Are you sure?
This action might not be possible to undo. Are you sure you want to continue?
as Discrete Event Models
for Supervisory Control
by Alessandro Giua
A Thesis Submitted to the Graduate Faculty of Rensselaer Polytechnic Institute in
Partial Fulﬁllment of the Requirement for the Degree of Doctor of Philosophy. Major
Subject: Computer and Systems Engineering.
Rensselaer Polytechnic Institute (Troy, New York)
July 1992
ii
Este, que ves, engaño colorido,
que del arte ostentando los primores,
con falsos silogismos de colores
es cauteloso engaño del sentido.
This coloured counterfeit that thou beholdest,
vainglorious with the excellencies of art,
is, in fallacious syllogisms of colour,
nought but a cunning dupery of sense.
Inundación Castálida, II, 14
Juana de Asbaje y Ramírez,
Sor Juana Inés de la Cruz (16511695)
Contents
1 INTRODUCTION 1
1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Background and Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2.1 Discrete Event Systems and Models . . . . . . . . . . . . . . . . . . . . 1
1.2.2 Evaluation of Discrete Event Models . . . . . . . . . . . . . . . . . . . 3
1.2.3 Petri Net Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2.4 Supervisory Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3 Objectives of the Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.4 Organization of the Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2 LITERATURE REVIEW 10
2.1 Supervisory Control Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.2 Logical Models for Discrete Event Systems . . . . . . . . . . . . . . . . . . . . 11
2.2.1 Transition Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.2.2 Temporal Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.2.3 Communicating Processes . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.2.4 Controlled Petri Nets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.3 Petri Net Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.4 Incidence Matrix Analysis of Petri Nets . . . . . . . . . . . . . . . . . . . . . . 13
2.5 Synthesis and Reduction of Petri Nets Models . . . . . . . . . . . . . . . . . . . 14
3 BASIC NOTATION 15
3.1 Petri Nets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.1.1 Place/Transition Nets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.1.2 Marked Nets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.2 Formal Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.3 Petri Net Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.4 Supervisory Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
4 ON THE EXISTENCE OF PETRI NET SUPERVISORS 19
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.2 Petri Nets and Blocking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.3 Supervisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
4.4 Existence of Petri Net Supervisors . . . . . . . . . . . . . . . . . . . . . . . . . 22
4.5 Petri Net Languages and Supremal Controllable Sublanguage . . . . . . . . . . . 25
4.6 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
iii
CONTENTS iv
5 SUPERVISORY DESIGN USING PETRI NETS 28
5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
5.2 Monolithic Supervisor Design . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
5.2.1 Design Using Concurrent Composition . . . . . . . . . . . . . . . . . . 32
5.3 Monolithic Design Using Petri Nets . . . . . . . . . . . . . . . . . . . . . . . . 32
5.4 Petri Nets and State Machines . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.5 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
6 INCIDENCE MATRIX ANALYSIS 38
6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
6.2 Incidence Matrix Analysis for State Machines . . . . . . . . . . . . . . . . . . . 39
6.2.1 State Equation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
6.2.2 Deﬁning the Set of Reachable Markings . . . . . . . . . . . . . . . . . . 41
6.3 Composition of State Machines Modules . . . . . . . . . . . . . . . . . . . . . . 44
6.3.1 State Equation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
6.3.2 Deﬁning the Set of Reachable Markings . . . . . . . . . . . . . . . . . . 47
6.4 Supervisory Veriﬁcation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
6.4.1 Blocking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
6.4.2 Controllability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
6.5 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
7 GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 56
7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
7.2 GMEC and Monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
7.2.1 Generalized Mutual Exclusion Constraints . . . . . . . . . . . . . . . . 57
7.2.2 Modeling Power of Generalized Mutual Exclusion Constraints . . . . . . 59
7.2.3 Monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
7.2.4 Nets With Uncontrollable Transitions . . . . . . . . . . . . . . . . . . . 65
7.3 Generalized Mutual Exclusion Constraints on Marked Graphs . . . . . . . . . . 66
7.3.1 Marked Graphs with Monitors . . . . . . . . . . . . . . . . . . . . . . . 66
7.3.2 Control Subnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
7.3.3 Control Safe Places . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
7.4 Fully Compiled Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
7.4.1 Model 1: Monitorbased Controller . . . . . . . . . . . . . . . . . . . . 71
7.4.2 Model 2: Compiled Supervisor . . . . . . . . . . . . . . . . . . . . . . . 73
7.5 Partially Compiled Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
7.5.1 Model 3: NonDeterministic Partially Compiled Supervisor . . . . . . . 75
7.5.2 Model 4: Deterministic Partially Compiled Supervisor . . . . . . . . . . 76
7.6 Comparison of the Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
7.7 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
8 CONCLUSIONS AND FUTURE RESEARCH 79
8.1 Original Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
8.1.1 Petri Net Languages for Supervisory Control . . . . . . . . . . . . . . . 79
8.1.2 Supervisory Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
8.1.3 Validation of Petri Net Supervisors . . . . . . . . . . . . . . . . . . . . . 80
8.1.4 Efﬁcient Construction of Control Structure . . . . . . . . . . . . . . . . 80
8.2 Future Research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
8.2.1 Petri Net Languages for Supervisory Control . . . . . . . . . . . . . . . 81
8.2.2 Supervisory Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
CONTENTS v
8.2.3 Validation of Petri Net Supervisors . . . . . . . . . . . . . . . . . . . . . 82
8.2.4 Efﬁcient Construction of Control Structure . . . . . . . . . . . . . . . . 82
APPENDICES 90
A PETRI NET LANGUAGES 90
A.1 Petri Net Generators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
A.2 Classes of Petri Net Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
A.3 Deterministic Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
A.4 Closure Properties and Relations with Other Classes . . . . . . . . . . . . . . . . 92
A.5 Concurrent Composition and System Structure . . . . . . . . . . . . . . . . . . 93
B AN INTRODUCTION TO SUPERVISORY CONTROL 95
B.1 Discrete Event Systems and Properties . . . . . . . . . . . . . . . . . . . . . . . 95
B.2 Controllable Events and Supervisor . . . . . . . . . . . . . . . . . . . . . . . . 96
B.3 Supervisory Control Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
B.4 Supremal Controllable Sublanguage . . . . . . . . . . . . . . . . . . . . . . . . 101
C NOTATION 103
Acknowledgement
Frank DiCesare has guided me in a spirit of friendship through my Master’s and Ph.D. thesis,
providing learning, encouragement, and support all at once.
Manuel Silva has given me the wonderful opportunity of visiting the University of Zaragoza
and of working with his group. Part of this research has been inspired by him.
Alan A. Desrochers, David R. Musser, and Badrinath Roysam have provided additional guid
ance as members of my doctoral committee.
The Petri net group meetings at Rensselaer have been a fruitful learning experience. I acknowl
edge the many discussions with Padma Akella, Tiehua Cao, Xin Chen, MuDer Jeng, Jagdish
Joshi, Hauke Jungnitz, Jongwook Kim, Inseon Koh, Doo Yong Lee, Jim Watson, Mengchu Zhou.
I am grateful to the Computer Integrated Manufacturing project of the Center for Manufactur
ing Productivity and Technology Transfer which has supported the research of this thesis during
the last two years.
The years of my graduate studies have been a period of freedom and carelessness, marking the
transition between youth and maturity. Never will love be more poignant or friends more dear; the
memories will last forever. For this I have to thank Philippe Jeanne, Thanos Tsolkas, Ermanno
Astorino, Antonio De Dominicis, GloriaDeo Agbasi, Hauke Jungnitz, Giampiero Beroggi and
Penny Spring, Agostino Abbate and Joseﬁna Quiles, Didier Laporte, Elisabetta Bruzzone, Nora
SiAhmed, Amitava Maulik, Persefone Vouyoukas, Doo Yong Lee, Josep Tornero, Markus Vincze,
Michael Eppinger, Rolf Münger, Keith Hanna, Alejandro Beascoechea, Markus Hoerler, Carlos
Garcia, Leonardo Lanari, Scott Bieber, Brady Richter, Cristina Gesto, Andreas Glatzl, Jose Neira,
Maria Angeles Salas, Antonio Ramírez, Enrique Teruel, Joaquin Ezpeleta, Bruno Gaujal, and
Rogerio Rodriguez.
vi
Abstract
Discrete event systems represents a new ﬁeld of control theory of increasing importance in the
domains of manufacturing, communications, and robotics. Supervisory Control theory, based on
formal languages, is a well established framework for the study of discrete event systems.
The thesis discusses the use of Petri nets in Supervisory Control. Place/Transition nets have
been used by several authors to represent discrete event systems. In our approach, the supervisor,
i.e., the control agent that restricts the behavior of a system within a legal behavior, is represented
as a Place/Transition net as well. The advantage of such a supervisor, as opposed to a supervi
sor given as a feedback function, is that a closed loop model of the controlled system may be
constructed and analyzed using the techniques pertaining to Petri net models.
We show that a Petri net supervisor may not exist if the system’s behavior or the legal behavior
are nonregular Petri net languages. By deﬁning a new class of Petri net languages, called deter
ministic Pclosed, it is possible to derive necessary and sufﬁcient conditions for the existence of
supervisors as nets.
The thesis presents an algorithm, based on the concurrent composition operator, for the design
of Petri net supervisors and discusses how a composed net may be validated. In a ﬁrst approach,
based on incidence matrix analysis, important properties of the net, such as controllability or such
as the absence of blocking states, may be studied by Integer Programming techniques. In a second
approach, we consider a class of speciﬁcations, called generalized mutual exclusion constraints,
and discuss several possible structures for the supervisor capable of enforcing them.
vii
Chapter 1
INTRODUCTION
1.1 Introduction
The object of the study of traditional control theory have been systems of continuous and syn
chronous discrete variables, modeled by differential or difference equations. However, as the
scope of control theory is being extended into the domains of manufacturing, robotics, computer
and communication networks, and so on, there is an increasing need for different models, capable
of describing systems that evolve in accordance with the abrupt occurrence, at possibly unknown
irregular intervals, of physical events. Such systems, whose states have logical or symbolic, rather
than numerical, values that change in response to events which may also be described in non
numerical terms, are called discrete event systems (DES) [Ramadge 89b] and the corresponding
models are called discrete event models (DEM) [Inan 88].
These systems require control and coordination to ensure the orderly ﬂow of events. As con
trolled (or potentially controllable) dynamic systems, DES qualify as a proper subject for control
theory. Hence a twofold issue presents itself: we need a powerful class of DEM, capable of cap
turing the essential features of discrete, asynchronous and possibly nondeterministic systems, and
a unifying theory for their control.
The goal of the present research is that of applying a Petri net model within the framework
of Supervisory Control, a control theory for DES introduced recently by Ramadge and Wonham
[Ramadge 83, Ramadge 87]. We study how Petri net models may be used to solve supervisory
control problems, i.e, the design of a supervisor capable of restricting the behavior of a system
within a legal behavior.
1.2 Background and Motivation
In this section we rather informally discuss the motivation of this research. We want to show why
Petri nets are a good discrete event model and a powerful tool for Supervisory Control.
1.2.1 Discrete Event Systems and Models
A DES is a dynamic system with a discrete state space and piecewise constant state trajectories
(see Figure 1.1); the time instant at which state transitions occur, as well as the actual transitions,
will in general be unpredictable.
The state transitions of a DES are called events and may be labeled with the elements of some
alphabet Σ. These labels usually indicate the physical phenomenon that caused the change in state.
For example, in a manufacturing environment typical event labels are “machine 1 starts working
on part A”, “machine 1 breaks down”, etc.
1
CHAPTER 1. INTRODUCTION 2
time
t1 t2 t3 t4
x1
x2
x3
x4
a
b
a c
state
Figure 1.1: State trajectories for a Discrete Event System.
Model Classiﬁcation
The many areas in which DES arise and the different aspects of behavior relevant in each area have
led to the development of a variety of DEM. We have the following classiﬁcation [Ramadge 86,
Ramadge 89b].
1. Logical DEM, in which a common simplifying assumption is to ignore the times of occur
rence of the events and consider only the order in which they occur. This simpliﬁcation is
justiﬁed when the model is to be used to study properties of the event dynamics that are
independent of speciﬁc timing assumptions.
2. Timed or performance DEM, which are intended for the study of properties explicitly de
pendent on interevent timing. These models can be further classiﬁed as:
a) nonstochastic: if the timing is known a priori;
b) stochastic: if the timing is not known a priori due to random delays or random occur
rences of events.
Logical Models
The behavior captured in a logical model is the sequences of discrete events or traces that a system
generates [Inan 88]. Let Σ be the set of discrete events labels and let Σ
∗
be the set of all ﬁnite
sequences of events in Σ (including the empty trace λ). Thus a possible evolution of the system
may be represented, as in Figure 1.1, by
w = abac . . . ,
where w ∈ Σ
∗
and a, b, c ∈ Σ.
There are two main assumptions here.
1. We are interested in the order in which the events occur but not in the real time at which
they occur;
2. An event is atomic, i.e., it is considered to occur in a single step, even if in the real system
it may be implemented as a sequence of instructions.
CHAPTER 1. INTRODUCTION 3
In a logical model, the behavior of a given system is thus given by a subset language L ⊂ Σ
∗
,
consisting of all the traces (or strings) that the system can generate. In most systems of interest,
L will be an inﬁnite set so that it cannot be given simply by listing all the traces. We will study
systems that allow a logical model.
1.2.2 Evaluation of Discrete Event Models
A great number of logical DEM have been proposed. In order to evaluate and compare their
suitability for control applications, different properties have to be considered [Inan 88].
Descriptive power
The descriptive power of a DEM has different facets. Inan and Varaya [Inan 88] have used the
terms language complexity and algebraic complexity to denote two aspects of the descriptive
power. We will call these two aspects language power and algebraic power. Additionally, we
will consider a third aspect that we call representational power.
A discrete event model must give a means to specify the set of admissible event trajectories.
This may be done using different formalisms.
• A state transition structure is used by automata and net models such as ﬁnite state machines,
Petri nets, Büchi automata [Ramadge 89a].
• A set of equations is used by boolean models [Aveyard 74], communicating sequential pro
cesses [Hoare 85], ﬁnitely recursive processes [Inan 88].
• Logical calculus is used in temporal logic models [Pnueli 79].
Two different models may represent the same behavior although they use different formalisms. It
is often the case, however, that some behavior can be easily modeled with one particular formalism
and not so easily modeled with a different one. We call this qualitative aspect representational
power. In the following section, we will compare different models with Petri nets with the aim
of showing that the representational power of Petri nets is fairly large. In fact, Petri nets are not
subject to the representational shortcoming typical of other models.
We have seen that the logical behavior of a system is represented in the model by a language
L ⊂ Σ
∗
. In general, different formalisms generate different classes of languages, i.e., each model
has its own language power. As an example, the class of languages generated by ﬁnitely recursive
processes is a superset of Petri net languages that in turn are a superset of regular languages (the
class of languages generated by ﬁnite state machines). It is desirable that the language power of
a model be as large as possible, so that the model may be used to represent a large variety of
systems. However, formal language theory shows that the analysis complexity grows with the
language power of a model. The extreme case is that of Turing machines that have the largest
language complexity but whose languages have many undecidable properties.
Complex systems can be regarded as being built out of interacting subsystems. A modeling
formalism will be useful if it contains operators that combine one or more models in ways that
reﬂect the ways in which systems are connected. In our view of a DEM as a language generator,
these operators, union, intersection, concurrent composition, etc., are deﬁned on languages. The
class of operators related to each model deﬁne its algebraic power.
Performance Evaluation
Once we are sure that a model has captured the essential features of a system, we want to use
that model for determining whether the system has the desired properties or whether it is free of
abnormal behavior.
CHAPTER 1. INTRODUCTION 4
This can be done in two steps. Firstly, “translate” the desirable properties of the system into
properties of the model. Secondly, “derive effective algorithmic, analytical, or simulation methods
to verify that the model possesses the desired properties” [Inan 88].
In this last step, the issue of computational complexity is a key concern. For example, the num
ber of states in a transition structure for specifying the admissible event trajectories may depend
exponentially on some system parameter. In such cases simple algorithms for veriﬁcation or syn
thesis, e.g., an exhaustive search over the state space, rapidly become computationally intractable.
Thus one tries to mitigate the complexity by the use of aggregation or modularity, or by exploiting
hierarchical or other special structures.
Control Implementation
The modeling and analysis of systems is only the ﬁrst step in the study of DES. The ﬁnal goal
is to modify (by control action) the set of admissible trajectories so that each event trajectory has
the desired properties. A model should then ﬁnd application in the framework of a control theory.
It should also provide a guide to constructing a controller. At best, this is done by an automatic
compilation of the model into control code; at worst, “ad hoc” solutions must be studied.
1.2.3 Petri Net Models
In this work we study a particular Petri net (PN) model: Place/Transition (P/T) nets. Petri nets
satisfy all the requirements that a good DEM should have [Giua 92a].
1. Descriptive power
Petri nets have great descriptive power. They have been designed speciﬁcally to model sys
tems with interacting components and as such are able to capture many characteristics of
an event driven system, namely concurrency, asynchronous operations, deadlocks, conﬂicts,
etc. Furthermore, the PN formalism permits description of logical models (P/T nets, Col
ored PN), timed models (Timed PN) and performance models (Stochastic PN, Generalized
Stochastic PN).
When logical models are considered, classes of languages generated by Petri nets, called
Petri nets languages, may be deﬁned. These classes are supersets of regular languages
and with the introduction of a great number of operators deﬁne an algebra. However, PN
languages do not have all the nice closure properties of, say, regular languages.
The basic P/T net cannot model a condition of the form: “Fire transition t if place p is
empty”. Hence a P/T Petri net cannot simulate a register machine which in turn is equiv
alent to a Turing machine [Ichikawa 88a]. It is possible to extend the formalism with the
introduction of inhibitory arcs, i.e., arcs from places to transitions that prevent the ﬁring of
a transition if the input place is marked. However we note that the descriptive power of P/T
nets is large enough for most common applications, and often even more restricted models
are considered, such as conservative PN.
Conservative PN are essentially equivalent to ﬁnite state machines, since the number of
reachable markings (i.e., the number of ’states’ of the model) is ﬁnite. However, they still
make use of the full representational power of Petri nets. In fact, since the states of a
PN are represented by the possible markings and not by the places, they allow a compact
description, i.e., the structure of the net may be maintained small in size even if the number
of the markings grows.
2. Performance Evaluation
The desired properties of a system map fairly well into properties of the corresponding Petri
CHAPTER 1. INTRODUCTION 5
net model. Many algorithms, with a well developed mathematical and practical foundation,
have been developed to study these properties.
The analysis techniques for Petri nets may be divided into the following groups (see [Silva 85]).
• Analysis by enumeration. It requires the construction of the reachability tree repre
senting the set of reachable markings and transition ﬁrings. If this set is not ﬁnite, a
ﬁnite coverability tree may be constructed.
• Analysis by transformation. A net N
1
is transformed, according to particular rules,
into a net N
2
while maintaining the properties of interest. The analysis of the net N
2
is assumed to be simpler than the analysis of the net N
1
. Examples of this analysis
technique are reduction methods, that permit the simpliﬁcation of the structure of a
net.
• Structural analysis. It permits the demonstration of several properties almost indepen
dently of the initial marking. Structural analysis may be based on the study of the state
equation of the net or on the study of the net graph.
• Simulation analysis. It is useful for timed nets and to study the behavior of nets that
interact with an external environment.
Petri nets also represent a hierarchical modeling tool and allow reduction of the compu
tational complexity of analysis by exploiting modular synthesis. With modular synthesis,
complex systems may be constructed by aggregation of simpler modules while preserving
the properties of interest.
3. Control Implementation
Petri nets languages offer a simple means of applying controltheoretical ideas and in this
thesis we will show that they are consistent with Supervisory Control theory.
Petri net based controllers may be implemented in both hardware and software. Programmable
Logic Controllers [Silva 89b, Silva 83] and Petrinet like languages [Murata 86] have been
used in different applications.
In [Crockett 87, Kasturia 88] a Petri net interpreter is implemented using a mixture of ap
plication dependent and independent code. However, it is necessary to point out that there
exists no general technique for compiling a Petri net description into a control system.
It may be worth comparing the representational power of PN with that of other models for
concurrent systems [Best 91]. It is possible to partition the current approaches into: a) models in
which the basic notion is that of state, such as state machines; b) models in which the basic notion
is that of action, such as interleaving models. Petri nets show more ﬂexibility in this respect, since
states and actions are treated on equal footing and both step and interleaving semantics can be
deﬁned on Petri nets [Best 91].
In the next example, we will see that Petri nets give a very compact description of systems
which, due to concurrent behavior, have a large state space.
Example 1.1. Suppose we have a cyclic process where ﬁve jobs may be in four different stages.
In Figure 1.2 we have a Petri net where each token represents a job and each place represents a
different stage. Although the number of reachable markings is 56, the PN model is very simple
compared to a state machine model where we need to explicitly represent all states.
Models based on actions do not suffer from this state space explosion, since they do not re
quire the explicit enumeration of all the states. As an example, an interleaving model of the
system considered in this example may be described as follows. Let L
1
be the behavior of the
cyclic process with a single job, i.e., a single token. Then possible evolutions of the system are:
CHAPTER 1. INTRODUCTION 6
Figure 1.2: Petri net in Example 1.1.
Figure 1.3: Petri net in Example 1.2.
λ, t
1
, t
1
t
2
, t
1
t
2
t
3
, . . ., i.e., L
1
= (t
1
t
2
t
3
t
4
)
∗
; here the bar stands for the preﬁx operator and ∗
is the Kleene star operator. Then the behavior of the process when ﬁve jobs are been processed
concurrently is given by
L
5
= L
1
 L
1
 L
1
 L
1
 L
1
,
where  is the concurrent composition operator.
The shortcoming of models based on actions lies in the cumbersome way in which speciﬁca
tions involving counters and semaphores are modeled.
Example 1.2. Consider the Petri net in Figure 1.3. Here we have two sequences (t
2
t
1
) and (t
3
t
4
)
that can be run up to a total of n times, n being the number of tokens in p
3
. Using an interleaving
model to represent this process is awkward: we have to explicitly specify all concurrent ﬁring
sequences. In fact, for n = 1 the behavior is
L
1
= t
2
t
1
+t
3
t
4
.
For n = 2 we have
L
2
= (t
2
t
1
)
2
+ (t
2
t
1
)  (t
3
t
4
) + (t
3
t
4
)
2
.
For a generic n
L
n
= (t
2
t
1
)
n
+ (t
2
t
1
)
n−1
 (t
3
t
4
) +. . . (t
2
t
1
)  (t
3
t
4
)
n−1
+ (t
3
t
4
)
n
.
CHAPTER 1. INTRODUCTION 7
1.2.4 Supervisory Control
Ramadge and Wonham provide a unifying framework for the control of discrete event systems
[Ramadge 89b], and so far their Supervisory Control Theory is the most general and comprehen
sive theory presented for logical DES. An introduction to the theory is presented in Appendix B.
Here we simply discuss those aspects of Supervisory Control that have motivated this research.
We may distinguish three different areas of interest in the supervisory control approach.
1. The formal language level is concerned with theoretical issues. Qualitative properties of
DES, such as stability [Brave 90], controllability [Ramadge 87], observability [Cieslak 91,
Özveren 90], nonblockingness [Ramadge 87], etc., are deﬁned from a very general perspec
tive as properties of languages. This “abstract” perspective has made possible the creation
of a modelindependent theory.
At this level, new language operators, that will play a central role in solving the control
problem, are also deﬁned. Examples of these operators are the supremal controllable sub
language (SCS) [Wonham 87], inﬁmal controllable superlanguage (ICS) [Lafortune 90a],
etc. The closure properties of different classes of languages under these operators are also
discussed. The class of regular languages is closed under the SCS and ICS operators, as
shown by Ramadge and Wonham [Wonham 87], and Lafortune and Chen [Lafortune 90a].
No results have been published on Petri net languages.
Finally, language theory provides a rigorous formalism for proving important theorems on
the existence of supervisors. The existence of ﬁnite state supervisors have been discussed
by Ramadge and Wonhan [Wonham 87] and Ushio [Ushio 90]. Some results on Petri net
supervisors with inhibitory arcs have been presented by Sreenivas and Krogh [Sreenivas 92].
2. The system level deals with the concept of DES, seen as a language generator over an al
phabet of events Σ. One the most important features is the partition of Σ into two disjoints
sets: the set of controllable events Σ
c
, and the set of uncontrollable events Σ
u
. The uncon
trollable events are those which cannot be disabled by a control action.
The basic control problem is the following. We are given a DES G generating the language
L(G) and a speciﬁcation, i.e., a legal language L. We want to restrict the behavior of the
system, by disabling only controllable transitions, within the limits of the legal language.
The control structure that restricts the behavior of the system is called a supervisor. The
supervisor receives as input the sequence of events generated by G and determines a control
input that speciﬁes which events are to be disabled in G. If we consider the system G as
the plant (or the object to be controlled) and the supervisor as the controlling agent, it is
often possible to realize a supervisor simply as another DES S. S and G are supposed to
run in parallel and the closed loop structure is again a DES, denoted by S/G, the action of
S on G. It has been noted [Cieslak 91] that this approach allows us to evaluate and compare
the effect of different control policies on the behavior of the uncontrolled system, since
open loop plant and controller are treated separately; previous approaches require a separate
model for each control policy and only permit models of closed loop systems.
Design algorithms have been devised to compute the control structure of a supervisor for a
given control problem, given the knowledge of the system and of the speciﬁcation. These
algorithms are based on language operators, thus they are model independent.
3. At the model level a particular model is chosen to describe the physical device to be con
trolled. In classical control theory there exist different models for, say, linear systems, such
as transfer function, state variables, matrixfraction description, polynomial matrix descrip
tion, etc., all capable of describing systems whose behavior is deﬁned by a differential linear
CHAPTER 1. INTRODUCTION 8
equation. In the case of a discrete event system, the behavior is deﬁned as a formal language;
hence the models used are language generators.
In Section 1.2.2, we have already discussed the good properties that a discrete event model
should feature.
1.3 Objectives of the Thesis
Supervisory Control is so far the most complete theory for the control of DES. It has a sound
mathematical foundation, based on formal languages; it provides exact algorithms to design a
supervisor for large classes of control problems; it captures the physical constraints the controller
must satisfy, since it assume that only a subset of the events is controllable; it is sufﬁciently general
to be applied to different models.
Another issue of paramount importance is the complexity involved in solving a control prob
lem. Here the choice of one model rather than another one is a key factor that may drastically
affect the class of problems that can be solved.
Firstly, since the language power of each model is limited, there may exist systems whose
behavior may not be expressed with a given model. It is often assumed that physical systems have
a ﬁnite state space. However there are cases where it may be necessary to use a model such as
Petri nets, with a possibly inﬁnite number of states.
Secondly, the representational power of a model may not be speciﬁcally tailored to represent a
given system’s behavior. The exponential growth of the state space of a model with the number of
interconnected modules is a well known blight in the study of concurrent systems which makes the
use of simple models, such as ﬁnite state machines, impracticable. We have seen, in the previous
discussion, that Petri nets reduce this complexity by means of its representation power. Thus Petri
nets may potentially be viewed as an effective means to realize supervisory controllers, allowed
by language theory but in practice until now unattainable because of the state space explosion
problem.
Thirdly, each model has its own toolset of design and analysis techniques, which may be used
more or less efﬁciently for the solution of a control problem. Petri nets provide a compact represen
tation of systems, but a brute force analysis of the model may often require the exhaustive search
of the reachability tree, thus making its computational complexity exponential as well. There are
ways to mitigate the complexity involved in the analysis of the model by using techniques that
are primarily based on the structure of a net rather than on its behavior. Examples of these tech
niques are incidence matrix analysis and modular synthesis. Although these techniques have been
extensively investigated in the Petri net literature, so far they have been used in the context of
Supervisory Control only by Holloway and Krogh [Holloway 90, Krogh 91, Holloway 92a].
We are ﬁnally ready to state the goal of this research: “Investigate the use of Petri nets models
within the framework of Supervisory Control.”
The fulﬁllment of this goal requires several steps.
1. At the formal language level, we need to study Petri net languages in the context of Super
visory Control. This will allow us to characterize the class of control problems that may
be solved by Petri net models, i.e., the class of problems for which a Petri net supervisor
exists. In particular, we need to consider the closure properties of Petri net languages under
the operators used in Supervisory Control theory.
2. At the discrete event system level, we need to study the counterpart on a Petri net structure
of the linguistic operators required in the design of a supervisor. Wonham has proposed
an algorithm which uses three different operators: shufﬂe, selﬂoop and intersection. We
propose an alternative design that requires only one operator: concurrent composition. The
CHAPTER 1. INTRODUCTION 9
counterpart of this operator on the net structure can be easily deﬁned and preserves the
modularity of the overall system.
It is often the case that once the coarse structure of a supervisor has been obtained, by
concurrent composition of the system and speciﬁcation modules, we need to reﬁne the net,
to avoid reaching a set of undesirable markings. We need to derive reﬁnement procedures
which preserve the modular structure of the net in this step as well.
3. At the model level, we need to make full use of the Petri net analysis techniques to efﬁciently
validate a Petri net supervisor, i.e., to prove that the supervisor has the desired properties.
We will explore two different techniques. The ﬁrst one is based on incidence matrix analysis,
in which the reachability set of a marked net is represented by the integer solutions of a set
of linear inequalities. Classic incidence matrix analysis is based on the solution of the state
equation of a net. This approach, however, has been shown useless [Colom 89] in determin
ing some properties of net systems such as the existence of home markings, i.e., markings
that may be reached by any marking in the reachability set of a Petri net. Determining the
existence of home markings is a problem essentially equivalent to that of determining if a
net is nonblocking, which is an important property of discrete event systems. Thus, we need
to modify this approach in order to be able to use this analysis technique in the context of
Supervisory Control.
A second area of our research is the use of modular synthesis techniques for nets with
uncontrollable transitions, i.e., transitions that may not be prevented from ﬁring by a control
agent. We will explore a class of speciﬁcation, called mutual exclusion constraints, that
have also been considered in [Krogh 91]. Our aim is that of efﬁciently deriving a Petri net
structure for a supervisor for this class of problems.
1.4 Organization of the Thesis
This chapter has introduced the topic of the thesis and stated the objectives of research.
Chapter 2 discusses in depth the literature relevant to the present research.
Chapter 3 introduces the basic notation on Petri nets, formal languages and Supervisory Con
trol.
Chapter 4 discusses the use of Petri nets in the framework of Supervisory Control. Firstly,
it is shown that the trimming of an unbounded Petri net is not always possible; this leads to the
deﬁnition of a class of Petri net languages, that may be generated by nonblocking generators.
Secondly, necessary and sufﬁcient conditions for the existence of a Petri net supervisor under
the hypothesis that the system’s behavior and the legal behavior are both Petri net languages are
derived. Finally, by means of an example, it is shown that Petri net languages are not closed under
the supremal controllable sublanguage operator.
Chapter 5 shows how Petri nets may be used to design a supervisor. The design requires two
steps. In the ﬁrst step, a coarse structure for a supervisor is synthesized by means of concurrent
composition of different modules. In the second step, the structure is reﬁned to avoid reaching
forbidden markings. We show that for conservative Petri nets there exists a standard reﬁnement
procedure that only requires introducing new arcs and possibly duplicating some transitions, i.e.,
no new places are introduced. In both steps, the use of Petri nets allows us to keep the structure of
the model ‘small’.
Chapter 6 discusses how incidence matrix analysis for Petri net models may be used to validate
supervisors. A new class of P/T nets, called Elementary Composed State Machine nets, is deﬁned.
The reachability problem for this class can be solved by incidence matrix analysis. In fact it is
possible to derive a set of linear inequalities that exactly deﬁnes the set of reachable markings.
CHAPTER 1. INTRODUCTION 10
Thus, important properties of discrete event systems, such as the absence of blocking states or
controllability, may be analyzed by Integer Programming techniques.
Chapter 7 deﬁnes a class of speciﬁcations, called generalized mutual exclusion constraints, for
discrete event systems modeled using P/T nets. These speciﬁcations may be easily enforced on a
net systemwhere all transitions are controllable, by a set of places called monitors. However, when
some of the transitions of the net are uncontrollable this technique is not always applicable. For
some classes of nets, we prove that mutual exclusion constraints may always be enforced by mon
itors, even in the presence of uncontrollable transitions. For one of these classes, marked graphs
with control safe places, we compare a monitorbased solution of mutual exclusion problems with
several supervisory based solutions.
Chapter 8 concludes the thesis with a discussion of the original contributions and listing pos
sible further directions of research.
Appendix A reviews some basic concepts of formal languages and Petri net languages.
Appendix B is a short introduction to Supervisory Control and supervisory design techniques.
Appendix C is a glossary of the notation used in the thesis.
Chapter 2
LITERATURE REVIEW
The literature of interest to this research covers different topics. Firstly, we reviewthe work done in
Supervisory Control. This provides the theoretical basis of our research. Secondly, it is interesting
to compare PN with other logical models that have been used in Supervisory Control. Thirdly,
since our approach is based on formal languages, we review the work on Petri net languages.
Finally, we consider the efﬁcient validation of PN models, using techniques based on incidence
matrix analysis, reduction rules, and synthesis operators.
2.1 Supervisory Control Theory
The supervisory theory by Ramadge and Wonham is so far the most comprehensive theory for
the control of discrete event systems. It is based on the concept of a supervisor [Ramadge 83,
Ramadge 87], i.e., an agent that is capable of disabling the controllable transitions of a DES in
response to the traces of events generated. The Supervisory Control Problem (SCP) consists in
designing a supervisor which restricts the traces generated by the system within a legal behavior.
If the legal behavior is a controllable language [Wonham 87] a supervisor exists. If the legal
behavior is not controllable, we have to further restrict the system’s behavior to the supremal
controllable sublanguage for which a supervisor exists. The authors prove in these seminal papers
that the supremal controllable sublanguage always exists (but may be the empty language), and in
the regular case may be determined with a ﬁnite procedure.
In [Lafortune 90a] a new control problem is studied: the Supervisory Control Problem with
Blocking (SCPB). Here it is assumed that in some cases the solution to the SCP (supremal control
lable sublanguage) may be too conservative. A dual concept is deﬁned — the inﬁmal controllable
superlanguage — and is used to determine a supervisor that may also permit blocking in order
to achieve a larger behavior. In [Lafortune 90a] Lafortune and Chen introduce two performance
measures (in terms of satisﬁcing and blocking), and techniques to improve each of these two con
ﬂicting measures. An extension of this work is [Lafortune 91] where the Supervisory Control
Problem with Tolerance (SCPT) is deﬁned. Given a desired and tolerated behavior, the problem
is that of designing a controller such that the controlled system never goes beyond the tolerated
behavior and achieves as much as possible of the desired behavior. Under very general hypotheses
on desired and tolerated behavior, Lafortune and Lin show that a solution to SCPT exists and is
unique, but may be blocking. A non blocking solution exists but is not necessarily unique.
In [Cieslak 91] Cieslak et al., discuss and solve the Supervisory Control and Observation
Problem (SCOP) and the Decentralized Supervisory Control Problem (DSCP). In SCOP the as
sumption is that a mask is present between the controlled system and supervisor, so that the super
visor cannot observe all the transitions, or cannot distinguish between some of them. In DSCP it
is assumed that the control action is enforced by local supervisors that control only subsystems. In
11
CHAPTER 2. LITERATURE REVIEW 12
[Lin 88, Lin 90] Lin and Wonham discuss the Decentralized SCOP (DSCOP) where both partial
observations and decentralized control are incorporated into the control structure. However, the
only mask operator considered in this paper is the language projection operator.
In [Brave 90] Brave and Heymann deﬁne stabilization as the ability of a discrete event process
to reach a set of target states from an arbitrary initial state and then remain there indeﬁnitely. A
slightly different problem that the authors examine is recovery under control failure. In both cases
they present design algorithms for controllers that improve the stabilization of processes.
In [Ushio 90] Ushio discusses the conditions under which a ﬁnite state supervisor (FSS) may
be constructed to solve a SCP. From [Ramadge 87] it was known that a FSS exists when both
system’s behavior and speciﬁcation language are regular. Here the author derives necessary and
sufﬁcient conditions for the general case.
The case of the inﬁnite state supervisor is discussed by Sreenivas and Krogh [Sreenivas 92].
They use Petri nets with inhibitory arcs (PNIA), which are known to have a modeling power
equivalent to Turing machines, to describe inﬁnite state systems. Thus, they prove that a PNIA
supervisor exists if the system’s and speciﬁcation behaviors are Turing computable languages.
However, important properties, such as determining if the behavior of a PNIA is controllable, are
undecidable.
In [Ramadge 86, Wonham 88b] a modular approach to the design of supervisors is consid
ered. The speciﬁcation language is composed of different speciﬁcations, each enforced by a single
supervisor. A global control law can be enforced by the conjunction of all the supervisors. Unfor
tunately in the general case the resulting system may be blocking. When the languages controlled
by each supervisor are nonconﬂicting, however, the nonblocking condition is assured as well.
In [Ramadge 89b, Tadmor 89, Tsitsiklis 87] different problems of computation and the re
lated issue of computational complexity are considered. A review of the theory is presented in
[Ramadge 88, Ramadge 89b, Wonham 88a].
2.2 Logical Models for Discrete Event Systems
Numerous approaches to the modeling of discrete event systems have appeared in the literature.
2.2.1 Transition Models
Aveyard [Aveyard 74] presents a Boolean matrix equation model for a class of DES in which
the state change associated with each event occurrence is deterministic, and in which all units or
entities are permanent. The model, one of the ﬁrst to be presented, permits checking of simple
properties such as whether the system is deterministic and if it will hang or cycle.
Ramadge [Ramadge 89a] introduces Büchi automata in the modeling of DES. The model is
used to extend the concept of controllable language to nonﬁnite strings and to derive conditions
for the existence of a supervisor to implement a prescribed closedloop behavior. Several inter
esting control synthesis problems have a computationally tractable solution when Büchi automata
models are used.
2.2.2 Temporal Logic
Hailpern and Owicki [Hailpern 83] use temporal logic (a formalismintroduced by Pnueli [Pnueli 79]
for formalizing the semantics of concurrent programs) to model computer communication proto
cols. The model is used for the modular veriﬁcation of safety and liveness for parallel processes.
The temporal logic formalism is applied by Ostroff and Wonham [Ostroff 90b, Ostroff 90a]
to the control of realtime discrete event systems. Temporal logic is a useful tool in the formal
CHAPTER 2. LITERATURE REVIEW 13
ization of the control problem. However the validation of the model is based on theorem proving
techniques and is difﬁcult to perform.
2.2.3 Communicating Processes
Milne and Milner [Milne 79] deﬁne concurrent processes by means of a net algebra and deﬁne a
minimal set of operations for composing processes. The ﬁnal result of this research is presented
in [Milner 80], where the Calculus of Communicating Systems (CCS) is introduced. CCS is one
of the standard models for concurrent systems on which recent and ongoing research is focused.
In [De Cindio 83] De Cindio et al. compare CCS with Petri nets. They prove that CCS deﬁnes a
class of concurrent systems composed of interacting sequential automata. In fact the CCS models
are isomorphic to a subclass of Petri nets, Superposed Automata Nets deﬁned in [De Cindio 82].
Inan and Varaiya [Inan 88] present a class of discrete event models called ﬁnitely recur
sive processes whose formal structure is based on Hoare’s communicating sequential processes
[Hoare 85]. The descriptive power of the model and its use in performance evaluation is also in
vestigated. The authors prove that their formalism can easily model any Petri net. However the
proof is limited to ordinary Petri nets: when the multiplicity of the arcs is greater than one, the
complexity of the ﬁnitely recursive process grows and nondeterminism needs to be introduced.
2.2.4 Controlled Petri Nets
Several authors have used a particular Petri net model, called controlled Petri nets, within the
framework of Supervisory Control. Controlled PN have been introduced by Ichikawa and Hi
raishi [Ichikawa 88a] to study the inputoutput behavior of discrete event models. This model is
a standard PN with the addition of external input places, whose marking is given by an external
function. It is furthermore assumed that only the marking of a set of so called external output
places may be observed. In the paper, Ichikawa and Hiraishi restrict the ﬁring policy on the net to
be decisionfree, i.e., all enabled transitions should ﬁre simultaneously. Under these hypotheses
the modeling power of the net is increased by the capability of detecting whether a place is empty;
they can prove that this model is equivalent to Turing machines.
Krogh [Krogh 87] applies controlled PN to Supervisory Control. He assumes that each tran
sition is associated to at most one external input place and studies how the behavior of the net
can be restricted within a certain behavior by a particular marking function for the external input
places, i.e., a particular control law. This control law is implementing a state feedback rather than
a trace feedback, i.e., it is a function of the actual marking of the system rather than a function of
the string of events generated by the system. The author deﬁnes the control law that generates the
supremal controllable sublanguage as the maximally permissible feedback. He also notices that
the maximally permissible feedback may not be unique because of the particular ﬁring policy that
permits the simultaneous ﬁring of enabled transitions.
Ushio and Matsumoto [Ushio 88] derive necessary and sufﬁcient conditions for the uniqueness
of the maximally permissible feedback on controlled PN. In a subsequent paper [Ushio 89], Ushio
also derives necessary and sufﬁcient conditions for the existence of a control law that satisﬁes a
given speciﬁcation.
Holloway and Krogh [Holloway 90, Krogh 91] show that, for restricted classes of nets and
restricted speciﬁcations, the control problem may be solved with great computational efﬁciency
by analysis of the net structure. The class of controlled Petri nets considered is cyclic marked
graphs and the admissible speciﬁcations consist of forbidden markings that simultaneously assign
tokens to one or more set of places. Although these restrictions are certainly heavy, the authors
show an interesting manufacturing example that requires the coordination of automated guidance
vehicles. Liveness properties under control are discussed in [Holloway 92a].
CHAPTER 2. LITERATURE REVIEW 14
The main characteristic of the controlled PN approach to supervisory control is the fact that
no transition structure for a controller is given. The control law is a function of the actual marking
of the net, but need to be computed at each step, whereas if a transition structure is given for a
supervisor, a closedloop model can be constructed and analyzed to ensure that it has the desired
properties.
2.3 Petri Net Languages
Baker [Baker 72] is one of the ﬁrst to introduce the basic idea of associating a language with a Petri
net and using this language to describe the behavior of the net. In his Master’s thesis [Baker 73],
Petri nets are considered in the context of formal language theory, and their preﬁx language is
studied.
In Hack [Hack 75a, Hack 75b], two basic language classes are distinguished: the preﬁx lan
guage and the marked language. Different languages which result fromdifferent types of transition
labeling are also considered. For each of these classes, simple closure properties, characterizations
and decidability problems (e.g., for membership, emptiness, and ﬁniteness) are obtained.
A survey and tutorial on Petri net languages is presented in [Peterson 81] Chapter 6. Here
the deﬁnition and classiﬁcation of these languages is given; the closure properties of Petri net
languages under several form of composition (union, intersection, concatenation, concurrency,
and substitution) and under some operations (reversal, complement, and indeﬁnite concatenation)
are examined; the relationship between Petri net languages and other classes of formal languages
are investigated.
Another comprehensive tutorial on Petri net languages is a paper by Jantzen [Jantzen 87].
Closure properties and relationship among the different classes of Petri net languages are reported
with additional results, not presented by Peterson.
Parigot and Peltz [Parigot 86] have characterized PN languages in terms of logical formalism.
The language power of Petri nets is shown to be greater than that of ﬁnite automata as a result
of the additional ability of Petri nets to test if a string of parentheses is well formed. The logical
formalism may be used to prove that a given language is a Petri net language and to construct a
Petri net having a given ﬁnite behavior. Peltz [Peltz 86] has also extended the study to the inﬁnite
sequential behavior of Petri nets.
2.4 Incidence Matrix Analysis of Petri Nets
Incidence matrix and related analysis techniques are used by several authors to validate properties
of P/T nets.
Colom [Colom 89] develops a methodology for the veriﬁcation of assertions on P/T nets in
terms of markings and ﬁring count vectors. This approach is extremely general, i.e., can be applied
to any P/T net but, unfortunately, can only guarantee necessary or sufﬁcient conditions. There
exists assertions, such as determining if a marking is a home state, for which neither a necessary
nor a sufﬁcient condition can be given. Within this framework, Silva and Colom [Silva 89a] give
algorithms to efﬁciently compute the structural synchronic invariants of P/T nets.
Berthomieu [Berthomieu 87] uses the set of linear equations given by the Psemiﬂows to rep
resent the space of reachable markings. In this case, only properties that depend on the markings
can be proved. However, the author also shows that it is possible to prove some properties that
depend on the ﬁring count vector by adding to the net new places whose marking indicates the
number of times a given transition has ﬁred.
Johnen [Johnen 87] uses an hybrid approach, based partly on incidence matrix analysis and
partly on the analysis of the state space, to verify that a given marking is a home state.
CHAPTER 2. LITERATURE REVIEW 15
Ichikawa and Hiraishi study under which conditions a ﬁring count vector σ, satisfying the state
equation of a Petri net, yields a ﬁring sequence. In [Ichikawa 88b], as reported in [Murata 89], they
prove that in acyclic nets, σ always yields a ﬁring sequence. In [Ichikawa 88a, Murata 89] other
classes of nets, such as trapcircuit nets, trapcontainingcircuit nets, etc., are considered. For these
classes, there exist necessary and sufﬁcient conditions, based on the analysis of the ﬁring subnet,
to determine if σ gives a ﬁring sequence. Murata also discusses reachability in marked graphs in
[Murata 77].
Avrunin et al. [Avrunin 91] use a formalism similar to Petri net incidence matrix analysis for
verifying properties of concurrent systems described as ﬁnite state automata.
2.5 Synthesis and Reduction of Petri Nets Models
In the synthesis of Petri net models there are two main approaches: bottomup and topdown. Fol
lowing the ﬁrst approach a complete net is constructed combining subnets under given operators;
in the second approach, transition and places in a net can be replaced by a more detailed subnet.
In both cases the synthesis rules are such as to preserve some properties of the original modules.
A complementary approach is that of deﬁning reduction rules that preserve the properties of
interest, while simplifying the structure of the net to make analysis easier.
Berthelot [Berthelot 86, Berthelot 87] has presented several reduction rules. In [Berthelot 86]
he also discusses the composition of nets by common transitions as a complementary technique to
the reduction methods. The classes of reduction rules include: place transformations, that reduce
the net structure by eliminating redundant places but do not modify the state space; transition
transformations, which by fusing transitions reduce both structure and state space of the net. The
properties preserved by these transformations are: covering with Psemiﬂows (i.e., conservative
ness), proper termination, home states and liveness. The author also proves that there are classes
of nets to which these transformations can be repeatedly applied to reduce the net to a single tran
sition. Two such classes are: live and bounded marked graphs (a structural class); live, bounded,
and persistent nets (a behavioral class).
Best and Fernández [Best 86] deﬁne the notion of Snet, a net in which each transition has at
most one input place and one output place. An Sdecomposition is a partition of a net into Snet
components.
Hack [Hack 72, Hack 74] studies the composition of state machines, deﬁning a state machine
decomposable net as a net constructed by composition of strongly connected state machines along
common transitions.
The class of nets obtained by composition of state machine modules is named Superposed
Automata Nets by De Cindio, et al. [De Cindio 82].
Narahari and Viswanadham [Narahari 85] deﬁne a union operator
1
for pure Petri nets, i.e., PN
with no selﬂooping transitions. Two theorems are presented, stating that the Psemiﬂows and/or
the Tsemiﬂows of the union of two Petri nets can be immediately expressed — in speciﬁc cases
— in terms of the invariants of the two subnets. The invariants are used to analyze important
qualitative aspects of the system such as absence/existence of deadlocks. Finally, the authors
illustrate how this technique may be applied to the modeling of ﬂexible manufacturing systems.
Beck and Krogh [Krogh 86] present a methodology for constructing a class of P/T nets for
modeling discrete processes. The synthesis of Petri nets is realized by joining subnets along
common simple elementary paths. This composition maintains the properties of safeness and
liveness; the Psemiﬂows of the resulting net can also be easily found in term of the Psemiﬂows
1
This operator is different from the union operator as deﬁned in [Peterson 81], which given two Petri nets generating,
respectively, languages L
1
and L
2
constructs a Petri net generating the language L = L
1
∪ L
2
.
CHAPTER 2. LITERATURE REVIEW 16
of the subnets. The authors introduce a modiﬁed Petri net model [Beck 86] more suitable for the
modeling of manufacturing systems by means of the synthesis approach they propose.
Datta and Gosh [Datta 84, Datta 86] present a technique for the modular synthesis of PN. The
nets being considered are regular nets, i.e., nets where forks and joins are symmetrical, and where
the subnets between a fork and a join are marked graphs. The modules are connected through a
set of input/output places, that act as mailboxes. Finally, it is possible to give rules to connect the
modules in a way that preserves liveness and boundedness.
Zhou [Zhou 90] has studied a formal methodology for the synthesis of Petri nets in manu
facturing. The approach followed is called hybrid, in the sense that it is partially topdown and
partially bottomup. The author has also discussed how liveness properties for systems with shared
resources depend on the value of the initial marking of the net.
Koh [Koh 92] has studied the compositions of live and bounded circuits along paths. The
composition allows the fusion of overlapping paths, and has been extended to colored Petri nets.
The author has studied under which conditions the composed system is live and bounded.
Chapter 3
BASIC NOTATION
3.1 Petri Nets
3.1.1 Place/Transition Nets
A Place/Transition net (P/T net) is a structure N = (P, T, Pre, Post) where:
• P is a set of places represented by circles, [P[ = m;
• T is a set of transitions represented by bars, [T[ = n;
• Pre : P T → IN is the preincidence function that speciﬁes the arcs directed from places
to transitions;
• Post : P T → IN is the postincidence function that speciﬁes the arcs directed from
transitions to places.
Here IN = ¦0, 1, 2, . . .¦. It is assumed that P ∩ T = ∅ and P ∪ T ,= ∅.
A net is pure if it has no selﬂoops, i.e., if [Pre(p, t) = 0 ∨ Post(p, t) = 0] for every place p
and for every transition t. If a net is pure the incidence functions can be represented by a single
matrix, the incidence matrix of the net, deﬁned as C(p, t) = Post(p, t) −Pre(p, t).
The preset and postset of a transition t are respectively
•
t = ¦p ∈ P [ Pre(p, t) > 0¦,
t
•
= ¦p ∈ P [ Post(p, t) > 0¦.
The preset and postset of a place p are respectively
•
p = ¦t ∈ T [ Post(p, t) > 0¦,
p
•
= ¦t ∈ T [ Pre(p, t) > 0¦.
A trap is a set of places T ⊆ P such that
_
p∈T
p
•
⊆
_
p∈T
•
p.
A trap is minimal if it is not the superset of another trap. A trap is basic if it is not the union of
other traps.
A siphon is a set of places o ⊆ P such that
_
p∈S
•
p ⊆
_
p∈S
p
•
.
17
CHAPTER 3. BASIC NOTATION 18
A Psemiﬂow (or nonnegative Pinvariant) is a vector Y : P → IN, such that Y ≥
0 and
Y
T
C =
0. The support of Y is Q
Y
= ¦p ∈ P [ Y (p) > 0¦.
The reversal of N = (P, T, Pre, Post) is the net N
R
= (P, T, Post, Pre), i.e., a new net
where the direction of all arcs of N is reversed.
A state machine is a P/T net such that each transition has exactly one input arc and one output
arc. A marked graph is a P/T net such that each place has exactly one input arc and one output
arc.
A P/T net is connected if in the underlying graph
1
there exists a path (not necessarily directed)
from any vertex to all others; strongly connected if there exists a directed path from any vertex to
all others; acyclic if no directed path forms a cycle.
3.1.2 Marked Nets
A marking is a vector M : P → IN that assigns to each place of a P/T net a nonnegative integer
number of tokens, represented by black dots. M(p) denotes the number of tokens assigned by
marking M to place p. The set of all markings deﬁned on a net N = (P, T, Pre, Post) is IN
P
.
A net system or marked net ¸N, M
0
) is a net N with an initial marking M
0
.
A transition t ∈ T is enabled at a marking M if M ≥ Pre(, t). If t is enabled at M, then t
may ﬁre yielding a new marking M
with M
= M + C(, t). We will write M [t) M
to denote
that t may ﬁre at M yielding M
.
A ﬁring sequence from M
0
is a (possibly empty) sequence of transitions σ = t
1
. . . t
k
such
that M
0
[t
1
) M
1
[t
2
) M
2
[t
k
) M
k
. We will also write M
0
[σ) M
k
to denote that we may ﬁre
σ at M
0
yielding M
k
.
A marking M is reachable in ¸N, M
0
) if there exists a ﬁring sequence σ such that M
0
[σ) M.
Given a marked net ¸N, M
0
), the set of ﬁring sequences (also called language of the net) is
denoted L(N, M
0
) and the set of reachable markings (also called reachability set of the net) is
denoted R(N, M
0
).
Let marking M be reachable from marking M
0
by ﬁring a sequence of transitions σ. Then
the following state equation is satisﬁed: M = M
0
+ C σ, where σ : T → IN is a vector of
nonnegative integers, called the ﬁring count vector. σ(t) represents the number of times tran
sition t appears in σ. The set of markings M such that there exists a vector σ satisfying the
previous state equation is called the potentially reachable set and is denoted PR(N, M
0
). Note
that PR(N, M
0
) ⊇ R(N, M
0
).
The ﬁring subnet given by a ﬁring count vector σ consists of all the transitions t ÷ σ(t) ≥ 0,
and of their input and output places.
Let B be a basis of Psemiﬂows of the net N. A marking M ∈ PR(N, M
0
) satisﬁes the fol
lowing systemof equations: B
T
M = B
T
M
0
. The set of markings satisfying the previous system
of equations is denoted PR
B
(N, M
0
) [Colom 89]. Note that PR
B
(N, M
0
) ⊇ PR(N, M
0
).
A marked net ¸N, M
0
) is:
• Bounded, if there exists a nonnegative integer k such that M(p) ≤ k for every place p and
for every marking M ∈ R(N, M
0
);
• Safe (or 1bounded), if M(p) ≤ 1 for every place p and for every marking M ∈ R(N, M
0
);
• Conservative, if there exists a vector of positive integers Y such that Y
T
M = Y
T
M
0
for every marking M ∈ R(N, M
0
);
• Live, if from every marking M ∈ R(N, M
0
) there exists a ﬁring sequence containing all
transitions;
1
The graph underlying a Petri net has as vertices places and transitions, and as directed edges the arcs speciﬁed by
Pre and Post.
CHAPTER 3. BASIC NOTATION 19
• Reversible, if the initial marking M
0
is reachable from every reachable marking M ∈
R(N, M
0
).
A place p of a marked net ¸N, M
0
) is implicit [Silva 85] if L(N, M
0
) = L(N
, M
0
), where
¸N
, M
0
) is the marked net obtained from ¸N, M
0
) by removing place p and all its input/output
arcs. A place p of a net N is structurally implicit if there exists an initial marking M
0
such that p
is implicit in ¸N, M
0
).
3.2 Formal Languages
Let Σ be an alphabet, i.e., a set of symbols. A language L over Σ is a set of strings composed with
symbols in Σ, i.e., L ⊆ Σ
∗
.
Let Σ
1
, . . . , Σ
n
be alphabets and let Σ = Σ
1
∪. . . ∪Σ
n
. Given a string w ∈ Σ
∗
, the projection
(or restriction) of w on Σ
i
is the string w ↑
i
obtained from w by deleting all the symbols not
belonging to Σ
i
. Formally the projection operator is a mapping from Σ
∗
to Σ
∗
i
.
Let Σ
1
, . . . , Σ
n
be alphabets; let L
1
, . . . , L
n
be languages deﬁned on them; let Σ = Σ
1
∪. . . ∪
Σ
n
. The concurrent composition (or synchronization) of L
1
, . . . , L
n
, denoted L = L
1
 . . .  L
n
,
is the language over Σ deﬁned as
L = ¦w ∈ Σ
∗
[ w ↑
i
= w
i
∈ L
i
, i = 1, . . . , n¦.
As a particular case, when the alphabets Σ
1
, . . . , Σ
n
are disjoint, i.e., Σ
i
∩ Σ
j
= ∅ (i ,= j), L
is called a shufﬂe language and is denoted by L = L
1

d
. . . 
d
L
n
.
Let L be a language on Σ, and let Σ
e
be a disjoint alphabet. The selﬂoop of L with respect to
Σ
e
is the language
L
= L 
d
Σ
∗
e
.
Let Σ
1
, . . . , Σ
n
be alphabets; let L
1
, . . . , L
n
be languages deﬁned on them; let Σ = Σ
1
∩. . . ∩
Σ
n
. The intersection of L
1
, . . . , L
n
, denoted L = L
1
∩ . . . ∩ L
n
, is the language over Σ deﬁned
as
L = ¦w ∈ Σ
∗
[ w ∈ L
i
, i = 1, . . . , n¦.
3.3 Petri Net Languages
This section presents the notation used for Petri net languages. A more detailed review of Petri net
languages is presented in Appendix A.
We will represent a discrete event system (DES) as a labeled Petri net (or Petri net generator)
[Jantzen 87, Peterson 81], i.e., as a 4tuple G = (N, , M
0
, F) where
• N = (P, T, Pre, Post) is a Petri net structure;
• : T → Σ is a labeling function that assigns to each transition a label from the alphabet of
events Σ and will be extended to a mapping T
∗
→ Σ
∗
as shown in Appendix A.1;
• M
0
is an initial marking;
• F is a ﬁnite set of ﬁnal markings.
The two languages associated with G are the Llanguage (also called marked behavior in
the context of Supervisory Control) and the Planguage (also called closed behavior) deﬁned as
follows [Peterson 81].
CHAPTER 3. BASIC NOTATION 20
Given a DES G = (N, , M
0
, F), the Ltype language of G is
L
m
(G) = ¦(σ) ∈ Σ
∗
[ σ ∈ T
∗
, M
0
[σ) M ∈ F¦,
and the Ptype language of G is
L(G) = ¦(σ) ∈ Σ
∗
[ σ ∈ T
∗
, ∃M
÷ M
0
[σ) M
¦.
Note that in this deﬁnition of labeled net we are assuming that is a λfree labeling function,
according to the terminology of [Peterson 81], i.e., no transition is labeled with the empty string λ
and two (or more) transitions may have the same label. The classes of Ltype and Ptype languages
generated by labeled nets is denoted L and T respectively.
A deterministic PN generator [Jantzen 87] is such that the string of events generated from
the initial marking uniquely determines the sequence of transitions ﬁred. Formally, a DES G =
(N, , M
0
, F) is deterministic if ∀t, t
∈ T, with t ,= t
and ∀M ∈ R(N, M
0
), M [t) ∧
M [t
) =⇒ (t) ,= (t
). We will always assume that the generators considered here are determin
istic. The classes of Ltype and Ptype PN languages generated by deterministic PN generators are
denoted, respectively, L
d
and T
d
. Note that T
d
⊂ T and L
d
⊂ L (strict inclusion) [Jantzen 87].
3.4 Supervisory Control
This section presents the language notation used for Supervisory Control. A more detailed review
of Supervisory Control is presented in Appendix B.
Let L be a language on alphabet Σ. Its preﬁx closure is the set of all preﬁxes of strings in L:
L = ¦σ ∈ Σ
∗
[ ∃τ ∈ Σ
∗
÷ στ ∈ L¦. A language L is said to be closed if L = L.
Two languages L
1
and L
2
are said to be nonconﬂicting [Wonham 88b] if L
1
∩ L
2
= L
1
∩L
2
.
In the following, let G = (N, , M
0
, F) be a DES with alphabet of events Σ.
G is nonblocking if any string that belongs to its closed behavior may be completed to a
string that belongs to the marked behavior. A deterministic DES is nonblocking if and only if
L(G) = L
m
(G).
Alanguage K ⊂ Σ
∗
is said to be L
m
(G)closed if K∩L
m
(G) = K∩L
m
(G). In the case that
K ⊆ L
m
(G), this deﬁnition is reduced to the usual deﬁnition of L
m
(G)closed: K = K∩L
m
(G)
[Ramadge 89b].
The alphabet of events Σ is partitioned into two disjoint subsets: Σ
c
, the set of controllable
events, and Σ
u
, the set of uncontrollable events. The controllable events may be disabled by a
controlling agent in order to restrict the behavior of the system within a legal behavior, while
uncontrollable events may never be disabled.
A language K ⊂ Σ
∗
is said to be controllable with respect to L(G) if KΣ
u
∩ L(G) ⊆ K
[Ramadge 87]. The set of all languages controllable wrt L(G) is denoted ((G).
If a language L ⊂ Σ
∗
is not controllable with respect to L(G) we may compute its supremal
controllable sublanguage [Wonham 87] deﬁned as: L
↑
= sup¦K ⊆ L [ K ∈ ((G)¦.
Chapter 4
ON THE EXISTENCE OF PETRI NET
SUPERVISORS
4.1 Introduction
This chapter discusses some theoretical issues related to the use of Petri nets in Supervisory Con
trol Theory. We are interested in obtaining necessary and sufﬁcient conditions for the existence of
a Petri net supervisor under the hypothesis that the system’s behavior and the legal behavior are
both Petri net languages.
In the case of systems and speciﬁcations modeled by ﬁnite state machines (i.e., by generators
of regular languages), Ramadge and Wonham [Wonham 87] have proved that the supervisor may
also be modeled as a ﬁnite state machine. The PN models generally considered in Supervisory
Control are conservative PN, a subclass of P/T nets whose set of reachable markings is ﬁnite. Thus
the class of languages generated by these models is equivalent to the class of regular languages,
and all the results for regular languages may apply to them as well.
Here we discuss the use of more general models with a possibly inﬁnite set of reachable
markings. We consider three problems [Giua 92c].
• The ﬁrst problem regards the trimming of a blocking system, i.e., the modiﬁcation of its
structure in order that no blocking state may be reached while preserving its marked behav
ior. We prove that the trimming of a PN is not always possible and we deﬁne a new class of
PN languages that may be generated by nonblocking generators.
• The second problem regards the existence of a PN supervisor, i.e., a supervisor whose con
trol action is implicit in its net structure. The advantage of such a supervisor, as opposed to a
supervisor given as a feedback function, is that a closed loop model of the controlled system
may be constructed and analyzed using the same PN analysis techniques that are used to
analyze the system. By suitable modiﬁcation of the results given by Ramadge and Wonham
[Ramadge 87, Ramadge 89b] we are able to derive necessary and sufﬁcient conditions for
the existence of supervisors as net systems.
• The ﬁnal problem regards the closure of PN languages under extraction of the supremal
controllable sublanguage. In this case, by means of an example, we show that PN languages
are not closed under this operator.
4.2 Petri Nets and Blocking
A ﬁrst issue when using Petri nets as discrete events models for supervisory control regards the
trimming of blocking net systems. The problem is the following: given a PN generator G with
21
CHAPTER 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 22
Figure 4.1: Blocking system in Example 4.1.
Figure 4.2: Trimmed system in Example 4.1.
marked behavior L
m
(G) and closed behavior L(G) ⊃ L
m
(G) we want to modify the structure
of the net so that no blocking markings may be reached, i.e., so that L(G) = L
m
(G).
On a simple model such as a state machine this may be done, trivially, by removing all states
that are reachable but not coreachable (i.e., no ﬁnal state may be reached from them) and all their
input and output transitions.
On Petri net models the trimming may be more complex. In Chapter 5 is discussed the case of
conservative nets. If the Petri net is conservative the trimming may be done without major changes
of the net structure, in the sense that we have to add new arcs and possibly duplicate transitions
without introducing new places.
As the following example shows, unbounded Petri net models may require more extensive
changes of the net structure.
Example 4.1. Let G be the PN generator in Figure 4.1, with M
0
= (100)
T
and set of ﬁnal
markings F = ¦(001)
T
¦. The behaviors of this system are: L
m
(G) = ¦a
m
cb
n
[ m = rn, n ≥ 0¦
and L(G) = ¦a
m
cb
n
[ m ≥ rn, n ≥ 0¦. The system is clearly blocking, since the string
w = a
r+1
c ∈ L(G), for example, cannot be completed to a string in L
m
(G) (assuming r > 1).
To avoid reaching a blocking state we require that p
2
contain a multiple of r tokens when the
transition labeled c is allowed to ﬁre. A possible solution is shown in Figure 4.2, where we have
introduced r −1 new places and new transitions labeled a.
There are some cases, furthermore, in which the trimming of a net system is not possible. The
reason for this is given by the following theorem.
Theorem 4.1. There exist Ltype Petri net languages whose preﬁx closure is not a Ptype Petri net
language, i.e., ∃L ∈ L ÷ L ,∈ T.
The proof of this theorem will be given by means of the next example and the following
proposition.
CHAPTER 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 23
Figure 4.3: Blocking system G in Example 4.2.
Example 4.2. Let G be the PN generator in Figure 4.3.(a), with M
0
= (1000)
T
and set of ﬁnal
markings F = ¦(0001)
T
¦. The behaviors of this system are: L
m
(G) = ¦a
m
ba
m
b [ m ≥ 0¦
and L(G) = ¦a
m
ba
n
b [ m ≥ n ≥ 0¦. From the reachability tree of the system, shown in
Figure 4.3.(b), it is clear that the system is blocking. To avoid reaching a blocking state we require
that p
2
be empty before ﬁring the transition inputting into p
4
. However, since p
2
is unbounded
this may not be done with a simple P/T structure. It is possible to introduce an inhibitor arc from
p
2
to the transition inputting into p
4
. Inhibitor arcs increase the modeling power, and the analysis
complexity, of Petri nets to that of a Turing machine, thus we cannot properly consider these
models as P/T nets. Petri nets with inhibitory arcs have been studied in the context of Supervisory
Control by Sreenivas and Krogh [Sreenivas 92].
We may formally prove that the preﬁx closure of the marked language of the system G dis
cussed in Example 4.2 is not a Ptype Petri net language. The proof is based on the pumping
lemma for Ptype PN languages, given in [Jantzen 87].
Lemma 4.1 (Pumping lemma). Let L ∈ T. Then there exist numbers k, l such that any string
w ∈ L, with [ w [≥ k, has a decomposition w = xyz with 1 ≤[ y [≤ l such that xy
i
z ∈ L, ∀i ≥ 1.
Proposition 4.1. L = ¦a
m
ba
m
b [ m ≥ 0¦ is not a Ptype Petri net language.
Proof . Given k and l according to the pumping lemma, let w = a
k
ba
k
b. Consider a partition
w = xyz, with 1 ≤[ y [≤ l. Clearly b ,∈ y, since in this case xy
i
z ,∈ L for i ,= 1. However
if w = a
n
.¸¸.
x
a
p
.¸¸.
y
a
q
ba
k
b
. ¸¸ .
z
, (n + p + q = k), or if w = a
k
ba
n
. ¸¸ .
x
a
p
.¸¸.
y
a
q
b
.¸¸.
z
, (n + p + q = k), then
xy
i
z ,∈ L for i ,= 1. Hence L is not a Ptype Petri net language.
