On Speciﬁcation Informatics in Discrete-event Systems

State-transparency for Clarity of Finite Automata as Control Speciﬁcations

Amrith Dhananjayan and Kiam Tian Seow

School of Computer Engineering, Nanyang Technological University, 639798, Singapore, Singapore

Keywords:

Discrete-event Systems, Supervisory Control, Finite Automata, Speciﬁcation Informatics, State Transparency,

Human Perception.

Abstract:

In control of discrete-event systems (DES’s), the formalization of control requirements from natural language

statements is essentially a human endeavor. Without automated support tools, human designers often face

the uncertainty of not knowing if the control requirements formalized in the rudimentary DES formalism of

automata are as intended, motivating the automata-theoretic study of speciﬁcation informatics in the ﬁeld of

DES’s. A speciﬁcation automaton that renders its linguistic description more transparent should help design-

ers ascertain the prescribed requirement. Such transparency may be formalized in either the state space or

the event space of the DES. In this paper, treating the former as fundamental, a state-transparent speciﬁcation

automaton is conceptualized with respect to a full speciﬁcation automaton (‘full’ in the sense of having all

the a priori transitional constraints of the DES embedded in it). It contains only speciﬁcation relevant states

called speciﬁcation epochs. Each epoch denotes a “well-deﬁned” disjoint subset of states of the full speciﬁca-

tion automaton in the same phase of execution, meaningfully aggregated such that the resultant speciﬁcation

automaton retains the original restrictiveness on the DES. The problem of maximizing the state-transparency

of speciﬁcation automata for DES’s is then theoretically formulated. Subject to human perceptive or cognition

limits, we believe that such a maximally state-transparent speciﬁcation automaton could be more compre-

hensible, showing clearly the compliant execution of the system through a minimum number of speciﬁcation

epochs, and should aid designers in clarifying if the requirement prescribed is the one intended.

1 INTRODUCTION

Many man-made systems can be modeled as discrete-

event systems (DES’s). Supervisory control theory

for DES’s (Ramadge and Wonham, 1987) provides

a theoretical framework for synthesizing controllers

(called supervisors) for DES’s. A DES is modeled as

a ﬁnite automaton, with its possible executions gener-

ating a formal language over a ﬁnite event set. A su-

pervisor, also modeled as a ﬁnite automaton, restricts

the DES to certain sequences of events or states such

that a given set of control speciﬁcations is conjunc-

tively satisﬁed.

In practice, control requirements are ﬁrst given

in natural language statements. In our opinion, the

potential beneﬁts of supervisory control theory could

be better harnessed provided the speciﬁcations in au-

tomata correctly formalize these verbal or textual

statements (Ou and Hu, 2000). The translation from a

natural language statement of a control requirement

to a speciﬁcation in automata is often a non-trivial

task requiring the working knowledge of the entire

DES (Cassandras and Lafortune, 2008). Often, de-

signers understand the control requirements in natu-

ral language and manually prescribe the correspond-

ing speciﬁcation automata. The lack of formal tools

to help designers in turn interpret and comprehend

the speciﬁcations prescribed has been identiﬁed as a

factor limiting the effective use of supervisory con-

trol theory (Grigorov et al., 2011). Without auto-

mated support tools, designers are generally faced

with the uncertainty of whether a prescribed speci-

ﬁcation is as intended. This has been encountered in

many applications of the automata-based DES frame-

work (Grigorov et al., 2010) – in automated manu-

facturing (Magnusson et al., 2011; Cheriaux et al.,

2010), robotics (Koˇseck´a and Bajcsy, 1994; Ricker

et al., 1996), communicating transaction processes

(Feng et al., 2007), information systems (Hinze et al.,

2006) and intelligent service transportation (Seow and

Pasquier, 2004), to name a few. In fact, with advances

in computing technologies mitigating complexity to a

practically feasible extent, human comprehensibility

is turning out to be more challenging than computa-

357

Dhananjayan A. and Seow K..

On Speciﬁcation Informatics in Discrete-event Systems - State-transparency for Clarity of Finite Automata as Control Speciﬁcations.

DOI: 10.5220/0003977403570367

In Proceedings of the 9th International Conference on Informatics in Control, Automation and Robotics (ICINCO-2012), pages 357-367

ISBN: 978-989-8565-21-1

Copyright

c

2012 SCITEPRESS (Science and Technology Publications, Lda.)

tional issues in solving industrial problems using su-

pervisory control theory (Wonham, 2003). This moti-

vates the automata-theoretic study of speciﬁcation in-

formatics in the ﬁeld of DES’s.

Psychological studies have shown that human be-

ings tend to ﬁrst abstract the representation of a prob-

lem when addressing complex real world problems

(Rasmussen, 1986). In studying a problem, an on-the-

ﬂy model abstraction of the problem could often help

a human’s limited mental capacity better understand

the essence of the problem (Bredereke and Lanke-

nau, 2005). From this empirical study, we infer that it

might be useful to have an algorithm that can abstract

an input speciﬁcation automaton, and present human

designers with an output automaton that is structurally

clearer and thus easier to comprehend, but retains the

essential expressions of the requirement prescribed by

the original automaton. Such clarity or transparency

comes from accentuating speciﬁcation epochal infor-

mation, and correctly suppressing information irrele-

vant to the speciﬁcation without oversimplifying that

could lead to ambiguity. The development of a sys-

tematic approach to obtain such transparent speciﬁ-

cation automata is the aim of this paper. Not unlike

any study involving human cognition, the proposed

approach is assistive and provides a necessity basis to

individual designers for understanding speciﬁcation

automata.

Research on speciﬁcation transparency for DES’s

originates with the work of (Pham et al., 2010).

Therein, the speciﬁcation transparency maximization

problem introduced attempts to highlight the prece-

dence ordering among a minimal set of events deemed

relevant to the speciﬁcation, by ‘hiding’ in self-loops

all the events that are considered irrelevant to the

speciﬁcation but can occur in the DES. For many ap-

plications, it might be more desirable to specify for

the DES in terms of state sequences or trajectories

(Du and Wang, 1988; Ou and Hu, 2000; Faraut et al.,

2011). In fact, it has been noted that while design-

ers of communicationsystems would prefer to specify

restrictions on event sequences generated by a DES

model, designers of manufacturing systems would

prefer to specify restrictions as constraints on state

trajectories traced by the DES (Cao and Ho, 1990).

