INTERACTING DISCRETE EVENT SYSTEMS:

MODELLING, VERIFICATION, AND

SUPERVISORY CONTROL
by
Sherif Salah Abdelwahed
A thesis submitted in conformity with the requirements
for the Degree of Doctor of Philosophy
Department of Electrical and Computer Engineering
University of Toronto
c _ Copyright by Sherif Salah Abdelwahed 2002
For my parents
ii
INTERACTING DISCRETE EVENT SYSTEMS:
MODELLING, VERIFICATION, AND SUPERVISORY CONTROL
A thesis submitted in conformity with the requirements
for the Degree of Doctor of Philosophy
Graduate Department of Electrical and Computer Engineering
University of Toronto
c _ Copyright by Sherif Salah Abdelwahed, 2002
Abstract
Within the formal language and automata settings, a modelling and analysis
paradigm for multiprocess discrete event systems is proposed. The modelling struc-
ture, referred to as one of interacting discrete event systems (IDES), features explicit
representation of the system components. In addition, dierent forms of interactions
between the components can be directly represented - as interaction specication -
in the modelling structure. A multilevel extension to the model is introduced. The
composition and decomposition operations for multiprocess systems are extended for
the IDES model to incorporate the interaction specication.
Several approaches are presented for verifying interacting discrete event systems.
The proposed approaches do not require the computation of the synchronous prod-
uct of the system components, and therefore avoid a major bottleneck in this class
of problems. In one approach, the system is veried for internal correctness (non-
blocking) by rst detecting potential synchronization conicts and then checking the
reachability of the underlying states. External verication with respect to a given
specication is also investigated. In certain situations, the interaction information
can be used to solve the external verication problem modularly by converting the
problem into an equivalent set of verication tests addressing the system components
individually. In case the interaction specication does not provide enough informa-
tion to verify the system modularly, an iterative procedure is presented to rene the
interaction specication gradually until a solution is found.
iii
The supervisory control problem is then investigated within the IDES setting.
Two ecient procedures are presented for optimal non-blocking supervisory synthe-
sis for multiprocess systems. In these procedures, the composition of the system
components is avoided by exploring only the common traces between the system and
the specication. The general case of IDES supervision is then investigated. It is
shown that under certain conditions depending on the structure of the system and
the given specication, optimal supervision can be achieved and implemented modu-
larly, that is, using local supervisors for the components and a high-level supervisor
for the interaction specication.
iv
Acknowledgements
I would like to express my gratitude to all those who helped make this work
a reality. In particular, I would like to thank my supervisor Professor W. Murray
Wonham for his support and guidance. I am also grateful for his assistance and
advice during the nal preparation of the manuscript.
The System Control Group of the Electrical and Computer Engineering Depart-
ment has provided a stimulating research environment. In particular, I would like
to thank Ryan Leduc, Qian Ken Pu, and Su Rong for the friendly and informed
discussions.
Financial support from Connaught fellowship, Ontario Graduate Scholarship, and
the University of Toronto Doctoral Fellowship is gratefully acknowledged.
Special thanks go to my family for their patience and support. For my parents,
there are no words that will suce to thank them. I would have never come so far
without their unconditional support and love.
v
Contents
1 Introduction 1
1.1 Systems and architecture . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Hierarchical architecture . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 Discrete event systems . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.4 Related work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.5 Contribution and outline of the thesis . . . . . . . . . . . . . . . . . . 12
2 Mathematical Preliminaries 17
2.1 Algebraic structures . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.2 Formal languages and automata . . . . . . . . . . . . . . . . . . . . . 20
2.3 DES controllability and supervision . . . . . . . . . . . . . . . . . . . 24
3 Interacting Discrete Event Systems 27
3.1 Preliminaries and notations . . . . . . . . . . . . . . . . . . . . . . . 29
3.2 Behaviour analysis in process space . . . . . . . . . . . . . . . . . . . 30
3.3 Compact language vectors . . . . . . . . . . . . . . . . . . . . . . . . 34
3.4 Language compensation in process space . . . . . . . . . . . . . . . . 38
3.5 Interacting discrete event systems . . . . . . . . . . . . . . . . . . . . 42
3.6 Modelling multiprocess systems . . . . . . . . . . . . . . . . . . . . . 44
3.7 Abstract architectural specication . . . . . . . . . . . . . . . . . . . 47
3.8 Multilevel Interaction Structures . . . . . . . . . . . . . . . . . . . . . 57
3.8.1 System Tree Diagram . . . . . . . . . . . . . . . . . . . . . . . 66
3.8.2 Multilevel Decomposition . . . . . . . . . . . . . . . . . . . . 69
vi
4 Behavioural Aspects of Interacting Discrete Event Systems 71
4.1 Abstraction in process spaces . . . . . . . . . . . . . . . . . . . . . . 73
4.1.1 Automaton-based abstraction . . . . . . . . . . . . . . . . . . 74
4.1.2 Language-based abstraction . . . . . . . . . . . . . . . . . . . 79
4.1.3 Abstraction of interacting discrete event systems . . . . . . . . 89
4.2 Compact interacting discrete event systems . . . . . . . . . . . . . . . 93
4.3 Complete interaction specications . . . . . . . . . . . . . . . . . . . 96
5 Interacting Discrete Event Systems: Verication 101
5.1 Blocking in process space . . . . . . . . . . . . . . . . . . . . . . . . . 103
5.1.1 Deadlock detection in multiprocess systems . . . . . . . . . . . 105
5.1.2 Livelock detection in multiprocess systems . . . . . . . . . . . 111
5.1.3 Nonblocking interaction specications . . . . . . . . . . . . . . 122
5.2 Verication of IDES . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
5.3 Iterative verication in process space . . . . . . . . . . . . . . . . . . 134
6 Interacting Discrete Event Systems: Supervisory Control 143
6.1 Supervisory control of multiprocess systems . . . . . . . . . . . . . . 144
6.1.1 Direct synchronization approach . . . . . . . . . . . . . . . . . 145
6.1.2 Detect-rst approach . . . . . . . . . . . . . . . . . . . . . . . 148
6.2 Supervisory control of IDES . . . . . . . . . . . . . . . . . . . . . . . 149
7 Conclusions 162
7.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
7.2 Future Research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
A Decomposition and Modularity in Process Space 165
A.1 Decomposition and Modularity . . . . . . . . . . . . . . . . . . . . . 165
A.2 Deterministic Interaction Specications . . . . . . . . . . . . . . . . . 169
B Supervisory Control of Structured IDES 172
vii
List of Symbols
The following is a list of key symbols in the thesis and the corresponding page
numbers where they rst appear.
Symbol Page Description
g f 18 Composition of the functions f and g
L() 21 Set of all languages over
(L) 21 Alphabet of the language L
L 21 Prex closure of the language L
Elig 21 Eligible events function

s
29 Shared events in the process space
L() 30 Set of all language vectors in
E , _ 30 Componentwise membership and containment
., 30 Componentwise union and intersection
B

30 Composition operation in the process space

P

31 Vector projection map in the process space

L
c
() 30 Set of all compact language vectors in
C

(L) 39 Set of -compensators for L

(L) 40 Supremal -compensator for L

I() 42 Set of all IDES in
T

43 Generalized decomposition operation in

c

48 Index equivalence relation generated by

[]

