Beruflich Dokumente
Kultur Dokumente
s
29 Shared events in the process space
L() 30 Set of all language vectors in
E , _ 30 Componentwise membership and containment
., 30 Componentwise union and intersection
B
C
o
: Pwr(X)
Pwr(Y ), dened as
(X
X) f
(X
) := y Y [ (x X
) (x, y) f
Thus f
(X
) Y . In particular, f
(X
) for f
(X
: X Y
with f(x) = f
A [ a
E
a. The subscript in [a]
E
may be dropped if known from
the context. The set [a]
E
is also referred to as the coset of a with respect to E.
The collection of all cosets of A with respect to the equivalence relation E denes a
partition of A and will be denoted A/E. The set of all equivalence relations on A is
denoted c(A). A partial order can be dened on c(A) as follows
(E
1
, E
2
c(A)) E
1
E
2
(a, b A) aE
1
b aE
2
b
In the poset (c(A), ) the supremum and inmum of any subset of c(A) always exists.
The supremum of a set T c(A) is
T. Consequently the structure (c(A), ) forms a complete lattice. For the set
A, any function f : A B induces an equivalence relation ker f c(A) referred to
as the equivalence kernel of the function f, given by
(a
1
, a
2
) ker f f(a
1
) = f(a
2
)
Similarly, any E c(A) denes a canonical output map E : A A/E which maps
each element a A to its equivalence class [a]
E
.
2.2 Formal languages and automata
An alphabet is a nite nonempty set of symbols which may be called also letters
or events. A string or word is sequence of events. We will write
+
for the set of all
(nonempty) nite strings with events in , and
=
+
, where , denotes
the empty string. With catenation, cat, as the product operation,
becomes a
monoid. A language over the alphabet is any subset of
is a prex of s
, denoted t s, if there
exists u
, denoted
H, is the set of all strings in
. R is a right congruence on
) s
L
t (u
) su L tu L
That is, s
L
t i s and t can be continued in exactly the same ways (if any) to form
a string in L. It can be proved that
L
is a right congruence.
Let L
1
1
and L
2
2
, where
1
and
2
are not necessarily disjoint. Let
=
1
2
. The natural projection operation from
to
i
is a map P
i
:
i
dened as follows
P
i
() =
P
i
() =
_
_
_
if ,
i
if
i
P
i
(s) = P
i
(s)P
i
()
for all s
.
Proposition 2.3. Let P :
o
be a natural projection. Then,
P pre = pre P, P
1
pre = pre P
1
This is to say that natural projections and their inverses are invariant with respect
to the prex closure operation. The synchronous product of L
1
1
and L
2
2
is
dened according to
L
1
| L
2
= P
1
1
(L
1
) P
1
2
(L
2
)
Intuitively, L
1
|L
2
represents the concurrent evolution of L
1
and L
2
with synchro-
nization on common events. The synchronous product operation can be dened
incrementally as follows. Let L
1
, u
1
, a
1
, L
1
, v
2
, b
2
.
Then
u | = u
| v = v
ua | vb =
_
_
_
(u | vb) a (ua | v) b a (
1
2
), b (
2
1
)
(u | v)(a b) otherwise
L
1
| L
2
=
_
uL
1
,vL
2
u | v
The above denition of synchronous product conforms with the way this product is
computed in practice.
Let and be two nite alphabets. A morphism is a mapping h :
) is a
22
submonoid of
is a morphism from
= h
1
() for all . Then h
1
() = R
and h
1
() = R
with s =
1
. . .
n
where
i
for i [1 . . . n], we can write
h
1
(s) = h
1
(
1
) . . . h
1
(
n
) = R
1
R
2
R
. . . R
R
n
R
. Hence, h
1
is a
semigroup morphism from
to L().
An automaton is a 5-tuple structure (Q, , , q
o
, Q
m
), where Q is a nite set of
states, is a nite nonempty set of events, : Q Q is a (partial) transition
function, q
o
Q is the initial state, and Q
m
Q is a nonempty set of marker states.
A transition in the automaton A is any element of , and may be denoted simply by
the triple (q, , q
) (instead of ((q, ), q
)) where (q, ) = q
in Q we say that
23
q
such that q
= (q, s). We
will write
A
(q) to denote the set of states reachable from q in A.
Let A = (Q, , , q
o
, Q
m
) be an automaton. A state q Q is said to be reachable
if it can be reached from the initial state, that is , if q
A
(q
o
), and A is reachable
if all its states are reachable. A state q is said to be coreachable if it can reach one
of the marker states, that is, if there exists a state q
m
Q
m
such that q
m
A
(q),
and A is coreachable if all its states are coreachable. If all the states in A are both
reachable and coreachable then A is said to be trim. The closed language generated
by an automaton A is L(A) = s
[ (q
o
, s) is dened, and the marked language
of A is L
m
(A) = s
[ (q
o
, s) Q
m
. If A is reachable and coreachable, then
L
m
(A) = L(A).
For a regular language L
u
. A supervisor for G can be
viewed as an external agent that observes the behaviour of the system G and enables
or disables any of the controllable events at any point of time. Formally, a supervisor
24
C for a system G is a function
C : L(G) := Pwr() :
u
The function C assigns for each string s L(G) the set of eligible events that can be
executed. Uncontrollable events are always enabled. The language of the controlled
system, denoted L(V/G), is totally dened by the function C and L(G). The language
L(V/G) can be dened recursively as follows
L(V/G)
s L(V/G), s L(G), and V (s) s L(V/G)
No other strings belong to L(V/G)
The marked behaviour of G under the supervision of C is
L
m
(V/G) = L(V/G) L
m
(G)
The supervisor C is said to be nonblocking if
L
m
(V/G) = L(V/G)
In this case, C allows every string in the controlled behaviour to be extended to a
marked string of L
m
(G).
Typically, the control problem requires constructing a supervisor C for the system
G such that the controlled behaviour of G follows some given specications. The
solution for the supervisory control problem is based on the controllability property.
A language K
,
u
Elig
L
(s) = Elig
K
(s)
Clearly, L(V/G) is controllable with respect to L(G) and it is prex closed by deni-
tion. RW theory guarantees that, for a system G any nonempty and closed control-
lable specication K L(G) can be implemented by a supervisory controller so that
the controlled behaviour is K.
Given a language E representing a specication for G whereas E is possibly un-
controllable with respect to G. Dene (
G
(E) to be the set of all sublanguages of E
that are controllable with respect to G. Formally,
(
G
(E) = K E [ K is controllable with respect to G
As a subset of the sublanguages of E, (
G
(E) is nonempty and closed under arbitrary
unions. In particular, (
G
(E) contains a unique supremal element called the supremal
controllable sublanguage of E with respect to G written as sup (
G
(E). An ecient
xpoint algorithm was developed in [RW87] to compute this supremal language. The
automaton generating the supremal controllable language can be used then as a su-
pervisor for the system.
26
Chapter 3
Interacting Discrete Event Systems
This chapter introduces a formal model for a general class of multiprocess discrete
event systems with well-dened inter-process interactions. First, the formal setting
for multiprocess DES environments is introduced. A multiprocess environment is
referred to here as process space. In this environment basic notions of automata
and formal languages are extended to vector quantities. A process space is dened
by an alphabet vector identifying all possible concurrent events in the underlying
multiprocess environment. In this setting a language vector is a set of languages
representing the behaviour of a set of processes. In the absence of any restrictions,
these processes evolve concurrently while synchronizing their shared events.
In a multiprocess environment, the connection between the set of multiprocess sys-
tems and the set of all possible behaviours in this environment is established through
the composition and the decomposition operations. In this chapter, we investigate
two procedures directly related to these operations. The rst one removes redundant
string vectors from a given language vector so that all parts of the system compo-
nents contribute to the overall behaviour of the system. The result is a compact
language vector where each system component can be recovered directly from the
system behaviour using the corresponding projection operation. The second pro-
cedure compensates the information lost in the decomposition operation so that a
given language can be recovered from its set of projections over the process space.
27
It is shown that every language admits a supremal compensator. However, the
eciency of this construction varies substantially from one system to another, and in
general characterizes how the given system matches the process space structure.
A general model for multiprocess discrete event systems is then introduced. The
model, referred to as a one of interacting discrete event systems (IDES), consists
of two basic elements; a language vector representing the system components, and a
specication language representing the interactions between these components. The
overall behaviour of the system is obtained by restricting the free run of the system
components to the interaction specication.
Analysis of discrete event systems usually involves behaviour comparison in one
way or another. However, the behaviour of a multiprocess system is obtained through
the synchronous composition operation which is computationally intractable. Under
the IDES modelling framework, alternative approaches to behaviour analysis of mul-
tiprocess DES can be formulated where the computation of the synchronous product
of the system components can be avoided or reduced using a simpler representation
of these components.
In interacting discrete event systems the interaction specication can be viewed
as a representation of the system architecture. Architectural specications, how-
ever, usually address the external organization of the system component rather than
their internal structures. To capture this observation, a class of abstraction maps is
proposed. This class preserves the process space structure while abstracting low level
details about the components. The corresponding abstract behaviour can be used to
represent typical architectural specications such as serial and parallel interactions.
A hierarchical form of interaction specications, referred to as interaction struc-
tures, is then introduced. Interaction structures combine several interaction spec-
ications in a multilevel scheme similar to the organization of typical hierarchical
systems. A multi-level interaction structure can always be converted to a at inter-
action specication that has the same overall eect on the system components.
28
3.1 Preliminaries and notations
A process space is a structure that denes a multiprocess environment where a set of
processes can run concurrently. To describe and analyze systems in process spaces,
basic notions of formal language theory will be extended to vector quantities. In the
usual way, a vector quantity refers to an element of a Cartesian product of sets.
Let I be the index set of a collection of processes. An alphabet vector over I is
a set =
i
[ i I of alphabets. Bold letters will be used to distinguish vector
quantities as well as functions with a set of vectors as a codomain (range). The ith
component of a vector will be referred to by the normal (unbolded) symbol with the
subscript i. For example, the ith component of the vector u is denoted u
i
.
Let =
i
[ i I be an alphabet vector. The union of all alphabets in will
be denoted by the normal (unbolded) symbol , or by () if any confusion may
arise. A process space is uniquely dened by its alphabet vector, hence either terms
designate the same entity. For a subset J of I, we will write
J
to denote the set of
all events in the J components in , namely, the set
jJ
j
. Therefore, under this
notation we have
I
= and
{i}
=
i
. We will write
s
or
s
() for the set of
shared (synchronous) events in , namely,
s
=
_
i=j
(
i
j
)
The set of asynchronous (local) events,
s
, will be denoted
a
or
a
().
Let be a process space with index set I. A string vector over is a set
s = s
i
i
[ i I. The empty string vector over I is the set
I
= [ i I. The
subscript I may be dropped if it is clear from the context. An event vector over is
a set =
i
i
[ i I such that ,= . For the string vectors v and u,
the componentwise catenation of u and v is denoted cat(u, v) or simply uv.
A language vector over the process space is a set L = L
i
i
[ i I.
Componentwise catenation can be dened over the set of language vectors in the
29
usual way. The set of all language vectors over is denoted L(). Recall that
L() denotes the set of all languages over the alphabet . A language L L()
is considered a language vector L with a singleton element over the alphabet vector
= , and vice versa, so that L = L. For two language vectors L
and L over
, L
i
L
i
for
all i I. In this case we write L
.L and L
L, respectively.
For a language vector L and a natural projection operation P
o
:
o
, we will
write P
o
L for the componentwise projection of L. That is, P
o
L = P
o
L
i
[ i I. Let
F : L() L() be a map. With a slight abuse of notation, we will write F(L) for
the vector language F(L
i
) [ i I. The synchronous product of the components of
the language vector L will be denoted |L, or B
(L).
A string vector s in the process space is said to be composable if B
(s) ,=
, otherwise it is called incomposable. Consider, for instance, the process space
= a, x, z, b, x, y, c, z, y. In this process space, the string vector s =
axz, xby, zyc is composable with B
: L()
L() associates each language L L() with the language vector P
i
L[ i I where
P
i
:
i
is the natural projection map that erases all events other than those
of the ith component of . Therefore, for the process space the language vector
P
) contains (componentwise) all the string vectors that can be generated in this
process space. For two languages L and L
(L L
) _ P
(L) P
(L
) and P
(L L
) = P
(L) . P
(L
On the other hand, the composition process is represented by the vector composi-
tion function B
(L) =
iI
P
1
i
L
i
. For two language vectors L and L
in L(), it is straightforward
to prove the following dual result for the composition operation.
31
Proposition 3.2.
B
(L) B
(L
) = B
(L L
) and B
(L) B
(L
) B
(L. L
Note that the union inclusion in the above proposition is strict in general. Based
on the above denitions of the composition and decomposition operations, a two way
transformation between the set of languages and the set of language vectors in any
process space is established as shown in the following gure.
B
(Composition)
(Decomposition)
Language Vectors
L() L()
Languages
Figure 3.1: Behaviour transformation in process space
In order to compare the behaviour of a language vector to a given language, one
of these two transformations has to be made. The two approaches, however, are
far from being similar. In the composition approach, the language vector of a given
system is converted to the language generated by the system. In this case, behavioural
comparison can be conducted for the system with respect to any given specication.
However, it is well-known that the composition operation is intractable with respect
to the number of components. The decomposition operation is not computationally
ecient either. However, in most cases the system is given as a set of components and
the specication is given as a language. Therefore, it is only required to decompose
32
the specication. Also, the state size of the specication is usually much less than
the size of the composite system making the decomposition of the specication more
ecient than the composition of the system components. Under these assumptions, it
would be more ecient to decompose the specication into a language vector and then
compare it componentwise with the language vector of the system. Unfortunately,
this simple solution will not work as the outcome of this comparison does not generally
reect the relation between the behaviour of the system and the specication. This
is due to the following facts:
In general, due to possible existence of incomposable string vectors, dierent lan-
guage vectors can generate the same behaviour. Therefore, the componentwise
comparison between language vectors cannot give precise information about the
relation between their corresponding behaviours.
A language L is not in general equivalent to the composite behaviour of its vector
projection, P
in L() we
have
L
_ L = B
(L
) B
(L)
The reverse direction does not hold in general. Therefore, the composition operation
B
is not fully order preserving. To get a closer look into this situation, consider
the kernel of the map B
L()) B
(L) = B
(L
) = L _ L
Basically, a compact language vector contains the minimal set of components that is
1
Within the domain of languages and language vectors, the term order refers to the (componen-
twise) containment order.
34
needed to generate its language. Hence, L is compact if it is the minimal element
in its coset in the partition ker B
(L) = ab, ba, axb. On the other hand, the language vector
H = a, ax, xxa, b, xb, xbxbx with B
(L), is not.
It can be veried easily that for a language L L(), the language vector P
(L)
is always compact. Therefore, if the components of a given system are known to be
equal to the vector projection of the system behaviour then this system is compact.
However, multiprocess systems are usually specied by their components. And, in
this situation, there is a possibility that certain parts of the components do not con-
tribute to the system behaviour. This case may arise, for instance, due to (re)design
errors which are dicult to trace, particularly when the system is composed of a large
number of tightly coupled components. In such cases, compactness of the system is
not guaranteed. The following result provides another characterization for the com-
pactness property. To simplify notation we will write PB
: L() L().
Proposition 3.3. L is compact if and only if L = PB
(L)
Proof. () Let L = L
i
[i I be a language vector. Then we have
P
i
(B
(L)) = P
i
_
jI
P
1
j
L
j
_
= L
i
P
i
_
jIi
P
1
j
L
j
_
L
i
This shows that PB
(P
(L) B
(PB
(L) _ L, we can
conclude that B
(PB
(L)) = B
(L). Hence, L = PB
(L).
() Assume that L = PB
L() with
B
(L) = B
(L
) we have PB
(L) = PB
(L) _ L
. Therefore L _ L
, and hence
L is compact.
35
Therefore, a language vector is compact if and only if its components are exactly
the vector projection of the composite behaviour of the system. Based on this result,
the compact language vector that can generate the same behaviour as a language
vector L is PB
: L() L()
that associates each language vector in L() with the compact language vector that
generates the same behaviour. That is, C
(L) = PB
i
and (j (I i)) L
i
j
= P
s
L
j
where P
s
:
s
is the natural projection of the set of shared events in the
process space. Hence, L
i
is constructed by replacing the ith component of L by
i
,
and replacing all other components by the corresponding projection onto the shared
events. The following proposition denes another way to compute the map C
. First
the following lemma will be needed.
Lemma 3.1. Let and
o
be an alphabet set such that
s
o
and let
P
o
:
o
be the associated natural projection. Then,
(L L()) P
o
(B
(L)) = B
(P
o
L)
The above lemma is a simple extension of a result in [Won01]. The proof of this
extension is direct based on the associativity of the synchronous product.
Proposition 3.4.
C
(L) = L
i
P
i
(B
(L
i
)) [ i I
36
Proof. Write P
j,s
:
(
s
j
)
(L))
j
= P
j
(B
(L))
= P
j
(
iI
P
1
i
L
i
)
= L
j
P
j
(
i=j
P
1
i
L
i
)
= L
j
P
j
(
i=j
P
1
i
L
i
P
1
j
j
)
= L
j
P
j
P
j,s
(
i=j
P
1
i
L
i
P
1
j
j
) (P
j
= P
j
P
j,s
)
= L
j
P
j
(
i(Ij)
P
1
i
P
j,s
L
i
P
1
j
P
j,s
j
) (Lemma 3.1,
s
j,s
)
= L
j
P
j
(
i(Ij)
P
1
i
P
s
L
i
P
1
j
j
)
= L
j
P
j
(B
(L
j
))
Based on the above result, the computation of C
(L) B
(S) L _ S
Proof. The left direction () is trivial and generally holds for any pair of language
vectors not necessarily compact ones. The right direction () is direct based on the
property L
i
= P
i
(B
(P
(L))
The other direction does not hold in general, indicating that the information lost
through the projection operation cannot be recovered using the composition opera-
tion. To have a closer look into this situation, consider the kernel of the decomposition
operation P
is closed under union (but not under intersection in general), simply by the fact that
the projection operation distributes over union. Hence, each coset contains a unique
maximal element. This maximal element is covered below in more detail.
To simplify notation we will write BP
:
L() L(). In the process space , a language L L() is said to be -
decomposable (or simply decomposable if no confusion arises) if
L = BP
(L)
38
Basically, a decomposable language L is a one that can be generated directly from
its vector projection P
.
Proposition 3.6. L is -decomposable if and only if
(L
L()) P
(L
) = P
(L) = L
L
Proof. () Assume that L is -decomposable. Then L = BP
(L). Let L
be
a language such that P
(L) = P
(L
). In general L
BP
(L
) = BP
(L).
