Controllability for Nondeterministic Finite Automata with Variables

Jasen Markovski Department of Mechanical Engineering, Eindhoven University of Technology, Den Dolech 2, 5612MH, Eindhoven, The Netherlands

Keywords: Supervisory Control Theory, Controllability, Finite Automata with Variables, Partial Bisimulation.

Abstract: Supervisory control theory deals with automated synthesis of models of supervisory controllers that ensure safe coordinated discrete-event behavior of a given system. To increase the expressivity of the framework and provide for a greater modeling convenience, several extensions with variables have been proposed. One of the most prominent such extensions is implemented by means of extended finite automata with variables. We revisit the notion of controllability for nondeterministic finite automata with variables, which defines conditions under which a model of a supervisory controller can be synthesized. We will show that the existing notion of controllability for extended finite automata does not have desirable algebraic properties, i.e., it is not a preorder. We propose to employ an extension of controllability for nondeterministic discrete-event system based on a behavioral relation termed partial bisimulation, which we show that subsumes the existing notion of controllability for extended finite automata.

1 INTRODUCTION chronizing processes in line with (Ramadge and Won- ham, 1987; Cassandras and Lafortune, 2004). The Development of quality control software is becom- model of the uncontrolled system is typically referred ing an increasingly difficult task due to high com- to as plant and it is restricted by the model of the su- plexity of high-tech systems, promoting the former as pervisory controller, which referred to as supervisor. an important bottleneck in the design and production The coupling of the supervisor and the plant, results process as already noted in (Leveson, 1990). Tradi- in the supervised plant, which models the supervisory tional techniques are not able to satisfactorily cope control loop, i.e., it specifies the behavior of the con- with the challenge due to the frequent design changes trolled system. in the control requirements, which gave rise to super- Traditionally, the activities of the machine are visory control theory of discrete-event systems postu- modeled as discrete events, whereas the supervisor lated in (Ramadge and Wonham, 1987; Cassandras is a process that synchronizes with the plant. The and Lafortune, 2004). Supervisory control theory supervisor can enable or disable available events in studies automatic synthesis of models of supervisory the plant by synchronizing or not synchronizing with control software that provide for safe and nonblock- them, respectively. The events are split into control- ing behavior of the controlled system by coordinating high-level discrete-event behavior of the concurrent system components. User Supervisory controllers rely on discrete-event ob- Supervisory servations made regarding the discrete-event system Coordinating Processing Tasks control behavior by using sensory information, as depicted in Figure 1. Based upon the observed signals, these con- Resource Driving Conditioning trollers decide which activities are allowed to be car- control ried out safely and do not lead to potentially danger- Resources ous or otherwise undesired situations, and send back Transducers Actuators Sensors control signals to the hardware actuators. Under the assumption that the supervisory controller can react sufficiently fast on machine input, one can model this Main structure supervisory control feedback loop as a pair of syn- Figure 1: Supervisory control architecture.

438 Markovski J.. Controllability for Nondeterministic Finite Automata with Variables. DOI: 10.5220/0004430604380446 In Proceedings of the 8th International Joint Conference on Software Technologies (ICSOFT-PT-2013), pages 438-446 ISBN: 978-989-8565-68-6 Copyright c 2013 SCITEPRESS (Science and Technology Publications, Lda.) ControllabilityforNondeterministicFiniteAutomatawithVariables

