Sampled-data supervisory control

Discrete Event Dyn SystDOI 10.1007/s10626-013-0172-4

Sampled-data supervisory control

Ryan J. Leduc Yu Wang Fahim Ahmed

Received: 10 April 2011 / Accepted: 10 October 2013 Springer Science+Business Media New York 2013

Abstract This paper focuses on the issues related to the implementation of theo-retical timed discrete-event systems (TDES) supervisors, and the concurrency andtiming delay issues involved. In particular, we examine issues related to implement-ing TDES as sampled-data (SD) controllers. An SD controller is driven by a periodicclock and sees the system as a series of inputs and outputs. On each clock edge (tickevent), it samples its inputs, changes state, and updates its outputs. We identify a setof existing TDES properties that will be useful to our work, but not sufficient. Weextend the TDES controllability definition to a new definition, SD controllability,which captures several new properties that will be useful in dealing with concurrencyissues, as well as make it easier to translate a TDES supervisor into an SD controller.We present controllability and non-blocking results for SD controllers.

Keywords Timed discrete-event systems Supervisory control Sampled-data controller Moore finite state machine

1 Introduction

In the area of discrete-event systems (DES) (Ramadge and Wonham 1987; Wonhamand Ramadge 1987; Wonham 2008), a lot of effort has been devoted to studyingstandard properties such as nonblocking and controllability in a theoretical setting.

Initial work on this topic was begun during Leducs doctorate under Prof. W. M. Wonham,and in collaboration with Dr. Bertil A. Brandin.

R. J. Leduc (B) Y. Wang F. AhmedDepartment of Computing and Software, McMaster University, Hamilton, ON, Canadae-mail: [email protected]

Y. Wange-mail: [email protected]

F. Ahmede-mail: [email protected]

Discrete Event Dyn Syst

However, limited effort has been made in investigating what an implementation ofa DES supervisor would be like, whether we can guarantee that it will retain thecontrollability and nonblocking properties of the theoretical supervisor, and how tohandle timing delay and concurrency issues inherent in an implementation.

1.1 Sampled-data controllers

A good implementation method for DES supervisors would be as sampled-data (SD)controllers. An SD controller is driven by a periodic clock and sees the system as aseries of inputs and outputs. On each clock edge, it samples its inputs, changes state,and updates its outputs. An example of an SD controller is a Moore synchronousfinite state machine (FSM) (Brown and Vranesic 2008). For simplicity, we willassume inputs and outputs of an SD controller can take the values of true orfalse. In this paper, we will focus on the timing and concurrency issues involved inimplementing timed DES (TDES) (Brandin 1993; Brandin and Wonham 1994) asSD controllers.

When we are using an SD controller to manage a given system, we associate aninput with each event, and an output with each non-tick controllable event. Weconsider an event to have occurred when its corresponding input has gone trueduring a given clock period. We consider a controllable event to be enabled when itscorresponding output has been set true by the controller, disabled otherwise. Finally,we associate the clock edge that drives the SD controller with the TDES tick ( )event.

These definitions have several ramifications. For an SD controller, its outputs area function of its current state. As the controller only changes state on a clock edge,this means its enablement and forcing information changes on the clock edge andthen must stay constant for the entire clock period.

Also, an SD controller does not know an event has occurred until the next clockedge, and then it has no information on the order or number of occurrences of events.The only ordering information that remains is which sampling period (clock period)a given event occurred in.

As an example, consider Fig. 1. We see on the third rising edge of the clock, the SDcontroller knows that both events Event1 and Event2 have occurred, but not whichcame first. This means that the SD controller cant tell the difference between thestrings Event1-Event2- , or Event2-Event1- . This means the controller must takethe same control action after both strings, now and in the future.

Fig. 1 Event samplingexample


Concurrency and timing issues arise when implementing TDES as SD controllerssince TDES assume that events occur in an interleaving fashion (i.e. we can al-ways determine event ordering), we know immediately when events occur, andenablement and forcing occur immediately (i.e. no communication delay). Theseassumptions are false in general for SD controllers. Also, due to variations in how anSD controller is implemented, the occurrence of a forced event in a specified clockperiod will vary and could possibly occur in any order relative to the other eventsoccurring in the same clock period. These issues have ramifications with respect tocontrollability, plant model correctness, and the SD controllers ability to determinewhich state the TDES system currently is in.

Another issue is which event (when there is a choice) should the controllergenerate/force, and in which clock period should the event be forced? If there aremultiple events to choose from, how does the controller choose which to forceand in which order? This is important as different choices could affect whether thecontroller blocks or not. If an event is enabled for multiple sampling periods, howdoes the controller decide in which sampling period to force the event? Besidesblocking issues, this uncertainty makes the translation from TDES supervisor tocontroller ambiguous, which is undesirable.

Finally, if an SD controller is forcing multiple events (say and ) to occur inthe same clock period, these events may only actually occur (due to design or timingconstraints) in a specific order (say only), even though the TDES model saysthey can occur in multiple orderings (say as well). This means a TDES could benonblocking, but its SD controller implementation could block.

In this paper, we examine a system consisting of a TDES plant G and a TDES su-pervisor S. For this system, we will introduce a new set of properties that will addressthe above issues. They will also make our TDES supervisors more consistent withSD controllers, making them easy to translate. These properties provide sufficientconditions, but in general they are not necessary conditions as one can find specificexamples that fail the conditions but still can be implemented safely. The goal was tofind a set of reasonable conditions that would provide the desired results for a broadrange of systems.

In Section 2, we discuss TDES preliminaries, including introducing some existingTDES related properties that we will need. Section 3 introduces the sampled-datasetting, including an informal translation method to convert our supervisor, S, intoan SD controller, C. We also introduce a new property, sampled-data controllability,which is the focus of this paper and our primary means to address the concerns raisedin this section.

In Section 4, we present our main controllability and nonblocking results for SDcontrollers. Since an SD controller only changes state when a tick occurs, its controlaction is difficult to relate directly to strings. The simplest way to capture the controlaction of our SD controller C, in terms of strings, was to define a correspondingsupervisor control, V. V expresses the enablement and forcing behavior of our SDcontroller, not that of S. As our earlier discussion shows, the control action of ourcontroller could be quite different than that of S. We then show that if our TDESplant and supervisor satisfy our new properties, then the closed-loop behavior of Gand our SD controller, represented as L(V/G), will be the same as the closed-loopbehavior of S and G.

Also in this section we show that if our TDES plant and supervisor satisfy our newproperties and the TDES system is nonblocking, then our plant and SD controller


together will also be nonblocking. This is true even if our TDES model says thatmultiple strings, identical up to event ordering, are possible in a given samplingperiod, but only some of those strings are physically possible under the SD controller.The results of this section tell us that if our TDES plant and supervisor satisfy ournew properties, then the resulting SD controller will behave as we expect with respectto nonblocking and control action.

We conclude the paper with our conclusions and suggestions for future work.

1.2 Related work

For a discussion on early results for communication and concurrency issues foruntimed DES, see Li (1986) and Pai (1990). In the sampled-data setting, if the sameevent occurs once or multiple times in the same sampling period, an SD controllerwill not be able to detect the difference. In Basile and Chiacchio (2007), the authorsrequire that the system have the property that an event cannot be generated morethan once during a sampling period. The paper also discussed the loss of orderinginformation when events occur in the same sampling period. To handle these timingrelated issues, the author adds a dispatcher to the existing supervisor to solve theproblems that could occur when event ordering cannot be ignored. The modelis implemented based on Petri nets and an algorithm to translate the Petri Netimplementation into a programming language is provided.

In Brandin et al. (1991), Brandin (1993, 1996), the authors describe an industrialapplication of applying DES theory to manufacturing cells. In Leduc (1996), theauthor investigated implementing DES as Moore finite state machines (FSM) andcreated a programmable logic controller (PLC) (Bolton 2006) implementation byhand for his example. The idea of implementing TDES as SD controllers wasmotivated by this work. Many of the implementation issues that are addressed inthis paper were identified by Leduc while working on Leduc (1996). Nourelfath andNiel (2004) discuss translating DES into PLC programs. They first convert automatainto the Grafcet language, which describes the specification of logic controllers. Theythen translate the Grafcet language into a PLC program.

In Fabian and Hellgren (1998), the authors discussed the implementation ofuntimed supervisory control theory (SCT) for PLC based control systems. Theypointed out five main concerns when moving from asynchronous, finite automata tothe synchronous nature of PLC system. They are the avalanche effect (a single eventoccurrence is incorrectly recognized as multiple occurrences), the simultaneous eventproblem (events occurring close together such that event ordering is lost), causality(who generates a specific event, the plant or controller?), choice (when multipleevents can be generated, the controller must make a choice), and inexact synchro-nization (delay between when an event occurs in the plant and is observed by thesupervisor). The authors believe that it is likely that a correct PLC implementationwill only be possible if and only if the supervisor has a delay insensitive (Balemi 1992)and interleave insensitive (Fabian and Hellgren 1998) language.

In Roussel and Giua (2005), the authors discuss issues related to implementingDES on programmable logic controllers. In particular, they asserted that a properlevel of abstraction is required in order to translate the DES models into controllers.They presented a technique to verify if the abstraction level chosen for the plantmodel is correct while applying SCT to the design of a controller for an automatic


gate. An important aspect of their approach is that only events that correspond toinputs and outputs of the PLC should appear in the plant model.

In Cantillo et al. (2007), the authors discussed the application of SCT and coloredPetri nets formalism for modeling a flexible manufacturing system. The paper showsa good integration of both formalisms where SCT is used to synthesize supervisorsand colored Petri nets are used to introduce determinism to the transport system andmanage the routing of each product.

In de Queiroz and Cury (2002), the authors discussed a local modular approach togenerate the control program for the PLC controlled manufacturing cell. The authorspropose a three-level program structure that is applied to the reduced, local, modularsupervisors. This approach, along with a supervisor minimization algorithm, wasused to produce advantageous results for synthesis and implementation of optimalsupervisory control programs. However, the test for modularity would likely notscale well.

In Dragert et al. (2008), DES theory is used as a tool to assist in the development ofconcurrent software. The authors describe an approach to generate program sourcecode for currency control from specifications. The approach takes portions of codethat do not contain concurrency control code, but instead contain markup thatdescribes the behavior of events in the code that are relevant to the specification. Asupervisor is generated from this information and then converted into concurrencycontrol code.

