Bisimilarity Control of Partially Observed Deterministic Systems with ...

Bisimilarity Control of Partially Observed Deterministic Systems with Application to Nonblocking ∗ Changyan Zhou and Ratnesh Kumar (czhou,[email protected]) Department of Electrical & Computer Engineering Iowa State University, Ames, IA 50014 November 16, 2005 Abstract Nonblocking control using a deterministic supervisor requires the specification language be controllable and observable (under the setting that marking is also decided by a supervisor). We argue that there exist cases where the above properties do not hold, yet a nonblocking control can be synthesized by allowing the supervisor to be nondeterministic. Use of a nondeterministic supervisor yields a controlled system that is nondeterministic for which a language equivalence does not preserve the nonblocking property, and so instead we require the stronger equivalence of bisimilarity (which preserves “sequential” as well as “branching” behavior such as nonblockingness). This motivates us to consider bisimulation equivalence control of a deterministic system subject to possibly nondeterministic specification. The complexity of the general bisimilarity control problem under partial observation is doubly exponential in the product of the plant and the specification sizes [29]. We show that for deterministic plants the complexity of verifying existence of a controller is polynomial, whereas that of performing its synthesis is singly exponential. We establish state-controllability (SC) together with state-recognizability (SR) as a necessary and sufficient condition for the existence of a control. The notion of SC was introduced in [30] as an existence condition for the same problem under the restriction of complete observability of events; and it generalizes the notion of language-controllability (LC) from the setting of deterministic specifications to nondeterministic ones. In the presence of partial observation, the additional condition of SR is needed. SR generalizes the notion of language-recognizability [12] in a similar manner as SC generalizes LC. We show that SR is polynomially verifiable, and also present an exponential complexity algorithm for synthesizing a bisimilarity enforcing supervisor. The proposed approach can be applied to enforce other properties that depend on branching behavior besides the sequential behavior. Keywords: Discrete event systems, supervisory control, nonblocking, bisimulation equivalence The research was supported in part by the National Science Foundation under the grants NSFECS-9709796, NSF-ECS-0099851, NSF-ECS-0218207, NSF-ECS-0244732, NSF-EPNES-0323379, and NSF0424048, and a DoD-EPSCoR grant through the Office of Naval Research under the grant N000140110621. ∗

1

1

Introduction

The initial works on control of discrete event systems (DESs) established the conditions of controllability [22] and observability [3, 16] of a specification language for the existence of a deterministic nonblocking supervisor (under the setting that marking is also decided by a supervisor). We argue that there exist cases where the above properties do not hold, yet a nonblocking supervisor can be synthesized by allowing it to be nondeterministic. Nondeterministic supervisors were investigated in [5, 6, 12]. It was shown in [12] that when a supervisor is allowed to be nondeterministic the condition of achievability, that is weaker than controllability and observability combined, serves as an existence condition for language equivalence. Further when all events are observable (resp. controllable), achievability reduces to controllability (resp., recognizability) [12]. The work on nondeterministic control has not considered the issue of nonblockingness. Use of nondeterministic supervisor yields a controlled system that is nondeterministic for which a language equivalence requirement may not preserve nonblockingness. This is because nonblockingness is not a property of “sequential” behavior (which is what a language specification can capture); rather it is a property of “branching” behavior. (Said another way nonblockingness can not be expressed as a LTL property rather as a CTL property.) So we consider the stronger notion of behavioral equivalence, namely bisimulation equivalence (which preserves sequential as well as branching behavior). Our idea is to pose the problem of nonblocking control for a language specification as a problem of control for bisimilarity with a possibly nondeterministic specification that is language equivalent to the given specification. This motivates us to consider bisimulation equivalence control of deterministic system subject to possibly nondeterministic specification. Recently there has been interest in control for behavioral equivalences that are finer than the language equivalence (see for example [20, 15, 8, 17, 25, 1, 30, 27]). Finer notions of behavioral equivalence are meaningful when the specification is over branching behavior and either the model of plant (system to be controlled) or the supervisor used is nondeterministic. A nondeterminism in the plant model can arise due to a lack of information (such as unmodeled dynamics and/or partial observation) or due to abstraction for the sake of model reduction. A nondeterministic supervisor may be used since weaker conditions may be needed for the existence of a supervisor. There have also been work on control of nondeterministic systems for language equivalence (see for example [24, 13, 14, 4, 11, 7, 28]). The notions of bisimulation and simulation equivalence [19] are quite commonly used for behavioral equivalence. Bisimulation relation has been used as a technique for control of deterministic systems subject to language specifications in [23, 10, 2, 18, 9]. [21] studied the problem of synthesizing a supervisor so that the controlled system is bisimilar to a deterministic specification. In this work, the event set of the system and specification need not be same, and all events are treated controllable. [17] studied control for bisimulation equivalence for a partial specification. The plant is taken to be deterministic and all events are treated controllable. Further it is required that all events treated indistinguishable from the partial specifications point of view be either all enabled or all disabled at a state. Such a 2

requirement does not make sense in supervisory control context. [25] studied the controller synthesis problem for deterministic plants subject to a possibly nondeterministic partial specification such that the controlled system is bisimulation equivalent to the specification. This is the same problem as that studied in [17] except the aforementioned control requirement is removed. [1] studied the synthesis of controllers for deterministic plants subject to µ-calculus based specifications under partial observation, where the observation mask is restricted to be projection type. A mu-calculus specification is equivalent to a bisimulation equivalence specification, but expressed quite differently. In [30, 31] we studied the bisimulation equivalence control problem allowing both the plant as well as the specification to be nondeterministic, while requiring a complete observation of events. We established a small model result showing that a supervisor exists if and only if it exists over a certain finite state space, namely the power set of the Cartesian product of the plant and the specification states. This also showed that the upper bound for computing a bisimilarity enforcing supervisor (when one exists) is double exponential in the product of the plant and the specification states. It turns out that the above results continue to hold even under partial observation of events (see [29]). While the above mentioned small model result establishes the solvability of the bisimilarity control problem, its high computational complexity serves as a motivation for seeking such specializations which possess more practical complexity bounds. Thus far we have identified two different specializations, both assuming a complete observability of events. In [27] we showed that if instead of the bisimilarity one seeks only the similarity, the control problem (both existence and synthesis) becomes polynomially solvable. Similarly, it was shown in [30, 31] that the bisimilarity control problem (both existence and synthesis) remains polynomially solvable when the plant model is deterministic. (A reason why determinism of the plant helps reduce the complexity of the control problem is that in this case the specification itself can be chosen as a supervisor; the same is not true when the plant is nondeterministic. In fact even when the plant and the specification are the same, one may not be able to choose the specification as a supervisor for the reason that the composition of a system with itself may not be bisimilar to the system.) The notion of state-controllability (SC) was introduced as an existence condition, generalizing the notion of language-controllability (LC) from the setting of the language-control to that of the bisimilarity-control. The present paper extends the result of [30, 31] on bisimilarity control of deterministic plants to the setting of partial observations. It turns out that the existence condition remains polynomially bounded, whereas the complexity of synthesizing a supervisor is now exponentially bounded. This is still better than the double exponential complexity of the general case, and is comparable to the complexity of language-control under partial observation using deterministic supervisors [26]. The presence of partial observation poses a new challenge. Under partial observation, certain events become indistinguishable to a supervisor. As a result the state-updates on indistinguishable events, that are enabled at a state of a supervisor, must be identical. This property is known as observation-compatibility or M -compatibility. Surprisingly the bisimulation equivalence does not preserve the M -compatibility property. A consequence is 3

that again the specification itself may not be chosen as a supervisor, for the specification itself may not be M -compatible. A main contribution of the paper is the identification of the property that the specification must satisfy for the existence of a M -compatible supervisor. We first identify the property that the composition of a deterministic plant with a M -compatible supervisor must satisfy. We call this property “relative M -compatibility”. The reason for choosing such a name is as follows. A system that is relative M -compatible can be transformed to a M -compatible system by way of certain state-mergers, without altering the bisimilarity of the control it exercises. More precisely, if G denotes a plant and S is a relative M -compatible system, then by merging certain states of S we can transform it to a M -compatible system S 0 such that GkS 0 is bisimilar to GkS. Thus although S itself may not be M -compatible, it can be altered to become M -compatible without having to alter the bisimilarity of the control relative to the plant it exercises. As is the case with M -compatibility, the weaker property of relative M -compatibility is also not preserved under bisimilarity. As a result when a M -compatible supervisor is composed with a deterministic plant to yield a controlled plant that is relative M -compatible, the specification which is bisimilar to the controlled plant may not be relative M -compatible. We name the property of being bisimilar to a relative M -compatible system to be staterecognizability (SR). Clearly, SR is a necessary condition for the existence of a supervisor. We show that it is also a sufficient condition. Further we show that when the specification is deterministic (i.e., instead of bisimulation equivalence, the specification is one of language equivalence), then the SR property reduces to the property of language-recognizability (LR), a property that was introduced in [12] in the context of language-control under partial observation using nondeterministic supervisors. Thus SR generalizes LR in a same way as SC generalizes LC. This justifies our choice of the name, “state-recognizability”. Application of our results to nonblocking control for a language specification requires seeking a language equivalent and possibly nondeterministic specification that is state controllable and state recognizable. We present a simple manufacturing example for which no deterministic nonblocking controller exists (the specification is not observable) yet a nondeterministic nonblocking controller can be synthesized. This is because a language equivalent state recognizable specification can be identified. It turns out that such a specification must be represented nondeterministically. Our approach to synthesis of nonblocking control for a language specification using nondeterministic supervisors is applicable to any other property that depends on the “branching” behavior. For interested readers the issue of implementing a nondeterministic supervisor is discussed in detail in [12]. Rest of the paper is organized as follows. Section 2 gives notation and preliminaries. An example is discussed in Section 3. Section 4 introduces relative M -compatibility and SR and studies their properties. Section 5 establishes the existence condition. Section 6 provides a method to verify the property of state-recognizability, whereas Section 7 provides an algorithm to test relative M -compatibility. In Section 8 it is shown that when the specification is deterministic (i.e., it is of language control), the SR property reduces to that of LR. The paper concludes in Section 9. 4