of resource and supervisory control is unified, e.g., by employing shared variables or publisher/subscriber services, which is typical for implementations in the artificial intelligence domain. The event-based ap- proach suggests direct observation of activities of the system, which are typically triggered by the system to be supervised, relying on some input/output inter- Figure 2: Supervisory control feedback loop with data- face. The extensions of supervisory control theory based observations. with variables and data aim at a two-fold improve- ment: more concise specification due to parametriza- lable and uncontrollable events, the former typically tion of the systems, as suggested in (Chen and Lin, modeling interaction with actuators, whereas the lat- 2000; Miremadi et al., 2008) and greater expressive- ter model observation of sensory information. There- ness and modeling convenience, as shown in (Skold- fore, the supervisor is allowed to disable controllable stam et al., 2007; Gaudin and Deussen, 2007). The events, e.g., if the boiler pressure is above the safe extensions range over the most prominent models threshold, then the heater should be switched off, but of discrete-event systems like finite-state machines it is not allowed to disable any available uncontrol- developed in (Chen and Lin, 2000), labeled transi- lable events, e.g., by ignoring the pressure sensor of tion systems, considered in (Markovski, 2012b), and the boiler, one reaches a potentially dangerous situa- automata extensions, provided in (Skoldstam et al., tion. 2007; Gaudin and Deussen, 2007). Additionally, the supervised plant must also sat- With the development of new models, the origi- isfy a given set of control requirements, which model nal notion of controllability for deterministic discrete- the safe or allowed behavior of the machine. Fur- event systems of (Ramadge and Wonham, 1987; Cas- thermore, it is typically required that the supervised sandras and Lafortune, 2004) is subsequently ex- plant is nonblocking, meaning that it comprises no tended to the corresponding settings with variables deadlock and no livelock behavior. To this end, ev- and data parameters. We note that the controllabil- ery state is required to be able to reach a so-called ity is originally defined as a language-based prop- marked or final state, following the notation of (Ra- erty and, thus, meant for deterministic discrete-event madge and Wonham, 1987; Cassandras and Lafor- systems. Extensions of controllability for parame- tune, 2004), which denotes the situation that the plant terized languages are proposed in (Chen and Lin, is considered to have successfully completed its ex- 2000; Gaudin and Deussen, 2007). For nonde- ecution. The conditions that define the existence of terministic discrete-event systems, there are several such a supervisor are referred to as (nonblocking) proposed notions, relying on commonly observed controllability conditions. In the setting of this paper traces in (Fabian and Lennartson, 1996; Zhou et al., we will not consider in detail the process of modeling 2006), failure semantics in (Overkamp, 1997), or and ensuring that the (nonblocking) control require- (bi)simulation semantics in (Baeten et al., 2011b). ments hold for the given plant and, instead we refer For nondeterministic extended finite automata with the reader to the model-based engineering framework variables, introduced in (Skoldstam et al., 2007), of (Schiffelers et al., 2009; Markovski et al., 2010). the proposed notion of so-called state controllabil- Depending on the observational power of the su- ity of (Miremadi et al., 2008) relies on an exten- pervisor, we deal with event-based supervision, stud- sion of the work of (Fabian and Lennartson, 1996). ied in (Ramadge and Wonham, 1987), state-based Both works of (Overkamp, 1997) and (Baeten et al., supervision as studied in (Ma and Wonham, 2005; 2011b) rely on preorder behavioral relations to for- Markovski et al., 2010), or data-based supervision mulate the notion of controllability, the former rely- along the lines of (Miremadi et al., 2008; Markovski, ing on failure-trace semantics, whereas the latter is 2012b), respectively. The first approach relies on (bi)simulation-based. Even though, it has been argued building a history of observed events to deduce the that refinements based on these two types of seman- state of the system as suggested in (Cassandras and tics have similar properties, cf. (Eshuis and Fokkinga, Lafortune, 2004), whereas the second and the third 2002), (bi)simulation-based refinements are finer no- approaches employ observers and guards that directly tions that are supported by more efficient algorithms, convey the state of the system to the supervisor in the like (Markovski, 2012a), which have already been vein of (Ma and Wonham, 2005; Markovski, 2012b), employed in a supervisory control setting (Barrett and as depicted in Figure 2. With respect to the control Lafortune, 1998). architecture of Figure 1, the second and the third ap- To capture the notion of controllability, we rely proach suggest that the interface between the layers