A speciﬁcation automaton in conjunction with a DES

can equivalently be viewed as prescribing a set of

‘legal’ state trajectories of the DES. A speciﬁcation

automaton that traces state trajectories suitably pro-

jected from this legal set might thus furnish a clearer

state-linguistic description that aids in easier interpre-

tation of the prescribed control requirement. This mo-

tivates an alternative but complementary formulation

of the speciﬁcation transparency maximization prob-

lem studied in (Pham et al., 2010), namely, one that is

based on states rather than events.

In our theoretical development, we ﬁrst introduce

the concept of state-transparency of control spec-

iﬁcations prescribed in ﬁnite automata. A state-

transparent speciﬁcation automaton is an abstraction

of a full speciﬁcation automaton (‘full’ in the sense

of having all the a priori transitional constraints of the

DES embedded in it), with each of its states represent-

ing a unique epoch (or execution phase) of the DES

that is relevant to the speciﬁcation. As will be formal-

ized and explained, each relevant epoch distills a dis-

joint subset of states of the full speciﬁcation automa-

ton that is intraconnected. By such intraconnectivity,

any pair of states in each disjoint subset is “graphi-

cally connected” by the automaton via only the states

in the subset, such that the member states reached

by an automaton transition from the same nonmem-

ber state are all temporally strung by a DES string of

events transiting through only the states in the subset.

It is postulated that speciﬁcation epochs deﬁned and

constructed this way would have well-deﬁned mean-

ings for a state-transparent speciﬁcation automaton.

For an intuitive understanding, the reader might want

to skip ahead to Section 5 for an example of abstract-

ing the states of a full speciﬁcation automaton [Fig.

4(a)] into speciﬁcation epochs, and yielding a state-

transparent speciﬁcation automaton [Fig. 4(b)].

Different state-transparent speciﬁcation automata

resulting from a full speciﬁcation automaton can rep-

resent the control requirement using different sets of

speciﬁcation epochs; and any speciﬁcation automaton

is said to be the most (or maximally) state-transparent

if it can retain the original restrictiveness of the speci-

ﬁcation on the DES using the least number of speciﬁ-

cation epochs. Subject to human perceptive or cogni-

tion limits, we believe that such a maximally state-

transparent speciﬁcation automaton could be more

human comprehensible. Constructing such an au-

tomaton is a state-transparency maximization prob-

lem. In this paper, we formalize this problem, which

is shown to be NP-hard elsewhere. As a polynomial

time algorithm cannot be expected for this problem,

we propose an algorithm that can run in polynomial

time and achieve maximal state-transparency in indi-

vidual cases but not in general.

The rest of this paper is organized as follows. Sec-

tion 2 reviews relevant concepts in languages and

automata theory, and in some graph basics. The

new concept of state-transparency is deﬁned, and the

problem and NP-hardness of ﬁnding a maximally

state-transparentspeciﬁcation automaton are formally

stated in Section 3. A polynomial time algorithm that

can compute state-transparent speciﬁcation automata

ICINCO2012-9thInternationalConferenceonInformaticsinControl,AutomationandRobotics

358

is proposed in Section 4. An illustrative example is

presented in Section 5 to demonstrate the concept of

a state-transparent speciﬁcation automaton. Section 6

presents some related work. Section 7 concludes the

paper.

2 PRELIMINARIES

2.1 Formal Languages and Automata

We follow the framework of Ramadge and Wonham

(Ramadge and Wonham, 1987). Let Σ be a ﬁnite set

of events. A string denotes a ﬁnite sequence of events

from Σ. Let Σ

∗

be the set of all ﬁnite strings from Σ

including the empty string ε. A string t

′

is a preﬁx of

t, if there exists a string s such that t

′

s = t.

A language L over Σ is a subset of Σ

∗

. We say L

1

is a sublanguage of L

2

if L

1

⊆ L

2

. For a language L,

its preﬁx closure

¯

L is the language consisting of all

preﬁxes of its strings. As any string s in Σ

∗

is a preﬁx

of itself, we have L ⊆

¯

L. A language L is considered

preﬁxed-closed if L =

¯

L.

Any regular language can be generated by

an automaton. An automaton G is a 5-tuple

(Q,Σ,δ, q

0

,Q

m

), where Q is the ﬁnite set of discrete

states, Σ is the ﬁnite set of discrete events, δ : Σ×Q →

Q is the (partial) transition function, q

0

is the initial

state and Q

m

⊆ Q is the set of marker states.

Write δ(σ,q)! to mean that δ(σ,q) is deﬁned and

¬δ(σ,q)! to mean otherwise. The deﬁnition of δ can

be extended to Σ

∗

× Q in the usual way as follows.

δ(ε,q) = q,

(∀σ ∈ Σ)(∀s ∈ (Σ)

∗

)δ(sσ,q) = δ(σ,δ(s,q)).

The preﬁx-closed language L(G) and the marked

language L

m

(G) describe the behavior of automaton

G. Formally,

L(G) = {s ∈ Σ

∗

| δ(s,q

0

)!},

L

m

(G) = {s ∈ L(G) | δ(s,q

0

) ∈ Q

m

}.

A state q ∈ Q is reachable if (∃s ∈ Σ

∗

) δ(s,q

0

) = q,

and coreachable if (∃s ∈ Σ

∗

) δ(s,q) ∈ Q

m

. Automa-

ton G is reachable if all its states are reachable, and

is coreachable if all its states are coreachable, i.e.,

L

m

(G) = L(G). If G is both reachable and coreach-

able then it is said to be trim.

2.2 Graph Basics

Following (Diestel, 2006), an undirected graph J is

a 2-tuple (V

J

,E

J

), where V

J

is the set of nodes and

E

J

⊆ V

J

× V

J

is the set of edges. A path from node

u ∈ V

J

to node v ∈ V

J

in J is a sequence of edges in

E

J

, starting at node u and ending at node v:

(u,u

1

),(u

1

,u

2

)...(u

k−1

,u

k

)(u

k

,v).

Two nodes u and v are said to be connected if such

a path exists. A graph is connected if every pair of

nodes in V

J

is connected.

Finally, let |P| denote the cardinality of the set P.

3 PROBLEM CONCEPTS AND

DESCRIPTION

3.1 Speciﬁcation Automaton and

State-transparency

Deﬁnition 1. (Pham et al., 2010) Given a DES G =

(Q,Σ,δ, q

0

,Q

m

), and a regular language L such that

L = L

m

(A), where automaton A = (X,F, ξ,x

0

,X

m

). If

A is said to be a speciﬁcation automaton (of L for DES

G), then 1) F = Σ, 2) L

m

(A) ∩ L

m

(G) = L(A) ∩ L(G),

and 3) A is trim.

