12th IFAC/IEEE Workshop on Discrete Event Systems

Cachan, France. May 14-16, 2014

Generalised Search for the Observer

Property in Discrete Event Systems 1
H. J. Bravo ∗ P. N. Pena ∗∗ A. E. C. da Cunha ∗∗∗
R. Malik ∗∗∗∗ J. E. R. Cury †
∗
Programa de Pós-Graduação em Engenharia Elétrica, Universidade
Federal de Minas Gerais, Brazil (e-mail: hugobravoc@ufmg.br)
∗∗
Departamento de Engenharia Eletrônica, Universidade Federal de
Minas Gerais, Brazil (e-mail:ppena@ufmg.br)
∗∗∗
Seção de Engenharia Elétrica, Instituto Militar de Engenharia,
Brazil (email: carrilho@ime.eb.br)
∗∗∗∗
Department of Computer Science, The University of Waikato,
New Zealand, (e-mail: robi@waikato.ac.nz)
†
Departamento de Automação e Sistemas, Universidade Federal de
Santa Catarina, Brazil (e-mail: cury@das.ufsc.br)

Abstract: This paper proposes a procedure to compute abstractions with the observer
property (OP) for discrete event systems. The procedure is a generalisation of an algorithm
proposed before by the authors, which is based on a quadratic algorithm to test whether a given
projection has the observer property. The new version proposed in this paper supports systems
that have cycles of non-relevant events, thus removing a restriction of the previous version.
Nevertheless, it retains its cubic complexity, which means that the method is asymptotically
faster than other methods proposed in the literature to solve the same problem.

Keywords: Discrete Event Systems, Natural Projections, Observer Property.

1. INTRODUCTION be applied only to systems with no cycles of non-relevant

The Observer Property (OP) is fundamental for the con-
sistency of abstractions of Discrete Event Systems in Su-
pervisory Control Theory (Ramadge and Wonham, 1989),
in particular for hierarchical control (Wong and Wonham,
1996; Hill and Tilbury, 2006; da Cunha and Cury, 2007;
Feng and Wonham, 2008; Schmidt et al., 2008; Schmidt
and Breindl, 2011) and for the verification of the absence
of conflicts in modular control (Hill and Tilbury, 2006;
Flordal and Malik, 2009; Pena et al., 2009).
The problem of searching for abstractions obtained by
natural projections with OP consists of the refinement of a
given system and its natural projection that do not satisfy
the OP until the OP is satisfied for the refined system and
the projection. The refinement can be performed either by
selecting and turning a non-relevant event or particular
transition into relevant. Some approaches that deal with
the search of the OP for projections are (Schmidt and
Moor, 2006; Feng and Wonham, 2010; Pena et al., 2010).
On the other hand, in (Wong and Wonham, 2004), a
similar problem is treated for causal reporter maps (Zhong
and Wonham, 1990).
Particularly, the approach (Pena et al., 2010) proposes a
search algorithm based on the OP-verifier (Pena et al.,
2008), which determines whether or not an abstraction has
the Observer Property. The OP-verifier has a restriction to
1 This work has been supported by the Brazilian agencies CAPES,
FAPEMIG and CNPq. The fifth author is supported in part by CNPq
grant 300953/93-3.
events, and the OP-search algorithm (Pena et al., 2010)
has the same restriction.
Recently, Pena et al. (2014) presented a generalisation of
the OP-verifier algorithm that overcomes the limitation
on the cycles of non-relevant events. As shown in this
paper, the verifier (Pena et al., 2014) does not exhibit
the properties of the verifier (Pena et al., 2008) that were
exploited in the OP-search (Pena et al., 2010). Therefore,
in this paper, we propose a modification of the verifier
(Pena et al., 2014), a structure named hybrid verifier,
which has favourable properties that make it possible to
implement a new OP-search algorithm.
This paper is organised as follows. Section 2 introduces
preliminary concepts necessary to the development of the
paper. Section 3 describes the OP-verifier (Pena et al.,
2014) and some related properties. Section 4 introduces
the hybrid verifier and discusses its properties. Section 5
introduces a new version of the OP-search that exploits
the properties of the hybrid verifier, presents an example
and complexity analysis. The results are summarised in
Section 6.
2. PRELIMINARIES
In this section, some basic concepts of the Supervisory
Control Theory (Ramadge and Wonham, 1989) are revis-
ited. The reader is referred to Cassandras and Lafortune
(2008) for a detailed introduction to the theory.