We conclude this section with the deﬁnition of a new class of Ltype Petri net languages whose
preﬁx closure can be generated by a deterministic nonblocking Petri net generator. This class will
play an important role in characterizing the existence of Petri net supervisors, as we will discuss
in the next section.
Deﬁnition 4.1. A language L ∈ L (not necessarily deterministic) is said to be deterministic P
closed (DPclosed for short) if and only if its preﬁx closure is a deterministic Ptype Petri net
language, i.e., L ∈ T
d
. The class of DPclosed Petri net languages is denoted L
DP
.
CHAPTER 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 24
As a side note, we point out that the class L
DP
that we have deﬁned does not coincide with
any of the classes of PN languages generally considered in the literature [Jantzen 87]. The proof
follows from the fact that L
DP
is not closed under intersection, as we show in Example 4.5, while
all previously deﬁned classes of PN languages are closed under intersection.
4.3 Supervisor
A supervisor [Ramadge 87] is an agent that disables the controllable transitions of a system in
order to restrict its behavior within a legal behavior. Here we recall the fundamental deﬁnitions,
pointing to Appendix B.2 for a more detailed discussion.
Let us deﬁne a control input as a subset γ ⊆ Σ satisfying Σ
u
⊆ γ (i.e., all the uncontrollable
events are present in the control input). If a ∈ γ, the event a is enabled by γ (permitted to occur),
otherwise a is disabled by γ (prohibited from occurring); the uncontrollable events are always
enabled. Let Γ ⊆ 2
Σ
denote the set of all the possible control inputs. Formally, a supervisor is
a map f : L(G) → Γ specifying, for each possible string of events w ∈ L(G) generated by
the system G, the control input γ = f(w) to be applied at that point. It is often the case that a
supervisor is given as another discrete event system S that runs in parallel with G. The control
input at a given moment is represented by the events that are enabled in S, thus the function f is
implicit in the structure of S.
The objective is to design a supervisor that selects control inputs in such a way that the con
trolled system’s behavior is restricted within a legal speciﬁcation language. We consider the case
in which both the system G and the supervisor S are given as discrete event systems. The closed
loop system under control is denoted S/G. Its closed behavior is L(S/G) = L(S) ∩ L(G) and
its controlled behavior is L
m
(S/G) = L(S/G) ∩ L
m
(G) = L(S) ∩ L
m
(G). Note that we are
assuming that the supervisor does not mark strings, i.e., the marked strings of the system under
control are all and only the marked strings of the uncontrolled system that survive under control.
The following two theorems, also reported in Appendix B.3, are due to Ramadge and Wonham
[Ramadge 87, Ramadge 89b] and give necessary and sufﬁcient conditions for the existence of a
supervisor.
Theorem 4.2 ([Ramadge 87], P. 5.1). For nonempty L ⊆ L(G) there exists a supervisor S such
that L(S/G) = L if and only if L is preﬁx closed and controllable.
Theorem 4.3 ([Ramadge 87], T. 6.1). For nonempty L ⊆ L
m
(G) there exists a nonblocking
supervisor S such that L
m
(S/G) = L if and only if L is L
m
(G)closed and controllable.
If the system and the supervisor are Petri net generators, it is possible to construct a PN model
of the closed loop system under control S/G using the net counterpart of the intersection oper
ator on languages [Peterson 81]. If S and G are deterministic generators (as we always assume)
S/G is deterministic as well. Note also that while the closed behavior of S/G is L(S/G), the
marked behavior of S/G is not deﬁned since the controlled behavior L
m
(S/G) is not necessarily
a deterministic Ltype PN language.
4.4 Existence of Petri Net Supervisors
In this section, we present some theorems which give necessary and sufﬁcient conditions for the
existence of PN supervisors. In fact, although Theorem 4.2 and Theorem 4.3 specify under which
conditions there exist supervisors for a given control problem, it may well be the case that these
supervisors cannot be represented as Petri net generators, even if the system’s behavior and the
legal behavior are Petri net languages.
CHAPTER 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 25
Figure 4.4: System G in Example 4.3 and Example 4.5.
The ﬁrst two theorems regard the case in which we want to restrict the closed behavior of G
within the limits of a legal behavior L.
Theorem 4.4. Let G be a nonblocking PN and let L ⊆ L(G) be a nonempty language. There
exists a PN supervisor S such that L(S/G) = L if and only if L is a controllable deterministic
Ptype PN language, i.e., L ∈ T
d
∩ ((G).
Proof . (If) Since L ∈ T
d
then there exists a PN generator S ÷ L(S) = L. S is the desired
supervisor. In fact, since L ∈ ((G) then S, running in parallel with G, will never block an
uncontrollable transition of G and L(S/G) = L(S) ∩ L(G) = L. (Only if) Since L(S/G) = L
then L is a Ptype language for the PN representing the closed loop system and L ∈ T
d
. Also L is
controllable according to Theorem 4.2.
It may be interesting to consider the case in which the legal behavior L is not a subset of L(G).
In this case we are interested in restricting the system’s behavior to L∩L(G), and we simply need
to check whether L ∩ L(G) satisﬁes the conditions of the previous theorem. It may well be the
case that L ,∈ T
d
∩ ((G) but L ∩ L(G) ∈ T
d
∩ ((G), i.e., a PN supervisor for this problem may
exist even if L is not a PN language or if L is not closed and controllable. However, if L ∈ T
d
we
have the following theorem.
Theorem 4.5. Let G be a nonblocking PN and let L ⊆ Σ
∗
, with L(G) ∩ L ,= ∅, and L ∈ T
d
.
There exists a PN supervisor S such that L(S/G) = L ∩ L(G) if and only if L ∈ ((G).
Proof . (If) The sets T
d
and ((G) are closed under intersection, as proved, respectively, in
[Jantzen 87, Ramadge 87]. Hence L ∩ L(G) ∈ T
d
∩ ((G) and by Theorem 4.4 there exists a PN
supervisor S ÷ L(S/G) = L∩L(G). (Only if) Since L(S/G) = L∩L(G) then L∩L(G) ∈ T
d
.
Also L∩L(G) is controllable by Theorem 4.2, i.e., [L ∩ L(G)]Σ
u
∩L(G) ⊆ L ∩ L(G) ⊆ L =⇒
[L∩L(G)]Σ
u
∩L(G) ⊆ L (since languages in T
d
are preﬁx closed) =⇒ LΣ
u
∩L(G) ⊆ L, =⇒
LΣ
u
∩ L(G) ⊆ L (since L ∈ T
d
), hence L ∈ ((G).
Let us consider now the case in which we want to restrict the marked behavior of G within
the limits of a legal behavior L. In this case, unfortunately, the necessary requirements that L be
controllable and L
m
(G)−closed (by Theorem 4.3) are not sufﬁcient to insure the existence of a
nonblocking PN supervisor even if L ∈ L
d
. The following example discusses this case.
Example 4.3. Let G be the PN generator in Figure 4.4, with Σ
u
= ∅, M
0
= (100)
T
, and set
of ﬁnal markings F = ¦(001)
T
¦. The marked behavior of this system is: L
m
(G) = ¦a
∗
ba
∗
b¦.
Assume now that we want to restrict the marked behavior of G to L = ¦a
m
ba
m
b [ m ≥ 0¦ that is
clearly controllable and L
m
(G)−closed. However, since L ,∈ L
DP
(Proposition 4.1) there exists
no PN whose Ptype language is L. L is the Ltype language of the system E in Figure 4.3.(a)
with set of ﬁnal marking F = ¦(0001)¦, that however does not qualify as a supervisor for this
problem, since L
m
(E/G) = L(E) ∩ L
m
(G) ⊃ L.
CHAPTER 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 26
captionSystem G in Example 5.2.
The example shows the need to introduce the further requirement that the legal behavior L be
DPclosed for insuring the existence of a PN supervisor.
Theorem 4.6. Let G be a nonblocking PN and let L ⊆ L
m
(G) be a nonempty language. There
exists a nonblocking PN supervisor S such that L
m
(S/G) = L if and only if L ∈ L
DP
∩ ((G)
and L is L
m
(G)−closed.
Proof . (If) Since L ∈ L
DP
then there exists a PN S ÷ L(S) = L ⊆ L(G). S is the desired
supervisor. In fact: since L ∈ ((G), then clearly L ∈ ((G); since L is L
m
(G)−closed, then
L
m
(S/G) = L(S) ∩ L
m
(G) = L ∩ L
m
(G) = L; S is nonblocking, since L(S/G) = L(S) ∩
L(G) = L ∩ L(G) = L = L(S/G). (Only if) Since S is a nonblocking supervisor, then L ∈
((G) and L is L
m
(G)−closed, by Theorem 4.3. We need to prove that L = L
m
(S/G) = L(S)∩
L
m
(G) ∈ L
DP
. First note that L(S) ∈ T
d
, hence L(S) ∈ L ⊃ T ⊃ T
d
[Jantzen 87]. (Note
that L(S) although a deterministic Ptype language may be a nondeterministic Ltype language.)
Since L is closed under intersection [Jantzen 87], then L ∈ L. Also L = L(S/G) by the non
blocking hypothesis, hence L ∈ T
d
(since it is the deterministic Ptype language of closed loop
PN generator). It follows that L ∈ L
DP
.
Theorem 4.6 does not require L to be deterministic. In fact we want to restrict the marked
behavior of G to L by means of a non marking deterministic supervisor, that effectively solely
constrains the closed behavior of G. Hence it is sufﬁcient that Lbe a deterministic Ptype language
in order to construct a deterministic supervisor. The following example will clarify this point.
Example 4.4. Let G be the PN generator in Figure 4.5, with Σ
u
= ¦b¦, M
0
= (10)
T
, and set
of ﬁnal markings F = ¦(01)
T
¦. The marked behavior of this system is: L
m
(G) = ¦a
∗
ba
∗
¦.
Assume now that we want to restrict the marked behavior of G to L = ¦a
m
ba
n
[ m ≥ n ≥ 0¦.
L is an Ltype PN language and it can be proved that it is not deterministic, i.e., it cannot be
accepted by a deterministic generator with a ﬁnite set of ﬁnal states F. However L ∈ L
DP
, since
L is the deterministic Ptype language of the marked net S in Figure 4.6. Since L is controllable
and L
m
(G)−closed, S is a proper supervisor and is such that L
m
(S/G) = L.
We would like to extend Theorem 4.6 to the case in which the legal behavior L is not a subset
of L
m
(G). Unfortunately in this case the hypotheses of Theorem 4.6 are not sufﬁcient to insure
the existence of a PN supervisor. In fact, it may be possible that, although L ∈ L
DP
, L∩L
m
(G) ,∈
L
DP
.
Proposition 4.2. The class of DPclosed PN languages L
DP
is not closed under intersection.
The proof of the proposition follows from the following example.
Example 4.5. Let G be the PN generator in Figure 4.4, M
0
= (100)
T
, and set of ﬁnal markings
F = ¦(001)
T
¦. The marked behavior of this systemis: L
m
(G) = ¦a
∗
ba
∗
b¦ ∈ L
DP
. Consider the
language L = ¦a
m
b(bc)
∗
(a(bc)
∗
)
m
b [ m ≥ 0¦. Clearly L ∈ L
DP
since it is the marked behavior
of the nonblocking generator E in Figure 4.7, with the set of ﬁnal markings F = ¦(0001)
T
¦.
Unfortunately L ∩ L
m
(G) = ¦a
m
ba
m
b [ m ≥ 0¦ ,∈ L
DP
, as we have shown in Proposition 4.1.
CHAPTER 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 27
Figure 4.5: Supervisor S in Example 5.2.
Figure 4.6: Generator E in Example 4.5 and Example 4.6.
CHAPTER 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 28
The problem in the previous example is that L and L
m
(G) are conﬂicting, i.e., L∩L
m
(G) ⊃
L ∩ L
m
(G). Hence, while L ∩ L
m
(G) ∈ T
d
(since T
d
is closed under intersection) it may be
the case that L ∩ L
m
(G) ,∈ T
d
. If however the two languages are not conﬂicting, we have that
L ∩ L
m
(G) = L ∩ L
m
(G) ∈ T
d
.
Theorem 4.7. Let G be a nonblocking PN and let L ⊆ Σ
∗
, with L
m
(G) ∩ L ,= ∅. There exists
a nonblocking PN supervisor S such that L
m
(S/G) = L ∩ L
m
(G) if L ∈ L
DP
∩ ((G), L is
L
m
(G)−closed, L and L
m
(G) are not conﬂicting.
Proof . The class L and the set ((G) are closed under intersection [Jantzen 87, Ramadge 87].
Also, by the nonconﬂicting hypothesis, L ∩ L
m
(G) ∈ T
d
. Hence L ∩ L
m
(G) ∈ L
DP
∩ ((G).
Finally since L is also L
m
(G)−closed we can write: L ∩ L
m
(G) ∩ L
m
(G) = L ∩ L
m
(G) ∩
L
m
(G) = L∩L
m
(G) = L∩L
m
(G), i.e., L∩L
m
(G) is L
m
(G)−closed. By Theorem 4.6 there
exists a nonblocking supervisor S ÷ L
m
(S/G) = L ∩ L
m
(G).
The last theorem gives a sufﬁcient, but not necessary, condition for the existence of a PN
supervisor. In fact while: L ∈ ((G) =⇒ L ∩ L
m
(G) ∈ ((G) and L is L
m
(G)−closed =⇒
L ∩ L
m
(G) is L
m
(G)−closed, the converse is not true. A necessary and sufﬁcient condition for
the existence of a PN supervisor in the case the legal behavior L is not a subset of L
m
(G) may be
given, as a trivial corollary of Theorem 4.6, requiring that L ∩ L
m
(G) ∈ L
DP
∩ ((G) and that
L ∩ L
m
(G) be L
m
(G)−closed.
4.5 Petri Net Languages and Supremal Controllable Sublanguage
Our ﬁnal result regards the closure of PN languages under the supremal controllable sublanguage
operator
↑
[Wonham 87]. This result has been known, at least partially, by the control community
but has never been published before to the best of our knowledge.
Proposition 4.3. The classes T
d
and L
DP
of PN languages are not closed under the
↑
operator.
The proof of this proposition will be given by means of the following example.
Example 4.6. Let G be the PN generator in Figure 4.8, with Σ
u
= ¦a¦, M
0
= (1000)
T
, and
set of ﬁnal markings F = ¦(0001)
T
¦. Consider now the generator E in Figure 4.7 with the set
of ﬁnal markings F = ¦(0001)
T
¦. The two languages L(E) ∈ T
d
and L
m
(E) ∈ L
DP
are
not controllable. To show this we have drawn, in Figure 4.9, the reachability tree of the two
systems; since E reﬁnes G, we have represented the arcs that belong to the reachability tree of
both marked nets with continuous lines, while the arcs that only belong to the reachability tree of
G have been represented by dotted lines. L(E) and L
m
(E) are not controllable because of the
presence of the dotted arcs associated to the uncontrollable transition a. If we apply the
↑
operator,
we obtain the two supremal controllable sublanguages: L(E)
↑
= ¦a
m
ba
m
(bc)
∗
b [ m ≥ 0¦ and
L
m
(E)
↑
= ¦a
m
ba
m
(bc)
∗
b [ m ≥ 0¦, that are the closed and marked behavior of the generator in
Figure 4.10. L(E)
↑
,∈ T
d
, as can be proved using the pumping lemma in the same way we have
done in Proposition 4.1 (the string w = a
k
ba
k
b may be used to prove that no pumping is possible).
L
m
(E)
↑
,∈ L
DP
, since L
m
(E)
↑
= L(E)
↑
,∈ T
d
.
4.6 Conclusions
The results of this chapter show that although unbounded PN do not have all desirable properties
from the point of view of supervisory control, there are cases in which PN supervisors may be
constructed.
CHAPTER 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 29
Figure 4.7: Generator G in Example 4.6.
Figure 4.8: Reachability tree of G and E in Example 4.6.
Figure 4.9: Generator of L(E)
↑
and L
m
(E)
↑
in Example 4.6.
CHAPTER 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 30
The main difﬁculties when using Petri nets as discrete event models for supervisory control
stems out from the fact that not all Ltype PN languages are DPclosed and from the fact that the
class L
DP
of DPclosed languages is not closed under intersection. Another undesirable property
is given by the fact that the classes T
d
and L
DP
are not closed under the
↑
operator.
In the remaining part of the thesis we will consider simpler Petri net models, whose reachabil
ity set is ﬁnite.
Chapter 5
SUPERVISORY DESIGN USING
PETRI NETS
5.1 Introduction
In this chapter we discuss how Petri net models may be used to design supervisors within the
framework of Supervisory Control. The purpose is that of applying a model that has a great
representational power in the theoretical approach of Ramadge and Wonham. The discussion is
focused at the model level: we discuss the supervisory design algorithm and its counterpart on the
structure of a Petri net [DiCesare 91, Giua 91]. The design requires two steps. In the ﬁrst step, a
coarse structure for a supervisor is synthesized by means of concurrent composition of different
modules. In the second step, the structure is reﬁned to avoid reaching undesirable markings.
The chapter is structured as follows. In Section 5.2, we review the monolithic supervisory
design as formulated by Wonham and present a design based on the concurrent composition op
erator. In Section 5.3, we show that this design is well suited for Petri nets models. In particular,
we discuss how to reﬁne a coarse structure for a supervisor, by introducing new arcs (and possibly
duplicating transitions) to avoid reaching undesirable markings. This procedure may always be
applied when the net is conservative. In Section 5.4, we discuss the advantages of PN over state
machines, as far as the transition structure of the model is concerned.
5.2 Monolithic Supervisor Design
A supervisory design algorithm has been presented by Wonham [Wonham 88a]. The algorithm
is based on language operators and it may be implemented using different models. The only
requirement is that the model specify the closed and marked behavior of a system. We also require
that the linguistic operators introduced in Section 3.2 be extended to the model. For example,
given two DES G
1
, G
2
, with closed behaviors L(G
1
), L(G
2
) and marked behaviors L
m
(G
1
),
L
m
(G
2
) we denote: G = G
1
 G
2
the DES whose behaviors are: L(G) = L(G
1
)  L(G
2
) and
L
m
(G) = L
m
(G
1
)  L
m
(G
2
). In a similar fashion, we can extend other linguistic operators to
operators on the systems.
Assume we are given m nonblocking DES G
1
, . . . , G
m
working concurrently. The alphabet
of these systems are Σ
1
, . . . , Σ
m
and they are disjoint, i.e., Σ
i
∩ Σ
j
= ∅ for every i ,= j. We want
to enforce some speciﬁcations on the joint behavior of these systems, represented by n different
nonblocking generators H
1
, . . . , H
n
. Each speciﬁcation generator H
j
is deﬁned on an alphabet
Σ
H
j
⊆ Σ
1
∪ . . . ∪ Σ
m
and effectively constrains only the events that belong to its alphabet.
A monolithic supervisor may be constructed using the following algorithm [Wonham 88a].
Algorithm 5.1. Wonham Supervisory Design
31
CHAPTER 5. SUPERVISORY DESIGN USING PETRI NETS 32
1. Construct by shufﬂing G = G
1

d
. . . 
d
G
m
. G models the joint concurrent behavior
of the overall system under the assumption that the actions of the single subsystems are
asynchronous and independent. The alphabet of G is Σ = Σ
1
∪ . . . ∪ Σ
m
.
2. Augment the speciﬁcations, selﬂooping each H
j
with the event labels present in G but un
constrained by H
j
, i.e., the labels in Σ
e
j
= Σ¸Σ
H
j
. Call these newgenerators H
1
, . . . , H
n
.
3. Construct by intersection H = H
1
∩ . . . ∩ H
n
. H represents the global speciﬁcation we
want to enforce on the behavior of G.
4. Construct by intersection E = H ∩ G. E represents the largest behavior of the overall
system that satisﬁes all the constraints imposed by the speciﬁcations.
5. The generator E obtained through the above construction, in the general case does not rep
resent a proper supervisor, since the following two properties are not automatically ensured:
• nonblockingness, i.e., the generator E may contain blocking states from which a ﬁnal
state cannot be reached;
• controllability, i.e., the language L(E) may not be controllable with respect to L(G).
This means that when G and E run in parallel it may be possible to reach a state from
which an uncontrollable event is enabled in G but is not enabled in E.
We have to further minimally restrict the behavior of E, to obtain a nonblocking and control
lable generator S. This is the counterpart, on the DES structure, of the supremal controllable
sublanguage operator.
The system S obtained through this procedure gives us the transition structure of a supervisor.
We will give an example of this construction using state machine models.
Example 5.1. Consider the systems G
1
and G
2
in Figure 5.1 and the speciﬁcation H. We may
think of G
1
as a robot that picks up one part (event a) and loads the part on a machine (event b).
G
2
is a machine that may start working (event c) and may output the produced part on conveyor A
or B (respectively events d and e) before returning to the idle state. The speciﬁcation we consider,
represented by the generator H, speciﬁes that the machine may start working only after it has been
loaded (events b and c must occur alternatively), and that the robot may load a new part on the
machine only after the previously loaded part has been outputted on conveyor A (events d and b
must occur alternatively). We will assume that the only uncontrollable event for this problem is
event b.
The ﬁrst step of design requires the construction of G = G
1

d
G
2
, shown in Figure 5.2.
In the second step we construct the augmented speciﬁcation H
, shown in Figure 5.3, by
selﬂooping H with the unconstrained events, i.e., with a, e. Since H is the only speciﬁcation
generator, step 3 is not required in this example.
In the fourth step we construct the system E = G∩ H
, shown in Figure 5.4. The system E
is not a supervisor, because it contains blocking states (from which the ﬁnal marking may not be
reached), and also non controllable states. As an example, after Ghas executed the string of events
w = aba, events b and c may occur in G while the control pattern computed by E contains only
the event c. Since b is an uncontrollable event, the language generated by E is not controllable.
If we remove the blocking and noncontrollable states, we obtain the nonblocking and control
lable generator S in Figure 5.5, which is a proper supervisor for this problem.
The supervisor S constructed using Algorithm 5.1 is called monolithic, because it represents
both a supervisor and a closed loop model of the system under control. In fact L(S) = L(S/G).
It is often the case that a simpler supervisor exists. For the control problem in Example 5.1, a
CHAPTER 5. SUPERVISORY DESIGN USING PETRI NETS 33
Figure 5.1: Systems and speciﬁcation for the control problem in Example 5.1.
Figure 5.2: Shufﬂe system G = G
1

d
G
2
in Example 5.1.
Figure 5.3: Speciﬁcation generator H
in Example 5.1.
CHAPTER 5. SUPERVISORY DESIGN USING PETRI NETS 34
Figure 5.4: System E = G∩ H
for the control problem in Example 5.1.
Figure 5.5: Monolithic supervisor S for control problem in Example 5.1.
Figure 5.6: A reduced structure supervisor S’ for the control problem in Example 5.1.
CHAPTER 5. SUPERVISORY DESIGN USING PETRI NETS 35
reduced structure supervisor S
is shown in Figure 5.6. We may easily check that L(S/G) =
L(S
/G) ⊂ L(S
).
Note also that since we have associated a ﬁnal state with the speciﬁcation H, the supervisor
we have constructed is a marking supervisor according to the terminology in Appendix B.2.
5.2.1 Design Using Concurrent Composition
We propose an alternative design for a supervisor, where only one operator, the concurrent com
position operator, is used to construct the generator E. The algorithm is the following.
Algorithm 5.2. Concurrent Composition Supervisory Design
1. Construct by concurrent composition
E = G
1
 . . .  G
m
 H
1
 . . .  H
n
;
2. Reﬁne E so that it is nonblocking and controllable.
It is easy to see that the two approaches are equivalent. In fact with Algorithm 5.1 we construct
a system generating the language
E
1
= [L(G
1
) 
d
. . . 
d
L(G
m
)] ∩ [L(H
1
) 
d
Σ
∗
e
1
] ∩ . . . ∩ [L(H
n
) 
d
Σ
∗
e
n
],
and with Algorithm 5.2 we construct a system generating the language
E
2
= L(G
1
)  . . .  L(G
m
)  L(H
1
)  . . .  L(H
n
).
Since (∀w ∈ Σ
∗
) w ∈ [L(H
j
) 
d
Σ
∗
ej
] ⇐⇒ w ↑
H
j
∈ L(H
j
) (here w ↑
H
j
is the projection of
string w on alphabet Σ
H
j
), we can see that:
E
1
= ¦w [ w ∈ [L(G
1
) 
d
. . . 
d
L(G
m
)], w ∈ [L(H
j
) 
d
Σ
∗
ej
] (j = 1, . . . , n)¦
= ¦w [ w ↑
i
∈ L(G
i
) (i = 1, . . . , m), w ↑
H
j
∈ L(H
j
) (j = 1, . . . , n)¦
= E
2
.
The concurrent composition design is simpler, since it requires only one operator. We will
show in the following section how it may be easily implemented using Petri net models.
5.3 Monolithic Design Using Petri Nets
In this section, we will use Petri net models in the design of a supervisor, following the Algo
rithm 5.2. The coarse structure for a supervisor, i.e., the system E, may be efﬁciently constructed
and the properties of nonblockingness and controllability may be expressed as properties of the
net system E. Secondly, we will discuss how E may be reﬁned to obtain a supervisor S without
major changes in its structure.
The net counterpart of the concurrent composition operator, described in Appendix A.5, re
quires merging transitions with the same label. This construction is based on the structure of the
net and does not require the explicit enumeration of its state space.
Example 5.2. For the control problem discussed in Example 5.1 we have represented in Figure 5.7
the systems and speciﬁcation as Petri nets. The systemE = G
1
 G
2
 H obtained by concurrent
composition is shown in Figure 5.8.
CHAPTER 5. SUPERVISORY DESIGN USING PETRI NETS 36
Figure 5.7: Systems and speciﬁcations as Petri nets for the control problem in Example 5.2.
Figure 5.8: System E = G
1
 G
2
 H as a Petri net for the control problem in Example 5.2.
CHAPTER 5. SUPERVISORY DESIGN USING PETRI NETS 37
It is important to note how the properties of interest, namely nonblockingness and controllabil
ity, may be expressed in terms of net properties. We will use the notation for concurrent systems
presented in Appendix A.5. Let G = G
1
 . . .  G
m
and H = H
1
 . . .  H
n
, be the system
and speciﬁcation components of E. Assume that E = (N, , M
0
, F), G = (N
1
,
1
, M
0,1
, F
1
),
and H = (N
2
,
2
, M
0,2
, F
2
).
The system E is nonblocking if and only if a ﬁnal marking may be reached from any reachable
marking, i.e., if and only if
(∀M ∈ R(N, M
0
)) (∃M
f
∈ F) [M
f
∈ R(N, M)].
Conversely, any reachable marking M
such that (,∃M
f
∈ F) [M
f
∈ R(N, M
)] is a blocking
marking, and we should prevent the system from reaching it.
Let T
u
⊆ T be the set of uncontrollable transitions of E, i.e., the transitions labeled by uncon
trollable events. Given a marking M ∈ R(N, M
0
), let M ↑
1
(M ↑
2
) be the restriction of M to the
places of G (H). Then E will be controllable if and only if it is not possible to reach a marking
M such that an uncontrollable transition t is enabled by M ↑
1
in G, but it is not enabled by M ↑
2
in H. In other words, E is controllable if and only if
(∀t ∈ T
u
) (,∃M ∈ R(N, M
0
)) [M ↑
2
,≥ Pre
2
(, t) ∧ M ↑
1
≥ Pre
1
(, t)].
Once the coarse structure of a candidate supervisor is constructed by means of concurrent
composition, we need to reﬁne it to obtain a nonblocking and controllable generator. We have to
remove a set of undesirable states and all the transitions leading to them. We assume in this section
that the knowledge of which states are undesirable, and which are the transitions leading to them,
is given.
The next example shows the problems involved in the reﬁnement of a net.
Example 5.3. Let us consider the system E constructed in Example 5.2. Here the controllable
event set is Σ
c
= ¦a, c, d, e¦ and the uncontrollable event set is Σ
u
= ¦b¦. E is blocking and
uncontrollable. The undesirable markings, that should be removed, are those shown in the reach
ability tree in Figure 5.9, equivalent to the state machine model in Figure 5.4. Reﬁning the PN
is complex. First, we should certainly remove the transition labeled by e since its ﬁring always
leads to an undesirable state and it is controllable. After removal of this transition, the transition
labeled by a will be enabled by the following reachable markings: M
= (1010010)
T
, M
=
(1001010)
T
, M
= (1000101)
T
. We want to block the transition labeled a when the markings
M
and M
are reached. Since
M
(p
3
) = 1 > M
(p
3
) = M
(p
3
) = 0,
we can add an arc from p
3
to a and from a to p
3
as in Figure 5.10.
The following algorithm can be given for the reﬁnement of a net.
Algorithm 5.3. Let t be a transition to be controlled, i.e., a transition leading from an admissible
marking to an undesirable marking. Let a be its label.
1. Determine the set of admissible reachable markings that enable t, and partition this set
into the disjoint subsets M
e
(the markings from which t should be allowed to ﬁre), and M
d
(the markings from which t should not be allowed to ﬁre, to avoid reaching an undesirable
marking). If M
e
= ∅ remove t and stop, else continue.
2. Determine a construct in the form:
(M) = [(M(p
1
1
) ≥ n
1
1
) ∧ . . . ∧ (M(p
1
k1
) ≥ n
1
k1
)]∨
. . .
∨[(M(p
l
1
) ≥ n
l
1
) ∧ . . . ∧ (M(p
l
kl
) ≥ n
l
kl
)],
such that (M) = TRUE if M ∈ M
e
, and (M) = FALSE if M ∈ M
d
.
CHAPTER 5. SUPERVISORY DESIGN USING PETRI NETS 38
Figure 5.9: Reachability tree of the system E in Example 5.2 and Example 5.3.
Figure 5.10: Supervisor S as a Petri net for the control problem in Example 5.2 and Example 5.3.
CHAPTER 5. SUPERVISORY DESIGN USING PETRI NETS 39
3. Replace transition t with l transitions t
1
, . . . , t
l
labeled a. The input (output) arcs of transi
tion t
j
, j = 1, . . . , l, will be those of transition t plus n
j
i
arcs inputting from (outputting to)
place p
j
i
, i = 1, . . . , k
j
.
It is clear that following this construction there is an enabled transition labeled a for any
marking in M
e
, while none of these transitions are enabled by a marking in M
d
. We also note that
in general several constructs of this form may be determined. The one which requires the minimal
number of transitions, i.e., the one with smaller l, is preferable.
The following theorem gives a sufﬁcient condition for the applicability of the algorithm.
Theorem 5.1. The construct of Algorithm 5.3 can always be determined if the net is conservative.
Proof: A net is conservative if there exists an integer vector Y >
0 such that for any two
markings M and M
reachable from the initial marking Y
T
M = Y
T
M
. Hence if M ,= M
there
exists a place p such that M(p) > M
(p). Also the set of reachable markings is ﬁnite.
On a conservative net, consider M
i
∈ M
e
, M
j
∈ M
d
. We have that M
e
and M
d
are ﬁnite
sets and also there exists a place p
ij
such that M
i
(p
ij
) = n
ij
> M
j
(p
ij
). Hence
(M) =
i∈M
e
_
_
j∈M
d
(M(p
ij
) ≥ n
ij
)
_
_
is a construct for Algorithm 5.3.
According to this Theorem we may always ﬁnd a reﬁnement construct for conservative nets.
Unfortunately, the construct may contain up to [M
e
[ OR clauses, i.e., up to [M
e
[ transitions may be
substituted for a single transition to control. Note, however, that it is often possible to determine a
simpler construct as in Example 5.3, where the construct for the transition labeled a was (M) =
[M(p
3
) ≥ 1].
5.4 Petri Nets and State Machines
The design using concurrent composition appears to be highly efﬁcient when using Petri net struc
tures. Here we would like to discuss the main advantages of using Petri nets rather than state
machines in the supervisory design.
1. PN have a higher language complexity than state machines. Hence they have the possibility
of describing a larger class of systems.
The concurrent composition design algorithm may be used to construct the systemE even if
we consider Petri net models with inﬁnite state space, since it is based on the ﬁnite structure
of the net. However, as suggested by Theorem 5.1, since systems with inﬁnite state space are
not conservative it may be impossible to reﬁne the net in step 2 of the algorithm. This was
also expected from the results of Chapter 4 since the nonblocking generator of the supremal
controllable sublanguage of E may not have a Petri net representation.
2. Suppose we restrict ourselves to consider only conservative Petri net models. Conservative
PN are essentially equivalent to state machines, since the number of reachable markings
(i.e., the number of “states” of the model) is ﬁnite. However, since the states of a PN are
represented by the possible markings and not by the places, they allow a compact descrip
tion, i.e., the structure of the net may be maintained small in size even if the number of the
markings grows.
To express the difference between the two approaches in quantitative terms, assume that we
start with bottom level modules that are state machines. Furthermore assume that in each
CHAPTER 5. SUPERVISORY DESIGN USING PETRI NETS 40
module each symbol labels at most one transition. Consider k modules G
1
, . . . , G
k
, and let
m
i
and n
i
be the number of states (i.e., places) and transitions of each of them. The system
G = G
1
 . . .  G
k
can be constructed as a state machine or as an ordinary Petri net.
• When G is constructed as a state machine the number m of states and the number n of
transitions will be:
m ≤
k
i=1
m
i
, n ≤
k
i=1
_
_
n
i
j=i
m
j
_
_
The upper bound is reached when the alphabets of the modules are disjoint; in this case
the coupling of the modules is so weak that the overall state set will be identical to the
cartesian product of the states of the modules. The bound gives however a clear idea
of the exponential growth of the model even in the general case when the alphabets of
the modules are not disjoint [Tadmor 89].
• When Gis constructed as an ordinary Petri net, following the algorithmin Appendix A.5,
we have a number of places equal to: m =
k
i=1
m
i
and a number of transitions:
n = Σ ≤
k
i=1
n
i
where Σ is the alphabet associated to G.
However, it is necessary to point out that in the phase of the reﬁnement of the coarse
structure of the supervisor the number of transitions introduced in Algorithm 5.3 may
in the worst case approach the size of M
e
as suggested by Theorem 5.1.
3. Petri nets allow modular synthesis, i.e., the net can be considered as composed of inter
related subnets, in the same way as a complex systems can be regarded as composed of
interacting subsystems. In Figure 5.8, e.g., we may still recognize the individual modules
that compose the system E, while in the state machine representation in Figure 5.4 this is
not possible. This permits us to express controllability as a property of the generator E.
5.5 Conclusions
We can summarize the results of this chapter as follows:
• For regular languages, Ramadge and Wonham have proved that it is always possible to
determine the supremal controllable sublanguage of a given conﬁguration of systems and
speciﬁcations with a ﬁnite procedure (See Appendix B, Theorem B.3).
• For DES modeled with conservative Petri nets (that generate regular languages) we can
always reﬁne the net in order that the supremal controllable behavior is achieved. In the
reﬁnement, following Algorithm 5.3, the modular structure of the net is preserved (but in
some cases it may be necessary to introduce a large number of transitions).
Hence conservative Petri nets may be used within the framework of supervisory control, providing
a more compact representation in terms of transition structure when compared with state machine
models.
There is, however, another problem to be addressed. In this chapter we have assumed that
the set of undesirable markings is given. In practice, a brute force approach to determine this set
requires the construction of the reachability tree. PN may offer means to solve this problem in
more efﬁcient ways.
• Use incidence matrix analysis to determine whether undesirable markings are reachable.
Although in the general case this analysis gives only a necessary condition for reachabil
ity, there are classes of nets such that a necessary and sufﬁcient condition may be derived
[Giua 90b, Murata 89].
CHAPTER 5. SUPERVISORY DESIGN USING PETRI NETS 41
• Derive synthesis procedures that insure the desired properties for the composed system.
In this case we have efﬁcient “closed form solutions” at the cost of limiting our design to
special classes of nets [Datta 84, Datta 86, Krogh 86, Krogh 91].
These approaches will be investigated in the next chapters.
Chapter 6
INCIDENCE MATRIX ANALYSIS
6.1 Introduction
This chapter discusses how incidence matrix analysis for Petri net models may be used to validate
supervisors for the control of discrete event systems. We will consider a class of P/T nets called
Elementary Composed State Machines (ECSM). The most interesting property of this class of nets
lies in the fact that the set of reachable markings is an (integer) convex set and that the set of linear
inequalities A M ≥ A M
0
which deﬁnes it may be computed from the analysis of the simple
state machine modules that compose the net.
In classic incidence matrix analysis, the set of reachable markings of a system ¸N, M
0
) is
approximated by the solutions of the state equation, i.e., by the set
PR(N, M
0
) = ¦M ∈ IN
P
[ (∃σ ∈ IN
T
)[M = M
0
+C σ]¦,
where C is the incidence matrix of the net. In another approach, a basis of Psemiﬂows B is used
to approximate the reachability set, deﬁning the set
PR
B
(N, M
0
) = ¦M ∈ IN
P
[ B
T
M = B
T
M
0
¦.
The ﬁrst approximation is generally better, in the sense that
R(N, M
0
) ⊆ PR(N, M
0
) ⊆ PR
B
(N, M
0
)
However, the computation of PR
B
(N, M
0
) does not involve the ﬁring count vector σ, and this
feature has additional advantages that we will discuss in the following.
We propose an approach similar to the computation of PR
B
(N, M
0
) where we use, in addition
to the equations derived from the Psemiﬂows, inequalities derived from the basic traps of the net
and we deﬁne
PR
A
(N, M
0
) = ¦M ∈ IN
P
[ A M ≥ A M
0
¦.
The matrix A is computed from the analysis of the structure of net N. Furthermore, we show
that for ECSM, the class of nets that we consider here, PR
A
(N, M
0
) = R(N, M
0
), i.e., the set
of integer solutions of the inequality A M ≥ A M
0
is exactly the set of reachable markings
[Giua 92d].
There are signiﬁcant differences between our approach and the analysis based on the state
equation.
• The use of the incidence matrix does not permit verifying propositions such as
(∀M ∈ PR(N, M
0
))[M
f
∈ PR(N, M)]
42
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 43
with a linear algebraic formalism; this proposition, as we will see, expresses the nonblocking
property of a system. This is because the set PR(N, M
0
) is deﬁned in terms of linear
equations containing the variables M and σ. We deﬁne the set of reachable markings as the
solution of a set of inequalities which do not contain the ﬁring count vector σ, and we will
be able to write simple integer programming problems to study nonblocking properties of
systems.
• For the class of ECSM nets, the state equation gives only necessary but not sufﬁcient condi
tions for reachability, since it may contain spurious solutions (solutions which do not corre
spond to reachable markings), i.e., in general it holds PR(N, M
0
) ⊃ R(N, M
0
). However,
for the same class of nets there exists a matrix A such that PR
A
(N, M
0
) = R(N, M
0
), i.e.,
the reachability set of an ECSM may be exactly described by a set of linear inequalities,
without spurious solutions.
• Note that since the domain PR
A
(N, M
0
) represents the integer solutions of a set of lin
ear inequalities, it is a convex set of integers. Thus, there exists a matrix A such that
PR
A
(N, M
0
) = R(N, M
0
) if and only if the reachability set of system ¸N, M
0
) is a con
vex set. If a net is such that the state equation does not contain spurious solutions, this does
not imply that its reachability set is a convex set. As an example, it has been proved that
the state equation of acyclic nets does not contain spurious solutions [Murata 89]. The net
we will discuss in Example 6.2 is acyclic but does not have a convex reachability set. This
means that there are classes of nets such that PR(N, M
0
) = R(N, M
0
) and such that there
does not exist a matrix A such that PR
A
(N, M
0
) = R(N, M
0
).
In our approach determining if a marking is reachable requires the use of Integer Programming.
Integer Programming problems may not be solved, in general, in polynomial time. However, it is
possible to relax the constraint that the solution of A M ≥ A M
0
be integer to obtain a sufﬁcient
condition for the validation of the net. Thus, we may use Linear Programming techniques to prove
that a given undesirable marking is not reachable.
The model considered in this chapter is based on state machine P/T nets with multiple tokens.
State machines may model choice, since a place may have more that one outgoing arc, but strongly
limit the possibility of modeling concurrency, since the only concurrent behavior is given by the
presence of multiple tokens in the net. To describe concurrent systems, the model is extended by
composing the state machine modules through concurrent composition, an operator that requires
the merging of common transitions.
In this approach it is necessary to restrict the type of compositions considered, in order to
guarantee some important properties [Giua 90b]. The ﬁnal model, called Elementary Composed
State Machines (ECSM nets), can model both choice and concurrent behavior, and at the same
time has the property that the space of reachable markings is a linear integer convex set, i.e., it is
given by the integer solutions of a set of linear inequalities.
Section 2 deals with state machines and reachability using incidence matrix analysis and shows
how it is possible to derive the set of linear inequalities that deﬁnes the space of reachable mark
ings. In Section 3 is deﬁned the class of Elementary Composed State Machine nets and the results
derived in Section 2 are extended to this class. Section 4 ﬁnally shows how this approach may be
applied to the validation of supervisors for the control of discrete event systems.
6.2 Incidence Matrix Analysis for State Machines
In this section we discuss two ways of determining if a marking of a state machine is reachable
from the initial marking. In the ﬁrst approach we consider the state equation of the net. In the
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 44
second we show how the reachability set may be described by a set of equations that do not
involve the ﬁring count vector.
State machines represent a very simple PN model that has been extensively investigated. For
instance, Murata [Murata 89] reports several results on the liveness and reachability characteri
zation of this class of nets. However, the focus is generally on live state machines (i.e., strongly
connected state machines). In the framework of Supervisory Control, the requirement that the
model be live is not important, while it is required that the system be nonblocking, i.e., that from
any reachable marking it may be possible to reach a ﬁnal marking. This motivates the attention
given in this chapter to state machines that are not necessarily live.
6.2.1 State Equation
The use of the state equation for characterizing the reachability set of a PN is based on the follow
ing observation.
Note 6.1. Let ¸N, M
0
) be a marked net and C its incidence matrix.
M ∈ R(N, M
0
) =⇒ (∃σ ∈ IN
m
) [M = M
0
+C σ].
The existence of a vector σ satisfying the previous state equation gives a necessary but not
sufﬁcient condition for the reachability of a given marking. In the general case, a solution M and
σ may exist for the previous equation, but σ yields no ﬁrable sequence of transitions and M cannot
be reached.
For state machines, however, the following theorem holds.
Theorem 6.1. Let ¸N, M
0
) be a marked state machine.
M ∈ R(N, M
0
) ⇐⇒ (∃σ ∈ IN
m
) [M = M
0
+C σ].
Proof : Only ⇐= needs to be proved. At least one of the transitions given by σ may ﬁre if
M
0
,= M. In fact, consider a place p
i
÷ M
0
(p
i
) > M(p
i
) ≥ 0. (The existence of such a place is
ensured because state machines are conservative.) Since
M(p
i
) −M
0
(p
i
) =
m
j=1
c
ij
σ
j
< 0,
there exists a transition t
j
such that σ(t
j
) > 0 and c
ij
= −1 , i.e., t
j
outputs from p
i
. Since
M
0
(p
i
) > 0, t
j
may ﬁre reaching a marking M
such that: M = M
+ C σ
, where σ
< σ.
Repeating the previous reasoning it is possible to conclude that eventually M will be reached.
In [Murata 89] is presented the same result in the case of strongly connected state machines.
Ichikawa and Hiraishi [Ichikawa 88b] have shown that for acyclic nets, i.e., nets whose un
derlying graph has no directed circuits, a vector σ solution of the state equation yields a ﬁrable
sequence of transitions. Theorem 6.1 does not imply this stronger property.
Example 6.1. Consider the net in Figure 6.1, where M
0
= (2 0 0 0 0)
T
and M = (1 0 1 0 0)
T
.
The incidence matrix of the net is
C =
_
¸
¸
¸
¸
_
−1 0 −1 0 0 0
1 −1 0 0 0 0
0 1 0 1 0 0
0 0 1 −1 −1 1
0 0 0 0 1 −1
_
¸
¸
¸
¸
_
.
The state equation is satisﬁed by: σ = (1 1 0 0 1 1)
T
. While σ does not yield a ﬁrable sequence
of transitions, M can always be reached: just consider the vector σ
= (1 1 0 0 0 0)
T
(< σ) that
yields the ﬁrable sequence: σ
= t
1
t
2
.
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 45
Figure 6.1: State machine in Example 6.1.
Figure 6.2: Firing subnet in Example 6.1.
The problem, as the previous example shows, is that the ﬁring count vector could be counting,
in addition to the sequence of transitions that needs to be ﬁred to go from M
0
to M, a cycle that
cannot be ﬁred because it is not marked by a token. Hence the following two theorems hold.
Theorem 6.2. Let ¸N, M
0
) be a marked state machine and M be a marking of N. A vector
(σ ∈ IN
m
) [M = M
0
+ C σ] yields a ﬁrable sequence of transitions from M
0
if (,∃σ
∈
IN
m
) [M = M
0
+C σ
, σ
< σ].
Proof : If σ is the minimal vector satisfying the state equation for M and M
0
, then the ﬁring
subnet given by σ is acyclic and all transitions may ﬁre, as proved in [Ichikawa 88b].
Note that Theorem 6.2 gives a sufﬁcient but not necessary condition. In Example 6.1, consider
the vector σ = (0 0 1 1 1 1)
T
solution of the state equation. σ is not minimal but yields a ﬁrable
sequence σ = t
3
t
5
t
6
t
4
.
Theorem 6.3. Let ¸N, M
0
) be a marked state machine and M be a marking of N. A vector
(σ ∈ IN
m
) [M = M
0
+ C σ] yields a ﬁrable sequence of transitions from M
0
if and only if in
the ﬁring subnet given by σ each connected component is marked by M
0
.
Proof : The presence of a token in each connected component ensures that the cycles eventually
present in σ can be executed.
The ﬁring subnet for Example 6.1 is in Figure 6.2; here there are two connected components
¦p
1
, p
2
, p
3
¦ and ¦p
4
, p
5
¦, the second of which is not marked; hence its transitions cannot ﬁre.
6.2.2 Deﬁning the Set of Reachable Markings
Theorem 6.4. Let ¸N, M
0
) be a marked state machine. The set of reachable markings R(N, M
0
)
is an integer linear convex set, i.e., can be deﬁned as the integer solutions of a set of linear
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 46
Figure 6.3: Net in Example 6.2, with a non convex reachability set.
inequalities.
Proof : Follows from Algorithm 6.1 presented below.
This property does not hold in general for ordinary P/T nets.
Example 6.2. On the net in Figure 6.3, an ordinary conservative PN, M = (0 1 0 2) can be
reached fromM
0
= (2 1 0 0) but M
=
M
0
+M
2
= (1 1 0 1), which is a linear convex combination
of M
0
and M, cannot be reached.
To determine the set of linear inequalities that the set of reachable markings of a state machine
must satisfy, the following algorithm may be used. Note ﬁrst that a connected (not necessarily
strongly connected) state machine has a single Psemiﬂow whose support contains all the places.
Algorithm 6.1. Let ¸N, M
0
) be a marked state machine, and T
i
= ¦p
i
1
, . . . , p
i
k
¦ a trap of N.
Deﬁne M(T
i
) = M(p
i
1
) +. . . +M(p
i
k
).
1. Consider all basic traps
1
of the net along with the support of the Psemiﬂow T
0
.
2. For each trap T
i
write the inequality: M(T
i
) ≥ n
i
, where n
i
is the number of tokens
assigned to T
i
by the initial marking. For T
0
write the equation: M(T
0
) = n
0
, where n
0
is the total number of tokens in the net.
3. If for a trap T
i
(i ,= 0) the number of tokens is n
i
= 0, the inequality for T
i
can be
removed.
4. If T
i
⊂ T
j
(j ,= 0) and n
i
= n
j
, the inequality for T
j
can be removed, since it is implied
by the inequality for T
i
.
5. The remaining set of inequalities plus the inequalities: M ≥
0, gives the set of markings
reachable from the initial marking. These inequalities will be indicated as /(N).
According to this Algorithm, the reachability set of a state machine ¸N, M
0
) can be represent
by the set PR
A
(N, M
0
) = ¦M ∈ IN
P
[ A M ≥ A M
0
¦, where each row of the matrix A is
the characteristic vector of the Psemiﬂow of the net or of one of the basic traps of the net.
Here is an example of application for the algorithm.
Example 6.3. Consider the net in Figure 6.4. Here the basic traps are:
T
0
= ¦p
1
, p
2
, p
3
, p
4
, p
5
, p
6
¦,
T
1
= ¦p
2
¦,
T
2
= ¦p
5
¦,
T
3
= ¦p
6
¦,
T
4
= ¦p
1
, p
2
, p
5
¦,
T
5
= ¦p
3
, p
5
, p
6
¦,
T
6
= ¦p
3
, p
4
, p
5
, p
6
¦.
1
A trap is basic if it is not the union of other traps.
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 47
Figure 6.4: State machine in Example 6.3.
Note, e.g., that the trap ¦p
2
, p
5
¦ is not considered, since it is given by the union of T
1
and T
2
.
The corresponding set of linear inequalities is:
(1) M(p
1
) +M(p
2
) +M(p
3
) +M(p
4
) +M(p
5
) +M(p
6
) = 4,
(2) M(p
2
) ≥ 0,
(3) M(p
5
) ≥ 0,
(4) M(p
6
) ≥ 1,
(5) M(p
1
) +M(p
2
) +M(p
5
) ≥ 2,
(6) M(p
3
) +M(p
5
) +M(p
6
) ≥ 2,
(7) M(p
3
) +M(p
4
) +M(p
5
) +M(p
6
) ≥ 2.
Inequality (2) and (3) will be removed in step 3 of the algorithm, inequality (7) will be removed
in step 4 as it is implied by (6). Finally the set of markings reachable from the initial marking is
given by:
M(p
1
) +M(p
2
) +M(p
3
) +M(p
4
) +M(p
5
) +M(p
6
) = 4,
M(p
6
) ≥ 1,
M(p
1
) +M(p
2
) +M(p
5
) ≥ 2,
M(p
3
) +M(p
5
) +M(p
6
) ≥ 2,
M ≥
0.
Note 6.2. Given a trap T , the complement P ¸ T is a siphon, i.e., there is a siphon o
i
= P ¸ T
i
corresponding to each trap T
i
, (i ,= 0) considered in the Algorithm 6.1. Hence the inequality
for T
i
may be rewritten as M(o
i
) ≤ n
0
−n
i
.
In fact siphons and traps are dual concepts and a dual algorithm, in terms of siphons, may be
given for determining the linear inequalities satisﬁed by the reachable markings.
Note 6.3. Let ¸N, M
0
) be a marked strongly connected state machine. Then the set of equations
/(N) trivially reduces to:
M(T
0
) = n
0
,
M ≥
0.
Finally, it is necessary to discuss the correctness of the algorithm, i.e., the fact that the set of
markings that satisfy the linear inequalities required by Algorithm 6.1 is exactly the reachability
set. The idea is to show that a description of a state machine in term of traps captures the behavior
of the net. This will be proven through the following propositions.
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 48
Proposition 6.1. Let T be a trap of a state machine. The number of tokens in T is nondecreasing.
Proof : On state machines, the ﬁring of any transition preserves the total number of tokens.
Also a transition has a single input and output arc. Hence no transition may output from a place in
T to a place not in T .
Proposition 6.2. Let T be a minimal trap
2
of a state machine. Then a token in T can move to any
place in T .
Proof : For state machines, it is sufﬁcient to prove that all places in T are strongly connected,
i.e., there is a path from any place to all others. This is trivially true if T consist of a single place.
Assume T consists of k places. Consider a place p
1
∈ T . There must be a transition from p
1
to some place p
2
∈ T , otherwise ¦p
1
¦ is a trap and T is not minimal. Consider ¦p
1
, p
2
¦. With
the same reasoning it is possible to infer that there must be a transition leading from ¦p
1
, p
2
¦ to a
place p
3
∈ T . This reasoning can be carried out until ¦p
1
, p
2
, ...p
k
¦ = T is reached. Hence p
1
is
connected to all places in T . Since this reasoning can be applied to any place p
i
∈ T , the proof is
complete.
Proposition 6.3. Let T be a trap, and let T
= ¦p ∈ T [ p ∈ T
, T
⊂ T , T
is a trap ¦. Then
a token in T ¸ T
can move to any place in T .
Proof : Similar to the proof of Proposition 6.2.
The soundness of the algorithm is then proved by the following reasoning. The marking of the
traps is strictly nondecreasing (Proposition 6.1). The tokens initially present in a minimal trap may
freely move to any place of the trap (Proposition 6.2). The tokens initially present in a trap that
is not minimal are free to move to any place of the trap provided they also satisfy the constraints
enforced by the traps contained in the non minimal trap (Proposition 6.3). These are the only
constraints that the set of reachable markings must satisfy and these constraints are captured by
Algorithm 6.1.
We point out that while in general the number of basic traps of Petri net may be exponential in
the number of places, for state machines the number of basic traps is at most equal to the number
of places. This may be proved by the following inductive reasoning. Consider a state machine with
n places and no transitions; clearly there are n basic traps each one containing a single place. Now
assume we have a state machine with its set of basic traps, and assume we add a new transition
from place p to place p
. Then all the basic traps that do not contain p or that contain p
are still
basic traps. All the basic traps that contain p and do not contain p
will not be traps in the new
net and we need to add to each of them the minimal trap containing p
(there is only one such
minimal trap) to obtain new basic traps. After the new traps are computed, it may well be the case
that two of them are identical, that is the number of basic traps may only decrease when we add a
transition.
6.3 Composition of State Machines Modules
The section discusses how the properties studied in Section 2 for state machines are preserved by
concurrent composition. We will consider a restricted class of compositions.
Let us ﬁrst introduce the following deﬁnitions.
Deﬁnition 6.1. A simple path of a net N is a sequence θ = t
0
p
1
t
1
. . . p
r
t
r
of transitions and
places such that
(∀i = 1, . . . , r) [
•
p
i
= ¦t
i−1
¦, p
•
i
= ¦t
i
¦, t
•
i−1
= ¦p
i
¦,
•
t
i
= ¦p
i
¦].
We assume that (∀i, j = 0, . . . , r ∧ i ,= j)[t
i
,= t
j
]. Note also that a single transition may be
considered as a simple path with no places.
2
A trap is minimal if it is not the superset of another trap.
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 49
Figure 6.5: Two state machines composed along a simple path in Example 6.4.
Deﬁnition 6.2. Given a net N, and k simple paths θ
i
= t
i,0
. . . , t
i,r
i
(i = 1, . . . , k), the k paths
are looped in N if
(∃p ∈ P) (∀i = 1, . . . , k) [
•
t
i,0
= t
•
i,r
i
= ¦p¦, Pre(p, t
i,0
) = Post(p, t
i,r
i
) = 1].
In simple words, the k paths are looped if there exists a place p such that the initial (and ﬁnal)
transitions of all paths only input from (and only output to) place p with a single arc.
In this chapter, we will consider compositions of subnets that share: 1) a simple path; 2) a set
of simple paths provided all paths are looped in one of the nets. We assume that the marking of
the places along the composed paths are the same on all subnets.
For this class of compositions we will slightly change the deﬁnition of composition given in
Appendix A.5. In fact here we are looking at composition based on the structure of the net rather
that on the language generated by the net.
Example 6.4. The two nets in Figure 6.5 are composed along the simple path θ
1
= t
1
p
2
t
2
. The
composed net is shown in Figure 1.b.
The two nets in Figure 6.6 are composed along the simple paths θ
1
= t
1
p
2
t
2
and θ
2
= t
3
p
3
t
4
.
Paths θ
1
and θ
2
are looped in N
2
.
A net N obtained by composition of subnets N
1
and N
2
is denoted N = N
1
 N
2
.
We also recall the notation used for composed systems. Let N be a composed system N =
N
1
 . . .  N
n
, and let M be a marking, σ be a ﬁring count vector, and σ a ﬁring sequence deﬁned
on it. The projection of M on N
i
, denoted M ↑
i
, is the vector obtained from M by removing all
the components associated to places not present in N
i
. The projection of σ on N
i
, denoted σ ↑
i
,
is the vector obtained by σ removing all the components associated to transitions not present in
N
i
. The projection of σ on N
i
, denoted σ ↑
i
, is the ﬁring sequence obtained by σ removing all the
transitions not present in N
i
.
6.3.1 State Equation
Let N = N
1
 . . .  N
n
be a composed net, and let σ be the ﬁring count vector solution of
M = M
0
+ C σ, where C is the incidence matrix of N. Assume that on each module N
i
(∀i = 1, . . . , n), the ﬁring count vector σ ↑
i
yields a ﬁrable sequence σ
i
, i.e., M
0
↑
i
[σ
i
) M ↑
i
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 50
Figure 6.6: Two state machines composed along two simple paths in Example 6.4.
, (i = 1, . . . , n). This does not imply, however, that on the composed net σ yields a ﬁrable
sequence σ such that M
0
[σ) M.
There exist particular compositions, however, such that the reachability of a marking of the
overall net may be determined simply by the analysis of the modules that compose it. These
compositions, called elementary, are used to deﬁne the following class of P/T nets.
Deﬁnition 6.3. Elementary Composed State Machine (ECSM) nets are the minimal class of P/T
nets that is a superset of the class of state machines and is closed under the following composi
tions:
1. Composition of two nets sharing a single transition (or a simple path);
2. Composition of two nets through a set T
s
of k transitions (or a set Θ of k simple paths) when
the transitions (or simple paths) are looped in one of the nets.
Although the two compositions we used to deﬁne ECSM may appear exceedingly simple, they
permit the modular synthesis of realistic systems. As an example, the ﬁrst kind of compositions
may be used to construct the model of several systems connected through buffers or channels. The
second kind of composition may be used to represent shared resources.
Theorem 6.5. Let ¸N, M
0
) be a marked net where N = N
1
 N
2
and assume that N
1
and N
2
have been composed by means of one of the compositions used to deﬁne the class of ECSM. A
ﬁring count vector for N yields a ﬁrable sequence if and only if on each module N
i
the projection
of the ﬁring count vector yields a ﬁrable sequence σ
i
.
Proof : The “only if” part is trivial. Let us prove the “if” part for single transitions (i.e., not
simple path) composition. In the case of simple path compositions the proof is substantially the
same (see also [Giua 90b]).
• Composition of two nets sharing one transition t.
Consider a solution σ of the state equation M = M
0
+ C σ. By hypothesis on N
1
and
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 51
N
2
, σ ↑
i
yields a ﬁrable sequence σ
i
such that M
0
↑
i
[σ
i
) M ↑
i
, (i = 1, 2). Let the
component of σ associated to the transition t have the value k, i.e., there are k occurrences
of t in each σ
i
. Then σ
i
may be written as
σ
i
= x
0
i
t x
1
i
t . . . x
k−1
i
t x
k
i
, (i = 1, 2).
Now let
σ = x
0
1
x
0
2
t x
1
1
x
1
2
t . . . x
k−1
2
t x
k
1
x
k
2
.
Clearly σ is a ﬁrable sequence given by the ﬁring count vector σ.
• Composition of two net sharing a set of transitions T
s
looped in one of the nets.
Consider a solution σ of the state equation M = M
0
+C σ. By hypothesis on N
1
and N
2
,
σ ↑
i
yields a ﬁrable sequence σ
i
such that M
0
↑
i
[σ
i
) M ↑
i
, (i = 1, 2). Let t
j
i
be the jth
occurrence in σ
i
of a transition in T
s
. Then σ
i
may be written as
σ
i
= x
0
i
t
1
i
x
1
i
t
2
i
. . . x
k−1
i
t
k
i
x
k
i
, (i = 1, 2).
Let N
2
be the looped net. Then any time a transition t ∈ T
s
ﬁres any other transition in T
s
may ﬁre. Hence the following is a ﬁrable sequence for N
2
as well
σ
2
= x
0
2
t
1
1
x
1
2
t
2
1
. . . x
k−1
2
t
k
1
x
k
2
.
Now let
σ = x
0
1
x
0
2
t
1
1
x
1
1
x
1
2
t
2
1
. . . x
k−1
2
t
k
1
x
k
1
x
k
2
.
Clearly σ is a ﬁrable sequence given by the ﬁring count vector σ.
Corollary 6.1. Let ¸N, M
0
) be a marked ECSM net where N = N
1
  N
n
and N
i
, (i =
1, . . . n), is a state machine. A ﬁring count vector for N yields a ﬁrable sequence if and only if on
each module N
i
the projection of the ﬁring count vector yields a ﬁrable sequence.
Proof: By recursive application of Theorem 6.5.
Theorem 6.2 and Theorem 6.3 may be restated in this form for ECSM nets.
Theorem 6.6. Let ¸N, M
0
) be a marked ECSM net and M be a marking of N. N = N
1
 . . . 
N
n
and N
i
, (i = 1, . . . , n), is a state machine.
A vector (σ ∈ IN
m
) [M = M
0
+C σ] yields a ﬁrable sequence of transitions if
(∀i = 1, . . . , n)(,∃σ
i
) [M ↑
i
= M
0
↑
i
+C
i
σ
i
, σ
i
< σ ↑
i
].
Proof : Under these hypotheses, on each module σ ↑
i
yields a ﬁrable sequence (by Theo
rem 6.2). Hence by Corollary 6.1 σ yields a ﬁrable sequence for N.
Theorem 6.7. Let ¸N, M
0
) be a marked ECSM net and M be a marking of N. N = N
1
 . . . 
N
n
and N
i
, (i = 1, . . . , n), is a state machine.
A vector (σ ∈ IN
m
) [M = M
0
+ C σ] yields a ﬁrable sequence of transitions if and only if
in the ﬁring subnet given by σ ↑
i
(i = 1, . . . , n) each connected component is marked by M
0
.
Proof : On module N
i
, the ﬁring count vector σ ↑
i
yields a ﬁrable sequence if and only if in the
ﬁring subnet all connected components are marked (by Theorem 6.3). Hence by Corollary 6.1 σ
yields a ﬁrable sequence for N if and only if in the ﬁring subnet for each module N
i
all connected
components are marked.
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 52
6.3.2 Deﬁning the Set of Reachable Markings
This subsection will show how it is possible to derive the set of linear inequalities that deﬁnes
the set of reachable markings in ECSM nets. Firstly, the case of two state machines, composed
through a single transition or a set of looped transitions, is discussed. Then these results will be
extended to the composition of ECSM through simple paths.
Deﬁnition 6.4. Let ¸N, M
0
) be a marked state machine where M
0
assigns all the tokens to a place
p
0
, and let M
p
be a marking that assigns a single token to place p and no token elsewhere. Given
a transition t, it is possible to deﬁne the following two sets of places on the net:
P
t
= ¦p ∈ P [ (∃σ) [σ(t) > 0, M
p
0
[σ) M
p
]¦,
P
t
= ¦p ∈ P [ (∃σ) [σ(t) = 0, M
p
0
[σ) M
p
]¦.
In simple words, the set P
t
contains the places that may be marked by ﬁring t at least once by
an initial marking that assigns a token to the initial place p
0
and no tokens to the other places. The
set P
t
contains the places that may be marked without ﬁring t by an initial marking that assigns a
token to the initial place p
0
and no tokens to the other places.
Similarly, given a set of transitions T
s
, it is possible to deﬁne the following two sets of places
on the net:
P
T
s
= ¦p ∈ P [ (∃σ) (∃t ∈ T
s
) [σ(t) > 0, M
p
0
[σ) M
p
]¦,
P
T
s
= ¦p ∈ P [ (∃σ) (∀t ∈ T
s
) [σ(t) = 0, M
p
0
[σ) M
p
]¦.
Proposition 6.4. (Firing Bounds) Let ¸N, M
0
) be a marked state machine where M
0
assigns all
the tokens to a place p
0
. Now given a marking M ∈ R(N, M
0
), the number of times t has ﬁred to
reach M may vary and can assume any integer value in the range [ρ
min
(M, t), ρ
max
(M, t)], where
ρ
min
(M, t) =
p∈P
t
\P
t
M(p);
ρ
max
(M, t) =
_
¸
¸
¸
¸
¸
¸
¸
¸
_
¸
¸
¸
¸
¸
¸
¸
¸
_
p∈P
t
M(p) if there is no cycle containing t,
0 if there is a cycle containing t
and
p∈P
t
M(p) = 0,
∞ if there is a cycle containing t
and
p∈P
t
M(p) > 0.
ρ
min
(M, t) and ρ
max
(M, t) are called the ﬁring bounds of t for marking M.
Proof : For each token in P
t
¸P
t
transition t must have ﬁred at least once, while for each token
in P
t
transition t may have ﬁred once if there is no cycle containing t or an arbitrary large number
of times if there is a cycle containing t.
Note, also, that
ρ
min
(M, t) ≤
p∈P
M
0
(p),
and that when there is a cycle containing t a good approximate bound — that will be used in the
following — for ρ
max
(M, t) is
ρ
max
(M, t) = h
p∈P
t
M(p) ≤ ρ
max
(M, t),
where h is any integer large enough.
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 53
Figure 6.7: State machine in Example 6.4.
Proposition 6.4 is restricted to the case of an initial marking that assigns all tokens to a single
place. This requirement is fair, in the sense that in the application cases of interest here, such as
manufacturing systems, etc., the presence of multiple tokens in a state machine module indicates a
multiplicity of identical resources, such as buffer spaces or identical machines. Hence the multiple
tokens initially should be assigned to the same place. The following example will clarify the
necessity for this restriction.
Example 6.5. In the net N
1
in Figure 6.7, ρ
max
cannot be expressed as a simple linear function
of a marking M but may be deﬁned as
ρ
max
(M, t) = min¦ M(p
2
), M(p
2
) +M(p
3
) −1,
M(p
2
) +M(p
4
) −1, M(p
2
) +M(p
3
) +M(p
4
) −2¦.
The problem here is that the sets P
t
and P
t
are different for the different places marked by the
initial marking. However, whenever these sets are identical for all the places marked by the initial
marking, even if they are more than one, the results of Proposition 6.4 are valid. We will assume
in the following, unless explicitly stated otherwise, that this initial marking condition is veriﬁed
on all state machine modules considered.
When two nets N
i
(i = 1, 2) are composed through a single transition t, the marking of the
overall net will be a subset of the cartesian product of the markings of the two modules. Given
a reachable marking M
i
on the net N
i
, the marking M = [M
T
1
M
T
2
]
T
will be reachable on the
composed net if and only if there is a sequence σ
i
reaching M
i
on the net N
i
(i = 1, 2), and
σ
1
(t) = σ
2
(t). If N
1
and N
2
are state machines, this requires that
[ρ
1
min
(M
1
, t), ρ
1
max
(M
1
, t)]
[ρ
2
min
(M
2
, t), ρ
2
max
(M
2
, t)] ,= ∅.
where the exponent i in ρ
i
min
(M
i
, t) and ρ
i
max
(M
i
, t) denotes that the ﬁring bound is computed on
the net N
i
. Clearly the two intervals will not be disjoint if and only if: ρ
1
min
(M
1
, t) ≤ ρ
2
max
(M
2
, t),
and ρ
2
min
(M
2
, t) ≤ ρ
1
max
(M
1
, t).
