
METHODS FOR THE SUPERVISORY CONTROL OF CONCURRENT

SYSTEMS BASED ON PETRI NET ABSTRACTIONS

A Dissertation

Submitted to the Graduate School

of the University of Notre Dame

in Partial Fulfillment of the Requirements

for the Degree of

Doctor of Philosophy

by

Marian Valentin Iordache, B.S.E.E., M.S.E.E.

Panos J. Antsaklis, Director

Graduate Program in Electrical Engineering

Notre Dame, Indiana

December 2003

METHODS FOR THE SUPERVISORY CONTROL OF CONCURRENT SYSTEMS BASED ON PETRI NET ABSTRACTIONS

Abstract

by

Marian Valentin Iordache

This dissertation proposes new methodologies for the supervisory control of concurrent systems. The focus of this work is on discrete-event concurrent systems. However, the extension of the discrete-event methods to concurrent systems with continuous dynamics is also approached. Petri nets are a convenient discrete-event representation of concurrent systems, and are used here for the modeling of concurrent systems.

Several discrete-event supervisory control problems are approached here. First, the enforcement of specifications described as linear inequalities in terms of three Petri net parameters is considered. Then, the decentralized supervisory control problem is considered for specifications described by linear marking inequalities. The decentralized supervision problem is approached in three settings: no communication, unrestricted communication, and restricted communication. Finally, procedures for deadlock prevention and liveness enforcement are presented. Additionally, new results relating deadlock and liveness to the structure of a Petri net are also presented. The main feature of the supervision methods proposed in this dissertation is that they rely on the structure of the Petri net. This structural approach has computational benefits and allows the supervisor design to be independent of the initial state of the system. The methods are given in a general supervision setting, which makes no assumptions on the structure of the Petri nets and allows partial controllability and partial observability to be present.

This dissertation addresses also the supervisory control problem in the more general framework of hybrid systems, that is, systems involving both discrete-event and continuous dynamics. A two-level approach is proposed. The lower level design is concerned with the development of controllers for the continuous part of the hybrid systems. The higher level design is concerned with the design of a supervisor coordinating the operation of the lower level controllers, according to given discrete-event specifications. At the higher level the controlled hybrid systems are abstracted as Petri nets. Petri net methodologies can then be applied to design the appropriate supervisor. The discrete-event setting here is extended to model some of the hard constraints arising in the supervision of hybrid systems. Extensions of discrete-event methods to this setting are also approached. Finally, the controller design at the lower level is considered in a discrete-time setting. The controller design produces both a controller and a Petri net abstraction for the higher level.

This dissertation aims to contribute to the automated design of controllers for complex systems. This work is believed to be relevant for applications in a variety of areas, including automated manufacturing, robotics, computer networks, and traffic control.

“To God belong wisdom and power; counsel and understanding are his.”

Job 12:13 [NIV translation]

CONTENTS

TABLES...... viii

FIGURES...... ix

SYMBOLS...... xiii

ACKNOWLEDGMENTS...... xv

CHAPTER 1: INTRODUCTION ...... 1
1.1 Contribution and Background ...... 1
1.2 Outline of the Dissertation ...... 5

CHAPTER 2: AN INTRODUCTION TO PETRI NETS ...... 9

CHAPTER 3: THE SUPERVISION OF PETRI NETS ...... 14
3.1 Introduction ...... 14
3.2 Preliminaries ...... 18
3.3 Notation and Definitions ...... 20
3.4 Related Work ...... 21
3.5 Background: Supervision Based on Place Invariants ...... 28
3.5.1 Fully Controllable and Observable Petri Nets ...... 29
3.5.2 Petri Nets with Uncontrollable and Unobservable Transitions ...... 30
3.6 Admissible and Feasible Sets of Constraints ...... 32
3.7 Enforcing Generalized Linear Constraints ...... 35
3.7.1 On the Significance of the Constraints ...... 35
3.7.2 Supervisor Design in the Fully Controllable and Observable Case ...... 39
3.7.3 Admissibility ...... 41
3.7.4 Supervisor Design in the Partially Controllable and Observable Case ...... 45
3.7.5 Example ...... 57
3.7.6 An Optimal Structural Approach ...... 60

CHAPTER 4: DECENTRALIZED SUPERVISION OF PETRI NETS ...... 74
4.1 Introduction ...... 74
4.2 Related Work ...... 78
4.3 Preliminaries ...... 85
4.4 The Model ...... 87
4.5 Decentralized Admissibility ...... 88
4.5.1 Definition and Application ...... 88
4.5.2 Significance of D-Admissibility ...... 96
4.6 Design with Distribution of Central Supervisory Policies ...... 101
4.7 Design with Constraint Transformations ...... 107
4.7.1 Supervision without Communication ...... 107
4.7.2 Supervision with Communication ...... 110
4.7.3 Liveness Constraints ...... 111
4.8 Example ...... 112

CHAPTER 5: GENERALIZED CONDITIONS FOR DEADLOCK PREVENTION AND LIVENESS ENFORCEMENT IN PETRI NETS ...... 117
5.1 Introduction ...... 117
5.2 Preliminaries ...... 120
5.3 Results ...... 123
5.3.1 Conditions for Deadlock Prevention and Liveness Enforcement ...... 123
5.3.2 Deadlock and (T-)Liveness Characterization Based on Active Subnets ...... 133
5.4 Implications and Discussion ...... 144
5.4.1 Deadlock Prevention ...... 144
5.4.2 Least Restrictive Deadlock Prevention ...... 147
5.4.3 T-liveness Enforcement ...... 149
5.5 Algorithms ...... 150
5.5.1 The Computation of Active Subnets ...... 150
5.5.2 Transformation of Petri Nets to PT-ordinary Petri Nets ...... 152
5.5.3 Transformation of Petri Nets to EAC Nets ...... 153

CHAPTER 6: DEADLOCK PREVENTION AND T-LIVENESS ENFORCEMENT IN PETRI NETS – PART I ...... 158
6.1 Introduction ...... 158
6.2 Related Work ...... 162
6.3 Problem Statement ...... 166
6.3.1 Deadlock Prevention ...... 166
6.3.2 T-liveness Enforcement ...... 167
6.4 Motivation ...... 168
6.4.1 The Role of Linear Marking Inequalities ...... 169
6.4.2 The Role of Iterations ...... 170
6.4.3 The Need for Net Transformations ...... 172
6.5 Procedure Definition ...... 173
6.5.1 Definition ...... 173
6.5.2 Siphons Not Needing Control ...... 178
6.5.3 Generating the Sets of Inequalities (L, b) and (L0, b0) ...... 179
6.5.4 Petri Net Transformations ...... 180
6.5.5 The Effect of Net Transformation on Marking Constraints ...... 183
6.5.6 The Computation of a T-minimal Active Subnet ...... 185
6.6 Examples ...... 186
6.7 Properties ...... 191
6.7.1 Preliminaries ...... 191
6.7.2 Proof of Correctness ...... 194
6.7.3 Permissiveness Properties ...... 197
6.8 Extending the Permissiveness of the Procedure ...... 202

CHAPTER 7: DEADLOCK PREVENTION AND T-LIVENESS ENFORCEMENT IN PETRI NETS – PART II ...... 205
7.1 Introduction ...... 205
7.2 Problem Statement ...... 205
7.2.1 Deadlock Prevention ...... 206
7.2.2 T-liveness Enforcement ...... 207
7.3 Motivation ...... 208
7.3.1 Partially Controllable and Observable Petri Nets ...... 208
7.3.2 Constraint Transformations and Deadlock ...... 209
7.3.3 The Set T′ ...... 211
7.3.4 The Use of Initial Constraints ...... 212
7.4 Procedure Definition ...... 213
7.4.1 Description ...... 213
7.4.2 Definition ...... 215
7.4.3 Transforming Constraints to Admissible Constraints ...... 220
7.4.4 The Computation of the Active Subnet ...... 224
7.5 Examples ...... 225
7.6 Properties ...... 230
7.6.1 Preliminaries ...... 231
7.6.2 Proof of Correctness ...... 231
7.6.3 Permissiveness ...... 232
7.7 Extending Permissiveness ...... 238
7.8 Convergence Issues ...... 242
7.8.1 Termination Issues ...... 242
7.8.2 Computational Complexity ...... 246
7.9 Applications ...... 248
7.9.1 Deadlock Prevention in a Manufacturing System ...... 248
7.9.2 Minimization of the Number of Resources ...... 251
7.9.3 Resource Preallocation ...... 254

CHAPTER 8: DES LEVEL CONTROL OF CONCURRENT HYBRID SYSTEMS ...... 256
8.1 Introduction ...... 256
8.2 Related Work ...... 260
8.3 Modeling ...... 261
8.3.1 The DES Representation of Hybrid Systems ...... 262
8.3.2 Coupling Among Hybrid Systems ...... 263
8.3.3 Transition Types ...... 264
8.3.4 Modeling Nondeterminism ...... 266
8.3.5 Self-Loops ...... 267
8.3.6 Synchronization ...... 267
8.3.7 Modeling Example ...... 268
8.3.8 Supervision Example ...... 270
8.4 DES Level Supervision ...... 271
8.4.1 Case 1: All Places Have Controllable or FNI Self-Loops ...... 274
8.4.2 Case 2: Not All Places Have Controllable or FNI Self-Loops ...... 275
8.4.3 Decentralized Control ...... 278
8.4.4 Dealing with NFNI Transitions ...... 279

CHAPTER 9: HYBRID SYSTEM LEVEL CONTROL ...... 282
9.1 Introduction ...... 282
9.2 Related Work ...... 284
9.3 The Hybrid Automaton Model ...... 287
9.4 Extracting the DES Abstraction ...... 290
9.5 Computation of the Controllable Invariant Sets ...... 298
9.5.1 The Controlled Invariance Context ...... 298
9.5.2 The Idea of the Approach ...... 299
9.5.3 The Computation ...... 300
9.6 Computation of the Predecessor ...... 306

CHAPTER 10: CONCLUSIONS ...... 309

BIBLIOGRAPHY...... 315

INDEX...... 330

TABLES

7.1 SUMMARY OF OPERATIONS IN EXAMPLE 7.6 ...... 228
7.2 COMPLEXITY OF THE PROCEDURE STEPS ...... 246

8.1 TRANSITION TYPES ...... 264
8.2 MODELING SUMMARY ...... 281

FIGURES

2.1 Petri net examples ...... 10

3.1 Illustration for the constraints (3.2) ...... 17
3.2 Defining the controllability and observability of transitions ...... 20
3.3 (a) Petri net; (b) closed-loop ...... 31
3.4 Illustration for inadmissible but feasible constraints ...... 34
3.5 Implementation of an admissible set of constraints ...... 34
3.6 Petri nets for Example 3.2 ...... 36
3.7 A control place that is not in a place invariant ...... 38
3.8 The coverability graph may hide admissibility relevant information ...... 42
3.9 Illustration of the C-transformation ...... 46
3.10 Example for the H-transformation ...... 49
3.11 Illustration of the transition split operation ...... 50
3.12 Plant Petri net in the example ...... 57
3.13 Closed-loop Petri net ...... 58

4.1 Robotic manufacturing system ...... 87
4.2 A Petri net model of the robotic manufacturing system ...... 88
4.3 Centralized control versus decentralized control ...... 90
4.4 Decentralized control with communication ...... 105
4.5 Decentralized control example ...... 107
4.6 A manufacturing system ...... 113
4.7 Petri net model of the system ...... 114
4.8 Decentralized supervision ...... 115

5.1 A Petri net which is live for the initial marking µ0 shown in (a) and not even deadlock-free for the initial marking µ ≥ µ0 shown in (b) ...... 123
5.2 Examples for Theorems 5.10 and 5.11 ...... 131
5.3 Two Petri nets, (a) and (c), and their active subnets, (b) and (d), respectively ...... 134
5.4 Examples of T-minimal active subnets ...... 139
5.5 (a) A Petri net which is not an EAC net; (b) an EAC net ...... 143
5.6 Deadlock illustrations ...... 145
5.7 Deadlock prevention examples ...... 147
5.8 Examples for T-liveness enforcement ...... 149
5.9 Illustration of the transition split: (a) initial configuration; (b) the effect of the PT-transformation; (c) initial configuration; (d) the effect of the EAC-transformation ...... 154
5.10 Example for the step 5(c) of the EAC-transformation ...... 156

6.1 Motivating the linear marking inequalities ...... 168
6.2 Siphon control may cause new siphons that need control ...... 170
6.3 More motivating examples ...... 171
6.4 Siphon control may change an ordinary net to a nonordinary net. Here, C controls the siphon {p1, p2, p3} ...... 173
6.5 The illustration of Examples 6.4 and 6.6: (a) N0; (b) N1; (c) N1^A, the same as N2^A and N3^A; (d) N1 and the added control place; (e) N2 and added control place; (f) N3; (g) N0 supervised for T-liveness ...... 182
6.6 The Petri nets in the Example 6.8: (a) N0; (b) N1; (c) N2 ...... 186
6.7 Petri nets in Example 6.10: (a) N0; (b) N1; (c) N2 ...... 189
6.8 Petri nets in Example 6.10: (a) N3; (b) N4 ...... 190
6.9 The target Petri nets in Example 6.8 (left) and Example 6.10 (right) with their liveness enforcing supervisors ...... 191
6.10 (a) A Petri net with two {t1}-minimal active subnets; (b) Resulting supervisor after selecting one of the two active subnets ...... 203

7.1 Partially controllable and observable Petri nets ...... 208
7.2 Constraint transformations may lead to deadlock ...... 209
7.3 Using initial constraints ...... 212
7.4 Example of the proposed constraint transformations ...... 223
7.5 The Petri nets of the Example 7.4: (a) N0; (b) the final Petri net supervised for liveness ...... 226
7.6 The Petri nets of the Example 7.5: (a) N0; (b) the final Petri net supervised for liveness; (c) N2; (d) N1 with the control places added in the first iteration after the procedure is restarted ...... 227
7.7 The Petri nets of the Example 7.6: (a) N0; (b) N1; (c) N2; (d) the final Petri net supervised for liveness ...... 229
7.8 A Petri net for which the dp-procedure does not terminate unless appropriate initial constraints are given ...... 244
7.9 A Petri net for which the least restrictive liveness enforcing supervisor cannot be expressed by linear marking inequalities ...... 245
7.10 In the worst case, the number of minimal siphons has an exponential dependence on the size of the Petri net ...... 248
7.11 The manufacturing system of Example 7.16 ...... 249
7.12 Petri nets in Example 7.16: (a) Target Petri net, (b) the Petri net after five iterations, and (c) the supervised Petri net ...... 250
7.13 Target Petri net (left) and supervised Petri net (right) in Example 7.17 ...... 252
7.14 The manufacturing system of Example 7.18 ...... 255

8.1 Concurrent system ...... 257
8.2 The Control Architecture ...... 257
8.3 Illustrations for two supervisory problems ...... 259
8.4 Examples of Petri net DES models ...... 262
8.5 Illustration of the transition types ...... 265
8.6 Modeling nondeterminism ...... 266
8.7 Self-loop examples ...... 267
8.8 Modeling synchronization ...... 268
8.9 Modeling of (a) cylinder dynamics in a four-stroke engine; (b) clutch and four-cylinder engine ...... 269
8.10 Petri net abstraction of three subsystems ...... 270
8.11 Illustration of a difficulty arising in the supervision of abstractions ...... 271
8.12 Illustration of the transformation ...... 277
8.13 Decentralized Control Architecture ...... 279

9.1 Illustration of a desirable situation in the controlled behavior of a hybrid system. (a) A hybrid system mode with input set I and output sets O1, O2 and O3 corresponding to the thick lines, controlled invariant set J and Pre(O1), Pre(O2), Pre(O3) and Pre(J) represented through the shaded areas. (b) Equivalent DES abstraction of the mode, where the self-loop corresponds to J and the other transitions to the transitions exiting O1, O2 and O3 ...... 291
9.2 Illustration of another desirable situation in the controlled behavior of a hybrid system. (a) A hybrid system mode with input set I and output sets O1, O2 and O3 corresponding to the thick lines, controllable invariant set J and Pre(O1), Pre(O2), Pre(O3) and Pre(J) represented through the shaded areas. (b) Equivalent DES abstraction of the mode, where the self-loop corresponds to J and the other transitions to the transitions exiting O1, O2 and O3 ...... 292
9.3 Illustration of the situation in which no adequate controllable or controlled invariant set exists. (a) A hybrid system mode with input set I and output sets O1, O2 and O3 corresponding to the thick lines, and Pre(O1), Pre(O2), and Pre(O3) represented through the shaded areas. (b) Equivalent DES abstraction of the mode. Note that the abstraction has no self-loop ...... 293
9.4 Illustration of the abstraction procedure ...... 297
9.5 Illustration of the (inclusion) relation among the sets Jδ, J, and J ...... 305

SYMBOLS

N the set of nonnegative integers

N∗ the set of positive integers

Z the set of integers

R the set of real numbers

≥ x ≥ y, where x, y ∈ R^n, if x(i) ≥ y(i) for i = 1...n

A ≥ B, where A, B ∈ R^{m×n}, if A(i, j) ≥ B(i, j) for i = 1...m, j = 1...n

\ set minus: A \ B = {x : x ∈ A, x ∉ B}

⊂ A ⊂ B if A is a proper subset of the set B.

⊆ A ⊆ B if A is a proper subset of the set B or if A = B.

A^T the transpose of the matrix A

⌊x⌋ the largest integer less than or equal to the real number x.

⌈x⌉ the smallest integer greater than or equal to the real number x.

‖x‖ the support of a place invariant x or of a transition invariant x

|x| the absolute value of the real number x.

|A| [|A(i, j)|]_{i,j} for a matrix A.

|X| the number of elements of the set X.

2^X the set of all subsets of the set X.

•p the set of transitions entering the place p

•t the set of places that are input to the transition t

p• the set of transitions departing from the place p

t• the set of places that are output to the transition t

D usually the incidence matrix of a Petri net: D = D+ − D−.

D+ the input matrix (taken with respect to incoming transition arcs).

D− the output matrix (taken with respect to outgoing transition arcs).

F usually the set of transition arcs of a Petri net

µ a marking

µi µ(pi)

µ(A) Σ_{p∈A} µ(p), where A is a set of places

µ[t> the marking µ enables the transition t

µ[t>µ′ µ enables the transition t and µ′ is reached by firing t

µ →t µ′ µ enables the transition t and µ′ is reached by firing t

µ[σ>µ′ µ enables the firing sequence σ and µ′ is reached by firing σ

µ →σ µ′ µ enables the firing sequence σ and µ′ is reached by firing σ

µ|N the marking µ restricted to the places of the net N

µ|S the marking µ restricted to the places in the set S

N a Petri net structure.

(N, µ0) a Petri net with initial marking µ0.

pi the place whose marking is on row i of the marking vector

P usually the set of places of a Petri net

q usually a firing vector

R(N, µ0) the set of reachable markings in the Petri net (N, µ0)

σ usually a firing sequence

ti the transition that corresponds to column i of the incidence matrix

T usually the set of transitions of a Petri net

W usually the weight function

Ξ a supervisor

ACKNOWLEDGMENTS

It has been so good doing my PhD work at Notre Dame. I am so thankful for the time I have spent here.

My advisor, Dr. Panos J. Antsaklis, has guided me all the way. I am very grateful for his guidance and support. Dr. Antsaklis helped me so much to grow as a researcher. Under his direction I have learned to do research work and write publishable papers.

I have started my research work at Notre Dame with a study on the deadlock and liveness problem on Petri nets, based on an idea of Dr. John O. Moody. I would like to thank Dr. John O. Moody for his comments and suggestions.

I desire to thank also the readers of my dissertation, Dr. Peter H. Bauer, Dr. Michael D. Lemmon and Dr. Michael K. Sain.

I would like to acknowledge here also the sources of my financial support: the Graduate School and the Center for Applied Mathematics at the University of Notre Dame, the National Science Foundation (ECS95-31485, ECS99-12458 and CCR01-13131), the Army Research Office (DAAG55-98-1-0199), the DARPA/ITO-NEST Program (AF-F30602-01-2-0526) and the Lockheed Martin Corporation.

My parents Dan and Viorica Iordache have always been supportive. I thank them and also my sister, Cristina.

I have been supported in prayer by so many people. I am grateful to all. Prayer in the name of Jesus is powerful and effective. I am thankful also for meeting Jim and Ruth Banner through the family friendship program.

During my time here at Notre Dame I came to know Jesus as my Lord and Savior. I am thankful for Dale Archer, the pastor of my church, City Chapel, an Evangelical-Free Church in South Bend, Indiana. I appreciate so much the entire body of the church. Jesus has blessed my work with focus, purpose, increased diligence and discipline, and ...ideas. “Wisdom and power are his. He reveals deep and hidden things; he knows what lies in darkness” (Daniel 2:20,22). “I will praise you forever for what you have done; in your name I will hope, for your name is good” (Psalm 52:9).

CHAPTER 1

INTRODUCTION

1.1 Contribution and Background

Technological advances in our world have increasingly required new techniques for the synthesis and verification of complex systems. Typically, real-world systems involve both continuous and discrete/logical signals. At the same time, a system typically carries out several activities in parallel. This work addresses the supervisory control of concurrent systems, that is, systems which include subsystems operating in parallel (i.e., at the same time). The supervisory control problem consists of designing a supervisor which coordinates the activities of the subsystems such that the overall system satisfies given specifications. This work could be relevant for applications within fields such as automated manufacturing, robotics, communication networks, traffic control systems, and others.

The goal of this work is to provide systematic ways to generate supervisors which coordinate the operation of the subsystems of concurrent systems, so that given specifications are satisfied. For systems which can be readily represented in a logical form as discrete event systems (DES), new methodologies are proposed for the synthesis of supervisors. For more general systems involving both continuous and discrete/logical dynamics, a two-level design approach is proposed. Design at the higher level involves logical specifications and is carried out using DES methodologies. Design at the lower level involves hybrid systems methodologies, as this level considers both the continuous and the discrete dynamics of each subsystem.

The goal of the lower level design is to obtain controllers for each of the subsystems and to abstract the controlled subsystem to a logical model to be used at the higher level design. The goal of the higher level design is to generate a supervisor which, by selecting appropriate inputs for the subsystem controllers, ensures that the requirements on the (global) system are satisfied.

In this work, Petri nets are used to represent the DES. Compared to finite automata, which are extensively used in the DES framework, Petri nets offer a compact representation of DES, as they do not represent explicitly the state space of the system. Further, Petri nets model concurrency, as they allow more than one event to occur at the same time. This work contributes to the theory of Petri nets and to the supervisory control of Petri nets as follows:

- New results related to Petri net liveness have been developed. Liveness is the quality of a system that from any system state any system action (event) can eventually occur again.

- New methodologies for the design of liveness enforcing supervisors are developed. A liveness enforcing supervisor restricts the operation of a system to ensure liveness.

- An efficient method for the design of supervisors enforcing a class of safety constraints has been extended to a larger class of specifications and to a decentralized supervision setting.

This work also addresses hybrid systems, and in particular concurrent hybrid systems. Hybrid systems are systems that involve both continuous and DES dynamics. The contribution of this work to the theory of hybrid systems is as follows:

- A new design framework is provided, in which the supervisor design for concurrent hybrid systems is decomposed into a DES (Petri net) supervisor design problem and a hybrid system controller design problem.

- New results helpful to the design of controllers for hybrid systems are provided. Computational methods are also provided for linear discrete-time dynamics.

Discrete event systems (DES) are systems with dynamics driven by event occurrences. In the context of Control Systems, the control of DES was first studied by Ramadge and Wonham [142]. In this framework, supervisors are designed to ensure that a desired specification is satisfied. The specification is given as a language that the controlled DES should achieve. Then, based on the observation of the occurrence of observable events, the supervisor is to disable the controllable events that would eventually lead to strings not in the specification language. The DES in [142], as well as in much of the literature, are represented as automata.

In this dissertation, the DES are represented as Petri nets. Petri nets originate from the work of C.A. Petri [133, 134, 135], who formulated a general theory for discrete parallel systems. Among the many varieties of Petri nets in the literature, this dissertation considers the Petri nets as defined in the survey paper of Murata [128]. This type of Petri net is also known as Place/Transition (P/T) nets, as in the textbook by Reisig [143]. Unlike automata, Petri nets can represent events occurring at the same time. The supervisory control of Petri nets has also been studied, and a survey can be found in [57]. In the context of the supervision of Petri nets, two classes of specifications have been considered: forbidden state specifications [45, 58, 106, 107, 124, 176, 190] and language specifications [28, 106].

Among the supervision techniques for the enforcement of forbidden state specifications, the supervision based on place invariants (SBPI) is a very efficient technique [45, 124, 125, 190]. This technique can enforce specifications consisting of linear constraints on the state (marking) of the Petri net. SBPI has a central role in this dissertation, as many of the DES methods that are proposed here either use or generalize the SBPI.

A concurrent system may have deadlock states. Deadlock may arise when the subsystems of the concurrent system are interdependent. A deadlock is a state from which the system (or a part of the system) has no feasible sequence of operations to continue its execution. Therefore, the system (or the part of the system that is involved) halts when it reaches a deadlock state. Liveness is the quality of a system that has no deadlocks. A survey of deadlock prevention results on Petri net models can be found in [57]. Deadlock prevention was first studied in the context of computer operating systems. A survey of the early results can be found in [31]. Deadlock prevention has also been studied in the context of resource allocation in flexible manufacturing systems. In this context, numerous papers have used Petri net modeling, such as [12, 13, 42, 60, 130]. A general feature of these papers is that they use restricted classes of Petri net models. Further, they assume the system is fully controllable and observable. An exception is [131], which assumes partial controllability. A liveness enforcement approach for more general Petri net models appears in [54]. This dissertation considers liveness enforcement without any assumptions on the Petri net structure. Partial controllability and observability are also allowed. Unlike most previous results, the supervisor design approach presented here is independent of the initial state. These benefits come at the cost of a design procedure that does not have guaranteed termination.

Hybrid systems are systems with both continuous and discrete-event dynamics. In the emerging area of Hybrid Systems, significant research effort has been carried out, beginning with the 1990s: [50, 6, 2, 7, 5]. Hybrid Systems surveys include [9, 10], and tutorials include [8, 151, 104]. The major hybrid systems approaches can be found in [4]. The hybrid automata [1] represent the most popular class of hybrid system models. They extend the DES automata by adding continuous dynamics. Petri nets have also been extended to the Hybrid Systems framework, such as in [52, 92]. Other references on hybrid Petri nets can be found in the survey paper [10] and the special issue [56] with the references therein. Note that hybrid Petri nets are not used in this dissertation. Rather, the supervisor design problem for concurrent hybrid systems is approached by decomposing it into hybrid system controller design and Petri net supervisor design.

1.2 Outline of the Dissertation

Chapter 2: This chapter presents a brief introduction to Petri nets.

Chapter 3: This chapter extends the supervision based on place invariants (SBPI) [124, 125, 190] to an extended class of linear constraints, involving the marking of the Petri net, the firing vector, and the Parikh vector. It is shown that this extended class of constraints can describe any control place connected to a Petri net. Then a reduction technique is proposed for the supervisor design. This technique reduces the supervisor design problem to the design of supervisors enforcing linear marking constraints, for which efficient methods are available [124, 125]. Part of the material of this chapter has been published in [68, 80] and appears in the technical report [69]. A brief overview of the SBPI is also included in this chapter.

Chapter 4: The SBPI is extended here to a decentralized setting, in which decentralized supervisors are to achieve a global specification on the state of the system. A decentralized admissibility concept is introduced. It is shown that decentralized admissible specifications can be enforced as easily as the centralized admissible specifications of the SBPI. Specifications that are not decentralized admissible can become admissible by enabling communication between supervisors. An algorithm is provided for the design of decentralized supervisors with communication. Finally, an integer linear programming approach is proposed in order to deal with the cases in which the communication is restricted or unavailable, and the specification is decentralized inadmissible. The material of this chapter appears in [70, 72, 71] and the technical report [66]. An extensive review of the work on the decentralized control of DES is also included in this chapter.

Chapter 5: This chapter contributes to the theory of Petri nets with new results on liveness, liveness of a subset of transitions, and deadlock in Petri nets. Liveness is seen as a particular case of T-liveness, which means that all transitions in a set T are live. The first results of this chapter characterize the relation between supervisors enforcing liveness or T-liveness and supervisors preventing deadlock. Then a class of Petri net subnets is introduced. This class of subnets is used to extend two well known results in the Petri net literature. Specifically, the result relating deadlock to siphons is generalized to a powerful necessary condition for deadlock and to a sufficient condition for deadlock. Further, Commoner’s Theorem is also extended. The final part of the chapter shows how these new results can be used for deadlock prevention, least restrictive total-deadlock prevention, and least restrictive T-liveness enforcement. The material of this chapter appears also in [65] and the technical reports [74, 75].

Chapter 6: This chapter presents a procedure that can be used for deadlock prevention or T-liveness enforcement. T-liveness means that the transitions in the given set T are live. T-liveness enforcement corresponds to full liveness enforcement when T equals the total set of transitions. Rather than assuming a given initial marking, this procedure generates at every iteration a convex set of admissible initial markings. In the case of full liveness enforcement and under certain conditions also in the case of T-liveness enforcement, the convex set of each iteration includes the set of markings for which liveness/T-liveness can be enforced. The T-liveness enforcing version of the procedure has the following property. If the procedure terminates, the final convex set contains only markings for which T-liveness can be enforced. Then, the supervisor keeping the Petri net marking in this convex set can be easily designed using the place invariant based approach. The deadlock prevention version of the procedure is typically not guaranteed to produce a T-liveness enforcing supervisor. However, it has the benefit of faster convergence. This chapter focuses on the fully controllable and observable Petri nets. The next chapter considers the partially controllable and observable case. The material of this chapter has appeared in [77, 64, 78, 79] and the technical reports [74, 75]. Earlier versions of this work have appeared in [76], the thesis [63], and the technical report [73].

Chapter 7: The procedure introduced in the previous chapter is extended here in several directions. First, the procedure is extended to deal with partial controllability and observability. Further, the procedure accepts additional constraints on the Petri net state. Such constraints can be used to help the procedure converge. Finally, the procedure is also extended to handle the case when the set of transitions T cannot be made live. In this case, the T-liveness version of the procedure guarantees liveness only for a subset T' of T. The material of this chapter has appeared in [77, 78, 79] and the technical reports [74, 75].

Chapter 8: This chapter extends the DES framework toward the description of concurrency in Hybrid Systems. Specifically, several implicit assumptions of the DES modeling are removed. Thus, it is no longer assumed that a supervisor is allowed to keep the system at will, for arbitrarily long times, in a certain state. Rather, a supervisor should be designed such that it enables at least one transition moving the system out of such an "unstable" state when the state is reached. Transition uncontrollability is also further refined, to distinguish between inability to force a firing, inability to disable a firing, or both. Then, several supervisory control problems are formulated in this framework. These problems can be solved using methods of the traditional DES framework. The material of this chapter is more recent, and is not yet published at this time.

Chapter 9: This chapter presents hybrid system methods that can be used in the process of abstracting concurrent hybrid systems to the DES setting of Chapter 8. The focus is on hybrid systems with discrete-time dynamics. In particular, an efficient method for the computation of a class of controlled invariant sets is proposed. The material of this chapter is more recent, and is not yet published at this time.

CHAPTER 2

AN INTRODUCTION TO PETRI NETS

Petri nets are a suitable description of concurrent DES. They are able to rep- resent such systems without an explicit enumeration of the system states. State machines or automata can be viewed as a particular class of Petri nets. Finite state machines are an appropriate description for sequential systems. However, their usage for concurrent systems is limited due to the state explosion problem. This problem appears since a finite state machine explicitly enumerates all possible states a system may reach.

Petri nets have been extensively studied in the literature. Survey papers and books include [35, 128] and [132, 143]. Petri net models have been used in various contexts, including distributed algorithms [144, 145], program specification [118, 24], communication protocols [32, 166, 19], manufacturing [40, 39, 138, 194], digital circuits [188, 187], and robotics [119].

A Petri net structure is a quadruple N = (P, T, F, W) where P is the set of places, T the set of transitions, F ⊆ (P × T) ∪ (T × P) is the set of transition arcs and W : F → N \ {0} is a weight function. A marking µ of the Petri net structure is a map µ : P → N. A Petri net structure N with initial marking µ0 is called a Petri net, and will be denoted by (N, µ0). For simplicity, we may sometimes simply refer to a Petri net structure as a Petri net. Note that this definition of Petri nets follows the survey paper by Murata [128], and corresponds to the definition of P/T nets in the book of Reisig [143]. Sometimes it is convenient to represent Petri nets in terms of input and output matrices D+ and D−, as N = (P, T, D−, D+). This representation is equivalent to N = (P, T, F, W) and will be discussed later.

Figure 2.1. Petri net examples. [Four panels (a), (b), (c) and (d); the drawings are not reproduced in this text.]

It is useful to consider a marking both as a map and as a vector. The marking vector is defined as [µ(p1), µ(p2), ..., µ(pn)]^T, where p1, p2, ..., pn are the places of the net enumerated in a chosen (but fixed) order and µ is the current marking. The same symbol µ will denote a marking vector. The marking vector of a Petri net may be regarded as the state variable of the Petri net. An equivalent way of saying that place p has the marking µ(p) is that p has µ(p) tokens. For convenience, sometimes µi will be used as a shorthand for µ(pi). Figure 2.1 illustrates the graphical representation of Petri nets.

Places are represented by circles, transitions by thick lines and transition arcs by arrows. A token is represented by a small dark filled circle. An arc weight is indicated near the arc when it is greater than one. The marking vector in Figure 2.1(c) is [0, 1, 1]^T. For instance, in Figure 2.1(c) W(p3, t1) = 2 and W(t2, p2) = 4.

The preset of a place p is the set of incoming transitions to p: •p = {t ∈ T : (t, p) ∈ F}. The postset of a place p is the set of outgoing transitions from p: p• = {t ∈ T : (p, t) ∈ F}. p is a source place if •p = ∅ and a sink place if p• = ∅. Similar definitions apply for transitions. They are also extended to sets of places or transitions; for instance, if A ⊆ P, •A = ∪_{p∈A} •p and A• = ∪_{p∈A} p•.

The marking µ enables the transition t if ∀p ∈ •t: µ(p) ≥ W(p, t). When µ enables t and t fires, the marking is changed. Let µ' be the next reached marking; we formally express this by µ →^t µ'. The marking µ' satisfies:

$$
\mu'(p) = \begin{cases}
\mu(p) & \text{if } p \notin {}^\bullet t \cup t^\bullet \\
\mu(p) + W(t, p) & \text{if } p \in t^\bullet \setminus {}^\bullet t \\
\mu(p) - W(p, t) & \text{if } p \in {}^\bullet t \setminus t^\bullet \\
\mu(p) - W(p, t) + W(t, p) & \text{if } p \in {}^\bullet t \cap t^\bullet
\end{cases}
$$

For instance, firing t1 in Figure 2.1(a) produces the marking shown in Figure 2.1(b).

The marking µ' is reachable from µ if there is a sequence of markings µ1, ..., µk with µk = µ', and a sequence of transitions σ = t_{i1}, ..., t_{ik}, such that µ →^{t_{i1}} µ1 →^{t_{i2}} ... →^{t_{ik}} µ'. This is also written as µ →^σ µ'. The set of reachable markings of a Petri net (N, µ) (i.e. the set of markings reachable from the initial marking µ) will be denoted by R(N, µ).

In a Petri net N = (P, T, F, W) with m places and n transitions, the incidence matrix is an m × n matrix defined by D = D+ − D−, where the elements d+_ij and d−_ij of D+ and D− are

$$
d^+_{ij} = \begin{cases} W(t_j, p_i) & \text{if } (t_j, p_i) \in F \\ 0 & \text{otherwise,} \end{cases}
\qquad
d^-_{ij} = \begin{cases} W(p_i, t_j) & \text{if } (p_i, t_j) \in F \\ 0 & \text{otherwise.} \end{cases}
$$

The matrices D+ and D− are called the input matrix and the output matrix, respectively. They provide an alternative representation of a Petri net structure as N = (P, T, D−, D+). It is convenient to view D+ and D− also as functions D− : P × T → N and D+ : P × T → N. The relation to the N = (P, T, F, W) representation is as follows: (p, t) ∈ F ⇔ D−(p, t) ≠ 0 and (t, p) ∈ F ⇔ D+(p, t) ≠ 0; also, (p, t) ∈ F ⇒ D−(p, t) = W(p, t) and (t, p) ∈ F ⇒ D+(p, t) = W(t, p).

The incidence matrix allows an algebraic description of the marking change of a Petri net:

µk = µk−1 + D qk (2.1)

where qk is called the firing vector; its elements are all zero except qk,i = 1, where i corresponds to the transition ti that fired. Note that when multiple transitions are allowed to fire at the same time, qk is an integer vector in which, for all i, qk,i indicates how many times the transition ti fires at the instant k. Further, qk is enabled (may be fired) when

µk−1 ≥ D− qk (2.2)

We will also denote by firing vector or Parikh vector or firing count vector a vector v associated with a sequence of transitions that have fired, whose entries record how many times each transition appears in the sequence. If v is the Parikh vector of the transition sequence that led the Petri net from the marking vector µ0 to µk:

µk = µ0 + Dv (2.3)

A vector x is called a place invariant if x^T D = 0. A vector x is called a transition invariant if Dx = 0. The support of a transition invariant x is ||x|| = {tj ∈ T : x(j) ≠ 0}.

A Petri net (N, µ0) is said to be deadlock-free if for any reachable marking µ there is an enabled transition. (N, µ) is in deadlock if no transition is enabled at marking µ. For instance the Petri net of Figure 2.1(c) is in deadlock, but the Petri net of Figure 2.1(d) is deadlock-free.

Let (N, µ0) be a Petri net. A transition t is said to be live if ∀µ ∈ R(N, µ0) ∃µ' ∈ R(N, µ) such that t is enabled by µ'. A transition t is dead at marking µ if no marking µ' ∈ R(N, µ) enables t. (N, µ0) is said to be live if every transition is live. For instance, in Figure 2.1(d) t2 and t4 are live, while t1 and t3 are dead.

A nonempty set of places S ⊆ P is called a siphon if •S ⊆ S• and a trap if S• ⊆ •S. In particular, S = P may be a siphon. An empty siphon with respect to a Petri net marking µ is a siphon S such that Σ_{p∈S} µ(p) = 0. The attribute "empty" refers to the fact that S has no tokens. A siphon has the property that if for some marking it is empty, it will be so for all subsequent reachable markings. A trap has the property that if at some marking it has one token, then for all subsequent reachable markings it will have at least one token. In Figure 2.1(a), {p1, p3} and {p2, p4} are traps. S is a minimal siphon if there is no other siphon S' (by definition, S' ≠ ∅) such that S' ⊂ S. {p1, p3} in Figure 2.1(d) is a minimal siphon. Given a Petri net with an initial marking, we say that a siphon is controlled if for all reachable markings it contains at least one token; given a Petri net structure and a set of initial markings we also say that a siphon is controlled if the siphon is controlled for each of the initial markings. A siphon which is not controlled is said to be uncontrolled.

CHAPTER 3

THE SUPERVISION OF PETRI NETS

3.1 Introduction

In this chapter we consider a supervisory control problem for discrete event systems (DES) modeled as Petri nets, in which we desire to enforce a certain type of specification. Thus we have a plant which is abstracted as a Petri net, and a specification on the behavior of the Petri net plant. We desire to find a supervisor such that the closed-loop of the plant and the supervisor satisfies the specification.

A feature of this chapter is that the main results will be derived in a concurrency setting, allowing multiple transition firings at the same time. In practice, this could correspond to the situation in which the supervisor is not as fast as the plant.

Thus, when the supervisor issues control decisions allowing multiple firings, the plant is not slowed down to fire transitions at the same pace the supervisor issues the control decisions. In this chapter we restrict our attention to supervisors which can be represented as Petri nets, and to specifications in the form of conjunctions of inequalities involving the marking, the firing vector and the Parikh vector of the plant Petri net. The specification is described next.

Efficient methods have been proposed in [45, 125, 124, 190] for the synthesis of supervisors enforcing that the marking µ of a Petri net satisfies constraints

Lµ ≤ b (3.1)

where L ∈ Z^{nc×m}, b ∈ Z^{nc}, Z is the set of integers, m is the number of places, and nc the number of constraints. The methods address both fully controllable and observable Petri nets and Petri nets which may have uncontrollable and unobservable transitions. Constraints of the form (3.1) can describe (generalized) mutual exclusion, deadlock prevention constraints, and others [124]. The constraints

(3.1) have been extended in [124, 190] to the form below

Lµ + Hq ≤ b (3.2)

which adds a firing vector term, where H ∈ N^{nc×n}, N is the set of nonnegative integers and n is the number of transitions. (Without loss of generality, H has been assumed to have nonnegative elements.) In such constraints, an element qi of the firing vector q is set to 1 if the transition ti is to be fired next from µ; else qi = 0. Alternatively, if multiple firings are allowed at the same time, the elements qi of q represent how many times the transition ti is fired at the next firing instance. The constraint is interpreted as follows. A supervisor enforcing (3.2) ensures that: (i) all markings µ must satisfy (3.1); (ii) if µ →^{ti} µ', ti is allowed to fire only if Lµ + Hq ≤ b and Lµ' ≤ b. The more general description of the supervisor allowing for concurrency is as follows: (i) all markings µ must satisfy (3.1); (ii) q is allowed to fire only if (3.2) is satisfied at all intermediary states reached while firing q, that is, for all q', q'' ≥ 0 such that q' + q'' ≤ q, we have Lµ' + Hq'' ≤ b, where µ →^{q'} µ'. (Note that (i) is implied by (ii) for q' = q'' = 0.) The form (3.2) describes constraints on the enabling of transitions (as opposed to constraints on the state, naturally described by (3.1)). Several applications can be found in [124, 46]. For instance, in Figure 3.1, the constraint that a railway track should only contain trains going in the same direction can be expressed by mq3 + µ1 ≤ m and mq2 + µ2 ≤ m, where m is the maximum number of trains on the track and µ1 (µ2) is the number of trains on the track that come from the left (right).

In this chapter we consider constraints which add to (3.2) a Parikh vector term:

Lµ + Hq + Cv ≤ b (3.3)

where C ∈ Z^{nc×n}. In (3.3) v is the Parikh vector, that is, vi counts how many times the transition ti has fired. A supervisor enforcing (3.3) ensures that: (i) all states (µ, v) satisfy Lµ + Cv ≤ b; (ii) if µ →^{ti} µ' and v' = v + q, then Lµ + Hq + Cv ≤ b and Lµ' + Cv' ≤ b. The concurrency interpretation of (3.3) is similar to that of

(3.2). The Parikh vector term can be viewed as a marking term in a Petri net extended with sink places attached to the transitions. Regardless of the viewpoint, whether we look at the constraints as involving Parikh vector terms or marking terms involving additional sink places, it is apparent that such constraints need to be considered, as they effectively increase the expressive power of the constraints (3.2). In fact, we will show that (3.3) can represent any supervisor implemented as additional places (control places) connected to the transitions of a plant Petri net. This means that the operation of any Petri net can be entirely described by constraints (3.3), with a one-to-one correspondence between each place and each inequality of (3.3). We also show that (3.3) is as expressive as the constraints of the form

Hq + Cv ≤ b (3.4)

While the marking term in (3.3) does not make (3.3) more expressive, in practice it may be more intuitive to write constraints that involve also the marking. This is one reason we consider constraints of the form (3.3) instead of just (3.4). Finally, note that Parikh vector terms can be used to describe fairness requirements, such as the constraint that the difference between the number of firings of two transitions is limited by one.
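The Python code below is an added example (mine, not the dissertation's) of the concurrency interpretation of (3.3): a requested firing vector q is accepted from the state (µ, v) only if, for every split q' + q'' ≤ q, the inequality holds with µ' = µ + Dq' and the Parikh vector advanced to v' = v + q'. That the Parikh vector advances by q' at the intermediary states is my reading of "similar to that of (3.2)" and is an assumption of this example. The railway net is constructed to match the shape of the Figure 3.1 constraints (m q3 + µ1 ≤ m and, with my own transition numbering, m q1 + µ2 ≤ m); a third row adds the fairness constraint v1 − v3 ≤ 1 of the kind mentioned above.

```python
"""Supervisor check for L mu + H q + C v <= b, constraints (3.3), with concurrent
firings (added example)."""
from itertools import product


def matvec(M, x):
    return [sum(a * xi for a, xi in zip(row, x)) for row in M]


def vadd(x, y):
    return [a + b for a, b in zip(x, y)]


def sub_vectors(q):
    """All integer vectors q' with 0 <= q' <= q componentwise."""
    return product(*(range(qi + 1) for qi in q))


def allowed(L, H, C, b, D, mu, v, q):
    """q may fire from (mu, v) iff L mu' + H q'' + C v' <= b for every split
    q' + q'' <= q, where mu' = mu + D q' and v' = v + q' (assumption: the Parikh
    vector is advanced by the part q' already fired) describe the intermediary
    state with q'' still pending. q' = q'' = 0 gives the state condition L mu + C v <= b."""
    for qp in sub_vectors(q):
        mup, vp = vadd(mu, matvec(D, qp)), vadd(v, qp)
        rest = [qi - qpi for qi, qpi in zip(q, qp)]
        for qpp in sub_vectors(rest):
            lhs = vadd(vadd(matvec(L, mup), matvec(H, qpp)), matvec(C, vp))
            if any(l > bi for l, bi in zip(lhs, b)):
                return False
    return True


def supervised_run(L, H, C, b, D, mu0, requests):
    """Submit firing vectors in turn; a rejected request leaves (mu, v) unchanged.
    Returns the decisions and the final state."""
    mu, v, decisions = list(mu0), [0] * len(D[0]), []
    for q in requests:
        ok = allowed(L, H, C, b, D, mu, v, q)
        decisions.append(ok)
        if ok:
            mu, v = vadd(mu, matvec(D, q)), vadd(v, q)
    return decisions, mu, v


# Constructed railway net: p1 = trains from the left on the track, p2 = trains from
# the right. t1/t2: a left train enters/leaves; t3/t4: a right train enters/leaves.
D = [[1, -1, 0, 0],
     [0, 0, 1, -1]]
M = 2  # maximum number of trains on the track
# Row 1: M q3 + mu1 <= M  (no right train may enter while left trains are on the track)
# Row 2: M q1 + mu2 <= M  (and vice versa)
# Row 3: v1 - v3 <= 1     (fairness: left entries may lead right entries by at most one)
L = [[1, 0], [0, 1], [0, 0]]
H = [[0, 0, M, 0], [M, 0, 0, 0], [0, 0, 0, 0]]
C = [[0, 0, 0, 0], [0, 0, 0, 0], [1, 0, -1, 0]]
b = [M, M, 1]
MU0 = [0, 0]
E1, E2, E3 = (1, 0, 0, 0), (0, 1, 0, 0), (0, 0, 1, 0)


def railway_demo():
    """Sequential requests: left enters; right enters (blocked by row 1); left enters
    again (blocked by the fairness row); left leaves; right enters."""
    return supervised_run(L, H, C, b, D, MU0, [E1, E3, E1, E2, E3])


def concurrent_entry_blocked():
    """From the empty track each entry alone is fine, but t1 and t3 together are
    rejected: the split q' = e1, q'' = e3 has mu1' = 1 and M q3'' = M."""
    return (allowed(L, H, C, b, D, MU0, [0] * 4, E1),
            allowed(L, H, C, b, D, MU0, [0] * 4, E3),
            allowed(L, H, C, b, D, MU0, [0] * 4, (1, 0, 1, 0)))


if __name__ == "__main__":
    print(railway_demo())
    print(concurrent_entry_blocked())
```

The last check is the point of the intermediary-state rule: with q = e1 + e3 the split q' = q'' = 0 passes (the track is empty), but the split q' = e1, q'' = e3 does not, so the simultaneous entry is refused even though the single-step rule (ii) would accept either train alone. The enumeration of splits is exhaustive and exponential in the entries of q; it is fine for unit and small firing vectors, which is where the concurrency question arises.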

Figure 3.1. Illustration for the constraints (3.2). [The drawing, with places p1, p2 and transitions t1 to t4, is not reproduced in this text.]

The contribution of this chapter is as follows. In section 3.7.1 we show that any place of a Petri net can be seen as a supervisor place enforcing a constraint of the form (3.4). Previously this property was known for constraints of the form Cv ≤ b and Petri nets without self-loops [107]. Then we show how to obtain supervisors enforcing constraints (3.3) in Petri nets. We first give the solution for the case of fully controllable and observable Petri nets in section 3.7.2. Then, in section 3.7.4 we turn our attention to Petri nets which may have uncontrollable and unobservable transitions. There we first define admissible constraints as the constraints for which the method for fully controllable and observable Petri nets can still be used. Admissibility tests are provided. Then, by using net transformations, we reduce our problem to the supervisory synthesis problem for constraints of the form (3.1), for which effective methods exist. Our approach also extends the indirect method of [124] on enforcing constraints (3.2), as both coupled and uncoupled constraints can be considered. An example is included in section 3.7.5.

The chapter is organized as follows. A basic introduction to the supervisory control problem is included in section 3.2. The notation and definitions used in this chapter are provided in section 3.3 at page 20. Related work is discussed in section 3.4 at page 21. A brief overview of the supervision based on place invariants is given in section 3.5 at page 28. The concepts of admissibility and feasibility are introduced in section 3.6 at page 32. The supervisor design for the constraints (3.3) is presented in section 3.7 at page 35.

3.2 Preliminaries

A supervisor of a DES restricts the operation of the system such that a given specification is satisfied. The supervisor is different from a controller in the sense that a controller dictates the input applied to the system, while the supervisor only restricts the set of possibly applicable inputs. A performance criterion for supervisors is about how restrictive they are. According to this criterion, the optimal supervisor is the least restrictive (or maximally permissive) supervisor. The least restrictive supervisor forbids only the inputs which may unavoidably lead to the violation of the specification.

When the DES is a Petri net, a supervisor restricts the operation of the net by restricting the set of enabled transitions which may fire at a given state of the Petri net. Thus, a supervisor is a function mapping the values of a state variable of the net (such as the marking) into subsets of the set of transitions, where such a subset represents the transitions allowed by the supervisor to fire.

The supervision of Petri nets can be applied in the real-world as follows. Given a plant with discrete-event driven dynamics, a Petri net model is extracted. We call the extracted model plant Petri net. In the plant Petri net, the occurrence of an event in the physical plant is modeled by the firing of a transition. The (observable) transition firings of the plant are the information available to the supervisor. A transition firing may trigger a change in the state of the supervisor, while a change in the supervisor state can change the set of plant events disabled by the supervisor.

Physically, the event disablement can be done by restricting the range of the inputs of the plant. This chapter presents various techniques of supervisor design. As the supervisor is driven by events (transition firings), no state parameters of the plant Petri net (such as the marking) are directly available to the supervisor, with the exception of the initial marking. The initial marking is assumed to be known, as it represents the initial state of the plant. Nonetheless, the supervisor can have access to state parameters of the plant by using a Petri net observer. Note that the system consisting of the plant and the supervisor is called the closed-loop.

The design of a supervisor typically involves the following requirements:

1. if possible, the closed-loop should be representable as a Petri net.
2. if the exact implementation of the specification is impossible, transform the specification to a more restrictive form that is implementable.
3. if possible, find a least restrictive supervisor.

When the first requirement is satisfied, Petri net methods can be used for the analysis of the closed-loop. The second requirement matters in the case of systems with uncontrollable and/or unobservable transitions. With regard to the third requirement, note that a least restrictive supervisor may not exist when the system has unobservable transitions.

In a Petri net, a transition is uncontrollable if the supervisors are not given the ability to directly inhibit it. Otherwise, the transition is controllable. A transition is unobservable if the supervisors are not given the ability to directly detect its firing.

Otherwise, the transition is observable. The firing of uncontrollable (unobservable) transitions corresponds to the occurrence of uncontrollable (unobservable) events. In our paradigm the supervisors observe transition firings, not markings. For instance, consider the Petri net of Figure 3.2. First assume that t1 is controllable and t2 is uncontrollable. This means that t2 cannot be directly controlled. So, in case (a) t2 cannot be directly inhibited; it will eventually fire. However, in case (b) t2 can be indirectly prevented from firing by inhibiting t1. Now assume that t2 is unobservable and t3 is observable. This means that we cannot detect when t2 fires. In other words, the state of a supervisor is not changed by firing t2. However, we can indirectly detect that t2 has fired, by detecting the firing of t3.

Figure 3.2. Defining the controllability and observability of transitions. [Two panels (a) and (b), each with transitions t1, t2 and t3; the drawings are not reproduced in this text.]

3.3 Notation and Definitions

This section presents the notation and several important definitions used in this chapter. Given a Petri net N = (P, T, D−, D+), let Tuc and Tuo denote the sets of uncontrollable transitions and unobservable transitions, respectively. Let Po : N^{|T|} → N^{|T \ Tuo|} be the projection excluding from the Parikh vector v the entries corresponding to unobservable transitions. Let M denote a set of initial markings.

A supervisor can be defined as a map Ξ : M × T* → 2^T. Thus, given an initial marking µ0 and a firing sequence σ, the next transition t to be fired is required to satisfy t ∈ Ξ(µ0, σ). This definition of a supervisor can be naturally extended to the concurrency case, allowing for multiple concurrent firings. Of special interest in this chapter will be the supervisors that depend only on µ0 and v, that is, that can be defined as Ξ : M × N^{|T \ Tuo|} → 2^{T \ Tuc}. When Ξ supervises (N, µ0), a controllable transition t is enabled at the state (µ, v) (where µ = µ0 + Dv) if t ∈ Ξ(µ0, Po(v)) and µ0 ∈ M. For simplicity, we also call supervisor the Petri net implementation of a supervisor Ξ.

N is in closed-loop with a supervisor Ξ when Ξ supervises the operation of N. We denote by (N, µ0, Ξ) the Petri net (N, µ0) in closed-loop with Ξ, and by R(N, µ0, Ξ) the set of all reachable states (µ, v) of (N, µ0, Ξ). A supervisor Ξ enforces (3.3) on (N, µ0) if ∀(µ, v) ∈ R(N, µ0, Ξ): (3.3) is satisfied.

A control place is a place of the Petri net implementation of a supervisor. For instance, in Figure 3.3 at page 31, the places C1 and C2 are the control places of a supervisor enforcing 2µ1 + µ3 ≥ 1 and 2µ2 + µ3 ≥ 1.

3.4 Related Work

The supervisory control of discrete event systems (DES) was introduced by Ramadge and Wonham [142]. In the work of Ramadge and Wonham, automata are used to represent DES. In the context of DES represented as Petri nets, two types of specifications have been considered: language specifications and state specifications. The language specifications describe a language that the closed-loop should achieve, as in the Ramadge and Wonham work. On the other hand, state specifications are most often used to indicate a set of forbidden states (markings) of the plant that a supervisor should avoid. This chapter considers a class of specifications that extend the state specifications. Note that language specifications are more general than state specifications. However, note also that language specifications are most often considered in a no concurrency setting, in which only one event (transition firing) can occur at a time. In [106], in a no concurrency framework, it is shown that any language specification can be realized by a state specification when the plant is enhanced with a (possibly infinite) memory.

There are also two versions of partial controllability and partial observability in the Petri net literature. The first view of partial controllability is that the plant allows the supervisors to disable certain events (transitions), called controllable events (controllable transitions). This view appears for instance in [106, 107, 124, 125]. The second view is that the plant allows the supervisor to disable certain control sets. The control sets are given and are fixed. Disabling a control set means disabling all events (transitions) of the control set. This view appears in [97, 58, 98]. The first view is the special case of the second when the control sets are singletons.

The two views on partial observability arise from two different views on the operation of the supervisors. The first view is that a supervisor observes the occurrence of certain plant events (transitions), called observable events (observable transitions). This view follows [142] and appears for instance in [124, 125]. The second view is that a supervisor observes the state (marking) of the plant through an observation map. This view appears for instance in [47, 27, 106]. These two views are equivalent in the case of full observability, but otherwise the second is more general. Note that it is possible to construct a state observer based on event observation [47].

Three types of concurrency are considered in the literature on the supervision of Petri nets. The no concurrency assumption means that only one event (transition firing) may occur at a time. No concurrency is assumed for instance in [106, 107]. The strict concurrency assumption means that only distinct events (firings of distinct transitions) may occur at the same time. Strict concurrency is assumed for instance in [97, 58, 108]. The concurrency assumption is the most general, placing no restriction on the events that may occur at the same time or on their multiplicity. The three forms of concurrency have been considered in [164].

Various approaches have been proposed for the supervision of Petri nets. A survey can be found in [57]. Work in this field was done first by Ichikawa et al. [62, 61]. In [62], the specification is to reach a target state (target marking) from the initial state (initial marking), and then to stay there. The paper solves this problem for a class of ordinary Petri nets called structurally conflict-free Petri nets. The solution finds a set of control places that ensure this specification is achieved. [61] considers an extended class of Petri nets and an additional specification, requiring a certain firing sequence to be achieved. The solution is to find an appropriate initial marking or to control the firings of certain transitions. Partial controllability is not considered, in the sense that the design of the supervisor is not constrained by inability to control certain transitions. With regard to partial observability, note that for certain approaches or under certain firing assumptions (e.g. assuming that the firing time of an enabled transition is bounded) no observation is necessary. The presentation of the results has been done under an implicit assumption of strict concurrency. However, the results appear to be valid in the more general concurrency setting.

An approach for the enforcement of forbidden state specifications in Petri nets appears in [97, 58, 98]. This work assumes the supervisor can disable control sets and that the state is fully observable. Strict concurrency is assumed. The Petri net models are assumed to be bounded. Further, in [58, 98] the authors restrict the models to safe Petri nets in the class of marked graphs. The specification is given in the form of a set of forbidden states. [98] uses the algorithm of [141] for the computation of the maximal control invariant set. Then it is shown that the optimal supervisor may not be unique, due to concurrency. Finally, a method for the computation of all deterministic optimal supervisors is presented. Note that the maximally permissive supervisor is nondeterministic [57]. A nondeterministic supervisor selects "randomly" the control sets it disables from a set of admissible choices. This work is further developed in [58] for marked graphs. In [58] the construction of the reachability graph is avoided. Instead, predicates based on the structure of the marked graph are used to derive the maximally permissive control. This result is further extended in [98]. In [98], the forbidden state set is described by linear marking inequalities. Still another extension appears in [59], in which conditions on the forbidden state set are derived to ensure that liveness can be enforced. Under the conditions given in [59], liveness is enforced when the nondeterministic supervisor selects control sets for which at least one transition is closed-loop enabled. Extensions of the approach of [97, 58] to partial observability and decentralized control appear in [193] and [27], respectively.

In [106], the theory of [142] is extended to Petri nets, with emphasis on state specifications. The work of [106] is done under the no concurrency assumption. The extension to the strict concurrency framework appears in [108]. The Petri net models are assumed to be pure, that is, without self-loops. Each transition of the Petri net corresponds to a unique event. As in [142], the supervisor is allowed to disable events from a set of controllable events. However, partial observability refers to partial observation of the state (marking) of the Petri net. Note that the Petri nets are assumed to have a fixed initial marking. This observation is important because not all results can be directly applied to the case when the initial marking is viewed as a variable. Two kinds of problems are considered: static state-feedback control and dynamic state-feedback control. Static state-feedback control corresponds to specifications described by predicates in terms of the state (marking) of the system. For instance, enforcing (3.1) would be seen as static state-feedback control in [106]. On the other hand, dynamic state-feedback control corresponds to the enforcement of specifications that refer to the history of the event occurrences in the plant. As an example, enforcing Cv ≤ b would be seen as dynamic state-feedback in [106]. In the context of static state-feedback control, it is shown that a predicate can be exactly enforced if and only if it is controllable and observable, where the notions of controllability and observability are defined in the paper. (A supervisor exactly enforcing a predicate ensures that the reachable set equals the set of states satisfying the predicate.) The dynamic state-feedback control is reduced to the static case by extending the plant with a memory. The memory is basically a DES accepting the specification. Thus the memory is finite if its DES representation is finite. Note that [106] considers also the particular specifications Cv ≤ b. In this chapter, the memory extension of [106] for the enforcement of Cv ≤ b corresponds to the extension of the Petri net by the C-transformation.

Note that constraints Cv ≤ b have arisen prior to [106] in the context of the Synchrony Theory of Petri nets; see [44], pages 132–134. The Synchrony Theory [44, 49, 136] deals with the dependence between firing various transitions in a Petri net. In that context, the constraints Cv ≤ b result from specifications requiring upper bounds on synchronic distances.

In [108], the work of [106] is extended to the strict concurrency framework. How- ever, [108] does not address partial observability. The authors show first that the controllability and concurrent well-posedness of a state predicate is necessary and sufficient for the existence of a deterministic supervisor that exactly enforces the predicate. Controllability is defined the same way as under the no concurrency as- sumption, while concurrent well-posedness is a rather technical condition. Further, the authors show that controllability alone is necessary and sufficient for the exis- tence of a nondeterministic supervisor exactly enforcing a state predicate. Finally, the authors show how to construct the most permissive nondeterministic supervisor.

Of particular interest in this chapter are the approaches for the enforcement of constraints (3.1). The constraints (3.1) are powerful enough to describe various specifications [124]. In particular, in the case of safe Petri nets any state specification can be written in the form (3.1) [189, 45] and the derivation of (3.1) from a Boolean expression can be carried out rather easily [189, 190]. In the supervisory control literature, various researchers have considered the constraints (3.1). Historically, the first published papers on the topic are [189, 98, 45, 107]. In [189] a constrained optimal control problem is considered. The objective is to reach a final state from a given initial state. The constraints on the inputs (the controllable transitions) and the state (marking) are described by inequalities of the form (3.1) and (3.2). In [98] a particular form of constraints (3.1) has been used in order to simplify the specification of forbidden states. Later, the enforcement of the constraints (3.1) has been considered in [45]. Subsequently, computationally efficient methods for the enforcement of (3.1) in partially controllable Petri nets appeared in [107]. Apparently, the role of (3.1) in [106, 107] has been to provide an example of tractable computation of a supremal controllable subpredicate.

The reference [45] considers the enforcement of constraints (3.1) when all elements of L and b are nonnegative. Note that the results can easily be extended to the general case, in which L and b have integer elements [190, 124, 125]. The paper deals with the redundancy, equivalence and modeling power of the specifications (3.1), and the enforcement of (3.1) for fully controllable Petri nets. The paper shows also that in the case of partially controllable Petri nets the enforcement problem is more difficult, as the optimal solution requires solving a general forbidden state problem.

The reference [190] presents the construction of the supervisors of (3.1) and emphasizes the qualities of this solution. Thus the supervisor consists only of control places, such that the closed-loop system is still a Petri net. Further, the number of control places equals the number of inequalities in (3.1) and the design of the supervisor only involves matrix multiplications. It is also shown that for safe Petri nets any logic constraints on the state can be written as constraints (3.1). Moreover, a method to transform constraints (3.2) into constraints (3.1) is presented. The presentation of [190] focuses on the fully controllable and observable case, in the sense that all transitions that need to be controlled/observed are assumed to be controllable/observable. The extension of the results to the partially controllable and observable case appears in [124, 125].

The references [124, 125] propose the design of supervisors of (3.1) under partial controllability and partial observability. Partial controllability and observability here means that not all transitions are controllable and observable. The design methods rely on the notion of admissibility, which is introduced in these works. Admissible constraints can be enforced as in the fully controllable and observable case. For inadmissible constraints, [124, 125] propose transformations to constraints (3.1) that are at least as restrictive as the original constraints. This guarantees that the supervisor enforcing the transformed constraints causes the state to stay within the feasible set of the original constraints. Note that [124, 125] are among the few works that show how to enforce a specification on a Petri net under partial observability.

One of the main features of the work of [124, 125] is that the solutions are computationally efficient. The supervisor design involves integer linear programming in the worst case. However, the work of [16] may suggest that integer linear programming can always be avoided. Note that computational efficiency comes at the expense of suboptimality. (A solution is suboptimal if it is not least restrictive.) Finally, note that the approaches of [45, 190, 124, 125] are valid under any concurrency assumptions. A formal study of the effect of the various concurrency assumptions in this framework of supervision of Petri nets appears in [164].

As mentioned before, the approach of [124, 125] may not produce least restrictive (or optimal) solutions. Methods guaranteeing more permissive supervisor design solutions appear in [164] for constraints (3.1) with L and b in which all elements on a row have the same sign. Approaches for the optimal design of supervisors have also been proposed. They work under specific assumptions, which make the problem tractable. Thus, a computationally efficient solution appears in [107]. The success of the approach of [107] depends on the constraints to be enforced and the structure of the uncontrollable subnet of the Petri net. In [107], the Petri nets are fully observable, without self-loops, and ordinary. One of the observations of [107] is that the optimal supervisor may not be representable as a conjunction of inequalities (3.1). Such supervisors do not have a Petri net representation.

In [26] another method is proposed for the enforcement of constraints (3.1) with L and b consisting of nonnegative elements. The Petri nets are assumed to be partially controllable and without self-loops. The method relies on S-decreases of the uncontrollable subnet of the Petri net. An S-decrease is a vector x such that xD ≤ 0, where D is the incidence matrix. The approach is to replace each inequality of (3.1) by the disjunction of minimal S-decrease inequalities covering it. Sufficient conditions on the uncontrollable subnet that guarantee maximal permissiveness appear in [29, 25]. The work of [26] is clearly a solution for the assumed class of constraints. However, an extension to the general constraints (3.1) is not obvious. Nonetheless, this supervision approach can also account for partial observability, by assuming the unobservable transitions to be uncontrollable. This follows from the fact that the generated supervisors are not connected to any of the uncontrollable transitions. The paper is written in a concurrency framework.

This chapter extends the approach of [45, 190, 124, 125] to constraints (3.3). No assumptions are made about the structure of the Petri net or the form of the constraints (3.3). The Petri nets are partially controllable and observable, where this means that a supervisor can only disable controllable transitions and detect observable transitions.

3.5 Background: Supervision Based on Place Invariants

This section reviews briefly an effective approach used for the enforcement of linear marking constraints (3.1) called supervision based on place invariants. Literature references describing this approach include [45, 124, 125, 190]. The case when all transitions of the plant Petri net are controllable and observable is presented first. Then, the extension to Petri nets with uncontrollable and unobservable transitions is also presented.

3.5.1 Fully Controllable and Observable Petri Nets

The control problem considered here is to enforce a set of nc linear constraints

Lµ ≤ b (3.5)

In other words, we desire the supervisor to prevent the system reaching markings which do not satisfy (3.5). The notations are as follows: L is an integer nc × n matrix (nc - the number of constraints, n - the number of places of the given Petri net), b is an integer column vector and µ is the Petri net marking. Let µc be a vector of nc nonnegative slack variables, defined as:

µc = b − Lµ (3.6)

Let D be the incidence matrix and µc0 = b − Lµ0, where µ0 is the initial marking of the Petri net. Then it can be verified that the least restrictive supervisor is the Petri net of marking µc, initial marking µc0, and incidence matrix Dc = −LD. That is, the closed-loop Petri net (the supervisor plus the original Petri net) has the incidence matrix Dcl = [Dᵀ, Dcᵀ]ᵀ and the marking µcl = [µᵀ, µcᵀ]ᵀ. This result is summarized in the following theorem [124, 190]:

Theorem 3.1

Let a Petri net with incidence matrix D and initial marking µ0 be given. A set of nc linear constraints Lµ ≤ b are to be imposed. If Lµ0 − b ≤ 0 then a Petri net supervisor with incidence matrix Dc = −LD and initial marking µc0 = b − Lµ0 enforces the constraint Lµ ≤ b when included in the closed-loop system Dcl = [Dᵀ, Dcᵀ]ᵀ. Furthermore, the supervision is least restrictive.

As mentioned earlier in the chapter, the places of the supervisor Petri net are called control places. Note that each control place is in one of the place invariants described by (3.6).

3.5.2 Petri Nets with Uncontrollable and Unobservable Transitions

This section describes the extension of the approach of section 3.5.1 to Petri nets with uncontrollable and unobservable transitions. In section 3.5.1, the Petri net supervisor is implemented in the form of control places connected to the plant

Petri net. To deal with uncontrollable and unobservable transitions, it is necessary to ensure that no control place ever attempts to inhibit an uncontrollable transition enabled in the plant Petri net, and no control place marking is varied by firing unobservable transitions enabled in the closed-loop Petri net. To this end, it is sufficient to have the set of constraints satisfy the following relations of [124, 125]:

LDuc ≤ 0 (3.7)

LDuo =0 (3.8)

where Duc and Duo are matrices containing the columns of the incidence matrix corresponding to uncontrollable and unobservable transitions, respectively. All sets of constraints Lµ ≤ b satisfying (3.7) and (3.8) may be enforced as in section 3.5.1.

The relation (3.7) ensures that there is no arc from a control place of the supervisor to an uncontrollable transition. Relation (3.8) ensures that there is no arc between a control place of the superv­isor and an unobservable transition.

In order to be able to deal with constraints Lµ ≤ b which do not satisfy (3.7) and (3.8), constraint transformation approaches have been used [124, 125, 164]. In a constraint transformation, the constraints Lµ ≤ b are replaced by a new set of constraints L′µ ≤ b′ such that (i) L′ satisfies (3.7) and (3.8), and (ii) ∀µ ∈ ℕ^np: L′µ ≤ b′ ⇒ Lµ ≤ b. (np is the number of places of N.) Unless ∀µ ∈ ℕ^np: L′µ ≤ b′ ⇔ Lµ ≤ b, this approach of enforcing Lµ ≤ b may not be optimal, in the sense that there may be supervisors enforcing Lµ ≤ b in a less restrictive way. (Note that the supervisors designed as in section 3.5.1 are maximally permissive.)

Figure 3.3. (a) Petri net; (b) closed-loop.

For instance, consider the Petri net of Figure 3.3(a), where t1 is unobservable. We have:

$$D = \begin{bmatrix} -1 & 1 & 0 \\ -1 & 0 & 1 \\ 2 & -1 & -1 \end{bmatrix}, \qquad D_{uo} = \begin{bmatrix} -1 \\ -1 \\ 2 \end{bmatrix}$$

The matrix Duc is empty. Assume that we want to enforce (3.5) for

$$L = -\begin{bmatrix} 1 & 0 & 1 \\ 0 & 1 & 1 \end{bmatrix}, \qquad b = -\begin{bmatrix} 1 \\ 1 \end{bmatrix}$$

Note that LDuo = [−1, −1]ᵀ ≠ 0, so L violates (3.8): the control places of Theorem 3.1 would be output places of the unobservable transition t1. Then we can transform (3.5) to the constraints L′µ ≤ b′, for

$$L' = -\begin{bmatrix} 2 & 0 & 1 \\ 0 & 2 & 1 \end{bmatrix}, \qquad b' = -\begin{bmatrix} 1 \\ 1 \end{bmatrix}$$

for which L′Duo = 0. By enforcing L′µ ≤ b′ with the approach of section 3.5.1 we obtain the closed-loop Petri net of Figure 3.3(b). The transition arcs of the supervisor are represented with dashed lines. The control places are C1 and C2; they correspond to the first and second rows of Dc = −L′D, respectively.

3.6 Admissible and Feasible Sets of Constraints

This section introduces two concepts: admissible sets of constraints and feasible sets of constraints. While these concepts are introduced here in the context of marking constraints Lµ ≤ b, they are general, and are extended as appropriate in the next section for more general constraints. Note also that the concept of admissibility used in this work is different from that of [124, 125] (while still being related).

We define as feasible constraints the constraints that can be exactly implemented via supervision. In other words, the feasible constraints have the property that a supervisor inhibiting only enabled transitions that lead to states violating the constraints never inhibits uncontrollable transitions and does not need to detect firings of unobservable transitions. The formalization of feasibility is more involved, and follows next.

Let N be a Petri net with set of transitions T, set of uncontrollable transitions Tuc ⊆ T and set of unobservable transitions Tuo ⊆ T. Furthermore, let To = T \ Tuo and Tc = T \ Tuc. Given a supervisor Ξ : M × T* → 2^T and µ0 ∈ M (with µ0 fixed, we write Ξ(σ) for the set of transitions the supervisor enables after the firing sequence σ), we write (µ, σ) ∈ Rs(N, µ0, Ξ) if µ0 −σ→ µ and firing σ from µ0 is allowed in the closed-loop of (N, µ0) and Ξ.

A set of constraints Lµ ≤ b is feasible with respect to (N, µ0) if Lµ0 ≤ b and there is a supervisor Ξ : M × T* → 2^T with µ0 ∈ M such that

1. ∀σ ∈ T*: Tuc ⊆ Ξ(σ)

2. ∀σ1, σ2 ∈ T*: σ1|To = σ2|To ⇒ Ξ(σ1) = Ξ(σ2).

3. ∀(µ, σ) ∈ Rs(N, µ0, Ξ): Lµ ≤ b.

4. ∀(µ, σ) ∈ Rs(N, µ0, Ξ), ∀t ∈ T: t ∉ Ξ(σ) ⇒ (µ −t→ µ′ ∧ Lµ′ ≰ b).

A set of constraints Lµ ≤ b is feasible with respect to N if feasible with respect to (N, µ0) for all initial markings µ0 such that Lµ0 ≤ b.

Furthermore, we are interested in the sets of constraints that can be implemented as if all transitions were controllable and observable. For such constraints the method of section 3.5.1 designs a feasible supervisor, in the sense that the supervisor never disables uncontrollable transitions and never observes unobservable transitions. The constraints with this property are said to be admissible.

Formally, a set of constraints Lµ ≤ b is admissible with respect to (N, µ0) if

1. Lµ0 ≤ b

2. For all markings µn, n ≥ 0, reachable from µ0 through any path of consecutively reached markings µ0 → µ1 → ... → µn such that Lµi ≤ b ∀i = 0...n, µn satisfies that

(a) ∀t ∈ Tuc: µn −t→ µ ⇒ Lµ ≤ b.

(b) ∀t ∈ Tuo: (µn −t→ µ ∧ Lµ ≤ b) ⇒ Lµ = Lµn.

A set of constraints Lµ ≤ b is admissible with respect to N if admissible with respect to (N, µ0) for all initial markings µ0 such that Lµ0 ≤ b.

It can be noticed that the requirements of the above definition ensure that the control places resulting from enforcing the constraints as in section 3.5.1 never disable plant-enabled uncontrollable transitions and that their marking is not affected by the firing of closed-loop enabled unobservable transitions.

Note that all admissible constraints are feasible. The converse is not true. To see this, let's consider again the Petri net of Figure 3.3(a), with t1 uncontrollable and unobservable, and t2 and t3 controllable and observable. The constraint µ1 + µ3 ≥ 1 is not admissible. However, note that 2µ1 + µ3 ≥ 1 is both admissible and feasible. As µ1 + µ3 ≥ 1 and 2µ1 + µ3 ≥ 1 are equivalent, that is, the set of legal markings specified by µ1 + µ3 ≥ 1 equals that of 2µ1 + µ3 ≥ 1, we can conclude that µ1 + µ3 ≥ 1 is feasible, even though not admissible. Another example is the Petri net (N, µ0) of Figure 3.4, in which t1 and t2 are controllable and observable, while t3 is controllable and unobservable. The constraint µ1 + µ2 ≤ 1 is feasible, as a supervisor will only have to disable t3. However, it is not admissible.

Figure 3.4. Illustration for inadmissible but feasible constraints.

Figure 3.5. Implementation of an admissible set of constraints.

An admissible set of constraints can be enforced by performing just a few matrix multiplications (section 3.5.1). However, checking whether a set of constraints is admissible or not may involve reachability analysis, which is computationally expensive. For this reason the sufficient condition of relations (3.7) and (3.8) is valuable, as it provides a computationally simple test to verify that a set of constraints is admissible. This test ensures that the supervisor based on place invariants does not have arcs to the uncontrollable transitions, and has no arcs to or from unobservable transitions. Note that the constraints (3.7) and (3.8) are not necessary for Lµ ≤ b to be admissible with respect to a Petri net (N, µ0) or a Petri net structure N. For instance, consider the Petri net structure of Figure 3.5(a), where all transitions are controllable and observable, except for t4, which is uncontrollable and unobservable. Note that the set of constraints

µ1 + µ2 ≤ 1

−µ1 − µ2 ≤ −1

µ3 ≤ 0

is admissible with respect to the Petri net structure, in spite of the fact that (3.7) and (3.8) are not satisfied. The set of constraints is admissible because there is no marking satisfying the constraints such that t4 is plant-enabled. Indeed, this is enough to guarantee that the supervisor never attempts to inhibit or observe the transition t4 (Figure 3.5(b)).
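The following Python program is an added worked example and is not part of the dissertation. It implements the supervisor of Theorem 3.1 (Dc = −LD, µc0 = b − Lµ0), the structural test (3.7)–(3.8), and the admissibility definition of this section checked by exhaustive enumeration of the legal reachable markings, on the plant of Figure 3.3(a) with the constraints L and L′ of section 3.5.2 and with t1 uncontrollable and unobservable. The initial marking µ0 = (1, 1, 0) is an assumption (the page states none); the net conserves its token count, so the enumerations terminate.

```python
from collections import deque

# Plant of Figure 3.3(a): rows are places p1, p2, p3, columns are transitions
# t1, t2, t3. The net has no self-loops, so D- = max(0, -D) and D+ = max(0, D).
D = [[-1, 1, 0],
     [-1, 0, 1],
     [2, -1, -1]]
T_UC = {0}        # t1 uncontrollable (as in the example of section 3.6)
T_UO = {0}        # t1 unobservable
MU0 = (1, 1, 0)   # assumed initial marking; the page gives none

# Original constraints (3.5): mu1 + mu3 >= 1 and mu2 + mu3 >= 1, written as
# L mu <= b with L = -[[1,0,1],[0,1,1]] and b = -[1,1].
L = [[-1, 0, -1], [0, -1, -1]]
B = [-1, -1]
# Transformed constraints L'mu <= b' of section 3.5.2 (same legal markings).
L_T = [[-2, 0, -1], [0, -2, -1]]
B_T = [-1, -1]


def matmul(A, X):
    return [[sum(a * x for a, x in zip(row, col)) for col in zip(*X)] for row in A]


def lmu(L, mu):
    return tuple(sum(l * m for l, m in zip(row, mu)) for row in L)


def satisfies(L, b, mu):
    return all(x <= y for x, y in zip(lmu(L, mu), b))


def place_invariant_supervisor(L, b, D, mu0):
    """Theorem 3.1: control places with Dc = -L D and muc0 = b - L mu0."""
    if not satisfies(L, b, mu0):
        raise ValueError("initial marking violates L mu <= b")
    Dc = [[-x for x in row] for row in matmul(L, D)]
    muc0 = [y - x for x, y in zip(lmu(L, mu0), b)]
    return Dc, muc0


def structurally_admissible(L, D, Tuc, Tuo):
    """Sufficient test (3.7)-(3.8): L Duc <= 0 and L Duo = 0, column by column."""
    LD = matmul(L, D)
    return (all(row[t] <= 0 for row in LD for t in Tuc)
            and all(row[t] == 0 for row in LD for t in Tuo))


def enabled(mu, Dminus, t):
    return all(mu[p] >= Dminus[p][t] for p in range(len(mu)))


def fire(mu, Dmat, t):
    return tuple(mu[p] + Dmat[p][t] for p in range(len(mu)))


def reachable_closed_loop(L, b, D, mu0):
    """Breadth-first enumeration of the closed loop (plant plus control places);
    returns the set of plant markings it reaches. Assumes a bounded plant."""
    Dc, muc0 = place_invariant_supervisor(L, b, D, mu0)
    Dcl = D + Dc
    Dcl_minus = [[max(0, -x) for x in row] for row in Dcl]
    start = tuple(mu0) + tuple(muc0)
    seen, queue = {start}, deque([start])
    while queue:
        m = queue.popleft()
        for t in range(len(D[0])):
            if enabled(m, Dcl_minus, t):
                n = fire(m, Dcl, t)
                if n not in seen:
                    seen.add(n)
                    queue.append(n)
    return {m[:len(D)] for m in seen}


def admissible_by_enumeration(L, b, D, mu0, Tuc, Tuo):
    """Definition of section 3.6, checked on every marking reachable from mu0
    through legal markings: (a) no uncontrollable transition leaves the legal
    set, (b) no unobservable transition changes L mu."""
    Dminus = [[max(0, -x) for x in row] for row in D]
    if not satisfies(L, b, mu0):
        return False
    seen, queue = {tuple(mu0)}, deque([tuple(mu0)])
    while queue:
        m = queue.popleft()
        for t in range(len(D[0])):
            if not enabled(m, Dminus, t):
                continue
            n = fire(m, D, t)
            legal = satisfies(L, b, n)
            if t in Tuc and not legal:
                return False  # (a): the supervisor would have to disable t
            if t in Tuo and legal and lmu(L, n) != lmu(L, m):
                return False  # (b): a control place marking would change
            if legal and n not in seen:
                seen.add(n)
                queue.append(n)
    return True


if __name__ == "__main__":
    for name, Lx, bx in (("L", L, B), ("L'", L_T, B_T)):
        print(name, "(3.7)/(3.8):", structurally_admissible(Lx, D, T_UC, T_UO),
              "by enumeration:", admissible_by_enumeration(Lx, bx, D, MU0, T_UC, T_UO))
    print("closed loop under L' reaches", sorted(reachable_closed_loop(L_T, B_T, D, MU0)))
```

Running it shows that L fails (3.8) and is inadmissible by enumeration (firing t1 from µ0 changes Lµ), while L′ passes both tests; the closed loop built from L′ reaches exactly the four legal plant markings that the plant can reach through legal markings, so for this initial marking the transformed supervisor is not only sound but as permissive as the original constraint allows.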

3.7 Enforcing Generalized Linear Constraints

3.7.1 On the Significance of the Constraints

In this section it is shown that any place of a Petri net can be seen as a control place enforcing a constraint of the form (3.4). We will denote by D the incidence matrix, and by D⁺ and D⁻ its components corresponding to weights of arcs from transitions to places, and weights of arcs from places to transitions, respectively.

The common algebraic Petri net representation is via the following state equation:

µ = µ0 + Dv (3.9)

Figure 3.6. Petri nets for Example 3.2: (a), (b) and (c).

where µ0 is the initial marking. The operation of a Petri net can also be described through inequalities of the form (3.4). Indeed, from (3.9) we derive:

(−D)v ≤ µ0 (3.10)

Let C = −D. The inequality Cv ≤ µ0 determines the operation of a Petri net only if the net has no self-loops and we are in the no concurrency framework. To deal with self-loops and concurrency, an additional term is introduced:

Hq + Cv ≤ µ0 (3.11)

where H = D⁻. Note that Hi,j ≥ 0 for all indices i and j. The constraints (3.11) completely describe the operation of a Petri net, regardless of whether it has self-loops or not. Indeed, after we fire from µ0 a sequence σ of Parikh vector v, the transition ti is enabled if and only if Hq^(i) + Cv ≤ µ0 and C(v + q^(i)) ≤ µ0, where q^(i) denotes the firing vector of ti alone. (Note that as H = D⁻ and C = −D, we have that Hq^(i) + Cv ≤ µ0 ⇒ C(v + q^(i)) ≤ µ0.)

Example 3.2

Consider the Petri nets of Figure 3.6. The Petri net (a) is not restricted: the firings of t1, t2 and t3 are free. Thus H and C are empty matrices. By adding the places p1, p2 and p3 as in the Petri net (b), we obtain the following inequalities for (3.11):

v1 ≤ 3 (3.12)

v2 − v3 ≤ 0 (3.13)

−v2 + v3 ≤ 1 (3.14)

where the inequalities are generated, in this order, by p1, p2, and p3. The inequalities of the Petri net (c) are:

q1 + v2 ≤ 3 (3.15)

v2 − v3 ≤ 0 (3.16)

−2v1 − v2 + v3 ≤ 1 (3.17)

Note that both µ and v can describe the state of a Petri net. We choose to denote by R(N, µ0) all pairs (µ, v) such that µ0 −σ→ µ, and the Parikh vector of the firing sequence σ is v.

In the literature it has been noticed that Petri nets without self-loops correspond to inequalities Cv ≤ µ0 [107].

To see that the generalized type of constraints (3.3) is more expressive than (3.2), note that in the Petri net of Figure 3.7 there is no place invariant involving the control place C. Therefore, C cannot be described by (3.2). However the following constraint in the form (3.3) describes it:

−v1 + v2 + v3 ≤ 1

In fact, every place of a Petri net can be seen as a control place restricting the firings of the net transitions. This result is stated next.

Figure 3.7. A control place that is not in a place invariant.

Proposition 3.3

Every place of a Petri net can be seen as a control place enforcing a single inequality of the form (3.3).

Proof: The proof follows immediately from (3.11): the constraint of each place pi is hq + cv ≤ µ0i, where h and c are the i'th rows of H = D⁻ and C = −D. □

An immediate consequence of Proposition 3.3 is that we can identify redundant places in a Petri net by finding the redundant constraints of a set of constraints (3.3) describing the Petri net. This gives an interesting interpretation to the literature approaches for the identification of redundant places, such as that of [154].

Finally, note that without loss of generality the entries of H in (3.3) can be assumed nonnegative. This is especially easy to see in the no concurrency case. Indeed, let max be the maximum operator taken element by element (Z = max(X, Y) ⇒ Zij = max(Xij, Yij)). Let H⁺ = max(H, 0). By the definition of the generalized constraints, Lµ + Hq + Cv ≤ b is satisfied only if Lµ + Cv ≤ b is also satisfied. Then note that Lµ + H⁺q + Cv = max(Lµ + Cv, Lµ + Hq + Cv) ≤ b and Lµ + Hq + Cv ≤ Lµ + H⁺q + Cv. Therefore Lµ + Hq + Cv ≤ b ⇔ Lµ + H⁺q + Cv ≤ b. So the negative elements of H can be ignored.

3.7.2 Supervisor Design in the Fully Controllable and Observable Case

In the case of Petri nets in which all transitions are controllable and observable, it is possible to optimally enforce constraints of the form (3.3). We first define

Dlc⁺ = max(0, −LD − C) (3.18)

Dlc⁻ = max(0, LD + C) (3.19)

Then let

Dc⁺ = Dlc⁺ + max(0, H − Dlc⁻) (3.20)

Dc⁻ = max(Dlc⁻, H) (3.21)

Note that in the equations (3.18–3.21) the operator max is taken element by element. That is, Y = max(0, X) means Yij = max(0, Xij) and Z = max(X, Y) means Zij = max(Xij, Yij).

The matrices Dc⁺ and Dc⁻ describe a Petri net structure with the same transitions as the plant. This Petri net structure represents the Petri net implementation of the supervisor. The initial marking µc0 of the supervisor depends on the initial marking µ0 of the plant as follows:

µc0 = b − Lµ0 − Cv0 (3.22)

Note that b − Lµ0 − Cv0 ≥ 0 is a consequence of the fact that (3.3) is satisfied at the initialization of the plant.

Theorem 3.4 Optimality of the Supervisor Design

The supervisor defined by the incidence matrices Dc⁺ and Dc⁻ of (3.20) and (3.21) and of initial marking given by (3.22) enforces (3.3) and is least restrictive.

Proof: Note that a supervisor enforcing (3.3) enforces that

0 ≤ b − Lµ − Cv (3.23)

Hq ≤ b − Lµ − Cv (3.24)

(LD + C)q ≤ b − Lµ − Cv (3.25)

where the last inequality results from the constraint that the state (µ′, v′) reached after firing q satisfies (3.23). Note also that in the no concurrency case, (3.23–3.25) expresses fully the interpretation of (3.3) and can be written compactly as

Dc⁻q ≤ b − Lµ − Cv (3.26)

since Dc⁻ = max(0, H, LD + C). It can be shown that (3.26) expresses (3.3) also in the concurrency case, but the proof is omitted here. It can be easily checked from (3.18–3.21) that

Dc⁺ − Dc⁻ = −LD − C (3.27)

Further, (3.22) and (3.27) imply that the supervisor marking µc satisfies

µc = b − Cv − Lµ (3.28)

at all reachable states (µ, v). Next, note that the supervisor enables a firing vector q if and only if µc ≥ Dc⁻q. However, in view of (3.28), µc ≥ Dc⁻q is the same as (3.26)! This proves that the supervisor enforces (3.3) and that it is least restrictive. □

The proof of the theorem has shown that the supervisor marking µc always satisfies (3.28). This implies that the supervisors we build for (3.3) may not create a place invariant. Note that if we substitute (3.22) and µ = µ0 + Dv in (3.28), we have that

µc = µc0 − (C + LD)v (3.29)

Finally, the fact that negative entries in H do not increase the expressivity of (3.3) or (3.2) can be seen from (3.20) and (3.21). Indeed, due to the max operators, the value of a negative entry in H has no effect on Dc⁻ and Dc⁺.

3.7.3 Admissibility

This section studies the admissibility of the constraints (3.3). First, the admissibility concept defined in section 3.6 for constraints (3.1) is extended to the constraints (3.3). Then, admissibility tests are proposed.

The admissible constraints have been defined as the type of constraints that can be enforced as if all transitions were controllable and observable. This means that once we know a set of constraints is admissible, we can optimally enforce it as in section 3.7.2. A formal definition of the admissibility of (3.3) follows.

Definition 3.5 Admissibility of Generalized Constraints

Given a set of constraints (3.3) on a Petri net (N, µ0), consider the construction of section 3.7.2. The set of constraints (3.3) is admissible if for all reachable states (µ, v) of the closed-loop net it is true that:

1. If t is uncontrollable and µ|N enables t in N, then µ enables t in the closed-loop net. (We denote by µ|N the restriction of µ to the places of N.)

2. If t is unobservable and µ enables t, then Dc⁺(·,t) = Dc⁻(·,t).

Note that the condition 2 in the definition corresponds to the requirement that the unobservable transitions which are not dead at the initial marking of the closed-loop net have null columns in Dc = Dc⁺ − Dc⁻ (where Dc⁺ and Dc⁻ are defined in (3.20) and (3.21)). For general Petri nets it may not be easy to check whether a constraint is admissible. However, when the supervisor part of the closed-loop Petri net is bounded, we have the following algorithm:

1. Construct the coverability graph of the closed-loop Petri net. (The usual construction is proposed; see [82, p. 171] or [143, pp. 66-71].)

Figure 3.8. The coverability graph may hide admissibility relevant information.

2. For every node of the graph check the following. Let µ be the marking labeling the current graph node.

(a) Is any uncontrollable transition not enabled by µ, but enabled by µ|N in N? Then exit and declare that the constraints are inadmissible.

(b) Is any unobservable transition t enabled by µ such that firing t changes the marking of the control places? Then exit and declare that the constraints are inadmissible.

3. Declare the constraints admissible.

The example of Figure 3.8 shows that it is not easy to extend the algorithm when the supervisor part of the closed-loop Petri net is unbounded. In the example, t2 is uncontrollable and C is the control place corresponding to the constraint 4q2 − v1 ≤ 0. It can be seen that we cannot detect from the coverability graph of the closed-loop net (constructed with the usual approach [82, 143]) that the constraint is inadmissible.

Reachability analysis is usually time expensive. Alternatively, we may attempt to do a structural admissibility analysis. Structural admissibility analysis attempts to prove admissibility properties based on the structure of the Petri net, rather than the initial marking. Thus, from the structural perspective, the question is whether the constraints are admissible for all initial markings satisfying them.

A computationally simple test for marking constraints Lµ ≤ b to be admissible is that LDuc ≤ 0 and LDuo = 0 [124, 125], where Duc and Duo are the restrictions of the incidence matrix D of the plant to the uncontrollable and unobservable transitions, respectively. In terms of the Petri net representing the supervisor of Theorem 3.1, this corresponds to

Dc⁻(·,t) = 0 ∀t ∈ Tuc and Dc(·,t) = 0 ∀t ∈ Tuo (3.30)

It can be easily seen that (3.30) is also a sufficient condition for admissibility in the case of the general constraints (3.3) when Dc⁻ and Dc correspond to the supervisor (3.20–3.22). This is formally stated in the following proposition.

Proposition 3.6 Structural test for admissibility

Let Dc⁺ and Dc⁻ be defined by (3.20) and (3.21). Then (3.3) is admissible if (3.30) is satisfied.

Note that the condition Dc(·,t) = 0 ensures that for any unobservable transition t, a control place is either not connected to it, or is connected to it with input and output arcs of equal weight. The condition Dc⁻(·,t) = 0 ensures that no control place is in the preset of an uncontrollable transition. Let Tr,uc = {t ∈ Tuc : Dc⁻(·,t) ≠ 0} and Tr,uo = {t ∈ Tuo : Dc(·,t) ≠ 0}.

For a fixed v0 (e.g. v0 = 0), the following algorithm could be used to identify constraints that are inadmissible for some admissible initial markings, where an initial marking µ0 is admissible if it satisfies the initial marking requirement of (3.3) (that is, Lµ0 + Cv0 ≤ b).

1. Construct the supervisor defined by (3.20–3.22).

2. Assume v = v0 and check whether there are initial markings µ of the plant such that

(a) (3.3) is satisfied.

(b) ∃t ∈ Tr,uc: t is enabled by the plant and disabled by the supervisor.

If such markings µ exist, exit and declare that the constraints (3.3) are inadmissible for some admissible initial markings.

3. Assume v = v0 and check whether there are initial markings µ of the plant such that

(a) (3.3) is satisfied.

(b) ∃t ∈ Tr,uo: t is enabled in the closed-loop.

If such markings µ exist, exit and declare that the constraints (3.3) are inadmissible for some initial markings.

4. Repeat the checks from the steps 2 and 3 for v ≥ v0 rather than v = v0. If no µ and v exist such that the conditions of either of step 2 or 3 are satisfied, declare the constraints (3.3) admissible for all admissible initial markings.

At step 4, note that we can no longer say that (3.3) are inadmissible for some markings if a (µ, v), v ≠ v0, is found that satisfies one of the checks of the steps 2 and 3. This is because we don't know whether (µ, v) is reachable. Note also that the operations of the steps 2 and 3 require integer linear programming. Overall, the algorithm involves at most 2|Tr,uc| + 2|Tr,uo| integer linear programs.

In summary, this section has extended the admissibility definition to constraints (3.3) and has proposed various tests to check admissibility. When the initial marking is fixed, a coverability graph approach can be used to check admissibility. This approach requires building the coverability graph of the closed-loop of the plant Petri net with the supervisor defined by (3.20–3.22). If no control place has a "ω" marking in the coverability graph, this approach can say whether the constraints (3.3) are admissible or not. The second admissibility test has been given in (3.30). The condition (3.30) is easy to check, however only sufficient. If satisfied, (3.3) is admissible with respect to all initial markings satisfying (3.3). Finally, an algorithm has been proposed to check whether a set of constraints is admissible for all initial markings satisfying (3.3). Unlike the condition (3.30), which gives a "yes" or "don't know" answer, this algorithm is a more powerful test which gives a "yes", "no" or "don't know" answer. However, the algorithm requires integer linear programming.
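As an added worked example that is not part of the dissertation, the Python program below carries out the construction (3.18)–(3.22) of section 3.7.2, checks the invariant (3.28) along a firing sequence in the closed loop, and evaluates the structural test (3.30) of this section. It uses Example 3.2: starting from the place-less net (a), the supervisor for the constraints (3.15)–(3.17) reproduces exactly the arcs of net (c), which is Proposition 3.3 read backwards. The controllability assumptions passed to the structural test (t1 uncontrollable and t3 unobservable in one call; t3 uncontrollable and t1 unobservable for the single constraint (3.15) in the other) are the example's own, not the page's.

```python
# Example 3.2, net (a): transitions t1, t2, t3 and no places, so the plant
# matrices have zero rows and L has zero columns; net (c) is then built
# entirely by the supervisor for the constraints (3.15)-(3.17).
N_T = 3
L = [[], [], []]
D_MINUS, D_PLUS = [], []
MU0, V0 = (), (0, 0, 0)
# (3.15) q1 + v2 <= 3, (3.16) v2 - v3 <= 0, (3.17) -2 v1 - v2 + v3 <= 1
H = [[1, 0, 0], [0, 0, 0], [0, 0, 0]]
C = [[0, 1, 0], [0, 1, -1], [-2, -1, 1]]
B = [3, 0, 1]


def dot(row, vec):
    return sum(a * x for a, x in zip(row, vec))


def matmul(A, X, n_cols):
    # X may have zero rows (empty plant); the product is then all zeros.
    return [[sum(a * X[j][c] for j, a in enumerate(row)) for c in range(n_cols)] for row in A]


def pos(X):  # max(0, X), element by element
    return [[max(0, x) for x in row] for row in X]


def generalized_supervisor(L, H, C, b, Dminus, Dplus, mu0, v0):
    """Control places for L mu + H q + C v <= b, equations (3.18)-(3.22)."""
    n_t = len(C[0])
    D = [[p - m for p, m in zip(rp, rm)] for rp, rm in zip(Dplus, Dminus)]
    LD_C = [[x + c for x, c in zip(r1, r2)] for r1, r2 in zip(matmul(L, D, n_t), C)]
    Dlc_plus = pos([[-x for x in row] for row in LD_C])             # (3.18)
    Dlc_minus = pos(LD_C)                                            # (3.19)
    Dc_plus = [[a + max(0, h - m) for a, h, m in zip(ra, rh, rm)]
               for ra, rh, rm in zip(Dlc_plus, H, Dlc_minus)]        # (3.20)
    Dc_minus = [[max(m, h) for m, h in zip(rm, rh)]
                for rm, rh in zip(Dlc_minus, H)]                     # (3.21)
    muc0 = [bi - dot(lr, mu0) - dot(cr, v0) for bi, lr, cr in zip(b, L, C)]  # (3.22)
    if any(x < 0 for x in muc0):
        raise ValueError("(3.3) does not hold at the initial state")
    return Dc_plus, Dc_minus, muc0


def run_closed_loop(L, H, C, b, Dminus, Dplus, mu0, v0, sequence):
    """Fire `sequence` (transition indices) one at a time in the closed loop
    and check the invariant (3.28) muc = b - L mu - C v after every step.
    Returns (final closed-loop marking, invariant_held)."""
    Dc_plus, Dc_minus, muc0 = generalized_supervisor(L, H, C, b, Dminus, Dplus, mu0, v0)
    Dm = [list(r) for r in Dminus] + Dc_minus
    Dp = [list(r) for r in Dplus] + Dc_plus
    n_plant = len(mu0)
    m, v = list(mu0) + list(muc0), list(v0)
    for t in sequence:
        if any(m[p] < Dm[p][t] for p in range(len(m))):
            raise ValueError(f"t{t + 1} is not enabled in the closed loop")
        for p in range(len(m)):
            m[p] += Dp[p][t] - Dm[p][t]
        v[t] += 1
        expected = [bi - dot(lr, m[:n_plant]) - dot(cr, v) for bi, lr, cr in zip(b, L, C)]
        if m[n_plant:] != expected:
            return tuple(m), False
    return tuple(m), True


def structural_test(Dc_plus, Dc_minus, Tuc, Tuo):
    """Condition (3.30). Returns (passes, Tr_uc, Tr_uo); a False result means
    'don't know', not 'inadmissible'."""
    Tr_uc = {t for t in Tuc if any(row[t] != 0 for row in Dc_minus)}
    Tr_uo = {t for t in Tuo if any(rp[t] != rm[t] for rp, rm in zip(Dc_plus, Dc_minus))}
    return (not Tr_uc and not Tr_uo), Tr_uc, Tr_uo


if __name__ == "__main__":
    Dc_plus, Dc_minus, muc0 = generalized_supervisor(L, H, C, B, D_MINUS, D_PLUS, MU0, V0)
    print("Dc+ =", Dc_plus, "Dc- =", Dc_minus, "muc0 =", muc0)   # the arcs of net (c)
    print(run_closed_loop(L, H, C, B, D_MINUS, D_PLUS, MU0, V0, [0, 2, 1]))
    # Assumed for the test: t1 uncontrollable, t3 unobservable.
    print(structural_test(Dc_plus, Dc_minus, Tuc={0}, Tuo={2}))
```

With all three constraints every control place touches every transition, so the structural test reports Tr,uc = {t1} and Tr,uo = {t3}, a "don't know". With (3.15) alone, the only control place has a self-loop of weight 1 with t1 and no arc to t3, so Dc(·,t1) = 0 and Dc⁻(·,t3) = 0 and the test passes even though t1 is unobservable, which is the equal-weight self-loop case noted after Proposition 3.6.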

3.7.4 Supervisor Design in the Partially Controllable and Observable Case

This section proposes an approach that reduces the supervisor design problem from the enforcement of constraints (3.3) to the enforcement of constraints (3.1). This approach is convenient because computationally efficient methods for the enforcement of (3.1) are available. A brief overview of the available methods has been included in section 3.4. Since the proposed reduction technique involves simple constraint and net transformations, this section demonstrates that the supervisors of (3.3) can be designed as efficiently as the supervisors of (3.1).

When a constraint is admissible, it can be enforced as in section 3.7.2. However, as shown in section 3.7.3, checking admissibility can be computationally expensive. To avoid this difficulty, this section proposes the sufficient condition (3.30) as a test for admissibility. Then, if (3.30) is satisfied, the approach of section 3.7.2 can be used. If not, the reduction technique of this section can be applied to reduce the problem to the enforcement of constraints (3.1) in partially controllable and observable Petri nets. Given a set of constraints (3.3) on a Petri net (N, µ0), the reduction technique is used to find a set of admissible constraints

Laµ + Haq + Cav ≤ ba (3.31)

such that if Ξ is a supervisor enforcing (3.31) on (N, µ0), then ∀(µ, v) ∈ R(N, µ0, Ξ): (3.3) is satisfied. The reduction approach uses four transformations: the C- and H-transformations, and the C⁻¹- and H⁻¹-transformations. The first two transformations are used to map a set of constraints (3.3) into a set of marking constraints LHCµ ≤ b in terms of a transformed Petri net NHC. The inverse C⁻¹- and H⁻¹-transformations are used to map a set of constraints LHC,aµ ≤ ba admissible with respect to NHC into a set of constraints (3.31) admissible with respect to N. The transformations are defined next.

Figure 3.9. Illustration of the C-transformation.

The idea of the C-transformation is illustrated on an example. Consider the Petri net of Figure 3.9(a), and assume that we desire to enforce the following constraint:

µ1 + q1 + v2 − v3 ≤ 3 (3.32)

The idea is to transform the net such that the Cv term is transformed into a marking term. Thus, by transforming the net as in Figure 3.9(b), (3.32) can be written without referring to v:

µ1 + q1 + µ4 − µ5 ≤ 3 (3.33)

The Petri net of Figure 3.9(b) and the constraint (3.33) are the C-transformation of the Petri net of Figure 3.9(a) and of (3.32). Note that the extension of the Petri net through the C-transformation corresponds to the one-dimensional memory of [106] that is used for the enforcement of linear dynamic specifications Cv ≤ b.

The inverse C-transformation is also possible. Given the constraint

µ1 − 3µ4 + 2µ5 + q1 ≤ 5 (3.34)

on the Petri net of Figure 3.9(b), we can map it to

µ1 + q1 − 3v4 + 2v5 ≤ 5 (3.35)

in the original Petri net. We proceed next to formally define the direct and inverse transformations.

The C-Transformation

Input: The Petri net $(N, T_{uc}, T_{uo})$, the constraints $L\mu + Hq + Cv \le b$, and optionally the initial marking $\mu_0$, the initial Parikh vector $v_0$, and a set $T_{s,C} \subseteq T$ (by default, $T_{s,C} = \emptyset$).

Output: The C-transformed Petri net $(N_C, T_{uc}, T_{uo})$, the C-transformed constraint $L_C\mu_C + Hq \le b$, and the initial marking $\mu_{0C}$ of $N_C$.

1. Initialize $N_C$ to equal $N$, $L_C$ to $L$, and $\mu_{0C}$ to $\mu_0$.

2. For all $t \in T$ such that either $C(\cdot,t)$ is not zero or $t \in T_{s,C}$:

(a) Add a new place $p$ to $N_C$ such that $p\bullet = \emptyset$ and $\bullet p = \{t\}$.

(b) Set $L_C(\cdot,p) = C(\cdot,t)$ and $\mu_{0C}(p) = v_0(t)$.

The $C^{-1}$-Transformation

Input: The Petri net $N = (P, T, D^-, D^+)$, the C-transformed net $N_C = (P_C, T, D_C^-, D_C^+)$, and a set of constraints $L_C\mu_C + Hq \le b$ on $N_C$.

Output: The $C^{-1}$-transformed constraint $L\mu + Hq + Cv \le b$.

1. Set $L(\cdot,p) = L_C(\cdot,p)$ $\forall p \in P$ and $C$ to the null matrix.

2. For all $p \in P_C \setminus P$:

(a) Let $t$ be the transition such that $\bullet p = \{t\}$.

(b) Set $C(\cdot,t) = L_C(\cdot,p)$.

Lemma 3.7

Consider the notation of the C-transformation. We have that:

1. $L\mu + Hq + Cv \le b$ is admissible in $(N, \mu_0)$ if $L_C\mu_C + Hq \le b$ is admissible in $(N_C, \mu_{0C})$.

2. Let $L_1\mu + H_1 q + C_1 v \le b_1$ be a set of constraints in $N$, and $L_{C1}\mu_C + H_1 q \le b_1$ the corresponding constraints in the C-transformed net $N_C$. Let $L_{C2}\mu_C + H_2 q \le b_2$ be a set of admissible constraints in $(N_C, \mu_{0C})$, and $L_2\mu + H_2 q + C_2 v \le b_2$ be the $C^{-1}$-transformation of $L_{C2}\mu_C + H_2 q \le b_2$. Let $\Xi_C$ be a supervisor optimally enforcing $L_{C2}\mu_C + H_2 q \le b_2$ in $(N_C, \mu_{0C})$, and $\Xi$ a supervisor optimally enforcing $L_2\mu + H_2 q + C_2 v \le b_2$ in $(N, \mu_0)$. Then
$$(\forall(\mu_C, v_C) \in R(N_C, \mu_{0C}, \Xi_C):\ L_{C1}\mu_C + H_1 q \le b_1) \Rightarrow (\forall(\mu, v) \in R(N, \mu_0, \Xi):\ L_1\mu + H_1 q + C_1 v \le b_1).$$

Note that the statement of part two is the formalization of "if $\Xi_C$ enforces $L_{C1}\mu_C + H_1 q \le b_1$, then $\Xi$ enforces $L_1\mu + H_1 q + C_1 v \le b_1$." The proof of the lemma can be carried out similarly to the proof of Lemma 3.9, which is presented later in this section.

[Figure 3.10. Example for the H-transformation: (a) the original Petri net; (b) the H-transformed Petri net, in which t3 is split and the place p5 and the transition t6 are added.]

The H-transformation is a modification of the indirect method for enforcing firing vector constraints in [125]. The idea of the transformation is illustrated on the following example. Consider the Petri net of Figure 3.10(a). Assume that we desire to enforce

µ1 + µ2 + 2µ3 + q3 ≤ 5 (3.36)

Then we can transform the Petri net as shown in Figure 3.10(b). The transformation adds a place and a transition which correspond to the factor q3. Then

µ1 + µ2 + 2µ3 + 4µ5 ≤ 5 (3.37)

is the transformed constraint, where the term 4µ5 is obtained as follows. Consider firing $t_3$ in the transformed net. If $\mu \xrightarrow{t_3} \mu'$ and $a$ is the coefficient of $\mu_5$, we desire
$$a + \mu'_1 + \mu'_2 + 2\mu'_3 = 1 + \mu_1 + \mu_2 + 2\mu_3,$$
where the factor 1 is the coefficient of $q_3$ in (3.36). Thus we obtain $a = 4$.

The H-Transformation

Input: The Petri net $(N, T_{uc}, T_{uo})$ with $N = (P, T, D^-, D^+)$, the constraints $L\mu + Hq \le b$, and optionally the initial marking $\mu_0$ and a set $T_{s,H} \subseteq T$ (by default, $T_{s,H} = \emptyset$).

Output: The H-transformed Petri net $(N_H, T_{H,uc}, T_{H,uo})$ with $N_H = (P_H, T_H, D_H^-, D_H^+)$, the H-transformed constraint $L_H\mu_H \le b$, and the initial marking $\mu_{0H}$ of $N_H$.

1. Initialize $N_H$ to $N$, $L_H$ to $L$, and $\mu_{0H}$ to $\mu_0$. Let $H_d$ be defined as $H_d(\cdot,t_i) = \max(LD(\cdot,t_i), H(\cdot,t_i), 0)$ if either $H(\cdot,t_i)$ is not zero or $t_i \in T_{s,H}$, and $H_d(\cdot,t_i) = 0$ otherwise.

2. For all $t_i \in T$ such that either $H(\cdot,t_i)$ is not zero or $t_i \in T_{s,H}$:

(a) Add a new place $p_k$ and a new transition $t_j$ to $N_H$ as in Figure 3.11, and include $t_j$ in $T_{H,uc}$ if $t_i \in T_{uc}$ and in $T_{H,uo}$ if $t_i \in T_{uo}$.

(b) Set $L_H(\cdot,p_k) = H_d(\cdot,t_i) + LD^-(\cdot,t_i)$ and $\mu_{0H}(p_k) = 0$.

[Figure 3.11. Illustration of the transition split operation: (a) the transition $t_i$ is split into $t_i$, the new place $p_k$ and the new transition $t_j$; (b) the case of a control place connected through a self-loop to $t_i$.]

The $H^{-1}$-Transformation

Input: The Petri net $N = (P, T, D^-, D^+)$, the H-transformed net $N_H = (P_H, T_H, D_H^-, D_H^+)$, and a set of constraints $L_H\mu_H \le b$ on $N_H$.

Output: The $H^{-1}$-transformed constraint $L\mu + Hq \le b$.

1. Set $L(\cdot,p) = L_H(\cdot,p)$ $\forall p \in P$ and $H$ to the null matrix.

2. For all $p_k \in P_H \setminus P$:

(a) Let $t_i$ be the transition such that $\{t_i\} = \bullet p_k$.

(b) Set $H(\cdot,t_i) = L_H(\cdot,p_k) - L_H D_H^-(\cdot,t_i)$.
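The four transformations above, as an added worked example in Python (not code from the dissertation): the C-transformation and its inverse are checked on constraint (3.32) of Figure 3.9, the H-transformation and its inverse on constraint (3.36) of Figure 3.10, and the H-transformed constraint is also tested against condition (3.47). Since the arc structure of the figures is not reproduced in the text, the arcs of both nets are assumed here (chosen so that t3 of Figure 3.10 consumes from p1 and p3, which gives the coefficient 4 of (3.37)).

```python
"""Added example (not the dissertation's code): the C-, C^-1-, H- and H^-1-
transformations of section 3.7.4 for one constraint  l*mu + h*q + c*v <= b,
with matrices stored as lists of rows (one row per place, one column per
transition).  The arc structure of the nets of Figures 3.9 and 3.10 is
assumed; only the constraints come from the text."""
from dataclasses import dataclass


@dataclass
class Net:
    places: list       # place names, one per row of dminus / dplus
    transitions: list  # transition names, one per column
    dminus: list       # D^-[p][t]: tokens t consumes from p
    dplus: list        # D^+[p][t]: tokens t produces in p


@dataclass
class Constraint:
    l: list   # marking coefficients, one per place
    h: list   # firing-vector (q) coefficients, one per transition
    c: list   # Parikh-vector (v) coefficients, one per transition
    b: int


def _copy(m):
    return [row[:] for row in m]


def _col_dot(l, m, j):
    """l . M(., t_j) for a matrix stored as a list of rows."""
    return sum(l[p] * m[p][j] for p in range(len(m)))


def c_transform(net, con, ts_c=()):
    """C-transformation: for every t with C(.,t) != 0 or t in Ts_C add a sink
    place p with •p = {t}, p• = ∅ and set L_C(p) = C(t), so the v(t) term
    becomes a marking term.  (The initial marking mu_0C(p) = v_0(t) is omitted.)"""
    nt = len(net.transitions)
    dm, dp, l_c = _copy(net.dminus), _copy(net.dplus), list(con.l)
    for j, t in enumerate(net.transitions):
        if con.c[j] != 0 or t in ts_c:
            dm.append([0] * nt)                                  # p• = ∅
            dp.append([1 if k == j else 0 for k in range(nt)])   # •p = {t}
            l_c.append(con.c[j])
    places = net.places + [f"p{i + 1}" for i in range(len(net.places), len(dm))]
    return Net(places, list(net.transitions), dm, dp), Constraint(l_c, list(con.h), [0] * nt, con.b)


def c_inverse(net, net_c, con_c):
    """C^-1-transformation: the coefficient of each added place p goes back to C(., •p)."""
    n_p, nt = len(net.places), len(net.transitions)
    c = [0] * nt
    for i in range(n_p, len(net_c.places)):
        (j,) = [k for k in range(nt) if net_c.dplus[i][k]]       # the unique t with •p = {t}
        c[j] = con_c.l[i]
    return Constraint(con_c.l[:n_p], list(con_c.h), c, con_c.b)


def h_transform(net, con, ts_h=()):
    """H-transformation: split each t_i with H(.,t_i) != 0 or t_i in Ts_H into
    t_i -> p_k -> t_j (Figure 3.11) and set L_H(p_k) = H_d(t_i) + L D^-(.,t_i),
    with H_d(t_i) = max(L D(.,t_i), H(t_i), 0)."""
    n_p0 = len(net.places)
    dm, dp, l_h = _copy(net.dminus), _copy(net.dplus), list(con.l)
    trans = list(net.transitions)
    for i, t in enumerate(net.transitions):
        if con.h[i] == 0 and t not in ts_h:
            continue
        ld = _col_dot(con.l, net.dplus, i) - _col_dot(con.l, net.dminus, i)   # L D(., t_i)
        h_d = max(ld, con.h[i], 0)
        l_h.append(h_d + _col_dot(con.l, net.dminus, i))                      # (3.38)
        trans.append(f"t{len(trans) + 1}")                                    # the new t_j
        for p in range(len(dm)):
            dm[p].append(0)                                     # (3.43): t_j consumes only from p_k
            dp[p].append(net.dplus[p][i] if p < n_p0 else 0)    # (3.44): t_j inherits the outputs of t_i
            if p < n_p0:
                dp[p][i] = 0                                    # (3.42): t_i now feeds only p_k
        dm.append([1 if k == len(trans) - 1 else 0 for k in range(len(trans))])  # p_k• = {t_j}
        dp.append([1 if k == i else 0 for k in range(len(trans))])              # •p_k = {t_i}
    places = net.places + [f"p{i + 1}" for i in range(n_p0, len(dm))]
    return Net(places, trans, dm, dp), Constraint(l_h, [0] * len(trans), [0] * len(trans), con.b)


def h_inverse(net, net_h, con_h):
    """H^-1-transformation: H(., t_i) = L_H(., p_k) - L_H D_H^-(., t_i) for each added p_k, •p_k = {t_i}."""
    n_p, nt = len(net.places), len(net.transitions)
    h = [0] * nt
    for k in range(n_p, len(net_h.places)):
        (i,) = [j for j in range(nt) if net_h.dplus[k][j]]
        h[i] = con_h.l[k] - _col_dot(con_h.l, net_h.dminus, i)
    return Constraint(con_h.l[:n_p], h, [0] * nt, con_h.b)


def satisfies_347(net, net_h, con_h):
    """Condition (3.47): for every added place p, L_H(p) >= L_H D_H^+(., p•) and L_H(p) >= L_H D_H^-(., •p)."""
    for k in range(len(net.places), len(net_h.places)):
        (t_in,) = [j for j, x in enumerate(net_h.dplus[k]) if x]    # •p
        (t_out,) = [j for j, x in enumerate(net_h.dminus[k]) if x]  # p•
        if con_h.l[k] < _col_dot(con_h.l, net_h.dplus, t_out):
            return False
        if con_h.l[k] < _col_dot(con_h.l, net_h.dminus, t_in):
            return False
    return True


def example_c():
    """Figure 3.9(a) with assumed arcs p1->t1->p2->t2->p3->t3->p1 and constraint (3.32)."""
    net = Net(["p1", "p2", "p3"], ["t1", "t2", "t3"],
              [[1, 0, 0], [0, 1, 0], [0, 0, 1]], [[0, 0, 1], [1, 0, 0], [0, 1, 0]])
    con = Constraint([1, 0, 0], [1, 0, 0], [0, 1, -1], 3)   # mu1 + q1 + v2 - v3 <= 3
    net_c, con_c = c_transform(net, con)                    # expected (3.33): mu1 + q1 + mu4 - mu5 <= 3
    return net_c, con_c, c_inverse(net, net_c, con_c)


def example_h():
    """Figure 3.10(a) with assumed arcs t1: p1->p2, t2: p2->p3, t3: p1,p3->p4, t4: p4->p1,
    t5: p4->p3 and constraint (3.36) mu1 + mu2 + 2mu3 + q3 <= 5."""
    dm = [[0] * 5 for _ in range(4)]
    dp = [[0] * 5 for _ in range(4)]
    dm[0][0], dp[1][0] = 1, 1                      # t1
    dm[1][1], dp[2][1] = 1, 1                      # t2
    dm[0][2], dm[2][2], dp[3][2] = 1, 1, 1         # t3: l D^-(., t3) = 1 + 2 = 3
    dm[3][3], dp[0][3] = 1, 1                      # t4
    dm[3][4], dp[2][4] = 1, 1                      # t5
    net = Net(["p1", "p2", "p3", "p4"], ["t1", "t2", "t3", "t4", "t5"], dm, dp)
    con = Constraint([1, 1, 2, 0], [0, 0, 1, 0, 0], [0] * 5, 5)
    net_h, con_h = h_transform(net, con)          # expected (3.37): mu1 + mu2 + 2mu3 + 4mu5 <= 5
    return net_h, con_h, h_inverse(net, net_h, con_h), satisfies_347(net, net_h, con_h)
```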

Note several properties of the H- and $H^{-1}$-transformations. To simplify our notation, assume single constraints $l\mu + hq \le b$ and $l_H\mu_H \le b$. Then, note that if $l_H\mu_H \le b$ is the H-transformation of $l\mu + hq \le b$:
$$l_H(p) = \begin{cases} l(p) & \text{if } p \in P \\ h_d(\bullet p) + lD^-(\cdot, \bullet p) & \text{if } p \in P_H \setminus P \end{cases} \qquad (3.38)$$

In addition, the relation between $N_H$ and $N$ is such that
$$\forall t \in T \setminus \bullet(P_H \setminus P):\quad D_H^-(p,t) = \begin{cases} D^-(p,t) & \text{for } p \in P \\ 0 & \text{for } p \in P_H \setminus P \end{cases} \qquad (3.39)$$
$$D_H^+(p,t) = \begin{cases} D^+(p,t) & \text{for } p \in P \\ 0 & \text{for } p \in P_H \setminus P \end{cases} \qquad (3.40)$$
$$\forall t \in T \cap \bullet(P_H \setminus P):\quad D_H^-(p,t) = \begin{cases} D^-(p,t) & \text{for } p \in P \\ 0 & \text{for } p \in P_H \setminus P \end{cases} \qquad (3.41)$$
$$D_H^+(p,t) = \begin{cases} 0 & \text{for } p \notin (P_H \setminus P) \cap t\bullet \\ 1 & \text{for } p = (P_H \setminus P) \cap t\bullet \end{cases} \qquad (3.42)$$
$$\forall t \in T_H \setminus T:\quad D_H^-(p,t) = \begin{cases} 0 & \text{for } p \ne \bullet t \\ 1 & \text{for } p = \bullet t \end{cases} \qquad (3.43)$$
$$D_H^+(p,t) = \begin{cases} D^+(p, \bullet\bullet t) & \text{for } p \in P \\ 0 & \text{for } p \notin P \end{cases} \qquad (3.44)$$

Furthermore, if $l\mu + hq \le b$ is the $H^{-1}$-transformation of $l_H\mu_H \le b$
$$l(p) = l_H(p) \quad \forall p \in P \qquad (3.45)$$
$$h(t) = \begin{cases} l_H(p) - l_H D_H^-(\cdot,t) & \text{if } t\bullet \cap (P_H \setminus P) = p \\ 0 & \text{if } t\bullet \cap (P_H \setminus P) = \emptyset \end{cases} \qquad (3.46)$$

Before giving the equivalent of the Lemma 3.7 for the H-transformation, the notion of admissibility is redefined for the constraints $L_H\mu_H \le b$ in terms of the H-transformed net $N_H$.

Definition 3.8 Admissibility for Constraints on NH

Given a set of constraints $L_H\mu_H \le b$ on $(N_H, \mu_{H0})$, consider the construction of section 3.7.2. The set of constraints (3.3) is admissible if for all reachable states $\mu$ of the closed-loop net it is true that:

1. If $t$ is uncontrollable and $\mu|_N$ enables $t$ in $N$, then $\mu$ enables $t$ in the closed-loop net.

2. If $t \in T \setminus \bullet(P_H \setminus P)$ is unobservable and $\mu$ enables $t$, then $D_c^+(\cdot,t) = D_c^-(\cdot,t)$; if $t \in T \cap \bullet(P_H \setminus P)$ is unobservable and $\mu$ enables $t$, then $D_c^+(\cdot, t\bullet\bullet) = D_c^-(\cdot,t)$.

Note that compared to Definition 3.5, the definition above relaxes the observability requirement in $N_H$. For instance, in the situation of Figure 3.11(a) we would have just $D_c^+(\cdot,t_j) = D_c^-(\cdot,t_i)$ instead of $D_c^+(\cdot,t_i) = D_c^-(\cdot,t_i)$ and $D_c^+(\cdot,t_j) = D_c^-(\cdot,t_j)$.

Lemma 3.9

Consider the notation of the H-transformation. We have that:

1. $L\mu + Hq \le b$ is admissible in $(N, \mu_0)$ if $L_H\mu_H \le b$ is admissible in $(N_H, \mu_{0H})$.

2. Let $L_1\mu + H_1 q \le b_1$ be a set of constraints in $N$, and $L_{H1}\mu_H \le b_1$ the corresponding constraints in the H-transformed net $N_H$. Let $L_{H2}\mu_H \le b_2$ be a set of admissible constraints in $(N_H, \mu_{0H})$ and $L_2\mu + H_2 q \le b_2$ be the $H^{-1}$-transformation of $L_{H2}\mu_H \le b_2$. Let $\Xi_H$ be a supervisor optimally enforcing $L_{H2}\mu_H \le b_2$ in $(N_H, \mu_{0H})$, and $\Xi$ a supervisor optimally enforcing $L_2\mu + H_2 q \le b_2$ in $(N, \mu_0)$. Then
$$(\forall(\mu_H, v_H) \in R(N_H, \mu_{0H}, \Xi_H):\ L_{H1}\mu_H \le b_1) \Rightarrow (\forall(\mu, v) \in R(N, \mu_0, \Xi):\ L_1\mu + H_1 q \le b_1).$$

Proof: First, we introduce the following notation. If a transition $t_i$ is split in the H-transformation as in Figure 3.11, let $\sigma_H(t_i)$ be the firing sequence $t_i t_j$. If a transition $t_i$ is not split, let $\sigma_H(t_i)$ equal $t_i$. Further, we also use $\sigma_H$ for firing vectors: $\sigma_H(q) = q_H q'_H$, where $q_H(t_i) = q'_H(t_j) = q(t_i)$ for a transition $t_i$ split in $t_i$ and $t_j$, $q_H(t_i) = q(t_i)$ for a transition $t_i$ that is not split, $q'_H(t_i) = 0$ $\forall t_i \in T$ and $q_H(t_j) = 0$ $\forall t_j \in T_H \setminus T$. If $\sigma = q_1 q_2 \ldots$ is a firing sequence in $N$, let $\sigma_H(\sigma) = \sigma_H(q_1)\sigma_H(q_2)\ldots$.

1. The proof is by contradiction. Assume that $L\mu + Hq \le b$ is not admissible. Let $\Xi$ be the supervisor of $(N, \mu_0)$ in Definition 3.5. Similarly, let $\Xi_H$ be the supervisor of $(N_H, \mu_{0H})$ in Definition 3.8. Then there is a (possibly empty) sequence $\sigma = q_1 q_2 \ldots q_k$ in $(N, \mu_0, \Xi)$ such that $\mu_0 \xrightarrow{q_1} \mu_1 \xrightarrow{q_2} \mu_2 \ldots \xrightarrow{q_k} \mu_k$, $\mu_k$ does not satisfy the requirements 1 and/or 2 of Definition 3.5, but all of $\mu_0 \ldots \mu_{k-1}$ satisfy them. Then it can be seen that in $(N_H, \mu_{0H}, \Xi_H)$ we have that $\mu_{0H} \xrightarrow{\sigma_H(\sigma)} \mu_{kH}$, where $\mu_{kH}(p) = 0$ $\forall p \in P_H \setminus P$ and $\mu_k = \mu_{kH}|_N$.

Case 1: $\mu_k$ does not satisfy the requirement 1 of Definition 3.5. Then there is an uncontrollable transition $t_i$ of $N$ such that at the marking $\mu_k$ we have that $t_i$ is disabled by $\Xi$ and $t_i$ is enabled in the plant $N$. Let $\mu_{k+1}$ and $\mu_{k+1,H}$ be the markings obtained by firing $t_i$ and $\sigma_H(t_i)$ in the plants $N$ and $N_H$, respectively. Note that $L\mu_k = L_H\mu_{kH}$ and $L\mu_{k+1} = L_H\mu_{k+1,H}$. We have two possibilities: (a) $\sigma_H(t_i) = t_i$; (b) $\sigma_H(t_i) = t_i t_j$. In case (a), $L\mu_{k+1} \not\le b$, so $L_H\mu_{k+1,H} \not\le b$. Therefore $\Xi_H$ has to disable the uncontrollable transition $t_i$, which is a contradiction, since $L_H\mu_H \le b$ is admissible. In case (b), let $\mu'_{kH}$ be the marking of $N_H$ such that $\mu_{kH} \xrightarrow{t_i} \mu'_{kH}$. We have that either (i) $L\mu_k + Hq^{(i)} \not\le b$ or (ii) $L\mu_{k+1} \not\le b$, where $q^{(i)}$ is the firing vector associated to a single firing of $t_i$. Note that $L_H\mu'_{kH} = L\mu_k + H_d q^{(i)}$. (This can be seen either by inspecting Figure 3.11(a) or algebraically from $\mu'_{kH} = \mu_{kH} + D_H q^{(i)}$, (3.38) and (3.41–3.42).) Further, $L_H\mu_{k+1,H} = L\mu_{k+1}$, and $[L\mu_k + Hq^{(i)} \not\le b \Rightarrow L\mu_k + H_d q^{(i)} \not\le b]$. It follows that in case (i) $L_H\mu'_{kH} \not\le b$ and in case (ii) $L_H\mu_{k+1,H} \not\le b$. Since $L_H\mu_{kH} \le b$, (i) implies that $\Xi_H$ must disable the uncontrollable transition $t_i$, while (ii) implies $\Xi_H$ disables either of $t_i$ and $t_j$. Since $t_j$ is also uncontrollable and $L_H\mu_H \le b$ was assumed to be admissible, we have reached a contradiction.

Case 2: $\mu_k$ does not satisfy the requirement 2 of Definition 3.5. Then there is an unobservable transition $t_i$ of $N$ such that $\mu_k$ enables $t_i$, $\Xi$ allows $t_i$ to fire, $\mu_k \xrightarrow{t_i} \mu_{k+1}$, and $L\mu_k \ne L\mu_{k+1}$. So $\Xi_H$ and $\mu_{kH}$ allow $t_i$ to fire in $N_H$. The following shows that this contradicts the second admissibility requirement of Definition 3.8. First, note that $L\mu_k - L\mu_{k+1} = LD(\cdot,t_i)$, and so $LD(\cdot,t_i) \ne 0$. There are two cases: $\sigma_H(t_i) = t_i$ and $\sigma_H(t_i) = t_i t_j$. If $\sigma_H(t_i) = t_i$, we check that $D_c^+(\cdot,t_i) - D_c^-(\cdot,t_i) \ne 0$ in Definition 3.8. Indeed, by (3.20–3.21), $D_c^+(\cdot,t_i) - D_c^-(\cdot,t_i) = \max(0, -L_H D_H(\cdot,t_i)) - \max(0, L_H D_H(\cdot,t_i))$, so $D_c^+(\cdot,t_i) - D_c^-(\cdot,t_i) = -L_H D_H(\cdot,t_i)$. Then, by (3.38–3.40) $D_c^+(\cdot,t_i) - D_c^-(\cdot,t_i) = -LD(\cdot,t_i) \ne 0$. If $\sigma_H(t_i) = t_i t_j$, we check that $D_c^+(\cdot,t_j) - D_c^-(\cdot,t_i) \ne 0$. Indeed, by (3.38) and (3.43–3.44), $L_H D_H(\cdot,t_j) = LD(\cdot,t_i) - H_d(\cdot,t_i) \le 0$. Also, by (3.38) and (3.41–3.42) $L_H D_H(\cdot,t_i) = H_d(\cdot,t_i) \ge 0$. As $D_c^+(\cdot,t_j) - D_c^-(\cdot,t_i) = \max(0, -L_H D_H(\cdot,t_j)) - \max(0, L_H D_H(\cdot,t_i))$, we get $D_c^+(\cdot,t_j) - D_c^-(\cdot,t_i) = -LD(\cdot,t_i) \ne 0$. This shows that part 2 of Definition 3.8 is not satisfied, contradicting the admissibility of $L_H\mu_H \le b$.

2. The proof is by contradiction. So we assume that $\Xi_H$ enforces $L_{H1}\mu_H \le b_1$ and $\Xi$ does not enforce $L_1\mu + H_1 q \le b_1$. Then there is a (possibly empty) sequence $\sigma = q_1 q_2 \ldots q_k$ in $(N, \mu_0, \Xi)$ such that $\mu_0 \xrightarrow{q_1} \mu_1 \xrightarrow{q_2} \mu_2 \ldots \xrightarrow{q_k} \mu_k$, and $\mu_k$ is the only one of $\mu_0 \ldots \mu_k$ such that $L_1\mu_k \not\le b_1$ and/or $L_1\mu_k + H_1 q \not\le b_1$ for some $q$ enabled at $\mu_k$ and allowed by $\Xi$ to fire. Note that $\sigma_H(\sigma)$ is enabled by $\mu_{0H}$ in $(N_H, \mu_{0H}, \Xi_H)$. Using the notations from part 1, we have that $L_{H1}\mu_{kH} \not\le b_1$, and/or $L_{H1}\mu'_{kH} \not\le b_1$, since $L_{H1}\mu'_{kH} = L_1\mu_k + H_{1d} q$. Both are contradictions. □

In the following developments, it will be useful to guarantee that the successive application of the $H^{-1}$- and H-transformations to a set of constraints $L_H\mu_H \le b$ produces the same set of constraints $L_H\mu_H \le b$. To this end, the sets of constraints $L_H\mu_H \le b$ will be constrained to satisfy
$$\forall p \in P_H \setminus P:\quad \begin{cases} L_H(\cdot,p) \ge L_H D_H^+(\cdot, p\bullet) \\ L_H(\cdot,p) \ge L_H D_H^-(\cdot, \bullet p) \end{cases} \qquad (3.47)$$

The following theorem summarizes the properties of (3.47).

Theorem 3.10

(a) The H-transformation of any set of constraints (3.2) satisfies (3.47).

(b) Given an H-transformed net $N_H$ and a set of constraints $L_H\mu_H \le b$, let (3.2) denote the $H^{-1}$-transformation of $L_H\mu_H \le b$ and let $L'_H\mu'_H \le b$ and $N'_H$ denote the H-transformation of (3.2). If $L_H$ satisfies (3.47) and the H-transformation generating $L'_H\mu'_H \le b$ has the parameter $T_{s,H} = \bullet(P_H \setminus P)$, then $N_H$ and $N'_H$ are identical, and $L_H = L'_H$.

Proof: (a) By definition, $H_d(\cdot, \bullet p) = \max(0, LD(\cdot, \bullet p), H(\cdot, \bullet p))$ $\forall p \in P_H \setminus P$. Further, by (3.41) and (3.44), $LD(\cdot, \bullet p) = L_H D_H^+(\cdot, p\bullet) - L_H D_H^-(\cdot, \bullet p)$ and $LD^-(\cdot, \bullet p) = L_H D_H^-(\cdot, \bullet p)$. Substituting $H_d$, $LD$, and $LD^-$ in $\forall p \in P_H \setminus P$: $L_H(\cdot,p) = H_d(\cdot, \bullet p) + LD^-(\cdot, \bullet p)$, where this expression is true by (3.38), we get (3.47).

(b) By definition, $H_d(\cdot,t) = \max(LD(\cdot,t), H(\cdot,t), 0)$ for $t \in T_{s,H} \cup \{t : H(\cdot,t) > 0\}$ and $H_d(\cdot,t) = 0$ otherwise. In view of $LD(\cdot,t) = L_H D_H^+(\cdot, t\bullet\bullet) - L_H D_H^-(\cdot,t)$, $H(\cdot,t) = L_H(\cdot, t\bullet) - L_H D_H^-(\cdot,t)$ (by (3.46)), and (3.47), we obtain $H_d(\cdot,t) = H(\cdot,t)$ for $t \in T_{s,H} \cup \{t : H(\cdot,t) \ne 0\}$ and $H_d(\cdot,t) = 0$ otherwise, i.e., $H_d = H$. Then, by (3.47) and (3.38) we get $L'_H(\cdot,p) = L_H(\cdot,p)$ $\forall p \in P'_H$. Note that $H_d = H \Rightarrow P'_H \subseteq P_H$; $P'_H = P_H$ is guaranteed by $T_{s,H} = \bullet(P_H \setminus P)$. □

Given a Petri net (N ,Tuc,Tuo), the constraints (3.3), and optionally the initial marking µ0, the following algorithm can be used for the supervisor design.

Algorithm 3.11

1. Apply the C-transformation and then the H-transformation. Let $(N_{HC}, T_{HC,uc}, T_{HC,uo})$, $L_{HC}\mu_{HC} \le b$, and $\mu_{HC0}$ be the transformed net, constraints, and initial marking.

2. Find admissible constraints $L_{HCa}\mu_{HC} \le b_a$ that satisfy (3.47) such that $\forall \mu_{HC}$: $L_{HCa}\mu_{HC} \le b_a \Rightarrow L_{HC}\mu_{HC} \le b$. If such admissible constraints could not be found, declare failure and exit.

3. Apply to $L_{HCa}\mu_{HC} \le b_a$ the $H^{-1}$-transformation and then the $C^{-1}$-transformation. Let $L_a\mu + H_a q + C_a v \le b_a$ be the result.

Theorem 3.12 Correctness of Supervisor Design

The set of constraints Laµ + Haq + Cav ≤ ba is admissible, and any supervisor enforcing it enforces also Lµ + Hq + Cv ≤ b.

Proof: The proof is an immediate consequence of Theorem 3.10(b) and Lemmas 3.7 and 3.9. □

In view of Theorem 3.12, a supervisor enforcing Lµ + Hq + Cv ≤ b is the supervisor of Laµ + Haq + Cav ≤ ba constructed as in section 3.7.2. Note that at step 2 of the previous algorithm, approaches generating disjunctive constraints can also be used, by applying step 3 to each component of the disjunction. In fact, any method of transformation to admissible constraints can be used. In section 3.7.6 step 2 will be customized for the use of methods that test the admissibility of a set of constraints Lµ ≤ b with the sufficient conditions LDuc ≤ 0 and LDuo = 0, such as the methods of [124, 125, 164]. (Duc and Duo are the restrictions of the incidence matrix to the uncontrollable and unobservable transitions, respectively.) It will be shown there that this transformation approach is optimal with respect to these admissibility conditions. However, it is known that these admissibility conditions are only sufficient, not necessary. Therefore, overall the approach is suboptimal, as it trades off optimality for simplified computation.

[Figure 3.12. Plant Petri net in the example: places p1 to p8 and transitions t1 to t16, with the restricted access area marked.]

3.7.5 Example

Consider the plant Petri net of Figure 3.12. Here we assume the framework without concurrency (i.e. no transitions fire at the same time). The example corresponds to a region of a factory cell in which autonomous vehicles (AV) access a restricted area (RA). The number of AVs which may be at the same time in the RA is limited. The AVs enter the RA from two directions: left and right; AVs coming on the left side enter via t4 or t13, and AVs coming on the right side via t5 or t14. The AVs exit the restricted area via t9 or t10. The total marking of p1, p2 and p7 corresponds to the number of left AVs waiting in line to enter the RA; only one AV should be in the states p2 and p7, that is µ2 + µ7 ≤ 1. The marking of p3, p4, and p8 has a similar meaning.

[Figure 3.13. Closed-loop Petri net: the plant of Figure 3.12 with the control places C1 to C9 added.]

Let m be the maximum number of AVs which can be at the same time in the RA; note that the number of AVs in the RA is v13 + v14 + v4 + v5 − v9 − v10. When the number of vehicles in the restricted area is m − 1 and both a left and a right AV attempt to enter the restricted area (i.e. both µ2 + µ7 = 1 and µ3 + µ8 = 1), arbitration is required. When an AV is in p2 and no arbitration is required, it can enter the RA without stopping. When arbitration is required, it stops (enters the state p7) and waits for the arbitration result. The same applies to p3 and p8. We desire the following. When an AV enters the RA, if an arbitration was required to decide that it may enter, the AV should enter via t13 or t14; if no arbitration was required, it should enter via t4 or t5. These constraints can be written as follows:

2q5 + µ2 + µ7 ≤ m − (v13 + v14 + v4 + v5 − v9 − v10) + 1 (3.48)

2q4 + µ3 + µ8 ≤ m − (v13 + v14 + v4 + v5 − v9 − v10) + 1 (3.49)

mq3 ≤ µ3 + µ8 + v13 + v14 + v4 + v5 − v9 − v10 (3.50)

mq6 ≤ µ2 + µ7 + v13 + v14 + v4 + v5 − v9 − v10 (3.51)

In addition we have the requirements that

µ2 + µ7 ≤ 1 (3.52)

µ3 + µ8 ≤ 1 (3.53)

The requirement on the maximum number of AVs in the RA is

v13 + v14 + v4 + v5 − v9 − v10 ≤ m (3.54)

We add the fairness constraints

v3 − v6 ≤ n (3.55)

−v3 + v6 ≤ n (3.56)

As t1,t8,t9,t10 are uncontrollable and t9,t10 unobservable, the constraints (3.48−3.51) and (3.54) are inadmissible. However, they can be transformed to the admissible constraints

2q5 + µ2 + µ5 + µ6 + µ7 + v13 + v14 + v4 + v5 − v9 − v10 ≤ m + 1 (3.57)

2q4 + µ3 + µ5 + µ6 + µ8 + v13 + v14 + v4 + v5 − v9 − v10 ≤ m + 1 (3.58)

mq3 − µ3 − µ8 − µ5 − µ6 − (v13 + v14 + v4 + v5 − v9 − v10) ≤ 0 (3.59)

mq6 − µ2 − µ7 − µ5 − µ6 − (v13 + v14 + v4 + v5 − v9 − v10) ≤ 0 (3.60)

v13 + v14 + v4 + v5 − v9 − v10 + µ5 + µ6 ≤ m (3.61)

Note that the constraints (3.50) and (3.51) cannot be transformed by any method to admissible constraints that are at least as restrictive as (3.50) and (3.51). This is due to the fact that the Petri net model does not relate in any way the firings of the transitions t9 and t10 with the firings of the transitions t4, t5, t13 and t14. Thus (3.59) and (3.60) are admissible relaxations of the constraints (3.50) and (3.51).

The closed-loop Petri net is shown next to the plant in Figure 3.13, where the control places C1 ...C9 correspond to the constraints (3.57), (3.58), (3.59), (3.60),

(3.52), (3.53), (3.61), (3.55), and (3.56), in this order.

3.7.6 An Optimal Structural Approach

Here, the Algorithm 3.11 is specialized for the use of the admissibility conditions LDuc ≤ 0 and LDuo = 0 for the design of the admissible constraints LHCaµHC ≤ ba. (Duc and Duo are the restrictions of the incidence matrix to the uncontrollable and unobservable transitions, respectively.) Specifically, (3.30) is proposed to check the admissibility of (3.3), and the admissibility constraints

LHCaA ≤ 0, LHCaB = 0 (3.62)

are proposed for the design of the constraints LHCaµHC ≤ ba. A and B are obtained as follows. Let DHC,uc and DHC,uo be the restriction of the incidence matrix DHC of

NHC to the sets of uncontrollable and unobservable transitions, respectively. Then, the admissibility test

LHCaDHC,uc ≤ 0andLHCaDHC,uo = 0 (3.63)

is changed to account for the situation of Figure 3.11(b), in which a control place could be connected through a self-loop to an unobservable but controllable transition ti ∈ T. The change is that we replace LHCaDHC(·,ti) = 0 and LHCaDHC(·,tj) = 0 with the less restrictive LDHC(·,ti) + LDHC(·,tj) = 0. We let (3.62) denote the constraints (3.63) after performing this change for all ti ∈ Tuo \ Tuc. Constraints LHCaµHC ≤ ba that satisfy (3.62) can be obtained using methods from [124, 125, 164].

The next results show that the conditions (3.62) are the correspondent of the admissibility test (3.30) on constraints (3.3) on N.

Theorem 3.13

(a) If the constraints (3.3) satisfy the admissibility condition (3.30), then the H- and C-transformed constraints LHCµHC ≤ b satisfy LHCA ≤ 0 and LHCB = 0.

(b) If LHCµHC ≤ b satisfy LHCA ≤ 0 and LHCB = 0, then the $C^{-1}$- and $H^{-1}$-transformed constraints (3.3) satisfy the admissibility condition (3.30).

Proof: The proof is a consequence of Lemma 3.15 and Lemma 3.16, presented next. □

Corollary 3.14

The constraints (3.3) satisfy the admissibility condition (3.30) if and only if the H- and C-transformed constraints LHCµHC ≤ b satisfy LHCA ≤ 0 and LHCB = 0.

Proof: Only the "if" part is not explicitly stated in the statement of Theorem 3.13. It can be shown that the inverse H- and C-transformation of LHCµHC ≤ b is $L\mu + H_d q + Cv \le b$. Then, by Theorem 3.13(b), $L\mu + H_d q + Cv \le b$ satisfies (3.30). Finally, by (3.18–3.21), it follows that (3.3) also satisfies (3.30). □

Lemma 3.15

(a) If (3.3) satisfy (3.30), then the C-transformed constraints $L_C\mu_C + Hq \le b$ satisfy (3.30).

(b) If $L_C\mu_C + Hq \le b$ satisfy (3.30), then the $C^{-1}$-transformed constraints (3.3) satisfy (3.30).

Proof: In view of the $C/C^{-1}$-transformation: $L_C(p) = L(p)$ $\forall p \in P_C \cap P$ and $L_C(p) = C(\bullet p)$ $\forall p \in P_C \setminus P$. Further, $D_C(p,t) = D(p,t)$ if $p \in P_C \cap P$, $D_C(p,t) = 0$ if $p \in P_C \setminus P$ and $\bullet p \ne t$, and $D_C(p,t) = 1$ if $p \in P_C \setminus P$ and $\bullet p = t$. This implies that $LD + C = L_C D_C$. Therefore, in view of (3.18–3.21), the conclusions follow. □

Lemma 3.16

(a) If the constraints (3.2) satisfy (3.30), then the H-transformed constraints $L_H\mu_H \le b$ satisfy $L_H A \le 0$ and $L_H B = 0$.

(b) If $L_H\mu_H \le b$ satisfy $L_H A \le 0$ and $L_H B = 0$, then the $H^{-1}$-transformed constraints (3.2) satisfy (3.30).

Proof: To simplify the notation, the result is proved for single constraints $l\mu + hq \le b$. The proof for sets of constraints (3.2) is identical, once $l$, $h$, $l(p)$ and $h(t)$ are replaced by $L$, $H$, $L(\cdot,p)$ and $H(\cdot,t)$. Let $T_s \subseteq T$ be the set of transitions split by the H-transformation. For instance, in Figure 3.11(a), $t_i \in T_s$, $t_j \notin T_s$ but $t_j \in T_s\bullet\bullet$. Note that $T_s = \bullet(P_H \setminus P)$. Note also that throughout the proof the preset/postset operator $\bullet$ is taken with respect to the H-transformed net.

(a) Each constraint of $L_H A \le 0$ and $L_H B = 0$ corresponds to a transition $t$ of $N_H$ that is uncontrollable and/or unobservable. Thus, for $t \in T_{H,uc}$ we have to check that $L_H D_H(\cdot,t) \le 0$. For $t \in T_{H,uo} \cap T_{H,uc}$ we check that $L_H D_H(\cdot,t) = 0$. Finally, for $t \in T_{H,uo} \setminus T_{H,uc}$ we check that $L_H D_H(\cdot,t_i) + L_H D_H(\cdot,t_j) = 0$, where $t_i = t$ and $t_j = t\bullet\bullet$ if $t \in T$, and $t_i = \bullet\bullet t$ and $t_j = t$ if $t \notin T$.

Case A.1.a, $t \in (T_{H,uc} \cap T_{uc}) \setminus T_s$: From (3.38), (3.39), and (3.40), $l_H D_H(\cdot,t) = lD(\cdot,t)$. By $t \in T_{uc}$ and (3.30), $D_c^-(\cdot,t) = 0$. Then, by (3.21), $lD(\cdot,t) \le 0$, and so $l_H D_H(\cdot,t) \le 0$.

Case A.1.b, $t \in T_{H,uc} \cap T_{uc} \cap T_s$: Let $p = t\bullet$. By (3.38), $l_H(p) = h_d(t) + lD^-(\cdot,t)$. Then, by (3.38), (3.41) and (3.42) $l_H D_H(\cdot,t) = h_d(t)$. By (3.30), $D_c^-(\cdot,t) = 0$, so $h_d(t) = 0$ and $l_H D_H(\cdot,t) = 0 \le 0$.

Case A.1.c, $t \in T_{H,uc} \setminus T_{uc}$: Let $t' = \bullet\bullet t$. In view of the H-transformation, $t' \in T_{H,uc} \cap T_{uc} \cap T_s$, and so, by case A.1.b, $h_d(t') = 0$. By (3.38) and (3.44), $l_H D_H^+(\cdot,t) = lD^+(\cdot,t')$. By (3.38) and (3.43), $l_H D_H^-(\cdot,t) = h_d(t') + lD^-(\cdot,t')$. So $l_H D_H(\cdot,t) = lD(\cdot,t')$. Then, by $t' \in T_{uc}$ and (3.30) we get $lD(\cdot,t') \le 0$.

Case A.2.a, $t \in (T_{H,uo} \cap T_{uo}) \setminus T_s$: From (3.38), (3.39), and (3.40), $l_H D_H(\cdot,t) = lD(\cdot,t)$. By $t \in T_{uo}$ and (3.30), $D_c^-(\cdot,t) = D_c^+(\cdot,t)$. Then, by (3.18–3.21), $lD(\cdot,t) = 0$. Therefore, $l_H D_H(\cdot,t) = 0$.

Case A.2.b, $t \in T_{H,uo} \cap T_{H,uc} \cap T_{uo} \cap T_s$: As in case A.1.b, $l_H D_H(\cdot,t) = 0$.

Case A.2.c, $t \in (T_{H,uo} \cap T_{H,uc}) \setminus T_{uo}$: Let $t' = \bullet\bullet t$. As in case A.1.b, $t' \in T_{uc} \Rightarrow h_d(t') = 0$. Then, as in case A.1.c, $l_H D_H(\cdot,t) = lD(\cdot,t') - h_d(t')$. From $t' \in T_{uo}$, (3.30), (3.18–3.21) and $h_d(t') = 0$ we derive $lD(\cdot,t') = 0$. So $l_H D_H(\cdot,t) = 0$.

Case A.3, $t \in (T_{H,uo} \setminus T_{H,uc}) \cap (T_s \cup T_s\bullet\bullet)$: (Note that the other transitions $t \in (T_{H,uo} \setminus T_{H,uc})$ have been included in the case A.2.a.) If $t \in T_{uo}$, let $t_i = t$ and $t_j = t\bullet\bullet$. Otherwise, if $t \notin T_{uo}$, let $t_j = t$ and $t_i = \bullet\bullet t$. As before, we have $l_H D_H(\cdot,t_i) = h_d(t_i)$ and $l_H D_H(\cdot,t_j) = lD(\cdot,t_i) - h_d(t_i)$. So, $l_H D_H(\cdot,t_i) + l_H D_H(\cdot,t_j) = lD(\cdot,t_i)$. Then, it can be checked that $t_i \in T_{uo}$, (3.30), and (3.18–3.21) imply $lD(\cdot,t_i) = 0$.

(b) Here we are to check that (3.2) satisfies (3.30), that is, that for all $t \in T_{uc}$: $D_c^-(\cdot,t) = 0$ and for all $t \in T_{uo}$: $D_c^-(\cdot,t) = D_c^+(\cdot,t)$.

Case B.1.a, $t \in T_{uc} \setminus T_s$: Then $t \in T_{H,uc}$ and so $l_H D_H(\cdot,t) \le 0$. By (3.46), $h(t) = 0$ and by (3.45), (3.39) and (3.40) $l_H D_H(\cdot,t) = lD(\cdot,t)$. So, in view of (3.21), $D_c^-(\cdot,t) = 0$.

Case B.1.b, $t \in T_{uc} \cap T_s$: Let $t' \in T_H \setminus T$ be the transition such that $t' = t\bullet\bullet$. In view of the H-transformation $t, t' \in T_{H,uc}$. Then $l_H D_H(\cdot,t) \le 0$ and $l_H D_H(\cdot,t') \le 0$. By (3.41), (3.42) and (3.46), $l_H D_H(\cdot,t) = h(t)$; so, $h(t) \le 0$. By (3.43) and (3.44), $l_H D_H(\cdot,t') = lD^+(\cdot,t) - l_H(t\bullet)$; so $lD^+(\cdot,t) \le l_H(t\bullet)$. By subtracting $lD^-(\cdot,t)$ from both sides and by (3.46), we get $lD(\cdot,t) \le h(t)$. Since $h(t) \le 0$, $D_c^-(\cdot,t) = 0$ follows from (3.21).

Case B.2.a, $t \in (T_{uo} \cap T_{uc}) \setminus T_s$: Then $l_H D_H(\cdot,t) = 0$. By (3.46), $h(t) = 0$ and by (3.45), (3.39) and (3.40) $l_H D_H(\cdot,t) = lD(\cdot,t)$. So, by (3.18–3.21), $D_c^-(\cdot,t) = D_c^+(\cdot,t) = 0$.

Case B.2.b, $t \in T_{uo} \cap T_{uc} \cap T_s$: Let $t' \in T_H \setminus T$ be the transition such that $t' = t\bullet\bullet$. Then, as $t, t' \in T_{H,uc} \cap T_{H,uo}$, $l_H D_H(\cdot,t) = 0$ and $l_H D_H(\cdot,t') = 0$. By (3.41), (3.42) and (3.46), $l_H D_H(\cdot,t) = h(t)$; so, $h(t) = 0$. By (3.43) and (3.44), $l_H D_H(\cdot,t') = lD^+(\cdot,t) - l_H(t\bullet)$; so $lD^+(\cdot,t) = l_H(t\bullet)$. By subtracting $lD^-(\cdot,t)$ from both sides and by (3.46), we get $lD(\cdot,t) = h(t)$. Since $h(t) = 0$, $D_c^-(\cdot,t) = D_c^+(\cdot,t)$ follows from (3.18–3.21).

Case B.3.a, $t \in (T_{uo} \setminus T_{uc}) \setminus T_s$: The proof is identical to that in case B.2.a.

Case B.3.b, $t \in (T_{uo} \setminus T_{uc}) \cap T_s$: Let $t' \in T_H \setminus T$ be the transition such that $t' = t\bullet\bullet$. Then, as $t, t' \in T_{H,uo} \setminus T_{H,uc}$, $l_H D_H(\cdot,t) + l_H D_H(\cdot,t') = 0$. Then, by (3.41–3.44), $lD(\cdot,t) = 0$. Hence, by (3.18–3.21), $D_c^+(\cdot,t) = D_c^-(\cdot,t) = \max(0, h(t))$. □

Let $S$ be a set of constraints $L\mu + Hq + Cv \le b$ and $S'$ a set of constraints $L'\mu + H'q + C'v \le b'$. In a permissiveness comparison of $S$ and $S'$, we are concerned with entries $\mu$ and $q$ such that $\mu \ge D^- q$, i.e. $q$ is enabled by $\mu$. Furthermore, due to the way the constraints (3.3) are interpreted (see (3.23–3.25)), we do not say that $S$ is at least as restrictive as $S'$ if $(L\mu + Hq + Cv \le b \Rightarrow L'\mu + H'q + C'v \le b')$, but rather if $(L\mu + D_c^- q + Cv \le b \Rightarrow L'\mu + D_c'^- q + C'v \le b')$, where $D_c^- = \max(H, LD + C, 0)$ and $D_c'^- = \max(H', L'D + C', 0)$.

Definition 3.17 Supervisor Permissiveness

$S$ is at least as restrictive as $S'$ (or equivalently, $S'$ is at least as permissive as $S$) if for all $\mu \in \mathbb{N}^{|P|}$, $q \in \mathbb{N}^{|T|}$ and $v \in \mathbb{N}^{|T|}$ that satisfy $\mu \ge D^- q$:
$$L\mu + D_c^- q + Cv \le b \Rightarrow L'\mu + D_c'^- q + C'v \le b' \qquad (3.64)$$

$S$ is more restrictive than $S'$ (or equivalently, $S'$ is more permissive than $S$) if $S$ is at least as restrictive as $S'$ and there are $\mu \in \mathbb{N}^{|P|}$, $q \in \mathbb{N}^{|T|}$, $v \in \mathbb{N}^{|T|}$, such that $\mu \ge D^- q \wedge L\mu + D_c^- q + Cv \not\le b \wedge L'\mu + D_c'^- q + C'v \le b'$.

Remark 1: Note that for constraints of the type (3.1), (3.64) can be replaced by $(L\mu \le b \Rightarrow L'\mu \le b')$, provided we are in the no concurrency case. Obviously, (3.64) implies $(L\mu \le b \Rightarrow L'\mu \le b')$, since $D_c^- q, D_c'^- q \ge 0$. On the other hand, if $(L\mu \le b \Rightarrow L'\mu \le b')$, let $\mu_x$ and $q$ be such that $\mu_x \ge D^- q \wedge L\mu_x + D_c^- q \le b$. Then $L\mu_x \le b \Rightarrow L'\mu_x \le b'$. Let $\mu_y$ be the marking reached by firing $q$. Then $\mu_x \ge D^- q \wedge L\mu_x + D_c^- q \le b \Rightarrow L\mu_y \le b \Rightarrow L'\mu_y \le b' \Rightarrow L'\mu_x + D_c'^- q \le b'$.

Remark 2: Under the assumption that $v$ must be zero at the initialization of the system, this definition of permissiveness has the following weakness: $L\mu + D_c^- q + Cv \le b$ may not imply there is a firing sequence from some initial state $(\mu_0, 0)$ to $(\mu_n, v_n)$ such that $\mu_n = \mu$, $v_n = v$, and $L\mu_i + D_c^- q_i + Cv_i \le b$ at every intermediary step $(\mu_i, q_i, v_i)$, $i = 0 \ldots n-1$.

Next, the joint H- and C-transformations are introduced. The joint transformations allow us to compare the permissiveness of the constraints resulting from C- and H-transformations. A C-transformation is a joint C-transformation of $S$ and $S'$ if its parameter $T_{s,C}$ is fixed to some value $T_{s,C} \supseteq \{t \in T : C(\cdot,t) \ne 0 \vee C'(\cdot,t) \ne 0\}$. When $T_{s,C}$ is fixed to such a value, the same Petri net is produced by C-transforming $S$ and by C-transforming $S'$. So, the constraints resulting from the C-transformation of $S$ and $S'$ can be compared. Similarly, given a Petri net $N = (P, T, D^-, D^+)$, a joint H-transformation of $L\mu + Hq \le b$ and $L'\mu + H'q \le b'$ denotes the H-transformation with a fixed parameter $T_{s,H} \supseteq \{t \in T : H_d(\cdot,t) \ne 0 \vee H'_d(\cdot,t) \ne 0\}$.

Theorem 3.18

Let $S_{HC}$ and $S'_{HC}$ be the sets of constraints $S$ and $S'$ after joint C- and H-transformations. $S$ is at least as restrictive as $S'$ iff $S_{HC}$ is at least as restrictive as $S'_{HC}$. Furthermore, $S$ is more restrictive than $S'$ iff $S_{HC}$ is more restrictive than $S'_{HC}$.

Proof: The proof is a consequence of Lemma 3.19 and Lemma 3.20. 2

Lemma 3.19

Let $S_C$ and $S'_C$ be the sets of constraints $S$ and $S'$ after a joint C-transformation. $S$ is at least as restrictive as $S'$ iff $S_C$ is at least as restrictive as $S'_C$. Furthermore, $S$ is more restrictive than $S'$ iff $S_C$ is more restrictive than $S'_C$.

Proof: The proof is given only for the "$\Rightarrow$" direction, since the proof of the other direction is very similar. First, we prove by contradiction that $S_C$ is at least as restrictive as $S'_C$. Assuming the contrary, let $\mu_C$ and $q$ be such that $L_C\mu_C + D_c^- q \le b$ and $L'_C\mu_C + D_c'^- q \not\le b'$. Let $v$ be defined as $v(t) = 0$ for $t \notin \bullet(P_C \setminus P)$ and $v(t) = \mu_C(p)$ for $p \in P_C \setminus P$ and $\bullet p = t$. Also, let $\mu = \mu_C|_P$. Then $L\mu + D_c^- q + Cv \le b$ and $L'\mu + D_c'^- q + C'v \not\le b'$. This contradicts that $S$ is at least as restrictive as $S'$. Next we prove that $S_C$ is more restrictive than $S'_C$ if $S$ is more restrictive than $S'$. Since $S$ is more restrictive, there are $\mu$ and $v$ such that $L\mu + D_c^- q + Cv \not\le b$ and $L'\mu + D_c'^- q + C'v \le b'$. Using the substitutions $v = \mu_C|_{P_C \setminus P}$ and $\mu = \mu_C|_P$, it follows that $L_C\mu_C + D_c^- q \not\le b$ and $L'_C\mu_C + D_c'^- q \le b'$, q.e.d. □

Lemma 3.20

Let $S$ and $S'$ denote the sets of constraints $L\mu + Hq \le b$ and $L'\mu + H'q \le b'$, and let $S_H$ and $S'_H$ be the constraints obtained after a joint H-transformation. Then $S$ is at least as restrictive as $S'$ iff $S_H$ is at least as restrictive as $S'_H$. Furthermore, $S$ is more restrictive than $S'$ iff $S_H$ is more restrictive than $S'_H$.

Proof: The proof of the "only if" part shows first that $S_H$ is at least as restrictive as $S'_H$ and then that $S_H$ is more restrictive than $S'_H$ if $S$ is more restrictive than $S'$. The first part is proven by contradiction. So, assume there are $\mu^*_H$ and $q^*_H$ such that $L_H\mu^*_H + D_{c,H}^- q^*_H \le b$ and $L'_H\mu^*_H + D_{c,H}'^- q^*_H \not\le b'$. Then, $\exists q_H \le q^*_H$ such that if $\mu'_H$ is reached by firing $q_H$, we have that $L_H\mu'_H \le b$ and either $L'_H\mu^*_H \not\le b'$ or $L'_H\mu'_H \not\le b'$. In either case, there is $\mu_H$ such that $L_H\mu_H \le b$ and $L'_H\mu_H \not\le b'$. Let $\mu$ and $q$ be defined as follows: $q(t) = \mu_H(t\bullet)$ if $t \in \bullet(P_H \setminus P)$ and $q(t) = 0$ otherwise; $\mu(p) = \mu_H(p) + D^-(p,\cdot)q$ $\forall p \in P$. (Throughout the proof, the operator $\bullet$ is taken with respect to $N_H$, not $N$.) According to the H-transformation, $L(\cdot,p) = L_H(\cdot,p)$ $\forall p \in P$ and $H_d(\cdot,t) = L_H(\cdot, t\bullet) - LD^-(\cdot,t)$ $\forall t \in \bullet(P_H \setminus P)$. Then
$$L_H\mu_H = \sum_{p \in P} L_H(\cdot,p)\mu_H(p) + \sum_{p \in P_H \setminus P} L_H(\cdot,p)\mu_H(p) \Rightarrow L_H\mu_H = L\mu - LD^- q + \sum_{t \in \bullet(P_H \setminus P)} L_H(\cdot, t\bullet)\mu_H(t\bullet) \Rightarrow L_H\mu_H = L\mu + H_d q.$$
By definition, $H_d(\cdot,t) = D_c^-(\cdot,t)$ $\forall t \in \bullet(P_H \setminus P)$. On the other hand, $q(t) = 0$ $\forall t \notin \bullet(P_H \setminus P)$. It follows that $H_d q = D_c^- q$ and $L_H\mu_H = L\mu + D_c^- q$. Similarly, $L'_H\mu_H = L'\mu + D_c'^- q$. Then, $L_H\mu_H \le b$ and $L'_H\mu_H \not\le b'$ contradict that $S$ is at least as restrictive as $S'$.

Moreover, to prove that $S_H$ is more restrictive than $S'_H$, we can select $q$ and $\mu \ge D^- q$ such that $L\mu + D_c^- q \not\le b$ and $L'\mu + D_c'^- q \le b'$. It can be shown that $L\mu + D_c^- q \not\le b$ implies $\exists q', q'' \ge 0$, $q' + q'' \le q$, such that $\mu \xrightarrow{q'} \mu'$ and $L\mu' + Hq'' \not\le b$. So, $L\mu' + H_d q'' \not\le b$. On the other hand, $L'\mu + D_c'^- q \le b'$ implies $L'\mu' + H'q'' \le b'$ and $L'\mu' + H'_d q'' \le b'$. Therefore, $[L\mu' + H_d q'' \not\le b \wedge L'\mu' + H'_d q'' \le b']$. This proves that there are $q_0 \ge 0$ and $\mu \ge D^- q_0$ such that $[L\mu + H_d q_0 \not\le b \wedge L'\mu + H'_d q_0 \le b']$. Now, note that $[H_d(\cdot,t) \ne 0 \vee H'_d(\cdot,t) \ne 0] \Rightarrow t \in \bullet(P_H \setminus P)$, since $H_d$ and $H'_d$ are obtained by a joint H-transformation. Therefore, we may cancel the entries $q_0(t)$ with $t \notin \bullet(P_H \setminus P)$, and obtain $q$ such that $\mu \ge D^- q$, $[L\mu + H_d q \not\le b \wedge L'\mu + H'_d q \le b']$ and $q(t) = 0$ $\forall t \notin \bullet(P_H \setminus P)$. Let $\mu_H$ be defined by $\mu_H(p) = \mu(p) - D^-(p,\cdot)q$ $\forall p \in P$ and $\mu_H(p) = q(\bullet p)$ $\forall p \in P_H \setminus P$. As in the first part of the proof, $L_H\mu_H = L\mu + H_d q$ and $L'_H\mu_H = L'\mu + H'_d q$. Then $L_H\mu_H \not\le b_H$ and $L'_H\mu_H \le b'_H$, showing that $S_H$ is more restrictive than $S'_H$.

The proof of the "if" part is similar. Assume there are $q$ and $\mu \ge D^- q$ such that $L\mu + D_c^- q \le b$ and $L'\mu + D_c'^- q \not\le b'$. As in the "only if" part, this implies that we can find $q$ and $\mu \ge D^- q$ such that $[L\mu + H_d q \le b \wedge L'\mu + H'_d q \not\le b']$ and $q(t) = 0$ $\forall t \notin \bullet(P_H \setminus P)$. Again, we define $\mu_H$ by $\mu_H(p) = \mu(p) - D^-(p,\cdot)q$ $\forall p \in P$ and $\mu_H(p) = q(\bullet p)$ $\forall p \in P_H \setminus P$. As in the "only if" part, $L_H\mu_H = L\mu + H_d q$ and $L'_H\mu_H = L'\mu + H'_d q$. Then $L_H\mu_H \le b_H$ and $L'_H\mu_H \not\le b'_H$, which contradicts that $S_H$ is at least as restrictive as $S'_H$. This proves that $S$ is at least as restrictive as $S'$. To prove that $S$ is more restrictive than $S'$, let $\mu_H$ be a marking such that $L_H\mu_H \not\le b_H$ and $L'_H\mu_H \le b'_H$. Let $\mu$ and $q$ be defined as follows: $q(t) = \mu_H(t\bullet)$ if $t \in \bullet(P_H \setminus P)$ and $q(t) = 0$ otherwise; $\mu(p) = \mu_H(p) + D^-(p,\cdot)q$ $\forall p \in P$. As in the first part of the "only if" proof, $L_H\mu_H = L\mu + D_c^- q$ and $L'_H\mu_H = L'\mu + D_c'^- q$. Therefore, $L\mu + D_c^- q \not\le b$ and $L'\mu + D_c'^- q \le b'$, q.e.d. □

Theorem 3.21

Let $\mathcal{S}_{HC}$ be the C- and H-transformation of $\mathcal{S}$, and $N_{HC}$ the Petri net of $\mathcal{S}_{HC}$. Let $\mathcal{S}'_{HC}$ be another set of constraints of type (3.1) on $N_{HC}$ and $\mathcal{S}'$ be the inverse H- and C-transformation of $\mathcal{S}'_{HC}$. Then $\mathcal{S}'$ is at least as restrictive as $\mathcal{S}$ if $\mathcal{S}'_{HC}$ is at least as restrictive as $\mathcal{S}_{HC}$.

Proof: See Lemma 3.22 and Lemma 3.23. □

Note that Theorem 3.21 is a sufficient condition instead of a necessary and sufficient condition because the constraints $\mathcal{S}'_{HC}$ are not restricted to satisfy (3.47).

Lemma 3.22

Let $\mathcal{S}_C$ be the C-transformation of $\mathcal{S}$, and $N_C$ the Petri net of $\mathcal{S}_C$. Let $\mathcal{S}'_C$ be another set of constraints of type (3.2) on $N_C$ and $\mathcal{S}'$ be the $C^{-1}$-transformation of $\mathcal{S}'_C$. Then $\mathcal{S}'$ is at least as restrictive as $\mathcal{S}$ iff $\mathcal{S}'_C$ is at least as restrictive as $\mathcal{S}_C$.

Proof: See the proof of Lemma 3.19. □

Lemma 3.23

Let $\mathcal{S}_H$ be the H-transformation of $\mathcal{S}$, and $N_H$ the Petri net of $\mathcal{S}_H$. Let $\mathcal{S}'_H$ be another set of constraints of type (3.1) on $N_H$ and $\mathcal{S}'$ be the $H^{-1}$-transformation of $\mathcal{S}'_H$. Then $\mathcal{S}'$ is at least as restrictive as $\mathcal{S}$ if $\mathcal{S}'_H$ is at least as restrictive as $\mathcal{S}_H$.

Proof: The proof is by contradiction. So assume there are $q$ and $\mu \ge D^-q$ such that $L\mu + D_c^-q \not\le b$ and $L'\mu + D_c^{-\prime}q \le b'$. Then, as in the “only if” part of the proof of Lemma 3.20, it can be shown that there are $q_0$ and $\mu \ge D^-q_0$ such that $L\mu + H_dq_0 \not\le b$ and $L'\mu + D_c^{-\prime}q_0 \le b'$. Let $q$ be such that $q(t) = q_0(t)\ \forall t \in {}^\bullet(P_H \setminus P)$ and $q(t) = 0$ otherwise. Since $H_d(\cdot,t) = 0\ \forall t \notin {}^\bullet(P_H \setminus P)$, it follows that we found $q$ and $\mu \ge D^-q$ such that $L\mu + H_dq \not\le b$, $L'\mu + D_c^{-\prime}q \le b'$, and $q(t) = 0\ \forall t \notin {}^\bullet(P_H \setminus P)$.

By relating $\mu_H$ to $\mu$ and $q$ as in the proof of Lemma 3.20, we get $L_H\mu_H = L\mu + H_dq$ and $L'_H\mu_H = L'\mu + H'q$. However, by (3.21), $D_c^{-\prime} \ge H'$, where the comparison is taken element by element. So, $L'\mu + D_c^{-\prime}q \le b' \Rightarrow L'\mu + H'q \le b'$. Therefore, $L_H\mu_H \not\le b$ and $L'_H\mu_H \le b'$, which contradicts that $\mathcal{S}'_H$ is at least as restrictive as $\mathcal{S}_H$. □

The total C-transformation is the version of the C-transformation that adds a sink place to all transitions $t$, regardless of whether $C(\cdot,t)$ is zero or not. So, the total C-transformation has the argument $T_{s,C} = T$. The total H-transformation is the version of the H-transformation that splits all transitions $t$, regardless of whether $H_d(\cdot,t)$ is zero or not. So $T_{s,H} = T$. In the approach proposed in this paper, given a specification (3.3) on a Petri net $N$, the C- and H-transformations are applied to transform the specification into $L_{HC}\mu_{HC} \le b$ on a Petri net $N_{HC}$. Then, various methods available in the literature can be applied to generate a set of constraints $L_{HCa}\mu_{HC} \le b_a$ satisfying the admissibility requirement (3.62) and that

$L_{HCa}\mu_{HC} \le b_a \Rightarrow L_{HC}\mu_{HC} \le b$ (3.65)

Then the constraints $L_{HCa}\mu_{HC} \le b_a$ are transformed through the $H^{-1}$- and $C^{-1}$-transformations to constraints

$L_a\mu + H_aq + C_av \le b_a$ (3.66)

in terms of $N$. The following result shows first that (3.66) satisfies the admissibility condition (3.30) and that a supervisor enforcing (3.66) enforces (3.3) as well, that is

$L_a\mu + D_{c,a}^-q + C_av \le b_a \Rightarrow L\mu + D_c^-q + Cv \le b$ (3.67)

Then, in the case of the total H- and C-transformations, it is shown that the optimality of $L_a\mu + H_aq + C_av \le b_a$ depends only on the optimality of the constraints $L_{HCa}\mu_{HC} \le b_a$.

Theorem 3.24 Optimality of Supervisor Design.

The following holds true:

(a) $L_a\mu + H_aq + C_av \le b_a$ satisfies (3.67) and the admissibility condition (3.30).

Assume the H- and C-transformations are total and that $L_{HCa}$ satisfies (3.47). Then:

(b) If there is no other solution $L'_{HCa}\mu_{HC} \le b'_a$ satisfying (3.62), (3.65), and (3.47) that is less restrictive than $L_{HCa}\mu_{HC} \le b_a$, there is no other solution $L'_a\mu + H'_aq + C'_av \le b'_a$ satisfying (3.30) and (3.67) that is less restrictive than $L_a\mu + H_aq + C_av \le b_a$.

(c) If $L_{HCa}\mu_{HC} \le b_a$ is least restrictive among the constraints satisfying (3.62), (3.65) and (3.47), then $L_a\mu + H_aq + C_av \le b_a$ is least restrictive among the constraints satisfying (3.30) and (3.67).

Proof: Let $\mathcal{S}_{HCa}$ ($\mathcal{S}_{HC}$) denote $L_{HCa}\mu_{HC} \le b_a$ ($L_{HC}\mu_{HC} \le b$), $\mathcal{S}_a$ denote $L_a\mu + H_aq + C_av \le b_a$, $\mathcal{S}$ denote (3.3), and so on.

(a) By Theorem 3.21, $\mathcal{S}_a$ is at least as restrictive as $\mathcal{S}$, and so (3.67) is satisfied. Further, (3.30) is satisfied by Theorem 3.13(b).

(b) Since $\mathcal{S}_a$ results from the $H^{-1}$- and $C^{-1}$-transformations of $\mathcal{S}_{HCa}$, the same $\mathcal{S}_{HCa}$ is obtained through the C- and H-transformation of $\mathcal{S}_a$, by Theorem 3.10(b). Let $\mathcal{S}'$ be another solution satisfying (3.30) and (3.67). Let $\mathcal{S}'_{HC}$ denote the C- and H-transformation of $\mathcal{S}'$. $\mathcal{S}'_{HC}$ satisfies (3.47) by Theorem 3.10(a), (3.62) by Theorem 3.13(a), and (3.65) by Theorem 3.18. Since $\mathcal{S}'_{HC}$ cannot be less restrictive than $\mathcal{S}_{HCa}$, $\mathcal{S}'$ cannot be less restrictive than $\mathcal{S}_a$ either, by Theorem 3.18.

(c) The proof is similar to that of (b). Any other solution $\mathcal{S}'$ has the property that $\mathcal{S}'_{HC}$ satisfies (3.47), (3.62), and (3.67). Therefore $\mathcal{S}'_{HC}$ is at least as restrictive as $\mathcal{S}_{HCa}$. Then, by Theorem 3.18, $\mathcal{S}'$ is at least as restrictive as $\mathcal{S}_a$. □

Remark 1: Note that the approach is guaranteed to be optimal when the total C- and H-transformations are used. This means that NHC has three times as many places and two times as many transitions as N .

Remark 2: The optimal approach restricts the solution LHCaµHC ≤ ba not only to the admissibility condition (3.62) but also to the inequalities (3.47). Since (3.62) and (3.47) are of the same type, the approaches of [124, 125, 164] can still be used to compute LHCaµHC ≤ ba.

Remark 3: Note the trade-off of this approach. The benefits are that the supervisor design can be done in a computationally efficient manner and independently of the initial marking (of course, the designed supervisors still depend on the initial marking). The drawback is that a least restrictive design may not be achieved.

The following are the sources of loss of permissiveness. First, condition (3.30) is only sufficient for admissibility. Second, optimality can be further traded off for computational benefits in the selection of the particular method used to compute $L_{HCa}\mu_{HC} \le b_a$.

Remark 4: The approach proposed here has considered the general concurrency framework, in which arbitrary nonnegative firing vectors $q$ could be fired (if enabled). To adapt this approach to strict concurrency (meaning that $q$ is restricted to $q \le 1$), better solutions $L_{HCa}\mu_{HC} \le b_a$ may be found if we take into account that $\mu(p) \le 1\ \forall p \in P_H \setminus P$. Further, to adapt it to the no concurrency framework (meaning that only one transition may fire at a time), the design of $L_{HCa}\mu_{HC} \le b_a$ could be done to take advantage of $\sum_{p \in P_H \setminus P} \mu(p) \le 1$.

CHAPTER 4

DECENTRALIZED SUPERVISION OF PETRI NETS

4.1 Introduction

The decentralized control of discrete event systems (DES) has received considerable attention in recent years [147]. The current research effort has been focused on the automata setting, and has considered both versions of decentralized control, with communication and with no communication. This chapter considers the decentralized control of Petri nets by means of the supervision based on place invariants (SBPI) [45, 125, 190]. A brief description of the SBPI appears also in section 3.5.

Using Petri nets rather than automata has the major benefit that Petri nets are compact models of concurrent systems, as they do not represent explicitly the state space of the system. Further, using Petri net methods relying on the structure of the net rather than the state space is of special interest, as the size of the state space, when finite, can be exponentially related to the size of the net. Among the structural methods, the SBPI offers an efficient technique for the design of supervisors enforcing on Petri nets the class of state predicates described by linear marking inequalities (see (3.1) at page 14). Note that this class of constraints can represent any state predicate of a safe¹ Petri net [190]. Furthermore, without loss of any of its benefits, the SBPI has been extended in the previous chapter to handle any constraints that can be enforced by control (monitor) places. While SBPI has been considered so far in a centralized setting, this paper proposes extensions of SBPI to a decentralized setting.

¹ A Petri net is safe if for all reachable markings no place has more than one token.

The decentralized setting of this chapter follows that of the previous works in the field (e.g. [150, 147]). Thus, a global plant model is given, together with a specification that is to be enforced by the joint operation of $n$ supervisors $S_i$, $i = 1 \ldots n$. Each supervisor $S_i$ may control/observe a subset of the plant events $T_{c,i}$/$T_{o,i}$. Both versions of the decentralized supervision problem are considered here, with and without communication. Here, communication allows a local supervisor $S_i$ to observe events that are (directly) observed by other supervisors, and to send to other supervisors requests to disable events that are not locally accessible (controllable).

Admissibility is a key concept in the SBPI of Petri nets with uncontrollable and unobservable transitions. When dealing with such Petri nets, the SBPI approach classifies the specifications as admissible and inadmissible, where the former can be directly enforced, and the latter are first transformed to an admissible form and then enforced. In the automata setting [142], admissibility corresponds to controllability and observability, and the transformation to an admissible form to the computation of a controllable and observable sublanguage.

The main contributions of this chapter are as follows. First, we define d-admissibility (decentralized admissibility), as an extension of admissibility to the decentralized setting. D-admissibility extends the centralized admissibility while allowing the supervisors enforcing d-admissible constraints to be designed with very low computational complexity (the complexity of matrix multiplication), just as in the SBPI. The trade-off is that d-admissibility identifies constraints for which the supervisors can be easily computed, rather than the constraints for which supervisors can be computed. Thus, d-admissibility does not parallel controllability and co-observability in the automata setting [150]. An algorithm for the design of supervisors enforcing d-admissible constraints and an algorithm testing d-admissibility are provided. Unlike the former, the algorithm testing d-admissibility is computationally more complex, as it may require some reachability analysis. To overcome this difficulty, a simplification is proposed, similar to the structural admissibility test in the SBPI [125], allowing again very low computational effort. The trade-off is that only a subclass of d-admissible constraints is identified, called globally d-admissible constraints. Results concerning this class of constraints are also presented. Next, to deal with constraints that are not d-admissible, we provide two supervisor design approaches. The first one involves two stages. The first stage solves the problem in a centralized setting, by assuming all locally observable and controllable transitions as centrally available. The solution is then distributed in the second stage to the local supervisors, by means of communication. An integer programming approach for the design of a communication strategy with minimum cost is also included. The second approach dealing with constraints that are not d-admissible uses constraint transformations. The constraint transformations replace the specification, which is not d-admissible, with a (more restrictive) d-admissible specification. The solution here is obtained via integer programming. This approach can handle both design with and without communication. Further, the design process can incorporate communication constraints, such as limits on the average network traffic, and minimize a communication cost function.

Comparing the two supervisor design approaches, note the following. In theory, the first approach is expected to generate more permissive solutions than the second.

However, the first is intended for problems with unrestricted communication, while the second for problems with restricted or no communication. Decentralization is useful in the first case, as it may result in a solution with a better communication cost. In the second case a decentralized solution is unavoidable, due to the absence or restriction of the means of communication. With regard to our use of integer programming, note that while the development of alternative methods that are less computationally intensive is a direction for future research, in the automata setting it was shown that a decentralized solution cannot be found with polynomial complexity [147]. Note also that the size of the integer program depends on the size of the Petri net structure, and not on the size of its state space (i.e. the size of its equivalent automaton), which may not be finite.

Apparently, except for [27], the decentralized supervisory control of Petri nets has not been yet considered in the literature. In [27], distributed supervisors and a central coordinator are designed for specifications that are given from the beginning in a distributed form. In our approach there is no central coordinator and the specifications are not required to be given in a distributed form. In the automata setting, the work on decentralized control can be found in [147] and the references therein. In particular, we mention [150] for the decentralized control with no communication and [15, 148] for decentralized control with communication. Our communication setting differs from that of most papers in that the communication involves events rather than state estimates [15] or sequences of events [178]. Apparently, the communication of control decisions has not been yet considered in the automata setting. Other related work includes [178], which approaches the problem of finding a decentralized solution with the same performance as a centralized solution when communication is available. The vast majority of the decentralized control papers consider language specifications. In this paper we focus our attention on the particular class of state predicate specifications supported by SBPI.

In the automata setting, the existence of a decentralized solution enforcing state predicates is studied in [168]. Literature on SBPI or closely related to it is found in [45, 190, 125, 164, 106, 107] and the references therein.

The chapter is organized as follows. A detailed literature review is given in section 4.2. Section 4.3 describes the notation and outlines the SBPI. Section 4.4 describes the decentralized setting of our approach. D-admissibility is defined in section 4.5. There, the properties of d-admissibility and the related algorithms are presented. The first approach for the enforcement of constraints that are not d-admissible is presented in section 4.6. This approach assumes communication available and does not incorporate communication constraints. The second approach, which can deal with the remaining situations, namely no communication or restricted communication, is presented in section 4.7. Finally, a manufacturing example adapted from [111] is presented in section 4.8.

4.2 Related Work

A survey on some of the current results on the decentralized control of DES can be found in [147]. The current work has been done in the supervisory control framework of Ramadge and Wonham [142]. The current models consider a plant $G$ that is to be controlled by using local supervisors $S_1 \ldots S_n$, where the supervisor $S_i$ observes the subset of events $\Sigma_{o,i}$ of $G$, and controls the subset of events $\Sigma_{c,i}$ of $G$. Based on the observation that results for two supervisors extend to results on $n$ supervisors, the problems in the literature are often formulated in terms of only two local supervisors $S_1$ and $S_2$. In the following, $L(G)$ will denote the language generated by $G$, $L_m(G)$ the marked language of $G$, and $\overline{E}$ the prefix closure of a language $E$. Note that the general setting of decentralized control does not require the system to be physically divided into subsystems, each supervisor $S_i$ corresponding to such a subsystem. However, in the following it is convenient to denote as subsystem $i$ the plant $G$ with set of controllable events $\Sigma_{c,i}$ and set of observable events $\Sigma_{o,i}$.

The case in which the specification is already given in a decomposed form for each supervisor $S_i$ to implement is studied in [111]. When additional requirements, not included in the decomposed specification, are to be enforced, the authors propose to use a central coordinator. Depending on the application, all or some of the locally controllable/observable events can be included in the set of controllable/observable events of the coordinator. It is argued that by implementing the decomposed specification with the local supervisors, the control actions of the central coordinator are significantly reduced. As a motivation for their work, the authors notice the significant decrease in complexity (number of states) of the decentralized supervisor as compared with the centralized supervisor. The decomposed specification is given in the form of languages $A_i$ and $E_i$, where a supervisor $S_i$ is to satisfy $A_i \subseteq L(S_i/G_i) \subseteq E_i$ and $G_i$ is $G$ restricted to the events accessible to $S_i$. The problem of finding each of $S_i$ can then be reduced to the centralized control problem [110]. The same approach can also be applied to the coordinator. However, note that this solution is not guaranteed to be nonblocking.²

In [30] a sufficient condition is given for the existence of decentralized supervisors $S_i$ such that $S_1 \wedge S_2 \wedge \ldots \wedge S_n$ implements exactly a given language. Note that the framework of [30] is more general, as a supervisor $S_i$ does not observe the events directly, but through an observation function $M_i$. The observation function maps plant events to supervisor events or to the empty string. This allows the possibility that two or more observable events create the same supervisor event, that is, the supervisor cannot distinguish between them. (The observable events are the events that are not mapped to the empty string.)

² Note that the nonblocking property is different from deadlock-freedom or liveness. A closed-loop system is nonblocking if from any reachable state a marked state can be reached. This implies neither liveness nor deadlock-freedom. Furthermore, the nonblocking property is implied by liveness, but is not implied by deadlock-freedom. We can conclude that supervision with liveness enforcement in our Petri net setting is a stronger requirement than nonblocking supervision in the automata setting.

In [183] a particular model of the system is assumed, for which the paper presents conditions guaranteeing that decentralized supervision can achieve the same performance as the optimal centralized supervision. The assumptions are as follows. The system consists of subsystems operating in parallel. Each subsystem $i$ has a local set of events $\Sigma_i$. The set $\Sigma_{iu}$ of uncontrollable local events of subsystem $i$ is assumed to satisfy $\Sigma_{iu} \cap \Sigma_j = \emptyset$ for all $j \ne i$. All events available for observation to a local supervisor are local. The case in which there are local unobservable events is not studied.

In [150] it is shown that a necessary and sufficient condition for the existence of decentralized supervisors exactly implementing a given language $E \subseteq L_m(G)$ is that $E$ is controllable and co-observable. Controllability is defined as in the centralized case [142], and is taken with respect to the set $\Sigma_{uc}$ that contains the events that are uncontrollable to all supervisors $S_i$. Essentially³, co-observability corresponds to the property of the system that for all $s \in E$ and all events $\sigma$ such that $s\sigma \in L(G) \setminus E$, there is $i$ such that in the subsystem $i$ the observation of $s$ is distinct from the observations of all $s' \in E$ with $s'\sigma \in E$. The authors study also the problem of the existence of decentralized supervisors implementing a language $L(\bigwedge_i S_i/G)$ bounded by lower and upper bounds $A$ and $E$: $A \subseteq L(\bigwedge_i S_i/G) \subseteq E$, for $A \subseteq E \subseteq L(G)$. Naturally, a solution exists if and only if there is $K$ controllable and co-observable such that $A \subseteq K \subseteq E$.

The complexity involved in the decentralized control problems of [150] is studied in [149]. The results of [149] extend complexity results for centralized control [175] to decentralized control. The paper considers the case of two local supervisors and shows that co-observability can be decided in polynomial time. However, decentralized supervisors enforcing a co-observable and controllable language cannot be computed in polynomial time. Furthermore, the authors notice that the existence of a co-observable language $K$ bounded by $A \subseteq K \subseteq E$ cannot be decided in polynomial time.

³ An additional requirement is necessary when $E \ne \overline{E} \cap L_m(G)$.

Another version of a problem of [150] has been shown in [173] to be undecidable. The problem is to check whether there are two supervisors $S_1$ and $S_2$ such that $S_1 \wedge S_2$ is nonblocking and $L_m(S_1 \wedge S_2/G) \subseteq E$, for some regular language $E$. Note that in view of [150, 149], the problems of [150] are decidable, and so we can conclude that this problem is also decidable when it can be reduced to one of the problems of [150]. As an example, this is the case when $\overline{E} \cap L_m(G) = E$.

[101] is written in the framework of supervisory control for specifications represented as infinite traces of events [170, 171] (ω-languages). The following decentralized control problem is shown to be undecidable. Let $S(G)$ denote the set of all infinite strings that can be executed by $G$. Given $A \subseteq E \subseteq S(G)$, the problem is to find the supervisors $S_1$ and $S_2$ such that $S_1 \wedge S_2$ avoids deadlock, $A \subseteq S(S_1 \wedge S_2/G) \subseteq E$, and other technical conditions are satisfied.

Given a co-observable and controllable language, the decentralized supervisor enforcing it can be constructed as in [150]. An alternative method appears in [99]. The main result of [99] is that the infimal prefix-closed controllable and co-observable⁴ superlanguage of a language $K$ is the intersection of the infimal prefix-closed controllable and observable superlanguages of $K$ with respect to each of the subsystems $i$. Then, given $K \subseteq L(G)$ controllable, co-observable, and prefix-closed, $K$ is exactly implemented when the local supervisors implement the infimal prefix-closed controllable and observable superlanguages of $K$. The authors show also how to separate the computation of an infimal prefix-closed controllable and observable superlanguage into the computations of an infimal prefix-closed controllable superlanguage and of an infimal prefix-closed observable superlanguage. As in [30], the results are given in a more general setting in which the local supervisors observe the events through masks (observation functions).

⁴ The co-observability definition of [99] is slightly less general than that of [150], as it is not effective to specifications $K \subseteq L_m(G)$ with $K \ne \overline{K} \cap L_m(G)$.

The main result of [99] is applied in [84] to various decentralized control problems. To reduce the computational burden, the authors propose to work with local models $G_i$ of the plant $G$. A plant $G_i$ contains only the dynamics of $G$ that is related to the subset of events relevant in subsystem $i$. Then, the supervisors $S_i$ can be computed as the infimal prefix-closed controllable and observable superlanguages with respect to the plants $G_i$, rather than with respect to the larger plant $G$. Further developments appear in [83].

Most papers on decentralized control consider an architecture in which a control- lable event is enabled if and only if it is enabled by all local supervisors. Different enabling rules have been considered in [137, 191, 192]. Thus [191, 192] consider an architecture in which some controllable events are enabled by the conjunction of the decisions of the supervisors, and the other controllable events by the disjunction of the supervisor decisions. This partition of the controllable events is part of the de- sign process, and can be optimally done in polynomial time [192]. Co-observability in the context of this architecture has been defined, and is also verifiable in poly- nomial time [191]. This architecture generalizes the conventional architecture in which conjunction is the enabling rule. The benefit of the more general architecture is that the set of languages that can be implemented by decentralized supervisors is increased [191].

In [129], the decentralized control problem is considered for two local supervisors in a cooperative game theoretic framework. The supervisors are to enforce liveness and a safety specification. The design approach is semidecidable.

In [96], the fully-decentralized control problem is studied. In this problem, there is no communication between the local supervisors and between the agents designing the supervisors. This means that a local supervisor does not rely on other supervisors to disable illegal sequences, as the way the other supervisors are designed is unknown. The requirement on the local supervisors is that they enforce together a language $K$ satisfying $K = \overline{K} \cap L_m(G)$ and $A \subseteq K \cap L_m(G) \subseteq E$, where $A \subseteq E \subseteq L_m(G)$ are given. Note that a fully-decentralized solution is less likely to exist than a decentralized solution. Furthermore, fully-decentralized supervision tends to be overrestrictive. The main advantage of the approach is reduced computational complexity.

Decentralized supervision with communication between supervisors has also been considered. Communication between supervisors allows a larger class of languages to be implemented. In [184] an asymmetric supervision problem involving two super- visors is studied. Given a specification and a unidirectional communication channel from one supervisor to the other, the problem is to decide whether the supervisors can be designed such that the specification is implemented. A necessary and suffi- cient condition is found. The approach of [184] is extended in [178]. In [178], infor- mation structures are associated with each supervisor in order to help them achieve the same performance as a given centralized supervisor. Note that the centralized supervisor is designed under the assumption that all locally controllable/observable events are globally controllable/observable. The information structure specifies for each local supervisor the supervisors that send information to it, and the kind of information they send. Thus a local supervisor is able to receive observation strings from selected other local supervisors. The design problem is to obtain a set of min- imal information structures for which the decentralized solution is equivalent to the centralized solution.

Decentralized supervision with communication has also been considered in [15]. In this approach, the supervisors broadcast estimates of their state. An optimal communication problem is set up, in which the cost reflects how often the supervisors send their state estimates. The following is the design problem addressed in the paper. Given a specification language, find control policies and communication policies for the supervisors such that the specification is exactly implemented.

[148] considers also decentralized supervision with communication. The work can be applied when the control policies of the supervisors are given, and the com- munication between them is to be minimized. In the setting of the paper event occurrences are communicated, rather than state estimates or observation strings.

Decentralized control with communication and delays is studied in [174]. The paper considers the case of two supervisors with a fixed communication policy and a simplified type of specifications. The communication policy is that each supervisor broadcasts the events it observes. When the communication delay is bounded by $k$, the set of problems for which a solution exists is denoted by $DCC_k$. When the delays are allowed to be unbounded, the set of problems for which a solution exists is denoted by $DCUC$. The paper shows that $DC \subset DCUC \subset \cdots \subset DCC_2 \subset DCC_1 \subset DCC_0 = CC$, where $DC$ is the corresponding set of problems for the case of control with no communication, and $CC$ for the case of centralized control. Undecidability is proved for the existence of controllers in the cases $DCUC$ and $DC$. Note that the undecidability result relies on the type of specification that has been chosen. For instance, the more common versions of the decentralized control problem with no communication are decidable [150, 149].

Decentralized supervision with specification given in the form of state predicates has been studied in [168]. Note that the supervision of DES based on state predicates is described in [109, 106]. A sufficient condition is given for the existence of a solution. According to [168], when the plant is modeled by a finite automaton, it takes polynomial time to check the condition and to construct the solution.

In [169] a problem of reliable decentralized supervisory control is considered. A decentralized supervisor consisting of $n$ local supervisors is said to be $k$-reliable if it exactly achieves a specification under possible failures of $n - k$ supervisors. Necessary and sufficient conditions are given for a supervisor to be $k$-reliable. Then algorithms to synthesize a $k$-reliable supervisor for a sublanguage of the specification are given, when no $k$-reliable supervisor exactly implements the specification.

Examples found in the decentralized control literature are as follows. In the context of [111], a manufacturing system model is used to illustrate the supervisor design approach. In [30], a model of the alternating bit protocol is considered together with a specification to be enforced via supervision. Results of the paper are applied to verify that the specification can be implemented. Other versions of the alternating bit protocol are considered in [139]. A simple manufacturing system is used in [83] to illustrate existence results developed in that paper.

4.3 Preliminaries

In this chapter, a Petri net structure is denoted by N =(P, T, F, W), where P is the set of places, T the set of transitions, F the set of transition arcs, and W the weight function. The incidence matrix of N is denoted by D. A place (transition) denoted by pj (ti) is the place (transition) corresponding to the j’th (i’th) row (column) of the incidence matrix.

Recall, the specification of the SBPI [45, 125, 190] consists of the state constraints

Lµ ≤ b (4.1)

where L ∈ Z^{nc×|P|}, b ∈ Z^{nc}, and µ is the marking of N. To distinguish between the case nc = 1 and nc > 1, we say that (4.1) represents a constraint when nc = 1, and that (4.1) represents a set of constraints when nc > 1. Note that N represents the plant. Recall also that the SBPI provides a supervisor in the form of a Petri net

Ns = (Ps, T, Fs, Ws) with

Ds = −LD (4.2)

µ0,s = b − Lµ0 (4.3)

where Ds is the incidence matrix of the supervisor, µ0,s the initial marking of the supervisor, and µ0 is the initial marking of N . The places of the supervisor are called control places.

Let µc be the marking of the closed-loop, and let µc|N denote µc restricted to the plant N. Let t ∈ T be a transition. t is closed-loop enabled if µc enables t. t is plant-enabled if µc|N enables t in N. The supervisor detects t if t is closed-loop enabled at some reachable marking µc and firing t changes the marking of some control place. The supervisor controls t if there is a reachable marking µc such that t is plant-enabled but not closed-loop enabled. Given µc, the supervisor disables t if there is a control place C such that (C, t) ∈ Fs and µc(C)

Figure 4.1. Robotic manufacturing system. (Figure not reproduced; its labels read "Parts bin", "Assembly area", "Parts bin", "Computer", "Computer" and "Network Connection".)

net N with sets of uncontrollable and unobservable transitions Tuc and Tuo will be denoted by (N ,Tuc,Tuo). The decentralized setting is defined next.

4.4 The Model

The system is given as a Petri net model N = (P, T, F, W). A decentralized supervisor consists of a set of local supervisors S1, S2, ... Sn, each acting upon individual parts of the system, called subsystems, where the simultaneous operation of the local supervisors achieves a global specification. A local supervisor Si observes the system through the set of locally observable transitions To,i, and controls it through the set of locally controllable transitions Tc,i. So, from the viewpoint of Si, the sets of uncontrollable and unobservable transitions are Tuc,i = T \ Tc,i and Tuo,i = T \ To,i. This is the design problem: Given a global specification and the sets of uncontrollable and unobservable transitions Tuc,1, Tuc,2, ... Tuc,n and Tuo,1, Tuo,2, ... Tuo,n, find a set of local supervisors S1, S2, ... Sn whose simultaneous operation guarantees that the global specification is satisfied, where each Si can control T \ Tuc,i

Figure 4.2. A Petri net model of the robotic manufacturing system. (a) Global system; (b) left subsystem; (c) right subsystem. (Figure not reproduced; it shows places p1 to p4 and transitions t1 to t4, with the labels "Parts bin", "Assembly area" and "Parts bin".)

and observe T \ Tuo,i. A system N with subsystems of uncontrollable and unobservable transitions Tuc,i and Tuo,i will be denoted by (N, Tuc,1, ... Tuc,n, Tuo,1, ... Tuo,n). As an illustration, consider a manufacturing example in which two robots transport parts to a common assembly area [89]. The system is shown in Figure 4.1. The Petri net model of the system is shown in Figure 4.2(a). Note that µ2 = 1 (µ4 = 1) when the left (right) robot is in the assembly area, and µ1 = 1 (µ3 = 1) when the left (right) robot is in the parts bin. The set of controllable transitions of the left (right) subsystem may be taken as Tc,1 = {t1, t2} (Tc,2 = {t3, t4}). Assume that the subsystem of each robot knows when the other robot enters or leaves the parts bin. Then each subsystem contains the controllable transitions of the other subsystem as observable transitions; a possible graphical representation of the subsystems is shown in Figure 4.2(b) and (c).

4.5 Decentralized Admissibility

4.5.1 Definition and Application

This section introduces a decentralized admissibility concept, called d-admissibility.

Admissibility in the centralized case will be denoted here as c-admissibility. Thus, c-admissibility is taken with respect to a Petri net (N, µ0) of controllable transitions Tc and observable transitions To. Recall, this is the significance of c-admissibility: a c-admissible set of constraints (4.1) can be implemented with the simple construction of (4.2–4.3), as in the fully controllable and observable case.

In the decentralized case, we are interested in defining admissibility with respect to a Petri net (N, µ0) and the sets of controllable and observable transitions of the subsystems: Tc,1 ... Tc,n and To,1 ... To,n. Admissibility in the decentralized case is called d-admissibility. As in the case of c-admissibility, we would like d-admissibility to guarantee that the (decentralized) supervisor can be easily constructed. This is achieved by the following definition.

Definition 4.1

A constraint is d-admissible with respect to $(\mathcal{N}, \mu_0, T_{c,1} \ldots T_{c,n}, T_{o,1} \ldots T_{o,n})$ if there is a collection of subsystems $\mathcal{C} \subseteq \{1, 2, \ldots n\}$, $\mathcal{C} \neq \emptyset$, such that the constraint is c-admissible with respect to $(\mathcal{N}, \mu_0, T_c, T_o)$, where $T_c = \bigcup_{i \in \mathcal{C}} T_{c,i}$ and $T_o = \bigcap_{i \in \mathcal{C}} T_{o,i}$. A set of constraints is d-admissible if each of its constraints is d-admissible.

To illustrate the definition, assume that we have a constraint that is c-admissible only with respect to the first subsystem. Then, it is d-admissible, as we can select $\mathcal{C} = \{1\}$. Note also that when each subsystem has full observability of the net and every transition is controllable with respect to some subsystem, any constraint is d-admissible.

The construction of a decentralized supervisor, given a d-admissible set of constraints, is illustrated on the Petri net of Figure 4.2. The mutual exclusion constraint

µ1 + µ3 ≤ 1 (4.4)

is to be enforced. The centralized control solution is shown in Figure 4.3. In the case of decentralized supervision, there are two subsystems: the first one has Tuo,1 = ∅ and Tuc,1 = {t3, t4}, and the other has Tuo,2 = ∅ and Tuc,2 = {t1, t2}. Note that (4.4) is not c-admissible with respect to any of (N, Tc,1, To,1) or (N, Tc,2, To,2). However, it is d-admissible for $\mathcal{C} = \{1, 2\}$. Given two variables x1, x2 ∈ N, a decentralized supervisor S1 ∧ S2 enforcing (4.4) can be defined by the following rules:

Figure 4.3. Centralized control versus decentralized control. (Figure not reproduced; on the left, the centralized control place C is connected to t1, t2, t3, t4 of the net of Figure 4.2(a); on the right, Subsystem 1 carries control place C1 and Subsystem 2 carries control place C2.)

The supervisor S1:

• initialize x1 to 0.

• disable t1 if x1 = 0.

• increment x1 if t2 or t3 fires.

• decrement x1 if t1 or t4 fires.

The supervisor S2:

• initialize x2 to 0.

• disable t4 if x2 = 0.

• increment x2 if t2 or t3 fires.

• decrement x2 if t1 or t4 fires.

Note that S1 and S2 differ only in the second rule: one disables t1, while the other t4. A graphical representation of S1 and S2 is possible, as shown in Figure 4.3. Thus, S1 is represented by C1 and S2 by C2; x1 is the marking of C1 and x2 the marking of C2. Graphically, C1 and C2 are copies of the control place C of the centralized supervisor. Note that (C1, t4) and (C2, t1) model observation, not control. This is due to the fact that S1 never disables t4 and S2 never disables t1. As C1 and C2 have the same initial marking as C, their markings stay equal at all times. So, whenever t1 should be disabled, the disablement action is implemented by C1, and whenever t4 is to be disabled, the disablement action is implemented by C2.

In the general case, the construction of a supervisor enforcing a d-admissible constraint lµ ≤ c (l ∈ N^{1×|P|} and c ∈ N) is as follows. (Note that the notation of Definition 4.1 is used.)

Algorithm 4.2 Supervisor Design for a D-admissible Constraint

1. Let µ0 be the initial marking of N, C the control place of the centralized SBPI supervisor Ns = (Ps, T, Fs, Ws) enforcing lµ ≤ c, and $\mathcal{C}$ the set of Definition 4.1.

2. For all i ∈ $\mathcal{C}$, let xi ∈ N be a state variable of Si.

3. Define Si, for i ∈ $\mathcal{C}$, by the following rules:

• Initialize xi to c − lµ0.

• If t ∈ Tc,i, t ∈ C• and xi

• If t fires, t ∈ To,i and t ∈ •C, then xi = xi + Ws(t, C).

• If t fires, t ∈ To,i and t ∈ C•, then xi = xi − Ws(C, t).

To enforce a d-admissible set of constraints Lµ ≤ b, the construction above is repeated for each constraint lµ ≤ c. Note that in the graphical representation the supervisors Si correspond to |$\mathcal{C}$| copies of the control place C of the centralized supervisor, where each copy has the same initial marking as C. Next we prove that the resulting decentralized supervisor of Algorithm 4.2 is feasible (physically implementable) and as permissive as possible.
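The rules of S1 and S2 above and the general construction of Algorithm 4.2, worked in code as an added example (this is not code from the dissertation). It builds the SBPI control place from (4.2)–(4.3) for the constraint (4.4) on the net of Figure 4.2(a), runs the local supervisors of Algorithm 4.2 as state variables xi, and explores every closed-loop state to check invariant (4.5) and that the conjunction Sd enables exactly the transitions the centralized S enables. Assumptions: the plant arcs t1: p2→p1, t2: p1→p2, t3: p3→p4, t4: p4→p3 (inferred from the rules, since t1 and t4 consume a token of C while t2 and t3 return one), and a constructed initial marking µ0 = (1, 0, 0, 1), chosen so that xi starts at 0 as in the rules. Places and transitions are indexed 0..3 for p1..p4 and t1..t4.

```python
"""Added example: SBPI control place (4.2)-(4.3) and Algorithm 4.2 local supervisors
for the two-robot net of Figure 4.2(a) under mutual exclusion (4.4).  Not from the
dissertation; plant arcs and initial marking are constructed assumptions."""

# Constructed plant: t1: p2 -> p1, t2: p1 -> p2, t3: p3 -> p4, t4: p4 -> p3.
PRE = [[0, 1, 0, 0], [1, 0, 0, 0], [0, 0, 1, 0], [0, 0, 0, 1]]   # PRE[p][t]  = W(p, t)
POST = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 0, 1], [0, 0, 1, 0]]  # POST[p][t] = W(t, p)
NP, NT = 4, 4

def control_place(l, c, mu0):
    """SBPI: Ds = -l D (4.2), mu0s = c - l mu0 (4.3).  Returns arc weights C->t (C•)
    and t->C (•C) as dicts keyed by transition, plus the initial marking of C."""
    D = [[POST[p][t] - PRE[p][t] for t in range(NT)] for p in range(NP)]
    Ds = [-sum(l[p] * D[p][t] for p in range(NP)) for t in range(NT)]
    W_C_t = {t: -Ds[t] for t in range(NT) if Ds[t] < 0}
    W_t_C = {t: Ds[t] for t in range(NT) if Ds[t] > 0}
    return W_C_t, W_t_C, c - sum(l[p] * mu0[p] for p in range(NP))

def plant_enabled(mu, t):
    return all(mu[p] >= PRE[p][t] for p in range(NP))

def fire(mu, t):
    return tuple(mu[p] - PRE[p][t] + POST[p][t] for p in range(NP))

def central_enabled(mu, muC, W_C_t):
    """Transitions enabled by the centralized supervisor S: plant-enabled and C has enough tokens."""
    return {t for t in range(NT) if plant_enabled(mu, t) and muC >= W_C_t.get(t, 0)}

def local_enabled(mu, x, Tc_i, W_C_t):
    """Algorithm 4.2, rule 2: S_i disables t only if t in Tc,i, t in C• and x_i < Ws(C, t)."""
    return {t for t in range(NT) if plant_enabled(mu, t)
            and not (t in Tc_i and t in W_C_t and x < W_C_t[t])}

def local_update(x, t, To_i, W_C_t, W_t_C):
    """Algorithm 4.2, rules 3 and 4: x_i tracks C for the firings S_i observes."""
    return x + W_t_C.get(t, 0) - W_C_t.get(t, 0) if t in To_i else x

def compare_supervisors(l, c, mu0, Tc, To, subs):
    """Explore every closed-loop state reachable under both S and Sd (the conjunction of
    S_i, i in subs).  Returns (same_behaviour, invariant_holds): whether Sd enables exactly
    what S enables at every explored state, and whether x_i = c - l mu (4.5) holds there."""
    W_C_t, W_t_C, mu0s = control_place(l, c, mu0)
    start = (tuple(mu0), mu0s, tuple(mu0s for _ in subs))
    seen, stack, same, invariant = {start}, [start], True, True
    while stack:
        mu, muC, xs = stack.pop()
        invariant &= all(x == c - sum(l[p] * mu[p] for p in range(NP)) for x in xs)
        en_S = central_enabled(mu, muC, W_C_t)
        en_Sd = set.intersection(*[local_enabled(mu, x, Tc[i], W_C_t) for i, x in zip(subs, xs)])
        same &= (en_S == en_Sd)
        for t in en_S & en_Sd:      # follow only firings both supervisors allow
            nxt = (fire(mu, t), muC + W_t_C.get(t, 0) - W_C_t.get(t, 0),
                   tuple(local_update(x, t, To[i], W_C_t, W_t_C) for i, x in zip(subs, xs)))
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return same, invariant

L_MUTEX, C_MUTEX, MU0 = [1, 0, 1, 0], 1, (1, 0, 0, 1)   # (4.4): mu1 + mu3 <= 1, constructed mu0
TC = {1: {0, 1}, 2: {2, 3}}                              # Tc,1 = {t1, t2}, Tc,2 = {t3, t4}
TO_FULL = {1: {0, 1, 2, 3}, 2: {0, 1, 2, 3}}             # Tuo,1 = Tuo,2 = empty (d-admissible case)
TO_LOCAL = {1: {0, 1}, 2: {2, 3}}                        # each subsystem sees only its own robot

if __name__ == "__main__":
    print("full observation :", compare_supervisors(L_MUTEX, C_MUTEX, MU0, TC, TO_FULL, [1, 2]))
    print("local observation:", compare_supervisors(L_MUTEX, C_MUTEX, MU0, TC, TO_LOCAL, [1, 2]))
```

With full observation the explored closed loop has three states, (4.5) holds in all of them and Sd matches S, as Theorem 4.4 states. With only local observation (the setting in which (4.4) is not d-admissible), x2 misses the firing of t2, (4.5) breaks after the first step and S2 keeps t4 disabled where S would enable it; the check reports both failures.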

Remark 4.3 The SBPI construction (4.2–4.3) presents the best supervision can achieve: a transition t is disabled iff firing t leads to a marking µ for which $L\mu \not\leq b$. Therefore, we are interested in identifying conditions under which this supervision performance can be achieved under decentralization (with partial controllability and partial observability). As it turns out, d-admissibility is a sufficient condition for this optimal performance, as proven in the next result. □

In the following, we denote by S the supervisor of (4.2–4.3). For simplicity, the same notation S is used both for the enforcement of sets of constraints Lµ ≤ b and the enforcement of single constraints lµ ≤ c. Further, let Sd denote the decentralized supervisor. For instance, in Algorithm 4.2 Sd is the conjunction $S_d = \bigwedge_{i \in \mathcal{C}} S_i$ of the supervisors Si for i ∈ $\mathcal{C}$. Feasibility is defined as follows. Sd is feasible if all Si are feasible. Si is feasible if Si only observes transitions t ∈ To,i and disables transitions t only if not plant-enabled or if t ∈ Tc,i. Let $P_i : T^* \to T_{o,i}^*$ denote the projection of a firing sequence σ on To,i. The fact that Si observes only t ∈ To,i means that for all firing sequences $\sigma_1, \sigma_2 \in T^*$, if $P_i(\sigma_1) = P_i(\sigma_2)$ then $S_i(\sigma_1) = S_i(\sigma_2)$. Note that Si(σ) denotes the set of transitions enabled by Si once σ has been fired from the initial state of the system.

Theorem 4.4

The decentralized supervisor Sd constructed in Algorithm 4.2 is feasible, enforces the desired constraint, and is as permissive as the centralized supervisor S.

Proof: Feasibility is an immediate consequence of the construction of Algorithm 4.2. To prove the remaining part of the theorem, we consider firing sequences σ that are plant-enabled at an initial marking µ0, and we show that σ is enabled by S at the initial marking µ0 iff σ is enabled by Sd at the initial marking µ0. The proof uses the notation of Algorithm 4.2 and of Definition 4.1. Given a firing sequence $\sigma = t_{i_1} t_{i_2} \ldots t_{i_k}$ enabled from µ0, let us denote by µj the markings reached in N while firing σ: $\mu_0 \xrightarrow{t_{i_1}} \mu_1 \xrightarrow{t_{i_2}} \mu_2 \xrightarrow{t_{i_3}} \ldots \mu_k$.

First, note that for all firing sequences $\sigma = t_{i_1} t_{i_2} \ldots t_{i_k}$ enabled by both S and Sd from µ0, we have that at all markings µj reached while firing σ

$x_i = c - l\mu_j \quad \forall i \in \mathcal{C}$ (4.5)

This is proven by induction. For j = 0, (4.5) is satisfied, due to the way the variables xi are initialized. Assume (4.5) satisfied for j

There are two cases: (a) $l\mu_j = l\mu_{j+1}$ and (b) $l\mu_j \neq l\mu_{j+1}$. In case (a), in view of (4.2), $W_s(C, t_{i_j}) = W_s(t_{i_j}, C) = 0$. Therefore, neither the marking of C nor any of the xi's is changed by firing $t_{i_j}$. Hence, (4.5) is satisfied at µj+1. In case (b), note that by Definition 4.1, the d-admissibility of lµ ≤ c implies that S is c-admissible with respect to $(\mathcal{N}, \mu_0, T_c, T_o)$. Then, since $t_{i_j}$ is not dead and $l\mu_j \neq l\mu_{j+1}$: $t_{i_j} \in T_o$. However, $t_{i_j} \in T_o \Rightarrow (\forall i \in \mathcal{C})\ t_{i_j} \in T_{o,i}$. Hence, $t_{i_j}$ is observable to all Si, and so all xi are changed in the same way. Moreover, according to the SBPI, firing $t_{i_j}$ changes the marking of C the same way as the xi are changed. From the SBPI we know that the new marking of C is c − lµj+1. It follows that when µj+1 is reached, xi = c − lµj+1 ∀i ∈ $\mathcal{C}$.

Finally, we prove by contradiction that the firing sequences enabled by S from µ0 are the firing sequences enabled by Sd from µ0. Assume the contrary, that there is σ that is enabled by one supervisor and not enabled by the other. We decompose σ into $\sigma = \sigma_x t_x \sigma_y$, tx ∈ T, where σx is enabled by both supervisors and σx tx is not. If $\mu_0 \xrightarrow{\sigma_x} \mu_x$, then (4.5) is satisfied at µj = µx; the marking of C is also c − lµx. There are two cases: (a) tx enabled by C; (b) tx not enabled by C. Case (a) implies $t_x \notin C^\bullet$ or $W_s(C, t_x) \le c - l\mu_x$. Then, by construction, Sd must also enable tx, which contradicts the assumption that not both S and Sd enable tx. In case (b), according to the SBPI, we have that $W_s(C, t_x) > c - l\mu_x$ and tx ∈ Tc, by the d-admissibility of lµ ≤ c. It follows that there is i ∈ $\mathcal{C}$ such that Si disables tx, and hence that Sd does not enable tx. This contradicts the assumption that one of S and Sd enables the transition tx. □

Let $T_o^M$ be the set of transitions detected by S and $T_c^M$ the set of transitions controlled by S. For instance, in Figure 4.3 $T_c^M = \{t_1, t_4\}$ and $T_o^M = \{t_1, t_2, t_3, t_4\}$. The d-admissibility of a constraint can be tested as follows:

Algorithm 4.5 Checking whether a Constraint is D-admissible

1. Find $T_o^M$ and $T_c^M$.

2. Find the largest set of subsystems $\mathcal{C}$ such that $\forall i \in \mathcal{C}$: $T_{o,i} \supseteq T_o^M$.

3. If $\mathcal{C} = \emptyset$, declare that the constraint is not d-admissible and exit.

4. Define $T_c = \bigcup_{i \in \mathcal{C}} T_{c,i}$.

5. Does Tc satisfy $T_c \supseteq T_c^M$? If yes, declare the constraint d-admissible. Otherwise, declare that the constraint is not d-admissible.

Note that a d-admissible constraint can be implemented for a minimal set $\mathcal{C}_{min} \subseteq \mathcal{C}$ containing the minimal number of subsystems such that $T_c^M \subseteq \bigcup_{i \in \mathcal{C}_{min}} T_{c,i}$. Note also that checking whether a set of constraints is d-admissible involves checking each constraint individually.

Proposition 4.6

The algorithm checking d-admissibility is correct.

Proof: A constraint is declared d-admissible if $\mathcal{C} \neq \emptyset$ and $T_c \supseteq T_c^M$. The definition of $T_o^M$ and $T_c^M$ implies that the constraint is c-admissible with respect to $(\mathcal{N}, T_c, T_o)$ (where $T_o = \bigcap_{i \in \mathcal{C}} T_{o,i}$). Then, in view of Definition 4.1, the algorithm is right to declare the constraint d-admissible.

Next, assume a d-admissible constraint. Then, there is a set of subsystems $\mathcal{C}' \neq \emptyset$ such that the constraint is c-admissible with respect to $(\mathcal{N}, T'_c, T'_o)$ (where $T'_c = \bigcup_{i \in \mathcal{C}'} T_{c,i}$ and $T'_o = \bigcap_{i \in \mathcal{C}'} T_{o,i}$). Then $T'_o \supseteq T_o^M$ and $T'_c \supseteq T_c^M$; $T'_o \supseteq T_o^M \Rightarrow \mathcal{C}' \subseteq \mathcal{C} \Rightarrow T_c \supseteq T'_c \Rightarrow T_c \supseteq T_c^M$. Consequently, the algorithm declares the constraint to be d-admissible. □

In general, it may be difficult to compute the sets $T_c^M$ and $T_o^M$, as this may involve some reachability analysis. Alternatively, estimates $\tilde{T}_c \supseteq T_c^M$ and $\tilde{T}_o \supseteq T_o^M$ can be used instead of $T_c^M$ and $T_o^M$. However, in this case the algorithm only checks a sufficient condition for d-admissibility, and so a negative verdict no longer proves that the constraint is not d-admissible. In the case of the SBPI, a constraint lµ ≤ c is implemented by a control place C, as described by (4.2–4.3). Obviously, some estimates $\tilde{T}_c$ and $\tilde{T}_o$ are $\tilde{T}_c = C^\bullet$ and $\tilde{T}_o = {}^\bullet C \cup C^\bullet$. Here, $\tilde{T}_c$ differs from $T_c^M$ if there is $t \in C^\bullet$ that is never both plant-enabled and closed-loop disabled in $(\mathcal{N}, \mu_0, S)$. Also, $\tilde{T}_o$ differs from $T_o^M$ if there is some $t \in {}^\bullet C \cup C^\bullet$ that is dead in $(\mathcal{N}, \mu_0, S)$.

Remark 4.7 When the estimates $\tilde{T}_c = C^\bullet$ and $\tilde{T}_o = {}^\bullet C \cup C^\bullet$ are used instead of $T_c^M$ and $T_o^M$, Algorithm 4.5 is the decentralized equivalent of the structural admissibility conditions $lD_{uc} \le 0$ and $lD_{uo} = 0$ of [125] for centralized supervision. In this dissertation, these conditions are introduced in section 3.5.2 at page 30. Duc and Duo are the restrictions of the incidence matrix of the plant to the sets of uncontrollable and unobservable transitions, respectively. □
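Algorithm 4.5 with the structural estimates of Remark 4.7, as an added example (not code from the dissertation): the check reads $\tilde{T}_c = C^\bullet$ and $\tilde{T}_o = {}^\bullet C \cup C^\bullet$ off the control-place row Ds = −lD, finds the largest set of subsystems that observe $\tilde{T}_o$, tests the union of their controllable sets against $\tilde{T}_c$, and also computes the minimal set $\mathcal{C}_{min}$. As a cross-check in the spirit of Proposition 4.6, Definition 4.1 is evaluated directly by trying every non-empty subset of subsystems with the centralized structural conditions $lD_{uc} \le 0$ and $lD_{uo} = 0$. Assumptions: the incidence matrix of Figure 4.2(a) as in the previous example (t1: p2→p1, t2: p1→p2, t3: p3→p4, t4: p4→p3), the controllable sets Tc,1 = {t1, t2}, Tc,2 = {t3, t4} of the text, and a constructed second constraint µ1 ≤ c (l = [1, 0, 0, 0]) to show the case that is c-admissible with respect to the first subsystem only.

```python
"""Added example: Algorithm 4.5 with the estimates of Remark 4.7, cross-checked against
Definition 4.1 via the structural conditions l D_uc <= 0 and l D_uo = 0.  Not from the
dissertation.  Indices 0..3 stand for t1..t4 (columns) and p1..p4 (rows)."""
from itertools import combinations

D = [[1, -1, 0, 0],      # p1: t1 adds a token, t2 removes one   (constructed, Figure 4.2(a))
     [-1, 1, 0, 0],      # p2
     [0, 0, -1, 1],      # p3
     [0, 0, 1, -1]]      # p4
T = set(range(4))

def structural_estimates(l):
    """T~c = C• and T~o = •C ∪ C• from the control-place row Ds = -l D (4.2)."""
    Ds = [-sum(l[p] * D[p][t] for p in range(len(D))) for t in T]
    return {t for t in T if Ds[t] < 0}, {t for t in T if Ds[t] != 0}

def check_d_admissible(l, Tc, To):
    """Algorithm 4.5 with the estimates.  Returns (verdict, C): C is the largest set of
    subsystems whose To,i covers T~o, or the empty set when the verdict is negative."""
    Tc_est, To_est = structural_estimates(l)
    C = {i for i in To if To[i] >= To_est}          # step 2
    if not C:                                        # step 3
        return False, set()
    Tc_union = set().union(*(Tc[i] for i in C))      # step 4
    ok = Tc_union >= Tc_est                          # step 5
    return ok, (C if ok else set())

def minimal_subsystems(l, Tc, To):
    """C_min: the fewest members of C whose union of Tc,i still covers T~c."""
    ok, C = check_d_admissible(l, Tc, To)
    if not ok:
        return set()
    Tc_est, _ = structural_estimates(l)
    for size in range(1, len(C) + 1):
        for sub in combinations(sorted(C), size):
            if set().union(*(Tc[i] for i in sub)) >= Tc_est:
                return set(sub)

def structurally_c_admissible(l, Tc, To):
    """Centralized test of [125] as restated in Remark 4.7: l D_uc <= 0 and l D_uo = 0,
    with Tuc = T \\ Tc and Tuo = T \\ To."""
    lD = [sum(l[p] * D[p][t] for p in range(len(D))) for t in T]
    return all(lD[t] <= 0 for t in T - Tc) and all(lD[t] == 0 for t in T - To)

def d_admissible_by_definition(l, Tc, To):
    """Definition 4.1 evaluated directly: some non-empty C such that the constraint is
    c-admissible for the union of the Tc,i and the intersection of the To,i."""
    subs = sorted(Tc)
    for size in range(1, len(subs) + 1):
        for C in combinations(subs, size):
            if structurally_c_admissible(l, set().union(*(Tc[i] for i in C)),
                                         set.intersection(*(To[i] for i in C))):
                return True
    return False

TC = {1: {0, 1}, 2: {2, 3}}                 # Tc,1 = {t1, t2}, Tc,2 = {t3, t4}
TO_FULL = {1: set(T), 2: set(T)}            # both subsystems observe everything
TO_LOCAL = {1: {0, 1}, 2: {2, 3}}           # each subsystem observes only its own robot
MUTEX = [1, 0, 1, 0]                        # (4.4): mu1 + mu3 <= 1
LEFT = [1, 0, 0, 0]                         # constructed: mu1 <= c, left robot only

if __name__ == "__main__":
    for name, l, To in (("mutex/full", MUTEX, TO_FULL), ("mutex/local", MUTEX, TO_LOCAL),
                        ("left/local", LEFT, TO_LOCAL)):
        print(name, check_d_admissible(l, TC, To), minimal_subsystems(l, TC, To),
              d_admissible_by_definition(l, TC, To))
```

For (4.4) with full observation the algorithm returns $\mathcal{C} = \{1, 2\}$, and $\mathcal{C}_{min}$ is also {1, 2}, since neither robot's subsystem alone controls both t1 and t4. With local observation only, no subsystem observes all of $\tilde{T}_o = \{t_1, t_2, t_3, t_4\}$, so the set of step 2 is empty and the constraint is rejected. The constructed constraint µ1 ≤ c is accepted with $\mathcal{C} = \{1\}$ even under local observation, which is the situation described after Definition 4.1. In every case the direct evaluation of Definition 4.1 agrees with the algorithm's verdict.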

Note that when it is possible and convenient to communicate in a reliable fashion with each subsystem of a decentralized system, a centralized solution with $T_c = \bigcup_{i=1\ldots n} T_{c,i}$ and $T_o = \bigcup_{i=1\ldots n} T_{o,i}$ is possible. Note also that in the implementation of d-admissible constraints, each supervisor Si with i ∈ $\mathcal{C}$ relies on the proper operation of the other supervisors Sj with j ∈ $\mathcal{C}$. By itself, a local supervisor may not be able to implement a d-admissible constraint, or its implementation may be overrestrictive. For instance, in the example of Figure 4.2, the supervisor of the first subsystem can only enforce µ1 + µ3 ≤ 1 by itself by imposing µ1 = 0. However, this solution is overrestrictive. D-admissibility illustrates the fact that more can be achieved when supervisors cooperate to achieve a given task, rather than when a supervisor tries on its own to achieve it (cf. “two heads better than one” in [150]).

4.5.2 Significance of D-Admissibility

D-admissibility is clearly a sufficient condition for a specification to be exactly implementable by some supervisor. D-admissibility appears to be also necessary under most circumstances, although this may be difficult to formally prove. We provide here a necessity proof for a stronger d-admissibility concept, that we call global d-admissibility, and a related supervision problem. Thus, instead of looking at the relation between d-admissibility and the feasibility of the decentralized supervision for a given initial marking µ0, we look at global d-admissibility and the decentralized supervision problem for all markings µ0 and all free terms b in (4.1).

That is, N , Tc,i, To,i, i =1...n,andL are given and fixed, while µ0 and b are seen as variables. This approach allows us not only to shed some light on the necessity of d-admissibility, but also to establish the sense in which optimality is achieved when constraints are identified as d-admissible based on the simplified test of Remark 4.7.

Definition 4.8

The family of single constraints lµ ≤ c with fixed l is globally d-admissible if there is $\mathcal{C} \subseteq \{1, 2, \ldots n\}$ such that for all µ0 and c ≥ lµ0, lµ ≤ c is d-admissible with respect to (N, µ0, Tc,1 ... Tc,n, To,1 ... To,n) and $\mathcal{C}$. The family of constraints Lµ ≤ b with fixed L is globally d-admissible if every single constraint lµ ≤ c of Lµ ≤ b is globally d-admissible.

Given Lµ ≤ b, let S denote the supervisor corresponding to the construction of (4.2–4.3). When Lµ ≤ b consists of a single constraint lµ ≤ c, the supervisor S is implemented by a single control place C. To simplify our notation, the marking of C at the plant marking µ is denoted by µ(C) instead of µs(C). If σ is the transition sequence fired since the initialization of the system and S enables t, we write $S(\sigma)[t$; otherwise, we write $S(\sigma)\not[t$. For simplicity, let us write $S[t$ (respectively $S\not[t$) if no transition has been fired (i.e., if σ is empty).

Let Sd = S1 ∧ S2 ∧ ... ∧ Sn denote the decentralized supervisor consisting of local supervisors Si.

Lemma 4.9

If $C^\bullet \neq \emptyset$ and for all µ0 and c ≥ lµ0 there is a feasible Sd as permissive as S, then $C^\bullet \subseteq \bigcup_{i=1}^{n} T_{c,i}$ and ${}^\bullet C \cup C^\bullet \subseteq \bigcup_{i=1}^{n} T_{o,i}$.

Proof: The proof relies on the following two observations, identifying general controllability and observability requirements for an exact implementation of a specification. First, if there are t ∈ T and σ ∈ T* such that σt is plant-enabled, and σ is legal (according to the specification lµ ≤ c) and σt is not legal, then t must be controllable. Second, if there are t ∈ T and σ, σ' ∈ T* such that σtσ' is plant-enabled, σσ' is plant-enabled, and one and only one of σtσ' and σσ' is legal, then t must be observable. Let $T_c = \bigcup_{i=1}^{n} T_{c,i}$ and $T_o = \bigcup_{i=1}^{n} T_{o,i}$. We prove first that $t \in C^\bullet \Rightarrow t \in T_c$ and $t \in T_o$. Given $t \in C^\bullet$, by selecting an appropriate µ0 the plant enables σ = tt. Further, we can select µ0(C) such that $S[t$ and $S\not[tt$. (Note that c can be found as c = µ0(C) + lµ0.) Since Sd is as permissive as S: $S_d[t$ and $S_d\not[tt$. Then, based on our two observations we find that t must be controllable and observable. Since Tc,i and To,i, i = 1...n, are the transitions Sd may control and observe, it follows that t ∈ Tc and t ∈ To. It remains to show that ${}^\bullet C \subseteq T_o$. We prove $t \in {}^\bullet C \Rightarrow t \in T_o$. Let $t \in {}^\bullet C$ and $t' \in C^\bullet$. For appropriate µ0 and µ0(C), tt' and t' are plant-enabled, but $S\not[t'$ and $S[tt'$. Since Sd is as permissive as S, it follows that t is observable. This concludes the proof. □

The family of constraints lµ ≤ c (with l fixed) is said to be proper if $C^\bullet \neq \emptyset$. Further, Lµ ≤ b is proper if each of its constraints lµ ≤ c is proper. By (4.2), lµ ≤ c is proper iff $lD \not\leq 0$, where D is the incidence matrix. Thus, the constraints that are not proper do not need supervision: they stay enforced at all times if the initial marking satisfies them.

Proposition 4.10

Let lµ ≤ c proper be given. lµ ≤ c is globally d-admissible iff there is $\mathcal{C} \subseteq \{1, 2, \ldots n\}$ such that $C^\bullet \subseteq \bigcup_{i \in \mathcal{C}} T_{c,i}$ and ${}^\bullet C \cup C^\bullet \subseteq \bigcap_{i \in \mathcal{C}} T_{o,i}$.

Proof: “⇐” The d-admissibility of lµ ≤ c at any µ0 and c ≥ lµ0 follows trivially by the definition of d-admissibility (Definition 4.1) and the definition of c-admissibility. “⇒” Let $\mathcal{C}$ be the set of Definition 4.8, $T_c = \bigcup_{i \in \mathcal{C}} T_{c,i}$ and $T_o = \bigcap_{i \in \mathcal{C}} T_{o,i}$. By Definition 4.1, lµ ≤ c is c-admissible with respect to (N, µ0, Tc, To) for all µ0 and c ≥ lµ0. Hence, S is admissible with respect to (N, µ0, Tc, To) for all µ0 and c ≥ lµ0. From this point on, the proof is similar to that of Lemma 4.9. □

Theorem 4.11

Let Lµ ≤ b proper be given. Lµ ≤ b is globally d-admissible iff a feasible Sd as permissive as S exists for all µ0 and b ≥ Lµ0.

Proof: Note that it is enough to prove this result on single constraints lµ ≤ c. Then, the necessity is an immediate consequence of Proposition 4.10, since Sd can be constructed as in Algorithm 4.2.

The proof of the sufficiency is by contradiction. Assume that lµ ≤ c is not globally d-admissible. Let ${}^\bullet C = \{t^o_1, t^o_2, \ldots t^o_f\}$ and $C^\bullet = \{t_1, t_2, \ldots t_g\}$. In view of the SBPI, ${}^\bullet C \cap C^\bullet = \emptyset$. Note that g ≥ 1, as lµ ≤ c is proper. Let k1, k2, ..., kg and r1, r2, ... rf be positive integers such that

$k_1 W(C, t_1) = k_2 W(C, t_2) = \ldots = k_g W(C, t_g)$

$r_1 W(t^o_1, C) = r_2 W(t^o_2, C) = \ldots = r_f W(t^o_f, C)$

where, to simplify our notation, W(C, t)/W(t, C) stand for Ws(C, t)/Ws(t, C). We constrain also the coefficients ki to ki ≥ 2, i = 1...g. Further, if f ≥ 1, ki and ri are also constrained to

$k_2 W(C, t_2) + k_3 W(C, t_3) + \ldots + k_g W(C, t_g) = r_1 W(t^o_1, C) + r_2 W(t^o_2, C) + \ldots + r_f W(t^o_f, C)$

Note that $k_1 W(C, t_1)$ is missing in the previous expression. t1 will have a special role in the proof, as described in the following. In view of Lemma 4.9, $C^\bullet \subseteq \bigcup_{i=1}^{n} T_{c,i}$ and ${}^\bullet C \cup C^\bullet \subseteq \bigcup_{i=1}^{n} T_{o,i}$. Since lµ ≤ c is not globally d-admissible, by Proposition 4.10, there is $t \in C^\bullet$ such that for all i = 1...n, if t ∈ Tc,i then ${}^\bullet C \cup C^\bullet \not\subseteq T_{o,i}$. Without loss of generality, let t1 be that transition t. Let the initial marking of C be

$\mu_{s0}(C) = \begin{cases} k_2 W(C, t_2) + \ldots + k_g W(C, t_g) + W(C, t_1) & \text{if } f = 0 \\ W(C, t_1) & \text{if } f \ge 1 \end{cases}$

Let $\sigma^o_i = t^o_i t^o_i \ldots t^o_i$ ($t^o_i$ is repeated ri times) and $\sigma_j = t_j t_j \ldots t_j$ (tj is repeated kj times), for i = 1...f and j = 1...g. Assume that the initial marking µ0 of the plant is large enough to enable all firing sequences that will be considered in the following. (Given µ0 and µs0(C), the parameter c can be found as c = lµ0 + µs0(C).) Note that $S[\sigma^o_1 \sigma^o_2 \ldots \sigma^o_f \sigma_2 \sigma_3 \ldots \sigma_g t_1$, but $S\not[\sigma^o_1 \sigma^o_2 \ldots \sigma^o_f \sigma_2 \sigma_3 \ldots \sigma_g \sigma_1$. (In the case f = 0, we assume that $\sigma^o_1 \sigma^o_2 \ldots \sigma^o_f = \varepsilon$, where ε is the empty sequence.) Next, we reach a contradiction by showing that $S_d[\sigma^o_1 \sigma^o_2 \ldots \sigma^o_f \sigma_2 \sigma_3 \ldots \sigma_g \sigma_1$. First, note that only Si with $T_{c,i} \ni t_1$ may disable σ1 after $\sigma^o_1 \sigma^o_2 \ldots \sigma^o_f \sigma_2 \sigma_3 \ldots \sigma_g$ is fired. For all such Si, we have the following cases.

Case A, t1 ∈ To,i: Then, there is $t_j \notin T_{o,i}$ and $t_j \in {}^\bullet C \cup C^\bullet$. There are two situations:

Case A.1, $t_j \in C^\bullet$: Then, Si cannot distinguish between $d = \sigma^o_1 \sigma^o_2 \ldots \sigma^o_f \sigma_2 \ldots \sigma_g$ and $a = \sigma^o_1 \sigma^o_2 \ldots \sigma^o_f \sigma_2 \ldots \sigma_{j-1} \sigma_{j+1} \ldots \sigma_g$. Hence, $S_i(a) \equiv S_i(d)$. Therefore, since $S(a)[\sigma_1$ and Sd is as permissive as S, we have that $S_i(d)[\sigma_1$.

Case A.2, $t_j \in {}^\bullet C$: Then, Si cannot distinguish between d (defined above) and $h = \sigma^o_1 \sigma^o_2 \ldots \sigma^o_{j-1}\, e\, \sigma^o_{j+1} \ldots \sigma^o_f \sigma_2 \ldots \sigma_g \sigma_1$, where $e = \sigma^o_j \sigma^o_j \ldots \sigma^o_j$, e repeating $\sigma^o_j$ enough many times to ensure $S[h\sigma_1$. Now, $S_i(d) \equiv S_i(h)$, and so $S_i(d)[\sigma_1$.

Case B, $t_1 \notin T_{o,i}$: Then, Si cannot distinguish between dσ1 and dt1. Since $S[dt_1$, it follows that $S_i(d)[\sigma_1$.

The cases above show that all supervisors Si that are able to disable t1 enable σ1 after $\sigma^o_1 \sigma^o_2 \ldots \sigma^o_f \sigma_2 \sigma_3 \ldots \sigma_g$. However, since S does not enable it, it follows that Sd does not implement the same specification (it is not as permissive as S). This is a contradiction. Therefore, lµ ≤ c must be globally d-admissible. □

Global d-admissibility for lµ ≤ c means that there is $\mathcal{C}$ such that for all µ0 and c ≥ lµ0, lµ ≤ c is d-admissible with respect to the collection of subsystems $\mathcal{C}$. A natural question is whether global d-admissibility is equivalent to d-admissibility at all µ0 and c ≥ lµ0 with sets $\mathcal{C}$ that may depend on µ0 and c. The answer is positive, as stated by the following consequence of Theorem 4.11.

Corollary 4.12

Let Lµ ≤ b proper be given. Lµ ≤ b is globally d-admissible iff for all µ0 and b ≥ Lµ0, Lµ ≤ b is d-admissible.

Proof: The necessity is obvious. For the sufficiency proof, the supervisor Sd of Theorem 4.11 can be constructed using Algorithm 4.2. Then, Theorem 4.4 guarantees that Sd is feasible and as permissive as S. Finally, the conclusion follows by Theorem 4.11. □

Remarks:

1. Theorem 4.11 reveals the significance of global d-admissibility. It shows that supervisors achieving the optimal performance of S exist for all µ0 and b (with b ≥ Lµ0) iff Lµ ≤ b is globally d-admissible. In fact, given Lµ ≤ b that is not globally d-admissible, the proof of Theorem 4.11 can also be used to identify an infinite set of pairs (µ0, b) for which Lµ ≤ b cannot be exactly implemented by any supervisors of (N, µ0, Tc,1 ... Tc,n, To,1 ... To,n).

2. Recall, Algorithm 4.5 has a negligible complexity when the estimates $\tilde{T}_c = C^\bullet$ and $\tilde{T}_o = {}^\bullet C \cup C^\bullet$ are used instead of $T_c^M$ and $T_o^M$. Note that under this circumstance the class of constraints identified by Algorithm 4.5 as d-admissible is precisely the class of globally d-admissible constraints. In this light, the results of this section reveal the significance of a class of constraints that is important from a computational viewpoint.

4.6 Design with Distribution of Central Supervisory Policies

The previous section has shown that the design of supervisors enforcing d-admissible constraints can be done easily, as in Algorithm 4.2. It remains to consider the enforcement of constraints that are not d-admissible. Two main approaches are possible here. One is to solve the problem first in a centralized setting, by assuming all locally observable and controllable transitions as observable and controllable to a central supervisor. Then, a communication policy could be used for a decentralized implementation of the centralized solution. Alternatively, another approach is to solve the problem directly in the decentralized setting. While the first approach is expected to result in more permissive supervisors, the second approach could be used to obtain solutions with less or no communication. The first approach is considered in this section, while the second will be treated in section 4.7.

In our decentralized setting, communication can be used to increase the sets Tc,i and To,i of controllable and observable transitions in a subsystem i. This is achieved by transmitting control decisions/transition firings to/from a subsystem in which the transition of interest is controllable/observable. Note that given a set $\mathcal{C}$, communication cannot increase $T_o = \bigcap_{i \in \mathcal{C}} T_{o,i}$ above the attainable upper bound $\overline{T}_o \supseteq T_o$, where $\overline{T}_o = \bigcup_{i=1\ldots n} T_{o,i}$. In the same way, $T_c = \bigcup_{i \in \mathcal{C}} T_{c,i}$ cannot be increased above $\overline{T}_c = \bigcup_{i=1\ldots n} T_{c,i}$. Indeed, $T \setminus \overline{T}_c$ ($T \setminus \overline{T}_o$) is the set of transitions uncontrollable (unobservable) in all subsystems.

As an illustration, consider the system of Figure 4.2 with Tc,1 = To,1 = {t1, t2} and Tc,2 = To,2 = {t3, t4}. Then, the constraint µ1 + µ3 ≤ 1 is clearly not d-admissible. However, by communicating the firings of the transitions t1 and t2 to the right subsystem and of t3 and t4 to the left subsystem, the sets of locally observable transitions become $T'_{o,1} = T'_{o,2} = \{t_1, t_2, t_3, t_4\}$, the constraint becomes d-admissible, and the supervisory solution of Figure 4.3 can be again used.

We begin with an algorithm that uses only the communication of transition firings, without resorting to the transmission of control decisions. In the algorithm, a set $\mathcal{C}$ is found such that Tc contains all transitions that need to be controlled. Then, To is increased, as needed, by communication.

Algorithm 4.13 Decentralized Supervisor Design With Local Control

1. Is the specification c-admissible with respect to $(\mathcal{N}, \overline{T}_c, \overline{T}_o)$? If not, transform it to be c-admissible (for instance, an approach of [125] could be used).

2. Let S be the centralized SBPI supervisor enforcing the specification. Let Tcs be the set of transitions controlled by S and Tos the set of transitions detected by S.

3. Find a set $\mathcal{C}$ such that $T_c = \bigcup_{i \in \mathcal{C}} T_{c,i} \supseteq T_{cs}$.[5]

4. In view of the d-admissibility requirement that $\bigcap_{i \in \mathcal{C}} T_{o,i} \supseteq T_{os}$, the communication is designed as follows: for all $t \in T_{os} \cap (\bigcup_{i \in \mathcal{C}} T_{uo,i})$, a subsystem j such that t ∈ To,j transmits the firings of t to all supervisors Sk with t ∈ Tuo,k and k ∈ $\mathcal{C}$.

5. Design the decentralized supervisor by applying Algorithm 4.2 to N, $\mathcal{C}$ and $T'_{o,i} = T_{o,i} \cup T_{os}$ ∀i ∈ $\mathcal{C}$.

Remarks:

1. No communication arises when $T_{os} \cap (\bigcup_{i \in \mathcal{C}} T_{uo,i}) = \emptyset$.

2. The algorithm does not take into account communication limitations, such as bandwidth limitations of the communication channel. Bandwidth limitations can be considered in the approach described in the next section.

3. In this solution communication is used only to make some locally unobservable transitions observable; there is no remote control of locally uncontrollable transitions.

4. This solution tends to require less communication than a centralized solution. Indeed, a central supervisor not only needs to send the control decisions to the local subsystems, but also to remotely observe all transitions in Tos.

5. The only way the algorithm can fail is at step 1, when the specification is inadmissible and the transformations to an admissible form fail.

[5] At least one solution exists, $\mathcal{C} = \{1 \ldots n\}$. This can be seen from the fact that S admissible w.r.t. $(\mathcal{N}, \overline{T}_c, \overline{T}_o)$ implies $T_{cs} \subseteq \overline{T}_c$, and from $\overline{T}_c = \bigcup_{i=1\ldots n} T_{c,i}$.

Proposition 4.14

The decentralized supervisor is feasible and equally permissive to the centralized supervisor S enforcing the specification on $(\mathcal{N}, \overline{T}_c, \overline{T}_o)$.

Proof: Since S is admissible, $T_{cs} \subseteq \overline{T}_c$ and $T_{os} \subseteq \overline{T}_o$. Communication ensures that the sets of locally observable transitions become $T'_{o,i} = T_{o,i} \cup T_{os}$. It follows that the specification is d-admissible with respect to $(\mathcal{N}, T_{c,1}, \ldots T_{c,n}, T'_{o,1}, \ldots T'_{o,n})$ and so the conclusion follows by Theorem 4.4. □

Note that equivalent solutions that use a different communication strategy are possible. For instance, in the example of Figure 4.2, assume Tc,1 = To,1 = {t1, t2} and Tc,2 = To,2 = {t3, t4}. To enforce (4.4), Algorithm 4.13 produces $\mathcal{C} = \{1, 2\}$ and requires subsystem 1 to communicate t1 and t2 to subsystem 2, and subsystem 2 t3 and t4 to subsystem 1. This solution is illustrated in Figure 4.4(a). However, the solution of Figure 4.4(b) is also possible. In Figure 4.4(b), subsystem 1 remotely controls t4 and subsystem 2 communicates the transitions t3 and t4 to subsystem 1. Either of the two solutions could be better depending on the relative cost of communicating transitions versus the remote control of locally inaccessible transitions. Next, we show how the best solution can be found by minimizing a cost function.

To characterize communication, let αij and εij be binary variables defined as follows:

αij = 1 iff the transition tj is communicated to Si.

εij = 1 iff the transition tj is remotely controlled by Si.

Figure 4.4. Decentralized control with communication. (Figure not reproduced. In (a), subsystem 1 broadcasts t1, t2 and subsystem 2 broadcasts t3, t4; neither remotely controls a transition, and the control places C1 and C2 are both present. In (b), subsystem 1 remotely controls t4, subsystem 2 broadcasts t3, t4, and only the control place C1 is present.)

Recall that $S_i$ denotes the supervisor of subsystem $i$, $i = 1 \ldots n$. Note that in the broadcast case $\alpha_{ij} = \alpha_j$ $\forall i$ and $\varepsilon_{ij} = \varepsilon_j$ $\forall i$, where the latter means that either all or none of the supervisors $S_i$ are allowed to remotely control $t_j$. Note that in practice remote control could be implemented by allowing the supervisors to announce when their control decision ($t_j$ enabled or $t_j$ disabled) changes. Assume that the specification $L\mu \le b$ is proper and has $n_c$ constraints. Let $T_c^k$ ($T_o^k$) be the set of transitions that the centralized SBPI supervisor enforcing the $k$-th constraint controls (observes). Note that $T_c^k \subseteq T_{cs}$ and $T_o^k \subseteq T_{os}$. Let $\delta_{ik}$ denote binary variables indicating whether $S_i$ implements a control action for the constraint $k$. For instance, in Figure 4.4 there is only one constraint (namely (4.4)), so $k = 1$. In Figure 4.4(a) $\delta_{11} = \delta_{21} = 1$, while in Figure 4.4(b) $\delta_{11} = 1$ and $\delta_{21} = 0$, because $S_2$ controls nothing.

If $S_i$ implements a control action for the constraint $k$ (i.e. if $\delta_{ik} = 1$), then d-admissibility requires it to observe all transitions in $T_o^k$. This is written as

$$\alpha_{ij} \ge \delta_{ik} \qquad \forall j \in \{j : t_j \in T_o^k \setminus T_{o,i}\},\ \forall i = 1 \ldots n,\ \forall k = 1 \ldots n_c \qquad (4.6)$$

Further, every transition $t \in T_c^k$ needs to be controlled by some $S_i$. If $S_i$ controls $t_j \in T_c^k$ and $t_j \notin T_{c,i}$, then we need $\varepsilon_{ij} = 1$. Formally, $\forall t_j \in T_c^k\ \exists i = 1 \ldots n$: $\delta_{ik} = 1 \wedge [t_j \in T_{c,i} \vee (t_j \notin T_{c,i} \wedge \varepsilon_{ij} = 1)]$. This can be written as:

$$\sum_{i=1}^{n} \delta_{ik} \ge 1 \qquad \forall k = 1 \ldots n_c \qquad (4.7)$$

$$\delta_{xk} \le \varepsilon_{xj} + \sum_{i \in I_j} \delta_{ik} \qquad \forall x = 1 \ldots n,\ \forall j \in \{j : t_j \in T_c^k\},\ \forall k = 1 \ldots n_c \qquad (4.8)$$

where $I_j = \{i : t_j \in T_{c,i}\}$. Then we can use integer linear programming to minimize a cost of the form

$$\min \sum_{i,j} \alpha_{ij} c_{ij} + \sum_{i,j} \varepsilon_{ij} f_{ij} + \sum_{i,k} \delta_{ik} h_{ik} \qquad (4.9)$$

which penalizes communication and the number of supervisors implementing control. Now we can enhance Algorithm 4.13 with the following optimal communication policy:

Algorithm 4.15 Design with Optimal Communication Strategy

1. Is the specification c-admissible with respect to $(\mathcal{N}, T_c, T_o)$? If not, transform it to be c-admissible (for instance, an approach of [125] could be used).

2. Solve (4.9) subject to (4.6–4.8).

3. For each $k = 1 \ldots n_c$, apply Algorithm 4.2 on $\mathcal{N}$ with $\mathcal{C} = \{i : \delta_{ik} = 1\}$, $T_{c,i} = T_{c,i} \cup \{t_j : \varepsilon_{ij} = 1\}$, and $T_{o,i} = T_{o,i} \cup \{t_j : \alpha_{ij} = 1\}$.
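For an instance as small as Figure 4.4, the integer program (4.6)–(4.9) can be solved by plain enumeration. The following added example (not code from the dissertation) does this for two subsystems with $T_{c,1} = T_{o,1} = \{t_1, t_2\}$ and $T_{c,2} = T_{o,2} = \{t_3, t_4\}$; since the page does not give the net of Figure 4.2, it assumes that the centralized supervisor of (4.4) controls $T_c^1 = \{t_2, t_4\}$ and observes all four transitions, which reproduces solution (a) or (b) of Figure 4.4 depending on how remote control is priced.

```python
from itertools import product

# Local controllability/observability of the two subsystems, as in the text.
T_C = {1: {1, 2}, 2: {3, 4}}                 # T_{c,i}
T_O = {1: {1, 2}, 2: {3, 4}}                 # T_{o,i}
# What the centralized supervisor of constraint k = 1 controls/observes (assumption).
T_C_K = {1: {2, 4}}                          # T_c^k
T_O_K = {1: {1, 2, 3, 4}}                    # T_o^k
SUBS, CONS = sorted(T_C), sorted(T_C_K)
TRANS = sorted(set().union(*T_O.values()))


def feasible(alpha, eps, delta):
    """Constraints (4.6)-(4.8); a variable absent from a dict is fixed at 0."""
    for k in CONS:
        if sum(delta[i, k] for i in SUBS) < 1:               # (4.7)
            return False
        for i in SUBS:
            for j in T_O_K[k] - T_O[i]:                       # (4.6)
                if alpha.get((i, j), 0) < delta[i, k]:
                    return False
        for j in T_C_K[k]:                                    # (4.8)
            I_j = [i for i in SUBS if j in T_C[i]]
            for x in SUBS:
                if delta[x, k] > eps.get((x, j), 0) + sum(delta[i, k] for i in I_j):
                    return False
    return True


def cost(alpha, eps, delta, c, f, h):
    """Objective (4.9) with uniform weights c_ij = c, f_ij = f, h_ik = h."""
    return c * sum(alpha.values()) + f * sum(eps.values()) + h * sum(delta.values())


def describe(alpha, eps, delta):
    """Readable solution: implementing supervisors, communicated and remote transitions."""
    return {"implementing": tuple(i for (i, k), v in delta.items() if v),
            "communicated": tuple(sorted(f"t{j}->S{i}" for (i, j), v in alpha.items() if v)),
            "remote": tuple(sorted(f"S{i} ctrl t{j}" for (i, j), v in eps.items() if v))}


def solve(c=1, f=1, h=0):
    """Enumerate the binary variables; return (minimal cost, one optimal solution).
    Only alpha_ij with t_j locally unobservable and eps_ij with t_j locally
    uncontrollable are enumerated: the others never help (4.6) or (4.8), so
    with nonnegative weights they are 0 in some optimum."""
    a_keys = [(i, j) for i in SUBS for j in TRANS if j not in T_O[i]]
    e_keys = [(i, j) for i in SUBS for j in TRANS if j not in T_C[i]]
    d_keys = [(i, k) for i in SUBS for k in CONS]
    best = None
    for d_bits in product((0, 1), repeat=len(d_keys)):
        delta = dict(zip(d_keys, d_bits))
        for a_bits in product((0, 1), repeat=len(a_keys)):
            alpha = dict(zip(a_keys, a_bits))
            for e_bits in product((0, 1), repeat=len(e_keys)):
                eps = dict(zip(e_keys, e_bits))
                if feasible(alpha, eps, delta):
                    val = cost(alpha, eps, delta, c, f, h)
                    if best is None or val < best[0]:
                        best = (val, describe(alpha, eps, delta))
    return best


if __name__ == "__main__":
    print(solve(c=1, f=1, h=0))    # cheap remote control: one supervisor, Figure 4.4(b) style
    print(solve(c=1, f=10, h=0))   # expensive remote control: both supervisors, Figure 4.4(a)
```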

Remark 4.16 The decentralization approach of this section can be used for more general specifications. For instance, for a modular language specification $L_1 \wedge L_2 \wedge \ldots \wedge L_p$, Algorithm 4.15 changes as follows. The first step would ensure the specification is controllable and observable with respect to $(\mathcal{N}, T_c, T_o)$. The second step would be identical, once we let $T_c^k$ ($T_o^k$) denote the transitions that need to be controlled (observed) for the centralized enforcement of $L_k$. Then, at step 3, an algorithm similar to Algorithm 4.2 would be used to create "copies" of the centralized supervisor enforcing $L_k$ at each subsystem $i$ with $i \in \mathcal{C}$. □

Figure 4.5. Decentralized control example.

4.7 Design with Constraint Transformations

4.7.1 Supervision without Communication

In this section we propose a method for the transformation of constraints that are not d-admissible to constraints that are d-admissible. To ensure the specification will be satisfied, the new d-admissible constraints are to be at least as restrictive as the original constraints. As an illustration, consider the Petri net of Figure 4.2(a), this time with the initial marking $\mu_0 = [0, 3, 0, 3]^T$, $T_{c,1} = T_{o,1} = \{t_1, t_2\}$, $T_{c,2} = T_{o,2} = \{t_3, t_4\}$, and the desired constraint $\mu_1 + \mu_3 \le 2$. There is no way to transform $\mu_1 + \mu_3 \le 2$ to a single d-admissible constraint. However, we can transform it to two d-admissible constraints: $\mu_1 \le 1$ and $\mu_3 \le 1$, where the first is d-admissible for $\mathcal{C} = \{1\}$ and the second for $\mathcal{C} = \{2\}$. This solution is shown in Figure 4.5.

In the general case, the problem can be stated as follows: Given a set of constraints $L\mu \le b$ that is not d-admissible and the subsystem clusters $\mathcal{C}_1, \mathcal{C}_2, \ldots, \mathcal{C}_m$, find sets of constraints $L_1\mu \le b_1, \ldots, L_m\mu \le b_m$ d-admissible with respect to $\mathcal{C}_1, \mathcal{C}_2, \ldots, \mathcal{C}_m$, respectively, such that

$$(L_1\mu \le b_1 \wedge L_2\mu \le b_2 \wedge \ldots \wedge L_m\mu \le b_m) \Rightarrow L\mu \le b \qquad (4.10)$$

Remarks:

1. This framework includes the case when not all constraints $L_i\mu \le b_i$ are necessary to implement $L\mu \le b$, by allowing $L_i = 0$ and $b_i = 0$.

2. Note that $\mathcal{C}_1 \ldots \mathcal{C}_m$ are given, rather than calculated. This is not really a limitation. Indeed, there is a finite number of possible groups $\mathcal{C}_i$, namely $2^{|P|} - 1$. So, including all groups would guarantee that no possible solution of the form (4.10) is excluded. However, note that we may not need to include all $\mathcal{C}_i$'s. Indeed, it is to be expected that in practice most $\mathcal{C}_i$'s would have $T_o^{(i)} = \bigcap_{j \in \mathcal{C}_i} T_{o,j} = \emptyset$. (A supervisor of such a $\mathcal{C}_i$ observes no transitions, and so its control may only consist of disabling at all times some transitions; such a supervisor may often be undesirable.) For instance, if $T_{o,i} \cap T_{o,j} = \emptyset$ for all $i \ne j$, at most $n$ groups $\mathcal{C}_i$ have $T_o^{(i)} \ne \emptyset$, namely $\mathcal{C}_i = \{i\}$ for $i = 1 \ldots n$.

3. More restrictive solutions than in the centralized case are expected here. Note that any solution of (4.10) can be implemented in a centralized fashion. Indeed, if $L_i\mu \le b_i$ is d-admissible with respect to $\mathcal{C}_i$, then $L_i\mu \le b_i$ is c-admissible in $(\mathcal{N}, \bigcup_{i=1}^{n} T_{c,i}, \bigcup_{i=1}^{n} T_{o,i})$.

Our problem is more tractable if we replace (4.10) with the stronger condition below:

$$\left[\sum_{i=1}^{m} \alpha_i L_i \mu \le \sum_{i=1}^{m} \alpha_i b_i\right] \Rightarrow L\mu \le b \qquad (4.11)$$

where $\alpha_i$ are nonnegative scalars.⁶ Without loss of generality, (4.11) assumes that $L_1 \ldots L_m$ have the same number of rows. Again, without loss of generality, (4.11) can be replaced by

$$\left[\sum_{i=1}^{m} L_i \mu \le \sum_{i=1}^{m} b_i\right] \Rightarrow L\mu \le b \qquad (4.12)$$

⁶ In the literature, a relaxation of a hard problem that is similar to the relaxation from (4.10) to (4.11) is the S-procedure mentioned in [180] at page 62.

We further simplify our problem to

$$L_1 + L_2 + \ldots + L_m = R_1 + R_2 L \qquad (4.13)$$

$$b_1 + b_2 + \ldots + b_m = R_2(b + 1) - 1 \qquad (4.14)$$

for $R_1$ with nonnegative integer elements and $R_2$ diagonal with positive integers on the diagonal. Note that $[(R_1 + R_2 L)\mu \le R_2(b + 1) - 1] \Rightarrow L\mu \le b$ has been proved in [125].

It is known that a sufficient condition for the c-admissibility of a set of constraints $L\mu \le b$ is that $LD_{uc} \le 0$ and $LD_{uo} = 0$, where $D_{uc}$ and $D_{uo}$ are the restrictions of the incidence matrix $D$ to the sets of uncontrollable and unobservable transitions [125].

The admissibility requirements in our setting can then be written as

$$L_i D_{uc}^{(i)} \le 0 \qquad (4.15)$$

$$L_i D_{uo}^{(i)} = 0 \qquad (4.16)$$

where $D_{uc}^{(i)}$ and $D_{uo}^{(i)}$ are the restrictions of $D$ to the sets $T_{uc}^{(i)} = \bigcap_{j \in \mathcal{C}_i} T_{uc,j}$ and $T_{uo}^{(i)} = \bigcup_{j \in \mathcal{C}_i} T_{uo,j}$. Integer programming can be used to find a feasible solution to (4.13–4.16), where the unknowns are $R_1$, $R_2$, $L_i$, and $b_i$. In general it is difficult to find constraints or a cost function that guarantee that the least restrictive solution is found, when a least restrictive solution exists. However, given a finite set $M_I$ of markings of interest, it is possible to ensure that the feasible space of the solution will include the markings of $M_I$ by using the constraints:

$$L_i M \le b_i \mathbf{1}^T \qquad i = 1 \ldots m \qquad (4.17)$$

where $\le$ means that each element of $L_i M$ is less than or equal to the element of the same indices in $b_i \mathbf{1}^T$, $M$ is a matrix whose columns are the markings of $M_I$, and $\mathbf{1}^T$ is a row vector of appropriate dimension in which all elements are 1. The next result is an immediate consequence of our previous considerations.

Proposition 4.17

Any sets of constraints $L_i\mu \le b_i$ satisfying (4.13–4.17) are d-admissible and $\bigwedge_{i=1 \ldots n} [L_i\mu \le b_i] \Rightarrow L\mu \le b$.

4.7.2 Supervision with Communication

Here we extend the procedure of section 4.7.1 to the case in which communication is possible. Communication is used to relax the admissibility constraints (4.15) and (4.16) by reducing the number of locally uncontrollable or unobservable transitions. However, this reduction may be limited by various communication constraints, such as bandwidth limitations. The framework of this section allows communication constraints to be incorporated in the design process, and can be used to minimize communication by defining a cost function.

As in section 4.6, we use the binary variables $\alpha_{ij}$ and $\varepsilon_{ij}$ to describe the communication. Recall, $\alpha_{ij} = 1$ iff the firings of $t_j$ are communicated to $S_i$, and $\varepsilon_{ij} = 1$ iff $S_i$ can remotely control the firings of $t_j$. Note that we have the following constraints:

$$\forall t_j \in T \setminus T_o:\ \alpha_{ij} = 0 \qquad (4.18)$$

for $T_o = \bigcup_{i=1}^{n} T_{o,i}$, where $T \setminus T_o$ is the set of transitions that cannot be observed anywhere in the system. Similarly,

$$\forall t_j \in T \setminus T_c:\ \varepsilon_{ij} = 0 \qquad (4.19)$$

for $T_c = \bigcup_{i=1}^{n} T_{c,i}$. Let $B_L^i$ and $B_U^i$ be lower and upper bounds of $L_i D$. Then (4.16) can be relaxed to

$$\begin{aligned} L_i D(\cdot, t_j) &\le B_U^i(\cdot, t_j)\,\alpha_{xj} \\ L_i D(\cdot, t_j) &\ge B_L^i(\cdot, t_j)\,\alpha_{xj} \end{aligned} \qquad \forall t_j \in T_{uo}^{(i)},\ \forall x \in \{x \in \mathcal{C}_i : t_j \notin T_{o,x}\} \qquad (4.20)$$

This relaxes $L_i D_{uo}^{(i)} = 0$ by eliminating the constraints corresponding to the transitions of $T_{uo}^{(i)}$ that have their firings communicated to the supervisors of $\mathcal{C}_i$.

Similarly, (4.15) can also be relaxed by allowing the supervisors to remotely control transitions. Thus, if $t_j \in T_{uc}^{(i)}$, the admissibility requirement with respect to $t_j$ can be relaxed when the remote control of $t_j$ is allowed. Then, instead of (4.15) we have:

$$L_i D(\cdot, t_j) \le B_U^i(\cdot, t_j) \sum_{x \in \mathcal{C}_i} \varepsilon_{xj} \qquad \text{if } \mathcal{C}_i \cap \{x : t_j \in T_{c,x}\} = \emptyset \qquad (4.21)$$

Communication constraints stating that certain transitions cannot be remotely observed or controlled can be incorporated by setting coefficients $\alpha_{ij}$ and $\varepsilon_{ij}$ to zero. Constraints limiting the average network traffic can be incorporated as constraints of the form:

$$\sum_{i,j} \alpha_{ij} g_{ij} + \sum_{i,j} \varepsilon_{ij} h_{ij} \le p \qquad (4.22)$$

where $g_{ij}$, $h_{ij}$ and $p$ are scalars. As an example, the coefficients $g_{ij}$ could reflect average firing counts of the transitions over the operation of the system.

We may also choose to minimize the amount of communication involved in the system. Then we can formulate our problem as

$$\min \sum_{i,j} \alpha_{ij} c_{ij} + \sum_{i,j} \varepsilon_{ij} f_{ij} \qquad (4.23)$$

where the variables are $L_i$, $b_i$, $\alpha_{ij}$, $\varepsilon_{ij}$, $R_1$ and $R_2$, the coefficients $c_{ij}$ and $f_{ij}$ are given, and the minimization is subject to the constraints (4.13–4.14), (4.17), (4.18–4.21), and $\alpha_{ij}, \varepsilon_{ij} \in \{0, 1\}^{|T|}$. This problem can be solved using integer linear programming.

4.7.3 Liveness Constraints

A difficulty of this approach is that the permissiveness of the generated constraints can be hard to control. In the worst case, the generated constraints may cause parts of the system to unavoidably deadlock. Such a situation can be prevented by using a special kind of constraint, which we call liveness constraints.

A liveness constraint consists of a vector $x$ such that for all $i$: $L_i x \le 0$. A possible way to obtain such constraints is described next. Given a finite firing sequence $\sigma$, let $x_\sigma$ be a vector such that $x_\sigma(i)$ is the number of occurrences of the transition $t_i$ in $\sigma$. Given the Petri net of incidence matrix $D$ and the constraints $L\mu \le b$, let $y$ be a nonnegative integer vector such that $Dy \ge 0$ and $-LDy \ge 0$. A vector $y$ satisfying these inequalities has the following property. If $\sigma$ is a firing sequence such that (a) $\sigma$ can be fired without violating $L\mu \le b$ and (b) $x_\sigma = y$, then $\sigma$ can be fired infinitely often without violating $L\mu \le b$. However, if the decentralized control algorithm generates a constraint $L_i\mu \le b_i$ such that $L_i D y \not\le 0$, then any firing sequence $\sigma$ having $x_\sigma = y$ cannot be fired infinitely often in the closed loop. If such a situation is undesirable, the matrices $L_i$ can be required to satisfy $L_i x \le 0$ for $x = Dy$. An illustration will be given in section 4.8.

4.8 Example

This section illustrates the approach of section 4.7 on a manufacturing example adapted⁷ from [111]. The system is shown in Figure 4.6. It consists of two machines (M1 and M2), four robots (H1 ... H4), and four buffers of finite capacity (B1 ... B4). The events associated with the movement of the parts within the system are marked with Greek letters. There are two types of parts. The manufacturing process of the first type of parts is represented by the following sequence of events: γ1τ1π1α3τ3π3α1η1. The manufacturing process of the second kind of parts is represented by γ2τ4π4α2τ2π2α4η2. These processes can be represented by the Petri net of Figure 4.7.

⁷ Compared to the original example of [111], some changes have been made here to illustrate better our approach. We have followed closely the original example of [111] in [72], for (a) the overflow specification and (b) the fairness specification (with η1, α1 uncontrollable). By solving the integer programs of section 4.7, a solution as permissive as that of [111] was found for (a), but a more permissive solution was found for (b). (This is explained by the fact that the solution proposed in [111] for (b) was based on intuition and not on the computation of the supremal controllable sublanguage.)

Figure 4.6. A manufacturing system.

In the Petri net, the transitions are labeled by the events they represent, and the places by the names of the manufacturing components. For instance, a token in p16 indicates that M2 is idle, and a token in p8 indicates that M2 is working on a part of type 2 that has just entered the system. Furthermore, the number of parts in a buffer is the marking of the place modeling the buffer; for instance, µ13 represents the number of parts in B2 at the marking µ. The number of parts the machines M1 and M2 can process at the same time is µ1 + µ7 + µ11 + µ15 = n1 and µ4 + µ8 + µ14 + µ16 = n2, respectively. In [111], n1 = n2 = 1.

The first supervisory requirements are that the buffers do not overflow. Assuming that the buffers B1 and B2 share common space, the requirement can be written as:

µ3 + µ13 ≤ 2k (4.24)

where 2k is the maximum number of parts that can be in B1 and B2 at the same time. Similarly, if the buffers B3 and B4 share a common space of the same capacity, the constraint is

µ6 + µ10 ≤ 2k (4.25)

Figure 4.7. Petri net model of the system. [Figure: two process lines. Type 1: t1 (γ1) → p1 (M1) → t2 (τ1) → p2 (H1) → t3 (π1) → p3 (B1) → t4 (α3) → p4 (M2) → t5 (τ3) → p5 (H3) → t6 (π3) → p6 (B3) → t7 (α1) → p7 (M1) → t8 (η1). Type 2: t9 (γ2) → p8 (M2) → t10 (τ4) → p9 (H4) → t11 (π4) → p10 (B4) → t12 (α2) → p11 (M1) → t13 (τ2) → p12 (H2) → t14 (π2) → p13 (B2) → t15 (α4) → p14 (M2) → t16 (η2). The idle-machine places p15 (M1) and p16 (M2) are shared by both lines.]

Another requirement is that the number of completed parts of type 1 is about the same as the number of completed parts of type 2:

v8 − v16 ≤ u (4.26)

v16 − v8 ≤ u (4.27)

where v8 and v16 denote the number of firings of t8 and t16, respectively. In [111], u = 2. Note that constraints involving the vector v can be easily represented as marking constraints in a transformed Petri net, as shown in section 3.7.4 at page 45.

The constraints (4.24–4.25) are to be enforced assuming the following subsystems: Tc,1 = {t1} and To,1 = {t1, t2, t3, t4}, Tc,2 = {t4} and To,2 = {t4, t5, t6, t7, t8}, Tc,3 = {t9} and To,3 = {t9, t10, t11, t12}, Tc,4 = {t12, t15} and To,4 = {t12, t13, t14, t15, t16}. We take Ci = {i} for i = 1...4. Enforcing (4.24–4.25) for k = 2 results in the control places C1, C2, C3, and C4 shown in Figure 4.8. They correspond to the subsystems 1, 2, 3 and 4, respectively, and enforce µ1 + µ2 + µ3 ≤ 2, µ4 + µ5 + µ6 ≤ 2, µ8 + µ9 + µ10 ≤ 2, and µ11 + µ12 + µ13 ≤ 2.

Figure 4.8. Decentralized supervision. [Figure: the Petri net of Figure 4.7 with control places added; C1 and C2 are attached to the type 1 line, C3 and C4 to the type 2 line, and C5 and C6 are drawn between the two lines.]

In order to enforce (4.26–4.27), we need communication of events. Indeed, without communication there is no acceptable solution. For instance, a solution is to enforce µ4 + µ5 + µ6 + µ7 + v8 ≤ u in subsystem 2 and µ14 + v16 ≤ u in subsystem 4. However, this implies that the manufacturing system is constrained to produce no more than 2u parts! To exclude such solutions to the integer program (IP), we can introduce liveness constraints. In this example, we can add the liveness constraints Li x ≤ 0 for x = Dy and y = [1, 1, ..., 1]^T. This is to prevent the constraints generated by the algorithm from blocking the firing sequence t1 t2 ... t16 from occurring infinitely often. However, with this liveness constraint and no communication, the problem becomes infeasible. Therefore, since communication is necessary, we are interested in minimizing it. Assuming broadcast (αij = αj, εij = εj, for all i) and that the cost of remote control and remote observation is nonzero and equal (i.e., in (4.23) cij = fij), the following is an optimal solution:

µ4 + µ5 + µ6 + µ7 + v8 − v16 ≤ 2 (4.28)

µ14 + v16 − v8 ≤ 2 (4.29)

which involves communicating the occurrences of t8 and t16. The constraint (4.28) is implemented in the subsystem 2, and the constraint (4.29) in the subsystem 4.

In Figure 4.8, the two constraints are enforced by the control places C5 and C6.

Finally, note that in general the IP may have several solutions of the same cost.

Further, some may be more restrictive than others. For instance, in our example we could have µ11 + µ12 + µ13 + µ14 + v16 − v8 ≤ 2 instead of (4.29). Then, a second IP could be used to select a better solution, by minimizing the sum of the positive coefficients of the constraints, while requiring the other coefficients to stay less than or equal to zero (the second IP is also subject to the constraints of the first IP and to a constraint that fixes the communication cost to the minimal value previously computed).
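The admissibility test (4.15)–(4.16) with the communication relaxations (4.20)–(4.21), the implication (4.13)–(4.14), and the liveness constraint of section 4.7.3 can all be checked mechanically on this example. The following added Python (not code from the dissertation) does so on an incidence matrix reconstructed from the labels of Figure 4.7, with two counter places appended for v8 and v16 in the manner of section 3.7.4; the reconstruction and the unit arc weights are assumptions, as is the use of a single subsystem per cluster (Ci = {i}).

```python
NP, NT = 18, 16  # p1..p16 of Figure 4.7 plus counter places p17 = v8, p18 = v16

# (input places, output places) of t1..t16, read off the labels of Figure 4.7
# (assumed reconstruction; p15 and p16 are the idle places of M1 and M2).
ARCS = {1: ([15], [1]), 2: ([1], [2, 15]), 3: ([2], [3]), 4: ([3, 16], [4]),
        5: ([4], [5, 16]), 6: ([5], [6]), 7: ([6, 15], [7]), 8: ([7], [15, 17]),
        9: ([16], [8]), 10: ([8], [9, 16]), 11: ([9], [10]), 12: ([10, 15], [11]),
        13: ([11], [12, 15]), 14: ([12], [13]), 15: ([13, 16], [14]), 16: ([14], [16, 18])}


def incidence():
    """D with rows p1..p18 and columns t1..t16, all arc weights 1."""
    D = [[0] * NT for _ in range(NP)]
    for t, (pre, post) in ARCS.items():
        for p in pre:
            D[p - 1][t - 1] -= 1
        for p in post:
            D[p - 1][t - 1] += 1
    return D


D = incidence()


def row(coeffs):
    """Constraint row from {place: coefficient}; v8 is place 17, v16 is place 18."""
    lrow = [0] * NP
    for p, c in coeffs.items():
        lrow[p - 1] = c
    return lrow


def l_dot_col(lrow, t):
    """(l D)(t): the change of l*mu caused by one firing of t."""
    return sum(lrow[p] * D[p][t - 1] for p in range(NP))


def d_admissible(lrow, Tc, To, remote=(), communicated=()):
    """Sufficient condition (4.15)-(4.16) for one subsystem, relaxed as in
    (4.20)-(4.21): lD <= 0 on transitions neither locally nor remotely
    controlled, lD == 0 on transitions neither observed nor communicated.
    Returns (ok, offending (transition, reason) pairs)."""
    ctrl, obs = set(Tc) | set(remote), set(To) | set(communicated)
    bad = []
    for t in range(1, NT + 1):
        v = l_dot_col(lrow, t)
        if t not in ctrl and v > 0:
            bad.append((t, "uncontrollable, lD>0"))
        if t not in obs and v != 0:
            bad.append((t, "unobservable, lD!=0"))
    return (not bad, bad)


def liveness_ok(lrow, y):
    """Liveness constraint of section 4.7.3: l x <= 0 for x = D y."""
    x = [sum(D[p][t] * y[t] for t in range(NT)) for p in range(NP)]
    return sum(lrow[p] * x[p] for p in range(NP)) <= 0


def covers_original(parts, bounds, lrow, b):
    """(4.13)-(4.14) with R2 = I: the generated rows sum to l plus a nonnegative
    R1 and their bounds sum to b, so their conjunction implies l*mu <= b."""
    total = [sum(part[p] for part in parts) for p in range(NP)]
    return all(total[p] >= lrow[p] for p in range(NP)) and sum(bounds) == b


# Subsystems of section 4.8 and the constraints discussed there.
TC = {1: {1}, 2: {4}, 3: {9}, 4: {12, 15}}
TO = {1: {1, 2, 3, 4}, 2: {4, 5, 6, 7, 8}, 3: {9, 10, 11, 12}, 4: {12, 13, 14, 15, 16}}
BUFFER = {1: row({1: 1, 2: 1, 3: 1}), 2: row({4: 1, 5: 1, 6: 1}),       # C1..C4, k = 2
          3: row({8: 1, 9: 1, 10: 1}), 4: row({11: 1, 12: 1, 13: 1})}
NO_COMM_2 = row({4: 1, 5: 1, 6: 1, 7: 1, 17: 1})        # mu4+mu5+mu6+mu7+v8 <= u
NO_COMM_4 = row({14: 1, 18: 1})                          # mu14+v16 <= u
EQ_4_28 = row({4: 1, 5: 1, 6: 1, 7: 1, 17: 1, 18: -1})   # (4.28), subsystem 2
EQ_4_29 = row({14: 1, 18: 1, 17: -1})                    # (4.29), subsystem 4
Y_ALL_ONES = [1] * NT                                    # y = [1, ..., 1]^T


def check_example():
    """The claims of section 4.8 as named booleans."""
    return {
        "buffers_admissible": all(d_admissible(BUFFER[i], TC[i], TO[i])[0] for i in TC),
        "buffers_imply_4_24": covers_original([BUFFER[1], BUFFER[4]], [2, 2], row({3: 1, 13: 1}), 4),
        "buffers_imply_4_25": covers_original([BUFFER[2], BUFFER[3]], [2, 2], row({6: 1, 10: 1}), 4),
        "no_comm_admissible": d_admissible(NO_COMM_2, TC[2], TO[2])[0]
                              and d_admissible(NO_COMM_4, TC[4], TO[4])[0],
        "no_comm_live": liveness_ok(NO_COMM_2, Y_ALL_ONES),          # False: blocks the cycle
        "4_28_without_comm": d_admissible(EQ_4_28, TC[2], TO[2])[0],  # False: t16 unobserved
        "4_28_with_t16": d_admissible(EQ_4_28, TC[2], TO[2], communicated={16})[0],
        "4_29_with_t8": d_admissible(EQ_4_29, TC[4], TO[4], communicated={8})[0],
        "fair_live": liveness_ok(EQ_4_28, Y_ALL_ONES) and liveness_ok(EQ_4_29, Y_ALL_ONES),
    }
```

The offending-transition list returned by `d_admissible` names exactly the event that has to be communicated (t16 for (4.28), t8 for (4.29)).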

CHAPTER 5

GENERALIZED CONDITIONS FOR DEADLOCK PREVENTION AND LIVENESS ENFORCEMENT IN PETRI NETS

5.1 Introduction

This chapter presents new results characterizing deadlock, liveness, and $\mathcal{T}$-liveness in Petri nets. These results can be useful when dealing with the corresponding supervision problems: deadlock prevention, liveness enforcement, and $\mathcal{T}$-liveness enforcement. $\mathcal{T}$-liveness enforcement means ensuring that all transitions in a transition subset $\mathcal{T}$ of a Petri net are live. Deadlock prevention corresponds to preventing the system from reaching a state of total deadlock. Liveness corresponds to the stronger requirement that no local deadlock occurs, or in other words, all transitions are live. $\mathcal{T}$-liveness means that all transitions in the set $\mathcal{T}$ are live. The concept of $\mathcal{T}$-liveness is useful in problems in which some transitions correspond to undesirable system events (such as faults) or when the system model contains transitions modeling an initialization process. Unless otherwise stated, supervision in this chapter assumes all transitions controllable and observable. Note that this does not affect the generality of the main results of the chapter, as they deal with structural net properties rather than supervision.

A way to study the liveness properties of a Petri net uses the reachability graph. However, such an approach can only handle bounded Petri nets, needs the initial marking to be known, and requires reasonably small Petri nets, due to the state explosion problem. Unfolding has been proposed to reduce the computational burden [53]; however, the other two limitations remain. In this chapter we consider the structural approach to the liveness problem. The structural approach relies on the algebraic properties of the incidence matrix. Thus the initial marking is regarded as a parameter and unbounded Petri nets can be tackled. This work has been inspired by the incidence matrix properties of repetitive Petri nets (e.g. [128]). Related work includes [14], presenting among others an extension of the relation between deadlocked Petri nets and siphons to generalized Petri nets, and a generalization of the extension of Commoner's Theorem to asymmetric choice Petri nets. However, our supervisory perspective, our concern with $\mathcal{T}$-liveness and our consideration of arbitrary Petri nets, including nonrepetitive Petri nets, differentiate this work from previous results.

The contribution of this chapter is described in sections 5.3, 5.4, and 5.5. We begin in section 5.3.1 by characterizing the relation which exists among deadlock prevention, $\mathcal{T}$-liveness enforcement and liveness enforcement. Thus we answer the following questions: (a) Which are the Petri nets in which deadlock prevention, or $\mathcal{T}$-liveness enforcement, or liveness enforcement is possible? and (b) When is deadlock prevention equivalent to $\mathcal{T}$-liveness enforcement or liveness enforcement? We answer question (a) in Proposition 5.8, and question (b) in Theorems 5.10 and 5.11. Theorem 5.10 considers the case of the deadlock prevention supervisors which are not more restrictive than liveness or $\mathcal{T}$-liveness supervisors; Theorem 5.11 considers the general case. We conclude the first part of the chapter with Theorem 5.12, which states that the transitions of a Petri net can be divided in two classes: transitions which can be made live under an appropriate supervisor for some initial markings, and transitions which cannot be made live under any circumstances. Theorem 5.12 is very important for the further developments of the chapter.

The most important part of the chapter is section 5.3.2. In this section we show how to characterize Petri nets for deadlock prevention and liveness enforcement based on a special type of subnets. Thus we begin by defining what we call the active subnets of a Petri net. Then we define a special class of siphons, which we call active siphons. Proposition 5.17 is a necessary condition for deadlock which generalizes the known result that a deadlocked ordinary Petri net contains an empty siphon. Proposition 5.18 is a further extension, as it gives a sufficient condition in terms of empty active siphons for deadlock to be unavoidable. Commoner's Theorem on free-choice Petri nets has been extended to asymmetric-choice Petri nets [36]; see also [14]. We further extend the result in Theorem 5.19: we show that each dead transition is in the postset of an uncontrolled siphon. Then in Theorem 5.21 we give a necessary condition and a sufficient condition for $\mathcal{T}$-liveness in an asymmetric choice Petri net. These results apply also to EAC Petri nets, a new extension of asymmetric choice Petri nets defined in this chapter. Polynomial complexity algorithms for the computation of the active subnets are included in section 5.5.

In section 5.4 we discuss the significance of our results for deadlock prevention and $\mathcal{T}$-liveness enforcement. Examples are included. In sections 5.4.1 and 5.4.3 we consider deadlock prevention and $\mathcal{T}$-liveness enforcement. In section 5.4.2 we include Theorem 5.25, which shows how to do least restrictive deadlock prevention.

We conclude this chapter with section 5.5, that presents a number of algorithms.

Thus, section 5.5.1 presents algorithms for the computation of the various types of active subnets. Then, sections 5.5.2 and 5.5.3 present algorithms for the transformation of general Petri nets into the form required by some of the results introduced in section 5.3.2. All these algorithms are used in chapter 6, which presents procedures for deadlock prevention and $\mathcal{T}$-liveness enforcement. Finally, note that the material of this chapter represents the theoretical background of chapter 6.

5.2 Preliminaries

We denote a Petri net by $\mathcal{N} = (P, T, F, W)$, where $P$ is the set of places, $T$ the set of transitions, $F$ the set of transition arcs and $W$ the transition arc weight function. We use the symbol $\mu$ to denote a marking and we write $(\mathcal{N}, \mu_0)$ when we consider the Petri net $\mathcal{N}$ with the initial marking $\mu_0$. The incidence matrix of a Petri net is denoted by $D$, where the rows correspond to places and the columns to transitions. Also, by denoting a place by $p_i$ or a transition by $t_j$, we assume that $p_i$ corresponds to the $i$'th row of $D$ and $t_j$ to the $j$'th column of $D$. We use the notation $\mu \xrightarrow{\sigma} \mu'$ to express that the marking $\mu$ enables the firing sequence $\sigma$ and $\mu'$ is reached by firing $\sigma$.

A Petri net $\mathcal{N} = (P, T, F, W)$ is ordinary if $\forall f \in F$: $W(f) = 1$. We will refer to slightly more general Petri nets in which only the arcs from places to transitions have weights equal to one. We are going to call such Petri nets PT-ordinary, because all arcs $(p, t)$ from a place $p$ to a transition $t$ satisfy the requirement of an ordinary Petri net that $W(p, t) = 1$.

Definition 5.1 PT-ordinary Petri nets

Let $\mathcal{N} = (P, T, F, W)$ be a Petri net. We call $\mathcal{N}$ PT-ordinary if $\forall p \in P\ \forall t \in T$, if $(p, t) \in F$ then $W(p, t) = 1$.

An asymmetric choice Petri net is defined by the property that $\forall p_1, p_2 \in P$: if $p_1\bullet \cap p_2\bullet \ne \emptyset$ then $p_1\bullet \subseteq p_2\bullet$ or $p_2\bullet \subseteq p_1\bullet$.

A siphon is a set of places $S \subseteq P$, $S \ne \emptyset$, such that $\bullet S \subseteq S\bullet$. A siphon $S$ is minimal if there is no siphon $S' \subset S$. A siphon is empty at a marking $\mu$ if it contains no tokens. Given a Petri net $(\mathcal{N}, \mu_0)$, a controlled siphon is a siphon which is not empty at any reachable marking. A well known necessary condition for deadlock [143] is that a deadlocked ordinary Petri net contains at least one empty siphon. It can easily be seen that the proof of this result is also valid for PT-ordinary Petri nets.

Proposition 5.2

A deadlocked PT-ordinary Petri net contains at least one empty siphon.

In general we may not want all transitions to be live. For instance, some transitions of a Petri net may model faults and we want to ensure that some other transitions are live. This is the motivation of the next definition.

Definition 5.3 $\mathcal{T}$-liveness

Let $(\mathcal{N}, \mu_0)$ be a Petri net and $\mathcal{T}$ a subset of the set of transitions. We say that the Petri net is $\mathcal{T}$-live if all transitions $t \in \mathcal{T}$ are live.

A live transition is not the opposite of a dead transition. That is, a transition may be neither live nor dead. Indeed, a transition is live if there is no reachable marking for which it is dead. Note also that $\mathcal{T}$-liveness corresponds to liveness when the set $\mathcal{T}$ equals the set of all Petri net transitions. The supervisors of this chapter are defined as follows.

Definition 5.4 General Supervisors and Marking Based Supervisors

Let $\mathcal{N} = (P, T, F, W)$ be a Petri net, $\mathcal{M}$ the set of all markings of $\mathcal{N}$, $\mathcal{M}_0 \subseteq \mathcal{M}$ and $U \subseteq \mathcal{M} \times T^*$¹ such that $\forall \mu_0 \in \mathcal{M}_0$: $(\mu_0, \varepsilon) \in U$.² A supervisor is a map $\Xi : U \to 2^T$ such that $\forall (\mu, \sigma) \in U\ \forall t \in \Xi(\mu, \sigma)$, if $\mu \xrightarrow{t} \mu'$, then $(\mu', \sigma t) \in U$. We say that $\mathcal{M}_0$ is the set of initial markings for which $\Xi$ is defined. We also say that $\Xi$ is a marking based supervisor if $\Xi(\mu, \sigma)$ depends only on $\mu$ and $\forall (\mu, \sigma) \in U$: $\{\mu\} \times T^* \subseteq U$.

¹ $T^*$ is the set of all firing sequences with transitions in $T$.

² $\varepsilon \in T^*$ denotes the empty firing sequence.

A Petri net $(\mathcal{N}, \mu_0)$ supervised by $\Xi$ operates as follows: at every marking $\mu$ reached by firing some $\sigma$ from $\mu_0$ ($\mu_0 \xrightarrow{\sigma} \mu$), only transitions in $\Xi(\mu, \sigma)$ may fire. We denote by $(\mathcal{N}, \mu_0, \Xi)$ the supervised Petri net and by $\mathcal{R}(\mathcal{N}, \mu_0, \Xi)$ its set of reachable markings. A marking based supervisor is memoryless, as it only depends on the marking. We say that $\Xi_1$ is less restrictive (or more permissive) than $\Xi_2$ w.r.t. $(\mathcal{N}, \mu_0)$ if the set of firing sequences fireable from $\mu_0$ in $(\mathcal{N}, \mu_0, \Xi_2)$ is a proper subset of the set of firing sequences fireable from $\mu_0$ in $(\mathcal{N}, \mu_0, \Xi_1)$. We say that deadlock can be prevented in a Petri net $\mathcal{N}$ if there is an initial marking $\mu_0$ and a supervisor $\Xi$ such that $(\mathcal{N}, \mu_0, \Xi)$ is deadlock-free. We say that liveness ($\mathcal{T}$-liveness) can be enforced in $\mathcal{N}$ if there is an initial marking $\mu_0$ and a supervisor $\Xi$ such that $(\mathcal{N}, \mu_0, \Xi)$ is live ($\mathcal{T}$-live). It is known that if $(\mathcal{N}, \mu_0)$ is live, then $(\mathcal{N}, \mu)$ with $\mu \ge \mu_0$ may not be live. The same is true for deadlock-freedom, as shown in Figure 5.1.

The next result shows that if liveness ($\mathcal{T}$-liveness) is enforceable at marking $\mu$ or if deadlock can be prevented at $\mu$, then the same is true for all markings $\mu' \ge \mu$.

Proposition 5.5

If a supervisor $\Xi : U \to 2^T$ which prevents deadlock (enforces ($\mathcal{T}$-)liveness) in $(\mathcal{N}, \mu_0)$ exists, then for all $\mu \ge \mu_0$ there is a supervisor which prevents deadlock (enforces ($\mathcal{T}$-)liveness) in $(\mathcal{N}, \mu)$.

Proof: Let $\mu_1 \ge \mu_0$. A deadlock prevention supervisor of $(\mathcal{N}, \mu_1)$ is $\Xi_1$ defined by

$$\Xi_1(\mu + \mu_1 - \mu_0, \sigma) = \begin{cases} \Xi(\mu, \sigma) & \text{for } (\mu, \sigma) \in U \\ \emptyset & \text{otherwise} \end{cases}$$

□

As we prove in the next section, the Petri net structures in which liveness can be enforced (for some initial markings) are the repetitive Petri nets, and the Petri net structures in which deadlock can be prevented are the partially repetitive Petri nets. We include below their formal definition from [128].

Figure 5.1. A Petri net which is live for the initial marking $\mu_0$ shown in (a) and not even deadlock-free for the initial marking $\mu \ge \mu_0$ shown in (b).

Definition 5.6 (Partially) repetitive Petri nets

A Petri net is said to be (partially) repetitive if there is a marking $\mu_0$ and a firing sequence $\sigma$ from $\mu_0$ such that every (some) transition occurs infinitely often in $\sigma$.

The following theorem can be found in [128]. It provides a convenient means to check whether a Petri net is (partially) repetitive, based on the incidence matrix $D$. Linear programming techniques can be used to implement the test.

Theorem 5.7

A Petri net is (partially) repetitive if and only if a vector $x$ of positive (nonnegative) integers exists, such that $Dx \ge 0$ and $x \ne 0$.

5.3 Results

5.3.1 Conditions for Deadlock Prevention and Liveness Enforcement

The analysis of this section ignores controllability and observability issues. Therefore, some of the results introduced here are restricted to fully controllable and observable Petri nets.

In general it may not be possible to enforce liveness or to prevent deadlock in an arbitrary given Petri net. This may happen because the initial marking is inappropriate or because the structure of the Petri net is incompatible with such a supervision purpose. The next proposition characterizes the structure of Petri nets which allow supervision for deadlock prevention and liveness enforcement, respectively. It shows that Petri nets in which liveness is enforceable are repetitive, and Petri nets in which deadlock is avoidable are partially repetitive. Part (b) of the proposition also appears in [157].

Proposition 5.8

Let $\mathcal{N} = (P, T, F, W)$ be a Petri net.

(a) Initial markings $\mu_0$ exist such that deadlock can be prevented in $(\mathcal{N}, \mu_0)$ if and only if $\mathcal{N}$ is partially repetitive.

(b) Initial markings $\mu_0$ exist such that liveness can be enforced in $(\mathcal{N}, \mu_0)$ if and only if $\mathcal{N}$ is repetitive.

(c) Initial markings $\mu_0$ exist such that $\mathcal{T}$-liveness can be enforced in $(\mathcal{N}, \mu_0)$ if and only if there is an initial marking $\mu_0$ enabling an infinite firing sequence in which all transitions of $\mathcal{T}$ appear infinitely often.

Proof: (a) If deadlock can be avoided in $(\mathcal{N}, \mu_0)$ then $\mu_0$ enables some infinite firing sequence $\sigma$, and by definition $\mathcal{N}$ is partially repetitive. If $\mathcal{N}$ is partially repetitive, then let $\mu_0$ and $\sigma$ be as in Definition 5.6; we define $\Xi$ such that it only allows $\sigma$ to fire from $\mu_0$. Then $\Xi$ prevents deadlock.

(b) and (c) The proof is similar to (a). □

If $\mathcal{N}$ is partially repetitive, a constructive way to obtain an initial marking for which deadlock can be prevented or ($\mathcal{T}$-)liveness can be enforced is implied by Theorem 5.7. Let $x$ be as in Theorem 5.7 and $\sigma_x = t_{x,1} \ldots t_{x,k}$ a firing sequence associated to a Parikh vector $v = x$. Let $v_1$ denote the Parikh vector after the first transition of $\sigma_x$ fired, $v_2$ after the first two fired, and so on to $v_k = v$. If the rows of $D$ are $d_1^T, d_2^T, \ldots, d_{|P|}^T$, $\delta_{i,j} = W(p_i, t_{x,j})$ if $t_{x,j} \in p_i\bullet$ and $\delta_{i,j} = 0$ otherwise, then a marking which enables $\sigma_x$ is

$$\mu_0(p_i) = \max\left\{0,\ \delta_{i,1},\ \max_{j = 1 \ldots k-1}\left(\delta_{i,j+1} - d_i^T v_j\right)\right\} \qquad i = 1 \ldots |P| \qquad (5.1)$$

At least one deadlock prevention strategy exists for $\mu_0$: to allow only the firing sequence $\sigma_x, \sigma_x, \sigma_x, \ldots$ to fire. This infinite firing sequence is enabled by $\mu_0$ because $\mu_0 + Dx \ge \mu_0$ and $\mu_0$ enables $\sigma_x$.
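Theorem 5.7 and the construction (5.1) can be exercised on a small net. The following added Python (not code from the dissertation) replaces the linear program of Theorem 5.7 by a bounded enumeration of $x$, classifies the net, and computes $\mu_0$ from (5.1) for a chosen ordering $\sigma_x$; the three-place net is constructed for illustration ($t_1 : p_1 \to 2p_2$, $t_2 : 2p_2 \to p_1$, $t_3 : p_1 \to p_3$), so it is partially repetitive but not repetitive because $t_3$ drains $p_1$.

```python
from itertools import product

# Constructed net: t1: p1 -> 2 p2, t2: 2 p2 -> p1, t3: p1 -> p3 (arc weights shown).
PRE = {1: {1: 1}, 2: {2: 2}, 3: {1: 1}}   # W(p, t) for arcs p -> t
POST = {1: {2: 2}, 2: {1: 1}, 3: {3: 1}}  # W(t, p) for arcs t -> p
NP, NT = 3, 3


def incidence(pre, post, n_p, n_t):
    """D[i][j] = W(t_j, p_i) - W(p_i, t_j), rows are places, columns transitions."""
    D = [[0] * n_t for _ in range(n_p)]
    for t in range(1, n_t + 1):
        for p, w in pre[t].items():
            D[p - 1][t - 1] -= w
        for p, w in post[t].items():
            D[p - 1][t - 1] += w
    return D


def matvec(D, x):
    return [sum(D[i][j] * x[j] for j in range(len(x))) for i in range(len(D))]


def repetitive_vectors(D, bound=3):
    """Nonnegative integer x != 0 with D x >= 0 and entries <= bound (Theorem 5.7);
    enumeration stands in for the LP, so a bound that is too small can miss x."""
    n_t = len(D[0])
    return [x for x in product(range(bound + 1), repeat=n_t)
            if any(x) and all(v >= 0 for v in matvec(D, x))]


def classify(D, bound=3):
    """'repetitive' (some x with all entries positive), 'partially repetitive'
    (some x != 0) or 'neither', within the enumeration bound."""
    sols = repetitive_vectors(D, bound)
    if any(all(xi > 0 for xi in x) for x in sols):
        return "repetitive"
    return "partially repetitive" if sols else "neither"


def initial_marking(D, pre, sigma):
    """Equation (5.1): mu0(p_i) = max{0, delta_{i,1}, max_j (delta_{i,j+1} - d_i^T v_j)},
    with delta_{i,j} = W(p_i, t_{x,j}) and v_j the Parikh vector of the first j firings."""
    n_p, n_t = len(D), len(D[0])
    v = [0] * n_t
    mu0 = [0] * n_p
    for t in sigma:
        for i in range(n_p):
            delta = pre[t].get(i + 1, 0)
            # tokens the next firing needs, minus what the firings so far have added
            mu0[i] = max(mu0[i], delta - sum(D[i][k] * v[k] for k in range(n_t)))
        v[t - 1] += 1
    return mu0


def fire(mu, pre, D, t):
    """Fire t if enabled at mu; return the new marking, or None if t is not enabled."""
    if any(mu[p - 1] < w for p, w in pre[t].items()):
        return None
    return [mu[i] + D[i][t - 1] for i in range(len(mu))]


def run(mu, pre, D, sigma, repeats=1):
    """Fire sigma `repeats` times from mu; return the final marking or None."""
    for _ in range(repeats):
        for t in sigma:
            mu = fire(mu, pre, D, t)
            if mu is None:
                return None
    return mu


if __name__ == "__main__":
    D = incidence(PRE, POST, NP, NT)
    print(classify(D))                          # partially repetitive
    mu0 = initial_marking(D, PRE, [1, 2])       # sigma_x = t1 t2, Parikh vector (1, 1, 0)
    print(mu0, run(mu0, PRE, D, [1, 2], repeats=5))   # mu0 is returned to after each pass
```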

Note that if a deadlock prevention supervisor $\Xi$ exists for $(\mathcal{N}, \mu_0)$, then a marking based deadlock prevention supervisor $\Xi_m$ exists for $(\mathcal{N}, \mu_0)$ such that $\Xi$ is at least as restrictive as $\Xi_m$. The same is true for liveness and $\mathcal{T}$-liveness enforcing supervisors. Indeed, let $\sigma^{(j)} = t_1^{(j)} t_2^{(j)} t_3^{(j)} \ldots$, for $j = 1, 2, \ldots$, be the infinite firing sequences which can fire from $\mu_0$ in $(\mathcal{N}, \mu_0, \Xi)$; for all $i, j = 1, 2, \ldots$ let $\mu_i^{(j)}$ be the marking reached after firing $t_1^{(j)} \ldots t_i^{(j)}$ from $\mu_0$ and $\sigma_{i,\infty}^{(j)} = t_i^{(j)} t_{i+1}^{(j)} \ldots$. We take $\Xi_m(\mu) = \{t : \exists i \ge 1,\ j \text{ such that } \mu = \mu_{i-1}^{(j)} \text{ and } t = t_i^{(j)}\}$. Hence $\forall \mu \in \mathcal{R}(\mathcal{N}, \mu_0, \Xi_m)$ $\exists i, j$ such that $\sigma_{i,\infty}^{(j)}$ is fireable from $\mu$ in $(\mathcal{N}, \mu_0, \Xi_m)$. From a marking based supervisory perspective, it is known that if a liveness enforcing supervisor exists, the least restrictive liveness enforcing supervisor also exists [157]. The same is true for deadlock prevention and $\mathcal{T}$-liveness enforcing supervisors. This is true also for the more general supervisors of Definition 5.4. This follows easily from the fact that given $\Xi_1$ and $\Xi_2$, a supervisor at least as permissive as each of $\Xi_1$ and $\Xi_2$ is $\Xi = \Xi_1 \vee \Xi_2$, which allows a transition to fire if either of $\Xi_1$ or $\Xi_2$ allows it.

Next we introduce a technical result which is necessary in order to prove some of the main results in this chapter.

Lemma 5.9

Let N = (P, T, F, W) be a Petri net of incidence matrix D. Assume that there is an initial marking $\mu_I$ which enables an infinite firing sequence σ. Let U ⊆ T be the set of transitions which appear infinitely often in σ. There is a nonnegative integer vector x satisfying (a) and (b) below:

(a) Dx ≥ 0, $\forall t_i \in U$: x(i) ≠ 0, and $\forall t_i \in T \setminus U$: x(i) = 0.

(b) There is a firing sequence $\sigma_x$ containing only the transitions with x(i) ≠ 0, such that $\exists \mu_1^*, \mu_2^* \in R(N, \mu_I)$: $\mu_1^* \xrightarrow{\sigma_x} \mu_2^*$, each transition $t_i$ appears x(i) times in $\sigma_x$, σ can be written as $\sigma = \sigma_a \sigma_x \sigma_b$, and $\mu_I \xrightarrow{\sigma_a} \mu_1^*$.

Proof: Note that σ can be written as $\sigma_0 \sigma'$, where $\sigma_0$ is finite and $\sigma'$ contains only transitions in U. Let $\mu_0$ be the marking such that $\mu_I \xrightarrow{\sigma_0} \mu_0$. We further decompose $\sigma'$ as $\sigma_1 \sigma_2 \ldots \sigma_k \ldots$ such that each $\sigma_k$ is finite and in each $\sigma_k$ all transitions of U appear at least once. Let $\mu_1, \mu_2, \ldots, \mu_k, \ldots$ be such that $\mu_{k-1} \xrightarrow{\sigma_k} \mu_k$ for k = 1, 2, .... By Dickson's Lemma (see Lemma 17 in [37]) ∃j, k with j < k such that $\mu_j \le \mu_k$. Let x be the Parikh vector of $\sigma_{j+1} \ldots \sigma_k$. Then $Dx = \mu_k - \mu_j \ge 0$, x(i) > 0 $\forall t_i \in U$ (each $\sigma_l$ contains every transition of U) and x(i) = 0 $\forall t_i \in T \setminus U$. Also we take $\sigma_a = \sigma_0 \sigma_1 \ldots \sigma_j$, $\sigma_x = \sigma_{j+1} \ldots \sigma_k$, $\sigma_b = \sigma_{k+1} \sigma_{k+2} \ldots$, $\mu_1^* = \mu_j$, and $\mu_2^* = \mu_k$. □

In order to characterize the supervisors which prevent deadlock, or enforce liveness or 𝒯-liveness, we define the properties (P1), (P2) and (P3) below, in which N = (P, T, F, W) is a Petri net, 𝒯 ⊆ T, and σ denotes a nonempty firing sequence.

(P1) $\exists\sigma\ \exists\mu_1, \mu_1' \in R(N, \mu)$: $\mu_1 \xrightarrow{\sigma} \mu_1'$ and $\mu_1' \ge \mu_1$.

(P2) $\exists\sigma\ \exists\mu_1, \mu_1' \in R(N, \mu)$: $\mu_1 \xrightarrow{\sigma} \mu_1'$, $\mu_1' \ge \mu_1$, and all transitions of T appear in σ.

(P3) $\exists\sigma\ \exists\mu_1, \mu_1' \in R(N, \mu)$: $\mu_1 \xrightarrow{\sigma} \mu_1'$, $\mu_1' \ge \mu_1$, and all transitions of 𝒯 appear in σ.

In general, supervisors guaranteed to prevent deadlock are easier to obtain than supervisors guaranteed to enforce liveness or 𝒯-liveness. For some problems, obtaining certain deadlock prevention supervisors is enough to guarantee that they are also liveness or 𝒯-liveness enforcing supervisors. The following theorem addresses this situation by characterizing the relations between supervisors preventing deadlock and supervisors enforcing (𝒯-)liveness. In general, we may expect deadlock prevention supervisors to be at least as permissive as the supervisors enforcing the stronger requirement of liveness or 𝒯-liveness. These are the kind of deadlock prevention supervisors considered in parts (d) and (e) of the following theorem.

Theorem 5.10 Deadlock prevention versus (𝒯-)liveness enforcement

Let N = (P, T, F, W) be a Petri net and 𝒯 ⊆ T.

(a) Deadlock can be prevented in (N, µ) if and only if (P1) is true.

(b) Liveness can be enforced in (N, µ) if and only if (P2) is true.

(c) 𝒯-liveness can be enforced in (N, µ) if and only if (P3) is true.

(d) Let µ0 be an arbitrary marking for which liveness can be enforced, $\Xi_L$ the least restrictive liveness enforcing supervisor of (N, µ0), and 𝒮 the set of all deadlock prevention supervisors of (N, µ0) at least as permissive as $\Xi_L$. Then all Ξ ∈ 𝒮 enforce liveness in (N, µ0) if and only if ∀µ ∈ R(N, µ0): (P1) ⇒ (P2).

(e) Let µ0 be an arbitrary marking for which 𝒯-liveness can be enforced, $\Xi_L$ the least restrictive 𝒯-liveness enforcing supervisor of (N, µ0), and 𝒮 the set of all deadlock prevention supervisors of (N, µ0) at least as permissive as $\Xi_L$. Then all Ξ ∈ 𝒮 enforce 𝒯-liveness in (N, µ0) if and only if ∀µ ∈ R(N, µ0): (P1) ⇒ (P3).

Proof: (a) If (P1) is true, then a deadlock prevention strategy is to first allow only a firing sequence that leads from µ to $\mu_1$, and then only the infinite firing sequence σ, σ, σ, .... On the other hand, if deadlock can be prevented, there is an infinite firing sequence enabled by the initial marking. Then, by Lemma 5.9, it follows that (P1) is true.

(b) This is a particular case of (c) for 𝒯 = T.

(c) The first part of the proof is similar to (a). If 𝒯-liveness can be enforced, there is an infinite firing sequence σ enabled by the initial marking, and the transitions in 𝒯 appear infinitely often in σ. Then (P3) follows by Lemma 5.9.

(d) This is a particular case of (e) for 𝒯 = T.

(e) (⇒) Assume the contrary: ∃µ ∈ R(N, µ0) such that (P1) is true and (P3) is not. Note that the least restrictive deadlock prevention supervisor of (N, µ0), $\Xi_D$, is in 𝒮. By part (a), deadlock can be prevented at the marking µ, so µ ∈ R(N, µ0, $\Xi_D$). However, by part (c), (N, µ) cannot be made 𝒯-live, so $\Xi_D$ does not enforce 𝒯-liveness, which is a contradiction.

(⇐) Since 𝒯-liveness can be enforced at µ0, deadlock can be prevented at µ0, so 𝒮 is nonempty. Let Ξ ∈ 𝒮. The proof checks that for all µ ∈ R(N, µ0, Ξ) there is a firing sequence enabled by µ, accepted by Ξ, which includes all transitions in 𝒯. Let µ ∈ R(N, µ0, Ξ). Since deadlock is prevented, (P1) is true at µ, and hence (P3) is true at µ. Let $\Xi_x$ be the supervisor that enforces 𝒯-liveness in (N, µ0) by firing only $\sigma_1 \sigma_2 \sigma \sigma \sigma \ldots$, where $\mu_0 \xrightarrow{\sigma_1} \mu \xrightarrow{\sigma_2} \mu_1$, and σ, µ and $\mu_1$ are the variables from (P3). Since $\Xi_L$ is the least restrictive 𝒯-liveness enforcing supervisor and Ξ is at least as permissive as $\Xi_L$, Ξ is at least as permissive as $\Xi_x$. Thus Ξ allows $\sigma_2 \sigma$ to fire from µ. Therefore all transitions of 𝒯 appear in some firing sequence enabled by µ and allowed by Ξ. □

In practice it may be difficult to check (P1) ⇒ (P2) or (P1) ⇒ (P3) in order to see whether a deadlock prevention supervisor will also enforce liveness or 𝒯-liveness.

In contrast, the conditions of the next theorem can be easily verified using linear programming.

Theorem 5.11

Let N = (P, T, F, W) be a Petri net, D its incidence matrix, 𝒯 ⊆ T, n = |T| the number of transitions, and

$$M = \{x \in \mathbb{N}^n : x \ne 0,\ Dx \ge 0\},\qquad N = \{x \in M : \forall i = 1 \ldots n:\ x(i) \ne 0\},\qquad P = \{x \in M : \forall t_i \in \mathcal{T}:\ x(i) \ne 0\}.$$

(a) The following statements are equivalent:

(i) M ≠ ∅ and M = N;

(ii) supervisors which prevent deadlock exist for some initial marking, and for all such initial markings µ0 all supervisors preventing deadlock in (N, µ0) also enforce liveness in (N, µ0).

(b) The following statements are equivalent:

(i) M ≠ ∅ and M = P;

(ii) supervisors which prevent deadlock exist for some initial marking, and for all such initial markings µ0 all supervisors preventing deadlock in (N, µ0) also enforce 𝒯-liveness in (N, µ0).

(c) The following statements are equivalent:

(i) N ≠ ∅ and N = P;

(ii) supervisors which enforce 𝒯-liveness exist for some initial marking, and for all such initial markings µ0 all supervisors enforcing 𝒯-liveness in (N, µ0) also enforce liveness in (N, µ0).

Proof: (a) This is a particular case of (b) for 𝒯 = T.

(b) [(i) ⇒ (ii)] Since M ≠ ∅, a marking µ0 for which a deadlock prevention supervisor exists can be found as in equation (5.1). Let µ0 be an initial marking for which deadlock prevention supervisors exist and Ξ a deadlock prevention supervisor of (N, µ0). We show that there is no reachable marking such that a transition in 𝒯 is dead. Let µ ∈ R(N, µ0, Ξ). Since Ξ prevents deadlock, there is an infinite firing sequence σ enabled by µ and allowed by Ξ. Using Lemma 5.9 for $\mu_I = \mu$, we see that while firing σ a marking $\mu_1^*$ is reached such that $\mu_1^*$ enables the sequence $\sigma_x$ corresponding to some x ∈ M. But M = P, so all transitions in 𝒯 appear in $\sigma_x$. Therefore no transition in 𝒯 is dead at µ, so Ξ also enforces 𝒯-liveness.

[(ii) ⇒ (i)] Assume the contrary. Then there is a nonnegative integer vector x, x ≠ 0, such that Dx ≥ 0 and x(i) = 0 for some $t_i \in \mathcal{T}$. Let Ξ be a deadlock prevention supervisor for (N, µ0), where µ0 is such that it enables a firing sequence $\sigma_x$ defined as follows: $t_i$ appears in $\sigma_x$ if and only if x(i) ≠ 0, in which case it appears x(i) times. If Ξ is defined to only allow firing $\sigma_x \sigma_x \sigma_x \ldots$, then deadlock is prevented but 𝒯-liveness is not enforced, as $\sigma_x$ does not include all transitions of 𝒯. Contradiction.

(c) The proof is identical to (b) if we substitute in (b) 𝒯 with T, deadlock prevention with 𝒯-liveness enforcement, M with P, and P with N. □

Figure 5.2(a) shows an example for Theorem 5.11(a): all nonnegative vectors x such that Dx ≥ 0 are linear combinations with nonnegative coefficients of $[1, 2, 1, 1]^T$ and $[2, 3, 3, 3]^T$, so every such x has full support. Figure 5.2(b) shows an example for Theorem 5.10(d). Indeed, all markings µ that enable any of t1, t2 or t4 satisfy (P2). Also, a marking that enables only t3 either leads to deadlock or enables the sequence t3, t4 and hence satisfies (P2). Note that the deadlock prevention supervisor that repeatedly fires t2, t1 does not enforce liveness; this is no contradiction, because it does not satisfy the requirement of Theorem 5.10(d) to be at least as permissive as the least restrictive liveness enforcing supervisor $\Xi_L$.

[Figure 5.2 (diagrams not recoverable from the extracted text): (a) a Petri net illustrating Theorem 5.11(a); (b) a Petri net illustrating Theorem 5.10(d).]

Figure 5.2. Examples for Theorems 5.10 and 5.11

With regard to Theorem 5.10(d-e), note that the design of deadlock prevention supervisors at least as permissive as liveness enforcing supervisors has been demonstrated for instance in [73, 74, 76, 102]. A deadlock prevention technique satisfying this property will also be defined in chapter 6.

The following theorem is a technical result necessary in the developments of the next subsection. The theorem shows that given a Petri net structure that is not repetitive, the transitions of the net can be divided in two categories:

1. Transitions that cannot be made live regardless of the initial marking;

2. Transitions that can together be made live for appropriate initial markings.

This means that it is impossible to have that (a) two transitions t1 and t2 exist such that t1 can be made live for some initial marking, t2 can be made live for some initial marking, but t1 and t2 cannot be together made live for any initial marking; or (b) for all transitions t there is an initial marking allowing t to be made live (while not all transitions can be made live at the same time, as the net is nonrepetitive.)

Theorem 5.12

Consider a Petri net N = (P, T, F, W) which is not repetitive. At least one transition exists such that for any initial marking it cannot fire infinitely often. Let $T_D$ be the set of all such transitions. There are an initial marking µ0 and a supervisor Ξ such that ∀µ ∈ R(N, µ0, Ξ) no transition in $T \setminus T_D$ is dead.

Proof: Let ‖x‖ be the support of the vector x, that is, ‖x‖ = {i : x(i) ≠ 0}. There is an integer vector x ≥ 0 with maximum support such that Dx ≥ 0, that is, for all integer vectors w ≥ 0 such that Dw ≥ 0: ‖w‖ ⊆ ‖x‖. Indeed, if y, z ≥ 0 are integer vectors and Dy ≥ 0 and Dz ≥ 0, then D(y + z) ≥ 0, y + z ≥ 0, and ‖y‖, ‖z‖ ⊆ ‖y + z‖.

If $t_j \in T$ can be made live, there is a marking that enables an infinite firing sequence σ such that $t_j$ appears infinitely often in σ. Therefore by Lemma 5.9 ∃y ≥ 0 such that Dy ≥ 0 and y(j) > 0. Since x has maximum support, ‖y‖ ⊆ ‖x‖ and so $t_j \in$ ‖x‖. This proves that all transitions that can be made live are in ‖x‖.

Moreover, only the transitions that can be made live are in ‖x‖. Indeed, let $\sigma_x$ be a firing sequence such that (a) $t_i$ appears in $\sigma_x$ if and only if x(i) ≠ 0; and (b) $t_i$ appears x(i) times in $\sigma_x$ if x(i) ≠ 0. Then there is a marking µ0 given by equation (5.1) that enables the infinite firing sequence $\sigma_l = \sigma_x \sigma_x \sigma_x \ldots$. We may choose Ξ to only allow $\sigma_l$ to fire from µ0, and we note that all transitions in ‖x‖ are live. However, T ⊄ ‖x‖, or else $\sigma_l$ contains all transitions of T and so N is repetitive. Therefore $T \setminus$ ‖x‖ ≠ ∅. Since ‖x‖ contains the transitions that can be made live, $T \setminus$ ‖x‖ ≠ ∅ contains the transitions that cannot be made live under any circumstances. So we have $T_D = T \setminus$ ‖x‖ and $T_D \ne \emptyset$. □

A special case in Theorem 5.12 is $T \setminus T_D = \emptyset$, when the Petri net is not even partially repetitive, and so deadlock cannot be avoided for any marking. It was already shown that only repetitive Petri nets can be made live (Proposition 5.8).

Theorem 5.12 shows that the set of transitions of a partially repetitive Petri net can be uniquely divided into transitions that can be made live and transitions that cannot be made live. So the liveness property of partially repetitive Petri nets is that all transitions that can be made live are live ($(T \setminus T_D)$-liveness). For an example, consider the Petri nets of Figure 5.6(a) and (b) at page 145. For the first one $T_D = \{t_4, t_5\}$, and for the second one $T_D = \{t_1, t_2, t_3\}$.
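The conditions of Theorem 5.11 and the partition of Theorem 5.12, as an added worked example (this code is not part of the dissertation). The text checks the sets M, N and P by linear programming; the code below instead enumerates every integer vector with entries in 0..BOUND, which is adequate for nets of a handful of transitions and assumes BOUND is large enough that every minimal generator of the cone {x ≥ 0 : Dx ≥ 0} has entries at most BOUND (an assumption, not a guarantee; an LP or ILP solver is the right tool for real nets). Both incidence matrices are constructed: net 1 is the three-place cycle with t1 producing two tokens, net 2 adds a source place p4 whose only output transition t4 feeds p1.

```python
"""Theorem 5.11 (M = N, M = P, N = P) and Theorem 5.12 (T \\ T_D = maximal support) by
bounded enumeration of {x >= 0 : x != 0, Dx >= 0}. Added illustration, not from the
dissertation; the incidence matrices are constructed and BOUND is an assumption."""
from itertools import product

# Constructed net 1 (repetitive): t1: p1 -> 2 p2, t2: p2 -> p3, t3: p3 -> p1.
D1 = [[-1, 0, 1],
      [2, -1, 0],
      [0, 1, -1]]
# Constructed net 2: net 1 plus a source place p4 feeding p1 through t4; p4 has no
# input transition, so t4 can fire only finitely often (its row forces x(t4) = 0).
D2 = [[-1, 0, 1, 1],
      [2, -1, 0, 0],
      [0, 1, -1, 0],
      [0, 0, 0, -1]]
BOUND = 2   # assumed large enough for these two nets

def Dx_nonneg(D, x):
    return all(sum(D[i][j] * x[j] for j in range(len(x))) >= 0 for i in range(len(D)))

def repetitive_vectors(D, bound=BOUND):
    """The set M of Theorem 5.11, restricted to vectors with entries <= bound."""
    n = len(D[0])
    return [x for x in product(range(bound + 1), repeat=n) if any(x) and Dx_nonneg(D, x)]

def support(x):
    """||x|| = {i : x(i) != 0}, as a set of transition indices."""
    return frozenset(i for i, v in enumerate(x) if v)

def theorem_5_11(D, T_cal, bound=BOUND):
    """Which of the conditions (i) of Theorem 5.11(a)-(c) hold; T_cal is the index set
    of the transitions in the calligraphic T.  N and P are subsets of M, and N is a
    subset of P, so comparing sizes is the same as comparing the sets."""
    n = len(D[0])
    M = repetitive_vectors(D, bound)
    N = [x for x in M if len(support(x)) == n]
    P = [x for x in M if frozenset(T_cal) <= support(x)]
    return {
        # (a): every deadlock prevention supervisor also enforces liveness
        "M_eq_N": bool(M) and len(M) == len(N),
        # (b): every deadlock prevention supervisor also enforces T-liveness
        "M_eq_P": bool(M) and len(M) == len(P),
        # (c): every T-liveness enforcing supervisor also enforces liveness
        "N_eq_P": bool(N) and len(N) == len(P),
    }

def live_and_dead_transitions(D, bound=BOUND):
    """Theorem 5.12: T \\ T_D is the maximal support ||x||.  Because supports are closed
    under addition of solutions, it is the union of all supports; T_D is the rest."""
    n = len(D[0])
    live = frozenset().union(*(support(x) for x in repetitive_vectors(D, bound)))
    return live, frozenset(range(n)) - live

if __name__ == "__main__":
    for name, D in (("net 1", D1), ("net 2", D2)):
        print(name, theorem_5_11(D, {0, 1, 2}), "live/dead:", live_and_dead_transitions(D))
```

For net 1 every nonzero solution has full support (the inequalities reduce to x1 ≤ x3 ≤ x2 ≤ 2 x1), so M = N and, by Theorem 5.11(a), every deadlock prevention supervisor of net 1 is also a liveness enforcing supervisor. For net 2 the same solutions appear with x(t4) = 0, so N = ∅, M = P for 𝒯 = {t1, t2, t3}, and Theorem 5.12 gives T_D = {t4}.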

5.3.2 Deadlock and (𝒯-)Liveness Characterization Based on Active Subnets

We denote by the active subnet a part of a Petri net which can be made live for appropriate markings by supervision. In the following definition we use the notation from Theorem 5.12.

Definition 5.13 Active subnets

Let N = (P, T, F, W) be a Petri net, D the incidence matrix and $T_D \subseteq T$ the set of all transitions that cannot be made live for any initial marking. $N^A = (P^A, T^A, F^A, W^A)$ is an active subnet of N if $P^A = T^A\bullet$, $F^A = F \cap \{(T^A \times P^A) \cup (P^A \times T^A)\}$, $W^A$ is the restriction of W to $F^A$, and $T^A$ is the set of transitions with nonzero entry in some nonnegative vector x ≠ 0 satisfying Dx ≥ 0 (that is, $T^A = \|x\|$ for such an x). $N^A$ is the maximal active subnet of N if $T^A = T \setminus T_D$ and $T \setminus T_D \ne \emptyset$. $N^A$ is a minimal active subnet if there is no other active subnet $N_1^A = (P_1^A, T_1^A, F_1^A, W_1^A)$ such that $T_1^A \subseteq T^A$.

Definition 5.14 Active siphons

Given an active subnet $N^A$ of a Petri net N, a siphon of N is said to be an active siphon (with respect to $N^A$) if it is or includes a siphon of $N^A$. An active siphon is minimal if it does not include another active siphon (with respect to the same active subnet).

In Figure 5.3(a) and (c) two Petri nets are given. Figure 5.3(b) shows the minimal active subnets of the Petri net in Figure 5.3(a). The union of the two subnets is the maximal active subnet. Figure 5.3(d) shows the only active subnet of the Petri net of Figure 5.3(c). The minimal active siphons of the Petri net in Figure 5.3(a) with respect to the active subnet having $T^A = \{t_6, t_7, t_9\}$ are $\{p_1, p_5, p_6, p_7\}$ and $\{p_6, p_7, p_8\}$. The minimal active siphons of the Petri net of Figure 5.3(c) are $\{p_1, p_4, p_7\}$, $\{p_2, p_5, p_7\}$, $\{p_3, p_5, p_7\}$ and $\{p_6, p_7\}$.

[Figure 5.3 (diagrams not recoverable from the extracted text): panels (a), (b), (c) and (d).]

Figure 5.3. Two Petri nets, (a) and (c), and their active subnets, (b) and (d), respectively.

Proposition 5.15

A siphon which contains places from an active subnet is an active siphon with respect to that subnet.

Proof: We use the notation from Definition 5.13. Let $\sigma_x$ be a firing sequence such that a transition $t_i$ appears in $\sigma_x$ if and only if x(i) ≠ 0, in which case it appears x(i) times. Let S be a siphon such that $S \cap P^A \ne \emptyset$. We are to prove that there is a siphon s of $N^A$ such that s ⊆ S. Since S is a siphon, •S ⊆ S• and hence $\bullet S \cap T^A \subseteq S\bullet \cap T^A$. Using the construction of equation (5.1), there is a marking enabling $\sigma_x \sigma_x \sigma_x \ldots$, so the transitions of $T^A$ can fire infinitely often without any other transition firing; an input place of a transition of $T^A$ that is not refilled by $T^A$ would contradict this. Since $T^A = \|x\|$ and $P^A = T^A\bullet$ (by definition), we therefore have that $\forall t \in T^A$: $\bullet t \subseteq P^A$. Hence $S\bullet \cap T^A \subseteq (S \cap P^A)\bullet$, and so $S\bullet \cap T^A = (S \cap P^A)\bullet \cap T^A$. Note also that $\bullet(S \cap P^A) \cap T^A \subseteq \bullet S \cap T^A$. Therefore $\bullet S \cap T^A \subseteq S\bullet \cap T^A$ implies $\bullet(S \cap P^A) \cap T^A \subseteq (S \cap P^A)\bullet \cap T^A$, which proves that $s = S \cap P^A$ is a siphon of $N^A$. □

The significance of the active subnets for deadlock prevention can be seen in the following propositions. First we prove a technical result.

Lemma 5.16

Let $N^A = (P^A, T^A, F^A, W^A)$ be an active subnet of N. Given a marking µ of N and $\mu^A$ its restriction to $N^A$, if $t \in T^A$ is enabled by $\mu^A$ in $N^A$, then t is enabled by µ in N.

Proof: By definition, there is a nonnegative integer vector x ≥ 0 such that Dx ≥ 0 (D is the incidence matrix) and x(i) > 0 for $t_i \in T^A$ and x(i) = 0 for $t_i \in T \setminus T^A$. This implies that there are markings such that the transitions of $T^A$ can fire infinitely often, without firing other transitions (see equation (5.1)). The proof is by contradiction. Assume that t is not enabled in N. As t is enabled in $N^A$, $\exists p \in \bullet t$: $p \notin P^A$. (The preset/postset operators • are taken with respect to N, not $N^A$.) Note that $p \notin P^A$ implies $\bullet p \cap T^A = \emptyset$. If •p = ∅, t cannot fire infinitely often, which contradicts the definition of $T^A$ (Definition 5.13), since $t \in T^A$. If •p ≠ ∅, the transitions of $T^A$ cannot fire infinitely often without firing one or more of the transitions $t_x \in \bullet p$ (infinitely often), which again contradicts the definition of $T^A$. Therefore t is also enabled in N. □

Note that in a repetitive Petri net all siphons are active with respect to the maximal active subnet. The next result is a generalization of the well known Proposition 5.2. It is a more powerful result since it not only states that deadlock implies an empty siphon, but also that for any active subnet $N^A$ there is an empty active siphon with respect to $N^A$.

Proposition 5.17 Necessary condition for deadlock

Let $N^A$ be an arbitrary active subnet of a PT-ordinary Petri net N. If µ is a deadlock marking of N, then there is at least one empty minimal active siphon with respect to $N^A$.

Proof: Since µ is a deadlock marking and N = (P, T, F, W) is PT-ordinary, ∀t ∈ T ∃p ∈ •t: µ(p) = 0. The active subnet is built in such a way that if the marking µ restricted to the active subnet enables a transition t, then µ enables t in the total net (Lemma 5.16). Therefore, because the total net (N, µ) is in deadlock, the active subnet is too. In view of Proposition 5.2, let s be an empty minimal siphon of the active subnet. Consider s in the total net. If s is a siphon of the total net, then s is also a minimal active siphon; therefore the net has a minimal active siphon which is empty. If s is not a siphon of the total net, then $\bullet s \setminus T^A \ne \emptyset$. Let S be the set inductively constructed as follows: $S_0 = s$, $S_i = S_{i-1} \cup \{p \in \bullet(\bullet S_{i-1} \setminus S_{i-1}\bullet) : \mu(p) = 0\}$, where µ is the (deadlock) marking of the net. In other words, S is a completion of s with places with null marking such that S is a siphon: the construction terminates because P is finite, and at the fixed point every transition of •S has an empty input place in S, so •S ⊆ S•. By construction S is an active siphon and is empty for the marking µ. Hence an empty minimal active siphon exists. □

The practical significance of Proposition 5.17 is that it can be used for deadlock prevention, since deadlock is not possible when all active siphons with respect to an active subnet cannot become empty.

Proposition 5.18 Sufficient condition for deadlock

Deadlock is unavoidable for the marking µ if for all minimal active subnets $N^A$ there is an empty active siphon with respect to $N^A$.

Proof: All transitions in the postset of an empty siphon are dead. Therefore every minimal active subnet has some dead transitions. The proof is by contradiction. Assume that deadlock is avoidable. Then, in view of Lemma 5.9, after some transition firings a marking can be reached which enables σσσ...σ..., where σ is a finite firing sequence. Let v be the firing count vector of σ. Then Dv ≥ 0. If the active subnet associated with v is minimal, we let x = v; if it is not, there is x such that ‖x‖ ⊂ ‖v‖, x ≠ 0, x ≥ 0, Dx ≥ 0 and the active subnet associated with x is minimal. But there must be an empty active siphon with regard to that active subnet, therefore not all of the transitions of ‖x‖ can fire, which implies that not all of the transitions of σ can fire, which is a contradiction. □

Propositions 5.17 and 5.18 generalize Proposition 5.2. Thus a Petri net will certainly enter deadlock if for all minimal active subnets N A there is an empty ac- tive siphon with respect to N A. Conversely a deadlock state implies that for each active subnet there is an empty active siphon with regard to that subnet. Propo- sitions 5.17 and 5.18 suggest an approach for least restrictive deadlock prevention, and we consider it in section 5.4.2.
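Definitions 5.13 and 5.14 and the deadlock tests of Propositions 5.17 and 5.18, as an added worked example (this code is not part of the dissertation). The PT-ordinary net is constructed: t1, t2, t3 cycle a token through p1, p2, p3; t4 feeds p1 from a source place p4; t5 drains p1 together with p5 into a sink p6. In this net every x ≥ 0 with Dx ≥ 0 has x(t4) = x(t5) = 0 and x(t1) = x(t2) = x(t3), so the only active subnet (hence both maximal and minimal) has T^A = {t1, t2, t3}; the code takes that set as given rather than recomputing it. Siphons are found by enumerating subsets of places, which is fine for a net this small; the activeness test uses Proposition 5.15, and `complete_to_siphon` is the completion from the proof of Proposition 5.17.

```python
"""Siphons, active siphons (Definitions 5.13-5.14) and the deadlock tests of
Propositions 5.17 and 5.18. Added illustration, not from the dissertation; the net,
its markings and its active subnet are constructed."""
from itertools import combinations

# Constructed PT-ordinary net (all pre-arc weights are 1).
PLACES = ["p1", "p2", "p3", "p4", "p5", "p6"]
PRE = {"t1": {"p1"}, "t2": {"p2"}, "t3": {"p3"}, "t4": {"p4"}, "t5": {"p1", "p5"}}  # •t
POST = {"t1": {"p2"}, "t2": {"p3"}, "t3": {"p1"}, "t4": {"p1"}, "t5": {"p6"}}         # t•
# Assumed: the only active subnet of this net (support of every x >= 0 with Dx >= 0).
T_ACTIVE = frozenset({"t1", "t2", "t3"})

def pre_set(S):        # •S: transitions that put tokens into S
    return {t for t in POST if POST[t] & S}

def post_set(S):       # S•: transitions that take tokens from S
    return {t for t in PRE if PRE[t] & S}

def is_siphon(S, T_sub=None):
    """Nonempty S with •S ⊆ S•; with T_sub given, •S and S• are taken in that subnet."""
    ins, outs = pre_set(S), post_set(S)
    if T_sub is not None:
        ins, outs = ins & T_sub, outs & T_sub
    return bool(S) and ins <= outs

def active_places(T_A):
    """P^A = T^A• (Definition 5.13)."""
    return frozenset().union(*(POST[t] for t in T_A))

def is_active_siphon(S, T_A):
    """Definition 5.14: a siphon of N that is or includes a siphon of N^A.  By
    Proposition 5.15 it suffices to test the restriction S ∩ P^A."""
    s = frozenset(S) & active_places(T_A)
    return is_siphon(S) and bool(s) and is_siphon(s, T_A)

def minimal_siphons(T_A=None):
    """Minimal siphons (T_A is None) or minimal active siphons w.r.t. T_A, found by
    enumerating subsets of PLACES in increasing size (small nets only)."""
    found = []
    for k in range(1, len(PLACES) + 1):
        for S in map(frozenset, combinations(PLACES, k)):
            ok = is_siphon(S) if T_A is None else is_active_siphon(S, T_A)
            if ok and not any(s < S for s in found):
                found.append(S)
    return found

def enabled(mu, t):
    return all(mu[p] >= 1 for p in PRE[t])       # PT-ordinary: one token per input place

def is_deadlock(mu):
    return not any(enabled(mu, t) for t in PRE)

def empty_active_siphons(mu, T_A):
    return [S for S in minimal_siphons(T_A) if all(mu[p] == 0 for p in S)]

def cannot_be_deadlocked(mu, T_A):
    """Contrapositive of Proposition 5.17: no empty minimal active siphon at mu
    means mu is not a deadlock marking."""
    return not empty_active_siphons(mu, T_A)

def deadlock_unavoidable(mu, minimal_active_subnets):
    """Proposition 5.18: an empty active siphon for every minimal active subnet."""
    return all(empty_active_siphons(mu, T_A) for T_A in minimal_active_subnets)

def complete_to_siphon(s, mu):
    """Completion from the proof of Proposition 5.17 (mu must be a deadlock marking):
    grow the empty subnet siphon s with the empty input places of the transitions that
    feed S without draining it, until •S ⊆ S• holds in the whole net."""
    S = set(s)
    while True:
        outside = pre_set(S) - post_set(S)
        new = {p for t in outside for p in PRE[t] if mu[p] == 0} - S
        if not new:
            return frozenset(S)
        S |= new

def marking(**tokens):
    """Marking of the constructed net; unnamed places hold zero tokens."""
    return {p: tokens.get(p, 0) for p in PLACES}

if __name__ == "__main__":
    for mu in (marking(p1=1), marking(p1=1, p5=1), marking(p5=1)):
        print(mu, "deadlock:", is_deadlock(mu),
              "empty minimal active siphons:", empty_active_siphons(mu, T_ACTIVE))
```

The net's minimal siphons are {p4} and {p5}, both of which are empty at the marking with one token in p1, yet Proposition 5.2 cannot conclude anything from that; the only minimal active siphon {p1, p2, p3, p4} is marked, so Proposition 5.17 certifies that the marking is not a deadlock. With a token in p5 only, that active siphon is empty, the marking is a deadlock, and Proposition 5.18 reports it as unavoidable. With tokens in both p1 and p5, deadlock is reachable (fire t5) but not unavoidable (the cycle can run forever), which is exactly the gap between the sufficient and the necessary condition.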

Next, the relation between 𝒯-liveness and active subnets is considered. An ordinary Petri net N = (P, T, F, W) is a free-choice net if for all $p_i, p_j \in P$, $p_i\bullet \cap p_j\bullet \ne \emptyset \Rightarrow |p_i\bullet| = |p_j\bullet| = 1$. A result known as Commoner's Theorem states that a free-choice net is live if and only if all its siphons contain some marked trap. While Commoner's Theorem is a necessary and sufficient condition, its extension to asymmetric choice Petri nets is usually presented as a sufficient condition (e.g. Theorem 10.4 in [36]). The reason for this is that attention has been restricted to trap controlled siphons, which is only a particular class of controlled siphons. In terms of the general notion of controlled siphons, the extension of Commoner's Theorem is a necessary and sufficient condition (see Corollary 27 in [14]). The next result further extends Commoner's Theorem as follows: the result not only states that a dead transition t implies an empty siphon for some reachable marking, but also that there is such an empty siphon S with t ∈ S•. This fact is important when we try to verify or ensure that t is live, since we only have to look at the siphons S such that t ∈ S•.

Theorem 5.19

Consider a PT-ordinary asymmetric choice Petri net N and a marking µ such that a transition t is dead. Then there are $\mu' \in R(N, \mu)$ and a siphon S such that S is empty for the marking $\mu'$ and t ∈ S•.

Proof: It is known that if a transition t of an ordinary Petri net with asymmetric choice is dead at a marking µ, then $\exists \mu_1 \in R(N, \mu)\ \exists p_1 \in \bullet t\ \forall \mu_x \in R(N, \mu_1)$: $\mu_x(p_1) = 0$. This is proved for instance in Lemma 10.2 of [36], and the proof applies without change to PT-ordinary asymmetric choice Petri nets. We inductively use this property to construct S. Note that all transitions in $\bullet p_1$ are dead at $\mu_1$. Let $S_0 = \emptyset$ and $S_1 = \{p_1\}$. We inductively construct S by generating $S_2, \ldots, S_{n+1}$ and the markings $\mu_2, \ldots, \mu_{n+1}$. $S_i$ for i ≥ 1 is such that all transitions in $\bullet S_i$ are dead for some marking $\mu_i$. The construction in an iteration is as follows. Let $T_i = \bullet(S_i \setminus S_{i-1})$ and $\mu_{i+1} \in R(N, \mu_i)$ such that $\forall t_x \in T_i\ \forall \mu_x \in R(N, \mu_{i+1})\ \exists p \in \bullet t_x$: $\mu_x(p) = 0$. Then we let

$$G_i = \bigcup_{t_x \in T_i} \{p \in \bullet t_x : \forall \mu_x \in R(N, \mu_{i+1}):\ \mu_x(p) = 0\}$$

and $S_{i+1} = S_i \cup G_i$. There is n such that $S_{n+1} = S_n$, for the Petri net has a finite number of places. We let $S = S_n$ and $\mu' = \mu_n$. By construction S is a siphon (note that $\bullet S_i \subseteq S_{i+1}\bullet$ for i = 0 ... n), S is empty at $\mu'$, $\mu' \in R(N, \mu)$, and t ∈ S• (since $p_1 \in S$). □

The next definition introduces a new class of active subnets that are very convenient in characterizing 𝒯-liveness.

Definition 5.20 𝒯-minimal active subnets

Let N be a Petri net, 𝒯 a nonempty subset of the set of transitions and $N^A = (P^A, T^A, F^A, W^A)$ an active subnet. We say that $N^A$ is 𝒯-minimal if $\mathcal{T} \subseteq T^A$ and $T_x^A \not\subseteq T^A$ for any other active subnet $N_x^A = (P_x^A, T_x^A, F_x^A, W_x^A)$ such that $\mathcal{T} \subseteq T_x^A$.

[Figure 5.4 (diagrams not recoverable from the extracted text): the Petri net (places p1, ..., p5, transitions t1, ..., t7), its {t1, t2}-minimal active subnet, and its {t5, t6, t7}-minimal active subnet.]

Figure 5.4. Examples of 𝒯-minimal active subnets.

For examples of 𝒯-minimal active subnets, consider the Petri net shown in Figure 5.4. $N_1^A$ with $P_1^A = \{p_1, p_2\}$ and $T_1^A = \{t_1, t_2\}$ is the $\{t_1, t_2\}$-minimal active subnet. $N_2^A$ with $P_2^A = \{p_1, \ldots, p_5\}$ and $T_2^A = \{t_2, t_4, t_5, t_6, t_7\}$ is the $\{t_5, t_6, t_7\}$-minimal active subnet. Note that a 𝒯-minimal active subnet may not be unique. Indeed, both $N_1^A$ and $N_2^A$ are $\{t_2\}$-minimal active subnets. Nonetheless, an active subnet $N^A = (P^A, T^A, F^A, W^A)$ is always the only $T^A$-minimal active subnet.

The next theorem gives necessary and sufficient conditions for 𝒯-liveness in terms of the 𝒯-minimal active subnets.

Theorem 5.21 Necessary and sufficient conditions for 𝒯-liveness

Given a PT-ordinary asymmetric choice Petri net N, let 𝒯 be a set of transitions and $N^A$ a 𝒯-minimal active subnet which contains the transitions in 𝒯. If all the minimal active siphons with respect to $N^A$ are controlled, the Petri net is 𝒯-live (and $T^A$-live). If the Petri net is 𝒯-live, there is no reachable marking such that for each 𝒯-minimal active subnet $N^A$ there is an empty minimal active siphon with respect to $N^A$.

Proof: For the first part, the proof is by contradiction. Assume that there is a reachable marking such that a transition $t \in T^A$ is dead. Since $\mathcal{T} \subseteq T^A$, by Theorem 5.19 there is a reachable marking such that a siphon S is empty and t ∈ S•. However, t ∈ S• implies $S \cap P^A \ne \emptyset$, and by Proposition 5.15 S is an active siphon. Finally, S empty contradicts the fact that all active siphons are controlled.

For the second part, let $N_i^A$ denote a 𝒯-minimal active subnet, i = 1 ... k, where k is the number of 𝒯-minimal active subnets. First, note that if there is an empty active siphon $S_i$ with respect to $N_i^A$, there is a nonempty set of dead transitions in $N_i^A$. Indeed, let µ be a marking such that $S_i$ is empty. Let $T_i = S_i\bullet \cap T_i^A$, where $T_i^A$ is the set of transitions of $N_i^A$. Since $S_i$ is active, $T_i$ is nonempty; because $S_i$ is empty, the transitions of $T_i$ are dead. Next, we prove the second part of the theorem by contradiction. Assume that there is an infinite firing sequence $\sigma_x$ such that all transitions of 𝒯 appear infinitely often in $\sigma_x$, and after a part of $\sigma_x$ is fired (let $\mu_x$ be the marking reached) all 𝒯-minimal active subnets $N_i^A$ have an empty active siphon $S_i$. Let σ be the remaining part of $\sigma_x$, which is enabled by $\mu_x$. All transitions of 𝒯 appear infinitely often in σ. Therefore, by Lemma 5.9, there is x ≥ 0 such that Dx ≥ 0 (D is the incidence matrix) and $\mathcal{T} \subseteq \|x\|$. However, ‖x‖ does not contain all transitions of any of the 𝒯-minimal subnets $N_i^A$: $T_i \subseteq T_i^A \setminus \|x\|$ for i = 1 ... k, since the dead transitions of $T_i$ cannot appear in σ. This implies that ‖x‖ defines another 𝒯-minimal active subnet, which contradicts the fact that $N_i^A$, i = 1 ... k, are all the 𝒯-minimal active subnets. □

In the particular case in which there is a single 𝒯-minimal active subnet, Theorem 5.21 shows that the net is 𝒯-live if and only if all the minimal active siphons with respect to it are controlled. When 𝒯 equals the total set of transitions of the net and the Petri net is repetitive, the 𝒯-minimal active subnet exists, is unique, and equals the total net; in this case we obtain the extension of Commoner's Theorem to asymmetric choice nets.

A natural question is whether we can extend the results from asymmetric choice Petri nets to more general Petri nets. Theorem 5.21 relies on Theorem 5.19, while the proof of Theorem 5.19 only requires Petri nets N with the property that if a transition t is dead at a marking µ, then $\exists \mu_1 \in R(N, \mu)\ \exists p_1 \in \bullet t\ \forall \mu_x \in R(N, \mu_1)$: $\mu_x(p_1) = 0$. Verifying this property may be hard in general. A class of Petri nets more general than asymmetric choice nets satisfying this property is given in the following definition.

Definition 5.22 EAC nets

Let N = (P, T, F, W) be a Petri net. Given an arbitrary t ∈ T, consider the following notation. Let $T_D$ be the set of transitions which cannot be made live when t is dead (where $t \in T_D$), and $P_L = \{p \in \bullet t : \exists t' \in (\bullet t)\bullet \setminus T_D \text{ and } p \in \bullet t'\}$. Furthermore let N' be the Petri net obtained by removing from N the transitions in $T_D$. Then N is said to be an EAC net if T = ∅, or for all transitions t ∈ T one of the following conditions is satisfied:

(a) $\forall p_i, p_j \in \bullet t$: $p_i\bullet \subseteq p_j\bullet$ or $p_j\bullet \subseteq p_i\bullet$.

(b) $P_L = \emptyset$, or in N' it is true that $\forall p_i, p_j \in P_L$: $p_i\bullet \subseteq p_j\bullet$ or $p_j\bullet \subseteq p_i\bullet$.

(c) There is t' in N' such that $P_L = \bullet t'$, and N' is an EAC net.

In the previous definition, EAC net stands for extended asymmetric choice net, since all asymmetric choice nets are EAC nets. Note that a transition t' is in $T_D$ if for all markings for which t is dead, t' is dead or will certainly die. In order to show that Theorems 5.19 and 5.21 apply also to EAC nets, we only need to prove the following result.

Proposition 5.23

Let N be an EAC net and t a transition dead at the marking µ. Then $\exists \mu_1 \in R(N, \mu)\ \exists p_1 \in \bullet t\ \forall \mu_x \in R(N, \mu_1)$: $\mu_x(p_1) = 0$.

Proof: We consider the markings reachable from a marking $\mu' \in R(N, \mu)$ such that at $\mu'$ all transitions in $T_D$ are dead. If t satisfies (a) in Definition 5.22, then the proof is the same as that in Lemma 10.2 of [36].

If t satisfies (b), first consider the situation in which $P_L = \emptyset$. Then the marking of the places in •t can never decrease, and since t is dead, there is a place p ∈ •t such that for all reachable markings $\mu_x$ we have $\mu_x(p) = 0$. Now consider $P_L \ne \emptyset$. To prove the proposition in this case it is enough to show that if there is no reachable marking $\mu_x$ such that $\exists p \in \bullet t \setminus P_L$, $\forall \mu_y \in R(N, \mu_x)$: $\mu_y(p) = 0$, then there is a reachable marking $\mu_1$ such that $\exists p \in P_L$, $\forall \mu_y \in R(N, \mu_1)$: $\mu_y(p) = 0$. The marking of the places $p \in \bullet t \setminus P_L$ cannot decrease; therefore, if there is no reachable marking $\mu_x$ such that $\exists p \in \bullet t \setminus P_L$, $\forall \mu_y \in R(N, \mu_x)$: $\mu_y(p) = 0$, there is $\mu_z \in R(N, \mu')$ such that $\forall p \in \bullet t \setminus P_L$: $\mu_z(p) \ge 1$. Furthermore, this implies $\forall p \in \bullet t \setminus P_L$, $\forall \mu \in R(N, \mu_z)$: µ(p) ≥ 1. Then, note that the case when there is no marking $\mu_1 \in R(N, \mu_z)$ such that for some $p \in P_L$, $\forall \mu_x \in R(N, \mu_1)$: $\mu_x(p) = 0$ is impossible. Indeed, if it were possible, it would imply $\exists \mu_2 \in R(N, \mu_z)$ such that $\mu_2(p) \ge 1$ $\forall p \in P_L$ (see the proof of Lemma 10.2 in [36]). However, since $\mu_2 \in R(N, \mu_z)$, t is enabled at $\mu_2$, which contradicts that t is dead. This completes the proof for case (b).

Now assume that t satisfies (c). Then N' is also an EAC net. Using a similar reasoning as in (b), if there is no reachable marking $\mu_x$ such that $\exists p \in \bullet t \setminus P_L$, $\forall \mu_y \in R(N, \mu_x)$: $\mu_y(p) = 0$, then there is $\mu_z \in R(N, \mu')$ such that $\forall p \in \bullet t \setminus P_L$: $\mu_z(p) \ge 1$. Then t' is dead (or else t would not be dead), and so the problem is reduced to proving the proposition for the smaller net $(N', \mu_z)$ and the dead transition t'. Thus, we eventually reach the conclusion by backtracking. □

[Figure 5.5 (diagrams not recoverable from the extracted text): (a) a Petri net with transitions t1, t2, t3 and places p1, p2, p3; (b) a Petri net with transitions t1, ..., t5 and places p1, ..., p4.]

Figure 5.5. (a) A Petri net which is not an EAC net; (b) an EAC net.

Corollary 5.24

Theorems 5.19 and 5.21 apply also to EAC nets.

As an example, consider the Petri nets of Figure 5.5. The Petri net in Figure 5.5(a) is not an EAC net, as the transition t3 does not satisfy any of the cases (a), (b), and (c) of Definition 5.22. To see this, note that for t3 we have $T_D = \emptyset$ and $P_L = \{p_1, p_3\}$. Case (a) is not satisfied, as $p_1, p_3 \in \bullet t_3$, $p_1\bullet = \{t_2, t_3\}$ and $p_3\bullet = \{t_1, t_3\}$. As $P_L \ne \emptyset$, case (b) is not satisfied for the same reason as (a). Case (c) is not satisfied as there is no transition t' satisfying $\bullet t' = P_L$. The Petri net of Figure 5.5(b) is an EAC net, as can be seen in what follows. The transitions t2, t3 and t5 satisfy case (a) in Definition 5.22. The transition t1 satisfies case (b) in Definition 5.22. Indeed, for all markings for which t1 is dead, the transitions t3, t4, and t5 are dead or eventually die. So $T_D = \{t_1, t_3, t_4, t_5\}$. The set $P_L$ is $P_L = \{p_2\}$. Then we can see that t1 satisfies case (b). Note that transition t1 also satisfies case (c). In the case of t4 we have the same $T_D$ and $P_L = \emptyset$. So t4 satisfies case (b). Note that the net is not an asymmetric choice net.

5.4 Implications and Discussion

In this section we discuss our results and show how they relate to the supervisory problems of deadlock prevention, liveness enforcement and 𝒯-liveness enforcement.

Some of the theoretical results of this chapter consider only particular classes of Petri nets, specifically PT-ordinary and asymmetric choice nets. However, for our supervisory problems this is a surmountable difficulty, since it is possible to transform a Petri net into a PT-ordinary or PT-ordinary asymmetric choice Petri net; then, it is possible to derive a deadlock prevention (or a (𝒯-)liveness enforcement) supervisor from a supervisor for deadlock prevention (or (𝒯-)liveness enforcement) of the transformed net [78, 75, 155]. Briefly, a possible solution for our supervisory problems is as follows: given a target net $N_0$, generate a sequence of increasingly enhanced nets $N_1, N_2, \ldots$ until we reach a net $N_k$ such that we can use Proposition 5.17 or Theorem 5.21 on $N_k$ to guarantee deadlock-freedom or (𝒯-)liveness; then a supervisor for $N_0$ is derived based on the construction of $N_k$. Such an approach has been used in [74, 75, 76, 77, 64, 78], and is presented in chapter 6.

5.4.1 Deadlock Prevention

Proposition 5.2 implies that if none of the minimal siphons of a PT-ordinary Petri net can ever become empty, the Petri net is deadlock-free. This is a useful property for repetitive Petri nets, but not always for nonrepetitive Petri nets. For partially repetitive Petri nets Proposition 5.17 is much more useful. For instance, consider the Petri net of Figure 5.6(a). The only active subnet has $T^A = \{t_1, t_2, t_3\}$. After firing t4, $\{p_4\}$ is an empty siphon. However, there is no empty active siphon (the minimal active siphons are $\{p_1, p_3, p_4\}$, $\{p_2, p_3, p_5\}$ and $\{p_2, p_3, p_6\}$), and thus we can see from Proposition 5.17 that the Petri net is not in deadlock, while this cannot be ascertained from Proposition 5.2. The same is true for the Petri net in Figure 5.6(b): $\{p_1, p_3\}$ is an empty siphon, but the only minimal active siphon, $\{p_4, p_5, p_6, p_7\}$, is not empty, and therefore the Petri net is not in deadlock by Proposition 5.17.

[Figure 5.6 (panels (a), (b), (c)): the net drawings did not survive the text extraction.]

Figure 5.6. Deadlock illustrations.

Proposition 5.17 is more useful than Proposition 5.2 even for repetitive Petri nets, as seen in Figure 5.6(c). The Petri net of Figure 5.6(c) has several active subnets. While with respect to some of them there are empty active siphons, if we take the active subnet N^A defined by T^A = {t1,t2}, the only minimal active siphon with respect to N^A is {p1,p2,p5}, which is not empty. Thus we are able to detect based on Proposition 5.17 that the Petri net is not in deadlock.

In the applications in which deadlock prevention is desired to approximate liveness enforcement, Proposition 5.17 can be used for the maximal active subnet. Thus it would be desirable that no active siphon with respect to the maximal active subnet ever become empty. Indeed, if an active siphon S with respect to the maximal active subnet is empty, all transitions in S• are dead; this would be undesirable, as S• contains one or more of the transitions that could be made live.

For the applications in which least restrictive deadlock prevention is desired rather than a liveness approximation, see the next section.

Proposition 5.17 can be used for deadlock prevention by extending the target Petri net to a net in which all siphons are controlled. The usual technique for siphon control involves adding a new place to each siphon to be controlled, such that place invariants are created. Such additional places can be seen as implementing a (marking based) supervisor for deadlock prevention. We have designed a deadlock prevention methodology based on Proposition 5.17. This methodology is presented in chapter 6 and in [74, 78]. The methodology produces two sets of constraints: Lµ ≥ b and L0µ ≥ b0. The constraints Lµ ≥ b define the supervisor (the set of additional places ensuring that all active siphons are invariant controlled). The constraints L0µ ≥ b0 are used to define the initial markings for which the supervisor operates. Thus, the supervisor is defined for all initial markings µ0 satisfying Lµ0 ≥ b and L0µ0 ≥ b0. For an example, consider the Petri nets in Figure 5.7(a) and (b). The additional places defining the supervisor are, in both cases, the places C1, C2 and C3. It can be easily checked that all minimal active siphons are invariant controlled in both cases. In case (a) the inequalities Lµ ≥ b are µ(p1) + µ(p3) + µ(p4) ≥ 1 (so µ(C1) = µ(p1) + µ(p3) + µ(p4) − 1), µ(p2) + µ(p3) + µ(p5) ≥ 1 (µ(C2) = µ(p2) + µ(p3) + µ(p5) − 1) and µ(p2) + µ(p3) + µ(p6) ≥ 1 (µ(C3) = µ(p2) + µ(p3) + µ(p6) − 1); L0µ0 ≥ b0 contains the inequalities µ0(p1) + µ0(p2) + µ0(p3) + µ0(p4) + µ0(p5) ≥ 2 and µ0(p1) + µ0(p2) + µ0(p3) + µ0(p4) + µ0(p6) ≥ 2. In case (b), the inequalities Lµ ≥ b are µ(p1) + µ(p2) ≥ 1 (µ(C1) = µ(p1) + µ(p2) − 1), µ(p3) + µ(p4) ≥ 1 (µ(C2) = µ(p3) + µ(p4) − 1) and µ(p1) + µ(p2) + µ(p3) + µ(p4) ≥ 3 (µ(C3) = µ(C1) + µ(C2) − 1); there are no constraints L0µ0 ≥ b0. Moreover, by Theorem 5.11, the supervisors also enforce {t1,t2,t3}-liveness in case (a), and liveness in case (b).
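The siphon-control construction described above (one control place per siphon, creating a place invariant) can be made concrete in code. What follows is an added Python example, not code from the dissertation; the two-process resource-allocation plant, its place and transition names, and the function names are constructed for this illustration. The example enumerates the minimal siphons by brute force, shows that the plant's circular-wait deadlock empties one of them (the situation Proposition 5.2 describes for PT-ordinary nets), and then adds a control place C that enforces Σ_{p∈S} µ(p) ≥ 1 with the place-invariant construction: the incidence row of C is lD, where l is the indicator vector of S, and its initial marking is lµ0 − 1, so that µ(C) = Σ_{p∈S} µ(p) − 1 is invariant, exactly as µ(C1) = µ(p1) + µ(p3) + µ(p4) − 1 above. A reachability search confirms the closed loop is deadlock-free.

```python
import itertools
from collections import deque

# Constructed example plant (not taken from the dissertation): two cyclic processes
# A and B share the single-unit resources r1 and r2 and acquire them in opposite
# order, so the plant can reach a circular-wait deadlock. All arc weights are 1,
# so the net is PT-ordinary. PRE[t] = {p: W(p,t)}, POST[t] = {p: W(t,p)}.
PLACES = ["pa1", "pa2", "pa3", "pb1", "pb2", "pb3", "r1", "r2"]
PRE = {"ta1": {"pa1": 1, "r1": 1}, "ta2": {"pa2": 1, "r2": 1}, "ta3": {"pa3": 1},
       "tb1": {"pb1": 1, "r2": 1}, "tb2": {"pb2": 1, "r1": 1}, "tb3": {"pb3": 1}}
POST = {"ta1": {"pa2": 1}, "ta2": {"pa3": 1}, "ta3": {"pa1": 1, "r1": 1, "r2": 1},
        "tb1": {"pb2": 1}, "tb2": {"pb3": 1}, "tb3": {"pb1": 1, "r1": 1, "r2": 1}}
MU0 = {"pa1": 1, "pa2": 0, "pa3": 0, "pb1": 1, "pb2": 0, "pb3": 0, "r1": 1, "r2": 1}
BAD_SIPHON = frozenset({"r1", "r2", "pa3", "pb3"})   # the siphon the circular wait empties


def is_siphon(S, pre=PRE, post=POST):
    """S is a siphon iff every transition putting tokens into S also takes from S (•S ⊆ S•)."""
    S = set(S)
    pre_S = {t for t in post if set(post[t]) & S}    # •S
    post_S = {t for t in pre if set(pre[t]) & S}     # S•
    return bool(S) and pre_S <= post_S


def minimal_siphons(places=PLACES, pre=PRE, post=POST):
    """Brute-force enumeration, exponential in |P|; fine for a net this small."""
    found = []
    for r in range(1, len(places) + 1):
        for cand in itertools.combinations(places, r):
            cand = frozenset(cand)
            if is_siphon(cand, pre, post) and not any(s < cand for s in found):
                found.append(cand)
    return found


def enabled(mu, t, pre):
    return all(mu.get(p, 0) >= w for p, w in pre[t].items())


def fire(mu, t, pre, post):
    nu = dict(mu)
    for p, w in pre[t].items():
        nu[p] = nu.get(p, 0) - w
    for p, w in post[t].items():
        nu[p] = nu.get(p, 0) + w
    return nu


def is_dead(mu, pre=PRE):
    return not any(enabled(mu, t, pre) for t in pre)


def empty_minimal_siphons(mu, places=PLACES, pre=PRE, post=POST):
    """At a dead marking of a PT-ordinary net the unmarked places form a siphon,
    so at least one minimal siphon is empty (the fact behind Proposition 5.2)."""
    return [S for S in minimal_siphons(places, pre, post) if all(mu.get(p, 0) == 0 for p in S)]


def siphon_control_place(S, mu0, name, pre=PRE, post=POST):
    """Invariant-based control of siphon S: add a place `name` enforcing sum_{p in S} mu(p) >= 1.
    Its incidence row is l*D (l = indicator of S) and its initial marking l*mu0 - 1, so
    mu(name) = sum_{p in S} mu(p) - 1 is a place invariant of the closed loop. The supervisor
    is defined only for initial markings that already satisfy the constraint."""
    mu_c0 = sum(mu0.get(p, 0) for p in S) - 1
    if mu_c0 < 0:
        raise ValueError("initial marking violates the siphon constraint")
    new_pre = {t: dict(pre[t]) for t in pre}
    new_post = {t: dict(post[t]) for t in post}
    for t in pre:
        dc = sum(post[t].get(p, 0) for p in S) - sum(pre[t].get(p, 0) for p in S)
        if dc < 0:
            new_pre[t][name] = -dc      # arc name -> t: firing t drains S
        elif dc > 0:
            new_post[t][name] = dc      # arc t -> name: firing t refills S
    new_mu0 = dict(mu0)
    new_mu0[name] = mu_c0
    return new_pre, new_post, new_mu0


def deadlock_free(mu0, pre, post):
    """Exhaustive reachability search; terminates because these nets are bounded."""
    seen, queue = {tuple(sorted(mu0.items()))}, deque([mu0])
    while queue:
        mu = queue.popleft()
        if is_dead(mu, pre):
            return False
        for t in pre:
            if enabled(mu, t, pre):
                nu = fire(mu, t, pre, post)
                key = tuple(sorted(nu.items()))
                if key not in seen:
                    seen.add(key)
                    queue.append(nu)
    return True


def circular_wait_marking():
    """A takes r1 and B takes r2; each now waits forever for the other's resource."""
    return fire(fire(MU0, "ta1", PRE, POST), "tb1", PRE, POST)
```

Calling `siphon_control_place(BAD_SIPHON, MU0, "C")` yields a place C with arcs C → ta1, C → tb1, ta3 → C and tb3 → C and µ0(C) = 1, so only one process may start acquiring resources at a time; `deadlock_free` on the augmented net returns True, whereas on the plant it returns False. The same constructor serves any constraint of the form Σ_{p∈S} µ(p) ≥ 1, which is all the Lµ ≥ b rows above consist of.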

[Figure 5.7 (panels (a), (b), (c)): the net drawings, including the control places C1, C2 and C3, did not survive the text extraction.]

Figure 5.7. Deadlock prevention examples.

5.4.2 Least Restrictive Deadlock Prevention

Assume that we have u supervisors for deadlock prevention in N0: Ξ1, Ξ2, ... Ξu. Each supervisor can prevent deadlock if the initial marking is in the sets M1, M2, ... Mu, respectively. Let Ξ be the supervisor defined on M = ∪_{i=1...u} Mi which allows a transition to fire only if at least one of the supervisors Ξi defined for the current marking allows that transition to fire. We denote the supervisor by Ξ = ∨_{i=1}^{u} Ξi. Obviously, Ξ is a deadlock prevention supervisor, and Ξ is at least as permissive as any of the Ξi.

Theorem 5.25

Let N0 be a Petri net and N^A_i, for i = 1...u, the minimal active subnets of N0. Let T^A_i denote the set of transitions of N^A_i and let Ξi, for i = 1...u, be deadlock prevention supervisors. Assume that each Ξi is defined for all initial markings for which T^A_i-liveness can be enforced and that each Ξi is at least as permissive as any T^A_i-liveness enforcing supervisor. Then Ξ = ∨_{i=1}^{u} Ξi is the least restrictive deadlock prevention supervisor of N0.

Proof: The only thing to be proved is that a marking unacceptable to Ξ leads to deadlock. Consider such a marking µ. Let x1, x2, ... xu be the nonnegative integer vectors defining N^A_1, N^A_2, ... N^A_u in Definition 5.13. Thus T^A_i = ‖xi‖ for i = 1...u. Since µ is unacceptable to all of the Ξi and each Ξi is at least as permissive as any T^A_i-liveness enforcing supervisor, for all i = 1...u not all transitions of T^A_i can be made live given the marking µ. We prove by contradiction that µ is a marking from which deadlock cannot be avoided. Assume the contrary, that deadlock can be prevented at µ. Then, there is an infinite firing sequence σ enabled by µ. Let Tx be the set of transitions which appear infinitely often in σ. By Lemma 5.9 there is a nonnegative integer vector x such that Tx = ‖x‖ and Dx ≥ 0, where D is the incidence matrix. Since N^A_1, N^A_2, ... N^A_u are all the minimal active subnets of N0, there is j ∈ {1, 2, ... u} such that ‖xj‖ ⊆ ‖x‖. But this contradicts the fact that not all transitions of ‖xj‖ can be made live at µ. □

Each of the supervisors Ξi satisfying the requirements of the theorem above can be found with the procedure for deadlock prevention that we present in chapter 6 and [78], by starting it with an initial active subnet N^A_i. As an example, consider the Petri net of Figure 5.7(c). There are three minimal active subnets N^A_1, N^A_2 and N^A_3, defined by T^A_1 = {t1,t2}, T^A_2 = {t3,t4} and T^A_3 = {t2,t4,t5,t6,t7,t8,t9}, respectively. Three deadlock prevention supervisors corresponding to N^A_1, N^A_2 and N^A_3 are Ξ1, Ξ2 and Ξ3, defined as follows. For simplicity of notation, we let µi = µ(pi). Ξ1 requires µ1 + µ2 + µ5 + µ6 ≥ 1 ∧ µ1 + µ2 + µ3 + µ4 + µ5 + µ7 ≥ 1 (the inequalities correspond to the two minimal active siphons with respect to N^A_1); Ξ2 requires µ3 + µ4 + µ5 + µ7 ≥ 1 ∧ µ1 + µ2 + µ3 + µ4 + µ5 + µ6 ≥ 1; Ξ3 requires µ1 + µ2 + µ5 + µ6 ≥ 1 ∧ µ3 + µ4 + µ5 + µ7 ≥ 1, and the initial marking µ0 to satisfy in addition ∑_{i=1...7} µ0,i ≥ 2. It can be easily seen that Ξ = Ξ1 ∨ Ξ2 ∨ Ξ3 is the least restrictive deadlock prevention supervisor. In this particular case Ξ1 ∨ Ξ2 ∨ Ξ3 = Ξ1 ∨ Ξ2.

[Figure 5.8 (panels (a), (b)): the net drawings did not survive the text extraction.]

Figure 5.8. Examples for T-liveness enforcement.

5.4.3 T-liveness Enforcement

Based on Theorem 5.21, it is possible to enforce T-liveness in a Petri net. This will be shown in detail in chapter 6. Our results can also be found in [64, 75].

Consider the Petri net of Figure 5.8(a), in which it is desired to ensure T-liveness for T = {t1,t2,t3}. For the displayed marking, all of t1, t2 and t3 are dead. However, we cannot use Theorem 5.19, as the Petri net is not with asymmetric choice. Figure 5.8(b) shows the same Petri net transformed to be with asymmetric choice. Theorem 5.19 is verified, as the minimal active siphon S = {p1,p2,p3,p4,p5,p6,p7} (with respect to the active subnet with set of transitions T) is uncontrolled. Indeed, by firing t4, t5 and t13, S becomes empty. The Petri net of Figure 5.8(a) is not T-live for most initial markings. By applying our T-liveness enforcement approach (chapter 6 and [64, 75]), the least restrictive T-liveness supervisor of the Petri net of Figure 5.8(a) enforces 2µ1 + 2µ2 + 2µ3 + µ4 + µ5 + µ6 + 2µ7 ≥ 2.

5.5 Algorithms

5.5.1 The Computation of Active Subnets

The following algorithm computes the maximal active subnet which does not contain the transitions in a set X.

Algorithm 5.26 Computation of the maximal active subnet

Input: The Petri net N = (P, T, F, W) and its incidence matrix D; optionally, a set X of transitions to be excluded from the active subnet (default is X = ∅).

Output: The active subnet N^A = (P^A, T^A, F^A, W^A).

Let M = T \ X and xs = 0_{|T|×1}
While M ≠ ∅ do
  1. Check feasibility of Dx ≥ 0 subject to x ≥ 0, ∑_{ti∈M} x(i) ≥ 1 and x(i) = 0 ∀ti ∈ X.
  2. If feasible then let x* be a solution; M = M \ ‖x*‖ and xs = x* + xs. Else M = ∅.
End while
The active subnet is N^A = (P^A, T^A, F^A, W^A), T^A = ‖xs‖, P^A = T^A•, F^A = F ∩ {(T^A × P^A) ∪ (P^A × T^A)} and W^A is the restriction of W to F^A.

The next algorithm computes a 𝒯-minimal active subnet of a Petri net, for a given set of transitions 𝒯 ⊆ T. Note that this algorithm can also be used to compute the minimal active subnets of the net, since all minimal active subnets are generated by computing the t-minimal active subnets of the Petri net for all transitions t.

Algorithm 5.27 Computation of 𝒯-minimal active subnets

Input: The Petri net N = (P, T, F, W) and its incidence matrix D; a nonempty set of transitions 𝒯 ⊆ T; optionally, a set X of transitions which must not appear in the 𝒯-minimal active subnet (by default X = ∅).

Output: The active subnet N^A = (P^A, T^A, F^A, W^A).

1. Check the feasibility of Dx ≥ 0 subject to x ≥ 0, x(i) ≥ 1 ∀ti ∈ 𝒯 and x(i) = 0 ∀ti ∈ X.
   If feasible, then let x0 be a solution; T^A = minactn(𝒯, x0, D, T)
   else T^A = maxactn(𝒯, D, T, X) (no 𝒯-minimal solution exists, and so an approximation is constructed)

2. The active subnet is N^A = (P^A, T^A, F^A, W^A), P^A = T^A•, F^A = F ∩ {(T^A × P^A) ∪ (P^A × T^A)} and W^A is the restriction of W to F^A.

minactn(𝒯, x0, D, T)
  Let M = ‖x0‖ and xs = x0.
  For ti ∈ M \ 𝒯 do
    Check feasibility of Dx ≥ 0 subject to x ≥ 0, x(i) = 0, x(j) = 0 ∀tj ∈ T \ M and x(j) ≥ 1 ∀tj ∈ 𝒯.
    If feasible then let x* be a solution; M = ‖x*‖ and xs = x*.
  Return ‖xs‖

maxactn(𝒯, D, T, X)
  Let M = 𝒯 and xs = 0_{|T|×1}
  While M ≠ ∅ do
    Check feasibility of Dx ≥ 0 subject to x ≥ 0, ∑_{ti∈M} x(i) ≥ 1 and x(i) = 0 ∀ti ∈ X.
    If feasible then let x* be a solution; M = M \ ‖x*‖ and xs = x* + xs.
    Else M = ∅.
  N = minactn(𝒯, xs, D, T ∩ ‖xs‖)
  Return N

The algorithms presented in this section only involve linear programming. Note that the algorithms can be performed with polynomial complexity.
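As an added illustration, not part of the dissertation, the following Python code implements Algorithms 5.26 and 5.27 on a constructed five-transition net. Two assumptions are made: the linear-programming feasibility check of the algorithms is replaced by a bounded enumeration of integer vectors (exact only up to the chosen bound, since any nonnegative rational solution of Dx ≥ 0 scales to an integer one), and the final minactn call inside maxactn is read as requiring only those transitions of the required set (the calligraphic T of Algorithm 5.27, `Tset` here) that remain in ‖xs‖. The net, the index-based encoding and the function names are this example's own.

```python
import itertools

# Constructed example (not from the dissertation): two independent cycles and a
# non-repetitive part.  t1: p1 -> p2, t2: p2 -> p1, t3: p3 -> p4, t4: p4 -> p3,
# t5: p5 -> p1.  p5 is never refilled, so t5 belongs to no active subnet.
TRANSITIONS = ["t1", "t2", "t3", "t4", "t5"]
D = [                       # incidence matrix, D[p][t] = W(t, p) - W(p, t)
    [-1,  1,  0,  0,  1],   # p1
    [ 1, -1,  0,  0,  0],   # p2
    [ 0,  0, -1,  1,  0],   # p3
    [ 0,  0,  1, -1,  0],   # p4
    [ 0,  0,  0,  0, -1],   # p5
]


def support(x):
    """||x||: the set of transition indices i with x(i) > 0."""
    return {i for i, v in enumerate(x) if v > 0}


def feasible(D, any_of=(), all_of=(), zero=(), bound=3):
    """Find an integer x >= 0 with Dx >= 0, sum_{i in any_of} x(i) >= 1,
    x(i) >= 1 for i in all_of and x(i) = 0 for i in zero.  Bounded enumeration
    (entries 0..bound) stands in for the LP solver; assumption: the bound suffices."""
    n = len(D[0])
    for x in itertools.product(range(bound + 1), repeat=n):
        if any(x[i] != 0 for i in zero) or any(x[i] < 1 for i in all_of):
            continue
        if any_of and sum(x[i] for i in any_of) < 1:
            continue
        if all(sum(D[r][i] * x[i] for i in range(n)) >= 0 for r in range(len(D))):
            return list(x)
    return None


def maximal_active_subnet(D, exclude=()):
    """Algorithm 5.26: the transitions T^A of the maximal active subnet avoiding `exclude`."""
    n = len(D[0])
    M = set(range(n)) - set(exclude)
    xs = [0] * n
    while M:
        x = feasible(D, any_of=M, zero=exclude)
        if x is None:
            break                                  # "Else M = ∅"
        M -= support(x)
        xs = [a + b for a, b in zip(xs, x)]
    return support(xs)


def minactn(Tset, x0, D):
    """Shrink the support of x0 one transition at a time while keeping all of Tset active."""
    n = len(D[0])
    M, xs = support(x0), list(x0)
    for i in sorted(M - set(Tset)):
        if i not in M:
            continue                               # already dropped by an earlier step
        x = feasible(D, all_of=Tset, zero=(set(range(n)) - M) | {i})
        if x is not None:
            M, xs = support(x), x
    return support(xs)


def maxactn(Tset, D, exclude=()):
    """Fallback of Algorithm 5.27 when no active subnet contains all of Tset: collect the
    largest active part of Tset, then minimise around the transitions that survived."""
    n = len(D[0])
    M, xs = set(Tset), [0] * n
    while M:
        x = feasible(D, any_of=M, zero=exclude)
        if x is None:
            break
        M -= support(x)
        xs = [a + b for a, b in zip(xs, x)]
    return minactn(set(Tset) & support(xs), xs, D)


def t_minimal_active_subnet(D, Tset, exclude=()):
    """Algorithm 5.27: transitions of a Tset-minimal active subnet, or the approximation."""
    x0 = feasible(D, all_of=Tset, zero=exclude)
    if x0 is not None:
        return minactn(set(Tset), x0, D)
    return maxactn(Tset, D, exclude)


def names(indices):
    return sorted(TRANSITIONS[i] for i in indices)
```

On this net `maximal_active_subnet(D)` returns the two cycles {t1,t2,t3,t4}; excluding t1 leaves {t3,t4}; the {t1}-minimal active subnet is {t1,t2}; and asking for a subnet containing t5 falls through to maxactn, which returns the empty set for {t5} alone and {t1,t2} for {t1,t5}. For larger nets the enumeration in `feasible` should be replaced by a real LP solver, which is what makes the algorithms polynomial as the text states.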

5.5.2 Transformation of Petri Nets to PT-ordinary Petri Nets

We use a modified form of the similar transformation from [102], and we call it the PT-transformation. Let N = (P, T, F, W) be a Petri net. Transitions tj ∈ T such that W(p, tj) > 1 for some p ∈ •tj may be split (decomposed) in several new transitions according to the following algorithm.

A transition tj is split in m = n(tj) transitions: tj,0, tj,1, tj,2, ... tj,m−1, where n(tj) = max{W(p, tj) : (p, tj) ∈ F}. Also, m − 1 new places are added: pj,1, pj,2, ... pj,m−1. The connections are as follows:

(i) •pj,i = tj,i, tj,i• = pj,i and pj,i• = tj,i−1, for i = 1...m−1

(ii) •tj,i = {p ∈ •tj : W(p, tj) > i}, for i = 0...m−1

(iii) tj,0• = tj•

Note that tj,0 closely resembles tj: tj,0 has all the connections of tj plus one additional transition arc. After the split is performed, we denote tj,0 by tj.

The PT-transformation consists in splitting all transitions t such that W(p, t) > 1 for some p ∈ •t. In this way the transformed Petri net is PT-ordinary. Note that:

|pj,i•| = |•pj,i| = 1, i = 1...m−1 (5.2)

|tj,i•| = 1, i = 1...m−1 (5.3)

We use the convention that a split transition tj is also a transition of the PT-transformed net, since we denote tj,0 by tj. A transition split example is illustrated in Figure 5.9(a-b).
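The split rules (i)-(iii) in code form, as an added Python example that is not taken from the dissertation. The weighted example net, the naming scheme for the new nodes (tj_i for tj,i and tj_pi for pj,i) and the function names are this example's choices; the transformation itself follows the three rules literally, and `firing_effect` checks that firing the chain tj,m−1, ..., tj,0 has the same token effect as firing the original tj.

```python
# Constructed example (not from the dissertation): PRE[t] = {p: W(p, t)} and
# POST[t] = {p: W(t, p)}.  t2 has input arcs of weight 3, 2 and 1, so n(t2) = 3.
PRE = {"t1": {"p1": 1}, "t2": {"p1": 3, "p2": 2, "p3": 1}}
POST = {"t1": {"p1": 2}, "t2": {"p4": 2}}   # output weights may stay > 1: only PT arcs matter


def is_pt_ordinary(pre):
    """PT-ordinary: every place-to-transition arc has weight 1."""
    return all(w == 1 for arcs in pre.values() for w in arcs.values())


def split_transition(pre, post, tj):
    """Split tj into m = n(tj) transitions tj,0 .. tj,m-1 plus places pj,1 .. pj,m-1
    following rules (i)-(iii).  tj,0 keeps the name tj, as the text's convention says."""
    m = max(pre[tj].values())
    if m <= 1:
        return pre, post
    new_pre = {t: dict(a) for t, a in pre.items() if t != tj}
    new_post = {t: dict(a) for t, a in post.items() if t != tj}
    for i in range(m):
        name = tj if i == 0 else f"{tj}_{i}"
        # (ii): tj,i takes one token from each p in •tj with W(p, tj) > i
        new_pre[name] = {p: 1 for p, w in pre[tj].items() if w > i}
        if i + 1 < m:
            new_pre[name][f"{tj}_p{i + 1}"] = 1    # (i): pj,i+1• = tj,i
        # (i): tj,i• = pj,i for i >= 1;  (iii): tj,0• = tj•
        new_post[name] = {f"{tj}_p{i}": 1} if i > 0 else dict(post[tj])
    return new_pre, new_post


def pt_transform(pre, post):
    """The PT-transformation: split every transition having an input arc of weight > 1."""
    for t in list(pre):
        if max(pre[t].values(), default=1) > 1:
            pre, post = split_transition(pre, post, t)
    return pre, post


def firing_effect(pre, post, sequence):
    """Net token change of firing `sequence`; intermediate places cancel out for a full chain."""
    delta = {}
    for t in sequence:
        for p, w in pre[t].items():
            delta[p] = delta.get(p, 0) - w
        for p, w in post[t].items():
            delta[p] = delta.get(p, 0) + w
    return {p: d for p, d in delta.items() if d != 0}
```

For t2 the result is the chain t2_2 → t2_p2 → t2_1 → t2_p1 → t2, where t2_2 consumes only from p1 (weight 3 > 2), t2_1 from p1 and p2, and t2 from p1, p2 and p3, so that the three firings together remove exactly 3, 2 and 1 tokens, as the original t2 did. Properties (5.2) and (5.3) hold by construction: each new place and each tj,i with i ≥ 1 has a single output arc.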

5.5.3 Transformation of Petri Nets to EAC Nets

This section presents an algorithm that can be used to transform a Petri net to an EAC-net or to an asymmetric-choice Petri net. The transformation of a Petri net to an EAC-net is called the EAC-transformation, and the transformation to an asymmetric-choice Petri net is called the AC-transformation.

Let N = (P, T, F, W) be a Petri net and N' = (P', T', F', W') be the transformed Petri net, where P ⊆ P', T ⊆ T'. The idea of the transformation is as follows. Given the transition t, the conditions (a), (b), and (c) of Definition 5.22 are checked. If none is satisfied, for all pi and pj such that pi ∈ •t, pj ∈ •t, pi• ⊄ pj• and pj• ⊄ pi•, remove t from either the postset of pi or that of pj by adding an additional place and transition. This ensures that part (a) of Definition 5.22 is satisfied for t in the transformed net. The idea is illustrated in Figure 5.9(c-d) for t = t2. Note that the transformation of the original net consists of performing a modified form of transition split operations (where transition splits have been defined in section 5.5.2). The same is true of the AC-transformation. In fact, the EAC-transformation and the AC-transformation only differ in the set of transitions that are split; the EAC-transformation is used to reduce the number of transitions that are split.

[Figure 5.9 (panels (a)-(d)): the net drawings did not survive the text extraction.]

Figure 5.9. Illustration of the transition split: (a) initial configuration; (b) the effect of the PT-transformation; (c) initial configuration; (d) the effect of the EAC-transformation.

Algorithm 5.28 The AC-Transformation and the EAC-Transformation

Input: N = (P, T, F, W), type ∈ {AC, EAC} indicating the transformation type, and optionally M ⊆ P; the default value of M is M = P.

Output: N'

Initialize N' to be identical with N.

Let x be a vector indexed by the transitions of T. For all t ∈ T set x(t) = 1 if |•t| > 1 and x(t) = 0 otherwise.

While ‖x‖ ≠ ∅ do

1. Select a transition t ∈ ‖x‖ and set x(t) = 0.

2. If type = AC, then let U = {(pi,pj) ∈ P × P : pi ∈ •t, pj ∈ •t, pi• ⊄ pj• and pj• ⊄ pi•}; else, let U = eactest(N, t).

3. If U is empty, then continue with the next iteration.

4. Let Q := ∅.

5. For every (pi,pj) ∈ U

   (a) A place p ∈ {pi,pj} ∩ M is selected. If two choices are possible:

      i. p = pi (or p = pj) if pi (or pj) has been previously selected for another element of U.

      ii. otherwise p is chosen such that p appears in another element of U. If both pi and pj satisfy this property, select p ∈ {pi,pj} such that |p•| = max{|pi•|, |pj•|}.

      iii. if none of pi and pj appears in another element of U, select p ∈ {pi,pj} such that |p•| = max{|pi•|, |pj•|}.

   (b) If a place p could be selected (i.e. if {pi,pj} ∩ M ≠ ∅) then Q := Q ∪ {p}.

   (c) For all t' ∈ p• \ {t} set x(t') = 1 if |•t'| > 1.

6. For all p ∈ Q, delete from N' the transition arc (p, t) and add a new place p' and a new transition t' such that •t' = {p}, t'• = {p'}, p'• = {t}, W'(p, t') = W'(t', p') = 1, W'(p', t) = W(p, t), and x(t') = 0.

eactest(N, t)

  Let D be the incidence matrix of N.

  Construct U = {(pi,pj) ∈ P × P : pi ∈ •t, pj ∈ •t, pi• ⊄ pj• and pj• ⊄ pi•}.

  If U is empty, then return ∅.

  Let V = (•t)• \ {t} and TD = {t}.

  While V ≠ ∅ do
    Check feasibility of Dx ≥ 0 subject to x ≥ 0, ∑_{ti∈V} x(i) ≥ 1 and x(i) = 0 for ti = t.
    If feasible then let x* be a solution; V = V \ ‖x*‖.
    Else TD = TD ∪ V, and V = ∅.

  Construct U = {(pi,pj) ∈ P × P : pi ∈ •t, pj ∈ •t, (pi• \ TD) ⊄ (pj• \ TD) and (pj• \ TD) ⊄ (pi• \ TD)}.

  If U is empty, then return ∅.

  Let PL = {p ∈ •t : ∃t' ∈ (•t)• \ TD and p ∈ •t'}.

  If there is t' such that •t' = PL then
    Let N1 be N after removing the transitions in TD.
    U = eactest(N1, t')

  Return U

[Figure 5.10 (places p1, p2, p3, p4 and transitions t1, t2, t3): the net drawing did not survive the text extraction.]

Figure 5.10. Example for step 5(c) of the EAC-transformation.

Note that the only difference between the AC-transformation and the EAC-transformation is the way the set U is computed at step 2. Note also that the original Petri net is only modified by transition splits. The transition splits are performed in step 6 of the algorithm. These transition splits are different from the transition splits of the PT-transformation. In fact, as seen in Figure 5.9(d), it is more precise to say that transition arcs are split. M, the second argument of the transformation, is used to select the transition arcs to be split. Indeed, in general the choice of transitions/transition arcs to be split is not unique. In the next chapter, the parameter M will be used to prevent the algorithm from splitting certain transitions.

The usefulness of step 5(c) may not be immediately apparent. To see it, consider the following scenario. Figure 5.10 shows a part of a Petri net. The algorithm checks the transitions t1, t2, and t3, in this order. The transitions t1 and t2 are found to be satisfactory (they yield U = ∅). However, after t3 is checked, the arcs (p2,t3) and (p3,t3) are split. Without step 5(c), t2 would not be rechecked, even though the split of (p2,t3) and (p3,t3) causes t2 to no longer satisfy Definition 5.22(a)!

The fact that the algorithm terminates can be seen from the following fact: each transition split reduces the number of arcs (p, t) of the net that satisfy |p•| ≥ 1 and |•t| ≥ 1. As the initial number of such arcs is finite, the algorithm terminates.

The eactest subroutine operates as follows. First, it checks whether case (a) of Definition 5.22 is satisfied. If not, it checks case (b), and computes a set U ⊂ P × P with the following property: if for all (pi,pj) ∈ U either of (pi,t) or (pj,t) is split, then case (b) is satisfied for t in the resulting net. Finally, if none of (a) and (b) is satisfied, eactest tests (c). If (c) is not satisfied, eactest returns the set U computed when working at case (b). Note that due to case (c), eactest is a recursive function. However, if we forgo checking case (c), eactest becomes significantly faster, as it is no longer recursive. A computer implementation may favor the latter situation.
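An added Python example, not from the dissertation, of Algorithm 5.28 with type = AC: U is computed as in step 2 for the AC case, and the eactest branch (with its case (c) recursion) is not implemented. The three-transition net, the naming of the nodes created by an arc split (t_p for the new transition and p_t for the new place when the arc (p, t) is split) and the function names are constructed for the illustration. The argument M is honoured as in the algorithm, so passing M = {p2} forces the split onto the arc leaving p2, and step 5(c) re-queues the other consumers of a selected place.

```python
from itertools import combinations

# Constructed example (not the net of Figure 5.9): p1 and p2 are both inputs of t2,
# but p1• = {t1, t2} and p2• = {t2, t3} are incomparable, so the net is not
# asymmetric choice.  Arcs: PRE[t] = {p: W(p, t)}, POST[t] = {p: W(t, p)}.
PRE = {"t1": {"p1": 1}, "t2": {"p1": 1, "p2": 2}, "t3": {"p2": 1}}
POST = {"t1": {"p3": 1}, "t2": {"p3": 1}, "t3": {"p3": 1}}


def postset(pre, p):
    """p•: the transitions that consume from p."""
    return {t for t in pre if p in pre[t]}


def places(pre, post):
    return {p for arcs in list(pre.values()) + list(post.values()) for p in arcs}


def is_asymmetric_choice(pre, post):
    """Any two places sharing an output transition must have nested postsets."""
    for pi, pj in combinations(sorted(places(pre, post)), 2):
        a, b = postset(pre, pi), postset(pre, pj)
        if a & b and not (a <= b or b <= a):
            return False
    return True


def conflicting_pairs(pre, t):
    """Step 2 for type = AC: the set U of input-place pairs of t with incomparable postsets."""
    return [(pi, pj) for pi, pj in combinations(sorted(pre[t]), 2)
            if not (postset(pre, pi) <= postset(pre, pj) or postset(pre, pj) <= postset(pre, pi))]


def choose_place(pi, pj, U, Q, M, pre):
    """Step 5(a): which of pi, pj (restricted to M) loses its arc to t."""
    cands = [p for p in (pi, pj) if p in M]
    if len(cands) < 2:
        return cands[0] if cands else None
    for p in cands:                                   # i. already selected for another pair
        if p in Q:
            return p
    in_other = [p for p in cands                      # ii. appears in another element of U
                if any(p in pair and pair != (pi, pj) for pair in U)]
    if len(in_other) == 1:
        return in_other[0]
    pool = in_other or cands                          # ii./iii. tie-break on |p•|
    return max(pool, key=lambda p: len(postset(pre, p)))


def ac_transform(pre, post, M=None):
    """Algorithm 5.28 with type = AC (the eactest branch is not implemented).
    Splitting the arc (p, t) adds transition t_p and place p_t: p -> t_p -> p_t -> t,
    with W'(p, t_p) = W'(t_p, p_t) = 1 and W'(p_t, t) = W(p, t)."""
    pre = {t: dict(a) for t, a in pre.items()}
    post = {t: dict(a) for t, a in post.items()}
    M = set(M) if M is not None else places(pre, post)
    x = {t for t in pre if len(pre[t]) > 1}           # transitions still to be checked
    while x:
        t = sorted(x)[0]
        x.discard(t)
        U = conflicting_pairs(pre, t)
        if not U:
            continue
        Q = set()
        for pi, pj in U:
            p = choose_place(pi, pj, U, Q, M, pre)
            if p is None:
                continue
            Q.add(p)
            for t2 in postset(pre, p) - {t}:          # step 5(c): recheck p's other consumers
                if len(pre[t2]) > 1:
                    x.add(t2)
        for p in Q:                                   # step 6: split the arc (p, t)
            w = pre[t].pop(p)
            tp, pt = f"{t}_{p}", f"{p}_{t}"
            pre[tp], post[tp] = {p: 1}, {pt: 1}
            pre[t][pt] = w
    return pre, post
```

With the default M the tie on |p1•| = |p2•| = 2 is broken in favour of p1, giving p1 → t2_p1 → p1_t2 → t2 and p1_t2• = {t2} ⊆ p2•; with M = {p2} the arc (p2, t2) of weight 2 is split instead and the weight is carried over to the new arc (p2_t2, t2), as step 6 prescribes. In both cases `is_asymmetric_choice` turns from False to True.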

CHAPTER 6

DEADLOCK PREVENTION AND T-LIVENESS ENFORCEMENT IN PETRI NETS – PART I

6.1 Introduction

This chapter presents procedures for the automated design of deadlock prevention supervisors and T-liveness enforcing supervisors for Petri nets. Deadlock reflects a state of a Petri net in which no transition is enabled. A deadlock prevention supervisor ensures that the closed-loop system never enters a state of deadlock. A T-liveness enforcing supervisor ensures that the closed-loop system never enters a state from which a transition in T can never be fired. Liveness enforcing denotes T-liveness enforcing in the case when the set T equals the total set of the Petri net transitions. Note that our use of deadlock prevention is as an approximation of T-liveness enforcement, as it is easier to obtain a deadlock prevention supervisor. In fact, our procedure for the design of deadlock prevention supervisors may generate supervisors that enforce T-liveness as well. However, to guarantee that T-liveness is enforced, the T-liveness enforcing procedure can be used instead. The procedure for the design of deadlock prevention supervisors will be called the dp-procedure, while the procedure for the design of T-liveness supervisors will be called the le-procedure.

The procedures we propose operate on arbitrary Petri net structures. Consequently, the plant Petri net may be structurally unbounded, generalized, partially repetitive, and with uncontrollable and unobservable transitions. The procedures do not rely on initial marking knowledge; instead, they generate supervisors having a parametric dependence on the initial marking of the plant. The supervisors are described by two sets of marking constraints Lµ ≥ b and L0µ ≥ b0. A supervisor can be used for all initial markings µ0 of the plant that satisfy Lµ0 ≥ b and L0µ0 ≥ b0. Furthermore, a supervisor is implemented by enforcing Lµ ≥ b on the plant via supervision based on place invariants. Note that the procedures guarantee that Lµ ≥ b is admissible with respect to the set of uncontrollable and unobservable transitions of the plant.

The procedures are able to take advantage of knowledge of the reachable markings, when such information is available. This information can be communicated to the procedures via optional arguments describing initial constraints and/or initial-marking constraints. Initial constraints are given in the form LIµ ≥ bI, meaning that the plant will only be used for initial markings such that all reachable markings µ satisfy LIµ ≥ bI. Initial-marking constraints are given in the form LI0µ ≥ bI0, meaning that the plant will only be used for initial markings µ0 satisfying LI0µ0 ≥ bI0.

In the case of fully controllable and observable Petri nets with no initial constraints and no initial-marking constraints, the performance of the dp-procedure is as follows. If it terminates, it generates a deadlock prevention supervisor if one exists, or signals if none exists. If a supervisor is generated, the closed loop is guaranteed to be deadlock-free for all initial markings µ0 of the plant satisfying Lµ0 ≥ b and L0µ0 ≥ b0. Finally, if deadlock prevention is used as an approximation to T-liveness, a sufficient condition for the supervisor to be at least as permissive as the least restrictive T-liveness enforcing supervisor is that the plant has a unique T-minimal active subnet.

In the case of fully controllable and observable Petri nets with no initial constraints and no initial-marking constraints, the performance of the le-procedure is as follows. Upon termination, the procedure generates the constraints Lµ0 ≥ b and L0µ0 ≥ b0, and a set T' ⊆ T. If the procedure terminates, it generates a T'-liveness enforcing supervisor, where (a) T' = T if a T-liveness enforcing supervisor exists, (b) T' ⊂ T if no T-liveness enforcing supervisor exists, and (c) T' = ∅ if deadlock prevention is impossible. Furthermore, when a T-liveness enforcing supervisor exists, the supervisor is least restrictive if the plant has a single T-minimal active subnet. In particular, this means that in the case of liveness enforcement the supervisors generated by the procedure are always least restrictive, as the whole net is the unique T-minimal active subnet.

In the general case, the performance of the dp-procedure is as follows. If it terminates without declaring failure, it generates a deadlock prevention supervisor. The supervisor guarantees that the closed loop is deadlock-free for all initial markings µ0 of the plant satisfying Lµ0 ≥ b and L0µ0 ≥ b0. Results concerning the analysis of the cases when the procedure declares failure are provided. Finally, if deadlock prevention is used as an approximation to T-liveness, we provide sufficient conditions ensuring that the generated supervisors are at least as permissive as the least restrictive T-liveness enforcing supervisor.

In the general case, the performance of the le-procedure is as follows. If it terminates without declaring failure, it generates a T'-liveness enforcing supervisor, for T' ⊆ T. (The procedure attempts to maximize the set T'.) The supervisor guarantees that the closed loop is T'-live for all initial markings µ0 of the plant satisfying Lµ0 ≥ b and L0µ0 ≥ b0. Results concerning the analysis of the cases when the procedure declares failure are provided. Sufficient conditions for T' = T and for the supervisor to be least restrictive are provided.

The procedures may perform computationally complex operations at every iteration. However, once a supervisor has been designed, the computations involved in running it in real time are trivial. In general, the termination of the procedures cannot be guaranteed. In fact, examples are provided for which the procedures are guaranteed to iterate forever.

For the sake of simplicity, the presentation of the procedures has been divided into two parts. This chapter presents simplified procedures, developed under the assumptions that the target Petri nets are fully controllable and observable and that there are no initial constraints or initial-marking constraints. The next chapter presents the general procedures.

The simplified procedures presented in this chapter operate as follows. As they do not have the output T', they terminate immediately if the target net cannot be made T-live for any initial marking. Otherwise, if the net can be made T-live and the procedures terminate, we have the following. The dp-procedure generates the constraints Lµ ≥ b and L0µ ≥ b0 such that the supervisor enforcing Lµ ≥ b prevents deadlock for all initial markings µ0 satisfying Lµ0 ≥ b and L0µ0 ≥ b0. Moreover, the supervisor is at least as permissive as the least restrictive T-liveness enforcing supervisor when the target net has a single T-minimal active subnet. The le-procedure generates the constraints Lµ ≥ b and L0µ ≥ b0 such that the supervisor enforcing Lµ ≥ b enforces T-liveness for all initial markings µ0 satisfying Lµ0 ≥ b and L0µ0 ≥ b0. Further, the supervisor is the least restrictive T-liveness enforcing supervisor when the target net has a single T-minimal active subnet.

The chapter is organized as follows. Section 6.2 presents related work in the literature. Section 6.3 states the deadlock prevention and T-liveness enforcement problems of this chapter. Section 6.4 provides a motivation for the stages of the proposed procedures. Section 6.5 defines the dp-procedure and the le-procedure. Section 6.6 provides examples illustrating the operation of the procedures. Finally, section 6.7 contains theoretical results on the performance of the procedures.

6.2 Related Work

This section presents related work on deadlock prevention and liveness enforcement. In this dissertation, deadlock prevention refers to the prevention of total deadlock, while liveness enforcement to the prevention of all deadlocks. However, note that many papers in the literature do not make this distinction. In such papers deadlock prevention is the same as liveness enforcement, referring to the prevention of all deadlocks.

Historically, the study of deadlocks has arisen in the development of operating systems for computers. In this context, deadlock can arise when concurrent tasks enter a “circular wait”, in which each task waits for another for the release of “resources”. A survey of the early work on system deadlocks can be found in [31]. A more recent review with emphasis on data-base applications appeared in [81]. There has also been work on deadlock avoidance in communication networks [121, 122, 21]. Among the results of the early work are the conditions of Coffman [31], which are necessary and sufficient for deadlocks to occur. Based on these conditions, various methods have been proposed to ensure liveness. As models of concurrent systems, Petri nets have also been studied in the context of system deadlocks. Petri nets can conveniently represent the sequence in which tasks take and release resources. However, since Petri nets have a fixed (static) structure, they offer limited support for resource allocation in operating systems, in which tasks appear and disappear according to the programs that are executed. On the other hand, the approaches of computer operating systems, which are intended for concurrent systems with variable structure, tend to be too restrictive when applied to concurrent systems with fixed structure [12], naturally modeled by Petri nets.

The typical application for the study of system deadlocks in concurrent systems with fixed structure is the resource allocation problem in flexible manufacturing. More recently, it was shown that the supervision of railway networks can be studied in the same framework [46]. The study of deadlocks is also important when additional constraints are imposed on the behavior of concurrent systems, such as mutual exclusion; the additional constraints can be a source of deadlocks. In section 8.4.2 it will be shown that the system deadlock framework can also be applied to the supervisory enforcement of a certain real-time constraint.

In the context of manufacturing systems, the liveness enforcement problem has been approached for restricted classes of Petri net models. These models incorporate the assumptions regarding the interaction between jobs and resources, and belong to subclasses of repetitive and conservative Petri nets. In [12] a liveness enforcement approach is proposed for a class of Petri nets modeling jobs that can hold one resource unit at a time. A less restrictive approach is proposed in [60] for a more general model, allowing a job to hold units from multiple resources at the same time. Another approach for liveness enforcement for a virtually identical class of Petri nets appears in [42]. This approach is further generalized in [130] to allow alternative job routes and multiple units of the same resource to be held by a single job. Notably, this results in Petri nets that are no longer ordinary (that is, they have integer weights on the transition arcs). An approach applying to systems with single unit resources and jobs holding a single resource unit at a time appears in [43]. The approach of [43] uses digraphs, but can be converted to the equivalent class of Petri nets. Another liveness enforcement procedure for Petri nets that are virtually identical to those of [12] appears in [186]. Under certain conditions, the proposed supervision is shown to be least restrictive. In a computer science context, least restrictive liveness enforcing in processes with resource allocation appears in the early works of [103, 165]. In addition to several technical conditions, it is assumed that a process does not request again units of a resource after it has started releasing units of that resource. Since multiple units of the same resources can be allocated, the Petri net models are not ordinary. Excepting the integer arc weights, the Petri net model of [103, 165] can be seen as a restriction of that of [60].

Liveness enforcement has also been studied in the general context of Petri nets, that is, without a specific application in mind. Note that for bounded Petri nets, given an initial marking, one can build the reachability graph and then design a supervisor that avoids the states from which liveness cannot be maintained. However, this approach is computationally complex, as the size of the reachability graph can be exponentially related to the size of the Petri net. Note that building the reachability graph corresponds to the construction of an automaton with the same language (DES dynamics) as the Petri net initialized at the given initial marking.

To avoid this computational problem, reachability analysis based on the unfolding of the net has been proposed in [54] for the design of liveness enforcing supervisors. This approach requires bounded Petri nets. Computational savings arise when the reachable states allow several transitions to fire at the same time. Another approach to reduce the computational burden is found in [159]. The paper identifies a class of Petri nets that can be reduced to Petri nets involving fewer places and transitions. Liveness enforcement is then reduced to liveness enforcement in the smaller Petri net, which is naturally less complex. Other computational savings can be obtained for Petri nets consisting of subnets interconnected by single places or single transitions [160]. Alternatively, structural methods can be applied in order to avoid building the reachability graph. In [156], it is shown that for a subclass of free-choice Petri nets, called Independent Increasing Free-Choice Petri nets (II-FCPN), liveness can be achieved by ensuring that certain siphons are properly marked. Of course, this property is typically not true for general Petri nets. The result of [156] has been extended in [158] to Petri nets with a free-choice equivalent that is an II-FCPN.

In the literature there are only a few results related to liveness enforcing in Petri nets which may have uncontrollable and unobservable transitions. The unfolding approach of [54] considers partially controllable Petri nets. In [131], liveness enforcement under partial controllability is considered for the Petri net models of [130, 172]. The existence of liveness enforcing supervisors for Petri nets with uncontrollable transitions has been considered in [157]. In [123] it has been noticed that for some Petri nets with uncontrollable and unobservable transitions, liveness enforcement and deadlock prevention can be achieved by enforcing linear marking constraints. In [161] it is shown that in a partially controlled free-choice Petri net in which liveness is enforcible for some initial markings, there is a set of minimal markings which can be used to check whether liveness is enforcible at a given initial marking and to synthesize the least restrictive liveness enforcing supervisor. Apparently, to date there is no work on liveness enforcement in Petri nets under partial observability.

Liveness is a special case of T-liveness, as it means that all transitions in a Petri net are live. In the literature there is little work on T-liveness. Note that the supervisory problem solved by our procedure cannot be solved with finite automata based approaches. Indeed, since we consider Petri net structures rather than a Petri net with an initial marking, an automaton which would have the behavior of the Petri net for any initial marking would have an infinite number of states. Of course, this is not the case for the approaches which consider a single initial marking and a bounded Petri net. Applications which may benefit from considering the initial marking to be unknown are in the area of Flexible Manufacturing, as part of the initial marking corresponds to the number of available resources. The problem of characterizing the set of markings for which a Petri net can be made T-live is decidable in the case of Petri nets with controllable and observable transitions [177]. The algorithm proposed in [177] searches the marking space to find a set of minimal markings; based on this set the least restrictive T-liveness enforcing supervisor can be immediately derived. However, the approach of [177] is not very practical for two reasons: (a) the coverability graph is to be evaluated for every marking considered during the search; (b) the number of minimal markings may be large (e.g. exponential in the size of the net).

The T-liveness enforcement procedure of this dissertation is iterative, correcting new deadlock situations at every iteration. Iterations that correct deadlock situations have also been used in [102, 172]. In our procedure we employ supervisory control based on place invariants [45, 124, 190], which is also described in chapter 3 at page 28. We also use a transformation to almost ordinary Petri nets and a transformation to asymmetric-choice nets. The first transformation was inspired by a similar transformation in [102]. A transformation to free-choice nets, a particular class of asymmetric-choice nets, has been used in [155, 158]. Note also that the use of control places for liveness enforcement first appeared in [103, 165].

6.3 Problem Statement

This section presents the main problems approached in this chapter. Section 6.3.1 presents the problem statement for deadlock prevention, while section 6.3.2 presents the problem statement for T-liveness enforcement.

6.3.1 Deadlock Prevention

The following describes the problem statement for deadlock prevention of this chapter. Given a Petri net N and a set of transitions T, the problem is to find, if possible, two sets of marking constraints Lµ ≥ b and L0µ ≥ b0 such that:

1. For all initial markings µ0 that satisfy Lµ0 ≥ b and L0µ0 ≥ b0, the supervisor enforcing Lµ ≥ b via supervision based on place invariants prevents deadlock.

2. The supervisor is not overly restrictive.

3. The supervisor is a good approximation of a T-liveness enforcement supervisor.

Finally, the case when T -liveness enforcement is impossible at all initial markings should be identified.

Requirements 2 and 3 are not to be taken strictly. The third requirement states that our purpose is not least restrictive deadlock prevention (i.e. allowing any local deadlocks to occur as long as the system is not totally deadlocked), but rather to approximate T-liveness enforcement. Such an approximation is of interest because deadlock prevention supervisors are (computationally) easier to obtain than T-liveness enforcement supervisors. In our dp-procedure, approximating T-liveness enforcement means that if local deadlock possibilities leading to loss of T-liveness are identified, the designed supervisor will avoid them. However, the dp-procedure is not guaranteed to identify all such possibilities; the le-procedure, described next, can be used for this purpose.

6.3.2 T-liveness Enforcement

The following describes the problem statement for T-liveness enforcement of this chapter. Given a Petri net N and a set of transitions T, the problem is to find, if possible, two sets of marking constraints Lµ ≥ b and L0µ ≥ b0 such that:

1. For all initial markings µ0 that satisfy Lµ0 ≥ b and L0µ0 ≥ b0, the supervisor enforcing Lµ ≥ b via supervision based on place invariants enforces T-liveness.

2. The supervisor is not overly restrictive.

Finally, the case when T-liveness enforcement is impossible at all initial markings should be identified.

[Figure 6.1, panels (a), (b) and (c): image not reproduced in this text extraction.]

Figure 6.1. Motivating the linear marking inequalities.

With regard to the second requirement, note that the le-procedure aims to generate least restrictive supervisors. The supervisors generated by the le-procedure are guaranteed to be least restrictive for certain plant Petri nets. An extension of the le-procedure will be proposed to generate the least restrictive supervisor when the supervisors generated by the le-procedure are not guaranteed to be least restrictive.

6.4 Motivation

The intention of this section is to motivate our approach to deadlock prevention and T-liveness enforcement. Our approach can be seen as an iterative procedure that, at every iteration, controls active siphons of the net and performs net transformations. Iterations are necessary because controlling siphons may generate new uncontrolled siphons. The procedure terminates when no more uncontrolled active siphons remain. Upon termination, it generates the two sets of linear marking constraints Lµ ≥ b and L0µ ≥ b0.

This section is organized as follows. Section 6.4.1 illustrates the use of linear marking constraints as a compact description of the set of markings for which a Petri net can be made live. Section 6.4.2 shows on an example why iterations are necessary. Section 6.4.3 explains the need for net transformations.

6.4.1 The Role of Linear Marking Inequalities

This section illustrates the constraints Lµ ≥ b and L0µ ≥ b0 on the Petri net of Figure 6.1(a). It can be noticed that the following set of marking inequalities characterizes all initial markings for which liveness can be enforced:

µ1 + µ3 ≥ 1 (6.1)

µ2 + µ3 ≥ 1 (6.2)

µ1 + µ2 + µ3 ≥ 2 (6.3)

Furthermore, each inequality is necessary: by removing any of the inequalities we can find an initial marking satisfying the remaining inequalities for which liveness cannot be enforced. Once we have come up with the set of initial markings for which liveness can be enforced, we can create a supervisor enforcing liveness via supervision based on place invariants (see Theorem 3.1). The supervised Petri net is shown in Figure 6.1(b), where the control places C1, C2 and C3 correspond to the inequalities (6.1), (6.2), and (6.3). The initial marking of the control places depends on the initial marking µ0 of the Petri net as follows:

µ0,C1 = µ0,1 + µ0,3 − 1 (6.4)

µ0,C2 = µ0,2 + µ0,3 − 1 (6.5)

µ0,C3 = µ0,1 + µ0,2 + µ0,3 − 2 (6.6)

However, it can be noticed that by removing the control place C3 liveness is still enforced (Figure 6.1(c)) for all initial markings satisfying (6.1), (6.2), and (6.3).

Then, we can write (6.1) and (6.2) as a matrix inequality Lµ ≥ b, and (6.3) as a matrix inequality L0µ ≥ b0. With these notations we can say that liveness is enforced for all initial markings µ0 satisfying Lµ0 ≥ b and L0µ0 ≥ b0 by the supervisor enforcing Lµ ≥ b.

[Figure 6.2, panels (a) and (b): image not reproduced in this text extraction.]

Figure 6.2. Siphon control may cause new siphons that need control.

Finally, note that in some problems the set of markings for which T-liveness can be enforced cannot be represented as a conjunction of linear marking inequalities. Such a set of markings cannot be represented by the sets of inequalities Lµ ≥ b and L0µ ≥ b0. For such problems the le-procedure of this dissertation can behave in two ways: (i) it does not converge; (ii) it does not generate the least restrictive T-liveness enforcing supervisor. Note that we prove that behavior (ii) may happen only if the Petri net has more than one T-minimal active subnet. As an example, consider the Petri net of Figure 6.3(c). For both markings µ0 = [2, 0, 0, 0] and µ1 = [0, 2, 0, 0] liveness can be enforced; however, µ2 = 0.5µ0 + 0.5µ1 is a deadlock marking. Therefore no conjunction of linear marking inequalities can describe the set of initial markings for which liveness can be enforced.

6.4.2 The Role of Iterations

This section explains, based on the example of Figure 6.2, why our approach needs to be iterative. In our approach minimal active siphons are controlled, as deadlock and loss of T-liveness have been related to empty active siphons (see Proposition 5.17 and Theorem 5.21). However, it is known that the control of siphons can generate new siphons, and so new possibilities of deadlock [42, 102, 13]. This is shown in the example of Figure 6.2. To control the siphon {p1, p2, p3, p4, p5}, the control place C is generated. By adding C to the net two new minimal siphons appear: {C, p1, p5} and {C, p1, p6}. Note that for the marking shown in Figure 6.2(b), the siphon {C, p1, p5} is uncontrolled. So, controlling {p1, p2, p3, p4, p5} creates new siphons to control. Therefore, in order to obtain Petri nets with no uncontrolled active siphons, our procedure iteratively controls the minimal active siphons until no uncontrolled active siphons remain.

[Figure 6.3, panels (a) and (b): image not reproduced in this text extraction.]

Figure 6.3. More motivating examples.

Finally, our interest is to find, if possible, all initial markings for which a Petri net can be made T-live. In this context, the definition of a controlled siphon differs from that in the literature. In our case, a siphon S will be considered controlled if, for all markings for which the previous siphons controlled by the procedure are not empty, S is not empty.

6.4.3 The Need for Net Transformations

This section explains the need for net transformations in our approach. Consider the Petri net of Figure 6.3(a). It can be seen that only the transitions t4 and t5 can be made live. So there are no initial markings for which liveness is enforcible. However, there are initial markings for which {t4, t5}-liveness is enforcible. These initial markings can be described by the inequality

2µ1 +2µ2 + µ3 ≥ 2 (6.7)

The only active subnet of the net is defined by the set of transitions {t4, t5}, and the only siphon of the net equals the total set of places of the Petri net. For all nonzero initial markings this siphon is controlled. However, a nonzero initial marking does not imply that (6.7) is satisfied. This suggests that the empty siphon criterion for deadlock is not very useful for T-liveness enforcement in Petri nets that are not PT-ordinary asymmetric-choice nets, as is the case for our Petri net. Furthermore, this also suggests the use of transformations to asymmetric-choice and PT-ordinary nets, in order to be able to use Theorem 5.21.

Note also that controlling siphons may cause an ordinary Petri net to become a generalized Petri net. This is an additional motivation for considering transformations to PT-ordinary nets in the procedures. An example is shown in Figure 6.4. Controlling the siphon {p1, p2, p3} with the control place C results in the weight W(C, t4) = 2 > 1, showing that the supervised net is no longer ordinary. Finally, siphon control may also cause a net to no longer be asymmetric-choice.

[Figure 6.4, panels (a) and (b): image not reproduced in this text extraction.]

Figure 6.4. Siphon control may change an ordinary net to a nonordinary net. Here, C controls the siphon {p1, p2, p3}.

6.5 Procedure Definition

6.5.1 Definition

In this section the dp-procedure and the le-procedure are defined. Because they share many common operations, they are defined as a single procedure with an input argument selecting between deadlock prevention and T-liveness enforcement. From now on, this procedure will be denoted as the procedure; depending on its input argument, the procedure can be either the dp-procedure or the le-procedure.

Given a target Petri net N0, the procedure generates a sequence of Petri nets N1, N2, ..., Nk, increasingly enhanced for T-liveness. In the case of deadlock prevention, N1, N2, ..., Nk are PT-ordinary. In the case of T-liveness enforcement, N1, N2, ..., Nk are asymmetric-choice and PT-ordinary. The Petri net N1 is N0 transformed to be PT-ordinary, or PT-ordinary and asymmetric-choice. The Petri nets Ni are defined as follows. In each iteration i, the uncontrolled minimal active siphons of Ni are controlled. Then, if needed, the Petri net is transformed to be PT-ordinary, or PT-ordinary and asymmetric-choice. The result is the net Ni+1. Controlling a siphon S involves enforcing the inequality Σ_{p∈S} µ(p) ≥ 1 via supervision based on place invariants. A siphon S is controlled if for all markings for which the previously controlled siphons are not empty, S is not empty. Otherwise, S is uncontrolled. The active siphons are taken with respect to a T-minimal active subnet. For each Ni, that subnet is denoted by N_i^A. The procedure terminates at the iteration k for which Nk has no uncontrolled active siphons.

The constraints Lµ ≥ b and L0µ ≥ b0 are obtained as follows. At every iteration i, when a siphon S is controlled, a marking constraint corresponding to Σ_{p∈S} µ(p) ≥ 1 is derived, and added to either Lµ ≥ b or L0µ ≥ b0. Let us denote by Liµ ≥ bi and L0,iµ ≥ b0,i the constraints Lµ ≥ b and L0µ ≥ b0 after iteration i. The final constraints Lµ ≥ b and L0µ ≥ b0 are obtained from Lkµ ≥ bk and L0,kµ ≥ b0,k by restricting them to the places of N0.

In the procedure:

- µp is the marking of the places which are not control places

- µc is the marking of the control places

- The Petri net of iteration i is Ni = (Pi, Ti, Fi, Wi).

- The active subnet of Ni is N_i^A = (P_i^A, T_i^A, F_i^A, W_i^A).

The procedure notation is such that the equation

µc = Lµp − b (6.8)

describes the invariants enforced by the control places at any iteration. We denote a set of constraints Xµ ≥ x as (X, x). We give the detailed description of the specific steps of the procedure in the following subsections. Thus we annotate the procedure steps with the number of the subsection in which we describe in detail the specific operation.

Procedure 6.1 Deadlock Prevention/T-Liveness Enforcement

Input: The target Petri net N0, a nonempty set of transitions T, and type ∈ {DP, LE}, identifying the design type: deadlock prevention (DP) or T-liveness enforcement (LE).

Output: Two sets of constraints (L, b) and (L0, b0).

A. N0 is transformed to be PT-ordinary if type = DP, and asymmetric-choice PT-ordinary if type = LE (the transformations appear in section 5.5.2 at page 152 and in Algorithm 5.28 at page 154).(1) Let the transformed net be N1. Let i = 1, P = P1, and C = ∅.

B. A T-minimal active subnet N_1^A is computed for N1 (Algorithm 5.27 at page 151). If none exists, the procedure terminates and declares that T-liveness cannot be enforced for any initial marking.

C. While true do

1. Let (A, d) and (A0, d0) be empty sets of marking constraints.

2. If no uncontrolled minimal active siphon is found (section 6.5.2), the next step is D.(2)

3. For every uncontrolled minimal active siphon S: test whether Σ_{p∈S} µ(p) ≥ 1 needs control place enforcement (section 6.5.2 at page 178). If it does, include Σ_{p∈S} µ(p) ≥ 1 in (A, d). Else include Σ_{p∈S} µ(p) ≥ 1 in (A0, d0).

4. Let N'_i = (P'_i, T'_i, F'_i, W'_i) be the Petri net structure obtained by enforcing Aµ ≥ d in Ni via supervision based on place invariants (see Theorem 3.1 at page 29), and let A^I µ' = d be the corresponding place invariant equations (see equation (6.8)).

5. If type = DP, N'_i is transformed to be PT-ordinary; if type = LE, the Petri net is transformed to be PT-ordinary and asymmetric-choice (section 5.5.2 at page 152 and Algorithm 5.28 at page 154);(1) note that the argument M of Algorithm 5.28 is set to M = P'_i \ Pi. Let Ni+1 be the transformed net.

6. Update A^I according to the net transformations performed at step 5 (section 6.5.5 at page 183). Let A^u be the updated A^I (this means that A^I µ' = d in N'_i corresponds to A^u µ = d in Ni+1, where µ' and µ are markings of N'_i and Ni+1).

7. Let P = P ∪ (Pi+1 \ P'_i), C^o = C, and C = C ∪ (P'_i \ Pi).(3) Let µp = µ|P and µc = µ|C, for any marking µ of Ni+1. For each place in Pi+1 \ P'_i add a null column to each of L and L0, to match the size of µ. Similarly, add null columns to A0 to match the size of µ. Let Ap = A^u|P, Ap0 = A0|P, Ac = A^u|C^o, and Ac0 = A0|C^o.(4)

8. If (L, b) is empty, include Apµp ≥ d in (L, b) and Ap0µp ≥ d0 in (L0, b0). Else, do the following:

(a) If (A0, d0) is not empty, include (Ap0 + Ac0 L)µp ≥ d0 + Ac0 b in (L0, b0).

(b) If (A, d) is not empty, include (Ap + Ac L)µp ≥ d + Ac b in (L, b).

9. Compute the new active subnet N_{i+1}^A (section 6.5.6 at page 185). Let i = i + 1. The next step is C.1.

D. The constraints (L, b) and (L0, b0) are restricted to the columns corresponding to the places of N0.

E. Optionally, the redundant constraints of (L, b) and (L0, b0) are removed.(5)

(1) The transformation to PT-ordinary Petri nets has no effect if the Petri net is already PT-ordinary; the same is true of the transformation to asymmetric-choice nets.

(2) In the worst case, the number of uncontrolled minimal siphons depends exponentially on the size of the net. Checking whether a siphon is uncontrolled may involve solving a linear integer program.

(3) Given a set of places X, µ|X is the restriction of µ to the places of X.

(4) A^u|P is the restriction of A^u to the columns corresponding to places in P; A0|P, A^u|C^o, ..., have a similar meaning.

(5) This operation may involve integer programming.

Remarks: Note that the final constraints (L, b) and (L0, b0) are such that:

• If type = LE, T-liveness is enforced for all initial markings µ0 such that Lµ0 ≥ b and L0µ0 ≥ b0 when (N0, µ0) is supervised according to Lµ ≥ b.

• If type = DP, deadlock is prevented for all initial markings µ0 such that Lµ0 ≥ b and L0µ0 ≥ b0 when (N0, µ0) is supervised according to Lµ ≥ b.

Note also that in the case of T-liveness enforcement, the transformations to asymmetric-choice Petri nets could be replaced by transformations to EAC Petri nets (Algorithm 5.28 at page 154). Experimental results indicate the procedure is more likely to converge when transformations to EAC Petri nets are used. □

We proceed by describing the specific operations involved in the procedure that have not yet been (completely) defined.

6.5.2 Siphons Not Needing Control

Here step C.3 of the procedure is discussed. First, the uncontrolled siphons are explicitly defined. Then, the situation in which an uncontrolled siphon does not need a control place is explained. A siphon S is uncontrolled if

Σ_{p∈S} µ(p) ≥ 1 (6.9)

is not implied by µc = Lµp − b, L0µp ≥ b0, Aµ ≥ d, and A0µ ≥ d0. In other words, S is uncontrolled iff the system of µ|S = 0, µc = Lµp − b, L0µp ≥ b0, Aµ ≥ d, and A0µ ≥ d0 has an integer solution µ ≥ 0. We design the procedure, in particular the transformation to PT-ordinary asymmetric-choice Petri nets, in such a way that an uncontrolled siphon is always a siphon which did not exist at a previous iteration. Thus at step C.3 it is enough to check only the new siphons which appeared due to steps C.4 and C.5 of the previous iteration. It can be seen that checking whether a siphon is uncontrolled may involve solving an integer program. When this check is not done the procedure remains correct; however, it may converge more slowly or even diverge.

There are siphons S which satisfy (6.9) at all reachable markings if (6.9) is satisfied at the initial marking. Such siphons do not need a control place to ensure that (6.9) is satisfied. We identify that an uncontrolled siphon S does not need a control place C by checking whether C would satisfy C• ⊆ •S. When this is the case, (6.9) is included in (A0, d0), which contains constraints on the initial marking.

Example 6.2 Consider the Petri net of Figure 6.1(a) at page 168, and assume that we apply the dp-procedure to it and that T = {t1, t2, t3}. At the first iteration there are two minimal siphons: S1 = {p1, p3} and S2 = {p2, p3}. Assume that the procedure considers them in this order: first S1, then S2. Since (L, b), (L0, b0), (A, d) and (A0, d0) are empty, S1 is uncontrolled. The control place C1 controlling S1 is needed, as C1• ⊄ •S1; see Figure 6.1(c). Therefore (A, d) becomes µ1 + µ3 ≥ 1. Next, when S2 is considered, S2 is also uncontrolled, since (L, b), (L0, b0), and (A0, d0) are empty, and the system of µ1 + µ3 ≥ 1 and µ2 + µ3 = 0 has a nonnegative integer solution. The control place C2 of S2 is also needed, as C2• ⊄ •S2. At the second iteration we have two new minimal siphons: S3 = {p1, C2} and S4 = {p2, C1}. Assume that the procedure considers first S3 and then S4. The constraints (L, b) at the second iteration are µ1 + µ3 ≥ 1 and µ2 + µ3 ≥ 1, while (L0, b0) are empty. The siphon S3 is uncontrolled, since the system of µ1 + µ(C2) = 0, µ(C1) = µ1 + µ3 − 1, µ(C2) = µ2 + µ3 − 1 has a nonnegative integer solution, and (L0, b0), (A, d) and (A0, d0) are empty. The control place C3 that results for S3 is not needed, as it satisfies C3• ⊆ •S3; see Figure 6.1(b). Consequently, (A0, d0) becomes µ1 + µ(C2) ≥ 1. Next, note that the siphon S4 is controlled, since the system of µ2 + µ(C1) = 0, µ1 + µ(C2) ≥ 1, µ(C1) = µ1 + µ3 − 1, and µ(C2) = µ2 + µ3 − 1 has no solution. □

6.5.3 Generating the Sets of Inequalities (L, b) and (L0, b0)

This section explains the meaning of step C.8. The marking constraints generated by the procedure correspond to the constraints (6.9) on the uncontrolled minimal active siphons of each iteration. These constraints are first stored in (A, d) and (A0, d0), and then the constraints of (A, d) are added to those of (L, b), and those of (A0, d0) to (L0, b0). Step C.8 also ensures that the constraints are added to (L, b) and (L0, b0) not as they are, but after writing them in terms of the places of the net that are not control places. Indeed, the procedure is set up such that all constraints (L, b) and (L0, b0) are written only in terms of µp, the marking of the places that are not control places. In this way the Petri net of each iteration satisfies µc = Lµp − b (and so Lµp ≥ b) for all reachable markings if µc = Lµp − b is satisfied at the initial marking.

The constraints Lµp ≥ b are recursively obtained as follows. The siphons in an iteration i may contain control places added in previous iterations. Thus (6.9) may involve not only places of the target net N0, but also control places. However, the marking of the control places appearing in (6.9) can be eliminated by using µc = Lµp − b. Thus the operations in step C.8 correspond to adding new constraints to (L, b) and (L0, b0), after substituting in them the control place markings given by µc = Lµp − b.

Example 6.3 Here we continue Example 6.2. After the siphons S3 and S4 have been considered, the procedure adds the constraint µ1 + µ(C2) ≥ 1 of (A0, d0) to the empty set of constraints (L0, b0). The current constraints in (L, b) are µ1 + µ3 ≥ 1 and µ2 + µ3 ≥ 1, that is,

L = | 1 0 1 |   and   b = | 1 |
    | 0 1 1 |             | 1 |

As µc = Lµp − b, µ(C2) is substituted with µ2 + µ3 − 1; thus µ1 + µ(C2) ≥ 1 becomes µ1 + µ2 + µ3 ≥ 2, which is the inequality added to (L0, b0). The constraints (L0, b0) are:

L0 = | 1 1 1 |   and   b0 = | 2 |   □
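As an added example (not from the dissertation), the following Python reproduces the siphon bookkeeping of Examples 6.2 and 6.3 in the notation of Procedure 6.1: minimal siphons, the control place of a siphon from the invariant (6.11), the C• ⊆ •S test of section 6.5.2, a brute-force stand-in for the integer program behind (6.9), and the step C.8 substitution. Since Figure 6.1(a) is not recoverable from the text, the net used (t1: p1 + p2 → 2p3, t2: p3 → p1, t3: p3 → p2) is an assumption chosen so that it yields the siphons S1 to S4 and the constraints of the two examples.

```python
"""Siphon control via supervision based on place invariants, in the notation of
Procedure 6.1 (steps C.3, C.4, C.8).  Added example; the net is an assumption built
to match the siphons and inequalities the text gives for Figure 6.1(a)."""
from itertools import combinations, product

# Constructed net:  t1: p1 + p2 -> 2 p3,   t2: p3 -> p1,   t3: p3 -> p2.
PLACES = ["p1", "p2", "p3"]
TRANS = ["t1", "t2", "t3"]
W = {("p1", "t1"): 1, ("p2", "t1"): 1, ("p3", "t2"): 1, ("p3", "t3"): 1,  # W(p, t)
     ("t1", "p3"): 2, ("t2", "p1"): 1, ("t3", "p2"): 1}                   # W(t, p)

def pre_set(S, W):
    """•S: transitions with an arc into some place of S."""
    return {t for t in TRANS for p in S if W.get((t, p), 0) > 0}

def post_set(S, W):
    """S•: transitions with an arc out of some place of S."""
    return {t for t in TRANS for p in S if W.get((p, t), 0) > 0}

def minimal_siphons(places, W):
    """Siphons (•S ⊆ S•) containing no smaller siphon; brute force, small nets only."""
    found = []
    for k in range(1, len(places) + 1):
        for S in map(frozenset, combinations(places, k)):
            if pre_set(S, W) <= post_set(S, W) and not any(m < S for m in found):
                found.append(S)
    return found

def control_place(S, name, W):
    """Arcs of the control place C enforcing sum_{p in S} mu(p) >= 1: by the invariant
    (6.11) mu(C) = -1 + sum mu(p), so C's incidence row is the sum of the rows of S."""
    arcs = {}
    for t in TRANS:
        delta = sum(W.get((t, p), 0) - W.get((p, t), 0) for p in S)
        if delta > 0:
            arcs[(t, name)] = delta    # t adds tokens to S: arc t -> C
        elif delta < 0:
            arcs[(name, t)] = -delta   # t removes tokens from S: arc C -> t
    return arcs

def needs_control(S, name, arcs, W):
    """Section 6.5.2: the control place is needed unless C• ⊆ •S."""
    return not {t for (c, t) in arcs if c == name} <= pre_set(S, W)

def uncontrolled(S, invariants, ineqs, bound=3):
    """Brute-force stand-in for the integer program behind (6.9): a marking mu >= 0 with
    mu|S = 0 satisfying mu_c = L mu_p - b and every (row, rhs) in ineqs, else None."""
    for vals in product(range(bound + 1), repeat=len(PLACES)):
        mu = dict(zip(PLACES, vals))
        for c, (row, const) in invariants.items():
            mu[c] = sum(a * mu[p] for p, a in row.items()) - const
        if any(mu[c] < 0 for c in invariants) or any(mu[p] for p in S):
            continue
        if all(sum(a * mu[p] for p, a in row.items()) >= rhs for row, rhs in ineqs):
            return mu
    return None

def in_plant_places(row, rhs, invariants):
    """Step C.8: substitute mu_c = L mu_p - b, turning a constraint that mentions
    control places into (A_p + A_c L) mu_p >= d + A_c b."""
    out = dict(row)
    for c, (lrow, const) in invariants.items():
        a_c = out.pop(c, 0)
        for p, l in lrow.items():
            out[p] = out.get(p, 0) + a_c * l
        rhs += a_c * const
    return {p: a for p, a in out.items() if a}, rhs

def plant_first(S):   # visit order: plant places before control places (S1..S4 of 6.2)
    return sorted(S, key=lambda p: (p[0] != "p", p))

def run_procedure():
    """Steps C.1-C.8 of the dp-procedure on the constructed net until no uncontrolled
    minimal siphon remains.  Steps C.5/C.6 are omitted: every place-to-transition arc
    here has weight 1, so the PT-transformation changes nothing.  Returns (L, b) and
    (L0, b0) as lists of (row, rhs), and the number of iterations."""
    W_i, places, invariants, L_b, L0_b0, k = dict(W), list(PLACES), {}, [], [], 0
    while True:
        k += 1
        A_d, A0_d0, added = [], [], []
        for S in sorted(minimal_siphons(places, W_i), key=plant_first):
            if uncontrolled(S, invariants, L0_b0 + A_d + A0_d0) is None:
                continue                                # step C.3: S already controlled
            name = f"C{len(invariants) + len(added) + 1}"
            arcs = control_place(S, name, W_i)
            if needs_control(S, name, arcs, W_i):
                A_d.append(({p: 1 for p in S}, 1))
                added.append((name, S, arcs))
            else:                                       # e.g. S3 = {p1, C2}: C3• = ∅
                A0_d0.append(({p: 1 for p in S}, 1))
        if not A_d and not A0_d0:
            break                                       # step D
        for name, S, arcs in added:                     # step C.4: add control places
            W_i.update(arcs)
            places.append(name)
            invariants[name] = ({p: 1 for p in S}, 1)
        L_b += [in_plant_places(r, d, invariants) for r, d in A_d]      # step C.8
        L0_b0 += [in_plant_places(r, d, invariants) for r, d in A0_d0]
    return L_b, L0_b0, k

if __name__ == "__main__":
    print(run_procedure())   # prints (L, b), (L0, b0) and the iteration count
```

With the constructed net the run ends after three iterations with (L, b) = {µ1 + µ3 ≥ 1, µ2 + µ3 ≥ 1} and (L0, b0) = {µ1 + µ2 + µ3 ≥ 2}, the constraints of Example 6.3; the brute-force bound replaces the integer program only for this small illustration.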

6.5.4 Petri Net Transformations

This section describes the Petri net transformations performed at step C.5. The transformation to PT-ordinary nets (the PT-transformation) has been described in section 5.5.2 at page 152. The transformation to asymmetric-choice Petri nets (the AC-transformation) is described in Algorithm 5.28 at page 154. Note that in the case of T-liveness enforcement, the procedure applies first the PT-transformation and then the AC-transformation. There are many ways in which these transformations could be done. Our concern has been to design the transformations so that we can prove the procedure generates deadlock prevention/T-liveness enforcing supervisors, and that the supervisors are permissive. To this end we impose three requirements R1, R2, and R3, which we state below. With regard to the requirements below, recall that the transformations we use employ transition splits, where a transition is split when decomposed into a sequence of places and transitions. The requirements we impose are written in terms of the notation of the procedure. The requirements are:

R1 No control place in C is in the postset of a transition created by a transition split.

R2 Any set of inequalities Xµ ≥ x which hold true in Ni, hold true also in Ni+1, for i ≥ 1.(6)

R3 The constraints Aµ ≥ d enforced on Ni in step C.4 are satisfied in Ni+1.(7)

The argument M of the AC-transformation is used to select the transitions to be split. Indeed, in general there are many ways to transform a net to an asymmetric-choice net by splitting transitions. The procedure sets M = P'_i \ Pi in order that the requirement R2 may be satisfied, thus ensuring that the constraints added in the previous iterations remain enforced. Note that P'_i \ Pi equals the set of control places resulting from enforcing Aµ ≥ d at step C.4. The fact that the transformation of N'_i to an asymmetric-choice net requires only splitting arcs (p, t) with p ∈ P'_i \ Pi results from the fact that Ni has asymmetric-choice. Note that M is not used at the AC-transformation of step A of the procedure. When M is not used, Algorithm 5.28 is given no preference with regard to what transitions to split.

(6) That is, for all markings µ0 of Ni satisfying (∀µ ∈ R(Ni, µ0): Xµ ≥ x), we have that for all markings µ0,i+1 of Ni+1 such that µ0,i+1|Ni = µ0, (∀µi+1 ∈ R(Ni+1, µ0,i+1): Xµi+1|Ni ≥ x) holds true.

(7) If µi+1 denotes a marking of Ni+1, this corresponds to ∀µi+1: A^u µi+1 = d ⇒ Aµi+1|Ni ≥ d.

[Figure 6.5, panels (a) to (g): image not reproduced in this text extraction.]

Figure 6.5. The illustration of Examples 6.4 and 6.6: (a) N0; (b) N1; (c) N_1^A, the same as N_2^A and N_3^A; (d) N1 and the added control place; (e) N2 and added control place; (f) N3; (g) N0 supervised for T-liveness.

Example 6.4 This example illustrates the PT- and AC-transformations on the Petri net of Figure 6.5(a). The supervision purpose is {t4, t5}-liveness enforcement. The {t4, t5}-minimal active subnet is shown in Figure 6.5(c). At step A, N0 is PT-transformed, and then AC-transformed. The resulting Petri net is N1, shown in Figure 6.5(b). The places and transitions generated by the PT-transformation are p2,1, p3,1, t2,1 and t3,1. The AC-transformation generates p1,1 and t1,1. At the first iteration, the control place C1 is added to control the siphon {p1, p2, p3}. The net no longer has asymmetric-choice, due to C1. The following AC-transformation is applied at step C.5 with the argument M = P'_1 \ P1, namely, M = {C1}. Therefore, the transition arcs (C1, t1,1), (C1, t2,1) and (C1, t3,1) are split; the places p1,2, p2,2, and p3,2 and the transitions t1,2, t2,2, and t3,2 result (Figure 6.5(e)). At the second iteration, {p1, p2, p2,1, p3,1, p2,2, p3,2, C1} is the only new minimal active siphon. Controlling the siphon results in the control place C2 violating the asymmetric-choice requirement. The following AC-transformation at step C.5 transforms the net as shown in Figure 6.5(f). □

6.5.5 The Effect of Net Transformation on Marking Constraints

This section considers the operations done at the step C.6 of the procedure. It also shows that the net transformations satisfy the requirements R1, R2, and R3.

Note that the way we implement the PT- and AC-transformations ensures that for all i ≥ 1, Ni+1 can be seen as Ni connected to another Petri net via additional arcs to the transitions of Ni (not unlike the connection between a plant Petri net and a supervisor Petri net). Thus the marking constraints already enforced in Ni are not disturbed, and so requirement R2 is satisfied.

Let N be a Petri net and assume that N is PT-transformed and then AC-transformed; let Nt be the resulting Petri net. Let lᵀµ ≥ b be a marking constraint enforced in N for initial markings in some set MI. It can be checked that the form of lᵀµ ≥ b in Nt is ltᵀµt ≥ bt, obtained from lᵀµ ≥ b with the substitution

µ(p) → µt(p) + Σ_{z=1}^{r} µt(pz) + Σ_{i=1}^{k} Σ_{j=1}^{mi−1} j·µt(p_{i,mi−j}) (6.10)

for each place p of N, where k and mi are determined in N: k = |p•|, mi = W(p, ti) ∀ti ∈ p•. The places p_{i,j} are the places resulting from splitting the transitions ti ∈ p•, where the notation of section 5.5.2 is used. The places pz are the places resulting from the AC-transformation which satisfy ••pz = p. According to supervision based on place invariants, when a control place C is added to enforce Σ_{p∈S} µ(p) ≥ 1 in a siphon S, the following place invariant is created:

µ(C) = −1 + Σ_{p∈S} µ(p) (6.11)

Consider an equality (6.11) enforced in step C.4. Then (6.10) can be used to derive the form of (6.11) in Ni+1. Accordingly, (6.11) is transformed to

µ(C) + Σ_{z=1}^{r} µ(pz) + Σ_{i=1}^{k} Σ_{j=1}^{mi−1} j·µ(p_{i,mi−j}) = −1 + Σ_{p∈S} µ(p) (6.12)

where the notation is similar to (6.10): k = |C•|, mi = W(C, ti) ∀ti ∈ C•, p_{i,j} are the places resulting from splitting the transitions ti ∈ C•, and pz are the places resulting from the AC-transformation such that ••pz = C. Note that the siphon S remains controlled, that is, (6.12) implies that Σ_{p∈S} µ(p) ≥ 1 is still satisfied. Therefore the requirement R3 is satisfied.

The considerations above showed that the PT and AC-transformations satisfy the requirements R2 and R3. The next result states that R1 is also satisfied.

Proposition 6.5

At every iteration i, the requirement R1 is satisfied.

Proof: • •0 N N 0 Let i and i denote the preset/postset operators in i and i , respec- tively. First, note that the transitions of Ni obtained through transitions splits form the set Ti \ T0. Note also that if R1 is not satisfied, there is a control place C and a transition t ∈ Ti \ T0 such that C ∈ t•i. However, C ∈ t•i implies |t •i |≥2.

So we prove by induction that for all i and ∀t ∈ T_i \ T_0: |t•_i| = 1. At i = 1 we have ∀t ∈ T_1 \ T_0: |t•_1| = 1, by construction. Given an iteration number i, assume ∀t ∈ T_i \ T_0: |t•_i| = 1. We prove ∀t ∈ T_{i+1} \ T_0: |t•_{i+1}| = 1. Assume the contrary, that ∃t ∈ T_{i+1} \ T_0: |t•_{i+1}| > 1. Then t ∈ T_i \ T_0 and there is a control place C added in step C.4 of iteration i such that C ∈ t•′_i. Let S be the siphon controlled by C. It follows that t ∈ •_iS, and firing t in N_i from some enabling marking increases the total marking of S. However this contradicts t ∈ S•_i (since S is a siphon) and |t•_i| = 1 in N_i. The conclusion follows. □

Example 6.6 This example illustrates the constraint transformations, and refers to the Petri net of Figure 6.5(a) and to Example 6.4. At the first iteration, the siphon {p1,p2,p3} is controlled, and so µ1 + µ2 + µ3 ≥ 1 is added to (A, d). The control place C1 is added at the step C.4, and the invariant A^I µ = d is µ(C1) = µ1 + µ2 + µ3 − 1. The transformed net N2 is shown in Figure 6.5(e). The updated invariant A^u µ = d of N2 is

µ1 + µ2 + µ3 − µ(C1) − µ1,2 − µ2,2 − µ3,2 = 1 (6.13)

Note that the invariant is changed due to the AC-transformation, as the PT-transformation does not change the net. The constraint A_p µ_p ≥ d added at the step C.8 to (L, b) is µ1 + µ2 + µ3 − µ1,2 − µ2,2 − µ3,2 ≥ 1. At the second iteration, the siphon {p1,p2,p2,1,p3,1,p2,2,p3,2,C1} is controlled, and so µ1 + µ2 + µ2,1 + µ3,1 + µ2,2 + µ3,2 + µ(C1) ≥ 1 is added to (A, d) and the control place C2 to the net (Figure 6.5(e)). The invariant of C2 in N′2 is µ1 + µ2 + µ2,1 + µ3,1 + µ2,2 + µ3,2 + µ(C1) − µ(C2) = 1. Then, the updated invariant A^u µ = d of N3 is

µ1 + µ2 + µ2,1 + µ3,1 + µ2,2 + µ3,2 + µ(C1) − µ(C2) − µc,1 − µc,2 − µc,3 = 1 (6.14)

where the changes occur due to the PT-transformation (the AC-transformation has no effect on the net). Therefore, the inequality A_p µ_p ≥ d added at the step C.8 to (L, b) is 2µ1 + 2µ2 + µ3 + µ2,1 + µ3,1 − µc,1 − µc,2 − µc,3 − µ1,2 ≥ 2. □

6.5.6 The Computation of a T -minimal Active Subnet

Figure 6.6. The Petri nets in Example 6.8: (a) N0; (b) N1; (c) N2.

This section discusses the operations done at the step B and at the step C.9. The computation of a T-minimal active subnet has been presented in Algorithm 5.27 at page 151. However, it is not necessary to compute the active subnet that way at every iteration. In fact, it is enough to use Algorithm 5.27 only once, at the step B. Then, during the iterations, the computation at the step C.9 can be performed using the update algorithm below:

Algorithm 6.7 Update of the Active Subnet

Input: $N_{i-1}^A = (P_{i-1}^A, T_{i-1}^A, F_{i-1}^A, W_{i-1}^A)$, $N_i = (P_i, T_i, F_i, W_i)$ and the sets Σ(t), denoting for each t ∈ T_{i−1} which has been split the set of the new transitions in T_i \ T_{i−1} which appeared by splitting t.

Output: $N_i^A = (P_i^A, T_i^A, F_i^A, W_i^A)$.

1. $T_i^A = T_{i-1}^A \cup \{t \in T_i : \exists t_u \in T_{i-1}^A \text{ and } t \in \Sigma(t_u)\}$

2. The active subnet is $N_i^A = (P_i^A, T_i^A, F_i^A, W_i^A)$, where $P_i^A = T_i^{A\bullet}$, $F_i^A = F_i \cap \{(T_i^A \times P_i^A) \cup (P_i^A \times T_i^A)\}$ and $W_i^A$ is the restriction of $W_i$ to $F_i^A$.

The step C.9 uses Algorithm 6.7. Using Algorithm 6.7 rather than Algorithm 5.27 has computational advantages, as the former is a lot simpler.
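As an added illustration of Algorithm 6.7 (this code is not from the dissertation), the update step is run below on a small constructed net in which the active subnet of the previous iteration was {t4, t5} and t4 was split into t4_1 followed by t4; the arc set, the weights and Σ(t4) are assumptions made for the example.

```python
"""Added example, not from the dissertation: Algorithm 6.7 (update of the
active subnet) on a small constructed net.  Arcs are (source, target) pairs;
transitions are named t*, places p*."""
from typing import Dict, Set, Tuple

Arc = Tuple[str, str]


def update_active_subnet(
    t_active_prev: Set[str],          # T_{i-1}^A
    arcs_i: Set[Arc],                 # F_i of the current net N_i
    weights_i: Dict[Arc, int],        # W_i
    sigma: Dict[str, Set[str]],       # Σ(t): new transitions produced by splitting t
) -> Tuple[Set[str], Set[str], Set[Arc], Dict[Arc, int]]:
    """Return (T_i^A, P_i^A, F_i^A, W_i^A) as defined in steps 1 and 2."""
    # Step 1: keep the old active transitions and add every transition that
    # appeared by splitting one of them.
    t_active = set(t_active_prev)
    for t_u in t_active_prev:
        t_active |= sigma.get(t_u, set())
    # Step 2: P_i^A is the postset of T_i^A ...
    p_active = {dst for (src, dst) in arcs_i if src in t_active}
    # ... F_i^A keeps only the arcs between active transitions and active
    # places, and W_i^A is W_i restricted to those arcs.
    f_active = {
        (src, dst) for (src, dst) in arcs_i
        if (src in t_active and dst in p_active)
        or (src in p_active and dst in t_active)
    }
    w_active = {arc: weights_i[arc] for arc in f_active}
    return t_active, p_active, f_active, w_active


def example_update() -> Tuple[Set[str], Set[str], Set[Arc], Dict[Arc, int]]:
    """Constructed net N_i (an assumption, not Figure 6.5): the previous active
    subnet was {t4, t5}; t4 has been split into t4_1 -> p4_1 -> t4, and a
    transition t1 outside the active subnet also feeds p4."""
    arcs: Set[Arc] = {
        ("p0", "t1"), ("t1", "p4"),
        ("p4", "t4_1"), ("t4_1", "p4_1"), ("p4_1", "t4"),
        ("t4", "p5"), ("p5", "t5"), ("t5", "p4"),
    }
    weights = {arc: 1 for arc in arcs}
    weights[("t4", "p5")] = 2          # one weighted arc, to show W_i^A is carried over
    sigma = {"t4": {"t4_1"}}           # Σ(t4): t4_1 appeared by splitting t4
    return update_active_subnet({"t4", "t5"}, arcs, weights, sigma)


if __name__ == "__main__":
    t_a, p_a, f_a, w_a = example_update()
    print("T^A =", sorted(t_a))        # ['t4', 't4_1', 't5']
    print("P^A =", sorted(p_a))        # ['p4', 'p4_1', 'p5']
    print("F^A =", sorted(f_a))        # the six arcs of the cycle; t1's arcs are excluded
```

Note that the arc t1 → p4 is dropped even though p4 is an active place, because t1 is not in T_i^A; only arcs with both ends in the active subnet survive the restriction.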

6.6 Examples

This section presents examples illustrating the operation of the dp-procedure and of the le-procedure.

Example 6.8 In this example the dp-procedure is applied to the Petri net of Figure 6.6 with the parameter T = T0. At the first iteration, the control places C1 and C2 are added with respect to the uncontrolled siphons {p1,p2} and {p3,p4}, respectively. Consequently, the inequalities µ1 + µ2 ≥ 1 and µ3 + µ4 ≥ 1 are added to (L, b). At the second iteration, the only uncontrolled siphon is {C1,C2}; the control place C3 results, and the inequality µ(C1) + µ(C2) ≥ 1 is added to (A, d). At the following step C.8, we have A_p = [0 0 0 0], A_c = [0 0], and

$$L = \begin{bmatrix} 1 & 1 & 0 & 0 \\ 0 & 0 & 1 & 1 \end{bmatrix} \quad\text{and}\quad b = \begin{bmatrix} 1 \\ 1 \end{bmatrix}$$

Therefore, µ1 + µ2 + µ3 + µ4 ≥ 3 is added to (L, b). Note that the calculations at the step C.8 correspond to the substitution of µ(C1) = µ1 + µ2 − 1 and µ(C2) = µ3 + µ4 − 1 in µ(C1) + µ(C2) ≥ 1. At the third iteration there is no uncontrolled siphon. The procedure terminates with empty constraints (L0, b0) and

$$L = \begin{bmatrix} 1 & 1 & 0 & 0 \\ 0 & 0 & 1 & 1 \\ 1 & 1 & 1 & 1 \end{bmatrix} \quad\text{and}\quad b = \begin{bmatrix} 1 \\ 1 \\ 3 \end{bmatrix}$$

The supervised Petri net is shown in Figure 6.9. The supervisor not only prevents deadlock, but is also a least restrictive liveness enforcing supervisor. □

Example 6.9 This example concludes our discussion on T-liveness enforcing on the Petri net of Figure 6.5(a). As discussed in Examples 6.4 and 6.6, two constraints are added during the iterations: µ1 + µ2 + µ3 ≥ 1 and µ1 + µ2 + µ2,1 + µ3,1 + µ2,2 + µ3,2 + µ(C1) ≥ 1. At the third iteration the procedure terminates, as there is no uncontrolled minimal active siphon with respect to the active subnet. Recall, the active subnet is given by the set of transitions T^A = {t4,t5}. Again, as shown in Example 6.6, the constraints in (L, b) at the third iteration are: µ1 + µ2 + µ3 − µ1,2 − µ2,2 − µ3,2 ≥ 1 and 2µ1 + 2µ2 + µ3 + µ2,1 + µ3,1 − µ1,2 − µc,1 − µc,2 − µc,3 ≥ 2, while (L0, b0) is empty. Consequently, the constraints (L, b) after the step D are:

µ1 + µ2 + µ3 ≥ 1 (6.15)

2µ1 + 2µ2 + µ3 ≥ 2 (6.16)

The first constraint is redundant, so only the last constraint remains after the step E. The procedure ends with

L = [2 2 1] and b = 2

and empty constraints (L0, b0). This means that the target Petri net is {t4,t5}-live for all initial markings µ0 satisfying 2µ01 + 2µ02 + µ03 ≥ 2, when supervised according to Lµ ≥ b. The supervisor enforcing Lµ ≥ b is shown in Figure 6.5(g). It is the least restrictive {t4,t5}-liveness enforcing supervisor. □
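To make the step C.8 substitution and the step D restriction of Examples 6.8 and 6.9 reproducible, here is an added Python rendering (not from the dissertation) that rewrites a constraint on control places into one on the remaining places using the invariants µ(C) = lµ − b; constraints are represented as dictionaries of coefficients keyed by place name, a representation chosen for this example.

```python
"""Added example, not from the dissertation: the step C.8 substitution of
control-place invariants and the step D restriction to the places of N0,
replayed on Examples 6.8 and 6.9.  A constraint l*mu >= b is the pair
(coefficients keyed by place name, right-hand side)."""
from typing import Dict, Iterable, Tuple

Constraint = Tuple[Dict[str, int], int]


def substitute_invariants(constraint: Constraint,
                          invariants: Dict[str, Constraint]) -> Constraint:
    """Eliminate the control places from A*mu >= d.

    Supervision based on place invariants gives, for a control place C added
    to enforce l*mu >= b, the invariant mu(C) = l*mu - b (compare (6.11) and
    (6.12)).  Substituting it into a_p*mu_p + a_c*mu(C) >= d yields
    (a_p + a_c*l)*mu_p >= d + a_c*b.
    """
    coeffs, rhs = dict(constraint[0]), constraint[1]
    for ctrl, (l, b) in invariants.items():
        a_c = coeffs.pop(ctrl, 0)
        if a_c == 0:
            continue
        for place, l_p in l.items():
            coeffs[place] = coeffs.get(place, 0) + a_c * l_p
        rhs += a_c * b
    # drop the places whose coefficient cancelled out
    return {p: c for p, c in coeffs.items() if c != 0}, rhs


def restrict_to(constraint: Constraint, places: Iterable[str]) -> Constraint:
    """Step D (footnote 8): keep only the columns of the places of N0.  For
    valid markings (Definition 6.11(b)) every other non-control place is
    unmarked, so dropping those columns does not change the constraint."""
    keep = set(places)
    return {p: c for p, c in constraint[0].items() if p in keep}, constraint[1]


def example_6_8() -> Constraint:
    """Second iteration of Example 6.8: mu(C1) + mu(C2) >= 1 with the
    invariants mu(C1) = mu1 + mu2 - 1 and mu(C2) = mu3 + mu4 - 1."""
    invariants = {
        "C1": ({"p1": 1, "p2": 1}, 1),
        "C2": ({"p3": 1, "p4": 1}, 1),
    }
    return substitute_invariants(({"C1": 1, "C2": 1}, 1), invariants)


def example_6_9() -> Tuple[Constraint, Constraint]:
    """Second iteration of Examples 6.6/6.9: the siphon constraint containing
    mu(C1), with (6.13) rewritten as mu(C1) = mu1+mu2+mu3-mu1,2-mu2,2-mu3,2 - 1.
    The -mu_c,1 - mu_c,2 - mu_c,3 terms of Example 6.6 stem from the later
    PT-transformation (see (6.14)) and are not modelled here."""
    inv_c1 = ({"p1": 1, "p2": 1, "p3": 1, "p1,2": -1, "p2,2": -1, "p3,2": -1}, 1)
    siphon = ({"p1": 1, "p2": 1, "p2,1": 1, "p3,1": 1,
               "p2,2": 1, "p3,2": 1, "C1": 1}, 1)
    in_n2 = substitute_invariants(siphon, {"C1": inv_c1})
    return in_n2, restrict_to(in_n2, ["p1", "p2", "p3"])


if __name__ == "__main__":
    print("Example 6.8:", example_6_8())        # ({'p1': 1, 'p2': 1, 'p3': 1, 'p4': 1}, 3)
    full, on_n0 = example_6_9()
    print("Example 6.9, in N2:", full)
    print("Example 6.9, after step D:", on_n0)  # ({'p1': 2, 'p2': 2, 'p3': 1}, 2)
```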

Example 6.10 In this example the le-procedure is applied to the Petri net of Figure 6.7(a) for full liveness enforcement. The intermediary Petri nets N1, N2, N3, and N4 are represented in Figure 6.7 and Figure 6.8, where the control places added to N1, N2 and N3 are connected with dashed lines.

Figure 6.7. Petri nets in Example 6.10: (a) N0; (b) N1; (c) N2.

In the first iteration there is a single minimal siphon, {p1,p2,p3,p4}, and the control place p7 is added. In the second iteration there are two new minimal siphons: {p4,p5,p7,p8} and {p4,p6,p7,p9}, and two control places p10 and p11, respectively, are thus added. In the third iteration there are two new minimal siphons: {p4,p6,p9,p10,p15} and {p4,p5,p8,p11,p14}, and so the control places p16 and p17, respectively, are added. At the fourth iteration no new minimal siphons are found, and so the procedure terminates. Note that the places p5, p6, p8, p9, p12, ... p15, p18, ... p21 and the transitions t8, t9, ... t19 result through the transition splits of the AC-transformations. At the fourth iteration there are no constraints in (L0, b0); the constraints Lµ ≥ b are:

µ1 + µ2 + µ3 + µ4 − µ8 − µ9 ≥ 1

µ1 + µ2 + µ3 +2µ4 + µ5 − µ9 − µ12 − µ15 ≥ 2

µ1 + µ2 + µ3 +2µ4 + µ6 − µ8 − µ13 − µ14 ≥ 2

µ1 + µ2 + µ3 +3µ4 + µ5 + µ6 − µ12 − µ18 − µ20 ≥ 3

µ1 + µ2 + µ3 +3µ4 + µ5 + µ6 − µ13 − µ19 − µ21 ≥ 3

The constraints above are enforced by p7, p10, p11, p16 and p17, respectively. After removing the redundant constraints, the supervisor of N0 is defined by L =[1, 1, 1, 3] and b = 3, and is the least restrictive liveness enforcing supervisor. There are no constraints (L0,b0).

Finally, note that the Petri net of this example also serves as an illustration of the difference that may exist between the supervisors designed by the le-procedure and the dp-procedure. Indeed, when the dp-procedure is applied to this net, it terminates in two iterations. At the first iteration we have that N1 is identical to N0, as the dp-procedure does not use AC-transformations. N1 has only one siphon: S = P0, and so the inequality µ1 + µ2 + µ3 + µ4 ≥ 1 is added to (L0, b0). At the second iteration the net is unchanged, and so no new siphon is found. Therefore the dp-procedure terminates with µ1 + µ2 + µ3 + µ4 ≥ 1 in (L0, b0), and empty constraints (L, b). This means that the Petri net is deadlock-free for all initial markings µ0 satisfying L0µ0 ≥ b0. However, as can be easily noticed, the Petri net is not live. The le-procedure has the advantage that the supervisors it designs are guaranteed to enforce T-liveness. The supervisors of the dp-procedure are only guaranteed for deadlock prevention; however, the dp-procedure is faster and more likely to converge. Nonetheless, note that the dp-procedure may often generate T-liveness enforcing supervisors. For instance, the dp-procedure generates a liveness enforcing supervisor in Example 6.8. Another such instance appears when the dp-procedure is applied to the Petri net of Figure 6.5(a), as it generates the same supervisor as the le-procedure. □

Figure 6.8. Petri nets in Example 6.10: (a) N3; (b) N4.


Figure 6.9. The target Petri nets in Example 6.8 (left) and Example 6.10 (right) with their liveness enforcing supervisors.

6.7 Properties

This section proves that the procedure is correct, and derives permissiveness results for the supervisors generated by the procedure. First, additional notation and definitions are introduced in section 6.7.1. Then, the correctness proofs are presented in section 6.7.2. Finally, section 6.7.3 proves permissiveness results for the supervisors generated by the procedure.

6.7.1 Preliminaries

In principle, the intermediary Petri nets Ni generated in the iterations of the procedure could be arbitrarily marked. However, there is a special class of markings of interest in our analysis, that we define below.

Definition 6.11 Valid Markings

A marking µ of Ni is valid if it satisfies the following:

(a) for all control places added in the iterations 1 ... i−1 the invariant equations of the form (6.12) at page 184 hold true;

(b) µ(p) = 0 for all places p that are not control places or places of N0.

When a marking is valid, the control places in the net are marked in accordance with the supervision based on invariants method, which is used to generate the control places. This is the requirement (a) of the definition. The requirement (b) introduces the additional restriction that only control places and places of the target net may have nonzero markings. This allows comparing markings of N0 with markings of Ni.

As an example, consider the Petri net N3 in Figure 6.5(f) at page 182. The control places are C1 and C2, while the places of N0 are p1, p2, p3. The invariants (6.12) of C1 and C2 are (6.13) and (6.14), respectively (see Example 6.6 at page 185). Let µ be the marking of N3 in Figure 6.5(f). Then it can be easily checked that µ is valid. However, µ′ reached by firing t1,1 from µ is not valid, as µ′1,1 ≠ 0. Furthermore, a marking µ″ differing from µ only in µ″1 = 2 is not valid, as µ″ does not satisfy (6.13) and (6.14).

Definition 6.12 Equivalent Markings

Two valid markings µi and µj of Ni and Nj are equivalent if µi(p) = µj(p) for all places p of N0.

Recall, the procedure generates Petri nets Ni such that P0 ⊆ P1 ⊆ P2 ⊆ ... Pi .... The equivalence relation defined above allows us to compare markings of different nets Ni and Nj. Finally, a notation for the sequences of split transitions is introduced. Both the PT- and AC-transformations (section 6.5.4) perform transition splits. A transition ti may be split in more than just one iteration, and the transitions ti,k resulting from splitting ti may also be split in subsequent iterations. Given a transition t of N0 and an iteration j, let σ0,j(t) denote an arbitrary transition sequence of Nj such that (a) σ0,j(t) enumerates the transitions (including t itself) in which t of N0 is successively split until (and including) the iteration j − 1, and (b) valid markings µ of Nj exist such that µ enables σ0,j(t). In this way firing σ0,j(t) in Nj corresponds to firing t in N0. If t is not split, we let σ0,j(t) = t. The notation σi,j(t) for i

σi,j(σ) = σi,j(t1)σi,j(t2)σi,j(t3) .... For instance, in Figure 6.5 at page 182, σ0,2(t2) = t2,1t2, and in Figure 6.7, σ0,1(t4) is any of t8t9t4 and t9t8t4 and σ2,3(t10) = t14t10. The technical result below is used in the correctness proofs that follow next.

Proposition 6.13

Let µ be a valid marking of Nk, σ an enabled firing sequence and t ∈ T0. Assume that t appears in σ. Then each transition ti ≠ t of σ0,k(t) appears in σ before the first occurrence of t in σ; let s be the sequence in which these transitions appear in σ before the first occurrence of t in σ. There is a subsequence s′ of s such that the sequence s′t equals a σ0,k(t).

Proof: Let PR be the set of places resulting through split operations in the iterations 1 ... k − 1. The marking µ is valid, so t cannot be fired unless the places •t ∩ PR are marked, which cannot become marked unless the transitions in •(•t ∩ PR) are fired. Next, let Tx1 = •(•t ∩ PR). The transitions of Tx1 cannot fire unless the places •Tx1 ∩ PR are marked, which cannot happen unless the transitions in •(•Tx1 ∩ PR) fire before. Let Tx2 = •(•Tx1 ∩ PR). We continue in the same way until we get Txk = ∅. This proves the first part of the proposition, as the transitions of σ0,k(t) are {t} ∪ Tx1 ∪ ... ∪ Txk−1.

Given a transition ti, let Tx(ti) = •(•ti ∩ PR). Let t1 be the last transition from Tx(t) appearing in s before t. Let t2 be the last transition from (Tx(t) ∪ Tx(t1)) \ {t1} appearing in s before t1. Let t3 be the last transition from (Tx(t) ∪ Tx(t1) ∪ Tx(t2)) \ {t1,t2} appearing in s before t2. We continue this way until tm such that $\bigl(T_x(t) \cup \bigcup_{i=1}^{m} T_x(t_i)\bigr) \setminus \{t_1, t_2, \ldots, t_m\} = \emptyset$. Let s′ be the sequence tm, tm−1, ... t1, t. By construction, s′ is a sequence σ0,k(t). □

6.7.2 Proof of Correctness

The next result proves that the supervisors generated by the dp-procedure prevent deadlock, and that the supervisors generated by the le-procedure enforce T-liveness. The assumptions are that T-liveness enforcement is possible for some initial marking, and that the procedure terminates. In view of Definition 5.13 at page 133 and Lemma 5.9 at page 126, the first assumption ensures that a T-minimal active subnet exists. When no T-minimal active subnet exists, the procedure terminates at step B and declares that there is no initial marking for which T-liveness can be enforced.

Theorem 6.14 Correctness of the DP- and LE-Procedures

Assume that a T-liveness enforcing supervisor exists for some initial marking of N0. Then:

(a) If the dp-procedure terminates, (N0,µ0) supervised according to Lµ ≥ b is deadlock-free for all initial markings µ0 satisfying Lµ0 ≥ b and L0µ0 ≥ b0.

(b) If the le-procedure terminates, (N0,µ0) supervised according to Lµ ≥ b is T-live for all initial markings µ0 satisfying Lµ0 ≥ b and L0µ0 ≥ b0.

Proof: (a) The proof is organized as follows. Let k be the number of the last iteration. First it is proved that for any marking µ of N0 satisfying Lµ ≥ b and L0µ ≥ b0, the equivalent marking µk of Nk exists, and (Nk,µk) is deadlock-free. Then it is proved that assuming (N0,µ) in deadlock contradicts that (Nk,µk) is deadlock-free.

Let (Lk, bk) and (L0,k, b0,k) be the sets of constraints (L, b) and (L0, b0) at the end of iteration k − 1. The final sets of constraints (L, b) and (L0, b0) are obtained from (Lk|N0, bk)⁸ and (L0,k|N0, b0,k), after removing redundant constraints at step E. Let µ be a marking of N0, µk a marking of Nk, µk,p = µk|Pk\C and µk,c = µk|C. Assume that µk|P0 = µ and µk(p) = 0 ∀p ∈ Pk \ (P0 ∪ C). Then Lµ ≥ b and L0µ ≥ b0 imply Lkµp,k ≥ bk and L0,kµp,k ≥ b0,k. Furthermore, Lkµp,k ≥ bk implies that we can define µk,c = Lkµp,k − bk. Thus µk is by construction valid and equivalent to µ.

Since the procedure terminates at iteration k, Nk contains no uncontrolled active siphons, and so (Nk,µk) is deadlock-free by Proposition 5.17.

Let NS be the closed-loop of N0 and the supervisor enforcing Lµ ≥ b (Theorem 3.1 at page 29). Assume that from an initial marking µ0 of N0 satisfying Lµ0 ≥ b and L0µ0 ≥ b0, the supervised net can reach a marking µS of total deadlock. We show that this leads to contradiction. Let µ = µS|N0, and let µ0,k and µk be the equivalent markings of µ0 and µ in Nk. Since (Nk,µk) is deadlock-free, µk enables an infinite firing sequence σ. Let TR = Tk \ T0, i.e. TR is the set of transitions that appeared by transition split operations in all iterations. Firing any transition tx ∈ TR always reduces the marking of some places in P0 ∪ C (Proposition 6.5), while firing tx ∈ T0 may increase the marking of some places in P0 ∪ C. Because the total marking of P0 ∪ C is finite, σ must include transitions tx ∈ T0. Let t1 be the first transition in T0 that appears in σ. Then we can write σ as σ = σ1σ1′, where t1 appears only once in σ1. By Proposition 6.13, σ1 contains a subsequence σ0,k(t1). Since all transitions of σ before t1 are in TR, and firing them only decreases markings of P0 ∪ C, σ0,k(t1) is enabled by µk. But this implies that µ enables t1 in NS, which contradicts that (NS,µS) is in deadlock.

⁸ Lk|N0 is Lk restricted to the columns corresponding to the places of N0.

(b) The proof is similar to that of part (a) and shares the notation of part (a).

The proof is organized as follows. As shown in part (a), for any marking µ of N0 satisfying Lµ ≥ b and L0µ ≥ b0, the equivalent marking µk of Nk exists; here it is shown that (Nk,µk) is T-live. Then it is proved that assuming (N0,µ) not T-live contradicts that (Nk,µk) is T-live.

Let µk be the valid marking constructed at the beginning of the proof of part (a) to be equivalent to an arbitrary marking µ of N0 satisfying Lµ ≥ b and L0µ ≥ b0. Since the procedure terminates at iteration k, Nk contains no uncontrolled active siphons, and so (Nk,µk) is T-live by Theorem 5.21 at page 139.

Assume that from an initial marking µ0 of N0 satisfying Lµ0 ≥ b and L0µ0 ≥ b0, the supervised net NS can reach a marking µS for which a transition t ∈ T is dead. We show that this leads to contradiction. Let µ = µS|N0, and let µ0,k and µk be the equivalent markings of µ0 and µ in Nk. Since (Nk,µk) is T-live, µk enables a transition sequence σ in Nk which includes t. Let t1 be the first transition in T0 that appears in σ. Then we can write σ as σ = σ1σ1′, where t1 appears only once in σ1. By Proposition 6.13, σ1 contains a subsequence σ0,k(t1). Since all transitions of σ before t1 are in TR, and firing them only decreases markings of P0 ∪ C (Proposition 6.5), σ0,k(t1) is enabled by µk. Let t2 be the next transition of σ in T0. Similarly, σ0,k(t1)σ0,k(t2) is enabled by µk. We continue this way and eventually find tj in σ and in T0 such that tj = t. We have that µk enables σ0,k(t1)σ0,k(t2) ... σ0,k(tj). But this implies that µ enables t1t2 ... tj in NS, and since tj = t, t is not dead in (NS,µS), which is a contradiction. □

6.7.3 Permissiveness Properties

The supervisors generated by the procedure are at least as permissive as the least restrictive T -liveness enforcing supervisor for a large class of Petri nets. This class of Petri nets includes the Petri nets with a single T -minimal active subnet, as shown in the next theorem. Before stating the formal result, the notion of a least restrictive supervisor needs to be clarified, as the supervisors generated by our procedure are defined on a set of initial markings rather than on a single initial marking. We say that a supervisor generated by the procedure is at least as permissive as the least restrictive T -liveness enforcing supervisor when for all initial markings µ0 of N0 the following are satisfied:

- if Lµ0 ≱ b or L0µ0 ≱ b0, no T-liveness enforcing supervisor of (N0,µ0) exists.

- if Lµ0 ≥ b and L0µ0 ≥ b0, the supervisor enforcing Lµ ≥ b is at least as permissive as the least restrictive T-liveness enforcing supervisor of (N0,µ0).

We say that a supervisor generated by the procedure is least restrictive when for all initial markings µ0 of N0 the following are satisfied:

- if Lµ0 ≱ b or L0µ0 ≱ b0, no T-liveness enforcing supervisor of (N0,µ0) exists.

- if Lµ0 ≥ b and L0µ0 ≥ b0, the supervisor enforcing Lµ ≥ b is the least restrictive T-liveness enforcing supervisor of (N0,µ0).

As usual, in the next theorem the procedure can be either the dp-procedure or the le-procedure, depending on which operation is selected by the input arguments.

Thus, for the case in which the procedure is used as the dp-procedure, the theorem gives a sufficient condition for the generated supervisor to be at least as permissive as the least restrictive T-liveness enforcing supervisor. This does not mean that the generated supervisor enforces T-liveness, but only that the supervisor is not more restrictive than the least restrictive T-liveness enforcing supervisor. Finally, in the case of the le-procedure, the theorem gives a sufficient condition for the generated supervisor to be the least restrictive T-liveness enforcing supervisor.

Theorem 6.15

Assume that the procedure terminates and N1 has a single T-minimal active subnet. Then the procedure provides a supervisor at least as permissive as the least restrictive T-liveness enforcing supervisor.

Proof: The proof is organized as follows. Let µ0 be a marking of N0 and µ0,i an equivalent marking of Ni. We prove that (N0,µ0) cannot be made T-live if (Ni,µ0,i) cannot be made T-live. Then we use this fact to prove that no T-liveness supervisors exist for the initial markings µ0 which do not satisfy Lµ0 ≥ b and L0µ0 ≥ b0. Finally, given µ0 satisfying Lµ0 ≥ b and L0µ0 ≥ b0, we prove that the supervisor enforcing Lµ ≥ b is at least as permissive as the least restrictive T-liveness enforcing supervisor of N0. Note that the existence of a (least restrictive) T-liveness enforcing supervisor is guaranteed by the fact that N1 has a T-minimal active subnet; see Theorem 5.12 at page 131 and Definition 5.20 at page 138.

To prove our first claim, we prove by contradiction that (Ni,µ0,i) cannot be made T-live if (Ni+1,µ0,i+1) cannot be made T-live, where i ≥ 0 and µ0,i+1 is the equivalent marking of µ0,i. For i = 0, assume that (N0,µ0) can be made T-live when (N1,µ0,1) cannot be made T-live. Then µ0 enables an infinite transition sequence σ in which all transitions of T appear infinitely often. But this implies that σ0,1(σ) is also enabled by µ0,1, contradicting the assumption that (N1,µ0,1) cannot be made T-live. For i ≥ 1, assume that (Ni,µ0,i) can be made T-live when (Ni+1,µ0,i+1) cannot be made T-live. Let σ be an infinite firing sequence enabled by µ0,i such that all transitions of T occur infinitely often in σ. Since (Ni+1,µ0,i+1) cannot be made T-live, σ′ = σi,i+1(σ) is not enabled in Ni+1. Then σ = σ1t1σ2, $\mu_{0,i} \xrightarrow{\sigma_1} \mu_1$, $\mu_{0,i+1} \xrightarrow{\sigma_{i,i+1}(\sigma_1)} \mu'_1$, µ1 enables t1, but µ′1 does not enable σi,i+1(t1). This corresponds to the following: Ni has an active siphon S1 which

is controlled in Ni+1 with C1 and µ′1(C1) does not allow σi,i+1(t1) to fire. Hence t1 ∈ C1• was satisfied when C1 was added to Ni. This implies t1 ∈ S1•. Firing σi,i+1(t1) in Ni+1 produces the same marking change for the places in Pi as firing t1 in Ni. Since σi,i+1(t1) is not allowed by µ′1(C1) to fire, firing t1 from µ1 empties S1. Since t1 is fired in the sequence σ = σ1t1σ2, S1 is an empty active siphon of (Ni,µ1). An empty active siphon implies a set Tx of dead transitions from the active subnet. Therefore the transitions in Tx do not appear infinitely often in σ. Let $T_{x1} = \{t \in T_1^A : \exists t_u \in \sigma_{1,i}(t) \text{ and } t_u \in T_x\}$. The active subnets $N_i^A$ for i > 1 are computed using the update algorithm of section 6.5.6, so Tx1 ≠ ∅. Using the same construction as in the proof of Theorem 6.14(b), the projection of σ on T1 (let it be σ¹) is enabled by µ1,0, where µ1,0 is the restriction of µi,0 to the places of P1. Note that the transitions of Tx1 do not appear infinitely often in σ¹. We apply Lemma 5.9 for N1 and σ¹, and using the notation of Lemma 5.9, we let $T_x^A = \|x\|$; $T_x^A$ defines an active subnet and $T \subseteq T_x^A$, as all transitions of T appear infinitely often in σ¹. However $T_1^A$ is not a subset of $T_x^A$, for $T_{x1} \subseteq T_1^A \setminus T_x^A$. Therefore $N_1^A$ is not the single T-minimal subnet, which contradicts the theorem assumptions.

The second part of the proof, showing that all T-liveness enforcing supervisors forbid the markings such that Lµ ≱ b or L0µ ≱ b0, is also by contradiction. Assume that N0 can be made T-live for a marking µ0 which does not satisfy all constraints Lµ ≥ b and L0µ ≥ b0. Let (Ld, bd) and (L0,d, b0,d) be the constraints (L, b) and (L0, b0) before step D. Since step D only removes redundant constraints, µ0 does not satisfy all constraints of Ldµ ≥ bd and L0,dµ ≥ b0,d. Let i be the first iteration in which an inequality l1µ ≥ b1 is added such that its restriction l1′µ ≥ b1 to P0 is one of the inequalities of Ldµ ≥ bd and L0,dµ ≥ b0,d not satisfied by µ0. The markings forbidden at every iteration i are those for which there are empty active siphons. Therefore Ni has an empty active siphon for µ0,i, where µ0,i is the equivalent marking of µ0 in Ni. As shown in the previous paragraph, this implies that (Ni,µ0,i) cannot be made T-live. Then (N0,µ0) cannot be made T-live, which is a contradiction.

Finally, let µ0 be a marking satisfying Lµ0 ≥ b and L0µ0 ≥ b0. Let Ξ0 be the supervisor enforcing Lµ ≥ b on (N0,µ0). Assume there is a T-liveness enforcing supervisor Ξ less restrictive than Ξ0. We show that this leads to contradiction. Let (N0,µ0,Ξ0) and (N0,µ0,Ξ) be the closed-loops of (N0,µ0) with Ξ0 and Ξ, respectively. Then there is a (possibly empty) firing sequence σ enabled from µ0 in both (N0,µ0,Ξ0) and (N0,µ0,Ξ), such that $\mu_0 \xrightarrow{\sigma} \mu$ and ∃t ∈ T0, t is enabled by µ, t is allowed to fire at µ by Ξ, and t is not allowed to fire at µ by Ξ0. Then the marking µ′ such that $\mu \xrightarrow{t} \mu'$ satisfies Lµ′ ≱ b. Therefore, by the previous part of the proof, T-liveness cannot be enforced in (N0,µ′). Then Ξ is not a T-liveness enforcing supervisor of (N0,µ0), which is a contradiction. □

Note that in case of liveness enforcement, T equals the whole set of transitions T0 of N0. Then the only possible T-minimal active subnet is the whole net. Consequently, in view of Theorem 6.14(b), Theorem 6.15 has the following corollary.

Corollary 6.16 Least Restrictive Liveness Enforcement

Assume that liveness is enforcible in N0 for some initial marking and that the le-procedure terminates. If T = T0, the le-procedure provides the least restrictive liveness enforcing supervisor.

The previous corollary can be stated in a more general form, allowing to characterize the permissiveness of the supervisors in the case when N1 has more than a single T-minimal active subnet. Let $T^A = T_1^A \cap T_0$, where $T_1^A$ is the set of transitions of the T-minimal active subnet $N_1^A$ of N1 that is computed at the step B. Then, even though $N_1^A$ may not be the only T-minimal active subnet of N1, it is still the only $T_1^A$-minimal active subnet, and also the only $T^A$-minimal active subnet. Thence the next corollary follows. (Note that $T \subseteq T^A$.)

Corollary 6.17

Assume that T-liveness is enforcible in N0 for some initial marking and that the procedure terminates. The generated supervisor is at least as permissive as the least restrictive $T^A$-liveness enforcing supervisor.

An important consequence of Theorem 6.15 and Theorem 6.14(b) is that the le-procedure will not terminate for a Petri net N0 with a single T -minimal subnet when the set of markings for which T -liveness can be enforced cannot be represented as a conjunction of linear marking inequalities.

Corollary 6.18 Divergence of the LE-Procedure

Assume that N1 has a single T-minimal active subnet and that the markings of N0 for which T-liveness enforcement is possible cannot be represented as the markings µ satisfying a set of linear inequalities Mµ ≥ g. Then the le-procedure diverges.

Note that the divergence condition of the previous corollary is only sufficient. It will be shown later that the le-procedure can diverge in other conditions as well.

The dp-procedure can also diverge. For instance, for Petri nets for which it can be proved that the dp-procedure generates T -liveness enforcing supervisors if it terminates, the dp-procedure diverges when the assumptions of Corollary 6.18 apply.

The discussion on the procedure convergence will be carried out in more detail in section 7.8 at page 242.

Finally, note that two classes of Petri nets for which the supervisors generated by the dp-procedure are guaranteed to enforce T-liveness are characterized in Theorem 5.10 at page 127 and Theorem 5.11 at page 129. Identifying such Petri nets is of interest, as using the dp-procedure instead of the le-procedure has computational advantages.

6.8 Extending the Permissiveness of the Procedure

Theorem 6.15 and also Corollary 6.16 show that for a large class of Petri nets and liveness specifications, the procedure generates supervisors at least as permissive as the least restrictive T-liveness enforcing supervisor. The natural question whether we can use our procedure to ensure this property for an even larger class of Petri nets has a positive answer, as we show in this section. We consider the case when N1 has the T-minimal active subnets $N_1^{A,1}, N_1^{A,2}, \ldots, N_1^{A,p}$. Let $N_0^{A,1}, N_0^{A,2}, \ldots, N_0^{A,p}$ be the corresponding T-minimal active subnets in N0. Theorem 6.15 does not apply, as we have p (p > 1) T-minimal subnets. However, if T were equal to any of $T_0^{A,i}$, Theorem 6.15 would apply, as there is a single $T_0^{A,i}$-minimal active subnet: $N_1^{A,i}$. ($T_0^{A,i}$ denotes the set of transitions of $N_0^{A,i}$ for i = 1 ... p.) Assume that the procedure terminates for all i = 1 ... p when the input argument T is set to $T_0^{A,i}$. Let $L^{(i)}\mu \ge b^{(i)}$ and $L_0^{(i)}\mu \ge b_0^{(i)}$ be the generated constraints for each i = 1 ... p. Let Ξ be the supervisor defined as follows. Ξ requires the initial marking µ0 to be in the set M, where

$$M = \bigcup_{i=1}^{p} \left\{ \mu : L^{(i)}\mu \ge b^{(i)} \text{ and } L_0^{(i)}\mu \ge b_0^{(i)} \right\}$$

Furthermore, Ξ allows a transition to fire only if the next reached marking is in M.

Clearly, regardless of which of the dp- or le-procedure was used for i =1...p,Ξ prevents deadlock. Furthermore, Ξ enforces T -liveness if the le-procedure was used for all i =1...p.


Figure 6.10. (a) A Petri net with two {t1}-minimal active subnets; (b) Resulting supervisor after selecting one of the two active subnets.

Theorem 6.19

Assume that for each i = 1 ... p the procedure terminates. Then Ξ is at least as permissive as the least restrictive T-liveness enforcing supervisor.

Proof: The proof is by contradiction. Assume that there is µ0 ∉ M such that µ0 enables a firing sequence σ which includes all transitions in T infinitely often. In the notation of Lemma 5.9, let $T^A = \|x\|$. Then $T^A$ defines an active subnet, and note that $T \subseteq T^A$. Since $N_0^{A,i}$, i = 1 ... p, are all the T-minimal active subnets of N0, there is j, 1 ≤ j ≤ p, such that $T_0^{A,j} \subseteq T^A$. This leads to contradiction, since by Theorem 6.15 not all transitions of $T_0^{A,j}$ can be made live for µ0 ∉ M, and so not all of them can appear in σ infinitely often. □

Example 6.20 Here we consider an example in which the supervisor generated by the le-procedure is not least restrictive due to the existence of several T-minimal active subnets. The Petri net of Figure 6.10(a) has two {t1}-minimal active subnets, $N_1^A$ and $N_2^A$. They are given by $T_1^A$ = {t1,t3,t5} and $T_2^A$ = {t1,t2,t4}, respectively. There are two cases, depending on which of $N_1^A$ or $N_2^A$ is selected by the procedure at the step B.

If the procedure selects $N_1^A$ as the T-minimal active subnet, we have the following constraints:

µ2 ≥ 1 (6.17)

which is implemented by C1 in Figure 6.10(b), and

µ1 + µ2 + µ3 + µ4 ≥ 2 (6.18)

which is an (L0, b0) type constraint.

If the procedure selects $N_2^A$ as the T-minimal active subnet, the outcome is similar, except that instead of (6.17) we have

µ3 ≥ 1 (6.19)

Thus it can be seen that neither case produces the least restrictive supervisor. Nonetheless, the least restrictive supervisor can be obtained from the disjunction of the two supervisors corresponding to the two T-minimal active subnets. Thus, the least restrictive {t1}-liveness enforcing supervisor enforces

µ2 ≥ 1 ∨ µ3 ≥ 1 (6.20)

and requires the initial marking µ0 to satisfy (6.18) and (6.20). □

CHAPTER 7

DEADLOCK PREVENTION AND T-LIVENESS ENFORCEMENT IN PETRI NETS–PART II

7.1 Introduction

The previous chapter has introduced the simplified dp- and le-procedures. This chapter presents the dp- and le-procedures in their general form. As discussed in the introduction of the previous chapter, the procedures in their general form are able to deal with partially controllable and observable Petri nets, and they accept initial constraints and initial-marking constraints.

The chapter is organized as follows. Section 7.2 presents the problem statement.

Section 7.3 presents a motivation for the procedure features that are present only in the general form of the procedures. Section 7.4 defines the dp-procedure and the le-procedure. Section 7.5 provides examples illustrating the operation of the procedures. Section 7.6 contains theoretical results characterizing the performance of the procedures. Section 7.8 describes convergence issues.

7.2 Problem Statement

This section presents the purpose of the dp- and le-procedures defined in this chapter. Section 7.2.1 presents the problem statement for deadlock prevention, while section 7.2.2 presents the problem statement for T -liveness enforcement.

7.2.1 Deadlock Prevention

In the deadlock prevention problem of this chapter, the input is a Petri net N, and optionally any of the following: a set of transitions T, initial constraints LIµ ≥ bI, and initial-marking constraints LI0µ ≥ bI0. The output consists of the two sets of marking constraints Lµ ≥ b and L0µ ≥ b0, and a set T′. They are to satisfy that:

1. The constraints Lµ ≥ b are admissible with respect to the uncontrollable and unobservable transitions of the net.

2. The supervisor enforcing Lµ ≥ b via supervision based on place invariants prevents deadlock for all initial markings µ0 that satisfy Lµ0 ≥ b, L0µ0 ≥ b0, LIµ0 ≥ bI and LI0µ0 ≥ bI0.

3. The supervisor is not overly restrictive.

4. The supervisor is a good approximation of a T-liveness enforcement supervisor.

5. The set T′ ⊆ T excludes any transitions of T that have been detected as having the property that they cannot be live in the closed-loop.

Finally, the case when T-liveness enforcement is impossible at all initial markings should be identified.

Note that the first and the fifth requirements are in addition to the requirements given in the problem statement of the previous chapter. The first requirement is necessary in order for the supervision to be feasible in partially controllable and observable Petri nets. The fifth requirement means the following. During the supervisor design process, it may be possible to identify transitions of T that the supervisor would cause to be dead in the closed-loop. There are four factors that may cause such situations to arise: the partial controllability and observability of the net, the structure of the net, the initial constraints, and the initial-marking constraints. For instance, examples can easily be found to show that inappropriate initial constraints and initial-marking constraints may not allow T-liveness enforcement in a Petri net.

7.2.2 T -liveness Enforcement

In the T-liveness enforcement problem of this chapter, the input is a Petri net N, and optionally any of the following: a set of transitions T, initial constraints LIµ ≥ bI, and initial-marking constraints LI0µ ≥ bI0. The output consists of the two sets of marking constraints Lµ ≥ b and L0µ ≥ b0, and a set T′. They are to satisfy that:

1. The constraints Lµ ≥ b are admissible with respect to the uncontrollable and unobservable transitions of the net.

2. The supervisor enforcing Lµ ≥ b via supervision based on place invariants enforces T′-liveness for all initial markings µ0 that satisfy Lµ0 ≥ b, L0µ0 ≥ b0, LIµ0 ≥ bI and LI0µ0 ≥ bI0.

3. The supervisor is not overly restrictive.

4. The set T′ ⊆ T should be as large as possible.

Finally, the case when T-liveness enforcement is impossible at all initial markings should be identified.

Compared to the problem statements presented so far, the second and the last requirement are different. The second requirement mentions T′-liveness instead of T-liveness, as the latter may not be enforceable. Four factors that may cause T-liveness enforcement to be impossible are: the partial controllability and observability of the net, the structure of the net, the initial constraints, and the initial-marking constraints. The last requirement is not to be taken in a strict sense; the procedure of this chapter is not designed to find the largest subset T′ for which T′-liveness enforcement is possible.

[Figure 7.1: panels (a), (b) and (c)]

Figure 7.1. Partially controllable and observable Petri nets.

7.3 Motivation

Section 6.4 has motivated our approach for the case of fully controllable and observable Petri nets. Here, a motivation of the additional features of the procedures in the general case is presented. Section 7.3.1 illustrates the need for constraint transformations in the case of partially controllable and observable Petri nets. Section 7.3.2 shows that constraint transformations can be a source of deadlock. Section 7.3.3 illustrates the use of the set T′. Finally, section 7.3.4 illustrates the use of initial constraints.

7.3.1 Partially Controllable and Observable Petri Nets

[Figure 7.2: panels (a), (b) and (c)]

Figure 7.2. Constraint transformations may lead to deadlock.

This section shows that constraint transformations are necessary in the procedures when the target Petri net is partially controllable and observable. Consider the Petri net of Figure 7.1(a), where the transition t1 is unobservable. As shown in section 6.4.1 at page 169, liveness is enforced by ensuring that (6.1) and (6.2) are satisfied at all reachable markings. However, the constraints (6.1) and (6.2) are inadmissible, because enforcing them via supervision based on place invariants (see Theorem 3.1 at page 29) requires observing the firing of t1. Nonetheless they can be transformed without loss of permissiveness to the admissible constraints

2µ1 + µ3 ≥ 1 (7.1)

2µ2 + µ3 ≥ 1 (7.2)

This example has shown that for partially controllable and observable Petri nets, inadmissible constraints may arise. For this reason the procedures include a function that checks the admissibility of the constraints and that transforms the constraints to an admissible form when they are inadmissible.

7.3.2 Constraint Transformations and Deadlock

The previous chapter has presented procedures for deadlock prevention and T-liveness enforcement for fully controllable and observable Petri nets. On the other hand, transformations to admissible constraints are readily available in the literature [124, 125]. This may suggest that the procedures of the previous chapter can be extended as follows to partially controllable and observable Petri nets: apply first the dp-/le-procedures, and then transform the resulting constraints Lµ ≥ b to be admissible. This section shows that such an approach can be inappropriate, as constraint transformations may cause new deadlock possibilities.

The Petri net of Figure 7.2(a) has all transitions controllable and observable, except for t4, which is uncontrollable. Assume that a liveness enforcing supervisor is to be designed. If t4 were controllable, it would be enough to control the siphons

{p1,p2,p3,p6} and {p1,p2,p3,p4,p5}. The resulting control places would be C1 and C2 shown in Figure 7.2(b), enforcing:

µ1 + µ2 + µ3 + µ6 ≥ 1 (7.3) and

µ1 + µ2 + µ3 + µ4 + µ5 ≥ 1 (7.4)

As t4 is uncontrollable, we have that (7.3) is inadmissible, while (7.4) is admissible.

The constraint (7.3) can be transformed to the admissible constraint

µ1 + µ2 + µ6 ≥ 1 (7.5)

The control place C1 enforcing the transformed constraint is shown in Figure 7.2(c).

However, note that enforcing (7.4) and (7.5) fails to enforce liveness. Indeed, let µ be the marking shown in Figure 7.2(a); µ satisfies both (7.4) and (7.5). As expected, the closed-loop of Figure 7.2(b) is live at the marking µ. However, the closed-loop of Figure 7.2(c) is in deadlock at the same marking! This shows that the constraint transformation of (7.3) to the admissible form (7.5) creates a deadlock possibility that did not exist for the original constraint (7.3). To cope with this problem, the procedures presented in this chapter perform the constraint transformation during the iterations that remove the deadlock possibilities, rather than after completing those iterations.

7.3.3 The Set T′

This section illustrates the role of the set T′ generated by the procedures together with the constraints Lµ ≥ b and L0µ ≥ b0. In the case of the fully controllable and observable Petri nets with no initial constraints and no initial-marking constraints, the set of transitions that can be made live depends only on the structure of the Petri net. However, in the general case, removing deadlock possibilities may come at the cost of accepting some (less important) deadlocks in the system. The Petri net of Figure 7.1(b) is an example. All transitions are controllable and observable except for t3, which is uncontrollable and observable. Assume that the supervisory purpose is T-liveness with T = {t1,t2,t4,t5}. Deadlock occurs in the system when the siphon S = {p1,p2,p3} is emptied of tokens. To prevent it, the constraint

µ1 + µ2 + µ3 ≥ 1 (7.6) is to be enforced. However, this constraint is inadmissible, and it can be transformed to the admissible constraint

µ1 + µ2 ≥ 1 (7.7)

Figure 7.1(c) shows the control place C enforcing (7.7). Note that C only enforces

{t1,t2}-liveness. In fact, it can be seen that this is the most that can be done to prevent deadlocks in our Petri net. Indeed, the only way in which the number of tokens of the system can be preserved is by avoiding the states which enable the uncontrollable transition t3. However, this implies avoiding the firing of t4, and hence of t5. So we can say that C enforces T′-liveness instead of T-liveness, for T′ = {t1,t2}.


Figure 7.3. Using initial constraints.

The way in which a set T′ is estimated by the procedures will be discussed in more detail in section 7.4. In this example, the procedures will declare a siphon control failure when attempting to control the siphon {p3,C}. A siphon control failure is an instance in which the procedures cannot or will not control a siphon S. This means that the siphon S is allowed to be emptied, and so the transitions t ∈ S• are allowed to die. Then, T′ can be estimated as T \ {p3,C}•, and hence T′ = {t1,t2} results.

7.3.4 The Use of Initial Constraints

This section illustrates the use of initial constraints. Consider the Petri net of Figure 7.3(a), adapted from [124], pp. 122-129. The Petri net represents the model of an unreliable machine [39, 124]. The transitions t2 and t5 are uncontrollable. The Petri net is live for all initial markings µ which satisfy

µ3 + µ4 ≥ 1 (7.8)

µ6 + µ7 ≥ 1 (7.9)

Assume that we desire to enforce the following constraints

µ1 + µ2 + µ5 ≤ 1 (7.10)

µ3 + µ7 ≤ 1 (7.11)

The supervisor enforcing these two constraints is shown in Figure 7.3(b). Note that starting from the initial marking shown in the figure, the firing sequence t1, t2, t7 leads to deadlock. This shows that enforcing constraints on a live Petri net may introduce deadlock possibilities. Therefore, once a supervisor enforcing desired safety constraints is generated, it is useful to run a liveness enforcing procedure to add constraints ensuring liveness properties. When our dp- and le-procedures have as input the closed-loop of a plant Petri net and a Petri net supervisor, we can have them take advantage of the fact that not all markings are possible by using initial constraints. For instance, in the example of Figure 7.3(b) for all reachable markings

µC1 = 1 − µ1 − µ2 − µ5 (7.12)

µC2 = 1 − µ3 − µ7 (7.13)

These can be used as initial constraints for our procedure when applied to the closed-loop Petri net of Figure 7.3(b).

Initial-marking constraints can also be used to restrict the initial markings considered in the procedures. For instance, if the system shown in Figure 7.3(a) is always started with a nonzero marking in p6, then the initial-marking constraint µ6 ≥ 1 can be used.

7.4 Procedure Definition

7.4.1 Description

This section describes the usage of the dp- and le-procedures. As in the case of the simplified dp- and le-procedures defined in section 6.5 at page 173, the two procedures are defined as a single procedure in which an input argument type selects between deadlock prevention design and T-liveness enforcement design. Thus type = DP requests deadlock prevention design, and type = LE requests T-liveness enforcement design.

The input of the procedure consists of: type, the target Petri net N0, the set of uncontrollable transitions of N0, the set of unobservable transitions of N0, the set T, and optionally a set of initial constraints LIµ ≥ bI and a set of initial-marking constraints LI0µ ≥ bI0. The output of the procedure consists of a set of transitions T′, and two sets of constraints Lµ ≥ b and L0µ ≥ b0. The procedure generates this output if it terminates (converges) and if it does not declare a failure. The output of the procedure satisfies the following. Let M be the set of initial markings of N0 for which all reachable markings satisfy the initial constraints, i.e., M = {µ0 : ∀µ ∈ R(N0,µ0): LIµ ≥ bI}. Then:

• If type = LE, T′-liveness is enforced for all initial markings µ0 ∈ M such that Lµ0 ≥ b and L0µ0 ≥ b0, when (N0,µ0) is supervised according to Lµ ≥ b.

• If type = DP, deadlock is prevented for all initial markings µ0 ∈ M such that Lµ0 ≥ b and L0µ0 ≥ b0, when (N0,µ0) is supervised according to Lµ ≥ b.

• Regardless of type,markingsµ0 satisfying LI0µ0 ≥ bI0, Lµ0 ≥ b and L0µ0 ≥ b0 exist.

• Lµ ≥ b are admissible constraints.

If initial constraints are given to the procedure, note that unless the feasible set of the initial-marking constraints is a subset of M, there may be no markings µ0 satisfying all of µ0 ∈M, LI0µ0 ≥ bI0, Lµ0 ≥ b and L0µ0 ≥ b0. This is normal, as M is not known in the procedure.

The set T′ is a subset of T. Ideally, T′ = T. The following four factors may cause T′ ≠ T:

- the partial controllability and observability of the net

- the initial constraints are overrestrictive

- the initial-marking constraints are overrestrictive

- the Petri net structure N0 does not allow T -liveness enforcement.

To enforce liveness for as many transitions as possible, the argument T may be set to T0, the total set of transitions. Unlike the simplified procedure of the previous chapter, this procedure won’t declare a failure when it detects that T-liveness enforcement is impossible. Instead, it will attempt T′-liveness enforcement for T′ ⊂ T and report the set T′ for which the generated supervisor is designed. Failure is declared when the procedure terminates without finding such a nonempty set T′.

The next section formally defines the procedure.

7.4.2 Definition

This section defines the dp- and le-procedures in their general form. As previously mentioned, the two procedures are defined as a single procedure in which an input argument selects between deadlock prevention design and T-liveness enforcement design. This procedure is similar to the procedure of section 6.5. Naturally, the same notations are used. The following changes appear in the procedure defined in this section:

• During any iteration i and given any uncontrolled minimal active siphon S of Ni, the procedure enforces

$\sum_{p \in S} \mu(p) \ge 1$ (7.14)

only if (7.14) is admissible with respect to N0, the target Petri net. A constraint (7.14) is admissible with respect to N0 if its contribution to the final constraints Lµ ≥ b is an admissible constraint with respect to the uncontrollable and unobservable transitions of N0. This concept is discussed in more detail in section 7.4.3. When (7.14) is not admissible with respect to N0, (7.14) is transformed, if possible, to be so.

• The procedure stores in a variable X the transitions in the postset of any active siphon that it cannot control. An instance in which the procedure cannot control a siphon is said to be a siphon control failure.

• The simplified procedure converges when it reaches an intermediary net Nk in which all active siphons are controlled. This is also true of the procedure of this section. However, note that rather than terminating when a siphon control failure occurs, the procedure shrinks the active subnet such that the active siphons causing failures are no longer active. This is done by recomputing the active subnet such that it excludes the transitions in X.

• Siphon control failures, when they occur, cause the le-procedure to generate supervisors enforcing T′-liveness instead of T-liveness. The subset T′ of T is an additional output of the procedure. In the case of the dp-procedure, the output T′ indicates that the designed supervisor approximates or enforces T′-liveness.

• To avoid generating overrestrictive T′-liveness enforcing supervisors, the procedure may restart itself with an adjusted argument T when certain siphon control failures occur.

Note that siphon control failures cannot occur in the simplified procedure. They may occur in the general procedure when a constraint (7.14) cannot be transformed to an admissible form, or when (7.14) conflicts with the initial constraints or the initial-marking constraints. Thus, siphon control failures may occur due to any of the following three factors: the net is only partially controllable and/or observable, the initial constraints are overrestrictive, and the initial-marking constraints are overrestrictive. The formal definition of the procedure follows.

Procedure 7.1 Deadlock Prevention/T -Liveness Enforcement

Input: The target Petri net N0, a nonempty set of transitions T, the set of uncontrollable transitions Tuc, the set of unobservable transitions Tuo, type ∈ {DP, LE}, and optionally a set of initial constraints LIµ ≥ bI and a set of initial-marking constraints LI0µ0 ≥ bI0.

Output: Two sets of constraints Lµ ≥ b and L0µ ≥ b0, and a set of transitions T′.

A. (L0,b0) is initialized to (LI,bI) and (L,b) to be empty. N0 is transformed to be PT-ordinary if type = DP, and asymmetric-choice PT-ordinary if type = LE (the transformations appear in section 5.5.2 at page 152 and in Algorithm 5.28 at page 154)¹. Let the transformed net be N1. The initial constraints (L0,b0), if any, are updated according to the transformations (refer to equation (6.10) at page 183). If not previously defined, let X = ∅. Let i = 1, P = P1, and C = ∅.

B. A T-minimal active subnet $N_1^A$ is computed for N1 such that the transitions in X are not included (Algorithm 5.27 at page 151). When none exists, Algorithm 5.27 computes a Tx-minimal active subnet such that Tx ⊂ T and the transitions in X are not included. If no such Tx ≠ ∅ exists, the procedure terminates and declares failure. Let $T' = T \cap T_1^A$.

¹ The transformation to PT-ordinary Petri nets has no effect if the Petri net is already PT-ordinary; the same is true of the transformation to asymmetric-choice nets.

C. While true do

1. Let (A,d) and (A0,d0) be empty sets of marking constraints.

2. If no uncontrolled minimal active siphon is found (section 6.5.2 at page 178), the next step is D.²

3. For every uncontrolled minimal active siphon S:

(a) Test whether (7.14) needs control place enforcement (section 6.5.2 at page 178).

(b) If (7.14) does not need control place enforcement, include (7.14) in (A0,d0).

(c) If (7.14) needs control place enforcement

i. transform³ (7.14) to an inequality lµ ≥ c which is admissible with respect to N0, Tuc, and Tuo (section 7.4.3).⁴

ii. if the procedure could not transform (7.14) to an admissible constraint (l,c), let X = X ∪ S• and continue with the next siphon at step C.3.a.

iii. else include (l,c) in (A,d).

(d) Let µp = µ|P and µc = µ|C.⁵ Check whether the system µc = Lµp − b, L0µp ≥ b0, Aµ ≥ d, A0µ ≥ d0, $L_{I0}\mu|_{P_0} \ge b_{I0}$, and $\mu_p|_{P_i \setminus P_0} = 0$ is feasible. If not feasible, let X = X ∪ S•, remove (l,c) from (A,d) if the last step was C.3.c.iii, and remove (7.14) from (A0,d0) if the last step was C.3.b.

² In the worst case, the number of uncontrolled minimal siphons depends exponentially on the size of the net. Checking whether a siphon is uncontrolled may involve solving a linear integer program.

³ In our implementation, this operation may involve integer programming.

⁴ lµ ≥ c is the same as (7.14) if the latter is admissible; in particular, (7.14) is always admissible for fully controllable and observable Petri nets, i.e., for Tuc = Tuo = ∅. Furthermore, note that we are only interested in having final constraints (L,b) admissible in N0; this is why the observability or controllability of the transitions of Ni for i ≥ 1 does not matter in our approach.

⁵ Given a set of places X, µ|X is the restriction of µ to the places of X.

4. Let $N_i' = (P_i', T_i', F_i', W_i')$ be the Petri net structure obtained by enforcing Aµ ≥ d in Ni via supervision based on place invariants (see Theorem 3.1 at page 29), and let $A_I\mu' = d$ be the corresponding place invariant equations (see equation (6.8) at page 174).

5. If type = DP, $N_i'$ is transformed to be PT-ordinary; if type = LE, the Petri net is transformed to be PT-ordinary and with asymmetric-choice (section 5.5.2 at page 152 and Algorithm 5.28 at page 154)¹; note that the argument M of the Algorithm 5.28 is set to $M = P_i' \setminus P_i$. Let $N_{i+1}$ be the transformed net.

6. Update AI according to the net transformations performed at step 5 (section 6.5.5 at page 183). Let $A^u$ be the updated AI (this means that $A_I\mu' = d$ in $N_i'$ corresponds to $A^u\mu = d$ in $N_{i+1}$, where µ′ and µ are markings of $N_i'$ and $N_{i+1}$).

7. Let $P = P \cup (P_{i+1} \setminus P_i')$, $C^o = C$, and $C = C \cup (P_i' \setminus P_i)$. Let µp = µ|P and µc = µ|C, for any marking µ of $N_{i+1}$. For each place in $P_{i+1} \setminus P_i'$ add a null column to L and L0, to match the size of µ. Similarly, add null columns to A0 to match the size of µ.⁶ Let $A_p = A^u|_P$, $A_{p0} = A_0|_P$, $A_c = A^u|_{C^o}$, and $A_{c0} = A_0|_{C^o}$.

8. If (L,b) is empty, include Apµp ≥ d in (L,b) and Ap0µp ≥ d0 in (L0,b0). Else, do the following:

(a) If (A0,d0) is not empty, include (Ap0 + Ac0L)µp ≥ d0 + Ac0b in (L0,b0).

(b) If (A,d) is not empty, include (Ap + AcL)µp ≥ d + Acb in (L,b).

⁶ $A^u|_P$ is the restriction of $A^u$ to the columns corresponding to places in P; $A_0|_P$, $A^u|_{C^o}$, ..., have a similar meaning.

9. Compute the new active subnet $N_{i+1}^A$ such that it does not contain the transitions in X (section 7.4.4). Let $T' = T \cap T_{i+1}^A$. If T′ = ∅, exit and declare failure.

10. If an infeasibility occurred at a step C.3.d of the current iteration, let $X = T_0 \setminus T_{i+1}^A$, and the procedure is restarted at the step A with this value of X.

11. Else let i = i + 1. The next step is C.1.

D. The constraints (L,b) and (L0,b0) are restricted to the columns corresponding to the places in N0.

E. Optionally, the redundant constraints of (L,b) and (L0,b0) are removed. The constraints of (LI,bI) appearing in (L0,b0) are removed from (L0,b0).

We proceed by describing the specific operations involved in the procedure that have not yet been (completely) defined.

7.4.3 Transforming Constraints to Admissible Constraints

This section describes the step C.3.c.i of the procedure. In this step, (7.14) is transformed to a constraint lµ ≥ c admissible with respect to N0, where l is an integer row vector. The admissibility requirement is that the constraint lµ ≥ c is admissible in N0 when written in terms of the places of N0. That is, $((l_p + l_c L)\mu_p)|_{N_0} \ge c + l_c b$ is to be admissible in N0, for $l_c = l|_C$ and $l_p = l|_P$. This section presents an algorithm to generate the constraints lµ ≥ c such that lµ ≥ c is admissible and satisfies additional constraints. Let i denote the iteration number of the algorithm.

The admissibility requirement can be written as follows. Let Duc and Duo be the restrictions of the incidence matrix of N0 to the uncontrollable transitions and unobservable transitions, respectively. Let N be the matrix defined by the relation

$lN = (l_p + l_c L)|_{N_0}$. Then, the sufficient admissibility conditions in terms of Duc and Duo [124, 125] can be written as

lNDuc ≥ 0 (7.15)

lNDuo = 0 (7.16)

The requirements R1, R2, and R3 stated in section 6.5.4 at page 181 for the simplified procedure are to be satisfied by the general procedure as well. The only requirement that can be affected by constraint transformations is the requirement R1. The requirement R1 states that no control place is in the postset of a transition t generated by transition splits, that is, a transition t ∉ T0. Let C be the control place enforcing lµ ≥ c in $N_i'$. The requirement R1 for C can be written as C ∉ (Ti \ T0)•, which corresponds to

lDs ≤ 0 (7.17)

where Ds is the restriction of the incidence matrix Di of Ni to the columns corresponding to the transitions of Ti \ T0. Ensuring that the control places enforcing transformed constraints satisfy R1 is enough to guarantee that the control places enforcing constraints that do not need admissibility transformations also satisfy R1.

To see this, the reader is referred to the proof of Proposition 6.5 at page 184.

To ensure that (7.14) is satisfied for all markings satisfying lµ ≥ c,weimpose:

l(p) ≥ 0 ∀p ∈ S (7.18)

l(p) ≤ 0 ∀p ∈ Pi \ S (7.19)

$\sum_{p \in S} l(p) \ge 1$ (7.20)

c = 1 (7.21)

One situation which may cause the T-liveness procedure to diverge is when l ends up with a single nonzero entry; that entry is positive, in view of (7.20). To avoid this, the algorithm declares failure if l contains a single nonzero entry.

The following algorithm finds the constraints lµ ≥ c satisfying the constraints above.

Algorithm 7.2 Constraint Transformation

Input: N0 = (P0,T0,F0,W0), Tuc - the set of uncontrollable transitions of N0, Tuo - the set of unobservable transitions of N0, Pi - the set of places at the current iteration i, the current constraints Lµ ≥ b and L0µ ≥ b0, and the siphon S.

Output: A constraint lµ ≥ c admissible with respect to N0.

1. Let c = 1, l(p) = 1 ∀p ∈ S, and l(p) = 0 ∀p ∉ S.

2. If (7.15) and (7.16) are satisfied then exit and return l and c.

3. Let f = TRUE and A = S.

4. While f is TRUE

(a) Check⁷ the feasibility of $\sum_{p \in A} l(p) \ge 1$ with the additional constraints (7.15–7.20).

(b) If infeasible, set f = FALSE.

(c) Else let A = A \ {p ∈ S : l(p) ≠ 0}; if A = ∅, set f = FALSE.

5. If |S \ A| < 2 then declare siphon control failure and exit.⁸

6. Solve the linear integer program $\min_l \left(\sum_{p \in S} l(p) - \sum_{p \notin S} l(p)\right)$ subject to l(p) ≥ 1 ∀p ∈ S \ A and (7.15–7.20).

⁷ The feasibility check involves solving a linear program.

⁸ |S \ A| denotes the number of elements of S \ A.

[Figure 7.4: (a) N0; (b) N1; (c) N2]

Figure 7.4. Example of the proposed constraint transformations.

Example 7.3 To illustrate the transformation, consider the Petri net of Figure 7.4(a), in which all transitions but t2 are controllable and observable, and t2 is controllable and unobservable. When the procedure is applied for {t1}-liveness, the control place p5 is added at the first iteration, to enforce the admissible constraint 2µ1 + µ3 ≥ 1 (Figure 7.4(b)). Then, as W(p5,t3) = 2, t3 is split, and so the place p6 is generated (Figure 7.4(c)). We illustrate the transformation to admissible constraints on the constraint (7.14) for the active siphon S = {p2,p3,p4,p5} obtained at the second iteration. At the second iteration the matrices L0 and b0 are empty, while:

$$L = \begin{bmatrix} 2 & 0 & 1 & 0 & -1 \end{bmatrix}, \qquad b = \begin{bmatrix} 1 \end{bmatrix}$$

At step 1 of the transformation, l = [0, 1, 1, 1, 1, 0] and c = 1. At step 2, lp = [l1, l2, l3, l4, l6] (i.e. lp = [0, 1, 1, 1, 0]), lc = l5 (i.e. lc = 1). Let Lx be L restricted to the first four columns. Then $N = [I_4, L_x^T, 0_{4 \times 1}]^T$ and lN = [2, 1, 2, 1]. There are no inequalities (7.15) to check, as there are no uncontrollable transitions. The inequality of (7.16) is not satisfied, as $D_{uo} = [-1, -1, 2, 0]^T$. Therefore (7.14) is not admissible with respect to N0. Further, at step 4, the constraints (7.15–7.20) are: −l1 − l2 + 2l3 = 0 as (7.16), −l5 + l6 ≤ 0 as (7.17), li ≥ 0 for i = 2...5 as (7.18), li ≤ 0 for i = 1, 6 as (7.19), and l2 + l3 + l4 + l5 ≥ 1 as (7.20). In constraint (7.17), $D_s = [0, 0, 0, 0, -1, 1]^T$ is the restriction of the incidence matrix to the transition t5, which is the only transition of the net generated by transition splits. Thus step 4 generates A = ∅, and lµ ≥ c at step 6 has l = [0, 2, 1, 1, 1, 0] and c = 1. The constraint lµ ≥ c in N2 corresponds to $((l_p + l_c L)\mu_p)|_{N_0} \ge c + l_c b$ in N0, that is 2µ1 + 2µ2 + 2µ3 + µ4 ≥ 2, which is indeed admissible. When lµ ≥ c is enforced, the control place p7 of Figure 7.4(c) is generated. □
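The numbers of Example 7.3 can be reproduced mechanically. The following Python script is an added illustration, not code from the dissertation: it encodes only the data the example states (L, b, the column of the unobservable transition t2 in the incidence matrix of N0, and Ds for the split transition t5), applies the composition (lp + lcL)|N0 of section 7.4.3 to test (7.15) and (7.16), and walks through the steps of Algorithm 7.2. Where the text solves a linear program at step 4 and an integer program at step 6, the script enumerates integer vectors in a small box (|l(p)| ≤ 3); that bound is an assumption made here so the example runs offline, not the method of the dissertation.

```python
"""Constraint transformation of Example 7.3 (Algorithm 7.2), added
illustration.  Places of N2 are indexed 0..5 for p1..p6; N0 has p1..p4."""
from itertools import product

N_PLACES = 6                   # places of the intermediate net N2
N0_PLACES = 4                  # N0 has places p1..p4
P_IDX = [0, 1, 2, 3, 5]        # P: plant places of N2 (p1, p2, p3, p4, p6)
C_IDX = [4]                    # C: control places of N2 (p5)
L = [[2, 0, 1, 0, -1]]         # current (L, b): mu5 = 2mu1 + mu3 - mu6 - 1
B = [1]
S = [1, 2, 3, 4]               # siphon {p2, p3, p4, p5}
D_UC = []                      # N0 has no uncontrollable transitions
D_UO = [[-1, -1, 2, 0]]        # incidence column of t2 (unobservable) in N0
D_S = [[0, 0, 0, 0, -1, 1]]    # incidence column of t5 in N2 (split transition)
BOUND = 3                      # enumeration box |l(p)| <= BOUND (assumption)


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def to_plant(l, c):
    """(lN, c') with lN = (lp + lc L)|N0 and c' = c + lc b (section 7.4.3)."""
    lp = [l[i] for i in P_IDX]
    lc = [l[i] for i in C_IDX]
    row = [lp[j] + sum(lc[k] * L[k][j] for k in range(len(lc)))
           for j in range(len(lp))]
    row_n0 = [row[j] for j in range(len(lp)) if P_IDX[j] < N0_PLACES]
    return row_n0, c + dot(lc, B)


def admissible(l, c):
    """(7.15) lN D_uc >= 0 and (7.16) lN D_uo = 0."""
    row, _ = to_plant(l, c)
    return (all(dot(row, d) >= 0 for d in D_UC)
            and all(dot(row, d) == 0 for d in D_UO))


def satisfies(l, c, A=()):
    """(7.15)-(7.20), plus sum_{p in A} l(p) >= 1 when A is given (step 4)."""
    return (admissible(l, c)
            and all(dot(l, d) <= 0 for d in D_S)                       # (7.17)
            and all(l[p] >= 0 for p in S)                              # (7.18)
            and all(l[p] <= 0 for p in range(N_PLACES) if p not in S)  # (7.19)
            and sum(l[p] for p in S) >= 1                              # (7.20)
            and (not A or sum(l[p] for p in A) >= 1))


def candidates():
    """Integer vectors l respecting the sign pattern (7.18)-(7.19) and BOUND."""
    ranges = [range(0, BOUND + 1) if p in S else range(-BOUND, 1)
              for p in range(N_PLACES)]
    return product(*ranges)


def objective(l):
    return sum(l[p] for p in S) - sum(l[p] for p in range(N_PLACES) if p not in S)


def transform(c=1):
    """Algorithm 7.2: returns (l, c), or None on siphon control failure."""
    l = [1 if p in S else 0 for p in range(N_PLACES)]     # step 1: (7.14) itself
    if admissible(l, c):                                    # step 2
        return l, c
    A = set(S)                                              # step 3
    while A:                                                # step 4
        sol = next((v for v in candidates() if satisfies(v, c, A)), None)
        if sol is None:                                     # 4(b): infeasible
            break
        A -= {p for p in S if sol[p] != 0}                  # 4(c)
    if len(set(S) - A) < 2:                                 # step 5
        return None
    best = None                                             # step 6: bounded ILP
    for v in candidates():
        if all(v[p] >= 1 for p in set(S) - A) and satisfies(v, c):
            if best is None or objective(v) < objective(best):
                best = v
    if best is None or sum(1 for x in best if x != 0) < 2:  # divergence guard
        return None
    return list(best), c


if __name__ == "__main__":
    l, c = transform()
    print("l =", l, "c =", c, "-> on N0:", to_plant(l, c))
```

Running the script reports l = [0, 2, 1, 1, 1, 0], c = 1 and the composed constraint 2µ1 + 2µ2 + 2µ3 + µ4 ≥ 2, matching the example; the starting vector of step 1 fails (7.16) because lN·Duo = [2, 1, 2, 1]·[−1, −1, 2, 0] = 1 ≠ 0.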

7.4.4 The Computation of The Active Subnet

This section discusses the computation of the active subnet at the step B and at the step C.9. The computation at the step B is similar to that of the simplified procedure, as the same Algorithm 5.27 is used. However, there are two differences. Recall, the Algorithm 5.27 finds a T-minimal active subnet if one exists, or else it computes a T′-minimal active subnet for the largest subset T′ of T for which a T′-minimal active subnet exists. The first difference occurs when there is no T-minimal active subnet; this situation is detected by checking whether all transitions in T are contained in the computed active subnet. In this situation, the simplified procedure terminates, declaring that T-liveness enforcement is impossible. In contrast, the general procedure defined in this chapter continues its computations with the T′-minimal active subnet if T′ ≠ ∅, and terminates otherwise. The second difference is that the general procedure uses the optional argument X of the Algorithm 5.27. The argument X is used to ensure that all transitions in X are excluded from the active subnet. Note that X at the step B is nonempty if and only if the step B has been reached after a restart at the step C.10.

The computation at the step C.9 is similar to that presented in section 6.5.6 at page 185. However, there is a difference when siphon control failures occur during the iteration. Siphon control failures change the set X. When no siphon control failures occur in the iteration, X is unchanged, and so the update algorithm 6.7 at page 186 can be used. However, when siphon control failures occur, the active subnet needs to be recomputed using the Algorithm 5.27, to ensure that the transitions newly added to X are excluded from the active subnet. Note that the simplified procedure uses exclusively the update algorithm 6.7 at the step C.9.

7.5 Examples

This section illustrates the operation of the procedure on Petri nets with uncontrollable and/or unobservable transitions, and in the presence of initial constraints.

Example 7.4 Consider the repetitive Petri net of Figure 7.5(a), where t1 is unobservable. In the first iteration we have that N1 is identical with N0, since N0 is a PT-ordinary asymmetric-choice Petri net. At the first iteration there are two minimal siphons: {p1,p3} and {p2,p3}. The marking constraint for {p1,p3} is µ1 + µ3 ≥ 1. The constraint needs control place enforcement and is not admissible. Therefore it is transformed to the admissible constraint 2µ1 + µ3 ≥ 1, which is added to (L, b). The control place enforcing this constraint in N1′ is C1, and its corresponding place invariant is µ(C1) = 2µ1 + µ3 − 1. Similarly, for the siphon {p2,p3} the control place C2 is added to enforce 2µ(p2) + µ(p3) ≥ 1, which is the other constraint added to (L, b); the invariant of C2 is µ(C2) = 2µ2 + µ3 − 1. Since N1′ is PT-ordinary and with asymmetric choice, N2 is the same as N1′, and is shown in Figure 7.5(b).

At the second iteration there is a single new minimal siphon: {C1,C2}. The control place which would result by enforcing µ(C1) + µ(C2) ≥ 1 is C3 such that C3• = ∅. Therefore, {C1,C2} does not need control, and so µ(C1) + µ(C2) ≥ 1 is added to (A0,d0) in the step C.3.b. Hence, 2µ(p1) + 2µ(p2) + 2µ(p3) ≥ 3 is added to (L0,b0) at the step C.7.a.

Figure 7.5. The Petri nets of the Example 7.4: (a) N0; (b) the final Petri net supervised for liveness.

The procedure terminates at the third iteration, since there is no uncontrolled siphon. The final matrices (L, b) and (L0, b0) are:

L = \begin{bmatrix} 2 & 0 & 1 \\ 0 & 2 & 1 \end{bmatrix}, \quad b = \begin{bmatrix} 1 \\ 1 \end{bmatrix}, \quad L_0 = \begin{bmatrix} 2 & 2 & 2 \end{bmatrix}, \quad b_0 = 3

The supervised net is shown in Figure 7.5(b). For all initial markings µ0 such that Lµ0 ≥ b and L0µ0 ≥ b0, liveness is enforced in a least restrictive manner. □

Example 7.5 Consider the Petri net of Figure 7.6(a), and assume that the procedure is started with the initial constraint µ1 + µ2 + µ3 + µ4 + µ5 ≤ 1. Recall, an initial constraint specifies a constraint satisfied by all markings reached from the set of initial markings that are of interest in a specific application. In this example T is set to equal the whole set of transitions. At the first iteration N1 equals N0. At step B, no active subnet including T exists, since the structure of the Petri net does not allow t4 to be live. Therefore the largest Tx-minimal active subnet is computed such that Tx ⊆ T; thus N1^A is defined by T1^A = {t1,t2,t3,t5,t6} and Tx = T1^A.


Figure 7.6. The Petri nets of the Example 7.5: (a) N0; (b) the final Petri net supervised for liveness; (c) N2; (d) N1 with the control places added in the first iteration after the procedure is restarted.

At the first iteration there are two minimal active siphons: {p1,p3} and {p2,p3}. Therefore the control places p6 and p7 are added; their place invariants in N1′ are µ6 = µ1 + µ3 − 1 and µ7 = µ2 + µ3 − 1; N1′ is shown in Figure 7.6(b). Then, after transforming the Petri net to be with asymmetric-choice, N2 is obtained and shown in Figure 7.6(c). The invariants of A^u µ = d in N2 are µ6 = µ1 + µ3 − µ8 − µ9 − 1 and µ7 = µ2 + µ3 − 1.

At the second iteration there are two new minimal siphons: {p1,p7} and {p2,p6,p9}. When the procedure considers {p1,p7}, the system at step C.3.d is: µ6 = µ1 + µ3 − µ8 − µ9 − 1, µ7 = µ2 + µ3 − 1, µ1 + µ2 + µ3 + µ4 + µ5 ≤ 1, µ1 + µ7 ≥ 1, µ8 = 0, and µ9 = 0. This system is infeasible, so X is set to X = {p1,p7}•, that is X = {t1,t2,t4}. Thus, the attempt to control {p1,p7} results in a siphon control failure due to the initial constraint. The same happens for the siphon {p2,p6,p9}: at the step C.3.d we have the system µ6 = µ1 + µ3 − µ8 − µ9 − 1, µ7 = µ2 + µ3 − 1, µ1 + µ2 + µ3 + µ4 + µ5 ≤ 1, µ2 + µ6 + µ9 ≥ 1, µ8 = 0, and µ9 = 0, which also is infeasible. Then X is set to X = X ∪ {p2,p6,p9}•, so X = {t1,t2,t3,t4,t7,t8}. Since no other siphons appear, N3 is the same as N2. At step C.9 N_{i+1}^A is computed to exclude the transitions of X, and so T_{i+1}^A = {t5,t6} and T′ = {t5,t6}. At step C.10 X is set to {t1,t2,t3,t4}, and the procedure is restarted with this value of X.

TABLE 7.1. SUMMARY OF OPERATIONS IN EXAMPLE 7.6

i | min. siphon           | constraint                        | added to | c. place
1 | {p3,p4}               | µ3 + µ4 ≥ 1                       | (A0,d0)  | —
  | {p1,p3,p5,p8,p9}      | µ3 + µ5 + µ8 + µ9 ≥ 1             | (A,d)    | p10
  | {p6,p7}               | µ6 + µ7 ≥ 1                       | (A0,d0)  | —
  | {p1,p2,p7,p8,p9}      | µ2 + µ7 + µ8 + µ9 ≥ 1             | (A,d)    | p11
2 | {p1,p2,p5,p11}        | µ1 + µ2 + µ5 + µ11 ≥ 1            | (A,d)    | p15
  | {p1,p2,p5,p10,p12}    | µ1 + µ2 + µ5 + µ10 + µ12 ≥ 1      | (A,d)    | p16
  | {p1,p2,p7,p9,p10,p14} | µ1 + µ2 + µ7 + µ9 + µ10 + µ14 ≥ 1 | (A,d)    | p17

As the procedure is restarted with X = {t1,t2,t3,t4}, the active subnet N1^A is given by T1^A = {t5,t6}. At the first iteration there are only two minimal active siphons with respect to N1^A: {p1,p3,p4,p5} and {p2,p3,p4,p5}. The control places p6 and p7 are added as in Figure 7.6(d). At the second iteration N2 is the same as N1′ (Figure 7.6(d)), and there are no new minimal active siphons. (Indeed, even though adding p6 and p7 generates the minimal siphons {p1,p7} and {p2,p6}, they do not generate new minimal active siphons.) Thus the procedure terminates with T′ = {t5,t6}, empty (L0,b0), and

L = \begin{bmatrix} 1 & 0 & 1 & 1 & 1 \\ 0 & 1 & 1 & 1 & 1 \end{bmatrix}, \quad b = \begin{bmatrix} 1 \\ 1 \end{bmatrix} \quad (7.22)

The supervisor enforcing Lµ ≥ b enforces {t5,t6}-liveness and is least restrictive. □

Example 7.6 Here we consider liveness enforcement for the motivating example of Figure 7.1(b-c). Thus we start with the Petri net N0 shown in Figure 7.7(a) and the initial constraints µ1 + µ2 + µ5 + µ9 = 1 and µ3 + µ7 + µ8 = 1. The transitions t2 and t5 are uncontrollable. The operations performed by the procedure are summarized in Table 7.1, where the iteration number appears on the first column, the uncontrolled minimal active siphons on the second column, the associated constraint on the third column, the set of constraints it is added to on the fourth column, and the control places on the fifth column. At the first iteration N1 is the same as N0 and two control places p10 and p11 are added (Figure 7.7(b)). At the second iteration the control places p15, p16, and p17 are added (Figure 7.7(c)). No control places are added at the third iteration, and so the procedure terminates.

Figure 7.7. The Petri nets of the Example 7.6: (a) N0; (b) N1; (c) N2; (d) the final Petri net supervised for liveness.

In the first iteration there are two siphons for which the transformation to admissible constraints is required: {p1,p3,p5,p8,p9} and {p1,p2,p7,p8,p9}; their transformed constraints appear in the third column of Table 7.1. The initial constraints help the procedure converge. Indeed, some siphons are identified as not uncontrolled due to the initial constraints. For instance, at the first iteration the minimal siphon {p1,p2,p5,p9} is not uncontrolled, since one initial constraint is µ1 + µ2 + µ5 + µ9 = 1.

After removing the redundant constraints, the procedure terminates with the constraints

µ1 + 2µ2 + µ5 + µ7 + µ8 + µ9 ≥ 2 (7.23)

µ1 + µ2 + µ3 + 2µ5 + µ8 + µ9 ≥ 2 (7.24)

in (L, b), and the constraints

µ3 + µ4 ≥ 1 (7.25)

µ6 + µ7 ≥ 1 (7.26)

in (L0,b0). Note that by substituting µ8 and µ9 from the initial constraints, (7.23) and (7.24) become

µ2 − µ3 ≥ 0 (7.27)

µ5 − µ7 ≥ 0 (7.28)

The supervisor enforces liveness. The supervised Petri net is shown in Figure 7.7(d). □

7.6 Properties

This section proves that the procedure is correct, and derives permissiveness results for the supervisors generated by the procedure. The majority of the results presented here can be seen as extensions to the general procedure of the results presented in section 6.7 at page 191 for the simplified procedure. The notation is described in section 7.6.1. The correctness proofs are presented in section 7.6.2. Section 7.6.3 proves permissiveness results for the supervisors generated by the procedure.

7.6.1 Preliminaries

The notation and definitions assumed in section 6.7.1 at page 191 for the simplified procedure are maintained for the general procedure of this chapter. In addition the following notation is introduced.

In our results we will refer to the sets M0 and MI, which we define as follows. Let MI be the set of initial markings of interest if initial constraints LIµ ≥ bI are given to the procedure (recall, this means that MI satisfies that ∀µ0 ∈ MI ∀µ ∈ R(N0,µ0): LIµ ≥ bI), or MI = N^{|P0|} otherwise. Then we define M0 = MI if no initial-marking constraints are given, and M0 = MI ∩ {µ : LI0µ ≥ bI0} otherwise.

The meaning of the set M0 is that the procedure generates supervisors such that they can be used for some initial markings µ0 ∈ M0; recall, the supervisors are defined for all initial markings µ0 satisfying µ0 ∈ MI, Lµ0 ≥ b and L0µ0 ≥ b0. Finally, recall that a siphon control failure is the situation in which a siphon cannot be controlled. This happens when no admissible constraint is found at step C.3.c.i, or when an infeasibility occurs at the step C.3.d.

7.6.2 Proof of Correctness

As mentioned in the procedure description, if the procedure detects that it fails to generate a T-liveness enforcing supervisor, it attempts to generate a T′-liveness enforcing supervisor, for T′ ⊆ T (and T′ ≠ ∅). Thus the procedure returns the parameter T′ together with the constraints (L, b) and (L0,b0). Furthermore, note that the procedure may terminate at any of the steps B, C.9 or E. The procedure terminates at the steps B or C.9 if it fails, and it terminates at the step E if it is successful. The next result shows that if the procedure terminates at the step E, it generates a T′-liveness enforcing supervisor when the procedure is used as the le-procedure, and a deadlock prevention supervisor when the procedure is used as the dp-procedure. From the procedure it can be easily seen that when no siphon control failures occur in the steps C.3.c.i and C.3.d, the value of T′ is as follows: T′ = T if the problem is well formulated, i.e. there is a T-liveness enforcing supervisor for some initial marking, or T′ = T ∩ T1^A otherwise.

Theorem 7.7 Correctness of the DP- and LE-Procedures

(a) If the dp-procedure terminates at the step E, (N0,µ0) supervised according to Lµ ≥ b is deadlock-free for all initial markings µ0 ∈ MI satisfying Lµ0 ≥ b and L0µ0 ≥ b0.

(b) If the le-procedure terminates at the step E, (N0,µ0) supervised according to Lµ ≥ b is T′-live for all initial markings µ0 ∈ MI satisfying Lµ0 ≥ b and L0µ0 ≥ b0.

Proof: Let Nk be the Petri net of the last iteration and Tk^A the set of transitions of its active subnet Nk^A. Then the same proof as that of Theorem 6.14 at page 194 can be used to prove T′-liveness enforcement for T′ = Tk^A ∩ T. □

As an example, Theorem 7.7 applies in the Examples 7.4–7.6, as the procedure terminates at the step E.

7.6.3 Permissiveness

The simplified procedure has been proved to generate supervisors that are at least as permissive as the least restrictive T-liveness enforcing supervisor when N1 has a single T-minimal active subnet. This result is not affected by the initial/initial-marking constraint extension. However, when uncontrollable and unobservable transitions exist, the result can easily be proved only for a particular situation. This situation is characterized by the following conditions:

C1 The procedure terminates.

C2 The procedure does not terminate by declaring failure.

C3 No siphon control failures occur in the procedure.

C4 For every siphon S considered at a step C.3.c.i, the inequality lµ ≥ c at that step is such that l(p) > 0 ∀p ∈ S, and l(p) = 0 ∀p ∉ S.

C5 N1 has a single T-minimal active subnet.

For fully controllable and observable Petri nets, condition C4 is always satisfied, while the conditions C2 and C3 are also satisfied if the problem is well formulated, i.e. if T-liveness enforcement does not conflict with the initial/initial-marking constraints. Condition C5 can be violated if there is more than one T-minimal active subnet or if there is no T-minimal active subnet. In the latter case the problem is not well formulated, since T-liveness cannot be enforced for any initial marking.

Before presenting our results, we need a new definition. First, note that a supervisor enforcing T-liveness in a Petri net under partial controllability and observability assumptions will tend to be more restrictive than a T-liveness enforcing supervisor of the same Petri net under a full controllability and observability assumption. Furthermore, while a least restrictive T-liveness enforcing supervisor always exists for a fully observable Petri net allowing T-liveness enforcement, a least restrictive T-liveness enforcing supervisor may not exist for a partially observable Petri net allowing T-liveness enforcement. The following permissiveness results will compare the supervisors generated by the procedure to the supervisor that enforces T-liveness in the net in a least restrictive fashion under the full controllability and observability assumption. For ease of notation, we denote the latter as the least restrictive T-liveness enforcing fco-supervisor.

Definition 7.8 FCO-Supervisors

A supervisor relying on the assumption that the Petri net is fully controllable and observable is said to be a fco-supervisor.

The next result states that under the assumptions C1–C5 the procedure generates a supervisor that is at least as permissive as the least restrictive T-liveness enforcing fco-supervisor. As discussed in section 6.7.3 at page 197, this means that no T-liveness enforcing fco-supervisor exists for any of the markings µ0 which do not satisfy L0µ0 ≥ b0 or Lµ0 ≥ b, and that for all initial markings µ0 satisfying L0µ0 ≥ b0 and Lµ0 ≥ b, the supervisor enforcing Lµ ≥ b is at least as permissive as the least restrictive T-liveness enforcing fco-supervisor of (N0,µ0).

Theorem 7.9

Assuming the conditions C1–C5 satisfied, the procedure generates a supervisor at least as permissive as the least restrictive T-liveness enforcing fco-supervisor.

Proof: The proof is identical with the proof of Theorem 6.15 at page 198, once it is noticed that all minimal active siphons are controlled in a least restrictive way. Indeed, the transformation to admissible constraints generates constraints with c = 1, and so C4 implies that lµ ≥ c is not satisfied only if S is empty. □

Note that under the assumptions C1–C5, Theorem 7.7(b) guarantees that the le-procedure generates a supervisor enforcing T-liveness for all initial markings µ0 ∈ MI satisfying L0µ0 ≥ b0 and Lµ0 ≥ b. Recall, MI is the set of initial markings for which the initial constraints are satisfied. However, MI does not appear in Theorem 7.9 or its proof. The reason is that under the assumptions C1–C5, the le-procedure generates a supervisor satisfying the following: (a) T-liveness enforcement (even under the full controllability and observability assumption) is impossible for all initial markings µ0 that do not satisfy L0µ0 ≥ b0 and Lµ0 ≥ b; (b) for all initial markings allowing T-liveness enforcement, the le-procedure generated supervisor is at least as permissive as any of the T-liveness enforcing supervisors. Moreover, the set of initial markings MT for which T-liveness enforcement is possible is guaranteed to satisfy ML ⊆ MT ⊆ MU, for MU = {µ0 : Lµ0 ≥ b and L0µ0 ≥ b0} and ML = MI ∩ MU.

To illustrate the application of Theorem 7.9, note that in Example 7.4 the assumptions C1–C5 hold true. However, Theorem 7.9 does not apply in the Examples 7.5 and 7.6. It does not apply to Example 7.5 due to assumption C3, as siphon control failures occur when the procedure attempts to control the siphons {p1,p7} and {p2,p6,p9}. It also does not apply to Example 7.6, as the constraints enforced for the siphons {p1,p3,p5,p8,p9} and {p1,p2,p7,p8,p9} (see Table 7.1) do not satisfy assumption C4.

The next result is a consequence of Theorem 7.9, and it deals with the question of whether there is some supervisor enforcing T-liveness when the supervisor generated by our procedure enforces T′-liveness with T′ ⊂ T, or when the procedure declares failure. (Recall, T′ ≠ T if and only if siphon control failures occur or the Petri net structure does not allow T-liveness enforcement.)

Proposition 7.10

Consider T1^A at the first step B (i.e., not a step B reached by the procedure restarting itself at a step C.10). T-liveness is not enforcible in N0 for any initial marking if T ⊄ T1^A. Assume that the condition C5 is satisfied, siphon control failures occur, their first occurrence is at a step C.3.d, and the condition C4 is satisfied in all iterations previous to this occurrence. Then, for no initial marking µ0 ∈ M0 is T-liveness enforcible in N0.

Proof: The first part is a consequence of Theorem 5.12 at page 131, as Algorithm 5.27 at page 151 for the computation of the active subnets does not fail to find a T-minimal active subnet if such a subnet exists. For the second part, as C5 is satisfied, there is a T-minimal active subnet, and so T ⊆ T1^A. Let j be the iteration in which the first siphon control failure occurs. Since conditions C3–C5 apply at the iterations 1, 2, ... j − 1, we can show as in Theorem 6.15 at page 198 that if µ0 is a marking of N0, i ∈ {1, 2, ... j − 1}, the equivalent marking µ0,i of µ0 in Ni exists, and (Ni,µ0,i) cannot be made T-live, then (N0,µ0) cannot be made T-live. The facts that C4 has been satisfied before the first siphon control failure and that the failure takes place at a step C.3.d indicate that the procedure has been given initial constraints LIµ ≥ bI and/or initial-marking constraints LI0µ0 ≥ bI0.

Let µ0 ∈ M0 be an initial marking of N0. If no equivalent marking µ0,j of Nj exists, there is i ∈ {1, 2, ... j − 1} such that the equivalent marking µ0,i of Ni exists and an active siphon of (Ni,µ0,i) is empty. This implies that (Ni,µ0,i) cannot be made T-live, and so (N0,µ0) cannot be made T-live. If an equivalent marking µ0,j of Nj exists, we reach the same conclusion as follows. The first siphon control failure occurs at step C.3.d; this failure implies that there is an active siphon Sx of Nj which, due to (LI0,bI0) and (LI,bI), must be empty for all valid markings µj such that LIµj|N0 ≥ bI and LI0µj|N0 ≥ bI0. Therefore Sx is empty at µ0,j, so (Nj,µ0,j) cannot be made T-live, which implies (N0,µ0) cannot be made T-live. This concludes our proof. □

In view of Theorem 7.9 and Proposition 7.10, corollaries similar to the Corollaries 6.16–6.18 (pages 200–201) of the simplified procedure can be defined. The corollaries refer to the set M0, which, as mentioned in the preliminaries, is the set of markings in MI that satisfy the initial-marking constraints.

Corollary 7.11

Assume that liveness is enforcible in N0 for some initial marking µ0 ∈ M0, N0 is fully controllable and observable, and the le-procedure terminates. If T = T0, the le-procedure provides the least restrictive liveness enforcing supervisor.

The previous corollary extends Corollary 6.16 to the case of initial constraints and initial marking constraints. The next corollary extends Corollary 6.17 to the same case. As in Corollary 6.17, we denote by T^A the set of transitions T^A = T1^A ∩ T0, where T1^A is the set of transitions of the active subnet N1^A of N1.

Corollary 7.12

Assume that T-liveness is enforcible in N0 for some initial marking µ0 ∈ M0, N0 is fully controllable and observable, and the procedure terminates. The generated supervisor is at least as permissive as the least restrictive T^A-liveness enforcing supervisor.

The corollary stating a sufficient condition for divergence to occur is stated next.

In the corollary, an integer convex set is a set of integer vectors that can be expressed as the set of integer vectors x satisfying a matrix inequality Mx ≥ g, where M and g have rational elements.

Corollary 7.13 Divergence of the LE-Procedure

Assume that N1 has a single T-minimal active subnet, N0 is fully controllable and observable, T-liveness enforcement is possible for some initial marking µ0 ∈ M0, and the markings µ0 ∈ MI for which T-liveness enforcement is possible cannot be represented as the intersection of MI with an integer convex set. Then the le-procedure diverges.

Proof: Assume the contrary, that the le-procedure terminates. In view of Proposition 7.10, no siphon control failures can occur, and so T′ = T. Then, by Theorem 7.7(b), the supervisor enforcing Lµ ≥ b is a T-liveness enforcing supervisor for all initial markings µ0 ∈ ML, for ML = MI ∩ MU and MU = {µ : Lµ ≥ b ∧ L0µ ≥ b0}. The corollary statement explicitly guarantees that the assumptions C1 and C5 are satisfied. Because of Proposition 7.10, it can be seen that the corollary statement implies that C2–C4 are also satisfied. Therefore, Theorem 7.9 applies. By Theorem 7.9, T-liveness enforcement is impossible for all initial markings µ0 ∉ MU. Then, it follows that the set of markings of MI for which T-liveness is enforcible is the set ML = MI ∩ MU. This contradicts the last corollary assumption, and so concludes the proof. □

The conditions of the previous corollary are sufficient only. Compared to Corol- lary 6.18 of the simplified procedure, this corollary suggests that initial constraints may be used to help convergence for a Petri net for which divergence is guaranteed when no initial constraints are used. A more detailed discussion of the termination issues follows in section 7.8 at page 242.

Finally, note that checking the conditions C2–C5 is trivial on a computer. The procedure can be easily extended to check these conditions in order to report in the end which of the results of this section apply.

7.7 Extending Permissiveness

It was shown in section 6.8 at page 202 that the simplified procedure can be extended to improve permissiveness when N1 has more than one T-minimal active subnet. This section considers a similar extension for the general procedure. Recall, the assumption that N1 has a single T-minimal active subnet has been denoted as the condition C5 in the list of conditions C1–C5 (page 233) for Theorem 7.9. This section considers the case when the condition C5 is not satisfied, and shows how the procedure can be extended to guarantee the permissiveness property of Theorem 7.9 in this case.

Let N1^{A,1}, N1^{A,2}, ... N1^{A,p} be the T-minimal active subnets of N1, and let N0^{A,1}, N0^{A,2}, ... N0^{A,p} be the corresponding T-minimal active subnets of N0. Theorem 7.9 does not apply, as we have p (p > 1) T-minimal subnets. However, it may apply for T0^{A,i}-liveness, as there is a single T0^{A,i}-minimal active subnet: N1^{A,i} (we denote by T0^{A,i} the set of transitions of N0^{A,i} and i = 1...p). Assume that the procedure terminates for all i = 1...p when used to enforce T0^{A,i}-liveness. Let u ∈ {0, 1, ... p}, and assume that the T-minimal active subnets are ordered such that for i ∈ {j ∈ N : 1 ≤ j ≤ u} the procedure has no siphon control failures when used for T0^{A,i}-liveness, but for each i ∈ {j ∈ N : u + 1 ≤ j ≤ p} it has some siphon control failures. (In particular, if u = 0 siphon control failures occur for all i = 1...p, and if u = p no siphon control failure occurs for any i.) Let L^{(i)}µ ≥ b^{(i)} and L0^{(i)}µ ≥ b0^{(i)} be the generated constraints for all i = 1...u. Let Ξ be the supervisor defined as follows. Ξ requires the initial marking µ0 to be in the set M, where M = ∅ for u = 0 and

\mathcal{M} = \bigcup_{i=1}^{u} \left\{ \mu : L^{(i)}\mu \ge b^{(i)} \text{ and } L_0^{(i)}\mu \ge b_0^{(i)} \right\} \quad (7.29)

for u ≥ 1. Furthermore, Ξ allows a transition to fire only if the next reached marking is in M. By construction and Theorem 7.7, Ξ is a T-liveness enforcing supervisor for all initial markings µ0 ∈ MI ∩ M. (Of course, for u = 0 we have M = ∅, in which case no such initial markings µ0 exist.) The next theorem states that Ξ is at least as permissive as the least restrictive fco-supervisor with respect to initial markings in M0. This means that no T-liveness enforcing supervisors exist for initial markings µ0 ∈ M0 \ M and that Ξ is at least as permissive as any T-liveness enforcing supervisor for initial markings µ0 ∈ M0 ∩ M.

Theorem 7.14

Assume that for each i = 1...u the procedure satisfies C1–C4. Assume also that for each i = u + 1...p C1 is satisfied, the first siphon control failure occurs at the step C.3.d, and C4 is satisfied in all iterations previous to the first siphon control failure. If u > 0, Ξ is at least as permissive as the least restrictive T-liveness enforcing fco-supervisor for initial markings in M0. Otherwise, if u = 0, there is no T-liveness enforcing supervisor for any initial marking µ0 ∈ M0.

Proof: The assumptions of the theorem ensure that for any i = u + 1...p, the first failure at the step C.3.d is only possible when initial and/or initial-marking constraints are given. Then, by Proposition 7.10, T0^{A,i}-liveness cannot be enforced for all i = u + 1...p for the given constraints. The proof of the theorem is by contradiction. Let µ0 ∈ M0, and assume there is a T-liveness enforcing supervisor allowing a marking µ ∉ M to be reached; then µ enables a firing sequence σ which includes all transitions in T infinitely often. Let U be the set of transitions appearing infinitely often in σ, and D the incidence matrix of N0. By Lemma 5.9 at page 126, there is x ≥ 0 such that Dx ≥ 0, x(i) > 0 ∀ti ∈ U and x(i) = 0 ∀ti ∈ T0 \ U; let T^A = ‖x‖. Then T^A defines an active subnet, and note that T ⊆ T^A. Since N0^{A,i}, i = 1...p, are all the T-minimal active subnets, there is j, 1 ≤ j ≤ p, such that T0^{A,j} ⊆ T^A. If j ≤ u, we have a contradiction, since by Theorem 7.9 not all transitions of T0^{A,j} can be made live for µ ∉ M, and so not all of them can appear in σ. If j > u we again have a contradiction, since for all initial markings µ0 ∈ M0 not all transitions of T^{A,j} can be made live. □

While the construction of Ξ yields a supervisor more permissive than the supervisors generated by the procedure itself, it is not so clear whether Ξ is admissible. The problem arises as follows. Let Duc and Duo be the restrictions of the incidence matrix D of N0 to the uncontrollable and unobservable transitions, respectively. The admissibility transformation used by the procedure (see section 7.4.3 at page 220) guarantees that L^{(i)}Duc ≥ 0 and L^{(i)}Duo = 0 (see equations (7.15) and (7.16)) for all i = 1...u. A consequence of L^{(i)}Duo = 0 is that, given the initial state, it is possible to monitor at all times the value of xi = L^{(i)}µ − b^{(i)}, as its value is only affected by the firings of observable transitions. However, there is no guarantee that L0^{(i)}Duo = 0. Therefore, it may not be possible to monitor the value of xi,0 = L0^{(i)}µ − b0^{(i)}. Note that xi,0 ≥ 0 is guaranteed at a given state µk if there is a prior state µk−j in which xi ≥ 0 and xi,0 ≥ 0, and all subsequent states µk−j+1 ... µk satisfy that xi ≥ 0. As this condition may not be satisfied in the context of (7.29), it may be necessary to monitor xi,0 in order to know whether xi,0 ≥ 0 or not. However, when L0^{(i)}Duo ≠ 0, firing some unobservable transitions may cause uncertainty with regard to whether xi,0 ≥ 0 is satisfied or not. For this reason, the exact implementation of Ξ may not always be possible.

Note that the admissibility requirement with regard to the uncontrollable transitions is always satisfied. Indeed, L^{(i)}Duc ≥ 0 guarantees that only controllable transitions need to be disabled in order to ensure that L^{(i)}µ ≥ b^{(i)} is not violated. Therefore Ξ is always admissible if the net has no unobservable transitions. To guarantee in general that Ξ is admissible, the step C.3.a of the procedure can be changed to prevent an inequality from being added to (A0,d0) when that inequality written in terms of N0⁹ is lµ ≥ c such that lDuo ≠ 0. (This change will cause such an inequality to be transformed to be admissible (step C.3.c.i), added to (A, d), and enforced with a control place.) This will ensure that both L^{(i)}Duo = 0 and L0^{(i)}Duo = 0, and so that Ξ is admissible. Then Ξ could be implemented as the disjunction of the supervisors Ξi enforcing [L^{(i)T}, L0^{(i)T}]^T µ ≥ [b^{(i)T}, b0^{(i)T}]^T.

⁹ Recall, an inequality liµ ≥ ci of Ni is lµ ≥ c when written in terms of N0 if l = li|P0 + li|C L|P0 and c = ci + li|C b.
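The following Python is an added illustration (written for this edit, not code from the dissertation) of the supervisor Ξ of (7.29) and of the two admissibility checks discussed above. It uses a constructed three-place cycle net with one uncontrollable and one unobservable transition and two constructed constraint sets (u = 2); the net, the transition classes and the constraint sets are assumptions chosen for the illustration, not data from the examples of this chapter.

```python
from itertools import product

# Constructed cycle net (assumption for this example): t1: p1 -> p2,
# t2: p2 -> p3, t3: p3 -> p1.  Rows are places p1..p3, columns t1..t3;
# the code indexes both from 0.
PRE = [[1, 0, 0],
       [0, 1, 0],
       [0, 0, 1]]          # tokens each transition consumes
D = [[-1, 0, 1],
     [1, -1, 0],
     [0, 1, -1]]           # incidence matrix of N0
UNCONTROLLABLE = {2}       # t3 cannot be disabled (constructed assumption)
UNOBSERVABLE = {1}         # t2 cannot be observed (constructed assumption)


def dot(l, v):
    return sum(a * b for a, b in zip(l, v))


def column(matrix, j):
    return [row[j] for row in matrix]


def admissible(L, uncontrollable=UNCONTROLLABLE, unobservable=UNOBSERVABLE):
    """True iff every row l of L satisfies l*Duc >= 0 and l*Duo == 0.

    l*Duc >= 0: no uncontrollable firing can decrease l*mu, so only
    controllable transitions ever need disabling.  l*Duo == 0: no
    unobservable firing changes l*mu, so l*mu - c can be tracked from the
    observable firings alone.
    """
    for l in L:
        if any(dot(l, column(D, j)) < 0 for j in uncontrollable):
            return False
        if any(dot(l, column(D, j)) != 0 for j in unobservable):
            return False
    return True


def satisfies(mu, L, b):
    return all(dot(l, mu) >= c for l, c in zip(L, b))


# Constructed constraint sets for u = 2; each entry is (L, b, L0, b0) for one i.
SETS = [
    ([[1, 1, 1]], [2], [[1, 1, 0]], [2]),   # i = 1: mu1+mu2+mu3 >= 2 and mu1+mu2 >= 2
    ([[1, 1, 1]], [2], [[0, 1, 1]], [2]),   # i = 2: mu1+mu2+mu3 >= 2 and mu2+mu3 >= 2
]


def in_M(mu, sets=SETS):
    """Membership in the set M of (7.29): the union over i of the markings
    satisfying both L^(i) mu >= b^(i) and L0^(i) mu >= b0^(i)."""
    return any(satisfies(mu, L, b) and satisfies(mu, L0, b0)
               for L, b, L0, b0 in sets)


def enabled(mu, j):
    return all(mu[p] >= PRE[p][j] for p in range(len(mu)))


def fire(mu, j):
    return [mu[p] + D[p][j] for p in range(len(mu))]


def xi_allows(mu, sets=SETS):
    """Transitions Xi lets fire at mu: enabled in N0 and leading to a marking in M."""
    return [j for j in range(len(D[0])) if enabled(mu, j) and in_M(fire(mu, j), sets)]


def uncontrollable_escapes(mu, sets=SETS):
    """Uncontrollable transitions enabled at mu whose firing leaves M.  Xi has
    no way to block these; the admissibility conditions are what rule them out."""
    return [j for j in sorted(UNCONTROLLABLE) if enabled(mu, j) and not in_M(fire(mu, j), sets)]


def admissibility_report(sets=SETS):
    """For each i, whether (L^(i), b^(i)) and (L0^(i), b0^(i)) pass the checks."""
    return [(admissible(L), admissible(L0)) for L, _, L0, _ in sets]


if __name__ == "__main__":
    print(admissibility_report())
    for mu in product(range(3), repeat=3):
        if in_M(list(mu)):
            print(mu, "allows", xi_allows(list(mu)), "escapes", uncontrollable_escapes(list(mu)))
```

Running it shows that the (L^{(i)}, b^{(i)}) rows pass both checks while the (L0^{(i)}, b0^{(i)}) rows do not, and that at the marking (0, 0, 2), which lies in M through the second set, the uncontrollable t3 leads out of M: that is precisely the situation Ξ cannot enforce and the modified step C.3.a is meant to exclude.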

7.8 Convergence Issues

This section considers issues regarding whether the procedure can provide in a reasonable amount of time a supervisor. From a theoretical viewpoint, the procedure does not have a guaranteed termination. From a practical viewpoint, computational complexity may further limit the usage of the procedure. We discuss the first issue in section 7.8.1 and the second one in section 7.8.2.

7.8.1 Termination Issues

The procedure does not have guaranteed termination. In the cases when the procedure does not terminate, it may be possible to help it terminate by using initial constraints. This topic is discussed first. Then, an example is used to illustrate how initial constraints can help termination. Finally, other termination results are discussed.

Initial constraints can help the procedure terminate, as they may cause some of the siphons generated during the iterations to be controlled (as the reachable markings are restricted to the markings satisfying the initial constraints). Intuitively, fewer uncontrolled siphons imply fewer control places, fewer control places imply that fewer new possibilities of deadlock are introduced in the system, which in turn implies faster termination. Example 7.6 at page 228 illustrates this point. In Example 7.6, the same control places are added in the first iteration, regardless of whether initial constraints are given or not. However, at the second iteration, five additional control places are generated when no initial constraints are given; they correspond to the siphons {p1,p3,p5,p8,p11}, {p1,p3,p5,p8,p10,p12}, {p1,p2,p7,p8,p11}, {p1,p2,p7,p8,p10,p12}, and {p1,p2,p7,p10,p11,p14}. Note that the additional control places cause 167 additional minimal active siphons at the next iteration.

A particular case is when we are only interested in a finite set of initial markings and the target Petri net is bounded. Then initial constraints can be chosen to define a bounded set including all markings reachable from the initial markings of interest. Then, if the procedure is started with these initial constraints, assuming that no transition splits occur during the iterations (which in practice is often the case for the dp-procedure), the procedure terminates. Termination occurs because each time a new constraint is added to (L, b) or (L0,b0) in the procedure, at least one new marking is forbidden, and the number of markings which can be forbidden is finite due to the initial constraints. To summarize, given a target Petri net N:

• Find a set of constraints LIµ ≥ bI with bounded feasible set F such that for all initial markings µ0 of interest for N: R(N,µ0) ⊆ F. Let MI be the set of initial markings of interest.

• Apply the procedure on N with initial constraints (LI,bI).

• The resulting supervisor can be used for the initial markings µ0 ∈ MI satisfying Lµ0 ≥ b and L0µ0 ≥ b0, where (L, b) and (L0,b0) are the two sets of constraints generated by the procedure.

Example 7.15 Consider the Petri net of Figure 7.8 for deadlock prevention with T = T0. At the first iteration the uncontrolled siphons are: S1 = {p1,p3,p5}, S2 = {p1,p2,p3,p4}, and S3 = {p5,p6}. The control place C1 is added to control S1; the inequality µ1 + µ3 + µ5 ≥ 1 is added to (L, b). However, S2 and S3 do not need a control place, so µ1 + µ2 + µ3 + µ4 ≥ 1 and µ5 + µ6 ≥ 1 are added to (L0, b0). At the second iteration, there is a single uncontrolled siphon, {p1,p2,C1,p4}, and the control place C2 results.

Figure 7.8. A Petri net for which the dp-procedure does not terminate unless appropriate initial constraints are given.

At the third iteration the uncontrolled siphons are {p1,p3,C2} and {C2,p6}. Note that C2 has the same connections as p5, and so the siphon {p1,p3,C2} corresponds to S1 = {p1,p3,p5}, and {C2,p6} to S3 = {p5,p6}. The procedure diverges. At each iteration it adds a control place as follows: (a) at an iteration n = 2k, the control place Cn is added to control the siphon {p1,p2,Cn−1,p4}, and (b) at an iteration n = 2k + 1, the control place Cn is added to control the siphon {p1,p3,Cn−1}. Then it can be noticed that Cn, for n = 1, 2, ..., enforces:

n µ1 + ⌊n/2⌋ µ2 + ⌈n/2⌉ µ3 + ⌊n/2⌋ µ4 + µ5 ≥ n (7.30)

It can be shown that the system of inequalities (7.30) for n = 1 and n = n1 implies (7.30) for n = n1 − 1, for all n1 ≥ 3. Furthermore, it can also easily be shown that the new markings forbidden by adding (7.30) at the iteration n are as follows: (a) for n = 2k, µ1 = µ2 = µ4 = 0, µ3 = 1 and µ5 = k − 1; (b) for n = 2k + 1, µ1 = µ3 = 0, µ2 + µ4 = 1 and µ5 = k. Now assume that we start with the initial constraints µi ≤ 4 for all i = 1 ... 6. Recall, the usage of initial constraints assumes that for all initial markings of interest µ0 ∈ MI, all reachable markings µ satisfy the initial constraints. For instance, MI could be {[1, 0, 0, 0, 0, 1]^T, [0, 0, 1, 1, 0, 1]^T} for our initial constraints. Note that the markings forbidden at the iteration n = 11 if (7.30) were enforced are µ1 = µ3 = 0, µ2 + µ4 = 1 and µ5 = 5. However, according to the initial constraints, these markings can never be reached, so the siphon {p1,p3,C10} is controlled. Therefore, no control place is added at the iteration n = 11, and so the procedure terminates. After removing the redundant constraints, the procedure terminates with (the two rows of L being (7.30) for n = 1 and n = 10):

L = [  1  0  1  0  1  0 ]     b = [  1 ]     (7.31)
    [ 10  5  5  5  1  0 ]         [ 10 ]

and (L0, b0) containing µ5 + µ6 ≥ 1. Deadlock prevention is guaranteed for all initial markings of interest µ0 ∈ MI that satisfy Lµ0 ≥ b and L0µ0 ≥ b0. □

Figure 7.9. A Petri net for which the least restrictive liveness enforcing supervisor cannot be expressed by linear marking inequalities.
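The termination argument of Example 7.15 can be checked by enumeration. The following Python block is an added example, not code from the dissertation. It encodes (7.30) as read from the page, n µ1 + ⌊n/2⌋ µ2 + ⌈n/2⌉ µ3 + ⌊n/2⌋ µ4 + µ5 ≥ n, together with the two (L0, b0) inequalities of the example, and enumerates the box of markings allowed by initial constraints µi ≤ bound. It reproduces the lists of newly forbidden markings given above, finds that with bound 4 nothing new is forbidden at n = 11, and checks the claim that (7.30) for n = 1 and n = n1 implies (7.30) for n1 − 1. The bound is a parameter, so the same code shows that a tighter box stops the procedure earlier; the (L0, b0) side constraints matter, since without µ1 + µ2 + µ3 + µ4 ≥ 1 the marking with only µ5 = 1 would also be newly forbidden at n = 2.

```python
from itertools import product

# Places p1..p6 of Figure 7.8 are indexed 0..5 in the tuples below.
# Inequality (7.30), as read from the page, for iteration n:
#   n*mu1 + floor(n/2)*mu2 + ceil(n/2)*mu3 + floor(n/2)*mu4 + mu5 >= n
def coeffs_730(n):
    """Coefficients of (7.30) on (mu1, ..., mu5) at iteration n."""
    return (n, n // 2, (n + 1) // 2, n // 2, 1)

def holds_730(mu, n):
    return sum(c * m for c, m in zip(coeffs_730(n), mu)) >= n

def side_constraints(mu):
    """The (L0, b0) constraints of Example 7.15:
    mu1 + mu2 + mu3 + mu4 >= 1 and mu5 + mu6 >= 1."""
    return mu[0] + mu[1] + mu[2] + mu[3] >= 1 and mu[4] + mu[5] >= 1

def box(bound):
    """All markings with 0 <= mu_i <= bound: the initial constraints mu_i <= bound."""
    return product(range(bound + 1), repeat=6)

def newly_forbidden(n, bound):
    """Markings (projected on p1..p5) inside the box that satisfy (7.30) for every
    k < n together with (L0, b0), but violate (7.30) at iteration n."""
    return {mu[:5] for mu in box(bound)
            if side_constraints(mu)
            and all(holds_730(mu, k) for k in range(1, n))
            and not holds_730(mu, n)}

def first_vacuous_iteration(bound, n_max=40):
    """First n at which (7.30) forbids nothing new inside the box; with initial
    constraints mu_i <= bound the procedure adds no control place there."""
    for n in range(1, n_max + 1):
        if not newly_forbidden(n, bound):
            return n
    return None

def implies_previous(n1, bound):
    """The page's claim: (7.30) at n = 1 and n = n1 implies (7.30) at n1 - 1,
    checked on every integer marking of the box (no side constraints needed)."""
    return all(holds_730(mu, n1 - 1) for mu in box(bound)
               if holds_730(mu, 1) and holds_730(mu, n1))

if __name__ == "__main__":
    for n in range(1, 12):
        print(n, sorted(newly_forbidden(n, 4)))
    print("no new marking forbidden at iteration", first_vacuous_iteration(4))
```

With bound 4 the printed lists follow pattern (a)/(b) above up to n = 10 and are empty at n = 11; with bound 3 the first empty iteration is already n = 9, because the marking with µ5 = 4 required at n = 9 lies outside the box.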

There are situations in which it is clear that the procedure will not terminate.

Such a situation has been characterized by Corollary 6.18 at page 201 for the simplified procedure, and by Corollary 7.13 at page 237 for the general procedure.

This situation may arise when the set of initial markings for which the Petri net can be made T-live is not an integer convex set. Then, it is clear that the least restrictive T-liveness enforcing supervisor cannot be represented by any constraints Lµ ≥ b and L0µ ≥ b0. This is illustrated on the Petri net of Figure 7.9. The Petri net has the property that a deadlock marking, µ3 = [1, 1, 0, 0], is a linear combination of two markings µ1 = [2, 0, 0, 0] and µ2 = [0, 2, 0, 0] for which liveness can be enforced: µ3 = 0.5µ1 + 0.5µ2. This means that the least restrictive liveness enforcing supervisor cannot be represented by any constraints Lµ ≥ b and L0µ ≥ b0. Note that even if we restrict our attention to the single initial marking µ0 = µ1, the least restrictive liveness enforcing supervisor cannot be represented by constraints Lµ ≥ b, as both µ2 and µ3 are reachable from µ1.

TABLE 7.2. COMPLEXITY OF THE PROCEDURE STEPS

Computation                                   Involves               Complexity
T-minimal active subnet                       linear programming     polynomial
PT-transformation/AC-transformation           -                      polynomial
Finding the minimal active siphons            search                 exponential
Checking whether a siphon is uncontrolled     integer programming    exponential
Admissibility transformation                  integer programming    exponential
Feasibility check at step C.3.d               integer programming    exponential
Removal of redundant constraints              integer programming    exponential

7.8.2 Computational Complexity

Due to the great variety of Petri net structures, it is not possible to characterize the computational complexity for all cases as a function of the size of the net. In other words, we can find very large nets for which the procedure converges quickly, and small nets for which the procedure runs into serious computational problems. However, we may attempt to characterize the operations of the procedure by a worst case complexity. Furthermore, experiments may be used to obtain average complexities for various classes of Petri nets.

The computational complexity of the major operations that may be performed in an iteration is shown in Table 7.2. Some operations admit a "suboptimal" solution, and so allow replacing integer programming by linear programming. This is the case of the operation checking whether a siphon is uncontrolled. Using linear programming will cause more siphons to be declared "uncontrolled". This would only affect the convergence of the procedure, as the procedure may have to control more siphons. The removal of redundant constraints is another operation that allows replacing integer programming by linear programming. Of course, this may cause some redundant constraints to remain undetected, and so to have a more complex supervisor. Further research may also lead to an admissibility transformation that employs linear programming instead of integer programming. On the other hand, removing the feasibility check of step C.3.d or using linear programming there instead of integer programming may have more serious consequences. Step C.3.d is used to ensure that there are initial markings µ satisfying the constraints Lµ ≥ b, L0µ ≥ b0, LI µ ≥ bI and LI0 µ ≥ bI0. Without a proper feasibility check at step C.3.d, it is hard or impossible to guarantee that Lµ ≥ b and L0µ ≥ b0 are feasible, even when no initial/initial-marking constraints are given. This is due to the fact that the final matrices L and L0 may contain negative elements. Note that the matrices L and L0 are guaranteed to have only nonnegative elements if the admissibility transformation of step C.3.c.i is changed to generate constraints lµ ≥ c with l(p) ≥ 0 for all places p.

Experimentally, finding the minimal active siphons tends to be the most time-expensive computation. The computational cost of this operation obviously depends on the number of minimal siphons. It can be noticed that the number of siphons is exponential in the worst case. To see this, consider a Petri net with m places and n transitions. The maximal number of distinct subsets of places is 2^m, so we know that the number of minimal siphons cannot exceed 2^m. On the other hand, consider the free-choice Petri net constructed as shown in Figure 7.10. The Petri net has 2k places and k transitions, where k may be set to k = min(⌊m/2⌋, n). Note that the Petri net can be extended to have m places and n transitions by adding disconnected places and disconnected transitions, as necessary. Note that the Petri net has 2^k minimal siphons of the form {p1,i1, p2,i2, ..., pk,ik}, for i1, ..., ik ∈ {1, 2}. This proves that the maximal number of minimal siphons that a Petri net with m places and n transitions may have is lower bounded by 2^k and upper bounded by 2^m, for k = min(⌊m/2⌋, n).

Figure 7.10. In the worst case, the number of minimal siphons has an exponential dependence on the size of the Petri net.

Finally, note that the experimental results indicate that the dp-procedure is significantly more likely to converge than the le-procedure.
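To make the 2^k bound concrete, here is a small Python enumerator for minimal siphons, added as an example (it is not code from the dissertation). The net it builds is my own construction with the property claimed for Figure 7.10 (the figure itself is not reproduced on this page): k transitions arranged in a ring, where t_i consumes from both places of column i and produces into both places of column i+1 mod k; every place has a single output transition, so the net is free-choice. The enumerator is the brute-force search of Table 7.2: it tests all 2^m place subsets and is only usable for small m, which is exactly the point of the table.

```python
from itertools import combinations

def ring_net(k):
    """Constructed example net: 2k places (column i, row j) and k transitions.
    Transition i consumes from both places of column i and produces into both
    places of column (i + 1) mod k.  pre/post map a transition to its input /
    output place sets."""
    places = [(i, j) for i in range(k) for j in (1, 2)]
    pre = {i: {(i, 1), (i, 2)} for i in range(k)}
    post = {i: {((i + 1) % k, 1), ((i + 1) % k, 2)} for i in range(k)}
    return places, pre, post

def is_siphon(S, pre, post):
    """S is a siphon iff every transition that outputs into S also takes input
    from S (the usual condition written as  •S ⊆ S• )."""
    S = set(S)
    feeders = {t for t, outs in post.items() if outs & S}    # •S
    consumers = {t for t, ins in pre.items() if ins & S}     # S•
    return feeders <= consumers

def minimal_siphons(places, pre, post):
    """Brute force: test every nonempty place subset (2^m of them), then drop
    any siphon that strictly contains another siphon."""
    siphons = [frozenset(S)
               for r in range(1, len(places) + 1)
               for S in combinations(places, r)
               if is_siphon(S, pre, post)]
    return [S for S in siphons if not any(T < S for T in siphons)]

def count_minimal_siphons(k):
    """Number of minimal siphons of the ring net with k columns; expected 2**k."""
    return len(minimal_siphons(*ring_net(k)))

if __name__ == "__main__":
    for k in range(1, 5):
        print(f"k={k}: {count_minimal_siphons(k)} minimal siphons (2^k = {2**k})")
```

In the ring net a place subset is a siphon exactly when it touches every column, and it is minimal when it contains exactly one place per column, which is where the 2^k count comes from; the enumerator confirms it for small k.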

7.9 Applications

7.9.1 Deadlock Prevention in a Manufacturing System

This section illustrates how the procedure can be used for deadlock prevention/liveness enforcement in manufacturing systems.

Example 7.16 Consider the target Petri net structure of Figure 7.12(a) for deadlock prevention (T = T0). The Petri net may be seen as the representation of the manufacturing system shown in Figure 7.11. The manufacturing system is described next. The system has four work areas, WA1 ... WA4, and three machine areas, MA1, MA2, and MA3. In WA1 two parts are assembled, and this operation involves two machines from MA1 and one from MA2; upon completion, all three machines should be in MA2. Work in WA2 involves one part, one machine from MA2, and one from MA1; upon completion, both machines should be in MA1. Work in WA3 involves one part, which may be of two different types, and one machine from MA3; upon completion, the machine returns to MA3. Optionally, the operation in WA3 is continued with an additional operation in WA4; when this is the case, the machine of MA3 is released when the process in WA4 is completed. If no failure occurs in WA4, the machine returns to MA3. When a failure occurs, the machine may no longer be used in MA3, but it can still be used in MA1 or MA2, and is moved to MA2. The marking of the places p3, p6 and p7 corresponds to available machines. The marking of the places p5, p1, p4, and p8 corresponds to the number of working processes in WA1 ... WA4. The markings of p2, p9, p10, p11, p12, and p13 represent the number of parts in buffer areas. The uncontrollable transition t10 models the failure in WA4.

Figure 7.11. The manufacturing system of Example 7.16. (Recovered figure labels: PARTS IN/OUT; WA1 (p5), WA2 (p1), WA3 (p4), WA4 (p8); MA1 (p6), MA2 (p3), MA3 (p7); DISCARD.)

In the first iteration, the Petri net structure N1 = (P1, T1, F1, W1) is that of Figure 7.12(b), but without the control places C1, ..., C4 and their transition arcs. The place p2,1 and the transition t2,1 appear by splitting t1. The maximal active subnet has the transitions in T1 \ {t9,t10}. There are two minimal active siphons: {p1,p6} and {p4,p7,p8}. They are controlled with two new control places, C1 and C2 respectively, where the constraint of C2 is transformed to (7.33), which is admissible.

Figure 7.12. Petri nets in Example 7.16: (a) Target Petri net, (b) the Petri net after five iterations, and (c) the supervised Petri net.

In the second iteration, the maximal active subnet still has the transitions T1 \ {t9,t10} and the only uncontrolled minimal active siphon is {C2,p8}. No admissible constraint is found for the control of {C2,p8}. (µ(C2) ≥ 1 is not acceptable; see step 5 of the constraint transformation algorithm 7.2 at page 222.) Therefore X, the set of transitions which should not appear in the active subnets of the following iterations, is set to X = {t5,t7,t10}.

In the third iteration and the remaining iterations the active subnet has the set of transitions T1 \ {t5,t7,t9,t10}. The only uncontrolled minimal active siphon is S = {C2,p8,p3,p5}. The constraint Σ_{p∈S} µ(p) ≥ 1 is admissible, and the control place enforcing it is C3.

In the fourth iteration the only uncontrolled minimal active siphon is {p1,C1,p5,C3}, and so the control place C4 is added.

In the fifth iteration the only uncontrolled minimal active siphon is S = {C4,p2,1,p5}. Since the control place C which would control this siphon satisfies C• ⊆ •S, no control place is added, and so its constraint is included in (A0, d0).

The procedure terminates at the sixth iteration, as there is no uncontrolled minimal active siphon left. The constraints after the step D of the procedure are:

µ1 + µ6 ≥ 1 (7.32)

µ4 + µ7 ≥ 1 (7.33)

µ3 + µ4 + µ5 + µ7 + µ8 ≥ 2 (7.34)

2µ1 + µ3 + µ4 +2µ5 + µ6 + µ7 + µ8 ≥ 4 (7.35)

2µ1 + µ3 + µ4 +3µ5 + µ6 + µ7 + µ8 ≥ 5 (7.36)

The inequalities (7.32)-(7.35) are included in Lµ ≥ b, and correspond to C1 ... C4 in this order, while the inequality (7.36) is written as L0µ ≥ b0. The inequality (7.35) is redundant, and so it can be omitted. The Petri net supervised for deadlock freedom is obtained by enforcing the constraints (L, b) on the target net (Figure 7.12(c)). □

7.9.2 Minimization of the Number of Resources

In some manufacturing applications, it may be of interest to know the minimal number of resources for which a manufacturing process can operate. In principle, this problem is nontrivial, as even for particular classes of manufacturing systems, the realizability problem is NP-complete [146]. In terms of Petri nets, the realizability problem corresponds to checking whether a given initial marking allows liveness enforcement or not. This section illustrates the fact that the supervisors generated by the procedure of this chapter allow the designer to obtain the minimal number of resources for which the system has no deadlocks. Of course, when the supervisors are not least restrictive, we only obtain an upper bound on the minimal number of resources.

Figure 7.13. Target Petri net (left) and supervised Petri net (right) in Example 7.17.

Typically, the Petri net models of manufacturing systems associate a place with each kind of resource. Furthermore, the number of idle resources of a kind is represented by the marking of the corresponding resource place. Assuming that all resources are idle at the initialization of the system, the initial state of the system can be represented by an initial marking in which only the resource places are marked. This constraint on the initial marking together with the constraints Lµ ≥ b and L0µ ≥ b0 generated by the procedure can be used in an integer linear program to find the minimal number of resources. This idea is illustrated in the following example.

Example 7.17 The Petri net in Figure 7.13 is used to model a simple manufacturing system in [42]. In this example the le-procedure is applied to the Petri net model. The resulting supervisor has the control places shown in Figure 7.13. They correspond to the constraints of Lµ ≥ b:

µ4 + µ6 + µ13 + µ14 ≥ 1 (7.37)

µ5 + µ9 + µ12 + µ13 ≥ 1 (7.38)

µ6 + µ9 + µ12 + µ13 + µ14 ≥ 1 (7.39)

2µ4 +2µ5 + µ6 + µ9 + µ12 +2µ13 + µ14 ≥ 3 (7.40)

The constraints of L0µ ≥ b0 are:

µ6 + µ8 + µ14 ≥ 1 (7.41)

µ2 + µ15 ≥ 1 (7.42)

µ1 + µ2 + µ3 + µ5 + µ6 + µ7 ≥ 1 (7.43)

µ4 + µ5 + µ13 ≥ 1 (7.44)

µ3 + µ9 + µ12 ≥ 1 (7.45)

µ7 + µ11 ≥ 1 (7.46)

µ4 + µ8 + µ9 + µ10 ≥ 1 (7.47)

The places p11, p12, p13, p14 and p15 are resource places. At the initial marking only the resource places are marked. This can be written as

µ1 + µ2 + ...+ µ10 = 0 (7.48)

To find the minimum number of resources for which the system remains live, the following integer program can be solved:

min µ11 + µ12 + µ13 + µ14 + µ15

subject to Lµ ≥ b, L0µ ≥ b0,and(7.48).

The solution to the integer program is µ11 = µ12 = ... = µ15 = 1. This shows that the minimal number of resources for which the system can operate is reached when there is a single resource of each kind. (As the constraints are printed above, (7.43) and (7.47) involve only the places p1 ... p10 and are therefore violated by every marking satisfying (7.48); (7.41), (7.42), (7.44), (7.45) and (7.46) each force one of µ11 ... µ15 to be at least 1, so the stated solution is the minimum of the program over the constraints other than (7.43) and (7.47).) □

7.9.3 Resource Preallocation

In practice, it may be desirable to automate the initialization of a manufacturing system. When resources of the same type can be used for various tasks at various locations in the plant, a problem that may arise is to allocate such resources to the different locations in a way which guarantees that the system can operate without deadlocks. For instance, given the manufacturing system of Example 7.16, assume that at the initialization there are n machines that can be (irreversibly) dedicated as machines of MA1, MA2, or MA3. The problem is to allocate machines to the locations MA1, MA2, and MA3 such that the system can operate. In principle, we could find a solution by solving a linear integer program constrained by the constraints Lµ ≥ b and L0µ ≥ b0 generated by the procedure in Example 7.16. Alternatively, as proposed in this section, the initialization problem can be solved together with the liveness enforcement/deadlock prevention problem, in which case the supervisor will disable any allocation decisions that would lead to deadlock. This solution is illustrated in the following example.

Example 7.18 Consider the Petri net of Figure 7.14. The initialization problem discussed above can be included in the deadlock prevention problem of Example 7.16 by adding the source place p14 with initial marking n. The place p14 is connected through the transitions t16, t17, and t18 to the places p6, p7, and p3, corresponding to MA1, MA3, and MA2, respectively. This problem is more complex than that of Example 7.16, as significantly more active siphons appear. After the dp-procedure is run, the following constraints are obtained:

µ1 + µ6 + µ14 ≥ 1 (7.49)

µ4 + µ7 + µ14 ≥ 1 (7.50)


Figure 7.14. The manufacturing system of Example 7.18.

µ1 + µ4 + µ6 + µ7 + µ14 ≥ 2 (7.51)

µ3 + µ4 + µ5 + µ7 + µ8 + µ14 ≥ 2 (7.52)

2µ1 + µ3 + µ4 +3µ5 + µ6 + µ7 + µ8 + µ14 ≥ 5 (7.53)

The inequalities (7.49)-(7.52) are in Lµ ≥ b, while the inequality (7.53) is in L0µ ≥ b0. The closed-loop Petri net has a more involved graphical representation, which is omitted. □
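Both the minimal-resource integer program of section 7.9.2 and the allocation problem of this section are small enough to solve by bounded enumeration, which is what the following added Python example does (it is my code, not the dissertation's, and a bounded search stands in for an ILP solver). It first evaluates the program of Example 7.17 over the constraints (7.37)-(7.47) exactly as printed above: since (7.43) and (7.47) contain no resource place, every marking satisfying (7.48) violates them and the program as printed is infeasible; the function unsatisfiable_under_748 reports which constraints are responsible, and the minimum over the remaining nine constraints is the page's answer µ11 = ... = µ15 = 1. It then solves the preallocation problem of Example 7.18 "in principle", as suggested above: enumerate the ways to dedicate n machines to MA2 (p3), MA1 (p6) and MA3 (p7), with every other place empty at initialization (an assumption of this example), and keep those satisfying (7.32)-(7.36) from Example 7.16. The same enumeration over (7.49)-(7.53) with µ14 = 0, i.e. after all n machines have been dedicated, yields the same allocations, which is a useful consistency check between the two supervisors.

```python
from itertools import product

# A constraint is (lhs, rhs) with lhs = {place number: coefficient}, meaning
# sum(coefficient * mu[place]) >= rhs.  Markings are dicts {place number: tokens}.
def holds(mu, con):
    lhs, rhs = con
    return sum(c * mu[p] for p, c in lhs.items()) >= rhs

def empty_marking(n_places=15):
    return {p: 0 for p in range(1, n_places + 1)}

# Example 7.17: constraints (7.37)-(7.47) as printed, keyed by equation number.
C717 = {
    "7.37": ({4: 1, 6: 1, 13: 1, 14: 1}, 1),
    "7.38": ({5: 1, 9: 1, 12: 1, 13: 1}, 1),
    "7.39": ({6: 1, 9: 1, 12: 1, 13: 1, 14: 1}, 1),
    "7.40": ({4: 2, 5: 2, 6: 1, 9: 1, 12: 1, 13: 2, 14: 1}, 3),
    "7.41": ({6: 1, 8: 1, 14: 1}, 1),
    "7.42": ({2: 1, 15: 1}, 1),
    "7.43": ({1: 1, 2: 1, 3: 1, 5: 1, 6: 1, 7: 1}, 1),
    "7.44": ({4: 1, 5: 1, 13: 1}, 1),
    "7.45": ({3: 1, 9: 1, 12: 1}, 1),
    "7.46": ({7: 1, 11: 1}, 1),
    "7.47": ({4: 1, 8: 1, 9: 1, 10: 1}, 1),
}
RESOURCES_717 = [11, 12, 13, 14, 15]   # resource places of Example 7.17

def unsatisfiable_under_748(cons, resources):
    """Names of constraints that mention no resource place: under (7.48), which
    empties every non-resource place, their left-hand side is 0 and they fail."""
    return [name for name, (lhs, _) in cons.items() if not set(lhs) & set(resources)]

def min_resources(cons, resources, bound):
    """Bounded brute-force version of the integer program of section 7.9.2:
    minimise the sum of the resource markings subject to cons and (7.48).
    Returns (total, {place: tokens}) or None if nothing is feasible within bound."""
    best = None
    for vals in product(range(bound + 1), repeat=len(resources)):
        mu = empty_marking()
        mu.update(zip(resources, vals))
        if all(holds(mu, c) for c in cons.values()):
            if best is None or sum(vals) < best[0]:
                best = (sum(vals), dict(zip(resources, vals)))
    return best

# Example 7.16: constraints (7.32)-(7.36); machine places p3 = MA2, p6 = MA1, p7 = MA3.
C716 = [
    ({1: 1, 6: 1}, 1),
    ({4: 1, 7: 1}, 1),
    ({3: 1, 4: 1, 5: 1, 7: 1, 8: 1}, 2),
    ({1: 2, 3: 1, 4: 1, 5: 2, 6: 1, 7: 1, 8: 1}, 4),
    ({1: 2, 3: 1, 4: 1, 5: 3, 6: 1, 7: 1, 8: 1}, 5),
]
# Example 7.18: constraints (7.49)-(7.53), which additionally involve the source place p14.
C718 = [
    ({1: 1, 6: 1, 14: 1}, 1),
    ({4: 1, 7: 1, 14: 1}, 1),
    ({1: 1, 4: 1, 6: 1, 7: 1, 14: 1}, 2),
    ({3: 1, 4: 1, 5: 1, 7: 1, 8: 1, 14: 1}, 2),
    ({1: 2, 3: 1, 4: 1, 5: 3, 6: 1, 7: 1, 8: 1, 14: 1}, 5),
]

def feasible_allocations(n, cons=C716):
    """All (mu3, mu6, mu7) with mu3 + mu6 + mu7 = n satisfying cons when every
    other place is empty.  Assumption of this example: only the machine places
    are marked once the n machines have been dedicated (so mu14 = 0 for C718)."""
    out = []
    for m3 in range(n + 1):
        for m6 in range(n + 1 - m3):
            m7 = n - m3 - m6
            mu = empty_marking()
            mu.update({3: m3, 6: m6, 7: m7})
            if all(holds(mu, c) for c in cons):
                out.append((m3, m6, m7))
    return sorted(out)

if __name__ == "__main__":
    print("violated by every marking obeying (7.48):",
          unsatisfiable_under_748(C717, RESOURCES_717))
    rest = {k: v for k, v in C717.items() if k not in ("7.43", "7.47")}
    print("minimum over the remaining constraints:", min_resources(rest, RESOURCES_717, 3))
    for n in (4, 5, 6):
        print(n, "machines:", feasible_allocations(n))
```

With four machines no allocation satisfies (7.36), so the system cannot be started deadlock-free; with five there are nine admissible dedications, all with at least one machine in MA1 and one in MA3 and at least two in MA2 and MA3 together, which is what (7.32), (7.33) and (7.34) require once the part and work-area places are empty.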

CHAPTER 8

DES LEVEL CONTROL OF CONCURRENT HYBRID SYSTEMS

8.1 Introduction

This chapter extends the DES framework toward the description of concurrency in hybrid systems. Concurrency could arise in various ways in hybrid systems.

A possible paradigm is presented in Figures 8.1 and 8.2. Figure 8.1 presents n subsystems operating in parallel. Figure 8.2 presents a two-level control architecture.

The lower level consists of the controllers C1, C2, ...Cn. The role of the controllers is to govern the hybrid dynamics of the subsystems. The lower level design generates the controllers C1, C2, ... Cn and obtains a logical model for each closed-loop of a controller and a subsystem. The logical models are composed to form the global logical model of the system. This global model of the system is used when the supervisor is generated at the higher-level design step. In Figure 8.2 the global model is implemented (for instance as a computer program), and the variables of the global model are updated (according to the rules of the global model) when a subsystem generates an event. The supervisor uses the global model variables in order to decide which controller inputs are appropriate. The control input of a controller Ci dictates the region where the state of the controlled subsystem should be. Given a state of the system, the supervisor may have more than one choice in selecting the inputs of the controllers, and so an operator (for instance another computer program) can select a specific input according to some optimization criteria.


Figure 8.1. Concurrent system


Figure 8.2. The Control Architecture

The material of this chapter corresponds to the upper-level design in the architecture of Figure 8.2. The lower-level design is approached in the next chapter.

Here, an extended DES framework is presented for the representation of the global logical model. As in the rest of the dissertation, Petri net modeling is used. The specifications considered here involve safety and liveness requirements. Safety refers to restricting the space of Petri net markings by linear marking inequalities. The liveness requirements are given as a set of actions (transitions) which are to be live.

The design problem is to synthesize a supervisor enforcing the specifications.

This chapter extends the traditional DES framework in two directions. First, it is no longer assumed that a supervisor always has the ability to keep the system indefinitely long in any of the DES states. DES states in which the system cannot be kept indefinitely are called unstable. Thus, when an unstable state is reached, the supervisor is to enable at least one of the transitions moving the system out of that state. Otherwise, the system would still move out of the unstable state, but according to unmodeled dynamics.

In hybrid system terms, an unstable state corresponds to a mode that does not have a controlled invariant.

A second extension is that the uncontrollability of transitions is refined to distinguish between transitions that cannot be forced to fire and transitions that cannot be prevented from firing (when enabled). A further distinction is made between the uncontrollable transitions that can be guaranteed to fire (eventually or in a timely fashion) when enabled, and the uncontrollable transitions with no such guarantee.

In the traditional DES framework, the supervision based on place invariants

[124, 125, 190] solves the problem of enforcing linear marking inequalities. Further, liveness can be enforced using the procedure of chapters 6 and 7 or other methods from the literature. However, in the following it is shown that these approaches cannot be applied directly to the extended DES framework.

First, consider the enforcement of safety specifications, such as the linear marking inequalities. Clearly, we may generate the supervisor as in the traditional framework when we can have the system stay as long as desired in each state. Indeed, for this kind of constraint, staying in a state (as long as the state is not forbidden) is always a legal choice. Therefore, a supervisor avoiding forbidden states always has at least one legal choice. However, when there are unstable states, it may be possible to reach a situation with no legal choices. In such a situation the supervisor can do nothing to stop the constraints from being violated. As an example, Figure 8.3(a) displays the part of a Petri net model describing a hybrid system mode m. The fact that the mode has no self-loop indicates that it represents an unstable state. Thus, once the mode m is entered, the supervisor has to choose one of t1, t2 or t3. If choosing any of t1, t2 or t3 violates the specifications, the supervisor is not well defined, as it does not satisfy the specifications. In traditional supervisory problems it is assumed that we can inhibit all of t1, t2 and t3 until the global state changes so that it is safe to fire one of them. However, in our setting this is not a choice: if no control policy is selected, the hybrid system in mode m will continue to run anyway (we cannot have it freeze its continuous dynamics until circumstances change), but according to some dynamics not modeled in the DES abstraction. When we can keep the system in mode m at will, we may add in Figure 8.3(a) an action t6 which is a self-loop (starts from m and enters m). When all modes of all component (hybrid) systems have this property, we have a traditional supervisory problem. Of course, we could still use the traditional framework by modeling t1, t2 and t3 as uncontrollable. However, this may create an overly restrictive supervisor.

Figure 8.3. Illustrations for two supervisory problems

The enforcement of liveness specifications has the same problem. (For instance, recall that the liveness enforcement approach of the previous chapters generates a supervisor enforcing linear marking inequalities.) In addition, note that removing the assumption that an enabled uncontrollable transition eventually fires creates the following problem. Consider the Petri net of Figure 8.3(b), in which t1 is uncontrollable and t2 is controllable. In the traditional DES framework the system is live. However, in this framework, the system may not be live, since t1 may never fire. Note also that such uncontrollable transitions cannot simply be deleted from the model, since their firing, if it occurs, affects the state of the system.

This chapter is organized as follows. A brief overview of the related work is given in section 8.2. The Petri net modeling in the extended DES framework is presented in section 8.3. Approaches for supervisory specifications in this framework are considered in section 8.4.

8.2 Related Work

Petri nets have been used to generalize the hybrid automaton model. The resulting model has been called Programmable Timed Petri Net (PTPN) and is described in [105, 52]. PTPNs have been used in a number of other works. Using supervisory control based on place invariants for the control of systems modeled by PTPNs has been considered in [93, 90]. Examples include a power system [91] and a gas storage system [88]. When PTPNs have been used, it has usually been assumed that the state gradually moves from one equilibrium point to another by switching between the subsystems (or modes), where the switching policies are described by the Petri net structure [87]. However, this chapter also considers the case when the state does not always move through equilibrium points.

Significant research effort has been made in the area of Hybrid Petri Nets [56].

Two types of hybrid Petri nets have been considered: the combination of traditional

Petri nets and continuous Petri nets [34], and Petri nets enhanced with continuous variables satisfying differential equations (such as Programmable Timed Petri Nets).

The study of such Petri nets requires Hybrid Systems methodologies. However, the approach in this chapter is different. It attempts to decompose the problem into a pure DES problem and problems requiring Hybrid Systems methodologies. This approach takes advantage of existing DES methodologies and simplifies the problems to be solved at the hybrid system level.

Other work on the Petri net modeling of continuous systems includes [113].

There, a Petri net model is obtained by composing state machine models, each representing logic sequences between various situations that may occur in the plant.

The approach there seems to be aimed at the untimed diagnosis of faults. A related but different approach appears also in [94]. There, a timed Petri net modeling of complex hybrid systems is proposed. The Petri net is used as a reference model for fault diagnosis. The hybrid systems there are complex in that they consist of a large number of components.

In the context of the automata representation of DES, forcible events have been incorporated in [48] and in the timed setting of [23].

8.3 Modeling

This section describes the global Petri net model of Figure 8.2. Several issues are of interest: (a) the type of information stored in the model, (b) the way in which behaviors of interest are modeled, (c) ways in which to reduce the amount of nondeterminism contained by a model, and (d) ways in which to reduce the size of the model.

The global Petri net model is a composition of DES abstractions for each individual hybrid system. The DES models assumed for the individual systems are described in section 8.3.1. The individual systems may be coupled in several ways; this is considered in section 8.3.2. The Petri net transitions are classified in section 8.3.3 according to their controllability attributes. Section 8.3.4 describes how nondeterminism can be incorporated. The use of self-loops is described in section 8.3.5. Note that a self-loop attached to a place modeling a hybrid system mode describes the ability to force the hybrid system to stay in that mode. Finally, synchronization is treated in section 8.3.6. The modeling approach of this section is outlined in Table 8.2 at page 281. Examples are given in section 8.3.7 and section 8.3.8.

Figure 8.4. Examples of Petri net DES models: (a) a two-mode (ON/OFF) state machine, (b) a Petri net that is not a state machine.

8.3.1 The DES Representation of Hybrid Systems

The transitions between the modes of a hybrid system can be represented by a state machine or a more general Petri net. (The state machines are a particular class of Petri nets [128].) For instance a system with two modes ON and OFF can be represented by the state machine of Figure 8.4(a).

In the case of a state machine model, places correspond to modes, the total marking is always one, and the marked place corresponds to the current mode of operation. However, multiple identical systems can be represented by a single state machine with total marking greater than one. Then each token would correspond to one of the systems. Thus the number of tokens in a place would be the number of systems in the mode corresponding to that place.

A hybrid system could also be represented by Petri nets that are not state machines, such as the Petri net of Figure 8.4(b). A typical way in which such Petri net models arise is by composing hybrid systems with state machine representation. Finally, note that in the Petri net representation of a hybrid system, the continuous dynamics of the hybrid system depends on the Petri net marking.

8.3.2 Coupling Among Hybrid Systems

Here, coupling refers to the interdependence between hybrid system components.

Three types of couplings could be considered: state, mode and transition couplings.

State coupling is due to constraints involving the continuous state variables and modes of two or more systems. Mode couplings are the state couplings that can be written as constraints involving only the modes of two or more systems. For instance, if the system #1 should not be in mode #3 when the system #2 is in mode #4, the two systems are mode coupled. Two or more systems are transition coupled when they share one or more common transitions.

State coupling seems difficult to consider at the DES level. Rather, it may be more convenient to consider state coupled systems as a single system and deal with the state constraints at the hybrid system level. Thus, only mode and transition couplings are considered in this chapter. Note also that the mode couplings that can be expressed as linear marking inequalities are of special interest here.

Finally, note that state machine methods may not be the most appropriate approach to the supervision at the DES level. Indeed, the global Petri net model

(composing the DES models of the component hybrid systems) may not be a state machine even if all components are state machines. This is due to the transition couplings. Further, even when the global model is a state machine, the Petri net resulting after enforcing some constraints (such as linear marking constraints) is no longer a state machine.

TABLE 8.1. TRANSITION TYPES

                        can inhibit firing    cannot inhibit firing
can force firing        FI                    FNI
cannot force firing     NFI                   NFNI

8.3.3 Transition Types

Here, the concept of uncontrollability is refined to distinguish between inability to disable a transition and inability to force a transition to fire. Table 8.1 outlines the notation. Thus, the controllable transitions are the transitions of type FI, that is, the transitions that can be forced/inhibited. The uncontrollable transitions are the transitions of the types NFI, FNI, and NFNI. An NFI transition can be inhibited but not forced, an FNI transition can be forced but not inhibited, and an NFNI transition can be neither forced nor inhibited.

It is important to note the various options a supervisor may have depending on the controllability of the transitions that are plant enabled. This is done by means of the example of Figure 9.1(a). First, recall that contrary to the traditional DES setting, in this setting a supervisor has to ensure some transition is fired once a mode is entered. Thus, at every plant state that is reached, a supervisor has to choose one out of several possible actions that keep the plant operation within the specification. This decision is taken randomly or at the hierarchical level above the supervisor. Further, the possible actions available at a certain reachable state are determined at the time of the supervisor design (not online).

In the example of Figure 9.1(a), tFI has the type FI, tNFI has the type NFI, and so on. When the place p is marked, the supervisor has only two possibilities: it can choose to force tFI or tFNI. Assuming the supervisor chooses to fire tFI, it has to do the following: force tFI and inhibit tNFI. This does not guarantee tFI will occur, but does ensure that if tNFNI and tFNI do not occur during the process of firing tFI, tFI will occur. The other possibility is to force tFNI. In this case, tFNI is to be forced and tFI and tNFI are to be inhibited. This does not guarantee tFNI will occur, but does ensure that if tNFNI does not occur during the process of firing tFNI, tFNI will occur. Of course, the firing would always be guaranteed if tNFNI were missing from the model.

Figure 8.5. Illustration of the transition types: (a) a place p with the exit transitions tFI, tNFI, tFNI and tNFNI; (b) the mode p1, entered through t4 or t5, with the exit transitions t1, t2 and t3; (c) the refinement of (b) with the places p1,1 and p1,2 and the transitions t2,1 and t2,2.

Note also the following. The transitions of the type NFI can be excluded from a DES model, since they can be disabled at will, but they cannot be forced to fire. Consequently, the DES models are assumed to have no transitions of the type NFI. Referring back to the example of Figure 8.3(b), notice that a transition whose firing cannot be guaranteed is a transition of the type NFNI. Finally, as in the traditional DES framework, the transitions can be classified as observable or unobservable, depending on whether their firing can be detected or not.

Sometimes there is a better way to deal with the NFI transitions than just deleting them from the net. For instance, consider the Petri net of Figure 8.5(b) and assume that all of t1, t2 and t3 can be inhibited, t2 can always be fired, t1 may not always be fireable if the mode p1 was entered through t4, and t3 may not always be fireable if the mode was entered through t5. Then, t1 and t3 are of type NFI. However, we can refine the Petri net as in Figure 8.5(c), where both p1,1 and p1,2 correspond to the mode p1, both t2,1 and t2,2 correspond to t2, and all of t1, t2,1, t2,2 and t3 are FI. Another similar transformation is illustrated in Figure 8.7, in which ti,1 ... ti,k correspond to a subset of t1, t2, ... tn which can be fired after firing t0, and ti,0 corresponds to t0.

Figure 8.6. Modeling nondeterminism: (a) the place p1 with the uncontrollable transitions t1 and t2 leading to p2 and p3; (b) the model with the controllable transition t3 and the place p4 added.

8.3.4 Modeling Nondeterminism

A mode of a hybrid system may switch nondeterministically to a mode within a set of modes. Such nondeterministic switching is represented by a number of uncontrollable transitions. This corresponds to Figure 8.6(a), which illustrates a nondeterministic switch from p1 to either of p2 and p3; the transitions t1 and t2 are uncontrollable. However, if we can inhibit the nondeterministic switch, it is better to use the model of Figure 8.6(b). In Figure 8.6(b) we have modeled through the controllable transition t3 that we can inhibit the nondeterministic switch. (t3 is of type FI; as in the case of NFI transitions, t1 and t2 need not be included in the DES model, as discussed in section 8.3.3.) A similar example is given in Figure 8.7, in which the nondeterminism is caused by t0.

Figure 8.7. Self-loop examples: (a) the place p with the self-loop t0 and the exit transitions t1, t2, ..., tn; (b) the refined model with ti,0 (corresponding to t0) and ti,1, ti,2, ..., ti,k.

8.3.5 Self-Loops

We may or may not have the ability to have a hybrid system stay in a certain mode for an unlimited amount of time. A self-loop is a transition t which starts from a place p and returns to the same place p: p ∈ •t ∩ t•. However, we restrict the definition of a self-loop to a transition t such that t• = •t = {p}. As an example, consider Figure 8.7(a), in which the transition t0 is a self-loop. An FI or FNI self-loop indicates that we can have the hybrid system stay infinitely long in the mode represented by p. The possibility that we may not be able to have a system leave a mode at will can be modeled by a self-loop of type FNI or NFNI.

When a place p does not have a self-loop, we do not have the ability to keep the system in the mode corresponding to p for an unlimited amount of time. This means that the supervisor cannot disable all transitions in p• at the same time.

The simplest way to incorporate this constraint in the global Petri net model is to consider all transitions in p• as uncontrollable (the type FNI or NFNI). However, in section 8.4.2 a better solution is suggested.

8.3.6 Synchronization

Consider the case in which a place p has a controllable self-loop and there is a transition t ∈ p• such that |•t| > 1. When a marking µ is reached such that µ(p) becomes 1 but t is not enabled, the supervisor has the choice of staying in the mode p by firing the self-loop until t is enabled; then it can choose to fire t. However, if the place p does not have a controllable self-loop, we may include in the Petri net model the case when the supervisor has the option to wait until t is enabled. This corresponds to Figure 8.8. In Figure 8.8, the transition t' models the decision to wait until t is enabled; the controllable self-loop of p' indicates the ability of the system to wait until t is enabled.

Figure 8.8. Modeling synchronization: the place p with the transition t ∈ p•, and the model in which the transition t' and the place p' (with its controllable self-loop) are added.

8.3.7 Modeling Example

This section illustrates the proposed modeling technique on an automotive example from [11]. The example involves a four-stroke combustion engine. Every cylinder of the engine cycles through the following runs: intake (I), combustion, expansion, and exhaust (H). The compression phase preceding the ignition spark is denoted by BS (before spark). When the spark is generated before the piston reaches the top of the cylinder, the next phase is denoted by PS (positive spark). If the spark is generated after the piston reaches the top, the next phase is denoted by NS (negative spark). After the fuel is ignited, a torque generating phase (TG) is entered during the expansion. A Petri net model of the cylinder dynamics is shown in Figure 8.9(a).

Figure 8.9. Modeling of (a) cylinder dynamics in a four-stroke engine: the places I, BS, PS, NS, TG and H with the transitions t1 to t7 (some labeled "spark" and "no spark"); (b) clutch (ON/OFF) and four-cylinder engine with the states (I, PS, TG, H), (I, BS, TG, H) and (I, BS, NS, H).

In a four cylinder engine, there is always one cylinder in each of the four runs. Therefore, because of the symmetry, the discrete dynamics of the engine can be described by three discrete states, corresponding to the three possible combinations of cylinder phases. (A fourth state (I, PS, NS, H) cannot occur, because two cylinders cannot be in PS and NS, respectively, at the same time: PS occurs at the end of the compression phase, while NS occurs at the beginning of the expansion phase.) The discrete model is shown in Figure 8.9(b). Figure 8.9(b) also displays the model of the clutch.

Note that the systems of Figure 8.9(b) are state coupled, as the engagement or disengagement of the clutch affects the mode dynamics of the engine. Further, if the lower level controller has the freedom to engage or disengage the clutch, self-loops can be added in the clutch model, as in Figure 8.9(b).

The model of Figure 8.9(a) can be used to illustrate that a supervisor may not be able to keep a system in a certain mode at will. Consider the mode BS. Note that the transitions t1 and t6 are controllable, in the sense that a controller can choose which should be the next state: NS or PS. However, if neither t1 nor t6 is enabled, that is, no spark is ignited, the mode will move anyway to NS (since the crankshaft keeps rotating), and then to H (exhaust of the ... unburned fuel). Note that the transition from NS to H is unmodeled dynamics!

Figure 8.10. Petri net abstraction of three subsystems HS#1, HS#2 and HS#3 (places p1 to p8, transitions t1 to t16).

8.3.8 Supervision Example

Figure 8.10 shows the Petri net models of three systems, in which all transitions are controllable. Note that the place p6 does not have a self-loop, and therefore a supervisor cannot force HS#3 to stay in the mode p6. This complicates the synthesis of the supervisor, as we show next. Let’s assume the specification

µ2 + µ7 ≤ 1 (8.1)

µ4 + µ8 ≤ 1 (8.2)

Figure 8.11. Illustration of a difficulty arising in the supervision of abstractions: the net of Figure 8.10 with the control places C1 and C2 added.

A supervisor enforcing them by supervision based on place invariants is shown in Figure 8.11. However, note that for the marking displayed in the figure neither of the transitions t8 and t9 can fire, even though p6 is marked. Therefore, the supervision is inadequate, as it attempts to keep HS#2 in the mode p6 (until either of HS#1 or HS#2 changes its state). It can be verified that this problem can be avoided by enforcing the additional constraint

µ2 + µ4 + µ6 + µ7 + µ8 ≤ 2 (8.3)

8.4 DES Level Supervision

This section presents several types of supervisory specifications for the extended DES framework of this chapter. Recall that a system is in deadlock when it has reached a state from which no further execution is possible. This is also called a global deadlock. A local deadlock corresponds to a deadlock which appears only in a part of the system. A system is live when no state of local deadlock can be reached. A transition t of a system is live if no state of local deadlock involving t can be reached. A system is T-live if all transitions in the set T are live.

Assume that we have a number of linear marking constraints on the total DES model of the hybrid systems. They could represent mode constraints, such as safety requirements. Let N be the total Petri net model of the hybrid systems and NS the Petri net obtained by enforcing the linear marking constraints on N using supervision based on place invariants.

An important question is whether it is possible to have an execution such that at every time, for every component hybrid system, we may select at least one control input that ensures the DES level constraints are satisfied. Consider a state in which there is a component for which no such control inputs are desirable; in other words, for all applied inputs the next marking will not satisfy the marking constraints.

Such a state is a deadlock for the supervisor. In fact, we can derive from NS a Petri net which is in deadlock for such a state. A supervisor without such deadlocks is said to be nonblocking. Another question is whether it can be ensured not only that the marking constraints are satisfied, but also that a number of actions can be repeated infinitely often. The actions correspond to transitions in the total Petri net. Therefore, this is a T-liveness enforcing problem. Thus, depending on the type of specifications we have, we may be interested in either a deadlock prevention supervisor or a T-liveness enforcing supervisor. (Note that T-liveness implies deadlock-freedom.)

Two kinds of failures may occur in this approach. First, only admissible constraints can be enforced (see section 3.6 at page 32). Inadmissible constraints can be transformed to admissible constraints, for instance by using methods from [124, 125]. However, a failure occurs if we cannot obtain such admissible constraints. Second, the deadlock prevention or the T-liveness enforcement approaches may fail. In both cases, the failures tend to occur because of excessive uncontrollability or unobservability of the Petri net. So, when such failures occur, we need to refine the hybrid system models, in order to reduce the nondeterminism of the model (manifested through excessive uncontrollability).

As discussed before, a supervisor should be nonblocking. This requirement can be formally described as follows.

Requirement 1. Let TF be the set of transitions that can be forced to fire if enabled. The supervisor must ensure that for all markings µ reached under its supervision, there is a closed-loop enabled firing vector q such that for all places p ∈ •TF with µ(p) ≥ 1: (a) $\sum_{t \in p^{\bullet} \cap T_F} q(t) \ge \mu(p)$, and (b) for all firing vectors q1, q2, ..., qk satisfying q1 + q2 + ... + qk ≤ q, the sequence q1, q2, ..., qk is closed-loop enabled.

Here, a supervisor Ξ of a Petri net model is a map $\Xi: \mathcal{M} \to 2^{\mathbb{N}^{|T|}}$ that associates to each marking of M a set of firing vectors allowed to fire. Note that Requirement 1 is consistent with the supervision based on place invariants, which ensures that any firing sequence q1, q2, ..., qk is enabled in the closed-loop if q1 + q2 + ... + qk ≤ q and q is enabled in the closed-loop. Ensuring this for other supervision techniques is necessary for the following reason. A concurrent firing command at the logic level may actually occur as a sequential firing at the physical level. Therefore, the specification should be satisfied by any firing sequence of Parikh vector less than or equal to q. Second, note that Requirement 1 is adequate also for Petri net models in which a place models the mode of several identical hybrid systems, and hence can have a marking greater than one. Recall that if a place p corresponds to a certain mode of multiple identical hybrid systems, a marking µ(p) indicates that a number of µ(p) systems are in the mode of p. In this situation a supervisor should ensure that for all markings µ reached under its supervision, there is a valid control input that can be applied to each of the µ(p) systems.

Let Lcµ ≥ bc be marking constraints. We assume them admissible; if not, we can transform them to admissible constraints, using one of the approaches from [124, 125]. The two safety and liveness problems mentioned earlier in this section can be formally stated as below.

Problem 1. Find a supervisor satisfying Requirement 1 such that the constraints Lcµ ≥ bc are enforced in N.

Problem 2. Find a supervisor satisfying Requirement 1 such that the constraints Lcµ ≥ bc and T-liveness are enforced in N.

Problem 3. Find decentralized supervisors satisfying Requirement 1 for Problems 1 and 2, respectively.

Problems 1 and 2 are addressed first, in sections 8.4.1 and 8.4.2. The approaches in these two sections can be generalized to Problem 3, discussed in section 8.4.3. As noted in the introduction, in the example of Figure 8.3(b), deadlock prevention/T-liveness enforcement can be problematic when the NFNI transitions are not guaranteed to eventually fire (when enabled). Section 8.4.4 approaches this problem.

8.4.1 Case 1: All Places Have Controllable or FNI Self-Loops

The Petri net models of this case have a controllable or FNI self-loop at every place. This case allows an immediate reduction of the problem to the design of supervisors in the traditional DES framework. Recall that the self-loops we consider are transitions t such that •t = t• = {p} and W(t, p) = W(p, t) = 1. In the traditional DES framework, the supervision based on place invariants produces supervisors that enable at all times the self-loops. This is also the case for the T-liveness enforcing procedure of the previous chapters, as it relies on the supervision based on place invariants. Further, this is also true for most approaches in the literature for the enforcement of forbidden state or liveness specifications. Therefore, the design of the supervisor for Problem 1 or Problem 2 can be reduced to the design in the traditional DES framework of a supervisor enforcing Lcµ ≤ bc or Lcµ ≤ bc and T-liveness. Requirement 1 is automatically satisfied, due to the fact that the self-loops are always enabled by the supervisor, and so they can be forced to fire each time they are enabled by the plant. Further, note that a self-loop plays no role in the synthesis of a supervisor in the traditional DES setting, so it can be deleted during the design process. In summary, this is the procedure:

1. Let N' = (P, T', F', W') be N without self-loops. Let Tuc and Tuo be the sets of uncontrollable and unobservable transitions of N, respectively.

2. Design in the traditional DES framework a supervisor S' of N' such that Lcµ ≤ bc (or Lcµ ≤ bc and T-liveness) is enforced. The sets of uncontrollable and unobservable transitions of N' are Tuc ∩ T' and Tuo ∩ T'.

3. The supervisor S of N is obtained from S' by enabling at all times the self-loops.

Because Requirement 1 is satisfied, the supervisor S has at all times a valid control command for each of the component hybrid systems.

8.4.2 Case 2: Not All Places Have Controllable or FNI Self-Loops

In this case some places may have an NFNI self-loop or no self-loop at all. Two different approaches are proposed.

Solution 1: increase the number of uncontrollable transitions

Consider the places p without self-loops of types FI or FNI. The solution is to change the attributes of all transitions t ∈ p• to NI (not inhibitable). Then, the supervisor S designed as in Case 1 will never attempt to inhibit any transition in p•. Therefore, Requirement 1 is satisfied. Finally, note that each time p contains a token, the supervisor S will have to force one of the forcible transitions in p• to fire. However, since the transitions in p• are taken of type NI, the supervisor design assumes the supervisor will not be able to guarantee that the transition it selects will actually fire. As this may not be the case (such as when all t ∈ p• are FI), this solution is suboptimal.

Solution 2: transform the problem into a deadlock prevention problem

This solution assumes that the supervisor is significantly faster than the dynamics of the hybrid systems it controls. It also assumes ordinary Petri nets. Let P be the set of places p without self-loops of types FI or FNI. To satisfy Requirement 1, a supervisor is to find a control decision for each token entering the places of P. The idea is that the supervisor can find the control decisions by considering the tokens separately, one at a time.

The solution is to transform the Petri net N into a new Petri net N' such that the nonblockingness requirement on the supervisor of N becomes a deadlock prevention specification in N'. The transformation is illustrated first in Figure 8.12. The transformation affects the places p ∈ P and the transitions t ∈ P• that are controllable. (Throughout this description, the operator • is taken with respect to N, not N'.) In Figure 8.12(a) p ∈ P, as p does not have a self-loop. For this illustration, the transitions ti, i = 1, 2, 3 are assumed controllable. In the transformation to N', a new place READY is added. It is initially marked with one token. Further, p is replaced by PEND(p), ACK(p), tack(p), td(p, t1), td(p, t2), and td(p, t3). tack(p) is uncontrollable, while td(p, t1), td(p, t2), and td(p, t3) are controllable. Moreover, each transition ti, i = 1, 2, 3, is enhanced with a place pd(ti) and its controllability type is changed to NI. Note that a token entering pd(ti) from td(p, ti) models the choice of the supervisor to fire ti. For instance, in Figure 8.12(b) the choice is between firing t1, t2, or t3. In order to have a deadlock when the supervisor has no choice td(p, ti) for which the specification will stay satisfied, self-loops are added as follows. The remaining transitions t of N that were not enhanced with a place pd are connected to READY through self-loops (i.e., by both arcs (READY, t) and (t, READY)).

Figure 8.12. Illustration of the transformation: (a) the place p with the input transition t and the controllable output transitions t1, t2, t3; (b) the transformed structure with READY, PEND(p), tack(p), ACK(p), td(p, t1), td(p, t2), td(p, t3) and pd(t1), pd(t2), pd(t3).

The places added in the transformation have intuitive meanings. Thus, firing tack(p) signifies that the supervisor acknowledges a new token has entered p. When the place ACK(p) is marked, the supervisor works exclusively to select one of the possible choices td(p, ti). Once a choice has been made, a place pd(ti) is marked and the supervisor is released to consider other requests (READY is marked again).

The general description of the transformation is as follows. The places p ∈ P and the transitions t ∈ P• that are controllable undergo the transformation of Figure 8.12. As Figure 8.12 makes the assumptions that the transitions ti are controllable and satisfy |•ti| = 1, we have the following enhancements. When some of the transitions t ∈ p• are uncontrollable, we do the construction above only for the controllable transitions, and we connect to each pd(t) a copy of each of the uncontrollable transitions in p•. If all transitions of p• are uncontrollable, the transformation of Figure 8.12(b) is not done for p. Now, in the case |•ti| > 1 for some controllable ti ∈ p•, the arcs (p', td(p, ti)) or (PEND(p'), td(p, ti)), as appropriate, are added for all p' ∈ •ti \ {p}. On the other hand, the case |•ti| > 1 is treated the same way as |•ti| = 1 if ti is uncontrollable. Finally, the specification on N is transformed as follows. For each p that is transformed (as in Figure 8.12), µ(p) is substituted by the sum of the markings of PEND(p), ACK(p) and of the places pd(t). By construction, Problems 1 and 2 correspond in the transformed Petri net to the design of a supervisor for the enforcement of Lcµ ≤ bc with deadlock prevention, and the enforcement of Lcµ ≤ bc with T-liveness enforcement, respectively.
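The transformation of Figure 8.12 and its general description above, carried out on a small constructed net; this is an added example, not code from the dissertation. The class and function names are assumptions, as is the reading of Figure 8.12 that tack(p) consumes the READY token and td(p, ti) returns it; the uncontrollable-exit case (copies hung off pd(t)) is included, while the case |•ti| > 1 for controllable ti is not.

```python
# Added example (not from the dissertation): the transformation of section 8.4.2, Solution 2,
# following Figure 8.12 as read here. PetriNet, transform, enabled_transitions and the sample
# net are constructed for this illustration; assumed: tack(p) consumes READY, td(p, t) returns
# it, and tokens initially in p start in PEND(p).
from dataclasses import dataclass

@dataclass
class PetriNet:
    pre: dict     # transition -> set of input places (ordinary net: all arc weights are 1)
    post: dict    # transition -> set of output places
    ctype: dict   # transition -> "FI", "FNI", "NFNI" or "NI" (NFI is excluded, section 8.3.3)
    m0: dict      # initial marking, place -> tokens (unmarked places may be omitted)

    def places(self):
        return set(self.m0).union(*self.pre.values(), *self.post.values())

    def postset(self, p):
        return {t for t in self.pre if p in self.pre[t]}

def is_self_loop(net, t):
    # Restricted self-loop of section 8.3.5: •t = t• = {p}
    return len(net.pre[t]) == 1 and net.pre[t] == net.post[t]

def places_needing_decision(net):
    """The set P of section 8.4.2: places without a self-loop of type FI or FNI."""
    kept = set()
    for t in net.pre:
        if is_self_loop(net, t) and net.ctype[t] in ("FI", "FNI"):
            kept |= net.pre[t]
    return net.places() - kept

def transform(net, constraints):
    """Return (N', constraints') such that Requirement 1 on N is deadlock prevention in N'.

    constraints: list of (coeff, b) meaning sum(coeff[p] * mu(p)) <= b.  Only the case of
    Figure 8.12 is handled: |•t| = 1 for controllable t in p•, and an uncontrollable
    transition leaves at most one place of P.
    """
    pre = {t: set(s) for t, s in net.pre.items()}
    post = {t: set(s) for t, s in net.post.items()}
    ctype, m0 = dict(net.ctype), dict(net.m0)
    m0["READY"] = 1                      # the supervisor is initially free to take a request
    enhanced, added, substitute = set(), set(), {}
    for p in sorted(places_needing_decision(net)):
        ctrl = sorted(t for t in net.postset(p) if net.ctype[t] == "FI")
        if not ctrl:
            continue                     # all of p• uncontrollable: p is left as it is
        unctrl = sorted(net.postset(p) - set(ctrl))
        pend, ack, tack = f"PEND({p})", f"ACK({p})", f"tack({p})"
        for t in post:                   # every arc (t, p) now delivers its token to PEND(p)
            if p in post[t]:
                post[t] = (post[t] - {p}) | {pend}
        pre[tack], post[tack], ctype[tack] = {pend, "READY"}, {ack}, "NFNI"
        added.add(tack)
        m0[pend] = m0.pop(p, 0)
        substitute[p] = [pend, ack]
        for t in ctrl:
            assert net.pre[t] == {p}, "only |•t| = 1 is handled here"
            td, pd = f"td({p},{t})", f"pd({t})"
            pre[td], post[td], ctype[td] = {ack}, {pd, "READY"}, "FI"
            added.add(td)
            pre[t], ctype[t] = {pd}, "NI"    # the choice is made: t can no longer be inhibited
            enhanced.add(t)
            substitute[p].append(pd)
            for u in unctrl:             # a copy of each uncontrollable u in p• hangs off pd(t)
                uc = f"{u}@{t}"
                pre[uc], post[uc], ctype[uc] = (pre[u] - {p}) | {pd}, set(post[u]), ctype[u]
        for u in unctrl:                 # the originals are replaced by their copies
            del pre[u], post[u], ctype[u]
    for t in pre:                        # everything else is held while a decision is pending
        if t not in enhanced and t not in added:
            pre[t].add("READY")
            post[t].add("READY")
    new_constraints = []
    for coeff, b in constraints:         # mu(p) -> mu(PEND(p)) + mu(ACK(p)) + sum of mu(pd(t))
        c = {}
        for p, a in coeff.items():
            for q in substitute.get(p, [p]):
                c[q] = c.get(q, 0) + a
        new_constraints.append((c, b))
    return PetriNet(pre, post, ctype, m0), new_constraints

def enabled_transitions(net, marking, inhibited=frozenset()):
    """Closed-loop enabled transitions: plant enabled and not inhibited by the supervisor."""
    return {t for t in net.pre
            if t not in inhibited and all(marking.get(q, 0) >= 1 for q in net.pre[t])}

# Constructed sample net: p has no self-loop, three FI exits t1, t2, t3 and one NFNI exit u;
# p_in keeps the FI self-loop t_stay and is therefore not transformed.
SAMPLE = PetriNet(
    pre={"t": {"p_in"}, "t_stay": {"p_in"}, "t1": {"p"}, "t2": {"p"}, "t3": {"p"}, "u": {"p"}},
    post={"t": {"p"}, "t_stay": {"p_in"}, "t1": {"q1"}, "t2": {"q2"}, "t3": {"q3"}, "u": {"q3"}},
    ctype={"t": "FI", "t_stay": "FI", "t1": "FI", "t2": "FI", "t3": "FI", "u": "NFNI"},
    m0={"p_in": 1},
)
SAMPLE_CONSTRAINTS = [({"p": 1, "q1": 1}, 1)]     # mu(p) + mu(q1) <= 1
```

With ACK(p) marked and READY empty, inhibiting every td(p, ·) leaves no enabled transition in N', which is exactly the deadlock that the deadlock prevention supervisor designed on N' must avoid.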

8.4.3 Decentralized Control

Decentralized control corresponds to the architecture shown in Figure 8.13. In this case we have several global Petri net models which differ only by the fact that each has different sets of controllable and observable transitions. Thus we have groups of hybrid systems, and each group has one of the global Petri net models associated to it.

The decentralized control problem can be solved by using the approach of chapter 4 on the Petri net resulting from either of the transformations of section 8.4.2.

Figure 8.13. Decentralized Control Architecture: operators and supervisors 1, ..., m issue commands (logical variables) to the controllers, interfaces and subsystems of their respective groups (controllers 1 to j1, ..., jm-1+1 to n); the events generated by the subsystems are reflected in the global Petri net models 1, ..., m.

In the setting of chapter 4, each group of hybrid systems corresponds to a subsystem. Note that in the decentralized setting the deadlock prevention and T-liveness enforcement problems are of increased difficulty. The deadlock prevention and T-liveness enforcement procedures proposed in this dissertation can be extended to the decentralized setting as follows. Each constraint for the control of a siphon is transformed to be d-admissible with respect to the Petri net model. This involves changing the transformation of section 7.4.3 to produce d-admissible instead of c-admissible constraints. Recall that d-admissibility is defined in chapter 4.

8.4.4 Dealing with NFNI Transitions

As shown in the example of Figure 8.3(b) in the introduction, transitions of the type NFNI affect deadlock prevention and T-liveness enforcement, as there is no guarantee they will eventually fire. Here, in the case of T-liveness, it is assumed that no NFNI transition is in T. For the procedures of this dissertation, the dependence of the supervisor on the fireability of the NFNI transitions can be eliminated as follows. Let N be the Petri net model and N' be N without the NFNI transitions. Then, the deadlock prevention/T-liveness enforcement supervisor of N can be computed by applying the procedures to N' and by ensuring that: (a) the generated constraints are admissible with respect to N (not N') and (b) in section 6.5.2, page 178, the check C• ⊆ •S is done with respect to N (not N').

Note that the admissibility requirement can be easily achieved by including the NFNI transitions in Duc and Duo at page 221. The requirement (b) means that the arcs between the NFNI transitions and the places of N are introduced in Ni when C• ⊆ •S is tested (and C is computed).

To see that the supervisors produced this way prevent deadlock/enforce T-liveness, note the following. Let Tu be the set of the NFNI transitions and Lµ ≥ b and L'µ ≥ b' be the sets of constraints produced by the procedure. Given a firing sequence σ of N, let Pu(σ) denote the projection of σ that removes the transitions in Tu. The requirement (a) ensures that no firing of a transition in Tu can decrease Lµ. (This results from the fact that the transformation to admissible constraints ensures that no arc exists from a control place to an uncontrollable transition.) The requirement (b) ensures that if t ∈ Tu, L'µ ≥ b', and $\mu \xrightarrow{t} \mu_x$, then L'µx ≥ b'. Given the initial marking µ0 such that Lµ0 ≥ b and L'µ0 ≥ b', these two facts imply that for all reachable markings of the closed-loop, the plant N satisfies Lµ ≥ b and L'µ ≥ b'. Since the closed-loop of N' with Lµ ≥ b is deadlock-free/T-live, it follows that regardless of the transitions in Tu that may fire in N, the following is true of the closed-loop of N: in the case of deadlock prevention no reachable state is a deadlock state, and in the case of T-liveness enforcement there is no reachable state with dead transitions in T.

TABLE 8.2. MODELING SUMMARY

A hybrid system mode is represented by a place. A switching action is represented by a transition. A mode is active when it has a token. A place may have more tokens when we model several identical systems with the same abstraction. (Illustration: places ON and OFF with transitions TURN ON and TURN OFF.)

Controllable transitions exiting a place indicate that the controller always has the ability to select between them, no matter how the mode has been entered. (Illustration: place p with controllable exits t1 and t2.)

An uncontrollable transition exiting a place indicates that the controller may not have the ability to select between output transitions. Uncontrollable transitions can be used to model nondeterminism. (Illustration: place p with exits t1 and t2, one of them uncontrollable.)

A controllable self-loop indicates the ability of the controller to keep the hybrid system (indefinitely long) in the current mode.

Synchronization (which we call transition coupling) reflects the situation in which an action cannot be taken unless another system (or systems) are in certain mode (modes). Example: mutual exclusion. (Illustration: HS#1 and HS#2 sharing a transition.)

We denote by mode coupling desirable constraints which forbid certain combinations of modes of different hybrid systems to be active at the same time. Mode coupling corresponds to marking constraints. (Illustration: place p1 of HS#1 and place p2 of HS#2 with the constraint µ1 + µ2 ≤ 1.)

CHAPTER 9

HYBRID SYSTEM LEVEL CONTROL

9.1 Introduction

This dissertation proposes a two-level approach for the supervision of concurrent hybrid systems. This approach has been illustrated in Figure 8.2 at page 257. Thus, at the upper level, a supervisor controls the DES behavior of the system, where the supervisor is designed based on the DES abstractions of the lower level. At the lower level, each hybrid subsystem of the concurrent system has a controller. The controllers implement the control decisions taken at the upper level. Note that the DES abstraction of the lower level is formed by composing the abstractions of the controlled hybrid subsystems. (A controlled hybrid subsystem is the closed-loop of a hybrid subsystem with its controller.)

The DES modeling of the lower level and the design of the supervisor of the upper level have been approached in chapter 8. This chapter approaches the design of the controllers of the lower level, and the DES abstraction of the controlled hybrid subsystems. The goal of the DES abstraction is to obtain DES models within the extended DES framework described in section 8.3 of the previous chapter. The role of the controllers is to ensure that the lower level behaves according to its abstraction, as long as the supervisor outputs commands consistent with the DES abstraction. The hybrid subsystems are assumed to be given in the form of hybrid automata [115, 116]. Then, the DES abstraction and controllers can be obtained based on methods for the computation of predecessor sets, controlled invariant sets, and controllable invariant sets. Note that the concept of controllable invariant sets is introduced here, in this chapter.

While the computation of predecessor sets and controlled invariant sets has been approached in the literature in several settings, this chapter will focus on the discrete-time setting. Thus, the dynamics of each hybrid system mode will be assumed to be linear in the state variable, input, and disturbance. In this setting, the computation of the maximal controlled invariant sets has been approached and solved in [182]. The computation of the predecessor sets appears also in [87, 182].

Unfortunately, the predecessor computation may not terminate. Nonetheless, the computation of the predecessor set over a finite time horizon terminates, though it may not scale well with the length of the horizon. Some preliminary results on suboptimal but scalable approaches will be considered in this chapter. Further, this chapter also defines the controllable invariant sets and presents a method for their computation.

The controllable invariant sets are interesting for several reasons. First, they are a class of controlled invariant sets. As this chapter will show that controllable invariants can be computed in a non-recursive fashion, a natural implication is that we can compute controlled invariant sets non-recursively. However, this is generally not true of the maximal controlled invariant sets, because they may not be controllable invariants. Another benefit of controllable invariance is that it has the property that from any “large enough” connected region of the set it is possible to reach any such other region of the set, regardless of disturbances. Note that in general controlled invariants do not have this property.

While this chapter suggests the discrete-time setting for the computation of predecessor sets, controlled invariants and controllable invariants, note that the proposed abstraction approach is general. The abstraction approach can be applied in any setting in which the predecessors and the controlled/controllable invariants are computable. This assumes also that it is possible to perform basic set operations, such as union and complement. The abstraction approach receives as input a hybrid automaton with control inputs, and outputs a state machine. This approach has the property that any switching sequence that can be induced in the abstraction can be induced also in the hybrid automaton, regardless of disturbances. While the abstraction procedure does not have a guaranteed termination, it can be terminated before its convergence, in which case the abstraction will still be valid, though incomplete (not all regions of interest of the state space would be mapped into the abstraction).

The chapter is organized as follows. Related work is presented in section 9.2. A description of the hybrid automata from which the DES abstraction is extracted is given in section 9.3. Definitions necessary in the subsequent developments are included there as well. An approach for the DES abstraction is proposed in section 9.4.

Section 9.5 presents a method for the computation of the controllable invariant sets.

Then, in section 9.6, the computation of the predecessor sets is considered.

9.2 Related Work

A significant amount of work has been done in the area of hybrid systems [50, 6, 2, 7, 5, 9, 10, 4]. Some of the methods that use DES abstractions for the control of hybrid systems appear in the following references. In [162, 163, 95], the controller is designed in the Ramadge-Wonham framework [142] based on a DES abstraction of the plant. The control architecture consists of the plant, the interface, and the controller. The interface consists of an actuator that maps the discrete commands into (possibly time-varying) control inputs, and a generator that generates events depending on the continuous state of the system. Other similar approaches appear in [33, 114, 140]. A different approach of discrete-event abstraction is to use bisimulations [55, 100, 3]. The goal of the bisimulation approach is to map the hybrid dynamics into DES dynamics described by a finite transition system (finite automaton) such that certain properties of interest are preserved by the transformation.

This is achieved by a semidecidable procedure, proposed in [85, 22], that builds a bisimilar system. While most work so far has used bisimulations for verification purposes, there is also more recent work on the use of bisimulations for abstractions fit for supervisory control. Thus, in [167] supervision can be applied to abstractions of controllable discrete-time linear systems.

Compared to the DES abstraction approaches existing in the literature, the approach presented here is designed for supervisory control. Thus, the main concern here has been to be able to generate physically all switching sequences that can be induced in the abstraction, regardless of disturbances or uncertainties in the physical model. In this setting uncertainties could arise from the reset maps; at this stage, discrete disturbances have not been considered. Since the construction of the abstraction has a supervisory control purpose, this work is related to [162, 163, 95].

On the other hand, since reachability analysis is used to derive the abstraction, the works on bisimulations are also related [55, 100, 3]. Moreover, the fact that invariants are also computed in the process of abstraction relates this work to the controlled invariance literature. Note also that a distinguishing feature of this approach is that the DES abstractions model the closed-loop of a controller with a hybrid system, and not just the hybrid system. Here, the goal of the abstractions is to facilitate the enforcement of higher level specifications. Thus, in our approach the controller is not designed based on the DES abstraction, but rather at the same time as the abstraction, and the abstraction is based on the operation of the controller.

In the area of hybrid systems, the study of controlled invariant sets has been done mostly in the context of the enforcement of safety specifications. Safety specifications describe a set of forbidden states that a hybrid system should not reach.

Thus, the maximal controlled invariant set is of interest in order to compute the least restrictive controller. In [117] a Dynamic Game Theory approach is used for this; the game is between the controller (to be designed) and the disturbance. Such an approach involves challenging problems, including the computational problem of obtaining steady state solutions of Hamilton-Jacobi equations. A new approach appeared in [153], in which it is shown that for some classes of hybrid systems with linear dynamics, the synthesis of the least restrictive controller is semidecidable.

In [153], solving Hamilton-Jacobi equations is avoided. There are approaches for the computation of controlled invariants which take advantage of particular types of systems. For instance, for linear discrete-time systems, a method for invariant computation appears in [51]. For the same class of systems, the computation of the maximal controlled invariant set is shown to be decidable under certain conditions [182]. A decidable procedure for some classes of linear continuous-time systems for the computation of the maximal controlled invariant set appears also in [152].

Note that the approach of this chapter will propose the use of controllable invariant sets. The controllable invariant sets, which are defined in this chapter, are subsets of the maximal controlled invariant sets. They have the property that every “region” of the controllable set can be reached from any other “region” of the set.

This invariant concept resembles the idea that a system could gradually progress from the neighborhood of an equilibrium point to another (e.g. section 6.2 in [120]).

The computation approach we propose applies to linear discrete-time dynamics with disturbances. This approach is related to the approaches used in [87, 181] for predecessor operator computations and in [41, 182] for the computation of the maximal controlled invariant set. Related approaches in a non-hybrid context include [86, 20]. Note that some model uncertainties could also be incorporated in this framework [112].

There are also other methods for the synthesis of controllers for hybrid systems, such as the following. In the context of the Viability Theory, [38] shows a controller synthesis method for hybrid systems in which the mode dynamics is described by differential inclusions. A procedure for the synthesis of controllers has been shown also in [185] for linear hybrid automata. Note that in a linear hybrid automaton the continuous dynamics requires the derivative of the state to satisfy a finite and mode dependent set of linear inequalities. A very different approach to the control of hybrid systems appears in [18], which uses discrete-time modeling and integer programming for controller design. The controllability of hybrid systems has also been studied [17, 179].

9.3 The Hybrid Automaton Model

In this chapter, the hybrid systems are assumed to be given as hybrid automata.

The definition of hybrid automata below corresponds to that of [115, 116].

A hybrid automaton is $H = (Q, X, V, \mathit{Init}, f, \mathit{Inv}, \mathit{Edg}, G, \mathit{Res}, \phi)$ where

1. $Q$ is the set of modes (discrete states)

2. $X \subseteq \mathbb{R}^n$ is the domain of the continuous state variable, denoted by $x$

3. $V = U \times D \times \Sigma_C$ is the domain of the input, where $U$ is the domain of the control input, $D$ is the domain of the disturbances and $\Sigma_C$ is the set of controllable events (or discrete inputs). A control input is denoted by $u$, a disturbance by $d$ and a controllable event by $\alpha$. The null event is denoted by a dedicated symbol, and we consider that this symbol is not in $\Sigma_C$.

4. $\mathit{Init}$ is the set of initial states (modes)

5. $f : Q \times X \times U \times D \to \mathbb{R}^n$ is the right-hand side of the continuous state equation
$$\dot{x} = f(q, x, u, d) \qquad (9.1)$$

6. $\mathit{Inv} : Q \to 2^X$ maps to each $q$ a set in which $x$ must be when the system is in the state $q$. (For instance, $\mathit{Inv}(q)$ may be the set of $x$ for which the dynamics of the continuous state is described by (9.1).)

7. $\mathit{Edg} \subseteq Q \times Q$ is the set of transitions (edges) between modes; $(Q, \mathit{Edg})$ is a state machine.

8. $G : \mathit{Edg} \to 2^{X \times U \times \Sigma_C}$ maps to each transition a guard, meaning that a transition $e \in \mathit{Edg}$ may occur only if $(x, u, \alpha) \in G(e)$. In particular, when $G(e)$ does not depend on $u$ and $\alpha$, the transition $e$ is uncontrollable. It will be assumed that a transition $e$ occurs if $(x, u, \alpha) \in G(e)$ (where $(u, \alpha)$ is the input applied to the system). Note that nondeterminism arises when $G(q, q_1) \cap G(q, q_2) \neq \emptyset$ and $q_1 \neq q_2$, as the system may switch to either of $q_1$ or $q_2$ when $(x, u, \alpha) \in G(q, q_1) \cap G(q, q_2)$.

9. $\mathit{Res} : \mathit{Edg} \times X \times U \to 2^X$ is the reset map, mapping $(e, x, u)$, $(x, u) \in G(e)$, to the set in which $x$ may be after the transition $e$ occurs.

10. $\phi : Q \times X \to 2^{U \times D}$ identifies the admissible inputs at every state.

The following notation is used:

• $\mathit{Pre}$ represents the controlled predecessor. That is, $\mathit{Pre}(M)$ is the set of continuous states from which $M$ can be robustly reached. In other words, $\forall x_0 \in \mathit{Pre}(M)$ there is a feedback control policy which, no matter the disturbances, leads the continuous state $x$ from $x_0$ to some $x_f \in M$.

• The preset/postset symbol $\bullet$ is used as in the Petri net notation: ${}^{\bullet}q = \{e : e = (q', q) \text{ for } (q', q) \in \mathit{Edg}\}$, $q^{\bullet} = \{e : e = (q, q') \text{ for } (q, q') \in \mathit{Edg}\}$, ${}^{\bullet}e = \{q : e = (q, q')\}$ and $e^{\bullet} = \{q : e = (q', q)\}$.

• For some $q \in Q$, we say that $I \subseteq \mathit{Inv}(q)$ is a controlled invariant set if for all $x \in I$ there is an admissible feedback control law taking values in $U \times \Sigma_C$ such that for all subsequent times $t$: $x(t) \in I$, regardless of the disturbance input.

• Let $\mathit{Reach} : X \to \mathcal{P}(\mathcal{P}(X))$, where for $M \subset X$ we have $M \in \mathit{Reach}(x)$ if it is possible to robustly reach $M$ starting from $x$ (i.e. no matter the disturbances, it is possible to reach $M$ from $x$).¹ In other words, $\mathit{Reach}(x)$ is the collection of sets $M$ with the property that it is possible to robustly reach $M$ from $x$.

• Given a set $\Omega \subset \mathbb{R}^n$, let $\Omega_x = \{z \in \mathbb{R}^n : \exists y \in \Omega : z = y + x\}$. Further, let $\Omega^o$ denote the interior of $\Omega$. For some $q \in Q$ we say that $I \subseteq \mathit{Inv}(q)$ is a controllable invariant set if a connected compact set $\Omega \subset \mathbb{R}^n$ exists such that $0 \in \Omega^o$ and

1. $\forall x \in I$: $\Omega_x$ is a controlled invariant set

2. $\bigcup_{x \in I} \Omega_x \subseteq \mathit{Inv}(q)$

3. $\forall x_1, x_2 \in I$, $\forall x \in \Omega_{x_1}$: $\Omega_{x_2} \in \mathit{Reach}(x)$.

Note that we have defined Pre, Reach and the controlled and controllable invariant sets with respect to the dynamics of a single mode. The definitions could be extended by using Q × X instead of X.

¹ $\mathcal{P}(Y) = \{E : E \subseteq Y\}$ denotes the collection of all subsets of $Y$.

A class of hybrid systems for which the interesting problems are more tractable computationally is the systems in which equation (9.1) is discrete-time and affine in $x$, $u$ and $d$. Then, the dynamics in any mode $q$ can be described by
$$x(t+1) = A(q)x(t) + B(q)u(t) + E(q)d(t) \qquad (9.2)$$

9.4 Extracting the DES Abstraction

This section approaches the extraction of DES dynamics from controlled hybrid dynamics. The extraction process produces a model in the DES framework of section 8.3 at page 261. This model represents also the (feasible) specification for the design of a hybrid system controller. Indeed, referring to the illustration of Figure 8.2 at page 257, the DES model obtained here abstracts the behavior of the closed-loop of a controller and a hybrid subsystem.

A hybrid subsystem is assumed to be given in the form of a hybrid automaton. If the abstraction process does not attempt to refine this model, the DES abstraction will result in a subnet of the state machine (Q, Edg) of the hybrid automaton. Note that the notation of section 9.3 is used here.

The process of DES abstraction has two favorable situations which we consider below. First we define for every mode q ∈ Q the following sets:

(i) $J_q \subseteq \mathit{Inv}(q) \cap \mathit{Safe}(q)$, where $\mathit{Safe}(q)$ is the set specifying the safety specification for the mode $q$ (that is, $\mathit{Inv}(q) \setminus \mathit{Safe}(q)$ is the forbidden state set of the mode $q$).

(ii) For every $(q, q') \in \mathit{Edg}$, let $O_{q \to q'} \subseteq \mathit{Inv}(q) \cap \mathit{Safe}(q)$ denote the continuous states for which there is an input leading the system from $q$ to $q'$, no matter the disturbances.

(iii) Let $I_q$ be the set of continuous states in which the mode $q$ may be entered from the modes $q_c$ such that $(q_c, q) \in \mathit{Edg}$.

[Figure 9.1: diagram; panel (a) shows the sets $I$, $J$, $O_1$, $O_2$, $O_3$ and the shaded sets $\mathit{Pre}(J)$, $\mathit{Pre}(O_1)$, $\mathit{Pre}(O_2)$, $\mathit{Pre}(O_3)$; panel (b) shows the corresponding DES abstraction]

Figure 9.1. Illustration of a desirable situation in the controlled behavior of a hybrid system. (a) A hybrid system mode with input set $I$ and output sets $O_1$, $O_2$ and $O_3$ corresponding to the thick lines, controlled invariant set $J$ and $\mathit{Pre}(O_1)$, $\mathit{Pre}(O_2)$, $\mathit{Pre}(O_3)$ and $\mathit{Pre}(J)$ represented through the shaded areas. (b) Equivalent DES abstraction of the mode, where the self-loop corresponds to $J$ and the other transitions to the transitions exiting $O_1$, $O_2$ and $O_3$.

Note that the set Iq could be reduced by an appropriate control law. An ideal situation for the DES abstraction is when for all q ∈ Q there is Jq such that:

(a) $J_q$ is a controlled invariant set.

(b) $I_q \subseteq \mathit{Pre}(J_q)$.

(c) $J_q \subseteq \bigcap_{q' \in q^{\bullet\bullet}} \mathit{Pre}(O_{q \to q'})$.

[Figure 9.2: diagram; panel (a) shows the sets $I$, $J$, $O_1$, $O_2$, $O_3$ and the shaded sets $\mathit{Pre}(J)$, $\mathit{Pre}(O_1)$, $\mathit{Pre}(O_2)$, $\mathit{Pre}(O_3)$; panel (b) shows the corresponding DES abstraction]

Figure 9.2. Illustration of another desirable situation in the controlled behavior of a hybrid system. (a) A hybrid system mode with input set $I$ and output sets $O_1$, $O_2$ and $O_3$ corresponding to the thick lines, controllable invariant set $J$ and $\mathit{Pre}(O_1)$, $\mathit{Pre}(O_2)$, $\mathit{Pre}(O_3)$ and $\mathit{Pre}(J)$ represented through the shaded areas. (b) Equivalent DES abstraction of the mode, where the self-loop corresponds to $J$ and the other transitions to the transitions exiting $O_1$, $O_2$ and $O_3$.

This situation is illustrated in Figure 9.1, together with the DES abstraction of the mode. Thus, once we have the sets $I_q$ and $O_{q \to q'}$, we are interested to compute the maximal controlled invariant set $J_q$ satisfying (i) and (c). Indeed, if the maximal controlled invariant set does not satisfy (b), there is no controlled invariant set $J_q$ satisfying (a-c). However, even when (b) is not satisfied, we may still be able to reduce the set $I_q$ (through a control law) such that (b) is satisfied. An interesting variant of the requirements (a-c) is given below:

(a′) $J_q$ is a controllable invariant set with a set $\Omega$ such that $\bigcup_{x \in J_q} \Omega_x \subseteq \mathit{Inv}(q) \cap \mathit{Safe}(q)$.

(b′) $I_q \subseteq \mathit{Pre}(J_q)$.

(c′) $\forall q' \in q^{\bullet\bullet}$, $\exists x \in J_q$: $\Omega_x \subseteq \mathit{Pre}(O_{q \to q'})$.

This situation is illustrated in Figure 9.2, together with the DES abstraction of the mode. Again, once we have the sets $I_q$ and $O_{q \to q'}$, we are interested to compute a controllable invariant set $J_q$ satisfying (a′) and (c′). This can be achieved by computing a maximal controllable invariant set satisfying (a′). Then, if (c′) is not satisfied and $J_q$ is maximal, no solution to (a′-c′) exists, but if (b′) is not satisfied, we may still be able to reduce the set $I_q$. Note that the conditions (a′-c′) are a variant of (a-c). Indeed, by the definition of the controllable invariant set, (c) implies $J_q \subseteq \mathit{Pre}(O_{q \to q'})$. Thus $J_q \subseteq \bigcap_{q' \in q^{\bullet\bullet}} \mathit{Pre}(O_{q \to q'})$. Further, every controllable invariant set is a controlled invariant set. (However, the converse is not true.) The (a′-c′) variant may be computationally advantageous when it is not easy to compute $\mathit{Pre}(O_{q \to q'})$; then we do not need to compute the whole sets $\mathit{Pre}(O_{q \to q'})$, but only to show that they intersect $J_q$ as shown at (c′). This quality may be of interest especially in the discrete-time case, in which the computation of the predecessor is iterative and may not terminate. Note also that here the controllable invariant set is computed first, and then the predecessor sets. On the other hand, in the previous situation the maximal controlled invariant set was computed only after the computation of the predecessor sets.

[Figure 9.3: diagram; panel (a) shows the sets $I$, $O_1$, $O_2$, $O_3$ and the shaded sets $\mathit{Pre}(O_1)$, $\mathit{Pre}(O_2)$, $\mathit{Pre}(O_3)$; panel (b) shows the corresponding DES abstraction without a self-loop]

Figure 9.3. Illustration of the situation in which no adequate controllable or controlled invariant set exists. (a) A hybrid system mode with input set $I$ and output sets $O_1$, $O_2$ and $O_3$ corresponding to the thick lines, and $\mathit{Pre}(O_1)$, $\mathit{Pre}(O_2)$, and $\mathit{Pre}(O_3)$ represented through the shaded areas. (b) Equivalent DES abstraction of the mode. Note that the abstraction has no self-loop.

When no invariant set $J_q$ satisfying (a-c) or (a′-c′) can be found, we could still abstract the mode by considering the inclusion relations between $I_q$ on one side and $\mathit{Pre}(O_{q \to q'})$ on the other, or among $I_q$, $\mathit{Pre}(J_q)$, $J_q$ and $\mathit{Pre}(O_{q \to q'})$. A situation in which a mode has no invariant sets is illustrated in Figure 9.3.

In principle, the following abstraction procedure could be used. The procedure assumes there are no discrete disturbances (refer to the point 8 of the definition of the hybrid automaton, at page 288; note that continuous disturbances are allowed).

This assumption could be removed in future work. First, the notation is defined.

• A hybrid automaton $H = (Q, X, V, \mathit{Init}, f, \mathit{Inv}, \mathit{Edg}, G, \mathit{Res}, \phi)$ is assumed to be given. This is the input of the procedure.

• The output of the procedure is a state machine $(S, \to)$, where $S$ is the set of states and ${\to} \subseteq S \times S$ is the transition relation.

• Similar to $\mathit{Inv}(q)$ in the hybrid automaton, let's define also $\mathit{Inv} : S \to X$ for the states $q'$ of the abstraction. Further, the map $C : S \to Q$ is defined, to associate a mode $q \in Q$ to each $q' \in S$. Thus, each $q' \in S$ corresponds to a region $(C(q'), \mathit{Inv}(q'))$ of the hybrid system, where $\mathit{Inv}(q') \subseteq \mathit{Inv}(C(q'))$.

• Let $\mathit{Res}_{q' \to q}$ denote the area in which the state is reset when switching from $q'$ to $q$, for $q', q \in Q$. Technically, let $\phi_u$ be the restriction of $\phi$ to $2^U$ (that is, $\phi_u(p, x)$ is the set of inputs that can be applied when the mode is $p$ and the state $x$). Then $\mathit{Res}_{q' \to q} = \bigcup_{(x, u) \in V} \mathit{Res}((q', q), x, u)$ for $V = \{(x, u) \mid (\exists \alpha \in \Sigma_C : (x, u, \alpha) \in G(q', q)) \wedge x \in \mathit{Inv}(q') \wedge u \in \phi_u(q', x)\}$.

• Given $I \subseteq \mathit{Inv}(q)$, the set $G^{-1}_{q' \to q}(I)$, $q', q \in Q$, denotes the set of states $x$ in mode $q'$ from which there is an input leading to the mode $q$ with the state reset within $I$. Formally, $G^{-1}_{q' \to q}(I) = \{x \in \mathit{Inv}(q') \mid \exists u \in \phi_u(q', x), \exists \alpha \in \Sigma_C : \mathit{Res}((q', q), x, u) \subseteq I \wedge (x, u, \alpha) \in G(q', q)\}$.

• The predecessor $\mathit{Pre}$ is defined with respect to each mode $q \in Q$. Let $\psi(t)$ denote the solution to $\dot{x} = f(q, x, u, d)$ or $x(t+1) = f(q, x(t), u, d)$, assuming it exists. Let $\psi_t$ denote $\psi(t)$. Formally, $\mathit{Pre}(M) = \{z \in X : \exists t > 0,\ \exists u : [0, t] \times X \to \mathbb{R}^m,\ \forall d : [0, t] \to \mathbb{R}^p : [\forall \tau \in [0, t],\ u(\tau, \psi_\tau) \in \phi_u(q, \psi_\tau)] \wedge [(\forall \tau \in [0, t],\ d(\tau) \in \phi_d(q, \psi_\tau)) \Rightarrow (\exists \tau \in [0, t],\ \psi_\tau \in M)] \wedge \psi(0) = z\}$. Similarly to $\phi_u$, $\phi_d$ denotes the restriction of $\phi$ to $2^D$. In words, $\mathit{Pre}(M)$ denotes the set of states $x$ from which it is possible to reach $M$ regardless of disturbances, assuming the dynamics of the mode $q$.

The procedure starts with a number of sets of interest $(q, J)$ specified by the user, where $q \in Q$, $J \subseteq \mathit{Inv}(q)$, and $J$ represents a set of interest in the mode $q$. The abstraction procedure is defined next.

1. Initialize $S = \emptyset$ and ${\to} = \emptyset$.

2. For all sets of interest $(q, J)$, create a state $q' \in S$ with $C(q') = q$ and let $\mathit{Inv}(q') := \mathit{Pre}(J) \cap \mathit{Inv}(q)$. If $J$ is a controlled invariant, add $(q', q')$ to $\to$.

3. Initialize $\mathit{ModeList} := S$.

4. While $\mathit{ModeList} \neq \emptyset$ do

(a) For all $q \in \mathit{ModeList}$

i. Compute $I_{p \to q} = \mathit{Inv}(q) \cap \mathit{Res}_{p \to C(q)}$ for all $p \in Q$ such that $(p, C(q)) \in \mathit{Edg}$.

ii. For each $I_{p \to q}$ computed above find $O_{p \to q} = G^{-1}_{p \to C(q)}(I_{p \to q})$.

iii. For all $O_{p \to q}$ computed above, if $O_{p \to q} \neq \emptyset$, add $O_{p \to q}$ to the list $L(p)$.

(b) Set $\mathit{ModeList} = \emptyset$.

(c) For all $p \in Q$ with $L(p) \neq \emptyset$ do:

i. For all $p \in Q$, $O_{p \to q} \in L(p)$, and $q' \in S$, if $C(q') = p$ and $\mathit{Inv}(q') \subseteq \mathit{Pre}(O_{p \to q}) \cap \mathit{Inv}(p)$, then add $(q', q)$ to $\to$.

ii. Distribute the states $q$ with $O_{p \to q} \in L(p)$ into $k$ disjoint groups $\Gamma_1 \ldots \Gamma_k$, such that $\mathit{Inv}_i \neq \emptyset$ for $i = 1 \ldots k$ and $\mathit{Inv}_i \neq \mathit{Inv}_j$ for $i \neq j$, where $\mathit{Inv}_i := \mathit{Inv}(p) \cap \left(\bigcap_{q \in \Gamma_i} \mathit{Pre}(O_{p \to q})\right)$.

iii. Let $q'_1 \ldots q'_{2k}$ be new discrete states.

iv. Let $\mathrm{cinv}(\mathit{Inv}_i)$ denote the maximal controlled invariant set included in $\mathit{Inv}_i$.

v. For all $i = 1 \ldots k$, let $\mathit{Inv}(q'_i) = \mathrm{cinv}(\mathit{Inv}_i)$ and $\mathit{Inv}(q'_{i+k}) = \mathit{Inv}_i$.²

vi. For all $i = 1 \ldots 2k$, if $\mathit{Inv}(q'_i) = \mathit{Inv}(q)$ for some $q \in S$, then set $q'_i \equiv q$.

vii. Let $\Gamma = \{i : \mathit{Inv}(q'_i) \neq \emptyset\}$. For all $i \in \Gamma$, if $q'_i \notin S$ then add $q'_i$ to $S$ and $\mathit{ModeList}$, and set $C(q'_i) = p$.

viii. For all $i \in \Gamma$ with $i \le k$, add $(q'_i, q'_i)$ to $\to$ and $(q'_i, q)$ to $\to$ for all $q \in \Gamma_i$.

ix. For all $i \in \Gamma$ with $i > k$, for all $q \in \Gamma_{i-k}$, add $(q'_i, q)$ to $\to$.

(d) Set $L(p) = \emptyset$ for all $p \in Q$.

The procedure is graphically illustrated in Figure 9.4. Note that the abstraction procedure does not assume a set of initial states. Rather, the abstraction could be used to determine the states in which the system could be initialized.

The abstraction is done in such a way that its (controllable) transitions can always be enforced by a controller. Formally, a controller is defined as follows.

² However, if $\mathrm{cinv}(\mathit{Inv}_i) = \mathit{Inv}_i$, we set $q'_{i+k}$ to be identical to $q'_i$: $q'_{i+k} \equiv q'_i$.

[Figure 9.4: diagram with panels for Step 2 ($\mathit{Inv}(q') = \mathit{Pre}(J) \cap \mathit{Inv}(q)$, $C(q') = q$), Step 4.a (computation of $O_{p \to q}$), Step 4.c.i (adding the arc $(q', q)$), Step 4.c.ii (the groups $\Gamma_1 = \{q_1\}$, $\Gamma_2 = \{q_2, q_3\}$ with $\mathit{Inv}_1$ and $\mathit{Inv}_2$) and Steps 4.c.iii-ix (the abstraction after step 4.c.ix, with $\mathit{Inv}(q'_1) = \mathrm{cinv}(\mathit{Inv}_1)$, $\mathit{Inv}(q'_2) = \mathrm{cinv}(\mathit{Inv}_2) = \emptyset$, $\mathit{Inv}(q'_3) = \mathit{Inv}_1$, $\mathit{Inv}(q'_4) = \mathit{Inv}_2$, $\Gamma = \{1, 3, 4\}$)]

Figure 9.4. Illustration of the abstraction procedure.

Let $\gamma : Q \times X \to \mathbb{R}^m$ be the observation of the continuous state $x$ available to the controller. Let $Y$ be the range of $\gamma$. The controller is viewed as a set valued map
$$\kappa : Q_C \times Q \times Q \times Y \to Q_C \times 2^{U \times \Sigma_C},$$
where $Q_C$ is a finite set of discrete states of the controller. For a current state observation $y$, mode $q$, current controller state $q_c$, and next desired mode $q'$, we have
$$\kappa(q_c, q, q', y) = (q'_c, Z)$$
where $q'_c$ is the next state of the controller (which may be the same as $q_c$), and $Z \in 2^{U \times \Sigma_C}$ can be decomposed in $Z = Z_U \times Z_\Sigma$; the controller requests a control input $u \in Z_U$ and discrete input $\alpha \in Z_\Sigma$. When we want to stay in a mode $q$, we let $q' = q$. Note that $q'$ is an external input, as it is not generated by the hybrid system or the controller. Through this input the user can steer the operation of the controlled hybrid system.

9.5 Computation of the Controllable Invariant Sets

9.5.1 The Controlled Invariance Context

Controllable invariant sets are a class of controlled invariant sets. For this reason, a brief discussion of controlled invariance is included here. In the literature, recursive approaches have been proposed for the computation of the maximal controlled invariant sets. This recursive computation is more tractable when done for single modes (rather than for the whole state space of the hybrid system) and for particular types of dynamics. Of particular interest in this section are mode dynamics of the form
$$x(t+1) = Ax(t) + Bu(t) + Ed(t) \qquad (9.3)$$
where $u$ denotes the control input and $d$ the disturbance input, and mode invariants of the form
$$Rx \le r \qquad (9.4)$$

Thus, we are interested in the maximal controlled invariant set that is a subset of the set given by (9.4). For mode dynamics (9.3), the recursive computation of the maximal controlled invariant set is guaranteed to terminate under certain assumptions [182]. However, each iteration of the recursive computation suffers from the double-exponential complexity of the Fourier-Motzkin elimination of variables.

In this section we will present a non-recursive method for the computation of controllable invariant sets. The mode dynamics (9.3) will be assumed, where the input u takes values in a convex domain U, and the disturbance d takes values in a bounded set D. Since disturbances are allowed, the model (9.3) is not very particular, as nonlinearities could be incorporated in the disturbance term. In fact, future work may incorporate piecewise linear dynamics and some of the polytopic uncertainties of [112].

Note that compared to controlled invariants, the maximal controlled invariant may not be a controllable invariant. Nonetheless, it may be that in practice we are only interested in the part of the maximal controlled invariant that is “controllable”.

This may be especially the case when we are interested in “reversible” behavior, where reversibility here refers to the ability to return to a neighborhood around some initial state.

9.5.2 The Idea of the Approach

Considering again dynamics of the form (9.3), if the system is stabilizable, there is a state feedback controller $u = Kx$ such that the system is stable. Furthermore, for each $u = Kx + r$, where $r$ is a constant, there is an equilibrium point $x^*$ to which (in the absence of disturbances) the state converges. Intuitively it is clear that around that equilibrium point there is a region of attraction, such that no matter the bounded disturbances, that region is invariant. Furthermore, if each equilibrium point has such a region of attraction, we can go from one region to another. Indeed, if we are in the region of $(x_1^*, r_1)$, by applying the control $u = Kx + r_2$ we move to the region of $(x_2^*, r_2)$. Also, in order to keep the control $u = Kx + r$ within its admissible domain $U$, we can “slowly” change $r$ from $r_1$ to $r_2$. Therefore the controllable invariant set would correspond to the set of equilibrium points $x^*$. While linear state feedback was used in this illustration, we are not going to refer to it in what follows. We consider a more general state feedback solution. Also, we will continue to use the notation $x^*$, but this may no longer denote an equilibrium point.

9.5.3 The Computation

We consider the dynamics of equation (9.3) and sets $\Omega$ (see the definition of controllable invariant sets at page 289) of the form $\Omega = \{x : |x| \le b\}$ where $b \in \mathbb{R}^n$ and $b > 0$. Recall, given $x^*$, $\Omega_{x^*} = \{x : |x - x^*| \le b\}$. Let $\mathcal{U}$ denote the domain of the control input and $\mathcal{D}$ the (bounded) domain of the disturbance.

Given $x_1^*$, the set of points $x_2^*$ satisfying that $\exists u(t) \in \mathcal{U}$, $\forall x(t) \in \Omega_{x_1^*}$: $x(t+1) \in \Omega_{x_2^*}$ can be expressed as
$$\exists u \in \mathcal{U},\ \forall x \in \Omega_{x_1^*}: \begin{cases} Ax + Bu + d^+ \le x_2^* + b \\ Ax + Bu - d^- \ge x_2^* - b \end{cases} \qquad (9.5)$$
where $x = x(t)$, $u = u(t)$, $d^+ = \max_{d \in \mathcal{D}} Ed$, and $d^- = -\min_{d \in \mathcal{D}} Ed$, and the maximum/minimum is taken separately on each row of $Ed$. Note that the requirement that $\Omega_{x_1^*}$ be invariant corresponds to (9.5) when $x_2^* = x_1^*$.

Assuming a convex domain $\mathcal{U} = \{u : L_u u \le b_u\}$, the input $u$ can be eliminated from (9.5) using the Fourier-Motzkin elimination (FME) [127]. The result is of the form:
$$\forall x \in \Omega_{x_1^*}: Gx + Hb + Mx_2^* \le g \qquad (9.6)$$
or
$$\forall \alpha \in [-b, b]: (G + M)x_1^* + G\alpha + Hb + M\beta \le g \qquad (9.7)$$
where $\alpha = x - x_1^*$ and $\beta = x_2^* - x_1^*$. Note that $\alpha$ can too be eliminated, as $\max_{\alpha \in [-b, b]} G\alpha = |G|b$, where the maximum is taken separately on each row of $G\alpha$, and $|G| = [|G_{ij}|]$ denotes the absolute value of $G$. We obtain:
$$(G + M)x_1^* + (|G| + H)b + M\beta \le g \qquad (9.8)$$
To satisfy (9.8) for all $\beta \in [-\delta, \delta]$, where $\delta \in \mathbb{R}^n$, $\delta \ge 0$, is given, the following constraint is obtained:
$$(G + M)x_1^* + (|G| + H)b + |M|\delta \le g \qquad (9.9)$$
Note that (9.9) describes the set of points $x_1^*$ such that $\Omega_{x_1^*}$ is a controlled invariant and from all points $x \in \Omega_{x_1^*}$ it is possible to reach any $\Omega_{x_2^*}$ with $|x_2^* - x_1^*| \le \delta$ in one time step. Obviously, we would like this set of points $x_1^*$ to be as large as possible. At the same time, we are also interested in having the sets $\Omega_{x^*}$ as small as possible (i.e., $b$ as small as possible). In view of (9.5) the minimum value of $b$ is:
$$b \ge \frac{d^+ + d^-}{2} \qquad (9.10)$$
On the other hand, the minimum value of $\delta$ is 0. From (9.9) with $\delta = 0$ we derive the controllable invariant set
$$(G + M)x + (|G| + H)b < g \qquad (9.11)$$
Note that $<$ denotes strict inequality on all elements, that is, $y$

Example 9.1

Assume a system described by the dynamics
$$x(t+1) = ax(t) + u(t) + d(t) \qquad (9.12)$$
where $a \in \mathbb{R}$. Assume $d^+ = d^- = d_0$ and the control input domain $-u_0 \le u \le u_0$. The relation (9.5) can be written as
$$\exists u \in \mathcal{U},\ \forall x \in \Omega_{x_1^*}: \begin{cases} ax + u + d_0 \le x_2^* + b \\ -ax - u + d_0 \le -x_2^* + b \end{cases} \qquad (9.13)$$
Then (9.6) becomes
$$\forall x \in \Omega_{x_1^*}: \begin{cases} d_0 \le b \\ ax + d_0 \le x_2^* + u_0 + b \\ -ax + d_0 \le -x_2^* + u_0 + b \end{cases} \qquad (9.14)$$
while (9.9) is
$$\begin{cases} d_0 \le b \\ (a - 1)x_1^* + (|a| - 1)b + \delta + d_0 \le u_0 \\ (-a + 1)x_1^* + (|a| - 1)b + \delta + d_0 \le u_0 \end{cases} \qquad (9.15)$$
We see that there is no solution unless $|a| d_0$

are satisfied, the controllable invariant is given by:
$$\begin{cases} (a - 1)x + (|a| - 1)b + d_0 < u_0 \\ (-a + 1)x + (|a| - 1)b + d_0 < u_0 \end{cases} \qquad (9.16)$$
for a $b$ such that $b \ge d_0$ and $(|a| - 1)b + d_0 < u_0$.
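The following Python block is an added example (not code from the dissertation) that carries Example 9.1 through mechanically: it performs the Fourier-Motzkin elimination of $u$ from (9.13), forms the rows of (9.9), and reads off the interval of centres $x_1^*$ for a given $b$ and $\delta$; it then checks the one-step transfer condition (9.5) directly and builds the waypoint chain used in part (c) of the proof of Proposition 9.2. The function names, the exact-rational representation of the inequalities and the sample values $a = 1/2$, $d_0 = 1/10$, $u_0 = 1$, $b = d_0$ are this example's own assumptions.

```python
"""Controllable invariant set of the scalar mode x(t+1) = a x(t) + u(t) + d(t)
(Example 9.1), computed by Fourier-Motzkin elimination (FME) in exact
rational arithmetic.  An inequality is a pair (coeffs, rhs) standing for
sum(coeffs[v] * v) <= rhs.  Function names are this example's own."""
from fractions import Fraction as Fr
from itertools import product


def fme_eliminate(ineqs, var):
    """Project the system onto the variables other than `var`: every upper
    bound on `var` is combined with every lower bound so that `var` cancels."""
    pos, neg, rest = [], [], []
    for c, r in ineqs:
        k = c.get(var, 0)
        (pos if k > 0 else neg if k < 0 else rest).append((c, r))
    out = [(dict(c), r) for c, r in rest]
    for (cp, rp), (cn, rn) in product(pos, neg):
        kp, kn = cp[var], -cn[var]                 # both strictly positive
        c = {}
        for v in set(cp) | set(cn):                # kn*(row p) + kp*(row n)
            val = kn * cp.get(v, 0) + kp * cn.get(v, 0)
            if v != var and val != 0:
                c[v] = val
        out.append((c, kn * rp + kp * rn))
    return out


def system_9_5(a, d0, u0):
    """The two rows of (9.13) plus the input bounds, in the symbolic
    unknowns x (current state), u (input), x2 (target centre x2*) and
    b (half-width of Omega); a, d0, u0 are numbers."""
    a, d0, u0 = Fr(a), Fr(d0), Fr(u0)
    return [
        ({"x": a, "u": Fr(1), "x2": Fr(-1), "b": Fr(-1)}, -d0),   # a x + u + d0 <= x2 + b
        ({"x": -a, "u": Fr(-1), "x2": Fr(1), "b": Fr(-1)}, -d0),  # -a x - u + d0 <= -x2 + b
        ({"u": Fr(1)}, u0),                                        # u <= u0
        ({"u": Fr(-1)}, u0),                                       # -u <= u0
    ]


def rows_9_9(a, d0, u0):
    """Eliminate u, which yields (9.6): G x + H b + M x2 <= g per row.  Then
    substitute x = x1 + alpha, x2 = x1 + beta and take the worst case over
    alpha in [-b, b] and beta in [-delta, delta], giving (9.9).  Each row is
    returned as (G + M, |G| + H, |M|, g)."""
    rows = []
    for c, g in fme_eliminate(system_9_5(a, d0, u0), "u"):
        G, H, M = c.get("x", 0), c.get("b", 0), c.get("x2", 0)
        rows.append((G + M, abs(G) + H, abs(M), g))
    return rows


def controllable_interval(a, d0, u0, b, delta=0):
    """Solve (9.9) for the scalar centre x1: the result is an interval
    [lo, hi], or None when (9.9) is infeasible (for instance b < d0).
    With delta = 0 its interior is the controllable invariant set J of
    (9.11), i.e. (9.16) for this example."""
    b, delta = Fr(b), Fr(delta)
    lo, hi = -float("inf"), float("inf")
    for coef, cb, cd, g in rows_9_9(a, d0, u0):
        rhs = g - cb * b - cd * delta              # (G+M) x1 <= rhs
        if coef > 0:
            hi = min(hi, rhs / coef)
        elif coef < 0:
            lo = max(lo, rhs / coef)
        elif rhs < 0:                              # 0 <= rhs fails: infeasible
            return None
    return (lo, hi) if lo <= hi else None


def one_step_feasible(a, d0, u0, b, x1, x2):
    """Check (9.5) directly: from every x in Omega_{x1} some admissible u
    must put x(t+1) inside Omega_{x2} for every |d| <= d0.  The admissible
    u-interval is linear in x, so the feasible x form an interval and it
    suffices to test the two endpoints x1 -/+ b."""
    a, d0, u0, b, x1, x2 = map(Fr, (a, d0, u0, b, x1, x2))
    for x in (x1 - b, x1 + b):
        u_lo = max(-u0, x2 - b - a * x + d0)      # d = -d0 must not undershoot x2 - b
        u_hi = min(u0, x2 + b - a * x - d0)       # d = +d0 must not overshoot x2 + b
        if u_lo > u_hi:
            return False
    return True


def reachable_by_waypoints(a, d0, u0, b, x1, x2, delta):
    """Proposition 9.2(c) made constructive: walk from x1 to x2 through
    centres spaced at most delta apart and check every hop with (9.5)."""
    x1, x2, delta = Fr(x1), Fr(x2), Fr(delta)
    n = max(1, -(-abs(x2 - x1) // delta))         # ceil(|x2 - x1| / delta)
    z = [x1 + (x2 - x1) * k / n for k in range(n + 1)]
    return all(one_step_feasible(a, d0, u0, b, z[k], z[k + 1]) for k in range(n))


if __name__ == "__main__":
    # Constructed sample values: a = 1/2, d0 = 1/10, u0 = 1, b = d0 (its minimum by (9.10)).
    a, d0, u0, b = Fr(1, 2), Fr(1, 10), Fr(1), Fr(1, 10)
    for row in rows_9_9(a, d0, u0):
        print("(G+M, |G|+H, |M|, g) =", row)
    print("delta = 0:  ", controllable_interval(a, d0, u0, b))
    print("delta = 1/5:", controllable_interval(a, d0, u0, b, delta=Fr(1, 5)))
```

For the sample values the FME rows reproduce (9.15) (for instance the row $(a-1)x_1^* + (|a|-1)b + \delta \le u_0 - d_0$), the interval of centres is $[-19/10, 19/10]$ for $\delta = 0$ and shrinks to $[-3/2, 3/2]$ for $\delta = 1/5$, and `controllable_interval` returns `None` for $b < d_0$, matching the first row of (9.15). The direct check confirms that a centre at $19/10$ keeps its $\Omega$ invariant while a centre at $2$ does not, and the waypoint walk with $\delta = 1/5$ succeeds between $-3/2$ and $3/2$ but fails between $-19/10$ and $19/10$, which is exactly the distinction between $J_\delta$ and $J$ that the propositions below formalize.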

The following results establish properties of the controllable invariant sets computed this way. Notably, we prove that (9.11) describes a controllable invariant set and that, with the possible exception of (some of) its boundary, it coincides with the maximal controllable invariant set with $\Omega = [-b, b]$. For the moment, $\mathit{Inv}(q) = \mathbb{R}^n$ is assumed in the definition of the controllable invariant sets.

Let $J_\delta = \{x : (G + M)x + (|G| + H)b + |M|\delta \le g\}$, where the notation of (9.9) is used.

Proposition 9.2

The set $J_\delta$ is a controllable invariant of set $\Omega = [-b, b]$.

Proof: The proof is divided in three parts. Part (a) shows that $\forall x_1^* \in J_\delta$, $\forall x_2^* \in [x_1^* - \delta, x_1^* + \delta]$, $\forall x(t) \in \Omega_{x_1^*}$, $\exists u \in \mathcal{U}$, $\forall d \in \mathcal{D}$: $x(t+1) \in \Omega_{x_2^*}$. Part (b) shows that $\Omega_{x^*}$ is a controlled invariant for all $x^* \in J_\delta$. Part (c) shows that $\forall x_1^*, x_2^* \in J_\delta$, $\forall x \in \Omega_{x_1^*}$: $\Omega_{x_2^*} \in \mathit{Reach}(x)$.

(a) Let $\alpha = x - x_1^*$ and $\beta = x_2^* - x_1^*$. From $\beta \le \delta$ we get that $M\beta \le |M|\delta$. Since $x_1^*$ satisfies (9.9), it follows that (9.8) is also satisfied. Similarly, we derive $(G + M)x_1^* + G\alpha + Hb + M\beta \le g$, and so $Gx + Hb + Mx_2^* \le g$. However, this is the projection of
$$\begin{cases} Ax + Bu + d^+ \le x_2^* + b \\ Ax + Bu - d^- \ge x_2^* - b \end{cases} \qquad (9.17)$$
that removes the variable $u \in \mathcal{U}$. Therefore, there is $u \in \mathcal{U}$ such that (9.17) is satisfied for the given $x$ and $x_2^*$ $\forall d \in \mathcal{D}$. However, (9.17) is precisely the condition that some $x(t+1) \in \Omega_{x_2^*}$ is reached from $x(t) = x$ by applying the input $u$.

(b) This results from (a) for $x_1^* = x_2^* = x^*$.

(c) Let $x_1^*, x_2^* \in J_\delta$ be chosen arbitrarily. Let $n > 0$ be an integer such that $|x_2^* - x_1^*| \le n\delta$. Let $z_0^*, z_1^*, \ldots, z_n^*$ be such that $z_k^* = \frac{n-k}{n} x_1^* + \frac{k}{n} x_2^*$ for $k = 0 \ldots n$. Since $J_\delta$ is convex, $z_k^* \in J_\delta$ for all $k = 0 \ldots n$. Further, $|z_{k+1}^* - z_k^*| \le \delta$ for $k = 0 \ldots n-1$. Then, in view of (a), we reach $\Omega_{x_2^*}$ in $n$ steps by going from $x(t) \in \Omega_{x_1^*}$ to $\Omega_{z_1^*}$, then to $\Omega_{z_2^*}$, and so on to $\Omega_{z_n^*}$. □

Proposition 9.3

$x^*$ satisfies $(G + M)x^* + (|G| + H)b \le g$ if and only if $\Omega_{x^*}$ is a controlled invariant.

Proof: “$\Rightarrow$” Let $x \in \Omega_{x^*}$. From $(G + M)x^* + (|G| + H)b \le g$ and $G(x - x^*) \le |G|b$ we get $Gx + Hb + Mx^* \le g$. Since $Gx + Hb + Mx^* \le g$ is the projection of
$$\begin{cases} Ax + Bu + d^+ \le x^* + b \\ Ax + Bu - d^- \ge x^* - b \end{cases} \qquad (9.18)$$
that removes the variable $u \in \mathcal{U}$, it follows that there is $u \in \mathcal{U}$ such that when $x(t) = x \in \Omega_{x^*}$, $\forall d \in \mathcal{D}$: $x(t+1) \in \Omega_{x^*}$.

“$\Leftarrow$” If $\Omega_{x^*}$ is a controlled invariant, then (9.5) is satisfied for $x_1^* = x_2^* = x^*$. This is also true of (9.6) and (9.8) with $\beta = 0$. So the conclusion follows. □

Proposition 9.4

The set $J = \{x : (G + M)x + (|G| + H)b < g\}$

Proof: By Proposition 9.3, $\Omega_x$ is a controlled invariant for all $x \in J$. It remains to show that any $x_2^* \in J$ can be reached from any $x_1^* \in J$. Let $x_1^*, x_2^* \in J$. Note that $\exists \delta_1, \delta_2 > 0$: $(G + M)x_1^* + (|G| + H)b + |M|\delta_1 \le g$ and $(G + M)x_2^* + (|G| + H)b + |M|\delta_2 \le g$. Let $\delta = \min(\delta_1, \delta_2)$. It follows that $x_1^*, x_2^* \in J_\delta$, and so the conclusion follows by Proposition 9.2. □

Proposition 9.5

All controllable invariant sets of set $\Omega = [-b, b]$ are subsets of the set $\bar{J} = \{x : (G + M)x + (|G| + H)b \le g\}$.

Proof: For any controllable invariant set $I$, the set $\Omega_x$ for $x \in I$ should be a controlled invariant. Therefore, the conclusion follows immediately from Proposition 9.3. □

[Figure 9.5: diagram of nested sets labelled $J_{\delta_3}$, $J_{\delta_2}$, $J_{\delta_1}$, $J$ and $\bar{J}$, with $\delta_1 < \delta_2 < \delta_3$ and $J = \mathrm{int}(\bar{J})$]

Figure 9.5. Illustration of the (inclusion) relation among the sets $J_\delta$, $J$, and $\bar{J}$.

Propositions 9.4 and 9.5 indicate that the construction of the controllable set $J$ in (9.11) is nearly optimal, as all controllable invariant sets $I$ of set $\Omega$ satisfy $I \subseteq \bar{J}$. Further, if the maximal controllable set $J_m$ exists, it satisfies $J \subseteq J_m \subseteq \bar{J}$. Note that $J$ is the interior of $\bar{J}$. So $J$ is a very tight approximation of the optimum.

The computation of the set $J$ has been done assuming $\mathit{Inv}(q) = \mathbb{R}^n$. In the general case, a controllable invariant set can be computed as follows. Let $M = \{x \in \mathit{Inv}(q) : \Omega_x \subseteq \mathit{Inv}(q)\}$. Assuming $M$ to be connected, note that a controllable invariant set is $J' = J \cap M$. This construction ensures that regardless of the current state $x$, as long as $x \in \Omega_{x'}$ for some $x' \in J'$, the state can be kept inside $\mathit{Inv}(q)$. Finally, note that the computation steps have polynomial complexity, except for the step from (9.5) to (9.6), involving the Fourier-Motzkin elimination. That step, in the worst case, has double-exponential complexity in the number of controls (i.e. the size of $u$). However, in practice intensive computation can be avoided by removing all redundant constraints (which has polynomial complexity in the number of constraints) after each component $u_i$ of $u$ is eliminated.

9.6 Computation of the Predecessor

The computation of the predecessor sets for dynamics of the form (9.3) or piecewise linear dynamics has been described at length in [87]. We propose to use the approach of [87]. There, the one-step predecessor $\mathit{Pre}_1$ can be computed by quantifier elimination. The one-step predecessor is defined by $x \in \mathit{Pre}_1(I)$ if $\exists u(t) \in \mathcal{U}$, $\forall d(t) \in \mathcal{D}$, $x(t+1) \in I$. Of course, we are more interested in an $N$-step predecessor, recursively defined as $\mathit{Pre}_N(I) = \mathit{Pre}_1(\mathit{Pre}_{N-1}(I))$, if not in $\mathit{Pre}(I) = \lim_{N \to \infty} \mathit{Pre}_N(I)$. The main difficulty here is that the number of constraints for computing $\mathit{Pre}_N$ may increase exponentially with $N$. Therefore, it is of interest to have a suboptimal computation of $\mathit{Pre}_N$ that has a polynomial complexity in $N$. Preliminary results are presented in this section. In future work, the algorithms presented here could be further refined for improved performance. The idea is to fix a number $m$, and then whenever we have a convex set described by $n > n_1$ linear inequalities, where $n_1 \ge m$ is a fixed number, we approximate it with $m$ linear inequalities. A possible underapproximation algorithm is given below. Although the algorithm starts with a convex set, it can be easily extended to nonconvex sets.

Algorithm 9.6

Input: A convex set I, an integer N0 > 0 and an integer n1 > 0

Let V = I and N = 1.

Compute J = Pre1(I) (the predecessor of I in one step).

Remove the redundant constraints of J.³

While N < N0:

1. Let V = J, N → N + 1 and J → Pre1(J).

2. Remove the redundant constraints of J.

3. Let n be the number of constraints of J.

4. If n > n1 then find a convex set K ⊆ J described by m linear inequalities and set J = K.

³ For n constraints this operation involves at most n feasibility problems (which are solvable via linear programming).

Note that by limiting the number of inequalities to n1, the computation is linear in N. There are several ways in which we can find a subset of J described by a given number of linear inequalities. In what follows we propose two simple methods involving little computational effort. The methods assume J to be bounded, but they may be extendable to the case when J is unbounded. Let LJ x ≤ bJ be the set of inequalities describing the convex set J. The first method computes a set K of the form of an interval [a1, c1] × [a2, c2] × ... × [av, cv], and is given by the linear program below, in which we let a = [a1 ... av]^T and c = [c1 ... cv]^T:

$$\max \sum_{i=1}^{v} (c_i - a_i) \quad \text{subject to} \quad (L_J + |L_J|)\,c + (L_J - |L_J|)\,a \le 2\,b_J, \qquad a \le c.$$
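The constraint of the linear program above can be checked without an LP solver, which makes its meaning easy to verify. The following is an added example in Python, not code from the dissertation or from the MATLAB toolbox [67]: on a constructed two-dimensional polytope L_J x ≤ b_J (a pentagon) it tests a candidate box [a, c] with the row condition (L_J + |L_J|)c + (L_J − |L_J|)a ≤ 2b_J, confirms on a grid of boxes that this agrees with checking all 2^v corners of the box, and replaces the LP objective max Σ(c_i − a_i) by a grid search so the maximal objective can be seen directly. The pentagon, the grid bounds and the grid step are assumptions of the example.

```python
"""Interval underapproximation of a polytope (added example, pure Python)."""
from itertools import product

# Constructed sample polytope J = {x : L_J x <= b_J}: a pentagon in R^2.
L_J = [[1.0, 0.0], [0.0, 1.0], [-1.0, 0.0], [0.0, -1.0], [1.0, 1.0]]
b_J = [2.0, 2.0, 2.0, 2.0, 3.0]
TOL = 1e-9


def box_in_J_closed_form(L, b, a, c):
    """Row-wise test of (L + |L|) c + (L - |L|) a <= 2 b.
    For row i the left side is 2 * max_{x in box} L_i x: each positive coefficient
    meets the upper end c_j, each negative one the lower end a_j."""
    for row, bi in zip(L, b):
        lhs = sum((l + abs(l)) * cj + (l - abs(l)) * aj
                  for l, aj, cj in zip(row, a, c))
        if lhs > 2 * bi + TOL:
            return False
    return True


def box_in_J_brute_force(L, b, a, c):
    """Reference test: the box lies in J iff all 2^v corners satisfy L x <= b."""
    return all(sum(l * x for l, x in zip(row, corner)) <= bi + TOL
               for corner in product(*zip(a, c))
               for row, bi in zip(L, b))


def grid_boxes(v, lo, hi, step):
    """All boxes [a, c] with a <= c and endpoints on a regular grid (constructed)."""
    n = int(round((hi - lo) / step))
    pts = [lo + k * step for k in range(n + 1)]
    for a in product(pts, repeat=v):
        for c in product(pts, repeat=v):
            if all(ai <= ci for ai, ci in zip(a, c)):
                yield list(a), list(c)


def best_box_on_grid(L, b, lo=-2.0, hi=2.0, step=0.5):
    """Grid-search stand-in for the LP  max sum_i (c_i - a_i)  over boxes inside J.
    Returns (objective, a, c); ties are resolved by first occurrence."""
    best = (float("-inf"), None, None)
    for a, c in grid_boxes(len(L[0]), lo, hi, step):
        if box_in_J_closed_form(L, b, a, c):
            obj = sum(ci - ai for ai, ci in zip(a, c))
            if obj > best[0]:
                best = (obj, a, c)
    return best


def closed_form_matches_brute_force(L, b, lo=-2.0, hi=2.0, step=0.5):
    """The point of the derivation: both tests agree on every grid box."""
    return all(box_in_J_closed_form(L, b, a, c) == box_in_J_brute_force(L, b, a, c)
               for a, c in grid_boxes(len(L[0]), lo, hi, step))


if __name__ == "__main__":
    print("[-2,1]x[-2,2] in J:", box_in_J_closed_form(L_J, b_J, [-2, -2], [1, 2]))
    print("[-2,2]x[-2,2] in J:", box_in_J_closed_form(L_J, b_J, [-2, -2], [2, 2]))
    print("best grid box:", best_box_on_grid(L_J, b_J))
```

For the pentagon the largest objective is 7, reached by several boxes of the form [−2, c1] × [−2, c2] with c1 + c2 = 3; the LP would return one of these as well, the tie being broken by the solver rather than by grid order.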

Given the number of variables v, the second approach finds v + 1 vertices of LJ x ≤ bJ. Then the set K is the polytope having the v + 1 vertices, and each of the v + 1 facets can be easily computed. The algorithm is given below:

Algorithm 9.7

Find v + 1 vertices.⁴ This is done as follows:

1. Select v + 1 distinct groups of v linearly independent rows of LJ, {i1, ..., iv}.

2. For each group restrict LJ and bJ to the rows {i1, ..., iv}. Let LJ,k and bJ,k be the restrictions for each group k = 1 ... v + 1.

3. For k = 1 ... v + 1 solve LJ,k x = bJ,k. The solutions are v + 1 vertices x1 ... xv+1.

For u = 1 ... v + 1 let Hu be [x1 ... xv+1] without the column xu.

For u = 1 ... v + 1 let [fu^T, du] be a nonzero solution of fu^T Hu + du 1 = 0, where fu ∈ R^v, du ∈ R and 1 is a row vector of elements 1 and appropriate dimension.

The set K is given by the inequalities in x

$$(f_u^T x + d_u)(f_u^T x_u + d_u) \ge 0 \qquad (9.19)$$

for u = 1 ... v + 1.

⁴ The v + 1 groups exist since J is assumed to be nonempty and bounded. Finding the v + 1 groups can be carried out with polynomial complexity.

In the algorithm above note that by construction every halfspace in (9.19) contains all vertices x1 ... xv+1, therefore K, which is the intersection of the halfspaces, is nonempty.
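Algorithm 9.7 carried through in Python on a constructed polytope, as an added example that is not part of the dissertation or of its MATLAB toolbox [67]. The sample polytope is a pentagon in R^2, so v = 2 and three vertices are needed; the choice of row groups, the use of Cramer's rule for step 3 and the cofactor construction of [fu^T, du] are assumptions of this example. It also shows the check a practitioner wants around step 1: a group of linearly independent rows whose hyperplanes meet outside J does not yield a vertex, so each solution is tested against LJ x ≤ bJ before it is used.

```python
"""Algorithm 9.7 on a constructed 2-D polytope (added example, pure Python)."""

# Constructed sample polytope J = {x : L_J x <= b_J}: a pentagon in R^2 with
# vertices (2,1), (1,2), (-2,2), (-2,-2), (2,-2).  Row i is L_J[i] x <= b_J[i].
L_J = [[1.0, 0.0], [0.0, 1.0], [-1.0, 0.0], [0.0, -1.0], [1.0, 1.0]]
b_J = [2.0, 2.0, 2.0, 2.0, 3.0]
TOL = 1e-9


def det(m):
    """Determinant by Laplace expansion along the first row (fine for small v)."""
    if len(m) == 1:
        return m[0][0]
    return sum((-1) ** j * m[0][j] * det([r[:j] + r[j + 1:] for r in m[1:]])
               for j in range(len(m)))


def solve_square(a, rhs):
    """Solve a x = rhs by Cramer's rule; None if the rows are linearly dependent."""
    d = det(a)
    if abs(d) < TOL:
        return None
    return [det([r[:j] + [y] + r[j + 1:] for r, y in zip(a, rhs)]) / d
            for j in range(len(a))]


def dot(f, x):
    return sum(fi * xi for fi, xi in zip(f, x))


def in_J(x):
    return all(dot(row, x) <= bi + TOL for row, bi in zip(L_J, b_J))


def vertex_of_group(rows):
    """Steps 2-3 for one group: restrict L_J, b_J to `rows` and solve.
    Returns the vertex, or None when the rows are dependent or their
    hyperplanes meet outside J (then the point is not a vertex of J)."""
    x = solve_square([L_J[i] for i in rows], [b_J[i] for i in rows])
    return x if x is not None and in_J(x) else None


def is_vertex_group(rows):
    return vertex_of_group(rows) is not None


def hyperplane_through(points):
    """(f, d) with f.p + d = 0 for all v points p in R^v: the first-row cofactors
    of det([[x, 1], [p_1, 1], ..., [p_v, 1]]), a nonzero solution of f^T H_u + d 1 = 0."""
    rows = [list(p) + [1.0] for p in points]
    coeffs = [(-1) ** j * det([r[:j] + r[j + 1:] for r in rows])
              for j in range(len(points) + 1)]
    return coeffs[:-1], coeffs[-1]


def build_K(groups):
    """Algorithm 9.7: vertices from the row groups, then one halfspace (9.19) per
    vertex x_u, bounded by the facet through the other vertices.  Each halfspace is
    stored as (f_u, d_u, f_u^T x_u + d_u)."""
    verts = [vertex_of_group(g) for g in groups]
    if any(v is None for v in verts):
        raise ValueError("every group must determine a vertex of J")
    halfspaces = []
    for u, xu in enumerate(verts):
        f, d = hyperplane_through(verts[:u] + verts[u + 1:])
        halfspaces.append((f, d, dot(f, xu) + d))
    return verts, halfspaces


def in_K(x, halfspaces):
    """Inequalities (9.19): (f_u^T x + d_u)(f_u^T x_u + d_u) >= 0 for every u."""
    return all((dot(f, x) + d) * s >= -TOL for f, d, s in halfspaces)


if __name__ == "__main__":
    verts, hs = build_K([(0, 4), (1, 4), (2, 3)])
    print("vertices:", verts)
    print("centroid in K:", in_K([1 / 3, 1 / 3], hs))
    print("(-2, 2) in J / in K:", in_J([-2.0, 2.0]), in_K([-2.0, 2.0], hs))
```

Since K is the convex hull of x1 ... xv+1 and J is convex, K ⊆ J holds as soon as every selected vertex passes the in_J test. The vertex (−2, 2) of the pentagon, which is not among the three selected, lies in J but outside K; that is the underapproximation the algorithm accepts in exchange for a fixed number of inequalities.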

The algorithms presented in this section represent preliminary results toward a more efficient computation of the predecessor sets. Their application or extension to a precise approximation of predecessor sets is a matter of further research.

Finally, note that these algorithms only attempt to speed up the (recursive) computation of the predecessor sets. An approach detecting when it is no longer useful to continue the recursive computation is given in [87]. There, the termination condition uses a quantization grid. The termination test first underapproximates the current predecessor set as a union of quantization cells. Then, it compares this underapproximation to underapproximations of past iterations. When no more differences are observed, the computation is terminated. Note that underapproximations are not used for the computation of the actual predecessor sets. They are only used to evaluate when the recursive computation could be terminated.

CHAPTER 10

CONCLUSIONS

This dissertation presents new methods for the supervision of Petri nets. These new results contribute to the areas of Computer Science and Control Systems. The results could be classified as follows.

Contributions to the Theory of Petri Nets: The relation between the structure of Petri nets and deadlock, liveness, and T-liveness has been dealt with in chapter 5. Based on the concept of active subnets, new results were derived, relating the structure of Petri nets to deadlock by necessary conditions and sufficient conditions. One of the well-known literature results relating liveness to the structure of asymmetric-choice Petri nets is the Commoner's Theorem. Here, the Commoner's Theorem was generalized to a necessary condition and a sufficient condition for T-liveness. (Note that T-liveness generalizes liveness.) Then, EAC Petri nets were defined, as a generalization of asymmetric-choice Petri nets. As shown in chapter 5, the Commoner's Theorem and its T-liveness extension apply for the more general EAC Petri nets as well.

Contributions to the Supervisory Control of Petri Nets: The supervisory control of Petri nets has been approached first in chapter 3, for a class of linear constraints that can describe arbitrary Petri nets. Then, the problem of decentralized supervision for linear marking constraints was approached in chapter 4 under three settings: no communication, restricted communication, and unrestricted communication. Next, the problem of T-liveness enforcement and deadlock prevention was considered in chapters 5, 6 and 7. Finally, the supervision of Petri net abstractions of hybrid systems was approached in chapter 8. The contributions to the supervisory control of Petri nets could be classified as follows:

1. Enforcement of Generalized Linear Constraints: The supervision based on place invariants (SBPI) is an efficient approach for the enforcement of linear marking constraints in Petri nets. In chapter 3, this technique is extended to the generalized linear constraints. This new class of constraints is shown to be able to capture the operation of arbitrary Petri nets. Then the supervisor design problem is approached. While the least restrictive supervisor can be rather easily designed under full controllability and observability, the problem is a lot more challenging under partial controllability and observability. The latter case is solved by means of Petri net and constraint transformations, which reduce the problem to the design of supervisors in the setting of the SBPI. Several results are proven, showing this approach to be correct and optimal, in the sense that supervisors can be designed this way without loss of permissiveness.

2. Decentralized Supervision of Petri Nets: In the literature, the decentralized supervision problem has been approached in the automata framework. Here, the problem is considered for Petri nets and linear marking inequalities. The results are presented in chapter 4. A concept of decentralized admissibility (d-admissibility) is defined first. This concept is sufficient to guarantee that a decentralized specification can be enforced in the decentralized setting with the same permissiveness as in the centralized setting that assumes all transitions controllable and observable. A simple algorithm for the enforcement of d-admissible specifications is then presented. Note that the enforcement of d-admissible specifications does not require communication. Then, the enforcement of specifications that are not d-admissible is approached. In the setting with unrestricted communication, a simple solution is to communicate events between local supervisors in order to satisfy d-admissibility. The communication is allowed to involve both transmissions of event occurrences and remote controls of event enablings. Since several equally permissive solutions are possible, an integer linear programming approach is proposed to select the one involving the least cost. The problem is more challenging in the settings with no communication or restricted communication. To deal with these, a suboptimal approach is proposed, based on integer linear programming. Note that in the restricted communication setting the availability of communication links between pairs of local supervisors can be incorporated in the specification. Bounds on the (average) communication traffic can also be imposed.

3. Deadlock Prevention and Liveness Enforcement: The tasks of deadlock prevention and liveness enforcement are compared in chapter 5. Results there identify conditions under which deadlock prevention leads to liveness. Such conditions are useful because in general it is more difficult to design liveness enforcing supervisors than deadlock prevention supervisors. Procedures for deadlock prevention and T-liveness enforcement are presented in chapters 6 and 7. The main distinguishing features of these procedures are that they can approach arbitrary Petri net structures, they treat the initial marking as a parameter (i.e. as an unknown), and they do not require the Petri net to be fully controllable and observable. At this time, among the literature approaches on liveness enforcement there is no other approach that can support unobservable transitions, but there are a few other approaches that can support uncontrollable transitions. The procedures proposed here are shown to exhibit very good permissiveness properties in the fully controllable and observable case. In particular, the T-liveness enforcement procedure is shown to generate least restrictive supervisors when the Petri net has a unique T-minimal active subnet. This is always true in the case of full liveness enforcement. The main drawbacks of the proposed procedures are that they are undecidable (that is, they do not have guaranteed termination), and that some of the operations they perform may be computationally intensive.

4. Supervision of Petri Net Abstractions: Petri net models can be obtained by abstracting hybrid system behavior. In this work, the plant consists of hybrid subsystems, and the control is divided into a two-level hierarchy. The closed loop of the subsystems with the low level controllers is abstracted as a Petri net, and the Petri net is then used to design a supervisor at the higher level. In chapter 8 it is shown that the design of supervisors for such abstractions can be more difficult. The reason is that in this setting a supervisor may no longer be allowed to (temporarily) disable at will any combination of transitions. Disabling certain combinations of transitions may disable all possible actions implemented by a lower level controller, causing the corresponding hybrid subsystem to operate in open loop. The supervisor design under this setting is approached in chapter 8. One approach is to consider certain transitions uncontrollable, in order to avoid disabling critical combinations of transitions. However, this may yield supervisors that are too restrictive. An alternative approach is to reduce the design problem to deadlock prevention in a transformed net. However, this has the computational drawbacks of deadlock prevention.

Contributions to Hybrid Systems: The main contributions to the field of Hybrid Systems are an approach for the abstraction of hybrid systems and the computation of a class of controlled invariants. The abstraction setting is introduced first in chapter 8. There, it is shown how Petri net abstractions can model hybrid system behaviors. The abstraction approach is then presented in chapter 9. The input of the abstraction procedure is a controlled hybrid automaton, defined in its general form. At this stage it has been assumed that there are no discrete disturbances. Continuous disturbances are however allowed. The output of the procedure is a state machine, in which every state corresponds to a region of the state space of the hybrid automaton. The abstracted Petri net is obtained by composing the state machines abstracted from each subsystem. The abstraction has the property that any switching sequence that can be induced in the abstraction can also be induced in the abstracted system, regardless of uncertainties and disturbances.

Controlled invariance has an important role in the abstraction process, as the presence of controlled invariants improves the performance of the supervisor enforcing the higher level specification. In chapter 8 an approach for the computation of controllable invariant sets is given for discrete-time linear systems. Note that the controllable invariant sets are a class of controlled invariant sets. This new invariance concept is defined as follows. Let Ω be a neighborhood of the origin and Ωx be the neighborhood Ω around x. Then I is a controllable invariant if Ωx is a controlled invariant for all x ∈ I and it is possible to reach any Ωy with y ∈ I from any point z ∈ Ωx, regardless of disturbances. A computation approach for linear discrete-time systems and rectangular neighborhoods Ω is proposed. The computation is nearly optimal and not recursive. The fact that the computation is not recursive differentiates this approach from literature approaches for the computation of controlled invariant sets, which are recursive and often not decidable.

Final Remarks: This dissertation has focused on the supervision of Petri nets based on their structural properties. The supervisory problems approached are often more general than those that can be handled with finite automata, due to the fact that the initial markings are parameters and the Petri nets are allowed to be unbounded (i.e., with infinite reachability space for some initial markings). Further, since reachability analysis is avoided, there may be computational advantages even when the problem can be approached in the automata setting. (Note that for a fixed initial marking, the equivalent automaton of a Petri net is the reachability graph of the Petri net; when finite, the size of the reachability graph may depend exponentially on the size of the Petri net.) On the other hand, many problems that can be handled in the automata setting cannot be handled in this setting, because the specifications have been limited here to linear constraints. The specifications modeled by linear constraints are neither a subset nor a superset of the regular languages.

Finally, the approaches presented here allow the design of supervisors to be fully automated. All procedures are computer implementable, except for the abstraction procedure, which can be computer implemented only for the classes of hybrid systems for which predecessors and controlled invariants are computable. Several of the supervisor design procedures are already implemented as a MATLAB toolbox [67].

BIBLIOGRAPHY

[1] R. Alur, C. Courcoubetis, N. Halbwachs, T. Henzinger, P.-H. Ho, X. Nicollin, A. Olivero, J. Sifakis, and S. Yovine. The algorithmic analysis of hybrid systems. Theoretical Computer Science, 138:3–34, 1995.
[2] R. Alur, T. Henzinger, and E. Sontag, editors. Hybrid Systems III, volume 1066 of Lecture Notes in Computer Science. Springer-Verlag, 1996.
[3] R. Alur, T.A. Henzinger, G. Lafferriere, and G.J. Pappas. Discrete abstractions of hybrid systems. Proceedings of the IEEE, 88(7):971–984, 2000.
[4] P. Antsaklis, editor. Proceedings of the IEEE, Special Issue on Hybrid Systems: Theory and Applications, volume 88. July 2000.
[5] P. Antsaklis, W. Kohn, M. Lemmon, A. Nerode, and S. Sastry, editors. Hybrid Systems V, volume 1567 of Lecture Notes in Computer Science. Springer-Verlag, 1999.
[6] P. Antsaklis, W. Kohn, A. Nerode, and S. Sastry, editors. Hybrid Systems II, volume 999 of Lecture Notes in Computer Science. Springer-Verlag, 1995.
[7] P. Antsaklis, W. Kohn, A. Nerode, and S. Sastry, editors. Hybrid Systems IV, volume 1273 of Lecture Notes in Computer Science. Springer-Verlag, 1997.
[8] P. Antsaklis and X. Koutsoukos. Hybrid system control. In Encyclopedia of Physical Science and Technology, volume 7, pages 445–458. Academic Press, third edition, 2002. Appears also as ISIS Technical Report ISIS-2001-003, February, 2001.
[9] P. Antsaklis and X. Koutsoukos. Hybrid dynamical systems: Review and recent progress. In T. Samad and G. Balas, editors, Software-Enabled Control: Information Technologies for Dynamical Systems. John Wiley & Sons, 2003.
[10] P. Antsaklis, X. Koutsoukos, and J. Zaytoon. On hybrid control of complex systems: A survey. European Journal of Automation, 32(9–10):1023–1045, 1998.
[11] A. Balluchi, L. Benvenuti, M. D. Di Benedetto, G. M. Miconi, U. Pozzi, T. Villa, H. Wong-Toi, and A. L. Sangiovanni-Vincentelli. Maximal safe set computation for idle speed control of an automotive engine. In Nancy Lynch and Bruce Krogh, editors, Hybrid Systems: Computation and Control, volume 1790 of Lecture Notes in Computer Science, pages 32–44. Springer-Verlag, 2000.

[12] Z. Banaszak and B. Krogh. Deadlock avoidance in flexible manufacturing systems with concurrently competing process flows. IEEE Trans. on Robotics and Automation, 6(6):724–734, 1990.
[13] K. Barkaoui and I. Abdallah. Deadlock avoidance in FMSs based on structural theory of Petri nets. In IEEE Symposium on Emerging Technologies and Factory Automation, 1995.
[14] K. Barkaoui and J. F. Pradat-Peyre. On liveness and controlled siphons in Petri nets. In Lecture Notes in Computer Science: 17th International Conference in Application and Theory of Petri Nets (ICATPN'96), Osaka, Japan, volume 1091, pages 57–72. Springer-Verlag, June 1996.
[15] G. Barrett and S. Lafortune. Decentralized supervisory control with communicating controllers. IEEE Transactions on Automatic Control, 45(9):1620–1638, 2000.
[16] F. Basile, P. Chiacchio, and A. Giua. On the choice of suboptimal monitor places for supervisory control of Petri nets. In Proceedings of the IEEE International Conference on Systems, Man, and Cybernetics, pages 752–757, 1998.
[17] A. Bemporad, G. Ferrari-Trecate, and M. Morari. Observability and controllability of piecewise affine and hybrid systems. IEEE Transactions on Automatic Control, 45(10):1864–1876, 2000.
[18] A. Bemporad and M. Morari. Control of systems integrating logic, dynamics, and constraints. Automatica, 35(3):407–427, 1999.
[19] J. Billington. Protocol specification using P-graphs, a technique based on coloured Petri nets. In Reisig, W. and Rozenberg, G., editors, Lectures on Petri Nets II: Applications, volume 1492 of Lecture Notes in Computer Science, pages 293–330. Springer-Verlag, 1998.
[20] F. Blanchini and W. Ukovich. A linear programming approach to the control of discrete-time periodic system with state and control bounds in the presence of disturbance. Journal of Optimization Theory and Applications, 73(3):523–539, 1993.
[21] J. Blazewicz, D. Bovet, and G. Gambosi. Deadlock-resistant flow control procedures for store-and-forward networks. IEEE Transactions on Communications, 32(8):884–887, 1984.
[22] A. Bouajjani, J.-C. Fernandez, and N. Halbwachs. Minimal model generation. In Computer-Aided Verification, volume 531 of LNCS, pages 197–203. Springer, 1990.
[23] B. A. Brandin and W. M. Wonham. Supervisory control of timed discrete-event systems. IEEE Transactions on Automatic Control, 39(2):329–342, 1994.
[24] U. A. Buy and R. H. Sloan. Automatic real-time analysis of reactive systems with the PARTS toolset. Automated Software Engineering, 23(4):227–273, 2001.

[25] H. Chen. Synthesis of feedback control logic for controlled Petri nets with forward and backward conflict-free uncontrolled subnet. In Proceedings of the 33rd IEEE Conference on Decision and Control, 1994.
[26] H. Chen. Control synthesis of Petri nets based on s-decreases. Discrete Event Dynamic Systems: Theory and Applications, 10(3):233–250, 2000.
[27] H. Chen and H. Baosheng. Distributed control of discrete event systems described by a class of controlled Petri nets. In Preprints of IFAC International Symposium on Distributed Intelligence Systems, 1991.
[28] H. Chen and H. Baosheng. Control of discrete event systems with their dynamics and legal behavior specified by Petri nets. In Proceedings of the 32nd IEEE Conference on Decision and Control, pages 239–240, 1993.
[29] H. Chen and B. Hu. Monitor-based control of a class of controlled Petri nets. In Proceedings of the 3rd International Conference on Automation, Robotics and Computer Vision, 1994.
[30] R. Cieslak, C. Desclaux, A. Fawaz, and P. Varaiya. Supervisory control of discrete-event processes with partial observations. IEEE Transactions on Automatic Control, 33(3):249–260, 1988.
[31] E. Coffman, M. Elphick, and A. Shoshani. System deadlocks. Computing Surveys, 3:67–78, 1971.
[32] J.-P. Courtiat, J. M. Ayache, and B. Algayres. Petri nets are good for protocols. In ACM, SIGCOMM'84 Tutorials and Symposium, Communications Architectures and Protocols, pages 66–74, 1984.
[33] J. Cury, B. Krogh, and T. Niinomi. Synthesis of supervisory controllers for hybrid systems based on approximating automata. IEEE Transactions on Automatic Control, 43(4):564–568, 1998.
[34] R. David and H. Alla. Continuous Petri nets. In 8th European Workshop on Application and Theory of Petri Nets, 1987.
[35] R. David and A. Hassane. Petri nets for modeling of dynamic systems - a survey. Automatica, 32(2):175–202, 1994.
[36] J. Desel and J. Esparza. Free Choice Petri nets. Number 40 in Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, 1995.
[37] J. Desel and W. Reisig. Place/transition Petri nets. Lecture Notes in Computer Science: Lectures on Petri Nets I: Basic Models, 1491:122–173, 1998.
[38] A. Deshpande and P. Varaiya. Viable control of hybrid systems. In P. Antsaklis et al., editors, Hybrid Systems II, volume 999 of Lecture Notes in Computer Science, pages 128–147. Springer-Verlag, 1995.
[39] A.A. Desrochers and R.Y. Al'Jaar. Applications of Petri nets in Manufacturing Systems: Modelling, Control and Performance Analysis. IEEE Press, 1995.

[40] F. DiCesare, G. Harhalakis, J.M. Proth, M. Silva, and F.B. Vernadat. Practice of Petri Nets in Manufacturing. Chapman and Hall, 1993.
[41] C. Dórea and J. Hennet. (A,B)-Invariant polyhedral sets of linear discrete time systems. Journal of Optimization Theory and Applications, 103(3):521–542, 1999.
[42] J. Ezpeleta, J. M. Colom, and J. Martínez. A Petri net based deadlock prevention policy for flexible manufacturing systems. IEEE Trans. on Robotics and Automation, 11(2):173–184, 1995.
[43] M. Fanti, B. Maione, S. Mascolo, and B. Turchiano. Event-based feedback control for deadlock avoidance in flexible production systems. IEEE Trans. on Robotics and Automation, 13(3), 1997.
[44] H. J. Genrich, K. Lautenbach, and P. S. Thiagarajan. Elements of general net theory. In Brauer, W., editor, Net Theory and Applications, volume 84 of Lecture Notes in Computer Science, pages 21–163. Springer-Verlag, 1980.
[45] A. Giua, F. DiCesare, and M. Silva. Generalized mutual exclusion constraints on nets with uncontrollable transitions. In Proceedings of the IEEE International Conference on Systems, Man and Cybernetics, pages 974–979, 1992.
[46] A. Giua and C. Seatzu. Supervisory control of railway networks with Petri nets. In Proceedings of the 40th IEEE Conference on Decision and Control, pages 5004–5009, December 2001.
[47] A. Giua and C. Seatzu. Observability of place/transition nets. IEEE Transactions on Automatic Control, 47(9):1424–1437, 2002.
[48] C. H. Golaszewski and P. J. Ramadge. Control of discrete event processes with forced events. In Proceedings of the 26th IEEE Conference on Decision and Control, pages 247–251, 1987.
[49] U. Goltz. Synchronic distance. In Brauer, W., Reisig, W., and Rozenberg, G., editors, Petri Nets: Central Models and Their Properties, Advances in Petri Nets 1986, Part I, volume 254 of Lecture Notes in Computer Science, pages 338–358. Springer-Verlag, 1987.
[50] R. Grossman, A. Nerode, A. Ravn, and H. Rischel, editors. Hybrid Systems, volume 736 of Lecture Notes in Computer Science. Springer-Verlag, 1993.
[51] P. Gutman and M. Cwikel. An algorithm to find maximal state constraint sets for discrete-time linear dynamical systems with bounded controls and states. IEEE Transactions on Automatic Control, 32(3):251–254, 1987.
[52] K. He and M. Lemmon. Modelling hybrid control systems using programmable timed Petri nets. European Journal of Automation, 32(9–10):1187–1208, 1998.
[53] K. X. He and M. D. Lemmon. Liveness verification of discrete event systems modeled by n-safe ordinary Petri nets. In Nielsen, M. and Simpson, D., editors, Lecture Notes in Computer Science: 21st International Conference on Application and Theory of Petri Nets (ICATPN 2000), Aarhus, Denmark, June 2000, volume 1825, pages 227–243. Springer-Verlag, 2000.
[54] K.X. He and M.D. Lemmon. Liveness-enforcing supervision of bounded ordinary Petri nets using partial order methods. IEEE Transactions on Automatic Control, 47(7):1042–1055, 2002.
[55] T. Henzinger. Hybrid automata with finite bisimulations. In Z. Fülöp and G. Gécseg, editors, ICALP'95: Automata, Languages, and Programming. Springer-Verlag, 1995.
[56] Y.C. Ho, editor. Discrete Event Dynamic Systems: Theory and Application, Special Issue on Hybrid Petri Nets, volume 11(1/2). Kluwer Academic Press, 2001.
[57] L. E. Holloway, B. H. Krogh, and A. Giua. A survey of Petri net methods for controlled discrete event systems. Discrete Event Dynamic Systems, 7(2):151–190, 1997.
[58] L.E. Holloway and B.H. Krogh. Synthesis of feedback control logic for a class of controlled Petri nets. IEEE Transactions on Automatic Control, 35(5):514–523, 1990.
[59] L.E. Holloway and B.H. Krogh. On closed-loop liveness of discrete-event systems under maximally permissive control. IEEE Transactions on Automatic Control, 37(5):692–697, 1992.
[60] F.-S. Hsieh and S.-C. Chang. Dispatching-driven deadlock avoidance controller synthesis for flexible manufacturing systems. IEEE Transactions on Robotics and Automation, 10(2):196–209, 1994.
[61] A. Ichikawa and K. Hiraishi. Analysis and control of discrete event systems represented by Petri nets. In P. Varaiya and A. B. Kurzhanski, editors, Discrete Event Systems: Models and Applications, volume 103 of Lecture Notes in Control and Information Sciences, pages 115–134. Springer Verlag, 1988.
[62] A. Ichikawa, K. Yokoyama, and S. Kurogi. Reachability and control of discrete event systems represented by conflict-free Petri nets. In International Symposium on Circuits and Systems, Proceedings, pages 487–490, 1985.
[63] M. V. Iordache. Deadlock Prevention in Discrete Event Systems Using Petri Nets. Master's thesis, University of Notre Dame, 1999.
[64] M. V. Iordache and P. J. Antsaklis. T-liveness enforcement in Petri nets based on structural net properties. In Proceedings of the 40th IEEE International Conference on Decision and Control, pages 4984–4989, December 2001.
[65] M. V. Iordache and P. J. Antsaklis. Generalized conditions for liveness enforcement and deadlock prevention in Petri nets. In Colom, J.M. and Koutny, M., editors, Lecture Notes in Computer Science: 22nd International Conference on Application and Theory of Petri Nets (ICATPN 2001), Newcastle upon Tyne, UK, June 2001, volume 2075, pages 184–203. Springer-Verlag, 2001.

[66] M. V. Iordache and P. J. Antsaklis. Decentralized control of DES using Petri nets. Technical report isis-2002-005, University of Notre Dame, September 2002.
[67] M. V. Iordache and P. J. Antsaklis. Software tools for the supervisory control of Petri nets based on place invariants. Technical report isis-2002-003, University of Notre Dame, April 2002.
[68] M. V. Iordache and P. J. Antsaklis. Synthesis of supervisors enforcing general linear vector constraints in Petri nets. In Proceedings of the 2002 American Control Conference, pages 154–159, 2002.
[69] M. V. Iordache and P. J. Antsaklis. Synthesis of supervisors enforcing general linear vector constraints in Petri nets. Technical report isis-2002-002, University of Notre Dame, February 2002.
[70] M. V. Iordache and P. J. Antsaklis. Admissible decentralized control of Petri nets. In Proceedings of the 2003 American Control Conference, pages 332–337, 2003.
[71] M. V. Iordache and P. J. Antsaklis. Decentralized control of Petri nets. In Proceedings of the Workshop on Discrete Event Systems Control, of the International Conference on the Application and Theory of Petri Nets (ATPN 2003), pages 143–158, 2003.
[72] M. V. Iordache and P. J. Antsaklis. Decentralized control of Petri nets with constraint transformations. In Proceedings of the 2003 American Control Conference, pages 314–319, 2003.
[73] M. V. Iordache, J. O. Moody, and P. J. Antsaklis. A method for deadlock prevention in discrete event systems using Petri nets. Technical report of the isis group, isis-99-006, University of Notre Dame, July 1999.
[74] M. V. Iordache, J. O. Moody, and P. J. Antsaklis. Automated synthesis of deadlock prevention supervisors using Petri nets. Technical report of the isis group, isis-2000-003, University of Notre Dame, May 2000.
[75] M. V. Iordache, J. O. Moody, and P. J. Antsaklis. Automated synthesis of liveness enforcement supervisors using Petri nets. Technical report of the isis group, isis-2000-004, University of Notre Dame, September 2000.
[76] M. V. Iordache, J. O. Moody, and P. J. Antsaklis. A method for the synthesis of deadlock prevention controllers in systems modeled by Petri nets. In Proceedings of the 2000 American Control Conference, pages 3167–3171, June 2000.
[77] M. V. Iordache, J. O. Moody, and P. J. Antsaklis. A method for the synthesis of liveness enforcing supervisors in Petri nets. In Proceedings of the 2001 American Control Conference, pages 4943–4948, June 2001.
[78] M. V. Iordache, J. O. Moody, and P. J. Antsaklis. Synthesis of deadlock prevention supervisors using Petri nets. IEEE Transactions on Robotics and Automation, 18(1):59–68, February 2002.

[79] M.V. Iordache and P.J. Antsaklis. Design of T-liveness enforcing supervisors in Petri nets. IEEE Transactions on Automatic Control, 48(11):1962–1974, 2003.
[80] M.V. Iordache and P.J. Antsaklis. Synthesis of supervisors enforcing general linear vector constraints in Petri nets. IEEE Transactions on Automatic Control, 48(11):2036–2039, 2003.
[81] S. S. Isloor and T. A. Marsland. The deadlock problem: An overview. Computer, 13(9):58–78, 1980.
[82] M. Jantzen and R. Valk. Formal properties of place/transition nets. In Brauer, W., editor, Lecture Notes in Computer Science: Net Theory and Applications, Proc. of the Advanced Course on General Net Theory of Processes and Systems, Hamburg, 1979, volume 84, pages 165–212, Berlin, Heidelberg, New York, 1980. Springer-Verlag.
[83] S. Jiang, V. Chandra, and R. Kumar. Decentralized control of discrete event systems with multiple local specializations. In Proceedings of 2001 American Control Conference, 2001.
[84] S. Jiang and R. Kumar. Decentralized control of discrete event systems with specializations to local control and concurrent systems. IEEE Transactions on Systems, Man and Cybernetics, Part B, 30(5):653–660, 2000.
[85] P.C. Kanellakis and S.A. Smolka. CCS expressions, finite-state processes, and three problems of equivalence. Information and Computation, 86:43–68, 1990.
[86] S. Keerthi and E. Gilbert. Computation of minimum-time feedback control laws for discrete-time systems with state-control constraints. IEEE Transactions on Automatic Control, 32(5):432–435, 1987.
[87] X. Koutsoukos. Analysis and Design of Piecewise Linear Hybrid Dynamical Systems. PhD thesis, University of Notre Dame, 2000.
[88] X. Koutsoukos and P. Antsaklis. Supervisory control design of hybrid systems modeled by timed Petri nets based on invariant properties. In Proc. of the 8th IFAC/IFORMS/IMACS/IFIP/ Symposium on Large Scale Systems: Theory and Applications LSS'98, Rio, Greece, July 1998.
[89] X. Koutsoukos and P. Antsaklis. Hybrid control of a robotic manufacturing system. In Proceedings of the 7th IEEE Mediterranean Conference on Control and Automation, pages 144–159, 1999.
[90] X. Koutsoukos and P. Antsaklis. Hybrid control systems using timed Petri nets: Supervisory control design based on invariant properties. In P. Antsaklis, W. Kohn, M. Lemmon, A. Nerode, and S. Sastry, editors, Hybrid Systems V, volume 1567 of Lecture Notes in Computer Science, pages 142–162. Springer-Verlag, 1999.

[91] X. Koutsoukos, P. Antsaklis, K. He, and M. Lemmon. Programmable timed Petri nets in the analysis and design of hybrid control systems. In Proceedings of the 37th IEEE Conference on Decision and Control, pages 1617–1622, Tampa, FL, December 1998.
[92] X. Koutsoukos, K. He, M. Lemmon, and P. Antsaklis. Timed Petri nets in hybrid systems: Stability and supervisory control. Journal of Discrete Event Dynamic Systems: Theory and Applications, 8(2):137–173, 1998.
[93] X. Koutsoukos, K. He, M. Lemmon, and P. Antsaklis. Timed Petri nets in hybrid systems: Stability and supervisory control. Journal of Discrete Event Dynamic Systems: Theory and Applications, 8(2):137–173, 1998.
[94] X. Koutsoukos, F. Zhao, H. Haussecker, J. Reich, and P. Cheung. Fault modeling for monitoring and diagnosis of sensor-rich hybrid systems. In Proceedings of the 40th IEEE Conference on Decision and Control, pages 793–801, 2001.
[95] X. D. Koutsoukos, P. J. Antsaklis, J. A. Stiver, and M. D. Lemmon. Supervisory control of hybrid systems. Proceedings of the IEEE, 88(7):1026–1049, July 2000.
[96] P. Kozak and W. M. Wonham. Fully decentralized solutions of supervisory control problems. IEEE Transactions on Automatic Control, 40(12):2094–2097, 1995.
[97] B. Krogh. Controlled Petri nets and maximally permissive feedback logic. In Proceedings of the 25th Annual Allerton Conference, University of Illinois, Urbana, 1987.
[98] B. H. Krogh and L. E. Holloway. Synthesis of feedback control logic for manufacturing systems. Automatica, 27(4):641–651, 1991.
[99] R. Kumar and M. Shayman. Formulae relating controllability, observability, and co-observability. Automatica, 34(2):211–215, 1998.
[100] G. Lafferriere. Hybrid systems with finite bisimulations. In P. Antsaklis, W. Kohn, M. Lemmon, A. Nerode, and S. Sastry, editors, Hybrid Systems V, volume 1567 of Lecture Notes in Computer Science, pages 186–203. Springer-Verlag, 1999.
[101] H. Lamouchi and J. Thistle. Effective control synthesis for DES under partial observations. In Proceedings of the 39th IEEE Conference on Decision and Control, pages 22–28, 2000.
[102] K. Lautenbach and H. Ridder. The linear algebra of deadlock avoidance – a Petri net approach. Technical report, University of Koblenz, Institute for Computer Science, 1996.
[103] K. Lautenbach and P. S. Thiagarajan. Analysis of a resource allocation problem using Petri nets. In Proceedings of the 1st European Conference on Parallel and Distributed Processing, pages 260–266. Cepadues Editions, 1979.

[104] M. D. Lemmon, K. X. He, and I. Markovsky. Supervisory hybrid systems. IEEE Control Systems Magazine, 19(4):42–55, 1999.
[105] M. D. Lemmon, K. X. He, and C. J. Bett. Modeling hybrid control systems using programmable timed Petri nets. In 3rd International Conference on Automation of Mixed Processes: Dynamic Hybrid Systems (ADPM'98), pages 177–184, Reims, France, March 1998.
[106] Y. Li and W. Wonham. Control of vector discrete-event systems I – The base model. IEEE Transactions on Automatic Control, 38(8):1214–1227, 1993.
[107] Y. Li and W. Wonham. Control of vector discrete-event systems II – Controller synthesis. IEEE Transactions on Automatic Control, 39(3):512–530, 1994.
[108] Y. Li and W. Wonham. Concurrent vector discrete-event systems. IEEE Transactions on Automatic Control, 40(4):628–638, 1995.
[109] Y. Li and W. M. Wonham. Controllability and observability in the state feedback control of discrete-event systems. In Proceedings of the 27th IEEE Conference on Decision and Control, pages 203–208, 1988.
[110] F. Lin and W. Wonham. On observability of discrete-event systems. Information Sciences, 44(3):173–198, 1988.
[111] F. Lin and W. Wonham. Decentralized control and coordination of discrete-event systems with partial observation. IEEE Transactions on Automatic Control, 35(12):1330–1337, 1990.
[112] H. Lin and P. Antsaklis. Controller synthesis for a class of uncertain piecewise linear hybrid dynamical systems. In Proceedings of the 41st IEEE Conference on Decision and Control, pages 3188–3193, 2002.
[113] J. Lunze. A Petri-net approach to qualitative modelling of continuous dynamical systems. Systems Analysis, Modelling, Simulation, 9:89–111, 1992.
[114] J. Lunze, B. Nixdorf, and J. Schröder. Deterministic discrete-event representations of linear continuous-variable systems. Automatica, 35(3):396–406, 1999.
[115] J. Lygeros, D. Godbole, and S. Sastry. Verified hybrid controllers for automated vehicles. IEEE Transactions on Automatic Control, 43(4):522–539, 1998.
[116] J. Lygeros and S. Sastry. EE291E – Hybrid Systems: Modeling, Analysis and Control. University of California at Berkeley, 1999.
[117] J. Lygeros, C. Tomlin, and S. Sastry. Controllers for reachability specifications for hybrid systems. Automatica, 35(3):349–370, 1999.
[118] D. Mandrioli, R. Zicari, C. Ghezzi, and F. Tisato. Modeling the Ada task system by Petri nets. Computer Languages, 10(1):43–61, 1985.

[119] B. J. McCarragher and H. Asada. The discrete event modeling and trajectory planning of robotic assembly tasks. Transactions of the ASME – Journal of Dynamic Systems, Measurement and Control, 117(3):394–400, 1995.
[120] N. H. McClamroch, I. Kolmanovsky, and M. Reyhanoglu. Hybrid closed loop systems: A nonlinear control perspective. In Proceedings of the 36th IEEE Conference on Decision and Control, pages 114–119, 1997.
[121] P. M. Merlin and P. J. Schweitzer. Deadlock avoidance in store-and-forward networks – I: Store-and-forward deadlock. IEEE Transactions on Communications, 28(3):345–354, 1980.
[122] P. M. Merlin and P. J. Schweitzer. Deadlock avoidance in store-and-forward networks – II: Other deadlock types. IEEE Transactions on Communications, 28(3):355–360, 1980.
[123] J. O. Moody and P. J. Antsaklis. Deadlock avoidance in Petri nets with uncontrollable transitions. In Proceedings of the 1998 American Control Conference, pages 1257–1258, Philadelphia, PA, 1998.
[124] J. O. Moody and P. J. Antsaklis. Supervisory Control of Discrete Event Systems Using Petri Nets. Kluwer Academic Publishers, 1998.
[125] J. O. Moody and P. J. Antsaklis. Petri net supervisors for DES with uncontrollable and unobservable transitions. IEEE Transactions on Automatic Control, 45(3):462–476, 2000.
[126] J. O. Moody, M. V. Iordache, and P. J. Antsaklis. Enforcement of event-based supervisory constraints using state-based methods. In Proceedings of the 38th IEEE Conference on Decision and Control, pages 1743–1748, 1999.
[127] T. Motzkin. The Theory of Linear Inequalities. Rand Corporation, Santa Monica, CA, 1952.
[128] T. Murata. Petri nets: Properties, analysis and applications. Proceedings of the IEEE, 77(4):541–580, April 1989.
[129] A. Overkamp and J. H. van Schuppen. Maximal solutions in decentralized supervisory control. SIAM Journal on Control and Optimization, 39(2):492–511, 2000.
[130] J. Park and S. Reveliotis. Deadlock avoidance in sequential resource allocation systems with multiple resource acquisitions and flexible routings. IEEE Transactions on Automatic Control, 46(10):1572–1583, 2001.
[131] J. Park and S. Reveliotis. Liveness-enforcing supervision for resource allocation systems with uncontrollable behavior and forbidden states. IEEE Transactions on Robotics and Automation, 18(2):234–240, 2002.
[132] J. L. Peterson. Petri Net Theory and the Modeling of Systems. Prentice Hall, Englewood Cliffs, NJ, 1981.

[133] C. A. Petri. Kommunikation mit Automaten. Schriften des IIM Nr. 2, Institut für Instrumentelle Mathematik, Bonn, 1962.
[134] C. A. Petri. Fundamentals of a theory of asynchronous information flow. In Proceedings of IFIP Congress 62, pages 386–390. North Holland, Amsterdam, 1963.
[135] C. A. Petri. Kommunikation mit Automaten (English translation). Technical Report RADC-TR-65-377, Vol. 1, Suppl. 1, Griffiss Air Force Base, New York, 1966.
[136] C. A. Petri. Interpretations of Net Theory. Interner Bericht ISF-75-07, second edition, Gesellschaft für Mathematik und Datenverarbeitung Bonn, St. Augustin, December 1976.
[137] J. H. Prosser, M. Kam, and H. G. Kwatny. Decision fusion and supervisor synthesis in decentralized discrete event systems. In Proceedings of the 1997 American Control Conference, pages 2251–2255, 1997.
[138] J.-M. Proth and X. Xie. Petri Nets: A Tool for Design and Management of Manufacturing Systems. John Wiley & Sons, 1997.
[139] A. Puri, S. Tripakis, and P. Varaiya. Problems and examples of decentralized observation and control for discrete event systems. In Symposium on the Supervisory Control of Discrete Event Systems, 2001.
[140] J. Raisch and S. O'Young. Discrete approximation and supervisory control of continuous systems. IEEE Transactions on Automatic Control, 43(4):568–573, 1998.
[141] P. Ramadge and W. Wonham. Supervisory control of a class of discrete event processes. SIAM Journal on Control and Optimization, 25(1):206–230, 1987.
[142] P. Ramadge and W. Wonham. The control of discrete event systems. Proceedings of the IEEE, 77(1):81–98, 1989.
[143] W. Reisig. Petri Nets, volume 4 of EATCS Monographs on Theoretical Computer Science. Springer-Verlag, 1985.
[144] W. Reisig. Elements of Distributed Algorithms: Modeling and Analysis with Petri Nets. Springer-Verlag, 1998.
[145] W. Reisig, E. Kindler, T. Vesper, and H. Völzer. Distributed algorithms for networks of agents. In W. Reisig and G. Rozenberg, editors, Lectures on Petri Nets II: Applications, volume 1492 of Lecture Notes in Computer Science, pages 331–385. Springer-Verlag, 1998.
[146] E. Roszkowska and R. Wojcik. Problems of process flow feasibility in FAS. In IFAC CIM in Process and Manufacturing Industries, pages 115–121, 1992.
[147] K. Rudie. The current state of decentralized discrete-event control systems. In Proceedings of the 10th Mediterranean Conference on Control and Automation, 2002.

[148] K. Rudie, S. Lafortune, and F. Lin. Minimal communication in a distributed discrete-event system. In Proceedings of the 1999 American Control Conference, pages 1965–1970, 1999.
[149] K. Rudie and J. C. Willems. The computational complexity of decentralized discrete-event control problems. IEEE Transactions on Automatic Control, 40(7):1313–1319, 1995.
[150] K. Rudie and W. Wonham. Think globally, act locally: Decentralized supervisory control. IEEE Transactions on Automatic Control, 37(11):1692–1708, 1992.
[151] A. van der Schaft and H. Schumacher. An Introduction to Hybrid Dynamical Systems, volume 251 of Lecture Notes in Control and Information Sciences. Springer-Verlag, London, 2000.
[152] O. Shakernia, G. Pappas, and S. Sastry. Decidable controller synthesis for classes of linear systems. In N. Lynch and B. Krogh, editors, Hybrid Systems: Computation and Control, volume 1790 of Lecture Notes in Computer Science, pages 407–420. Springer-Verlag, 2000.
[153] O. Shakernia, G. Pappas, and S. Sastry. Semidecidable controller synthesis for classes of linear hybrid systems. In Proceedings of the 39th IEEE Conference on Decision and Control, 2000.
[154] M. Silva, E. Teruel, and J. M. Colom. Linear algebraic and linear programming techniques for the analysis of place/transition net systems. In Lectures on Petri Nets I: Basic Models, volume 1491 of Lecture Notes in Computer Science, pages 309–373. Springer-Verlag, 1998.
[155] R. S. Sreenivas. On a free-choice equivalent of a Petri net. In Proceedings of the 36th IEEE Conference on Decision and Control, pages 4092–4097, San Diego, California, December 1997.
[156] R. S. Sreenivas. On Commoner's liveness theorem and supervisory policies that enforce liveness in free-choice Petri nets. Systems & Control Letters, pages 41–48, 1997.
[157] R. S. Sreenivas. On the existence of supervisory policies that enforce liveness in discrete event dynamic systems modeled by controlled Petri nets. IEEE Transactions on Automatic Control, 42(7):928–945, July 1997.
[158] R. S. Sreenivas. An application of independent, increasing, free-choice Petri nets to the synthesis of policies that enforce liveness in arbitrary Petri nets. Automatica, 34(12):1613–1615, December 1998.
[159] R. S. Sreenivas. On supervisory policies that enforce liveness in a class of completely controlled Petri nets obtained via refinement. IEEE Transactions on Automatic Control, 44(1):173–177, 1999.
[160] R. S. Sreenivas. On supervisory policies that enforce liveness in completely controlled Petri nets with directed cut-places and cut-transitions. IEEE Transactions on Automatic Control, 44(6):1221–1225, 1999.

[161] R. S. Sreenivas. On a minimally restrictive supervisory policy that enforces liveness in partially controlled free choice Petri nets. In Proceedings of the 39th IEEE Conference on Decision and Control, pages 2651–2656, Sydney, Australia, December 2000.
[162] J. A. Stiver, P. J. Antsaklis, and M. D. Lemmon. Interface and controller design for hybrid control systems. In P. Antsaklis, W. Kohn, A. Nerode, and S. Sastry, editors, Hybrid Systems II, volume 999 of Lecture Notes in Computer Science, pages 462–492. Springer-Verlag, 1995.
[163] J. A. Stiver, P. J. Antsaklis, and M. D. Lemmon. A logical DES approach to the design of hybrid control systems. Mathematical and Computer Modelling, pages 55–76, 1996.
[164] G. Stremersch. Supervision of Petri Nets. Kluwer Academic Publishers, 2001.
[165] Z. Suraj. Resource allocation problem. In Proceedings of the 3rd Symposium on Mathematical Foundations of Computer Science, Zaborow 1980, ICS PAS Reports, pages 83–86, 1980.
[166] T. Suzuki, S. M. Shatz, and T. Murata. A protocol modeling and verification approach based on a specification language and Petri nets. IEEE Transactions on Software Engineering, 16(5):523–536, 1990.
[167] P. Tabuada and G. Pappas. Model checking LTL over controllable linear systems is decidable. In Hybrid Systems: Computation and Control, volume 2623 of Lecture Notes in Computer Science, pages 498–513. Springer-Verlag, 2003.
[168] S. Takai and S. Kozama. Decentralized state feedback control of discrete event systems. Systems & Control Letters, 22(5):369–375, 1994.
[169] S. Takai and T. Ushio. Reliable decentralized supervisory control of discrete event systems. IEEE Transactions on Systems, Man, and Cybernetics, Part B, 30(5):661–667, 2000.
[170] J. G. Thistle and W. M. Wonham. Control of infinite behavior of finite automata. SIAM Journal on Control and Optimization, 32(4):1075–1097, 1994.
[171] J. G. Thistle and W. M. Wonham. Supervision of infinite behavior of discrete-event systems. SIAM Journal on Control and Optimization, 32(4):1098–1113, 1994.
[172] F. Tricas, F. Garcia-Valles, J. M. Colom, and J. Ezpeleta. New methods for deadlock prevention and avoidance in concurrent systems. In Actas de las Jornadas de Concurrencia 2000, pages 97–110, June 2000.
[173] S. Tripakis. Undecidable problems of decentralized observation and control. In Proceedings of the 40th IEEE Conference on Decision and Control, pages 4104–4109, 2001.
[174] S. Tripakis. Decentralized control of discrete event systems with bounded or unbounded delay communication. In Proceedings of the 6th International Workshop on Discrete Event Systems (WODES 2002), 2002.

[175] J. N. Tsitsiklis. On the control of discrete event dynamical systems. Mathematics of Control, Signals and Systems, 2(2):95–107, 1989.
[176] T. Ushio. Maximally permissive feedback and modular control synthesis in Petri nets with external input. IEEE Transactions on Automatic Control, 35(7):844–848, 1990.
[177] R. Valk and M. Jantzen. The residue of vector sets with applications to decidability problems in Petri nets. Acta Informatica, 21:643–674, 1985.
[178] J. H. van Schuppen. Decentralized supervisory control with information structures. In Proceedings of the International Workshop on Discrete Event Systems (WODES98), pages 36–41, 1998.
[179] J. H. van Schuppen. A sufficient condition for controllability of a class of hybrid systems. In Hybrid Systems: Computation and Control, volume 1386 of Lecture Notes in Computer Science, pages 374–383. Springer-Verlag, 1998.
[180] L. Vandenberghe and S. Boyd. Semidefinite programming. SIAM Review, 38(1):49–95, 1996.
[181] R. Vidal, S. Schaffert, J. Lygeros, and S. Sastry. Controlled invariance of discrete time systems. In N. Lynch and B. Krogh, editors, Hybrid Systems: Computation and Control, volume 1790 of Lecture Notes in Computer Science, pages 437–450. Springer-Verlag, 2000.
[182] R. Vidal, S. Schaffert, O. Shakernia, J. Lygeros, and S. Sastry. Decidable and semi-decidable controller synthesis for classes of discrete time hybrid systems. In Proceedings of the 40th IEEE Conference on Decision and Control, pages 1243–1248, 2001.
[183] Y. Willner and M. Heymann. Supervisory control of concurrent discrete-event systems. International Journal of Control, 54(5):1143–1169, 1991.
[184] K. C. Wong and J. H. van Schuppen. Decentralized supervisory control of discrete-event systems with communication. In Proceedings of the International Workshop on Discrete Event Systems (WODES96), pages 284–289, 1996.
[185] H. Wong-Toi. The synthesis of controllers for linear hybrid automata. In Proceedings of the 36th IEEE Conference on Decision and Control, pages 4607–4612, 1997.
[186] K. Xing, B. Hu, and H. Chen. Deadlock avoidance policy for Petri net modeling of flexible manufacturing systems with shared resources. IEEE Transactions on Automatic Control, 41(2):289–295, February 1996.
[187] A. Yakovlev, L. Gomes, and L. Lavagno, editors. Hardware Design and Petri Nets. Kluwer Academic Publishers, 2000.
[188] A. Yakovlev and A. Koelmans. Petri nets and digital hardware design. In W. Reisig and G. Rozenberg, editors, Lectures on Petri Nets II: Applications, volume 1492 of Lecture Notes in Computer Science, pages 154–236. Springer-Verlag, 1998.

[189] E. Yamalidou and J. Kantor. Modeling and optimal control of discrete-event chemical processes using Petri nets. Computers and Chemical Engineering, 15(7):503–519, 1991.
[190] E. Yamalidou, J. O. Moody, P. J. Antsaklis, and M. D. Lemmon. Feedback control of Petri nets based on place invariants. Automatica, 32(1):15–28, 1996.
[191] T. Yoo and S. Lafortune. A general architecture for decentralized supervisory control of discrete-event systems. In Proceedings of WODES 2000, Discrete Event Systems: Analysis and Control, pages 111–118, 2000.
[192] T. Yoo and S. Lafortune. New results on decentralized supervisory control of discrete-event systems. In Proceedings of the 39th IEEE Conference on Decision and Control, 2000.
[193] L. Zhang and L. E. Holloway. Forbidden state avoidance in controlled Petri nets under partial observation. In Proceedings of the 33rd Annual Allerton Conference on Communications, Control, and Computing, pages 146–155, 1995.
[194] M. Zhou and K. Venkatesh. Modeling, Simulation, and Control of Flexible Manufacturing Systems: A Petri Net Approach, volume 6 of Series in Intelligent Control and Intelligent Automation. World Scientific Publishing Company, 1999.

INDEX

AC-transformation, 153
active siphon, 133
    minimal, 133
active subnet, 133
    maximal, 133
    minimal, 133
    T-minimal, 138
admissible, 33, 41, 52, 86
asymmetric choice Petri net, 120

c-admissibility, 88
C-transformation, 47
    joint, 65
    total, 70
closed-loop enabled, 86
closed-loop of a Petri net, 19, 20
control place, 21, 30, 86
controllable invariant, 289
controllable transition, 19, 264
controlled invariant, 289
controlled siphon, 13, 120, 171, 174
controlling a transition, 86

d-admissible, 89
dead transition, 12
deadlock, 12, 158
deadlock prevention, 158
deadlock-free, 12
detecting a transition, 86
disabling a transition, 86
dp-procedure, 158

EAC net, 141
EAC-transformation, 153
empty siphon, 13
enforcing
    a specification, 21
    liveness, 122
    T-liveness, 122
equivalent marking, 192

fco-supervisor, 234
feasible constraints, 32, 33
feasible supervisor, 92
firing count vector, 12
firing vector, 12

globally d-admissible, 96

H-transformation, 49
    joint, 66
    total, 70
hybrid automaton, 287

incidence matrix, 11
initial constraints, 159
initial marking, 9
initial-marking constraints, 159
input matrix, 11
integer convex set, 237
invariant
    place, 12
    transition, 12
invariant set
    controllable, 289
    controlled, 289

joint C-transformation, 65
joint H-transformation, 66

le-procedure, 158
live, 12
live transition, 12
liveness enforcing, 158

marking, 9
    equivalent, 192
    valid, 192
    vector, 10
marking based supervisor, 121
maximal active subnet, 133
minimal active siphon, 133
minimal active subnet, 133
minimal siphon, 13
mode coupling, 263

nonblocking supervisor, 272

observable transition, 19, 265
ordinary Petri net, 120
output matrix, 11

Parikh vector, 12
partially repetitive, 123
Petri net, 9
    asymmetric choice, 120
    ordinary, 120
    PT-ordinary, 120
    structure, 9
place invariant, 12
plant Petri net, 18, 86
plant-enabled, 86
postset, 10
predecessor of a set, 288
preset, 10
proper constraints, 98
PT-ordinary Petri net, 120
PT-transformation, 152, 153

reachable marking, 11
repetitive, 123
    partially, 123

self-loop, 267
set of places, 9
set of reachable markings, 11
set of transitions, 9
sink place, 10
siphon, 13, 120
    active, 133
    controlled, 13, 120, 171, 174
    empty, 13
    minimal, 13
    uncontrolled, 13, 174, 178
source place, 10
split transitions, 152
state coupling, 263
supervisor, 18, 20, 121, 273
support
    of a transition invariant, 12

T-liveness, 121
T-liveness enforcing, 158
tokens, 10
total C-transformation, 70
total H-transformation, 70
transition
    arc, 9
    controllable, 19, 264
    dead, 12
    enabled, 11
    firing, 11
    live, 12
    observable, 19, 265
    split, 152, 156
    uncontrollable, 19, 264
    unobservable, 19, 265
transition coupling, 263
transition invariant, 12
    support of, 12
trap, 13

uncontrollable transition, 19, 264
uncontrolled siphon, 13, 174, 178
unobservable transition, 19, 265
unstable state of a DES, 258

valid marking, 192

weight function, 9