2

Notation and Preliminaries

In this paper nondeterministic state machines (NSMs) are used to model discrete event systems. A NSM G is a five tuple: G := (X, Σ, α, X0 , Xm ), where X is its set of states, Σ is its set of events, α : X × (Σ ∪ {}) → 2X is its transition function, X0 ⊆ X is its set of initial states, and Xm ⊆ X is its set of marked states. G is called deterministic if |X0 | = 1, |α(x, σ)| ≤ 1 for all x ∈ X and σ ∈ Σ, and |α(x, )| = 0 for all x ∈ X. The size of a state machine, denoted |G|, is the total number of states and transitions. For a NSM, |G| = O(|X|) + O(|X|2 ) = O(|X|2 ), whereas for a deterministic G, |G| = O(|X|) + O(|X|) = O(|X|). For an event set Σ, we use Σ to denote Σ ∪ {}. A triple (x, σ, x 0 ) ∈ X × Σ × X is called a transition if x0 ∈ α(x, σ); if σ = , the transition is called an -transition. Σ∗ denotes the set of all finite-length sequences of events from Σ, called traces including the trace of zero length, denoted . The -closure of x ∈ X, denoted as ∗ (x), is the set of states reached by executing zero or more -transitions from state x. By using -closure map, we can extend the definition of transition function from events to traces, α ∗ : X × Σ∗ → 2X , which is defined inductively as: ∀x ∈ X, α∗ (x, ) := ∗ (x);

∀s ∈ Σ∗ , σ ∈ Σ : α∗ (x, sσ) := ∗ (α(α∗ (x, s), σ)),

ˆ ⊆ X and Σ ˆ ⊆ Σ, α(X, ˆ Σ) ˆ := ∪ ˆ ˆ α(x, σ), and ∗ (X) ˆ := ∪ ˆ ∗ (x). where for X x∈X,σ∈Σ x∈X The language generated (resp., marked) by G, is denoted as L(G) (resp., Lm (G)). L(G) is the sequence of events generated starting from the initial state, i.e., L(G) = {s ∈ Σ ∗ | α∗ (X0 , s) 6= ∅}, and Lm (G) is the set of generated sequences that end in a marked state, i.e., Lm (G) = {s ∈ L(G) | α∗ (X0 , s) ∩ Xm 6= ∅}. For x ∈ X, we define Σ(x) := {σ ∈ Σ | α(x, σ) 6= ∅} to denote the set of all labels on which transitions are defined at state x. One way to model control interaction between plant and supervisor is via the synchronous composition of their state machine (or automaton) representations. The synchronous composition of two automata G1 and G2 , where Gi = (Xi , Σ, αi , X0i , Xmi ), is the automaton G1 kG2 = (X1 × X2 , Σ, αk , X01 × X02 , Xm1 × Xm2 ), where for x1 ∈ X1 , x2 ∈ X2 , σ ∈ Σ, αk ((x1 , x2 ), σ) =

(

α1 (x1 , σ) × α2 (x2 , σ) if σ 6=  (α1 (x1 , ) × {x2 }) ∪ ({x1 } × α2 (x2 , )) if σ = 

We also define the union of G1 and G2 as the automaton G1 ∪ G2 = (X1 ∪ X2 , Σ, α∪ , X01 ∪ X02 , Xm1 ∪ Xm2 ), where for x ∈ X1 ∪ X2 , and σ ∈ Σ, α∪ (x, σ) =

   α1 (x, σ) ∪ α2 (x, σ)  

α1 (x, σ) α2 (x, σ)

5

if x ∈ X1 ∩ X2 if x ∈ X1 − X2 if x ∈ X2 − X1

Bisimulation equivalence is a type of behavioral equivalence that is used to describe equivalence between nondeterministic systems. A bisimulation relation over two state machines is a symmetric simulation relation. We next introduce the notion of a simulation relation. Definition 1 Given automata G1 = (X1 , Σ, α1 , X01 , Xm1 ) and G2 = (X2 , Σ, α2 , X02 , Xm2 ), a simulation relation is a binary relation Φ ⊆ (X1 ∪ X2 )2 such that (x1 , x2 ) ∈ Φ implies 1. σ ∈ Σ, x01 ∈ α∪∗ (x1 , σ) ⇒ ∃x02 ∈ α∪∗ (x2 , σ) such that (x01 , x02 ) ∈ Φ. 2. x1 ∈ Xm1 ∪ Xm2 ⇒ x2 ∈ Xm1 ∪ Xm2 . G1 is said to be simulated by G2 , denoted as G1 vΦ G2 , if there exists a simulation relation Φ ⊆ (X1 ∪ X2 )2 such that for all x01 ∈ X01 , exists x02 ∈ X02 with (x01 , x02 ) ∈ Φ. This last fact is concisely written as X01 vΦ X02 . We write x1 vΦ x2 to denote that there exists a simulation relation Φ with (x1 , x2 ) ∈ Φ, read as x1 is simulated by x2 . We sometimes omit the subscript Φ from vΦ when it is clear from the context. Further, a simulation relation is called a bisimulation equivalence relation if it is symmetric. For a bisimulation equivalence relation Φ if (x1 , x2 ) ∈ Φ, then x1 and x2 are called bisimilar, written as x1 'Φ x2 (or simply x1 ' x2 when Φ is clear from context). Two automata G1 and G2 are said to be bisimilar, denoted as G1 'Φ G2 , if exists a bisimulation relation such that X01 'Φ X02 . Typically a supervisor operates under limited control and observation capabilities. A limitation in control arises due the presence of uncontrollable events, denoted Σ u ⊆ Σ, that cannot be prevented from occurring. For this reason, an admissible supervisor state machine must enable all uncontrollable events at all its state, a property known as controlcompatibility or Σu -compatibility. A limitation in observation arises due to the type eventsensors used which can provide only a partial or no information about the occurrence of an event they monitor. The sensing capabilities of such event-sensors can be represented as an observation mask function M : Σ → ∆ that maps events into observations (∆ is the set of observed symbols) and satisfies M () = . M is said to be projection type if ∆ ⊆ Σ and for σ ∈ ∆, M (σ) = σ. σ ∈ Σ is said to be an unobservable event if M (σ) = , and otherwise it is said to be an observable event. Two events σ1 , σ2 ∈ Σ are said to be indistinguishable if M (σ1 ) = M (σ2 ). The observation mask M is extended to be defined over traces in Σ∗ as follows: M () := ; ∀s ∈ Σ∗ , σ ∈ Σ : M (sσ) := M (s)M (σ). The notion of (Σu , M )-compatibility is formally defined as follows. Definition 2 Let Σu ⊆ Σ be the set of uncontrollable events and M : Σ → ∆ be the observation mask, then • S = (Y, Σ, β, Y0 , Ym ) is called Σu -compatible if ∀y ∈ Y and ∀a ∈ Σu , β(y, a) 6= ∅. • S is called M -compatible if ∀y ∈ Y and ∀a, b ∈ Σ(y), if M (a) = M (b), then β(y, a) = β(y, b), where it is assumed that a silent transition is implicitly defined as a self-loop. 6

• S is called (Σu , M )-compatible if S is Σu -compatible and M -compatible. Unless otherwise stated, we will use G = (X, Σ, α, X0 , Xm ), R = (Q, Σ, δ, Q0 , Qm ), and S = (Y, Σ, β, Y0 , Ym ) to denote the (deterministic) plant, specification, and supervisor, respectively. The controlled system will be denoted by GkS = (X × Y, Σ, γ, X0 × Y0 , Xm × Ym ).

3

An Example Consider the following manufacturing example.

Storage station 1

Robot

rail 1

Storage station 2

Home location

Work location

rail 2 Storage station 3

Figure 1: A manufacturing system Example 1 A robot is available at its home location to traverse on one of the two available rails (Figure 1). Traversal on rail-i (i = 1, 2) is denoted by event ai , and while on rail-i, the robot can pick a part from storage-i (event bi ) or storage-(i + 1) (event bi+1 ). The robot then takes the part to work location (event c). Upon completion of processing, the robot returns the part to either storage-i (event bi ) or storage-(i + 1) (event bi+1 ) and returns to its home location (event d). Not returning the part to its original pick-up location is undesirable. To avoid this undesirable behavior, the specification requires that while the robot is in its home location it be nondeterministically decided whether to use storage-i or storage-(i + 1) while traversing on rail-i. It is also required that the robot always be able to return to its home location (which means that the state representing the home location is the only marked state). Plant model G and deterministic specification model Rdet are given in Figure 2. We assume that all events are controllable. However, only events c and d are completely observable. Events a1 and a2 are indistinguishable, and so are the events b1 , b2 and b3 . I.e., Σu = ∅, M (a1 ) = M (a2 ), and M (b1 ) = M (b2 ) = M (b3 ). Controllability clearly holds since all events are controllable. However, the observability is violated. This is because a 1 b1 c, a1 b2 c ∈ L(R), M (a1 b1 c) = M (a1 b2 c), a1 b1 cb1 ∈ L(Rdet ), yet a1 b2 cb1 ∈ L(G) − L(Rdet ). It follows that there does not exists a deterministic nonblocking supervisor S such that Lm (GkS) = Lm (Rdet ). Figure 2 also shows some of the nondeterministic specifications R, R 0 , R00 that are “trim” and language equivalent to Rdet . Due to the finiteness of Rdet the number of such “basic” nondeterministic specifications is bounded, and as long as one of them possesses a 7

1

A a1

d

2

C

B b1

b2 D

E

d c

c

G

F b1

b2 H

b2

4

8

b2

c

b2

b2

13

12 c

b3

9

3 b2

4

c

b2

b2

8

2 b3

b2

c 7

b1

10

11

5

c 6

14

15

d

d

a1

a1 a2

b1

b3

c 7

b1

2

11

5

c 6

b3 K

d

b2

a2

a1

9

b1

b3

b2

1

1

a2

a1

a2

c 14

13

d

4

5

7 b2

b1 8

b3 12

c 13

a2

2

b2 11

c

c 6

b3 15

b2

1

a1

9

3

b1 d

12

0

a2

a1

15

d

d

b2

b2 d 5

4

c

c

b3

b1

b3

d 11

c

c

b2

b2

7

6

14

b2

9

b1

8

13

12

d

c 14 b3 15

Figure 2: G (first), Rdet (second), R (third), R0 (fourth), R00 (fifth) bisimilarity enforcing supervisor (possibly nondeterministic), the nonblocking control problem with language specification we set out to solve possesses a supervisor. We show later that there exists a nondeterministic supervisor S such that GkS ' R. Since bisimilarity preserves language equivalence as well as branching behavior (such as nonblockingness), Lm (GkS) = Lm (R) = Lm (Rdet ) and further S is nonblocking as desired. Our main goal in the rest of the paper is to obtain a (Σu , M )-compatible supervisor S such that for a given deterministic plant G and a possibly nondeterministic specification R, it holds that GkS ' R.

