Trace-DC Hierarchical Supervisory Control


Paul Hubbard 1 2 Peter E. Caines 2 3 Department of Electrical Engineering, McGill University 3480 University, Montreal, QC, H3A 2A7 fpeterc, [email protected]

Abstract We present a hierarchical control theory for supervisory automata based on state aggregation. Conditions are determined on state partitions which ensure that the control of transitions between blocks in a high-level (i.e. aggregated) model, combined with local state-dependent controls, is effective in the sense of achieving specifications given either for the high-level model or for the low-level system. A design methodology is proposed for the construction of the necessary partitions. We show this formulation of hierarchical supervision satisfies the consistency conditions in the existing language-based hierarchical supervisory control theory. Examples are presented including a material transfer line with re-entrant flow and a double queue.

Keywords: discrete event systems, supervisory control, hierarchy, aggregation, dynamical consistency.

1 Introduction

The supervisory control framework for modelling discrete event systems (DES) is an untimed logical model that is expressed in terms of the observation and inhibition of events. Within this framework, system behaviours are described by languages (i.e. sets of strings of events) and the theory seeks to determine which behaviours can be achieved via a supervisor that may inhibit a subset of the system's events (see [22] and references therein, in particular [21]). The immediate complexity issues that arise in DESs due to combinatorial explosion (for examples, see [11, 23]) motivate a hierarchical approach to supervisory control. A hierarchical theory for supervisory control, developed within a linguistic framework, has appeared in [29] and [28]. We present here a hierarchical control theory for this model based on state aggregation. This is expected to have extensions and generalisations in the context of hybrid control systems where continuous and discrete base systems are abstracted to DESs (see [8, 9]). State-dependent control in the supervisory framework has been considered previously in [20, 19]. The distinct characteristic of the present work is that the state aggregation is based upon Dynamical Consistency (DC). This is a notion developed in the context of forced event (positive-imperative) control in [10, 6], generalised to differential control systems in [9] and which, further, is related to notions in a purely graph theoretic setting (see [13]) and in computer science (see [4, 14]). An aggregated modular approach to controller reduction also appeared in [27]. An analysis of Petri Nets based on refinement and abstraction appeared in [26] with a corresponding analysis of policies that enforce liveness in [25]. The present work builds on [7, 16, 17]. We give definitions for the partitions and high-level dynamics for the hierarchical supervisory control automaton. Our primary interest is the problem of ensuring (non-blocking) accessibility of the designated states and we show this problem may be decomposed and solved in a hierarchical fashion with local control in conjunction with control at the aggregated level. We supply an algorithm (called the Vocal Lifting (VL) algorithm), to be implemented at the design stage, that constructs a partition with the necessary properties through extension of the low-level system and enhancement of the observation map. These notions are illustrated with a transfer line example of a physical plant with material feedback (see [29, 12]).

1 Supported by NSERC Industrial PGS and General Electric R & D, Schenectady, N.Y.
2 Partially supported by NSERC grant number OGP 0001329 and NASA-Ames Research Center grant number NAG-2-1040.
3 Also affiliated with the Canadian Institute for Advanced Research. A portion of this work was performed while the second author was with the Dept of Mechanical and Automation Engineering, The Chinese University of Hong Kong, Shatin, N.T., Hong Kong (1997-98).

2 State Aggregation In Supervisory Control

We consider the supervisory automaton

G = (X; u[_ c; ; Q0 ; Qm )

(1)

where X is the set of states,  = u[_ c is an alphabet of event labels,  : X   ?! X is the (partially-defined) transition function. All (observed) admissible initial states q0 lie in Q0 and Qm is the set of marked goal states. The alphabet of event labels is divided into a set of controllable labels c which may be disabled by an external control and a set of uncontrollable labels u which must always be permitted. We shall construct abstractions of the system via partitions of the state set. Accordingly, we define the partition  = fX1 ; X2 ; ::; :XN g with S Xi = X , Xi 6= ;; 1  i  jj, and Xi \ Xj = ; for i 6= j . Formally, an initial state-set is defined in (1) in order to maintain a self-similar layering in the hierarchy of state-set partitions, i.e. a given supervisory automaton may be represented as a single state in a larger system. For any given sample run of the system, it is assumed the start state at the low level is known. Also, at present we only consider fully state-observable systems at each level. In what follows, we develop a description of the dynamics between partition blocks and therefore, motivated by the analysis in [6], we make the following definitions.

Definition 2.1 I (Xi ; Q0 ) The In-set I (Xi ; Q0 ) of a partition block Xi is the set of states in Xi that are either in the initial state set or directly accessible (i.e. one step accessible) from the complement of the block, i.e.

x 2 I (Xi ; Q0) () [ x 2 Q0 \ Xi _ 9x0 2 XiC :9u 2 :(x0 ; u) = x]:

2

Definition 2.2 hXi ; Xj iu The relation hXi ; Xj iu holds for i 6= j whenever, for each state x in the in-set of Xi , there exists an uncontrollable path initiating at x, and remaining in Xi until terminating at the in-set of Xj , i.e.

hXi ; Xj iu ()8x 2 I (Xi ; Q0 ):9 2 u: (x; ) 2 Xj ^ 80 < ; (x; 0 ) 2 Xi :

where < is the prefix partial order, i.e. s0  s if s0 is a prefix of s.

2

Definition 2.3 hXi ; Xj id The relation hXi ; Xj id holds for i 6= j whenever, for each state x in the in-set of Xi , there exists a path initiating at x, and remaining in Xi until terminating at the in-set of Xj and all such paths contain a controllable transition, i.e.

hXi ; Xj id () 8x 2 I (Xi ; Q0 ):9 2 : (x; ) 2 Xj ^ 80 < :(x; 0 ) 2 Xi ^ 8x 2 I (Xi ; Q0 ): 6 9 2 u: (x; ) 2 Xj ^ 80 < :(x; 0 ) 2 Xi :

2

Note that hXi ; Xj id and hXi ; Xj iu cannot hold simultaneously. We may now formally define the abstraction which is itself a supervisory automaton.

Definition 2.4 -partition automaton We define the -partition automaton,

G = (; u [_ c ;  ; Q0 ; Qm )

where  = fX1 ; ::::XN g is the set of states. When hXi ; Xj id holds between two blocks, we define a -level disableable transition Uij . Similarly, when hXi ; Xj iu holds we define an undisableable level transition Vij . The (partially-defined) -level transition function,  :    ! , is defined such that when a transition exists, it forms a directed edge between the associated states, i.e. hXi ; Xj id =)  (Xi ; Uij ) = Xj , and hXi ; Xj iu =)  (Xi ; Vij ) = Xj : The set of -level initial states is Q0 def = fXi 2 jXi \ Q0 6= ;g. The set of -level goal states is Qm def = fXi 2 jXi \ Qm 6= ;g. 2

Figure 1 illustrates the hierarchical aggregation scheme in Definition 2.4.

Figure 1: Aggregation and the -partition automaton

Definition 2.5 Trace-DC A -partition automaton G is Trace-DC iff

8 pairshXi; Xj i: fhXi ; Xj iu _ hXi ; Xj id _ :[9w 2 :9x 2 Xi :9x0 2 Xj : (x; w) = x0]g:

2

The Trace-DC definition ensures that -level transitions are realized by trajectories in the low-level automaton and also that low-level trajectories are always represented in the -partition automaton. We stress that the Trace-DC property of a -partition automaton depends upon the properties of the partition  and the low-level automaton. The unmarked language, i.e. the set of strings of event labels accepted by the automaton G but not necessarily ending at the goal set, is denoted as L(G). The marked language is denoted Lm (G). Languages may be defined on the high-level alphabet  in a similar fashion, i.e. L(G ); Lm (G ) and when necessary, we will include a superscript, e.g. K   L(G ) to emphasise the layer at which the language is defined.
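The in-set, the two block relations and the Trace-DC test of Definitions 2.1 to 2.5 can be checked mechanically on a small automaton. The Python below is an added example, not code from the paper; the names `delta`, `sigma_u`, `sigma_c`, the labels "U"/"V", the constructed six-transition automaton, and the choice to treat a block with an empty in-set as having no relation to other blocks are assumptions made here.

```python
"""In-sets, block relations and the Trace-DC test for a partitioned automaton."""
from collections import deque
from itertools import permutations


def in_set(block, delta, q0):
    """Definition 2.1: states of `block` that are initial or entered in one
    step from outside the block."""
    entered = {dst for (src, _ev), dst in delta.items()
               if src not in block and dst in block}
    return (set(q0) & block) | entered


def reaches(x, block, target, delta, allowed):
    """True if some path from x, using only events in `allowed`, stays inside
    `block` until its final step lands in `target`."""
    seen, queue = {x}, deque([x])
    while queue:
        state = queue.popleft()
        for (src, ev), dst in delta.items():
            if src != state or ev not in allowed:
                continue
            if dst in target:
                return True
            if dst in block and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return False


def classify(bi, bj, delta, q0, sigma_u, sigma_c):
    """Return "V" if the uncontrollable relation (Definition 2.2) holds from
    bi to bj, "U" if the disableable relation (Definition 2.3) holds, None if
    no one-step transition joins the blocks, and "violation" otherwise."""
    entry = in_set(bi, delta, q0)
    unc = [reaches(x, bi, bj, delta, sigma_u) for x in entry]
    any_path = [reaches(x, bi, bj, delta, sigma_u | sigma_c) for x in entry]
    # Assumption of this example: an empty in-set yields neither relation.
    if entry and all(unc):
        return "V"
    if entry and all(any_path) and not any(unc):
        return "U"
    direct = any(src in bi and dst in bj for (src, _ev), dst in delta.items())
    return "violation" if direct else None


def partition_automaton(partition, delta, q0, sigma_u, sigma_c):
    """Build the high-level edges of Definition 2.4 and list the block pairs
    that break the Trace-DC condition of Definition 2.5."""
    edges, violations = {}, []
    for i, j in permutations(sorted(partition), 2):
        kind = classify(partition[i], partition[j], delta, q0, sigma_u, sigma_c)
        if kind == "violation":
            violations.append((i, j))
        elif kind is not None:
            edges[(i, j)] = kind
    return edges, violations


# Constructed sample data (not taken from the paper's figures).
SIGMA_U = {"v1", "v2", "v3"}          # uncontrollable labels
SIGMA_C = {"c1", "c2"}                # controllable labels
Q0 = {1}
PARTITION = {"A": {1, 2, 3}, "B": {4}, "C": {5}}
BASE_DELTA = {(1, "v1"): 2, (2, "c1"): 4, (1, "v2"): 3, (3, "v3"): 5}
# Adding a re-entrant transition B -> A makes state 2 an in-set state of A;
# from state 2 there is no path to C inside A, so neither relation holds for
# (A, C) although the one-step transition 3 -> 5 still exists.
REENTRANT_DELTA = dict(BASE_DELTA)
REENTRANT_DELTA[(4, "c2")] = 2

if __name__ == "__main__":
    for name, d in (("base", BASE_DELTA), ("re-entrant", REENTRANT_DELTA)):
        edges, bad = partition_automaton(PARTITION, d, Q0, SIGMA_U, SIGMA_C)
        print(name, "edges:", edges, "Trace-DC violations:", bad)
```

The second run shows the effect of the universal quantification over the in-set: a single new entry point into block A is enough to lose the Trace-DC property for the pair (A, C).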

2.1 Maps from low-level systems to high-level systems

We define the canonical map (for states)  : X ?! ;  (x) = Xi if x 2 Xi ; 1  i  jj; and extend this in the natural way to domains of successively greater complexity:

(state-sets)  : 2X ?! 2 ,  (R) = fX 2 jX \ R 6= ;g

(strings of event labels)  : L(G) ?! L(G ),  () = ;
 (w) =
 ()Uij if (x0 ; ) 2 Xi ; (x; w) 2 Xj and hXi ; Xj id for some 1  i; j  jj;
 ()Vij if (x0 ; ) 2 Xi ; (x; w) 2 Xj and hXi ; Xj iu for some 1  i; j  jj;
 () if (x0 ; ) 2 Xi and (x; w) 2 Xi for some 1  i  jj;
where  2  and w 2 . We note that  : L(G) ?! L(G ) is well-defined only when G is Trace-DC. We denote the set of sub-languages of L(G) by 2L(G) .

(languages)  : 2L(G) ?! 2L(G ) ,  (K ) = f ()j 2 K g

(Mealy Machine Output)  : X   ?!  [ fg ,

8 j > > Vi if x 2 Xi ; (x; w) 2 Xj ; and hXi ; Xj iu ; > :

(2)

 otherwise

The low-level system G together with the output map  given in (2) form the Mealy machine

G = (X; ;  ; ;  ; Q0):

(3)

The interpretation of (3) is that symbols from  vocalise the crossing of partition boundaries.

2.2 Mealy and Moore representations

To compare the notions of Trace-DC and output control consistency (see [29] and Section 2.3) we construct an equivalent Moore machine representation

G~  = (X   ; ;  ; ~; ~  ; [q0; A0 ]) (4)

from the Mealy representation G . This can be done, in general, by embedding the states X in a new state-set X~ = X   (see [15] p. 44 for instance). The output function of a Moore machine is based solely on the current state, i.e. ~  : X~ ?!  , while that of the Mealy machine may also depend upon the current transition, as shown in (2). The interpretation of the Mealy to Moore translation is that the information about the current transition event is carried in the state of the Moore machine. Hence we define, ~([x; A]; a) = [(x; a);  (x; a)] 2 X   ; ~  ([x; A]) = A: for x 2 X , A 2  , a 2 . A0 in (4) is an arbitrary member of  . An example of the Mealy to Moore construction is given in Appendix 7.1. In practice, for a Mealy machine created via (2) and (3), the construction of the equivalent Moore representation only requires extending the state space at specific states, i.e. those states which (a) are in-set states and (b) have arriving transitions from two or more different blocks Xi1 ; :::; Xin . Such a state x is then replaced with the states [x; i0 ]:::[x; in ]. The remaining states need only be replaced by one state [x0 ; A0 ], where A0 may be chosen arbitrarily.

2.3 Comparison between Trace DC and Output Control Consistency (from [29])

A Moore automaton is said to be output control consistent when the high-level alphabet can be divided unambiguously into controllable transitions (inhibitable) and uncontrollable transitions (see Appendix 7.2 or [29] p.1129 for a formal definition of output control consistent).

The conditions of Trace-DC for G and output control consistent for the associated G~  are incomparable. Trace-DC includes a universal quantification over the in-set in a given block which is not needed for output control consistency, while output control consistency requires that high-level uncontrollable transitions never be instantiated by controllable paths, which is allowable in the definition of hiu . Counter-examples are shown in Appendix 7.3. We note that the definition hiu for uncontrollable -level transitions can be strengthened to hisu (strongly uncontrollable) with the additional requirement that there be no paths from the in-set to the next block which contain any controllable events. With this strengthening of hiu to hisu , it may be shown that if G is Trace-DC then G~  is output control consistent. It is significant that, as is shown in Section 4, the Trace-DC and output control consistent conditions achieve the same property of preserving language controllability under mapping from low-level to high-level image.

3 Control of the -Automaton

A supervisor for the automaton G with start state q0 in Q0 is a function, f  fq0 :  ?! 2 specifying a set of enabled (i.e. not controller disabled) transitions which immediately follow any given event sequence ; hence for all  we have u  f ()  . After  has occurred, the controlled automaton may evolve with any transition w satisfying ((x0 ; ); w)! and w 2 f (). At the  level, we define a supervisor in a similar fashion to that at the low level, i.e. F  :  ?! 2 : We observe that, due to the fact that  automata possess unique event labels (the labels Uij being indexed by the preceding and following blocks Xi and Xj ), a starting state-set jQ0 j  1, does not lead to nondeterministic behaviour at the  level. In this paper, as stated earlier, we assume full observability of the state at the low level. We consider only state-feedback control within each local block, i.e. at each block Xi , f : Xi ?! 2 specifies the enabled transitions at the states within Xi .

Example 1 Figure 2 illustrates two low-level automata and two partition automata. It can be checked that G1 is Trace-DC. There are four control inputs possible at X1 in G1 and these can be enacted in G1 by the low-level state-feedback controls
f1 : x3 7! u ; f1 : x5 7! u which enables neither U12 nor U13 in G1 ,
f2 : x3 7! u [ fu1 g; f2 : x5 7! u which enables U12 ,
f3 : x3 7! u ; f3 : x5 7! u [ fu3 g which enables U13, and
f4 : x3 7! u [ fu1; u2 g; f4 : x5 7! u [ fu3 g which enables both U12 and U13
(it is assumed fk (xj ) = u for 1  k  4; j = 1; 2; 4). In the second example, on the right of Figure 2, it is the case that G2 is Trace-DC, but there is no low-level control which disables only U13 at X1 in G2 . 2

Figure 2: Examples of Trace-DC partition automata

We now define a local automaton for each block Xi that is parameterised by a start state x 2 I (Xi ; Q0) and a set of goal states Q.

Definition 3.1 GXi+ (x; Q) We define the sub-automaton GXi+ (x; Q) of the automaton G = (X; ; ; Q0 ; Qm ) by

GXi+ (x; Q) = (Xi+; ; Xi+ ; x; Q)

where Xi+ = Xi [fx0 2 Xic j9w 2 :9y 2 Xi :(y; w) = x0 g, i.e. the block Xi and the states reachable from Xi in one transition. Xi+ is  with domain restricted to the set Xi   and x and Q are parameters (a state and state-set, respectively) for the sub-automaton. 2

We may formulate the controllability notions for state-feedback control and non-blocking accessibility (of target states) with the following definition.

Definition 3.2 (Non-Blocking) Controllable State-Sets A set R  X is controllable with respect to the automaton G = (X; u [ c; ; x0 ; Qm ) if the following hold:
1: 8x 2 R:9 2 : (x0 ; )= x ^ 80  :(x0 ; 0 ) 2 R (R-reachable)
2: 8x 2 R: 6 9u 2 u:(x; u) 2 RC (closed with respect to u)

Additionally, R is (non-blocking) controllable with respect to the automaton G if the following condition also holds:
3: 8x 2 R:9 2  : [(x; ) 2 Qm ^ 80  :(x; 0 ) 2 R] (Non-Blocking)

2

For completeness, we also include the analogous definition for languages (see [21]).

Definition 3.3 (Non-Blocking) Controllable Languages A language K  L(G) is controllable with respect to the automaton G = (X; u [ c ; ; x0 ; Qm ) if K u \ L(G)  K . The language K is non-blocking if K = K \ Lm(G). 2

We recall from [20] that there exists a state dependent control that realizes each R-reachable, controllable state-set R (in the sense that, under the set of enablements prescribed by the control, the reachable set is R). Furthermore for each R-reachable, controllable set R, there exists a unique maximally enabling (permissive) state dependent control, i.e. one that enables the largest possible set of events at each reachable state. Define the operation [ on supervisors by f [ g : L(G) ?! 2; f [ g() def = f () [ g(), i.e. f [ g inhibits a transition only if both f and g inhibit the transition. The maximally enabling state dependent control realizing R as the reachable set can be found by taking the union, S f , over all state dependent controls f that realize R. In the context of languages, the analogous result is that there exists a history-dependent control for each prefix-closed controllable language (see [21]).

3.1 Internal requirements for controllability

The control inputs at the  level are disablements of -level transitions but must be enacted by local low-level state-dependent supervisors. This requires the existence of a low-level controllable state-set in the sub-automaton that overlaps any neighbouring blocks requested by the -level control. The key point as far as achieving specifications at the  level is whether there is a controllable state-set to instantiate every set of disablements at the  level; this is the issue illustrated in the examples above.

To ensure that there is such a state-set in each block, we define the following condition for a block Xi and the collections of blocks Pid = fXj : hXi ; Xj id g, Piu = fXj : hXi ; Xj iu g. This is the counterpart to the IBC definition found in [6] for forced event systems.

Definition 3.4 (Non-Blocking) In Block Controllable (IBC) Partition Automaton A Trace-DC partition automaton is (non-blocking) IBC if for all blocks Xi , both of the following hold,
(i) 8Xj 2 Pid :8x 2 I (Xi ; Q0 ):9RXXij;x  Xi+ such that
1: 8k:[Xk \ RXXij;x 6= ;] () [k = i _ k = j _ Xk 2 Piu ]; and
2: RXXij;x is (non-blocking) controllable w.r.t. the sub-automaton GXi+ (x; Piu [ [Xj \ Xi+ ]):
(ii) [Xi \ Qm 6= ;] =) 8x 2 I (Xi ; Q0 ):9RXQmi ;x  Xi such that
1: Qm \ RXQmi ;x 6= ;; and
2: RXQmi ;x is (non-blocking) controllable w.r.t. the sub-automaton GXi+ (x; Qm \ Xi ):
We will refer to the partition  as (non-blocking) IBC when G is (non-blocking) IBC.

2

Example 2 Figure 3 shows four of the required controllable state-sets for condition (1) of the (non-blocking) IBC condition (shown as shaded regions). The slanted inhibition lines are used to represent "inhibitable but not inhibited". Consider the third state-set (from the left) in which the high-level transition U13 is inhibited. Blocks X2 and X4 are still (non-blocking) accessible from x0 as the set RXX12;x0 is (non-blocking) controllable with respect to the automaton GX1+ (x0; fx2 ; x3g):

We note that due to the definition of h; iu , any controllable subset R 2 Xi+ must always contain states from each block in Piu .


Figure 3: The required (non-blocking) controllable state-sets for (non-blocking) IBC condition (i) for the in-set state x0

Condition (ii) of the (non-blocking) IBC condition assures that, within each -level goal state, non-blocking goal state reachability is guaranteed to hold. Unfortunately, unlike the situation in [10, 6, 8], the (non-blocking) IBC condition is preserved under neither the greatest lower bound (intersection) nor the least upper bound (chain union) operations in the lattice of partitions. An example of the loss of the (non-blocking) IBC condition under the chain union operation is given in Figure 19 in Appendix 7.4.

3.2 Synthesis of supervisors through sequential refinement

We note that singleton blocks satisfy trivially the requirements in the definition of (non-blocking) IBC, hence the identity partition, id = X is (non-blocking) IBC. A Trace-DC hierarchical control structure is a chain, or sequence of (non-blocking) IBC partitions of increasing refinement. Our key motivation is that specification, design and analysis may be performed at any level of granularity and the resulting feedback controls may be translated down this chain of partitions, yielding subsequent levels of control refinement. Definition 3.4 posits the existence of controllable state-sets. Hence for a given (non-blocking) IBC partition automaton, for each hXi ; Xj id ; (1  i; j  jj) and x 2 I (Xi ; Q0 ), we may find the maximal (non-blocking) controllable state-set, which we will label RXXij;x , by taking the union of all sets satisfying the (non-blocking) controllable condition. Similarly, for each block Xi 2 Qm (1  i  jj) and state x 2 I (Xi ; Q0 ), we label the maximal (non-blocking) controllable state-set by RXQmi ;x. We label the maximally permissive state dependent controls which realize RXXij;x and RXQmi ;x by fXXij;x : Xi ?! 2 and fXQim;x : Xi ?! 2 respectively. For a -level language specification K   L(G ) , the following scheme translates the control H  : L(G ) ?! 2 , which synthesises K  in G , to a low-level control hlow : L(G) ?! 2 (now possibly history-dependent by the dependence on H  in its construction). The scheme is illustrated in Figure 4.

IBC Synthesis Algorithm KIBC low ()

Input : H 

[a] For s 2 L(G) such that  (s) = , let

hlow (s) = [ W 2H  () fX 0(;xX00 ;W )((x0 ; s)):

[b] For s 2 L(G) such that  (s) = S , let

hlow (s) = [ W 2H  (S ) fX 0(;xX00 ;W )((x0 ; s)); 0

where X 0 =  (X0 ; S ), x00 = (x0 ; s0 ) and s0 is a minimal string such that  (s0 ) = S and s0  s (i.e. for any other s00 satisfying these requirements, s0  s00  s).

[c] Finally, for s 2 L(G) such that  (s) = S 2 Lm (G ),

hlow (s) = fXQ0m;x00 ((x0 ; s));

where, again, X 0 =  (X0 ; S ), x00 = (x0 ; s0 ) and s0 is a minimal string such that  (s0 ) =  (s) and s0  s.

Output: hlow

We label the unique low-level language resulting from the control hlow as KIBC low (K  ). An illustration of this high-to-low synthesis for (non-blocking) IBC partitions is provided in Section 6 in the context of manufacturing systems.

4 Controllable Sub-Languages of the -Automaton

We show first that the Trace-DC condition alone achieves the same consistency result as that of output control consistency; namely that the -level image of a controllable language is controllable.

Theorem 4.1 Consider a Trace-DC partition  of X in the automaton G = (X; u [_ c; ; Q0 ; Qm ); and any x0 2 Q0 . If a language K is non-blocking and controllable w.r.t. G then  (K ) is non-blocking and controllable w.r.t.

G = (; u [_ c ;  ; Q0 ; Qm );

where Q0 def = fXi 2 jXi \ Q0 6= ;g and Qm def = fXi 2 jXi \ Qm 6= ;g.

Figure 4: Translation of control from high to low levels

Proof:

Let  2  (K ) and V 2 u and let  V 2 L(G ). Also, let  2 K be an instantiating string such that  () =  . That  (K ) is non-blocking and controllable can be shown (independently) as follows.

(controllable) V represents an uncontrollable DC link hXi ; Xj iu for some 1  i; j  jj. Let 0   be such that (x0 ; 0 ) 2 I (Xi ; Q0 ). Since hXi ; Xj iu , 0 can be continued by s 2 u such that (x0 ; 0 s) 2 Xj . But K is controllable, so 0s 2 K , meaning  V =  (s) 2  (K ). Hence  (K ) is controllable.

(non-blocking) As K is non-blocking,  can be continued by some s 2  to the goal states. All low-level goal states are contained in -level goal states so the image  () can be continued to  (s) such that  (X0 ;  (s)) 2 Qm .

We are primarily interested in the (non-blocking) controllability of state-sets for our analysis of non-blocking accessibility of the goal state and therefore make the following observations. First, note that for any non-blocking, controllable subset R, there exists a unique maximal non-blocking and controllable language LR that has R as the reachable state-set. Second, note that for any non-blocking, controllable language K , the (unique) reachable state-set must also be non-blocking and controllable. Hence we have the following corollary:

Corollary 4.1 Consider a Trace-DC partition  of X in the automaton G and any x0 2 Q0 . If R  X is (non-blocking) controllable w.r.t. G then  (R) is (non-blocking) controllable w.r.t. G .

Proof: It can be verified that the reachable set (of -level states) associated with  (LR ) is  (R). The (non-blocking) controllability of  (R) follows from that of  (LR ) (which is non-blocking and controllable via Theorem 4.1).

The construction in the previous section via the synthesis algorithm KIBC low allows the formation of a low-level language KIBC low (K  ) from a high-level specification K  . We now show that this construction is effective in the sense that it yields a non-blocking, controllable low-level language which has the correct image K  .

Theorem 4.2 Consider a (non-blocking) IBC partition  of X in the automaton G = (X; u[_ c; ; Q0 ; Qm ) and any x0 2 Q0 . If K  is non-blocking and controllable w.r.t. G = (; u [_ c ;  ; Q0 ; Qm ) then KIBC low (K  ) is non-blocking and controllable w.r.t. G and  (KIBC low (K  )) = K  .

Proof:

(controllable) Let  2 KIBC low (K  ) and let v 2 u be such that v 2 L(G). Let 0 be the shortest prefix of  with the same image (i.e. 0   and  (0 ) =  () =  and for any other such 00 , 0  00 ). Further, let x0 = (x0 ; 0 ) and X 0 =  (X0 ;  ).

The string  is realizable under hIBC low (i.e. is an element of the language generated by G under the control hIBC low ) since, by assumption,  2 KIBC low (K  ). So for at least one W 2 H  ( ) with X 00 =  (X 0 ; W ), it is the case that v 2 fXX0;x0 ((x0 ; )) (or fXQ0m;x0 ((x0 ; )) if X 0 is already in the goal set Qm ). Hence,

v 2 hIBC low (  ) = [ W 2H  ( ) fX 0;x0  (X0 ; W )

and therefore KIBC low (K  ) is controllable.

(non-blocking) Let  2 KIBC low (K  ), and let  =  () be continued by S = S1 S2    SjS j, where Si 2  ; i = 1:::jS j, such that  (X0 ;  S ) 2 Qm (which is possible as K  is non-blocking).

We may recursively construct an instantiating string s = s1 s2    sjS j+1, si 2  , by finding, in succession:

[a] s1 such that s1 2 KIBC low and

(x0 ; ) ?! s1 I ( (X0 ;  S1); Q0 );

[b] si , for 2  i  jS j, such that s1    si 2 KIBC low (K  ) and

I ( (X0 ;  S1S2    Si); Q0 ) ?! si I ( (X0 ;  S1S2    Si+1; Q0 ));

[c] sjS j+1 such that

I ( (X0 ;  S ); Q0 ) ?! sjS j+1 Qm :

In cases [a] and [b], such a string exists because A(S;i+1) hIBC low ()  fA(S;i);B(s;i) ((x0 ; ));

where A(S; i) =  (X0 ;  S1 S2    Si) and B (s; i) = (x0 ; s1 s2    si). This is the case for all  such that  () =  S1 S2    Si since S(i+1) 2 H  ( S1 S2    Si), by assumption, and the application of each local function f; results in a (non-blocking) controllable state-set. For the case i = jS j + 1, we can find a string to instantiate the final portion within the high-level goal state  (X0 ;  S ), because we use the local non-blocking control fQm(X0 ; S );(x0 ;s) . Hence for any  2 KIBC low (K  ), there exists s such that s 2 KIBC low (K  ) and (x0 ; s) 2 Qm . Hence KIBC low (K  ) is non-blocking.

(K    (KIBC low (K  ))) Let S = S1 S2    SjS j 2 K  . S may be instantiated by s 2 KIBC low (K  ) such that  (s) = S ; this is by the same construction used for the proof above of non-blocking starting from the empty string  and leading to the block  (X0 ; S ). Hence S 2  (KIBC low (K  )).

( (KIBC low (K  ))  K  ) Let S = S1 S2    SjS j 2  (KIBC low (K  )) and s = s1 s2 :::sjS j 2 KIBC low (K  ) be such that for each i, (x0 ; s1 s2:::si) 2 I ( (X0 ; S1 S2    Si); Q0 ), i.e. for each pair SiSi+1, si connects in-set to subsequent in-set.

Recall the construction of hlow in  (X0 ; S1 S2    Si ), and the fact that non-blocking controllability and reachability from a given start state are closed with respect to union. Hence it is the case that (x0 ; s1 s2    si+1) is reachable from I ( (X0 ; S1S2    Si); Q0 ) if and only if Si+1 2 H  (S1 S2    Si). But this means S is a realizable string under the application of H  , i.e. S 2 K  . By the very specification of  and the definition of controllable state subsets in the -partition automaton G , we obtain:

Corollary 4.2 Consider a -level (non-blocking) IBC partition of X in the automaton G and any x0 2 Q0. If R   is (non-blocking) controllable w.r.t. G then there exists a set R  X which is (non-blocking) controllable w.r.t. G such that  (R) = R .

Proof: To R can be associated a unique maximal non-blocking controllable language KR  . From Theorem 4.2, KIBC low (KR ) is non-blocking, controllable and  (KIBC low (KR )) = KR . Hence the reachable state-set R associated with KIBC low (KR ) also has these properties.

4.1 Hierarchical Consistency (from [29]) and (non-blocking) IBC

To further the comparison with [29] (in the light of Theorem 4.2) we give the relevant definition of hierarchical consistency. Let Glo = (Z; ; T; ; ; x0 ) be a Moore automaton where  : Z ?! T is an output map from state to output symbols in T . In analogy with the map  defined in Section 2, the map  can be extended to  : 2L(Glo ) ?! 2T  which associates to each low-level language Elo a high-level language Ehi composed of strings of symbols observed along the state trajectories of the strings in Elo . Let Ghi be an automaton with alphabet T , i.e. L(Ghi )  T  .

Definition 4.1 Hierarchical Consistency ([29])

A pair (Glo ; Ghi) possesses hierarchical consistency if Lm (Ghi) = (Lm (Glo )) and for every non-empty, closed, controllable language Ehi  Lm (Ghi), (?1 (Ehi )" ) = Ehi where ()" is the maximal controllable sub-language operator.

2

We continue to use G~  for the Moore automaton defined in Section 2 via the translation from Mealy to Moore automata. We note that by the construction of G~  , a language is controllable with respect to G if and only if it is controllable with respect to G~  .

Theorem 4.3 Consider a (non-blocking) IBC partition  of X in the automaton G and any choice of x0 in Q0 . Then the pair (G~  ; G ) possesses hierarchical consistency.

2

Proof: Consider E hi  Lm(G ), a non-empty, closed, controllable language, and let Elo" be the maximal controllable language satisfying (Elo" )  E  , i.e. Elo" = (?1 (Ehi ))" . For any choice = IBC IBC (Ehi ) r of x0 2 Q0 , the mapping Ehi ?! Klow Elow of the IBC synthesis algorithm gives a

IBC controllable with respect to G such that (E IBC ) = E hi (by Theorem low-level language Elow low IBC  E " so we have that Ehi  (E " )  (E IBC ) = E hi , and hence 4.2). By assumption Elow low lo lo " ?1 "  ( (Ehi ) ) = (Elo ) = E , as required.

Hierarchical Consistency of the pair (G~  ; G ) does not, in general, imply that G is (non-blocking) IBC. A counter-example is given in Figure 5, where Hierarchical Consistency can be verified by checking the four high-level controllable languages accepted by G and their associated inverse images, e.g.

f; Ag : ?1 f; Ag = f; a; b; ac; beg, (?1 f; Ag)" = f; a; b; acg, ((?1 f; Ag)" ) = f; Ag
f; A; AB g : ?1 f; A; AB g = f; a; b; ac; be; acd; bef g, (?1 f; A; AB g)" = f; a; b; ac; acdg, ((?1 f; A; AB g)" ) = f; A; AB g
f; A; AC g : ?1 f; A; AC g = f; a; b; ac; be; acg; behg, (?1 f; A; AC g)" = f; a; b; ac; acgg, ((?1 f; A; AC g)" ) = f; A; AC g
f; A; AB; AC g : ?1 f; A; AB; AC g = L(G), ((?1 f; A; AB; AC g)" ) = f; A; AB; AC g

Figure 5: A Hierarchically Consistent pair where G is not IBC

This partition is Trace-DC but is not (non-blocking) IBC due to the canonical lack of control of the flow after transition e. It is still possible to discuss these consistency criteria from the perspective of existence of the partitions, i.e. under what conditions does hierarchical consistency imply the existence of (non-blocking) IBC partitions? To treat this issue we develop, in the following section, a so-called Vocalised Lifting (VL) algorithm which extends the state space of the low-level system in order to make the system amenable to state-aggregated hierarchical control.

5 Designing Trace-DC and (Non-blocking) IBC Partition Automata

In this section, we address two questions: (i) in what sense does hierarchical consistency (see previous section) imply the existence of IBC partitions? and (ii) how can (non-blocking) IBC partitions be formed at the design stage?

5.1 Existence of (non-blocking) IBC partitions

For a pair (Glo; Ghi ), where Glo is a Moore automaton and the automaton Ghi is such that L(Ghi) = (L(Glo )), hierarchical consistency does not necessarily imply the existence of a partition ~ of the state space of Glo such that Ghi is isomorphic to the partition automaton G~ . A counter-example is shown in Figure 6. The issue in this example is where to place the low-level state x0 as it cannot accompany the low-level states labelled A; B; C or D without requiring an additional transition at the  level.


Figure 6: A hierarchically consistent pair for which there is no partition automaton isomorphic to Ghi

Motivated by this example we pose the problem of whether, given a hierarchically consistent pair, the low-level state-set and dynamics can be augmented so as to allow a representation as a partition automaton. As discussed in the introduction, the goal is to provide a hierarchical structure that is not only intuitively appealing but functional in the sense that the level of granularity at which design takes place can be chosen to match the design considerations. Such a hierarchical structure can be created by sacrificing minimality for regularity.

5.2 State splitting via a vocalised lifting algorithm

We propose the following vocalised lifting (VL) algorithm which creates a new supervisory automaton VL GVL def = (X VL ; ; VL ; QVL 0 ; Qm )


from G = (X;  = c [ u ; ; Q0 ; Qm ), a supervisory automaton, and a set of seed points Xseed  X . The intention is, eventually, for Xseed to represent the set of observable nodes in a Moore representation.

Algorithm VL

Input: G = (X; ; ; Q0 ; Qm ), Xseed  X

1. (Closure from Seeds) For each node x 2 Xseed [ Q0 , compute the silent (or non-vocalised) forward closure,

Yx = fx0 2 X j9s 2 :(x; s) = x0 ^ 8s0  s:(x; s0 ) 62 Xseedg:

and define the cover K def = fYx j x 2 Xseed [ Q0 g.

2. (State Splitting - definition of X VL and VL ) For each node x: If x 2 Yi1 \ Yi2 \    \ Yin ; 1  n  jKj, define the states VL VL xVLi1 ; xVL i2 ; :::; xin 2 X and let VL xVL i1 2 Yi1 2 VL VL xVL i2 2 Yi2 2 VL  VL VL xin 2 Yin 2 VL

3. (Dynamics - definition of VL ) For all  2  and xVL 2 X VL VL (xVL ; ) = yVL if (i) xVL ; yVL 2 Y VL and (x; ) = y or (ii) y 2 Xseed [ X0 and (x; ) = y: VL

4. (Definition of QVL 0 , Qm ) VL Define the start states and goal states QVL 0 = fx jx 2 Q0 g be VL QVL m = fx jx 2 Qm g respectively.

VL VL Output: GVL def = (X VL ; ; VL ; QVL 0 ; Qm ), Xseed  X

The effect of this algorithm is illustrated in Figure 7, where the nodes in Xseed have been labelled with A and B and the new split states have superscripts tagging them to their respective seed nodes. A growth bound on the state-set cardinality is O(n2 ). In the worst case, all non seed nodes need to be put in each seed node's cover and seed nodes make up 50% of the total nodes.
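An added Python sketch of Algorithm VL (not the authors' code), run on a constructed five-state automaton with seeds A and B. It assumes that case (ii) of step 3 sends every move into a seed to that seed's own block and that the start copy of an initial state is its root copy; all function and variable names are hypothetical. It checks three properties the text states for the lifted automaton: the block count, singleton in-sets, and an unchanged language (here up to a bounded string length).

```python
from collections import deque


def silent_closure(delta, root, seeds):
    """Step 1: states reachable from root on paths that meet no seed after root."""
    block, todo = {root}, deque([root])
    while todo:
        x = todo.popleft()
        for (src, _event), y in delta.items():
            if src == x and y not in seeds and y not in block:
                block.add(y)
                todo.append(y)
    return block


def vocalised_lifting(delta, q0, qm, seeds):
    """Return (states, delta_vl, q0_vl, qm_vl, cover) of the lifted automaton."""
    roots = set(seeds) | set(q0)
    cover = {r: silent_closure(delta, r, seeds) for r in roots}
    # Step 2: one copy (x, r) of x for every block Y_r that contains x.
    states = {(x, r) for r, block in cover.items() for x in block}
    # Step 3: a move into a seed enters that seed's own block (assumed reading
    # of case (ii)); every other move stays inside the current block (case (i)).
    delta_vl = {}
    for (x, r) in states:
        for (src, event), y in delta.items():
            if src == x:
                delta_vl[((x, r), event)] = (y, y) if y in seeds else (y, r)
    # Step 4: assumption: the start copy of an initial state is its root copy.
    q0_vl = {(x, x) for x in q0}
    qm_vl = {(x, r) for (x, r) in states if x in qm}
    return states, delta_vl, q0_vl, qm_vl, cover


def strings_upto(delta, starts, n):
    """All event strings of length <= n generated from the start states."""
    words, frontier = {()}, {((), s) for s in starts}
    for _ in range(n):
        frontier = {(w + (e,), y) for (w, x) in frontier
                    for (src, e), y in delta.items() if src == x}
        words |= {w for w, _ in frontier}
    return words


def entry_states(delta_vl, q0_vl):
    """Per block: start states plus states entered from a different block."""
    entry = {}
    for (x, r) in q0_vl:
        entry.setdefault(r, set()).add((x, r))
    for ((_x, r), _event), (y, r2) in delta_vl.items():
        if r != r2:
            entry.setdefault(r2, set()).add((y, r2))
    return entry


# Constructed automaton: the silent states x and y are shared by seeds A and B.
DELTA = {("q0", "a"): "A", ("q0", "b"): "B", ("A", "c"): "x", ("B", "c"): "x",
         ("x", "d"): "y", ("y", "e"): "A", ("y", "f"): "B"}
Q0, QM, SEEDS = {"q0"}, {"y"}, {"A", "B"}


def check_example(depth=8):
    states, d_vl, q0_vl, _qm_vl, cover = vocalised_lifting(DELTA, Q0, QM, SEEDS)
    return {
        "blocks": len(cover),
        "states": len(states),
        "same_language": strings_upto(DELTA, Q0, depth)
                         == strings_upto(d_vl, q0_vl, depth),
        "singleton_in_sets": all(len(v) == 1
                                 for v in entry_states(d_vl, q0_vl).values()),
    }


if __name__ == "__main__":
    print(check_example())
```

The five original states become seven: x and y each get one copy per seed block, which is the splitting that Figure 7 illustrates.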


Figure 7: Illustration of the VL algorithm

Note that the blocks Y VL in Step 2 form a partition VL , with jVL j = jXseed j + jX0 j. We define the partition automaton GVL in the same manner as Section 2, i.e. GVL = (VL ; u [_ c ; VL ; Q0 VL ; QmVL )

where VL is now the state-set. When hYiVL ; YjVL id holds between two blocks, we define a -level disableable transition Uij . Similarly, when hYiVL ; YjVL iu holds we define an undisableable -level  : VL   ! VL , is defined such that transition Vij . The (partially-defined) transition function, VL when a transition exists; it forms a directed edge between the associated states, i.e.hYiVL ; YjVL id =)  (Y VL ; U j ) = Y VL : The set of VL -level initial states is VL (YiVL; Uij ) = YjVL, and hYiVL; YjVL iu =) VL i j i def  VL VL VL VL = fYiVL 2 VL jYiVL \ QVL Q0 = fYi 2 jYi \ Q0 6= ;g. The set of -level goal states is QmVL def m 6= ;g.

Theorem 5.1 GVL is Trace-DC

Proof: We note first that for every block Y 2 VL: (i) I (Y; Q0 ) = fyg for some y 2 Xseed [ Q0, i.e. in-sets are singletons; and (ii) by construction every node in the block Y is reachable from y.

Consider a pair < Yi ; Yj >; Yi ; Yj 2 VL and let there exist some yi 2 Yi ; yj 2 Yj and w 2  such that VL (yi ; w) = yj . As the node yi is reachable from I (Yi ; Q0 ), there exists at least one path from I (i; Q0 ) to (Yj . It remains to check all such paths and, if there is at least one uncontrollable path then hYi ; Yj iu , otherwise hYi ; Yj id :

We now consider an observation map  : Xseed ?! T , where T is a high-level alphabet. Let (G; ) and (GVL ; ) denote the Moore machines formed via the observation  of the sets X and XVL (with (x) =  for x 62 Xseed ). Note that Xseed is a subset of both X and XVL . We make the following remarks regarding G and GVL .

• A string  in L(G) (= L(GVL)) results in the same string of observations  2 T  whether processed by (G; ) or (GVL ; ).

• The Nerode equivalence classes for the mapping from  to T  defined by the pair (G; ) are identical to those for the map defined by the pair (GVL ; ).

• Any language K 2 L(G)(= L(GVL)) has the same set of controllable sub-languages with respect to G as it does with respect to GVL .

Next we show that there are natural, non-trivial, IBC partitions of GVL when (G; Ghi) are hierarchically consistent and the map  : Xseed ?! T is injective.

Theorem 5.2 Let (G; ) denote a Moore automaton with vocal nodes Xseed  X and let the automaton Ghi = (X hi ; T; hi ; Qhi 0 ; Qhi m ) be such that L(G ) = (L(G)).

If the following conditions hold for all x0 2 Q0 : (i) the pair ((G; ); Ghi ) is hierarchically consistent, and (ii)  : Xseed ?! T is injective, (iii) Lm (G) is controllable w.r.t G then GVL is a (non-blocking) IBC partition automaton, i.e. the partition VL of XVL is (non-blocking) IBC.

Proof: By Theorem 5.1, GVL is Trace-DC. To establish the (non-blocking) IBC property we first note that, at every block Yi 2 VL , all -level control policies are required for some high-level controllable language Ehi. This property holds generally for all deterministic supervisory automata (and hypothesis (ii) ensures that Ghi is deterministic). Specifically, the property can be stated as: for all Yi 2 VL and for all such that

fUij jhXi ; Xj iug   fUij jhXi ; Xj iu _ hXi; Xj id g; there exists a controllable language Ehi  L(Ghi) (and an associated control f  such that L(G =f  ) = Ehi), such that (1) Yi 2 Rbl(G =f  ), (2) = f  (Yi ) and (3) if f  and f 0 are such that L(G =f  ) = L(G =f 0 ) = Ehi, then R(G =f  ) = R(G =f 0 ) and 8Y 2 R(G =f  ) f  (Y ) = f 0 (Y ), and in particular, f  (Yi ) = f 0 (Yi ). From the definition of hierarchical consistency, all Ehi which are controllable, necessarily have at least one controllable low-level counterpart Elow such that (Elow ) = Ehi . This requirement together with the general property above imply that, at all blocks Yi , all -level control policies must have counterpart low-level controllable languages (and therefore state-sets) in the sub-automaton GXi + . This means for all singleton sets Pid = fYj g there must exist a set RYYij;xi0 to satisfy the (non-blocking) IBC property. Note that in-sets are all singletons in GVL . Part (ii) of the (non-blocking) IBC condition follows from hypothesis (iii) directly via the fact that any in-set state x00 of a goal block Xm in GVL is a member of the reachable state-set for Lm (Ghi ). The set of suffixes of strings in Lm (Ghi ) originating at x00 form a (non-blocking) controllable language, and the reachable state-set for this language supplies the required state-set RXQmm ;x00 within the block Xm .

Figure 8 shows the relationship between the two consistency conditions under the assumption that the observation map  is injective (as stated in Theorem 5.2). The many-to-one map hi  is shown to emphasise that the original high-level observations can be re-captured from the VL partition automaton. Figure 9 shows the result for the motivating example in Figure 6.


Figure 8: Hierarchical consistency and (non-blocking)-IBC when Lm(G) is controllable.

Theorem 5.2 extends naturally to systems with three or more layers as hierarchical consistency and the fact that GVL is (non-blocking) IBC are transitive. The VL algorithm, leading to the unentangling of strings via state splitting can be performed either top-down (i.e. split blocks, then split states) or bottom-up leading to the same result.


Figure 9: The relationship in Figure 8 for the example in Figure 6

5.3 Formation of (non-blocking)-IBC partitions as a design issue

In this subsection, we address the issue of the creation of partitions with desired properties at the design stage. First, we note that in many circumstances there may be natural and intuitively appealing partitions of the state-set which, if they are not already (non-blocking) IBC partitions, can be augmented to achieve this property. We provide no algorithms for this procedure in this paper but note that in the case of forced event systems such algorithms exist (see [24]). Second, we note that (non-blocking) IBC partitions can be formed at the design stage by component-wise design. In work in progress (see [5, 18]), we concentrate on finding conditions under which properties such as (non-blocking) IBC are preserved for multi-agent systems formed through synchronous or simultaneous products.

6 Material Transfer Line Examples

We concentrate in this section on applying the theory to the organisation of manufacturing plants. We will examine two examples based on the models in Figure 10 for machines, buffers and testing units. The states I , W , E and F stand for "idle", "working", "empty" and "full", respectively. By assumption, the machines and testing units may be disabled from starting a task, but may not be disabled from finishing. We define a layout for a manufacturing plant as a directed multi-graph where each node is labelled with a primitive, or elementary, symbol corresponding to a simple machine model Gi taken from a small set G of machines (here either a machine, buffer or testing unit). Each transition in the layout S is of the form [Gi ; ; Gj ]; 2 [ic \ jc] [iu \ ju], i.e. the label must be either controllable in both alphabets or uncontrollable in both alphabets. The interpretation of the layout is that pieces are processed by passing through the machines, buffers and testing units along the given transitions. Hence the removal of a piece from one model is accompanied by an associated addition of a piece in another. We assume each transition in the layout may occur independently of all others. A low-level automaton model for a given layout can be found by taking the synchronous product (see Appendix 7.5) of the individual machine and buffer models, with event labels assigned as they appear on the layout (for instance, in Figure 10, the synchronous product of the three automata G1 , G2 and G3 would give a model for a Machine-Buffer-Testing Unit sequence).


Figure 10: The machine, buffer and testing unit models

The control objective in all three examples is to avoid overfilling the buffers while A) maintaining reachability to the "empty" state, i.e. where all buffers are empty and all machines idle and B) allowing maximally permissive use of the machines. This objective can be re-stated as a non-blocking accessibility problem by creating a "dump" state to which all overfill events lead, and from which there are no exiting transitions, i.e. the empty state (the goal) is not accessible from the "dump" state. For illustrative purposes, we will always condense all overfill states (those shaded in Figure 10) to a single "dump" state, as the dynamics once an overfill event may have occurred are considered inconsequential. The intention is for the resulting controls to represent the first layer, designed for safety, of a control architecture. Subsequent stricter control action may be applied by applying, in conjunction with the control for safety, controls that optimise for throughput or minimise time, etc. The examples have been simulated, and data files can be found at [1] for software in the formats of [3] and [2].

6.1 An illustrative example: transfer line with re-entrant flow

We consider the transfer line with re-entrant flow shown in figure 11 (an extension to an example in [29]). Each workpiece must be processed by all the machines, and upon testing by the testing unit, may be accepted or rejected, the latter resulting in another pass through machines M2 and M3.


Figure 11: A material transfer line with re-entrant flow

The state hIIII 000i is identified as both the initial and goal state as it is the "empty" state. The system has 129 states. In figure 12, a portion of the low-level system is displayed. A natural partition based on the number of active pieces is also displayed. Note that the remainder of the state space is similarly partitioned leading to the -level automaton G in figure 13. Note that G is a non-blocking IBC partition automaton and that R is a controllable subset with respect to G . The main result of Section 4 states that the flow, at the level of the -automaton, around the blocks in R can be realized in the low-level system via the IBC Synthesis Algorithm. For example, let H  be a high-level supervisory policy for G such that,

H  (S ) = fu [ U43g for all S with  (X0 ; S ) = X4 i.e. the control applied at the block "X4 : 2 Pieces" is to enable only U43 and hence force the state to X3 . For labelling purposes, let H  result in the language K  . At the low level, the following control, hlow would be synthesised within the block X4 by the IBC synthesis algorithm:

hlow :

xa 7?! f2; 4g; xb 7?! f2; 5g; xc 7?! f2; 6g; xd 7?! f2g; xe 7?! f4g; xf 7?! f5g; xg 7?! f6g; xh 7?! f3g; xi 7?! f4; 6g; xj 7?! f4; 7g; xi 7?! f6g; xk 7?! f7g

Notice, for instance, that the set of possible events that can occur after a string leading to xi includes the event 1. The low-level control hlow inhibits 1 at xi to prevent flow to the block "X5 : 3 Pieces" as U45 is inhibited at the -level by the control H  . Note also that allowing access to this state runs contrary to the control objectives.

6.2 A double queue

We examine the two-stage queue in Figure 15, with buffer size N for both buffers. As a first step, the first machine-buffer-machine sequence is analysed independently (see the top left of Figure 14). The state space (4N states) for this portion with a simple (non-blocking) IBC partition is shown at


Figure 12:  and base level controllable state-sets with a typical inhibited undesirable event 1 (all others suppressed for clarity)


Figure 13: A -level controllable state-set


the right in Figure 14 and the corresponding partition automaton is shown on the left. The labelling refers to the state of the machines and buffers: "0" is used for "empty", "N" for "full" and "N+1" for "overfill" (e.g. in the state "IkW", M1 is idle, there are k pieces B2 and M2 is working). The overfill states and their images at the higher levels are shaded. Note that adjacent blocks in Figure 14 can be amalgamated to form larger (non-blocking) IBC blocks. The automaton for the double queue is formed by taking the synchronous product of the low-level automaton in Figure 14 with its counterpart for the second portion of the queue. The shared events (3 and 4) force the second machine in the first portion to be in the same state as that of the first machine in the second portion, hence the total count of the reachable state space is the expected 4N  4N=2 = 8N 2 . A partition automaton, G1 for this system is displayed in Figure 16. The internal structure of several of the blocks is also shown in Figure 16. Finally, a partition of the 1 level state-set is presented in Figure 16, which leads to a third level, G2 in the hierarchical layering. The partition 2 has a natural description at the base level since each diagonal band has the same number of active pieces within a margin of 2. The utility of the theory is exhibited by the fact that the control specification, i.e. that of not allowing reachability of the overfill states, can be stated and solved for through common sense reasoning at the level of the large blocks of the 2 -level system in Figure 16. The control can then be translated down the chain of increasingly refined partitions to the full system model in a straightforward, but sound, manner. This example may be extended by the addition of other machine-buffer-machine portions in series with the double queue. As each portion is added, a new partition can be formed as illustrated in Figure 16 for the extension from one buffer to two buffers.
In present work (see [5], [18]), we consider a recursive formulation of this process of alternating extensions and re-partitioning (for this and other natural layouts). The emphasis is to determine whether paradigmatic systems emerge in the limit for this recursion.

7 Appendix

7.1 Mealy machine to Moore machine translation

With reference to the translation introduced in Section 2, we consider the example in Figure 17. In the figure, G is a partition machine in the Mealy format, i.e. where the observation map,  : X   ?!  , reports a subset of the low-level event set. G~  shows an equivalent Moore representation where the observation map is now ~  : X~ ?!  . Note that, as stated in the text, only states x and y need be split because these are in-set states which have incoming transitions from multiple blocks. The two representations are equivalent in the sense that all accepted strings give the same string of observations.


Figure 14: State space and partition for first portion of double queue


Figure 15: A two buffer queue ("double queue")

7.2 Formal definition of Output Control Consistency [29]

Definition 7.1 Output Control Consistency A Moore machine G = (X;  = u [ c; ; T = f0 g [ Tu [ Tc ; ; x0 ) is output control consistent if for every string s 2 L(G) of the form s = 12    k (A) or, respectively, (where s 2 + and  2 ) i s = s01 2    k ; (B) with (A), ((x0 ; 1 2    i )) = 0 ; for 1  i  k ? 1; and ((x0 ; s)) =  6= 0 or, respectively (B), ((x0 ; s0 )) 6= 0 ; and ((x0 ; s0 1 2    i )); for 1  i  k ? 1; and ((x0 ; s)) =  6= 0 ; it is the case that, if  2 Tc ; then for some i; 1  i  k; i 2 c ; and if  2 Tu ; then for all i; 1  i  k; i 2 u

7.3 Incomparability of Trace-DC and Output Control Consistency

In Figure 18, G1 is Trace-DC but not Output Control Consistent, while G2 is the opposite.

7.4 Counter-example for closure under chain union

Figure 19 shows a counter-example, where two partitions (one marked with dashed lines, the other with solid lines and singletons assumed unless otherwise shown) are themselves (non-blocking) IBC, but their chain union is not.

7.5 Synchronous product

Let 1 ; 2   and define the canonical maps, Pi :  ?! i by, Pi() Pi () = Pi(s)

( =

 if s 2 i  if  62 i = Pi (s)Pi ()

for  2  and s 2  . The synchronous product of a language L1  1 and L2  2 is,

L1jjsL2 = P1?1L1 \ P2?1L2:

Acknowledgement

The authors gratefully acknowledge extensive discussions of this work with Gang Shen.

References

[1] http://www.cim.mcgill.ca/ phubbard, May 1999. Centre for Intelligent Machines: Research and Publications of the Hierarchical, Hybrid and Logic Control Group.
[2] ftp://kumar.ee.engr.uky.edu/pub/HTTP/index.html, May 1999. Ratnesh Kumar's Home Page.
[3] http://www.eecs.umich.edu/umdes/projects/lib/umdeslib.html, May 1999. UMDES Software Library.
[4] R. Alur and T.A. Henzinger. Computer Aided Verification. Lecture Notes, Department of Engineering and Computer Science, UCB, 1996.
[5] P. E. Caines, P. Hubbard, and G. Shen. Multi-agent products for finite state systems. In preparation, February, 1999.
[6] P.E. Caines, V. Gupta, and G. Shen. The hierarchical control of ST-finite state machines. Systems and Control Letters, 32:185–192, December 1997.
[7] P.E. Caines, P.J. Hubbard, and G. Shen. State aggregation and hierarchical supervisory control. In Proc. of 36th IEEE CDC, pages 3590–3591, San Diego, CA, December 1997.
[8] P.E. Caines and Y-J Wei. Hierarchical hybrid control systems. In Steve Morse, editor, Control Using Logic-Based Switching, Proceedings of the Block Island Workshop, pages 39–48. Springer Verlag, 1996.
[9] P.E. Caines and Y-J Wei. Hierarchical hybrid control systems: A lattice theoretic formulation. IEEE Transactions on Automatic Control, pages 501–508, April 1998.
[10] P.E. Caines and Y.J. Wei. The hierarchical lattices of a finite machine. Systems and Control Letters, 25:257–263, 1995.
[11] Y-L. Chen and S. Lafortune. Resolving feature interaction using modular supervisory control with priorities. In P. Dini, editor, Feature Interactions in Telecommunications and Distributed Systems IV. IOS Press, 1997.
[12] A. A. Desrochers and R. Y. Al-Jaar. Applications of Petri Nets in Manufacturing Systems. IEEE Press, 1995.
[13] F. Harary, R.Z. Norman, and D. Cartwright. Structural Models: An introduction to the Theory of Directed Graphs. John Wiley & Sons, New York, 1965.
[14] J. Hartmanis and R.E. Stearns. Algebraic Structure Theory of Sequential Machines. Prentice Hall, 1966.
[15] J. E. Hopcroft and J. D. Ullman. Introduction to Automata Theory, Languages, and Computation. Addison-Wesley, 1979.
[16] P. Hubbard and P.E. Caines. A state aggregation approach to hierarchical supervisory control with applications to a transfer line example. In Proc. of the WODES98: Workshop on Discrete Event Systems, Cagliari, Italy, August 1998. IEE.
[17] P. Hubbard and P.E. Caines. Trace-dc hierarchical supervisory control with applications to transfer-lines. In Proceedings of the 37th IEEE Conference on Decision and Control, pages 3293–98, Tampa, FL, 1998.
[18] P. Hubbard and P.E. Caines. Initial investigations of hierarchical supervisory control for multiagent systems. In submitted to the 38th IEEE CDC, Phoenix, AZ, 1999.
[19] R. Kumar, V.K. Garg, and S.I. Marcus. Predicates and predicate transformers for supervisory control of discrete event systems. IEEE Transactions on Automatic Control, 32(2):232–247, 1993.
[20] Y. Li and W.M Wonham. Controllability and observability in the state-feedback control of discrete-event systems. In Proc. of 29th IEEE CDC, pages 203–208, New York, Dec. 1988.
[21] P.J. Ramadge and W.M. Wonham. Supervisory control of a class of discrete event systems. SIAM J. Control and Optimization, 25(1):206–230, 1987.
[22] P.J. Ramadge and W.M. Wonham. The control of discrete event systems. Proceedings of the IEEE, 77(1):81–98, January 1989.
[23] M. Sampath, S. Lafortune, and D. Teneketzis. Active diagnosis of discrete-event systems. IEEE Transactions on Automatic Control, 43(7), July 1998.
[24] G. Shen and P.E. Caines. On the application of hadp to multi-agent networks. submitted to the 38th IEEE CDC, Phoenix, AZ, 1999.
[25] R. S. Sreenivas. On supervisory policies that enforce liveness in a class of completely controlled petri nets obtained via refinement. IEEE Transactions on Automatic Control, 1999.
[26] I. Suzuki and T. Murata. A method for stepwise refinement and abstraction of petri nets. Journal of Computer and System Sciences, 27:51–76, 1983.
[27] A.F. Vaz and W.M. Wonham. On supervisor reduction in discrete-event systems. Int. J. Control, 44(2):475–491, 1986.
[28] K.C. Wong and W.M. Wonham. Hierarchical control of discrete-event systems. Discrete Event Dynamical Systems, 6:241–273, 1996.
[29] H. Zhong and W.M Wonham. On the consistency of hierarchical supervision in discrete-event systems. IEEE Transactions on Automatic Control, 35(10):1125–1134, 1990.


Figure 16: Three levels of hierarchy for the double queue


Figure 17: Appendix 7.1 Mealy to Moore Translation


Figure 18: Appendix 7.3: G1 is Trace-DC but not Output Control Consistent, while G2 is the opposite

Figure 19: Appendix 7.4 IBC is not preserved under the chain union