Intuitively, a speciﬁcation automaton for DES G

models a (marked) sublanguage of G over event set

Σ. The sublanguage L

m

(A) ∩ L

m

(G) is well modeled

such that every common preﬁx string in L(A) ∩ L(G)

can be extended to a marked string in L

m

(A)∩ L

m

(G),

thereby specifying an uninhibited sequence of execu-

tions to complete some task.

Given a speciﬁcation automaton A for G, a trim

automaton H such that L

m

(H) = L

m

(A) ∩ L

m

(G) is

said to be a full automaton, in that it embodies the

a priori transitional constraints of G, and thus repre-

sents the full nonblocking behavioral speciﬁcation for

G under A. By Deﬁnition 1, H can be called a speci-

ﬁcation automaton.

Given a full speciﬁcation automaton H =

(Y,Σ,ζ,y

0

,Y

m

) for DES G = (Q,Σ,δ, q

0

,Q

m

), we de-

ﬁne the following (cf. (Su and Wonham, 2004)).

Let E :Y → 2

Σ

be the set of events deﬁned at y ∈Y

such that E(y) = {σ ∈ Σ | ζ(σ,y)!}.

Let D : Y → 2

Σ

be the set of events not permitted

by the speciﬁcation at y ∈ Y such that D(y) = {σ ∈ Σ |

¬ζ(σ,y)! and (∃s ∈ Σ

∗

)[ζ(s,y

0

) = y and δ(sσ,q

0

)!]}.

Let T : Y → {true, false} with T(y) =

true if (∃s ∈ Σ

∗

)[ζ(s,y

0

) = y and δ(s,q

0

) ∈ Q

m

].

T(y) is true if y is reachable by a string in the marked

language of G.

Let M :Y → {true, false} with M(y) = true if y ∈

Y

m

. M(y) is true if y is a marker state.

We say two states in a full speciﬁcation automa-

ton H are speciﬁcation compatible with each other if

their associated event permission and nonpermission

OnSpecificationInformaticsinDiscrete-eventSystems-State-transparencyforClarityofFiniteAutomataasControl

Specifications

359

in a DES G as well as their markings are consistent,

formally deﬁned as follows.

Deﬁnition 2. Given a full speciﬁcation automaton

H = (Y, Σ,ζ,y

0

,Y

m

) for a DES G, let C ⊆ Y × Y be

the set of pairs of speciﬁcation compatible states of H

on G. Then:

For y, y

′

∈ Y, (y,y

′

) ∈ C iff

1. E(y) ∩ D(y

′

) = E(y

′

) ∩ D(y) =

/

0;

2. T(y) = T(y

′

) ⇒ M(y) = M(y

′

).

Condition 1 states that for (y,y

′

) ∈ C, an event

permitted at y should not be denied permission at

y

′

and vice versa. According to Condition 2, states

y,y

′

∈ Y of H such that (y, y

′

) ∈ C are consistently

marked true or false if both states are reachable

by some strings in the marked language of G (i.e.,

when T(y) = T(y

′

) = true), or if neither is reachable

by a string in the marked language of G (i.e., when

T(y) = T(y

′

) = false).

In what follows, a procedure called 13 is devel-

oped to check if a state pair is speciﬁcation compati-

ble. Lemma 1 is immediate.

Procedure : ChkI fInC(y, y

′

).

Input: Two states y,y

′

∈ Y of H = (Y,Σ,ζ,y

0

,Y

m

);

Output: true if (y,y

′

) ∈ C; f alse, otherwise;

1 begin

2 if (E(y) ∩ D(y

′

)) ∪ (E(y

′

) ∩ D(y)) =

/

0 then

3 if T(y) = T(y

′

) then

4 if M(y) = M(y

′

) then

5 return true;

6 end

7 end

8 else

9 return true;

10 end

11 end

12 return false;

13 end

Lemma 1. Let C be the set of pairs of speciﬁcation

compatible states of a full speciﬁcation automaton

H = (Y,Σ,ζ,y

0

,Y

m

) for a DES G. Then for a pair of

input states y,y

′

∈ Y, Procedure 13(y,y

′

) returns true

iff (y,y

′

) ∈ C.

A cover of a setY is a family of subsets ofY whose

union is Y. Each element of a cover is called a cell. A

cover is a partition if its cells are pairwise disjoint.

We now deﬁne what is called a speciﬁcation-

equivalent partition P over the state set of a full spec-

iﬁcation automaton H.

Deﬁnition 3. Let C be the set of pairs of speciﬁca-

tion compatible states of a full speciﬁcation automa-

ton H = (Y,Σ,ζ,y

0

,Y

m

) for a DES G. For an index

set X, a partition P = {Y

x

⊆ Y | x ∈ X} is said to be a

speciﬁcation-equivalent partition of H if

1. (∀x ∈ X)(∀y,y

′

∈ Y

x

)(y, y

′

) ∈ C;

2. (∀x ∈ X)(∀σ ∈ Σ)(∃x

′

∈ X)[(∀y ∈ Y

x

)ζ(σ,y)! ⇒

ζ(σ,y) ∈ Y

x

′

].

For an index set X and a state y ∈ Y, we denote the

cell of P = {Y

x

⊆ Y | x ∈ X} containing y as [y], i.e.,

for y ∈ Y

x

, we have [y] = Y

x

.

Condition 1 of Deﬁnition 3 states that all pairs

of states within the same cell must be speciﬁcation

compatible. Condition 2 asserts that, for two arbitrary

cells Y

x

and Y

x

′

of P, the states reachable via the same

event from states of the same cell Y

x

must all belong

to the same cell Y

x

′

.

According to Deﬁnition 3, two states y, y

′

∈ Y

are to be placed together in a cell of a speciﬁcation-

equivalent partition if the state pair is speciﬁation

compatible and all the state pairs reachable by iden-

tical strings from y and y

′

are also speciﬁcation com-

patible. Any two states y and y

′

that can be placed

within a cell as such are said to be pairable. It follows

that all state pairs reachable by identical strings from

pairable y and y

′

are also pairable. State pairability is

formally deﬁned as follows.

Deﬁnition 4. Let C be the set of pairs of speciﬁcation

compatible states of a full speciﬁcation automaton

H = (Y,Σ,ζ,y

0

,Y

m

) for a DES G. Two states y,y

′

∈ Y

are said to be pairable if

1. (y,y

′

) ∈ C

2. (∀s ∈ Σ

∗

)[ζ(s,y)! and ζ(s,y

′

)! ⇒

(ζ(s,y),ζ(s,y

′

)) ∈ C]

In what follows, we present a procedure (cf.

