1570 IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 21, NO.
5, SEPTEMBER 2013
Component-Based Method for the Modeling and
Control of Modular Production Systems
Daniel Côté and Richard St-Denis
Abstract— Control software systems for manufacturing plants
reveal common system architectural elements. This suggests
taking advantage of a development paradigm based on reusable
components. Creating and upgrading a repository of reusable
components suitable for many systems that share common
characteristics present a challenge for engineers, especially if
composition mechanisms must be founded on control theories
of discrete event systems and if formal synthesis tools must be
integrated into well-accepted component-based software devel-
opment processes. This paper explores a component model and
a pragmatic method for the development of control software
systems. The method, along with the underlying component
model, fills the gap between a hierarchical control theory and
component-based software engineering. A detailed case study
developed around a Festo didactic learning modular production
system demonstrates the relevance of the proposed approach to
industrial application.
Index Terms— Component-based software engineering,
discrete event system, hierarchical control, model-driven
engineering, modular production system, supervisory control
theory.
I. I NTRODUCTION
E VEN IF scientists spent decades developing programming
theories that guarantee program correctness for safety-
critical systems, control engineers generally follow some prin-
ciples and empirical methods to develop computer programs
and verify them with a limited number of test cases. In
fact, there is a dearth of evidence that the use of formal
methods is becoming increasingly common in industry [1].
This is for multiple and complex reasons [2]. Nowadays, most
researchers embrace an alternative promising paradigm for the
construction of control software systems, i.e., model-driven
engineering. This paradigm encompasses software develop-
ment approaches in which a model of system behavior, with
precise mathematical semantics, is built early in the develop-
ment process [3]. Formal tools for automated reasoning about
models are then used to verify their correctness with respect
to given properties, feed them into an interpreter for abstract
execution, refine them into correct-by-construction implemen-
tations, or improve system performance with performance
analysis. From a practitioner’s perspective, the extensive adop-
tion of model-driven engineering approaches appears to be
Manuscript received August 25, 2011; revised July 3, 2012; accepted
July 11, 2012. Manuscript received in final form July 14, 2012. Date of
publication August 31, 2012; date of current version August 12, 2013.
Recommended by Associate Editor A. Giua.
The authors are with the Département d’informatique, Université de
Sherbrooke, Sherbrooke, QC J1K 2R1, Canada (e-mail: daniel.r.cote@
usherbrooke.ca;
[email protected]
). II. C ONNECTIONS B ETWEEN SCT AND CBSE
Color versions of one or more of the figures in this paper are available
online at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TCST.2012.2209178
1063-6536 © 2012 IEEE
facing serious limitations due to the inherent complexity of
the systems to be modeled. In addition, there is a major issue
with increasing model size, which leaves practitioners daunted
by the inability of synthesis tools to deliver safety-control
software systems of a size comparable to those programmed by
hand. Component-based software engineering (CBSE) seems
to be an attractive avenue to manage the modeling complex-
ity of systems, because large control software systems may
be obtained by composition of reusable, well-defined, and
separated small artifacts [4]. A predominant preoccupation of
the CBSE community has been the definition of operations
for combining components, based on various algebras and
calculi, simultaneously with the formulation of mathematical
laws to specify the properties satisfied by these operations
(e.g., [5]–[7]). However, most recent formal models of inter-
acting components pay little attention to control. Therefore, a
framework of reusable components based on a theory specific
to an application domain may constitute a good way to take
into account both these aspects. Supervisory control theory
(SCT) [8] is a valuable candidate, especially if procedures that
automatically generate implementable controllers are used in
conjunction with a CBSE approach. As SCT has grown and
matured in the model-driven engineering paradigm, wrapping
it in a component model may certainly represent an advance
in the control engineering of discrete event systems (DES).
A software development method based on reusable compo-
nents that conforms to a hierarchical control theory of DES,
including a complete experiment done with a system similar
to those encountered in the manufacturing industry, constitutes
the main contribution of this paper.
This paper is organized as follows. Section II highlights the
links between SCT and CBSE. It removes the obstacles of
the former to make it accessible to engineers with respect to
a target application domain. Section III details a component
model that matches concepts of a hierarchical control theory
of DES and describes a systematic reuse-based development
method for control software systems. It also places emphasis
on code generation such that code generators can be written on
the basis of an abstract dynamic. Section IV summarizes a case
study based on the proposed method, which is characterized by
a large state space to convince the reader how the underlying
hierarchical design method combined with CBSE is scalable.
Finally, Section V presents related work from a technical point
of view and provides concluding remarks.
CBSE approaches owe much of their attractiveness to the
following techniques: abstraction, aggregation, composition-
CÔTÉ AND ST-DENIS: COMPONENT-BASED METHOD FOR THE MODELING AND CONTROL OF MODULAR PRODUCTION SYSTEMS
ality, encapsulation, instantiation, and reusability. These tech-
niques were absent in the original formulation of SCT, because
the focus was on formulating conditions for the solvability
of control problems, designing algorithms for the automatic
derivation of supervisors from mathematical models of DES,
and developing translation procedures for code generation of
software controllers, which must be correct by construction.
SCT has an intuitive notion of component, since a model
of system behavior is often expressed as the synchronous
composition of automata, namely G := i G i , where the
automaton G is interpreted as the interconnection of com-
ponents G 1 , . . . , G n . However, G 1 , . . . , G n are not, strictly
speaking, instances of genuine reusable components as defined
in CBSE. They are unique models of simpler subsystems, or
they are obtained by adapting existing transition structures
(e.g., label renaming). In the latter case, the process of creating
instances cannot be associated with instantiation, because there
is no instantiable pattern with parameters that allow model
customization. Furthermore, if instances must share events
or show any other form of interdependency, the meaning of
instantiation is blurred. Nevertheless, several extensions to
SCT have led to richer paradigms that integrate some CBSE
techniques in different forms. For instance, the paradigm
of control under partial observation includes the notion of
projection, which hides a form of encapsulation. The use of
observation equivalence, process equivalence, or automaton
abstraction is akin to making abstractions with the aim of sim-
plifying the components G 1 , . . . , G n of a modular system [9],
[10]. This is more apparent when one considers the hierarchi-
cal control paradigm. Structural multilevel hierarchies [11],
aggregate multilevel hierarchies [12], [13], and aggregate
models [14]–[20] are valuable representatives of this para-
digm providing abstraction, aggregation, compositionality, and
encapsulation. But, being mostly addressed to nonexperts of
control theories, CBSE must also provide a software devel-
opment method that shields the user from theoretical diffi-
culties based on reuse, through component instantiation and
adaptation, and allow system implementation (e.g., through
code generation). The aim is to supply a software architecture
that supports the development of control software systems,
scales for large systems, and conforms with SCT in order to
ensure correctness with respect to faultless behavioral models.
Although it would be valuable to investigate how such an
approach could be applied for all variants of the hierarchical
control paradigm, this paper focuses on the hierarchical control
architecture (HCA) [15] with borrowings from the modeling
framework developed around the concept of state tree structure
(STS) [11].
A. HCA: An Aggregate Model Approach
Early work on hierarchical supervision [14] culminated in
an abstract hierarchical control theory formulated around the
concepts of control structure and observer [15], [16]. A control
structure is a means to represent control abstractly with a set of
controllable sublanguages, while a control technology, such as
partitioning the event set into controllable and uncontrollable
events, represents a specific implementation of control. An
1571
Fig. 1. Elements of a component with respect to HCA.
observer is the key for aggregation and refinement to achieve
hierarchical consistency while preserving nonblockingness.
An aggregate model Ghi is obtained from a low-level model
Glo by refining the information sent up from the low-level
model to the high-level model to ensure that the supervisor
of the latter can be implemented in the former. This property,
called hierarchical consistency [14], is equivalent to control
consistency [15], which ensures the correspondence between
control structures through the information channel. Once this
property has been established for Glo and Ghi , the process can
be repeated from Ghi to get Gnhi , the next level. Consistency
for Ghi and Gnhi can be fulfilled without reexamining that for
Glo and Ghi . It is also advantageous to consider Glo as the
composition of concurrent subsystems executing in parallel,
with their own abstraction, instead of a monolithic system.
Therefore, this variant is powerful enough to support the usage
of successive abstraction and composition of subsystems using
natural projections [17], [18], [20] or causal maps [21].