49 Coset of the index equivalence realtion containing

F

49 Natural abstraction map

Y() 49 Set of layouts in the process space
K

62 Interaction language generated by the structure

I
c
() 94 Set of all compact IDES in
C
o

(L) 122 Set of nonblocking compensators for L

C
o

(L) 122 Supremal nonblocking compensator for L

viii
List of Denitions
The following is a list of the main denitions used in the thesis and the corre-
sponding page numbers where they are dened.
Denition Page
process space 29
(in)composable string vector 30
compact language vector 34
(-)decomposable language 38
interacting discrete event system (IDES) 42
(abstract) layout 49
natural abstraction map 49
(in)direct abstraction 77
-abstraction map 80
-abstraction map 81
composition invariant map 84
structured interacting discrete event system (SIDES) 91
compact interacting discrete event system 94
complete (interaction) language 96
blocked system 103
live language vector 103
deadlock/livelock state 104
clique vector 114
reachable/terminal/marked clique module 115
live interacting discrete event system 122
modular supervision 149
ix
x
Chapter 1
Introduction
1.1 Systems and architecture
Technological and economical advances of the twentieth century have created a new
class of articial systems of unprecedented complexity.
1
Consequently, the issue of
systems complexity attracted the attention of the research community in many dis-
ciplines including engineering, economics, politics, sociology and biology. While the
context of the complexity problem may vary substantially depending on the physical
attributes of the system and the scope of analysis, the objective is generally the same,
namely to nd a way to contain the complexity of the system in order to bring the
analysis procedures into feasibility.
It is well observed that contemporary real-life systems, in spite of their apparent
complexity, tend to be organized in one way or another, mainly due to the physical
constraints on the design and development process. Many practical systems can
be viewed as a set of interacting subsystems or system components. Each of these
components performs certain tasks and interacts with other components in a specied
way to achieve a global objective. The composition of these subsystems is modelled
by relating the behaviour of the overall system to the behaviour of its individual
1
The term complex hereafter is being used in the usual sense to mean complicated, huge or both.
1
components. This relationship is dened by the way these components interact and
communicate which in turn denes what is known as the system architecture.
Systems architecture can be viewed as a specication for the system components.
Many practical complex systems can be represented as a set of components together
with an architectural specication that denes how these components interact. Archi-
tectural specication restricts the overall (composite) behaviour of the system compo-
nents to follow certain (high-level) patterns.
2
In practice, the identities of the system
components are usually given at the outset. Alternatively, in certain situations, they
might be identied through given decomposition procedures. Architectural specica-
tions are usually dened at the initial stage of the design and may be rened in the
analysis process.
1.2 Hierarchical architecture
In the context of complex systems analysis, architectural information (specication)
is viewed as an indispensable part of the system model. This information provides the
main support for encapsulation and abstraction of the system behaviour, ultimately
paving the way to contain the complexity of its model. In this regard, hierarchy is
known as the most common architectural scheme supporting this purpose.
In a hierarchically organized system, basic components are connected (interacting)
in a distributed multilevel way. The system components are grouped in a set of disjoint
modules; each contains a set of components interacting in a specied way. Each
module has its own independent architectural specication. These modules form the
components of the next level in the system organization. The process of clustering
components into modules and abstracting modules into higher-level components is
repeated until the highest level of abstraction is reached at which point the interaction
between all the system components is completely specied.
2
Architectural restrictions can be viewed as a high-level controller that controls the external
arrangements of the components rather than their internal behaviour.
2
Based on this description, hierarchical architecture can be regarded as an ordered
set of abstract constraints on the system, usually implemented by a multi-level de-
centralized control structure. By distributing architectural constraints on dierent
levels, the hierarchical scheme allows a set of limited capacity components to han-
dle complex tasks in a stable and manageable way. This scheme provides the basic
support for the decentralized approach to system analysis where, in some situations,
certain procedures involving the overall system can be translated into an equivalent
set of procedures involving the system components individually.
The eciency of a hierarchical structure is directly related to its ability to repre-
sent the coupling between the system components correctly. The process of clustering
components into modules should match the physical coupling between these compo-
nents. Naturally, and otherwise ideally, hierarchical systems are organized such that
the coupling (interaction) between the components in a given module is stronger
than that between components from dierent modules. This rule holds for all the
dierent levels of the hierarchy. Not surprisingly, this natural form of interaction is
an ecient one. In fact, the contrast between strong coupling inside each module and
weak coupling between modules characterizes the eciency of a hierarchical struc-
ture. Capturing such requirement in the design of an articial system and carrying it
through into its model depends largely on the physical attributes of the system, the
design process, and the perceptions of the human modeler about the system and its
environment.
1.3 Discrete event systems
A discrete event system (DES) is a dynamic system with discrete time and state
space, event-driven or asynchronous and possibly nondeterministic. Examples of
discrete event systems include communication networks, database systems, trac
networks, digital circuits and manufacturing systems. In its basic form, a discrete
event system is described by a set of states, possible transitions between them, and
3
the associated events. In physical systems, events correspond to the actions that can
change the state of the system, that is, trigger a transition between states. This
form of description is usually based on internal observation of the system dynamics.
Alternatively, a discrete event system can be described by logical predicates over a
set of state variables. In this case, an event corresponds to a change to one or more
state variables and, consequently, results in a transition from one state to another. A
discrete event system can also be described externally through its observed behaviour.
This is represented formally by the set of all event sequences that generate state
transitions over time. These event sequences dene the language generated by the
system.
In general, behavioural properties of discrete event systems seem more intuitive to
represent and analyze in the formal language setting. This is based on the fact that
the behaviour of a given DES is dened as the language generated by its automaton
model. Therefore, theoretical developments in this thesis are mainly language-based.
However, we will use automaton-based analysis when it appears more appropriate for
the underlying case.
Practical discrete event systems are usually composed of a set of interacting com-
ponents or subsystems. The interaction scheme of the system components is usually
specied in one form or another and given as a part of the system description. In
general, the existence of certain interaction between the system components means
that the behaviour of each component of the system depends not only on its internal
structure but also on the behaviour of the other components. More precisely, the in-
teraction between the system components means that the set of eligible events at any
time in a given component depends not only on the current state of the component
but also on the current states of the other components. The eect of such interaction
is to limit the dynamics of each component. Therefore, from a behavioural point of
view, interaction between the system components can be considered as a restriction
on the overall (composite) system behaviour.
3
3
Roughly speaking, such interaction can also be viewed as a controller that forces the system to
4
In the absence of any interactions, the system components evolve concurrently
while synchronizing on shared events. This form of operation corresponds to the least
restrictive form of interaction (no-interaction). The overall behaviour of the system
in this case is given by the parallel composition
4
of the system components. In this
case the state space of the composite system is represented by the product of the state
space of the components. As a result, the state space of the composite system may
grow exponentially with the number of interacting components. This phenomenon is
commonly referred to as the state explosion problem. In this situation, even a modest
system can quickly scale beyond common computational facilities and the associated
model becomes intractable.
Clearly, parallel composition is not the only form of interaction in discrete event
systems. In general, system components may interact in a variety of ways in order
to conform to their organizational restrictions. Some of these interactions correspond
to common forms of physical arrangement and hence may be referred to as standard
interactions. For example, serial composition is a well-known form of interaction in
which the system components are arranged in a way such that they can complete their
tasks sequentially without interleaving. In this case, the state space of the composite
system grows polynomially with the number of interacting components. This is one
instance where architectural specication, in eect, reduces the complexity of the
model. In hierarchical discrete event systems, the overall interaction between the
system components is the composition of more than one form of interaction; all are
arranged in a scheme that matches the system hierarchy. In order to describe these
systems eciently, the underlying modelling paradigm should be able to express and
incorporate a wide range of interaction specications.
Practical discrete event systems are usually designed for computer controlled au-
tomatic operation. In this case, correct operation is imperative and may be critical.
Failure may result in nancial disaster, or physical and natural damages. One ap-
proach to avoid these problems is to prove formally the correctness of the system
operate within a desired region of the systems state-space.
4
In this thesis, we use the term parallel composition to denote the synchronous product operation.
5
operation by verifying that the system implementation meets a set of specications
that dene the correct behaviour of the system. This approach is usually referred to as
the formal verication approach. Given that the system is correctly modelled, design
bugs can be detected and removed before they percolate down to the implementation
phase. Many algorithms and tools have been developed recently to automate the
verication process. In many cases, these algorithms require exhaustive searching of
the state space of the system and hence may suer from the state explosion prob-
lem inherited from the model. Therefore, from a practical point of view, they are
computationally infeasible for realistic size systems.
Most discrete event systems exhibit control mechanisms through which certain
parts of the system behaviour can be modied. Based on the physical characteris-
tics of the system, events are regarded as either controllable - can be disabled by an
external agent - or uncontrollable - cannot be disabled and considered permanently
enabled. A control theory of a general class of discrete event systems was initiated and
pioneered by Ramadge and Wonham (RW) [RW87]. Control-theoretic concepts such
as controllability and observability have been introduced and formalized in the DES
setting. Supervisory synthesis procedures have been developed within this frame-
work that guarantee that the controlled system behaviour is contained in a given set
of specications. It is often possible to meet these specications optimally, that is, in
a minimally restrictive way. In the current state of RW framework, the specications
and the controllers must be represented as nite state structures. The eort of super-
visor synthesis given the plant and its specication is of polynomial order in the state
size of the associated models. However, in general when the system is formed from a
set of components this turns to grow exponentially with the number of components
and becomes intractable.
Analysis frameworks of discrete event systems deal with a mathematical represen-
tation of the system. In system analysis, it is often the case that the given represen-
tation of the system is the main cause of complexity. Straightforward transcriptions
of complex systems may lead to inecient representation while well-chosen transcrip-
6
tions could bring an ecient one. The eciency of the system representation can
be measured on one hand by the amount of information it reveals about the system
dynamics and, on the other hand, by how such information is organized to allow di-
rect access to relevant elements of the system structure in order to support modular
analysis. Consequently, an ecient representation for complex discrete event sys-
tems should include well-dened representations for the system components as well
as any interaction between these components. The nite state machine model does
not provide such representation and therefore is not suitable to represent complex
multiprocess system. A more structured formulation is needed in order to represent
the interaction dimension of the system structure and to integrate it into the analysis
procedures in a convenient and ecient way.
This thesis presents a new paradigm for modelling and analysis of multiprocess
discrete event systems that incorporates architectural information explicitly in the
modelling and analysis process. The proposed model supports standard forms of
interaction specication such as parallel, serial, renements, and interleaving compo-
sitions. The model can be extended to represent the common form of hierarchical
architecture. This research is motivated by, and directed to, practical system de-
velopment at the levels of modelling, design and analysis with special focus on the
verication and supervisory control problems.
1.4 Related work
This section provides a brief overview of related work on modelling and analysis
approaches for complex discrete event systems. We will focus mainly on those ap-
proaches that utilize and incorporate architectural properties of the system in the
modelling and analysis process, particularly in the verication and supervisory con-
trol problem. However, this review is not intended to be a comprehensive survey of
all relevant work.
Multiprocess discrete event systems have been the focus of extensive research re-
7
cently. As the number of applications mounts in many elds, particularly in engineer-
ing and computer science, so does the need to develop tools to ensure the correctness
and robustness of these systems and to modify their behaviour when needed in or-
der to cope with usual changes of requirements and tasks. Development of these
tools is usually based on concrete mathematical modelling paradigms that can ex-
press relevant aspects of the system dynamics. In [Shi97], several models for parallel
and concurrent logical systems are reviewed and compared. A general framework to
express parallelism in logical multiprocess systems is introduced through which the
relationship between these modelling formalisms is investigated.
The relation between the model and the observed behaviour of the system is cen-
tral to multiprocess system analysis. This relationship has been addressed recently
in formal language theory literature. The main aim of the encountered research is
to provide a formal representation of the eect of the interaction between the sys-
tem components on the overall system behaviour. In [KK97], the notion of vector
controlled concurrent systems was introduced as a behavioural model for concurrent
systems. In this approach the system is represented by a set of sequential processes
together with a vector synchronization mechanism controlling their mutual synchro-
nization. The idea originated from the theory of path expressions [CH74] and its
vector ring sequence semantics. The notion of vector ring sequences was also in-
troduced in [Shi79] as a semantic of COSY systems [JL92]. In another approach
[MRS96], the operation of shue on trajectories is introduced as a generalization of
the parallel composition of asynchronous systems. These works have been inuential
to the modelling paradigm proposed in this thesis.
Statecharts was proposed in [Har87] as a state-based language that extends con-
ventional state machines with structuring and communication mechanisms. These
mechanisms enable the description of large and complex systems in a more struc-
tured way. In Statecharts, the state-transition diagram is enriched with elements
dealing with notions of hierarchy and concurrency. Hierarchy is achieved by a tree-
like relation on the set of states. Parallelism is supported by a special graphical
8
convention that allows communication between parallel components. The proposed
modelling framework in this thesis supports a more general interaction scheme that
includes the AND/OR (parallel/ renement) scheme of Statecharts. In addition, in-
teraction information is utilized to enhance the verication and supervisory control
procedures for multiprocess systems.
The Petri nets model [Pet62] is yet another well-known paradigm for modelling and
analyzing concurrent systems. Petri nets are characterized by a graphical and precise
syntax and also by a long record of theoretical results and supporting tools. How-
ever, similar to state machines, ordinary Petri nets lack a hierarchical decomposition
mechanism and suer from the state explosion problem in its reachability graph. To
overcome these problems, high-level Petri nets [GL81] and coloured Petri nets [Jen87]
have been proposed. A hybrid technique for both top-down and bottom-up modelling
of Petri nets has been presented in [LPM96]. In the top-down approach the system
is decomposed into a set of subsystems at each level of abstraction. Interconnection
rules are then given for the bottom-up synthesis. However, these approaches also deal
with specic form of component interaction (that of renement) and are conned to
the modelling processes with little or no reection on the analysis procedures.
There are several remarkable approaches that utilize hierarchical and structured
modelling formalisms to improve the eciency of the verication procedures. In
[Dil88], a theory of automatic hierarchical verication of speed-independent digital
circuits has been developed. In this approach, the verication task is conducted re-
cursively through multiple applications of a special class of substitution and hiding
operations. In [Kur94], homomorphic reduction of coordination processes was used
to alleviate the complexity associated with the verication of multiprocess systems.
It also introduced a heuristic reduction technique based on task decomposition and
task localization. In the task decomposition process, the specication is decomposed
into a set of local properties, whereas in the task localization step the system model is
reduced to a set of equivalent models with respect to local tasks. In another approach
[AL91], renement maps were introduced to prove that lower level specications cor-
9
rectly implement higher level ones in hierarchical structures.
Iterative verication [BSV93, Kur94] is yet another ecient approach in which
approximation is used to provide a simplied representation of the system. This
simplied representation is then iteratively rened using heuristic methods until the
verication test is armed. In Chapter 5, we propose another variant of the iter-
ative verication algorithm that uses the interaction information in the new model
to implement a renement strategy that is more exible to adjust (and hence more
eective) than the localization strategy used in [BSV93, Kur94] which can only be
used to include or exclude an entire component of the system in the verication check.
Blocking is a major problem in multiprocess discrete event systems. Deadlock
blocking occurs when the system resources have been occupied in such a way that the
set of system components cannot continue their activities. Static reachability analysis
provides a method for automatically detecting blocking situations in multiprocess
systems. Its application in practice, however, is also limited by the state explosion
problem. State space reduction techniques try to avoid searching the entire state space
of the system by exploiting certain regularities in the system structure. Partial order
reduction [God94] is an instance of this approach in which the eect of representing
concurrency is alleviated with interleaving. This reduction technique is based on the
fact that blocking conditions depend only on the partial order of events rather than on
the particular sequence of these events. In another related approach, symmetry in the
system is traced back to its components and then exploited to reduce the complexity
of the reachability analysis [McD89].
Most blocking detection techniques deal only with the multiprocess systems with
parallel components. In this thesis we propose a new approach for blocking detection
in parallel multiprocess systems which can be particularly ecient for loosely cou-
pled systems (with few shared events). The proposed approach is then extended for
multiprocess systems with general interaction specications.
There is also a growing interest in dealing with the complexity issue in the su-
pervisory control eld [Koz94]. In the RW framework, architectural concepts such
10
as modular, decentralized and hierarchical control have been extensively investigated
[WR88, LW90, ZW90]. There have been several other approaches to incorporate ar-
chitectural information directly into the model and utilize it in the analysis process.
In [BH93] an ecient algorithm is developed for computing the reachability tree for a
restricted version of Statecharts. The algorithm is then used for supervisory control
synthesis in the RW framework. In [Sch92] a cellular DES model was presented in
which the system is viewed as a collection of interconnected DES cells each identi-
es a local subsystem. Controllability of the specication structure with respect to
the plant structure is investigated. Conditions for the consistency of the combined
control actions from the controller cells are given. In [Wan95], multiprocess DES are
represented as a set of holons that is mapped into a state tree with two types of
nodes representing the AND/OR expansion schemes. The map is dened such that
the construction, referred to as state tree structure (STS), can provide several levels
and modes of abstractions. Controllability in the STS setting is dened recursively.
An algorithm for designing STS controller for a given STS plant and a matching
specication is given. In another approach, dynamic consistency is introduced in
[CW95] as a constraint on a form of nite state machines abstraction. In [Als96]
procedural control for chemical process is examined. Modular supervisory techniques
are used to control systems of industrial scale, particularly by handling certain forms
of sequential and parallel compositions.
Supervisory control of concurrent discrete event systems is investigated in [WH91].
In this work an extension of the decentralized supervisory control [LW90] is proposed
and investigated. The notion of separability is introduced, and it is shown, under
given conditions, that separability is a necessary and sucient condition for optimal
decentralized control. Part of Chapter 6 in this thesis is a generalization of the re-
sults of this paper. Using the proposed model in this thesis, the decentralized control
scheme can be applied to a more general class of systems where the interaction be-
tween the system components is considered a variable in the model, allowing dierent
forms of interactions, rather than a xed one (parallel composition). Also, based on
the proposed model, the separability condition is dropped allowing the decentralized
11
control structure to be implemented for a more general class of specications.
1.5 Contribution and outline of the thesis
This thesis introduces a modelling and analysis framework for a general class of
multiprocess discrete event systems with well-dened interaction between the sys-
tem components. The proposed model structure, referred to as interacting discrete
event system (IDES), provides a concrete and separate representation for the system
components and their interaction specications. In this framework, components and
interactions are modelled and analyzed within the setting of automata and formal
language theory.
The main feature of the IDES framework is the incorporation of the interaction
specication of the system components as a dimension of the model structure. Inter-
action specication can be used as a representation of the system architecture. In the
reminder of this thesis we will use the term architectural specication to denote
those interaction specications that target the external organization of the system
components rather than their internal structures. In the IDES framework, standard
architectural specications as well as custom ones can be incorporated directly into
the modelling structure. Interaction specication in the IDES structure is directly
linked to the system behaviour. Consequently, the proposed framework provides a
new systematic way to explore the relation between the system architecture and its
behaviour.
The main objective of this thesis is to provide the formal settings and the theo-
retical foundation for:
modelling a general class of multiprocess discrete event systems with the sup-
port for representing general interaction specications, standard architectural
schemes, and multi-level hierarchical congurations,
exploring the relation between the system structure (components and interac-
12
tion specication) and its behaviour, and
utilizing structural information to enhance the analysis procedures for this class
of systems with particular emphasis on the verication and supervisory control
problems.
It is important to note that the problems targeted in this thesis can always be
solved directly through exhaustive search over the composite system. However, based
on the IDES modelling structure we implement two alternative (indirect) approaches
to solve these problems while avoiding the computation of the synchronous product
of the system components. The rst is to limit the reachability analysis to a region
in the state space that is directly related to the problem in hand. In this approach,
relevant parts of the state space are identied rst, then the reachability of these
parts is tested when needed. The worst case complexity of this approach is similar
to that of the direct computation. However, it is shown through some example that
signicant computational gain can be achieved in certain special cases.
The other approach is to solve the (verication or supervisory control) problem
modularly by translating the problem into an equivalent set of problems addressing
the system components individually. The advantage of this approach is mainly struc-
tural as it aims to localize the problem over the system structure. This localization is
of signicant importance to practical situations where the system is typically subject
to continuous changes and upgrades. Under the modular approach, we need only to
recompute the solution with respect to the changed components of the system rather
than the whole system as will be needed under the direct approach.
The thesis is organized as follows.
Chapter 2 presents basic mathematical concepts in algebra, formal languages,
and automata theory and other facts that will be used throughout the thesis. It also
contains a summary of the basic results of the RW theory.
The IDES model is dened over a formal notion of multiprocess environment re-
ferred to as process space. Chapter 3 introduces the basic elements of process space
13
and investigates its properties. In this environment basic elements and operations of
single process systems are extended to vector quantities. In this setting a multipro-
cess system is represented by a language vector. The association between the set of
language vectors and the set of languages is dened based on the composition and
decomposition operation. In the light of this association, the range of the decompo-
sition operation is extended in a way that allows every language to be decomposed
in a recoverable way. This is done by compensating for the information lost through
the projection operation.
The IDES model is then introduced as a natural extension of language vectors to
support the extended composition and decomposition operations. Interacting discrete
event systems are represented by a structure of two elements: a language vector
representing the basic components of the system and a language that species the
interaction between these components. The extended decomposition (projection)
operation can be used to decompose any given single process system into an IDES
structure that generates the same behaviour (language).
Architectural specications can be expressed conveniently in the IDES model.
Architectural specications are usually abstract in the sense that they address the
external organization of the system components. To represent this form of specica-
tions, an abstraction scheme referred to as the natural abstraction map is proposed.
This scheme preserves the structure of the process space while abstracting internal
details of the system components. Languages generated by this abstraction are re-
ferred to as layouts. Layouts are extension of the concept of trajectories presented in
[MRS96] and can be used to dene abstract architectural specication. Many stan-
dard forms of interactions such as serial and parallel compositions can be represented
as layouts in the IDES structure.
The IDES model can be extended to handle hierarchical systems. To this end,
interaction specication is extended to interaction structure. An interaction structure
is a set of interaction specications embedded in a tree that matches the organization
of the system. Such organization is modelled as a multi-level process space. It is
14
shown that multilevel interaction structures can always be transformed into a single
level interaction specication. This transformation can be done directly without
involving the system components. It is also shown that a single process system can
always be converted to a behaviourally equivalent multilevel IDES that matches a
given multilevel process space.
In chapter 4, abstraction of multiprocess DES is investigated. Abstraction is
essential to contain the complexity of multiprocess systems. In general, abstractions
are used to simplify the system model while preserving enough information to carry
out the required analysis. A class of abstraction schemes that maintain a well-dened
association between the system and its abstract representation is introduced. Such
association is important to adjust the abstraction in a way that reveals only the
needed information about the system behaviour. To ensure eectiveness, the given
abstraction schemes can be computed without the need to compute the composition
of the system components.
In Chapter 5, the verication problem is investigated within the IDES model set-
ting. Blocking detection in multiprocess DES, an internal verication problem, is
rst investigated. The detect-rst approach is proposed for this problem. In this
approach, potential blocking states are rst identied by examining shared eligible
events. Potential blocking states are then tested for their reachability. This approach
explores only those global states that are relevant to the blocking condition. Particu-
larly in loosely coupled systems where there are relatively few shared events compared
with local events, the saving oered by this approach can surpass its overhead and
the overall computation can be signicantly less than the direct procedure. This
approach is used for both deadlock and livelock detection.
A formula for computing the supremal non-blocking interaction specication for
a given IDES is presented. This supremal element generates the same behaviour
as the given IDES without blocking. Two approaches are presented for computing
this supremal element without computing the composition of the system components.
The rst approach traces the common behaviour of the system components and the
15
specication and removes blocked states as they are discovered. This approach can
be ecient for highly restricting specication where the state space of the composite
IDES system is much less than that of the composite system components. The other
approach is a slightly modied version of the detect-rst approach which targets the
case when the specication is highly-permissive.
Verifying the system against a set of external specications is then investigated.
It is shown that transforming the specication into an IDES structure can enhance
the chance of nding a modular solution to the verication problem. In general, it is
established that the system satisfy a given specication if IDES structure of the system
is included componentwise in the IDES of the specication. However, no conrmation
can be obtained otherwise. To deal with this case, a common iterative technique is
implemented to rene the interaction specication of the system gradually, using
abstraction, until an answer to the verication question is conrmed.
In Chapter 6 the supervisory control problem is investigated within the IDES
setting. Two procedures are presented to nd a maximally permissive non-blocking
supervisor for a given multiprocess DES. These procedures are adaptations of the ones
introduced in Chapter 5 to obtain the supremal non-blocking interaction specication
for a given IDES. Similar to the earlier developments, these approaches are particu-
larly useful for the cases of highly-restrictive and highly-permissive specication with
mostly controllable events.
Modular supervision of interaction discrete event systems is then investigated. It
is shown that under certain conditions related to the structure of process space, the
architecture of the system, and the given specication, an optimal supervisor can be
computed and implemented modularly. Another more exible set of conditions that is
independent of the specication is established for solution in a special class of IDES.
Conclusions and suggestions for future research are presented in Chapter 7.
16
Chapter 2
Mathematical Preliminaries
This chapter introduces the mathematical concepts used in this thesis. This is also
intended as a statement of notation and terminology of these mathematical concepts.
Standard and straightforward proofs will be omitted. Comprehensive treatments of
these subjects can be found in [MB88, Wec92] for algebra, [HU79, Ber79, RS97] for
formal languages and automata theory, and [Won01] for further information on the
RW framework for discrete event systems control.
2.1 Algebraic structures
Elementary notations of basic set theory will be used throughout this thesis, namely,
membership (), set-builder notation ( [ ), subset (), union (), intersection
(), set subtraction , product of sets (A
1
. . . A
n
), set power (Pwr(A)), and
cardinality ([A[). The term i will be used as an abbreviation of if and only if.
We will not distinguish between the set a and the element a if the intention is clear
from the context.
Let A and B be two sets. A relation between A and B is any subset R AB.
If A = B then R is a binary relation on A. For (a, b) A B we write aRb if the
ordered pair (a, b) R. A function f from a set X to a set Y , written f : X Y ,
17
is a subset of X Y such that for each x X there is exactly one y Y such that
(x, y) f. This will be written as f(x) = y. A function f : X Y is partial if it is
only dened on a subset of X. Associated with each relation R X Y a partial
function f
R
: X Pwr(Y ) dened by f
R
(x) = y Y [ (x, y) R. A function
f : X Y is injective if for all x
1
, x
2
X, f(x
1
) = f(x
2
) implies x
1
= x
2
; it is
surjective if for every y Y there exists x X such that y = f(x); and it is bijective
if it is both injective and bijective.
For a function f : X Y , the subset extension of f is the function f