(Su and Wonham, 2004)) called : PTran that

computes and returns an induced automaton A =

(X,Σ,ξ,x

0

,X

m

) from a given speciﬁcation-equivalent

partition P = {Y

x

⊆ Y | x∈ X} deﬁned on a full speciﬁ-

cation automaton H = (Y,Σ, ζ,y

0

,Y

m

), such that each

state x ∈ X of A uniquely corresponds to cell Y

x

of P.

The initial state of A corresponds to the cell contain-

ing the initial state of H. A state of A is marked if the

corresponding cell contains any marked state of H. In

A, a transition of event σ ∈ Σ from a state x to a state

x

′

is deﬁned if there is a transition of the same event

in H, from a state inY

x

to a state in Y

x

′

. The procedure

has a worst case complexity of O(|Y||Σ|).

Theorem 1. Given a full speciﬁcation automaton H

for a DES G and a speciﬁcation-equivalent parti-

tion P of H. Then under G, A = PTran(H, P) is a

speciﬁcation automaton modeling L

m

(H) such that

L

m

(H) = L

m

(A) ∩ L

m

(G).

Remark 1. A speciﬁcation-equivalent partition (of

Deﬁnition 3), though mathematically similar, is con-

ceptually different from a control congruence (Su and

Wonham, 2004). For a different purpose as will be

ICINCO2012-9thInternationalConferenceonInformaticsinControl,AutomationandRobotics

360

discussed in Section 6, the latter notion requires H

to be controllable; and we note that for a control con-

gruence P

c

deﬁned on a controllable H, PTran(H, P

c

)

becomes a procedure that returns a nonblocking and

possibly state-reduced supervisor (Su and Wonham,

2004) realizing L

m

(H) for DES G. Exposing this tech-

nical correspondence, it is not unexpected that cer-

tain deﬁnitions in this paper have some similarity with

those in (Su and Wonham, 2004).

Procedure : PTran(H,P).

Input: A full speciﬁcation automaton H = (Y,Σ,ζ,y

0

,Y

m

)

and a speciﬁcation-equivalent partition

P = {Y

x

⊆ Y | x ∈ X} of H;

Output: An induced speciﬁcation automaton A such that

each state of A uniquely represents a cell of P;

1 begin

2 x

0

= x ∈ X such that y

0

∈ Y

x

;

3 X

m

= {x ∈ X | Y

x

∩Y

m

6=

/

0};

4 ξ : Σ× X → X(pfn) with ξ(σ,x) = x

′

for (x,x

′

∈ X) and

(σ ∈ Σ), such that (∃y ∈ Y

x

)ζ(σ,y) ∈ Y

x

′ ;

5 return A = (X,Σ,ξ, x

0

,X

m

);

6 end

Given an automaton H = (Y,Σ, ζ,y

0

,Y

m

) and a

subset Y

′

⊆ Y of states, an undirected graph de-

noted by I(H,Y

′

) can be induced such that I(H,Y

′

) =

(Y

′

,E

′

) with E

′

= {(y,y

′

) | (y,y

′

∈ Y

′

) and (∃σ ∈

Σ)[ζ(σ,y) = y

′

]}.

For a partition P of the state set Y of H, we say

a cell p ∈ P is intraconnected if the states it contains

are all “graphically connected” in the automaton via

only the states within the cell, i.e., the induced graph

I(H, p) is connected.

For any given input cell p ∈ P, Procedure

CheckI fConnected conducts a breadth-ﬁrst search on

the graph I(H, p) and returns true if I(H, p) is con-

nected. The procedure starts by adding a random

node of I(H, p) to a list con nodelist. The procedure

then adds to con nodelist all nodes in p that share

an edge with the selected node. This step is repeated

for each node that is added to con nodelist. Once af-

ter all nodes in con nodelist are considered and there

are no further nodes to be added to con nodelist, if

con nodelist equals p, then I(H, p) is connected. The

procedure has a complexity of O(|p||Σ|).

In what follows is the important deﬁnition of a

state-transparent partition over a full speciﬁcation au-

tomaton.

Deﬁnition 5. Let X be an index set. Given a full spec-

iﬁcation automaton H = (Y,Σ,ζ,y

0

,Y

m

) for a DES G,

a state-transparent partition of H is a speciﬁcation-

equivalent partition P = {Y

x

⊆ Y|x ∈ X} of H with

the following cell intraconnectivity property: (∀x ∈

X)[I(H,Y

x

) is connected].

Procedure : CheckI fConnected(p).

Input: A cell p of a partition on the state set of an

automaton H;

Output: true, if p is intraconnected; false, otherwise;

1 begin

2 (p,E

′

) = I(H, p);

3 Select any y

′′

∈ p;

4 Add y

′′

to a queue u;

5 con nodelist := {y

′′

};

6 while u is not empty do

7 Dequeue y from u;

8 foreach (y

1

,y

2

) ∈ E

′

such that y ∈ {y

1

,y

2

} do

9 Let y

′

= {y

1

,y

2

} − {y};

10 if y

′

/∈ con nodelist then

11 con nodelist := con nodelist ∪ {y

′

};

12 Add y

′

to u;

13 end

14 end

15 end

16 if p = con nodelist then

17 return true;

18 end

19 else

20 return false;

21 end

22 end

According to Deﬁnition 5, a state-transparent par-

tition is a speciﬁcation-equivalent partition contain-

ing only intraconnected cells over a full speciﬁcation

automaton. We postulate that these cells can be ab-

stracted to reveal well-deﬁned speciﬁcation-relevant

epochs, in what is deﬁned as a state-transparent spec-

iﬁcation automaton.

Deﬁnition 6. Given a full speciﬁcation automaton H

for a DES G. Let P be the set of all state-transparent

partitions on H. Then for P ∈ P , a speciﬁcation au-

tomaton A = PTran(H,P) (for DES G) is said to be a

P-transparent speciﬁcation automaton of H.

A P-transparent speciﬁcation automaton formal-

izes a state-transparent speciﬁcation. Intuitively, un-

der DES G, a P-transparent speciﬁcation automaton A

is an abstract representation of a full speciﬁcation H,

and each state of A is a speciﬁcation epoch abstract-

ing a cell of the state-transparent partition P of H. By

Theorem 1, A possesses the same restrictiveness on G

as H.

We postulate that the most (or maximally) state-

transparent speciﬁcation automaton A should express

the control requirement using the least number of

speciﬁcation epochs, i.e., the state-transparent parti-

tion P should be of minimal cardinality.

3.2 Problem Statement

The problem of ﬁnding a maximally state-transparent

OnSpecificationInformaticsinDiscrete-eventSystems-State-transparencyforClarityofFiniteAutomataasControl

Specifications

361

speciﬁcation automaton A for a full speciﬁcation au-

tomaton H on DES G can now be formally stated.