4

Relative M -Compatibility and State-Recognizability

In our earlier work on bisimilarity control under complete observation [30, 31], we showed that when the plant is deterministic the existence-test as well as the synthesis of a supervisor can be performed polynomially. We show that even under partial observation, the existence of a supervisor remains polynomially verifiable. Recall from [31] that when G is deterministic, exists a Σu -compatible S such that GkS ' R if and only if R is simulated by G (written, “R is G-simulated” for short), and R is state-controllable (SC). State-controllability should be viewed as a generalization of language-controllability from the setting of deterministic specifications to nondeterministic ones, and is defined as follows: Definition 3 Given plant G and specification R, we say R is state-controllable (SC) with respect to G and Σu if s ∈ L(R), σ ∈ Σu such that sσ ∈ L(G) ⇒ ∀q ∈ δ ∗ (Q0 , s), σ ∈ Σ(q). In the presence of partial observation, S must also be M -compatible. The question becomes what additional property must R possess when there exists (Σu , M )-compatible S such that GkS ' R. Since R is bisimilar to GkS, we first ask what property must GkS satisfy given that G is deterministic and S is M -compatible. Recall that M -compatibility of S implies indistinguishable events when defined at a state must have identical successors. Clearly, when S is composed with G such a property may no longer hold. However, the 8

composed system GkS remains “M -compatible relative to G”, i.e., if we merge the nonidentical successors of indistinguishable events defined at a state of GkS in a certain way, we can construct a M -compatible state machine that also enforces R when used as a supervisor for G. With this motivation we introduce the notion of relative M -compatibility. Relative M -compatibility is defined in terms of a “relative M -compatible bisimulation relation”. The idea behind defining such a relation is that the relative M -compatible bisimilar state-pairs can be merged to satisfy M -compatibility, while preserving the bisimilarity of control exercised. Let Xsyn (y) := {x ∈ X | ∃s ∈ Σ∗ , x ∈ α∗ (X0 , s) and y ∈ β ∗ (Y0 , s)} denote the set of states in G that synchronize with a state y in S, i.e., are reached by a trace s ∈ L(G) ∩ L(S). Definition 4 Given NSMs G = (X, Σ, α, X0 , Xm ) and S = (Y, Σ, β, Y0 , Ym ), a symmetric relation Φ over states of S is said to be a relative M -compatible bisimulation relation if (y1 , y2 ) ∈ Φ implies 1. For i, j = 1, 2, i 6= j, xi ∈ Xsyn (yi ) implies Σ(xi ) ∩ Σ(yj ) ⊆ Σ(xi ) ∩ Σ(yi ), (If xi can synchronize with yi in GkS and is made to synchronize with yj (i, j = 1, 2), then events enabled at xi remain unchanged.) 2. For i, j = 1, 2, i 6= j, ai ∈ Σ(yi ), M (ai ) = M (aj ) implies ∀yi0 ∈ β(yi , ai ), ∃yj0 ∈ β(yj , aj ) s.t. (yi0 , yj0 ) ∈ Φ, (If indistinguishable events ai are defined at yi , then for each ai -successor yi0 of yi , exists a aj -successor yj0 of yj such that (yi0 , yj0 ) ∈ Φ.) 3. For i, j = 1, 2, i 6= j, yi ∈ Ym implies [yj ∈ Ym ] ∨ [Xsyn (yj ) ∩ Xm = ∅]. (If yi is marked then either yj is also marked or it synchronizes with only unmarked states.) We use hy1 , y2 i to denote the state obtained by merger of y1 and y2 . The set of events defined at a state hy1 , y2 i is the union of the set of events defined at y1 and y2 , i.e., Σ(hy1 , y2 i) = ∪i Σ(yi ). For (i) preserving control exercised, and (ii) satisfying M -compatibility when states y1 and y2 are merged, the following should hold: • Enabled events should not change. Since yi synchronizes with xi ∈ Xsyn (yi ), after the merger, hy1 , y2 i will synchronize with states in the set Xsyn (y1 ) ∪ Xsyn (y2 ). So for the control action to not change, we need: Σ(xi ) ∩ [Σ(y1 ) ∪ Σ(y2 )] = Σ(xi ) ∩ Σ(yi ), for i = 1, 2, where left/right hand side is set of events enabled at xi after/before the merger. Suppose we let i = 1, then the above simplifies to [Σ(x1 ) ∩ Σ(y1 )] ∪ [Σ(x1 ) ∩ Σ(y2 )] = Σ(x1 ) ∩ Σ(y1 ). 9

For this to hold, we need Σ(x1 ) ∩ Σ(y2 ) ⊆ Σ(x1 ) ∩ Σ(y1 ). Similarly, if we let i = 2, then Σ(x2 ) ∩ Σ(y1 ) ⊆ Σ(x2 ) ∩ Σ(y2 ) should hold. This justifies the first requirement in Definition 4. • Any pair of indistinguishable events defined at the merged state hy1 , y2 i should have successors that can be paired and combined (for M -compatibility). For this, pairing of successors should exist such that the successor pairs satisfy the same property as the pair (y1 , y2 ) does. This justifies the second requirement in Definition 4. • The combined state should not change the marking status of the controlled system. Thus, for a state-pair being combined, if one of them is marked, then either the other one is also marked or, all states of G that can synchronize with this unmarked state are themselves unmarked. This justifies the third requirement in Definition 4. Definition 5 Given G and S, S is relative M -compatible if exists a relative M -compatible bisimulation relation Φ over states of S such that (y0 , y0 ) ∈ Φ for all y0 ∈ Y0 . Requiring (y0 , y0 ) ∈ Φ implies if exists an indistinguishable pair a1 , a2 ∈ Σ(y0 ), then for every y1 ∈ β(y0 , a1 ) exists y2 ∈ β(y0 , a2 ) such that (y1 , y2 ) ∈ Φ. Then y1 and y2 can be merged to satisfy M -compatibility. This argument can be repeated for any pair (y 1 , y2 ) ∈ Φ. Remark 1 Relative M -compatible bisimulation relation is closed under intersection. To see this, consider two relative M -compatible bisimulation relations Φ1 and Φ2 over states of S. Pick any state-pair (y1 , y2 ) ∈ Φ1 ∩ Φ2 . By Definition 4, condition 1, 2 and 3 hold for (y1 , y2 ). Thus, Φ3 = Φ1 ∩ Φ2 is also a relative M -compatible bisimulation relation. Further if both Φ 1 and Φ2 contain (y0 , y0 ) for each y0 ∈ Y0 , then so does Φ3 = Φ1 ∩ Φ2 . Therefore, whenever S is relative M -compatible, there always exists a certain relative M -compatible bisimulation relation that is unique in the sense that it is the minimum one; which is what we work with by default. The following example illustrates these concepts. Example 2 Consider G and S drawn in Figure 3, M (a) = , M (b1 ) = M (b2 ), M (c) = c, M (d) = d and M (e) = e. We examine whether S is relative M -compatible. I.e., we need to check whether there exists a relative M -compatible bisimulation relation Φ with (A, A) ∈ Φ. The first condition obviously holds for (y1 , y2 ) = (A, A) ∈ Φ. Next, since we have the transitions (A, , A), (A, a, B) and M (a) = , we check condition 1 for the state pair (A, B). Indeed, Xsyn (A) = {1}, [Σ(1) ∩ Σ(B) = ∅] ⊆ [Σ(1) ∩ Σ(A) = {a}], and Xsyn (B) = {2}, [Σ(2) ∩ Σ(A) = ∅] ⊆ [Σ(2) ∩ Σ(B) = {b1 , b2 , d}]. 10

a

1

A

d 4

3

b2 5

b1 C

c,d,e d

b 1 , b 2 ,d

b1 ,b2

B

2

b1



a

a

b2 D

b 2 ,d E





d,e

c,d

d,e d,e

c,d

d

6



F

Figure 3: G (left), S (middle), and S Φ (right) The only pair of indistinguishable transitions defined at the pair of states (A, B) are (A, a, B) and (B, , B). So we need to check the conditions for pair (B, B). Condition 1 is obviously satisfied since two states in the pair are the same. Next, since b1 , b2 ∈ Σ(B) and M (b1 ) = M (b2 ), condition 2 needs to be checked for each b1 -successor and each b2 -successor of B. Consider first the b1 -successor state C. We find that there exists b2 -successor state D such that condition 1 holds, namely, Xsyn (C) = {3}; [Σ(3) ∩ Σ(D) = {d}] ⊆ [Σ(3) ∩ Σ(C) = {d}], and Xsyn (D) = {5}; [Σ(5) ∩ Σ(C) = {d}] ⊆ [Σ(5) ∩ Σ(D) = {d, e}]. Thus, for b1 -successor state C (resp. b2 -successor state D) of B, there exists b2 -successor state D (resp. b1 -successor state C) such that condition 1 holds. Next consider b2 -successor state E of B. Then there exists b1 -successor state C such that Xsyn (E) = {4, 5}; [Σ(4) ∩ Σ(C) = {d}] ⊆ [Σ(4) ∩ Σ(E) = {c, d}], and [Σ(5) ∩ Σ(C) = {d}] ⊆ [Σ(5) ∩ Σ(E) = {d}], and Xsyn (C) = {3}; [Σ(3) ∩ Σ(E) = {d}] ⊆ [Σ(3) ∩ Σ(C) = {d}]. Therefore, there exists a symmetric relative M -compatible bisimulation relation Φ: Φ = {(A, A), (A, B), (B, A), (B, B), (C, C), (C, D), (D, C), (D, D), (C, E), (E, C), (E, E), (F, F )}. Since (A, A) ∈ Φ, we conclude that S is relative M -compatible. The following lemma proves our earlier conjecture that M -compatibility of S and determinism of G implies relative M -compatibility of GkS. Lemma 1 Given deterministic G and M -compatible S, GkS is relative M -compatible. Proof: Define a relation Φ ⊆ (X × Y )2 as follows: 1. ((x0 , y0 ), (x0 , y0 )) ∈ Φ for all y0 ∈ Y0 , 11

2. For ((x1 , y), (x2 , y)) ∈ Φ, if ai ∈ Σ((xi , y)) and M (a1 ) = M (a2 ), then for all y ∈ (a)

β(y, a1 ) = β(y, a2 ), ((x1a1 , y), (x2a2 , y)) ∈ Φ, where xiai = α(xi , ai ). Equality (a) holds since S is M -compatible. From the second part of the definition of Φ, the condition 2 of relative M -compatibility automatically holds. So we only need to show the conditions 1 and 3. Consider a state-pair ((x1 , y), (x2 , y)) ∈ Φ. Then due to the determinism of G, Xsyn ((xi , y)) = {xi }, i.e., xi in G is the unique state that synchronizes with state (xi , y) in GkS. For ((x1 , y), (x2 , y)) ∈ Φ, we have Σ(x1 ) ∩ Σ((x2 , y)) = = ⊆ = =

Σ(x1 ) ∩ [Σ(x2 ) ∩ Σ(y)] [Σ(x1 ) ∩ Σ(y)] ∩ Σ(x2 ) Σ(x1 ) ∩ Σ(y) Σ(x1 ) ∩ [Σ(x1 ) ∩ Σ(y)] Σ(x1 ) ∩ Σ((x1 , y)).