978-3-902823-61-8/2014 © IFAC 350 10.3182/20140514-3-FR-4046.00079

WODES 2014
Cachan, France. May 14-16, 2014

In this framework, the behaviour of a Discrete Event θ(st0 ) = θ(s)t and st0 ∈ L, then θ(L) has the observer
System is described by strings of events taken from a property (OP).
finite alphabet Σ. The set of all finite strings of events
in Σ, including the empty string ε, is denoted by Σ∗ . A In words, if a projection satisfies the observer property
subset L ⊆ Σ∗ is called a language. The concatenation then the tasks that are performed in the abstracted,
of strings s, u ∈ Σ∗ is written as su. A string s ∈ Σ∗ is i.e., projected, automaton correspond uniquely to marked
called a prefix of t ∈ Σ∗ , written s ≤ t, if there exists strings in the original automaton. The observer property is
u ∈ Σ∗ such that su = t. The prefix-closure L of a also applied to automata: θ(G) is called an OP-abstraction
language L ⊆ Σ∗ is the set of all prefixes of strings in L, if θ(Lm (G)) has the observer property (Pena et al., 2008).
i.e., L = { s ∈ Σ∗ | s ≤ t for some t ∈ L }.
In this paper, finite-state automata are used to represent 3. VERIFICATION OF THE OBSERVER PROPERTY
languages. A (nondeterministic) finite-state automaton is
a tuple G = (Σ, Q, →, Q◦ ), where Σ is the finite set of In this section, the verifier introduced in (Pena et al., 2014)
events, Q is the set of states, →− ⊆ Q × Σ × Q is the is described along with some of its properties and their use
transition relation, and Q◦ ⊆ Q is the set of initial states. in the search of the observer property.
The automaton G is said to be deterministic if |Q◦ | ≤ 1
σ σ
and x → y1 and x → y2 imply that y1 = y2 . 3.1 Constructing the Automaton Gnr
The transition relation is extended to strings over Σ∗ by
ε sσ s
making x → x for every x ∈ Q and x → z if x → y and In order to deal with systems with cycles of non-relevant
σ s s
y → z for some y ∈ Q. Also, x → means x → y for some events, an automaton Gnr is introduced. Let G =
s (Σ, Q, →, Q◦ ) be a deterministic nonblocking automaton,
y ∈ Q and x → y means x → y for some s ∈ Σ∗ . The nr
notation x9y represents that there is no s ∈ Σ∗ such that and let Σ = Σr ∪ Σnr . The relation → ⊆ Q × Q is defined
s s
x → y, and x 9 if there is no y ∈ Q such that x → y.
s as follows:
nr s
The notation can also be used in sets of states or automata x → y ⇐⇒ x → y for some s ∈ Σ∗nr ; (2)
s s
such as: X → Y for X, Y ⊆ Q means that x → y for some nr nr
x ↔ y ⇐⇒ x → y and y → x .
nr
(3)
s ◦ s
x ∈ X and y ∈ Y , and G → means Q →. nr
If x ↔ y, then the states x and y are called strongly
The generated language of G is defined as L(G) = { s ∈ Σnr -connected states. If G does not have two distinct Σnr -
s
Σ∗ | Q◦ → }. To express the marking of strings, the connected states, then it is said to be Σnr -acyclic. Any
alphabet Σ is assumed to contain the special event ω ∈ Σ, set of strongly Σnr -connected states is called a strongly
ω
which may only appear on selfloops, i.e., x → y implies Σnr -connected component (Σnr -SCC) of G.
x = y. The marked states of G are indicated by selfloops
If each Σnr -SCC of G is contracted into a single state,
labelled with the event ω, and the marked language of G
the resulting automaton is a Σnr -acyclic automaton, and
is defined as Lm (G) = { s ∈ (Σ \ {ω})∗ | sω ∈ L(G) }. A
tw is called the strongly Σnr -connected component automa-
state x ∈ Q is accessible if G → x, and co-accessible if x → ton Gnr . Formally, it is the quotient automaton
∗
for some t ∈ Σ . An automaton G is said to be accessible nr
if all states are accessible and nonblocking if all accessible Gnr = G/↔ = (Σ, Qnr , → nr , Q◦nr ) . (4)
states are co-accessible. By construction, Gnr does not have cycles of non-relevant
nr
Let G = (Σ, Q, →, Q◦ ) be an automaton and ∼ ⊆ Q × Q events (except for selfloops), namely, if [x] ↔ [y] then
be an equivalence relation on Q. The quotient automaton [x] = [y]. Also, for y ∈ Q, [y] is a terminal component if,
σ
of G is for all σ ∈ Σnr and all z ∈ Q such that [y] → [z], it is true
that [y] = [z].
e◦ ) ,
G/∼ = (Σ, Q/∼, →/∼, Q (1) Example 2. The strongly connected components automa-
0 σ
ton Gnr constructed from G in Fig. 1 for Σr = {λ, ω} is
such that →/∼ = { ([x], σ, [y]) | x → y 0 for some x0 ∈ [x] shown in Fig. 2. The states 1, 2, and 3 form the Σnr -SCC
and y 0 ∈ [y] } and Q e ◦ = { [x◦ ] | x◦ ∈ Q◦ }. Here, [1] = {1, 2, 3} in Gnr . Also, [0] = {0} and [4] = {4}.
[x] = { x ∈ Q | x ∼ x0 } denotes an equivalence class
of x ∈ Q and Q/∼ = { [x] | x ∈ Q } is the set that includes
all equivalence classes.
In this paper, Σ is partitioned as Σ = Σr ∪Σnr , where Σr is
the set of relevant events and Σnr is the set of non-relevant
events. For Σr ⊆ Σ, the natural projection θ : Σ∗ → Σ∗r Fig. 1. Automaton G.
maps sequences of events in Σ∗ to sequences of events in Σ∗r
by erasing events that are not in Σr . This concept can be
extended to languages by θ(L) = { t ∈ Σ∗r | t = θ(s) for
some s ∈ L }. A property that characterises the natural
projection is presented in the following.
Definition 1. (Wong et al., 2000) Let L ⊆ Σ∗ and θ : Σ∗ →
Σ∗r be the natural projection. If for all s ∈ L and all t ∈ Σ∗r Fig. 2. Automaton Gnr .
such that θ(s)t ∈ θ(L), there exists t0 ∈ Σ∗ such that