A real world application of DES supervisory control is given in Giua and Seatzu(2008), where Petri Nets are used to model railway networks.

In Malik (2003), the authors note that even if the untimed DES supervisor isnonblocking for the plant, this does not mean that the controller implementationis nonblocking as well. To ensure a controller is nonblocking, the authors studiedseveral different methods for implementing controllers. The author suggested condi-tions to be satisfied for the implemented controllers to be nonblocking.

Another practical issue for implementing controllers is communication. InSchmidt and Schmidt (2008), the authors study the communication between modularand decentralized supervisors on a switched network. In Xu and Kumar (2008), theauthors resolve communication issues by introducing an asynchronous implementation.

An alternate approach for dealing with timing and concurrency is to use synchronouslanguages (Halbwachs 1993; Benveniste et al. 2003), such as Signal, Esterel, andLustre. These languages use a common mathematical foundation that unites de-terministic concurrency with synchrony (time is divided into distinct units) and arecommonly used to model, specify, validate, and implement real-time embedded systems.

2 Preliminaries

Below, we present a summary of the DES terminology that we use in this paper.Please see Wonham (2008) for more details.

2.1 Strings and languages

Let be a finite set of distinct symbols (events), and let + be the set of nonempty,finite sequences of events. Let := + {}, where is the empty string. Let L


be a language over . A string t is a prefix of s (written t s) if s = tu, forsome u . The pref ix closure of language L (denoted L) is defined as L = {t | t s for some s L}. Let Pwr() denote the set of all possible subsets of .

For , natural projection P : denotes the operation that deletesall events not in from strings. For language L , the eligibility operator EligL : Pwr() is given by EligL(s) := { |s L} for s .

Definition 2.1 The Nerode equivalence relation over mod L is defined for s, t as: s L t iff (u )su L tu L.

2.2 Timed DES

Timed DES (TDES) (Brandin 1993; Brandin and Wonham 1994) extends untimedDES theory by adding a new tick ( ) event, corresponding to the tick of a globalclock. The event set of a TDES contains the tick event as well as other non-tickevents called activity events (act).

A TDES automaton is represented as a 5-tuple G = (Q, , , qo, Qm) whereQ is the state set, = act { } is the event set, the partial function : Q Q is the transition function, qo is the initial state, and Qm is the set ofmarker states. We extend to : Q Q in the natural way. The notation(q, s)! means the transition is defined. The closed behavior of G is defined to beL(G) := {s | (qo, s)!}. The marked behavior is defined as Lm(G) := {s L(G)|(qo, s) Qm}.

Definition 2.2 A DES G is said to be nonblocking if

Lm(G) = L(G)

TDES contain forcible (for), and prohibitable events (hib). Forcible events arenon-tick events which can be relied upon to preempt tick, when needed. The methodused by a TDES supervisor to indicate that an event for should be forced(made to occur before the next tick) at a given state, is to disable tick at this state.This has the effect of removing the now impossible behavior that tick could occurbefore .

Prohibitable events are non-tick events that can be disabled. The set of control-lable events are c = hib { }, and the uncontrollable events are u = c. Indiagrams, controllable events are indicated by a slash across the transition arrow.

The reachable state subset of DES G, denoted Qr, is: Qr := {q Q| (s ) (qo, s) = q}. A DES G is reachable if Qr = Q. We will always assume that aDES is reachable, has a finite state and event set, and is deterministic.

Definition 2.3 For Gi = (Qi, , i, qo,i, Qm,i) (i = 1, 2), we define the product of thetwo DES as:

G1 G2 := (Q1 Q2, , 1 2, (qo,1, qo,2), Qm,1 Qm,2),where 1 2 : Q1 Q2 Q1 Q2 is given by (1 2)((q1, q2), ) :=(1(q1, ), 2(q2, )), whenever 1(q1, )! and 2(q2, )!.


We note that L(G1 G2) = L(G1) L(G2) and Lm(G1 G2) = Lm(G1) Lm(G2).

Definition 2.4 For Gi = (Qi, i, i, qo,i, Qm,i) (i = 1, 2), we define the synchronousproduct G = G1||G2 of the two DES as:

G := (Q1 Q2, 1 2, , (qo,1, qo,2), Qm,1 Qm,2),where ((q1, q2), ) is only defined and equals

(q1, q2) if (1 2), 1(q1, ) = q1, 2(q2, ) = q2 or

(q1, q2) if 1 2, 1(q1, ) = q1 or(q1, q2) if 2 1, 2(q2, ) = q2.

For the definitions given in this paper, we assume that our plant G and supervisorS are always combined with the product DES operator, thus our closed-loop systemis G S. If we instead combined G and S with the synchronous product operator,our closed-loop system would be G||S. To use our definitions in this setting, wecan construct G and S by adding selfloops to each DES to extend them over thecombined alphabet . We can then apply, for example, Definition 3.5 to thesenew DES.

Definition 2.5 Language K L(G) is controllable with respect to G if for all s K,

EligK(s){

EligL(G)(s)(u{ }) if EligK(s) for =EligL(G)(s) u if EligK(s) for =

Definition 2.6 Supervisor S is controllable with respect to G if for all s L(S) L(G),

EligL(S)(s){

EligL(G)(s)(u{ }) if EligL(S)L(G)(s) for =EligL(G)(s) u if EligL(S)L(G)(s) for =

Definition 2.7 A supervisory control for G is a map V : L(G) Pwr(), such that,for each s L(G),

V(s) {

u ({ } EligL(G)(s)) if V(s) EligL(G)(s) for = u if V(s) EligL(G)(s) for =

Definition 2.8 We write V/G to represent G = (Y, , , yo, Ym) under the supervi-sion of V. The closed behavior of V/G is defined to be L(V/G) L(G) such that1. L(V/G);2. if s L(V/G), V(s) and s L(G), then s L(V/G);3. no other strings are in L(V/G).

2.3 TDES properties

We now introduce several existing TDES conditions that will be useful. The firstensures that TDES do not allow a tick event to be indefinitely preempted byactivity events.


Definition 2.9 TDES G = (Q, , , q0, Qm) is activity-loop-free (ALF) if(q Qr)(s +act)(q, s) = q

An example that fails the ALF property is shown in Fig. 2 where the loop couldindefinitely preempt the tick event from occurring.

The proposition below states that if each TDES is ALF, their synchronous productwill also be ALF. This allows us to check each TDES separately. As the product DESoperator is a special case of the synchronous product, this result applies to it as well.

Proposition 2.1 For TDES G1 = (Q1, 1, 1, q0,1, Qm,1) and G2 = (Q2, 2,2, q0,2, Qm,2), if G1 and G2 are each ALF, then their synchronous productG = G1||G2, is ALF.

Proof See proof in Wang (2009). unionsq

The proposition below says that if one TDES is ALF and contains all events in theevent set of the second TDES, then the synchronous product of the two is also ALF.This is useful as typically the plant is ALF, but the supervisor is not. Combined withthe above proposition, this means that as long as the supervisor does not introduceany new events, we can simply check that each plant component is ALF.

Proposition 2.2 Let G1 = (Q1, 1, 1, qo,1, Qm,1) and G2 = (Q2, 2, 2, qo,2, Qm,2)be two TDES. If G1 is ALF and 1 2, then G1||G2 is also ALF.


We will also require that our plant TDES have proper time behavior, as definedby Wong and Wonham (1996).

Definition 2.10 TDES G has proper time behavior if

(q Qr)( u { }) (q, )!

In other words, at each reachable state either a tick event or an uncontrollableevent must be possible. This ensures that a TDES can never express that a pro-hibitable event must occur before the next tick since a supervisor could disable thatprohibitable event, thus stopping the clock.

Figure 3 shows a portion of a plant TDES that does not have proper time behavior.The reason is that after the first tick event, neither an uncontrollable event or a tickare possible, only the prohibitable event which could be disabled by a supervisor.

Fig. 2 System with activityloop


Fig. 3 Non proper time behavior example

Our next proposition says that the stated conditions are sufficient to guaranteethat at every reachable state of the TDES, we can always do a tick event after atmost a finite number of activity events. In other words, our plant TDES will neverstop the clock.

Proposition 2.3 If a TDES G = (Q, , , q0, Qm) has a f inite state space, is ALF andhas proper time behavior, then

(q Qr)(s act) (q, s)!

Proof Assume that G has a finite state space, is ALF, and has proper time behavior.Let q Qr.As G has a finite, nonempty, state space: (n {1, 2, . . .}) n = |Q|As G is ALF, it follows that:

(s act)(q Qr) [|s| n 1] [(q, s) = q] [( act) (q, ) !]As u act and G has proper time behavior, we have: (q, s)! unionsq

We now provide a result that says that the stated conditions are sufficient toguarantee that for the closed-loop behavior, we can always do a tick event after atmost a finite number of activity events.

Proposition 2.4 If TDES plant G = (Y, , , y0, ym) and TDES supervisor S =(X, , , xo, Xm) both have f inite state spaces, G has proper time behavior, G S =(Q, , , q0, Qm) is ALF, and S is controllable for G, then

(q Qr)(s act) (q, s)!

Proof Assume initial conditions.Let q Qr.As G and S have finite, nonempty state spaces, it follows that G S has a finite,

nonempty state space. Let n = |Q|.As G S is ALF, it follows that:

(s act)(q Qr) [|s| n 1] [(q, s) = q] [( act) (q, ) !]As u act, we have: ( u) (q, ) !.As S is controllable for G, this implies G has no uncontrollable events defined

at q.As G has proper time behavior, it thus has defined at q.As for act and S is controllable for G, S cant disable at this state, thus:

(q, s)! unionsq

Controllable events often are part of the supervisors implementation and canoccur when we want them to Balemi (1994). However, a plant might be modeled


more restrictively in order to make the system easier to model or understand. Wehave modified Balemis definition to only use prohibitable events.

Definition 2.11 Let TDES G be a plant and TDES S be a supervisor. G is completefor S if

(s L(G) L(S))( hib)s L(S) s L(G)

3 Sampled-data controllers

In this section, we will examine the behavior of SD controllers in more detail.

