SYNTHESIZING DETERMINISTIC CONTROLLERS IN

SUPERVISORY CONTROL

Andreas Morgenstern and Klaus Schneider

University of Kaiserslautern, Department of Computer Science

P.O. Box 3049, 67653 Kaiserslautern, Germany

Keywords:

Controller Synthesis, Supervisory Control, Discrete Event Systems.

Abstract:

Supervisory control theory for discrete event systems is based on ﬁnite state automata whose inputs are par-

titioned into controllable and uncontrollable events. Well-known algorithms used in the Ramadge-Wonham

framework disable or enable controllable events such that it is ﬁnally possible to reach designated ﬁnal states

from every reachable state. However, as these algorithms compute the least restriction on controllable events,

their result is usually a nondeterministic automaton that can not be directly implemented. For this reason, one

distinguishes between supervisors (directly generated by supervisory control) and controllers that are further

restrictions of supervisors to achieve determinism. Unfortunately, controllers that are generated from a super-

visor may be blocking, even if the underlying discrete event system is nonblocking. In this paper, we give

a modiﬁcation of a supervisor synthesis algorithm that enables us to derive deterministic controllers. More-

over, we show that the algorithm is both correct and complete, i.e., that it generates a deterministic controller

whenever one exists.

1 INTRODUCTION

New applications in safety critical areas require the

veriﬁcation of the developed systems. In the past

two decades, a lot of veriﬁcation methods for check-

ing the temporal behavior of a system have been de-

veloped (Schneider, 2003), and the research lead to

tools that are already used in industrial design ﬂows.

These tools are able to check whether a system K sat-

isﬁes a given temporal speciﬁcation ϕ. There are a lot

of formalisms, in particular, the µ-calculus (Kozen,

1983), ω-automata (Thomas, 1990), as well as tempo-

ral (Pnueli, 1977; Emerson and Clarke, 1982; Emer-

son, 1990) and predicate logics (B

uchi, 1960b; B

uchi,

1960a) to formulate the speciﬁcation ϕ (Schneider,

2003). Moreover, industrial interest lead already to

standardization efforts on speciﬁcation logics (Ac-

cellera, 2004).

Besides the veriﬁcation problem, where the entire

system K and its speciﬁcation must be already avail-

able, one can also consider the controller synthesis

problem. The task is here to check whether there is a

system C such that the coupled system K k C satisﬁes

ϕ. Obviously, this problem is more general than the

veriﬁcation problem. Efﬁcient solutions for this prob-

lem could be naturally used to guide the development

of ﬁnite state controllers.

The controller synthesis problem is not new; sev-

eral approaches exist for the so-called supervisory

control problem. In particular, the supervisory control

theory initiated by Ramadge and Wonham (Ramadge

and Wonham, 1987) provides a framework for the

control of discrete event systems. The system (also

called a plant) is thereby modeled as a generator of a

formal language. The control feature is represented

by the fact that certain events can be disabled by a so-

called supervisor. One result of supervisory control

theory is that in case of formal languages, i.e., ﬁnite

state machines, such a supervisor can be effectively

computed.

However, if an implementation has to be derived

from a supervisor, several problems have to be solved

(Dietrich et al., 2002; Malik, 2003). A particular

problem that we consider in this paper is the deriva-

tion of a deterministic controller from a supervisor

that guarantees the nonblocking property. A system

is thereby called nonblocking, if it is always possible

to complete some task, i.e. to reach some designated

(marked) state from every reachable state. If we con-

sider the events as signals that can be sent to the plant,

a valid controller should decide in every state what

signal should be sent to the plant to ensure that the

marked state is actually reached. However, even if

the generated supervisor is nonblocking, a controller

Morgenstern A. and Schneider K. (2005).

SYNTHESIZING DETERMINISTIC CONTROLLERS IN SUPERVISORY CONTROL.

In Proceedings of the Second International Conference on Informatics in Control, Automation and Robotics - Robotics and Automation, pages 24-31

DOI: 10.5220/0001164500240031

 SciTePress

idle

task A task B

down

star t A

star t B

f A

f B

star t B

star t A

(a) uncontrolled behavior

idle

task A task B

start A start B

f A

f B

(b) supervised behavior

idle

task A

start A

f A

Figure 1: Generation of a Blocking Controller

that is derived by simply selecting in each state one of

the allowed events/signals could be blocking.

As an example, consider the automaton that is

given in Figure 1(a). This automaton represents a

system with two tasks task

A and task B that can be

started with events start

A and start B, respectively.