Similarly, Σ(x2 ) ∩ Σ((x1 , y)) ⊆ Σ(x2 ) ∩ Σ((x2 , y)). It remains to show that the condition 3 of Definition 4 also holds. Suppose (x1 , y) ∈ Xm × Ym , then y ∈ Ym . If x2 ∈ Xm , then (x2 , y) ∈ Xm × Ym . On the other hand, if x2 6∈ Xm , then since Xsyn ((x2 , y)) = {x2 } (follows from determinism of G), Xsyn ((x2 , y)) ∩ Xm = ∅, establishing the condition 3. It follows that Φ is a relative M -compatible bisimulation relation. Further since ((x0 , y0 ), (x0 , y0 )) ∈ Φ for each y0 ∈ Y0 , GkS is relative M -compatible as desired. The following example substantiates an earlier statement that relative M -compatibility is not preserved under bisimilarity, and as a result M -compatibility of S only guarantees relative M -compatibility of GkS, and not of a specification R that is bisimilar to GkS. Example 3 Consider an example shown in Figure 4, where M (a1 ) = M (a2 ) and identity mask for other events. It can be easily verified that R1 ' R2 , R1 is relative M -compatible, A

1

a1 2

a2 3

a1

c 4

b2 , b3 b1

b1, b2 , b3 5

B

b1

A

a2 C

b2 , b3 E

a1, c

c D

B

b1

b1

a2 C

b2 , b3 D

Figure 4: G (left), R1 (middle), and R2 (right) but R2 is not. To see this, consider state A in R2 . Since M (a1 ) = M (a2 ), for R2 to be relative M -compatible, the condition 1 in Definition 4 should hold for the corresponding successors B and C. Since Xsyn (B) = {2, 4} and [Σ(4) ∩ Σ(C) = {b2 , b3 }] 6⊆ [Σ(4) ∩ Σ(B) = {b1 }], the condition 1 does not hold. Thus, R2 is not relative M -compatible. 12

Loss of relative M -compatibility under bisimilarity transformation motivates the following weaker notion. Definition 6 Given G, R is said to be state-recognizable (SR) with respect to G if there exists a relative M -compatible S such that S ' R. It is evident from the above definition that SR is weaker than relative M -compatibility and also that it is preserved under bisimilarity.

5

Bisimilarity Control under Partial Observation

In this section we establish that the property of SR is an additional property required of a specification R (besides being G-simulated and SC) for the existence of a bisimilarity enforcing supervisor when plant is deterministic. We need to first establish the following main property of relative M -compatibility. Given a relative M -compatible S possessing an underlying relative M -compatible bisimulation relation Φ, it is possible to compute S Φ such that S Φ is M -compatible and GkS ' GkS Φ . Note that this result does not require that the plant be deterministic. The following algorithm computes S Φ by combining relative M -compatible bisimilar states. Definition 7 Suppose S is relative M -compatible, possessing an underlying relative M compatible bisimulation relation Φ. We say that Yˆ ⊆ Y is a Φ-compatible set if y1 , y2 ∈ Yˆ implies (y1 , y2 ) ∈ Φ. Note that by definition Φ is symmetric, and also contains (y0 , y0 ) for all y0 ∈ Y0 . Using the definition of relative M -compatibility it can then be concluded that (y, y) ∈ Φ for each y ∈ Y , i.e., Φ is also reflexive. However Φ need not be transitive, and as a result, the Φcompatible sets do not form a partition of Y , rather only a cover. The states of S Φ are then chosen to be the maximal Φ-compatible sets. Algorithm 1 Given a relative M -compatible bisimulation relation Φ under which S is relative M -compatible, an algorithm for the computation of a M -compatible S Φ is given as below. S Φ := (Y, Σ, β Φ , Y0 , Ym ), where • Y ⊆ 2Y is set of states of S Φ , and Y = {Yˆ ⊆ Y | Yˆ is a maximal Φ-compatible set}. • β Φ is its transition function such that for all Yˆ , Y ∈ Y and for all σ ∈ Σ(Yˆ , Y ) := {σ ∈ Σ(Yˆ ) = ∪y∈Yˆ Σ(y) | β(Yˆ , σ) ∩ Y 6= ∅}, Y ∈ β Φ (Yˆ , σ) ⇔ M −1 M (σ) ∩ Σ(Yˆ ) ⊆ Σ(Yˆ , Y ). 13

• Y0 is its set of initial states, and Y0 = {Yˆ ∈ Y | Yˆ ∩ Y0 6= ∅}. • Ym is its set of marked states, and Ym = {Yˆ ∈ Y | Yˆ ∩ Ym 6= ∅}. The following theorem proves the correctness of Algorithm 1. Theorem 1 Algorithm 1 is correct. I.e., consider G, S and an observation mask M . Suppose S is relative M -compatible so that exists a relative M -compatible bisimulation relation Φ such that (y0 , y0 ) ∈ Φ for all y0 ∈ Y0 . Then S Φ is M -compatible, where S Φ is computed by Algorithm 1. Proof: Pick Yˆ , Y ∈ Y and σ, σ 0 ∈ Σ(Yˆ ) such that M (σ) = M (σ 0 ). Suppose σ ∈ Σ(Yˆ , Y ). We first show that σ 0 ∈ Σ(Yˆ , Y ). Since Yˆ , Y ∈ Y are maximal Φ-compatible sets, by Definition 4, we have ⇒ ⇒ ⇒ ⇒

σ ∈ Σ(Yˆ , Y ), σ 0 ∈ Σ(Yˆ ), M (σ) = M (σ 0 ) ∃y ∈ β(Yˆ , σ) ∩ Y , and ∃y ∈ β(Yˆ , σ 0 ) such that (y, y) ∈ Φ y∈Y β(Yˆ , σ 0 ) ∩ Y 6= ∅ σ 0 ∈ Σ(Yˆ , Y ).

Next from the definition of β Φ , for σ, σ 0 ∈ Σ(Y , Yˆ ), Y ∈ β Φ (Yˆ , σ) ⇔ M −1 M (σ) ∩ Σ(Yˆ ) ⊆ Σ(Yˆ , Y ) ⇔ M −1 M (σ 0 ) ∩ Σ(Yˆ ) ⊆ Σ(Yˆ , Y ) ⇔ Y ∈ β Φ (Yˆ , σ 0 ), as desired. Remark 2 Note that the state set of S Φ is a subset of the power set 2Y . In other words, the complexity of Algorithm 1 is in general exponential in the number of states of S, i.e., O(2|S| ). The following example illustrates the construction of S Φ . Example 4 Consider relative M -compatible state machine S shown in Example 2. We first compute Y. By the relative M -compatible bisimulation relation Φ computed in Example 2, we have Y = {{A, B}, {C, D}, {C, E}, {F, F }}, and Y0 = {{A, B}}. Next we compute the set of transitions. Let Yˆ0 = {A, B}, Yˆ1 = {C, D}, Yˆ2 = {C, E}, Yˆ3 = {F, F }. Note that Σ(Yˆ0 ) = {a, b1 , b2 , d}. 14

• Since Σ(Yˆ0 , Yˆ0 ) = {a} and M −1 M (a) ∩ Σ(Yˆ0 ) = {a} ⊆ Σ(Yˆ0 , Yˆ0 ), transition (Yˆ0 , a, Yˆ0 ) is in S Φ . • Since Σ(Yˆ0 , Yˆ1 ) = {b1 , b2 } and M −1 M (b1 ) ∩ Σ(Yˆ0 ) = {b1 , b2 } = M −1 M (b2 ) ∩ Σ(Yˆ0 ) ⊆ Σ(Yˆ0 , Yˆ1 ), transitions (Yˆ0 , b1 , Yˆ1 ) and (Yˆ0 , b2 , Yˆ1 ) are in S Φ . • Since Σ(Yˆ0 , Yˆ2 ) = {b1 , b2 , d}, and M −1 M (b1 ) ∩ Σ(Yˆ0 ) = {b1 , b2 } = M −1 M (b2 ) ∩ Σ(Yˆ0 ) ⊆ Σ(Yˆ0 , Yˆ2 ), and M −1 M (d) ∩ Σ(Yˆ0 ) = {d} ⊆ Σ(Yˆ0 , Yˆ2 ), transitions (Yˆ0 , b1 , Yˆ2 ), (Yˆ0 , b2 , Yˆ2 ) and (Yˆ0 , d, Yˆ2 ) are in S Φ . Similarly one can compute the other transitions; the details are omitted here. S Φ is drawn in Figure 3. It can be verified by inspection that S Φ is M -compatible. Having showed that S Φ is M -compatible whenever S is relative M -compatible, we next show that if in addition S is bisimilarity enforcing, then so is S Φ . We recall the following theorem from [31, Theorem 4]. Theorem 2 [31] Given automata G1 and G2 , G1 ' G2 if and only if ˆ and 1. ∀x1 ∈ X1 , ∃x2 ∈ (X2 )syn (x1 ), such that Σ(x1 ) = Σ(x2 ) =: Σ, ˆ ∀x1σ ∈ α1∗ (x1 , σ) ⇒ ∃x2σ ∈ α2∗ (x2 , σ) such that Σ(x1σ ) = Σ(x2σ ), ∀σ ∈ Σ, ˆ ∀x2σ ∈ α2∗ (x2 , σ) ⇒ ∃x1σ ∈ α1∗ (x1 , σ) such that Σ(x1σ ) = Σ(x2σ ), ∀σ ∈ Σ, x1 ∈ Xm1 ⇔ x2 ∈ Xm2 . 2. ∪x1 ∈X1 {x2 ∈ (X2 )syn (x1 ) | (x1 , x2 ) satisfies the condition above} = X2 . Theorem 3 Given G and S, if S is relative M -compatible with respect to G, then GkS ' GkS Φ , where Φ is the relative M -compatible bisimulation relation under which S is relative M -compatible, and S Φ is computed by Algorithm 1. Proof: Define a relation Ψ ⊆ ((X × Y) ∪ (X × Y ))2 as: Ψ := {((x, Yˆ ), (x, y)), ((x, y), (x, Yˆ )) | (x, Yˆ ) in GkS Φ , (x, y) in GkS, and y ∈ Yˆ }. Note that from construction in Algorithm 1, Xsyn (Yˆ ) = ∪y0 ∈Yˆ Xsyn (y 0 ). So, x ∈ Xsyn (y) implies x ∈ Xsyn (Yˆ ) when y ∈ Yˆ , i.e., a pair ((x, y), (x, Yˆ )) with y ∈ Yˆ in Ψ is indeed feasible. We use Theorem 2 to prove GkS Φ 'Ψ GkS. For a state (x, Yˆ ) in GkS Φ and y ∈ Yˆ , it is clear that (x, y) ∈ (X × Y )syn (x, Yˆ ). Further, Σ((x, Yˆ )) = Σ(x) ∩ Σ(Yˆ ) = Σ(x) ∩ [∪y0 ∈Yˆ Σ(y 0 )] = [Σ(x) ∩ Σ(y)] ∪ [Σ(x) ∩ [∪y0 ∈Yˆ −{y} Σ(y 0 )]] = Σ((x, y)) ∪ [∪y0 ∈Yˆ −{y} (Σ(x) ∩ Σ(y 0 ))] (a)