Generally, the low level fits with the standard control
technology (i.e., a partition of the set of events  in a
subset of controllable events c and a subset of uncontrollable
events u ), which induces a standard locally definable control
structure Clo on L = L(Glo ) ⊆  ∗ (Clo : F L → P 2 (L),
where F L is the set of prefix-closed sublanguages of L). In
HCA, the abstraction mechanism takes the form of a causal
map θ : L → T ∗ , where T is the alphabet representing the
events of the high level. It is assumed that L = L m (Glo ),
θ (L) = M = L(Ghi ) ⊆ T ∗ , and M = M = L m (Ghi ). Thus,
θ , Glo , and Ghi are, respectively, models of the information
channel, the agent, and the abstraction. Because they can erase
transitions instead of events and change event labels arbitrarily,
causal maps often provide more flexible design alternatives for
subsystem abstraction as compared with natural projections.
The usual information flow diagram of hierarchical control,
as depicted in Fig. 1, resembles the notion of component
encountered in recent component models of CBSE (e.g., [22]).
It has been reshaped into a diagram representing an abstract
component defined in terms of HCA elements, which, in turn,
is refined into a typically reusable component. Under some
construction rules for Tc and Tu , the causal map θ leads to
a standard
.
control technology in the abstraction (i.e., T =
Tc ∪Tu ). This makes it possible to exploit any synthesis proce-
dure, developed a while ago in the standard SCT framework,
to generate a control law VT : M → P(T ) on the abstraction
1572 IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 21, NO. 5, SEPTEMBER 2013
Fig. 2. Composition of components and superposition of control.
such that L(VT /Ghi ) = κ M (E), where κ M (E) is the supremal
controllable sublanguage of the admissible behavior E for the
abstraction. Therefore, the high level has its own standard,
locally definable control structure Chi : F M → P 2 (M), just
like the low level. The control law for the agent V , with
K = κ L ◦ θ −1 (E) such that L(V /Glo ) = κ L ◦ θ −1 (κ M (E)),
can then be obtained without calculating the supremal element
in the low level [21]. In this way, the control in the high
level is realized through implementation in the low level. The
triple (L, θ, Clo ), however, must be control-consistent (i.e.,
Chi (θ (K )) = θ (Clo (K )) for all K ∈ F L ). In addition, if θ is an
observer, and consistency of marking (i.e., θ −1 (Mm ) = L m )
and the generalized partner-freedom condition hold, then the
nonblocking property is preserved between V and VT , more
precisely, for all E ⊆ M, κ M (E) is nonblocking iff κ L ◦θ −1 (E)
is nonblocking ([16, Th. 6], called the HCA central theorem
afterward).
A sound component model must support systematic com-
position and infer properties about the result of applying an
operation to components. To facilitate reasoning about the
aforementioned properties prescribed by HCA, such oper-
ations must be atomic. Atomic operations have their own
characteristics, thereby preventing the lumping of composition
and control. In addition, composition operations, combined
with a closure property, must allow for aggregation in an
arbitrary way with an unrestrained number of components
and an unrestrained number of levels. As illustrated in Fig. 2,
there are three atomic operations to consider on components:
1) components are aggregated horizontally without adding sup-
plementary control; 2) components are aggregated vertically
without adding supplementary control; and 3) supplementary
control is superposed to the control of the abstraction of
a component. Since CBSE requires a repository to supply
predefined components, a typical scenario for building a new
reusable component follows this pattern. Some components
are retrieved from the repository and instantiated. Their inter-
faces are aggregated horizontally to form the abstraction of a
working subsystem. Control is then applied to this subsystem
abstraction to restrict further its behavior. Finally, vertical
aggregation is used to re-abstract the result into an interface.
The new composite component can then be stored in the
repository, and the previous steps can be repeated with the
new components. Notwithstanding instantiation, the methods
described in [13], and [17]–[20] adopt variations of this
iterative process. Nonetheless, a clearly defined meaningful
self-contained unit of reuse is still lacking.
Properties that must be preserved when applying the pre-
vious operations on components come from the HCA cen-
tral theorem (control consistency, consistency of marking,
observer, and generalized partner freedom). Applying this
theorem constitutes a substantial challenge to practitioners for
two reasons. First, the generalized partner-freedom condition
relies on how the standard control technology for the abstrac-
tion is determined, in particular on the set of controllable
events Tc . In the general setting [21], (L, θ ) is required
to be output control consistent to obtain the finest possible
control granularity. Requiring this property severely limits the
number of possible abstractions, and such abstractions are
often uselessly complex with respect to their intended use.
Furthermore, this property is not preserved when components
are aggregated horizontally [23]. This is a rather serious
pitfall, since it runs counter to the most important principle
of CBSE methods. Therefore, the HCA central theorem has
been specialized under a particular instance of a weaker form
of control consistency, namely Chi (M) ⊆ θ (Clo (L)), provided
that the admissible behavior for the abstraction is controllable,
with the result that control options in the agent may be
discarded. Control then becomes coarser as the hierarchy of
abstraction builds up. Nevertheless, it often proves adequate
for practical use, as it embodies the usual tradeoff made
to obtain coarser-grained interfaces or simpler abstractions
to encapsulate complexity. Second, as mentioned in [24], a
causal map “is hard to define on a DES with large state
size or composed of multiple components, as a designer must
explicitly specify the output symbol for every transition in
the monolithic automaton model.” A comparable situation
arises with a forgetful map [25]. This issue is less critical
with natural observers, which are natural projections with the
observer property. Obviously, all these maps generally select
a subset of Clo (L) since erasing controllable events gives rise
to more restricted control through the projection. Nevertheless,
efforts in designing a map with the observer property are fully
justified in the context of reusable components.
Based on these observations, the standard control technol-
ogy in the abstraction is defined as follows:
Tc := {τ ∈ Tθ | X τ ⊆  ∗ c } and Tu := Tθ − Tc (C1)
where X τ := {sσ ∈ L voc | ω(sσ ) = τ } and Tθ := {τ ∈ T |
X τ = ∅}. An event τ is controllable if all vocal strings
that cause the generation of τ through θ end with an event
that belongs to c (for a given string that belongs to L,
the tail map ω indicates if it is vocal with the event τ or
silent; and L voc is the set of vocal strings [16]). This choice
is based on the fact that condition (C1) leads to control
coincidence (θ −1 (Chi (M)) ⊆ Clo (L)), which is a sufficient
condition for the particular instance of the weaker form
of control consistency and the generalized partner-freedom
condition. Whereas natural observers implicitly provide a set
CÔTÉ AND ST-DENIS: COMPONENT-BASED METHOD FOR THE MODELING AND CONTROL OF MODULAR PRODUCTION SYSTEMS
of sufficient conditions implying conformance with the HCA
central theorem [17], [18], [20], that same set of conditions
are established during the design of a causal map using simple
rules. Finally, the term κ L ◦ θ −1 (E), which appears in the
conclusion of the HCA central theorem, can be replaced by
θ −1 (κ M (E)) when the admissible behavior for the abstraction
is controllable. Therefore, the HCA central theorem is refor-
mulated as follows [26]..
Theorem 1: Let c ∪u = .  be the standard control
technology for the agent, Tc ∪Tu be the standard control
technology for the abstraction that satisfies condition (C1),
. Assumption: Instances of reusable components are pairwise
and θ : L → (Tc ∪Tu )∗ be a causal map. Suppose consistency
of marking and θ is an observer. Then, for all E ⊆ M, κ M (E)
is nonblocking iff θ −1 (κ M (E)) is nonblocking.
Within the context of Theorem 1, a synthesis procedure that
computes κ M (E) while satisfying the nonblocking property
ensures that the implementation of the high-level synthesis
in the low level is nonblocking. The main advantage of this
theorem is that there is an algorithm for computing an observer
from a causal map θ in polynomial time [27] that satisfies the
consistency of marking.
B. Supervisory Control of State Tree Structures
This variant of SCT embraces a top-down modeling
approach in the sense that states can be decomposed. The
dynamics of a hierarchical system with concurrent processes is
described using a kind of hierarchical state machine formalism
very close to statecharts [28], called an STS. The state space
is organized into OR and AND superstates from a tree structure
called a state tree. The local dynamics of an STS is defined
by a set of holons assigned to all the OR superstates of its
state tree. While the concept of state tree makes it possible to
structure the state space following a principle of modularity,
holons are used to define system behavior in a modular fashion
as well. A holon is an automaton in which the state set, event
set, and transition structure are partitioned into an internal
state set and an external state set, an internal event set and
a boundary event set, and an internal transition structure
and a boundary transition structure, respectively. Connections
between holons must satisfy boundary consistency [11].
Exploiting the HCA variant for successive abstraction of
subsystems does not preclude the use of the STS framework
to solve local control problems. Since the approach advocated
in this paper aims at control specification reuse as well as sub-
system description reuse, the use of STS models is motivated
by pragmatic considerations, in particular a compact graphical
representation of the state space and a more human-readable
form of control specifications. More precisely, the parallel
composition of independent subsystems forming a system can
be represented by an equivalent STS model without vertical