These events are controllable, i.e. they can be disabled

by a supervisor. If one of the machines completes

its task, the (uncontrollable) events f

A and f B oc-

cur, respectively, leading again to the initial state idle.

Whenever both machines work at the same time, the

system breaks down, since the state down is reached

from where on no further progress is possible. Su-

pervisory control theory can ﬁx the problem that state

down is reached by disabling events start

B in state

task

A and start A in state task B (Figure 1(b)). How-

ever, when we have to implement a deterministic con-

troller that has to select one of the signals start A and

start

B, we get a serious problem: if the controller al-

ways selects start

A, the marked state task B is never

reached, and therefore the nonblocking property is vi-

olated (Figure 1(c)).

In (Malik, 2003; Dietrich et al., 2002), the gen-

eration of deterministic controllers is restricted to

cases where certain conditions hold. It is proved that

these conditions guarantee that every deterministic

controller derived from the supervisor is nonblock-

ing. However, no controller can be constructed in

case the discrete event system does not satisfy these

conditions. In particular, a valid controller may exist,

even if the conditions of (Malik, 2003; Dietrich et al.,

2002) do not hold. For example, this is the case for

the automaton given in Figure 1. A valid controller is

obtained by selecting start

B in state idle.

In this paper, we present a new approach to gen-

erate deterministic controllers from supervisors that

does not suffer from the above problem. To this end,

we introduce a more general property than nonblock-

ing which we call forceable nonblocking. A discrete

event system satisﬁes this property if and only if there

exists a deterministic controller that ensures that every

run (either ﬁnite or inﬁnite) of the controlled system

visits a marked state. Obviously, this requirement is

stronger than the nonblocking property. Our algo-

rithm guarantees that a marked state will be reached,

no matter how the plant behaves. In contrast, the non-

blocking property only requires that the plant has the

chance to reach a marked state. Although our prop-

erty is more general than nonblocking, our algorithm

is just a slight adjustment of the original supervisor

synthesis algorithm which is known to have moderate

complexity bounds.

The paper is organized as follows: In the next Sec-

tion, we present the basics of supervisory control the-

ory. In Section 3, we present our new algorithm to

compute deterministic nonblocking controllers from

supervisors whenever this is possible. Finally, the pa-

per ends with some conclusions and directions for fu-

ture work.

2 SUPERVISORY CONTROL

THEORY

In this section, we will give a brief introduction to the

supervisory control theory as initiated by Ramadge

and Wonham (Ramadge and Wonham, 1987). For a

more detailed treatment of the topic we refer to (Won-

ham, 2001).

Traditionally, control theory has focused on con-

trol of systems modeled by differential equations, so-

called continuous variable dynamic systems. There,

the feedback signal from the controller inﬂuences the

behavior of the system, enforcing a given speciﬁca-

tion that would not be met by the open-loop behavior.

Another important class of system models are those

where states have symbolic values instead of numeri-

cal ones. These systems change their state whenever

an external or internal event occurs. This class of sys-

tems, called discrete event systems (DES), is the fo-

cus of supervisory control theory (Ramadge and Won-

ham, 1987).

The theoretical roots of supervisory control theory

explain some of the terminology used. In the Ra-

madge Wonham (RW) framework, one speaks of a

SYNTHESIZING DETERMINISTIC CONTROLLERS IN SUPERVISORY CONTROL

plant

supervisor

events

generated by

plant

events

enabled by

supervisor

Figure 2: The Ramadge-Wonham Framework

plant, a system which generates events and encom-

passes the whole physically possible behavior of the

system to be controlled (including unwanted situa-

tions). The speciﬁcation is a subset of this behav-

ior that should be matched by adding a controller.

A supervisor is an entity that is coupled with the

plant through a communication channel that allows

the supervisor to inﬂuence the behavior of the plant

by enabling those events that may be generated in

the next state of the system (see Figure 2). Usu-

ally, in a physical system, not all of the events can

be inﬂuenced by an external supervisor. This is cap-

tured by distinguishing between events that can be

prevented from occurring, called controllable events,

and those that cannot be prevented, called uncontrol-

lable events. We denote the sets of uncontrollable and

controllable events as Σ

and Σ

, respectively, and

deﬁne Σ = Σ

∪ Σ

The Ramadge Wonham formulation of the supervi-

sory control problem makes use of formal language

theory and automata: A ﬁnite automaton is a 5-tuple

A = hQ, Σ, δ, q

, M i where Σ is a set of events, Q is

a set of states, δ : Q× Σ → Q is a transition function,

and q

∈ Q is the initial state. The states in the set

M ⊆ Q are chosen to mark the completion of tasks

by the system and are therefore called marker states.

