Petri Nets

as Discrete Event Models
for Supervisory Control
by Alessandro Giua
A Thesis Submitted to the Graduate Faculty of Rensselaer Polytechnic Institute in
Partial Fulfillment of the Requirement for the Degree of Doctor of Philosophy. Major
Subject: Computer and Systems Engineering.
Rensselaer Polytechnic Institute (Troy, New York)
July 1992
ii
Este, que ves, engaño colorido,
que del arte ostentando los primores,
con falsos silogismos de colores
es cauteloso engaño del sentido.
This coloured counterfeit that thou beholdest,
vainglorious with the excellencies of art,
is, in fallacious syllogisms of colour,
nought but a cunning dupery of sense.
Inundación Castálida, II, 1-4
Juana de Asbaje y Ramírez,
Sor Juana Inés de la Cruz (1651-1695)
Contents
1 INTRODUCTION 1
1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Background and Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2.1 Discrete Event Systems and Models . . . . . . . . . . . . . . . . . . . . 1
1.2.2 Evaluation of Discrete Event Models . . . . . . . . . . . . . . . . . . . 3
1.2.3 Petri Net Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2.4 Supervisory Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3 Objectives of the Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.4 Organization of the Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2 LITERATURE REVIEW 10
2.1 Supervisory Control Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.2 Logical Models for Discrete Event Systems . . . . . . . . . . . . . . . . . . . . 11
2.2.1 Transition Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.2.2 Temporal Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.2.3 Communicating Processes . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.2.4 Controlled Petri Nets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.3 Petri Net Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.4 Incidence Matrix Analysis of Petri Nets . . . . . . . . . . . . . . . . . . . . . . 13
2.5 Synthesis and Reduction of Petri Nets Models . . . . . . . . . . . . . . . . . . . 14
3 BASIC NOTATION 15
3.1 Petri Nets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.1.1 Place/Transition Nets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.1.2 Marked Nets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.2 Formal Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.3 Petri Net Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.4 Supervisory Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
4 ON THE EXISTENCE OF PETRI NET SUPERVISORS 19
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.2 Petri Nets and Blocking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.3 Supervisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
4.4 Existence of Petri Net Supervisors . . . . . . . . . . . . . . . . . . . . . . . . . 22
4.5 Petri Net Languages and Supremal Controllable Sublanguage . . . . . . . . . . . 25
4.6 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
iii
CONTENTS iv
5 SUPERVISORY DESIGN USING PETRI NETS 28
5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
5.2 Monolithic Supervisor Design . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
5.2.1 Design Using Concurrent Composition . . . . . . . . . . . . . . . . . . 32
5.3 Monolithic Design Using Petri Nets . . . . . . . . . . . . . . . . . . . . . . . . 32
5.4 Petri Nets and State Machines . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.5 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
6 INCIDENCE MATRIX ANALYSIS 38
6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
6.2 Incidence Matrix Analysis for State Machines . . . . . . . . . . . . . . . . . . . 39
6.2.1 State Equation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
6.2.2 Defining the Set of Reachable Markings . . . . . . . . . . . . . . . . . . 41
6.3 Composition of State Machines Modules . . . . . . . . . . . . . . . . . . . . . . 44
6.3.1 State Equation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
6.3.2 Defining the Set of Reachable Markings . . . . . . . . . . . . . . . . . . 47
6.4 Supervisory Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
6.4.1 Blocking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
6.4.2 Controllability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
6.5 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
7 GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 56
7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
7.2 GMEC and Monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
7.2.1 Generalized Mutual Exclusion Constraints . . . . . . . . . . . . . . . . 57
7.2.2 Modeling Power of Generalized Mutual Exclusion Constraints . . . . . . 59
7.2.3 Monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
7.2.4 Nets With Uncontrollable Transitions . . . . . . . . . . . . . . . . . . . 65
7.3 Generalized Mutual Exclusion Constraints on Marked Graphs . . . . . . . . . . 66
7.3.1 Marked Graphs with Monitors . . . . . . . . . . . . . . . . . . . . . . . 66
7.3.2 Control Subnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
7.3.3 Control Safe Places . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
7.4 Fully Compiled Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
7.4.1 Model 1: Monitor-based Controller . . . . . . . . . . . . . . . . . . . . 71
7.4.2 Model 2: Compiled Supervisor . . . . . . . . . . . . . . . . . . . . . . . 73
7.5 Partially Compiled Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
7.5.1 Model 3: Non-Deterministic Partially Compiled Supervisor . . . . . . . 75
7.5.2 Model 4: Deterministic Partially Compiled Supervisor . . . . . . . . . . 76
7.6 Comparison of the Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
7.7 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
8 CONCLUSIONS AND FUTURE RESEARCH 79
8.1 Original Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
8.1.1 Petri Net Languages for Supervisory Control . . . . . . . . . . . . . . . 79
8.1.2 Supervisory Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
8.1.3 Validation of Petri Net Supervisors . . . . . . . . . . . . . . . . . . . . . 80
8.1.4 Efficient Construction of Control Structure . . . . . . . . . . . . . . . . 80
8.2 Future Research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
8.2.1 Petri Net Languages for Supervisory Control . . . . . . . . . . . . . . . 81
8.2.2 Supervisory Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
CONTENTS v
8.2.3 Validation of Petri Net Supervisors . . . . . . . . . . . . . . . . . . . . . 82
8.2.4 Efficient Construction of Control Structure . . . . . . . . . . . . . . . . 82
APPENDICES 90
A PETRI NET LANGUAGES 90
A.1 Petri Net Generators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
A.2 Classes of Petri Net Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
A.3 Deterministic Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
A.4 Closure Properties and Relations with Other Classes . . . . . . . . . . . . . . . . 92
A.5 Concurrent Composition and System Structure . . . . . . . . . . . . . . . . . . 93
B AN INTRODUCTION TO SUPERVISORY CONTROL 95
B.1 Discrete Event Systems and Properties . . . . . . . . . . . . . . . . . . . . . . . 95
B.2 Controllable Events and Supervisor . . . . . . . . . . . . . . . . . . . . . . . . 96
B.3 Supervisory Control Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
B.4 Supremal Controllable Sublanguage . . . . . . . . . . . . . . . . . . . . . . . . 101
C NOTATION 103
Acknowledgement
Frank DiCesare has guided me in a spirit of friendship through my Master’s and Ph.D. thesis,
providing learning, encouragement, and support all at once.
Manuel Silva has given me the wonderful opportunity of visiting the University of Zaragoza
and of working with his group. Part of this research has been inspired by him.
Alan A. Desrochers, David R. Musser, and Badrinath Roysam have provided additional guid-
ance as members of my doctoral committee.
The Petri net group meetings at Rensselaer have been a fruitful learning experience. I acknowl-
edge the many discussions with Padma Akella, Tiehua Cao, Xin Chen, Mu-Der Jeng, Jagdish
Joshi, Hauke Jungnitz, Jongwook Kim, Inseon Koh, Doo Yong Lee, Jim Watson, Mengchu Zhou.
I am grateful to the Computer Integrated Manufacturing project of the Center for Manufactur-
ing Productivity and Technology Transfer which has supported the research of this thesis during
the last two years.
The years of my graduate studies have been a period of freedom and carelessness, marking the
transition between youth and maturity. Never will love be more poignant or friends more dear; the
memories will last forever. For this I have to thank Philippe Jeanne, Thanos Tsolkas, Ermanno
Astorino, Antonio De Dominicis, Gloria-Deo Agbasi, Hauke Jungnitz, Giampiero Beroggi and
Penny Spring, Agostino Abbate and Josefina Quiles, Didier Laporte, Elisabetta Bruzzone, Nora
Si-Ahmed, Amitava Maulik, Persefone Vouyoukas, Doo Yong Lee, Josep Tornero, Markus Vincze,
Michael Eppinger, Rolf Münger, Keith Hanna, Alejandro Beascoechea, Markus Hoerler, Carlos
Garcia, Leonardo Lanari, Scott Bieber, Brady Richter, Cristina Gesto, Andreas Glatzl, Jose Neira,
Maria Angeles Salas, Antonio Ramírez, Enrique Teruel, Joaquin Ezpeleta, Bruno Gaujal, and
Rogerio Rodriguez.
vi
Abstract
Discrete event systems represents a new field of control theory of increasing importance in the
domains of manufacturing, communications, and robotics. Supervisory Control theory, based on
formal languages, is a well established framework for the study of discrete event systems.
The thesis discusses the use of Petri nets in Supervisory Control. Place/Transition nets have
been used by several authors to represent discrete event systems. In our approach, the supervisor,
i.e., the control agent that restricts the behavior of a system within a legal behavior, is represented
as a Place/Transition net as well. The advantage of such a supervisor, as opposed to a supervi-
sor given as a feedback function, is that a closed loop model of the controlled system may be
constructed and analyzed using the techniques pertaining to Petri net models.
We show that a Petri net supervisor may not exist if the system’s behavior or the legal behavior
are nonregular Petri net languages. By defining a new class of Petri net languages, called deter-
ministic P-closed, it is possible to derive necessary and sufficient conditions for the existence of
supervisors as nets.
The thesis presents an algorithm, based on the concurrent composition operator, for the design
of Petri net supervisors and discusses how a composed net may be validated. In a first approach,
based on incidence matrix analysis, important properties of the net, such as controllability or such
as the absence of blocking states, may be studied by Integer Programming techniques. In a second
approach, we consider a class of specifications, called generalized mutual exclusion constraints,
and discuss several possible structures for the supervisor capable of enforcing them.
vii
Chapter 1
INTRODUCTION
1.1 Introduction
The object of the study of traditional control theory have been systems of continuous and syn-
chronous discrete variables, modeled by differential or difference equations. However, as the
scope of control theory is being extended into the domains of manufacturing, robotics, computer
and communication networks, and so on, there is an increasing need for different models, capable
of describing systems that evolve in accordance with the abrupt occurrence, at possibly unknown
irregular intervals, of physical events. Such systems, whose states have logical or symbolic, rather
than numerical, values that change in response to events which may also be described in non-
numerical terms, are called discrete event systems (DES) [Ramadge 89b] and the corresponding
models are called discrete event models (DEM) [Inan 88].
These systems require control and coordination to ensure the orderly flow of events. As con-
trolled (or potentially controllable) dynamic systems, DES qualify as a proper subject for control
theory. Hence a twofold issue presents itself: we need a powerful class of DEM, capable of cap-
turing the essential features of discrete, asynchronous and possibly nondeterministic systems, and
a unifying theory for their control.
The goal of the present research is that of applying a Petri net model within the framework
of Supervisory Control, a control theory for DES introduced recently by Ramadge and Wonham
[Ramadge 83, Ramadge 87]. We study how Petri net models may be used to solve supervisory
control problems, i.e, the design of a supervisor capable of restricting the behavior of a system
within a legal behavior.
1.2 Background and Motivation
In this section we rather informally discuss the motivation of this research. We want to show why
Petri nets are a good discrete event model and a powerful tool for Supervisory Control.
1.2.1 Discrete Event Systems and Models
A DES is a dynamic system with a discrete state space and piecewise constant state trajectories
(see Figure 1.1); the time instant at which state transitions occur, as well as the actual transitions,
will in general be unpredictable.
The state transitions of a DES are called events and may be labeled with the elements of some
alphabet Σ. These labels usually indicate the physical phenomenon that caused the change in state.
For example, in a manufacturing environment typical event labels are “machine 1 starts working
on part A”, “machine 1 breaks down”, etc.
1
CHAPTER 1. INTRODUCTION 2
time
t1 t2 t3 t4
x1
x2
x3
x4
a
b
a c
state


Figure 1.1: State trajectories for a Discrete Event System.
Model Classification
The many areas in which DES arise and the different aspects of behavior relevant in each area have
led to the development of a variety of DEM. We have the following classification [Ramadge 86,
Ramadge 89b].
1. Logical DEM, in which a common simplifying assumption is to ignore the times of occur-
rence of the events and consider only the order in which they occur. This simplification is
justified when the model is to be used to study properties of the event dynamics that are
independent of specific timing assumptions.
2. Timed or performance DEM, which are intended for the study of properties explicitly de-
pendent on interevent timing. These models can be further classified as:
a) nonstochastic: if the timing is known a priori;
b) stochastic: if the timing is not known a priori due to random delays or random occur-
rences of events.
Logical Models
The behavior captured in a logical model is the sequences of discrete events or traces that a system
generates [Inan 88]. Let Σ be the set of discrete events labels and let Σ

be the set of all finite
sequences of events in Σ (including the empty trace λ). Thus a possible evolution of the system
may be represented, as in Figure 1.1, by
w = abac . . . ,
where w ∈ Σ

and a, b, c ∈ Σ.
There are two main assumptions here.
1. We are interested in the order in which the events occur but not in the real time at which
they occur;
2. An event is atomic, i.e., it is considered to occur in a single step, even if in the real system
it may be implemented as a sequence of instructions.
CHAPTER 1. INTRODUCTION 3
In a logical model, the behavior of a given system is thus given by a subset language L ⊂ Σ

,
consisting of all the traces (or strings) that the system can generate. In most systems of interest,
L will be an infinite set so that it cannot be given simply by listing all the traces. We will study
systems that allow a logical model.
1.2.2 Evaluation of Discrete Event Models
A great number of logical DEM have been proposed. In order to evaluate and compare their
suitability for control applications, different properties have to be considered [Inan 88].
Descriptive power
The descriptive power of a DEM has different facets. Inan and Varaya [Inan 88] have used the
terms language complexity and algebraic complexity to denote two aspects of the descriptive
power. We will call these two aspects language power and algebraic power. Additionally, we
will consider a third aspect that we call representational power.
A discrete event model must give a means to specify the set of admissible event trajectories.
This may be done using different formalisms.
• A state transition structure is used by automata and net models such as finite state machines,
Petri nets, Büchi automata [Ramadge 89a].
• A set of equations is used by boolean models [Aveyard 74], communicating sequential pro-
cesses [Hoare 85], finitely recursive processes [Inan 88].
• Logical calculus is used in temporal logic models [Pnueli 79].
Two different models may represent the same behavior although they use different formalisms. It
is often the case, however, that some behavior can be easily modeled with one particular formalism
and not so easily modeled with a different one. We call this qualitative aspect representational
power. In the following section, we will compare different models with Petri nets with the aim
of showing that the representational power of Petri nets is fairly large. In fact, Petri nets are not
subject to the representational shortcoming typical of other models.
We have seen that the logical behavior of a system is represented in the model by a language
L ⊂ Σ

. In general, different formalisms generate different classes of languages, i.e., each model
has its own language power. As an example, the class of languages generated by finitely recursive
processes is a superset of Petri net languages that in turn are a superset of regular languages (the
class of languages generated by finite state machines). It is desirable that the language power of
a model be as large as possible, so that the model may be used to represent a large variety of
systems. However, formal language theory shows that the analysis complexity grows with the
language power of a model. The extreme case is that of Turing machines that have the largest
language complexity but whose languages have many undecidable properties.
Complex systems can be regarded as being built out of interacting subsystems. A modeling
formalism will be useful if it contains operators that combine one or more models in ways that
reflect the ways in which systems are connected. In our view of a DEM as a language generator,
these operators, union, intersection, concurrent composition, etc., are defined on languages. The
class of operators related to each model define its algebraic power.
Performance Evaluation
Once we are sure that a model has captured the essential features of a system, we want to use
that model for determining whether the system has the desired properties or whether it is free of
abnormal behavior.
CHAPTER 1. INTRODUCTION 4
This can be done in two steps. Firstly, “translate” the desirable properties of the system into
properties of the model. Secondly, “derive effective algorithmic, analytical, or simulation methods
to verify that the model possesses the desired properties” [Inan 88].
In this last step, the issue of computational complexity is a key concern. For example, the num-
ber of states in a transition structure for specifying the admissible event trajectories may depend
exponentially on some system parameter. In such cases simple algorithms for verification or syn-
thesis, e.g., an exhaustive search over the state space, rapidly become computationally intractable.
Thus one tries to mitigate the complexity by the use of aggregation or modularity, or by exploiting
hierarchical or other special structures.
Control Implementation
The modeling and analysis of systems is only the first step in the study of DES. The final goal
is to modify (by control action) the set of admissible trajectories so that each event trajectory has
the desired properties. A model should then find application in the framework of a control theory.
It should also provide a guide to constructing a controller. At best, this is done by an automatic
compilation of the model into control code; at worst, “ad hoc” solutions must be studied.
1.2.3 Petri Net Models
In this work we study a particular Petri net (PN) model: Place/Transition (P/T) nets. Petri nets
satisfy all the requirements that a good DEM should have [Giua 92a].
1. Descriptive power
Petri nets have great descriptive power. They have been designed specifically to model sys-
tems with interacting components and as such are able to capture many characteristics of
an event driven system, namely concurrency, asynchronous operations, deadlocks, conflicts,
etc. Furthermore, the PN formalism permits description of logical models (P/T nets, Col-
ored PN), timed models (Timed PN) and performance models (Stochastic PN, Generalized
Stochastic PN).
When logical models are considered, classes of languages generated by Petri nets, called
Petri nets languages, may be defined. These classes are supersets of regular languages
and with the introduction of a great number of operators define an algebra. However, PN
languages do not have all the nice closure properties of, say, regular languages.
The basic P/T net cannot model a condition of the form: “Fire transition t if place p is
empty”. Hence a P/T Petri net cannot simulate a register machine which in turn is equiv-
alent to a Turing machine [Ichikawa 88a]. It is possible to extend the formalism with the
introduction of inhibitory arcs, i.e., arcs from places to transitions that prevent the firing of
a transition if the input place is marked. However we note that the descriptive power of P/T
nets is large enough for most common applications, and often even more restricted models
are considered, such as conservative PN.
Conservative PN are essentially equivalent to finite state machines, since the number of
reachable markings (i.e., the number of ’states’ of the model) is finite. However, they still
make use of the full representational power of Petri nets. In fact, since the states of a
PN are represented by the possible markings and not by the places, they allow a compact
description, i.e., the structure of the net may be maintained small in size even if the number
of the markings grows.
2. Performance Evaluation
The desired properties of a system map fairly well into properties of the corresponding Petri
CHAPTER 1. INTRODUCTION 5
net model. Many algorithms, with a well developed mathematical and practical foundation,
have been developed to study these properties.
The analysis techniques for Petri nets may be divided into the following groups (see [Silva 85]).
• Analysis by enumeration. It requires the construction of the reachability tree repre-
senting the set of reachable markings and transition firings. If this set is not finite, a
finite coverability tree may be constructed.
• Analysis by transformation. A net N
1
is transformed, according to particular rules,
into a net N
2
while maintaining the properties of interest. The analysis of the net N
2
is assumed to be simpler than the analysis of the net N
1
. Examples of this analysis
technique are reduction methods, that permit the simplification of the structure of a
net.
• Structural analysis. It permits the demonstration of several properties almost indepen-
dently of the initial marking. Structural analysis may be based on the study of the state
equation of the net or on the study of the net graph.
• Simulation analysis. It is useful for timed nets and to study the behavior of nets that
interact with an external environment.
Petri nets also represent a hierarchical modeling tool and allow reduction of the compu-
tational complexity of analysis by exploiting modular synthesis. With modular synthesis,
complex systems may be constructed by aggregation of simpler modules while preserving
the properties of interest.
3. Control Implementation
Petri nets languages offer a simple means of applying control-theoretical ideas and in this
thesis we will show that they are consistent with Supervisory Control theory.
Petri net based controllers may be implemented in both hardware and software. Programmable
Logic Controllers [Silva 89b, Silva 83] and Petri-net like languages [Murata 86] have been
used in different applications.
In [Crockett 87, Kasturia 88] a Petri net interpreter is implemented using a mixture of ap-
plication dependent and independent code. However, it is necessary to point out that there
exists no general technique for compiling a Petri net description into a control system.
It may be worth comparing the representational power of PN with that of other models for
concurrent systems [Best 91]. It is possible to partition the current approaches into: a) models in
which the basic notion is that of state, such as state machines; b) models in which the basic notion
is that of action, such as interleaving models. Petri nets show more flexibility in this respect, since
states and actions are treated on equal footing and both step and interleaving semantics can be
defined on Petri nets [Best 91].
In the next example, we will see that Petri nets give a very compact description of systems
which, due to concurrent behavior, have a large state space.
Example 1.1. Suppose we have a cyclic process where five jobs may be in four different stages.
In Figure 1.2 we have a Petri net where each token represents a job and each place represents a
different stage. Although the number of reachable markings is 56, the PN model is very simple
compared to a state machine model where we need to explicitly represent all states.
Models based on actions do not suffer from this state space explosion, since they do not re-
quire the explicit enumeration of all the states. As an example, an interleaving model of the
system considered in this example may be described as follows. Let L
1
be the behavior of the
cyclic process with a single job, i.e., a single token. Then possible evolutions of the system are:
CHAPTER 1. INTRODUCTION 6
Figure 1.2: Petri net in Example 1.1.
Figure 1.3: Petri net in Example 1.2.
λ, t
1
, t
1
t
2
, t
1
t
2
t
3
, . . ., i.e., L
1
= (t
1
t
2
t
3
t
4
)

; here the bar stands for the prefix operator and ∗
is the Kleene star operator. Then the behavior of the process when five jobs are been processed
concurrently is given by
L
5
= L
1
| L
1
| L
1
| L
1
| L
1
,
where | is the concurrent composition operator.
The shortcoming of models based on actions lies in the cumbersome way in which specifica-
tions involving counters and semaphores are modeled.
Example 1.2. Consider the Petri net in Figure 1.3. Here we have two sequences (t
2
t
1
) and (t
3
t
4
)
that can be run up to a total of n times, n being the number of tokens in p
3
. Using an interleaving
model to represent this process is awkward: we have to explicitly specify all concurrent firing
sequences. In fact, for n = 1 the behavior is
L
1
= t
2
t
1
+t
3
t
4
.
For n = 2 we have
L
2
= (t
2
t
1
)
2
+ (t
2
t
1
) | (t
3
t
4
) + (t
3
t
4
)
2
.
For a generic n
L
n
= (t
2
t
1
)
n
+ (t
2
t
1
)
n−1
| (t
3
t
4
) +. . . (t
2
t
1
) | (t
3
t
4
)
n−1
+ (t
3
t
4
)
n
.
CHAPTER 1. INTRODUCTION 7
1.2.4 Supervisory Control
Ramadge and Wonham provide a unifying framework for the control of discrete event systems
[Ramadge 89b], and so far their Supervisory Control Theory is the most general and comprehen-
sive theory presented for logical DES. An introduction to the theory is presented in Appendix B.
Here we simply discuss those aspects of Supervisory Control that have motivated this research.
We may distinguish three different areas of interest in the supervisory control approach.
1. The formal language level is concerned with theoretical issues. Qualitative properties of
DES, such as stability [Brave 90], controllability [Ramadge 87], observability [Cieslak 91,
Özveren 90], nonblockingness [Ramadge 87], etc., are defined from a very general perspec-
tive as properties of languages. This “abstract” perspective has made possible the creation
of a model-independent theory.
At this level, new language operators, that will play a central role in solving the control
problem, are also defined. Examples of these operators are the supremal controllable sub-
language (SCS) [Wonham 87], infimal controllable superlanguage (ICS) [Lafortune 90a],
etc. The closure properties of different classes of languages under these operators are also
discussed. The class of regular languages is closed under the SCS and ICS operators, as
shown by Ramadge and Wonham [Wonham 87], and Lafortune and Chen [Lafortune 90a].
No results have been published on Petri net languages.
Finally, language theory provides a rigorous formalism for proving important theorems on
the existence of supervisors. The existence of finite state supervisors have been discussed
by Ramadge and Wonhan [Wonham 87] and Ushio [Ushio 90]. Some results on Petri net
supervisors with inhibitory arcs have been presented by Sreenivas and Krogh [Sreenivas 92].
2. The system level deals with the concept of DES, seen as a language generator over an al-
phabet of events Σ. One the most important features is the partition of Σ into two disjoints
sets: the set of controllable events Σ
c
, and the set of uncontrollable events Σ
u
. The uncon-
trollable events are those which cannot be disabled by a control action.
The basic control problem is the following. We are given a DES G generating the language
L(G) and a specification, i.e., a legal language L. We want to restrict the behavior of the
system, by disabling only controllable transitions, within the limits of the legal language.
The control structure that restricts the behavior of the system is called a supervisor. The
supervisor receives as input the sequence of events generated by G and determines a control
input that specifies which events are to be disabled in G. If we consider the system G as
the plant (or the object to be controlled) and the supervisor as the controlling agent, it is
often possible to realize a supervisor simply as another DES S. S and G are supposed to
run in parallel and the closed loop structure is again a DES, denoted by S/G, the action of
S on G. It has been noted [Cieslak 91] that this approach allows us to evaluate and compare
the effect of different control policies on the behavior of the uncontrolled system, since
open loop plant and controller are treated separately; previous approaches require a separate
model for each control policy and only permit models of closed loop systems.
Design algorithms have been devised to compute the control structure of a supervisor for a
given control problem, given the knowledge of the system and of the specification. These
algorithms are based on language operators, thus they are model independent.
3. At the model level a particular model is chosen to describe the physical device to be con-
trolled. In classical control theory there exist different models for, say, linear systems, such
as transfer function, state variables, matrix-fraction description, polynomial matrix descrip-
tion, etc., all capable of describing systems whose behavior is defined by a differential linear
CHAPTER 1. INTRODUCTION 8
equation. In the case of a discrete event system, the behavior is defined as a formal language;
hence the models used are language generators.
In Section 1.2.2, we have already discussed the good properties that a discrete event model
should feature.
1.3 Objectives of the Thesis
Supervisory Control is so far the most complete theory for the control of DES. It has a sound
mathematical foundation, based on formal languages; it provides exact algorithms to design a
supervisor for large classes of control problems; it captures the physical constraints the controller
must satisfy, since it assume that only a subset of the events is controllable; it is sufficiently general
to be applied to different models.
Another issue of paramount importance is the complexity involved in solving a control prob-
lem. Here the choice of one model rather than another one is a key factor that may drastically
affect the class of problems that can be solved.
Firstly, since the language power of each model is limited, there may exist systems whose
behavior may not be expressed with a given model. It is often assumed that physical systems have
a finite state space. However there are cases where it may be necessary to use a model such as
Petri nets, with a possibly infinite number of states.
Secondly, the representational power of a model may not be specifically tailored to represent a
given system’s behavior. The exponential growth of the state space of a model with the number of
interconnected modules is a well known blight in the study of concurrent systems which makes the
use of simple models, such as finite state machines, impracticable. We have seen, in the previous
discussion, that Petri nets reduce this complexity by means of its representation power. Thus Petri
nets may potentially be viewed as an effective means to realize supervisory controllers, allowed
by language theory but in practice until now unattainable because of the state space explosion
problem.
Thirdly, each model has its own tool-set of design and analysis techniques, which may be used
more or less efficiently for the solution of a control problem. Petri nets provide a compact represen-
tation of systems, but a brute force analysis of the model may often require the exhaustive search
of the reachability tree, thus making its computational complexity exponential as well. There are
ways to mitigate the complexity involved in the analysis of the model by using techniques that
are primarily based on the structure of a net rather than on its behavior. Examples of these tech-
niques are incidence matrix analysis and modular synthesis. Although these techniques have been
extensively investigated in the Petri net literature, so far they have been used in the context of
Supervisory Control only by Holloway and Krogh [Holloway 90, Krogh 91, Holloway 92a].
We are finally ready to state the goal of this research: “Investigate the use of Petri nets models
within the framework of Supervisory Control.”
The fulfillment of this goal requires several steps.
1. At the formal language level, we need to study Petri net languages in the context of Super-
visory Control. This will allow us to characterize the class of control problems that may
be solved by Petri net models, i.e., the class of problems for which a Petri net supervisor
exists. In particular, we need to consider the closure properties of Petri net languages under
the operators used in Supervisory Control theory.
2. At the discrete event system level, we need to study the counterpart on a Petri net structure
of the linguistic operators required in the design of a supervisor. Wonham has proposed
an algorithm which uses three different operators: shuffle, selfloop and intersection. We
propose an alternative design that requires only one operator: concurrent composition. The
CHAPTER 1. INTRODUCTION 9
counterpart of this operator on the net structure can be easily defined and preserves the
modularity of the overall system.
It is often the case that once the coarse structure of a supervisor has been obtained, by
concurrent composition of the system and specification modules, we need to refine the net,
to avoid reaching a set of undesirable markings. We need to derive refinement procedures
which preserve the modular structure of the net in this step as well.
3. At the model level, we need to make full use of the Petri net analysis techniques to efficiently
validate a Petri net supervisor, i.e., to prove that the supervisor has the desired properties.
We will explore two different techniques. The first one is based on incidence matrix analysis,
in which the reachability set of a marked net is represented by the integer solutions of a set
of linear inequalities. Classic incidence matrix analysis is based on the solution of the state
equation of a net. This approach, however, has been shown useless [Colom 89] in determin-
ing some properties of net systems such as the existence of home markings, i.e., markings
that may be reached by any marking in the reachability set of a Petri net. Determining the
existence of home markings is a problem essentially equivalent to that of determining if a
net is nonblocking, which is an important property of discrete event systems. Thus, we need
to modify this approach in order to be able to use this analysis technique in the context of
Supervisory Control.
A second area of our research is the use of modular synthesis techniques for nets with
uncontrollable transitions, i.e., transitions that may not be prevented from firing by a control
agent. We will explore a class of specification, called mutual exclusion constraints, that
have also been considered in [Krogh 91]. Our aim is that of efficiently deriving a Petri net
structure for a supervisor for this class of problems.
1.4 Organization of the Thesis
This chapter has introduced the topic of the thesis and stated the objectives of research.
Chapter 2 discusses in depth the literature relevant to the present research.
Chapter 3 introduces the basic notation on Petri nets, formal languages and Supervisory Con-
trol.
Chapter 4 discusses the use of Petri nets in the framework of Supervisory Control. Firstly,
it is shown that the trimming of an unbounded Petri net is not always possible; this leads to the
definition of a class of Petri net languages, that may be generated by nonblocking generators.
Secondly, necessary and sufficient conditions for the existence of a Petri net supervisor under
the hypothesis that the system’s behavior and the legal behavior are both Petri net languages are
derived. Finally, by means of an example, it is shown that Petri net languages are not closed under
the supremal controllable sublanguage operator.
Chapter 5 shows how Petri nets may be used to design a supervisor. The design requires two
steps. In the first step, a coarse structure for a supervisor is synthesized by means of concurrent
composition of different modules. In the second step, the structure is refined to avoid reaching
forbidden markings. We show that for conservative Petri nets there exists a standard refinement
procedure that only requires introducing new arcs and possibly duplicating some transitions, i.e.,
no new places are introduced. In both steps, the use of Petri nets allows us to keep the structure of
the model ‘small’.
Chapter 6 discusses how incidence matrix analysis for Petri net models may be used to validate
supervisors. A new class of P/T nets, called Elementary Composed State Machine nets, is defined.
The reachability problem for this class can be solved by incidence matrix analysis. In fact it is
possible to derive a set of linear inequalities that exactly defines the set of reachable markings.
CHAPTER 1. INTRODUCTION 10
Thus, important properties of discrete event systems, such as the absence of blocking states or
controllability, may be analyzed by Integer Programming techniques.
Chapter 7 defines a class of specifications, called generalized mutual exclusion constraints, for
discrete event systems modeled using P/T nets. These specifications may be easily enforced on a
net systemwhere all transitions are controllable, by a set of places called monitors. However, when
some of the transitions of the net are uncontrollable this technique is not always applicable. For
some classes of nets, we prove that mutual exclusion constraints may always be enforced by mon-
itors, even in the presence of uncontrollable transitions. For one of these classes, marked graphs
with control safe places, we compare a monitor-based solution of mutual exclusion problems with
several supervisory based solutions.
Chapter 8 concludes the thesis with a discussion of the original contributions and listing pos-
sible further directions of research.
Appendix A reviews some basic concepts of formal languages and Petri net languages.
Appendix B is a short introduction to Supervisory Control and supervisory design techniques.
Appendix C is a glossary of the notation used in the thesis.
Chapter 2
LITERATURE REVIEW
The literature of interest to this research covers different topics. Firstly, we reviewthe work done in
Supervisory Control. This provides the theoretical basis of our research. Secondly, it is interesting
to compare PN with other logical models that have been used in Supervisory Control. Thirdly,
since our approach is based on formal languages, we review the work on Petri net languages.
Finally, we consider the efficient validation of PN models, using techniques based on incidence
matrix analysis, reduction rules, and synthesis operators.
2.1 Supervisory Control Theory
The supervisory theory by Ramadge and Wonham is so far the most comprehensive theory for
the control of discrete event systems. It is based on the concept of a supervisor [Ramadge 83,
Ramadge 87], i.e., an agent that is capable of disabling the controllable transitions of a DES in
response to the traces of events generated. The Supervisory Control Problem (SCP) consists in
designing a supervisor which restricts the traces generated by the system within a legal behavior.
If the legal behavior is a controllable language [Wonham 87] a supervisor exists. If the legal
behavior is not controllable, we have to further restrict the system’s behavior to the supremal
controllable sublanguage for which a supervisor exists. The authors prove in these seminal papers
that the supremal controllable sublanguage always exists (but may be the empty language), and in
the regular case may be determined with a finite procedure.
In [Lafortune 90a] a new control problem is studied: the Supervisory Control Problem with
Blocking (SCPB). Here it is assumed that in some cases the solution to the SCP (supremal control-
lable sublanguage) may be too conservative. A dual concept is defined — the infimal controllable
superlanguage — and is used to determine a supervisor that may also permit blocking in order
to achieve a larger behavior. In [Lafortune 90a] Lafortune and Chen introduce two performance
measures (in terms of satisficing and blocking), and techniques to improve each of these two con-
flicting measures. An extension of this work is [Lafortune 91] where the Supervisory Control
Problem with Tolerance (SCPT) is defined. Given a desired and tolerated behavior, the problem
is that of designing a controller such that the controlled system never goes beyond the tolerated
behavior and achieves as much as possible of the desired behavior. Under very general hypotheses
on desired and tolerated behavior, Lafortune and Lin show that a solution to SCPT exists and is
unique, but may be blocking. A non blocking solution exists but is not necessarily unique.
In [Cieslak 91] Cieslak et al., discuss and solve the Supervisory Control and Observation
Problem (SCOP) and the Decentralized Supervisory Control Problem (DSCP). In SCOP the as-
sumption is that a mask is present between the controlled system and supervisor, so that the super-
visor cannot observe all the transitions, or cannot distinguish between some of them. In DSCP it
is assumed that the control action is enforced by local supervisors that control only subsystems. In
11
CHAPTER 2. LITERATURE REVIEW 12
[Lin 88, Lin 90] Lin and Wonham discuss the Decentralized SCOP (DSCOP) where both partial
observations and decentralized control are incorporated into the control structure. However, the
only mask operator considered in this paper is the language projection operator.
In [Brave 90] Brave and Heymann define stabilization as the ability of a discrete event process
to reach a set of target states from an arbitrary initial state and then remain there indefinitely. A
slightly different problem that the authors examine is recovery under control failure. In both cases
they present design algorithms for controllers that improve the stabilization of processes.
In [Ushio 90] Ushio discusses the conditions under which a finite state supervisor (FSS) may
be constructed to solve a SCP. From [Ramadge 87] it was known that a FSS exists when both
system’s behavior and specification language are regular. Here the author derives necessary and
sufficient conditions for the general case.
The case of the infinite state supervisor is discussed by Sreenivas and Krogh [Sreenivas 92].
They use Petri nets with inhibitory arcs (PNIA), which are known to have a modeling power
equivalent to Turing machines, to describe infinite state systems. Thus, they prove that a PNIA
supervisor exists if the system’s and specification behaviors are Turing computable languages.
However, important properties, such as determining if the behavior of a PNIA is controllable, are
undecidable.
In [Ramadge 86, Wonham 88b] a modular approach to the design of supervisors is consid-
ered. The specification language is composed of different specifications, each enforced by a single
supervisor. A global control law can be enforced by the conjunction of all the supervisors. Unfor-
tunately in the general case the resulting system may be blocking. When the languages controlled
by each supervisor are non-conflicting, however, the non-blocking condition is assured as well.
In [Ramadge 89b, Tadmor 89, Tsitsiklis 87] different problems of computation and the re-
lated issue of computational complexity are considered. A review of the theory is presented in
[Ramadge 88, Ramadge 89b, Wonham 88a].
2.2 Logical Models for Discrete Event Systems
Numerous approaches to the modeling of discrete event systems have appeared in the literature.
2.2.1 Transition Models
Aveyard [Aveyard 74] presents a Boolean matrix equation model for a class of DES in which
the state change associated with each event occurrence is deterministic, and in which all units or
entities are permanent. The model, one of the first to be presented, permits checking of simple
properties such as whether the system is deterministic and if it will hang or cycle.
Ramadge [Ramadge 89a] introduces Büchi automata in the modeling of DES. The model is
used to extend the concept of controllable language to non-finite strings and to derive conditions
for the existence of a supervisor to implement a prescribed closed-loop behavior. Several inter-
esting control synthesis problems have a computationally tractable solution when Büchi automata
models are used.
2.2.2 Temporal Logic
Hailpern and Owicki [Hailpern 83] use temporal logic (a formalismintroduced by Pnueli [Pnueli 79]
for formalizing the semantics of concurrent programs) to model computer communication proto-
cols. The model is used for the modular verification of safety and liveness for parallel processes.
The temporal logic formalism is applied by Ostroff and Wonham [Ostroff 90b, Ostroff 90a]
to the control of real-time discrete event systems. Temporal logic is a useful tool in the formal-
CHAPTER 2. LITERATURE REVIEW 13
ization of the control problem. However the validation of the model is based on theorem proving
techniques and is difficult to perform.
2.2.3 Communicating Processes
Milne and Milner [Milne 79] define concurrent processes by means of a net algebra and define a
minimal set of operations for composing processes. The final result of this research is presented
in [Milner 80], where the Calculus of Communicating Systems (CCS) is introduced. CCS is one
of the standard models for concurrent systems on which recent and on-going research is focused.
In [De Cindio 83] De Cindio et al. compare CCS with Petri nets. They prove that CCS defines a
class of concurrent systems composed of interacting sequential automata. In fact the CCS models
are isomorphic to a subclass of Petri nets, Superposed Automata Nets defined in [De Cindio 82].
Inan and Varaiya [Inan 88] present a class of discrete event models called finitely recur-
sive processes whose formal structure is based on Hoare’s communicating sequential processes
[Hoare 85]. The descriptive power of the model and its use in performance evaluation is also in-
vestigated. The authors prove that their formalism can easily model any Petri net. However the
proof is limited to ordinary Petri nets: when the multiplicity of the arcs is greater than one, the
complexity of the finitely recursive process grows and nondeterminism needs to be introduced.
2.2.4 Controlled Petri Nets
Several authors have used a particular Petri net model, called controlled Petri nets, within the
framework of Supervisory Control. Controlled PN have been introduced by Ichikawa and Hi-
raishi [Ichikawa 88a] to study the input-output behavior of discrete event models. This model is
a standard PN with the addition of external input places, whose marking is given by an external
function. It is furthermore assumed that only the marking of a set of so called external output
places may be observed. In the paper, Ichikawa and Hiraishi restrict the firing policy on the net to
be decision-free, i.e., all enabled transitions should fire simultaneously. Under these hypotheses
the modeling power of the net is increased by the capability of detecting whether a place is empty;
they can prove that this model is equivalent to Turing machines.
Krogh [Krogh 87] applies controlled PN to Supervisory Control. He assumes that each tran-
sition is associated to at most one external input place and studies how the behavior of the net
can be restricted within a certain behavior by a particular marking function for the external input
places, i.e., a particular control law. This control law is implementing a state feedback rather than
a trace feedback, i.e., it is a function of the actual marking of the system rather than a function of
the string of events generated by the system. The author defines the control law that generates the
supremal controllable sublanguage as the maximally permissible feedback. He also notices that
the maximally permissible feedback may not be unique because of the particular firing policy that
permits the simultaneous firing of enabled transitions.
Ushio and Matsumoto [Ushio 88] derive necessary and sufficient conditions for the uniqueness
of the maximally permissible feedback on controlled PN. In a subsequent paper [Ushio 89], Ushio
also derives necessary and sufficient conditions for the existence of a control law that satisfies a
given specification.
Holloway and Krogh [Holloway 90, Krogh 91] show that, for restricted classes of nets and
restricted specifications, the control problem may be solved with great computational efficiency
by analysis of the net structure. The class of controlled Petri nets considered is cyclic marked
graphs and the admissible specifications consist of forbidden markings that simultaneously assign
tokens to one or more set of places. Although these restrictions are certainly heavy, the authors
show an interesting manufacturing example that requires the coordination of automated guidance
vehicles. Liveness properties under control are discussed in [Holloway 92a].
CHAPTER 2. LITERATURE REVIEW 14
The main characteristic of the controlled PN approach to supervisory control is the fact that
no transition structure for a controller is given. The control law is a function of the actual marking
of the net, but need to be computed at each step, whereas if a transition structure is given for a
supervisor, a closed-loop model can be constructed and analyzed to ensure that it has the desired
properties.
2.3 Petri Net Languages
Baker [Baker 72] is one of the first to introduce the basic idea of associating a language with a Petri
net and using this language to describe the behavior of the net. In his Master’s thesis [Baker 73],
Petri nets are considered in the context of formal language theory, and their prefix language is
studied.
In Hack [Hack 75a, Hack 75b], two basic language classes are distinguished: the prefix lan-
guage and the marked language. Different languages which result fromdifferent types of transition
labeling are also considered. For each of these classes, simple closure properties, characterizations
and decidability problems (e.g., for membership, emptiness, and finiteness) are obtained.
A survey and tutorial on Petri net languages is presented in [Peterson 81] Chapter 6. Here
the definition and classification of these languages is given; the closure properties of Petri net
languages under several form of composition (union, intersection, concatenation, concurrency,
and substitution) and under some operations (reversal, complement, and indefinite concatenation)
are examined; the relationship between Petri net languages and other classes of formal languages
are investigated.
Another comprehensive tutorial on Petri net languages is a paper by Jantzen [Jantzen 87].
Closure properties and relationship among the different classes of Petri net languages are reported
with additional results, not presented by Peterson.
Parigot and Peltz [Parigot 86] have characterized PN languages in terms of logical formalism.
The language power of Petri nets is shown to be greater than that of finite automata as a result
of the additional ability of Petri nets to test if a string of parentheses is well formed. The logical
formalism may be used to prove that a given language is a Petri net language and to construct a
Petri net having a given finite behavior. Peltz [Peltz 86] has also extended the study to the infinite
sequential behavior of Petri nets.
2.4 Incidence Matrix Analysis of Petri Nets
Incidence matrix and related analysis techniques are used by several authors to validate properties
of P/T nets.
Colom [Colom 89] develops a methodology for the verification of assertions on P/T nets in
terms of markings and firing count vectors. This approach is extremely general, i.e., can be applied
to any P/T net but, unfortunately, can only guarantee necessary or sufficient conditions. There
exists assertions, such as determining if a marking is a home state, for which neither a necessary
nor a sufficient condition can be given. Within this framework, Silva and Colom [Silva 89a] give
algorithms to efficiently compute the structural synchronic invariants of P/T nets.
Berthomieu [Berthomieu 87] uses the set of linear equations given by the P-semiflows to rep-
resent the space of reachable markings. In this case, only properties that depend on the markings
can be proved. However, the author also shows that it is possible to prove some properties that
depend on the firing count vector by adding to the net new places whose marking indicates the
number of times a given transition has fired.
Johnen [Johnen 87] uses an hybrid approach, based partly on incidence matrix analysis and
partly on the analysis of the state space, to verify that a given marking is a home state.
CHAPTER 2. LITERATURE REVIEW 15
Ichikawa and Hiraishi study under which conditions a firing count vector σ, satisfying the state
equation of a Petri net, yields a firing sequence. In [Ichikawa 88b], as reported in [Murata 89], they
prove that in acyclic nets, σ always yields a firing sequence. In [Ichikawa 88a, Murata 89] other
classes of nets, such as trap-circuit nets, trap-containing-circuit nets, etc., are considered. For these
classes, there exist necessary and sufficient conditions, based on the analysis of the firing subnet,
to determine if σ gives a firing sequence. Murata also discusses reachability in marked graphs in
[Murata 77].
Avrunin et al. [Avrunin 91] use a formalism similar to Petri net incidence matrix analysis for
verifying properties of concurrent systems described as finite state automata.
2.5 Synthesis and Reduction of Petri Nets Models
In the synthesis of Petri net models there are two main approaches: bottom-up and top-down. Fol-
lowing the first approach a complete net is constructed combining subnets under given operators;
in the second approach, transition and places in a net can be replaced by a more detailed subnet.
In both cases the synthesis rules are such as to preserve some properties of the original modules.
A complementary approach is that of defining reduction rules that preserve the properties of
interest, while simplifying the structure of the net to make analysis easier.
Berthelot [Berthelot 86, Berthelot 87] has presented several reduction rules. In [Berthelot 86]
he also discusses the composition of nets by common transitions as a complementary technique to
the reduction methods. The classes of reduction rules include: place transformations, that reduce
the net structure by eliminating redundant places but do not modify the state space; transition
transformations, which by fusing transitions reduce both structure and state space of the net. The
properties preserved by these transformations are: covering with P-semiflows (i.e., conservative-
ness), proper termination, home states and liveness. The author also proves that there are classes
of nets to which these transformations can be repeatedly applied to reduce the net to a single tran-
sition. Two such classes are: live and bounded marked graphs (a structural class); live, bounded,
and persistent nets (a behavioral class).
Best and Fernández [Best 86] define the notion of S-net, a net in which each transition has at
most one input place and one output place. An S-decomposition is a partition of a net into S-net
components.
Hack [Hack 72, Hack 74] studies the composition of state machines, defining a state machine
decomposable net as a net constructed by composition of strongly connected state machines along
common transitions.
The class of nets obtained by composition of state machine modules is named Superposed
Automata Nets by De Cindio, et al. [De Cindio 82].
Narahari and Viswanadham [Narahari 85] define a union operator
1
for pure Petri nets, i.e., PN
with no selflooping transitions. Two theorems are presented, stating that the P-semiflows and/or
the T-semiflows of the union of two Petri nets can be immediately expressed — in specific cases
— in terms of the invariants of the two subnets. The invariants are used to analyze important
qualitative aspects of the system such as absence/existence of deadlocks. Finally, the authors
illustrate how this technique may be applied to the modeling of flexible manufacturing systems.
Beck and Krogh [Krogh 86] present a methodology for constructing a class of P/T nets for
modeling discrete processes. The synthesis of Petri nets is realized by joining subnets along
common simple elementary paths. This composition maintains the properties of safeness and
liveness; the P-semiflows of the resulting net can also be easily found in term of the P-semiflows
1
This operator is different from the union operator as defined in [Peterson 81], which given two Petri nets generating,
respectively, languages L
1
and L
2
constructs a Petri net generating the language L = L
1
∪ L
2
.
CHAPTER 2. LITERATURE REVIEW 16
of the subnets. The authors introduce a modified Petri net model [Beck 86] more suitable for the
modeling of manufacturing systems by means of the synthesis approach they propose.
Datta and Gosh [Datta 84, Datta 86] present a technique for the modular synthesis of PN. The
nets being considered are regular nets, i.e., nets where forks and joins are symmetrical, and where
the subnets between a fork and a join are marked graphs. The modules are connected through a
set of input/output places, that act as mailboxes. Finally, it is possible to give rules to connect the
modules in a way that preserves liveness and boundedness.
Zhou [Zhou 90] has studied a formal methodology for the synthesis of Petri nets in manu-
facturing. The approach followed is called hybrid, in the sense that it is partially top-down and
partially bottom-up. The author has also discussed how liveness properties for systems with shared
resources depend on the value of the initial marking of the net.
Koh [Koh 92] has studied the compositions of live and bounded circuits along paths. The
composition allows the fusion of overlapping paths, and has been extended to colored Petri nets.
The author has studied under which conditions the composed system is live and bounded.
Chapter 3
BASIC NOTATION
3.1 Petri Nets
3.1.1 Place/Transition Nets
A Place/Transition net (P/T net) is a structure N = (P, T, Pre, Post) where:
• P is a set of places represented by circles, [P[ = m;
• T is a set of transitions represented by bars, [T[ = n;
• Pre : P T → IN is the pre-incidence function that specifies the arcs directed from places
to transitions;
• Post : P T → IN is the post-incidence function that specifies the arcs directed from
transitions to places.
Here IN = ¦0, 1, 2, . . .¦. It is assumed that P ∩ T = ∅ and P ∪ T ,= ∅.
A net is pure if it has no selfloops, i.e., if [Pre(p, t) = 0 ∨ Post(p, t) = 0] for every place p
and for every transition t. If a net is pure the incidence functions can be represented by a single
matrix, the incidence matrix of the net, defined as C(p, t) = Post(p, t) −Pre(p, t).
The preset and postset of a transition t are respectively

t = ¦p ∈ P [ Pre(p, t) > 0¦,
t

= ¦p ∈ P [ Post(p, t) > 0¦.
The preset and postset of a place p are respectively

p = ¦t ∈ T [ Post(p, t) > 0¦,
p

= ¦t ∈ T [ Pre(p, t) > 0¦.
A trap is a set of places T ⊆ P such that
_
p∈T
p


_
p∈T

p.
A trap is minimal if it is not the superset of another trap. A trap is basic if it is not the union of
other traps.
A siphon is a set of places o ⊆ P such that
_
p∈S

p ⊆
_
p∈S
p

.
17
CHAPTER 3. BASIC NOTATION 18
A P-semiflow (or nonnegative P-invariant) is a vector Y : P → IN, such that Y ≥

0 and
Y
T
C =

0. The support of Y is Q
Y
= ¦p ∈ P [ Y (p) > 0¦.
The reversal of N = (P, T, Pre, Post) is the net N
R
= (P, T, Post, Pre), i.e., a new net
where the direction of all arcs of N is reversed.
A state machine is a P/T net such that each transition has exactly one input arc and one output
arc. A marked graph is a P/T net such that each place has exactly one input arc and one output
arc.
A P/T net is connected if in the underlying graph
1
there exists a path (not necessarily directed)
from any vertex to all others; strongly connected if there exists a directed path from any vertex to
all others; acyclic if no directed path forms a cycle.
3.1.2 Marked Nets
A marking is a vector M : P → IN that assigns to each place of a P/T net a non-negative integer
number of tokens, represented by black dots. M(p) denotes the number of tokens assigned by
marking M to place p. The set of all markings defined on a net N = (P, T, Pre, Post) is IN
|P|
.
A net system or marked net ¸N, M
0
) is a net N with an initial marking M
0
.
A transition t ∈ T is enabled at a marking M if M ≥ Pre(, t). If t is enabled at M, then t
may fire yielding a new marking M

with M

= M + C(, t). We will write M [t) M

to denote
that t may fire at M yielding M

.
A firing sequence from M
0
is a (possibly empty) sequence of transitions σ = t
1
. . . t
k
such
that M
0
[t
1
) M
1
[t
2
) M
2
[t
k
) M
k
. We will also write M
0
[σ) M
k
to denote that we may fire
σ at M
0
yielding M
k
.
A marking M is reachable in ¸N, M
0
) if there exists a firing sequence σ such that M
0
[σ) M.
Given a marked net ¸N, M
0
), the set of firing sequences (also called language of the net) is
denoted L(N, M
0
) and the set of reachable markings (also called reachability set of the net) is
denoted R(N, M
0
).
Let marking M be reachable from marking M
0
by firing a sequence of transitions σ. Then
the following state equation is satisfied: M = M
0
+ C σ, where σ : T → IN is a vector of
non-negative integers, called the firing count vector. σ(t) represents the number of times tran-
sition t appears in σ. The set of markings M such that there exists a vector σ satisfying the
previous state equation is called the potentially reachable set and is denoted PR(N, M
0
). Note
that PR(N, M
0
) ⊇ R(N, M
0
).
The firing subnet given by a firing count vector σ consists of all the transitions t ÷ σ(t) ≥ 0,
and of their input and output places.
Let B be a basis of P-semiflows of the net N. A marking M ∈ PR(N, M
0
) satisfies the fol-
lowing systemof equations: B
T
M = B
T
M
0
. The set of markings satisfying the previous system
of equations is denoted PR
B
(N, M
0
) [Colom 89]. Note that PR
B
(N, M
0
) ⊇ PR(N, M
0
).
A marked net ¸N, M
0
) is:
• Bounded, if there exists a nonnegative integer k such that M(p) ≤ k for every place p and
for every marking M ∈ R(N, M
0
);
• Safe (or 1-bounded), if M(p) ≤ 1 for every place p and for every marking M ∈ R(N, M
0
);
• Conservative, if there exists a vector of positive integers Y such that Y
T
M = Y
T
M
0
for every marking M ∈ R(N, M
0
);
• Live, if from every marking M ∈ R(N, M
0
) there exists a firing sequence containing all
transitions;
1
The graph underlying a Petri net has as vertices places and transitions, and as directed edges the arcs specified by
Pre and Post.
CHAPTER 3. BASIC NOTATION 19
• Reversible, if the initial marking M
0
is reachable from every reachable marking M ∈
R(N, M
0
).
A place p of a marked net ¸N, M
0
) is implicit [Silva 85] if L(N, M
0
) = L(N

, M

0
), where
¸N

, M

0
) is the marked net obtained from ¸N, M
0
) by removing place p and all its input/output
arcs. A place p of a net N is structurally implicit if there exists an initial marking M
0
such that p
is implicit in ¸N, M
0
).
3.2 Formal Languages
Let Σ be an alphabet, i.e., a set of symbols. A language L over Σ is a set of strings composed with
symbols in Σ, i.e., L ⊆ Σ

.
Let Σ
1
, . . . , Σ
n
be alphabets and let Σ = Σ
1
∪. . . ∪Σ
n
. Given a string w ∈ Σ

, the projection
(or restriction) of w on Σ
i
is the string w ↑
i
obtained from w by deleting all the symbols not
belonging to Σ
i
. Formally the projection operator is a mapping from Σ

to Σ

i
.
Let Σ
1
, . . . , Σ
n
be alphabets; let L
1
, . . . , L
n
be languages defined on them; let Σ = Σ
1
∪. . . ∪
Σ
n
. The concurrent composition (or synchronization) of L
1
, . . . , L
n
, denoted L = L
1
| . . . | L
n
,
is the language over Σ defined as
L = ¦w ∈ Σ

[ w ↑
i
= w
i
∈ L
i
, i = 1, . . . , n¦.
As a particular case, when the alphabets Σ
1
, . . . , Σ
n
are disjoint, i.e., Σ
i
∩ Σ
j
= ∅ (i ,= j), L
is called a shuffle language and is denoted by L = L
1
|
d
. . . |
d
L
n
.
Let L be a language on Σ, and let Σ
e
be a disjoint alphabet. The selfloop of L with respect to
Σ
e
is the language
L

= L |
d
Σ

e
.
Let Σ
1
, . . . , Σ
n
be alphabets; let L
1
, . . . , L
n
be languages defined on them; let Σ = Σ
1
∩. . . ∩
Σ
n
. The intersection of L
1
, . . . , L
n
, denoted L = L
1
∩ . . . ∩ L
n
, is the language over Σ defined
as
L = ¦w ∈ Σ

[ w ∈ L
i
, i = 1, . . . , n¦.
3.3 Petri Net Languages
This section presents the notation used for Petri net languages. A more detailed review of Petri net
languages is presented in Appendix A.
We will represent a discrete event system (DES) as a labeled Petri net (or Petri net generator)
[Jantzen 87, Peterson 81], i.e., as a 4-tuple G = (N, , M
0
, F) where
• N = (P, T, Pre, Post) is a Petri net structure;
• : T → Σ is a labeling function that assigns to each transition a label from the alphabet of
events Σ and will be extended to a mapping T

→ Σ

as shown in Appendix A.1;
• M
0
is an initial marking;
• F is a finite set of final markings.
The two languages associated with G are the L-language (also called marked behavior in
the context of Supervisory Control) and the P-language (also called closed behavior) defined as
follows [Peterson 81].
CHAPTER 3. BASIC NOTATION 20
Given a DES G = (N, , M
0
, F), the L-type language of G is
L
m
(G) = ¦(σ) ∈ Σ

[ σ ∈ T

, M
0
[σ) M ∈ F¦,
and the P-type language of G is
L(G) = ¦(σ) ∈ Σ

[ σ ∈ T

, ∃M

÷ M
0
[σ) M

¦.
Note that in this definition of labeled net we are assuming that is a λ-free labeling function,
according to the terminology of [Peterson 81], i.e., no transition is labeled with the empty string λ
and two (or more) transitions may have the same label. The classes of L-type and P-type languages
generated by labeled nets is denoted L and T respectively.
A deterministic PN generator [Jantzen 87] is such that the string of events generated from
the initial marking uniquely determines the sequence of transitions fired. Formally, a DES G =
(N, , M
0
, F) is deterministic if ∀t, t

∈ T, with t ,= t

and ∀M ∈ R(N, M
0
), M [t) ∧
M [t

) =⇒ (t) ,= (t

). We will always assume that the generators considered here are determin-
istic. The classes of L-type and P-type PN languages generated by deterministic PN generators are
denoted, respectively, L
d
and T
d
. Note that T
d
⊂ T and L
d
⊂ L (strict inclusion) [Jantzen 87].
3.4 Supervisory Control
This section presents the language notation used for Supervisory Control. A more detailed review
of Supervisory Control is presented in Appendix B.
Let L be a language on alphabet Σ. Its prefix closure is the set of all prefixes of strings in L:
L = ¦σ ∈ Σ

[ ∃τ ∈ Σ

÷ στ ∈ L¦. A language L is said to be closed if L = L.
Two languages L
1
and L
2
are said to be non-conflicting [Wonham 88b] if L
1
∩ L
2
= L
1
∩L
2
.
In the following, let G = (N, , M
0
, F) be a DES with alphabet of events Σ.
G is nonblocking if any string that belongs to its closed behavior may be completed to a
string that belongs to the marked behavior. A deterministic DES is non-blocking if and only if
L(G) = L
m
(G).
Alanguage K ⊂ Σ

is said to be L
m
(G)-closed if K∩L
m
(G) = K∩L
m
(G). In the case that
K ⊆ L
m
(G), this definition is reduced to the usual definition of L
m
(G)-closed: K = K∩L
m
(G)
[Ramadge 89b].
The alphabet of events Σ is partitioned into two disjoint subsets: Σ
c
, the set of controllable
events, and Σ
u
, the set of uncontrollable events. The controllable events may be disabled by a
controlling agent in order to restrict the behavior of the system within a legal behavior, while
uncontrollable events may never be disabled.
A language K ⊂ Σ

is said to be controllable with respect to L(G) if KΣ
u
∩ L(G) ⊆ K
[Ramadge 87]. The set of all languages controllable wrt L(G) is denoted ((G).
If a language L ⊂ Σ

is not controllable with respect to L(G) we may compute its supremal
controllable sublanguage [Wonham 87] defined as: L

= sup¦K ⊆ L [ K ∈ ((G)¦.
Chapter 4
ON THE EXISTENCE OF PETRI NET
SUPERVISORS
4.1 Introduction
This chapter discusses some theoretical issues related to the use of Petri nets in Supervisory Con-
trol Theory. We are interested in obtaining necessary and sufficient conditions for the existence of
a Petri net supervisor under the hypothesis that the system’s behavior and the legal behavior are
both Petri net languages.
In the case of systems and specifications modeled by finite state machines (i.e., by generators
of regular languages), Ramadge and Wonham [Wonham 87] have proved that the supervisor may
also be modeled as a finite state machine. The PN models generally considered in Supervisory
Control are conservative PN, a subclass of P/T nets whose set of reachable markings is finite. Thus
the class of languages generated by these models is equivalent to the class of regular languages,
and all the results for regular languages may apply to them as well.
Here we discuss the use of more general models with a possibly infinite set of reachable
markings. We consider three problems [Giua 92c].
• The first problem regards the trimming of a blocking system, i.e., the modification of its
structure in order that no blocking state may be reached while preserving its marked behav-
ior. We prove that the trimming of a PN is not always possible and we define a new class of
PN languages that may be generated by nonblocking generators.
• The second problem regards the existence of a PN supervisor, i.e., a supervisor whose con-
trol action is implicit in its net structure. The advantage of such a supervisor, as opposed to a
supervisor given as a feedback function, is that a closed loop model of the controlled system
may be constructed and analyzed using the same PN analysis techniques that are used to
analyze the system. By suitable modification of the results given by Ramadge and Wonham
[Ramadge 87, Ramadge 89b] we are able to derive necessary and sufficient conditions for
the existence of supervisors as net systems.
• The final problem regards the closure of PN languages under extraction of the supremal
controllable sublanguage. In this case, by means of an example, we show that PN languages
are not closed under this operator.
4.2 Petri Nets and Blocking
A first issue when using Petri nets as discrete events models for supervisory control regards the
trimming of blocking net systems. The problem is the following: given a PN generator G with
21
CHAPTER 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 22
Figure 4.1: Blocking system in Example 4.1.
Figure 4.2: Trimmed system in Example 4.1.
marked behavior L
m
(G) and closed behavior L(G) ⊃ L
m
(G) we want to modify the structure
of the net so that no blocking markings may be reached, i.e., so that L(G) = L
m
(G).
On a simple model such as a state machine this may be done, trivially, by removing all states
that are reachable but not coreachable (i.e., no final state may be reached from them) and all their
input and output transitions.
On Petri net models the trimming may be more complex. In Chapter 5 is discussed the case of
conservative nets. If the Petri net is conservative the trimming may be done without major changes
of the net structure, in the sense that we have to add new arcs and possibly duplicate transitions
without introducing new places.
As the following example shows, unbounded Petri net models may require more extensive
changes of the net structure.
Example 4.1. Let G be the PN generator in Figure 4.1, with M
0
= (100)
T
and set of final
markings F = ¦(001)
T
¦. The behaviors of this system are: L
m
(G) = ¦a
m
cb
n
[ m = rn, n ≥ 0¦
and L(G) = ¦a
m
cb
n
[ m ≥ rn, n ≥ 0¦. The system is clearly blocking, since the string
w = a
r+1
c ∈ L(G), for example, cannot be completed to a string in L
m
(G) (assuming r > 1).
To avoid reaching a blocking state we require that p
2
contain a multiple of r tokens when the
transition labeled c is allowed to fire. A possible solution is shown in Figure 4.2, where we have
introduced r −1 new places and new transitions labeled a.
There are some cases, furthermore, in which the trimming of a net system is not possible. The
reason for this is given by the following theorem.
Theorem 4.1. There exist L-type Petri net languages whose prefix closure is not a P-type Petri net
language, i.e., ∃L ∈ L ÷ L ,∈ T.
The proof of this theorem will be given by means of the next example and the following
proposition.
CHAPTER 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 23
Figure 4.3: Blocking system G in Example 4.2.
Example 4.2. Let G be the PN generator in Figure 4.3.(a), with M
0
= (1000)
T
and set of final
markings F = ¦(0001)
T
¦. The behaviors of this system are: L
m
(G) = ¦a
m
ba
m
b [ m ≥ 0¦
and L(G) = ¦a
m
ba
n
b [ m ≥ n ≥ 0¦. From the reachability tree of the system, shown in
Figure 4.3.(b), it is clear that the system is blocking. To avoid reaching a blocking state we require
that p
2
be empty before firing the transition inputting into p
4
. However, since p
2
is unbounded
this may not be done with a simple P/T structure. It is possible to introduce an inhibitor arc from
p
2
to the transition inputting into p
4
. Inhibitor arcs increase the modeling power, and the analysis
complexity, of Petri nets to that of a Turing machine, thus we cannot properly consider these
models as P/T nets. Petri nets with inhibitory arcs have been studied in the context of Supervisory
Control by Sreenivas and Krogh [Sreenivas 92].
We may formally prove that the prefix closure of the marked language of the system G dis-
cussed in Example 4.2 is not a P-type Petri net language. The proof is based on the pumping
lemma for P-type PN languages, given in [Jantzen 87].
Lemma 4.1 (Pumping lemma). Let L ∈ T. Then there exist numbers k, l such that any string
w ∈ L, with [ w [≥ k, has a decomposition w = xyz with 1 ≤[ y [≤ l such that xy
i
z ∈ L, ∀i ≥ 1.
Proposition 4.1. L = ¦a
m
ba
m
b [ m ≥ 0¦ is not a P-type Petri net language.
Proof . Given k and l according to the pumping lemma, let w = a
k
ba
k
b. Consider a partition
w = xyz, with 1 ≤[ y [≤ l. Clearly b ,∈ y, since in this case xy
i
z ,∈ L for i ,= 1. However
if w = a
n
.¸¸.
x
a
p
.¸¸.
y
a
q
ba
k
b
. ¸¸ .
z
, (n + p + q = k), or if w = a
k
ba
n
. ¸¸ .
x
a
p
.¸¸.
y
a
q
b
.¸¸.
z
, (n + p + q = k), then
xy
i
z ,∈ L for i ,= 1. Hence L is not a P-type Petri net language.
We conclude this section with the definition of a new class of L-type Petri net languages whose
prefix closure can be generated by a deterministic nonblocking Petri net generator. This class will
play an important role in characterizing the existence of Petri net supervisors, as we will discuss
in the next section.
Definition 4.1. A language L ∈ L (not necessarily deterministic) is said to be deterministic P-
closed (DP-closed for short) if and only if its prefix closure is a deterministic P-type Petri net
language, i.e., L ∈ T
d
. The class of DP-closed Petri net languages is denoted L
DP
.
CHAPTER 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 24
As a side note, we point out that the class L
DP
that we have defined does not coincide with
any of the classes of PN languages generally considered in the literature [Jantzen 87]. The proof
follows from the fact that L
DP
is not closed under intersection, as we show in Example 4.5, while
all previously defined classes of PN languages are closed under intersection.
4.3 Supervisor
A supervisor [Ramadge 87] is an agent that disables the controllable transitions of a system in
order to restrict its behavior within a legal behavior. Here we recall the fundamental definitions,
pointing to Appendix B.2 for a more detailed discussion.
Let us define a control input as a subset γ ⊆ Σ satisfying Σ
u
⊆ γ (i.e., all the uncontrollable
events are present in the control input). If a ∈ γ, the event a is enabled by γ (permitted to occur),
otherwise a is disabled by γ (prohibited from occurring); the uncontrollable events are always
enabled. Let Γ ⊆ 2
Σ
denote the set of all the possible control inputs. Formally, a supervisor is
a map f : L(G) → Γ specifying, for each possible string of events w ∈ L(G) generated by
the system G, the control input γ = f(w) to be applied at that point. It is often the case that a
supervisor is given as another discrete event system S that runs in parallel with G. The control
input at a given moment is represented by the events that are enabled in S, thus the function f is
implicit in the structure of S.
The objective is to design a supervisor that selects control inputs in such a way that the con-
trolled system’s behavior is restricted within a legal specification language. We consider the case
in which both the system G and the supervisor S are given as discrete event systems. The closed
loop system under control is denoted S/G. Its closed behavior is L(S/G) = L(S) ∩ L(G) and
its controlled behavior is L
m
(S/G) = L(S/G) ∩ L
m
(G) = L(S) ∩ L
m
(G). Note that we are
assuming that the supervisor does not mark strings, i.e., the marked strings of the system under
control are all and only the marked strings of the uncontrolled system that survive under control.
The following two theorems, also reported in Appendix B.3, are due to Ramadge and Wonham
[Ramadge 87, Ramadge 89b] and give necessary and sufficient conditions for the existence of a
supervisor.
Theorem 4.2 ([Ramadge 87], P. 5.1). For nonempty L ⊆ L(G) there exists a supervisor S such
that L(S/G) = L if and only if L is prefix closed and controllable.
Theorem 4.3 ([Ramadge 87], T. 6.1). For nonempty L ⊆ L
m
(G) there exists a nonblocking
supervisor S such that L
m
(S/G) = L if and only if L is L
m
(G)-closed and controllable.
If the system and the supervisor are Petri net generators, it is possible to construct a PN model
of the closed loop system under control S/G using the net counterpart of the intersection oper-
ator on languages [Peterson 81]. If S and G are deterministic generators (as we always assume)
S/G is deterministic as well. Note also that while the closed behavior of S/G is L(S/G), the
marked behavior of S/G is not defined since the controlled behavior L
m
(S/G) is not necessarily
a deterministic L-type PN language.
4.4 Existence of Petri Net Supervisors
In this section, we present some theorems which give necessary and sufficient conditions for the
existence of PN supervisors. In fact, although Theorem 4.2 and Theorem 4.3 specify under which
conditions there exist supervisors for a given control problem, it may well be the case that these
supervisors cannot be represented as Petri net generators, even if the system’s behavior and the
legal behavior are Petri net languages.
CHAPTER 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 25
Figure 4.4: System G in Example 4.3 and Example 4.5.
The first two theorems regard the case in which we want to restrict the closed behavior of G
within the limits of a legal behavior L.
Theorem 4.4. Let G be a nonblocking PN and let L ⊆ L(G) be a nonempty language. There
exists a PN supervisor S such that L(S/G) = L if and only if L is a controllable deterministic
P-type PN language, i.e., L ∈ T
d
∩ ((G).
Proof . (If) Since L ∈ T
d
then there exists a PN generator S ÷ L(S) = L. S is the desired
supervisor. In fact, since L ∈ ((G) then S, running in parallel with G, will never block an
uncontrollable transition of G and L(S/G) = L(S) ∩ L(G) = L. (Only if) Since L(S/G) = L
then L is a P-type language for the PN representing the closed loop system and L ∈ T
d
. Also L is
controllable according to Theorem 4.2.
It may be interesting to consider the case in which the legal behavior L is not a subset of L(G).
In this case we are interested in restricting the system’s behavior to L∩L(G), and we simply need
to check whether L ∩ L(G) satisfies the conditions of the previous theorem. It may well be the
case that L ,∈ T
d
∩ ((G) but L ∩ L(G) ∈ T
d
∩ ((G), i.e., a PN supervisor for this problem may
exist even if L is not a PN language or if L is not closed and controllable. However, if L ∈ T
d
we
have the following theorem.
Theorem 4.5. Let G be a nonblocking PN and let L ⊆ Σ

