Testing Modularity of Local Supervisors: An Approach Based on Abstractions

Patrı́cia N. Pena, José E.R. Cury and Stéphane Lafortune

Proceedings of 8th International Workshop on Discrete Event Systems - WODES’06

10-12 of July, 2006, Ann Arbor, MI, US.
 Testing Modularity of Local Supervisors: An Approach Based on
Abstractions
Patrı́cia N. Pena José E.R Cury Stéphane Lafortune
DAS - Federal University of Department of Automation and Department of Electrical Engineering
Santa Catarina, Brazil Systems (DAS) - Federal University and Computer Science (EECS)
Currently at EECS - The University of Santa Catarina, The University of Michigan,
of Michigan, Ann Arbor, MI, USA Florianópolis, SC, Brazil Ann Arbor, MI, USA
Email: [email protected] Email: [email protected] Email: [email protected]

Abstract— This paper presents an efficient way to detect
conflict in composed systems controlled by local supervisors
designed using the Supervisory Control Theory of discrete
event systems. The idea is to apply the required modularity
test not over the languages implemented by the supervisors,
but over abstractions of the supervisors with some specific
characteristics. The concept of observer and some constraints
on the set of relevant events are the basis for the approach. An
illustrative example is presented.
I. I NTRODUCTION
Discrete-Event Systems (DES) are dynamical systems
with state changes that are driven by discrete events. Some
examples of DES are manufacturing systems and communi-
cation networks. In the early 1980’s, Ramadge and Wonham
started an effort to develop a control theory for DES, under
the formalism of finite state machines (FSMs) and formal
languages. The resulting body of work is known as Super-
visory Control Theory [?]. Despite the significant advances
in recent years, the formal techniques are not being widely
employed in industry. One of the main obstacles in industrial
applications is the complexity of supervisor synthesis as it
involves composition of the specifications and the global
plant. This factor is very restrictive as it may cause state
explosion in large scale systems. Several authors have tried to
overcome this restriction by exploiting aspects of the system,
such as modularity [?] [?] and symmetry [?], [?] among
others. It is worthwhile mentioning references [?], [?], [?]
and [?] that address the problem of controlling concurrent
(usually termed modular) systems through local supervisors.
However, those papers consider only prefix-closed languages.
Most large scale systems are modeled through the com-
position of many smaller subsystems usually representing
concurrent operations and, in general, there are many spec-
ifications that restrict only parts of the global plant. In
many cases, the specifications only intend to synchronize
concurrent subsystems. Modular control, introduced in [?],
is a natural solution to deal with such systems because
it divides the overall task into subtasks and assigns them
to different controllers. The “local modular approach” in
[?], an extension of modular control, not only divides the
tasks in subtasks, but also expresses each specification (and
the corresponding supervisor) only in terms of its “local
plant”. The local plant of a specification is the composition
of the subplants that are affected by the specification. The
advantage of this approach is that it is not necessary to
compose the entire plant in the synthesis of the supervisors,
thereby mitigating the state explosion problem. However, as
there are multiple supervisors, there is the possibility of
getting into a situation of blocking when the supervisors
are combined. In such a case, the supervisors are said to
be “conflicting”. To check if the local supervisors obtained
by modular synthesis are nonconflicting a modularity test
is required. The condition of being nonconflicting is also
termed “modular” in [?], which is the terminology that is
used in this paper. Two or more languages are said to be
modular if whenever they share a prefix, they also share a
word containing this prefix.
Though the local modular approach has solved the prob-
lem of state explosion in the synthesis of supervisors, the
verification of modularity is still problematic. To verify the
local modularity property all the local supervisors must
be composed and this composition may itself cause state
explosion. The problem of conflict occurrence is addressed
in the literature in different ways. Some authors have devel-
oped approaches where the supervisors are nonconflicting by
construction [?]. Others have solved the blocking problem
by using coordinators [?], [?], [?]. Recently, there have been
some works that address the problem of detecting efficiently
the occurrence of conflict [?], [?] and [?].
This paper presents an efficient way to detect the presence
of conflict in systems controlled by local supervisors. The
idea is to apply the modularity test not over the languages
implemented by the supervisors, but over abstractions of the
supervisors. In the worst case, the test based on abstractions
has the same complexity as the original one. In practice,
we have found that the test based on abstractions leads to
computational savings.
In Section ?? we present a review of some basic con-
cepts of languages and automata theory and of Supervisory
Control of DES. Section ?? presents the main results of