Theorem 6.8. When two state machines N
1
and N
2
are composed through a single transition t
the set of markings reachable from the initial marking M
0
for the composed net N = N
1
 N
2
is
given by the following set of linear inequalities /(N):
/(N
1
),
/(N
2
),
p∈P
1
t
\P
1
t
M(p) ≤ h
2
p∈P
2
t
M(p),
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 54
Figure 6.8: ECSM net in Example 6.6.
p∈P
2
t
\P
2
t
M(p) ≤ h
1
p∈P
1
t
M(p),
where:
• /(N
i
) (i = 1, 2), is the set of inequalities for the net N
i
(as derived with Algorithm 6.1);
• the set of places P
i
t
and P
i
t
belongs to N
i
(i = 1, 2), and are determined as in Deﬁnition 6.4;
• h
1
= 1 (h
2
= 1), if there is no cycle containing t in N
1
(N
2
), else h
1
(h
2
) is equal to the
number of tokens contained in net N
2
(N
1
). As noted before, we are using an approximated
linear bound for ρ
i
max
(M
i
, t).
Proof: Follows from Proposition 6.4 and the fact that if the last two inequalities are satisﬁed
there exists a ﬁrable sequence σ
i
for both modules that reaches M ↑
i
ﬁring t an equal number of
times. Hence the vector
(σ ∈ IN
m
) [σ ↑
1
= σ
1
, σ ↑
2
= σ
2
]
is a ﬁring count vector for N and by Theorem 6.5 there exists a ﬁrable sequence for the overall
net.
Example 6.6. Consider the composed system of Figure 6.8. The set of places of interest are:
P
1
t
= ¦p
2
¦,
P
1
t
= ¦p
1
¦,
P
2
t
= ¦p
4
, p
5
, p
6
, p
7
¦,
P
2
t
= ¦p
3
, p
4
, p
7
¦.
Since there is no cycle containing t in N
1
, then h
1
= 1, while, since there is a cycle containing t
in N
2
, h
2
= 3. The linear inequalities that deﬁne the space of reachable markings on N
1
is:
M(p
1
) +M(p
2
) = 3,
M(p
1
), M(p
2
) ≥ 0,
and on N
2
:
M(p
3
) +M(p
4
) +M(p
5
) +M(p
6
) +M(p
7
) = 2,
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 55
M(p
3
), M(p
4
), M(p
5
), M(p
6
), M(p
7
) ≥ 0.
Hence the set of reachable markings on the composed system is deﬁned by:
M(p
1
) +M(p
2
) = 3,
M(p
3
) +M(p
4
) +M(p
5
) +M(p
6
) +M(p
7
) = 2,
M(p
2
) ≤ 3(M(p
4
) +M(p
5
) +M(p
6
) +M(p
7
)),
M(p
5
) +M(p
6
) ≤ M(p
2
),
M ≥
0.
Note 6.4. The inequalities derived in Theorem 6.8 may not always be necessary. Suppose that on
one of the modules, say N
1
, one of the following conditions holds:
1. P
1
t
¸ P
1
t
= ∅. Hence
0 =
p∈P
1
t
\P
1
t
M(p) ≤ h
2
p∈P
2
t
M(p)
is always veriﬁed.
2. P
1
t
= P
1
. Here P
1
is the set of places of N
1
. In this case there is a cycle containing t and p
0
(the place marked by M
0
), and t may ﬁre inﬁnitely often in N
1
for each reachable marking.
Hence
p∈P
2
t
\P
2
t
M(p) ≤ h
1
p∈P
1
t
M(p)
is always veriﬁed.
In the following example we will show an example of a system in which the initial marking
marks more than one place.
Example 6.7. In the net N
1
in Figure 6.7, discussed in Example 6.5, we have
ρ
1
max
(M, t) = min¦ M(p
2
), M(p
2
) +M(p
3
) −1,
M(p
2
) +M(p
4
) −1, M(p
2
) +M(p
3
) +M(p
4
) −2¦,
ρ
1
min
(M, t) = 0.
Hence, when composing the module through transition t with another module N
2
the following
inequalities should be considered
/(N
1
),
/(N
2
),
ρ
2
min
(M, t) ≤ M(p
2
),
ρ
2
min
(M, t) ≤ M(p
2
) +M(p
3
) −1,
ρ
2
min
(M, t) ≤ M(p
2
) +M(p
4
) −1,
ρ
2
min
(M, t) ≤ M(p
2
) +M(p
3
) +M(p
4
) −2.
The case of a composition of two state machines through a set of transitions T
s
is now consid
ered.
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 56
Theorem 6.9. When two state machines N
1
and N
2
are composed through a set T
s
of transitions
and these transitions are looped in one of the nets, say N
2
, the set of markings reachable from the
initial marking M
0
for the composed net N = N
1
 N
2
is given by the following set of linear
inequalities /(N):
/(N
1
),
/(N
2
),
p∈P
1
T
s
\P
1
T
s
M(p) ≤ h
p∈P
2
T
s
M(p),
where:
• /(N
i
) (i = 1, 2), is the set of inequalities for the net N
i
(as derived with Algorithm 6.1);
• the sets of places P
i
T
s
and P
i
T
s
(i = 1, 2), belongs to N
i
, and are determined as in Deﬁni
tion 6.4;
• h is equal to the number of tokens contained in N
1
.
Proof: Given the special structure of N
2
, any reachable marking M
2
of N
2
may be reached
without ﬁring any transition in T
s
. Hence it is never possible, as suggested by the previous note,
that a ﬁring sequence on N
2
may require the ﬁring of more transitions in T
s
than a ﬁring sequence
on N
1
. Also, if a marking M
2
of N
2
may be reached by ﬁring a transition in T
s
, then any sequence
of transitions in T
s
may also be ﬁred. Hence the only constraint imposed by the composition of the
two modules is that for any marking M = [M
T
1
M
T
2
]
T
, if reaching M
1
requires the ﬁring of one
or more transition in T
s
, M
2
may be also be reached by ﬁring a transition in T
s
. This constraint is
expressed by the third inequality of /(N).
The following two theorems generalize Theorem 6.8 and Theorem 6.9 to the composition
of two ECSM (not only state machines) along simple paths (not only single transitions). These
theorems will be given without proof.
When two ECSM nets are composed along a simple path it is necessary to consider the pos
sibility that the path may belong to more than one state machine module on each net. Also the
places determined in Deﬁnition 6.4 are computed with respect to the ﬁrst transition of the path.
Theorem 6.10. Let N
1
and N
2
be two ECSM nets, i.e., N
i
= N
i,1
 . . .  N
i,n
i
(i = 1, 2), where
N
i,j
is a state machine. Assume N
1
and N
2
are to be composed through a simple path of transitions
θ = t
0
p
1
t
1
. . . p
r
t
r
that belongs to modules N
1,q
(q ∈ J
1
) and to modules N
2,s
(s ≤ J
2
). The set
of markings reachable from the initial marking M
0
for the composed net N = N
1
 N
2
is given
by the following set of linear inequalities /(N):
/(N
1
),
/(N
2
),
p∈P
1,q
t
0
\P
1,q
t
0
M(p) ≤ h
q,s
2
p∈P
2,s
t
0
M(p), (q ∈ J
1
, s ∈ J
2
),
p∈P
2,s
t
0
\P
2,s
t
0
M(p) ≤ h
q,s
1
p∈P
1,q
t
0
M(p), (q ∈ J
1
, s ∈ J
2
),
where:
• /(N
i
) is the set of inequalities for the net N
i
;
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 57
• the sets of places P
i,j
t
and P
i,j
t
(i = 1, 2; j ∈ J
i
),belongs to N
i,j
, and are determined as in
Deﬁnition 6.4;
• h
q,s
1
= 1 (h
q,s
2
= 1) if there does not exist a cycle containing the path θ in the net N
1,q
(N
2,s
). Else h
q,s
1
(h
q,s
2
) is equal to the number of tokens contained in the net N
2,s
(N
1,q
).
When two ECSM nets are composed along k simple paths, the paths are looped in one of
the nets, hence they belong to only one state machine module of the looped net. However, it is
necessary to consider the possibility that each path may belong to more than one state machine
module on the net that is not looped.
Theorem 6.11. Let N
1
and N
2
be two ECSM nets, i.e., N
i
= N
i,1
 . . .  N
i,n
i
(i = 1, 2),
where N
i,j
is a state machine. Assume N
1
and N
2
are to be composed through a k simple path
of transitions θ
j
= t
j
0
p
j
1
t
j
1
. . . t
j
r
j
(j = 1, . . . , k), and let T
s
= ¦t
1
0
, . . . , t
k
0
¦. Assume furthermore
that path θ
j
belongs to modules N
1,q
(q ∈ J
j
) and that all paths are looped in the module N
2,1
.
The set of markings reachable from the initial marking M
0
for the composed net N = N
1
 N
2
is
given by the following set of linear inequalities /(N):
/(N
1
),
/(N
2
),
p∈P
1
M(p) ≤ h
p∈P
2
M(p),
where:
• /(N
i
) is the set of inequalities for the net N
i
;
• P
1
is the set of places in N
1
that may be marked only by ﬁring a transition t ∈ T
s
:
P
1
=
k
_
j=1
_
q∈J
j
_
P
1,q
t
j
0
¸ P
1,q
t
j
0
_
,
while P
2
is the set of places in N
2
that may be marked ﬁring a transition t ∈ T
s
:
P
2
= P
2,1
T
s
;
• h is equal to the sum of the tokens contained in the nets N
1,q
(q ∈ J
j
) (j = 1, . . . , k).
We conclude this section pointing out that when state machines modules are composed to form
an ECSM, the number of equations of that deﬁnes the reachability set grows, in the worst case,
more than linearly. In the case of Theorem 6.10 we have to add 2 [J
1
[ [J
2
[ equations.
6.4 Supervisory Veriﬁcation
In this section the results developed so far are applied to the validation of supervisors for the
control of discrete event systems (DES).
Consider m discrete event systems, represented by the state machines N
1
, . . . , N
m
, working
concurrently. It is generally assumed that the set of transitions of all these systems are disjoint.
The speciﬁcations to be enforced on the joint behavior of these systems are represented by n
different state machines H
1
, . . . , H
n
, whose transitions are a subset of all the transitions of the N’s.
The procedure for determining a monolithic supervisor requires the construction, by concurrent
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 58
composition, of the net E = N
1
 . . .  N
m
 H
1
 . . .  H
n
. Recall that there exists a set of
ﬁnal markings associated to the N’s and H’s.
E and the nets N
i
(i = 1, . . . , n) will run in parallel, i.e., whenever a transition ﬁres on
one of the nets N
i
, it is also ﬁred in E. Furthermore, the transitions enabled in E at a given
marking represent the transitions that are allowed to ﬁre in the nets N
i
, while all other transitions
are disabled. The net E will represent a proper supervisor, if the following two properties are
ensured.
• Nonblockingness: the reachability set of the net E does not contain blocking markings, i.e.,
markings from which a ﬁnal marking cannot not be reached;
• Controllability: it is not possible to reach a marking fromwhich an uncontrollable transition,
belonging to the net N
i
, is enabled in N
i
but is not enabled in E.
In the following subsection it is discussed how these properties may be veriﬁed by Integer
Programming techniques in the case that E is an ECSM net. Clearly these restrictions heavily limit
the class of control problems that can be solved by our approach. However, it is possible to check
for these properties in more efﬁcient ways than by brute force state space search. Additionally,
as will be shown below, it may be the case that the model may be validated by simple Linear
Programming.
6.4.1 Blocking
Let ¸N, M
0
) be a marked net, and M
f
be a ﬁnal marking associated to it. For the sake of simplicity
assume that M
f
is the only ﬁnal marking of the net. The net N will be blocking if and only if
(∃M) [M ∈ R(N, M
0
), M
f
,∈ R(N, M)]
Now the set R(N, M
0
) of an ECSM net can be given as a convex linear set, as shown in
Section 3. Similarly the coreachability set of M
f
, i.e., the set ¦M [ M
f
∈ R(N, M)¦, can be
given in this form, according to the following proposition.
Proposition 6.5. Let N = (P, T, I, O) be a net. Given a marking M
f
of N, the coreachability set
of M
f
is identical to the reachability set from M
f
in the reversed net N
R
= (P, T, O, I), that is,
¦M [ M
f
∈ R(N, M)¦ = R(N
R
, M
f
).
Finally it is possible to check for the existence of blocking markings as follows.
Proposition 6.6. Let ¸N, M
0
) be a marked ECSM net and let M
f
be the ﬁnal marking associated
with it. Assume the reachability set of M
0
is given by the set PR
A
0
(N, M
0
) = ¦M ∈ IN
P
[
A
0
M ≥ A
0
M
0
¦, and the coreachability set of M
f
is given by the set PR
A
f
(N, M
f
) = ¦M ∈
IN
P
[ A
f
M ≥ A
f
M
f
¦, where
A
f
=
_
_
a
1
f
. . .
a
k
f
_
_
.
Then there exist a blocking marking M if and only if one or more of the following Constraint Sets
has an integer feasible solution (∀i = 1, . . . , k):
A
0
M ≥ A
0
M
0
, CS1
i
a
i
f
M ≤a
i
f
M
f
−1,
M ≥
0.
Proof: M is a blocking marking ⇐⇒ M ∈ R(N, M
0
) ∧ M
f
,∈ R(N, M) ⇐⇒ [A
0
M ≥
A
0
M
0
] ∧ [A
f
M ≥ A
f
M
f
] ⇐⇒ [A
0
M ≥ A
0
M
0
] ∧ [
_
k
i=1
a
i
f
M < a
i
f
M
f
] ⇐⇒
(∃i)[(A
0
M ≥ A
0
M
0
) ∧ (a
i
f
a
i
f
M
f
−1)].
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 59
Note that each constraint a
i
f
M <a
i
f
M
f
has been rewritten in the equivalent forma
i
f
M ≤
a
i
f
M
f
−1.
It is possible to relax the constraint that the vector M be integer and obtain a sufﬁcient con
dition for the validation of the net. In fact, if no real vector M satisﬁes the previous systems of
inequalities no blocking marking may be reached.
Note also that some of the constraints a
i
f
M ≥a
i
f
M
f
may be trivially veriﬁed by any marking
in R(N, M
0
). This is the case, for instance, for the constraints coming from the Psemiﬂows of
the net that are satisﬁed by the reachable and coreachable markings. Thus, we need not solve the
corresponding CS1
i
, as it clearly has no feasible solution.
6.4.2 Controllability
Consider the net E constructed by concurrent composition of all the systems and speciﬁcation
modules. Let t
q
∈ T
u
be an uncontrollable transition and assume that t
q
belongs to the system net
N
i
. (By the hypothesis that all the systems have disjoint transitions, a transition may belong to
only one net N, although it may belong to more than one speciﬁcation net H.) Let the preset of t
q
be:
•
t
q
= ¦p
0
q
, . . . , p
k
q
q
¦, where p
0
q
is a place of N
i
and p
j
q
(j > 0) is a place of some speciﬁcation
net H.
E is not controllable if and only if it is possible to reach a marking M such that an uncontrol
lable transition t
q
is enabled by M ↑
i
in N
i
, but it is not enabled by M in E. In other words, E is
not controllable if and only if
(∃t
q
∈ T
u
) (∃M) [M ∈ R(E, M
0
) ∧ M(p
0
q
) ≥ 1 ∧ (
k
q
j=1
M(p
j
q
) ≤ 0)].
Proposition 6.7. Let the reachability set of E be given by the set PR
A
(E, M
0
) = ¦M ∈ IN
P
[
AM ≥ AM
0
¦. Then E will not be controllable if and only if one or more of following Constraint
Sets has an integer feasible solution (∀t
q
∈ T
u
and ∀p
j
q
∈
•
t
q
j > 0)
A M ≥ A M
0
, CS2
q,j
M(p
0
q
) ≥ 1,
M(p
j
q
) ≤ 0,
M ≥
0.
Proof: E is not controllable ⇐⇒
(∃t
q
∈ T
u
) (∃M) [M ∈ R(E, M
0
) ∧ M(p
0
q
) ≥ 1 ∧ (
_
k
q
j=1
M(p
j
q
) ≤ 0)] ⇐⇒
(∃t
q
∈ T
u
) (∃M) (∃j) [A M ≥ A M
0
∧ M(p
0
q
) ≥ 1 ∧ M(p
j
q
) ≤ 0].
Also if the constraint that M be integer is relaxed, we may use Linear Programming to derive
a sufﬁcient condition for E to be controllable.
6.5 Conclusions
In this chapter we have deﬁned a class of P/T net, called Elementary Composed State Machine
nets. The reachability problem for this class can be solved by incidence matrix analysis. We
have shown how it is possible to derive a set of linear inequalities that exactly deﬁne the set of
reachable markings. Important properties of the net, such as the absence of blocking states or
controllability, may be studied by Integer Programming techniques. This approach may be used
to validate supervisors for the control of discrete event systems.
The main drawbacks of this approach is summarized as follows:
CHAPTER 6. INCIDENCE MATRIX ANALYSIS 60
• Integer Programming problems may be not be solved, in general, in polynomial time. How
ever we have also shown that it is possible to use Linear Programming techniques to derive
sufﬁcient conditions for supervisory validation.
• The model is limited, in the sense that there exist monolithic supervisors that cannot be
modeled as ECSM nets.
• Although a procedure to validate a supervisor is given here, the control problem is not di
rectly solved, in the sense that if the model does not have the desired properties the approach
does not directly lead to the construction of a proper supervisor.
Chapter 7
GENERALIZED MUTUAL
EXCLUSION CONSTRAINTS
7.1 Introduction
Mutual exclusion constraints are a natural way of expressing the concurrent use of a ﬁnite number
of resources, shared among different processes. In the framework of Petri nets and from a very
general perspective, we deﬁne a generalized mutual exclusion constraint (GMEC) as a condition
that limits a weighted sum of tokens contained in a subset of places [Giua 92b]. Let ¸N, M
0
) be a
net system with set of places P. A constraint ( w, k) deﬁnes a set of legal markings:
/( w, k) = ¦M ∈ IN
P
[ w
T
M ≤ k¦,
where w is a weight vector of nonnegative integers, and k is a positive integer. Markings in IN
P
that are not legal will be denoted forbidden markings.
In the ﬁrst part of this chapter we present a methodology, based on linear algebraic techniques
[Silva 92], to compare and simplify GMEC. An equivalence notion among GMEC is introduced
and studied from the point of view of structural net theory.
In traditional Petri net modeling all transitions are assumed to be controllable, i.e., may be
prevented from ﬁring by a control agent. A problem addressed for those systems with shared
resources has been that of deadlock prevention or avoidance [Banaszak 90, Viswanadham 90,
Zhou 91]. A single GMEC may be easily implemented by a monitor, i.e., a place whose initial
marking represents the available units of a resource and whose outgoing and incoming transitions
represent, respectively, the acquisition and release of units of the resource.
In the framework of Supervisory Control [Golaszewski 88], the complexity of enforcing a
GMEC is enhanced by the presence of uncontrollable transitions, i.e., transitions that may be
observed but not prevented from ﬁring by a control agent. To enforce a given GMEC, it is nec
essary to prevent the system from reaching a superset of the forbidden markings, containing all
those markings from which a forbidden one may be reached by ﬁring a sequence of uncontrollable
transitions. Unfortunately, in this case we prove that the set of legal markings cannot always be
represented by a linear domain in the marking space, thus there exist problems which do not have
a “monitorbased” solution.
In this context, the second part of this chapter discusses GMEC for systems represented as
marked graphs. The goal is that of constructing a supervisor capable of enforcing the constraints.
A solution to this problem has been given by Holloway and Krogh [Holloway 90, Holloway 92a,
Krogh 91]. In their approach, which may be deﬁned as fully interpreted, the control policy is
efﬁciently computed by an online controller as a feedback function of the marking of the system.
In this work, instead, we are interested in deriving a net based structure for the supervisor. We
61
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 62
will discuss and compare several solutions. Some of these models will be fully compiled, i.e., the
corresponding supervisor is represented by a P/T net, others will be partially compiled, i.e., the
corresponding supervisor is given as an interpreted net in which the ﬁring of some transitions not
only depends on the marking of the net but on the value of some boolean expressions as well.
The advantages of fully compiling the supervisor action in a net structure are:
• The computation of the control action is faster, since it does not require separate online
computation.
• The same Petri net system execution algorithms may be used for both the original system
and the supervisor.
• A closedloop model of the system under control may be built with standard net composition
constructions, and analyzed for properties of interest. Moreover, the structural theory of
Petri nets may be used to prove, without an exhaustive state space search, that the system
under control enjoys the properties.
On the other hand, partially compiled models are more ﬂexible in the sense that some inter
pretations may be used to implement complex control policies, whose corresponding net structure
may be exceedingly large.
The chapter is structured as follows. In Section 7.2, generalized mutual exclusions constraints
are deﬁned. If all transitions of the net are controllable, these constraints may be enforced by a
monitor place. If some of the transitions are uncontrollable, it is possible to prove that a monitor
based solution may not exist. In Section 7.3, we study the properties of marked graphs with the
addition of monitor places. In particular, we discuss a subclass of marked graphs for which there
is always a monitorbased solution, corresponding to a set of GMEC, even when some transitions
are uncontrollable. In Section 7.4, we present two different P/T structures for the supervisor
capable of enforcing GMEC for this subclass of marked graphs. In Section 7.5, we present two
different partially compiled net structures for the supervisor capable of enforcing GMEC for this
subclass of marked graphs. In Section 7.6, we compare the advantages and disadvantages of the
different control structures.
7.2 GMEC and Monitors
In this section we deﬁne a generalized mutual exclusion constraint (GMEC) as a condition that
limits the weighted sum of tokens in a set of places. We discuss the modeling power of this kind
of constraint and prove that only for restricted classes of systems a forbidden marking problem
may be expressed as a mutual exclusion problem. Then we study how GMEC may be enforced by
adding additional control structure, in the form of new places called monitors, to the net.
7.2.1 Generalized Mutual Exclusion Constraints
Deﬁnition 7.1. Let ¸N, M
0
) be a net system with set of places P. A single generalized mutual
exclusion constraint ( w, k) deﬁnes a set of legal markings
/( w, k) = ¦M ∈ IN
P
[ w
T
M ≤ k¦,
where w : P → IN is a weight vector, and k ∈ IN
+
. The support of w is the set Q
w
= ¦p ∈ P [
w(p) > 0¦.
A set of generalized mutual exclusion constraints (W,
k), with W = [ w
1
. . . w
m
] and
k =
(k
1
. . . k
m
)
T
, deﬁnes a set of legal markings
/(W,
k) =
m
i=1
/( w
i
, k
i
) = ¦M ∈ IN
P
[ W
T
M ≤
k¦.
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 63
As a particular case, when w ≤
1, i.e., w(p) = 1 (∀p ∈ Q
w
), the unweighted GMEC ( w, k)
is reduced to the set condition considered in [Krogh 91].
In the following we will discuss the redundancy and equivalence between constraints.
Deﬁnition 7.2. Let ¸N, M
0
) be a system. A GMEC ( w, k) is redundant with respect to (wrt) a set
of markings A ⊆ IN
P
if A ⊆ /( w, k).
A GMEC ( w, k) is redundant wrt a system ¸N, M
0
) if R(N, M
0
) ⊆ /( w, k).
A set of GMEC (W,
k), where W = [ w
1
. . . w
m
] and
k = (k
1
. . . k
m
)
T
, is redundant wrt
¸N, M
0
) if ( w
i
, k
i
) is redundant for all i = 1, . . . , m.
Linear programming techniques may be used to derive sufﬁcient conditions for redundancy.
Proposition 7.1. If the following Linear Programming Problem (LPP) has optimal solution x
∗
<
k + 1 then the GMEC ( w, k) is redundant wrt ¸N, M
0
):
x = max w
T
M
s.t. M = M
0
+C σ,
M, σ ≥
0.
Proof: If x
∗
< k + 1 then PR(N, M
0
) ⊆ /( w, k) and this implies that R(N, M
0
) ⊆
/( w, k).
The proposition gives a sufﬁcient condition for redundancy. There are classes of nets, such as
marked graphs (see Proposition 7.3), for which the condition is necessary and sufﬁcient [Colom 89].
Also for the nets for which PR(N, M
0
) = PR
B
(N, M
0
) we may equivalently check for redun
dancy solving the following linear programming problem:
x = max w
T
M
s.t. B
T
M = B
T
M
0
,
M ≥
0.
where B is a basis of Psemiﬂows of the net.
Deﬁnition 7.3. Two sets of GMEC(W
1
,
k
1
) and (W
2
,
k
2
) are equivalent wrt ¸N, M
0
) if R(N, M
0
)∩
/(W
1
,
k
1
) = R(N, M
0
) ∩ /(W
2
,
k
2
).
We may check for equivalence between constraints using the same approach we used to check
for redundancy. In fact from the deﬁnition it follows that two sets of GMEC(W
1
,
k
1
) and (W
2
,
k
2
)
are equivalent wrt ¸N, M
0
) if and only if (W
1
,
k
1
) is redundant wrt R(N, M
0
) ∩/(W
2
,
k
2
), and
(W
2
,
k
2
) is redundant wrt R(N, M
0
) ∩ /(W
1
,
k
1
).
Example 7.1. Consider the system in Figure 7.1a whose set of reachable markings is R(N, M
0
) =
¦M [
1
T
M = 3¦. Let ( w
1
, k
1
) and ( w
2
, k
2
) be two GMEC with: w
1
= (1330)
T
, k
1
= 5, and
w
2
= (0110)
T
, k
2
= 1.
To prove that the two constraints are equivalent wrt the system considered we may proceed as
follows. The LPP
x
1
= max w
T
1
M
s.t.
1
T
M = 3,
w
T
2
M ≤ 1,
M ≥
0,
has optimal value x
∗
1
= 5 < k
1
+ 1, hence by Proposition 7.1 R(N, M
0
) ∩ /( w
2
, k
2
) ⊆
/( w
1
, k
1
). The LPP
x
2
= max w
T
2
M
s.t.
1
T
M = 3,
w
T
1
M ≤ 5,
M ≥
0,
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 64
Figure 7.1: System in Example 7.1.
has optimal value x
∗
2
=
5
3
< k
2
+ 1, hence R(N, M
0
) ∩ /( w
1
, k
1
) ⊆ /( w
2
, k
2
). This proves
that the two constraints are equivalent for the given system.
The equivalence between constraints leads to the idea of simpliﬁcation of a constraint. Given
a constraint ( w, k), we may look for a simpler, but equivalent, constraint. A constraint ( w
, k
)
is simpler than ( w, k) if w
< w. In the next subsection we will see that simpler constraints
require simpler control structure to be enforced. The next example shows another advantage of
simplifying constraints.
Example 7.2. For the system in Figure 7.1a consider, in addition to the two constraints discussed
in Example 7.1, the constraint ( w
3
, k
3
) with: w
3
= (0330)
T
, k
3
= 5. By deﬁnition, ( w
2
, k
2
)
is simpler than ( w
3
, k
3
) that is simpler than ( w
1
, k
1
). It is immediate to see that /( w
3
, k
3
) =
/( w
2
, k
2
), i.e., ( w
3
, k
3
) is equivalent to ( w
2
, k
2
) wrt ¸N, M
0
). Since we have proved in Exam
ple 7.1 that ( w
1
, k
1
) is equivalent to ( w
2
, k
2
), the equivalence between ( w
1
, k
1
) and ( w
3
, k
3
) also
follows.
Note, however, that if we try to use a LPP to prove that ( w
1
, k
1
) is redundant wrt R(N, M
0
) ∩
( w
3
, k
3
) we have an inconclusive answer. In fact the LPP
x
1
= max w
T
1
M
s.t.
1
T
M = 3,
w
T
3
M ≤ 5,
M ≥
0,
has optimal value: x
∗
1
=
19
3
> 6, hence we cannot conclude that ( w
1
, k
1
) is redundant wrt
R(N, M
0
) ∩ ( w
3
, k
3
).
It is important, in the previous example, to pinpoint the advantage of using the simpler un
weighted constraint ( w
2
, k
2
) rather than the weighted one ( w
3
, k
3
) to prove equivalence to ( w
1
, k
1
).
The system considered in the example is a live marked graph, and the constraint set that deﬁnes
the set of reachable markings has integer extremal points, hence any optimal solution of the Lin
ear Programming Program is also a solution of the corresponding Integer Programming Problem.
This property is preserved if we add any number of unweighted constraints to the constraint set
that deﬁnes the set of reachable markings.
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 65
Figure 7.2: Reachable markings in Example 7.5.
7.2.2 Modeling Power of Generalized Mutual Exclusion Constraints
In this subsection we discuss the modeling power of GMEC, both weighted and unweighted.
The use of weights in the deﬁnition of ( w, k) may be a useful way to compactly express
more than one unweighted constraint, i.e., it may be the case that a weighted constraint may be
decomposed into a set of unweighted ones.
Example 7.3. In the case of safe (i.e., 1bounded) systems, the constraint ( w, k) with w =
(1234)
T
and k = 5 is equivalent to the set of constraints (W,
k) with
W =
_
_
1 1 1 0
0 1 0 1
0 0 1 1
_
_
,
and
k = (211)
T
. In fact /( w, k) ∩ ¦0, 1¦
4
= /(W,
k) ∩ ¦0, 1¦
4
.
We point out that there does not always exist a set of unweighted constraints equivalent to a
set of weighted ones.
Example 7.4. Consider again the system in Figure 7.1a. Let ( w, k) be a GMEC with: w =
(1200)
T
, k = 4. In Figure 7.2 we have represented the projection of the reachability set on the
ﬁrst two components, M(p
1
) and M(p
2
). Markings M
1
= (2100)
T
and M
2
= (0210)
T
are legal,
while marking M
3
= (1200)
T
is forbidden by ( w, k).
If there exists a set of unweighted constraints (W,
k) equivalent to ( w, k), then one of the
constraints in this set must be ( w
, k
), with w
=
1, such that M
1
, M
2
∈ /( w
, k
), and M
3
,∈
/( w
, k
). We will prove, by contradiction, that no such ( w
, k
) may exists. In fact, w
M
1
<
w
M
3
=⇒ w
(p
1
) < w
(p
2
), and w
M
2
< w
M
3
=⇒ w
(p
3
) < w
(p
1
). That is, in order
to have an unweighted constraint that forbids M
3
but that does not forbid M
1
and M
2
we need
to chose a w
such that (∀p) w
(p) ∈ ¦0, 1¦ and w
(p
3
) < w
(p
1
) < w
(p
2
). This is clearly
impossible.
For safe systems, however, the following theorem proves that any weighted constraint is equiv
alent to a set of unweighted constraints.
Theorem 7.1. Let ¸N, M
0
) be a safe system with set of places P and ( w, k) a weighted GMEC.
There exists a set of unweighted constraints (W,
k) equivalent to ( w, k) wrt ¸N, M
0
).
Proof: Consider the set of vectors V such that ∀v ∈ V the following conditions are veriﬁed:
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 66
C1. v ∈ ¦0, 1¦
P
;
C2. Q
v
⊆ Q
w
;
C3. w
T
v > k;
C4. (∀v
∈ ¦0, 1¦
P
, v
< v) w
T
v
≤ k.
Let (W,
k) be such that W = ( w
1
. . . w
r
) and
k = (k
1
. . . k
r
)
T
, where
r
_
i=1
¦ w
i
¦ = V,
and where (i = 1, . . . , r) k
i
=[Q
w
i
[ −1.
a) Let us prove R(N, M
0
) ∩ /( w, k) ⊆ /(W,
k).
M ∈ R(N, M
0
) ∩ /( w, k) =⇒ M ≤
1 ∧ w
T
M ≤ k =⇒ M ≤
1 ∧ (∀v ∈ V ) ∃p ∈ Q
v
÷
M(p) = 0 =⇒ (∀v ∈ V ) v
T
M ≤ k
i
=⇒ M ∈ /(W,
k).
b) Let us prove R(N, M
0
)∩/(W,
k) ⊆ /( w, k). It is enough to prove that M ∈ R(N, M
0
)∧
M ,∈ /( w, k) =⇒ M ,∈ /(W,
k).
M ∈ R(N, M
0
) ∧ M ,∈ /( w, k) =⇒ M ≤
1 ∧ w
T
M > k. Let v
0
be deﬁned as: if
p ∈ Q
w
then v
0
(p) = M(p) else v
0
(p) = 0. Clearly v
0
satisﬁes conditions C1C3 listed above.
We will show that there exists vector v
j
≤ v
0
and such that v
j
∈ V . Consider p
∈ Q
v
0
÷
(∀p ∈ Q
v
0
)w(p
) ≤ w(p). Let v
1
be a new vector such that: if p ,= p
then v
1
(p) = v
0
(p) else
v
1
(p) = 0. If w
T
v
1
≤ k stop else repeating this procedure construct v
2
, , v
j+1
such that
M ≥ v
0
> v
1
> > v
j+1
and w
T
v
j+1
≤ k while w
T
v
j
> k. This means that v
j
∈ V ,
hence v
T
j
M =[Q
v
j
[=⇒ M ,∈ /(W,
k).
In the rest of this subsection we will compare GMEC with the most general kind of constraint
that can be deﬁned on the markings of a system, the forbidden markings constraint [Holloway 92a].
A forbidden marking constraint consists of an explicit list of markings F that we want to forbid.
Let us now consider a net system ¸N, M
0
) and let F be any set of forbidden markings. Is it
possible to ﬁnd a set of GMEC(W,
k) equivalent to F, i.e., such that R(N, M
0
)¸F = R(N, M
0
)∩
/(W,
k)? In general the answer is no. In fact given three markings M
1
, M
2
, M
3
∈ R(N, M
0
)
with M
3
= (M
1
+ M
2
)/2 we have that M
1
, M
2
∈ /(W,
k) =⇒ M
3
∈ /(W,
k), since
/(W,
k) is a convex set. However F may be chosen such that M
1
, M
2
,∈ F and M
3
∈ F. This
proves that there may not exist an GMEC equivalent to a forbidden marking constraint.
However it is possible to prove that for some classes of nets there exists an GMEC equivalent
to any forbidden marking constraint.
Theorem 7.2. Let ¸N, M
0
) be a safe and conservative net system. Then given a set of forbidden
markings F there exists a set of GMEC (W,
k) such that R(N, M
0
) ¸F = R(N, M
0
) ∩/(W,
k).
Proof: Let us ﬁrst state two obvious facts.
1. If a net is safe there does not exist two different markings with the same support, i.e.,
M, M
∈ R(N, M
0
) ∧ Q
M
= Q
M
=⇒ M = M
.
2. If a net is conservative no marking is covering another one, i.e., (∀M ∈ R(N, M
0
)) ,∃M
∈
R(N, M
0
) ÷ M < M
.
Then, given a set of forbidden markings F we may forbid any M ∈ F with a constraint ( w, k)
where: w(p) = 1 if p ∈ Q
M
else w(p) = 0, and k =[Q
M
[ −1. Clearly M ,∈ /( w, k) and any
other marking M
∈ R(N, M
0
) is such that M
∈ /( w, k). Thus (W,
k) may be constructed as
the union of all the GMEC constraints forbidding a marking in F.
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 67
Figure 7.3: System in Example 7.6.
The requirement that the net be conservative may be shown necessary by the following exam
ple.
Example 7.5. Consider the 1bounded but not conservative system in Figure 7.3. The two possible
markings of the system are M
1
= (1) and M
2
= (0). Clearly for a set of forbidden markings
F = ¦(0)¦ it is not possible to ﬁnd an equivalent GMEC since (∀ w, k) w
T
M
2
≤ w
T
M
1
≤ k.
7.2.3 Monitors
A GMEC may be enforced on a system by a monitor.
Deﬁnition 7.4. Given a system ¸N, M
0
), with N = (P, T, Pre, Post), and a GMEC ( w, k), the
monitor that enforces this constraint is a new place S to be added to N. The resulting system is
denoted ¸N
S
, M
S
0
), with
N
S
= (P ∪ ¦S¦, T, Pre
S
, Post
S
).
Let C be the incidence matrix of N. Then N
S
will have incidence matrix
C
S
=
_
C
− w
T
C
_
.
We are assuming that there are no selﬂoops containing S in N
S
, hence Pre
S
and Post
S
may be
uniquely determined by C
S
. The initial marking of ¸N
S
, M
S
0
) is
M
S
0
=
_
M
0
k − w
T
M
0
_
.
We assume that the initial marking M
0
of the system satisﬁes the constraint ( w, k).
As an example, in Figure 7.1b we have represented the two monitors corresponding to the two
constraints discussed in Example 7.1.
We will use the following notation for system with monitors. Let X : P ∪ ¦S¦ → IN be a
vector. The projection of X on P is the restriction of X to P and will be denoted X ↑
P
. This
deﬁnition is extended in the usual way to the projection of a set of vectors A, i.e., A ↑
P
= ¦X ↑
P
[
X ∈ A¦.
Proposition 7.2. Let ¸N, M
0
) be a system, ( w, k) a GMEC, and ¸N
S
, M
S
0
) the system with the
addition of the corresponding monitor S.
1. The monitor S ensures that the projection on P of the reachability set of ¸N
S
, M
S
0
) is
contained in the set of legal reachable markings of ¸N, M
0
), i.e.,
R(N
S
, M
S
0
) ↑
P
⊆ R(N, M
0
) ∩ /( w, k).
2. The monitor S ensures that the projection on P of the potentially reachable set of ¸N
S
, M
S
0
)
is identical to the set of legal potentially reachable markings of ¸N, M
0
), i.e.,
PR(N
S
, M
S
0
) ↑
P
= PR(N, M
0
) ∩ /( w, k).
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 68
3. The monitor S minimally restricts the behavior of ¸N
S
, M
S
0
), in the sense that it prevents
only transition ﬁrings that yield forbidden markings.
4. The monitor S is a structurally implicit place in N
S
if and only if all places in Q
w
are
structurally bounded.
5. The monitor S is an implicit place in ¸N
S
, M
S
0
) if and only if ( w, k) is redundant in
¸N, M
0
).
Proof:
1] Clearly R(N
S
, M
S
0
) ↑
P
⊆ R(N, M
0
), since the addition of a place can only further con
strain the behavior of a system. To prove R(N
S
, M
S
0
) ↑
P
⊆ /( w, k), let M
S
∈ R(N
S
, M
S
0
) and
M = M
S
↑
P
. Then M
S
= M
S
0
+C
S
σ or, equivalently,
M = M
0
+C σ,
M
S
(S) = M
S
0
(S) − w
T
C σ = k − w
T
(M
0
+C σ) ≥ 0.
Hence w
T
M = w
T
(M
0
+C σ) ≤ k, i.e., M ∈ /( w, k).
2] With the same reasoning of the previous point we can immediately conclude that PR(N
S
, M
S
0
) ↑
P
⊆
PR(N, M
0
) ∩ /( w, k). Let us prove the reverse inclusion. Let M ∈ PR(N, M
0
) ∩ /( w, k),
i.e., ∃σ ≥ 0 such that
M = M
0
+C σ,
w
T
M ≤ k.
This implies that w
T
(M
0
+C σ) ≤ k, i.e., k − w
T
(M
0
+C σ) ≥ 0. Then we also have that
M
S
=
_
M
k − w
T
(M
0
+C σ)
_
is a non negative solution of M
S
= M
S
0
+C
S
σ, i.e., M
S
∈ PR(N
S
, M
S
0
).
3] Let σt ∈ L(N, M
0
) be such that: M
0
[σ)M[t)M
and σ ∈ L(N
S
, M
S
0
) be such that:
M
S
0
[σ)M
S
. We need to prove that σt ,∈ L(N
S
, M
S
0
) =⇒ w
T
M
> k. Let C(, t) be the column
of C corresponding to transition t. Then Pre
S
(S, t) −Post
S
(t, S) = −C
S
(S, t) = w
T
C(, t).
Since t is not enabled by marking M
S
and since there are no selﬂoops containing S, it follows
that
0 ≤ M
S
(S) < Pre
S
(S, t) =⇒ Post
S
(t, S) = 0,
i.e., Pre
S
(S, t) = w
T
C(, t). Then
k − w
T
M = M
S
(S) < Pre
S
(S, t) = w
T
C(, t),
from which follows
w
T
M
= w
T
[M +C(, t)] > k.
4] As shown in [Colom 89], S is structurally implicit in N
S
if and only if ∃Y ≥
0 such that
Y
T
C
S
≤ C
S
(S, ), where C
S
(S, ) = − w
T
C is the incidence vector of S in C
S
. Then: All
places in Q
w
are structurally bounded ⇐⇒ ∃Y
≥
0 such that Q
Y
⊇ Q
w
, Y
T
C ≤
0 ⇐⇒
∃a ∈ IR
+
such that Y = (aY
− w) ≥
0, Y
T
C
S
≤ − w
T
C ⇐⇒ S is structurally implicit in
N
S
.
5] Only if. S is implicit ⇐⇒L(N, M
0
) = L(N
S
, M
S
0
) =⇒R(N, M
0
) = R(N
S
, M
S
0
) ↑
P
⊆
/( w, k) ⇐⇒( w, k) is redundant in ¸N, M
0
).
If. We just need to prove that if ( w, k) is redundant in ¸N, M
0
) then L(N, M
0
) = L(N
S
, M
S
0
).
Clearly L(N, M
0
) ⊇ L(N
S
, M
S
0
), so we will prove that redundancy implies L(N, M
0
) ⊆ L(N
S
, M
S
0
).
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 69
Figure 7.4: A system not live under constraint.
Let σt ∈ L(N, M
0
) be such that: M
0
[σ)M[t)M
and σ ∈ L(N
S
, M
S
0
) be such that: M
S
0
[σ)M
S
.
Note that redundancy implies w
T
M
= w
T
[M +C(, t)] ≤ k. Then M
S
(S) = k − w
T
M ≥
w
T
C(, t) = Pre
S
(S, t)−Post
S
(t, S) and by the hypothesis that S is not contained in a selﬂoop
we have: M
S
(S) ≥ Pre
S
(S, t). This proves that σt ∈ L(N
S
, M
S
0
).
The addition of a monitor to the net structure modiﬁes the behavior of a system, in order to
avoid reaching markings that do not satisfy the corresponding GMEC. We pinpoint three facts:
• The addition of a monitor does not always preserve liveness of the system. In the system in
Figure 7.4, e.g., a monitor has been added to enforce the constraint M(p
3
) + M(p
4
) ≤ 1.
The system reaches a deadlock after the ﬁring of a single transition.
• Not all markings that satisfy the GMEC may be reached on the net with the addition of a
monitor. In the net in Figure 7.4, e.g., the marking (000011)
T
may not be reached even if
it satisﬁes the constraint M(p
3
) + M(p
4
) ≤ 1 because the net reaches a deadlock. In the
net in Figure 7.5, a monitor has been added to enforce the constraint M(p
1
) +M(p
3
) ≤ 1.
From the initial marking M
S
0
= (000111)
T
the marking M
S
= (100010)
T
will never be
reached even if the net is live.
• Even if liveness is preserved, the system may lose reversibility, as shown in the system in
Figure 7.5. In the same ﬁgure is shown the reachability graph of the original system (all
arcs and states) and of the system with monitor (only continuous arcs). The initial marking,
that satisﬁes the constraint, will never be reached again in the system with monitor.
7.2.4 Nets With Uncontrollable Transitions
We assume, now, that the set of transitions T of a net is partitioned into the two disjoints subsets
T
u
, the set of uncontrollable transitions, and T
c
, the set of controllable transitions. A controllable
transition may be disabled by the supervisor, a controlling agent which ensures that the behavior
of the system is within a legal behavior. An uncontrollable transition represents an event which
may not be prevented from occurring by a supervisor.
Given a system ¸N, M
0
) and a set of GMEC (W,
k), the set of legal markings is given as a
linear domain:
/(W,
k) = ¦M ∈ IN
P
[ W
T
M ≤
k¦.
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 70
Figure 7.5: A system not reversible under constraint.
In the presence of uncontrollable transitions, we need to further restrict the behavior of the sys
tem, avoiding all those markings from which a forbidden marking may be reached by ﬁring only
uncontrollable transitions. The set of legal marking is in this case:
/
c
(W,
k) = /(W,
k) ¸ ¦M ∈ IN
P
[ ∃M
,∈ /(W,
k) ÷ M[σ)M
∧ σ ∈ T
∗
u
¦,
i.e., we do not consider legal the markings that satisfy (W,
k) but from which a forbidden marking
may be reached by ﬁring only uncontrollable transitions. We need to introduce this restriction
because a ﬁring sequence σ ∈ T
∗
u
may not be prevented by a controlling agent.
It is possible to prove that there does not always exist a GMEC (W,
k) such that R(N, M
0
) ∩
/(W,
k) = R(N, M
0
) ∩ /
c
( w, k). Thus we may have cases in which does not exist a monitor
based solution to a given mutual exclusion problem.
Example 7.6. In the net in Figure 7.6, we have represented as empty boxes the controllable tran
sitions t
1
, t
2
, t
5
. Assume we want to enforce a constraint ( w, k) with w = (00100010)
T
and
k = 1, i.e., such that M(p
5
) +M(p
7
) ≤ 1. Is is easy to see that the markings M
1
= (2002001)
T
and M
2
= (0220001)
T
are in /
c
( w, k), but M = (1111001)
T
= (M
1
+ M
2
)/2 is not. This
proves that there does not exists a GMEC (W,
k) such that R(N, M
0
∩ /(W,
k) = R(N, M
0
) ∩
/
c
( w, k).
This shows that in presence of uncontrollable transitions, a problem of mutual exclusion is
transformed into a more general forbidden marking problem, which is a qualitatively different
problem, in the sense that it may not always be solved with the same techniques used in the case
that all transitions are controllable. Note, however, that for safe and conservative systems the result
of Theorem 7.2 ensures that, even if some transitions are not controllable, ( w, k) may be enforced
by a set of monitors.
We also discuss the concept of maximally permissible control policy [Krogh 87]. When all
transitions are controllable, we have proved that a monitor is capable of enforcing a given GMEC
( w, k), in the sense that it can ensure that only markings in /( w, k) will be reached by the system
under control (Proposition 7.2, part 1). It is also the case that whenever a transition t is prevented
from ﬁring by the monitor at a given marking M then M[t)M
∧M
,∈ /( w, k) (Proposition 7.2,
part 3). Thus any transition ﬁring that yields a legal marking is not forbidden and the behavior of
the system under control is the largest behavior that satisﬁes the constraint. We call this behaviour
maximally permissible following [Krogh 87].
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 71
Figure 7.6: Amutual exclusion problemwith uncontrollability that does not admit a monitorbased
solution.
In the case of uncontrollable transitions, the maximally permissible control policy should en
sure that: a) only markings in /
c
( w, k) will be reached by the system under control; b) all
transition ﬁrings that yield a marking in /
c
( w, k) should be allowed.
7.3 Generalized Mutual Exclusion Constraints on Marked Graphs
In this section we focus on a class of nets, the marked graphs (MG). In the ﬁrst subsection we
study the properties of marked graphs with the addition of monitors. In the second subsection
we present a general formalism for enforcing generalized mutual exclusion constraints on MG
with uncontrollable transitions. In the third subsection we restrict our attention to a particular
subclass of MG for which a solution to a mutual exclusion problem may be efﬁciently derived. In
Section 7.4 and Section 7.5 we will showseveral control structure capable of enforcing generalized
mutual exclusion constraints, in the presence of uncontrollable transitions, for this subclass.
7.3.1 Marked Graphs with Monitors
In the rest of this chapter, we will consider systems whose underlying net is a strongly connected
marked graph (MG). Strongly connected MG are structurally live and bounded.
Proposition 7.3 ([Murata 89]). Let ¸N, M
0
) be a MG system. Then
PR(N, M
0
) = B(N, M
0
).
If ¸N, M
0
) is a live MG system, then we also have that
R(N, M
0
) = PR(N, M
0
).
Proposition 7.4. Let ¸N, M
0
) be an MG system, (W,
k) be a set of GMEC, and let ¸N
S
, M
S
0
) be
the systemwith the addition of the corresponding monitors. Then PR(N
S
, M
S
0
) ↑
P
= B(N, M
0
)∩
/(W,
k).
Proof: Follows from Proposition 7.2, part 2, and Propositon 7.3.
According to this proposition it is possible to represent the potential reachability set of ¸N
S
, M
S
0
)
as a set of linear inequalities where the ﬁring count vector σ does not appear.
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 72
Proposition 7.5 ([Murata 89]). A connected MG has a single minimal tsemiﬂow, X =
1.
The introduction of a set of monitors corresponding to a set of GMEC does not change this
property. The resulting net will be a monotsemiﬂow net [Campos 91]. For monotsemiﬂow nets
deadlockfreeness is equivalent to liveness. The following proposition gives a sufﬁcient condition
for liveness.
Proposition 7.6. Let ¸N, M
0
) be a live MG system, (W,
k) a set of GMEC, and ¸N
S
, M
S
0
) the
system with the addition of the corresponding monitors. ¸N
S
, M
S
0
) is live if ∀M ∈ B(N, M
0
) ∩
/(W,
k), M is not a dead marking.
Proof: If no dead marking exists in PR(N
S
, M
S
0
) then no dead marking exists in R(N
S
, M
S
0
)
and the system is deadlockfree. This in turn implies liveness, since the net is a monotsemiﬂow
net.
Note that there may exist dead markings in B(N, M
0
) ∩ /(W,
k) that are not reachable
under control. These markings are called killing spurious markings in structural jargon. Thus the
previous proposition gives a sufﬁcient but not necessary condition for liveness. The next example
shows that, unfortunately, killing spurious markings may exists on marked graphs with monitors.
Example 7.7. Consider the system in Figure 7.7, whose reachability graph is also shown. Assume
we want to enforce the two constraints: 3M(p
1
) + M(p
3
) ≤ 9, and M(p
2
) + 3M(p
4
) ≤ 9.
The legal marking of this system under the constraints are shown in Figure 7.8. Let the initial
marking be M
0
= (2130)
T
. The dead marking M = (3003)
T
is in PR(N
S
, M
S
0
) ↑
P
, since
M ∈ B(N, M
0
) ∩ /(W,
k), but since it is never reachable the system is live.
Proving reversibility for a MG with monitors ¸N
S
, M
S
0
) is a harder task. Liveness and the
existence of repetitive sequence ﬁrable from M
0
are not sufﬁcient conditions for reversibility, as
shown in the following example.
Example 7.8. In the system in Figure 7.7 we want to enforce the two constraints: 2M(p
1
) +
3M(p
4
) ≤ 9, and 2M(p
2
) +3M(p
3
) ≤ 9. The legal marking of this system under the constraints
are shown in Figure 7.9. The system is live from any legal initial marking. However, from initial
marking M
0
= (0303)
T
the system is not reversible, even if there exist a repetitive sequence
ﬁrable from M
0
.
7.3.2 Control Subnet
In this subsection we discuss a general methodology for enforcing constraints on systems with
uncontrollable transitions. To enforce a constraint we need to prevent some transition ﬁring. Un
fortunately, we cannot prevent the ﬁring of an uncontrollable transition t ∈ T
u
. We may, however,
prevent the ﬁring of a set of controllable transitions (called control transitions of t) whose ﬁring is
required prior to the ﬁring of t.
Deﬁnition 7.5. Let N = (P, T, Pre, Post) be a net, and let t
i
∈ T
u
be an uncontrollable transi
tion.
The control subnet for t
i
is the subnet N
i
= (P
i
, T
i
, Pre
i
, Post
i
) where P
i
⊆ P is the set of
places connected to t by a path containing only uncontrollable transitions, T
i
=
•
P
i
∩ P
•
i
, and
Pre
i
= Pre ∩ (P
i
T
i
), Post
i
= Post ∩ (P
i
T
i
).
The set of control transitions for t is the set A
i
=
•
P
i
¸ P
•
i
. It is obvious that A
i
⊆ T
c
.
We may extend this deﬁnition to controllable transitions as well. Given a net N = (P, T, Pre, Post)
and a controllable transition t
i
∈ T
c
, the control subnet for t
i
is not deﬁned but the set of control
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 73
Figure 7.7: A marked graph system and its reachability graph.
Figure 7.8: Legal markings for the system in Figure 7 under the set of constraints shown.
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 74
Figure 7.9: Legal markings for the system in Figure 7 under the set of constraints shown.
transitions for t
i
is the set A
i
= ¦t
i
¦, i.e., the transition itself. This will allows us, in the following,
to use the same formalism for both controllable and uncontrollable transitions.
For marked graphs systems if it possible to analytically compute the dependency between the
ﬁring of an uncontrollable transition and the ﬁring of its control transitions. The advantage is that
this computation may be done on the structure of net, without resorting to the construction of the
space of reachable markings.
Proposition 7.7. Let ¸N, M
0
) be an MGsystemand t
i
one of its transitions. Let N
i
= (P
i
, T
i
, Pre
i
, Post
i
)
be the control subnet for t
i
, and let A
i
be the set of control transitions for t
i
.
1. T
i
⊆ T
u
. This means that A
i
∩ T
i
= ∅.
2. Given a marking M ∈ R(N, M
0
), the maximum number of times we may ﬁre t
i
without
ﬁring any transition in A
i
(the deviation bound between t
i
and A
i
) is
DB(M, t
i
, A
i
) = min¦td(M, t
, t
i
) [ t
∈ A
i
¦,
where td(M, t
, t
i
) is the token distance between transitions t
and t
i
, i.e., the minimum
token content among all possible direct paths from t
to t
i
at marking M.
Proof:
1] By contradiction, if t
∈ T
i
∩T
c
, then the input place of t
cannot be in P
i
, as its only output
transition is controllable, hence t
,∈ T
i
.
2] See Murata [Murata 89]. Note that the token distance DB(M, t, A
i
) may be computed
solely from the analysis of N
i
and its marking. Note also that if t
i
is controllable DB(M, t
i
, A
i
) =
DB(M, t
i
, t
i
) = 0.
We want to apply the ideas developed so far to the problem of enforcing GMEC on marked
graph systems. Given a constraint ( w, k), the problem is that of controlling the ﬁring of the input
transition of all places in Q
w
to ensure that the constraint is always veriﬁed. We will use the
following notation. Given a place p
i
∈ Q
w
we will denote:
• t
o
i
its output transition;
• t
i
its input transition;
• N
i
= (P
i
, T
i
, Pre
i
, Post
i
) the control subnet for t
i
;
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 75
Figure 7.10: Control subnets for the input transitions of places p
1
, p
2
, p
3
.
• A
i
= ¦t
1
i
, , t
n
i
i
¦ the set of control transitions for t
i
.
Example 7.9. In Figure 7.10 places p
1
, p
2
, p
3
belong to the support of a GMEC. We have rep
resented the control subnets for their input transitions, with the corresponding control transitions.
The remaining structure of the marked graph is not shown.
The deviation bound between an uncontrollable transition and its set of control transitions may
be used to deﬁne the set of legal markings /
c
( w, k) for a GMEC ( w, k) on marked graphs, under
the hypothesis discussed in the following.
Proposition 7.8. Let ¸N, M
0
) be an MG system and ( w, k) a GMEC. For each place p
i
∈ Q
w
, let
its input transition be t
i
. Assume that: (
p
i
∈Q
w
P
i
) ∩ Q
w
= ∅. Then the set of legal markings is
/
c
( w, k) = ¦M ∈ IN
P
[ w
T
(M +D
M
) ≤ k¦,
where D
M
(p
i
) = DB(M, t
i
, A
t
i
) if p
i
∈ Q
w
else D
M
(p
i
) = 0.
Proof: Proposition 7.7, part 1, and the assumption that no place p
i
belongs to the subnet of
any t
i
, implies that by ﬁring only uncontrollable transitions we may reach a new marking M
such
that M
(p
i
) = M(p
i
) +D
M
(p
i
).
The previous proposition may be used to deﬁne the maximally permissible control policy that
enforces the constraint ( w, k). Given a marked graph system ¸N, M
0
), the maximally permissible
control may be computed step by step as follows. Let A = (
p
i
∈Q
w
A
i
). Then from any marking
M ∈ R(N, M
0
):
• For each ﬁrable t ∈ A, compute M
÷ M[t)M
. If w
T
(M
+D
M
) ≤ k then t should be
left free to ﬁre else it should be disabled;
• All transitions in T
c
¸ A may be left free to ﬁre.
7.3.3 Control Safe Places
We will consider in the following a special class of MG systems introduced in the next deﬁnition.
Deﬁnition 7.6. A place p
i
of an MG system ¸N, M
0
) is said to be control safe if given its input
transition t
i
and its output transition t
o
i
, the deviation bound between any control transition in A
i
and both t
i
and t
o
i
is at most one for any reachable marking, i.e.,
(∀M ∈ R(N, M
0
) ∧ ∀t
∈ A
i
) [DB(M, t
, t
i
) ≤ 1 ∧ DB(M, t
, t
o
i
) ≤ 1].
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 76
It is possible to check for control safeness of a place, based solely on the net structure.
Proposition 7.9. Let ¸N, M
0
) be a live and bounded MG system. A place p
i
is control safe if and
only if ∀t ∈ A
i
there exists a cycle that contains p
i
and t and this cycle is marked with a single
token.
Given a GMEC ( w, k), we will assume that the places in Q
w
are control safe. We have
seen that if the net is safe there exists a monitorbased solution to any GMEC, even if not all
transitions are controllable. The restriction that the places in Q
w
be control safe has a similar
purpose. It will permit a simpliﬁcation of the problem, in the sense that will allow us to derive
other control structures, often more efﬁcient than a set of monitors. The different solutions are
shown in Section 7.4 and Section 7.5.
The idea here is that to check whether a place p
i
∈ Q
w
may be marked by a ﬁring sequence
of uncontrollable transitions we need to check only how many ﬁrings of transitions in A
i
have
occurred.
Proposition 7.10. Let ¸N, M
0
) be a MG system, and p
i
a control safe place of N. Let t
i
be the
input transition of p
i
, t
o
i
the output transition of p
i
, and A
i
the set of control transitions of t
i
, with
n
i
=[A
i
[. Then ∀M ∈ R(N, M
0
):
1. (∀t ∈ A
i
)[td(M, t, t
o
i
) ≤ 1];
2. M(p
i
) +D
M
(p
i
) ≤ 1;
3. M(p
i
) +D
M
(p
i
) = 1 ⇐⇒ (∀t ∈ A
i
)[td(M, t, t
o
i
) = 1].
Proof: Follows from the deﬁnition of control safe place.
We discuss a particular case that may arise for a given constraint ( w, k). Assume that p
j
1
∈ Q
w
is in the control subnet of place p
j
2
∈ Q
w
. Then p
j
1
and p
j
2
are in structural mutual exclusion,
i.e., by the hypothesis that their are control safe, they will never be marked simultaneously. Hence
/(w, k) = /( w
1
, k) ∩ /( w
2
, k), where: w
i
(p) = 0 if p = p
j
1
else w
i
(p) = w(p), i.e., the
constraint ( w, k) is equivalent to the set of constraints (W, k
1) = ¦( w
1
, k), ( w
2
, k)¦. Proof:
Trivially /( w, k) ⊆ /( w
1
, k) ∩ /( w
2
, k). To prove the reverse inclusion, assume M ∈
/( w
1
, k) ∩ /( w
2
, k). Then: if M(p
j
2
) > 0 then M(p
j
1
) = 0, and M ∈ /( w
1
, k) =⇒ M ∈
/( w, k) else M ∈ /( w
2
, k) =⇒ M ∈ /( w, k).
In the next section we will assume, without loss of generality, that no place p in Q
w
, p belongs
to the control subnet of another place p
in Q
w
.
7.4 Fully Compiled Models
In this section we present two different ways of enforcing a GMEC on MG systems with control
safe places. Both solutions are fully compiled, i.e., the corresponding control structure is a net
system as well.
7.4.1 Model 1: Monitorbased Controller
Deﬁnition 7.7. Let ¸N, M
0
) be a MG system and ( w, k) be an unweighted mutual exclusion
constraint, i.e., w ≤
1, deﬁned on it. We assume that M
0
∈ /
c
( w, k). Let Q
w
= ¦p
1
, . . . , p
r
¦
be a set of control safe places of N and assume that r =[ Q
w
[= k + 1. Given p
i
∈ Q
w
let
A
i
= ¦t
1
i
, . . . , t
n
i
i
¦ be the set of control transitions for t
i
and t
o
i
be the output transition of p
i
. The
monitor that enforces this constraint consists of a place S to be added to the original net with arcs
as follows:
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 77
Figure 7.11: Example of monitor.
• Pre(S, t) = 1 if t ∈ A
i
else Pre(S, t) = 0;
• Post(S, t) = n
i
if t = t
o
i
else Post(S, t) = 0.
The initial marking will assign s −1 tokens to place S where
s =[ ¦t [ t ∈ A
i
∧ td(M
0
, t, t
o
i
) = 0¦ [
i.e., s counts the number of control transitions that must ﬁre prior to the marking of all places in
Q
w
.
The previous deﬁnition assume that no transition will be selﬂooped with the monitor place.
E.g., a transition t will be selﬂooped if ∃i, j ÷ t = t
o
i
∧ t ∈ A
j
. In this case we need to eliminate
the arcs in selﬂoop from the preincidence and postincidence matrices.
Example 7.10. In Figure 7.11 we want to enforce the constraint
M(p
1
) +M(p
2
) +M(p
3
) ≤ 2
over the net in Figure 7.10. We have added a place S to the original system with the arcs shown
in dotted lines.
It is easy to see that a monitor constructed as in Deﬁnition 7.7 enforces the maximally permis
sible policy that ensures that the constraint ( w, k) will be satisﬁed. In fact the monitor prevents
only transition ﬁrings that lead to all markings M such that
(∀i = 1, . . . , r)(∀t ∈ A
i
)[td(M, t, t
o
i
) = 1],
which by Proposition 7.10 are the only illegal markings for unweighted constraints of this kind.
A set of constraints (W,
k) of this form may be enforced by adding several monitors.
Assume now ( w, k), with w ≤
1, is such that [Q
w
[> k + 1. The previous construction may
not be used. However the original constraint may be rewritten as a set of constraints according to
the following proposition.
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 78
Proposition 7.11. Let ( w, k) be a mutual exclusion constraint, with w ≤
1, and [Q
w
[> k + 1.
Then,
/( w, k) =
w
∈I
k+1
/( w
, k),
where I
k+1
= ¦ w ∈ ¦0, 1¦
P
[ w
≤ w, [Q
w
[= k + 1¦.
Proof: (⊆) is trivial. Let us prove (⊇). Any marking M ∈
w
∈I
k+1
/( w
, k) marks at most
k places in Q
w
, otherwise there exists w
∈ I
k+1
÷ Q
w
⊆ ¦p [ M(p) > 0¦ and M ,∈ /( w
, k).
Let w
∈ I
k+1
, be a weight vector whose support contains all the places marked by M. Clearly
M ∈ /( w
, k) =⇒ M ∈ /( w, k).
The previous proposition shows that the unweighted constraint ( w, k), with w ≤
1 and [Q
w
[>
k + 1, is equivalent to the set of constraints (W, k
1) = ¦( w
, k) [ w
∈ I
k+1
¦, hence may be
enforced by a set of monitors. However the problem is that there are
_
[Q
w
[
k + 1
_
different subsets
of Q
w
of cardinality k + 1. Thus in the worst case the number of monitors is exponential with
respect to the cardinality of Q
w
.
The monitor based construction may also be used, when the weight of the places is not unitary,
explicitly rewriting the set of unweighted constraints equivalent to the single weighted constraint.
We have proved in Theorem 7.1 that this is always possible for the class of nets considered here.
7.4.2 Model 2: Compiled Supervisor
In this section we consider a net supervisor, capable of enforcing a set of GMEC. We assume that
the supervisor observes the execution of the unconstrained systemand at any given instant provides
a control pattern, i.e., speciﬁes which controllable transitions are allowed to ﬁre. The control
pattern is implicit in the transition structure of the supervisor, in the sense that a controllable
transition that belongs to the supervisor structure is enabled by the control pattern if and only if it
is enabled by the marking of the supervisor net.
Deﬁnition 7.8. Let ¸N, M
0
) be a MG system and ( w, k) be a GMEC. We assume that M
0
∈
/
c
( w, k). Let Q
w
= ¦p
1
, . . . , p
r
¦ be a set of control safe places. Given p
i
∈ Q
w
let A
i
=
¦t
1
i
, . . . , t
n
i
i
¦ be the set of control transitions for t
i
and t
o
i
be the output transition of p
i
. The
compiled supervisor that enforces this constraint is S = (P
S
, T
S
, Pre
S
, Post
S
) with:
• P
S
= ¦p
0
, p
1
, p
1
, p
1
, p
2
, . . . , p
r
, p
r
, p
r
¦;
• T
S
= A
1
∪ A
1
∪ A
2
. . . ∪ A
r
∪ A
r
∪ ¦t
o
1
, . . . , t
o
r
¦ where A
i
and A
i
are sets of transitions
synchronized with A
i
;
• Pre
S
and Post
S
are such that:
– Pre
S
(p
0
, t) = w(p
i
) if t ∈ A
i
else Pre
S
(p
0
, t) = 0;
– Post
S
(p
0
, t) = w(p
i
) if t = t
o
i
else Post
S
(p
0
, t) = 0;
– Pre
S
(p
i
, t) = 1 if t ∈ A
i
else Pre
S
(p
i
, t) = 0;
– Post
S
(p
i
, t) = n
i
−1 if t = t
o
i
else Post
S
(p
i
, t) = 0;
– Pre
S
(p
i
, t) = n
i
−1 if t ∈ A
i
else Pre
S
(p
i
, t) = 0;
– Post
S
(p
i
, t) = 1 if t ∈ A
i
else Post
S
(p
i
, t) = 0;
– Pre
S
(p
i
, t) = 1 if t = t
o
i
else Pre
S
(p
i
, t) = 0;
– Post
S
(p
i
, t) = 1 if t ∈ A
i
else Post
S
(p
i
, t) = 0.
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 79
Figure 7.12: Example of compiled supervisor.
The initial marking of S is M
S
0
such that, ∀i = 1, . . . , r,
if [M
0
(p
i
) +D
M
0
(p
i
) = 1]
then [M
S
0
(p
i
) = M
S
0
(p
i
) = 0 ∧ M
S
0
(p
i
) = 1]
else [M
S
0
(p
i
) =[ ¦t ∈ A
i
[ td(M
0
, t, t
o
i
) = 0¦ [ −1
∧M
S
0
(p
i
) = n
i
−1 −M
S
0
(p
i
)
∧M
S
0
(p
i
) = 0],
and M
S
0
(p
0
) = k −
r
i=1
w(p
i
)M
S
0
(p
i
).