: Pwr(X)
Pwr(Y ), dened as
(X

X) f

(X

) := y Y [ (x X

) (x, y) f
Thus f

(X

) Y . In particular, f

(X

) is the image of f. Usually we do not

distinguish between f and f

, simply writing f(X

) for f

(X

). The surjective closure

of a function f : X Y is the function f

: X Y

with f(x) = f

(x) for all x X

and Y

= f(X). The following Proposition shows some basic properties of functions

that will be used directly throughout this thesis
Proposition 2.1. Let f : X Y be a function. Then,
1. (B Y ) f(f
1
(B)) B and equality holds if f is surjective
2. (A X) A f(f
1
(B)) and equality holds if f is injective
3. (A
1
, A
2
X) f(A
1
A
2
) = f(A
1
) f(A
2
), f(A
1
A
2
) f(A
1
) f(A
2
)
4. (B
1
, B
2
Y ) f
1
(B
1
B
2
) = f
1
(B
1
) f
1
(B
2
),
f
1
(B
1
B
2
) = f
1
(B
1
) f
1
(B
2
)

Let f : X Y and g : Y Z be two functions. The function composition of f

and g, written g f : X Z, is the function dened by
g f := (x, z) X Z [ (y Y ) (x, y) f & (y, z) g
18
The composition of functions is associative. Let f be a function from X to Y and let
A X and B Y . We will write f[
A
to denote the restriction of the domain of f to
A.
Proposition 2.2. Let f : X Y be a surjective function, and let A X and
B Y . Then
f(A f
1
(B)) = f(A) B

Let R AA be a binary relation on A. The following is a list of some standard

algebraic properties of R.
reexive: (a A) aRa,
symmetric: (a, b A) aRb = bRa,
antisymmetric: (a, b A) aRb, bRa = b = a,
transitive: (a, b, c A) aRb, bRc = aRc.
Combinations of these properties characterize many important algebraic relational
structures. A relation R over A which is reexive, antisymmetric, and transitive is
called partial order on A. In this case the pair (A, R) is called a partial order set
or simply a poset. In this thesis, the more convenient notation will be used for a
partial order relation with the convention a < b for a b and a ,= b.
Let B be a subset of a poset (A, ). An element x B is an upper bound of B if
a B a x; moreover if for all upper bounds y of B, x y then x is said to be the
least upper bound for B (also called supremum of B) and denoted sup(B). Dually,
we can dene the lower bound and the greatest lower bound (also called inmum of
B) and denoted inf(B).
A lattice is a poset (A, ) in which every two elements of A have both a least upper
bound and a greatest lower bound. A lattice (A, ) is complete if for any subset B of
A both sup(B) and inf(B) exist. Hence, every nite lattice is complete by denition.
For a nonempty complete lattice (A, ), sup(A) is called the top element, and denoted
19
. Dually, inf(A) is called the bottom element, and denoted .
A relation E on A which is reexive, symmetric and transitive is called an equiv-
alence relation on A. The convention a
E
b may be used instead of aEb. For
a A the equivalence class of a generated by the equivalence relation E is the set
[a]
E
= a

A [ a

E
a. The subscript in [a]
E
may be dropped if known from
the context. The set [a]
E
is also referred to as the coset of a with respect to E.
The collection of all cosets of A with respect to the equivalence relation E denes a
partition of A and will be denoted A/E. The set of all equivalence relations on A is
denoted c(A). A partial order can be dened on c(A) as follows
(E
1
, E
2
c(A)) E
1
E
2
(a, b A) aE
1
b aE
2
b
In the poset (c(A), ) the supremum and inmum of any subset of c(A) always exists.
The supremum of a set T c(A) is

T. The inmum of T is the transitive closure

of

T. Consequently the structure (c(A), ) forms a complete lattice. For the set
A, any function f : A B induces an equivalence relation ker f c(A) referred to
as the equivalence kernel of the function f, given by
(a
1
, a
2
) ker f f(a
1
) = f(a
2
)
Similarly, any E c(A) denes a canonical output map E : A A/E which maps
each element a A to its equivalence class [a]
E
.
2.2 Formal languages and automata
An alphabet is a nite nonempty set of symbols which may be called also letters
or events. A string or word is sequence of events. We will write
+
for the set of all
(nonempty) nite strings with events in , and

=
+
, where , denotes
the empty string. With catenation, cat, as the product operation,

becomes a
monoid. A language over the alphabet is any subset of

. The set of all languages

20
over the alphabet will be denoted L(). The complement of a language L will
be denoted L
c
. The alphabet of a language L, denoted (L), is the set of letters
forming strings in L. A string t

is a prex of s

, denoted t s, if there
exists u

such that tu = s. The prex closure of a language H

, denoted
H, is the set of all strings in

that are prexes of strings in H. This can also be

represented by the map pre : L() L() : H H. The eligible events function
over a prex closed language H

maps each string in H to the set of its eligible

events. Formally
Elig
H
: H Pwr() : s [ s H
Let R be an equivalence relation on

. R is a right congruence on

if, for all s, t,

u

, sRt = (su)R(tu). In another words, R is a right congruence if and only if

the cosets of R are invariant with respect to the operation of right catenation. The
Nerode equivalence relation on

with respect to the language L is denoted

L
and
dened as follows
(s, t

) s
L
t (u

) su L tu L
That is, s
L
t i s and t can be continued in exactly the same ways (if any) to form
a string in L. It can be proved that
L
is a right congruence.
Let L
1

1
and L
2

2
, where
1
and
2
are not necessarily disjoint. Let
=
1

2
. The natural projection operation from

to

i
is a map P
i
:

i
dened as follows
P
i
() =
P
i
() =
_
_
_
if ,
i
if
i
P
i
(s) = P
i
(s)P
i
()
for all s

, and i 1, 2. The action of P

i
is to erase all occurrences of
21

i
from s. It is straightforward to check that L P
1
i
P
i
L and L = P
i
P
1
i
L
is valid for any language L

.
Proposition 2.3. Let P :

o
be a natural projection. Then,
P pre = pre P, P
1
pre = pre P
1

This is to say that natural projections and their inverses are invariant with respect
to the prex closure operation. The synchronous product of L
1

1
and L
2

2
is
dened according to
L
1
| L
2
= P
1
1
(L
1
) P
1
2
(L
2
)
Intuitively, L
1
|L
2
represents the concurrent evolution of L
1
and L
2
with synchro-
nization on common events. The synchronous product operation can be dened
incrementally as follows. Let L
1

, u

1
, a
1
, L
1

, v

2
, b
2
.
Then
u | = u
| v = v
ua | vb =
_
_
_
(u | vb) a (ua | v) b a (
1

2
), b (
2

1
)
(u | v)(a b) otherwise
L
1
| L
2
=
_
uL
1
,vL
2
u | v
The above denition of synchronous product conforms with the way this product is
computed in practice.
Let and be two nite alphabets. A morphism is a mapping h :

satisfying h() = and for all s, t

, h(st) = h(s)h(t). Clearly, h(

) is a
22
submonoid of

. The morphism h is said to be alphabetic if

( ) h()
Therefore, projections are a special class of alphabetic morphisms where . A
substitution over

is a morphism from

to L(), namely, a mapping :

L() satisfying () = and for all s, t

, (st) = (s)(t). By denition,

morphisms and substitutions are completely dened by specifying only the image of
each letter in under the mapping. Semigroup morphisms are a generalization
of (monoid) morphisms where it is only required to be invariant with respect to
catenation.
Proposition 2.4. Let h :

be a surjective alphabetic morphism. Then h

1
is a semigroup substitution.
Proof. Let R = h
1
() and R

= h
1
() for all . Then h
1
() = R

and h
1
() = R

for all . Hence, for all s

with s =
1
. . .
n
where

i
for i [1 . . . n], we can write
h
1
(s) = h
1
(
1
) . . . h
1
(
n
) = R

1
R

2
R

. . . R

R
n
R

This shows that h

1
(s
1
s
2
) = h
1
(s
1
)h
1
(s
2
) for all s
1
, s
2

. Hence, h
1
is a
semigroup morphism from

to L().
An automaton is a 5-tuple structure (Q, , , q
o
, Q
m
), where Q is a nite set of
states, is a nite nonempty set of events, : Q Q is a (partial) transition
function, q
o
Q is the initial state, and Q
m
Q is a nonempty set of marker states.
A transition in the automaton A is any element of , and may be denoted simply by
the triple (q, , q