Problem 1. Given a full speciﬁcation automaton H

for a DES G. Let P be the set of all state-transparent

partitions on H. Construct a P-transparent speciﬁ-

cation automaton A = PTran(H,P) of H such that

(∀P

′

∈ P )|P

′

| ≥ |P|.

Theorem 2. Problem 1 is NP-hard.

4 PROCEDURES AND SOLUTION

ALGORITHM

Since the state-transparency maximization problem is

NP-hard, a polynomial-time algorithm that can al-

ways return a speciﬁcation automaton of maximal

state-transparency is not expected. In this section,

a polynomial-time algorithm that cannot guarantee

maximal state-transparency, but can often produce

maximal solution in individual cases is proposed.

By Theorem 1 and Deﬁnition 6, a state-

transparent partition induces a state-transparent spec-

iﬁcation automaton. A procedure to compute a state-

transparent partition is, therefore, essential for com-

puting a state-transparent speciﬁcation automaton.

Such a procedure, : GetSTPartition, is presented in

Section 4.3. The procedure utilizes another procedure

(Section 4.1) to check for state pairability and yet an-

other procedure (Section 4.2) for checking the cell in-

traconnectivity property. In Section 4.4, a solution

algorithm for Problem 1 is then presented.

4.1 Checking of State Pairability

For two states y, y

′

∈ Y of a full speciﬁcation automa-

ton H = (Y,Σ,ζ, y

0

,Y

m

), Procedure : ChkI fPairable

checks if the input states y and y

′

are pairable. For

this, initially, the procedure checks if the input state

pair is speciﬁcation compatible (Condition 1 of Deﬁ-

nition 4) by invoking Procedure 13 and thereafter re-

cursively checks if all state pairs reachable by iden-

tical strings from the input state pair are also speciﬁ-

cation compatible (Condition 2 of Deﬁnition 4). The

procedure returns true if all the state pairs considered

are speciﬁcation compatible; and false, otherwise. A

list waitlist (that is initialized to the empty set

/

0 when-

ever Procedure : ChkI fPairable is invoked by Proce-

dure : GetSTPartition) is updated with each state pair

that is considered. The procedure has a complexity of

O(|Y|

2

)

Procedure : ChkI fPairable(y,y

′

,waitlist).

Input: Two states y,y

′

of input speciﬁcation automaton H, a

list waitlist of states pairs considered so far;

Output: true, if y and y

′

are pairable; false, otherwise;

with waitlist updated;

1 begin

2 Let W(y) = {y

′′

| {(y,y

′′

),(y

′′

,y)} ∩ waitlist 6=

/

0};

3 foreach y

1

∈ [y]∪

S

y

′

1

∈W(y)

[y

′

1

] do

4 foreach y

2

∈ [y′]∪

S

y

′

2

∈W(y′)

[y

′

2

] do

5 if {(y

1

,y

2

),(y

2

,y

1

)} ∩ waitlist =

/

0 and [y

1

] 6= [y

2

] then

6 if ChkI f InC(y

1

,y

2

) = false then

7 return false;

8 end

9 waitlist := waitlist ∪{(y

1

,y

2

)};

10 foreach

σ ∈ Σ such that ζ(σ,y

1

)! and ζ(σ,y

2

)!

do

11 flag = ChkI f Pairable(ζ(σ,y

1

),

ζ(σ,y

2

),waitlist);

12 if f lag = false then

13 return false;

14 end

15 end

16 end

17 end

18 end

19 return true;

20 end

Procedure : GetCnctPartition(waitlist,P).

Input: A list waitlist of pairable state pairs and a

state-transparent partition P;

Output: A partition P

′

that augments P such that the states

paired in waitlist are placed within same cells,

whenever P

′

has only intraconnected cells; P,

otherwise;

1 begin

2 Let W(y) = {y

′′

| {(y,y

′′

),(y

′′

,y)} ∩ waitlist 6=

/

0};

3 P

′

= {[y]∪

S

y

′

∈W(y)

[y

′

] | [y],[y

′

] ∈ P};

4 foreach p ∈ P

′

do

5 flag = CheckI fConnected(p);

6 if f lag = f alse then

7 return P;

8 end

9 end

10 return P

′

;

11 end

4.2 Checking of Cell Intraconnectivity

For a list waitlist of pairable state pairs and a state-

transparent partition P, Procedure : GetCnctPartition

augments P to a partition of states of H such that the

state pairs in waitlist are placed within same cells

of the partition. Each cell of the newly computed

partition is checked for intraconnectivity by invoking

ICINCO2012-9thInternationalConferenceonInformaticsinControl,AutomationandRobotics

362

Procedure : CheckI fConnected. If each of its cells

is intraconnected, the newly computed partition is a

state-transparent partition and is returned by Proce-

dure : GetCnctPartition. Otherwise, the input state-

transparent partition is returned without any modiﬁ-

cation. The procedure has a complexity of O(|Y|

2

).

Procedure : GetSTPartition(H, G).

Input: A full speciﬁcation automaton H = (Y,Σ,ζ,y

0

,Y

m

)

on DES G;

Output: A state-transparent partition P of H;

1 begin

2 P = {[y] | [y] = {y} for y ∈ Y};

3 foreach y ∈ Y do

4 foreach σ ∈ Σ do

5 if ζ(σ,y)! then

6 Let y

′

= ζ(σ,y);

7 waitlist :=

/

0;

8 flag = ChkI f Pairable(y,y

′

,waitlist);

9 if f lag = true then

10 P = GetCnctPartition(waitlist, P);

11 end

12 end

13 end

14 end

15 return P;

16 end

4.3 Computation of a State-transparent

Partition

For an input full speciﬁcation automaton H on DES

G, Procedure : GetSTPartition computes a state-

transparent partition P of H. Initially, the proce-

dure deﬁnes P such that each state belongs to a dis-

tinct cell. Then, for each pair of states that are con-

nected in H by a transition, the procedure invokes

Procedure ChkI fPairable to check if the state pair

is pairable. Procedure : ChkI fPairable returns true

if its input state pair is pairable, with waitlist hav-

ing a list of state pairs that are reachable by iden-

tical strings from the input state pair. Whenever,

Procedure : ChkI fPairable returns true, Procedure

: GetCnctPartition is invoked. As explained in the

preceding subsection, Procedure : GetCnctPartition

updates P by placing within same cells those states

that are paired in waitlist, provided the cell intracon-

nectivity property is satisﬁed. Otherwise, the state-

transparent partition is not updated. The procedure

terminates after it has considered all pairs of states in

H connected by a transition. The complexity of the

procedure is O(|Y|

3

|Σ|)

4.4 Solution Algorithm

For an input full speciﬁcation automaton H on DES

Algorithm 1: Computation of a state-transparent

speciﬁcation automaton.