Therefore L
L.
() Let L be a language satisfying the above condition. The language vector P
(L)
is always compact. Therefore by Proposition 3.3 we have P
(L) = P
(B
(P
(L))).
Then by the above condition we get B
(P
(P
(P
(L)). Hence L is -
decomposable.
Clearly, the set of -decomposable languages is exactly the image of the map
B
(L) = K L() [ L = BP
(L) K
39
The set C
(L)
is closed under union and intersection and hence has a supremal and inmal element.
Clearly, the inmal element of C
(L) and
C
(L) = L BP
(L)
c
Proof. Clearly L = BP
(L) (L BP
(L)
c
), so LBP
(L)
c
is a compensator for
L. Now, assume that K is a compensator for L such that L BP
(L)
c
K. Then
we can write K = LBP
(L)
c
H for some H L() where H(L BP
(L)
c
) =
and therefore H L = and H BP
(L)
(L BP
(L)
c
H). By simple manipulation of this expression we get L = L H
and therefore H L. It is already established that H L = . Then it must be that
H = . Therefore, L BP
(L)
c
is the supremal compensator for L.
It is easy to see that, any language K such that L K
C
(L) is a -
compensator for L. Hence, the set of compensators of L, C
(L) =
. Based on
the above proposition, it must be that L = BP
(L) =
in ker BP
.
40
Example 3.1. Let = a, b, x, c, d, x be a process space. The language
L = (ax, ac, ca, xc) is -decomposable and therefore can be compensated by
.
Clearly, in this case
(c, d)
where A(K) has two states. On the other hand, the automaton of
its optimal compensator,
C
(H) =
(H)
a, b
a
d
c
H
a, b, x
c, d
a
a
(H)
The language F shown below is an example of a -indecomposable language. The
only compensator for F is the language F itself, as we have P
(F) = P
) =
(a, b, x)
, (c, d, x)
.
x
a, b
c, d
x
F =
C
(F)
Using compensation, any language L can be decomposed into its vector projection,
P
(L). In order
to formalize this recovery procedure, an extended form of the composition operation
is needed.
41
3.5 Interacting discrete event systems
In this section the notion of vector languages is extended to a new structure that
can accommodate a decomposition procedure based on language compensation as
presented in the previous section. The composition and vector projection operations
will be extended accordingly.
Let be an alphabet vector with index set I. An interacting discrete event
system (IDES) over is a pair L = (L, K) where L is a language vector in L()
and K is a language in L(). The language K will be referred to as the interaction
specication language or simply the interaction language of the IDES L. We will use
calligraphic letters to denote IDES structures. Also we will write L
i
to denote the
ith component of L. The language generated by L is given by
B
(L) = |L K
Therefore, the IDES structure consists of a set of components, represented by the
language vector L, running concurrently, and a language K that synchronizes with
the composite behaviour of these components. Clearly, in this case K is a compensator
for the language B
is used also to denote the composition operation for IDES. This operation will be
referred to as the generalized composition operation. Similar to the case with language
vectors, B
= (L
, K
is said to be a substructure of L if L
_ L and K
_ L or L _ L
when L
and L is denoted L
.L, K
K). Similarly,
the componentwise intersection of L
. L = (L
L, K
K).
Similar to the set vector languages, the following result can be easily proved.
Proposition 3.8.
B
(L) B
(L
) = B
(L L
) and B
(L) B
(L
) B
(L . L
As shown earlier, any language L L() can be transformed into an IDES con-
taining its vector projection and one of its compensators. However, L can have more
than one compensator in general. Therefore, it can be decomposed into more than
one IDES each generating the same behaviour. The set of IDES that can gener-
ate the language L from its vector projection will have the form (P
(L), K) where
K C
(L). This set has a maximal element (with respect to the relation _) denoted
(L) = (P
(L),
C
(L) = (P
(L),
C
(L)).
This set will be associated with the language L through the generalized decomposition
operation, T
(L) = L I() [
T
(L) _ L _
T
(L)
The generalized decomposition operation associates a language L with the set of IDES
that contains its vector projection and a compensator for L. Therefore, any IDES in
T
(Composition)
(Decomposition)
Interacting DES
L() L()
Languages
Figure 3.2: Behaviour transformation in process space
The IDES setting allows the transformation of any language into a structure that
generates the same behaviour. This makes the decomposition procedure reversible
for all languages. As should be expected and to be conrmed later, this can provide
a better ground for behavioural analysis of multiprocess systems. In addition, the
above setting introduces a new important dimension to the modelling of multiprocess
discrete event systems that can capture architectural information about the system.
In the next section, the basic aspects of modelling multiprocess discrete event sys-
tems are outlined. The relevance of the interaction specication to the modelling
multiprocess system will become more clear in the light of these aspects.
3.6 Modelling multiprocess systems
In the modelling process, physical properties of the system are transformed into a
mathematical model that captures essential details about its behaviour and function.
The extent and the nature of such details in the system model depend mainly on the
specic interest for studying this system. This is valid for simple systems as well as
complex multiprocess systems. However, there are certain factors that are specic to
the structure and behaviour of multiprocess systems. In this section, we outline the
basic factors that dene the behaviour of multiprocess discrete event systems.
44
System components
Complex discrete event systems are composed of a set of basic components. There
is no strict formal denition of what constitutes a basic component. However, in
practice the basic components of the system are usually recognizable from the system
description and can be rened to t the scope of analysis. It is usually assumed
that the system components are relatively independent in the sense that they can act
autonomously.
System environment
Multiprocess environments enforce certain rules for the composition of the system
components. These rules are usually independent of the internal description of the
underlying components. Synchronous composition is a common composition scheme
in discrete event systems in which shared events must be triggered simultaneously
by the corresponding components. Other composition rules can be formulated for
dierent environments. Composition rules are usually assumed xed for a given envi-
ronment. In general, composition rules dene the way processes interact in the least
restrictive form, usually referred to as the parallel or concurrent composition.
Interaction constraints
In practice, the system components may be congured to interact in a variety of ways
in order to conform to certain organizational schemes. Such conguration usually
takes the form of abstract specication that, in eect, constrains the overall behaviour
of the system components. In contrast with the composition rules, these specications
are specic to the environment. Initial interaction constraints may be given as a
part of the system description. These interaction constraints are usually accessible
(observable) and exible to change (controllable) in order to facilitate systems testing,
maintenance and updates.
45
System Environment
Component
Component
Component
Component
Interaction Specication
Figure 3.3: Multiprocess Discrete Event System
46
A modelling framework for multiprocess systems has to consider the above dimen-
sions in one way or another. In the most general form, all of these dimensions can
be represented as the elementary types (variables) of the system model. The IDES
framework provides a mechanism to include the above dimensions independently in
the system model. The system components are represented by a language vector and
their interaction constraint is represented by the interaction language. In the IDES
setting, the composition rule is xed to the synchronous product operation. Nev-
ertheless, the composition rule remains, conceptually, an independent factor in the
IDES model setting. In a more general setting, the composition operation can be
redened or even considered a variable to accommodate other environments.
3.7 Abstract architectural specication
In multiprocess environments, the interaction between the system components has
the eect of restricting the composite behaviour of these components. Therefore, the
interaction language can be regarded as a specication for the system components.
This view is captured in the IDES model and the generalized composition operation as
introduced earlier. In this section, we investigate the use of the interaction language
as an abstract architectural specication.
Let be a process space and let K be a language in L(). The language K denes
a class of IDES in I() in which K is the interaction language, that is, each IDES in
this class has the form (L, K), where L L(). This class will be referred to as the
K-class in and will be denoted I(, K). That is, I(, K) = (L, K) [ L L().
The behaviour of each IDES in this class is the intersection of the synchronous product
of the corresponding language vector with K. Therefore, the behaviour of each IDES
in this class is contained in K. The language vector P
)) B
(s, K) ,= = s E P
(K)
Proof. Let s E P
(s) K ,= then
B
(s)) = s
i
.
B
(s) K ,= = (i I) B
(s) P
1
i
P
i
K ,= (K P
1
i
P
i
K)
= (i I) P
i
(B
(s) P
1
i
P
i
K) ,=
= (i I) P
i
(B
(s)) P
i
(P
1
i
P
i
K) ,=
= (i I) s
i
P
i
(K) ,=
= s E P
(K)
Therefore, only string vectors contained (componentwise) in the interaction do-
main of the set of (, K)-systems can contribute a non-empty behaviour to any IDES
in this class.
In many practical situations, the system architecture - as dened by the interac-
tion between the system components - does not usually target the internal structure
of the components but rather their external arrangement. Serial composition, for
instance, is a well-known form of interaction in which the system components run se-
quentially in a way that is independent of the internal structure of these components.
Using a form of abstract language to describe architectural specication can better
capture typical situations in multiprocess environments. In addition, using a simple
interaction specication would possibly simplify the analysis in this environment.
Let be a process space with index set I. Dene the index equivalence relation
generated by , denoted c
, as follows
(,
) c
(i I)
i
i
48
That is, two events in are equivalent with respect to c
is associated
with a subset of I where the corresponding components share exactly the events of
the coset. The coset of c
.
The set of subsets of I that are associated with the cosets of the index equivalence
relation, c
, will be denoted I
can be viewed as an
abstract event that corresponds to a transition made simultaneously and collectively
by the corresponding set of components. Dene the map f
: () I
as follows
(recall that I
Pwr(I)),
( ) f
() = i I [
i
The map f
= c
.
The function f
) ker f
)(u, v
) uv K u
v K
It is easy to see that the above condition is equivalent to having K = f
1
(f
(K)).
The composition map f
1
.
Based on the above denition, the languages , , and
is an example of such
universal architectural specications.
Intuitively, the universality property can be achieved if the projection of the archi-
tectural specication is equal to the supremal language vector in the corresponding
process space. That is, an architectural specication K is universal if it satises
P
(K) = P
)
namely, K is -indecomposable. It is easy to see, based on Proposition 3.8, that under
this condition the components of the IDES of the architectural specication does not
impose any restriction to the internal structure of any set of components in the process
space. Roughly speaking, this means that, the eect of a universal architectural
specication is independent of the system components. In general, any interaction
specication K can be described as universal with respect to its domain, P
(K), in
the sense that, the interaction specication K does not impose internal restriction
on the components of any language vector L within its domain (i.e. satisfying L _
P
(K)).
The following convention will be used for graphical representation of IDES. Sys-
tem components will be drawn inside a rounded box while the interaction language
(automaton) will be drawn inside a double box. Labels for components and inter-
50
action languages may be added above the boxes. The interaction language will be
shown connected to each component. In the case when the interaction language is a
layout, abstract events can be used. Their legends will be shown as follows
Events that are exclusive to a certain component (not shared with any other
components) will be represented by an abstract event shown in a small box at
the left end corner of the component box.
Shared events will be represented by abstract events shown inside a box in the
hyper edge joining the corresponding components.
The following example illustrates the use of layouts to express architectural speci-
cations, and demonstrates the above graphical conventions for representing IDES.
Example 3.2. Let = a
i
, b
i
, c
i
, d
i
, x [ i [1, 2, 3] be a process space consisting
of three components. The index equivalence relation generated by this process space is
c
= a
1
, b
1
, c
1
, d
1
, a
2
, b
2
, c
2
, d
2
, a
3
, b
3
, c
3
, d
3
, x. The corresponding abstract
events will be denoted U, V , W and X respectively. The natural abstraction map for
this process space is dened as follows
F
(a
i
) = F
(b
i
) = F
(c
i
) = F
(d
i
) = a
i
, b
i
, c
i
, d
i
(i [1, 2, 3]),
F
(x) = x
Now, consider a system consisting of three machines in this process space. A synchro-
nization mechanism is implemented to allow exible arrangements of the machines.
Each arrangement can be expressed as a layout K representing the interaction spec-
ication of the system. The overall system is shown in Figure 3.4 for the layout
K = U, V, W, X
(L, K)
L
1
|L
2
L
3
x
x x
Figure 3.5: The three machines in another conguration
53
The overall system behaviour is outlined in the above gure. The detailed state
machines for L
1
|L
2
and L
3
are omitted for simplication.
As seen in the previous example, architectural specication can be expressed using
abstract events, as dened by the natural abstraction map. Recall that an abstract
event corresponds to a transition made collectively by a specic set of components.
Therefore, specications built over the set of abstract events can dene the way the
components are arranged irrespective of their internal details. Such specications
can be used to dene the same arrangement for any set of components in the process
space.
Consider the process space =
1
,
2
with the corresponding abstract events
U =
1
2
, V =
2
1
and X =
1
2
. In this process space, the language
U
simply means that the rst component can operate in this context. Similarly, the
language V
+
can be interpreted as the second component must operate in the given
context. Also, shared events can be used to dene the context of operation for the
components. This can be done by controlling the initiation and termination of the
components using shared events as shown in the previous example.
Many standard language operations can be simulated using layouts as the corre-
sponding interaction specications. In the following, some standard binary operations
and their corresponding interaction specications are presented. These binary oper-
ations are dened over the process space =
1
,
2
consisting of two components
where the corresponding abstract events are denoted U, X, V as given above.
Serial composition
Serial composition can take dierent forms depending on the system and its environ-
ment. In general, in this form of interaction, components run sequentially one after
the other. In asynchronous environments for instance, serial composition is repre-
sented by the catenation operation which can be simulated by the layout K = U
.
Note that this layout is a universal architectural specications. Other forms of serial
54
composition can be dened for synchronous environments. For example, the layout
K = U
,
where . In this case corresponds to the alphabet of the abstract (high level)
model and is the alphabet of the more detailed (low level) system representation
which extends the high level model.
Language renements can be expressed using the generalized language composi-
tion under certain assumptions. For instance, when shared events are used to initialize
the extension (substitution) procedure while all other events are considered internal
(not shared). This means that each event in is mapped to a language in
in
the form H, where H ( )
.
Handshaking is another example of renement that can be expressed by the gener-
alized languages composition. This form of renement is common in communication
protocols and hardware systems. In this interaction scheme, shared events are used
to initiate the extension (renement) and they are also required to signal its termi-
nation. Generally, there are four disjoint sets of events; initiating events, terminating
events, internal events of the calling subsystem and internal events of the called sub-
system. Considering the same set of initiating and terminating events, handshaking
renements can be simulated by the layout K = U, XV
.
Interleaving
Interleaving is also a common interaction scheme in hardware and software systems. It
corresponds to situations where the system components perform a task in an alternat-
ing way, or when a multiprocess system is simulated in a single-process environment.
In interleaving interaction two or more systems are executed interchangeably based
on certain time limits and priority schemes. In the simple setting of two systems
with equal priorities, no timing constraints, and no shared events, interleaving can
be represented by the (universal) layout K = (UV )
= I
n
c
I
[ n [1 . . . N], and (n [1 . . . N 1]) I
n
< I
n+1
where c
I
is the set of all partitions of the set I. Each element I
n
I
serves as an
index for the alphabet vector
n
. Recall that each element in I
n
is a subset of
I and the set I
n
is a partition of I. Also, the partition I
n
is ner than the partition
I
n+1
for all n [1 . . . N], and at the top level I
N
= I.
The following convention will be used to identify the components in the set of alphabet
vectors . Each component will have two subscripts. The rst subscript indicates
the abstraction level and the second one indicates the index of the component. For
example,
n,j
denotes the component j of the alphabet vector
n
at the nth level.
Note that in this hierarchy, each alphabet component in a given level covers (that
is, contains the alphabet of) a unique set of components at the lower level. The
subvector of
n1
that is covered by the component
n,j
at the upper level will be
denoted
n,j
.
- The second element K is a set of interaction language vectors K
n
[n [1 . . . N]
satisfying
(n [1 . . . N]) K
n
= K
n,j
n,j
[ j I
n
60
Here also two subscripts will be used to identify each interaction language in the set
K similar to the convention used above. So, K
n,j
is the component j of the language
vector K
n
at the nth level.
Example 3.3. Let = (a, x), (b, x, y), (c, y), (d, y) be a process space over the
index set I = 1, 2, 3, 4. Let = (, K) be a 2-level interaction structure over
dened as follows
1. =
1
,
2
, with
1
= a, b, x, y, c, d, y =
1,A
,
1,B
,
2
= a, b, c, d, x, y =
2,I
2. K = K
1
, K
2
, with K
1
= K
1,A
, K
1,B
, and K
2
= K
2,I
, where
K
1,A
1,A
, K
1,B
1,B
, and K
2,I
2,I
The interaction structure applied to a language vector L is shown in the following
gure.
K
1,A
K
1,B
L
1
L
2
L
3
L
4
K
2,I
Here we have I
= I
1
, I
2
where, I
1
= 1, 2, 3, 4 and I
2
= 1, 2, 3, 4. In the
above we write A for 1, 2 and B for 2, 3.
61
The composition operation B
where L
i1,j
is the component j of the language vector L
i1
. This iteration will end
up with the language vector L
N
which contains a single element, L
N,I
, which is the
result of the compound composition B
(L, ) = L
N,I
Clearly, B
(L, ) = L
2,I
It is worthwhile to see if the eect of the interaction structure on a given al-
phabet vector can be simulated by an interaction language. Dene the language
B
(P
= ( K
1,A
| K
1,B
) K
2,I
62
We claim that the language K
i
for the
natural projection from
j
to
i
. The inverse of this projection is denoted P
1
j/i
.
Lemma 3.2. Let
i
j
k
be alphabet sets. Then,
P
1
k/j
P
1
j/i
= P
1
k/i
Proof. Let
i
be an event, and let
ji
=
j
i
and
kj
=
k
j
. Then
P
1
k/j
(P
1
j/i
()) = P
1
k/j
(
ji
ji
)
=
kj
(
kj
ji
kj
)
kj
kj
(
kj
ji
kj
)
kj
= (
kj
ji
)
kj
(
kj
ji
)
kj
= (
kj
ji
)
(
kj
ji
)
ki
ki
= P
1
k/i
()
The extension to strings and languages follows directly from the fact that the inverse
projection operation distributes over catenation and union.
The following result conrms the claim above and shows that the restriction eect
of any interaction structure on a given language can be simulated by an interaction
language that depends only on the interaction structure.
Theorem 3.1. Let be an interaction structure in the process space . Then
(L L()) B
(L, ) = B
(L, K
)
Proof. We will proceed by induction on the number of the levels in the interaction
structure. Clearly, the above equation holds for a one level system. Assume now it
63
holds also for N level systems. Let be an N + 1 interaction structure. For J I,
we will write
N,J
for the restriction of to N levels (starting from level 0) and
J components in I. We also write L
J
for the language vector containing only the
set of J components in L. Now, assume that the recursive procedure for computing
B
(L, ) has been carried through the N level at which we have obtained a language
vector L
N
.
