Controllability for Nondeterministic Finite Automata with Variables
Jasen Markovski
Department of Mechanical Engineering, Eindhoven University of Technology,
Den Dolech 2, 5612MH, Eindhoven, The Netherlands
Keywords:
Supervisory Control Theory, Controllability, Finite Automata with Variables, Partial Bisimulation.
Abstract:
Supervisory control theory deals with automated synthesis of models of supervisory controllers that ensure safe coordinated discrete-event behavior of a given system. To increase the expressivity of the framework and provide for a greater modeling convenience, several extensions with variables have been proposed. One of the most prominent such extensions is implemented by means of extended finite automata with variables. We revisit the notion of controllability for nondeterministic finite automata with variables, which defines conditions under which a model of a supervisory controller can be synthesized. We will show that the existing notion of controllability for extended finite automata does not have desirable algebraic properties, i.e., it is not a preorder. We propose to employ an extension of controllability for nondeterministic discrete-event systems based on a behavioral relation termed partial bisimulation, which we show subsumes the existing notion of controllability for extended finite automata.
1 INTRODUCTION
Development of quality control software is becoming an increasingly difficult task due to the high complexity of high-tech systems, promoting the former as an important bottleneck in the design and production process, as already noted in (Leveson, 1990). Traditional techniques are not able to satisfactorily cope with the challenge due to the frequent design changes in the control requirements, which gave rise to supervisory control theory of discrete-event systems postulated in (Ramadge and Wonham, 1987; Cassandras and Lafortune, 2004). Supervisory control theory studies automatic synthesis of models of supervisory control software that provide for safe and nonblocking behavior of the controlled system by coordinating high-level discrete-event behavior of the concurrent system components.

Supervisory controllers rely on discrete-event observations made regarding the discrete-event system behavior by using sensory information, as depicted in Figure 1. Based upon the observed signals, these controllers decide which activities are allowed to be carried out safely and do not lead to potentially dangerous or otherwise undesired situations, and send back control signals to the hardware actuators. Under the assumption that the supervisory controller can react sufficiently fast on machine input, one can model this supervisory control feedback loop as a pair of synchronizing processes in line with (Ramadge and Wonham, 1987; Cassandras and Lafortune, 2004). The model of the uncontrolled system is typically referred to as plant and it is restricted by the model of the supervisory controller, which is referred to as supervisor. The coupling of the supervisor and the plant results in the supervised plant, which models the supervisory control loop, i.e., it specifies the behavior of the controlled system.
Traditionally, the activities of the machine are modeled as discrete events, whereas the supervisor is a process that synchronizes with the plant. The supervisor can enable or disable available events in the plant by synchronizing or not synchronizing with them, respectively. The events are split into controllable and uncontrollable events, the former typically modeling interaction with actuators, whereas the latter model observation of sensory information. Therefore, the supervisor is allowed to disable controllable events, e.g., if the boiler pressure is above the safe threshold, then the heater should be switched off, but it is not allowed to disable any available uncontrollable events, e.g., by ignoring the pressure sensor of the boiler, one reaches a potentially dangerous situation.

[Figure 1: a layered block diagram with the layers User, Supervisory control, Resource control and Transducers, and the blocks Main structure, Coordinating, Processing, Driving, Conditioning, Actuators, Sensors, Tasks and Resources.]
Figure 1: Supervisory control architecture.

Markovski, J. Controllability for Nondeterministic Finite Automata with Variables. DOI: 10.5220/0004430604380446. In Proceedings of the 8th International Joint Conference on Software Technologies (ICSOFT-PT-2013), pages 438-446. ISBN: 978-989-8565-68-6. Copyright © 2013 SCITEPRESS (Science and Technology Publications, Lda.)

Figure 2: Supervisory control feedback loop with data-based observations.
Additionally, the supervised plant must also satisfy a given set of control requirements, which model the safe or allowed behavior of the machine. Furthermore, it is typically required that the supervised plant is nonblocking, meaning that it comprises no deadlock and no livelock behavior. To this end, every state is required to be able to reach a so-called marked or final state, following the notation of (Ramadge and Wonham, 1987; Cassandras and Lafortune, 2004), which denotes the situation that the plant is considered to have successfully completed its execution. The conditions that define the existence of such a supervisor are referred to as (nonblocking) controllability conditions. In the setting of this paper we will not consider in detail the process of modeling and ensuring that the (nonblocking) control requirements hold for the given plant and, instead, we refer the reader to the model-based engineering framework of (Schiffelers et al., 2009; Markovski et al., 2010).
Depending on the observational power of the supervisor, we deal with event-based supervision, studied in (Ramadge and Wonham, 1987), state-based supervision as studied in (Ma and Wonham, 2005; Markovski et al., 2010), or data-based supervision along the lines of (Miremadi et al., 2008; Markovski, 2012b), respectively. The first approach relies on building a history of observed events to deduce the state of the system as suggested in (Cassandras and Lafortune, 2004), whereas the second and the third approaches employ observers and guards that directly convey the state of the system to the supervisor in the vein of (Ma and Wonham, 2005; Markovski, 2012b), as depicted in Figure 2. With respect to the control architecture of Figure 1, the second and the third approach suggest that the interface between the layers of resource and supervisory control is unified, e.g., by employing shared variables or publisher/subscriber services, which is typical for implementations in the artificial intelligence domain. The event-based approach suggests direct observation of activities of the system, which are typically triggered by the system to be supervised, relying on some input/output interface. The extensions of supervisory control theory with variables and data aim at a two-fold improvement: more concise specification due to parametrization of the systems, as suggested in (Chen and Lin, 2000; Miremadi et al., 2008), and greater expressiveness and modeling convenience, as shown in (Skoldstam et al., 2007; Gaudin and Deussen, 2007). The extensions range over the most prominent models of discrete-event systems like finite-state machines developed in (Chen and Lin, 2000), labeled transition systems, considered in (Markovski, 2012b), and automata extensions, provided in (Skoldstam et al., 2007; Gaudin and Deussen, 2007).
With the development of new models, the original notion of controllability for deterministic discrete-event systems of (Ramadge and Wonham, 1987; Cassandras and Lafortune, 2004) is subsequently extended to the corresponding settings with variables and data parameters. We note that controllability is originally defined as a language-based property and, thus, meant for deterministic discrete-event systems. Extensions of controllability for parameterized languages are proposed in (Chen and Lin, 2000; Gaudin and Deussen, 2007). For nondeterministic discrete-event systems, there are several proposed notions, relying on commonly observed traces in (Fabian and Lennartson, 1996; Zhou et al., 2006), failure semantics in (Overkamp, 1997), or (bi)simulation semantics in (Baeten et al., 2011b). For nondeterministic extended finite automata with variables, introduced in (Skoldstam et al., 2007), the proposed notion of so-called state controllability of (Miremadi et al., 2008) relies on an extension of the work of (Fabian and Lennartson, 1996). Both works of (Overkamp, 1997) and (Baeten et al., 2011b) rely on preorder behavioral relations to formulate the notion of controllability, the former relying on failure-trace semantics, whereas the latter is (bi)simulation-based. Even though it has been argued that refinements based on these two types of semantics have similar properties, cf. (Eshuis and Fokkinga, 2002), (bi)simulation-based refinements are finer notions that are supported by more efficient algorithms, like (Markovski, 2012a), which have already been employed in a supervisory control setting (Barrett and Lafortune, 1998).
To capture the notion of controllability, we rely on a behavioral preorder termed partial bisimulation, first introduced in the co-algebraic characterization of (Rutten, 2000) and, subsequently, lifted to a process theory in (Baeten et al., 2011b). In essence, we employ this preorder to state a relation between the supervised plant and the original plant allowing controllable events to be simulated, while requiring that uncontrollable events are bisimulated. This ensures that the supervisor does not disable uncontrollable events, while preserving the branching structure of the plant. We will show that this notion subsumes the notion of state controllability for finite automata with variables. Moreover, we will show that state controllability is not a preorder and that some plants are considered as uncontrollable, even though there exist suitable supervisory controllers. Finally, by employing the proposed notion of controllability, we will show that it is possible to eliminate spurious plant nondeterminism, i.e., nondeterminism can be eliminated without sacrificing supervised plant behavior.

$$\frac{s \xmapsto{a} s', \quad v_\delta(\gamma(s,a,s')) = \mathrm{T}, \quad \delta'(X) = \begin{cases} e_\delta(\alpha((s,a,s'),X)), & \text{if } ((s,a,s'),X) \in D(\alpha) \\ \delta(X), & \text{otherwise} \end{cases}}{(s,\delta) \xrightarrow{a} (s',\delta')}$$
Figure 3: Operational semantics of finite automata with variables.
2 FINITE AUTOMATA WITH VARIABLES
In order to directly relate our notion of controllability with previous work, we model nondeterministic discrete-event systems by means of finite automata with variables. For a full treatment of supervisory control theory in a process-theoretic setting, we refer to (Baeten et al., 2011b; Baeten et al., 2011a; Markovski, 2012b) for event-, state-, and data-based supervision, respectively. In general, we allow arbitrary variable domains, even though variables with finite domains can be eliminated in order to employ more efficient synthesis procedures, as suggested in (Skoldstam et al., 2007). We suppose that the variables are given by the set $\mathcal{V}$, where given a variable $X \in \mathcal{V}$, its domain is denoted by $D(X)$. (Standard arithmetical) expressions over a set of variables $V \subseteq \mathcal{V}$ are denoted by $F(V)$ and they are evaluated with respect to $e_\delta : F(V) \to D(V)$, where $\delta : V \to D(V)$ holds the variable assignments. We note that for the sake of clarity of presentation, we do not take into consideration the expressions that do not evaluate within the variable domain; extensions to inconsistent processes can be handled by a straightforward extension of the approach of (Baeten et al., 2011a). By $B(V)$ we denote Boolean expressions over the set of variables $V \subseteq \mathcal{V}$, where the atomic propositions are given by some set of predefined predicates, the logical constants false $\mathrm{F}$ and true $\mathrm{T}$, and the set of standard logical operators. The obtained Boolean expressions are evaluated with respect to a given valuation $v_\delta : B(V) \to \{\mathrm{F}, \mathrm{T}\}$, where again $\delta : V \to D(V)$.
Definition 1. A finite automaton with variables $G$ is given by the tuple $G = (S, A, V, \mapsto, \gamma, \alpha, (s_0,\delta_0))$, where
- $S$ is a finite set of states;
- $A$ is a finite set of event labels;
- $V \subseteq \mathcal{V}$ is a finite set of variables;
- ${\mapsto} \subseteq S \times A \times S$ is a labeled transition relation;
- $\gamma : {\mapsto} \to B(V)$ are transition guards;
- $\alpha : ({\mapsto} \times V) \to F(V)$ is a partial updating function; and
- $(s_0,\delta_0)$ is the initial state $s_0 \in S$ and initial data assignment $\delta_0 : V \to D(V)$.
If the set of variables of a finite automaton with variables $G$, as given by Definition 1, is empty, then $G$ is a standard automaton with labeled transitions. For the transition relations, we will employ infix notation and write $s \xmapsto{a} s'$ for $(s,a,s') \in {\mapsto}$.

The dynamics of the finite automaton with variables $G$ is given by the transition relation ${\rightarrow} \subseteq S \times (V \to D(V)) \times A \times S \times (V \to D(V))$, which is determined by the actual evaluation of the guards with respect to the value assignments. In order to keep track of the updated variable values, we employ the data assignment function $\delta : V \to D(V)$. Now, the semantics of $G$ is given by $\rightarrow$, where initially the automaton is in state $s_0$ with environment $\delta_0$, denoted by $(s_0,\delta_0)$. The dynamics of $(s,\delta)$ is captured by the operational rule depicted in Figure 3, following the notation of structural operational semantics of (Baeten et al., 2010), where the premise must hold so that the bottom transition can be taken.

The rule states that a transition is possible if such a labeled transition is defined in the automaton and the guard of that transition evaluates to true, whereas the variables are updated according to the partial updating function. It is not difficult to observe that the transition relation $\rightarrow$ induces a labeled transition system with state space $S \times D(V)$, set of labels $A$, and initial state $(s_0,\delta_0)$.
ICSOFT2013-8thInternationalJointConferenceonSoftwareTechnologies
440
$$(s_1,s_2) \xmapsto{a} \begin{cases} (s_1', s_2), & \text{if } s_1 \xmapsto{a}_{1} s_1',\ a \in A_1 \setminus A_2 \\ (s_1, s_2'), & \text{if } s_2 \xmapsto{a}_{2} s_2',\ a \in A_2 \setminus A_1 \\ (s_1', s_2'), & \text{if } s_1 \xmapsto{a}_{1} s_1',\ s_2 \xmapsto{a}_{2} s_2',\ a \in A_1 \cap A_2 \end{cases}$$

$$\gamma((s_1,s_2),a,(s_1',s_2')) = \begin{cases} \gamma_1(s_1,a,s_1'), & \text{if } s_1 \xmapsto{a}_{1} s_1',\ a \in A_1 \setminus A_2 \\ \gamma_2(s_2,a,s_2'), & \text{if } s_2 \xmapsto{a}_{2} s_2',\ a \in A_2 \setminus A_1 \\ \gamma_1(s_1,a,s_1') \wedge \gamma_2(s_2,a,s_2'), & \text{if } s_1 \xmapsto{a}_{1} s_1',\ s_2 \xmapsto{a}_{2} s_2',\ a \in A_1 \cap A_2 \end{cases}$$

$$\alpha(((s_1,s_2),a,(s_1',s_2')),X) = \begin{cases} \alpha_1((s_1,a,s_1'),X), & \text{if } ((s_1,a,s_1'),X) \in D(\alpha_1),\ ((s_2,a,s_2'),X) \notin D(\alpha_2) \\ \alpha_2((s_2,a,s_2'),X), & \text{if } ((s_2,a,s_2'),X) \in D(\alpha_2),\ ((s_1,a,s_1'),X) \notin D(\alpha_1) \\ \alpha_1((s_1,a,s_1'),X), & \text{if } ((s_1,a,s_1'),X) \in D(\alpha_1),\ ((s_2,a,s_2'),X) \in D(\alpha_2),\ \alpha_1((s_1,a,s_1'),X) = \alpha_2((s_2,a,s_2'),X) \end{cases}$$
Figure 4: Definition of $\mapsto$, $\gamma$, and $\alpha$ of Definition 3.
$$((s_1,\delta_1),(s_2,\delta_2)) \xrightarrow{a} \begin{cases} ((s_1',\delta_1'),(s_2,\delta_2)), & \text{if } (s_1,\delta_1) \xrightarrow{a}_{1} (s_1',\delta_1'),\ a \in A_1 \setminus A_2 \\ ((s_1,\delta_1),(s_2',\delta_2')), & \text{if } (s_2,\delta_2) \xrightarrow{a}_{2} (s_2',\delta_2'),\ a \in A_2 \setminus A_1 \\ ((s_1',\delta_1'),(s_2',\delta_2')), & \text{if } (s_1,\delta_1) \xrightarrow{a}_{1} (s_1',\delta_1'),\ (s_2,\delta_2) \xrightarrow{a}_{2} (s_2',\delta_2'),\ a \in A_1 \cap A_2 \end{cases}$$
Figure 5: Definition of $\rightarrow$ of Proposition 1.
Definition 2. Given an automaton with variables $G = (S, A, V, \mapsto, \gamma, \alpha, (s_0,\delta_0))$, we define the induced labeled transition system by $T(G) = (S \times D(V), A, \rightarrow, (s_0,\delta_0))$, where:
- $S \times D(V)$ is the set of states;
- $A$ is the set of events taken over from $G$;
- ${\rightarrow} \subseteq S \times (V \to D(V)) \times A \times S \times (V \to D(V))$ is the instantiated labeled transition relation as given by the operational rule of Figure 3; and
- $(s_0,\delta_0)$ is the initial state of the labeled transition system, induced by the initial state of $G$ and its initial variable valuation.

If the set of variables is empty, i.e., $V = \emptyset$, then $\mapsto$ and $\rightarrow$ coincide, provided that the (then trivial) transition guards are set to be true, and $G$ reduces to a standard automaton.
In order to define the language generated by automaton $G$, we extend the transition relation $\rightarrow$ to a multistep transition relation $\rightarrow^{*}$. By $A^{*}$ we define the set of strings made from the labels in $A$ that label the transitions of $\rightarrow$, where $\varepsilon$ denotes the empty string and $st$ denotes the concatenation of the strings $s$ and $t$ for $s, t \in A^{*}$. Now, the multistep transition relation is given by the operational rules (1):
$$\frac{}{(s,\delta) \xrightarrow{\varepsilon}{}^{*} (s,\delta)} \qquad \frac{(s,\delta) \xrightarrow{t}{}^{*} (s'',\delta''), \quad (s'',\delta'') \xrightarrow{a} (s',\delta')}{(s,\delta) \xrightarrow{ta}{}^{*} (s',\delta')}\ \ t \in A^{*},\ a \in A \qquad (1)$$
By $(s,\delta) \xrightarrow{t}{}^{*}$ we denote that there exists $(s',\delta')$ such that $(s,\delta) \xrightarrow{t}{}^{*} (s',\delta')$. Now, the language generated by the automaton $G$ is given by $L(G)$, where $L(G) = \{\, t \in A^{*} \mid (s_0,\delta_0) \xrightarrow{t}{}^{*} \,\}$.
In order to couple the plant and the supervisor, we define a synchronous composition of two automata that synchronizes on transitions with the same labels and interleaves on the other transitions. We note that, in general, the synchronous composition cannot be defined due to conflicts induced by the partial assignment functions $\alpha$. A simple counterexample is the situation where two automata need to synchronize on transitions with the same label that update the same variable to two different values, as noted in (Skoldstam et al., 2007). Again, for the sake of clarity, we do not consider conflicting situations, which are easily detectable as none of the conditions for the partial updating functions in Definition 3 apply.
Definition 3. Let $G_1 = (S_1, A_1, V_1, \mapsto_1, \gamma_1, \alpha_1, (s_{01},\delta_0))$ and $G_2 = (S_2, A_2, V_2, \mapsto_2, \gamma_2, \alpha_2, (s_{02},\delta_0))$. The synchronous composition of $G_1$ and $G_2$ is given by $G_1 \parallel G_2 = (S_1 \times S_2, A_1 \cup A_2, V_1 \cup V_2, \mapsto, \gamma, \alpha, ((s_{01},s_{02}),\delta_0))$, where $\mapsto$, $\gamma$, and $\alpha$ are defined in Figure 4, where $\wedge$ denotes logical conjunction.
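As an added example (this is not code from the paper or from any of the cited tools), the operational rule of Figure 3, the induced transition system $T(G)$ of Definition 2, trace membership via the multistep relation (1) and the synchronous composition of Definition 3 / Figure 4 are made executable in Python below. The representation of guards and updates as Python expression strings evaluated on a valuation, the conflict check that raises when no case of $\alpha$ in Figure 4 applies, and the sample machine, data-based supervisor and conflicting component are all assumptions of this example.

```python
from collections import deque

def evaluate(expr, delta):
    """Evaluate a guard (B(V)) or update expression (F(V)) on valuation delta.
    Expressions are Python expression strings over the variable names; this
    representation and the restricted eval on trusted, hand-written model text
    are assumptions of this example (a real tool would use its own parser)."""
    return eval(expr, {"__builtins__": {}}, dict(delta))

def freeze(delta):
    """Hashable form of a valuation delta: V -> D(V)."""
    return tuple(sorted(dict(delta).items()))

class FAV:
    """Finite automaton with variables, Definition 1:
    G = (S, A, V, ->, gamma, alpha, (s0, delta0)); a missing guard is true."""
    def __init__(self, states, events, variables, trans, guard, update, s0, delta0):
        self.states, self.events = frozenset(states), frozenset(events)
        self.variables = frozenset(variables)
        self.trans = frozenset(trans)       # (s, a, s') triples
        self.guard = dict(guard)            # (s, a, s') -> Boolean expression
        self.update = dict(update)          # ((s, a, s'), X) -> expression, partial
        self.init = (s0, freeze(delta0))

def step(g, s, delta):
    """Operational rule of Figure 3: all (a, (s', delta')) with (s, delta) -a-> (s', delta')."""
    out = []
    for t in g.trans:
        p, a, q = t
        if p != s or not evaluate(g.guard.get(t, "True"), delta):
            continue
        new = dict(delta)
        for X in g.variables:
            if (t, X) in g.update:          # ((s,a,s'),X) in D(alpha): update, else keep delta(X)
                new[X] = evaluate(g.update[(t, X)], delta)
        out.append((a, (q, freeze(new))))
    return out

def lts(g):
    """Reachable part of T(G) (Definition 2): (states, transitions)."""
    seen, trans, todo = {g.init}, set(), deque([g.init])
    while todo:
        s, delta = todo.popleft()
        for a, nxt in step(g, s, delta):
            trans.add(((s, delta), a, nxt))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen, trans

def in_language(g, trace):
    """Membership of a trace in L(G), following the multistep relation (1)."""
    current = {g.init}
    for a in trace:
        current = {nxt for s, d in current for b, nxt in step(g, s, d) if b == a}
        if not current:
            return False
    return True

def sync(g1, g2):
    """Synchronous composition G1 || G2 of Definition 3 / Figure 4.  Raises ValueError
    on a conflict: a shared transition whose components update one variable differently."""
    trans, guard, update = set(), {}, {}
    variables = g1.variables | g2.variables
    def add(src, a, dst, parts):            # parts: [(component, component transition)]
        t = (src, a, dst)
        trans.add(t)
        guard[t] = " and ".join("(%s)" % c.guard.get(ct, "True") for c, ct in parts)
        for X in variables:
            exprs = [c.update[(ct, X)] for c, ct in parts if (ct, X) in c.update]
            if len(set(exprs)) > 1:         # no case of alpha in Figure 4 applies
                raise ValueError("conflicting updates of %s on %r: %s" % (X, t, exprs))
            if exprs:
                update[(t, X)] = exprs[0]
    for (p1, a, q1) in g1.trans:
        if a not in g2.events:                              # a in A1 \ A2: interleave
            for s2 in g2.states:
                add((p1, s2), a, (q1, s2), [(g1, (p1, a, q1))])
        else:                                               # a in A1 and A2: synchronise
            for (p2, b, q2) in g2.trans:
                if b == a:
                    add((p1, p2), a, (q1, q2), [(g1, (p1, a, q1)), (g2, (p2, a, q2))])
    for (p2, a, q2) in g2.trans:
        if a not in g1.events:                              # a in A2 \ A1: interleave
            for s1 in g1.states:
                add((s1, p2), a, (s1, q2), [(g2, (p2, a, q2))])
    states = {(x, y) for x in g1.states for y in g2.states}
    delta0 = {**dict(g1.init[1]), **dict(g2.init[1])}
    return FAV(states, g1.events | g2.events, variables, trans, guard, update,
               (g1.init[0], g2.init[0]), delta0)

def conflicts(g1, g2):
    """True when G1 || G2 is not well-defined (Skoldstam et al., 2007)."""
    try:
        sync(g1, g2)
        return False
    except ValueError:
        return True

# Constructed sample (not from the paper): a machine holding at most two jobs, counted
# by n, and a data-based supervisor that only lets 'start' happen while n == 0.
MACHINE = FAV(
    states={"idle", "busy"}, events={"start", "finish"}, variables={"n"},
    trans={("idle", "start", "busy"), ("busy", "start", "busy"), ("busy", "finish", "idle")},
    guard={("idle", "start", "busy"): "n < 2", ("busy", "start", "busy"): "n < 2"},
    update={(("idle", "start", "busy"), "n"): "n + 1",
            (("busy", "start", "busy"), "n"): "n + 1",
            (("busy", "finish", "idle"), "n"): "n - 1"},
    s0="idle", delta0={"n": 0})
SUPERVISOR = FAV(states={"q"}, events={"start"}, variables={"n"}, trans={("q", "start", "q")},
                 guard={("q", "start", "q"): "n == 0"}, update={}, s0="q", delta0={"n": 0})
# A component that resets n on 'start': composing it with MACHINE is a conflict.
RESETTER = FAV(states={"q"}, events={"start"}, variables={"n"}, trans={("q", "start", "q")},
               guard={}, update={(("q", "start", "q"), "n"): "0"}, s0="q", delta0={"n": 0})
SUPERVISED = sync(MACHINE, SUPERVISOR)   # P || S of the sample
```

The supervisor carries the plant variable `n` in its own variable set but no update for it, which is exactly the shape of the supervisor automaton (3) below: its guards read plant data, its $\alpha$ is empty, so composing it with the plant can never raise the conflict that `RESETTER` triggers. `lts(MACHINE)` has four reachable states while `lts(SUPERVISED)` has two, and the trace `start start` is in $L(\mathrm{MACHINE})$ but not in $L(\mathrm{SUPERVISED})$.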
Definition 3 is given directly in terms of automata with variables, unlike the work of (Skoldstam et al., 2007), where it is given in terms of the underlying labeled transition system. Now, given two finite automata with variables $G_1$ and $G_2$, we can derive the underlying transition systems $T(G_1)$ and $T(G_2)$. It is not difficult to show that $T(G_1 \parallel G_2)$ coincides with $T(G_1) \parallel T(G_2)$, where the synchronization on the relation $\rightarrow$ is defined as for $\mapsto$.
Proposition 1. Let $G_i = (S_i, A_i, V_i, \mapsto_i, \gamma_i, \alpha_i, (s_{0i},\delta_0))$ for $i \in \{1,2\}$ be such that $G_1 \parallel G_2$ is well-defined. Let $(S_i \times \delta_i, A_i, \rightarrow_i, (s_{0i},\delta_0))$ be the underlying labeled transition systems, where $\rightarrow_i$ is induced by the operational rule of Figure 3 and $\delta_i : V_i \to D(V_i)$, for $i \in \{1,2\}$. Let $T(G_1) \parallel T(G_2) = ((S_1 \times \delta_1) \times (S_2 \times \delta_2), A_1 \cup A_2, \rightarrow, ((s_{01},\delta_0),(s_{02},\delta_0)))$, where $\rightarrow$ is defined as in Figure 5. Then, $T(G_1 \parallel G_2)$ is isomorphic to $T(G_1) \parallel T(G_2)$.
The proof of Proposition 1 is meticulous, but straightforward, by showing that the constructions given in Definition 3 form a transition system isomorphic to the one defined in the proposition. It is worthwhile noting that the definition of $\rightarrow$ in Proposition 1 does not impose an additional condition for the situation when $((s_1,\delta_1),(s_2,\delta_2)) \xrightarrow{a} ((s_1',\delta_1'),(s_2',\delta_2'))$ that $\delta_1'$ and $\delta_2'$ should coincide on the common updated variables. This is directly implied by the construction of $\alpha$ in Definition 3.

A direct corollary of Definition 3 and Proposition 1 is that the language of the synchronization is an intersection of the languages of the components of the composition, i.e., $L(G_1 \parallel G_2) = L(G_1) \cap L(G_2)$. This enables a connection with the original supervisory control theory of finite automata of (Ramadge and Wonham, 1987; Cassandras and Lafortune, 2004).
3 CONTROLLABILITY
Given an automaton with a set of labels $A$, we split the labels into a set of controllable $C$ and uncontrollable $U$ labels such that $C \cap U = \emptyset$ and $C \cup U = A$. To model the plant we can take an unrestricted finite automaton with variables
$$P = (S_P, A_P, V_P, \mapsto_P, \gamma_P, \alpha_P, (s_{0P},\delta_0)), \qquad (2)$$
as the uncontrolled system is allowed to have every possible type of behavior. We note that the plant is typically obtained as a (well-defined) parallel composition of multiple concurrent components, which ultimately results in the process modeled by $P$.
The supervisor, however, is required to be a deterministic process, as it has to send unambiguous feedback to the plant and it is not allowed to alter the state of the plant, i.e., it must not comprise variable assignments, as suggested in (Markovski, 2012b). The supervisor can rely either on synchronization of events that keeps the history of the plant, as in the original setting of (Ramadge and Wonham, 1987; Cassandras and Lafortune, 2004), or on data observation from the plant to make supervision decisions in the vein of (Miremadi et al., 2008; Markovski, 2012b). In both cases, we can assume that the supervisor is given as a deterministic automaton
$$S = (S_S, A_S, V_S, \mapsto_S, \gamma_S, \emptyset, (s_{0S},\delta_0)), \qquad (3)$$
where $C \subseteq A_S \subseteq A_P$, $V_S \subseteq V_P$, and the labeled transition function $\mapsto_S$ is such that if $s \xmapsto{a}_{S} s'$ and $s \xmapsto{a}_{S} s''$, then $s' = s''$ for every $s, s', s'' \in S_S$ and $a \in A_S$.

We note that the supervisor can choose not to synchronize on some uncontrollable event from the plant, but its alphabet must comprise all controllable events as the supervisor must supply the control signals. Furthermore, the supervisor has no need of additional variables, as it does not update any variables, i.e., $\alpha_S = \emptyset$. Consequently, there is never a conflict in the synchronization between the plant and the supervisor, and the composition $P \parallel S$ is well-defined. If the supervisor does not rely on data-based observations, but employs synchronization of events to keep track of the state of the plant, then additionally $\gamma_S(s,a,s') = \mathrm{T}$ for all $(s,a,s') \in {\mapsto_S}$.
The composition $P \parallel S$ models the supervised plant, i.e., the behavior of the controlled system as given by the supervisory feedback loop of Figure 2. We note that the transition system of the supervised plant is
$$T(P \parallel S) = (S_P \times S_S \times \delta_P, A_P, \rightarrow, (s_{0P}, s_{0S}, \delta_0)), \qquad (4)$$
where $\delta_P : V_P \to D(V_P)$ and $\rightarrow$ is defined by the operational rule of Figure 3.
To state that the supervisor has no control over the uncontrollable events, the language-based controllability of the original setting of (Ramadge and Wonham, 1987; Cassandras and Lafortune, 2004) is stated as:
$$L(P \parallel S)\,U \cap L(P) \subseteq L(P \parallel S), \qquad (5)$$
where $L(P \parallel S)\,U$ denotes the concatenation of the language of the supervised plant and the set of uncontrollable labels. Intuitively, the controllability relation (5) demands that all uncontrollable events available in reachable states of the original plant by traces enabled by the supervisor must also be available in the supervised plant. This ensures that the supervisor does not disable any uncontrollable events when forming the supervised plant.
This definition has been subsequently extended to so-called state controllability in (Fabian and Lennartson, 1996; Zhou et al., 2006; Miremadi et al., 2008) for nondeterministic discrete-event systems (with variables). Given an automaton $G = (S, A, V, \mapsto, \gamma, \alpha, (s_0,\delta_0))$ with a transition relation $\rightarrow$, let $E(s,\delta)$ denote the set of enabled transitions of the state $(s,\delta)$ for $s \in S$ and $\delta : V \to D(V)$, i.e., $E(s,\delta) = \{\, a \in A \mid (s,\delta) \xrightarrow{a} \,\}$.
Definition 4. Let $P$ and $S$ be finite automata with variables, representing the plant and the supervisor. A state $(s_P, (s_P, s_S), \delta_P)$ of the transition system $T(P \parallel (P \parallel S))$ is defined as controllable, if it holds that
$$A_S \cap U \cap E(s_P,\delta_P) \subseteq E((s_P, s_S),\delta_P).$$
A plant $P$ is state controllable with respect to $S$ if and only if all reachable states of $T(P \parallel (P \parallel S))$ are state controllable.
Intuitively, the parallel composition of the plant and the supervised plant helps identify all states in the original and the supervised plant that can be reached by the same trace. According to Definition 4, controllable states ensure that all uncontrollable events that are synchronized between the plant and the supervisor, given by $A_S \cap U$, that are also enabled in the reached plant state $(s_P,\delta_P)$ by following the same trace, must be enabled in the reached supervised plant state $((s_P,s_S),\delta_P)$. Note that both states must have the same variable assignment function $\delta_P$, as the supervisor has an empty updating function, so it does not influence the updating of the variables. We note that the definition relies on the underlying transition system, employing it to identify the necessary control actions. It is not difficult to show that state controllability implies language controllability, as given in (5), for deterministic automata, see (Skoldstam et al., 2007). The key observation is that $P \parallel P$ coincides with $P$ for deterministic systems, implying that $P \parallel S$ can act as a supervisor and lead to the same supervised behavior as $S$.
Here, we take a closer look at the state controllability condition for nondeterministic plants. The condition of Definition 4 essentially requires that all states that are reachable by the same trace must also enable the same uncontrollable events. This proves to be too strict in some situations. Consider the automata depicted in Figure 6, where state names are given inside the circles, all guards are set to be true, there are no variables, the event labeled by $c$ is controllable, whereas the events labeled by $u_1$ and $u_2$ are uncontrollable. Suppose that a plant is given by automaton $P$ and a supervisor by automaton $S$. As the supervisor does not disable any events, we can assume that the control requirements do not restrict the behavior of the plant, i.e., the supervised plant depicted by automaton $P \parallel S$ coincides with the plant. In such reflexive situations, it is always possible to find a supervisor that simply allows all events of the plant, trivially "controlling" the plant.
Now, putting in parallel plant $P$ and supervised plant $P \parallel S$ leads to automaton $P \parallel (P \parallel S)$ as depicted in Figure 6. This parallel composition reveals that states $p_2$ of $P$ and $(p_3, s_2)$ of $P \parallel S$ are reachable by the same trace. However, state $(p_2, \emptyset)$ of the transition system $T(P)$ enables the uncontrollable transition labeled by $u_1$, whereas state $((p_3,s_2),\emptyset)$ of transition system $T(P \parallel S)$ enables only the uncontrollable transition labeled by $u_2$. This directly implies that plant $P$ is state uncontrollable with respect to $P \parallel S$, i.e., it is not state controllable with respect to itself. Thus, state controllability is not a preorder relation, as plants that have states that enable different sets of uncontrollable events in states that can be reached by the same trace are deemed uncontrollable, despite the existence of a trivial supervisor that enables all transitions.
4 PARTIAL BISIMULATION
We propose to employ the behavioral relation termed partial bisimulation to define controllability for finite automata with variables. Partial bisimulation was first introduced in (Rutten, 2000) to capture language controllability in a coalgebraic setting. It was lifted in (Baeten et al., 2011b) to a process theory for supervisory control of nondeterministic discrete-event systems. Here, we provide an interpretation for finite automata with variables and discuss its relationship with state controllability.
Partial bisimulation is parameterized by a so-called bisimulation action set $B$. The relation requires that the labeled transitions of the first transition system are simulated by the second transition system, whereas only the labels of the second transition system that are in the bisimulation action set $B$ are bisimulated back by the first one. The intuition behind this definition is that the bisimulation action set plays the role of the uncontrollable actions that must always be enabled both in the original and the supervised plant, whereas it is sufficient to only simulate controllable events, as these can be restricted by the supervisor.
Definition 5. Let $T_i = (S_i, A_i, \rightarrow_i, s_{0i})$ for $i \in \{1,2\}$ be two transition systems. A relation $R \subseteq S_1 \times S_2$ is said to be a partial bisimulation with respect to a bisimulation action set $B \subseteq A_2$, if for all $(s_1,s_2) \in R$, it holds that:
1. if $s_1 \xrightarrow{a} s_1'$ for $a \in A_1$ and $s_1' \in S_1$, then there exist $a \in A_2$ and $s_2' \in S_2$ such that $s_2 \xrightarrow{a} s_2'$ and $(s_1',s_2') \in R$;
2. if $s_2 \xrightarrow{b} s_2'$ for $b \in B$ and $s_2' \in S_2$, then there exist $b \in A_1$ and $s_1' \in S_1$ such that $s_1 \xrightarrow{b} s_1'$ and $(s_1',s_2') \in R$;
ControllabilityforNondeterministicFiniteAutomatawithVariables
443
p
1
p
2
p
3
p
5
p
4
c c
u
1
u
2
p
1
s
1
p
2
s
2
p
3
s
2
p
5
s
4
p
4
s
3
c c
u
1
u
2
s
1
s
2
s
4
s
3
c
u
1
u
2
P = S = P || S =
c c
u
1
u
2
P || (P || S) =
p
1
p
1
s
1
p
2
p
2
s
2
p
3
p
3
s
2
p
4
p
4
s
3
p
5
p
5
s
4
p
2
p
3
s
2
p
3
p
2
s
2
c
Figure 6: A nondeterministic plant P, a deterministic supervisor S, and the resulting state uncontrollable nondeterministic
supervised plant P k S.
If $R$ is a partial bisimulation relation such that $(s_{01},s_{02}) \in R$, then $T_1$ is partially bisimilar to $T_2$ with respect to $B$ and we write $T_1 \preceq_B T_2$. If $T_2 \preceq_B T_1$ holds as well, we write $T_1 \simeq_B T_2$.

We note that due to condition 1. of Definition 5, it must hold that $A_1 \subseteq A_2$, whereas due to condition 2. it holds that $B \subseteq A_1$ as well. It is not difficult to show that partial bisimilarity is a preorder relation (Baeten et al., 2011b). In addition, following the guidelines of (Rutten, 2000), it can be shown that $\preceq_B$ is a partial bisimulation relation with respect to $B$. Thus, we obtain standard results for the partial bisimulation preorder and equivalence, similarly as for the simulation preorder and equivalence of (Glabbeek, 2001). Moreover, the partial bisimulation preorder is shown a precongruence for the most prominent process operations following the guidelines of (Baeten et al., 2011b). Finally, we note that $T_1 \simeq_{A_1 \cup A_2} T_2$ amounts to bisimulation, whereas $T_1 \preceq_{\emptyset} T_2$ reduces to simulation preorder and $T_1 \simeq_{\emptyset} T_2$ reduces to simulation equivalence, as noted in (Baeten et al., 2011b).
Now, suppose that, as before, the plant is given by finite automaton with variables $P$, whereas the supervisor is given by $S$, and the supervised plant is given by $P \parallel S$. Then, the supervisor may restrict some controllable events from the plant, whereas all available uncontrollable events in the reachable states should be enabled. This can be expressed by requesting that the transition system of the supervised plant is partially bisimulated by the transition system of the original plant with respect to the uncontrollable events, i.e.,
$$T(P \parallel S) \preceq_U T(P). \qquad (6)$$
It is immediate that $T(P) \preceq_U T(P)$, when $P \parallel S$ coincides with $P$ as in the example of Figure 6. It is also not difficult to show that for deterministic processes, relation (6) reduces to language controllability of (5), see (Rutten, 2000; Baeten et al., 2011b). Next, we show that controllability as defined in (6) by means of partial bisimulation is a coarser notion than state controllability of Definition 4.
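The following added Python example (not code from the paper) checks both notions on the transition systems of Figure 6, which have no variables and true guards, so $T(P) = P$: state controllability of Definition 4 is checked on the reachable states of $P \parallel (P \parallel S)$, and relation (6) is checked by refining $S_1 \times S_2$ to the greatest partial bisimulation with respect to $U$ (Definition 5) and testing whether it relates the initial states. The transitions of $P$ and $S$ are read from Figure 6 and the surrounding text; `S_BAD`, a supervisor that keeps $u_2$ in its alphabet but never synchronizes on it, is a constructed variant used to show how a disabled uncontrollable event is detected by (6).

```python
from collections import deque

# A labeled transition system is (states, labels, transitions, initial state), with
# transitions a set of (s, a, s') triples.  P and S are the automata of Figure 6.
P = ({"p1", "p2", "p3", "p4", "p5"}, {"c", "u1", "u2"},
     {("p1", "c", "p2"), ("p1", "c", "p3"), ("p2", "u1", "p4"), ("p3", "u2", "p5")}, "p1")
S = ({"s1", "s2", "s3", "s4"}, {"c", "u1", "u2"},
     {("s1", "c", "s2"), ("s2", "u1", "s3"), ("s2", "u2", "s4")}, "s1")
U = {"u1", "u2"}                    # uncontrollable labels; c is controllable
# Constructed variant (not in the paper): u2 is in the alphabet of S_BAD but has no
# transition, so synchronising on it disables the uncontrollable event u2 in s2.
S_BAD = ({"s1", "s2", "s3"}, {"c", "u1", "u2"},
         {("s1", "c", "s2"), ("s2", "u1", "s3")}, "s1")

def succ(lts, s, a):
    """Targets of the a-labelled transitions leaving s."""
    return {q for (p, b, q) in lts[2] if p == s and b == a}

def enabled(lts, s):
    """E(s): the labels enabled in state s."""
    return {b for (p, b, q) in lts[2] if p == s}

def sync(t1, t2):
    """Reachable part of T1 || T2: synchronise on shared labels, interleave otherwise."""
    states1, labels1, _, init1 = t1
    states2, labels2, _, init2 = t2
    init = (init1, init2)
    seen, trans, todo = {init}, set(), deque([init])
    while todo:
        s1, s2 = todo.popleft()
        for a in labels1 | labels2:
            # a component must move exactly when a is in its alphabet
            nxt1 = succ(t1, s1, a) if a in labels1 else {s1}
            nxt2 = succ(t2, s2, a) if a in labels2 else {s2}
            for q in {(q1, q2) for q1 in nxt1 for q2 in nxt2}:
                trans.add(((s1, s2), a, q))
                if q not in seen:
                    seen.add(q)
                    todo.append(q)
    return seen, labels1 | labels2, trans, init

def state_controllable(plant, sup, unc):
    """Definition 4: every reachable state (p, (p', s)) of P || (P || S) satisfies
    A_S ∩ U ∩ E(p) ⊆ E((p', s))."""
    supervised = sync(plant, sup)
    product = sync(plant, supervised)
    for (p, q) in product[0]:
        if not (sup[1] & unc & enabled(plant, p)) <= enabled(supervised, q):
            return False
    return True

def partial_bisimilar(t1, t2, bset):
    """T1 <=_B T2 (Definition 5): start from S1 x S2 and drop every pair that violates
    condition 1 (simulation) or condition 2 (B-labels bisimulated back) until stable."""
    states1, labels1, _, init1 = t1
    states2, _, _, init2 = t2
    rel = {(x, y) for x in states1 for y in states2}
    changed = True
    while changed:
        changed = False
        for (x, y) in list(rel):
            simulated = all(any((x2, y2) in rel for y2 in succ(t2, y, a))
                            for a in labels1 for x2 in succ(t1, x, a))
            bisimulated_back = all(any((x2, y2) in rel for x2 in succ(t1, x, b))
                                   for b in bset for y2 in succ(t2, y, b))
            if not (simulated and bisimulated_back):
                rel.discard((x, y))
                changed = True
    return (init1, init2) in rel

if __name__ == "__main__":
    print("P state controllable w.r.t. S:", state_controllable(P, S, U))        # False
    print("T(P||S) <=_U T(P):", partial_bisimilar(sync(P, S), P, U))            # True
    print("T(P||S_BAD) <=_U T(P):", partial_bisimilar(sync(P, S_BAD), P, U))    # False
```

On Figure 6 the two checks disagree exactly as the text describes: `state_controllable(P, S, U)` fails on the product state $(p_2,(p_3,s_2))$, whereas `partial_bisimilar(sync(P, S), P, U)` holds because $P \parallel S$ coincides with $P$ and the preorder is reflexive. With `S_BAD`, the pair $((p_3,s_2), p_3)$ is dropped since $p_3 \xrightarrow{u_2} p_5$ cannot be bisimulated back, which then removes the initial pair, so (6) correctly rejects a supervisor that disables an uncontrollable event.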
Theorem 1. Let $P$ and $S$ be finite automata with variables representing the plant and the supervisor. If $P$ is state controllable with respect to $S$ according to Definition 4, then relation (6) holds.
Proof. Let us assume that $P = (S_P, A_P, V_P, \mapsto_P, \gamma_P, \alpha_P, (s_{0P}, \delta_0))$ and $S = (S_S, A_S, V_S, \mapsto_S, \gamma_S, \emptyset, (s_{0S}, \delta_0))$. We define the relation
$$R = \{ (((p, s), \delta_P), (p, \delta_P)) \mid \exists t \in A_P^* \colon (p_0, (p_0, s_0), \delta_0) \xrightarrow{t} (p, (p, s), \delta_P) \}.$$
We show that $R$ is a partial bisimulation relation between $T(P \parallel S)$ and $T(P)$ with respect to the uncontrollable labels $U \subseteq A_P$. Suppose that $(((p, s), \delta_P), (p, \delta_P)) \in R$ for some states $((p, s), \delta_P) \in S_P \times S_S \times (V_P \to D(V_P))$ and $(p, \delta_P) \in S_P \times (V_P \to D(V_P))$. Let $((p, s), \delta_P) \xrightarrow{a} ((p', s'), \delta'_P)$ for some $a \in A_P$. Then, according to Definition 3 and the operational rule of Figure 3, either $a \in A_P \setminus A_S$ or $a \in A_S$. In the former case, we have that $s = s'$, so $(p, \delta_P) \xrightarrow{a} (p', \delta'_P)$ and $(((p', s), \delta'_P), (p', \delta'_P)) \in R$. In the latter case, we have that $((p, s), \delta_P) \xrightarrow{a} ((p', s'), \delta'_P)$ for some $s' \in S_S$. However, since the updating function of the supervisor $S$ is empty and the action $a \in A_S$ is synchronizing, we again have that $(p, \delta_P) \xrightarrow{a} (p', \delta'_P)$ with $(((p', s'), \delta'_P), (p', \delta'_P)) \in R$.
Now, suppose that $(p, \delta_P) \xrightarrow{u} (p', \delta'_P)$ for some $u \in U$. Again, either $u \in U \setminus A_S$ or $u \in U \cap A_S$. If $u \notin A_S$, then $u$ is not a synchronizing label, implying that $((p, s), \delta_P) \xrightarrow{u} ((p', s), \delta'_P)$ with $(((p', s), \delta'_P), (p', \delta'_P)) \in R$. If $u$ is a synchronizing label, then by the condition for controllable states of Definition 4, we have $u \in E((s_P, s_S), \delta_P)$, i.e., $((p, s), \delta_P) \xrightarrow{u} ((p', s'), \delta'_P)$ for some $((p', s'), \delta'_P) \in S_P \times S_S \times (V_P \to D(V_P))$ and $(((p', s'), \delta'_P), (p', \delta'_P)) \in R$, which completes the proof.

ICSOFT 2013 - 8th International Joint Conference on Software Technologies

[Figure 7: Checkout scanner of (Zhou et al., 2006) - A plant with spurious nondeterminism. Left: $P_{\mathrm{orig}}$ with states 1 to 5 and events start, scan, put, reset, cancel, next and pay, where scan, put and reset each label two transitions. Right: the deterministic $P_{\mathrm{det}}$ with states 1, 2, 43 (states 3 and 4 merged) and 5 over the same events, each appearing once.]
We have shown that every state controllable plant is also controllable with respect to condition (6). That the inclusion is strict follows immediately from the counterexample of Figure 6.
Condition (6) additionally implies that the same supervised behavior given by $P \parallel S$ is preserved for every plant $P'$ such that $P' =_U P$, i.e., we have that $P' \parallel S =_U P \parallel S$, which is the basis of the algorithms developed in (Markovski, 2012a). This enables us to detect spurious nondeterministic behavior, for which state controllability cannot be applied in general. We give an example of such nondeterministic behavior from the literature.
In Figure 7, plant $P_{\mathrm{orig}}$ represents a model of a faulty automated scanner that makes a shopping list of items to be purchased by the user. The scanner is faulty as sometimes it does not give an option to cancel a scanned item, e.g., when the user wants to return the product or just wants to check the price, and in that case the scanner needs to be reset. As suggested in (Zhou et al., 2006), the set of uncontrollable events is given by $U = \{\mathit{pay}\}$ as payment cannot be avoided, although we suggest that the event put should also be treated as uncontrollable. The interpretation is that if a scanned product is not canceled, then after a possible timeout it should automatically be placed on the shopping list.
It is easily observed that state 4 is partially bisimulated by state 3 and, thus, state 3 can be safely removed without any loss in behavior (the only situation where state 3 could not be removed arises if the event cancel is uncontrollable, which here is not the case). The resulting deterministic plant $P_{\mathrm{det}}$ reveals that $P_{\mathrm{orig}}$ actually contains no real nondeterministic behavior with respect to controllability. In the original setting of (Zhou et al., 2006), which employs state controllability for nondeterministic discrete-event systems, this observation was not possible and the plant $P_{\mathrm{orig}}$ is treated as nondeterministic.
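The following Python program is an added example, not code from the paper or from any tool it cites. It makes condition (6) and the spurious-nondeterminism check of Figure 7 concrete: it computes the greatest partial bisimulation between two transition systems by iterated removal of violating pairs, builds $T(P \parallel S)$ by synchronizing on the supervisor's alphabet, and decides whether the initial state of the supervised plant is partially bisimulated by the initial state of the plant with respect to the uncontrollable labels. It assumes that variables have already been unfolded into the states (so it works on $T(P)$ and $T(S)$ as plain labeled transition systems) and that the supervisor has an empty updating function, as in Theorem 1. The plant, both supervisors, their alphabets and the uncontrollable set are constructed data chosen to resemble the scanner: after scan the plant nondeterministically reaches a state with a cancel option or one without, which is the counterpart of states 3 and 4 in Figure 7.

```python
"""Controllability via partial bisimulation, condition (6): T(P || S) <=_U T(P).

Added example with constructed data; not the paper's own code.  An LTS is a
dict mapping each state to a set of (label, target) pairs.  Variables are
assumed to be already unfolded into the states, so the dicts are T(P), T(S).
"""
from itertools import product


def partial_bisim(lts_p, lts_q, uncontrollable):
    """Greatest partial bisimulation of lts_p by lts_q w.r.t. `uncontrollable`.

    A pair (p, q) survives iff every step p -a-> p' is simulated by some
    q -a-> q' with (p', q') related, and every uncontrollable step
    q -u-> q' is matched by some p -u-> p' with (p', q') related.
    Start from all pairs and drop violating ones until a fixpoint is reached.
    """
    rel = set(product(lts_p, lts_q))
    changed = True
    while changed:
        changed = False
        for p, q in list(rel):
            simulated = all(
                any(b == a and (p2, q2) in rel for b, q2 in lts_q[q])
                for a, p2 in lts_p[p])
            matched = all(
                any(a == u and (p2, q2) in rel for a, p2 in lts_p[p])
                for u, q2 in lts_q[q] if u in uncontrollable)
            if not (simulated and matched):
                rel.discard((p, q))
                changed = True
    return rel


def sync_product(lts_p, alpha_p, init_p, lts_s, alpha_s, init_s):
    """T(P || S): labels in both alphabets synchronize, the rest interleave.

    A label in alpha_s that the supervisor does not offer in its current
    state is thereby disabled.  Only reachable product states are built.
    """
    prod = {}
    todo = [(init_p, init_s)]
    while todo:
        p, s = todo.pop()
        if (p, s) in prod:
            continue
        moves = set()
        for a, p2 in lts_p[p]:
            if a in alpha_s:            # synchronizing: S must offer a too
                moves |= {(a, (p2, s2)) for b, s2 in lts_s[s] if b == a}
            else:                       # plant-only label
                moves.add((a, (p2, s)))
        for b, s2 in lts_s[s]:
            if b not in alpha_p:        # supervisor-only label
                moves.add((b, (p, s2)))
        prod[(p, s)] = moves
        todo.extend(t for _, t in moves)
    return prod


def is_controllable(lts_p, alpha_p, init_p, lts_s, alpha_s, init_s, uncontrollable):
    """Condition (6) on initial states: ((init_p, init_s), init_p) must lie in
    the greatest partial bisimulation of T(P || S) by T(P) w.r.t. U."""
    prod = sync_product(lts_p, alpha_p, init_p, lts_s, alpha_s, init_s)
    rel = partial_bisim(prod, lts_p, uncontrollable)
    return ((init_p, init_s), init_p) in rel


def spurious_states(lts, uncontrollable):
    """Pairs (p, q), p != q, with p <=_U q inside a single plant: q offers
    everything p does and p matches q's uncontrollable steps, the situation
    in which Figure 7 removes a branch of a nondeterministic choice."""
    return {(p, q) for p, q in partial_bisim(lts, lts, uncontrollable) if p != q}


# Constructed plant (not Figure 7 itself): after `scan` the plant reaches
# state 2 (cancel possible) or state 3 (no cancel) nondeterministically.
PLANT = {
    0: {("start", 1)},
    1: {("scan", 2), ("scan", 3), ("pay", 4)},
    2: {("put", 1), ("cancel", 1)},
    3: {("put", 1)},
    4: set(),
}
ALPHA_P = {"start", "scan", "cancel", "put", "pay"}
UNCONTROLLABLE = {"put", "pay"}          # put and pay, as argued in the text

# Constructed supervisors (lts, alphabet, initial state), each a single state
# with no transitions, so every label in its alphabet is disabled everywhere.
SUP_OK = ({"s0": set()}, {"cancel"}, "s0")   # disables only controllable cancel
SUP_BAD = ({"s0": set()}, {"pay"}, "s0")     # disables uncontrollable pay

if __name__ == "__main__":
    for name, sup in (("SUP_OK", SUP_OK), ("SUP_BAD", SUP_BAD)):
        print(name, is_controllable(PLANT, ALPHA_P, 0, *sup, UNCONTROLLABLE))
    print("p <=_U q with p != q:", spurious_states(PLANT, UNCONTROLLABLE))
```

`SUP_OK` satisfies (6) because it only removes the controllable `cancel`, while `SUP_BAD` fails because plant state 1 can take the uncontrollable `pay` and the product state `(1, "s0")` cannot. Running `spurious_states` on the plant alone reports `(3, 2)`, the analogue of "state 4 is partially bisimulated by state 3" in Figure 7; it also reports the trivial pair `(4, 0)`, since the terminal state has no steps to simulate and the initial state has no uncontrollable steps to match, so a minimization would only act on pairs that are targets of the same nondeterministic choice.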
5 CONCLUDING REMARKS
We defined a notion of controllability for finite au-
tomata with variables based on the behavioral pre-
order termed partial bisimulation. We showed that
the proposed notion of controllability subsumes the
prominent previous notion of state controllability,
which was specifically tailored for nondeterministic
finite automata with variables. Moreover, we showed
that state controllability is not a preorder and that
there exist state-uncontrollable plants for which it is
possible to synthesize viable supervisory controllers.
This situation was remedied by the new definition,
which does not exclude the investigated cases. More-
over, we showed that the proposed setting enables de-
tection of spurious nondeterministic behavior, i.e., it
is possible to eliminate nondeterministic behavior that
does not contribute to the behavior of the supervised
system.
ACKNOWLEDGEMENTS
The work presented in this paper is sup-
ported by Dutch NWO project ProThOS, no.
600.065.120.11N124.
ControllabilityforNondeterministicFiniteAutomatawithVariables
445
REFERENCES
Baeten, J., van Beek, D., van Hulst, A., and Markovski, J.
(2011a). A process algebra for supervisory coordi-
nation. In Proceedings of PACO 2011, volume 60 of
EPTCS, pages 36–55. Open Publishing Association.
Baeten, J. C. M., Basten, T., and Reniers, M. A. (2010).
Process Algebra: Equational Theories of Communi-
cating Processes, volume 50 of Cambridge Tracts in
Theoretical Computer Science. Cambridge University
Press.
Baeten, J. C. M., van Beek, D. A., Luttik, B., Markovski,
J., and Rooda, J. E. (2011b). A process-theoretic ap-
proach to supervisory control theory. In Proceedings
of ACC 2011, pages 4496–4501. IEEE.
Barrett, G. and Lafortune, S. (1998). Bisimulation, the supervisory control problem and strong model matching for finite state machines. Discrete Event Dynamic Systems, 8(4):377–429.
Cassandras, C. and Lafortune, S. (2004). Introduction to
discrete event systems. Kluwer Academic Publishers.
Chen, Y.-L. and Lin, F. (2000). Modeling of discrete event systems using finite state machines with parameters. In Proceedings of CCA 2000, pages 941–946.
Eshuis, R. and Fokkinga, M. M. (2002). Comparing refine-
ments for failure and bisimulation semantics. Funda-
menta Informaticae, 52(4):297–321.
Fabian, M. and Lennartson, B. (1996). On non-
deterministic supervisory control. Proceedings of the
35th IEEE Decision and Control, 2:2213–2218.
Gaudin, B. and Deussen, P. (2007). Supervisory control on concurrent discrete event systems with variables. In Proceedings of ACC 2007, pages 4274–4279.
Glabbeek, R. J. v. (2001). The linear time–branching time
spectrum I. Handbook of Process Algebra, pages 3–
99.
Leveson, N. (1990). The challenge of building process-
control software. IEEE Software, 7(6):55–62.
Ma, C. and Wonham, W. M. (2005). Nonblocking Super-
visory Control of State Tree Structures, volume 317
of Lecture Notes in Control and Information Sciences.
Springer.
Markovski, J. (2012a). Coarsest controllability-preserving
plant minimization. In Proceedings of WODES 2012,
pages 251–258. IFAC.
Markovski, J. (2012b). Communicating processes with data
for supervisory coordination. In Proceedings of FO-
CLASA 2012, volume 91 of EPTCS, pages 97–111.
Open Publishing Association.
Markovski, J., van Beek, D. A., Theunissen, R. J. M., Ja-
cobs, K. G. M., and Rooda, J. E. (2010). A state-based
framework for supervisory control synthesis and ver-
ification. In Proceedings of CDC 2010, pages 3481–
3486. IEEE.
Miremadi, S., Åkesson, K., and Lennartson, B. (2008). Extraction and representation of a supervisor using guards in extended finite automata. In Proceedings of WODES 2008, pages 193–199. IEEE.
Overkamp, A. (1997). Supervisory control using failure se-
mantics and partial specifications. IEEE Transactions
on Automatic Control, 42(4):498–510.
Ramadge, P. J. and Wonham, W. M. (1987). Supervisory
control of a class of discrete-event processes. SIAM
Journal on Control and Optimization, 25(1):206–230.
Rutten, J. J. M. M. (2000). Coalgebra, concurrency, and
control. In Proceedings of WODES 2000, pages 31–
38. Kluwer.
Schiffelers, R. R. H., Theunissen, R. J. M., Beek, D. A. v.,
and Rooda, J. E. (2009). Model-based engineering of
supervisory controllers using CIF. Electronic Com-
munications of the EASST, 21:1–10.
Sköldstam, M., Åkesson, K., and Fabian, M. (2007). Modeling of discrete event systems using finite automata with variables. In Proceedings of CDC 2007, pages 3387–3392. IEEE.
Zhou, C., Kumar, R., and Jiang, S. (2006). Control of non-
deterministic discrete-event systems for bisimulation
equivalence. IEEE Transactions on Automatic Con-
trol, 51(5):754–765.
ICSOFT2013-8thInternationalJointConferenceonSoftwareTechnologies
446