) (instead of ((q, ), q

)) where (q, ) = q

. If (q, ) is dened, then

we say that is eligible at q in A. This can also be captured by the overloaded map
Elig
A
: Q Pwr() which assigns to each state in A the set of eligible events. The
map is extended to strings in the usual way. For two states q, q

in Q we say that
23
q

is reachable from q in A if there exists a string s

such that q

= (q, s). We
will write
A
(q) to denote the set of states reachable from q in A.
Let A = (Q, , , q
o
, Q
m
) be an automaton. A state q Q is said to be reachable
if it can be reached from the initial state, that is , if q
A
(q
o
), and A is reachable
if all its states are reachable. A state q is said to be coreachable if it can reach one
of the marker states, that is, if there exists a state q
m
Q
m
such that q
m

A
(q),
and A is coreachable if all its states are coreachable. If all the states in A are both
reachable and coreachable then A is said to be trim. The closed language generated
by an automaton A is L(A) = s

[ (q
o
, s) is dened, and the marked language
of A is L
m
(A) = s

[ (q
o
, s) Q
m
. If A is reachable and coreachable, then
L
m
(A) = L(A).
For a regular language L

there is a unique (up to isomorphism) minimal

trim automaton that generates L. This automaton is denoted A(L). Clearly, in this
case L = L
m
(A(L)). Let A(L) be the tuple (Q, , , q
o
, Q
m
). The restriction of to
q
o
can be dened by a map : L Q that assigns each string s L to a state
q Q i (q
o
, s) = q. It can be veried that the map is well-dened. It can also be
veried that Elig
L
(s) = Elig
A(L)
((s)) for any s L.
2.3 DES controllability and supervision
Practical discrete event systems usually exhibit a control mechanism that allows their
behaviour to be modied. In the RW framework, the control information is incor-
porated into the system model by partitioning the set of system events into two
disjoint subsets;
c
denoting the set of controllable events, and
u
denoting the set
of uncontrollable events. Controllable events are those events that can be disabled by
an external agent while the uncontrollable ones are considered permanently enabled.
Let G = (Q, , , Q
o
, Q
m
) be a DES with =
c

u
. A supervisor for G can be
viewed as an external agent that observes the behaviour of the system G and enables
or disables any of the controllable events at any point of time. Formally, a supervisor
24
C for a system G is a function
C : L(G) := Pwr() :
u

The function C assigns for each string s L(G) the set of eligible events that can be
executed. Uncontrollable events are always enabled. The language of the controlled
system, denoted L(V/G), is totally dened by the function C and L(G). The language
L(V/G) can be dened recursively as follows
L(V/G)
s L(V/G), s L(G), and V (s) s L(V/G)
No other strings belong to L(V/G)
The marked behaviour of G under the supervision of C is
L
m
(V/G) = L(V/G) L
m
(G)
The supervisor C is said to be nonblocking if
L
m
(V/G) = L(V/G)
In this case, C allows every string in the controlled behaviour to be extended to a
marked string of L
m
(G).
Typically, the control problem requires constructing a supervisor C for the system
G such that the controlled behaviour of G follows some given specications. The
solution for the supervisory control problem is based on the controllability property.
A language K

is said to be controllable with respect to L(G) if

K
u
L(G) K
That is, K is controllable if and only if no string in L(G) that is already a prex of
25
K, when followed by an uncontrollable event in G exits from the prexes of K. In
another words, K is controllable with respect to L if
(s K)(

,
u

Elig
L
(s) = Elig
K
(s)
Clearly, L(V/G) is controllable with respect to L(G) and it is prex closed by deni-
tion. RW theory guarantees that, for a system G any nonempty and closed control-
lable specication K L(G) can be implemented by a supervisory controller so that
the controlled behaviour is K.
Given a language E representing a specication for G whereas E is possibly un-
controllable with respect to G. Dene (
G
(E) to be the set of all sublanguages of E
that are controllable with respect to G. Formally,
(
G
(E) = K E [ K is controllable with respect to G
As a subset of the sublanguages of E, (
G
(E) is nonempty and closed under arbitrary
unions. In particular, (
G
(E) contains a unique supremal element called the supremal
controllable sublanguage of E with respect to G written as sup (
G
(E). An ecient
xpoint algorithm was developed in [RW87] to compute this supremal language. The
automaton generating the supremal controllable language can be used then as a su-
pervisor for the system.
26
Chapter 3
Interacting Discrete Event Systems
This chapter introduces a formal model for a general class of multiprocess discrete
event systems with well-dened inter-process interactions. First, the formal setting
for multiprocess DES environments is introduced. A multiprocess environment is
referred to here as process space. In this environment basic notions of automata
and formal languages are extended to vector quantities. A process space is dened
by an alphabet vector identifying all possible concurrent events in the underlying
multiprocess environment. In this setting a language vector is a set of languages
representing the behaviour of a set of processes. In the absence of any restrictions,
these processes evolve concurrently while synchronizing their shared events.
In a multiprocess environment, the connection between the set of multiprocess sys-
tems and the set of all possible behaviours in this environment is established through
the composition and the decomposition operations. In this chapter, we investigate
two procedures directly related to these operations. The rst one removes redundant
string vectors from a given language vector so that all parts of the system compo-
nents contribute to the overall behaviour of the system. The result is a compact
language vector where each system component can be recovered directly from the
system behaviour using the corresponding projection operation. The second pro-
cedure compensates the information lost in the decomposition operation so that a
given language can be recovered from its set of projections over the process space.
27
It is shown that every language admits a supremal compensator. However, the
eciency of this construction varies substantially from one system to another, and in
general characterizes how the given system matches the process space structure.
A general model for multiprocess discrete event systems is then introduced. The
model, referred to as a one of interacting discrete event systems (IDES), consists
of two basic elements; a language vector representing the system components, and a
specication language representing the interactions between these components. The
overall behaviour of the system is obtained by restricting the free run of the system
components to the interaction specication.
Analysis of discrete event systems usually involves behaviour comparison in one
way or another. However, the behaviour of a multiprocess system is obtained through
the synchronous composition operation which is computationally intractable. Under
the IDES modelling framework, alternative approaches to behaviour analysis of mul-
tiprocess DES can be formulated where the computation of the synchronous product
of the system components can be avoided or reduced using a simpler representation
of these components.
In interacting discrete event systems the interaction specication can be viewed
as a representation of the system architecture. Architectural specications, how-
ever, usually address the external organization of the system component rather than
their internal structures. To capture this observation, a class of abstraction maps is
proposed. This class preserves the process space structure while abstracting low level
details about the components. The corresponding abstract behaviour can be used to
represent typical architectural specications such as serial and parallel interactions.
A hierarchical form of interaction specications, referred to as interaction struc-
tures, is then introduced. Interaction structures combine several interaction spec-
ications in a multilevel scheme similar to the organization of typical hierarchical
systems. A multi-level interaction structure can always be converted to a at inter-
action specication that has the same overall eect on the system components.
28
3.1 Preliminaries and notations
A process space is a structure that denes a multiprocess environment where a set of
processes can run concurrently. To describe and analyze systems in process spaces,
basic notions of formal language theory will be extended to vector quantities. In the
usual way, a vector quantity refers to an element of a Cartesian product of sets.
Let I be the index set of a collection of processes. An alphabet vector over I is
a set =
i
[ i I of alphabets. Bold letters will be used to distinguish vector
quantities as well as functions with a set of vectors as a codomain (range). The ith
component of a vector will be referred to by the normal (unbolded) symbol with the
subscript i. For example, the ith component of the vector u is denoted u
i
.
Let =
i
[ i I be an alphabet vector. The union of all alphabets in will
be denoted by the normal (unbolded) symbol , or by () if any confusion may
arise. A process space is uniquely dened by its alphabet vector, hence either terms
designate the same entity. For a subset J of I, we will write
J
to denote the set of
all events in the J components in , namely, the set
jJ

j
. Therefore, under this
notation we have
I
= and
{i}
=
i
. We will write
s
or
s
() for the set of
shared (synchronous) events in , namely,

s
=
_
i=j
(
i

j
)
The set of asynchronous (local) events,
s
, will be denoted
a
or
a
().
Let be a process space with index set I. A string vector over is a set
s = s
i

i
[ i I. The empty string vector over I is the set
I
= [ i I. The
subscript I may be dropped if it is clear from the context. An event vector over is
a set =
i

i
[ i I such that ,= . For the string vectors v and u,
the componentwise catenation of u and v is denoted cat(u, v) or simply uv.
A language vector over the process space is a set L = L
i

i
[ i I.
Componentwise catenation can be dened over the set of language vectors in the
29
usual way. The set of all language vectors over is denoted L(). Recall that
L() denotes the set of all languages over the alphabet . A language L L()
is considered a language vector L with a singleton element over the alphabet vector
= , and vice versa, so that L = L. For two language vectors L

and L over
, L

is said to be a language subvector or simply a subvector of L if L

i
L
i
for
all i I. In this case we write L

_ L. The componentwise membership is denoted

E . Therefore, s E L if for all i I we have s
i
L
i
. The componentwise union and
componentwise intersection of L

and L are denoted L

.L and L

L, respectively.
For a language vector L and a natural projection operation P
o
:

o
, we will
write P
o
L for the componentwise projection of L. That is, P
o
L = P
o
L
i
[ i I. Let
F : L() L() be a map. With a slight abuse of notation, we will write F(L) for
the vector language F(L
i
) [ i I. The synchronous product of the components of
the language vector L will be denoted |L, or B

(L).
A string vector s in the process space is said to be composable if B

(s) ,=
, otherwise it is called incomposable. Consider, for instance, the process space
= a, x, z, b, x, y, c, z, y. In this process space, the string vector s =
axz, xby, zyc is composable with B

(s) = (axbzyc, axzbyc, axzybc), while the string

vector t = ax, by, cy is incomposable as B

(t) = . Clearly, the composability of a

string vector is directly linked to the order of shared events in its components.
3.2 Behaviour analysis in process space
Behavioural analysis problems in the multiprocess space environment usually share
two main arguments, namely, a system consisting of a set of concurrent processes,
and a specication dening certain tasks or correctness criteria for the system. This
applies to both the verication and the supervisory control problems investigated in
this thesis. It is then required to check if the system satises the given specication
and if not to check whether the system behaviour can be restricted through supervi-
sion to satisfy the specication. In both situations the system behaviour has to be
30
compared to the specication. This comparison is based on the containment order
on the set of languages.
In multiprocess environments, a system of concurrent processes is represented by
a language vector while the specication is usually given as a language. Direct com-
parison between the two domains is not possible. Therefore, a transformation from
one domain to the other is necessary for such comparison. Typically, the composi-
tion operation is used to generate the language representing the behaviour of a given
language vector while the decomposition operation generates the vector projection
of a given language. Formally, these operations are represented by two maps each
transform from one domain to the other.
In process space, the decomposition operation is represented formally as follows.
For a process space over an index set I, the vector projection map P

: L()
L() associates each language L L() with the language vector P
i
L[ i I where
P
i
:

i
is the natural projection map that erases all events other than those
of the ith component of . Therefore, for the process space the language vector
P

) contains (componentwise) all the string vectors that can be generated in this
process space. For two languages L and L

in L() it is straightforward to verify the

following result
Proposition 3.1.
P

(L L

) _ P

(L) P

(L

) and P

(L L

) = P

(L) . P

(L

On the other hand, the composition process is represented by the vector composi-
tion function B

: L() L() that associates each language vector in with the

behaviour (language) it generates. Namely, for a language vector L over we have
B

(L) =
iI
P
1
i
L
i
. For two language vectors L and L

in L(), it is straightforward
to prove the following dual result for the composition operation.
31
Proposition 3.2.
B

(L) B

(L

) = B

(L L

) and B

(L) B

(L

) B

(L. L

Note that the union inclusion in the above proposition is strict in general. Based
on the above denitions of the composition and decomposition operations, a two way
transformation between the set of languages and the set of language vectors in any
process space is established as shown in the following gure.
B

(Composition)
(Decomposition)
Language Vectors
L() L()
Languages
Figure 3.1: Behaviour transformation in process space
In order to compare the behaviour of a language vector to a given language, one
of these two transformations has to be made. The two approaches, however, are
far from being similar. In the composition approach, the language vector of a given
system is converted to the language generated by the system. In this case, behavioural
comparison can be conducted for the system with respect to any given specication.
However, it is well-known that the composition operation is intractable with respect
to the number of components. The decomposition operation is not computationally
ecient either. However, in most cases the system is given as a set of components and
the specication is given as a language. Therefore, it is only required to decompose
32
the specication. Also, the state size of the specication is usually much less than
the size of the composite system making the decomposition of the specication more
ecient than the composition of the system components. Under these assumptions, it
would be more ecient to decompose the specication into a language vector and then
compare it componentwise with the language vector of the system. Unfortunately,
this simple solution will not work as the outcome of this comparison does not generally
reect the relation between the behaviour of the system and the specication. This
is due to the following facts:
In general, due to possible existence of incomposable string vectors, dierent lan-
guage vectors can generate the same behaviour. Therefore, the componentwise
comparison between language vectors cannot give precise information about the
relation between their corresponding behaviours.
A language L is not in general equivalent to the composite behaviour of its vector
projection, P

(L). Therefore, the containment order on the set of languages

does not translate into an equivalent componentwise containment order on the
corresponding language vectors.
The source of the problems here is that neither the composition nor the decompo-
sition operation preserves behavioural information, or more precisely, the containment
order on the set of languages. In the composition operation information is lost due
to the synchronization constraints, whereas in the decomposition operation informa-
tion is lost because of the ambiguity associated with partial observations. To address
these issues, the framework for multiprocess discrete event systems will be rened by
extending the denition of multiprocess system and redening the composition and
decomposition operations accordingly.
33
3.3 Compact language vectors
The composition operation enforces strict synchronization of shared events, that is,
shared events must be triggered simultaneously by the corresponding components of
the system. Under this rule, it is possible that certain strings in one component do
not synchronize with the other components of the system, and therefore these strings
do not contribute to the overall behaviour of the system. As a result, component-
wise comparison between language vectors cannot give precise information about the
relation between their corresponding behaviours. This can be resolved by dening a
class of language vectors in which the composition operation is order preserving.
1
Let be a process space. Then, for any language vectors L and L

in L() we
have
L

_ L = B

(L

) B

(L)
The reverse direction does not hold in general. Therefore, the composition operation
B

is not fully order preserving. To get a closer look into this situation, consider
the kernel of the map B