the paper followed by an illustrative example in Section ??.
Section ?? presents the conclusions of the paper. Due to
space constraints, proofs of technical results are omitted; they
are available in [?].
 II. P RELIMINARIES
In this section, we recall some concepts and notations as
well as the basic ideas behind the local modular supervisory
control approach. The paper is set in the supervisory control
framework of Ramadge and Wonham [?]. We refer the
reader to [?] or [?] for a detailed introduction to the theory.
In this framework, a DES is modelled as an FSM G =
(Q, Σ, δ, q0 , Qm ), where Q is the set of states, Σ is the set
of events, δ is the transition function, q0 is the initial state,
and Qm is the set of marked states. Σ∗ is the set of all finite
strings of elements in Σ, including the empty string ǫ. A
language is a subset of Σ∗ . The behavior of G, modelled as
a language L(G) ⊆ Σ∗ , is the set of finite strings that G can
generate. G can model a second language, Lm (G) ⊆ L(G),
that is the set of strings that represent completed tasks (or,
equivalently, that end in marked states).
The prefix closure of a language L (represented by L) is
the set of all prefixes of strings in L. A language is said
prefix-closed if L = L.
A. Natural Projections and Observers
The natural projection Pi : Σ∗ → Σ∗i is a map with the
following characteristics:
Pi (ǫ) = ǫ
 have to be obtained. The set of events used to model the
Pi (s) if s ∈ Σ∗ , σ ∈
/ Σi
Pi (sσ) = plant are divided into controllable (the ones that can be
Pi (s)σ if s ∈ Σ∗ , σ ∈ Σi .
In words, the projection erases the events of Σ that are not
in Σi . The concept of natural projection can be extended to
languages as follows:
Pi (L) = {ui ∈ Σ∗i | ui = Pi (u) for some u ∈ L}.
The inverse projection is, then, defined as
Pi−1 (Li ) = {u ∈ Σ∗ | Pi (u) ∈ Li }.
Given a set of languages Li over event sets Σi , i ∈
n
{1, . . . , n} with Σ = ∪ Σi , the notion of inverse projection
i=1
is used to give a formal definition of the synchronous product
(or parallel composition) of languages, as follows:
n
n
|| Li = ∩ Pi−1 (Li ).
i=1 i=1
The property of distributivity of projection over synchronous
product, considered in [?] and extensively used in the proofs
of this paper, is presented below as a proposition.
n
Proposition 1 [?] Let Li ⊆ Σ∗i , i ∈ I = {1, . . . , n}, Σ = ∪
i=1
Σi , Σr ⊆ Σ, PΣ→Σr : Σ∗ → Σ∗r and PΣi →(Σi ∩Σr ) : Σ∗i →
(Σi ∩ Σr )∗ .
n
n
PΣ→Σr || Li = || PΣi →(Σi ∩Σr ) (Li )
i=1 i=1
if Σc ⊆ Σr where Σc = ∪(Σj ∩ Σl ), ∀j, l ∈ I with j 6= l.
The property of projections known as observer property
will be used in this paper. It was introduced in [?] and is
presented as a definition.
Definition 1 [?] Let S ⊆ Σ∗ be a language, Σ′ ⊆ Σ an
event set and θ : Σ∗ → Σ′∗ the natural projection of strings
in Σ∗ to strings in Σ′∗ . If
(∀a ∈ S)(∀b ∈ Σ′∗ ) θ(a)b ∈ θ(S) =⇒
(∃c ∈ Σ∗ ) θ(ac) = θ(a)b and ac ∈ S
then the projection is said to have the observer property.
It is known from [?] that the time complexity of computing
projections is at worst exponential and that the size of the
state space of the FSM that represents the projected language
can increase exponentially with the number of states in
the original system. However, if the projection possesses
the observer property, it is guaranteed that the FSM that
represents the projection always has a number of states not
greater than that of the minimal generator for the original
language and that it can be obtained in polynomial time [?].
The main theoretical result of this paper is based on natural
projections that possess the observer property, as will be seen
in Section ??.
B. Supervisory Control of DES
In order to synthesize supervisors, the models of the
plant and the specifications for the closed-loop behavior
disabled by the supervisor) and uncontrollable (the ones
that cannot be disabled, usually representing the spontaneous
events of the plant). The action of the supervisor over the
plant is to inhibit the occurrence of controllable events in
order to achieve the desired behavior. Sometimes the desired
behavior cannot be achieved. In such cases, the supervisor
will implement the supremal controllable sublanguage of the
desired language, named Sup C(K, Lm (G), where K is the
desired language and Lm (G) is the open-loop behavior of
the plant. Monolithic supervisory control of DES consists
of obtaining one plant and one specification by the compo-
sition of all subplants and specifications, respectively, and
subsequent calculus of a unique supervisor that implements
Sup C(K, Lm (G)).
C. Blocking and Modularity Test
The concept of blocking is related to the idea of not being
able to reach a marked state from some state of the FSM. A
FSM G is said to be nonblocking if Lm (G) = L(G). The
fundamental point is that the conjunction of two (or more)
nonblocking machines may lead to a blocking FSM. In such
a case, we say that the two (or more) FSMs are conflicting.
The modularity test was introduced in [?] to check if
supervisors obtained through the modular approach are non-
conflicting. Let Si be a set of languages, i = {1 . . . n}. The
modularity test consists of checking if the equality below
holds:
n n
∩ Si = ∩ Si . (1)
i=1 i=1
In words, if two or more languages share a prefix, they must
also share a word containing this prefix.
 Σ Σ Σ
Σ3 Σ3 Σ3
Σ1 Σ1 Σ1 Σr
Σr Σr