439 ICSOFT2013-8thInternationalJointConferenceonSoftwareTechnologies

α ′ ′ α a ′ ′ ′ eδ( ((s,a,s ),X)), if ((s,a,s ),X) ∈ D( ) s −→ s , vδ(γ(s,a,s )) = T, δ (X)= δ(X), otherwise a (s,δ) −→ (s′,δ′) Figure 3: Operational semantics of finite automata with variables on a behavioral preorder termed partial bisimulation, B(V ) we denote Boolean expression over the set of first introduced in the co-algebraic characterization variables V ⊂ V where the atomic propositions are of (Rutten, 2000) and, subsequently, lifted to a pro- given by some set of predefined predicates, the log- cess theory in (Baeten et al., 2011b). In essence, ical constants false F and true T, and the set of stan- we employ this preorder to state a relation between dard logical operators. The obtained Boolean expres- the supervised plant and the original plant allowing sions are evaluated with respect to a given valuation controllable events to be simulated, while requiring vδ : B(V ) →{F,T}, where again δ: V → D(V). that uncontrollable event are bisimulated. This en- Definition 1. A finite automaton with vari- sures that the supervisor does not disable uncontrol- ables G is given by the tuple G = (S,A,V,−→, lable events, while preserving the branching structure γ,α,(s ,δ )), where of the plant. We will show that this notion subsumes 0 0 the notion of state controllability for finite automata • S is a finite set of states; with variables. Moreover, we will show that state • A is a finite set of event labels; controllability is not a preorder and that some plants • V ⊂ V is a finite set of variables; are considered as uncontrollable, even though there exist suitable supervisory controllers. Finally, by em- • −→ ⊂ S × A × S is a labeled transition relation; ploying the proposed notion of controllability, we will • γ: −→→ B(V ) are transition guards; show that it is possible to eliminate spurious plant • α: (−→×V) ⇀ F(V ) is a partial updating func- nondeterminism, i.e., nondeterminism can be elimi- tion; and nated without sacrificing supervised plant behavior. • (s0,δ0) is the initial state s0 ∈ S and initial data assignment δ0 : V → D(V). If the set of variables of a finite automaton with 2 FINITE AUTOMATA WITH variables G, as given by Definition 1, is empty, then G VARIABLES is a standard automaton with labeled transitions. For the transition relations, we will employ infix notation a In order to directly relate our notion of controlla- and write s −→ s′ for (s,a,s′) ∈ −→. bility with previous work, we model nondetermin- The dynamics of the finite automaton with vari- istic discrete-event systems by means of finite au- ables G is given by the transition relation −→ ⊆ tomata with variables. For a full treatment of su- S × (V → D(V)) × A × S × (V → D(V)), which is de- pervisory control theory in a process-theoretic set- termined by the actual evaluation of the guards with ting, we refer to (Baeten et al., 2011b; Baeten et al., respect to the value assignments. In order to keep 2011a; Markovski, 2012b) for event-, state-, and data- track of the updated variable values, we employ the based supervision, respectively. In general, we al- data assignment function δ: V → D(V). Now, the se- low arbitrary variable domains, even though variables mantics of G is given by −→, where initially the au- with finite domains can be eliminated in order to em- tomaton is in state s0 with environment δ0, denoted by ploy more efficient synthesis procedures, as suggested (s0,δ0). The dynamics of (s,δ) is captured by the op- in (Skoldstam et al., 2007). We suppose that the vari- erational rule depicted in Figure 3, following the no- ables are given by the set V, where given a variable tation of structural operational semantics of (Baeten X ∈ V, its domain is denoted by D(X). (Standard et al., 2010), where the premise must hold, so that the arithmetical) expressions over a set of variables V ⊂ V bottom transition can be taken. are denoted by F(V ) and they are evaluated with re- The rule states that a transition is possible if such spect to eδ : F(V) → D(V), where δ: V → D(V) holds labeled transition is defined in the automaton, the the variable assignments. We note that for the sake guard of that transition evaluates to true, whereas the of clarity of presentation, we do not take into con- variables are updated accordingto the partial updating sideration the expressions that do not evaluate within function. It is not difficult to observe that the transi- the variable domain and extensions to inconsistent tion relation −→ induces a labeled transition system processes can be handled by a straightforward exten- with state space S × D(V), set of labels A, and initial sion of the approach of (Baeten et al., 2011a). By state (s0,δ0).

440 ControllabilityforNondeterministicFiniteAutomatawithVariables

′ a ′ (s1,s2), if s1 −→1 s1,a ∈ A1 \ A2 a  ′ a ′ (s1,s2) −→ (s1,s2), if s2 −→2 s2,a ∈ A2 \ A1  ′ ′ a ′ a ′ (s1,s2), if s1 −→1 s1,s2 −→2 s2,a ∈ A1 ∩ A2 γ ′ a ′ 1(s1,a,s1), if s1 −→1 s1,a ∈ A1 \ A2 ′ ′ ′ a ′ γ((s ,s ),a,(s ,s )) =  γ2(s2,a,s ), if s2 −→2 s ,a ∈ A2 \ A1 1 2 1 2  2 2  γ ′ γ ′ a ′ a ′ 1(s1,a,s1) ∧ 2(s2,a,s2) , if s1 −→1 s1,s2 −→2 s2,a ∈ A1 ∩ A2 α ′ ′ (((s1,s2),a,(s1,s2)),X)= α ′ ′ α ′ α 1((s1,a,s1),X), if ((s1,a,s1),X) ∈ D( 1),((s2,a,s2),X) ∈ D( 2) α ′ ′ α ′ α  2((s2,a,s2),X), if ((s2,a,s2),X) ∈ D( 2),((s1,a,s1),X) ∈ D( 1) ′ α ′ α  α ′ ((s1,a,s1),X) ∈ D( 1),((s2,a,s2),X) ∈ D( 2), 1((s1,a,s1),X), if α ′ α ′ 1((s1,a,s1),X)= 2((s2,a,s2),X)  Figure 4: Definition of −→, γ, and α of Definition 3.

′ δ′ δ δ a ′ δ′ ((s1, 1),(s2, 2)), if (s1, 1) −→1 (s1, 1),a ∈ A1 \ A2 a ′ ′ a ′ ′ ((s1,δ1),(s2,δ2)) −→  ((s ,δ ),(s ,δ )), if (s ,δ ) −→ (s ,δ ),a ∈ A \ A .  1 1 2 2 2 2 2 2 2 2 1  ′ δ′ ′ δ′ δ a ′ δ′ δ a ′ δ′ ((s1, 1),(s2, 2)), if (s1, 1) −→1 (s1, 1),(s2, 2) −→2 (s2, 2),a ∈ A1 ∩ A2  Figure 5: Definition of −→ of Proposition 1.