. This kernel denes an equivalence relation on the set of

language vectors in L() in which a set of language vectors are equivalent if they
generate the same language. Therefore, each coset of ker B

contains a set of lan-

guage vectors generating the same behaviour. It is straightforward to see that the
set of language vectors within each coset of ker B

is closed under componentwise

intersection as indicated by Proposition 3.2. Hence, there is a unique minimal ele-
ment (with respect to componentwise inclusion) in each coset that can generate the
language associated with the coset. This minimal element is formally characterized
as follows. A language vector L over the process space is said to be compact if it
satises
(L

L()) B

(L) = B

(L

) = L _ L

Basically, a compact language vector contains the minimal set of components that is
1
Within the domain of languages and language vectors, the term order refers to the (componen-
twise) containment order.
34
needed to generate its language. Hence, L is compact if it is the minimal element
in its coset in the partition ker B

. Consider, for instance, the process space =

a, x, b, x. In this process space, the language vector L = a, ax, b, xb
is compact with B

(L) = ab, ba, axb. On the other hand, the language vector
H = a, ax, xxa, b, xb, xbxbx with B

(H) = ab, ba, axb = B

(L), is not.
It can be veried easily that for a language L L(), the language vector P

(L)
is always compact. Therefore, if the components of a given system are known to be
equal to the vector projection of the system behaviour then this system is compact.
However, multiprocess systems are usually specied by their components. And, in
this situation, there is a possibility that certain parts of the components do not con-
tribute to the system behaviour. This case may arise, for instance, due to (re)design
errors which are dicult to trace, particularly when the system is composed of a large
number of tightly coupled components. In such cases, compactness of the system is
not guaranteed. The following result provides another characterization for the com-
pactness property. To simplify notation we will write PB

to denote the composition

P

: L() L().
Proposition 3.3. L is compact if and only if L = PB

(L)
Proof. () Let L = L
i
[i I be a language vector. Then we have
P
i
(B

(L)) = P
i
_

jI
P
1
j
L
j
_
= L
i
P
i
_

jIi
P
1
j
L
j
_
L
i
This shows that PB

(L) _ L. Also, in general R B

(P

(R)) for any language

R. Therefore B

(L) B

(PB

(L)). However, given that PB

(L) _ L, we can
conclude that B

(PB

(L)) = B

(L). Then, if L is compact, it must be that L _

PB

(L). Hence, L = PB

(L).
() Assume that L = PB

(L). However, in general for any L

L() with
B

(L) = B

(L

) we have PB

(L) = PB

(L) _ L

. Therefore L _ L

, and hence
L is compact.
35
Therefore, a language vector is compact if and only if its components are exactly
the vector projection of the composite behaviour of the system. Based on this result,
the compact language vector that can generate the same behaviour as a language
vector L is PB

(L). Hence, we can dene a closure operator C

: L() L()
that associates each language vector in L() with the compact language vector that
generates the same behaviour. That is, C

(L) = PB

(L). Note that redundant

information in vector languages arises from the set of incomposable string vectors
which is directly related to the shared behaviour of the system. Therefore, a more
ecient procedure can be developed for the computation of C

(L) by tracing only

the shared behaviour of the system as follows. For i I, dene the language vector
L
i
derived from the language vector L as follows
L
i
i
=

i
and (j (I i)) L
i
j
= P
s
L
j
where P
s
:

s
is the natural projection of the set of shared events in the
process space. Hence, L
i
is constructed by replacing the ith component of L by

i
,
and replacing all other components by the corresponding projection onto the shared
events. The following proposition denes another way to compute the map C

. First
the following lemma will be needed.
Lemma 3.1. Let and
o
be an alphabet set such that
s

o
and let
P
o
:

o
be the associated natural projection. Then,
(L L()) P
o
(B

(L)) = B

(P
o
L)

The above lemma is a simple extension of a result in [Won01]. The proof of this
extension is direct based on the associativity of the synchronous product.
Proposition 3.4.
C

(L) = L
i
P
i
(B

(L
i
)) [ i I
36
Proof. Write P
j,s
:

(
s

j
)

for the natural projection of shared events and

events from the jth component.
(C

(L))
j
= P
j
(B

(L))
= P
j
(

iI
P
1
i
L
i
)
= L
j
P
j
(

i=j
P
1
i
L
i
)
= L
j
P
j
(

i=j
P
1
i
L
i
P
1
j

j
)
= L
j
P
j
P
j,s
(

i=j
P
1
i
L
i
P
1
j

j
) (P
j
= P
j
P
j,s
)
= L
j
P
j
(

i(Ij)
P
1
i
P
j,s
L
i
P
1
j
P
j,s

j
) (Lemma 3.1,
s

j,s
)
= L
j
P
j
(

i(Ij)
P
1
i
P
s
L
i
P
1
j

j
)
= L
j
P
j
(B

(L
j
))
Based on the above result, the computation of C

depends only on the shared

behaviour of the system components. This result also conrms that asynchronous
language vectors (containing no shared events) are always compact.
Proposition 3.5. Let L and S be two compact language vectors. Then
B

(L) B

(S) L _ S
Proof. The left direction () is trivial and generally holds for any pair of language
vectors not necessarily compact ones. The right direction () is direct based on the
property L
i
= P
i
(B

(L)) for all i I when L is a compact language vector, and the

fact that the map P
i
is monotonic.
This says that the composition operation restricted to the set of compact language
vectors is totally order preserving. Because of the importance of this property to
basically all forms of behavioural analysis discussed in this thesis, we will be dealing
mainly with compact language vectors here. The set of compact language vectors will
be denoted L
c
() for the process space .
37
3.4 Language compensation in process space
The decomposition of a language L is a language vector consisting of the projection of
L into each component of the process space. However, in general, because of the infor-
mation lost through the projection operation, languages cannot be recovered directly
from their vector projections using the composition operation. In this section, this
recovery is made possible by considering a mechanism to compensate the information
lost in the decomposition operation.
Let be a process space with index I. As indicated earlier, language decompo-
sition is presented by the vector projection map P

: L() L(). Similar to the

composition map, B

, this map is neither injective nor surjective. In general we have

(L L()) L B

(P

(L))
The other direction does not hold in general, indicating that the information lost
through the projection operation cannot be recovered using the composition opera-
tion. To have a closer look into this situation, consider the kernel of the decomposition
operation P

. This kernel denes an equivalence relation on the set of languages L()

based on the projected language vectors, namely, two languages in L() are equiv-
alent with respect to ker P

if they have the same vector projection. Hence, each

coset of ker P

consists of a set of languages that have the same vector projection in

. It is straightforward to see that the set of languages within each coset of ker P

is closed under union (but not under intersection in general), simply by the fact that
the projection operation distributes over union. Hence, each coset contains a unique
maximal element. This maximal element is covered below in more detail.
To simplify notation we will write BP

to denote the composition B

:
L() L(). In the process space , a language L L() is said to be -
decomposable (or simply decomposable if no confusion arises) if
L = BP

(L)
38
Basically, a decomposable language L is a one that can be generated directly from
its vector projection P

(L) using the composition operation. The following proposi-

tion conrms that the set of decomposable languages is exactly the set of supremal
elements (w.r.t inclusion) in the cosets of ker P

.
Proposition 3.6. L is -decomposable if and only if
(L

L()) P

(L

) = P

(L) = L

L
Proof. () Assume that L is -decomposable. Then L = BP

(L). Let L

be
a language such that P

(L) = P

(L

). In general L

BP

(L

) = BP

(L).
Therefore L

L.
() Let L be a language satisfying the above condition. The language vector P

(L)
is always compact. Therefore by Proposition 3.3 we have P

(L) = P

(B

(P

(L))).
Then by the above condition we get B

(P

(L)) L. However, in general we have

L B

(P

(L)). Therefore, it must be that L = B

(P

(L)). Hence L is -
decomposable.
Clearly, the set of -decomposable languages is exactly the image of the map
B

. As indicated earlier, the class of -decomposable languages can always be recov-

ered from its decomposition using the composition operation. However, in many
behavioural analysis situations we need to deal with languages that are not -
decomposable. Therefore, it may be useful to extend the recoverability feature of
the class of -decomposable languages to the set of all languages in L(). This can
be done by compensating the information lost in the projection operation. That is, to
add necessary information to the composite behaviour BP

(L) such that the overall

behaviour of the structure is equal to L. Clearly, for any language L such compen-
sator depends on L (a function of L) and must contain L. The set of -compensators
for L, denoted C

(L), is dened as follows

C

(L) = K L() [ L = BP

(L) K
39
The set C

(L) is not empty as it contains L. It is easy to verify that the set C

(L)
is closed under union and intersection and hence has a supremal and inmal element.
Clearly, the inmal element of C

(L) is L. We will write

C

(L) to denote the inmal

element of the set C

(L) and

C

(L) to denote its supremal element.

Proposition 3.7.

(L) = L BP

(L)
c
Proof. Clearly L = BP

(L) (L BP

(L)
c
), so LBP

(L)
c
is a compensator for
L. Now, assume that K is a compensator for L such that L BP

(L)
c
K. Then
we can write K = LBP

(L)
c
H for some H L() where H(L BP

(L)
c
) =
and therefore H L = and H BP

(L). Then we have L = BP

(L)
(L BP

(L)
c
H). By simple manipulation of this expression we get L = L H
and therefore H L. It is already established that H L = . Then it must be that
H = . Therefore, L BP

(L)
c
is the supremal compensator for L.
It is easy to see that, any language K such that L K

C

(L) is a -
compensator for L. Hence, the set of compensators of L, C

(L), is totally dened by

its supremal element,

C

(L). Note that a compensator K for L may be blocking in

the sense that the intersection of K with BP

(L) may produce a string that cannot

be completed to a string in L. The problem of blocking in process space will be
investigated in Chapter 5.
It is worthwhile to examine the limit cases of the maximal compensator for a given
language L L(). One limit corresponds to the case when

C

(L) =

. Based on
the above proposition, it must be that L = BP

(L), that is, L is a -decomposable

language. The other limit corresponds to the case when

C

(L) = L. Based on the

above proposition, this translates to BP

(L) =

. Roughly speaking, the projected

components of L in this case do not carry any information about L. Such languages
will be referred to as -indecomposable languages. It is easy to see that the set of
-indecomposable languages in L() is exactly the set of languages equivalent to

in ker BP

.
40
Example 3.1. Let = a, b, x, c, d, x be a process space. The language
L = (ax, ac, ca, xc) is -decomposable and therefore can be compensated by

.
Clearly, in this case

is the optimal compensator for L. Note that the optimal

compensator for a given language is not necessarily optimal with respect to state
size. For instance, the language H = (ac, ad) can be compensated by the language
K = (a, b)

(c, d)

where A(K) has two states. On the other hand, the automaton of
its optimal compensator,

C

(H) =

(ca, da), has four states as shown below.

c, d
c, d
K C

(H)
a, b
a
d
c
H
a, b, x
c, d
a
a

(H)
The language F shown below is an example of a -indecomposable language. The
only compensator for F is the language F itself, as we have P

(F) = P

) =
(a, b, x)

, (c, d, x)

.
x
a, b
c, d
x
F =

C

(F)

Using compensation, any language L can be decomposed into its vector projection,
P

(L) and a compensator K

C

(L). The language L can then be recovered from

the pair (P

(L), K) via the intersection of K with the composition of P

(L). In order
to formalize this recovery procedure, an extended form of the composition operation
is needed.
41
3.5 Interacting discrete event systems
In this section the notion of vector languages is extended to a new structure that
can accommodate a decomposition procedure based on language compensation as
presented in the previous section. The composition and vector projection operations
will be extended accordingly.
Let be an alphabet vector with index set I. An interacting discrete event
system (IDES) over is a pair L = (L, K) where L is a language vector in L()
and K is a language in L(). The language K will be referred to as the interaction
specication language or simply the interaction language of the IDES L. We will use
calligraphic letters to denote IDES structures. Also we will write L
i
to denote the
ith component of L. The language generated by L is given by
B

(L) = |L K
Therefore, the IDES structure consists of a set of components, represented by the
language vector L, running concurrently, and a language K that synchronizes with
the composite behaviour of these components. Clearly, in this case K is a compensator
for the language B

(L). The set of IDES in the process space will be referred to

as I().
Based on the denition of the behaviour of IDES structures, a language vector L
is behaviourally equivalent to an IDES L = (L,

). Therefore, the set of language

vectors L() has an isomorphic correspondence with a subset of I() containing those
IDES with interaction language K =

. Based on this correspondence, language

vectors may be represented either as an IDES structure or simply by the original
notation as a set of languages. Also, as shown above, the overloaded function B

is used also to denote the composition operation for IDES. This operation will be
referred to as the generalized composition operation. Similar to the case with language
vectors, B

is a map from I() to L().

For two IDES structures L

= (L

, K

) and L = (L, K) over the process space ,

42
L

is said to be a substructure of L if L

_ L and K

K. To simplify the notation, we

will write L

_ L or L _ L

when L

is a substructure of L. Also, the componentwise

union L

and L is denoted L

.L and is set to be equal to (L

.L, K

K). Similarly,
the componentwise intersection of L

and L is the IDES L

. L = (L

L, K

K).
Similar to the set vector languages, the following result can be easily proved.
Proposition 3.8.
B

(L) B

(L

) = B

(L L

) and B

(L) B

(L

) B

(L . L

As shown earlier, any language L L() can be transformed into an IDES con-
taining its vector projection and one of its compensators. However, L can have more
than one compensator in general. Therefore, it can be decomposed into more than
one IDES each generating the same behaviour. The set of IDES that can gener-
ate the language L from its vector projection will have the form (P

(L), K) where
K C

(L). This set has a maximal element (with respect to the relation _) denoted

(L) = (P

(L),

C

(L)) and a minimal element denoted

T

(L) = (P

(L),

C

(L)).
This set will be associated with the language L through the generalized decomposition
operation, T

: L() Pwr(I()) dened as follows

(L L()) T

(L) = L I() [

T

(L) _ L _

T

(L)
The generalized decomposition operation associates a language L with the set of IDES
that contains its vector projection and a compensator for L. Therefore, any IDES in
T

(L) is a valid decomposition for L.