B
(L, ) = | L
N
K
N+1,I
=
JI
N
P
1
I
N
/J
L
N,J
K
N+1,I
=
JI
N
P
1
I
N
/J
(B
(L
J
,
N,J
)) K
N+1,I
=
JI
N
P
1
I
N
/J
(B
(L
J
, K
N,J
)) K
N+1,I
=
JI
N
P
1
I
N
/J
(
jJ
P
1
J/j
L
j
K
N,J
) K
N+1,I
=
JI
N
(
jJ
P
1
I
N
/J
P
1
J/j
L
j
P
1
I
N
/J
K
N,J
) K
N+1,I
=
jI
N
P
1
I
N
/j
L
j
JI
N
P
1
I
N
/J
K
N,J
K
N+1,I
=
jI
P
1
I/j
L
j
(
JI
N
P
1
I
N
/J
K
N,J
K
N+1,I
)
=
jI
P
1
I/j
L
j
K
= B
(L, K
)
This shows that the given equality holds for N + 1 level.
Based on the above result, an IDES model can be represented as a tuple L =
(L, ) where is an interaction structure. The same system can be described by the
multilevel IDES L = (L, K
), where K
)(j I
n
) K
n,j
Y(
n,j
)
That is, every interaction language in the set K is a layout with respect to the
corresponding process space. The following result shows that the interaction language
64
generated by a layout structure is a layout.
Proposition 3.10.
is a layout structure = K
is a layout
Proof. We will proceed by induction on the number of levels in the interaction struc-
ture . First we need to introduce the following lemma.
Lemma 3.3.
= Y() Y()
Proof. Let K Y(). We need to prove that K Y(). Let and
be two
symbols from such that (,
) ker f
, and
are
triggered by the same components in . This implies also that and
are triggered
by the same components in any subset of . Given that , then this implies
that (,
) ker f
N,J
,
and this interaction language is a layout over the process space
N,J
. Therefore
K
N,J
= F
N,J
(K
N,J
). Then we can write
K
JI
N
P
1
I
N
/J
K
N,J
K
N+1,I
=
JI
N
P
1
I
N
/J
F
N,J
(K
N,J
) F
(K
N+1,I
)
=
JI
N
P
1
I
N
/J
F
(K
N,J
) F
(K
N+1,I
)
=
JI
N
F
(P
1
I
N
/J
K
N,J
) F
(K
N+1,I
)
Then K
is a layout.
65
3.8.1 System Tree Diagram
The graphical representation for interacting discrete event systems can be extended
to show hierarchical interaction specications. In this regard, a tree-like diagram,
referred to as the System Tree Diagram (STD), is proposed here. In this diagram the
system components and their hierarchical interaction structure are revealed in a way
that matches the organization of the system.
The convention used for the System Tree Diagram is similar to that used earlier
to draw IDES. In the STD, systems are represented by a tree graph in which the com-
ponents appear at the end leaves inside rounded boxes while interaction languages
are shown at all other nodes inside double boxes. In this diagram each interaction
language shows the interaction between the components that directly descend from
its node. The STD can be used to visualize any hierarchical multiprocess DES. How-
ever, it is more visually eective for loosely coupled systems with layout interaction
specications.
Example 3.4. This example is a slightly modied version of the three machines
system of example 3.2. In this example an extra shared event, y, is used to allow
more exible arrangements of the system. The system is arranged in order to satisfy
the following specications
The second machine can be initiated after event c
1
and must terminate before
the event d
1
(event x is used to initiate and terminate the second machine).
The third machine works only after the rst machine and must terminate before
any of the two machines can start again.
This arrangement can be represented as a hierarchical layout structure as shown in the
Figure 3.8. In this gure, the layout K
1
restrict the rst two machines in accordance
with the rst specication. The second specication is handled at the second level
using the upper level layout. Note that in the rst level the abstract event Z refers to
the event shared between the composition of the rst two machines (under K
1
) and
the third machine, namely the event y.
66
L1
a1
b1
c1
d1
X
U
a2
c2
b2
L2
b3
c3
d3
L3
a3
V W
Y
X
V
X
x
y y
x
U, Y
W, Y
Z
Z Z
U1
U1
V1
V1
K1 K2
U1 V1
Figure 3.8: Three machines in a hierarchical interaction structure
67
Note that each node in this diagram together with all its descendants denes
an integral part of the system and therefore can form their own independent STD
which can be represented by a node in the systems STD. The following gure shows
the above system under the interaction language generated by the above interaction
structure.
L1
y
a1
b1
c1
d1
x
X
U
a2
c2
b2
L2
x
y
b3
c3
d3
L3
a3
V W
Y
W
W
Y
U
U
Y
V
X
V
Figure 3.9: The IDES of the three machines system
68
The above example shows the exibility of the System Tree Diagram in particular
and the settings of the IDES model for multiprocess systems in general. The STD
provides easy access to the system components and their interaction (architectural)
specication. Modications and expansions can be carried out eciently to any part
of the system. In the last example, for instance, any of the given machines can be
expanded into a set of machines having their own interaction. Also, the interaction
between the rst two machines can be modied. These changes can be done locally
without the need to change other parts of the system.
3.8.2 Multilevel Decomposition
It is shown earlier that any language can be decomposed into a IDES structure. In
this section, we extend the decomposition procedure for process space structures.
Under this extension, a given specication for a hierarchical system can be converted
to an IDES with an interaction structure that matches that of the system.
Let =
n
[ n [1 . . . N] be a an N-level process space structure over
the process space and let S be a language in L(). An interaction structure
= (, K) is said to be a compensation structure for S if the composition of P
(S)
under the interaction structure is equal to S, namely
S = B
(P
(S), )
Based on Theorem 3.1, is a compensation structure for S if and only if K
(S). Let
1
= (, K
1
) and
2
= (, K
2
) be two interaction structures. The
componentwise union of
1
and
2
is denoted
1
.
2
and is given as a structure
1
= (, K) where
K = K
n1
. K
n2
[ n [1 . . . N]
That is, the interaction vectors of K are the componentwise union of the correspond-
ing interaction vectors in K
1
and K
2
. Componentwise intersection of interaction
structures is dened similarly. Note that in both operations the arguments and the
69
output are structurally matched, namely, dened over the same process space struc-
ture . It can be shown easily that the set of compensation structures for a given
language S is closed under componentwise union and therefore has a supremal ele-
ment. Clearly, if is the supremal compensation structure for S then K
=
C
(S).
However, the other direction does not generally hold.
For a process space and N-level process space structure over with N > 1,
it is easy to see that the supremal compensation structure for a language S
is
given by (, K) where,
K
i
= P
i
(
) i [1 . . . N 1]
and K
N
=
r,j
. For example, with respect to the process space structure of
Example 3.3, a language S
1,A
1,B
P
1
(S) P
2
(S) P
3
(S) P
4
(S)
(S)
The supremality of this compensation structure is direct based on the associativity
of the synchronous product operation.
70
Chapter 4
Behavioural Aspects of Interacting
Discrete Event Systems
The IDES model contains two basic elements dening the overall behaviour of the
system, namely a language vector that represents the system components, and an
interaction specication that restricts the composite behaviour of these components.
Considering only compact language vectors, a unique language vector is associated
with any given composite behaviour (decomposable language). However, in general,
a set of interaction specications - rather than a unique one - can be associated with
the behaviour of an interacting discrete event system. This exibility in the model
can be utilized to develop ecient behavioural analysis procedures for this class of
systems.
Abstraction can be used to rene the interaction specications of interacting dis-
crete event systems. Clearly, the abstraction procedure has to be ecient itself
before the eciency of the underlying analysis procedure can be claimed. In this
chapter we investigate a class of abstractions that can be computed while avoiding
the direct computation of the synchronous product of the system components. In
addition, we will focus on the case where a well-dened correspondence can be estab-
lished between the system and its abstraction. Such correspondence is essential to
adjust the abstraction procedure such that the required information can be obtained
71
from the abstract representation without revealing unnecessary details about the sys-
tem behaviour. This correspondence also provides important behavioural information
that can be utilized in the analysis process.
Two forms of multiprocess system abstractions are discussed in this chapter,
namely automaton-based and language-based abstractions. Each form ad-
dresses a dierent representation of the underlying system. The objective is to
characterize a class of abstractions that is invariant with respect to the composi-
tion operation. Such invariance can be used to compute the abstraction indirectly
by abstracting the components rst and then computing the synchronous product of
the result. This indirect computation is usually more ecient than the direct one.
Also this procedure preserves the original correspondence between the system and
its abstraction. In IDES the interaction specication is by denition an abstraction
of the system behaviour. Certain behaviour patterns in the interaction specication
can be used to identify an abstraction map that links the system behaviour with the
given interaction specication. An IDES with such map dened is referred to as a
structured IDES.
Finally, in this chapter, the compactness property is extended to interacting
discrete event systems. This property ensures that the vector language component
of a given IDES can be retrieved from its composite behaviour via the decomposi-
tion operation. This resolves one issue for the order preserving requirements of the
composition operation. This property is a necessary condition for some behavioural
analysis results in this thesis. It is shown that the compactness of an IDES requires
the compactness of its language vector. In addition, compactness depends on the
interaction language of the system. Based on this dependence we introduce the no-
tion of complete languages. A combination of a complete interaction language and
compact language vector is a compact IDES. Although, there is no known way to test
the completeness of a given language, a set of results is presented to help in testing
this property for certain classes of interaction languages.
72
4.1 Abstraction in process spaces
Abstraction is a common strategy for containing the complexity of multiprocess sys-
tems. In the abstraction process, the system dynamics is encapsulated into a simpler
model. This simpler representation is usually established so that it contains enough
information about the system behaviour to carry out the required analysis.
It is important to draw a distinction between the notions of abstraction and re-
duction as generally adopted in literature. Given a property P and a system L, a
reduction for L with respect to P will result in another simplied representation of
L, namely L
, q
o
, Q
m
) be two automata. An automaton homomorphism from A
to B is a map H : Q Q
that satises,
1. (q Q)( ) H((q, )) =
(H(q), )
2. H(q
o
) = q
o
3. H(Q
m
) Q
m
It is straightforward to see that based on the denition of H it is always the case
that L(A) L(B). An automaton epimorphism from A onto B is a homomorphism
where H is surjective and, in addition, the inclusion in the third condition above is
replaced by equality. In this case we say that B is a homomorphic image of A.
Consider the automaton A = (Q, , , q
o
, Q
m
). Let be an equivalence relation
on Q. The quotient automaton of A with respect to is denoted A/ and is equal to
(Q/, ,
, q
o
/, Q
m
/) where
is dened as follows
(X, ) = Y = (q X)(q
Y ) (q, ) = q
) )( ) (q, )! (q
, )! = ((q, ), (q
, ))
Clearly, A/ is deterministic if and only if is admissible. It is easy to prove that for
a given partition , the coarsest admissible partition that is ner than always exists.
In the implementation of automaton-based abstractions, we will only consider admis-
sible partitions to avoid unnecessary complications resulting from non-determinism.
Let be a partition on the automaton A and let F
: Q Q/ be the corre-
sponding map. It is easy to see that F
1,2
(q
1
, q
2
) q
1
1
q
1
q
2
2
q
2
That is, two compound states are equivalent with respect to
1
2
i their compo-
nents states in the same automaton are equivalent with respect to the corresponding
partition.
75
Proposition 4.1.
(A
1
|A
2
)/
1,2
= (A
1
/
1
)|(A
2
/
2
)
Proof. Clearly, the set (Q
1
Q
2
)/
1,2
is isomorphic to the set Q
1
/
1
Q
2
/
2
. This
isomorphism is established by the equality
(q
1
Q
1
)(q
2
Q
2
) [(q
1
, q
2
)]
1,2
= [q
1
]
1
[q
2
]
2
Therefore, we have [(q
1o
, q
2o
)]
1,2
= ([q
1o
]
1
, [q
2o
]
2
), and similar equality holds for
each combination of marker states. Next we show that this isomorphism is preserved
under the transition mappings in both structures. Let be the transition map in
(A
1
|A
2
)/
1,2
, be the transition map in (A
1
/
1
)|(A
2
/
2
),
1,2
be the transition map
in A
1
|A
2
, and
i
be the transition map in A
i
/
i
. Assume that, (x, ) = x
for
some
1
2
. Then there must exist (q
1
, q
2
) x and (q
1
, q
2
) x
such that
1,2
((q
1
, q
2
), ) = (q
1
, q
2
). Therefore, we have
1
(q
1
, ) = q
1
and q
2
= q
2
. Then
1
([q
1
]
1
, ) = [q
1
]
2
and therefore (([q
1
]
1
, [q
2
]
2
), ) = ([q
1
]
1
, [q
2
]
2
). However,
[q
1
, q
2
]
1,2
corresponds to ([q
1
]
1
, [q
2
]
2
) under the isomorphism and so does [q
1
, q
2
]
1,2
with ([q
1
]
1
, [q
2
]
2
). Therefore, the isomorphism is preserved under any transition
with event from
1
2
. Similarly, this can proved for events from
2
1
and from
1
2
.
Based on the above result, any partition of the local components of a given system
directly corresponds to a partition of the composite structure. Moreover, the corre-
sponding partition of the composite structure is totally specied by the partitions of
the system components. A result similar to that of Theorem 4.1 can be obtained for
epimorphism mapping. Let h
i
: A
i
B
i
with i [1, 2] be two epimorphism maps.
Dene the map h
1,2
: Q
1
Q
2
Q
1
Q
2
as follows
(q
1
Q
1
)(q
2
Q
2
) h
1,2
(q
1
, q
2
) = (h
1
(q
1
), h
2
(q
2
))
It is easy to see that this map is well-dened. Moreover, this map denes an epi-
76
morphism on the automaton A
1
|A
2
to the automaton h
1
(A
1
)|h
2
(A
2
) namely the
composition B
1
|B
2
. The following result is a direct consequence of the previous
proposition together with Theorem 4.1.
Corollary 4.1.
h
1,2
(A
1
[[A
2
)
= h
1
(A
1
)|h
2
(A
2
)
h
1
h
2
h
2
h
1
A
2
y
x b
2
z
a
2
2
1
0
a
1
b
1
y
x
z
0
1
2
A
1
0 1,2
a
1
x
y
b
1
, z
B
1
x
y
z
a
2
b
2
0,1 2
B
2
B
1
B
2
a
1
b
2
a
1
b
2
x
y
z
A
1
A
2
a
2
b
2
a
2
b
2
a
2
b
2
a
1
b
1
a
1
b
1
a
1
b
1
z
y
x
Figure 4.1: Two way abstraction of a multiprocess DES
78
rect one. In the general case of a system with index set I where the state size of each
component is equal to n
i
for i I, it is easy to verify that the maximum number of
renement steps is equal to
iI
n
i
while direct abstraction has up to
iI
n
i
steps.
4.1.2 Language-based abstraction
Language-based abstractions target the behaviour (language) of the system rather
than its nite state model. In general, abstractions are required to preserve the
original behaviour of the system. Starting from this condition, language-based ab-
stractions can take dierent forms depending on the scope of analysis. The class of
monotonic maps and its catenative subclass are examples of language-based abstrac-
tion maps. Monotonicity is needed to preserve the containment order on the set of
languages, which is required in behavioural comparison of DES. Similar to the case
with automaton-based abstraction, the aim here is to dene a class of language-based
abstractions that can be computed eciently without losing the correspondence with
the original system.
A general class of language-based abstraction maps can be dened based on the
above two features, namely, a monotonic map that preserves the original behaviour of
the system. For the alphabet set a map G :
) s G(s)
Therefore, an extension map extends and preserves the behaviour of its arguments.
It is easy to see that extension maps are monotonic. A catenative map is a map that
is invariant with respect to the catenation operation, namely, a catenative abstraction
map G :
L() satises
(s
1
, s
2
) G(s
1
s
2
) = G(s
1
)G(s
2
)
Therefore, catenative maps are semigroup substitutions and hence completely dened
by specifying only the image of each element in under the mapping. A
79
catenative extension map from
The following proposition establishes the condition for a given abstraction map to
be prex preserving.
Proposition 4.2. Let G be a -abstraction map. Then
pre G = G pre ( ) G() = G()
Proof. () This follows directly from the condition.
() We will proceed with induction on string length. The case when the length is
0 holds as we have G() = G() and G() by denition. Also the case when the
length is 1 holds by the given assumption on G. Next assume G(s) = G(s). We want
2
Transducers are extensions of Mealy machines where transition outputs can be any regular
language [Ber79].
80
to show that for all , G(s) = G(s).
G(s) = G(s s) = G(s) G(s)
= G(s) G(s)G()
= G(s) G(s) G(s)G() (G(s) G(s))
= G(s) G(s)(G() G())
= G(s) G(s)G()
= G(s)G() = G(s)
The extension to languages is straightforward given that the prex closure operation
distributes over union.
Therefore, an abstraction map is prex preserving if the image of each event is
either prex closed or only missing the empty string, , from its prex closure. For
example, based on this result, the abstraction map G :
Recall that []
, that contains
the event . We will refer to -compatible abstraction maps as -abstraction maps.
Hence, -abstraction maps are (monoid) substitutions that extend each event
within the intersection of those components containing .
A -abstraction map that satises the above condition (-compatible) will be sim-
ply referred to as -abstraction map. It is important to note that in a -abstraction
map shared events are mapped to languages over events shared by exactly the same
set of components. The following proposition provides another characterization of
81
the class of -abstraction maps. This characterization is based on the set of natural
projection operations over the process space components.
Proposition 4.3. Let be an alphabet vector with index set I and let G :
L() be a -abstraction map such that = (). Then G is -compatible if and
only if
(i I) P
i
G = G P
i
Proof. () Assume that G satises G() = and for all we have G() []
.
Let be an event in . If
i
then P
i
(G()) = G() = G(P
i
()). Otherwise,
if ,
i
then P
i
(G()) = = G() = G(P
i
()). Therefore for all we have
P
i
G = G P
i
for all i I.
() Assume P
i
G = G P
i
. Let
i
then G(P
i
()) = G() = P
i
(G()).
This implies that G()
i
. For ,
i
then G(P
i
()) = G() = = P
i
(G()).
Therefore we have (G())
i
= for any ,
i
. This conrms that the map G
is -compatible
It is straightforward to verify that the condition for any -abstraction map, G,
to be prex preserving as given in Proposition 4.2 is equivalent to stating that
( )(H []
)( []
) G() = H
That is, a -abstraction map is prex preserving if each event is mapped to a prex
closed language possibly combined with a set of events within its coset []
in the
alphabet set .
Next the relation of -compatible abstraction maps with the inverse projections
maps will be investigated. Write G
i
for the restriction of G to the domain L(
i
).