, with L(G) ∩ L ,= ∅, and L ∈ T
d
.
There exists a PN supervisor S such that L(S/G) = L ∩ L(G) if and only if L ∈ ((G).
Proof . (If) The sets T
d
and ((G) are closed under intersection, as proved, respectively, in
[Jantzen 87, Ramadge 87]. Hence L ∩ L(G) ∈ T
d
∩ ((G) and by Theorem 4.4 there exists a PN
supervisor S ÷ L(S/G) = L∩L(G). (Only if) Since L(S/G) = L∩L(G) then L∩L(G) ∈ T
d
.
Also L∩L(G) is controllable by Theorem 4.2, i.e., [L ∩ L(G)]Σ
u
∩L(G) ⊆ L ∩ L(G) ⊆ L =⇒
[L∩L(G)]Σ
u
∩L(G) ⊆ L (since languages in T
d
are prefix closed) =⇒ LΣ
u
∩L(G) ⊆ L, =⇒

u
∩ L(G) ⊆ L (since L ∈ T
d
), hence L ∈ ((G).
Let us consider now the case in which we want to restrict the marked behavior of G within
the limits of a legal behavior L. In this case, unfortunately, the necessary requirements that L be
controllable and L
m
(G)−closed (by Theorem 4.3) are not sufficient to insure the existence of a
nonblocking PN supervisor even if L ∈ L
d
. The following example discusses this case.
Example 4.3. Let G be the PN generator in Figure 4.4, with Σ
u
= ∅, M
0
= (100)
T
, and set
of final markings F = ¦(001)
T
¦. The marked behavior of this system is: L
m
(G) = ¦a

ba

b¦.
Assume now that we want to restrict the marked behavior of G to L = ¦a
m
ba
m
b [ m ≥ 0¦ that is
clearly controllable and L
m
(G)−closed. However, since L ,∈ L
DP
(Proposition 4.1) there exists
no PN whose P-type language is L. L is the L-type language of the system E in Figure 4.3.(a)
with set of final marking F = ¦(0001)¦, that however does not qualify as a supervisor for this
problem, since L
m
(E/G) = L(E) ∩ L
m
(G) ⊃ L.
CHAPTER 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 26
captionSystem G in Example 5.2.
The example shows the need to introduce the further requirement that the legal behavior L be
DP-closed for insuring the existence of a PN supervisor.
Theorem 4.6. Let G be a nonblocking PN and let L ⊆ L
m
(G) be a nonempty language. There
exists a nonblocking PN supervisor S such that L
m
(S/G) = L if and only if L ∈ L
DP
∩ ((G)
and L is L
m
(G)−closed.
Proof . (If) Since L ∈ L
DP
then there exists a PN S ÷ L(S) = L ⊆ L(G). S is the desired
supervisor. In fact: since L ∈ ((G), then clearly L ∈ ((G); since L is L
m
(G)−closed, then
L
m
(S/G) = L(S) ∩ L
m
(G) = L ∩ L
m
(G) = L; S is nonblocking, since L(S/G) = L(S) ∩
L(G) = L ∩ L(G) = L = L(S/G). (Only if) Since S is a nonblocking supervisor, then L ∈
((G) and L is L
m
(G)−closed, by Theorem 4.3. We need to prove that L = L
m
(S/G) = L(S)∩
L
m
(G) ∈ L
DP
. First note that L(S) ∈ T
d
, hence L(S) ∈ L ⊃ T ⊃ T
d
[Jantzen 87]. (Note
that L(S) although a deterministic P-type language may be a nondeterministic L-type language.)
Since L is closed under intersection [Jantzen 87], then L ∈ L. Also L = L(S/G) by the non
blocking hypothesis, hence L ∈ T
d
(since it is the deterministic P-type language of closed loop
PN generator). It follows that L ∈ L
DP
.
Theorem 4.6 does not require L to be deterministic. In fact we want to restrict the marked
behavior of G to L by means of a non marking deterministic supervisor, that effectively solely
constrains the closed behavior of G. Hence it is sufficient that Lbe a deterministic P-type language
in order to construct a deterministic supervisor. The following example will clarify this point.
Example 4.4. Let G be the PN generator in Figure 4.5, with Σ
u
= ¦b¦, M
0
= (10)
T
, and set
of final markings F = ¦(01)
T
¦. The marked behavior of this system is: L
m
(G) = ¦a

ba

¦.
Assume now that we want to restrict the marked behavior of G to L = ¦a
m
ba
n
[ m ≥ n ≥ 0¦.
L is an L-type PN language and it can be proved that it is not deterministic, i.e., it cannot be
accepted by a deterministic generator with a finite set of final states F. However L ∈ L
DP
, since
L is the deterministic P-type language of the marked net S in Figure 4.6. Since L is controllable
and L
m
(G)−closed, S is a proper supervisor and is such that L
m
(S/G) = L.
We would like to extend Theorem 4.6 to the case in which the legal behavior L is not a subset
of L
m
(G). Unfortunately in this case the hypotheses of Theorem 4.6 are not sufficient to insure
the existence of a PN supervisor. In fact, it may be possible that, although L ∈ L
DP
, L∩L
m
(G) ,∈
L
DP
.
Proposition 4.2. The class of DP-closed PN languages L
DP
is not closed under intersection.
The proof of the proposition follows from the following example.
Example 4.5. Let G be the PN generator in Figure 4.4, M
0
= (100)
T
, and set of final markings
F = ¦(001)
T
¦. The marked behavior of this systemis: L
m
(G) = ¦a

ba

b¦ ∈ L
DP
. Consider the
language L = ¦a
m
b(bc)

(a(bc)

)
m
b [ m ≥ 0¦. Clearly L ∈ L
DP
since it is the marked behavior
of the nonblocking generator E in Figure 4.7, with the set of final markings F = ¦(0001)
T
¦.
Unfortunately L ∩ L
m
(G) = ¦a
m
ba
m
b [ m ≥ 0¦ ,∈ L
DP
, as we have shown in Proposition 4.1.
CHAPTER 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 27
Figure 4.5: Supervisor S in Example 5.2.
Figure 4.6: Generator E in Example 4.5 and Example 4.6.
CHAPTER 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 28
The problem in the previous example is that L and L
m
(G) are conflicting, i.e., L∩L
m
(G) ⊃
L ∩ L
m
(G). Hence, while L ∩ L
m
(G) ∈ T
d
(since T
d
is closed under intersection) it may be
the case that L ∩ L
m
(G) ,∈ T
d
. If however the two languages are not conflicting, we have that
L ∩ L
m
(G) = L ∩ L
m
(G) ∈ T
d
.
Theorem 4.7. Let G be a nonblocking PN and let L ⊆ Σ

, with L
m
(G) ∩ L ,= ∅. There exists
a nonblocking PN supervisor S such that L
m
(S/G) = L ∩ L
m
(G) if L ∈ L
DP
∩ ((G), L is
L
m
(G)−closed, L and L
m
(G) are not conflicting.
Proof . The class L and the set ((G) are closed under intersection [Jantzen 87, Ramadge 87].
Also, by the non-conflicting hypothesis, L ∩ L
m
(G) ∈ T
d
. Hence L ∩ L
m
(G) ∈ L
DP
∩ ((G).
Finally since L is also L
m
(G)−closed we can write: L ∩ L
m
(G) ∩ L
m
(G) = L ∩ L
m
(G) ∩
L
m
(G) = L∩L
m
(G) = L∩L
m
(G), i.e., L∩L
m
(G) is L
m
(G)−closed. By Theorem 4.6 there
exists a nonblocking supervisor S ÷ L
m
(S/G) = L ∩ L
m
(G).
The last theorem gives a sufficient, but not necessary, condition for the existence of a PN
supervisor. In fact while: L ∈ ((G) =⇒ L ∩ L
m
(G) ∈ ((G) and L is L
m
(G)−closed =⇒
L ∩ L
m
(G) is L
m
(G)−closed, the converse is not true. A necessary and sufficient condition for
the existence of a PN supervisor in the case the legal behavior L is not a subset of L
m
(G) may be
given, as a trivial corollary of Theorem 4.6, requiring that L ∩ L
m
(G) ∈ L
DP
∩ ((G) and that
L ∩ L
m
(G) be L
m
(G)−closed.
4.5 Petri Net Languages and Supremal Controllable Sublanguage
Our final result regards the closure of PN languages under the supremal controllable sublanguage
operator

[Wonham 87]. This result has been known, at least partially, by the control community
but has never been published before to the best of our knowledge.
Proposition 4.3. The classes T
d
and L
DP
of PN languages are not closed under the

operator.
The proof of this proposition will be given by means of the following example.
Example 4.6. Let G be the PN generator in Figure 4.8, with Σ
u
= ¦a¦, M
0
= (1000)
T
, and
set of final markings F = ¦(0001)
T
¦. Consider now the generator E in Figure 4.7 with the set
of final markings F = ¦(0001)
T
¦. The two languages L(E) ∈ T
d
and L
m
(E) ∈ L
DP
are
not controllable. To show this we have drawn, in Figure 4.9, the reachability tree of the two
systems; since E refines G, we have represented the arcs that belong to the reachability tree of
both marked nets with continuous lines, while the arcs that only belong to the reachability tree of
G have been represented by dotted lines. L(E) and L
m
(E) are not controllable because of the
presence of the dotted arcs associated to the uncontrollable transition a. If we apply the

operator,
we obtain the two supremal controllable sublanguages: L(E)

= ¦a
m
ba
m
(bc)

b [ m ≥ 0¦ and
L
m
(E)

= ¦a
m
ba
m
(bc)

b [ m ≥ 0¦, that are the closed and marked behavior of the generator in
Figure 4.10. L(E)

,∈ T
d
, as can be proved using the pumping lemma in the same way we have
done in Proposition 4.1 (the string w = a
k
ba
k
b may be used to prove that no pumping is possible).
L
m
(E)

,∈ L
DP
, since L
m
(E)

= L(E)

,∈ T
d
.
4.6 Conclusions
The results of this chapter show that although unbounded PN do not have all desirable properties
from the point of view of supervisory control, there are cases in which PN supervisors may be
constructed.
CHAPTER 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 29
Figure 4.7: Generator G in Example 4.6.
Figure 4.8: Reachability tree of G and E in Example 4.6.
Figure 4.9: Generator of L(E)

and L
m
(E)

in Example 4.6.
CHAPTER 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 30
The main difficulties when using Petri nets as discrete event models for supervisory control
stems out from the fact that not all L-type PN languages are DP-closed and from the fact that the
class L
DP
of DP-closed languages is not closed under intersection. Another undesirable property
is given by the fact that the classes T
d
and L
DP
are not closed under the

operator.
In the remaining part of the thesis we will consider simpler Petri net models, whose reachabil-
ity set is finite.
Chapter 5
SUPERVISORY DESIGN USING
PETRI NETS
5.1 Introduction
In this chapter we discuss how Petri net models may be used to design supervisors within the
framework of Supervisory Control. The purpose is that of applying a model that has a great
representational power in the theoretical approach of Ramadge and Wonham. The discussion is
focused at the model level: we discuss the supervisory design algorithm and its counterpart on the
structure of a Petri net [DiCesare 91, Giua 91]. The design requires two steps. In the first step, a
coarse structure for a supervisor is synthesized by means of concurrent composition of different
modules. In the second step, the structure is refined to avoid reaching undesirable markings.
The chapter is structured as follows. In Section 5.2, we review the monolithic supervisory
design as formulated by Wonham and present a design based on the concurrent composition op-
erator. In Section 5.3, we show that this design is well suited for Petri nets models. In particular,
we discuss how to refine a coarse structure for a supervisor, by introducing new arcs (and possibly
duplicating transitions) to avoid reaching undesirable markings. This procedure may always be
applied when the net is conservative. In Section 5.4, we discuss the advantages of PN over state
machines, as far as the transition structure of the model is concerned.
5.2 Monolithic Supervisor Design
A supervisory design algorithm has been presented by Wonham [Wonham 88a]. The algorithm
is based on language operators and it may be implemented using different models. The only
requirement is that the model specify the closed and marked behavior of a system. We also require
that the linguistic operators introduced in Section 3.2 be extended to the model. For example,
given two DES G
1
, G
2
, with closed behaviors L(G
1
), L(G
2
) and marked behaviors L
m
(G
1
),
L
m
(G
2
) we denote: G = G
1
| G
2
the DES whose behaviors are: L(G) = L(G
1
) | L(G
2
) and
L
m
(G) = L
m
(G
1
) | L
m
(G
2
). In a similar fashion, we can extend other linguistic operators to
operators on the systems.
Assume we are given m nonblocking DES G
1
, . . . , G
m
working concurrently. The alphabet
of these systems are Σ
1
, . . . , Σ
m
and they are disjoint, i.e., Σ
i
∩ Σ
j
= ∅ for every i ,= j. We want
to enforce some specifications on the joint behavior of these systems, represented by n different
nonblocking generators H
1
, . . . , H
n
. Each specification generator H
j
is defined on an alphabet
Σ
H
j
⊆ Σ
1
∪ . . . ∪ Σ
m
and effectively constrains only the events that belong to its alphabet.
A monolithic supervisor may be constructed using the following algorithm [Wonham 88a].
Algorithm 5.1. Wonham Supervisory Design
31
CHAPTER 5. SUPERVISORY DESIGN USING PETRI NETS 32
1. Construct by shuffling G = G
1
|
d
. . . |
d
G
m
. G models the joint concurrent behavior
of the overall system under the assumption that the actions of the single subsystems are
asynchronous and independent. The alphabet of G is Σ = Σ
1
∪ . . . ∪ Σ
m
.
2. Augment the specifications, selflooping each H
j
with the event labels present in G but un-
constrained by H
j
, i.e., the labels in Σ
e
j
= Σ¸Σ
H
j
. Call these newgenerators H

1
, . . . , H

n
.
3. Construct by intersection H = H

1
∩ . . . ∩ H

n
. H represents the global specification we
want to enforce on the behavior of G.
4. Construct by intersection E = H ∩ G. E represents the largest behavior of the overall
system that satisfies all the constraints imposed by the specifications.
5. The generator E obtained through the above construction, in the general case does not rep-
resent a proper supervisor, since the following two properties are not automatically ensured:
• nonblockingness, i.e., the generator E may contain blocking states from which a final
state cannot be reached;
• controllability, i.e., the language L(E) may not be controllable with respect to L(G).
This means that when G and E run in parallel it may be possible to reach a state from
which an uncontrollable event is enabled in G but is not enabled in E.
We have to further minimally restrict the behavior of E, to obtain a nonblocking and control-
lable generator S. This is the counterpart, on the DES structure, of the supremal controllable
sublanguage operator.
The system S obtained through this procedure gives us the transition structure of a supervisor.
We will give an example of this construction using state machine models.
Example 5.1. Consider the systems G
1
and G
2
in Figure 5.1 and the specification H. We may
think of G
1
as a robot that picks up one part (event a) and loads the part on a machine (event b).
G
2
is a machine that may start working (event c) and may output the produced part on conveyor A
or B (respectively events d and e) before returning to the idle state. The specification we consider,
represented by the generator H, specifies that the machine may start working only after it has been
loaded (events b and c must occur alternatively), and that the robot may load a new part on the
machine only after the previously loaded part has been outputted on conveyor A (events d and b
must occur alternatively). We will assume that the only uncontrollable event for this problem is
event b.
The first step of design requires the construction of G = G
1
|
d
G
2
, shown in Figure 5.2.
In the second step we construct the augmented specification H

, shown in Figure 5.3, by
selflooping H with the unconstrained events, i.e., with a, e. Since H is the only specification
generator, step 3 is not required in this example.
In the fourth step we construct the system E = G∩ H

, shown in Figure 5.4. The system E
is not a supervisor, because it contains blocking states (from which the final marking may not be
reached), and also non controllable states. As an example, after Ghas executed the string of events
w = aba, events b and c may occur in G while the control pattern computed by E contains only
the event c. Since b is an uncontrollable event, the language generated by E is not controllable.
If we remove the blocking and noncontrollable states, we obtain the nonblocking and control-
lable generator S in Figure 5.5, which is a proper supervisor for this problem.
The supervisor S constructed using Algorithm 5.1 is called monolithic, because it represents
both a supervisor and a closed loop model of the system under control. In fact L(S) = L(S/G).
It is often the case that a simpler supervisor exists. For the control problem in Example 5.1, a
CHAPTER 5. SUPERVISORY DESIGN USING PETRI NETS 33
Figure 5.1: Systems and specification for the control problem in Example 5.1.
Figure 5.2: Shuffle system G = G
1
|
d
G
2
in Example 5.1.
Figure 5.3: Specification generator H

in Example 5.1.
CHAPTER 5. SUPERVISORY DESIGN USING PETRI NETS 34
Figure 5.4: System E = G∩ H

for the control problem in Example 5.1.
Figure 5.5: Monolithic supervisor S for control problem in Example 5.1.
Figure 5.6: A reduced structure supervisor S’ for the control problem in Example 5.1.
CHAPTER 5. SUPERVISORY DESIGN USING PETRI NETS 35
reduced structure supervisor S

is shown in Figure 5.6. We may easily check that L(S/G) =
L(S

/G) ⊂ L(S

).
Note also that since we have associated a final state with the specification H, the supervisor
we have constructed is a marking supervisor according to the terminology in Appendix B.2.
5.2.1 Design Using Concurrent Composition
We propose an alternative design for a supervisor, where only one operator, the concurrent com-
position operator, is used to construct the generator E. The algorithm is the following.
Algorithm 5.2. Concurrent Composition Supervisory Design
1. Construct by concurrent composition
E = G
1
| . . . | G
m
| H
1
| . . . | H
n
;
2. Refine E so that it is nonblocking and controllable.
It is easy to see that the two approaches are equivalent. In fact with Algorithm 5.1 we construct
a system generating the language
E
1
= [L(G
1
) |
d
. . . |
d
L(G
m
)] ∩ [L(H
1
) |
d
Σ

e
1
] ∩ . . . ∩ [L(H
n
) |
d
Σ

e
n
],
and with Algorithm 5.2 we construct a system generating the language
E
2
= L(G
1
) | . . . | L(G
m
) | L(H
1
) | . . . | L(H
n
).
Since (∀w ∈ Σ

) w ∈ [L(H
j
) |
d
Σ

ej
] ⇐⇒ w ↑
H
j
∈ L(H
j
) (here w ↑
H
j
is the projection of
string w on alphabet Σ
H
j
), we can see that:
E
1
= ¦w [ w ∈ [L(G
1
) |
d
. . . |
d
L(G
m
)], w ∈ [L(H
j
) |
d
Σ

ej
] (j = 1, . . . , n)¦
= ¦w [ w ↑
i
∈ L(G
i
) (i = 1, . . . , m), w ↑
H
j
∈ L(H
j
) (j = 1, . . . , n)¦
= E
2
.
The concurrent composition design is simpler, since it requires only one operator. We will
show in the following section how it may be easily implemented using Petri net models.
5.3 Monolithic Design Using Petri Nets
In this section, we will use Petri net models in the design of a supervisor, following the Algo-
rithm 5.2. The coarse structure for a supervisor, i.e., the system E, may be efficiently constructed
and the properties of nonblockingness and controllability may be expressed as properties of the
net system E. Secondly, we will discuss how E may be refined to obtain a supervisor S without
major changes in its structure.
The net counterpart of the concurrent composition operator, described in Appendix A.5, re-
quires merging transitions with the same label. This construction is based on the structure of the
net and does not require the explicit enumeration of its state space.
Example 5.2. For the control problem discussed in Example 5.1 we have represented in Figure 5.7
the systems and specification as Petri nets. The systemE = G
1
| G
2
| H obtained by concurrent
composition is shown in Figure 5.8.
CHAPTER 5. SUPERVISORY DESIGN USING PETRI NETS 36
Figure 5.7: Systems and specifications as Petri nets for the control problem in Example 5.2.
Figure 5.8: System E = G
1
| G
2
| H as a Petri net for the control problem in Example 5.2.
CHAPTER 5. SUPERVISORY DESIGN USING PETRI NETS 37
It is important to note how the properties of interest, namely nonblockingness and controllabil-
ity, may be expressed in terms of net properties. We will use the notation for concurrent systems
presented in Appendix A.5. Let G = G
1
| . . . | G
m
and H = H
1
| . . . | H
n
, be the system
and specification components of E. Assume that E = (N, , M
0
, F), G = (N
1
,
1
, M
0,1
, F
1
),
and H = (N
2
,
2
, M
0,2
, F
2
).
The system E is nonblocking if and only if a final marking may be reached from any reachable
marking, i.e., if and only if
(∀M ∈ R(N, M
0
)) (∃M
f
∈ F) [M
f
∈ R(N, M)].
Conversely, any reachable marking M

such that (,∃M
f
∈ F) [M
f
∈ R(N, M

)] is a blocking
marking, and we should prevent the system from reaching it.
Let T
u
⊆ T be the set of uncontrollable transitions of E, i.e., the transitions labeled by uncon-
trollable events. Given a marking M ∈ R(N, M
0
), let M ↑
1
(M ↑
2
) be the restriction of M to the
places of G (H). Then E will be controllable if and only if it is not possible to reach a marking
M such that an uncontrollable transition t is enabled by M ↑
1
in G, but it is not enabled by M ↑
2
in H. In other words, E is controllable if and only if
(∀t ∈ T
u
) (,∃M ∈ R(N, M
0
)) [M ↑
2
,≥ Pre
2
(, t) ∧ M ↑
1
≥ Pre
1
(, t)].
Once the coarse structure of a candidate supervisor is constructed by means of concurrent
composition, we need to refine it to obtain a nonblocking and controllable generator. We have to
remove a set of undesirable states and all the transitions leading to them. We assume in this section
that the knowledge of which states are undesirable, and which are the transitions leading to them,
is given.
The next example shows the problems involved in the refinement of a net.
Example 5.3. Let us consider the system E constructed in Example 5.2. Here the controllable
event set is Σ
c
= ¦a, c, d, e¦ and the uncontrollable event set is Σ
u
= ¦b¦. E is blocking and
uncontrollable. The undesirable markings, that should be removed, are those shown in the reach-
ability tree in Figure 5.9, equivalent to the state machine model in Figure 5.4. Refining the PN
is complex. First, we should certainly remove the transition labeled by e since its firing always
leads to an undesirable state and it is controllable. After removal of this transition, the transition
labeled by a will be enabled by the following reachable markings: M

= (1010010)
T
, M

=
(1001010)
T
, M

= (1000101)
T
. We want to block the transition labeled a when the markings
M

and M

are reached. Since
M

(p
3
) = 1 > M

(p
3
) = M

(p
3
) = 0,
we can add an arc from p
3
to a and from a to p
3
as in Figure 5.10.
The following algorithm can be given for the refinement of a net.
Algorithm 5.3. Let t be a transition to be controlled, i.e., a transition leading from an admissible
marking to an undesirable marking. Let a be its label.
1. Determine the set of admissible reachable markings that enable t, and partition this set
into the disjoint subsets M
e
(the markings from which t should be allowed to fire), and M
d
(the markings from which t should not be allowed to fire, to avoid reaching an undesirable
marking). If M
e
= ∅ remove t and stop, else continue.
2. Determine a construct in the form:
|(M) = [(M(p
1
1
) ≥ n
1
1
) ∧ . . . ∧ (M(p
1
k1
) ≥ n
1
k1
)]∨
. . .
∨[(M(p
l
1
) ≥ n
l
1
) ∧ . . . ∧ (M(p
l
kl
) ≥ n
l
kl
)],
such that |(M) = TRUE if M ∈ M
e
, and |(M) = FALSE if M ∈ M
d
.
CHAPTER 5. SUPERVISORY DESIGN USING PETRI NETS 38
Figure 5.9: Reachability tree of the system E in Example 5.2 and Example 5.3.
Figure 5.10: Supervisor S as a Petri net for the control problem in Example 5.2 and Example 5.3.
CHAPTER 5. SUPERVISORY DESIGN USING PETRI NETS 39
3. Replace transition t with l transitions t
1
, . . . , t
l
labeled a. The input (output) arcs of transi-
tion t
j
, j = 1, . . . , l, will be those of transition t plus n
j
i
arcs inputting from (outputting to)
place p
j
i
, i = 1, . . . , k
j
.
It is clear that following this construction there is an enabled transition labeled a for any
marking in M
e
, while none of these transitions are enabled by a marking in M
d
. We also note that
in general several constructs of this form may be determined. The one which requires the minimal
number of transitions, i.e., the one with smaller l, is preferable.
The following theorem gives a sufficient condition for the applicability of the algorithm.
Theorem 5.1. The construct of Algorithm 5.3 can always be determined if the net is conservative.
Proof: A net is conservative if there exists an integer vector Y >

0 such that for any two
markings M and M

reachable from the initial marking Y
T
M = Y
T
M

. Hence if M ,= M

there
exists a place p such that M(p) > M

(p). Also the set of reachable markings is finite.
On a conservative net, consider M
i
∈ M
e
, M
j
∈ M
d
. We have that M
e
and M
d
are finite
sets and also there exists a place p
ij
such that M
i
(p
ij
) = n
ij
> M
j
(p
ij
). Hence
|(M) =

i∈M
e
_
_

j∈M
d
(M(p
ij
) ≥ n
ij
)
_
_
is a construct for Algorithm 5.3.
According to this Theorem we may always find a refinement construct for conservative nets.
Unfortunately, the construct may contain up to [M
e
[ OR clauses, i.e., up to [M
e
[ transitions may be
substituted for a single transition to control. Note, however, that it is often possible to determine a
simpler construct as in Example 5.3, where the construct for the transition labeled a was |(M) =
[M(p
3
) ≥ 1].
5.4 Petri Nets and State Machines
The design using concurrent composition appears to be highly efficient when using Petri net struc-
tures. Here we would like to discuss the main advantages of using Petri nets rather than state
machines in the supervisory design.
1. PN have a higher language complexity than state machines. Hence they have the possibility
of describing a larger class of systems.
The concurrent composition design algorithm may be used to construct the systemE even if
we consider Petri net models with infinite state space, since it is based on the finite structure
of the net. However, as suggested by Theorem 5.1, since systems with infinite state space are
not conservative it may be impossible to refine the net in step 2 of the algorithm. This was
also expected from the results of Chapter 4 since the nonblocking generator of the supremal
controllable sublanguage of E may not have a Petri net representation.
2. Suppose we restrict ourselves to consider only conservative Petri net models. Conservative
PN are essentially equivalent to state machines, since the number of reachable markings
(i.e., the number of “states” of the model) is finite. However, since the states of a PN are
represented by the possible markings and not by the places, they allow a compact descrip-
tion, i.e., the structure of the net may be maintained small in size even if the number of the
markings grows.
To express the difference between the two approaches in quantitative terms, assume that we
start with bottom level modules that are state machines. Furthermore assume that in each
CHAPTER 5. SUPERVISORY DESIGN USING PETRI NETS 40
module each symbol labels at most one transition. Consider k modules G
1
, . . . , G
k
, and let
m
i
and n
i
be the number of states (i.e., places) and transitions of each of them. The system
G = G
1
| . . . | G
k
can be constructed as a state machine or as an ordinary Petri net.
• When G is constructed as a state machine the number m of states and the number n of
transitions will be:
m ≤
k

i=1
m
i
, n ≤
k

i=1
_
_
n
i

j=i
m
j
_
_
The upper bound is reached when the alphabets of the modules are disjoint; in this case
the coupling of the modules is so weak that the overall state set will be identical to the
cartesian product of the states of the modules. The bound gives however a clear idea
of the exponential growth of the model even in the general case when the alphabets of
the modules are not disjoint [Tadmor 89].
• When Gis constructed as an ordinary Petri net, following the algorithmin Appendix A.5,
we have a number of places equal to: m =

k
i=1
m
i
and a number of transitions:
n = |Σ| ≤

k
i=1
n
i
where Σ is the alphabet associated to G.
However, it is necessary to point out that in the phase of the refinement of the coarse
structure of the supervisor the number of transitions introduced in Algorithm 5.3 may
in the worst case approach the size of M
e
as suggested by Theorem 5.1.
3. Petri nets allow modular synthesis, i.e., the net can be considered as composed of inter-
related subnets, in the same way as a complex systems can be regarded as composed of
interacting subsystems. In Figure 5.8, e.g., we may still recognize the individual modules
that compose the system E, while in the state machine representation in Figure 5.4 this is
not possible. This permits us to express controllability as a property of the generator E.
5.5 Conclusions
We can summarize the results of this chapter as follows:
• For regular languages, Ramadge and Wonham have proved that it is always possible to
determine the supremal controllable sublanguage of a given configuration of systems and
specifications with a finite procedure (See Appendix B, Theorem B.3).
• For DES modeled with conservative Petri nets (that generate regular languages) we can
always refine the net in order that the supremal controllable behavior is achieved. In the
refinement, following Algorithm 5.3, the modular structure of the net is preserved (but in
some cases it may be necessary to introduce a large number of transitions).
Hence conservative Petri nets may be used within the framework of supervisory control, providing
a more compact representation in terms of transition structure when compared with state machine
models.
There is, however, another problem to be addressed. In this chapter we have assumed that
the set of undesirable markings is given. In practice, a brute force approach to determine this set
requires the construction of the reachability tree. PN may offer means to solve this problem in
more efficient ways.
• Use incidence matrix analysis to determine whether undesirable markings are reachable.
Although in the general case this analysis gives only a necessary condition for reachabil-
ity, there are classes of nets such that a necessary and sufficient condition may be derived
[Giua 90b, Murata 89].
CHAPTER 5. SUPERVISORY DESIGN USING PETRI NETS 41
• Derive synthesis procedures that insure the desired properties for the composed system.
In this case we have efficient “closed form solutions” at the cost of limiting our design to
special classes of nets [Datta 84, Datta 86, Krogh 86, Krogh 91].
These approaches will be investigated in the next chapters.
Chapter 6
INCIDENCE MATRIX ANALYSIS
6.1 Introduction
This chapter discusses how incidence matrix analysis for Petri net models may be used to validate
supervisors for the control of discrete event systems. We will consider a class of P/T nets called
Elementary Composed State Machines (ECSM). The most interesting property of this class of nets
lies in the fact that the set of reachable markings is an (integer) convex set and that the set of linear
inequalities A M ≥ A M
0
which defines it may be computed from the analysis of the simple
state machine modules that compose the net.
In classic incidence matrix analysis, the set of reachable markings of a system ¸N, M
0
) is
approximated by the solutions of the state equation, i.e., by the set
PR(N, M
0
) = ¦M ∈ IN
|P|
[ (∃σ ∈ IN
|T|
)[M = M
0
+C σ]¦,
where C is the incidence matrix of the net. In another approach, a basis of P-semiflows B is used
to approximate the reachability set, defining the set
PR
B
(N, M
0
) = ¦M ∈ IN
|P|
[ B
T
M = B
T
M
0
¦.
The first approximation is generally better, in the sense that
R(N, M
0
) ⊆ PR(N, M
0
) ⊆ PR
B
(N, M
0
)
However, the computation of PR
B
(N, M
0
) does not involve the firing count vector σ, and this
feature has additional advantages that we will discuss in the following.
We propose an approach similar to the computation of PR
B
(N, M
0
) where we use, in addition
to the equations derived from the P-semiflows, inequalities derived from the basic traps of the net
and we define
PR
A
(N, M
0
) = ¦M ∈ IN
|P|
[ A M ≥ A M
0
¦.
The matrix A is computed from the analysis of the structure of net N. Furthermore, we show
that for ECSM, the class of nets that we consider here, PR
A
(N, M
0
) = R(N, M
0
), i.e., the set
of integer solutions of the inequality A M ≥ A M
0
is exactly the set of reachable markings
[Giua 92d].
There are significant differences between our approach and the analysis based on the state
equation.
• The use of the incidence matrix does not permit verifying propositions such as
(∀M ∈ PR(N, M
0
))[M
f
∈ PR(N, M)]
42
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 43
with a linear algebraic formalism; this proposition, as we will see, expresses the nonblocking
property of a system. This is because the set PR(N, M
0
) is defined in terms of linear
equations containing the variables M and σ. We define the set of reachable markings as the
solution of a set of inequalities which do not contain the firing count vector σ, and we will
be able to write simple integer programming problems to study nonblocking properties of
systems.
• For the class of ECSM nets, the state equation gives only necessary but not sufficient condi-
tions for reachability, since it may contain spurious solutions (solutions which do not corre-
spond to reachable markings), i.e., in general it holds PR(N, M
0
) ⊃ R(N, M
0
). However,
for the same class of nets there exists a matrix A such that PR
A
(N, M
0
) = R(N, M
0
), i.e.,
the reachability set of an ECSM may be exactly described by a set of linear inequalities,
without spurious solutions.
• Note that since the domain PR
A
(N, M
0
) represents the integer solutions of a set of lin-
ear inequalities, it is a convex set of integers. Thus, there exists a matrix A such that
PR
A
(N, M
0
) = R(N, M
0
) if and only if the reachability set of system ¸N, M
0
) is a con-
vex set. If a net is such that the state equation does not contain spurious solutions, this does
not imply that its reachability set is a convex set. As an example, it has been proved that
the state equation of acyclic nets does not contain spurious solutions [Murata 89]. The net
we will discuss in Example 6.2 is acyclic but does not have a convex reachability set. This
means that there are classes of nets such that PR(N, M
0
) = R(N, M
0
) and such that there
does not exist a matrix A such that PR
A
(N, M
0
) = R(N, M
0
).
In our approach determining if a marking is reachable requires the use of Integer Programming.
Integer Programming problems may not be solved, in general, in polynomial time. However, it is
possible to relax the constraint that the solution of A M ≥ A M
0
be integer to obtain a sufficient
condition for the validation of the net. Thus, we may use Linear Programming techniques to prove
that a given undesirable marking is not reachable.
The model considered in this chapter is based on state machine P/T nets with multiple tokens.
State machines may model choice, since a place may have more that one outgoing arc, but strongly
limit the possibility of modeling concurrency, since the only concurrent behavior is given by the
presence of multiple tokens in the net. To describe concurrent systems, the model is extended by
composing the state machine modules through concurrent composition, an operator that requires
the merging of common transitions.
In this approach it is necessary to restrict the type of compositions considered, in order to
guarantee some important properties [Giua 90b]. The final model, called Elementary Composed
State Machines (ECSM nets), can model both choice and concurrent behavior, and at the same
time has the property that the space of reachable markings is a linear integer convex set, i.e., it is
given by the integer solutions of a set of linear inequalities.
Section 2 deals with state machines and reachability using incidence matrix analysis and shows
how it is possible to derive the set of linear inequalities that defines the space of reachable mark-
ings. In Section 3 is defined the class of Elementary Composed State Machine nets and the results
derived in Section 2 are extended to this class. Section 4 finally shows how this approach may be
applied to the validation of supervisors for the control of discrete event systems.
6.2 Incidence Matrix Analysis for State Machines
In this section we discuss two ways of determining if a marking of a state machine is reachable
from the initial marking. In the first approach we consider the state equation of the net. In the
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 44
second we show how the reachability set may be described by a set of equations that do not
involve the firing count vector.
State machines represent a very simple PN model that has been extensively investigated. For
instance, Murata [Murata 89] reports several results on the liveness and reachability characteri-
zation of this class of nets. However, the focus is generally on live state machines (i.e., strongly
connected state machines). In the framework of Supervisory Control, the requirement that the
model be live is not important, while it is required that the system be nonblocking, i.e., that from
any reachable marking it may be possible to reach a final marking. This motivates the attention
given in this chapter to state machines that are not necessarily live.
6.2.1 State Equation
The use of the state equation for characterizing the reachability set of a PN is based on the follow-
ing observation.
Note 6.1. Let ¸N, M
0
) be a marked net and C its incidence matrix.
M ∈ R(N, M
0
) =⇒ (∃σ ∈ IN
m
) [M = M
0
+C σ].
The existence of a vector σ satisfying the previous state equation gives a necessary but not
sufficient condition for the reachability of a given marking. In the general case, a solution M and
σ may exist for the previous equation, but σ yields no firable sequence of transitions and M cannot
be reached.
For state machines, however, the following theorem holds.
Theorem 6.1. Let ¸N, M
0
) be a marked state machine.
M ∈ R(N, M
0
) ⇐⇒ (∃σ ∈ IN
m
) [M = M
0
+C σ].
Proof : Only ⇐= needs to be proved. At least one of the transitions given by σ may fire if
M
0
,= M. In fact, consider a place p
i
÷ M
0
(p
i
) > M(p
i
) ≥ 0. (The existence of such a place is
ensured because state machines are conservative.) Since
M(p
i
) −M
0
(p
i
) =
m

j=1
c
ij
σ
j
< 0,
there exists a transition t
j
such that σ(t
j
) > 0 and c
ij
= −1 , i.e., t
j
outputs from p
i
. Since
M
0
(p
i
) > 0, t
j
may fire reaching a marking M

such that: M = M

+ C σ

, where σ

< σ.
Repeating the previous reasoning it is possible to conclude that eventually M will be reached.
In [Murata 89] is presented the same result in the case of strongly connected state machines.
Ichikawa and Hiraishi [Ichikawa 88b] have shown that for acyclic nets, i.e., nets whose un-
derlying graph has no directed circuits, a vector σ solution of the state equation yields a firable
sequence of transitions. Theorem 6.1 does not imply this stronger property.
Example 6.1. Consider the net in Figure 6.1, where M
0
= (2 0 0 0 0)
T
and M = (1 0 1 0 0)
T
.
The incidence matrix of the net is
C =
_
¸
¸
¸
¸
_
−1 0 −1 0 0 0
1 −1 0 0 0 0
0 1 0 1 0 0
0 0 1 −1 −1 1
0 0 0 0 1 −1
_
¸
¸
¸
¸
_
.
The state equation is satisfied by: σ = (1 1 0 0 1 1)
T
. While σ does not yield a firable sequence
of transitions, M can always be reached: just consider the vector σ

= (1 1 0 0 0 0)
T
(< σ) that
yields the firable sequence: σ

= t
1
t
2
.
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 45
Figure 6.1: State machine in Example 6.1.
Figure 6.2: Firing subnet in Example 6.1.
The problem, as the previous example shows, is that the firing count vector could be counting,
in addition to the sequence of transitions that needs to be fired to go from M
0
to M, a cycle that
cannot be fired because it is not marked by a token. Hence the following two theorems hold.
Theorem 6.2. Let ¸N, M
0
) be a marked state machine and M be a marking of N. A vector
(σ ∈ IN
m
) [M = M
0
+ C σ] yields a firable sequence of transitions from M
0
if (,∃σ


IN
m
) [M = M
0
+C σ

, σ

< σ].
Proof : If σ is the minimal vector satisfying the state equation for M and M
0
, then the firing
subnet given by σ is acyclic and all transitions may fire, as proved in [Ichikawa 88b].
Note that Theorem 6.2 gives a sufficient but not necessary condition. In Example 6.1, consider
the vector σ = (0 0 1 1 1 1)
T
solution of the state equation. σ is not minimal but yields a firable
sequence σ = t
3
t
5
t
6
t
4
.
Theorem 6.3. Let ¸N, M
0
) be a marked state machine and M be a marking of N. A vector
(σ ∈ IN
m
) [M = M
0
+ C σ] yields a firable sequence of transitions from M
0
if and only if in
the firing subnet given by σ each connected component is marked by M
0
.
Proof : The presence of a token in each connected component ensures that the cycles eventually
present in σ can be executed.
The firing subnet for Example 6.1 is in Figure 6.2; here there are two connected components
¦p
1
, p
2
, p
3
¦ and ¦p
4
, p
5
¦, the second of which is not marked; hence its transitions cannot fire.
6.2.2 Defining the Set of Reachable Markings
Theorem 6.4. Let ¸N, M
0
) be a marked state machine. The set of reachable markings R(N, M
0
)
is an integer linear convex set, i.e., can be defined as the integer solutions of a set of linear
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 46
Figure 6.3: Net in Example 6.2, with a non convex reachability set.
inequalities.
Proof : Follows from Algorithm 6.1 presented below.
This property does not hold in general for ordinary P/T nets.
Example 6.2. On the net in Figure 6.3, an ordinary conservative PN, M = (0 1 0 2) can be
reached fromM
0
= (2 1 0 0) but M

=
M
0
+M
2
= (1 1 0 1), which is a linear convex combination
of M
0
and M, cannot be reached.
To determine the set of linear inequalities that the set of reachable markings of a state machine
must satisfy, the following algorithm may be used. Note first that a connected (not necessarily
strongly connected) state machine has a single P-semiflow whose support contains all the places.
Algorithm 6.1. Let ¸N, M
0
) be a marked state machine, and T
i
= ¦p
i
1
, . . . , p
i
k
¦ a trap of N.
Define M(T
i
) = M(p
i
1
) +. . . +M(p
i
k
).
1. Consider all basic traps
1
of the net along with the support of the P-semiflow T
0
.
2. For each trap T
i
write the inequality: M(T
i
) ≥ n
i
, where n
i
is the number of tokens
assigned to T
i
by the initial marking. For T
0
write the equation: M(T
0
) = n
0
, where n
0
is the total number of tokens in the net.
3. If for a trap T
i
(i ,= 0) the number of tokens is n
i
= 0, the inequality for T
i
can be
removed.
4. If T
i
⊂ T
j
(j ,= 0) and n
i
= n
j
, the inequality for T
j
can be removed, since it is implied
by the inequality for T
i
.
5. The remaining set of inequalities plus the inequalities: M ≥

0, gives the set of markings
reachable from the initial marking. These inequalities will be indicated as /(N).
According to this Algorithm, the reachability set of a state machine ¸N, M
0
) can be represent
by the set PR
A
(N, M
0
) = ¦M ∈ IN
|P|
[ A M ≥ A M
0
¦, where each row of the matrix A is
the characteristic vector of the P-semiflow of the net or of one of the basic traps of the net.
Here is an example of application for the algorithm.
Example 6.3. Consider the net in Figure 6.4. Here the basic traps are:
T
0
= ¦p
1
, p
2
, p
3
, p
4
, p
5
, p
6
¦,
T
1
= ¦p
2
¦,
T
2
= ¦p
5
¦,
T
3
= ¦p
6
¦,
T
4
= ¦p
1
, p
2
, p
5
¦,
T
5
= ¦p
3
, p
5
, p
6
¦,
T
6
= ¦p
3
, p
4
, p
5
, p
6
¦.
1
A trap is basic if it is not the union of other traps.
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 47
Figure 6.4: State machine in Example 6.3.
Note, e.g., that the trap ¦p
2
, p
5
¦ is not considered, since it is given by the union of T
1
and T
2
.
The corresponding set of linear inequalities is:
(1) M(p
1
) +M(p
2
) +M(p
3
) +M(p
4
) +M(p
5
) +M(p
6
) = 4,
(2) M(p
2
) ≥ 0,
(3) M(p
5
) ≥ 0,
(4) M(p
6
) ≥ 1,
(5) M(p
1
) +M(p
2
) +M(p
5
) ≥ 2,
(6) M(p
3
) +M(p
5
) +M(p
6
) ≥ 2,
(7) M(p
3
) +M(p
4
) +M(p
5
) +M(p
6
) ≥ 2.
Inequality (2) and (3) will be removed in step 3 of the algorithm, inequality (7) will be removed
in step 4 as it is implied by (6). Finally the set of markings reachable from the initial marking is
given by:
M(p
1
) +M(p
2
) +M(p
3
) +M(p
4
) +M(p
5
) +M(p
6
) = 4,
M(p
6
) ≥ 1,
M(p
1
) +M(p
2
) +M(p
5
) ≥ 2,
M(p
3
) +M(p
5
) +M(p
6
) ≥ 2,
M ≥

0.
Note 6.2. Given a trap T , the complement P ¸ T is a siphon, i.e., there is a siphon o
i
= P ¸ T
i
corresponding to each trap T
i
, (i ,= 0) considered in the Algorithm 6.1. Hence the inequality
for T
i
may be rewritten as M(o
i
) ≤ n
0
−n
i
.
In fact siphons and traps are dual concepts and a dual algorithm, in terms of siphons, may be
given for determining the linear inequalities satisfied by the reachable markings.
Note 6.3. Let ¸N, M
0
) be a marked strongly connected state machine. Then the set of equations
/(N) trivially reduces to:
M(T
0
) = n
0
,
M ≥

0.
Finally, it is necessary to discuss the correctness of the algorithm, i.e., the fact that the set of
markings that satisfy the linear inequalities required by Algorithm 6.1 is exactly the reachability
set. The idea is to show that a description of a state machine in term of traps captures the behavior
of the net. This will be proven through the following propositions.
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 48
Proposition 6.1. Let T be a trap of a state machine. The number of tokens in T is nondecreasing.
Proof : On state machines, the firing of any transition preserves the total number of tokens.
Also a transition has a single input and output arc. Hence no transition may output from a place in
T to a place not in T .
Proposition 6.2. Let T be a minimal trap
2
of a state machine. Then a token in T can move to any
place in T .
Proof : For state machines, it is sufficient to prove that all places in T are strongly connected,
i.e., there is a path from any place to all others. This is trivially true if T consist of a single place.
Assume T consists of k places. Consider a place p
1
∈ T . There must be a transition from p
1
to some place p
2
∈ T , otherwise ¦p
1
¦ is a trap and T is not minimal. Consider ¦p
1
, p
2
¦. With
the same reasoning it is possible to infer that there must be a transition leading from ¦p
1
, p
2
¦ to a
place p
3
∈ T . This reasoning can be carried out until ¦p
1
, p
2
, ...p
k
¦ = T is reached. Hence p
1
is
connected to all places in T . Since this reasoning can be applied to any place p
i
∈ T , the proof is
complete.
Proposition 6.3. Let T be a trap, and let T

= ¦p ∈ T [ p ∈ T

, T

⊂ T , T

is a trap ¦. Then
a token in T ¸ T

can move to any place in T .
Proof : Similar to the proof of Proposition 6.2.
The soundness of the algorithm is then proved by the following reasoning. The marking of the
traps is strictly nondecreasing (Proposition 6.1). The tokens initially present in a minimal trap may
freely move to any place of the trap (Proposition 6.2). The tokens initially present in a trap that
is not minimal are free to move to any place of the trap provided they also satisfy the constraints
enforced by the traps contained in the non minimal trap (Proposition 6.3). These are the only
constraints that the set of reachable markings must satisfy and these constraints are captured by
Algorithm 6.1.
We point out that while in general the number of basic traps of Petri net may be exponential in
the number of places, for state machines the number of basic traps is at most equal to the number
of places. This may be proved by the following inductive reasoning. Consider a state machine with
n places and no transitions; clearly there are n basic traps each one containing a single place. Now
assume we have a state machine with its set of basic traps, and assume we add a new transition
from place p to place p

. Then all the basic traps that do not contain p or that contain p

are still
basic traps. All the basic traps that contain p and do not contain p

will not be traps in the new
net and we need to add to each of them the minimal trap containing p

(there is only one such
minimal trap) to obtain new basic traps. After the new traps are computed, it may well be the case
that two of them are identical, that is the number of basic traps may only decrease when we add a
transition.
6.3 Composition of State Machines Modules
The section discusses how the properties studied in Section 2 for state machines are preserved by
concurrent composition. We will consider a restricted class of compositions.
Let us first introduce the following definitions.
Definition 6.1. A simple path of a net N is a sequence θ = t
0
p
1
t
1
. . . p
r
t
r
of transitions and
places such that
(∀i = 1, . . . , r) [

p
i
= ¦t
i−1
¦, p

i
= ¦t
i
¦, t

i−1
= ¦p
i
¦,

t
i
= ¦p
i
¦].
We assume that (∀i, j = 0, . . . , r ∧ i ,= j)[t
i
,= t
j
]. Note also that a single transition may be
considered as a simple path with no places.
2
A trap is minimal if it is not the superset of another trap.
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 49
Figure 6.5: Two state machines composed along a simple path in Example 6.4.
Definition 6.2. Given a net N, and k simple paths θ
i
= t
i,0
. . . , t
i,r
i
(i = 1, . . . , k), the k paths
are looped in N if
(∃p ∈ P) (∀i = 1, . . . , k) [

t
i,0
= t

i,r
i
= ¦p¦, Pre(p, t
i,0
) = Post(p, t
i,r
i
) = 1].
In simple words, the k paths are looped if there exists a place p such that the initial (and final)
transitions of all paths only input from (and only output to) place p with a single arc.
In this chapter, we will consider compositions of subnets that share: 1) a simple path; 2) a set
of simple paths provided all paths are looped in one of the nets. We assume that the marking of
the places along the composed paths are the same on all subnets.
For this class of compositions we will slightly change the definition of composition given in
Appendix A.5. In fact here we are looking at composition based on the structure of the net rather
that on the language generated by the net.
Example 6.4. The two nets in Figure 6.5 are composed along the simple path θ
1
= t
1
p
2
t
2
. The
composed net is shown in Figure 1.b.
The two nets in Figure 6.6 are composed along the simple paths θ
1
= t
1
p
2
t
2
and θ
2
= t
3
p
3
t
4
.
Paths θ
1
and θ
2
are looped in N
2
.
A net N obtained by composition of subnets N
1
and N
2
is denoted N = N
1
| N
2
.
We also recall the notation used for composed systems. Let N be a composed system N =
N
1
| . . . | N
n
, and let M be a marking, σ be a firing count vector, and σ a firing sequence defined
on it. The projection of M on N
i
, denoted M ↑
i
, is the vector obtained from M by removing all
the components associated to places not present in N
i
. The projection of σ on N
i
, denoted σ ↑
i
,
is the vector obtained by σ removing all the components associated to transitions not present in
N
i
. The projection of σ on N
i
, denoted σ ↑
i
, is the firing sequence obtained by σ removing all the
transitions not present in N
i
.
6.3.1 State Equation
Let N = N
1
| . . . | N
n
be a composed net, and let σ be the firing count vector solution of
M = M
0
+ C σ, where C is the incidence matrix of N. Assume that on each module N
i
(∀i = 1, . . . , n), the firing count vector σ ↑
i
yields a firable sequence σ
i
, i.e., M
0

i

i
) M ↑
i
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 50
Figure 6.6: Two state machines composed along two simple paths in Example 6.4.
, (i = 1, . . . , n). This does not imply, however, that on the composed net σ yields a firable
sequence σ such that M
0
[σ) M.
There exist particular compositions, however, such that the reachability of a marking of the
overall net may be determined simply by the analysis of the modules that compose it. These
compositions, called elementary, are used to define the following class of P/T nets.
Definition 6.3. Elementary Composed State Machine (ECSM) nets are the minimal class of P/T
nets that is a superset of the class of state machines and is closed under the following composi-
tions:
1. Composition of two nets sharing a single transition (or a simple path);
2. Composition of two nets through a set T
s
of k transitions (or a set Θ of k simple paths) when
the transitions (or simple paths) are looped in one of the nets.
Although the two compositions we used to define ECSM may appear exceedingly simple, they
permit the modular synthesis of realistic systems. As an example, the first kind of compositions
may be used to construct the model of several systems connected through buffers or channels. The
second kind of composition may be used to represent shared resources.
Theorem 6.5. Let ¸N, M
0
) be a marked net where N = N
1
| N
2
and assume that N
1
and N
2
have been composed by means of one of the compositions used to define the class of ECSM. A
firing count vector for N yields a firable sequence if and only if on each module N
i
the projection
of the firing count vector yields a firable sequence σ
i
.
Proof : The “only if” part is trivial. Let us prove the “if” part for single transitions (i.e., not
simple path) composition. In the case of simple path compositions the proof is substantially the
same (see also [Giua 90b]).
• Composition of two nets sharing one transition t.
Consider a solution σ of the state equation M = M
0
+ C σ. By hypothesis on N
1
and
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 51
N
2
, σ ↑
i
yields a firable sequence σ
i
such that M
0

i

i
) M ↑
i
, (i = 1, 2). Let the
component of σ associated to the transition t have the value k, i.e., there are k occurrences
of t in each σ
i
. Then σ
i
may be written as
σ
i
= x
0
i
t x
1
i
t . . . x
k−1
i
t x
k
i
, (i = 1, 2).
Now let
σ = x
0
1
x
0
2
t x
1
1
x
1
2
t . . . x
k−1
2
t x
k
1
x
k
2
.
Clearly σ is a firable sequence given by the firing count vector σ.
• Composition of two net sharing a set of transitions T
s
looped in one of the nets.
Consider a solution σ of the state equation M = M
0
+C σ. By hypothesis on N
1
and N
2
,
σ ↑
i
yields a firable sequence σ
i
such that M
0

i

i
) M ↑
i
, (i = 1, 2). Let t
j
i
be the j-th
occurrence in σ
i
of a transition in T
s
. Then σ
i
may be written as
σ
i
= x
0
i
t
1
i
x
1
i
t
2
i
. . . x
k−1
i
t
k
i
x
k
i
, (i = 1, 2).
Let N
2
be the looped net. Then any time a transition t ∈ T
s
fires any other transition in T
s
may fire. Hence the following is a firable sequence for N
2
as well
σ

2
= x
0
2
t
1
1
x
1
2
t
2
1
. . . x
k−1
2
t
k
1
x
k
2
.
Now let
σ = x
0
1
x
0
2
t
1
1
x
1
1
x
1
2
t
2
1
. . . x
k−1
2
t
k
1
x
k
1
x
k
2
.
Clearly σ is a firable sequence given by the firing count vector σ.
Corollary 6.1. Let ¸N, M
0
) be a marked ECSM net where N = N
1
| | N
n
and N
i
, (i =
1, . . . n), is a state machine. A firing count vector for N yields a firable sequence if and only if on
each module N
i
the projection of the firing count vector yields a firable sequence.
Proof: By recursive application of Theorem 6.5.
Theorem 6.2 and Theorem 6.3 may be restated in this form for ECSM nets.
Theorem 6.6. Let ¸N, M
0
) be a marked ECSM net and M be a marking of N. N = N
1
| . . . |
N
n
and N
i
, (i = 1, . . . , n), is a state machine.
A vector (σ ∈ IN
m
) [M = M
0
+C σ] yields a firable sequence of transitions if
(∀i = 1, . . . , n)(,∃σ

i
) [M ↑
i
= M
0

i
+C
i
σ

i
, σ

i
< σ ↑
i
].
Proof : Under these hypotheses, on each module σ ↑
i
yields a firable sequence (by Theo-
rem 6.2). Hence by Corollary 6.1 σ yields a firable sequence for N.
Theorem 6.7. Let ¸N, M
0
) be a marked ECSM net and M be a marking of N. N = N
1
| . . . |
N
n
and N
i
, (i = 1, . . . , n), is a state machine.
A vector (σ ∈ IN
m
) [M = M
0
+ C σ] yields a firable sequence of transitions if and only if
in the firing subnet given by σ ↑
i
(i = 1, . . . , n) each connected component is marked by M
0
.
Proof : On module N
i
, the firing count vector σ ↑
i
yields a firable sequence if and only if in the
firing subnet all connected components are marked (by Theorem 6.3). Hence by Corollary 6.1 σ
yields a firable sequence for N if and only if in the firing subnet for each module N
i
all connected
components are marked.
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 52
6.3.2 Defining the Set of Reachable Markings
This subsection will show how it is possible to derive the set of linear inequalities that defines
the set of reachable markings in ECSM nets. Firstly, the case of two state machines, composed
through a single transition or a set of looped transitions, is discussed. Then these results will be
extended to the composition of ECSM through simple paths.
Definition 6.4. Let ¸N, M
0
) be a marked state machine where M
0
assigns all the tokens to a place
p
0
, and let M
p
be a marking that assigns a single token to place p and no token elsewhere. Given
a transition t, it is possible to define the following two sets of places on the net:
P
t
= ¦p ∈ P [ (∃σ) [σ(t) > 0, M
p
0
[σ) M
p
]¦,
P
t
= ¦p ∈ P [ (∃σ) [σ(t) = 0, M
p
0
[σ) M
p
]¦.
In simple words, the set P
t
contains the places that may be marked by firing t at least once by
an initial marking that assigns a token to the initial place p
0
and no tokens to the other places. The
set P
t
contains the places that may be marked without firing t by an initial marking that assigns a
token to the initial place p
0
and no tokens to the other places.
Similarly, given a set of transitions T
s
, it is possible to define the following two sets of places
on the net:
P
T
s
= ¦p ∈ P [ (∃σ) (∃t ∈ T
s
) [σ(t) > 0, M
p
0
[σ) M
p
]¦,
P
T
s
= ¦p ∈ P [ (∃σ) (∀t ∈ T
s
) [σ(t) = 0, M
p
0
[σ) M
p
]¦.
Proposition 6.4. (Firing Bounds) Let ¸N, M
0
) be a marked state machine where M
0
assigns all
the tokens to a place p
0
. Now given a marking M ∈ R(N, M
0
), the number of times t has fired to
reach M may vary and can assume any integer value in the range [ρ
min
(M, t), ρ
max
(M, t)], where
ρ
min
(M, t) =

p∈P
t
\P
t
M(p);
ρ
max
(M, t) =
_
¸
¸
¸
¸
¸
¸
¸
¸
_
¸
¸
¸
¸
¸
¸
¸
¸
_

p∈P
t
M(p) if there is no cycle containing t,
0 if there is a cycle containing t
and

p∈P
t
M(p) = 0,
∞ if there is a cycle containing t
and

p∈P
t
M(p) > 0.
ρ
min
(M, t) and ρ
max
(M, t) are called the firing bounds of t for marking M.
Proof : For each token in P
t
¸P
t
transition t must have fired at least once, while for each token
in P
t
transition t may have fired once if there is no cycle containing t or an arbitrary large number
of times if there is a cycle containing t.
Note, also, that
ρ
min
(M, t) ≤

p∈P
M
0
(p),
and that when there is a cycle containing t a good approximate bound — that will be used in the
following — for ρ
max
(M, t) is
ρ

max
(M, t) = h

p∈P
t
M(p) ≤ ρ
max
(M, t),
where h is any integer large enough.
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 53
Figure 6.7: State machine in Example 6.4.
Proposition 6.4 is restricted to the case of an initial marking that assigns all tokens to a single
place. This requirement is fair, in the sense that in the application cases of interest here, such as
manufacturing systems, etc., the presence of multiple tokens in a state machine module indicates a
multiplicity of identical resources, such as buffer spaces or identical machines. Hence the multiple
tokens initially should be assigned to the same place. The following example will clarify the
necessity for this restriction.
Example 6.5. In the net N
1
in Figure 6.7, ρ
max
cannot be expressed as a simple linear function
of a marking M but may be defined as
ρ
max
(M, t) = min¦ M(p
2
), M(p
2
) +M(p
3
) −1,
M(p
2
) +M(p
4
) −1, M(p
2
) +M(p
3
) +M(p
4
) −2¦.
The problem here is that the sets P
t
and P
t
are different for the different places marked by the
initial marking. However, whenever these sets are identical for all the places marked by the initial
marking, even if they are more than one, the results of Proposition 6.4 are valid. We will assume
in the following, unless explicitly stated otherwise, that this initial marking condition is verified
on all state machine modules considered.
When two nets N
i
(i = 1, 2) are composed through a single transition t, the marking of the
overall net will be a subset of the cartesian product of the markings of the two modules. Given
a reachable marking M
i
on the net N
i
, the marking M = [M
T
1
M
T
2
]
T
will be reachable on the
composed net if and only if there is a sequence σ
i
reaching M
i
on the net N
i
(i = 1, 2), and
σ
1
(t) = σ
2
(t). If N
1
and N
2
are state machines, this requires that

1
min
(M
1
, t), ρ
1
max
(M
1
, t)]


2
min
(M
2
, t), ρ
2
max
(M
2
, t)] ,= ∅.
where the exponent i in ρ
i
min
(M
i
, t) and ρ
i
max
(M
i
, t) denotes that the firing bound is computed on
the net N
i
. Clearly the two intervals will not be disjoint if and only if: ρ
1
min
(M
1
, t) ≤ ρ
2
max
(M
2
, t),
and ρ
2
min
(M
2
, t) ≤ ρ
1
max
(M
1
, t).
Theorem 6.8. When two state machines N
1
and N
2
are composed through a single transition t
the set of markings reachable from the initial marking M
0
for the composed net N = N
1
| N
2
is
given by the following set of linear inequalities /(N):
/(N
1
),
/(N
2
),

p∈P
1
t
\P
1
t
M(p) ≤ h
2

p∈P
2
t
M(p),
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 54
Figure 6.8: ECSM net in Example 6.6.