Note that the original settings for composition and decomposition in process space
can be recovered back from the above extended setting by removing the interaction
language from the IDES model and consequently from the generalized composition
and decomposition operation. The extended process space setting for composition
decomposition is shown in the following gure.
43
B

(Composition)
(Decomposition)
Interacting DES
L() L()
Languages
Figure 3.2: Behaviour transformation in process space
The IDES setting allows the transformation of any language into a structure that
generates the same behaviour. This makes the decomposition procedure reversible
for all languages. As should be expected and to be conrmed later, this can provide
a better ground for behavioural analysis of multiprocess systems. In addition, the
above setting introduces a new important dimension to the modelling of multiprocess
discrete event systems that can capture architectural information about the system.
In the next section, the basic aspects of modelling multiprocess discrete event sys-
tems are outlined. The relevance of the interaction specication to the modelling
multiprocess system will become more clear in the light of these aspects.
3.6 Modelling multiprocess systems
In the modelling process, physical properties of the system are transformed into a
mathematical model that captures essential details about its behaviour and function.
The extent and the nature of such details in the system model depend mainly on the
specic interest for studying this system. This is valid for simple systems as well as
complex multiprocess systems. However, there are certain factors that are specic to
the structure and behaviour of multiprocess systems. In this section, we outline the
basic factors that dene the behaviour of multiprocess discrete event systems.
44
System components
Complex discrete event systems are composed of a set of basic components. There
is no strict formal denition of what constitutes a basic component. However, in
practice the basic components of the system are usually recognizable from the system
description and can be rened to t the scope of analysis. It is usually assumed
that the system components are relatively independent in the sense that they can act
autonomously.
System environment
Multiprocess environments enforce certain rules for the composition of the system
components. These rules are usually independent of the internal description of the
underlying components. Synchronous composition is a common composition scheme
in discrete event systems in which shared events must be triggered simultaneously
by the corresponding components. Other composition rules can be formulated for
dierent environments. Composition rules are usually assumed xed for a given envi-
ronment. In general, composition rules dene the way processes interact in the least
restrictive form, usually referred to as the parallel or concurrent composition.
Interaction constraints
In practice, the system components may be congured to interact in a variety of ways
in order to conform to certain organizational schemes. Such conguration usually
takes the form of abstract specication that, in eect, constrains the overall behaviour
of the system components. In contrast with the composition rules, these specications
are specic to the environment. Initial interaction constraints may be given as a
part of the system description. These interaction constraints are usually accessible
(observable) and exible to change (controllable) in order to facilitate systems testing,
maintenance and updates.
45
System Environment
Component
Component
Component
Component
Interaction Specication
Figure 3.3: Multiprocess Discrete Event System
46
A modelling framework for multiprocess systems has to consider the above dimen-
sions in one way or another. In the most general form, all of these dimensions can
be represented as the elementary types (variables) of the system model. The IDES
framework provides a mechanism to include the above dimensions independently in
the system model. The system components are represented by a language vector and
their interaction constraint is represented by the interaction language. In the IDES
setting, the composition rule is xed to the synchronous product operation. Nev-
ertheless, the composition rule remains, conceptually, an independent factor in the
IDES model setting. In a more general setting, the composition operation can be
redened or even considered a variable to accommodate other environments.
3.7 Abstract architectural specication
In multiprocess environments, the interaction between the system components has
the eect of restricting the composite behaviour of these components. Therefore, the
interaction language can be regarded as a specication for the system components.
This view is captured in the IDES model and the generalized composition operation as
introduced earlier. In this section, we investigate the use of the interaction language
as an abstract architectural specication.
Let be a process space and let K be a language in L(). The language K denes
a class of IDES in I() in which K is the interaction language, that is, each IDES in
this class has the form (L, K), where L L(). This class will be referred to as the
K-class in and will be denoted I(, K). That is, I(, K) = (L, K) [ L L().
The behaviour of each IDES in this class is the intersection of the synchronous product
of the corresponding language vector with K. Therefore, the behaviour of each IDES
in this class is contained in K. The language vector P

(K) will be referred to as the

interaction domain of the set I(, K).
47
Proposition 3.9.
(s E P

)) B

(s, K) ,= = s E P

(K)
Proof. Let s E P

) be a string vector in . Clearly, if B

(s) K ,= then
B

(s) ,= and consequently P

i
(B

(s)) = s
i
.
B

(s) K ,= = (i I) B

(s) P
1
i
P
i
K ,= (K P
1
i
P
i
K)
= (i I) P
i
(B

(s) P
1
i
P
i
K) ,=
= (i I) P
i
(B

(s)) P
i
(P
1
i
P
i
K) ,=
= (i I) s
i
P
i
(K) ,=
= s E P

(K)
Therefore, only string vectors contained (componentwise) in the interaction do-
main of the set of (, K)-systems can contribute a non-empty behaviour to any IDES
in this class.
In many practical situations, the system architecture - as dened by the interac-
tion between the system components - does not usually target the internal structure
of the components but rather their external arrangement. Serial composition, for
instance, is a well-known form of interaction in which the system components run se-
quentially in a way that is independent of the internal structure of these components.
Using a form of abstract language to describe architectural specication can better
capture typical situations in multiprocess environments. In addition, using a simple
interaction specication would possibly simplify the analysis in this environment.
Let be a process space with index set I. Dene the index equivalence relation
generated by , denoted c

, as follows
(,

) c

(i I)
i

i
48
That is, two events in are equivalent with respect to c

if they are shared (triggered)

by exactly the same set of components. Consequently, each coset of c

is associated
with a subset of I where the corresponding components share exactly the events of
the coset. The coset of c

that contains the event will be denoted []

.
The set of subsets of I that are associated with the cosets of the index equivalence
relation, c

, will be denoted I

. Each element in the set I

can be viewed as an
abstract event that corresponds to a transition made simultaneously and collectively
by the corresponding set of components. Dene the map f

: () I

as follows
(recall that I

Pwr(I)),
( ) f

() = i I [
i

The map f

associates every event in with the set of components in the process

space that have to coordinate in triggering this event. It is clear that ker f

= c

.
The function f

is extended over languages in the usual way.

Languages over the set I

can be viewed as a form of abstract behaviour that

does not distinguish between the events in the system components while recognizing
the boundaries of the system components and their synchronization constraints. Lan-
guages over I

will be referred to as abstract layouts. The corresponding languages

over the alphabet set will be referred to as layouts. Formally, a layout in the process
space is a language K L() that satises
((,

) ker f

)(u, v

) uv K u

v K
It is easy to see that the above condition is equivalent to having K = f
1

(f

(K)).
The composition map f
1

: L() L() will be referred to as the natural

abstraction map and will be denoted F

.
Based on the above denition, the languages , , and

are layouts. The set

of layouts over will be denoted Y(). Clearly, there is a bijective correspondence
between the set of layouts and the set of languages over I

representing the set of

49
abstract layouts. Therefore, we will not distinguish between these two sets as long as
the interpretation is clear from the context. Based on this bijective correspondence,
it is straightforward to show that the set of layouts is closed under any operation
that respects the partition c

. This includes union, intersection, catenation, and

complement.
As mentioned earlier, architectural specications do not usually target the inter-
nal structure of the components but rather their external arrangement. Therefore,
architectural specications (ideally) should not impose any restriction on the internal
dynamics of the system components. If this applies to any set of components (lan-
guage vector) in the process space, then we say that such architectural specication
is universal. The parallel composition scheme with K =

is an example of such
universal architectural specications.
Intuitively, the universality property can be achieved if the projection of the archi-
tectural specication is equal to the supremal language vector in the corresponding
process space. That is, an architectural specication K is universal if it satises
P

(K) = P

)
namely, K is -indecomposable. It is easy to see, based on Proposition 3.8, that under
this condition the components of the IDES of the architectural specication does not
impose any restriction to the internal structure of any set of components in the process
space. Roughly speaking, this means that, the eect of a universal architectural
specication is independent of the system components. In general, any interaction
specication K can be described as universal with respect to its domain, P

(K), in
the sense that, the interaction specication K does not impose internal restriction
on the components of any language vector L within its domain (i.e. satisfying L _
P

(K)).
The following convention will be used for graphical representation of IDES. Sys-
tem components will be drawn inside a rounded box while the interaction language
(automaton) will be drawn inside a double box. Labels for components and inter-
50
action languages may be added above the boxes. The interaction language will be
shown connected to each component. In the case when the interaction language is a
layout, abstract events can be used. Their legends will be shown as follows
Events that are exclusive to a certain component (not shared with any other
components) will be represented by an abstract event shown in a small box at
the left end corner of the component box.
Shared events will be represented by abstract events shown inside a box in the
hyper edge joining the corresponding components.
The following example illustrates the use of layouts to express architectural speci-
cations, and demonstrates the above graphical conventions for representing IDES.
Example 3.2. Let = a
i
, b
i
, c
i
, d
i
, x [ i [1, 2, 3] be a process space consisting
of three components. The index equivalence relation generated by this process space is
c

= a
1
, b
1
, c
1
, d
1
, a
2
, b
2
, c
2
, d
2
, a
3
, b
3
, c
3
, d
3
, x. The corresponding abstract
events will be denoted U, V , W and X respectively. The natural abstraction map for
this process space is dened as follows
F

(a
i
) = F

(b
i
) = F

(c
i
) = F

(d
i
) = a
i
, b
i
, c
i
, d
i
(i [1, 2, 3]),
F

(x) = x
Now, consider a system consisting of three machines in this process space. A synchro-
nization mechanism is implemented to allow exible arrangements of the machines.
Each arrangement can be expressed as a layout K representing the interaction spec-
ication of the system. The overall system is shown in Figure 3.4 for the layout
K = U, V, W, X

which allows the components to run in parallel.

The shared event, x, is used in this system to detect the initiation and the termination
of each machine. Such mechanism is easy to implement and is common in practical
systems. Figure 3.5 shows another setting of the system where the interaction lan-
guage is set such that the rst two machines run in parallel and then followed by the
third machine in a continuous cycle.
51
x
a1
b1
c1
d1
U
X
x
a2
c2
b2
x
b3
a3
c3
d3
W V
U, V, W, X
Figure 3.4: The IDES structure of three machines in parallel
52
X
X
U, V
X
W
W
X
x
a2
c2
b2
x
b2
a3
c3
d3
W V
L1 L2 L3
(L, K)
x
a1
b1
c1
d1
U
U, V
B

(L, K)
L
1
|L
2
L
3
x
x x
Figure 3.5: The three machines in another conguration
53
The overall system behaviour is outlined in the above gure. The detailed state
machines for L
1
|L
2
and L
3
are omitted for simplication.
As seen in the previous example, architectural specication can be expressed using
abstract events, as dened by the natural abstraction map. Recall that an abstract
event corresponds to a transition made collectively by a specic set of components.
Therefore, specications built over the set of abstract events can dene the way the
components are arranged irrespective of their internal details. Such specications
can be used to dene the same arrangement for any set of components in the process
space.
Consider the process space =
1
,
2
with the corresponding abstract events
U =
1

2
, V =
2

1
and X =
1

2
. In this process space, the language
U

simply means that the rst component can operate in this context. Similarly, the
language V
+
can be interpreted as the second component must operate in the given
context. Also, shared events can be used to dene the context of operation for the
components. This can be done by controlling the initiation and termination of the
components using shared events as shown in the previous example.
Many standard language operations can be simulated using layouts as the corre-
sponding interaction specications. In the following, some standard binary operations
and their corresponding interaction specications are presented. These binary oper-
ations are dened over the process space =
1
,
2
consisting of two components
where the corresponding abstract events are denoted U, X, V as given above.
Serial composition
Serial composition can take dierent forms depending on the system and its environ-
ment. In general, in this form of interaction, components run sequentially one after
the other. In asynchronous environments for instance, serial composition is repre-
sented by the catenation operation which can be simulated by the layout K = U

.
Note that this layout is a universal architectural specications. Other forms of serial
54
composition can be dened for synchronous environments. For example, the layout
K = U

can simulate a form of synchronous composition where one process

starts then synchronizes with a second process (if possible) and then the second pro-
cess continues and exits.
Parallel Composition
Parallel composition can also take dierent forms depending on the system and its
environment. In general, this composition corresponds to the least restrictive inter-
action (no restriction at all) between the system components. This interaction is
represented simply by the synchronous product operation which can be simulated by
the layout K = U, X, V

. In the case when there are no shared events, or when

only asynchronous interaction is allowed, the term X can be removed from the above
setting. The corresponding operation becomes that of the shue (asynchronous prod-
uct) operation. At the other limit, namely when there are only shared events or when
only synchronous interaction is allowed, then the terms U and V can be removed.
Clearly, the corresponding operation becomes that of intersection.
Renement
Renement is a well-known approach for designing and modelling complex systems.
In this approach, the system is described initially by an abstract model that hides
many details about the internal structure of the system. More details about the
system can then be revealed by expanding certain events or states into languages. In
general, the renement procedure adds information to the system model by extending
certain parts of the model. Renement, therefore, can be regarded as the reverse of
the abstraction process.
In discrete event systems, renement can take dierent forms depending on the
underlying system and its environment. Language renement is one of these forms
in which a given behaviour of the system is extended by replacing certain events by
55
languages. In general, language renements can be represented by substitution maps
in the form :

L() which associate every letter in with a language in

,
where . In this case corresponds to the alphabet of the abstract (high level)
model and is the alphabet of the more detailed (low level) system representation
which extends the high level model.
Language renements can be expressed using the generalized language composi-
tion under certain assumptions. For instance, when shared events are used to initialize
the extension (substitution) procedure while all other events are considered internal
(not shared). This means that each event in is mapped to a language in

in
the form H, where H ( )

. This renement is referred to as synchronized

renement. This form of renement can be simulated by the layout K = U, XV

.
Handshaking is another example of renement that can be expressed by the gener-
alized languages composition. This form of renement is common in communication
protocols and hardware systems. In this interaction scheme, shared events are used
to initiate the extension (renement) and they are also required to signal its termi-
nation. Generally, there are four disjoint sets of events; initiating events, terminating
events, internal events of the calling subsystem and internal events of the called sub-
system. Considering the same set of initiating and terminating events, handshaking
renements can be simulated by the layout K = U, XV

