Submitted to Discrete Event Dynamic Systems: Theory and Applications

Solvability of Centralized Supervisory Control under Partial Observation

Tae-Sic Yoo∗, Idaho National Laboratory, Idaho Falls, ID 83403-2528, [email protected]

Stéphane Lafortune, Department of Electrical Engineering and Computer Science, The University of Michigan, 1301 Beal Avenue, Ann Arbor, MI 48109-2122, U.S.A., [email protected]; www.eecs.umich.edu/umdes

Abstract The problem of synthesizing a nontrivial controllable and observable sublanguage of a given non-prefix-closed language is addressed. This problem arises in supervisory control of discrete-event systems, when the objective is to synthesize safe nonblocking supervisors for partially-observed systems. The decentralized version of this problem is known to be unsolvable. We show that the centralized version of this problem is solvable by presenting a new algorithm that synthesizes a nontrivial controllable and observable sublanguage of the given non-prefix-closed language, if one exists. We also show that the union of all nonblocking solutions to the associated supervisory control problem can be expressed as the union of all regular nonblocking solutions.

1 Introduction

We consider centralized supervisory control of partially-observed discrete-event systems. Our objective is to present an algorithm that returns a nontrivial controllable and observable sublanguage of a given non-prefix-closed language (in short, a safe nonblocking solution to the associated supervisor synthesis problem), if one exists. The framework adopted is that of the theory of supervisory control of discrete-event systems (abbreviated DES hereafter), initiated by Ramadge & Wonham in the 1980's [8]. (Hereafter, we assume the reader is familiar with the main elements of this theory; see, e.g., Chapter 3 of [2] for a detailed introduction.)

∗ This work was done when the first author was at the University of Michigan as a Ph.D. student.

Consider a DES modeled by an automaton denoted by G; let the set of event labels in G be denoted by Σ. Equivalently, the system is modeled by the languages generated and marked by G, denoted by L(G) and Lm(G), respectively. The prefix-closed language L(G) models all the traces of events that the system can execute, while the marked language Lm(G) models those traces in L(G) that represent, by modeling choice, the completion of some operation or task. The notion of a marked language, or equivalently the notion of marked states in G, allows the consideration of blocking in the analysis of DES. The automaton G models the uncontrolled behavior of the system. This behavior must be restricted by control in order to ensure that only legal traces of events are generated and that blocking does not occur (or its effect is mitigated if blocking cannot be completely eliminated). Control is exerted by means of a supervisor, denoted by S, that observes the events generated by G and controls the events that G is allowed to execute. The controlled system is denoted by S/G.

In order to account for actuation and sensing limitations, the set of events Σ is partitioned in two ways. Regarding actuation limitations, Σ is partitioned into Σ = Σc ∪ Σuc, where Σuc is the set of uncontrollable events and Σc is the set of controllable events. The controllable events are those events that can be enabled or disabled by the supervisor. Regarding sensing limitations, Σ is partitioned into Σ = Σo ∪ Σuo, where Σuo is the set of unobservable events and Σo is the set of observable events. The observable events are those events that can be observed or "seen" by the supervisor, meaning they are recorded by the sensors. When Σuo ≠ ∅, the supervisor is often denoted by S_P, where the subscript P refers to "partial observation". Figure 1(a) depicts the centralized control architecture described above; in that figure, the block P represents the "projection" operation that filters out unobservable events.

The controlled behavior under this paradigm is characterized by the prefix-closed language L(S/G) and the marked language Lm(S/G) := L(S/G) ∩ Lm(G).  If $\overline{L_m(S/G)} = L(S/G)$, we say that S is a nonblocking supervisor. Nonblocking means that there is no deadlock or livelock. A deadlock happens when the system enters a state that is not marked and no transition is defined/enabled out of that state; this state is called a deadlock state. A livelock happens when the system enters a strongly connected component of unmarked states and there are no transitions defined/enabled out of the strongly connected component; these states are called livelock states. The reader is referred to [2] for further technical details. Given an uncontrolled system behavior Lm(G), over the set of events Σ, and given a desired behavior Lm(H) such that Lm(H) ⊆ Lm(G) and $\overline{L_m(H)} = L(H)$, the following fundamental problems arise in supervisory control of DES:

P1. Is there a supervisor S such that L(S/G) = L(H) and Lm(S/G) = Lm(H)?

P2. Can we synthesize a supervisor S such that L(S/G) = L(H) and Lm(S/G) = Lm(H)?

P3. Is there a supervisor S such that Lm(S/G) ⊆ Lm(H) and $\overline{L_m(S/G)} = L(S/G)$? (Existence of a safe and nonblocking supervisor.)

P4. Can we synthesize a supervisor S such that Lm(S/G) ⊆ Lm(H) and $\overline{L_m(S/G)} = L(S/G)$? (Synthesis of a safe and nonblocking supervisor.)

Figure 1: Control architectures. (a) Centralized architecture: the supervisor S_P observes the system G through the projection P. (b) Decentralized architecture: local supervisors S_{P1}, S_{P2}, ..., S_{Pn} observe the system G through projections P_1, P_2, ..., P_n, and their local decisions are combined by decision fusion.

When all events are observable under the centralized architecture of Fig. 1(a), the answers to the above four problems can be found in [14]. In this case, computing the supremal controllable sublanguage of the desired language is essentially sufficient to answer the above four problems. In the context of the decentralized control architecture shown in Fig. 1(b) [11, 15], the notion of co-observability is required, in addition to the controllability and Lm(G)-closure conditions, in the necessary and sufficient conditions for the existence of a set of supervisors that together achieve exactly the desired language. Co-observability can be tested in polynomial time [9, 15]. Therefore, P1 is decidable in the context of the decentralized architecture. Moreover, if the answer to P1 is positive, it is possible to synthesize a set of supervisors that achieves the desired language exactly. If the answer to P1 is negative, it is clear that we cannot find a set of supervisors that together achieve the desired language exactly. Therefore, P2 is also solvable in the context of the decentralized architecture. Recently, it has been shown that P3 is undecidable in the context of the decentralized architecture [6, 12]. Therefore, P4 becomes unsolvable. Both P3 and P4 can be resolved if the nonblocking condition is relaxed; see [10, 11] and Section 4 of this paper.

When some events are not observable in the context of the centralized architecture, the results concerning P1, P2, and P3 are available in [5, 13]. The property of observability (the analogue of co-observability for the centralized architecture) can be verified in polynomial time, which resolves P1 [13]. An argument similar to that above for the decentralized architecture shows that P2 is solvable. In [5], an algorithm computing the union of all safe nonblocking solutions is developed. With this result, P3 can be decided (see footnote 1 in Section 2). While the existence problem (P3) is decidable, the solvability of the synthesis problem (P4) still remains open. Recent results in [1] provide a way of addressing P4 in a general framework. Taking a direct approach, this paper solves P4 by developing an algorithm for synthesizing a safe nonblocking solution. The resulting solution is a regular language.

This paper is organized as follows. Section 2 contains some necessary definitions and assumptions. The problem solved in this paper is formulated in Section 3. We first present its solution in the special case of prefix-closed languages in Section 4. The general solution is presented in Section 6 after some necessary results from previous work are recalled in Section 5. Section 7 concludes the paper.

2 Preliminaries

We assume basic knowledge of supervisory control and its common notations. For introductory material, the reader is directed to [2]. Consider an (in general, nondeterministic) automaton

$$A = (Q^A, \Sigma^A, \to_A, Q^A_0, Q^A_m),$$

where $Q^A$ is the finite state space, $\Sigma^A$ is the set of events, $Q^A_0 \subseteq Q^A$ is the set of initial states of the system and $Q^A_m \subseteq Q^A$ is the set of marked states. The partial transition relation is denoted by $\to_A$, and $q \xrightarrow{s}_A q'$ means that there exists a transition from state q to state q' with string $s \in \Sigma^*$. The notation $q \xrightarrow{s}_A !$ denotes that the transition s from state q is defined. On the other hand, $q \not\xrightarrow{s}_A$ means that the transition s from state q is not defined in the associated automaton A. The language generated by A is denoted by L(A) and defined by

$$L(A) := \{ s \in \Sigma^* : \exists q_0 \in Q^A_0,\ \exists q \in Q^A \text{ s.t. } q_0 \xrightarrow{s}_A q \}.$$

The language marked by A is denoted by Lm(A) and defined by

$$L_m(A) := \{ s \in \Sigma^* : \exists q_0 \in Q^A_0,\ \exists q \in Q^A_m \text{ s.t. } q_0 \xrightarrow{s}_A q \}.$$

If there is a path from an initial state to state q, we say that q is accessible. If there is a path from q to a marked state, we say that q is coaccessible. For further arguments, we define the set of accessible states from $Q \subseteq Q^A$ with a language L as follows:

$$\Delta_A(Q, L) := \{ q' \in Q^A : \exists q \in Q,\ \exists t \in L \text{ s.t. } q \xrightarrow{t}_A q' \}.$$

Let A1 and A2 be automata. The product operation over these two automata is denoted by A1 × A2 and defined in the usual manner (see, e.g., [2]). With the product operation, the following languages are generated: $L(A_1 \times A_2) = L(A_1) \cap L(A_2)$ and $L_m(A_1 \times A_2) = L_m(A_1) \cap L_m(A_2)$.

The projection P is the function $P : \Sigma^* \to \Sigma_o^*$ that erases from every trace the unobservable events. The inverse of P is denoted by $P^{-1}$ and is defined as $P^{-1} : 2^{\Sigma_o^*} \to 2^{\Sigma^*}$ with $P^{-1}(L) := \{ t \in \Sigma^* : (\exists s \in L)[P(t) = s] \}$. Formally, a supervisor for a partially-observed DES is a function $S_P : \Sigma_o^* \to \Gamma := \{ \gamma \in 2^{\Sigma} : \Sigma_{uc} \subseteq \gamma \}$. That is, a supervisor assigns a set of enabled events to each observable trace $s \in \Sigma_o^*$, and uncontrollable events are always enabled. The language generated by the supervised DES, denoted by $L(S_P/G)$, is defined recursively in the usual manner (see, e.g., [2]). The goal of supervisor synthesis is to design a supervisor $S_P$ for a given language K ⊆ Lm(G) such that $L(S_P/G) = \overline{K}$ and $L_m(S_P/G) = K$. It has been shown in [7] that such a supervisor exists if and only if K is controllable, observable, and Lm(G)-closed. The definitions of controllability, observability, and Lm(G)-closure are:

Definition 1 A language K is controllable (w.r.t. L(G) and Σuc) if $\overline{K}\,\Sigma_{uc} \cap L(G) \subseteq \overline{K}$.

Definition 2 A language K ⊆ L(G) is observable (w.r.t. L(G), Σo, and Σc) if for all $s \in \overline{K}$ and $\sigma \in \Sigma_c$ such that $s\sigma \in L(G) \setminus \overline{K}$, $P^{-1}[P(s)]\,\sigma \cap \overline{K} = \emptyset$.

Definition 3 A language K is Lm(G)-closed if $\overline{K} \cap L_m(G) = K$.

We define the following sublanguages of K:

$$(K)^{\uparrow(CO)} := \bigcup \{ L \subseteq K : L \text{ is controllable (w.r.t. } L(G) \text{ and } \Sigma_{uc}\text{) and observable (w.r.t. } L(G), \Sigma_o, \text{ and } \Sigma_c\text{)} \},$$

$$(K)^{\uparrow(COC)} := \bigcup \{ L \subseteq K : L \text{ is controllable, observable, and } L_m(G)\text{-closed} \}.$$

Suppose that Lm(H) is the desired language. We call a language L ⊆ Lm(H) a safe solution if L is controllable and observable. Furthermore, we call a language L ⊆ Lm(H) a safe nonblocking solution if L is controllable, observable, and Lm(G)-closed.

We define the subautomaton relation over two finite-state deterministic automata. Consider two finite-state deterministic automata over Σ, $G_1 = (Q^{G_1}, \Sigma, \delta_{G_1}, q_0^{G_1})$ and $G_2 = (Q^{G_2}, \Sigma, \delta_{G_2}, q_0^{G_2})$ (marked states are irrelevant for the purpose of this definition). We say that G1 is a subautomaton of G2, denoted by $G_1 \sqsubseteq G_2$, if for all $s \in L(G_1)$, $\delta_{G_1}(q_0^{G_1}, s) = \delta_{G_2}(q_0^{G_2}, s)$. Also we say that G1 is a strict subautomaton of G2, denoted by $G_1 \sqsubset G_2$, if, in addition, for all $s \in L(G_2) \setminus L(G_1)$, there exists $s' \le s$ such that $\delta_{G_2}(q_0^{G_2}, s') \notin Q^{G_1}$, where $s' \le s$ denotes that s' is a prefix of s. Moreover, we call two finite-state automata isomorphic, denoted by $G_1 \simeq G_2$, if it is possible to rename the states of G1 or G2 and obtain $G_1 \sqsubseteq G_2$ and $G_2 \sqsubseteq G_1$. Given two deterministic finite-state automata H and G such that L(H) ⊆ L(G), by following the technique presented in [4], we can construct H' and G' such that L(H) = L(H'), L(G) = L(G') and $H' \sqsubset G'$.

Footnote 1: It is also proved that P2 is PSPACE-hard in [13]. Chronologically, the computational complexity result [13] was found before the decidability result [5]. In [5], an exponential complexity algorithm is utilized to decide the existence of a safe nonblocking solution.

3 Problem Formulation

We formulate the two problems addressed in this paper.

EXISTENCE PROBLEM
Instance: H, G, and sets of controllable and observable events Σc and Σo, respectively.
Problem: Is there a nonempty safe nonblocking solution, that is, does there exist K ⊆ Lm(H), K ≠ ∅, such that K is controllable, observable, and Lm(G)-closed?

SYNTHESIS PROBLEM
Instance: H, G, and sets of controllable and observable events Σc and Σo, respectively.
Problem: If the answer to the above existence problem is positive, can we synthesize such a nonempty safe nonblocking solution?

We make the following assumptions in this paper:

A1. H and G are deterministic finite-state automata.
A2. $H \sqsubset G$.
A3. Lm(H) is controllable with respect to L(G) and Σuc.
A4. Lm(H) is Lm(G)-closed and $\overline{L_m(H)} = L(H)$.

Based on the above discussion in Section 2, A2 is without loss of generality. So are A3 and A4: it suffices to compute the supremal controllable and Lm(G)-closed sublanguage of the desired language and use it as Lm(H).

4 Decidability with Prefix-closed Languages

Let us assume that Lm(H) = L(H) and Lm(G) = L(G). Under this assumption, we can drop the Lm(G)-closure condition from the above problems. These problems can be resolved by computing the prefix-closed infimal controllable and observable superlanguage of {ε}, denoted by $(\{\varepsilon\})^{\downarrow(CO)}$. That is:

Theorem 1 $(\{\varepsilon\})^{\downarrow(CO)} \subseteq L(H)$ if and only if there is a nonempty controllable and observable sublanguage of L(H). Moreover, if $(\{\varepsilon\})^{\downarrow(CO)} \subseteq L(H)$ holds, $(\{\varepsilon\})^{\downarrow(CO)}$ is a controllable and observable sublanguage of L(H).

Proof: Straightforward from the definition of $\downarrow(CO)$: the prefix-closure of any nonempty controllable and observable sublanguage of L(H) is a prefix-closed controllable and observable superlanguage of {ε} (Definitions 1 and 2 only involve the prefix-closure), so it contains $(\{\varepsilon\})^{\downarrow(CO)}$; conversely, $(\{\varepsilon\})^{\downarrow(CO)}$ is by definition nonempty, controllable and observable.

Theorem 1 assures the decidability of the existence problem and the solvability of the synthesis problem of the preceding section in the case of prefix-closed languages, equivalently, when the nonblocking condition is relaxed. The $\downarrow(CO)$ operation on languages was originally studied in [10] and the reader is referred to that reference for results about existence and computation. The $\downarrow(CO)$ operation can be generalized to $\downarrow(CCO)$, pertaining to the infimal prefix-closed controllable and co-observable superlanguage, as considered in [11]. This shows the decidability of P3 and the solvability of P4 for the decentralized architecture when the nonblocking condition is relaxed, as was mentioned in the introduction. We state a simple result that establishes the equivalence of the $\downarrow(CO)$ and $\downarrow(CCO)$ operations with the $\downarrow(C)$ operation (for the infimal prefix-closed controllable superlanguage, see [3]) in the case of the empty trace.

Proposition 1 $(\{\varepsilon\})^{\downarrow(C)} = (\{\varepsilon\})^{\downarrow(CO)} = (\{\varepsilon\})^{\downarrow(CCO)} = (\Sigma_{uc})^* \cap L(G)$.

Proof: The result follows directly by realizing that the control decisions synthesizing these three infimal superlanguages are identical, namely, to disable all controllable events.
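The decision procedure given by Theorem 1 and Proposition 1 in the prefix-closed case, as an added example that is not part of the paper: under assumption A2 (H ⊏ G), L(H) is the set of strings of G that never leave the legal states Q^H, so $(\{\varepsilon\})^{\downarrow(CO)} = (\Sigma_{uc})^* \cap L(G) \subseteq L(H)$ holds exactly when the states of G reachable from the initial state by uncontrollable events alone are all legal. The plant G, the legal state sets, and all function names below are constructed for this illustration.

```python
# Added example (not from the paper): deciding the prefix-closed case of
# Theorem 1 via Proposition 1. The plant G, the legal state sets and the
# function names are constructed for this illustration.
from collections import deque

# Constructed plant G: state -> {event: next_state}; initial state 0.
# Events u and v are uncontrollable; a and b are controllable.
G = {
    0: {"a": 1, "u": 2},
    1: {"b": 3},
    2: {"v": 3, "b": 4},
    3: {"a": 0},
    4: {},
}
SIGMA_UC = {"u", "v"}


def uncontrollable_reach(G, q0, sigma_uc):
    """States of G reachable from q0 by uncontrollable events only.

    The strings along these paths form (Sigma_uc)^* ∩ L(G), which by
    Proposition 1 equals ({eps})↓(C) = ({eps})↓(CO) = ({eps})↓(CCO): the
    closed-loop behaviour when every controllable event is disabled.
    """
    seen, todo = {q0}, deque([q0])
    while todo:
        q = todo.popleft()
        for sigma, q2 in G[q].items():
            if sigma in sigma_uc and q2 not in seen:
                seen.add(q2)
                todo.append(q2)
    return seen


def uncontrollable_strings(G, q0, sigma_uc, max_len):
    """Strings of (Sigma_uc)^* ∩ L(G) of length at most max_len (the
    language itself may be infinite when uncontrollable events form a cycle)."""
    out, frontier = {""}, {("", q0)}
    for _ in range(max_len):
        frontier = {(s + sigma, q2) for s, q in frontier
                    for sigma, q2 in G[q].items() if sigma in sigma_uc}
        out |= {s for s, _ in frontier}
    return out


def decide_prefix_closed(G, q0, legal_states, sigma_uc):
    """Theorem 1 for prefix-closed languages.

    With H ⊏ G (assumption A2), L(H) is the set of strings of G that never
    leave `legal_states`, so ({eps})↓(CO) ⊆ L(H) holds exactly when the
    uncontrollable reach of q0 stays inside `legal_states`. Returns
    (answer, reach): when `answer` is True, (Sigma_uc)^* ∩ L(G) is itself a
    nonempty controllable and observable sublanguage of L(H), realised by
    the supervisor that disables all of Sigma_c after every observation.
    """
    reach = uncontrollable_reach(G, q0, sigma_uc)
    return reach <= legal_states, reach


if __name__ == "__main__":
    print(sorted(uncontrollable_strings(G, 0, SIGMA_UC, 3)))   # ['', 'u', 'uv']
    ok, reach = decide_prefix_closed(G, 0, {0, 1, 2, 3}, SIGMA_UC)
    print("legal = {0,1,2,3}:", ok, sorted(reach))             # True [0, 2, 3]
    ok, reach = decide_prefix_closed(G, 0, {0, 1, 2, 4}, SIGMA_UC)
    print("legal = {0,1,2,4}:", ok, sorted(reach))             # False [0, 2, 3]
```

In the second call state 3, which the plant reaches on its own via u v, is illegal, so no supervisor at all (not even the most restrictive one) can keep the closed loop inside L(H), which is exactly what Theorem 1 detects.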

5 General Case: Existence Problem

When the involved languages are not prefix-closed, $(\{\varepsilon\})^{\downarrow(CO)} \subseteq L(H)$ does not guarantee the existence of a safe nonblocking solution. However, we may decide the existence problem by verifying whether $(L_m(H))^{\uparrow(COC)}$ is empty or not. It is shown in [5] that $(L_m(H))^{\uparrow(COC)}$ can be computed. It is clear that the union of all safe nonblocking solutions is nonempty if and only if there exists a nonempty safe nonblocking solution. With the result that $(L_m(H))^{\uparrow(COC)}$ is computable, the existence problem is decidable. While the computation of $(L_m(H))^{\uparrow(COC)}$ shows the decidability of the existence problem, it does not provide an obvious way to compute a safe nonblocking solution. In order to investigate the problem of synthesizing a safe nonblocking solution, we recall in the two following sub-sections key results from [5], restated in our notation.

5.1 Computation of $(L(H))^{\uparrow(CO)}$ [5]

Let us define a nondeterministic automaton N as follows:

$$N = (Q^N, \Sigma_o, \to_N, Q^N_0, Q^N_m).$$

The state space $Q^N$ is defined as follows. State $(E, \Gamma) \in Q^N \subseteq 2^{Q^H} \times 2^{\Sigma}$ if the following set of conditions holds:

1. $E \neq \emptyset$ and $\Sigma_{uc} \subseteq \Gamma$.
2. $\Delta_G(E, (\Gamma \cap \Sigma_{uo})^*(\Gamma \cap \Sigma_o)) \subseteq Q^H$.

Let us explain the implication of the above conditions. For state (E, Γ), "E" denotes a state estimate of the system H and "Γ" represents an enablement control decision (see footnote 2). Since the uncontrollable events cannot be disabled, the enablement decision Γ always includes Σuc. Due to the strict-subautomaton assumption ($H \sqsubset G$), we can partition the state space of G into legal ($Q^H$) and illegal ($Q^G \setminus Q^H$) state sets. States that are reachable from E by the control decision Γ, before we have another observation, form the set $\Delta_G(E, (\Gamma \cap \Sigma_{uo})^*)$. Once we have another observation, the set of reachable states is updated to $\Delta_G(E, (\Gamma \cap \Sigma_{uo})^*(\Gamma \cap \Sigma_o))$. Therefore, condition 2 implies that Γ is a safe control decision from a set of legal states, $E \subseteq Q^H$. We define the set of initial states of N as follows:

$$(E_0, \Gamma_0) \in Q^N_0 \iff E_0 = \{q_0^H\} \text{ and } (E_0, \Gamma_0) \in Q^N,$$

where $q_0^H$ is the initial state of H. Let $(E_1, \Gamma_1), (E_2, \Gamma_2) \in Q^N$. The transitions between states are defined as follows:

$$[\sigma \in \Gamma_1 \cap \Sigma_o] \wedge [\Delta_G(E_1, (\Gamma_1 \cap \Sigma_{uo})^* \sigma) = E_2] \iff (E_1, \Gamma_1) \xrightarrow{\sigma}_N (E_2, \Gamma_2).$$

Note that transitions are nondeterministic in general, since the control decision $\Gamma_2$ at the target is not determined by σ. All states of N are marked, namely we set $Q^N_m = Q^N$. Hereafter, only the accessible part of the state space $Q^N$ is considered when we refer to the state space $Q^N$.

Footnote 2: In [5], Γ denotes disablement decisions, while in this paper we use Γ to denote enablement decisions.

For each state of N, we add self-loops for the enabled unobservable events and denote the resulting automaton by $\tilde N$. That is,

$$[\sigma \in \Gamma \cap \Sigma_{uo}] \Rightarrow (E, \Gamma) \xrightarrow{\sigma}_{\tilde N} (E, \Gamma).$$

Equipped with the nondeterministic supervisor $\tilde N$, we have the following result characterizing the closed-loop behavior.

Theorem 2 [5] $L(G \times \tilde N) = (L(H))^{\uparrow(CO)}$.

We present an example illustrating the construction of N. Let us consider the two automata G and H that are shown in Figs. 2 and 3, respectively. It is clear that $H \sqsubset G$.

Figure 2: G (plant automaton with states 0 to 18, initial state 0, over the events α1, α2, β1, β2, γ1, γ2; diagram omitted).

Figure 3: H (strict subautomaton of G with states 0 to 14, over the same events; diagram omitted).

Let us set Σo = {α1, α2} and Σc = {γ1, γ2}. Following the above construction procedure for N, we obtain the automaton depicted in Fig. 4. Note that, in Fig. 4, we only include states whose control decisions over controllable events are active, for the sake of readability. By "active" we mean that enabling those events affects the closed-loop language $L(G \times \tilde N)$. That is, states $(\{0\}, A \cup \Sigma_{uc})$ and $(\{1, 2\}, A \cup \Sigma_{uc})$, where $A \in 2^{\{\gamma_1, \gamma_2\}} \setminus \{\emptyset\}$, should be included to follow the construction procedure of N exactly. However, it is clear that from states {0} and {1, 2}, enabling γ1 or γ2 does not affect the closed-loop language $L(G \times \tilde N)$. Consequently, those states can be omitted without affecting the result of Theorem 2.

Figure 4: N, with transitions labeled by α1 and α2 between the states
y0 = ({0}, Σuc), y1 = ({3, 4}, {γ1} ∪ Σuc), y2 = ({3, 4}, {γ2} ∪ Σuc), y3 = ({5, 6}, {γ1} ∪ Σuc), y4 = ({5, 6}, {γ2} ∪ Σuc), y5 = ({1, 2}, Σuc), y6 = ({3, 4}, Σuc), y7 = ({5, 6}, Σuc)
(diagram omitted).
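The construction of N described in this subsection, as an added Python example that is not part of the paper or of [5]. The plant G, the legal state set Q_H (which stands in for H ⊏ G, so L(H) is the set of strings of G that stay inside Q_H), the event partition and all function names are constructed for this illustration. Condition 2 is checked on the post-observation estimate as in the paper; this example additionally requires the unobservable closure $\Delta_G(E, (\Gamma \cap \Sigma_{uo})^*)$ itself to stay legal, which is noted in the comment where it applies.

```python
# Added example (not from the paper or [5]): the estimator/control-decision
# automaton N of Section 5.1 on a constructed plant. G, Q_H, the event
# partition and all function names are made up for this illustration.
from collections import deque
from itertools import combinations

# Constructed plant G: state -> {event: next_state}; initial state 0.
G = {
    0: {"a": 1, "u": 2},
    1: {"b": 3, "c": 4},
    2: {"b": 5},
    3: {"a": 0},
    4: {"a": 6},
    5: {},
    6: {},
}
Q_H = {0, 1, 2, 3, 4, 5}         # legal states (H ⊏ G); state 6 is illegal
SIGMA = {"a", "b", "c", "u"}
SIGMA_O = {"a", "b"}             # observable events
SIGMA_C = {"a", "c"}             # controllable events
SIGMA_UO = SIGMA - SIGMA_O
SIGMA_UC = SIGMA - SIGMA_C


def delta(G, E, events):
    """Δ_G(E, events^*): states reachable from E using only `events`."""
    seen, todo = set(E), deque(E)
    while todo:
        q = todo.popleft()
        for sigma, q2 in G[q].items():
            if sigma in events and q2 not in seen:
                seen.add(q2)
                todo.append(q2)
    return seen


def next_estimate(G, E, gamma, sigma):
    """Δ_G(E, (Γ∩Σuo)^* σ): the state estimate after observing σ under Γ."""
    closure = delta(G, E, gamma & SIGMA_UO)
    return frozenset(G[q][sigma] for q in closure if sigma in G[q])


def is_safe(G, E, gamma, legal):
    """Conditions 1 and 2 on a candidate state (E, Γ) of N.

    The paper's condition 2 checks the post-observation set
    Δ_G(E, (Γ∩Σuo)^*(Γ∩Σo)) ⊆ Q^H. This example additionally requires the
    unobservable closure Δ_G(E, (Γ∩Σuo)^*) to stay legal, i.e. no illegal
    state may be visited even before the next observation.
    """
    if not E or not SIGMA_UC <= gamma or not E <= legal:
        return False
    closure = delta(G, E, gamma & SIGMA_UO)
    after = set()
    for sigma in gamma & SIGMA_O:
        after |= next_estimate(G, E, gamma, sigma)
    return closure <= legal and after <= legal


def all_decisions():
    """Every enablement decision Γ with Σuc ⊆ Γ ⊆ Σ."""
    sc = sorted(SIGMA_C)
    for k in range(len(sc) + 1):
        for extra in combinations(sc, k):
            yield frozenset(SIGMA_UC | set(extra))


def build_N(G, q0, legal):
    """Accessible part of N: initial states, states (E, Γ) and the
    nondeterministic transitions (E1, Γ1) -σ-> (E2, Γ2) for σ ∈ Γ1 ∩ Σo,
    E2 = Δ_G(E1, (Γ1∩Σuo)^* σ) and every safe Γ2."""
    E0 = frozenset([q0])
    estimates, todo, safe = {E0}, deque([E0]), {}
    while todo:                                  # phase 1: reachable estimates
        E = todo.popleft()
        safe[E] = {g for g in all_decisions() if is_safe(G, E, g, legal)}
        for gamma in safe[E]:
            for sigma in gamma & SIGMA_O:
                E2 = next_estimate(G, E, gamma, sigma)
                if E2 and E2 not in estimates:
                    estimates.add(E2)
                    todo.append(E2)
    states = {(E, g) for E in estimates for g in safe[E]}
    trans = {}                                   # phase 2: transitions
    for E, gamma in states:
        for sigma in gamma & SIGMA_O:
            E2 = next_estimate(G, E, gamma, sigma)
            if E2:                               # σ can occur under Γ from E
                trans[((E, gamma), sigma)] = {(E2, g2) for g2 in safe[E2]}
    initial = {(E0, g) for g in safe[E0]}
    return initial, states, trans


if __name__ == "__main__":
    initial, states, trans = build_N(G, 0, Q_H)
    print(len(initial), "initial states,", len(states), "states")   # 4 initial states, 15 states
    for (src, sigma), targets in sorted(trans.items(), key=str):
        print(sorted(src[0]), sorted(src[1]), "-%s->" % sigma,
              [(sorted(E), sorted(g)) for E, g in sorted(targets, key=str)])
```

From the estimate {1} the decision that enables both c and a is rejected, because the unobservable c may have moved the plant to state 4, from which the observable a leads to the illegal state 6; enabling c alone is still safe, since a is then disabled. The transition on a from ({0}, {a, b, u}) has three targets, one per safe decision at {1}, which is the nondeterminism of N that Section 6 resolves.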

5.2 Computation of $(L_m(H))^{\uparrow(COC)}$

For the sake of further arguments, we recall the algorithm described in [5], again restated in our notation.

1. (Initialization) Set i = 0 and $N_i = N$.

2. (Trimming) Denote $G \times \tilde N_i = H_i$ and $Trim(H_i) = H_i'$. If $H_i \simeq H_i'$, stop the iteration and return the resulting automaton $N_i$ as $N_{nb}$.

3. (Removing blocking states) Set j = 0 and
$$Q_{b,j} = \{ (E_b, \Gamma_b) \in Q^{N_i} : (q_b, E_b, \Gamma_b) \in Q^{H_i} \setminus Q^{H_i'} \}.$$

4. (Consistency checking) $(E_{ic}, \Gamma_{ic}) \in Q_{ic,j}$ if and only if there exist $(E_b, \Gamma_b) \in Q_{b,j}$ and $\sigma \in \Sigma_o$ such that $(E_{ic}, \Gamma_{ic}) \xrightarrow{\sigma}_{N_i} (E_b, \Gamma_b)$ and there is no $(E, \Gamma) \in Q^{N_i} \setminus Q_{b,j}$ with $(E_{ic}, \Gamma_{ic}) \xrightarrow{\sigma}_{N_i} (E, \Gamma)$; that is, every σ-successor of $(E_{ic}, \Gamma_{ic})$ is a blocking state. Set $Q_{b,j+1} = Q_{b,j} \cup Q_{ic,j}$. If $Q_{b,j+1} = Q_{b,j}$, set $Q_b^{N_i} = Q_{b,j+1}$,
$$Q^{N_{i+1}} = Q^{N_i} \setminus Q_b^{N_i}, \qquad N_{i+1} = Trim(Q^{N_{i+1}}, \Sigma_o, \to_{N_i}, Q_0^{N_i}, Q_m^{N_i}), \qquad i \leftarrow i + 1,$$
and go to step 2; else set $j \leftarrow j + 1$ and repeat the current step.

In [5], the following result characterizing the closed-loop behavior is presented.

Theorem 3 [5] $L(G \times \tilde N_{nb}) = \overline{(L_m(H))^{\uparrow(COC)}}$ and $L_m(G \times \tilde N_{nb}) = (L_m(H))^{\uparrow(COC)}$.

With Theorem 3, it is clear that the existence problem can be decided: a nonempty safe nonblocking solution exists if and only if $L_m(G \times \tilde N_{nb}) \neq \emptyset$.

Returning to our example, with N shown in Fig. 4, we get
$$Q^{H_0} \setminus Q^{H_0'} = \{ (3, \{3,4\}, \Sigma_{uc}),\ (4, \{3,4\}, \Sigma_{uc}),\ (5, \{5,6\}, \Sigma_{uc}),\ (6, \{5,6\}, \Sigma_{uc}) \}.$$
Therefore, $Q_{b,0} = \{ (\{3,4\}, \Sigma_{uc}), (\{5,6\}, \Sigma_{uc}) \}$, i.e., the states y6 and y7 of Fig. 4. From step 4, we have that $Q_{ic,0} = \emptyset$, since every α1- and α2-successor set of the remaining states contains a non-blocking state. Then, we get $N_1$ depicted in Fig. 5. With this, we get that $Trim(G \times \tilde N_1) \simeq G \times \tilde N_1$. Therefore, with the algorithm described above, we obtain that $N_{nb} = N_1$.

Figure 5: N1 = Nnb, with transitions labeled by α1 and α2 between the states
y0 = ({0}, Σuc), y1 = ({3, 4}, {γ1} ∪ Σuc), y2 = ({3, 4}, {γ2} ∪ Σuc), y3 = ({5, 6}, {γ1} ∪ Σuc), y4 = ({5, 6}, {γ2} ∪ Σuc), y5 = ({1, 2}, Σuc)
(diagram omitted).
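The trimming test of steps 2 and 3 above (is $G \times \tilde N_i$ nonblocking, and which supervisor states occur in blocking product states), as an added Python example that is not taken from the paper or from [5]; it also illustrates the deadlock/livelock distinction made in the Introduction. To keep the product small it composes G with a deterministic supervisor realization (a map from supervisor states to enablement decisions with transitions over Σo, one realization of $S_P : \Sigma_o^* \to \Gamma$) rather than with the nondeterministic $N_i$; the product and the coaccessibility test are the same in both cases. The plant G, the two supervisors S_BAD and S_GOOD, and all function names are constructed for this example.

```python
# Added example (not from the paper): the product G × S̃ with a deterministic
# supervisor realisation and the blocking-state test of Section 5.2, step 3.
# The plant G, the supervisors S_BAD and S_GOOD and the function names are
# constructed for this illustration.
from collections import deque

SIGMA_O = {"a", "b", "d"}                    # observable events
SIGMA_UO = {"c", "u"}                        # unobservable events
# Constructed plant: state -> {event: next_state}; initial state 0.
G = {
    0: {"a": 1, "b": 2, "d": 5},
    1: {"c": 3},
    2: {},
    3: {"b": 4},
    4: {},
    5: {"u": 6},
    6: {"u": 5},
}
G_MARKED = {2, 4}                            # Q_m^G

# Deterministic supervisor over Σo: state -> (Γ, {observable event: next}).
# Γ is the enablement decision and must contain the uncontrollable events
# b and u. S_BAD keeps c disabled after a and enables d; S_GOOD does the
# opposite.
S_BAD = {
    "s0": ({"a", "b", "d", "u"}, {"a": "s1", "b": "s2", "d": "s3"}),
    "s1": ({"b", "u"}, {}),
    "s2": ({"b", "u"}, {}),
    "s3": ({"b", "u"}, {}),
}
S_GOOD = {
    "s0": ({"a", "b", "u"}, {"a": "s1", "b": "s2"}),
    "s1": ({"b", "c", "u"}, {"b": "s4"}),
    "s2": ({"b", "u"}, {}),
    "s4": ({"b", "u"}, {}),
}


def product(G, S, q0=0, s0="s0"):
    """Accessible part of G × S̃.

    S̃ is S with a self-loop at every state for each enabled unobservable
    event, so the supervisor state changes only on observations.
    Returns {(q, s): {event: (q2, s2)}}.
    """
    start = (q0, s0)
    trans, todo = {start: {}}, deque([start])
    while todo:
        q, s = todo.popleft()
        gamma, succ = S[s]
        for sigma, q2 in G[q].items():
            if sigma not in gamma:
                continue                       # disabled by the supervisor
            if sigma in SIGMA_UO:
                s2 = s                         # self-loop of S̃
            elif sigma in succ:
                s2 = succ[sigma]
            else:
                continue                       # no S-move on σ: σ is not followed
            trans[(q, s)][sigma] = (q2, s2)
            if (q2, s2) not in trans:
                trans[(q2, s2)] = {}
                todo.append((q2, s2))
    return trans


def blocking_states(trans, marked):
    """Non-coaccessible states of the product, split into deadlock states
    (unmarked, no enabled transition) and livelock states (unmarked, with
    transitions, but no path to a marked state). Trim(G × S̃) ≃ G × S̃
    exactly when both sets are empty; all supervisor states are marked, so
    a product state is marked iff its G-component is."""
    coacc = {z for z in trans if z[0] in marked}
    changed = True
    while changed:                             # backward reachability fixpoint
        changed = False
        for z, succ in trans.items():
            if z not in coacc and any(z2 in coacc for z2 in succ.values()):
                coacc.add(z)
                changed = True
    blocking = set(trans) - coacc
    deadlock = {z for z in blocking if not trans[z]}
    return deadlock, blocking - deadlock


def blocking_supervisor_states(trans, marked):
    """Supervisor states occurring in some blocking product state: the set
    Q_b of step 3 in Section 5.2, which the algorithm removes from N_i."""
    deadlock, livelock = blocking_states(trans, marked)
    return {s for (_, s) in deadlock | livelock}


if __name__ == "__main__":
    for name, S in (("S_BAD", S_BAD), ("S_GOOD", S_GOOD)):
        trans = product(G, S)
        deadlock, livelock = blocking_states(trans, G_MARKED)
        print(name, "deadlock:", sorted(deadlock), "livelock:", sorted(livelock),
              "Q_b:", sorted(blocking_supervisor_states(trans, G_MARKED)))
```

With S_BAD the product state (1, s1) is a deadlock state (c is disabled, so the unmarked plant state 1 has no continuation) and (5, s3), (6, s3) form a livelock (the uncontrollable, unobservable u cycles between two unmarked states), so Q_b = {s1, s3}; with S_GOOD every accessible product state is coaccessible.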

6 General Case: Synthesis Problem

In this section, the problem of synthesizing a safe nonblocking solution is addressed. We need the following definition.

Definition 4 Let $I \subseteq \{0, 1, \ldots\}$ be an index set and S be an automaton where $Q^S \subseteq Q^{N_{nb}} \times I$. We say that S generates a subbehavior of $N_{nb}$ if for all transitions in S of the form

$$(y_{k_0}, i_0) \xrightarrow{\sigma_1}_S (y_{k_1}, i_1) \xrightarrow{\sigma_2}_S \cdots \xrightarrow{\sigma_n}_S (y_{k_n}, i_n),$$

where $y_{k_0} \in Q_0^{N_{nb}}$, there exist corresponding transitions in $N_{nb}$ such that

$$y_{k_0} \xrightarrow{\sigma_1}_{N_{nb}} y_{k_1} \xrightarrow{\sigma_2}_{N_{nb}} \cdots \xrightarrow{\sigma_n}_{N_{nb}} y_{k_n}.$$

From the above definition, we can see that every run of S is matched by a run of $N_{nb}$, i.e., S is simulated by $N_{nb}$. Now we consider the nondeterministic automaton $N_{nb}$ in Fig. 5. A deterministic automaton, denoted by $S_b$, that generates a subbehavior of $N_{nb}$ is shown in Fig. 6. It is clear from Fig. 7 that $\overline{L_m(G \times \tilde S_b)} \neq L(G \times \tilde S_b)$. This implies that, while $G \times \tilde N_{nb} \simeq Trim(G \times \tilde N_{nb})$, we cannot guarantee the nonblocking property of the closed-loop language induced by a deterministic automaton that generates a subbehavior of $N_{nb}$, in general.

Figure 6: $\tilde S_b$, a deterministic automaton with states (y0, 0), (y2, 1), (y3, 2), (y5, 3), transitions labeled α1 and α2, and self-loops on the enabled unobservable events (β1, β2, and γ1 or γ2 where enabled); diagram omitted.

Figure 7: $G \times \tilde S_b$ (diagram omitted).

In the remainder of this section, we develop an algorithm that returns a deterministic automaton, denoted by $D_{nb}$, that generates a subbehavior of $N_{nb}$. The closed-loop language induced by $D_{nb}$ will have the properties of controllability, observability, and Lm(G)-closure. We direct the reader to the end of this paper for the detailed descriptions of all subroutines and to Fig. 16 for a flow chart of the overall procedure. An illustrative running example will be presented as we step through the algorithm.

Before we proceed further, let us provide an overview of the algorithm. First, we construct a certain deterministic finite-state automaton $D_0$ with tree transition structure (deterministic finite tree for brevity) generating a subbehavior of $N_{nb}$ [see Algorithms 2, 3, and 4]. $D_0$ is constructed in such a way that if one tries to build a path from any state of $D_0$ to a state in $N_{nb}$ that is not a part of $D_0$, the transition departing from a state of $D_0$ to a state of $N_{nb}$ becomes nondeterministic (see Lemma 1 for a rigorous treatment of this explanation). Therefore, any deterministic extension from a state of $D_0$ to a state of $N_{nb}$ (an extension that does not use the events already active at that state of $D_0$, i.e., the events labeling its transitions to other states in $D_0$) generating a subbehavior of $N_{nb}$ must use a state of $N_{nb}$ that is already defined in $D_0$. The resulting deterministic automaton $D_0$ is part of a deterministic supervisor that we build iteratively. Iterations are performed to ensure the nonblocking property of a certain set of states in $Q^{G \times \tilde D_0}$ that is called the States-To-Be-Marked set. Namely, we extend $D_0$ deterministically to guarantee that all states in States-To-Be-Marked reach marked states [see Algorithms 5 and 6]. This iteration stops in finitely many steps and returns a deterministic finite tree, denoted by $D_n$. The resulting deterministic automaton $D_n$ generates a subbehavior of $N_{nb}$ as well. We define some necessary deterministic transitions between states of $D_n$ and denote the resulting automaton (not necessarily a tree anymore) by $D_{nb}$ [Algorithm 7]. $D_{nb}$ also generates a subbehavior of $N_{nb}$. Finally, we show that $L_m(G \times \tilde D_{nb})$ is a safe nonblocking solution. This solves P4.

Now we formally describe the algorithm that returns $D_{nb}$. This description is given in terms of the procedure FIND-REGULAR-SOLUTION, which calls the routines INITIAL-SETTING, MERGE, SHORTEST-PATH, and REROUTING. Algorithms 1 and 2 describe FIND-REGULAR-SOLUTION and INITIAL-SETTING, respectively. The subroutine EXTEND-STATE used in INITIAL-SETTING is given in Algorithm 3. The subroutine FIND-NEAREST-NEW-STATE used in EXTEND-STATE is described in Algorithm 4.

Let us illustrate each step of INITIAL-SETTING(G, $N_{nb}$). In step 1, we select a finite trace $t = \zeta_0 \sigma_1 \zeta_1 \cdots \sigma_m \zeta_m \in L(G \times \tilde N_{nb}) = \overline{(L_m(H))^{\uparrow(COC)}}$, where $\zeta_i \in \Sigma_{uo}^*$ and $\sigma_i \in \Sigma_o$. For trace t, we can find estimation/control transitions ($y_{k_i} \in Q^{N_{nb}}$) such that

$$y_{k_0} \xrightarrow{\sigma_1} y_{k_{|\zeta_0 \sigma_1|}} \xrightarrow{\sigma_2} \cdots \xrightarrow{\sigma_m} y_{k_{|\zeta_0 \cdots \sigma_m|}}.$$

Let us consider G and $N_{nb}$ shown in Figs. 2 and 5, respectively. With these, we build $G \times \tilde N_{nb}$ shown in Fig. 8. Take $t = \beta_1 \alpha_1 \gamma_1 \in L(G \times \tilde N_{nb})$, where

$$(0, y_0) \xrightarrow{\beta_1} (1, y_0) \xrightarrow{\alpha_1} (3, y_1) \xrightarrow{\gamma_1} (7, y_1).$$

Then, the estimation/control transition for this trace is

$$y_0 \xrightarrow{\alpha_1}_{N_{nb}} y_1.$$

Steps 2, 3, and 4 of INITIAL-SETTING(G, $N_{nb}$) realize these control transitions as an automaton D by giving each state an index as follows:

$$(y_{k_0}, 0) \xrightarrow{\sigma_1}_D (y_{k_{|\zeta_0 \sigma_1|}}, 1) \xrightarrow{\sigma_2}_D \cdots \xrightarrow{\sigma_m}_D (y_{k_{|\zeta_0 \cdots \sigma_m|}}, m).$$

In step 5, the largest index used in D, m, is memorized as the variable Max. Following these steps, we construct the automaton D from $G \times \tilde N_{nb}$ such that

$$(y_0, 0) \xrightarrow{\alpha_1}_D (y_1, 1)$$

and set Max = 1.

Figure 8: $G \times \tilde N_{nb}$. Its accessible states are (0, y0), (1, y0), (2, y0), (1, y5), (2, y5), (3, y1), (3, y2), (4, y1), (4, y2), (5, y3), (5, y4), (6, y3), (6, y4), (7, y1), (8, y2), (9, y2), (10, y1), (11, y4), (12, y3), (13, y3), (14, y4); transitions are labeled by α1, α2, β1, β2, γ1, γ2 (diagram omitted).

In step 6, EXTEND-STATE($N_{nb}$, D, Max) is executed and new deterministically accessible states from states of $Q^D$ are found and added to $Q^D$ recursively. To execute FIND-NEAREST-NEW-STATE((y, l), $N_{nb}$, D, Max) in EXTEND-STATE($N_{nb}$, D, Max), a simple exhaustive search may be used. Following these steps with our running example, we obtain $D_0$, L, and States-To-Be-Marked shown in Fig. 9.

Figure 9: INITIAL-SETTING(G, $N_{nb}$). The deterministic tree $D_0$ has states (y0, 0), (y1, 1), (y3, 2), (y5, 3), (y5, 4), (y2, 5), (y4, 6), with root transition (y0, 0) −α1→ (y1, 1) and remaining transitions labeled α1 and α2 (diagram omitted). L = {(y5, 3), (y5, 4), (y2, 5), (y4, 6)}, Max = 6, and States-To-Be-Marked = {(1, y5, 3), (2, y5, 3), (1, y5, 4), (2, y5, 4), (3, y2, 5), (4, y2, 5), (8, y2, 5), (9, y2, 5), (5, y4, 6), (6, y4, 6), (11, y4, 6), (14, y4, 6)}.

In general, automaton $D_0$ has the following property.

Lemma 1 Consider the output automaton $D_0$ of INITIAL-SETTING(G, $N_{nb}$). Let $(y, l) \in Q^{D_0}$. Then, there do not exist $y^* \in Q^{N_{nb}}$, $\sigma \in \Sigma_o$ and $s \in \Sigma_o^*$ satisfying the three following conditions:

1. $y \xrightarrow{\sigma}_{N_{nb}} \hat y \xrightarrow{s}_{N_{nb}} y^*$ for some $\hat y \in Q^{N_{nb}}$ ($y^*$ is reachable);
2. there is no $(y', l') \in Q^{D_0}$ such that $y^* = y'$ ($y^*$ is a new state of $N_{nb}$);
3. $(y, l) \xrightarrow{\sigma}_{D_0}$ is not defined (with 1, $y^*$ is deterministically reachable).

Proof: Since EXTEND-STATE($N_{nb}$, D, Max) iteratively searches for and adds every deterministically reachable new state of $N_{nb}$, the result is clear.

Algorithms 5 and 6 describe the routines MERGE and SHORTEST-PATH that are used in FIND-REGULAR-SOLUTION. Figure 10 shows the resulting automaton $B_0$ of MERGE($D_0$, $N_{nb}$), where $D_0$ and $N_{nb}$ are shown in Figs. 9 and 5, respectively. We have the following lemma that shows a property of the MERGE operation.

Figure 10: $B_0 \leftarrow$ MERGE($D_0$, $N_{nb}$): the tree $D_0$ with states (y0, 0), (y1, 1), (y3, 2), (y5, 3), (y5, 4), (y2, 5), (y4, 6) together with the states y0, ..., y5 of $N_{nb}$, connected by transitions labeled α1 and α2 (diagram omitted).

Lemma 2 Let T be a finite tree generating a subbehavior of $N_{nb}$ in the sense of Definition 4. Let us denote the resulting automaton of MERGE(T, $N_{nb}$) by B. Then, $Trim(G \times \tilde B) \simeq G \times \tilde B$, that is, $G \times \tilde B$ is nonblocking.

Proof: First, we show that $G \times \tilde B$ is deadlock free. For $z = (q, z_B) \in Q^{G \times \tilde B}$, if $z_B \in Q^{N_{nb}}$, then from the construction of B and $Trim(G \times \tilde N_{nb}) \simeq G \times \tilde N_{nb}$, it is straightforward to see that z is not a deadlock state. Therefore, we only need to consider $z := (q, y, l)$ with $(y, l) \in Q^T$. For the sake of contradiction, suppose that $(q, y, l) \in Q^{G \times \tilde B}$ is a deadlock state. From the construction of B, we have that, for all $\alpha \in \Sigma$,

$$[(y, l) \xrightarrow{\alpha}_{\tilde B} !] \iff [y \xrightarrow{\alpha}_{\tilde N_{nb}} !].$$

Therefore, we have, for all $\alpha \in \Sigma$,

$$[(q, y, l) \xrightarrow{\alpha}_{G \times \tilde B} !] \iff [(q, y) \xrightarrow{\alpha}_{G \times \tilde N_{nb}} !].$$

Since $(q, y, l) \in Q_m^{G \times \tilde B}$ (respectively, $(q, y) \in Q_m^{G \times \tilde N_{nb}}$) iff $q \in Q_m^G$, we get that $(q, y, l)$ is a deadlock state iff $(q, y)$ is a deadlock state. This contradicts the fact that $Trim(G \times \tilde N_{nb}) \simeq G \times \tilde N_{nb}$. Since we showed that $G \times \tilde B$ is deadlock free, we only consider livelock hereafter.

Suppose that $z \in Q^{G \times \tilde B}$ is a livelock state. Then, with the same argument as above, it is straightforward to see that $z := (q, y, l)$ with $(y, l) \in Q^T$. Moreover, this implies that all states reachable from $(q, y, l)$ are in

$$R := \{ (q', y', l') \in Q^{G \times \tilde B} : (y', l') \in Q^T,\ q' \notin Q_m^G \}.$$

Moreover, since T is a finite tree and $(q, y, l)$ is a livelock state, R becomes

$$\{ (q', y', l') \in Q^{G \times \tilde B} : (y', l') = (y, l),\ q' \notin Q_m^G \}.$$

Suppose that $(q, y, l) \xrightarrow{\alpha}_{G \times \tilde B} (q', y, l)$. This implies that a transition $\alpha \in \Sigma$ allowed at $(y, l) \in Q^B$ should be a self-loop, that is, $(y, l) \xrightarrow{\alpha}_{\tilde B} (y, l)$. Then, from the construction of B, we have that $y \xrightarrow{\alpha}_{\tilde N_{nb}}$ is defined. T is a tree over the set of observable events. Therefore, by the construction of B, no transition from a state of T in B can be a self-loop. This implies that state $(y, l) \in Q^T$ cannot have self-loops in $\tilde B$ with observable transitions. Therefore, we have $\alpha \in \Sigma_{uo}$. Since an unobservable transition is realized only by a self-loop, we get

$$y \xrightarrow{\alpha}_{\tilde N_{nb}} y' \Rightarrow y' = y.$$

Then, with $y \xrightarrow{\alpha}_{\tilde N_{nb}} ! \iff (y, l) \xrightarrow{\alpha}_{\tilde B} !$, we get that the set of states reachable in $G \times \tilde N_{nb}$ from $(q, y)$ should be in

$$R' := \{ (q', y) \in Q^{G \times \tilde N_{nb}} : (q', y, l) \in R \}.$$

Since $q' \notin Q_m^G$ (therefore, $(q', y) \notin Q_m^{G \times \tilde N_{nb}}$), we have $Trim(G \times \tilde N_{nb}) \not\simeq G \times \tilde N_{nb}$, which is a contradiction. Therefore, $(q, y, l)$ cannot be a livelock state.

With Lemma 2, we have the following.

Corollary 1 In Algorithm 1, for all $0 \le i \le |\text{States-To-Be-Marked}|$, $Trim(G \times \tilde B_i) \simeq G \times \tilde B_i$.

Proof: We prove this by induction.
(Base) Since $D_0$ is a finite tree generating a subbehavior of $N_{nb}$, we have $Trim(G \times \tilde B_0) \simeq G \times \tilde B_0$ by Lemma 2.
(Induction Hypothesis) For $1 \le n \le |\text{States-To-Be-Marked}| - 1$, assume that $Trim(G \times \tilde B_n) \simeq G \times \tilde B_n$.
(Induction Step) With the induction hypothesis, it is possible to find a transition t satisfying the condition described in step 1 of SHORTEST-PATH. Then, it is straightforward to see that $D_{n+1}$ is a finite tree generating a subbehavior of $N_{nb}$. This implies, by Lemma 2, that $Trim(G \times \tilde B_{n+1}) \simeq G \times \tilde B_{n+1}$.

With the above corollary, we have the following.

Lemma 3 It is always possible to find a transition t satisfying the conditions described in step 1 of SHORTEST-PATH((q, y, l), $G \times \tilde B_i$, $N_{nb}$, $D_i$, Max).

Proof: Direct consequence of the nonblocking property of $G \times \tilde B_i$.

Returning to our example, Fig. 11 shows part of $G \times \tilde B_0$. We take (1, y5, 3) ∈ States-To-Be-Marked and apply SHORTEST-PATH((1, y5, 3), $G \times \tilde B_0$, $N_{nb}$, $D_0$, 6). Then, it turns out that

$$(1, y_5, 3) \xrightarrow{\alpha_1}_{G \times \tilde B_0} (3, y_2) \xrightarrow{\gamma_2}_{G \times \tilde B_0} (8, y_2)$$

is the shortest sequence of transitions to the marked state (8, y2). Following SHORTEST-PATH and FIND-REGULAR-SOLUTION, we get the automaton $D_1$, augmented with the transition

$$(y_5, 3) \xrightarrow{\alpha_1}_{D_1} (y_2, 7),$$

which is shown in Fig. 12. Repeating this procedure until States-To-Be-Marked becomes empty, we get $D_{12}$ shown in Fig. 13. Note that we have 12 iterations, since |States-To-Be-Marked| = 12. Over this $D_{12}$, we execute REROUTING($D_{12}$, $D_0$), which is described in Algorithm 7. The following lemma shows a property of the REROUTING operation.

Lemma 4 In step 2 of REROUTING($D_i$, $D_0$), for each $(y, l, \sigma) \in R$, there exists $(y^*, l^*) \in Q^{D_0}$ such that $y \xrightarrow{\sigma}_{N_{nb}} y^*$.

Figure 11: $G\times\tilde{B}_0$

Figure 12: $D_1$

Proof: For the sake of contradiction, suppose that there does not exist $(y^*,l^*)\in Q^{D_0}$ such that $y \xrightarrow[N_{nb}]{\sigma} y^*$. By the construction of $D_i$, we know that $D_0$ is a subtree of $D_i$ and $D_i$ is a deterministic tree. Let us consider two cases:
Case 1: ($D_i \simeq D_0$) It is straightforward to see that this contradicts Lemma 1.


Figure 13: $D_{12}$

Case 2: ($D_i \not\simeq D_0$) This implies that there exist $(y',l')\in Q^{D_0}$, $(y'',l'')\in Q^{D_i}\setminus Q^{D_0}$, $\sigma'\in\Sigma_o$, $s\in\Sigma_o^*$ satisfying the following conditions:
1. $y' \xrightarrow[N_{nb}]{\sigma'} y'' \xrightarrow[N_{nb}]{s} y \xrightarrow[N_{nb}]{\sigma} y^*$.
2. $\nexists (y^{D_0}, l^{D_0})\in Q^{D_0}$ such that $y^* = y^{D_0}$.
3. $(y',l') \xrightarrow[D_0]{\sigma'}$ is not defined.
Then, it is straightforward to see that this contradicts Lemma 1.

Returning to our example, Fig. 14 shows the result of REROUTING$(D_{12}, D_0)$. The resulting $D_{nb}$ has the following properties, which are described in Lemmas 5, 6, 7, and 8.

Lemma 5 $L_m(G\times\tilde{D}_{nb}) = L(G\times\tilde{D}_{nb})$.

Proof: We show this by arguing that every state in $Q^{G\times\tilde{D}_{nb}}$ reaches a marked state. First we show that $G\times\tilde{D}_{nb}$ is deadlock free. Suppose that there is a deadlock state $(q,y,l)\in Q^{G\times\tilde{D}_{nb}}$, for the sake of contradiction. From the construction of $D_{nb}$ (see the REROUTING operation), we have that, for all $\alpha\in\Sigma$,
$[(y,l) \xrightarrow[\tilde{D}_{nb}]{\alpha}!] \Leftrightarrow [y \xrightarrow[\tilde{N}_{nb}]{\alpha}!]$.
Therefore, we have, for all $\alpha\in\Sigma$,
$[(q,y,l) \xrightarrow[G\times\tilde{D}_{nb}]{\alpha}!] \Leftrightarrow [(q,y) \xrightarrow[G\times\tilde{N}_{nb}]{\alpha}!]$.

Figure 14: REROUTING$(D_{12}, D_0)$

Since $(q,y,l)\in Q^{G\times\tilde{D}_{nb}}_m$ (respectively $(q,y)\in Q^{G\times\tilde{N}_{nb}}_m$) iff $q\in Q^G_m$, we get that $(q,y,l)$ is a deadlock state iff $(q,y)$ is a deadlock state. This contradicts the fact that $\mathrm{Trim}(G\times\tilde{N}_{nb}) \simeq (G\times\tilde{N}_{nb})$. Since we showed that $G\times\tilde{D}_{nb}$ is deadlock free, we only consider livelock hereafter.

For $(q,y,l)\in Q^{G\times\tilde{D}_{nb}}$, we consider the following cases:

(Case 1: $(y,l)\in L$), where $L$ is from INITIAL-SETTING. That is, $(q,y,l)\in$ States-To-Be-Marked. By Lemma 3, each such $(q,y,l)$ is guaranteed to reach a marked state.

(Case 2: $(y,l)\notin L$ and $(y,l)\in Q^{D_0}$) Assume that $(q,y,l)$ is a livelock state, for the sake of contradiction. With the conclusion of Case 1, $(q,y,l)$ cannot reach states in States-To-Be-Marked. This implies that all reachable states from $(q,y,l)$ are in
$R := \{(q',y',l')\in Q^{G\times\tilde{D}_{nb}} : (y',l')\notin L,\ (y',l')\in Q^{D_0},\ q'\notin Q^G_m\}$
by the construction of $D_0$ and the definition of $L$. Moreover, since $D_0$ is a finite tree and $(q,y,l)$ is a livelock state, $R$ becomes
$R := \{(q',y',l')\in Q^{G\times\tilde{D}_{nb}} : (y',l') = (y,l),\ q'\notin Q^G_m\}$.
Suppose that $(q,y,l) \xrightarrow[G\times\tilde{D}_{nb}]{\alpha} (q',y,l)$. This implies that a transition $\alpha\in\Sigma$ allowed at $(y,l)\in Q^{\tilde{D}_{nb}}$ should be a self-loop, that is, $(y,l) \xrightarrow[\tilde{D}_{nb}]{\alpha} (y,l)$. Then, from the construction of $\tilde{D}_{nb}$, we have that $y \xrightarrow[\tilde{N}_{nb}]{\alpha}$ is defined. Suppose that $\alpha\in\Sigma_o$. Then, since $(y,l)\notin L$ and $(y,l)\in Q^{D_0}$, we get $(y,l) \xrightarrow[D_0]{\alpha} (y',l') \ne (y,l)$. This implies that $(y,l) \xrightarrow[\tilde{D}_{nb}]{\alpha} (y,l)$ does not hold, which is a contradiction. Therefore, we have $\alpha\in\Sigma_{uo}$. Since an unobservable transition in $\tilde{N}_{nb}$ is realized only by a self-loop, we get $y \xrightarrow[\tilde{N}_{nb}]{\alpha} y' \Rightarrow y' = y$. Then, with $y \xrightarrow[\tilde{N}_{nb}]{\alpha}! \Leftrightarrow (y,l) \xrightarrow[\tilde{D}_{nb}]{\alpha}!$, we get that the set of reachable states from $(q,y)$ in $G\times\tilde{N}_{nb}$ should be in
$R' := \{(q',y)\in Q^{G\times\tilde{N}_{nb}} : (q',y,l)\in R\}$.
Since $q'\notin Q^G_m$, we get $(q',y)\notin Q^{G\times\tilde{N}_{nb}}_m$. Therefore, we have $\mathrm{Trim}(G\times\tilde{N}_{nb}) \not\simeq (G\times\tilde{N}_{nb})$, which is a contradiction. Therefore, $(q,y,l)$ cannot be a livelock state.

(Case 3: $(y,l)\notin Q^{D_0}$) We consider two cases. The first case is when $(q,y,l)$ reaches one of the states of Cases 1 or 2. Then, $(q,y,l)$ can reach a marked state eventually. The second case is when $(q,y,l)$ cannot reach any of the states of Cases 1 and 2. Applying a similar argument to that of Case 2, with a slight modification, we can show that $(q,y,l)$ should reach a marked state.

This leads to $L_m(G\times\tilde{D}_{nb}) = L(G\times\tilde{D}_{nb})$. Returning to the example, Fig. 15 shows the result of $L(G\times\tilde{D}_{nb})$.

Lemma 6 $L(G\times\tilde{D}_{nb})$ is controllable w.r.t. $L(G)$ and $\Sigma_{uc}$, and observable w.r.t. $L(G)$, $\Sigma_c$, and $\Sigma_o$.

Proof: (Controllability) For the sake of contradiction, let us suppose that $L(G\times\tilde{D}_{nb})$ is not controllable w.r.t. $L(G)$ and $\Sigma_{uc}$. That is, there exist $s\in L(G\times\tilde{D}_{nb})$ and $\sigma\in\Sigma_{uc}$ such that $s\sigma\in L(G)\setminus L(G\times\tilde{D}_{nb})$. Since $s\in L(G\times\tilde{D}_{nb})$, we know that there exist transitions in $\tilde{D}_{nb}$ such that $(E_0,\Gamma_0,0) \xrightarrow[\tilde{D}_{nb}]{s} (E,\Gamma,k)$, where $(E_0,\Gamma_0,0)$ is the initial state of $D_{nb}$. Since $\Sigma_{uc}\subseteq\Gamma$ and $\sigma\in\Sigma_{uc}$, we get $\sigma\in\Gamma$. We consider two cases.


Figure 15: $G\times\tilde{D}_{nb}$

(Case 1: $\sigma\in\Sigma_{uo}$) From the construction of $\tilde{D}_{nb}$, we get $s\sigma\in s(\Gamma\cap\Sigma_{uo})^* \subseteq L(\tilde{D}_{nb})$, with a slight abuse of notation. Then, with $s\sigma\in L(G)$, we have $s\sigma\in L(G\times\tilde{D}_{nb})$. This is a contradiction.
(Case 2: $\sigma\in\Sigma_o$) With Lemma 4 and the construction of $N_{nb}$, if $s\sigma\in L(G)$, we get $s\sigma\in s(\Gamma\cap\Sigma_o) \subseteq L(\tilde{D}_{nb})$. This implies that $s\sigma\in L(G\times\tilde{D}_{nb})$. This is a contradiction.

(Observability) For the sake of contradiction, let us suppose that $L(G\times\tilde{D}_{nb})$ is not observable. That is, there exist $s,s'\in L(G\times\tilde{D}_{nb})$ and $\sigma\in\Sigma_c$ such that $P(s) = P(s')$, $s\sigma\in L(G\times\tilde{D}_{nb})$ and $s'\sigma\in L(G)\setminus L(G\times\tilde{D}_{nb})$. Since $s,s'\in L(G\times\tilde{D}_{nb})$, we know that there exist transitions in $D_{nb}$ such that
$(E_0,\Gamma_0,0) \xrightarrow[D_{nb}]{P(s)=P(s')} (E,\Gamma,k)$.
From the construction of $\tilde{D}_{nb}$ and $s\sigma\in L(\tilde{D}_{nb})$, we get $\sigma\in\Gamma$. We consider two cases:
(Case 1: $\sigma\in\Sigma_{uo}$) From the construction of $\tilde{D}_{nb}$, we get $s'\sigma\in s'(\Gamma\cap\Sigma_{uo})^* \subseteq L(\tilde{D}_{nb})$. Then, with $s'\sigma\in L(G)$, we have $s'\sigma\in L(G\times\tilde{D}_{nb})$. This is a contradiction.
(Case 2: $\sigma\in\Sigma_o$) With Lemma 4 and the construction of $N_{nb}$, if $s'\sigma\in L(G)$, we get $s'\sigma\in s'(\Gamma\cap\Sigma_o) \subseteq L(\tilde{D}_{nb})$. Then, we have $s'\sigma\in L(G\times\tilde{D}_{nb})$. This is a contradiction.


Lemma 7 $L_m(G\times\tilde{D}_{nb})$ is $L_m(G)$-closed.

Proof:
$L_m(G\times\tilde{D}_{nb}) \cap L_m(G) = L(G\times\tilde{D}_{nb}) \cap L_m(G)$   (∵ Lemma 5)
$= L(G) \cap L(\tilde{D}_{nb}) \cap L_m(G)$
$= L_m(\tilde{D}_{nb}) \cap L_m(G)$   (∵ $L_m(G)\subseteq L(G)$)
$= L_m(G\times\tilde{D}_{nb})$.

Lemma 8 $L_m(G\times\tilde{D}_{nb}) \subseteq L_m(H)$.

Proof: We have that $L_m(H) = L(H)$ by assumption and $L_m(G\times\tilde{D}_{nb}) = L(G\times\tilde{D}_{nb})$ by Lemma 5. We also have that $L_m(H)$ and $L_m(G\times\tilde{D}_{nb})$ are $L_m(G)$-closed, by assumption and Lemma 7. Therefore, it is enough to show $L(G\times\tilde{D}_{nb}) \subseteq L(H)$ to prove $L_m(G\times\tilde{D}_{nb}) \subseteq L_m(H)$. From the construction of $\tilde{D}_{nb}$, it is straightforward that, for all transitions defined in $\tilde{D}_{nb}$ of the form
$(y_0,0) \xrightarrow[\tilde{D}_{nb}]{\sigma_1} (y_1,i_1) \xrightarrow[\tilde{D}_{nb}]{\sigma_2} \cdots \xrightarrow[\tilde{D}_{nb}]{\sigma_m} (y_m,i_m)$,
there exist corresponding transitions in $N_{nb}$ such that
$y_0 \xrightarrow[\tilde{N}_{nb}]{\sigma_1} y_1 \xrightarrow[\tilde{N}_{nb}]{\sigma_2} \cdots \xrightarrow[\tilde{N}_{nb}]{\sigma_m} y_m$.
Since $L(G\times\tilde{N}_{nb}) \subseteq L(H)$, we get $L(G\times\tilde{D}_{nb}) \subseteq L(H)$.

Collecting all the preceding results, we obtain the main contribution of this paper.

Theorem 4 SYNTHESIS PROBLEM is solvable.

Proof: First we test the existence of a safe nonblocking solution. This can be done by synthesizing $N_{nb}$. If $N_{nb}$ is the empty automaton, answer “No”. If $N_{nb}$ is not empty, apply FIND-REGULAR-SOLUTION$(G, N_{nb})$.

We conclude the section with a further characterization of the $\uparrow(COC)$ operation that builds on the algorithms presented in this section. Let us define the following class of languages:
$\mathcal{L}_{reg}(L_m(H)) := \{L\subseteq L_m(H) : L \text{ is controllable, observable, } L_m(G)\text{-closed, and regular}\}$.
Then, we have the following.

Theorem 5 $\bigcup\{L : L\in\mathcal{L}_{reg}(L_m(H))\} = (L_m(H))^{\uparrow(COC)}$.


Proof: The inclusion $\bigcup\{L : L\in\mathcal{L}_{reg}(L_m(H))\} \subseteq (L_m(H))^{\uparrow(COC)}$ is obvious. For the other direction, we can choose any finite trace $t\in(L_m(H))^{\uparrow(COC)}$ in INITIAL-SETTING$(G, N_{nb})$. Moreover, we know that $t\in L(G\times\tilde{D}_{nb})$ and $L(G\times\tilde{D}_{nb})$ is regular. Therefore, the result is immediate.

This result gives some insight into the structure of the solution space of safe nonblocking solutions of centralized supervisory control under partial observation. Namely, the union of all regular safe nonblocking solutions is a regular language. The implications of this result remain to be explored.

Figure 16: Flow chart of the algorithm (Algorithm 1). The chart reads: START; $(D_0, \text{Max}, \text{States-To-Be-Marked}) \leftarrow$ INITIAL-SETTING$(G, N_{nb})$ [Alg. 2, 3, 4]; $i\leftarrow 0$; test “States-To-Be-Marked $=\emptyset$?”. If Yes: $D_{nb}\leftarrow$ REROUTING$(D_i, D_0)$ [Alg. 7]; Return $D_{nb}$. If No: Pick any $(q,y,l)\in$ States-To-Be-Marked; $B_i\leftarrow$ MERGE$(D_i, N_{nb})$ [Alg. 5]; $D\leftarrow$ SHORTEST-PATH$((q,y,l), G\times\tilde{B}_i, N_{nb}, D_i, \text{Max})$ [Alg. 6]; $i\leftarrow i+1$; $D_i\leftarrow D$; States-To-Be-Marked $\leftarrow$ States-To-Be-Marked $\setminus\{(q,y,l)\}$; back to the test.


7 Conclusion

We presented an algorithm that synthesizes a safe and nonblocking solution in the context of centralized supervisory control under partial observation. Figure 16 shows the flow chart of the algorithm. With this algorithm, we showed that the problem of synthesizing a safe and nonblocking solution is solvable.

Acknowledgment This research was supported in part by NSF grant CCR-0082784.



Algorithm 1 $D_{nb} \leftarrow$ FIND-REGULAR-SOLUTION$(G, N_{nb})$
1: $(D_0, \text{Max}, \text{States-To-Be-Marked}) \leftarrow$ INITIAL-SETTING$(G, N_{nb})$
2: $i \leftarrow 0$
3: while States-To-Be-Marked $\ne\emptyset$ do
4:   Pick any $(q,y,l)\in$ States-To-Be-Marked
5:   $B_i \leftarrow$ MERGE$(D_i, N_{nb})$
6:   $D \leftarrow$ SHORTEST-PATH$((q,y,l), G\times\tilde{B}_i, N_{nb}, D_i, \text{Max})$
7:   $i \leftarrow i+1$
8:   $D_i \leftarrow D$
9:   States-To-Be-Marked $\leftarrow$ States-To-Be-Marked $\setminus\{(q,y,l)\}$
10: end while
11: $D_{nb} \leftarrow$ REROUTING$(D_i, D_0)$


Algorithm 2 $[D, \text{Max}, \text{States-To-Be-Marked}] \leftarrow$ INITIAL-SETTING$(G, N_{nb})$
1: Pick a finite trace $t\in L(G\times\tilde{N}_{nb})$. Then, $t$ can be expressed as follows:
   $t = t_1 t_2 t_3 \ldots t_n$, $t_i\in\Sigma$,
     $= \zeta_0 \sigma_1 \zeta_1 \ldots \sigma_m \zeta_m$, $\zeta_i\in\Sigma_{uo}^*$, $\sigma_i\in\Sigma_o$.
   Then, there exist transitions such that
   $(q_{k_0}, y_{k_0}) \xrightarrow[G\times\tilde{N}_{nb}]{t_1} \cdots \xrightarrow[G\times\tilde{N}_{nb}]{t_n} (q_{k_n}, y_{k_n})$
   $\Rightarrow (q_{k_0}, y_{k_0}) \xrightarrow[G\times\tilde{N}_{nb}]{\zeta_0} (q_{k_{|\zeta_0|}}, y_{k_0}) \xrightarrow[G\times\tilde{N}_{nb}]{\sigma_1} \cdots \xrightarrow[G\times\tilde{N}_{nb}]{\sigma_m} (q_{k_{|\zeta_0\ldots\sigma_m|}}, y_{k_{|\zeta_0\ldots\sigma_m|}}) \xrightarrow[G\times\tilde{N}_{nb}]{\zeta_m} (q_{k_{|\zeta_0\ldots\zeta_m|}}, y_{k_{|\zeta_0\ldots\sigma_m|}})$
2: $Q^D \leftarrow \{(y_{k_0}, 0), (y_{k_{|\zeta_0\ldots\sigma_1|}}, 1), \ldots, (y_{k_{|\zeta_0\ldots\sigma_m|}}, m)\}$ and $Q^D_0 \leftarrow \{(y_{k_0}, 0)\}$
3: $(y_{k_0}, 0) \xrightarrow[D]{\sigma_1} (y_{k_{|\zeta_0\ldots\sigma_1|}}, 1)$ and $(y_{k_{|\zeta_0\ldots\sigma_{i-1}|}}, i-1) \xrightarrow[D]{\sigma_i} (y_{k_{|\zeta_0\ldots\sigma_i|}}, i)$, for $2\le i\le m$
4: $D \leftarrow (Q^D, \Sigma_o, \to_D, Q^D_0, Q^D)$
5: $\text{Max} \leftarrow m$
6: $(D, L, \text{Max}) \leftarrow$ EXTEND-STATE$(N_{nb}, D, \text{Max})$
7: States-To-Be-Marked $\leftarrow \{(q,y,l) : (q,y,l)\in Q^G\times L$, where $y = (E,\Gamma)$ and $q\in\Delta_G(E, (\Gamma\cap\Sigma_{uo})^*)\}$

Algorithm 3 $[D, L] \leftarrow$ EXTEND-STATE$(N_{nb}, D, \text{Max})$
1: Set $Y = Q^D$
2: while $Y\ne\emptyset$ do
3:   Pick any $(y,l)\in Y$
4:   $(D, \text{New-States}, \text{Max}) \leftarrow$ FIND-NEAREST-NEW-STATE$((y,l), N_{nb}, D, \text{Max})$
5:   if New-States $=\emptyset$ then
6:     $Y \leftarrow Y\setminus\{(y,l)\}$
7:   else
8:     $Y \leftarrow Y\cup$ New-States
9:   end if
10:  $L \leftarrow \{(y,l)\in Q^D : \exists\sigma\in\Sigma^{N_{nb}}, \exists y'\in Q^{N_{nb}}$ s.t. $y \xrightarrow[N_{nb}]{\sigma} y'$ and $(y,l) \xrightarrow[D]{\sigma}$ is not defined$\}$
11: end while


Algorithm 4 $[D, \text{New-States}, \text{Max}] \leftarrow$ FIND-NEAREST-NEW-STATE$((y,l), N_{nb}, D, \text{Max})$
1: Find transitions satisfying the following conditions:
   1. $y \xrightarrow[N_{nb}]{\sigma_1} y_{k_1} \xrightarrow[N_{nb}]{\sigma_2} \cdots \xrightarrow[N_{nb}]{\sigma_n} y_{k_n}$, $\sigma_i\in\Sigma_o$
   2. $|\sigma_1\sigma_2\ldots\sigma_n| = n$ is minimal
   3. $\nexists (y',l')\in Q^D$ such that $y_{k_n} = y'$
   4. $(y,l) \xrightarrow[D]{\sigma_1}$ is not defined
2: Augment $D$ with the following transitions:
   $(y,l) \xrightarrow[D]{\sigma_1} (y_{k_1}, \text{Max}+1) \xrightarrow[D]{\sigma_2} (y_{k_2}, \text{Max}+2) \xrightarrow[D]{\sigma_3} \cdots \xrightarrow[D]{\sigma_n} (y_{k_n}, \text{Max}+n)$
3: New-States $\leftarrow \{(y_{k_i}, \text{Max}+i) : 1\le i\le n\}$
4: $\text{Max} \leftarrow \text{Max}+n$
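The procedure of Algorithms 3 and 4 (EXTEND-STATE driving FIND-NEAREST-NEW-STATE), as an added Python example that is not part of the paper: the observable automaton NNB, the dictionary encoding of the tree D, and the FIFO order in which states of Y are picked are constructed choices of this example, not the paper's running example.

```python
from collections import deque

# Constructed toy N_nb over observable events {a, b} (not the paper's running
# example): NNB[y][sigma] = y'.  A tree D is a dict D[(y, l)][sigma] = (y', l').
NNB = {
    "y0": {"a": "y1", "b": "y2"},
    "y1": {"a": "y3"},
    "y2": {"b": "y0"},
    "y3": {"a": "y1", "b": "y2"},
}


def find_nearest_new_state(state, nnb, d, max_label):
    """Algorithm 4.  Breadth-first search in N_nb from y for a shortest observable
    path whose first event is undefined at (y, l) in D (condition 4) and whose
    last state carries a y not yet present in D (condition 3).  D is augmented
    in place; returns (New-States, Max)."""
    y, _ = state
    present = {yy for (yy, _) in d}
    defined = d.setdefault(state, {})
    # A queue entry is a trail [(sigma_1, y_k1), ..., (sigma_j, y_kj)] from y.
    queue = deque([(s, nnb[y][s])] for s in nnb.get(y, {}) if s not in defined)
    visited = set()
    while queue:
        trail = queue.popleft()            # FIFO order: minimal n (condition 2)
        cur = trail[-1][1]
        if cur not in present:
            break
        if cur in visited:
            continue
        visited.add(cur)
        queue.extend(trail + [(s, nxt)] for s, nxt in nnb.get(cur, {}).items())
    else:
        return [], max_label               # no new state reachable from (y, l)
    # Step 2: (y,l) -> (y_k1, Max+1) -> ... -> (y_kn, Max+n).  Intermediate
    # states copy an existing y under a fresh label, which keeps D a tree.
    new_states, src = [], state
    for i, (s, nxt) in enumerate(trail, start=1):
        dst = (nxt, max_label + i)
        d[src][s] = dst
        d.setdefault(dst, {})
        new_states.append(dst)
        src = dst
    return new_states, max_label + len(trail)   # steps 3 and 4


def extend_state(nnb, d, max_label):
    """Algorithm 3.  Grow the tree D until no state can reach a y absent from D.
    Returns (D, L, Max), where L collects the states at which N_nb allows an
    observable event that D leaves undefined (the candidates for marking)."""
    pending = list(d)                      # Y := Q^D, picked in FIFO order
    while pending:
        state = pending.pop(0)
        new_states, max_label = find_nearest_new_state(state, nnb, d, max_label)
        if new_states:                     # Y <- Y U New-States; (y, l) stays in Y
            pending.append(state)
            pending.extend(new_states)
    frontier = {(y, l) for (y, l) in d
                if any(s not in d[(y, l)] for s in nnb.get(y, {}))}
    return d, frontier, max_label
```

Starting from the single-state tree {(y0, 0)} with Max = 0, the loop adds (y1, 1), (y2, 2) and (y3, 3) and reports L = {(y2, 2), (y3, 3)}; a call from (y2, 1) in a tree that lacks y1 shows a two-step path that duplicates y0 under a fresh label.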

Algorithm 5 $B_i \leftarrow$ MERGE$(D_i, N_{nb})$
1: Construct automaton $B_i = (Q^{B_i}, \Sigma_o, \to_{B_i}, Q^{B_i}_0, Q^{B_i})$ as follows:
   $Q^{B_i} = Q^{N_{nb}} \cup Q^{D_i}$ and $Q^{B_i}_0 = Q^{D_i}_0$
   The transition rules are:
   (Case 1: $(y,l), (y',l')\in Q^{D_i}$) $(y,l) \xrightarrow[B_i]{\sigma} (y',l')$, if $(y,l) \xrightarrow[D_i]{\sigma} (y',l')$
   (Case 2: $y, y'\in Q^{N_{nb}}$) $y \xrightarrow[B_i]{\sigma} y'$, if $y \xrightarrow[N_{nb}]{\sigma} y'$
   (Case 3: $(y,l)\in Q^{D_i}$, $y'\in Q^{N_{nb}}$) $(y,l) \xrightarrow[B_i]{\sigma} y'$, if $[y \xrightarrow[N_{nb}]{\sigma} y'] \wedge [(y,l) \xrightarrow[D_i]{\sigma}$ is not defined$]$; $y' \xrightarrow[B_i]{\sigma} (y,l)$ is not defined


Algorithm 6 $D_i \leftarrow$ SHORTEST-PATH$((q,y,l), G\times\tilde{B}_i, N_{nb}, D_i, \text{Max})$
1: Find a transition $t$, where
   $t = t_1 t_2 t_3 \ldots t_n$, $t_i\in\Sigma$,
     $= \zeta_0\sigma_1\zeta_1\ldots\sigma_m\zeta_m$, $\zeta_i\in\Sigma_{uo}^*$, $\sigma_i\in\Sigma_o$,
   satisfying the following conditions:
   1. $(q,y,l) := (q_0,z_0) \xrightarrow[G\times\tilde{B}_i]{t_1} (q_1,z_1) \xrightarrow[G\times\tilde{B}_i]{t_2} \cdots \xrightarrow[G\times\tilde{B}_i]{t_n} (q_n,z_n) \in Q^{G\times\tilde{B}_i}_m$.
   2. $|t_1t_2\ldots t_n| = n$ is minimal.
   Then,
   $(q_0,z_0) \xrightarrow[G\times\tilde{B}_i]{\zeta_0} (q_{|\zeta_0|}, z_0) \xrightarrow[G\times\tilde{B}_i]{\sigma_1} \cdots \xrightarrow[G\times\tilde{B}_i]{\sigma_m} (q_{|\zeta_0\ldots\sigma_m|}, z_{|\zeta_0\ldots\sigma_m|}) \xrightarrow[G\times\tilde{B}_i]{\zeta_m} (q_{|\zeta_0\ldots\zeta_m|}, z_{|\zeta_0\ldots\sigma_m|})$.
   We have corresponding transitions in $B_i$ such that
   $z_0 := z_{i_0} \xrightarrow[B_i]{\sigma_1} z_{i_1} \xrightarrow[B_i]{\sigma_2} \cdots \xrightarrow[B_i]{\sigma_m} z_{i_m}$.
   Then, $\{z_{i_0},\ldots,z_{i_m}\}\subseteq Q^{D_i}$, or there exists $j$ such that $\{z_{i_0},\ldots,z_{i_{j-1}}\}\subseteq Q^{D_i}$ and $\{z_{i_j},\ldots,z_{i_m}\}\subseteq Q^{N_{nb}}$, by the construction of $B_i$.
2: If there exists such a $j$, then for $j\le k\le m$ set $z'_{i_k} \leftarrow (z_{i_k}, \text{Max}+k)$.
3: Augment $\to_{D_i}$ with the transitions
   $z_{i_{j-1}} \xrightarrow[B_i]{\sigma_1} z'_{i_j} \xrightarrow[B_i]{\sigma_2} \cdots \xrightarrow[B_i]{\sigma_m} z'_{i_m}$.


Algorithm 7 $D_i \leftarrow$ REROUTING$(D_i, D_0)$
1: $R := \{(y,l,\sigma)\in Q^{D_i}\times\Sigma_o : \exists\sigma\in\Sigma_o, \exists y^*\in Q^{N_{nb}}$ s.t. $y \xrightarrow[N_{nb}]{\sigma} y^*$ and $(y,l) \xrightarrow[D_i]{\sigma}$ is not defined$\}$.
2: For each $(y,l,\sigma)\in R$, pick a $(y^*,l^*)\in Q^{D_0}$ such that $y \xrightarrow[N_{nb}]{\sigma} y^*$
3: Augment $\to_{D_i}$ with $(y,l) \xrightarrow[D_i]{\sigma} (y^*,l^*)$
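REROUTING (Algorithm 7) together with the transition-completeness property that the proof of Lemma 5 takes from it, as an added Python example that is not the paper's code: the automaton NNB and the trees D_0 and D_I are constructed inputs of this example (D_I stands for some D_i grown from D_0 by one SHORTEST-PATH step), not the paper's running example.

```python
# Constructed toy inputs (not the paper's running example). NNB[y][sigma] = y';
# trees are dicts D[(y, l)][sigma] = (y', l'), as produced by INITIAL-SETTING.
NNB = {
    "y0": {"a": "y1", "b": "y2"},
    "y1": {"a": "y3"},
    "y2": {"b": "y0"},
    "y3": {"a": "y1", "b": "y2"},
}
SIGMA_O = ("a", "b")
D_0 = {
    ("y0", 0): {"a": ("y1", 1), "b": ("y2", 2)},
    ("y1", 1): {"a": ("y3", 3)},
    ("y2", 2): {},
    ("y3", 3): {},
}
# D_I: D_0 grown by one SHORTEST-PATH step that copied y1 under a fresh label.
D_I = {**{s: dict(t) for s, t in D_0.items()},
       ("y3", 3): {"a": ("y1", 4)}, ("y1", 4): {}}


def rerouting(nnb, d_i, d_0, sigma_o):
    """Algorithm 7.  Every observable event that N_nb allows at y but that D_i
    leaves undefined at (y, l) is redirected into the initial tree D_0, to a
    state (y*, l*) whose first component is the N_nb successor y*.  Returns a
    new transition relation; d_i itself is not modified."""
    out = {s: dict(t) for s, t in d_i.items()}
    # Step 1: R = {(y, l, sigma) : y -sigma-> y* in N_nb, (y,l) -sigma-> undefined in D_i}
    r = [(y, l, s) for (y, l) in d_i for s in sigma_o
         if s in nnb.get(y, {}) and s not in d_i[(y, l)]]
    for y, l, s in r:
        y_star = nnb[y][s]
        # Step 2: Lemma 4 guarantees such a (y*, l*) in D_0 when D_0 comes from
        # INITIAL-SETTING; a constructed D_0 that violates this is reported.
        candidates = [st for st in d_0 if st[0] == y_star]
        if not candidates:
            raise ValueError(f"no state of D_0 carries {y_star}")
        # "pick a (y*, l*)": any candidate is valid; the smallest label is
        # chosen here only to make the result deterministic.
        out[(y, l)][s] = min(candidates, key=lambda st: st[1])
    return out


def agrees_with_nnb(nnb, d):
    """The property the proof of Lemma 5 relies on: for every state (y, l) of D
    and every event, (y,l) -sigma-> is defined in D iff y -sigma-> is in N_nb."""
    return all(set(t) == set(nnb.get(y, {})) for (y, _), t in d.items())
```

On the constructed inputs, R contains (y2, 2, b), (y3, 3, b) and (y1, 4, a); after rerouting, every state of the result agrees with NNB on its defined events, which D_I alone does not.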
