Mutually Nonblocking Supervisory Control of Discrete Event Systems

Mutually Nonblocking Supervisory Control of Discrete Event Systems M. Fabian Department of Signals and Systems Chalmers University of Technology SE-412 96 Göteborg, Sweden [email protected]

R. Kumar Department of Electrical Engineering University of Kentucky, Lexington KY 40506-0046 USA [email protected]

Abstract

For discrete event systems, modular supervisory control refers to modular design of a supervisor when multiple control specifications are given. This problem has been studied for the case when the desired specifications must all simultaneously be met. In this paper, we study the case when at least one of the desired specifications must always be met while never blocking any of the remaining specifications. In addition, the entire controlled system must be nonblocking. Thus, we study the case of “disjunction” (as opposed to “conjunction” as in prior work) with the provision for ensuring a type of fairness with regard to each individual specification. We call this the problem of mutually nonblocking supervision, which is demonstrated to have applications in feature interactions in telephony, protocol conversion, and manufacturing. We present a necessary and sufficient condition for the existence of a mutually nonblocking supervisor, where the relevance of the notion of mutual prefix-boundedness is established. Next we show the existence of a maximally permissive mutually nonblocking supervisor, and provide a closed-form formula of the behavior that is achieved under its supervision whenever the desired specification languages are weakly nonconflicting. The formula turns out to be the union of the supremal prefix-bounded sublanguage of one specification language with respect to the other. We end by demonstrating that the problem we address is equivalent to the problem of “multiply nonblocking supervision” studied by Lafortune et al. and Thistle et al., and so the techniques developed here can be applied there and vice versa.

Keywords: Supervisory Control Theory, Modular Specification, Mutually Nonblocking Languages, Nonconflicting Languages

1. Introduction

Discrete event systems (DESs) are a useful modeling abstraction for many, mainly man-made, systems such as manufacturing and communication systems. The main purpose of such models is analysis and control synthesis. The supervisory control theory initiated by Ramadge (1987) and Wonham (1987) is a general theory for the synthesis of a controller for a DES plant, given a specification describing its allowed and desired behavior. The resulting controller, the supervisor, controls the plant so that the closed-loop system remains within the specification by dynamically disabling events that the plant otherwise might have generated. However, the supervisor cannot disable all events generated by the plant; some of these are uncontrollable. The supervisor must be such that it controls the plant without ever trying to disable any uncontrollable events; it must be complete with respect to the plant. It is known that this can be achieved if and only if a sublanguage of the specification is controllable. In its original setting the supervisory control theory considered a single specification expressing all allowed and desired behavior of a single plant, resulting in a single supervisor. However, as complexity of the plant grows the complexity of deriving the specification also grows. In this case, it is favorable to deal with a modular specification. Such a specification is given as a set of specifications, each expressing only a few relevant aspects of the allowed and desired behavior of the closed-loop system. The task of the supervisor is to make sure that all of the specifications are fulfilled as well as possible, simultaneously. “Modular supervisory control” (Wonham (1988)) has come to denote the type of control where two (or more) specifications are given, and the control objective is to keep the plant within as large a subset of the intersection of the specifications as possible. 
The intersection is a logical choice, since this guarantees that none of the specifications are violated; only what they all agree upon is allowed. In some cases, supervisors can be calculated for each specification separately, with the conjunction of the supervisors controlling the system, see Wonham (1988). This automatically makes the closed-loop system stay within the intersection of the specifications. Such a modular synthesis approach has many benefits, in the regular case overcoming the combinatorial state-space explosion problem, but it may also be too restrictive. In that case, the disjunction of the two specification languages could seem a useful alternative interpretation. However, the disjunction by itself does not guarantee any degree of fairness. The supervisor could choose to simply enforce one of the specifications, and never let the closed-loop system perform any task of the other specification, unless additional requirements are imposed on the supervisor. Let us briefly review some examples to emphasize the point. Consider a multi-operational manufacturing device that may be configured to do a set of tasks. Configuring the device for some tasks may block its ability to perform other tasks, though; the size of the tool magazine may be limited, for instance. Assume now that we have two products that we want the device to process, each requiring different but maybe overlapping subsets of the entire set of tasks. Modeling that device as a DES allows each of these sets of tasks to be described by a marked specification. Controlling the device to stay within the intersection of the specifications is overly restrictive, since only tasks desired by both products would be allowed. Controlling the device to stay within the union of the specifications could mean configuring the device for all the tasks of one product, but only a few, and in the worst case none, of the other product. This is hardly fair.


Feature interaction in telephony systems poses a similar problem. As the number of available features increases and new features are added on top of existing ones, their interaction becomes increasingly problematic, see Chen (1996), Wong (1996a) and Thistle (1997). The main problem is that new features may interact insidiously with the old features, in the worst case blocking the entire system. Thus, the system must be controlled so that feature interaction does not pose a problem, while at the same time allowing as many features as possible. In protocol conversion (Kumar (1996), Takai (1996)) a modular specification arises, see Kumar (1997), from a single specification, the service specification. This specification requires that the system satisfy a certain progress property, which is equivalent to the system being nonblocking with respect to a family of suitably defined marked languages. The converter (supervisor) must be fair in the sense that it never blocks the system with respect to any of the specification languages. In this paper, we present a novel approach to modular supervisory control. Given two marked specification languages, a supervisor is synthesized that enforces as large a part of the disjunction of the specifications as possible, while at the same time guaranteeing a certain degree of fairness. This allows, for instance, the achievement of a sequence of tasks without specifying a priori the exact sequence in which these tasks are to be carried out. Fairness is still guaranteed in that when a task from one specification language is finished, a task from the other specification can always be completed. Such a supervisor is mutually nonblocking with respect to both specifications. For instance, the manufacturing device described above could be configured for a large part of the union of the required tasks, under the constraint that the processing of one type of product does not block the future processing of a product of the other type.

Enforcing this means that we allow those tasks desired by either product that do not block each other. This gives a certain amount of fairness between the specifications. Note that this also means that we may not be able to perform all tasks pertaining to a specific type of product, only those that will never block the other allowable tasks. The feature interaction problem could be solved in a similar way. To overcome unwanted feature interaction we could specify each feature by a marked language, and then generate a supervisor that is fair with respect to as many features as possible. In this case, this means that the supervisor controls the system within the specifications while guaranteeing that enforcing one feature will not block another. Note, though, that this may mean that not all features are available at all times; only those features can be made available for which no harmful interaction arises with other, already selected, features. The approach of Thistle (1997) uses a “multiplicity of nonblocking conditions” to solve the feature interaction problem, arguing that a supervisor coping with the feature interaction problem must be nonblocking with respect to each of these marked specifications. That is, it must be “multiply nonblocking”. This is closely related to the approach presented in this work, as shown in Section 5. However, the mutually nonblocking property does not guarantee that the closed-loop system will always be able to complete some specified task. It only says that if a trace marked by one language is completed, then it can be continued into a marked trace of the other. It does not say that it is always possible to complete some marked trace. To guarantee this, the supervisor must also be globally nonblocking. It is shown that the multiply nonblocking property of Thistle (1997) is equivalent to being both globally and mutually nonblocking.


In this paper, we assume we are given a plant and two specification languages representing two different task sequences. Then we determine when a globally and mutually nonblocking supervisor can be computed that controls the plant to allow completion of either of the tasks while always allowing the possibility of completing any pending task. This can be achieved when there exists a controllable sublanguage of the union of the specifications, such that this sublanguage is mutually nonblocking with respect to both specification languages. It is also shown that a unique supremal such sublanguage does exist. Furthermore, this language can be calculated in a modular fashion under the condition that each specification language is nonconflicting with respect to the prefix-closure of the other. This is achieved when each language is prefix-bounded by the other and both are bounded by the marked plant-language. It is shown that this supervisor is nonblocking with respect to both languages. Moreover, if the prefix-bounded condition does not hold, we show when and how we can calculate the supremal prefix-bounded sublanguages of the specification languages. In Section 2 we present the necessary notation and background, while Section 3 presents the problem and shows that a unique supremal solution exists. In Section 4 we show how to calculate this solution modularly, and compare our approach to similar approaches. Section 5 establishes the equivalence of globally and mutually nonblocking and multiply nonblocking supervisors. Finally, we give a small example of a protocol conversion system in Section 6.

2. Preliminaries

In this section, we give the necessary background of formal languages and the supervisory control theory. See Hopcroft (1979) and Ramadge (1987) for details. A formal language, $L$, is a subset $L \subseteq \Sigma^*$, where $\Sigma$ is a finite set of event-symbols and $\Sigma^*$ is the set of all finite sequences of these symbols including the empty sequence, $\varepsilon$. An element $t \in \Sigma^*$ is called a trace. The prefix-closure of a trace $t \in \Sigma^*$, denoted $\overline{t}$, is the set of all initial sub-traces, the prefixes, of $t$; that is $\overline{t} = \{ t' \in \Sigma^* \mid \exists t'' \in \Sigma^* \text{ s.t. } t't'' = t \}$. Both the empty trace and $t$ itself belong to $\overline{t}$. The prefix-closure $\overline{L}$ of a language $L$ is the union of the prefix-closures of its traces. A language that is equal to its prefix-closure is said to be prefix-closed (or simply closed). A DES $G$ will be described by a closed and a marked language, $L(G)$ and $L_m(G)$, respectively. We will always assume that $L_m(G) \subseteq L(G)$. Two DESs, $G$ and $S$, will be composed by synchronous composition, see Hoare (1985), resulting in a new DES $G \| S$, such that

$$L_m(G \| S) = L_m(G) \cap L_m(S) \quad\text{and}\quad L(G \| S) = L(G) \cap L(S).$$

Note that this assumes that both DESs have the same alphabet, which will be one underlying assumption. The supervisory control theory (SCT) initiated by Ramadge (1987) and Wonham (1987) is a general approach to the synthesis of a controller, called a supervisor, for a given DES, the plant. Control is exercised by the supervisor dynamically disabling events of the plant, so that the closed-loop system of supervisor and plant exhibits a pre-decided specification language. The event-set of the plant is partitioned into the two disjoint sets of controllable and uncontrollable events, $\Sigma_c$ and $\Sigma_u$, respectively. The uncontrollable events are not subject to influence by the supervisor, typically representing the finishing of an operation or a failure. The closed-loop system of the plant and supervisor can be modeled by their synchronous composition, see Kumar (1991), provided (Fabian (1995)) that the supervisor is complete (Ramadge (1987)). That is, that it can always participate in the uncontrollable events that it permits the plant to generate.

It can be shown, see Fabian (1995), that a supervisor $S$ is complete if and only if $L(S)$ is controllable with respect to the plant language. Given a plant $G$, a language $K$ is controllable if (Ramadge (1987))

$$\overline{K}\,\Sigma_u \cap L(G) \subseteq \overline{K}.$$

Observe that $K$ is controllable if and only if $\overline{K}$ is controllable. When the specification language is not prefix-closed, the supervisor must be such that the closed-loop system only generates traces that can be extended to traces marked by the specification. That is, the supervisor must be such that $\overline{L_m(G \| S)} = L(G \| S)$. Then, the supervisor is said to be (globally) nonblocking. Since $\overline{L_m(G \| S)} \subseteq L(G \| S)$ always holds, the nonblocking condition is equivalent to $L(G \| S) \subseteq \overline{L_m(G \| S)}$.

The basic nonblocking supervisory control problem and its solution can now be formulated as follows. This is a variant of the various formulations of the same problem given originally in Wonham (1987), as well as by Chen (1991), Kumar (1991), Fabian (1995) and others.

The Basic Nonblocking Supervisory Control Problem. Given a plant $G$ and a specification language $K$, there exists a complete supervisor $S$ such that $L_m(G \| S) \subseteq K$ and $\overline{L_m(G \| S)} = L(G \| S)$ if and only if there exists a sublanguage $K' \subseteq K$ such that $K'$ is controllable and $K' \subseteq L_m(G)$.

Note that if the supervisor is not marked, so that $L_m(G \| S) = L(G \| S) \cap L_m(G)$, then the condition that $K' \subseteq L_m(G)$ must be strengthened to $K' = \overline{K'} \cap L_m(G)$, that is, $K'$ being $L_m(G)$-closed (Ramadge (1987)). This is because when $S$ is unmarked the marking of the closed-loop system is entirely decided by the original marking of $G$; the supervisor cannot remove any markings. When $S$ is marked, however, only traces marked by both the supervisor and the plant will be marked in the closed-loop system. It is commonly assumed that a marked specification language is a subset of the marked plant language. This assumption is natural, since we can never hope to achieve more than what the physical limitations of the plant allow. Thus, this assumption will be made henceforth. For a given language $K$ the class $\mathcal{C}(K)$ of all controllable (with respect to a given plant) sublanguages of $K$ is closed under arbitrary language union, so that $\sup\mathcal{C}(K)$, the unique supremal controllable sublanguage of $K$, does exist, see Wonham (1987). Thus, when $K \subseteq L_m(G)$ itself is not controllable, we can find a supervisor $S$ such that $L_m(G \| S) = \sup\mathcal{C}(K)$. Such a supervisor is said to be maximally permissive, Wonham (1987).
In applications of the SCT where several marked specification languages are imposed on a single plant, such as modular supervisory control (Wonham (1988)) and hierarchical control (Zhong (1990)), there arises the notion of nonconflicting languages. Two languages $L_1$ and $L_2$ are said to be nonconflicting (Wonham (1988)) if $\overline{L_1 \cap L_2} = \overline{L_1} \cap \overline{L_2}$, which is equivalent to $\overline{L_1} \cap \overline{L_2} \subseteq \overline{L_1 \cap L_2}$ since the reverse containment always holds. This means that whenever $L_1$ and $L_2$ share a prefix of a trace, then they also share a trace with that prefix. Thus, there is no conflict between the languages as to how to complete a pending task after that shared prefix; both languages can extend the prefix to a shared marked trace.

3. Mutually Nonblocking Supervisor and Its Existence

A supervisor is said to be mutually nonblocking with respect to two specification languages if whenever the closed-loop system has completed a task of one language (by completing a marked trace of that language), then it is always able to continue to complete a task of the other language. This is captured by the following definition.

Definition 1. Mutually Nonblocking Supervisor. Given a plant $G$ and two specification languages $K_1$ and $K_2$, a supervisor $S$ is $(K_1, K_2)$-mutually nonblocking if (for $i, j = 1, 2$) whenever the closed-loop system marks a trace of $K_i$, it can always continue to a marked trace of $K_j$. That is,

$$L_m(G \| S) \cap K_i \subseteq \overline{L_m(G \| S) \cap K_j}.$$

Note that when $i = j$ the inclusion above is trivial. With marked specifications we must also guarantee that the closed-loop system is always able to complete some specified task, that is, that $\overline{L_m(G \| S)} = L(G \| S)$. When this is the case, the supervisor is said to be globally nonblocking. Note the difference here. The global nonblocking property guarantees that some marked trace can always be executed, but it also allows the system to remain within the same specification and never execute any marked traces of the other. The mutually nonblocking supervisor guarantees that this is avoidable. Furthermore, a globally nonblocking supervisor would allow the system to halt (deadlock) after any trace marked by either specification, while the mutually nonblocking property in some sense “drives” the system never to halt after a marked trace (unless it is marked by both specifications). Thus, given two marked specification languages $K_1$ and $K_2$ we want to find a single supervisor that is both globally and $(K_1, K_2)$-mutually nonblocking. Furthermore, as described in the introduction, we want the supervisor to keep the closed-loop system within the union of the specification languages. To find such a supervisor we define the following class of all $(K_1, K_2)$-mutually nonblocking sublanguages of the union of two specification languages, $K_1 \cup K_2$.

Definition 2. Mutually Nonblocking Sublanguage. For two specification languages $K_1$ and $K_2$ we define the class of all $(K_1, K_2)$-mutually nonblocking sublanguages of $K_1 \cup K_2$ as

$$\mathrm{MNB}(K_1, K_2) = \{ H \subseteq K_1 \cup K_2 \mid H \cap K_i \subseteq \overline{H \cap K_j} \text{ for } i, j = 1, 2 \}.$$

Note that for an element $H \in \mathrm{MNB}(K_1, K_2)$ we require that $H \cap K_1 \subseteq \overline{H \cap K_2}$ as well as $H \cap K_2 \subseteq \overline{H \cap K_1}$. Again, these inclusions are trivial when $i = j$.

The following theorem gives the condition under which a complete, globally and mutually nonblocking supervisor keeping the closed-loop system within the union of the specifications exists.


Theorem 1. Mutually Nonblocking Supervisor Existence, I. Given a plant $G$ and two specification languages $K_1$ and $K_2$ such that $K_1 \cup K_2 \subseteq L_m(G)$, a complete, globally and $(K_1, K_2)$-mutually nonblocking supervisor $S$ such that $L_m(G \| S) \subseteq K_1 \cup K_2$ exists if and only if there exists a controllable $K \in \mathrm{MNB}(K_1, K_2)$.

Proof. ($\Rightarrow$) Assume that such an $S$ exists. Then, since $S$ is $(K_1, K_2)$-mutually nonblocking and $L_m(G \| S) \subseteq K_1 \cup K_2$, $L_m(G \| S) \in \mathrm{MNB}(K_1, K_2)$. Since $S$ is complete and globally nonblocking, $L_m(G \| S)$ is controllable.

($\Leftarrow$) Assume that such a $K$ exists. Choose $S$ such that $L_m(S) = K$ and $L(S) = \overline{K}$. Then, since $K \subseteq L_m(G)$, $L_m(G \| S) = L_m(S) = K$ so that $L_m(G \| S) \subseteq K_1 \cup K_2$. Also, $\overline{L_m(G \| S)} = \overline{L_m(S)} = L(S) = L(G \| S)$ so that $S$ is globally nonblocking. Since $K$ is controllable, $S$ is complete, and since $K \in \mathrm{MNB}(K_1, K_2)$, $S$ is $(K_1, K_2)$-mutually nonblocking. □

Theorem 1 shows that to find a complete, globally and mutually nonblocking supervisor that keeps the closed-loop system within the union of the specification languages, we have to find a controllable and mutually nonblocking sublanguage of the union of the specification languages. However, we do not just want to find any such language; the empty language, for instance, is always a solution, though not a very satisfactory one. What we want to find is the largest possible such language, if such a language exists. It turns out that it does, as is shown by the following theorem.

Theorem 2. Supremal Mutually Nonblocking Sublanguage. The set $\mathrm{MNB}(K_1, K_2)$ contains a unique, supremal element, denoted $\sup\mathrm{MNB}(K_1, K_2)$.

Proof. First we note that $\mathrm{MNB}(K_1, K_2)$ is non-empty, since it will always contain the empty language. Next, we show that $\mathrm{MNB}(K_1, K_2)$ is closed under arbitrary language union. Assume that $L_\alpha \in \mathrm{MNB}(K_1, K_2)$ for $\alpha$ in some index set. Then, for the union over all indices, $\bigcup_\alpha L_\alpha \subseteq K_1 \cup K_2$. Furthermore,

$$\Big(\bigcup_\alpha L_\alpha\Big) \cap K_i = \bigcup_\alpha (L_\alpha \cap K_i) \subseteq \bigcup_\alpha \overline{L_\alpha \cap K_j} = \overline{\Big(\bigcup_\alpha L_\alpha\Big) \cap K_j},$$

which shows that $\mathrm{MNB}(K_1, K_2)$ is closed under arbitrary union. □

Since the arbitrary union of elements in the set $\mathrm{MNB}(K_1, K_2)$ is also in the set, the supremal element $\sup\mathrm{MNB}(K_1, K_2)$ does exist; it is the union over all elements of the set. Furthermore, we know that the set $\mathcal{C}(K_1 \cup K_2)$ is a union-closed set, and since the intersection of two union-closed sets is also a union-closed set, a unique supremal controllable and mutually nonblocking sublanguage of $K_1 \cup K_2$ does exist, $\sup[\mathrm{MNB}(K_1, K_2) \cap \mathcal{C}(K_1 \cup K_2)]$.

4. Mutually Nonblocking Supervisor Synthesis

In order to synthesize a mutually nonblocking supervisor, we are interested in finding the supremal controllable and mutually nonblocking sublanguage of the union of two given specification languages. In this section, we will show that under the condition that each specification language is nonconflicting with respect to the prefix-closure of the other, this can be done in a modular way, by operating first on one specification language with respect to the other, and then vice versa. The union of the results is then the sought sublanguage. Thus we could synthesize one supervisor $S_i$ for each specification language $K_i$ (assuming it satisfies all the required properties) and then compose those supervisors in the disjunctive form explained in Section 3, so that for the closed-loop system, $L_m(G \| (S_1 \circ S_2)) \subseteq K_1 \cup K_2$. This is similar to the approach to modular supervisory control of Wonham (1988), except that there the supervisor composition is synchronous.

Definition 3. Prefix Bounded Languages. For two arbitrary languages $L_1, L_2 \subseteq \Sigma^*$, $L_1$ is said to be $L_2$-prefix bounded if $L_1 \subseteq \overline{L_2}$. For $L_1$ we define also the set of all $L_2$-prefix bounded sublanguages as

$$\mathrm{PB}(L_1, L_2) = \{ L \subseteq L_1 \mid L \subseteq \overline{L_2} \}.$$

Two languages are prefix bounded by each other if and only if their prefix-closures are equal, as stated in the following lemma.

Lemma 1. Two arbitrary languages $L_1, L_2 \subseteq \Sigma^*$ are prefix bounded by each other if and only if their prefix-closures are equal. That is,

$$L_1 \in \mathrm{PB}(L_1, L_2) \ \wedge\ L_2 \in \mathrm{PB}(L_2, L_1) \ \Leftrightarrow\ \overline{L_1} = \overline{L_2}.$$

Proof. ($\Rightarrow$) When a language is prefix bounded by another, then so is the prefix-closure of that language; thus, $L_1 \subseteq \overline{L_2} \Rightarrow \overline{L_1} \subseteq \overline{L_2}$ and $L_2 \subseteq \overline{L_1} \Rightarrow \overline{L_2} \subseteq \overline{L_1}$. Obviously, this means that $\overline{L_1} = \overline{L_2}$.

($\Leftarrow$) When $\overline{L_1} = \overline{L_2}$, for all traces $s \in L_1$ it holds that $\overline{s} \subseteq \overline{L_2}$ so that $s \in \overline{L_2}$. Therefore, $L_1 \subseteq \overline{L_2}$ and likewise $L_2 \subseteq \overline{L_1}$, so that $L_1 \in \mathrm{PB}(L_1, L_2)$ and $L_2 \in \mathrm{PB}(L_2, L_1)$. □

Next, we show that when two specification languages are prefix bounded by each other, then their union is controllable if and only if they are individually controllable.

Lemma 2. Assume a plant $G$ and two specification languages $K_1$ and $K_2$. For two sublanguages $L_1 \subseteq K_1$ and $L_2 \subseteq K_2$ such that $L_1 \subseteq \overline{L_2}$ and $L_2 \subseteq \overline{L_1}$, their union is controllable if and only if each is controllable. That is (for $i, j = 1, 2$),

$$L_i \subseteq K_i \ \wedge\ L_i \subseteq \overline{L_j} \ \Rightarrow\ \big[\, L_1 \in \mathcal{C}(K_1) \wedge L_2 \in \mathcal{C}(K_2) \ \Leftrightarrow\ L_1 \cup L_2 \in \mathcal{C}(K_1 \cup K_2) \,\big].$$

Proof. ($\Rightarrow$) It is well known that controllability is preserved under union. Thus, the union $L_1 \cup L_2$ is a controllable sublanguage of $K_1 \cup K_2$ whenever $L_1$ and $L_2$ are controllable sublanguages of $K_1$ and $K_2$, respectively.

($\Leftarrow$) The union is by definition controllable when $\overline{L_1 \cup L_2}\,\Sigma_u \cap L(G) \subseteq \overline{L_1 \cup L_2}$. Since prefix-closure distributes over union this is equivalent to $(\overline{L_1} \cup \overline{L_2})\,\Sigma_u \cap L(G) \subseteq \overline{L_1} \cup \overline{L_2}$. With $L_i \subseteq \overline{L_j}$, Lemma 1 tells us that $\overline{L_1} = \overline{L_2}$, which obviously means that controllability of the union implies that both $L_1$ and $L_2$ are controllable. □

Note that the backward implication of Lemma 2 does not hold for arbitrary languages. The union of two languages can be controllable without each being controllable. Now we want to show that a complete, globally and mutually nonblocking supervisor exists if and only if there exist sublanguages of the specification languages that are prefix-bounded by each other and have a controllable union.

Theorem 3. Mutually Nonblocking Supervisor Existence, II. Given a plant $G$ and two specification languages $K_1$ and $K_2$ such that $K_1 \cup K_2 \subseteq L_m(G)$, a complete, globally and $(K_1, K_2)$-mutually nonblocking supervisor $S$ such that $L_m(G \| S) \subseteq K_1 \cup K_2$ exists if and only if there exist sublanguages $K_1' \subseteq K_1$ and $K_2' \subseteq K_2$ such that $K_1'$ is $K_2'$-prefix bounded, $K_2'$ is $K_1'$-prefix bounded and $K_1' \cup K_2'$ is controllable.

Proof. ($\Rightarrow$) Assume that $S$ is a complete, globally and $(K_1, K_2)$-mutually nonblocking supervisor such that $L_m(G \| S) \subseteq K_1 \cup K_2$. Let $K_i' = L_m(G \| S) \cap K_i$ for $i = 1, 2$. Obviously, $K_i' \subseteq K_i$. Furthermore (for $i, j = 1, 2$),

$$K_i' = L_m(G \| S) \cap K_i \subseteq \overline{L_m(G \| S) \cap K_j} = \overline{K_j'}.$$

Finally, since $L_m(G \| S) \subseteq K_1 \cup K_2$ we have that

$$K_1' \cup K_2' = (L_m(G \| S) \cap K_1) \cup (L_m(G \| S) \cap K_2) = L_m(G \| S) \cap (K_1 \cup K_2) = L_m(G \| S),$$

and thus $K_1' \cup K_2'$ is controllable.

($\Leftarrow$) Assume that there exist $K_i' \subseteq K_i$ such that $K_1' \cup K_2'$ is controllable, and $K_i'$ is $K_j'$-prefix bounded. Since $K_1' \cup K_2'$ is controllable and $K_1' \cup K_2' \subseteq L_m(G)$, we can choose $S$ such that $L_m(G \| S) = K_1' \cup K_2'$ and $L(G \| S) = \overline{K_1' \cup K_2'}$, and thus $S$ is globally nonblocking. Then $L_m(G \| S) \cap K_i = (K_1' \cup K_2') \cap K_i = K_i'$, and $L_m(G \| S) \cap K_j = (K_1' \cup K_2') \cap K_j = K_j'$. Of course, this means that $L_m(G \| S) \cap K_i \subseteq \overline{L_m(G \| S) \cap K_j}$, and thus, $S$ is $(K_1, K_2)$-mutually nonblocking. □

Note that when $K_i'$ is a sublanguage of $K_i$ and it is $K_j'$-prefix bounded, then $K_i' \in \mathrm{PB}(K_i, K_j')$. Thus, from Theorem 3 a supervisor exists if and only if there exist $K_i' \in \mathrm{PB}(K_i, K_j')$ such that their union is controllable. Now, since Theorem 1 and Theorem 3 both give necessary and sufficient conditions for the same supervisors, we know that there exists a controllable $K \in \mathrm{MNB}(K_1, K_2)$ if and only if there exist $K_1' \in \mathrm{PB}(K_1, K_2')$ and $K_2' \in \mathrm{PB}(K_2, K_1')$ such that $K_1' \cup K_2'$ is controllable. Furthermore, when $K_1'$ and $K_2'$ are prefix bounded by each other, from Lemma 2 their union is controllable if and only if they are individually controllable. Thus, it suffices to look for sublanguages of the specification languages such that they are controllable and prefix bounded by each other. Furthermore, to ensure maximal permissiveness, we look for sublanguages guaranteeing that the closed-loop system will achieve the supremal mutually nonblocking sublanguage. Any element of $\mathrm{PB}(K_1, K_2)$ is a sublanguage of both $K_1$ and $\overline{K_2}$, and therefore a sublanguage of $K_1 \cap \overline{K_2}$. In fact, $K_1 \cap \overline{K_2}$ is the unique supremal $K_2$-prefix bounded sublanguage of $K_1$. This is shown by the following theorem.

Theorem 4. Supremal Prefix Bounded Sublanguage. The supremal $K_2$-prefix bounded sublanguage of $K_1$ exists, is unique and is given by

$$\sup\mathrm{PB}(K_1, K_2) = K_1 \cap \overline{K_2}.$$

Proof. Obviously, $\mathrm{PB}(K_1, K_2)$ is non-empty since it always contains the empty language. That $\mathrm{PB}(K_1, K_2)$ is closed under arbitrary language union is also obvious. Thus, a unique supremal element does exist. It is obvious that $K_1 \cap \overline{K_2}$ is a sublanguage of both $K_1$ and $\overline{K_2}$, so that $K_1 \cap \overline{K_2} \in \mathrm{PB}(K_1, K_2)$ and hence $K_1 \cap \overline{K_2} \subseteq \sup\mathrm{PB}(K_1, K_2)$. We have to show that $\sup\mathrm{PB}(K_1, K_2) \subseteq K_1 \cap \overline{K_2}$. When $\sup\mathrm{PB}(K_1, K_2) = \emptyset$, this is trivial. Assume that $\sup\mathrm{PB}(K_1, K_2) \neq \emptyset$. Pick $s \in \sup\mathrm{PB}(K_1, K_2)$; by definition $s$ belongs both to $K_1$ and to $\overline{K_2}$, and therefore $s \in K_1 \cap \overline{K_2}$. Thus, $\sup\mathrm{PB}(K_1, K_2) \subseteq K_1 \cap \overline{K_2}$. □

Now we are ready for the second main theorem of this paper, showing that when the supremal prefix bounded sublanguages of two specification languages $K_1$ and $K_2$ are themselves prefix bounded by each other, then the union of the supremal prefix bounded sublanguages equals the supremal $(K_1, K_2)$-mutually nonblocking sublanguage of $K_1 \cup K_2$.

Theorem 5. Modular Calculation of $\sup\mathrm{MNB}(K_1, K_2)$. For two specification languages $K_1$ and $K_2$ such that $\sup\mathrm{PB}(K_i, K_j) \subseteq \overline{\sup\mathrm{PB}(K_j, K_i)}$ (for $i, j = 1, 2$), the language $H = \sup\mathrm{PB}(K_1, K_2) \cup \sup\mathrm{PB}(K_2, K_1)$ is the supremal element of the set $\mathrm{MNB}(K_1, K_2)$. That is,

$$\sup\mathrm{PB}(K_i, K_j) \subseteq \overline{\sup\mathrm{PB}(K_j, K_i)} \ \Rightarrow\ \sup\mathrm{MNB}(K_1, K_2) = \sup\mathrm{PB}(K_1, K_2) \cup \sup\mathrm{PB}(K_2, K_1).$$

Proof. We have to show the following three things.

1. Is $H \subseteq K_1 \cup K_2$? This is obvious.

2. Is $H \cap K_i \subseteq \overline{H \cap K_j}$? We note that $H \cap K_i = (\sup\mathrm{PB}(K_i, K_j) \cup \sup\mathrm{PB}(K_j, K_i)) \cap K_i$, so that from Theorem 4 $H \cap K_i = ((K_i \cap \overline{K_j}) \cup (K_j \cap \overline{K_i})) \cap K_i$, which obviously means that

$$H \cap K_i = (K_i \cap \overline{K_j}) \cup (K_j \cap K_i) = \sup\mathrm{PB}(K_i, K_j) \cup (K_j \cap K_i).$$

Naturally, $K_j \cap K_i \subseteq K_i \cap \overline{K_j}$. In the same way $H \cap K_j = \sup\mathrm{PB}(K_j, K_i) \cup (K_i \cap K_j)$, and since $\sup\mathrm{PB}(K_i, K_j) \subseteq \overline{\sup\mathrm{PB}(K_j, K_i)}$ it must hold that $H \cap K_i \subseteq \overline{H \cap K_j}$.

3. Now we know that $H \in \mathrm{MNB}(K_1, K_2)$ so that $H \subseteq \sup\mathrm{MNB}(K_1, K_2)$. We have to show that $\sup\mathrm{MNB}(K_1, K_2) \subseteq H$. If $\sup\mathrm{MNB}(K_1, K_2) = \emptyset$ this is trivial. Assume that $\sup\mathrm{MNB}(K_1, K_2) \neq \emptyset$, and pick a trace $s \in \sup\mathrm{MNB}(K_1, K_2) \subseteq K_1 \cup K_2$. Without loss of generality we can assume that $s \in K_i$. Then $s \in \sup\mathrm{MNB}(K_1, K_2) \cap K_i$ and by definition of mutual nonblockingness $s \in \overline{\sup\mathrm{MNB}(K_1, K_2) \cap K_j}$, which is a subset of $\overline{K_j}$. Therefore, $s \in K_i \cap \overline{K_j} = \sup\mathrm{PB}(K_i, K_j) \subseteq H$. □

Theorem 5 tells us that, given two specification languages, we can find the supremal mutually nonblocking sublanguage of their union by first calculating the supremal prefix-bounded sublanguage of each specification with respect to the other, and then forming their union. This we can do under the condition that the supremal prefix-bounded sublanguages are themselves prefix-bounded by each other. A question then arises: under what conditions are the supremal prefix-bounded sublanguages guaranteed to be mutually prefix-bounded? Another question of interest is when the language $\sup MNB(K_1, K_2)$ is controllable. Since both $MNB(K_1, K_2)$ and $C(K_1 \cup K_2)$ are closed under arbitrary union, a supremal mutually nonblocking and controllable element, $\sup[MNB(K_1, K_2) \cap C(K_1 \cup K_2)]$, does exist. Furthermore, it can be shown that when $\sup MNB(K_1, K_2)$ is controllable, it is this element. Of course, $\sup MNB(K_1, K_2)$ is controllable when $\sup PB(K_i, K_j)$ (for $i, j = 1, 2$) are both controllable; more precisely, Lemma 2 tells us that it is controllable only then. Thus another question we are apt to ask is when the $\sup PB(K_i, K_j)$ are controllable. It turns out that both questions have the same answer.

In modular supervisory control the notion of nonconflicting languages arises, see Wonham (1988). It is well known that the intersection of two nonconflicting controllable languages is also a controllable language. In our case, however, we are interested in the controllability of $\sup PB(K_i, K_j) = K_i \cap \overline{K_j}$. Obviously, if both languages are controllable and $K_i$ is nonconflicting with $\overline{K_j}$, then $\sup PB(K_i, K_j)$ is also controllable. Therefore, of principal interest will be languages that are nonconflicting with respect to the prefix-closures of other languages; such languages are said to be weakly nonconflicting.

Definition 4. Weakly Nonconflicting Languages. For two arbitrary languages $L_1, L_2 \subseteq \Sigma^*$, $L_1$ is said to be $L_2$-weakly nonconflicting if $\overline{L_1} \cap \overline{L_2} \subseteq \overline{L_1 \cap \overline{L_2}}$. For $L_1$ we also define the set of all $L_2$-weakly nonconflicting sublanguages as

$$WNC(L_1, L_2) = \{ L \subseteq L_1 \mid \overline{L} \cap \overline{L_2} \subseteq \overline{L \cap \overline{L_2}} \}.$$

□

Of course, $L_1$ being $L_2$-weakly nonconflicting is a weaker condition than $L_1$ and $L_2$ being nonconflicting. $L_1$ being $L_2$-weakly nonconflicting means that whenever $L_1$ and $L_2$ share a prefix $s \in \overline{L_1} \cap \overline{L_2}$, there exist a string $s_1 \in L_1$ and a string $s_2 \in L_2$ such that $s \in \overline{s_1} \subseteq \overline{s_2}$.

Example 1. Weakly Nonconflicting is weaker than Nonconflicting. Assume that $L_1 = \{abx, aby\}$ and $L_2 = \{abxy\}$. Then $\overline{L_1} \cap \overline{L_2} = \{\varepsilon, a, ab, abx\} = \overline{L_1 \cap \overline{L_2}}$, thus $L_1$ is $L_2$-weakly nonconflicting. However, $L_1 \cap L_2 = \emptyset$, so that $L_1$ and $L_2$ are conflicting. □

There exists the supremal $L_2$-weakly nonconflicting sublanguage of $L_1$, $\sup WNC(L_1, L_2)$, since $WNC(L_1, L_2)$ is closed under union. However, even though any $L \in PB(L_1, L_2)$ is always $L_2$-weakly nonconflicting, since $L \in PB(L_1, L_2) \Rightarrow L \subseteq \overline{L_2}$, so that $\overline{L} \cap \overline{L_2} = \overline{L \cap \overline{L_2}} = \overline{L}$, the supremal $L_2$-prefix-bounded sublanguage of $L_1$, $\sup PB(L_1, L_2)$, is not necessarily equal to $\sup WNC(L_1, L_2)$.

Example 2. $\sup PB(L_1, L_2)$ may not be equal to $\sup WNC(L_1, L_2)$. With the same languages as in Example 1 we note that $\sup PB(L_1, L_2) = L_1 \cap \overline{L_2} = \{abx\}$, which is smaller than $L_1$. Thus, though $\sup PB(L_1, L_2)$ is $L_2$-weakly nonconflicting, a larger $L_2$-weakly nonconflicting sublanguage of $L_1$ exists, namely $L_1$ itself. Thus $\sup PB(L_1, L_2)$ cannot be $\sup WNC(L_1, L_2)$. □

The following two lemmas are of significance. First, we emphasize the fact that the intersection of an $L_2$-weakly nonconflicting language $L_1$ with $\overline{L_2}$ is controllable whenever $L_1$ and $L_2$ both are controllable.

Lemma 3. For two arbitrary languages $L_1, L_2 \subseteq \Sigma^*$ such that $L_1$ is $L_2$-weakly nonconflicting, the intersection $L_1 \cap \overline{L_2}$ is controllable whenever $L_1$ and $L_2$ both are controllable.

Proof. This follows from the fact that the intersection of two nonconflicting controllable languages is still controllable (see Wonham (1988)), that $L_1$ being $L_2$-weakly nonconflicting means precisely that $L_1$ and $\overline{L_2}$ are nonconflicting, and that $\overline{L_2}$ is controllable if and only if $L_2$ is controllable. □

Next we show that when two languages are weakly nonconflicting with respect to each other, then the respective supremal prefix-bounded sublanguages are themselves prefix-bounded by each other.

Lemma 4. For two languages $L_1$ and $L_2$ it holds (for $i, j = 1, 2$, $i \neq j$) that

$$L_i \in WNC(L_i, L_j) \Rightarrow \sup PB(L_j, L_i) \subseteq \overline{\sup PB(L_i, L_j)}.$$

Proof. We know that $\sup PB(L_2, L_1) = \overline{L_1} \cap L_2$. When $L_1$ is $L_2$-weakly nonconflicting, $\overline{L_1} \cap \overline{L_2} = \overline{L_1 \cap \overline{L_2}}$. Obviously $L_1 \cap \overline{L_2} = \sup PB(L_1, L_2)$. Thus $\sup PB(L_2, L_1) = \overline{L_1} \cap L_2 \subseteq \overline{L_1} \cap \overline{L_2} = \overline{L_1 \cap \overline{L_2}} = \overline{\sup PB(L_1, L_2)}$. Similarly we can show that $\sup PB(L_1, L_2) \subseteq \overline{\sup PB(L_2, L_1)}$ when $L_2$ is $L_1$-weakly nonconflicting. □

It follows from Lemma 3 that when the specification languages are controllable and mutually weakly nonconflicting, their supremal prefix-bounded sublanguages are controllable. Lemma 4 further gives that under the condition of mutual weak nonconflictingness the supremal prefix-bounded sublanguages are themselves mutually prefix-bounded. We can summarize this section in the following theorem.

Theorem 6. Closed Form Formula for $\sup[MNB(K_1, K_2) \cap C(K_1 \cup K_2)]$. For two controllable specification languages $K_1$ and $K_2$ such that $K_i \in WNC(K_i, K_j)$ (for $i, j = 1, 2$), the supremal controllable and mutually nonblocking sublanguage is given by the union of the intersections of one specification language with the prefix-closure of the other. That is,

$$K_i \in WNC(K_i, K_j) \cap C(K_i) \Rightarrow \sup[MNB(K_1, K_2) \cap C(K_1 \cup K_2)] = (K_1 \cap \overline{K_2}) \cup (\overline{K_1} \cap K_2).$$

Proof. By Theorem 4, $K_i \cap \overline{K_j} = \sup PB(K_i, K_j)$. From Lemma 3 we know that these languages are controllable, and from Lemma 4 that they are mutually prefix-bounded. Thus Theorem 5 tells us that $\sup MNB(K_1, K_2) = (K_1 \cap \overline{K_2}) \cup (\overline{K_1} \cap K_2)$, and since this language is controllable (a union of controllable languages is controllable), it equals $\sup[MNB(K_1, K_2) \cap C(K_1 \cup K_2)]$. □
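As an added illustration, not part of the original paper, the following Python code implements the operations of this section for finite languages: prefix-closure, the supremal prefix-bounded sublanguage $\sup PB$, the weakly nonconflicting test of Definition 4, a brute-force $\sup WNC$, the closed-form formula of Theorems 5 and 6, the mutual nonblocking test of Theorem 7, and Ramadge-Wonham controllability against a plant language. It reproduces Examples 1 and 2, shows that on the languages of Example 1 the formula produces a language that is not mutually nonblocking because $L_2$ is not $L_1$-weakly nonconflicting (so Lemma 4 and Theorem 5 do not apply), and then applies the closed form to a second, constructed pair of specifications that does satisfy the hypotheses of Theorem 6. The languages `K1`, `K2`, the plant `PLANT` and the uncontrollable event `d` are assumptions made up for this example; the brute-force `sup_mnb_brute` is an independent check of the formula, not a method from the paper.

```python
"""Finite-language versions of the operations of this section (added example, not the
paper's own code). Strings are Python str; each character is one event."""
from itertools import combinations


def prefix_closure(L):
    """pr(L): every prefix of every string in L, the empty string included; pr(set()) == set()."""
    return {s[:i] for s in L for i in range(len(s) + 1)}


def sup_pb(L1, L2):
    """Supremal L2-prefix-bounded sublanguage of L1 (Theorem 4): L1 ∩ pr(L2)."""
    return set(L1) & prefix_closure(L2)


def is_nonconflicting(L1, L2):
    """Classical nonconflict: pr(L1) ∩ pr(L2) == pr(L1 ∩ L2)."""
    return prefix_closure(L1) & prefix_closure(L2) == prefix_closure(set(L1) & set(L2))


def is_weakly_nonconflicting(L1, L2):
    """Definition 4: L1 is L2-weakly nonconflicting iff pr(L1) ∩ pr(L2) ⊆ pr(L1 ∩ pr(L2)).
    The relation is asymmetric: it is nonconflict of L1 with pr(L2), not with L2."""
    return prefix_closure(L1) & prefix_closure(L2) <= prefix_closure(sup_pb(L1, L2))


def sup_wnc(L1, L2):
    """Supremal L2-weakly nonconflicting sublanguage of L1. WNC(L1, L2) is closed under
    union, so the union of all members is supremal; members are enumerated by brute
    force, which is only practical for small finite languages like the ones used here."""
    words = sorted(L1)
    best = set()
    for r in range(len(words) + 1):
        for cand in combinations(words, r):
            if is_weakly_nonconflicting(set(cand), L2):
                best |= set(cand)
    return best


def mutually_prefix_bounded(A, B):
    """Hypothesis of Theorem 5: A ⊆ pr(B) and B ⊆ pr(A)."""
    return set(A) <= prefix_closure(B) and set(B) <= prefix_closure(A)


def sup_mnb_formula(K1, K2):
    """Closed form of Theorems 5/6: sup PB(K1,K2) ∪ sup PB(K2,K1) = (K1 ∩ pr(K2)) ∪ (pr(K1) ∩ K2).
    It equals sup MNB(K1, K2) only when the two sup PB languages are mutually prefix-bounded."""
    return sup_pb(K1, K2) | sup_pb(K2, K1)


def is_mutually_nonblocking(H, K1, K2):
    """H is mutually nonblocking w.r.t. K1, K2 iff pr(H ∩ K1) == pr(H ∩ K2)
    (the two containments used in the proof of Theorem 7)."""
    return prefix_closure(set(H) & set(K1)) == prefix_closure(set(H) & set(K2))


def is_controllable(K, plant, sigma_uc):
    """Ramadge-Wonham controllability of K w.r.t. a prefix-closed plant language L(G):
    for every s in pr(K) and uncontrollable e, s.e in L(G) implies s.e in pr(K)."""
    pk = prefix_closure(K)
    return all(s + e in pk for s in pk for e in sigma_uc if s + e in plant)


def sup_mnb_brute(K1, K2, plant, sigma_uc):
    """Independent check: union of all controllable, mutually nonblocking H ⊆ K1 ∪ K2.
    Both properties are closed under union, so this union is the supremal element."""
    words = sorted(set(K1) | set(K2))
    best = set()
    for r in range(len(words) + 1):
        for cand in combinations(words, r):
            H = set(cand)
            if is_mutually_nonblocking(H, K1, K2) and is_controllable(H, plant, sigma_uc):
                best |= H
    return best


def theorem6_result(K1, K2, plant, sigma_uc):
    """Check the hypotheses of Theorem 6, then return the closed-form language, or None."""
    hyp = (is_controllable(K1, plant, sigma_uc) and is_controllable(K2, plant, sigma_uc)
           and is_weakly_nonconflicting(K1, K2) and is_weakly_nonconflicting(K2, K1))
    return sup_mnb_formula(K1, K2) if hyp else None


# The languages of Examples 1 and 2.
L1 = {"abx", "aby"}
L2 = {"abxy"}

# Constructed pair (an assumption, not from the paper) satisfying Theorem 6's hypotheses:
# both controllable w.r.t. PLANT with uncontrollable event "d", mutually weakly nonconflicting.
PLANT = prefix_closure({"abcd", "aby", "ax"})
SIGMA_UC = {"d"}
K1 = {"ab", "abcd", "aby"}
K2 = {"abcd", "ax"}

if __name__ == "__main__":
    print("Example 1: weakly nonconflicting:", is_weakly_nonconflicting(L1, L2),
          "nonconflicting:", is_nonconflicting(L1, L2))
    print("Example 2: sup PB =", sup_pb(L1, L2), "sup WNC =", sup_wnc(L1, L2))
    H = sup_mnb_formula(L1, L2)
    print("Formula on Example 1 languages:", H, "mutually nonblocking:",
          is_mutually_nonblocking(H, L1, L2), "true sup MNB:", sup_mnb_brute(L1, L2, prefix_closure(L1 | L2), set()))
    H = theorem6_result(K1, K2, PLANT, SIGMA_UC)
    print("Theorem 6 on K1, K2:", H, "brute force:", sup_mnb_brute(K1, K2, PLANT, SIGMA_UC))
```

The run on the constructed pair drops `aby` (in $K_1$ but not a prefix of $K_2$) and `ax` (in $K_2$ but not a prefix of $K_1$), leaving $\{ab, abcd\}$, which the brute-force search confirms is the supremal controllable mutually nonblocking sublanguage.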

5. Equivalence of Globally and Mutually Nonblocking with Multiply Nonblocking

In this section, we compare our work with the recent works of Thistle (1997) and Chen (1995) on modular supervisory control of conflicting specifications. This has been shown to have applications to feature interaction problems in telecommunication networks. Thistle (1997) argues that the problem of designing supervisors to cope with interacting features motivates an extension of the basic supervisory control problem, in that the supervisor must be nonblocking with respect to a multiplicity of marked specifications, i.e., it must be "multiply nonblocking".

Definition 5. Multiply Nonblocking. Given a plant $G$ and specifications $\{K_i\}_{i \in I}$ for some index set $I$, a supervisor $S$ is said to be $\{K_i\}$-multiply nonblocking whenever it is nonblocking with respect to each specification, that is, when for all $i \in I$

$$L(G/S) \subseteq \overline{L_m(G/S) \cap K_i}.$$

□

A necessary and sufficient condition for the existence of a multiply nonblocking supervisor, and an algorithm to construct such a maximally permissive supervisor, were obtained by Thistle (1997). We show here that the problem of multiply nonblocking supervision is equivalent to the problem of globally and mutually nonblocking supervision. Without loss of generality, we assume that there are two specifications only.

Theorem 7. Nonblocking Equivalences. Given a plant $G$ and two specifications $K_1$ and $K_2$, a supervisor $S$ is multiply nonblocking with $L_m(G/S) \subseteq K_1 \cup K_2$ if and only if $S$ is globally and mutually nonblocking with $L_m(G/S) \subseteq K_1 \cup K_2$.

Proof. ($\Rightarrow$) Since $S$ is multiply nonblocking we have $L(G/S) \subseteq \overline{L_m(G/S) \cap K_i} \subseteq \overline{L_m(G/S)}$, that is, $S$ is globally nonblocking. Next, we also have

$$\overline{L_m(G/S) \cap K_i} \subseteq L(G/S) \subseteq \overline{L_m(G/S) \cap K_j},$$

where the first containment holds because $L_m(G/S) \subseteq L(G/S)$ and $L(G/S)$ is prefix-closed, and the second follows from the hypothesis; this establishes that $S$ is mutually nonblocking.

($\Leftarrow$) By symmetry, it suffices to show that $S$ is nonblocking with respect to $K_1$, that is, that $L(G/S) \subseteq \overline{L_m(G/S) \cap K_1}$. We have the following chain of containments and equalities:

$L(G/S) \subseteq \overline{L_m(G/S)}$ (since $S$ is globally nonblocking)
$= \overline{L_m(G/S) \cap (K_1 \cup K_2)}$ (since $L_m(G/S) \subseteq K_1 \cup K_2$)
$= \overline{(L_m(G/S) \cap K_1) \cup (L_m(G/S) \cap K_2)}$ (since intersection distributes over union)
$= \overline{L_m(G/S) \cap K_1} \cup \overline{L_m(G/S) \cap K_2}$ (since prefix-closure commutes with union)
$= \overline{L_m(G/S) \cap K_1}$ (since $S$ is mutually nonblocking, $\overline{L_m(G/S) \cap K_2} \subseteq \overline{L_m(G/S) \cap K_1}$).

This completes the proof. □

Remark. With the establishment of the equivalence of mutually and globally nonblocking, and multiply nonblocking supervisors, the results obtained in this paper (which include existence conditions for a mutually and globally nonblocking supervisor, the computation techniques for such a maximally permissive supervisor, and a closed-form formula for the resulting controlled behavior) can be directly applied to the setting of multiply nonblocking supervisor design. The results presented in this paper thus provide further insight into the design of multiply nonblocking supervisors. Despite the similarity of the problem studied here and that studied by Thistle (1997) and Chen (1995), the three solution approaches are different. While we have studied the problem of generating a maximally permissive sub-solution contained in the union of the two specifications, the work of Thistle (1997) and Chen (1995) is concerned with generating a super-solution containing the intersection of the two specifications. Also, while Thistle (1997) uses ideas from hierarchical supervisory control, Chen (1995) uses prioritization for obtaining a multiply nonblocking supervisor.

6. Example

As an example, a simplified version of the protocol conversion problem of Kumar (1996) is presented. In a communication system a protocol mismatch occurs when the sending and receiving ends use different protocols. A practical solution to such a protocol mismatch is to introduce a converter between the sending and receiving systems. This converter has to adhere to the service specification, a specification that is defined not on the entire event set but on a subset of it, the external events, typically representing the reception and delivery of data. These are the events by which the higher-level "user" that wants to transmit and receive data interacts with the lower-level "provider" that does the actual transmitting. While the user only interacts via the external events, the provider evolves on both external and internal events. The protocol conversion system must satisfy a certain progress property, which requires that external events are not blocked by the communication system whenever they are not blocked in the service specification. In Figure 1, $G$ represents the plant, an abstract model of the mismatched protocols and the transmission channel. The specification languages $K_1$ and $K_2$ are shown in their automata representations. These are derived from a suitably refined version of the service specification (see Kumar (1996)) by synchronization with $G$. The external events are $acc$ and $del$. $K_1$ represents that $acc$ is never blocked, while $K_2$ represents that $del$ is never blocked. For the progress property to hold, the conversion system needs to be both globally and mutually nonblocking. We can immediately note that $\overline{K_1} = \overline{K_2}$, since the automata for the respective languages are isomorphic up to the marking of the states. Since the specification languages are prefix-bounded by each other, they are mutually weakly nonconflicting. $G$ is unmarked and both specifications are sublanguages of $L_m(G) = L(G)$.

[Figure 1: automata for the plant G and the two specifications K1 and K2, over the events acc, del, a and b; the drawing itself is not reproduced here.]

Figure 1. An unmarked plant G and two marked specifications represented as automata. The black dots signify initial states, and the double circles represent marked states.

Let us assume that the $a$ and $b$ events are controllable and all other events are uncontrollable. Specifically, the external events are uncontrollable, see Kumar (1996). Then both specification languages are uncontrollable, since after the trace $acc.a$ the plant can generate a new uncontrollable $acc$ event, but the specifications cannot follow. Thus, the supremal controllable sublanguages of the specifications consist of only the right-hand halves of the automata in Figure 1. Of course, these are again prefix-bounded by each other. Since they are mutually prefix-bounded, $\sup PB(K_i, K_j) = K_i \cap \overline{K_j} = K_i$ (with $K_i$ now denoting the supremal controllable sublanguages), and thus the supremal prefix-bounded languages are also mutually prefix-bounded. Then $\sup MNB(K_1, K_2)$ is the union of the supremal prefix-bounded languages, and this language is controllable (Theorem 6). The supervisor, then, is the single automaton shown in Figure 2. Note that the states marked by either language are also marked in the supervisor. The supervisor of Figure 2 is also a model of the closed-loop system, and it is easily verified that the mutual nonblocking property is satisfied under its supervision.

Figure 2. The resulting supervisor for the plant and specification languages of Figure 1. The marked states of both languages have been marked in the supervisor.

7. Conclusions

We have described an extension to modular supervisory control theory where, given two specification languages, the supervisor achieves as large a part of their union as possible, thus extending the conventional formulation, which achieves as large a part of their intersection as possible. The extension guarantees the additional requirement that enforcing one specification language does not block the other. That is, the supervisor is mutually nonblocking with respect to both specification languages. Hence, a sort of "fairness" is required and enforced. This finds its application in the control of several interesting discrete event systems, such as manufacturing, communication protocols and feature interaction in telephony systems. We have shown that a complete, globally and mutually nonblocking supervisor constraining the plant within the union of the specification languages exists if and only if there exists a controllable mutually nonblocking sublanguage of the union of the specifications. There exists a unique supremal such language. We have also shown how this supremal language can be calculated in a modular fashion, by expressing it as the union of the supremal prefix-bounded sublanguages of the respective specifications. This is possible under the condition that the specification languages are mutually weakly nonconflicting, that is, each language is nonconflicting with respect to the prefix-closure of the other. Further research includes studying the case when the specification languages are conflicting with respect to the prefix-closure of each other. Chen (1991) presents algorithms for calculating the supremal nonconflicting sublanguage of a given language with respect to a fixed language, and also for finding this language under the condition that it be controllable with respect to a third language, the plant language. This does not seem to be directly applicable to our problem, since in our case neither of the languages can be considered fixed with respect to the other. However, the algorithms may be extended to handle the problem of finding the supremal nonconflicting sublanguage, not with respect to a fixed language but with respect to the prefix-closure of the other specification language. We will also look into the problem of minimally relaxing the specifications, that is, calculating the smallest super-language (if one exists) of each specification such that it is prefix-bounded by the other, while still guaranteeing the existence of a supervisor that is mutually nonblocking with respect to each specification. The case where the supervisor must be unmarked also needs to be investigated.

8. Acknowledgments

A preliminary version of this paper was presented at the 36th IEEE Conference on Decision and Control (Fabian (1997)). This work received financial support from the Swedish National Board for Industrial and Technical Development (NUTEK) under grant 9304792-5. This work was also supported by the National Science Foundation Grant NSF ECS-9709796.

References

Chen (1991). Chen, E. and S. Lafortune, On Nonconflicting Languages that Arise in Supervisory Control of Discrete Event Systems, Systems & Control Letters 17, 105-113, 1991.
Chen (1995). Chen, Y.-L. and S. Lafortune, Modular Supervisory Control with Priorities for Discrete Event Systems, 34th IEEE Conference on Decision and Control, New Orleans, LA, USA, December 1995.
Chen (1996). Chen, Y.-L., S. Lafortune and F. Lin, Design of Nonblocking Modular Supervisors Using Event Priority Functions, submitted to IEEE Trans. on Automatic Control, April 1996.
Fabian (1995). Fabian, M., On Object Oriented Non-deterministic Supervisory Control, Technical Report No. 282, Ph.D. Thesis, Control Eng. Lab, Chalmers, Dec. 1995.
Fabian (1997). Fabian, M. and R. Kumar, Mutually Nonblocking Supervisory Control of Discrete Event Systems, 36th IEEE Conference on Decision and Control, CDC'97, San Diego, CA, USA, December 1997.
Hoare (1985). Hoare, C. A. R., Communicating Sequential Processes, Prentice-Hall International Series in Computer Science, 1985.
Hopcroft (1979). Hopcroft, J. E. and J. D. Ullman, Introduction to Automata Theory, Languages and Computation, Addison-Wesley Series in Computer Science, 1979.
Kumar (1991). Kumar, R., V. Garg and S. I. Marcus, On Controllability and Normality of Discrete Event Dynamical Systems, Systems & Control Letters 17, 157-168, 1991.
Kumar (1996). Kumar, R., S. Nelvagal and S. I. Marcus, A Discrete Event Systems Approach for Protocol Conversion, Discrete Event Dynamical Systems: Theory and Applications, Vol. 7, No. 3, 295-315, 1996.
Kumar (1997). Kumar, R. and M. Fabian, On Supervisory Control of Partial Specification arising in Protocol Conversion, 35th Allerton Conference on Communication, Control and Computing, 543-552, Urbana-Champaign, Illinois, 1997.
Ramadge (1987). Ramadge, P. J. and W. M. Wonham, Supervisory Control of a Class of Discrete Event Processes, SIAM Journal of Control and Optimization, Vol. 25, No. 1, 206-230, 1987.
Takai (1996). Takai, S., A. Takae and S. Kodama, The Extremal Languages in Supervisory Control of Discrete Event Systems with Service Specifications, 35th CDC, Kobe, Japan, December 1996.
Thistle (1997). Thistle, J. G., R. P. Malhamé, H.-H. Hoang and S. Lafortune, Supervisory Control of Distributed Systems Part I: Modelling, Specification and Synthesis, Internal report, Dépt. de génie électrique et de génie informatique, École Polytechnique de Montréal, Canada, 1997.
Wong (1996a). Wong, K. C., J. G. Thistle, H.-H. Hoang and R. P. Malhamé, Conflict Resolution in Modular Control with Applications to Feature Interaction, 34th CDC, New Orleans, LA, USA, December 1996.
Wong (1996b). Wong, K. C. and W. M. Wonham, Hierarchical Control of Discrete Event Systems, Discrete Event Dynamical Systems: Theory and Applications, Vol. 6, 241-273, 1996.
Wonham (1987). Wonham, W. M. and P. J. Ramadge, On the Supremal Controllable Sublanguage of a Given Language, SIAM Journal of Control and Optimization, Vol. 25, No. 3, 637-659, 1987.
Wonham (1988). Wonham, W. M. and P. J. Ramadge, Modular Supervisory Control of Discrete Event Systems, Mathematics of Control, Signals and Systems, 1:13-30, 1988.
Zhong (1990). Zhong, H. and W. M. Wonham, On the Consistency of Hierarchical Supervision in Discrete Event Systems, IEEE Trans. on Automatic Control, Vol. 35, No. 10, 1125-1134, October 1990.
