Nonconflict check by using sequential automaton abstractions based on weak observation equivalence

doi:10.1016/j.automatica.2010.02.025

Automatica

Volume 46, Issue 6, June 2010, Pages 968-978

https://doi.org/10.1016/j.automatica.2010.02.025 Get rights and content

Abstract

In Ramadge–Wonham supervisory control theory we often need to check nonconflict of plants and corresponding synthesized supervisors. For a large system such a check imposes a great computational challenge because of the complexity incurred by the composition of plants and supervisors. In this paper we present a novel procedure based on automaton abstractions, which removes internal transitions of relevant automata at each step, allowing the nonconflict check to be performed on relatively small automata, even though the original product system can be fairly large.

Introduction

Since Ramadge–Wonham supervisory control theory was proposed (Ramadge and Wonham, 1987, Wonham and Ramadge, 1987) in the 1980’s, significant improvement and extensions have been made. The Ramadge–Wonham paradigm relies on synchronous product to compose local components and specifications together, upon which a standard supervisor synthesis procedure (i.e. achieving controllability, observability and nonblockingness) is performed. Unfortunately, the computational complexity of synchronous product is exponentially high with respect to the number of components and their individual numbers of states. To overcome this complexity issue, many new synthesis approaches have been developed. For example, in Wonham and Ramadge (1988) the authors propose the concept of modularity, which is then extended to the concept of local modularity in de Queiroz and Cury (2000). When local supervisors are (locally) modular, a globally nonblocking supervisor becomes a product of local supervisors achievable through local synthesis. Recently new modular synthesis approaches have been proposed, e.g. in Feng and Wonham (2006), Hill, Tilbury, and Lafortune (2008) and Schmidt and Breindl (2008), which perform model abstractions first, upon which the standard synthesis approach is applied. In Leduc, Lawford, and Wonham (2005) the authors present a hierarchical interface-based approach, which, by imposing a specific interface invariance condition, decouples a large system into several independent local modules, and supervisor synthesis can be performed on each local module whose size is usually much smaller than the overall system.

When applying those new techniques, particularly modular approaches, we often need to check whether a collection of finite-state automata are nonconflicting with each other. Such a check is necessary for at least three reasons. First, a synthesis approach may require it, e.g. in de Queiroz and Cury (2000) and Wonham and Ramadge (1988) (local) modularity needs to be tested. Second, during synthesis if we can locate conflicting modules directly, then it is much more efficient to compute appropriate coordinators, that can resolve conflicts among local supervisors, as proposed in Feng and Wonham (2006), Hill et al. (2008) and Schmidt and Breindl (2008). Finally, even though theoretically a synthesis approach can guarantee that a supervisor is nonconflicting with a plant, practically we still need to test it because a synthesis program may contain coding errors causing incorrect results. Thus, a nonconflict check may help a user decide whether the obtained supervisor is indeed nonconflicting with the plant.