structure [11]. The state tree of such an STS has a single AND
superstate at the root where each AND cell is an OR superstate
matched to a holon with an empty external structure (typically
an automaton). In addition, AND cells may represent memory
elements that are used to formulate control specifications as a
set of sub-state-trees of the STSs underlying state tree. These
define forbidden state families that are eventually translated
1573
into predicates or characteristic functions to be used in efficient
symbolic representation techniques (e.g., BDD). The resulting
predicates are generally more readable than legal language
automata (e.g., offer better traceability to the original informal
specification). Control implementation is also facilitated since
the result of synthesis is a state feedback control function.
C. Application Domain
The following assumption is made to circumscribe the
application domain.
disjoint (i.e., they do not share events).
Similar conditions have been imposed on events in the lit-
erature (e.g., local coupling [11], pairwise disjoint low-level
transition structures [12], disjoint sets of relevant events [18]).
This limitation is reasonable for modular production systems.
This kind of systems, which are widespread in modern indus-
trial plants, consist of physical modular components that can
be configured to adapt to distinct manufacturing processes.
Each physical modular component has its own sensors and
actuators, corresponding to inputs and outputs, that give rise
to occurrences of events observable by the control logic. Since
these components do not share I/O, they are then pairwise
disjoint and evolve in parallel.
Relaxing this assumption would introduce dependencies
between reusable components. It is unclear what such event
sharing means in terms of the modeled subsystems relative
to the controlled hardware. When hardware devices share
events, they can probably be modeled as a single subsystem.
When it becomes necessary for subsystems to share sub-
component instances, then their local control specifications
could eventually conflict. The framework presented in this
paper assumes a conflict-avoidance policy similar to [18].
However, nothing prevents one from using a scheme of conflict
resolution through coordination as suggested in [17] since the
underlying theoretical framework is the same.
III. C OMPONENT M ODEL
A component model typically includes component syntax
and semantics as well as composition mechanisms. These three
features are defined to match HCA concepts as closely as
possible while approaching CBSE practices.
The syntax offers a means of describing and denoting com-
ponent constituent parts. The Fractal component model [22]
constitutes a sound foundation for introducing them. Since a
component must provide control capabilities, it consists of
three parts, as shown in Fig. 1: an interface, an implemen-
tation, and a controller. The implementation part is composed
of other components, called subcomponents, which are under
the supervision of the controller for the enclosing component.
The latter takes actions regarding the behavior to be associated
with a component. In particular, it can superpose control
behavior to the behavior of its subcomponents so as to exercise
coercion on the way components interact. Even though the
Fractal component model distinguishes between different types
of interfaces, such a distinction is omitted in the sequel to
keep the component model as general as possible. Despite
1574 IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 21, NO. 5, SEPTEMBER 2013
the fact that variables should need to be assigned sooner or
later to sensors, actuators, and devices, a component does
not expose its contents. It is private. Since the interface is
visible outside a component, it is public, just like the glue
code used during code generation. Additional elements are
included in component description for documentation pur-
poses: a behavioral model of the implementation and interface,
an exhaustive model in the case of an elementary component,
or an assembly diagram in the case of a composite component,
and a control problem specification. They result from modeling
tasks and synthesis procedures upstream and downstream from
a structured process of control problem solving.
The semantics clarifies the role of each constituent part
of a component. The behavioral model is formally expressed
by a pair of automata C := (G, G) that defines component
semantics in terms of dynamic behavior. The first element is
a Mealy machine G := (Q, , {ε} ∪ T, δ, λ, q0 , Q m ), with
an input alphabet  and a disjoint output alphabet {ε} ∪ T
(ε ∈ T is a special symbol meaning no output), specifying the
implementation’s controlled behavior. Discarding all outputs
associated with the transitions from G (keeping only its
transition structure) yields the deterministic finite automaton
(DFA) Gts = (Q, , δ, q0 , Q m ). In practice, G is derived
from Gts by giving a causal map θ : L → M “around” Gts ,
adding to it the output alphabet and output function λ. The
second element is a quotient DFA G = (Y, T, η, y0 , Ym ) spec-
ifying the way the component interacts with other components
through its interface. It is endowed with the observer property
and computed with the algorithm described in [27] from an
appropriate relabeling of Gts . Given well-defined instantia-
tion mechanisms, behavioral models can be seen as generic
schemata for the declaration of instances, which can be used
to build larger components, subsystems, and systems, making
components reusable. In the case of a composite component,
the assembly diagram is an STS without vertical structure.
Since elementary components do not have subcomponents, the
assembly diagram is useless in this case. An exhaustive model
GFB replaces it, where GFB is a DFA expressing the internal
behavior of a component in the absence of any control. For a
composite component, GFB can be obtained from its assem-
bly diagram. The control problem specification completely
describes a control problem, which is implicit in a behavioral
model. It contains, among other things, a control specification
and a control law. The control specification is expressed with a
set of normalized logical formulas, which, in fact, corresponds
to a set of illegal sub-state-trees, as formulated in [11], except
for explicit constraints. The control law is a state feedback
control function f such that Gts = f /GFB . In other words,
Gts is the solution of the control problem.
The composition mechanisms are based on algebraic oper-
ators that allow combining components while maintaining
invariant control coincidence, consistency of marking, and
the observer property when applying any atomic operation
of Fig. 2. For instance, components with the observer prop-
erty are closed under horizontal and vertical composition as
well as under superposition of control [26]. This feature of
the component model is very important because engineers
only have to concentrate their efforts on the condition to be
satisfied by the control technology for the abstraction and
on computation of observers from causal maps, especially
those associated with elementary components and ϕ in the
case of vertical composition. Focusing on these specific points
preserves the formal guaranties provided by HCA throughout
the entire design process with the aim of a correct design, but
not necessarily optimal with regard to the weakening of HCA.
A. Construction of Elementary Components
An elementary component is typically associated with a
hardware device. Its exhaustive model is built a priori in
much the same way that similar models are generally obtained
currently in SCT. Each state in GFB corresponds to a device
configuration that can be determined by actually testing for
specific concrete states. The event set is defined in terms of
detectable hardware state changes or other hardware activities
detectable by the control logic.
The behavioral model (G, G) is the result of an ad hoc
modeling process from the exhaustive model. Assumptions are
made on the latter to obtain a suitable model that depicts an
admissible nonblocking behavior of the device. In particular,
this step allows the elimination of instability problems such as
inertial effects due to chaotic usage of a command. Identifying
hazardous and prohibited transitions results in a control law
f and a DFA Gts that model the device behavior in a
normal operation mode. The modeling process should include
formal verification techniques or, at the very least, statistical
validation techniques to ensure the validity of Gts . The Mealy
machine G is obtained by giving a causal map θ with the
observer property. The former is then refined into an expressive
model G to provide an interface for the component.
Fig. 3 shows the exhaustive model of a typical pneumatic
jack (or cylinder) with two sensors that detect the end of
travel positions and three valves for one stable position. In
this model, the symbols Xi (i = 0, 1) and Y0 denote sensor
inputs and an actuator command, respectively. More precisely,
the values X0 and X1 indicate, respectively, that the jack is
completely retracted and completely extended. Furthermore,
X0∧X1 holds when the jack is neither completely retracted nor
fully extended. Therefore, Y0∧X1 represents the case in which
the cylinder goes out. Likewise, in the symmetric case Y0∧X0,
it goes in. The expressions Xi and Xi denote, respectively,
signal rising and falling edges. The signal Y0 corresponds
to action extend and Y0 corresponds to actions retract and
cancel extension. The transitions with dashed edges have been
identified as nonessential experimentally. Eliminating these
transitions yields control actions, which disable the superfluous
controllable transitions. The interface makes it possible to
extend and retract the cylinder repeatedly. Such an abstraction
reduces the number of states to consider at the next layer.
Even if the reduction ratio is small, the combined effect on
several layers may be considerable. The two configurations in
which X0 ∧ X1 holds have been excluded from the model.
They happen, for example, when a sensor is stuck at true,
which causes the nonfaulty model to block if all the symbols
that delineate the state space appear in conditions associated
with a command. Taking into account faulty configurations
CÔTÉ AND ST-DENIS: COMPONENT-BASED METHOD FOR THE MODELING AND CONTROL OF MODULAR PRODUCTION SYSTEMS 1575