Example 7.11. In Figure 7.12 we show the supervisor that may be used to enforce the constraint
w(p
1
)M(p
1
) +w(p
2
)M(p
2
) +w(p
3
)M(p
3
) ≤ k over the net shown in Figure 7.10.
In the example in Figure 7.12 we have represented the set of parallel transitions A
i
and A
i
as
a single transition. Whenever the system executes a transition t ∈ A
i
, the corresponding transition
in A
i
or A
i
will ﬁre. Note that the behavior is deterministic, since if a transition in A
i
is enabled,
the corresponding transition in A
i
is not, and conversely. For the computation of the control
pattern, a transition in A
i
is enabled by the control pattern if the corresponding transition in A
i
or
in A
i
is enabled.
In the previous deﬁnition we have assumed that:
• (∀i = 1, . . . , r) n
i
> 1. If n
i
= 1 we may remove the places p
i
and p
i
and the set of
transitions A
i
.
• (∀i ,= j) A
i
∩A
j
= ∅. If this is not the case, we need to slightly change the structure of the
supervisor by merging the transitions of A
i
and A
i
in common with A
j
and A
j
We want to show that the supervisor constructed according to Deﬁnition 7.8 enforces the
required maximally permissible policy. We note ﬁrst that given a marking M of the system and a
corresponding marking M
S
of the supervisor we have that (∀i = 1, . . . , r)[M(p
i
) + D
M
(p
i
) =
M
S
(p
i
)]. Since the place p
0
is enforcing the constraint
r
i=1
w(p
i
)M
S
(p
i
) ≤ k we have, by
Proposition 7.8, that the supervisor enforces the required policy.
In the case of a set of constraints (W,
¯
k) = ¦( w
1
, k
1
), . . . , ( w
m
, k
m
)¦ we need to construct a
supervisor for each single constraint ( w
i
, k
i
). Should a controllable transition belong to more that
one supervisor, say S
i
1
and S
i
2
, it will be enabled by the control pattern if and only if it is enabled
on both S
i
1
and S
i
2
.
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 80
7.5 Partially Compiled Models
The net structure of the supervisor may be further simpliﬁed. For instance we may avoid repeating
the set of transitions A
i
. However we need to add additional control structure by introducing
transitions with an associated interpretation. This partially destroys the possibility of analyzing
the net with traditional PN techniques. The advantage, however, is that the “partially interpreted”
supervisors that we discuss here may be easily modiﬁed to enforce constraints on any kind of MG
system. We will not discuss these modiﬁcations.
7.5.1 Model 3: NonDeterministic Partially Compiled Supervisor
Deﬁnition 7.9. Let ¸N, M
0
) be a MG system and ( w, k) be a GMEC. We assume that M
0
∈
/
c
( w, k). Let Q
w
= ¦p
1
, . . . , p
r
¦ be a set of control safe places. Given p
i
∈ Q
w
let A
i
=
¦t
1
i
, . . . , t
n
i
i
¦ be the set of control transitions for t
i
and t
o
i
be the output transition of p
i
. The non
deterministic partially compiled supervisor that enforces this constraint is S = (P
S
, T
S
, Pre
S
, Post
S
)
with:
• P
S
= ¦p
0
, p
1
, p
1
, p
1
, p
2
, . . . , p
r
, p
r
, p
r
¦;
• T
S
= A
1
∪A
2
∪. . . ∪A
r
∪¦t
o
1
, . . . , t
o
r
¦ ∪¦π
1
, π
2
, . . . , π
r
¦ where each π
i
is a transition to
which a predicate is associated;
• Pre
S
and Post
S
are such that:
– Pre
S
(p
0
, t) = w(p
i
) if t = π
i
else Pre
S
(p
0
, t) = 0;
– Post
S
(p
0
, t) = w(p
i
) if t = t
o
i
else Post
S
(p
0
, t) = 0;
– Pre
S
(p
i
, t) = 1 if t = π
i
else Pre
S
(p
i
, t) = 0;
– Post
S
(p
i
, t) = 1 if t = t
o
i
else Post
S
(p
i
, t) = 0;
– Pre
S
(p
i
, t) = 1 if t ∈ A
i
else Pre
S
(p
i
, t) = 0;
– Post
S
(p
i
, t) = n
i
−1 if t = t
o
i
else [Post
S
(p
i
, t) = 1 if t = π
i
else Post
S
(p
i
, t) = 0];
– Pre
S
(p
i
, t) = n
i
if t = t
o
i
else Pre
S
(p
i
, t) = 0;
– Post
S
(p
i
, t) = 1 if t ∈ A
i
else Post
S
(p
i
, t) = 0;
The initial marking of S is M
S
0
such that, ∀i = 1, . . . , r,
if [M
0
(p
i
) +D
M
0
(p
i
) = 1]
then [M
S
0
(p
i
) = M
S
0
(p
i
) = 0 ∧ M
S
0
(p
i
) = n
i
]
else [M
S
0
(p
i
) = 1
∧M
S
0
(p
i
) =[ ¦t ∈ A
i
[ td(M
0
, t, t
o
i
) = 0¦ [ −1
∧M
S
0
(p
i
) = n
i
−M
S
0
(p
i
) −M
S
0
(p
i
)],
and M
S
0
(p
0
) = k −
j∈J
w(p
i
), where J = ¦i [ M
S
0
(p
i
) = 0¦.
The predicate associated to the transitions π
i
are used to implement the control policy. The
ﬁring of transition π
i
will allow place p
i
to be marked.
Example 7.12. In Figure 7.13 we show the supervisor that may be used to enforce the constraint
w(p
1
)M(p
1
) +w(p
2
)M(p
2
) +w(p
3
)M(p
3
) ≤ k over the net shown in Figure 7.10.
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 81
Figure 7.13: Example of nondeterministic partially compiled supervisor.
The supervisor constructed according to Deﬁnition 7.9 will permit the system to reach only
legal markings. In fact, given a marking M of the system and a corresponding marking M
S
of the
supervisor we have that (∀i = 1, . . . , r)[M(p
i
) + D
M
(p
i
) = 1 ⇐⇒ M
S
(p
i
) = n
i
]. Since the
place p
0
is enforcing the constraint
i∈J
w(p
i
) ≤ k, with J = ¦i [ M
S
(p
i
) + M
S
(p
i
) = n
i
¦,
we have, by Proposition 7.8, that the supervisor will allow only legal markings to be reached.
This control policy is also maximally permissible, as shown in [Krogh 91], if two or more control
transitions may ﬁre simultaneously.
The supervisor has been called nondeterministic because we decide a priori which place in
Q
w
will be allowed to be marked.
7.5.2 Model 4: Deterministic Partially Compiled Supervisor
Deﬁnition 7.10. Let ¸N, M
0
) be a MG system and ( w, k) be a GMEC. We assume that M
0
∈
/
c
( w, k). Let Q
w
= ¦p
1
, . . . , p
r
¦ be a set of control safe places. Given p
i
∈ Q
w
let A
i
=
¦t
1
i
, . . . , t
n
i
i
¦ be the set of control transitions for t
i
and t
o
i
be the output transition of p
i
. The deter
ministic partially compiled supervisor that enforces this constraint is S = (P
S
, T
S
, Pre
S
, Post
S
)
with:
• P
S
= ¦p
0
, p
1
, p
1
, p
2
, . . . , p
r
, p
r
¦;
• T
S
= A
1
∪ A
2
∪ . . . ∪ A
r
∪ ¦t
o
1
, . . . , t
o
r
¦ ∪ ¦π
1
, π
1
, π
2
, . . . , π
r
, π
r
¦ where π
i
and π
i
are
transitions to which a predicate is associated;
• Pre
S
and Post
S
are such that:
– Pre
S
(p
0
, t) = 1 if t = π
i
else Pre
S
(p
0
, t) = 0;
– Post
S
(p
0
, t) = 1 if [t = t
o
i
or t = π
i
] else Post
S
(p
0
, t) = 0;
– Pre
S
(p
i
, t) = 1 if t ∈ A
i
else Pre
S
(p
i
, t) = 0;
– Post
S
(p
i
, t) = n
i
−1 if t = t
o
i
else [Post
S
(p
i
, t) = 1 if t = π
i
else Post
S
(p
i
, t) = 0];
– Pre
S
(p
i
, t) = n
i
if t = t
o
i
else Pre
S
(p
i
, t) = 0;
– Post
S
(p
i
, t) = 1 if t ∈ A
i
else Post
S
(p
i
, t) = 0;
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 82
Figure 7.14: Example of deterministic partially compiled supervisor.
The initial marking of S is M
S
0
such that, ∀i = 1, . . . , r,
if [M
0
(p
i
) +D
M
0
(p
i
) = 1]
then [M
S
0
(p
i
) = 0 ∧ M
S
0
(p
i
) = n
i
]
else M
S
0
(p
i
) =[ ¦t ∈ A
i
[ td(M
0
, t, t
o
i
) = 0¦ [ −1
∧M
S
0
(p
i
) = n
i
−M
S
0
(p
i
)],
and M
S
0
(p
0
) = r− [ ¦i [ M
S
0
(p
i
) = n
i
¦ [.
The predicate associated to the transitions π
1
and π
1
are used to implement the control policy.
Let J = ¦i [ M(p
i
) = n
i
¦ and let v =
i∈J
w(p
i
). Then:
• π
i
= TRUE if [M(p
i
) +M(p
i
) = n
i
−1] ∧ [v +w(p
i
) ≤ k] else π
i
= FALSE;
• π
i
= TRUE if [M(p
i
) +M(p
i
) = n
i
] ∧ [v +w(p
i
) > k] else π
i
= FALSE.
Example 7.13. In Figure 7.14 we show the supervisor that may be used to enforce the constraint
w(p
1
)M(p
1
) + w(p
2
)M(p
2
) + w(p
3
)M(p
3
) ≤ k over the net shown in Figure 7.10. Note that
the structure of the supervisor does not depend on the weight vector w and on the integer k, that
affect only the value of the predicates π
1
and π
1
.
It is difﬁcult to show that this supervisor is actually implementing the maximally permissible
control policy because of the predicates associated to the transitions π
i
and π
i
. Note however that
given a marking M of the system and a corresponding marking M
S
of the supervisor, we have
that (∀i = 1, . . . , r)[M(p
i
) + D
M
(p
i
) = 1 ⇐⇒ M
S
(p
i
) = n
i
]. The transitions π
i
will remove
the token necessary to reach M
S
(p
i
) = n
i
whenever the marking of place p
i
would violate the
constraint.
7.6 Comparison of the Models
The monitorbased controller is an extension to systems with uncontrollable transitions of the
controller studied in Section 7.2 for nets with only controllable transitions. Thus all the structural
properties of monitors may be used to analyze the system under control. The drawback is that it
may require an exceedingly large number of monitors. However, in those cases in which it may
be used efﬁciently, it is the simpler and most straightforward solution.
CHAPTER 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 83
The compiled supervisor has the advantage of always requiring a compact structure that grows
linearly with the number of places in the support of the weight vector. However, since it requires
all control transitions to be represented twice, it leads to a closedloop model which is difﬁcult to
analyze.
The nondeterministic partially compiled supervisor implements a policy slightly different
from all other models. This policy is the same derived by Holloway and Krogh [Holloway 92a].
However our model does not require online computation, since the structure of the supervisor
ensures that only legal markings may be reached. The predicates associated to the transitions may
be used to implement different runtime policies, as suggested in [Krogh 91].
The deterministic partially compiled supervisor has the simpler structure but its behavior
strongly depends on the predicates associated to the transitions. Thus it is at the same time the
simpler model to implement and the most difﬁcult to analyze.
7.7 Conclusions
We have presented and studied a class of speciﬁcations, called generalized mutual exclusion con
straints. These speciﬁcations on a net system where all transitions are controllable may be easily
enforced by a set of places called monitors. Unfortunately, we have shown that this technique is
not always applicable when some of the transitions of the net are uncontrollable.
For some classes of nets, we have proved that GMEC may always be enforced by monitors,
even in the presence of uncontrollable transitions. For one of these particular classes, marked
graphs with control safe places, we compared a monitorbased solution of mutual exclusion prob
lems with several supervisory based solutions.
Chapter 8
CONCLUSIONS AND FUTURE
RESEARCH
8.1 Original Contributions
The thesis has discussed the use of Petri nets as discrete event models for Supervisory Control. The
approach we have followed is different from previous Petri net based approaches [Holloway 90,
Ushio 89]. In fact, we use Petri net models to represent not only the system under control but the
supervisor as well.
The original contributions consist of four major parts.
1. Petri net languages for Supervisory Control.
2. Design of supervisors.
3. Validation of Petri net supervisors.
4. Efﬁcient construction of control structure.
8.1.1 Petri Net Languages for Supervisory Control
We have explored the closure properties of Petri net languages under the operators used in Super
visory Control: preﬁx closure, and supremal controllable sublanguage. Our results show that Petri
net languages are not closed under these operators.
It was known from previous work [Wonham 87] that regular languages are closed under these
operators. Thus, we face a tradeoff. If we restrict ourselves to the use of bounded or conservative
PN models, which have a ﬁnite reachability set and generate regular languages, we are sure to
have a Petri net supervisor for any given control problem. If we want to use of the full language
power of Petri nets models, we may consider unbounded Petri net models, but now not all control
problems may be solved by a Petri net supervisor.
We have also deﬁned a new class of Petri net languages, called DPclosed languages and
denoted L
DP
. The languages in this class are those Ltype Petri net languages (terminal Petri net
languages) whose preﬁx language is a Ptype Petri net language (preﬁx Petri net language). Unlike
all other known classes of Petri net languages, the class L
DP
is not closed under intersection.
As a ﬁnal result, we have given necessary and sufﬁcient conditions for the existence of Petri
net supervisors when the system’s behavior and the legal behavior are deterministic Petri net lan
guages.
The closed behavior L(G) of system G may be restricted to a legal behavior L ⊆ L(G) if and
only if L is: a) a preﬁx Petri net language; b) deterministic; c) controllable. The marked behavior
84
CHAPTER 8. CONCLUSIONS AND FUTURE RESEARCH 85
L
m
(G) of system G may be restricted to a legal behavior L ⊆ L
m
(G) if and only if L is: a) a
DPclosed Petri net language; b) L
m
(G)closed; c) controllable.
8.1.2 Supervisory Design
Based on the monolithic supervisory design, as formulated in [Wonham 88a], we have presented
a design based on the concurrent composition operator. This design is well suited for Petri nets
models.
The design requires two steps. In the ﬁrst step, a coarse structure for a supervisor is synthe
sized by means of concurrent composition of different modules, representing the system and the
speciﬁcations we want to enforce on the system’s behavior.
This composition may be easily performed, using Petri net models, by merging transitions
labeled by the same symbols. Since the composition is performed on the structure of the net, the
same ﬁnite procedure may be used to compose nets with ﬁnite or inﬁnite reachability sets. The
ﬁnal Petri net model represents a closed loop model of the controlled system in which it is still
possible to identify the composed modules.
The generator constructed in the ﬁrst step of the algorithm will be a proper supervisor if it
is nonblocking and if the language it generates is controllable. These properties may be easily
expressed in term of net properties, as we have seen.
In the second step, the generator constructed in the ﬁrst step of the algorithm is reﬁned to
obtain a nonblocking and controllable generator. In particular, we have discussed how to reﬁne
a coarse structure for a supervisor, by introducing new arcs and possibly duplicating transitions,
to avoid reaching undesirable markings.. This procedure may always be applied when the net is
conservative. In this reﬁnement, the modular structure of the net is preserved, but in some cases it
may be necessary to introduce a large number of transitions.
We have also compared Petri nets and state machines models, showing the advantages of using
Petri nets for the design of supervisors.
8.1.3 Validation of Petri Net Supervisors
A well known Petri net analysis technique is based on the incidence matrix analysis. We have stud
ied how this technique may be used to validate supervisors obtained by concurrent composition of
several modules.
We have deﬁned a class of P/T net, called Elementary Composed State Machine (ECSM) nets,
showing how to derive a set of linear inequalities that exactly deﬁne the set of reachable markings.
ECSM nets are nets obtained by concurrent composition of state machine modules. We restrict the
type of compositions considered, in order to guarantee some important properties. The two basic
compositions are: a) compositions of nets along a simple path; b) compositions of nets along a
set of simple paths that are looped in one of the nets. The class of Elementary Composed State
Machines can model both choice and concurrent behavior.
We have also discussed the difference of our approach with respect to other classical methods
based on incidence matrix analysis. We use a set of linear inequalities to deﬁne the reachability set;
these inequalities are obtained by the computation of the basic traps of the state machine modules
that compose an ECSM, and by the ﬁring bounds of the composed transitions.
Important properties of the net, such as the absence of blocking states or controllability, may
be studied by Integer Programming techniques. We have shown how this approach may be used
to validate ECSM supervisors.
CHAPTER 8. CONCLUSIONS AND FUTURE RESEARCH 86
8.1.4 Efﬁcient Construction of Control Structure
We have presented and studied a class of speciﬁcations for Petri net models, called generalized
mutual exclusion constraints (GMEC), that may be used to express the concurrent use of a ﬁnite
number of resources, shared among different processes.
A GMEC limits a weighted sum of tokens contained in a subset of places; all markings that
do not satisfy the constraint are called forbidden. GMEC are a mild generalization of mutual
exclusion constraints considered by other authors [Krogh 91, Zhou 91], due to the fact that the
weights we consider are deﬁned in IN, rather than in ¦0, 1¦. We have presented a methodology,
based on linear algebraic techniques, to compare and simplify GMEC. An equivalence notion
among GMEC has been introduced and studied from the point of view of structural net theory.
A single GMEC may be easily implemented by a monitor, i.e., a place whose initial marking
represents the available units of a resource and whose outgoing and incoming transitions represent,
respectively, the acquisition and release of units of the resource.
In the framework of Supervisory Control, the complexity of enforcing a GMEC is enhanced by
the presence of uncontrollable transitions, i.e., transitions that may be observed but not prevented
from ﬁring by a control agent. To enforce a given GMEC, it is necessary to prevent the system
from reaching a superset of the forbidden markings, containing all those markings from which a
forbidden one may be reached by ﬁring a sequence of uncontrollable transitions. Unfortunately,
in this case we have proven that the set of legal markings cannot always be represented by a linear
domain in the marking space, thus there exist problems which do not have a “monitorbased”
solution.
In this context, we have discussed GMEC for systems represented as marked graphs with con
trol safe places. The goal is that of constructing a supervisor capable of enforcing the constraints.
A solution to this problem has been given by Holloway and Krogh [Krogh 91]. In their approach,
which may be deﬁned as fully interpreted, the control policy is efﬁciently computed by an online
controller as a feedback function of the marking of the system. We have studied, instead, how
a net structure for the supervisor may be constructed. We have discussed and compared several
solutions. Some of these models are fully compiled, i.e., the corresponding supervisor is repre
sented by a P/T net, others are partially compiled, i.e., the corresponding supervisor is given as an
interpreted net in which the ﬁring of some transitions depends not only on the marking of the net
but on the value of some boolean expressions as well.
The advantages of fully compiling the supervisor action in a net structure are:
• The computation of the control action is faster, since it does not require separate online
computation.
• The same Petri net system execution algorithms may be used for both the original system
and the supervisor.
• A closedloop model of the system under control may be built with standard net composition
constructions and analyzed for properties of interest. Moreover, structure theory of Petri
nets may be used to prove, without an exhaustive state space search, that the system under
control enjoys the properties.
On the other hand, partially compiled models are more ﬂexible in the sense that some inter
pretations may be used to implement complex control policies, whose corresponding net structure
may be exceedingly large.
CHAPTER 8. CONCLUSIONS AND FUTURE RESEARCH 87
8.2 Future Research
It may be possible to extend this research in several parts. We give a list of the problems that may
be addressed in the future.
8.2.1 Petri Net Languages for Supervisory Control
Find a characterization of the class L
DP
in terms of some pumping lemma, or other particular
properties of these languages.
Characterize the class of nonregular Petri net languages that are closed under the supremal
controllable sublanguage operator.
8.2.2 Supervisory Design
Determine a reﬁnement procedure based on the coverability tree of a Petri net, rather than on its
reachability tree. Since the coverability tree is always ﬁnite, this may permit the reﬁnement of nets
with inﬁnite reachability set in all those cases in which the reﬁned model may be given as a Petri
net.
8.2.3 Validation of Petri Net Supervisors
Extend the method used to study the reachability set of ECSM to a larger class of nets. In particu
lar, the method may be extended to other types of compositions, following the approach presented
by [Koh 92] where the composition of partially overlapping paths is considered. Additionally, it
may be interesting to consider the composition Macroplace/Macrotransition nets [Jungnitz 92],
which are a superset of state machines.
8.2.4 Efﬁcient Construction of Control Structure
Derive the supervisory structure for enforcing GMEC on classes of nets more general than control
safe place marked graphs. Here the use of interpreted nets should prove a key factor in deriving a
simple supervisory structure.
Consider classes of speciﬁcation different fromGMEC, e.g., sequencing speciﬁcations [Holloway 92b],
and derive the corresponding supervisor using a structural based approach.
Bibliography
[Aveyard 74] R.L. Aveyard, “A Boolean Model for a Class of Discrete Event Systems,”
IEEE Trans. on Systems, Man, and Cybernetics, Vol. SMC4, No. 3, pp. 249–
258, May, 1974.
[Avrunin 91] G.S. Avrunin, U.A. Buy, J.C. Corbett, L.K. Dillon, J.C. Wileden, “Automated
Analysis of Concurrent Systems with the Constrained Expression Toolset,”
IEEE Trans. Software Engineering, Vol. 17, No. 11, pp. 1204–1222, Novem
ber, 1991.
[Baker 72] H. Baker, Jr., “Petri Nets and Languages,” Computation Structures Group
Memo 68, Project MAC, Massachusetts Institute of Technology (Cambridge,
Massachusetts), May, 1972.
[Baker 73] H. Baker, Jr., “Equivalence Problems of Petri Nets,” Master’s thesis, Dept. of
Electrical Engineering, Massachusetts Institute of Technology (Cambridge,
Massachusetts), May, 1973.
[Banaszak 90] Z.A. Banaszak, B.H. Krogh, “Deadlock Avoidance in Flexible Manufactur
ing Systems with Concurrently Competing Process Flows,” IEEE Trans. on
Robotics and Automation, Vol. RA6, No. 6, pp. 724–734, December, 1990.
[Beck 86] C.L Beck, B.H. Krogh, “Models for Simulation and Discrete Control of Man
ufacturing Systems,” IEEE Int. Conf. Robotics and Automation, pp. 305–310,
April, 1986.
[Berthelot 86] G. Berthelot, “Checking Properties of Nets Using Transformations,” Advances
in Petri Nets 1985, G. Rosenberg (ed.), Lecture Notes in Computer Sciences,
Vol. 85, pp. 19–40, SpringerVerlag, 1986.
[Berthelot 87] G. Berthelot, “Transformations and Decompositions of Nets,” Petri Nets:
Central Models and Their Properties, Advances in Petri Nets 1986, W. Brauer,
W. Reisig and G. Rosenberg (eds.), Lecture Notes in Computer Sciences, Vol.
254I, pp. 359–376, SpringerVerlag, 1987.
[Berthomieu 87] B. Berthomieu, “Methods for Carrying Proofs on Petri Nets Using their Struc
tural Properties,” Technical Report, Laboratoire d’Automatique et d’Analyse
des Systèmes du CNR (Toulouse, France), January, 1987.
[Best 86] E. Best, C. Fernández, “Notation and Terminology on Petri Net Theory,”
Arbeitspapiere der Gesellschaft für Math. und Datenverarbeitung, No. 195,
1986.
[Best 91] E. Best, “Design Methods Based on Nets: Esprit Basic Research Action
DEMON” Advances in Petri nets, 1990, G. Rozenberg (ed.), pp. 487–506,
SpringerVerlag, 1991.
88
BIBLIOGRAPHY 89
[Brave 90] Y. Brave, M. Heymann, “Stabilization of DiscreteEvent Processes,” Int. J.
Control, Vol. 51, No. 50, pp. 1101–1117, 1990.
[Campos 91] J. Campos, G. Chiola, M. Silva, “Ergodicity and Throughput Bounds of Petri
Nets with Unique Consistent Firing Count Vector,” IEEE Trans. on Software
Engineering, Vol. SE17, No. 2, pp. 117–125, February, 1991.
[Cieslak 91] R. Cieslak, C. Desclaux, A.S. Fawaz, P. Varaiya, “Supervisory Control of
DiscreteEvent Processes with Partial Observations,” IEEE Trans. on Auto
matic Control, Vol. AC33, No. 3, pp. 249–260, March, 1991.
[Chen 91] E. Chen, S. Lafortune, “Dealing with Blocking in Supervisory Control of Dis
crete Event Systems,” to appear in IEEE Trans. on Automatic Control, 1991.
[Colom 89] J.M. Colom, “Análisis Estructural de Redes de Petri, Programación Lineal
y Geometria Convexa,” Tesis Doctoral, Universidad de Zaragoza (Zaragoza,
Spain), 1989.
[Crockett 87] D. Crockett, A. Desrochers, F. DiCesare, T. Ward, “Implementation of a
Petri Net Controller for a Machining Workstation,” Proc. IEEE Int. Conf. on
Robotics and Automation (Raleigh, North Carolina), pp. 1861–1867, April,
1987.
[Datta 84] A.K. Datta, S. Gosh, “Synthesis of a Class of DeadlockFree Petri Nets,” Jour.
of the Association for Computing Machinery, Vol. 31, No. 3, pp. 486506,
July, 1984.
[Datta 86] A.K. Datta, S. Gosh, “Modular Synthesis of DeadlockFree Control Struc
tures,” Foundation of Software Technology and Theoretical Computer Sci
ence, Vol. 241, G. Goos and J. Hartmanis (eds.), SpringerVerlag, pp. 288–
318,1986.
[De Cindio 82] F. De Cindio, G. De Michelis, L. Pomello, C. Simone, “Superposed Automata
Nets,” Application and Theory of Petri Nets, C. Girault and W. Reisig (eds.),
InformatikFachberichte, Vol. 52, pp. 269–279, SpringerVerlag, 1982.
[De Cindio 83] F. De Cindio, G. De Michelis, L. Pomello, C. Simone, “Milner’s Commu
nicating Systems and Petri Nets,” Application and Theory of Petri Nets, A.
Pagnoni and G. Rozenberg (eds.), InformatikFachberichte, Vol. 66, pp. 40–
59, SpringerVerlag, 1983.
[DiCesare 91] F. DiCesare, A. Fanni, A. Giua, “Controllo dei sistemi ad eventi discreti me
diante reti di Petri,” Ricerca Operativa, No. 58, pp. 2–47, 1991.
[Giua 90a] A. Giua, “Petri Net Languages for the Control of Discrete Event Systems,”
Master’s Thesis, Dept. Electrical Computer and Systems Engineering, Rens
selaer Polytechnic Institute (Troy, New York), 1990.
[Giua 90b] A. Giua, F. DiCesare, “Easy Synchronized Petri Nets as Discrete Event Mod
els,” Proc. 29th IEEE Int. Conf. on Decision and Control (Honolulu, Hawaii),
pp. 2839–2844, December, 1990.
[Giua 91] A. Giua, F. DiCesare, “Supervisory Design Using Petri Nets,” Proc. 30th
IEEE Int. Conf. on Decision and Control (Brighton, England), pp. 385–390,
December, 1991.
BIBLIOGRAPHY 90
[Giua 92a] A. Giua, F. DiCesare, “GRAFCET and Petri Nets in Manufacturing,” will ap
pear in Programming Environments for Computer Integrated Manufacturing,
W.A. Gruver and J.C. Boudreaux (Eds.), SpringerVerlag, 1992.
[Giua 92b] A. Giua, F. DiCesare, M. Silva, “Generalized Mutual Exclusion Constraints
for Petri Nets with Uncontrollable Transitions,” will appear in Proc. 1992
IEEE Int. Conf. on Systems, Man, and Cybernetics (Chicago, Illinois), Octo
ber, 1992.
[Giua 92c] A. Giua, F. DiCesare, “On the Existence of Petri Nets Supervisors,” submitted
to 31th IEEE Int. Conf. on Decision and Control (Tucson, Arizona), Decem
ber, 1992.
[Giua 92d] A. Giua, F. DiCesare, “Petri Net Incidence Matrix Analysis for Supervisory
Control,” Working Paper, Rensselaer Polytechnic Institute (Troy, New York),
1992.
[Golaszewski 88] C.H. Golaszewski, P.J. Ramadge, “Mutual Exclusion Problems for Discrete
Event Systems with Shared Events,” Proc. IEEE 27th Int. Conf. on Decision
and Control (Austin, Texas), pp. 234–239, December, 1988.
[Hack 72] M. Hack, “Analysis of Production Schemata by Petri Nets,” Technical Report
94, Project MAC, Massachusetts Institute of Technology (Cambridge, Mas
sachusetts), February, 1972.
[Hack 74] M. Hack, “Extended State Machine Allocatable Nets, an Extension of
Free Choice Petri Nets Results,” Computation Structures Group Memo 78
1, Project MAC, Massachusetts Institute of Technology (Cambridge, Mas
sachusetts), 1974.
[Hack 75a] M. Hack, “Petri Nets Languages,” Computation Structures Group Memo
124, Project MAC, Massachusetts Institute of Technology (Cambridge, Mas
sachusetts), June, 1975.
[Hack 75b] M. Hack, “Decidability Questions for Petri Nets,” Ph.D. dissertation, Dept.
of Electrical Engineering, Massachusetts Institute of Technology (Cambridge,
Massachusetts), December, 1975.
[Hailpern 83] B.T. Hailpern, S.S. Owicki, “Modular Veriﬁcation of Computer Communica
tion Protocols,” IEEE Trans. on Communication, Vol. COM31, No. 1, pp.
56–68, January, 1983.
[Heymann 90] M. Heymann, “Concurrency and Discrete Event Control,” IEEE Control Sys
tems Magazine, pp. 103–112, June, 1990.
[Holloway 90] L.E. Holloway, B.H. Krogh, “Synthesis of Feedback Control Logic for a Class
of Controlled Petri Nets,” IEEE Trans. on Automatic Control, Vol. AC35, No.
5, pp. 514–523, May, 1990.
[Holloway 92a] L.E. Holloway, B.H. Krogh, “On Closedloop Liveness of Discrete Event Sys
tems Under Maximally Permissible Control,” IEEE Trans. on Automatic Con
trol, Vol. AC37, No. 5, pp. 692–697, May, 1992.
[Holloway 92b] L.E. Holloway, F. Hossain, “Feedback Control for Sequencing Speciﬁcations
in Controlled Petri Nets,” 3rd Int. Conf. on Computer Integrated Manufactur
ing (Troy, New York), pp. 242–251, May, 1992.
BIBLIOGRAPHY 91
[Hoare 85] C. A. R. Hoare, “Communicating Sequential Processes,” PrenticeHall, 1985.
[Ichikawa 85] A. Ichikawa, K. Yokoyama, S. Kurogy, “Reachability and Control of Discrete
Event Systems Represented by ConﬂictFree Petri Net,” Proc. IEEE Int. Symp.
Circuits and Systems (Kyoto, Japan), pp. 487–490, May, 1985.
[Ichikawa 88a] A. Ichikawa, K. Hiraishi, “Analysis and Control of Discrete Event Systems
Represented by Petri Nets,” Discrete Events Systems: Models and Applica
tions, P. Varaiya and A.B. Kurzhanski (eds.), Lecture Notes in Control and
Information Sciences, Vol. 103, pp. 115–134, SpringerVerlag, 1988.
[Ichikawa 88b] A. Ichikawa, K. Hiraishi, “A Class of Petri Nets That a Necessary and Sufﬁ
cient Condition for Reachability is Obtainable,” Trans. Society of Instrument
and Control Engineers, SICE (in Japanese), Vol. 24, No. 6, 1988.
[Inan 88] K. Inan, P. Varaiya, “Finitely Recursive Process Models for Discrete Event
Systems,” IEEE Trans. on Automatic Control, Vol. AC33, No. 7, pp. 626–
639, July, 1988.
[Johnen 87] C. Johnen, “Analyse Algorithmique des Réseaux de Petri: Veriﬁcation
d’Espace d’Accueil, Systemès de Réécriture,” Thèse Doctoral, Université
Paris–Sud (Paris, France), 1987.
[Jantzen 87] M. Jantzen, “Language Theory of Petri Nets,” Petri Nets: Central Models and
Their Properties, Advances in Petri Nets 1986, W. Brauer, W. Reisig and G.
Rosenberg (eds.), Lecture Notes in Computer Sciences, Vol. 254I, pp. 397–
412, SpringerVerlag, 1987.
[Jungnitz 92] H. Jungnitz, “Approximation Methods for Stochastic Petri Nets,” Ph.D. The
sis, Rensselaer Polytechnic Institute (Troy, New York), May, 1992.
[Kasturia 88] E. Kasturia, F. DiCesare, A. Desrochers, “Real Time Control of Multilevel
Manufacturing Systems Using Colored Petri Nets,” Proc. IEEE Int. Conf. on
Robotics and Automation (Philadelphia, Pennsylvania), pp. 1114–1119, April,
1988.
[Koh 92] I. Koh, “A Transformation Theory for Petri Nets and Their Applications to
Manufacturing Automation,” Ph.D. Thesis, Rensselaer Polytechnic Institute
(Troy, New York), December, 1991.
[Krogh 86] B.H. Krogh, C.L Beck, “ Synthesis of Place/Transition Nets for the Simula
tion and Control of Manufacturing Systems,” Proc. 4th IFAC/IFORS Symp. on
Large Scale Systems (Zurich, Switzerland), August, 1986.
[Krogh 87] B.H. Krogh, “Controlled Petri Nets and Maximally Permissible Feedback
Logic,” Proc. 25th Allerton Conf. on Communications, Control, and Com
puting (UrbanaChampaign, Illinois), pp. 317–326, September, 1987.
[Krogh 91] B.H. Krogh, L.E. Holloway, “Synthesis of Feedback Control Logic for Dis
crete Manufacturing Systems,” Automatica, Vol. 27, No. 4, pp. 641–651, July
August, 1991.
[Lafortune 90a] S. Lafortune, E. Chen, “The Inﬁmal Closed Controllable Superlanguage and
Its Application in Supervisory Control,” IEEE Trans. on Automatic Control,
Vol. AC35, No. 4, pp. 398–405, April, 1990.
BIBLIOGRAPHY 92
[Lafortune 90b] S. Lafortune, H. Yoo, “Some Results on Petri net Languages,” IEEE Trans. on
Automatic Control, Vol. AC35, No. 4, pp. 482–485, April, 1990.
[Lafortune 91] S. Lafortune, F. Lin, “On Tolerable and Desirable Behaviors in Supervisory
Control of Discrete Event Systems,” J. of Discrete Event Dynamic Systems,
January, 1991.
[Li 88] Y. Li, W.M. Wonham, “Controllability and Observability in the State
Feedback Control of DiscreteEvent Systems,” Proc. 27th IEEE Conf. De
cision and Control (Austin, TX), pp. 203–208, December, 1988.
[Lin 88] F. Lin, W.M. Wonham, “Decentralized Control and Coordination of Discrete
Event Systems,” Proc. 27th IEEE Conf. Decision and Control (Austin, TX),
pp. 1125–1130, December, 1988.
[Lin 90] F. Lin, W.M. Wonham, “Decentralized Control and Coordination of Discrete
Event Systems with Partial Observation,” IEEE Trans. on Automatic Control,
Vol. AC35, No. 12, pp. 1330–1337, December, 1990.
[Milne 79] G. Milne, R. Milner, “Concurrent Processes and Their Syntax,” Jour. ACM,
Vol. 26, No. 2, pp. 302–321, April, 1979.
[Milner 80] R. Milner, “A Calculus of Communicating Systems,” Lecture Notes in Com
puter Science 92, SpringerVerlag, 1980.
[Murata 77] T. Murata, “Circuit Theoretic Analysis and Synthesis of Marked Graphs,”
IEEE Trans. on Circuits and Systems, Vol. CAS24, No. 7, pp. 400–405, July,
1977.
[Murata 86] T. Murata, N. Komoda, K. Matsumoto, K. Haruna, “A Petri NetBased Con
troller for Flexible and Maintainable Sequence Control and its Application in
Factory Automation,” IEEE Trans. on Industrial Electronics, Vol. IE33, No.
1, pp. 1–8, February, 1986.
[Murata 89] T. Murata, “ Petri Nets: Properties, Analysis and Applications,” Proceedings
IEEE, Vol. PROC77, No. 4, pp. 541–580, April, 1989.
[Narahari 85] Y. Narahari, N. Viswanadham, “A Petri Net Approach to the Modeling and
Analysis of Flexible Manufacturing Systems,” Annals of Operations Re
search, Vol. 3, pp. 449–472, 1985.
[Ostroff 90a] J.S. Ostroff, W.M. Wonham, “A Framework for RealTime Discrete Event
Control,” IEEE Trans. on Automatic Control, Vol. AC35, No. 4, pp. 386–
397, April, 1990.
[Ostroff 90b] J.S. Ostroff, “A logic for RealTime Discrete Event Processes,” IEEE Control
Systems Magazine, pp. 95–102, June, 1990.
[Özveren 90] C.M. Özveren, A.S. Willsky, “Observability of Discrete Event Dynamic Sys
tems,” IEEE Trans. on Automatic Control, Vol. AC35, No. 7, pp. 797–806,
July, 1990.
[Parigot 86] M. Parigot, E. Peltz, “A Logical Formalism for the Study of the Finite Behav
ior of Petri Nets,” Advances in Petri Nets 1985, Lecture Notes in Computer
Science 222, G. Rozenberg (ed.), SpringerVerlag, pp. 346–361, 1986.
BIBLIOGRAPHY 93
[Peltz 86] E. Peltz, “Inﬁnitary Languages of Petri Nets and Logical Sentences,” Proc.
7th European Workshop on Application and Theory of Petri Nets (Oxford,
England), Shefﬁeld City Polytech., pp. 224–237, 1986.
[Peterson 81] J.L. Peterson, “Petri Net Theory and the Modeling of Systems,” PrenticeHall,
1981.
[Pnueli 79] A. Pnueli, “The Temporal Semantics of Concurrent Programs,” Proc. Int.
Symposium on Semantics of Concurrent Computation (Evian, France), Lec
ture Notes in Computer Science 70, SpringerVerlag, pp. 1–20, 1979.
[Ramadge 83] P.J. Ramadge, “Control and Supervision of Discrete Event Processes,” Ph.D.
Thesis, Dept. Electrical Engineering, Univ. Toronto (Toronto, Ontario), 1983.
[Ramadge 86] P.J. Ramadge, W.M. Wonham, “Modular Supervisory Control of Discrete
Event Systems,” Proc. 7th Int. Conf. Analysis and Optimization of Systems
(Antibes, France), pp. 202–214, June, 1986.
[Ramadge 87] P.J. Ramadge, W.M. Wonham, “Supervisory Control of a Class of Discrete
Event Processes,” SIAM Jour. Control and Optimization, Vol. 25, No. 1, pp.
206–230, January, 1987.
[Ramadge 88] P.J. Ramadge, “Supervisory Control of Discrete Event Systems: A Survey
and Some New Results,” Discrete Event Systems: Models and Applications,
Varaiya and Kurzhanski (eds.), Lecture Notes in Control and Information Sci
ences, N. 103, pp. 6980, SpringerVerlag, 1988.
[Ramadge 89a] P.J. Ramadge, “Some Tractable Supervisory Control Problem for Discrete
Event Systems Modeled by Büchi Automata,” IEEE Trans. on Automatic Con
trol, Vol. AC34, No. 1, pp. 10–19, January, 1989.
[Ramadge 89b] P.J. Ramadge, W.M. Wonham, “The Control of Discrete Event Systems,” Pro
ceedings IEEE, Vol. PROC77, No. 1, pp. 81–98, January, 1989.
[Reisig 85] W. Reisig, “Petri Nets: An Introduction,” EATCS Monographs on Theoretical
Computer Science, Vol. 4, W. Brauer, G. Rozenberg and A. Salomaa (eds.),
SpringerVerlag, 1885.
[Silva 80] M. Silva, “Simpliﬁcation des rèseaux de Petri par elimination des places im
plicites,” Digital Processes, Vol. 6, pp. 245–256, 1980.
[Silva 83] M. Silva, S. Velilla, “Programmable Logic Controllers and Petri nets: a com
parative study,” IFAC Conference on Software for Computer Control, E.A.
Puente and Ferrate (Eds.), pp. 83–88, Pergamon Press, 1983.
[Silva 85] M. Silva, Las redes de Petri en la Automatica y la Informatica, Ed. AC,
Madrid, Spain, 1985.
[Silva 89a] M. Silva, J.M. Colom, “On the Computation of Structural Synchronic Invari
ants in P/T Nets” Advances in Petri nets, 1988, G. Rozenberg ed., pp. 386–
417, SpringerVerlag, 1989.
[Silva 89b] M. Silva, “Logic Controllers,” Proc. IFAC Int. Symp. on Low Cost Automation
(Milan, Italy), pp. 157–165 bis, November, 1989.
BIBLIOGRAPHY 94
[Silva 92] M. Silva, J.M. Colom, J. Campos, “Linear Algebraic Techniques for the Anal
ysis of Petri Nets,” Proc. Int. Symp. on Mathematical Theory of Networks and
Systems, MITA Press (Tokyo, Japan), (to appear) 1992.
[Sreenivas 92] R.S. Sreenivas, B.H. Krogh, “On Petri Net Models of Inﬁnite State Supervi
sors,” IEEE Trans. on Automatic Control, Vol. AC37, No. 2, pp. 274–277,
February, 1992.
[Tadmor 89] G. Tadmor, O. Maimon, “Control of Large Discrete Event Systems: Construc
tive Algorithms,” IEEE Trans. on Automatic Control, Vol. AC34, No. 11, pp.
1164–1168, November, 1989.
[Tsitsiklis 87] J.N. Tsitsiklis, “On the Control of DiscreteEvent Dynamical Systems,” Proc.
26th IEEE Int. Conf. Decision and Control (Los Angeles, California), pp.
419–422, December, 1987.
[Ushio 88] T. Ushio, R. Matsumoto, “State Feedback and Modular Control Synthesis in
Controlled Petri Nets,” Proc. 27th Int. Conf. Decision and Control (Austin,
Texas), pp. 1502–1507, December, 1988.
[Ushio 89] T. Ushio, “On the Controllability of Controlled Petri Nets,” ControlTheory
and Advanced Technology, Vol. 5, No. 3, pp. 265–275, September, 1989.
[Ushio 90] T. Ushio, “On The Existence of Finite State Supervisors in DiscreteEvent
Systems,” Proc. 29th IEEE Int. Conf. Decision and Control (Honolulu,
Hawaii), pp. 2857–2860, December, 1990.
[Viswanadham 90] N. Viswanadham, Y. Narahari, T.J. Johnson, “Deadlock Prevention and Dead
lock Avoidance in Flexible Manufacturing Systems Using Petri Net Models,”
IEEE Trans. on Robotics and Automation, Vol. RA6, No. 6, pp. 713–723,
December, 1990.
[Wonham 87] W.M. Wonham, P.J. Ramadge, “On the Supremal Controllable Sublanguage
of a Given Language,” SIAM Jour. Control and Optimization, Vol. 25, No. 3,
pp. 637–659, May, 1987.
[Wonham 88a] W.M. Wonham, “A Control Theory for DiscreteEvent Systems,” Advanced
Computing Concepts and Techniques in Control Engineering, M.J. Denham
and A.J. Laub (eds.), SpringerVerlag, pp. 129–169, 1988.
[Wonham 88b] W.M. Wonham, P.J. Ramadge, “Modular Supervisory Control of Discrete
Event Systems,” Math. Control Signals Systems, Vol. 1, No. 1, pp. 13–30,
1988.
[Zhou 90] M.C. Zhou, “A Theory for the Synthesis and Augmentation of Petri Nets
in Automation,” Ph.D. Thesis, Rensselaer Polytechnic Institute (Troy, New
York), May, 1990.
[Zhou 91] M.C. Zhou, F. DiCesare, “Parallel and Sequential Mutual Exclusions for
Petri Net Modeling of Manufacturing Systems with Shared Resources,” IEEE
Trans. on Robotics and Automation, Vol. RA7, No. 4, pp. 515–527, August,
1991.
Appendix A
PETRI NET LANGUAGES
A.1 Petri Net Generators
A labeled Petri net (or Petri net generator) is a 4tuple G = (N, , M
0
, F) where [Jantzen 87,
Peterson 81]:
• N = (P, T, Pre, Post) is a Petri net structure;
• : T → Σ ∪ ¦λ¦ is a labeling function that assigns to each transition a label from the
alphabet of events Σ or assigns the empty string as a label;
• M
0
is an initial marking;
• F is a ﬁnite set of ﬁnal markings.
We will use Petri net generators to represent discrete event systems. Thus we will use the word
system to refer to a Petri net generator.
Three different type of labeling functions are usually considered.
• In a freelabeled PN all transitions are labeled distinctly and none is labeled λ, i.e., (∀t, t
∈
T) [t ,= t
=⇒ (t) ,= (t
)] and (∀t ∈ T) [(t) ,= λ].
• In a λfree labeled PN no transition is labeled λ.
• In a arbitrary labeled PN no restriction is posed on .
The labeling function may be extended to a function : T
∗
→ Σ
∗
deﬁning: (λ) = λ and
(∀t ∈ T, ∀σ ∈ T
∗
) [(σt) = (σ)(t)].
Four languages are associated with G depending on the different notions of terminal strings.
• The Ltype or terminal language
1
is deﬁned as the set of strings generated by ﬁring se
quences that reach a ﬁnal marking, i.e.,
L
L
(G) = ¦(σ) [ M
0
[σ) M
f
∈ F¦.
• The Gtype or covering language or weak language is deﬁned as the set of strings generated
by ﬁring sequences that reach a marking M covering a ﬁnal marking, i.e.,
L
G
(G) = ¦(σ) [ M
0
[σ) M ≥ M
f
∈ F¦.
The Dtype or deadlock language is deﬁned as the set of strings generated by ﬁring se
quences that reach a marking at which no transition is enabled, i.e.,
L
D
(G) = ¦(σ) [ M
0
[σ) M ∧ (∀t ∈ T)M [t)¦.
1
This language is called marked behavior in the framework of Supervisory Control and is denoted L
m
(G).
95
APPENDIX A. PETRI NET LANGUAGES 96
Figure A.1: Freelabeled system G in Example A.1.
• The Ptype or preﬁx language
2
is deﬁned as the set of strings generated by any ﬁring se
quence, i.e.,
L
P
(G) = ¦(σ) [ M
0
[σ) ¦.
Example A.1. The system G in Figure A.1 is freelabeled. The initial marking, also shown in
the ﬁgure, is M
0
= (1000)
T
. The set of ﬁnal markings is F = ¦(0010)
T
¦. The languages of this
system are:
L
L
(G) = ¦a
m
cb
m
[ m ≥ 0¦;
L
G
(G) = ¦a
m
cb
n
[ m ≥ n ≥ 0¦;
L
D
(G) = ¦a
m
cb
n
d [ m ≥ n ≥ 0¦;
L
P
(G) = ¦a
m
[ m ≥ 0¦ ∪ ¦a
m
cb
n
[ m ≥ n ≥ 0¦ ∪ ¦a
m
cb
n
d [ m ≥ n ≥ 0¦.
A.2 Classes of Petri Net Languages
The classes of Petri net languages are denoted as follows.
• L
f
(resp. (
f
, T
f
, T
f
) denotes the class of terminal (resp. covering, deadlock, preﬁx) lan
guages generated by freelabeled PN generators.
• L (resp. (, T, T) denotes the class of terminal (resp. covering, deadlock, preﬁx) languages
generated by λfree labeled PN generators.
• L
λ
(resp. (
λ
, T
λ
, T
λ
) denotes the class of terminal (resp. covering, deadlock, preﬁx) lan
guages generated by arbitrary labeled PN generators.
The following table shows the relationship among these classes. Here →represents set inclu
sion ⊇.
Some of these relations are easily proved. As an example, any Ptype language of a generator
G may also be obtained as a Gtype language deﬁning as a set of ﬁnal markings F = ¦
0¦.
2
This language is called closed behavior in the framework of Supervisory Control and is denoted L(G).
APPENDIX A. PETRI NET LANGUAGES 97
L
λ
→ L → L
f
↓↑ ↓↑
T
λ
→ T → T
f
↓ ↓
(
λ
→ ( → (
f
↓ ↓ ↓
T
λ
→ T → T
f
Table A.1: Known relations among classes of Petri net languages. An arc → represents the set
inclusion.
Figure A.2: Nondeterministic system G
in Example A.2.
A.3 Deterministic Languages
A PN generator G is deterministic if the labeling function and the behavior of G are such that
∀t, t
∈ T, with t ,= t
and ∀M ∈ R(N, M
0
), M [t)∧M [t
) =⇒ [(t) ,= (t
), (t) ,= λ, (t
) ,=
λ].
This means that the knowledge of the string generated by the system from the initial marking
is sufﬁcient to determine the actual marking of the system.
We can then deﬁne twelve new classes of PN languages. For each of the previously deﬁned
classes we will denote with the subscript d the corresponding deterministic subclass. Thus L
d
will
denote the subclass of L generated by deterministic Petri nets, etc.
The relations among the subclasses of deterministic languages are different from those re
ported in Table A.1 for the general classes. Table A.1 shows that T ⊂ L. However, the next
example shows that T
d
,⊂ L
d
.
Example A.2. Consider again the deterministic system G in Figure A.1 with set of ﬁnal markings
F = ¦(0001)
T
¦. Here L
P
(G) = ¦a
m
[ m ≥ 0¦ ∪ ¦a
m
cb
n
[ m ≥ n ≥ 0¦ ∪ ¦a
m
cb
n
d [ m ≥
n ≥ 0¦ is a deterministic P − type PN language. We want to construct a new system G
such
that L
L
(G
) = L
P
(G). A possible solution is the system in Figure A.2 with set of ﬁnal states
F = ¦(1000)
T
, (0010)
T
, (0001)
T
¦. However G
is nondeterministic, since the two transitions
labeled a are both enabled at the initial marking. It is intuitively clear that no deterministic Petri
net may generate L
P
(G) as a terminal language if F is ﬁnite.
In the framework of Supervisory Control, we will consider the L − type and P − type lan
guage generated by deterministic systems. A new subclass of L, called deterministic Pclosed is
discussed in Chapter 4. This class, denoted L
DP
, will play a major role in deriving necessary
and sufﬁcient conditions for the existence of supervisors represented as deterministic Petri net
generators.
APPENDIX A. PETRI NET LANGUAGES 98
Figure A.3: Relations among the class L and other classes of formal languages.
A.4 Closure Properties and Relations with Other Classes
Parigot and Peltz have deﬁned PN languages as regular languages with the additional capability of
determining if a string of parenthesis is well formed. If we consider the class L of PN languages,
it is possible to prove that L is a strict superset of regular languages and a strict subset of context
sensitive languages. In the diagram in Figure A.3, the set L is denoted “L PN languages”.
It is possible to prove that L and the class of contextfree languages are not commensurable.
An example of a language in L that is not contextfree: L = ¦a
m
b
m
c
m
[ m ≥ 0¦. An example of
a language that is contextfree but is not in L: L = ¦ww
R
[ w ∈ Σ
∗
¦
3
if [Σ[ > 1.
The class L is closed under: concatenation, union, intersection, concurrent composition. The
class L is not closed under: Kleene star, preﬁx closure
4
.
A.5 Concurrent Composition and System Structure
In this section we will review the counterpart of language operators on the structure of a PN
generator. We will consider only the concurrent composition operator, since other operators of
interest, such as the intersection and shufﬂe operators may be considered as a special case of
concurrent composition.
Let G
1
= (N
1
,
1
, M
0,1
, F
1
) and G
2
= (N
2
,
2
, M
0,2
, F
2
) be two PN generators. Their
concurrent composition, denoted also G = G
1
 G
2
, is the system G = (N, , M
0
, F) that
generates L
L
(G) = L
L
(G
1
)  L
L
(G
2
) and L
P
(G) = L
P
(G
1
)  L
P
(G
2
).
The structure of G may be determined as follows. Let P
i
, T
i
and Σ
i
(i = 1, 2) be the place
set, transition set, and the alphabet of G
i
.
• The place set P of N is the union of the place sets of N
1
and N
2
, i.e., P = P
1
∪ P
2
.
• The transition set T of N and the corresponding labels are computed as follows.
– Let a ∈ Σ
1
¸ Σ
2
(a ∈ Σ
2
¸ Σ
1
) be the label of a transition t ∈ T
1
(t ∈ T
2
). Then a
labels a transition in T with the same input and output bag of t.
– Let a ∈ Σ
1
∩ Σ
2
be labeling m
1
transitions in T
1
and m
2
transitions in T
2
. Then
m
1
m
2
transitions in T will be labeled a. The input (output) bag of each of these
transitions is the sum of the input (output) bags of one transition in T
1
and of one
transition in T
2
.
• M
0
= [M
T
0,1
M
T
0,2
]
T
.
3
The string w
R
is the reversal of string w.
4
As proved in Section 4.2.
APPENDIX A. PETRI NET LANGUAGES 99
Figure A.4: Two systems G
1
, G
2
and their concurrent composition G in Example A.3.
• F is the cartesian product of F
1
and F
2
, i.e., F = ¦[M
T
1
M
T
2
]
T
[ M
1
∈ F
1
, M
2
∈ F
2
¦.
Note that while the set of places grows linearly, the set of transitions and of ﬁnal markings may
grow faster. The composition of more than two systems may computed by repeated application of
the procedure for composing two systems.
Example A.3. Let G
1
= (N
1
,
1
, M
0,1
, F
1
) and G
2
= (N
2
,
2
, M
0,2
, F
2
) be two systems in
Figure A.4. Here F
1
= ¦(10)
T
¦ and F
2
= ¦(10)
T
, (01)
T
¦. Their concurrent composition G =
G
1
 G
2
is also shown in Figure A.4. The initial marking of G is M
0
= (1010)
T
and its set of
ﬁnal markings is F = ¦(1010)
T
, (1001)
T
¦.
We will use the following structural notation for composed systems.
Let G
1
= (N
1
,
1
, M
0,1
, F
1
) and G
2
= (N
2
,
2
, M
0,2
, F
2
) be two PN generators and G =
G
1
 G
2
= (N, , M
0
, F) their concurrent composition. Let N = (P, T, Pre, Post) and N
i
=
(P
i
, T
i
, Pre
i
, Post
i
), (i = 1, 2). We deﬁne:
• The projection of P on net N
i
, (i = 1, 2), as P ↑
i
= P
i
.
• The projection of T on net N
i
, (i = 1, 2), as T ↑
i
= ¦t ∈ T [ (
•
t ∪ t
•
) ∩ P ↑
i
,= ∅¦. Note
that T ↑
i
may be different from T
i
, since additional transitions may have been introduced
by composing systems in which the same symbol is labeling more than one transition.
• The projection of Pre on net N
i
, (i = 1, 2), denoted Pre ↑
i
, as the restriction of Pre to
P ↑
i
T ↑
i
.
• The projection of Post on net N
i
, (i = 1, 2), denoted Post ↑
i
, as the restriction of Post to
P ↑
i
T ↑
i
.
Also let M be a marking, σ be a ﬁring count vector, and σ a ﬁring sequence deﬁned on net N.
The projection of M on N
i
, (i = 1, 2), denoted M ↑
i
, is the vector obtained from M by removing
APPENDIX A. PETRI NET LANGUAGES 100
all the components associated to places not present in N
i
. The projection of σ over N
i
, (i = 1, 2),
denoted σ ↑
i
, is the vector obtained by σ removing all the components associated to transitions not
present in N
i
. The projection of σ on N
i
, (i = 1, 2), denoted σ ↑
i
, is the ﬁring sequence obtained
by σ removing all the transitions not present in N
i
.
Appendix B
AN INTRODUCTION TO
SUPERVISORY CONTROL
B.1 Discrete Event Systems and Properties
In the supervisory control theory developed by Ramadge, Wonham, et al., a DES is simply a
generator of a formal language, deﬁned on an alphabet Σ. The two languages associated with a
DES G are:
• The closed behavior L(G) ⊆ Σ
∗
, a preﬁxclosed language that represents the possible
evolutions of the system.
• The marked behavior L
m
(G) ⊆ L(G), that represents the evolutions corresponding to the
completion of certain tasks.
Although Ramadge and Wonham have used in their seminal papers a state machine based rep
resentation for DES, the theory they built is very general. Any other formalism that can represent
the closed and marked behavior of a system may be used in this framework. In the examples pre
sented in this section we will use state machine models to be consistent with the original notation.
When relevant, however, we will mention Petri nets.
Example B.1. The state machine in Figure B.1 represents a discrete event system G. The initial
state is denoted by an arrow, the ﬁnal states (just one in this example) are denoted by a double
circle. The languages associate to G are:
L
m
(G) = ¦abc
n
[ n ≥ 0¦ = abc
∗
;
L(G) = ¦λ¦ ∪ ¦a¦ ∪ ¦abc
n
[ n ≥ 0¦ = abc
∗
= L
m
(G),
where the overline bar represent the preﬁx closure operator.
We have discussed in Appendix A how the closed and marked behavior may be associated
with a Petri net.
Figure B.1: A discrete event system modeled by a ﬁnite state machine.
101
APPENDIX B. AN INTRODUCTION TO SUPERVISORY CONTROL 102
Figure B.2: A blocking discrete event system and its trimmed structure in Example B.1.
A DES is said to be nonblocking if any string w ∈ L(G) can be completed into a string
wx ∈ L
m
(G), i.e., into a string that belongs to the marked language. More formally, a DES G is
nonblocking if L
m
(G) = L(G).
This property may be restated for state machines as follows. Let us deﬁne as reachable a state
that may be reached from the initial state, and as coreachable a state from which it is possible
to reach a ﬁnal state. Then a state machine is nonblocking if and only if all reachable states are
coreachable.
Example B.2. In Figure B.2 we have a blocking system G
1
. The strings “ab” and “aca” cannot
be completed into a string that belongs to the marked language. Equivalently, from state q it is not
possible to reach a ﬁnal marking.
Note that the DES may be trimmed removing the state q and the transitions entering it. In this
case we obtain the new DES G
2
with
L
m
(G
2
) = L
m
(G
1
),
L(G
2
) = L
m
(G
2
) = L
m
(G
1
) ⊂ L(G
1
).
Similarly, a Petri net is nonblocking if from any reachable marking it is possible to reach a ﬁ
nal marking. Note that this property is signiﬁcantly different from deadlockfreeness and liveness.
Deadlockfreeness means that the reachability set does not contain a dead marking, i.e., a marking
that enables no transition. However a nonblocking system may have a dead marking (if it is a ﬁnal
marking). Liveness implies that from any reachable marking there exists a ﬁring sequence con
taining all transitions. The following example shows nets with different combinations of liveness
and nonblocking properties (deadlockfreeness is implied by liveness, so we will not discuss it).
Example B.3. In Figure B.3 are shown: a) a live and nonblocking system; b) a nonlive and
nonblocking system; c) a live and blocking system; d) a nonlive and blocking system. The set of
ﬁnal markings F is also given in the ﬁgure for each net.
B.2 Controllable Events and Supervisor
The events labels in Σ are partitioned into two disjoint subsets: the set Σ
c
of controllable events
(that can be disabled if desired), and the set Σ
u
of uncontrollable events (that cannot be disabled
by an external agent).
It often required to restrict the behavior of a system within the limits of a speciﬁcation lan
guage. We may only enable and disable the controllable events to achieve this behavior. The agent
who speciﬁes which events are to be enabled and disabled is called a supervisor.
Let us deﬁne a control input as a subset γ ⊆ Σ satisfying Σ
u
⊆ γ (i.e., all the uncontrollable
events are present in the control input). If a ∈ γ, the event a is enabled by γ (permitted to occur),
APPENDIX B. AN INTRODUCTION TO SUPERVISORY CONTROL 103
Figure B.3: Combinations of nonblocking and liveness properties for Petri nets with set of ﬁnal
markings F in Example B.2.
Figure B.4: A closed loop controlled discrete event system.
otherwise a is disabled by γ (prohibited from occurring); the uncontrollable events are always
enabled. Let Γ ⊆ 2
Σ
denote the set of all the possible control inputs.
A supervisor controls a DES G by switching the control input through a sequence of elements
γ
1
, γ
2
, . . . ∈ Γ, in response to the observed string of previously generated events.
A closed loop block diagram showing a system under supervision is shown in Figure B.4. A
point that should be stressed is the fact that the supervisor is implementing a trace feedback, rather
than a state feedback. That is, the control input is not a function of the present state of the system,
but of the string of events generated. If the system is deterministic, as generally assumed, it is
possible to reconstruct its state from the string of events generated. Thus trace feedback is more
general than state feedback.
Example B.4. Consider the system in Figure B.5, where Σ
c
= ¦a, c¦ and Σ
u
= ¦b¦. The
controllable transitions are denoted with a “:”. Assume we want a terminal string to contain the
event b exactly twice. Table B.1 summarizes the required control input γ after a string w has been
generated, and the corresponding state of the system. Note that in state q
0
the control input is
different depending on the value of w.
A supervisor may be given as a function f : L(G) → Γ specifying the control input f(w)
APPENDIX B. AN INTRODUCTION TO SUPERVISORY CONTROL 104
Figure B.5: System in Example B.4
state w γ
q
0
λ ¦a, b¦
q
1
a ¦a, b, c¦
q
0
ab ¦a, b¦
q
1
aba ¦a, b, c¦
q
0
abab ¦b, c¦
q
2
ababc ¦b, c¦
Table B.1: Control inputs in Example B.4.
to be applied for each possible string of events w generated by the system G. It also possible to
represent a supervisor as another DES S, that runs in parallel with the system G, i.e., whenever an
event occurs in G the same event will be executed by S. The events enabled at a given instant on
S determine the control input.
Example B.5. In Example B.4 the supervisor has been described in tabular format. A transition
structure for the same supervisor is shown in Figure B.6.
The closed loop system under control will be denoted S/G and may be considered as a new
discrete event system [Ramadge 87]. Let us assume in the following that the supervisor is given
as a DES S. Then, the closed behavior of S/G is
L(S/G) = L(G) ∩ L(S),
i.e., the subset of the uncontrolled behavior that survives under supervision. For what regards the
language accepted by S/G there are two possible deﬁnitions. If S has a set of ﬁnal states we may
deﬁne as marked behavior of S/G as
L
m
(S/G) = L
m
(G) ∩ L
m
(S),
i.e., all marked strings of G that are also marked by S. If we assume that the supervisor does not
mark strings, i.e., it has no ﬁnal states, L
m
(S) is not deﬁned. In this case, we call the supervisor
non marking and we deﬁne L
m
(S/G) as
L
m
(S/G) = L
m
(G) ∩ L(S/G),
Figure B.6: Supervisor in Example B.5
APPENDIX B. AN INTRODUCTION TO SUPERVISORY CONTROL 105
Figure B.7: Closed loop system S/G in Example B.6.
Figure B.8: Systems G, S
1
, and S
2
in Example B.7.
i.e., the subset of the uncontrolled marked behavior that survives under supervision, and call it
controlled behavior
1
.
Example B.6. The DES in Figure B.7 represented the closed loop system S/G for the system
and supervisor discussed in Example B.5. Here the closed and marked behavior of S/G are
L(S/G) = ababc, and L
m
(S/G) = abab + ababc, as can be derived from the ﬁgure. If we had
considered a supervisor with no ﬁnal states, we would have considered, in place of the marked
behavior, the controlled behavior L
m
(S/G) = λ +ab +abab +ababc.
Now let us assume that we are given two DES G and S. S qualiﬁes as a proper supervisor for
G if the two following properties are ensured.
• controllability: S does not disable any uncontrollable event that may occur in G, i.e., (∀w ∈
L(S/G), ∀a ∈ Σ
u
) [wa ∈ L(G) =⇒ wa ∈ L(S/G)].
• nonblockingness (or properness): the behavior of the system under supervision must be
nonblocking, i.e., L(S/G) = L
m
(S/G).
Example B.7. Let G, S
1
, and S
2
be the DES in Figure B.8. Here Σ
c
= ¦b, c¦. S
1
is not a
supervisor for G because in the initial state it disables the uncontrollable event a that is enabled
in the initial state of G. S
2
is not a proper supervisor for G because if the event a is executed it
prevents the system from reaching the ﬁnal state (in fact the event b is never enabled).
B.3 Supervisory Control Problem
Controlling a DES consists in restricting its open loop behavior within a given speciﬁcation lan
guage. Thus we may state the two following Supervisory Control Problems.
1
The notation is unfortunately ambiguous. In [Ramadge 87] L
m
(S/G) denotes the marked behavior of S/G, while
L
c
(S/G) denotes the controlled behavior. In [Ramadge 89b] and in the work of other authors, however, L
m
(S/G) has
been used to denote the controlled behavior of S/G, since only non marking supervisors are considered. We will use
L
m
(S/G) to denote the language accepted by the closed loop system, specifying whenever necessary if it represents
the marked or controlled behavior.
APPENDIX B. AN INTRODUCTION TO SUPERVISORY CONTROL 106
Figure B.9: System to control in Example B.8.
SCP1 Given a DES G and a speciﬁcation language L ⊆ L(G), there exists a supervisor S such
that L(S/G) = L?
SCP2 Given a DES G and a speciﬁcation language L ⊆ L
m
(G), there exists a nonblocking
supervisor S such that L
m
(S/G) = L? (Here we assume that S does not mark strings, i.e.,
L
m
(S/G) is the controlled behavior of S/G.)
The solution of these two problems is based on the notions of controllable language and
L
m
(G)closure, deﬁned in the following.
Alanguage K ⊂ Σ
∗
is said to be controllable (with respect to L(G) and Σ
u
) if KΣ
u
∩L(G) ⊆
K. This means that it is always possible, preventing the occurrence of controllable transitions, to
restrict L(G) within K.
A language K ⊂ L
m
(G) is said to be L
m
(G)closed if K = K ∩ L
m
(G). This means that
any marked string of G that is the preﬁx of some string of K is also a string of K.
The following two theorems, due to Ramadge and Wonham [Ramadge 87, Ramadge 89b],
give necessary and sufﬁcient conditions for the existence of a supervisor.
Theorem B.1 ([Ramadge 87], P. 5.1). For nonempty L ⊆ L(G) there exists a supervisor S such
that L(S/G) = L if and only if L is preﬁx closed and controllable.
Theorem B.2 ([Ramadge 87], T. 6.1). For nonempty L ⊆ L
m
(G) there exists a nonblocking
supervisor S such that L
m
(S/G) = L if and only if L is L
m
(G)closed and controllable.