There has been some work on nonconflict testing, e.g. in, Flordal and Malik (2006)Pena, Carrilho da Cunha, Cury, and Lafortune (2008) and Pena, Cury, and Lafortune (2006) the authors propose to utilize model abstractions to avoid high complexity caused by synchronous product. The relationship between those model abstraction techniques are discussed in Malik, Flordal, and Pena (2008). To compute model abstraction (Pena et al., 2008, Pena et al., 2006) use natural projections, which are required to be observers (Wong & Wonham, 2004). The main disadvantage of using observers is that the alphabet of the codomain of a projection may need to be fairly large for the sake of achieving the observer property, potentially causing the size of the projected image too large for effective nonconflict test. To overcome this difficulty, we propose to use an automaton abstraction procedure, which is extended from the one presented in Su, van Schuppen, and Rooda (2008) and Su, van Schuppen, and Rooda (in press) by replacing the weak bisimilarity with the largest weak observation equivalence relation and revising the concept of standardized automata originally defined in Su et al. (in press) so that the nonblocking equivalence relation holds during abstraction and product, making our abstraction-based nonconflict check approach valid. Although the reduction approach in Flordal and Malik (2006) and several other approaches in the literature are based on nondeterministic automata, e.g. Flordal and Malik (2006), Flordal, Malik, Fabian, and Akesson (2007), Hill et al. (2008), Malik and Flordal (2008) and Su and Thistle (2006), they are different from ours that can be explained as follows. First, they use different equivalence relations during quotient construction, e.g. in Flordal and Malik (2006), Hill et al. (2008) and Su and Thistle (2006) the weak bisimilarity is used, and in Flordal et al. (2007) and Malik and Flordal (2008) the bisimilarity is used. As a contrast, we use the largest weak observation equivalence relation, which contains two different features compared with the (weak) bisimilarity: given two equivalent states, say $x$ and $x^{'}$ , under the largest weak observation equivalence relation, (1) $x$ and $x^{'}$ must have the same marking status, which need not be true under the (weak) bisimilarity; and (2) $x$ and $x^{'}$ may have inequivalent ‘unobservable’ extensions (in the sense that $x$ can reach a state, say $y$ , via an ‘unobservable’ string, but $x^{'}$ cannot reach any state $y^{'}$ weak observation equivalent to $y$ via an ‘unobservable’ string), which can not happen under the (weak) bisimilarity. The first feature potentially makes the state set of an abstraction larger than the one under the (weak) bisimilarity, and the second one affects the size of the state set in an opposite way. Since it is common that there are only a few marker states in a large automaton, the second feature is usually the dominant factor for state reduction, making the largest weak observation equivalence relation favored over the (weak) bisimilarity. The second feature also forces us to adopt a nonstandard way to construct the transition map of an abstraction, where two quotient states are connected only through ‘observable’ events, and no silent event is used, which is different from the standard quotient construction under the (weak) bisimilarity in those existing automaton-based abstraction techniques. Our second contribution is to present an efficient sequential abstraction procedure (SAP), which bears similarity to an algorithm called Computational Procedure for Global Consistency (CPGC) provided in Su and Wonham (2005), except that CPGC is based on natural projections, which, as we have pointed out before, is not suitable for nonconflict check unless all relevant projections are observers. The aggregative nature of SAP is also reflected in Flordal and Malik (2006). But as mentioned above, the abstraction technique of Flordal and Malik (2006) is different from ours. Our third contribution is to present a procedure for nonconflict check (PNC) using SAP, which can handle a large number of automata. The efficiency of PNC has been illustrated by experimental results.

This paper is organized as follows. In Section 2 we introduce basic concepts of languages and automata, and the problem statement of nonconflict check. Then we introduce automaton abstraction and relevant properties in Section 3. A procedure called PNC for nonconflict check based on sequential abstractions is presented in Section 4, along with experimental results. Conclusions are stated in Section 5. Long proofs are presented in the Appendix.

Section snippets

The problem of nonconflict check

In this section we first introduce basic concepts of languages, operations on languages, nondeterministic automata and automaton product. Then we provide a problem statement about nonconflict check. Notations in this section follow rules in Wonham (2007).

Let $Δ$ be a finite alphabet, and $Δ^{*}$ the Kleene closure of $Δ$ , i.e. the collection of all finite sequences of events taken from $Δ$ . Given two strings $s, t \in Δ^{*}$ , $s$ is called a prefix substring of $t$ , written as $s \leq t$ , if there exists $s^{'} \in Δ^{*}$ such that $s s^{'} = t$

Automaton abstraction

In this section we first introduce concepts of standardized automaton and automaton abstraction, which are needed in Section 4 for developing an algorithm to solve the NCP. Then we present properties of automaton abstraction that will be used to prove the correctness of the algorithm presented in Section 4.