1 Elementary Component Jack111:ce Y0,X0,X1 {

2 State Variable = Y0, X0, X1
3 f Y0 := Y0 ∧ X0 ∧ X1
4 f Y0 := Y0 ∧ X0
5 Project Y0 () := {return Funcextend ();}
6 Project Y0 () := {
7 if (X1) then return Funcretract ();
8 else return Funcce ();}
9 Project X1 () := {
10 if (Y0) then return Funceoe ();
11 else return true;}
12 Project X0 () := {return Funceor ();}
13 LactionsY0 () := {set(Y0);}
14 LactionsY0 () := {reset(Y0);}
15 Cycle() := Cycle() + {
16 if (X0) then FuncX0 ();
17 if (X1) then FuncX1 ();
18 FuncY0 ();
19 FuncY0 ();
20 }
21 }

Fig. 4. Control problem specification for Jack111:ce .

TABLE I
S AMPLE OF E LEMENTARY C OMPONENTS W ITH S OME S TATISTICS
Exhaustive Control
Implementation Interface
model specifica-
G G
Component GFB tion
(No. of (No. of
(No. of (No. of
states) states)
states) predicates)

Conveyorbelt 6 6 2 2
Conveyorrotary 3 4 2 2
Injector 8 12 2 4
Jack100 6 8 2 4
Jack101 6 7 2 4
Jack110 6 7 2 4
Jack111 6 6 2 4
Jack111:ce 6 6 3 4
Jack111:cecr 6 6 4 4
Jack111:cr 6 6 3 4
Jack111:ss 6 6 2 2
Fig. 3. Models for the elementary component Jack111:ce . Jack211::e 6 9 2 4
Jack211::r 6 9 2 4
Relayad 6 8 2 4
during code generation is not obvious and would require more Relaysd 4 4 2 4
SuctionCup 4 6 2 4
investigation. SuctionCup:cc 4 6 3 4
The header of a control problem specification contains the Timerod 4 4 2 3
name of an elementary component and an instantiation signa- Timerod:nc:e 4 4 3 3
ture. Every symbol declared in the instantiation signature has
a data type that falls under the scope of a set of conventional
type definitions for sensors, actuators, timers, registers, and For instance, Y0 is enabled if Y0 ∧ X0 ∧ X1. This example
memory elements. For example, the symbol Y0 designates a gives the reader an idea of the extent of pseudo-routines.
Boolean actuator, whereas X0 and X1 are Boolean sensors. The pseudo-routines Projectσ () represent the observer θ (lines
As a last step before code generation, engineers assign actual 5–12). The pseudo-routines Lactionsσ () send a command to an
physical resources to the symbols declared in the instantiation actuator to reflect the occurrence of the event σ (lines 13–14).
signature using a syntax that is proper to the target hardware The pseudo-routine Cycle() is accessible by the main loop and
[e.g., Y0 := Q0.5 assigns hardware Boolean input point Q0.5 its explanation appears later in this section.
to the symbol Y0 on a Siemens programmable logic controller
(PLC)]. On instantiation of a component, the instance has
access to a state variable containing the value corresponding B. Sample of Elementary Components
to its current state. It is declared from symbols that appear in Presently, the repository contains 48 elementary components
the instantiation signature. The rest of the control problem usually encountered in modular production systems. Table I
specification consists of glue code, mainly pseudo-routines presents a sample of them. There is a wide variety of conveyors
used by code generation procedures. for material handling. A conveyor belt conveys workpieces one
Fig. 4 contains the control problem specification of the after another. Two sensors detect when a workpiece reaches or
component Jack111:ce , in particular, the control law expressed leaves the belt, respectively. A relay starts and stops an elec-
by a family of predicates { f σ | σ ∈ } (lines 3–4) such trical motor that drives the belt. A rotary conveyor is a driving
that f σ (v) :⇔ σ ∈ f (v), where v denotes the state variable. mechanism equipped with a geared motor (i.e., with a latency
1576 IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 21, NO. 5, SEPTEMBER 2013
time at stopping). Such devices must be controlled locally
because of strict temporal constraints involved between the
alignment sensor and driving mechanism. An injector consists
of a jack coupled with a cylinder barrel located in the basis
of a gravity-feed magazine, which is monitored by a sensor
to detect the presence of a workpiece. It pushes the bottom
workpiece out of the magazine. This component is considered
as an elementary component because its subcomponents are
strongly coupled. Pneumatic jacks come in various forms.
Their main features are the number of valves to regulate the
exhaust air flow (e.g., three valves for one stable position or
five valves for two stable positions), the valve type (e.g., self-
locking valve), and the presence of sensors to detect the end
of travel positions. The lack of sensors at either end of the
travel positions requires a timer to assess complete extension
or retraction. Jacks may have various interfaces, differing in
the number of commands they provide and their initial state.
The following nomenclature is used in referring to jacks:
ce: cancel extension
cr: cancel retraction
cecr: cancel extension/cancel retraction
ss: start/stop
e: initially in extension
r: initially in retraction
Jackvre:i:i
0: timer to assess complete extension
1: sensor to detect complete extension.
0: timer to assess complete retraction
1: sensor to detect complete retraction
1: three valves
2: five self-locking valves
Jack111 is used as an example. It has a four-state interface with
a fixed initial state because there is only one stable position.
Sensors detect the end travel positions. Adding or removing
commands yields four other jacks. To avoid redundancy,
Jack100 , Jack101 , and Jack110 are given in only one form in
Table I. Jack211 comes in two standard versions according to
the initial state. There are almost as many relays as jacks.
They are used to electrically turn on/off switches, while con-
sidering latency effects. An electrical motor that cannot reach
its nominal speed instantaneously is a good example of an
instance of a relay. The delay can be asymmetric, symmetric,
or null. Five interfaces are possible for an asymmetric delay
relay, but only two for the other relay types. A suction cup
can be used to pick up and hold objects with smooth surfaces
by vacuum. SuctionCup:cc is like SuctionCup, but with an
additional command (cancel close). Finally, the component
Timerod encapsulates the behavior of an on-delay timer. There
are four different interfaces for this device according to the
initial state, and presence or nonpresence of a transition to
cancel the timing. The size of the control specification does not
take into account simplifications to reflect the effort done by
engineers to specify them and the difference between devices
of same type.
C. Construction of Composite Components
A repository of reusable components can be seen as a set of
generic schemata {Cρ | Cρ = (Gρ , Gρ ), ρ ∈ R}, where R is
an index set. A generic schema of a prefabricated component
can be specialized by declaring a new type of instances X
Fig. 5. Assembly diagram of the composite component Hooke:f .
represented by an augmented relabeled version G X of Gρ for
a given ρ ∈ R. The model G X inherits the transition structure
from Gρ but it may be augmented with self-loop transitions
on local events, called synthetic events, which are specific
to the memories H1, . . . , Hm of the composite component
C = (G, G) under construction. Essentially, a memory is a
DFA H that coordinates, possibly through internal data, the
behavior of subcomponent instances C1 , . . . , Cn used in the
construction of C. Its alphabet TH is a subset of the union of
alphabets of GC1 , . . . , GCn (i.e., TH ⊆ ∪i∈{1,...,n} TCi and may
contain synthetic events). Synthetic events are not generated by
any subcomponent instance but rather belong to the subsystem
itself. Their purpose is to enable the subsystem to change its
local memory state independently of subcomponent instance
activity. Since memory is under internal control, synthetic
events are controllable. Therefore, memory elements and sub-
component instances can synchronize on synthetic events to
introduce explicit behavioral constraints. These notions allow
the expression of the control specification and control law
as a family of predicates on the state space. The memo-
ries H1, . . . , Hm and instances C1 , . . . , Cn are then grouped
together in an assembly diagram. Contrary to an elementary
component, the control law f and the corresponding transition
structure Gts associated with a composite component are
calculated from a control specification and the free behavior
GFB = H1  · · ·  Hm  GC1  · · ·  GCn in accordance with
a synthesis procedure. The pair (G, G) is obtained in the same
way as for an elementary component.
The construction of a composite component is illustrated
with a typical extendable hook with a failure/recovery mode,
named Hooke:f . Fig. 5 shows the assembly diagram of this
component. It consists of a winch, hook, and memory that puts
the operations in order with respect to two operation modes. In
the normal mode, a workpiece is gripped and then released by
the extendable hook. The failure/recovery mode is used when
it is impossible to create the vacuum because no workpiece
is at the grip position. The free behavior of the extendable
hook is obtained by the product of the three automata. This
yields an automaton with 44 states and 89 transitions. The
behavioral model (G, G) of Hooke:f , depicted in Fig. 6, is the
CÔTÉ AND ST-DENIS: COMPONENT-BASED METHOD FOR THE MODELING AND CONTROL OF MODULAR PRODUCTION SYSTEMS 1577

1 Composite Component Hooke:f {

2 State Variable = <Seq, Winch, Hook>
3 Synthetic Events := { c := {clr} }
4 Seq : MW;
5 Winch : Jack111:ce with {
6 c := {extend[wd], ce[wcd], retract[wu]}
7 u := {eoe[wed], eor[wea]}
8 η = η ∪ { r, clr, r }
9 }
10 Hook : SuctionCup:cc with {
11 c := {close[hig], cc[hcg], open[hir]}
12 u := {eoc[hfg], eoo[hfr]}
13 η = η ∪ { nv, clr, nv }
14 }
15 CtrlSpec {
16 /* Explicit control constraints */
17 /*(1) clr <= Seq = f ∧ Winch = r
18 ∧ Hook = nv */
19 /*(2) hig <= Seq = g */
20 /*(3) wcd <= Seq = g */
21 /*(4) hcg <= Seq = f */
22 /* Standard control constraints */
23 /*(5) */ Seq = f ∧ Winch = ie
24 /* Implicit control constraints */
25 /*(6) */ Winch = r ∧ Hook ∈ {l, p}
26 /*(7) */ Seq = g ∧ Winch = ie ∧ Hook = l
27 /*(8) */ Seq = g ∧ Winch = ir
28 ∧ Hook ∈ {l, p}
29 /*(9) */ Seq = g ∧ Winch = ir ∧ Hook = nv
30 /*(10)*/ Seq = f ∧ Winch = ir
31 ∧ Hook ∈ {l, p, v}
32 /*(11)*/ Seq = r ∧ Winch ∈ {ie, ir}
33 ∧ Hook ∈ {l, p}
34 /*(12)*/ Seq = r ∧ Winch = ie ∧ Hook = nv
35 /*(13)*/ Seq = r ∧ Winch = ir ∧ Hook = v
36 /*(14)*/ Seq = r ∧ Winch = e ∧ Hook = p
37 }
38 f clr : Seq = f ∧ Winch = r
Fig. 6. Models for the composite component Hooke:f . 39 f wd : Seq ∈ {g, r} ∧ Winch = r
40 f wcd : Seq = g ∧ Winch = ie ∧ Hook = v
41 f wu : Winch = e ∧ Hook = nv
result of the control problem stated in the control problem 42 f hig : Winch = ie ∧ Hook = nv
43 f hcg : Seq = f ∧ Hook = p
specification of Fig. 7. The transition structure Gts of G is the 44 f hir : Winch = e ∧ Hook = v
Cycle() := Cycle() + { Funcclr (); }
result of a synthesis procedure which computes the control 45
46 }
law. Then, (G, G) is derived from Gts with an algorithm that 47 }

synthesizes an observer based on the decisions of engineers.

The component Hooke:f is a self-contained generic schema
defining a new type that can be stored in the repository
and used afterward in the construction of more complex
components, such as a crane.
The control problem specification introduces the synthetic
event clr (line 3), and indicates that Seq is a memory (line
4), Winch a specialization of Jack111:ce (lines 5–9), and Hook
a specialization of SuctionCup:cc (lines 10–14). The control
specification associated with this component includes 14 con-
straints. Inspired from the work of Ma and Wonham [11], they
are classified into three groups: explicit control constraints,
standard control constraints, and implicit control constraints.
An uncontrollable event shared between a memory and at
least one subcomponent instance implies that there must be
a transition labeled with this event from every state in the
transition diagram of the memory because the occurrence of
such events cannot be directly forbidden by some means. The
states from which they should not occur may, however, be
considered illegal. Defining a set of forbidden states corre-
f, r, nv. It is an explicit control
sponds to prescribe a standard control constraint expressed in
a propositional logic formula. Excluding transitions labeled
with a controllable event is always possible. This corresponds
to prescribing explicit control constraints. In this case, contrary
to standard control constraints, the control is direct in the
sense that a synthesis procedure does not have to backtrack
on a sequence of uncontrollable transitions from illegal states
Fig. 7. Control problem specification of Hooke:f .
to compute a controllable solution. It can, however, make
the subsystem blocking. Therefore, the synthesis procedure
is still required to avoid blockingness. Excluding too many
transitions can possibly lead to overspecification. Engineers
must be aware of this potentially undesirable side effect, but
it is common practice in SCT and often makes sense. Implicit
control constraints also define sets of forbidden states, but their
formulation is not based on event-sharing. The addition of
extraneous memories is unnecessary in this case. Engineers
write propositional logic formulas by focusing on local states
of each subcomponent instance that appears in the assembly
diagram. They express strict shuffling of command pair, equip-
ment safety, and functionality requirements. For example:
1) clr ⇐ Seq = f ∧ Winch = r ∧ Hook = nv (lines 17–18)
indicates that the event clr can only occur if the value
of the state variable is
constraint;
2) Seq = r ∧Winch ∈ {ie, ir}∧Hook ∈ {l, p} (lines 32–33)
is a strict shuffling of command pair constraint. When
negated, this formula means that the winch and the hook
cannot proceed simultaneously in the release mode.
The control problem specification also includes the nonblock-
ing control law (lines 38–44). The predicate f clr (line 38)
1578 IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 21, NO. 5, SEPTEMBER 2013

TABLE II
S AMPLE OF C OMPOSITE C OMPONENTS W ITH S OME S TATISTICS
State- Flat state-
Control specification Interface
space space
upper upper
Component (No. of predicates) G
bound bound
(No.
(No. of (No. of
of
states) states)
states)

Conveyorts 12 32 2 5 2
Cranebr 256 5184 19 11 2
Cranelr 16 54 5 4 6
Cranelr:all 16 54 5 4 9
Cranelr2 64 5832 13 14 5
Cranelr2:f 192 17 496 14 24 7
Cranewlr2:f 21 52 488 5 38 2
Dispatcher 80 180 3 4 6
Drill 128 864 10 6 2
Hooke 32 72 6 4 4
Hooke:f 48 108 14 6 6
Servomotor 12 16 2 3 4
Tester 12 24 6 5 3
Fig. 8. Instantiation of Jack111:ce .