p∈P
2
t
\P
2
t
M(p) ≤ h
1

p∈P
1
t
M(p),
where:
• /(N
i
) (i = 1, 2), is the set of inequalities for the net N
i
(as derived with Algorithm 6.1);
• the set of places P
i
t
and P
i
t
belongs to N
i
(i = 1, 2), and are determined as in Definition 6.4;
• h
1
= 1 (h
2
= 1), if there is no cycle containing t in N
1
(N
2
), else h
1
(h
2
) is equal to the
number of tokens contained in net N
2
(N
1
). As noted before, we are using an approximated
linear bound for ρ
i
max
(M
i
, t).
Proof: Follows from Proposition 6.4 and the fact that if the last two inequalities are satisfied
there exists a firable sequence σ
i
for both modules that reaches M ↑
i
firing t an equal number of
times. Hence the vector
(σ ∈ IN
m
) [σ ↑
1
= σ
1
, σ ↑
2
= σ
2
]
is a firing count vector for N and by Theorem 6.5 there exists a firable sequence for the overall
net.
Example 6.6. Consider the composed system of Figure 6.8. The set of places of interest are:
P
1
t
= ¦p
2
¦,
P
1
t
= ¦p
1
¦,
P
2
t
= ¦p
4
, p
5
, p
6
, p
7
¦,
P
2
t
= ¦p
3
, p
4
, p
7
¦.
Since there is no cycle containing t in N
1
, then h
1
= 1, while, since there is a cycle containing t
in N
2
, h
2
= 3. The linear inequalities that define the space of reachable markings on N
1
is:
M(p
1
) +M(p
2
) = 3,
M(p
1
), M(p
2
) ≥ 0,
and on N
2
:
M(p
3
) +M(p
4
) +M(p
5
) +M(p
6
) +M(p
7
) = 2,
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 55
M(p
3
), M(p
4
), M(p
5
), M(p
6
), M(p
7
) ≥ 0.
Hence the set of reachable markings on the composed system is defined by:
M(p
1
) +M(p
2
) = 3,
M(p
3
) +M(p
4
) +M(p
5
) +M(p
6
) +M(p
7
) = 2,
M(p
2
) ≤ 3(M(p
4
) +M(p
5
) +M(p
6
) +M(p
7
)),
M(p
5
) +M(p
6
) ≤ M(p
2
),
M ≥

0.
Note 6.4. The inequalities derived in Theorem 6.8 may not always be necessary. Suppose that on
one of the modules, say N
1
, one of the following conditions holds:
1. P
1
t
¸ P
1
t
= ∅. Hence
0 =

p∈P
1
t
\P
1
t
M(p) ≤ h
2

p∈P
2
t
M(p)
is always verified.
2. P
1
t
= P
1
. Here P
1
is the set of places of N
1
. In this case there is a cycle containing t and p
0
(the place marked by M
0
), and t may fire infinitely often in N
1
for each reachable marking.
Hence

p∈P
2
t
\P
2
t
M(p) ≤ h
1

p∈P
1
t
M(p)
is always verified.
In the following example we will show an example of a system in which the initial marking
marks more than one place.
Example 6.7. In the net N
1
in Figure 6.7, discussed in Example 6.5, we have
ρ
1
max
(M, t) = min¦ M(p
2
), M(p
2
) +M(p
3
) −1,
M(p
2
) +M(p
4
) −1, M(p
2
) +M(p
3
) +M(p
4
) −2¦,
ρ
1
min
(M, t) = 0.
Hence, when composing the module through transition t with another module N
2
the following
inequalities should be considered
/(N
1
),
/(N
2
),
ρ
2
min
(M, t) ≤ M(p
2
),
ρ
2
min
(M, t) ≤ M(p
2
) +M(p
3
) −1,
ρ
2
min
(M, t) ≤ M(p
2
) +M(p
4
) −1,
ρ
2
min
(M, t) ≤ M(p
2
) +M(p
3
) +M(p
4
) −2.
The case of a composition of two state machines through a set of transitions T
s
is now consid-
ered.
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 56
Theorem 6.9. When two state machines N
1
and N
2
are composed through a set T
s
of transitions
and these transitions are looped in one of the nets, say N
2
, the set of markings reachable from the
initial marking M
0
for the composed net N = N
1
| N
2
is given by the following set of linear
inequalities /(N):
/(N
1
),
/(N
2
),

p∈P
1
T
s
\P
1
T
s
M(p) ≤ h

p∈P
2
T
s
M(p),
where:
• /(N
i
) (i = 1, 2), is the set of inequalities for the net N
i
(as derived with Algorithm 6.1);
• the sets of places P
i
T
s
and P
i
T
s
(i = 1, 2), belongs to N
i
, and are determined as in Defini-
tion 6.4;
• h is equal to the number of tokens contained in N
1
.
Proof: Given the special structure of N
2
, any reachable marking M
2
of N
2
may be reached
without firing any transition in T
s
. Hence it is never possible, as suggested by the previous note,
that a firing sequence on N
2
may require the firing of more transitions in T
s
than a firing sequence
on N
1
. Also, if a marking M

2
of N
2
may be reached by firing a transition in T
s
, then any sequence
of transitions in T
s
may also be fired. Hence the only constraint imposed by the composition of the
two modules is that for any marking M = [M
T
1
M
T
2
]
T
, if reaching M
1
requires the firing of one
or more transition in T
s
, M
2
may be also be reached by firing a transition in T
s
. This constraint is
expressed by the third inequality of /(N).
The following two theorems generalize Theorem 6.8 and Theorem 6.9 to the composition
of two ECSM (not only state machines) along simple paths (not only single transitions). These
theorems will be given without proof.
When two ECSM nets are composed along a simple path it is necessary to consider the pos-
sibility that the path may belong to more than one state machine module on each net. Also the
places determined in Definition 6.4 are computed with respect to the first transition of the path.
Theorem 6.10. Let N
1
and N
2
be two ECSM nets, i.e., N
i
= N
i,1
| . . . | N
i,n
i
(i = 1, 2), where
N
i,j
is a state machine. Assume N
1
and N
2
are to be composed through a simple path of transitions
θ = t
0
p
1
t
1
. . . p
r
t
r
that belongs to modules N
1,q
(q ∈ J
1
) and to modules N
2,s
(s ≤ J
2
). The set
of markings reachable from the initial marking M
0
for the composed net N = N
1
| N
2
is given
by the following set of linear inequalities /(N):
/(N
1
),
/(N
2
),

p∈P
1,q
t
0
\P
1,q
t
0
M(p) ≤ h
q,s
2

p∈P
2,s
t
0
M(p), (q ∈ J
1
, s ∈ J
2
),

p∈P
2,s
t
0
\P
2,s
t
0
M(p) ≤ h
q,s
1

p∈P
1,q
t
0
M(p), (q ∈ J
1
, s ∈ J
2
),
where:
• /(N
i
) is the set of inequalities for the net N
i
;
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 57
• the sets of places P
i,j
t
and P
i,j
t
(i = 1, 2; j ∈ J
i
),belongs to N
i,j
, and are determined as in
Definition 6.4;
• h
q,s
1
= 1 (h
q,s
2
= 1) if there does not exist a cycle containing the path θ in the net N
1,q
(N
2,s
). Else h
q,s
1
(h
q,s
2
) is equal to the number of tokens contained in the net N
2,s
(N
1,q
).
When two ECSM nets are composed along k simple paths, the paths are looped in one of
the nets, hence they belong to only one state machine module of the looped net. However, it is
necessary to consider the possibility that each path may belong to more than one state machine
module on the net that is not looped.
Theorem 6.11. Let N
1
and N
2
be two ECSM nets, i.e., N
i
= N
i,1
| . . . | N
i,n
i
(i = 1, 2),
where N
i,j
is a state machine. Assume N
1
and N
2
are to be composed through a k simple path
of transitions θ
j
= t
j
0
p
j
1
t
j
1
. . . t
j
r
j
(j = 1, . . . , k), and let T
s
= ¦t
1
0
, . . . , t
k
0
¦. Assume furthermore
that path θ
j
belongs to modules N
1,q
(q ∈ J
j
) and that all paths are looped in the module N
2,1
.
The set of markings reachable from the initial marking M
0
for the composed net N = N
1
| N
2
is
given by the following set of linear inequalities /(N):
/(N
1
),
/(N
2
),

p∈P

1
M(p) ≤ h

p∈P

2
M(p),
where:
• /(N
i
) is the set of inequalities for the net N
i
;
• P

1
is the set of places in N
1
that may be marked only by firing a transition t ∈ T
s
:
P

1
=
k
_
j=1
_
q∈J
j
_
P
1,q
t
j
0
¸ P
1,q
t
j
0
_
,
while P

2
is the set of places in N
2
that may be marked firing a transition t ∈ T
s
:
P

2
= P
2,1
T
s
;
• h is equal to the sum of the tokens contained in the nets N
1,q
(q ∈ J
j
) (j = 1, . . . , k).
We conclude this section pointing out that when state machines modules are composed to form
an ECSM, the number of equations of that defines the reachability set grows, in the worst case,
more than linearly. In the case of Theorem 6.10 we have to add 2 [J
1
[ [J
2
[ equations.
6.4 Supervisory Verification
In this section the results developed so far are applied to the validation of supervisors for the
control of discrete event systems (DES).
Consider m discrete event systems, represented by the state machines N
1
, . . . , N
m
, working
concurrently. It is generally assumed that the set of transitions of all these systems are disjoint.
The specifications to be enforced on the joint behavior of these systems are represented by n
different state machines H
1
, . . . , H
n
, whose transitions are a subset of all the transitions of the N’s.
The procedure for determining a monolithic supervisor requires the construction, by concurrent
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 58
composition, of the net E = N
1
| . . . | N
m
| H
1
| . . . | H
n
. Recall that there exists a set of
final markings associated to the N’s and H’s.
E and the nets N
i
(i = 1, . . . , n) will run in parallel, i.e., whenever a transition fires on
one of the nets N
i
, it is also fired in E. Furthermore, the transitions enabled in E at a given
marking represent the transitions that are allowed to fire in the nets N
i
, while all other transitions
are disabled. The net E will represent a proper supervisor, if the following two properties are
ensured.
• Nonblockingness: the reachability set of the net E does not contain blocking markings, i.e.,
markings from which a final marking cannot not be reached;
• Controllability: it is not possible to reach a marking fromwhich an uncontrollable transition,
belonging to the net N
i
, is enabled in N
i
but is not enabled in E.
In the following subsection it is discussed how these properties may be verified by Integer
Programming techniques in the case that E is an ECSM net. Clearly these restrictions heavily limit
the class of control problems that can be solved by our approach. However, it is possible to check
for these properties in more efficient ways than by brute force state space search. Additionally,
as will be shown below, it may be the case that the model may be validated by simple Linear
Programming.
6.4.1 Blocking
Let ¸N, M
0
) be a marked net, and M
f
be a final marking associated to it. For the sake of simplicity
assume that M
f
is the only final marking of the net. The net N will be blocking if and only if
(∃M) [M ∈ R(N, M
0
), M
f
,∈ R(N, M)]
Now the set R(N, M
0
) of an ECSM net can be given as a convex linear set, as shown in
Section 3. Similarly the coreachability set of M
f
, i.e., the set ¦M [ M
f
∈ R(N, M)¦, can be
given in this form, according to the following proposition.
Proposition 6.5. Let N = (P, T, I, O) be a net. Given a marking M
f
of N, the coreachability set
of M
f
is identical to the reachability set from M
f
in the reversed net N
R
= (P, T, O, I), that is,
¦M [ M
f
∈ R(N, M)¦ = R(N
R
, M
f
).
Finally it is possible to check for the existence of blocking markings as follows.
Proposition 6.6. Let ¸N, M
0
) be a marked ECSM net and let M
f
be the final marking associated
with it. Assume the reachability set of M
0
is given by the set PR
A
0
(N, M
0
) = ¦M ∈ IN
|P|
[
A
0
M ≥ A
0
M
0
¦, and the coreachability set of M
f
is given by the set PR
A
f
(N, M
f
) = ¦M ∈
IN
|P|
[ A
f
M ≥ A
f
M
f
¦, where
A
f
=
_
_
a
1
f
. . .
a
k
f
_
_
.
Then there exist a blocking marking M if and only if one or more of the following Constraint Sets
has an integer feasible solution (∀i = 1, . . . , k):
A
0
M ≥ A
0
M
0
, CS1
i
a
i
f
M ≤a
i
f
M
f
−1,
M ≥

0.
Proof: M is a blocking marking ⇐⇒ M ∈ R(N, M
0
) ∧ M
f
,∈ R(N, M) ⇐⇒ [A
0
M ≥
A
0
M
0
] ∧ [A
f
M ≥ A
f
M
f
] ⇐⇒ [A
0
M ≥ A
0
M
0
] ∧ [
_
k
i=1
a
i
f
M < a
i
f
M
f
] ⇐⇒
(∃i)[(A
0
M ≥ A
0
M
0
) ∧ (a
i
f
a
i
f
M
f
−1)].
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 59
Note that each constraint a
i
f
M <a
i
f
M
f
has been rewritten in the equivalent forma
i
f
M ≤
a
i
f
M
f
−1.
It is possible to relax the constraint that the vector M be integer and obtain a sufficient con-
dition for the validation of the net. In fact, if no real vector M satisfies the previous systems of
inequalities no blocking marking may be reached.
Note also that some of the constraints a
i
f
M ≥a
i
f
M
f
may be trivially verified by any marking
in R(N, M
0
). This is the case, for instance, for the constraints coming from the P-semiflows of
the net that are satisfied by the reachable and coreachable markings. Thus, we need not solve the
corresponding CS1
i
, as it clearly has no feasible solution.
6.4.2 Controllability
Consider the net E constructed by concurrent composition of all the systems and specification
modules. Let t
q
∈ T
u
be an uncontrollable transition and assume that t
q
belongs to the system net
N
i
. (By the hypothesis that all the systems have disjoint transitions, a transition may belong to
only one net N, although it may belong to more than one specification net H.) Let the preset of t
q
be:

t
q
= ¦p
0
q
, . . . , p
k
q
q
¦, where p
0
q
is a place of N
i
and p
j
q
(j > 0) is a place of some specification
net H.
E is not controllable if and only if it is possible to reach a marking M such that an uncontrol-
lable transition t
q
is enabled by M ↑
i
in N
i
, but it is not enabled by M in E. In other words, E is
not controllable if and only if
(∃t
q
∈ T
u
) (∃M) [M ∈ R(E, M
0
) ∧ M(p
0
q
) ≥ 1 ∧ (
k
q

j=1
M(p
j
q
) ≤ 0)].
Proposition 6.7. Let the reachability set of E be given by the set PR
A
(E, M
0
) = ¦M ∈ IN
|P|
[
AM ≥ AM
0
¦. Then E will not be controllable if and only if one or more of following Constraint
Sets has an integer feasible solution (∀t
q
∈ T
u
and ∀p
j
q


t
q
j > 0)
A M ≥ A M
0
, CS2
q,j
M(p
0
q
) ≥ 1,
M(p
j
q
) ≤ 0,
M ≥

0.
Proof: E is not controllable ⇐⇒
(∃t
q
∈ T
u
) (∃M) [M ∈ R(E, M
0
) ∧ M(p
0
q
) ≥ 1 ∧ (
_
k
q
j=1
M(p
j
q
) ≤ 0)] ⇐⇒
(∃t
q
∈ T
u
) (∃M) (∃j) [A M ≥ A M
0
∧ M(p
0
q
) ≥ 1 ∧ M(p
j
q
) ≤ 0].
Also if the constraint that M be integer is relaxed, we may use Linear Programming to derive
a sufficient condition for E to be controllable.
6.5 Conclusions
In this chapter we have defined a class of P/T net, called Elementary Composed State Machine
nets. The reachability problem for this class can be solved by incidence matrix analysis. We
have shown how it is possible to derive a set of linear inequalities that exactly define the set of
reachable markings. Important properties of the net, such as the absence of blocking states or
controllability, may be studied by Integer Programming techniques. This approach may be used
to validate supervisors for the control of discrete event systems.
The main drawbacks of this approach is summarized as follows:
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 60
• Integer Programming problems may be not be solved, in general, in polynomial time. How-
ever we have also shown that it is possible to use Linear Programming techniques to derive
sufficient conditions for supervisory validation.
• The model is limited, in the sense that there exist monolithic supervisors that cannot be
modeled as ECSM nets.
• Although a procedure to validate a supervisor is given here, the control problem is not di-
rectly solved, in the sense that if the model does not have the desired properties the approach
does not directly lead to the construction of a proper supervisor.
Chapter 7
GENERALIZED MUTUAL
EXCLUSION CONSTRAINTS
7.1 Introduction
Mutual exclusion constraints are a natural way of expressing the concurrent use of a finite number
of resources, shared among different processes. In the framework of Petri nets and from a very
general perspective, we define a generalized mutual exclusion constraint (GMEC) as a condition
that limits a weighted sum of tokens contained in a subset of places [Giua 92b]. Let ¸N, M
0
) be a
net system with set of places P. A constraint ( w, k) defines a set of legal markings:
/( w, k) = ¦M ∈ IN
|P|
[ w
T
M ≤ k¦,
where w is a weight vector of nonnegative integers, and k is a positive integer. Markings in IN
|P|
that are not legal will be denoted forbidden markings.
In the first part of this chapter we present a methodology, based on linear algebraic techniques
[Silva 92], to compare and simplify GMEC. An equivalence notion among GMEC is introduced
and studied from the point of view of structural net theory.
In traditional Petri net modeling all transitions are assumed to be controllable, i.e., may be
prevented from firing by a control agent. A problem addressed for those systems with shared
resources has been that of deadlock prevention or avoidance [Banaszak 90, Viswanadham 90,
Zhou 91]. A single GMEC may be easily implemented by a monitor, i.e., a place whose initial
marking represents the available units of a resource and whose outgoing and incoming transitions
represent, respectively, the acquisition and release of units of the resource.
In the framework of Supervisory Control [Golaszewski 88], the complexity of enforcing a
GMEC is enhanced by the presence of uncontrollable transitions, i.e., transitions that may be
observed but not prevented from firing by a control agent. To enforce a given GMEC, it is nec-
essary to prevent the system from reaching a superset of the forbidden markings, containing all
those markings from which a forbidden one may be reached by firing a sequence of uncontrollable
transitions. Unfortunately, in this case we prove that the set of legal markings cannot always be
represented by a linear domain in the marking space, thus there exist problems which do not have
a “monitor-based” solution.
In this context, the second part of this chapter discusses GMEC for systems represented as
marked graphs. The goal is that of constructing a supervisor capable of enforcing the constraints.
A solution to this problem has been given by Holloway and Krogh [Holloway 90, Holloway 92a,
Krogh 91]. In their approach, which may be defined as fully interpreted, the control policy is
efficiently computed by an on-line controller as a feedback function of the marking of the system.
In this work, instead, we are interested in deriving a net based structure for the supervisor. We
61
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 62
will discuss and compare several solutions. Some of these models will be fully compiled, i.e., the
corresponding supervisor is represented by a P/T net, others will be partially compiled, i.e., the
corresponding supervisor is given as an interpreted net in which the firing of some transitions not
only depends on the marking of the net but on the value of some boolean expressions as well.
The advantages of fully compiling the supervisor action in a net structure are:
• The computation of the control action is faster, since it does not require separate on-line
computation.
• The same Petri net system execution algorithms may be used for both the original system
and the supervisor.
• A closed-loop model of the system under control may be built with standard net composition
constructions, and analyzed for properties of interest. Moreover, the structural theory of
Petri nets may be used to prove, without an exhaustive state space search, that the system
under control enjoys the properties.
On the other hand, partially compiled models are more flexible in the sense that some inter-
pretations may be used to implement complex control policies, whose corresponding net structure
may be exceedingly large.
The chapter is structured as follows. In Section 7.2, generalized mutual exclusions constraints
are defined. If all transitions of the net are controllable, these constraints may be enforced by a
monitor place. If some of the transitions are uncontrollable, it is possible to prove that a monitor-
based solution may not exist. In Section 7.3, we study the properties of marked graphs with the
addition of monitor places. In particular, we discuss a sub-class of marked graphs for which there
is always a monitor-based solution, corresponding to a set of GMEC, even when some transitions
are uncontrollable. In Section 7.4, we present two different P/T structures for the supervisor
capable of enforcing GMEC for this sub-class of marked graphs. In Section 7.5, we present two
different partially compiled net structures for the supervisor capable of enforcing GMEC for this
sub-class of marked graphs. In Section 7.6, we compare the advantages and disadvantages of the
different control structures.
7.2 GMEC and Monitors
In this section we define a generalized mutual exclusion constraint (GMEC) as a condition that
limits the weighted sum of tokens in a set of places. We discuss the modeling power of this kind
of constraint and prove that only for restricted classes of systems a forbidden marking problem
may be expressed as a mutual exclusion problem. Then we study how GMEC may be enforced by
adding additional control structure, in the form of new places called monitors, to the net.
7.2.1 Generalized Mutual Exclusion Constraints
Definition 7.1. Let ¸N, M
0
) be a net system with set of places P. A single generalized mutual
exclusion constraint ( w, k) defines a set of legal markings
/( w, k) = ¦M ∈ IN
|P|
[ w
T
M ≤ k¦,
where w : P → IN is a weight vector, and k ∈ IN
+
. The support of w is the set Q
w
= ¦p ∈ P [
w(p) > 0¦.
A set of generalized mutual exclusion constraints (W,

k), with W = [ w
1
. . . w
m
] and

k =
(k
1
. . . k
m
)
T
, defines a set of legal markings
/(W,

k) =
m

i=1
/( w
i
, k
i
) = ¦M ∈ IN
|P|
[ W
T
M ≤

k¦.
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 63
As a particular case, when w ≤

1, i.e., w(p) = 1 (∀p ∈ Q
w
), the unweighted GMEC ( w, k)
is reduced to the set condition considered in [Krogh 91].
In the following we will discuss the redundancy and equivalence between constraints.
Definition 7.2. Let ¸N, M
0
) be a system. A GMEC ( w, k) is redundant with respect to (wrt) a set
of markings A ⊆ IN
|P|
if A ⊆ /( w, k).
A GMEC ( w, k) is redundant wrt a system ¸N, M
0
) if R(N, M
0
) ⊆ /( w, k).
A set of GMEC (W,

k), where W = [ w
1
. . . w
m
] and

k = (k
1
. . . k
m
)
T
, is redundant wrt
¸N, M
0
) if ( w
i
, k
i
) is redundant for all i = 1, . . . , m.
Linear programming techniques may be used to derive sufficient conditions for redundancy.
Proposition 7.1. If the following Linear Programming Problem (LPP) has optimal solution x

<
k + 1 then the GMEC ( w, k) is redundant wrt ¸N, M
0
):
x = max w
T
M
s.t. M = M
0
+C σ,
M, σ ≥

0.
Proof: If x

< k + 1 then PR(N, M
0
) ⊆ /( w, k) and this implies that R(N, M
0
) ⊆
/( w, k).
The proposition gives a sufficient condition for redundancy. There are classes of nets, such as
marked graphs (see Proposition 7.3), for which the condition is necessary and sufficient [Colom 89].
Also for the nets for which PR(N, M
0
) = PR
B
(N, M
0
) we may equivalently check for redun-
dancy solving the following linear programming problem:
x = max w
T
M
s.t. B
T
M = B
T
M
0
,
M ≥

0.
where B is a basis of P-semiflows of the net.
Definition 7.3. Two sets of GMEC(W
1
,

k
1
) and (W
2
,

k
2
) are equivalent wrt ¸N, M
0
) if R(N, M
0
)∩
/(W
1
,

k
1
) = R(N, M
0
) ∩ /(W
2
,

k
2
).
We may check for equivalence between constraints using the same approach we used to check
for redundancy. In fact from the definition it follows that two sets of GMEC(W
1
,

k
1
) and (W
2
,

k
2
)
are equivalent wrt ¸N, M
0
) if and only if (W
1
,

k
1
) is redundant wrt R(N, M
0
) ∩/(W
2
,

k
2
), and
(W
2
,

k
2
) is redundant wrt R(N, M
0
) ∩ /(W
1
,

k
1
).
Example 7.1. Consider the system in Figure 7.1a whose set of reachable markings is R(N, M
0
) =
¦M [

1
T
M = 3¦. Let ( w
1
, k
1
) and ( w
2
, k
2
) be two GMEC with: w
1
= (1330)
T
, k
1
= 5, and
w
2
= (0110)
T
, k
2
= 1.
To prove that the two constraints are equivalent wrt the system considered we may proceed as
follows. The LPP
x
1
= max w
T
1
M
s.t.

1
T
M = 3,
w
T
2
M ≤ 1,
M ≥

0,
has optimal value x

1
= 5 < k
1
+ 1, hence by Proposition 7.1 R(N, M
0
) ∩ /( w
2
, k
2
) ⊆
/( w
1
, k
1
). The LPP
x
2
= max w
T
2
M
s.t.

1
T
M = 3,
w
T
1
M ≤ 5,
M ≥

0,
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 64
Figure 7.1: System in Example 7.1.
has optimal value x

2
=
5
3
< k
2
+ 1, hence R(N, M
0
) ∩ /( w
1
, k
1
) ⊆ /( w
2
, k
2
). This proves
that the two constraints are equivalent for the given system.
The equivalence between constraints leads to the idea of simplification of a constraint. Given
a constraint ( w, k), we may look for a simpler, but equivalent, constraint. A constraint ( w

, k

)
is simpler than ( w, k) if w

< w. In the next subsection we will see that simpler constraints
require simpler control structure to be enforced. The next example shows another advantage of
simplifying constraints.
Example 7.2. For the system in Figure 7.1a consider, in addition to the two constraints discussed
in Example 7.1, the constraint ( w
3
, k
3
) with: w
3
= (0330)
T
, k
3
= 5. By definition, ( w
2
, k
2
)
is simpler than ( w
3
, k
3
) that is simpler than ( w
1
, k
1
). It is immediate to see that /( w
3
, k
3
) =
/( w
2
, k
2
), i.e., ( w
3
, k
3
) is equivalent to ( w
2
, k
2
) wrt ¸N, M
0
). Since we have proved in Exam-
ple 7.1 that ( w
1
, k
1
) is equivalent to ( w
2
, k
2
), the equivalence between ( w
1
, k
1
) and ( w
3
, k
3
) also
follows.
Note, however, that if we try to use a LPP to prove that ( w
1
, k
1
) is redundant wrt R(N, M
0
) ∩
( w
3
, k
3
) we have an inconclusive answer. In fact the LPP
x
1
= max w
T
1
M
s.t.

1
T
M = 3,
w
T
3
M ≤ 5,
M ≥

0,
has optimal value: x

1
=
19
3
> 6, hence we cannot conclude that ( w
1
, k
1
) is redundant wrt
R(N, M
0
) ∩ ( w
3
, k
3
).
It is important, in the previous example, to pinpoint the advantage of using the simpler un-
weighted constraint ( w
2
, k
2
) rather than the weighted one ( w
3
, k
3
) to prove equivalence to ( w
1
, k
1
).
The system considered in the example is a live marked graph, and the constraint set that defines
the set of reachable markings has integer extremal points, hence any optimal solution of the Lin-
ear Programming Program is also a solution of the corresponding Integer Programming Problem.
This property is preserved if we add any number of unweighted constraints to the constraint set
that defines the set of reachable markings.
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 65
Figure 7.2: Reachable markings in Example 7.5.
7.2.2 Modeling Power of Generalized Mutual Exclusion Constraints
In this subsection we discuss the modeling power of GMEC, both weighted and unweighted.
The use of weights in the definition of ( w, k) may be a useful way to compactly express
more than one unweighted constraint, i.e., it may be the case that a weighted constraint may be
decomposed into a set of unweighted ones.
Example 7.3. In the case of safe (i.e., 1-bounded) systems, the constraint ( w, k) with w =
(1234)
T
and k = 5 is equivalent to the set of constraints (W,

k) with
W =
_
_
1 1 1 0
0 1 0 1
0 0 1 1
_
_
,
and

k = (211)
T
. In fact /( w, k) ∩ ¦0, 1¦
4
= /(W,

k) ∩ ¦0, 1¦
4
.
We point out that there does not always exist a set of unweighted constraints equivalent to a
set of weighted ones.
Example 7.4. Consider again the system in Figure 7.1a. Let ( w, k) be a GMEC with: w =
(1200)
T
, k = 4. In Figure 7.2 we have represented the projection of the reachability set on the
first two components, M(p
1
) and M(p
2
). Markings M
1
= (2100)
T
and M
2
= (0210)
T
are legal,
while marking M
3
= (1200)
T
is forbidden by ( w, k).
If there exists a set of unweighted constraints (W,

k) equivalent to ( w, k), then one of the
constraints in this set must be ( w

, k

), with w

=

1, such that M
1
, M
2
∈ /( w

, k

), and M
3
,∈
/( w

, k

). We will prove, by contradiction, that no such ( w

, k

) may exists. In fact, w

M
1
<
w

M
3
=⇒ w

(p
1
) < w

(p
2
), and w

M
2
< w

M
3
=⇒ w

(p
3
) < w

(p
1
). That is, in order
to have an unweighted constraint that forbids M
3
but that does not forbid M
1
and M
2
we need
to chose a w

such that (∀p) w

(p) ∈ ¦0, 1¦ and w

(p
3
) < w

(p
1
) < w

(p
2
). This is clearly
impossible.
For safe systems, however, the following theorem proves that any weighted constraint is equiv-
alent to a set of unweighted constraints.
Theorem 7.1. Let ¸N, M
0
) be a safe system with set of places P and ( w, k) a weighted GMEC.
There exists a set of unweighted constraints (W,

k) equivalent to ( w, k) wrt ¸N, M
0
).
Proof: Consider the set of vectors V such that ∀v ∈ V the following conditions are verified:
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 66
C1. v ∈ ¦0, 1¦
|P|
;
C2. Q
v
⊆ Q
w
;
C3. w
T
v > k;
C4. (∀v

∈ ¦0, 1¦
|P|
, v

< v) w
T
v

≤ k.
Let (W,

k) be such that W = ( w
1
. . . w
r
) and

k = (k
1
. . . k
r
)
T
, where
r
_
i=1
¦ w
i
¦ = V,
and where (i = 1, . . . , r) k
i
=[Q
w
i
[ −1.
a) Let us prove R(N, M
0
) ∩ /( w, k) ⊆ /(W,

k).
M ∈ R(N, M
0
) ∩ /( w, k) =⇒ M ≤

1 ∧ w
T
M ≤ k =⇒ M ≤

1 ∧ (∀v ∈ V ) ∃p ∈ Q
v
÷
M(p) = 0 =⇒ (∀v ∈ V ) v
T
M ≤ k
i
=⇒ M ∈ /(W,

k).
b) Let us prove R(N, M
0
)∩/(W,

k) ⊆ /( w, k). It is enough to prove that M ∈ R(N, M
0
)∧
M ,∈ /( w, k) =⇒ M ,∈ /(W,

k).
M ∈ R(N, M
0
) ∧ M ,∈ /( w, k) =⇒ M ≤

1 ∧ w
T
M > k. Let v
0
be defined as: if
p ∈ Q
w
then v
0
(p) = M(p) else v
0
(p) = 0. Clearly v
0
satisfies conditions C1-C3 listed above.
We will show that there exists vector v
j
≤ v
0
and such that v
j
∈ V . Consider p

∈ Q
v
0
÷
(∀p ∈ Q
v
0
)w(p

) ≤ w(p). Let v
1
be a new vector such that: if p ,= p

then v
1
(p) = v
0
(p) else
v
1
(p) = 0. If w
T
v
1
≤ k stop else repeating this procedure construct v
2
, , v
j+1
such that
M ≥ v
0
> v
1
> > v
j+1
and w
T
v
j+1
≤ k while w
T
v
j
> k. This means that v
j
∈ V ,
hence v
T
j
M =[Q
v
j
[=⇒ M ,∈ /(W,

k).
In the rest of this subsection we will compare GMEC with the most general kind of constraint
that can be defined on the markings of a system, the forbidden markings constraint [Holloway 92a].
A forbidden marking constraint consists of an explicit list of markings F that we want to forbid.
Let us now consider a net system ¸N, M
0
) and let F be any set of forbidden markings. Is it
possible to find a set of GMEC(W,

k) equivalent to F, i.e., such that R(N, M
0
)¸F = R(N, M
0
)∩
/(W,

k)? In general the answer is no. In fact given three markings M
1
, M
2
, M
3
∈ R(N, M
0
)
with M
3
= (M
1
+ M
2
)/2 we have that M
1
, M
2
∈ /(W,

k) =⇒ M
3
∈ /(W,

k), since
/(W,

k) is a convex set. However F may be chosen such that M
1
, M
2
,∈ F and M
3
∈ F. This
proves that there may not exist an GMEC equivalent to a forbidden marking constraint.
However it is possible to prove that for some classes of nets there exists an GMEC equivalent
to any forbidden marking constraint.
Theorem 7.2. Let ¸N, M
0
) be a safe and conservative net system. Then given a set of forbidden
markings F there exists a set of GMEC (W,

k) such that R(N, M
0
) ¸F = R(N, M
0
) ∩/(W,

k).
Proof: Let us first state two obvious facts.
1. If a net is safe there does not exist two different markings with the same support, i.e.,
M, M

∈ R(N, M
0
) ∧ Q
M
= Q
M
=⇒ M = M

.
2. If a net is conservative no marking is covering another one, i.e., (∀M ∈ R(N, M
0
)) ,∃M


R(N, M
0
) ÷ M < M

.
Then, given a set of forbidden markings F we may forbid any M ∈ F with a constraint ( w, k)
where: w(p) = 1 if p ∈ Q
M
else w(p) = 0, and k =[Q
M
[ −1. Clearly M ,∈ /( w, k) and any
other marking M

∈ R(N, M
0
) is such that M

∈ /( w, k). Thus (W,

k) may be constructed as
the union of all the GMEC constraints forbidding a marking in F.
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 67
Figure 7.3: System in Example 7.6.
The requirement that the net be conservative may be shown necessary by the following exam-
ple.
Example 7.5. Consider the 1-bounded but not conservative system in Figure 7.3. The two possible
markings of the system are M
1
= (1) and M
2
= (0). Clearly for a set of forbidden markings
F = ¦(0)¦ it is not possible to find an equivalent GMEC since (∀ w, k) w
T
M
2
≤ w
T
M
1
≤ k.
7.2.3 Monitors
A GMEC may be enforced on a system by a monitor.
Definition 7.4. Given a system ¸N, M
0
), with N = (P, T, Pre, Post), and a GMEC ( w, k), the
monitor that enforces this constraint is a new place S to be added to N. The resulting system is
denoted ¸N
S
, M
S
0
), with
N
S
= (P ∪ ¦S¦, T, Pre
S
, Post
S
).
Let C be the incidence matrix of N. Then N
S
will have incidence matrix
C
S
=
_
C
− w
T
C
_
.
We are assuming that there are no selfloops containing S in N
S
, hence Pre
S
and Post
S
may be
uniquely determined by C
S
. The initial marking of ¸N
S
, M
S
0
) is
M
S
0
=
_
M
0
k − w
T
M
0
_
.
We assume that the initial marking M
0
of the system satisfies the constraint ( w, k).
As an example, in Figure 7.1b we have represented the two monitors corresponding to the two
constraints discussed in Example 7.1.
We will use the following notation for system with monitors. Let X : P ∪ ¦S¦ → IN be a
vector. The projection of X on P is the restriction of X to P and will be denoted X ↑
P
. This
definition is extended in the usual way to the projection of a set of vectors A, i.e., A ↑
P
= ¦X ↑
P
[
X ∈ A¦.
Proposition 7.2. Let ¸N, M
0
) be a system, ( w, k) a GMEC, and ¸N
S
, M
S
0
) the system with the
addition of the corresponding monitor S.
1. The monitor S ensures that the projection on P of the reachability set of ¸N
S
, M
S
0
) is
contained in the set of legal reachable markings of ¸N, M
0
), i.e.,
R(N
S
, M
S
0
) ↑
P
⊆ R(N, M
0
) ∩ /( w, k).
2. The monitor S ensures that the projection on P of the potentially reachable set of ¸N
S
, M
S
0
)
is identical to the set of legal potentially reachable markings of ¸N, M
0
), i.e.,
PR(N
S
, M
S
0
) ↑
P
= PR(N, M
0
) ∩ /( w, k).
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 68
3. The monitor S minimally restricts the behavior of ¸N
S
, M
S
0
), in the sense that it prevents
only transition firings that yield forbidden markings.
4. The monitor S is a structurally implicit place in N
S
if and only if all places in Q
w
are
structurally bounded.
5. The monitor S is an implicit place in ¸N
S
, M
S
0
) if and only if ( w, k) is redundant in
¸N, M
0
).
Proof:
1] Clearly R(N
S
, M
S
0
) ↑
P
⊆ R(N, M
0
), since the addition of a place can only further con-
strain the behavior of a system. To prove R(N
S
, M
S
0
) ↑
P
⊆ /( w, k), let M
S
∈ R(N
S
, M
S
0
) and
M = M
S

P
. Then M
S
= M
S
0
+C
S
σ or, equivalently,
M = M
0
+C σ,
M
S
(S) = M
S
0
(S) − w
T
C σ = k − w
T
(M
0
+C σ) ≥ 0.
Hence w
T
M = w
T
(M
0
+C σ) ≤ k, i.e., M ∈ /( w, k).
2] With the same reasoning of the previous point we can immediately conclude that PR(N
S
, M
S
0
) ↑
P

PR(N, M
0
) ∩ /( w, k). Let us prove the reverse inclusion. Let M ∈ PR(N, M
0
) ∩ /( w, k),
i.e., ∃σ ≥ 0 such that
M = M
0
+C σ,
w
T
M ≤ k.
This implies that w
T
(M
0
+C σ) ≤ k, i.e., k − w
T
(M
0
+C σ) ≥ 0. Then we also have that
M
S
=
_
M
k − w
T
(M
0
+C σ)
_
is a non negative solution of M
S
= M
S
0
+C
S
σ, i.e., M
S
∈ PR(N
S
, M
S
0
).
3] Let σt ∈ L(N, M
0
) be such that: M
0
[σ)M[t)M

and σ ∈ L(N
S
, M
S
0
) be such that:
M
S
0
[σ)M
S
. We need to prove that σt ,∈ L(N
S
, M
S
0
) =⇒ w
T
M

> k. Let C(, t) be the column
of C corresponding to transition t. Then Pre
S
(S, t) −Post
S
(t, S) = −C
S
(S, t) = w
T
C(, t).
Since t is not enabled by marking M
S
and since there are no selfloops containing S, it follows
that
0 ≤ M
S
(S) < Pre
S
(S, t) =⇒ Post
S
(t, S) = 0,
i.e., Pre
S
(S, t) = w
T
C(, t). Then
k − w
T
M = M
S
(S) < Pre
S
(S, t) = w
T
C(, t),
from which follows
w
T
M

= w
T
[M +C(, t)] > k.
4] As shown in [Colom 89], S is structurally implicit in N
S
if and only if ∃Y ≥

0 such that
Y
T
C
S
≤ C
S
(S, ), where C
S
(S, ) = − w
T
C is the incidence vector of S in C
S
. Then: All
places in Q
w
are structurally bounded ⇐⇒ ∃Y



0 such that Q
Y
⊇ Q
w
, Y

T
C ≤

0 ⇐⇒
∃a ∈ IR
+
such that Y = (aY

− w) ≥

0, Y
T
C
S
≤ − w
T
C ⇐⇒ S is structurally implicit in
N
S
.
5] Only if. S is implicit ⇐⇒L(N, M
0
) = L(N
S
, M
S
0
) =⇒R(N, M
0
) = R(N
S
, M
S
0
) ↑
P

/( w, k) ⇐⇒( w, k) is redundant in ¸N, M
0
).
If. We just need to prove that if ( w, k) is redundant in ¸N, M
0
) then L(N, M
0
) = L(N
S
, M
S
0
).
Clearly L(N, M
0
) ⊇ L(N
S
, M
S
0
), so we will prove that redundancy implies L(N, M
0
) ⊆ L(N
S
, M
S
0
).
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 69
Figure 7.4: A system not live under constraint.
Let σt ∈ L(N, M
0
) be such that: M
0
[σ)M[t)M

and σ ∈ L(N
S
, M
S
0
) be such that: M
S
0
[σ)M
S
.
Note that redundancy implies w
T
M

= w
T
[M +C(, t)] ≤ k. Then M
S
(S) = k − w
T
M ≥
w
T
C(, t) = Pre
S
(S, t)−Post
S
(t, S) and by the hypothesis that S is not contained in a selfloop
we have: M
S
(S) ≥ Pre
S
(S, t). This proves that σt ∈ L(N
S
, M
S
0
).
The addition of a monitor to the net structure modifies the behavior of a system, in order to
avoid reaching markings that do not satisfy the corresponding GMEC. We pinpoint three facts:
• The addition of a monitor does not always preserve liveness of the system. In the system in
Figure 7.4, e.g., a monitor has been added to enforce the constraint M(p
3
) + M(p
4
) ≤ 1.
The system reaches a deadlock after the firing of a single transition.
• Not all markings that satisfy the GMEC may be reached on the net with the addition of a
monitor. In the net in Figure 7.4, e.g., the marking (000011)
T
may not be reached even if
it satisfies the constraint M(p
3
) + M(p
4
) ≤ 1 because the net reaches a deadlock. In the
net in Figure 7.5, a monitor has been added to enforce the constraint M(p
1
) +M(p
3
) ≤ 1.
From the initial marking M
S
0
= (000111)
T
the marking M
S
= (100010)
T
will never be
reached even if the net is live.
• Even if liveness is preserved, the system may lose reversibility, as shown in the system in
Figure 7.5. In the same figure is shown the reachability graph of the original system (all
arcs and states) and of the system with monitor (only continuous arcs). The initial marking,
that satisfies the constraint, will never be reached again in the system with monitor.
7.2.4 Nets With Uncontrollable Transitions
We assume, now, that the set of transitions T of a net is partitioned into the two disjoints subsets
T
u
, the set of uncontrollable transitions, and T
c
, the set of controllable transitions. A controllable
transition may be disabled by the supervisor, a controlling agent which ensures that the behavior
of the system is within a legal behavior. An uncontrollable transition represents an event which
may not be prevented from occurring by a supervisor.
Given a system ¸N, M
0
) and a set of GMEC (W,

k), the set of legal markings is given as a
linear domain:
/(W,

k) = ¦M ∈ IN
|P|
[ W
T
M ≤

k¦.
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 70
Figure 7.5: A system not reversible under constraint.
In the presence of uncontrollable transitions, we need to further restrict the behavior of the sys-
tem, avoiding all those markings from which a forbidden marking may be reached by firing only
uncontrollable transitions. The set of legal marking is in this case:
/
c
(W,

k) = /(W,

k) ¸ ¦M ∈ IN
|P|
[ ∃M

,∈ /(W,

k) ÷ M[σ)M

∧ σ ∈ T

u
¦,
i.e., we do not consider legal the markings that satisfy (W,

k) but from which a forbidden marking
may be reached by firing only uncontrollable transitions. We need to introduce this restriction
because a firing sequence σ ∈ T

u
may not be prevented by a controlling agent.
It is possible to prove that there does not always exist a GMEC (W,

k) such that R(N, M
0
) ∩
/(W,

k) = R(N, M
0
) ∩ /
c
( w, k). Thus we may have cases in which does not exist a monitor-
based solution to a given mutual exclusion problem.
Example 7.6. In the net in Figure 7.6, we have represented as empty boxes the controllable tran-
sitions t
1
, t
2
, t
5
. Assume we want to enforce a constraint ( w, k) with w = (00100010)
T
and
k = 1, i.e., such that M(p
5
) +M(p
7
) ≤ 1. Is is easy to see that the markings M
1
= (2002001)
T
and M
2
= (0220001)
T
are in /
c
( w, k), but M = (1111001)
T
= (M
1
+ M
2
)/2 is not. This
proves that there does not exists a GMEC (W,

k) such that R(N, M
0
∩ /(W,

k) = R(N, M
0
) ∩
/
c
( w, k).
This shows that in presence of uncontrollable transitions, a problem of mutual exclusion is
transformed into a more general forbidden marking problem, which is a qualitatively different
problem, in the sense that it may not always be solved with the same techniques used in the case
that all transitions are controllable. Note, however, that for safe and conservative systems the result
of Theorem 7.2 ensures that, even if some transitions are not controllable, ( w, k) may be enforced
by a set of monitors.
We also discuss the concept of maximally permissible control policy [Krogh 87]. When all
transitions are controllable, we have proved that a monitor is capable of enforcing a given GMEC
( w, k), in the sense that it can ensure that only markings in /( w, k) will be reached by the system
under control (Proposition 7.2, part 1). It is also the case that whenever a transition t is prevented
from firing by the monitor at a given marking M then M[t)M

∧M

,∈ /( w, k) (Proposition 7.2,
part 3). Thus any transition firing that yields a legal marking is not forbidden and the behavior of
the system under control is the largest behavior that satisfies the constraint. We call this behaviour
maximally permissible following [Krogh 87].
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 71
Figure 7.6: Amutual exclusion problemwith uncontrollability that does not admit a monitor-based
solution.
In the case of uncontrollable transitions, the maximally permissible control policy should en-
sure that: a) only markings in /
c
( w, k) will be reached by the system under control; b) all
transition firings that yield a marking in /
c
( w, k) should be allowed.
7.3 Generalized Mutual Exclusion Constraints on Marked Graphs
In this section we focus on a class of nets, the marked graphs (MG). In the first subsection we
study the properties of marked graphs with the addition of monitors. In the second subsection
we present a general formalism for enforcing generalized mutual exclusion constraints on MG
with uncontrollable transitions. In the third subsection we restrict our attention to a particular
subclass of MG for which a solution to a mutual exclusion problem may be efficiently derived. In
Section 7.4 and Section 7.5 we will showseveral control structure capable of enforcing generalized
mutual exclusion constraints, in the presence of uncontrollable transitions, for this subclass.
7.3.1 Marked Graphs with Monitors
In the rest of this chapter, we will consider systems whose underlying net is a strongly connected
marked graph (MG). Strongly connected MG are structurally live and bounded.
Proposition 7.3 ([Murata 89]). Let ¸N, M
0
) be a MG system. Then
PR(N, M
0
) = B(N, M
0
).
If ¸N, M
0
) is a live MG system, then we also have that
R(N, M
0
) = PR(N, M
0
).
Proposition 7.4. Let ¸N, M
0
) be an MG system, (W,

k) be a set of GMEC, and let ¸N
S
, M
S
0
) be
the systemwith the addition of the corresponding monitors. Then PR(N
S
, M
S
0
) ↑
P
= B(N, M
0
)∩
/(W,

k).
Proof: Follows from Proposition 7.2, part 2, and Propositon 7.3.
According to this proposition it is possible to represent the potential reachability set of ¸N
S
, M
S
0
)
as a set of linear inequalities where the firing count vector σ does not appear.
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 72
Proposition 7.5 ([Murata 89]). A connected MG has a single minimal t-semiflow, X =

1.
The introduction of a set of monitors corresponding to a set of GMEC does not change this
property. The resulting net will be a mono-t-semiflow net [Campos 91]. For mono-t-semiflow nets
deadlock-freeness is equivalent to liveness. The following proposition gives a sufficient condition
for liveness.
Proposition 7.6. Let ¸N, M
0
) be a live MG system, (W,

k) a set of GMEC, and ¸N
S
, M
S
0
) the
system with the addition of the corresponding monitors. ¸N
S
, M
S
0
) is live if ∀M ∈ B(N, M
0
) ∩
/(W,

k), M is not a dead marking.
Proof: If no dead marking exists in PR(N
S
, M
S
0
) then no dead marking exists in R(N
S
, M
S
0
)
and the system is deadlock-free. This in turn implies liveness, since the net is a mono-t-semiflow
net.
Note that there may exist dead markings in B(N, M
0
) ∩ /(W,

k) that are not reachable
under control. These markings are called killing spurious markings in structural jargon. Thus the
previous proposition gives a sufficient but not necessary condition for liveness. The next example
shows that, unfortunately, killing spurious markings may exists on marked graphs with monitors.
Example 7.7. Consider the system in Figure 7.7, whose reachability graph is also shown. Assume
we want to enforce the two constraints: 3M(p
1
) + M(p
3
) ≤ 9, and M(p
2
) + 3M(p
4
) ≤ 9.
The legal marking of this system under the constraints are shown in Figure 7.8. Let the initial
marking be M
0
= (2130)
T
. The dead marking M = (3003)
T
is in PR(N
S
, M
S
0
) ↑
P
, since
M ∈ B(N, M
0
) ∩ /(W,

k), but since it is never reachable the system is live.
Proving reversibility for a MG with monitors ¸N
S
, M
S
0
) is a harder task. Liveness and the
existence of repetitive sequence firable from M
0
are not sufficient conditions for reversibility, as
shown in the following example.
Example 7.8. In the system in Figure 7.7 we want to enforce the two constraints: 2M(p
1
) +
3M(p
4
) ≤ 9, and 2M(p
2
) +3M(p
3
) ≤ 9. The legal marking of this system under the constraints
are shown in Figure 7.9. The system is live from any legal initial marking. However, from initial
marking M
0
= (0303)
T
the system is not reversible, even if there exist a repetitive sequence
firable from M
0
.
7.3.2 Control Subnet
In this subsection we discuss a general methodology for enforcing constraints on systems with
uncontrollable transitions. To enforce a constraint we need to prevent some transition firing. Un-
fortunately, we cannot prevent the firing of an uncontrollable transition t ∈ T
u
. We may, however,
prevent the firing of a set of controllable transitions (called control transitions of t) whose firing is
required prior to the firing of t.
Definition 7.5. Let N = (P, T, Pre, Post) be a net, and let t
i
∈ T
u
be an uncontrollable transi-
tion.
The control subnet for t
i
is the subnet N
i
= (P
i
, T
i
, Pre
i
, Post
i
) where P
i
⊆ P is the set of
places connected to t by a path containing only uncontrollable transitions, T
i
=

P
i
∩ P

i
, and
Pre
i
= Pre ∩ (P
i
T
i
), Post
i
= Post ∩ (P
i
T
i
).
The set of control transitions for t is the set A
i
=

P
i
¸ P

i
. It is obvious that A
i
⊆ T
c
.
We may extend this definition to controllable transitions as well. Given a net N = (P, T, Pre, Post)
and a controllable transition t
i
∈ T
c
, the control subnet for t
i
is not defined but the set of control
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 73
Figure 7.7: A marked graph system and its reachability graph.
Figure 7.8: Legal markings for the system in Figure 7 under the set of constraints shown.
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 74
Figure 7.9: Legal markings for the system in Figure 7 under the set of constraints shown.
transitions for t
i
is the set A
i
= ¦t
i
¦, i.e., the transition itself. This will allows us, in the following,
to use the same formalism for both controllable and uncontrollable transitions.
For marked graphs systems if it possible to analytically compute the dependency between the
firing of an uncontrollable transition and the firing of its control transitions. The advantage is that
this computation may be done on the structure of net, without resorting to the construction of the
space of reachable markings.
Proposition 7.7. Let ¸N, M
0
) be an MGsystemand t
i
one of its transitions. Let N
i
= (P
i
, T
i
, Pre
i
, Post
i
)
be the control subnet for t
i
, and let A
i
be the set of control transitions for t
i
.
1. T
i
⊆ T
u
. This means that A
i
∩ T
i
= ∅.
2. Given a marking M ∈ R(N, M
0
), the maximum number of times we may fire t
i
without
firing any transition in A
i
(the deviation bound between t
i
and A
i
) is
DB(M, t
i
, A
i
) = min¦td(M, t

, t
i
) [ t

∈ A
i
¦,
where td(M, t

, t
i
) is the token distance between transitions t

and t
i
, i.e., the minimum
token content among all possible direct paths from t

to t
i
at marking M.
Proof:
1] By contradiction, if t

∈ T
i
∩T
c
, then the input place of t

cannot be in P
i
, as its only output
transition is controllable, hence t

,∈ T
i
.
2] See Murata [Murata 89]. Note that the token distance DB(M, t, A
i
) may be computed
solely from the analysis of N
i
and its marking. Note also that if t
i
is controllable DB(M, t
i
, A
i
) =
DB(M, t
i
, t
i
) = 0.
We want to apply the ideas developed so far to the problem of enforcing GMEC on marked
graph systems. Given a constraint ( w, k), the problem is that of controlling the firing of the input
transition of all places in Q
w
to ensure that the constraint is always verified. We will use the
following notation. Given a place p
i
∈ Q
w
we will denote:
• t
o
i
its output transition;
• t
i
its input transition;
• N
i
= (P
i
, T
i
, Pre
i
, Post
i
) the control subnet for t
i
;
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 75
Figure 7.10: Control subnets for the input transitions of places p
1
, p
2
, p
3
.
• A
i
= ¦t
1
i
, , t
n
i
i
¦ the set of control transitions for t
i
.
Example 7.9. In Figure 7.10 places p
1
, p
2
, p
3
belong to the support of a GMEC. We have rep-
resented the control subnets for their input transitions, with the corresponding control transitions.
The remaining structure of the marked graph is not shown.
The deviation bound between an uncontrollable transition and its set of control transitions may
be used to define the set of legal markings /
c
( w, k) for a GMEC ( w, k) on marked graphs, under
the hypothesis discussed in the following.
Proposition 7.8. Let ¸N, M
0
) be an MG system and ( w, k) a GMEC. For each place p
i
∈ Q
w
, let
its input transition be t
i
. Assume that: (

p
i
∈Q
w
P
i
) ∩ Q
w
= ∅. Then the set of legal markings is
/
c
( w, k) = ¦M ∈ IN
|P|
[ w
T
(M +D
M
) ≤ k¦,
where D
M
(p
i
) = DB(M, t
i
, A
t
i
) if p
i
∈ Q
w
else D
M
(p
i
) = 0.
Proof: Proposition 7.7, part 1, and the assumption that no place p
i
belongs to the subnet of
any t
i
, implies that by firing only uncontrollable transitions we may reach a new marking M

such
that M

(p
i
) = M(p
i
) +D
M
(p
i
).
The previous proposition may be used to define the maximally permissible control policy that
enforces the constraint ( w, k). Given a marked graph system ¸N, M
0
), the maximally permissible
control may be computed step by step as follows. Let A = (

p
i
∈Q
w
A
i
). Then from any marking
M ∈ R(N, M
0
):
• For each firable t ∈ A, compute M

÷ M[t)M

. If w
T
(M

+D
M
) ≤ k then t should be
left free to fire else it should be disabled;
• All transitions in T
c
¸ A may be left free to fire.
7.3.3 Control Safe Places
We will consider in the following a special class of MG systems introduced in the next definition.
Definition 7.6. A place p
i
of an MG system ¸N, M
0
) is said to be control safe if given its input
transition t
i
and its output transition t
o
i
, the deviation bound between any control transition in A
i
and both t
i
and t
o
i
is at most one for any reachable marking, i.e.,
(∀M ∈ R(N, M
0
) ∧ ∀t

∈ A
i
) [DB(M, t

, t
i
) ≤ 1 ∧ DB(M, t

, t
o
i
) ≤ 1].
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 76
It is possible to check for control safeness of a place, based solely on the net structure.
Proposition 7.9. Let ¸N, M
0
) be a live and bounded MG system. A place p
i
is control safe if and
only if ∀t ∈ A
i
there exists a cycle that contains p
i
and t and this cycle is marked with a single
token.
Given a GMEC ( w, k), we will assume that the places in Q
w
are control safe. We have
seen that if the net is safe there exists a monitor-based solution to any GMEC, even if not all
transitions are controllable. The restriction that the places in Q
w
be control safe has a similar
purpose. It will permit a simplification of the problem, in the sense that will allow us to derive
other control structures, often more efficient than a set of monitors. The different solutions are
shown in Section 7.4 and Section 7.5.
The idea here is that to check whether a place p
i
∈ Q
w
may be marked by a firing sequence
of uncontrollable transitions we need to check only how many firings of transitions in A
i
have
occurred.
Proposition 7.10. Let ¸N, M
0
) be a MG system, and p
i
a control safe place of N. Let t
i
be the
input transition of p
i
, t
o
i
the output transition of p
i
, and A
i
the set of control transitions of t
i
, with
n
i
=[A
i
[. Then ∀M ∈ R(N, M
0
):
1. (∀t ∈ A
i
)[td(M, t, t
o
i
) ≤ 1];
2. M(p
i
) +D
M
(p
i
) ≤ 1;
3. M(p
i
) +D
M
(p
i
) = 1 ⇐⇒ (∀t ∈ A
i
)[td(M, t, t
o
i
) = 1].
Proof: Follows from the definition of control safe place.
We discuss a particular case that may arise for a given constraint ( w, k). Assume that p
j
1
∈ Q
w
is in the control subnet of place p
j
2
∈ Q
w
. Then p
j
1
and p
j
2
are in structural mutual exclusion,
i.e., by the hypothesis that their are control safe, they will never be marked simultaneously. Hence
/(w, k) = /( w
1
, k) ∩ /( w
2
, k), where: w
i
(p) = 0 if p = p
j
1
else w
i
(p) = w(p), i.e., the
constraint ( w, k) is equivalent to the set of constraints (W, k

1) = ¦( w
1
, k), ( w
2
, k)¦. Proof:
Trivially /( w, k) ⊆ /( w
1
, k) ∩ /( w
2
, k). To prove the reverse inclusion, assume M ∈
/( w
1
, k) ∩ /( w
2
, k). Then: if M(p
j
2
) > 0 then M(p
j
1
) = 0, and M ∈ /( w
1
, k) =⇒ M ∈
/( w, k) else M ∈ /( w
2
, k) =⇒ M ∈ /( w, k).
In the next section we will assume, without loss of generality, that no place p in Q
w
, p belongs
to the control subnet of another place p

in Q
w
.
7.4 Fully Compiled Models
In this section we present two different ways of enforcing a GMEC on MG systems with control
safe places. Both solutions are fully compiled, i.e., the corresponding control structure is a net
system as well.
7.4.1 Model 1: Monitor-based Controller
Definition 7.7. Let ¸N, M
0
) be a MG system and ( w, k) be an unweighted mutual exclusion
constraint, i.e., w ≤

1, defined on it. We assume that M
0
∈ /
c
( w, k). Let Q
w
= ¦p
1
, . . . , p
r
¦
be a set of control safe places of N and assume that r =[ Q
w
[= k + 1. Given p
i
∈ Q
w
let
A
i
= ¦t
1
i
, . . . , t
n
i
i
¦ be the set of control transitions for t
i
and t
o
i
be the output transition of p
i
. The
monitor that enforces this constraint consists of a place S to be added to the original net with arcs
as follows:
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 77
Figure 7.11: Example of monitor.
• Pre(S, t) = 1 if t ∈ A
i
else Pre(S, t) = 0;
• Post(S, t) = n
i
if t = t
o
i
else Post(S, t) = 0.
The initial marking will assign s −1 tokens to place S where
s =[ ¦t [ t ∈ A
i
∧ td(M
0
, t, t
o
i
) = 0¦ [
i.e., s counts the number of control transitions that must fire prior to the marking of all places in
Q
w
.
The previous definition assume that no transition will be selflooped with the monitor place.
E.g., a transition t will be selflooped if ∃i, j ÷ t = t
o
i
∧ t ∈ A
j
. In this case we need to eliminate
the arcs in selfloop from the pre-incidence and post-incidence matrices.
Example 7.10. In Figure 7.11 we want to enforce the constraint
M(p
1
) +M(p
2
) +M(p
3
) ≤ 2
over the net in Figure 7.10. We have added a place S to the original system with the arcs shown
in dotted lines.
It is easy to see that a monitor constructed as in Definition 7.7 enforces the maximally permis-
sible policy that ensures that the constraint ( w, k) will be satisfied. In fact the monitor prevents
only transition firings that lead to all markings M such that
(∀i = 1, . . . , r)(∀t ∈ A
i
)[td(M, t, t
o
i
) = 1],
which by Proposition 7.10 are the only illegal markings for unweighted constraints of this kind.
A set of constraints (W,

k) of this form may be enforced by adding several monitors.
Assume now ( w, k), with w ≤

1, is such that [Q
w
[> k + 1. The previous construction may
not be used. However the original constraint may be rewritten as a set of constraints according to
the following proposition.
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 78
Proposition 7.11. Let ( w, k) be a mutual exclusion constraint, with w ≤

1, and [Q
w
[> k + 1.
Then,
/( w, k) =

w

∈I
k+1
/( w

, k),
where I
k+1
= ¦ w ∈ ¦0, 1¦
P
[ w

≤ w, [Q
w
[= k + 1¦.
Proof: (⊆) is trivial. Let us prove (⊇). Any marking M ∈

w

∈I
k+1
/( w

, k) marks at most
k places in Q
w
, otherwise there exists w

∈ I
k+1
÷ Q
w
⊆ ¦p [ M(p) > 0¦ and M ,∈ /( w

, k).
Let w

∈ I
k+1
, be a weight vector whose support contains all the places marked by M. Clearly
M ∈ /( w

, k) =⇒ M ∈ /( w, k).
The previous proposition shows that the unweighted constraint ( w, k), with w ≤

1 and [Q
w
[>
k + 1, is equivalent to the set of constraints (W, k

1) = ¦( w

, k) [ w

∈ I
k+1
¦, hence may be
enforced by a set of monitors. However the problem is that there are
_
[Q
w
[
k + 1
_
different subsets
of Q
w
of cardinality k + 1. Thus in the worst case the number of monitors is exponential with
respect to the cardinality of Q
w
.
The monitor based construction may also be used, when the weight of the places is not unitary,
explicitly rewriting the set of unweighted constraints equivalent to the single weighted constraint.
We have proved in Theorem 7.1 that this is always possible for the class of nets considered here.
7.4.2 Model 2: Compiled Supervisor
In this section we consider a net supervisor, capable of enforcing a set of GMEC. We assume that
the supervisor observes the execution of the unconstrained systemand at any given instant provides
a control pattern, i.e., specifies which controllable transitions are allowed to fire. The control
pattern is implicit in the transition structure of the supervisor, in the sense that a controllable
transition that belongs to the supervisor structure is enabled by the control pattern if and only if it
is enabled by the marking of the supervisor net.
Definition 7.8. Let ¸N, M
0
) be a MG system and ( w, k) be a GMEC. We assume that M
0

/
c
( w, k). Let Q
w
= ¦p
1
, . . . , p
r
¦ be a set of control safe places. Given p
i
∈ Q
w
let A
i
=
¦t
1
i
, . . . , t
n
i
i
¦ be the set of control transitions for t
i
and t
o
i
be the output transition of p
i
. The
compiled supervisor that enforces this constraint is S = (P
S
, T
S
, Pre
S
, Post
S
) with:
• P
S
= ¦p
0
, p

1
, p

1
, p

1
, p

2
, . . . , p

r
, p

r
, p

r
¦;
• T
S
= A

1
∪ A

1
∪ A

2
. . . ∪ A

r
∪ A

r
∪ ¦t
o
1
, . . . , t
o
r
¦ where A

i
and A

i
are sets of transitions
synchronized with A
i
;
• Pre
S
and Post
S
are such that:
– Pre
S
(p
0
, t) = w(p
i
) if t ∈ A

i
else Pre
S
(p
0
, t) = 0;
– Post
S
(p
0
, t) = w(p
i
) if t = t
o
i
else Post
S
(p
0
, t) = 0;
– Pre
S
(p

i
, t) = 1 if t ∈ A

i
else Pre
S
(p

i
, t) = 0;
– Post
S
(p

i
, t) = n
i
−1 if t = t
o
i
else Post
S
(p

i
, t) = 0;
– Pre
S
(p

i
, t) = n
i
−1 if t ∈ A

i
else Pre
S
(p

i
, t) = 0;
– Post
S
(p

i
, t) = 1 if t ∈ A

i
else Post
S
(p

i
, t) = 0;
– Pre
S
(p

i
, t) = 1 if t = t
o
i
else Pre
S
(p

i
, t) = 0;
– Post
S
(p

i
, t) = 1 if t ∈ A

i
else Post
S
(p

i
, t) = 0.
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 79
Figure 7.12: Example of compiled supervisor.
The initial marking of S is M
S
0
such that, ∀i = 1, . . . , r,
if [M
0
(p
i
) +D
M
0
(p
i
) = 1]
then [M
S
0
(p

i
) = M
S
0
(p

i
) = 0 ∧ M
S
0
(p

i
) = 1]
else [M
S
0
(p

i
) =[ ¦t ∈ A
i
[ td(M
0
, t, t
o
i
) = 0¦ [ −1
∧M
S
0
(p

i
) = n
i
−1 −M
S
0
(p

i
)
∧M
S
0
(p

i
) = 0],
and M
S
0
(p
0
) = k −

r
i=1
w(p
i
)M
S
0
(p

i
).
Example 7.11. In Figure 7.12 we show the supervisor that may be used to enforce the constraint
w(p
1
)M(p
1
) +w(p
2
)M(p
2
) +w(p
3
)M(p
3
) ≤ k over the net shown in Figure 7.10.
In the example in Figure 7.12 we have represented the set of parallel transitions A

i
and A

i
as
a single transition. Whenever the system executes a transition t ∈ A
i
, the corresponding transition
in A

i
or A

i
will fire. Note that the behavior is deterministic, since if a transition in A

i
is enabled,
the corresponding transition in A

i
is not, and conversely. For the computation of the control
pattern, a transition in A
i
is enabled by the control pattern if the corresponding transition in A

i
or
in A

i
is enabled.
In the previous definition we have assumed that:
• (∀i = 1, . . . , r) n
i
> 1. If n
i
= 1 we may remove the places p

i
and p

i
and the set of
transitions A

i
.
• (∀i ,= j) A
i
∩A
j
= ∅. If this is not the case, we need to slightly change the structure of the
supervisor by merging the transitions of A

i
and A

i
in common with A

j
and A

j
We want to show that the supervisor constructed according to Definition 7.8 enforces the
required maximally permissible policy. We note first that given a marking M of the system and a
corresponding marking M
S
of the supervisor we have that (∀i = 1, . . . , r)[M(p
i
) + D
M
(p
i
) =
M
S
(p

i
)]. Since the place p
0
is enforcing the constraint

r
i=1
w(p
i
)M
S
(p

i
) ≤ k we have, by
Proposition 7.8, that the supervisor enforces the required policy.
In the case of a set of constraints (W,
¯
k) = ¦( w
1
, k
1
), . . . , ( w
m
, k
m
)¦ we need to construct a
supervisor for each single constraint ( w
i
, k
i
). Should a controllable transition belong to more that
one supervisor, say S
i
1
and S
i
2
, it will be enabled by the control pattern if and only if it is enabled
on both S
i
1
and S
i
2
.
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 80
7.5 Partially Compiled Models
The net structure of the supervisor may be further simplified. For instance we may avoid repeating
the set of transitions A
i
. However we need to add additional control structure by introducing
transitions with an associated interpretation. This partially destroys the possibility of analyzing
the net with traditional PN techniques. The advantage, however, is that the “partially interpreted”
supervisors that we discuss here may be easily modified to enforce constraints on any kind of MG
system. We will not discuss these modifications.
7.5.1 Model 3: Non-Deterministic Partially Compiled Supervisor
Definition 7.9. Let ¸N, M
0
) be a MG system and ( w, k) be a GMEC. We assume that M
0