We write δ(q, σ) ↓ to signify that there exists a tran-

sition labeled with σ, leaving q. It is often necessary

to refer to the set of events for which there is a transi-

tion leaving state q. We refer to these events as active

events:

Deﬁnition 1 (Active Events) Given an automaton

A = hQ, Σ, δ, q

, M i and a particular state q ∈ Q,

the set of active events of q is:

act

(q) := {σ ∈ Σ | δ(q, σ ) ↓}

If the plant and the supervisor are represented using

ﬁnite automata, the control action of the supervisor is

captured by the synchronous product:

Deﬁnition 2 (Automata Product) Given automata

= hΣ, Q

, δ

, q

i and A

= hΣ, Q

, q

, M

i, the product A

× A

is the automaton

hΣ, Q

× Q

, δ

P×S

, (q

, q

), M

× M

i, where

P×S

((p, q), σ) = (p

′

, q

′

) iff

(p, σ) = p

′

∧ δ

(q, σ) = q

′

Note that in a state (p, q) of the synchronous prod-

uct, the active events are exactly those events that are

active both in the plant and the supervisor,i.e.

act

×A

((p, q)) = act

(p) ∩ act

(q) .

Disabling controllable events in the states of the su-

pervisor will therefore also disable them in the prod-

uct. This is how the supervisor enforces his control

function.

The behavior of the plant represented by a ﬁnite

automaton is closely related to two formal languages

over the alphabet of events Σ, the generated language

L (A) and the marked language L

(A). The gener-

ated language L (A) represents sequences of events

that the plant generates during execution while the

marked language L

(A) represents those event se-

quences that lead to a marker state. Formally, the two

languages are deﬁned as follows

Deﬁnition 3 (Generated and Marked Language)

L (A) = {w ∈ Σ

∗

: δ(q

, w) ↓}

(A) = {w ∈ Σ

∗

: δ(q

, w) ∈ M}

Given both the plant A

and the supervisor A

, the

generated and marked language of the controlled sys-

tem are denoted by L (A

) and L

)

and deﬁned by the generated and marked language of

the product automaton:

L (A

) := L (A

× A

) = L (A

) ∩ L (A

)

) : = L

× A

)

= L

) ∩ L

)

When we consider algorithms, it is also necessary

that the speciﬁcation is given as a ﬁnite automaton.

The assumption that the uncontrollable events can not

be prevented from occurring, places restrictions on

the possible supervisors. Therefore, a speciﬁcation

automaton A

is called controllable with respect to

a plant A

, if and only if for every state (p, q) of

×A

that is reachable by a string in L (A

× A

)

and every uncontrollable event σ ∈ Σ

, the following

holds:

σ ∈ act

(p) ⇒ σ ∈ act

(q) .

In other words, A

is controllable if and only if no

word of L (A

) that is generated according to the

speciﬁcation, exits from the behavior permitted by

the speciﬁcation if it is followed by an uncontrollable

event. Speciﬁcations that do not fulﬁll this require-

ment are called uncontrollable. If a speciﬁcation is

uncontrollable, the product automaton contains one or

more reachable bad states, which are states (p, q) that

fail to satisfy the following condition:

As usual, we allow δ to process also words instead of

only single events.

ICINCO 2005 - ROBOTICS AND AUTOMATION

act

×A

((p, q)) ⊇ act

(p) ∩ Σ

Given a speciﬁcation automaton A

, the language

K = L

) is controllable if and only if A

× A

has no bad states. Besides controllability, another im-

portant property of discrete event systems is the non-

blocking property which states that it is always possi-

ble to complete some task, i.e. that from every reach-

able state q ∈ Q, it is possible to reach a marked state.

Formally, an automaton is nonblocking, if and only if

for each reachable state q ∈ Q, we have

(q) = {w ∈ Σ

∗

| δ(q, w) ∈ M} 6= ∅.

States that have a path to a marked state are called

coreachable. Ramadge and Wonham have shown that

given a speciﬁcation K which is not controllable, it is

possible to construct for every plant A

and every

speciﬁcation A

the supremal controllable sublan-

guage of K, denoted supC (K). This result is of

practical interest: Given that the speciﬁcation lan-

guage K is uncontrollable, it is possible to compute

supC (K) and to construct a supervisor A

such that

) = supC (K). This implies that the con-

trolled system is nonblocking, meaning that the con-

structed supervisor does not prevent the plant from

completing a task. This supervisor is a solution to the

following problem:

Deﬁnition 4 (Supervisory Control Problem)

Given a plant A

, a speciﬁcation language

K ⊆ L

) representing the desired behavior of

under supervision, ﬁnd a nonblocking supervisor

such that L

) ⊆ K.