Proposition 4.4. Let G be a -abstraction map. Then
(i I) G P
1
i
P
1
i
G
i
82
Proof. Let G be a -abstraction map. Then for i I and a language L
i
i
we
have
s G(P
1
i
L
i
) = P
i
s P
i
G(P
1
i
L
i
)
= P
i
s G(P
i
P
1
i
L
i
)
= P
1
i
P
i
s P
1
i
G(L
i
)
= s P
1
i
G(L
i
) (s P
1
i
P
i
s)
Then G(P
1
i
L
i
) P
1
i
G(L
i
).
It is easy to see that the above result does not depend on whether G is catenative
or not. It is only required to satisfy P
i
G = G P
i
for all i I. Therefore,
this result can be used for a more general class of -abstraction maps that are not
necessarily catenative. Note also that the other direction in the above proposition
does not hold in general. The following proposition shows that an extra condition is
required for the other direction to hold.
Proposition 4.5. Let G be a -abstraction map. Then
(i I) P
1
i
G
i
= G P
1
i
( ) G() []
H(
i
)
.
We claim that for every s H it must be that [s[ 1. To show this, assume
there exists a string s H with s =
1
2
. . .
n
where n 2. Then we will have
1
(
i
)
2
. . .
n
P
1
i
(H). However,
1
(
i
)
2
. . .
n
, (
i
)
H(
i
)
as s H and H
i
contradicting the above assumption. Then it must be that
every s H is such that [s[ 1. This implies that G() []
for all .
83
() Assume that ( ) G() []
. Then
G
i
(P
1
i
()) = G
i
((
i
)
(
i
)
)
= G
i
((
i
)
)G
i
()G
i
((
i
)
)
= (
i
)
G
i
()(
i
)
= (
i
)
G
i
()
(
i
)
G
i
()
(
i
)
(
i
)
G
i
()
P
1
i
= P
1
i
G
i
()
= P
1
i
G
i
()
Note that above can be the empty string, . The extension to strings and languages
is straightforward based on the assumption that G
i
and P
1
i
are both catenative and
distribute over union.
To simplify notation, the composition P
1
i
P
i
: L() L() may be denoted P
i
.
The map P
i
associates every language in
(G(L)) = G(B
(L))
Recall that G(L) denotes the language vector G(L
i
) [ i I, and L
c
() is the
set of compact language vectors. The set of -abstraction maps is not in general
composition invariant even if it is invariant with respect to inverse projections as
shown in the following example.
Example 4.1. Consider the process space = a, x, y, b, x, y and let L
1
=
(aax, ay) and L
2
= (xbb, yb). Now, consider the language vector L = L
1
, L
2
and
the natural abstraction map F
(L
1
) | F
(L
2
) while axbb , F
(L
1
| L
2
).
The following proposition explores the relation between the synchronous product
operation and the set of -abstraction maps. Note the necessity of the compactness
property to this result.
Proposition 4.6. Let L be a compact language vector and let G be a -abstraction
map. Then
G(B
(L)) B
(G(L))
Proof. Let s
(L)) = s
iI
P
1
i
P
i
G(B
(L))
= s
iI
P
1
i
G(P
i
(B
(L)))
= s
iI
P
1
i
G(L
i
)
= s B
(G(L))
Therefore, G(B
(L)) B
(G(L))
Note also here that the above result does not depend on whether G is catenative or
not. The other direction of the inclusion in the above proposition does not generally
hold even when L is compact as shown in the last example.
The main problem regarding the invariance of the abstraction with respect to the
synchronous composition operation is in the synchronization mechanism. In general,
under a -abstraction map, it is possible that incomposable string vectors in the
system components map to composable string vectors. For example, consider the
process space = (a, x, y), (b, x, y), and the map G dened as follows
G(a) = a, G(b) = b, G(x) = G(y) = x, y
The string vector s = ax, yb is incomposable (x,y are shared events). Therefore,
G(B
(s)) = G() = . However, the language G(s) = (ax, ay), (xb, yb) is compos-
85
able and therefore B
if
a
= if
s
Proof. The proof here is for the case when the process space contains two compo-
nents. The general case can be proved similarly.
() Assume that G is composition invariant. Then based on the last propositions it
must be that for all we have G() []
1
X
2
. . . X
n
n
X
n+1
where
r
and
r
G(
r
) for all
r [1 . . . n], and X
r
a
with G(X
r
) for all r [1 . . . (n + 1)]. We can
also write u
2
= Y
1
1
Y
2
. . . Y
n
n
Y
n+1
with Y
r
and
r
dened similar to X
r
and
r
re-
spectively. Dene
r
= (
r
1
) (
r
2
). Based on the initial assumption
that G() = for all
s
, it is easy to see that [
r
[ = 1 for all r [1 . . . n].
Let u = (P
1
X
1
)(P
2
Y
1
)
1
(P
1
X
2
)(P
2
Y
2
) . . . (P
1
X
n
)(P
2
Y
n
)
n
(P
1
X
n+1
)(P
2
Y
n+1
). Clearly
s G(u). Moreover, P
1
u = P
1
u
1
and P
2
u = P
2
u
2
. This implies that u P
1
1
P
1
u
1
P
1
2
P
2
u
2
and hence u L
1
|L
2
. Therefore s G(L
1
|L
2
).
86
The composition invariance property for abstraction maps has two important con-
sequences. First, it ensures that the abstracted behaviour preserves the decompos-
ability of the original system. Consequently, the abstracted behaviour is decompos-
able. Moreover, the components of the abstracted system are given directly as the
abstraction of the system components.
The other benet of this property is computational, namely, it allows the com-
putation of the abstraction indirectly by computing the synchronous product of the
abstracted system components rather than computing the abstraction of the syn-
chronous product of these components (the composite system). It is easy to see that,
the complexity of the indirect abstraction is of the order of the size of the abstract
system which is typically less than the original system.
It should be noted however that composition invariant abstraction is a limited form
of abstraction that may not produce a signicant complexity reduction. In general,
the eciency of the computation of composition invariant abstractions depends on the
system. In certain situations, a signicant reduction can be obtained. For instance,
for asynchronous systems (no shared events) or when the system components contain
repeated patterns and such patterns are the target of the abstraction; for instance, the
repeated pattern in the language L
1
= (a
1
b
1
, a
2
b
2
, a
3
b
3
) can be abstracted to ab where
a = a
1
, a
2
, a
3
and b = b
1
, b
2
, b
3
(assuming all a
i
and b
i
are asynchronous events).
On the other hand if all events are shared no composition invariant abstraction can
be achieved.
The following proposition presents a more relaxed condition where a given -
abstraction function can be computed without computing the synchronous product
of the system.
Proposition 4.8. Let G be a -abstraction map such that G() = for all
s
.
Let L be a language vector in . Then,
G(B
(L)) =
iI
G(P
1
i
L
i
)
87
Proof. We will prove the proposition for two components process space. The general
case can be proved directly by induction on the number of components in the process
space. In general, G(P
1
1
L
1
P
1
2
L
2
) G(P
1
1
L
1
) G(P
1
2
L
2
) so we only need
to show the other direction of the inclusion. Assume s G(P
1
1
L
1
) G(P
1
2
L
2
).
Then there must exist u
i
P
1
i
L
i
for i 1, 2 such that s G(u
1
) G(u
2
).
We can write s = S
1
. . . S
n
where for all r [1 . . . n], the nonempty string S
r
is
either in (
1
2
)
+
or in (
2
1
)
+
, or is equal to some
s
. Then we can
write u
1
= X
1
X
2
. . . X
n
where X
r
(
s
)
+
if S
r
(
s
)
+
, and X
r
=
if X
r
=
s
. The sequence X
1
, X
2
, . . . , X
n
as dened above is not unique
but at least one such sequence must exist in order for s to be in G(u
1
). Similarly
we can write u
2
= Y
1
Y
2
. . . Y
n
with Y
r
dened exactly as X
r
. Let Z
r
=
r
if S
r
=
s
, otherwise Z
r
= (P
1
X
r
)(P
2
Y
r
). Clearly this ensures that S
r
G(Z
r
) for all
r [1 . . . n]. Let z = Z
1
Z
2
. . . Z
n
. Hence s G(z). Moreover, P
1
z = P
1
u
1
and
P
2
z = P
2
u
2
. Therefore z P
1
1
P
1
u
1
P
1
2
P
2
u
2
and hence z P
1
1
L
1
P
1
2
L
2
. This
implies that s G(P
1
1
L
1
P
1
2
L
2
) G(P
1
1
L
1
).
The condition in the above proposition restricts only the map of shared events.
It requires that every shared event in the system to be mapped to itself. Clearly,
the above result can be applied directly to any asynchronous systems under any -
abstraction map with no restriction. Similar to the previous result, the eciency of
computing G(B
r
appear equivalent, and so separating these events would not add any information
to solve the given problem
3
. In such cases, depending on the amount of information
we need about this set of events with respect to a given analytical situation, we can
further map this set of events to anywhere from
r
to
r
. The former mapping
corresponds to the minimum amount of information, namely, the possible occurrence
of this set of events within certain contexts in the system dynamics
4
. Another level
of abstraction corresponds to the mapping to
+
r
. The information in this map is
also contextual. However, in this case, more information about the context of this set
of events in the system dynamics is provided. The nest level of abstraction maps
every event in
r
to the set
r
. Under this abstraction, events in
r
have exactly the
same contexts in the abstracted system dynamics. Although, there are many other
possibilities for abstraction mappings, the above three cases are usually sucient for
typical (catenative) abstraction situations.
4.1.3 Abstraction of interacting discrete event systems
In interacting discrete event systems the interaction specication is in itself an ab-
straction of the system behaviour. Therefore, it is only required here to identify a
suitable mapping between the system and its interaction specication. Similar to the
case of language-based abstractions, we will only consider the case when such map-
ping is monotonic. The following result shows that such mapping can be established
3
For instance, the distinction between the events a
1
and a
2
in the language L = (a
1
b
1
, a
2
b
2
) is
irrelevant with respect to the specication S = (a
1
, a
2
b
1
, b
2
).
4
Note that this mapping is dierent from the map P
1
r
P
r
where P
r
:
r
is a natural
projection map, which does not provide any information about the set
r
.
89
under certain conditions.
Proposition 4.9. Let (L, K) be an IDES in the process space , where L _ P
(K)
and let F be a -abstraction satisfying K = F(K), and K F(B
(L)). Then
K = F(B
(L, K))
Proof. In general, as F is an extension map we get K F(K). The set of languages
satisfying F(L) = K is closed under union and therefore has a supremal element.
This element must be K, otherwise we will have K
K with K = F(K
) implying
that F(K
) K
(L))
implies that there exists X B
(K). Therefore X K.
Then X B
(L K)) F(B
(L, K)).
Therefore, in order to establish a mapping between the system and its interaction
specication, we need rst to nd a -abstraction map F such that K = F(K), and
then to test if this map satises K F(L).
In general, nding a suitable map for a given K is an exercise in creativity. How-
ever, in certain situations the map F can be identied by examining each occurrence
of an event in the transition structure of K and identifying its invariance
domain. In another words, for the event we try to obtain a maximal language K
) uv K uK
v K
The language K
where U =
1
and V =
2
. It is easy to see that every event in
i
is invariant with
respect to the language
i
where i = [1, 2]. Therefore, the map F dened as follows
(i [1, 2])(
i
) F() =
i
satises K = F(K). Note that if F satises F(K) = K then so is any function G such
that id G F. Next we check to see if K F(B
(L)) can be computed eciently using Proposition 4.8 then so is any G(B
(L))
where id G F. Therefore, once a -abstraction mapping between the system
and its interaction specication is dened, renements of this mapping become handy.
For instance, the above functional description of the serial composition layout can be
rened to G given as
G() =
_
_
_
1
1
+
2
2
Clearly, G is also an extension map. Here we get K = G(K) automatically. And for
any given L _ P
(L, K))
91
Calligraphic letters will also be used to denote SIDES structures. Similar to the case
with IDES, the ith component of the SIDES will be denoted L
i
, and the language
generated by an SIDES L is given by B
iI
P
1
i
P
i
(L) F(L)
This feature is of special importance in solving the verication and the supervisory
control problems as will be shown later in this thesis. Note that the supremal com-
pensation map,
C
, and F(X) = X
where U, V, W, X as given in the convention of the STD above. It is clear also that
F is an extension map. Using Proposition 4.8 to compute F(B
(L, K)).
Many standard interaction schemes can be formulated such that the underlying
system can be represented as a SIDES. As shown in the above example, simple non-
standard interactions can also be captured in this form. However, in general there
is no mechanical way to establish a monotonic correspondence between the system
behaviour and its interaction specication. Such correspondence has to be guessed
and then checked for correctness.
4.2 Compact interacting discrete event systems
In this section, the compactness property is investigated for the class of IDES struc-
tures and the associated composition operation. Similar to the case with language
vectors, the aim here is to characterize a subclass of interacting DES where the com-
position operation preserves the containment order.
Consider the process space . Let L = (L, K) and o = (S, R) be two IDES in
I(). In general we have,
L _ o = B
(L) B
(o)
This is valid for any two IDES. The problem with behaviour comparison in the IDES
setting is that the other direction cannot be conrmed in general, even when both L
and S are compact as shown in the following example.
93
Example 4.3. Let = a, x, b, x be the process space. Let L = (), (, a),
and S = (, b), (, a) be two language vectors. Let L = (L, K) and o = (S, R)
be two IDES where K =
and R = (
(L) = a and
B
(L) B
(o). However, L ,_ o.
The other direction would hold if the IDES L is associated with the language
B
(L) via a monotonic function, namely the projection operation. One approach
to establish this direction is to extend the compactness property to IDES class. An
IDES L = (L, K) in I() is said to compact if
P
(B
(L)) = L
That is, L is compact if its language vector can be retrieved from its composite
behaviour using the decomposition operation P
(B
(L))
Proof. () Assume that L = (L, K) is compact. Then L = P
(B
(B
(B
(B
(L, K)) = B
(L, K) (B
(P
(B
(L, K))))
c
= (B
(L) K) (B
(L))
c
= (B
(L) (B
(L))
c
) (K (B
(L))
c
)
= K (B
(L))
c
Therefore, we have K
C
(B
(B
(B
(L, K)).
() This is clear from the denition of the set T
(B
(L, K))
94
The above result is another characterization for the compactness property stating
that an IDES is compact if and only if it can be retrieved from its behaviour through
the generalized decomposition operation. Note the similarity between the denition
of compact language vectors and compact IDES as given in the last proposition. The
eect of the compactness property in the composition and decomposition process in
process space is demonstrated in the following diagram. In this diagram the map
id
1
: L() L() assigns each IDES (L, K) to its language vector L.
Lc() L() L()
Ic() Lc()
P P
id id1 B
B
Figure 4.2: The compactness property
It is important to note that, similar to the case with language vectors, the def-
inition of a compact IDES requires the system components to be associated with
its behaviour via monotonic maps, namely, the class of projection operations. This
requirement resolves part of the problem discussed earlier concerning the order pre-
serving property of the generalized composition operation.
Proposition 4.11.
(L, K) is compact = L is compact
Proof. In general we have P
(B
(L, K)) _ P
(B
(L,
(B
(B
(L)).
Therefore, L is compact.
95
Therefore, the compactness of the language vector is necessary for the compactness
of the underlying IDES. However, it is not sucient in general. This should be easy
to see as, in general, the interaction language can be chosen arbitrarily. For instance,
for any compact language vector L with B
(L) ,= , setting K = B
(L)
c
will result
in B
(L)) L is compact
Proof. Every IDES in T
(L), K) where K C
(L). There-
fore, by denition we have L = B
(P
(L) =
P
(B
(P
(L), K) is compact.
Again similar to the case with language vectors, the above result shows that an
IDES obtained from the generalized decomposition of a given language is always
compact. Based on this result, it is always possible to convert a given IDES L into a
compact one that generate the same behaviour. For instance, one such IDES would
be given by
T
(B
is said to be complete
if the restriction of the composition of any composable string vector in its domain,
96
P
(K)) B
(s, K) = = B
(s) =
That is, an interaction specication is complete if it contains at least one string in
the composition of any composable string vector in its domain.
Example 4.4. Let = a, x, b, x be a process space. In this process space,
the interaction language K = (xax, xbx) is not complete as the language vector
L = (xx), (xx) is within the domain of K and B
(L) = xx ,= but B
(L, K) = .
On the other hand, the layout K = axb, aaxb is complete. Also, in the asyn-
chronous process space,
(s, K) = .
In asynchronous process space (no shared events) every string vector is compos-
able. In this case, the condition for completeness reduces to,
(s E P
(K)) P
(B
(s, K)) = s
For a general process space, the decidability of verifying the completeness of a given
language is an open problem. However, simple interaction specications can usually
be checked for completeness by inspection with little eort. It is easy to see that the
languages
(K), however, B
, G(s) is complete. We
want to show that G(s) is complete. First we have G(s) = G(s)G() with G()
[]
. Let t E P
j
r
j
where t
j
P
j
G(s) and r
j
P
j
G() = G(), for all
j J. However, for the string vector t to be composable it must be that r
j
= r
k
for
all j, k J. Then, under the assumption that t is composable, we can write t
j
= t
j
r
where t
j
P
j
G(s) and r P
j
G(), for all j J. Then,
B
(t) =
i(IJ)
P
1
i
t
i
jJ
P
1
j
t
j
r
_
_
i(IJ)
P
1
i
t
i
jJ
P
1
j
t
j
_
_
r
Therefore, (B
(s))r B
j
for j J is in P
(s))r B
(t). Then
B
(t) G(s) ,= .
Based on the above result, it can be shown that all forms of serial composition are
complete. For instance the synchronized serial composition represented by the layout
K = U
(K) but B
(K), whereas B
(s, K) = .
98
Proposition 4.14. Let K
1
and K
2
be languages over . Then
1. If K
1
is complete and P
(K
1
) = P
(K
2
), then K
1
K
2
is complete
2. If K
1
and K
2
are complete, then
((i, j I) i ,= j P
i
K
1
P
j
K
2
= ) = K
1
K
2
is complete
Proof. 1. Assume the K
1
is complete. Let t be a string vector in P
(K
1
K
2
). Now
P
(K
1
) = P
(K
2
) implies P
(K
1
K
2
) = P
(K
1
) = P
(K
2
). Therefore, t is in
P
(K
1
). Hence, B
(t) K
1
,= . Therefore, B
(t) (K
1
K
2
) ,= , and hence
K
1
K
2
is complete.
2. Assume the K
1
and K
2
are complete. Let t be a string vector in P
(K
1
K
2
) which
is equal to P
(K
1
)P
(K
2
). Assuming that P
i
K
1
P
j
K
2
= for any i ,= j. Then any
string vector s with mixed components from P
(K
1
) and P
(K
2
) is incomposable.