3.1 Assumptions

We make the following assumptions about our system. It is the designers responsi-bility to ensure that they are met.

1. The set of prohibitable events is exactly equal to the set of forcible events (i.e.for = hib) for our system. This is a reasonable assumption that will greatlysimplify things. This is essentially a modeling issue. For example, we can alwaysmodel our forcing signal to the plant as the forcible, controllable event. Theoriginal event becomes an uncontrollable event that cant occur before ourforcing signal occurs, and then it must occur before the next clock tick.

2. Enabling a prohibitable event means we should force the event during thecurrent clock period. We only allow it to occur once per clock period.

3. Our SD controllers will be implemented centrally with a common clock, suchthat they all sample inputs, and update outputs at the same time. We also assumethat our controllers generate all prohibitable events thus we dont have to worryabout communication delay with respect to event enablement/disablement.Again, this is essentially a modeling issue.

4. We assume an event has occurred when its input goes true unless this occursso close to the clock edge, it shows up in the next sampling period. In that case, itoccurs immediately after the clock edge. This should be reflected in the systemmodel.

5. When we force an event in a given sampling period, it occurs sometime duringthat clock period. We make no assumptions about exactly when during theclock period the event occurs, and note that timing may vary by controllerimplementation.

6. The length of a given input pulse for an event is such that the controller willnever miss it (i.e. pulse length was shorter than clock period and falls betweenclock edges), or interpret the event as occurring more times than intended (i.e.event physically occurs once but pulse length was longer than clock period and isseen at two or more clock edges). This might require the designer to preprocessthe input signal to satisfy this constraint. Figure 4 shows a correct input pulse(Event 1), one that is too short (Event 2), and one that is too long (Event 3).

Applicable systems should not find Assumptions 1, 2, 5, and 6 very restrictive.Assumptions 3 and 4 partially address timing delay issues and likely will be removedin future work.


Fig. 4 Assumption 6 example

Clock

Event 1

Event 2

Event 3

3.2 Sampled-data preliminaries

For SD controllers, we identify a tick event with the clock edge that the SD controlleruses for sampling and state change. This means the strings an SD controller canobserve are and strings ending with a tick. The reason is included is that itrepresents the initial state of the system, which is usually known. We refer to thesestrings as sampled strings, defined as:

Lsamp = . {}

An SD controller changes state after each clock edge (tick). Its next state isdetermined by all the strings that can occur containing a single tick event at the end,since the last tick event. We refer to such strings as concurrent strings, defined as:

Lconc = act. LsampWe note that if events occur in different sampling periods, we can distinguish

which event occurred first. However, if two events occur in the same concurrentstring, we cant distinguish order. This means we only consider events in the sameconcurrent string as occurring concurrently.

Sampled strings represent observable points in the system. If the controller isimplementing TDES supervisor S = (X, , , xo, Xm), states reached from the initialstate by sampled strings represent states in S that are at least partially observable. Werefer to such states as sampled states, defined as:

Xsamp = {x X| (s L(S) Lsamp) x = (xo, s)}

However, if two concurrent strings contain the exact same events but in differentorder and/or number, they are indistinguishable to the controller. To capture thisuncertainty, we define the occurrence operator. It takes a string and returns the setof events (the occurrence image) that make up the string.

Definition 3.1 For s , the occurrence operator, Occu : Pwr(), is defined as:

Occu(s) := { | s ..}

In the SD controller definition below, we represent the input and output ofthe controller as Boolean vectors. A Boolean vector is a vector whose individualelements can only be assigned the values of true (1) or false (0).


Definition 3.2 We define an SD controller C as the tuple

C = (I, Z , Q, ,, qres)where:

I is the set of possible Boolean vectors that the inputs to our controller can takeon. Each vector i = [i0, i1, .., iv1] I has v input variables. Each element of icorresponds to a unique activity event in our system. When an element is set to1, this means the corresponding event has occurred at least once in the previousclock period, otherwise it is set to 0.

Z is the set of possible Boolean vectors that the controller outputs can take on.Each vector z = [z0, z1, .., zr1] Z has r output variables. Each element of zcorresponds to a unique prohibitable event in our system. When an element isset to 1, this means that corresponding event is enabled and that the controllerwill make the event occur before the next clock tick, where 0 means it is disabled.Note that for the controller, both enabling and forcing a prohibitable eventare indicated by setting the corresponding element of z to 1. Also, forcing andenablement of an event is constant for the controller for the given samplingperiod.

Q is the set of possible Boolean vectors that the state of the controller can takeon. Each vector q = [q0, q1, .., ql1] Q has l state variables.

State qres Q is the initial (reset) state for when the controller starts operatingor is reset.

: Q I Q is the next-state function and is a total function. : Q Z is the state-to-output map.

Essentially, we are modelling the SD controllers as Moore synchronous finite statemachine (FSM) (Brown and Vranesic 2008). For an example of how an SD controllermight be implemented on a programmable logic controller (PLC) (Bolton 2006),see Leduc (1996). For a detailed discussion of the SD controllers formal model, seeWang and Leduc (2012). In Wang and Leduc (2012), one will also find a detailedformal translation method to convert a TDES supervisor into an SD controller. Wewill only present an informal translation method here which should be sufficient forour purposes. We will use the supervisor shown in Fig. 5a to illustrate the translationsteps.

Translation method

1. To convert TDES S = (X, , , xo, Xm) into SD controller C, our first step isto define the input and output sets, I, and Z . As they represent all possibleassignments of Boolean vectors, we first need to define the size (number of ele-ments/variables) of each vector. The size of each input vector i I is defined tobe v = |act|. The size of each output vector z Z is defined to be r = |hib|. Thenext step is to identify each element of vectors i = [i0, i1, .., iv1] I to a uniqueactivity event, and to identify each element of vectors z = [z0, z1, .., zr1] Z toa unique prohibitable event.For the example in Fig. 5a, we have act = {1, 2, 1, 2, , }, and hib ={1, 2, 1, 2}. This gives v = 6 and r = 4. We identify the elements i0, i1, .., i5with 1, 2, 1, 2, , and the elements z0, z1, .., z3 with 1, 2, 1, 2. For


Q=[0, 0]Z=[1,1,0,0]

Reset

DEF

Q=[0, 1]Z=[0,0,0,0]

[1,1,0,0,0,0] [0,0,0,0,1,0]

DEF

Q=[1, 0]Z=[0,0,1,1]

[0,0,0,0,0,1]

[0,0,1,1,0,0]

DEF

(a) Original TDES (b) FSM Translation

Fig. 5 SD controller translation example

example, input vector [1, 1, 0, 0, 0, 0] I means that only events 1, and 2occurred since the last clock tick. Also, output vector [0, 0, 1, 1] Z means thatonly prohibitable events 1, and 2 are enabled in the current clock period.

2. Next we define the controllers state set, Q. We need to define the size of thestate vectors, l, so that a state vector is large enough to encode a value for eachsampled state x Xsamp X. We thus choose l to satisfy 2l1 < |Xsamp| 2l . Wethen identify each sampled state x Xsamp of our supervisor with a unique stateq Q. We note that if |Xsamp| < 2l , then Q will contain some vector assignmentsthat do not correspond to sampled states, but they will be unreachable. Next, wedefine the controllers initial state, qres, to be equal to the state q Q that weassociated with the supervisors initial state, xo. Finally, we can define the stateset mapping function, : Xsamp Q, which has (xo) = qres. For simplicity, wewill typically assume that Q has no unused states and that is bijective. If Qdoes have unused states, we can restrict to the set of controller states we haveassociated with sampled states, and we get our desired bijective function.We see that the sampled states of the supervisor in Fig. 5a are states I (initialstate), W and D (only other states with incoming tick event). As 21 < 3 22, wetake l = 2. We then equate the states of our SD controller (FSM) in Fig. 5b asqres = [0, 0] to I, [0, 1] to W and [1, 0] to D. We note that the remaining fourthstate, [1, 1] I, is unused.

3. We next define our state-to-output map, . For a given sampled state x Xsamp of our supervisor, let enb := { hib| (x, )!}. If state q Q is thecontroller state that corresponds to state x, we would then define (q) = z =[z0, z1, .., zr1] such that each element zi (i = 0, . . . , r 1) would be set to zerounless i enb, where i the the corresponding prohibitable event for zi, inwhich case zi would be set to one.In Fig. 5a, the only prohibitable events defined at sampled state I are 1, and2. We thus set ([0, 0]) = [1, 1, 0, 0]. The remaining values of for states [0, 1]


and [1, 0] can be seen in Fig. 5b. We can set ([1, 1]) arbitrarily as state [1, 1] isunused and unreachable.

4. Finally, we define our next-state function, . For each sampled state x Xsampof our supervisor, let q Q be the unique controller state associated with x(i.e. (x) = q). Let CB(x) := {s Lconc| (x, s)!} be the set of concurrent stringsdefined at state x. For each string s CB(x), let i = [i0, i1, .., iv1] I be the inputvector that corresponds to the occurrence image of s, Occu(s). This means thateach element i j ( j = 0, . . . , v 1) of i would be set to zero unless j Occu(s),where j the the corresponding activity event for i j, in which case i j wouldbe set to one. We would then define (q, i) = ((x, s)). We note that anyremaining combinations of q Q and i I not defined in the above processrepresent either unused states in the controller, or combinations of concurrentstrings that can not occur at the corresponding sampled state. We can thus define(q, i) arbitrarily. If q is associated with a sampled state, we typically define(q, i) = q to make the design more robust.Examining state I ([0, 0]) in Fig. 5a, we see that the only concurrent stringsleaving it are 12 and 21 , which takes us to state W ([0, 1]). As Occu(12) = Occu(21) = {2, 1, }, the corresponding input vector is [1, 1, 0, 0,0, 0]. We would thus define ([0, 0], [1, 1, 0, 0, 0, 0]) = [0, 1]. The remainingtransitions for defined sampled state and concurrent string pairs are shown inFig. 5b. The transitions leaving unused state [1, 1] are defined arbitrarily. As isa total function, we usually have to add to diagrams a DEF, or default transition,to cover input combinations that we have not explicitly specified (i.e. it matchesall remaining unspecified input combinations), as shown in Fig. 5b. This is donesolely as a shorthand to keep the diagram uncluttered.

