IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 12, NO. 5, SEPTEMBER 2004
763
Reconfigurable Robot Teams: Modeling and Supervisory Control Diana Gordon-Spears and Kiriakos Kiriakidis
Abstract—Teams of land-based, airborne, or submerged robots constitute a new breed of robotic systems for which the issue of controlled behavior arises naturally. In this brief, we model the dynamics of the robot team in the discrete-event system (DES) framework and design a reconfigurable system that can handle situations in which robot units may switch offline. In particular, we exploit the dichotomy between controllable and uncontrollable behavior to synthesize a supervisor using only controllable events, but also one whose structure adapts to uncontrollable events. This brief presents a novel method based on learning and verification for restoring supervision as well as behavioral assurance of the team. Index Terms—Autonomous vehicle groups, discrete-event systems (DES), modeling, software verification and validation, supervisory control.
I. INTRODUCTION
A
UTONOMOUS vehicles and software agents are becoming increasingly prevalent because of their ability to relieve people of labor-intensive tedium or exposure to hazardous conditions. Multiple cooperating robots, or agents, are especially effective. Examples include a platoon of robots, a swarm of micro air vehicles, or a fleet of autonomous underwater vehicles. Designers can furnish cooperating teams with plans to perform various tasks but cannot possibly foresee all circumstances that will be encountered. Therefore, such systems need to be able to adapt by modifying their plans in real time, to handle unforeseen situations. The objective of this research is to enable a robot team to learn and modify its plans as needed, but to ensure that the system remains within the bounds of prespecified behavioral constraints (properties), even after learning. Behavioral assurance is especially important for robotic collectives performing industrial, aerospace, or military tasks. The contribution of this brief is in presenting a novel, practical method for multirobot systems to adapt “safely,” i.e., remaining within the bounds of specified properties. We assume that a finite state automaton (FSA) models the behavior of an individual robot. To capture the collective behavior of a robot team whose composition changes, we construct an event-varying discreteevent system (DES) as the team’s model. To control the natural behavior of such DES, we follow the approach of supervisory control theory [1], [2]. Adaptation is achieved with machine Manuscript received February 7, 2003. Manuscript received in final form November 14, 2003. Recommended by Associate Editor M. Lemmon. This work was supported by the Naval Academy Research Council and the Office of Naval Research under Grants N0001499WR20020 and N0001499WR20010. D. Gordon-Spears is with the Computer Science Department, College of Engineering, University of Wyoming, Laramie, WY 82071 USA (e-mail:
[email protected]). K. Kiriakidis is with the Department of Weapons and Systems Engineering, United States Naval Academy, Annapolis, MD 21402 USA (e-mail: kiriakid@ novell.nadn.navy.mil;
[email protected]). Digital Object Identifier 10.1109/TCST.2004.825048
learning, and behavioral assurance is guaranteed with formal verification using automata-theoretic (AT) model checking [3]. The focus of this brief is on how to recover effective supervisory control, as well as preserve properties, when faced with unexpected robotic failures or regrouping, i.e., shifting the composition of robot teams. In summary, our approach may be viewed as a novel synthesis of machine learning, verification, and supervisory control of DES. Supervisory control theory for DES addresses a number of related problems, albeit on the typical assumption that the system is fixed and known [4]–[6]. At present, the literature offers only a few works on adaptive or robust supervisory control to tackle the problem of uncertainty in the DES model [7]–[9]. Furthermore, although this prior work advances the development of a theory for uncertain DES, the literature lacks any design methods for emerging engineering applications. Here, we present a practical engineering method that has been tested on a team of robots. There are numerous potential applications of our approach. One example is teams of planetary rovers that adapt to unanticipated environmental conditions while remaining within critical mission parameters. Another is automated factory robot teams that adapt to equipment failures and continue operation within essential tolerances and other specifications. As a third example, supportive groups of automated military equipment transport vehicles would require both flexibility and behavioral assurance. Finally, consider the application of groups