/
c
( w, k). Let Q
w
= ¦p
1
, . . . , p
r
¦ be a set of control safe places. Given p
i
∈ Q
w
let A
i
=
¦t
1
i
, . . . , t
n
i
i
¦ be the set of control transitions for t
i
and t
o
i
be the output transition of p
i
. The non-
deterministic partially compiled supervisor that enforces this constraint is S = (P
S
, T
S
, Pre
S
, Post
S
)
with:
• P
S
= ¦p
0
, p

1
, p

1
, p

1
, p

2
, . . . , p

r
, p

r
, p

r
¦;
• T
S
= A
1
∪A
2
∪. . . ∪A
r
∪¦t
o
1
, . . . , t
o
r
¦ ∪¦π
1
, π
2
, . . . , π
r
¦ where each π
i
is a transition to
which a predicate is associated;
• Pre
S
and Post
S
are such that:
– Pre
S
(p
0
, t) = w(p
i
) if t = π
i
else Pre
S
(p
0
, t) = 0;
– Post
S
(p
0
, t) = w(p
i
) if t = t
o
i
else Post
S
(p
0
, t) = 0;
– Pre
S
(p

i
, t) = 1 if t = π
i
else Pre
S
(p

i
, t) = 0;
– Post
S
(p

i
, t) = 1 if t = t
o
i
else Post
S
(p

i
, t) = 0;
– Pre
S
(p

i
, t) = 1 if t ∈ A
i
else Pre
S
(p

i
, t) = 0;
– Post
S
(p

i
, t) = n
i
−1 if t = t
o
i
else [Post
S
(p

i
, t) = 1 if t = π
i
else Post
S
(p

i
, t) = 0];
– Pre
S
(p

i
, t) = n
i
if t = t
o
i
else Pre
S
(p

i
, t) = 0;
– Post
S
(p

i
, t) = 1 if t ∈ A
i
else Post
S
(p

i
, t) = 0;
The initial marking of S is M
S
0
such that, ∀i = 1, . . . , r,
if [M
0
(p
i
) +D
M
0
(p
i
) = 1]
then [M
S
0
(p

i
) = M
S
0
(p

i
) = 0 ∧ M
S
0
(p

i
) = n
i
]
else [M
S
0
(p

i
) = 1
∧M
S
0
(p

i
) =[ ¦t ∈ A
i
[ td(M
0
, t, t
o
i
) = 0¦ [ −1
∧M
S
0
(p

i
) = n
i
−M
S
0
(p

i
) −M
S
0
(p

i
)],
and M
S
0
(p
0
) = k −

j∈J
w(p
i
), where J = ¦i [ M
S
0
(p

i
) = 0¦.
The predicate associated to the transitions π
i
are used to implement the control policy. The
firing of transition π
i
will allow place p
i
to be marked.
Example 7.12. In Figure 7.13 we show the supervisor that may be used to enforce the constraint
w(p
1
)M(p
1
) +w(p
2
)M(p
2
) +w(p
3
)M(p
3
) ≤ k over the net shown in Figure 7.10.
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 81
Figure 7.13: Example of non-deterministic partially compiled supervisor.
The supervisor constructed according to Definition 7.9 will permit the system to reach only
legal markings. In fact, given a marking M of the system and a corresponding marking M
S
of the
supervisor we have that (∀i = 1, . . . , r)[M(p
i
) + D
M
(p
i
) = 1 ⇐⇒ M
S
(p

i
) = n
i
]. Since the
place p
0
is enforcing the constraint

i∈J
w(p
i
) ≤ k, with J = ¦i [ M
S
(p

i
) + M
S
(p

i
) = n
i
¦,
we have, by Proposition 7.8, that the supervisor will allow only legal markings to be reached.
This control policy is also maximally permissible, as shown in [Krogh 91], if two or more control
transitions may fire simultaneously.
The supervisor has been called non-deterministic because we decide a priori which place in
Q
w
will be allowed to be marked.
7.5.2 Model 4: Deterministic Partially Compiled Supervisor
Definition 7.10. Let ¸N, M
0
) be a MG system and ( w, k) be a GMEC. We assume that M
0

/
c
( w, k). Let Q
w
= ¦p
1
, . . . , p
r
¦ be a set of control safe places. Given p
i
∈ Q
w
let A
i
=
¦t
1
i
, . . . , t
n
i
i
¦ be the set of control transitions for t
i
and t
o
i
be the output transition of p
i
. The deter-
ministic partially compiled supervisor that enforces this constraint is S = (P
S
, T
S
, Pre
S
, Post
S
)
with:
• P
S
= ¦p
0
, p

1
, p

1
, p

2
, . . . , p

r
, p

r
¦;
• T
S
= A
1
∪ A
2
∪ . . . ∪ A
r
∪ ¦t
o
1
, . . . , t
o
r
¦ ∪ ¦π

1
, π

1
, π

2
, . . . , π

r
, π

r
¦ where π

i
and π

i
are
transitions to which a predicate is associated;
• Pre
S
and Post
S
are such that:
– Pre
S
(p
0
, t) = 1 if t = π

i
else Pre
S
(p
0
, t) = 0;
– Post
S
(p
0
, t) = 1 if [t = t
o
i
or t = π

i
] else Post
S
(p
0
, t) = 0;
– Pre
S
(p

i
, t) = 1 if t ∈ A
i
else Pre
S
(p

i
, t) = 0;
– Post
S
(p

i
, t) = n
i
−1 if t = t
o
i
else [Post
S
(p

i
, t) = 1 if t = π

i
else Post
S
(p

i
, t) = 0];
– Pre
S
(p

i
, t) = n
i
if t = t
o
i
else Pre
S
(p

i
, t) = 0;
– Post
S
(p

i
, t) = 1 if t ∈ A
i
else Post
S
(p

i
, t) = 0;
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 82
Figure 7.14: Example of deterministic partially compiled supervisor.
The initial marking of S is M
S
0
such that, ∀i = 1, . . . , r,
if [M
0
(p
i
) +D
M
0
(p
i
) = 1]
then [M
S
0
(p

i
) = 0 ∧ M
S
0
(p

i
) = n
i
]
else M
S
0
(p

i
) =[ ¦t ∈ A
i
[ td(M
0
, t, t
o
i
) = 0¦ [ −1
∧M
S
0
(p

i
) = n
i
−M
S
0
(p

i
)],
and M
S
0
(p
0
) = r− [ ¦i [ M
S
0
(p

i
) = n
i
¦ [.
The predicate associated to the transitions π

1
and π

1
are used to implement the control policy.
Let J = ¦i [ M(p

i
) = n
i
¦ and let v =

i∈J
w(p
i
). Then:
• π

i
= TRUE if [M(p

i
) +M(p

i
) = n
i
−1] ∧ [v +w(p
i
) ≤ k] else π

i
= FALSE;
• π

i
= TRUE if [M(p

i
) +M(p

i
) = n
i
] ∧ [v +w(p
i
) > k] else π

i
= FALSE.
Example 7.13. In Figure 7.14 we show the supervisor that may be used to enforce the constraint
w(p
1
)M(p
1
) + w(p
2
)M(p
2
) + w(p
3
)M(p
3
) ≤ k over the net shown in Figure 7.10. Note that
the structure of the supervisor does not depend on the weight vector w and on the integer k, that
affect only the value of the predicates π

1
and π

1
.
It is difficult to show that this supervisor is actually implementing the maximally permissible
control policy because of the predicates associated to the transitions π

i
and π

i
. Note however that
given a marking M of the system and a corresponding marking M
S
of the supervisor, we have
that (∀i = 1, . . . , r)[M(p
i
) + D
M
(p
i
) = 1 ⇐⇒ M
S
(p

i
) = n
i
]. The transitions π

i
will remove
the token necessary to reach M
S
(p

i
) = n
i
whenever the marking of place p
i
would violate the
constraint.
7.6 Comparison of the Models
The monitor-based controller is an extension to systems with uncontrollable transitions of the
controller studied in Section 7.2 for nets with only controllable transitions. Thus all the structural
properties of monitors may be used to analyze the system under control. The drawback is that it
may require an exceedingly large number of monitors. However, in those cases in which it may
be used efficiently, it is the simpler and most straightforward solution.
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 83
The compiled supervisor has the advantage of always requiring a compact structure that grows
linearly with the number of places in the support of the weight vector. However, since it requires
all control transitions to be represented twice, it leads to a closed-loop model which is difficult to
analyze.
The non-deterministic partially compiled supervisor implements a policy slightly different
from all other models. This policy is the same derived by Holloway and Krogh [Holloway 92a].
However our model does not require on-line computation, since the structure of the supervisor
ensures that only legal markings may be reached. The predicates associated to the transitions may
be used to implement different run-time policies, as suggested in [Krogh 91].
The deterministic partially compiled supervisor has the simpler structure but its behavior
strongly depends on the predicates associated to the transitions. Thus it is at the same time the
simpler model to implement and the most difficult to analyze.
7.7 Conclusions
We have presented and studied a class of specifications, called generalized mutual exclusion con-
straints. These specifications on a net system where all transitions are controllable may be easily
enforced by a set of places called monitors. Unfortunately, we have shown that this technique is
not always applicable when some of the transitions of the net are uncontrollable.
For some classes of nets, we have proved that GMEC may always be enforced by monitors,
even in the presence of uncontrollable transitions. For one of these particular classes, marked
graphs with control safe places, we compared a monitor-based solution of mutual exclusion prob-
lems with several supervisory based solutions.
Chapter 8
CONCLUSIONS AND FUTURE
RESEARCH
8.1 Original Contributions
The thesis has discussed the use of Petri nets as discrete event models for Supervisory Control. The
approach we have followed is different from previous Petri net based approaches [Holloway 90,
Ushio 89]. In fact, we use Petri net models to represent not only the system under control but the
supervisor as well.
The original contributions consist of four major parts.
1. Petri net languages for Supervisory Control.
2. Design of supervisors.
3. Validation of Petri net supervisors.
4. Efficient construction of control structure.
8.1.1 Petri Net Languages for Supervisory Control
We have explored the closure properties of Petri net languages under the operators used in Super-
visory Control: prefix closure, and supremal controllable sublanguage. Our results show that Petri
net languages are not closed under these operators.
It was known from previous work [Wonham 87] that regular languages are closed under these
operators. Thus, we face a trade-off. If we restrict ourselves to the use of bounded or conservative
PN models, which have a finite reachability set and generate regular languages, we are sure to
have a Petri net supervisor for any given control problem. If we want to use of the full language
power of Petri nets models, we may consider unbounded Petri net models, but now not all control
problems may be solved by a Petri net supervisor.
We have also defined a new class of Petri net languages, called DP-closed languages and
denoted L
DP
. The languages in this class are those L-type Petri net languages (terminal Petri net
languages) whose prefix language is a P-type Petri net language (prefix Petri net language). Unlike
all other known classes of Petri net languages, the class L
DP
is not closed under intersection.
As a final result, we have given necessary and sufficient conditions for the existence of Petri
net supervisors when the system’s behavior and the legal behavior are deterministic Petri net lan-
guages.
The closed behavior L(G) of system G may be restricted to a legal behavior L ⊆ L(G) if and
only if L is: a) a prefix Petri net language; b) deterministic; c) controllable. The marked behavior
84
CHAPTER 8. CONCLUSIONS AND FUTURE RESEARCH 85
L
m
(G) of system G may be restricted to a legal behavior L ⊆ L
m
(G) if and only if L is: a) a
DP-closed Petri net language; b) L
m
(G)-closed; c) controllable.
8.1.2 Supervisory Design
Based on the monolithic supervisory design, as formulated in [Wonham 88a], we have presented
a design based on the concurrent composition operator. This design is well suited for Petri nets
models.
The design requires two steps. In the first step, a coarse structure for a supervisor is synthe-
sized by means of concurrent composition of different modules, representing the system and the
specifications we want to enforce on the system’s behavior.
This composition may be easily performed, using Petri net models, by merging transitions
labeled by the same symbols. Since the composition is performed on the structure of the net, the
same finite procedure may be used to compose nets with finite or infinite reachability sets. The
final Petri net model represents a closed loop model of the controlled system in which it is still
possible to identify the composed modules.
The generator constructed in the first step of the algorithm will be a proper supervisor if it
is nonblocking and if the language it generates is controllable. These properties may be easily
expressed in term of net properties, as we have seen.
In the second step, the generator constructed in the first step of the algorithm is refined to
obtain a nonblocking and controllable generator. In particular, we have discussed how to refine
a coarse structure for a supervisor, by introducing new arcs and possibly duplicating transitions,
to avoid reaching undesirable markings.. This procedure may always be applied when the net is
conservative. In this refinement, the modular structure of the net is preserved, but in some cases it
may be necessary to introduce a large number of transitions.
We have also compared Petri nets and state machines models, showing the advantages of using
Petri nets for the design of supervisors.
8.1.3 Validation of Petri Net Supervisors
A well known Petri net analysis technique is based on the incidence matrix analysis. We have stud-
ied how this technique may be used to validate supervisors obtained by concurrent composition of
several modules.
We have defined a class of P/T net, called Elementary Composed State Machine (ECSM) nets,
showing how to derive a set of linear inequalities that exactly define the set of reachable markings.
ECSM nets are nets obtained by concurrent composition of state machine modules. We restrict the
type of compositions considered, in order to guarantee some important properties. The two basic
compositions are: a) compositions of nets along a simple path; b) compositions of nets along a
set of simple paths that are looped in one of the nets. The class of Elementary Composed State
Machines can model both choice and concurrent behavior.
We have also discussed the difference of our approach with respect to other classical methods
based on incidence matrix analysis. We use a set of linear inequalities to define the reachability set;
these inequalities are obtained by the computation of the basic traps of the state machine modules
that compose an ECSM, and by the firing bounds of the composed transitions.
Important properties of the net, such as the absence of blocking states or controllability, may
be studied by Integer Programming techniques. We have shown how this approach may be used
to validate ECSM supervisors.
CHAPTER 8. CONCLUSIONS AND FUTURE RESEARCH 86
8.1.4 Efficient Construction of Control Structure
We have presented and studied a class of specifications for Petri net models, called generalized
mutual exclusion constraints (GMEC), that may be used to express the concurrent use of a finite
number of resources, shared among different processes.
A GMEC limits a weighted sum of tokens contained in a subset of places; all markings that
do not satisfy the constraint are called forbidden. GMEC are a mild generalization of mutual
exclusion constraints considered by other authors [Krogh 91, Zhou 91], due to the fact that the
weights we consider are defined in IN, rather than in ¦0, 1¦. We have presented a methodology,
based on linear algebraic techniques, to compare and simplify GMEC. An equivalence notion
among GMEC has been introduced and studied from the point of view of structural net theory.
A single GMEC may be easily implemented by a monitor, i.e., a place whose initial marking
represents the available units of a resource and whose outgoing and incoming transitions represent,
respectively, the acquisition and release of units of the resource.
In the framework of Supervisory Control, the complexity of enforcing a GMEC is enhanced by
the presence of uncontrollable transitions, i.e., transitions that may be observed but not prevented
from firing by a control agent. To enforce a given GMEC, it is necessary to prevent the system
from reaching a superset of the forbidden markings, containing all those markings from which a
forbidden one may be reached by firing a sequence of uncontrollable transitions. Unfortunately,
in this case we have proven that the set of legal markings cannot always be represented by a linear
domain in the marking space, thus there exist problems which do not have a “monitor-based”
solution.
In this context, we have discussed GMEC for systems represented as marked graphs with con-
trol safe places. The goal is that of constructing a supervisor capable of enforcing the constraints.
A solution to this problem has been given by Holloway and Krogh [Krogh 91]. In their approach,
which may be defined as fully interpreted, the control policy is efficiently computed by an on-line
controller as a feedback function of the marking of the system. We have studied, instead, how
a net structure for the supervisor may be constructed. We have discussed and compared several
solutions. Some of these models are fully compiled, i.e., the corresponding supervisor is repre-
sented by a P/T net, others are partially compiled, i.e., the corresponding supervisor is given as an
interpreted net in which the firing of some transitions depends not only on the marking of the net
but on the value of some boolean expressions as well.
The advantages of fully compiling the supervisor action in a net structure are:
• The computation of the control action is faster, since it does not require separate on-line
computation.
• The same Petri net system execution algorithms may be used for both the original system
and the supervisor.
• A closed-loop model of the system under control may be built with standard net composition
constructions and analyzed for properties of interest. Moreover, structure theory of Petri
nets may be used to prove, without an exhaustive state space search, that the system under
control enjoys the properties.
On the other hand, partially compiled models are more flexible in the sense that some inter-
pretations may be used to implement complex control policies, whose corresponding net structure
may be exceedingly large.
CHAPTER 8. CONCLUSIONS AND FUTURE RESEARCH 87
8.2 Future Research
It may be possible to extend this research in several parts. We give a list of the problems that may
be addressed in the future.
8.2.1 Petri Net Languages for Supervisory Control
Find a characterization of the class L
DP
in terms of some pumping lemma, or other particular
properties of these languages.
Characterize the class of nonregular Petri net languages that are closed under the supremal
controllable sublanguage operator.
8.2.2 Supervisory Design
Determine a refinement procedure based on the coverability tree of a Petri net, rather than on its
reachability tree. Since the coverability tree is always finite, this may permit the refinement of nets
with infinite reachability set in all those cases in which the refined model may be given as a Petri
net.
8.2.3 Validation of Petri Net Supervisors
Extend the method used to study the reachability set of ECSM to a larger class of nets. In particu-
lar, the method may be extended to other types of compositions, following the approach presented
by [Koh 92] where the composition of partially overlapping paths is considered. Additionally, it
may be interesting to consider the composition Macroplace/Macrotransition nets [Jungnitz 92],
which are a superset of state machines.
8.2.4 Efficient Construction of Control Structure
Derive the supervisory structure for enforcing GMEC on classes of nets more general than control
safe place marked graphs. Here the use of interpreted nets should prove a key factor in deriving a
simple supervisory structure.
Consider classes of specification different fromGMEC, e.g., sequencing specifications [Holloway 92b],
and derive the corresponding supervisor using a structural based approach.
Bibliography
[Aveyard 74] R.L. Aveyard, “A Boolean Model for a Class of Discrete Event Systems,”
IEEE Trans. on Systems, Man, and Cybernetics, Vol. SMC-4, No. 3, pp. 249–
258, May, 1974.
[Avrunin 91] G.S. Avrunin, U.A. Buy, J.C. Corbett, L.K. Dillon, J.C. Wileden, “Automated
Analysis of Concurrent Systems with the Constrained Expression Toolset,”
IEEE Trans. Software Engineering, Vol. 17, No. 11, pp. 1204–1222, Novem-
ber, 1991.
[Baker 72] H. Baker, Jr., “Petri Nets and Languages,” Computation Structures Group
Memo 68, Project MAC, Massachusetts Institute of Technology (Cambridge,
Massachusetts), May, 1972.
[Baker 73] H. Baker, Jr., “Equivalence Problems of Petri Nets,” Master’s thesis, Dept. of
Electrical Engineering, Massachusetts Institute of Technology (Cambridge,
Massachusetts), May, 1973.
[Banaszak 90] Z.A. Banaszak, B.H. Krogh, “Deadlock Avoidance in Flexible Manufactur-
ing Systems with Concurrently Competing Process Flows,” IEEE Trans. on
Robotics and Automation, Vol. RA-6, No. 6, pp. 724–734, December, 1990.
[Beck 86] C.L Beck, B.H. Krogh, “Models for Simulation and Discrete Control of Man-
ufacturing Systems,” IEEE Int. Conf. Robotics and Automation, pp. 305–310,
April, 1986.
[Berthelot 86] G. Berthelot, “Checking Properties of Nets Using Transformations,” Advances
in Petri Nets 1985, G. Rosenberg (ed.), Lecture Notes in Computer Sciences,
Vol. 85, pp. 19–40, Springer-Verlag, 1986.
[Berthelot 87] G. Berthelot, “Transformations and Decompositions of Nets,” Petri Nets:
Central Models and Their Properties, Advances in Petri Nets 1986, W. Brauer,
W. Reisig and G. Rosenberg (eds.), Lecture Notes in Computer Sciences, Vol.
254-I, pp. 359–376, Springer-Verlag, 1987.
[Berthomieu 87] B. Berthomieu, “Methods for Carrying Proofs on Petri Nets Using their Struc-
tural Properties,” Technical Report, Laboratoire d’Automatique et d’Analyse
des Systèmes du CNR (Toulouse, France), January, 1987.
[Best 86] E. Best, C. Fernández, “Notation and Terminology on Petri Net Theory,”
Arbeitspapiere der Gesellschaft für Math. und Datenverarbeitung, No. 195,
1986.
[Best 91] E. Best, “Design Methods Based on Nets: Esprit Basic Research Action
DEMON” Advances in Petri nets, 1990, G. Rozenberg (ed.), pp. 487–506,
Springer-Verlag, 1991.
88
BIBLIOGRAPHY 89
[Brave 90] Y. Brave, M. Heymann, “Stabilization of Discrete-Event Processes,” Int. J.
Control, Vol. 51, No. 50, pp. 1101–1117, 1990.
[Campos 91] J. Campos, G. Chiola, M. Silva, “Ergodicity and Throughput Bounds of Petri
Nets with Unique Consistent Firing Count Vector,” IEEE Trans. on Software
Engineering, Vol. SE-17, No. 2, pp. 117–125, February, 1991.
[Cieslak 91] R. Cieslak, C. Desclaux, A.S. Fawaz, P. Varaiya, “Supervisory Control of
Discrete-Event Processes with Partial Observations,” IEEE Trans. on Auto-
matic Control, Vol. AC-33, No. 3, pp. 249–260, March, 1991.
[Chen 91] E. Chen, S. Lafortune, “Dealing with Blocking in Supervisory Control of Dis-
crete Event Systems,” to appear in IEEE Trans. on Automatic Control, 1991.
[Colom 89] J.M. Colom, “Análisis Estructural de Redes de Petri, Programación Lineal
y Geometria Convexa,” Tesis Doctoral, Universidad de Zaragoza (Zaragoza,
Spain), 1989.
[Crockett 87] D. Crockett, A. Desrochers, F. DiCesare, T. Ward, “Implementation of a
Petri Net Controller for a Machining Workstation,” Proc. IEEE Int. Conf. on
Robotics and Automation (Raleigh, North Carolina), pp. 1861–1867, April,
1987.
[Datta 84] A.K. Datta, S. Gosh, “Synthesis of a Class of Deadlock-Free Petri Nets,” Jour.
of the Association for Computing Machinery, Vol. 31, No. 3, pp. 486-506,
July, 1984.
[Datta 86] A.K. Datta, S. Gosh, “Modular Synthesis of Deadlock-Free Control Struc-
tures,” Foundation of Software Technology and Theoretical Computer Sci-
ence, Vol. 241, G. Goos and J. Hartmanis (eds.), Springer-Verlag, pp. 288–
318,1986.
[De Cindio 82] F. De Cindio, G. De Michelis, L. Pomello, C. Simone, “Superposed Automata
Nets,” Application and Theory of Petri Nets, C. Girault and W. Reisig (eds.),
Informatik-Fachberichte, Vol. 52, pp. 269–279, Springer-Verlag, 1982.
[De Cindio 83] F. De Cindio, G. De Michelis, L. Pomello, C. Simone, “Milner’s Commu-
nicating Systems and Petri Nets,” Application and Theory of Petri Nets, A.
Pagnoni and G. Rozenberg (eds.), Informatik-Fachberichte, Vol. 66, pp. 40–
59, Springer-Verlag, 1983.
[DiCesare 91] F. DiCesare, A. Fanni, A. Giua, “Controllo dei sistemi ad eventi discreti me-
diante reti di Petri,” Ricerca Operativa, No. 58, pp. 2–47, 1991.
[Giua 90a] A. Giua, “Petri Net Languages for the Control of Discrete Event Systems,”
Master’s Thesis, Dept. Electrical Computer and Systems Engineering, Rens-
selaer Polytechnic Institute (Troy, New York), 1990.
[Giua 90b] A. Giua, F. DiCesare, “Easy Synchronized Petri Nets as Discrete Event Mod-
els,” Proc. 29th IEEE Int. Conf. on Decision and Control (Honolulu, Hawaii),
pp. 2839–2844, December, 1990.
[Giua 91] A. Giua, F. DiCesare, “Supervisory Design Using Petri Nets,” Proc. 30th
IEEE Int. Conf. on Decision and Control (Brighton, England), pp. 385–390,
December, 1991.
BIBLIOGRAPHY 90
[Giua 92a] A. Giua, F. DiCesare, “GRAFCET and Petri Nets in Manufacturing,” will ap-
pear in Programming Environments for Computer Integrated Manufacturing,
W.A. Gruver and J.C. Boudreaux (Eds.), Springer-Verlag, 1992.
[Giua 92b] A. Giua, F. DiCesare, M. Silva, “Generalized Mutual Exclusion Constraints
for Petri Nets with Uncontrollable Transitions,” will appear in Proc. 1992
IEEE Int. Conf. on Systems, Man, and Cybernetics (Chicago, Illinois), Octo-
ber, 1992.
[Giua 92c] A. Giua, F. DiCesare, “On the Existence of Petri Nets Supervisors,” submitted
to 31th IEEE Int. Conf. on Decision and Control (Tucson, Arizona), Decem-
ber, 1992.
[Giua 92d] A. Giua, F. DiCesare, “Petri Net Incidence Matrix Analysis for Supervisory
Control,” Working Paper, Rensselaer Polytechnic Institute (Troy, New York),
1992.
[Golaszewski 88] C.H. Golaszewski, P.J. Ramadge, “Mutual Exclusion Problems for Discrete
Event Systems with Shared Events,” Proc. IEEE 27th Int. Conf. on Decision
and Control (Austin, Texas), pp. 234–239, December, 1988.
[Hack 72] M. Hack, “Analysis of Production Schemata by Petri Nets,” Technical Report
94, Project MAC, Massachusetts Institute of Technology (Cambridge, Mas-
sachusetts), February, 1972.
[Hack 74] M. Hack, “Extended State Machine Allocatable Nets, an Extension of
Free Choice Petri Nets Results,” Computation Structures Group Memo 78-
1, Project MAC, Massachusetts Institute of Technology (Cambridge, Mas-
sachusetts), 1974.
[Hack 75a] M. Hack, “Petri Nets Languages,” Computation Structures Group Memo
124, Project MAC, Massachusetts Institute of Technology (Cambridge, Mas-
sachusetts), June, 1975.
[Hack 75b] M. Hack, “Decidability Questions for Petri Nets,” Ph.D. dissertation, Dept.
of Electrical Engineering, Massachusetts Institute of Technology (Cambridge,
Massachusetts), December, 1975.
[Hailpern 83] B.T. Hailpern, S.S. Owicki, “Modular Verification of Computer Communica-
tion Protocols,” IEEE Trans. on Communication, Vol. COM-31, No. 1, pp.
56–68, January, 1983.
[Heymann 90] M. Heymann, “Concurrency and Discrete Event Control,” IEEE Control Sys-
tems Magazine, pp. 103–112, June, 1990.
[Holloway 90] L.E. Holloway, B.H. Krogh, “Synthesis of Feedback Control Logic for a Class
of Controlled Petri Nets,” IEEE Trans. on Automatic Control, Vol. AC-35, No.
5, pp. 514–523, May, 1990.
[Holloway 92a] L.E. Holloway, B.H. Krogh, “On Closed-loop Liveness of Discrete Event Sys-
tems Under Maximally Permissible Control,” IEEE Trans. on Automatic Con-
trol, Vol. AC-37, No. 5, pp. 692–697, May, 1992.
[Holloway 92b] L.E. Holloway, F. Hossain, “Feedback Control for Sequencing Specifications
in Controlled Petri Nets,” 3rd Int. Conf. on Computer Integrated Manufactur-
ing (Troy, New York), pp. 242–251, May, 1992.
BIBLIOGRAPHY 91
[Hoare 85] C. A. R. Hoare, “Communicating Sequential Processes,” Prentice-Hall, 1985.
[Ichikawa 85] A. Ichikawa, K. Yokoyama, S. Kurogy, “Reachability and Control of Discrete
Event Systems Represented by Conflict-Free Petri Net,” Proc. IEEE Int. Symp.
Circuits and Systems (Kyoto, Japan), pp. 487–490, May, 1985.
[Ichikawa 88a] A. Ichikawa, K. Hiraishi, “Analysis and Control of Discrete Event Systems
Represented by Petri Nets,” Discrete Events Systems: Models and Applica-
tions, P. Varaiya and A.B. Kurzhanski (eds.), Lecture Notes in Control and
Information Sciences, Vol. 103, pp. 115–134, Springer-Verlag, 1988.
[Ichikawa 88b] A. Ichikawa, K. Hiraishi, “A Class of Petri Nets That a Necessary and Suffi-
cient Condition for Reachability is Obtainable,” Trans. Society of Instrument
and Control Engineers, SICE (in Japanese), Vol. 24, No. 6, 1988.
[Inan 88] K. Inan, P. Varaiya, “Finitely Recursive Process Models for Discrete Event
Systems,” IEEE Trans. on Automatic Control, Vol. AC-33, No. 7, pp. 626–
639, July, 1988.
[Johnen 87] C. Johnen, “Analyse Algorithmique des Réseaux de Petri: Verification
d’Espace d’Accueil, Systemès de Réécriture,” Thèse Doctoral, Université
Paris–Sud (Paris, France), 1987.
[Jantzen 87] M. Jantzen, “Language Theory of Petri Nets,” Petri Nets: Central Models and
Their Properties, Advances in Petri Nets 1986, W. Brauer, W. Reisig and G.
Rosenberg (eds.), Lecture Notes in Computer Sciences, Vol. 254-I, pp. 397–
412, Springer-Verlag, 1987.
[Jungnitz 92] H. Jungnitz, “Approximation Methods for Stochastic Petri Nets,” Ph.D. The-
sis, Rensselaer Polytechnic Institute (Troy, New York), May, 1992.
[Kasturia 88] E. Kasturia, F. DiCesare, A. Desrochers, “Real Time Control of Multilevel
Manufacturing Systems Using Colored Petri Nets,” Proc. IEEE Int. Conf. on
Robotics and Automation (Philadelphia, Pennsylvania), pp. 1114–1119, April,
1988.
[Koh 92] I. Koh, “A Transformation Theory for Petri Nets and Their Applications to
Manufacturing Automation,” Ph.D. Thesis, Rensselaer Polytechnic Institute
(Troy, New York), December, 1991.
[Krogh 86] B.H. Krogh, C.L Beck, “ Synthesis of Place/Transition Nets for the Simula-
tion and Control of Manufacturing Systems,” Proc. 4th IFAC/IFORS Symp. on
Large Scale Systems (Zurich, Switzerland), August, 1986.
[Krogh 87] B.H. Krogh, “Controlled Petri Nets and Maximally Permissible Feedback
Logic,” Proc. 25th Allerton Conf. on Communications, Control, and Com-
puting (Urbana-Champaign, Illinois), pp. 317–326, September, 1987.
[Krogh 91] B.H. Krogh, L.E. Holloway, “Synthesis of Feedback Control Logic for Dis-
crete Manufacturing Systems,” Automatica, Vol. 27, No. 4, pp. 641–651, July-
August, 1991.
[Lafortune 90a] S. Lafortune, E. Chen, “The Infimal Closed Controllable Superlanguage and
Its Application in Supervisory Control,” IEEE Trans. on Automatic Control,
Vol. AC-35, No. 4, pp. 398–405, April, 1990.
BIBLIOGRAPHY 92
[Lafortune 90b] S. Lafortune, H. Yoo, “Some Results on Petri net Languages,” IEEE Trans. on
Automatic Control, Vol. AC-35, No. 4, pp. 482–485, April, 1990.
[Lafortune 91] S. Lafortune, F. Lin, “On Tolerable and Desirable Behaviors in Supervisory
Control of Discrete Event Systems,” J. of Discrete Event Dynamic Systems,
January, 1991.
[Li 88] Y. Li, W.M. Wonham, “Controllability and Observability in the State-
Feedback Control of Discrete-Event Systems,” Proc. 27th IEEE Conf. De-
cision and Control (Austin, TX), pp. 203–208, December, 1988.
[Lin 88] F. Lin, W.M. Wonham, “Decentralized Control and Coordination of Discrete-
Event Systems,” Proc. 27th IEEE Conf. Decision and Control (Austin, TX),
pp. 1125–1130, December, 1988.
[Lin 90] F. Lin, W.M. Wonham, “Decentralized Control and Coordination of Discrete-
Event Systems with Partial Observation,” IEEE Trans. on Automatic Control,
Vol. AC-35, No. 12, pp. 1330–1337, December, 1990.
[Milne 79] G. Milne, R. Milner, “Concurrent Processes and Their Syntax,” Jour. ACM,
Vol. 26, No. 2, pp. 302–321, April, 1979.
[Milner 80] R. Milner, “A Calculus of Communicating Systems,” Lecture Notes in Com-
puter Science 92, Springer-Verlag, 1980.
[Murata 77] T. Murata, “Circuit Theoretic Analysis and Synthesis of Marked Graphs,”
IEEE Trans. on Circuits and Systems, Vol. CAS-24, No. 7, pp. 400–405, July,
1977.
[Murata 86] T. Murata, N. Komoda, K. Matsumoto, K. Haruna, “A Petri Net-Based Con-
troller for Flexible and Maintainable Sequence Control and its Application in
Factory Automation,” IEEE Trans. on Industrial Electronics, Vol. IE-33, No.
1, pp. 1–8, February, 1986.
[Murata 89] T. Murata, “ Petri Nets: Properties, Analysis and Applications,” Proceedings
IEEE, Vol. PROC-77, No. 4, pp. 541–580, April, 1989.
[Narahari 85] Y. Narahari, N. Viswanadham, “A Petri Net Approach to the Modeling and
Analysis of Flexible Manufacturing Systems,” Annals of Operations Re-
search, Vol. 3, pp. 449–472, 1985.
[Ostroff 90a] J.S. Ostroff, W.M. Wonham, “A Framework for Real-Time Discrete Event
Control,” IEEE Trans. on Automatic Control, Vol. AC-35, No. 4, pp. 386–
397, April, 1990.
[Ostroff 90b] J.S. Ostroff, “A logic for Real-Time Discrete Event Processes,” IEEE Control
Systems Magazine, pp. 95–102, June, 1990.
[Özveren 90] C.M. Özveren, A.S. Willsky, “Observability of Discrete Event Dynamic Sys-
tems,” IEEE Trans. on Automatic Control, Vol. AC-35, No. 7, pp. 797–806,
July, 1990.
[Parigot 86] M. Parigot, E. Peltz, “A Logical Formalism for the Study of the Finite Behav-
ior of Petri Nets,” Advances in Petri Nets 1985, Lecture Notes in Computer
Science 222, G. Rozenberg (ed.), Springer-Verlag, pp. 346–361, 1986.
BIBLIOGRAPHY 93
[Peltz 86] E. Peltz, “Infinitary Languages of Petri Nets and Logical Sentences,” Proc.
7th European Workshop on Application and Theory of Petri Nets (Oxford,
England), Sheffield City Polytech., pp. 224–237, 1986.
[Peterson 81] J.L. Peterson, “Petri Net Theory and the Modeling of Systems,” Prentice-Hall,
1981.
[Pnueli 79] A. Pnueli, “The Temporal Semantics of Concurrent Programs,” Proc. Int.
Symposium on Semantics of Concurrent Computation (Evian, France), Lec-
ture Notes in Computer Science 70, Springer-Verlag, pp. 1–20, 1979.
[Ramadge 83] P.J. Ramadge, “Control and Supervision of Discrete Event Processes,” Ph.D.
Thesis, Dept. Electrical Engineering, Univ. Toronto (Toronto, Ontario), 1983.
[Ramadge 86] P.J. Ramadge, W.M. Wonham, “Modular Supervisory Control of Discrete-
Event Systems,” Proc. 7th Int. Conf. Analysis and Optimization of Systems
(Antibes, France), pp. 202–214, June, 1986.
[Ramadge 87] P.J. Ramadge, W.M. Wonham, “Supervisory Control of a Class of Discrete-
Event Processes,” SIAM Jour. Control and Optimization, Vol. 25, No. 1, pp.
206–230, January, 1987.
[Ramadge 88] P.J. Ramadge, “Supervisory Control of Discrete Event Systems: A Survey
and Some New Results,” Discrete Event Systems: Models and Applications,
Varaiya and Kurzhanski (eds.), Lecture Notes in Control and Information Sci-
ences, N. 103, pp. 69-80, Springer-Verlag, 1988.
[Ramadge 89a] P.J. Ramadge, “Some Tractable Supervisory Control Problem for Discrete-
Event Systems Modeled by Büchi Automata,” IEEE Trans. on Automatic Con-
trol, Vol. AC-34, No. 1, pp. 10–19, January, 1989.
[Ramadge 89b] P.J. Ramadge, W.M. Wonham, “The Control of Discrete Event Systems,” Pro-
ceedings IEEE, Vol. PROC-77, No. 1, pp. 81–98, January, 1989.
[Reisig 85] W. Reisig, “Petri Nets: An Introduction,” EATCS Monographs on Theoretical
Computer Science, Vol. 4, W. Brauer, G. Rozenberg and A. Salomaa (eds.),
Springer-Verlag, 1885.
[Silva 80] M. Silva, “Simplification des rèseaux de Petri par elimination des places im-
plicites,” Digital Processes, Vol. 6, pp. 245–256, 1980.
[Silva 83] M. Silva, S. Velilla, “Programmable Logic Controllers and Petri nets: a com-
parative study,” IFAC Conference on Software for Computer Control, E.A.
Puente and Ferrate (Eds.), pp. 83–88, Pergamon Press, 1983.
[Silva 85] M. Silva, Las redes de Petri en la Automatica y la Informatica, Ed. AC,
Madrid, Spain, 1985.
[Silva 89a] M. Silva, J.M. Colom, “On the Computation of Structural Synchronic Invari-
ants in P/T Nets” Advances in Petri nets, 1988, G. Rozenberg ed., pp. 386–
417, Springer-Verlag, 1989.
[Silva 89b] M. Silva, “Logic Controllers,” Proc. IFAC Int. Symp. on Low Cost Automation
(Milan, Italy), pp. 157–165 bis, November, 1989.
BIBLIOGRAPHY 94
[Silva 92] M. Silva, J.M. Colom, J. Campos, “Linear Algebraic Techniques for the Anal-
ysis of Petri Nets,” Proc. Int. Symp. on Mathematical Theory of Networks and
Systems, MITA Press (Tokyo, Japan), (to appear) 1992.
[Sreenivas 92] R.S. Sreenivas, B.H. Krogh, “On Petri Net Models of Infinite State Supervi-
sors,” IEEE Trans. on Automatic Control, Vol. AC-37, No. 2, pp. 274–277,
February, 1992.
[Tadmor 89] G. Tadmor, O. Maimon, “Control of Large Discrete Event Systems: Construc-
tive Algorithms,” IEEE Trans. on Automatic Control, Vol. AC-34, No. 11, pp.
1164–1168, November, 1989.
[Tsitsiklis 87] J.N. Tsitsiklis, “On the Control of Discrete-Event Dynamical Systems,” Proc.
26th IEEE Int. Conf. Decision and Control (Los Angeles, California), pp.
419–422, December, 1987.
[Ushio 88] T. Ushio, R. Matsumoto, “State Feedback and Modular Control Synthesis in
Controlled Petri Nets,” Proc. 27th Int. Conf. Decision and Control (Austin,
Texas), pp. 1502–1507, December, 1988.
[Ushio 89] T. Ushio, “On the Controllability of Controlled Petri Nets,” Control-Theory
and Advanced Technology, Vol. 5, No. 3, pp. 265–275, September, 1989.
[Ushio 90] T. Ushio, “On The Existence of Finite State Supervisors in Discrete-Event
Systems,” Proc. 29th IEEE Int. Conf. Decision and Control (Honolulu,
Hawaii), pp. 2857–2860, December, 1990.
[Viswanadham 90] N. Viswanadham, Y. Narahari, T.J. Johnson, “Deadlock Prevention and Dead-
lock Avoidance in Flexible Manufacturing Systems Using Petri Net Models,”
IEEE Trans. on Robotics and Automation, Vol. RA-6, No. 6, pp. 713–723,
December, 1990.
[Wonham 87] W.M. Wonham, P.J. Ramadge, “On the Supremal Controllable Sublanguage
of a Given Language,” SIAM Jour. Control and Optimization, Vol. 25, No. 3,
pp. 637–659, May, 1987.
[Wonham 88a] W.M. Wonham, “A Control Theory for Discrete-Event Systems,” Advanced
Computing Concepts and Techniques in Control Engineering, M.J. Denham
and A.J. Laub (eds.), Springer-Verlag, pp. 129–169, 1988.
[Wonham 88b] W.M. Wonham, P.J. Ramadge, “Modular Supervisory Control of Discrete-
Event Systems,” Math. Control Signals Systems, Vol. 1, No. 1, pp. 13–30,
1988.
[Zhou 90] M.C. Zhou, “A Theory for the Synthesis and Augmentation of Petri Nets
in Automation,” Ph.D. Thesis, Rensselaer Polytechnic Institute (Troy, New
York), May, 1990.
[Zhou 91] M.C. Zhou, F. DiCesare, “Parallel and Sequential Mutual Exclusions for
Petri Net Modeling of Manufacturing Systems with Shared Resources,” IEEE
Trans. on Robotics and Automation, Vol. RA-7, No. 4, pp. 515–527, August,
1991.
Appendix A
PETRI NET LANGUAGES
A.1 Petri Net Generators
A labeled Petri net (or Petri net generator) is a 4-tuple G = (N, , M
0
, F) where [Jantzen 87,
Peterson 81]:
• N = (P, T, Pre, Post) is a Petri net structure;
• : T → Σ ∪ ¦λ¦ is a labeling function that assigns to each transition a label from the
alphabet of events Σ or assigns the empty string as a label;
• M
0
is an initial marking;
• F is a finite set of final markings.
We will use Petri net generators to represent discrete event systems. Thus we will use the word
system to refer to a Petri net generator.
Three different type of labeling functions are usually considered.
• In a free-labeled PN all transitions are labeled distinctly and none is labeled λ, i.e., (∀t, t


T) [t ,= t

=⇒ (t) ,= (t

)] and (∀t ∈ T) [(t) ,= λ].
• In a λ-free labeled PN no transition is labeled λ.
• In a arbitrary labeled PN no restriction is posed on .
The labeling function may be extended to a function : T

→ Σ

defining: (λ) = λ and
(∀t ∈ T, ∀σ ∈ T

) [(σt) = (σ)(t)].
Four languages are associated with G depending on the different notions of terminal strings.
• The L-type or terminal language
1
is defined as the set of strings generated by firing se-
quences that reach a final marking, i.e.,
L
L
(G) = ¦(σ) [ M
0
[σ) M
f
∈ F¦.
• The G-type or covering language or weak language is defined as the set of strings generated
by firing sequences that reach a marking M covering a final marking, i.e.,
L
G
(G) = ¦(σ) [ M
0
[σ) M ≥ M
f
∈ F¦.
The D-type or deadlock language is defined as the set of strings generated by firing se-
quences that reach a marking at which no transition is enabled, i.e.,
L
D
(G) = ¦(σ) [ M
0
[σ) M ∧ (∀t ∈ T)M [t)¦.
1
This language is called marked behavior in the framework of Supervisory Control and is denoted L
m
(G).
95
APPENDIX A. PETRI NET LANGUAGES 96
Figure A.1: Free-labeled system G in Example A.1.
• The P-type or prefix language
2
is defined as the set of strings generated by any firing se-
quence, i.e.,
L
P
(G) = ¦(σ) [ M
0
[σ) ¦.
Example A.1. The system G in Figure A.1 is free-labeled. The initial marking, also shown in
the figure, is M
0
= (1000)
T
. The set of final markings is F = ¦(0010)
T
¦. The languages of this
system are:
L
L
(G) = ¦a
m
cb
m
[ m ≥ 0¦;
L
G
(G) = ¦a
m
cb
n
[ m ≥ n ≥ 0¦;
L
D
(G) = ¦a
m
cb
n
d [ m ≥ n ≥ 0¦;
L
P
(G) = ¦a
m
[ m ≥ 0¦ ∪ ¦a
m
cb
n
[ m ≥ n ≥ 0¦ ∪ ¦a
m
cb
n
d [ m ≥ n ≥ 0¦.
A.2 Classes of Petri Net Languages
The classes of Petri net languages are denoted as follows.
• L
f
(resp. (
f
, T
f
, T
f
) denotes the class of terminal (resp. covering, deadlock, prefix) lan-
guages generated by free-labeled PN generators.
• L (resp. (, T, T) denotes the class of terminal (resp. covering, deadlock, prefix) languages
generated by λ-free labeled PN generators.
• L
λ
(resp. (
λ
, T
λ
, T
λ
) denotes the class of terminal (resp. covering, deadlock, prefix) lan-
guages generated by arbitrary labeled PN generators.
The following table shows the relationship among these classes. Here →represents set inclu-
sion ⊇.
Some of these relations are easily proved. As an example, any P-type language of a generator
G may also be obtained as a G-type language defining as a set of final markings F = ¦

0¦.
2
This language is called closed behavior in the framework of Supervisory Control and is denoted L(G).
APPENDIX A. PETRI NET LANGUAGES 97
L
λ
→ L → L
f
↓↑ ↓↑
T
λ
→ T → T
f
↓ ↓
(
λ
→ ( → (
f
↓ ↓ ↓
T
λ
→ T → T
f
Table A.1: Known relations among classes of Petri net languages. An arc → represents the set
inclusion.
Figure A.2: Nondeterministic system G

in Example A.2.
A.3 Deterministic Languages
A PN generator G is deterministic if the labeling function and the behavior of G are such that
∀t, t

∈ T, with t ,= t

and ∀M ∈ R(N, M
0
), M [t)∧M [t

) =⇒ [(t) ,= (t

), (t) ,= λ, (t

) ,=
λ].
This means that the knowledge of the string generated by the system from the initial marking
is sufficient to determine the actual marking of the system.
We can then define twelve new classes of PN languages. For each of the previously defined
classes we will denote with the subscript d the corresponding deterministic subclass. Thus L
d
will
denote the subclass of L generated by deterministic Petri nets, etc.
The relations among the subclasses of deterministic languages are different from those re-
ported in Table A.1 for the general classes. Table A.1 shows that T ⊂ L. However, the next
example shows that T
d
,⊂ L
d
.
Example A.2. Consider again the deterministic system G in Figure A.1 with set of final markings
F = ¦(0001)
T
¦. Here L
P
(G) = ¦a
m
[ m ≥ 0¦ ∪ ¦a
m
cb
n
[ m ≥ n ≥ 0¦ ∪ ¦a
m
cb
n
d [ m ≥
n ≥ 0¦ is a deterministic P − type PN language. We want to construct a new system G

such
that L
L
(G

) = L
P
(G). A possible solution is the system in Figure A.2 with set of final states
F = ¦(1000)
T
, (0010)
T
, (0001)
T
¦. However G

is nondeterministic, since the two transitions
labeled a are both enabled at the initial marking. It is intuitively clear that no deterministic Petri
net may generate L
P
(G) as a terminal language if F is finite.
In the framework of Supervisory Control, we will consider the L − type and P − type lan-
guage generated by deterministic systems. A new subclass of L, called deterministic P-closed is
discussed in Chapter 4. This class, denoted L
DP
, will play a major role in deriving necessary
and sufficient conditions for the existence of supervisors represented as deterministic Petri net
generators.
APPENDIX A. PETRI NET LANGUAGES 98
Figure A.3: Relations among the class L and other classes of formal languages.
A.4 Closure Properties and Relations with Other Classes
Parigot and Peltz have defined PN languages as regular languages with the additional capability of
determining if a string of parenthesis is well formed. If we consider the class L of PN languages,
it is possible to prove that L is a strict superset of regular languages and a strict subset of context-
sensitive languages. In the diagram in Figure A.3, the set L is denoted “L PN languages”.
It is possible to prove that L and the class of context-free languages are not commensurable.
An example of a language in L that is not context-free: L = ¦a
m
b
m
c
m
[ m ≥ 0¦. An example of
a language that is context-free but is not in L: L = ¦ww
R
[ w ∈ Σ

¦
3
if [Σ[ > 1.
The class L is closed under: concatenation, union, intersection, concurrent composition. The
class L is not closed under: Kleene star, prefix closure
4
.
A.5 Concurrent Composition and System Structure
In this section we will review the counterpart of language operators on the structure of a PN
generator. We will consider only the concurrent composition operator, since other operators of
interest, such as the intersection and shuffle operators may be considered as a special case of
concurrent composition.
Let G
1
= (N
1
,
1
, M
0,1
, F
1
) and G
2
= (N
2
,
2
, M
0,2
, F
2
) be two PN generators. Their
concurrent composition, denoted also G = G
1
| G
2
, is the system G = (N, , M
0
, F) that
generates L
L
(G) = L
L
(G
1
) | L
L
(G
2
) and L
P
(G) = L
P
(G
1
) | L
P
(G
2
).
The structure of G may be determined as follows. Let P
i
, T
i
and Σ
i
(i = 1, 2) be the place
set, transition set, and the alphabet of G
i
.
• The place set P of N is the union of the place sets of N
1
and N
2
, i.e., P = P
1
∪ P
2
.
• The transition set T of N and the corresponding labels are computed as follows.
– Let a ∈ Σ
1
¸ Σ
2
(a ∈ Σ
2
¸ Σ
1
) be the label of a transition t ∈ T
1
(t ∈ T
2
). Then a
labels a transition in T with the same input and output bag of t.
– Let a ∈ Σ
1
∩ Σ
2
be labeling m
1
transitions in T
1
and m
2
transitions in T
2
. Then
m
1
m
2
transitions in T will be labeled a. The input (output) bag of each of these
transitions is the sum of the input (output) bags of one transition in T
1
and of one
transition in T
2
.
• M
0
= [M
T
0,1
M
T
0,2
]
T
.
3
The string w
R
is the reversal of string w.
4
As proved in Section 4.2.
APPENDIX A. PETRI NET LANGUAGES 99
Figure A.4: Two systems G
1
, G
2
and their concurrent composition G in Example A.3.
• F is the cartesian product of F
1
and F
2
, i.e., F = ¦[M
T
1
M
T
2
]
T
[ M
1
∈ F
1
, M
2
∈ F
2
¦.
Note that while the set of places grows linearly, the set of transitions and of final markings may
grow faster. The composition of more than two systems may computed by repeated application of
the procedure for composing two systems.
Example A.3. Let G
1
= (N
1
,
1
, M
0,1
, F
1
) and G
2
= (N
2
,
2
, M
0,2
, F
2
) be two systems in
Figure A.4. Here F
1
= ¦(10)
T
¦ and F
2
= ¦(10)
T
, (01)
T
¦. Their concurrent composition G =
G
1
| G
2
is also shown in Figure A.4. The initial marking of G is M
0
= (1010)
T
and its set of
final markings is F = ¦(1010)
T
, (1001)
T
¦.
We will use the following structural notation for composed systems.
Let G
1
= (N
1
,
1
, M
0,1
, F
1
) and G
2
= (N
2
,
2
, M
0,2
, F
2
) be two PN generators and G =
G
1
| G
2
= (N, , M
0
, F) their concurrent composition. Let N = (P, T, Pre, Post) and N
i
=
(P
i
, T
i
, Pre
i
, Post
i
), (i = 1, 2). We define:
• The projection of P on net N
i
, (i = 1, 2), as P ↑
i
= P
i
.
• The projection of T on net N
i
, (i = 1, 2), as T ↑
i
= ¦t ∈ T [ (

t ∪ t

) ∩ P ↑
i
,= ∅¦. Note
that T ↑
i
may be different from T
i
, since additional transitions may have been introduced
by composing systems in which the same symbol is labeling more than one transition.
• The projection of Pre on net N
i
, (i = 1, 2), denoted Pre ↑
i
, as the restriction of Pre to
P ↑
i
T ↑
i
.
• The projection of Post on net N
i
, (i = 1, 2), denoted Post ↑
i
, as the restriction of Post to
P ↑
i
T ↑
i
.
Also let M be a marking, σ be a firing count vector, and σ a firing sequence defined on net N.
The projection of M on N
i
, (i = 1, 2), denoted M ↑
i
, is the vector obtained from M by removing
APPENDIX A. PETRI NET LANGUAGES 100
all the components associated to places not present in N
i
. The projection of σ over N
i
, (i = 1, 2),
denoted σ ↑
i
, is the vector obtained by σ removing all the components associated to transitions not
present in N
i
. The projection of σ on N
i
, (i = 1, 2), denoted σ ↑
i
, is the firing sequence obtained
by σ removing all the transitions not present in N
i
.
Appendix B
AN INTRODUCTION TO
SUPERVISORY CONTROL
B.1 Discrete Event Systems and Properties
In the supervisory control theory developed by Ramadge, Wonham, et al., a DES is simply a
generator of a formal language, defined on an alphabet Σ. The two languages associated with a
DES G are:
• The closed behavior L(G) ⊆ Σ

, a prefix-closed language that represents the possible
evolutions of the system.
• The marked behavior L
m
(G) ⊆ L(G), that represents the evolutions corresponding to the
completion of certain tasks.
Although Ramadge and Wonham have used in their seminal papers a state machine based rep-
resentation for DES, the theory they built is very general. Any other formalism that can represent
the closed and marked behavior of a system may be used in this framework. In the examples pre-
sented in this section we will use state machine models to be consistent with the original notation.
When relevant, however, we will mention Petri nets.
Example B.1. The state machine in Figure B.1 represents a discrete event system G. The initial
state is denoted by an arrow, the final states (just one in this example) are denoted by a double
circle. The languages associate to G are:
L
m
(G) = ¦abc
n
[ n ≥ 0¦ = abc

;
L(G) = ¦λ¦ ∪ ¦a¦ ∪ ¦abc
n
[ n ≥ 0¦ = abc

= L
m
(G),
where the overline bar represent the prefix closure operator.
We have discussed in Appendix A how the closed and marked behavior may be associated
with a Petri net.
Figure B.1: A discrete event system modeled by a finite state machine.
101
APPENDIX B. AN INTRODUCTION TO SUPERVISORY CONTROL 102
Figure B.2: A blocking discrete event system and its trimmed structure in Example B.1.
A DES is said to be nonblocking if any string w ∈ L(G) can be completed into a string
wx ∈ L
m
(G), i.e., into a string that belongs to the marked language. More formally, a DES G is
nonblocking if L
m
(G) = L(G).
This property may be restated for state machines as follows. Let us define as reachable a state
that may be reached from the initial state, and as coreachable a state from which it is possible
to reach a final state. Then a state machine is nonblocking if and only if all reachable states are
coreachable.
Example B.2. In Figure B.2 we have a blocking system G
1
. The strings “ab” and “aca” cannot
be completed into a string that belongs to the marked language. Equivalently, from state q it is not
possible to reach a final marking.
Note that the DES may be trimmed removing the state q and the transitions entering it. In this
case we obtain the new DES G
2
with
L
m
(G
2
) = L
m
(G
1
),
L(G
2
) = L
m
(G
2
) = L
m
(G
1
) ⊂ L(G
1
).
Similarly, a Petri net is nonblocking if from any reachable marking it is possible to reach a fi-
nal marking. Note that this property is significantly different from deadlock-freeness and liveness.
Deadlock-freeness means that the reachability set does not contain a dead marking, i.e., a marking
that enables no transition. However a nonblocking system may have a dead marking (if it is a final
marking). Liveness implies that from any reachable marking there exists a firing sequence con-
taining all transitions. The following example shows nets with different combinations of liveness
and nonblocking properties (deadlock-freeness is implied by liveness, so we will not discuss it).
Example B.3. In Figure B.3 are shown: a) a live and nonblocking system; b) a non-live and
nonblocking system; c) a live and blocking system; d) a nonlive and blocking system. The set of
final markings F is also given in the figure for each net.
B.2 Controllable Events and Supervisor
The events labels in Σ are partitioned into two disjoint subsets: the set Σ
c
of controllable events
(that can be disabled if desired), and the set Σ
u
of uncontrollable events (that cannot be disabled
by an external agent).
It often required to restrict the behavior of a system within the limits of a specification lan-
guage. We may only enable and disable the controllable events to achieve this behavior. The agent
who specifies which events are to be enabled and disabled is called a supervisor.
Let us define a control input as a subset γ ⊆ Σ satisfying Σ
u
⊆ γ (i.e., all the uncontrollable
events are present in the control input). If a ∈ γ, the event a is enabled by γ (permitted to occur),
APPENDIX B. AN INTRODUCTION TO SUPERVISORY CONTROL 103
Figure B.3: Combinations of nonblocking and liveness properties for Petri nets with set of final
markings F in Example B.2.
Figure B.4: A closed loop controlled discrete event system.
otherwise a is disabled by γ (prohibited from occurring); the uncontrollable events are always
enabled. Let Γ ⊆ 2
Σ
denote the set of all the possible control inputs.
A supervisor controls a DES G by switching the control input through a sequence of elements
γ
1
, γ
2
, . . . ∈ Γ, in response to the observed string of previously generated events.
A closed loop block diagram showing a system under supervision is shown in Figure B.4. A
point that should be stressed is the fact that the supervisor is implementing a trace feedback, rather
than a state feedback. That is, the control input is not a function of the present state of the system,
but of the string of events generated. If the system is deterministic, as generally assumed, it is
possible to reconstruct its state from the string of events generated. Thus trace feedback is more
general than state feedback.
Example B.4. Consider the system in Figure B.5, where Σ
c
= ¦a, c¦ and Σ
u
= ¦b¦. The
controllable transitions are denoted with a “:”. Assume we want a terminal string to contain the
event b exactly twice. Table B.1 summarizes the required control input γ after a string w has been
generated, and the corresponding state of the system. Note that in state q
0
the control input is
different depending on the value of w.
A supervisor may be given as a function f : L(G) → Γ specifying the control input f(w)
APPENDIX B. AN INTRODUCTION TO SUPERVISORY CONTROL 104
Figure B.5: System in Example B.4
state w γ
q
0
λ ¦a, b¦
q
1
a ¦a, b, c¦
q
0
ab ¦a, b¦
q
1
aba ¦a, b, c¦
q
0
abab ¦b, c¦
q
2
ababc ¦b, c¦
Table B.1: Control inputs in Example B.4.
to be applied for each possible string of events w generated by the system G. It also possible to
represent a supervisor as another DES S, that runs in parallel with the system G, i.e., whenever an
event occurs in G the same event will be executed by S. The events enabled at a given instant on
S determine the control input.
Example B.5. In Example B.4 the supervisor has been described in tabular format. A transition
structure for the same supervisor is shown in Figure B.6.
The closed loop system under control will be denoted S/G and may be considered as a new
discrete event system [Ramadge 87]. Let us assume in the following that the supervisor is given
as a DES S. Then, the closed behavior of S/G is
L(S/G) = L(G) ∩ L(S),
i.e., the subset of the uncontrolled behavior that survives under supervision. For what regards the
language accepted by S/G there are two possible definitions. If S has a set of final states we may
define as marked behavior of S/G as
L
m
(S/G) = L
m
(G) ∩ L
m
(S),
i.e., all marked strings of G that are also marked by S. If we assume that the supervisor does not
mark strings, i.e., it has no final states, L
m
(S) is not defined. In this case, we call the supervisor
non marking and we define L
m
(S/G) as
L
m
(S/G) = L
m
(G) ∩ L(S/G),
Figure B.6: Supervisor in Example B.5
APPENDIX B. AN INTRODUCTION TO SUPERVISORY CONTROL 105
Figure B.7: Closed loop system S/G in Example B.6.
Figure B.8: Systems G, S
1
, and S
2
in Example B.7.
i.e., the subset of the uncontrolled marked behavior that survives under supervision, and call it
controlled behavior
1
.
Example B.6. The DES in Figure B.7 represented the closed loop system S/G for the system
and supervisor discussed in Example B.5. Here the closed and marked behavior of S/G are
L(S/G) = ababc, and L
m
(S/G) = abab + ababc, as can be derived from the figure. If we had
considered a supervisor with no final states, we would have considered, in place of the marked
behavior, the controlled behavior L
m
(S/G) = λ +ab +abab +ababc.
Now let us assume that we are given two DES G and S. S qualifies as a proper supervisor for
G if the two following properties are ensured.
• controllability: S does not disable any uncontrollable event that may occur in G, i.e., (∀w ∈
L(S/G), ∀a ∈ Σ
u
) [wa ∈ L(G) =⇒ wa ∈ L(S/G)].
• nonblockingness (or properness): the behavior of the system under supervision must be
nonblocking, i.e., L(S/G) = L
m
(S/G).
Example B.7. Let G, S
1
, and S
2
be the DES in Figure B.8. Here Σ
c
= ¦b, c¦. S
1
is not a
supervisor for G because in the initial state it disables the uncontrollable event a that is enabled
in the initial state of G. S
2
is not a proper supervisor for G because if the event a is executed it
prevents the system from reaching the final state (in fact the event b is never enabled).
B.3 Supervisory Control Problem
Controlling a DES consists in restricting its open loop behavior within a given specification lan-
guage. Thus we may state the two following Supervisory Control Problems.
1
The notation is unfortunately ambiguous. In [Ramadge 87] L
m
(S/G) denotes the marked behavior of S/G, while
L
c
(S/G) denotes the controlled behavior. In [Ramadge 89b] and in the work of other authors, however, L
m
(S/G) has
been used to denote the controlled behavior of S/G, since only non marking supervisors are considered. We will use
L
m
(S/G) to denote the language accepted by the closed loop system, specifying whenever necessary if it represents
the marked or controlled behavior.
APPENDIX B. AN INTRODUCTION TO SUPERVISORY CONTROL 106
Figure B.9: System to control in Example B.8.
SCP1 Given a DES G and a specification language L ⊆ L(G), there exists a supervisor S such
that L(S/G) = L?
SCP2 Given a DES G and a specification language L ⊆ L
m
(G), there exists a nonblocking
supervisor S such that L
m
(S/G) = L? (Here we assume that S does not mark strings, i.e.,
L
m
(S/G) is the controlled behavior of S/G.)
The solution of these two problems is based on the notions of controllable language and
L
m
(G)-closure, defined in the following.
Alanguage K ⊂ Σ

is said to be controllable (with respect to L(G) and Σ
u
) if KΣ
u
∩L(G) ⊆
K. This means that it is always possible, preventing the occurrence of controllable transitions, to
restrict L(G) within K.
A language K ⊂ L
m
(G) is said to be L
m
(G)-closed if K = K ∩ L
m
(G). This means that
any marked string of G that is the prefix of some string of K is also a string of K.
The following two theorems, due to Ramadge and Wonham [Ramadge 87, Ramadge 89b],
give necessary and sufficient conditions for the existence of a supervisor.
Theorem B.1 ([Ramadge 87], P. 5.1). For nonempty L ⊆ L(G) there exists a supervisor S such
that L(S/G) = L if and only if L is prefix closed and controllable.
Theorem B.2 ([Ramadge 87], T. 6.1). For nonempty L ⊆ L
m
(G) there exists a nonblocking
supervisor S such that L
m
(S/G) = L if and only if L is L
m
(G)-closed and controllable.
Example B.8. The DES G in Figure B.9 has closed behavior L(G) = (a(b +cd))