We note that our translation method states that enablement and forcing informa-tion for a sampling period is completely defined by the sampled state reached by thelast tick event. Essentially, every prohibitable event enabled at this state is enabledfor the entire sampling period, and the controller will force every one of them tooccur before the next tick. This makes it easy to extract this information from thesupervisor and ensures that if multiple prohibitable events are available to be forced,there is no uncertainty on which one to generate; they all must occur.

Clearly, our translation method will not work if two concurrent strings withthe same occurrence image are possible at a given sampled state, but they leadto different states in S. To ensure this doesnt happen, we require our TDES beconcurrent string deterministic. This will ensure that our translated controller willbe deterministic.

Definition 3.3 A TDES S = (X, , , xo, Xm) is concurrent string (CS) determinis-tic, if

(s L(S) Lsamp)(s, s Lconc) [ss, ss L(S) Occu(s) = Occu(s)]

[ss L(S) ss ss Lm(S) ss (xo, ss) = (xo, ss)]

In Fig. 6, we see part of a TDES that is not CS deterministic. For this example, wecan merge states xand x and use the minimal version for our translation. If the twostates were not equivalent, we would not be able to translate it at present.


(a) (b)Fig. 6 CS deterministic example

We can now present the proposition below which will be useful later in provingTheorem 4.1.

Proposition 3.1 For CS deterministic supervisor S = (X, , , xo, Xm), let C =(I, Z , Q, ,, qres) be the SD controller that is constructed from S.

(s L(S) Lsamp)String s will take C to state q = ((xo, s)) with outputs q = EligL(S)(s) hibset to true.

Proof Assume initial conditions and let : Xsamp Q be our state set mappingfunction defined during our translation process.

Let s L(S) Lsamp.If s = , we have (xo, ) = xo. As C starts in state qres, we have by definition

(xo) = qres and we are done.We can thus assume s = .As s Lsamp, we have for n 1: (s1, . . . , sn Lconc) s := s1 . . . snThis would generate the following sequence of sampled states for S:

xi = (xi1, si), x0 = xo, i = 1, . . . , nClearly, xn = (xo, s).By definition, the initial state of C is qres = (xo), so q0 = qres.By the translation method, Occu(s1) will take C from q0 to q1 = (x1). We know

that q1 is unambiguous as S is CS deterministic.Similarly, Occu(s1) will take C from q1 to q2 = (x2).Extending the logic, we get Occu(sn) will take C from qn1 = (xn1) to qn =

(xn).We thus have string s takes C to state q = qn = (xn) = ((xo, s)).As state q corresponds to sampled state (xo, s) of S, it follows from the translation

method and definition of the eligibility operator that q = EligL(S)(s) hib. unionsq

As stated in our assumptions, controllers only allow prohibitable events to occuronce per sampling period. We thus want our TDES plant G to reflect this.


Definition 3.4 For TDES G and TDES S, we say that G has S-singular prohibitablebehavior if

(s L(S) L(G) Lsamp)(s act)ss L(S) L(G) ( Occu(s) hib) EligL(G)(ss)

In the example below, marked states are indicated by a gray circle, and the initialstate has a thick outline. Uncontrollable event names begin with an ! mark. For thesystem in Fig. 7, the S-singular prohibitable behavior property is satisfied for statestwo to three as the prohibitable event is only allowed to occur once in the samplingperiod. The property is not satisfied during states four to seven as the prohibitableevent is allowed to occur twice in the same sampling period.

3.3 SD controllable supervisors

So far, we have required that our TDES system have a finite state space, be ALFand nonblocking, that our plant have proper time behavior and be complete for oursupervisor, and that our supervisor be controllable for our plant. However, theseconditions are not sufficient to address the concerns that we raised in Section 1.1.In particular, even though the above conditions are met, our actual system behaviorunder the control of the corresponding SD controller could block, violate our controllaw, or even exhibit behavior not contained in our plant model.

To address these issues, we now introduce a new concept called SD controllable.Let G = (Q, , , q0, Qm) be our plant and S = (X, , , xo, Xm) be our supervisor.Note that implicit in the definition is the assumption for = hib.

Definition 3.5 TDES S is SD controllable with respect to TDES G if, s L(S) L(G), the following statements are satisfied:

(i) EligL(G)(s) u EligL(S)(s)(ii) If EligL(G)(s) then

EligL(S)(s) EligL(S)L(G)(s) hib = (iii) If s Lsamp then

1. (s act)[ss L(S) L(G)] [EligL(S)L(G)(ss) Occu(s)] hib = EligL(S)L(G)(s) hib

2. (s, s Lconc) [ss, ss L(S) L(G) Occu(s) = Occu(s)] ss L(S)L(G) ss ss Lm(S)Lm(G) ss

(iv) Lm(S) Lm(G) Lsamp

Plant, Sup tick

1

tick tick3 5 64 72

Fig. 7 S-singular prohibitable behavior example


Point i: This is standard untimed controllability.Point ii: The () direction and Point i imply standard TDES controllability. The

() part says that if we enable a prohibitable event, we must disable tick. This isto capture the notion that we only enable a prohibitable event when we want toforce it. This makes converting TDES S into an SD controller less ambiguous aswe are required to specify at which state a prohibitable event is to be generated.This also ensures that our TDES behaviour is closer to that of the implementationby removing the behavior of the forcing options that are not actually used.

In Fig. 8, supervisor Sup1 does not satisfy () of Point ii at states 12 as we haveboth a tick and a prohibitable event enabled at the same state. This makes Sup1difficult to convert to an SD controller as we dont know whether we should forceevent at state 1, 2, or state three. Supervisor Sup2 does satisfy () of Point ii.It is essentially Sup1 with the decision made to force at state 2 and the unusedbehavior removed.

Point iii: These sub points apply to the clock period delineated by the sampled strings and the next tick event.

Point iii.1: This point says that when a prohibitable event is possible in a clockperiod, it must be possible immediately after the tick and stay possible for theperiod until it occurs. This captures the notion that the enablement informationfor an SD controller is constant for the clock period. It also captures the ideathat when a controller forces a prohibitable event, the event must occur beforethe next tick, but we dont know when. This means that the event must bepossible in the plant for the entire clock period till it occurs, and must be ableto interleave with the other events occurring in the clock period. Otherwise, wecould get behavior not in our plant model.

This point is key to making our TDES to SD controller translation methodwork with respect to setting enablement outputs for the controller. It guar-antees that if a prohibitable event is enabled sometime during the samplingperiod, it must also be enabled immediately after the tick event, and thus atthe corresponding sampled state. This means that it is sufficient to just lookat the events enabled at the sampled state. It also ensures that the event willstay enabled for the entire sampling period so that it is safe to keep the SDcontrollers enablement outputs constant for the sampling period.

For the example shown in Fig. 9, we have an open door and a cannonset to fire through the door. We note that supervisor Sup1 is controllableand nonblocking with Plant1, but fails Point iii.1 at state 3. This is becauseprohibitable event f ire was possible at state 2 immediately after the tick, butis not possible at state 3 despite the fact it has not yet occurred. Essentially,

Plant Sup1 Sup2

tick tick tick

tick tick ticktick tick1 1 13 32 2 2

4 4 3

Fig. 8 Example for Point ii


Plant1

Plant2

tick

tick

tick

tick

tick

tick

tick

tick

1

1

3

3

2

2

4

4

tick

tick

!close

!close

!close

!close

fire

fire

fire

fire

fire

5

5

6

6

Sup1

tick

tick

tick1 32

!close

!closefire

4 5

Sup3

tick

tick1 32

!close

fire

4

tickSup2

tick

tick1 32

!close

fire

4

Fig. 9 Example for Point iii.1

Sup1 is saying to fire the cannon this clock cycle but only if the door has notyet closed. As we have no information about when the cannon will fire andwhen the door will close during the clock cycle, they could occur arbitrary closetogether meaning there is no way we can ensure that the cannon wont fire afterthe door closes, violating our control law! Worse, the SD controller wont evenknow the door has closed until after the next tick, at which point it will be toolate to react. Its important to note that despite the fact that Sup1 is controllableand nonblocking with Plant1, our implementation would still have been unsafe.

Supervisor Sup2 also is controllable and nonblocking with Plant1, but failsPoint iii.1 at state 3. It has the problem that prohibitable event f ire was notpossible at the start of the sampling period (state 2), but is enabled and forcedat state 3. Essentially, Sup2 is saying to wait until the door closes and then thecannon must be fired before the next tick. However, the SD controller wontknow that the door has closed until after the next tick. This will be too late tomeet the required deadline, violating our control law.

Supervisor Sup3 is controllable and nonblocking with Plant1, and it satisfiesPoint iii.1. It shows us that if we want to ensure a prohibitable event occurs ina specific order relative to another event, then the two events must occur inseparate clock periods.

Finally, consider the combination of Plant2 and Sup1. They are also control-lable and nonblocking, but fail Point iii.1 at state 3. However, this time the plantmodel is asserting that prohibitable event f ire cant occur at state 3. Clearly theevent could occur and our plant model is invalid and will give the designer afalse sense of security.

Point iii.2: This point says that if two concurrent strings with the same occurrenceimage can occur, they must have the same future with respect to the systemsclosed behavior (i.e. we take same control action now and in the future forboth strings), and with respect to its marked behavior (i.e. the strings areinterchangeable with respect to reaching future marked states). If G S isminimal, this means that the strings lead to the same state.


In Fig. 10, supervisor Sup1 is controllable and nonblocking with Plant, butfails Point iii.2 at states 4 and 7. The reason is that concurrent strings tickand tick have the same occurrence image, but are not Nerode equivalentwith respect to the closed-loop systems closed behavior. In particular, wesee that Sup1 enables after tick, but enables after tick. As an SDcontroller would not be able to tell the difference between these two strings, itwould not know which action to take thus Sup1 can not be implemented as anSD Controller.

We next note that supervisor Sup2 is also controllable and nonblocking withPlant, but fails Point iii.2 at states 4 and 7. The reason is that concurrentstring tick can be extended to a marked string by adding a while string tick can not. Consider the case that in the physical system, we might onlyget string tick and never tick. This might be due to a choice during theimplementation of our controller or the fact that in our specific controllerimplementation, event always takes less time to complete than event . Insuch a situation, our physical system would block despite the fact our TDESmodel is nonblocking. If we moved the marker state of Sup2 from state 8 tostate 1, the system would now pass Point iii.2 and our physical system would benonblocking even if only one of strings tick and tick was possible.