= Σ((x, y)). 15

Equality (a) holds since y 0 ∈ Yˆ − {y}, and y ∈ Yˆ implies (y, y 0 ) ∈ Φ. So by Definition 4, Σ(x) ∩ Σ(y 0 ) ⊆ Σ(x) ∩ Σ(y) = Σ((x, y)) for x ∈ Xsyn (y) and y 0 ∈ Yˆ − {y}. Similar event-set equality as established above for ((x, Yˆ ), (x, y)) pair needs to hold for their respective σ-successors, which will be the case whenever the respective σ-successors form a pair that lies in Ψ. For a σ-successor state (xσ , yσ ) in GkS, exists some Yˆσ ∈ β Φ (Yˆ , σ) such that yσ ∈ Yˆσ since Σ(Yˆ ) = ∪y0 ∈ˆy Σ(y 0 ). Then obviously, ((xσ , Yˆσ ), (xσ , yσ )) ∈ Ψ, as desired. Further by Algorithm 1, y ∈ Yˆ and y ∈ Ym implies Yˆ ∩ Ym 6= ∅, i.e., Yˆ ∈ Ym . Thus (x, y) ∈ Xm × Ym implies (x, Yˆ ) ∈ Xm × Ym . On the other hand, if (x, Yˆ ) ∈ Xm × Ym , then for any y ∈ Yˆ , we claim that y ∈ Ym . Suppose for contradiction that y 6∈ Ym . Since Yˆ ∈ Ym , then there exists y 0 ∈ Yˆ ∩ Ym . Also since y, y 0 ∈ Yˆ , (y, y 0 ) ∈ Φ. Thus by condition 3 of Definition 4, Xsyn (y) ∩ Xm = ∅. Then for x ∈ Xsyn (y), x 6∈ Xm , a contradiction to the fact that (x, Yˆ ) ∈ Xm × Ym . Finally, each state (x, y) of GkS is paired with a state (x, Yˆ ) of GkS Φ such that y ∈ Yˆ , and vice-versa. By Theorem 2, GkS Φ 'Ψ GkS, as desired. So far we have shown that a relative M -compatible state machine may be converted into a M -compatible state machine while preserving the control action. We next show that if the state machine is also state-controllable, then it may be converted to a (Σu , M )-compatible state machine, also preserving the control action. We know that if S is relative M -compatible then S Φ is M -compatible. We show that if S is also SC, then so is S Φ . We need the following alternative characterization of SC. Lemma 2 Given G, S is SC if and only if for each y in S, [∪x∈Xsyn (y) Σ(x)] ∩ Σu ⊆ Σ(y) ∩ Σu . Proof: Note that we have the following equivalence: a ∈ [∪x∈Xsyn (y) Σ(x)] ∩ Σu ⇔ a ∈ Σu , ∃s ∈ L(G) : y ∈ β ∗ (Y0 , s) and sa ∈ L(G). Thus, the proof follows from Definition 3. Lemma 3 Consider G and S such that S is relative M -compatible and SC. Then S Φ is SC, where Φ is the relative M -compatible bisimulation relation under which S is relative M -compatible, and S Φ is computed by Algorithm 1. Proof: Consider a state Yˆ in S Φ , and the set of states Xsyn (Yˆ ) in G that synchronize with Yˆ . Then from construction in Algorithm 1, Xsyn (Yˆ ) = ∪y∈Yˆ Xsyn (y) and Σ(Yˆ ) = ∪y∈Yˆ Σ(y). By Lemma 2, for S Φ to be SC, it suffices to show that [∪y∈Yˆ [∪x∈Xsyn (y) Σ(x)]] ∩ Σu ⊆ [∪y∈Yˆ Σ(y)] ∩ Σu . Since S is SC, for y ∈ Y , [∪x∈Xsyn (y) Σ(x)] ∩ Σu ⊆ Σ(y) ∩ Σu . Thus, the following holds: ∪y∈Yˆ [∪x∈Xsyn (y) Σ(x)∩Σu ] ⊆ ∪y∈Yˆ [Σ(y)∩Σu ] ⇔ ∪y∈Yˆ [∪x∈Xsyn (y) Σ(x)]∩Σu ⊆ ∪y∈Yˆ [Σ(y)]∩Σu . 16

Finally, we show one of the main results of this section that S Φ can further be made Σu -compatible by augmenting each state of S Φ by undefined uncontrollable events at that state such that the control exercised remains unaffected. Theorem 4 Given a SC and relative M -compatible state machine S, consider S Φ where Φ is the relative M -compatible bisimulation relation under which S is relative M -compatible, and S Φ is as computed by Algorithm 1. For each state Yˆ of S Φ and σ ∈ Σu − Σ(Yˆ ), add the following transition(s) on σ: • If 6 ∃a ∈ Σ(Yˆ ) such that M (a) = M (σ), then add σ as self-loop at Yˆ ; • Else, ∀a ∈ Σ(Yˆ ) such that M (a) = M (σ), add transition on σ from Yˆ to Y ∈ β Φ (Yˆ , a). Let S Φ,Σu be the resulting state machine. Then S Φ,Σu is (Σu , M )-compatible, and GkS ' GkS Φ,Σu . Proof: Since σ ∈ Σu is defined at every state of S Φ,Σu , S Φ,Σu is Σu -compatible. By Theorem 1, S Φ is M -compatible. Also, transitions on undefined uncontrollable events are added in S Φ so that all indistinguishable transitions at a state have the same successors in S Φ,Σu . It follows that S Φ,Σu is M -compatible, and so S Φ,Σu is also (Σu , M )-compatible. By Lemma 3, S is state-controllable implies S Φ is state-controllable. Then for any state (x, Yˆ ) in GkS Φ such that x has uncontrollable events defined, S Φ also has those events defined at Yˆ . Therefore, adding transitions at each state Yˆ on undefined uncontrollable events in S Φ does not change the result of synchronous composition. It follows that GkS Φ = GkS Φ,Σu . Since by Theorem 3, GkS ' GkS Φ , GkS ' GkS Φ,Σu , as desired. In order to arrive at the final result of the section (a necessary and sufficient condition for the existence of bisimilarity enforcing control), we need the following result, which shows that bisimilarity is preserved under synchronous composition. Lemma 4 Given G and R1 'Ψ R2 , then GkR1 ' GkR2 . Proof: Define a relation Ψ0 ⊆ ((X × Q1 ) ∪ (X × Q2 ))2 as: Ψ0 := {((x, q1 ), (x, q2 )), ((x, q2 ), (x, q1 )) | (x, qi ) in GkRi , x ∈ Xsyn (q1 ) ∩ Xsyn (q2 ), (q1 , q2 ) ∈ Ψ}. Without loss of generality, assume Ψ is a minimal bisimulation relation, thus, X syn (q1 ) ∩ Xsyn (q2 ) 6= ∅, i.e., a pair ((x, q1 ), (x, q2 )) is indeed feasible. We use Theorem 2 to prove GkR1 'Ψ0 GkR2 . For states (x, qi ) in GkRi , it is clear that (a)

(x, qj ) ∈ (X × Qj )syn (x, qi ) for i, j = 1, 2, and Σ((x, q1 )) = Σ((x, q2 )). Equality (a) holds since (q1 , q2 ) ∈ Ψ implies Σ(q1 ) = Σ(q2 ). Similarly, for σ-successor state (xσ , qiσ ) of (x, qi ) in GkRi , the similar equality (a) holds. Further, (x, q1 ) ∈ Xm ×Qm1 ⇔ (x, q2 ) ∈ Xm ×Qm2 since (q1 , q2 ) ∈ Ψ implies that q1 ∈ Qm1 ⇔ q2 ∈ Qm2 . Thus, each state (x, q1 ) of GkR1 is paired 17

with a state (x, q2 ) of GkR2 as defined in Ψ0 and vice-versa. By Theorem 2, GkR1 'Ψ0 GkR2 as desired. Now we are ready to establish a necessary and sufficient condition for the existence of a bisimilarity enforcing supervisor when plant is deterministic. Theorem 5 Consider a deterministic G, a possibly nondeterministic R, and an observation mask M . Then there exists a (Σu , M )-compatible supervisor S such that GkS ' R if and only if R v G, R is SC and SR. Proof: We first prove the necessity. From [31, Corollary 5], R v G and R is SC holds. Since S is M -compatible and G is deterministic, from Lemma 1, GkS is relative M -compatible. Since R ' GkS, it follows that R is SR. To see the sufficiency, since R is SR, exists S ' R such that S is relative M -compatible. Further since SC is preserved under bisimilarity [31, Lemma 6], SC of R implies SC of S. We choose S Φ,Σu to be the desired supervisor. Then from Theorem 4, S Φ,Σu is (Σu , M )compatible and GkS Φ,Σu ' GkS. Further since S ' R, it follows that GkS ' GkR (refer to Lemma 4). Further since R v G and G is deterministic, it follows that GkR ' R ([31, Corollary 4 and Corollary 5]). This completes the proof. Remark 3 The name state-recognizability is chosen since it is a generalization of “language recognizability” introduced in [12]. Language-recognizability serves as a condition for the existence of a nondeterministic supervisor for enforcing a deterministic specification (i.e., a language specification). As shown above, state-recognizability serves as a condition for the existence of a nondeterministic supervisor for enforcing a nondeterministic specification. Thus state-recognizability should be viewed as a generalization of language-recognizability introduced in [12]. In [12], the notion of language-achievability was introduced as a necessary and sufficient condition for the existence of a nondeterministic supervisor enforcing a deterministic language specification under partial observation. Theorem 5 can be viewed as a generalization of this result to allow nondeterministic specification. Thus the property of SC and SR combined can be viewed as a generalization of the language-achievability from the setting of deterministic specifications to nondeterministic ones. For this reason the combined property of SC and SR is termed as state-achievability.