Input: A full speciﬁcation automaton H on DES G;

Output: A state-transparent speciﬁcation automaton A of

H;

1 begin

2 P = GetSTPartition(H,G);

3 A = PTran(H,P);

4 return A;

5 end

G, Algorithm 1 computes a state-transparent speciﬁ-

cation automaton A of H. Procedure : GetSTPartition

computes and returns a state-transparent partition

P of H. The algorithm returns automaton A =

PTran(H,P), which by Deﬁnition 6, is a P-

transparent speciﬁcation automaton of H. The com-

plexity of Algorithm 1 is O(|Y|

3

|Σ|). The complexity

of Algorithm 1 is the sum of complexities of proce-

dures : GetSTPartition and : PTran, i.e., O(|Y|

3

|Σ|+

|Y||Σ|) ≈ O(|Y|

3

|Σ|).

Theorem 3. For a full speciﬁcation automaton H

on DES G, Algorithm 1 returns a state-transparent

speciﬁcation automaton A of H such that L

m

(H) =

L

m

(A) ∩ L

m

(G).

I/O

X

I/O

Y

M1 M2

1load

X

1release

X

2load

X

1release

Y

2release

X

R

2load

Y

2release

Y

1load

Y

Figure 1: FMS layout.

5 ILLUSTRATIVE EXAMPLE

In this section, we illustrate the concept of state-

transparency using an example of a ﬂexible manufac-

turing system (FMS) adapted from (Uzam, 2004). As

shown in Fig. 1, the FMS consists of two machines

M1 and M2, and a robot R, all capable of handling

parts of two different types X and Y. Parts of type

X enter and leave the FMS through an inﬁnite-size

buffer I/O

X

and those of type Y through an inﬁnite-

size buffer I/O

Y

. Each machine can process only one

part at a time, and the robot can hold only one part at

a time. The production cycles for part types X and Y

are as follows.

X : M1 → R → M2

Y : M2 → R → M1

In the former cycle, a part of type X is ﬁrst loaded into

machine M1 for initial-stage processing, before robot

R takes and loads it into machine M2 for ﬁnal-stage

processing. In the latter cycle, a part of type Y is ﬁrst

OnSpecificationInformaticsinDiscrete-eventSystems-State-transparencyforClarityofFiniteAutomataasControl

Specifications

363

1load

X

m

I

1

m

X

1

m

Y

1

1release

X

1load

Y

1release

Y

(a) Machine M1

2load

X

m

I

2

m

X

2

m

Y

2

2release

X

2load

Y

2release

Y

(b) Machine M2

2release

Y

r

I

r

Y

r

X

1load

Y

1release

X

2load

X

(c) Robot R

Figure 2: FMS models.

loaded into machine M2 for initial-stage processing,

before robot R takes and loads into machine M1 for

ﬁnal-stage processing.

As depicted in Figs. 2(a) and 2(b), machines M1

and M2 transit among states idling (m

1

I

, m

2

I

), process-

ing X (m

1

X

, m

2

X

) and processing Y (m

1

Y

, m

2

Y

), respec-

tively. The robot R transits among states idling (r

I

),

holding X (r

X

) and holding Y (r

Y

), as depicted in Fig.

2(c). Note that in the directed graph representation

of an automaton, a state is represented by a node,

and a state-to-state transition by a directed edge la-

beled with an event. The initial state is represented

by a node with an entering arrow, and a marker state

by a node drawn as a double-concentric circle. For

i ∈ {1, 2}, event iload

X

represents the loading of X

into Mi for processing and event irelease

X

represents

the release of X by Mi after processing. Similarly,

event iload

Y

represents the loading of Y into Mi and

event irelease

Y

represents the release of Y by Mi.

The DES G for the FMS is formed by the syn-

chronous product (Cassandras and Lafortune, 2008)

of M1, M2 and R. A control requirement for G is

that, once the processing of a part of type X starts,

the processing of a part of type Y cannot start un-

til the processing of the part of type X is completed,

and vice versa. The full speciﬁcation automaton H

of this requirement for G is shown in both Figs. 3(a)

and 4(a). It is derived from some speciﬁcation au-

tomaton B prescribed by a system designer such that

L

m

(B) ∩ L

m

(G) = L

m

(H) ⊆ L

m

(G).

Fig. 3 shows a speciﬁcation-equivalent partition

of minimal cardinality [Fig. 3(a)] over H that induces

a minimal-state speciﬁcation automaton MIN [Fig.

3(b)] of H. It has been pointed out in (Wonham, 2003)

that the control requirement prescribed in MIN is

not easy to comprehend. The speciﬁcation-equivalent

partition in Fig. 3(a) used to construct MIN is not a

state-transparent partition. Notice that the cell that in-

duces state 1 of MIN does not satisfy the cell intracon-

nectivity property; intuitively, it means the cell con-

tains states in clearly different phases of execution,

such as m

1

X

r

I

m

2

I

that occurs when a part of type X is

processed, and m

1

I

r

I

m

2

Y

that occurs when a part of type

Y is processed. Due to this, both the events 1load

X

m

X

1

r

I

m

I

2

m

I

1

r

I

m

Y

2

m

I

1

r

X

m

I

2

m

I

1

r

I

m

X

2

m

X

1

r

X

m

I

2

m

X

1

r

I

m

X

2

m

I

1

r

X

m

X

2

m

X

1

r

X

m

X

2

m

I

1

r

Y

m

I

2

m

Y

1

r

I

m

I

2

m

Y

1

r

I

m

Y

2

m

I

1

r

Y

m

Y

2

m

Y

1

r

Y

m

I

2

m

Y

1

r

Y

m

Y

2

2

r

e

l

e

a

s

e

X

1load

X

2load

Y

2release

Y

1load

Y

2load

X

1release

X

1load

X

2load

X

1release

X

2release

X

1load

X

2release

X

2release

X

1release

Y

1load

Y

2load

Y

2load

Y

1release

Y

2load

Y

1load

X

m

I

1

r

I

m

I

2

1release

Y

2release

Y

1release

Y

(a) Minimal speciﬁcation-equivalent partition over the full speciﬁcation au-

tomaton H

0

2 1 3

1load

X

, 2load

Y

1release

X

2release

Y

2load

Y

1load

X

2load

X

1load

Y

1release

Y

2load

X

, 2release

X

,

1load

Y,

1release

Y

2release

X

2release

X

,

1release

Y

(b) The resultant minimal state speciﬁcation automaton MIN

Figure 3: Speciﬁcation state minimization.

and 2load

Y

, that initiate respectively the processing

of parts of type X and Y, lead to state 1 in MIN. As a

result, this state does not form a meaningful speciﬁca-

tion epoch in MIN as it represents either “type-X part

processing” or “type-Y part processing”. This is am-

biguous, in that type-X part processing could be con-

fused with executing event 1load

X

followed by event

2release

Y

, when the latter event should be executed

only following a type-Y part processing.