Therefore, t is composable if and only if t is either in P
(K
1
) or P
(K
2
). Considering
the rst case then B
(t) K
1
,= . Therefore, B
(t) (K
1
K
2
) ,= , and hence
K
1
K
2
is complete.
The rst part of this proposition can be used to show that parallel compositions
are complete. The second part can be used to show that the interaction languages
for renements are complete. For instance, consider the handshaking renement
which can be represented by the layout (U, XV
X)
XV
XU
)
n
where n N, the set of all
natural numbers. Each one of these language is complete as it is the outcome of a
-abstraction map of the string (uxvxu)
n
where u U and v V . Also n ,= m
implies that P
s
(U
XV
XU
)
n
,= P
s
(U
XV
XU
)
m
for every n, m N. Therefore
K = (U, XV
X)
is complete.
The following theorem establishes the link between the completeness of interaction
languages and the compactness of the underlying IDES structures.
Theorem 4.2. Let K be an interaction specication in the process space . Then
99
K is complete if and only if
(L _ P
(K) is
compact. Then we have L = P
(B
(B
(L, K)) _ L.
Now assume there exists a composable string vector t E L such that t is not in
P
(B
(B
(B
(B
(t, K)),
hence B
(L) B
(L)
where L = L
i
[ i I. However, the other direction of the inclusion does not hold in
general. This is due to the fact that the evolution history of the system components
may contain composable strings that do not contribute to the evolution history of the
overall system behaviour. This should be clear from the fact that incomposable string
vectors with empty behaviour always contain at least one composable prex, namely
I
which has a nonempty behaviour. A language vector L is said to be unblocked or
live if B
(L) = B
iI
P
1
i
L
i
=
iI
P
1
i
L
i
103
Blocking originates from the shared dynamics of the system. Therefore, similar to
the compactness property, a system with no shared events is always live. However,
although the liveness and compactness properties are directly linked to the shared
behaviour of the system, they are not related as demonstrated in the following exam-
ple.
Example 5.1. Consider the process space = (a, b, x, y), (c, d, x, y). The language
vector L = (ax, by), (cy, dx) is compact but not live. A blocking situation in this
language vector is shown below.
y
c
d
a
x
b
y x
L
2
L
1
The language vector L = (a, x), (b, y), on the other hand, is live but not compact
as x B
(L) but x , B
(L).
It is important to distinguish between two forms of blocking in discrete event
systems. The rst corresponds to the case when an unmarked reachable state cannot
reach any other state (including itself), that is, when no event can be triggered at the
blocked state. Such state is referred to as a deadlock state. Otherwise, if a blocked
state can reach some other unmarked state it is referred to as a livelock state. Clearly,
the two forms are exhaustive, that is, a blocked state must be of either form but not
both.
104
5.1.1 Deadlock detection in multiprocess systems
Let L be a language vector in . A string s B
(L) B
(L)))( ) s B
(L)
Deadlock can be detected by exploring all the state space of the synchronous product
of the system components and identifying those non-terminal states with no eligible
events. An alternative approach is to identify potential blocking states rst and
then to check their reachability. This approach will be referred to as detect-rst
approach. The key to this approach is given in the following result which provides
a characterization for deadlock freeness in multiprocess discrete event systems. For
given a subset J of I, let
(J)
denote the set of events exclusive to the set of J
components. Namely,
(J)
=
jJ
j
iIJ
i
.
Theorem 5.1. The language vector L is deadlock-free if and only if
(s B
(L) B
(L))(J I)
(J)
jJ
Elig
L
j
(P
j
s) ,=
Proof. Let s (B
(L) B
jJ
Elig
L
j
P
j
(s) ,= . This
could not hold for the case J = as
()
= by denition. Therefore, we must have
a nonempty J and an event
(J)
such that P
j
(s) L
j
for all j J. Therefore
we get P
1
j
(P
j
(s)) P
1
j
L
j
for all j J. However as
(J)
then it must be that
P
1
i
(P
i
(s)) = P
1
i
(P
i
(s)) P
1
i
L
i
for all i I J. Therefore we obtain
s
iI
P
1
i
P
i
(s)
iI
P
1
i
L
i
= B
(L)
Then the system is not deadlocked at any string s satisfying the given condition. The
only if direction is straightforward.
105
The above theorem shows that deadlock can be traced by examining the set of
eligible events at local strings generated by the system components. Clearly, if a
deadlock occurs at a given string then it also occurs at the corresponding state in
the systems automaton, as the Nerode equivalent strings of a deadlocked string must
be deadlocked as well. Based on the above theorem a string s B
(L) B
(L)
identies a deadlock state if and only if
(J I)
jJ
Elig
L
j
(P
j
s)
(J)
=
Therefore, a language vector L cannot be deadlocked at a string s if there exists
an asynchronous (local) event enabled at any of the vector projection components
of this string. The reverse is also true, that is, if an asynchronous (local) event is
enabled in a given local state, then any global state containing this local state cannot
be deadlocked. Therefore, in detecting global deadlocked states, we only need to
consider those combinations of local states all of whose eligible events are shared.
These combinations (global states) are further rened by testing them with respect
to the above criterion to determine if they identify potential deadlock states in the
composite system. Each potential deadlock state is then traced backward to check
if it is reachable in the composite system. The following Proposition, which follows
directly from Lemma 3.1, shows that this search can also be performed by considering
only the shared behaviour of the system.
Proposition 5.1. Let L be a language vector in a process space . Then
B
(L) = B
(P
s
(L)) = .
Therefore, a given potential deadlock state is reachable if and only if the corre-
sponding state in the projected composite system is reachable. Testing reachability
through the projected system, P
s
(B
(L)) = B
(P
s
(L)) as implied by Proposi-
106
tion 4.7.
To further clarify the detect-rst approach for deadlock detection, consider the
language vector L represented by a set of automata A
i
= (
i
, Q
i
,
i
, q
oi
, Q
mi
), i I
where A
i
= A(L
i
). Every automaton A
i
is assumed trim and therefore live. Let
A = |
iI
A
i
be the synchronous product automaton given by the tuple (, Q, , q
o
, Q
m
)
where =
iI
i
and Q Q
1
Q
2
. . . Q
n
be the set of all possible states in
A. Transitions in the automaton A are dened through the synchronous product
operation in the usual way. Write
Q for the set Q
1
Q
2
. . . Q
n
. Clearly, L
m
(A) =
B
jJ
Elig
A
j
(q
j
(Q
j
Q
jm
))
(J)
=
Therefore, the set PDS(A) can be computed by testing only unmarked local states
1
where all eligible events are shared (no asynchronous events). The set of (actual)
deadlock states in A is then equal to PDS(A) Reach(A), where Reach(A) denotes
the set of all reachable states in A. In another words, a potential deadlock state is an
actual deadlock state if it is reachable from the initial state of the composite system,
namely q
o
= (q
o1
, . . . , q
on
). A direct backward reachability procedure can be used to
determine if a given state q Q is reachable in A.
For loosely coupled systems, testing that a given global state q belongs to the set
Reach(A) can be conducted more eciently by considering only the shared behaviour
of A namely P
s
(A). Based on Proposition 4.7, the projection map P
s
is a composition
invariant map and therefore P
s
(A) can be computed indirectly as P
s
(A) = |
iI
P
s
(A
i
).
The projection operation P
s
denes a correspondence between Q and the set of states
of P
s
(A) which can be identied as a subset X of Pwr(Q). Based on Proposition 5.1,
q Reach(A) if and only if there exists x X where x Reach(P
s
(A)) and q x.
1
This is based on the convention that Elig
B
() = for any automaton B.
107
The complexity of the detect-rst procedure depends to a great extent on the
shared behaviour of the system. The initial part of the procedure detects the set
of potential deadlock states from those combinations of local states with all shared
eligible events. Therefore the worst case complexity of this part is of the order of
[Q
s
1
[ . . . [Q
s
n
[ where Q
s
i
Q
i
denotes the set of states in the ith component of the
system having only shared eligible events. However, the typical complexity of this part
is much smaller than the worst case as many combinations can be excluded during the
test. For instance, if for some J I we have
jJ
Elig
A
j
(q
j
)
(J)
,= , then it follows
from Theorem 5.1 that any global state containing the set q
j
[j J is deadlock-free.
In fact, the eciency of computing the set PDS(A) can vary substantially depending
on the order at which the set of local states are tested with respect to the deadlock
condition given in Theorem 5.1
2
.
In the second part of the procedure, the reachability of potential deadlock states
is checked. The worst case complexity of this part is in the order of the state size
of the composite system, [Q[. However, this part would explore only those states
leading to potential deadlock states. The actual overhead in this part is the tracing of
unreachable potential deadlock states (as the identication of a deadlock state must
involve testing its reachability in one way or another). However, the rate of early
termination of such backward tracing can be high, particularly in loosely coupled
systems. Also, as discussed earlier, a signicant reduction of the complexity of the
reachability test can be obtained by considering only the shared behaviour of the
system.
Example 5.2. The system shown in the gure below is a modied version of the Mil-
ner scheduler presented in [Mil80], which is often used as a benchmark for verication
algorithms because of its exponential state expansion with the number of cyclers. The
scheduler consists of a set of simple components called cyclers. The modied version
allows exible cycling. Figure 5.1 shows the automaton representation of the ith cy-
cler, where i [0 . . . N] for a scheduler consisting of N + 1 cyclers. In this system,
2
The situation here is similar to the problem of generating an ecient ordered binary decision
diagram which depends to a large extent on the way the variables are ordered.
108
state 1i is the initial and marker state for the rst cycler (i = 0) while state 0i is the
initial and marker state for the remaining cyclers (i [1 . . . N]). The subscripts of
the local components are taken as mod N, so that x
N+1
= x
0
. The cycling sequence
can be adjusted using an interaction specication layout and the overall system can
be described by an IDES L = (L, K), where L is the language vector representing
the set of cyclers and K is their interaction specication.
y
i1
y
i1
x
i+1
x
i+1
6i 5i
4i 3i
2i 1i 0i
C
i
K
x
i
,y
i
C
k
C
1
C
0
. . .
b
i
c
i
b
i
a
i
c
i
Figure 5.1: The process scheduler
It is required to verify that the parallel composition of above cyclers is deadlock free.
Applying the detect-rst procedure, potential deadlock states are selected from those
states with all shared eligible events, that is, the set
Q
s
= (q
0ro
, q
1r
1
, . . . , q
Nr
N
)[(j [0 . . . n] r
j
[0, 3]
The set Q
s
can be tested thoroughly with respect to the denition of PDS(A). How-
ever, working by eliminating those subsets of Q
s
that do not correspond to potential
deadlock states can be more ecient for this system. Clearly, any global state con-
taining any of the combinations (q
i0
, q
(i+1)3
) or (q
i0
, q
(i1)3
) for i [0 . . . N] cannot be
a deadlock state. Excluding these cases will leave only two potential deadlock states,
109
namely (q
0r
, q
1r
, . . . , q
Nr
) where r [0, 3]. The next step is to check the reachability
of these two states. Backward tracing will reveal that both states are not reachable.
To reach this conclusion, the backward reachability test explores 2
N+1
global states
for the rst potential-deadlock state (r = 0) and 3 global states for the second one
(the composite system contains approximately 7
N+1
states). Backward reachability
can also be performed using the projection of the shared behaviour of the system
components shown in the following diagram.
x
i
, y
i
x
o
, y
o
y
i1
P
s
(C
i
) P
s
(C
o
)
00
y
N
10 0i 1i
x
i+1
x
1
Potential deadlock states in the composite system correspond to the set of states
(q
0(r1)
, q
1r
, . . . , q
Nr
) where r [0, 1] in the composite of the components projection.
Checking the reachability of these states requires testing only two global states in
the projected system. The complexity of computing the projections is of the order of
7(N + 1) in this case.
The above procedure upon termination will return the set of all deadlock global
states in the system. Based on this information, the system model can be modied
and then tested again until it is deadlock free. It is important to note that the
overhead of the detect-rst procedure (the number of unreachable potential deadlock
states) can be very high in tightly coupled systems. However, for loosely coupled
systems the computational gain is expected to surpass this overhead.
110
5.1.2 Livelock detection in multiprocess systems
Livelock is usually caused by a aw in the communication exchange between the
system components preventing the system from performing its tasks. In contrast
with deadlock, a livelock state has a nonempty set of eligible events and therefore
can reach other states (possibly itself). The diculty in detecting livelock states
stems from its characterization, which is linked to the existence of deadlock states.
Particularly, a livelock state can be dened recursively as a state with a reachable
domain consisting entirely of a nonempty set of deadlock or livelock states. Detecting
livelock states may, therefore, depend on the existence of deadlock states, and hence
deadlock detection has to be performed rst.
Livelock detection can be simplied by considering those states that can only reach
livelock states. Blocked states that can reach only deadlock states can be considered
blocked for this reason. Such blocked states will be referred to as semi-livelock. By
denition, the existence of semi-livelock states is tied to the existence of deadlock
states. Therefore, assuming that the system is deadlock-free we only need to consider
blocked states that can reach only livelock states. Those states will be referred to
simply as livelock states. Given the assumption of nite state space, the recursive
characterization of livelock leads to the conclusion that any livelock state must exist
within a loop, or more precisely a clique, in the global system.
Let A = (, Q, , q
o
, Q
m
) be a deadlock-free automaton. Based on the above
description, a state q A is a livelock state i,
A
(q) ,=
A
(q) Q
m
= (q
A
(q))
A
(q
) ,=
The rst two conditions characterize also semi-livelock states, while the last condition
distinguishes (strict) livelock states as those which can only lead to another livelock
state. Clearly, based on the above denition, the reachable domain of a livelock state
is a nonempty set of livelock states. The automaton A is said to be livelock-free if it
does not contain any livelock state.
111
Let X be a nonempty subset of Q in A. Let
X
denote the restriction of to the
states in X, and let
X
A
: X Pwr(X) be the reachability map that assigns each
state x X to those states in X that are reachable from x via transitions from
X
.
The set X is called a clique in A if every state in X can reach any other state in X
via transitions from
X
. Formally, a set of states X is a clique in A if
(x, x
X) x
X
A
(x)
Clearly, the empty set is a (trivial) clique under the above denition. However, here
we restrict the notion of clique to nonempty subsets of Q. A state x
o
X is called
an input state for the clique X if x
o
is the initial state of A or
(q QX)( ) (q, ) = x
o
In this case the transition (q, , x
o
) is said to be an input transition for the clique X.
Similarly, a state x
m
X is called an output state in X if it is a terminal state in
A or there exists a transition (q, , x
m
) with q Q X. In this case, the transition
(q, , x
m
) is then an output transition for the clique Q
= (X
, X
o
, X
m
) in A such that X X
, X
o
X
o
, and
X
m
X
m
. A clique is said to be terminal if each reachable state from the clique is
in the clique, that is, if
A
(X) = X. It is easy to see that every terminal clique is
maximal but the reverse is not generally true. For example, in the above automaton,
cliques 0, 1, 2 and 3, 4 are maximals, but only 3, 4 is terminal.
Proposition 5.2. Assume that the automaton A is deadlock-free. Then A is livelock-
free if and only if every reachable terminal clique in A contains a marked state.
Proof. Clearly, any reachable terminal clique that is not coreachable is associated
with at least one livelock state in A. Then, we only need to show the other direction,
that is, for every livelock state x in A, the set
A
(x) contains a terminal clique that
is not coreachable. Let x be a livelock state in A. First we show, by contradiction,
that
A
(x) must contain a clique. We dene a run in
A
(x) as a sequence of states
x
o
, x
1
, . . . , x
n
where x
o
= x and x
i
A
(x) and x
i1
= (x
i
,
i
) for some
i
for
all i [1 . . . n]. Now assume that
A
(x) does not contain a clique. Then every run in
A
(x) consists of a set of distinct states. Given that A is nite then it follows that
every run in
A
(x) is nite, and therefore contains a (nonempty) set of maximals with
113
respect to the prex ordering. By denition, each maximal run ends with a state that
cannot reach any other state in A contradicting the assumption that x is a livelock
state. Therefore
A
(x) must contain a clique. Clearly, if
A
(x) contains a clique then
it must contain the maximal clique of that clique, as any clique containing a clique in
A
(x) must be in
A
(x). Therefore
A
(x) must contain a maximal clique. It remains
to shown that
A
(x) contains a terminal clique. This follows directly from the fact
that every maximal clique in
A
(x) is either terminal or must reach another maximal
clique (otherwise, A would contain a deadlock state), and the fact that the set of
maximal cliques is disjoint and nite (for a nite state system). It follows that for
every livelock state x, the set
A
(x) must contain a terminal clique. Clearly such a
terminal clique does not contain a marker state. This completes the proof.
Therefore, livelock states can be detected by testing the set of terminal cliques
in the system
3
. The above result can be used as a base for developing a detect-rst
procedure to livelock detection in multiprocess systems. First we need to identify
the conditions in the system components that characterize a terminal clique in the
composite system. To this end, let (X, X
o
, X
m
) be a clique structure in A. A clique
machine is a tuple M = (X, x
o
, X
m
) where x
o
X
o
. The transition function of this
machine is
X
. A clique machine M = (X, x
o
, X
m
) is said to be maximal if there is no
other clique machine M
= (X
, x
o
, X
m
) such that x
o
= x
o
, X X
, and X
m
X
m
,
that is if it is not a submachine of any other clique machine. As mentioned earlier, if
A is trim then every clique in A must have at least one input and one output state.
Therefore, in this case, each clique is associated with at least one maximal clique
machine.
Let A be a set of trim automata A
i
= (
i
, Q
i
,
i
, q
oi
, Q
mi
) [ i I over a process
space and let A = |A
i
= (, Q, , q
o
, Q
m
) be their synchronous product. For a
nonempty J I let M = M
j
= (x
jo
, X
j
, X
jm
) [ (j J) be a set of clique machines
in A. The set M is said to be a clique vector if M = |M is a clique machine, where
3
Finding all possible cliques in a given graph is a known NP-complete problem as it requires
examining all possible subsets of the set of state [GJ79].
114
| is the composition operation for the process space . The composite machine M
is a tuple (x
o
, X, X
m
), where x
o
= x
jo
[ j J is called the local input state for M,
X
jJ
X
j
is the set of states reachable from x
o
in M, and X
m
= X
jJ
X
jm
. By
denition, the set M is a clique vector if and only if x
o
is reachable from itself in the
composition |M, that is, only through states from X. Let y
iIJ
Q
i
and x X.