351
WODES 2014
Cachan, France. May 14-16, 2014
3.2 OP-verifier
The OP-verifier VG for G (Pena et al., 2014) is a nonde-
terministic automaton defined as follows:
VG = (Σ, QV , → V , Q◦V ) (5)
where
• QV = {P ⊆ Qnr | 1 ≤ |P | ≤ 2} ∪ {⊥} is the set of
states, that includes the subsets of Qnr of cardinality
1 or 2, along with a special state ⊥.
• → V ⊆ QV × Σ × QV is defined as follows:
σ σ
· {[x], [y]} →V {[x0 ], [y 0 ]} if σ ∈ Σr , [x] →nr [x0 ],
σ 0
and [y] →nr [y ];
σ σ
· {[x], [y]} →V {[x0 ], [y]} if σ ∈ Σnr and [x] →nr
0
[x ]; and
σ σ σ {[x]} →1 {[x1 ], [y1 ]} →2 · · · →
· {[x], [y]} →V ⊥ if σ ∈ Σr , [x] →nr , [y] 9nr , and
[y] is terminal.
• Q◦V = {Q◦nr } is the set of initial states of VG .
The set QV of verifier states contains singletons {[x]} and
pairs {[x], [y]} of Σnr -SCCs. Note that pairs consisting of
two identical components are singletons, {[x], [x]} = {[x]}:
this fact is used in the definition of → V .
Example 3. To illustrate VG , consider Gnr as shown in
Fig. 2. The set of relevant events of Gnr is Σr =
{λ, ω}. The OP-verifier contains the following transi-
λ λ λ
tions: {[0]} →V {[1]}, {[1]} →V {[1]}, {[1]} →V {[4]},
λ ω β a nondeterministic automaton (Pena et al., 2010). More
{[1]} →V {[1], [4]}, {[4]} →V {[4]}, {[1]} →V {[1]},
γ β
{[1]} →V {[1]}, {[1], [4]} →V {[1], [4]}, {[1], [4]} →V
λ ω
{[1], [4]}, {[1], [4]} →V ⊥, and {[1], [4]} →V ⊥.
The verifier VG is shown in Fig. 3.
Fig. 3. OP-verifier VG .
The following theorem shows the main result regarding the
OP-verifier VG .
Theorem 4. (Pena et al., 2014) The state ⊥ is accessible
in VG , if and only if θ(G) is not an OP-abstraction.
3.3 Properties of the OP-verifier
We now present some additional properties of VG , fol-
lowing the guidelines in (Pena et al., 2010), in order to
establish some useful results for the search of an OP-
abstraction.
As in (Pena et al., 2010), the set of states QV of VG is
partitioned into the following subsets:
QsV = { {[x], [y]} ∈ QV \ {⊥} | {[x], [y]} 9V ⊥ } , (6)
the set of safe states, that do not reach the state ⊥, and
Qus
V = { {[x], [y]} ∈ QV \ {⊥} | {[x], [y]} →V ⊥} , (7)
the set of unsafe states, that reach the state ⊥. In exam-
ple 3, QsV = {{[4]}} and Qus V = {{[0]}, {[1]}, {[1, 4]}}.
The following propositions present similar results to (Pena
et al., 2010).
Proposition 5. Let {[x]}, {[y]} ∈ QV be two verifier states
σ
such that [x] 6= [y], and let σ ∈ Σ. If {[x]} →V {[y]} then
σ ∈ Σr .
Proposition 5 indicates that, if there is a transition in VG
between two different states with cardinality one, the event
of this transition must be relevant. It can be shown that
this follows from the fact that Qnr is a partition of Q and
from the definition for the evolution of non-relevant events
in the transition function →V .
Proposition 6. If ⊥ is accessible in VG , then there exists a
state x ∈ Q and a path
σ σ σ σn+1
n
{[xn ], [yn ]} −−−→ ⊥ (8)
such that [xi ] 6= [yi ] for i = 1, . . . , n.
Proposition 6 shows that every path to state ⊥ in the veri-
fier must originate from some singleton verifier state {[x]},
and all following verifier states on the path to ⊥ are proper
pairs. The OP-Search algorithm (Pena et al., 2010) uses
these paths to perform modifications of the set of relevant
events and turn an abstraction into OP.
If the start component [x] of the path (8) is a one-
state component, [x] = {x}, then the first event σ1 of
the path must be non-relevant, as otherwise G would be
σ
γ precisely, it holds that x = x1 and x →1 y1 with σ1 ∈ Σnr .
Based on this fact, the OP-Search algorithm (Pena et al.,
σ
2010) chooses such a transition x →1 y1 and replaces
the non-relevant event σ1 on this transition by a new
relevant event. This removes one of the causes that violate
OP. The OP-Search algorithm continues to construct a
new verifier for the modified automaton G, and if OP is
still not satisfied, the procedure starts over and chooses
another transition to replace. In the worst-case, all non-
relevant transitions will be turned into relevant transitions,
so eventually an OP-abstraction will result.
This idea relies on the assumption that the start com-
ponent [x] is a singleton component. The OP-Search al-
gorithm (Pena et al., 2010) is based on the OP-Verifier
(Pena et al., 2008), both of which assume that the input
automaton G is Σnr -acyclic. In this case, all strongly Σnr -
connected components are singletons.
If the start component [x] is not a singleton, the above
idea no longer works. For instance, in VG of Fig. 3, the
paths from {[1]} to ⊥ all start with relevant events.
In the next section, a modification of the verifier VG is
proposed to solve this problem and make the OP-Search
idea applicable to input automata with cycles of non-
relevant events. The idea is to expand some of the verifier
states {[x]} using the original states forming the strongly
connected component [x].
4. THE HYBRID VERIFIER
In this section, given a deterministic nonblocking automa-
ton G, the set of relevant events Σr , and the verifier VG
as in Section 3, we propose a new structure, named hybrid
352
WODES 2014
Cachan, France. May 14-16, 2014

