Process Theory for Supervisory Control with Partial Observation of Events and States

Jasen Markovski

Abstract— We present a process theory that can specify supervisory control feedback loops comprising nondeterministic plants and supervisors with event- and state-based observations. To specify state-based observations we employ the notion of propositional root signal emission and observation: states of the plant 'emit' propositional signals, which the supervisor observes by means of synchronizing events guarded by those signals, thus enforcing supervision by state-based observations. We revisit the notion of partial observation of events and states, which expresses that the supervisor cannot distinguish between traces containing the same observable but different unobservable events, or between the states of a given set of signals. Existence of a supervisor in such a setting is characterized by the notion of partial observability, which imposes conditions on the plant and on the desired behavior. We give an alternative characterization in terms of the observational power of the supervisor by structurally restricting the form of the supervisor, and we show that both notions coincide in the deterministic setting.

I. INTRODUCTION

Control software development is quickly becoming one of the bottlenecks in the development of complex high-tech machines [1]. Traditionally, software engineers iteratively write control software based on informal specification documents, which are often ambiguous and change constantly during product development. This makes for a time-consuming and expensive development process, which gave rise to supervisory control theory of discrete-event systems [2], [3]. Supervisory control theory deals with the automatic synthesis of (discrete-event models of) supervisory control software that coordinates high-level system behavior, based on models of the uncontrolled system and of the control requirements. Supervisory controllers observe the behavior of the machine by receiving sensor signals from ongoing activities. Based upon these signals they decide which activities are allowed to be carried out and send control signals back to the hardware actuators. Under the assumption that a supervisory controller can react sufficiently fast to machine input, one can model this supervisory control feedback loop as a pair of synchronizing processes [2], [3]. The model of the machine, referred to as the plant, is restricted by the model of the controller, referred to as the supervisor. The control loop can rely on event-based observations [2], [3] or state-based observations [4], [5]. In the former situation the supervisory controller reconstructs the state of the machine from the history of observed activities. In the latter case, the supervisor receives direct information regarding the state of the machine, which is usually provided by the machine itself or reconstructed by using so-called observers [4]. In both cases, once the state of the machine is determined, the supervisory controller sends back control signals regarding the allowed activity in order to provide correct control feedback.

J. Markovski is with the Department of Mechanical Engineering, Eindhoven University of Technology, The Netherlands, [email protected]. Supported by Dutch NWO project ProThOS, no. 600.065.120.11N124.

The activities of the machine are modeled as discrete events, and the plant is modeled as a set of (observable) traces of events and states. Typically, it is given as a set of synchronizing processes whose jointly recognized language corresponds to the observed traces. The events are split into controllable events, which model interaction with the actuators of the machine, and uncontrollable events, which model observations of sensors. Therefore, the supervisor can disable controllable events by not synchronizing with them, but it must always enable available uncontrollable events by always synchronizing with them. Moreover, the coupling of the plant and the supervisor, referred to as the supervised plant, must also satisfy the control requirements, which model the safe or allowed behavior of the machine. The conditions that ensure the existence of a supervisor are referred to as controllability conditions [2], [3]. In addition to controllability, the supervisor is often required to be nonblocking, i.e., to prevent deadlock and livelock behavior. The latter is ensured by requiring that given final or marked states are always reachable, which models that the machine can successfully terminate its execution. Another fundamental extension of the theory is the introduction of partial observation [6], [3], i.e., the assumption that not all events or states of the plant are observable, which models a lack of sensors or a limited power of the observer.
The existence of the supervisor in this case is additionally conditioned on the property of partial observability, which ascertains that if the supervisor cannot distinguish between the observable parts of two sequences of events, or between two states, then they should require the same control action. In a way, partial observation introduces nondeterminism into supervisory control theory. Note that nondeterministic automata are not disallowed in [2], but the semantics is still given in terms of accepted languages. Nondeterminism naturally occurs in systems with multiple parallel components, and it enables abstract (under)specifications and greater modeling convenience [7]. However, it introduces complications, as controllability is originally a language-based property. In general, the supervisor is desired to be deterministic, as it should send unambiguous control signals and dutifully follow the state of the plant. Exceptions under strong structural restrictions are considered in [8]. In case the plant or the control requirements are nondeterministic processes, controllability has to be extended. A trace-based notion called state controllability is typically coupled with automata- and language-based frameworks [8], [9], [10]. Refinement relations based on failure, simulation, or bisimulation semantics that characterize nondeterministic supervised behavior are proposed in [11], [12], [9] as an accompanying condition to (state) controllability. Unfortunately, the proposed frameworks suffer from compositionality issues, as state controllability is not a preorder [8], [13]. To this end, a process-theoretic treatment of controllability of nondeterministic systems was proposed in [13]. The underlying behavioral relation that captures the notion of controllability is referred to as partial bisimulation, originally introduced as a coalgebraic characterization of controllability of languages [14]. The relation states that controllable events need only be simulated, whereas uncontrollable events must be bisimulated, thus preserving the branching structure of the plant with respect to uncontrollable events. Unlike the elegant characterization of controllability, the introduction of partial observability in a (co)algebraic setting [15] proved to be challenging, as it is given as a global property depending on the traces exhibited by the plant and on the desired behavior of the system. On the other hand, partial observation restricts the observational power of the supervisor without considering the behavior of the desired supervised system. Therefore, we revisit this notion and offer an alternative characterization by structurally restricting the form of the supervisor. To this end, we extend the process theory of [13] with propositional signals [7] in order to handle supervisory control loops with state-based observations and partial observation of events and states. States that 'emit' propositional signals can be identified by employing transitions that are guarded by an accepting propositional condition.
For the given setting, we formalize the notion of supervisors with partial observation of events and of states, respectively, and relate it to previous work.

II. PROCESS THEORY $\mathrm{BSP}^{RSE}_{|}$

To model the supervisory control loop with event- and state-based observations, we extend the process theory $\mathrm{BSP}_{|}$ of [13] with signal emission [7], thus obtaining $\mathrm{BSP}^{RSE}_{|}$. The result is a process theory encompassing successful termination, guarded recursive specifications, propositional signals that identify states, guarded commands that condition transitions on the emitted signals, and synchronization that models the coupling in the feedback control loop. We note that due to page limitations we do not introduce the full set of operators, but only the ones that are necessary for specifying the supervisory control loop. Other operators can easily be added following the guidelines of [7], [16].

To introduce the propositional signals, we employ the Boolean algebra $\mathcal{B} = (H, \mathsf{F}, \mathsf{T}, \neg, \wedge, \vee, \Rightarrow)$, where $H$ is a set of propositional symbols, the constants $\mathsf{F}$ and $\mathsf{T}$ represent false and true, and the operators denote negation, conjunction, disjunction, and implication, respectively. We use $B$ to denote the set of standard Boolean expressions, which are evaluated with respect to a given valuation $v : B \to \{\mathsf{F}, \mathsf{T}\}$. The set of valuations is denoted by $V$. By $A$ we denote the set of actions. The process terms $\mathcal{P}$ are induced by the grammar

$$P ::= 0 \mid 1 \mid \bot \mid \mu X.E \mid a.P \mid \phi :\to P \mid \phi\,{}^{\wedge}\, P \mid P + P \mid P \,|\, P,$$

where $a \in A$, $\phi \in B$, and $\mu X.E$ denotes the solution of the guarded recursive specification $E$ for the recursive variable $X$. Guarded recursive equations always prefix recursive variables with actions and guarantee unique solutions [7], [17]. The set of guarded recursive specifications is denoted by $\mathcal{E}$ and the set of recursive variables by $\mathcal{R}$; the set of recursive variables employed in $E$ is $\mathcal{R}(E)$. A recursive specification $E \in \mathcal{E}$ is defined as $E \triangleq \{X = g \mid X \in \mathcal{R}(E),\ g \in \mathcal{G}\}$, where the guarded terms $\mathcal{G}$ are induced by

$$U ::= X \mid U + U \qquad\qquad G ::= 0 \mid 1 \mid \bot \mid a.U \mid a.G \mid \phi :\to G \mid \phi\,{}^{\wedge}\, G \mid G + G,$$

for $a \in A$, $\phi \in B$, and $X \in \mathcal{R}$.

Each process $p \in \mathcal{P}$ is coupled with a valuation of the propositional symbols, which is used to determine the consistency of the emitted signals and to evaluate the guards; we write $\langle p, v\rangle \in \mathcal{P} \times V$. The dynamics of the valuations with respect to outgoing labeled transitions is captured by a predefined valuation effect function $\mathit{eff} : A \times V \to 2^{V}$ [7]. The theory has three constants: $0$ denotes deadlock, which cannot execute any action; $1$ denotes the option to successfully terminate; and $\bot$ specifies the (unreachable) process in which the emitted propositional signals are inconsistent with the valuation. The action-prefixed process $a.p$ executes the action $a$ and continues behaving as $p$. The guarded command $\phi :\to p$ specifies a guard $\phi \in B$ that guards the process $p \in \mathcal{P}$: if the guard evaluates to true, the process continues behaving as $p$, otherwise it deadlocks. The root signal emission $\phi\,{}^{\wedge}\, p$ emits the propositional signal $\phi \in B$ until the process $p \in \mathcal{P}$ takes an outgoing transition, provided that the signal is consistent with the valuation. The alternative composition $p + q$ makes a nondeterministic choice by executing an action of $p$ or of $q$ and continues to behave as the remainder of the chosen process. The synchronous parallel composition $p \,|\, q$ synchronizes all actions of $p$ and $q$; if no actions can be synchronized, it deadlocks.

We give semantics in terms of labeled transition systems coupled with a valuation [7]. The states of the labeled transition system are labeled by the process terms themselves, and the dynamics of a process is given by a consistency predicate $\mathsf{cons} \subseteq \mathcal{P} \times V$, which checks whether the state is consistent in the given valuation, a successful termination predicate $\downarrow \subseteq \mathcal{P} \times V$, and an action transition relation $\to \subseteq \mathcal{P} \times V \times A \times \mathcal{P} \times V$. We write $\langle p, v\rangle\,\mathsf{cons}$ for $\langle p, v\rangle \in \mathsf{cons}$, $\langle p, v\rangle\downarrow$ for $\langle p, v\rangle \in \downarrow$, and $\langle p, v\rangle \xrightarrow{a} \langle p', v'\rangle$ for $(\langle p, v\rangle, a, \langle p', v'\rangle) \in \to$. We define $\mathsf{cons}$, $\downarrow$, and $\to$ using structural operational semantics [7], by the operational rules in Fig. 1. Rules 1, 2, and 4 state that the deadlock constant, the termination constant, and the action prefix are always consistent, as they do not emit propositional signals. Rule 3 states that the

$$(1)\ \frac{}{\langle 0, v\rangle\,\mathsf{cons}} \qquad (2)\ \frac{}{\langle 1, v\rangle\,\mathsf{cons}} \qquad (3)\ \frac{}{\langle 1, v\rangle\downarrow} \qquad (4)\ \frac{}{\langle a.p, v\rangle\,\mathsf{cons}} \qquad (5)\ \frac{\langle p, v'\rangle\,\mathsf{cons},\ v' \in \mathit{eff}(a, v)}{\langle a.p, v\rangle \xrightarrow{a} \langle p, v'\rangle}$$

$$(6)\ \frac{\langle p, v\rangle\,\mathsf{cons},\ \langle q, v\rangle\,\mathsf{cons}}{\langle p + q, v\rangle\,\mathsf{cons}} \qquad (7)\ \frac{\langle p, v\rangle\,\mathsf{cons},\ \langle q, v\rangle\downarrow}{\langle p + q, v\rangle\downarrow} \qquad (8)\ \frac{\langle p, v\rangle\downarrow,\ \langle q, v\rangle\,\mathsf{cons}}{\langle p + q, v\rangle\downarrow}$$

$$(9)\ \frac{\langle p, v\rangle \xrightarrow{a} \langle p', v'\rangle,\ \langle q, v\rangle\,\mathsf{cons}}{\langle p + q, v\rangle \xrightarrow{a} \langle p', v'\rangle} \qquad (10)\ \frac{\langle p, v\rangle\,\mathsf{cons},\ \langle q, v\rangle \xrightarrow{a} \langle q', v'\rangle}{\langle p + q, v\rangle \xrightarrow{a} \langle q', v'\rangle}$$

$$(11)\ \frac{\langle p, v\rangle\,\mathsf{cons},\ \langle q, v\rangle\,\mathsf{cons}}{\langle p \,|\, q, v\rangle\,\mathsf{cons}} \qquad (12)\ \frac{\langle p, v\rangle\downarrow,\ \langle q, v\rangle\downarrow}{\langle p \,|\, q, v\rangle\downarrow} \qquad (13)\ \frac{\langle p, v\rangle \xrightarrow{a} \langle p', v'\rangle,\ \langle q, v\rangle \xrightarrow{a} \langle q', v'\rangle}{\langle p \,|\, q, v\rangle \xrightarrow{a} \langle p' \,|\, q', v'\rangle}$$

$$(14)\ \frac{v(\phi) = \mathsf{F}}{\langle \phi :\to p, v\rangle\,\mathsf{cons}} \qquad (15)\ \frac{\langle p, v\rangle\,\mathsf{cons},\ v(\phi) = \mathsf{T}}{\langle \phi :\to p, v\rangle\,\mathsf{cons}} \qquad (16)\ \frac{\langle p, v\rangle\downarrow,\ v(\phi) = \mathsf{T}}{\langle \phi :\to p, v\rangle\downarrow} \qquad (17)\ \frac{\langle p, v\rangle \xrightarrow{a} \langle p', v'\rangle,\ v(\phi) = \mathsf{T}}{\langle \phi :\to p, v\rangle \xrightarrow{a} \langle p', v'\rangle}$$

$$(18)\ \frac{\langle p, v\rangle\,\mathsf{cons},\ v(\phi) = \mathsf{T}}{\langle \phi\,{}^{\wedge}\, p, v\rangle\,\mathsf{cons}} \qquad (19)\ \frac{\langle p, v\rangle\downarrow,\ v(\phi) = \mathsf{T}}{\langle \phi\,{}^{\wedge}\, p, v\rangle\downarrow} \qquad (20)\ \frac{\langle p, v\rangle \xrightarrow{a} \langle p', v'\rangle,\ v(\phi) = \mathsf{T}}{\langle \phi\,{}^{\wedge}\, p, v\rangle \xrightarrow{a} \langle p', v'\rangle}$$

$$(21)\ \frac{\langle \mu p.E, v\rangle\,\mathsf{cons},\ X = p \in E}{\langle \mu X.E, v\rangle\,\mathsf{cons}} \qquad (22)\ \frac{\langle \mu p.E, v\rangle\downarrow,\ X = p \in E}{\langle \mu X.E, v\rangle\downarrow} \qquad (23)\ \frac{\langle \mu p.E, v\rangle \xrightarrow{a} \langle p', v'\rangle,\ X = p \in E}{\langle \mu X.E, v\rangle \xrightarrow{a} \langle p', v'\rangle}$$

Fig. 1. Operational rules (premises above the line, conclusion below; $\langle p, v\rangle\,\mathsf{cons}$ denotes consistency, $\langle p, v\rangle\downarrow$ the successful termination option).

termination constant has the option to successfully terminate. Rule 5 states that the action prefix enables action transitions provided that the target is consistent and the target valuation respects the effect function. Rule 6 states that the alternative composition is consistent if both of its summands are. The alternative composition can successfully terminate if one of the summands successfully terminates while the other is consistent with respect to the valuation, as given by rules 7 and 8. Similarly, action transitions are possible if one of the summands can perform them while the other is consistent, as given by rules 9 and 10. Rule 11 states that the synchronization is consistent if both synchronizing processes are, whereas rule 12 states that it can successfully terminate only if both components do so. Action transitions are possible only if both processes can synchronize on the same action, as given by rule 13. The guarded command is consistent whenever the guard evaluates to false, in which case the process deadlocks; if the guard evaluates to true, then the guarded process is accessible and must itself be consistent, as given by rules 14 and 15, respectively. If the guard evaluates to true, then the guarded command can successfully terminate or execute an action provided that the guarded process does so, as given by rules 16 and 17, respectively. The root signal emission process is consistent only if the emitted signal is in accordance with the valuation, as given by rule 18. Rules 19 and 20 enable successful termination and action transitions, respectively, provided that the emitted signal is consistent. Rules 21–23 express that solutions for given recursive variables in guarded recursive specifications behave as the defining term of the variable. The extended syntax $\mu p.E$ for $p \in \mathcal{P}$ and $E \in \mathcal{E}$ is introduced for convenience and is defined in Fig. 2. It states that the structure of the defining process term determines the behavior of the recursive variable, as for other process terms.

$$\mu x.E = x \quad \text{for } x \in \{0, 1, \bot\}$$
$$\mu (\mu X.E).E = \mu X.E \quad \text{for } X \in \mathcal{R}$$
$$\mu (a.p).E = a.\mu p.E \quad \text{for } a \in A$$
$$\mu (p + q).E = \mu p.E + \mu q.E \quad \text{for } p, q \in \mathcal{P}$$
$$\mu (\phi :\to p).E = \phi :\to \mu p.E \quad \text{for } \phi \in B,\ p \in \mathcal{P}$$
$$\mu (\phi\,{}^{\wedge}\, p).E = \phi\,{}^{\wedge}\, \mu p.E \quad \text{for } \phi \in B,\ p \in \mathcal{P}$$

Fig. 2. Definition of $\mu p.E$ by structural induction.

The underlying behavioral relation that we employ is an extension of partial bisimulation [13] that can handle the valuations. Here, we directly employ the approach of [17], [7], where this extension is shown for bisimulation.

Definition 1: We consider a relation $R \subseteq \mathcal{P} \times \mathcal{P}$ to be a partial bisimulation with respect to a bisimulation action set $B \subseteq A$, if for all $(p, q) \in R$ and $v \in V$ it holds that:
1) $\langle p, v\rangle\downarrow$ if and only if $\langle q, v\rangle\downarrow$;
2) if $\langle p, v\rangle \xrightarrow{a} \langle p', v'\rangle$ for $a \in A$, then there exists $q' \in \mathcal{P}$ such that $\langle q, v\rangle \xrightarrow{a} \langle q', v'\rangle$ and $(p', q') \in R$;
3) if $\langle q, v\rangle \xrightarrow{b} \langle q', v'\rangle$ for $b \in B$, then there exists $p' \in \mathcal{P}$ such that $\langle p, v\rangle \xrightarrow{b} \langle p', v'\rangle$ and $(p', q') \in R$.

If $R$ is a partial bisimulation relation such that $(p, q) \in R$, then $p$ is partially bisimilar to $q$ with respect to $B$ and we write $p \leq_B q$. If $q \leq_B p$ holds as well, we write $p \leftrightarrow_B q$. It is not difficult to show that partial bisimilarity is a preorder on the process terms in $\mathcal{P}$ [17], [13]. Moreover, it can be shown to be a precongruence for the operators of $\mathrm{BSP}^{RSE}_{|}$ following the guidelines of [16], [7].

Theorem 1: Partial bisimilarity is a precongruence for the operators of $\mathrm{BSP}^{RSE}_{|}$.

Moreover, $p \leq_A q$ amounts to bisimulation [13], whereas $p \leq_\emptyset q$ represents simulation [13]. Also, we have the following property [13], which defines the spectrum of behavioral relations between simulation and bisimulation.

Theorem 2: If $p \leq_D q$, then $p \leq_C q$ for every $C \subseteq D \subseteq A$.

We define the standard term model [7] for the process theory $\mathrm{BSP}^{RSE}_{|}(A, \mathcal{R}, \mathcal{E}, B)$ as the core algebra modulo partial bisimilarity with respect to $B$.

Definition 2: The term model of $\mathrm{BSP}^{RSE}_{|}(A, \mathcal{R}, \mathcal{E}, B)$ is given by $\mathbb{P} = (\mathcal{P}/{\leftrightarrow_B},\ 0,\ 1,\ \bot,\ \mu X.E,\ a.(\cdot),\ +,\ \phi :\to (\cdot),\ \phi\,{}^{\wedge}\,(\cdot),\ |)$, where $a \in A$, $X \in \mathcal{R}$, $E \in \mathcal{E}$, $\phi \in B$, and $B \subseteq A$.

$$(24)\ \frac{\langle p, v\rangle\,\mathsf{cons}}{\langle \pi_{det}(p), v\rangle\,\mathsf{cons}} \qquad (25)\ \frac{\langle p, v\rangle\downarrow}{\langle \pi_{det}(p), v\rangle\downarrow}$$
$$(26)\ \frac{D = \{\langle q, w\rangle \mid \langle p, v\rangle \xrightarrow{a} \langle q, w\rangle\},\ D \neq \emptyset,\ \big\langle \sum_{\langle q, w\rangle \in D} q,\ \bigvee_{\langle q, w\rangle \in D} w\big\rangle\,\mathsf{cons}}{\langle \pi_{det}(p), v\rangle \xrightarrow{a} \big\langle \pi_{det}\big(\sum_{\langle q, w\rangle \in D} q\big),\ \bigvee_{\langle q, w\rangle \in D} w\big\rangle}$$

Fig. 3. Deterministic projection of a process.

$$(27)\ \frac{\langle p, v\rangle \models \neg\phi \Rightarrow \overset{a}{\nrightarrow}}{\langle p, v\rangle \models\ \xrightarrow{a}\ \Rightarrow \phi} \qquad (28)\ \frac{v(\phi) = \mathsf{F}}{\langle p, v\rangle \models \phi \Rightarrow \overset{a}{\nrightarrow}}$$
$$(29)\ \frac{\{\langle p', v'\rangle \mid \langle p, v\rangle \xrightarrow{a} \langle p', v'\rangle\} = \emptyset}{\langle p, v\rangle \models \phi \Rightarrow \overset{a}{\nrightarrow}} \qquad (30)\ \frac{v(\phi) = \mathsf{T}}{\langle p, v\rangle \models \phi}$$

Fig. 4. Satisfiability of state-based control requirements.

The operational rules of Fig. 1 indicate that each process can be represented by a so-called normal form [7], given by a guarded recursive specification comprising root emission, guarded commands, action prefix, alternative composition, and successful termination. Thus, for all $p \in \mathcal{P}$ we have that $p \leftrightarrow_A \mu X.E$ for some $X \in \mathcal{R}$ and $E \in \mathcal{E}$, where the recursive equations have the form [17], [7]

$$Y = \phi\,{}^{\wedge}\, \Big(\sum_{i \in I} \psi_i :\to a_i.Y_i\ [\,+\,1\,]\Big), \tag{1}$$

where $\phi, \psi_i \in B$, $a_i \in A$, and $Y_i \in \mathcal{R}(E)$; $\sum_{i \in I} p_i$ denotes the alternative composition of the $p_i \in \mathcal{G}$ if $I \neq \emptyset$, or $0$ otherwise, and $[\,+\,1\,]$ denotes that the summand $1$ is optional. We note that additional operators like interleaving parallel composition or encapsulation can easily be introduced in the theory, and they are also reducible to the normal form (1).

To relate to language-based notions of controllability and partial observability, we define a trace transition relation $\langle p, v\rangle \xrightarrow{t}{}^{*} \langle q, w\rangle$ for $t = a_1 \ldots a_n \in A^*$: for $n = 0$ we have the empty trace $t = \varepsilon$ with $\langle p, v\rangle \xrightarrow{\varepsilon}{}^{*} \langle p, v\rangle$, whereas for $n > 0$ we have $\langle p, v\rangle \xrightarrow{a_1} \langle p_1, v_1\rangle \xrightarrow{a_2} \langle p_2, v_2\rangle \xrightarrow{a_3} \cdots \xrightarrow{a_n} \langle q, w\rangle$ for some $p_1, \ldots, p_{n-1} \in \mathcal{P}$ and $v_1, \ldots, v_{n-1} \in V$. The prefix-closed language [2] generated by $p$ is $L(p) = \{t \in A^* \mid \langle p, v\rangle \xrightarrow{t}{}^{*} \langle q, w\rangle \text{ for some } q \in \mathcal{P},\ v, w \in V\}$.

III. SUPERVISION WITH PARTIAL OBSERVATION

We distinguish between two sets of controllable $C$ and uncontrollable $U$ actions such that $C \cap U = \emptyset$ and $C \cup U = A$. We note that marked states are modeled by adding a successful termination option to the state. To model the plant we take any process $p \in \mathcal{P}$. We require the supervisor to be a deterministic process [13], which sends feedback to the plant in terms of synchronizing controllable events. To this end, we define the deterministic projection $\pi_{det}$ of a process using the operational rules depicted in Fig. 3. Rules 24 and 25 state that the deterministic projection of a process is consistent and has a termination option, respectively, only if the original does. Rule 26 states that the deterministic version of the process ends up in the alternative composition of all possible targets of an action transition, provided that the disjunction of all target valuations is consistent.

Definition 3: A process $q = \mu X.E$ is deterministic if $\langle q \,|\, \pi_{det}(q), v\rangle \leftrightarrow_A \langle q, v\rangle$ for every $v \in V$ such that $\langle q, v\rangle\,\mathsf{cons}$.

Definition 3 states that, for deterministic processes, the nondeterministic choices on the same action are indistinguishable with respect to bisimilarity. Note that the deterministic projection may not comprise all traces in case some target states are inconsistent, e.g., when two states reachable by the same action transition require that the same propositional signal is enabled and disabled, respectively. We require bisimilarity, as bisimilar terms are also partially bisimilar by Theorem 2. For a specific setting with bisimulation action set $B \subseteq A$, one can replace $\leftrightarrow_A$ with $\leftrightarrow_B$.

Now, we specify the supervised plant as $p \,|\, s$. To ensure that no uncontrollable events are disabled by the supervisor, we employ partial bisimilarity and require that [13]

$$p \,|\, s \leq_U p. \tag{2}$$

In the deterministic setting, language-based controllability, $L(p \,|\, s)\,U \cap L(p) \subseteq L(p \,|\, s)$ [2], [3], is implied by (2) [14]. In the setting of this paper, we consider state-based control requirements, which are stated in terms of the emitted signals and may additionally specify which events are allowed with respect to the emitted signals. For a setting with event-based control requirements we refer the interested reader to [13]. The state-based control requirements, denoted by the set $\mathcal{S}$, have the syntax induced by

$$S ::= \ \xrightarrow{a}\ \Rightarrow \phi \ \mid\ \phi \Rightarrow \overset{a}{\nrightarrow} \ \mid\ \phi,$$

for $a \in A$ and $\phi \in B$. A given control requirement $r \in \mathcal{S}$ is satisfied with respect to a process $p \in \mathcal{P}$ in the (consistent) valuation $v \in V$, notation $\langle p, v\rangle \models r$, according to the operational rules depicted in Fig. 4. The first form of control requirement is introduced for modeling convenience, as it is a frequently occurring case [18]; it is equivalent to the second form, as given by rule 27. Rule 28 states that if the state does not emit the conditional signal, then the requirement is trivially satisfied. Rule 29 states that a state-transition exclusion requirement [19] is satisfied if no transition with the excluded label is possible. Rule 30 states that a state-exclusion requirement [19] restricts the emitted signals, thus disabling unsafe or forbidden states, and must be upheld in every state. To ensure that the requirements are satisfied in every reachable state, we extend $\models$ to $\models^*$, where $p \models^* r$ if $\langle q, w\rangle \models r$ for every $q \in \mathcal{P}$ such that $\langle p, v\rangle\,\mathsf{cons}$ and $\langle p, v\rangle \xrightarrow{t}{}^{*} \langle q, w\rangle$ for $v, w \in V$ and $t \in A^*$. To ensure that the supervised plant respects the state-based control requirements, given by $\mathcal{C} \subset \mathcal{S}$, we require that

$$\langle p \,|\, s, v\rangle \models^* \bigwedge_{r \in \mathcal{C}} r \quad \text{for } v \in V \text{ with } \langle p \,|\, s, v\rangle\,\mathsf{cons}. \tag{3}$$

Next, we turn to partial observation. To this end, the action set is split into a set of observable $O$ and a set of unobservable $N$ actions. Occurrences of unobservable actions cannot be detected by the supervisor, but if these actions are controllable, i.e., $C \cap N \neq \emptyset$, the supervisor can still enable or disable them. Partial observability ascertains that if the supervisor cannot distinguish between the observable parts of two event traces, then they should require the same control action. We noted that even though partial observation makes a statement regarding the observational power of the supervisor, its language-based definition deals with the languages of the plant and of the desired behavior. Let $\pi_{obs} : A^* \to O^*$ be the natural projection that eliminates unobservable actions from traces. Then, the language of the desired behavior $q \in \mathcal{P}$ is said to be observable with respect to the language of the plant $p$ if for all $t \in L(q)$ and $c \in C$ it holds that if $tc \notin L(q)$ and $tc \in L(p)$, then $\pi_{obs}^{-1}(\pi_{obs}(t))\,c \cap L(q) = \emptyset$ [6], [3]. This definition states that the process that describes the desired behavior must not require different control actions for a controllable event following the same observable trace.

First, we consider supervisors that rely on event-based observations. We note that as the control requirements are state-based, the supervised behavior retains the emitted signals and guarded commands of the plant. Thus, the supervisors do not influence the emitted signals, nor do they affect the guarded commands, so they can be considered as deterministic processes comprising no state-based information. Then, by reducing (1) and applying Definition 3, supervisors can be rewritten to guarded recursive specifications $E \in \mathcal{E}$ comprising equations of the form

$$X = \sum_{a \in A_X} a.\Big(\sum_{Y \in R_{X,a}} Y\Big)\ [\,+\,1\,], \tag{4}$$

where $A_X \subseteq A$ is the set of available action prefixes of the variable $X$, $R_{X,a} \subseteq \mathcal{R}(E)$ is the set of variables prefixed by $a$ in the equation of $X$, and $[\,+\,1\,]$ is an optional summand. Since the supervisor cannot update its state while synchronizing on unobservable events, it only has the option of enabling or disabling these events by placing them in a self loop. Thus, given a supervisor $s = \mu S.E_S$, we obtain the supervisor with partial observations $po_N(s) = \mu S_N.E_{S_N}$ by enforcing control over unobservable events through synchronization with self loops. To this end, we define the set

$$R^*_X \triangleq \{Y \in \mathcal{R}(E) \mid \langle \mu X.E, v\rangle \xrightarrow{r}{}^{*} \langle \mu Y.E, w\rangle,\ r \in N^*\}$$

that identifies the variables reachable by traces of unobservable events. Also, for every $X \in \mathcal{R}(E_S)$ we put $A^*_X \triangleq \bigcup_{Z \in R^*_X} A_Z$ and $R^*_{X,a} \triangleq \bigcup_{Z \in R^*_X} R_{Z,a}$, which define the reachable action and recursive variable sets. Now, the structure of the recursive equations of the supervisor under partial observation $po_N(s)$ is given by

$$X_N = \sum_{o \in A^*_X \cap O} o.\Big(\sum_{Y \in R^*_{X,o}} Y_N\Big) + \sum_{n \in A^*_X \cap N} n.X_N\ [\,+\,1\,]. \tag{5}$$

The set of observable events enabled by the supervisor comprises all observable action transitions that are reachable by unobservable traces. The enabled unobservable events do not change the state of the supervisor, as they only form self loops. The possible successful termination option is required to preserve the termination options of the plant wherever needed.

We illustrate this situation by the example depicted in Fig. 5, where $u_i \in U$ for $1 \leq i \leq 4$, $c_j \in C$ for $1 \leq j \leq 4$, and the unobservable events, depicted by dashed lines, are $N = \{c_1, c_2, u_2\}$.

[Fig. 5: automata not reproduced; a)–d) correspond to the recursive specifications $E_P$, $E_S$, $E_{S_N}$, and $X_S$ given in the text.]

Fig. 5. Supervision under partial observation: a) Plant, b) Deterministic event-based supervisor, c) Deterministic event-based supervisor under partial observation, d) State-based supervisor.

The plant depicted in Fig. 5a) emits the signals $S_k \in B$ for $1 \leq k \leq 7$, where the state emitting $S_7$ has the option to successfully terminate. We employ (1) to define $p$ using the recursive specification $E_P \in \mathcal{E}$, where

$$E_P = \{\ P_1 = S_1\,{}^{\wedge}\, (u_1.P_2 + u_1.P_3),\quad P_2 = S_2\,{}^{\wedge}\, u_2.P_4,\quad P_3 = S_3\,{}^{\wedge}\, (c_1.P_5 + u_2.P_6),\quad P_4 = S_4\,{}^{\wedge}\, c_3.P_7,$$
$$\qquad\ \ P_5 = S_5\,{}^{\wedge}\, (u_3.P_7 + u_4.P_1),\quad P_6 = S_6\,{}^{\wedge}\, (c_2.P_5 + c_4.P_7),\quad P_7 = S_7\,{}^{\wedge}\, 1\ \},$$

with $p = \mu P_1.E_P$. The supervisor depicted in Fig. 5b) is synthesized with respect to the set of control requirements $\mathcal{C} = \{S_3 \Rightarrow \overset{c_1}{\nrightarrow},\ S_6 \Rightarrow \overset{c_4}{\nrightarrow}\}$. It is specified by the recursive specification $E_S$ following (4) as

$$E_S = \{\ X_1 = u_1.X_2,\quad X_2 = u_2.X_3,\quad X_3 = c_2.X_4 + c_3.X_5,\quad X_4 = u_3.X_5 + u_4.X_1,\quad X_5 = 1\ \},$$

where the supervisor is $s = \mu X_1.E_S$. It can be directly verified that $p \,|\, s \leq_U p$ and $p \,|\, s \models^* (S_3 \Rightarrow \overset{c_1}{\nrightarrow}) \wedge (S_6 \Rightarrow \overset{c_4}{\nrightarrow})$. The supervisor under partial observation $po_N(s) = \mu X_{1N}.E_{S_N}$ is depicted in Fig. 5c), provided that $c_3 \neq c_1$ and $c_3 \neq c_4$. Otherwise, the system is not observable, as we have a conflicting control action: $c_1$ and $c_4$ are disabled after the observable trace $u_1$, whereas $c_3$ is enabled. Following the transformation (5) we obtain $E_{S_N}$ as

$$E_{S_N} = \{\ X_{1N} = u_1.X_{3N},\quad X_{3N} = c_3.X_{5N} + u_3.X_{5N} + u_4.X_{1N} + u_2.X_{3N} + c_2.X_{3N},\quad X_{5N} = 1\ \}.$$

We note that the equations for $X_{2N}$ and $X_{4N}$ are omitted from $E_{S_N}$, as they are not needed to solve $\mu X_{1N}.E_{S_N}$. Again, we have that $p \,|\, po_N(s) \models^* (S_3 \Rightarrow \overset{c_1}{\nrightarrow}) \wedge (S_6 \Rightarrow \overset{c_4}{\nrightarrow})$ and $p \,|\, po_N(s) \leq_U p$, provided that $c_3 \neq c_1$ and $c_3 \neq c_4$.
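The controllability check (2) and the transformation (5) carried out on the example above, as an added Python example that is not part of the paper. Signals are stripped ($\pi_{tr}$), so plant and supervisor are finite labeled transition systems with a set of terminating states; `PLANT` and `SUP` transcribe $E_P$ and $E_S$, and $U$ and $N$ are the paper's. The function names `sync`, `partial_bisim`, `controllable` and `po_N`, the `BAD_SUP` counterexample, and two conventions are this example's own choices: the state $X_N$ of $po_N(s)$ keeps the name of $X$ (so the paper's $X_{3N}$ appears as the state `X2`, whose closure under unobservable actions is $\{X_2, X_3, X_4\}$), and $X_N$ takes the termination option whenever some variable in $R^*_X$ has one, which is one reading of the optional summand in (5).

```python
"""Event-based supervision of Section III on the Fig. 5 example (added
example, not the paper's own code).

With signals stripped (pi_tr), a process is a finite LTS
{state: {action: set of target states}} plus a set of terminating states.
PLANT and SUP transcribe E_P and E_S; U and N are the paper's sets. The
naming of the states of po_N(s) and its termination rule are assumptions
explained in the lead-in.
"""

U = {"u1", "u2", "u3", "u4"}   # uncontrollable actions
N = {"c1", "c2", "u2"}         # unobservable actions

PLANT = {                       # pi_tr(p) for p = mu P1.E_P
    "P1": {"u1": {"P2", "P3"}},
    "P2": {"u2": {"P4"}},
    "P3": {"c1": {"P5"}, "u2": {"P6"}},
    "P4": {"c3": {"P7"}},
    "P5": {"u3": {"P7"}, "u4": {"P1"}},
    "P6": {"c2": {"P5"}, "c4": {"P7"}},
    "P7": {},
}
PLANT_TERM = {"P7"}             # P7 = S7 ^ 1 has the termination option

SUP = {                         # s = mu X1.E_S, form (4)
    "X1": {"u1": {"X2"}},
    "X2": {"u2": {"X3"}},
    "X3": {"c2": {"X4"}, "c3": {"X5"}},
    "X4": {"u3": {"X5"}, "u4": {"X1"}},
    "X5": {},
}
SUP_TERM = {"X5"}

BAD_SUP = {"X1": {"u1": {"X2"}}, "X2": {}}   # constructed: refuses u2 after u1
BAD_SUP_TERM = set()


def sync(p, pt, q, qt, start):
    """Reachable part of p | q (rules 11-13): a step needs both sides to take
    the same action, termination needs both sides to terminate."""
    lts, term, todo = {}, set(), [start]
    while todo:
        st = todo.pop()
        if st in lts:
            continue
        x, y = st
        lts[st] = {}
        if x in pt and y in qt:
            term.add(st)
        for a in p[x].keys() & q[y].keys():
            lts[st][a] = {(x2, y2) for x2 in p[x][a] for y2 in q[y][a]}
            todo.extend(lts[st][a])
    return lts, term


def partial_bisim(p, pt, q, qt, B):
    """Largest partial bisimulation of p by q w.r.t. bisimulation action set B
    (Definition 1 without valuations): a greatest fixpoint, computed by
    dropping pairs that violate one of the three clauses until none is left."""
    R = {(x, y) for x in p for y in q if (x in pt) == (y in qt)}   # clause 1
    while True:
        bad = {(x, y) for (x, y) in R
               if not all(any((x2, y2) in R for y2 in q[y].get(a, ()))
                          for a, xs in p[x].items() for x2 in xs)   # clause 2
               or not all(any((x2, y2) in R for x2 in p[x].get(b, ()))
                          for b, ys in q[y].items() if b in B for y2 in ys)}  # 3
        if not bad:
            return R
        R -= bad


def controllable(plant, pt, p0, sup, st, s0, unc):
    """Condition (2), p | s <=_U p: the supervised plant is simulated by the
    plant and every uncontrollable step of the plant is mirrored."""
    lts, term = sync(plant, pt, sup, st, (p0, s0))
    return ((p0, s0), p0) in partial_bisim(lts, term, plant, pt, unc)


def po_N(sup, st, unobs):
    """Transformation (5): R*_X is the closure of X under unobservable actions;
    an observable action of some Z in R*_X leads to the targets of Z's
    transition, an unobservable one becomes a self loop on X_N."""
    def closure(x):
        seen, todo = set(), [x]
        while todo:
            z = todo.pop()
            if z not in seen:
                seen.add(z)
                todo += [y for n in unobs for y in sup[z].get(n, ())]
        return seen

    po, term = {}, set()
    for x in sup:
        po[x] = {}
        for z in closure(x):
            if z in st:
                term.add(x)
            for a, ys in sup[z].items():
                po[x].setdefault(a, set()).update({x} if a in unobs else ys)
    return po, term


PO_SUP, PO_SUP_TERM = po_N(SUP, SUP_TERM, N)

if __name__ == "__main__":
    print("p | s <=_U p:", controllable(PLANT, PLANT_TERM, "P1", SUP, SUP_TERM, "X1", U))
    print("p | bad <=_U p:", controllable(PLANT, PLANT_TERM, "P1", BAD_SUP, BAD_SUP_TERM, "X1", U))
    print("po_N(s) at X2:", {a: sorted(t) for a, t in sorted(PO_SUP["X2"].items())})
    print("p | po_N(s) <=_U p:", controllable(PLANT, PLANT_TERM, "P1", PO_SUP, PO_SUP_TERM, "X1", U))
```

Running the module shows that both $s$ and $po_N(s)$ pass (2), while `BAD_SUP` fails it: after $u_1$ the plant can perform the uncontrollable $u_2$ from $P_2$ and $P_3$, and clause 3 of Definition 1 removes the pair $((P_2, X_2), P_2)$ and then $((P_1, X_1), P_1)$ from the candidate relation. The state `X2` of `PO_SUP` carries exactly the summands the paper lists for $X_{3N}$: $c_3$, $u_3$ and $u_4$ reached from the closure, and $u_2$, $c_2$ as self loops.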

Given a desired behavior $q \in \mathcal{P}$, the minimal deterministic supervisor that can achieve $q$ is the deterministic process that comprises the traces of $q$. This is the case because the control requirements deal with disabling events or forbidding states given an emitted signal, but they do not alter the signals. To this end, we define the trace projection $\pi_{tr}$ that strips the state-based information from a given process. The projection is defined by structural induction, where all operators except signal emission and guarded command are left intact, whereas $\pi_{tr}(\phi\,{}^{\wedge}\, p) = \pi_{tr}(\phi :\to p) = \pi_{tr}(p)$ for every $\phi \in B$ and $p \in \mathcal{P}$. Now, we define the supervisor $s$ of $q$ by $s = \pi_{det}(\pi_{tr}(q))$, since this is the minimal process that comprises all of its traces [13].

Definition 4: Let $p \in \mathcal{P}$ be the plant, $q \in \mathcal{P}$ the desired behavior, and $\mathcal{C} \subset \mathcal{S}$ the control requirements. We say that $q$ is controllable under partial observation with respect to $N$ if $q \leq_U p$, $q \models^* \bigwedge_{r \in \mathcal{C}} r$, and $p \,|\, po_N(\pi_{det}(\pi_{tr}(q))) \leq_U q$.

Definition 4 extends the controllability definition of [13] with partial observations. It structurally restricts the possible choice of a supervisor in order to ascertain partial observation and, in doing so, circumvents the need for the partial observability property. For deterministic systems without state information, i.e., standard automata- or language-based specifications, $q \leq_U p$ directly translates to language controllability [14], [16], whereas observability is ascertained by requiring that $L(p \,|\, po_N(q)) \subseteq L(q)$.

Theorem 3: Let $p, q \in \mathcal{P}$ be deterministic processes such that $\pi_{tr}(p) = p$, $\pi_{tr}(q) = q$, $L(q) \subseteq L(p)$, and $L(q)\,U \cap L(p) \subseteq L(q)$. Then, $L(q)$ is observable with respect to $L(p)$ if and only if $L(p \,|\, po_N(q)) \subseteq L(q)$.

Proof: The conditions $\pi_{tr}(p) = p$ and $\pi_{tr}(q) = q$ state that $p$ and $q$ contain no state information, so that we can treat them as standard automata.
It is known that observability of uncontrollable events is ensured by controllability [3], so we only consider traces of the form tc for t ∈ A∗ and c ∈ C. We note that L(q) ⊆ L(p) and L(q) ⊆ L(poN (q)), we have that L(q) ⊆ L(p | poN (q)), i.e., L(p | poN (q)) = L(q). Let q = µXQ .EQ , where EQ has the form given by (4). First, we show that if L(q) is not observable with respect to L(p), then L(p | poN (q)) 6⊆ L(q). The former implies that there exist t1 , t2 ∈ A∗ such that πobs (t1 ) = πobs (t2 ) = t ∈ O∗ and t1 c 6∈ L(q), t1 c ∈ L(p), and t2 c ∈ L(q). Let t = a1 a2 . . . an for some n ∈ N. Then, there exist variables X0 , X1 , ..., Xn ∈ R(EQ ) such that Xi−1 = ai .Xi +gi , where gi ∈ G for 1 ≤ i ≤ n, XQ = X0 , and Xn = c.Y +g for some Y ∈ R(EQ ) and g ∈ G. Suppose that t = aj1 aj2 . . . ajm for some m ≤ n and ajk ∈ O for 1 ≤ jk ≤ n and 1 ≤ k ≤ m. Following the construction of poN (q), there exist Xj1 N , . . . , Xjm N ∈ R(EQN ) such that Xjk−1 N = ajk .Xjk N + hjk where hjk ∈ G for 1 ≤ k ≤ m, XQN = Xj1 N , and Xjm = c.YN + h for some YN ∈ R(EQN ) and h ∈ G. But t1 c ∗ then hp | poN (q), vi −→ hp0 , v 0 i for every v ∈ V, i.e., t1 c ∈ L(p | poN (q)), implying that L(p | poN (q)) 6⊆ L(q). Next, we show that if L(p | poN (q)) 6⊆ L(q), then L(q) is not observable with respect to L(p). Suppose that L(p | poN (q)) 6⊆ L(q). As controllability holds, for every t0 ∈ A∗ and u ∈ U such that t0 u ∈ L(p) and t0 ∈ L(q) implies that

t0 u ∈ L(q) ⊆ L(poN (q)). Thus, if t0 u ∈ L(p | poN (q)), then t0 u ∈ L(q). So, there exists tc ∈ L(p) ∩ L(poN (q)) for some t = a1 . . . an ∈ A∗ , with n ∈ N, and c ∈ C with tc 6∈ L(q). Then, there exist variables XiN ∈ R(EQN ) for 1 ≤ i ≤ n such that X(i−1)N = ai .XiN + gi , where gi ∈ G for 1 ≤ i ≤ n and XnN = c.YN + g for some YN ∈ R(EQN ) and h ∈ G. According to (5) for all ai ∈ N for 1 ≤ i ≤ n, we have that X(i−1)N = XiN . So, there exists r ∈ N∗ such that πobs (t) = r. As tc ∈ poN (q) there exists t2 ∈ q such that πobs (t2 ) = r and t2 c ∈ L(q), which completes the proof. Next, we consider supervision under state-based observations. The supervisor observes the state of the plant, identified by the emitted propositional signals, and synchronizes on controllable events, while always enabling uncontrollable events. Thus, the supervisor does not have to keep a history of events, so it can be defined by a guarded recursive specification µXS .ES of the form P P ES = {XS = c∈C φc :→ c.XS + u∈U u.XS + ψ :→ 1}, (6) for φc , ψ ∈ B. The supervisor employs signal observation [7] to identify the state of the plant and send back feedback regarding controllable events by synchronizing on self loops, P as specified by c∈C φc :→ c.XS . Moreover, it Palways enables the uncontrollable events as specified by u∈U u.XS . It can potentially disable undesired termination options in states identified by ψ. The guards φc for c ∈ C depict the supervision and partial observation is already taken into account during the synthesis procedure [5]. For the example depicted in Fig. 5, the supervisor employing state-based observations is depicted in Fig. 5d). The recursive specification is given by P4 XS = S4 :→ c3 .XS + S6 :→ c2 .XS + i=1 ui .XS + 1. Partial observation of states is modeled by a disjunction of the emitted signals, as the supervisor cannot observe the exact state of the plant. 
For example, if one state emits the signal $\phi_1$ and another state emits the signal $\phi_2$, whereas the supervisor cannot distinguish between these two states, then it must treat both states as emitting the signal $\phi_1 \vee \phi_2$. Thus, whenever the supervision depends on $\phi_1$ or $\phi_2$, it must depend on $\phi_1 \vee \phi_2$ instead. Let $\mathcal{F} \subset 2^H$ denote a set of partially observable sets of states that comprises disjoint subsets of propositional symbols, i.e., $F_1 \cap F_2 = \emptyset$ for every pair of distinct $F_1, F_2 \in \mathcal{F}$. The subsets identify sets of states that emit the signals corresponding to the states that are partially observable. We note that if the subsets are not disjoint, then they can be made disjoint by merging subsets that have common states, as the supervisor cannot distinguish between such sets of states. Given a supervision condition $\phi \in B$, we define a state signal abstraction $\mathrm{ssa}_{\mathcal{F}}(\phi)$ with respect to $\mathcal{F}$ in Fig. 6. Given a supervisor $s = \mu X_S.E_S$ with state-based observations, cf. (6), we define a supervisor with partial observation of states $\mathrm{po}_{\mathcal{F}}(s) = \mu X_{SF}.E_{SF}$ with respect to $\mathcal{F}$ as

$$X_{SF} = \textstyle\sum_{c \in C} \mathrm{ssa}_{\mathcal{F}}(\phi_c) :\to c.X_{SF} + \sum_{u \in U} u.X_{SF} + 1. \quad (7)$$

$$\begin{array}{ll}
\mathrm{ssa}_{\mathcal{F}}(C) = C & \text{for } C \in \{\mathrm{T}, \mathrm{F}\} \\
\mathrm{ssa}_{\mathcal{F}}(S) = S & \text{if } S \notin \bigcup_{F \in \mathcal{F}} F, \text{ for } S \in H \\
\mathrm{ssa}_{\mathcal{F}}(S) = \bigvee_{T \in F} T & \text{if } S \in F \in \mathcal{F}, \text{ for } S \in H \\
\mathrm{ssa}_{\mathcal{F}}(\neg \phi) = \neg \mathrm{ssa}_{\mathcal{F}}(\phi) & \text{for } \phi \in B \\
\mathrm{ssa}_{\mathcal{F}}(\phi_1 \mathrel{op} \phi_2) = \mathrm{ssa}_{\mathcal{F}}(\phi_1) \mathrel{op} \mathrm{ssa}_{\mathcal{F}}(\phi_2) & \text{for } op \in \{\wedge, \vee, \Rightarrow\} \text{ and } \phi_1, \phi_2 \in B
\end{array}$$

Fig. 6. Abstraction of the supervision condition
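
The recursion of Fig. 6, together with the merging of non-disjoint sets mentioned above and the guard abstraction of (7), as an added Python example that is not part of the paper. The tuple encoding of formulas and all function names are constructed here; the sample input reproduces the Fig. 5 supervisor (guard S4 for c3, guard S6 for c2) under F = {{S2, S3}, {S4, S5, S6}}.

```python
from itertools import combinations

# Constructed encoding of B (not the paper's syntax): True/False for T/F,
# a str for a signal S in H, ('not', f), or (op, f1, f2) with op in
# {'and', 'or', 'implies'} for the binary connectives of Fig. 6.

def merge_partial_sets(families):
    """Merge subsets of signals that share a state, so that F is disjoint
    (the supervisor cannot distinguish between such sets of states)."""
    groups = [set(f) for f in families]
    merged = True
    while merged:
        merged = False
        for a, b in combinations(range(len(groups)), 2):
            if groups[a] & groups[b]:
                groups[a] |= groups.pop(b)
                merged = True
                break
    return [frozenset(g) for g in groups]

def ssa(phi, fam):
    """State signal abstraction ssa_F(phi) of Fig. 6, by recursion on phi."""
    if isinstance(phi, bool):            # constants T, F are unchanged
        return phi
    if isinstance(phi, str):             # a signal S in H
        for group in fam:
            if phi in group:             # S in F in fam: disjunction over F
                members = sorted(group)
                out = members[0]
                for s in members[1:]:
                    out = ('or', out, s)
                return out
        return phi                       # S not in any partially observable set
    if phi[0] == 'not':
        return ('not', ssa(phi[1], fam))
    op, left, right = phi                # and / or / implies distribute
    return (op, ssa(left, fam), ssa(right, fam))

def abstract_supervisor(guards, families):
    """Apply (7): replace every controllable-event guard phi_c by ssa_F(phi_c).
    guards maps a controllable event name to its guard formula."""
    fam = merge_partial_sets(families)
    return {c: ssa(phi, fam) for c, phi in guards.items()}

if __name__ == '__main__':
    # Fig. 5d supervisor: c3 enabled in S4, c2 enabled in S6 (constructed input)
    guards = {'c3': 'S4', 'c2': 'S6'}
    F = [{'S2', 'S3'}, {'S4', 'S5', 'S6'}]
    print(abstract_supervisor(guards, F))   # both guards become S4 v S5 v S6
```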

To ensure controllability, we require that (2) and (3) hold. If we suppose that $\mathcal{F} = \{\{S_2, S_3\}, \{S_4, S_5, S_6\}\}$ for the example of Fig. 5, then the state-based supervisor with partial observation of states is given by

$$X_{SF} = (S_4 \vee S_5 \vee S_6) :\to (c_3.X_{SF} + c_2.X_{SF}) + \textstyle\sum_{i=1}^{4} u_i.X_{SF} + 1.$$

IV. CONCLUDING REMARKS

We presented a process theory encompassing successful termination that models marked states, guarded recursive specifications, propositional signals that identify states, guarded commands that condition transitions based on the emitted signals, and synchronization that models the coupling of a plant and supervisor in a feedback loop with event- or state-based observations. We formalized the notion of state-based control requirements and supervised plant in the proposed setting by extending the notion of partial bisimilarity to cater for state-based information. Afterwards, we extended the framework with partial observation of events and states, and we gave an alternative characterization of partial observability by structurally restricting the form of the supervisors. Finally, we showed that both notions coincide in the deterministic setting and we illustrated the framework on a simple example.

REFERENCES

[1] N. Leveson, "The challenge of building process-control software," IEEE Software, vol. 7, no. 6, pp. 55–62, 1990.
[2] P. J. Ramadge and W. M. Wonham, "Supervisory control of a class of discrete-event processes," SIAM Journal on Control and Optimization, vol. 25, no. 1, pp. 206–230, 1987.

[3] C. Cassandras and S. Lafortune, Introduction to Discrete Event Systems. Kluwer Academic Publishers, 2004.
[4] C. Ma and W. M. Wonham, Nonblocking Supervisory Control of State Tree Structures, ser. Lecture Notes in Control and Information Sciences. Springer, 2005, vol. 317.
[5] S. Miremadi, K. Akesson, and B. Lennartson, "Extraction and representation of a supervisor using guards in extended finite automata," in Proceedings of WODES 2008. IEEE, 2008, pp. 193–199.
[6] F. Lin and W. Wonham, "On observability of discrete-event systems," Information Sciences, vol. 44, no. 3, pp. 173–198, 1988.
[7] J. C. M. Baeten, T. Basten, and M. A. Reniers, Process Algebra: Equational Theories of Communicating Processes, ser. Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, 2010, vol. 50.
[8] M. Fabian and B. Lennartson, "On non-deterministic supervisory control," Proceedings of the 35th IEEE Decision and Control, vol. 2, pp. 2213–2218, 1996.
[9] C. Zhou, R. Kumar, and S. Jiang, "Control of nondeterministic discrete-event systems for bisimulation equivalence," IEEE Transactions on Automatic Control, vol. 51, no. 5, pp. 754–765, 2006.
[10] M. Heymann and F. Lin, "Discrete-event control of nondeterministic systems," IEEE Transactions on Automatic Control, vol. 43, no. 1, pp. 3–17, 1998.
[11] A. Overkamp, "Supervisory control using failure semantics and partial specifications," IEEE Transactions on Automatic Control, vol. 42, no. 4, pp. 498–510, 1997.
[12] R. Kumar and C. Zhou, "Control of nondeterministic discrete event systems for simulation equivalence," IEEE Transactions on Automation Science and Engineering, vol. 4, no. 3, pp. 340–349, 2007.
[13] J. C. M. Baeten, D. A. van Beek, B. Luttik, J. Markovski, and J. E. Rooda, "A process-theoretic approach to supervisory control theory," in Proceedings of ACC 2011. IEEE, 2011, pp. 4496–4501.
[14] J. J. M. M. Rutten, "Coalgebra, concurrency, and control," Center for Mathematics and Computer Science, Amsterdam, The Netherlands, SEN Report R-9921, 1999.
[15] J. Komenda and J. H. van Schuppen, "Control of discrete-event systems with partial observations using coalgebra and coinduction," Discrete Event Dynamic Systems, vol. 15, pp. 257–315, 2005.
[16] J. C. M. Baeten, A. C. van Hulst, D. A. van Beek, and J. Markovski, "Towards a concurrency theory for supervisory control," Eindhoven University of Technology, SE Report 2012-01, 2012. [Online]. Available: http://se.wtb.tue.nl/sereports
[17] J. Baeten and J. Bergstra, "Process algebra with propositional signals," Theoretical Computer Science, vol. 177, pp. 381–405, 1997.
[18] J. Markovski, D. A. van Beek, R. J. M. Theunissen, K. G. M. Jacobs, and J. E. Rooda, "A state-based framework for supervisory control synthesis and verification," in Proceedings of CDC 2010. IEEE, 2010, pp. 3481–3486.
[19] J. Markovski, K. G. M. Jacobs, D. A. van Beek, L. J. A. M. Somers, and J. E. Rooda, "Coordination of resources using generalized state-based requirements," in Proceedings of WODES 2010. IFAC, 2010, pp. 300–305.