is a direct consequence of the first explicit control constraint
(lines 17–18). Since there is only one state in G with Seq = f
and Winch = r , the condition Hook = nv is superfluous and
has been eliminated. The predicate f wu (line 41) enables the
occurrence of wu when the winch is extended only if there is
no vacuum because of constraints 10, 11, and 13. The pseudo-
routines Projectσ () have not been included in Fig. 7 because
they are generated from G.
D. A Sample of Composite Components
The repository also includes 17 composite components
common in transportation (e.g., cranes, complex conveyors,
dispatchers, and sorters) and processing (e.g., drills, microm-
eters, and testers). In Table II, Cranebr is a base rail crane
driven by a servomotor that picks up a workpiece from three
possible input positions and moves it to a unique output
position, where it is put down. Cranelr is a unidirectional
crane which moves a workpiece from left to right. The
component Cranelr2 is similar, but it has two output positions
and an extendable hook. The version Cranelr2:f takes into
consideration a failure/recovery mode when trying to pick
up a workpiece. The component Cranelr:all is like Cranelr in
which all events are projected. Reusable components with an
interface identical to their implementation make it possible
to impose constraints on their whole behavior when they
are instantiated. Cranewlr2:f wrap the interfaces of Cranelr2:f
for specific usages by adding more state information defined
by a memory. The former is not really reusable, but it has
been added to the repository to show how to create other
components that model similar cranes, but with different,
even more permissive, behaviors. The state-space size of a
component is given in terms of upper bounds calculated from
the size of memories and subcomponent instances that appear
in the assembly diagram without considering synchronization
(see Fig. 5). Upper bounds include reachable states as well as
unreachable states because the memories represent constraints
that can shrink or expand the state space defined from the
free behavior of subcomponent instances. Furthermore, such
constraints may vary from one control problem to another.
That of Hooke:f is 48 = 3 × 4 × 4. The upper bound of
the corresponding flat state space is 108 = 3 × 6 × 6 (3
for the memory and 6 for the size of Jack111:ce and the
size of SuctionCup:cc with respect to the data in the second
column of Table I). The size of its interface G is 6. Its control
specification includes 14 normalized constraints and reuses 6
constraints (3 from Jack111:ce and 3 from SuctionCup:cc ). It is
easy to observe the impact of abstraction on several levels by
comparing upper bounds in the first two columns.
E. Instantiation of Reusable Components
Generally, the instantiation mechanism is used when build-
ing a subsystem from subcomponent instances, where a sub-
system is the base unit of modularization and subcomponent
instances are derived from reusable components. A reusable
component is precisely a subsystem specification in which a
causal map with the observer property is defined as a means
to give the subsystem an interface. A system can then be seen
as the instance of a subsystem with no interface located at
the root of an aggregation tree of subcomponent instances
in which the leaves are instances of elementary components.
Fig. 8 illustrates how the subcomponent instance Winch is
created from the component Jack111:ce . The relabeling function
rWinch is based on an aliasing map defined in the with clause
of a subcomponent instance declaration (lines 5–9 in Fig. 7),
where each interface event is associated with a corresponding
alias given within square brackets. Since the alphabets of
subcomponent instances must be pairwise disjoint within a
subsystem, event aliases are expected to be unique across all
subcomponents within the subsystem. The transition structure
resulting from this aliasing is identical to that of the original
interface definition, except that the event names have been
replaced by their aliases and transitions on synthetic events
have been added to synchronize with memories, if necessary.
The relabeled version becomes a new formal object defined
CÔTÉ AND ST-DENIS: COMPONENT-BASED METHOD FOR THE MODELING AND CONTROL OF MODULAR PRODUCTION SYSTEMS
Fig. 9. Environment structure of Hooke:f .
within the subsystem. As part of this adaptation mechanism,
the subsystem designer may also change the status of events
from controllable to uncontrollable, if it makes sense in the
subsystem design. The converse is forbidden.
The instantiation process can be seen as the creation of
an abstract computational environment—one per instance—
which consists of a self-contained namespace where abstract
computational objects are defined. Fig. 9 depicts a part of
the environment structure of the subsystem associated with an
instance of Hooke:f (h), which itself aggregates a subsystem
obtained through instantiation of Jack111:ce and named Winch
in the former subsystem. The environment of Winch is con-
tained in the one of h (h aggregates Winch). Global types
Hooke:f and Jack111:ce are accessible system-wide and both
subsystems define an object G of their corresponding types.
Since the environments define self-contained namespaces,
however, it is clear that  in the environment of h (h.) is dis-
tinct from  in the environment of Winch (h.W i nch.). The
control problem specification of Hooke:f in Fig. 7 introduces a
memory and two subcomponent instances. The memory HSeq
is defined and created locally. The subcomponent instances
GWinch and GHook are defined through appropriate relabeling
and made available locally. Finally, the following abstract
computational objects are accessible in each abstract computa-
tional environment: a state variable v and pseudo-routines. The
state variable v reflects the current state of sensors, actuators,
timers, and devices in the case of an elementary component or
the current state of its subcomponent instances and memories
in the case of a composite component. The pseudo-routines
are related to the abstract dynamic.
F. Abstract Dynamic
Usually, code generation schemata are defined for a general
application architecture. Since it is often impossible to foresee
all the mechanisms that may be required to adapt new or exist-
ing control hardware to an application architecture, this paper
introduces an abstract dynamic both for interactions between
components among themselves, and between components and
1579
Fig. 10. Control flow in an aggregation tree.
control hardware. It fulfills three main goals. First, it expresses
the relative ordering of the operations performed within a
subsystem itself, and between a subsystem and its component
subsystems during the execution of the main control loop
according to a control flow established from an aggregation
tree that mimics the hierarchical aggregation of components
(see Fig. 10). Second, it provides a mechanism for component
runtime adaptation realized by specific points in the execution
of subsystems into which glue code can be inserted. Third, it
allows for customizable code generators specific to different
targets using any appropriate combination of target languages
and machine architectures. In this way, code generators can
be written without overconstraining their design.
The abstract dynamic of components and subsystems is
specified using a set of abstract pseudo-routines. They are
computational objects that are either defined or declared in
a subsystem’s local environment and have free access to any
other object defined in it. The following sets of routines are
defined within a subsystem’s local environment: {Pσ () :→
B | σ ∈ }, {Projectσ () :→ B | σ ∈ }, {Lactionsσ () :→
void | σ ∈ }, {Funcσ () :→ B | σ ∈ }, and Cycle() :→ void.
The following set of abstract routine declarations is added to
this: {Funcτ () :→ B | τ ∈ T }.
Routines Pσ () correspond to the family of predicates { f σ |
σ ∈ }. For a given σ ∈ , Pσ () returns the Boolean value
of f σ evaluated from the current state of the local subsystem
using its state variable v.
Routines Projectσ () add global control on top of local
control. For subsystems derived from composite component,
they are automatically generated from G and this skeleton:
1 Project σ () :→ B
2 if (v = q ∧ λ(q, σ ) = τ ∈ T ) then
3 return Funcτ ();
4 else return true;
5 end.
For a given σ ∈ , Projectσ () tests whether or not a transition
on σ is erased or projected across the interface of the local
subsystem (line 2). If σ is erased, it returns true (line 4),
meaning that σ may happen because it cannot be disabled by
control in the outer subsystem. A code generator can take into
account the trivial case where σ is always erased to optimize
the code generated for Projectσ (). Otherwise, it returns the
result of Funcτ () (line 3), a place-holder symbol. The goal of
this artifice is twofold. First, it activates the outer subsystem
with a call to the corresponding Funcσ  () routine, where σ  is
an event of the outer subsystem (not the local one) such that its
1580 IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 21, NO. 5, SEPTEMBER 2013
occurrence coincides with that of τ because of relabeling used
in the instantiation mechanism. Second, it verifies whether or
not the projected event is enabled by control in the global
system (i.e., the outer subsystem and other subsystems above
it in the aggregation tree). If σ  is permitted to occur in the
global system, then Funcτ (), under its alias name Funcσ  (),
returns true; otherwise, it returns false.
Routines Lactionsσ () perform all changes required to the
local subsystem environment. In particular, they update their
state variable. For a given σ ∈ , Lactionsσ () executes all
local actions associated with the occurrence of σ .
Routines Funcσ () react to the occurrence of their corre-
sponding events. They are automatically generated from the
control problem specification and following skeleton:
1 Funcσ () :→ B
2 if Pσ () then
3 if Project σ () then
4 Lactionsσ ();
5 return true;
6 end;
7 return false;
8 end.
For a given σ ∈ , Funcσ () evaluates the control predicate
associated with σ (line 2). If it holds, σ is enabled locally
and Funcσ () invokes Projectσ () (line 3) to determine if σ
is enabled globally when projected. If these two conditions
are satisfied, then Funcσ () invokes Lactionsσ () to execute
actions consequent upon the occurrence of σ and returns true
(lines 4–5). In all other cases, the subsystem state remains
the same and Funcσ () returns false (line 7), meaning that σ is
prohibited by global control. Routines Funcσ () can return false
only for controllable events, since Pσ () always holds for an
uncontrollable event σ , and the instantiation mechanism does
not permit the change of status of an event from uncontrollable
to controllable. A code generator can exploit this restriction to
optimize the code generated for Funcσ (). It should be noted
that, when the call to Projectσ () is successful, any subsystems
above the current subsystem in the aggregation tree have
already changed their state. Accordingly, the global system
state changes propagate from the root down to the leaves.
In particular, the commands that correspond to controllable
events are sent last in the sequence of environmental changes.
The routine Cycle() is directly and exclusively accessible
by the main control loop. Based on a synchronous execution
model for control applications, the control hardware cyclically
executes a main control loop that allocates a time slice to every
single component subsystem by invoking its Cycle() routine.
Invocation of Cycle() routines is done in depth-first post-
order along the aggregation tree. The active Cycle() routine
calls the routines Funcσ () associated with all events generated
by a subsystem instantiated from an elementary component
(see Fig. 4) or associated with all local synthetic events of
a subsystem instantiated from a composite component (see
Fig. 7) to evaluate the control law from the current state
of sensors and memories, send commands to actuators, and
update memories in a hierarchical manner. In the case of an
uncontrollable event, the call is conditional upon the detection
of its occurrence. In the case of a controllable event, the call
is systematic. The routine Cycle() may also be involved with
local periodic tasks such as timer activation and time out.
Fig. 11. Relationship between instantiation and control flow.
Routines Funcτ () are symbols that are declared in the
local environment but not bound locally to any definition.
They are rather bound at instantiation to routines Funcσ  ()
located inside the outer subsystem. The information for the
binding is given by the aliasing map defined in the control
problem specification. As illustrated in Fig. 11, the with clause
contains terms of the form τ [σ  ], which establish an aliasing
relationship between the two events (i.e., τ is aliased by σ  ).
This relationship is implemented by binding the declaration
of Funcτ () (declared in the subcomponent environment) to
Funcσ  () (defined in the outer subsystem environment).
For subsystems derived from elementary components, the
pseudo-routines Pσ (), Projectσ (), Lactionsσ (), and Cycle()
interact with the hardware and need glue code as a mechanism
for adaptation. These code blocks appear between braces in
control problem specifications. In order to preserve the ability
to generate code automatically, glue code insertion is restricted
to elements of the abstract dynamic, with the exception
Funcτ () routines. Insertion of glue code takes the form of a
routine redefinition, which is written as an assignment (“:=”)
of a code block to the routine name. By default, f σ is assigned
to Pσ (). A syntax variation can be used to add glue code
at the beginning or at the end of routines Lactionsσ () and
Cycle(). In Fig. 4, a code block is appended to Cycle()
(lines 15–20). The syntax forbids adding glue code to Pσ (),
Projectσ (), and Funcσ (), but they can be redefined completely
with a single code block. For composite components, glue
code insertion can be avoided entirely as the control problem
specification and the assembly diagram are enough to generate
the intermediate code. However, for elementary components,
glue code insertion seems unavoidable to provide hardware
adaptation. Consequently cross-platform portability issues may
arise. To circumvent this and ease code generator retargeting,
glue code should have its own proper syntax, which should
forbid looping constructs as the proposed execution model is
synchronous and cyclical. Here, a C-like idiom is used for
conciseness but, for cross-platform portability, a proper subset
of IEC 61131-3 [29], [30] may reveal to be more judicious.
CÔTÉ AND ST-DENIS: COMPONENT-BASED METHOD FOR THE MODELING AND CONTROL OF MODULAR PRODUCTION SYSTEMS 1581