t Definition 2. Given an automaton with variables By (s,δ) −→∗ we denote that there exists (s′,δ′) γ α δ t G = (S,A,V,−→, , ,(s0, 0)), we define the in- such that (s,δ) −→∗ (s′,δ′). Now, the language gen- duced labeled transition system by T(G) = (S × erated by the automaton G is given by L(G), where δ D(V),A,−→,(s0, 0)), where: ∗ t ∗ L(G)= {t ∈ A | (s0,δ0) −→ }. • S × D(V) is a set of states; In order to couple the plant and the supervisor, we • A is the set of events taken over from G; define a synchronous composition of two automata • −→⊆ S × (V → D(V)) × A × S × (V → D(V )) that synchronizes on transitions with the same labels is the instantiated labeled transition relation as and interleaves on the other transitions. We note that, given by the operational rule of Figure 3; and in general, the synchronous composition cannot be • (s ,δ ) is the initial state of the labeled transition defined due to conflicts induced by the partial assign- 0 0 α system induced by the initial state of G and its ini- ment functions . A simple counterexample is the tial variable valuation. situation where two automata need to synchronize on transitions with the same label that update the same If the set of variables is empty, i.e., V 0/, then = variable to two different values, as noted in (Skold- and coincide, provided that the (then trivial) −→ −→ stam et al., 2007). Again, for the sake of clarity, we transition guards are set to be true, and G reduces to a do not consider conflicting situations, which are eas- standard automaton. ily detectable as none of the conditions for the partial In order to define the language generated by au- updating functions in Definition 3 apply. tomaton G, we extend the transition relation −→ to a multistep transition relation −→∗. By A∗ we define the Definition 3. Let G1 = (S1,A1,V1,−→1, γ α δ set of strings made from the labels in A that label the 1, 1,(s01, 0)) and G2 = (S2,A2,V2,−→2, γ α δ transitions of −→∗, where ε denotes the empty string 2, 2,(s02, 0)). The synchronous composi- and st denotes the concatenation of the strings s and t tion of G1 and G2 is given by G1 G2 = γ α δ for s,t ∈ A∗. Now, the multistep transition relation is (S1 × S2,A1 ∪ A2,V1 ∪ V2,−→, , ,((s01,s02), 0)), given by the operation rules (1): where −→, γ, and α are defined in Figure 4, where ∧ denotes logical conjunction. Definition 3 is given directly in terms of automata ε (s,δ) −→∗ (s,δ) with variables, unlike the work of (Skoldstam et al., 2007), where it is given in terms of the underlying δ t ∗ ′′ δ′′ ′′ δ′′ a ′ δ ′ ∗ (s, ) −→ (s , ), (s , ) −→ (s , ) , t ∈ A , a ∈ A labeled transition system. Now, given two finite au- ta . (s,δ) −→∗ (s′,δ′) tomata with variables G1 and G2, we can derive the (1) underlying transition systems T(G1) and T(G2). It is

441 ICSOFT2013-8thInternationalJointConferenceonSoftwareTechnologies

not difficult to show that T(G1 G2) coincides with that keeps the history of the plant as in the original T(G1) T(G2), where the synchronization on the re- setting of (Ramadge and Wonham, 1987; Cassandras lation −→ is defined as for −→. and Lafortune, 2004) or on data observation from Proposition 1. Let G = the plant to make supervision decisions in the vein i of (Miremadi et al., 2008; Markovski, 2012b). In both (Si,Ai,Vi,−→i,γi,αi,(s0i,δ0)) for i ∈ {1,2} be such that G G is well-defined. Let cases, we can assume that the supervisor is given as 1 2 an deterministic automaton (Si × δi,Ai,−→i,(s0i,δ0)) be the underlying la- beled transition systems, where −→i is induced by S = (SS,AS,VS,−→S,γS,0/,(s0S,δ0)), (3) the operational rule of Figure 3 and δi : Vi → D(Vi), for i ∈ {1,2}. Let T(G1) T(G2) = ((S1 × δ1) × where C ⊆ AS ⊆ AP, VS ⊆ VP, and the labeled transi- a ′ a (S2 × δ2),A1 ∪ A2,−→,((s01,δ0),(s02,δ0))), where tion function −→S is such that if s −→S s and s −→S ′′ ′ ′′ ′ ′′ −→ is defined as in Figure 5. Then, T(G1 G2) is s , then s = s for every s,s ,s ∈ SS and a ∈ AS. isomorphic to T(G1) T(G2). We note that the supervisor can choose not to syn- chronize on some uncontrollable event from the plant, The proof of Proposition 1 is meticulous, but but its alphabet must comprise all controllable events straightforward, by showing that the constructions as the supervisor must supply the control signals. Fur- given in Definition 3 form an isomorphic transition thermore, the supervisor has no need of additional system as the one defined in the proposition. It variables, as it does not update any variables, i.e., is worthwhile noting that the definition of −→ in α = 0/. Consequently, there is never a conflict in the Proposition 1 does not impose an additional con- S synchronization between the plant and the supervisor, δ δ a dition for the situation when ((s1, 1),(s2, 2)) −→ and the composition P S is well-defined. If the su- ′ δ′ ′ δ′ δ′ δ′ ((s1, 1),(s2, 2)) that 1 and 2 should coincide on pervisor does not rely on data-based observations, but the common updated variables. This is directly im- employs synchronization of events to keep track of plied by the construction of α in Definition 3. ′ the state of the plant, then additionally γS(s,a,s )= T A direct corollary of Definition 3 and Proposi- for all (s,a,s′) ∈ −→. tion 1 is that the language of the synchronization is an The composition P S models the supervised intersection of the languages of the components of the plant, i.e., the behavior of the controlled system as composition, i.e., L(G1 G2)= L(G1) ∩ L(G2). This given by the supervisory feedback loop of Figure 2. enables a connection with the original supervisory We note that the transition system control theory of finite automata of (Ramadge and Wonham, 1987; Cassandras and Lafortune, 2004). T(P S) = (SP ×SS ×δP,AP,−→,(s0P,s0S,δ0)), (4)