Example B.8. The DES G in Figure B.9 has closed behavior L(G) = (a(b +cd))
∗
, and marked
behavior L
m
(G) = (a(b +cd))
∗
.
1. Let L = (ab)
∗
be the desired closed behavior of the closed loop system.
(a) If Σ
u
= ¦a, d¦, L is controllable and may be enforced by a supervisor. The supervisor
simply needs to disable the controllable event c whenever the system is in state q
1
.
(b) If Σ
u
= ¦b, c¦, L is not controllable and cannot be enforced by a supervisor. In fact the
supervisor cannot disable the event c, which is now uncontrollable, when the system
is in state q
1
.
2. Let L = (abab)
∗
be the desired controlled behavior of the closed loop system and assume
Σ
u
= ¦a, d¦. L is controllable, but is not L
m
(G)closed. Hence there does not exit a
supervisor S such that L
m
(S/G) = L.
This can be also be shown by contradiction in this particular example. By deﬁnition of
controlled language, L
m
(S/G) = L
m
(G) ∩ L(S/G). Now assume L
m
(S/G) = L;
then w = abab ∈ L
m
(S/G) ⊆ L(S/G) and w
= ab ,∈ L
m
(S/G). However w ∈
L(S/G) =⇒ w
∈ L(S/G), i.e., w
∈ L
m
(G) ∩ L(S/G) = L
m
(S/G), a contradiction.
APPENDIX B. AN INTRODUCTION TO SUPERVISORY CONTROL 107
Another important result due to Ramadge and Wonham is concerned with the existence of
ﬁnite state machine supervisors.
Theorem B.3 ([Wonham 87], T. 3.1). Let G be a ﬁnite state machine (i.e., its closed and marked
behavior are regular languages) and let L be a regular speciﬁcation language. If L satisﬁes the
conditions of Theorem B.1, the supervisor S such that L(S/G) = L may be represented as a
ﬁnite state machine. If L satisﬁes the conditions of Theorem B.2, the supervisor S
such that
L
m
(S
/G) = L may be represented as a ﬁnite state machine.
B.4 Supremal Controllable Sublanguage
Assume we want to restrict the closed behavior of a system G within the limits of a legal language
L that is not controllable. By Theorem B.1 a supervisor S such that L(S/G) = L does not
exist. However we may consider a controllable sublanguage K ⊆ L that may be enforced by a
supervisor S
. Thus the behavior of the closed loop system is now L(S
/G) = K ⊂ L, i.e., it is a
subset of the legal behavior.
We also want to minimally restrict the behavior of the system, i.e., we want to construct the
supervisor which allows the largest behavior of the system within the limits given by the speciﬁ
cation L. This behavior is called the supremal controllable sublanguage.
Let us deﬁne ((G) = ¦K [ KΣ
u
∩ L(G) ⊆ K¦ as the set of all languages controllable with
respect to L(G) and Σ
u
. Given a language Lwe will deﬁne the supremal controllable sublanguage
of L as
L
↑
= sup¦K [ K ⊆ L, K ∈ ((G)¦
Theorem B.4 ([Ramadge 87], P. 7.1). The supremal controllable sublanguage for a given super
visory control problem exists and is unique.
However it may well be the case that L
↑
contains only the empty string or is even the empty
language.
Example B.9. For the problem in Example B.8.1b L
↑
= ¦λ¦.
Since the supremal controllable sublanguage may be too restrictive, other controllable approx
imations to L have been deﬁned. An extension by Lafortune and Chen [Lafortune 90a] to the
standard Supervisory Control Problem, called SCPB (SCP with Blocking) considers a different
approximation of the desired behaviour in terms of Inﬁmal Controllable Superlanguage deﬁned as
L
↓
= inf¦K [ K ⊇ L, K ∈ ((G)¦.
This may, however, generate blocking. We will not consider SCPB in this thesis.
Ramadge and Wonham have also shown that in the regular case (i.e., when both the system be
havior and the speciﬁcation behavior are regular languages) the supremal controllable sublanguage
is a regular language and can be computed in a ﬁnite number of steps.
As a ﬁnal remark, we note that the supremal controllable sublanguage is optimal from a logical
point of view but not necessarily from the performance point of view.
Example B.10. The Petri net system in Figure B.10 has a delay associated with each event (i.e.,
each transition). The place p
0
represents the effect of the supervisor that ensures that places p
2
and p
6
are never marked at the same time. In order to minimally restrict the behavior we allow the
initial ﬁring of either “ab” or “de”. Assume the delays are the following.
event a b c d e f
delay [s] 0 10 10 0 8 4
APPENDIX B. AN INTRODUCTION TO SUPERVISORY CONTROL 108
Figure B.10: A timed Petri net model in Example B.10.
If the sequence “ab” is initially executed, we have that the required time to reach the ﬁnal marking
(0001001)
T
is 22 seconds, while if the sequence “de” is initially executed the ﬁnal marking is
reached in 28 seconds. Clearly, if it is required that the system reaches the ﬁnal marking in the
shortest time, it would be better to further restrict the system’s behavior allowing only the ﬁring of
the sequence “ab” from the initial marking.
Appendix C
NOTATION
a, b, c, . . . Symbols of an alphabet, events.
B A basis of nonnegative Pinvariants.
C = Post −Pre The incidence matrix of a P/T net.
((G) The set of languages controllable with respect to L(G) and Σ
u
, i.e., the
set ¦K [ KΣ
u
∩ L(G) ⊆ K¦.
E = G  H Discrete event system G constrained by speciﬁcation H
F A set of ﬁnal markings of a P/T net.
G A discrete event system. A Petri net model of a discrete event system is
G = (N, , M
0
, F).
H A discrete event system representing a speciﬁcation.
K A controllable language.
: T → Σ A labeling function that assigns to each transition of a net a label from
the alphabet Σ.
L A language.
L The preﬁxclosure of language L.
L
↑
The supremal controllable sublanguage of language L.
L(N, M
0
) The set of ﬁring sequence of ¸N, M
0
).
L(G) The closed behavior of the discrete event system G. If G is given as
a Petri net model, the closed behavior is also called Ptype Petri net
language of G.
L
m
(G) The marked behavior of the discrete event system G. If G is given as
a Petri net model, the marked behavior is also called Ltype Petri net
language of G.
L, L
d
, L
DP
The sets of Ltype, deterministic Ltype, and DPclosed Petri net lan
guages.
M : P → IN A marking of a P/T net (M
0
is an initial marking, M
f
is a ﬁnal marking).
/( w, k) The set of marking satisfying a generalized mutual exclusion constraint,
i.e., the set ¦M ∈ IN
P
[ w
T
M ≤ k¦.
N = (P, T, Pre, Post) A P/T net.
N
R
The reversal of a P/T net N.
109
APPENDIX C. NOTATION 110
N
S
A P/T net N with the addition of a monitor place S, i.e. the net (P ∪
¦S¦, T, Pre
S
, Post
S
).
IN The set of nonnegative integers.
¸N, M
0
) A marked net, i.e., a net N with initial marking M
0
.
p A place of a P/T net.
•
p, p
•
The sets of input and output transitions of place p.
P A set of places of a P/T net.
Post : P T → IN The postincidence matrix of a P/T net.
Pre : P T → IN The preincidence matrix of a P/T net.
PR(N, M
0
) The set of markings ¦M ∈ IN
P
[ (∃σ ∈ IN
T
)[M = M
0
+ C σ¦
(potentially reachable set).
PR
A
(N, M
0
) The set of markings ¦M ∈ IN
P
[ A M ≥ A M
0
¦.
PR
B
(N, M
0
) The set of markings ¦M ∈ IN
P
[ B
T
M = B
T
M
0
¦.
T, T
d
The sets of Ptype, and deterministic Ptype Petri net languages.
Q
X
The support of a vector X : A → IN, i.e., the set ¦a ∈ A [ X(a) > 0¦.
R(N, M
0
) The set of reachable markings of ¸N, M
0
) (reachability set).
S A supervisor.
o A siphon of a P/T net.
S/G The closedloop system composed by the system G under the action of
supervisor S.
t A transition of a P/T net.
•
t, t
•
The sets of input and output places of transition t.
T A set of transitions of a P/T net.
T A trap of a P/T net.
w, x, y, z Strings of a language, sequences of events.
( w, k) A generalized mutual exclusion constraint.
(W,
k) A set of generalized mutual exclusion constraints.
X : A → IN A vector.
Y A nonnegative Pinvariant (Psemiﬂow) of a P/T net.
γ A control input determined by a supervisor.
Γ The set of all possible control inputs determined by a supervisor.
θ A simple path of a P/T net.
λ The empty string.
σ A ﬁring vector of transitions.
σ : T → IN A ﬁring count vector of a marked net.
Σ An alphabet. Σ
c
is an alphabet of controllable events; Σ
u
is an alphabet
of uncontrollable events.
Σ
∗
The Kleene star of alphabet Σ, i.e., the language containing all strings
composed with symbols in Σ and the empty string λ.
APPENDIX C. NOTATION 111
↑ The projection operator.
 The concurrent composition operator.

d
The shufﬂe operator (concurrent composition over disjoint alphabets).
Denotes the end of a proof.
ii
Este, que ves, engaño colorido, que del arte ostentando los primores, con falsos silogismos de colores es cauteloso engaño del sentido. This coloured counterfeit that thou beholdest, vainglorious with the excellencies of art, is, in fallacious syllogisms of colour, nought but a cunning dupery of sense. Inundación Castálida, II, 14 Juana de Asbaje y Ramírez, Sor Juana Inés de la Cruz (16511695)
Contents
1 INTRODUCTION 1.1 Introduction . . . . . . . . . . . . . . . . . . 1.2 Background and Motivation . . . . . . . . . 1.2.1 Discrete Event Systems and Models . 1.2.2 Evaluation of Discrete Event Models 1.2.3 Petri Net Models . . . . . . . . . . . 1.2.4 Supervisory Control . . . . . . . . . 1.3 Objectives of the Thesis . . . . . . . . . . . . 1.4 Organization of the Thesis . . . . . . . . . . 2 LITERATURE REVIEW 2.1 Supervisory Control Theory . . . . . . . . . 2.2 Logical Models for Discrete Event Systems . 2.2.1 Transition Models . . . . . . . . . . 2.2.2 Temporal Logic . . . . . . . . . . . . 2.2.3 Communicating Processes . . . . . . 2.2.4 Controlled Petri Nets . . . . . . . . . 2.3 Petri Net Languages . . . . . . . . . . . . . . 2.4 Incidence Matrix Analysis of Petri Nets . . . 2.5 Synthesis and Reduction of Petri Nets Models 3 BASIC NOTATION 3.1 Petri Nets . . . . . . . . . . 3.1.1 Place/Transition Nets 3.1.2 Marked Nets . . . . 3.2 Formal Languages . . . . . 3.3 Petri Net Languages . . . . . 3.4 Supervisory Control . . . . . 1 1 1 1 3 4 6 7 9 10 10 11 11 11 12 12 13 13 14 15 15 15 16 17 17 18 19 19 19 22 22 25 27
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
4 ON THE EXISTENCE OF PETRI NET SUPERVISORS 4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 4.2 Petri Nets and Blocking . . . . . . . . . . . . . . . . . . . . 4.3 Supervisor . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.4 Existence of Petri Net Supervisors . . . . . . . . . . . . . . 4.5 Petri Net Languages and Supremal Controllable Sublanguage 4.6 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
iii
CONTENTS
5 SUPERVISORY DESIGN USING PETRI NETS 5.1 Introduction . . . . . . . . . . . . . . . . . . . 5.2 Monolithic Supervisor Design . . . . . . . . . 5.2.1 Design Using Concurrent Composition 5.3 Monolithic Design Using Petri Nets . . . . . . 5.4 Petri Nets and State Machines . . . . . . . . . 5.5 Conclusions . . . . . . . . . . . . . . . . . . . 6 INCIDENCE MATRIX ANALYSIS 6.1 Introduction . . . . . . . . . . . . . . . . . . . 6.2 Incidence Matrix Analysis for State Machines . 6.2.1 State Equation . . . . . . . . . . . . . 6.2.2 Deﬁning the Set of Reachable Markings 6.3 Composition of State Machines Modules . . . . 6.3.1 State Equation . . . . . . . . . . . . . 6.3.2 Deﬁning the Set of Reachable Markings 6.4 Supervisory Veriﬁcation . . . . . . . . . . . . 6.4.1 Blocking . . . . . . . . . . . . . . . . 6.4.2 Controllability . . . . . . . . . . . . . 6.5 Conclusions . . . . . . . . . . . . . . . . . . .
iv 28 28 28 32 32 36 37 38 38 39 40 41 44 45 47 53 54 54 55 56 56 57 57 59 62 65 66 66 69 70 71 71 73 74 75 76 77 78 79 79 79 80 80 80 81 81 82
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
7 GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.2 GMEC and Monitors . . . . . . . . . . . . . . . . . . . . . . . . . . 7.2.1 Generalized Mutual Exclusion Constraints . . . . . . . . . . 7.2.2 Modeling Power of Generalized Mutual Exclusion Constraints 7.2.3 Monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.2.4 Nets With Uncontrollable Transitions . . . . . . . . . . . . . 7.3 Generalized Mutual Exclusion Constraints on Marked Graphs . . . . 7.3.1 Marked Graphs with Monitors . . . . . . . . . . . . . . . . . 7.3.2 Control Subnet . . . . . . . . . . . . . . . . . . . . . . . . . 7.3.3 Control Safe Places . . . . . . . . . . . . . . . . . . . . . . . 7.4 Fully Compiled Models . . . . . . . . . . . . . . . . . . . . . . . . . 7.4.1 Model 1: Monitorbased Controller . . . . . . . . . . . . . . 7.4.2 Model 2: Compiled Supervisor . . . . . . . . . . . . . . . . . 7.5 Partially Compiled Models . . . . . . . . . . . . . . . . . . . . . . . 7.5.1 Model 3: NonDeterministic Partially Compiled Supervisor . 7.5.2 Model 4: Deterministic Partially Compiled Supervisor . . . . 7.6 Comparison of the Models . . . . . . . . . . . . . . . . . . . . . . . 7.7 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 CONCLUSIONS AND FUTURE RESEARCH 8.1 Original Contributions . . . . . . . . . . . . . . . . 8.1.1 Petri Net Languages for Supervisory Control 8.1.2 Supervisory Design . . . . . . . . . . . . . . 8.1.3 Validation of Petri Net Supervisors . . . . . . 8.1.4 Efﬁcient Construction of Control Structure . 8.2 Future Research . . . . . . . . . . . . . . . . . . . . 8.2.1 Petri Net Languages for Supervisory Control 8.2.2 Supervisory Design . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . . . .
CONTENTS
8.2.3 8.2.4 APPENDICES A PETRI NET LANGUAGES A.1 Petri Net Generators . . . . . . . . . . . . . . . . . A.2 Classes of Petri Net Languages . . . . . . . . . . . . A.3 Deterministic Languages . . . . . . . . . . . . . . . A.4 Closure Properties and Relations with Other Classes . A.5 Concurrent Composition and System Structure . . . B AN INTRODUCTION TO SUPERVISORY CONTROL B.1 Discrete Event Systems and Properties . . . . . . . . B.2 Controllable Events and Supervisor . . . . . . . . . B.3 Supervisory Control Problem . . . . . . . . . . . . . B.4 Supremal Controllable Sublanguage . . . . . . . . . C NOTATION Validation of Petri Net Supervisors . . . . . . . . . . . . . . . . . . . . . Efﬁcient Construction of Control Structure . . . . . . . . . . . . . . . .
v 82 82 90 90 90 91 91 92 93
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
95 . 95 . 96 . 100 . 101 103
Acknowledgement
Frank DiCesare has guided me in a spirit of friendship through my Master’s and Ph.D. thesis, providing learning, encouragement, and support all at once. Manuel Silva has given me the wonderful opportunity of visiting the University of Zaragoza and of working with his group. Part of this research has been inspired by him. Alan A. Desrochers, David R. Musser, and Badrinath Roysam have provided additional guidance as members of my doctoral committee. The Petri net group meetings at Rensselaer have been a fruitful learning experience. I acknowledge the many discussions with Padma Akella, Tiehua Cao, Xin Chen, MuDer Jeng, Jagdish Joshi, Hauke Jungnitz, Jongwook Kim, Inseon Koh, Doo Yong Lee, Jim Watson, Mengchu Zhou. I am grateful to the Computer Integrated Manufacturing project of the Center for Manufacturing Productivity and Technology Transfer which has supported the research of this thesis during the last two years. The years of my graduate studies have been a period of freedom and carelessness, marking the transition between youth and maturity. Never will love be more poignant or friends more dear; the memories will last forever. For this I have to thank Philippe Jeanne, Thanos Tsolkas, Ermanno Astorino, Antonio De Dominicis, GloriaDeo Agbasi, Hauke Jungnitz, Giampiero Beroggi and Penny Spring, Agostino Abbate and Joseﬁna Quiles, Didier Laporte, Elisabetta Bruzzone, Nora SiAhmed, Amitava Maulik, Persefone Vouyoukas, Doo Yong Lee, Josep Tornero, Markus Vincze, Michael Eppinger, Rolf Münger, Keith Hanna, Alejandro Beascoechea, Markus Hoerler, Carlos Garcia, Leonardo Lanari, Scott Bieber, Brady Richter, Cristina Gesto, Andreas Glatzl, Jose Neira, Maria Angeles Salas, Antonio Ramírez, Enrique Teruel, Joaquin Ezpeleta, Bruno Gaujal, and Rogerio Rodriguez.
vi
i. for the design of Petri net supervisors and discusses how a composed net may be validated. In our approach.Abstract Discrete event systems represents a new ﬁeld of control theory of increasing importance in the domains of manufacturing. The thesis presents an algorithm. The thesis discusses the use of Petri nets in Supervisory Control. In a second approach. communications. Supervisory Control theory. We show that a Petri net supervisor may not exist if the system’s behavior or the legal behavior are nonregular Petri net languages. called generalized mutual exclusion constraints.. we consider a class of speciﬁcations. based on the concurrent composition operator. is a well established framework for the study of discrete event systems.e. Place/Transition nets have been used by several authors to represent discrete event systems. In a ﬁrst approach. it is possible to derive necessary and sufﬁcient conditions for the existence of supervisors as nets. such as controllability or such as the absence of blocking states. important properties of the net. and discuss several possible structures for the supervisor capable of enforcing them. and robotics. called deterministic Pclosed. By deﬁning a new class of Petri net languages. based on incidence matrix analysis. the control agent that restricts the behavior of a system within a legal behavior. the supervisor. vii . based on formal languages. The advantage of such a supervisor. as opposed to a supervisor given as a feedback function. is that a closed loop model of the controlled system may be constructed and analyzed using the techniques pertaining to Petri net models. is represented as a Place/Transition net as well. may be studied by Integer Programming techniques.
etc. Such systems.2 Background and Motivation In this section we rather informally discuss the motivation of this research. at possibly unknown irregular intervals. “machine 1 breaks down”. The state transitions of a DES are called events and may be labeled with the elements of some alphabet Σ. 1.Chapter 1 INTRODUCTION 1. of physical events. However. robotics. are called discrete event systems (DES) [Ramadge 89b] and the corresponding models are called discrete event models (DEM) [Inan 88].1 Introduction The object of the study of traditional control theory have been systems of continuous and synchronous discrete variables. These systems require control and coordination to ensure the orderly ﬂow of events. modeled by differential or difference equations. We study how Petri net models may be used to solve supervisory control problems. DES qualify as a proper subject for control theory. computer and communication networks. Ramadge 87]. For example. i. 1. capable of capturing the essential features of discrete. the time instant at which state transitions occur. and a unifying theory for their control. 1 . whose states have logical or symbolic. there is an increasing need for different models. a control theory for DES introduced recently by Ramadge and Wonham [Ramadge 83. capable of describing systems that evolve in accordance with the abrupt occurrence. The goal of the present research is that of applying a Petri net model within the framework of Supervisory Control. in a manufacturing environment typical event labels are “machine 1 starts working on part A”. will in general be unpredictable. As controlled (or potentially controllable) dynamic systems. We want to show why Petri nets are a good discrete event model and a powerful tool for Supervisory Control. These labels usually indicate the physical phenomenon that caused the change in state.1 Discrete Event Systems and Models A DES is a dynamic system with a discrete state space and piecewise constant state trajectories (see Figure 1. Hence a twofold issue presents itself: we need a powerful class of DEM. the design of a supervisor capable of restricting the behavior of a system within a legal behavior.e. as well as the actual transitions. values that change in response to events which may also be described in nonnumerical terms. rather than numerical.1). as the scope of control theory is being extended into the domains of manufacturing. and so on.2. asynchronous and possibly nondeterministic systems.
These models can be further classiﬁed as: a) nonstochastic: if the timing is known a priori. An event is atomic. Ramadge 89b]. c ∈ Σ. as in Figure 1. by w = abac . . Logical DEM. 2. Model Classiﬁcation The many areas in which DES arise and the different aspects of behavior relevant in each area have led to the development of a variety of DEM.e. We are interested in the order in which the events occur but not in the real time at which they occur. it is considered to occur in a single step. . Thus a possible evolution of the system may be represented. b. . in which a common simplifying assumption is to ignore the times of occurrence of the events and consider only the order in which they occur. i. This simpliﬁcation is justiﬁed when the model is to be used to study properties of the event dynamics that are independent of speciﬁc timing assumptions. 2. Timed or performance DEM.CHAPTER 1.1. where w ∈ Σ∗ and a. even if in the real system it may be implemented as a sequence of instructions. 1.. We have the following classiﬁcation [Ramadge 86. There are two main assumptions here. b) stochastic: if the timing is not known a priori due to random delays or random occurrences of events. Logical Models The behavior captured in a logical model is the sequences of discrete events or traces that a system generates [Inan 88]. Let Σ be the set of discrete events labels and let Σ∗ be the set of all ﬁnite sequences of events in Σ (including the empty trace λ). which are intended for the study of properties explicitly dependent on interevent timing. INTRODUCTION state 2 x4 b x3 a x2 x1 a c t1 t2 t3 t4 time Figure 1. 1. .1: State trajectories for a Discrete Event System.
. Inan and Varaya [Inan 88] have used the terms language complexity and algebraic complexity to denote two aspects of the descriptive power. we want to use that model for determining whether the system has the desired properties or whether it is free of abnormal behavior. The class of operators related to each model deﬁne its algebraic power. • Logical calculus is used in temporal logic models [Pnueli 79]. In fact. ﬁnitely recursive processes [Inan 88]. Complex systems can be regarded as being built out of interacting subsystems. However. the behavior of a given system is thus given by a subset language L ⊂ Σ∗ . In general. however. consisting of all the traces (or strings) that the system can generate. INTRODUCTION 3 In a logical model. The extreme case is that of Turing machines that have the largest language complexity but whose languages have many undecidable properties. This may be done using different formalisms. Petri nets. We call this qualitative aspect representational power. intersection. We have seen that the logical behavior of a system is represented in the model by a language L ⊂ Σ∗ . concurrent composition. each model has its own language power. union. Descriptive power The descriptive power of a DEM has different facets. different formalisms generate different classes of languages. We will call these two aspects language power and algebraic power.2 Evaluation of Discrete Event Models A great number of logical DEM have been proposed. As an example.2. Additionally. A modeling formalism will be useful if it contains operators that combine one or more models in ways that reﬂect the ways in which systems are connected. In most systems of interest. • A set of equations is used by boolean models [Aveyard 74]. In the following section.CHAPTER 1. Two different models may represent the same behavior although they use different formalisms. so that the model may be used to represent a large variety of systems. different properties have to be considered [Inan 88]. It is often the case. 1. L will be an inﬁnite set so that it cannot be given simply by listing all the traces. we will compare different models with Petri nets with the aim of showing that the representational power of Petri nets is fairly large. these operators. Büchi automata [Ramadge 89a]. communicating sequential processes [Hoare 85]. are deﬁned on languages. In order to evaluate and compare their suitability for control applications. Performance Evaluation Once we are sure that a model has captured the essential features of a system. . we will consider a third aspect that we call representational power. that some behavior can be easily modeled with one particular formalism and not so easily modeled with a different one. Petri nets are not subject to the representational shortcoming typical of other models. • A state transition structure is used by automata and net models such as ﬁnite state machines. We will study systems that allow a logical model. A discrete event model must give a means to specify the set of admissible event trajectories.e. It is desirable that the language power of a model be as large as possible. i.. etc. formal language theory shows that the analysis complexity grows with the language power of a model. the class of languages generated by ﬁnitely recursive processes is a superset of Petri net languages that in turn are a superset of regular languages (the class of languages generated by ﬁnite state machines). In our view of a DEM as a language generator.
Hence a P/T Petri net cannot simulate a register machine which in turn is equivalent to a Turing machine [Ichikawa 88a]. timed models (Timed PN) and performance models (Stochastic PN. Conservative PN are essentially equivalent to ﬁnite state machines. since the number of reachable markings (i. Secondly. an exhaustive search over the state space. may be deﬁned. Descriptive power Petri nets have great descriptive power. the issue of computational complexity is a key concern. this is done by an automatic compilation of the model into control code. These classes are supersets of regular languages and with the introduction of a great number of operators deﬁne an algebra. e. i. Furthermore. In fact. Performance Evaluation The desired properties of a system map fairly well into properties of the corresponding Petri . INTRODUCTION 4 This can be done in two steps. or by exploiting hierarchical or other special structures. It is possible to extend the formalism with the introduction of inhibitory arcs. the PN formalism permits description of logical models (P/T nets.e. For example. namely concurrency. Petri nets satisfy all the requirements that a good DEM should have [Giua 92a]. deadlocks. the structure of the net may be maintained small in size even if the number of the markings grows. asynchronous operations. When logical models are considered. Colored PN). PN languages do not have all the nice closure properties of.2. In such cases simple algorithms for veriﬁcation or synthesis. However. or simulation methods to verify that the model possesses the desired properties” [Inan 88]. “derive effective algorithmic. They have been designed speciﬁcally to model systems with interacting components and as such are able to capture many characteristics of an event driven system. say. 1. etc. called Petri nets languages. “ad hoc” solutions must be studied. they still make use of the full representational power of Petri nets.. 2.. since the states of a PN are represented by the possible markings and not by the places. at worst. It should also provide a guide to constructing a controller.CHAPTER 1. regular languages. i.e. However we note that the descriptive power of P/T nets is large enough for most common applications. rapidly become computationally intractable.. “translate” the desirable properties of the system into properties of the model. At best. A model should then ﬁnd application in the framework of a control theory.. arcs from places to transitions that prevent the ﬁring of a transition if the input place is marked. the number of states in a transition structure for specifying the admissible event trajectories may depend exponentially on some system parameter. classes of languages generated by Petri nets. they allow a compact description. In this last step. Firstly. The ﬁnal goal is to modify (by control action) the set of admissible trajectories so that each event trajectory has the desired properties. Thus one tries to mitigate the complexity by the use of aggregation or modularity. However.e. and often even more restricted models are considered. such as conservative PN. conﬂicts.3 Petri Net Models In this work we study a particular Petri net (PN) model: Place/Transition (P/T) nets. analytical. 1. The basic P/T net cannot model a condition of the form: “Fire transition t if place p is empty”. the number of ’states’ of the model) is ﬁnite. Generalized Stochastic PN). Control Implementation The modeling and analysis of systems is only the ﬁrst step in the study of DES.g.
In Figure 1. Petri net based controllers may be implemented in both hardware and software. It requires the construction of the reachability tree representing the set of reachable markings and transition ﬁrings. The analysis techniques for Petri nets may be divided into the following groups (see [Silva 85]). With modular synthesis. Let L1 be the behavior of the cyclic process with a single job. Kasturia 88] a Petri net interpreter is implemented using a mixture of application dependent and independent code.CHAPTER 1. A net N1 is transformed. we will see that Petri nets give a very compact description of systems which. b) models in which the basic notion is that of action. a ﬁnite coverability tree may be constructed. It permits the demonstration of several properties almost independently of the initial marking. The analysis of the net N2 is assumed to be simpler than the analysis of the net N1 . It may be worth comparing the representational power of PN with that of other models for concurrent systems [Best 91]. As an example. • Analysis by enumeration. INTRODUCTION 5 net model. It is useful for timed nets and to study the behavior of nets that interact with an external environment. due to concurrent behavior. Control Implementation Petri nets languages offer a simple means of applying controltheoretical ideas and in this thesis we will show that they are consistent with Supervisory Control theory. Models based on actions do not suffer from this state space explosion. Suppose we have a cyclic process where ﬁve jobs may be in four different stages. such as interleaving models.e. Petri nets show more ﬂexibility in this respect. In [Crockett 87. If this set is not ﬁnite. a single token. that permit the simpliﬁcation of the structure of a net. It is possible to partition the current approaches into: a) models in which the basic notion is that of state. • Structural analysis. • Simulation analysis. into a net N2 while maintaining the properties of interest. with a well developed mathematical and practical foundation. Examples of this analysis technique are reduction methods. In the next example. Petri nets also represent a hierarchical modeling tool and allow reduction of the computational complexity of analysis by exploiting modular synthesis.1. Then possible evolutions of the system are: . it is necessary to point out that there exists no general technique for compiling a Petri net description into a control system. complex systems may be constructed by aggregation of simpler modules while preserving the properties of interest. Structural analysis may be based on the study of the state equation of the net or on the study of the net graph. Silva 83] and Petrinet like languages [Murata 86] have been used in different applications. However. since states and actions are treated on equal footing and both step and interleaving semantics can be deﬁned on Petri nets [Best 91]. i. such as state machines. Although the number of reachable markings is 56. Many algorithms. have a large state space. Example 1. have been developed to study these properties. since they do not require the explicit enumeration of all the states. 3..2 we have a Petri net where each token represents a job and each place represents a different stage. • Analysis by transformation. Programmable Logic Controllers [Silva 89b. the PN model is very simple compared to a state machine model where we need to explicitly represent all states. an interleaving model of the system considered in this example may be described as follows. according to particular rules.
i.2. t1 t2 . Then the behavior of the process when ﬁve jobs are been processed concurrently is given by L5 = L1 L1 L1 L1 L1 .3.2: Petri net in Example 1. . The shortcoming of models based on actions lies in the cumbersome way in which speciﬁcations involving counters and semaphores are modeled. In fact.. For n = 2 we have L2 = (t2 t1 )2 + (t2 t1 ) For a generic n Ln = (t2 t1 )n + (t2 t1 )n−1 (t3 t4 ) + . . t1 t2 t3 ..3: Petri net in Example 1. . . L1 = (t1 t2 t3 t4 )∗ . (t3 t4 ) + (t3 t4 )2 . Here we have two sequences (t2 t1 ) and (t3 t4 ) that can be run up to a total of n times.CHAPTER 1. where is the concurrent composition operator.1. INTRODUCTION 6 Figure 1.e. Figure 1. n being the number of tokens in p3 . t1 .2. . for n = 1 the behavior is L1 = t2 t1 + t3 t4 . Consider the Petri net in Figure 1. Example 1. Using an interleaving model to represent this process is awkward: we have to explicitly specify all concurrent ﬁring sequences. (t2 t1 ) (t3 t4 )n−1 + (t3 t4 )n . λ. here the bar stands for the preﬁx operator and ∗ is the Kleene star operator. .
The class of regular languages is closed under the SCS and ICS operators. Qualitative properties of DES.2. all capable of describing systems whose behavior is deﬁned by a differential linear . within the limits of the legal language. The basic control problem is the following. language theory provides a rigorous formalism for proving important theorems on the existence of supervisors. matrixfraction description. etc. We may distinguish three different areas of interest in the supervisory control approach. Design algorithms have been devised to compute the control structure of a supervisor for a given control problem. It has been noted [Cieslak 91] that this approach allows us to evaluate and compare the effect of different control policies on the behavior of the uncontrolled system. given the knowledge of the system and of the speciﬁcation. 1.4 Supervisory Control Ramadge and Wonham provide a unifying framework for the control of discrete event systems [Ramadge 89b].e.. Here we simply discuss those aspects of Supervisory Control that have motivated this research. a legal language L. by disabling only controllable transitions. controllability [Ramadge 87]. i. These algorithms are based on language operators. An introduction to the theory is presented in Appendix B. thus they are model independent. linear systems. S and G are supposed to run in parallel and the closed loop structure is again a DES. inﬁmal controllable superlanguage (ICS) [Lafortune 90a]. At this level. state variables. since open loop plant and controller are treated separately. new language operators. The closure properties of different classes of languages under these operators are also discussed. the action of S on G. Özveren 90]. denoted by S/G.. In classical control theory there exist different models for. say. Finally. We are given a DES G generating the language L(G) and a speciﬁcation. and the set of uncontrollable events Σu . The existence of ﬁnite state supervisors have been discussed by Ramadge and Wonhan [Wonham 87] and Ushio [Ushio 90]. and Lafortune and Chen [Lafortune 90a]. One the most important features is the partition of Σ into two disjoints sets: the set of controllable events Σc . etc. are also deﬁned. and so far their Supervisory Control Theory is the most general and comprehensive theory presented for logical DES. polynomial matrix description. The uncontrollable events are those which cannot be disabled by a control action. INTRODUCTION 7 1. such as stability [Brave 90]. such as transfer function. The supervisor receives as input the sequence of events generated by G and determines a control input that speciﬁes which events are to be disabled in G. nonblockingness [Ramadge 87]. Examples of these operators are the supremal controllable sublanguage (SCS) [Wonham 87]. are deﬁned from a very general perspective as properties of languages. This “abstract” perspective has made possible the creation of a modelindependent theory. We want to restrict the behavior of the system. 3. 2. No results have been published on Petri net languages. seen as a language generator over an alphabet of events Σ.. At the model level a particular model is chosen to describe the physical device to be controlled. as shown by Ramadge and Wonham [Wonham 87]. The formal language level is concerned with theoretical issues. Some results on Petri net supervisors with inhibitory arcs have been presented by Sreenivas and Krogh [Sreenivas 92]. etc. The control structure that restricts the behavior of the system is called a supervisor. observability [Cieslak 91. If we consider the system G as the plant (or the object to be controlled) and the supervisor as the controlling agent. previous approaches require a separate model for each control policy and only permit models of closed loop systems. The system level deals with the concept of DES. it is often possible to realize a supervisor simply as another DES S.CHAPTER 1. that will play a central role in solving the control problem.
CHAPTER 1. we need to study the counterpart on a Petri net structure of the linguistic operators required in the design of a supervisor. the class of problems for which a Petri net supervisor exists. Thus Petri nets may potentially be viewed as an effective means to realize supervisory controllers. it is sufﬁciently general to be applied to different models. The exponential growth of the state space of a model with the number of interconnected modules is a well known blight in the study of concurrent systems which makes the use of simple models. At the formal language level. such as ﬁnite state machines. Wonham has proposed an algorithm which uses three different operators: shufﬂe.3 Objectives of the Thesis Supervisory Control is so far the most complete theory for the control of DES.. allowed by language theory but in practice until now unattainable because of the state space explosion problem. We propose an alternative design that requires only one operator: concurrent composition. We have seen. the behavior is deﬁned as a formal language. in the previous discussion. but a brute force analysis of the model may often require the exhaustive search of the reachability tree. 1. Here the choice of one model rather than another one is a key factor that may drastically affect the class of problems that can be solved. Another issue of paramount importance is the complexity involved in solving a control problem. Krogh 91. we need to consider the closure properties of Petri net languages under the operators used in Supervisory Control theory. Secondly. INTRODUCTION 8 equation. There are ways to mitigate the complexity involved in the analysis of the model by using techniques that are primarily based on the structure of a net rather than on its behavior. In particular. Although these techniques have been extensively investigated in the Petri net literature. At the discrete event system level. since it assume that only a subset of the events is controllable. so far they have been used in the context of Supervisory Control only by Holloway and Krogh [Holloway 90. 2.e. selﬂoop and intersection. This will allow us to characterize the class of control problems that may be solved by Petri net models. it captures the physical constraints the controller must satisfy. We are ﬁnally ready to state the goal of this research: “Investigate the use of Petri nets models within the framework of Supervisory Control. Holloway 92a]. In Section 1. since the language power of each model is limited. each model has its own toolset of design and analysis techniques. we have already discussed the good properties that a discrete event model should feature. we need to study Petri net languages in the context of Supervisory Control. there may exist systems whose behavior may not be expressed with a given model. Examples of these techniques are incidence matrix analysis and modular synthesis. i. Firstly. with a possibly inﬁnite number of states. Thirdly. thus making its computational complexity exponential as well. The . impracticable.2. which may be used more or less efﬁciently for the solution of a control problem. hence the models used are language generators. that Petri nets reduce this complexity by means of its representation power. In the case of a discrete event system. 1. based on formal languages. it provides exact algorithms to design a supervisor for large classes of control problems. However there are cases where it may be necessary to use a model such as Petri nets.” The fulﬁllment of this goal requires several steps. the representational power of a model may not be speciﬁcally tailored to represent a given system’s behavior.2. It has a sound mathematical foundation. It is often assumed that physical systems have a ﬁnite state space. Petri nets provide a compact representation of systems.
has been shown useless [Colom 89] in determining some properties of net systems such as the existence of home markings. by concurrent composition of the system and speciﬁcation modules. to avoid reaching a set of undesirable markings.. in which the reachability set of a marked net is represented by the integer solutions of a set of linear inequalities.. i. Thus. the use of Petri nets allows us to keep the structure of the model ‘small’. we need to make full use of the Petri net analysis techniques to efﬁciently validate a Petri net supervisor. In the ﬁrst step. The reachability problem for this class can be solved by incidence matrix analysis.e. We will explore two different techniques.CHAPTER 1. a coarse structure for a supervisor is synthesized by means of concurrent composition of different modules. that may be generated by nonblocking generators. that have also been considered in [Krogh 91]. This approach.e. transitions that may not be prevented from ﬁring by a control agent. . called Elementary Composed State Machine nets. called mutual exclusion constraints. we need to modify this approach in order to be able to use this analysis technique in the context of Supervisory Control. The design requires two steps. Chapter 5 shows how Petri nets may be used to design a supervisor. INTRODUCTION 9 counterpart of this operator on the net structure can be easily deﬁned and preserves the modularity of the overall system. formal languages and Supervisory Control. Finally. by means of an example. Secondly. we need to reﬁne the net. necessary and sufﬁcient conditions for the existence of a Petri net supervisor under the hypothesis that the system’s behavior and the legal behavior are both Petri net languages are derived.. At the model level.e. the structure is reﬁned to avoid reaching forbidden markings. markings that may be reached by any marking in the reachability set of a Petri net. In fact it is possible to derive a set of linear inequalities that exactly deﬁnes the set of reachable markings. it is shown that the trimming of an unbounded Petri net is not always possible. A new class of P/T nets. i. no new places are introduced.4 Organization of the Thesis This chapter has introduced the topic of the thesis and stated the objectives of research. 3. In both steps. Firstly. We need to derive reﬁnement procedures which preserve the modular structure of the net in this step as well. Chapter 6 discusses how incidence matrix analysis for Petri net models may be used to validate supervisors. it is shown that Petri net languages are not closed under the supremal controllable sublanguage operator. A second area of our research is the use of modular synthesis techniques for nets with uncontrollable transitions. however. It is often the case that once the coarse structure of a supervisor has been obtained. Determining the existence of home markings is a problem essentially equivalent to that of determining if a net is nonblocking. i. to prove that the supervisor has the desired properties. In the second step. Chapter 3 introduces the basic notation on Petri nets. i. Our aim is that of efﬁciently deriving a Petri net structure for a supervisor for this class of problems.e. Classic incidence matrix analysis is based on the solution of the state equation of a net. 1. which is an important property of discrete event systems. We show that for conservative Petri nets there exists a standard reﬁnement procedure that only requires introducing new arcs and possibly duplicating some transitions. Chapter 4 discusses the use of Petri nets in the framework of Supervisory Control.. is deﬁned. Chapter 2 discusses in depth the literature relevant to the present research. this leads to the deﬁnition of a class of Petri net languages. We will explore a class of speciﬁcation. The ﬁrst one is based on incidence matrix analysis.
such as the absence of blocking states or controllability. we compare a monitorbased solution of mutual exclusion problems with several supervisory based solutions. . For one of these classes. when some of the transitions of the net are uncontrollable this technique is not always applicable. marked graphs with control safe places. Chapter 8 concludes the thesis with a discussion of the original contributions and listing possible further directions of research. important properties of discrete event systems. However. INTRODUCTION 10 Thus. may be analyzed by Integer Programming techniques. for discrete event systems modeled using P/T nets. called generalized mutual exclusion constraints. Appendix C is a glossary of the notation used in the thesis. These speciﬁcations may be easily enforced on a net system where all transitions are controllable.CHAPTER 1. For some classes of nets. Appendix A reviews some basic concepts of formal languages and Petri net languages. Chapter 7 deﬁnes a class of speciﬁcations. Appendix B is a short introduction to Supervisory Control and supervisory design techniques. even in the presence of uncontrollable transitions. we prove that mutual exclusion constraints may always be enforced by monitors. by a set of places called monitors.
discuss and solve the Supervisory Control and Observation Problem (SCOP) and the Decentralized Supervisory Control Problem (DSCP). In 11 . since our approach is based on formal languages. i. A dual concept is deﬁned — the inﬁmal controllable superlanguage — and is used to determine a supervisor that may also permit blocking in order to achieve a larger behavior. An extension of this work is [Lafortune 91] where the Supervisory Control Problem with Tolerance (SCPT) is deﬁned. or cannot distinguish between some of them. The authors prove in these seminal papers that the supremal controllable sublanguage always exists (but may be the empty language). This provides the theoretical basis of our research. Firstly. In [Lafortune 90a] a new control problem is studied: the Supervisory Control Problem with Blocking (SCPB). the problem is that of designing a controller such that the controlled system never goes beyond the tolerated behavior and achieves as much as possible of the desired behavior. an agent that is capable of disabling the controllable transitions of a DES in response to the traces of events generated. In SCOP the assumption is that a mask is present between the controlled system and supervisor. so that the supervisor cannot observe all the transitions. It is based on the concept of a supervisor [Ramadge 83. Thirdly. The Supervisory Control Problem (SCP) consists in designing a supervisor which restricts the traces generated by the system within a legal behavior. it is interesting to compare PN with other logical models that have been used in Supervisory Control. Finally. reduction rules. Here it is assumed that in some cases the solution to the SCP (supremal controllable sublanguage) may be too conservative. Under very general hypotheses on desired and tolerated behavior. Secondly. and synthesis operators. we review the work on Petri net languages. 2. we consider the efﬁcient validation of PN models. If the legal behavior is not controllable.1 Supervisory Control Theory The supervisory theory by Ramadge and Wonham is so far the most comprehensive theory for the control of discrete event systems. In [Lafortune 90a] Lafortune and Chen introduce two performance measures (in terms of satisﬁcing and blocking).. and techniques to improve each of these two conﬂicting measures.e. Ramadge 87].Chapter 2 LITERATURE REVIEW The literature of interest to this research covers different topics. we review the work done in Supervisory Control. In DSCP it is assumed that the control action is enforced by local supervisors that control only subsystems. but may be blocking. A non blocking solution exists but is not necessarily unique. using techniques based on incidence matrix analysis. Lafortune and Lin show that a solution to SCPT exists and is unique. we have to further restrict the system’s behavior to the supremal controllable sublanguage for which a supervisor exists. If the legal behavior is a controllable language [Wonham 87] a supervisor exists. In [Cieslak 91] Cieslak et al.. Given a desired and tolerated behavior. and in the regular case may be determined with a ﬁnite procedure.
one of the ﬁrst to be presented. 2.1 Transition Models Aveyard [Aveyard 74] presents a Boolean matrix equation model for a class of DES in which the state change associated with each event occurrence is deterministic. However. A slightly different problem that the authors examine is recovery under control failure. Several interesting control synthesis problems have a computationally tractable solution when Büchi automata models are used. Here the author derives necessary and sufﬁcient conditions for the general case. Ostroff 90a] to the control of realtime discrete event systems. and in which all units or entities are permanent. Wonham 88a]. Tadmor 89. A review of the theory is presented in [Ramadge 88.2 Logical Models for Discrete Event Systems Numerous approaches to the modeling of discrete event systems have appeared in the literature. The model is used to extend the concept of controllable language to nonﬁnite strings and to derive conditions for the existence of a supervisor to implement a prescribed closedloop behavior. to describe inﬁnite state systems. which are known to have a modeling power equivalent to Turing machines. they prove that a PNIA supervisor exists if the system’s and speciﬁcation behaviors are Turing computable languages. are undecidable. however. When the languages controlled by each supervisor are nonconﬂicting.2 Temporal Logic Hailpern and Owicki [Hailpern 83] use temporal logic (a formalism introduced by Pnueli [Pnueli 79] for formalizing the semantics of concurrent programs) to model computer communication protocols. A global control law can be enforced by the conjunction of all the supervisors. each enforced by a single supervisor. In [Brave 90] Brave and Heymann deﬁne stabilization as the ability of a discrete event process to reach a set of target states from an arbitrary initial state and then remain there indeﬁnitely. The temporal logic formalism is applied by Ostroff and Wonham [Ostroff 90b.2. Tsitsiklis 87] different problems of computation and the related issue of computational complexity are considered. such as determining if the behavior of a PNIA is controllable. Ramadge [Ramadge 89a] introduces Büchi automata in the modeling of DES. Wonham 88b] a modular approach to the design of supervisors is considered. In [Ramadge 89b. The model is used for the modular veriﬁcation of safety and liveness for parallel processes. 2. In [Ramadge 86. Unfortunately in the general case the resulting system may be blocking. However.2. the only mask operator considered in this paper is the language projection operator. They use Petri nets with inhibitory arcs (PNIA). The speciﬁcation language is composed of different speciﬁcations. Ramadge 89b. permits checking of simple properties such as whether the system is deterministic and if it will hang or cycle. The model. the nonblocking condition is assured as well. In [Ushio 90] Ushio discusses the conditions under which a ﬁnite state supervisor (FSS) may be constructed to solve a SCP. Thus.CHAPTER 2. LITERATURE REVIEW 12 [Lin 88. 2. important properties. Lin 90] Lin and Wonham discuss the Decentralized SCOP (DSCOP) where both partial observations and decentralized control are incorporated into the control structure. From [Ramadge 87] it was known that a FSS exists when both system’s behavior and speciﬁcation language are regular. In both cases they present design algorithms for controllers that improve the stabilization of processes. Temporal logic is a useful tool in the formal . The case of the inﬁnite state supervisor is discussed by Sreenivas and Krogh [Sreenivas 92].
The descriptive power of the model and its use in performance evaluation is also investigated. it is a function of the actual marking of the system rather than a function of the string of events generated by the system. The class of controlled Petri nets considered is cyclic marked graphs and the admissible speciﬁcations consist of forbidden markings that simultaneously assign tokens to one or more set of places. the complexity of the ﬁnitely recursive process grows and nondeterminism needs to be introduced.CHAPTER 2. The author deﬁnes the control law that generates the supremal controllable sublanguage as the maximally permissible feedback. they can prove that this model is equivalent to Turing machines.4 Controlled Petri Nets Several authors have used a particular Petri net model. Ushio and Matsumoto [Ushio 88] derive necessary and sufﬁcient conditions for the uniqueness of the maximally permissible feedback on controlled PN. the authors show an interesting manufacturing example that requires the coordination of automated guidance vehicles. called controlled Petri nets. This model is a standard PN with the addition of external input places. However the proof is limited to ordinary Petri nets: when the multiplicity of the arcs is greater than one. Controlled PN have been introduced by Ichikawa and Hiraishi [Ichikawa 88a] to study the inputoutput behavior of discrete event models. Holloway and Krogh [Holloway 90. CCS is one of the standard models for concurrent systems on which recent and ongoing research is focused. Krogh [Krogh 87] applies controlled PN to Supervisory Control. Under these hypotheses the modeling power of the net is increased by the capability of detecting whether a place is empty. He also notices that the maximally permissible feedback may not be unique because of the particular ﬁring policy that permits the simultaneous ﬁring of enabled transitions. The authors prove that their formalism can easily model any Petri net. 2. Although these restrictions are certainly heavy.2.e. Ichikawa and Hiraishi restrict the ﬁring policy on the net to be decisionfree.3 Communicating Processes Milne and Milner [Milne 79] deﬁne concurrent processes by means of a net algebra and deﬁne a minimal set of operations for composing processes. They prove that CCS deﬁnes a class of concurrent systems composed of interacting sequential automata. i. He assumes that each transition is associated to at most one external input place and studies how the behavior of the net can be restricted within a certain behavior by a particular marking function for the external input places. Inan and Varaiya [Inan 88] present a class of discrete event models called ﬁnitely recursive processes whose formal structure is based on Hoare’s communicating sequential processes [Hoare 85]. In fact the CCS models are isomorphic to a subclass of Petri nets. It is furthermore assumed that only the marking of a set of so called external output places may be observed. the control problem may be solved with great computational efﬁciency by analysis of the net structure. Liveness properties under control are discussed in [Holloway 92a]. In [De Cindio 83] De Cindio et al. 2. i.e.. The ﬁnal result of this research is presented in [Milner 80]. i. for restricted classes of nets and restricted speciﬁcations. However the validation of the model is based on theorem proving techniques and is difﬁcult to perform. a particular control law. . Superposed Automata Nets deﬁned in [De Cindio 82]. compare CCS with Petri nets.e. In the paper. In a subsequent paper [Ushio 89]. Ushio also derives necessary and sufﬁcient conditions for the existence of a control law that satisﬁes a given speciﬁcation.2. whose marking is given by an external function. within the framework of Supervisory Control.. This control law is implementing a state feedback rather than a trace feedback. all enabled transitions should ﬁre simultaneously. where the Calculus of Communicating Systems (CCS) is introduced. Krogh 91] show that. LITERATURE REVIEW 13 ization of the control problem..
In Hack [Hack 75a. intersection. concatenation. simple closure properties. For each of these classes. Closure properties and relationship among the different classes of Petri net languages are reported with additional results.CHAPTER 2. Colom [Colom 89] develops a methodology for the veriﬁcation of assertions on P/T nets in terms of markings and ﬁring count vectors.e. unfortunately. to verify that a given marking is a home state. The control law is a function of the actual marking of the net. such as determining if a marking is a home state. and indeﬁnite concatenation) are examined. for which neither a necessary nor a sufﬁcient condition can be given. and ﬁniteness) are obtained. Petri nets are considered in the context of formal language theory. concurrency. Parigot and Peltz [Parigot 86] have characterized PN languages in terms of logical formalism. the closure properties of Petri net languages under several form of composition (union. the author also shows that it is possible to prove some properties that depend on the ﬁring count vector by adding to the net new places whose marking indicates the number of times a given transition has ﬁred. 2. This approach is extremely general. not presented by Peterson. In his Master’s thesis [Baker 73]. complement. can only guarantee necessary or sufﬁcient conditions. Berthomieu [Berthomieu 87] uses the set of linear equations given by the Psemiﬂows to represent the space of reachable markings. can be applied to any P/T net but. whereas if a transition structure is given for a supervisor. but need to be computed at each step. based partly on incidence matrix analysis and partly on the analysis of the state space. The language power of Petri nets is shown to be greater than that of ﬁnite automata as a result of the additional ability of Petri nets to test if a string of parentheses is well formed.4 Incidence Matrix Analysis of Petri Nets Incidence matrix and related analysis techniques are used by several authors to validate properties of P/T nets. However.g. Different languages which result from different types of transition labeling are also considered. LITERATURE REVIEW 14 The main characteristic of the controlled PN approach to supervisory control is the fact that no transition structure for a controller is given. . Johnen [Johnen 87] uses an hybrid approach. Peltz [Peltz 86] has also extended the study to the inﬁnite sequential behavior of Petri nets. The logical formalism may be used to prove that a given language is a Petri net language and to construct a Petri net having a given ﬁnite behavior. Here the deﬁnition and classiﬁcation of these languages is given. There exists assertions. A survey and tutorial on Petri net languages is presented in [Peterson 81] Chapter 6. Another comprehensive tutorial on Petri net languages is a paper by Jantzen [Jantzen 87]. In this case. a closedloop model can be constructed and analyzed to ensure that it has the desired properties.3 Petri Net Languages Baker [Baker 72] is one of the ﬁrst to introduce the basic idea of associating a language with a Petri net and using this language to describe the behavior of the net.. Silva and Colom [Silva 89a] give algorithms to efﬁciently compute the structural synchronic invariants of P/T nets. Within this framework. the relationship between Petri net languages and other classes of formal languages are investigated. only properties that depend on the markings can be proved. two basic language classes are distinguished: the preﬁx language and the marked language. and their preﬁx language is studied. for membership. emptiness. 2. and substitution) and under some operations (reversal. i. characterizations and decidability problems (e.. Hack 75b].
The classes of reduction rules include: place transformations.e. in the second approach. [De Cindio 82]. while simplifying the structure of the net to make analysis easier. This composition maintains the properties of safeness and liveness. Berthelot [Berthelot 86. to determine if σ gives a ﬁring sequence.5 Synthesis and Reduction of Petri Nets Models In the synthesis of Petri net models there are two main approaches: bottomup and topdown. In [Ichikawa 88a. are considered. PN with no selﬂooping transitions. trapcontainingcircuit nets. 2. In [Berthelot 86] he also discusses the composition of nets by common transitions as a complementary technique to the reduction methods. Beck and Krogh [Krogh 86] present a methodology for constructing a class of P/T nets for modeling discrete processes. bounded. yields a ﬁring sequence. Two such classes are: live and bounded marked graphs (a structural class). stating that the Psemiﬂows and/or the Tsemiﬂows of the union of two Petri nets can be immediately expressed — in speciﬁc cases — in terms of the invariants of the two subnets. based on the analysis of the ﬁring subnet. Best and Fernández [Best 86] deﬁne the notion of Snet. In [Ichikawa 88b]. 1 .CHAPTER 2. Narahari and Viswanadham [Narahari 85] deﬁne a union operator 1 for pure Petri nets. and persistent nets (a behavioral class). proper termination. For these classes. there exist necessary and sufﬁcient conditions.. satisfying the state equation of a Petri net. respectively.. [Avrunin 91] use a formalism similar to Petri net incidence matrix analysis for verifying properties of concurrent systems described as ﬁnite state automata. they prove that in acyclic nets. the authors illustrate how this technique may be applied to the modeling of ﬂexible manufacturing systems. home states and liveness.e. A complementary approach is that of deﬁning reduction rules that preserve the properties of interest. Finally. Following the ﬁrst approach a complete net is constructed combining subnets under given operators. Hack [Hack 72. transition transformations. The synthesis of Petri nets is realized by joining subnets along common simple elementary paths. Two theorems are presented. The author also proves that there are classes of nets to which these transformations can be repeatedly applied to reduce the net to a single transition. The class of nets obtained by composition of state machine modules is named Superposed Automata Nets by De Cindio. live. σ always yields a ﬁring sequence. languages L1 and L2 constructs a Petri net generating the language L = L1 ∪ L2 . which by fusing transitions reduce both structure and state space of the net. The invariants are used to analyze important qualitative aspects of the system such as absence/existence of deadlocks. i.. a net in which each transition has at most one input place and one output place. deﬁning a state machine decomposable net as a net constructed by composition of strongly connected state machines along common transitions. et al. which given two Petri nets generating. conservativeness). etc. that reduce the net structure by eliminating redundant places but do not modify the state space. Avrunin et al. the Psemiﬂows of the resulting net can also be easily found in term of the Psemiﬂows This operator is different from the union operator as deﬁned in [Peterson 81]. such as trapcircuit nets. transition and places in a net can be replaced by a more detailed subnet. Berthelot 87] has presented several reduction rules. In both cases the synthesis rules are such as to preserve some properties of the original modules. The properties preserved by these transformations are: covering with Psemiﬂows (i. Murata also discusses reachability in marked graphs in [Murata 77]. Hack 74] studies the composition of state machines. as reported in [Murata 89]. An Sdecomposition is a partition of a net into Snet components. LITERATURE REVIEW 15 Ichikawa and Hiraishi study under which conditions a ﬁring count vector σ. Murata 89] other classes of nets.
Koh [Koh 92] has studied the compositions of live and bounded circuits along paths. i. LITERATURE REVIEW 16 of the subnets. and where the subnets between a fork and a join are marked graphs.e. The author has studied under which conditions the composed system is live and bounded. The composition allows the fusion of overlapping paths. Finally. The modules are connected through a set of input/output places. Zhou [Zhou 90] has studied a formal methodology for the synthesis of Petri nets in manufacturing. The nets being considered are regular nets. nets where forks and joins are symmetrical. The authors introduce a modiﬁed Petri net model [Beck 86] more suitable for the modeling of manufacturing systems by means of the synthesis approach they propose. The author has also discussed how liveness properties for systems with shared resources depend on the value of the initial marking of the net. in the sense that it is partially topdown and partially bottomup.. . and has been extended to colored Petri nets. that act as mailboxes. Datta 86] present a technique for the modular synthesis of PN. Datta and Gosh [Datta 84. it is possible to give rules to connect the modules in a way that preserves liveness and boundedness.CHAPTER 2. The approach followed is called hybrid.
t) − P re(p. Here I = {0. 17 . t) = 0] for every place p and for every transition t. t) > 0}. deﬁned as C(p. N A net is pure if it has no selﬂoops. A trap is minimal if it is not the superset of another trap. 1. • P re : P × T → I is the preincidence function that speciﬁes the arcs directed from places N to transitions. A trap is basic if it is not the union of other traps. If a net is pure the incidence functions can be represented by a single matrix. A siphon is a set of places S ⊆ P such that • p∈S p⊆ p∈S p• . t) > 0}. T = n. A trap is a set of places T ⊆ P such that p• ⊆ p∈T p∈T • p. if [P re(p.1 Place/Transition Nets A Place/Transition net (P/T net) is a structure N = (P. t• = {p ∈ P  P ost(p. .. .Chapter 3 BASIC NOTATION 3. P ost) where: • P is a set of places represented by circles. • T is a set of transitions represented by bars. the incidence matrix of the net.1. It is assumed that P ∩ T = ∅ and P ∪ T = ∅. T. i.e. t). . p• = {t ∈ T  P re(p. t) = 0 ∨ P ost(p. 2.1 Petri Nets 3. P re.}. N • P ost : P × T → I is the postincidence function that speciﬁes the arcs directed from transitions to places. t) > 0}. P = m. t) > 0}. The preset and postset of a transition t are respectively • t = {p ∈ P  P re(p. t) = P ost(p. The preset and postset of a place p are respectively • p = {t ∈ T  P ost(p.
t). • Live. i. P ost. T. if from every marking M ∈ R(N. σ(t) represents the number of times transition t appears in σ. A P/T net is connected if in the underlying graph1 there exists a path (not necessarily directed) from any vertex to all others. A marked graph is a P/T net such that each place has exactly one input arc and one output arc. t). T. A marking M ∈ P R(N. Let B be a basis of Psemiﬂows of the net N . M0 ). M0 if there exists a ﬁring sequence σ such that M0 [σ M . M0 ). The set of all markings deﬁned on a net N = (P. P ost) is the net N R = (P. M0 ). the set of ﬁring sequences (also called language of the net) is denoted L(N. M0 ) satisﬁes the following system of equations: B T ·M = B T ·M0 . Let marking M be reachable from marking M0 by ﬁring a sequence of transitions σ. M0 ) ⊇ R(N. M0 ).CHAPTER 3. if there exists a nonnegative integer k such that M (p) ≤ k for every place p and for every marking M ∈ R(N. • Safe (or 1bounded). T 3.e. M0 ). 1 The graph underlying a Petri net has as vertices places and transitions. M0 is: • Bounded. A ﬁring sequence from M0 is a (possibly empty) sequence of transitions σ = t1 . called the ﬁring count vector. strongly connected if there exists a directed path from any vertex to all others.1. M0 ) ⊇ P R(N. The reversal of N = (P. acyclic if no directed path forms a cycle. such that Y ≥ 0 and N Y · C = 0. and of their input and output places. The ﬁring subnet given by a ﬁring count vector σ consists of all the transitions t σ(t) ≥ 0. . • Conservative. A state machine is a P/T net such that each transition has exactly one input arc and one output arc. then t may ﬁre yielding a new marking M with M = M + C(·. where σ : T → I is a vector of N nonnegative integers. P re. A transition t ∈ T is enabled at a marking M if M ≥ P re(·. P ost) is I P  . M0 ). We will write M [t M to denote that t may ﬁre at M yielding M . The set of markings M such that there exists a vector σ satisfying the previous state equation is called the potentially reachable set and is denoted P R(N. A marked net N. BASIC NOTATION 18 A Psemiﬂow (or nonnegative Pinvariant) is a vector Y : P → I . T. The support of Y is QY = {p ∈ P  Y (p) > 0}. and as directed edges the arcs speciﬁed by P re and P ost. if M (p) ≤ 1 for every place p and for every marking M ∈ R(N. tk such that M0 [t1 M1 [t2 M2 · · · [tk Mk . M0 ) [Colom 89]. represented by black dots. M0 ) there exists a ﬁring sequence containing all transitions. Note that P R(N. A marking M is reachable in N. M0 . M0 ). Then the following state equation is satisﬁed: M = M0 + C · σ. a new net where the direction of all arcs of N is reversed. We will also write M0 [σ Mk to denote that we may ﬁre σ at M0 yielding Mk . P re.. P re). If t is enabled at M .2 Marked Nets A marking is a vector M : P → I that assigns to each place of a P/T net a nonnegative integer N number of tokens. . if there exists a vector of positive integers Y such that Y T · M = Y T · M0 for every marking M ∈ R(N. M (p) denotes the number of tokens assigned by marking M to place p. M0 ) and the set of reachable markings (also called reachability set of the net) is denoted R(N. M0 is a net N with an initial marking M0 . Given a marked net N. Note that P RB (N. . N A net system or marked net N. The set of markings satisfying the previous system of equations is denoted P RB (N.
e. ∩ Σn .. M0 by removing place p and all its input/output arcs. Σn be alphabets and let Σ = Σ1 ∪ . d Ln . . let Σ = Σ1 ∩ . . . let L1 . Let Σ1 . . . P ost) is a Petri net structure. M0 ) = L(N . and let Σe be a disjoint alphabet. . . . i. a set of symbols. A language L over Σ is a set of strings composed with symbols in Σ. • M0 is an initial marking. .. • F is a ﬁnite set of ﬁnal markings. i. .e.e. . L is called a shufﬂe language and is denoted by L = L1 d . T. .. . ∪ Σn . . Ln be languages deﬁned on them. The selﬂoop of L with respect to Σe is the language L = L d Σ∗ . . The two languages associated with G are the Llanguage (also called marked behavior in the context of Supervisory Control) and the Planguage (also called closed behavior) deﬁned as follows [Peterson 81]. as a 4tuple G = (N. F ) where • N = (P. . let Σ = Σ1 ∪ . n}.. A place p of a marked net N. The intersection of L1 . . . Ln . As a particular case. . M0 is the marked net obtained from N. i = 1. . i = 1. ∩ Ln . . . Let L be a language on Σ. . . denoted L = L1 ∩ . P re. is the language over Σ deﬁned as L = {w ∈ Σ∗  w ∈ Li . . . the projection (or restriction) of w on Σi is the string w ↑i obtained from w by deleting all the symbols not belonging to Σi . . BASIC NOTATION 19 • Reversible. M0 . ∪ Σn . . . M0 is implicit [Silva 85] if L(N. n}. . denoted L = L1 .e. Ln . . . M0 ). . . . . e Let Σ1 . A place p of a net N is structurally implicit if there exists an initial marking M0 such that p is implicit in N. Given a string w ∈ Σ∗ . Peterson 81]. . i Let Σ1 . 3. . when the alphabets Σ1 .CHAPTER 3. . . . . • : T → Σ is a labeling function that assigns to each transition a label from the alphabet of events Σ and will be extended to a mapping T ∗ → Σ∗ as shown in Appendix A. Formally the projection operator is a mapping from Σ∗ to Σ∗ . . .1. .3 Petri Net Languages This section presents the notation used for Petri net languages. Σn are disjoint. i. Σn be alphabets. The concurrent composition (or synchronization) of L1 . . M0 . Σi ∩ Σj = ∅ (i = j). . where N . M0 ). is the language over Σ deﬁned as L = {w ∈ Σ∗  w ↑i = wi ∈ Li . . i. We will represent a discrete event system (DES) as a labeled Petri net (or Petri net generator) [Jantzen 87. Ln be languages deﬁned on them. . . L ⊆ Σ∗ . . let L1 . if the initial marking M0 is reachable from every reachable marking M ∈ R(N. A more detailed review of Petri net languages is presented in Appendix A.2 Formal Languages Let Σ be an alphabet. . Ln . Σn be alphabets. . . 3.
In the following. BASIC NOTATION Given a DES G = (N. this deﬁnition is reduced to the usual deﬁnition of Lm (G)closed: K = K∩Lm (G) [Ramadge 89b]. . 20 Note that in this deﬁnition of labeled net we are assuming that is a λfree labeling function. Ld and Pd .4 Supervisory Control This section presents the language notation used for Supervisory Control. M0 . In the case that K ⊆ Lm (G). t ∈ T . M [t ∧ M [t =⇒ (t) = (t ). A language L is said to be closed if L = L. F ) is deterministic if ∀t. F ). M0 [σ M ∈ F }. . no transition is labeled with the empty string λ and two (or more) transitions may have the same label. Let L be a language on alphabet Σ. with t = t and ∀M ∈ R(N.. the set of controllable events. 3. The set of all languages controllable wrt L(G) is denoted C(G). . A more detailed review of Supervisory Control is presented in Appendix B. M0 . The controllable events may be disabled by a controlling agent in order to restrict the behavior of the system within a legal behavior.CHAPTER 3. and Σu . A deterministic PN generator [Jantzen 87] is such that the string of events generated from the initial marking uniquely determines the sequence of transitions ﬁred. We will always assume that the generators considered here are deterministic.e. A deterministic DES is nonblocking if and only if L(G) = Lm (G). Note that Pd ⊂ P and Ld ⊂ L (strict inclusion) [Jantzen 87]. the Ltype language of G is Lm (G) = { (σ) ∈ Σ∗  σ ∈ T ∗ . F ) be a DES with alphabet of events Σ. respectively. If a language L ⊂ Σ∗ is not controllable with respect to L(G) we may compute its supremal controllable sublanguage [Wonham 87] deﬁned as: L↑ = sup{K ⊆ L  K ∈ C(G)}. ∃M M0 [σ M }. Its preﬁx closure is the set of all preﬁxes of strings in L: L = {σ ∈ Σ∗  ∃τ ∈ Σ∗ στ ∈ L}. . The classes of Ltype and Ptype languages generated by labeled nets is denoted L and P respectively. G is nonblocking if any string that belongs to its closed behavior may be completed to a string that belongs to the marked behavior. The classes of Ltype and Ptype PN languages generated by deterministic PN generators are denoted. according to the terminology of [Peterson 81]. Two languages L1 and L2 are said to be nonconﬂicting [Wonham 88b] if L1 ∩ L2 = L1 ∩ L2 . while uncontrollable events may never be disabled. M0 . The alphabet of events Σ is partitioned into two disjoint subsets: Σc . a DES G = (N. Formally. the set of uncontrollable events. let G = (N. i. and the Ptype language of G is L(G) = { (σ) ∈ Σ∗  σ ∈ T ∗ . M0 ). A language K ⊂ Σ∗ is said to be Lm (G)closed if K ∩Lm (G) = K ∩Lm (G). A language K ⊂ Σ∗ is said to be controllable with respect to L(G) if KΣu ∩ L(G) ⊆ K [Ramadge 87].