verifier, that can be exploited in the search for the observer Input and Output Transitions. Given an unsafe root state
property in the presence of cycles of non-relevant events. {ui } ∈ Qur
V , we furthermore define the set of input/output
transitions
in/out
→i ⊆ ((QV \ Qur ur
V ) ∪ Ωtotal ) × Σ × ((QV \ QV ) ∪ Ωtotal )
4.1 Constructing the Hybrid Verifier
for σ ∈ Σ, {x, y} ∈ Ωi , {[z], [w]} ∈ QV \ Qur ur
V , {uj } ∈ QV ,
with j 6= i, and {x0 , y 0 } ∈ Ωj as follows:
Unsafe Root States. To construct the hybrid verifier, the
start states of the paths in Proposition 6 are examined σ in/out σ
(i) {[z], [w]} →i {x, y}, if {[z], [w]} →V {ui } and
more closely. Given a verifier VG , the set Qur
V of unsafe either:
root states is defined as follows: σ
• σ ∈ Σr , ∃z 0 ∈ [z] such that z 0 → x and ∃w0 ∈ [w]
Qur
V = { {[x]} ∈ QV \ {⊥} | (9) σ
such that w0 → y; or
{[x]} is the start state of a path (8) } . σ
• σ ∈ Σnr , ∃z 0 ∈ [z] such that z 0 → x and y ∈ [w];
In words, unsafe root states are singleton verifier states σ in/out σ
(ii) {x, y} →i {[z], [w]}, if {ui } →V {[z], [w]} and
that initiate paths composed only of states of cardinality
either:
two that reach the state ⊥. We denote the unsafe root σ
• σ ∈ Σr , ∃z 0 ∈ [z] such that x → z 0 and ∃w0 ∈ [w]
states in Qur
V by {ui } where ui = [xi ] is a Σnr -SCC of G. σ
Thus, the set Qur such that y → w0 ; or
V of unsafe root states can also be written σ
as Qur ur
V = {{u1 }, . . . , {un }} where n = |QV |. In example 3,
• σ ∈ Σnr and ∃z 0 ∈ [z] such that x → z 0 and
there is only one unsafe root state, so that Qur V = {{u1 }}
y ∈ [w];
with u1 = [1]. σ in/out σ σ
(iii) {x, y} →i {x0 , y 0 }, if {ui } →V {uj }, x → x0 , and
σ
Given an unsafe root state {ui } ∈ Qur V , we define the y → y0 .
expansion of {ui } as the following structure: in/out
The transitions → i link expanded states in a set Ωi to
(Ωi , →i ) (10) other states. (i) represents transitions from states {[z], [w]}
where that are not unsafe root states into Ωi , and (ii) represents
transitions from Ωi to states that are not unsafe root
• Ωi = { P ⊆ ui | 1 ≤ |P | ≤ 2 } is a set with elements states. The last case (iii) represents transitions between
of the type {x, y} or {x}, with x, y ∈ ui . the expansions Ωi and Ωj of two different unsafe root
• → i ⊆ Ωi × Σ × Ωi is a transition relation, defined for states {ui } =
6 {uj }. It is justified by Proposition 5, where
{x, y}, {x0 , y 0 } ∈ Ωi and σ ∈ Σ as: transitions in VG that connect states of the form {ui }
