i(≤ d), we add self-loops of τ at every state.
[Fig. 3 (rendered figure, not reproduced): a fragment of M_1(≤ 2) whose states are labelled 0, 1!, 3!, 5!, 7!, 9!, 11!, 13!, 7!A, 9!A, 7!B, 9!B, 7!C, 9!C together with primed copies of states 3, 5, 7, 9, 11, 13, and whose transitions carry the events a, b, c, e, f, g, σ, the sent messages !a, !b, !c and the received messages ?e, ?f.]
Fig. 3. Small portion of M_1(≤ 2) for M_L in Fig. 1.

We define the structure on which we will synthesize communication protocols:
U(≤ d, τ) = M_L(τ) ×_S M_1(≤ d) ×_S … ×_S M_n(≤ d) = (Y, A ∪ {τ}, T_S, y_0, B_∧),
where Y is the finite set of states; A is the alphabet, defined below; T_S is the transition relation; y_0 is the initial state; and B_∧ is a set of illegal configurations, also defined below, that encode violations of communication observability. The alphabet A is a set of vector labels (Arnold (1994)). We define four types of labels: (i) the occurrence and observation of an event in Σ_o; (ii) events that are not officially observed, i.e., events in Σ ∖ Σ_{o,i} (where Σ_{o,0} = Σ_o); (iii) messages sent by controller i, which are observed only by i; and (iv) messages received by controller i, which are observed only by i:
(i) (∀σ ∈ Σo ) ` = ⟨π(σ), π1 (σ), . . . , πn (σ)⟩;
We can now define the condition under which we can synthesize communicating decentralized controllers that operate under conditions of upper-bounded delay for intercontroller message transmission. Definition 5. We say that K is [0, d]-communication observable w.r.t. L, Σo,i ∪ Σ?i and Σc,i , (i ∈ I) iff
(ii) (∀i ∈ I0 )(∀σ ∈ Σ ∖ Σo,i ) ` = ⟨ε, . . . , ε, `(i) = σ, ε, . . . , ε⟩; (iii) (∀i ∈ I)(∀!σ ∈ Σ!i ) ` = ⟨ε, . . . , ε, `(i) =!σ, ε, . . . , ε⟩; (iv) (∀i ∈ I)(∀?σ ∈ Σ?i ) ` = ⟨ε, . . . , ε, `(i) =?σ, ε, . . . , ε⟩. We assume w.l.o.g. that we can identify whether or not relevant transitions in ML (τ ) and Mi (≤ d) correspond to transitions in TBad or TGood . We will use γ ∶ (Ti )i∈I0 → (TBad ∪TGood ), where T0 is the transition relation for M (τ ) and Ti , for i ∈ I, is the transition relation for Mi (≤ d).
(∀s ∈ K)(∀σ ∈ Σc )sσ ∈ L ∖ K ⇒ (∃i ∈ Ic (σ))[s(≤ d)]?i σ ∩ Ki (≤ d) = ∅. Note that it is not necessary that the same controller has the ability to make the correct control decision throughout the different values of the delay; we just require the existence of at least one controller that can make the correct control decision for each value in the range of 0 to d.
We define illegal configurations as follows:
B_∧ = {(y_1, ℓ, y_2) ∈ T_S | γ((y_1(0), ℓ(0), y_2(0))) ∈ T_Bad and (∀i ∈ I_c(ℓ(0))) γ((y_1(i), ℓ(i), y_2(i))) ∈ T_Good}.
Our goal, as it is whenever we use a structure based on synchronized composition, is to remove certain transitions so that illegal configurations are unreachable.
The decentralized control problem with upper-bounded delayed communication that we consider is formally stated as follows. Problem 1. Given regular languages K, L defined over a common alphabet Σ (where K ⊆ L ⊆ Σ∗ is controllable wrt L, Σuc , observable wrt L, π, Σc and not co-observable wrt L, πi , Σc,i ), controllable events Σc,1 , . . . , Σc,n ⊆ Σ, observable events Σo,1 , . . . , Σo,n ⊆ Σ, a finite set of messages
The difference with synthesizing a delay-sensitive communication protocol, as opposed to one with zero delay, is that we require the system to contain some memory of whether or not the “guess” that an unobservable event has occurred (i.e., a label ℓ = ⟨ε, …, ε, ℓ(i) = σ, ε, …, ε⟩ such that ℓ(i) ∈ Σ_o ∖ Σ_{o,i}) is ever confirmed by a communication.
the system has generated a sequence after which σ must be enabled. Since our fusion rule for local decision making is ∧ in this class of problems, the resulting global decision will incorrectly instruct the system to enable σ. By backtracking from an illegal configuration to a state where taking a communication transition will steer the system away from this scenario, we can conclude that a pruned structure U(≤ d, τ) with no illegal configurations will satisfy [0, d]-communication observability. The full proof mirrors those in Ricker (2008) and Sadid et al. (2012).