Given a speciﬁcation automaton A

, we can construct

the least restrictive solution from the product automa-

ton A

× A

. The marked language of this least

restrictive solution A

is equal to supC (K). If an

automaton A = hQ, Σ, δ, q

, M

i is given that rep-

resents the product of the plant and the speciﬁcation,

algorithm 1 can be used to compute this supervisor

(Ziller and Schneider, 2003).

Essentially, this algorithm consists of two loops.

The inner loop calculates the coreachable states x

and the outer loop computes the good states x

i.e. states that are not bad states. Since removing bad

states could destroy the coreachability property and

removing non-coreachable states could result in new

bad states, the two loops have to be nested. Based

on this algorithm, we will provide an algorithm that

calculates a supervisor with the property that every

deterministic controller generated from this supervi-

sor is a valid controller, i.e. guarantees that a marked

state is reached, irrespectively of the behavior of the

plant.

Algorithm 1: Supervisor Synthesis Algorithm

= Q

\ {q ∈ Q | q is initial bad};

j = 0;

repeat

(0,j)

= M ∩ x

;

i = 0;

repeat

(i+1,j)

= x

∩

∪

(

q ∈ Q



∃σ ∈ act

(q) .

(q, σ) ∈ x

(i,j)

i = i + 1;

until x

= x

i−1

;

j+1

= x

∩



q ∈ Q



∀σ ∈ act

(q) ∩ Σ

(q, σ) ∈ x

(i,j)

∩ x



j = j + 1;

until x

= x

j−1

;

3 CONTROLLER SYNTHESIS

We have seen by the example given in Figure 1 that

the nonblocking property is too weak to guarantee

that a marked state is reached under control by a deter-

ministic controller. This is due to the fact that a state

is coreachable even if there exists an inﬁnitely long

sequence of events that never visits a marked state.

We therefore sharpen the coreachability property as

follows:

Deﬁnition 5 (Forceably Coreachable States) A

state is forceable coreachable, if it is coreachable

and

∃n ∈ N.∀t ∈ Σ

∗







δ(q, t) ↓ ∧|t| ≥ n ⇒ ∃t

′

⊑ t.δ(q, t

′

) ∈ Q

∧

δ(q, t) ↓ ∧|t| < n ⇒



∃t

′

⊑ t.δ(q, t

′

) ∈ Q

∨

act

(q) 6= ∅



Intuitively, a state is forceable coreachable, if there

exists a threshold after which a marked state is un-

avoidable. In contrast to the deﬁnition of coreachabil-

ity that imposes a condition on the future, we demand

something about the past: we demand that after a cer-

tain amount of steps (referenced by n), a marked state

must have been visited. As long as this bound n is not

reached, we demand that either the system does not

stop or that a marked state has already been reached.

In terms of temporal logics, we demand that on all

paths a marked state must be reached. In contrast,

the nonblocking property only states that for all states

there exists a path where M is reached. We call an

automaton forceable nonblocking, if each reachable

SYNTHESIZING DETERMINISTIC CONTROLLERS IN SUPERVISORY CONTROL

state is forceable coreachable. The Controller Syn-

thesis Problem is now given as follows:

Deﬁnition 6 (Controller Synthesis Problem)

Given a plant A

, a speciﬁcation language

K ⊆ L

) representing the desired behavior of

under control, ﬁnd a nonblocking supervisor A

such that

• L

) ⊆ K.

• A

× A

is forceable nonblocking.

Hence, a controller ensures that a marked state is ac-

tually reached. It is very easy to derive a determinis-

tic controller from such a solution: in every step, we

can simply select a controllable event to ensure that

a marked state is actually reached. This is due to the

fact, that we demand that all paths leaving a forceable

coreachable state sooner or later reach a marked state.

Therefore, it is irrelevant which of the active control-

lable events we select.

Theorem 1 Given A

= hQ, Σ, δ, q

, M

i and

= hQ, Σ, δ, q

, M

i such that

L (A

) ⊆ L (A

) ∧ L

) ⊆ L

) ,

then, the following holds: If A

is forceable coreach-

able then A

× A

is forceable coreachable.

Proof:

Let (q, p) ∈ Q

× Q

be reachable, such

that δ

×A

((q

, q

), s) = (q, p). Then, also

q ∈ Q

must be reachable in A

. Therefore, q is

forceable coreachable with a constant n. Now, choose

a t ∈ Σ

∗

such that δ

×A

((q, p), t) ↓. We distin-

guish between two cases: First, we assume |t| ≥ n.