Check nonconflict of finite-state automata

Recall that in the nonconflict check problem, given a set of nondeterministic finite-state automata $A ≔ {A_{i} = (Y_{i}, Δ_{i}, η_{i}, y_{i, 0}, Y_{i, m}) | i \in I}$ , we need to determine whether $B (\times_{i \in I} A_{i}) = \emptyset$ . To solve this problem we propose the procedure of nonconflict check (PNC):

(1)
Input: $A = {A_{i} | i \in I = {1, 2, \dots, n}}$ .
(2)
For each $i \in I$ , we create a standardized automaton $G_{i} = (X_{i}, Σ_{i}, ξ_{i}, x_{i, 0}, X_{i, m})$ as follows:
- (a)
  $X_{i} ≔ Y_{i} \cup {x_{i, 0}}$ , where $x_{i, 0} \notin Y_{i}$
- (b)
  $X_{i, m} ≔ Y_{i, m}$
- (c)
  $Σ_{i} ≔ Δ_{i} \cup {τ, μ}$
- (d)
  $ξ_{i} : X_{i} \times Σ_{i} \to 2^{X_{i}}$ is defined as follows:
  - •
    For all $x \in Y_{i}$ , $σ \in Δ_{i}$ , $ξ_{i} (x, σ) ≔ η_{i} (x, σ)$
  - •
    $ξ_{i} (x_{i, 0}, τ) ≔ {y_{0}}$
  - •
    For

Conclusions

In this paper we first introduce an automaton-based abstraction technique and provide relevant properties. Then we propose a sequential abstraction procedure (SAP), based on which we propose the procedure PNC to check nonconflict of a large number of nondeterministic finite-state automata, which is commonly encountered in Ramadge–Wonham supervisory control theory. Numerical results show that, PNC can help us avoid high complexity in nonconflict check.

Acknowledgements

We would like to thank Mr Pascal A.W. van Overmeire of the Systems Engineering Group at Eindhoven University of Technology for providing the computational results for the last four cases about the cluster tools in Table 1.

Rong Su received the M.A.Sc. and Ph.D. degrees both in electrical engineering from the University of Toronto, Toronto, Canada, in 2000 and 2004 respectively. He is currently affiliated with the Systems Engineering Group in the Department of Mechanical Engineering at Eindhoven University of Technology in the Netherlands. His research interests include modeling, fault diagnosis and supervisory control of discrete-event systems. Dr. Su has been a member of IFAC technical committee on discrete

References (25)

J.C. Fernandez
An implementation of an efficient algorithm for bisimulation equivalence
Science of Computer Programming
(1990)
R. Milner
Operational and algebraic semantics of concurrent processes
Design Software: XPTCT (Version 121 for Windows 98/XP). Systems Control Group, Dept. of ECE, University of Toronto,...
Feng, L., & Wonham, W. M. (2006). Computationally efficient supervisor design: abstraction and modularity. In Proc. 8th...
Flordal, H., & Malik, R. (2006). Modular nonblocking verification using conflict equivalence. In Proc. 8th...
H. Flordal et al.
Compositional synthesis of maximally permissive supervisors using supervisor equivalence
Discrete Event Dynamic Systems
(2007)
Hill, R. C., Tilbury, D. M., & Lafortune, S. (2008). Modular supervisory control with equivalence-based conflict...
R.J. Leduc et al.
Hierarchical interface-based supervisory control-part II: parallel case
IEEE Transactions on Automatic Control
(2005)
Malik, R., & Flordal, H. (2008). Yet another approach to compositional synthesis of discrete event systems. In Proc....
Malik, R., Flordal, H., & Pena, P. N. (2008). Conflicts and projections. In Proc. 1st IFAC workshop on dependable...

Pena, P. N., Carrilho da Cunha, A. E., Cury, J. E. R., & Lafortune, S. (2008). New results on the nonconflict test of...

Pena, P. N., Cury, J. E. R., & Lafortune, S. (2006). Testing modularity of local supervisors: an approach based on...