When the system reaches an illegal configuration, it is because all of the controllers involved in the control decision at the illegal configuration have made incorrect guesses about events occurring in the uncontrolled system. So we first want to propagate this local information throughout M_i(≤ d). We will use a simple binary variable confirmed to determine whether or not a guess has been confirmed by a communication. When (q, σ, q′), where σ ∈ Σ_o ∖ Σ_{o,i}, occurs, the value of confirmed(σ) at state q is propagated to state q′. If instead σ ∈ Σ_i^?, then confirmed(σ) is true at state q′.
3.3 Example 1 concluded
The basic idea is that we want to prune paths leading to an illegal configuration if the “guess” of a controller about an event it cannot observe has not been confirmed with a communication that arrives before the illegal configuration is reached. Then if a controller reaches an illegal configuration without such a confirmation, we determine that the guess was incorrect and we want to see if there are other states reachable from this guess, not along the path to the illegal configuration, where the guess is confirmed. If this is not the case, then we choose a new guess to examine. If we do find a reachable state where the guess is confirmed, then we prune all transitions from the guess to the illegal configuration. This process is described in the first part of Algorithm 2.
Continuing with our example, we are assuming τ = 1 and d = 2. We build U(≤ 2, 1) to establish violations of communication observability. Our protocol must provide a solution whether the messages arrive with a delay of 0, 1 or 2. Space constraints affect the ability to illustrate effectively the output of Algorithm 2, namely the pruned U(≤ 2, 1), that yields solutions; however, we will attempt to explain our strategy via a few select cases. An illegal configuration arises in this example when the system generates efagbc but both controllers believe that the system has actually generated aefbcg. One possible scenario is the following sequence of labels: ⟨ε, ε, a⟩, ⟨e, ε, e⟩, ⟨f, ε, f⟩, ⟨ε, ε, b⟩, ⟨a, a, ε⟩, ⟨ε, ε, c⟩, ⟨ε, e, ε⟩, ⟨g, ε, g⟩, ⟨ε, f, ε⟩, ⟨b, b, ε⟩, ⟨c, c, ε⟩, ⟨ε, g, ε⟩. An illegal configuration results with the occurrence of ⟨σ, σ, σ⟩ as the next transition. No communication has occurred along this particular path, so all values for confirmed(Σ) are false at all associated local states. One way to begin is to simply backtrack from the illegal configuration and find the first “unconfirmed guess”, which happens to be g for controller 1. There are no reachable states from this point where g is communicated (note that this is largely due to the fact that this guess occurs within 2τ events of the illegal configuration). So we mark this transition as visited and continue with the next closest guess, which would be f, also for controller 1. The algorithm proceeds until we find a guess that satisfies line 14, which allows us to make the illegal configuration unreachable from state yk+1 , and we require further testing at line 20 to determine if this has rendered the illegal configuration completely unreachable.
One final step is to make all communication labels feasible. After ensuring that all illegal configurations are unreachable, we must examine all labels that correspond to the sending of a message for controller i at state y, choose these labels and choose them also at all other states indistinguishable from y according to controller i.
Definition 6. Two states y = (y(0), …, y(n)), y′ = (y′(0), …, y′(n)) ∈ Y are indistinguishable to controller i, denoted y ≈_i y′, where ≈_i is the least equivalence relation such that
i. y --⟨ℓ(0), …, ℓ(i) = ε, …, ℓ(n)⟩--> y′ ⇒ y(i) ≈_i y′(i);
ii. y --⟨ε, …, ε, ℓ(i) ≠ ε, ε, …, ε⟩--> y′ ⇒ y(i) ≈_i y′(i);
iii. if y ≈_i y′ and (y, ℓ, y′′), (y′, ℓ, y′′′) ∈ T_S ⇒ y′′ ≈_i y′′′.
The communication protocol can be derived by the transitions labelled with ? and ! that survive the pruning in Algorithm 2.
Note that there are a variety of possible communication protocols that solve parts of the problem; there is a type of hierarchy that defines solutions. For instance, when d = 0, then two possible communication protocols involve controller 2 communicating every occurrence of e to controller 1 or controller 1 communicating every occurrence of a to controller 2. But these same protocols fail if d = 1. For [0, 1], a protocol of controller 1 communicating every occurrence of b to controller 2 will work; however, this same protocol fails when the delay is upper-bounded by 2. One communication protocol that does work for d ∈ [0, 2] is when controller 1 communicates occurrences of a and b to controller 2. That is, T_{1,2}^! = {(0, a, 1), (4, a, 6), (5, b, 7), (8, b, 10)} and T_{2,1}^! = ∅.
We further assume that the observation of an event and the sending of a message regarding its occurrence occurs without delay, i.e., within the same clock cycle in which the event occurs. Because Algorithm 2 returns a structure that contains no illegal configurations, we know that the communication protocol embedded within will provide a control solution for a delay ranging anywhere between [0, d]. Further, we have the following theorem: Theorem 1. B∧ = ∅ iff K is [0, d]-communication observable. Proof Sketch: Recall that B∧ encodes violations of communication observability: each element in the set represents an evolution of the system where the next controllable event σ must be disabled according to the specification, but all controllers responsible for its control believe that
The computational complexity of the approach is largely dominated by the construction of the structure that requires synchronized composition. This operation can be performed in O(|Q|^{n+1} |Σ|^{n+1}), where Q and Σ simply represent the state set and the alphabet, respectively, for the underlying automaton involved in the composition.