, and marked
behavior L
m
(G) = (a(b +cd))

.
1. Let L = (ab)

be the desired closed behavior of the closed loop system.
(a) If Σ
u
= ¦a, d¦, L is controllable and may be enforced by a supervisor. The supervisor
simply needs to disable the controllable event c whenever the system is in state q
1
.
(b) If Σ
u
= ¦b, c¦, L is not controllable and cannot be enforced by a supervisor. In fact the
supervisor cannot disable the event c, which is now uncontrollable, when the system
is in state q
1
.
2. Let L = (abab)

be the desired controlled behavior of the closed loop system and assume
Σ
u
= ¦a, d¦. L is controllable, but is not L
m
(G)-closed. Hence there does not exit a
supervisor S such that L
m
(S/G) = L.
This can be also be shown by contradiction in this particular example. By definition of
controlled language, L
m
(S/G) = L
m
(G) ∩ L(S/G). Now assume L
m
(S/G) = L;
then w = abab ∈ L
m
(S/G) ⊆ L(S/G) and w

= ab ,∈ L
m
(S/G). However w ∈
L(S/G) =⇒ w

∈ L(S/G), i.e., w

∈ L
m
(G) ∩ L(S/G) = L
m
(S/G), a contradiction.
APPENDIX B. AN INTRODUCTION TO SUPERVISORY CONTROL 107
Another important result due to Ramadge and Wonham is concerned with the existence of
finite state machine supervisors.
Theorem B.3 ([Wonham 87], T. 3.1). Let G be a finite state machine (i.e., its closed and marked
behavior are regular languages) and let L be a regular specification language. If L satisfies the
conditions of Theorem B.1, the supervisor S such that L(S/G) = L may be represented as a
finite state machine. If L satisfies the conditions of Theorem B.2, the supervisor S

such that
L
m
(S

/G) = L may be represented as a finite state machine.
B.4 Supremal Controllable Sublanguage
Assume we want to restrict the closed behavior of a system G within the limits of a legal language
L that is not controllable. By Theorem B.1 a supervisor S such that L(S/G) = L does not
exist. However we may consider a controllable sublanguage K ⊆ L that may be enforced by a
supervisor S

. Thus the behavior of the closed loop system is now L(S

/G) = K ⊂ L, i.e., it is a
subset of the legal behavior.
We also want to minimally restrict the behavior of the system, i.e., we want to construct the
supervisor which allows the largest behavior of the system within the limits given by the specifi-
cation L. This behavior is called the supremal controllable sublanguage.
Let us define ((G) = ¦K [ KΣ
u
∩ L(G) ⊆ K¦ as the set of all languages controllable with
respect to L(G) and Σ
u
. Given a language Lwe will define the supremal controllable sublanguage
of L as
L

= sup¦K [ K ⊆ L, K ∈ ((G)¦
Theorem B.4 ([Ramadge 87], P. 7.1). The supremal controllable sublanguage for a given super-
visory control problem exists and is unique.
However it may well be the case that L

contains only the empty string or is even the empty
language.
Example B.9. For the problem in Example B.8.1b L

= ¦λ¦.
Since the supremal controllable sublanguage may be too restrictive, other controllable approx-
imations to L have been defined. An extension by Lafortune and Chen [Lafortune 90a] to the
standard Supervisory Control Problem, called SCPB (SCP with Blocking) considers a different
approximation of the desired behaviour in terms of Infimal Controllable Superlanguage defined as
L

= inf¦K [ K ⊇ L, K ∈ ((G)¦.
This may, however, generate blocking. We will not consider SCPB in this thesis.
Ramadge and Wonham have also shown that in the regular case (i.e., when both the system be-
havior and the specification behavior are regular languages) the supremal controllable sublanguage
is a regular language and can be computed in a finite number of steps.
As a final remark, we note that the supremal controllable sublanguage is optimal from a logical
point of view but not necessarily from the performance point of view.
Example B.10. The Petri net system in Figure B.10 has a delay associated with each event (i.e.,
each transition). The place p
0
represents the effect of the supervisor that ensures that places p
2
and p
6
are never marked at the same time. In order to minimally restrict the behavior we allow the
initial firing of either “ab” or “de”. Assume the delays are the following.
event a b c d e f
delay [s] 0 10 10 0 8 4
APPENDIX B. AN INTRODUCTION TO SUPERVISORY CONTROL 108
Figure B.10: A timed Petri net model in Example B.10.
If the sequence “ab” is initially executed, we have that the required time to reach the final marking
(0001001)
T
is 22 seconds, while if the sequence “de” is initially executed the final marking is
reached in 28 seconds. Clearly, if it is required that the system reaches the final marking in the
shortest time, it would be better to further restrict the system’s behavior allowing only the firing of
the sequence “ab” from the initial marking.
Appendix C
NOTATION
a, b, c, . . . Symbols of an alphabet, events.
B A basis of nonnegative P-invariants.
C = Post −Pre The incidence matrix of a P/T net.
((G) The set of languages controllable with respect to L(G) and Σ
u
, i.e., the
set ¦K [ KΣ
u
∩ L(G) ⊆ K¦.
E = G | H Discrete event system G constrained by specification H
F A set of final markings of a P/T net.
G A discrete event system. A Petri net model of a discrete event system is
G = (N, , M
0
, F).
H A discrete event system representing a specification.
K A controllable language.
: T → Σ A labeling function that assigns to each transition of a net a label from
the alphabet Σ.
L A language.
L The prefix-closure of language L.
L

The supremal controllable sublanguage of language L.
L(N, M
0
) The set of firing sequence of ¸N, M
0
).
L(G) The closed behavior of the discrete event system G. If G is given as
a Petri net model, the closed behavior is also called P-type Petri net
language of G.
L
m
(G) The marked behavior of the discrete event system G. If G is given as
a Petri net model, the marked behavior is also called L-type Petri net
language of G.
L, L
d
, L
DP
The sets of L-type, deterministic L-type, and DP-closed Petri net lan-
guages.
M : P → IN A marking of a P/T net (M
0
is an initial marking, M
f
is a final marking).
/( w, k) The set of marking satisfying a generalized mutual exclusion constraint,
i.e., the set ¦M ∈ IN
|P|
[ w
T
M ≤ k¦.
N = (P, T, Pre, Post) A P/T net.
N
R
The reversal of a P/T net N.
109
APPENDIX C. NOTATION 110
N
S
A P/T net N with the addition of a monitor place S, i.e. the net (P ∪
¦S¦, T, Pre
S
, Post
S
).
IN The set of nonnegative integers.
¸N, M
0
) A marked net, i.e., a net N with initial marking M
0
.
p A place of a P/T net.

p, p

The sets of input and output transitions of place p.
P A set of places of a P/T net.
Post : P T → IN The post-incidence matrix of a P/T net.
Pre : P T → IN The pre-incidence matrix of a P/T net.
PR(N, M
0
) The set of markings ¦M ∈ IN
|P|
[ (∃σ ∈ IN
|T|
)[M = M
0
+ C σ¦
(potentially reachable set).
PR
A
(N, M
0
) The set of markings ¦M ∈ IN
|P|
[ A M ≥ A M
0
¦.
PR
B
(N, M
0
) The set of markings ¦M ∈ IN
|P|
[ B
T
M = B
T
M
0
¦.
T, T
d
The sets of P-type, and deterministic P-type Petri net languages.
Q
X
The support of a vector X : A → IN, i.e., the set ¦a ∈ A [ X(a) > 0¦.
R(N, M
0
) The set of reachable markings of ¸N, M
0
) (reachability set).
S A supervisor.
o A siphon of a P/T net.
S/G The closed-loop system composed by the system G under the action of
supervisor S.
t A transition of a P/T net.

t, t

The sets of input and output places of transition t.
T A set of transitions of a P/T net.
T A trap of a P/T net.
w, x, y, z Strings of a language, sequences of events.
( w, k) A generalized mutual exclusion constraint.
(W,

k) A set of generalized mutual exclusion constraints.
X : A → IN A vector.
Y A nonnegative P-invariant (P-semiflow) of a P/T net.
γ A control input determined by a supervisor.
Γ The set of all possible control inputs determined by a supervisor.
θ A simple path of a P/T net.
λ The empty string.
σ A firing vector of transitions.
σ : T → IN A firing count vector of a marked net.
Σ An alphabet. Σ
c
is an alphabet of controllable events; Σ
u
is an alphabet
of uncontrollable events.
Σ

The Kleene star of alphabet Σ, i.e., the language containing all strings
composed with symbols in Σ and the empty string λ.
APPENDIX C. NOTATION 111
↑ The projection operator.
| The concurrent composition operator.
|
d
The shuffle operator (concurrent composition over disjoint alphabets).
Denotes the end of a proof.

ii

Este, que ves, engaño colorido, que del arte ostentando los primores, con falsos silogismos de colores es cauteloso engaño del sentido. This coloured counterfeit that thou beholdest, vainglorious with the excellencies of art, is, in fallacious syllogisms of colour, nought but a cunning dupery of sense. Inundación Castálida, II, 1-4 Juana de Asbaje y Ramírez, Sor Juana Inés de la Cruz (1651-1695)

Contents
1 INTRODUCTION 1.1 Introduction . . . . . . . . . . . . . . . . . . 1.2 Background and Motivation . . . . . . . . . 1.2.1 Discrete Event Systems and Models . 1.2.2 Evaluation of Discrete Event Models 1.2.3 Petri Net Models . . . . . . . . . . . 1.2.4 Supervisory Control . . . . . . . . . 1.3 Objectives of the Thesis . . . . . . . . . . . . 1.4 Organization of the Thesis . . . . . . . . . . 2 LITERATURE REVIEW 2.1 Supervisory Control Theory . . . . . . . . . 2.2 Logical Models for Discrete Event Systems . 2.2.1 Transition Models . . . . . . . . . . 2.2.2 Temporal Logic . . . . . . . . . . . . 2.2.3 Communicating Processes . . . . . . 2.2.4 Controlled Petri Nets . . . . . . . . . 2.3 Petri Net Languages . . . . . . . . . . . . . . 2.4 Incidence Matrix Analysis of Petri Nets . . . 2.5 Synthesis and Reduction of Petri Nets Models 3 BASIC NOTATION 3.1 Petri Nets . . . . . . . . . . 3.1.1 Place/Transition Nets 3.1.2 Marked Nets . . . . 3.2 Formal Languages . . . . . 3.3 Petri Net Languages . . . . . 3.4 Supervisory Control . . . . . 1 1 1 1 3 4 6 7 9 10 10 11 11 11 12 12 13 13 14 15 15 15 16 17 17 18 19 19 19 22 22 25 27

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

4 ON THE EXISTENCE OF PETRI NET SUPERVISORS 4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 4.2 Petri Nets and Blocking . . . . . . . . . . . . . . . . . . . . 4.3 Supervisor . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.4 Existence of Petri Net Supervisors . . . . . . . . . . . . . . 4.5 Petri Net Languages and Supremal Controllable Sublanguage 4.6 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

iii

CONTENTS
5 SUPERVISORY DESIGN USING PETRI NETS 5.1 Introduction . . . . . . . . . . . . . . . . . . . 5.2 Monolithic Supervisor Design . . . . . . . . . 5.2.1 Design Using Concurrent Composition 5.3 Monolithic Design Using Petri Nets . . . . . . 5.4 Petri Nets and State Machines . . . . . . . . . 5.5 Conclusions . . . . . . . . . . . . . . . . . . . 6 INCIDENCE MATRIX ANALYSIS 6.1 Introduction . . . . . . . . . . . . . . . . . . . 6.2 Incidence Matrix Analysis for State Machines . 6.2.1 State Equation . . . . . . . . . . . . . 6.2.2 Defining the Set of Reachable Markings 6.3 Composition of State Machines Modules . . . . 6.3.1 State Equation . . . . . . . . . . . . . 6.3.2 Defining the Set of Reachable Markings 6.4 Supervisory Verification . . . . . . . . . . . . 6.4.1 Blocking . . . . . . . . . . . . . . . . 6.4.2 Controllability . . . . . . . . . . . . . 6.5 Conclusions . . . . . . . . . . . . . . . . . . .

iv 28 28 28 32 32 36 37 38 38 39 40 41 44 45 47 53 54 54 55 56 56 57 57 59 62 65 66 66 69 70 71 71 73 74 75 76 77 78 79 79 79 80 80 80 81 81 82

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

7 GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.2 GMEC and Monitors . . . . . . . . . . . . . . . . . . . . . . . . . . 7.2.1 Generalized Mutual Exclusion Constraints . . . . . . . . . . 7.2.2 Modeling Power of Generalized Mutual Exclusion Constraints 7.2.3 Monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.2.4 Nets With Uncontrollable Transitions . . . . . . . . . . . . . 7.3 Generalized Mutual Exclusion Constraints on Marked Graphs . . . . 7.3.1 Marked Graphs with Monitors . . . . . . . . . . . . . . . . . 7.3.2 Control Subnet . . . . . . . . . . . . . . . . . . . . . . . . . 7.3.3 Control Safe Places . . . . . . . . . . . . . . . . . . . . . . . 7.4 Fully Compiled Models . . . . . . . . . . . . . . . . . . . . . . . . . 7.4.1 Model 1: Monitor-based Controller . . . . . . . . . . . . . . 7.4.2 Model 2: Compiled Supervisor . . . . . . . . . . . . . . . . . 7.5 Partially Compiled Models . . . . . . . . . . . . . . . . . . . . . . . 7.5.1 Model 3: Non-Deterministic Partially Compiled Supervisor . 7.5.2 Model 4: Deterministic Partially Compiled Supervisor . . . . 7.6 Comparison of the Models . . . . . . . . . . . . . . . . . . . . . . . 7.7 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 CONCLUSIONS AND FUTURE RESEARCH 8.1 Original Contributions . . . . . . . . . . . . . . . . 8.1.1 Petri Net Languages for Supervisory Control 8.1.2 Supervisory Design . . . . . . . . . . . . . . 8.1.3 Validation of Petri Net Supervisors . . . . . . 8.1.4 Efficient Construction of Control Structure . 8.2 Future Research . . . . . . . . . . . . . . . . . . . . 8.2.1 Petri Net Languages for Supervisory Control 8.2.2 Supervisory Design . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

CONTENTS
8.2.3 8.2.4 APPENDICES A PETRI NET LANGUAGES A.1 Petri Net Generators . . . . . . . . . . . . . . . . . A.2 Classes of Petri Net Languages . . . . . . . . . . . . A.3 Deterministic Languages . . . . . . . . . . . . . . . A.4 Closure Properties and Relations with Other Classes . A.5 Concurrent Composition and System Structure . . . B AN INTRODUCTION TO SUPERVISORY CONTROL B.1 Discrete Event Systems and Properties . . . . . . . . B.2 Controllable Events and Supervisor . . . . . . . . . B.3 Supervisory Control Problem . . . . . . . . . . . . . B.4 Supremal Controllable Sublanguage . . . . . . . . . C NOTATION Validation of Petri Net Supervisors . . . . . . . . . . . . . . . . . . . . . Efficient Construction of Control Structure . . . . . . . . . . . . . . . .

v 82 82 90 90 90 91 91 92 93

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

95 . 95 . 96 . 100 . 101 103

Acknowledgement
Frank DiCesare has guided me in a spirit of friendship through my Master’s and Ph.D. thesis, providing learning, encouragement, and support all at once. Manuel Silva has given me the wonderful opportunity of visiting the University of Zaragoza and of working with his group. Part of this research has been inspired by him. Alan A. Desrochers, David R. Musser, and Badrinath Roysam have provided additional guidance as members of my doctoral committee. The Petri net group meetings at Rensselaer have been a fruitful learning experience. I acknowledge the many discussions with Padma Akella, Tiehua Cao, Xin Chen, Mu-Der Jeng, Jagdish Joshi, Hauke Jungnitz, Jongwook Kim, Inseon Koh, Doo Yong Lee, Jim Watson, Mengchu Zhou. I am grateful to the Computer Integrated Manufacturing project of the Center for Manufacturing Productivity and Technology Transfer which has supported the research of this thesis during the last two years. The years of my graduate studies have been a period of freedom and carelessness, marking the transition between youth and maturity. Never will love be more poignant or friends more dear; the memories will last forever. For this I have to thank Philippe Jeanne, Thanos Tsolkas, Ermanno Astorino, Antonio De Dominicis, Gloria-Deo Agbasi, Hauke Jungnitz, Giampiero Beroggi and Penny Spring, Agostino Abbate and Josefina Quiles, Didier Laporte, Elisabetta Bruzzone, Nora Si-Ahmed, Amitava Maulik, Persefone Vouyoukas, Doo Yong Lee, Josep Tornero, Markus Vincze, Michael Eppinger, Rolf Münger, Keith Hanna, Alejandro Beascoechea, Markus Hoerler, Carlos Garcia, Leonardo Lanari, Scott Bieber, Brady Richter, Cristina Gesto, Andreas Glatzl, Jose Neira, Maria Angeles Salas, Antonio Ramírez, Enrique Teruel, Joaquin Ezpeleta, Bruno Gaujal, and Rogerio Rodriguez.

vi

i. for the design of Petri net supervisors and discusses how a composed net may be validated. In our approach.Abstract Discrete event systems represents a new field of control theory of increasing importance in the domains of manufacturing. The thesis presents an algorithm. The thesis discusses the use of Petri nets in Supervisory Control. In a second approach. communications. Supervisory Control theory. We show that a Petri net supervisor may not exist if the system’s behavior or the legal behavior are nonregular Petri net languages. called generalized mutual exclusion constraints.. we consider a class of specifications. based on the concurrent composition operator. is a well established framework for the study of discrete event systems.e. Place/Transition nets have been used by several authors to represent discrete event systems. In a first approach. it is possible to derive necessary and sufficient conditions for the existence of supervisors as nets. such as controllability or such as the absence of blocking states. important properties of the net. and discuss several possible structures for the supervisor capable of enforcing them. and robotics. called deterministic P-closed. By defining a new class of Petri net languages. based on incidence matrix analysis. the control agent that restricts the behavior of a system within a legal behavior. the supervisor. vii . based on formal languages. The advantage of such a supervisor. as opposed to a supervisor given as a feedback function. is that a closed loop model of the controlled system may be constructed and analyzed using the techniques pertaining to Petri net models. is represented as a Place/Transition net as well. may be studied by Integer Programming techniques.

etc. Such systems.2 Background and Motivation In this section we rather informally discuss the motivation of this research. at possibly unknown irregular intervals. “machine 1 breaks down”. The state transitions of a DES are called events and may be labeled with the elements of some alphabet Σ. 1.Chapter 1 INTRODUCTION 1. of physical events. However. robotics. are called discrete event systems (DES) [Ramadge 89b] and the corresponding models are called discrete event models (DEM) [Inan 88].1 Introduction The object of the study of traditional control theory have been systems of continuous and synchronous discrete variables. These systems require control and coordination to ensure the orderly flow of events. modeled by differential or difference equations. We study how Petri net models may be used to solve supervisory control problems. DES qualify as a proper subject for control theory. computer and communication networks. Ramadge 87]. For example. i. 1. capable of capturing the essential features of discrete. the time instant at which state transitions occur. and a unifying theory for their control. 1 . whose states have logical or symbolic. there is an increasing need for different models. a control theory for DES introduced recently by Ramadge and Wonham [Ramadge 83. capable of describing systems that evolve in accordance with the abrupt occurrence. The goal of the present research is that of applying a Petri net model within the framework of Supervisory Control. in a manufacturing environment typical event labels are “machine 1 starts working on part A”. will in general be unpredictable. As controlled (or potentially controllable) dynamic systems. We want to show why Petri nets are a good discrete event model and a powerful tool for Supervisory Control. These labels usually indicate the physical phenomenon that caused the change in state.1 Discrete Event Systems and Models A DES is a dynamic system with a discrete state space and piecewise constant state trajectories (see Figure 1. Hence a twofold issue presents itself: we need a powerful class of DEM. the design of a supervisor capable of restricting the behavior of a system within a legal behavior.e. as well as the actual transitions. values that change in response to events which may also be described in nonnumerical terms. rather than numerical.1). as the scope of control theory is being extended into the domains of manufacturing. and so on.2. asynchronous and possibly nondeterministic systems.

These models can be further classified as: a) nonstochastic: if the timing is known a priori. An event is atomic. Ramadge 89b]. c ∈ Σ. as in Figure 1. by w = abac . . Logical DEM. 2. Model Classification The many areas in which DES arise and the different aspects of behavior relevant in each area have led to the development of a variety of DEM.e. We are interested in the order in which the events occur but not in the real time at which they occur. it is considered to occur in a single step. . Thus a possible evolution of the system may be represented. b. . in which a common simplifying assumption is to ignore the times of occurrence of the events and consider only the order in which they occur. i. This simplification is justified when the model is to be used to study properties of the event dynamics that are independent of specific timing assumptions. 2. Timed or performance DEM.CHAPTER 1.1. where w ∈ Σ∗ and a. even if in the real system it may be implemented as a sequence of instructions. 1.. We have the following classification [Ramadge 86. There are two main assumptions here. b) stochastic: if the timing is not known a priori due to random delays or random occurrences of events. Logical Models The behavior captured in a logical model is the sequences of discrete events or traces that a system generates [Inan 88]. Let Σ be the set of discrete events labels and let Σ∗ be the set of all finite sequences of events in Σ (including the empty trace λ). which are intended for the study of properties explicitly dependent on interevent timing. INTRODUCTION state 2 x4 b x3 a x2 x1 a c t1 t2 t3 t4 time Figure 1. 1. .1: State trajectories for a Discrete Event System.

. Inan and Varaya [Inan 88] have used the terms language complexity and algebraic complexity to denote two aspects of the descriptive power. we want to use that model for determining whether the system has the desired properties or whether it is free of abnormal behavior. The class of operators related to each model define its algebraic power. • Logical calculus is used in temporal logic models [Pnueli 79]. In fact. finitely recursive processes [Inan 88]. Complex systems can be regarded as being built out of interacting subsystems. However. the behavior of a given system is thus given by a subset language L ⊂ Σ∗ . In general. however. consisting of all the traces (or strings) that the system can generate. INTRODUCTION 3 In a logical model. The extreme case is that of Turing machines that have the largest language complexity but whose languages have many undecidable properties. This may be done using different formalisms. Petri nets. We call this qualitative aspect representational power. intersection. We have seen that the logical behavior of a system is represented in the model by a language L ⊂ Σ∗ . concurrent composition. each model has its own language power. union. Descriptive power The descriptive power of a DEM has different facets. different formalisms generate different classes of languages. We will call these two aspects language power and algebraic power.2 Evaluation of Discrete Event Models A great number of logical DEM have been proposed. As an example.2. Additionally. A modeling formalism will be useful if it contains operators that combine one or more models in ways that reflect the ways in which systems are connected. In most systems of interest. • A set of equations is used by boolean models [Aveyard 74]. In the following section.CHAPTER 1. Two different models may represent the same behavior although they use different formalisms. so that the model may be used to represent a large variety of systems. different properties have to be considered [Inan 88]. It is often the case. 1. L will be an infinite set so that it cannot be given simply by listing all the traces. we will compare different models with Petri nets with the aim of showing that the representational power of Petri nets is fairly large. these operators. Büchi automata [Ramadge 89a]. communicating sequential processes [Hoare 85]. are defined on languages. In order to evaluate and compare their suitability for control applications. Performance Evaluation Once we are sure that a model has captured the essential features of a system. . we will consider a third aspect that we call representational power. that some behavior can be easily modeled with one particular formalism and not so easily modeled with a different one. Petri nets are not subject to the representational shortcoming typical of other models. • A state transition structure is used by automata and net models such as finite state machines. We will study systems that allow a logical model. A discrete event model must give a means to specify the set of admissible event trajectories.e. It is desirable that the language power of a model be as large as possible. i.. etc. formal language theory shows that the analysis complexity grows with the language power of a model. the class of languages generated by finitely recursive processes is a superset of Petri net languages that in turn are a superset of regular languages (the class of languages generated by finite state machines). In our view of a DEM as a language generator.

Hence a P/T Petri net cannot simulate a register machine which in turn is equivalent to a Turing machine [Ichikawa 88a]. timed models (Timed PN) and performance models (Stochastic PN. Conservative PN are essentially equivalent to finite state machines. since the number of reachable markings (i. Secondly. an exhaustive search over the state space. may be defined. Descriptive power Petri nets have great descriptive power. the issue of computational complexity is a key concern. this is done by an automatic compilation of the model into control code. These classes are supersets of regular languages and with the introduction of a great number of operators define an algebra. e. i. Furthermore. In fact. Performance Evaluation The desired properties of a system map fairly well into properties of the corresponding Petri . INTRODUCTION 4 This can be done in two steps. or by exploiting hierarchical or other special structures. It is possible to extend the formalism with the introduction of inhibitory arcs. the PN formalism permits description of logical models (P/T nets.e. For example. namely concurrency. Petri nets satisfy all the requirements that a good DEM should have [Giua 92a]. deadlocks. the structure of the net may be maintained small in size even if the number of the markings grows. asynchronous operations. When logical models are considered. Colored PN). PN languages do not have all the nice closure properties of.2. In such cases simple algorithms for verification or synthesis. However. or simulation methods to verify that the model possesses the desired properties” [Inan 88]. “derive effective algorithmic. They have been designed specifically to model systems with interacting components and as such are able to capture many characteristics of an event driven system. say. 1. etc. called Petri nets languages. “ad hoc” solutions must be studied. they still make use of the full representational power of Petri nets.. 2.. since the states of a PN are represented by the possible markings and not by the places. at worst. It should also provide a guide to constructing a controller.CHAPTER 1. regular languages. i.e. However we note that the descriptive power of P/T nets is large enough for most common applications. rapidly become computationally intractable.. “translate” the desirable properties of the system into properties of the model. At best. A model should then find application in the framework of a control theory.. arcs from places to transitions that prevent the firing of a transition if the input place is marked. the number of states in a transition structure for specifying the admissible event trajectories may depend exponentially on some system parameter. classes of languages generated by Petri nets. they allow a compact description. In this last step. Firstly. The final goal is to modify (by control action) the set of admissible trajectories so that each event trajectory has the desired properties. Thus one tries to mitigate the complexity by the use of aggregation or modularity. However.e. and often even more restricted models are considered. such as conservative PN. conflicts.3 Petri Net Models In this work we study a particular Petri net (PN) model: Place/Transition (P/T) nets. analytical. 1. The basic P/T net cannot model a condition of the form: “Fire transition t if place p is empty”. the number of ’states’ of the model) is finite. Generalized Stochastic PN). Control Implementation The modeling and analysis of systems is only the first step in the study of DES.g.

In Figure 1. Petri net based controllers may be implemented in both hardware and software. It requires the construction of the reachability tree representing the set of reachable markings and transition firings. The analysis techniques for Petri nets may be divided into the following groups (see [Silva 85]). With modular synthesis. Let L1 be the behavior of the cyclic process with a single job. Kasturia 88] a Petri net interpreter is implemented using a mixture of application dependent and independent code.CHAPTER 1. A net N1 is transformed. we will see that Petri nets give a very compact description of systems which. b) models in which the basic notion is that of action. a finite coverability tree may be constructed. It permits the demonstration of several properties almost independently of the initial marking. The analysis of the net N2 is assumed to be simpler than the analysis of the net N1 . It may be worth comparing the representational power of PN with that of other models for concurrent systems [Best 91]. As an example. • Analysis by enumeration. INTRODUCTION 5 net model. It is useful for timed nets and to study the behavior of nets that interact with an external environment. due to concurrent behavior. Control Implementation Petri nets languages offer a simple means of applying control-theoretical ideas and in this thesis we will show that they are consistent with Supervisory Control theory. Models based on actions do not suffer from this state space explosion. Suppose we have a cyclic process where five jobs may be in four different stages. such as interleaving models.e. Petri nets show more flexibility in this respect. In [Crockett 87. If this set is not finite. a single token. that permit the simplification of the structure of a net. It is possible to partition the current approaches into: a) models in which the basic notion is that of state. • Structural analysis. • Simulation analysis. into a net N2 while maintaining the properties of interest. with a well developed mathematical and practical foundation. Examples of this analysis technique are reduction methods. In the next example. Petri nets also represent a hierarchical modeling tool and allow reduction of the computational complexity of analysis by exploiting modular synthesis.1. Then possible evolutions of the system are: . it is necessary to point out that there exists no general technique for compiling a Petri net description into a control system. complex systems may be constructed by aggregation of simpler modules while preserving the properties of interest. Structural analysis may be based on the study of the state equation of the net or on the study of the net graph. Silva 83] and Petri-net like languages [Murata 86] have been used in different applications. However. since states and actions are treated on equal footing and both step and interleaving semantics can be defined on Petri nets [Best 91]. i. such as state machines. Although the number of reachable markings is 56. Many algorithms. have a large state space. Example 1. have been developed to study these properties. since they do not require the explicit enumeration of all the states. 3..2 we have a Petri net where each token represents a job and each place represents a different stage. • Analysis by transformation. Programmable Logic Controllers [Silva 89b. the PN model is very simple compared to a state machine model where we need to explicitly represent all states. an interleaving model of the system considered in this example may be described as follows. according to particular rules.

i.2. t1 t2 . Then the behavior of the process when five jobs are been processed concurrently is given by L5 = L1 L1 L1 L1 L1 .3.2: Petri net in Example 1. . The shortcoming of models based on actions lies in the cumbersome way in which specifications involving counters and semaphores are modeled. In fact.. For n = 2 we have L2 = (t2 t1 )2 + (t2 t1 ) For a generic n Ln = (t2 t1 )n + (t2 t1 )n−1 (t3 t4 ) + . . t1 t2 t3 ..3: Petri net in Example 1. . . L1 = (t1 t2 t3 t4 )∗ . (t3 t4 ) + (t3 t4 )2 . Here we have two sequences (t2 t1 ) and (t3 t4 ) that can be run up to a total of n times.CHAPTER 1. where is the concurrent composition operator.1. INTRODUCTION 6 Figure 1.e. Figure 1. n being the number of tokens in p3 . t1 .2. . for n = 1 the behavior is L1 = t2 t1 + t3 t4 . Consider the Petri net in Figure 1. Example 1. Using an interleaving model to represent this process is awkward: we have to explicitly specify all concurrent firing sequences. (t2 t1 ) (t3 t4 )n−1 + (t3 t4 )n . λ. here the bar stands for the prefix operator and ∗ is the Kleene star operator. .

The class of regular languages is closed under the SCS and ICS operators. Qualitative properties of DES.2. all capable of describing systems whose behavior is defined by a differential linear . within the limits of the legal language. The basic control problem is the following. language theory provides a rigorous formalism for proving important theorems on the existence of supervisors. matrix-fraction description. etc. We may distinguish three different areas of interest in the supervisory control approach. Design algorithms have been devised to compute the control structure of a supervisor for a given control problem. It has been noted [Cieslak 91] that this approach allows us to evaluate and compare the effect of different control policies on the behavior of the uncontrolled system. given the knowledge of the system and of the specification. 1.4 Supervisory Control Ramadge and Wonham provide a unifying framework for the control of discrete event systems [Ramadge 89b].e.. Here we simply discuss those aspects of Supervisory Control that have motivated this research. a legal language L. by disabling only controllable transitions. controllability [Ramadge 87]. i. These algorithms are based on language operators. An introduction to the theory is presented in Appendix B. thus they are model independent. linear systems. S and G are supposed to run in parallel and the closed loop structure is again a DES. infimal controllable superlanguage (ICS) [Lafortune 90a]. At this level. state variables. since open loop plant and controller are treated separately. new language operators. The closure properties of different classes of languages under these operators are also discussed. the action of S on G. Özveren 90]. denoted by S/G.. In classical control theory there exist different models for. say. Finally. We are given a DES G generating the language L(G) and a specification. and the set of uncontrollable events Σu . The existence of finite state supervisors have been discussed by Ramadge and Wonhan [Wonham 87] and Ushio [Ushio 90]. and Lafortune and Chen [Lafortune 90a]. One the most important features is the partition of Σ into two disjoints sets: the set of controllable events Σc . etc. are also defined. and so far their Supervisory Control Theory is the most general and comprehensive theory presented for logical DES. polynomial matrix description. The uncontrollable events are those which cannot be disabled by a control action. INTRODUCTION 7 1. such as stability [Brave 90]. such as transfer function. The supervisor receives as input the sequence of events generated by G and determines a control input that specifies which events are to be disabled in G. nonblockingness [Ramadge 87]. Examples of these operators are the supremal controllable sublanguage (SCS) [Wonham 87]. are defined from a very general perspective as properties of languages. This “abstract” perspective has made possible the creation of a model-independent theory. We want to restrict the behavior of the system. 3. 2. No results have been published on Petri net languages. seen as a language generator over an alphabet of events Σ.. At the model level a particular model is chosen to describe the physical device to be controlled. as shown by Ramadge and Wonham [Wonham 87]. The formal language level is concerned with theoretical issues. Some results on Petri net supervisors with inhibitory arcs have been presented by Sreenivas and Krogh [Sreenivas 92]. etc. The control structure that restricts the behavior of the system is called a supervisor. observability [Cieslak 91. If we consider the system G as the plant (or the object to be controlled) and the supervisor as the controlling agent. previous approaches require a separate model for each control policy and only permit models of closed loop systems. The system level deals with the concept of DES. it is often possible to realize a supervisor simply as another DES S.CHAPTER 1. that will play a central role in solving the control problem.

CHAPTER 1. we need to study the counterpart on a Petri net structure of the linguistic operators required in the design of a supervisor. the class of problems for which a Petri net supervisor exists. Thus Petri nets may potentially be viewed as an effective means to realize supervisory controllers. it is sufficiently general to be applied to different models. The exponential growth of the state space of a model with the number of interconnected modules is a well known blight in the study of concurrent systems which makes the use of simple models. At the formal language level. such as finite state machines. Wonham has proposed an algorithm which uses three different operators: shuffle.3 Objectives of the Thesis Supervisory Control is so far the most complete theory for the control of DES.. allowed by language theory but in practice until now unattainable because of the state space explosion problem. We propose an alternative design that requires only one operator: concurrent composition. We have seen. the behavior is defined as a formal language. in the previous discussion. but a brute force analysis of the model may often require the exhaustive search of the reachability tree. 1. Here the choice of one model rather than another one is a key factor that may drastically affect the class of problems that can be solved. Another issue of paramount importance is the complexity involved in solving a control problem. Krogh 91. we need to consider the closure properties of Petri net languages under the operators used in Supervisory Control theory. Secondly. INTRODUCTION 8 equation. There are ways to mitigate the complexity involved in the analysis of the model by using techniques that are primarily based on the structure of a net rather than on its behavior. In particular. Although these techniques have been extensively investigated in the Petri net literature. At the discrete event system level. since it assume that only a subset of the events is controllable. so far they have been used in the context of Supervisory Control only by Holloway and Krogh [Holloway 90. 2.e. selfloop and intersection. This will allow us to characterize the class of control problems that may be solved by Petri net models. it captures the physical constraints the controller must satisfy. We are finally ready to state the goal of this research: “Investigate the use of Petri nets models within the framework of Supervisory Control. Holloway 92a]. In Section 1. since the language power of each model is limited. each model has its own tool-set of design and analysis techniques. we have already discussed the good properties that a discrete event model should feature. we need to study Petri net languages in the context of Supervisory Control. there may exist systems whose behavior may not be expressed with a given model. Examples of these techniques are incidence matrix analysis and modular synthesis. i. Firstly. with a possibly infinite number of states. Thirdly. thus making its computational complexity exponential as well. The . impracticable.2. which may be used more or less efficiently for the solution of a control problem. hence the models used are language generators. that Petri nets reduce this complexity by means of its representation power. In the case of a discrete event system. 1. based on formal languages. it provides exact algorithms to design a supervisor for large classes of control problems. However there are cases where it may be necessary to use a model such as Petri nets.” The fulfillment of this goal requires several steps. the representational power of a model may not be specifically tailored to represent a given system’s behavior.2. It has a sound mathematical foundation. It is often assumed that physical systems have a finite state space. Petri nets provide a compact representation of systems.

has been shown useless [Colom 89] in determining some properties of net systems such as the existence of home markings. by concurrent composition of the system and specification modules. to avoid reaching a set of undesirable markings.. in which the reachability set of a marked net is represented by the integer solutions of a set of linear inequalities.. i. Thus. the use of Petri nets allows us to keep the structure of the model ‘small’. we need to make full use of the Petri net analysis techniques to efficiently validate a Petri net supervisor. In the first step. The reachability problem for this class can be solved by incidence matrix analysis.e. We will explore two different techniques.CHAPTER 1. a coarse structure for a supervisor is synthesized by means of concurrent composition of different modules. that may be generated by nonblocking generators. that have also been considered in [Krogh 91]. This approach.e. transitions that may not be prevented from firing by a control agent. . called Elementary Composed State Machine nets. called mutual exclusion constraints. we need to modify this approach in order to be able to use this analysis technique in the context of Supervisory Control. The design requires two steps. Chapter 5 shows how Petri nets may be used to design a supervisor. INTRODUCTION 9 counterpart of this operator on the net structure can be easily defined and preserves the modularity of the overall system. formal languages and Supervisory Control. Finally. by means of an example. Secondly. we need to refine the net. necessary and sufficient conditions for the existence of a Petri net supervisor under the hypothesis that the system’s behavior and the legal behavior are both Petri net languages are derived.. At the model level.e. the structure is refined to avoid reaching forbidden markings. markings that may be reached by any marking in the reachability set of a Petri net. In fact it is possible to derive a set of linear inequalities that exactly defines the set of reachable markings. it is shown that the trimming of an unbounded Petri net is not always possible. A new class of P/T nets. i. no new places are introduced.4 Organization of the Thesis This chapter has introduced the topic of the thesis and stated the objectives of research. 3. In both steps. Firstly. We need to derive refinement procedures which preserve the modular structure of the net in this step as well. Chapter 6 discusses how incidence matrix analysis for Petri net models may be used to validate supervisors. it is shown that Petri net languages are not closed under the supremal controllable sublanguage operator. A second area of our research is the use of modular synthesis techniques for nets with uncontrollable transitions. however. It is often the case that once the coarse structure of a supervisor has been obtained. Determining the existence of home markings is a problem essentially equivalent to that of determining if a net is nonblocking. i. to prove that the supervisor has the desired properties. In the second step. Chapter 3 introduces the basic notation on Petri nets. i. Our aim is that of efficiently deriving a Petri net structure for a supervisor for this class of problems.e. Classic incidence matrix analysis is based on the solution of the state equation of a net. 1. which is an important property of discrete event systems. We show that for conservative Petri nets there exists a standard refinement procedure that only requires introducing new arcs and possibly duplicating some transitions. Chapter 4 discusses the use of Petri nets in the framework of Supervisory Control.. is defined. Chapter 2 discusses in depth the literature relevant to the present research. this leads to the definition of a class of Petri net languages. We will explore a class of specification. The first one is based on incidence matrix analysis.

such as the absence of blocking states or controllability. we compare a monitor-based solution of mutual exclusion problems with several supervisory based solutions. . For one of these classes. when some of the transitions of the net are uncontrollable this technique is not always applicable. marked graphs with control safe places. Chapter 8 concludes the thesis with a discussion of the original contributions and listing possible further directions of research. important properties of discrete event systems. However. INTRODUCTION 10 Thus. may be analyzed by Integer Programming techniques. for discrete event systems modeled using P/T nets. called generalized mutual exclusion constraints. Appendix C is a glossary of the notation used in the thesis. These specifications may be easily enforced on a net system where all transitions are controllable.CHAPTER 1. For some classes of nets. Appendix A reviews some basic concepts of formal languages and Petri net languages. Chapter 7 defines a class of specifications. Appendix B is a short introduction to Supervisory Control and supervisory design techniques. even in the presence of uncontrollable transitions. we prove that mutual exclusion constraints may always be enforced by monitors. by a set of places called monitors.

discuss and solve the Supervisory Control and Observation Problem (SCOP) and the Decentralized Supervisory Control Problem (DSCP). In 11 . since our approach is based on formal languages. i. A dual concept is defined — the infimal controllable superlanguage — and is used to determine a supervisor that may also permit blocking in order to achieve a larger behavior. An extension of this work is [Lafortune 91] where the Supervisory Control Problem with Tolerance (SCPT) is defined. or cannot distinguish between some of them. The authors prove in these seminal papers that the supremal controllable sublanguage always exists (but may be the empty language). This provides the theoretical basis of our research. Firstly. In [Lafortune 90a] a new control problem is studied: the Supervisory Control Problem with Blocking (SCPB). the problem is that of designing a controller such that the controlled system never goes beyond the tolerated behavior and achieves as much as possible of the desired behavior. an agent that is capable of disabling the controllable transitions of a DES in response to the traces of events generated. In SCOP the assumption is that a mask is present between the controlled system and supervisor. so that the supervisor cannot observe all the transitions. It is based on the concept of a supervisor [Ramadge 83. Thirdly. The Supervisory Control Problem (SCP) consists in designing a supervisor which restricts the traces generated by the system within a legal behavior. it is interesting to compare PN with other logical models that have been used in Supervisory Control. Finally. reduction rules. Here it is assumed that in some cases the solution to the SCP (supremal controllable sublanguage) may be too conservative. Under very general hypotheses on desired and tolerated behavior. Secondly. and synthesis operators. we review the work on Petri net languages. 2. we consider the efficient validation of PN models. If the legal behavior is not controllable.1 Supervisory Control Theory The supervisory theory by Ramadge and Wonham is so far the most comprehensive theory for the control of discrete event systems. In [Lafortune 90a] Lafortune and Chen introduce two performance measures (in terms of satisficing and blocking).. and techniques to improve each of these two conflicting measures.e. Ramadge 87].Chapter 2 LITERATURE REVIEW The literature of interest to this research covers different topics. we review the work done in Supervisory Control. In DSCP it is assumed that the control action is enforced by local supervisors that control only subsystems. but may be blocking. A non blocking solution exists but is not necessarily unique. using techniques based on incidence matrix analysis. Lafortune and Lin show that a solution to SCPT exists and is unique. we have to further restrict the system’s behavior to the supremal controllable sublanguage for which a supervisor exists. If the legal behavior is a controllable language [Wonham 87] a supervisor exists. In [Cieslak 91] Cieslak et al.. Given a desired and tolerated behavior. and in the regular case may be determined with a finite procedure.

one of the first to be presented. 2.1 Transition Models Aveyard [Aveyard 74] presents a Boolean matrix equation model for a class of DES in which the state change associated with each event occurrence is deterministic. However. A slightly different problem that the authors examine is recovery under control failure. Several interesting control synthesis problems have a computationally tractable solution when Büchi automata models are used. Here the author derives necessary and sufficient conditions for the general case. Ostroff 90a] to the control of real-time discrete event systems. and in which all units or entities are permanent. Wonham 88a]. Tadmor 89. A review of the theory is presented in [Ramadge 88.2 Logical Models for Discrete Event Systems Numerous approaches to the modeling of discrete event systems have appeared in the literature. The model is used to extend the concept of controllable language to non-finite strings and to derive conditions for the existence of a supervisor to implement a prescribed closed-loop behavior. to describe infinite state systems. which are known to have a modeling power equivalent to Turing machines. they prove that a PNIA supervisor exists if the system’s and specification behaviors are Turing computable languages. are undecidable. however. When the languages controlled by each supervisor are non-conflicting.2 Temporal Logic Hailpern and Owicki [Hailpern 83] use temporal logic (a formalism introduced by Pnueli [Pnueli 79] for formalizing the semantics of concurrent programs) to model computer communication protocols. A global control law can be enforced by the conjunction of all the supervisors. each enforced by a single supervisor. In [Brave 90] Brave and Heymann define stabilization as the ability of a discrete event process to reach a set of target states from an arbitrary initial state and then remain there indefinitely. The temporal logic formalism is applied by Ostroff and Wonham [Ostroff 90b.2. Tsitsiklis 87] different problems of computation and the related issue of computational complexity are considered. such as determining if the behavior of a PNIA is controllable. Ramadge [Ramadge 89a] introduces Büchi automata in the modeling of DES. Wonham 88b] a modular approach to the design of supervisors is considered. In [Ramadge 89b. The model is used for the modular verification of safety and liveness for parallel processes. 2. In [Ramadge 86. Unfortunately in the general case the resulting system may be blocking. However.2. the only mask operator considered in this paper is the language projection operator. They use Petri nets with inhibitory arcs (PNIA). The specification language is composed of different specifications. Ramadge 89b. permits checking of simple properties such as whether the system is deterministic and if it will hang or cycle. The model. the non-blocking condition is assured as well. In [Ushio 90] Ushio discusses the conditions under which a finite state supervisor (FSS) may be constructed to solve a SCP. Thus.CHAPTER 2. LITERATURE REVIEW 12 [Lin 88. 2. important properties. Lin 90] Lin and Wonham discuss the Decentralized SCOP (DSCOP) where both partial observations and decentralized control are incorporated into the control structure. From [Ramadge 87] it was known that a FSS exists when both system’s behavior and specification language are regular. In both cases they present design algorithms for controllers that improve the stabilization of processes. Temporal logic is a useful tool in the formal- . The case of the infinite state supervisor is discussed by Sreenivas and Krogh [Sreenivas 92].

The descriptive power of the model and its use in performance evaluation is also investigated. it is a function of the actual marking of the system rather than a function of the string of events generated by the system. The class of controlled Petri nets considered is cyclic marked graphs and the admissible specifications consist of forbidden markings that simultaneously assign tokens to one or more set of places. the complexity of the finitely recursive process grows and nondeterminism needs to be introduced.CHAPTER 2. The author defines the control law that generates the supremal controllable sublanguage as the maximally permissible feedback. they can prove that this model is equivalent to Turing machines.4 Controlled Petri Nets Several authors have used a particular Petri net model. Ushio and Matsumoto [Ushio 88] derive necessary and sufficient conditions for the uniqueness of the maximally permissible feedback on controlled PN. the authors show an interesting manufacturing example that requires the coordination of automated guidance vehicles. called controlled Petri nets. This model is a standard PN with the addition of external input places. However the proof is limited to ordinary Petri nets: when the multiplicity of the arcs is greater than one. Controlled PN have been introduced by Ichikawa and Hiraishi [Ichikawa 88a] to study the input-output behavior of discrete event models. Holloway and Krogh [Holloway 90. CCS is one of the standard models for concurrent systems on which recent and on-going research is focused. Krogh [Krogh 87] applies controlled PN to Supervisory Control. Under these hypotheses the modeling power of the net is increased by the capability of detecting whether a place is empty. He also notices that the maximally permissible feedback may not be unique because of the particular firing policy that permits the simultaneous firing of enabled transitions. The authors prove that their formalism can easily model any Petri net. 2. Although these restrictions are certainly heavy.2.e. Ichikawa and Hiraishi restrict the firing policy on the net to be decision-free.3 Communicating Processes Milne and Milner [Milne 79] define concurrent processes by means of a net algebra and define a minimal set of operations for composing processes. They prove that CCS defines a class of concurrent systems composed of interacting sequential automata. i. He assumes that each transition is associated to at most one external input place and studies how the behavior of the net can be restricted within a certain behavior by a particular marking function for the external input places. Inan and Varaiya [Inan 88] present a class of discrete event models called finitely recursive processes whose formal structure is based on Hoare’s communicating sequential processes [Hoare 85]. In fact the CCS models are isomorphic to a subclass of Petri nets. It is furthermore assumed that only the marking of a set of so called external output places may be observed. the control problem may be solved with great computational efficiency by analysis of the net structure. Liveness properties under control are discussed in [Holloway 92a]. In [De Cindio 83] De Cindio et al. 2. i.e.. The final result of this research is presented in [Milner 80]. i. for restricted classes of nets and restricted specifications. However the validation of the model is based on theorem proving techniques and is difficult to perform. a particular control law. . Superposed Automata Nets defined in [De Cindio 82]. compare CCS with Petri nets.e. In the paper. In a subsequent paper [Ushio 89]. Ushio also derives necessary and sufficient conditions for the existence of a control law that satisfies a given specification.2. whose marking is given by an external function. within the framework of Supervisory Control.. This control law is implementing a state feedback rather than a trace feedback. all enabled transitions should fire simultaneously. where the Calculus of Communicating Systems (CCS) is introduced. Krogh 91] show that. LITERATURE REVIEW 13 ization of the control problem..

In Hack [Hack 75a. intersection. concatenation. simple closure properties. For each of these classes. Closure properties and relationship among the different classes of Petri net languages are reported with additional results.CHAPTER 2. Colom [Colom 89] develops a methodology for the verification of assertions on P/T nets in terms of markings and firing count vectors.e. unfortunately. to verify that a given marking is a home state. The control law is a function of the actual marking of the net. such as determining if a marking is a home state. and indefinite concatenation) are examined. for which neither a necessary nor a sufficient condition can be given. and finiteness) are obtained. Petri nets are considered in the context of formal language theory. concurrency. Parigot and Peltz [Parigot 86] have characterized PN languages in terms of logical formalism. the closure properties of Petri net languages under several form of composition (union. the author also shows that it is possible to prove some properties that depend on the firing count vector by adding to the net new places whose marking indicates the number of times a given transition has fired. 2. This approach is extremely general. not presented by Peterson. In his Master’s thesis [Baker 73]. complement. can only guarantee necessary or sufficient conditions. Berthomieu [Berthomieu 87] uses the set of linear equations given by the P-semiflows to represent the space of reachable markings. can be applied to any P/T net but. whereas if a transition structure is given for a supervisor. but need to be computed at each step. based partly on incidence matrix analysis and partly on the analysis of the state space. The language power of Petri nets is shown to be greater than that of finite automata as a result of the additional ability of Petri nets to test if a string of parentheses is well formed.4 Incidence Matrix Analysis of Petri Nets Incidence matrix and related analysis techniques are used by several authors to validate properties of P/T nets. However.g. Different languages which result from different types of transition labeling are also considered. LITERATURE REVIEW 14 The main characteristic of the controlled PN approach to supervisory control is the fact that no transition structure for a controller is given. . Johnen [Johnen 87] uses an hybrid approach. Peltz [Peltz 86] has also extended the study to the infinite sequential behavior of Petri nets. The logical formalism may be used to prove that a given language is a Petri net language and to construct a Petri net having a given finite behavior. Here the definition and classification of these languages is given. There exists assertions. A survey and tutorial on Petri net languages is presented in [Peterson 81] Chapter 6. Another comprehensive tutorial on Petri net languages is a paper by Jantzen [Jantzen 87]. In this case. a closed-loop model can be constructed and analyzed to ensure that it has the desired properties.3 Petri Net Languages Baker [Baker 72] is one of the first to introduce the basic idea of associating a language with a Petri net and using this language to describe the behavior of the net.. Silva and Colom [Silva 89a] give algorithms to efficiently compute the structural synchronic invariants of P/T nets. Within this framework. the relationship between Petri net languages and other classes of formal languages are investigated. only properties that depend on the markings can be proved. two basic language classes are distinguished: the prefix language and the marked language. and their prefix language is studied. for membership. emptiness. 2. and substitution) and under some operations (reversal. i. characterizations and decidability problems (e.. Hack 75b].

The classes of reduction rules include: place transformations.e. in the second approach. [De Cindio 82]. while simplifying the structure of the net to make analysis easier. This composition maintains the properties of safeness and liveness. Berthelot [Berthelot 86. to determine if σ gives a firing sequence.5 Synthesis and Reduction of Petri Nets Models In the synthesis of Petri net models there are two main approaches: bottom-up and top-down. In [Ichikawa 88a. are considered. PN with no selflooping transitions. trap-containing-circuit nets. 2. In [Berthelot 86] he also discusses the composition of nets by common transitions as a complementary technique to the reduction methods. Beck and Krogh [Krogh 86] present a methodology for constructing a class of P/T nets for modeling discrete processes. bounded. yields a firing sequence. Two such classes are: live and bounded marked graphs (a structural class). stating that the P-semiflows and/or the T-semiflows of the union of two Petri nets can be immediately expressed — in specific cases — in terms of the invariants of the two subnets. based on the analysis of the firing subnet. Best and Fernández [Best 86] define the notion of S-net. In [Ichikawa 88b]. 1 .CHAPTER 2. Narahari and Viswanadham [Narahari 85] define a union operator 1 for pure Petri nets. and persistent nets (a behavioral class). proper termination. For these classes. there exist necessary and sufficient conditions.. satisfying the state equation of a Petri net. respectively.. [Avrunin 91] use a formalism similar to Petri net incidence matrix analysis for verifying properties of concurrent systems described as finite state automata. they prove that in acyclic nets. the authors illustrate how this technique may be applied to the modeling of flexible manufacturing systems. home states and liveness.e. A complementary approach is that of defining reduction rules that preserve the properties of interest. Finally. Following the first approach a complete net is constructed combining subnets under given operators. Hack [Hack 72. transition transformations. The synthesis of Petri nets is realized by joining subnets along common simple elementary paths. Two theorems are presented. The author also proves that there are classes of nets to which these transformations can be repeatedly applied to reduce the net to a single transition. The class of nets obtained by composition of state machine modules is named Superposed Automata Nets by De Cindio. live. σ always yields a firing sequence. languages L1 and L2 constructs a Petri net generating the language L = L1 ∪ L2 . which by fusing transitions reduce both structure and state space of the net. The invariants are used to analyze important qualitative aspects of the system such as absence/existence of deadlocks. i.. a net in which each transition has at most one input place and one output place. defining a state machine decomposable net as a net constructed by composition of strongly connected state machines along common transitions. et al. which given two Petri nets generating. conservativeness). etc. that reduce the net structure by eliminating redundant places but do not modify the state space. Avrunin et al. the P-semiflows of the resulting net can also be easily found in term of the P-semiflows This operator is different from the union operator as defined in [Peterson 81]. such as trap-circuit nets. transition and places in a net can be replaced by a more detailed subnet. Berthelot 87] has presented several reduction rules. In both cases the synthesis rules are such as to preserve some properties of the original modules. The properties preserved by these transformations are: covering with P-semiflows (i. Murata also discusses reachability in marked graphs in [Murata 77]. Hack 74] studies the composition of state machines. as reported in [Murata 89]. An S-decomposition is a partition of a net into S-net components. LITERATURE REVIEW 15 Ichikawa and Hiraishi study under which conditions a firing count vector σ. Murata 89] other classes of nets.

Koh [Koh 92] has studied the compositions of live and bounded circuits along paths. i. LITERATURE REVIEW 16 of the subnets. and where the subnets between a fork and a join are marked graphs.e. The author has studied under which conditions the composed system is live and bounded. The composition allows the fusion of overlapping paths. Finally. The modules are connected through a set of input/output places. Zhou [Zhou 90] has studied a formal methodology for the synthesis of Petri nets in manufacturing. The nets being considered are regular nets. nets where forks and joins are symmetrical. The authors introduce a modified Petri net model [Beck 86] more suitable for the modeling of manufacturing systems by means of the synthesis approach they propose. The author has also discussed how liveness properties for systems with shared resources depend on the value of the initial marking of the net. in the sense that it is partially top-down and partially bottom-up.. . and has been extended to colored Petri nets. that act as mailboxes. Datta 86] present a technique for the modular synthesis of PN. Datta and Gosh [Datta 84. it is possible to give rules to connect the modules in a way that preserves liveness and boundedness.CHAPTER 2. The approach followed is called hybrid.

t) − P re(p. Here I = {0. 17 . t) = 0] for every place p and for every transition t. t) > 0}. defined as C(p. N A net is pure if it has no selfloops. A trap is minimal if it is not the superset of another trap. 1. • P re : P × T → I is the pre-incidence function that specifies the arcs directed from places N to transitions. A trap is basic if it is not the union of other traps. If a net is pure the incidence functions can be represented by a single matrix. A siphon is a set of places S ⊆ P such that • p∈S p⊆ p∈S p• . t) > 0}. |T| = n. A trap is a set of places T ⊆ P such that p• ⊆ p∈T p∈T • p. if [P re(p.1 Place/Transition Nets A Place/Transition net (P/T net) is a structure N = (P. t• = {p ∈ P | P ost(p. .. .Chapter 3 BASIC NOTATION 3. P ost) where: • P is a set of places represented by circles. • T is a set of transitions represented by bars. the incidence matrix of the net.1. It is assumed that P ∩ T = ∅ and P ∪ T = ∅. T. i.e. t). . p• = {t ∈ T | P re(p. t) = 0 ∨ P ost(p. 2.1 Petri Nets 3. P re.}. N • P ost : P × T → I is the post-incidence function that specifies the arcs directed from transitions to places. t) > 0}. |P| = m. t) > 0}. The preset and postset of a transition t are respectively • t = {p ∈ P | P re(p. t) = P ost(p. The preset and postset of a place p are respectively • p = {t ∈ T | P ost(p.

t). • Live. i. P ost. T. if from every marking M ∈ R(N. σ(t) represents the number of times transition t appears in σ. A P/T net is connected if in the underlying graph1 there exists a path (not necessarily directed) from any vertex to all others. A marked graph is a P/T net such that each place has exactly one input arc and one output arc. t). T. A marking M ∈ P R(N. Let B be a basis of P-semiflows of the net N . M0 ). M0 if there exists a firing sequence σ such that M0 [σ M . M0 ). The set of all markings defined on a net N = (P. P ost) is the net N R = (P. M0 ). the set of firing sequences (also called language of the net) is denoted L(N. M0 ) satisfies the following system of equations: B T ·M = B T ·M0 . Let marking M be reachable from marking M0 by firing a sequence of transitions σ. M0 ) ⊇ R(N. M0 ).CHAPTER 3. if there exists a nonnegative integer k such that M (p) ≤ k for every place p and for every marking M ∈ R(N. • Safe (or 1-bounded). T 3.e. M0 ). 1 The graph underlying a Petri net has as vertices places and transitions. M0 is: • Bounded. A firing sequence from M0 is a (possibly empty) sequence of transitions σ = t1 . called the firing count vector. strongly connected if there exists a directed path from any vertex to all others.1. M0 ) ⊇ P R(N. The reversal of N = (P. acyclic if no directed path forms a cycle. such that Y ≥ 0 and N Y · C = 0. and of their input and output places. The firing subnet given by a firing count vector σ consists of all the transitions t σ(t) ≥ 0. . • Conservative. A state machine is a P/T net such that each transition has exactly one input arc and one output arc. then t may fire yielding a new marking M with M = M + C(·. where σ : T → I is a vector of N non-negative integers. P re. A transition t ∈ T is enabled at a marking M if M ≥ P re(·. P ost) is I |P | . M0 ). We will write M [t M to denote that t may fire at M yielding M . The set of markings M such that there exists a vector σ satisfying the previous state equation is called the potentially reachable set and is denoted P R(N. A marked net N. BASIC NOTATION 18 A P-semiflow (or nonnegative P-invariant) is a vector Y : P → I . T. The support of Y is QY = {p ∈ P | Y (p) > 0}. and as directed edges the arcs specified by P re and P ost. if M (p) ≤ 1 for every place p and for every marking M ∈ R(N. tk such that M0 [t1 M1 [t2 M2 · · · [tk Mk . M0 ) [Colom 89]. represented by black dots. M0 ) there exists a firing sequence containing all transitions. Note that P R(N. A marking M is reachable in N. M0 . M0 ). Then the following state equation is satisfied: M = M0 + C · σ. a new net where the direction of all arcs of N is reversed. We will also write M0 [σ Mk to denote that we may fire σ at M0 yielding Mk . P re.. P re). If t is enabled at M .2 Marked Nets A marking is a vector M : P → I that assigns to each place of a P/T net a non-negative integer N number of tokens. . if there exists a vector of positive integers Y such that Y T · M = Y T · M0 for every marking M ∈ R(N. M (p) denotes the number of tokens assigned by marking M to place p. M0 ) and the set of reachable markings (also called reachability set of the net) is denoted R(N. M0 is a net N with an initial marking M0 . Given a marked net N. Note that P RB (N. . N A net system or marked net N. The set of markings satisfying the previous system of equations is denoted P RB (N.

e. ∩ Σn .. M0 by removing place p and all its input/output arcs. Σn be alphabets and let Σ = Σ1 ∪ . d Ln . . let Σ = Σ1 ∩ . . . let L1 . Let Σ1 . . . P ost) is a Petri net structure. M0 ) = L(N . and let Σe be a disjoint alphabet. . . . i. a set of symbols. A language L over Σ is a set of strings composed with symbols in Σ. • M0 is an initial marking. .. • F is a finite set of final markings. i. .e.e. . L is called a shuffle language and is denoted by L = L1 d . T. .. . ∪ Σn . . Ln be languages defined on them. The selfloop of L with respect to Σe is the language L = L d Σ∗ . . The two languages associated with G are the L-language (also called marked behavior in the context of Supervisory Control) and the P-language (also called closed behavior) defined as follows [Peterson 81]. as a 4-tuple G = (N. F ) where • N = (P. . let Σ = Σ1 ∪ . n}.. A place p of a marked net N. The intersection of L1 . . . Ln . As a particular case. . M0 is the marked net obtained from N. i = 1. . i = 1. ∩ Ln . . . Let L be a language on Σ. . . denoted L = L1 ∩ . P re. is the language over Σ defined as L = {w ∈ Σ∗ | w ∈ Li . . . the projection (or restriction) of w on Σi is the string w ↑i obtained from w by deleting all the symbols not belonging to Σi . . BASIC NOTATION 19 • Reversible. M0 . ∪ Σn . . . M0 is implicit [Silva 85] if L(N. n}. . denoted L = L1 .e. Ln . . . M0 ). . . . . e Let Σ1 . A place p of a net N is structurally implicit if there exists an initial marking M0 such that p is implicit in N. Given a string w ∈ Σ∗ . Peterson 81]. . i Let Σ1 . 3. . when the alphabets Σ1 .CHAPTER 3. . . . . • : T → Σ is a labeling function that assigns to each transition a label from the alphabet of events Σ and will be extended to a mapping T ∗ → Σ∗ as shown in Appendix A. Formally the projection operator is a mapping from Σ∗ to Σ∗ . . .1. .3 Petri Net Languages This section presents the notation used for Petri net languages. Σn are disjoint. i. Σn be alphabets. The concurrent composition (or synchronization) of L1 . . M0 . Σi ∩ Σj = ∅ (i = j). . where N . M0 ). is the language over Σ defined as L = {w ∈ Σ∗ | w ↑i = wi ∈ Li . . i. We will represent a discrete event system (DES) as a labeled Petri net (or Petri net generator) [Jantzen 87. Ln be languages defined on them. . . L ⊆ Σ∗ . . let L1 . if the initial marking M0 is reachable from every reachable marking M ∈ R(N. A more detailed review of Petri net languages is presented in Appendix A.2 Formal Languages Let Σ be an alphabet. . Ln . Σn be alphabets. . . 3.

In the following. BASIC NOTATION Given a DES G = (N. this definition is reduced to the usual definition of Lm (G)-closed: K = K∩Lm (G) [Ramadge 89b]. . 20 Note that in this definition of labeled net we are assuming that is a λ-free labeling function. Ld and Pd .4 Supervisory Control This section presents the language notation used for Supervisory Control. M0 . In the case that K ⊆ Lm (G). t ∈ T . M [t ∧ M [t =⇒ (t) = (t ). A language L is said to be closed if L = L. F ) is deterministic if ∀t. F ). M0 [σ M ∈ F }. . no transition is labeled with the empty string λ and two (or more) transitions may have the same label. Let L be a language on alphabet Σ. with t = t and ∀M ∈ R(N.. the set of controllable events. 3. The set of all languages controllable wrt L(G) is denoted C(G). . A more detailed review of Supervisory Control is presented in Appendix B. M0 . The controllable events may be disabled by a controlling agent in order to restrict the behavior of the system within a legal behavior.CHAPTER 3. and Σu . A deterministic PN generator [Jantzen 87] is such that the string of events generated from the initial marking uniquely determines the sequence of transitions fired. We will always assume that the generators considered here are deterministic.e. A deterministic DES is non-blocking if and only if L(G) = Lm (G). Note that Pd ⊂ P and Ld ⊂ L (strict inclusion) [Jantzen 87]. the L-type language of G is Lm (G) = { (σ) ∈ Σ∗ | σ ∈ T ∗ . F ) be a DES with alphabet of events Σ. respectively. If a language L ⊂ Σ∗ is not controllable with respect to L(G) we may compute its supremal controllable sublanguage [Wonham 87] defined as: L↑ = sup{K ⊆ L | K ∈ C(G)}. ∃M M0 [σ M }. Its prefix closure is the set of all prefixes of strings in L: L = {σ ∈ Σ∗ | ∃τ ∈ Σ∗ στ ∈ L}. . The classes of L-type and P-type languages generated by labeled nets is denoted L and P respectively. G is nonblocking if any string that belongs to its closed behavior may be completed to a string that belongs to the marked behavior. The classes of L-type and P-type PN languages generated by deterministic PN generators are denoted. according to the terminology of [Peterson 81]. Two languages L1 and L2 are said to be non-conflicting [Wonham 88b] if L1 ∩ L2 = L1 ∩ L2 . while uncontrollable events may never be disabled. M0 . The alphabet of events Σ is partitioned into two disjoint subsets: Σc . a DES G = (N. Formally. the set of uncontrollable events. let G = (N. i. and the P-type language of G is L(G) = { (σ) ∈ Σ∗ | σ ∈ T ∗ . M0 ). A language K ⊂ Σ∗ is said to be Lm (G)-closed if K ∩Lm (G) = K ∩Lm (G). A language K ⊂ Σ∗ is said to be controllable with respect to L(G) if KΣu ∩ L(G) ⊆ K [Ramadge 87].