6

Supervisor Existence Verification; its Computation

In order to verify the existence of a bisimilarity enforcing supervisor for a deterministic plant using Theorem 5, we need a method to verify the SR property of R. (Methods to verify R v G are well-known, and a method to verify SC property of R was reported in [31].) Since the property of SR is “existential” in nature (requiring the existence of a relative M -compatible—bisimilar system), it is not clear how to verify it. We show in this section that when R is G-simulated and G is deterministic, R is SR if and only if GkR is relative M -compatible. With such a result in hand all is needed is a way to test for the 18

relative M -compatibility, which we present in the next section. We need the results of the following two lemmas. Lemma 5 Given deterministic G, S is relative M -compatible implies that GkS is relative M -compatible. Proof: S is relative M -compatible implies that there exists a relative M -compatible bisimulation relation Φ ⊆ Y 2 with (y0 , y0 ) ∈ Φ for y0 ∈ Y0 . Define a relation Φ ⊆ (X × Y )2 as Φ0 := Φ(y1 ,y2 )→((x1 ,y1 ),(x2 ,y2 )) , i.e., Φ with (y1 , y2 ) ∈ Φ replaced by ((x1 , y1 ), (x2 , y2 )), where (y1 , y2 ) ∈ Φ and xi ∈ Xsyn (yi ). We need to show that all the conditions appearing in Definition 4 are satisfied. Due to determinism of G, Xsyn ((xi , yi )) = {xi }. Thus, for ((x1 , y1 ), (x2 , y2 )) ∈ Φ0 , Σ(x1 ) ∩ Σ((x2 , y2 )) = Σ(x1 ) ∩ [Σ(x2 ) ∩ Σ(y2 )] = [Σ(x1 ) ∩ Σ(y2 )] ∩ Σ(x2 ) (a)

⊆ [Σ(x1 ) ∩ Σ(y1 )] ∩ Σ(x2 ) ⊆ Σ(x1 ) ∩ Σ(y1 ) = Σ(x1 ) ∩ Σ((x1 , y1 )).

Containment (a) holds since relative M -compatibility of S implies Σ(x1 ) ∩ Σ(y2 ) ⊆ Σ(x1 ) ∩ Σ(y1 ) for x1 ∈ Xsyn (y1 ). Similarly, Σ(x2 ) ∩ Σ((x1 , y1 )) ⊆ Σ(x2 ) ∩ Σ((x2 , y2 )). Thus, the condition 1 of Definition 4 holds. Also, ai ∈ Σ((xi , yi )) implies ai ∈ Σ(yi ), and (y1 , y2 ) ∈ Φ implies (y1a1 , y2a2 ) ∈ Φ. It follows that ((x1a1 , q1a1 ), (x2a2 , q2a2 )) ∈ Φ0 . Thus the condition 2 of Definition 4 also holds. Finally, if (x1 , y1 ) ∈ Xm × Ym and (x2 , y2 ) 6∈ Xm × Ym , then either x2 6∈ Xm or y2 6∈ Ym . If y2 6∈ Ym , then since (y1 , y2 ) ∈ Φ, we have Xsyn (y2 ) ∩ Xm = ∅. So since x2 ∈ Xsyn (y2 ), x2 6∈ Xm . Under determinism of G, this further implies Xsyn ((x2 , y2 ))∩Xm = {x2 }∩Xm = ∅. It follows that the condition 3 of Definition 4 holds. Thus, Φ0 is a relative M -compatible bisimulation relation. Further since ((x0 , y0 ), (x0 , y0 )) ∈ Φ0 for each y0 ∈ Y0 , GkS is relative M -compatible as desired. Lemma 5 shows that relative M -compatibility of S implies relative M -compatibility of GkS (under determinism of G). However, the converse needs not hold. Consider G and R 2 shown in Example 3, it can be verified that GkR2 is relative M -compatible, but R2 is not so. Lemma 6 Given deterministic G, (possibly nondeterministic) S = (Y, Σ, β, Y 0 , Ym ) and S 0 = (Y 0 , Σ, β 0 , Y00 , Ym0 ), if S 'Ψ S 0 and GkS is relative M -compatible, then GkS 0 is also relative M -compatible. Proof: GkS is relative M -compatible implies there exists a relative M -compatible bisimulation relation Φ ⊆ (X × Y )2 with ((x0 , y0 ), (x0 , y0 )) ∈ Φ for all y0 ∈ Y0 . Define a relation Φ0 ⊆ (X × Y 0 )2 as Φ0 := Φ((x1 ,y1 ),(x2 ,y2 ))→((x1 ,y10 ),(x2 ,y20 )) , 19

i.e., Φ with ((x1 , y1 ), (x2 , y2 )) replaced by ((x1 , y10 ), (x2 , y20 )), where (y1 , y10 ), (y2 , y20 ) ∈ Ψ. Since G is deterministic, Xsyn ((xi , yi )) = Xsyn ((xi , yi0 )) = {xi }. Thus, ∀x ∈ Xsyn ((xi , yi )) = {xi } : Σ(x) ∩ Σ((xj , yj )) ⊆ Σ(x) ∩ Σ((xi , yi )) for i, j = 1, 2 ⇒ Σ(xi ) ∩ Σ((xj , yj )) ⊆ Σ(xi ) ∩ Σ((xi , yi )) for i, j = 1, 2 (a)

⇒ Σ(xi ) ∩ Σ((xj , yj0 )) ⊆ Σ(xi ) ∩ Σ((xi , yi0 )) for i, j = 1, 2 ⇒ ∀x ∈ Xsyn ((xi , yi0 )), Σ(x) ∩ Σ((xj , yj0 )) ⊆ Σ(x) ∩ Σ((xi , yi0 )) for i, j = 1, 2 Implication (a) holds since (yi , yi0 ) ∈ Ψ implies Σ(yi ) = Σ(yi0 ). By Definition 4, Φ0 is a relative M -compatible bisimulation relation with ((x0 , y00 ), (x0 , y00 )) ∈ Φ0 for all y00 ∈ Y00 . Therefore, GkS 0 is relative M -compatible. The following theorem establishes a way to verify state-recognizability of a specification R that is G-simulated. Theorem 6 Given a deterministic G and a nondeterministic R such that R v G, R is SR if and only if GkR is relative M -compatible. Proof: For the necessity, exists S such that S ' R and S is relative M -compatible. By Lemma 5, GkS is relative M -compatible. This together with the fact that S ' R, implies from Lemma 6 that GkR is relative M -compatible. To see the sufficiency, we need to show the existence of S ' R such that S is relative M -compatible. Choose S = GkR. Then by relative M -compatibility of GkR, S is relative M -compatible. So it remains to show that S(= GkR) ' R. Since G is deterministic and R v G, it follows that GkR ' R. Remark 4 According to Theorem 5, S Φ,Σu can be used as a supervisor, where S is any state machine such that S ' R and S is relative M -compatible. According to Theorem 6, S can be chosen to be GkR. Thus a possible (Σu , M )-compatible bisimilarity enforcing supervisor for a deterministic plant is given by (GkR)Φ,Σu . The complexity of its computation is same as that of (GkR)Φ since the complexity of computing (·)Σu is linear in size of (·). Recall that a state in (GkR)Φ is a subset of X × Q implying that the complexity of synthesizing a bisimilarity enforcing supervisor for a deterministic plant is of order O(2 |G|×|R| ). Next we illustrate Theorem 5 by revisiting Example 1. Example 5 Applying Theorem 5, we first check whether R is G-simulated (R and G are shown in Figure 2). This can be easily verified. Also, since Σu = ∅, R is trivially SC. Next, we verify whether GkR (shown in Figure 5) is relative M -compatible. We find the following relative M -compatible bisimulation relation Φ ⊆ (X × Q)2 exists (the details are omitted): Φ = {((A, 1), (A, 1)), ((B, 2), (C, 10)), ((B, 3), (C, 9)), ((D, 4), (E, 12)), ((D, 5), (E, 11)), ((F, 6), (G, 14)), ((F, 7), (G, 13)), ((H, 8), (K, 15)), ((C, 10), (B, 2)), ((C, 9), (B, 3)), ((E, 12), (D, 4)), ((E, 11), (D, 5)), ((G, 14), (F, 6)), ((G, 13), (F, 7)), ((K, 15), (H, 8))}. 20

Thus, R is SR. Therefore, there exists a (Σu , M )-compatible supervisor S such that GkS ' R. Since Σu = ∅, S is same as (GkR)Φ , which is drawn in Figure 5. The controlled system GkS turns out to be the same as R and is also shown in Figure 5. Obviously GkS ' R and so S is nonblocking and Lm (GkS) = Lm (R) = Lm (Rdet ), where Rdet as shown in Figure 2 is a deterministic automaton representing the desired language specification. (A,1) a1

b2

b1

a2

a1 a2 (B,3)

(B,2)

(C,9)

(E,11)

d c

c

b1

c

c (F,7)

(F,6)

b2 (H,8)

(E,12) d

(G,13)

a2 a1

b1 d

a1

a2

a1 (C,10) b3

b2

(D,5)

(D,4)



b3

b1

b2

c

a2

a1 a2



c



b2

b2

b3

d

d c

c

c

c

b1

b2

b2

b3



(G,14) b2

b3

b3 b1

b2

(K,15)

Figure 5: GkR (left), S = (GkR)Φ (middle), and GkS (right) Of course if R were not SC or SR, one would verify whether other nondeterministic, trim, and language equivalent specifications (such as R0 or R00 shown in Figure 2) satisfy such properties. Note that due to the finiteness of Rdet the number of such “basic” nondeterministic, trim, and language equivalent specifications is bounded. (The boundedness also follows from the small model result of decidability of CTL* or µ-calculus specifications.)

7

Test for Relative M -compatibility

Since the state-recognizability property of R is equivalent to a relative M -compatibility property (under determinism of G and the fact that R is G-simulated), we next develop an algorithm for verifying relative M -compatibility. Algorithm 2 The algorithm for verifying relative M -compatibility of S is given as below: 1. Consider two copies of S and perform their masked-composition, denoted M C(S, S) := 2 (Y 2 , Σ2 , β 2 , Y02 , Ym2 ), where ∀(y1 , y2 ) ∈ Y 2 , (σ1 , σ2 ) ∈ Σ ,  β(y1 , σ1 ) × β(y2 , σ2 ),     β(y , σ ) × {y }, 1 1 2 β 2 ((y1 , y2 ), (σ1 , σ2 )) :=  {y1 } × β(y2 , σ2 ),   

∅,

if if if if

M (σ1 ) = M (σ2 ), σ1 6=  6= σ2 , M (σ1 ) =  = σ2 , M (σ2 ) =  = σ1 , σ1 = σ2 = .