Algorithm 2 Calculating a k-delay communication protocol for k ∈ [0, d]
1: procedure FindComProtocol(U(≤ d, τ)) ▷ Assume states are decorated with values for confirmed(Σ)
2: ▷ trim returns the reachable part of U wrt a given set of states
3: ▷ reachable returns the set of states forward reachable from a given state
4: for (y_b, ℓ, y) ∈ B_∧ do
5:   U(y_b) ← Trim(U, {y_b})
6:   P ← {p = (y_0, w, y_b) ∈ T_{U(y_b)} | p is acyclic}
7:   correctedGuess ← false
8:   while ¬correctedGuess do
9:     Choose p = (y_0, w, y_b) ∈ P
10:    Mark all transitions along this path unvisited ▷ Let w = ℓ_0 … ℓ_{|w|}
11:    Choose unvisited (y_k, ℓ_k, y_{k+1}) ∈ p s.t. (∃i ∈ I) ℓ_k = ⟨ε, …, ε, ℓ_k(i) ∈ Σ_o ∖ Σ_{o,i}, ε, …, ε⟩
12:    if ¬confirmed(ℓ_k(i)) at state y_{k+1}(i) then
13:      if reachable(y_{k+1}) contains a state where confirmed(ℓ_k(i)) then
14:        Remove all transitions along p from y_{k+1} to y_b
15:      else
16:        Mark (y_k, ℓ_k, y_{k+1}) visited
17:      end if
18:    end if
19:    if y_b ∉ reachable(y_0) then
20:      B_∧ ← B_∧ ∖ {(y_b, ℓ, y)}
21:      correctedGuess ← true
22:    end if
23:  end while
24: end for
25: ▷ Identify when messages are sent by matching up received messages with corresponding sent messages
26: for (y_1, ℓ, y_2) s.t. (∃i ∈ I) ℓ(i) ∈ Σ_i^? do
27:   Perform backwards reachability from y_1 to find (y_1′, ℓ′, y_2′) s.t. (∃j ∈ I) ℓ′(j) ∈ Σ_{j,i}^!
28:   Remove non-communication transitions at y_1′
29:   Choose ℓ′ at all states indistinguishable from y_1′ according to j
30: end for
31: ▷ Pruned structure has no reachable illegal configurations and communications are feasible
32: return U(≤ d, τ)
33: end procedure
REFERENCES
Arnold, A. (1994). Finite transition systems. Prentice-Hall.
Barrett, G. and Lafortune, S. (2000). Decentralized supervisory control with communicating controllers. IEEE Trans. Autom. Control, 45(9), 1620–1638.
Chakib, H. and Khoumsi, A. (2011). Multi-decision supervisory control: Parallel decentralized architectures cooperating for controlling discrete event systems. IEEE Trans. Autom. Control, 56(11), 2608–2622.
Hiraishi, K. (2009). On solvability of a decentralized supervisory control problem with communication. IEEE Trans. Autom. Control, 54(3), 468–480.
Kopetz, H. and Bauer, G. (2003). The time triggered architecture. Proc. IEEE, 91(1), 112–126.
Nomura, M. and Takai, S. (2012). Decentralized supervisory control of timed discrete event systems. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Science, E-95A(5), 952–960.
Ramadge, P.J. and Wonham, W.M. (1987). Supervisory control of a class of discrete event processes. SIAM J. Control Optim., 25(1), 206–230.
Ricker, S.L. (2008). Asymptotic minimal communication for decentralized discrete-event control. In Proceedings of the 9th International Workshop on Discrete Event Systems, 486–491. Goteburg, Sweden.
Rozenberg, G. and Salomaa, A. (eds.) (1997). Handbook of Formal Languages Volume 1: Word, Language, Grammar. Springer-Verlag, New York.
Rudie, K., Lafortune, S., and Lin, F. (2003). Minimal communication in a distributed discrete-event system. IEEE Trans. Autom. Control, 48(6), 957–975.
Rudie, K. and Wonham, W.M. (1992). Think globally, act locally: Decentralized supervisory control. IEEE Trans. Autom. Control, 37(11), 1692–1708.
Sadid, W.H., Ricker, S.L., and Hashtrudi-Zad, S. (2012). Robust synchronous communication with bounded delay for decentralized discrete-event control. In Proceedings of the 11th International Workshop on Discrete Event Systems.
Tripakis, S. (2004). Decentralized control of discrete event systems with bounded or unbounded delay communication. IEEE Trans. Autom. Control, 49(9), 1489–1501.
Wong, K.C. and van Schuppen, J.H. (1996). Decentralized supervisory control of discrete-event systems with communication. In Proc. Int. Workshop on Discrete Event Systems, 284–289.
Yoo, T.S. and Lafortune, S. (2004). Decentralized supervisory control with conditional decisions: supervisor existence. IEEE Trans. Autom. Control, 49(11), 1886–1904.