Point iv: This point says marked strings must be sampled strings ( or end in a tick).Combined with Point iii.2, this ensures that if G S is nonblocking, then ourplant and SD controller will be nonblocking even if only a single concurrent stringis actually possible in our physical system at a given sampled state, despite ourTDES model saying multiple concurrent strings with the same occurrence imageare possible.

Plant

Sup3

Sup1

Sup2

tick

tick

,

tick

tick

tick

tick

tick

tick

tick

tick

tick

tick

1

1

1

1

3

3

3

3

6

6

4

4

4

4

9

9

2

2

2

2

tick tick

5

5

5

5

6

6

8

8

7

7

Fig. 10 Example for Point iii.2 and iv


In Fig. 10 we see that for the above situation, despite the fact that supervisorSup3 is controllable and nonblocking with Plant and passes Point iii.2, its imple-mentation would still block if only tick could occur. However, Sup3 fails Pointiv at point 5 as string is marked and is not a sampled string. Moving the markerstate from state 5 to state 4 would solve the problem.

It is worth noting that Points iii and iv of SD Controllability apply both to thesupervisor and the plant. The definition can not only identify potential timing andconcurrency issues in the design of the supervisor, but also in the modelling ofthe plant.

It is tempting to consider increasing the SD controllers sampling frequency as away to address the concerns presented in this paper. While this may improve thingsfor some systems, it will likely increase the size of the systems state space and maynot be feasible in practice due to technical or financial limitations. We would alsostill have to check that the resulting system satisfies the properties presented in thispaper in order to see if we had increased the sampling frequency enough.

However, raising the sampling frequency does not in general resolve the situation.Consider two plant components, G1 and G2, that have no physical connectionbetween them. This means that an event from G1 can occur arbitrarily close toan event from G2. If and occurring in the same sampling period was causingissues, then no matter how much we increased the sampling frequency, it would stillbe possible that they could occur in the same sampling period.

Finally, please see Wang and Leduc (2012) for an example based on the untimedflexible manufacturing system (FMS) from Hill (2008) to which we applied thesampled-data theory. This includes a detailed discussion of its design and how thesampled-data properties discussed in this paper were applied to the example. Alsoin Wang and Leduc (2012), one will find a discussion of the conversion of the TDESsupervisors into SD controllers as well as the resulting controllers.

4 Controllability and non-blocking verification

In this section, we examine how the control action of an SD controller comparesto that of the TDES controller it was converted from. Let G = (Y, , , yo, Ym)be our plant, S = (X, , , xo, Xm) our supervisor, and let both have finite statespaces. For the rest of this section, we will require plant G to be complete for S,have proper time behavior and S-singular prohibitable behavior, and that G Sbe ALF. Also, that S be CS deterministic and SD controllable with respect to G.Let C = (I, Z , Q, ,, qres) be an SD controller translated from S as described inSection 3.2.

These conditions ensure that for any string s L(G) L(S), we will always beable to reach a state where tick is possible after at most a finite number of activityevents, as stated in Proposition 2.4. In other words, we will not stop the clock. Thisis important as it ensures that after a sampled string, all new behavior in our systemcan be represented as a series of concurrent strings.

4.1 SD controller as a supervisory control

In the following section, we wish to compare the enablement and forcing action ofour supervisor, S, to that of its SD controller, C. Since an SD controller only changes


state when a tick occurs, its control action is difficult to relate directly to strings.The simplest way to capture the control action of our SD controller C, in terms ofstrings, was to define a corresponding supervisor control, V. In particular, we wish tocapture the idea that enablement information changes immediately after a tick eventand then stays constant till the next tick. We also want to express that as soon as aprohibitable event is enabled, the controller will force the event to occur before thenext tick.

Supervisor control V expresses the enablement and forcing behavior of our SDcontroller, not that of the TDES supervisor. As our discussions in Sections 1.1 and 3.3show, the control action of our controller could be quite different than that of S. Forexample, consider the discussion of SD controllability Point iii.1, in Section 3.3. Herewe learned that behavior of the SD controller for Sup1 acting on Plant1 (see Fig. 9)would allow the event f ire to still occur after the event close, even though it wasdisabled by Sup1.

We use Algorithm 1 to capture the SD controllers enablement and forcingbehavior as a supervisory control. We then use the algorithms definition to argueabout our controllers behavior in the proofs in later sections. In the algorithmdescription, variable Pend is a list structure, where operation push adds the itemto the front of the list, while operation pop removes the front item from the list.Please refer to Wang (2009) for a detailed discussion of the algorithm. In Wang(2009), we also show that map V is well defined.

To simplify part of the algorithm, we first present the definition below whichspecifies which concurrent strings our plant will allow to follow a given sampledstring.

Definition 4.1 For TDES G = (Y, , , yo, Ym), the concurrent behavior of G isdefined to be a map CBG : L(G) Lsamp Lconc, such that for s L(G) Lsamp,

CBG(s) := {s Lconc|ss L(G)}

In the algorithm that follows, we will start with the empty string ( Lsamp) andthe initial state of our controller, which we label qres. We will then process theconcurrent strings that our plant allows to follow to determine new sampled strings,and the corresponding states of our controller reached by these strings. We note that,as per line 10, we will only explore concurrent strings that contain no events disabledby the controller and that are accepted by our supervisor. The latter is to ensure wecan later prove that V is a supervisory control for G and we will justify this restrictionin the proposition that follows next.

Proposition 4.1 For plant G and supervisor S, let S be CS deterministic and SDcontrollable for G, and let G be complete for S, and have S-singular prohibitablebehavior. Let C be the SD controller that is constructed from S.

(s L(S) L(G) Lsamp)(s CBG(s))

If s takes C to state q and ss L(S) then C will reject s.


Algorithm 1 Obtaining V from controller C, acting on plant G1: For each s L(G) : V(s) u { } // set default value for V(s)2: Pend {(, qres)}3: while Pend = do4: (s, q) pop(Pend)5: Let q be the hib events enabled at state q6: if q = then {disable to force events}7: V(s) (V(s) q) { }8: end if9: for all s CBG(s) do

10: if (Occu(s) hib q) (ss L(S)) then11: Let q be the next state of C, reached from q via Occu(s)12: push(Pend, (ss, q))13: for all < s < s do {process all nonempty prefixes of s}14: if Occu(s) hib q then {there are still events to force}15: V(ss) (V(ss) q) { }16: else17: V(ss) (V(ss) q)18: end if19: end for20: end if21: end for22: end while23: return V

Proof Assume initial conditions.

(1) As S is SD controllable for G and ss L(S), we have:(s act)( c) (s s) (ss L(S)) (ss L(S))

s L(G) and s CBG(s)) ss L(G)(2) As L(G) is prefix closed and s s, we have: ss, ss L(G)

We have two cases: = and =

Case 1) = By (2), we have EligL(G)(ss).By (1), we have: ss L(S).

EligL(S)(ss)By Point ii of SD controllability definition, we can thus conclude:

EligL(S)L(G)(ss) hib =

Let = EligL(S)L(G)(ss) hib.


(3) As G has S-singular prohibitable behavior, we have: Occu(s) = By (1), (2), and Point iii.1 of SD controllability, we have:

[EligL(S)L(G)(ss) Occu(s)] hib = EligL(S)L(G)(s) hib EligL(S)L(G)(s) EligL(S)(s)

By controller translation method, this implies that C enables every event in atstate q and will force them to occur before the next tick.

As Occu(s) = (by (3)) these events did not occur during s, and thus ourcontroller will force them to occur before the next tick; thus tick could not occur atthis point with our controller.

Case 2) = hib by (1).

By (2) and fact G has S-singular prohibitable behavior, we have: Occu(s)By (1), (2), and Point iii.1 of SD controllability, we have:

[EligL(S)L(G)(ss) Occu(s)] hib = EligL(S)L(G)(s) hibAs Occu(s) and EligL(S)(ss) (by (1)), it follows that:

EligL(S)L(G)(s) EligL(S)(s) as G is complete for S.

By controller translation method, this implies that C will disable at state q.By cases 1 and 2, C will reject , thus C will reject s, as required. unionsq

The next proposition will be useful in proving Theorem 4.1 in the next section.By V(s) will be re-evaluated in the proposition definition below, we mean that inAlgorithm 1 either s will be added to Pend if s Lsamp or V(s) will be re-assigned atlines 15 or 17.

Proposition 4.2 For plant G and supervisor S, let S be CS deterministic and SDcontrollable for G, and let G be complete for S, and have S-singular prohibitablebehavior. Let C be the SD controller that is constructed from S, and let V be the mapthat is constructed from C using Algorithm 1.

(s L(S) L(G))V(s) will be re-evaluated in Algorithm 1.


Let s L(S) L(G).From definition of Lsamp, it follows that:

(s Lsamp)(s act) s = ss


We will first show that s is always added to Pend in Algorithm 1, and then use thisfact to show that V(s) will be re-evaluated.

1) Show s will be added to Pend.We note that if s = , it is added to Pend on line 2 of the algorithm.We can thus assume that s = .

s .

(n 1)(s1, s2, .., sn Lconc) s = s1 . . . sn

Let s0 = . From lines 9 and 10 of algorithm, it is sufficient to show that:

(k {1, 2, . . . , n})

(s0s1 . . . sk L(S) L(G)) (Occu(sk) hib qk1)

where qk1 is the state in C reached by string s0s1 . . . sk1 Lsamp.As s0s1 . . . sk s, we have s0s1 . . . sk L(S) L(G) as L(S) and L(G) are prefixclosed.From Proposition 3.1, we have that qk1 = ((xo, s0s1 . . . sk1)) with qk1 =EligL(S)(s0s1 . . . sk1) hib.Thus it is sufficient to show that Occu(sk) hib EligL(S)(s0s1 . . . sk1).By Point iii.1 of SD controllability, we have (t < sk):[EligL(S)L(G)(s0..sk1t) Occu(t)] hib = EligL(S)L(G)(s0..sk1) hib

(t < sk) Occu(t) hib EligL(S)L(G)(s0..sk1)

(t < sk) Occu(t) hib EligL(S)(s0..sk1) Occu(sk) hib EligL(S)(s0s1 . . . sk1) as sk Lconc = act.