G. Code Generation

The development of a trustworthy code generator along

the lines of the abstract dynamic introduced in the previous
subsection is straightforward given a PLC target. This is
particularly true if the generated intermediate code is also
Structured Text, since it can provide the mechanism to imple-
ment function block (FB) as an architectural unit of reuse to
encapsulate a subsystem [30]. Structuring the implementation
around such units provides two benefits. First, FBs can be
invoked, with an appropriate call signature, and return a result
rather like functions in conventional programming languages.
Their use presents an advantage for implementing the routines
Funcτ () and their binding to Funcσ  (), as illustrated in Fig. 11.
Second, FBs have a state, through the association with data
blocks, which provides a convenient way to implement envi-
ronments of the abstract dynamic. These characteristics help
make the generated code human readable, since the structure
and elements of the abstract dynamic can be recognized
more easily within it. Fig. 12 contains a part of the code
generated for the Winch. The code, written in S7-SCL (the
Siemens version of Structured Text defined in the standard
IEC 61131-3), is intended to run on a Siemens CPU 315PN/DP
PLC connected to a PROFIBUS network.
Overall, the call structure of FB units among themselves
follows the structure in Fig. 10, in which each box repre-
sents an FB unit. The main control loop (called OB1 after
Siemens terminology) systematically calls the FB in depth-first
post-order. The FB signature contains common parameters—
a subsystem number (ssn) and an event number (evn)—to Fig. 12. Code generated for the Winch subcomponent.
distinguish between a call from the main loop and a call from
an inner subsystem. The main loop has a special dedicated component FB receives calls from two sources, OB1 call
subsystem number (OB1_ssn) and defines two events: initial- processing (lines 8–23) must be isolated from subcomponent
ization (OB1_init) and cyclic feedback (OB1_process). An FB FB calls (lines 24–68). In the first case, the code of the routine
receiving a cyclic feedback event from OB1 is expected to Cycle() only deals with synthetic events. According to the
execute the code corresponding to its routine Cycle(). control problem specification of Hooke:f (line 45 in Fig. 7),
In the case of an FB implementing a subsystem derived from the code for the routine Funcclr () is in-lined (lines 13–20).
an elementary component, extra parameters, corresponding In the second case, a two-level case structure dispatches the
to their input/output resources, are appended to its signature call to Funcτ () to the appropriate local Funcσ  (), according
(lines 8, 9, and 12 in Fig. 12). Apart from the initialization to the binding illustrated in Fig. 11. The first-level case
code (lines 19–23), which is isolated from cyclic feedback dispatches on the subsystem number ssn; the second on the
code by a RETURN statement, the FB only contains the event number evn. In this way, call chains always go from
code corresponding to the abstract dynamic (lines 24–51). inner subsystems to outer subsystems and toward the root of
It is generated from the definition of Cycle() in Fig. 4. All the aggregation tree. The lengths of call chains are finite, since
events are processed sequentially, beginning with uncontrol- glue-code insertion forbids looping constructs. The worst case
lable events. For a given event σ , the code corresponding to performance of the scan cycle can even be computed.
Pσ (), Projectσ (), Lactionsσ (), and Funcσ () is in-lined. Only
the call to Funcτ () actually takes the form of a call to the
outer subsystem FB (lines 26, 32, 37, 44, and 46). IV. C ASE S TUDY
Fig. 13 shows the FB implementing a subsystem derived Fig. 14 shows the didactic learning modular production
from the composite component Hooke:f . In this case, a system [31] used as a test bench in the case study. It is
Boolean value is appended to its signature (line 4 in Fig. 13). a part of a complete system (nine individual stations) that
Contrary to an elementary component FB that only accepts assembles a pneumatic cylinder made up of several elements.
main-loop OB1 calls, a composite component FB also receives The version available in our laboratory consists of the first
subcomponent FB calls. In the abstract dynamic, this corre- five stations (distribution, testing, processing, handling, and
sponds to subcomponents calling one of their routines Funcτ (), sorting), plus an homemade returning station added to the
which all return a Boolean result. Hence, the callee must make original system to implement a continuous manufacturing
this result available to the caller upon return. Since a composite process. The distribution station removes a workpiece from the
1582 IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 21, NO. 5, SEPTEMBER 2013
Fig. 13. Code generated for the h subsystem.
Fig. 14. Global view of the didactic learning modular production system.
feed magazine to make it available for the testing station. This
is accomplished by a transfer module, which is a pneumatic
handling device that grabs a workpiece with a vacuum suction
cup and transfers it from between 0° and 180° via a swivel
drive. The testing station determines physical characteristics
(e.g., color, material) of a workpiece using three proximity
sensors with digital output, measures its thickness with an
analog sensor based on a linear potentiometer with voltage
divider tapping, and either rejects it or makes it available to
the processing station via a lift and evacuator. The processing
station comprises a rotary indexed table module, a drilling
module, and a drilled-hole checking module. The table has
four workpiece retainers fixed on a rotating plate that trans-
ports every workpiece from the home position to the end
position, including the drilling and checking positions. The
handling station conveys a workpiece from the end position
of the processing station to either the sorting station or a
slide, based on the result of the drilled-hole checking module.
A rotary cylinder and two linear cylinders permit rotational
motions in the X–Y plane and horizontal and vertical motions
in X- and Z -axes, respectively. The sorting station and the
returning station, which constitute the handling subsystem, are
described in detail in a companion paper [32].
It is not hard to identify and separate the constituent parts of
the modular production system from its description to obtain
its hierarchical representation in terms of elementary compo-
nents, composite components, and subsystems. For instance,
Fig. 15 shows the hierarchical structure of the processing sub-
system, which includes the processing station and the handling
station. In this figure, the names of the physical modules
appear just above the boxes, which represent reusable software
components or local software components (dashed outline).
These names are also used to designate the corresponding
instances of software components. For example, the probe and
the winch are all instances of the same reusable component
Jack111:ce . As shown in Table III, the upper bound of the state-
space size has been estimated at 7.13 × 1013 reachable and
unreachable states (256 for the memories, 8 for the Stopper
or Jack100:ss, 32 for Conveyorts , 864 for the Drill, 24 for
the tester, and 52 488 for the Cranewlr2:f ). It consists of 19
components and 10 memories organized into five levels. The
control specification includes 94 predicates, 84% of which are
reused (2 + 7 + 16 + 11 + 43). An S7-SCL program generated
for this subsystem has 1272 lines of code (without blank and
comment lines, and constant declarations), which corresponds
to an object code of 13 454 bytes. Table III presents the
statistics for the other subsystems. The first two correspond
to the distribution and testing stations.
The last column demonstrates the relevance of the proposed
method to industrial application, since the system used in the
case study, with all its pneumatic, mechanical, and electrical
apparatuses, is similar to those encountered in the manufac-
turing industry. The method has been used successfully in the
systematic derivation of an S7-SCL program with a naive
code generation procedure from the glue code of reusable
components after instantiation. The program has 3590 lines
of source code. The size of the object code is greater than
that obtained from an ad hoc solution programmed using
Sequential Function Chart (36 580 versus 26 718 bytes), since
no code optimization algorithm has been integrated into the
code generator. The run times are less than 350 ms for
synthesizing each control law with Supremica [33] and less
than 1 s for computing each observer with our own C++
CÔTÉ AND ST-DENIS: COMPONENT-BASED METHOD FOR THE MODELING AND CONTROL OF MODULAR PRODUCTION SYSTEMS 1583

TABLE III
S TATISTICS A BOUT THE D EVELOPMENT OF THE C ONTROL S OFTWARE S YSTEM FOR THE M ODULAR P RODUCTION S YSTEM

Distribution Testing Processing Handling Modular

subsystem subsystem subsystem subsystem production system

State-space upper bound 1.10 × 104 5.29 × 104 7.13 × 1013 7.17 × 108 2.97 × 1031
Number of components 5 6 19 13 44
Number of memories 1 2 10 7 22
Number of layers 3 3 5 5 6
Control specification 14 22 15 10 4
Control specification (reuse) 11 14 79 48 213
Total 25 36 94 58 217
Size of source code (LOC) 337 390 1272 901 3590
Size of object code (bytes) 3944 3964 13 454 9948 36 580

maximum number of allocated atoms impacts on automata

maximal size. The run times observed with A LLOY were
significantly higher than those recorded with Supremica and
the C++ program.