.
Interleaving
Interleaving is also a common interaction scheme in hardware and software systems. It
corresponds to situations where the system components perform a task in an alternat-
ing way, or when a multiprocess system is simulated in a single-process environment.
In interleaving interaction two or more systems are executed interchangeably based
on certain time limits and priority schemes. In the simple setting of two systems
with equal priorities, no timing constraints, and no shared events, interleaving can
be represented by the (universal) layout K = (UV )

(U + ). Figure 3.6 shows this

layout as well as the layout of some other standard interactions.
56
U V
U V
X
X
U
Catenation Handshaking renement Interleaving
V
V
Figure 3.6: The Layouts of Some Standard Interactions
3.8 Multilevel Interaction Structures
Practical systems are usually organized in a hierarchical multilevel scheme. In hier-
archical systems, the main components are grouped into a disjoint set of objects or
larger components. Each of these objects contains a set of components interacting
in a specied way. In turn, these objects form the components of the next level.
The process of clustering components is repeated until the highest level is reached at
which the interaction between all the system components is fully specied.
In this section, the IDES model is extended to provide direct representation of
hierarchical multiprocess DES. This requires expanding the interaction specication
from a language to a structure that matches the organization of the systems. This
interaction structure can be viewed as a more detailed representation of the interaction
specication of the system, consisting of an ordered set of local specications each
one targets a specied level of the system description.
57
Let and be two alphabet vectors with index sets I and J respectively such
that () = (). We say that is a cover for , written _ , if
1. (i I)(j J)
i

j
,= =
i

j
,
2. (i I)(j, k J)
i
(
j

k
) = j = k.
That is, every component in is a subset of some unique component of and
every component of is the union of a unique set of components in . Hence,
each j J corresponds to a unique subset of I and, under this correspondence, the
set J can be identied with a partition of I. Note that, in general, both and
may contain shared events. We will write for the case when _ and
,= . For example, consider the case where = (a, b, x), (c, x, y), (y, d) and
= (a, b, x), (c, d, x, y). Then, .
The composition of a hierarchical multiprocess system can be conducted iteratively
as follows. The components of the system are grouped into a collection of disjoint sets
of components. Each set in this collection has its own local interaction specication.
Each set of components is then composed with its local interaction specication to
dene a new higher level component. The set of new components obtained this way
is now dened over a more abstract process space that is a cover for the original one.
A higher level interaction specication can now be dened for these new components.
The new components, in turn, can be grouped into another collection of disjoint sets of
components dened over a higher level of process space abstraction. This procedure is
repeated until the top level is reached where the components has a uniform interaction
specication. At this level the interaction between all basic components of the system
is now completely specied. The outcome of the composition at the highest level
of the hierarchy is the language generated by the overall system. The interaction
specication for such hierarchical systems can be represented by a tree-like structure.
The root node of this structure corresponds to the top level of the abstraction and the
components appear as the leaves of the lowest level as shown in the following gure.
A formal model for multilevel interaction in hierarchical systems can be dened
58
Interaction
Systems
Structure
Components
Figure 3.7: Multilevel Interaction Structure
59
based on the above description. An N-level interaction structure for the process space
is dened as the tuple (, K), where:
- The rst element is a set of alphabet vectors
n
[ n [1 . . . N], (
n
) = (),
referred to as process space structure, satisfying
(n [1 . . . N 1])
n

n+1
and
N
=
That is each alphabet vector in is a cover for any lower rank alphabet vector. The
highest rank alphabet vector has one component, namely, the alphabet set . A set
of partitions for the index set I will be used as indices for the set . This set of
indices is denoted I

and dened as follows,

I

= I
n
c
I
[ n [1 . . . N], and (n [1 . . . N 1]) I
n
< I
n+1

where c
I
is the set of all partitions of the set I. Each element I
n
I

serves as an
index for the alphabet vector
n
. Recall that each element in I
n
is a subset of
I and the set I
n
is a partition of I. Also, the partition I
n
is ner than the partition
I
n+1
for all n [1 . . . N], and at the top level I
N
= I.
The following convention will be used to identify the components in the set of alphabet
vectors . Each component will have two subscripts. The rst subscript indicates
the abstraction level and the second one indicates the index of the component. For
example,
n,j
denotes the component j of the alphabet vector
n
at the nth level.
Note that in this hierarchy, each alphabet component in a given level covers (that
is, contains the alphabet of) a unique set of components at the lower level. The
subvector of
n1
that is covered by the component
n,j
at the upper level will be
denoted
n,j
.
- The second element K is a set of interaction language vectors K
n
[n [1 . . . N]
satisfying
(n [1 . . . N]) K
n
= K
n,j

n,j
[ j I
n

60
Here also two subscripts will be used to identify each interaction language in the set
K similar to the convention used above. So, K
n,j
is the component j of the language
vector K
n
at the nth level.
Example 3.3. Let = (a, x), (b, x, y), (c, y), (d, y) be a process space over the
index set I = 1, 2, 3, 4. Let = (, K) be a 2-level interaction structure over
dened as follows
1. =
1
,
2
, with

1
= a, b, x, y, c, d, y =
1,A
,
1,B
,
2
= a, b, c, d, x, y =
2,I

2. K = K
1
, K
2
, with K
1
= K
1,A
, K
1,B
, and K
2
= K
2,I
, where
K
1,A

1,A
, K
1,B

1,B
, and K
2,I

2,I
The interaction structure applied to a language vector L is shown in the following
gure.
K
1,A
K
1,B
L
1
L
2
L
3
L
4
K
2,I
Here we have I

= I
1
, I
2
where, I
1
= 1, 2, 3, 4 and I
2
= 1, 2, 3, 4. In the
above we write A for 1, 2 and B for 2, 3.
61
The composition operation B

can now be extended to handle multiprocess sys-

tems with interaction structure specication. Let L be a language vector over and
let = (, K) be an interaction structure over . The composition of L under ,
denoted B

(L, ), is dened through the following recursion. Let L

0
= L. For each
i [1 . . . N] dene
L
i
= K
i,J
|
jJ
L
i1,j
[ J I
i

where L
i1,j
is the component j of the language vector L
i1
. This iteration will end
up with the language vector L
N
which contains a single element, L
N,I
, which is the
result of the compound composition B

(L, ). That is,

B

(L, ) = L
N,I
Clearly, B

(L, ) is the language generated by the language vector L under the

restriction of the interaction structure . Applying the above recursion on the last
example we get,
L
0
= L
0,i
[ L
0,i
= L
i
, i [1, . . . , 4] = L,
L
1
= L
1,1
, L
1,2
, where L
1,1
= (L
0,1
|L
0,2
) K
1,A
, L
1,2
= (L
0,3
|L
0,4
) K
1,B
,
L
2
= L
2,1
, where L
2,1
= (L
1,1
|L
1,2
) K
2,I
,
B

(L, ) = L
2,I
It is worthwhile to see if the eect of the interaction structure on a given al-
phabet vector can be simulated by an interaction language. Dene the language
B

(P

), ) as the interaction language generated by interaction structure .

This language may be referred to as the -interaction language and will be denoted
K

. Based on its denition, the language K

can be obtained by composing the set

K recursively starting from the vector K
1
in a way similar to the procedure described
above for computing B

. Applying this procedure to the last example we get

K

= ( K
1,A
| K
1,B
) K
2,I
62
We claim that the language K

simulates the eect of the interaction structure

on any given language vector in the process space . That is, the restriction of any
language vector L in to K

is equivalent to the restriction of L to the structure

. Before we present the proof of this claim we need to introduce the following
convention. Let
i

j
be two alphabet sets. We will write P
j/i
:

i
for the
natural projection from
j
to
i
. The inverse of this projection is denoted P
1
j/i
.
Lemma 3.2. Let
i

j

k
be alphabet sets. Then,
P
1
k/j
P
1
j/i
= P
1
k/i
Proof. Let
i
be an event, and let
ji
=
j

i
and
kj
=
k

j
. Then
P
1
k/j
(P
1
j/i
()) = P
1
k/j
(

ji

ji
)
=

kj
(

kj

ji

kj
)

kj

kj
(

kj

ji

kj
)

kj
= (

kj

ji
)

kj
(

kj

ji
)

kj
= (
kj

ji
)

(
kj

ji
)

ki

ki
= P
1
k/i
()
The extension to strings and languages follows directly from the fact that the inverse
projection operation distributes over catenation and union.
The following result conrms the claim above and shows that the restriction eect
of any interaction structure on a given language can be simulated by an interaction
language that depends only on the interaction structure.
Theorem 3.1. Let be an interaction structure in the process space . Then
(L L()) B

(L, ) = B

(L, K

)
Proof. We will proceed by induction on the number of the levels in the interaction
structure. Clearly, the above equation holds for a one level system. Assume now it
63
holds also for N level systems. Let be an N + 1 interaction structure. For J I,
we will write
N,J
for the restriction of to N levels (starting from level 0) and
J components in I. We also write L
J
for the language vector containing only the
set of J components in L. Now, assume that the recursive procedure for computing
B

(L, ) has been carried through the N level at which we have obtained a language
vector L
N
.
B

(L, ) = | L
N
K
N+1,I
=

JI
N
P
1
I
N
/J
L
N,J
K
N+1,I
=

JI
N
P
1
I
N
/J
(B

(L
J
,
N,J
)) K
N+1,I
=

JI
N
P
1
I
N
/J
(B

(L
J
, K

N,J
)) K
N+1,I
=

JI
N
P
1
I
N
/J
(

jJ
P
1
J/j
L
j
K

N,J
) K
N+1,I
=

JI
N
(

jJ
P
1
I
N
/J
P
1
J/j
L
j
P
1
I
N
/J
K

N,J
) K
N+1,I
=

jI
N
P
1
I
N
/j
L
j


JI
N
P
1
I
N
/J
K

N,J
K
N+1,I
=

jI
P
1
I/j
L
j
(

JI
N
P
1
I
N
/J
K

N,J
K
N+1,I
)
=

jI
P
1
I/j
L
j
K

= B

(L, K

)
This shows that the given equality holds for N + 1 level.
Based on the above result, an IDES model can be represented as a tuple L =
(L, ) where is an interaction structure. The same system can be described by the
multilevel IDES L = (L, K

), where K

is the interaction language equivalent to .

Layout languages were introduced earlier to represent abstract architectural spec-
ications. The abstract characteristics of layouts can be extended to the multilevel
interaction structure as follows. In a process space with index set I, an N-level
interaction structure = (, K) is said to be a layout structure if
(I
n
I

)(j I
n
) K
n,j
Y(
n,j
)
That is, every interaction language in the set K is a layout with respect to the
corresponding process space. The following result shows that the interaction language
64
generated by a layout structure is a layout.
Proposition 3.10.
is a layout structure = K

is a layout
Proof. We will proceed by induction on the number of levels in the interaction struc-
ture . First we need to introduce the following lemma.
Lemma 3.3.
= Y() Y()
Proof. Let K Y(). We need to prove that K Y(). Let and

be two
symbols from such that (,

) ker f

. Based on the denition of f

, and

are
triggered by the same components in . This implies also that and

are triggered
by the same components in any subset of . Given that , then this implies
that (,

) ker f

. Hence, if K is invariant with respect to f

then it must be also

invariant with respect to f

. This proves that K is also a layout for .

The base case when N = 1 is trivial. Assume that the above predicate is true
for all interaction structures with N levels. Now assume that is an N + 1 level
layout system. For J I, we will write
N,J
for the restriction of to N levels
(starting down from level 1) and J components. Based on the initial assumption,
each interaction structure
N,J
can be simulated by an interaction language K

N,J
,
and this interaction language is a layout over the process space
N,J
. Therefore
K

N,J
= F

N,J
(K

N,J
). Then we can write
K

JI
N
P
1
I
N
/J
K

N,J
K
N+1,I
=

JI
N
P
1
I
N
/J
F

N,J
(K

N,J
) F

(K
N+1,I
)
=

JI
N
P
1
I
N
/J
F

(K

N,J
) F

(K
N+1,I
)
=

JI
N
F

(P
1
I
N
/J
K

N,J
) F

(K
N+1,I
)
Then K

is the intersection of a set of layouts (in ), hence K

is a layout.
65
3.8.1 System Tree Diagram
The graphical representation for interacting discrete event systems can be extended
to show hierarchical interaction specications. In this regard, a tree-like diagram,
referred to as the System Tree Diagram (STD), is proposed here. In this diagram the
system components and their hierarchical interaction structure are revealed in a way
that matches the organization of the system.
The convention used for the System Tree Diagram is similar to that used earlier
to draw IDES. In the STD, systems are represented by a tree graph in which the com-
ponents appear at the end leaves inside rounded boxes while interaction languages
are shown at all other nodes inside double boxes. In this diagram each interaction
language shows the interaction between the components that directly descend from
its node. The STD can be used to visualize any hierarchical multiprocess DES. How-
ever, it is more visually eective for loosely coupled systems with layout interaction
specications.
Example 3.4. This example is a slightly modied version of the three machines
system of example 3.2. In this example an extra shared event, y, is used to allow
more exible arrangements of the system. The system is arranged in order to satisfy
the following specications
The second machine can be initiated after event c
1
and must terminate before
the event d
1
(event x is used to initiate and terminate the second machine).
The third machine works only after the rst machine and must terminate before
any of the two machines can start again.
This arrangement can be represented as a hierarchical layout structure as shown in the
Figure 3.8. In this gure, the layout K
1
restrict the rst two machines in accordance
with the rst specication. The second specication is handled at the second level
using the upper level layout. Note that in the rst level the abstract event Z refers to
the event shared between the composition of the rst two machines (under K
1
) and
the third machine, namely the event y.
66
L1
a1
b1
c1
d1
X
U
a2
c2
b2
L2
b3
c3
d3
L3
a3
V W
Y
X
V
X
x
y y
x
U, Y
W, Y
Z
Z Z
U1
U1
V1
V1
K1 K2
U1 V1
Figure 3.8: Three machines in a hierarchical interaction structure
67
Note that each node in this diagram together with all its descendants denes
an integral part of the system and therefore can form their own independent STD
which can be represented by a node in the systems STD. The following gure shows
the above system under the interaction language generated by the above interaction
structure.
L1
y
a1
b1
c1
d1
x
X
U
a2
c2
b2
L2
x
y
b3
c3
d3
L3
a3
V W
Y
W
W
Y
U
U
Y
V
X
V
Figure 3.9: The IDES of the three machines system