Ramadge and Wonham [Wonham 87] have proved that the supervisor may also be modeled as a finite state machine.Chapter 4 ON THE EXISTENCE OF PETRI NET SUPERVISORS 4. 4. a subclass of P/T nets whose set of reachable markings is finite. is that a closed loop model of the controlled system may be constructed and analyzed using the same PN analysis techniques that are used to analyze the system. In the case of systems and specifications modeled by finite state machines (i. By suitable modification of the results given by Ramadge and Wonham [Ramadge 87.. by generators of regular languages). • The second problem regards the existence of a PN supervisor.1 Introduction This chapter discusses some theoretical issues related to the use of Petri nets in Supervisory Control Theory. We prove that the trimming of a PN is not always possible and we define a new class of PN languages that may be generated by nonblocking generators. i. In this case.e. • The first problem regards the trimming of a blocking system.e. Ramadge 89b] we are able to derive necessary and sufficient conditions for the existence of supervisors as net systems. • The final problem regards the closure of PN languages under extraction of the supremal controllable sublanguage. The problem is the following: given a PN generator G with 21 .e.. Thus the class of languages generated by these models is equivalent to the class of regular languages. Here we discuss the use of more general models with a possibly infinite set of reachable markings. as opposed to a supervisor given as a feedback function. by means of an example.2 Petri Nets and Blocking A first issue when using Petri nets as discrete events models for supervisory control regards the trimming of blocking net systems. We consider three problems [Giua 92c]. the modification of its structure in order that no blocking state may be reached while preserving its marked behavior. we show that PN languages are not closed under this operator. a supervisor whose control action is implicit in its net structure. i. The advantage of such a supervisor. and all the results for regular languages may apply to them as well. The PN models generally considered in Supervisory Control are conservative PN.. We are interested in obtaining necessary and sufficient conditions for the existence of a Petri net supervisor under the hypothesis that the system’s behavior and the legal behavior are both Petri net languages.

Let G be the PN generator in Figure 4. . where we have introduced r − 1 new places and new transitions labeled a.2. furthermore. If the Petri net is conservative the trimming may be done without major changes of the net structure. unbounded Petri net models may require more extensive changes of the net structure. On Petri net models the trimming may be more complex. in which the trimming of a net system is not possible.. In Chapter 5 is discussed the case of conservative nets. cannot be completed to a string in Lm (G) (assuming r > 1). i. n ≥ 0} and L(G) = {am cbn | m ≥ rn.e. The reason for this is given by the following theorem. The behaviors of this system are: Lm (G) = {am cbn | m = rn.. The system is clearly blocking. for example. since the string w = ar+1 c ∈ L(G).. To avoid reaching a blocking state we require that p2 contain a multiple of r tokens when the transition labeled c is allowed to fire.1.2: Trimmed system in Example 4.1: Blocking system in Example 4. no final state may be reached from them) and all their input and output transitions. n ≥ 0}.e. Figure 4. by removing all states that are reachable but not coreachable (i.1.1. ∃L ∈ L L ∈ P. ON THE EXISTENCE OF PETRI NET SUPERVISORS 22 Figure 4. There exist L-type Petri net languages whose prefix closure is not a P-type Petri net language. A possible solution is shown in Figure 4. The proof of this theorem will be given by means of the next example and the following proposition. On a simple model such as a state machine this may be done. Example 4. i. marked behavior Lm (G) and closed behavior L(G) ⊃ Lm (G) we want to modify the structure of the net so that no blocking markings may be reached. with M0 = (100)T and set of final markings F = {(001)T }. so that L(G) = Lm (G). There are some cases.CHAPTER 4.1.e. trivially. Theorem 4. As the following example shows. in the sense that we have to add new arcs and possibly duplicate transitions without introducing new places.1.

(a). i. (n + p + q = k).CHAPTER 4. The behaviors of this system are: Lm (G) = {am bam b | m ≥ 0} and L(G) = {am ban b | m ≥ n ≥ 0}. . Proposition 4. The class of DP-closed Petri net languages is denoted LDP . with | w |≥ k. since p2 is unbounded this may not be done with a simple P/T structure. L = {am bam b | m ≥ 0} is not a P-type Petri net language. Given k and l according to the pumping lemma.. thus we cannot properly consider these models as P/T nets. Let L ∈ P. L ∈ Pd .3. Clearly b ∈ y. Consider a partition w = xyz. We may formally prove that the prefix closure of the marked language of the system G discussed in Example 4.3. This class will play an important role in characterizing the existence of Petri net supervisors. Lemma 4. with M0 = (1000)T and set of final markings F = {(0001)T }. Let G be the PN generator in Figure 4. From the reachability tree of the system. A language L ∈ L (not necessarily deterministic) is said to be deterministic Pclosed (DP-closed for short) if and only if its prefix closure is a deterministic P-type Petri net language. However. Example 4. let w = ak bak b. Inhibitor arcs increase the modeling power. given in [Jantzen 87]. and the analysis complexity.(b). ∀i ≥ 1. with 1 ≤| y |≤ l.2. ON THE EXISTENCE OF PETRI NET SUPERVISORS 23 Figure 4.1 (Pumping lemma).3: Blocking system G in Example 4. To avoid reaching a blocking state we require that p2 be empty before firing the transition inputting into p4 . it is clear that the system is blocking. (n + p + q = k). since in this case xy i z ∈ L for i = 1. The proof is based on the pumping lemma for P-type PN languages. has a decomposition w = xyz with 1 ≤| y |≤ l such that xy i z ∈ L. of Petri nets to that of a Turing machine. Hence L is not a P-type Petri net language. then x y z x y z xy i z ∈ L for i = 1.2 is not a P-type Petri net language. Proof . as we will discuss in the next section. Definition 4. We conclude this section with the definition of a new class of L-type Petri net languages whose prefix closure can be generated by a deterministic nonblocking Petri net generator.1.2. Then there exist numbers k. However if w = an ap aq bak b. or if w = ak ban ap aq b . shown in Figure 4. l such that any string w ∈ L.1. Petri nets with inhibitory arcs have been studied in the context of Supervisory Control by Sreenivas and Krogh [Sreenivas 92]. It is possible to introduce an inhibitor arc from p2 to the transition inputting into p4 .e.

for each possible string of events w ∈ L(G) generated by the system G. we present some theorems which give necessary and sufficient conditions for the existence of PN supervisors. T. the marked strings of the system under control are all and only the marked strings of the uncontrolled system that survive under control. For nonempty L ⊆ Lm (G) there exists a nonblocking supervisor S such that Lm (S/G) = L if and only if L is Lm (G)-closed and controllable. are due to Ramadge and Wonham [Ramadge 87. 4. Ramadge 89b] and give necessary and sufficient conditions for the existence of a supervisor. the uncontrollable events are always enabled.1).e. all the uncontrollable events are present in the control input). It is often the case that a supervisor is given as another discrete event system S that runs in parallel with G. although Theorem 4. as we show in Example 4.1). it is possible to construct a PN model of the closed loop system under control S/G using the net counterpart of the intersection operator on languages [Peterson 81]. Here we recall the fundamental definitions. also reported in Appendix B. Its closed behavior is L(S/G) = L(S) ∩ L(G) and its controlled behavior is Lm (S/G) = L(S/G) ∩ Lm (G) = L(S) ∩ Lm (G). Theorem 4. the event a is enabled by γ (permitted to occur). pointing to Appendix B. For nonempty L ⊆ L(G) there exists a supervisor S such that L(S/G) = L if and only if L is prefix closed and controllable. The following two theorems. even if the system’s behavior and the legal behavior are Petri net languages.CHAPTER 4. If a ∈ γ. the marked behavior of S/G is not defined since the controlled behavior Lm (S/G) is not necessarily a deterministic L-type PN language.2 for a more detailed discussion. The control input at a given moment is represented by the events that are enabled in S. thus the function f is implicit in the structure of S. 6.3 specify under which conditions there exist supervisors for a given control problem.2 and Theorem 4. Let Γ ⊆ 2Σ denote the set of all the possible control inputs.. it may well be the case that these supervisors cannot be represented as Petri net generators. The closed loop system under control is denoted S/G. If S and G are deterministic generators (as we always assume) S/G is deterministic as well.3. 5. 4.3 Supervisor A supervisor [Ramadge 87] is an agent that disables the controllable transitions of a system in order to restrict its behavior within a legal behavior.3 ([Ramadge 87]. Theorem 4. If the system and the supervisor are Petri net generators. a supervisor is a map f : L(G) → Γ specifying. Formally.e. i.5.4 Existence of Petri Net Supervisors In this section.2 ([Ramadge 87]. P. otherwise a is disabled by γ (prohibited from occurring). while all previously defined classes of PN languages are closed under intersection. Note that we are assuming that the supervisor does not mark strings. Note also that while the closed behavior of S/G is L(S/G). we point out that the class LDP that we have defined does not coincide with any of the classes of PN languages generally considered in the literature [Jantzen 87]. We consider the case in which both the system G and the supervisor S are given as discrete event systems. . The objective is to design a supervisor that selects control inputs in such a way that the controlled system’s behavior is restricted within a legal specification language. the control input γ = f (w) to be applied at that point. ON THE EXISTENCE OF PETRI NET SUPERVISORS 24 As a side note. Let us define a control input as a subset γ ⊆ Σ satisfying Σu ⊆ γ (i. The proof follows from the fact that LDP is not closed under intersection.. In fact.

Let G be a nonblocking PN and let L ⊆ Σ∗ . i. (Only if) Since L(S/G) = L then L is a P-type language for the PN representing the closed loop system and L ∈ Pd . L is the L-type language of the system E in Figure 4. The first two theorems regard the case in which we want to restrict the closed behavior of G within the limits of a legal behavior L. will never block an uncontrollable transition of G and L(S/G) = L(S) ∩ L(G) = L. respectively. with L(G) ∩ L = ∅. M0 = (100)T . Example 4. as proved. Assume now that we want to restrict the marked behavior of G to L = {am bam b | m ≥ 0} that is clearly controllable and Lm (G)−closed.(a) with set of final marking F = {(0001)}. Proof . since Lm (E/G) = L(E) ∩ Lm (G) ⊃ L. Proof . and L ∈ Pd . There exists a PN supervisor S such that L(S/G) = L if and only if L is a controllable deterministic P-type PN language. It may be interesting to consider the case in which the legal behavior L is not a subset of L(G). Hence L ∩ L(G) ∈ Pd ∩ C(G) and by Theorem 4.3. In this case. Let G be the PN generator in Figure 4. if L ∈ Pd we have the following theorem. The marked behavior of this system is: Lm (G) = {a∗ ba∗ b}. Theorem 4. running in parallel with G. that however does not qualify as a supervisor for this problem. Theorem 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 25 Figure 4.5. Also L is controllable according to Theorem 4. Ramadge 87].. in [Jantzen 87. i. unfortunately.e. S is the desired supervisor. since L ∈ C(G) then S.e. [L ∩ L(G)]Σu ∩L(G) ⊆ L ∩ L(G) ⊆ L =⇒ [L ∩ L(G)]Σu ∩ L(G) ⊆ L (since languages in Pd are prefix closed) =⇒ LΣu ∩ L(G) ⊆ L. with Σu = ∅.CHAPTER 4. Let us consider now the case in which we want to restrict the marked behavior of G within the limits of a legal behavior L. and we simply need to check whether L ∩ L(G) satisfies the conditions of the previous theorem. It may well be the case that L ∈ Pd ∩ C(G) but L ∩ L(G) ∈ Pd ∩ C(G). the necessary requirements that L be controllable and Lm (G)−closed (by Theorem 4. since L ∈ LDP (Proposition 4.4.2. Also L∩L(G) is controllable by Theorem 4. i. and set of final markings F = {(001)T }.1) there exists no PN whose P-type language is L. In fact. However. . =⇒ LΣu ∩ L(G) ⊆ L (since L ∈ Pd ). hence L ∈ C(G).2. In this case we are interested in restricting the system’s behavior to L ∩ L(G).4 there exists a PN supervisor S L(S/G) = L∩L(G). a PN supervisor for this problem may exist even if L is not a PN language or if L is not closed and controllable. Let G be a nonblocking PN and let L ⊆ L(G) be a nonempty language. (Only if) Since L(S/G) = L∩L(G) then L∩L(G) ∈ Pd .3) are not sufficient to insure the existence of a nonblocking PN supervisor even if L ∈ Ld .. The following example discusses this case. (If) The sets Pd and C(G) are closed under intersection.3 and Example 4.e.5.3. L ∈ Pd ∩ C(G).4. There exists a PN supervisor S such that L(S/G) = L ∩ L(G) if and only if L ∈ C(G).4: System G in Example 4. However.. (If) Since L ∈ Pd then there exists a PN generator S L(S) = L.

Example 4.4. (If) Since L ∈ LDP then there exists a PN S L(S) = L ⊆ L(G). The proof of the proposition follows from the following example. Hence it is sufficient that L be a deterministic P-type language in order to construct a deterministic supervisor.4. and set of final markings F = {(001)T }.e. hence L ∈ Pd (since it is the deterministic P-type language of closed loop PN generator). We need to prove that L = Lm (S/G) = L(S) ∩ Lm (G) ∈ LDP . and set of final markings F = {(01)T }. since L(S/G) = L(S) ∩ L(G) = L ∩ L(G) = L = L(S/G). The following example will clarify this point. Let G be the PN generator in Figure 4.1.CHAPTER 4.6. M0 = (10)T .6 to the case in which the legal behavior L is not a subset of Lm (G). it cannot be accepted by a deterministic generator with a finite set of final states F . Consider the language L = {am b(bc)∗ (a(bc)∗ )m b | m ≥ 0}. L is an L-type PN language and it can be proved that it is not deterministic.2. that effectively solely constrains the closed behavior of G. although L ∈ LDP .) Since L is closed under intersection [Jantzen 87]. (Only if) Since S is a nonblocking supervisor.2. by Theorem 4. Proposition 4. Let G be a nonblocking PN and let L ⊆ Lm (G) be a nonempty language. In fact. However L ∈ LDP . then Lm (S/G) = L(S) ∩ Lm (G) = L ∩ Lm (G) = L. (Note that L(S) although a deterministic P-type language may be a nondeterministic L-type language. Theorem 4. First note that L(S) ∈ Pd . as we have shown in Proposition 4. since L is Lm (G)−closed. Since L is controllable and Lm (G)−closed. It follows that L ∈ LDP . We would like to extend Theorem 4.3. Proof . i.6 does not require L to be deterministic. hence L(S) ∈ L ⊃ P ⊃ Pd [Jantzen 87]. In fact we want to restrict the marked behavior of G to L by means of a non marking deterministic supervisor. L∩Lm (G) ∈ LDP .7. In fact: since L ∈ C(G). There exists a nonblocking PN supervisor S such that Lm (S/G) = L if and only if L ∈ LDP ∩ C(G) and L is Lm (G)−closed. Assume now that we want to restrict the marked behavior of G to L = {am ban | m ≥ n ≥ 0}. then L ∈ L. M0 = (100)T . Let G be the PN generator in Figure 4. Also L = L(S/G) by the non blocking hypothesis. S is nonblocking.6 are not sufficient to insure the existence of a PN supervisor. Theorem 4. since L is the deterministic P-type language of the marked net S in Figure 4.6. then clearly L ∈ C(G). then L ∈ C(G) and L is Lm (G)−closed. The class of DP-closed PN languages LDP is not closed under intersection. . Clearly L ∈ LDP since it is the marked behavior of the nonblocking generator E in Figure 4. Unfortunately in this case the hypotheses of Theorem 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 26 captionSystem G in Example 5.5.. Example 4. with Σu = {b}. Unfortunately L ∩ Lm (G) = {am bam b | m ≥ 0} ∈ LDP . S is the desired supervisor. The example shows the need to introduce the further requirement that the legal behavior L be DP-closed for insuring the existence of a PN supervisor. The marked behavior of this system is: Lm (G) = {a∗ ba∗ b} ∈ LDP . it may be possible that. The marked behavior of this system is: Lm (G) = {a∗ ba∗ }. with the set of final markings F = {(0001)T }.5. S is a proper supervisor and is such that Lm (S/G) = L.

2. .5 and Example 4. Figure 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 27 Figure 4.5: Supervisor S in Example 5.CHAPTER 4.6.6: Generator E in Example 4.

by the control community but has never been published before to the best of our knowledge. as a trivial corollary of Theorem 4. If we apply the ↑ operator.9. The class L and the set C(G) are closed under intersection [Jantzen 87. 4. since Lm (E)↑ = L(E)↑ ∈ Pd . This result has been known. The proof of this proposition will be given by means of the following example. but not necessary.6 Conclusions The results of this chapter show that although unbounded PN do not have all desirable properties from the point of view of supervisory control. i. i. while the arcs that only belong to the reachability tree of G have been represented by dotted lines. Hence L ∩ Lm (G) ∈ LDP ∩ C(G). . there are cases in which PN supervisors may be constructed. since E refines G. M0 = (1000)T . To show this we have drawn. L ∩ Lm (G) ⊃ L ∩ Lm (G). The classes Pd and LDP of PN languages are not closed under the ↑ operator. Proof . L ∩ Lm (G) ∈ Pd . 4. Let G be the PN generator in Figure 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 28 The problem in the previous example is that L and Lm (G) are conflicting.e.5 Petri Net Languages and Supremal Controllable Sublanguage Our final result regards the closure of PN languages under the supremal controllable sublanguage operator ↑ [Wonham 87]. L is Lm (G)−closed.. Lm (E)↑ ∈ LDP . we have that L ∩ Lm (G) = L ∩ Lm (G) ∈ Pd . requiring that L ∩ Lm (G) ∈ LDP ∩ C(G) and that L ∩ Lm (G) be Lm (G)−closed. Let G be a nonblocking PN and let L ⊆ Σ∗ . condition for the existence of a PN supervisor. Theorem 4. L ∩ Lm (G) is Lm (G)−closed.6. The last theorem gives a sufficient. If however the two languages are not conflicting. we have represented the arcs that belong to the reachability tree of both marked nets with continuous lines.10. with Lm (G) ∩ L = ∅. Consider now the generator E in Figure 4. Finally since L is also Lm (G)−closed we can write: L ∩ Lm (G) ∩ Lm (G) = L ∩ Lm (G) ∩ Lm (G) = L ∩ Lm (G) = L ∩ Lm (G).3.CHAPTER 4.1 (the string w = ak bak b may be used to prove that no pumping is possible). Proposition 4. There exists a nonblocking PN supervisor S such that Lm (S/G) = L ∩ Lm (G) if L ∈ LDP ∩ C(G). with Σu = {a}.7. Ramadge 87]. in Figure 4. the reachability tree of the two systems.6 there exists a nonblocking supervisor S Lm (S/G) = L ∩ Lm (G). the converse is not true. by the non-conflicting hypothesis. we obtain the two supremal controllable sublanguages: L(E)↑ = {am bam (bc)∗ b | m ≥ 0} and Lm (E)↑ = {am bam (bc)∗ b | m ≥ 0}.6.7 with the set of final markings F = {(0001)T }. A necessary and sufficient condition for the existence of a PN supervisor in the case the legal behavior L is not a subset of Lm (G) may be given. In fact while: L ∈ C(G) =⇒ L ∩ Lm (G) ∈ C(G) and L is Lm (G)−closed =⇒ L ∩ Lm (G) is Lm (G)−closed. By Theorem 4.e. L and Lm (G) are not conflicting.. The two languages L(E) ∈ Pd and Lm (E) ∈ LDP are not controllable. L(E) and Lm (E) are not controllable because of the presence of the dotted arcs associated to the uncontrollable transition a. and set of final markings F = {(0001)T }. L(E)↑ ∈ Pd . while L ∩ Lm (G) ∈ Pd (since Pd is closed under intersection) it may be the case that L ∩ Lm (G) ∈ Pd . as can be proved using the pumping lemma in the same way we have done in Proposition 4. Example 4. at least partially. Hence. Also.8. that are the closed and marked behavior of the generator in Figure 4.

CHAPTER 4.8: Reachability tree of G and E in Example 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 29 Figure 4. Figure 4.9: Generator of L(E)↑ and Lm (E)↑ in Example 4.6.6.7: Generator G in Example 4. .6. Figure 4.

CHAPTER 4. Another undesirable property is given by the fact that the classes Pd and LDP are not closed under the ↑ operator. whose reachability set is finite. ON THE EXISTENCE OF PETRI NET SUPERVISORS 30 The main difficulties when using Petri nets as discrete event models for supervisory control stems out from the fact that not all L-type PN languages are DP-closed and from the fact that the class LDP of DP-closed languages is not closed under intersection. . In the remaining part of the thesis we will consider simpler Petri net models.

represented by n different nonblocking generators H1 . .Chapter 5 SUPERVISORY DESIGN USING PETRI NETS 5. we can extend other linguistic operators to operators on the systems. we discuss the advantages of PN over state machines. The purpose is that of applying a model that has a great representational power in the theoretical approach of Ramadge and Wonham. by introducing new arcs (and possibly duplicating transitions) to avoid reaching undesirable markings. Lm (G2 ) we denote: G = G1 G2 the DES whose behaviors are: L(G) = L(G1 ) L(G2 ) and Lm (G) = Lm (G1 ) Lm (G2 ). The alphabet of these systems are Σ1 . Assume we are given m nonblocking DES G1 . This procedure may always be applied when the net is conservative.4. . ∪ Σm and effectively constrains only the events that belong to its alphabet. We want to enforce some specifications on the joint behavior of these systems. given two DES G1 . The design requires two steps. The only requirement is that the model specify the closed and marked behavior of a system.e. In a similar fashion. The discussion is focused at the model level: we discuss the supervisory design algorithm and its counterpart on the structure of a Petri net [DiCesare 91. Wonham Supervisory Design 31 . . . The algorithm is based on language operators and it may be implemented using different models.2. In the second step. G2 . . . . . the structure is refined to avoid reaching undesirable markings.2 Monolithic Supervisor Design A supervisory design algorithm has been presented by Wonham [Wonham 88a].1.1 Introduction In this chapter we discuss how Petri net models may be used to design supervisors within the framework of Supervisory Control. Each specification generator Hj is defined on an alphabet ΣHj ⊆ Σ1 ∪ . A monolithic supervisor may be constructed using the following algorithm [Wonham 88a]. as far as the transition structure of the model is concerned. a coarse structure for a supervisor is synthesized by means of concurrent composition of different modules. . In Section 5. Gm working concurrently. i. In particular. In Section 5. we review the monolithic supervisory design as formulated by Wonham and present a design based on the concurrent composition operator. Σi ∩ Σj = ∅ for every i = j. with closed behaviors L(G1 ). Giua 91]. For example.2 be extended to the model. we show that this design is well suited for Petri nets models. In the first step. Algorithm 5.3. We also require that the linguistic operators introduced in Section 3. In Section 5. . . .. The chapter is structured as follows. 5. Hn . L(G2 ) and marked behaviors Lm (G1 ). . Σm and they are disjoint. we discuss how to refine a coarse structure for a supervisor. .

. Example 5.. which is a proper supervisor for this problem. because it represents both a supervisor and a closed loop model of the system under control. because it contains blocking states (from which the final marking may not be reached). the labels in Σej = Σ\ΣHj . Construct by intersection H = H1 ∩ . It is often the case that a simpler supervisor exists.CHAPTER 5. d Gm . the generator E may contain blocking states from which a final state cannot be reached. . i.5. shown in Figure 5. . H represents the global specification we want to enforce on the behavior of G. The specification we consider. i. Call these new generators H1 . Construct by shuffling G = G1 d . . a . . after G has executed the string of events w = aba. Augment the specifications. The generator E obtained through the above construction. G2 is a machine that may start working (event c) and may output the produced part on conveyor A or B (respectively events d and e) before returning to the idle state. the language L(E) may not be controllable with respect to L(G). Hn . As an example. and also non controllable states. since the following two properties are not automatically ensured: • nonblockingness.2. In the second step we construct the augmented specification H . In the fourth step we construct the system E = G ∩ H . This means that when G and E run in parallel it may be possible to reach a state from which an uncontrollable event is enabled in G but is not enabled in E. E represents the largest behavior of the overall system that satisfies all the constraints imposed by the specifications. by selflooping H with the unconstrained events. . • controllability.. Consider the systems G1 and G2 in Figure 5. 3. This is the counterpart. represented by the generator H.1 is called monolithic. In fact L(S) = L(S/G). . i. with a. The first step of design requires the construction of G = G1 d G2 . we obtain the nonblocking and controllable generator S in Figure 5. The supervisor S constructed using Algorithm 5. For the control problem in Example 5. Since H is the only specification generator. Construct by intersection E = H ∩ G.e. The system S obtained through this procedure gives us the transition structure of a supervisor. in the general case does not represent a proper supervisor. If we remove the blocking and noncontrollable states. G models the joint concurrent behavior of the overall system under the assumption that the actions of the single subsystems are asynchronous and independent. the language generated by E is not controllable. e.. The system E is not a supervisor. ∪ Σm .e. of the supremal controllable sublanguage operator.1 and the specification H. 4. i. . We will give an example of this construction using state machine models. selflooping each Hj with the event labels present in G but unconstrained by Hj . and that the robot may load a new part on the machine only after the previously loaded part has been outputted on conveyor A (events d and b must occur alternatively). Since b is an uncontrollable event. specifies that the machine may start working only after it has been loaded (events b and c must occur alternatively). 5.e. We have to further minimally restrict the behavior of E. . shown in Figure 5. on the DES structure.3.4. step 3 is not required in this example. events b and c may occur in G while the control pattern computed by E contains only the event c.e. to obtain a nonblocking and controllable generator S. 2. We will assume that the only uncontrollable event for this problem is event b.1. shown in Figure 5. . The alphabet of G is Σ = Σ1 ∪ .. ∩ Hn .1. SUPERVISORY DESIGN USING PETRI NETS 32 1. We may think of G1 as a robot that picks up one part (event a) and loads the part on a machine (event b).

1.CHAPTER 5.1.1: Systems and specification for the control problem in Example 5.1. Figure 5.2: Shuffle system G = G1 d G2 in Example 5.3: Specification generator H in Example 5. SUPERVISORY DESIGN USING PETRI NETS 33 Figure 5. Figure 5. .

1. .1.6: A reduced structure supervisor S’ for the control problem in Example 5.4: System E = G ∩ H for the control problem in Example 5.5: Monolithic supervisor S for control problem in Example 5. Figure 5.1. Figure 5. SUPERVISORY DESIGN USING PETRI NETS 34 Figure 5.CHAPTER 5.

Gm H1 .1 we have represented in Figure 5. . i. we will discuss how E may be refined to obtain a supervisor S without major changes in its structure. requires merging transitions with the same label.1 Design Using Concurrent Composition We propose an alternative design for a supervisor. Construct by concurrent composition E = G1 . Concurrent Composition Supervisory Design 1. Hn . .6. d L(Gm )] ∩ [L(H1 ) d Σ∗1 ] ∩ . The net counterpart of the concurrent composition operator.2. Refine E so that it is nonblocking and controllable. 2. following the Algorithm 5.2. Example 5. L(Hn ). n)} ej = {w | w ↑i ∈ L(Gi ) (i = 1. Note also that since we have associated a final state with the specification H. . The concurrent composition design is simpler. we can see that: E1 = {w | w ∈ [L(G1 ) d . ...e.. the concurrent composition operator. The algorithm is the following. w ∈ [L(Hj ) d Σ∗ ] (j = 1. The coarse structure for a supervisor. Since (∀w ∈ Σ∗ ) w ∈ [L(Hj ) d Σ∗ ] ⇐⇒ w ↑Hj ∈ L(Hj ) (here w ↑Hj is the projection of ej string w on alphabet ΣHj ). n)} = E2 .2. We may easily check that L(S/G) = L(S /G) ⊂ L(S )..8. . For the control problem discussed in Example 5. . ∩ [L(Hn ) e d Σ∗n ]. This construction is based on the structure of the net and does not require the explicit enumeration of its state space.. L(Gm ) L(H1 ) .2.CHAPTER 5. may be efficiently constructed and the properties of nonblockingness and controllability may be expressed as properties of the net system E. . described in Appendix A. m). . . 5. w ↑Hj ∈ L(Hj ) (j = 1. In fact with Algorithm 5. we will use Petri net models in the design of a supervisor. e and with Algorithm 5. . where only one operator. since it requires only one operator.. SUPERVISORY DESIGN USING PETRI NETS 35 reduced structure supervisor S is shown in Figure 5. . We will show in the following section how it may be easily implemented using Petri net models.1 we construct a system generating the language E1 = [L(G1 ) d .2 we construct a system generating the language E2 = L(G1 ) . . . The system E = G1 G2 H obtained by concurrent composition is shown in Figure 5.. . d L(Gm )].. It is easy to see that the two approaches are equivalent. . Secondly. . ..2. 5.. is used to construct the generator E. the supervisor we have constructed is a marking supervisor according to the terminology in Appendix B.3 Monolithic Design Using Petri Nets In this section.7 the systems and specification as Petri nets.5. Algorithm 5. the system E..

7: Systems and specifications as Petri nets for the control problem in Example 5.2.8: System E = G1 G2 H as a Petri net for the control problem in Example 5. SUPERVISORY DESIGN USING PETRI NETS 36 Figure 5. Figure 5.CHAPTER 5. .2.

and M d (the markings from which t should not be allowed to fire. . We will use the notation for concurrent systems presented in Appendix A. . M0 ). d. 2. 1 1 kl kl such that U(M ) = TRUE if M ∈ M e . a transition leading from an admissible marking to an undesirable marking. 1 . The following algorithm can be given for the refinement of a net. Once the coarse structure of a candidate supervisor is constructed by means of concurrent composition. Let Tu ⊆ T be the set of uncontrollable transitions of E. t)]. M0. if and only if (∀M ∈ R(N. to avoid reaching an undesirable marking). the transitions labeled by uncontrollable events. Hn . we can add an arc from p3 to a and from a to p3 as in Figure 5. M )] is a blocking marking. and U(M ) = FALSE if M ∈ M d . M0. we need to refine it to obtain a nonblocking and controllable generator. G = (N1 . may be expressed in terms of net properties. and H = (N2 . If M e = ∅ remove t and stop. SUPERVISORY DESIGN USING PETRI NETS 37 It is important to note how the properties of interest. ∧ (M (pl ) ≥ nl )]. namely nonblockingness and controllability. F2 ). be the system and specification components of E. Since M (p3 ) = 1 > M (p3 ) = M (p3 ) = 0.. Let t be a transition to be controlled. i. ∧ (M (p1 ) ≥ n1 )]∨ 1 1 k1 k1 . M )]. . else continue.CHAPTER 5.2 . any reachable marking M such that ( ∃Mf ∈ F ) [Mf ∈ R(N. . Gm and H = H1 .3. . that should be removed. Let us consider the system E constructed in Example 5. Let G = G1 . Then E will be controllable if and only if it is not possible to reach a marking M such that an uncontrollable transition t is enabled by M ↑1 in G. M0 )) [M ↑2 ≥ P re2 (·. and partition this set into the disjoint subsets M e (the markings from which t should be allowed to fire). . is given. E is controllable if and only if (∀t ∈ Tu ) ( ∃M ∈ R(N. M0 )) (∃Mf ∈ F ) [Mf ∈ R(N. t) ∧ M ↑1 ≥ P re1 (·.e.10. M0 . Determine a construct in the form: U(M ) = [(M (p1 ) ≥ n1 ) ∧ .. but it is not enabled by M ↑2 in H. equivalent to the state machine model in Figure 5. First. Let a be its label. Algorithm 5.4. c. M = (1001010)T . We assume in this section that the knowledge of which states are undesirable...2. After removal of this transition. Conversely. we should certainly remove the transition labeled by e since its firing always leads to an undesirable state and it is controllable. E is blocking and uncontrollable. .e. Refining the PN is complex. 2 . i. and we should prevent the system from reaching it. Assume that E = (N. i.9. e} and the uncontrollable event set is Σu = {b}. F1 ). ∨[(M (pl ) ≥ nl ) ∧ . and which are the transitions leading to them..3. . The undesirable markings. are those shown in the reachability tree in Figure 5. We want to block the transition labeled a when the markings M and M are reached.5. let M ↑1 (M ↑2 ) be the restriction of M to the places of G (H).1 . the transition labeled by a will be enabled by the following reachable markings: M = (1010010)T . 1. Given a marking M ∈ R(N. The system E is nonblocking if and only if a final marking may be reached from any reachable marking. F ). .e. The next example shows the problems involved in the refinement of a net. We have to remove a set of undesirable states and all the transitions leading to them. In other words. . Example 5. Determine the set of admissible reachable markings that enable t. M = (1000101)T . Here the controllable event set is Σc = {a.

3.3. . SUPERVISORY DESIGN USING PETRI NETS 38 Figure 5.2 and Example 5.10: Supervisor S as a Petri net for the control problem in Example 5. Figure 5.9: Reachability tree of the system E in Example 5.CHAPTER 5.2 and Example 5.

assume that we start with bottom level modules that are state machines. kj . however. PN have a higher language complexity than state machines. . Furthermore assume that in each . On a conservative net. However. the number of “states” of the model) is finite.. . since it is based on the finite structure of the net. Conservative PN are essentially equivalent to state machines. i. The one which requires the minimal number of transitions. i. Hence   U(M ) = i∈M e  j∈M d (M (pij ) ≥ nij ) is a construct for Algorithm 5. . The following theorem gives a sufficient condition for the applicability of the algorithm. Proof: A net is conservative if there exists an integer vector Y > 0 such that for any two markings M and M reachable from the initial marking Y T M = Y T M . Hence if M = M there exists a place p such that M (p) > M (p). that it is often possible to determine a simpler construct as in Example 5. the construct may contain up to |M e| OR clauses.. i It is clear that following this construction there is an enabled transition labeled a for any marking in M e . will be those of transition t plus nj arcs inputting from (outputting to) i place pj . 2. We have that M e and M d are finite sets and also there exists a place pij such that Mi (pij ) = nij > Mj (pij ). .CHAPTER 5. We also note that in general several constructs of this form may be determined. SUPERVISORY DESIGN USING PETRI NETS 39 3. consider Mi ∈ M e .3.. Also the set of reachable markings is finite. . However. up to |M e| transitions may be substituted for a single transition to control. . j = 1. . According to this Theorem we may always find a refinement construct for conservative nets. . The input (output) arcs of transition tj .e. Note.3. since systems with infinite state space are not conservative it may be impossible to refine the net in step 2 of the algorithm. Hence they have the possibility of describing a larger class of systems. they allow a compact description. Mj ∈ M d . The construct of Algorithm 5. while none of these transitions are enabled by a marking in M d . . The concurrent composition design algorithm may be used to construct the system E even if we consider Petri net models with infinite state space. Theorem 5. is preferable.3 can always be determined if the net is conservative. since the number of reachable markings (i. tl labeled a. i. Here we would like to discuss the main advantages of using Petri nets rather than state machines in the supervisory design.1. the structure of the net may be maintained small in size even if the number of the markings grows. since the states of a PN are represented by the possible markings and not by the places. Suppose we restrict ourselves to consider only conservative Petri net models.. . the one with smaller l. This was also expected from the results of Chapter 4 since the nonblocking generator of the supremal controllable sublanguage of E may not have a Petri net representation.e. l. 5. . To express the difference between the two approaches in quantitative terms. Replace transition t with l transitions t1 . as suggested by Theorem 5. .1.e. Unfortunately. 1. i = 1.e.4 Petri Nets and State Machines The design using concurrent composition appears to be highly efficient when using Petri net structures. where the construct for the transition labeled a was U(M ) = [M (p3 ) ≥ 1].

another problem to be addressed.3). the net can be considered as composed of interrelated subnets.3 may in the worst case approach the size of M e as suggested by Theorem 5. there are classes of nets such that a necessary and sufficient condition may be derived [Giua 90b. PN may offer means to solve this problem in more efficient ways. Theorem B. Consider k modules G1 . . In Figure 5. In the refinement.. . we may still recognize the individual modules that compose the system E. The bound gives however a clear idea of the exponential growth of the model even in the general case when the alphabets of the modules are not disjoint [Tadmor 89]. a brute force approach to determine this set requires the construction of the reachability tree. n≤ i=1 ni j=i mj  The upper bound is reached when the alphabets of the modules are disjoint. • When G is constructed as an ordinary Petri net. however. it is necessary to point out that in the phase of the refinement of the coarse structure of the supervisor the number of transitions introduced in Algorithm 5. i.. k we have a number of places equal to: m = i=1 mi and a number of transitions: k n = Σ ≤ i=1 ni where Σ is the alphabet associated to G. 3. following Algorithm 5. In this chapter we have assumed that the set of undesirable markings is given. Although in the general case this analysis gives only a necessary condition for reachability.e. Gk . the modular structure of the net is preserved (but in some cases it may be necessary to introduce a large number of transitions). 5. Hence conservative Petri nets may be used within the framework of supervisory control. • For DES modeled with conservative Petri nets (that generate regular languages) we can always refine the net in order that the supremal controllable behavior is achieved. In practice. .1.CHAPTER 5. However.5 Conclusions We can summarize the results of this chapter as follows: • For regular languages. while in the state machine representation in Figure 5. places) and transitions of each of them. Murata 89]. . There is.4 this is not possible. • Use incidence matrix analysis to determine whether undesirable markings are reachable. This permits us to express controllability as a property of the generator E.8. Ramadge and Wonham have proved that it is always possible to determine the supremal controllable sublanguage of a given configuration of systems and specifications with a finite procedure (See Appendix B.. Petri nets allow modular synthesis. . in the same way as a complex systems can be regarded as composed of interacting subsystems. SUPERVISORY DESIGN USING PETRI NETS 40 module each symbol labels at most one transition. . The system G = G1 . in this case the coupling of the modules is so weak that the overall state set will be identical to the cartesian product of the states of the modules.5. e.e. . providing a more compact representation in terms of transition structure when compared with state machine models. and let mi and ni be the number of states (i. Gk can be constructed as a state machine or as an ordinary Petri net. following the algorithm in Appendix A. • When G is constructed as a state machine the number m of states and the number n of transitions will be:   k k m≤ i=1 mi .3.g.

Datta 86. In this case we have efficient “closed form solutions” at the cost of limiting our design to special classes of nets [Datta 84. .CHAPTER 5. These approaches will be investigated in the next chapters. SUPERVISORY DESIGN USING PETRI NETS 41 • Derive synthesis procedures that insure the desired properties for the composed system. Krogh 86. Krogh 91].

In classic incidence matrix analysis. M0 ) = {M ∈ I |P | | B T · M = B T · M0 }. the set of reachable markings of a system N. a basis of P-semiflows B is used to approximate the reachability set. i.. M0 ))[Mf ∈ P R(N. P RA (N. the set of integer solutions of the inequality A · M ≥ A · M0 is exactly the set of reachable markings [Giua 92d]. Furthermore. There are significant differences between our approach and the analysis based on the state equation. M0 ) where we use.Chapter 6 INCIDENCE MATRIX ANALYSIS 6. M0 ) However. We propose an approach similar to the computation of P RB (N. defining the set P RB (N.e. In another approach. and this feature has additional advantages that we will discuss in the following. M0 ) ⊆ P RB (N. M0 is approximated by the solutions of the state equation. the computation of P RB (N. M0 ). by the set P R(N.. M0 ) = {M ∈ I |P | | (∃σ ∈ I |T | )[M = M0 + C · σ]}. N N where C is the incidence matrix of the net. M )] 42 . M0 ) does not involve the firing count vector σ.1 Introduction This chapter discusses how incidence matrix analysis for Petri net models may be used to validate supervisors for the control of discrete event systems. We will consider a class of P/T nets called Elementary Composed State Machines (ECSM). • The use of the incidence matrix does not permit verifying propositions such as (∀M ∈ P R(N. inequalities derived from the basic traps of the net and we define P RA (N. i.e. N The matrix A is computed from the analysis of the structure of net N . in addition to the equations derived from the P-semiflows. we show that for ECSM. the class of nets that we consider here. M0 ) ⊆ P R(N. N The first approximation is generally better. The most interesting property of this class of nets lies in the fact that the set of reachable markings is an (integer) convex set and that the set of linear inequalities A · M ≥ A · M0 which defines it may be computed from the analysis of the simple state machine modules that compose the net. M0 ) = {M ∈ I |P | | A · M ≥ A · M0 }. M0 ) = R(N. in the sense that R(N.

• Note that since the domain P RA (N. as we will see. in general it holds P R(N.e. INCIDENCE MATRIX ANALYSIS 43 with a linear algebraic formalism. In our approach determining if a marking is reachable requires the use of Integer Programming. Thus. In the first approach we consider the state equation of the net. i. the model is extended by composing the state machine modules through concurrent composition. it is possible to relax the constraint that the solution of A · M ≥ A · M0 be integer to obtain a sufficient condition for the validation of the net. and at the same time has the property that the space of reachable markings is a linear integer convex set.. The model considered in this chapter is based on state machine P/T nets with multiple tokens.e. In this approach it is necessary to restrict the type of compositions considered. This is because the set P R(N. To describe concurrent systems. Section 4 finally shows how this approach may be applied to the validation of supervisors for the control of discrete event systems. but strongly limit the possibility of modeling concurrency. M0 ) = R(N. we may use Linear Programming techniques to prove that a given undesirable marking is not reachable. We define the set of reachable markings as the solution of a set of inequalities which do not contain the firing count vector σ. The net we will discuss in Example 6. M0 ) = R(N. • For the class of ECSM nets.2 Incidence Matrix Analysis for State Machines In this section we discuss two ways of determining if a marking of a state machine is reachable from the initial marking. in order to guarantee some important properties [Giua 90b]. 6. for the same class of nets there exists a matrix A such that P RA (N.CHAPTER 6. it is a convex set of integers. it has been proved that the state equation of acyclic nets does not contain spurious solutions [Murata 89]. As an example. M0 ) = R(N. This means that there are classes of nets such that P R(N. since a place may have more that one outgoing arc. M0 ) represents the integer solutions of a set of linear inequalities. in general. can model both choice and concurrent behavior. The final model. M0 ) is defined in terms of linear equations containing the variables M and σ. this proposition. M0 ). M0 ) if and only if the reachability set of system N. this does not imply that its reachability set is a convex set. Thus. State machines may model choice. M0 ). it is given by the integer solutions of a set of linear inequalities. without spurious solutions.2 is acyclic but does not have a convex reachability set. since the only concurrent behavior is given by the presence of multiple tokens in the net. called Elementary Composed State Machines (ECSM nets).. there exists a matrix A such that P RA (N. i. the reachability set of an ECSM may be exactly described by a set of linear inequalities.. an operator that requires the merging of common transitions. However. If a net is such that the state equation does not contain spurious solutions. In the . Integer Programming problems may not be solved. However. M0 ) = R(N. In Section 3 is defined the class of Elementary Composed State Machine nets and the results derived in Section 2 are extended to this class. in polynomial time. since it may contain spurious solutions (solutions which do not correspond to reachable markings). Section 2 deals with state machines and reachability using incidence matrix analysis and shows how it is possible to derive the set of linear inequalities that defines the space of reachable markings. i. M0 ). M0 is a convex set. M0 ) and such that there does not exist a matrix A such that P RA (N.e. expresses the nonblocking property of a system. M0 ) ⊃ R(N. the state equation gives only necessary but not sufficient conditions for reachability. and we will be able to write simple integer programming problems to study nonblocking properties of systems.

CHAPTER 6. INCIDENCE MATRIX ANALYSIS

44

second we show how the reachability set may be described by a set of equations that do not involve the firing count vector. State machines represent a very simple PN model that has been extensively investigated. For instance, Murata [Murata 89] reports several results on the liveness and reachability characterization of this class of nets. However, the focus is generally on live state machines (i.e., strongly connected state machines). In the framework of Supervisory Control, the requirement that the model be live is not important, while it is required that the system be nonblocking, i.e., that from any reachable marking it may be possible to reach a final marking. This motivates the attention given in this chapter to state machines that are not necessarily live.

6.2.1 State Equation
The use of the state equation for characterizing the reachability set of a PN is based on the following observation. Note 6.1. Let N, M0 be a marked net and C its incidence matrix. M ∈ R(N, M0 ) =⇒ (∃σ ∈ I m ) [M = M0 + C · σ]. N The existence of a vector σ satisfying the previous state equation gives a necessary but not sufficient condition for the reachability of a given marking. In the general case, a solution M and σ may exist for the previous equation, but σ yields no firable sequence of transitions and M cannot be reached. For state machines, however, the following theorem holds. Theorem 6.1. Let N, M0 be a marked state machine. M ∈ R(N, M0 ) ⇐⇒ (∃σ ∈ I m ) [M = M0 + C · σ]. N Proof : Only ⇐= needs to be proved. At least one of the transitions given by σ may fire if M0 = M . In fact, consider a place pi M0 (pi ) > M (pi ) ≥ 0. (The existence of such a place is ensured because state machines are conservative.) Since
m

M (pi ) − M0 (pi ) =
j=1

cij σ j < 0,

there exists a transition tj such that σ(tj ) > 0 and cij = −1 , i.e., tj outputs from pi . Since M0 (pi ) > 0, tj may fire reaching a marking M such that: M = M + C · σ , where σ < σ. Repeating the previous reasoning it is possible to conclude that eventually M will be reached. In [Murata 89] is presented the same result in the case of strongly connected state machines. Ichikawa and Hiraishi [Ichikawa 88b] have shown that for acyclic nets, i.e., nets whose underlying graph has no directed circuits, a vector σ solution of the state equation yields a firable sequence of transitions. Theorem 6.1 does not imply this stronger property. Example 6.1. Consider the net in Figure 6.1, where M0 = (2 0 0 The incidence matrix of the net is  −1 0 −1 0 0 0  1 −1 0 0 0 0   0 1 0 1 0 0 C=  0 0 1 −1 −1 1 0 0 0 0 1 −1 0 0)T and M = (1 0 1 0 0)T .    .  

The state equation is satisfied by: σ = (1 1 0 0 1 1)T . While σ does not yield a firable sequence of transitions, M can always be reached: just consider the vector σ = (1 1 0 0 0 0)T (< σ) that yields the firable sequence: σ = t1 t2 .

CHAPTER 6. INCIDENCE MATRIX ANALYSIS

45

Figure 6.1: State machine in Example 6.1.

Figure 6.2: Firing subnet in Example 6.1. The problem, as the previous example shows, is that the firing count vector could be counting, in addition to the sequence of transitions that needs to be fired to go from M0 to M , a cycle that cannot be fired because it is not marked by a token. Hence the following two theorems hold. Theorem 6.2. Let N, M0 be a marked state machine and M be a marking of N . A vector (σ ∈ I m ) [M = M0 + C · σ] yields a firable sequence of transitions from M0 if ( ∃σ ∈ N I m ) [M = M0 + C · σ , σ < σ]. N Proof : If σ is the minimal vector satisfying the state equation for M and M0 , then the firing subnet given by σ is acyclic and all transitions may fire, as proved in [Ichikawa 88b]. Note that Theorem 6.2 gives a sufficient but not necessary condition. In Example 6.1, consider the vector σ = (0 0 1 1 1 1)T solution of the state equation. σ is not minimal but yields a firable sequence σ = t3 t5 t6 t4 . Theorem 6.3. Let N, M0 be a marked state machine and M be a marking of N . A vector (σ ∈ I m ) [M = M0 + C · σ] yields a firable sequence of transitions from M0 if and only if in N the firing subnet given by σ each connected component is marked by M0 . Proof : The presence of a token in each connected component ensures that the cycles eventually present in σ can be executed. The firing subnet for Example 6.1 is in Figure 6.2; here there are two connected components {p1 , p2 , p3 } and {p4 , p5 }, the second of which is not marked; hence its transitions cannot fire.

6.2.2 Defining the Set of Reachable Markings
Theorem 6.4. Let N, M0 be a marked state machine. The set of reachable markings R(N, M0 ) is an integer linear convex set, i.e., can be defined as the integer solutions of a set of linear

CHAPTER 6. INCIDENCE MATRIX ANALYSIS

46

Figure 6.3: Net in Example 6.2, with a non convex reachability set. inequalities. Proof : Follows from Algorithm 6.1 presented below. This property does not hold in general for ordinary P/T nets. Example 6.2. On the net in Figure 6.3, an ordinary conservative PN, M = (0 1 0 2) can be +M reached from M0 = (2 1 0 0) but M = M02 = (1 1 0 1), which is a linear convex combination of M0 and M , cannot be reached. To determine the set of linear inequalities that the set of reachable markings of a state machine must satisfy, the following algorithm may be used. Note first that a connected (not necessarily strongly connected) state machine has a single P-semiflow whose support contains all the places. Algorithm 6.1. Let N, M0 be a marked state machine, and T i = {pi , . . . , pi } a trap of N . 1 k Define M (T i ) = M (pi ) + . . . + M (pi ). 1 k 1. Consider all basic traps1 of the net along with the support of the P-semiflow T 0 . 2. For each trap T i write the inequality: M (T i ) ≥ ni , where ni is the number of tokens assigned to T i by the initial marking. For T 0 write the equation: M (T 0 ) = n0 , where n0 is the total number of tokens in the net. 3. If for a trap T i (i = 0) the number of tokens is ni = 0, the inequality for T i can be removed. 4. If T i ⊂ T j (j = 0) and ni = nj , the inequality for T j can be removed, since it is implied by the inequality for T i . 5. The remaining set of inequalities plus the inequalities: M ≥ 0, gives the set of markings reachable from the initial marking. These inequalities will be indicated as A(N ). According to this Algorithm, the reachability set of a state machine N, M0 can be represent by the set P RA (N, M0 ) = {M ∈ I |P | | A · M ≥ A · M0 }, where each row of the matrix A is N the characteristic vector of the P-semiflow of the net or of one of the basic traps of the net. Here is an example of application for the algorithm. Example 6.3. Consider the net in Figure 6.4. Here the basic traps are: T0 T1 T2 T3 T4 T5 T6
1

= {p1 , p2 , p3 , p4 , p5 , p6 }, = {p2 }, = {p5 }, = {p6 }, = {p1 , p2 , p5 }, = {p3 , p5 , p6 }, = {p3 , p4 , p5 , p6 }.

A trap is basic if it is not the union of other traps.

there is a siphon S i = P \ T i corresponding to each trap T i ..g. e. M (p6 ) ≥ 1.3. that the trap {p2 .e. i. INCIDENCE MATRIX ANALYSIS 47 Figure 6. the complement P \ T is a siphon. This will be proven through the following propositions. p5 } is not considered.2.e. In fact siphons and traps are dual concepts and a dual algorithm. Finally. . may be given for determining the linear inequalities satisfied by the reachable markings. since it is given by the union of T 1 and T 2 . i. the fact that the set of markings that satisfy the linear inequalities required by Algorithm 6. Then the set of equations A(N ) trivially reduces to: M (T 0 ) = n0 . Note. M (p3 ) + M (p5 ) + M (p6 ) ≥ 2. M (p3 ) + M (p4 ) + M (p5 ) + M (p6 ) ≥ 2. (i = 0) considered in the Algorithm 6. Given a trap T . M (p2 ) ≥ 0.3. M ≥ 0. in terms of siphons. Note 6. M ≥ 0.. Note 6. The corresponding set of linear inequalities is: (1) (2) (3) (4) (5) (6) (7) M (p1 ) + M (p2 ) + M (p3 ) + M (p4 ) + M (p5 ) + M (p6 ) = 4. Finally the set of markings reachable from the initial marking is given by: M (p1 ) + M (p2 ) + M (p3 ) + M (p4 ) + M (p5 ) + M (p6 ) = 4. it is necessary to discuss the correctness of the algorithm.. M (p3 ) + M (p5 ) + M (p6 ) ≥ 2. M (p5 ) ≥ 0. M (p1 ) + M (p2 ) + M (p5 ) ≥ 2. Inequality (2) and (3) will be removed in step 3 of the algorithm.CHAPTER 6. inequality (7) will be removed in step 4 as it is implied by (6). Hence the inequality for T i may be rewritten as M (S i ) ≤ n0 − ni . M (p1 ) + M (p2 ) + M (p5 ) ≥ 2.1.1 is exactly the reachability set. M0 be a marked strongly connected state machine. M (p6 ) ≥ 1.4: State machine in Example 6. Let N. The idea is to show that a description of a state machine in term of traps captures the behavior of the net.

With the same reasoning it is possible to infer that there must be a transition leading from {p1 . .1. . Consider a state machine with n places and no transitions.e.2. We point out that while in general the number of basic traps of Petri net may be exponential in the number of places. Then The soundness of the algorithm is then proved by the following reasoning.. Then all the basic traps that do not contain p or that contain p are still basic traps. i. This is trivially true if T consist of a single place. and assume we add a new transition from place p to place p .pk } = T is reached. Let T be a trap of a state machine. .2).1. The marking of the traps is strictly nondecreasing (Proposition 6. Proof : Similar to the proof of Proposition 6. Note also that a single transition may be considered as a simple path with no places. Proposition 6.. it may well be the case that two of them are identical. otherwise {p1 } is a trap and T is not minimal. INCIDENCE MATRIX ANALYSIS 48 Proposition 6. . ⊂ T .1. . . Then a token in T can move to any place in T . clearly there are n basic traps each one containing a single place.2. p2 . p2 }.1). the firing of any transition preserves the total number of tokens. Let T be a minimal trap2 of a state machine. A simple path of a net N is a sequence θ = t0 p1 t1 . p2 } to a place p3 ∈ T . T a token in T \ T can move to any place in T . . Definition 6. Proof : For state machines. p• = {ti }. Hence no transition may output from a place in T to a place not in T . the proof is complete. Consider a place p1 ∈ T . This may be proved by the following inductive reasoning. for state machines the number of basic traps is at most equal to the number of places. . pr tr of transitions and places such that (∀i = 1. j = 0. Assume T consists of k places.3. t• = {pi }. Proposition 6.• ti = {pi }].CHAPTER 6. The tokens initially present in a trap that is not minimal are free to move to any place of the trap provided they also satisfy the constraints enforced by the traps contained in the non minimal trap (Proposition 6. 6. i i−1 We assume that (∀i. All the basic traps that contain p and do not contain p will not be traps in the new net and we need to add to each of them the minimal trap containing p (there is only one such minimal trap) to obtain new basic traps. . Since this reasoning can be applied to any place pi ∈ T . Let us first introduce the following definitions. T is a trap }.3 Composition of State Machines Modules The section discusses how the properties studied in Section 2 for state machines are preserved by concurrent composition. 2 A trap is minimal if it is not the superset of another trap. that is the number of basic traps may only decrease when we add a transition. Proof : On state machines. and let T = {p ∈ T | p ∈ T . r ∧ i = j)[ti = tj ]. it is sufficient to prove that all places in T are strongly connected.3). there is a path from any place to all others. Also a transition has a single input and output arc. r) [• pi = {ti−1 }. Hence p1 is connected to all places in T . . There must be a transition from p1 to some place p2 ∈ T . . The number of tokens in T is nondecreasing. . The tokens initially present in a minimal trap may freely move to any place of the trap (Proposition 6.. These are the only constraints that the set of reachable markings must satisfy and these constraints are captured by Algorithm 6. Consider {p1 . Now assume we have a state machine with its set of basic traps. After the new traps are computed. This reasoning can be carried out until {p1 . We will consider a restricted class of compositions. Let T be a trap.

2. 6. The projection of M on Ni . For this class of compositions we will slightly change the definition of composition given in Appendix A. 2) a set of simple paths provided all paths are looped in one of the nets.1 State Equation Let N = N1 . . . and let M be a marking.4. . is the vector obtained from M by removing all the components associated to places not present in Ni .ri (i = 1. Example 6. Assume that on each module Ni (∀i = 1.ri ) = 1]. k) [• ti. A net N obtained by composition of subnets N1 and N2 is denoted N = N1 N2 .. the firing count vector σ ↑i yields a firable sequence σi . ti. and σ a firing sequence defined on it.5. M0 ↑i [σi M ↑i . is the vector obtained by σ removing all the components associated to transitions not present in Ni . σ be a firing count vector. The composed net is shown in Figure 1. denoted σ ↑i . ti. . Paths θ1 and θ2 are looped in N2 .0 . Given a net N . . P re(p. Nn . We also recall the notation used for composed systems. and k simple paths θi = ti.3. Let N be a composed system N = N1 . denoted σ ↑i .b. the k paths are looped in N if (∃p ∈ P ) (∀i = 1. denoted M ↑i . . INCIDENCE MATRIX ANALYSIS 49 Figure 6. Nn be a composed net.5: Two state machines composed along a simple path in Example 6.4. where C is the incidence matrix of N .r In simple words. The two nets in Figure 6. In this chapter.0 = t• i = {p}. . . k). is the firing sequence obtained by σ removing all the transitions not present in Ni . . ti. . .CHAPTER 6.0 ) = P ost(p. We assume that the marking of the places along the composed paths are the same on all subnets. . i. . the k paths are looped if there exists a place p such that the initial (and final) transitions of all paths only input from (and only output to) place p with a single arc. i. n). we will consider compositions of subnets that share: 1) a simple path. .6 are composed along the simple paths θ1 = t1 p2 t2 and θ2 = t3 p3 t4 . and let σ be the firing count vector solution of M = M0 + C · σ. The two nets in Figure 6. . .e. The projection of σ on Ni . In fact here we are looking at composition based on the structure of the net rather that on the language generated by the net. .5 are composed along the simple path θ1 = t1 p2 t2 . . The projection of σ on Ni . . Definition 6.

. however. are used to define the following class of P/T nets. Elementary Composed State Machine (ECSM) nets are the minimal class of P/T nets that is a superset of the class of state machines and is closed under the following compositions: 1. n). • Composition of two nets sharing one transition t. the first kind of compositions may be used to construct the model of several systems connected through buffers or channels. not simple path) composition. By hypothesis on N1 and . This does not imply. A firing count vector for N yields a firable sequence if and only if on each module Ni the projection of the firing count vector yields a firable sequence σ i . INCIDENCE MATRIX ANALYSIS 50 Figure 6.5. such that the reachability of a marking of the overall net may be determined simply by the analysis of the modules that compose it. As an example. Composition of two nets through a set Ts of k transitions (or a set Θ of k simple paths) when the transitions (or simple paths) are looped in one of the nets. Let N. .6: Two state machines composed along two simple paths in Example 6.4. There exist particular compositions. M0 be a marked net where N = N1 N2 and assume that N1 and N2 have been composed by means of one of the compositions used to define the class of ECSM. Definition 6. 2.CHAPTER 6. . (i = 1.3. Let us prove the “if” part for single transitions (i..e. Composition of two nets sharing a single transition (or a simple path). Proof : The “only if” part is trivial. . however. they permit the modular synthesis of realistic systems. These compositions. . Although the two compositions we used to define ECSM may appear exceedingly simple. called elementary. Consider a solution σ of the state equation M = M0 + C · σ. Theorem 6. The second kind of composition may be used to represent shared resources. In the case of simple path compositions the proof is substantially the same (see also [Giua 90b]). that on the composed net σ yields a firable sequence σ such that M0 [σ M .

.2). . 2 1 2 1 1 2 2 Now let σ = x0 x0 t1 x1 x1 t2 . . Corollary 6. Hence the following is a firable sequence for N2 as well σ2 = x0 t1 x1 t2 . n). INCIDENCE MATRIX ANALYSIS 51 N2 . . Let tj be the j-th i occurrence in σi of a transition in Ts . . Proof : Under these hypotheses. Proof : On module Ni . 1 2 1 2 1 2 2 Clearly σ is a firable sequence given by the firing count vector σ. i. . . (i = 1. A vector (σ ∈ I m ) [M = M0 + C · σ] yields a firable sequence of transitions if N (∀i = 1. A vector (σ ∈ I m ) [M = M0 + C · σ] yields a firable sequence of transitions if and only if N in the firing subnet given by σ ↑i (i = 1. . . (i = 1. Theorem 6. Theorem 6.6.CHAPTER 6. is a state machine.2 and Theorem 6. xk−1 t xk xk . (i = 1. Consider a solution σ of the state equation M = M0 + C · σ.. . Proof: By recursive application of Theorem 6. 2).1 σ yields a firable sequence for N . . n) each connected component is marked by M0 . σ i < σ ↑i ]. By hypothesis on N1 and N2 . . i i i i Now let σ = x0 x0 t x1 x1 t . Let N. 2). M0 be a marked ECSM net where N = N1 · · · Nn and Ni . n). .5. is a state machine. . there are k occurrences of t in each σi . N = N1 Nn and Ni . Then σi may be written as σi = x0 t x1 t . i i i i i i i Let N2 be the looped net. . . M0 be a marked ECSM net and M be a marking of N . . Hence by Corollary 6. σ ↑i yields a firable sequence σi such that M0 ↑i [σi M ↑i . Theorem 6. xk−1 tk xk xk . (i = 1. . Then any time a transition t ∈ Ts fires any other transition in Ts may fire. 1 2 1 1 2 1 1 1 2 2 Clearly σ is a firable sequence given by the firing count vector σ. 2). Let the component of σ associated to the transition t have the value k. σ ↑i yields a firable sequence σi such that M0 ↑i [σi M ↑i . 2).e. Nn and Ni . N = N1 . . n)( ∃σ i ) [M ↑i = M0 ↑i +Ci · σ i . . . . Let N. . the firing count vector σ ↑i yields a firable sequence if and only if in the firing subnet all connected components are marked (by Theorem 6. . .3). (i = 1. on each module σ ↑i yields a firable sequence (by Theorem 6.. Hence by Corollary 6. (i = 1.. . .1. . . .7. xk−1 t xk . (i = 1. . Then σi may be written as σi = x0 t1 x1 t2 . is a state machine.3 may be restated in this form for ECSM nets. . n). xk−1 tk xk . A firing count vector for N yields a firable sequence if and only if on each module Ni the projection of the firing count vector yields a firable sequence. xk−1 tk xk .1 σ yields a firable sequence for N if and only if in the firing subnet for each module Ni all connected components are marked. M0 be a marked ECSM net and M be a marking of N . Let N. . • Composition of two net sharing a set of transitions Ts looped in one of the nets.

it is possible to define the following two sets of places on the net: Pt = {p ∈ P | (∃σ) [σ(t) > 0. Note. that ρmin (M. Let N.4. (Firing Bounds) Let N.CHAPTER 6. t) = M (p) if there is no cycle containing t. t) is ρmax (M. and that when there is a cycle containing t a good approximate bound — that will be used in the following — for ρmax (M. p∈Pt 0       ∞    if there is a cycle containing t and p∈Pt M (p) = 0. the case of two state machines. In simple words. t) and ρmax (M. INCIDENCE MATRIX ANALYSIS 52 6. t). t) = h p∈Pt M (p) ≤ ρmax (M.4. The set Pt contains the places that may be marked without firing t by an initial marking that assigns a token to the initial place p0 and no tokens to the other places. if there is a cycle containing t and p∈Pt M (p) > 0. Mp0 [σ Mp ]}. while for each token in Pt transition t may have fired once if there is no cycle containing t or an arbitrary large number of times if there is a cycle containing t. given a set of transitions Ts . Definition 6. Then these results will be extended to the composition of ECSM through simple paths. Similarly. the set Pt contains the places that may be marked by firing t at least once by an initial marking that assigns a token to the initial place p0 and no tokens to the other places. where h is any integer large enough. also. is discussed. composed through a single transition or a set of looped transitions. Given a transition t. ρmin (M.           ρmax (M. M0 be a marked state machine where M0 assigns all the tokens to a place p0 . t) ≤ p∈P M0 (p). the number of times t has fired to reach M may vary and can assume any integer value in the range [ρmin (M. Pt = {p ∈ P | (∃σ) [σ(t) = 0. Mp0 [σ Mp ]}. ρmax (M.2 Defining the Set of Reachable Markings This subsection will show how it is possible to derive the set of linear inequalities that defines the set of reachable markings in ECSM nets. t) are called the firing bounds of t for marking M . t)]. Mp0 [σ Mp ]}. M0 be a marked state machine where M0 assigns all the tokens to a place p0 . Now given a marking M ∈ R(N. Proof : For each token in Pt \ Pt transition t must have fired at least once. .3. Firstly. t). it is possible to define the following two sets of places on the net: PTs = {p ∈ P | (∃σ) (∃t ∈ Ts ) [σ(t) > 0. and let Mp be a marking that assigns a single token to place p and no token elsewhere. M0 ). Mp0 [σ Mp ]}. where ρmin (M. PT s = {p ∈ P | (∃σ) (∀t ∈ Ts ) [σ(t) = 0. t) = p∈Pt \Pt M (p). Proposition 6.

such as buffer spaces or identical machines.. 2). etc. whenever these sets are identical for all the places marked by the initial marking. When two state machines N1 and N2 are composed through a single transition t the set of markings reachable from the initial marking M0 for the composed net N = N1 N2 is given by the following set of linear inequalities A(N ): A(N1 ). We will assume in the following. t) denotes that the firing bound is computed on max min the net Ni . min max where the exponent i in ρi (Mi . t). max min and ρ2 (M2 . t)] min max [ρ2 (M2 . this requires that [ρ1 (M1 .4 are valid. Given T T a reachable marking Mi on the net Ni . Clearly the two intervals will not be disjoint if and only if: ρ1 (M1 . M (p2 ) + M (p3 ) + M (p4 ) − 2}. ρ2 (M2 . 2) are composed through a single transition t.5. ρmax cannot be expressed as a simple linear function of a marking M but may be defined as ρmax (M.7. M (p2 ) + M (p4 ) − 1. When two nets Ni (i = 1. t) ≤ ρ2 (M2 . Example 6. INCIDENCE MATRIX ANALYSIS 53 Figure 6. unless explicitly stated otherwise. Proposition 6. the marking of the overall net will be a subset of the cartesian product of the markings of the two modules. t). the presence of multiple tokens in a state machine module indicates a multiplicity of identical resources.4 is restricted to the case of an initial marking that assigns all tokens to a single place. If N1 and N2 are state machines.8. M (p2 ) + M (p3 ) − 1. Hence the multiple tokens initially should be assigned to the same place. that this initial marking condition is verified on all state machine modules considered. t). t) ≤ ρ1 (M1 . in the sense that in the application cases of interest here. However.CHAPTER 6. In the net N1 in Figure 6. the results of Proposition 6. . t)] = ∅. M (p) ≤ h2 1 1 p∈Pt \Pt 2 p∈Pt M (p). This requirement is fair.4. even if they are more than one. t) and ρi (Mi . ρ1 (M1 . t). max min Theorem 6. and σ1 (t) = σ2 (t).7: State machine in Example 6. such as manufacturing systems. The problem here is that the sets Pt and Pt are different for the different places marked by the initial marking. t) = min{ M (p2 ). The following example will clarify the necessity for this restriction. A(N2 ). the marking M = [M1 M2 ]T will be reachable on the composed net if and only if there is a sequence σi reaching Mi on the net Ni (i = 1.

since there is a cycle containing t in N2 . h2 = 3. p7 }. Consider the composed system of Figure 6. p6 . INCIDENCE MATRIX ANALYSIS 54 Figure 6. while. • the set of places Pti and Pti belongs to Ni (i = 1.4. Example 6. if there is no cycle containing t in N1 (N2 ). M (p2 ) ≥ 0. The set of places of interest are: Pt1 = {p2 }. max Proof: Follows from Proposition 6. we are using an approximated linear bound for ρi (Mi .8: ECSM net in Example 6. The linear inequalities that define the space of reachable markings on N1 is: M (p1 ) + M (p2 ) = 3. where: • A(Ni ) (i = 1. • h1 = 1 (h2 = 1). 2). t). 2). M (p1 ). then h1 = 1. and are determined as in Definition 6. Pt1 = {p1 }. σ ↑2 = σ 2 ] N is a firing count vector for N and by Theorem 6.8. Pt2 = {p4 . M (p) ≤ h1 2 2 p∈Pt \Pt 1 p∈Pt M (p).1). Hence the vector (σ ∈ I m ) [σ ↑1 = σ 1 . Since there is no cycle containing t in N1 . p5 . and on N2 : M (p3 ) + M (p4 ) + M (p5 ) + M (p6 ) + M (p7 ) = 2. is the set of inequalities for the net Ni (as derived with Algorithm 6. p4 . Pt2 = {p3 . As noted before.5 there exists a firable sequence for the overall net. else h1 (h2 ) is equal to the number of tokens contained in net N2 (N1 ).CHAPTER 6. .4 and the fact that if the last two inequalities are satisfied there exists a firable sequence σi for both modules that reaches M ↑i firing t an equal number of times.6.6. p7 }.