Then, there exists a t

′

⊑ t such that δ(q, t

′

) ∈ M

Therefore, st

′

∈ L

) ⊆ L

((A

)) holds.

Since all automata are deterministic, it follows that

δ((q, p), t

′

) ∈ (M

×M

) holds. In the remaining

case, we have |t| < n. Then, either there exists a

′

⊑ t that visits a marked state as in the ﬁrst case or

act

(q) 6= ∅. Again, since the language inclusion

holds, we have act

×A

(δ((q, p), t)) 6= ∅.

4 CONTROLLER SYNTHESIS

ALGORITHM

In this section, we develop a controller synthesis al-

gorithm based on the supervisor synthesis algorithm

of Section 1. In order to guarantee the forceable non-

blocking property, we have to adopt the calculation of

the coreachable states. In contrast to the coreachabil-

ity property, which only demands that a marked state

is reachable, i.e. that it is possible to directly reach

a marked state or to reach a state which is known to

be coreachable, a state is forceable coreachable if it is

coreachable and all events lead to forceable coreach-

able states. State and event pairs that guarantee this

property are collected in the set moves. This implies

that all destination states of uncontrollable transitions

leaving a state q must be identiﬁed as forceable core-

achable before we can add any transition from q to

moves. Otherwise, q is bad, which is identiﬁed in the

-loop. This ensures that the controllability prop-

erty is not violated. To prevent the plant from looping,

we forbid adding new moves, if we had already found

a move that lead to a marked state. This is done due

to the fact that those newly found moves will need a

longer path to reach a marked state than the already

introduced moves and may therefore introduce loops.

We collect the forceable coreachable states in the set

by adding those states that have a path to a marked

state where this can be guaranteed. Altogether, we

thus have developed algorithm 2.

Algorithm 2: Controller Synthesis Algorithm

j = 0;

= Q

\ {q ∈ Q

| q is initial bad};

repeat

(0,j)

= M ∩ x

;

i = 0;

move

(0,j)

= {};

repeat

move

(i+1,j)

= move

(i,j)

∪











(q, σ)



(q, σ) ∈ x

(i,j)

∧



∀σ ∈ act

(q) ∩ Σ

(q, σ) ∈ x

(i,j)



∧

∀σ ∈ Σ. (q, σ) /∈ move

(i,j)











(i+1,j)

= x

∩



(i,j)

∪





∃(q, σ) ∈ move

(i+1,j)

(q, σ) ∈ x

(i,j)



i = i + 1;

until x

= x

i−1

;

j+1

∩



q ∈ Q



∀σ ∈ act

(q) ∩ Σ

(q, σ) ∈ x

(i,j)

∩ x



j = j + 1

until x

= x

j−1

;

The above algorithm may only loop for a ﬁnite

number of iterations, since there are only ﬁnitely

many states: In x

, only ﬁnitely many states may

be added and from x

only ﬁnitely many states

may be removed. Therefore, there exists a k such

that x

= x

k+1

ﬁnally holds. Additionally, for

every i there exists a l such that x

(i,l)

= x

(i,l+1)

and moves

(i,l)

= moves

(i,l+1)

. For this reason,

we use the following notation:x

= x

∞

and also

ICINCO 2005 - ROBOTICS AND AUTOMATION

(i,∞)

:= x

(i,k)

as well as move

(i,∞)

:= move

(i,k)

for every i, and ﬁnally x

(∞,∞)

:= x

(l,k)

and

moves

(∞,∞)

:= moves

(l,k)

for the last iteration

step.

Note that according to the deﬁnition of x

, it

holds that x

(i,j)

⊆ x

for every i, j and thus also

(∞,∞)

⊆ x

∞

holds. Since move does only contain

transitions leading to forceable coreachable states, it

thus contains only transitions to good states.

If q

∈ x

(∞,∞)

holds, we deﬁne a controller as

follows: A

= hQ

, Σ, δ

, q

, M

i with

(q, σ) =



(q, σ) , if (q, σ ) ∈ move

(∞,∞

)

↑ , else

The following lemma shows that we decrease the dis-

tance to a marked state whenever we use an event en-

abled by the controller:

Lemma 1

∀i > 0∀q ∈



(i,∞)

\ x

(i−1,∞)



∀σ ∈ act

(q) .

