Control of Nondeterministic Discrete Event Systems for Simulation Equivalence ∗

Changyan Zhou and Ratnesh Kumar
Department of Electrical & Computer Engineering, Iowa State University, Ames, IA 50014
Abstract

The paper studies supervisory control of discrete event systems subject to specifications modeled as a nondeterministic state machine. The control is exercised so that the controlled system is simulation equivalent to the (nondeterministic) specification. Properties expressed in the universal fragment of the branching-time logic CTL* can equivalently be expressed as simulation equivalence specifications. This makes simulation equivalence a natural choice for behavioral equivalence in many applications, and it has found wide applicability in abstraction-based approaches to verification. While simulation equivalence is more general than language equivalence, we show that existence as well as synthesis for both the target and range control problems remain polynomially solvable. Our development shows that the simulation relation is a preorder over automata, with union and synchronization of automata serving as an infimal upper bound and a supremal lower bound, respectively. For the special case when the plant is deterministic, the notion of state-controllable-similar is introduced as a necessary and sufficient condition for the existence of a similarity enforcing supervisor. We also present conditions for the existence of a similarity enforcing supervisor that is deterministic.

Keywords: Discrete event systems, supervisory control, simulation equivalence, nondeterministic systems, nondeterministic specification, nondeterministic control

Note to Practitioners: Nondeterminism in discrete-event systems arises due to abstraction or unmodeled dynamics, where nondeterminism means that a transition on an event from a current state can lead to one of many states arbitrarily. For nondeterministic systems, besides the sequencing constraints one may also need to specify branching constraints such as: all paths contain a state starting from where all future states satisfy a certain property. For a nondeterministic system the above property cannot be expressed as a language equivalence specification, but it can be expressed as a simulation equivalence specification. Through simulation equivalence one is able to specify properties of all sequencing and branching behaviors. The present paper studies the control of (nondeterministic) systems so that the controlled systems satisfy simulation equivalence specifications. A main contribution is to show that, as is the case with language specifications, the control problem remains polynomially solvable. Specializations to deterministic systems and deterministic controls are also considered.

∗ This work was supported in part by the National Science Foundation under the grants NSF-ECS-0218207, NSF-ECS-0244732, NSF-EPNES-0323379, NSF-ECS-0424048 and NSF-ECS-0601570 and a DoD-EPSCoR grant from the Office of Naval Research under the grant N000140110621.
1 Introduction
The supervisory control of discrete event systems provides a framework for the control of event-driven systems. A supervisory controller, called a supervisor, disables certain controllable events to ensure that the controlled system behavior agrees with the desired behavior. In general, a system can be nondeterministic due to the presence of unmodeled dynamics or because of abstraction. For a nondeterministic system several notions of behavioral equivalence that are finer than language equivalence have been proposed: failures [8], refusal-trace (or trajectory) [23, 7], ready-trace [3], simulation and bisimulation [21]. This is so that one can specify the sequencing as well as certain types of branching constraints. Bisimulation equivalence is the most expressive and allows the specification of the full set of branching constraints (such as nonblocking). On the other hand, none of the branching constraints can be specified using language equivalence. So the choice of behavioral equivalence depends on the application at hand, and there is a trade-off between expressivity and complexity. For example, while the language equivalence control problem is polynomially solvable [26, 13], the complexity of bisimulation equivalence control is doubly exponential [32]. In this paper we study control for simulation equivalence, whose expressiveness lies between the language and the bisimulation equivalences. Being more general than the language specification, simulation equivalence can express all types of sequencing constraints, but being less general than bisimulation equivalence it can only specify the universal constraints on the branching behaviors, i.e., the constraints that all branching behaviors must satisfy. So, for example, nonblocking, which requires the existence of a path to a final state from each reachable state (note that it uses an existential quantifier in its statement), cannot be expressed via simulation equivalence.
An example of a property that can be expressed using simulation equivalence but not using languages is as follows: all paths contain a state starting from where all future states satisfy a certain property. (Note that no existential quantifier is used in this statement.) Simulation equivalence can express specifications in the temporal logic ACTL* (the universal fragment of CTL*) [4, 20]. The expressivity of simulation equivalence may suffice for certain applications, in which case the more general requirement of bisimulation equivalence need not be imposed. Such a choice results in a complexity gain since, as we demonstrate in the paper, the simulation equivalence control problem remains polynomially solvable.

The control of nondeterministic plants is studied in [29, 14, 15, 12, 9, 22, 6] for language, failures and trajectory specifications. [10] studied control of deterministic plants subject to CTL* temporal logic specifications, generalizing the work reported in [1], which used CTL to express specifications. A comparison with the works in [18, 16, 17, 2] is also given in [10]. In [24] the authors studied the problem of synthesizing a supervisor so that the controlled system is bisimilar to a deterministic specification. [19] studied control for simulation and bisimulation equivalence for a partial specification (defined over an “external event set”); the plant is taken to be deterministic and all events are treated as controllable, and it is further required that all indistinguishable events be either all enabled or all disabled at a state. [30] studied the controller synthesis problem for deterministic plants subject to a possibly nondeterministic partial specification such that the controlled system is bisimulation or simulation equivalent to the specification; this is the same problem as that studied in [19] except that the aforementioned control requirement is removed. Control of nondeterministic plants subject to bisimulation equivalence using nondeterministic supervisors has recently been studied in [32]. [2] studied the synthesis of controllers for deterministic plants subject to µ-calculus based specifications under partial observation, where the observation mask is restricted to be of projection type. (A µ-calculus specification is equivalent to a bisimulation equivalence specification.) Control for µ-calculus specifications is also studied in [28, 25].

As discussed above, simulation equivalence can be an adequate notion of equivalence for certain applications (where one is concerned with properties of all sequencing/branching behaviors). We show that the complexity of verifying the existence of a simulation equivalence enforcing control is linear in the plant size and quadratic in the specification size.
Also, when the existence condition is met, a supervisor of size linear in the size of the specification can be synthesized. Similar complexity results also hold for the range control problem (the existence condition can be verified linearly in the sizes of the plant and of the lower and upper bound specifications, and synthesis can be performed linearly in the size of the lower bound specification). We first establish that the set of all automata having the same event set, endowed with the simulation relation, is a prelattice, and consequently (non-unique) infimal and supremal elements exist for a given set of automata. We show that synchronization of automata gives an infimal element, whereas the union of automata gives a supremal element. Using these results we show that the class of similarity enforcing supervisors possesses an infimal element and present a linear algorithm for computing it. The algorithm is similar in spirit to one given in [5], which studied control in the deterministic setting. We then specialize our results to the setting where the plant is deterministic. In this setting, the existence condition is given by state-controllable-similarity, a new concept introduced in this paper. We show that the notion of state-controllable-similar is stronger than that of language-controllable (which serves as an existence condition for language equivalence enforcing control) and weaker than the notion of state-controllable (which serves as an existence condition for bisimulation equivalence enforcing control for deterministic plants [32]). As such, the condition of state-controllable-similar is stronger than the condition for the existence of a similarity enforcing supervisor for nondeterministic plants, but the two conditions become equivalent for deterministic plants.
As a final result, we obtain a condition for the existence of a similarity enforcing supervisor that is also deterministic. Requiring the supervisor to be deterministic makes the problem computationally more expensive, and stronger conditions must hold for a supervisor to exist. This situation is somewhat similar to control under partial observation for language equivalence: the deterministic supervisor synthesis problem in that setting is known to be NP-complete [31], but it is shown to be of polynomial complexity when the supervisor is allowed to be nondeterministic [13]. Our results establish that a nondeterministic supervisor is preferable over a deterministic one for similarity enforcing control. Issues regarding the implementation of nondeterministic supervisors are discussed in [13].
2 Notation and Preliminaries
Automata are used to model discrete event systems at the logical level. A nondeterministic automaton is a 5-tuple G = (X, Σ, α, X0, Xm), where X is the set of states, Σ is the alphabet of events, α : X × (Σ ∪ {ε}) → 2^X is the state transition function (where ε is a label for “silent” transitions), X0 ⊆ X is the set of initial states, and Xm ⊆ X is the set of final states. For notational convenience, we define Σ_ε := Σ ∪ {ε}. A triple (x, σ, x′) ∈ X × Σ_ε × X such that x′ ∈ α(x, σ) is called a transition. For x ∈ X, we define Σ(x) := {σ ∈ Σ_ε | α(x, σ) ≠ ∅} to represent the set of events defined at state x. Σ* denotes the set of all finite sequences of events in Σ, called traces, and includes the zero-length trace, denoted ε. The ε-closure (denoted ε*) of x ∈ X is the set of states reached by the execution of zero or more ε-transitions from state x. Using the ε-closure map, we extend the transition function from events to traces, α* : X × Σ* → 2^X, defined inductively as: ∀x ∈ X, α*(x, ε) := ε*(x); ∀s ∈ Σ*, σ ∈ Σ : α*(x, sσ) := ε*(α(α*(x, s), σ)), where for X̂ ⊆ X and Σ̂ ⊆ Σ_ε, α(X̂, Σ̂) := ∪_{x ∈ X̂, σ ∈ Σ̂} α(x, σ) and ε*(X̂) := ∪_{x ∈ X̂} ε*(x). Similarly, for X̂ ⊆ X, α*(X̂, ·) := ∪_{x ∈ X̂} α*(x, ·).

The language generated (resp., marked) by G is denoted L(G) (resp., Lm(G)). L(G) is the set of sequences of events generated starting from an initial state, i.e., L(G) = {s ∈ Σ* | α*(X0, s) ≠ ∅}, and Lm(G) is the set of generated sequences that end in a marked state, i.e., Lm(G) = {s ∈ L(G) | α*(X0, s) ∩ Xm ≠ ∅}. Two automata G1 = (X1, Σ, α1, X01, Xm1) and G2 = (X2, Σ, α2, X02, Xm2) are language equivalent if L(G1) = L(G2) and Lm(G1) = Lm(G2). Language equivalence preserves the safety properties of the LTL temporal logic.

Define the union of G1 and G2 as the automaton G1 ∪ G2 = (X1 ∪ X2, Σ, α∪, X01 ∪ X02, Xm1 ∪ Xm2), where for x ∈ X1 ∪ X2 and σ ∈ Σ_ε:
  α∪(x, σ) = α1(x, σ) ∪ α2(x, σ)   if x ∈ X1 ∩ X2,
  α∪(x, σ) = α1(x, σ)              if x ∈ X1 − X2,
  α∪(x, σ) = α2(x, σ)              if x ∈ X2 − X1.
Given two automata G1 and G2, a simulation relation Φ ⊆ (X1 ∪ X2)^2 is a binary relation over the states of G1 ∪ G2 such that (x1, x2) ∈ Φ implies
1. σ ∈ Σ, x1′ ∈ α∪*(x1, σ) ⇒ ∃x2′ ∈ α∪*(x2, σ) such that (x1′, x2′) ∈ Φ.
2. x1 ∈ Xm1 ⇒ x2 ∈ Xm2.
We write x1 ⊑_Φ x2 to denote that there exists a simulation relation Φ with (x1, x2) ∈ Φ, read as x1 is simulated by x2. We sometimes omit the subscript Φ from ⊑_Φ when it is clear from the context. G1 is said to be simulated by G2, denoted G1 ⊑_Φ G2, if there exists a simulation relation Φ ⊆ (X1 ∪ X2)^2 such that for all x01 ∈ X01 there exists x02 ∈ X02 with (x01, x02) ∈ Φ. This last fact is concisely written as X01 ⊑_Φ X02. Also note that G1 ⊑ G2 implies L(G1) ⊆ L(G2).

Given two automata G1 and G2, Φ ⊆ (X1 ∪ X2)^2 is a similarity relation if there exist simulation relations Φ1, Φ2 ⊆ (X1 ∪ X2)^2 such that Φ = Φ1 ∪ Φ2 and ∀x : [∃x′ : (x, x′) ∈ Φi ⇒ ∃x″ : (x″, x) ∈ Φj], ∀i, j ∈ {1, 2}, i ≠ j. We write x1 ∼_Φ x2 to denote that there exists a similarity relation Φ such that (x1, x2) ∈ Φ, read as x1 and x2 are simulation equivalent or similar. We sometimes omit the subscript Φ from ∼_Φ when it is clear from the context. G1 and G2 are simulation equivalent (or similar), denoted G1 ∼_Φ G2, if there exist simulation relations Φ1 and Φ2 such that Φ = Φ1 ∪ Φ2, G1 ⊑_Φ1 G2 and G2 ⊑_Φ2 G1. Note that a similarity relation Φ need not be an equivalence relation (as it need not be symmetric); however, the similarity of automata is an equivalence relation. Simulation equivalence preserves the properties belonging to the universal fragments of the CTL* and µ-calculus temporal logics.

A simulation relation is called a bisimulation equivalence relation if it is symmetric. For a bisimulation equivalence relation Φ, if (x1, x2) ∈ Φ then x1 and x2 are called bisimilar, written x1 ≃_Φ x2 (or simply x1 ≃ x2 when Φ is clear from the context). G1 and G2 are bisimulation equivalent (or bisimilar), denoted G1 ≃_Φ G2, if there exists a bisimulation relation Φ ⊆ (X1 ∪ X2)^2 such that for all x01 ∈ X01 there exists x02 ∈ X02 with (x01, x02) ∈ Φ. Note that G1 ≃ G2 implies G1 ∼ G2. Bisimulation equivalence preserves the properties expressed in the temporal logics CTL* and µ-calculus.

Remark 1 Existence of a simulation relation, or of simulation or bisimulation equivalence, between a pair of automata G1 and G2 can be checked linearly in the sizes of G1 and G2. However, checking the language equivalence of G1 and G2 is exponential in the sizes of G1 and G2.

The following example illustrates the concepts defined above.

Example 1 Consider the automata G1 := R″, G2 := R′ and G3 := R shown in Figure 3. There exists a simulation relation Φ1 between G1 and G2, where Φ1 = {(1, A), (2, B), (3, D)}, i.e., G1 ⊑_Φ1 G2. Also there exists a simulation relation Φ2 between G2 and G1, where Φ2 = {(A, 1), (B, 2), (C, 2), (D, 3)}, i.e., G2 ⊑_Φ2 G1. Therefore, G1 ∼_{Φ1 ∪ Φ2} G2. However, G1 ≁ G3 (resp., G2 ≁ G3), since state 2 in G1 (resp., state B in G2) is not simulated by any state in G3 (no state in G3 has both events b and c defined). Note that this example shows that although L(G1) = L(G2) = L(G3), G1 ∼ G2 ≁ G3 and G1 ≄ G2 ≄ G3.

The purpose of control of a DES, called a plant, is to restrict its behavior in order to prevent certain undesirable behavior by dynamically disabling certain controllable events [27]. Such a controller is called a supervisor. The supervisor can be modeled as another automaton operating in synchronous composition with the plant. Given two automata G1 = (X1, Σ, α1, X01, Xm1) and G2 = (X2, Σ, α2, X02, Xm2), the synchronous composition of G1 and G2 is the automaton G1 ∥ G2 = (X1 × X2, Σ, α∥, X01 × X02, Xm1 × Xm2), where for x1 ∈ X1, x2 ∈ X2 and σ ∈ Σ_ε:
  α∥((x1, x2), σ) = α1(x1, σ) × α2(x2, σ)                       if σ ≠ ε,
  α∥((x1, x2), σ) = (α1(x1, ε) × {x2}) ∪ ({x1} × α2(x2, ε))     if σ = ε.

3 Prelattice of Automata Under Simulation Relation
In this section we show that the simulation relation serves as a preorder for the set of all automata defined over a common event set, and also that this set together with the simulation preorder constitutes a prelattice.

Definition 1 [11] Given a set X, a preorder over X, denoted ≤ ⊆ X^2, is a transitive and reflexive relation, in which case the pair (X, ≤) is called a preordered set. Given Y ⊆ X, x ∈ X is said to be a supremal of Y if
• (upper bound): ∀y ∈ Y : y ≤ x, and
• (least upper bound): ∀z ∈ X : [∀y ∈ Y : y ≤ z] ⇒ [x ≤ z].
Similarly, x ∈ X is called an infimal of Y ⊆ X if
• (lower bound): ∀y ∈ Y : x ≤ y, and
• (greatest lower bound): ∀z ∈ X : [∀y ∈ Y : z ≤ y] ⇒ [z ≤ x].
Note that supremal and infimal elements, when defined with respect to a preordered set, are not unique. However, if x1 and x2 are two supremal or two infimal elements of Y, then x1 ≤ x2 and x2 ≤ x1. Since a preorder is not antisymmetric we cannot claim that x1 = x2, and so the uniqueness of the supremal/infimal does not hold. We denote the set of all supremals and infimals of Y by SUP(Y) and INF(Y), respectively.

Definition 2 [11] A preordered set (X, ≤) is said to be a prelattice if SUP(Y) ∩ X ≠ ∅ and INF(Y) ∩ X ≠ ∅ for any finite Y ⊆ X. It is said to be a complete prelattice if the same holds for any Y ⊆ X.

We next consider the set A of all automata over a fixed alphabet Σ and the simulation relation over this set. It is known that the simulation relation is transitive (refer to [32]), i.e., given automata G1, G2 and G3, if G1 ⊑ G2 and G2 ⊑ G3, then G1 ⊑ G3. Also, for any automaton G it holds that G ⊑ G, implying the reflexivity of the simulation relation. However, G1 ⊑ G2 and G2 ⊑ G1 only implies G1 ∼ G2 but not G1 = G2, i.e., antisymmetry does not hold. Therefore, the pair (A, ⊑) is a preordered set. In the following we establish that automata-union (resp., automata-synchronization) yields a supremal (resp., an infimal) element.

Theorem 1 Given G1 and G2, G1 ∪ G2 ∈ SUP{G1, G2}.

Proof: From the definition of automata union, G1 and G2 are “subautomata” of G1 ∪ G2, and so it is easy to see that G1 ⊑ G1 ∪ G2 and G2 ⊑ G1 ∪ G2, i.e., G1 ∪ G2 is an upper bound for {G1, G2}. Next, we show that it is a least upper bound, i.e., G1 ⊑ G3 and G2 ⊑ G3 implies (G1 ∪ G2) ⊑ G3. Notice that G1 ⊑ G3 implies X01 ⊑ X03 and G2 ⊑ G3 implies X02 ⊑ X03. This implies that for i = 1, 2 and each x0i ∈ X0i there exists x03 ∈ X03 such that x0i ⊑ x03. Since the set of transitions of G1 ∪ G2 is the union of the sets of transitions of the two automata, this implies that for each x ∈ X01 ∪ X02 there exists x03 ∈ X03 such that x ⊑ x03. Since the initial state set of G1 ∪ G2 is X01 ∪ X02, it follows that (G1 ∪ G2) ⊑ G3.

Theorem 2 Given G1 and G2, G1 ∥ G2 ∈ INF{G1, G2}.

Proof: We first prove that G1 ∥ G2 is a lower bound, i.e., G1 ∥ G2 ⊑_Φ1 G1 and G1 ∥ G2 ⊑_Φ2 G2. By the reflexivity of the simulation relation, there exists Φ such that G1 ∥ G2 ⊑_Φ G1 ∥ G2. Define a relation Φ1 by Φ1 = {((x1, x2), x1′) | ((x1, x2), (x1′, x2′)) ∈ Φ}. Then it can be seen that Φ1 is a simulation relation, and so G1 ∥ G2 ⊑_Φ1 G1. Similarly, we can show G1 ∥ G2 ⊑_Φ2 G2. Next, we prove that G1 ∥ G2 is a greatest lower bound, i.e., G3 ⊑_Φ1 G1 and G3 ⊑_Φ2 G2 implies G3 ⊑_Φ G1 ∥ G2. In order to show G3 ⊑_Φ (G1 ∥ G2), define Φ := {(x3, (x1, x2)) | (x3, x1) ∈ Φ1, (x3, x2) ∈ Φ2, ∃s ∈ Σ* s.t. xi ∈ αi*(X0i, s), ∀i = 1, 2, 3}. G3 ⊑_Φi Gi implies X03 ⊑_Φi X0i for i = 1, 2. Since G3 ⊑_Φi Gi, it follows that L(G3) ⊆ L(Gi), which further implies L(G3) ⊆ L(G1) ∩ L(G2) = L(G1 ∥ G2). This means that for every x3 ∈ X3 such that there exists s ∈ Σ* with x3 ∈ α3*(X03, s), there exists xi ∈ Xi such that xi ∈ αi*(X0i, s) for i = 1, 2. So Φ above is well defined and serves as a simulation relation establishing G3 ⊑_Φ G1 ∥ G2.

The following corollary follows from Theorem 2 and provides a property of the simulation order.

Corollary 1 Given automata G1, G2, G3, G3 ⊑ G1 ∥ G2 implies G3 ⊑_Φ1 G1 and G3 ⊑_Φ2 G2.
4 Supervisory Control for Simulation Equivalence
In this section we study the control of a (nondeterministic) plant to ensure simulation equivalence of the controlled plant and a given (nondeterministic) specification. In what follows, we represent a plant, a specification and a supervisor by G = (X, Σ, α, X0, Xm), R = (Q, Σ, δ, Q0, Qm) and S = (Y, Σ, β, Y0, Ym), respectively. For control purposes, the event set is partitioned as Σ = Σu ∪ (Σ − Σu), where Σu and Σ − Σu denote the sets of uncontrollable and controllable events, respectively. Since a supervisor cannot disable an uncontrollable event, the notion of Σu-compatibility of a supervisor is introduced.

Definition 3 A supervisor S is Σu-compatible if each uncontrollable event is defined at each state of S.

In order to find a Σu-compatible similarity enforcing supervisor we examine the class of all S such that G ∥ S ∼ R. It turns out that this class possesses an infimal element, and we provide an algorithm for the computation of such an element. The following lemma is needed before we proceed.

Lemma 1 Given G1 ⊑ G2 and G1′ ⊑ G2′, it holds that G1 ∥ G1′ ⊑ G2 ∥ G2′.

Proof: By Theorem 2, G1 ∥ G1′ ⊑ G1 and G1 ∥ G1′ ⊑ G1′. Also, since G1 ⊑ G2 and G1′ ⊑ G2′, it follows that G1 ∥ G1′ ⊑ G2 and G1 ∥ G1′ ⊑ G2′. Therefore, by Theorem 2, we have G1 ∥ G1′ ⊑ G2 ∥ G2′.

Let 𝒮 := {S | S is Σu-compatible, G ∥ S ∼ R}. The following lemma shows that 𝒮 possesses an infimal element.

Lemma 2 S1, S2 ∈ 𝒮 implies S1 ∥ S2 ∈ 𝒮.

Proof: We need to prove that S1 ∥ S2 is Σu-compatible and G ∥ (S1 ∥ S2) ∼ R. Since S1 and S2 are Σu-compatible, from Definition 3 it is obvious that S1 ∥ S2 is Σu-compatible. Next we show G ∥ (S1 ∥ S2) ∼ R, for which we need to show G ∥ (S1 ∥ S2) ⊑ R and R ⊑ G ∥ (S1 ∥ S2). For i = 1, 2, Si ∈ 𝒮 implies G ∥ Si ∼ R, which further implies G ∥ Si ⊑ R. From Theorem 2, we have (G ∥ S1) ∥ (G ∥ S2) ⊑ G ∥ Si ⊑ R. Next note that (G ∥ S1) ∥ (G ∥ S2) = (G ∥ G) ∥ (S1 ∥ S2) and G ⊑ G ∥ G (follows from Lemma 1). So from Lemma 1, we have G ∥ (S1 ∥ S2) ⊑ (G ∥ G) ∥ (S1 ∥ S2), i.e., G ∥ (S1 ∥ S2) ⊑ (G ∥ S1) ∥ (G ∥ S2) ⊑ R.
Similarly, one can show R ⊑ G ∥ (S1 ∥ S2).

Next we present an algorithm for computing an element of INF(𝒮) when 𝒮 is nonempty.

Algorithm 1 Suppose G, R and Σu are such that 𝒮 ≠ ∅. Then the following algorithm computes an automaton Ru ∈ INF(𝒮). Ru = (Q ∪ {dump}, Σ, δu, Q0, Qm), where ∀q ∈ Q ∪ {dump}, σ ∈ Σ_ε:
  δu(q, σ) := δ(q, σ)   if σ ∈ Σ(q) − {ε},
  δu(q, σ) := dump      if σ ∈ Σu − Σ(q),
  δu(q, σ) := δ(q, ε)   if σ = ε.
In other words, Ru is obtained by adding to R an extra dump state and adding the “missing” uncontrollable transitions from each state to the dump state.
The following theorem proves the correctness of the algorithm.

Theorem 3 Algorithm 1 is correct, i.e., Ru is Σu-compatible, and 𝒮 ≠ ∅ implies Ru ∈ INF(𝒮).

Proof: From the construction of Ru, each σ ∈ Σu is defined at each state of Ru, so Ru is Σu-compatible. To prove the infimality of Ru under nonemptiness of 𝒮, we need to prove that if there exists a Σu-compatible S such that G ∥ S ∼ R, then G ∥ Ru ∼ R and Ru ⊑ S. We first prove Ru ⊑ S. Note that G ∥ S ∼ R implies R ⊑_Φ1 S. Using the fact that S is Σu-compatible, it can be shown that Ru ⊑_Φ2 S, where Φ2 := Φ1 ∪ {(dump, y) | ∃(q, y′) ∈ Φ1, σ ∈ Σu : δu(q, σ) = dump, y ∈ β(y′, σ)}. Next, since Ru ⊑ S, from Lemma 1, G ∥ Ru ⊑ G ∥ S. This together with the fact G ∥ S ⊑ R implies G ∥ Ru ⊑ R. It remains to show that R ⊑ G ∥ Ru. Since Ru is obtained by adding an extra state and extra transitions, it is obvious that R ⊑ Ru. The fact R ⊑ G follows from R ⊑ G ∥ S ⊑ G. By Theorem 2, R ⊑ Ru and R ⊑ G together imply R ⊑ G ∥ Ru. This completes the proof.

The following result follows from Theorem 3 and provides a necessary and sufficient condition for the existence of a similarity enforcing supervisor.

Theorem 4 Given G and R, there exists a Σu-compatible supervisor S such that G ∥ S ∼ R if and only if G ∥ Ru ∼ R (or equivalently, G ∥ Ru ⊑ R ⊑ G), where Ru is as computed in Algorithm 1. Further, when the existence condition holds, Ru can be chosen as a supervisor.

Proof: Sufficiency is obvious since S can be chosen as Ru. For necessity, suppose the desired S exists. Then 𝒮 ≠ ∅ and so, from Theorem 3, Ru ∈ INF(𝒮) ⊆ 𝒮. Since Ru ∈ 𝒮, the necessity follows.

Remark 2 The complexity of checking G ∥ Ru ⊑ R is linear in the size of the plant and quadratic in the size of the specification, whereas R ⊑ G can be checked linearly in the sizes of G and R. Also, Ru can be used as the supervisor, and it can be computed linearly in the size of R (Ru has just one extra state compared to R).
So far we have studied the “target” control problem, where the controlled system G ∥ S and the specification R are simulation equivalent, i.e., G ∥ S ∼ R. This is equivalent to saying R ⊑ G ∥ S ⊑ R, which is a special case of the more general “range” control problem A ⊑ G ∥ S ⊑ E. Here the automaton A specifies a minimally adequate behavior, whereas the automaton E specifies a maximally acceptable behavior. Note that in a “target” control problem, A = E = R. In the remainder of the section we extend our results to the range control problem. Given an automaton R and the set of uncontrollable events, we have shown the computation of Ru in Algorithm 1. We show in the next lemma that the simulation relation is preserved under this computation.
Lemma 3 Given R1 ⊑ R2, it holds that R1u ⊑ R2u.

Proof: R1 ⊑ R2 implies there exists a simulation relation Φ1 ⊆ Q1 × Q2 such that Q01 × Q02 ⊆ Φ1. Also, Φ1 = {(q1, q2) | q1 ⊑ q2}. Define a relation Φ2 ⊆ (Q1 ∪ {dump1}) × (Q2 ∪ {dump2}) as Φ2 = Φ1 ∪ {(dump1, dump2)}. Then it is easy to see that Φ2 is a simulation relation and R1u ⊑_Φ2 R2u.

We next present a necessary and sufficient condition for the “range” control problem.

Theorem 5 Given a plant G and lower and upper bound specifications A ⊑ E, there exists a Σu-compatible supervisor S such that A ⊑ G ∥ S ⊑ E if and only if A ⊑ G and G ∥ Au ⊑ E. Further, when the existence condition holds, Au can be chosen as a desired supervisor.

Proof: (If) Let S = Au, where Au is constructed by Algorithm 1 and is Σu-compatible. Then A ⊑ G and A ⊑ Au imply A ⊑ G ∥ Au, which together with G ∥ Au ⊑ E yields A ⊑ G ∥ Au ⊑ E. This proves the sufficiency. (Only If) By Corollary 1, A ⊑ G ∥ S implies A ⊑ G. It remains to show that G ∥ Au ⊑ E. Let R′ := G ∥ S; then A ⊑ G ∥ S ⊑ E implies A ⊑ R′ ⊑ E. By Lemma 3, A ⊑ R′ implies Au ⊑ R′u. By Lemma 1, we have G ∥ Au ⊑ G ∥ R′u. Also, G ∥ S = R′ implies G ∥ S ∼ R′, so by Theorem 4, G ∥ R′u ⊑ R′. Combining the previous inequalities yields G ∥ Au ⊑ G ∥ R′u ⊑ R′ ⊑ E. This completes the proof.

Remark 3 The complexity of checking G ∥ Au ⊑ E is linear in the sizes of A, G and E. Also, from the proof of Theorem 5, Au can serve as a supervisor for the “range” control problem, and Au can be computed linearly in the size of the lower bound specification A.

The following example serves to illustrate simulation equivalence enforcing control.

Example 2 Consider a simple vending machine that delivers a cookie or a candy in exchange for a coin, whose state machine model is shown in Figure 1. Upon getting a coin, the vending machine nondeterministically transits to one of two states. At each state, the user can wait for a delivery or push a button.
In the first state, if the user chooses to wait, the machine times out, delivering a cookie; whereas if the user chooses to push the button, the machine transits to the second state and remains there with additional pushes of the button. In the second state, pushing the button does not cause a state change, but when the user opts to wait, the machine times out and delivers either a candy or a cookie. Once a delivery is completed, the machine returns to its initial state. The timeout event is deemed uncontrollable, whereas the other events are controllable. Note that in the above vending machine it is not possible for a user to receive a candy with certainty, which is an undesirable behavior. To rectify this situation, a desired specification is shown in Figure 1.

Figure 1: Model G of vending machine (left) and its specification R (right)

According to the specification, after a user inserts a coin, the vending machine nondeterministically transits to one of two states. However, regardless of the state reached, if the user chooses to wait, the machine delivers a cookie; whereas if the user chooses to push the button at least twice (before timeout), the machine delivers a candy. If the user opts to push the button once and then to wait, then the machine delivers a cookie or a candy depending on the initial nondeterministic transition made. Note that since the specification allows such a nondeterministic choice, it is not adequate to use a language to capture the behavior of the specification. The above specification can be expressed in a temporal logic syntax as follows: after receiving a coin, for all paths, deliver a cookie if the button is not pushed (before timeout); deliver a candy if the button is pushed at least twice (before timeout); deliver a cookie or a candy if the button is pushed only once (before timeout). This is an instance of a “universal” temporal logic specification (no existential quantifier is needed to express the specification). Since a universal temporal logic specification is preserved under simulation equivalence, it suffices to require that the controlled plant and the specification be simulation equivalent.

Our goal is to find a Σu-compatible supervisor S for the vending machine such that G ∥ S ∼ R. We first check whether R ⊑ G. We find that the following simulation relation Φ1 exists between R and G: Φ1 = {(q1, x1), (q2, x2), (q3, x3), (q4, x4), (q5, x3), (q6, x5)}, implying R ⊑_Φ1 G. Next, we check whether G ∥ Ru ⊑ R. We construct Ru using Algorithm 1, and the result is depicted in Figure 2. The synchronous composition of Ru with the plant, namely G ∥ Ru, is also shown in Figure 2.
The following simulation relation Φ2 exists between G ∥ Ru and R: Φ2 := {((x1, q1), q1), ((x2, q2), q2), ((x3, q3), q3), ((x4, q4), q4), ((x5, q4), q4), ((x2, q3), q3), ((x3, q2), q2), ((x3, q5), q5), ((x5, q6), q6)}, implying G ∥ Ru ⊑_Φ2 R. It follows from Theorem 4 that there exists a Σu-compatible supervisor to enforce simulation equivalence between the controlled system and the specification, and Ru serves as such a supervisor.

Figure 2: Ru (left) and G ∥ Ru (right)
5 Specialization to Deterministic Case
The results obtained in Section 4 are applicable to deterministic plants as well. However, the special case of deterministic plants is of separate interest, since a weaker condition may be required for the existence of a supervisor. In fact this happens to be the case when the specification is of bisimulation equivalence [32], where it was shown that the bisimulation equivalence control problem can be solved polynomially when the plant model is deterministic. (No polynomial algorithm is known when the plant is nondeterministic.) A necessary and sufficient condition for the existence of a bisimilarity enforcing supervisor for a deterministic G and a possibly nondeterministic R is that R be simulated by G and that R* be state-controllable with respect to G and Σu (R* is the NSM obtained by replacing the transition function δ of R by the transition function δ* [32, Definition 8]; R* = R in the absence of ε-transitions). In this section we show that if we only require simulation equivalence of the controlled plant and the specification, then a weaker condition than state-controllability is required (as expected). We introduce that weaker condition, called state-controllable-similar, prove its necessity and sufficiency, and present a way to test it.

The notion of state-controllable-similar is defined in terms of state-controllable; both are introduced next.

Definition 4 Given automata G and R with L(R) ⊆ L(G), we say R is state-controllable with respect to G and Σu if
  s ∈ L(R), σ ∈ Σu such that sσ ∈ L(G) ⇒ ∀q ∈ δ*(Q0, s), σ ∈ Σ(q).
R is state-controllable-similar (SCS) with respect to G and Σu if it is simulation equivalent to a system R' that is state-controllable with respect to G and Σu.

We recall that language-controllability requires the following:
  s ∈ L(R), σ ∈ Σu such that sσ ∈ L(G) ⇒ ∃q ∈ δ*(Q0, s), σ ∈ Σ(q).
It is clear that when R is deterministic, state-controllability of R with respect to G and Σu reduces to language-controllability of L(R) with respect to L(G) and Σu. It can also be easily deduced that Σu-compatibility implies state-controllability, i.e., the latter is the weaker notion. The notion of SCS is stronger than language-controllable (LC) and weaker than state-controllable (SC). Recall that for deterministic G and possibly nondeterministic R with L(R) ⊆ L(G), LC serves as a necessary and sufficient condition for a language equivalence control, whereas SC serves as a necessary and sufficient condition for a bisimulation equivalence control. We show that the "intermediate" condition of SCS serves as a necessary and sufficient condition for a simulation equivalence control. The next example illustrates the various notions of controllability introduced above.

Example 3 Consider automata G = R, R', and R'' shown in Figure 3, and suppose Σu = {b}. Notice that in G, the uncontrollable event b is defined after trace a. R'' is SC since at state 2, reached by trace a, event b is defined. It follows that R'' is also SCS and LC. On the other hand, R' is not SC since at state C, reached by trace a, event b is undefined. However, R' is SCS, since R' ∼ R'', where R'' is SC. Also, similarity of R' and R'' implies their language equivalence; so since R'' is LC, so is R'. Finally, R is LC since L(R) = L(G). However, R is not SC since at state C, reached by trace a, event b is undefined. Also, R is not SCS, since it can be argued that one cannot find a SC automaton, call it R̂, such that R̂ ∼ R: because R̂ simulates R, event c must be defined at some state reached by trace a in R̂. Further, because R̂ is SC, event b must be defined at this state. I.e., there must exist a state in R̂ reached by trace a where events b and c are both defined. Since none of the states of R reachable by trace a have both events b and c defined, R cannot simulate R̂.

[Figure 3: state diagrams not recoverable from the extraction; only the caption follows.]
Figure 3: R (first), R' (second), R'' (third), Ru (fourth) and R‖Ru (fifth)
Next, we establish a necessary and sufficient condition for the existence of a similarity enforcing control for deterministic plants.

Theorem 6 Given a deterministic plant G and a possibly nondeterministic specification R, there exists a Σu-compatible supervisor S such that G‖S ∼ R if and only if R is simulated by G and state-controllable-similar with respect to G and Σu.

Proof: (Only If) From Theorem 4, G‖S ∼ R implies G‖Ru ⊑ R ⊑ G. Since R ⊑ G and R ⊑ Ru (from the construction of Ru), it follows that R ⊑ G‖Ru. So, G‖Ru ∼ R. By construction, Ru is Σu-compatible, and since G is deterministic, from [32, Lemma 7], G‖Ru is state-controllable. Since R is simulation equivalent to G‖Ru, it follows that R is state-controllable-similar.
(If) Let R be similar to R' that is SC. Define S to be R' with each state augmented with self-loops on all the undefined uncontrollable events of that state. Then G‖S ≃ G‖R' (by [32, Lemma 1]). Since R' ∼ R ⊑ G, it follows that R' ⊑ G. Also, R' ⊑ R', and so R' ⊑ G‖R'. On the other hand, G‖R' ⊑ R' by Theorem 2, and so we have G‖R' ∼ R'. It follows that G‖S ≃ G‖R' ∼ R, which completes the proof.

The next theorem presents a method to verify the property of SCS of R with respect to G and Σu.

Theorem 7 Given deterministic G and R ⊑ G, R is SCS with respect to G if and only if G‖Ru ⊑ R.

Proof: For deterministic G, by Theorems 4 and 6 we have the equivalence: [R is simulated by G and G‖Ru ⊑ R] ⇔ [R is simulated by G and R is SCS]. This can be rewritten as [R is simulated by G] ⇒ [G‖Ru ⊑ R ⇔ R is SCS].
Remark 4 From Theorem 7 we can test whether R is SCS by testing whether G‖Ru ⊑ R. It follows that the complexity of checking SCS is linear in the size of G and quadratic in the size of R. The complexity of checking whether R is simulated by G is linear in the sizes of G and R. Thus the complexity of checking the existence of a supervisor for similarity enforcing control of deterministic plants is O(|G| × |R|²).

In the following corollary we show that when the existence condition of Theorem 6 holds, Ru can be chosen as a desired supervisor.

Corollary 2 Given a deterministic plant G and a possibly nondeterministic specification R, if R is simulated by G and state-controllable-similar with respect to G, then Ru as computed in Algorithm 1 can serve as a similarity enforcing supervisor, i.e., G‖Ru ∼ R.
Proof: By Algorithm 1, Ru is Σu-compatible. Since R ⊑ G‖Ru (see the proof of Theorem 6) and G‖Ru ⊑ R (see Theorem 7), we obtain G‖Ru ∼ R as desired.

Remark 5 We showed in Theorem 7 that when G is deterministic and R is simulated by G, R being SCS is equivalent to G‖Ru ⊑ R. In general, however (when G is nondeterministic), R being SCS is stronger than G‖Ru ⊑ R. This can be illustrated by considering the automaton G = R drawn in Figure 3. Ru and G‖Ru = R‖Ru are also drawn in Figure 3. It can be verified that G‖Ru ⊑ R. However, as explained in Example 3, R is not SCS.

We illustrate the results of this section through an example.

Example 4 Consider a message transmission system, shown in Figure 4, that sends messages from a sender to a receiver. Two types of messages, m1 and m2, are generated by the sender and are first received by a message center. The messages are then forwarded (event f) to a routing center, which decides along which channels the messages are routed. Two types of channels, secure (s) and unsecure (u), are available for routing. Upon successful reception, an acknowledgment (a) is sent by the receiver to the sender, allowing transmission of another message. The acknowledgment is generated automatically and is treated as an uncontrollable event.

[Figure 4: block diagram with blocks sender, message center, routing center and receiver, connected by m1/m2, forward, the secure channel (s), the unsecure channel (u) and the acknowledgment; the drawing itself did not survive extraction.]
Figure 4: Block diagram of a message transmission system

The deterministic automaton G, drawn in Figure 5, models the above behavior. A specification for the legal behavior of the system is also drawn in Figure 5. It requires that messages of type 1 (m1) be transmitted over the secure channel, while no such restriction is imposed on the type of channel used for the transmission of messages of the second type (m2). However, once a message of type 2 gets forwarded, it (nondeterministically) finds the routing center in one of its two states: in the first state the transmission occurs on the secure channel, whereas in the second state it occurs on the unsecure channel. It is easy to verify that the specification language is a controllable sublanguage of the plant language. If we apply the supervisory control results from the deterministic setting and use a deterministic generator of the specification language as a supervisor, the controlled system will be a deterministic generator of the specification language (since the plant is given to be deterministic, the supervisor is constructed to be deterministic, and the plant language is a superlanguage of the specification language). A deterministic generator of the specification language, however, will allow both choices (secure as well as unsecure channel) for the routing of all messages of type 2 after they have arrived at the routing center. This situation is not permitted by the desired specification, and so the specification will be violated.

[Figure 5: state diagrams not recoverable from the extraction; G has states x0, x1, x2, x3 over the events m1, m2, f, s, u, a, and R has states q0 to q5.]
Figure 5: Model G of message transmission system (left) and its specification R (right)

Our goal is to find a Σu-compatible supervisor S for the message transmission system such that G‖S ∼ R. To do this, we first check whether R is simulated by G (i.e., R ⊑ G). We find that the following simulation relation exists between R and G:
  Φ1 = {(q0, x0), (q1, x1), (q2, x1), (q3, x2), (q4, x2), (q5, x3)},
implying R ⊑Φ1 G. Next, we need to check whether R is SCS. By Theorem 7, we need to check whether G‖Ru ⊑ R. For this we construct Ru using Step 1 of Algorithm 1. The constructed Ru is depicted in Figure 6, as is the synchronous composition of G and Ru. We find that the following simulation relation Φ2 exists between G‖Ru and R:
  Φ2 = {((x0, q0), q0), ((x1, q1), q1), ((x1, q2), q2), ((x2, q3), q3), ((x2, q4), q4), ((x3, q5), q5)},
i.e., G‖Ru ⊑Φ2 R. Thus we conclude that there exists a Σu-compatible supervisor to enforce simulation equivalence between the controlled system and the specification, and Ru can serve as a supervisor.

[Figure 6: state diagrams not recoverable from the extraction; G‖Ru has the states x0q0, x1q1, x1q2, x2q3, x2q4, x3q5 listed in Φ2.]
Figure 6: Ru (left) for R and G‖Ru (right) for G and R of Figure 5

To verify that using Ru as a supervisor yields G‖Ru ∼ R, we search for a similarity relation between the controlled system G‖Ru and the specification R. A similarity relation Φ3 between G‖Ru and R is given by:
  Φ3 = {((x0, q0), q0), ((x1, q1), q1), ((x1, q2), q2), ((x2, q3), q3), ((x2, q4), q4), ((x3, q5), q5), (q0, (x0, q0)), (q1, (x1, q1)), (q2, (x1, q2)), (q3, (x2, q3)), (q4, (x2, q4)), (q5, (x3, q5))}.

A meaning for the control being exercised is as follows. In the plant model, the routing center can be thought of as having a single queue for all arrived messages. When the routing center is ready to put a message on a channel, it picks one of the messages from the queue (say from the head of the queue) and places it on either of the two channels. The controller restricts this behavior of the routing center by essentially implementing two queues, one for each channel (and not one for each message). Upon arrival, messages of type 1 are always placed in the queue for the secure channel, whereas messages of type 2 can be placed in either of the two queues. The exact channel selection for a message of type 2 can be made, for example, based on the lengths of the two queues. However, since the lengths of the two queues at any given time are not known in advance, the selection of a channel essentially occurs nondeterministically for each message of type 2.
6 Simulation Equivalence via Deterministic Control
The condition G‖Ru ⊑ R ⊑ G (or equivalently, G‖Ru ∼ R ⊑ G) is necessary and sufficient for the existence of a similarity enforcing supervisor. When a supervisor exists, Ru can be chosen to be one. Clearly, Ru is deterministic if and only if R is deterministic. But a deterministic supervisor may exist even when R is not deterministic, and we present a necessary and sufficient condition for its existence. The point of this exercise is to show two things: (i) the existence condition for a deterministic supervisor is stronger than that for a nondeterministic one (this is to be expected), and (ii) the time complexity of verifying the existence of a deterministic supervisor is exponential. Thus we can draw the conclusion that it is preferable to opt for a nondeterministic supervisor. The following theorem presents the necessary and sufficient condition. We use det(R) to denote the deterministic generator of L(R).

Theorem 8 Given G and R, there exists a Σu-compatible deterministic supervisor S such that G‖S ∼ R if and only if
• R ⊑ G,
• L(R) is controllable with respect to L(G) and Σu, and
• G‖det(R) ⊑ R.

Proof: (Only if) Since the existence of a similarity enforcing supervisor (G‖S ∼ R) implies the existence of a language enforcing supervisor (L(G‖S) = L(R)), L(R) must be controllable with respect to L(G) whenever a similarity enforcing supervisor exists. In other words, a necessary condition is that L(R) is controllable. Next, G‖S ∼ R implies R ⊑ S and R ⊑ G. R ⊑ S implies L(R) ⊆ L(S) and Lm(R) ⊆ Lm(S), which further implies det(R) ⊑ det(S), and since det(S) = S, we have det(R) ⊑ S. This implies G‖det(R) ⊑ G‖S. Combining this with G‖S ⊑ R (since G‖S ∼ R), we obtain G‖det(R) ⊑ G‖S ⊑ R. This proves the necessity.
(If) For the sufficiency, choose S' to be det(R). Then S' is deterministic. Since det(R) is controllable, S' is language-controllable (as well as state-controllable). Further, G‖det(R) ⊑ R implies G‖S' ⊑ R. For the reverse, since R ⊑ G and R ⊑ det(R), we have R ⊑ G‖det(R) = G‖S'. Thus we have shown G‖S' ∼ R. We define S to be S' with each state of S' augmented with self-loops on all the undefined uncontrollable events of that state. Then S is Σu-compatible. Further, since S' is state-controllable, G‖S' ≃ G‖S (from Lemma 1 in [32]). Since G‖S' ∼ R, we also have G‖S ∼ R.

Remark 6 The complexity of checking the existence of a similarity enforcing deterministic supervisor using the condition of Theorem 8 is linear in the size of the plant and exponential in the size of the specification (due to the need to compute a deterministic automaton that accepts the same language as the specification automaton). Requiring the supervisor to be deterministic makes the problem computationally more expensive. This situation is similar to control under partial observation for language specifications: the deterministic supervisor synthesis problem in that setting is known to be NP-complete [31], but it is shown to be of polynomial complexity when the supervisor is allowed to be nondeterministic [13].

Let us revisit the message transmission system example studied in Section 5.

Example 5 Our goal is to find a deterministic Σu-compatible supervisor S for the message transmission system such that G‖S ∼ R. Condition 1 of Theorem 8 was verified in Example 4. In Example 4 it was also shown that R is SCS, which implies that R is LC, which establishes the second condition. So next we check condition 3. det(R) as well as G‖det(R) are drawn in Figure 7. Since no state of R can simulate the state x2q4 of G‖det(R), it follows that G‖det(R) cannot be simulated by R. Therefore, there does not exist a Σu-compatible deterministic supervisor S such that G‖S ∼ R. Note that we showed earlier that a nondeterministic supervisor exists for this system.
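The checks that Sections 5 and 6 rest on, namely Definition 4 (language- versus state-controllability), Theorem 7 (G‖Ru ⊑ R) and condition 3 of Theorem 8 (G‖det(R) ⊑ R), in working Python, as an added example that is not code from the paper. It assumes the standard definitions of the greatest simulation relation (transitions only; marking is ignored), of synchronous composition on a common alphabet, and of the subset construction. The construction of Ru is also an assumption, since Algorithm 1 lies outside this excerpt: every uncontrollable event undefined at a state is sent to a sink state named "dump" (the figures show such a state). The automata R, R', R'', G and the specification (SPEC) are constructed inputs reconstructed from the prose of Examples 3, 4 and 5, because the figures did not survive extraction. Requires Python 3.8 or later.

```python
from collections import deque
from itertools import product

class Automaton:                                   # NSM: initial set Q0, partial delta; shared alphabet, no marking
    def __init__(self, init, edges):
        self.init, self.delta, self.states = frozenset(init), {}, set(init)
        for p, e, q in edges:                      # delta: (state, event) -> set of successor states
            self.delta.setdefault((p, e), set()).add(q)
            self.states.update((p, q))
    def succ(self, p, e):
        return self.delta.get((p, e), set())
    def events(self, p):                           # Sigma(p): the events defined at state p
        return {e for (s, e) in self.delta if s == p}
    def post(self, subset, e):                     # e-successors of a set of states (delta* on one event)
        return frozenset(q for p in subset for q in self.succ(p, e))

def greatest_simulation(a, b):
    """Largest Phi such that (p, q) in Phi and p -e-> p' imply some q -e-> q' with (p', q') in Phi."""
    def violates(p, q, phi):
        return any(not any((p2, q2) in phi for q2 in b.succ(q, e))
                   for e in a.events(p) for p2 in a.succ(p, e))
    phi = set(product(a.states, b.states))
    while bad := {pq for pq in phi if violates(*pq, phi)}:   # drop violating pairs until a fixpoint
        phi -= bad
    return phi

def simulated_by(a, b):                            # a ⊑ b: every initial state of a is simulated by one of b
    phi = greatest_simulation(a, b)
    return all(any((p, q) in phi for q in b.init) for p in a.init)

def similar(a, b):                                 # a ∼ b, simulation equivalence
    return simulated_by(a, b) and simulated_by(b, a)

def controllability(g, r, sigma_u):                # Definition 4, checked over every trace s in L(R)
    start = (g.init, r.init)
    seen, queue, lc, sc = {start}, deque([start]), True, True
    while queue:
        sg, sr = queue.popleft()                   # delta*(Q0, s) in G and in R, respectively
        assert sg, "L(R) is not a sublanguage of L(G)"
        for e in {e for p in sg for e in g.events(p)} & sigma_u:   # s.e in L(G), e uncontrollable
            defined = [e in r.events(q) for q in sr]
            lc &= any(defined)                     # language-controllable: some q in delta*(Q0, s) has e
            sc &= all(defined)                     # state-controllable: every q in delta*(Q0, s) has e
        for e in {e for q in sr for e in r.events(q)}:              # extend s within L(R)
            nxt = (g.post(sg, e), r.post(sr, e))
            if nxt not in seen:
                seen.add(nxt); queue.append(nxt)
    return lc, sc

def sync(a, b):                                    # synchronous composition a‖b on the common alphabet
    init = set(product(a.init, b.init))
    edges, seen, queue = [], set(init), deque(init)
    while queue:
        p, q = queue.popleft()
        for e in a.events(p) & b.events(q):
            for p2, q2 in product(a.succ(p, e), b.succ(q, e)):
                edges.append(((p, q), e, (p2, q2)))
                if (p2, q2) not in seen:
                    seen.add((p2, q2)); queue.append((p2, q2))
    return Automaton(init, edges)                  # reachable part only

def r_u(r, sigma_u, dump="dump"):
    """Assumed Sigma_u-compatible completion of R (Algorithm 1 is not in this excerpt): every
    undefined uncontrollable event leads to a sink state 'dump' that self-loops on Sigma_u."""
    edges = [(p, e, q) for (p, e), qs in r.delta.items() for q in qs]
    for p in r.states | {dump}:
        edges += [(p, e, dump) for e in sigma_u - r.events(p)]
    return Automaton(r.init, edges)

def det(r):                                        # subset construction: deterministic generator of L(R)
    edges, seen, queue = [], {r.init}, deque([r.init])
    while queue:
        s = queue.popleft()
        for e in {e for q in s for e in r.events(q)}:
            t = r.post(s, e)
            edges.append((s, e, t))
            if t not in seen:
                seen.add(t); queue.append(t)
    return Automaton([r.init], edges)

# Constructed inputs, reconstructed from the prose of Examples 3-5 (the figures did not survive extraction).
R = Automaton(["A"], [("A", "a", "B"), ("A", "a", "C"), ("B", "b", "D"), ("C", "c", "D")])   # R (= G)
R1 = Automaton(["A"], [("A", "a", "B"), ("A", "a", "C"), ("B", "b", "D"), ("B", "c", "D"),
                       ("C", "c", "D")])                                                     # R'
R2 = Automaton([1], [(1, "a", 2), (2, "b", 3), (2, "c", 3)])                                 # R''
G = Automaton(["x0"], [("x0", "m1", "x1"), ("x0", "m2", "x1"), ("x1", "f", "x2"),
                       ("x2", "s", "x3"), ("x2", "u", "x3"), ("x3", "a", "x0")])
SPEC = Automaton(["q0"], [("q0", "m1", "q1"), ("q0", "m2", "q2"), ("q1", "f", "q3"), ("q2", "f", "q3"),
                          ("q2", "f", "q4"), ("q3", "s", "q5"), ("q4", "u", "q5"), ("q5", "a", "q0")])

def example3():                                    # Sigma_u = {b}, plant G = R: (LC, SC) verdicts and similarities
    return {"R": controllability(R, R, {"b"}), "R'": controllability(R, R1, {"b"}),
            "R''": controllability(R, R2, {"b"}), "R'~R''": similar(R1, R2), "R~R''": similar(R, R2)}

def examples_4_and_5():                            # Sigma_u = {a}: (R ⊑ G, G‖Ru ⊑ R, G‖Ru ∼ R, G‖det(R) ⊑ R)
    g_ru = sync(G, r_u(SPEC, {"a"}))
    return (simulated_by(SPEC, G), simulated_by(g_ru, SPEC), similar(g_ru, SPEC),
            simulated_by(sync(G, det(SPEC)), SPEC))
```

example3() returns the verdicts argued in Example 3: R and R' are LC but not SC, R'' is both, R' ∼ R'' holds and R ∼ R'' does not. examples_4_and_5() returns (True, True, True, False) for the message transmission system: R ⊑ G and G‖Ru ⊑ R, so Ru is a similarity enforcing supervisor (Theorem 7, Corollary 2), while G‖det(R) ⊑ R fails because the state (x2, {q3, q4}) of G‖det(R) enables both s and u (Example 5). For the nondeterministic plant G = R of Example 3, simulated_by(sync(R, r_u(R, {"b"})), R) is True although R is not SCS, which is the point of Remark 5: the test of Theorem 7 needs a deterministic G.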
[Figure 7: state diagrams not recoverable from the extraction; only the caption follows.]
Figure 7: det(R) (left) and G‖det(R) (right) for G and R of Figure 5

7 Conclusion

The paper studies the problem of supervisory control for enforcing simulation equivalence between the controlled plant and the specification. Through our work we have shown that simulation equivalence represents a nice compromise between the complexity of a control specification and its expressiveness. While bisimilarity enforcing control is the most expressive, the best known complexity for such control is doubly exponential in the sizes of the plant and the specification. On the other hand, while language equivalence control is polynomially solvable, it is the least expressive. A simulation equivalence specification is more expressive than a language equivalence specification, yet it remains polynomially solvable. (The complexity turns out to be an order higher in the specification size when compared to a language equivalence specification.) We present necessary and sufficient conditions for the existence of similarity enforcing supervisors for nondeterministic and also for deterministic plants. Our results are constructive and find a supervisor when one exists. Both the target and range control problems are studied. We also present a condition for the existence of a similarity enforcing deterministic supervisor.
References

[1] M. Antoniotti. Synthesis and Verification of Discrete Controllers for Robotics and Manufacturing Devices with Temporal Logic and Control-D Systems. PhD thesis, Department of Computer Science, New York University, New York, NY, 1995.
[2] A. Arnold, A. Vincent, and I. Walukiewicz. Games for synthesis of controllers with partial observation. Theoretical Computer Science, pages 7–34, 2003.
[3] J. C. M. Baeten, J. A. Bergstra, and J. W. Klop. Ready-trace semantics for concrete process algebra with the priority operator. The Computer Journal, 30(6):498–506, 1987.
[4] S. Bensalem, A. Bouajjani, C. Loiseaux, and J. Sifakis. Property preserving simulations. In CAV, pages 260–273, 1992.
[5] A. Bergeron. A unified approach to control problems in discrete event processes. In Proceedings of Information Theory and Applications, volume 27, page 555.
[6] M. Heymann and F. Lin. Discrete-event control of nondeterministic systems. IEEE Transactions on Automatic Control, 43(1):3–17, January 1998.
[7] M. Heymann and G. Meyer. Algebra of discrete event processes. Technical Report NASA 102848, NASA Ames Research Center, Moffett Field, CA, June 1991.
[8] C. A. R. Hoare. Communicating Sequential Processes. Prentice Hall, Inc., Englewood Cliffs, NJ, 1985.
[9] S. Jiang and R. Kumar. Supervisory control of nondeterministic discrete event systems with driven events via masked prioritized synchronization. IEEE Transactions on Automatic Control, 47(9):1438–1449, 2002.
[10] S. Jiang and R. Kumar. Supervisory control of discrete event systems with CTL* temporal logic specification. SIAM Journal on Control and Optimization, 2005. Accepted.
[11] R. Kumar and V. K. Garg. Modeling and Control of Logical Discrete Event Systems. Kluwer Academic Publishers, Boston, MA, 1995.
[12] R. Kumar and M. Heymann. Masked prioritized synchronization for interaction and control of discrete event systems. IEEE Transactions on Automatic Control, 45(11):1970–1982, 2000.
[13] R. Kumar, S. Jiang, C. Zhou, and W. Qiu. Polynomial synthesis of supervisor for partially observed discrete-event systems by allowing nondeterminism in control. IEEE Transactions on Automatic Control, 50(4):463–475, 2005.
[14] R. Kumar and M. A. Shayman. Nonblocking supervisory control of nondeterministic systems via prioritized synchronization. IEEE Transactions on Automatic Control, 41(8):1160–1175, August 1996.
[15] R. Kumar and M. A. Shayman. Centralized and decentralized supervisory control of nondeterministic systems under partial observation. SIAM Journal of Control and Optimization, 35(2):363–383, March 1997.
[16] O. Kupferman, P. Madhusudan, P. S. Thiagarajan, and M. Y. Vardi. Open systems and reactive environments: control and synthesis. In Proceedings of 11th Conference on Concurrency Theory (Lecture Notes in Computer Science), volume 1877, pages 92–107. Springer-Verlag, August 2000.
[17] O. Kupferman and M. Y. Vardi. Robust satisfaction. In Proceedings of 10th Conference on Concurrency Theory (Lecture Notes in Computer Science), volume 1664, pages 382–398. Springer-Verlag, August 1999.
[18] O. Kupferman, M. Y. Vardi, and P. Wolper. Module checking. Information and Computation, 164:322–344, 2001.
[19] P. Madhusudan and P. S. Thiagarajan. Branching time controllers for discrete event systems. Theoretical Computer Science, 274:117–149, 2002.
[20] M. Maidi. The common fragment of CTL and LTL. In Proceedings of Foundations of Computer Science, pages 643–652, 2000.
[21] R. Milner. Communication and Concurrency. Prentice Hall, New York, 1989.
[22] A. Overkamp. Supervisory control for nondeterministic systems. In G. Cohen and J.-P. Quadrat, editors, Lecture Notes in Control and Information Sciences 199, pages 59–65. Springer-Verlag, New York, 1994.
[23] I. Phillips. Refusal testing. Theoretical Computer Science, 50:241–284, 1987.
[24] H. Qin and P. Lewis. Factorization of finite state machines under observational equivalence. In Lecture Notes in Computer Science, volume 458. Springer-Verlag, 1990.
[25] J. B. Raclet and S. Pinchinat. The control of non-deterministic systems: A logical approach. In IFAC World Congress, Prague, 2005.
[26] P. J. Ramadge and W. M. Wonham. Supervisory control of a class of discrete event processes. SIAM Journal of Control and Optimization, 25(1):206–230, 1987.
[27] P. J. Ramadge and W. M. Wonham. The control of discrete event systems. Proceedings of IEEE: Special Issue on Discrete Event Systems, 77:81–98, 1989.
[28] S. Riedweg and S. Pinchinat. Quantified mu-calculus for control synthesis. In Mathematical Foundations of Computer Science, Bratislava, Slovak Republic, 2003.
[29] M. A. Shayman and R. Kumar. Supervisory control of nondeterministic systems with driven events via prioritized synchronization and trajectory models. SIAM Journal of Control and Optimization, 33(2):469–497, March 1995.
[30] P. Tabuada. Open maps, alternating simulations and control synthesis. In International Conference on Concurrency Theory, pages 466–480, 2004.
[31] J. N. Tsitsiklis. On the control of discrete event dynamical systems. Mathematics of Control, Signals and Systems, 2(2):95–107, 1989.
[32] C. Zhou, R. Kumar, and S. Jiang. Control of nondeterministic discrete event systems for bisimulation equivalence. IEEE Transactions on Automatic Control, 2006. To appear.
A Syntax of Temporal Logic

Temporal logic is a formalism for describing properties of sequences of states as well as of tree structures of states using temporal operators and path quantifiers. The following temporal operators are used for describing the properties along a specific path:
• X ("next time"): requires that a property hold in the next state of the path.
• U ("until"): used to combine two properties. The combined property holds if there is a state on the path where the second property holds, and at every preceding state on the path, the first property holds.
Two path quantifiers are used to specify that all the paths or some of the paths starting at a state have some property.
• A: for all paths.
• E: for some paths.
There are two types of formulas in CTL*: state formulas (which are true in a specific state) and path formulas (which are true along a specific path). Let AP be the set of atomic propositions and p an element of it. Let f1 and f2 be state formulas, and g1 and g2 be path formulas. We inductively define state formulas using rules S1–S3 and path formulas using rules P1–P3:
S1 If p ∈ AP, then p is a state formula.
S2 If f1 and f2 are state formulas, then so are ¬f1 and f1 ∧ f2.
S3 If g1 is a path formula, then Eg1 and Ag1 are state formulas.
P1 Each state formula is also a path formula.
P2 If g1 and g2 are path formulas, then so are ¬g1 and g1 ∧ g2.
P3 If g1 and g2 are path formulas, then so are Xg1 and g1 U g2.
CTL* formulas are the state formulas generated by the above rules. The linear temporal logic (LTL) is obtained by removing rules S2–S3, and the universal fragment of CTL* is obtained by removing Eg1 from rule S3.
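A recognizer for the grammar above, as an added example that is not code from the paper. Formulas are nested tuples over atomic propositions written as strings, and the checks follow rules S1–S3 and P1–P3 literally: the universal fragment is obtained by disallowing E in rule S3, and LTL is read as the path formulas obtainable without any path quantifier (rules S2–S3 removed). The formulas in the comments and in classify() are constructed illustrations. is_universal_nnf goes beyond the appendix: it applies the usual negation-normal-form convention for the universal fragment, which is an assumption noted in the code.

```python
"""CTL* syntax checker for Appendix A. A formula is a string (atomic proposition) or a
tuple (operator, args...) with operators "not", "and", "X", "U" and the path quantifiers
"A" and "E"; e.g. ("A", ("U", "p", ("X", "q"))) stands for A(p U Xq)."""

ALL_QUANTIFIERS = ("A", "E")


def _node(f):
    """Split a compound formula into (operator, arguments); None for malformed input."""
    if isinstance(f, tuple) and f and isinstance(f[0], str):
        return f[0], f[1:]
    return None


def is_state_formula(f, quantifiers=ALL_QUANTIFIERS):
    """Rules S1-S3; `quantifiers` restricts rule S3 (("A",) gives the universal fragment)."""
    if isinstance(f, str):                                  # S1: atomic proposition
        return True
    node = _node(f)
    if node is None:
        return False
    op, args = node
    if op == "not" and len(args) == 1:                      # S2: negation
        return is_state_formula(args[0], quantifiers)
    if op == "and" and len(args) == 2:                      # S2: conjunction
        return all(is_state_formula(g, quantifiers) for g in args)
    if op in quantifiers and len(args) == 1:                # S3: path quantifier over a path formula
        return is_path_formula(args[0], quantifiers)
    return False


def is_path_formula(f, quantifiers=ALL_QUANTIFIERS):
    """Rules P1-P3; with quantifiers=() this is LTL (rules S2-S3 removed)."""
    if is_state_formula(f, quantifiers):                    # P1: every state formula
        return True
    node = _node(f)
    if node is None:
        return False
    op, args = node
    if op == "not" and len(args) == 1:                      # P2: negation
        return is_path_formula(args[0], quantifiers)
    if op == "and" and len(args) == 2:                      # P2: conjunction
        return all(is_path_formula(g, quantifiers) for g in args)
    if op == "X" and len(args) == 1:                        # P3: next time
        return is_path_formula(args[0], quantifiers)
    if op == "U" and len(args) == 2:                        # P3: until
        return all(is_path_formula(g, quantifiers) for g in args)
    return False


def classify(f):
    """Which of the appendix's logics admit f: CTL*, its universal fragment, and LTL."""
    return {"ctl_star": is_state_formula(f),
            "universal": is_state_formula(f, ("A",)),
            "ltl": is_path_formula(f, ())}


def is_universal_nnf(f):
    """Stricter check (assumption beyond the appendix, the usual ACTL* convention): a
    universal-fragment formula whose negations apply to atomic propositions only, so
    that E cannot be expressed indirectly as not-A-not."""
    def nnf(g):
        if isinstance(g, str):
            return True
        op, args = _node(g)                                 # f is well formed, so never None here
        return isinstance(args[0], str) if op == "not" else all(map(nnf, args))
    return is_state_formula(f, ("A",)) and nnf(f)
```

classify(("A", ("U", "p", ("X", "q")))) reports a CTL* formula that lies in the universal fragment but is not LTL (it carries a path quantifier); ("U", "p", ("X", "q")) on its own is an LTL path formula but not a CTL* state formula, and ("E", ("X", "p")) is CTL* outside the universal fragment. The stricter is_universal_nnf rejects ("not", ("A", ("not", "p"))), which the literal rules accept although it means EXp-style existential quantification over the path.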