Cited by (36)

Consistent reduction in discrete-event systems
2022, Automatica
Citation Excerpt :
Since bisimulation is also an equivalence relation, a minimal quotient system may be constructed. We note that bisimulation has also been used as an abstraction method in discrete-event systems (DES) (Mohajerani et al., 2014; Su et al., 2010). In this paper we develop a general framework, called “consistent reduction”, for formalizing and solving a large class of minimization/reduction problems in DES.
In this paper we develop a general framework, called “consistent reduction”, for formalizing and solving a class of state minimization/reduction problems in discrete-event systems. Given an arbitrary finite-state automaton and a cover on its state set, we propose a consistent reduction procedure that generates a reduced automaton, preserving certain special properties of the original automaton. The key concept of the consistent reduction procedure is the dynamically consistent cover; in each cell of this cover, any two states, as well as their future states reached by the same system trajectories, satisfy the binary relation induced from the given cover. We propose a new algorithm that computes a dynamically consistent cover that refines a given cover. We demonstrate the developed general framework on state reduction problems in different application areas.
Compositional Verification of Non-Blockingness with Prioritised Events
2022, IFAC-PapersOnLine
This paper addresses the verification of non-blockingness for modular discrete-event systems, i.e., discrete-event systems that are composed from component models. For such systems, the explicit construction of a monolithic representation turns out intractable for relevant applications, since such a construction in general is of exponential cost w.r.t. the number of components. One well established approach to circumvent the need for a monolithic representation for the verification task at hand is to alternate (a) the substitution of individual components by abstractions and (b) the composition of only a small number of strategically chosen components at a time. When successful, one ends up with a single moderately sized automaton which does not represent the overall behaviour in any detail but which does block if and only if the original modular system fails to be non-conflicting. This approach is referred to as compositional verification and originates from the field of process algebra with more recent adaptations to finite automata models. The main contribution of the present study is the development of a number of abstraction rules valid for compositional verification of non-conflictingness in the presence of global event priorities, i.e., where high priority events from one component possibly preempt events with lower priority of other components.
Counterexample Computation in Compositional Nonblocking Verification
2018, undefined
This paper describes algorithms to compute a counterexample when compositional nonblocking verification determines that a discrete event system is blocking. Counterexamples are an important feature of model checking that explains the cause of a detected problem, greatly helping users to understand and fix faults. In compositional verification, counterexamples are difficult to compute due to the large state space and the loss of information after abstraction. The paper explains the difficulties and proposes a solution, and experimental results show that counterexamples can be computed successfully for several industrial-scale systems.
Supremica–An Efficient Tool for Large-Scale Discrete Event Systems
2017, IFAC-PapersOnLine
Supremica is a tool for the modelling and analysis of discrete-event control functions based on state machine models of the uncontrolled plant and specification of the desired closed-loop behaviour. The modelling framework in Supremica is based on finite-state machines extended with variables, guard conditions, and action functions. In order to handle large-scale problems of industrially interesting size, Supremica uses advanced model checking techniques such as symbolic representations and compositional abstraction. Supremica has been used in several industrial research projects to verify and synthesise control functions for embedded controllers, industrial robots, and flexible manufacturing systems, and to verify program code for autonomous vehicles. This paper gives an overview of the modelling features of Supremica, shows the verification and synthesis facilities and their performance for large problems, and presents some of the industrial applications where Supremica has been used.
An algorithm for compositional nonblocking verification using special events
2015, Science of Computer Programming
Citation Excerpt :
Various abstraction rules preserving conflict equivalence have been proposed and used for compositional nonblocking verification. First, observer projection [10] and weak observation equivalence [11] have been used to simplify automata. The journal paper [8] introduces conflict equivalence to compositional nonblocking verification and proposes a set of conflict-preserving abstraction rules.
This paper proposes to improve compositional nonblocking verification of discrete event systems through the use of special events. Compositional verification involves abstraction to simplify parts of a system during verification. Normally, this abstraction is based on the set of events not used in the remainder of the system, i.e., in the part of the system not being simplified. Here, it is proposed to exploit more knowledge about the remainder of the system and check how events are being used. Always enabled events, selfloop-only events, failing events, and blocked events are easy to detect and often help with simplification even though they are used in the remainder of the system. Abstraction rules from previous work are generalised, and experimental results demonstrate the applicability of the resulting algorithm to verify several industrial-scale discrete event system models, while achieving better state-space reduction than before.
Nonblocking check in fuzzy discrete event systems based on observation equivalence
2015, Fuzzy Sets and Systems
Citation Excerpt :
We will discuss how to use the FSAP to check nonconflict of a large number of FFAs in this section. With a desire to provide further applications of FFA theory in FDES more effectively, and as a continuation of works in [35,37], in this paper, we study fuzzy automaton-based abstraction technique for nonblocking check by using observing equivalence relations. Relevant properties are provided, and a sequential abstraction procedure to check nonconflict of a large number of FFAs proposed, which will be encountered in supervisory control of FDES.
In this paper, we deal with the synthesis about nonblocking check in fuzzy discrete event systems (FDESs) by using abstraction and observation equivalence of fuzzy finite automaton (FFA). In FDESs, such a check imposes a great computational challenge because of the complexity incurred by the composition of plants and the supervisors. With respect to ideas in modeling control system, we present procedure based on FFA abstractions, which removes internal transitions of irrelevant transitions, allowing the nonblocking check to be performed on relatively small automata.