(q, σ) ∈ x

(i−1,∞)

Proof:

Let q ∈ Q

such that q ∈ x

(i+1,∞)

\ x

(i,∞)

This implies that there must exist a move

(q, σ) ∈



move

(i+1,∞)

\ move

(i,∞)



such that

(q, σ) ∈ x

(i,∞)

. But this directly implies that

(q, σ) ∈ x

(i,∞)

for every (q, σ) ∈ move

(i+1,∞)

We thus have the statement for those moves added

in the i + 1-th iteration step. Additionally, if follows

from the deﬁnition of move that there can be no move

(q, σ

′

) ∈ move

(∞,∞)

\ move

(i+1,∞)

. Therefore

(q, σ) ∈ x

(i,∞)

for every σ ∈ act

(q).

The above lemma does not apply to marked states

(those are contained in x

(0,∞)

). And indeed, with-

out the additional set x

, this would not be true. The

next lemma ﬁxes this deﬁciency.

Lemma 2

∀q ∈



∩ x

(∞,∞)



∀σ ∈ act

(q) .

(q, σ) ∈ x

(∞,∞)

Proof:

Choose an arbitrary state q ∈

∩ x

(∞,∞)

⊆ x

∞

. The proof follows directly

for uncontrollable events because of the deﬁnition of

∞

. Thus, consider a controllable event. According

to the deﬁnition of δ

, σ ∈ act

(q) ∩ Σ

implies

that (q, σ) ∈ move

(∞,∞)

. According to the deﬁnition

of move, we must have (q, σ) ∈ move

(i,∞)

for a

suitable i. Therefore, we have δ

(q, σ) ∈ x

(i−1,∞)

and thus δ

(q, σ) ∈ x

(i−1,∞)

Since the x

(i,∞)

, i ∈ N are monotone in i, the follow-

ing Lemma follows inductively:

Lemma 3

∀q ∈ x

(∞,∞)

∀t ∈ Σ

∗

(q, t) ↓ ⇒ δ

(q, t) ∈ x

(∞,∞)

While the above lemma only guarantees that the

forceable coreachable states are never left, the next

lemma shows that the plant may not stop until a

marked state is reached:

Lemma 4

∀i > 0∀q ∈ x

(i,∞)

∃σ ∈ act

(q) .

(q, σ) ∈ x

(i−1,∞)

Proof:

According to the deﬁnition and the monotony

of x

q ∈ x

(i,∞)

⇔ q ∈ x

∞

∧



q ∈ M

∨ ∃(q, σ) ∈ move

(i,∞)

(q).

(q, σ) ∈ x

(i−1,∞)



If q ∈ M

we are done, otherwise the lemma follows

from the deﬁnition of δ

and the monotony of

move

(i,∞)

with respect to i.

Finally, we now have the following theorem:

Theorem 2 All q ∈ x

(∞,∞)

are coreachable in A

Proof: Take some q ∈ x

(∞,∞)

. Then, q ∈ x

(i,∞)

for

some k. If q is marked, we are done. Otherwise, we

can iteratively apply Lemma 4 to generate a string

t ∈ Σ

∗

that reaches a marked state. This is due to the

fact that if we apply Lemma 4, then the i-index of the

destination state decreases in each step. Therefore,

after at most k iteration steps, we have constructed a

word t such that δ(q, t) ∈ x

(0,∞)

= M

We will show in the next lemma that also the stronger

property of forceable coreachability holds:

Theorem 3 All q ∈ x

(∞,∞)

, are forceable coreach-

able

Proof:

The coreachability property follows from the

last theorem. We will now show the rest of the force-

able coreachability property for any q ∈ x

(∞,∞)

Since q ∈ x

(∞,∞)

, there exists an i ∈ N such that

q ∈ x

(i,∞)

\ x

(i−1,∞)

. If i = 0, we are done, because

then x

is marked. Otherwise we show that this i is the

threshold that is required for forceable coreachability.

Let t ∈ Σ

∗

be such that δ

(q, t) ↓ holds. Apply-

ing Lemma 3 shows that δ

(q, t) ∈ x

(∞,∞)

holds.

SYNTHESIZING DETERMINISTIC CONTROLLERS IN SUPERVISORY CONTROL

We distinguish two cases: If |t| < i holds, then ei-

ther δ

(q, t) ∈ M

or ∃σ ∈ act

(q) .δ

(q, σ) ∈

(i−1,∞)

according to Lemma 4. Both cases satisfy

the condition of forceable coreachability for the case

|t| < i.