of robots for hazardous waste cleanup. This brief is organized as follows. Section II introduces the problem formulation, Section III formalizes modeling a robotic group as an event-varying DES, and Section IV presents our paradigm of adaptive supervisory control of the robotic group using the DES model. Section V describes the learning and the subsequent repair required for continued effective operation of the robotic group following a failure or regrouping. This section presents two algorithms for repairing the desired language FSA used for supervisory control and discusses issues on nonemptiness and nonblocking of the resulting supervisor. The brief continues with a description, in Section VI, of the application and validation of this approach to a delivery task involving a group of mobile robots and a coordinator. In the concluding section, we discuss related and future work. Finally, in the Appendix, we present the proofs of the propositions associated with the adaptive supervisor and the complexity of the learning algorithms. II. PROBLEM FORMULATION In this brief, we consider robots that, in addition to equipment (e.g., sensors) necessary to carry out tasks, comprise a receiver and transmitter device as a means of communication with a coordinator (supervisor). We shall refer to a collection of robots
1063-6536/04$20.00 © 2004 IEEE
764
IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 12, NO. 5, SEPTEMBER 2004
that are collaborating with a common coordinator as a robotic group. The coordinator shapes the group’s collective behavior by imposing cooperation between individual robots. In turn, cooperation implies that the robotic group possesses a set of desired properties, characteristic of its functionality, that it is required to obey. For example, a desired property of a delivery system whose function is to transport an object from point A to point Z is that delivery at Z eventually follows delivery at A. In general, the robotic group may be operating on its own or as part of a larger system of peer groups. To model a particular group, we recognize that its behavior is associated with two classes of events. First, there are events that describe, in a well-defined sense, the tasks that each robot executes. The coordinator can disable some of those events to ensure multirobot coordination. Second, there are events unpreventable by the coordinator such as when individual units (robots) switch coordinators or fail during operation. To update the state of the robotic group, the supervisor needs to know the event that a robot has just executed in order to identify its current task or determine that it has gone offline. Moreover, the structure of the event-driven model needs to be modified to capture the new situation when the coordinator loses (or gains) a robot. To provide for this, we shall assume a model that is also event-varying. In this brief, we focus our attention on the behavior of a robotic group and address the problem of maintaining the desired properties of the group in spite of unavoidable events. We shall employ the theory of automata, express each desired property as a sequence of events, and embed the resulting sequences in a desired language. To guarantee the desired language, we shall synthesize the group’s coordinator, in the context of the supervisory control method [10], [11], so that it adapts to changes that have occurred in the group.
III. MODELING A ROBOTIC GROUP AS AN EVENT-VARYING DES Each robot has autonomy to complete a task (e.g., to transport an object from point A to point B). A robot is in a certain state, , while a task is occupying it or it is waiting to start a new task. An event, , occurs when a robot starts a new task, thus, events coincide with state transitions. Before it starts a task and after it has completed one, the robot normally notifies the supervisor. Upon the completion of its current task, a robot is ready to execute another event. The coordinator (or supervisor) decides which events are enabled and accordingly notifies the robots. Clearly, these events constitute an observable and controllable model. There are also uncontrollable events. A robot may be unable to start or finish a task. For example, a unit may have broken down or started to collaborate with another supervisor. These uncontrollable events are not part of the model per se, but their occurrence necessitates changes in the model. These events, however, are observable. If a robot starts to cooperate with another group, it will notify its old supervisor. For a robot that has broken down but is unable to notify its supervisor, the supervisor will assume that the robot is offline after a certain amount of time has elapsed.
Fig. 1. The FSA 3 of the uncontrollable events. Each circle represents a state and the shortest arrow identifies the initial state.