Fig. 15. Hierarchical structure of the processing subsystem.
implementation of the algorithm developed by Wong and
Wonham [27]. To the best of our knowledge, this is the first
time that the HCA framework has been adapted to solve a
control problem of substantial size in the context of CBSE.
This also demonstrates how the underlying hierarchical design
method combined with CBSE is scalable.
A previous paper reported an experiment to evaluate
whether it was possible to build a repository of reusable com-
ponents with a SAT-solving approach [32]. The condition (C1)
imposed on Tc as well as consistency of marking, observer, and
controllability properties were formulated with respect to the
specification language A LLOY [34], a symbolic model checker
that uses SAT-solvers to verify the satisfiability of axioms
defined in a model and find counterexamples for properties
(theorems) that should be deduced from these axioms. This
approach is interesting because the A LLOY model developed
for this purpose is concise (about 400 lines) and close to the
mathematical formulation of HCA and SCT. The experiment
was successful for all elementary components. Because of
the limitations imposed by A LLOY, however, it has been
impossible to build some composite components because the
V. C ONCLUSION
The multifaceted method proposed in this paper is based on
knowledge and practices inherited from two fields: SCT and
CBSE. In particular, this paper showed how a formal frame-
work such as HCA can support CBSE to reduce modeling
complexity through abstraction, save a significant amount of
effort during system design through reuse, and avoid error-
prone programming through code generation. It also revealed
that the goal of correctness by construction is not antago-
nistic to scalability and within the scope of domain experts
with no deep knowledge of any control theory. Compared to
related work (e.g., [13] and [17]–[19]), this paper presented a
complementary perspective where CBSE issues were given as
much attention as SCT issues. It is hoped that associating SCT
and CBSE in this fashion will stimulate research in directions
which have so far mostly escaped formal treatment in SCT
despite a clear need for it (e.g., failure detection, diagnostic,
and recovery).
A. Technical Notes with respect to Related Work
While abstraction, reuse, and code generation techniques
have been investigated separately in previous SCT work,
especially in the context of hierarchical control, they are
integrated in a uniform and consistent way in the method
proposed in this paper.
The idea of exploiting both abstraction techniques and
reusable components to develop software hierarchically goes
back to 1970, but it is relatively recent in SCT. On the
one hand, reducing modeling complexity by using abstraction
techniques has been considered many times in the DES com-
munity. Some researchers have, however, mentioned that hier-
archical variants lag far behind in terms of application because
they are disparate and lacking a unifying theme [35]. The main
differences between the methods that combine both horizontal
and vertical aggregations can be given with respect to the
following three points: 1) the mathematical objects to perform
abstraction (e.g., natural projection [17], [18], [20]; causal
map [16]; automaton abstraction [10]); 2) conditions to achieve
1584 IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 21, NO. 5, SEPTEMBER 2013
nonblockingness and/or optimality; and 3) architectural restric-
tions (e.g., limited [12] or unlimited [13] number of levels
in module hierarchies). To appreciate the differences between
such methods, we refer the reader to [20]. Nevertheless, even
though hierarchical variants are based on very different mod-
els and theoretical formulations, deeper examination quickly
reveals many more commonalities among them than differ-
ences in terms of the concepts used. For example, the observer
property in HCA is echoed by strict rules for holon matching
in the STS framework [11] and strict rules for level-wise
controllability and nonblocking in hierarchical interface-based
supervisory control [12], [13]. On the other hand, reusable
components are omnipresent in industrial engineering [36]. In
the DES community, this issue has been tackled independently
of hierarchical control, except by Leduc et al. [12], where
low-level subsystems could be recast as generic models. Stan-
dardized models have been proposed as a means to create
global plant models [37]. Some state-machine templates have
been introduced to program control software systems [35],
[38]. Reuse of subsystem models is one of the main features
of a modeling, analysis, and synthesis tool [39]. However,
the three last solutions do not include robust composition
mechanisms.
As shown in this paper, code generation depends on a model
of the abstract dynamic. Balemi et al. [40] and Cieslack et
al. [41] were amongst the first to study the implementation
aspects of supervisors as theoretically defined in SCT. The
former associated commands and responses to controllable
events and uncontrollable events, respectively. The latter were
preoccupied with the translation of supervisors into executable
code. Charbonnier et al. [42] introduced a new supervised
control schema to force the occurrences of events associated
with commands sent to actuators. Basile and Chiacchio [43]
extended this schema by adding a dispatcher for conflict
resolution. They identified several problems that might arise
in implementing supervisors and defined properties to avoid
them. They also provided code generation algorithms from
automaton or Petri net supervisors. The target code, written
in ST [30], preserves the semantic meaning of the closed-
loop behavior. These solutions are far from satisfying the
goals mentioned in Section III-F, except for code generation.
First, they consider a simpler theoretical framework that does
not support hierarchical aggregation of components. Second,
they pay no attention to a mechanism for component runtime
adaptation since instantiation was not a preoccupation.
Finally, it should be mentioned that several empirical studies
have been conducted to assess the value of SCT and its hierar-
chical variants, in most cases to illustrate theoretical concepts
and show computational benefits of proposed methods. To the
best of our knowledge, only one work has been carried out to
assess a (nonhierarchical) method with a significant number
of industrial examples and case studies [44]. In general, only
one substantial system is used as an illustrative example. The
manufacturing system of the Atelier Inter-établissements de
Productique [11], [45] and a system of automated guided
vehicles [17], [18] served as reference systems. Other specific
manufacturing systems with large state space have also been
used [10], [13], [19], [20]. All these studies ignored the aspects
around a repository of reusable components and a hierarchical
software architecture, as described in Section III. For instance,
abstraction is a means to reduce the state space and thus
computation time for the synthesis of supervisors. Therefore,
interfaces are tied to specific control problem formulations
and a component does not have to represent a meaningful set
of services. It should, however, be noted that the approach
followed by Schmidt and Breindl [20] to develop a solution
for a system comparable to the one used in our case study is in
the same spirit as ours notwithstanding the two latter points.
B. Open Issues
Some issues remain with respect to the work presented
in this paper. First, the component model details in depth
an instantiation mechanism with its underlying creation of
an abstract computational environment. The latter is defined
according to an abstract dynamic independent of machine
architectures. In general, these aspects were lacking in pre-
vious attempts about reusable components in the context of
SCT. The proposed solution, however, could be improved
when considering, for example, the components Cranelr2:f and
Cranewlr2:f . Instead of including the latter in the repository,
instances of this type could be directly obtained from the
former, if the instantiation mechanism made it possible to add
state information in addition to relabeling. Second, the current
implementation on a Siemens PLC was devised for illustration
purposes. The FB call chain and the abstract dynamic are
made obvious in the source code. The disadvantage is that this
implementation does not provide object code reuse. Any call to
an outer subsystem FB must be explicit in the source code. To
obtain object code reuse would require the use of pointers or
a similar mechanism. There seems to be little doubt that such
a mechanism can be provided at the expense of source code
clarity. Finally, the dominant rationale behind the proposed
approach is to create repositories of reusable components
that could pass through a standard certification process that
assesses their reliability. In this way, the substantial work and
effort invested in constructing components can eventually pay
for itself in subsequent years, potentially compounding the
cost savings usually associated with reuse.
ACKNOWLEDGMENT
The authors would like to thank the anonymous reviewers
for their useful comments. They also gratefully acknowledge
the technical support of R. Desrochers and D. Imbeault.