Ramadge and Wonham [Wonham 87] have proved that the supervisor may also be modeled as a ﬁnite state machine.Chapter 4 ON THE EXISTENCE OF PETRI NET SUPERVISORS 4. 4. a subclass of P/T nets whose set of reachable markings is ﬁnite. is that a closed loop model of the controlled system may be constructed and analyzed using the same PN analysis techniques that are used to analyze the system. In the case of systems and speciﬁcations modeled by ﬁnite state machines (i. By suitable modiﬁcation of the results given by Ramadge and Wonham [Ramadge 87.. by generators of regular languages). • The second problem regards the existence of a PN supervisor.1 Introduction This chapter discusses some theoretical issues related to the use of Petri nets in Supervisory Control Theory. We prove that the trimming of a PN is not always possible and we deﬁne a new class of PN languages that may be generated by nonblocking generators. i. In this case.e. • The ﬁrst problem regards the trimming of a blocking system.e. Ramadge 89b] we are able to derive necessary and sufﬁcient conditions for the existence of supervisors as net systems. • The ﬁnal problem regards the closure of PN languages under extraction of the supremal controllable sublanguage. The problem is the following: given a PN generator G with 21 .e.. Thus the class of languages generated by these models is equivalent to the class of regular languages. Here we discuss the use of more general models with a possibly inﬁnite set of reachable markings. as opposed to a supervisor given as a feedback function. by means of an example.2 Petri Nets and Blocking A ﬁrst issue when using Petri nets as discrete events models for supervisory control regards the trimming of blocking net systems. We consider three problems [Giua 92c]. the modiﬁcation of its structure in order that no blocking state may be reached while preserving its marked behavior. we show that PN languages are not closed under this operator. a supervisor whose control action is implicit in its net structure. i. The advantage of such a supervisor. and all the results for regular languages may apply to them as well. The PN models generally considered in Supervisory Control are conservative PN.. We are interested in obtaining necessary and sufﬁcient conditions for the existence of a Petri net supervisor under the hypothesis that the system’s behavior and the legal behavior are both Petri net languages.
Let G be the PN generator in Figure 4. . where we have introduced r − 1 new places and new transitions labeled a.2. furthermore. If the Petri net is conservative the trimming may be done without major changes of the net structure. unbounded Petri net models may require more extensive changes of the net structure. On Petri net models the trimming may be more complex. in which the trimming of a net system is not possible.. In Chapter 5 is discussed the case of conservative nets. cannot be completed to a string in Lm (G) (assuming r > 1). i. n ≥ 0} and L(G) = {am cbn  m ≥ rn.e. The reason for this is given by the following theorem. The behaviors of this system are: Lm (G) = {am cbn  m = rn.. The system is clearly blocking. for example. since the string w = ar+1 c ∈ L(G).. To avoid reaching a blocking state we require that p2 contain a multiple of r tokens when the transition labeled c is allowed to ﬁre.1.2: Trimmed system in Example 4.1: Blocking system in Example 4. no ﬁnal state may be reached from them) and all their input and output transitions. n ≥ 0}.e. Figure 4. by removing all states that are reachable but not coreachable (i.1.1. ∃L ∈ L L ∈ P. ON THE EXISTENCE OF PETRI NET SUPERVISORS 22 Figure 4. There exist Ltype Petri net languages whose preﬁx closure is not a Ptype Petri net language. A possible solution is shown in Figure 4. The proof of this theorem will be given by means of the next example and the following proposition. On a simple model such as a state machine this may be done. Example 4. i. marked behavior Lm (G) and closed behavior L(G) ⊃ Lm (G) we want to modify the structure of the net so that no blocking markings may be reached. with M0 = (100)T and set of ﬁnal markings F = {(001)T }. so that L(G) = Lm (G). There are some cases.CHAPTER 4.1.e. trivially. Theorem 4. As the following example shows. in the sense that we have to add new arcs and possibly duplicate transitions without introducing new places.1.
(a). i. (n + p + q = k).CHAPTER 4. The behaviors of this system are: Lm (G) = {am bam b  m ≥ 0} and L(G) = {am ban b  m ≥ n ≥ 0}. . Proposition 4. The class of DPclosed Petri net languages is denoted LDP . with  w ≥ k. since p2 is unbounded this may not be done with a simple P/T structure. L = {am bam b  m ≥ 0} is not a Ptype Petri net language. Given k and l according to the pumping lemma.. thus we cannot properly consider these models as P/T nets. Let L ∈ P. L ∈ Pd .3. Clearly b ∈ y. Consider a partition w = xyz. We may formally prove that the preﬁx closure of the marked language of the system G discussed in Example 4.3. This class will play an important role in characterizing the existence of Petri net supervisors. Lemma 4. with M0 = (1000)T and set of ﬁnal markings F = {(0001)T }. Let G be the PN generator in Figure 4. From the reachability tree of the system. A language L ∈ L (not necessarily deterministic) is said to be deterministic Pclosed (DPclosed for short) if and only if its preﬁx closure is a deterministic Ptype Petri net language. However. Example 4. let w = ak bak b. Inhibitor arcs increase the modeling power. given in [Jantzen 87]. and the analysis complexity.(b). ∀i ≥ 1. with 1 ≤ y ≤ l.2. ON THE EXISTENCE OF PETRI NET SUPERVISORS 23 Figure 4.1 (Pumping lemma).3: Blocking system G in Example 4. To avoid reaching a blocking state we require that p2 be empty before ﬁring the transition inputting into p4 . it is clear that the system is blocking. (n + p + q = k). since in this case xy i z ∈ L for i = 1. The proof is based on the pumping lemma for Ptype PN languages. has a decomposition w = xyz with 1 ≤ y ≤ l such that xy i z ∈ L. of Petri nets to that of a Turing machine. Hence L is not a Ptype Petri net language. then x y z x y z xy i z ∈ L for i = 1.2 is not a Ptype Petri net language. Proof . as we will discuss in the next section. Deﬁnition 4. We conclude this section with the deﬁnition of a new class of Ltype Petri net languages whose preﬁx closure can be generated by a deterministic nonblocking Petri net generator.1.2. Then there exist numbers k. However if w = an ap aq bak b. or if w = ak ban ap aq b . shown in Figure 4. l such that any string w ∈ L.1. Petri nets with inhibitory arcs have been studied in the context of Supervisory Control by Sreenivas and Krogh [Sreenivas 92]. It is possible to introduce an inhibitor arc from p2 to the transition inputting into p4 .e.
for each possible string of events w ∈ L(G) generated by the system G. we present some theorems which give necessary and sufﬁcient conditions for the existence of PN supervisors. T. the marked strings of the system under control are all and only the marked strings of the uncontrolled system that survive under control. For nonempty L ⊆ Lm (G) there exists a nonblocking supervisor S such that Lm (S/G) = L if and only if L is Lm (G)closed and controllable. are due to Ramadge and Wonham [Ramadge 87. 4. Ramadge 89b] and give necessary and sufﬁcient conditions for the existence of a supervisor. the uncontrollable events are always enabled.1).e. all the uncontrollable events are present in the control input). It is often the case that a supervisor is given as another discrete event system S that runs in parallel with G. although Theorem 4. as we show in Example 4.1). it is possible to construct a PN model of the closed loop system under control S/G using the net counterpart of the intersection operator on languages [Peterson 81]. Here we recall the fundamental deﬁnitions. also reported in Appendix B. Its closed behavior is L(S/G) = L(S) ∩ L(G) and its controlled behavior is Lm (S/G) = L(S/G) ∩ Lm (G) = L(S) ∩ Lm (G). Theorem 4. the event a is enabled by γ (permitted to occur). pointing to Appendix B. For nonempty L ⊆ L(G) there exists a supervisor S such that L(S/G) = L if and only if L is preﬁx closed and controllable. The following two theorems. even if the system’s behavior and the legal behavior are Petri net languages.CHAPTER 4. If a ∈ γ. the marked behavior of S/G is not deﬁned since the controlled behavior Lm (S/G) is not necessarily a deterministic Ltype PN language.2 for a more detailed discussion. The control input at a given moment is represented by the events that are enabled in S. thus the function f is implicit in the structure of S. 6.3 specify under which conditions there exist supervisors for a given control problem.2 and Theorem 4. Let Γ ⊆ 2Σ denote the set of all the possible control inputs.. it may well be the case that these supervisors cannot be represented as Petri net generators. The closed loop system under control is denoted S/G. If S and G are deterministic generators (as we always assume) S/G is deterministic as well.3. 5. 4.3 Supervisor A supervisor [Ramadge 87] is an agent that disables the controllable transitions of a system in order to restrict its behavior within a legal behavior.3 ([Ramadge 87]. Theorem 4. If the system and the supervisor are Petri net generators. a supervisor is a map f : L(G) → Γ specifying. Formally.e. i.5.4 Existence of Petri Net Supervisors In this section.2 ([Ramadge 87]. P. otherwise a is disabled by γ (prohibited from occurring). while all previously deﬁned classes of PN languages are closed under intersection. Note that we are assuming that the supervisor does not mark strings. Note also that while the closed behavior of S/G is L(S/G). we point out that the class LDP that we have deﬁned does not coincide with any of the classes of PN languages generally considered in the literature [Jantzen 87]. We consider the case in which both the system G and the supervisor S are given as discrete event systems. . The objective is to design a supervisor that selects control inputs in such a way that the controlled system’s behavior is restricted within a legal speciﬁcation language. the control input γ = f (w) to be applied at that point. ON THE EXISTENCE OF PETRI NET SUPERVISORS 24 As a side note. Let us deﬁne a control input as a subset γ ⊆ Σ satisfying Σu ⊆ γ (i. The proof follows from the fact that LDP is not closed under intersection.. In fact.
Let G be a nonblocking PN and let L ⊆ Σ∗ . i. (Only if) Since L(S/G) = L then L is a Ptype language for the PN representing the closed loop system and L ∈ Pd . L is the Ltype language of the system E in Figure 4. The ﬁrst two theorems regard the case in which we want to restrict the closed behavior of G within the limits of a legal behavior L. will never block an uncontrollable transition of G and L(S/G) = L(S) ∩ L(G) = L. respectively. with L(G) ∩ L = ∅. M0 = (100)T . Example 4. as proved. Assume now that we want to restrict the marked behavior of G to L = {am bam b  m ≥ 0} that is clearly controllable and Lm (G)−closed.(a) with set of ﬁnal marking F = {(0001)}. Proof . since Lm (E/G) = L(E) ∩ Lm (G) ⊃ L. Proof . and L ∈ Pd . There exists a PN supervisor S such that L(S/G) = L if and only if L is a controllable deterministic Ptype PN language. It may be interesting to consider the case in which the legal behavior L is not a subset of L(G). Hence L ∩ L(G) ∈ Pd ∩ C(G) and by Theorem 4.3. In this case. Let G be the PN generator in Figure 4. if L ∈ Pd we have the following theorem. The marked behavior of this system is: Lm (G) = {a∗ ba∗ b}. Theorem 4. running in parallel with G. that however does not qualify as a supervisor for this problem. Theorem 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 25 Figure 4.5. Also L is controllable according to Theorem 4. Ramadge 87].. in [Jantzen 87. i. unfortunately.e. S is the desired supervisor. since L ∈ C(G) then S.e. [L ∩ L(G)]Σu ∩L(G) ⊆ L ∩ L(G) ⊆ L =⇒ [L ∩ L(G)]Σu ∩ L(G) ⊆ L (since languages in Pd are preﬁx closed) =⇒ LΣu ∩ L(G) ⊆ L. with Σu = ∅.CHAPTER 4. Let us consider now the case in which we want to restrict the marked behavior of G within the limits of a legal behavior L. and we simply need to check whether L ∩ L(G) satisﬁes the conditions of the previous theorem. It may well be the case that L ∈ Pd ∩ C(G) but L ∩ L(G) ∈ Pd ∩ C(G). the necessary requirements that L be controllable and Lm (G)−closed (by Theorem 4. since L ∈ LDP (Proposition 4.4.2. Also L∩L(G) is controllable by Theorem 4. i. and set of ﬁnal markings F = {(001)T }.1) there exists no PN whose Ptype language is L. In fact. However. . =⇒ LΣu ∩ L(G) ⊆ L (since L ∈ Pd ). hence L ∈ C(G).2. In this case we are interested in restricting the system’s behavior to L ∩ L(G).4 there exists a PN supervisor S L(S/G) = L∩L(G). a PN supervisor for this problem may exist even if L is not a PN language or if L is not closed and controllable. Let G be a nonblocking PN and let L ⊆ L(G) be a nonempty language. (Only if) Since L(S/G) = L∩L(G) then L∩L(G) ∈ Pd .3) are not sufﬁcient to insure the existence of a nonblocking PN supervisor even if L ∈ Ld .. The following example discusses this case. (If) The sets Pd and C(G) are closed under intersection.3 and Example 4.e.5.3. L ∈ Pd ∩ C(G).4. There exists a PN supervisor S such that L(S/G) = L ∩ L(G) if and only if L ∈ C(G).4: System G in Example 4. However.. (If) Since L ∈ Pd then there exists a PN generator S L(S) = L.
Example 4.4. (If) Since L ∈ LDP then there exists a PN S L(S) = L ⊆ L(G). The proof of the proposition follows from the following example. Hence it is sufﬁcient that L be a deterministic Ptype language in order to construct a deterministic supervisor.4. and set of ﬁnal markings F = {(001)T }.e. hence L ∈ Pd (since it is the deterministic Ptype language of closed loop PN generator). We need to prove that L = Lm (S/G) = L(S) ∩ Lm (G) ∈ LDP . and set of ﬁnal markings F = {(01)T }. since L(S/G) = L(S) ∩ L(G) = L ∩ L(G) = L = L(S/G). The following example will clarify this point. Let G be the PN generator in Figure 4.1.CHAPTER 4.6. M0 = (10)T .6 to the case in which the legal behavior L is not a subset of Lm (G). it cannot be accepted by a deterministic generator with a ﬁnite set of ﬁnal states F . Consider the language L = {am b(bc)∗ (a(bc)∗ )m b  m ≥ 0}. L is an Ltype PN language and it can be proved that it is not deterministic.2. that effectively solely constrains the closed behavior of G. although L ∈ LDP .) Since L is closed under intersection [Jantzen 87]. (Only if) Since S is a nonblocking supervisor.2. by Theorem 4. Proposition 4. Let G be a nonblocking PN and let L ⊆ Lm (G) be a nonempty language. In fact. However L ∈ LDP . then Lm (S/G) = L(S) ∩ Lm (G) = L ∩ Lm (G) = L. (Note that L(S) although a deterministic Ptype language may be a nondeterministic Ltype language. Theorem 4. First note that L(S) ∈ Pd . as we have shown in Proposition 4. since L is Lm (G)−closed. Since L is controllable and Lm (G)−closed. It follows that L ∈ LDP . We would like to extend Theorem 4.3. Proof . i.6 does not require L to be deterministic. hence L(S) ∈ L ⊃ P ⊃ Pd [Jantzen 87]. In fact we want to restrict the marked behavior of G to L by means of a non marking deterministic supervisor. L∩Lm (G) ∈ LDP .7. In fact: since L ∈ C(G). There exists a nonblocking PN supervisor S such that Lm (S/G) = L if and only if L ∈ LDP ∩ C(G) and L is Lm (G)−closed. Assume now that we want to restrict the marked behavior of G to L = {am ban  m ≥ n ≥ 0}. then L ∈ L. M0 = (100)T . Let G be the PN generator in Figure 4. Also L = L(S/G) by the non blocking hypothesis. S is nonblocking.6 are not sufﬁcient to insure the existence of a PN supervisor. Theorem 4. since L is the deterministic Ptype language of the marked net S in Figure 4.6. then clearly L ∈ C(G). then L ∈ C(G) and L is Lm (G)−closed. The class of DPclosed PN languages LDP is not closed under intersection. . Clearly L ∈ LDP since it is the marked behavior of the nonblocking generator E in Figure 4. Unfortunately in this case the hypotheses of Theorem 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 26 captionSystem G in Example 5.5.. Example 4. with Σu = {b}. Unfortunately L ∩ Lm (G) = {am bam b  m ≥ 0} ∈ LDP . S is the desired supervisor. The example shows the need to introduce the further requirement that the legal behavior L be DPclosed for insuring the existence of a PN supervisor. The marked behavior of this system is: Lm (G) = {a∗ ba∗ b} ∈ LDP . it may be possible that. The marked behavior of this system is: Lm (G) = {a∗ ba∗ }. with the set of ﬁnal markings F = {(0001)T }.5. S is a proper supervisor and is such that Lm (S/G) = L.
2. .5 and Example 4. Figure 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 27 Figure 4.5: Supervisor S in Example 5.CHAPTER 4.6.6: Generator E in Example 4.
by the control community but has never been published before to the best of our knowledge. as a trivial corollary of Theorem 4. If we apply the ↑ operator.9. The class L and the set C(G) are closed under intersection [Jantzen 87. 4. since Lm (E)↑ = L(E)↑ ∈ Pd . This result has been known. The proof of this proposition will be given by means of the following example. but not necessary.6 Conclusions The results of this chapter show that although unbounded PN do not have all desirable properties from the point of view of supervisory control. i. i. while the arcs that only belong to the reachability tree of G have been represented by dotted lines. Hence L ∩ Lm (G) ∈ LDP ∩ C(G). . there are cases in which PN supervisors may be constructed. since E reﬁnes G. M0 = (1000)T . To show this we have drawn. L ∩ Lm (G) ⊃ L ∩ Lm (G). The classes Pd and LDP of PN languages are not closed under the ↑ operator. Proof . L ∩ Lm (G) ∈ Pd . 4. Let G be the PN generator in Figure 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 28 The problem in the previous example is that L and Lm (G) are conﬂicting.e.5 Petri Net Languages and Supremal Controllable Sublanguage Our ﬁnal result regards the closure of PN languages under the supremal controllable sublanguage operator ↑ [Wonham 87]. L is Lm (G)−closed.. Lm (E)↑ ∈ LDP . we have that L ∩ Lm (G) = L ∩ Lm (G) ∈ Pd . requiring that L ∩ Lm (G) ∈ LDP ∩ C(G) and that L ∩ Lm (G) be Lm (G)−closed. Let G be a nonblocking PN and let L ⊆ Σ∗ . condition for the existence of a PN supervisor. Theorem 4. L ∩ Lm (G) is Lm (G)−closed.6. The last theorem gives a sufﬁcient. If however the two languages are not conﬂicting. we have represented the arcs that belong to the reachability tree of both marked nets with continuous lines.10. with Lm (G) ∩ L = ∅. Consider now the generator E in Figure 4. Finally since L is also Lm (G)−closed we can write: L ∩ Lm (G) ∩ Lm (G) = L ∩ Lm (G) ∩ Lm (G) = L ∩ Lm (G) = L ∩ Lm (G).3.CHAPTER 4.1 (the string w = ak bak b may be used to prove that no pumping is possible). Proposition 4. There exists a nonblocking PN supervisor S such that Lm (S/G) = L ∩ Lm (G) if L ∈ LDP ∩ C(G). with Σu = {a}.7. Ramadge 87]. in Figure 4. the reachability tree of the two systems.6 there exists a nonblocking supervisor S Lm (S/G) = L ∩ Lm (G). the converse is not true. by the nonconﬂicting hypothesis. we obtain the two supremal controllable sublanguages: L(E)↑ = {am bam (bc)∗ b  m ≥ 0} and Lm (E)↑ = {am bam (bc)∗ b  m ≥ 0}.6.7 with the set of ﬁnal markings F = {(0001)T }. A necessary and sufﬁcient condition for the existence of a PN supervisor in the case the legal behavior L is not a subset of Lm (G) may be given. In fact while: L ∈ C(G) =⇒ L ∩ Lm (G) ∈ C(G) and L is Lm (G)−closed =⇒ L ∩ Lm (G) is Lm (G)−closed. By Theorem 4.e. L and Lm (G) are not conﬂicting.. The two languages L(E) ∈ Pd and Lm (E) ∈ LDP are not controllable. L(E) and Lm (E) are not controllable because of the presence of the dotted arcs associated to the uncontrollable transition a. and set of ﬁnal markings F = {(0001)T }. L(E)↑ ∈ Pd . while L ∩ Lm (G) ∈ Pd (since Pd is closed under intersection) it may be the case that L ∩ Lm (G) ∈ Pd . as can be proved using the pumping lemma in the same way we have done in Proposition 4. Example 4. at least partially. Hence. Also.8. that are the closed and marked behavior of the generator in Figure 4.
CHAPTER 4.8: Reachability tree of G and E in Example 4. ON THE EXISTENCE OF PETRI NET SUPERVISORS 29 Figure 4. Figure 4.9: Generator of L(E)↑ and Lm (E)↑ in Example 4.6.6.7: Generator G in Example 4. .6. Figure 4.
CHAPTER 4. Another undesirable property is given by the fact that the classes Pd and LDP are not closed under the ↑ operator. whose reachability set is ﬁnite. ON THE EXISTENCE OF PETRI NET SUPERVISORS 30 The main difﬁculties when using Petri nets as discrete event models for supervisory control stems out from the fact that not all Ltype PN languages are DPclosed and from the fact that the class LDP of DPclosed languages is not closed under intersection. . In the remaining part of the thesis we will consider simpler Petri net models.
represented by n different nonblocking generators H1 . .Chapter 5 SUPERVISORY DESIGN USING PETRI NETS 5. we can extend other linguistic operators to operators on the systems. we discuss the advantages of PN over state machines. The purpose is that of applying a model that has a great representational power in the theoretical approach of Ramadge and Wonham. by introducing new arcs (and possibly duplicating transitions) to avoid reaching undesirable markings. Lm (G2 ) we denote: G = G1 G2 the DES whose behaviors are: L(G) = L(G1 ) L(G2 ) and Lm (G) = Lm (G1 ) Lm (G2 ). The alphabet of these systems are Σ1 . Assume we are given m nonblocking DES G1 . This procedure may always be applied when the net is conservative.4. . ∪ Σm and effectively constrains only the events that belong to its alphabet. We want to enforce some speciﬁcations on the joint behavior of these systems. given two DES G1 . The design requires two steps. The only requirement is that the model specify the closed and marked behavior of a system.e. In a similar fashion. The discussion is focused at the model level: we discuss the supervisory design algorithm and its counterpart on the structure of a Petri net [DiCesare 91. Wonham Supervisory Design 31 . . . The algorithm is based on language operators and it may be implemented using different models.2. In the second step. G2 . . . . . the structure is reﬁned to avoid reaching undesirable markings.2 Monolithic Supervisor Design A supervisory design algorithm has been presented by Wonham [Wonham 88a].1.1 Introduction In this chapter we discuss how Petri net models may be used to design supervisors within the framework of Supervisory Control. Each speciﬁcation generator Hj is deﬁned on an alphabet ΣHj ⊆ Σ1 ∪ . A monolithic supervisor may be constructed using the following algorithm [Wonham 88a]. as far as the transition structure of the model is concerned. a coarse structure for a supervisor is synthesized by means of concurrent composition of different modules. . In Section 5. Gm working concurrently. i. In particular. In Section 5. we review the monolithic supervisory design as formulated by Wonham and present a design based on the concurrent composition operator. Σi ∩ Σj = ∅ for every i = j. with closed behaviors L(G1 ). Giua 91]. For example.2 be extended to the model. we show that this design is well suited for Petri nets models. In the ﬁrst step. Algorithm 5.3. We also require that the linguistic operators introduced in Section 3. In Section 5. . . .. The chapter is structured as follows. 5. Hn . L(G2 ) and marked behaviors Lm (G1 ). . Σm and they are disjoint. we discuss how to reﬁne a coarse structure for a supervisor. .
. Example 5.. which is a proper supervisor for this problem. because it represents both a supervisor and a closed loop model of the system under control. because it contains blocking states (from which the ﬁnal marking may not be reached). the labels in Σej = Σ\ΣHj . Construct by intersection H = H1 ∩ . It is often the case that a simpler supervisor exists.CHAPTER 5. d Gm . the generator E may contain blocking states from which a ﬁnal state cannot be reached. . i.5. shown in Figure 5. . H represents the global speciﬁcation we want to enforce on the behavior of G. The speciﬁcation we consider. i. Call these new generators H1 . Construct by shufﬂing G = G1 d . . a . . after G has executed the string of events w = aba. Augment the speciﬁcations. The generator E obtained through the above construction. G2 is a machine that may start working (event c) and may output the produced part on conveyor A or B (respectively events d and e) before returning to the idle state. the language L(E) may not be controllable with respect to L(G). Hn . As an example. and also non controllable states. since the following two properties are not automatically ensured: • nonblockingness.2. In the second step we construct the augmented speciﬁcation H . In the fourth step we construct the system E = G ∩ H . This means that when G and E run in parallel it may be possible to reach a state from which an uncontrollable event is enabled in G but is not enabled in E. E represents the largest behavior of the overall system that satisﬁes all the constraints imposed by the speciﬁcations. by selﬂooping H with the unconstrained events. . • controllability.. Consider the systems G1 and G2 in Figure 5. 3. This is the counterpart. represented by the generator H.1 is called monolithic. In fact L(S) = L(S/G). . i. with a. The ﬁrst step of design requires the construction of G = G1 d G2 . we obtain the nonblocking and controllable generator S in Figure 5. The supervisor S constructed using Algorithm 5. For the control problem in Example 5. Since H is the only speciﬁcation generator. Construct by intersection E = H ∩ G.e. The system S obtained through this procedure gives us the transition structure of a supervisor. in the general case does not represent a proper supervisor. If we remove the blocking and noncontrollable states. G models the joint concurrent behavior of the overall system under the assumption that the actions of the single subsystems are asynchronous and independent. the language generated by E is not controllable. e.. The system E is not a supervisor. ∪ Σm .e. of the supremal controllable sublanguage operator.1 and the speciﬁcation H. 4. i. . We will give an example of this construction using state machine models. selﬂooping each Hj with the event labels present in G but unconstrained by Hj . and that the robot may load a new part on the machine only after the previously loaded part has been outputted on conveyor A (events d and b must occur alternatively). Since b is an uncontrollable event. speciﬁes that the machine may start working only after it has been loaded (events b and c must occur alternatively). 5.e. We have to further minimally restrict the behavior of E. . shown in Figure 5. on the DES structure.3.4. step 3 is not required in this example. events b and c may occur in G while the control pattern computed by E contains only the event c.e. to obtain a nonblocking and controllable generator S. 2. We will assume that the only uncontrollable event for this problem is event b.1. shown in Figure 5. . The alphabet of G is Σ = Σ1 ∪ .. ∩ Hn .1. SUPERVISORY DESIGN USING PETRI NETS 32 1. We may think of G1 as a robot that picks up one part (event a) and loads the part on a machine (event b).
1.CHAPTER 5.1.1: Systems and speciﬁcation for the control problem in Example 5.1. Figure 5.2: Shufﬂe system G = G1 d G2 in Example 5.3: Speciﬁcation generator H in Example 5. SUPERVISORY DESIGN USING PETRI NETS 33 Figure 5. Figure 5. .
1. .1.6: A reduced structure supervisor S’ for the control problem in Example 5.4: System E = G ∩ H for the control problem in Example 5.5: Monolithic supervisor S for control problem in Example 5. Figure 5.1. Figure 5. SUPERVISORY DESIGN USING PETRI NETS 34 Figure 5.CHAPTER 5.
Gm H1 .1 we have represented in Figure 5. . i. we will discuss how E may be reﬁned to obtain a supervisor S without major changes in its structure. requires merging transitions with the same label.1 Design Using Concurrent Composition We propose an alternative design for a supervisor. Construct by concurrent composition E = G1 . Concurrent Composition Supervisory Design 1. Hn . .6. d L(Gm )] ∩ [L(H1 ) d Σ∗1 ] ∩ . The net counterpart of the concurrent composition operator.2. Reﬁne E so that it is nonblocking and controllable. 2. following the Algorithm 5.2. Example 5. L(Hn ). n)} ej = {w  w ↑i ∈ L(Gi ) (i = 1. Note also that since we have associated a ﬁnal state with the speciﬁcation H. . The concurrent composition design is simpler. we can see that: E1 = {w  w ∈ [L(G1 ) d . ...e.. the concurrent composition operator. The algorithm is the following. w ∈ [L(Hj ) d Σ∗ ] (j = 1. The coarse structure for a supervisor. Since (∀w ∈ Σ∗ ) w ∈ [L(Hj ) d Σ∗ ] ⇐⇒ w ↑Hj ∈ L(Hj ) (here w ↑Hj is the projection of ej string w on alphabet ΣHj ). n)} = E2 .2. We may easily check that L(S/G) = L(S /G) ⊂ L(S )..8. . For the control problem discussed in Example 5. . ∩ [L(Hn ) e d Σ∗n ]. This construction is based on the structure of the net and does not require the explicit enumeration of its state space.. L(Gm ) L(H1 ) .2.CHAPTER 5. may be efﬁciently constructed and the properties of nonblockingness and controllability may be expressed as properties of the net system E. . described in Appendix A. m). . . 5. w ↑Hj ∈ L(Hj ) (j = 1. In fact with Algorithm 5. we will use Petri net models in the design of a supervisor. e and with Algorithm 5. . where only one operator. since it requires only one operator.. SUPERVISORY DESIGN USING PETRI NETS 35 reduced structure supervisor S is shown in Figure 5. . We will show in the following section how it may be easily implemented using Petri net models.1 we construct a system generating the language E1 = [L(G1 ) d .2 we construct a system generating the language E2 = L(G1 ) . . . The system E = G1 G2 H obtained by concurrent composition is shown in Figure 5.. . d L(Gm )].. It is easy to see that the two approaches are equivalent. . Secondly. . ..2. 5.. is used to construct the generator E. the supervisor we have constructed is a marking supervisor according to the terminology in Appendix B.3 Monolithic Design Using Petri Nets In this section.7 the systems and speciﬁcation as Petri nets.5. Algorithm 5. the system E..
7: Systems and speciﬁcations as Petri nets for the control problem in Example 5.2.8: System E = G1 G2 H as a Petri net for the control problem in Example 5. SUPERVISORY DESIGN USING PETRI NETS 36 Figure 5. Figure 5.CHAPTER 5. .2.
and M d (the markings from which t should not be allowed to ﬁre. . We will use the notation for concurrent systems presented in Appendix A. . M0 ). d. 2. 1 1 kl kl such that U(M ) = TRUE if M ∈ M e . a transition leading from an admissible marking to an undesirable marking. 1 . The following algorithm can be given for the reﬁnement of a net. Once the coarse structure of a candidate supervisor is constructed by means of concurrent composition. Let Tu ⊆ T be the set of uncontrollable transitions of E. t)]. M0. if and only if (∀M ∈ R(N. to avoid reaching an undesirable marking). the transitions labeled by uncontrollable events. Hn . we can add an arc from p3 to a and from a to p3 as in Figure 5. M )] is a blocking marking. and U(M ) = FALSE if M ∈ M d . M0. we need to reﬁne it to obtain a nonblocking and controllable generator. G = (N1 . may be expressed in terms of net properties. and H = (N2 . If M e = ∅ remove t and stop. SUPERVISORY DESIGN USING PETRI NETS 37 It is important to note how the properties of interest. ∧ (M (pl ) ≥ nl )]. namely nonblockingness and controllability. F2 ). be the system and speciﬁcation components of E. Since M (p3 ) = 1 > M (p3 ) = M (p3 ) = 0.. Let t be a transition to be controlled. i. ∧ (M (p1 ) ≥ n1 )]∨ 1 1 k1 k1 . M )]. . else continue.CHAPTER 5.2 . any reachable marking M such that ( ∃Mf ∈ F ) [Mf ∈ R(N. . Gm and H = H1 .3. . that should be removed. Let us consider the system E constructed in Example 5. Let G = G1 . Then E will be controllable if and only if it is not possible to reach a marking M such that an uncontrollable transition t is enabled by M ↑1 in G. M0 )) [M ↑2 ≥ P re2 (·. and partition this set into the disjoint subsets M e (the markings from which t should be allowed to ﬁre). . is given. E is controllable if and only if (∀t ∈ Tu ) ( ∃M ∈ R(N. M0 )) (∃Mf ∈ F ) [Mf ∈ R(N. t) ∧ M ↑1 ≥ P re1 (·.e.10. M0 . Determine a construct in the form: U(M ) = [(M (p1 ) ≥ n1 ) ∧ .. but it is not enabled by M ↑2 in H. equivalent to the state machine model in Figure 5. First. Let a be its label. Algorithm 5.4. c. M = (1001010)T . We assume in this section that the knowledge of which states are undesirable...2. After removal of this transition. Conversely. we should certainly remove the transition labeled by e since its ﬁring always leads to an undesirable state and it is controllable. E is blocking and uncontrollable. .e. Reﬁning the PN is complex. 2 . i. and we should prevent the system from reaching it. Assume that E = (N. i.9. e} and the uncontrollable event set is Σu = {b}. F1 ). ∨[(M (pl ) ≥ nl ) ∧ . and which are the transitions leading to them..3. . The undesirable markings. are those shown in the reachability tree in Figure 5. We want to block the transition labeled a when the markings M and M are reached.5. let M ↑1 (M ↑2 ) be the restriction of M to the places of G (H).1 . the transition labeled by a will be enabled by the following reachable markings: M = (1010010)T . 1. Given a marking M ∈ R(N. The system E is nonblocking if and only if a ﬁnal marking may be reached from any reachable marking. F ). .e. The next example shows the problems involved in the reﬁnement of a net. We have to remove a set of undesirable states and all the transitions leading to them. In other words. . Example 5. Determine the set of admissible reachable markings that enable t. M = (1000101)T . Here the controllable event set is Σc = {a.
3.3. . SUPERVISORY DESIGN USING PETRI NETS 38 Figure 5.2 and Example 5.10: Supervisor S as a Petri net for the control problem in Example 5. Figure 5.9: Reachability tree of the system E in Example 5.CHAPTER 5.2 and Example 5.
assume that we start with bottom level modules that are state machines. kj . however. PN have a higher language complexity than state machines. . Furthermore assume that in each . On a conservative net. However. the number of “states” of the model) is ﬁnite.. . since it is based on the ﬁnite structure of the net. Conservative PN are essentially equivalent to state machines. i. The one which requires the minimal number of transitions. i. Hence U(M ) = i∈M e j∈M d (M (pij ) ≥ nij ) is a construct for Algorithm 5. . The following theorem gives a sufﬁcient condition for the applicability of the algorithm. Proof: A net is conservative if there exists an integer vector Y > 0 such that for any two markings M and M reachable from the initial marking Y T M = Y T M . Hence if M = M there exists a place p such that M (p) > M (p). that it is often possible to determine a simpler construct as in Example 5. the construct may contain up to M e OR clauses.. i It is clear that following this construction there is an enabled transition labeled a for any marking in M e . will be those of transition t plus nj arcs inputting from (outputting to) i place pj . 2. We have that M e and M d are ﬁnite sets and also there exists a place pij such that Mi (pij ) = nij > Mj (pij ). .CHAPTER 5. We also note that in general several constructs of this form may be determined. SUPERVISORY DESIGN USING PETRI NETS 39 3. consider Mi ∈ M e .3.. Also the set of reachable markings is ﬁnite. . However. up to M e transitions may be substituted for a single transition to control. . j = 1. . According to this Theorem we may always ﬁnd a reﬁnement construct for conservative nets. . The input (output) arcs of transition tj .e. Note.3. since systems with inﬁnite state space are not conservative it may be impossible to reﬁne the net in step 2 of the algorithm. Hence they have the possibility of describing a larger class of systems. they allow a compact description. Mj ∈ M d . The construct of Algorithm 5. while none of these transitions are enabled by a marking in M d . . The concurrent composition design algorithm may be used to construct the system E even if we consider Petri net models with inﬁnite state space. Theorem 5. is preferable.3 can always be determined if the net is conservative. since the number of reachable markings (i. tl labeled a. i. Here we would like to discuss the main advantages of using Petri nets rather than state machines in the supervisory design.1. the structure of the net may be maintained small in size even if the number of the markings grows. since the states of a PN are represented by the possible markings and not by the places. Suppose we restrict ourselves to consider only conservative Petri net models.. . the one with smaller l. This was also expected from the results of Chapter 4 since the nonblocking generator of the supremal controllable sublanguage of E may not have a Petri net representation.e. l. 5. . To express the difference between the two approaches in quantitative terms. Replace transition t with l transitions t1 . as suggested by Theorem 5. .1.e. Unfortunately. 1. i = 1.e.4 Petri Nets and State Machines The design using concurrent composition appears to be highly efﬁcient when using Petri net structures. where the construct for the transition labeled a was U(M ) = [M (p3 ) ≥ 1].
another problem to be addressed.3). the net can be considered as composed of interrelated subnets.3 may in the worst case approach the size of M e as suggested by Theorem 5. there are classes of nets such that a necessary and sufﬁcient condition may be derived [Giua 90b. PN may offer means to solve this problem in more efﬁcient ways. Theorem B. Consider k modules G1 . . In Figure 5. In the reﬁnement.. . we may still recognize the individual modules that compose the system E. The bound gives however a clear idea of the exponential growth of the model even in the general case when the alphabets of the modules are not disjoint [Tadmor 89]. a brute force approach to determine this set requires the construction of the reachability tree. n≤ i=1 ni j=i mj The upper bound is reached when the alphabets of the modules are disjoint. • When G is constructed as an ordinary Petri net. however. it is necessary to point out that in the phase of the reﬁnement of the coarse structure of the supervisor the number of transitions introduced in Algorithm 5. i.. k we have a number of places equal to: m = i=1 mi and a number of transitions: k n = Σ ≤ i=1 ni where Σ is the alphabet associated to G. 3. following Algorithm 5. In this chapter we have assumed that the set of undesirable markings is given. Although in the general case this analysis gives only a necessary condition for reachability.e. Gk . the modular structure of the net is preserved (but in some cases it may be necessary to introduce a large number of transitions). 5. Hence conservative Petri nets may be used within the framework of supervisory control. • For DES modeled with conservative Petri nets (that generate regular languages) we can always reﬁne the net in order that the supremal controllable behavior is achieved. In practice. .1.CHAPTER 5. However.5 Conclusions We can summarize the results of this chapter as follows: • For regular languages. while in the state machine representation in Figure 5. places) and transitions of each of them. Murata 89]. . There is.4 this is not possible. • Use incidence matrix analysis to determine whether undesirable markings are reachable. This permits us to express controllability as a property of the generator E.8. Ramadge and Wonham have proved that it is always possible to determine the supremal controllable sublanguage of a given conﬁguration of systems and speciﬁcations with a ﬁnite procedure (See Appendix B.. Petri nets allow modular synthesis. . in the same way as a complex systems can be regarded as composed of interacting subsystems. SUPERVISORY DESIGN USING PETRI NETS 40 module each symbol labels at most one transition. . The system G = G1 . in this case the coupling of the modules is so weak that the overall state set will be identical to the cartesian product of the states of the modules.5. e.e. . providing a more compact representation in terms of transition structure when compared with state machine models. and let mi and ni be the number of states (i. Gk can be constructed as a state machine or as an ordinary Petri net. following the algorithm in Appendix A. • When G is constructed as a state machine the number m of states and the number n of transitions will be: k k m≤ i=1 mi .3.g.
Datta 86. In this case we have efﬁcient “closed form solutions” at the cost of limiting our design to special classes of nets [Datta 84. .CHAPTER 5. These approaches will be investigated in the next chapters. SUPERVISORY DESIGN USING PETRI NETS 41 • Derive synthesis procedures that insure the desired properties for the composed system. Krogh 86. Krogh 91].
In classic incidence matrix analysis. M0 ) = {M ∈ I P   B T · M = B T · M0 }. the set of reachable markings of a system N. a basis of Psemiﬂows B is used to approximate the reachability set. i.. M0 ))[Mf ∈ P R(N. P RA (N. the set of integer solutions of the inequality A · M ≥ A · M0 is exactly the set of reachable markings [Giua 92d]. Furthermore. There are signiﬁcant differences between our approach and the analysis based on the state equation. M0 ) where we use.Chapter 6 INCIDENCE MATRIX ANALYSIS 6. M0 ) However. We propose an approach similar to the computation of P RB (N. deﬁning the set P RB (N.e. In another approach. and this feature has additional advantages that we will discuss in the following. M0 ) ⊆ P RB (N. M0 is approximated by the solutions of the state equation. the computation of P RB (N. M0 ). by the set P R(N.. M0 ) = {M ∈ I P   (∃σ ∈ I T  )[M = M0 + C · σ]}. N N where C is the incidence matrix of the net. M )] 42 . M0 ) does not involve the ﬁring count vector σ.1 Introduction This chapter discusses how incidence matrix analysis for Petri net models may be used to validate supervisors for the control of discrete event systems. We will consider a class of P/T nets called Elementary Composed State Machines (ECSM). • The use of the incidence matrix does not permit verifying propositions such as (∀M ∈ P R(N. inequalities derived from the basic traps of the net and we deﬁne P RA (N. i.e. N The matrix A is computed from the analysis of the structure of net N . in addition to the equations derived from the Psemiﬂows. we show that for ECSM. the class of nets that we consider here. M0 ) ⊆ P R(N. N The ﬁrst approximation is generally better. The most interesting property of this class of nets lies in the fact that the set of reachable markings is an (integer) convex set and that the set of linear inequalities A · M ≥ A · M0 which deﬁnes it may be computed from the analysis of the simple state machine modules that compose the net. M0 ) = {M ∈ I P   A · M ≥ A · M0 }. M0 ) = R(N. in the sense that R(N.
• Note that since the domain P RA (N. as we will see. in general it holds P R(N.e. INCIDENCE MATRIX ANALYSIS 43 with a linear algebraic formalism. In our approach determining if a marking is reachable requires the use of Integer Programming. Thus. In the ﬁrst approach we consider the state equation of the net. i. the model is extended by composing the state machine modules through concurrent composition. it is possible to relax the constraint that the solution of A · M ≥ A · M0 be integer to obtain a sufﬁcient condition for the validation of the net. and at the same time has the property that the space of reachable markings is a linear integer convex set.. The model considered in this chapter is based on state machine P/T nets with multiple tokens.e. In this approach it is necessary to restrict the type of compositions considered. This is because the set P R(N. To describe concurrent systems. Section 4 ﬁnally shows how this approach may be applied to the validation of supervisors for the control of discrete event systems. but strongly limit the possibility of modeling concurrency. M0 ) = R(N. we may use Linear Programming techniques to prove that a given undesirable marking is not reachable. We deﬁne the set of reachable markings as the solution of a set of inequalities which do not contain the ﬁring count vector σ. The net we will discuss in Example 6. M0 ) = R(N. • For the class of ECSM nets.2 Incidence Matrix Analysis for State Machines In this section we discuss two ways of determining if a marking of a state machine is reachable from the initial marking. in order to guarantee some important properties [Giua 90b]. 6. for the same class of nets there exists a matrix A such that P RA (N.CHAPTER 6. it is a convex set of integers. it has been proved that the state equation of acyclic nets does not contain spurious solutions [Murata 89]. As an example. M0 ) = R(N. This means that there are classes of nets such that P R(N. since a place may have more that one outgoing arc. M0 ) represents the integer solutions of a set of linear inequalities. in general. can model both choice and concurrent behavior. The ﬁnal model. M0 ) is deﬁned in terms of linear equations containing the variables M and σ. this proposition. M0 ). M0 ) if and only if the reachability set of system N. this does not imply that its reachability set is a convex set. Thus. State machines may model choice. M0 ). it is given by the integer solutions of a set of linear inequalities. without spurious solutions.2 is acyclic but does not have a convex reachability set. since the only concurrent behavior is given by the presence of multiple tokens in the net. called Elementary Composed State Machines (ECSM nets).. there exists a matrix A such that P RA (N. i. the reachability set of an ECSM may be exactly described by a set of linear inequalities.. an operator that requires the merging of common transitions. However. If a net is such that the state equation does not contain spurious solutions. In the . Integer Programming problems may not be solved. However. M0 ) = R(N. In Section 3 is deﬁned the class of Elementary Composed State Machine nets and the results derived in Section 2 are extended to this class. in polynomial time. since it may contain spurious solutions (solutions which do not correspond to reachable markings). Section 2 deals with state machines and reachability using incidence matrix analysis and shows how it is possible to derive the set of linear inequalities that deﬁnes the space of reachable markings. i. M0 ). M0 is a convex set. M0 ) and such that there does not exist a matrix A such that P RA (N.e. expresses the nonblocking property of a system. M0 ) ⊃ R(N. the state equation gives only necessary but not sufﬁcient conditions for reachability. and we will be able to write simple integer programming problems to study nonblocking properties of systems.
CHAPTER 6. INCIDENCE MATRIX ANALYSIS
44
second we show how the reachability set may be described by a set of equations that do not involve the ﬁring count vector. State machines represent a very simple PN model that has been extensively investigated. For instance, Murata [Murata 89] reports several results on the liveness and reachability characterization of this class of nets. However, the focus is generally on live state machines (i.e., strongly connected state machines). In the framework of Supervisory Control, the requirement that the model be live is not important, while it is required that the system be nonblocking, i.e., that from any reachable marking it may be possible to reach a ﬁnal marking. This motivates the attention given in this chapter to state machines that are not necessarily live.
6.2.1 State Equation
The use of the state equation for characterizing the reachability set of a PN is based on the following observation. Note 6.1. Let N, M0 be a marked net and C its incidence matrix. M ∈ R(N, M0 ) =⇒ (∃σ ∈ I m ) [M = M0 + C · σ]. N The existence of a vector σ satisfying the previous state equation gives a necessary but not sufﬁcient condition for the reachability of a given marking. In the general case, a solution M and σ may exist for the previous equation, but σ yields no ﬁrable sequence of transitions and M cannot be reached. For state machines, however, the following theorem holds. Theorem 6.1. Let N, M0 be a marked state machine. M ∈ R(N, M0 ) ⇐⇒ (∃σ ∈ I m ) [M = M0 + C · σ]. N Proof : Only ⇐= needs to be proved. At least one of the transitions given by σ may ﬁre if M0 = M . In fact, consider a place pi M0 (pi ) > M (pi ) ≥ 0. (The existence of such a place is ensured because state machines are conservative.) Since
m
M (pi ) − M0 (pi ) =
j=1
cij σ j < 0,
there exists a transition tj such that σ(tj ) > 0 and cij = −1 , i.e., tj outputs from pi . Since M0 (pi ) > 0, tj may ﬁre reaching a marking M such that: M = M + C · σ , where σ < σ. Repeating the previous reasoning it is possible to conclude that eventually M will be reached. In [Murata 89] is presented the same result in the case of strongly connected state machines. Ichikawa and Hiraishi [Ichikawa 88b] have shown that for acyclic nets, i.e., nets whose underlying graph has no directed circuits, a vector σ solution of the state equation yields a ﬁrable sequence of transitions. Theorem 6.1 does not imply this stronger property. Example 6.1. Consider the net in Figure 6.1, where M0 = (2 0 0 The incidence matrix of the net is −1 0 −1 0 0 0 1 −1 0 0 0 0 0 1 0 1 0 0 C= 0 0 1 −1 −1 1 0 0 0 0 1 −1 0 0)T and M = (1 0 1 0 0)T . .
The state equation is satisﬁed by: σ = (1 1 0 0 1 1)T . While σ does not yield a ﬁrable sequence of transitions, M can always be reached: just consider the vector σ = (1 1 0 0 0 0)T (< σ) that yields the ﬁrable sequence: σ = t1 t2 .
CHAPTER 6. INCIDENCE MATRIX ANALYSIS
45
Figure 6.1: State machine in Example 6.1.
Figure 6.2: Firing subnet in Example 6.1. The problem, as the previous example shows, is that the ﬁring count vector could be counting, in addition to the sequence of transitions that needs to be ﬁred to go from M0 to M , a cycle that cannot be ﬁred because it is not marked by a token. Hence the following two theorems hold. Theorem 6.2. Let N, M0 be a marked state machine and M be a marking of N . A vector (σ ∈ I m ) [M = M0 + C · σ] yields a ﬁrable sequence of transitions from M0 if ( ∃σ ∈ N I m ) [M = M0 + C · σ , σ < σ]. N Proof : If σ is the minimal vector satisfying the state equation for M and M0 , then the ﬁring subnet given by σ is acyclic and all transitions may ﬁre, as proved in [Ichikawa 88b]. Note that Theorem 6.2 gives a sufﬁcient but not necessary condition. In Example 6.1, consider the vector σ = (0 0 1 1 1 1)T solution of the state equation. σ is not minimal but yields a ﬁrable sequence σ = t3 t5 t6 t4 . Theorem 6.3. Let N, M0 be a marked state machine and M be a marking of N . A vector (σ ∈ I m ) [M = M0 + C · σ] yields a ﬁrable sequence of transitions from M0 if and only if in N the ﬁring subnet given by σ each connected component is marked by M0 . Proof : The presence of a token in each connected component ensures that the cycles eventually present in σ can be executed. The ﬁring subnet for Example 6.1 is in Figure 6.2; here there are two connected components {p1 , p2 , p3 } and {p4 , p5 }, the second of which is not marked; hence its transitions cannot ﬁre.
6.2.2 Deﬁning the Set of Reachable Markings
Theorem 6.4. Let N, M0 be a marked state machine. The set of reachable markings R(N, M0 ) is an integer linear convex set, i.e., can be deﬁned as the integer solutions of a set of linear
CHAPTER 6. INCIDENCE MATRIX ANALYSIS
46
Figure 6.3: Net in Example 6.2, with a non convex reachability set. inequalities. Proof : Follows from Algorithm 6.1 presented below. This property does not hold in general for ordinary P/T nets. Example 6.2. On the net in Figure 6.3, an ordinary conservative PN, M = (0 1 0 2) can be +M reached from M0 = (2 1 0 0) but M = M02 = (1 1 0 1), which is a linear convex combination of M0 and M , cannot be reached. To determine the set of linear inequalities that the set of reachable markings of a state machine must satisfy, the following algorithm may be used. Note ﬁrst that a connected (not necessarily strongly connected) state machine has a single Psemiﬂow whose support contains all the places. Algorithm 6.1. Let N, M0 be a marked state machine, and T i = {pi , . . . , pi } a trap of N . 1 k Deﬁne M (T i ) = M (pi ) + . . . + M (pi ). 1 k 1. Consider all basic traps1 of the net along with the support of the Psemiﬂow T 0 . 2. For each trap T i write the inequality: M (T i ) ≥ ni , where ni is the number of tokens assigned to T i by the initial marking. For T 0 write the equation: M (T 0 ) = n0 , where n0 is the total number of tokens in the net. 3. If for a trap T i (i = 0) the number of tokens is ni = 0, the inequality for T i can be removed. 4. If T i ⊂ T j (j = 0) and ni = nj , the inequality for T j can be removed, since it is implied by the inequality for T i . 5. The remaining set of inequalities plus the inequalities: M ≥ 0, gives the set of markings reachable from the initial marking. These inequalities will be indicated as A(N ). According to this Algorithm, the reachability set of a state machine N, M0 can be represent by the set P RA (N, M0 ) = {M ∈ I P   A · M ≥ A · M0 }, where each row of the matrix A is N the characteristic vector of the Psemiﬂow of the net or of one of the basic traps of the net. Here is an example of application for the algorithm. Example 6.3. Consider the net in Figure 6.4. Here the basic traps are: T0 T1 T2 T3 T4 T5 T6
1
= {p1 , p2 , p3 , p4 , p5 , p6 }, = {p2 }, = {p5 }, = {p6 }, = {p1 , p2 , p5 }, = {p3 , p5 , p6 }, = {p3 , p4 , p5 , p6 }.
A trap is basic if it is not the union of other traps.
there is a siphon S i = P \ T i corresponding to each trap T i ..g. e. M (p6 ) ≥ 1.3. that the trap {p2 .e. i. INCIDENCE MATRIX ANALYSIS 47 Figure 6. the complement P \ T is a siphon. This will be proven through the following propositions. p5 } is not considered.2.e. In fact siphons and traps are dual concepts and a dual algorithm. Finally. . may be given for determining the linear inequalities satisﬁed by the reachable markings. since it is given by the union of T 1 and T 2 . i. the fact that the set of markings that satisfy the linear inequalities required by Algorithm 6. Then the set of equations A(N ) trivially reduces to: M (T 0 ) = n0 . Note. M (p3 ) + M (p5 ) + M (p6 ) ≥ 2. M (p3 ) + M (p4 ) + M (p5 ) + M (p6 ) ≥ 2. (i = 0) considered in the Algorithm 6. Given a trap T . M (p2 ) ≥ 0.3. M ≥ 0. in terms of siphons. Note 6. M ≥ 0.. Note 6. The corresponding set of linear inequalities is: (1) (2) (3) (4) (5) (6) (7) M (p1 ) + M (p2 ) + M (p3 ) + M (p4 ) + M (p5 ) + M (p6 ) = 4. Finally the set of markings reachable from the initial marking is given by: M (p1 ) + M (p2 ) + M (p3 ) + M (p4 ) + M (p5 ) + M (p6 ) = 4. it is necessary to discuss the correctness of the algorithm.. M (p3 ) + M (p5 ) + M (p6 ) ≥ 2. M (p5 ) ≥ 0. M (p1 ) + M (p2 ) + M (p5 ) ≥ 2. Inequality (2) and (3) will be removed in step 3 of the algorithm.CHAPTER 6. inequality (7) will be removed in step 4 as it is implied by (6). Hence the inequality for T i may be rewritten as M (S i ) ≤ n0 − ni . M (p1 ) + M (p2 ) + M (p5 ) ≥ 2.1.1 is exactly the reachability set. M0 be a marked strongly connected state machine. M (p6 ) ≥ 1.4: State machine in Example 6. Let N. The idea is to show that a description of a state machine in term of traps captures the behavior of the net.
With the same reasoning it is possible to infer that there must be a transition leading from {p1 . .1. . Consider a state machine with n places and no transitions.e.2. We point out that while in general the number of basic traps of Petri net may be exponential in the number of places. Then The soundness of the algorithm is then proved by the following reasoning.. Then all the basic traps that do not contain p or that contain p are still basic traps. i. This is trivially true if T consist of a single place. and assume we add a new transition from place p to place p .pk } = T is reached. Let T be a trap of a state machine. .2).1. The marking of the traps is strictly nondecreasing (Proposition 6. Proof : Similar to the proof of Proposition 6. Note also that a single transition may be considered as a simple path with no places. Proposition 6.. it may well be the case that two of them are identical. otherwise {p1 } is a trap and T is not minimal. INCIDENCE MATRIX ANALYSIS 48 Proposition 6. . ⊂ T .1. . . Then a token in T can move to any place in T . clearly there are n basic traps each one containing a single place.2. p2 . p2 }.1). the ﬁring of any transition preserves the total number of tokens. Let T be a minimal trap2 of a state machine. A simple path of a net N is a sequence θ = t0 p1 t1 . p2 } to a place p3 ∈ T . T a token in T \ T can move to any place in T . . Deﬁnition 6. Proof : For state machines. p• = {ti }. Hence no transition may output from a place in T to a place not in T . the proof is complete. Consider a place p1 ∈ T . This may be proved by the following inductive reasoning. for state machines the number of basic traps is at most equal to the number of places. . pr tr of transitions and places such that (∀i = 1. j = 0. Assume T consists of k places.3. t• = {pi }. Proposition 6.• ti = {pi }].CHAPTER 6. The tokens initially present in a trap that is not minimal are free to move to any place of the trap provided they also satisfy the constraints enforced by the traps contained in the non minimal trap (Proposition 6. 6. i i−1 We assume that (∀i. All the basic traps that contain p and do not contain p will not be traps in the new net and we need to add to each of them the minimal trap containing p (there is only one such minimal trap) to obtain new basic traps. . Since this reasoning can be applied to any place pi ∈ T . Let us ﬁrst introduce the following deﬁnitions. T is a trap }.3 Composition of State Machines Modules The section discusses how the properties studied in Section 2 for state machines are preserved by concurrent composition. 2 A trap is minimal if it is not the superset of another trap. that is the number of basic traps may only decrease when we add a transition. Proof : On state machines. and let T = {p ∈ T  p ∈ T . r ∧ i = j)[ti = tj ]. it is sufﬁcient to prove that all places in T are strongly connected.3). there is a path from any place to all others. Also a transition has a single input and output arc. r) [• pi = {ti−1 }. Hence p1 is connected to all places in T . . There must be a transition from p1 to some place p2 ∈ T . . The number of tokens in T is nondecreasing. . The tokens initially present in a minimal trap may freely move to any place of the trap (Proposition 6.. These are the only constraints that the set of reachable markings must satisfy and these constraints are captured by Algorithm 6. Consider {p1 . Now assume we have a state machine with its set of basic traps. After the new traps are computed. This reasoning can be carried out until {p1 . We will consider a restricted class of compositions. Let T be a trap.
2. 6. The projection of M on Ni . For this class of compositions we will slightly change the deﬁnition of composition given in Appendix A. 2) a set of simple paths provided all paths are looped in one of the nets.1 State Equation Let N = N1 . . . and let M be a marking.4. . is the vector obtained from M by removing all the components associated to places not present in Ni .ri (i = 1. Example 6. Assume that on each module Ni (∀i = 1.ri ) = 1]. k) [• ti. A net N obtained by composition of subnets N1 and N2 is denoted N = N1 N2 .. the ﬁring count vector σ ↑i yields a ﬁrable sequence σi . ti. and σ a ﬁring sequence deﬁned on it.5. M0 ↑i [σi M ↑i . is the vector obtained by σ removing all the components associated to transitions not present in Ni . σ be a ﬁring count vector. The composed net is shown in Figure 1. denoted σ ↑i . ti. . Paths θ1 and θ2 are looped in N2 .0 . Given a net N . . P re(p. Nn . We also recall the notation used for composed systems. and k simple paths θi = ti.3. Let N be a composed system N = N1 . denoted σ ↑i .b. the k paths are looped in N if (∃p ∈ P ) (∀i = 1. denoted M ↑i . . INCIDENCE MATRIX ANALYSIS 49 Figure 6. Nn be a composed net.5: Two state machines composed along a simple path in Example 6.4. where C is the incidence matrix of N .r In simple words. The two nets in Figure 6. In this chapter.0 = t• i = {p}. . . k). is the ﬁring sequence obtained by σ removing all the transitions not present in Ni . . ti. . .CHAPTER 6.0 ) = P ost(p. We assume that the marking of the places along the composed paths are the same on all subnets. . i. . the k paths are looped if there exists a place p such that the initial (and ﬁnal) transitions of all paths only input from (and only output to) place p with a single arc. i. n). we will consider compositions of subnets that share: 1) a simple path. .6 are composed along the simple paths θ1 = t1 p2 t2 and θ2 = t3 p3 t4 . and let σ be the ﬁring count vector solution of M = M0 + C · σ. The two nets in Figure 6. . .e. The projection of σ on Ni . In fact here we are looking at composition based on the structure of the net rather that on the language generated by the net. .5 are composed along the simple path θ1 = t1 p2 t2 . . The projection of σ on Ni . . Deﬁnition 6.
. however. are used to deﬁne the following class of P/T nets. Elementary Composed State Machine (ECSM) nets are the minimal class of P/T nets that is a superset of the class of state machines and is closed under the following compositions: 1. n). • Composition of two nets sharing one transition t. the ﬁrst kind of compositions may be used to construct the model of several systems connected through buffers or channels. not simple path) composition. By hypothesis on N1 and . This does not imply. A ﬁring count vector for N yields a ﬁrable sequence if and only if on each module Ni the projection of the ﬁring count vector yields a ﬁrable sequence σ i . INCIDENCE MATRIX ANALYSIS 50 Figure 6.5. such that the reachability of a marking of the overall net may be determined simply by the analysis of the modules that compose it. As an example. Composition of two nets through a set Ts of k transitions (or a set Θ of k simple paths) when the transitions (or simple paths) are looped in one of the nets. Let N. .6: Two state machines composed along two simple paths in Example 6.4. There exist particular compositions. M0 be a marked net where N = N1 N2 and assume that N1 and N2 have been composed by means of one of the compositions used to deﬁne the class of ECSM. Deﬁnition 6. 2.CHAPTER 6. . (i = 1.3. Let us prove the “if” part for single transitions (i..e. Composition of two nets sharing a single transition (or a simple path). Proof : The “only if” part is trivial. . however. they permit the modular synthesis of realistic systems. These compositions. . Although the two compositions we used to deﬁne ECSM may appear exceedingly simple. called elementary. Consider a solution σ of the state equation M = M0 + C · σ. Theorem 6. The second kind of composition may be used to represent shared resources. In the case of simple path compositions the proof is substantially the same (see also [Giua 90b]). that on the composed net σ yields a ﬁrable sequence σ such that M0 [σ M .
.2). . 2 1 2 1 1 2 2 Now let σ = x0 x0 t1 x1 x1 t2 . . Corollary 6. Hence the following is a ﬁrable sequence for N2 as well σ2 = x0 t1 x1 t2 . n). INCIDENCE MATRIX ANALYSIS 51 N2 . . Let tj be the jth i occurrence in σi of a transition in Ts . . Proof : Under these hypotheses. Proof : On module Ni . 1 2 1 2 1 2 2 Clearly σ is a ﬁrable sequence given by the ﬁring count vector σ. i. . . (i = 1. A vector (σ ∈ I m ) [M = M0 + C · σ] yields a ﬁrable sequence of transitions if N (∀i = 1. A vector (σ ∈ I m ) [M = M0 + C · σ] yields a ﬁrable sequence of transitions if and only if N in the ﬁring subnet given by σ ↑i (i = 1. . . (i = 1. Theorem 6. Theorem 6.6.CHAPTER 6. is a state machine.2 and Theorem 6. xk−1 t xk xk . (i = 1. Consider a solution σ of the state equation M = M0 + C · σ.. . Proof: By recursive application of Theorem 6. 2).1 σ yields a ﬁrable sequence for N . . n) each connected component is marked by M0 . σ i < σ ↑i ]. By hypothesis on N1 and N2 . . i i i i Now let σ = x0 x0 t x1 x1 t . Let N. 2). M0 be a marked ECSM net where N = N1 · · · Nn and Ni . n). .5. is a state machine. . there are k occurrences of t in each σi . N = N1 Nn and Ni . Then σi may be written as σi = x0 t x1 t . i i i i i i i Let N2 be the looped net. . . M0 be a marked ECSM net and M be a marking of N . . Hence by Corollary 6. σ ↑i yields a ﬁrable sequence σi such that M0 ↑i [σi M ↑i . Theorem 6. xk−1 tk xk xk . (i = 1. . Then any time a transition t ∈ Ts ﬁres any other transition in Ts may ﬁre. 1 2 1 1 2 1 1 1 2 2 Clearly σ is a ﬁrable sequence given by the ﬁring count vector σ. 2). Let the component of σ associated to the transition t have the value k. σ ↑i yields a ﬁrable sequence σi such that M0 ↑i [σi M ↑i . 2).e. Nn and Ni . N = N1 . . n)( ∃σ i ) [M ↑i = M0 ↑i +Ci · σ i . . . . Let N. . the ﬁring count vector σ ↑i yields a ﬁrable sequence if and only if in the ﬁring subnet all connected components are marked (by Theorem 6. . .3). (i = 1. on each module σ ↑i yields a ﬁrable sequence (by Theorem 6.. Hence by Corollary 6. (i = 1.. . .1. . . .7. xk−1 t xk . (i = 1. . Then σi may be written as σi = x0 t1 x1 t2 . is a state machine.3 may be restated in this form for ECSM nets. . n). xk−1 tk xk . A ﬁring count vector for N yields a ﬁrable sequence if and only if on each module Ni the projection of the ﬁring count vector yields a ﬁrable sequence. xk−1 tk xk .1 σ yields a ﬁrable sequence for N if and only if in the ﬁring subnet for each module Ni all connected components are marked. M0 be a marked ECSM net and M be a marking of N . Let N. . • Composition of two net sharing a set of transitions Ts looped in one of the nets.
it is possible to deﬁne the following two sets of places on the net: Pt = {p ∈ P  (∃σ) [σ(t) > 0. Note. that ρmin (M. Let N.4. (Firing Bounds) Let N.CHAPTER 6. t) = M (p) if there is no cycle containing t. t) is ρmax (M. and that when there is a cycle containing t a good approximate bound — that will be used in the following — for ρmax (M. p∈Pt 0 ∞ if there is a cycle containing t and p∈Pt M (p) = 0. the case of two state machines. In simple words. t) and ρmax (M. INCIDENCE MATRIX ANALYSIS 52 6. t). t) = h p∈Pt M (p) ≤ ρmax (M.4. The set Pt contains the places that may be marked without ﬁring t by an initial marking that assigns a token to the initial place p0 and no tokens to the other places. if there is a cycle containing t and p∈Pt M (p) > 0. Mp0 [σ Mp ]}. while for each token in Pt transition t may have ﬁred once if there is no cycle containing t or an arbitrary large number of times if there is a cycle containing t. given a set of transitions Ts . Deﬁnition 6. Then these results will be extended to the composition of ECSM through simple paths. Similarly. the set Pt contains the places that may be marked by ﬁring t at least once by an initial marking that assigns a token to the initial place p0 and no tokens to the other places. where h is any integer large enough. also. is discussed. composed through a single transition or a set of looped transitions. Given a transition t. ρmin (M. ρmax (M. M0 be a marked state machine where M0 assigns all the tokens to a place p0 . t) ≤ p∈P M0 (p). the number of times t has ﬁred to reach M may vary and can assume any integer value in the range [ρmin (M. Pt = {p ∈ P  (∃σ) [σ(t) = 0. Mp0 [σ Mp ]}. ρmax (M.2 Deﬁning the Set of Reachable Markings This subsection will show how it is possible to derive the set of linear inequalities that deﬁnes the set of reachable markings in ECSM nets. t) are called the ﬁring bounds of t for marking M . t)]. Mp0 [σ Mp ]}. M0 be a marked state machine where M0 assigns all the tokens to a place p0 . Now given a marking M ∈ R(N. Proof : For each token in Pt \ Pt transition t must have ﬁred at least once. .3. Firstly. t). it is possible to deﬁne the following two sets of places on the net: PTs = {p ∈ P  (∃σ) (∃t ∈ Ts ) [σ(t) > 0. and let Mp be a marking that assigns a single token to place p and no token elsewhere. M0 ). Mp0 [σ Mp ]}. where ρmin (M. PT s = {p ∈ P  (∃σ) (∀t ∈ Ts ) [σ(t) = 0. t) = p∈Pt \Pt M (p). Proposition 6.
such as buffer spaces or identical machines.. 2). etc. whenever these sets are identical for all the places marked by the initial marking. When two state machines N1 and N2 are composed through a single transition t the set of markings reachable from the initial marking M0 for the composed net N = N1 N2 is given by the following set of linear inequalities A(N ): A(N1 ). We will assume in the following. t) denotes that the ﬁring bound is computed on max min the net Ni . min max where the exponent i in ρi (Mi . t). max min and ρ2 (M2 . t)] min max [ρ2 (M2 . this requires that [ρ1 (M1 .4 are valid. Given T T a reachable marking Mi on the net Ni . Clearly the two intervals will not be disjoint if and only if: ρ1 (M1 . M (p2 ) + M (p3 ) + M (p4 ) − 2}. ρ2 (M2 . 2) are composed through a single transition t.5. ρmax cannot be expressed as a simple linear function of a marking M but may be deﬁned as ρmax (M.7. M (p2 ) + M (p4 ) − 1. When two nets Ni (i = 1. t) ≤ ρ2 (M2 . Example 6. INCIDENCE MATRIX ANALYSIS 53 Figure 6. unless explicitly stated otherwise. Proposition 6. the marking of the overall net will be a subset of the cartesian product of the markings of the two modules. t). the presence of multiple tokens in a state machine module indicates a multiplicity of identical resources.4 is restricted to the case of an initial marking that assigns all tokens to a single place. If N1 and N2 are state machines.8. M (p2 ) + M (p3 ) − 1. Hence the multiple tokens initially should be assigned to the same place. that this initial marking condition is veriﬁed on all state machine modules considered. t). t) ≤ ρ1 (M1 . in the sense that in the application cases of interest here. However.CHAPTER 6. In the net N1 in Figure 6. the results of Proposition 6. . t)] = ∅. M (p) ≤ h2 1 1 p∈Pt \Pt 2 p∈Pt M (p). This requirement is fair.4. even if they are more than one. t) and ρi (Mi . ρ1 (M1 . t). max min Theorem 6. and σ1 (t) = σ2 (t).7: State machine in Example 6. such as manufacturing systems. The problem here is that the sets Pt and Pt are different for the different places marked by the initial marking. t) = min{ M (p2 ). The following example will clarify the necessity for this restriction. A(N2 ). the marking M = [M1 M2 ]T will be reachable on the composed net if and only if there is a sequence σi reaching Mi on the net Ni (i = 1.
since there is a cycle containing t in N2 . h2 = 3. p7 }. Consider the composed system of Figure 6. p6 . INCIDENCE MATRIX ANALYSIS 54 Figure 6. while. • the set of places Pti and Pti belongs to Ni (i = 1.4. Example 6. if there is no cycle containing t in N1 (N2 ). M (p2 ) ≥ 0. The set of places of interest are: Pt1 = {p2 }. max Proof: Follows from Proposition 6. we are using an approximated linear bound for ρi (Mi .8: ECSM net in Example 6. The linear inequalities that deﬁne the space of reachable markings on N1 is: M (p1 ) + M (p2 ) = 3. where: • A(Ni ) (i = 1. • h1 = 1 (h2 = 1). 2). t). 2). M (p1 ). then h1 = 1. and are determined as in Deﬁnition 6. Pt1 = {p1 }. σ ↑2 = σ 2 ] N is a ﬁring count vector for N and by Theorem 6.8. Pt2 = {p4 . M (p) ≤ h1 2 2 p∈Pt \Pt 1 p∈Pt M (p).1). Hence the vector (σ ∈ I m ) [σ ↑1 = σ 1 . Since there is no cycle containing t in N1 . p5 . and on N2 : M (p3 ) + M (p4 ) + M (p5 ) + M (p6 ) + M (p7 ) = 2. is the set of inequalities for the net Ni (as derived with Algorithm 6. p4 . Pt2 = {p3 . As noted before.5 there exists a ﬁrable sequence for the overall net. else h1 (h2 ) is equal to the number of tokens contained in net N2 (N1 ).CHAPTER 6. .4 and the fact that if the last two inequalities are satisﬁed there exists a ﬁrable sequence σi for both modules that reaches M ↑i ﬁring t an equal number of times.6.6. p7 }.