. we have ρ1 (M. 1 (M. t) ≤ M (p2 ) + M (p3 ) − 1. Suppose that on one of the modules. and t may fire infinitely often in N1 for each reachable marking. Here P1 is the set of places of N1 . M (p6 ).7. t) = 0. t) ≤ M (p2 ) + M (p3 ) + M (p4 ) − 2. In the net N1 in Figure 6. min ρ2 (M. M ≥ 0. t) ≤ M (p2 ) + M (p4 ) − 1. M (p2 ) ≤ 3(M (p4 ) + M (p5 ) + M (p6 ) + M (p7 )).7. In this case there is a cycle containing t and p0 (the place marked by M0 ). ρ2 (M. one of the following conditions holds: 1. 55 Note 6. 2. Example 6. M (p3 ) + M (p4 ) + M (p5 ) + M (p6 ) + M (p7 ) = 2. M (p5 ). t) = min{ M (p2 ). Pt1 \ Pt1 = ∅. min ρ2 (M.4. M (p4 ). Hence 0= 1 1 p∈Pt \Pt M (p) ≤ h2 2 p∈Pt M (p) is always verified. min ρ2 (M. Hence M (p) ≤ h1 M (p) 2 2 p∈Pt \Pt 1 p∈Pt is always verified. t) ≤ M (p2 ). M (p7 ) ≥ 0.CHAPTER 6. ρmin Hence. INCIDENCE MATRIX ANALYSIS M (p3 ).8 may not always be necessary. M (p2 ) + M (p3 ) + M (p4 ) − 2}. The inequalities derived in Theorem 6. In the following example we will show an example of a system in which the initial marking marks more than one place. max M (p2 ) + M (p4 ) − 1. M (p2 ) + M (p3 ) − 1. Pt1 = P1 . min The case of a composition of two state machines through a set of transitions Ts is now considered. Hence the set of reachable markings on the composed system is defined by: M (p1 ) + M (p2 ) = 3.5. say N1 . when composing the module through transition t with another module N2 the following inequalities should be considered A(N1 ). A(N2 ). M (p5 ) + M (p6 ) ≤ M (p2 ). discussed in Example 6.

These theorems will be given without proof. where: • A(Ni ) is the set of inequalities for the net Ni . the set of markings reachable from the initial marking M0 for the composed net N = N1 N2 is given by the following set of linear inequalities A(N ): A(N1 ). Proof: Given the special structure of N2 .s 2 1. .4. . if a marking M2 of N2 may be reached by firing a transition in Ts .q p∈Pt \Pt 0 0 2. as suggested by the previous note.10. 2). . • h is equal to the number of tokens contained in N1 . M (p) ≤ hq.ni (i = 1. say N2 .q 1.8 and Theorem 6. Ni. any reachable marking M2 of N2 may be reached without firing any transition in Ts . i. This constraint is expressed by the third inequality of A(N ). Hence the only constraint imposed by the composition of the T T two modules is that for any marking M = [M1 M2 ]T .q (q ∈ J1 ) and to modules N2.e. Ni = Ni. Theorem 6. Let N1 and N2 be two ECSM nets. and are determined as in Definis tion 6.s 1 2.s p∈Pt \Pt 0 0 1.j is a state machine.4 are computed with respect to the first transition of the path. 2). When two state machines N1 and N2 are composed through a set Ts of transitions and these transitions are looped in one of the nets. s ∈ J2 ).q p∈Pt 0 M (p).1). s ∈ J2 ). (q ∈ J1 . then any sequence of transitions in Ts may also be fired.9 to the composition of two ECSM (not only state machines) along simple paths (not only single transitions). 2). M2 may be also be reached by firing a transition in Ts . A(N2 ).1 . Assume N1 and N2 are to be composed through a simple path of transitions θ = t0 p1 t1 . . .CHAPTER 6..9. Also the places determined in Definition 6.s (s ≤ J2 ). belongs to Ni . if reaching M1 requires the firing of one or more transition in Ts . M (p) ≤ h 1 p∈PTs \P 1 Ts 2 p∈PTs M (p). The following two theorems generalize Theorem 6. The set of markings reachable from the initial marking M0 for the composed net N = N1 N2 is given by the following set of linear inequalities A(N ): A(N1 ). M (p) ≤ hq. Also. is the set of inequalities for the net Ni (as derived with Algorithm 6. INCIDENCE MATRIX ANALYSIS 56 Theorem 6. where: • A(Ni ) (i = 1. (q ∈ J1 . that a firing sequence on N2 may require the firing of more transitions in Ts than a firing sequence on N1 . When two ECSM nets are composed along a simple path it is necessary to consider the possibility that the path may belong to more than one state machine module on each net. Hence it is never possible. i i • the sets of places PTs and PT (i = 1. A(N2 ).s 2. pr tr that belongs to modules N1. where Ni.s p∈Pt 0 M (p).

k). . 6. Ni. . Assume N1 and N2 are to be composed through a k simple path of transitions θj = tj pj tj . .q (q ∈ Jj ) and that all paths are looped in the module N2. hence they belong to only one state machine module of the looped net. the paths are looped in one of the nets.e. • hq. more than linearly. j ∈ Ji ).j .s = 1 (hq. A(N2 ).1 . where Ni. working concurrently. 2. Let N1 and N2 be two ECSM nets.1 . The procedure for determining a monolithic supervisor requires the construction..q 1 2 (N2. INCIDENCE MATRIX ANALYSIS 57 • the sets of places Pti.10 we have to add 2 × |J1| × |J2| equations. Hn .s (N1. . Consider m discrete event systems.j and Pti.q (q ∈ Jj ) (j = 1. . tk }. We conclude this section pointing out that when state machines modules are composed to form an ECSM. In the case of Theorem 6.1 P2 = PTs . represented by the state machines N1 . 1 2 When two ECSM nets are composed along k simple paths. . 2). . • P1 is the set of places in N1 that may be marked only by firing a transition t ∈ Ts : k P1 = j=1 q∈Jj P 1.j is a state machine. and let Ts = {t1 . The set of markings reachable from the initial marking M0 for the composed net N = N1 N2 is given by the following set of linear inequalities A(N ): A(N1 ). tj j (j = 1. Else hq. whose transitions are a subset of all the transitions of the N ’s. The specifications to be enforced on the joint behavior of these systems are represented by n different state machines H1 .s (hq. . Theorem 6. where: • A(Ni ) is the set of inequalities for the net Ni . in the worst case. . . M (p) ≤ h p∈P1 p∈P2 M (p). . . . .q ).s ) is equal to the number of tokens contained in the net N2.q \ P 1.CHAPTER 6. Ni = Ni. it is necessary to consider the possibility that each path may belong to more than one state machine module on the net that is not looped. . It is generally assumed that the set of transitions of all these systems are disjoint. . and are determined as in Definition 6.11. . the number of equations of that defines the reachability set grows. However. .s ). • h is equal to the sum of the tokens contained in the nets N1.q . Nm .4 Supervisory Verification In this section the results developed so far are applied to the validation of supervisors for the control of discrete event systems (DES).ni (i = 1. . . . .belongs to Ni. by concurrent . j j t0 t0 while P2 is the set of places in N2 that may be marked firing a transition t ∈ Ts : 2. Assume furthermore r 0 0 0 1 1 that path θj belongs to modules N1.4.s = 1) if there does not exist a cycle containing the path θ in the net N1. . i. .j (i = 1. k).

e. Given a marking Mf of N . the transitions enabled in E at a given marking represent the transitions that are allowed to fire in the nets Ni . M ) ⇐⇒ [A0 · M ≥ A0 · M0 ] ∧ ¬[Af · M ≥ Af · Mf ] ⇐⇒ [A0 · M ≥ A0 · M0 ] ∧ [ k ai · M < ai · Mf ] ⇐⇒ i=1 f f (∃i)[(A0 · M ≥ A0 · M0 ) ∧ (ai · ai · Mf − 1)]. where N  1  af  . i. M0 ) ∧ Mf ∈ R(N. Finally it is possible to check for the existence of blocking markings as follows. . Mf ). . Assume the reachability set of M0 is given by the set P RA0 (N. M0 ). the coreachability set of Mf is identical to the reachability set from Mf in the reversed net N R = (P.. CS1i Proof: M is a blocking marking ⇐⇒ M ∈ R(N. Nm H1 . belonging to the net Ni . n) will run in parallel. k): A0 · M ≥ A0 · M0 .CHAPTER 6. O. the set {M | Mf ∈ R(N. M0 ) of an ECSM net can be given as a convex linear set. it is possible to check for these properties in more efficient ways than by brute force state space search. E and the nets Ni (i = 1. . INCIDENCE MATRIX ANALYSIS 58 composition. is enabled in Ni but is not enabled in E. . f f M ≥ 0. .1 Blocking Let N. M )} = R(N R . • Nonblockingness: the reachability set of the net E does not contain blocking markings. I. Additionally. i. I). . Similarly the coreachability set of Mf .. T. and the coreachability set of Mf is given by the set P RAf (N. it is also fired in E. . while all other transitions are disabled. as will be shown below. M )] Now the set R(N. and Mf be a final marking associated to it. {M | Mf ∈ R(N. In the following subsection it is discussed how these properties may be verified by Integer Programming techniques in the case that E is an ECSM net. .6. if the following two properties are ensured. it may be the case that the model may be validated by simple Linear Programming. markings from which a final marking cannot not be reached. T. Proposition 6. Clearly these restrictions heavily limit the class of control problems that can be solved by our approach. . O) be a net. as shown in Section 3. . 6.e. For the sake of simplicity assume that Mf is the only final marking of the net. Hn . that is. Mf ∈ R(N. Let N.e. . according to the following proposition. However. i. Mf ) = {M ∈ I |P | | Af · M ≥ Af · Mf }. f f . Af = ak f Then there exist a blocking marking M if and only if one or more of the following Constraint Sets has an integer feasible solution (∀i = 1. The net E will represent a proper supervisor.5. M0 ) = {M ∈ I |P | | N A0 · M ≥ A0 · M0 }. M )}. M0 be a marked net. .. Furthermore. of the net E = N1 . Let N = (P. Recall that there exists a set of final markings associated to the N ’s and H’s. • Controllability: it is not possible to reach a marking from which an uncontrollable transition.. whenever a transition fires on one of the nets Ni . .4. M0 be a marked ECSM net and let Mf be the final marking associated with it. can be given in this form. The net N will be blocking if and only if (∃M ) [M ∈ R(N. Proposition 6.. ai · M ≤ ai · Mf − 1.

(By the hypothesis that all the systems have disjoint transitions. although it may belong to more than one specification net H. Then E will not be controllable if and only if one or more of following Constraint Sets has an integer feasible solution (∀tq ∈ Tu and ∀pj ∈ • tq j > 0) q A · M ≥ A · M0 . 6. pq q }. INCIDENCE MATRIX ANALYSIS 59 Note that each constraint ai · M < ai · Mf has been rewritten in the equivalent form ai · M ≤ f f f ai · Mf − 1. . .7. M0 ) ∧ M (p0 ) ≥ 1 ∧ ( q (∃tq ∈ Tu ) (∃M ) (∃j) [A · M ≥ A · M0 ∧ M (p0 ) q ≥ CS2q. Note also that some of the constraints ai ·M ≥ ai ·Mf may be trivially verified by any marking f f in R(N. E is not controllable if and only if it is possible to reach a marking M such that an uncontrollable transition tq is enabled by M ↑i in Ni . Proof: E is not controllable ⇐⇒ (∃tq ∈ Tu ) (∃M ) [M ∈ R(E. M (p0 ) ≥ 1. such as the absence of blocking states or controllability. We have shown how it is possible to derive a set of linear inequalities that exactly define the set of reachable markings. where p0 is a place of Ni and pj (j > 0) is a place of some specification q q q net H. f It is possible to relax the constraint that the vector M be integer and obtain a sufficient condition for the validation of the net. The reachability problem for this class can be solved by incidence matrix analysis. for the constraints coming from the P-semiflows of the net that are satisfied by the reachable and coreachable markings. q ⇐⇒ Also if the constraint that M be integer is relaxed. Thus.) Let the preset of tq k be: • tq = {p0 . as it clearly has no feasible solution. In fact. Let the reachability set of E be given by the set P RA (E. may be studied by Integer Programming techniques. called Elementary Composed State Machine nets. 6.4. M0 ) ∧ M (p0 ) q ≥1∧( j=1 M (pj ) ≤ 0)].5 Conclusions In this chapter we have defined a class of P/T net. we may use Linear Programming to derive a sufficient condition for E to be controllable.CHAPTER 6. a transition may belong to only one net N . for instance.2 Controllability Consider the net E constructed by concurrent composition of all the systems and specification modules. . q M (pj ) ≤ 0. q M ≥ 0. E is not controllable if and only if kq (∃tq ∈ Tu ) (∃M ) [M ∈ R(E. . This is the case. Let tq ∈ Tu be an uncontrollable transition and assume that tq belongs to the system net Ni . This approach may be used to validate supervisors for the control of discrete event systems. M0 ) = {M ∈ I |P | | A·M ≥ A·M0 }. but it is not enabled by M in E. Important properties of the net. if no real vector M satisfies the previous systems of inequalities no blocking marking may be reached. we need not solve the corresponding CS1i . The main drawbacks of this approach is summarized as follows: . In other words. M0 ). q N Proposition 6.j kq j j=1 M (pq ) ≤ 0)] 1 ∧ M (pj ) ≤ 0].

in the sense that if the model does not have the desired properties the approach does not directly lead to the construction of a proper supervisor.CHAPTER 6. INCIDENCE MATRIX ANALYSIS 60 • Integer Programming problems may be not be solved. in polynomial time. • The model is limited. in general. However we have also shown that it is possible to use Linear Programming techniques to derive sufficient conditions for supervisory validation. the control problem is not directly solved. in the sense that there exist monolithic supervisors that cannot be modeled as ECSM nets. • Although a procedure to validate a supervisor is given here. .

the acquisition and release of units of the resource. In their approach. k) defines a set of legal markings: M(w. Viswanadham 90. transitions that may be observed but not prevented from firing by a control agent. the second part of this chapter discusses GMEC for systems represented as marked graphs. The goal is that of constructing a supervisor capable of enforcing the constraints. the complexity of enforcing a GMEC is enhanced by the presence of uncontrollable transitions. A single GMEC may be easily implemented by a monitor. Zhou 91]. thus there exist problems which do not have a “monitor-based” solution.Chapter 7 GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 7.e.e. A problem addressed for those systems with shared resources has been that of deadlock prevention or avoidance [Banaszak 90. A constraint (w.1 Introduction Mutual exclusion constraints are a natural way of expressing the concurrent use of a finite number of resources. In the framework of Supervisory Control [Golaszewski 88]. in this case we prove that the set of legal markings cannot always be represented by a linear domain in the marking space. M0 be a net system with set of places P . In this context. shared among different processes. Let N. based on linear algebraic techniques [Silva 92].. In this work. k) = {M ∈ I |P | | wT · M ≤ k}. containing all those markings from which a forbidden one may be reached by firing a sequence of uncontrollable transitions. instead. i. we are interested in deriving a net based structure for the supervisor. may be prevented from firing by a control agent. We 61 . which may be defined as fully interpreted. a place whose initial marking represents the available units of a resource and whose outgoing and incoming transitions represent. In traditional Petri net modeling all transitions are assumed to be controllable. Unfortunately. N where w is a weight vector of nonnegative integers. An equivalence notion among GMEC is introduced and studied from the point of view of structural net theory.. i. we define a generalized mutual exclusion constraint (GMEC) as a condition that limits a weighted sum of tokens contained in a subset of places [Giua 92b]. it is necessary to prevent the system from reaching a superset of the forbidden markings. Krogh 91]. to compare and simplify GMEC. In the first part of this chapter we present a methodology. A solution to this problem has been given by Holloway and Krogh [Holloway 90. and k is a positive integer.. i. respectively. In the framework of Petri nets and from a very general perspective. To enforce a given GMEC. Markings in I |P | N that are not legal will be denoted forbidden markings.e. the control policy is efficiently computed by an on-line controller as a feedback function of the marking of the system. Holloway 92a.

Moreover. In Section 7. generalized mutual exclusions constraints are defined. we study the properties of marked graphs with the addition of monitor places. to the net.e. we present two different P/T structures for the supervisor capable of enforcing GMEC for this sub-class of marked graphs. i. In Section 7.2.1 Generalized Mutual Exclusion Constraints Definition 7. km )T . Let N. . 7. k) = i=1 M(wi . Some of these models will be fully compiled. N . The advantages of fully compiling the supervisor action in a net structure are: • The computation of the control action is faster.CHAPTER 7. wm ] and k = (k1 . it is possible to prove that a monitorbased solution may not exist.4. the corresponding supervisor is represented by a P/T net. • A closed-loop model of the system under control may be built with standard net composition constructions. In Section 7. Then we study how GMEC may be enforced by adding additional control structure. and k ∈ I + . partially compiled models are more flexible in the sense that some interpretations may be used to implement complex control policies. In particular. since it does not require separate on-line computation.2 GMEC and Monitors In this section we define a generalized mutual exclusion constraint (GMEC) as a condition that limits the weighted sum of tokens in a set of places. N where w : P → I is a weight vector. in the form of new places called monitors. . . whose corresponding net structure may be exceedingly large. without an exhaustive state space search.. i.6. corresponding to a set of GMEC. that the system under control enjoys the properties. M0 be a net system with set of places P .e. the corresponding supervisor is given as an interpreted net in which the firing of some transitions not only depends on the marking of the net but on the value of some boolean expressions as well. On the other hand. k) defines a set of legal markings M(w. we discuss a sub-class of marked graphs for which there is always a monitor-based solution. . and analyzed for properties of interest. • The same Petri net system execution algorithms may be used for both the original system and the supervisor.3. If some of the transitions are uncontrollable. k). even when some transitions are uncontrollable. In Section 7. In Section 7. We discuss the modeling power of this kind of constraint and prove that only for restricted classes of systems a forbidden marking problem may be expressed as a mutual exclusion problem. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 62 will discuss and compare several solutions. the structural theory of Petri nets may be used to prove. 7. defines a set of legal markings m M(W. we compare the advantages and disadvantages of the different control structures. k) = {M ∈ I |P | | wT · M ≤ k}. others will be partially compiled. these constraints may be enforced by a monitor place.2. A single generalized mutual exclusion constraint (w.5.. ki ) = {M ∈ I |P | | W T · M ≤ k}. If all transitions of the net are controllable. The chapter is structured as follows. The support of w is the set Qw = {p ∈ P | N N w(p) > 0}. we present two different partially compiled net structures for the supervisor capable of enforcing GMEC for this sub-class of marked graphs. A set of generalized mutual exclusion constraints (W. with W = [w1 .1.

. Example 7. 1 T · M = 3. M0 ) ⊆ M(w.. The proposition gives a sufficient condition for redundancy. . M0 if R(N. Let (w1 . k2 ) be two GMEC with: w1 = (1330)T . k) is reduced to the set condition considered in [Krogh 91]. M0 ) ∩ M(w2 . k). k2 ) ⊆ 1 M(w1 . k2 = 1. M0 if and only if (W1 .1a whose set of reachable markings is R(N. k). k). k) is redundant wrt a system N.CHAPTER 7. and w2 = (0110)T . M0 ) ∩ M(W2 . k1 ). B T · M = B T · M0 . k1 ) and (W2 . k2 ).1.3).t. The LPP x2 = max wT · M 2 s. M0 ) = {M | 1 T · M = 3}. is redundant wrt N. 1 T · M = 3. k1 = 5. k) is redundant with respect to (wrt) a set of markings A ⊆ I |P | if A ⊆ M(w. . w(p) = 1 (∀p ∈ Qw ). ki ) is redundant for all i = 1. .e.t. There are classes of nets. Definition 7. k) is redundant wrt N. has optimal value x∗ = 5 < k1 + 1. Two sets of GMEC (W1 . . M. wm ] and k = (k1 . Consider the system in Figure 7. M0 ) ⊆ M(w. . 1 M ≥ 0. M0 ) ∩ M(W1 . such as marked graphs (see Proposition 7. k1 ) and (w2 . Proof: If x∗ < k + 1 then P R(N. . Also for the nets for which P R(N. where B is a basis of P-semiflows of the net. The LPP x1 = max wT · M 1 s. σ ≥ 0. when w ≤ 1. wT · M ≤ 1.t. k2 ) are equivalent wrt N. M0 be a system. . M0 : x = max wT · M s. A set of GMEC (W. M0 )∩ M(W1 .1. M0 ) = P RB (N. k1 ) is redundant wrt R(N. k). k1 ) = R(N. wT · M ≤ 5. 2 M ≥ 0. M0 if (wi . N A GMEC (w. for which the condition is necessary and sufficient [Colom 89]. i. k) and this implies that R(N. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 63 As a particular case. Let N. A GMEC (w. k2 ) is redundant wrt R(N. M0 if R(N. m. M0 ) ∩ M(W2 . If the following Linear Programming Problem (LPP) has optimal solution x∗ < k + 1 then the GMEC (w. In the following we will discuss the redundancy and equivalence between constraints. Linear programming techniques may be used to derive sufficient conditions for redundancy.t. M0 ) we may equivalently check for redundancy solving the following linear programming problem: x = max wT · M s. km )T . the unweighted GMEC (w.1 R(N. Definition 7.3.2. k2 ). Proposition 7. k1 ) and (W2 . . and (W2 . hence by Proposition 7. k2 ) are equivalent wrt N. k1 ). M = M0 + C · σ. We may check for equivalence between constraints using the same approach we used to check for redundancy. where W = [w1 . In fact from the definition it follows that two sets of GMEC (W1 . To prove that the two constraints are equivalent wrt the system considered we may proceed as follows. M0 ) ⊆ M(w. M ≥ 0.

k1 ) is redundant wrt R(N. k3 ) = M(w2 . k2 ) is simpler than (w3 ..e. This property is preserved if we add any number of unweighted constraints to the constraint set that defines the set of reachable markings.1. k3 ). hence any optimal solution of the Linear Programming Program is also a solution of the corresponding Integer Programming Problem. M0 ) ∩ M(w1 . k1 ) is equivalent to (w2 . The equivalence between constraints leads to the idea of simplification of a constraint. the equivalence between (w1 . M0 ) ∩ (w3 . It is immediate to see that M(w3 . Note. k1 ). has optimal value: x∗ = 1 R(N.1a consider. wT · M ≤ 5. 5 has optimal value x∗ = 3 < k2 + 1. . For the system in Figure 7. and the constraint set that defines the set of reachable markings has integer extremal points. Since we have proved in Example 7. constraint. k3 ) to prove equivalence to (w1 . M0 ) ∩ (w3 .2. k2 ). The system considered in the example is a live marked graph. The next example shows another advantage of simplifying constraints. 3 M ≥ 0. Example 7. k) if w < w. A constraint (w . k3 ) we have an inconclusive answer. k2 ) wrt N. in addition to the two constraints discussed in Example 7. 1 T · M = 3. Given a constraint (w. k2 ). in the previous example. but equivalent. hence we cannot conclude that (w1 . k2 ). k3 ) with: w3 = (0330)T .t. M0 . k1 ) ⊆ M(w2 .1: System in Example 7. to pinpoint the advantage of using the simpler unweighted constraint (w2 . that if we try to use a LPP to prove that (w1 . k3 ) also follows.1 that (w1 . k1 ) and (w3 . we may look for a simpler. hence R(N. 19 3 > 6. k2 ) rather than the weighted one (w3 . GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 64 Figure 7. k3 = 5. the constraint (w3 . k3 ) is equivalent to (w2 . k1 ) is redundant wrt It is important.1. This proves 2 that the two constraints are equivalent for the given system. k3 ) that is simpler than (w1 . k1 ). (w2 . (w3 . In fact the LPP x1 = max wT · M 1 s. By definition.CHAPTER 7. In the next subsection we will see that simpler constraints require simpler control structure to be enforced. k ) is simpler than (w. i. k). however.

Consider again the system in Figure 7. This is clearly impossible. k) be a GMEC with: w = (1200)T . 1-bounded) systems. Let N. k).3.4. in order to have an unweighted constraint that forbids M3 but that does not forbid M1 and M2 we need to chose a w such that (∀p) w (p) ∈ {0. k) ∩ {0. We will prove.e. i. That is.2: Reachable markings in Example 7. In the case of safe (i. We point out that there does not always exist a set of unweighted constraints equivalent to a set of weighted ones. k ). and M3 ∈ M(w . k). then one of the constraints in this set must be (w . k) wrt N. 1}4 . k) equivalent to (w. the constraint (w. it may be the case that a weighted constraint may be decomposed into a set of unweighted ones. k ).CHAPTER 7. M0 . by contradiction. k) with w = (1234)T and k = 5 is equivalent to the set of constraints (W. 1} and w (p3 ) < w (p1 ) < w (p2 ). There exists a set of unweighted constraints (W. k ) may exists. 0 0 1 1 and k = (211)T . In fact. In Figure 7. Let (w.5. Theorem 7. k) ∩ {0.. In fact M(w.. the following theorem proves that any weighted constraint is equivalent to a set of unweighted constraints. Markings M1 = (2100)T and M2 = (0210)T are legal. k ). and w · M2 < w · M3 =⇒ w (p3 ) < w (p1 ).2. Example 7. If there exists a set of unweighted constraints (W.1a. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 65 Figure 7. k) may be a useful way to compactly express more than one unweighted constraint.1. k = 4. M2 ∈ M(w . M0 be a safe system with set of places P and (w. while marking M3 = (1200)T is forbidden by (w. Proof: Consider the set of vectors V such that ∀v ∈ V the following conditions are verified: . that no such (w . 7. both weighted and unweighted.2 Modeling Power of Generalized Mutual Exclusion Constraints In this subsection we discuss the modeling power of GMEC. such that M1 . M (p1 ) and M (p2 ). 1}4 = M(W. The use of weights in the definition of (w. k) a weighted GMEC.2 we have represented the projection of the reachability set on the first two components. For safe systems. with w = 1. Example 7. however. k) with   1 1 1 0 W =  0 1 0 1 .e. k) equivalent to (w. w · M1 < w · M3 =⇒ w (p1 ) < w (p2 ).

j In the rest of this subsection we will compare GMEC with the most general kind of constraint that can be defined on the markings of a system. k) where: w(p) = 1 if p ∈ QM else w(p) = 0. wT · v > k. and k =|QM | −1. . k) =⇒ M3 ∈ M(W. M0 ) ∧ M ∈ M(w. 1}|P | . M0 ) ∧ QM = QM =⇒ M = M . If wT · v 1 ≤ k stop else repeating this procedure construct v 2 . M0 )∩M(W. k). a) Let us prove R(N. k) =⇒ M ≤ 1 ∧ wT · M > k. v j+1 such that M ≥ v 0 > v 1 > · · · > v j+1 and wT · v j+1 ≤ k while wT · v j > k. M0 ) ∩ M(w. . M2 ∈ M(W. wr ) and k = (k1 .CHAPTER 7. k) and any other marking M ∈ R(N. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS C1. Let N. k). k) ⊆ M(W. M0 ) ∩ M(w. kr )T . . the forbidden markings constraint [Holloway 92a]. (∀v ∈ {0. 1. given a set of forbidden markings F we may forbid any M ∈ F with a constraint (w. However it is possible to prove that for some classes of nets there exists an GMEC equivalent to any forbidden marking constraint. k). . . Let v 1 be a new vector such that: if p = p then v1 (p) = v0 (p) else v1 (p) = 0. k) equivalent to F . M2 . k) =⇒ M ≤ 1 ∧ wT · M ≤ k =⇒ M ≤ 1 ∧ (∀v ∈ V ) ∃p ∈ Qv M (p) = 0 =⇒ (∀v ∈ V ) v T · M ≤ ki =⇒ M ∈ M(W. k). In fact given three markings M1 . · · · . Then. However F may be chosen such that M1 . M0 )\F = R(N.e. C3. M. Thus (W. A forbidden marking constraint consists of an explicit list of markings F that we want to forbid. C4.. M0 ) ∩ M(W. It is enough to prove that M ∈ R(N. This means that v j ∈ V . k). such that R(N. Qv ⊆ Qw . k) ⊆ M(w. . M0 ) \ F = R(N. Let (W.. . M0 ) M < M . M0 )∩ M(W. This proves that there may not exist an GMEC equivalent to a forbidden marking constraint. Let v 0 be defined as: if p ∈ Qw then v0 (p) = M (p) else v0 (p) = 0. M ∈ R(N. Clearly v 0 satisfies conditions C1-C3 listed above. r) ki =|Qwi | −1. We will show that there exists vector v j ≤ v 0 and such that v j ∈ V . k) is a convex set. Then given a set of forbidden markings F there exists a set of GMEC (W. v ∈ {0. M0 be a safe and conservative net system. 2. i. hence v T · M =|Qvj |=⇒ M ∈ M(W. 1}|P | . M0 )∧ M ∈ M(w. . M2 ∈ F and M3 ∈ F .e.e. If a net is safe there does not exist two different markings with the same support. . M0 )) ∃M ∈ R(N. If a net is conservative no marking is covering another one. i=1 and where (i = 1. i. where r 66 {wi } = V. since M(W. k).. (∀M ∈ R(N. C2. k) may be constructed as the union of all the GMEC constraints forbidding a marking in F . k) such that R(N.2. M0 and let F be any set of forbidden markings. v < v) wT · v ≤ k. k) be such that W = (w1 . M3 ∈ R(N. Clearly M ∈ M(w. k)? In general the answer is no. Consider p ∈ Qv0 (∀p ∈ Qv0 )w(p ) ≤ w(p). Let us now consider a net system N. k) =⇒ M ∈ M(W. M0 ) is such that M ∈ M(w. M0 ) with M3 = (M1 + M2 )/2 we have that M1 . i. k). M ∈ R(N. M ∈ R(N. Proof: Let us first state two obvious facts. k). Is it possible to find a set of GMEC (W. b) Let us prove R(N. Theorem 7.

M0 ) ↑P ⊆ R(N. and N S . M0 is identical to the set of legal potentially reachable markings of N. (w. and a GMEC (w. P ostS ).4. M0 is S M0 = M0 k − wT · M0 .1.1b we have represented the two monitors corresponding to the two constraints discussed in Example 7. i. The resulting system is S denoted N S .6.2. P re.e. Given a system N.. i. M0 ) ∩ M(w. k).. M0 . M0 is contained in the set of legal reachable markings of N. Then N S will have incidence matrix CS = C −wT · C .e. The monitor S ensures that the projection on P of the reachability set of N S . M0 be a system. The initial marking of N S . The projection of X on P is the restriction of X to P and will be denoted X ↑P . M0 . We are assuming that there are no selfloops containing S in N S .e. M0 ) ∩ M(w. The requirement that the net be conservative may be shown necessary by the following example. The two possible markings of the system are M1 = (1) and M2 = (0). GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 67 Figure 7. k). with N S = (P ∪ {S}. . S 2. k). M0 the system with the addition of the corresponding monitor S. We will use the following notation for system with monitors. We assume that the initial marking M0 of the system satisfies the constraint (w.CHAPTER 7. Let C be the incidence matrix of N . S R(N S . M0 ) ↑P = P R(N. S Proposition 7. P reS . This definition is extended in the usual way to the projection of a set of vectors X . T. k) wT · M2 ≤ wT · M1 ≤ k. X ↑P = {X ↑P | X ∈ X }. S 1.3 Monitors A GMEC may be enforced on a system by a monitor. Example 7. Clearly for a set of forbidden markings F = {(0)} it is not possible to find an equivalent GMEC since (∀w. Definition 7. 7. M0 . M0 . T. k). Consider the 1-bounded but not conservative system in Figure 7. i. The monitor S ensures that the projection on P of the potentially reachable set of N S . Let X : P ∪ {S} → I be a N vector.3: System in Example 7. in Figure 7. the monitor that enforces this constraint is a new place S to be added to N . P ost).2. S P R(N S .3. with N = (P. As an example. k) a GMEC. hence P reS and P ostS may be S uniquely determined by C S .5. Let N..

S) = −C S (S. The monitor S is an implicit place in N S . M0 .CHAPTER 7.. it follows that 0 ≤ M S (S) < P reS (S. M0 ). i. Y T · C ≤ 0 ⇐⇒ ∃a ∈ I + such that Y = (aY − w) ≥ 0. i. 4] As shown in [Colom 89]. k) ⇐⇒ (w. 4. M0 ) be such that: S [σ M S .e. in the sense that it prevents only transition firings that yield forbidden markings. k). ·). Hence wT · M = wT · (M0 + C · σ) ≤ k. M0 ) ⊇ L(N 0 0 0 T .e. t) = wT · C(·. t) be the column M0 0 of C corresponding to transition t. M0 ) = L(N S . We just need to prove that if (w. M0 ) ↑P ⊆ P R(N. S 2] With the same reasoning of the previous point we can immediately conclude that P R(N S .e. Y T · C S ≤ −wT · C ⇐⇒ S is structurally implicit in R S. M0 ) ∩ M(w.e. Then k − wT · M = M S (S) < P reS (S.. M0 ). GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 68 S 3. t). S 3] Let σt ∈ L(N. t) = wT · C(·. t) = wT · C(·.. M0 ) and S ↑ . k) is redundant in N.. S) = 0. t) − P ostS (t. S is implicit ⇐⇒ L(N. M S ∈ P R(N S . M0 then L(N. This implies that wT (M0 + C · σ) ≤ k. The monitor S minimally restricts the behavior of N S . To prove R(N S . i. Then M S = M S + C S · σ or. Clearly L(N. M0 ) = L(N S . Proof: S 1] Clearly R(N S . k) is redundant in N. from which follows wT · M = wT · [M + C(·. S . Then we also have that MS = M k − w · (M0 + C · σ) T S S is a non negative solution of M S = M0 + C S · σ. The monitor S is a structurally implicit place in N S if and only if all places in Qw are structurally bounded. M0 ). i. M S ). Then: All places in Qw are structurally bounded ⇐⇒ ∃Y ≥ 0 such that QY ⊇ Qw . ·) = −wT · C is the incidence vector of S in C S . i.. t). M0 ) be such that: M0 [σ M [t M and σ ∈ L(N S . M =M P 0 M = M0 + C · σ. Let C(·. M0 ) ↑P ⊆ R(N. equivalently. k). M0 ) = R(N S . Let M ∈ P R(N. M0 ) ↑P ⊆ M(w. t) =⇒ P ostS (t. M0 ) =⇒ R(N. M0 . M S ) =⇒ w T · M > k. M S ). t)] > k. wT · M ≤ k. since the addition of a place can only further conS S strain the behavior of a system. P reS (S. Let us prove the reverse inclusion. let M S ∈ R(N S . k − wT · (M0 + C · σ) ≥ 0. S 5. M0 . M0 ) ↑P ⊆ M(w. S M S (S) = M0 (S) − wT · C · σ = k − wT · (M0 + C · σ) ≥ 0. S is structurally implicit in N S if and only if ∃Y ≥ 0 such that Y · C S ≤ C S (S.e. k) is redundant in N. where C S (S. M0 if and only if (w. Then P reS (S. Since t is not enabled by marking M S and since there are no selfloops containing S. M ∈ M(w. M0 ) ∩ M(w. N S S 5] Only if. M ) ⊆ L(N S . We need to prove that σt ∈ L(N S . k). t). so we will prove that redundancy implies L(N. ∃σ ≥ 0 such that M = M0 + C · σ. k). S If.

In the same figure is shown the reachability graph of the original system (all arcs and states) and of the system with monitor (only continuous arcs). An uncontrollable transition represents an event which may not be prevented from occurring by a supervisor. as shown in the system in Figure 7. the system may lose reversibility. k). that satisfies the constraint.2. A controllable transition may be disabled by the supervisor. M0 ).5. Given a system N. the set of controllable transitions.g. S) and by the hypothesis that S is not contained in a selfloop S we have: M S (S) ≥ P reS (S. In the net in Figure 7. a monitor has been added to enforce the constraint M (p3 ) + M (p4 ) ≤ 1. N . • Even if liveness is preserved. t) = P reS (S. • Not all markings that satisfy the GMEC may be reached on the net with the addition of a monitor. will never be reached again in the system with monitor.. S From the initial marking M0 = (000111)T the marking M S = (100010)T will never be reached even if the net is live. M0 and a set of GMEC (W. In the system in Figure 7.4. k) = {M ∈ I |P | | W T · M ≤ k}. The addition of a monitor to the net structure modifies the behavior of a system. a monitor has been added to enforce the constraint M (p1 ) + M (p3 ) ≤ 1. S S Let σt ∈ L(N. a controlling agent which ensures that the behavior of the system is within a legal behavior. that the set of transitions T of a net is partitioned into the two disjoints subsets Tu . Then M wT ·C(·. e.4: A system not live under constraint. We pinpoint three facts: • The addition of a monitor does not always preserve liveness of the system. The initial marking. t)−P ostS (t. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 69 Figure 7. in order to avoid reaching markings that do not satisfy the corresponding GMEC.4. The system reaches a deadlock after the firing of a single transition. M0 ) be such that: M0 [σ M [t M and σ ∈ L(N S . the marking (000011)T may not be reached even if it satisfies the constraint M (p3 ) + M (p4 ) ≤ 1 because the net reaches a deadlock. This proves that σt ∈ L(N S . M0 ) be such that: M0 [σ M S .g. 7. T T S (S) = k − w T · M ≥ Note that redundancy implies w · M = w · [M + C(·. the set of uncontrollable transitions. e. now..4 Nets With Uncontrollable Transitions We assume. In the net in Figure 7. the set of legal markings is given as a linear domain: M(W. t). t)] ≤ k. and Tc .CHAPTER 7.5.

Thus any transition firing that yields a legal marking is not forbidden and the behavior of the system under control is the largest behavior that satisfies the constraint.. Assume we want to enforce a constraint (w. in the sense that it may not always be solved with the same techniques used in the case that all transitions are controllable. We call this behaviour maximally permissible following [Krogh 87]. k) = M(W. We need to introduce this restriction ∗ because a firing sequence σ ∈ Tu may not be prevented by a controlling agent. M0 ) ∩ M(W. When all transitions are controllable. t2 . such that M (p5 ) + M (p7 ) ≤ 1. a problem of mutual exclusion is transformed into a more general forbidden marking problem. (w.2. we need to further restrict the behavior of the system. Note. Is is easy to see that the markings M1 = (2002001)T and M2 = (0220001)T are in Mc (w. The set of legal marking is in this case: Mc (W. however.2 ensures that. k) but from which a forbidden marking may be reached by firing only uncontrollable transitions. we have represented as empty boxes the controllable transitions t1 .6. k) N ∗ M [σ M ∧ σ ∈ Tu }. i. k) such that R(N. k) (Proposition 7. k) will be reached by the system under control (Proposition 7. but M = (1111001)T = (M1 + M2 )/2 is not. even if some transitions are not controllable. We also discuss the concept of maximally permissible control policy [Krogh 87].6. avoiding all those markings from which a forbidden marking may be reached by firing only uncontrollable transitions. In the net in Figure 7. we have proved that a monitor is capable of enforcing a given GMEC (w. M0 ∩ M(W. Example 7. k) = R(N.. . t5 . GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 70 Figure 7.e. This shows that in presence of uncontrollable transitions. in the sense that it can ensure that only markings in M(w. part 1).CHAPTER 7. It is possible to prove that there does not always exist a GMEC (W. k).2. k). k). M0 ) ∩ Mc (w. k). k) such that R(N. k) = R(N. that for safe and conservative systems the result of Theorem 7. which is a qualitatively different problem. we do not consider legal the markings that satisfy (W. i. This proves that there does not exists a GMEC (W. M0 ) ∩ Mc (w. k) may be enforced by a set of monitors. It is also the case that whenever a transition t is prevented from firing by the monitor at a given marking M then M [t M ∧ M ∈ M(w. part 3).e.5: A system not reversible under constraint. In the presence of uncontrollable transitions. k) \ {M ∈ I |P | | ∃M ∈ M(W. k) with w = (00100010)T and k = 1. Thus we may have cases in which does not exist a monitorbased solution to a given mutual exclusion problem.

Let N. Then P R(N 0 P 0 M(W. Proposition 7.5 we will show several control structure capable of enforcing generalized mutual exclusion constraints. Let N. Then P R(N.4 and Section 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 71 Figure 7. we will consider systems whose underlying net is a strongly connected marked graph (MG).2. the marked graphs (MG). k) will be reached by the system under control. Proof: Follows from Proposition 7. Strongly connected MG are structurally live and bounded. M0 is a live MG system. M0 ). S According to this proposition it is possible to represent the potential reachability set of N S . In the third subsection we restrict our attention to a particular subclass of MG for which a solution to a mutual exclusion problem may be efficiently derived. k). M0 as a set of linear inequalities where the firing count vector σ does not appear. M S ) ↑ = B(N. .1 Marked Graphs with Monitors In the rest of this chapter.4. the maximally permissible control policy should ensure that: a) only markings in Mc (w. M0 be S . M0 ) = P R(N. and Propositon 7.3. S Proposition 7. In Section 7. 7.3.3 ([Murata 89]). k) be a set of GMEC. In the case of uncontrollable transitions. M0 ). 7. If N. M )∩ the system with the addition of the corresponding monitors.3 Generalized Mutual Exclusion Constraints on Marked Graphs In this section we focus on a class of nets. M0 be a MG system. in the presence of uncontrollable transitions. b) all transition firings that yield a marking in Mc (w.CHAPTER 7. part 2. In the first subsection we study the properties of marked graphs with the addition of monitors. and let N S . for this subclass. M0 be an MG system. then we also have that R(N. k) should be allowed. M0 ) = B(N.6: A mutual exclusion problem with uncontrollability that does not admit a monitor-based solution. (W. In the second subsection we present a general formalism for enforcing generalized mutual exclusion constraints on MG with uncontrollable transitions.

3. k). However.5 ([Murata 89]). The control subnet for ti is the subnet Ni = (Pi . X = 1. M0 ) ∩ M(W.2 Control Subnet In this subsection we discuss a general methodology for enforcing constraints on systems with uncontrollable transitions. Definition 7. P re. For mono-t-semiflow nets deadlock-freeness is equivalent to liveness. Ti = • Pi ∩ Pi• . Consider the system in Figure 7.CHAPTER 7. The set of control transitions for t is the set Ai = • Pi \ Pi• . The dead marking M = (3003)T is in P R(N S . Example 7.9.8. M S is live if ∀M ∈ B(N.5. Assume we want to enforce the two constraints: 3M (p1 ) + M (p3 ) ≤ 9. and N S . Given a net N = (P. as shown in the following example. Thus the previous proposition gives a sufficient but not necessary condition for liveness. T. from initial marking M0 = (0303)T the system is not reversible. unfortunately. and let ti ∈ Tu be an uncontrollable transition. Let the initial S marking be M0 = (2130)T . k). To enforce a constraint we need to prevent some transition firing. These markings are called killing spurious markings in structural jargon. and 2M (p2 ) + 3M (p3 ) ≤ 9. P osti ) where Pi ⊆ P is the set of places connected to t by a path containing only uncontrollable transitions. the control subnet for ti is not defined but the set of control . The system is live from any legal initial marking. M0 ) ∩ M(W. The legal marking of this system under the constraints are shown in Figure 7. Let N. 72 The introduction of a set of monitors corresponding to a set of GMEC does not change this property. 7. We may extend this definition to controllable transitions as well. M0 be a live MG system. The resulting net will be a mono-t-semiflow net [Campos 91]. since M ∈ B(N. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS Proposition 7.7. since the net is a mono-t-semiflow net. Liveness and the existence of repetitive sequence firable from M0 are not sufficient conditions for reversibility. The legal marking of this system under the constraints are shown in Figure 7. It is obvious that Ai ⊆ Tc . however. prevent the firing of a set of controllable transitions (called control transitions of t) whose firing is required prior to the firing of t. M0 ) and the system is deadlock-free. whose reachability graph is also shown. The following proposition gives a sufficient condition for liveness. but since it is never reachable the system is live. P ost) and a controllable transition ti ∈ Tc . M0 ) ↑P . Example 7. A connected MG has a single minimal t-semiflow. we cannot prevent the firing of an uncontrollable transition t ∈ Tu . Unfortunately. M0 is a harder task. We may. This in turn implies liveness. k) a set of GMEC. and M (p2 ) + 3M (p4 ) ≤ 9.8. T. S S Proof: If no dead marking exists in P R(N S . even if there exist a repetitive sequence firable from M0 . The next example shows that. M0 the S . Ti . P re.7 we want to enforce the two constraints: 2M (p1 ) + 3M (p4 ) ≤ 9. and P rei = P re ∩ (Pi × Ti ). P ost) be a net. k) that are not reachable under control. (W. In the system in Figure 7. S Proposition 7. M is not a dead marking.6. killing spurious markings may exists on marked graphs with monitors. Note that there may exist dead markings in B(N. M0 ) then no dead marking exists in R(N S . P osti = P ost ∩ (Pi × Ti ). M ) ∩ system with the addition of the corresponding monitors.7. P rei . N 0 0 M(W. Let N = (P. S Proving reversibility for a MG with monitors N S .

CHAPTER 7. Figure 7.7: A marked graph system and its reachability graph. .8: Legal markings for the system in Figure 7 under the set of constraints shown. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 73 Figure 7.

ti ) = 0. if t ∈ Ti ∩ Tc . t . Note that the token distance DB(M. t. Ti . The advantage is that this computation may be done on the structure of net.. ti . ti . i. in the following. Proposition 7. This will allows us. the minimum token content among all possible direct paths from t to ti at marking M . P rei . 2] See Murata [Murata 89]. M0 be an MG system and ti one of its transitions. transitions for ti is the set Ai = {ti }. Let Ni = (Pi . We want to apply the ideas developed so far to the problem of enforcing GMEC on marked graph systems.7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 74 Figure 7. Ti ⊆ Tu . . to use the same formalism for both controllable and uncontrollable transitions. Given a marking M ∈ R(N. as its only output transition is controllable. 2. P osti ) be the control subnet for ti . P rei .e. Ai ) = min{td(M. • Ni = (Pi . Proof: 1] By contradiction. the problem is that of controlling the firing of the input transition of all places in Qw to ensure that the constraint is always verified. i.CHAPTER 7. For marked graphs systems if it possible to analytically compute the dependency between the firing of an uncontrollable transition and the firing of its control transitions. the maximum number of times we may fire ti without firing any transition in Ai (the deviation bound between ti and Ai ) is DB(M. ti ) | t ∈ Ai }. ti ) is the token distance between transitions t and ti . M0 ). We will use the following notation. Given a constraint (w.e. where td(M. and let Ai be the set of control transitions for ti . Ti . Note also that if ti is controllable DB(M. without resorting to the construction of the space of reachable markings. Given a place pi ∈ Qw we will denote: • to its output transition. This means that Ai ∩ Ti = ∅. ti .9: Legal markings for the system in Figure 7 under the set of constraints shown. 1.. P osti ) the control subnet for ti . then the input place of t cannot be in Pi . hence t ∈ Ti . Let N. k). i • ti its input transition. the transition itself. t . Ai ) = DB(M. Ai ) may be computed solely from the analysis of Ni and its marking.

Proposition 7. The deviation bound between an uncontrollable transition and its set of control transitions may be used to define the set of legal markings Mc (w. Definition 7. M0 . GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 75 Figure 7. t . Let N. k) = {M ∈ I |P | | wT · (M + DM ) ≤ k}. to ) ≤ 1].10: Control subnets for the input transitions of places p1 .7. under the hypothesis discussed in the following. • Ai = {t1 . A place pi of an MG system N. k) a GMEC. · · · . Let A = ( pi ∈Qw Ai ). the maximally permissible control may be computed step by step as follows. M0 be an MG system and (w. ti ) ≤ 1 ∧ DB(M. p3 . with the corresponding control transitions. p2 .CHAPTER 7. implies that by firing only uncontrollable transitions we may reach a new marking M such that M (pi ) = M (pi ) + DM (pi ). Then the set of legal markings is Mc (w. let its input transition be ti . i . We have represented the control subnets for their input transitions.3 Control Safe Places We will consider in the following a special class of MG systems introduced in the next definition.10 places p1 . If wT · (M + DM ) ≤ k then t should be left free to fire else it should be disabled. k) for a GMEC (w. and the assumption that no place pi belongs to the subnet of any ti .. M0 ) ∧ ∀t ∈ Ai ) [DB(M. N where DM (pi ) = DB(M.6. • All transitions in Tc \ A may be left free to fire. ti . M0 ): • For each firable t ∈ A. Given a marked graph system N. i i Example 7.e. In Figure 7. i (∀M ∈ R(N. Proof: Proposition 7. the deviation bound between any control transition in Ai i and both ti and to is at most one for any reachable marking. p2 . At ) if pi ∈ Qw else DM (pi ) = 0. M0 is said to be control safe if given its input transition ti and its output transition to . The remaining structure of the marked graph is not shown.9. t . tni } the set of control transitions for ti . p3 belong to the support of a GMEC. i 7. i. k). Then from any marking M ∈ R(N. The previous proposition may be used to define the maximally permissible control policy that enforces the constraint (w. Assume that: ( pi ∈Qw Pi ) ∩ Qw = ∅.3.8. part 1. compute M M [t M . For each place pi ∈ Qw . k) on marked graphs.

often more efficient than a set of monitors. that no place p in Qw . Let ti be the input transition of pi . i 2. Then pj1 and pj2 are in structural mutual exclusion. . k) =⇒ M ∈ M(w.. k) be an unweighted mutual exclusion constraint. k). M0 be a live and bounded MG system. t.e. i.1 Model 1: Monitor-based Controller Definition 7. k) else M ∈ M(w2 . k)}. 3. i Proof: Follows from the definition of control safe place. to the output transition of pi . in the sense that will allow us to derive other control structures. k). based solely on the net structure. M0 be a MG system. .e. Then: if M (pj2 ) > 0 then M (pj1 ) = 0. they will never be marked simultaneously. and pi a control safe place of N . Let N. i. pr } be a set of control safe places of N and assume that r =| Qw |= k + 1. (w2 . . k). . Assume that pj1 ∈ Qw is in the control subnet of place pj2 ∈ Qw . where: wi (p) = 0 if p = pj1 else wi (p) = w(p). k). Let N. k). w ≤ 1. Let Qw = {p1 . tni } be the set of control transitions for ti and to be the output transition of pi . i.4 and Section 7.5. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS It is possible to check for control safeness of a place. Let N. In the next section we will assume. Proof: Trivially M(w. t. It will permit a simplification of the problem. M (pi ) + DM (pi ) = 1 ⇐⇒ (∀t ∈ Ai )[td(M. 76 Proposition 7. i. assume M ∈ M(w1 .4 Fully Compiled Models In this section we present two different ways of enforcing a GMEC on MG systems with control safe places. Hence M(w. k) ∩ M(w2 .9. Then ∀M ∈ R(N. The restriction that the places in Qw be control safe has a similar purpose. . the corresponding control structure is a net system as well.. . . k). k). The i i i monitor that enforces this constraint consists of a place S to be added to the original net with arcs as follows: . p belongs to the control subnet of another place p in Qw . We have seen that if the net is safe there exists a monitor-based solution to any GMEC. k) = M(w1 . M (pi ) + DM (pi ) ≤ 1.7. defined on it. to ) = 1]. by the hypothesis that their are control safe. Proposition 7.e. We assume that M0 ∈ Mc (w. A place pi is control safe if and only if ∀t ∈ Ai there exists a cycle that contains pi and t and this cycle is marked with a single token. even if not all transitions are controllable. We discuss a particular case that may arise for a given constraint (w. k) ∩ M(w2 . (∀t ∈ Ai )[td(M.10. To prove the reverse inclusion. k) =⇒ M ∈ M(w.. M0 ): 1. M0 be a MG system and (w. to ) ≤ 1]. Given a GMEC (w. without loss of generality.. and M ∈ M(w1 . we will assume that the places in Qw are control safe.e. the constraint (w. . k). with i ni =|Ai|. Given pi ∈ Qw let Ai = {t1 .4. 7. 7. k) ⊆ M(w1 . k · 1) = {(w1 . k) ∩ M(w2 . The idea here is that to check whether a place pi ∈ Qw may be marked by a firing sequence of uncontrollable transitions we need to check only how many firings of transitions in Ai have occurred.CHAPTER 7. The different solutions are shown in Section 7. and Ai the set of control transitions of ti . k) is equivalent to the set of constraints (W. Both solutions are fully compiled.

. E.e. .10 are the only illegal markings for unweighted constraints of this kind. The previous construction may not be used. Example 7. i which by Proposition 7. k) of this form may be enforced by adding several monitors.g. • P ost(S. t) = 0. a transition t will be selflooped if ∃i. We have added a place S to the original system with the arcs shown in dotted lines.. . • P re(S. The previous definition assume that no transition will be selflooped with the monitor place. However the original constraint may be rewritten as a set of constraints according to the following proposition. Assume now (w. is such that |Qw |> k + 1. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 77 Figure 7.11 we want to enforce the constraint M (p1 ) + M (p2 ) + M (p3 ) ≤ 2 over the net in Figure 7. to ) = 0} | i i.CHAPTER 7. t.11: Example of monitor. j t = to ∧ t ∈ Aj . t.7 enforces the maximally permissible policy that ensures that the constraint (w. s counts the number of control transitions that must fire prior to the marking of all places in Qw . It is easy to see that a monitor constructed as in Definition 7. t) = ni if t = to else P ost(S. In Figure 7.10. k) will be satisfied. . to ) = 1]. A set of constraints (W. t) = 1 if t ∈ Ai else P re(S. t) = 0.. In this case we need to eliminate i the arcs in selfloop from the pre-incidence and post-incidence matrices. r)(∀t ∈ Ai )[td(M. k). . with w ≤ 1. i The initial marking will assign s − 1 tokens to place S where s =| {t | t ∈ Ai ∧ td(M0 .10. In fact the monitor prevents only transition firings that lead to all markings M such that (∀i = 1.

p1 . pr . . Proof: (⊆) is trivial. |Qw |= k + 1}. p2 . pr } be a set of control safe places. t) = 1 if t = to else P reS (pi . tni } be the set of control transitions for ti and to be the output transition of pi . . . k). We assume that M0 ∈ Mc (w. . GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 78 Proposition 7.2 Model 2: Compiled Supervisor In this section we consider a net supervisor. k).4.e. Definition 7. . k) be a GMEC. k) = M(w .11. t) = 0. k) marks at most k places in Qw . Let us prove (⊇). • P reS and P ostS are such that: – P reS (p0 . t) = 0. where Ik+1 = {w ∈ {0. – P ostS (pi . The previous proposition shows that the unweighted constraint (w. ∪ Ar ∪ Ar ∪ {to . . otherwise there exists w ∈ Ik+1 Qw ⊆ {p | M (p) > 0} and M ∈ M(w . . k). The i i i compiled supervisor that enforces this constraint is S = (PS . t) = 0. i – P reS (pi . i. with w ≤ 1. and |Qw |> k + 1. t) = ni − 1 if t ∈ Ai else P reS (pi .. t) = 1 if t ∈ Ai else P ostS (pi . k). TS . k) | w ∈ Ik+1 }. 1}P | w ≤ w. – P ostS (pi . Clearly M ∈ M(w . k) =⇒ M ∈ M(w. The control pattern is implicit in the transition structure of the supervisor. pr }. Let w ∈ Ik+1 . We have proved in Theorem 7. Let Qw = {p1 . be a weight vector whose support contains all the places marked by M . . t) = w(pi ) if t ∈ Ai else P reS (p0 . p1 . However the problem is that there are different subsets k+1 of Qw of cardinality k + 1. Any marking M ∈ 7. i – P reS (pi . explicitly rewriting the set of unweighted constraints equivalent to the single weighted constraint. t) = 0. k). . . Let N. – P ostS (p0 . t) = 0. t) = 0. The monitor based construction may also be used. . . with w ≤ 1 and |Qw|> k + 1. Given pi ∈ Qw let Ai = {t1 . . t) = ni − 1 if t = to else P ostS (pi . Then. t) = 0. P reS . p1 .CHAPTER 7. i – P ostS (pi . hence may be |Qw| enforced by a set of monitors. . pr . when the weight of the places is not unitary. to } where Ai and Ai are sets of transitions r 1 synchronized with Ai . t) = 1 if t ∈ Ai else P ostS (pi . . M(w. Thus in the worst case the number of monitors is exponential with respect to the cardinality of Qw . t) = w(pi ) if t = to else P ostS (p0 . specifies which controllable transitions are allowed to fire. . k · 1) = {(w . . M0 be a MG system and (w. in the sense that a controllable transition that belongs to the supervisor structure is enabled by the control pattern if and only if it is enabled by the marking of the supervisor net. Let (w.1 that this is always possible for the class of nets considered here.8. P ostS ) with: • PS = {p0 . t) = 0. w ∈Ik+1 w ∈Ik+1 M(w . We assume that the supervisor observes the execution of the unconstrained system and at any given instant provides a control pattern. • TS = A1 ∪ A1 ∪ A2 . k) be a mutual exclusion constraint. capable of enforcing a set of GMEC. . is equivalent to the set of constraints (W. – P reS (pi . . t) = 1 if t ∈ Ai else P reS (pi .

In Figure 7. . . to ) = 0} | −1 else [M0 i i 0 i S S ∧M0 (pi ) = ni − 1 − M0 (pi ) S ∧M0 (pi ) = 0].8 enforces the required maximally permissible policy. k) = {(w1 . . • (∀i = j) Ai ∩ Aj = ∅.12: Example of compiled supervisor. since if a transition in Ai is enabled. the corresponding transition in Ai is not. . GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 79 Figure 7. the corresponding transition in Ai or Ai will fire. . If this is not the case. . ki ). . . and conversely. (wm . we need to slightly change the structure of the supervisor by merging the transitions of Ai and Ai in common with Aj and Aj We want to show that the supervisor constructed according to Definition 7. . Whenever the system executes a transition t ∈ Ai . Note that the behavior is deterministic. ¯ In the case of a set of constraints (W. . . that the supervisor enforces the required policy. S and M0 (p0 ) = k − r S i=1 w(pi )M0 (pi ). . r)[M (pi ) + DM (pi ) = M S (pi )]. ∀i = 1. say Si1 and Si2 . k1 ).10. if [M0 (pi ) + DM0 (pi ) = 1] S S S then [M0 (pi ) = M0 (pi ) = 0 ∧ M0 (pi ) = 1] S (p ) =| {t ∈ A | td(M . it will be enabled by the control pattern if and only if it is enabled on both Si1 and Si2 . For the computation of the control pattern. If ni = 1 we may remove the places pi and pi and the set of transitions Ai . Example 7.12 we show the supervisor that may be used to enforce the constraint w(p1 )M (p1 ) + w(p2 )M (p2 ) + w(p3 )M (p3 ) ≤ k over the net shown in Figure 7. km )} we need to construct a supervisor for each single constraint (wi . In the example in Figure 7. . r) ni > 1. Should a controllable transition belong to more that one supervisor.12 we have represented the set of parallel transitions Ai and Ai as a single transition. a transition in Ai is enabled by the control pattern if the corresponding transition in Ai or in Ai is enabled. In the previous definition we have assumed that: • (∀i = 1. S The initial marking of S is M0 such that. r. . . t. We note first that given a marking M of the system and a corresponding marking M S of the supervisor we have that (∀i = 1.CHAPTER 7. by i=1 Proposition 7. . Since the place p0 is enforcing the constraint r w(pi )M S (pi ) ≤ k we have.11. .8.

t) = 0.5. . i – P ostS (pi . t) = w(pi ) if t = πi else P reS (p0 . pr }. . . t) = ni if t = to else P reS (pi . We assume that M0 ∈ Mc (w. pr . r. . – P ostS (p0 . if [M0 (pi ) + DM0 (pi ) = 1] S S S then [M0 (pi ) = M0 (pi ) = 0 ∧ M0 (pi ) = ni ] S (p ) = 1 else [M0 i S ∧M0 (pi ) =| {t ∈ Ai | td(M0 . t) = ni − 1 if t = to i else [P ostS (pi . . . . . t) = 0. t) = 1 if t = πi else P reS (pi .13 we show the supervisor that may be used to enforce the constraint w(p1 )M (p1 ) + w(p2 )M (p2 ) + w(p3 )M (p3 ) ≤ k over the net shown in Figure 7. t) = 1 if t = to else P ostS (pi . Example 7. p2 . i – P reS (pi . pr . pr } be a set of control safe places. Given pi ∈ Qw let Ai = {t1 . For instance we may avoid repeating the set of transitions Ai .1 Model 3: Non-Deterministic Partially Compiled Supervisor Definition 7. We will not discuss these modifications. . • TS = A1 ∪ A2 ∪ . However we need to add additional control structure by introducing transitions with an associated interpretation. . . This partially destroys the possibility of analyzing the net with traditional PN techniques. πr } where each πi is a transition to r 1 which a predicate is associated.5 Partially Compiled Models The net structure of the supervisor may be further simplified. P reS . • P reS and P ostS are such that: – P reS (p0 . The firing of transition πi will allow place pi to be marked. to ) = 0} | −1 i S S S ∧M0 (pi ) = ni − M0 (pi ) − M0 (pi )]. p1 . t) = 0. . . M0 be a MG system and (w. . is that the “partially interpreted” supervisors that we discuss here may be easily modified to enforce constraints on any kind of MG system. t) = 0. p1 . where J = {i | M0 (pi ) = 0}.12. ∀i = 1. t) = 0]. . . TS . t) = 0. S The initial marking of S is M0 such that. to } ∪ {π1 . S S and M0 (p0 ) = k − j∈J w(pi ). t) = 1 if t ∈ Ai else P reS (pi . t) = w(pi ) if t = to else P ostS (p0 . – P ostS (pi . . . Let N. The predicate associated to the transitions πi are used to implement the control policy. however. p1 . ∪ Ar ∪ {to . GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 80 7. k). . . t) = 0. . – P ostS (pi . In Figure 7. π2 .CHAPTER 7. k) be a GMEC. t) = 1 if t ∈ Ai else P ostS (pi . . t) = 0. Let Qw = {p1 . . The advantage.9. P ostS ) with: • PS = {p0 .10. – P reS (pi . i – P reS (pi . The noni i i deterministic partially compiled supervisor that enforces this constraint is S = (PS . . 7. . tni } be the set of control transitions for ti and to be the output transition of pi . . t) = 1 if t = πi else P ostS (pi . t. .