where δP : VP → D(VP) and −→ is defined by the op- erational rule of Figure 3. 3 CONTROLLABILITY To state that the supervisor has no control over the uncontrollable events, the language-based controlla- Given an automaton with a set of labels A, we split bility of the original setting of (Ramadge and Won- the labels to set of controllable C and uncontrollable ham, 1987; Cassandras and Lafortune, 2004) is stated U labels such that C∩U = 0/ and C∪U = A. To model as: the plant we can take an unrestricted finite automaton L(P S)U ∩ L(P) ⊆ L(P S), (5) with variables where L(P S)U denotes the concatenationof the lan- guage of the supervised plant and the set of uncon- trollable labels. Intuitively, the controllability rela- P = (SP,AP,VP,−→P,γP,αP,(s0P,δ0)), (2) tion (5) demands that all uncontrollable events avail- as the uncontrolled system is allowed to have every able in reachable states of the original plant by traces possible type of behavior. We note that the plant is enabled by the supervisor, must also be available in typically obtained as a (well-defined) parallel compo- the supervised plant. This ensures that the supervi- sition of multiple concurrent components, which ulti- sor does not disable any uncontrollable events when mately results in the process modeled by P. forming the supervised plant. The supervisor, however, is required to be a deter- This definition has been subsequently extended ministic process, as it has to send unambiguous feed- to so-called state controllability in (Fabian and back to the plant and it is not allowed to alter the state Lennartson, 1996; Zhou et al., 2006; Miremadi of the plant, i.e., it must not comprise variable assign- et al., 2008) for nondeterministic discrete-events sys- ments, as suggested in (Markovski, 2012b). The su- tems (with variables). Given an automaton G = pervisor can rely either on synchronization of events (S,A,V,−→,γ,α,(s0,δ0)) with a transition relation