β 2 ((y1 , y2 ), ) := (β(y1 , ) × {y2 }) ∪ ({y1 } × β(y2 , )). 2. Mark a state (y1 , y2 ) of M C(S, S) “good” if and only if ∀xi ∈ Xsyn (yi ), Σ(xi ) ∩ Σ(yj ) ⊆ Σ(xi ) ∩ Σ(yi ), i, j = 1, 2, and yi ∈ Ym , yj 6∈ Ym ⇒ Xsyn (yj ) ∩ Xm = ∅, i, j = 1, 2. 21

3. (a) n := 0, Φn := {(y1 , y2 ) | (y1 , y2 ) is a “good” state in M C(S, S)}. (b) For (y1 , y2 ) ∈ Φn , if ai ∈ Σ(yi ) for i = 1, 2, and M (a1 ) = M (a2 ), then for each yi0 ∈ β(yi , ai ), check whether exists yj0 ∈ β(yj , aj ), where i, j = 1, 2, such that (y10 , y20 ) ∈ Φn . If not, Φn+1 := Φn − {(y1 , y2 )}. (c) If Φn+1 = Φn or Φn+1 = ∅, then Φ := Φn+1 and stop; Otherwise, n := n + 1, go to step (b). 4. S is relative M -compatible if and only if (y0 , y0 ) ∈ Φ for all y0 ∈ Y0 . The following theorem proves the correctness of Algorithm 2. Theorem 7 Algorithm 2 is correct. Proof: We first prove that Φ is a relative M -compatible bisimulation relation. By step 1, every state in M C(S, S) is a pair of states reached by indistinguishable traces in S, i.e., (y1 , y2 ) in M C(S, S) ⇔ ∃s1 , s2 with M (s1 ) = M (s2 ) s.t. yi ∈ β ∗ (Y0 , si ), for i = 1, 2. Note that by Definition 4, an element of a relative M -compatible bisimulation relation is a state-pair that are reached by indistinguishable traces. Thus, the set of state-pairs in a relative M -compatible bisimulation relation is a subset of state-pairs in M C(S, S) computed in step 1. By step 2, for each (yi , yj ) ∈ Φ, conditions 1 and 3 of Definition 4 is satisfied. By step 3, for each (yi , yj ) ∈ Φ, conditions 1, 2, and 3 of Definition 4 is satisfied. Thus, Φ is a relative M -compatible bisimulation relation as desired. Further if by step 4, (y 0 , y0 ) ∈ Φ for all y0 ∈ Y0 , then by Definition 5, S is relative M -compatible. Next we prove that if S is relative M -compatible, then Algorithm 2 computes one relative M -compatible bisimulation relation. Assume Φ∗ is a relative M -compatible bisimulation relation under which S is relative M -compatible. Then we need to show that Φ∗ ⊆ Φ. As argued above, by conditions 1 and 3 of Definition 4 and steps 1 and 2, Φ∗ ⊆ Φ0 . Also by condition 2 in Definition 4 and step 3, Φ∗ ⊆ Φ. Finally since (y0 , y0 ) ∈ Φ∗ for each y0 ∈ Y0 and by step 4, Φ∗ ⊆ Φ, proving the correctness of the algorithm. Remark 5 The complexity of masked-composition of S and S is O(|S|2 ). The complexity of marking “good” states is linear in the size of GkS and quadratic in the size of S, i.e., O(|G| × |S|) + O(|S|2 ). This is because for each (y1 , y2 ) ∈ M C(S, S), we need to check |Xsyn (y1 )| + |Xsyn (y2 )| number of event containment relations and |Xsyn (y1 )| + |Xsyn (y2 )| number of state marking status. So the total number of checks needed is, 2

X

(|Xsyn (y1 )| + |Xsyn (y2 )|) = 2

X X

(

y2

(y1 ,y2 )∈Y 2

≤ 2

X

|Xsyn (y1 )|) +

y1

X X

(

y1

|X| × |Y | +

y2

X

|Xsyn (y2 )|)

y2

|X| × |Y |

y1

= 2|X| × |Y |[

X y1

22

1+

X y2

1] = 4|X| × |Y |2 = O(|X| × |S|).

The complexity of computing Xsyn (·) is O(|G| × |S|) and that of M C(S, S) is O(|S|2 ), and so the complexity of step 1 is O(|X| × |S|) + O(|G| × |S|) + O(|S|2 ) = O(|G| × |S|) + O(|S|2 ). The complexity of step 3 is linear in the size of M C(S, S), i.e., O(|S|2 ). Thus, the complexity of Algorithm 2 is linear in the size of GkS and quadratic in the size of S, i.e., O(|G| × |S|) + O(|S|2 ). It follows that the complexity of checking relative M -compatibility of GkR is O(|G| × (|G|×|R|))+O((|G|×|R|)2 ) = O(|G|2 ×|R|2 ). Complexity of checking R is SC is O(|G|×|R|). Complexity for checking whether R is G-simulated is O(|G| × |R|). Thus, the complexity of checking the existence of a (Σu , M )-compatible bisimilarity enforcing supervisor for deterministic plants is O(|G|2 × |R|2 ).

8

Comparison with Control for Language Specification

In a prior section, we showed that a necessary and sufficient condition for the existence of a (possibly) nondeterministic supervisor such that the controlled system is bisimilar to a (possibly) nondeterministic specification for deterministic plants is SR and SC. In [12], it was shown that a necessary and sufficient condition for the existence of a (possibly) nondeterministic supervisor for a language specification is (Σu , M )-achievability (called language-achievability or LA for short). A necessary and sufficient condition for the existence of a nonblocking deterministic supervisor such that the language of the controlled system equals a specification language is controllability together with observability (called language-controllability and observability or LO & LC for short). All the above conditions also apply to deterministic plants. Thus, it is interesting to compare these conditions and explore how they are related to each other. It was shown in [12] that LO & LC is strictly stronger than LA Let state-achievability (SA) be SC and SR combined. We show that SA is a strictly stronger notion than LA, and the notions of SA and LO & LC are not comparable in general. However, it turns out that they are equivalent requirements when the specification is deterministic and trim. We first show that the notion of SA is stronger than LA. Recall the definition of languageachievability. Let L(R) ⊆ L(G), (i) L(R) is said to be Σu -controllable with respect to L(G) if ∀s ∈ L(R) and ∀a ∈ Σu , sa ∈ L(G) ⇒ sa ∈ L(R). (ii) L(R) is said to be M -recognizable with respect to L(G) if ∀s, t ∈ Σ∗ and ∀a ∈ Σ with M (a) = , sat ∈ L(R) ⇒ sa∗ t ∩ L(G) ⊆ L(R). (iii) L(R) is said to be (Σu , M )-achievable with respect to L(G) if L(R) is Σu -controllable and M -recognizable with respect to L(G), and ∀s, t ∈ Σ∗ , ∀a ∈ Σ, b ∈ Σu with M (a) = M (b), sat ∈ L(R) ⇒ {sbt} ∩ L(G) ⊆ L(R). Proposition 1 If R is SA, then R is LA. Proof: For notational convenience, let xs (resp., qs ) and xsa (resp., qsa ) be a state reached by a trace s and sa in G (resp., R), respectively. 23

We first show that if R is SA then L(R) is Σu -controllable. Suppose s ∈ L(R) and a ∈ Σu . Since R is SC, by Lemma 2, ∪x∈Xsyn (qs ) Σ(x) ∩ Σu ⊆ Σ(qs ) ∩ Σu . Note that sa ∈ L(G) implies that a ∈ ∪x∈Xsyn (qs ) Σ(x) ∩ Σu . Then a ∈ Σ(qs ) ∩ Σu . I.e., sa ∈ L(R). Next we show that if R is SA then L(R) is M -recognizable. We first prove that if sat ∈ L(R) for M (a) = , then san ∩ L(G) ⊆ L(R) for n ≥ 0. Since  ∈ Σ(qs ), a ∈ Σ(qs ) and M (a) = , ((xs , qs ), (xsa , qsa )) ∈ Φ, where Φ is a relative M -bisimulation relation under which GkR is relative M-compatible. Since G is deterministic, Xsyn ((xsa , qsa )) = {xsa }. Thus, Σ(xsa ) ∩ Σ((xs , qs )) ⊆ Σ(xsa ) ∩ Σ((xsa , qsa )). If saa ∈ L(G), i.e., a ∈ Σ(xsa ), then a ∈ Σ(qsa ), establishing base step. Note that since  ∈ Σ(qs ), a ∈ Σ(qsa ) and M (a) = , for R being SR, ((xs , qs ), (xsaa , qsaa )) ∈ Φ. Suppose san ∈ L(R), i.e., ((xs , qs ), (xsan , qsan )) ∈ Φ, then Σ(xsan ) ∩ Σ((xs , qs )) ⊆ Σ(xsan ) ∩ Σ((xsan , qsan )). If san+1 ∈ L(G), i.e., a ∈ Σ(xsan ), then a ∈ Σ(qsan ), i.e., san+1 ∈ L(R), which proves the induction step. Knowing san ∩ L(G) ⊆ L(R), next we prove san t ∩ L(G) ⊆ L(R). When |t| = 0, then san ∩L(G) ⊆ L(R), establishing the base step. Supposing san t0 ∩L(G) ⊆ L(R) for t0 ≤ t (i.e., t0 is a prefix of t). Then ((xsat0 , qsat0 ), (xsan t0 , qsan t0 )) ∈ Φ. Thus, Σ(xsan t0 ) ∩ Σ((xsat0 , qsat0 )) ⊆ Σ(xsan t0 ) ∩ Σ((xsan t0 , qsan t0 )). If san t0 σ ∈ L(G), i.e., σ ∈ Σ(xsan t0 ), then σ ∈ Σ(qsan t0 ). I.e., san t0 σ ∩ L(G) ⊆ L(R), which proves the induction step. Next, we show that if R is SA then R is (Σu , M )-achievable. We first notice that {sb} ∩ L(G) ⊆ L(R) for b ∈ Σu since R is SC. We next prove that sbt ∩ L(G) ∈ L(R). When |t| = 0, then {sb} ∩ L(G) ∈ L(R), establishing the base step. Supposing {sbt0 } ∩ L(G) ∈ L(R) for t0 ≤ t (i.e., t0 is a prefix of t). Note that ((xs , qs ), (xs , qs )) ∈ Φ. Also M (b) = M (a) and R is SR, then ((xsa , qsa ), (xsb , qsb )) ∈ Φ. Then ((xsat0 , qsat0 ), (xsbt0 , qsbt0 )) ∈ Φ. Thus, Σ(xsbt0 ) ∩ Σ((xsat0 , qsat0 )) ⊆ Σ(xsbt0 ) ∩ Σ((xsbt0 , qsbt0 )). If sbt0 σ ∈ L(G), i.e., σ ∈ Σ(xsbt0 ), then σ ∈ Σ(qsbt0 ). I.e., {sbt0 σ} ∩ L(G) ⊆ L(R), which proves the induction step. The following example shows that SA is strictly stronger than LA. Example 6 Consider L(G) = a(c + d) + bc, L(R) = ad + bc, where M (a) = M (b) 6=  and Σu = ∅. Let xa = α(x0 , a) and xb = α(x0 , b), then Σ(xa ) = {c, d} and Σ(xb ) = {c}. Also, let qa = δ(q0 , a) and qb = δ(q0 , b), then Σ(qa ) = {d} and Σ(qb ) = {c}. If R is SR, then there should exist a relative M -bisimulation relation Φ such that ((x a , qa ), (xb , qb )) ∈ Φ. For this to hold, Σ(xa ) ∩ Σ((xb , qb )) ⊆ Σ(xa ) ∩ Σ((xa , qa )) should hold, which is not true since Σ(xa ) ∩ Σ((xb , qb )) = {c}, Σ(xa ) ∩ Σ((xa , qa )) = {d}. Thus, R is not SA. Further since Σu = ∅, SA reduces to SR. It is easy to verify that L(R) is language-recognizable. Thus, SA is strictly stronger than LA. Next we show that SA and LC & LO are not comparable in general. Example 7 Consider an example shown in Figure 6. The observation mask is given by: M (b1 ) = M (b2 ) and identity mask for the other events. Assume all events are controllable. We show that R is not LO but it is SR, whereas R0 is LO but it is not SR. R is not LO since ab1 , ab2 ∈ L(R) with M (ab1 ) = M (ab2 ), ab1 b1 ∈ L(R) and ab2 b1 ∈ L(G) − L(R). However, R is SR. A desired relative M -bisimulation relation Φ is given by: Φ = {((1, A), (1, A)), ((2, B), (2, B)), ((2, C), (2, C)), ((3, D), (3, D)) ((3, E), (3, E)), ((4, F ), (4, F ))}. 24