We will write (y
x) to denote the global state q corresponding to the disjoint union
of x and y components. The tuple (M, y) will be referred to as a clique module. The
clique module (M, y) is said to be reachable if
(x
o
y)
A
(q
o
)
That is, the global state (x
o
y) is reachable in the composite system. The clique
module (M, y) is said to be terminal if
(q Q) q
A
(x
o
y) = (x X)q = (x
y)
That is, any reachable global state from (x
o
y) must remain in the clique while
preserving its y part. To satisfy this condition it is necessary that y be deadlocked
with respect to M, i.e., there should be no eligible event at y that is also an eligible
event at any x X. Clearly, this also requires that y have no asynchronous eligible
events. Finally, (M, y) is said to be marked if
(x
m
X
m
) (x
m
y) Q
m
That is, a the clique module contains a global marked state. Intuitively, a clique
vector M = M
j
= (x
jo
, X
j
, X
jm
) [ (j J) is a set of local cliques that compose
to a clique in the global system independently of any other components in I J.
Therefore, for any y
iIJ
Q
i
the tuple (M, y) corresponds to a potential clique in
the global system. The tuple (M, y) only needs to be reachable to correspond to an
actual clique, that is when (x
o
, y) is reachable. The conditions for termination and
marking can be formulated directly for this tuple through this correspondence.
115
Theorem 5.2. Let A be a vector of trim automata in where A = |A is deadlock-
free. Then A is livelock-free if and only if every reachable and terminal clique module
in A is marked.
Proof. As shown earlier, A is livelock-free if and only if every reachable terminal clique
in A contains a marker state. We show rst that every reachable terminal clique in
A corresponds to a reachable terminal clique module in A. Let X Q be a terminal
clique in A. Let M = (x
o
, X, X
m
) be one of its clique machines. As M is reachable
in A then it must be that x
o
A
(q
o
). Let (M) be the set of the transition events
of M. Let J be the maximal subset of I that satises
(j J)
A
(M)
j
,=
It is easy to verify that such J is always unique and nonempty for any clique in A.
Given that each A
i
is trim, then the composition operation denes a homomorphic
correspondence between each component automaton A
i
and the composite automaton
A given as h
i
: Q Q
i
where h
i
(q) = q
i
i q
i
q. Then, the clique machine
(x
o
, X, X
m
) in A corresponds to the machine M
j
= (x
jo
, X
j
, X
jm
) in A
j
, where x
oj
=
h
j
(x
o
), X
j
= h
j
(X), and X
mj
= h
j
(X
m
). It is easy to see that the machine M
j
is a clique as we have
A
(X)
j
,= and it is known that projection preserves
reachability. Also, for i J I, the clique M corresponds to a single state, with
no transitions in the corresponding automaton A
i
. Let y
iIJ
Q
i
denote this set
of states. Therefore, the set of clique machines M = M
j
= (x
jo
, X
j
, X
jm
) [ j
J together with y forms a clique module. The composite machine M
= |M
j
=
(x
o
, X
, X
m
) has the same transition structure of the clique M, therefore, L(M) =
L(M
). Based on the correspondence between the clique M and the set M, we can
conclude that M is reachable via y in A and it is also terminal with respect to the
same y as M is terminal. Also M could not be marked via y, as this would imply that
M contains a marked state, contradicting the initial assumption. The other direction
can be proved by contradiction using the above deduction.
116
Based on the above result, livelock situations can be traced from reachable and
terminal clique modules that are not marked. Therefore, detecting livelock in multi-
process systems can be performed by detecting this class of clique modules. Identify-
ing modules, however, requires identifying all cliques in the system components and
examining the synchronous behaviour of all possible combinations of these cliques.
In general, the number of cliques in a given automaton may exceed its number of
states. However, many of these combinations are expected to be eliminated early by
examining the criteria for a livelock situation. In summary, a set of clique machines
M = M
j
= (x
jo
, X
j
, X
jm
) [ j J and a set of states y
iIJ
Q
i
in a vector
automaton A identies a livelock situation in the composite system A = |A i
1. (M, y) is a clique module:
The composite machine M = |M = (x
o
, X, X
m
) satises x
o
M
(x
o
)
2. (M, y) is reachable in A:
(y
x
o
)
A
(q
o
)
3. (M, y) is terminal in A:
Any state reachable from (x
o
, y) state in A must be in the form (x
y) for some
x X. That is, y is deadlocked with respect to the set of states X. In general
y should not have any eligible event that is asynchronous.
4. (M, y) is not marked:
Every global state (x
m
y) must not be in Q
m
, the set of marked states of the
composite system.
A clique module is rst identied by a composable set of cliques M and set of
states y that is deadlocked with respect to the states in |M. The clique module
(M, y) identies a potential livelock source if it satises any of the above conditions.
It becomes a livelock source if it satises all the above condition. A list of potential
livelock sources is built and updated by testing the conditions above for reachability
and marking. A clique module (M, y) is removed from the list when it fails any of
these conditions.
117
The detection procedure can be enhanced by utilizing the reachability and core-
achability information as they accumulate during the detection process. Another
enhancement can be obtained by observing the inclusion of one clique machine into
another in the system components. Formally, a clique machine M = (x
o
, X, X
m
) is
a submachine of another clique machine M
= (x
o
, X
, X
m
) if x
o
= x
o
, X X
, and
X
m
X
m
. A clique machine is said to maximal if it is not a submachine of any
other clique machine. Let M be a submachine of M
(L) = B
(L)
with the convention that L = (L, K). Similar to the case of language vectors, the set
of live IDES is not closed under componentwise union or intersection. An IDES that
is not live is called blocked. Clearly, an IDES L can be blocked even if the language
vector L and the interaction language K are both live. Moreover, L can be live
even if the language vector L or the interaction language K (or both) is blocked. To
simplify the analysis we will assume that the language vector L is live. In this case
we can focus on checking if the interaction language K does not block the parallel
composition of the system components.
Let be a process space and let L L(). Let C
o
(L) = K C
(L) [ B
(P
(L), K) = B
((P
(L), K))
This set is not empty for any language L as it contains L itself. It is easy to verify
that this set is not closed under intersection in general. However, it is closed under
union and hence contains a supremal element. We will denote this supremal element,
C
o
C
o
(L) = L
_
L [BP
(L)]
c
_
(L)]
c
_
is a compensator
122
for L. For simplication, we will write H(L) for the set
_
L [BP
(L)]
c
_
. We
only need to show that
BP
(L)
_
L [BP
(L)]
c
_
=
It is easy to see that the above equality holds based on the facts that [BP
(L)]
c
=
[BP
(L)]
c
and BP
(L) BP
(L)]
c
_
(L), and t
. Therefore a
string s
_
L [BP
(L)]
c
_
(L)]
c
. Therefore we
can write
BP
(L)
_
L [BP
(L)]
c
_
L
Based on that we show below that the compensator above is a non-blocking one.
BP
(L) L H(L) =
_
BP
(L) L
_
_
BP
(L) H(L)
_
= L
_
BP
(L) H(L)
_
= L
_
BP
(L)
_
L [BP
(L)]
c
_
_
= L
Next, we show that the above non-blocking compensator is a supremal one. Clearly,
any compensator for L must contain L itself. Now assume that S is non-blocking
compensator of L and there exists s S such that s , H(L). Clearly, we only need
to consider the case when s , L. Therefore, based on the non-blocking assumption
we can write
s BP
(L) L
However as s , L we must have u s and such that u L but u , BP
(L).
Then, it must be that
s
_
L [BP
(L)]
c
_
,=
This contradicts the assumption that s , H(L). Therefore, the above non-blocking
compensator is the optimal one.
123
Therefore, to obtain
C
o
(L)
and at every state (q
1
, q
2
) in this product, where q
1
is a state in A(L) and q
2
is a state
in A(BP
= (Elig
A(L)
(q
1
) Elig
A(BP
(L))
(q
2
))
leading to a terminal state with self-loop
(B
(L)]
and then add to it any string that escapes this intersection without further move in
the prex of B
(L). This is achieved by disabling any event that escapes from this
intersection through a common event in the prexes K and B
(L)] is
computed by exploring only those states in B
(L)]. Consequently, this computation can more ecient than the direct
composition approach when the specication K is highly restrictive such that the
size of K B
C
o
(B
= a
1
, a
2
).
b
2
b
2
a
2
a
2
L
2
x
y
z
a
2
a
1
1
0
1
L
1
a
1
b
1
b
1
a
1
z
y
x
0
2
3
4 0 1
3
4
2
126
First we test if the components alone are live. In these two components there are
only two potential deadlock states, namely, (0,4) and (4,0). Testing the reachability
requires the exploration of two global states and will conrm that the two components
are deadlock-free. Also, examining clique vectors in these two components will show
that there are no terminal clique modules in these components (there are only two
maximal cliques in each component). The interaction specication restricts only
two events. At state 0 of the specication, event a
2
is the only event that is not
eligible. This leaves only state 3 from the second component to consider for potential
deadlock. In the rst component we only need to consider state 0 and 4 together
with this combination, as they have all shared eligible events. Therefore, we have
(0,3,0), and (4,3,0) as potential deadlock global states. With similar arguments we
can obtain (3,0,1) and (3,4,1) as the remaining potential deadlock states. Testing the
reachability of these states requires the exploration of only 4 global states and will
conrm that the overall IDES structure is deadlock-free.
The detect-rst approach can also be used for livelock detection in IDES. The
procedure is similar to that used earlier for multiprocess systems. Basically, the set
of clique modules in the system components and the set of cliques in the interaction
specication are rst identied. Then each combination of a clique module in the
components and a clique in the interaction specication is tested for reachability,
coreachability and composability as to verify that the composition of the two cliques
forms a clique in the overall system. The details of this procedure will not be pre-
sented here. However, there are two important points to consider in this approach.
First, information about the clique modules and their reachability and coreachability
is usually available from detecting livelock situations in the systems components. This
information can be reused when an interaction specication is added to the model.
Second, the total synchronization between the components and the interaction spec-
ication can be an advantage as invalid clique combinations can be identied early
without extensive exposure to the global states of the composite systems. There-
fore, it may be more ecient to do the three tests (reachability, coreachability, and
composability) in an alternative scheme, going through a part of each test at a time.
127
5.2 Verication of IDES
The term external verication or simply verication refers here to the procedure in
which the system model is checked against a set of behavioural specications that
ensure that the system works as expected. The (external) verication problem can
be described formally as follows, given a system modelled by automaton P and a
specication modelled by another automaton S; test if the statement L(P) L(S)
is true, where L(G) denotes the language generated by the system G.
In practice, the system P is usually composed of a number of coordinating com-
ponents, and therefore, the composed structure P is too complex to allow a language
containment test directly by conventional means. This motivates the use of the de-
composition approach as a base for ecient solution. It is important to emphasize
again that the eciency of this approach can be claimed only under the assumption
that the specication is much simpler than the system, and therefore, the decompo-
sition of the specication is not by itself a computational bottleneck.
In general, the system is given as a set of components interacting concurrently,
which may be constrained by a given interaction language. The specication, on the
other hand, is usually given as a language (automaton) describing a desired behaviour
or a task to be achieved. Formally, the IDES verication problem can be described as
follows: given an IDES system L = (L, K) over a process space and a specication
S L() we want to test the statement B
(L)
B
(o). The following proposition shows that the componentwise inclusion implies
behaviour inclusion.
Proposition 5.4.
L _ o = B
(L) B
(o)
128
Proof. Having L
i
S
i
for all i I implies that B
(L) B
(L) K B
(L) B
(o).
The above result holds even if L and/or o are not compact. The other direction
does not generally hold even if both L and o are compact, and even if, in addition,
their interaction languages are optimal - both are equal to the supremal compensator
for their prospective behaviour. This case is shown in the following example.
Example 5.4. Let = a, x, b, x be the process space. Let L = (a), (b),
and S = (a, aa), (b) be two language vectors. Let L = (L, K) and o = (S, R)
be two IDES where K =
and R =
aab. Then L = B
(L) and R =
C
(L) B
(o). However, L ,_ o as K , R.
Note that for a system L = (L, K) and a specication o = (S, R), we may have
B
(L) B
(L) B
(L)) in order
to conrm the behavioural containment.
In spite of the fact that the IDES model does not guarantee a modular solution to
the verication problem, it oers in general a better ground towards such a modular
solution. The interaction information provided in the IDES structure enhances the
chance of nding a modular solution in certain situations that would otherwise require
the computation of the synchronous product of the system components. This is
illustrated in the following example.
Example 5.5. Let be the process space of the previous example. Consider the
system L
= (L, K
) where K
= a
_ o. This
conrms that B
(L) S.
Proposition 5.5. Assume that L and o are compact and G H. Then
L _ o B
(L) B
(o)
130
Proof. The right direction holds in general as proved in the previous proposition. The
left direction is obtained as follows. The assumption that both L and o are compact
implies that L
i
= P
i
(B
(L)) and S
i
= P
i
(B
(S),
C
(S)).
a2
b2
c2
x
d2
a1
b1
c1, d1, x
. . . .
a
1
b
1
a1
a1
a1
a1
b1
b1
b1
B
A
A
b1
A, B
A, B
x
a
k
b
k
c
k
d
k
The following abbreviations are used in the gure above: A = c
1
, d
1
, x, B =
a
i
, b
i
, c
i
, d
i
[ i [2 . . . k], and
(S). However, it is
easy to check that the specication is invariant with respect to the abstraction map
G dened as follows
(i [2 . . . k]) G(a
i
) = G(b
i
) = G(c
i
) = G(d
i
) = a
i
, b
i
, c
i
, d
i
,
G(a
1
) = a
1
, G(b
1
) = b
1
, G(c
1
) = c
1
, G(x) = x
The map G can then be used to abstract the system. The abstraction of the system
can be computed eciently using the result of Proposition 4.8. The gure below
shows the abstraction of the system, K = G(B
is the set
a
1
, b
1
, c
1
.
c
1
d
1
b
1
a
1
x
It is easy to see that K is invariant with respect to G, that is K = G(K). Conse-
quently, the system can be represented by the SIDES structure (L, K, G). Also, given
that S = G(S), the specication can be represented by the SIDES (P
(S), S, G).
Here we have K , S, and based on Proposition 5.5, this conrms that the system
does not satisfy this specication. Now consider the situation when the system is
arranged as shown below.
132
U1
a1
c1
d1
b1
x U1
a1
c1
d1
b1
x
. . . . .
X
U
k
x
d
k
c
k
b
k
a
k
.
.
.
.
U
k
X
U
1
X
U
k
U1
The above interaction specication K
The above specication requires the scheduler in its free form be initiated and termi-
nated in its rst cycler. It is easy to see that this specication is invariant with the
-abstraction map, G, dened as follows:
(i [0 . . . k]) G(x
i
) = x
i
, G(y
i
) = y
i
, G(a
0
) = a
1
, G(b
1
) = G(c
1
) = c
1
, b
1
(i [1 . . . k]) G(a
i
) = G(b
i
) = G(c
i
) = a
i
, b
i
, c
i
(S), G(L) S
In the case when K = 4, the scheduler machine B
(S) is also
negligible compared to the size of the composite system.
5.3 Iterative verication in process space
It is shown in the previous section that if the system IDES is componentwise contained
(_) in the specication IDES or if the system interaction language is contained in the
specication, then it can be concluded that the system behaviour is contained in the
specication. No such conclusion can be drawn otherwise. However, the interaction
specication of the system is an abstraction of its behaviour. This abstraction can
134
be rened toward its minimal limit, namely, the overall system behaviour. At this
limit the verication test can always be conrmed. This suggests using an iterative
renement procedure to adjust the amount of information in the IDES model. In such
procedure the interaction specication of the system is rened towards its minimal
limit until a solution is found. This procedure is guaranteed to terminate if the
renement steps are nite and progressive in the sense that every renement is strictly
ner than the previous ones.
The iterative approach for IDES verication can be summarized as follows. Con-
sider an IDES L = (L, K) in the process space and a specication S L().
The specication can be converted to an IDES o = (S, R) where S = P
(s) and
R =
C
C
1
C
0
x
i
x
i+1
x
i+1
b
i
c
i
b
i
a
i
c
i
Figure 5.3: A 3-cyclers scheduler
The above scheduler is organized in a parallel scheme in which the system goes through
the cycles 0 to 2 repeatedly. In this system, state 1 is the initial and marker state
for the rst cycler (i = 0), and state 0 is the initial and marker state for all other
cyclers. The system can be described by the IDES L = (L, K), where L is the set of
cyclers and K =
= b
i
, c
i
, x
i
[ i [0 . . . 3]. It is easy
to verify that this specication is -indecomposable.
136
a
2
a
0
a
1
.
Verication
Assume that the current abstraction of the system is K
n
where n N. At this stage we
check if K
n
R. If this is true, then the verication procedure terminates conrming
that the system meets the given specication. Otherwise, if K
n
, R, then we need
to check if this failure is due to the system or is a result of over-approximating the
system behaviour in the given abstraction K
n
. The initial abstraction of the scheduler
system clearly fails this step, as we have K
o
, R.
137
Failure analysis
In the case of verication failure, verication tools usually provide a failure report
containing a set of failure paths. Each failure path consists of a sequence of transitions
starting from the initial state and ending with a state with an eligible event that leads
out of the specication R. The failure report at step n can then be represented by a
nite set of tuples in the form (s, ), where s
(L) ,= . If
this statement is true then the verication procedure terminates with failure as, under
the assumption that the system components are live (B
(L) = B
after s
where s = s
. This
process continues until an event leading to in s is disabled. Disabling after s can
be achieved by preempting another event between s and . This preemption can be
done as follows. Let q be the state in K
n
at which s terminates and is enabled. Let
q
i
be a state in the nth abstraction of the ith component L
i
, referred to as A
n
(L
i
). Let
n
i
be the corresponding partition so that A
n
(L
i
) is the quotient machine A(L
i
)/
n
i
.
Let [q
i
]
n
i
be the class of states equivalent to q
i
under
n
i
. Assume that
i
, and
let s
i
be the ith projection of s. Let X
i
be the set of states in [q
i
]
n
i
where is
eligible, and let Y
i
be the set of states in [q
i
]
n
i
that are the destination of the string
s
i
. If X
i
Y
i
= , then rene the partition [q
i
]
n
i
into two partitions one containing
X
i
and the other containing Y
i
. Such renement will guarantee that is no longer
available after s in the composite abstraction. This is valid if is either a shared or
an asynchronous event. This situation is illustrated in the following diagram.
If such renement cannot be established at the ith component (X
i
Y
i
,= ),
then try other components j where
j
. If no renements can established in
any of these components, then move backward and replace with
and s with s
where s
n
i
in order to separate between X
i
and Y
i
in
general. Therefore, there are several ways to rene the current partition in order to
disable after s. Heuristic rules can be used to choose a suitable partition that will
reveal the minimum amount of information in the process; for instance, minimizing
the dierence between the sizes of the partitions. It will be assumed that a suitable
renement is randomly chosen among the available ones. It is already established
that s is not in B
L
i
. . . . . .