Let us formalize the modeling of a robot group using the DES framework. In this brief, the generic FSA is a quintuple , where is the set of states, the tranthe initial state, the set of marked (task sition function, completion) states. The definition of an FSA, , in the DES literature is slightly different than the one in automata theory. In the DES framework used in this brief, the transition function, , is partial and, as result, there are two languages associated with , namely, the generated language, , and the marked lan, where strings terminate in a marked state. The guage, , is prefix closed, but the marked langenerated language, guage may not be [11]. In automata theory, where is a total and hence only function, the generated language is simply the marked language is useful. Initially, the number of units (robots) in the group is . Each , an index set; has its own alphabet of unit , where events, , and each admits an FSA model, . Both the indi, comvidual alphabets, , and the group’s alphabet, prise controllable events only. To take into account that robots may go offline, we define the FSA , depicted in Fig. 1, that is based on the following alphabet of uncontrollable events: . Let denote the maximum number of units that may go offline and, in the sequel, assume that . , where , coThe occurrences of the events , respectively. incide with the losses of the robots In accordance with the FSA , each uncontrollable event occurs only once. Therefore, after the event the robotic group robots. comprises only To describe the natural behavior of a pair of robots modeled as and , we cast the automata operation of the the automata parallel composition,1 denoted as (for its definition, see [11]). The parallel composition, also known as the synchronous product or composition of automata, possesses the associative . Using the asproperty, i.e., sociative property, the natural language of the robotic group , before any uncontrollable event occurs, stems defined as follows: from the automaton
where is the empty string. When an uncontrollable event occurs, the parallel composition changes. After the uncontrollable , , occurs, the model becomes event
Upon the occurrence of the uncontrollable events , the respective models are as follows: where
,
1If the respective alphabets 6 and 6 are disjoint, the parallel composition reverts to the shuffle-product automata operator.
IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 12, NO. 5, SEPTEMBER 2004
. Let be a string of events in the language generated by , i.e., identifies a sequence of units that go offline. Then, the set of all pos. Consider the FSA-valued sible models , where for the empty string, , the function model of robotic group . Suppose a string of events includes the string of uncontrollable events . Then, the occurrence of an event affects the group’s model as follows: (1) for . This event-varying DES captures the changes in the behavior of the robotic group as individual robots go offline. IV. ADAPTIVE SUPERVISORY CONTROL As mentioned earlier, the coordinator of a robotic group restricts the group’s natural behavior in order to ensure that the group possesses certain desired properties. In the context of supervisory control, the coordinator accomplishes this by specifying and executing the desired language. In Section II, we introduced the notion of the desired language as one that guaranand denote the tees a set of desired properties. Let FSAs of desired properties and the current desired language, re, satisfies the set spectively. The current desired language, of desired properties, , iff , or, for brevity, . The languages for each and consist of strings with events in the alphabets and , respectively. Before any uncontrollable event occurs, is the set of all allowable action sequences for the robotic group . In general, the initial desired language FSA, , is constructed by an expert engineer. First, the desired language must be such that . Second, it ought to satisfy each desired prop. For example, might state that an object erty, , that has been picked up must eventually be delivered. Third, the expert engineer may require that the initial desired language meet performance criteria more specific but less essential than the desired properties. Without supervision the robotic system may be unable to satisfy the desired properties, for, in general, . Based on the event-varying DES that models the robotic group, we propose a learning algorithm to modify the desired language specified to the supervisor after each occurrence of an uncontrollable event. Upon execution of the uncontrollable , the learning algorithm removes the events that event pertain to the th robot from the desired language FSA, . In turn, the algorithm repairs the resulting (possibly fractured or disconnected) FSA and yields a candidate desired language. A verification algorithm checks the candidate in order to ensure that the desired properties, , are still valid. For verification, we use the method of AT model checking [3], [13]. In brief, AT model checking assumes and are expressed as FSAs, and checks whether . If the verification is successful, then the candidate is indeed . Clearly, it a desired language, whose FSA we denote as . If the verification fails, we reholds that
765
sort to an alternate learning algorithm that results in a smaller language, which, however, guarantees the desired properties. The procedure above repeats itself during a string of uncontrollable events and, thus, generates a succession of desired language FSAs . We shall address the issue of whether the elements of are nonempty as well as nonblocking later in the brief. The supervisor synthesis step derives from the following result. Proposition 1: Consider the event-varying DES (1) and the succession of desired languages . Suppose that the supervisor for (1) is the FSA-valued function where and (2) , the supervised language
Then for . Proof: Given in Appendix I.