σ σ
· {x, y} →i {x0 , y 0 } if σ ∈ Σr , x → x0 such that and {uj } are labelled only by relevant events.
σ
x0 ∈ ui , and y → y 0 such that y 0 ∈ ui ;
σ σ The complete set of input and output transitions for the
· {x, y} →i {x0 , y} if σ ∈ Σnr and x → x0 such that set of unsafe root states Qur
0 V is then:
x ∈ ui . [n
in/out in/out
→ total = →i . (14)
Again, if x = y, then a pair {x, y} ∈ Ωi is simply written i=1
as {x}. For instance, the input and output transitions for the un-
λ in/out
The structure (Ωi , → i ) can be obtained from {ui } ∈ Qur
V safe root state {ui } = {[1]} in example 3 are {[0]} →i
by arbitrarily choosing an element {x, y}, with x, y ∈ ui , λ in/out λ in/out
and applying recursively and exhaustively the definition {1}, {1, 3} →i {[1], [4]}, and {3} →i {[4]}.
of the transition relation → i . In the trivial case, where
Old Transitions. The set of old transitions, defined as
ui = {xi } is one-state Σnr -SCC, the structure (Ωi , → i )
consists of only the state xi . → old = { (A, σ, B) ∈ → V | A ∈ Qur ur
V or B ∈ QV } (15)
consists of all transitions of the verifier VG that are linked
For instance, expansion of the unsafe root state {ui } =
to an unsafe root state in Qur V . These transitions are re-
{[1]} in example 3 gives the set Ωi = {{1}, {2}, {3}, {1, 2}, in/out
λ β moved and replaced by the transitions in → i and → i
{1, 3}, {2, 3}} and the transitions {1} →i {1}, {1} →i to construct the hybrid verifier.
β γ γ
{1, 2}, {1, 2} →i {2}, {1, 2} →i {1, 3}, {2} →i {2, 3},
γ β γ γ
The old transitions for the unsafe root state {ui } = {[1]}
{1, 3} →i {1}, {1, 3} →i {2, 3}, {2, 3} →i {1, 2}, {2, 3} →i λ λ
γ in Example 3 are {[0]} →old {[1]}, {[1]} →old {[1]},
{3} and {3} →i {1, 3}. β γ λ
{[1]} →old {[1]}, {[1]} →old {[1]}, {[1]} →old {[4]} and
Each expansion (Ωi , → i ) corresponds to a unique unsafe λ
{[1]} →old {[1], [4]}.
root state {ui } ∈ Qur V . Moreover, it can be shown that
(Ωi , → i ) forms a Σnr -SCC (Bravo, 2012). Thus, we define Hybrid Verifier. Given the above definitions, the hybrid
a new structure in the following way: verifier is the automaton VH = (Σ, QH , → H , Q◦H ) where:
(Ωtotal , →total ) (11)
• QH = (QV \ QurV ) ∪ Ωtotal ;
where in/out
• → H = (→ V \ → old ) ∪ → total ∪ → total ; and
[n ◦
Ωtotal = Ωi (12) • If QV ∈ ur ◦ ◦
/ QV , then QH = QV , otherwise Q◦H = {Q◦ }.
[ni=1 To build the hybrid verifier VH from VG , G and Σr , the
→ total = →i . (13)
i=1 first step is to identify the set of unsafe root states {ui }

