

340 IEEE TRANSACTIONS ON AUTOMATION SCIENCE AND ENGINEERING, VOL. 4, NO. 3, JULY 2007

Control of Nondeterministic Discrete Event Systems for Simulation Equivalence

Changyan Zhou, Member, IEEE, and Ratnesh Kumar, Fellow, IEEE

Abstract—This paper studies supervisory control of discrete event systems subject to specifications modeled as nondeterministic automata. The control is exercised so that the controlled system is simulation equivalent to the (nondeterministic) specification. Properties expressed in the universal fragment of the branching-time logic can equivalently be expressed as simulation equivalence specifications. This makes the simulation equivalence a natural choice for behavioral equivalence in many applications and it has found wide applicability in abstraction-based approaches to verification. While simulation equivalence is more general than language equivalence, we show that existence as well as synthesis of both the target and range control problems remain polynomially solvable. Our development shows that the simulation relation is a preorder over automata, with the union and the synchronization of the automata serving as an infimal upperbound and a supremal lowerbound, respectively. For the special case when the plant is deterministic, the notion of state-controllable-similar is introduced as a necessary and sufficient condition for the existence of a similarity enforcing supervisor. We also present conditions for the existence of a similarity enforcing supervisor that is deterministic.

Note to Practitioners: Abstraction or unmodeled dynamics can lead to nondeterminism that causes a system to transition to one of many states when certain events occur at certain states. For nondeterministic systems, specifying the usual state-sequencing constraints may not be adequate and state-branching constraints may also need to be specified, such as: All paths contain a state starting from where all future states satisfy a certain property. Such a property is not expressible as language equivalence, but can be expressed using the more general simulation equivalence. Simulation equivalence can specify all state-sequencing properties and the universal state-branching properties. The present paper studies the control of a (nondeterministic) system so that the controlled system satisfies a simulation equivalence specification. A main contribution is to show that, as is the case with language equivalence specifications, the control problem can be solved polynomially. Specializations to deterministic systems and deterministic controls are also considered.

Index Terms—Discrete event systems, nondeterministic control, nondeterministic specification, nondeterministic systems, simulation equivalence, supervisory control.

Manuscript received April 24, 2006. This paper was recommended for publication by Associate Editor S. Reveliotis and Editor N. Viswanadham. This work was supported by the National Science Foundation under Grants NSF-ECS-0218207, NSF-ECS-0244732, NSF-EPNES-0323379, NSF-ECS-0424048, and NSF-ECS-0601570.

C. Zhou is with the Industrial and Enterprise Systems Engineering at the University of Illinois at Urbana-Champaign, Urbana, IL 61801 USA (e-mail: [email protected]).

R. Kumar is with the Department of Electrical and Computer Engineering, Iowa State University, Ames, IA 50011 USA (e-mail: [email protected]).

Digital Object Identifier 10.1109/TASE.2006.891474

I. INTRODUCTION

NONDETERMINISM in systems arises due to the presence of unmodeled dynamics or because of abstraction.

For nondeterministic systems, several notions of behavioral equivalence that are finer than the language equivalence, such as failures, refusal-trace (or trajectory), ready-trace, simulation, and bisimulation [26] have been proposed, with the objective of specifying the state-branching properties besides the state-sequencing properties. The bisimulation equivalence is the most expressive and allows the specification of the full set of branching constraints (such as nonblocking). On the other hand, none of the branching constraints can be specified using the language equivalence. So the choice of behavioral equivalence employed depends on the application at hand and there is a tradeoff between the expressivity and the complexity. For example, while the language equivalence control problem is polynomially solvable [9], [20], the complexity for bisimulation equivalence control is doubly exponential [27].

In this paper we study control for simulation equivalence, whose expressiveness is in between the language and the bisimulation equivalences. Being more general than the language specification, the simulation equivalence can express all types of sequencing constraints, but being less general than the bisimulation equivalence it can only specify the universal constraints on the branching behaviors (i.e., the constraints that all branching behaviors must satisfy). So, for example, nonblocking, which requires the existence of a path to a final state from each reachable state (note an existential quantifier is used in this statement), cannot be expressed via simulation equivalence. An example of a property that can be expressed using the simulation equivalence but not using the languages is: All paths contain a state starting from where all future states satisfy a certain property. (Note no existential quantifier is used in this statement.) The simulation equivalence can express specifications in the temporal logic of (the universal fragment of ) [16]. The expressivity of simulation equivalence may suffice for certain applications, in which case the more general requirement of bisimulation equivalence need not be imposed. As is demonstrated in this paper, such a choice results in a complexity gain (the simulation equivalence control problem remains polynomially solvable).

The control of nondeterministic plants is studied in [4], [5], [8], [10], [11], [17], and [23] for language, failures, and trajectory specifications. Reference [6] studied the control of deterministic plants subject to temporal logic specifications, generalizing the work reported in [1] which used CTL to express specification. A comparison with the works in [2] and [12]–[14]

1545-5955/$25.00 © 2007 IEEE


ZHOU AND KUMAR: CONTROL OF NONDETERMINISTIC DISCRETE EVENT SYSTEMS 341

is also given in [6]. In [18], the authors studied the problem of synthesizing a supervisor so that the controlled system is bisimilar to a deterministic specification. [15] studied control for simulation or bisimulation equivalence for a partial specification (defined over an "external event set"). The plant is taken to be deterministic and all events are treated controllable. Further, it is required that all indistinguishable events be either all enabled or all disabled at a state. [24] studied the controller synthesis problem for deterministic plants subject to a possibly nondeterministic partial specification such that a controlled system is bisimulation or simulation equivalent to a specification. This is the same problem as that studied in [15] except the aforementioned control requirement is removed. Control of nondeterministic plants subject to bisimulation equivalence using nondeterministic supervisors has recently been studied in [27]. Reference [2] studied the synthesis of controllers for deterministic plants subject to μ-calculus based specifications under partial observation, where the observation mask is restricted to be projection type. (A μ-calculus specification is equivalent to a bisimulation equivalence specification.) Control for μ-calculus specifications is also studied in [19], [22].

As discussed before, the simulation equivalence can be an adequate notion of equivalence for certain applications (where one is concerned with properties of all sequencing/branching behaviors). We show that the complexity of verifying the existence of a simulation equivalence enforcing control is linear in the plant size and quadratic in the specification size. Also, when the existence condition is met, a supervisor of size linear in the size of the specification can be synthesized. Similar complexity results hold also for the range control problem (the existence condition can be verified linearly in the sizes of the plant, the lower and the upperbound specifications, and synthesis can be performed linearly in the size of the lowerbound specification).

We first establish that the set of all automata having a common event set, endowed with the simulation relation, is a prelattice, and consequently (nonunique) infimal and supremal elements exist for a given set of automata. We show that synchronization of automata gives an infimal element, whereas the union of automata gives a supremal element. Using these results we show that the class of similarity enforcing supervisors possesses an infimal element and present a linear algorithm for computing it. The algorithm is similar in spirit to one given in [3], which studied the control in the deterministic setting.

We specialize our results to the setting when the plant is deterministic. In this setting, the existence condition is given by state-controllable-similar, which is a new concept introduced in this paper. We show that the notion of state-controllable-similar is stronger than that of language-controllable (which serves as an existence condition for the language equivalence enforcing control) and weaker than the notion of state-controllable (which serves as an existence condition for the bisimulation equivalence enforcing control for deterministic plants [27]). As such, the condition of state-controllable-similar is stronger than the condition for the existence of a similarity enforcing supervisor for nondeterministic plants, but the two conditions become equivalent for deterministic plants.

As a final result, we obtain a condition for the existence of a similarity enforcing supervisor that is also deterministic. Requiring the supervisor to be deterministic makes the problem computationally more expensive, and stronger conditions must hold for the supervisor's existence. This situation is somewhat similar to control under partial observation for language equivalence. The deterministic supervisor synthesis problem in that setting is known to be NP-complete [25], but it is shown to be of polynomial complexity when the supervisor is allowed to be nondeterministic [9]. Our results establish that a nondeterministic supervisor is preferable over a deterministic one for similarity enforcing control. Issues regarding the implementation of nondeterministic supervisors are discussed in [9].

II. NOTATION AND PRELIMINARIES

Automata are used to model discrete event systems at the logical level. A nondeterministic automaton is a 5-tuple , where is the set of states, is the alphabet of events, is the state transition function (where is a label for "silent" transitions), is the set of initial states, and is the set of final states. For notational convenience, we define . A triple such that is called a transition. For , we define to represent the set of events defined at state . denotes the set of all finite sequences of events in , called traces, and includes the zero length trace, denoted .

The -closure (denoted as ) of is the set of states reached by the execution of zero or more -transitions from state . By using the -closure map, we can extend the definition of the transition function from events to traces , which is defined inductively as ;

, wherefor , and

. Similarly, for ,.

The language generated (respectively, marked) by , denoted by (respectively, ). is the set of sequences of events generated starting from an initial state (i.e., ) and is the set of generated sequences that end in a marked state (i.e., ). Two automata and , where and , are language equivalent if and . Language equivalence preserves the safety properties of the LTL temporal logic.

Define the union of and (assuming their state sets to be disjoint, and otherwise using a renaming of states) as the automaton

where for , and

ifif

Given two automata and , a simulation relation is a binary relation over the states of such that implies



1) , such that ;
2) .

We write to denote that there exists a simulation relation with , read as is simulated by . We sometimes omit the subscript from when it is clear from the context.

is said to be simulated by , denoted as , if there exists a simulation relation such that for all , there exists with . This last fact is concisely written as . Also note that implies .

Given two automata and , is a similarity relation if there exist simulation relations such that , and

We write to denote that there exists a similarity relation such that , read as and are simulation equivalent or similar. We sometimes omit the subscript from when it is clear from the context. and are simulation equivalent (or similar), denoted as , if there exist simulation relations and such that and and . Note that a similarity relation need not be an equivalence relation (as it need not be symmetric); however, the similarity of automata is an equivalence relation. Simulation equivalence preserves the properties belonging to the universal fragments of and μ-calculus temporal logics.

A simulation relation is called a bisimulation equivalence relation if it is symmetric. For a bisimulation equivalence relation , if , then and are called bisimilar, written as (or simply when is clear from context). and are bisimulation equivalent (or bisimilar), denoted as , if there exists a bisimulation relation such that for all , there exists with . Note that implies . Bisimulation equivalence preserves the properties expressed in the temporal logics of and μ-calculus.

Remark 1: Existence of a simulation relation, or a simulation or bisimulation equivalence between a pair of automata and can be checked linearly in the sizes of and . However, checking the language equivalence of and is exponential in the sizes of and .

The following example illustrates the concepts defined before.

Example 1: Consider the automata , , shown in Fig. 3 (as part of Example 3). There exists a simulation relation between and , where

that is, . Also, a simulation relation exists between and , where

that is, . Therefore, .

However, (respectively, ) since state 2 in (respectively, state in ) is not simulated by any state in (no state in has both the events and defined). Note that this example shows that although , , and further it can be verified that .

The purpose of control of a DES, called a plant, is to restrict its behavior in order to prevent certain undesirable behavior by dynamically disabling certain controllable events [21]. Such a controller is called a supervisor, which can be modeled as another automaton operating in synchronous composition with the plant. Given two automata and , where and

, the synchronous composition of and is the automaton

where for , ,

ifif

III. PRELATTICE OF AUTOMATA UNDER SIMULATION RELATION

In this section, we show that the simulation relation serves as a preorder for the set of all automata defined over a common event set, and also that the set of automata defined over a common event set together with the simulation relation preorder constitutes a prelattice.

Definition 1: [7] Given a set , a preorder over , denoted , is a transitive and reflexive relation, in which case the pair is called a preordered set. Given , is said to be a supremal of if

• (upperbound): ;
• (least upperbound): .

Similarly, is called an infimal of if

• (lowerbound): ;
• (greatest lowerbound): .

Note that supremal and infimal, when defined with respect to a preordered set, are not unique. However, if and are two supremal or infimal elements of , then it holds that and . Since a preorder is not antisymmetric we cannot claim that , and so the uniqueness of supremal/infimal does not hold. We denote the set of all supremals and infimals of by and , respectively.

Definition 2: [7] A preordered set is said to be a prelattice if , and for any finite . It is said to be a complete prelattice if the same holds for any .

We next consider the set of all automata over a fixed alphabet and the simulation relation over this set. It is known that the simulation relation is transitive (refer to [27]) (i.e., given automata , and , if and , then ). Also, for any automaton , it holds that , implying the reflexivity of the simulation relation. However, and only implies but not (i.e., antisymmetry does not hold). Therefore, the pair is a preordered set.

In the following, we establish that the automata-union (respectively, automata-synchronization) yields a supremal (respectively, an infimal) element.

Theorem 1: Given and , .

Proof: From the definition of automata union, and are "subautomata" of and so it is easy to see that and (i.e., is an upperbound for ). Next, we show that it is a least upperbound (i.e., and implies ). Notice that implies and implies . This implies for ,2, for each there exists such that . Since the set of transitions of is the union of the sets of transitions of the two automata, this implies that for each , there exists such that . Since the initial state set of is , it follows that .

Theorem 2: Given and , .

Proof: We first prove that is a lowerbound (i.e., and ). By the reflexivity property of the simulation relation, there exists such that . Define a simulation relation by

Then, it can be seen that is a simulation relation, and so . Similarly, we can show .

Next, we prove that is a greatest lowerbound (i.e., and implies ). In order to show , define

implies for ,2. Since , it follows that ; this further implies . This means for every such that there exists with , there exists such that for . So above is well defined and serves as a simulation relation for establishing .

The following corollary follows from Theorem 2 and provides a property of the simulation order.

Corollary 1: Given automata , , , implies and .

IV. SUPERVISORY CONTROL FOR SIMULATION EQUIVALENCE

In this section, we study the control of a (nondeterministic) plant to ensure simulation equivalence of the controlled plant and a given (nondeterministic) specification. In what follows, we represent a plant, a specification, and a supervisor by , , and , respectively.

For control purposes, the event set is partitioned as , where and denote the sets of uncontrollable and controllable events, respectively. Since a supervisor cannot disable an uncontrollable event, the notion of -compatibility of a supervisor is introduced.

Definition 3: A supervisor is -compatible if each uncontrollable event is defined at each state of .

In order to find a -compatible similarity enforcing supervisor we examine the class of all such that . It turns out that this class possesses an infimal element, and we provide an algorithm for the computation of such an element.

The following lemma is needed before we proceed.

Lemma 1: Given and , it holds that .

Proof: By Theorem 2, and . Also, since and , it follows that and . Therefore, by Theorem 2, we have .

Let -compatible . The following lemma shows that possesses an infimal element.

Lemma 2: implies .

Proof: We need to prove is -compatible and . Since and are -compatible, from Definition 3, it is obvious that is -compatible. Next we show , for which we need to show and . For ,2, implies , which further implies . From Theorem 2, we have . Next note that and (follows from Lemma 1). So from Lemma 1, we have (i.e., ). Similarly, one can show .

Next we present an algorithm for computing an element of when is nonempty.

Algorithm 1: Suppose , and are such that . Then the following algorithm computes an automaton . , where:

ififif

In other words, is obtained by adding in an extra dump state and adding the "missing" uncontrollable transitions from each state to the dump state.

The following theorem proves the correctness of the algorithm.

Theorem 3: Algorithm 1 is correct (i.e., is -compatible and implies ).

Proof: From the construction of , we know that each is defined at each state of . So is -compatible. To prove the infimality of under nonemptiness of , we need to prove that if there exists a -compatible such that , then and . We first prove . Note that implies . Using the fact that is -compatible, it can be shown that , where



Next, since , from Lemma 1, . This together with the fact implies . It remains to show that . Since is obtained by adding an extra state and extra transitions, it is obvious that . The fact follows from the fact that . This completes the proof.

The following result follows from Theorem 3 and provides a necessary and sufficient condition for the existence of a similarity enforcing supervisor.

Theorem 4: Given and , there exists a -compatible supervisor such that if and only if (or equivalently, ), where is as computed in Algorithm 1. Further, when the existence condition holds, can be chosen as a supervisor.

Proof: Sufficiency is obvious since can be chosen as . For necessity, suppose the desired exists. Then and so from Theorem 3, . Since , the necessity follows.

Remark 2: The complexity of checking is linear in the size of the plant and quadratic in the size of the specification, whereas can be checked linearly in the sizes of and . Also, can be used as a supervisor, which can be computed linearly in the size of . ( has just an extra added state and compared to .)

So far we have studied the "target" control problem when the controlled system and specification are simulation equivalent (i.e., ). This is equivalent to saying , which is a special case of a more general "range" control problem . Here the automaton specifies a minimally adequate behavior, whereas the automaton specifies a maximally acceptable behavior. Note that in a "target" control problem, . In the remainder of the section we extend our results to the range control problem.

Given an automaton and the set of uncontrollable events, we have shown the computation of in Algorithm 1. We show in the next lemma that the simulation relation is preserved under such a computation.

Lemma 3: Given , it holds that .

Proof: implies there exists a simulation relation such that . Also

Define a relation as

Then it is easy to see that is a simulation relation and .

We next present a necessary and sufficient condition for the "range" control problem.

Theorem 5: Given plant and lower and upperbound specifications , there exists a -compatible supervisor such that if and only if and . Further, when the existence condition holds, can be chosen as a desired supervisor.

Proof: (If) Let , where is constructed by Algorithm 1 and is -compatible. Then and implies , which together with yields . This proves the sufficiency.

(Only If) By Corollary 1, implies . It remains to show that . Suppose ; then implies . By Lemma 3, implies . By Lemma 1, we have . Also, implies ; then by Theorem 4, . Combining the previous inequations yields . This completes the proof.

Remark 3: The complexity for checking is linear in the sizes of , and . Also, from the proof of Theorem 5, can serve as a supervisor for the "range" control problem, where can be computed linearly in the size of the lowerbound specification .

The following example serves to illustrate the simulation equivalence enforcing control.

Example 2: Consider a simple vending machine that delivers a cookie or a candy in exchange for a coin, whose state machine model is shown in Fig. 1. Upon getting a coin, the vending machine nondeterministically transits to one of two states. At each state, the user can wait for a delivery or push a button. In the first state, if the user chooses to wait, the machine times out delivering a cookie; whereas if the user chooses to push the button, the machine transits to the second state and remains there with additional pushes of the button. In the second state, the pushing of the button does not cause a state change, but when the user opts to wait, the machine times out and delivers either a candy or a cookie. Once a delivery is completed, the machine returns to its initial state. The timeout event is deemed uncontrollable, whereas the other events are controllable.

Note that in the above vending machine example it is not possible for a user to receive a candy with certainty, which is an undesirable behavior. To rectify this situation, a desired specification is shown in Fig. 1. According to the specification, after a user inserts a coin, the vending machine nondeterministically transits to one of two states. However, regardless of the state reached, if the user chooses to wait, the machine delivers a cookie; whereas if the user chooses to push the button at least twice (before timeout), the machine delivers a candy. If the user opts to push the button once and then to wait, then the machine delivers a cookie or a candy depending on the initial nondeterministic transition made. Note that since the specification allows such a nondeterministic choice, it is not adequate to use a language to capture the behavior of the specification.

The above specification can be expressed in a temporal logic syntax as follows. After receiving a coin, for all paths, deliver a cookie if the button is not pushed (before timeout); deliver a candy if the button is pushed at least twice (before timeout); deliver a cookie or a candy if the button is pushed only once (before timeout). This is an instance of a "universal" temporal logic specification (no existential quantifier is needed to express the specification). Since a universal temporal logic specification is preserved under simulation equivalence, it suffices to require that the controlled plant and specification be simulation equivalent.

Our goal is to find a -compatible supervisor for the vending machine such that . We first check whether


Fig. 1. Model G of vending machine (left) and its specification R (right).

Fig. 2. R (left) and G‖R (right).

. We find the following simulation relation exists between and :

implying . Next, we check whether . We construct using Algorithm 1, and the result is depicted in Fig. 2. The synchronous composition of with plant , namely

, is shown in Fig. 2. The following simulation relation exists between and :

implying . It follows from Theorem 4 that there exists a -compatible supervisor to enforce simulation equivalence between the controlled system and the specification, and

serves as such a supervisor.
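The simulation check that Example 2 (and the later examples) rests on, as an added example that is not part of the paper: a greatest-fixpoint computation of the largest simulation relation between two nondeterministic state machines, run on a plant G and a specification R constructed here from the Example 2 description (the paper's Fig. 1 is not reproduced, so the state names and the modelling of deliveries as `cookie`/`candy` events following a `timeout` are assumptions). It also determinizes R by subset construction to show the point made in Sections V and VI that the deterministic generator of the specification language is not simulation equivalent to the nondeterministic specification.

```python
from itertools import product

class NSM:
    """Nondeterministic state machine given by an initial state and (state, event, next) triples."""
    def __init__(self, init, triples):
        self.init = init
        self.trans = {}  # (state, event) -> set of successor states
        for s, e, t in triples:
            self.trans.setdefault((s, e), set()).add(t)
        self.states = ({init} | {s for s, _ in self.trans}
                       | {t for ts in self.trans.values() for t in ts})
    def succ(self, s, e):
        return self.trans.get((s, e), set())
    def events(self, s):
        return {e for (x, e) in self.trans if x == s}

def largest_simulation(a, b):
    """Greatest fixpoint over state pairs: drop (x, y) whenever some move x --e--> x' of `a`
    has no matching move y --e--> y' of `b` with (x', y') still in the relation."""
    rel = set(product(a.states, b.states))
    changed = True
    while changed:
        changed = False
        for x, y in list(rel):
            matched = all(any((x2, y2) in rel for y2 in b.succ(y, e))
                          for e in a.events(x) for x2 in a.succ(x, e))
            if not matched:
                rel.discard((x, y))
                changed = True
    return rel

def simulated_by(a, b):
    """True iff `a` is simulated by `b`: the initial states lie in the largest simulation."""
    return (a.init, b.init) in largest_simulation(a, b)

def simulation_equivalent(a, b):
    return simulated_by(a, b) and simulated_by(b, a)

def determinize(a):
    """Subset construction: the deterministic generator of the language of `a`."""
    start = frozenset([a.init])
    triples, seen, todo = [], {start}, [start]
    while todo:
        cur = todo.pop()
        for e in {e for s in cur for e in a.events(s)}:
            nxt = frozenset(t for s in cur for t in a.succ(s, e))
            triples.append((cur, e, nxt))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return NSM(start, triples)

# Constructed plant G (assumed model, not the paper's Fig. 1): a coin leads
# nondeterministically to q1 or q2; waiting in q1 times out with a cookie, pushing
# moves to q2; in q2 pushes stay put and a timeout delivers a candy or a cookie.
G = NSM('q0', [
    ('q0', 'coin', 'q1'), ('q0', 'coin', 'q2'),
    ('q1', 'timeout', 'q3'), ('q1', 'push', 'q2'),
    ('q2', 'push', 'q2'), ('q2', 'timeout', 'q4'),
    ('q3', 'cookie', 'q0'), ('q4', 'candy', 'q0'), ('q4', 'cookie', 'q0'),
])

# Constructed specification R (assumed): no push -> cookie; two or more pushes -> candy;
# exactly one push -> cookie (branch r1) or candy (branch r2), decided at the coin.
R = NSM('r0', [
    ('r0', 'coin', 'r1'), ('r0', 'coin', 'r2'),
    ('r1', 'timeout', 'r3'), ('r1', 'push', 'r4'),
    ('r4', 'timeout', 'r3'), ('r4', 'push', 'r5'),
    ('r2', 'timeout', 'r3'), ('r2', 'push', 'r7'),
    ('r7', 'timeout', 'r6'), ('r7', 'push', 'r5'),
    ('r5', 'push', 'r5'), ('r5', 'timeout', 'r6'), ('r3', 'cookie', 'r0'), ('r6', 'candy', 'r0'),
])

def vending_machine_checks():
    """The checks the section's discussion turns on, for the constructed G and R."""
    return {
        'R simulated by G': simulated_by(R, G),   # True: the plant can do everything R does
        'G simulated by R': simulated_by(G, R),   # False: G may give a cookie after two pushes
        'det(R) sim. equiv. R': simulation_equivalent(determinize(R), R),  # False
    }
```

The `False` for `det(R)` arises because the subset state reached by one push and a timeout offers both `cookie` and `candy`, which no single state of R does; this is the situation the paper describes for a deterministic generator of the specification language.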

V. SPECIALIZATION TO DETERMINISTIC CASE

The results obtained in Section IV are applicable to deterministic plants. However, the special case of deterministic plants is of separate interest since a weaker condition may be required for the existence of a supervisor. In fact, this happens to be the case when the specification is of bisimulation equivalence [27], where it was shown that the bisimulation equivalence control problem can be solved polynomially when the plant model is deterministic. (No polynomial algorithm is known when the plant is nondeterministic.) A necessary and sufficient condition for the existence of a bisimilarity enforcing supervisor for a deterministic and a possibly nondeterministic is that be simulated by and be state-controllable with respect to and

( is the NSM obtained by replacing the transition function of by the transition function [27, Definition 8] and

in the absence of -transitions.) In this section, we show that if we only require the simulation equivalence of the controlled plant and the specification, then a weaker condition than state-controllability is required (as expected). In this section we


Fig. 3. R (first), R (second), R (third), R (fourth), and R‖R (fifth).

introduce that weaker condition, called state-controllable-similar, prove its necessity and sufficiency, and present a way to test it.

The notion of state-controllable-similar is defined in terms of state-controllable, both of which are introduced next.

Definition 4: Given automata and with , we say is state-controllable with respect to and if

such that

is state-controllable-similar (SCS) with respect to and if it is simulation equivalent to a system that is state-controllable with respect to and .

We recall that the language-controllability requires the

following: , . It is clear that when is deterministic,

state-controllability of with respect to and reduces to language-controllability of with respect to and . Also, it can be easily deduced that -compatibility implies state-controllability (i.e., the latter is a weaker notion).

The notion of SCS is stronger than language-controllable (LC) and weaker than state-controllable (SC). Recall that for deterministic and possibly nondeterministic with

, LC serves as a necessary and sufficient condition for a language equivalence control, whereas SC serves as a necessary and sufficient condition for a bisimulation equivalence control. We show that the “intermediate” condition of SCS serves as a necessary and sufficient condition for a simulation equivalence control. The next example illustrates the above various concepts of controllability.

Example 3: Consider automata , , and shown in Fig. 3, and suppose . Notice that in , the uncontrollable event is defined after trace . is SC since at state 2 reached by trace , event is defined. It follows that is also SCS and LC. On the other hand, is not SC since at state reached by trace , event is undefined. However, is SCS, since , where is SC. Also, similarity of and implies their language equivalence. So since is LC, so is . Finally, is LC since . However, is not SC since at state reached by trace , event is undefined. Also

is not SCS since it can be argued that one cannot find a SC such that : For the reason that simulates , event

must be defined at some state reached by trace in . Further, for the reason that is SC, event must be defined at this state. I.e., there must exist a state in reached by trace where events

and are both defined. Since none of the states of reachable

by trace have both events and defined, cannot simulate .

Next, we establish a necessary and sufficient condition for the existence of a similarity enforcing control for deterministic plants.

Theorem 6: Given deterministic plant and possibly nondeterministic specification , there exists a -compatible supervisor such that if and only if is simulated by and state-controllable-similar with respect to and .

Proof: (Only If) From Theorem 4, implies . Since and (from construction of ), it follows that . So, . By construction, is -compatible and since is deterministic, from [27, Lemma 7], is state-controllable. Since is simulation equivalent to , it follows that is state-controllable-similar.

(If) Let be similar to that is SC. Define to be with each state augmented with self-loops on all the undefined uncontrollable events of that state. Then (by [27, Lemma 1]). Since , it follows that . Also,

, and so . On the other hand, by Theorem 2, and so we have . It follows that

, which completes the proof.

The next theorem presents a method to verify the property of SCS of with respect to and .

Theorem 7: Given deterministic and , is SCS with respect to if and only if .

Proof: For deterministic , by Theorems 4 and 6, we have

the equivalence

is -simulated and

is -simulated and is

This can be rewritten as

is -simulated is

Remark 4: From Theorem 7 we can test whether is SCS by testing whether . It follows that the complexity of checking SCS is linear in the size of and quadratic in the size of . The complexity of checking whether is simulated by is linear in the sizes of and . Thus, the complexity of checking the existence of a supervisor for a similarity enforcing control of deterministic plants is .

In the following corollary, we show that when the existence condition of Theorem 6 holds, can be chosen as a desired supervisor.


Fig. 4. Block diagram of a message transmission system.

Fig. 5. Model G of message transmission system (left) and its specification R (right).

Corollary 2: Given deterministic plant and possibly nondeterministic specification , if is simulated by and state-controllable-similar with respect to , then as computed in Algorithm 1 can serve as a similarity enforcing supervisor (i.e.,

).

Proof: By Algorithm 1, is -compatible. Since (see the proof of Theorem 6) and (see Theorem 7), we obtain as desired.

Remark 5: We showed in Theorem 7 that when is deterministic and is simulated by , being SCS is equivalent to

. In general, however (when is nondeterministic), being is stronger than . This can be illustrated by considering automaton drawn in Fig. 3. and are also drawn in Fig. 3. It can be verified

. However, as explained in Example 3, is not SCS.

We illustrate the results of this section through an example.

Example 4: Consider a message transmission system, shown in Fig. 4, that sends messages from a sender to a receiver. Two types of messages are generated by the sender, and , which are first received by a message center. The messages are then forwarded (event ) to a routing center which decides along which channels the messages are to be routed. Two types of channels, secure and unsecure , are available for routing. Upon a successful reception, an acknowledgment is sent by the receiver to the sender, allowing transmission of another message. The acknowledgment is generated automatically, and is treated as an uncontrollable event. The deterministic automaton

, drawn in Fig. 5, models the above behavior.

A specification for the legal behavior of the system is also drawn in Fig. 5. It requires that messages of type 1 be transmitted over the secure channel, while no such restriction is imposed on the type of channel to be used for the transmission of the messages of the second type . However, once a

message of type 2 gets forwarded, it (nondeterministically) finds the routing center to be in one of its two states: In the first state, the transmission occurs on the secure channel, whereas in the second state, on the unsecure channel.

It is easy to verify that the specification language is a controllable sublanguage of the plant language. If we apply the supervisory control results from the deterministic setting and use a deterministic generator of the specification language as a supervisor, the controlled system will be a deterministic generator of the specification language (since the plant is given to be deterministic, whereas the supervisor is constructed to be deterministic, and the plant language is a superlanguage of the specification language). A deterministic generator of the specification language, however, will allow both the choices (secure as well as unsecure channel) for the routing of all messages of type 2 after they have arrived at the routing center. This situation is not permitted by the desired specification, and so the specification will be violated.

Our goal is to find a -compatible supervisor for the message transmission system such that . To do this, we first check whether is simulated by (i.e., ). We find the following simulation relation exists between and :

implying .

Next, we need to check whether is SCS. By Theorem 7, we need to check whether . For this we need to construct using Step 1 of Algorithm 1. The constructed is depicted in Fig. 6. The synchronous composition of and is shown in Fig. 6. We find the following simulation relation exists between and :

that is, . Thus, we conclude that there exists a -compatible supervisor to enforce simulation equivalence between the controlled system and the specification, and can serve as a supervisor.

To verify whether using as a supervisor yields , we search for a similarity relation between the controlled system and the specification . A similarity relation between and is given by


Fig. 6. R (left) for R and G‖R (right) for G and R of Fig. 5.

A meaning for the control being exercised is as follows. In the plant model, the routing center can be thought to have a single queue for all arrived messages. When the routing center is ready to put a message on a channel it picks one of the messages from the queue (say from the head of the queue) and places it on either of the two channels. The controller restricts this behavior of the routing center by essentially implementing two queues, one for each channel (and not one for each message). Upon arrival, messages of type 1 are always placed in the queue for the secure channel, whereas the messages of type 2 can be placed in either of the two queues. The exact channel selection for a message of type 2 can be done, for example, based on the lengths of the two queues. However, since the lengths of the two queues at any given time are not known in advance, the selection of a channel essentially occurs nondeterministically for each message of type 2.

VI. SIMULATION EQUIVALENCE VIA DETERMINISTIC CONTROL

The condition (or equivalently, ) is necessary and sufficient for the existence of a similarity enforcing supervisor. When a supervisor exists, can be chosen to be one. Clearly, is deterministic if and only if is deterministic. But a deterministic supervisor may exist even when is not deterministic, and we present a necessary and sufficient condition for the same. The point of this exercise is to show two things: 1) the existence condition for a deterministic supervisor is stronger than that for a nondeterministic one (this is to be expected) and 2) the time complexity of verifying the existence of a deterministic supervisor is exponential. Thus, we can draw the conclusion that it is preferable to opt for a nondeterministic supervisor. The following theorem presents a necessary and sufficient condition for its existence. We use to denote the deterministic generator of .

Theorem 8: Given and , there exists a -compatible deterministic supervisor such that if and only if

• ;
• is controllable with respect to and ;
• .

Proof: (Only if) Since the existence of a similarity enforcing supervisor implies the existence of a language enforcing supervisor , must be controllable with respect to whenever a similarity enforcing

Fig. 7. det(R) (left) and G‖det(R) (right) for G and R of Fig. 5.

supervisor exists. In other words, a necessary condition is that is controllable. Next, implies and . Since implies and

, which further implies , and further since , we have . This implies . Combining this with (since ), we obtain . This proves the necessity.

(If) For the sufficiency, choose to be . Then is deterministic. Since is controllable, is language-controllable (as well as state-controllable). Further, implies . For the reverse, since and since

, we have . Thus, we have shown . We define to be with each state of augmented with self-loops on all the undefined uncontrollable events of that state. Then is -compatible. Further, since is state-controllable, (from Lemma 1 in [27]). Further, since , we also have .

Remark 6: The complexity of checking the existence of a similarity enforcing deterministic supervisor using the condition of Theorem 8 is linear in the size of the plant and exponential in the size of the specification (due to the need for the computation of a deterministic automaton that accepts the same language as that accepted by the specification automaton). Requiring the supervisor to be deterministic makes the problem computationally more expensive. This situation is similar to control under partial observation for language specification. The deterministic supervisor synthesis problem in that setting is known to be NP-complete [25], but it is shown to be of polynomial complexity when the supervisor is allowed to be nondeterministic [9].

Let us revisit the message transmission system example studied in Section V.

Example 5: Our goal is to find a deterministic -compatible supervisor for the message transmission system such that

. Condition 1 in Theorem 8 is verified in Example 7. In Example 7 it was also shown that is SCS, which implies is LC, which establishes the second condition. So next we check condition 3. as well as are drawn in Fig. 7. Since no state of can simulate the state of , it follows that cannot be simulated by . Therefore, there does not exist a -compatible deterministic supervisor

, such that . Note that we showed earlier that a nondeterministic supervisor exists for this system.


VII. CONCLUSION

This paper studied the problem of supervisory control for enforcing simulation equivalence between the controlled plant and the specification. Through our work, we have shown that the simulation equivalence represents a nice compromise between the complexity of control specification versus its expressiveness. While the bisimilarity enforcing control is the most expressive, the best known complexity for such a control is doubly exponential in the sizes of the plant and the specification. On the other hand, while a language equivalence control is polynomially solvable, it is the least expressive. A simulation equivalence specification is more expressive than a language equivalence specification, yet it remains polynomially solvable. (The complexity turns out to be an order higher in the specification size when compared to a language equivalence specification.)

We presented a necessary and sufficient condition for the existence of a similarity enforcing supervisor for a nondeterministic plant and also for a deterministic plant. The results are constructive in nature and find a supervisor when one exists. Both the target and range control problems are studied. We also presented a condition for the existence of a similarity enforcing deterministic supervisor.

REFERENCES

[1] M. Antoniotti, “Synthesis and verification of discrete controllers for robotics and manufacturing devices with temporal logic and control-d systems,” Ph.D. dissertation, Dept. Comput. Sci., New York Univ., New York, 1995.

[2] A. Arnold, A. Vincent, and I. Walukiewicz, “Games for synthesis of controllers with partial observation,” Theor. Comput. Sci., pp. 7–34, 2003.

[3] A. Bergeron, “A unified approach to control problems in discrete event processes,” in Proc. Inform. Theory Applications, 1993, vol. 27, pp. 555–573.

[4] M. Heymann and F. Lin, “Discrete-event control of nondeterministic systems,” IEEE Trans. Autom. Control, vol. 43, no. 1, pp. 3–17, Jan. 1998.

[5] S. Jiang and R. Kumar, “Supervisory control of nondeterministic discrete event systems with driven events via masked prioritized synchronization,” IEEE Trans. Autom. Control, vol. 47, no. 9, pp. 1438–1449, Sep. 2002.

[6] ——, “Supervisory control of discrete event systems with CTL temporal logic specification,” SIAM J. Contr. Optim., vol. 44, no. 6, pp. 2079–2103, 2006.

[7] R. Kumar and V. K. Garg, Modeling and Control of Logical Discrete Event Systems. Norwell, MA: Kluwer, 1995.

[8] R. Kumar and M. Heymann, “Masked prioritized synchronization for interaction and control of discrete event systems,” IEEE Trans. Autom. Control, vol. 45, no. 11, pp. 1970–1982, Nov. 2000.

[9] R. Kumar, S. Jiang, C. Zhou, and W. Qiu, “Polynomial synthesis of supervisor for partially observed discrete-event systems by allowing nondeterminism in control,” IEEE Trans. Autom. Control, vol. 50, no. 4, pp. 463–475, Apr. 2005.

[10] R. Kumar and M. A. Shayman, “Nonblocking supervisory control of nondeterministic systems via prioritized synchronization,” IEEE Trans. Autom. Control, vol. 41, no. 8, pp. 1160–1175, Aug. 1996.

[11] ——, “Centralized and decentralized supervisory control of nondeterministic systems under partial observation,” SIAM J. Control Optim., vol. 35, no. 2, pp. 363–383, Mar. 1997.

[12] O. Kupferman, P. Madhusudan, P. S. Thiagarajan, and M. Y. Vardi, “Open systems and reactive environments: control and synthesis,” Proc. 11th Conf. Concurrency Theory (ser. Lecture Notes in Computer Science), vol. 1877, pp. 92–107, Aug. 2000.

[13] O. Kupferman and M. Y. Vardi, “Robust satisfaction,” Proc. 10th Conf. Concurrency Theory (ser. Lecture Notes in Computer Science), vol. 1664, pp. 382–398, Aug. 1999.

[14] O. Kupferman, M. Y. Vardi, and P. Wolper, “Module checking,” Inform. Comput., vol. 164, pp. 322–344, 2001.

[15] P. Madhusudan and P. S. Thiagarajan, “Branching time controllers for discrete event systems,” Theor. Comput. Sci., vol. 274, pp. 117–149, 2002.

[16] M. Maidi, “The common fragment of CTL and LTL,” in Proc. Foundations of Computer Science, 2000, pp. 643–652.

[17] A. Overkamp, Supervisory Control for Nondeterministic Systems, G. Cohen and J.-P. Quadrat, Eds. New York: Springer-Verlag, 1994, vol. 199, Lecture Notes in Control and Information Sciences, pp. 59–65.

[18] H. Qin and P. Lewis, Factorization of Finite State Machines Under Observational Equivalence. New York: Springer-Verlag, 1990, vol. 458.

[19] J. B. Raclet and S. Pinchinat, “The control of non-deterministic systems: a logical approach,” in Proc. IFAC World Congr., Prague, Czech Republic, 2005.

[20] P. J. Ramadge and W. M. Wonham, “Supervisory control of a class of discrete event processes,” SIAM J. Control Optim., vol. 25, no. 1, pp. 206–230, 1987.

[21] ——, “The control of discrete event systems,” Proc. IEEE, vol. 77, no. 1, pp. 81–98, Jan. 1989.

[22] S. Riedweg and S. Pinchinat, “Quantified mu-calculus for control synthesis,” in Mathematical Foundations of Computer Science. New York: Springer, 2003.

[23] M. A. Shayman and R. Kumar, “Supervisory control of nondeterministic systems with driven events via prioritized synchronization and trajectory models,” SIAM J. Control Optim., vol. 33, no. 2, pp. 469–497, Mar. 1995.

[24] P. Tabuada, “Open maps, alternating simulations and control synthesis,” in Proc. Int. Conf. Concurrency Theory, 2004, pp. 466–480.

[25] J. N. Tsitsiklis, “On the control of discrete event dynamical systems,” Math. Contr. Signals Syst., vol. 2, no. 2, pp. 95–107, 1989.

[26] R. van Glabbeek, “The linear time—branching time spectrum,” in Proc. CONCUR, Amsterdam, The Netherlands, 1990, vol. 458, ser. Lecture Notes in Computer Science.

[27] C. Zhou, R. Kumar, and S. Jiang, “Control of nondeterministic discrete event systems for bisimulation equivalence,” IEEE Trans. Autom. Control, vol. 51, no. 5, pp. 754–765, May 2006.

Changyan Zhou (M’04) received the B.S. degree in mechanical engineering from the Northwestern Polytechnical University, Xian, China, and the M.S. degree in mechatronic engineering from the Harbin Institute of Technology, Harbin, China, in 1993 and 1996, respectively, and the Ph.D. degree in electrical and computer engineering from Iowa State University, Ames, in 2007.

Her research interests include formal methods and control and diagnosis of reactive/event-driven systems and their applications.

Ratnesh Kumar (F’07) received the B.Tech. degree in electrical engineering from the Indian Institute of Technology, Kanpur, in 1987, and the M.S. and the Ph.D. degrees in electrical and computer engineering from the University of Texas at Austin in 1989 and 1991, respectively.

From 1991 to 2002, he was on the faculty of the University of Kentucky, Lexington, and since 2002 he has been on the faculty of the Iowa State University, Ames, where he is a Full Professor. He has held visiting positions at the Institute of Systems Research at the University of Maryland at College Park, the Applied Research Laboratory at the Pennsylvania State University, the NASA Ames Research Center, and the Argonne National Laboratory-West. His primary research interest is modeling, verification, control, and diagnosis of reactive/event-driven, real-time, and hybrid systems and their applications. He is coauthor of the book Modeling and Control of Logical Discrete Event Systems (Norwell, MA: Kluwer, 1995). He is an associate editor of the Journal on Control and Optimization and the Journal of Discrete Event Dynamical Systems.

Dr. Kumar was a recipient of the Microelectronics and Computer Development (MCD) Fellowship from the University of Texas at Austin, and was awarded the Lalit Narain Das Memorial Gold Medal for the Best EE Student and the Ratan Swarup Memorial Gold Medal for the Best All-rounder Student from the Indian Institute of Technology at Kanpur, India. He is a recipient of the NSF Research Initiation Award and the NASA-ASEE summer faculty fellowship award. He is a member of the IEEE Control Systems Society and is a past Associate Editor of the IEEE TRANSACTIONS ON ROBOTICS AND AUTOMATION.