442 ControllabilityforNondeterministicFiniteAutomatawithVariables

−→, let E(s,δ) denote the set of enabled transitions Now, putting in parallel plant P and supervised of the state (s,δ) for s ∈ S and δ: V → D(V), i.e., plant P S, leads to automaton P (P S) as de- a E(s,δ)= {a ∈ A | (s,δ) −→}. picted in Figure 6. This parallel composition reveals that states p of P and (p ,s ) of P S are reachable Definition 4. Let P and S be finite automata with 2 3 2 by the same trace. However, state (p ,0/) of the transi- variables, representing the plant and the supervi- 2 tion system T(P) enables the uncontrollable transition sor. A state (s ,(s ,s ),δ ) of the transition system P P S P labeled by u , whereas state ((p ,s ),0/) of transition T(P (P S)) is defined as controllable, if it holds 1 3 2 system T(P S) enables only the uncontrollable tran- that sition labeled by u2. This directly implies that plant P AS ∩U ∩ E(sP,δP) ⊆ E((sP,sS),δP). is state uncontrollable with respect to P S, i.e., it is not state controllable with respect to itself. Thus, state A plant P is state controllable with respect to S if and controllability is not a preorder relation, as plants that only if all reachable states of T(P (P S)) are state have states that enable different sets of uncontrollable controllable. events in states that can be reached by the same trace Intuitively, the parallel composition between of are deemed uncontrollable, despite the existence of a the plant and the supervised plant helps identify all trivial supervisor that enables all transitions. states in the original and the supervised plant that can be reached by the same trace. According to Defini- tion 4, controllable states ensure that all uncontrol- lable events that are synchronized between the plant 4 PARTIAL BISIMULATION and the supervisor, given by A ∩U, that are also en- S We propose to employ the behavioral relation termed abled in the reached plant state (s ,δ ) by following P P partial bisimulation to defined controllability for fi- the same trace, must be enabled in the reached super- nite automata with variables. Partial bisimulation was vised plant state ((s ,s ),δ ). Note that both states P S P first introduced in (Rutten, 2000) to capture language must have the same variable assignment function δ P controllability in a coalgebraic setting. It was lifted as the supervisor has an empty updating function, so in (Baeten et al., 2011b) to a process theory for super- it does not influence the updating of the variables. visory control of nondeterministic discrete-event sys- We note that the definition relies on the underlying tems. Here, we provide an interpretation for finite au- transition system, employing it to identify the neces- tomata with variables and discuss its relationship with sary control actions. It is not difficult to show that state controllability. state controllability implies language controllability, Partial bisimulation is parameterized by a so- as given in (5), for deterministic automata, see (Skold- called bisimulation action set B. The relation requires stam et al., 2007). The key observation is that P P that the labeled transitions of the first transition sys- coincides with P for deterministic systems, implying tem are simulated by the second transition system, that P S can act as a supervisor and lead to the same whereas only the labels of the second transition sys- supervised behavior as S. tem that are in the bisimulation action set B are bisim- Here, we take a closer look at the state control- ulated back by the first one. The intuition behind this lability condition for nondeterministic plants. Con- definition is that the bisimulation action set plays the dition (4) essentially requires that all states that are role of the uncontrollable actions that must always be reachable by the same trace, must also enable the enabled both in the original and the supervised plant, same uncontrollable events. This proves to be too whereas it is sufficient to only simulate controllable strict in some situations. Consider the automata de- events, as these can be restricted by the supervisor. picted in Figure 6, where state names are given in- side the circles, all guards are set to be true, there are Definition 5. Let Ti = (Si,Ai,−→i,s0i) for i ∈{1,2} no variables, the event labeled by c is controllable, be two transition systems. A relation R ⊆ S1 × S2 is whereas the events labeled by u1 and u2 are uncon- said to be a partial bisimulation with respect to a trollable. Suppose that a plant is given by automaton bisimulation action set B ⊆ A2, if for all (s1,s2) ∈ R, P and a supervisor by automaton S. As the supervi- it holds that: a ′ ′ sor does not disable any events, we can assume that 1. if s1 −→ s1 for a ∈ A1 and s1 ∈ S1, then there the control requirements do not restrict the behavior ′ a ′ exist a ∈ A2 and s2 ∈ S2 such that s2 −→ s2 and of the plant, i.e., the supervised plant depicted by au- (s′ ,s′ ) ∈ R; tomaton P S coincides with the plant. In such reflex- 1 2 b ′ ′ ive situations, it is always possible to find a supervi- 2. if s2 −→ s2 for b ∈ B and s2 ∈ S2, then there ex- ′ a ′ sor that simply allows all events of the plant, trivially ist b ∈ A1 and s1 ∈ S1 such that s1 −→ s1 and ′ ′ “controlling” the plant. (s1,s2) ∈ R;

443 ICSOFT2013-8thInternationalJointConferenceonSoftwareTechnologies

P =p1 S =s1 P || S = p1s1 P || (P || S) = p1p1s1

c c c c c cc c

p2 p3 s2 p2s2 p3s2 p2p2s2 p2p3s2 p3p3s2 p3p2s2 u1 u2 u1 u2 u1 u2 u1 u2

p4 p5 s3 s4 p4s3 p5s4 p4p4s3 p5p5s4

Figure 6: A nondeterministic plant P, a deterministic supervisor S, and the resulting state uncontrollable nondeterministic supervised plant P S.