We thus have s added to Pend, as required.2) Show that V(s) will be re-evaluated.

We first note that if s Lsamp, we have s = s and we are done.We can thus assume s Lsamp, thus s = .From part 1, we have s will be added to pending.By lines 9 and 10 of algorithm, it is sufficient to show that:

(t Lconc) (s t) (st L(S) L(G)) (Occu(t) hib q) ()

where q is the state in C reached by string s Lsamp.(1) From Proposition 3.1, we have that q = ((xo, s)) with q =

EligL(S)(s) hib.

As SD controllability implies standard timed controllability, we can applyProposition 2.4 and conclude: (t act) sst L(S) L(G).


We thus take t = st and we have t Lconc, s t and st L(S) L(G).All that remains to show for () is: Occu(t) hib qFrom (1), it is sufficient to show: Occu(t) hib EligL(S)(s)By Point iii.1 of SD controllability, we have (t < t):

[EligL(S)L(G)(st) Occu(t)] hib = EligL(S)L(G)(s) hib

(t < t) Occu(t) hib EligL(S)L(G)(s)

(t < t) Occu(t) hib EligL(S)(s)

Occu(t) hib EligL(S)(s) as t Lconc = act.

It thus follows that V(s) = V(ss) will get re-evaluated at lines 15 or 17 of thealgorithm. unionsq

4.2 SD controllers and controllability

We will now show that if our TDES plant and supervisor satisfy the specifiedproperties, then the closed-loop behavior of G and our SD controller, representedas L(V/G), will be the same as the closed-loop behavior of S and G. This is despitethe fact that S can change its enablement and forcing actions at any time, while theSD controller can only do so immediately after a tick, and then they must remainconstant until the next tick occurs. This means that we can implement our TDESsupervisor as an SD controller and get our expected closed-loop behavior, at leastwith respect to the required enablement and forcing actions of the controller.

Theorem 4.1 For plant G = (Y, , , yo, Ym) and CS deterministic supervisor S =(X, , , xo, Xm) that is SD controllable for G, let both TDES have f inite state spaces,let G be complete for S, have proper time and S-singular prohibitable behavior, letG S be ALF, let C = (I, Z , Q, ,, qres) be the SD controller that is constructedfrom S, and let V be the map that is constructed from C using Algorithm 1. Then,

L(V/G) = L(S) L(G)

Proof See proof in Appendix. unionsq

We are now ready to show that the V we constructed in Algorithm 1, is indeed aTDES supervisory control.

Proposition 4.3 For plant G = (Y, , , yo, Ym) and CS deterministic supervisor S =(X, , , xo, Xm) that is SD controllable for G, let both TDES have f inite state spaces,let G be complete for S, have proper time and S-singular prohibitable behavior, letG S be ALF, let C = (I, Z , Q, ,, qres) be the SD controller that is constructedfrom S and let V be the map that is constructed from C using Algorithm 1. Then mapV is a TDES supervisory control for G.


Proof Assume initial conditions.Let s L(G).

1. Show V(s) uThis is automatic as V(s) = u { } is set at line 1 of Algorithm 1, and no u isever removed.

2. Show [( EligL(G)(s)) (V(s) EligL(G)(s) hib = )] V(s)(1) Assume EligL(G)(s) and V(s) EligL(G)(s) hib =

We note that V(s) = u { } is set at line 1 of Algorithm 1 and can onlybe removed at lines 7 and 15.From lines 2, 9 and 10, we see we start at string and only process strings inL(S) L(G).It is thus sufficient to only consider s L(S) L(G).

(2) By Theorem 4.1, we can conclude: L(V/G) = L(S) L(G). s L(V/G)

By definition of L(V/G) and (1), we have: ( hib) s L(V/G) EligL(S)L(G)(s) hib =

By Point ii of SD controllability, we have: EligL(S)(s). EligL(S)L(G)(s), by (1). s L(V/G), by (2). V(s) by definition of L(V/G). unionsq

4.3 SD controllers and event generation

In a typical system, prohibitable events are often a part of a supervisors imple-mentation and the resulting controller can cause these events to occur at any time,possibly even when our plant model says they cant. For example, the occurrence ofa prohibitable event could be equated to an output of the controller going true, orthe execution of a software routine. We will now show that if the system satisfies theindicated conditions, the controller can not generate a prohibitable event when theplant model wont accept it.

Theorem 4.2 For plant G = (Y, , , yo, Ym) and CS deterministic supervisor S =(X, , , xo, Xm) that is SD controllable for G, let both TDES have f inite state spaces,let G be complete for S, have proper time and S-singular prohibitable behavior, letG S be ALF, let C = (I, Z , Q, ,, qres) be the SD controller that is constructedfrom S, and let V be the map that is constructed from C using Algorithm 1.

(s L(V/G) Lsamp)(s act)( hib)If ss L(V/G) and then physically occurs after ss and before any other events canoccur, then ss L(G).

Proof Assume initial conditions.

(1) Let s L(V/G) Lsamp, s act, and hib.


Assume ss L(V/G) and then physically occurs after ss and before anyother events can occur.By Theorem 4.1, we have: L(V/G) = L(S) L(G).

(2) We thus have s L(S) L(G) Lsamp and ss L(S) L(G).As occurred, Cs output must be true for this sample period. By assumption,events occur in the sampling period they are forced in thus was enabled bythe supervisor in this sample period. s L(S) by the controller translation method in Section 3.2. s L(G) as G is complete for S.

(3) s L(S) L(G) EligL(S)L(G)(s) hibBy (1) and (2), we have s L(S) L(G) Lsamp, s act, hib, and ss L(S) L(G).By Point iii.1 of SD controllability, we have:

[EligL(S)L(G)(ss) Occu(s)] hib = EligL(S)L(G)(s) hib

[EligL(S)L(G)(ss) Occu(s)], by (3).We have Occu(s) as occurred after s and controllers, by assumption,only allow prohibitable events to occur once per clock period. EligL(S)L(G)(ss) ss L(G) as required unionsq

4.4 SD controllers and nonblocking

We now present our nonblocking results for SD controllers. First, we need to definea marked behavior for SD controllers. For plant G, and CS deterministic supervisorS that is SD controllable for G, let C be the SD controller that is constructed from S,and V be the map that is constructed from C using Algorithm 1. The marked behaviorof V/G is defined to be

Lm(V/G) := L(V/G) Lm(S) Lm(G)

We say V is nonblocking for G if Lm(V/G) = L(V/G).We now show that if our TDES plant and supervisor satisfy the specified proper-

ties, then the closed-loop behavior of G and our SD controller is nonblocking if andonly if the closed-loop behavior of S and G is nonblocking.

Proposition 4.4 For plant G = (Y, , , yo, Ym) and CS deterministic supervisor S =(X, , , xo, Xm) that is SD controllable for G, let both TDES have f inite state spaces,let G be complete for S, have proper time and S-singular prohibitable behavior, letG S be ALF, let C = (I, Z , Q, ,, qres) be the SD controller that is constructedfrom S, and let V be the map that is constructed from C using Algorithm 1. Then V isnon-blocking for G if and only if G S is non-blocking.

Proof Sufficient to show that L(V/G) = L(S) L(G), and Lm(V/G) = Lm(S) Lm(G).

By Theorem 4.1, we have: L(V/G) = L(S) L(G).


By definition, we have:

Lm(V/G) = L(V/G) Lm(S) Lm(G)= L(S) L(G) Lm(S) Lm(G)= Lm(S) Lm(G)

unionsq

We also want to ensure that if G S is nonblocking, then our plant and SDcontroller will be nonblocking even if only a single concurrent string is actuallypossible in our physical system at a given sampled state, despite our TDES modelsaying multiple concurrent strings with the same occurrence image are possible. Wewish to be robust with respect to such variations and nonblocking.

For example, consider the behavior in Fig. 11. If the top part represented ourTDES system, then we would expect that if we ran our physical system (i.e. Gtogether with C) enough times, we would see both and strings occur.However, due to different possible designs and timing behaviors of our controllerimplementation, it might be the case that sequence will never occur. If string took us to the only marked state in our system, our TDES system would benonblocking but out physical system would block.

We will frame our argument in terms of supervisory control maps. We will useV to represent the expected behavior of our SD controller (i.e. all variations of theexpected concurrent strings possible), and V to represent restricted implementationsas described in the following definition.

Definition 4.2 Let G = (Q, , , qo, Qm) be a TDES and let V and V be supervisorycontrols for G. We say V is concurrent supervisory control equivalent (CSCE) to V if

1. (s L(G))V (s) V(s)

Fig. 11 An example for CSCE


2. (s L(V /G) Lsamp)(s Lconc)ss L(V/G)(s Lconc)ss L(V /G)Occu(s) = Occu(s)

The first point essentially guarantees that L(V /G) L(V/G). The second pointsays that if V /G accepts sampled string s, and then V/G accepts concurrent strings, then V /G must accept a concurrent string s that has the same occurrence imageas s. Figure 11 shows a CSCE example. Here, V/G has two paths with the sameoccurrence image but V /G only one, but that is sufficient.

Proposition 4.5 For TDES plant G = (Q, , , qo, Qm), let V and V be supervisorycontrols for G. If V is concurrent supervisory control equivalent to V, then

L(V /G) L(V/G)


We now present our main nonblocking result for SD controllers. It says that ifour TDES plant and supervisor satisfy the specified properties and the closed-loopbehavior of G and our SD controller is nonblocking, then any CSCE variation willalso be nonblocking.

It is important to note that Point iii.1 of the SD controllability definition ensuresthat our TDES system model will allow a generated (forced) event to occur in anyorder with respect to the other events occurring in its sampling period. This meansthat however we implement our SD controller, its resulting behavior will match oneof these variations. The problem is that when we choose a specific implementation,it will likely only allow a subset of these variations, which could potentially cause ourphysical system to block. The following result says that our properties guarantee thatwont happen.