V. LEARNING ALGORITHMS A. Maxmend: Automaton Repair With Verification As mentioned earlier, the learning mechanism deletes from the desired language FSA, , events pertaining to a failed or exited subsystem. Note that deleting events generally implies deleting FSA transitions, which can fracture the FSA into multiple isolated components. To restore continuity, the fractured FSA needs to be repaired by patching (mending) the gaps that result from deleted transitions [14]–[16]. Figs. 2 and 3 show our algorithm Maxmend for repairing the FSA following learning. Therein, we denote the FSA transi, where and are states and tion function as is an event. If , this means has no successor for . The subscripts “pre” and “post” denote pre- and postlearning. Moreover, is the set of all prelearning successor states is the set of all postlearning sucof state in FSA , is the particular prelearning successor of cessors of , is the postlearning successor state for event , and is the set of all prelearning events, of for event . Also, is the set of all postlearning events, and is the set of . events deleted by learning. In other words, is the set of all states in the FSA . Finally, In the algorithm, procedures such as “repair method” are recursive, i.e., they call themselves. Recursion is used to perform a depth-first search through the desired language FSA to visit all accessible (from the initial state) states. Depth-first search begins by visiting the initial state. It then continues following the FSA edges to visit each state in turn, until a state is reached that has already been visited, at which point the search backtracks and chooses another path. Let us now proceed to describe procedure Maxmend. Prior to calling procedure “repair method” (Fig. 2), variable “visited” is initialized to false for every state in the FSA. Procedure “repair method” is then called with the initial FSA state as parameter . Procedure repair method does a depth-first search through the set of all states that are accessible from the initial state after learning. For each state visited on the depth-first
766
IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 12, NO. 5, SEPTEMBER 2004
Fig. 4.
The algorithm Quickmend for FSA repair without verification.
The following proposition summarizes the time complexity results for Maxmend. Proposition 2: The (worst case) time complexity of the algorithm Maxmend is Fig. 2.
The algorithm Maxmend for FSA repair with verification.
(3) denotes the cardinal number of a set. where Proof: Given in Appendix II. The disadvantage of this repair algorithm is that it requires reverification to be sure the resulting FSA still satisfies the property after patching has been done. The reason that reverification is required is that the process of patching adds new FSA transitions, which results in new strings of events. There is no guarantee that these new strings will satisfy the desired properties. Assuming the property can be expressed succinctly as an FSA, verification with model checking takes time [3]. B. Quickmend: Automaton Repair Without Verification
Fig. 3. The subroutines of Maxmend.
search, “visited” is set to true so that it is not revisited. Each state that is visited which has no postlearning successors is considered an “unlinked vertex.” In this case, procedure “find linked vertex” (Fig. 3) is called to find the first prelearning descendant of the “unlinked vertex” that has a postlearning successor. This descendant is considered to be the “linked vertex.” Procedure “copy-connections” (Fig. 3) sets the successors of the “unlinked vertex” equal to the successors of the “linked vertex” for all postlearning events. If time permits, following this repair method the FSA may be simplified by removing unused (i.e., inaccessible) states and grouping states into equivalence classes using a state-minimization algorithm [17]. For worst case time complexity analysis of the algorithm, we define the following notation [18]. Definition 1: Let and be mappings of the set of integers is if there are constants into itself. We say that and such that whenever . Without loss of generality, we assume that assignment and comparison statements, such as “visited = true” and “if (visited == true)” in Figs. 2 and 3, take a constant amount of time each.