353
WODES 2014
Cachan, France. May 14-16, 2014

of VG . These states are removed and replaced by their Algorithm 1 OP-Search

expansions Ωi . At the same time, the old transition → old
1: Input: G = (Σ, Q, →, Q◦ ) and Σr ⊆ Σ
connected to the unsafe root states are replaced by new
in/out 2: Build VG from G and Σr
transitions from → total and → total . The hybrid verifier 3: while VG →V ⊥ do
may contain states of the type {x, y} and {[w], [z]} at 4: Build VH from VG , G, and Σr
the same time, because only the unsafe root states are 5: Find and select state q ∈ Q and event η ∈ Σnr that
expanded while other verifier states are left unchanged. satisfy proposition 9 for VH
6: Create new relevant event η 0
4.2 Properties of the Hybrid Verifier η
b by changing transition q → η0
7: Build G to q →
8: Make Σ b r ← Σr ∪ {η 0 }
In the following, we present some properties of the hybrid
verifier VH , which will be useful to the search for the OP. 9: Build VbGb from G and Σr
b b
Proposition 7. If Qur
V = ∅, then VH = VG .
10: VG ← VGb
b, G ← G, Σr ← Σr
b b
Proposition 8. State ⊥ is accessible in VH , if and only if 11: end while
θ(G) is not an OP-abstraction. 12: Output: Abstraction G and extended event set Σr

The following proposition lifts the results from Proposi-

tion 6 to the hybrid verifier, making it possible to identify
the causes that lead to violation of the OP as in (Pena
et al., 2010).
Proposition 9. If ⊥ is accessible in VH , then there exists a
state q ∈ Q and a path in VH ,
σ σ σ σn+1
{[q]} →1 {A1 , B1 } →2 · · · →
n
{An , Bn } −−−→ ⊥ (16)
such that σ1 ∈ Σnr and Ai 6= Bi for i = 1, . . . , n.