Algorithm 1 returns a state-transparent speciﬁca-

tion automaton A (which incidentally is maximal)

over H, as shown in Fig. 4(b). The state-transparent

partition computed on H is shown in Fig. 4(a). Each

state of A abstracts a cell of the computed state-

transparent partition of H. As will be explained, each

such cell has states in the same phase of execution.

Note in Fig. 4(a) that when event 1load

X

brings the

system from the initial state m

1

I

r

I

m

2

I

of H to state

m

1

X

r

I

m

2

I

, it means that the system has started process-

ing a part of type X. To help better understand speci-

ﬁcation H, in conformance with Deﬁnition 5, our al-

gorithm aggregates the state m

1

X

r

I

m

2

I

with other states

in H, forming a cell of pairable and intraconnected

states, to distill a well-deﬁned speciﬁcation epoch

meaningfully interpreted as “Processing X”. Other

speciﬁcation epochs that result can also be interpreted

meaningfully. Effectively, the output state-transparent

ICINCO2012-9thInternationalConferenceonInformaticsinControl,AutomationandRobotics

364

m

X

1

r

I

m

I

2

m

I

1

r

I

m

Y

2

m

I

1

r

X

m

I

2

m

I

1

r

I

m

X

2

m

X

1

r

X

m

I

2

m

X

1

r

I

m

X

2

m

I

1

r

X

m

X

2

m

X

1

r

X

m

X

2

m

I

1

r

Y

m

I

2

m

Y

1

r

I

m

I

2

m

Y

1

r

I

m

Y

2

m

I

1

r

Y

m

Y

2

m

Y

1

r

Y

m

I

2

m

Y

1

r

Y

m

Y

2

2

r

e

l

e

a

s

e

X

1load

X

2load

Y

2release

Y

1load

Y

2load

X

1release

X

1load

X

2load

X

1release

X

2release

X

1load

X

2release

X

2release

X

1release

Y

1load

Y

2load

Y

2load

Y

1release

Y

2load

Y

1load

X

m

I

1

r

I

m

I

2

1release

Y

Processing X

Processing Y

Another X

Another Y

Idling

2release

Y

1release

Y

(a) Minimal state-transparent partition over the full speciﬁcation automaton

H

1load

X

2load

Y

1load

Y

2load

X

1load

X

2load

Y

2load

X

1load

Y

1release

X

,

2release

X

2release

Y

,

1release

Y

2release

X

2release

X

,

1release

Y

Idling

1release

Y

Processing

Y

Processing

another Y

Processing

X

Processing

another X

(b) The resultant maximally state-transparent speciﬁcation au-

tomaton A

Figure 4: Speciﬁcation state-transparency maximization.

speciﬁcation automaton A ‘summarizes’ state infor-

mation in H as speciﬁcation epochs, highlighting only

the essential restrictions on the DES. The speciﬁca-

tion automaton A is easier to comprehend, since the

temporal essence of the speciﬁcation - that once the

processing of a part of type X starts, the processing of

a part of type Y cannot start until the processing of the

part of type X is completed, and vice versa - is clearly

depicted in A.

6 RELATED WORK

Within the DES control community, design compre-

hensibility is receivingincreasing attention and recog-

nition. Current efforts focus primarily on clarifying

supervisor design, whereas our work focuses on clar-

ifying given speciﬁcations:

• In the former line of research, state reduction of

synthesized supervisors has been proposed as a

technique that might render the control actions

due to a speciﬁcation more readily comprehensi-

ble to designers (e.g., (Su and Wonham, 2004)).

Over a controllable speciﬁcation automaton gen-

erating a sublanguage of the DES, the supervisor

reduction algorithm in (Su and Wonham, 2004)

constructs a control congruence,which essentially

is a partition of states of the input automaton, and

uses it to compute a state-reduced supervisor au-

tomaton. By “virtually setting” all events as con-

trollable, one could adapt the algorithm to achieve

state size reductionfor a full speciﬁcation automa-

ton. In some cases a state-reduced automaton con-

structed may be easier to understand, but the out-

put of such a state reduction procedure (Su and

Wonham, 2004) is usually not appealing to human

engineers (Wonham, 2003). The reason is that

the output often also abstracts away those a pri-

ori DES constraints essential for interpreting the

speciﬁcation. The fact of the matter is that the

main aim in (Su and Wonham, 2004) is to con-

struct a supervisor automaton to achieve economy

of implementation, using the least possible num-

ber of control states by removing constraints al-

ready enforced by the DES. Also related is the re-

search (Miremadi et al., 2008) that generates and

attaches propositional formulae called guards to a

given supervisor to aid in design clarity.

• In this paper, along our latter and complementary

line of research, state-transparency is introduced

and developed. Our aim is to re-express a speci-

ﬁcation automaton using the minimum number of

speciﬁcation relevant states manifesting as speci-

ﬁcation epochs, so as to aid in clarifying if it spec-

iﬁes the intended requirement.

Finally, the concept of state-transparency provides a

different language perspective to clarifying speciﬁca-

tions from that of event-transparency introduced in

(Pham et al., 2010). This is manifested by two main

differences as follows. First, in the case of maxi-

mal state-transparency, a speciﬁcation is recast us-

ing the least possible number of speciﬁcation rele-

vant states, with each state representing some unique

speciﬁcation epoch. In the case of maximal event-

transparency, the precedence ordering among a mini-

mal set of events deemed relevant to the speciﬁcation

is highlighted. Second, states in a state-transparent

speciﬁcation automaton correspond to a state parti-

tion of a full speciﬁcation, but are not so for an

event-transparentspeciﬁcation automaton. The event-

transparency maximization algorithm developed in

(Pham et al., 2010) allows unrestricted state splitting,

causing in some cases, an event that is not permit-

ted and therefore undeﬁned in a state of a given in-

put full speciﬁcation automaton to be undeﬁned at

several states of the output event-transparent automa-

ton. This could result in a cluttered state structure

Specifications

365

of the automaton. In other words, event-transparency

tends to facilitate clarity in event ordering informa-

tion, whereas state-transparency facilitates clarity in

temporal state information.