Now consider any string t with length i and assume

that δ

(q, t

′

) /∈ M

for every t

′

⊑ t. Then, we

can iteratively apply Lemma 1 i-times to conclude

that δ

(q, t) ∈ x

(0,∞)

⊆ M

holds. The forceable

coreachability property therefore holds for every

string with length i and thus also for every string of

length greater i.

The following theorem gives us the correctness of our

algorithm:

Theorem 4 (Correctness of the Algorithm) If

∈ x

(∞,∞)

, then A

is forceable nonblocking and

the generated supervisor A

is a valid solution to the

controller synthesis Problem.

Proof:

Since q

∈ x

(∞,∞)

holds, we can conclude

from Lemma 3 that every reachable state is contained

in x

(∞,∞)

. The ﬁrst part of the statement now

follows from theorem 3. For the second part, we note

that the generated language is necessarily contained

in the speciﬁcation, because of the construction of

A = A

× A

. The forceable nonblocking property

follows now from theorem 1. The controllability

property can be seen as follows: Similar to the

original supervisor synthesis algorithm, we can be

sure that no initial bad state is reached, because we

removed those states from the good states and only

good states may be visited. On the other hand, we

never remove single uncontrollable transitions due to

the deﬁnition of move. Rather, we remove all states

that have an uncontrollable transition to a non-good

or non-forceable coreachable state in the condition

for the good states. Since x

∞

⊆ x

∞

and q

∈ x

∞

we can be sure that only good states are visited.

We have shown that the above algorithm is correct.

To show also its completeness, i.e. that the algorithm

generates a controller, whenever a controller exists,

we need the next deﬁnition and some additional lem-

mata. According to the deﬁnition of forceable core-

achability, for every forceable coreachable state, there

exists a constant n after which a marked state is un-

avoidable. Thus, we can deﬁne an ordering on the

states by taking the minimal constant n for which the

forceable coreachable property holds. Thus, we de-

ﬁne for every automaton A:



q ∈ Q



q is forceable coreachable

with a minimal constant n



Lemma 5 For every forceable coreachable automa-

ton A the following holds:

∀i > 0∀q ∈ F







∀σ ∈ act

(q) .δ

(q, σ) ∈

[

j<i

∧

∃σ ∈ act

(q) .δ

(q, σ) ∈

[

j<i







Proof:

Let q in F

. For the ﬁrst part, as-

sume that there exists σ ∈ act

(q) such that

(q, σ) /∈

j<i

holds. Then, we can distin-

guish two cases: if q

′

= δ

(q, σ) is not forceable

coreachable, then there exists an inﬁnite string t with

δ(q

′

, t) ↓ that avoids all marked states. Accordingly,

q can not be forceable coreachable, because other-

wise all marked states are avoidable by the inﬁnite

string σt. On the other hand, if δ

(q, σ) is forceable

coreachable, but with a constant greater or equal i,

then q can not have a minimal constant i. To prove the

second part of the lemma, we ﬁrst note that q can not

be marked, because otherwise q ∈ F

. Therefore,

there exists a successor state, because otherwise q

can not be coreachable. However, this successor state

must be contained in

j<i

according to the proof

of the ﬁrst part.

Lemma 6 If there exists an automaton A

such that

A × A

is forceable nonblocking and A

respects the

controllability property with respect to A, then q

∈

(∞,∞)

Proof:

Since A × A

is forceable nonblocking, every

reachable state is forceable coreachable, therefore

contained in some F

A×A

. We will show by induc-

tion on i:

if (p, q) ∈ F

A×A

for some i, then q ∈ x

(i,∞)

The above lemma follows then from the fact that the

initial state (q

, q

) must be forceable nonblocking

and therefore contained in some F

A×A

Inductive Base: i = 0. Then (p, q) is marked and

we are done.

Inductive Step: Let (p, q) ∈ F

i+1

A×A

. Then accord-

ing to lemma 5 the following holds:

∀σ ∈ act

A×A

((p, q)) .δ

A×A

((p, q), σ) ∈

[

j<i

A×A

Since the controllability property holds, we have that

every uncontrollable event in q is also active in (p, q).

Therefore

∀σ ∈ act

(q) ∩ Σ

.δ

A×A

((p, q), σ) ∈

[

j<i

A×A

ICINCO 2005 - ROBOTICS AND AUTOMATION

It now follows from the inductive hypothesis and the

determinacy of A, that

∀σ ∈ act

(q) ∩ Σ

.δ

(q, σ) ∈

[

j<i

(i,∞)

= x

(i,∞)

Again considering Lemma 5, we obtain:

∃σ ∈ act

A×A

((p, q)) .δ

A×A

((p, q), σ) ∈ F

A×A

Therefore, using the inductive hypothesis, we obtain

∃σ ∈ act

A×A

((p, q)) ⊆ act

(q) .