Σ2 Σ2 Σ2

Σ4 Σ4 Σ4
(a) (b) (c)

Fig. 1. Venn Diagrams of the inclusion of the event sets for n = 4: (a) Σ1 , Σ2 , Σ3 , Σ4 and Σ = Σ1 ∪ Σ2 ∪ Σ3 ∪ Σ4 (b) Initial Σr = Σc = ∪(Σj ∩ Σl ),
∀j, l ∈ I = {1 . . . 4} with j 6= l; (c) Final Σr , after extending initial Σr of (b).

The modularity test in equation (??) can only be applied
when all the supervisors have the same event set. In a
more general case, where the supervisors’ event sets are
different, the modularity test need to be adapted to cope
with this situation. The adapted modularity test, named local
modularity test by the authors in [?], is shown in equation
(??):
n n
|| Si = || Si .
i=1 i=1
The local modularity test can be used to check the non-
conflict property in sets of supervisors obtained through any
method whenever their languages represent the closed-loop
language of their system composed by plant+supervisor. The
test if equation (??) becomes the one in equation (??) when
the event sets of all supervisors are the same.
As can be seen in equation (??), to perform the test, all
supervisors have to be composed, what may lead to state
explosion.
D. Notation
n
Consider the event set Σ = ∪ Σi , the languages Si ⊆ Σi
i=1
and, Σr ⊆ Σ as being the set of events considered relevant
to the conflict. The natural projections that lead to the
abstractions are named θi : Σ∗i → Σ′∗ ′
i where Σi = Σi ∩ Σr
∗ ∗ ′∗
and θ : Σ → Σr . So, we have that θi (Si ) ⊆ Σi represents
the abstraction of Si . The event set Σc is the set of events
that are shared by any two or more supervisors, namely
Σc = ∪(Σj ∩ Σl ), ∀j, l ∈ I = {1 . . . n} with j 6= l.
III. M AIN R ESULTS
One important outstanding problem in the application
of modular supervisory control to actual systems is the
computational complexity of the modularity test in equation
(??). This section presents a novel modularity test performed
over abstractions of the supervisors obtained by the natural
projection of these supervisors to a subset of their events.
More precisely, the objective is to identify sufficient con-
ditions for the desired abstractions, denoted by θi (Si ) for
supervisor Si , so that the following property holds:
n n n n
|| θi (Si ) = || θi (Si ) ⇐⇒ || Si = || Si .
i=1 i=1 i=1 i=1
The abstractions θi (Si ), in our approach, have the charac-
teristics listed below:
1) common events are in Σr i.e., Σc ⊆ Σr ;
2) observer property.
Hereafter, we call an abstraction satisfying the observer
property an OP-abstraction. All the results presented in this
paper rely in a set Σr that contains all events that are
shared by more than one supervisor. Figure ?? presents an
illustration of those sets of events.
In order to show equation (??), we first establish the
(2) following lemma. The proofs of Lemma ?? and Theorems
?? and ?? are omitted in the paper, but are available in [?].
Lemma 1 Let Si ⊆ Σ∗i , s ∈ Σ∗ , t ∈ Σ∗r , the projections θi ,
θ, PΣ→Σi be defined as before. Assume that Σj ∩ Σl ⊆ Σr ,
n
∀j, l ∈ I = {1, . . . , n} with j 6= l . If θ(s)t ∈ || θi (Si ) then
i=1
∃ti ∈ Σ′∗
i , ∀i ∈ I, such that the following statements are
true:
n
i. θ(s)t ∈ || θi (PΣ→Σi s)ti
i=1
ii. θi (PΣ→Σi s)ti ∈ θi (Si )
n n
iii. || θi (PΣ→Σi s)ti ⊆ || θi (Si ).
i=1 i=1
Theorem ?? presents the main theoretical result of the
paper.
Theorem 1 Using the definitions presented before, if the
natural projections θi (Si ), ∀i ∈ I, are OP-abstractions and
if Σj ∩ Σl ⊆ Σr , ∀j, l ∈ I with j 6= l, then
n n n n
|| θi (Si ) = || θi (Si ) ⇐⇒ || Si = || Si .
i=1 i=1 i=1 i=1
Theorem 1 shows that it is indistinctive to take the mod-
ularity test over the supervisors or over their abstractions.
Since the abstractions are OP-abstractions, they will have,
in general, state space smaller than the original supervisors.
The composition of the abstractions is not necessarily smaller
than the composition of the original supervisors though.
However, Theorem ?? shows that the composition of OP-
abstractions will be also an OP-abstraction.
(3) Theorem 2 Using the definitions presented before, if, ∀i ∈
I , the natural projections θi (Si ) are OP-abstractions and if
n