Theorem 4.3 For plant G = (Y, , , yo, Ym) and CS deterministic supervisor S =(X, , , xo, Xm) that is SD controllable for G, let both TDES have f inite state spaces,let G be complete for S, have proper time and S-singular prohibitable behavior, letG S = (Q, , , qo, Qm) be ALF, let C = (I, Z , Q, ,, qres) be the SD controllerthat is constructed from S, and let V be the map that is constructed from C usingAlgorithm 1. Let V be a supervisory control for G. If V is nonblocking for G andV is CSCE to V, then V is also nonblocking for G.

Proof See proof in Appendix. unionsq

5 Conclusions

This paper focuses on concurrency and timing issues related to implementing timeddiscrete-event systems (TDES) as sampled-data (SD) controllers. We first deter-mined existing TDES properties that our system needed to satisfy.

To these existing conditions we added the new requirement that our plant haveS-singular prohibitable behavior. We then extended TDES controllability to SDcontrollability, which captures several new properties that are useful in dealing with


concurrency issues, as well as makes it easier to translate a supervisor into an SDcontroller.

Using these properties, we were able to show that the closed-loop behavior ofthe SD controller and the plant is the same as that of the plant and the originalTDES supervisor, at least as far as enablement and forcing goes. We also showedthat our method is robust with respect to nonblocking and certain variations in theactual behavior of our physical system. In other words, the resulting SD controllerwill behave as we expect with respect to nonblocking and control action.

6 Future work

In this paper, we only partly deal with timing delay issues which we have left asfuture work due to time constraints. We have tried to mitigate potential problems bythe assumptions given in Section 3.1. Here, we have required that our controllers beimplemented on a single machine, so they have a common clock and their inputs andoutputs change at the same time. These address timing issues caused by a distributedimplementation.

Another potential timing delay problem is the difference between when an eventphysically occurs, and when a controller sees that the event has occurred. We havetried to compensate for this by our fourth assumption.

Whereas the steps we have taken to compensate for timing delay are not ideal,they should handle the more pressing issues. However, research needs to be done toaddress such issues directly in a more flexible manner.

Appendix: Proofs of selected theorems

Theorem 4.1


1. Show L(V/G) L(S) L(G).We have L(V/G) L(G) automatically by definition of L(V/G) and the fact G

contains an initial state.We now only need to show L(V/G) L(S).Let s L(V/G).We will use induction on length of s to show s L(S).

Base Case: s = . We have L(S) as S contains an initial state.Inductive Step:

(1) We assume that s = 1 . . . k L(V/G) L(S) and sk+1 L(V/G) for somek 0.We now show this implies: sk+1 L(S)

(2) We first note that: sk+1 L(V/G) sk+1 L(G).By (1), (2), and fact that L(G) is closed, we have: s L(S) L(G).


From definition of Lsamp, it follows that:(3) (s Lsamp)(s act) s = ss

As L(S) and L(G) are prefix closed, we have:(4) s L(S) L(G) Lsamp(5) From Proposition 3.1, we have that q = ((xo, s)) with q = EligL(S)(s)

hib. Here, q is the state in C reached by string s Lsamp.Since = u hib { } by definition of TDES, we have 3 cases to consider.

(1.1) Case k+1 uAs S is SD controllable for G and by (2), we have: sk+1 L(S).

(1.2) Case k+1 = From (1) and definition of L(V/G), we have: V(s)From (2), we have: EligL(G)(s)By Point ii of SD controllability, to conclude s L(S) it is sufficientto show:

EligL(S)L(G)(s) hib =

By default, is included in V(s) at line 1 of Algorithm 1. In thealgorithm, is only removed at line 7 if s Lsamp or at line 15 ifs Lsamp.

(6) By Proposition 4.2, we know that V(s) and V(s) will be re-evaluated.As was not removed, this tells us the condition for line 7 or line 15 was testedbut not met.We have two case now to consider: s Lsamp or s Lsamp.(1.2.1) Case s Lsamp.

s Lsamp s = sBy (6), we know s was added to Pend in the algorithm. This means swas evaluated by lines 48.Line 6 thus implies that: q = . EligL(S)(s) hib = by (5). EligL(S)L(G)(s) hib = , as required.

(1.2.2) Case s Lsamp.By (6), we know s was added to Pend in the algorithm, and that V(ss)will be re-assigned at lines 15 or 17.By lines 9 and 10, this implies:

(s Lconc) (s


By Point iii.1 of SD controllability, we have: [EligL(S)L(G)(ss) Occu(s)] hib = EligL(S)L(G)(s) hib EligL(S)L(G)(ss) hib EligL(S)L(G)(s) hib EligL(S)(s) hib EligL(S)L(G)(ss) hib q by (5).Combining with (8), we get: EligL(S)L(G)(ss) hib = EligL(S)L(G)(s) hib = (by (3)), as required.By parts 1.2.1 and 1.2.2, we have EligL(S)L(G)(s) hib = , and thus concludes L(S), as required.

(1.3) Case k+1 hibFrom (1) and definition of L(V/G), we have: k+1 V(s).At line 1 of Algorithm 1, V(s) is initially set to u { }. It follows thatk+1 was added at line 7, 15, or 17.In either case, we have that: k+1 q. k+1 EligL(S)(s) hib by (5). k+1 EligL(G)(s) as G is complete for S. k+1 EligL(S)L(G)(s)As s L(S) L(G) Lsamp by (4), s act and ss L(S) L(G)by (3), we can conclude by Point iii.1 of SD controllability:

[EligL(S)L(G)(ss) Occu(s)] hib = EligL(S)L(G)(s) hib k+1 [EligL(S)L(G)(ss) Occu(s)] hib

By (2) and (3), we have: ssk+1 L(G). k+1 Occu(s) as G has S-singular prohibitable behavior. k+1 EligL(S)L(G)(ss) k+1 EligL(S)L(G)(s) by (3). sk+1 L(S), as required.By 1.11.3, we have shown sk+1 L(S), thus our inductive step iscomplete.We have proven our base case and inductive step, so we now concludeby induction that s L(S) L(G) for arbitrary s L(V/G).

2. Show L(S) L(G) L(V/G)Let s L(S) L(G).We will now use proof by induction to show that: s L(V/G).

Base Case: s = Automatic by definition of L(V/G).

(9) Inductive Step: We assume that s = 1 . . . k L(V/G) L(S) L(G) andsk+1 L(S) L(G) for some k 0.

We will now show this implies sk+1 L(V/G).(10) From definition of Lsamp, it follows that:

(s Lsamp)(s act) s = ss

(11) As L(S) and L(G) are prefix closed, we have:

s L(S) L(G) Lsamp(12) From Proposition 3.1, we have that q = ((xo, s)) with q = EligL(S)(s)

hib. Here, q is the state in C reached by string s Lsamp.


(13) By Proposition 4.2, we know that V(s) and V(s) will be re-evaluated.By definition of L(V/G), it is sufficient to show that: k+1 V(s).As = u hib { }, we have 3 cases to consider.

(2.1) Case k+1 uWe have k+1 V(s) automatically as V(s) = u { } is set at line 1of Algorithm 1, and no u is ever removed.

(2.2) Case k+1 = By (9), we have: s L(S) L(G).

(14) By Point ii of SD controllability, we thus have:

EligL(S)L(G)(s) hib = (15) EligL(S)(s) hib = as G is complete for S.

By default, is included in V(s) at line 1 of Algorithm 1. It is thus sufficient toshow that is not removed at line 7 if s Lsamp or at line 15 if s Lsamp.We thus have two cases to consider: s Lsamp or s Lsamp.

(16) (2.2.1) Case s Lsamps Lsamp s = s

By (13), we know s was added to Pend in the algorithm. This means s wasevaluated by lines 48.By line 6, it is thus sufficient to show: q = .This follows immediately from (12), (15), and (16).

(2.2.2) Case s / LsampBy (13), we know s was added to Pend in the algorithm, and that V(ss) willbe re-assigned at lines 15 or 17.By line 14, it is sufficient to show: [Occu(s) hib q].It is thus sufficient to show that: Occu(s) hib = qAs s L(S) L(G) Lsamp by (11), s act and ss L(S) L(G) by (9)and (10), we can conclude by Point iii.1 of SD controllability:

[EligL(S)L(G)(ss) Occu(s)] hib = EligL(S)L(G)(s) hib(17) From (10) and (14), we have: EligL(S)L(G)(ss) hib =

Occu(s) hib = EligL(S)L(G)(s) hibWe next note that EligL(S)L(G)(s) hib EligL(S)(s) hib.We also have EligL(S)(s

) hib EligL(S)L(G)(s) hib by definition of eli-gibility operator and fact that G is complete for S. EligL(S)L(G)(s) hib = EligL(S)(s) hib = q by (12). Occu(s) hib = q by (17), as required.By 2.2.1 and 2.2.2, we have shown V(s).

(18) (2.3) Case k+1 hib k+1 EligL(S)L(G)(s) hibby (9).

At line 1 of Algorithm 1, V(s) is initially set to u { }. It follows that k+1can only be added at line 7 if s Lsamp or at line 15 or 17 if s Lsamp.


It is thus sufficient to show that V(s) is re-evaluated and that: k+1 q.By (13), we know s was added to Pend in the algorithm, and that V(ss) willbe re-evaluated.By (12), we have: q = EligL(S)(s) hib.It is thus sufficient to show that: k+1 EligL(S)(s) hib.As s L(S) L(G) Lsamp by (11), s act and ss L(S) L(G) by (9)and (10), we can conclude by Point iii.1 of SD controllability:

[EligL(S)L(G)(ss) Occu(s)] hib = EligL(S)L(G)(s) hibBy (10) and (18), we have: k+1 EligL(S)L(G)(ss) hib k+1 EligL(S)L(G)(s) hib k+1 EligL(S)(s) hib, as required.By 2.12.3, we have k+1 V(s), thus our inductive step is complete.We have proven our base case and inductive step, so we now conclude byinduction that s L(V/G) for arbitrary s L(S) L(G).By parts 1 and 2, we have L(V/G) L(S) L(G) and L(S) L(G) L(V/G).We thus conclude L(V/G) = L(S) L(G). unionsq

Theorem 4.3

Proof Assume initial conditions.It is sufficient to show this implies: L(V /G) = L(V /G) Lm(S) Lm(G)

1. Show L(V /G) Lm(S) Lm(G) L(V /G).Automatic as L(V /G) Lm(S) Lm(G) L(V /G) and L(V /G) is prefixclosed.

2. Show L(V /G) L(V /G) Lm(S) Lm(G)(1) Let s L(V /G).

It is sufficient to show: (s ) ss L(V /G) Lm(S) Lm(G).We note that if s Lm(S) Lm(G), we can take s = and we have immedi-ately: ss L(V /G) Lm(S) Lm(G).

