Discrete Event Dynamic Systems: Theory and Applications, 15, 375–395, 2005. © 2005 Springer Science + Business Media, Inc. Manufactured in The Netherlands.
Multitasking Supervisory Control of Discrete-Event Systems

MAX H. DE QUEIROZ* ([email protected])
LAHP-GEMM-CEFET/SC, Florianópolis, SC 88020-301, Brazil

JOSÉ E. R. CURY ([email protected])
DAS-CTC-Federal University of Santa Catarina, Florianópolis, SC 88040-900, Brazil

W. M. WONHAM ([email protected])
Systems Control Group, Department of Electrical and Computer Engineering, University of Toronto, Toronto, ON M5S 3G4, Canada
Abstract. This paper presents an approach for functionally dealing with multiple tasks in the supervisory control of discrete-event systems (DES). The colored marking generator (CMG), a special type of Moore automaton, is introduced as a model that distinguishes classes of tasks in DES. The main results of supervisory control theory are extended to this model, allowing the synthesis of minimally restrictive supervisors, which respect the safety specifications and ensure coreachability of multiple control objectives. Reversibility is also investigated as an alternative way of ensuring liveness of multiple tasks. Two examples illustrate the convenience of this approach.

Keywords: supervisory control, discrete-event systems, tasks, control system synthesis, automata

1. Introduction
Supervisory control theory (SCT) as initiated by Ramadge and Wonham (1987) has been developed in recent decades as an expressive framework for the synthesis of control for discrete-event systems (DES). In SCT, the open-loop behavior of a DES, called plant, is modeled by a generator (Wonham, 2004), whose marked states represent completion of some task. The restrictions to be imposed on the plant can be expressed in terms of a language representing the admissible behavior. The Ramadge-Wonham framework provides computational algorithms for the synthesis of a minimally restrictive supervisor that constrains the behavior of the plant by disabling controllable events in such a way that it respects the admissible language and that it ensures nonblocking, i.e., there is always an event sequence available to reach a marked state. While the admissible language can be viewed as a safety specification (assuring that nothing "bad" happens), nonblocking can be interpreted as a liveness specification that ensures that the supervisor will not prevent the completion of a task (something good happens). Other classes of liveness specifications such as stability (Ozveren and Willsky, 1991) and fairness (Gohari-M., 2002) have also been investigated in the literature.
* Corresponding author.
Situations where the liveness of multiple tasks is imposed are common. In particular, interesting DES problems comprising multiple tasks arise in manufacturing and communication systems. In these situations, modeling the plant by a single standard generator can be problematic, for the completion of all classes of tasks would then be identified by the same marking. Especially for composite systems, the marking of each subsystem usually has an individual meaning. In that case, the global model, comprising the synchronous composition of all subsystems, identifies a string of events as a complete task if and only if it leads all subsystems to a marked state. Thus, according to the original approach of SCT, a nonblocking supervisor would ensure that all subsystems complete their tasks at the same global state. That constraint might be too conservative for some problems.

One possible approach to enforcing liveness of multiple tasks in a DES is the use of queues, as suggested by Wonham (2004). A queue, like any fairness rule, can be thought of as an extra restriction imposed on the behavior of a system that is potentially stronger than a liveness condition. As a result, this approach can lead to overly conservative solutions. The aim of the current work is to provide a convenient mechanism for the synthesis of minimally restrictive supervisors that ensure the liveness of multiple tasks without enforcing any additional rule. These supervisors will disable an event if and only if it could start an uncontrollable sequence that leads the system out of the safe behavior or could render some task unreachable. Note that such supervisors (like any standard Ramadge-Wonham supervisor) cannot force the completion of tasks, in conformity with the fact that they cannot directly force the occurrence of events.

Fabian and Kumar (2000) and Kumar et al. (2004) proposed a related approach, to synthesize mutually nonblocking supervisors for systems restricted by disjunctive specifications, which could be interpreted as different tasks. The results in the present paper have a different characteristic since here the tasks can be defined both in the plant and specifications and the global specification is taken as the conjunction of all rules. Thistle and Malhamé (1997) and Thistle et al. (1997) have studied similar issues arising with feature interactions in telephone networks, where the specification for a new feature defines a new marked language. They assumed that the specification is modeled by an automaton with multiple subsets of marked states (associated with different features) and extended the basic results of SCT to ensure nonblocking of multiple marked languages.

In this paper we propose a framework for multitasking supervisory control, where DES are modeled by Moore automata, whose outputs indicate completion of tasks. Since each task can be assigned to a marked language, some of our results coincide with those of Thistle and Malhamé (1997). However, the current work is developed in a more general context where the tasks can be defined in the plant or by specifications. Moreover, it makes several additional contributions to the theory, which include the composition of multitasking DES, the generalization of the concept of $L_m(G)$-closure (Wonham, 2004), and the study of reversibility.

Next, we introduce our approach for modeling DES with multiple tasks and discuss some properties and operations on this model. In the following section, we extend the main results of SCT to deal with multitasking generators. Further, we solve two problems of multitasking supervisory control. Finally, we investigate the use of reversibility as an alternative way of ensuring liveness of multiple tasks. The results presented in this paper have been developed in the first author's doctoral work (de Queiroz, 2004) in close cooperation with the other authors.
2. Multitasking DES
We say that a DES completes a task when it executes some sequence of events that accomplishes an objective of the control problem. For example, a machine might complete a task named "produce a part" whenever it returns to the initial state. Two tasks belong to the same class when they are related to objectives that are equivalent, i.e., that have the same meaning in the control problem. When a DES model incorporates multiple classes of tasks we call it a multitasking discrete-event system (MTDES).
2.1. Colored behaviors
Let $\Sigma^*$ be the set of all finite strings of elements in $\Sigma$, including the empty string $\varepsilon$. A language is a subset of $\Sigma^*$. The prefix-closure of a language $L$ is given by

$\overline{L} := \{ s \in \Sigma^* \mid \exists v \in \Sigma^* \wedge sv \in L \}.$

To distinguish multiple classes of tasks in a DES, we associate a color (label) to each class of task. Let $\Sigma$ be the (finite) set of all events that can occur in the system and $C$ be the (finite) set of all colors. For each color $c \in C$ we can assign a language $L_c \in \mathrm{Pwr}(\Sigma^*)$ (power set of $\Sigma^*$) that consists of all sequences of events in $\Sigma$ that represent the completion of a task of the respective class. In this way, the colored behavior of an MTDES can be modeled by the set $\{(L_c, c),\ c \in C\}$. We then define a colored behavior $L_C \in \mathrm{Pwr}(\mathrm{Pwr}(\Sigma^*) \times C)$ as a set of pairs (language, color), with the restriction that any two distinct pairs have distinct colors. For a colored behavior $L_C$, the language marked by $c \in C$ is defined by $L_c(L_C) := L$ such that $(L, c) \in L_C$. The language marked by $B \subseteq C$ is defined by $L_B(L_C) := \bigcup_{b \in B} L_b(L_C)$, i.e., the union of all languages marked by colors of $B$. Let $M_B \in \mathrm{Pwr}(\mathrm{Pwr}(\Sigma^*) \times B)$ and $N_C \in \mathrm{Pwr}(\mathrm{Pwr}(\Sigma^*) \times C)$ be colored behaviors. We say that $M_B \subseteq N_C$ if $B \subseteq C$ and for all $b \in B$, $L_b(M_B) \subseteq L_b(N_C)$.

The synchronous composition of languages (Wonham, 2004) is a useful operation combining two languages into a single language, by synchronizing the common events. The synchronous composition of colored behaviors $M_B$ and $N_C$ is a colored behavior $M_B \,\|\, N_C$ with color set $B \cup C$. The languages marked by common colors are defined by the synchronous composition of the respective languages. When a color is exclusive to one colored behavior, the respective language is composed with the prefix-closure of the language marked by the set of colors of the other colored behavior. Formally,

$M_B \,\|\, N_C := \{ (L_b(M_B) \,\|\, L_b(N_C),\ b),\ \forall b \in B \cap C \} \cup \{ (L_b(M_B) \,\|\, \overline{L_C(N_C)},\ b),\ \forall b \in B \setminus C \} \cup \{ (\overline{L_B(M_B)} \,\|\, L_b(N_C),\ b),\ \forall b \in C \setminus B \}.$
2.2. Colored marking generators
A direct way of representing a colored marking behavior with automata is to model each language by a generator, so that an MTDES would be modeled as a set of pairs (generator, color). For convenience, an MTDES can be modeled by a special generator, whose states are marked by subsets of colors according to the classes of tasks to be achieved. Such a state machine, named colored marking generator (CMG), is formally defined as a 6-tuple $G := (Q, \Sigma, C, \delta, \chi, q_0)$, where:

$Q$ is a set of states; $\Sigma$ is a finite set of events; $C$ is a finite set of colors; $\delta: Q \times \Sigma \to Q$ is a state transition function (extended to strings as usual); $\chi: Q \to \mathrm{Pwr}(C)$ is a marking function; $q_0$ is the initial state.

For a CMG $G$, we can define the eligible event function $\Gamma_G: Q \to \mathrm{Pwr}(\Sigma)$, which associates each state $q \in Q$ with the subset of $\Sigma$ of all events that can occur in $q$, i.e.,

$\Gamma_G(q) := \{ \sigma \in \Sigma \mid \delta(q, \sigma)! \}.$

This model adds to the standard generator (Wonham, 2004) a set of colors $C$, representing all the classes of tasks that the system can execute, and a marking function $\chi$, that assigns to each state of $Q$ a subset (empty or not) of colors. Therefore, a CMG is basically a Moore automaton (Hopcroft and Ullman, 1979), whose outputs, represented by subsets of colors, define the classes of tasks that are completed in the corresponding states. It should be stressed that our usage of the terms "marked," "marking," "colors" and "colored" is in no way connected with that of the same terms in the theory of Petri nets (e.g. Jensen, 1992).

The generated language of a colored marking generator $G$, denoted by $L(G)$, is the set of all finite strings that are defined in $G$ from the initial state $q_0$, that is,

$L(G) := \{ s \in \Sigma^* \mid \delta(q_0, s)! \}.$

The marked language of a standard generator is the set of all strings that complete a task. Since a CMG usually comprises multiple classes of tasks, we can define a marked language for each class of task by the set of strings that reach states where the marking function returns a set containing the color associated with that class. Hence $L_c(G)$, the language marked by $c \in C$, is formally defined by

$L_c(G) := \{ s \in L(G) \mid c \in \chi(\delta(q_0, s)) \}.$
We extend the concept of language marked by a color to a nonempty set of colors as the set of event strings that complete any of the respective tasks. Then for the color set $B$, $\emptyset \neq B \subseteq C$, we define the language marked by $B$ as

$L_B(G) := \{ s \in L(G) \mid B \cap \chi(\delta(q_0, s)) \neq \emptyset \}.$

The colored behavior of a CMG $G$, denoted by $L_C(G)$, is defined by

$L_C(G) := \{ (L_c(G), c),\ c \in C \}.$

We define the relation $\sqsubseteq$ between CMG (read as "subgenerator of") by $G_1 \sqsubseteq G_2$ whenever:

$Q_1 \subseteq Q_2$; $\Sigma_1 = \Sigma_2$; $C_1 = C_2$; $\delta_1(q, s) = q' \Rightarrow \delta_2(q, s) = q'$; $\chi_1 = \chi_2|_{Q_1}$; $q_{01} = q_{02}$ if $q_{02} \in Q_1$, undefined otherwise.

We say that a state $q \in Q$ is reachable if it can be reached by a sequence of transitions starting from the initial state $q_0$, that is, if there exists $s \in \Sigma^*$ such that $\delta(q_0, s) = q$. We denote by $Q_{rch}$ the set of all reachable states of $Q$. $G$ is reachable if $q$ is reachable for every $q \in Q$ ($Q = Q_{rch}$). The operation $\mathrm{Rch}(G)$ eliminates all non-reachable states of $G$.

A state $q \in Q$ is weakly coreachable w.r.t. $B$ if there is a sequence of transitions that, starting from $q$, reaches a state that marks at least one color of $B$, i.e., if there exist $b \in B$ and $s \in \Sigma^*$ such that $b \in \chi(\delta(q, s))$. $G$ is weakly coreachable w.r.t. $B$ if $q$ is weakly coreachable w.r.t. $B$ for every $q \in Q$. A state $q \in Q$ is strongly coreachable w.r.t. $B$ if, for every color $b$ of $B$, there is a sequence of transitions that, starting from $q$, reaches a state that marks $b$, i.e., if for all $b \in B$ there is $s \in \Sigma^*$ such that $b \in \chi(\delta(q, s))$. Denote by $Q_{sco,B}$ the set of all states of $Q$ that are strongly coreachable w.r.t. $B$. Clearly, $Q_{sco,B} = \bigcap_{b \in B} Q_{sco,\{b\}}$. $G$ is strongly coreachable w.r.t. $B$ if $q$ is strongly coreachable w.r.t. $B$ for every $q \in Q$, i.e., if $Q = Q_{sco,B}$. Note that it is possible that from some states $q \in Q_{sco,B}$ we can complete a task $b \in B$ only in states $q' \in Q \setminus Q_{sco,B}$. Thus, we do not necessarily obtain a strongly coreachable generator by erasing from $G$ all states that fail to be strongly coreachable. A CMG $G$ is strongly trim w.r.t. $B$ if it is reachable and strongly coreachable w.r.t. $B$, i.e., if $Q_{rch} = Q_{sco,B}$. In order to obtain a CMG strongly trim w.r.t. $B$ from a given $G$, we have to eliminate all states of $G$ that fail to be reachable and strongly coreachable
w.r.t. $B$. Since the elimination of one state can alter the properties of another, in general this operation, represented by $\mathrm{STr}(G, B)$, is performed in multiple iterations. For that we consider $Q_{str,B} := Q_{rch} \cap Q_{sco,B}$ and define a partial strongly trim function by

$\mathrm{PSTr}(G, B) := \begin{cases} (Q_{str,B},\ \Sigma,\ C,\ \delta|_{Q_{str,B}},\ \chi|_{Q_{str,B}},\ q_0) & \text{if } Q_{str,B} \neq \emptyset \\ (\emptyset,\ \Sigma,\ C,\ \emptyset,\ \emptyset,\ ) & \text{otherwise.} \end{cases}$

Obviously, if $G$ is strongly coreachable, so is $\mathrm{PSTr}(G, B)$. But if it is not, $\mathrm{PSTr}(G, B)$ can still fail to be strongly coreachable, since this operation erases states of $Q \setminus Q_{sco,B}$, which could be necessary for the coreachability of some states in $Q_{sco,B}$. For this reason we define the sequence:

$G^0 = G; \qquad G^{j+1} = \mathrm{PSTr}(G^j, B), \qquad j = 0, 1, \ldots$

Clearly, if $Q$ is finite, the sequence above converges in a finite number of iterations. Then we formally define $\mathrm{STr}(G, B)$ by

$\mathrm{STr}(G, B) := \lim_{j \to \infty} G^j.$

The synchronous composition of Moore automata requires the definition of an output function that represents the composition of the output functions for the systems involved. We consider that, when a color is associated with different CMG, the composed system marks the task represented by the color when all subsystems are in states marking this color. Hence, just as a composed transition function synchronizes common events, the composed marking function synchronizes shared colors. Then we define the synchronous composition of CMG $G_1 = (Q_1, \Sigma_1, C_1, \delta_1, \chi_1, q_{01})$ and $G_2 = (Q_2, \Sigma_2, C_2, \delta_2, \chi_2, q_{02})$, with respective eligible event functions $\Gamma_{G_1}$ and $\Gamma_{G_2}$, as the CMG

$G_1 \,\|\, G_2 := \mathrm{Rch}(Q_1 \times Q_2,\ \Sigma_1 \cup \Sigma_2,\ C_1 \cup C_2,\ \delta,\ \chi,\ (q_{01}, q_{02})),$

where:

$\delta((q_1, q_2), \sigma) = \begin{cases} (\delta_1(q_1, \sigma), \delta_2(q_2, \sigma)) & \text{if } \sigma \in \Gamma_{G_1}(q_1) \cap \Gamma_{G_2}(q_2) \\ (\delta_1(q_1, \sigma), q_2) & \text{if } \sigma \in \Gamma_{G_1}(q_1) \setminus \Sigma_2 \\ (q_1, \delta_2(q_2, \sigma)) & \text{if } \sigma \in \Gamma_{G_2}(q_2) \setminus \Sigma_1 \\ \text{undefined} & \text{otherwise,} \end{cases}$

and

$\chi((q_1, q_2)) = [\chi_1(q_1) \cup (C_2 \setminus C_1)] \cap [\chi_2(q_2) \cup (C_1 \setminus C_2)].$

The eligible event function $\Gamma_G$ associated with $G_1 \,\|\, G_2$ is given by

$\Gamma_G((q_1, q_2)) = [\Gamma_{G_1}(q_1) \cup (\Sigma_2 \setminus \Sigma_1)] \cap [\Gamma_{G_2}(q_2) \cup (\Sigma_1 \setminus \Sigma_2)].$
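As an added illustration (this is not code from the paper), the following Python sketch represents a CMG by explicit state, transition and marking dictionaries and runs the $\mathrm{Rch}$, $Q_{sco,B}$, $\mathrm{PSTr}$ and $\mathrm{STr}$ operations defined above on a constructed four-state generator in which one $\mathrm{PSTr}$ pass is not enough; all class, method and state names are assumptions made here.

```python
from collections import deque


class CMG:
    """G = (Q, Sigma, C, delta, chi, q0) with delta a dict {(q, sigma): q'} and
    chi a dict {q: set of colors}; q0 = None encodes the empty CMG."""

    def __init__(self, states, events, colors, delta, chi, q0):
        self.Q, self.Sigma, self.C = set(states), set(events), set(colors)
        # restricting delta and chi to Q implements delta|Q and chi|Q
        self.delta = {k: v for k, v in delta.items() if k[0] in self.Q and v in self.Q}
        self.chi = {q: set(chi.get(q, ())) for q in self.Q}
        self.q0 = q0 if q0 in self.Q else None

    def _closure(self, seeds, step):
        """Breadth-first closure; used forwards (reachability) and backwards (coreachability)."""
        seen, todo = set(seeds), deque(seeds)
        while todo:
            for r in step(todo.popleft()):
                if r not in seen:
                    seen.add(r)
                    todo.append(r)
        return seen

    def reachable(self):
        """Q_rch: states q with delta(q0, s) = q for some string s."""
        if self.q0 is None:
            return set()
        return self._closure({self.q0}, lambda q: [r for (p, _), r in self.delta.items() if p == q])

    def coreachable(self, b):
        """Q_sco,{b}: states from which some string reaches a state whose marking contains b."""
        seeds = {q for q in self.Q if b in self.chi[q]}
        return self._closure(seeds, lambda r: [p for (p, _), t in self.delta.items() if t == r])

    def strongly_coreachable(self, B):
        """Q_sco,B = intersection over b in B of Q_sco,{b}."""
        sco = set(self.Q)
        for b in B:
            sco &= self.coreachable(b)
        return sco

    def is_weakly_nonblocking(self, B):
        """L(G) = prefix-closure of L_B(G): every reachable state reaches some color of B."""
        return self.reachable() <= set().union(*(self.coreachable(b) for b in B))

    def is_strongly_nonblocking(self, B):
        """For all b in B, L(G) = prefix-closure of L_b(G): Rch(G) is strongly coreachable."""
        return self.reachable() <= self.strongly_coreachable(B)

    def pstr(self, B):
        """PSTr(G, B): keep Q_str,B = Q_rch intersect Q_sco,B (one trimming pass)."""
        keep = self.reachable() & self.strongly_coreachable(B)
        return CMG(keep, self.Sigma, self.C, self.delta, self.chi, self.q0)

    def strongly_trim(self, B):
        """STr(G, B): iterate PSTr until the state set is stable (a fixpoint)."""
        g = self
        while True:
            h = g.pstr(B)
            if h.Q == g.Q:
                return h
            g = h


def example_cmg():
    """Constructed CMG: cycle 0 -x-> 1 -y-> 0 plus detour 1 -z-> 2 -w-> 3.
    State 3 marks b but can never reach a, so it is not strongly coreachable
    w.r.t. {a, b}; removing it leaves 2 unable to complete b, which is why
    STr needs a second PSTr pass before reaching the fixpoint {0, 1}."""
    delta = {(0, "x"): 1, (1, "y"): 0, (1, "z"): 2, (2, "w"): 3}
    chi = {0: {"a"}, 1: {"b"}, 2: {"a"}, 3: {"b"}}
    return CMG({0, 1, 2, 3}, {"x", "y", "z", "w"}, {"a", "b"}, delta, chi, 0)
```

The same generator is weakly nonblocking w.r.t. {a, b} (every reachable state reaches some color) but not strongly nonblocking, and trimming w.r.t. {a} alone keeps state 2.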
It can be shown that L(G1 || G2) is equal to L(G1) || L(G2), but in general it is not always true that the colored behavior of G1 || G2 is equivalent to the synchronous composition of the colored behaviors of G1 and G2. However, this assertion holds, for example, when C1 = C2 or when G1 and G2 are weakly coreachable with respect to the respective color sets. A colored behavior is regular when all the languages marked by its colors are regular, i.e., when they can be modeled by finite-state generators. The following proposition shows that any regular colored behavior can be modeled by a finite-state colored marking generator.
PROPOSITION 1 Let $L_C = \{(L_c, c),\ c \in C\}$ be a colored behavior. If $L_C$ is regular ($L_c$ is regular for all $c \in C$), there exists a finite-state colored marking generator $G$ such that $L_C(G) = L_C$ and $L(G) = \overline{\bigcup_{c \in C} L_c}$.

Proof: Notice that the language $\overline{\bigcup_{c \in C} L_c}$ is regular, prefix-closed and, for all $b \in C$, it contains $L_b$. Therefore, for each color $b \in C$, we can obtain a standard finite-state generator $H_b = (Q_b, \Sigma, \delta_b, q_{0b}, Q_{mb})$ such that $L_m(H_b) = L_b$ and $L(H_b) = \overline{\bigcup_{c \in C} L_c}$. Hence, for each color $b \in C$, there is a CMG $G_b = (Q_b, \Sigma, \{b\}, \delta_b, \chi_b, q_{0b})$ such that $L_b(G_b) = L_b$ and $L(G_b) = \overline{\bigcup_{c \in C} L_c}$. Let $G = \|_{b \in C} G_b$. Then

$L(G) = L(\|_{b \in C} G_b) = \|_{b \in C} L(G_b) = \|_{b \in C} \overline{\bigcup_{c \in C} L_c} = \overline{\bigcup_{c \in C} L_c};$

$\forall d \in C,\ L_d(G) = L_d(\|_{b \in C} G_b) = L_d(G_d) \,\|\, \big( \|_{b \in C \setminus \{d\}} L(G_b) \big) = L_d \,\|\, \big( \|_{b \in C \setminus \{d\}} \overline{\bigcup_{c \in C} L_c} \big) = L_d \,\|\, \overline{\bigcup_{c \in C} L_c} = L_d.$ ∎

2.3. Blocking
The concept of blocking in a generator is related to the idea of executing a sequence of events that leads to a state from where it is not possible to complete a task. When the generator comprises multiple colors, the idea of blocking allows two different interpretations: it can be impossible to complete tasks of any class, or it can be impossible to complete tasks of at least one class. Given a nonempty subset of colors $B$, we say that a generator $G$ is weakly nonblocking w.r.t. $B$ if

$L(G) = \overline{L_B(G)},$

that is, if any generated string is a prefix of at least one completed task or, equivalently, if $\mathrm{Rch}(G)$ is weakly coreachable w.r.t. $B$. We say that a generator $G$ is strongly nonblocking w.r.t. $B$ if

$\forall b \in B,\ L(G) = \overline{L_b(G)},$

that is, if any generated string can be completed (not necessarily in the same way) to a task of all the classes represented by colors of $B$ or, equivalently, if $\mathrm{Rch}(G)$ is strongly coreachable w.r.t. $B$.

The idea of strong nonblocking can be extended to colored behaviors as follows. A colored behavior $L_C \in \mathrm{Pwr}(\mathrm{Pwr}(\Sigma^*) \times C)$ is strongly nonblocking w.r.t. $B \subseteq C$ whenever

$\forall b \in B,\ \overline{L_b(L_C)} = \overline{L_C(L_C)},$

that is, when any incomplete string can complete tasks of all colors of $B$.

PROPOSITION 2 There is a strongly trim CMG that models a regular colored behavior $L_C$ if and only if $L_C$ is strongly nonblocking.

Proof: (if) Let $L_C$ be such that for all $b \in B$, $\overline{L_b(L_C)} = \overline{L_C(L_C)}$. By Proposition 1, there is a CMG $G$ such that for all $c \in C$, $L_c(G) = L_c(L_C)$ and $L(G) = \overline{\bigcup_{c \in C} L_c(L_C)} = \overline{L_C(L_C)}$. Since for all $b \in B$, $\overline{L_b(G)} = \overline{L_C(L_C)} = L(G)$, $G$ is strongly nonblocking w.r.t. $B$. Thus, $\mathrm{Rch}(G)$ is a CMG strongly trim w.r.t. $B$ that models $L_C$. (only if) Let $G$ be a strongly trim CMG such that for all $c \in C$, $L_c(G) = L_c(L_C)$ and $L(G) = \overline{\bigcup_{c \in C} L_c(L_C)}$. Then $\forall b \in B,\ \overline{L_b(G)} = L(G)$ implies that $\forall b \in B,\ \overline{L_b(L_C)} = \overline{L_b(G)} = L(G) = \overline{\bigcup_{c \in C} L_c(L_C)} = \overline{L_C(L_C)}$. ∎
THEOREM 1 Let the set of strongly nonblocking behaviors contained in $L_C$ be defined by

$\mathrm{SNB}(L_C, B) := \{ M_C \subseteq L_C \mid \forall b \in B,\ \overline{L_b(M_C)} = \overline{L_C(M_C)} \}.$

The set $\mathrm{SNB}(L_C, B)$ has a supremal element $\mathrm{SupSNB}(L_C, B)$ that represents the maximal strongly nonblocking behavior contained in $L_C$.

Proof: (i) Define the behavior $Z_C = \{(\emptyset, c),\ \forall c \in C\}$, such that $L_C(Z_C) = \bigcup_{c \in C} L_c(Z_C) = \emptyset$. Then $Z_C$ is strongly nonblocking and contained in $L_C$. Hence, $\mathrm{SNB}(L_C, B)$ is nonempty. (ii) Let $T$ be a set of indexes and let $M_C^t \in \mathrm{SNB}(L_C, B)$, $t \in T$, be colored behaviors strongly nonblocking w.r.t. $B$. Let $M_C = \bigcup \{ M_C^t,\ t \in T \}$. Then $M_C \subseteq L_C$ and

$L_C(M_C) = L_C\big(\bigcup \{ M_C^t,\ t \in T \}\big) = \bigcup \{ L_C(M_C^t),\ t \in T \}.$

Thus,

$\forall b \in B,\ \overline{L_b(M_C)} = \overline{L_b\big(\bigcup \{ M_C^t, t \in T \}\big)} = \overline{\bigcup \{ L_b(M_C^t), t \in T \}} = \bigcup \{ \overline{L_b(M_C^t)}, t \in T \} = \bigcup \{ \overline{L_C(M_C^t)}, t \in T \} = \overline{\bigcup \{ L_C(M_C^t), t \in T \}} = \overline{L_C(M_C)}.$

Therefore, $M_C \in \mathrm{SNB}(L_C, B)$, i.e., strong nonblocking of colored behaviors is closed under arbitrary unions. (iii) Since $\mathrm{SNB}(L_C, B)$ is nonempty and closed under arbitrary unions, it has a unique supremal element given by $\mathrm{SupSNB}(L_C, B) := \bigcup \{ M_C \mid M_C \in \mathrm{SNB}(L_C, B) \}$. ∎

PROPOSITION 3 Let $G = (Q, \Sigma, C, \delta, \chi, q_0)$ be a finite-state CMG that models a regular colored behavior $L_C$. Then $\mathrm{SupSNB}(L_C, B) = L_C(\mathrm{STr}(G, B))$.

Proof: ($\supseteq$) By Proposition 2, we know that $L_C(\mathrm{STr}(G, B))$ is strongly nonblocking w.r.t. $B$ and thus $L_C(\mathrm{STr}(G, B)) \subseteq \mathrm{SupSNB}(L_C, B)$. ($\subseteq$) Since $G$ is finite, we can assume that, for some natural $l$, $\mathrm{STr}(G, B) = G^l \sqsubseteq G^{l-1} \sqsubseteq \ldots \sqsubseteq G^0 = G$, where $G^{j+1} = \mathrm{PSTr}(G^j, B)$. For $j = 0, \ldots, l$, denote by $Q^j$ the set of states of $G^j$ and by $Q^j_{str,B}$ its set of states that are reachable and strongly coreachable w.r.t. $B$. The proof follows by induction on $j$. For $j = 0$, $\mathrm{SupSNB}(L_C, B) \subseteq L_C = L_C(G^0)$. For $j = 1$, for all $c \in C$, $s \in L_c(\mathrm{SupSNB}(L_C, B))$ implies that, for all $b \in B$, there exists $w \in \Sigma^*$ such that $sw \in L_b(\mathrm{SupSNB}(L_C, B)) \subseteq L_b(L_C) = L_b(G)$ and hence $b \in \chi(\delta(q_0, sw))$. As a consequence, $\delta(q_0, s) \in Q^0_{str,B}$ and thus $s \in L_c(\mathrm{PSTr}(G^0, B)) = L_c(G^1)$. Assuming that $\mathrm{SupSNB}(L_C, B) \subseteq L_C(G^k)$, we have that, for all $c \in C$, $s \in L_c(\mathrm{SupSNB}(L_C, B))$ implies that $\delta(q_0, s) \in Q^k_{str,B}$, since $\delta(q_0, s) \in Q^k$. Therefore, $s \in L_c(\mathrm{PSTr}(G^k, B)) = L_c(G^{k+1})$. Consequently, $\mathrm{SupSNB}(L_C, B) \subseteq L_C(G^l) = L_C(\mathrm{STr}(G, B))$. ∎
3. Multitasking supervisory control
Let the open-loop behavior of a DES be modeled by a colored marking generator $G = (Q, \Sigma, C, \delta, \chi, q_0)$, with eligible event function $\Gamma_G$, whose alphabet is partitioned into controllable events $\sigma \in \Sigma_c$ (events that can be disabled) and uncontrollable events $\sigma \in \Sigma_u$. Let $D$ be a set of tasks for which liveness (strong nonblocking) is required. The safety specification can be expressed in terms of a colored behavior with all strings of $G$ that can complete tasks without violating the specifications. It is convenient to allow the specification to define a set $E$ of new classes of tasks ($E = D \setminus C$), as this can bring new information (states) into the model. For example, the specification for a buffer between two machines can highlight the state where the buffer is empty, which could define a new task. Note that for practical purposes the designer may prefer to represent the colored behavior of the specification by a CMG (Proposition 1). Thereby, instead of directly assigning new colors to strings, the designer can define the set $E$ by marking states of the CMG model of the specification.

Figure 1. Control architecture for coloring supervisor.

Accordingly, let the specification be given by a colored behavior $A_D \in \mathrm{Pwr}(\mathrm{Pwr}(\Sigma^*) \times D)$ such that:

$\forall d \in D \cap C,\ \emptyset \neq L_d(A_D) \subseteq L_d(G); \qquad \forall d \in E,\ \emptyset \neq L_d(A_D) \subseteq L(G).$

Such a specification contains sublanguages of the colored behavior of the plant and marks sublanguages of $L(G)$ with new colors. The objective of supervisory control is to generate an entity (designated supervisor), which, by disabling controllable events, prevents the controlled system from violating the languages of the specification. The supervisor should also guarantee that the controlled system is always capable of completing all tasks of $D$. By consequence, a specification represented by a colored behavior expresses both the safety specification, given by the prefix-closure of its languages, and the liveness requirement, delimited by the marking of the behavior. Therefore, the main difference between the multitasking and the usual supervisory control problem lies in the liveness specification, which can enforce strong nonblocking with respect to all tasks of $D$.

3.1. Coloring supervisor
In many problems, the specifications may include classes of tasks that are not explicit in the plant ($E \neq \emptyset$). In this case, the role of marking the new colors in the controlled system is assigned to the supervisor. A coloring supervisor is then defined as a mapping that associates to each sequence of events of the plant a set of enabled events and a set of new colors (of $E$) representing completed tasks, as illustrated in Figure 1. Thus, a coloring supervisor $S$ consists of a function $S: L(G) \to \mathrm{Pwr}(\Sigma) \times \mathrm{Pwr}(E)$. Let $S(s) = (\gamma, m)$, where $\gamma \subseteq \Sigma$ and $m \subseteq E$, and write <S(s) = $\gamma$ and =S(s) = $m$ for the two components of $S(s)$. The events that can occur after the occurrence of a string $s \in L(G)$ are given by