If R is a partial bisimulation relation such that of partial bisimulation is a coarser notion than state (s01,s02) ∈ R, then T1 is partially bisimilar to T2 with controllability of Definition 4. respect to B and we write T1 ≤B T2. IfT2 ≤B T1 holds Theorem 1. Let P and S be finite automata with vari- as well, we write T1 =B T2. ables representing the plant and the supervisor. If P is We note that due to condition 1. of Definition 5, it state controllable with respect to S according to Defi- must hold that A1 ⊆ A2, whereas due to condition 2. nition 4, then relation (6) holds. it holds that B ⊆ A1 as well. It is not difficult to show that partial bisimilarity is a preorder relation (Baeten Proof. Let us assume that P = γ α δ et al., 2011b). In addition, following the guidelines (SP,AP,VP,−→P, P, P,(s0P, 0)) and S = (S ,A ,V ,−→ ,γ ,0/,(s ,δ )). We define of (Rutten, 2000), it can be shown that ≤B is a par- S S S S S 0S 0 tial bisimulation relation with respect to B. Thus, the relation we obtain standard results for the partial bisimulation R = {(((p,s),δP),(p,δP)) | preorder and equivalence, similarly as for the simu- ∗ t ∗ ∃t ∈ A : (p0,(p0,s0),δ0) −→ (p,(p,s),δP)}. lation preorder and equivalence of (Glabbeek, 2001). P Moreover, the partial bisimulation preorder is shown We show that R is a partial bisimulation rela- a precongruencefor the most prominent processes op- tion between T(P S) and T(P) with respect to erations following the guidelines of (Baeten et al., the uncontrollable labels U ⊆ AP. Suppose that δ δ δ 2011b). Finally, we note that T1 =A1∪A2 T2 amounts to (((p,s), P),(p, P)) ∈ R for some states ((p,s), P) ∈ bisimulation, whereas T1 ≤0/ T2 reduces to simulation SP × SS × (VP → D(VP)) and (p,δP) ∈ SP × (VP → preorder and T1 =0/ T2 reduces to simulation equiva- D(VP)). lence, as noted in (Baeten et al., 2011b). δ a ′ ′ δ′ Let ((p,s), P) −→ ((p ,s ), P) for some a ∈ AP. Now, suppose that as before, the plant is given by Then, according to Definition 3 and the operational finite automaton with variables P, whereas the super- rule of Figure 3, either a ∈ AP \ AS or a ∈ AS. In visor is given by S, and the supervised plant is given ′ a the former case, we have that s = s , so (p,δP) −→ by P S. Then, the supervisor may restrict some con- ′ δ′ ′ δ′ ′ δ′ (p , P) and (((p ,s), P),(p , P)) ∈ R. In the lat- trollable events from the plant, whereas all available a ter case, we have that ((p,s),δ ) −→ ((p′,s′),δ′ ) for uncontrollableevents in the reachable states should be P P some s′ ∈ S . However, since the updating function enabled. This can be expressed by requesting that the S of the supervisor S is empty and the action a ∈ A is transition system of the supervised plant is partially S δ a ′ δ′ bisimulated by the transition system of the original synchronizing, we have that again (p, P)−→ (p , P) ′ ′ δ′ ′ δ′ plant with respect to the uncontrollable events, i.e., with (((p ,s ), P),(p , P)) ∈ R. u ′ ′ Now, suppose that (p,δP) −→ (p ,δ ) for some T P S T P . (6) P ( ) ≤U ( ) u ∈ U. Again, either u ∈ U \ AS or u ∈ U. If u ∈ A , then u is not a synchronizing la- It is immediate that T(P)≤U T(P), when P S co- S δ u ′ δ′ incides with P as in the example of Figure 6. It is also bel, implying that ((p,s), P) −→ ((p ,s), P) with ′ δ′ ′ δ′ not difficult to show that for deterministic processes, (((p ,s), P),(p , P)) ∈ R. If u is a synchronizing relation (6) reduces to language controllability of (5), label, then by the condition for controllable states see (Rutten, 2000; Baeten et al., 2011b). Next, we of Definition 4, we have u ∈ E((sP,sS),δP), i.e., δ u ′ ′ δ′ ′ ′ δ′ show that controllability as defined in (6) by means ((p,s), P) −→ ((p ,s ), P) for some ((p ,s ), P) ∈

444 ControllabilityforNondeterministicFiniteAutomatawithVariables

Porig = 1 Pdet = 1

start start

2 2

scan scan pay scan pay reset reset reset next 3 4 next 4≤3

put cancel put cancel put 5 5

Figure 7: Checkout scanner of (Zhou et al., 2006) - A plant with spurious nondeterminism.

′ ′ δ′ ′ δ′ SP ×SS ×(VP → D(VP)) and (((p ,s ), P),(p , P)) ∈ of (Zhou et al., 2006) that employs state controllabil- R, which completes the proof. ity for nondeterministic discrete-event systems, this observation was not possible and the plant Porig is We have shown that every state controllable plant treated as nondeterministic. is also controllable with respect to condition (6). That the inclusion is strict follows immediately from the counterexample of Figure 6. 5 CONCLUDING REMARKS Condition (6) additionally implies that the same supervised behavior given by P S is preserved for We defined a notion of controllability for finite au- ′ ′ every plant P such that P =U P, i.e., we have that tomata with variables based on the behavioral pre- ′ P S =U P S, which is the basis of the algorithms order termed partial bisimulation. We showed that developed in (Markovski, 2012a). This enables us to the proposed notion of controllability subsumes the detect spurious nondeterministic behavior for which prominent previous notion of state controllability, state controllability cannot be applied in general. We which was specifically tailored for nondeterministic given an example from the literature of such nonde- finite automata with variables. Moreover, we showed terministic behavior. that state controllability is not a preorder and that In Figure 7, plant Porig represents a model of a there exist state-uncontrollable plants for which it is faulty automated scanner that makes a shopping list possible to synthesize viable supervisory controllers. of items to be purchased by the user. The scanner is This situation was remedied by the new definition, faulty as sometimes it does not give an option to can- which does not exclude the investigated cases. More- cel a scanned item, e.g., when the user wants to return over, we showed that the proposed setting enables de- the product or just wants to check the price, and in tection of spurious nondeterministic behavior, i.e., it that case the scanner needs to be reset. As suggested is possible to eliminate nondeterministic behavior that in (Zhou et al., 2006) the set of uncontrollable events does not contribute to the behavior of the supervised is given by U = {pay} as payment cannot be avoided, system. even though we also suggest to treat the event put as uncontrollable. The interpretation is that if there is no cancelation ACKNOWLEDGEMENTS of some scanned product, after a possible timeout, it should automatically be placed on the shopping list. The work presented in this paper is sup- It is easily observed that state 4 is partially bisimu- ported by Dutch NWO project ProThOS, no. lated by state 3 and, thus, state 3 can be safely re- 600.065.120.11N124. moved without any loss in behavior (the only situation where state 3 could not be removed arises if the event cancel is uncontrollable, which here is not the case). The resulting deterministic plant Pdet reveals that Porig actually contains no real nondeterministic behavior with respect to controllability. In the original setting