Our second repair algorithm, called Quickmend, is guaranteed to preserve all properties with no reverification required. This is because it only deletes, and never adds, FSA transitions. If FSA transitions are only deleted, then all properties are guaranteed to be preserved [19]. If the robotic group must respond quickly, this algorithm typically saves time compared with the repair algorithm of the preceding section. The tradeoff is that it usually results in a smaller desired language. Quickmend may be used in place of Maxmend, or it may be used after Maxmend when subsequent reverification fails. Fig. 4 shows the Quickmend algorithm for repairing the desired language FSA after learning occurs. Prior to calling the algorithm of Fig. 4, “visited” is initialized to false for every state in the FSA. Procedure “repair method” is then called with the initial FSA state as parameter . Procedure “repair method” does a depth-first search through the set of all prelearning states that are accessible from the initial state, and “visited” is set to avoid revisitation. When the algorithm has visited all states, it pops the recursion stack to revisit the states beginning with the last (i.e., it then visits the states in reverse order). For each state visited in reverse order, the algorithm tests whether has any postlearning successors. If not, it deletes all postlearning pointers to that state. Optionally, the FSA may be further simplified, e.g., by removing unused states.
IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 12, NO. 5, SEPTEMBER 2004
767
Let us consider the worst case time complexity of the Quickmend repair algorithm. We exclude the time to perform optional FSA simplifications. Proposition 3: The (worst case) time complexity of the algorithm Quickmend is (4)
Fig. 5.
DES model of the delivery system. TABLE I ROBOT TASKS AND STATES
denotes the cardinal number of a set. where Proof: Given in Appendix III. C. Desired Language’s Characteristics After Learning has been modified by After the desired language learning and repaired, we need to ensure that it is nonempty and nonblocking. To satisfy nonblocking, we check whether the following holds: (5) where denotes prefix closure and is the language marked by . The reason we need to check nonblocking is that if blocking occurs this implies that the robotic group can execute a sequence of events leading to a state from which a marked state is unreachable, i.e., it cannot complete a task. One test suffices to determine whether is both nonempty and nonblocking. Perform a depth-first search of the FSA beginning in the initial state. If a state is reached for which there is either no successor or only a self-successor, and the state is not marked, then there is blocking. If no marked state is encountered at any time during the depth-first search, then the (marked) language is empty. This . test is linear in VI. APPLICATION TO A DELIVERY SYSTEM In the laboratory, we tested the adaptive supervisory control approach on a delivery system that comprises a group of three mobile robots and a coordinator. The coordinator consists of a field computer, which stays near the group and executes the supervisor’s automaton, and a main computer that devises the automaton and uploads it to the field computer. The goal of the robotic group is to deliver a number of objects from location A to location D. A set of sensors allows each mobile robot to detect the object (e.g., a puck) and find the location to deliver it. The communication between the main and field computers, as well as the field computer and each robot, is based on infrared transceivers. A simple two-event two-state FSA is sufficient to capture the and , natural behavior of each robot. For let denote the FSA and the th state of the th robot, respectively. In accordance with Fig. 5, the states of each robot correspond to tasks as on Table I. In Fig. 5, the events , , , , , and are controllable. The figure also depicts the FSA that generates the strings of uncontrollable events. Herein, there is only one such event, namely, , whose occurrence coincides with the failure of the robot 2. Each robot has autonomy to complete a task, but it needs the coordinator’s authorization before it starts a new task. The job of the coordinator’s field computer is to disable certain state transitions (events) and enable other events in order to constrain the group’s natural language so that it satisfies the desired property, , stated as fol-
D
of the delivery system’s desired language. The double circle Fig. 6. FSA identifies the marked states.
Fig. 7. FSA
D
of the formerly desired language after learning.