. we have ρ1 (M. 1 (M. t) ≤ M (p2 ) + M (p3 ) − 1. Suppose that on one of the modules. and t may ﬁre inﬁnitely often in N1 for each reachable marking. Here P1 is the set of places of N1 . M (p6 ).7. t) = 0. t) ≤ M (p2 ) + M (p3 ) + M (p4 ) − 2. In the net N1 in Figure 6. min ρ2 (M. M ≥ 0. t) ≤ M (p2 ) + M (p4 ) − 1. M (p2 ) ≤ 3(M (p4 ) + M (p5 ) + M (p6 ) + M (p7 )).7. In this case there is a cycle containing t and p0 (the place marked by M0 ). ρ2 (M. one of the following conditions holds: 1. 55 Note 6. 2. Example 6. M (p3 ) + M (p4 ) + M (p5 ) + M (p6 ) + M (p7 ) = 2. M (p5 ). t) = min{ M (p2 ). Pt1 \ Pt1 = ∅. min ρ2 (M.4. M (p4 ). Hence 0= 1 1 p∈Pt \Pt M (p) ≤ h2 2 p∈Pt M (p) is always veriﬁed. min ρ2 (M. Hence M (p) ≤ h1 M (p) 2 2 p∈Pt \Pt 1 p∈Pt is always veriﬁed. t) ≤ M (p2 ). M (p7 ) ≥ 0.CHAPTER 6. ρmin Hence. INCIDENCE MATRIX ANALYSIS M (p3 ).8 may not always be necessary. M (p2 ) + M (p3 ) + M (p4 ) − 2}. The inequalities derived in Theorem 6. In the following example we will show an example of a system in which the initial marking marks more than one place. max M (p2 ) + M (p4 ) − 1. M (p2 ) + M (p3 ) − 1. Pt1 = P1 . min The case of a composition of two state machines through a set of transitions Ts is now considered. Hence the set of reachable markings on the composed system is deﬁned by: M (p1 ) + M (p2 ) = 3.5. say N1 . when composing the module through transition t with another module N2 the following inequalities should be considered A(N1 ). A(N2 ). M (p5 ) + M (p6 ) ≤ M (p2 ). discussed in Example 6.
These theorems will be given without proof. where: • A(Ni ) is the set of inequalities for the net Ni . the set of markings reachable from the initial marking M0 for the composed net N = N1 N2 is given by the following set of linear inequalities A(N ): A(N1 ). Proof: Given the special structure of N2 .s 2 1. .4. . if a marking M2 of N2 may be reached by ﬁring a transition in Ts .q p∈Pt \Pt 0 0 2. as suggested by the previous note.10. 2). . • h is equal to the number of tokens contained in N1 . M (p) ≤ hq.ni (i = 1. say N2 .q 1.8 and Theorem 6. Ni. any reachable marking M2 of N2 may be reached without ﬁring any transition in Ts . i. This constraint is expressed by the third inequality of A(N ). Hence the only constraint imposed by the composition of the T T two modules is that for any marking M = [M1 M2 ]T .q (q ∈ J1 ) and to modules N2.e. Ni = Ni. Theorem 6. Let N1 and N2 be two ECSM nets. and are determined as in Deﬁnis tion 6.s 1 2.s p∈Pt \Pt 0 0 1.j is a state machine.4 are computed with respect to the ﬁrst transition of the path. 2). When two state machines N1 and N2 are composed through a set Ts of transitions and these transitions are looped in one of the nets. s ∈ J2 ).q p∈Pt 0 M (p).1). s ∈ J2 ). (q ∈ J1 . then any sequence of transitions in Ts may also be ﬁred.9 to the composition of two ECSM (not only state machines) along simple paths (not only single transitions). 2). M2 may be also be reached by ﬁring a transition in Ts . A(N2 ).1 . Assume N1 and N2 are to be composed through a simple path of transitions θ = t0 p1 t1 . . .CHAPTER 6..9. Also the places determined in Deﬁnition 6.s (s ≤ J2 ). belongs to Ni . if reaching M1 requires the ﬁring of one or more transition in Ts . M (p) ≤ h 1 p∈PTs \P 1 Ts 2 p∈PTs M (p). The following two theorems generalize Theorem 6. The set of markings reachable from the initial marking M0 for the composed net N = N1 N2 is given by the following set of linear inequalities A(N ): A(N1 ). M (p) ≤ hq. Also. is the set of inequalities for the net Ni (as derived with Algorithm 6. INCIDENCE MATRIX ANALYSIS 56 Theorem 6. where: • A(Ni ) (i = 1. (q ∈ J1 . that a ﬁring sequence on N2 may require the ﬁring of more transitions in Ts than a ﬁring sequence on N1 . When two ECSM nets are composed along a simple path it is necessary to consider the possibility that the path may belong to more than one state machine module on each net. Hence it is never possible. i i • the sets of places PTs and PT (i = 1. A(N2 ).s 2. pr tr that belongs to modules N1. where Ni.s p∈Pt 0 M (p).
k). . 6. Ni. . Assume N1 and N2 are to be composed through a k simple path of transitions θj = tj pj tj . .q (q ∈ Jj ) and that all paths are looped in the module N2. hence they belong to only one state machine module of the looped net. the paths are looped in one of the nets.e. • hq. more than linearly. j ∈ Ji ).j .s = 1 (hq. A(N2 ).1 . where Ni. working concurrently. 2. Let N1 and N2 be two ECSM nets.1 . The procedure for determining a monolithic supervisor requires the construction..q 1 2 (N2. INCIDENCE MATRIX ANALYSIS 57 • the sets of places Pti.10 we have to add 2 × J1 × J2 equations. Hn .s (N1. . Consider m discrete event systems.j and Pti.q (q ∈ Jj ) (j = 1. . tk }. We conclude this section pointing out that when state machines modules are composed to form an ECSM. In the case of Theorem 6.1 P2 = PTs . represented by the state machines N1 . 1 2 When two ECSM nets are composed along k simple paths. . 2). . • P1 is the set of places in N1 that may be marked only by ﬁring a transition t ∈ Ts : k P1 = j=1 q∈Jj P 1.j is a state machine. and let Ts = {t1 . The set of markings reachable from the initial marking M0 for the composed net N = N1 N2 is given by the following set of linear inequalities A(N ): A(N1 ). tj j (j = 1. Else hq. whose transitions are a subset of all the transitions of the N ’s. The speciﬁcations to be enforced on the joint behavior of these systems are represented by n different state machines H1 .s (hq. . Theorem 6. where: • A(Ni ) is the set of inequalities for the net Ni . in the worst case. . . M (p) ≤ h p∈P1 p∈P2 M (p). . . . .q ).s ) is equal to the number of tokens contained in the net N2.q \ P 1.CHAPTER 6. Ni = Ni. it is necessary to consider the possibility that each path may belong to more than one state machine module on the net that is not looped. . It is generally assumed that the set of transitions of all these systems are disjoint. . and are determined as in Deﬁnition 6.11. . the number of equations of that deﬁnes the reachability set grows. However. .s ). • h is equal to the sum of the tokens contained in the nets N1.q . Nm .4 Supervisory Veriﬁcation In this section the results developed so far are applied to the validation of supervisors for the control of discrete event systems (DES).ni (i = 1. . . . .belongs to Ni. by concurrent . j j t0 t0 while P2 is the set of places in N2 that may be marked ﬁring a transition t ∈ Ts : 2. Assume furthermore r 0 0 0 1 1 that path θj belongs to modules N1.4.s = 1) if there does not exist a cycle containing the path θ in the net N1. . i. .j (i = 1. k).
e. Given a marking Mf of N . the transitions enabled in E at a given marking represent the transitions that are allowed to ﬁre in the nets Ni . M ) ⇐⇒ [A0 · M ≥ A0 · M0 ] ∧ ¬[Af · M ≥ Af · Mf ] ⇐⇒ [A0 · M ≥ A0 · M0 ] ∧ [ k ai · M < ai · Mf ] ⇐⇒ i=1 f f (∃i)[(A0 · M ≥ A0 · M0 ) ∧ (ai · ai · Mf − 1)]. where N 1 af . i. M0 ) ∧ Mf ∈ R(N. Finally it is possible to check for the existence of blocking markings as follows. . Mf ). . Assume the reachability set of M0 is given by the set P RA0 (N. M0 ). the coreachability set of Mf is identical to the reachability set from Mf in the reversed net N R = (P.. CS1i Proof: M is a blocking marking ⇐⇒ M ∈ R(N. Nm H1 . belonging to the net Ni . n) will run in parallel. k): A0 · M ≥ A0 · M0 .CHAPTER 6. O. the set {M  Mf ∈ R(N. M0 ) of an ECSM net can be given as a convex linear set. it is possible to check for these properties in more efﬁcient ways than by brute force state space search. E and the nets Ni (i = 1. . INCIDENCE MATRIX ANALYSIS 58 composition. is enabled in Ni but is not enabled in E. . f f M ≥ 0. .1 Blocking Let N. M )} = R(N R . • Nonblockingness: the reachability set of the net E does not contain blocking markings. I. Additionally. i. I). . Similarly the coreachability set of Mf .. T. and the coreachability set of Mf is given by the set P RAf (N. it is also ﬁred in E. . while all other transitions are disabled. as will be shown below. M )] Now the set R(N. and Mf be a ﬁnal marking associated to it. {M  Mf ∈ R(N. In the following subsection it is discussed how these properties may be veriﬁed by Integer Programming techniques in the case that E is an ECSM net. .6. if the following two properties are ensured. it may be the case that the model may be validated by simple Linear Programming. markings from which a ﬁnal marking cannot not be reached. T. Proposition 6. Clearly these restrictions heavily limit the class of control problems that can be solved by our approach. . O) be a net. as shown in Section 3. . 6.e. For the sake of simplicity assume that Mf is the only ﬁnal marking of the net. Hn . that is. Mf ∈ R(N. Let N.e. . according to the following proposition. However. i. Mf ) = {M ∈ I P   Af · M ≥ Af · Mf }. f f . Af = ak f Then there exist a blocking marking M if and only if one or more of the following Constraint Sets has an integer feasible solution (∀i = 1. The net E will represent a proper supervisor.5. M0 ) = {M ∈ I P   N A0 · M ≥ A0 · M0 }. M )}. M0 be a marked net. .. Furthermore. of the net E = N1 . Let N = (P. Recall that there exists a set of ﬁnal markings associated to the N ’s and H’s. • Controllability: it is not possible to reach a marking from which an uncontrollable transition.. whenever a transition ﬁres on one of the nets Ni . .4. M0 be a marked ECSM net and let Mf be the ﬁnal marking associated with it. can be given in this form. The net N will be blocking if and only if (∃M ) [M ∈ R(N. Proposition 6.. ai · M ≤ ai · Mf − 1.
(By the hypothesis that all the systems have disjoint transitions. although it may belong to more than one speciﬁcation net H. Then E will not be controllable if and only if one or more of following Constraint Sets has an integer feasible solution (∀tq ∈ Tu and ∀pj ∈ • tq j > 0) q A · M ≥ A · M0 . 6. pq q }. INCIDENCE MATRIX ANALYSIS 59 Note that each constraint ai · M < ai · Mf has been rewritten in the equivalent form ai · M ≤ f f f ai · Mf − 1. . .7. M0 ) ∧ M (p0 ) ≥ 1 ∧ ( q (∃tq ∈ Tu ) (∃M ) (∃j) [A · M ≥ A · M0 ∧ M (p0 ) q ≥ CS2q. Note also that some of the constraints ai ·M ≥ ai ·Mf may be trivially veriﬁed by any marking f f in R(N. E is not controllable if and only if it is possible to reach a marking M such that an uncontrollable transition tq is enabled by M ↑i in Ni . Proof: E is not controllable ⇐⇒ (∃tq ∈ Tu ) (∃M ) [M ∈ R(E. M (p0 ) ≥ 1. such as the absence of blocking states or controllability. We have shown how it is possible to derive a set of linear inequalities that exactly deﬁne the set of reachable markings. where p0 is a place of Ni and pj (j > 0) is a place of some speciﬁcation q q q net H. f It is possible to relax the constraint that the vector M be integer and obtain a sufﬁcient condition for the validation of the net. The reachability problem for this class can be solved by incidence matrix analysis. for the constraints coming from the Psemiﬂows of the net that are satisﬁed by the reachable and coreachable markings. q ⇐⇒ Also if the constraint that M be integer is relaxed. Thus.) Let the preset of tq k be: • tq = {p0 . as it clearly has no feasible solution. In fact. Let the reachability set of E be given by the set P RA (E. may be studied by Integer Programming techniques. called Elementary Composed State Machine nets. 6.4. M0 ) ∧ M (p0 ) q ≥1∧( j=1 M (pj ) ≤ 0)].5 Conclusions In this chapter we have deﬁned a class of P/T net. we may use Linear Programming to derive a sufﬁcient condition for E to be controllable.CHAPTER 6. a transition may belong to only one net N . for instance.2 Controllability Consider the net E constructed by concurrent composition of all the systems and speciﬁcation modules. . q M (pj ) ≤ 0. q M ≥ 0. E is not controllable if and only if kq (∃tq ∈ Tu ) (∃M ) [M ∈ R(E. . This is the case. Let tq ∈ Tu be an uncontrollable transition and assume that tq belongs to the system net Ni . This approach may be used to validate supervisors for the control of discrete event systems. M0 ) = {M ∈ I P   A·M ≥ A·M0 }. but it is not enabled by M in E. Important properties of the net. if no real vector M satisﬁes the previous systems of inequalities no blocking marking may be reached. we need not solve the corresponding CS1i . The main drawbacks of this approach is summarized as follows: . In other words. M0 ). q N Proposition 6.j kq j j=1 M (pq ) ≤ 0)] 1 ∧ M (pj ) ≤ 0].
in the sense that if the model does not have the desired properties the approach does not directly lead to the construction of a proper supervisor.CHAPTER 6. INCIDENCE MATRIX ANALYSIS 60 • Integer Programming problems may be not be solved. in polynomial time. • The model is limited. in general. However we have also shown that it is possible to use Linear Programming techniques to derive sufﬁcient conditions for supervisory validation. the control problem is not directly solved. in the sense that there exist monolithic supervisors that cannot be modeled as ECSM nets. • Although a procedure to validate a supervisor is given here. .
the acquisition and release of units of the resource. In their approach. k) deﬁnes a set of legal markings: M(w. Viswanadham 90. transitions that may be observed but not prevented from ﬁring by a control agent. the second part of this chapter discusses GMEC for systems represented as marked graphs. The goal is that of constructing a supervisor capable of enforcing the constraints. the complexity of enforcing a GMEC is enhanced by the presence of uncontrollable transitions. A single GMEC may be easily implemented by a monitor. Zhou 91]. thus there exist problems which do not have a “monitorbased” solution.Chapter 7 GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 7.e.e. A problem addressed for those systems with shared resources has been that of deadlock prevention or avoidance [Banaszak 90. A constraint (w.1 Introduction Mutual exclusion constraints are a natural way of expressing the concurrent use of a ﬁnite number of resources. In the framework of Supervisory Control [Golaszewski 88]. in this case we prove that the set of legal markings cannot always be represented by a linear domain in the marking space. M0 be a net system with set of places P . In this context. shared among different processes. Let N. based on linear algebraic techniques [Silva 92].. In this work. k) = {M ∈ I P   wT · M ≤ k}. containing all those markings from which a forbidden one may be reached by ﬁring a sequence of uncontrollable transitions. instead. i. we are interested in deriving a net based structure for the supervisor. may be prevented from ﬁring by a control agent. We 61 . which may be deﬁned as fully interpreted. a place whose initial marking represents the available units of a resource and whose outgoing and incoming transitions represent. In traditional Petri net modeling all transitions are assumed to be controllable. Unfortunately. N where w is a weight vector of nonnegative integers. An equivalence notion among GMEC is introduced and studied from the point of view of structural net theory.. i. we deﬁne a generalized mutual exclusion constraint (GMEC) as a condition that limits a weighted sum of tokens contained in a subset of places [Giua 92b]. it is necessary to prevent the system from reaching a superset of the forbidden markings. Krogh 91]. to compare and simplify GMEC. In the ﬁrst part of this chapter we present a methodology. A solution to this problem has been given by Holloway and Krogh [Holloway 90. and k is a positive integer.. i. respectively. In the framework of Petri nets and from a very general perspective. To enforce a given GMEC. Markings in I P  N that are not legal will be denoted forbidden markings.e. the control policy is efﬁciently computed by an online controller as a feedback function of the marking of the system. Holloway 92a.
Moreover. In Section 7. generalized mutual exclusions constraints are deﬁned. we study the properties of marked graphs with the addition of monitor places. to the net.e. we present two different P/T structures for the supervisor capable of enforcing GMEC for this subclass of marked graphs. i. In Section 7.2.1 Generalized Mutual Exclusion Constraints Deﬁnition 7. km )T . Let N. . 7. k) = i=1 M(wi . Some of these models will be fully compiled. N . The advantages of fully compiling the supervisor action in a net structure are: • The computation of the control action is faster.CHAPTER 7. wm ] and k = (k1 . it is possible to prove that a monitorbased solution may not exist.4. the corresponding supervisor is represented by a P/T net. • A closedloop model of the system under control may be built with standard net composition constructions. In Section 7. Then we study how GMEC may be enforced by adding additional control structure. and k ∈ I + . partially compiled models are more ﬂexible in the sense that some interpretations may be used to implement complex control policies. In particular. since it does not require separate online computation.2 GMEC and Monitors In this section we deﬁne a generalized mutual exclusion constraint (GMEC) as a condition that limits the weighted sum of tokens in a set of places. N where w : P → I is a weight vector. in the form of new places called monitors. . . whose corresponding net structure may be exceedingly large. without an exhaustive state space search.. i.6. corresponding to a set of GMEC. that the system under control enjoys the properties. M0 be a net system with set of places P .e. the corresponding supervisor is given as an interpreted net in which the ﬁring of some transitions not only depends on the marking of the net but on the value of some boolean expressions as well. On the other hand. k) deﬁnes a set of legal markings M(w. we discuss a subclass of marked graphs for which there is always a monitorbased solution. . and analyzed for properties of interest. • The same Petri net system execution algorithms may be used for both the original system and the supervisor.3. If some of the transitions are uncontrollable. k). even when some transitions are uncontrollable. In Section 7. In Section 7. We discuss the modeling power of this kind of constraint and prove that only for restricted classes of systems a forbidden marking problem may be expressed as a mutual exclusion problem. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 62 will discuss and compare several solutions. the structural theory of Petri nets may be used to prove. 7. deﬁnes a set of legal markings m M(W. we compare the advantages and disadvantages of the different control structures. k) = {M ∈ I P   wT · M ≤ k}. others will be partially compiled. these constraints may be enforced by a monitor place.2. A single generalized mutual exclusion constraint (w.5.. ki ) = {M ∈ I P   W T · M ≤ k}. If all transitions of the net are controllable. The chapter is structured as follows. The support of w is the set Qw = {p ∈ P  N N w(p) > 0}. we present two different partially compiled net structures for the supervisor capable of enforcing GMEC for this subclass of marked graphs. A set of generalized mutual exclusion constraints (W. with W = [w1 .1.
. Example 7. 1 T · M = 3. M0 ) ⊆ M(w.. The proposition gives a sufﬁcient condition for redundancy. . M0 if R(N. Let (w1 . k2 ) be two GMEC with: w1 = (1330)T . k) is reduced to the set condition considered in [Krogh 91]. M0 ) ∩ M(w2 . k). k2 ) ⊆ 1 M(w1 . k2 = 1. M0 if and only if (W1 .1a whose set of reachable markings is R(N. k). k). k) is redundant wrt a system N.CHAPTER 7. and w2 = (0110)T . M0 ) ∩ M(W2 . k1 ). B T · M = B T · M0 . k1 ) and (W2 . k2 ).1.3).t. The LPP x2 = max wT · M 2 s. M0 ) = {M  1 T · M = 3}. is redundant wrt N. 1 T · M = 3. k1 = 5. k) is redundant with respect to (wrt) a set of markings A ⊆ I P  if A ⊆ M(w. . w(p) = 1 (∀p ∈ Qw ). ki ) is redundant for all i = 1. .e.t. There are classes of nets. Deﬁnition 7. k) is redundant wrt N. has optimal value x∗ = 5 < k1 + 1. Two sets of GMEC (W1 . . M. wm ] and k = (k1 . Consider the system in Figure 7. M0 ) ⊆ M(w. . 1 M ≥ 0. M0 ) ∩ M(W1 . such as marked graphs (see Proposition 7. k1 ) and (w2 . Proof: If x∗ < k + 1 then P R(N. . Also for the nets for which P R(N. where B is a basis of Psemiﬂows of the net. The LPP x1 = max wT · M 1 s. σ ≥ 0. when w ≤ 1. wT · M ≤ 1.t. k2 ) are equivalent wrt N. M0 be a system. . M0 : x = max wT · M s. A set of GMEC (W. M0 )∩ M(W1 .1. M0 ) = P RB (N. k1 ) is redundant wrt R(N. k). k1 ) = R(N. wT · M ≤ 5. 2 M ≥ 0. M0 if (wi . N A GMEC (w. for which the condition is necessary and sufﬁcient [Colom 89]. i. k) and this implies that R(N. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 63 As a particular case. Let N. A GMEC (w. k2 ) is redundant wrt R(N. M0 if R(N. m. M0 ) ∩ M(W2 . If the following Linear Programming Problem (LPP) has optimal solution x∗ < k + 1 then the GMEC (w. In the following we will discuss the redundancy and equivalence between constraints. Linear programming techniques may be used to derive sufﬁcient conditions for redundancy.t. M0 ) we may equivalently check for redundancy solving the following linear programming problem: x = max wT · M s. km )T . the unweighted GMEC (w.1 R(N. Deﬁnition 7.3.2. k2 ). Proposition 7. k1 ) and (W2 . . and (W2 . hence by Proposition 7. k2 ) are equivalent wrt N. k1 ). M = M0 + C · σ. We may check for equivalence between constraints using the same approach we used to check for redundancy. where W = [w1 . In fact from the deﬁnition it follows that two sets of GMEC (W1 . To prove that the two constraints are equivalent wrt the system considered we may proceed as follows. M0 ) ⊆ M(w. M ≥ 0.
k1 ) is redundant wrt R(N. k3 ) = M(w2 . k2 ) is simpler than (w3 ..e. This property is preserved if we add any number of unweighted constraints to the constraint set that deﬁnes the set of reachable markings.1. k3 ). hence any optimal solution of the Linear Programming Program is also a solution of the corresponding Integer Programming Problem. M0 ) ∩ M(w1 . k1 ) is equivalent to (w2 . The equivalence between constraints leads to the idea of simpliﬁcation of a constraint. the equivalence between (w1 . M0 ) ∩ (w3 . It is immediate to see that M(w3 . Note. k1 ). has optimal value: x∗ = 1 R(N.1a consider. wT · M ≤ 5. 5 has optimal value x∗ = 3 < k2 + 1. . For the system in Figure 7. and the constraint set that deﬁnes the set of reachable markings has integer extremal points. Since we have proved in Example 7. constraint. k3 ) to prove equivalence to (w1 . M0 ) ∩ (w3 .2. k2 ). The system considered in the example is a live marked graph. The next example shows another advantage of simplifying constraints. 3 M ≥ 0. Example 7. k) if w < w. A constraint (w . k3 ) we have an inconclusive answer. k2 ) wrt N. in addition to the two constraints discussed in Example 7. 1 T · M = 3. Given a constraint (w. k2 ). in the previous example. but equivalent. hence we cannot conclude that (w1 . k2 ). k3 ) with: w3 = (0330)T .t. M0 . k1 ) ⊆ M(w2 .1: System in Example 7. to pinpoint the advantage of using the simpler unweighted constraint (w2 . that if we try to use a LPP to prove that (w1 . k3 ) also follows.1 that (w1 . k1 ) and (w3 . we may look for a simpler. hence R(N. 19 3 > 6. k2 ) rather than the weighted one (w3 . GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 64 Figure 7. k3 = 5. the constraint (w3 . k3 ) is equivalent to (w2 . k1 ) is redundant wrt It is important.1. This proves 2 that the two constraints are equivalent for the given system. k3 ) that is simpler than (w1 . k1 ). (w2 . (w3 . In fact the LPP x1 = max wT · M 1 s. By deﬁnition.CHAPTER 7. In the next subsection we will see that simpler constraints require simpler control structure to be enforced. k ) is simpler than (w. i. k). however.
Consider again the system in Figure 7. This is clearly impossible. k) be a GMEC with: w = (1200)T . 1bounded) systems. Let N. k).3.4. in order to have an unweighted constraint that forbids M3 but that does not forbid M1 and M2 we need to chose a w such that (∀p) w (p) ∈ {0. k) ∩ {0. We will prove.e. i. That is.2: Reachable markings in Example 7. In the case of safe (i. We point out that there does not always exist a set of unweighted constraints equivalent to a set of weighted ones. k ). and M3 ∈ M(w . k). then one of the constraints in this set must be (w . k) wrt N. 1}4 . k) equivalent to (w. the constraint (w. it may be the case that a weighted constraint may be decomposed into a set of unweighted ones. k ).CHAPTER 7. M0 . by contradiction. k) with w = (1234)T and k = 5 is equivalent to the set of constraints (W. 1} and w (p3 ) < w (p1 ) < w (p2 ). There exists a set of unweighted constraints (W. k ) may exists. 0 0 1 1 and k = (211)T . In fact. In Figure 7. Let (w.5. Theorem 7. k) ∩ {0.. In fact M(w.. the following theorem proves that any weighted constraint is equivalent to a set of unweighted constraints. Markings M1 = (2100)T and M2 = (0210)T are legal. k ). and w · M2 < w · M3 =⇒ w (p3 ) < w (p1 ).2. Example 7. If there exists a set of unweighted constraints (W.1a. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 65 Figure 7. k) may be a useful way to compactly express more than one unweighted constraint.1. k = 4. M2 ∈ M(w . M0 be a safe system with set of places P and (w. while marking M3 = (1200)T is forbidden by (w. Proof: Consider the set of vectors V such that ∀v ∈ V the following conditions are veriﬁed: . that no such (w . 7. both weighted and unweighted.2 Modeling Power of Generalized Mutual Exclusion Constraints In this subsection we discuss the modeling power of GMEC. such that M1 . M (p1 ) and M (p2 ). 1}4 = M(W. The use of weights in the deﬁnition of (w. k) a weighted GMEC.2 we have represented the projection of the reachability set on the ﬁrst two components. For safe systems. with w = 1. Example 7. however. k) with 1 1 1 0 W = 0 1 0 1 .e. k) equivalent to (w. w · M1 < w · M3 =⇒ w (p1 ) < w (p2 ).
j In the rest of this subsection we will compare GMEC with the most general kind of constraint that can be deﬁned on the markings of a system. k) where: w(p) = 1 if p ∈ QM else w(p) = 0. wT · v > k. and k =QM  −1. . k) =⇒ M3 ∈ M(W. M0 ) ∧ M ∈ M(w. 1}P  . M0 ) ∧ QM = QM =⇒ M = M . If wT · v 1 ≤ k stop else repeating this procedure construct v 2 . M0 )∩M(W. k). a) Let us prove R(N. k) =⇒ M ≤ 1 ∧ wT · M > k. v j+1 such that M ≥ v 0 > v 1 > · · · > v j+1 and wT · v j+1 ≤ k while wT · v j > k. M0 ) ∩ M(w. . M2 ∈ M(W. wr ) and k = (k1 .CHAPTER 7. k) and any other marking M ∈ R(N. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS C1. Let N. k). k) ⊆ M(W. M0 ) ∩ M(w. kr )T . . the forbidden markings constraint [Holloway 92a]. (∀v ∈ {0. 1. given a set of forbidden markings F we may forbid any M ∈ F with a constraint (w. However it is possible to prove that for some classes of nets there exists an GMEC equivalent to any forbidden marking constraint. k). . . Let v 1 be a new vector such that: if p = p then v1 (p) = v0 (p) else v1 (p) = 0. k) equivalent to F . M2 . k) =⇒ M ≤ 1 ∧ wT · M ≤ k =⇒ M ≤ 1 ∧ (∀v ∈ V ) ∃p ∈ Qv M (p) = 0 =⇒ (∀v ∈ V ) v T · M ≤ ki =⇒ M ∈ M(W. k). In fact given three markings M1 . · · · . Then. However F may be chosen such that M1 . M0 )\F = R(N.e. C3. M. Thus (W. A forbidden marking constraint consists of an explicit list of markings F that we want to forbid. C4.. M0 ) ∩ M(W. It is enough to prove that M ∈ R(N. This means that v j ∈ V . k). such that R(N. Qv ⊆ Qw . k) ⊆ M(w. . M0 ) \ F = R(N. Let (W.. . M0 ) M < M . M0 )∩ M(W. This proves that there may not exist an GMEC equivalent to a forbidden marking constraint. Let v 0 be deﬁned as: if p ∈ Qw then v0 (p) = M (p) else v0 (p) = 0. M ∈ R(N. Clearly v 0 satisﬁes conditions C1C3 listed above. r) ki =Qwi  −1. We will show that there exists vector v j ≤ v 0 and such that v j ∈ V . k) is a convex set. Then given a set of forbidden markings F there exists a set of GMEC (W. v ∈ {0. M0 be a safe and conservative net system. 2. i. hence v T · M =Qvj =⇒ M ∈ M(W. 1}P  . M0 )∧ M ∈ M(w. . M2 ∈ F and M3 ∈ F .e.e. If a net is safe there does not exist two different markings with the same support. . M0 )) ∃M ∈ R(N. If a net is conservative no marking is covering another one. i=1 and where (i = 1. i. where r 66 {wi } = V. since M(W. k).. (∀M ∈ R(N. C2. k) may be constructed as the union of all the GMEC constraints forbidding a marking in F . k) such that R(N.2. M0 and let F be any set of forbidden markings. v < v) wT · v ≤ k. k) be such that W = (w1 . M3 ∈ R(N. Clearly M ∈ M(w. k)? In general the answer is no. Consider p ∈ Qv0 (∀p ∈ Qv0 )w(p ) ≤ w(p). Let us now consider a net system N. k) =⇒ M ∈ M(W. M0 ) is such that M ∈ M(w. M0 ) with M3 = (M1 + M2 )/2 we have that M1 . i. k). M ∈ R(N. M ∈ R(N. Proof: Let us ﬁrst state two obvious facts. k). Is it possible to ﬁnd a set of GMEC (W. b) Let us prove R(N. Theorem 7.
M0 ) ↑P ⊆ R(N. and N S . M0 is identical to the set of legal potentially reachable markings of N. (w. and a GMEC (w. P ostS ).4. M0 is S M0 = M0 k − wT · M0 .1.1b we have represented the two monitors corresponding to the two constraints discussed in Example 7. i. The resulting system is S denoted N S .6.2. P re.e. Given a system N.. i. M0 ) ∩ M(w. k).. M0 . M0 is contained in the set of legal reachable markings of N. Then N S will have incidence matrix CS = C −wT · C .e. The monitor S ensures that the projection on P of the reachability set of N S . M0 be a system. The initial marking of N S . The projection of X on P is the restriction of X to P and will be denoted X ↑P . M0 . We are assuming that there are no selﬂoops containing S in N S .e. M0 ) ∩ M(w. The requirement that the net be conservative may be shown necessary by the following example. The two possible markings of the system are M1 = (1) and M2 = (0). GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 67 Figure 7. k). with N S = (P ∪ {S}. . S 2. k). M0 the system with the addition of the corresponding monitor S. We will use the following notation for system with monitors. We assume that the initial marking M0 of the system satisﬁes the constraint (w.CHAPTER 7. Let C be the incidence matrix of N . S R(N S . M0 ) ↑P = P R(N. S Proposition 7. P reS . This deﬁnition is extended in the usual way to the projection of a set of vectors X . T. k) wT · M2 ≤ wT · M1 ≤ k. X ↑P = {X ↑P  X ∈ X }. S 1.3 Monitors A GMEC may be enforced on a system by a monitor. Example 7. Clearly for a set of forbidden markings F = {(0)} it is not possible to ﬁnd an equivalent GMEC since (∀w. Deﬁnition 7. 7. M0 . M0 . T. k). Consider the 1bounded but not conservative system in Figure 7. i. The monitor S ensures that the projection on P of the potentially reachable set of N S . Let X : P ∪ {S} → I be a N vector.3: System in Example 7. in Figure 7. the monitor that enforces this constraint is a new place S to be added to N . P ost).2. S P R(N S .3. with N = (P. As an example. k) a GMEC. hence P reS and P ostS may be S uniquely determined by C S .5. Let N..
S) = −C S (S. The monitor S is an implicit place in N S . M0 .CHAPTER 7.. it follows that 0 ≤ M S (S) < P reS (S. M0 ). i. Y T · C ≤ 0 ⇐⇒ ∃a ∈ I + such that Y = (aY − w) ≥ 0. i. 4] As shown in [Colom 89]. k) ⇐⇒ (w. 4. M0 ) be such that: S [σ M S .e. in the sense that it prevents only transition ﬁrings that yield forbidden markings. k). ·). Hence wT · M = wT · (M0 + C · σ) ≤ k. M0 ) ⊇ L(N 0 0 0 T .e. t) = wT · C(·. t) be the column M0 0 of C corresponding to transition t. M0 ) = L(N S . We just need to prove that if (w. M0 ) ↑P ⊆ P R(N. S 2] With the same reasoning of the previous point we can immediately conclude that P R(N S .e. Y T · C S ≤ −wT · C ⇐⇒ S is structurally implicit in R S. M0 ) ∩ M(w.e. Then k − wT · M = M S (S) < P reS (S.. M0 ). GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 68 S 3. t). S 3] Let σt ∈ L(N. t) = wT · C(·. t) = wT · C(·.. M0 ) and S ↑ . k) is redundant in N.. S) = 0. t) − P ostS (t. S is implicit ⇐⇒ L(N. M S ∈ P R(N S . M0 then L(N. This implies that wT (M0 + C · σ) ≤ k. The monitor S minimally restricts the behavior of N S . To prove R(N S . i. Then M S = M S + C S · σ or. Clearly L(N. M0 ) = L(N S . Proof: S 1] Clearly R(N S . k) is redundant in N. from which follows wT · M = wT · [M + C(·. S . Then we also have that MS = M k − w · (M0 + C · σ) T S S is a non negative solution of M S = M0 + C S · σ. The monitor S is a structurally implicit place in N S if and only if all places in Qw are structurally bounded. M0 ). i. M S ). Then: All places in Qw are structurally bounded ⇐⇒ ∃Y ≥ 0 such that QY ⊇ Qw . ·) = −wT · C is the incidence vector of S in C S . i.. t). M0 ) be such that: M0 [σ M [t M and σ ∈ L(N S . M =M P 0 M = M0 + C · σ. Let C(·. M0 ) ↑P ⊆ R(N. equivalently. k). M0 ) = R(N S . Let M ∈ P R(N. M0 ) ↑P ⊆ M(w. t) =⇒ P ostS (t. M0 ) =⇒ R(N. M0 . M S ) =⇒ w T · M > k. M S ). t)] > k. wT · M ≤ k. since the addition of a place can only further conS S strain the behavior of a system. P reS (S. Let us prove the reverse inclusion. let M S ∈ R(N S . k − wT · (M0 + C · σ) ≥ 0. S 5. M0 . M0 ) ↑P ⊆ M(w. S M S (S) = M0 (S) − wT · C · σ = k − wT · (M0 + C · σ) ≥ 0. S is structurally implicit in N S if and only if ∃Y ≥ 0 such that Y · C S ≤ C S (S.e. k) is redundant in N. where C S (S. M0 if and only if (w. Then P reS (S. Since t is not enabled by marking M S and since there are no selﬂoops containing S. M ∈ M(w. M0 ) ∩ M(w. N S S 5] Only if. M ) ⊆ L(N S . We need to prove that σt ∈ L(N S . k). t). so we will prove that redundancy implies L(N. ∃σ ≥ 0 such that M = M0 + C · σ. k). S If.
In the same ﬁgure is shown the reachability graph of the original system (all arcs and states) and of the system with monitor (only continuous arcs). An uncontrollable transition represents an event which may not be prevented from occurring by a supervisor. as shown in the system in Figure 7. the system may lose reversibility. k). that satisﬁes the constraint.2. A controllable transition may be disabled by the supervisor. M0 ).5. Given a system N. the set of controllable transitions.g. S) and by the hypothesis that S is not contained in a selﬂoop S we have: M S (S) ≥ P reS (S. In the net in Figure 7. a monitor has been added to enforce the constraint M (p3 ) + M (p4 ) ≤ 1. N . • Even if liveness is preserved. t) = P reS (S. • Not all markings that satisfy the GMEC may be reached on the net with the addition of a monitor. will never be reached again in the system with monitor.. S From the initial marking M0 = (000111)T the marking M S = (100010)T will never be reached even if the net is live. M0 and a set of GMEC (W. In the system in Figure 7.4. k) = {M ∈ I P   W T · M ≤ k}. The addition of a monitor to the net structure modiﬁes the behavior of a system. a monitor has been added to enforce the constraint M (p1 ) + M (p3 ) ≤ 1. S S Let σt ∈ L(N. a controlling agent which ensures that the behavior of the system is within a legal behavior. that the set of transitions T of a net is partitioned into the two disjoints subsets Tu . Then M wT ·C(·. e.4: A system not live under constraint. We pinpoint three facts: • The addition of a monitor does not always preserve liveness of the system. The initial marking. t)−P ostS (t. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 69 Figure 7. in order to avoid reaching markings that do not satisfy the corresponding GMEC.4. The system reaches a deadlock after the ﬁring of a single transition. M0 ) be such that: M0 [σ M [t M and σ ∈ L(N S . the marking (000011)T may not be reached even if it satisﬁes the constraint M (p3 ) + M (p4 ) ≤ 1 because the net reaches a deadlock. This proves that σt ∈ L(N S . M0 ) be such that: M0 [σ M S .g. 7. T T S (S) = k − w T · M ≥ Note that redundancy implies w · M = w · [M + C(·. the set of uncontrollable transitions. e. now..4 Nets With Uncontrollable Transitions We assume. In the net in Figure 7. the set of legal markings is given as a linear domain: M(W. t). t)] ≤ k. and Tc .CHAPTER 7.5.
Thus any transition ﬁring that yields a legal marking is not forbidden and the behavior of the system under control is the largest behavior that satisﬁes the constraint.. Assume we want to enforce a constraint (w. in the sense that it may not always be solved with the same techniques used in the case that all transitions are controllable. We call this behaviour maximally permissible following [Krogh 87]. k) = M(W. We need to introduce this restriction ∗ because a ﬁring sequence σ ∈ Tu may not be prevented by a controlling agent. M0 ) ∩ M(W. When all transitions are controllable. t2 . such that M (p5 ) + M (p7 ) ≤ 1. a problem of mutual exclusion is transformed into a more general forbidden marking problem. (w.2. we need to further restrict the behavior of the system. Note. Is is easy to see that the markings M1 = (2002001)T and M2 = (0220001)T are in Mc (w. The set of legal marking is in this case: Mc (W. however.2 ensures that. k) but from which a forbidden marking may be reached by ﬁring only uncontrollable transitions. we have represented as empty boxes the controllable transitions t1 .6. k) N ∗ M [σ M ∧ σ ∈ Tu }. i. k) such that R(N. k) (Proposition 7. k) will be reached by the system under control (Proposition 7. but M = (1111001)T = (M1 + M2 )/2 is not. even if some transitions are not controllable. We also discuss the concept of maximally permissible control policy [Krogh 87].6. avoiding all those markings from which a forbidden marking may be reached by ﬁring only uncontrollable transitions. In the net in Figure 7. we have proved that a monitor is capable of enforcing a given GMEC (w. M0 ∩ M(W. Example 7. k) = R(N.. . t5 . GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 70 Figure 7.e. This shows that in presence of uncontrollable transitions. in the sense that it can ensure that only markings in M(w. part 1).CHAPTER 7. It is possible to prove that there does not always exist a GMEC (W. k).2. k). k). M0 ) ∩ Mc (w. k). k) such that R(N. k) = R(N. that for safe and conservative systems the result of Theorem 7. which is a qualitatively different problem. we do not consider legal the markings that satisfy (W. i. This proves that there does not exists a GMEC (W. M0 ) ∩ Mc (w. k) may be enforced by a set of monitors. It is also the case that whenever a transition t is prevented from ﬁring by the monitor at a given marking M then M [t M ∧ M ∈ M(w. part 3).e.5: A system not reversible under constraint. In the presence of uncontrollable transitions. k) \ {M ∈ I P   ∃M ∈ M(W. k) with w = (00100010)T and k = 1. Thus we may have cases in which does not exist a monitorbased solution to a given mutual exclusion problem.
Let N. Then P R(N 0 P 0 M(W. Proposition 7.5 we will show several control structure capable of enforcing generalized mutual exclusion constraints. Let N. Then P R(N.4 and Section 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 71 Figure 7. we will consider systems whose underlying net is a strongly connected marked graph (MG).2. the marked graphs (MG). k) will be reached by the system under control. Proof: Follows from Proposition 7. Strongly connected MG are structurally live and bounded. M0 is a live MG system. M0 ). S According to this proposition it is possible to represent the potential reachability set of N S . In the third subsection we restrict our attention to a particular subclass of MG for which a solution to a mutual exclusion problem may be efﬁciently derived. k). M0 as a set of linear inequalities where the ﬁring count vector σ does not appear. M S ) ↑ = B(N. .1 Marked Graphs with Monitors In the rest of this chapter.4. the maximally permissible control policy should ensure that: a) only markings in Mc (w. M0 be S . M0 ) = P R(N. and Propositon 7.3. S Proposition 7. In Section 7. 7.3.3 ([Murata 89]). k) be a set of GMEC. In the case of uncontrollable transitions. M0 ). 7. If N. M )∩ the system with the addition of the corresponding monitors.3 Generalized Mutual Exclusion Constraints on Marked Graphs In this section we focus on a class of nets. M0 be a MG system. in the presence of uncontrollable transitions. b) all transition ﬁrings that yield a marking in Mc (w.CHAPTER 7. part 2. In the ﬁrst subsection we study the properties of marked graphs with the addition of monitors. and let N S . for this subclass. M0 be an MG system. then we also have that R(N. k) should be allowed. M0 ) = B(N.6: A mutual exclusion problem with uncontrollability that does not admit a monitorbased solution. (W. In the second subsection we present a general formalism for enforcing generalized mutual exclusion constraints on MG with uncontrollable transitions.
3. k). However.5 ([Murata 89]). The control subnet for ti is the subnet Ni = (Pi . X = 1. M0 ) ∩ M(W.2 Control Subnet In this subsection we discuss a general methodology for enforcing constraints on systems with uncontrollable transitions. Deﬁnition 7. P re. For monotsemiﬂow nets deadlockfreeness is equivalent to liveness. Ti = • Pi ∩ Pi• . Consider the system in Figure 7.CHAPTER 7. The set of control transitions for t is the set Ai = • Pi \ Pi• . The dead marking M = (3003)T is in P R(N S . Example 7.9.8. M S is live if ∀M ∈ B(N.5. Assume we want to enforce the two constraints: 3M (p1 ) + M (p3 ) ≤ 9. and N S . Given a net N = (P. as shown in the following example. Thus the previous proposition gives a sufﬁcient but not necessary condition for liveness. T. from initial marking M0 = (0303)T the system is not reversible. unfortunately. and let ti ∈ Tu be an uncontrollable transition. Let the initial S marking be M0 = (2130)T . k). To enforce a constraint we need to prevent some transition ﬁring. These markings are called killing spurious markings in structural jargon. and 2M (p2 ) + 3M (p3 ) ≤ 9. P osti ) where Pi ⊆ P is the set of places connected to t by a path containing only uncontrollable transitions. the control subnet for ti is not deﬁned but the set of control . The system is live from any legal initial marking. M0 ) ∩ M(W. The legal marking of this system under the constraints are shown in Figure 7. Let N. 72 The introduction of a set of monitors corresponding to a set of GMEC does not change this property. 7. We may extend this deﬁnition to controllable transitions as well. M0 be a live MG system. The resulting net will be a monotsemiﬂow net [Campos 91]. since M ∈ B(N. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS Proposition 7.7. since the net is a monotsemiﬂow net. Liveness and the existence of repetitive sequence ﬁrable from M0 are not sufﬁcient conditions for reversibility. The legal marking of this system under the constraints are shown in Figure 7. It is obvious that Ai ⊆ Tc . however. prevent the ﬁring of a set of controllable transitions (called control transitions of t) whose ﬁring is required prior to the ﬁring of t. M0 ) and the system is deadlockfree. whose reachability graph is also shown. The following proposition gives a sufﬁcient condition for liveness. but since it is never reachable the system is live. P ost) and a controllable transition ti ∈ Tc . M0 ) ↑P . Example 7. A connected MG has a single minimal tsemiﬂow. we cannot prevent the ﬁring of an uncontrollable transition t ∈ Tu . Unfortunately. M0 is a harder task. We may. This in turn implies liveness. k) a set of GMEC. and M (p2 ) + 3M (p4 ) ≤ 9.8. T. S S Proof: If no dead marking exists in P R(N S . even if there exist a repetitive sequence ﬁrable from M0 . The next example shows that. M0 the S . Ti . P re.7 we want to enforce the two constraints: 2M (p1 ) + 3M (p4 ) ≤ 9. and P rei = P re ∩ (Pi × Ti ). P ost) be a net. k) that are not reachable under control. (W. In the system in Figure 7. S Proposition 7. M is not a dead marking.6. killing spurious markings may exists on marked graphs with monitors. Note that there may exist dead markings in B(N. M0 ) then no dead marking exists in R(N S . P osti = P ost ∩ (Pi × Ti ). M ) ∩ system with the addition of the corresponding monitors.7. P rei . N 0 0 M(W. Let N = (P. S Proving reversibility for a MG with monitors N S .
CHAPTER 7. Figure 7.7: A marked graph system and its reachability graph. .8: Legal markings for the system in Figure 7 under the set of constraints shown. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 73 Figure 7.
ti ) = 0. if t ∈ Ti ∩ Tc . t . Note that the token distance DB(M. t. Ti . The advantage is that this computation may be done on the structure of net.. ti . ti . i. in the following. Proposition 7. This will allows us. the minimum token content among all possible direct paths from t to ti at marking M . P rei . 2] See Murata [Murata 89]. M0 be an MG system and ti one of its transitions. transitions for ti is the set Ai = {ti }. Let Ni = (Pi . We want to apply the ideas developed so far to the problem of enforcing GMEC on marked graph systems.7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 74 Figure 7. Ti ⊆ Tu . . to use the same formalism for both controllable and uncontrollable transitions. Given a marking M ∈ R(N. as its only output transition is controllable. 2. P osti ) be the control subnet for ti . P rei .e. Ai ) = min{td(M. • Ni = (Pi . Proof: 1] By contradiction. the problem is that of controlling the ﬁring of the input transition of all places in Qw to ensure that the constraint is always veriﬁed. i.CHAPTER 7. For marked graphs systems if it possible to analytically compute the dependency between the ﬁring of an uncontrollable transition and the ﬁring of its control transitions. the maximum number of times we may ﬁre ti without ﬁring any transition in Ai (the deviation bound between ti and Ai ) is DB(M. ti )  t ∈ Ai }. ti ) is the token distance between transitions t and ti . M0 ). We will use the following notation. Given a constraint (w.e. where td(M. and let Ai be the set of control transitions for ti . Ti . Note also that if ti is controllable DB(M. without resorting to the construction of the space of reachable markings. Given a place pi ∈ Qw we will denote: • to its output transition. This means that Ai ∩ Ti = ∅. ti .9: Legal markings for the system in Figure 7 under the set of constraints shown. 1.. P osti ) the control subnet for ti . then the input place of t cannot be in Pi . hence t ∈ Ti . Let N. k). i • ti its input transition. the transition itself. t . Ai ) = DB(M. Ai ) may be computed solely from the analysis of Ni and its marking.
Proposition 7. The deviation bound between an uncontrollable transition and its set of control transitions may be used to deﬁne the set of legal markings Mc (w. Deﬁnition 7. M0 . GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 75 Figure 7. t . Let N. k) = {M ∈ I P   wT · (M + DM ) ≤ k}. to ) ≤ 1].10: Control subnets for the input transitions of places p1 .7. under the hypothesis discussed in the following. • Ai = {t1 . A place pi of an MG system N. k) a GMEC. · · · . Let A = ( pi ∈Qw Ai ). the maximally permissible control may be computed step by step as follows. M0 be an MG system and (w. ti ) ≤ 1 ∧ DB(M. p3 . with the corresponding control transitions. p2 .CHAPTER 7. implies that by ﬁring only uncontrollable transitions we may reach a new marking M such that M (pi ) = M (pi ) + DM (pi ). Then the set of legal markings is Mc (w. let its input transition be ti . i . We have represented the control subnets for their input transitions.3 Control Safe Places We will consider in the following a special class of MG systems introduced in the next deﬁnition.10 places p1 . If wT · (M + DM ) ≤ k then t should be left free to ﬁre else it should be disabled. k) for a GMEC (w. and the assumption that no place pi belongs to the subnet of any ti .. M0 ) ∧ ∀t ∈ Ai ) [DB(M. N where DM (pi ) = DB(M.6. • All transitions in Tc \ A may be left free to ﬁre. ti . M0 ): • For each ﬁrable t ∈ A. Given a marked graph system N. i i Example 7.e. In Figure 7. i (∀M ∈ R(N. Proof: Proposition 7. the deviation bound between any control transition in Ai i and both ti and to is at most one for any reachable marking. p2 . At ) if pi ∈ Qw else DM (pi ) = 0. M0 is said to be control safe if given its input transition ti and its output transition to . The remaining structure of the marked graph is not shown.9. t . tni } the set of control transitions for ti . p3 belong to the support of a GMEC. i 7. i. k). Then from any marking M ∈ R(N. The previous proposition may be used to deﬁne the maximally permissible control policy that enforces the constraint (w. Assume that: ( pi ∈Qw Pi ) ∩ Qw = ∅.3.8. part 1. compute M M [t M . For each place pi ∈ Qw . k) on marked graphs.
often more efﬁcient than a set of monitors. that no place p in Qw . Let ti be the input transition of pi . i 2. Then pj1 and pj2 are in structural mutual exclusion. . k) =⇒ M ∈ M(w.. k) be an unweighted mutual exclusion constraint. k). M0 be a live and bounded MG system. t.e. i.1 Model 1: Monitorbased Controller Deﬁnition 7. k) else M ∈ M(w2 . k)}. 3. i Proof: Follows from the deﬁnition of control safe place. to the output transition of pi . in the sense that will allow us to derive other control structures. k). based solely on the net structure. M0 be a MG system. .e. Then: if M (pj2 ) > 0 then M (pj1 ) = 0. they will never be marked simultaneously. and pi a control safe place of N . Let N. i. pr } be a set of control safe places of N and assume that r = Qw = k + 1. (w2 . . k). . Assume that pj1 ∈ Qw is in the control subnet of place pj2 ∈ Qw . where: wi (p) = 0 if p = pj1 else wi (p) = w(p). k). Let N. k). w ≤ 1. Let Qw = {p1 . tni } be the set of control transitions for ti and to be the output transition of pi . i.4 and Section 7.5. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS It is possible to check for control safeness of a place. Let N. In the next section we will assume. Proof: Trivially M(w. t. It will permit a simpliﬁcation of the problem. M (pi ) + DM (pi ) = 1 ⇐⇒ (∀t ∈ Ai )[td(M. 76 Proposition 7. i. assume M ∈ M(w1 .4 Fully Compiled Models In this section we present two different ways of enforcing a GMEC on MG systems with control safe places. Hence M(w. k) ∩ M(w2 .9. Then ∀M ∈ R(N. The restriction that the places in Qw be control safe has a similar purpose. . the corresponding control structure is a net system as well.. . . k). k). The i i i monitor that enforces this constraint consists of a place S to be added to the original net with arcs as follows: . p belongs to the control subnet of another place p in Qw . We have seen that if the net is safe there exists a monitorbased solution to any GMEC. k) = M(w1 . M (pi ) + DM (pi ) ≤ 1.7. deﬁned on it. to ) = 1]. by the hypothesis that their are control safe. Proposition 7.e. We assume that M0 ∈ Mc (w. A place pi is control safe if and only if ∀t ∈ Ai there exists a cycle that contains pi and t and this cycle is marked with a single token. even if not all transitions are controllable. We discuss a particular case that may arise for a given constraint (w. k) ∩ M(w2 . (∀t ∈ Ai )[td(M.10. To prove the reverse inclusion. k) =⇒ M ∈ M(w.. M0 ): 1. M0 be a MG system and (w. to ) ≤ 1]. Given a GMEC (w. without loss of generality.. and M ∈ M(w1 . we will assume that the places in Qw are control safe.e. the constraint (w. . k). with i ni =Ai. Given pi ∈ Qw let Ai = {t1 .4. 7. 7. k) ⊆ M(w1 . k · 1) = {(w1 . k) ∩ M(w2 . The idea here is that to check whether a place pi ∈ Qw may be marked by a ﬁring sequence of uncontrollable transitions we need to check only how many ﬁrings of transitions in Ai have occurred.CHAPTER 7. The different solutions are shown in Section 7. and Ai the set of control transitions of ti . k) is equivalent to the set of constraints (W. Both solutions are fully compiled.
. E.e. .10 are the only illegal markings for unweighted constraints of this kind. The previous construction may not be used. Example 7. i which by Proposition 7. k) of this form may be enforced by adding several monitors.g. • P ost(S. t) = 0. a transition t will be selﬂooped if ∃i. We have added a place S to the original system with the arcs shown in dotted lines.. . • P re(S. The previous deﬁnition assume that no transition will be selﬂooped with the monitor place. However the original constraint may be rewritten as a set of constraints according to the following proposition. Assume now (w. is such that Qw > k + 1. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 77 Figure 7.11 we want to enforce the constraint M (p1 ) + M (p2 ) + M (p3 ) ≤ 2 over the net in Figure 7. to ) = 0}  i i.CHAPTER 7. t.11: Example of monitor. j t = to ∧ t ∈ Aj . t.7 enforces the maximally permissible policy that ensures that the constraint (w. s counts the number of control transitions that must ﬁre prior to the marking of all places in Qw . It is easy to see that a monitor constructed as in Deﬁnition 7. t) = ni if t = to else P ost(S. In Figure 7.10. k) will be satisﬁed. . to ) = 1]. A set of constraints (W. t) = 1 if t ∈ Ai else P re(S. t) = 0.. In this case we need to eliminate i the arcs in selﬂoop from the preincidence and postincidence matrices. r)(∀t ∈ Ai )[td(M. k). . with w ≤ 1. i The initial marking will assign s − 1 tokens to place S where s = {t  t ∈ Ai ∧ td(M0 .10. In fact the monitor prevents only transition ﬁrings that lead to all markings M such that (∀i = 1.
p1 . pr . . Proof: (⊆) is trivial. Qw = k + 1}. p2 . pr } be a set of control safe places. t) = 1 if t = to else P reS (pi . tni } be the set of control transitions for ti and to be the output transition of pi . . . k). We assume that M0 ∈ Mc (w. . GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 78 Proposition 7.2 Model 2: Compiled Supervisor In this section we consider a net supervisor. k).4.e. Deﬁnition 7. . k) be a GMEC. k) = M(w .11. t) = 0. k) marks at most k places in Qw . Let us prove (⊇). • P reS and P ostS are such that: – P reS (p0 . t) = 0. where Ik+1 = {w ∈ {0. – P ostS (pi . The previous proposition shows that the unweighted constraint (w. ∪ Ar ∪ Ar ∪ {to . . otherwise there exists w ∈ Ik+1 Qw ⊆ {p  M (p) > 0} and M ∈ M(w . . k). The i i i compiled supervisor that enforces this constraint is S = (PS . t) = 0. i – P reS (pi . i. with w ≤ 1. and Qw > k + 1. t) = ni − 1 if t ∈ Ai else P reS (pi .. t) = 1 if t ∈ Ai else P ostS (pi . k). TS . k)  w ∈ Ik+1 }. 1}P  w ≤ w. – P ostS (pi . Clearly M ∈ M(w . k) =⇒ M ∈ M(w. The control pattern is implicit in the transition structure of the supervisor. pr }. Let w ∈ Ik+1 . We have proved in Theorem 7. Let Qw = {p1 . be a weight vector whose support contains all the places marked by M . . t) = w(pi ) if t ∈ Ai else P reS (p0 . p1 . However the problem is that there are different subsets k+1 of Qw of cardinality k + 1. Any marking M ∈ 7. i – P reS (pi . explicitly rewriting the set of unweighted constraints equivalent to the single weighted constraint. t) = 0. k). . . Let N. – P ostS (p0 . t) = 0. t) = 0. The monitor based construction may also be used. . . with w ≤ 1 and Qw> k + 1. Given pi ∈ Qw let Ai = {t1 . . t) = ni − 1 if t = to else P ostS (pi . Then. t) = 0. P reS . p1 .CHAPTER 7. i – P ostS (pi . hence may be Qw enforced by a set of monitors. . pr . when the weight of the places is not unitary. to } where Ai and Ai are sets of transitions r 1 synchronized with Ai . t) = 1 if t ∈ Ai else P ostS (pi . . M(w. Thus in the worst case the number of monitors is exponential with respect to the cardinality of Qw . t) = w(pi ) if t = to else P ostS (p0 . speciﬁes which controllable transitions are allowed to ﬁre. . k · 1) = {(w . . M0 be a MG system and (w. in the sense that a controllable transition that belongs to the supervisor structure is enabled by the control pattern if and only if it is enabled by the marking of the supervisor net. Let (w.1 that this is always possible for the class of nets considered here.8. P ostS ) with: • PS = {p0 . t) = 0. w ∈Ik+1 w ∈Ik+1 M(w . We assume that the supervisor observes the execution of the unconstrained system and at any given instant provides a control pattern. • TS = A1 ∪ A1 ∪ A2 . k) be a mutual exclusion constraint. capable of enforcing a set of GMEC. . is equivalent to the set of constraints (W. – P reS (pi . . t) = 1 if t ∈ Ai else P reS (pi .
In Figure 7. . . to ) = 0}  −1 else [M0 i i 0 i S S ∧M0 (pi ) = ni − 1 − M0 (pi ) S ∧M0 (pi ) = 0].8 enforces the required maximally permissible policy. k) = {(w1 . . • (∀i = j) Ai ∩ Aj = ∅.12: Example of compiled supervisor. since if a transition in Ai is enabled. the corresponding transition in Ai is not. . GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 79 Figure 7. the corresponding transition in Ai or Ai will ﬁre. . If this is not the case. . ki ). . . and conversely. (wm . we need to slightly change the structure of the supervisor by merging the transitions of Ai and Ai in common with Aj and Aj We want to show that the supervisor constructed according to Deﬁnition 7. . Whenever the system executes a transition t ∈ Ai . Note that the behavior is deterministic. ¯ In the case of a set of constraints (W. . . that the supervisor enforces the required policy. S and M0 (p0 ) = k − r S i=1 w(pi )M0 (pi ). . r)[M (pi ) + DM (pi ) = M S (pi )]. ∀i = 1. say Si1 and Si2 . k1 ).10. if [M0 (pi ) + DM0 (pi ) = 1] S S S then [M0 (pi ) = M0 (pi ) = 0 ∧ M0 (pi ) = 1] S (p ) = {t ∈ A  td(M . it will be enabled by the control pattern if and only if it is enabled on both Si1 and Si2 . For the computation of the control pattern. If ni = 1 we may remove the places pi and pi and the set of transitions Ai . Example 7.12 we show the supervisor that may be used to enforce the constraint w(p1 )M (p1 ) + w(p2 )M (p2 ) + w(p3 )M (p3 ) ≤ k over the net shown in Figure 7. km )} we need to construct a supervisor for each single constraint (wi . In the example in Figure 7. . r) ni > 1. Should a controllable transition belong to more that one supervisor.12 we have represented the set of parallel transitions Ai and Ai as a single transition. a transition in Ai is enabled by the control pattern if the corresponding transition in Ai or in Ai is enabled. In the previous deﬁnition we have assumed that: • (∀i = 1. S The initial marking of S is M0 such that. r. . . t. We note ﬁrst that given a marking M of the system and a corresponding marking M S of the supervisor we have that (∀i = 1.CHAPTER 7. by i=1 Proposition 7. . Since the place p0 is enforcing the constraint r w(pi )M S (pi ) ≤ k we have.11. .8.
t) = 0.5. . i – P ostS (pi . t) = w(pi ) if t = πi else P reS (p0 . pr }. . . t) = ni if t = to else P reS (pi . We assume that M0 ∈ Mc (w. pr . r. . – P ostS (p0 . if [M0 (pi ) + DM0 (pi ) = 1] S S S then [M0 (pi ) = M0 (pi ) = 0 ∧ M0 (pi ) = ni ] S (p ) = 1 else [M0 i S ∧M0 (pi ) = {t ∈ Ai  td(M0 . t) = ni − 1 if t = to i else [P ostS (pi . . . . . t) = 0. t) = 1 if t = πi else P reS (pi .13 we show the supervisor that may be used to enforce the constraint w(p1 )M (p1 ) + w(p2 )M (p2 ) + w(p3 )M (p3 ) ≤ k over the net shown in Figure 7. t) = 1 if t = to else P ostS (pi . Example 7. p2 . i – P reS (pi . pr . pr } be a set of control safe places. Given pi ∈ Qw let Ai = {t1 . For instance we may avoid repeating the set of transitions Ai .1 Model 3: NonDeterministic Partially Compiled Supervisor Deﬁnition 7. We will not discuss these modiﬁcations. . • TS = A1 ∪ A2 ∪ . However we need to add additional control structure by introducing transitions with an associated interpretation. . . This partially destroys the possibility of analyzing the net with traditional PN techniques. πr } where each πi is a transition to r 1 which a predicate is associated.5 Partially Compiled Models The net structure of the supervisor may be further simpliﬁed. P reS . • P reS and P ostS are such that: – P reS (p0 . The ﬁring of transition πi will allow place pi to be marked. to ) = 0}  −1 i S S S ∧M0 (pi ) = ni − M0 (pi ) − M0 (pi )]. p1 . t) = 0. . . M0 be a MG system and (w. . is that the “partially interpreted” supervisors that we discuss here may be easily modiﬁed to enforce constraints on any kind of MG system. t) = 0. p1 . where J = {i  M0 (pi ) = 0}.12. ∀i = 1. t) = 0]. . . TS . t) = 0. S The initial marking of S is M0 such that. to } ∪ {π1 . S S and M0 (p0 ) = k − j∈J w(pi ). t) = 1 if t ∈ Ai else P reS (pi . t) = w(pi ) if t = to else P ostS (p0 . – P ostS (pi . . . Let N. The predicate associated to the transitions πi are used to implement the control policy. however. p1 . ∪ Ar ∪ {to . GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 80 7. k). . . t) = 0. . – P ostS (pi . In Figure 7. π2 .CHAPTER 7. k) be a GMEC. t) = 1 if t ∈ Ai else P ostS (pi . . t) = 0. Let Qw = {p1 . . The advantage.9. P ostS ) with: • PS = {p0 .10. – P reS (pi . i – P reS (pi . The noni i i deterministic partially compiled supervisor that enforces this constraint is S = (PS . . 7. . tni } be the set of control transitions for ti and to be the output transition of pi . . t) = 1 if t = πi else P ostS (pi . t. .