L
n
i
K
n
s
s
N
s
i
L
n
N L
n
1
s
1
P
1
P
i
P
N
Figure 5.5: Rening the abstraction at the nth iteration
140
partition.
In the scheduler example, the failure tuple (, a
1
) can be traced back to the second
component. In this component, disabling a
1
after can be achieved by separating
state 0 and 1 in the next renement. Clearly, there are many partitions that can
achieve this. The partition
1
1
= 0, 2, 3, 4, 5, 6, 1 will be used here. Similar
partition will be used in the third cycler to disable a
2
after . The partition of the
rst cycler will remain the same. The abstraction K
1
of the system now has three
states as shown in the following gure where
= a
1
, x
1
, a
2
, x
2
.
a
2
a
1
x
2
x
1
Figure 5.6: The system abstraction after the rst iteration
The above procedure is guaranteed to terminate, as every iteration must either
terminate or rene the current abstraction, and there is a nite number of possi-
ble abstractions that end with the overall system behaviour B
2
0
= 0, 1, 4, 6, 2, 3, 5 will be used. Similarly, a
2
cannot be disabled after x
2
,
141
and to disable x
2
after , the state set 3, 5 must be separated from the state set
4, 6. The partition
2
1
= 1, 2, 3, 5, 4, 6, 0 will be used. The partition of the
third components will remain the same. The abstraction K
2
is the composition of the
three quotient components. Continuing this procedure, the following abstraction can
be obtained at the fth iteration (
= a
0
, x
0
, a
1
, x
1
, a
2
, x
2
). This abstraction
is a subset of R, conrming that the system meets the given specication.
a
2
x
2
x
1
a
0
x
0
a
1
= b
1
, b
2
, b
3
.
0
1
2
b1
b3
b2
146
In this system the set of uncontrollable events is a
1
, a
2
, a
3
. All other events
are controllable (controllable transitions are marked with a tick in the correspond-
ing edge). Using the synchronization procedure, the optimal supervisor - shown in
Figure 6.2 - is constructed using direct synchronization for the above specication.
0,0,0 1,1,1
x
y
a1
a2
a3
a2
a1
a3
a3
b1
b1
b1
b1 b1
b1 b1
a1
a2
a3
a2
a1
3,1,1
2,1,1
1,2,1
1,1,2
3,2,1
3,1,2
2,1,2
2,2,1
1,2,2
2,2,2
4,1,2
3,2,2
4,1,1 4,2,1
4,2,2
b1
b2
b3
z
4,4,2 4,4,4
Figure 6.2: The optimal supervisor for three process system
In this example all bad states (shaded nodes in the above gure) are identied in
one iteration. The total number of explored states is 19, while the number of states
of the composite system is 64.
147
6.1.2 Detect-rst approach
The detect-rst approach can also be used in the supervisory synthesis of multiprocess
systems. The basic idea is to isolate and then to remove potential bad states.
Potential bad states have the same characteristics of the bad states in the direct
synchronization approach. The only dierence is that in the detect-rst approach
these bad states are identied rst and then checked for reachability (if needed) by
backward tracing. The detect-rst approach is explained in the following.
Consider the set of components L and the specication K. We assume initially
that L is live. To identify bad states, we rst identify those states in K where not
all the events in are eligible. Let x be such state in K and let
be the set of
events that are not eligible at x. Next we identify the set of states q in the composite
structure B
is eligible in q, a subset of
is
the only set of events that can lead to a marked global state in the composite structure
of (L, K), or if it has an uncontrollable event that leads to a bad state. Potential bad
states are then tested for reachability by backward tracing. A conrmed bad state is
then removed from the specication by disabling the latest controllable event leading
to it. This process is repeated until all bad states are eliminated.
Note that, in the detect-rst procedure above, we do not need to carry out the
reachability test for all potential bad states. Conrming the status of a potential bad
state is only needed if it aects the status of other states. In another words, we need
to test the reachability of a potential bad states (q, x) only if there exists another
state (q
, x
, x
(L),
and a specication language S represented by an IDES structure, o = (S, R) with
S = B
(L/1)
as follows
B
(L/1) = |
iI
(V
i
/L
i
) (T/K)
where V
i
is a supervisor for L
i
with respect to the specication S
i
. Then (V
i
/L
i
)
denotes the restriction of the ith component of the system by the ith component
of the supervisor. Typically such restriction is achieved by total synchronization
(intersection). The IDES supervision setting is depicted in Figure 6.3.
149
V
n
L
n
K
T
V
n1
L
n1
V
1
L
1
. . . . .
Figure 6.3: The IDES supervision structure
150
We will address two main issues regarding the IDES supervision mechanism. The
rst is the validity of this form of supervision, that is, to check if IDES supervision
can restrict the system to the given specication. The second issue is optimality,
that is, to check when the IDES supervision can produce the minimally restrictive
behaviour while satisfying the specication.
Recall that for a language S representing a specication for a system language
L, the set of all sublanguages of S that are controllable with respect to L is denoted
(
L
(S). This set contains a supremal element denoted sup (
L
(S). This element, if not
empty, corresponds to the optimal supervisor for L with respect to the specication
S. The blocking issue will not be considered here. Therefore, the system and the
specication languages are assumed prex closed.
Proposition 6.1. Let S
1
, S
2
, L L() be prex closed languages. Then
sup (
L
(S
1
S
2
) = sup (
L
(S
1
) sup (
L
(S
1
)
The above proposition is a special case of a more general result in [Won01]. The
following result is a direct consequence of the controllability property.
Proposition 6.2. Let E, L L(). Then
L E = sup (
L
(E) = E
(
L
(S). Given this notation, the optimality of IDES supervision
can be expressed by the following condition:
sup
(
L
(S) = | sup
(
L
i
(S
i
) sup
(
K
(R) =
iI
P
1
i
sup
(
L
i
(S
i
) sup
(
K
(R)
151
Clearly the optimality of IDES supervision implies its validity. Conditions for the op-
timal IDES supervision will be explored hereafter. The validity issue will be discussed
after that in the light of the optimality conditions.
Proposition 6.3.
S = S and L = L = sup
(
L
(S) = sup
(
L
(S)
Proof. First we show that sup (
L
(S) = sup (
L
(S). Let H L() be a language.
Then
H (
L
(S) = H S and H
u
L H
= H S and H
u
L H (S = S and H = H)
= H (
L
(S)
Hence, sup (
L
(S) (
L
(S). Therefore, sup (
L
(S) sup (
L
(S). Also sup (
L
(S)
sup (
L
(S) in general, hence it must be that sup (
L
(S) = sup (
L
(S). Now, we have
sup
(
L
(S) = sup (
L
(S L) = sup (
L
(S) L = sup (
L
(S) L
However,
sup (
L
(S) L sup (
L
(S) L
Therefore, sup (
L
(S L) sup (
L
(S L). Also, in general we have
sup (
L
(S L) sup (
L
(S L)
Then it must be that sup (
L
(S L) = sup (
L
(S L). That is, sup
(
L
(S) = sup
(
L
(S)
Based on the above result, the optimal supervisor is guaranteed to be prex closed
when the system and the specication are prex closed . The next result shows that
the sup
(
L
i
(S
i
) = sup
(
P
1
i
L
i
(P
1
i
S
i
)
Proof. Let H
i
be a language in the set
(
L
i
(S
i
). First, H S
i
L
i
implies
P
1
i
H P
1
i
S
i
P
1
i
L
i
. Second,
H
(
L
i
(S
i
) = H
ui
L
i
H
= H
ui
L
i
H
ui
=
ui
= P
1
i
_
H
ui
L
i
_
P
1
i
H
= P
1
i
H P
1
i
ui
P
1
i
L
i
P
1
i
H
= P
1
i
H
u
P
1
i
L
i
P
1
i
H (
u
P
1
i
ui
)
= P
1
i
H
u
P
1
i
L
i
P
1
i
H
= P
1
i
H
(
P
1
i
L
i
(P
1
i
S
i
)
For the other direction, let T L() be a language in the set
(
P
1
i
L
i
(P
1
i
S
i
). First,
T P
1
i
S
i
P
1
i
L
i
implies that P
i
T S
i
L
i
. Second,
T
(
P
1
i
L
i
(P
1
i
S
i
) = T
u
P
1
i
L T
= P
i
(T
u
P
1
i
L) P
i
T
= P
i
T P
i
u
P
i
P
1
i
L
i
P
i
T
= P
i
T
ui
L
i
P
i
T
= P
i
T
(
L
i
(S
i
)
Now let X = sup
(
L
i
(S
i
) and let Y = sup
(
P
1
i
L
i
(P
1
i
S
i
). Then we have, by supremal-
ity, P
1
i
X Y and P
i
Y X. Therefore P
1
i
P
i
Y P
1
i
X. However, Y P
1
i
P
i
Y .
Then it must be that P
1
i
X = Y . Therefore, we can write
P
1
i
sup
(
L
i
(S
i
) = sup
(
P
1
i
L
i
(P
1
i
S
i
)
This completes the proof.
153
The next step is to nd conditions upon which the synthesis of local supervisors
for the system components can be done optimally using only information about these
components without the need of any information from the other components of the
system.
Proposition 6.5. Let L = (L, K) be an IDES such that K is controllable with
respect to B
(L) and
s
c
. Let L = B
such that s L, s P
1
i
L
i
and
s , L. Given that shared events are controllable, then
u
i
implies that
s P
1
j
L
j
for all j I i. Also by the controllability of K, if
u
then
s
iI
P
1
i
L
i
and s K implies that s K. Therefore, we can state that
(s
)( (
u
i
)) s P
1
i
L
i
= s L
Hence, for any language T L, we have T(
u
i
) P
1
i
L T
u
L. Then, we
can write
T (
L
(P
1
i
S
i
L) = T
u
L T
= T(
u
i
) P
1
i
L
i
T
= P
1
i
P
i
(T(
u
i
) P
1
i
L) P
1
i
P
i
T
= P
1
i
P
i
T P
1
i
P
i
(
u
i
) P
1
i
L
i
P
1
i
P
i
T
= P
1
i
P
i
T
u
P
1
i
L
i
P
1
i
P
i
T
154
Clearly, T (P
1
i
S
i
L) implies P
1
i
P
i
T (P
1
i
S
i
P
1
i
L
i
). Then based on the
above we can conclude that P
1
i
P
i
T (
P
1
i
L
i
(P
1
i
S
i
P
1
i
L). This shows that
P
1
i
P
i
sup (
L
(P
1
i
S
i
L) sup (
P
1
i
L
i
(P
1
i
S
i
P
1
i
L)
Given that sup (
L
(P
1
i
S
i
L) P
1
i
P
i
sup (
L
(P
1
i
S
i
L) and combining the previ-
ous result, we can write
sup (
L
(P
1
i
S
i
L) sup (
P
1
i
L
i
(P
1
i
S
i
P
1
i
L) sup (
L
(P
1
i
S
i
P
1
i
L
i
)
Now, given that any language H such that H L = is controllable with re-
spect to L trivially, then with little eort it can be seen that sup (
L
(P
1
i
S
i
L) =
sup (
L
(P
1
i
S
i
P
1
i
L
i
) L. Then by adding the intersection with L to the above
line we get sup (
L
(P
1
i
S
i
P
1
i
L
i
) L = sup (
P
1
i
L
i
(P
1
i
S
i
P
1
i
L
i
) L. This
completes the proof.
The conditions in the above proposition are sucient to guarantee the optimality
of supervision at the components level. The question about the necessity of these
conditions does not aect the results in this section and will be left for future inves-
tigation. The controllability conditions for the interaction part of the model will be
examined next.
Given the IDES specication o = (S, R), to achieve optimal IDES supervision a
condition is needed such that information about the interaction language K is enough
to calculate the language sup (
L
(R) K. This language represents the optimal super-
visor for the systems interaction language with respect to the interaction language
of the specication.
Proposition 6.6. Assume R K is controllable with respect to K. Then
sup (
L
(R K) = sup (
K
(R K)
Proof. Assume H (
K
(R), then H
u
K H. However, H
u
L H
u
K H.
155
Hence H (
L
(R). Therefore
sup (
K
(R K) sup (
L
(R K)
Also if R K is controllable with respect to K, then it must be that R K =
sup (
K
(R K). However, it always holds that sup (
L
(R K) K R. This shows
that sup (
L
(R K) = sup (
K
(R K), and both in this case are equal to R K.
It is clear that the condition that R K is controllable with respect to K is
sucient but not necessary. For instance, when K = L, the implication of the propo-
sition holds trivially independent of R. However, based on the above proposition, an
optimal supervision for the systems interaction language K can be achieved if a com-
pensator R for the specication is found such that KR is controllable with respect
to K. In general, the set of compensators for the specication S is any language R
such that S R
C
(S))
(S)) is prex closed. It is worthwhile here to reect on limit cases for the
system interaction language, K. In one limit case, when K = L, the supervisor of the
system interactions is always optimal regardless of the specication. However, this is
also the most complex case. The other limit is more interesting, namely when K =
can
156
be implemented for any two parallel components if and only if the set of events V is
controllable.
Theorem 6.1. Let L = (L, K) be an IDES over a process space with L = L(L),
and let S L(). Assume that,
1.
s
c
2. K is controllable w.r.t B
(L)
3. S sup (
K
(
C
o
(S)).
Then
sup
(
L
(S) = | sup
(
L
i
(S
i
) sup
(
K
(R)
Proof. Given the third condition, we can construct an IDES model, o = (S, R), for
the specication S such that KR is controllable with respect to K, and R is prex
closed. Based on the above assumption we can make the following deductions.
sup
(
L
(S) = sup
(
L
(
iI
P
1
i
S
i
R)
=
iI
sup (
L
(P
1
i
S
i
P
1
i
L
i
L) sup (
L
(R K)
=
iI
_
sup (
L
(P
1
i
S
i
P
1
i
L
i
) L
_
sup (
L
(R K)
=
iI
_
sup (
P
1
i
L
i
(P
1
i
S
i
P
1
i
L
i
) L
_
sup (
K
(R K)
=
iI
sup (
P
1
i
L
i
(P
1
i
S
i
P
1
i
L
i
) sup
(
K
(R) L
=
iI
P
1
i
sup (
L
i
(S
i
L
i
) sup
(
K
(R) L
=
iI
P
1
i
sup
(
L
i
(S
i
) sup
(
K
(R) L
Clearly, for all i I we have sup
(
L
i
(S
i
) L
i
also we have sup
(
K
(R) R, hence
iI
P
1
i
sup
(
L
i
(S
i
) sup
(
K
(R)
iI
P
1
i
L
i
R = L
This completes the proof.
The eciency of the solution for this problem depends, among other factors, on
the interaction language of the system, as well as that of the specication. Roughly
157
speaking, the chance of nding an optimal IDES supervisor increases by restricting
the interaction language of the system and relaxing that of the specication.
Example 6.2. The system in this example consists of two processes with synchro-
nization mechanism to allow certain forms of coordination using two shared events
x, y. The system is initially arranged such as the two processes are working in parallel.
The STD of the system is shown below.
op1a op2a
Process A
fa2 fa1
op3a
r3a
x x
ma
op1b op2b
r1b r2b
Process B
op3b
r3b
r4b
op4b
x
mb
r1a r2a
fb1 fb2
op4a
r4a
U V
The specication of the system is shown in the gure below. The specication S is
converted to the shown IDES structure o = (P
(S),
C
o
(S)).
Spec A Spec B
op2a
op1a
r2b
op1b
op2a,r2b
op2a,op1b
op2a,r2b
op1a,r2b
op2a
op1a
r2b
op1b
op1a r2b
op1b op2a
C
o
(S)
Specication S
(seloops of remining events are not shown)
158
It is clear that the specication S is not controllable with respect to the interaction
language of the system K =
. However,
C
o
(S)) =
C
o
159
The conditions for the optimality of IDES supervision, as given in the above
Proposition, are related to the system, the specication, and the structure and the
control characteristics of the process space. However, if the optimality of the IDES
supervision is not required, some or all of these conditions can be relaxed. To this
end, an IDES supervision is said to be valid if it can restrict the system behaviour to
the given specication. Formally, this can be described by the following condition:
| sup
(
L
i
(S
i
) sup
(
K
(R)
(
L
(S)
That is, a valid IDES supervisor corresponds to a (at) supervisor (not necessarily
optimal) for the overall system.
Theorem 6.2. Let L(L, K) and o = (S, R) be two interacting discrete event systems
over a process space with L = L(L) and S = L(o). Then | sup
(
L
i
(S
i
) sup
(
K
(R)
is a valid supervisor for L with respect to S.
Proof. We only need to show that
| sup
(
L
i
(S
i
) sup
(
K
(R) (
L
(S L)
Based on the proof of the previous lemmas, we have
sup
(
K
(R) (
L
(R K) (Proof of Lemma 6.6)
sup
(
P
1
i
L
i
(P
1
i
S
i
) (
L
(P
1
i
S
i
P
1
i
L
i
) (Proof of Lemma 6.5)
Therefore we can write
iI
sup
(
P
1
i
L
i
(P
1
i
S
i
) sup
(
K
(R)
iI
(
L
(P
1
i
S
i
P
1
i
L
i
) (
L
(R K)
(
L
(
iI
_
P
1
i
S
i
P
1
i
L
i
_
(R K))
(
L
(L S)
This shows that every IDES supervisor is a valid supervisor for the system. The
160
extent of how close this IDES supervisor is to an optimal supervisor cannot be known
in advance. Based on the given conditions, in general, a better solution is more likely
for loosely coupled systems than for tightly coupled ones.
The established conditions for optimal IDES supervision are not mutually depen-
dent. This allows dierent possibilities for adjusting the system and its model. For
instance, the condition that requires shared events to be controllable may require
changing the process space structure. The other conditions involve mainly the inter-
action specications of the system and the specication. This adds other possibilities
for adjustments as interaction specications are not unique.
161
Chapter 7
Conclusions
7.1 Summary
In this thesis we investigated the relation between the behaviour and the structure
of interacting multiprocess discrete event systems. In the light of these investigations
we proposed an approach to modelling and analysis of a general class of multiprocess
discrete event systems with well-dened interaction specication. The framework is
based on elementary notions of formal languages and automata. One of the main
objectives of this thesis is to provide the formal basis and the theoretical foundation
for integrating the information about the components interaction in the modelling and
analysis process. As shown in the thesis, such integration can be a key for modular and
ecient behavioural analysis in the complex environment of multiprocess systems.
The relation between the model and the system behaviour is crucial to the analysis
in multiprocess environment. In the IDES framework this relation is founded on the
reversibility of the composition (synchronous product) and decomposition (vector
projection) operations. This reversibility is established based on the compactness
property and the compensation concept. Compensation can be used to convert any
given language to an IDES structure, while a generalized composition operation can
be used to obtain the language generated by a given IDES structure. This reversibility
162
is an essential element of the analysis approaches presented in this thesis.