In (16), the states Ai and Bi are either states of the original

automaton, Ai = xi ∈ Q, or strongly Σnr -connected
nr
components, Ai = [xi ] ∈ Q/→. The main difference
between Propositions 6 and 9 is that the latter ensures
that the first step of the path (16) to ⊥ is a non-relevant
event, so it can be changed to a relevant event as in the
original OP-Search algorithm (Pena et al., 2010).
The proofs of Propositions 7, 8, and 9 are given in (Bravo,
2012).
5. SEARCH OF THE OBSERVER PROPERTY
Following the guidelines in (Pena et al., 2010), we propose
in this section an algorithm that exploits the properties of
the hybrid verifier to obtain an OP-abstraction.
The OP-search algorithm presented in Algorithm 1 follows
the idea of the algorithm in (Pena et al., 2010), but based
on the verifier in (Pena et al., 2014) and exploiting the
properties of the hybrid verifier presented in this paper.
As a consequence, this new OP-search can be applied to
systems that have cycles of non-relevant events.
The following theorem confirms the correctness of Algo-
rithm 1.
Theorem 10. (Bravo, 2012) Let G e and Σ e r be the results
of Algorithm 1 and θe be the natural projection of Σ
e in Σ
er,
then θ(
e G)
e is an OP-abstraction.
5.1 Example
Fig. 4. Hybrid Verifier VH .
the lines of Section 4, we build the hybrid verifier VH shown
in Fig. 4.
By analysing VH we select state 3 of G and event γ
that satisfy the conditions of Proposition 9, defining the
γλλ
path {3} → H ⊥ in VH . We then create the new relevant
event γ1, producing Σb r = {λ, ω, γ1}, and substitute the
γ γ1
transition 3 → 1 by 3 → 1 in G. This results in the new
automaton G b in Fig. 5.
Fig. 5. Automaton G.
b
Following Algorithm 1, we build the verifier VbG b and check
if ⊥ is accessible. It can be shown that ⊥ is still accessible
in VbG
b. In a second iteration, we select state 1 and event
β1
β, creating the transition 1 → 2. In this iteration, the
resulting automaton G, b shown in Fig. 6, with new relevant
events Σr = {λ, ω, γ1, β1}, produces the verifier VbH
b
b shown
in Fig. 7. In this case, ⊥ is no more accessible in VbHb , and
the resulting pair of G e=G b and Σer = Σ
b r is such that the
corresponding abstraction θ( e G)
e is OP.

Consider G, Gnr and VG shown in Figs. 1, 2 and 3. The 5.2 Complexity

set of relevant events is Σr = {λ, ω}, defining the natural
projection θ. As shown in Example 3, VG →V ⊥, and by Algorithm 1 runs in the same complexity as the OP-Search
Theorem 4, θ(G) is not OP. Applying Algorithm 1, we first algorithm (Pena et al., 2010) for automata without cycles
identify that {[1]} is an unsafe root state of VG . Following of non-relevant events. Each iteration of the main loop