Σj ∩ Σl ⊆ Σr , ∀j, l ∈ I with j 6= l then θ || Si is also an
i=1
OP-abstraction.
 Mill 66
4 65 12
74 74

41 42 66
2 9
73
B3 73 72
6
11 12 B5 61
C1 B1 36 66 39
32 35 72

64 8
31 s ta rt

0 66
38 63 72
Robot B6 AM 30 1
30 66 7
39 14
33 30 13 30
66 39 30
21 22 65 71 66
C2 B2 34 37,39 39 66
11 5 15 10
B7 66
3
71
72
B4
71 74
72
51,53 52,54
72
C
Lathe
72 73
Fig. 4. Supervisor S1
B8

81 82

PD Thus, in order to apply the result of Theorem ??, we

propose the following procedure:
Fig. 2. Flexible Manufacturing System 1) Define as the initial set of relevant events, the set of
events that are common to more than one supervisors;
39 66
Robot AM 2) Define the initial local relevant events for each super-
30
65
visor Si as the intersection of the set obtained in Step
B7
1 with Σi ;
71 74
3) Apply the algorithm presented in [?] to each supervisor
C in order to get extensions of those initial observable
72 73 events sets, leading to OP-abstractions.
B8 All the events that are rendered observable by applying
81 82 the algorithm in [?] to a particular supervisor are necessarily
PD
not shared with any other supervisor. Thus, the algorithm can
be applied to all supervisors independently and concurrently.
Fig. 3. Diagram of the partial problem The final set of relevant events is composed of the initial set
of relevant events (obtained in Step 1) and the extensions
returned by the algorithm (Step 3) when applied to each
Theorem ?? together with Proposition ?? shows that if supervisor.
all abstractions θi (Si ) are OP-abstractions, their composition The next section presents an example where the modular-
n n
|| θi (Si ) = θ( || Si ) is also an OP-abstraction. From [?], ity test over abstractions is performed and compared with
i=1 i=1 the original modularity test. It shows a reasonable reduction
we can say that the minimum automaton that represents the
n of complexity when testing modularity over abstractions.
language θ( || Si ) has, in the worst case, the same number
i=1
of states as the minimum automaton that represents the lan- IV. E XAMPLE
n
guage || Si . Namely, the modularity test over abstractions Consider the Flexible Manufacturing System (FMS) de-
i=1
will have, in the worst case, the same size as the original scribed in [?]. It produces two types of products from raw
modularity test. blocks and raw pegs: a block with a conical pin on top (Prod-
The problem of obtaining abstractions with the observer uct A) and a block with a cylindrical painted pin (Product
property is addressed in [?] and [?]. The first paper presents B). The FMS consists of eight devices: three conveyors (C1 ,
a method to refine a causal reporter map to obtain an optimal C2 and C), a Mill, a Lathe, a Robot, a Painting Device (PD)
observer (with the smallest refinement) in polynomial time. and an Assembly Machine (AM) (Fig. ??). The devices are
This algorithm requires some relabeling of events, what is connected through buffers Bk , k = {1, . . . , 8}, each with
not permitted in natural projections. Reference [?] adapts the capacity for one part. The control problem is to give maximal
algorithm presented in [?] to deal with natural projections. It degree of freedom to the FMS while avoiding overflow or
shows that the problem of finding a minimal extension to a underflow of parts in the buffers. The liveness specifications
given initial set of relevant events (in this context, sometimes are: the supervisor should not prevent the manufacture of
referred to as observable events) to attain an OP-abstraction Product A and Product B nor should it prevent the Lathe from
is NP-hard. Nevertheless, it proposes a polynomial (with operating simultaneously with the Mill. Furthermore, the
respect to states and transitions) algorithm that returns a supervisor should not prevent the buffers Bi , i = {1, . . . , 6}
reasonable extension, not necessarily minimal, of the set of from becoming empty and the buffers B7 and B8 from
observable events, such that the required observer property becoming simultaneously empty. The controllable events are
holds. labeled by odd numbers.
 30