A

1

a

a

A

a

a C

B 2

B

b2

b1 b2

b1

b1

E

D

3

b2

b2

b1 F

4

b1

b2 b2 D

C

b1

b2

b2

E

Figure 6: G (left), R (middle), and R0 (right) Next, R0 is LO since L(R0 ) = L(G). However, R0 is not SR. At state (2, B) of GkR0 , M (b1 ) = M (b2 ). For b2 -successor (3, D), there should exist a b1 -successor such that the condition 1 of Definition 4 holds. Note that (3, C) is the only b1 -successor of (2, B), and Xsyn ((3, D)) = {3},

[Σ(3) ∩ Σ((3, C)) = {b1 , b2 }] 6⊆ [Σ(3) ∩ Σ((3, D)) = {b2 }],

implying R0 is not SR. Although SA and LC & LO are not comparable in general, they are equivalent when R is deterministic and trim as shown next. Proposition 2 Given deterministic G, deterministic and trim R with R v G, R is SA if and only if R is LC & LO. Proof: We first show the necessity. Since G and R are deterministic, G||R is deterministic, and so (G||R)Φ and (G||R)Φ,Σu = S are deterministic. I.e., supervisor S such that G||S ' R can be chosen to be deterministic. G||S ' R implies L(G||S) = L(R) and Lm (G||S) = Lm (R), and so since S is deterministic, R is LC & LO. For the sufficiency, when L(R) = pr(Lm (R)) is LC & LO, exists a deterministic S such that L(G||S) = L(R) and Lm (G||S) = Lm (R). Since G||S and R are both deterministic, their language model equivalence implies their bisimulation equivalence, i.e., G||S ' R. So, it follows that R is SA.

9

Conclusion

Motivated by developing an alternate approach to language control subject to some branching properties (such as nonblockingness), this paper studied the supervisory control of deterministic systems subject to nondeterministic specifications under partial observation, with the objective that the controlled system be bisimulation equivalent to the specification system. The above problem for general nondeterministic plants is known to have a complexity bound that is double exponential in the product of the plant and the specification sizes. The existence condition we find for the special case of deterministic plants is polynomially 25

verifiable, whereas the complexity of synthesizing a supervisor (when one exists) is singly exponential. These complexities are similar to the ones for control under partial observation in completely deterministic setting [26]. We obtained a necessary and sufficient condition for the existence of a supervisor in terms the notion of state-recognizability introduced in this paper, and presented an algorithm of polynomial complexity for verifying it. The presence of partial observation poses a new challenge in the setting of nondeterministic specifications. It turns out certain properties that are relevant in the setting of partial observation such as observation-compatibility are not preserved under bisimilarity. So unlike the deterministic setting or the setting of complete observation where when a supervisor exists, the specification itself can be chosen as a supervisor, we cannot use the specification itself as a supervisor. An elaborate computation is required to show that the composition of the plant and the specification when suitably transformed through certain state-mergers can be used as a supervisor. Even the statemerger is quite unique: Unlike a usual situation where states to be merged belong to certain equivalence class, the states to be merged in our case don’t form a partition, rather only a cover (see Algorithm 1). Such a construction (i.e., one involving state-mergers based on a cover rather than a partition) is quite novel and to the best of our knowledge the first in the literature dealing with supervisory control theory. We think that this particular idea of state-mergers over a cover (rather a partition) may be useful in future in other problems of relevance to supervisory control.

References [1] A. Arnold, A. Vincent, and I. Walukiewicz. Games for synthesis of controllers with partial observation. Theoretical Computer Science, 303:7–34, 2003. [2] G. Barrett and S. Lafortune. Using bisimulation to solve discrete event control problem. In 1997 American Control Conference, pages 2337–2341, Albuquerque, New Mexico, June 1997. [3] R. Cieslak, C. Desclaux, A. Fawaz, and P. Varaiya. Supervisory control of discrete event processes with partial observation. IEEE Transactions on Automatic Control, 33(3):249–260, 1988. [4] M. Heymann and F. Lin. Discrete-event control of nondeterministic systems. IEEE Transactions on Automatic Control, 43(1):3–17, January 1998. [5] K. Inan. Supervisory control: Theory and application to the gateway synthesis problem. In Belgian-French-Netherlands Summer School on Discrete Event Systems, page 31 pages. Spa, Belgium, 1993. [6] K. Inan. Nondeterministic supervision under partial observations. In Guy Cohen and Jean-Pierre Quadrat, editors, Lecture Notes in Control and Information Sciences 199, pages 39–48. Springer-Verlag, New York, 1994. 26

[7] S. Jiang and R. Kumar. Supervisory control of nondeterministic discrete event systems with driven events via masked prioritized synchronization. IEEE Transactions on Automatic Control, 47(9):1438–1449, 2002. [8] S. Jiang and R. Kumar. Supervisory control of discrete event systems with CTL ∗ temporal logic specification. SIAM Journal on Control and Optimization, 2005. Accepted. [9] J. Komenda. Coalgebra and supervisory control of discrete-event systems with partial observations. In International Symposium (MTNS 2002), pages 12–16, Notre Dame, August 2002. [10] J. Komenda. Computation of supremal sublanguages of supervisory control using coalgebra. In Workshop on Discrete-Event Systems (WODES’02), pages 26–33, Zaragoza, October 2002. [11] R. Kumar and M. Heymann. Masked prioritized synchronization for interaction and control of discrete event systems. IEEE Transactions on Automatic Control, 45(11):1970– 1982, 2000. [12] R. Kumar, S. Jiang, C. Zhou, and W. Qiu. Polynomial synthesis of supervisor for partially observed discrete-event systems by allowing nondeterminism in control. IEEE Transactions on Automatic Control, 50(4):463–475, 2005. [13] R. Kumar and M. A. Shayman. Nonblocking supervisory control of nondeterministic systems via prioritized synchronization. IEEE Transactions on Automatic Control, 41(8):1160–1175, August 1996. [14] R. Kumar and M. A. Shayman. Centralized and decentralized supervisory control of nondeterministic systems under partial observation. SIAM Journal of Control and Optimization, 35(2):363–383, March 1997. [15] O. Kupferman, P. Madhusudan, P.S. Thiagarajan, and M.Y. Vardi. Open systems in reactive environments: Control and synthesis. In Proc. 11th Int. Conf. on Concurrency Theory, volume 1877 of Lecture Notes in Computer Science, pages 92–107. SpringerVerlag, 2000. [16] F. Lin and W. M. Wonham. On observability of discrete-event systems. Information Sciences, 44(3):173–198, 1988. [17] P. Madhusudan and P.S. Thiagarajan. Branching time controllers for discrete event systems. Theoretical Computer Science, 274:117–149, 2002. [18] H. Marchand and S. Pinchinat. Supervisory control problem using symbolic bisimulation techniques. In 2000 American Control Conference, pages 4067–4071, Chicago, Illinois, USA, June 2000.

27

[19] R. Milner. Communication and Concurrency. Prentice Hall, New York, 1989. [20] A. Overkamp. Supervisory control using failure semantics and partial specifications. IEEE Transactions on Automatic Control, 42(4):498–510, 1997. [21] H. Qin and P. Lewis. Factorization of finite state machines under observational equivalence. In Lecture Notes In Computer Science, volume 458. Springer-Verlag, 1990. [22] P. J. Ramadge and W. M. Wonham. Supervisory control of a class of discrete event processes. SIAM Journal of Control and Optimization, 25(1):206–230, 1987. [23] J.J.M.M. Rutten. Coalgebra, concurrency, and control. In 5th Workshop on Discrete Event Systems, pages 31–38, 2000. [24] M. A. Shayman and R. Kumar. Supervisory control of nondeterministic systems with driven events via prioritized synchronization and trajectory models. SIAM Journal of Control and Optimization, 33(2):469–497, March 1995. [25] P. Tabuada. Open maps, alternating simulations and control synthesis. In International Conference on Concurrency Theory, pages 466–480, 2004. [26] J. N. Tsitsiklis. On the control of discrete event dynamical systems. Mathematics of Control Signals and Systems, 2(2):95–107, 1989. [27] C. Zhou and R. Kumar. Control of nondeterministic discrete event systems for simulation equivalence. In Proceedings of IEEE Conference on Decision and Control, pages 507–512, Nassau, Bahama, 2004. [28] C. Zhou and R. Kumar. Interaction and control of discrete event systems via prioritized synchronous composition under mask. In Proceedings of American Control Conference, pages 3943–3948, 2005. [29] C. Zhou and R. Kumar. Small model theorem for bisimilarity control under partial observation. In Proceedings of American Control Conference, pages 3937–3942, 2005. [30] C. Zhou, R. Kumar, and S. Jiang. Control of nondeterministic discrete event systems for bisimulation equivalence. In Proceedings of 2004 American Control Conference, pages 4488–4492, Boston, MA, June 2004. [31] C. Zhou, R. Kumar, and S. Jiang. Control of nondeterministic discrete event systems for bisimulation equivalence. IEEE Transactions on Automatic Control, 2004. Accepted.

28