R EFERENCES
[1] J. C. Bicarregui, J. S. Fitzgerald, P. G. Larsen, and J. C. P. Woodcock,
“Industrial practice in formal methods: A review,” in Proc. 16th Int.
Symp. Formal Methods, LNCS 5850. Eindhoven, The Netherlands,
Nov. 2009, pp. 810–813.
[2] J. B. Almeida, M. J. Frade, J. S. Pinto, and S. M. de Sousa, Rigorous
Software Development: An Introduction to Program Verification. Lon-
don, U.K.: Springer-Verlag, 2011.
[3] D. C. Schmidt, “Guest editor’s introduction: Model-driven engineering,”
Computer, vol. 39, no. 2, pp. 25–31, Feb. 2006.
[4] G. T. Heineman and W. T. Councill, Component-Based Software Engi-
neering: Putting the Pieces Together. Boston, MA: Addison-Wesley,
2001.
CÔTÉ AND ST-DENIS: COMPONENT-BASED METHOD FOR THE MODELING AND CONTROL OF MODULAR PRODUCTION SYSTEMS
[5] G. Gössler and J. Sifakis, “Composition for component-based modeling,”
Sci. Comput. Program., vol. 55, nos. 1–3, pp. 161–183, 2005.
[6] M. Broy, “A theory of system interaction: Components, interfaces, and
services,” in Interactive Computation: The New Paradigm, D. Goldin,
S. A. Smolka, and P. Wegner, Eds. Berlin, Germany: Springer-Verlag,
2006, pp. 41–96.
[7] K.-K. Lau, M. Ornaghi, and Z. Wang, “A software component model
and its preliminary formalisation,” in Formal Methods for Components
and Objects (Lecture Notes in Computer Science), vol. 4111, F. S. de
Boer, M. M. Bonsangue, S. Graf, and W.-P. de Roever, Eds. New York:
Springer-Verlag, Nov. 2005, pp. 1–21.
[8] P. J. G. Ramadge and W. M. Wonham, “The control of discrete event
systems,” Proc. IEEE, vol. 77, no. 1, pp. 81–98, Jan. 1989.
[9] H. Flordal, R. Malik, M. Fabian, and K. Åkesson, “Compositional
synthesis of maximally permissive supervisors using supervision equiv-
alence,” J. Discrete Event Dynamic Syst., Theory Appl., vol. 17, no. 4,
pp. 475–504, 2007.
[10] R. Su, J. H. van Schuppen, and J. E. Rooda, “Aggregative synthesis of
distributed supervisors based on automaton abstraction,” IEEE Trans.
Autom. Control, vol. 55, no. 7, pp. 1627–1640, Jul. 2010.
[11] C. Ma and W. M. Wonham, Nonblocking Supervisory Control of State
Tree Structures (Lecture Notes in Control and Information Sciences),
vol. 317. Berlin, Germany: Springer-Verlag, 2005.
[12] R. J. Leduc, B. A. Brandin, M. Lawford, and W. M. Wonham, “Hier-
archical interface-based supervisory control-part I: Serial case,” IEEE
Trans. Autom. Control, vol. 50, no. 9, pp. 1322–1335, Sep. 2005.
[13] R. C. Hill, J. E. R. Cury, M. H. de Queiroz, D. M. Tilbury, and
S. Lafortune, “Multi-level hierarchical interface-based supervisory con-
trol,” Automatica, vol. 46, no. 7, pp. 1152–1164, 2010.
[14] H. Zhong and W. M. Wonham, “On the consistency of hierarchical
supervision in discrete-event systems,” IEEE Trans. Autom. Control,
vol. 35, no. 10, pp. 1125–1134, Oct. 1990.
[15] K. C. Wong, “Discrete-event control architecture: An algebraic
approach,” Ph.D. dissertation, Dept. Electr. Comput. Eng., Univ. Toronto,
Toronto, ON, Canada, 1994.
[16] K. C. Wong and W. M. Wonham, “Hierarchical control of discrete-event
systems,” J. Discrete Event Dynamic Syst., Theory Appl., vol. 6, no. 3,
pp. 241–273, 1996.
[17] L. Feng and W. M. Wonham, “Supervisory control architecture for
discrete-event systems,” IEEE Trans. Autom. Control, vol. 53, no. 6,
pp. 1449–1461, Jun. 2008.
[18] R. C. Hill and D. M. Tilbury, “Incremental hierarchical construction of
modular supervisors for discrete-event systems,” Int. J. Control, vol. 81,
no. 9, pp. 1364–1381, 2008.
[19] K. Schmidt, T. Moor, and S. Perk, “Nonblocking hierarchical control
of decentralized discrete event systems,” IEEE Trans. Autom. Control,
vol. 53, no. 10, pp. 2252–2265, Oct. 2008.
[20] K. Schmidt and C. Breindl, “Maximally permissive hierarchical control
of decentralized discrete event systems,” IEEE Trans. Autom. Control,
vol. 56, no. 4, pp. 723–737, Apr. 2011.
[21] K. C. Wong and W. M. Wonham, “Modular control and coordination of
discrete-event systems,” J. Discrete Event Dynamic Syst., Theory Appl.,
vol. 8, no. 3, pp. 247–297, 1998.
[22] E. Bruneton, T. Coupaye, and J. B. Stefani. (2004). The Fractal
Component Model [Online]. Available: http://Fractal.OW2.org
[23] H. Zhong and W. M. Wonham, “Hierarchical coordination,” in Proc. 5th
IEEE Int. Symp. Intell. Control, vol. 1. Philadelphia, PA, Sep. 1990,
pp. 8–14.
[24] L. Feng and W. M. Wonham, “On the computation of natural observers
in discrete-event systems,” J. Discrete Event Dynamic Syst., Theory
Appl., vol. 20, no. 1, pp. 63–102, 2010.
[25] K. C. Wong, J. G. Thistle, R. P. Malhamé, and H.-H. Hoang, “Super-
visory control of distributed systems: Conflict resolution,” J. Discrete
Event Dynamic Syst., Theory Appl., vol. 10, nos. 1–2, pp. 131–186,
2000.
[26] D. Côté, M. Embe Jiague, and R. St-Denis, “Systems-theoretic view
of component-based software development,” in Proc. 7th Int. Workshop
Formal Aspects Comp. Softw., LNCS 6921. Guimarães, Portugal, Oct.
2010, pp. 163–181.
[27] K. C. Wong and W. M. Wonham, “On the computation of observers in
discrete-event systems,” J. Discrete Event Dynamic Syst., Theory Appl.,
vol. 14, no. 1, pp. 55–107, 2004.
[28] D. Harel “Statecharts: A visual formalism for complex systems,” Sci.
Comput. Program., vol. 8, no. 3, pp. 231–274, 1987.
[29] Programmable Controllers—Part 3: Programming Languages, IEC
Standard 61131-3, 2003.
1585
[30] K.-H. John and M. Tiegelkamp, IEC 61131-3: Programming Industrial
Automation Systems. Berlin, Germany: Springer-Verlag, 2001.
[31] Modular Production System, Festo Didactic GmbH & Company, Denk-
endorf, Germany, 1999.
[32] D. Côté, B. Fraikin, M. Frappier, and R. St-Denis, “A SAT-based
approach for the construction of reusable control system components,”
in Proc. 16th Int. Workshop Formal Methods Ind. Critical Syst., LNCS
6959. Trento, Italy, Aug. 2011, pp. 52–67.
[33] K. Åkesson, M. Fabian, H. Flordal, and R. Malik, “Supremica —
An integrated environment for verification, synthesis and simulation of
discrete event systems,” in Proc. 8th Int. Workshop Discrete Event Syst.,
Ann Arbor, MI, Jul. 2006, pp. 384–385.
[34] D. Jackson, Software Abstractions. Cambridge, MA: MIT Press, 2006.
[35] L. Grigorov, B. Butler, J. E. R. Cury, and K. Rudy, “Conceptual design
of discrete-event systems using templates,” J. Discrete Event Dynamic
Syst., Theory Appl., vol. 21, no. 2, pp. 257–303, 2011.
[36] S. M. Lee, R. Harrison, and A. A. West, “A component-based control
system for agile manufacturing,” Proc. Inst. Mech. Eng., B, J. Eng.
Manuf., vol. 219, no. 1, pp. 123–135, 2005.
[37] F. Wenck, “Decentralized supervisory control of a distributed filling shop
using standardized models,” in Proc. 44th IEEE Conf. Decision Control,
Seville, Spain, Dec. 2005, pp. 3486–3492.
[38] G. Ekberg and B. H. Krogh, “Programming discrete control systems
using state machine templates,” in Proc. 8th Int. Workshop Discrete
Event Syst., Ann Arbor, MI, Jul. 2006, pp. 194–200.
[39] D. Shewa, J. Ashley, and L. Holloway, “Spectoll 2.4 Beta: A research
tool for modular modeling, analysis, and synthesis of discrete event
systems,” in Proc. 8th Int. Workshop Discrete Event Syst., Ann Arbor,
MI, Jul. 2006, pp. 477–478.
[40] S. Balemi, G. J. Hoffmann, P. Gyugyi, H. Wong-Toi, and G. F. Franklin,
“Supervisory control of a rapid thermal multiprocessor,” IEEE Trans.
Autom. Control, vol. 38, no. 7, pp. 1040–1059, Jul. 1993.
[41] R. Cieslak, C. Desclaux, A. S. Fawaz, and P. Varaiya, “Supervisory
control of discrete-event processes with partial observations,” IEEE
Trans. Autom. Control, vol. 33, no. 3, pp. 249–260, Mar. 1988.
[42] F. Charbonnier, H. Alla, and R. David, “The supervised control of
discrete-event dynamic systems,” IEEE Trans. Control Syst. Technol.,
vol. 7, no. 2, pp. 175–187, Mar. 1999.
[43] F. Basile and P. Chiacchio, “On the implementation of supervised control
of discrete event systems,” IEEE Trans. Control Syst. Technol., vol. 15,
no. 4, pp. 725–739, Jul. 2007.
[44] B. A. Brandin, R. Malik, and P. Malik, “Incremental verification and
synthesis of discrete-event systems guided by counter examples,” IEEE
Trans. Control Syst. Technol., vol. 12, no. 3, pp. 387–401, May 2004.
[45] R. J. Leduc, M. Lawford, and P. Dai, “Hierarchical interface-based
supervisory control of a flexible manufacturing system,” IEEE Trans.
Control Syst. Technol., vol. 14, no. 4, pp. 654–668, Jul. 2006.
Daniel Côté received the B.Sc., M.Sc., and Ph.D.
degrees in computer science from the Université
de Sherbrooke, Sherbrooke, QC, Canada, in 1992,
2004, and 2011, respectively.
He has been involved in research for several years
on telecommunications and embedded systems with
Nortel Networks, Ottawa, ON, Canada, and Positron
Fiber Systems, Montreal, QC. His current research
interests include discrete event systems, software
engineering, and formal language theory and its
applications.
Richard St-Denis received the B.Sc. and M.Sc.
degrees in computer science from the Université
de Montréal, Montreal, QC, Canada, in 1975 and
1977, respectively, and the Ph.D. degree in applied
sciences from the École Polytechnique de Montréal,
Montreal, in 1992.
He has been with the Université de Sherbrooke,
Sherbrooke, QC, since 1980, where he is currently
a Professor of computer science, specializing in
software systems, formal languages, and algorithms.
His current research interests include modeling and
control of discrete event systems, formal specification methods, and software
engineering.