P reS . Since the place p0 is enforcing the constraint i∈J w(pi ) ≤ k. P ostS ) with: • PS = {p0 . . . if two or more control transitions may ﬁre simultaneously. given a marking M of the system and a corresponding marking M S of the supervisor we have that (∀i = 1. p1 . pr } be a set of control safe places. t) = 1 if t ∈ Ai else P ostS (pi . . . tni } be the set of control transitions for ti and to be the output transition of pi . – P reS (pi . t) = 0]. . Let Qw = {p1 . π1 . t) = 1 if t = πi else P reS (p0 . . Let N. . p2 . • TS = A1 ∪ A2 ∪ . . . t) = 1 if [t = to or t = πi ] else P ostS (p0 . . r)[M (pi ) + DM (pi ) = 1 ⇐⇒ M S (pi ) = ni ]. i – P ostS (pi . – P ostS (p0 . We assume that M0 ∈ Mc (w. . Given pi ∈ Qw let Ai = {t1 . – P ostS (pi . by Proposition 7.CHAPTER 7. t) = 0. with J = {i  M S (pi ) + M S (pi ) = ni }. t) = 0. t) = 0. π2 .8. In fact. t) = 0. ∪ Ar ∪ {to . t) = 1 if t = πi else P ostS (pi . we have. k) be a GMEC. . k). t) = ni − 1 if t = to i else [P ostS (pi . TS .5. • P reS and P ostS are such that: – P reS (p0 . .10. . . πr } where πi and πi are r 1 transitions to which a predicate is associated. . πr . pr . The deteri i i ministic partially compiled supervisor that enforces this constraint is S = (PS . pr }. t) = 1 if t ∈ Ai else P reS (pi . t) = ni if t = to else P reS (pi . . . The supervisor has been called nondeterministic because we decide a priori which place in Qw will be allowed to be marked. p1 . . .9 will permit the system to reach only legal markings.2 Model 4: Deterministic Partially Compiled Supervisor Deﬁnition 7. M0 be a MG system and (w. as shown in [Krogh 91]. . . i – P reS (pi . . t) = 0. to } ∪ {π1 . that the supervisor will allow only legal markings to be reached. . The supervisor constructed according to Deﬁnition 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 81 Figure 7. . .13: Example of nondeterministic partially compiled supervisor. This control policy is also maximally permissible. . 7.
that affect only the value of the predicates π1 and π1 . . t. The predicate associated to the transitions π1 and π1 are used to implement the control policy. 7.2 for nets with only controllable transitions. It is difﬁcult to show that this supervisor is actually implementing the maximally permissible control policy because of the predicates associated to the transitions πi and πi . Then: • πi = TRUE if [M (pi ) + M (pi ) = ni − 1] ∧ [v + w(pi ) ≤ k] else πi = FALSE. . . S S and M0 (p0 ) = r−  {i  M0 (pi ) = ni } . S The initial marking of S is M0 such that. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 82 Figure 7. we have that (∀i = 1. ∀i = 1. r.14: Example of deterministic partially compiled supervisor. • πi = TRUE if [M (pi ) + M (pi ) = ni ] ∧ [v + w(pi ) > k] else πi = FALSE. . . .6 Comparison of the Models The monitorbased controller is an extension to systems with uncontrollable transitions of the controller studied in Section 7. Note however that given a marking M of the system and a corresponding marking M S of the supervisor.13. Example 7. Thus all the structural properties of monitors may be used to analyze the system under control. .CHAPTER 7. .10. The transitions πi will remove the token necessary to reach M S (pi ) = ni whenever the marking of place pi would violate the constraint. Note that the structure of the supervisor does not depend on the weight vector w and on the integer k. In Figure 7. r)[M (pi ) + DM (pi ) = 1 ⇐⇒ M S (pi ) = ni ].14 we show the supervisor that may be used to enforce the constraint w(p1 )M (p1 ) + w(p2 )M (p2 ) + w(p3 )M (p3 ) ≤ k over the net shown in Figure 7. However. if [M0 (pi ) + DM0 (pi ) = 1] S S then [M0 (pi ) = 0 ∧ M0 (pi ) = ni ] S else M0 (pi ) = {t ∈ Ai  td(M0 . it is the simpler and most straightforward solution. Let J = {i  M (pi ) = ni } and let v = i∈J w(pi ). to ) = 0}  −1 i S S ∧M0 (pi ) = ni − M0 (pi )]. The drawback is that it may require an exceedingly large number of monitors. . in those cases in which it may be used efﬁciently.
we have proved that GMEC may always be enforced by monitors. Thus it is at the same time the simpler model to implement and the most difﬁcult to analyze. marked graphs with control safe places. even in the presence of uncontrollable transitions. we compared a monitorbased solution of mutual exclusion problems with several supervisory based solutions. These speciﬁcations on a net system where all transitions are controllable may be easily enforced by a set of places called monitors. The deterministic partially compiled supervisor has the simpler structure but its behavior strongly depends on the predicates associated to the transitions. For one of these particular classes. since the structure of the supervisor ensures that only legal markings may be reached. as suggested in [Krogh 91]. since it requires all control transitions to be represented twice. For some classes of nets.7 Conclusions We have presented and studied a class of speciﬁcations. The nondeterministic partially compiled supervisor implements a policy slightly different from all other models. it leads to a closedloop model which is difﬁcult to analyze. 7. GENERALIZED MUTUAL EXCLUSION CONSTRAINTS 83 The compiled supervisor has the advantage of always requiring a compact structure that grows linearly with the number of places in the support of the weight vector.CHAPTER 7. This policy is the same derived by Holloway and Krogh [Holloway 92a]. The predicates associated to the transitions may be used to implement different runtime policies. we have shown that this technique is not always applicable when some of the transitions of the net are uncontrollable. called generalized mutual exclusion constraints. However our model does not require online computation. . However. Unfortunately.
1.1 Petri Net Languages for Supervisory Control We have explored the closure properties of Petri net languages under the operators used in Supervisory Control: preﬁx closure. The original contributions consist of four major parts.Chapter 8 CONCLUSIONS AND FUTURE RESEARCH 8. The marked behavior 84 . we have given necessary and sufﬁcient conditions for the existence of Petri net supervisors when the system’s behavior and the legal behavior are deterministic Petri net languages. we use Petri net models to represent not only the system under control but the supervisor as well. b) deterministic.1 Original Contributions The thesis has discussed the use of Petri nets as discrete event models for Supervisory Control. 3. 2. the class LDP is not closed under intersection. If we restrict ourselves to the use of bounded or conservative PN models. c) controllable. and supremal controllable sublanguage. but now not all control problems may be solved by a Petri net supervisor. We have also deﬁned a new class of Petri net languages. Validation of Petri net supervisors. we may consider unbounded Petri net models. Ushio 89]. we face a tradeoff. In fact. The closed behavior L(G) of system G may be restricted to a legal behavior L ⊆ L(G) if and only if L is: a) a preﬁx Petri net language. Unlike all other known classes of Petri net languages. As a ﬁnal result. called DPclosed languages and denoted LDP . we are sure to have a Petri net supervisor for any given control problem. 8.1. The languages in this class are those Ltype Petri net languages (terminal Petri net languages) whose preﬁx language is a Ptype Petri net language (preﬁx Petri net language). Petri net languages for Supervisory Control. Efﬁcient construction of control structure. The approach we have followed is different from previous Petri net based approaches [Holloway 90. Thus. Our results show that Petri net languages are not closed under these operators. If we want to use of the full language power of Petri nets models. which have a ﬁnite reachability set and generate regular languages. It was known from previous work [Wonham 87] that regular languages are closed under these operators. 4. Design of supervisors.
in order to guarantee some important properties. This composition may be easily performed. The class of Elementary Composed State Machines can model both choice and concurrent behavior. showing the advantages of using Petri nets for the design of supervisors. ECSM nets are nets obtained by concurrent composition of state machine modules. 8.1. b) compositions of nets along a set of simple paths that are looped in one of the nets. We have also compared Petri nets and state machines models.3 Validation of Petri Net Supervisors A well known Petri net analysis technique is based on the incidence matrix analysis. the generator constructed in the ﬁrst step of the algorithm is reﬁned to obtain a nonblocking and controllable generator. by introducing new arcs and possibly duplicating transitions. the modular structure of the net is preserved. the same ﬁnite procedure may be used to compose nets with ﬁnite or inﬁnite reachability sets. we have discussed how to reﬁne a coarse structure for a supervisor. these inequalities are obtained by the computation of the basic traps of the state machine modules that compose an ECSM. The ﬁnal Petri net model represents a closed loop model of the controlled system in which it is still possible to identify the composed modules. We have also discussed the difference of our approach with respect to other classical methods based on incidence matrix analysis. We restrict the type of compositions considered. we have presented a design based on the concurrent composition operator. Since the composition is performed on the structure of the net. In particular. using Petri net models. showing how to derive a set of linear inequalities that exactly deﬁne the set of reachable markings. . called Elementary Composed State Machine (ECSM) nets.1. b) Lm (G)closed. We have shown how this approach may be used to validate ECSM supervisors. to avoid reaching undesirable markings. a coarse structure for a supervisor is synthesized by means of concurrent composition of different modules. and by the ﬁring bounds of the composed transitions. by merging transitions labeled by the same symbols. In this reﬁnement. representing the system and the speciﬁcations we want to enforce on the system’s behavior. This procedure may always be applied when the net is conservative.CHAPTER 8. as we have seen. We use a set of linear inequalities to deﬁne the reachability set. may be studied by Integer Programming techniques. as formulated in [Wonham 88a]. These properties may be easily expressed in term of net properties. 8. Important properties of the net. such as the absence of blocking states or controllability.. We have deﬁned a class of P/T net. In the ﬁrst step. This design is well suited for Petri nets models. We have studied how this technique may be used to validate supervisors obtained by concurrent composition of several modules. The design requires two steps. but in some cases it may be necessary to introduce a large number of transitions. c) controllable. CONCLUSIONS AND FUTURE RESEARCH 85 Lm (G) of system G may be restricted to a legal behavior L ⊆ Lm (G) if and only if L is: a) a DPclosed Petri net language. The generator constructed in the ﬁrst step of the algorithm will be a proper supervisor if it is nonblocking and if the language it generates is controllable. The two basic compositions are: a) compositions of nets along a simple path. In the second step.2 Supervisory Design Based on the monolithic supervisory design.
rather than in {0. On the other hand. A GMEC limits a weighted sum of tokens contained in a subset of places. since it does not require separate online computation. i. structure theory of Petri nets may be used to prove.. shared among different processes. A solution to this problem has been given by Holloway and Krogh [Krogh 91]. CONCLUSIONS AND FUTURE RESEARCH 86 8. the corresponding supervisor is represented by a P/T net. called generalized mutual exclusion constraints (GMEC). Unfortunately. Zhou 91]. An equivalence notion among GMEC has been introduced and studied from the point of view of structural net theory. The advantages of fully compiling the supervisor action in a net structure are: • The computation of the control action is faster. to compare and simplify GMEC. respectively. the complexity of enforcing a GMEC is enhanced by the presence of uncontrollable transitions. i. In this context. the corresponding supervisor is given as an interpreted net in which the ﬁring of some transitions depends not only on the marking of the net but on the value of some boolean expressions as well. To enforce a given GMEC. Moreover.e. In the framework of Supervisory Control.. a place whose initial marking represents the available units of a resource and whose outgoing and incoming transitions represent. others are partially compiled. Some of these models are fully compiled. transitions that may be observed but not prevented from ﬁring by a control agent.CHAPTER 8. containing all those markings from which a forbidden one may be reached by ﬁring a sequence of uncontrollable transitions. The goal is that of constructing a supervisor capable of enforcing the constraints.4 Efﬁcient Construction of Control Structure We have presented and studied a class of speciﬁcations for Petri net models. in this case we have proven that the set of legal markings cannot always be represented by a linear domain in the marking space.. all markings that do not satisfy the constraint are called forbidden. we have discussed GMEC for systems represented as marked graphs with control safe places. partially compiled models are more ﬂexible in the sense that some interpretations may be used to implement complex control policies. i. the acquisition and release of units of the resource. it is necessary to prevent the system from reaching a superset of the forbidden markings. A single GMEC may be easily implemented by a monitor. that may be used to express the concurrent use of a ﬁnite number of resources. • A closedloop model of the system under control may be built with standard net composition constructions and analyzed for properties of interest. i. GMEC are a mild generalization of mutual exclusion constraints considered by other authors [Krogh 91. • The same Petri net system execution algorithms may be used for both the original system and the supervisor. the control policy is efﬁciently computed by an online controller as a feedback function of the marking of the system. We have studied..e. that the system under control enjoys the properties. 1}. whose corresponding net structure may be exceedingly large.e.1. thus there exist problems which do not have a “monitorbased” solution. which may be deﬁned as fully interpreted. . In their approach. instead.e. due to the fact that the weights we consider are deﬁned in I . without an exhaustive state space search. We have presented a methodology. N based on linear algebraic techniques. how a net structure for the supervisor may be constructed. We have discussed and compared several solutions.
sequencing speciﬁcations [Holloway 92b]. it may be interesting to consider the composition Macroplace/Macrotransition nets [Jungnitz 92].3 Validation of Petri Net Supervisors Extend the method used to study the reachability set of ECSM to a larger class of nets. the method may be extended to other types of compositions.2. In particular. and derive the corresponding supervisor using a structural based approach. Here the use of interpreted nets should prove a key factor in deriving a simple supervisory structure. Additionally. CONCLUSIONS AND FUTURE RESEARCH 87 8.CHAPTER 8. .2..g.4 Efﬁcient Construction of Control Structure Derive the supervisory structure for enforcing GMEC on classes of nets more general than control safe place marked graphs.1 Petri Net Languages for Supervisory Control Find a characterization of the class LDP in terms of some pumping lemma. We give a list of the problems that may be addressed in the future. Consider classes of speciﬁcation different from GMEC. 8.2 Future Research It may be possible to extend this research in several parts. rather than on its reachability tree. this may permit the reﬁnement of nets with inﬁnite reachability set in all those cases in which the reﬁned model may be given as a Petri net. following the approach presented by [Koh 92] where the composition of partially overlapping paths is considered. which are a superset of state machines.2. 8. or other particular properties of these languages.2. Characterize the class of nonregular Petri net languages that are closed under the supremal controllable sublanguage operator. Since the coverability tree is always ﬁnite. e. 8.2 Supervisory Design Determine a reﬁnement procedure based on the coverability tree of a Petri net. 8.
1986. 17. 88 [Avrunin 91] [Baker 72] [Baker 73] [Banaszak 90] [Beck 86] [Berthelot 86] [Berthelot 87] [Berthomieu 87] [Best 86] [Best 91] . Man. G.” IEEE Trans. 85. Berthelot. 19–40. Reisig and G. 487–506. Banaszak.H. Vol. J. RA6. 1986.” Advances in Petri Nets 1985. J. 1204–1222. E.L Beck. SpringerVerlag. 254I. Laboratoire d’Automatique et d’Analyse des Systèmes du CNR (Toulouse. und Datenverarbeitung. “A Boolean Model for a Class of Discrete Event Systems. Massachusetts). G. SpringerVerlag. Jr.” Arbeitspapiere der Gesellschaft für Math. pp. 1972. “Notation and Terminology on Petri Net Theory. 1973.” IEEE Int. Baker. Massachusetts Institute of Technology (Cambridge. “Checking Properties of Nets Using Transformations. Software Engineering. “Methods for Carrying Proofs on Petri Nets Using their Structural Properties. on Robotics and Automation. Massachusetts). and Cybernetics. “Petri Nets and Languages.” Computation Structures Group Memo 68. Massachusetts Institute of Technology (Cambridge.). Fernández. January. pp. 1974.K. 195. Project MAC.” IEEE Trans. 6. pp. on Systems. No. B. Aveyard. Advances in Petri Nets 1986. 1991. Vol. Jr.” Master’s thesis.” Technical Report. C. W. May.A.S. Baker. Rozenberg (ed. 3.A.). November. of Electrical Engineering. Robotics and Automation. Wileden. December. Avrunin. France). 1986. “Automated Analysis of Concurrent Systems with the Constrained Expression Toolset. Vol. Corbett. 724–734.” Petri Nets: Central Models and Their Properties. pp. No. Vol. C. “Deadlock Avoidance in Flexible Manufacturing Systems with Concurrently Competing Process Flows. Z.H. Krogh. Best. “Transformations and Decompositions of Nets. L. W. 249– 258. 1987. Conf..). SMC4. Best. Lecture Notes in Computer Sciences. SpringerVerlag. B. Buy. 1990. pp.C. Berthomieu. No. Dept.Bibliography [Aveyard 74] R. Lecture Notes in Computer Sciences. 1991. Brauer. H. G. 1987. U. 305–310. Dillon. Berthelot. “Design Methods Based on Nets: Esprit Basic Research Action DEMON” Advances in Petri nets. B. Rosenberg (eds. “Models for Simulation and Discrete Control of Manufacturing Systems.” IEEE Trans. May. pp. Vol. H. Rosenberg (ed. “Equivalence Problems of Petri Nets. 359–376. Krogh.. May.L. G. 1990. E. April. G. 11. pp. No.C.
March. 3. “Supervisory Control of DiscreteEvent Processes with Partial Observations.” IEEE Trans. 1991. 1991. Fanni. M. S.” Tesis Doctoral. Heymann. “Análisis Estructural de Redes de Petri. Cieslak. on Decision and Control (Brighton. Vol. J. “Ergodicity and Throughput Bounds of Petri Nets with Unique Consistent Firing Count Vector. pp. 1991. L. A. S. Dept. 1101–1117.” IEEE Trans. Lafortune. Simone. “Easy Synchronized Petri Nets as Discrete Event Models. SpringerVerlag. Girault and W. on Automatic Control. IEEE Int. pp. No. Rensselaer Polytechnic Institute (Troy. C. December. “Milner’s Communicating Systems and Petri Nets. Rozenberg (eds. F. Pomello.” to appear in IEEE Trans. 1991. pp. Datta. De Michelis.). Vol. Conf. pp. Varaiya. April.” Application and Theory of Petri Nets. “Synthesis of a Class of DeadlockFree Petri Nets. Chiola. “Dealing with Blocking in Supervisory Control of Discrete Event Systems. Gosh. Conf. S. SpringerVerlag. “Stabilization of DiscreteEvent Processes. 1989. pp.” Proc. 1990. De Cindio. 241. G. pp. England). Desrochers. No. SpringerVerlag. F. F. 1987. Pomello. Control. pp. A. “Supervisory Design Using Petri Nets. R. Goos and J. Datta. New York). Desclaux. C. No. Giua.” Master’s Thesis. DiCesare. SE17. pp. “Modular Synthesis of DeadlockFree Control Structures. [Cieslak 91] [Chen 91] [Colom 89] [Crockett 87] [Datta 84] [Datta 86] [De Cindio 82] [De Cindio 83] [DiCesare 91] [Giua 90a] [Giua 90b] [Giua 91] . Campos. 58. Vol. G. 40– 59. A. on Robotics and Automation (Raleigh. 1861–1867. 2–47. Pagnoni and G. No. 486506. J. F. on Decision and Control (Honolulu. 249–260. Giua. Hawaii). Silva. Reisig (eds. pp. DiCesare. Vol. Giua. M. on Software Engineering. D. pp. AC33. 269–279.M. 288– 318.” Proc.K. A. T. F. Hartmanis (eds. Spain). 29th IEEE Int. C. Vol.” Ricerca Operativa. De Cindio. “Superposed Automata Nets. A. “Petri Net Languages for the Control of Discrete Event Systems. “Implementation of a Petri Net Controller for a Machining Workstation. A. G.” Jour. 52. Universidad de Zaragoza (Zaragoza. of the Association for Computing Machinery. 30th IEEE Int. 50. 1990. 1984. G. Chen. Gosh. 2. Simone. P. E. February. December. L. Electrical Computer and Systems Engineering. 3. on Automatic Control.” Application and Theory of Petri Nets. Giua.S. A.” Int. Brave. F. 1983. 385–390. 1991.). 51. Crockett. Ward. DiCesare. July. 1990.BIBLIOGRAPHY [Brave 90] [Campos 91] 89 Y. Programación Lineal y Geometria Convexa. InformatikFachberichte. J. 117–125.1986. DiCesare.). 2839–2844.” Foundation of Software Technology and Theoretical Computer Science. pp. A. “Controllo dei sistemi ad eventi discreti mediante reti di Petri.” Proc. Colom.K. C. Fawaz. Conf. InformatikFachberichte. No. 1982. 66. Vol. A. Vol. De Michelis. North Carolina). 31. A.
pp. Conf. Boudreaux (Eds. December. June. Holloway. pp. Krogh. Silva. Massachusetts Institute of Technology (Cambridge. 1992. 56–68.” Ph. 1990. Massachusetts Institute of Technology (Cambridge. on Decision and Control (Austin.” will appear in Programming Environments for Computer Integrated Manufacturing.E. 1975. Hossain. 5. “Extended State Machine Allocatable Nets.H. May. Illinois). Holloway. Conf. Project MAC. Giua. Gruver and J. Project MAC. on Systems. “Generalized Mutual Exclusion Constraints for Petri Nets with Uncontrollable Transitions. A. “On the Existence of Petri Nets Supervisors. A. Vol.A. Giua. 1992. L. 1992. December. M. Hack. DiCesare. Arizona). and Cybernetics (Chicago. 1990. B. Hack. pp.H. 514–523. F. New York). 1992 IEEE Int. COM31. Massachusetts). pp.” IEEE Trans.E. M. “Mutual Exclusion Problems for Discrete Event Systems with Shared Events.” IEEE Trans. 1972. on Computer Integrated Manufacturing (Troy.C.H.” Technical Report 94. Krogh. DiCesare. “Petri Net Incidence Matrix Analysis for Supervisory Control. 5.” Computation Structures Group Memo 781. P. Texas). 1992.” IEEE Trans. F. M. of Electrical Engineering. DiCesare. Owicki. June. B.” Working Paper. 1992. on Communication. Heymann. IEEE 27th Int. No. F. 1.T.” Proc. F.” IEEE Control Systems Magazine. Dept. dissertation. “Analysis of Production Schemata by Petri Nets. 242–251. pp. M. January. Hailpern. Hack. “Decidability Questions for Petri Nets. Hack. “On Closedloop Liveness of Discrete Event Systems Under Maximally Permissible Control. L. 234–239. Ramadge. 1992. C. Giua. on Automatic Control. pp. Golaszewski. “Petri Nets Languages. May.” Computation Structures Group Memo 124. on Automatic Control. 1975. Conf. Massachusetts Institute of Technology (Cambridge. Massachusetts). an Extension of Free Choice Petri Nets Results. AC35.” 3rd Int. December. February. DiCesare. Conf. Project MAC. Giua. 103–112.J. 1983. Man. October. Massachusetts). No. A.S. “Modular Veriﬁcation of Computer Communication Protocols. Massachusetts Institute of Technology (Cambridge. May.). 692–697.D. “Concurrency and Discrete Event Control. Holloway. B. M. [Giua 92b] [Giua 92c] [Giua 92d] [Golaszewski 88] [Hack 72] [Hack 74] [Hack 75a] [Hack 75b] [Hailpern 83] [Heymann 90] [Holloway 90] [Holloway 92a] [Holloway 92b] . SpringerVerlag.” will appear in Proc. No. Rensselaer Polytechnic Institute (Troy. W. L. AC37. “Synthesis of Feedback Control Logic for a Class of Controlled Petri Nets. 1974. Vol. “GRAFCET and Petri Nets in Manufacturing.” submitted to 31th IEEE Int. S. on Decision and Control (Tucson. M. 1988. Vol.BIBLIOGRAPHY [Giua 92a] 90 A. Massachusetts). “Feedback Control for Sequencing Speciﬁcations in Controlled Petri Nets. F.E. New York).
pp. AC33.” Trans. L. Japan). pp. Brauer.B. “Analysis and Control of Discrete Event Systems Represented by Petri Nets. SICE (in Japanese).H. No. Kurzhanski (eds.” Thèse Doctoral. Krogh.” IEEE Trans. Rensselaer Polytechnic Institute (Troy. New York). 1988. Varaiya. JulyAugust. Johnen. “Approximation Methods for Stochastic Petri Nets. SpringerVerlag. 641–651. on Large Scale Systems (Zurich.H. C.” Petri Nets: Central Models and Their Properties. Illinois). Hoare. Thesis. H.BIBLIOGRAPHY [Hoare 85] [Ichikawa 85] 91 C.” PrenticeHall. IEEE Int. 1985. France). W. “Controlled Petri Nets and Maximally Permissible Feedback Logic. Ichikawa. S. Switzerland). 6. 24. No. Yokoyama. 1114–1119.). A. May. 398–405. Ichikawa. on Robotics and Automation (Philadelphia. Lecture Notes in Control and Information Sciences. on Automatic Control. 1987. “Language Theory of Petri Nets.” Proc. A.H.L Beck. Kurogy. A. No. 1991. July.” Ph. B. E. No. 254I. 1991. Chen. Université Paris–Sud (Paris. Systemès de Réécriture. 1987. Rosenberg (eds. “ Synthesis of Place/Transition Nets for the Simulation and Control of Manufacturing Systems. “A Transformation Theory for Petri Nets and Their Applications to Manufacturing Automation. September. 1985.E. K. Pennsylvania). pp.” Discrete Events Systems: Models and Applications. 115–134. Krogh. A. Conf. C. Desrochers. 487–490. Rensselaer Polytechnic Institute (Troy. 7. Inan. R. 1987. SpringerVerlag. Holloway.” Proc. I. Vol. 1988.” Proc. 397– 412. Symp. “Finitely Recursive Process Models for Discrete Event Systems. pp. P. Circuits and Systems (Kyoto. 4. AC35. December. Krogh.). Vol. 317–326. 1992.” Proc. Ichikawa. Varaiya and A.” IEEE Trans. pp. B. B. Hiraishi. P. and Computing (UrbanaChampaign. 27. on Automatic Control. “A Class of Petri Nets That a Necessary and Sufﬁcient Condition for Reachability is Obtainable. pp. 1988. “The Inﬁmal Closed Controllable Superlanguage and Its Application in Supervisory Control. “Communicating Sequential Processes. M. Vol. pp. K. Vol. [Ichikawa 88a] [Ichikawa 88b] [Inan 88] [Johnen 87] [Jantzen 87] [Jungnitz 92] [Kasturia 88] [Koh 92] [Krogh 86] [Krogh 87] [Krogh 91] [Lafortune 90a] . 1988. Jungnitz. August. 4th IFAC/IFORS Symp. Thesis. “Synthesis of Feedback Control Logic for Discrete Manufacturing Systems. Lecture Notes in Computer Sciences. 626– 639. Advances in Petri Nets 1986. “Analyse Algorithmique des Réseaux de Petri: Veriﬁcation d’Espace d’Accueil. April. E. Vol. 4. New York). IEEE Int.D. A. May. Society of Instrument and Control Engineers. W. 1990. Vol. S. Jantzen. DiCesare. Reisig and G.D. Control. Lafortune. pp.” Ph. 25th Allerton Conf. “Reachability and Control of Discrete Event Systems Represented by ConﬂictFree Petri Net. “Real Time Control of Multilevel Manufacturing Systems Using Colored Petri Nets. 1986. K. K. 103. Koh. Hiraishi.” Automatica. Kasturia. April. F. on Communications.
S.S.BIBLIOGRAPHY [Lafortune 90b] [Lafortune 91] 92 S. Vol. December. Milne. No. Rozenberg (ed. Yoo. 26. Vol. “A Calculus of Communicating Systems. 302–321.” Proc. 346–361. “Observability of Discrete Event Dynamic Systems. H. pp. Ostroff. “ Petri Nets: Properties. Lafortune. Vol.M.” Annals of Operations Research. April. F. Peltz. Lin. on Automatic Control.” J. No. Decision and Control (Austin.” Proceedings IEEE.S. 1–8. IE33. Decision and Control (Austin. ACM.” Proc. 1330–1337. Y. 203–208. T. Lecture Notes in Computer Science 222. pp. 1986. 449–472. 797–806. Özveren. 7. “Decentralized Control and Coordination of DiscreteEvent Systems with Partial Observation. pp. 1988.” Lecture Notes in Computer Science 92. 1977. January. pp.M.). AC35. Lin. 1988.” IEEE Trans.” Jour. C. of Discrete Event Dynamic Systems. [Li 88] [Lin 88] [Lin 90] [Milne 79] [Milner 80] [Murata 77] [Murata 86] [Murata 89] [Narahari 85] [Ostroff 90a] [Ostroff 90b] [Özveren 90] [Parigot 86] . “A Petri NetBased Controller for Flexible and Maintainable Sequence Control and its Application in Factory Automation. 4. 1990. J. R. No.” IEEE Control Systems Magazine. 1986. G. T. “Decentralized Control and Coordination of DiscreteEvent Systems. “Circuit Theoretic Analysis and Synthesis of Marked Graphs. F. K. April. SpringerVerlag. pp. Li. Wonham.M. Narahari. pp. 1. “Some Results on Petri net Languages. W. AC35. on Automatic Control. R. 4. February. pp. 1990. Parigot. Vol. No. No. 1990. A. 4. “Concurrent Processes and Their Syntax. G. TX). AC35. pp. 1979.” Advances in Petri Nets 1985.” IEEE Trans. “A Petri Net Approach to the Modeling and Analysis of Flexible Manufacturing Systems. Komoda. 7. April. December.” IEEE Trans. on Industrial Electronics. W.” IEEE Trans. No. on Automatic Control. K. 95–102. 12. Haruna. pp. 541–580. pp. E. 400–405. July. Analysis and Applications. T. S. W.M. N. Wonham. No. Lafortune. “A Logical Formalism for the Study of the Finite Behavior of Petri Nets. Y. 1125–1130. 482–485. Ostroff. Lin. Viswanadham. 1989. Wonham. 1985.M. Murata. N. 27th IEEE Conf. SpringerVerlag. 27th IEEE Conf. 1990. on Automatic Control. “On Tolerable and Desirable Behaviors in Supervisory Control of Discrete Event Systems. Vol. “Controllability and Observability in the StateFeedback Control of DiscreteEvent Systems. 1990. 3. 1991. Matsumoto. TX). Vol.” IEEE Trans. on Circuits and Systems. July. M. Vol. CAS24. Milner. W. 1980. June. Wonham.” IEEE Trans. pp. Milner. Willsky. “A logic for RealTime Discrete Event Processes. December. Murata. pp. Murata. F. Vol. AC35. J. pp. No. April. PROC77. 386– 397. Vol. “A Framework for RealTime Discrete Event Control. 2.
M. J. 1989. 1980. 1989. SpringerVerlag. W. Vol. P. pp. 7th European Workshop on Application and Theory of Petri Nets (Oxford. A. 1981. No. pp. N. Vol. P. SpringerVerlag.. 1885. on Automatic Control. M. Italy). Vol. Reisig.L. Ramadge. No. Silva. Dept. Symposium on Semantics of Concurrent Computation (Evian.M. Salomaa (eds. Control and Optimization. Shefﬁeld City Polytech. pp. Ontario). Pnueli. Toronto (Toronto. 1. “Programmable Logic Controllers and Petri nets: a comparative study.” SIAM Jour.” Discrete Event Systems: Models and Applications.A. “Petri Nets: An Introduction. J. on Low Cost Automation (Milan. IFAC Int. Vol. 7th Int. Analysis and Optimization of Systems (Antibes. pp. Pergamon Press. AC34. S. 224–237. Rozenberg and A. 4. Peterson. 1989.” Digital Processes.). 25.M. Ramadge.M. pp. November. 1983. “Supervisory Control of a Class of DiscreteEvent Processes. 1. Symp. Lecture Notes in Computer Science 70. 1988. Vol. Puente and Ferrate (Eds. “Inﬁnitary Languages of Petri Nets and Logical Sentences. M.). “Logic Controllers. January.” Proc. 1987. Rozenberg ed. G. No. Lecture Notes in Control and Information Sciences. “Control and Supervision of Discrete Event Processes. 103. January.” Proc.” IFAC Conference on Software for Computer Control. “The Temporal Semantics of Concurrent Programs. “Simpliﬁcation des rèseaux de Petri par elimination des places implicites. Wonham. France). 386– 417. Silva. Varaiya and Kurzhanski (eds.. pp. 10–19.J.J. pp. E. 1986. P.” Proceedings IEEE. “The Control of Discrete Event Systems. 1985. 1989. G.” Proc. Electrical Engineering.” IEEE Trans. Univ. “Modular Supervisory Control of DiscreteEvent Systems. AC. Conf. England). Ed. Madrid. Wonham. “Petri Net Theory and the Modeling of Systems. SpringerVerlag. [Peterson 81] [Pnueli 79] [Ramadge 83] [Ramadge 86] [Ramadge 87] [Ramadge 88] [Ramadge 89a] [Ramadge 89b] [Reisig 85] [Silva 80] [Silva 83] [Silva 85] [Silva 89a] [Silva 89b] . PROC77. P. pp. Ramadge. pp. M. Silva. P.). January. Spain.” PrenticeHall. Ramadge. 1983. France).” Ph. Las redes de Petri en la Automatica y la Informatica. Peltz. 6.J. Silva. Ramadge. 206–230. Velilla.BIBLIOGRAPHY [Peltz 86] 93 E. Silva.J. Ramadge. 245–256. 83–88. W. Brauer. W.” EATCS Monographs on Theoretical Computer Science.M. “Some Tractable Supervisory Control Problem for DiscreteEvent Systems Modeled by Büchi Automata. Thesis.” Proc. M.J. pp. Int.D. W. 1–20. Colom. pp. “On the Computation of Structural Synchronic Invariants in P/T Nets” Advances in Petri nets. 1. W. 1988. 1986. 81–98. Wonham. June. 202–214. 6980.J. 157–165 bis. SpringerVerlag. P. 1979. “Supervisory Control of Discrete Event Systems: A Survey and Some New Results.
J. 1164–1168. May. (to appear) 1992. Texas). 1992. Matsumoto. pp. M.” Proc. M. Vol. Sreenivas. J. Ushio. 2857–2860. New York). 419–422. RA6. No. AC34. Control Signals Systems. “On the Control of DiscreteEvent Dynamical Systems. 1990. “Modular Supervisory Control of DiscreteEvent Systems.” IEEE Trans. Laub (eds. February. Maimon. W. [Sreenivas 92] [Tadmor 89] [Tsitsiklis 87] [Ushio 88] [Ushio 89] [Ushio 90] [Viswanadham 90] N. pp.” IEEE Trans. Krogh. B.” IEEE Trans. T. 1987. Conf. 29th IEEE Int. Ushio. O. 2. pp. Vol. 1. 27th Int. December. pp. 6.” SIAM Jour. F. 1991. “On The Existence of Finite State Supervisors in DiscreteEvent Systems. 713–723. P. Colom. 265–275.” Proc. November.J. G. Narahari. pp. “Parallel and Sequential Mutual Exclusions for Petri Net Modeling of Manufacturing Systems with Shared Resources.” Proc. Conf. “State Feedback and Modular Control Synthesis in Controlled Petri Nets.M. 1.N. on Automatic Control. 1988. M. R. [Wonham 87] W.M. “A Theory for the Synthesis and Augmentation of Petri Nets in Automation. 515–527. 5. No.” ControlTheory and Advanced Technology. RA7. No.C. P. “On the Controllability of Controlled Petri Nets. Ramadge.” Proc. Tadmor. Silva. December.D.). “Deadlock Prevention and Deadlock Avoidance in Flexible Manufacturing Systems Using Petri Net Models. 11. Thesis. J. W. December. Hawaii). 4. pp. December. T. Campos.” IEEE Trans. No. Denham and A. Viswanadham. 1989. on Robotics and Automation.” Advanced Computing Concepts and Techniques in Control Engineering. “Linear Algebraic Techniques for the Analysis of Petri Nets. 3.J. May.” Math. pp. T. pp. AC37. 1989. “A Control Theory for DiscreteEvent Systems. T.” Ph. Vol. on Mathematical Theory of Networks and Systems. pp.M. No. MITA Press (Tokyo. Ramadge. Decision and Control (Austin. Symp. August. on Robotics and Automation. [Wonham 88a] [Wonham 88b] [Zhou 90] [Zhou 91] . “On the Supremal Controllable Sublanguage of a Given Language. “On Petri Net Models of Inﬁnite State Supervisors. Vol. Y. Johnson. pp. Wonham. on Automatic Control. 3. Wonham. Vol.C. Decision and Control (Honolulu. Vol. 1990. 25. Conf. pp.M. 1988.BIBLIOGRAPHY [Silva 92] 94 M. Decision and Control (Los Angeles.J. 637–659. 274–277. California). R. “Control of Large Discrete Event Systems: Constructive Algorithms. Vol. Japan). Int.J. Rensselaer Polytechnic Institute (Troy. Zhou. 1987. No. Tsitsiklis. DiCesare. 1990. 26th IEEE Int.H. 1988. Zhou. SpringerVerlag. Control and Optimization. No. 13–30. Ushio.S. Wonham. 1502–1507.J. 129–169. September.
The Dtype or deadlock language is deﬁned as the set of strings generated by ﬁring sequences that reach a marking at which no transition is enabled... i. • : T → Σ ∪ {λ} is a labeling function that assigns to each transition a label from the alphabet of events Σ or assigns the empty string as a label.e.e. T. • The Gtype or covering language or weak language is deﬁned as the set of strings generated by ﬁring sequences that reach a marking M covering a ﬁnal marking. 95 .e. Peterson 81]: • N = (P. • In a λfree labeled PN no transition is labeled λ. (∀t. LD (G) = { (σ)  M0 [σ M ∧ (∀t ∈ T )¬M [t }. t ∈ T ) [t = t =⇒ (t) = (t )] and (∀t ∈ T ) [ (t) = λ]. 1 This language is called marked behavior in the framework of Supervisory Control and is denoted Lm (G).. • In a arbitrary labeled PN no restriction is posed on . • F is a ﬁnite set of ﬁnal markings.Appendix A PETRI NET LANGUAGES A. . ∀σ ∈ T ∗ ) [ (σt) = (σ) (t)]. LL (G) = { (σ)  M0 [σ Mf ∈ F }. i. Three different type of labeling functions are usually considered.e. M0 .1 Petri Net Generators A labeled Petri net (or Petri net generator) is a 4tuple G = (N. • In a freelabeled PN all transitions are labeled distinctly and none is labeled λ. P ost) is a Petri net structure.. • The Ltype or terminal language1 is deﬁned as the set of strings generated by ﬁring sequences that reach a ﬁnal marking. i. F ) where [Jantzen 87. i. The labeling function may be extended to a function : T ∗ → Σ∗ deﬁning: (λ) = λ and (∀t ∈ T. • M0 is an initial marking. Thus we will use the word system to refer to a Petri net generator. LG (G) = { (σ)  M0 [σ M ≥ Mf ∈ F }. We will use Petri net generators to represent discrete event systems. Four languages are associated with G depending on the different notions of terminal strings. P re.
i. D. G f .e.1 is freelabeled.1. deadlock. A. Some of these relations are easily proved. deadlock. preﬁx) languages generated by λfree labeled PN generators. LP (G) = { (σ)  M0 [σ }. Example A. The initial marking. preﬁx) languages generated by arbitrary labeled PN generators. P f ) denotes the class of terminal (resp. . LP (G) = {am  m ≥ 0} ∪ {am cbn  m ≥ n ≥ 0} ∪ {am cbn d  m ≥ n ≥ 0}. • The Ptype or preﬁx language2 is deﬁned as the set of strings generated by any ﬁring sequence. The languages of this system are: LL (G) = {am cbm  m ≥ 0}. The set of ﬁnal markings is F = {(0010)T }. PETRI NET LANGUAGES 96 Figure A.2 Classes of Petri Net Languages The classes of Petri net languages are denoted as follows. deadlock. P λ ) denotes the class of terminal (resp.1: Freelabeled system G in Example A. Here → represents set inclusion ⊇. The following table shows the relationship among these classes. 2 This language is called closed behavior in the framework of Supervisory Control and is denoted L(G). is M0 = (1000)T . covering. Dλ .. • Lλ (resp. covering. LG (G) = {am cbn  m ≥ n ≥ 0}. G λ .APPENDIX A. • Lf (resp. As an example. G. The system G in Figure A. any Ptype language of a generator G may also be obtained as a Gtype language deﬁning as a set of ﬁnal markings F = {0}. LD (G) = {am cbn d  m ≥ n ≥ 0}. also shown in the ﬁgure. preﬁx) languages generated by freelabeled PN generators. Df . • L (resp. P) denotes the class of terminal (resp.1. covering.
1 for the general classes.2 with set of ﬁnal states F = {(1000)T . Thus Ld will denote the subclass of L generated by deterministic Petri nets. This means that the knowledge of the string generated by the system from the initial marking is sufﬁcient to determine the actual marking of the system. Example A.1: Known relations among classes of Petri net languages. since the two transitions labeled a are both enabled at the initial marking.1 shows that P ⊂ L. . We can then deﬁne twelve new classes of PN languages. PETRI NET LANGUAGES Lλ ↓↑ Dλ ↓ Gλ ↓ Pλ → → → → L ↓↑ D ↓ G ↓ P → → → → Lf Df Gf ↓ Pf 97 Table A. (t ) = λ]. M [t ∧ M [t =⇒ [ (t) = (t ). called deterministic Pclosed is discussed in Chapter 4. the next example shows that Pd ⊂ Ld . This class. Table A. (0001)T }. we will consider the L − type and P − type language generated by deterministic systems. Here LP (G) = {am  m ≥ 0} ∪ {am cbn  m ≥ n ≥ 0} ∪ {am cbn d  m ≥ n ≥ 0} is a deterministic P − type PN language. A.1 with set of ﬁnal markings F = {(0001)T }.2. However G is nondeterministic. An arc → represents the set inclusion. In the framework of Supervisory Control. However. etc. It is intuitively clear that no deterministic Petri net may generate LP (G) as a terminal language if F is ﬁnite. with t = t and ∀M ∈ R(N. (0010)T .2. For each of the previously deﬁned classes we will denote with the subscript d the corresponding deterministic subclass. (t) = λ. t ∈ T .3 Deterministic Languages A PN generator G is deterministic if the labeling function and the behavior of G are such that ∀t. A new subclass of L. We want to construct a new system G such that LL (G ) = LP (G). will play a major role in deriving necessary and sufﬁcient conditions for the existence of supervisors represented as deterministic Petri net generators. Consider again the deterministic system G in Figure A.2: Nondeterministic system G in Example A.APPENDIX A. denoted LDP . M0 ). The relations among the subclasses of deterministic languages are different from those reported in Table A. Figure A. A possible solution is the system in Figure A.
The class L is closed under: concatenation.APPENDIX A. Let G1 = (N1 . M0. 3 4 The string wR is the reversal of string w. since other operators of interest. Then a labels a transition in T with the same input and output bag of t. 2) be the place set. The class L is not closed under: Kleene star. is the system G = (N. i. Their concurrent composition. F2 ) be two PN generators. preﬁx closure4 . concurrent composition. denoted also G = G1 G2 . If we consider the class L of PN languages.3. A. Let Pi . 1 . intersection.2 . 2 .2.1 . . Ti and Σi (i = 1. it is possible to prove that L is a strict superset of regular languages and a strict subset of contextsensitive languages.5 Concurrent Composition and System Structure In this section we will review the counterpart of language operators on the structure of a PN generator. P = P1 ∪ P2 . M0. M0 . F1 ) and G2 = (N2 . We will consider only the concurrent composition operator. union. PETRI NET LANGUAGES 98 Figure A. Then m1 × m2 transitions in T will be labeled a. F ) that generates LL (G) = LL (G1 ) LL (G2 ) and LP (G) = LP (G1 ) LP (G2 ). It is possible to prove that L and the class of contextfree languages are not commensurable. – Let a ∈ Σ1 \ Σ2 (a ∈ Σ2 \ Σ1 ) be the label of a transition t ∈ T1 (t ∈ T2 ). and the alphabet of Gi . The input (output) bag of each of these transitions is the sum of the input (output) bags of one transition in T1 and of one transition in T2 . A. The structure of G may be determined as follows.e. • The place set P of N is the union of the place sets of N1 and N2 .4 Closure Properties and Relations with Other Classes Parigot and Peltz have deﬁned PN languages as regular languages with the additional capability of determining if a string of parenthesis is well formed. • The transition set T of N and the corresponding labels are computed as follows.. . transition set. In the diagram in Figure A. T T • M0 = [M0. An example of a language that is contextfree but is not in L: L = {wwR  w ∈ Σ∗ }3 if Σ > 1. – Let a ∈ Σ1 ∩ Σ2 be labeling m1 transitions in T1 and m2 transitions in T2 . An example of a language in L that is not contextfree: L = {am bm cm  m ≥ 0}.1 M0.2 ]T . the set L is denoted “L PN languages”. As proved in Section 4. such as the intersection and shufﬂe operators may be considered as a special case of concurrent composition.3: Relations among the class L and other classes of formal languages.
We will use the following structural notation for composed systems.4: Two systems G1 . denoted P re ↑i . F1 ) and G2 = (N2 .1 .. denoted P ost ↑i . Ti . The composition of more than two systems may computed by repeated application of the procedure for composing two systems. P rei .3. Let N = (P. (i = 1. • The projection of P re on net Ni . Note that while the set of places grows linearly. 2). F ) their concurrent composition. M0. σ be a ﬁring count vector. (i = 1. as the restriction of P re to P ↑i ×T ↑i . (i = 1. Also let M be a marking. i. .4. 2 . P osti ). The initial marking of G is M0 = (1010)T and its set of ﬁnal markings is F = {(1010)T . and σ a ﬁring sequence deﬁned on net N . 2). T T • F is the cartesian product of F1 and F2 . (i = 1. 2). We deﬁne: • The projection of P on net Ni .e. as P ↑i = Pi . M0. F2 ) be two PN generators and G = G1 G2 = (N. Note that T ↑i may be different from Ti . Let G1 = (N1 . PETRI NET LANGUAGES 99 Figure A. 2). as the restriction of P ost to P ↑i ×T ↑i .3. • The projection of T on net Ni . Their concurrent composition G = G1 G2 is also shown in Figure A. (i = 1. Let G1 = (N1 . Here F1 = {(10)T } and F2 = {(10)T . 2). 1 .2 . Example A. (i = 1. P re. M0 . since additional transitions may have been introduced by composing systems in which the same symbol is labeling more than one transition.APPENDIX A. 2). P ost) and Ni = (Pi . as T ↑i = {t ∈ T  (• t ∪ t• ) ∩ P ↑i = ∅}.1 . The projection of M on Ni . F1 ) and G2 = (N2 . F2 ) be two systems in Figure A. (1001)T }. M2 ∈ F2 }. denoted M ↑i . (01)T }. is the vector obtained from M by removing . M0. • The projection of P ost on net Ni . 2 .2 . M0.4. F = {[M1 M2 ]T  M1 ∈ F1 . 1 . the set of transitions and of ﬁnal markings may grow faster. T. G2 and their concurrent composition G in Example A.
2). (i = 1.APPENDIX A. denoted σ ↑i . The projection of σ on Ni . PETRI NET LANGUAGES 100 all the components associated to places not present in Ni . denoted σ ↑i . The projection of σ over Ni . (i = 1. . is the vector obtained by σ removing all the components associated to transitions not present in Ni . is the ﬁring sequence obtained by σ removing all the transitions not present in Ni . 2).
The initial state is denoted by an arrow. Figure B. Example B. we will mention Petri nets. The two languages associated with a DES G are: • The closed behavior L(G) ⊆ Σ∗ . a preﬁxclosed language that represents the possible evolutions of the system. that represents the evolutions corresponding to the completion of certain tasks. The state machine in Figure B. a DES is simply a generator of a formal language.1 represents a discrete event system G. We have discussed in Appendix A how the closed and marked behavior may be associated with a Petri net. Wonham. L(G) = {λ} ∪ {a} ∪ {abcn  n ≥ 0} = abc∗ = Lm (G). where the overline bar represent the preﬁx closure operator. The languages associate to G are: Lm (G) = {abcn  n ≥ 0} = abc∗ . deﬁned on an alphabet Σ. 101 .Appendix B AN INTRODUCTION TO SUPERVISORY CONTROL B. the theory they built is very general.1.. In the examples presented in this section we will use state machine models to be consistent with the original notation. Although Ramadge and Wonham have used in their seminal papers a state machine based representation for DES. When relevant. • The marked behavior Lm (G) ⊆ L(G). et al. Any other formalism that can represent the closed and marked behavior of a system may be used in this framework.1 Discrete Event Systems and Properties In the supervisory control theory developed by Ramadge. the ﬁnal states (just one in this example) are denoted by a double circle. however.1: A discrete event system modeled by a ﬁnite state machine.
. The following example shows nets with different combinations of liveness and nonblocking properties (deadlockfreeness is implied by liveness. and the set Σu of uncontrollable events (that cannot be disabled by an external agent).2: A blocking discrete event system and its trimmed structure in Example B. a Petri net is nonblocking if from any reachable marking it is possible to reach a ﬁnal marking. Deadlockfreeness means that the reachability set does not contain a dead marking. so we will not discuss it). The agent who speciﬁes which events are to be enabled and disabled is called a supervisor. If a ∈ γ. Then a state machine is nonblocking if and only if all reachable states are coreachable. It often required to restrict the behavior of a system within the limits of a speciﬁcation language. More formally. Equivalently.2 we have a blocking system G1 . all the uncontrollable events are present in the control input). into a string that belongs to the marked language.2 Controllable Events and Supervisor The events labels in Σ are partitioned into two disjoint subsets: the set Σc of controllable events (that can be disabled if desired). AN INTRODUCTION TO SUPERVISORY CONTROL 102 Figure B. In this case we obtain the new DES G2 with Lm (G2 ) = Lm (G1 ). Let us deﬁne a control input as a subset γ ⊆ Σ satisfying Σu ⊆ γ (i. Similarly. i. from state q it is not possible to reach a ﬁnal marking.3 are shown: a) a live and nonblocking system. and as coreachable a state from which it is possible to reach a ﬁnal state. d) a nonlive and blocking system.. Note that the DES may be trimmed removing the state q and the transitions entering it. a marking that enables no transition. Example B. B.e..e.APPENDIX B. The set of ﬁnal markings F is also given in the ﬁgure for each net. c) a live and blocking system. This property may be restated for state machines as follows. a DES G is nonblocking if Lm (G) = L(G).e.3. In Figure B.. L(G2 ) = Lm (G2 ) = Lm (G1 ) ⊂ L(G1 ). Liveness implies that from any reachable marking there exists a ﬁring sequence containing all transitions. However a nonblocking system may have a dead marking (if it is a ﬁnal marking). Note that this property is signiﬁcantly different from deadlockfreeness and liveness. Example B. In Figure B. Let us deﬁne as reachable a state that may be reached from the initial state. A DES is said to be nonblocking if any string w ∈ L(G) can be completed into a string wx ∈ Lm (G). the event a is enabled by γ (permitted to occur).2.1. b) a nonlive and nonblocking system. We may only enable and disable the controllable events to achieve this behavior. i. The strings “ab” and “aca” cannot be completed into a string that belongs to the marked language.
That is. . rather than a state feedback.APPENDIX B. where Σc = {a. but of the string of events generated. Example B. A supervisor controls a DES G by switching the control input through a sequence of elements γ1 . γ2 . Figure B.4. A supervisor may be given as a function f : L(G) → Γ specifying the control input f (w) .4. Note that in state q0 the control input is different depending on the value of w. If the system is deterministic. the uncontrollable events are always enabled. Consider the system in Figure B. Assume we want a terminal string to contain the event b exactly twice. Thus trace feedback is more general than state feedback. it is possible to reconstruct its state from the string of events generated.3: Combinations of nonblocking and liveness properties for Petri nets with set of ﬁnal markings F in Example B. A point that should be stressed is the fact that the supervisor is implementing a trace feedback. Let Γ ⊆ 2Σ denote the set of all the possible control inputs. A closed loop block diagram showing a system under supervision is shown in Figure B. .4: A closed loop controlled discrete event system. otherwise a is disabled by γ (prohibited from occurring).5. Table B. as generally assumed.1 summarizes the required control input γ after a string w has been generated. The controllable transitions are denoted with a “:”. in response to the observed string of previously generated events. c} and Σu = {b}.2. AN INTRODUCTION TO SUPERVISORY CONTROL 103 Figure B. ∈ Γ. and the corresponding state of the system. the control input is not a function of the present state of the system. .
all marked strings of G that are also marked by S. whenever an event occurs in G the same event will be executed by S. it has no ﬁnal states. Let us assume in the following that the supervisor is given as a DES S.5 .APPENDIX B. AN INTRODUCTION TO SUPERVISORY CONTROL 104 Figure B.e.e. For what regards the language accepted by S/G there are two possible deﬁnitions. Lm (S) is not deﬁned. Then. the subset of the uncontrolled behavior that survives under supervision. that runs in parallel with the system G. It also possible to represent a supervisor as another DES S.4 state q0 q1 q0 q1 q0 q2 w λ a ab aba abab ababc γ {a.5. The closed loop system under control will be denoted S/G and may be considered as a new discrete event system [Ramadge 87]. c} {a..6: Supervisor in Example B.1: Control inputs in Example B. we call the supervisor non marking and we deﬁne Lm (S/G) as Lm (S/G) = Lm (G) ∩ L(S/G). i. i. The events enabled at a given instant on S determine the control input.6.. c} {b.. c} Table B. b. Example B. In this case. b. b} {a..4. i. b} {a. i. A transition structure for the same supervisor is shown in Figure B. If we assume that the supervisor does not mark strings. the closed behavior of S/G is L(S/G) = L(G) ∩ L(S). Figure B. to be applied for each possible string of events w generated by the system G.e. If S has a set of ﬁnal states we may deﬁne as marked behavior of S/G as Lm (S/G) = Lm (G) ∩ Lm (S).5: System in Example B.4 the supervisor has been described in tabular format. In Example B.e. c} {b.
6. B.. c}. and S2 in Example B.e. S1 . Here the closed and marked behavior of S/G are L(S/G) = ababc. S qualiﬁes as a proper supervisor for G if the two following properties are ensured. since only non marking supervisors are considered. Lm (S/G) has been used to denote the controlled behavior of S/G.7: Closed loop system S/G in Example B. S1 is not a supervisor for G because in the initial state it disables the uncontrollable event a that is enabled in the initial state of G. 1 The notation is unfortunately ambiguous. If we had considered a supervisor with no ﬁnal states. however.7. S2 is not a proper supervisor for G because if the event a is executed it prevents the system from reaching the ﬁnal state (in fact the event b is never enabled). . We will use Lm (S/G) to denote the language accepted by the closed loop system. AN INTRODUCTION TO SUPERVISORY CONTROL 105 Figure B. i. In [Ramadge 89b] and in the work of other authors.APPENDIX B. as can be derived from the ﬁgure. Example B.8: Systems G. L(S/G) = Lm (S/G). ∀a ∈ Σu ) [wa ∈ L(G) =⇒ wa ∈ L(S/G)].3 Supervisory Control Problem Controlling a DES consists in restricting its open loop behavior within a given speciﬁcation language. the subset of the uncontrolled marked behavior that survives under supervision.e.5.7 represented the closed loop system S/G for the system and supervisor discussed in Example B. specifying whenever necessary if it represents the marked or controlled behavior. Now let us assume that we are given two DES G and S. in place of the marked behavior. the controlled behavior Lm (S/G) = λ + ab + abab + ababc. while Lc (S/G) denotes the controlled behavior. and Lm (S/G) = abab + ababc. In [Ramadge 87] Lm (S/G) denotes the marked behavior of S/G.7. Figure B. and S2 be the DES in Figure B. and call it controlled behavior1 . • controllability: S does not disable any uncontrollable event that may occur in G. i.6.e. we would have considered. i.8. The DES in Figure B.. S1 . (∀w ∈ L(S/G). Example B. Thus we may state the two following Supervisory Control Problems.. Let G. • nonblockingness (or properness): the behavior of the system under supervision must be nonblocking. Here Σc = {b.
i. A language K ⊂ Lm (G) is said to be Lm (G)closed if K = K ∩ Lm (G).1). Hence there does not exit a supervisor S such that Lm (S/G) = L.e. The DES G in Figure B. T. For nonempty L ⊆ Lm (G) there exists a nonblocking supervisor S such that Lm (S/G) = L if and only if L is Lm (G)closed and controllable. However w ∈ L(S/G) =⇒ w ∈ L(S/G). which is now uncontrollable. i. a contradiction. This means that any marked string of G that is the preﬁx of some string of K is also a string of K. Let L = (ab)∗ be the desired closed behavior of the closed loop system. . and marked behavior Lm (G) = (a(b + cd))∗ .2 ([Ramadge 87]. w ∈ Lm (G) ∩ L(S/G) = Lm (S/G). preventing the occurrence of controllable transitions. deﬁned in the following. This means that it is always possible.9: System to control in Example B.. For nonempty L ⊆ L(G) there exists a supervisor S such that L(S/G) = L if and only if L is preﬁx closed and controllable. By deﬁnition of controlled language. c}. Let L = (abab)∗ be the desired controlled behavior of the closed loop system and assume Σu = {a. The supervisor simply needs to disable the controllable event c whenever the system is in state q1 .e. 5.8. then w = abab ∈ Lm (S/G) ⊆ L(S/G) and w = ab ∈ Lm (S/G). A language K ⊂ Σ∗ is said to be controllable (with respect to L(G) and Σu ) if KΣu ∩L(G) ⊆ K. there exists a supervisor S such that L(S/G) = L? SCP2 Given a DES G and a speciﬁcation language L ⊆ Lm (G). (b) If Σu = {b. there exists a nonblocking supervisor S such that Lm (S/G) = L? (Here we assume that S does not mark strings. Theorem B. Theorem B. 2. Lm (S/G) = Lm (G) ∩ L(S/G).1). 6. (a) If Σu = {a. Now assume Lm (S/G) = L. L is controllable and may be enforced by a supervisor. but is not Lm (G)closed. to restrict L(G) within K. when the system is in state q1 . In fact the supervisor cannot disable the event c. due to Ramadge and Wonham [Ramadge 87.8..APPENDIX B. d}. P. AN INTRODUCTION TO SUPERVISORY CONTROL 106 Figure B. This can be also be shown by contradiction in this particular example. The following two theorems. give necessary and sufﬁcient conditions for the existence of a supervisor. Example B.) The solution of these two problems is based on the notions of controllable language and Lm (G)closure. Ramadge 89b].9 has closed behavior L(G) = (a(b + cd))∗ . Lm (S/G) is the controlled behavior of S/G. L is controllable. 1. L is not controllable and cannot be enforced by a supervisor.1 ([Ramadge 87]. SCP1 Given a DES G and a speciﬁcation language L ⊆ L(G). d}.
e. Assume the delays are the following.8. Thus the behavior of the closed loop system is now L(S /G) = K ⊂ L. it is a subset of the legal behavior. Ramadge and Wonham have also shown that in the regular case (i. However we may consider a controllable sublanguage K ⊆ L that may be enforced by a supervisor S . Given a language L we will deﬁne the supremal controllable sublanguage of L as L↑ = sup{K  K ⊆ L. We also want to minimally restrict the behavior of the system. Theorem B.e. If L satisﬁes the conditions of Theorem B. Example B. the supervisor S such that L(S/G) = L may be represented as a ﬁnite state machine. Let G be a ﬁnite state machine (i. However it may well be the case that L↑ contains only the empty string or is even the empty language. By Theorem B. For the problem in Example B.1). its closed and marked behavior are regular languages) and let L be a regular speciﬁcation language. B..4 ([Ramadge 87]. event delay [s] a 0 b 10 c 10 d 0 e 8 f 4 .. K ∈ C(G)} Theorem B. An extension by Lafortune and Chen [Lafortune 90a] to the standard Supervisory Control Problem. the supervisor S such that Lm (S /G) = L may be represented as a ﬁnite state machine. The Petri net system in Figure B. If L satisﬁes the conditions of Theorem B. we note that the supremal controllable sublanguage is optimal from a logical point of view but not necessarily from the performance point of view. The place p0 represents the effect of the supervisor that ensures that places p2 and p6 are never marked at the same time. generate blocking. 3. T.3 ([Wonham 87].1 a supervisor S such that L(S/G) = L does not exist. We will not consider SCPB in this thesis. Since the supremal controllable sublanguage may be too restrictive.APPENDIX B. Let us deﬁne C(G) = {K  KΣu ∩ L(G) ⊆ K} as the set of all languages controllable with respect to L(G) and Σu .10. we want to construct the supervisor which allows the largest behavior of the system within the limits given by the speciﬁcation L. each transition).1b L↑ = {λ}.9. 7.1.10 has a delay associated with each event (i. In order to minimally restrict the behavior we allow the initial ﬁring of either “ab” or “de”.e. As a ﬁnal remark. i. called SCPB (SCP with Blocking) considers a different approximation of the desired behaviour in terms of Inﬁmal Controllable Superlanguage deﬁned as L↓ = inf{K  K ⊇ L.1)..e.. i. however. other controllable approximations to L have been deﬁned. This behavior is called the supremal controllable sublanguage. AN INTRODUCTION TO SUPERVISORY CONTROL 107 Another important result due to Ramadge and Wonham is concerned with the existence of ﬁnite state machine supervisors. This may. K ∈ C(G)}.e. P.. when both the system behavior and the speciﬁcation behavior are regular languages) the supremal controllable sublanguage is a regular language and can be computed in a ﬁnite number of steps. The supremal controllable sublanguage for a given supervisory control problem exists and is unique.2.4 Supremal Controllable Sublanguage Assume we want to restrict the closed behavior of a system G within the limits of a legal language L that is not controllable. Example B.
If the sequence “ab” is initially executed. we have that the required time to reach the ﬁnal marking (0001001)T is 22 seconds. Clearly. .10.10: A timed Petri net model in Example B. while if the sequence “de” is initially executed the ﬁnal marking is reached in 28 seconds.APPENDIX B. it would be better to further restrict the system’s behavior allowing only the ﬁring of the sequence “ab” from the initial marking. AN INTRODUCTION TO SUPERVISORY CONTROL 108 Figure B. if it is required that the system reaches the ﬁnal marking in the shortest time.
If G is given as a Petri net model. the set {K  KΣu ∩ L(G) ⊆ K}. c. N A P/T net. A Petri net model of a discrete event system is G = (N. . The set of marking satisfying a generalized mutual exclusion constraint. . M0 . The sets of Ltype. 109 Lm (G) L. Mf is a ﬁnal marking). Ld . The reversal of a P/T net N . .Appendix C NOTATION a. events. Discrete event system G constrained by speciﬁcation H A set of ﬁnal markings of a P/T net. The set of languages controllable with respect to L(G) and Σu . deterministic Ltype. A marking of a P/T net (M0 is an initial marking.e. If G is given as a Petri net model. M0 ) L(G) H Symbols of an alphabet. the set {M ∈ I P   wT · M ≤ k}. i. The closed behavior of the discrete event system G. A labeling function that assigns to each transition of a net a label from the alphabet Σ. The preﬁxclosure of language L. The incidence matrix of a P/T net. F ). P ost) NR . . and DPclosed Petri net languages. LDP M :P →I N M(w.. The set of ﬁring sequence of N. A basis of nonnegative Pinvariants. k) N = (P. A discrete event system representing a speciﬁcation. The marked behavior of the discrete event system G. The supremal controllable sublanguage of language L. B C = P ost − P re C(G) E=G F G H K :T →Σ L L L↑ L(N. the closed behavior is also called Ptype Petri net language of G. A controllable language. P re. A language. M0 . i. T.e. A discrete event system. b.. the marked behavior is also called Ltype Petri net language of G.
A siphon of a P/T net. y. M0 ) S S S/G t • t. sequences of events. A set of places of a P/T net. Pd QX R(N. i. A nonnegative Pinvariant (Psemiﬂow) of a P/T net. M0 p • p. A marked net. NOTATION NS I N N. N The set of reachable markings of N. T. the net (P ∪ {S}. Strings of a language. the set {a ∈ A  X(a) > 0}. i. The preincidence matrix of a P/T net. The Kleene star of alphabet Σ. Σu is an alphabet of uncontrollable events. P ostS ). a net N with initial marking M0 . M0 ) P. Σc is an alphabet of controllable events. i. A set of generalized mutual exclusion constraints. The set of all possible control inputs determined by a supervisor. The postincidence matrix of a P/T net. A ﬁring count vector of a marked net.APPENDIX C.. x. and deterministic Ptype Petri net languages. M0 ) P RB (N. The empty string. A place of a P/T net. M0 (reachability set). A transition of a P/T net. A set of transitions of a P/T net. A supervisor. N The set of markings {M ∈ I P   B T · M = B T · M0 }. P P ost : P × T → I N P re : P × T → I N P R(N. The closedloop system composed by the system G under the action of supervisor S. P reS . The support of a vector X : A → I . i. t• T T w.e. M0 ) P RA (N... A vector. The set of markings {M ∈ I P   A · M ≥ A · M0 }. the language containing all strings composed with symbols in Σ and the empty string λ. A generalized mutual exclusion constraint. An alphabet. A trap of a P/T net. N The sets of Ptype. k) X:A→I N Y γ Γ θ λ σ σ:T →I N Σ Σ∗ . k) (W. A simple path of a P/T net.e.e.e. p• 110 A P/T net N with the addition of a monitor place S. z (w. The sets of input and output transitions of place p. A ﬁring vector of transitions. The set of markings {M ∈ I P   (∃σ ∈ I T  )[M = M0 + C · σ} N N (potentially reachable set). The set of nonnegative integers. The sets of input and output places of transition t. A control input determined by a supervisor.
d 111 The shufﬂe operator (concurrent composition over disjoint alphabets). .APPENDIX C. The concurrent composition operator. NOTATION ↑ The projection operator. Denotes the end of a proof.
This action might not be possible to undo. Are you sure you want to continue?
Use one of your book credits to continue reading from where you left off, or restart the preview.