6
39
66
39 72
4 72
39 66
66 7 30
3 66 30 23
71 21
39 72 9
72 66
2 66 71 20
30 81
72 19 30 26 81
1 66 30 24
39
18 72 39
s ta rt

0 39
66 10 30
81
65 17 66 12
22 66
82
5 66 81
81
29 82
81
66 39 66
25 27 30 32 15
8 30
82 82 82 30
16 82
74
11 73 30 13
66 39 66
14 28
73
39

66 31 74
33
66

Fig. 6. Modularity test (S1 ||S2 )

72 81 82
71 1 2 3 4 73
s ta rt

0 5 72
74
71 39
30 5 6 30
1 3
72 7
Fig. 5. Supervisor S2 39
72

s ta rt

0 65

It turns out that the supervisors built using the local 73 74 4

modular approach [?] lead to a situation of conflict. Upon 2
inspection, it is determined that the conflict is caused by
the supervisors responsible for controlling underflow and Fig. 7. Abstraction θ1 (S1 )
overflow of buffers B7 and B8 . To illustrate the result of
this paper on an example of moderate scale, we consider 6
72 9 81

only those two supervisors, hereafter named S1 (for buffer 30 30

30
12 82
30 15
B7 ) and S2 (for buffer B8 ). The FMS is reduced to the 4 72
7
81
10 82
13
39 39 39
system shown in Fig. ??. The supervisors S1 and S2 are 72
39

71 3 5 81
presented in Figs. ?? and ??, respectively. 39 1
30 2 8 82
11
73
14 74
0 16
The local modularity test consists of checking if the
s ta rt

65

parallel composition of S1 and S2 is nonblocking. In Fig. ??

we show that it is blocking (from the rightmost state (15), it Fig. 8. Modularity test over the abstractions θ1 (S1 )||S2
is not possible to reach a marked state).
To perform the test with the abstractions, we first should
determine what are the events that must be in the relevant Notice that it was possible to detect the conflict occurrence
set Σr . As mentioned before, Σr must contain all events in a simpler (less states and transitions) modularity test.
that are common to more than one supervisors (Σc = Comparing Fig. ?? with Fig. ??, a reduction in the size of
{71, 72, 73, 74} ⊆ Σr ). It was determined that the projection the test from 34 states and 62 transitions to 17 states and 23
of S1 to the subset {30, 39, 65, 71, 72, 73, 74} is an OP- transitions can be noticed.
abstraction. This abstraction of supervisor S1 is presented
in Fig. ??. V. C ONCLUSIONS
It was not possible to find an abstraction with the required In this paper, we presented a novel modularity test based
characteristics for S2 . Fortunately, that is not a problem since on abstractions of the supervisors (obtained through natural
we can just treat S2 as an observer of itself, meaning that projections) with some specific characteristics, such as being
θ2 (S2 ) = S2 . OP-abstractions.
The modularity test over the abstractions consists of Obtaining an abstraction with the observer property is a
taking the parallel composition of θ1 (S1 ) and θ2 (S2 ) (or difficult problem, especially if the original supervisor has a
equivalently θ1 (S1 )||S2 ) and checking if it is nonblocking. large state space. However, if the supervisor is built using
Figure ?? shows the result of the test. It can be seen approaches such as the local modular control, the resulting
that it is not possible to reach a marked state from some supervisor will tend to be small. In addition, the complexity
states (for example state 15, the upper rightmost state). of obtaining the abstractions does not necessarily increase
when adding more subsystems and specifications, since they
are obtained locally.
ACKNOWLEDGMENT
The first author is supported by CNPq, and the second is
supported in part by CNPq grant 300953/93-3. The research
of the third author is supported in part by NSF grant CCR-
0325571 and by ONR grant N00014-03-1-0232.