View all citing articles on Scopus

Jan H. van Schuppen received the M.Sc. degree in applied physics from the Delft University of Technology, Delft, The Netherlands, in 1970, and the Ph.D. degree in electrical engineering from the University of California, Berkeley, in 1973. He is affiliated with the Research Institute Centrum voor Wiskunde en Informatica (CWI), Amsterdam, The Netherlands. His research interests include control of hybrid and discrete-event systems, stochastic control, realization, and system identification. In applied research his interests include engineering problems of control of motorway traffic, of communication networks, and control and system theory for the life sciences. Dr. Van Schuppen is Editor-in-Chief of the journal Mathematics of Control, Signals, and Systems, was Associate Editor-at-Large of the IEEE TRANSACTIONS AUTOMATIC CONTROL, and was Department Editor of the journal Discrete Event Dynamic Systems.

Jacobus E. Rooda received the M.Sc. degree from Wageningen University of Agriculture Engineering and the Ph.D. degree from Twente University, The Netherlands. Since 1985 he is Professor of (Manufacturing) Systems Engineering at the Department of Mechanical Engineering of Eindhoven University of Technology, The Netherlands. His research fields of interest are modeling and analysis of manufacturing systems. His interest is especially in control of (high-tech) manufacturing lines and in supervisory control of high-tech (manufacturing) machines.

Albert T. Hofkamp graduated from his masters study at the University of Twente at Enschede, The Netherlands in 1995. He received his Ph.D. degree in Design from the Systems Engineering Group in the Department of Mechanical Engineering at Eindhoven University of Technology in the Netherlands with a real-time implementation of the Chi specification language in 2001. Still working in the same group, he implements simulators, compilers, and transformation tools, and helps researchers realize their ideas in software.

^☆: The material in this paper was partially presented at 10th European Control Conference, Budapest, Hungary, August 23–26, 2009. This paper was recommended for publication in revised form by Associate Editor Bart De Schutter under the direction of Editor Ian R. Petersen.

View full text

Nonconflict check by using sequential automaton abstractions based on weak observation equivalence☆

Abstract

Introduction

Section snippets

The problem of nonconflict check

Automaton abstraction

Check nonconflict of finite-state automata

Conclusions

Acknowledgements

Science of Computer Programming

Compositional synthesis of maximally permissive supervisors using supervisor equivalence

Discrete Event Dynamic Systems

Hierarchical interface-based supervisory control-part II: parallel case

IEEE Transactions on Automatic Control