In the thesis, we investigated the verication and supervisory control problem
within the IDES framework. We proposed several approaches for solving these prob-
lems while avoiding the direct computation of the synchronous product of the system
components. Also, conditions have been established for modular solution for the ver-
ication and supervisory synthesis problems. The established conditions emphasize
the importance of the coupling between the system components on the eciency of
the analysis procedures.
7.2 Future Research
The proposed IDES framework was intended to be a general one. In this thesis,
many important aspects on behavioural analysis of multiprocess systems have been
addressed. However, much research remains to be done to address other important
issues.
Real time systems
The IDES model can easily be extended to represent real time specications. The
extension of the analysis procedures needs more eort. This is due to the special
characteristics of the timing information that requires special treatment. However,
many analytical results in this direction can be obtained by extending the results in
this thesis using the already established results for the verication and supervisory
control of real-time systems.
Multilevel systems
The extension of the IDES framework to multilevel systems in this thesis has consid-
ered only the modelling aspects of the framework. There are many analytical issues
to be addressed for multilevel hierarchical systems. The multilevel structure of the
163
system can be incorporated and utilized in the analysis process.
Blocking issue
Blocking is one of the major problems in the IDES framework. Further research is
needed to address this problem for interacting multiprocess systems. This includes the
incorporation of dierent techniques to limit the search domain. Iterative techniques
such as the one discussed for the verication problem may be useful to detect blocking
situations in multiprocess systems eciently.
Software Implementation
A software implementation of the IDES modelling and analysis framework would
require special arrangement in the input interface to incorporate the interaction spec-
ication and the process space structure (alphabet vector) together with the corre-
sponding operations (composition, decomposition, abstractions, ... etc.). The veri-
cation and supervisory control procedures described in this thesis can be directly
translated into software functions. Such software tool is essential to bring the result
of this thesis to potential non-specialist users.
164
Appendix A
Decomposition and Modularity in
Process Space
In this section, we consider a general denition of decomposability in process space
that takes into account the interaction between the system components. One expected
outcome of utilizing this dimension is to extend the domain of specications that can
be veried modularly. We also investigate the case when the interaction specication
can guarantee a modular verication for any given specication.
A.1 Decomposition and Modularity
Let be an alphabet vector with index set I and let K L() be a language. A
language H
(P
(H), K)
That is, H is (, K)-decomposable if it can be constructed from its vector projection
and the language K. The set of (, K)-decomposable languages is not closed under
union. However, it can be shown easily that it is closed under intersection.
165
A language H is said to be (, K)-semidecomposable if H can be written as a
nite union of a set of (, K)-decomposable languages. Hence, by denition a K-
decomposable language is also K-semidecomposable. A interaction language K is
said to be modular if any sublanguage of K is (, K)-decomposable. Formally, K is
modular if
(H K) H = B
(P
(H), K)
A interaction language K is said to be semimodular if any regular sublanguage of K
is (, K)-semidecomposable. Clearly, from the above denition, if K is semimodular
then it is modular. Let H be a regular sublanguage of K. Dene the set of (, K)-
decomposable sublanguages of H as follows
D
K
(H) = F H [ F = B
(P
(F), K)
We will write
D
K
(P
,
x X
+
and v V
, v
1
, v
2
V
, and x X
+
. If s and t share the
same set of states in H then it must be that u
1
xv
2
and u
2
xv
1
are both in H, therefore,
B
(P
for
j [2, 4 . . . n]. Therefore, if s and t share the same set of states in H, then we can
exchange each u
i
with a
i
or v
j
with b
j
and the result string in either cases will be in
H. Therefore, in this case B
(P
= a
1
b
1
. . . a
n
b
n
is also in H and it must be in the
set B
D
K
(H). Clearly s, t
(P
must have at least one state not in common and so are s and t.
Therefore, any sublanguage of any of the above interaction schemes can be repre-
sented as a nite union of a set of maximal decomposable sublanguages.
Example A.1. Let = (a, b, x, y), (c, d, x, y). The catenation composition base
for this process space is K = (a, b)
(c, d)
D
K
(H)
d
d
a
a
b
a
b
c
c
168
The complexity of the above approach depends on the number of maximal (, K)-
decomposable sublanguages in the specications. Clearly, the above proposition will
be more useful if an ecient algorithm is found to decompose any sublanguage of a
modular interaction language into a nite set of (, K)-decomposable languages.
A.2 Deterministic Interaction Specications
In this section, an attempt is made to characterize semimodular interaction specica-
tions. An interaction language K is said to be deterministic if the restriction of the
composition of any string vector in the domain P
(K)) [ B
(s, K) [ 1
Roughly speaking, the determinism property reects the unambiguity of the compo-
nents interaction. That is, each sequence of events in the system components con-
tributes a unique sequence of events (possibly none) in the overall system behaviour.
Note the duality of determinism and the completeness property (completeness re-
quires that [ B
(K)). Clearly,
when K is both deterministic and complete, then we have [ B
(K) _ P
L implies
that s E P
(s, K) [ [ B
(s, K) [ 1.
2. Let s E P
(K
1
K
2
). Then s E P
(K
1
) and s P
(K
2
). Hence [ B
(s, K
1
) [ 1
and [ B
(s, K
2
) [ 1. Also we have B
(s, (K
1
K
2
)) = B
(s, K
1
) B
(s, K
2
). Then
it must be that [ B
(s, (K
1
K
2
)) [ 1.
3. Let s E P
(K
1
K
2
). Then B
(s, (K
1
K
2
)) = B
(s, K
1
) B
(s, K
2
). Therefore,
[B
(s, (K
1
K
2
))[ 1 except for the case when B
(s, K
1
) and B
(s, K
2
) are both non
empty and not equal. In this case let t
1
= B
(s, K
1
) and t
2
= B
(s, K
2
). Clearly, this
implies that t
1
K
1
, t
2
K
2
, and P
i
t
1
= P
i
s = P
i
t
2
for all i I. This contradicts
the initial assumption that there exists some i I where P
i
K
1
P
i
K
2
= . Therefore,
K
1
K
2
must be deterministic.
4. Similar to the previous case. We must have P
s
t
1
= P
s
s = P
s
t
2
. This contradicts
the assumption that P
s
K
1
P
s
K
2
= .
From the third part of the above proposition we can conclude that the interac-
tion language of catenation is deterministic. This is based on the fact that any two
strings in this layout do not share the same vector projection. Similarly we can see
that synchronous catenation is deterministic. The same argument applies for the
interleaving layout. From, the third and fourth parts we can conclude that the in-
teraction language of renements is deterministic. From the rst part we can state
that any sublanguage of a deterministic interaction language is also deterministic.
Therefore, the procedure to obtain the optimal non-blocking compensator preservers
the determinism property.
170
The nite union of a set of deterministic interaction languages is of special impor-
tance to the topic of this section and we will refer to such union as a semideterministic
interaction language. The two-way interleaving interaction is an example of this class.
Theorem A.1.
K is semimodular = K is semideterministic
Proof. We only need to show that if K is modular, then it is deterministic. Let K be a
modular language. Now assume that B
(P
(P
(P
(t), K) = t. So it
must be that [B
(P
(H)
is nite for any regular H K.
171
Appendix B
Supervisory Control of Structured
IDES
The condition in Theorem 6.1 ensures the optimality of the interaction specication
supervision. The following result shows that there is another way to achieve this.
Proposition B.1.
(R L()) sup
(
L
(R) = sup
(
K
(R) L is controllable with respect to K
Proof. () Assume that sup (
L
(R L) = sup (
K
(R K) for any R
. Let R = L
then we got sup (
K
(L K) = sup (
L
(L), hence, as L K we get sup (
K
(L) = L,
therefore L is controllable with respect to K.
() We already showed that sup (
K
(R K) sup (
L
(R K) in the proof of Propo-
sition 6.6. For the other direction let H
be a language, then
H (
L
(R K) = H
u
L H
= H
u
(L
u
K) H L (L
u
K L)
= (H L)
u
K H L (L = L)
= H L (
K
(R K)
172
Therefore, combining all the results above we get
sup (
L
(R K) L sup (
K
(R K) sup (
L
(R K)
However, given that any language H such that H L = is controllable with re-
spect to L trivially, then with little eort it can be seen that sup (
L
(R K) L =
sup (
L
(R K). Adding this to the above line, and given that L K, then we get
sup (
L
(R L) = sup (
K
(R K).
The main concern regarding the above result is how to check that L is controllable
with respect to K eciently without resorting to the computation of synchronous
product of the system components. More important, is how to adjust K if needed
such that L can be controllable with respect to K. As discussed earlier, in some
situations the system can be described by a structured IDES model where the system
interaction specication is associated with its behaviour through a known monotonic
map. In this situation, the system can be described by the model L = (L, K, G)
where K = G(B
(L)). Given this setting, the question here is how to test that L
is controllable with respect to G(L) locally by dealing with the system components
individually. This can be achieved by testing the relation between the controllability
of the system and the controllability of its components under the given abstraction
map. The blocking issue will not be considered here, therefore, all relevant languages
are assumed prex closed and the map G is assumed prex preserving.
Proposition B.2. Let G : L() L() be a -abstraction map then
(i I) L
i
is controllable w.r.t G(L
i
) = L is controllable w.r.t G(L)
173
Proof.
(i I) L
i
ui
G(L
i
) L
i
= (i I) L
i
ui
G(L
i
) L
i
= (i I) P
1
i
_
L
i
ui
G(L
i
)
_
P
1
i
L
i
= (i I) P
1
i
L
i
P
1
i
ui
P
1
i
G(L
i
) P
1
i
L
i
= (i I) P
1
i
L
i
u
G(P
1
i
L
i
) P
1
i
L
i
(G P
1
P
1
i
G)
=
iI
P
1
i
L
i
u
G
_
iI
P
1
i
L
i
_
iI
P
1
i
L
i
=
iI
P
1
i
L
i
u
G(L)
iI
P
1
i
L
i
G(L)
=
iI
P
1
i
L
i
u
G(L)
u
G(L)
iI
P
1
i
L
i
G(L)
= L
u
G(L) L
The condition above does not depend on the control structure of the underlying
process space. However, the situation is dierent in the reverse direction as shown
the next proposition.
Proposition B.3. Let G : L() L() be a -abstraction map. Assume that
s
c
and G(L) is complete. Then
L is controllable w.r.t G(L) = (i I) L
i
is controllable w.r.t G(L
i
)
Proof. As L is controllable with respect G(L), then L
u
G(L) L. Now, assume
there exists
u
and a string s
such that s P
1
i
P
i
G(L) and s , G(L).
Based on the completeness of G(L), we can state that
s P
1
i
P
i
G(L) and s , G(L) = (j I) s , P
1
j
P
j
G(L)
However, if s G(L), then s(
j
)
P
1
j
P
j
G(L). Given also that shared events
are controllable then, it must be that (
j
i
), or in general (
i
). Hence
174
we can state that for an string s G(L)
( (
u
i
)) s P
1
i
P
i
G(L) = s G(L)
Therefore for any language T G(L), we have T(
u
i
)P
1
i
P
i
G(L) T
u
G(L).
Based on that we can write
L
u
G(L) = L (
u
i
) P
1
i
P
i
G(L) L
= P
i
(L
ui
P
1
i
G(P
i
L)) P
i
L (P
i
G = G P
i
)
= P
i
L
ui
G(P
i
L)) P
i
L
= L
i
ui
G(L
i
) L
i
(G is complete)
This completes the proof.
Next we present the main theorem in this section showing the conditions to test
the controllability of the overall system behaviour w.r.t its interaction specication
locally. Note that abstraction map G is assumed prex preserving in the setting of
the problem.
Theorem B.1. Let L = (L, K, G) be a structured IDES over a process space with
L = B
(L), and
s
c
. Assume that K is complete. Then
(i I) L
i
is controllable w.r.t G(L
i
) L is controllable w.r.t K
The above results can be used to adjust the abstraction map G (locally) so that
K is controllable w.r.t L. It is important to note the dierence between this approach
and the approach adopted in the previous section. In this approach, we are looking
for an interaction specication K for the system L such that L is controllable with
175
respect to K. Once this K is found, it can be used with any specication. In contrast,
the conditions given in the previous section are specic to the given specication.
176
Bibliography
[AL91] M. Abadi and L. Lamport. The existence of renement mappings. Theo-
retical Computer Science, 82:253284, 1991.
[Als96] N. Alsop. Formal Techniques for the Procedural Control of Industrial Pro-
cesses. PhD thesis, Center for Process Systems Engineering, Imperial Col-
lege London, 1996.
[Ber79] J. Berstel. Transductions and Context Free Languages. Teubner, Stuttgart,
1979.
[BH93] Y. Brave and M. Heymann. Control of discrete event systems modeled as
hierarchical state machines. IEEE Trans. Autom. Control, 38(12):1803
1819, December 1993.
[BSV93] F. Balarin and A. Sangiovanni-Vincentelli. An iterative approach to lan-
guage containment. In Lecture Notes in Computer Science, volume 697,
pages 2940. Springer, Berlin, 1993.
[CH74] R. H. Campell and A. N. Habermann. The specication of process syn-
chronization by path expressions. In Lecture Notes in Computer Science,
volume 16, pages 89102. Springer, Berlin, 1974.
[CW95] P. E. Caines and Y.-J. Wei. On dynamically consistent hybrid systems.
Lecture Notes in Computer Science, 999:8691, 1995.
177
[Dil88] D. L. Dill. Trace Theory for Automatic Hierarchical Verication of Speed-
Independent Circuits. The MIT Press, 1988. An ACM Distinguished Dis-
sertation.
[GJ79] M.R. Garey and D.S. Johnson. Computers and Intractability: A Guide to
the Theory of NP Completeness. W.H. Freeman and Company, New York,
1979.
[GL81] H. J. Genrich and K. Lautenbach. System modeling with high-level petri
nets. Theoretical Computer Science, 13(1):109136, January 1981.
[God94] P. Godefroid. Partial Order Methods for the Verication of Concurrent Sys-
tems: An Approach to the State Explosion Problem. PhD thesis, University
de Liege, 1994.
[Har87] D. Harel. Statecharts: A visual formalism for complex systems. Science of
Computer Programming, 8(3):231274, 1987.
[HU79] J.E. Hopcroft and J.D. Ullman. Introduction to Automata Theory, Lan-
guages, and Computation. Addison-Wesley, Reading, MA, USA, 1979.
[Jen87] K. Jensen. Coloured petri nets. In W. Brauer, W. Reisig, and G. Rozenberg,
editors, Petri Nets: Central Models and Their Properties, Advances in Petri
Nets 1986, LNCS 254, pages 248299. Springer-Verlag, 1987.
[JL92] R. Janicki and P. E. Lauer. Specication and Analysis of Concurrent Sys-
tems, The COSY Approach. EATCS Monographs on Theoretical Computer
science. Springer, Berlin, 1992.
[KK97] N. W. Keesmaat and H. C. M. Kleijn. Restrictions and representations
of vector controlled concurrent system behaviours. Theoretical Computer
Science, 179:61102, 1997.
[Koz94] P. Koz ak. Dealing with complexity in the discrete event system control
methods. In Proc. of the IEEE European Workshop on Computer-Intensive
178
Methods in Control and Signal Processing, pages 229236, Prague, Czech
Republic, September 1994.
[Kur94] R. P. Kurshan. Computer-Aided Verication of Coordinating Processes.
Princeton University Press, Princeton, New Jersey, 1994.
[LPM96] H. Liu, J. Park, and R. E. Miller. On hybrid synthesis for hierarchical
structured petri nets. Technical Report CS-TR-3628, Dept. of Computer
Science, Univ. of Maryland, College Park, Maryland, USA, April 1996.
[LW90] F. Lin and W.M. Wonham. Decentralized control and coordination of dis-
crete event systems with partial observation. IEEE Trans. Autom. Control,
35(12):13301337, 1990.
[MB88] S. MacLane and G. Birkho. Algebra. Chelsea, New York, 1988.
[McD89] C. E. McDowell. A practical algorithm for static analysis of parallel algo-
rithms. Journal of Parallel and Distributed Processing, 6(3):515536, June
1989.
[Mil80] R. Milner. A Calculus of Communicating Systems, volume 92 of Lecture
Notes in Computer Science. Springer-Verlag, 1980.
[MRS96] A. Mateescu, G. Rozenberg, and A. Salomaa. Shue on trajectories: Syn-
tactic constraints. Technical Report 41, Turku Centre for Computer Science,
1996.
[Pet62] C.A. Petri. Kommunikation mit Automaten. PhD thesis, Univ. Bonn, West
Germany, 1962.
[RS97] G. Rozenberg and A. Salomaa. Handbook of Formal Language. Springer-
Verlag, Berlin Heidelberg, 1997.
[Rud92] K. Rudie. Decentralized Control of Discrete Event Systems. PhD thesis,
University of Toronto, 1992.
179
[RW87] P.J. Ramadge and W.M. Wonham. Supervisory control of a class of discrete-
event systems. SIAM Journal on Control and Optimization, 25:206230,
1987.
[Sch92] B. Schwartz. State aggregation of controlled discrete-event systems. Mas-
ters thesis, Dept. of Elec. Eng., Univ. of Toronto, Canada, October 1992.
[Shi79] M. W. Shields. Adequate path expressions. In Lecture Notes in Computer
Science, volume 70, pages 249265. Springer, Berlin, 1979.
[Shi97] M. W. Shields. Semantics of Parallelism: Non-Interleaving Representation
of Behaviour. Springer-Verlag, London, 1997.
[Wan95] B. Wang. Top-down design for RW supervisory control theory. Masters
thesis, Dept. of Elec. Eng., Univ. of Toronto, Canada, 1995.
[Wec92] W. Wechler. Universal Algebra for Computer Scientists, volume 25 of
EATCS Monograms on Theoretical Computer Science. Springer-Verlag,
New York, 1992.
[WH91] Y. Willner and M. Heymann. Supervisory control of concurrent discrete
event systems. Int. Journal of Control, 54(5):11431169, 1991.
[Won01] W.M. Wonham. Notes on control of discrete-event systems. Lecture notes,
Department of Electrical Engineering, University of Toronto, Toronto, Ont.,
2001.
[WR88] W.M. Wonham and P.J. Ramadge. Modular supervisory control of discrete
event systems. Mathematics of Control, Signals and Systems, 1(1):1330,
1988.
[ZW90] H. Zhong and W.M. Wonham. On the consistency of hierarchical supervi-
sion in discrete-event systems. IEEE Trans. Autom. Control, 35(10):1125
1134, October 1990.
180