(2) We can thus assume: s / Lm(S) Lm(G).(3) By Theorem 4.1, we have: L(V/G) = L(S) L(G).(4) Lm(G) Lm(S) L(V/G)(5) By Proposition 4.5 we have L(V /G) L(V/G).

We have two cases to consider: s Lsamp and s / Lsamp.(6) (2.1) Case s Lsamp

By (1) and (5), we have: s L(V/G).(7) By assumption, V is nonblocking for G, thus:

(s ) ss L(V/G) Lm(S) Lm(G)By Point iv of SD controllability, we have: Lm(S) Lm(G) Lsamp.As s Lsamp (by (6)) and s / Lm(S) Lm(G) (by (2)), we have for n 1:

(8) (s1, . . . , sn Lconc) s := s1 . . . sn(9) (ss1 . . . sn L(V/G)) (ss1 . . . sn Lm(S) Lm(G))


Using s1, . . . , sn, we will now construct s

1, . . . , s

n Lconc such that ss1 . . . sn

L(V /G) Lm(S) Lm(G).(10) Using proof by induction, we will now show that for all k {2, 3, . . . , n},

(s1, . . . , sk1 Lconc)

[ss1 . . . sk1sk . . . sn Lm(S) Lm(G)] [ss1 . . . sk1 L(V /G)]

(sk Lconc) [ss1 . . . sksk+1..sn Lm(S) Lm(G)] [ss1 . . . sk L(V /G)]Base case Show (s1 Lconc) [ss1 . . . sn Lm(S) Lm(G)]

[ss1 L(V /G)]By (8), (9) and fact L(V/G) is prefix closed, we have: s1 Lconc and ss1 L(V/G).By (1) and (6), we have: s L(V /G) Lsamp.

(11) As V is CSCE to V, we can conclude:

(s1 Lconc) [ss1 L(V /G)] [Occu(s1) = Occu(s1)] ss1 L(V/G) by (5).As s, ss1, ss

1 L(V/G), we have by (3): s, ss1, ss1 L(S) L(G).

By Point iii.2 of SD controllability, we have: ss1 Lm(S)Lm(G) ss1 ss1s2 . . . sn Lm(S) Lm(G) by (9).We have thus shown:

(s1 Lconc)[ss1s2..sn Lm(S) Lm(G)] [ss1 L(V /G)]Inductive step

Let k {2, 3, . . . , n} and assume:(s1, . . . , sk1 Lconc)

(12) [ss1 . . . sk1sk . . . sn Lm(S) Lm(G)] [ss1 . . . sk1 L(V /G)]We will now show this implies condition (10) is satisfied for this k.

(13) We note that as sk1 Lconc, we have:ss1 . . . s

k1 L(V /G) Lsamp.

By (4) and (12), we have: ss1 . . . sk1s

k . . . s

n L(V/G).

(14) As L(V/G) is prefix closed and by (8), we have:

ss1 . . . sk1s

k L(V/G) and sk Lconc

(15) As V is CSCE to V, we can conclude:

(sk Lconc) [ss1 . . . sk L(V /G)] [Occu(sk) = Occu(sk)] ss1 . . . sk L(V/G) by (5).From (5) and (13), we have: ss1 . . . s

k1 L(V/G) Lsamp. ss1 . . . sk1 L(S) L(G) Lsamp by (3).

By (3), (14), and (15), we can conclude:

ss1 . . . sk1s

k, ss

1 . . . s

k1s

k L(S) L(G)


By Point iii.2 of SD controllability, we have:

ss1 . . . sk1s

k Lm(S)Lm(G) ss1 . . . sk1sk

ss1 . . . sksk+1..sn Lm(S) Lm(G) by (12).We have thus shown:

(sk Lconc) [ss1 . . . sksk+1..sn Lm(S) Lm(G)] [ss1 . . . sk L(V /G)]We can now conclude by induction that:

(s1, . . . , sn Lconc) ss1 . . . sn Lm(S) Lm(G) L(V /G)We take s = s1 . . . sn and part 2.1 is complete.(2.2) Case s / LsampAs we want to reuse the result from part 2.1 for this part, we first need toextend s to a string in L(V /G) Lsamp.As G and S have finite, nonempty state spaces, it follows that G S has afinite, nonempty state space. Let n = |Q|.As G S is ALF, it follows that:

(t act)(q Qr) [|t| n 1] [(qo, st ) = q] [( act) (q, ) !]By (3) and (5), we have: L(V /G) L(V/G) = L(S) L(G).

(16) It thus follows that:

(t act) (st L(V /G)) (EligL(V/G)(st) act = )If (16) was false, then we could extend s L(V /G) L(S) L(G) by anarbitrary length activity string which would violate fact that G S is ALF andhas a finite, state space.We will now show that: st L(V /G) Lsamp.By definition of L(V /G), we have:

EligL(V/G)(st) = V (st) EligL(G)(st)

(17) V (st) EligL(G)(st) act = As u act and V is a supervisory control, we have:

EligL(G)(st) u =

(18) EligL(G)(st) as G has proper time behavior.As hib act, we have by (17):

V (st) EligL(G)(st) hib = V (st) as V is a supervisory controlCombining with (16) and (18), gives: st L(V /G).Taking t = st , we note that if t Lm(S) Lm(G) we can take s = t and wehave immediately: ss L(V /G) Lm(S) Lm(G)We can thus assume t / Lm(S) Lm(G).We next note that as t = st , we have: t L(V /G) Lsamp.With t as our starting place, we can use the logic of part 2.1, and conclude:

(s1, . . . , sn Lconc)ts1 . . . sn Lm(S) Lm(G) L(V /G)


We thus take s = t s1 . . . sn and part 2.2 is complete.By parts 2.1 and 2.2, we have constructed s with ss Lm(S) Lm(G) L(V /G), as required.By parts 1 and 2, we thus have: L(V /G) = L(V /G) Lm(S) Lm(G). unionsq

References

Balemi S (1992) Control of discrete event systems: theory and application. PhD thesis, Swiss FederalInstitute of Technology, Zurich, Switzerland

Balemi S (1994) Input/output discrete event processes and communication delays. Discrete EventDyn Syst 4(1):4185

Basile F, Chiacchio P (2007) On the implementation of supervised control of discrete event systems.IEEE Trans Control Syst Technol 15(4):725739

Benveniste A, Caspi P, Edwards SA, Halbwachs N, Guernic PL, de Simone R (2003) The synchro-nous languages 12 years later. Proc IEEE 91(1):6483

Bolton W (2006) Programmable logic controllers, 4th edn. ElsevierBrandin B, Wonham WM (1994) Supervisory control of timed discrete-event systems. IEEE Trans

Autom Control 39(2):329342Brandin B, Wonham WM, Benhabib B (1991) Discrete-event systems supervisory control applied

to the management of manufacturing workcells. In: 7th international conference on computeraided manufacturing engineering. Cookeville, Elsevier, pp 527536

Brandin BA (1993) Real-time supervisory control of automated manufacturing systems. PhD thesis,Department of Electrical Engineering, University of Toronto

Brandin BA (1996) The real-time supervisory control of an experimental manufacturing cell. IEEETrans Robot Autom 12(1):114

Brown S, Vranesic Z (2008) Fundamentals of digital logic with VHDL design, 3rd edn. McGraw HillHigher Education

Cantillo JR, Busetti MA, Santos EAP, Loures E (2007) An approach for a manufacturing systembased on supervisory control theory and colored petri nets. In: 19th international conference onproduction research. Valparaiso, Chile

Dragert C, Dingel J, Rudie K (2008) Generation of concurrency control code using discrete-eventsystems theory. In: Proc. of the 16th ACM SIGSOFT int. symp. on foundations of sftw eng.ACM, Atlanta, GA, pp 146157

Fabian M, Hellgren A (1998) PLC based implementation of supervisory control for discrete eventsystems. In: Proc. of the 37th IEEE conference on decision and control, vol 3. Tampa, FL,pp 33053310

Giua A, Seatzu C (2008) Modeling and supervisory control of railway networks using petri nets.IEEE Trans Autom Sci Eng 5(3):431445

Halbwachs N (1993) Synchronous programming of reactive systems. Kluwer Academic Publishers,Netherlands

Hill RC (2008) Modular verification and supervisory controller design for discrete-event systemsusing abstraction and incremental construction. PhD thesis, Department of Mechanical Engi-neering, University of Michigan

Leduc R (1996) PLC implementation of a DES supervisor for a manufacturing testbed: an implemen-tation perspective. Masters thesis, Department of Elec and Comp Eng, University of Toronto,Toronto, OT

Li Y (1986) Supervisory control of real-time discrete-event systems. Masters thesis, Department ofElectrical Engineering, University of Toronto, Toronto, OT

Malik P (2003) From supervisory control to nonblocking controllers for discrete event systems.PhD thesis, Department of Computer Science, University of Kaiserslautern, Kaiserslautern

Nourelfath M, Niel E (2004) Modular supervisory control of an experimental automated manufac-turing system. Control Eng Pract 12(2):205216

Pai T (1990) Real-time implementation of discrete-event controllers. Masters thesis, Department ofElectrical Engineering, University of Toronto, Toronto, OT

de Queiroz MH, Cury JER (2002) Synthesis and implementation of local modular supervisorycontrol for a manufacturing cell. In: Proc. of WODES 2002. Zaragoza, SPAIN, pp 377382


Ramadge P, Wonham WM (1987) Supervisory control of a class of discrete-event processes. SIAMJ Control Optim 25(1):206230

Roussel JM, Giua A (2005) Designing dependable logic controllers usin

Date post:	23-Dec-2016
Category:	Documents
Upload:	fahim
View:	216 times
Download:	1 times

Sampled-data supervisory control

Documents