7 CONCLUSIONS

The study of informatics for the clariﬁcation of

discrete-event control speciﬁcations in automata is

motivated, and the informatics notion of state-

transparency is developed. A state-transparent speci-

ﬁcation automaton is formally deﬁned and a solution

algorithm to construct a speciﬁcation automaton of

signiﬁcant state-transparency is proposed. An illus-

trative example is given to highlight how such an au-

tomaton can enhance the intuitive understanding of a

speciﬁcation in automata.

To enhance speciﬁcation comprehensibility, our

future work will incorporate temporal logic to ex-

tend our state-transparency speciﬁcation framework

to a dual-language framework. Temporal logic is a

natural language readable and expressive formalism

for writing speciﬁcations (Manna and Pnueli, 1992).

An algorithm is proposed in (Seow, 2007) to trans-

late a state-based (ﬁnitary) temporal logic speciﬁca-

tion for a DES G to a full speciﬁcation automaton

H. An algorithm that directly translates such a tem-

poral logic speciﬁcation to a state-transparent spec-

iﬁcation automaton A for which L

m

(H) = L

m

(A) ∩

L

m

(G) should be of great practical utility to design-

ers prescribing speciﬁcation for DES’s. Such a dual-

language framework can give designers added conﬁ-

dence in ascertaining whether a prescribed speciﬁca-

tion is as intended by rendering the control require-

ment of the translated speciﬁcation automaton eas-

ier to understand from the integrated perspective of

automaton state-transparency clariﬁed with readable

temporal state information.

ACKNOWLEDGEMENTS

This research is funded by the Singapore Ministry

of Education, under NTU-AcRF Tier 1 Grant No:

RG65/07.

REFERENCES

Bredereke, J. and Lankenau, A. (2005). Safety-relevant

mode confusions–modelling and reducing them. Reli-

ability Engineering & System Safety, 88(3):229 – 245.

Cao, X.-R. and Ho, Y.-C. (1990). Models of discrete event

dynamic systems. IEEE Control Systems Magazine,

10(4):69 – 76.

Cassandras, C. G. and Lafortune, S. (2008). Introduction to

Discrete Event Systems. Springer.

Cheriaux, F., Picci, L., Provost, J., and Faure, J.-M. (2010).

Conformance test of logic controllers of critical sys-

tems from industrial speciﬁcations. In Proceedings of

the European Conference on Safety and Reliability.

Diestel, R. (2006). Graph theory. Springer.

Du, Y. and Wang, S. H. (1988). Translation of output con-

straint into event constraint in the control of discrete

event systems. In Proceedings of the IEEE Confer-

ence on Decision and Control, volume 2, pages 1119

–1124.

Faraut, G., Pi´etrac, L., and Niel, E. (2011). Process track-

ing by equivalent states in modal supervisory control.

In Proceedings of the IEEE Conference on Emerging

Technologies & Factory Automation, pages 1 – 8.

Feng, L., M.Wonham, W., and Thiagarajan (2007). Design-

ing communicating transaction processes by supervi-

sory control theory. Formal Methods in System De-

sign, 30:117–141.

Grigorov, L., Butler, B., Cury, J., and Rudie, K. (2010).

Conceptual design of discrete-event systems using

templates. Discrete Event Dynamic Systems, pages

1–47.

Grigorov, L., Butler, B., Cury, J., and Rudie, K. (2011).

Conceptual design of discrete-event systems using

templates. Discrete Event Dynamic Systems, 21:257–

303.

Hinze, A., Malik, P., and Malik, R. (2006). Interaction de-

sign for a mobile context-aware system using discrete

event modelling. In Proceedings of the Australasian

Computer Science Conference, pages 257–266.

Koˇseck´a, J. and Bajcsy, R. (1994). Discrete event sys-

tems for autonomous mobile agents. Robotics and Au-

tonomous Systems, 12(3-4):187–198.

Magnusson, P., Sundstr¨om, N., Bengtsson, K., Lennart-

son, B., Falkman, P., and Fabian, M. (2011). Plan-

ning transport sequences for ﬂexible manufacturing

systems. In Proceedings of the IFAC World Congress.

Manna, Z. and Pnueli, A. (1992). The temporal logic of

reactive and concurrent systems. Springer-Verlag.

Miremadi, S., Akesson, K., and Lennartson, B. (2008).

Extraction and representation of a supervisor using

guards in extended ﬁnite automata. In International

Workshop on Discrete Event Systems, pages 193 –199.

Ou, Y.-C. and Hu, J. (2000). A modiﬁed method for super-

visor speciﬁcation and synthesis of a class of discrete

event systems. Asian Journal of Control, 2(4):263–

273.

Pham, M. T., Dhananjayan, A., and Seow, K. T. (2010). On

the transparency of automata as discrete-event control

speciﬁcations. In Proceedings of the IEEE Interna-

tional Conference on Robotics and Automation, pages

1474–1479.

Ramadge, P. J. and Wonham, W. M. (1987). Supervisory

control of a class of discrete event processes. SIAM

Journal of Control and Optimization, 25(1):206–230.

ICINCO2012-9thInternationalConferenceonInformaticsinControl,AutomationandRobotics

366

Rasmussen, J. (1986). Information processing and human-

machine interaction: an approach to cognitive engi-

neering. North-Holland.

Ricker, S. L., Sarkar, N., and Rudie, K. (1996). A discrete

event systems approach to modeling dextrous manip-

ulation. Robotica, 14(5):515–525.

Seow, K. T. (2007). Integrating temporal logic as a state-

based speciﬁcation language for discrete-event control

design in ﬁnite automata. IEEE Transactions on Au-

tomation Science and Engineering, 4(3):451–464.

Seow, K. T. and Pasquier, M. (2004). Supervising passenger

land-transport systems. IEEE Transactions on Intelli-

gent Transportation Systems, 5(3):165–176.

Su, R. and Wonham, W. M. (2004). Supervisor reduction

for discrete-event systems. Discrete Event Dynamic

Systems: Theory and Applications, 14(1):31–53.

Uzam, M. (2004). An optimal deadlock prevention pol-

icy for ﬂexible manufacturing systems using petri

net models with resources and the theory of regions.

The International Journal of Advanced Manufactur-

ing Technology, 19(3):192–208.

Wonham, W. M. (2003). Supervisory control theory: Mod-

els and methods. In Proc. ATPN - Workshop on Dis-

crete Event Systems Control, International Confer-

ence on Application Theory of Petri Nets, pages 1–14.

Specifications

367