445 ICSOFT2013-8thInternationalJointConferenceonSoftwareTechnologies

REFERENCES Overkamp, A. (1997). Supervisory control using failure se- mantics and partial specifications. IEEE Transactions on Automatic Control, 42(4):498–510. Baeten, J., van Beek, D., van Hulst, A., and Markovski, J. (2011a). A process algebra for supervisory coordi- Ramadge, P. J. and Wonham, W. M. (1987). Supervisory nation. In Proceedings of PACO 2011, volume 60 of control of a class of discrete-event processes. SIAM EPTCS, pages 36–55. Open Publishing Association. Journal on Control and Optimization, 25(1):206–230. Baeten, J. C. M., Basten, T., and Reniers, M. A. (2010). Rutten, J. J. M. M. (2000). Coalgebra, concurrency, and Process Algebra: Equational Theories of Communi- control. In Proceedings of WODES 2000, pages 31– cating Processes, volume 50 of Cambridge Tracts in 38. Kluwer. Theoretical Computer Science. Cambridge University Schiffelers, R. R. H., Theunissen, R. J. M., Beek, D. A. v., Press. and Rooda, J. E. (2009). Model-based engineering of supervisory controllers using CIF. Electronic Com- Baeten, J. C. M., van Beek, D. A., Luttik, B., Markovski, munications of the EASST, 21:1–10. J., and Rooda, J. E. (2011b). A process-theoretic ap- proach to supervisory control theory. In Proceedings Skoldstam, M., Akesson, K., and Fabian, M. (2007). Mod- of ACC 2011, pages 4496–4501. IEEE. eling of discrete event systems using finite automata with variables. In Proceedings of CDC 2007, pages Barrett, G. and Lafortune, S. (1998). Bisimulation, the su- 3387–3392. IEEE. pervisory control problem and strong model matching for finite state machines. Discrete Event Dynamic Sys- Zhou, C., Kumar, R., and Jiang, S. (2006). Control of non- tems, 8(4):377–429. deterministic discrete-event systems for bisimulation equivalence. IEEE Transactions on Automatic Con- Cassandras, C. and Lafortune, S. (2004). Introduction to trol, 51(5):754–765. discrete event systems. Kluwer Academic Publishers. Chen, Y.-L. and Lin, F. (2000). Modeling of discrete event systems using finite state machines with parameters. In Proceedings of CCA 2000, pages 941 –946. Eshuis, R. and Fokkinga, M. M. (2002). Comparing refine- ments for failure and bisimulation semantics. Funda- menta Informaticae, 52(4):297–321. Fabian, M. and Lennartson, B. (1996). On non- deterministic supervisory control. Proceedings of the 35th IEEE Decision and Control, 2:2213–2218. Gaudin, B. and Deussen, P. (2007). Supervisory control on concurrent discrete event systems with variables. In Proceedings of ACC 2007, pages 4274 –4279. Glabbeek, R. J. v. (2001). The linear time–branching time spectrum I. Handbook of Process Algebra, pages 3– 99. Leveson, N. (1990). The challenge of building process- control software. IEEE Software, 7(6):55–62. Ma, C. and Wonham, W. M. (2005). Nonblocking Super- visory Control of State Tree Structures, volume 317 of Lecture Notes in Control and Information Sciences. Springer. Markovski, J. (2012a). Coarsest controllability-preserving plant minimization. In Proceedings of WODES 2012, pages 251–258. IFAC. Markovski, J. (2012b). Communicating processes with data for supervisory coordination. In Proceedings of FO- CLASA 2012, volume 91 of EPTCS, pages 97–111. Open Publishing Association. Markovski, J., van Beek, D. A., Theunissen, R. J. M., Ja- cobs, K. G. M., and Rooda, J. E. (2010). A state-based framework for supervisory control synthesis and ver- ification. In Proceedings of CDC 2010, pages 3481– 3486. IEEE. Miremadi, S., Akesson, K., and Lennartson, B. (2008). Extraction and representation of a supervisor using guards in extended finite automata. In Proceedings of WODES 2008, pages 193–199. IEEE.

446