(q, σ) ∈

[

j<i

(j,∞)

= x

(i,∞)

Now either (q, σ) is added to move

i+1

, or there ex-

ists another move (q, σ

′

) that has been already added

to move. In both cases, we have q ∈ x

(i+1,∞)

We are now ready to show completeness of the algo-

rithm:

Theorem 5 (Completeness of the Algorithm)

Given a plant A

and a speciﬁcation A

where

the controller synthesis problem is solvable. Then,

∈ x

(∞,∞)

, i.e. the presented algorithm generates

a valid controller.

Proof:

Let A

be an automaton that solves the

controller synthesis problem. Then, necessar-

ily L (A

× A

) ⊆ L (A

) holds as well as

× A

) ⊆ L

). A

× A

is forceable

nonblocking. Therefore, A

× A

= A

× A

is forceable nonblocking. According to the deﬁnition

of controller synthesis problem, A

needs to be

controllable with respect to A

. Therefore, A

must

be also controllable with respect to A

× A

= A.

The statement follows now from Lemma 6.

5 CONCLUSION

In this paper, we have developed an algorithm for

the generation of valid controllers from a supervi-

sory control model as used in the Ramadge-Wonham

framework. To this end, we have strengthened the

coreachability property in order to guarantee that a

marked state is eventually reached, irrespective of the

plant’s behavior. We have proved the correctness and

the completeness of our algorithm. In the future, we

plan to implement our Algorithm on top of our toolset

Averest (Averest, 2005) to evaluate the runtime be-

haviour of the algorithm.

REFERENCES

Accellera (2004). PSL/Sugar.

http://www.haifa.il.ibm.com/projects/veriﬁcation/sugar.

Averest (2005). www.averest.org.

uchi, J. (1960a). On a decision method in restricted second

order arithmetic. In Nagel, E., editor, International

Congress on Logic, Methodology and Philosophy of

Science, pages 1–12, Stanford, CA. Stanford Univer-

sity Press.

uchi, J. (1960b). Weak second order arithmetic and ﬁnite

automata. Z. Math. Logik Grundlagen Math., 6:66–

92.

Dietrich, P., Malik, R., Wonham, W., and Brandin, B.

(2002). Implementation considerations in supervisory

control. In B. Caillaud, P. Darondeau, L. Lavagno,

and X. Xie, editors, Synthesis and control of dis-

crete event systems, pages 185–201. Kluwer Acad-

emic Publishers.

Emerson, E. (1990). Temporal and modal logic. In Hand-

book of Theoretical Computer Science, volume B,

chapter Temporal and Modal Logics, pages 996–1072.

Elsevier.

Emerson, E. and Clarke, E. (1982). Using branching-time

temporal logic to synthesize synchronization skele-

tons. Science of Computer Programming, 2(3):241–

266.

Kozen, D. (1983). Results on the propositional µ-calculus.

Theoretical Computer Science, 27:333–354.

Malik, P. (2003). From Supervisory Control to Nonblock-

ing Controllers for Discrete Event Systems. PhD the-

sis, University of Kaiserslautern, Kaiserslautern, Ger-

many.

Pnueli, A. (1977). The temporal logic of programs. In Sym-

posium on Foundations of Computer Science (FOCS),

volume 18, pages 46–57, New York. IEEE Computer

Society.

Ramadge, P. and Wonham, W. (1987). Supervisory control

of a class of discrete event processes. SIAM Journal

of Control and Optimization, 25(1):206–230.

Schneider, K. (2003). Veriﬁcation of Reactive Systems –

Formal Methods and Algorithms. Texts in Theoretical

Computer Science (EATCS Series). Springer.

Thomas, W. (1990). Automata on inﬁnite objects. In Hand-

book of Theoretical Computer Science, volume B,

chapter Automata on Inﬁnite Objects, pages 133–191.

Elsevier.

Wonham, W. (2001). Notes on control of discrete-event sys-

tems. Technical Report ECE 1636F/1637S 2001-02,

Department of Electrical and Computer Engineering,

University of Toronto.

Ziller, R. and Schneider, K. (2003). A generalized ap-

proach to supervisor synthesis. In Formal Methods

and Models for Codesign (MEMOCODE), pages 217–

226, Mont Saint-Michel, France. IEEE Computer So-

ciety.

SYNTHESIZING DETERMINISTIC CONTROLLERS IN SUPERVISORY CONTROL