354
WODES 2014
Cachan, France. May 14-16, 2014
Fig. 6. Automaton G.
b architecture for discrete-event systems. IEEE Trans.
Fig. 7. Hybrid Verifier VbH
b.
except the last changes one non-relevant transition to a
relevant transition, so there are at most |Q||Σnr | + 1 itera-
tions. Each iteration involves the construction of a hybrid
verifier VH , a search to determine whether the state ⊥ is
accessible and to find an unsafe root state, a modification
of the input automaton G, and the construction of a new
verifier VG . The complexity of these steps is determined
by the number of transitions of the verifiers VG and VH .
In the worst case, the size of both verifiers is determined
by the size of the input automaton G, with the number of
transitions bounded by O(|Q|2 |Σ|) (Pena et al., 2010). This
results in an worst-case time complexity for Algorithm 1
of
O(|Q||Σnr ||Q|2 |Σ|) = O(|Q|3 |Σ|2 ) , (17)
which is the same as the complexity of the OP-Search
algorithm (Pena et al., 2010).
In comparison, the method (Wong and Wonham, 2004),
which computes an optimal reporter map, has a worst-case
time complexity of O(|Q|5 |Σ|), and the algorithm (Feng
and Wonham, 2010), which determines a suitable relevant
event set only by choosing events from the given alphabet,
runs in O(|Q|7 |Σ|2 ).
6. CONCLUSIONS
A modified version of the OP-Search algorithm has been
proposed, which computes abstractions with the observer
property for discrete event systems. The modified algo-
rithm combines results from (Pena et al., 2010, 2014). The
proposed method works by constructing a hybrid verifier
by expanding some of the component states (Pena et al.,
2014) in order to identify transitions that cause violation
of the observer property. Unlike the previous version (Pena
et al., 2010), the proposed method can be applied to auto-
mata with cycles of non-relevant events, while maintaining
the same polynomial complexity class.
REFERENCES
Bravo, H. (2012). Verificação e Busca da Propriedade de
Observador em Sistemas a Eventos Discretos. Master’s
thesis, Instituto Militar de Engenharia, Rio de Janeiro,
Brasil.
Cassandras, C.G. and Lafortune, S. (2008). Introduction
to Discrete Event Systems. Springer, 2 edition.
355
da Cunha, A.E.C. and Cury, J.E.R. (2007). Hierarchical
Supervisory Control Based on Discrete Event Systems
with Flexible Marking. IEEE Trans. Autom. Control,
52(12), 2242–2253.
Feng, L. and Wonham, W.M. (2008). Supervisory control
Autom. Control, 53(6), 1449–1461.
Feng, L. and Wonham, W.M. (2010). On the computation
of natural observers in discrete-event systems. Discrete
Event Dynamic Systems, 20(1), 63–102.
Flordal, H. and Malik, R. (2009). Compositional veri-
fication in supervisory control. SIAM J. Control and
Optimization, 48(3), 1914–1938.
Hill, R.C. and Tilbury, D.M. (2006). Modular Supervisory
Control of Discrete Event Systems with Abstraction
and Incremental Hierarchical Construction. In 8th
International Workshop on Discrete Event Systems,
WODES ’06, 399–406. Ann Arbor, MI, USA.
Pena, P.N., Bravo, H.J., da Cunha, A.E.C., Malik, R.,
Lafortune, S., and Cury, J.E.R. (2014). Verifica-
tion of the Observer Property in discrete event sys-
tems. IEEE Transactions on Automatic Control. doi:
10.1109/TAC.2014.2298985. To appear.
Pena, P.N., Cury, J.E.R., and Lafortune, S. (2008).
Polynomial-Time Verification of the Observer Property
in Abstractions. In Proceedings of the 2008 American
Control Conference, ACC’08, 465–470. Seattle, USA.
Pena, P.N., Cury, J.E.R., and Lafortune, S. (2009). Verifi-
cation of Nonconflict of Supervisors Using Abstractions.
IEEE Trans. Autom. Control, 54(12), 2803–2815.
Pena, P.N., Cury, J.E.R., Malik, R., and Lafortune, S.
(2010). Efficient Computation of Observer Projections
using OP-Verifiers. In 10th International Workshop on
Discrete Event Systems, WODES ’10, 416–421. Berlin,
Germany.
Ramadge, P.J.G. and Wonham, W.M. (1989). The Control
of Discrete Event Systems. Proc. IEEE, 77(1), 81–98.
Schmidt, K. and Moor, T. (2006). Marked-String Ac-
cepting Observers for the Hierarchical and Decentralized
Control of Discrete Event Systems. In 8th International
Workshop on Discrete Event Systems, 2006, 413–418.
Schmidt, K., Moor, T., and Perk, S. (2008). Nonblocking
hierarchical control of decentralized discrete event sys-
tems. IEEE Trans. Autom. Control, 53(10), 2252–2265.
doi:10.1109/TAC.2008.2006817.
Schmidt, K. and Breindl, C. (2011). Maximally Permissive
Hierarchical Control of Decentralized Discrete Event
Systems. IEEE Trans. Autom. Control, 56(4), 723–737.
Wong, K.C., Thistle, J.G., Malhamé, R.P., and Hoang,
H.H. (2000). Supervisory Control of Distributed Sys-
tems: Conflict Resolution. Discrete Event Dynamic
Systems, 10, 131–186.
Wong, K.C. and Wonham, W.M. (1996). Hierarchical
Control of Discrete-Event Systems. Discrete Event
Dynamic Systems, 6(3), 241–273.
Wong, K.C. and Wonham, W.M. (2004). On the Compu-
tation of Observers in Discrete-Event Systems. Discrete
Event Dynamical Systems, 14(1), 55–107.
Zhong, H. and Wonham, W.M. (1990). On the Consistency
of Hierarchical Supervision in Discrete-Event Systems.
IEEE Transactions on Automatic Control, 35(10), 1125–
1134.