P reS . Since the place p0 is enforcing the constraint i∈J w(pi ) ≤ k. P ostS ) with: • PS = {p0 . . . if two or more control transitions may fire simultaneously. given a marking M of the system and a corresponding marking M S of the supervisor we have that (∀i = 1. p1 . pr } be a set of control safe places. t) = 1 if t ∈ Ai else P ostS (pi . . . tni } be the set of control transitions for ti and to be the output transition of pi . – P reS (pi . t) = 0]. . Let Qw = {p1 . π1 . t) = 1 if t = πi else P reS (p0 . . Let N. . p2 . • TS = A1 ∪ A2 ∪ . . . t) = 1 if [t = to or t = πi ] else P ostS (p0 . . r)[M (pi ) + DM (pi ) = 1 ⇐⇒ M S (pi ) = ni ]. i – P ostS (pi . – P ostS (p0 . We assume that M0 ∈ Mc (w. . Given pi ∈ Qw let Ai = {t1 . – P ostS (pi . by Proposition 7.CHAPTER 7. t) = 0. with J = {i | M S (pi ) + M S (pi ) = ni }. t) = 0. t) = 0. π2 .8. In fact. t) = 0. ∪ Ar ∪ {to . t) = 1 if t = πi else P ostS (pi . we have. k) be a GMEC. . k). t) = ni − 1 if t = to i else [P ostS (pi . TS .5. • P reS and P ostS are such that: – P reS (p0 . .10. . . πr } where πi and πi are r 1 transitions to which a predicate is associated. . πr . pr . The deteri i i ministic partially compiled supervisor that enforces this constraint is S = (PS . pr }. t) = 1 if t ∈ Ai else P reS (pi . t) = ni if t = to else P reS (pi . . . The supervisor has been called non-deterministic because we decide a priori which place in Qw will be allowed to be marked. p1 . . .9 will permit the system to reach only legal markings.2 Model 4: Deterministic Partially Compiled Supervisor Definition 7. M0 be a MG system and (w. as shown in [Krogh 91]. . . i – P reS (pi . . t) = 0. to } ∪ {π1 . that the supervisor will allow only legal markings to be reached. . The supervisor constructed according to Definition 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 81 Figure 7. . .13: Example of non-deterministic partially compiled supervisor. This control policy is also maximally permissible. . 7.

that affect only the value of the predicates π1 and π1 . . t. The predicate associated to the transitions π1 and π1 are used to implement the control policy. 7.2 for nets with only controllable transitions. It is difficult to show that this supervisor is actually implementing the maximally permissible control policy because of the predicates associated to the transitions πi and πi . Then: • πi = TRUE if [M (pi ) + M (pi ) = ni − 1] ∧ [v + w(pi ) ≤ k] else πi = FALSE. . . S S and M0 (p0 ) = r− | {i | M0 (pi ) = ni } |. S The initial marking of S is M0 such that. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 82 Figure 7. we have that (∀i = 1. ∀i = 1. r.14: Example of deterministic partially compiled supervisor. • πi = TRUE if [M (pi ) + M (pi ) = ni ] ∧ [v + w(pi ) > k] else πi = FALSE. . . .6 Comparison of the Models The monitor-based controller is an extension to systems with uncontrollable transitions of the controller studied in Section 7. Note however that given a marking M of the system and a corresponding marking M S of the supervisor.13. Example 7. Thus all the structural properties of monitors may be used to analyze the system under control. .CHAPTER 7. .10. The transitions πi will remove the token necessary to reach M S (pi ) = ni whenever the marking of place pi would violate the constraint. Note that the structure of the supervisor does not depend on the weight vector w and on the integer k. In Figure 7. r)[M (pi ) + DM (pi ) = 1 ⇐⇒ M S (pi ) = ni ].14 we show the supervisor that may be used to enforce the constraint w(p1 )M (p1 ) + w(p2 )M (p2 ) + w(p3 )M (p3 ) ≤ k over the net shown in Figure 7. However. if [M0 (pi ) + DM0 (pi ) = 1] S S then [M0 (pi ) = 0 ∧ M0 (pi ) = ni ] S else M0 (pi ) =| {t ∈ Ai | td(M0 . it is the simpler and most straightforward solution. Let J = {i | M (pi ) = ni } and let v = i∈J w(pi ). to ) = 0} | −1 i S S ∧M0 (pi ) = ni − M0 (pi )]. The drawback is that it may require an exceedingly large number of monitors. . in those cases in which it may be used efficiently.

we have proved that GMEC may always be enforced by monitors. Thus it is at the same time the simpler model to implement and the most difficult to analyze. marked graphs with control safe places. even in the presence of uncontrollable transitions. we compared a monitor-based solution of mutual exclusion problems with several supervisory based solutions. These specifications on a net system where all transitions are controllable may be easily enforced by a set of places called monitors. The deterministic partially compiled supervisor has the simpler structure but its behavior strongly depends on the predicates associated to the transitions. For one of these particular classes. since the structure of the supervisor ensures that only legal markings may be reached. as suggested in [Krogh 91]. since it requires all control transitions to be represented twice. For some classes of nets.7 Conclusions We have presented and studied a class of specifications. The non-deterministic partially compiled supervisor implements a policy slightly different from all other models. it leads to a closed-loop model which is difficult to analyze. 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 83 The compiled supervisor has the advantage of always requiring a compact structure that grows linearly with the number of places in the support of the weight vector.CHAPTER 7. This policy is the same derived by Holloway and Krogh [Holloway 92a]. The predicates associated to the transitions may be used to implement different run-time policies. we have shown that this technique is not always applicable when some of the transitions of the net are uncontrollable. called generalized mutual exclusion constraints. However our model does not require on-line computation. . However. Unfortunately.

1.1 Petri Net Languages for Supervisory Control We have explored the closure properties of Petri net languages under the operators used in Supervisory Control: prefix closure. The original contributions consist of four major parts.Chapter 8 CONCLUSIONS AND FUTURE RESEARCH 8. The marked behavior 84 . we have given necessary and sufficient conditions for the existence of Petri net supervisors when the system’s behavior and the legal behavior are deterministic Petri net languages. we use Petri net models to represent not only the system under control but the supervisor as well. b) deterministic.1 Original Contributions The thesis has discussed the use of Petri nets as discrete event models for Supervisory Control. 3. 2. the class LDP is not closed under intersection. If we restrict ourselves to the use of bounded or conservative PN models. c) controllable. and supremal controllable sublanguage. but now not all control problems may be solved by a Petri net supervisor. We have also defined a new class of Petri net languages. Validation of Petri net supervisors. we may consider unbounded Petri net models. Ushio 89]. we face a trade-off. In fact. The closed behavior L(G) of system G may be restricted to a legal behavior L ⊆ L(G) if and only if L is: a) a prefix Petri net language. Unlike all other known classes of Petri net languages. As a final result. called DP-closed languages and denoted LDP . we are sure to have a Petri net supervisor for any given control problem. 8.1. The languages in this class are those L-type Petri net languages (terminal Petri net languages) whose prefix language is a P-type Petri net language (prefix Petri net language). Petri net languages for Supervisory Control. Efficient construction of control structure. The approach we have followed is different from previous Petri net based approaches [Holloway 90. Thus. Our results show that Petri net languages are not closed under these operators. If we want to use of the full language power of Petri nets models. which have a finite reachability set and generate regular languages. It was known from previous work [Wonham 87] that regular languages are closed under these operators. 4. Design of supervisors.

in order to guarantee some important properties. This composition may be easily performed. The class of Elementary Composed State Machines can model both choice and concurrent behavior. showing the advantages of using Petri nets for the design of supervisors. ECSM nets are nets obtained by concurrent composition of state machine modules. 8.1. b) compositions of nets along a set of simple paths that are looped in one of the nets. We have also compared Petri nets and state machines models.3 Validation of Petri Net Supervisors A well known Petri net analysis technique is based on the incidence matrix analysis. the generator constructed in the first step of the algorithm is refined to obtain a nonblocking and controllable generator. by introducing new arcs and possibly duplicating transitions. the modular structure of the net is preserved. the same finite procedure may be used to compose nets with finite or infinite reachability sets. we have discussed how to refine a coarse structure for a supervisor. these inequalities are obtained by the computation of the basic traps of the state machine modules that compose an ECSM. The final Petri net model represents a closed loop model of the controlled system in which it is still possible to identify the composed modules. We have also discussed the difference of our approach with respect to other classical methods based on incidence matrix analysis. We restrict the type of compositions considered. we have presented a design based on the concurrent composition operator. Since the composition is performed on the structure of the net. In particular. using Petri net models. showing how to derive a set of linear inequalities that exactly define the set of reachable markings. . called Elementary Composed State Machine (ECSM) nets.1. b) Lm (G)-closed. We have shown how this approach may be used to validate ECSM supervisors. to avoid reaching undesirable markings. a coarse structure for a supervisor is synthesized by means of concurrent composition of different modules. and by the firing bounds of the composed transitions. by merging transitions labeled by the same symbols. In this refinement. representing the system and the specifications we want to enforce on the system’s behavior. This procedure may always be applied when the net is conservative.CHAPTER 8. as we have seen. We use a set of linear inequalities to define the reachability set. may be studied by Integer Programming techniques. as formulated in [Wonham 88a]. These properties may be easily expressed in term of net properties. 8. Important properties of the net. such as the absence of blocking states or controllability.. We have defined a class of P/T net. In the first step. This design is well suited for Petri nets models. We have studied how this technique may be used to validate supervisors obtained by concurrent composition of several modules. The design requires two steps. but in some cases it may be necessary to introduce a large number of transitions. c) controllable. CONCLUSIONS AND FUTURE RESEARCH 85 Lm (G) of system G may be restricted to a legal behavior L ⊆ Lm (G) if and only if L is: a) a DP-closed Petri net language. The generator constructed in the first step of the algorithm will be a proper supervisor if it is nonblocking and if the language it generates is controllable. The two basic compositions are: a) compositions of nets along a simple path. In the second step.2 Supervisory Design Based on the monolithic supervisory design.

rather than in {0. On the other hand. A GMEC limits a weighted sum of tokens contained in a subset of places. since it does not require separate on-line computation. i. structure theory of Petri nets may be used to prove.. shared among different processes. A solution to this problem has been given by Holloway and Krogh [Krogh 91]. CONCLUSIONS AND FUTURE RESEARCH 86 8. the corresponding supervisor is represented by a P/T net. called generalized mutual exclusion constraints (GMEC). Unfortunately. Zhou 91]. An equivalence notion among GMEC has been introduced and studied from the point of view of structural net theory. The advantages of fully compiling the supervisor action in a net structure are: • The computation of the control action is faster. to compare and simplify GMEC. respectively. the complexity of enforcing a GMEC is enhanced by the presence of uncontrollable transitions. i. In this context. the corresponding supervisor is given as an interpreted net in which the firing of some transitions depends not only on the marking of the net but on the value of some boolean expressions as well. To enforce a given GMEC. Moreover.e. In the framework of Supervisory Control.. a place whose initial marking represents the available units of a resource and whose outgoing and incoming transitions represent. others are partially compiled. Some of these models are fully compiled. transitions that may be observed but not prevented from firing by a control agent.CHAPTER 8. containing all those markings from which a forbidden one may be reached by firing a sequence of uncontrollable transitions. The goal is that of constructing a supervisor capable of enforcing the constraints.4 Efficient Construction of Control Structure We have presented and studied a class of specifications for Petri net models. in this case we have proven that the set of legal markings cannot always be represented by a linear domain in the marking space.. all markings that do not satisfy the constraint are called forbidden. we have discussed GMEC for systems represented as marked graphs with control safe places. partially compiled models are more flexible in the sense that some interpretations may be used to implement complex control policies. i. the acquisition and release of units of the resource. it is necessary to prevent the system from reaching a superset of the forbidden markings. A single GMEC may be easily implemented by a monitor. that may be used to express the concurrent use of a finite number of resources. • A closed-loop model of the system under control may be built with standard net composition constructions and analyzed for properties of interest. i. GMEC are a mild generalization of mutual exclusion constraints considered by other authors [Krogh 91. • The same Petri net system execution algorithms may be used for both the original system and the supervisor. the control policy is efficiently computed by an on-line controller as a feedback function of the marking of the system. We have studied..e. that the system under control enjoys the properties. 1}. whose corresponding net structure may be exceedingly large.e.1. thus there exist problems which do not have a “monitor-based” solution. which may be defined as fully interpreted. . In their approach. instead.e. due to the fact that the weights we consider are defined in I . without an exhaustive state space search. We have presented a methodology. N based on linear algebraic techniques. how a net structure for the supervisor may be constructed. We have discussed and compared several solutions.

sequencing specifications [Holloway 92b]. it may be interesting to consider the composition Macroplace/Macrotransition nets [Jungnitz 92].3 Validation of Petri Net Supervisors Extend the method used to study the reachability set of ECSM to a larger class of nets. the method may be extended to other types of compositions.2. In particular. and derive the corresponding supervisor using a structural based approach. Here the use of interpreted nets should prove a key factor in deriving a simple supervisory structure. Additionally. CONCLUSIONS AND FUTURE RESEARCH 87 8.CHAPTER 8. .2..g.4 Efficient Construction of Control Structure Derive the supervisory structure for enforcing GMEC on classes of nets more general than control safe place marked graphs.1 Petri Net Languages for Supervisory Control Find a characterization of the class LDP in terms of some pumping lemma. We give a list of the problems that may be addressed in the future. Consider classes of specification different from GMEC. 8.2 Future Research It may be possible to extend this research in several parts. rather than on its reachability tree. this may permit the refinement of nets with infinite reachability set in all those cases in which the refined model may be given as a Petri net. following the approach presented by [Koh 92] where the composition of partially overlapping paths is considered. which are a superset of state machines.2. 8. or other particular properties of these languages.2. Characterize the class of nonregular Petri net languages that are closed under the supremal controllable sublanguage operator. Since the coverability tree is always finite. e. 8.2 Supervisory Design Determine a refinement procedure based on the coverability tree of a Petri net. 8.

1986. 17. 88 [Avrunin 91] [Baker 72] [Baker 73] [Banaszak 90] [Beck 86] [Berthelot 86] [Berthelot 87] [Berthomieu 87] [Best 86] [Best 91] . Man. G.” IEEE Trans. 85. Berthelot. 19–40. Reisig and G. 487–506. Banaszak.H. Vol. J. RA-6. 1986.” Advances in Petri Nets 1985. J. 1204–1222. E.L Beck. Springer-Verlag. 254-I. Laboratoire d’Automatique et d’Analyse des Systèmes du CNR (Toulouse. und Datenverarbeitung. “A Boolean Model for a Class of Discrete Event Systems. Massachusetts). G. Springer-Verlag. Jr.” Arbeitspapiere der Gesellschaft für Math. pp. 1972. “Notation and Terminology on Petri Net Theory. 1973.” IEEE Int. Baker. Massachusetts Institute of Technology (Cambridge. “Checking Properties of Nets Using Transformations. Software Engineering. “Methods for Carrying Proofs on Petri Nets Using their Structural Properties. on Robotics and Automation. Massachusetts). and Cybernetics. “Petri Nets and Languages.” Computation Structures Group Memo 68. Massachusetts Institute of Technology (Cambridge.). Fernández. January. pp. 1974.K. 195. Project MAC.” IEEE Trans. 6. pp. on Systems. No. B. Aveyard. Advances in Petri Nets 1986. 1991. Vol. Jr.” Master’s thesis.” Technical Report. C. W. May.A.S. Baker. Rozenberg (ed. 3.A.). November. of Electrical Engineering. Robotics and Automation. Wileden. December. Avrunin. France). 1986. “Automated Analysis of Concurrent Systems with the Constrained Expression Toolset. Vol. Corbett. 724–734.” Petri Nets: Central Models and Their Properties. pp. No. Vol. C. “Deadlock Avoidance in Flexible Manufacturing Systems with Concurrently Competing Process Flows. Z.H. Krogh. Best. “Transformations and Decompositions of Nets. L. W. 249– 258. 1987. Conf..). SMC-4. Best. Lecture Notes in Computer Sciences. Springer-Verlag. B. Buy. 1990. pp.C. Berthomieu. No. Dept.Bibliography [Aveyard 74] R. Lecture Notes in Computer Sciences. 1991. Brauer. H. G. 1987. U. 305–310. Dillon. Berthelot. “Design Methods Based on Nets: Esprit Basic Research Action DEMON” Advances in Petri nets. B. Rosenberg (eds. “Models for Simulation and Discrete Control of Manufacturing Systems.” IEEE Trans. May. pp. Vol. H. Rosenberg (ed. “Equivalence Problems of Petri Nets. 359–376. Krogh.. May.L. G. 1990. E. April. G. 11. pp. No.C.

March. 3. “Supervisory Control of Discrete-Event Processes with Partial Observations.” IEEE Trans. 1991. 1991. Fanni. M. S.” Tesis Doctoral. Heymann. “Análisis Estructural de Redes de Petri. Cieslak. on Decision and Control (Brighton. Vol. J. “Ergodicity and Throughput Bounds of Petri Nets with Unique Consistent Firing Count Vector. pp. 1991. L. A. S. Dept. 1101–1117.” IEEE Trans. Lafortune. Simone. “Easy Synchronized Petri Nets as Discrete Event Models. Springer-Verlag. Girault and W. on Automatic Control. IEEE Int. pp. No. Rensselaer Polytechnic Institute (Troy. C. December. “Milner’s Communicating Systems and Petri Nets. Rozenberg (eds. F. Pomello.” to appear in IEEE Trans. 1991. pp. Datta. De Michelis.). Vol. Conf. pp. Varaiya. April.” Application and Theory of Petri Nets. “Synthesis of a Class of Deadlock-Free Petri Nets. Chiola. “Dealing with Blocking in Supervisory Control of Discrete Event Systems. Gosh. Conf. S. Springer-Verlag. “Stabilization of Discrete-Event Processes. 1989. pp.” Proc. 1990. De Cindio. 241. G. pp. England). Desrochers. No. Springer-Verlag. F. F. 1987. Pomello. Control. pp. A. “Supervisory Design Using Petri Nets. R. Goos and J. Datta. New York). Desclaux. C. No. Giua.” Master’s Thesis. DiCesare. SE-17. pp. “Modular Synthesis of Deadlock-Free Control Structures. [Cieslak 91] [Chen 91] [Colom 89] [Crockett 87] [Datta 84] [Datta 86] [De Cindio 82] [De Cindio 83] [DiCesare 91] [Giua 90a] [Giua 90b] [Giua 91] . Campos. 58. Vol. G. 40– 59. A. on Robotics and Automation (Raleigh. 1861–1867. 2–47. Pagnoni and G. No. 486-506. J. F. on Decision and Control (Honolulu. 249–260. Giua. Hawaii). Silva. Reisig (eds. pp. DiCesare. Vol. Giua. M. on Software Engineering. D. pp. AC-33. 269–279.M. 288– 318.” Proc.K. A. T. F. Hartmanis (eds. Spain). 29th IEEE Int. C. Vol.” Ricerca Operativa. De Cindio. “Superposed Automata Nets. A. “Petri Net Languages for the Control of Discrete Event Systems. “Implementation of a Petri Net Controller for a Machining Workstation. A. G.” Jour. 52. Universidad de Zaragoza (Zaragoza. of the Association for Computing Machinery. 30th IEEE Int. 50. 1990. 1984. G. Chen. Gosh. 2. Simone. P. E. February. December. L. Electrical Computer and Systems Engineering. 3. on Automatic Control.” Application and Theory of Petri Nets. Giua.S. A.” Int. Brave. F. 1983. 385–390. 1991.). 51. Crockett. Ward. DiCesare. July. 1990.BIBLIOGRAPHY [Brave 90] [Campos 91] 89 Y. Programación Lineal y Geometria Convexa. Informatik-Fachberichte. J. 117–125.1986. DiCesare.). 2839–2844.” Foundation of Software Technology and Theoretical Computer Science. pp. A. “Controllo dei sistemi ad eventi discreti mediante reti di Petri.” Proc. Colom.K. C. Fawaz. Conf. Informatik-Fachberichte. No. 1982. 66. Vol. A. Vol. De Michelis. North Carolina). 31. A.

pp. Conf. Boudreaux (Eds. December. June. Holloway. pp. Krogh. Silva. Massachusetts Institute of Technology (Cambridge. 1992. 56–68.” Ph. 1990. Massachusetts Institute of Technology (Cambridge. on Decision and Control (Austin.” will appear in Programming Environments for Computer Integrated Manufacturing.E. 1975. Hossain. 5. “Extended State Machine Allocatable Nets.H. May. Illinois). Holloway. Conf. Project MAC. Giua. Gruver and J. Project MAC. on Systems. “Generalized Mutual Exclusion Constraints for Petri Nets with Uncontrollable Transitions. A. “On the Existence of Petri Nets Supervisors. A. Vol.A. Giua. 1992. L. 1992. December. M. Hack. DiCesare. Arizona). and Cybernetics (Chicago. 1990. B. Hack. pp.H. 514–523. F. New York). 1992 IEEE Int. COM-31. Massachusetts). pp.” IEEE Trans.E. M. “Mutual Exclusion Problems for Discrete Event Systems with Shared Events.” IEEE Trans. 1972. on Computer Integrated Manufacturing (Troy.C.H.” Technical Report 94. Krogh. DiCesare. “Petri Net Incidence Matrix Analysis for Supervisory Control. 5.” Computation Structures Group Memo 781. P. Texas). 1992.” IEEE Trans. F. M. of Electrical Engineering. DiCesare. Owicki. June. B.” Working Paper. 1992. on Communication. Heymann. IEEE 27th Int. No. F. 1.T.” Proc. F.” IEEE Control Systems Magazine. Dept. dissertation. “Analysis of Production Schemata by Petri Nets. 242–251. pp. M. January. Hailpern. Hack. “Decidability Questions for Petri Nets. Hack. “On Closed-loop Liveness of Discrete Event Systems Under Maximally Permissible Control. L. 234–239. Ramadge. 1992. C. Giua. on Automatic Control. pp. Golaszewski. “Petri Nets Languages. May.” Computation Structures Group Memo 124. on Automatic Control. 1975. Conf. Massachusetts Institute of Technology (Cambridge. Massachusetts). an Extension of Free Choice Petri Nets Results. AC-35.” 3rd Int. December. February. DiCesare. Conf. Project MAC. Giua. 103–112.J. 1983. Man. October. Massachusetts). No. A.S. “Modular Verification of Computer Communication Protocols. Massachusetts Institute of Technology (Cambridge. May.). 692–697.D. “Concurrency and Discrete Event Control. Holloway. B. M. [Giua 92b] [Giua 92c] [Giua 92d] [Golaszewski 88] [Hack 72] [Hack 74] [Hack 75a] [Hack 75b] [Hailpern 83] [Heymann 90] [Holloway 90] [Holloway 92a] [Holloway 92b] . Springer-Verlag.” will appear in Proc. No. Rensselaer Polytechnic Institute (Troy. W. L. AC-37. “Synthesis of Feedback Control Logic for a Class of Controlled Petri Nets. 1974. Vol. “GRAFCET and Petri Nets in Manufacturing.” submitted to 31th IEEE Int. S. on Decision and Control (Tucson. M. 1988. Vol.BIBLIOGRAPHY [Giua 92a] 90 A. Massachusetts). “Feedback Control for Sequencing Specifications in Controlled Petri Nets. F.E. New York).

pp. AC-33.” Trans. L. Japan). pp. Brauer.B. “Analysis and Control of Discrete Event Systems Represented by Petri Nets. SICE (in Japanese).H. No. Kurzhanski (eds.” Thèse Doctoral. Krogh.” IEEE Trans. Rensselaer Polytechnic Institute (Troy. New York). 1988. Varaiya. JulyAugust. Johnen. “Approximation Methods for Stochastic Petri Nets. Springer-Verlag. 641–651. on Large Scale Systems (Zurich.H. C.” Petri Nets: Central Models and Their Properties. Illinois). Hoare. Thesis. H.BIBLIOGRAPHY [Hoare 85] [Ichikawa 85] 91 C.” Prentice-Hall. IEEE Int. 1985. France). W. “Controlled Petri Nets and Maximally Permissible Feedback Logic. Ichikawa. S. Switzerland). 6. 24. No. Yokoyama. 1114–1119.). A. May. 398–405. Ichikawa. on Robotics and Automation (Philadelphia. Lecture Notes in Control and Information Sciences. on Automatic Control. 1987. “Language Theory of Petri Nets.” Proc. A.H.L Beck. Kurogy. A. No. 1991. July.” Ph. B. E. No. 254-I. 1991. Chen. Université Paris–Sud (Paris. Systemès de Réécriture. 1987. Rosenberg (eds. “ Synthesis of Place/Transition Nets for the Simulation and Control of Manufacturing Systems. “A Transformation Theory for Petri Nets and Their Applications to Manufacturing Automation. September. 1985.E. K. Pennsylvania). pp.” Discrete Events Systems: Models and Applications. 115–134. Krogh. A. Conf. C. Desrochers. 487–490. Rensselaer Polytechnic Institute (Troy. 7. Inan. R. 1987. Springer-Verlag. Holloway.” Proc. I. Vol. 1988.” Proc. 397– 412. Symp. “Finitely Recursive Process Models for Discrete Event Systems. pp. P. Circuits and Systems (Kyoto. 4. AC-35. December. Krogh.). Vol. 317–326. 1992.” Proc. Ichikawa. Varaiya and A.” IEEE Trans. pp. B. B. Hiraishi. P. and Computing (Urbana-Champaign. 27. on Automatic Control. “A Class of Petri Nets That a Necessary and Sufficient Condition for Reachability is Obtainable. pp. 1988. “The Infimal Closed Controllable Superlanguage and Its Application in Supervisory Control. “Communicating Sequential Processes. M. Vol. pp. K. Vol. [Ichikawa 88a] [Ichikawa 88b] [Inan 88] [Johnen 87] [Jantzen 87] [Jungnitz 92] [Kasturia 88] [Koh 92] [Krogh 86] [Krogh 87] [Krogh 91] [Lafortune 90a] . 1988. Jungnitz. August. 4th IFAC/IFORS Symp. Thesis. “Synthesis of Feedback Control Logic for Discrete Manufacturing Systems. Lecture Notes in Computer Sciences. 626– 639. Advances in Petri Nets 1986. “Analyse Algorithmique des Réseaux de Petri: Verification d’Espace d’Accueil. April. E. Vol. 4. New York). IEEE Int.D. A. May. Society of Instrument and Control Engineers. W. 1990. Vol. S. Jantzen. DiCesare. Reisig and G.D. Control. Lafortune. pp.” Ph. 25th Allerton Conf. “Reachability and Control of Discrete Event Systems Represented by Conflict-Free Petri Net. “Real Time Control of Multilevel Manufacturing Systems Using Colored Petri Nets. 1986. K. K. 103. Koh. Hiraishi.” Automatica. Kasturia. April. F. on Communications.

S.S.BIBLIOGRAPHY [Lafortune 90b] [Lafortune 91] 92 S. Vol. December. Milne. No. Rozenberg (ed. Yoo. 26. Vol. “A Calculus of Communicating Systems. 302–321.” Proc. 346–361. “Observability of Discrete Event Dynamic Systems. H. pp. Ostroff. “ Petri Nets: Properties. Lafortune. Vol.M.” Annals of Operations Research. April. F. Peltz. Lin. on Automatic Control.” J. No. Decision and Control (Austin.” Proceedings IEEE.S. 1–8. IE-33. Decision and Control (Austin. ACM.” Proc. 1330–1337. Y. 203–208. T. Lecture Notes in Computer Science 222. pp. 1986. 449–472. 797–806. Özveren. 7. “Decentralized Control and Coordination of DiscreteEvent Systems with Partial Observation. pp. 1988.” Lecture Notes in Computer Science 92. 1977. January. pp.M.). AC-35. Lin. 1988.” IEEE Trans.” Jour. C. of Discrete Event Dynamic Systems. [Li 88] [Lin 88] [Lin 90] [Milne 79] [Milner 80] [Murata 77] [Murata 86] [Murata 89] [Narahari 85] [Ostroff 90a] [Ostroff 90b] [Özveren 90] [Parigot 86] . “A Petri Net-Based Controller for Flexible and Maintainable Sequence Control and its Application in Factory Automation. 4. 1990. J. R. No.” IEEE Control Systems Magazine. 1986. G. T. “Decentralized Control and Coordination of DiscreteEvent Systems. “Circuit Theoretic Analysis and Synthesis of Marked Graphs. F. K. April. Springer-Verlag. pp. Li. Wonham.M. Narahari. pp. 1. “Some Results on Petri net Languages. W. AC-35. on Automatic Control. R. 4. February. pp. 1990. Parigot. Vol. No. No. 1990. A. 4. “Concurrent Processes and Their Syntax. G. TX). AC-35. pp. 1979.” Advances in Petri Nets 1985.” IEEE Trans. “A Petri Net Approach to the Modeling and Analysis of Flexible Manufacturing Systems. Komoda. 7. April. December.” IEEE Trans. on Industrial Electronics. W.” IEEE Trans. No. on Automatic Control. K. 95–102. 12. Haruna. pp. 541–580. pp. E. 400–405. July. Analysis and Applications. T. S. W.M. N. Wonham. No. Lafortune. “A Logical Formalism for the Study of the Finite Behavior of Petri Nets. Y. 1125–1130. 482–485. Ostroff. Lin. Viswanadham. 1989. Wonham. 1985.M. Murata. N. 27th IEEE Conf. Springer-Verlag. 27th IEEE Conf. 1990. on Automatic Control. “On Tolerable and Desirable Behaviors in Supervisory Control of Discrete Event Systems. Vol. “Controllability and Observability in the StateFeedback Control of Discrete-Event Systems. 1990. 3. 1991. Matsumoto. TX). Vol.” IEEE Trans. on Circuits and Systems. July. M. Vol. CAS-24. Milner. W. 1980. June. Wonham.” IEEE Trans. pp. Milner. Willsky. “A logic for Real-Time Discrete Event Processes. December. Murata. pp. Murata. F. Vol. AC-35. J. pp. No. April. PROC-77. 386– 397. Vol. “A Framework for Real-Time Discrete Event Control. 2.

M. J. 1989. 1980. 1989. Springer-Verlag. W. Vol. P. pp. 7th European Workshop on Application and Theory of Petri Nets (Oxford. A. 1981. No. pp. N. Vol. P. Springer-Verlag.. 1885. on Automatic Control. M. Italy). Vol. Reisig.L. Ramadge. No. Silva. Dept. Symposium on Semantics of Concurrent Computation (Evian.M. Salomaa (eds. Control and Optimization. Sheffield City Polytech. pp. Ontario). Pnueli. Toronto (Toronto. 1. “Programmable Logic Controllers and Petri nets: a comparative study.” SIAM Jour.” Discrete Event Systems: Models and Applications.A. “Petri Nets: An Introduction. J. on Low Cost Automation (Milan. IFAC Int. Vol. 7th Int. Analysis and Optimization of Systems (Antibes. pp. Pergamon Press. AC-34. S. 224–237. Rozenberg and A. 4. Peterson. 1989.” Digital Processes.). 25.M. Ramadge.M. pp. November. 1983. “Supervisory Control of a Class of DiscreteEvent Processes. 1. Symp. Lecture Notes in Computer Science 70. 1988. Vol. Puente and Ferrate (Eds. “Infinitary Languages of Petri Nets and Logical Sentences. M.). “Logic Controllers. January.” Proc. 1987. Rozenberg ed. G. No. Lecture Notes in Control and Information Sciences. “Control and Supervision of Discrete Event Processes. 103. January.” Proc.” IFAC Conference on Software for Computer Control. “The Temporal Semantics of Concurrent Programs. “Simplification des rèseaux de Petri par elimination des places implicites. Wonham. France). 386– 417. Silva. Varaiya and Kurzhanski (eds.. pp. 10–19.J.J. pp. E. 1986. P.” Proceedings IEEE. “The Control of Discrete Event Systems. 1985. 1989. G.” Proc. Electrical Engineering.” IEEE Trans. Univ. “Modular Supervisory Control of DiscreteEvent Systems. AC. Conf. England). Ed. Madrid. Wonham. “Petri Net Theory and the Modeling of Systems. Springer-Verlag. [Peterson 81] [Pnueli 79] [Ramadge 83] [Ramadge 86] [Ramadge 87] [Ramadge 88] [Ramadge 89a] [Ramadge 89b] [Reisig 85] [Silva 80] [Silva 83] [Silva 85] [Silva 89a] [Silva 89b] . PROC-77. P. pp. Ramadge. pp. M. Silva. P.). January. Spain.” Prentice-Hall. Ramadge. 1983. France).” Ph. Las redes de Petri en la Automatica y la Informatica. Peltz. 6.J. Silva. Ramadge. 206–230. Velilla.BIBLIOGRAPHY [Peltz 86] 93 E. Silva.J. Ramadge. 245–256. 83–88. W. Brauer. W.” EATCS Monographs on Theoretical Computer Science.M. “Some Tractable Supervisory Control Problem for DiscreteEvent Systems Modeled by Büchi Automata. Thesis.” Proc. M.J. pp. Int.D. W. 1–20. Colom. pp. “On the Computation of Structural Synchronic Invariants in P/T Nets” Advances in Petri nets. 1. W. 1988. 1986. 81–98. Wonham. June. 202–214. 69-80.J. 157–165 bis. Springer-Verlag. P. 1979. “Supervisory Control of Discrete Event Systems: A Survey and Some New Results.

J. 1164–1168. May. (to appear) 1992. Texas). 1992. Matsumoto. pp. M.” Proc. M. Vol. Sreenivas. J. Ushio. 2857–2860. New York). 419–422. RA-6. No. AC-34. Control Signals Systems. “On the Control of Discrete-Event Dynamical Systems. 1990. “Modular Supervisory Control of DiscreteEvent Systems.” IEEE Trans. Laub (eds. February. Maimon. W. [Sreenivas 92] [Tadmor 89] [Tsitsiklis 87] [Ushio 88] [Ushio 89] [Ushio 90] [Viswanadham 90] N. pp.” IEEE Trans. Krogh. B.” IEEE Trans. T. 1987. Conf. 29th IEEE Int. Ushio. O. 2. pp. Vol. 1. 27th Int. December. pp. 6.” SIAM Jour. F. 1991. “On The Existence of Finite State Supervisors in Discrete-Event Systems. 713–723. P. Colom. 265–275.” Proc. November.J. G. Narahari. pp. “Parallel and Sequential Mutual Exclusions for Petri Net Modeling of Manufacturing Systems with Shared Resources.” Proc. Conf. “State Feedback and Modular Control Synthesis in Controlled Petri Nets.M. 1.N. on Automatic Control. 1988. M. R. [Wonham 87] W.M. “A Theory for the Synthesis and Augmentation of Petri Nets in Automation. 515–527. 5. No.” Control-Theory and Advanced Technology. RA-7. No.C. P. “On the Controllability of Controlled Petri Nets. Ramadge.” Proc. Tadmor. Silva. December.D.). “Deadlock Prevention and Deadlock Avoidance in Flexible Manufacturing Systems Using Petri Net Models. 11. Thesis. J. W. December. Hawaii). 4. pp. December. T. Campos.” IEEE Trans. No. Denham and A. Viswanadham. 1989. on Robotics and Automation.” Advanced Computing Concepts and Techniques in Control Engineering. “Linear Algebraic Techniques for the Analysis of Petri Nets. 3.J. May.” Math. pp. T. pp. AC-37. 1989. “A Control Theory for Discrete-Event Systems. T.” Ph. Vol. on Mathematical Theory of Networks and Systems. pp.M. No. MITA Press (Tokyo. Ramadge. Decision and Control (Austin. Symp. August. on Robotics and Automation. [Wonham 88a] [Wonham 88b] [Zhou 90] [Zhou 91] . “On the Supremal Controllable Sublanguage of a Given Language. “On Petri Net Models of Infinite State Supervisors. Vol. Y. Johnson. pp. Wonham. on Automatic Control. 3. Wonham. Vol.C. Decision and Control (Honolulu. Vol. 1990. 25. Conf. pp.M. 1988.BIBLIOGRAPHY [Silva 92] 94 M. Decision and Control (Los Angeles.J. 637–659. 274–277. California). R. “Control of Large Discrete Event Systems: Constructive Algorithms. Vol. Japan). Int.J. Rensselaer Polytechnic Institute (Troy. Zhou. 1987. No. Tsitsiklis. DiCesare. 1990. 26th IEEE Int.H. 1988. Zhou. Springer-Verlag. Control and Optimization. No. 13–30. Ushio.S. Wonham. 1502–1507.J. 129–169. September.

The D-type or deadlock language is defined as the set of strings generated by firing sequences that reach a marking at which no transition is enabled... i. • : T → Σ ∪ {λ} is a labeling function that assigns to each transition a label from the alphabet of events Σ or assigns the empty string as a label.e.e. T. • The G-type or covering language or weak language is defined as the set of strings generated by firing sequences that reach a marking M covering a final marking. 95 .e. Peterson 81]: • N = (P. • In a λ-free labeled PN no transition is labeled λ. (∀t. LD (G) = { (σ) | M0 [σ M ∧ (∀t ∈ T )¬M [t }. t ∈ T ) [t = t =⇒ (t) = (t )] and (∀t ∈ T ) [ (t) = λ]. 1 This language is called marked behavior in the framework of Supervisory Control and is denoted Lm (G).. • In a arbitrary labeled PN no restriction is posed on . • F is a finite set of final markings.Appendix A PETRI NET LANGUAGES A. . ∀σ ∈ T ∗ ) [ (σt) = (σ) (t)]. LL (G) = { (σ) | M0 [σ Mf ∈ F }. i. Three different type of labeling functions are usually considered.e. M0 .1 Petri Net Generators A labeled Petri net (or Petri net generator) is a 4-tuple G = (N. • In a free-labeled PN all transitions are labeled distinctly and none is labeled λ. P ost) is a Petri net structure.. • The L-type or terminal language1 is defined as the set of strings generated by firing sequences that reach a final marking. i. F ) where [Jantzen 87. i. The labeling function may be extended to a function : T ∗ → Σ∗ defining: (λ) = λ and (∀t ∈ T. • M0 is an initial marking. Thus we will use the word system to refer to a Petri net generator. LG (G) = { (σ) | M0 [σ M ≥ Mf ∈ F }. We will use Petri net generators to represent discrete event systems. Four languages are associated with G depending on the different notions of terminal strings. P re.

i. D. G f .e.1 is free-labeled.1. deadlock. A. Some of these relations are easily proved. deadlock. prefix) languages generated by λ-free labeled PN generators. LP (G) = { (σ) | M0 [σ }. Example A. The initial marking. prefix) languages generated by arbitrary labeled PN generators. P f ) denotes the class of terminal (resp. . LP (G) = {am | m ≥ 0} ∪ {am cbn | m ≥ n ≥ 0} ∪ {am cbn d | m ≥ n ≥ 0}. • The P-type or prefix language2 is defined as the set of strings generated by any firing sequence. The languages of this system are: LL (G) = {am cbm | m ≥ 0}. The set of final markings is F = {(0010)T }. PETRI NET LANGUAGES 96 Figure A.2 Classes of Petri Net Languages The classes of Petri net languages are denoted as follows. deadlock. P λ ) denotes the class of terminal (resp.1: Free-labeled system G in Example A. Here → represents set inclusion ⊇. The following table shows the relationship among these classes. 2 This language is called closed behavior in the framework of Supervisory Control and is denoted L(G). is M0 = (1000)T . covering. Dλ .. • Lλ (resp. covering. LG (G) = {am cbn | m ≥ n ≥ 0}. G λ .APPENDIX A. • Lf (resp. As an example. G. The system G in Figure A. any P-type language of a generator G may also be obtained as a G-type language defining as a set of final markings F = {0}. LD (G) = {am cbn d | m ≥ n ≥ 0}. also shown in the figure. prefix) languages generated by free-labeled PN generators. Df . • L (resp. P) denotes the class of terminal (resp.1. covering.

1 for the general classes.2 with set of final states F = {(1000)T . Thus Ld will denote the subclass of L generated by deterministic Petri nets. This means that the knowledge of the string generated by the system from the initial marking is sufficient to determine the actual marking of the system. Example A.1: Known relations among classes of Petri net languages. since the two transitions labeled a are both enabled at the initial marking.1 shows that P ⊂ L. . We can then define twelve new classes of PN languages. PETRI NET LANGUAGES Lλ ↓↑ Dλ ↓ Gλ ↓ Pλ → → → → L ↓↑ D ↓ G ↓ P → → → → Lf Df Gf ↓ Pf 97 Table A. (t ) = λ]. M [t ∧ M [t =⇒ [ (t) = (t ). called deterministic P-closed is discussed in Chapter 4. the next example shows that Pd ⊂ Ld . This class. Table A. (0001)T }. we will consider the L − type and P − type language generated by deterministic systems. Here LP (G) = {am | m ≥ 0} ∪ {am cbn | m ≥ n ≥ 0} ∪ {am cbn d | m ≥ n ≥ 0} is a deterministic P − type PN language. A.1 with set of final markings F = {(0001)T }.2. However G is nondeterministic. An arc → represents the set inclusion. In the framework of Supervisory Control. However. etc. It is intuitively clear that no deterministic Petri net may generate LP (G) as a terminal language if F is finite. with t = t and ∀M ∈ R(N. (0010)T .2. For each of the previously defined classes we will denote with the subscript d the corresponding deterministic subclass. (t) = λ. t ∈ T .3 Deterministic Languages A PN generator G is deterministic if the labeling function and the behavior of G are such that ∀t. A new subclass of L. We want to construct a new system G such that LL (G ) = LP (G). will play a major role in deriving necessary and sufficient conditions for the existence of supervisors represented as deterministic Petri net generators. Consider again the deterministic system G in Figure A.2: Nondeterministic system G in Example A.APPENDIX A. denoted LDP . M0 ). The relations among the subclasses of deterministic languages are different from those reported in Table A. Figure A. A possible solution is the system in Figure A.

The class L is closed under: concatenation.APPENDIX A. Let G1 = (N1 . M0. 3 4 The string wR is the reversal of string w. since other operators of interest. Then a labels a transition in T with the same input and output bag of t. 2) be the place set. The class L is not closed under: Kleene star. is the system G = (N. i. Their concurrent composition. F2 ) be two PN generators. prefix closure4 . concurrent composition. denoted also G = G1 G2 . If we consider the class L of PN languages.3. A. Let Pi . 1 . intersection.2 . 2 .2.1 . . Ti and Σi (i = 1. it is possible to prove that L is a strict superset of regular languages and a strict subset of contextsensitive languages.5 Concurrent Composition and System Structure In this section we will review the counterpart of language operators on the structure of a PN generator. P = P1 ∪ P2 . M0. M0 . F1 ) and G2 = (N2 . We will consider only the concurrent composition operator. union. PETRI NET LANGUAGES 98 Figure A. Then m1 × m2 transitions in T will be labeled a. F ) that generates LL (G) = LL (G1 ) LL (G2 ) and LP (G) = LP (G1 ) LP (G2 ). It is possible to prove that L and the class of context-free languages are not commensurable. – Let a ∈ Σ1 \ Σ2 (a ∈ Σ2 \ Σ1 ) be the label of a transition t ∈ T1 (t ∈ T2 ). and the alphabet of Gi . The input (output) bag of each of these transitions is the sum of the input (output) bags of one transition in T1 and of one transition in T2 . A. The structure of G may be determined as follows.e. • The place set P of N is the union of the place sets of N1 and N2 .4 Closure Properties and Relations with Other Classes Parigot and Peltz have defined PN languages as regular languages with the additional capability of determining if a string of parenthesis is well formed. • The transition set T of N and the corresponding labels are computed as follows.. . transition set. In the diagram in Figure A. T T • M0 = [M0. An example of a language that is context-free but is not in L: L = {wwR | w ∈ Σ∗ }3 if |Σ| > 1. – Let a ∈ Σ1 ∩ Σ2 be labeling m1 transitions in T1 and m2 transitions in T2 . An example of a language in L that is not context-free: L = {am bm cm | m ≥ 0}.1 M0.2 ]T . the set L is denoted “L PN languages”. As proved in Section 4. such as the intersection and shuffle operators may be considered as a special case of concurrent composition.3: Relations among the class L and other classes of formal languages.

We will use the following structural notation for composed systems.4: Two systems G1 . denoted P re ↑i . F1 ) and G2 = (N2 .1 .. denoted P ost ↑i . Ti . The composition of more than two systems may computed by repeated application of the procedure for composing two systems. P rei .3. Let N = (P. (i = 1. • The projection of P re on net Ni . Note that while the set of places grows linearly. 2). F ) their concurrent composition. M0. σ be a firing count vector. (i = 1. as the restriction of P re to P ↑i ×T ↑i . (i = 1. Also let M be a marking. i. .4. 2 . P osti ). The initial marking of G is M0 = (1010)T and its set of final markings is F = {(1010)T . and σ a firing sequence defined on net N . 2). T T • F is the cartesian product of F1 and F2 . (i = 1. 2). We define: • The projection of P on net Ni .e. as P ↑i = Pi . M0. F2 ) be two PN generators and G = G1 G2 = (N. Note that T ↑i may be different from Ti . Let G1 = (N1 . PETRI NET LANGUAGES 99 Figure A. 2). as the restriction of P ost to P ↑i ×T ↑i .3. • The projection of T on net Ni . Their concurrent composition G = G1 G2 is also shown in Figure A. (i = 1. Let G1 = (N1 . Here F1 = {(10)T } and F2 = {(10)T . 2). 1 .2 . Example A. (i = 1. P re. M0 . since additional transitions may have been introduced by composing systems in which the same symbol is labeling more than one transition.APPENDIX A. 2). P ost) and Ni = (Pi . as T ↑i = {t ∈ T | (• t ∪ t• ) ∩ P ↑i = ∅}.1 . The projection of M on Ni . F1 ) and G2 = (N2 . F2 ) be two systems in Figure A. (1001)T }. M2 ∈ F2 }. denoted M ↑i . (01)T }. is the vector obtained from M by removing . M0. • The projection of P ost on net Ni . 2 .2 . M0.4. F = {[M1 M2 ]T | M1 ∈ F1 . 1 . the set of transitions and of final markings may grow faster. T. G2 and their concurrent composition G in Example A.

2). (i = 1.APPENDIX A. denoted σ ↑i . The projection of σ on Ni . PETRI NET LANGUAGES 100 all the components associated to places not present in Ni . denoted σ ↑i . The projection of σ over Ni . (i = 1. . is the vector obtained by σ removing all the components associated to transitions not present in Ni . is the firing sequence obtained by σ removing all the transitions not present in Ni . 2).

The initial state is denoted by an arrow. Figure B. Example B. we will mention Petri nets. The two languages associated with a DES G are: • The closed behavior L(G) ⊆ Σ∗ . a prefix-closed language that represents the possible evolutions of the system. that represents the evolutions corresponding to the completion of certain tasks. The state machine in Figure B. a DES is simply a generator of a formal language.1 represents a discrete event system G. We have discussed in Appendix A how the closed and marked behavior may be associated with a Petri net. Wonham. L(G) = {λ} ∪ {a} ∪ {abcn | n ≥ 0} = abc∗ = Lm (G). where the overline bar represent the prefix closure operator. The languages associate to G are: Lm (G) = {abcn | n ≥ 0} = abc∗ . defined on an alphabet Σ. 101 .Appendix B AN INTRODUCTION TO SUPERVISORY CONTROL B. the theory they built is very general.1.. In the examples presented in this section we will use state machine models to be consistent with the original notation. Although Ramadge and Wonham have used in their seminal papers a state machine based representation for DES. When relevant. • The marked behavior Lm (G) ⊆ L(G). et al. Any other formalism that can represent the closed and marked behavior of a system may be used in this framework.1 Discrete Event Systems and Properties In the supervisory control theory developed by Ramadge. the final states (just one in this example) are denoted by a double circle. however.1: A discrete event system modeled by a finite state machine.

. The following example shows nets with different combinations of liveness and nonblocking properties (deadlock-freeness is implied by liveness. and the set Σu of uncontrollable events (that cannot be disabled by an external agent).2: A blocking discrete event system and its trimmed structure in Example B. a Petri net is nonblocking if from any reachable marking it is possible to reach a final marking. Deadlock-freeness means that the reachability set does not contain a dead marking. so we will not discuss it). The agent who specifies which events are to be enabled and disabled is called a supervisor. If a ∈ γ. Then a state machine is nonblocking if and only if all reachable states are coreachable. It often required to restrict the behavior of a system within the limits of a specification language. More formally. Equivalently.2 we have a blocking system G1 . all the uncontrollable events are present in the control input). into a string that belongs to the marked language.2 Controllable Events and Supervisor The events labels in Σ are partitioned into two disjoint subsets: the set Σc of controllable events (that can be disabled if desired). AN INTRODUCTION TO SUPERVISORY CONTROL 102 Figure B. In this case we obtain the new DES G2 with Lm (G2 ) = Lm (G1 ). Let us define a control input as a subset γ ⊆ Σ satisfying Σu ⊆ γ (i. Similarly. i. from state q it is not possible to reach a final marking.3 are shown: a) a live and nonblocking system. and as coreachable a state from which it is possible to reach a final state. d) a nonlive and blocking system.. Note that the DES may be trimmed removing the state q and the transitions entering it. a marking that enables no transition. Example B. B.e..e.APPENDIX B. The set of final markings F is also given in the figure for each net. c) a live and blocking system. This property may be restated for state machines as follows. a DES G is nonblocking if Lm (G) = L(G).e.3. In Figure B.. L(G2 ) = Lm (G2 ) = Lm (G1 ) ⊂ L(G1 ). Liveness implies that from any reachable marking there exists a firing sequence containing all transitions. However a nonblocking system may have a dead marking (if it is a final marking). Note that this property is significantly different from deadlock-freeness and liveness. Example B. In Figure B. Let us define as reachable a state that may be reached from the initial state. A DES is said to be nonblocking if any string w ∈ L(G) can be completed into a string wx ∈ Lm (G). the event a is enabled by γ (permitted to occur).2.1. b) a non-live and nonblocking system. We may only enable and disable the controllable events to achieve this behavior. i. The strings “ab” and “aca” cannot be completed into a string that belongs to the marked language.

That is. . rather than a state feedback.APPENDIX B. where Σc = {a. but of the string of events generated. Example B. A supervisor controls a DES G by switching the control input through a sequence of elements γ1 . γ2 . Figure B.4. A supervisor may be given as a function f : L(G) → Γ specifying the control input f (w) .4. Note that in state q0 the control input is different depending on the value of w. If the system is deterministic. the uncontrollable events are always enabled. Consider the system in Figure B. Assume we want a terminal string to contain the event b exactly twice. Thus trace feedback is more general than state feedback. it is possible to reconstruct its state from the string of events generated.3: Combinations of nonblocking and liveness properties for Petri nets with set of final markings F in Example B. A point that should be stressed is the fact that the supervisor is implementing a trace feedback. Let Γ ⊆ 2Σ denote the set of all the possible control inputs. A closed loop block diagram showing a system under supervision is shown in Figure B. .4: A closed loop controlled discrete event system. otherwise a is disabled by γ (prohibited from occurring).5. Table B. as generally assumed.1 summarizes the required control input γ after a string w has been generated. The controllable transitions are denoted with a “:”. in response to the observed string of previously generated events. c} and Σu = {b}.2. AN INTRODUCTION TO SUPERVISORY CONTROL 103 Figure B. ∈ Γ. and the corresponding state of the system. the control input is not a function of the present state of the system. .

all marked strings of G that are also marked by S. whenever an event occurs in G the same event will be executed by S. it has no final states. Let us assume in the following that the supervisor is given as a DES S.5 .APPENDIX B. AN INTRODUCTION TO SUPERVISORY CONTROL 104 Figure B.e.e. For what regards the language accepted by S/G there are two possible definitions. Lm (S) is not defined. Then. the subset of the uncontrolled behavior that survives under supervision. that runs in parallel with the system G. It also possible to represent a supervisor as another DES S.4 state q0 q1 q0 q1 q0 q2 w λ a ab aba abab ababc γ {a.5. The closed loop system under control will be denoted S/G and may be considered as a new discrete event system [Ramadge 87]. c} {a..6: Supervisor in Example B.1: Control inputs in Example B. we call the supervisor non marking and we define Lm (S/G) as Lm (S/G) = Lm (G) ∩ L(S/G). i. i. The events enabled at a given instant on S determine the control input.6.. c} {b.. c} Table B. b. Example B. In this case. b. b} {a..4. i. b} {a. i. A transition structure for the same supervisor is shown in Figure B. If we assume that the supervisor does not mark strings. the closed behavior of S/G is L(S/G) = L(G) ∩ L(S). Figure B. to be applied for each possible string of events w generated by the system G.e. If S has a set of final states we may define as marked behavior of S/G as Lm (S/G) = Lm (G) ∩ Lm (S).5: System in Example B.4 the supervisor has been described in tabular format. In Example B.e. c} {b.

6. B.. c}. and S2 in Example B.e. S1 . Here the closed and marked behavior of S/G are L(S/G) = ababc. S qualifies as a proper supervisor for G if the two following properties are ensured. since only non marking supervisors are considered. Lm (S/G) has been used to denote the controlled behavior of S/G.7: Closed loop system S/G in Example B. S1 is not a supervisor for G because in the initial state it disables the uncontrollable event a that is enabled in the initial state of G. 1 The notation is unfortunately ambiguous. If we had considered a supervisor with no final states. however.7. S2 is not a proper supervisor for G because if the event a is executed it prevents the system from reaching the final state (in fact the event b is never enabled). . We will use Lm (S/G) to denote the language accepted by the closed loop system. AN INTRODUCTION TO SUPERVISORY CONTROL 105 Figure B. i. In [Ramadge 89b] and in the work of other authors.APPENDIX B. as can be derived from the figure. Example B.8: Systems G. L(S/G) = Lm (S/G). ∀a ∈ Σu ) [wa ∈ L(G) =⇒ wa ∈ L(S/G)].3 Supervisory Control Problem Controlling a DES consists in restricting its open loop behavior within a given specification language. the subset of the uncontrolled marked behavior that survives under supervision.e.5.7 represented the closed loop system S/G for the system and supervisor discussed in Example B. specifying whenever necessary if it represents the marked or controlled behavior. Now let us assume that we are given two DES G and S. in place of the marked behavior. the controlled behavior Lm (S/G) = λ + ab + abab + ababc. while Lc (S/G) denotes the controlled behavior. and Lm (S/G) = abab + ababc. In [Ramadge 87] Lm (S/G) denotes the marked behavior of S/G.7. Figure B. and S2 be the DES in Figure B. and call it controlled behavior1 . • controllability: S does not disable any uncontrollable event that may occur in G. i.6.e. we would have considered. i.8. The DES in Figure B.. S1 . (∀w ∈ L(S/G). Example B. Thus we may state the two following Supervisory Control Problems.. Let G. • nonblockingness (or properness): the behavior of the system under supervision must be nonblocking. Here Σc = {b.

i. A language K ⊂ Lm (G) is said to be Lm (G)-closed if K = K ∩ Lm (G).1). Hence there does not exit a supervisor S such that Lm (S/G) = L.e. The DES G in Figure B. T. For nonempty L ⊆ Lm (G) there exists a nonblocking supervisor S such that Lm (S/G) = L if and only if L is Lm (G)-closed and controllable. However w ∈ L(S/G) =⇒ w ∈ L(S/G). which is now uncontrollable. i. a contradiction. This means that any marked string of G that is the prefix of some string of K is also a string of K. Let L = (ab)∗ be the desired closed behavior of the closed loop system. . and marked behavior Lm (G) = (a(b + cd))∗ .2 ([Ramadge 87]. w ∈ Lm (G) ∩ L(S/G) = Lm (S/G). preventing the occurrence of controllable transitions. defined in the following. This means that it is always possible.9: System to control in Example B.. For nonempty L ⊆ L(G) there exists a supervisor S such that L(S/G) = L if and only if L is prefix closed and controllable. By definition of controlled language. c}. Let L = (abab)∗ be the desired controlled behavior of the closed loop system and assume Σu = {a. The supervisor simply needs to disable the controllable event c whenever the system is in state q1 .e. 5.8. then w = abab ∈ Lm (S/G) ⊆ L(S/G) and w = ab ∈ Lm (S/G). A language K ⊂ Σ∗ is said to be controllable (with respect to L(G) and Σu ) if KΣu ∩L(G) ⊆ K. there exists a supervisor S such that L(S/G) = L? SCP2 Given a DES G and a specification language L ⊆ Lm (G). (b) If Σu = {b. there exists a nonblocking supervisor S such that Lm (S/G) = L? (Here we assume that S does not mark strings. Theorem B. Theorem B. 2. Lm (S/G) = Lm (G) ∩ L(S/G).1). 6. (a) If Σu = {a. Now assume Lm (S/G) = L. L is controllable and may be enforced by a supervisor. but is not Lm (G)-closed. to restrict L(G) within K. when the system is in state q1 . In fact the supervisor cannot disable the event c. due to Ramadge and Wonham [Ramadge 87.8..APPENDIX B. d}. P. AN INTRODUCTION TO SUPERVISORY CONTROL 106 Figure B. This can be also be shown by contradiction in this particular example. The following two theorems. give necessary and sufficient conditions for the existence of a supervisor. Example B.) The solution of these two problems is based on the notions of controllable language and Lm (G)-closure. Ramadge 89b].9 has closed behavior L(G) = (a(b + cd))∗ . Lm (S/G) is the controlled behavior of S/G. L is controllable. 1. L is not controllable and cannot be enforced by a supervisor.1 ([Ramadge 87]. SCP1 Given a DES G and a specification language L ⊆ L(G). d}.

e. Assume the delays are the following.8. Thus the behavior of the closed loop system is now L(S /G) = K ⊂ L. it is a subset of the legal behavior. Ramadge and Wonham have also shown that in the regular case (i. However we may consider a controllable sublanguage K ⊆ L that may be enforced by a supervisor S . Given a language L we will define the supremal controllable sublanguage of L as L↑ = sup{K | K ⊆ L. We also want to minimally restrict the behavior of the system. Theorem B.e. If L satisfies the conditions of Theorem B. Example B. the supervisor S such that L(S/G) = L may be represented as a finite state machine. Let G be a finite state machine (i. However it may well be the case that L↑ contains only the empty string or is even the empty language. By Theorem B. For the problem in Example B.1). its closed and marked behavior are regular languages) and let L be a regular specification language. B..4 ([Ramadge 87]. event delay [s] a 0 b 10 c 10 d 0 e 8 f 4 .. K ∈ C(G)} Theorem B. An extension by Lafortune and Chen [Lafortune 90a] to the standard Supervisory Control Problem. the supervisor S such that Lm (S /G) = L may be represented as a finite state machine. The Petri net system in Figure B. If L satisfies the conditions of Theorem B. we note that the supremal controllable sublanguage is optimal from a logical point of view but not necessarily from the performance point of view. The place p0 represents the effect of the supervisor that ensures that places p2 and p6 are never marked at the same time. generate blocking. 3. T.3 ([Wonham 87].1 a supervisor S such that L(S/G) = L does not exist. We will not consider SCPB in this thesis. Since the supremal controllable sublanguage may be too restrictive.APPENDIX B. Let us define C(G) = {K | KΣu ∩ L(G) ⊆ K} as the set of all languages controllable with respect to L(G) and Σu .10. we want to construct the supervisor which allows the largest behavior of the system within the limits given by the specification L. each transition).1b L↑ = {λ}.9. 7.1.10 has a delay associated with each event (i. In order to minimally restrict the behavior we allow the initial firing of either “ab” or “de”.e. As a final remark. i. called SCPB (SCP with Blocking) considers a different approximation of the desired behaviour in terms of Infimal Controllable Superlanguage defined as L↓ = inf{K | K ⊇ L.1)..e.. i. however. other controllable approximations to L have been defined. This behavior is called the supremal controllable sublanguage. AN INTRODUCTION TO SUPERVISORY CONTROL 107 Another important result due to Ramadge and Wonham is concerned with the existence of finite state machine supervisors. This may. K ∈ C(G)}.e. P.. when both the system behavior and the specification behavior are regular languages) the supremal controllable sublanguage is a regular language and can be computed in a finite number of steps. The supremal controllable sublanguage for a given supervisory control problem exists and is unique.2.4 Supremal Controllable Sublanguage Assume we want to restrict the closed behavior of a system G within the limits of a legal language L that is not controllable. Example B.

If the sequence “ab” is initially executed. we have that the required time to reach the final marking (0001001)T is 22 seconds. Clearly. .10.10: A timed Petri net model in Example B. while if the sequence “de” is initially executed the final marking is reached in 28 seconds.APPENDIX B. it would be better to further restrict the system’s behavior allowing only the firing of the sequence “ab” from the initial marking. AN INTRODUCTION TO SUPERVISORY CONTROL 108 Figure B. if it is required that the system reaches the final marking in the shortest time.

If G is given as a Petri net model. the set {K | KΣu ∩ L(G) ⊆ K}. c. N A P/T net. A Petri net model of a discrete event system is G = (N. . The set of marking satisfying a generalized mutual exclusion constraint. . M0 . The sets of L-type. 109 Lm (G) L. Mf is a final marking). Ld . The reversal of a P/T net N . .Appendix C NOTATION a. events. Discrete event system G constrained by specification H A set of final markings of a P/T net. The set of languages controllable with respect to L(G) and Σu . deterministic L-type. A marking of a P/T net (M0 is an initial marking.e. If G is given as a Petri net model. M0 ) L(G) H Symbols of an alphabet. the set {M ∈ I |P | | wT · M ≤ k}. i. The closed behavior of the discrete event system G. A labeling function that assigns to each transition of a net a label from the alphabet Σ. The prefix-closure of language L. The incidence matrix of a P/T net. F ). P ost) NR . . and DP-closed Petri net languages. LDP M :P →I N M(w.. The set of firing sequence of N. A basis of nonnegative P-invariants. k) N = (P. A discrete event system representing a specification. The marked behavior of the discrete event system G. The supremal controllable sublanguage of language L. B C = P ost − P re C(G) E=G F G H K :T →Σ L L L↑ L(N. the closed behavior is also called P-type Petri net language of G. A controllable language. P re. A language. M0 . i. T.e. A discrete event system. b.. the marked behavior is also called L-type Petri net language of G.

A siphon of a P/T net. y. M0 ) S S S/G t • t. sequences of events. A set of places of a P/T net. Pd QX R(N. i. A nonnegative P-invariant (P-semiflow) of a P/T net. M0 p • p. A marked net. NOTATION NS I N N. N The set of reachable markings of N. T. the net (P ∪ {S}. Strings of a language. the set {a ∈ A | X(a) > 0}. i. The pre-incidence matrix of a P/T net. The Kleene star of alphabet Σ. Σu is an alphabet of uncontrollable events. P ostS ). a net N with initial marking M0 . M0 ) P. Σc is an alphabet of controllable events. i. A set of generalized mutual exclusion constraints. The set of all possible control inputs determined by a supervisor. The post-incidence matrix of a P/T net. A firing count vector of a marked net.APPENDIX C.. x. and deterministic P-type Petri net languages. M0 ) P RB (N. The empty string. A place of a P/T net. M0 (reachability set). A transition of a P/T net. A set of transitions of a P/T net. A supervisor. N The set of markings {M ∈ I |P | | B T · M = B T · M0 }. P P ost : P × T → I N P re : P × T → I N P R(N. The closed-loop system composed by the system G under the action of supervisor S. P reS . The support of a vector X : A → I . i. t• T T w.e. M0 ) P RA (N... A vector. The set of markings {M ∈ I |P | | A · M ≥ A · M0 }. the language containing all strings composed with symbols in Σ and the empty string λ. A generalized mutual exclusion constraint. An alphabet. A trap of a P/T net. N The sets of P-type. k) X:A→I N Y γ Γ θ λ σ σ:T →I N Σ Σ∗ . k) (W. A simple path of a P/T net.e.e.e. p• 110 A P/T net N with the addition of a monitor place S. z (w. The sets of input and output transitions of place p. A firing vector of transitions. The set of markings {M ∈ I |P | | (∃σ ∈ I |T | )[M = M0 + C · σ} N N (potentially reachable set). The set of nonnegative integers. The sets of input and output places of transition t. A control input determined by a supervisor.

d 111 The shuffle operator (concurrent composition over disjoint alphabets). .APPENDIX C. The concurrent composition operator. NOTATION ↑ The projection operator. Denotes the end of a proof.

Sign up to vote on this title
UsefulNot useful