lows: “If picks up, then will eventually deliver.” In other words, event will eventually occur, if event occurs. Despite the possible failure of robot 2, the adaptive supervision method described in this brief guarantees that the above desired property will hold and, hence, the robotic group will meet its goal. In the beginning, the group comprises all three , is shown in Fig. 6. robots and its desired language FSA, . During Using model checking, we verify that operation, however, the robot 2 fails. Shortly afterwards, the field computer realizes that robot 2 is no longer part of the group and sends this piece of information to the main computer, which commences the learning algorithm. At this stage, the the proposed adaptive scheme removes from the FSA events of , as in Fig. 7. In turn, it reconstructs the language FSA using the repair algorithm Maxmend of Sec, in tion V-A. The result is the candidate desired language, models the propFig. 8. From verification, it follows that erty . In accordance with formula (2), the main computer uploads the new supervisor to the field computer for execution. To demonstrate the repair algorithm Quickmend, which requires no verification, we depict its output, indeed a smaller language, is in Fig. 9. In both cases, an additional test ensures that both nonempty and nonblocking. Note that after either Maxmend or Quickmend, the supervisor continues its operation uninterruptedly. If, prior to repair, the supervisor is at a state that
768
IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 12, NO. 5, SEPTEMBER 2004
. Then, for
in , Fig. 8. FSA
Fig. 9.
FSA
D
D
of the desired language after repair with Maxmend.
of the desired language after repair with Quickmend.
gets deleted during repair, it will continue to execute events from the first predecessor state that did not get deleted. VII. CONCLUSION AND FUTURE WORK This brief describes a practical method for the modeling and control of teams of robots, despite dynamically changing team composition. The method consists of applying learning to adapt to the situation of units going offline, followed by algorithmic revisions and verification of the desired language FSA, which is used for supervisory control. Although the algorithms Maxmend and Quickmend are not optimal in terms of the size of the resulting language, both produce a language that satisfies desired properties and, at the same time, are computationally efficient, which is a serious practical concern. The time complexity of our approach, which is based on the event-varying DES model, is favorable when compared with the time complexity of adaptive supervision methods that assume a multiple DES model [7]. The latter depends on the set of compositions that are consistent with an identification procedure. The former depends on the size of the desired language FSA before the occurrence of an uncontrollable event and, thus, on the single composition of the robot team. The method described in this brief has another advantage. The desired language is revised after the occurrence of each uncontrollable event. Hence it is based on the structure of the system at that time rather than all possible structures from that point on; thus, yielding a less restrictive supervisor. Finally, the practicality of our method has been demonstrated on a team of actual robots under supervision. There are a couple of extensions to the current approach the authors may explore in future work. First, the approach described here handles units going offline, but a complementary approach is needed for the case of new units dynamically joining a team. Second, we would like to extend the approach to handle multiple distributed supervisors, thus, adding further flexibility. In parallel, we will continue to validate our approach on a variety of real-world applications.
APPENDIX I PROOF OF PROPOSITION 1 for each . Consider the desired language is nonempty and First, from the hypothesis, . Second, is prefix closed, for it is controllable is a generated language [11]. Third, with respect to , for there are no uncontrollable events
, the supervisor (2) yields , see [12]. Similarly, for .
APPENDIX II PROOF OF PROPOSITION 2 To prove the proposition, the following lemmas for consecutive and nested processes, respectively, are needed [18]. be mappings of the set Lemma 1: Let , , , and be and be of integers into itself, and . If and are not directly comparable (i.e., is one is not clearly greater than the other), then ; otherwise, it is . is and is Lemma 2: Suppose that . Then is . Let us now return to the proof of the proposition. In the worst , are visited during case, all of the states in , a total of the depth-first search. For every one of these states, the for-loop times. Within this loop, “viscould be executed at most ited” is reinitialized to zero for every state and the complexity . In the same for-loop, of this initialization process is there is also a call to the procedure “find linked vertex,” which, in the worst case, searches all remaining states and their pre. learning transitions. Thus, it requires time Then, using Lemmas 1 and 2 to combine, the complexity of the for-loop is (6) After exiting the for-loop, procedure “copy connections” copies the transitions for all postlearning events, which takes time . The procedure “copy connections” could be called for every state (during depth-first search) and, therefore, the total associated complexity is (7) The additional tests in procedure “repair method” for and , as well as for , add nothing more to the complexity of the Maxmend algorithm. Clearly, time complexity (3) follows from (6) and (7), using Lemma 1. APPENDIX III PROOF OF PROPOSITION 3 During depth-first search, the algorithm could try to visit every state with every possible prelearning event, which takes time (8) For each state visited on this search that has no postlearning successors, a nested loop is executed that could entail all states and postlearning events. Thus, the time complexity of the second process (within the second if-then statement) is (9) using Lemma 2. Time complexity (4) follows from (8) and (9), using Lemma 1.
IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 12, NO. 5, SEPTEMBER 2004
ACKNOWLEDGMENT The authors thank the Associate Editor M. Lemmon and three anonymous reviewers for their valuable and insightful comments and suggestions, which were useful in the revision of this brief. They are also grateful to Prof. T. Bailey for numerous constructive comments and suggestions. REFERENCES [1] P. J. Ramadge and W. M. Wonham, “Supervisory control of a class of discrete event processes,” SIAM J. Control Optim., vol. 25, no. 1, pp. 206–230, 1987. [2] W. M. Wonham and P. J. Ramadge, “On the supremal controllable sublanguage of a given language,” SIAM J. Control Optim., vol. 25, no. 3, pp. 637–659, 1987. [3] P. Kurshan, Computer Aided Verification of Coordinating Processes. Princeton, NJ: Princeton Univ. Press, 1994. [4] Y. Du and S. H. Wang, “Control of discrete-event systems with minimal switching,” Int. J. Control, vol. 48, no. 3, pp. 981–991, 1988. [5] W. M. Wonham and P. J. Ramadge, “Modular supervisory control of discrete-event systems,” Math. Control Signals Syst., vol. 1, no. 1, pp. 13–30, 1988. [6] J. G. Thistle, “Supervisory control of discrete event systems,” Math. Comput. Model., vol. 23, no. 11, pp. 25–53, 1996. [7] F. Lin, “Robust and adaptive supervisory control of discrete event systems,” IEEE Trans. Automat. Contr., vol. 38, pp. 1842–1852, Dec. 1993.
769
[8] S. Young and V. K. Garg, “Model uncertainty in discrete event systems,” SIAM J. Control Optim., vol. 33, no. 1, pp. 208–226, 1995. [9] Y.-L. Chen, S. Lafortune, and F. Lin, “How to reuse supervisors when discrete event systems evolve,” in Proc. IEEE Conf. Decision and Control, San Diego, CA, 1997, pp. 1442–1448. [10] P. J. Ramadge and W. M. Wonham, “The control of discrete event systems,” Proc. IEEE, vol. 77, pp. 81–98, Jan. 1989. [11] C. G. Cassandras and S. Lafortune, Introduction to Discrete Event Systems. Norwell, MA: Kluwer, 2001. [12] R. Kumar and V. K. Garg, Modeling and Control of Logical Discrete Event Systems. Norwell, MA: Kluwer, 1995. [13] M. Vardi and P. Wolper, “An automata-theoretic approach to automatic program verification,” in Proc. 1st Annu. IEEE Symp. Logic Computer Science, Cambridge, MA, 1986, pp. 322–331. [14] K. Kiriakidis and D. Gordon, “Supervision of multiple-robot systems,” in Proc. Amer. Control Conf., Washington, DC, 2001, pp. 2117–2118. [15] D. Gordon and K. Kiriakidis, “Adaptive supervisory control of interconnected discrete event systems,” in Proc. IEEE Conf. Control Applications, Anchorage, AK, 2000, pp. 935–940. [16] , “Design of adaptive supervisors for discrete event systems via learning,” in Proc. ASME Dynamic Systems Control Division, Int. Mechanical Engineering Congr. Exposition, Orlando, FL, 2000, pp. 365–370. [17] J. Hopcroft and J. Ullman, Introduction to Automata Theory, Languages, and Computation. Reading, MA: Addison-Wesley, 1979. [18] K. Rosen, Discrete Mathematics and Its Applications. New York: McGraw-Hill, 2003. [19] D. Gordon, “Asimovian adaptive agents,” J. Artif. Intell. Res., vol. 13, pp. 95–153, 2000.