68
The above example shows the exibility of the System Tree Diagram in particular
and the settings of the IDES model for multiprocess systems in general. The STD
provides easy access to the system components and their interaction (architectural)
specication. Modications and expansions can be carried out eciently to any part
of the system. In the last example, for instance, any of the given machines can be
expanded into a set of machines having their own interaction. Also, the interaction
between the rst two machines can be modied. These changes can be done locally
without the need to change other parts of the system.
3.8.2 Multilevel Decomposition
It is shown earlier that any language can be decomposed into a IDES structure. In
this section, we extend the decomposition procedure for process space structures.
Under this extension, a given specication for a hierarchical system can be converted
to an IDES with an interaction structure that matches that of the system.
Let =
n
[ n [1 . . . N] be a an N-level process space structure over
the process space and let S be a language in L(). An interaction structure
= (, K) is said to be a compensation structure for S if the composition of P

(S)
under the interaction structure is equal to S, namely
S = B

(P

(S), )
Based on Theorem 3.1, is a compensation structure for S if and only if K

(S). Let
1
= (, K
1
) and
2
= (, K
2
) be two interaction structures. The
componentwise union of
1
and
2
is denoted
1
.
2
and is given as a structure

1
= (, K) where
K = K
n1
. K
n2
[ n [1 . . . N]
That is, the interaction vectors of K are the componentwise union of the correspond-
ing interaction vectors in K
1
and K
2
. Componentwise intersection of interaction
structures is dened similarly. Note that in both operations the arguments and the
69
output are structurally matched, namely, dened over the same process space struc-
ture . It can be shown easily that the set of compensation structures for a given
language S is closed under componentwise union and therefore has a supremal ele-
ment. Clearly, if is the supremal compensation structure for S then K

=

C

(S).
However, the other direction does not generally hold.
For a process space and N-level process space structure over with N > 1,
it is easy to see that the supremal compensation structure for a language S

is
given by (, K) where,
K
i
= P

i
(

) i [1 . . . N 1]
and K
N
=

(S). That is, the rth component of K

j
K, with 1 j < N
is given as K
r,j
=

r,j
. For example, with respect to the process space structure of
Example 3.3, a language S

can be decomposed into the following multilevel

IDES with optimal compensation structure.

1,A

1,B
P
1
(S) P
2
(S) P
3
(S) P
4
(S)

(S)
The supremality of this compensation structure is direct based on the associativity
of the synchronous product operation.
70
Chapter 4
Behavioural Aspects of Interacting
Discrete Event Systems
The IDES model contains two basic elements dening the overall behaviour of the
system, namely a language vector that represents the system components, and an
interaction specication that restricts the composite behaviour of these components.
Considering only compact language vectors, a unique language vector is associated
with any given composite behaviour (decomposable language). However, in general,
a set of interaction specications - rather than a unique one - can be associated with
the behaviour of an interacting discrete event system. This exibility in the model
can be utilized to develop ecient behavioural analysis procedures for this class of
systems.
Abstraction can be used to rene the interaction specications of interacting dis-
crete event systems. Clearly, the abstraction procedure has to be ecient itself
before the eciency of the underlying analysis procedure can be claimed. In this
chapter we investigate a class of abstractions that can be computed while avoiding
the direct computation of the synchronous product of the system components. In
addition, we will focus on the case where a well-dened correspondence can be estab-
lished between the system and its abstraction. Such correspondence is essential to
adjust the abstraction procedure such that the required information can be obtained
71
from the abstract representation without revealing unnecessary details about the sys-
tem behaviour. This correspondence also provides important behavioural information
that can be utilized in the analysis process.
Two forms of multiprocess system abstractions are discussed in this chapter,
namely automaton-based and language-based abstractions. Each form ad-
dresses a dierent representation of the underlying system. The objective is to
characterize a class of abstractions that is invariant with respect to the composi-
tion operation. Such invariance can be used to compute the abstraction indirectly
by abstracting the components rst and then computing the synchronous product of
the result. This indirect computation is usually more ecient than the direct one.
Also this procedure preserves the original correspondence between the system and
its abstraction. In IDES the interaction specication is by denition an abstraction
of the system behaviour. Certain behaviour patterns in the interaction specication
can be used to identify an abstraction map that links the system behaviour with the
given interaction specication. An IDES with such map dened is referred to as a
structured IDES.
Finally, in this chapter, the compactness property is extended to interacting
discrete event systems. This property ensures that the vector language component
of a given IDES can be retrieved from its composite behaviour via the decomposi-
tion operation. This resolves one issue for the order preserving requirements of the
composition operation. This property is a necessary condition for some behavioural
analysis results in this thesis. It is shown that the compactness of an IDES requires
the compactness of its language vector. In addition, compactness depends on the
interaction language of the system. Based on this dependence we introduce the no-
tion of complete languages. A combination of a complete interaction language and
compact language vector is a compact IDES. Although, there is no known way to test
the completeness of a given language, a set of results is presented to help in testing
this property for certain classes of interaction languages.
72
4.1 Abstraction in process spaces
Abstraction is a common strategy for containing the complexity of multiprocess sys-
tems. In the abstraction process, the system dynamics is encapsulated into a simpler
model. This simpler representation is usually established so that it contains enough
information about the system behaviour to carry out the required analysis.
It is important to draw a distinction between the notions of abstraction and re-
duction as generally adopted in literature. Given a property P and a system L, a
reduction for L with respect to P will result in another simplied representation of
L, namely L

such that L satises property P if and only if L

satises the same

property. Therefore, reductions by denition guarantee a solution to the given prob-
lem. However, reductions are usually hard to nd and computationally expensive.
Moreover, they are specic to the property at hand and have to be adjusted and
recalculated for other properties.
Abstraction, on the other hand, retains enough information about L such that L
satises property P if L

satises the same property

1
. In general, the same conclusion
applies for any other behaviour-based property. In contrast with reductions which
require certain computations, abstractions are usually guessed [Kur94]. However,
abstractions do not guarantee a decisive answer to the problem in the rst run. When
abstractions fail to give such answer, a common technique is to rene the abstraction
iteratively until a solution is found.
Abstraction-based behaviour analysis usually requires a well-dened mapping be-
tween the system and its abstract representation. For instance, in the iterative ap-
proach to behavioural analysis, this mapping is needed to rene the abstraction when
it fails to provide a solution. In this section, we present a class of automaton-based
and language-based abstractions that provide such a correspondence. Moreover, this
correspondence is dened directly based on the relation between components and their
abstraction, without the need to compute the composition of the system components.
1
In particular the property P we deal with in this thesis is that of language inclusion.
73
4.1.1 Automaton-based abstraction
The target of automaton-based abstractions is the nite state structure of the system.
In this form of abstraction the system model is reduced by aggregating its set of
states such that the dynamics of the aggregated system preserves the transitions of
the original system. In such construction, it is always guaranteed that the behaviour
of the original system is a subset of the behaviour of its abstraction. Also, there
is a well-dened mapping between the abstract system and the original one. This
correspondence takes the form of automaton homomorphism.
An automaton homomorphism is a transition preserving map dened over the
state sets of the underlying transition structures. Formally, let A = (Q, , , q
o
, Q
m
)
and B = (Q

, q

o
, Q

m
) be two automata. An automaton homomorphism from A
to B is a map H : Q Q

that satises,
1. (q Q)( ) H((q, )) =

(H(q), )
2. H(q
o
) = q

o
3. H(Q
m
) Q

m
It is straightforward to see that based on the denition of H it is always the case
that L(A) L(B). An automaton epimorphism from A onto B is a homomorphism
where H is surjective and, in addition, the inclusion in the third condition above is
replaced by equality. In this case we say that B is a homomorphic image of A.
Consider the automaton A = (Q, , , q
o
, Q
m
). Let be an equivalence relation
on Q. The quotient automaton of A with respect to is denoted A/ and is equal to
(Q/, ,

, q
o
/, Q
m
/) where

is dened as follows

(X, ) = Y = (q X)(q

Y ) (q, ) = q

In general the quotient automaton A/ can be non-deterministic as several states

with common eligible events may collapse to a single state under the partition while
the targets of these events remain distinct. An admissible partition of the automaton
74
A satises
((q, q

) )( ) (q, )! (q

, )! = ((q, ), (q

, ))
Clearly, A/ is deterministic if and only if is admissible. It is easy to prove that for
a given partition , the coarsest admissible partition that is ner than always exists.
In the implementation of automaton-based abstractions, we will only consider admis-
sible partitions to avoid unnecessary complications resulting from non-determinism.
Let be a partition on the automaton A and let F

: Q Q/ be the corre-
sponding map. It is easy to see that F

is an epimorphism between A and A/. The

map F

is referred to as the natural epimorphism dened by . The next theorem

is a simple restatement of the standard homomorphism theory. It emphasizes the
natural correspondence between automaton epimorphisms (an external relation) and
quotients (an internal relation).
Theorem 4.1. Let A and B be two machines and H be an epimorphism from A to
B. Suppose that is a partition on A satisfying ker H. Then there exists an
epimorphism G from A/ to B such that H = GF

. Furthermore if = ker H then

G is an isomorphism.
The above theorem denes the correspondence between the system and its aggre-
gate representation. The issue now is to see if such correspondence remains under the
composition operation and if so in what form. To this end, consider the two automata
A
i
= (
i
, Q
i
,
i
, q
oi
, Q
mi
) where i [1, 2]. Let
i
be an admissible partition for A
i
.
Dene the partition
1,2
of the Cartesian product Q
1
Q
2
as follows
(q
1
, q
2
)

1,2
(q

1
, q

2
) q
1

1
q

1
q
2

2
q

2
That is, two compound states are equivalent with respect to
1

2
i their compo-
nents states in the same automaton are equivalent with respect to the corresponding
partition.
75
Proposition 4.1.
(A
1
|A
2
)/
1,2

= (A
1
/
1
)|(A
2
/
2
)
Proof. Clearly, the set (Q
1
Q
2
)/
1,2
is isomorphic to the set Q
1
/
1
Q
2
/
2
. This
isomorphism is established by the equality
(q
1
Q
1
)(q
2
Q
2
) [(q
1
, q
2
)]

1,2
= [q
1
]

1
[q
2
]

2
Therefore, we have [(q
1o
, q
2o
)]

1,2
= ([q
1o
]

1
, [q
2o
]

2
), and similar equality holds for
each combination of marker states. Next we show that this isomorphism is preserved
under the transition mappings in both structures. Let be the transition map in
(A
1
|A
2
)/
1,2
, be the transition map in (A
1
/
1
)|(A
2
/
2
),
1,2
be the transition map
in A
1
|A
2
, and

i
be the transition map in A
i
/
i
. Assume that, (x, ) = x

for
some
1

2
. Then there must exist (q
1
, q
2
) x and (q

1
, q

2
) x

such that

1,2
((q
1
, q
2
), ) = (q

1
, q

2
). Therefore, we have
1
(q
1
, ) = q

1
and q
2
= q

2
. Then

1
([q
1
]

1
, ) = [q

1
]

2
and therefore (([q
1
]

1
, [q
2
]

2
), ) = ([q

1
]

1
, [q

2
]

2
). However,
[q
1
, q
2
]

1,2
corresponds to ([q
1
]

1
, [q
2
]

2
) under the isomorphism and so does [q

1
, q

2
]

1,2
with ([q

1
]

1
, [q

2
]

2
). Therefore, the isomorphism is preserved under any transition
with event from
1

2
. Similarly, this can proved for events from
2

1
and from

1

2
.
Based on the above result, any partition of the local components of a given system
directly corresponds to a partition of the composite structure. Moreover, the corre-
sponding partition of the composite structure is totally specied by the partitions of
the system components. A result similar to that of Theorem 4.1 can be obtained for
epimorphism mapping. Let h
i
: A
i
B
i
with i [1, 2] be two epimorphism maps.
Dene the map h
1,2
: Q
1
Q
2
Q
1
Q
2
as follows
(q
1
Q
1
)(q
2
Q
2
) h
1,2
(q
1
, q
2
) = (h
1
(q
1
), h
2
(q
2
))
It is easy to see that this map is well-dened. Moreover, this map denes an epi-
76
morphism on the automaton A
1
|A
2
to the automaton h
1
(A
1
)|h
2
(A
2
) namely the
composition B
1
|B
2
. The following result is a direct consequence of the previous
proposition together with Theorem 4.1.
Corollary 4.1.
h
1,2
(A
1
[[A
2
)

= h
1
(A
1
)|h
2
(A
2
)

Similarly here the map h

1,2
is totally dened by the maps h
1
and h
2
. The above
results show that automaton-based abstraction can be performed by abstracting the
components rst and then composing the abstracted structures. This approach will
be referred as indirect abstraction. Clearly, this is generally more ecient than the
direct abstraction approach where the synchronous product is computed rst then the
composite structure is then abstracted. Figure 4.1 shows both directions in computing
the abstraction h
1,2
(A
1
|A
2
). The corresponding partitions is shown by the dashed
boxed.
Abstraction-based analysis may require the renement of the system abstraction
iteratively until a solution is found. Such iterative procedure is usually required
to be nite, ending with the identity map where the abstraction of the system is
the system itself. In this case, the number of available renement steps will have a
signicant impact on the eciency of the iterative procedure. More renement steps
bring a better resolution which in turn helps to reach a level of abstraction closer to
the exact amount of information needed to solve the given problem. Therefore, the
maximum number of possible renement steps can be used as a quality measure for a
given abstraction scheme. In automaton-based abstractions, this number is equal to
the length of the maximum chain in the lattice of all possible (admissible) partitions
of the system.
The maximum number of renement steps can show the limitation of indirect ab-
straction compared with direct ones. In Figure 4.1, for instance, we have a maximum
of 6 possible renement steps using indirect abstractions compared with 9 for the di-
77

h
1
h
2
h
2
h
1
A
2

y
x b
2
z
a
2
2
1
0
a
1
b
1
y
x
z
0
1
2
A
1
0 1,2
a
1
x
y
b
1
, z
B
1
x
y
z
a
2
b
2
0,1 2
B
2
B
1
B
2
a
1
b
2
a
1
b
2
x
y
z
A
1
A
2
a
2
b
2
a
2
b
2
a
2
b
2
a
1
b
1
a
1
b
1
a
1
b
1
z
y
x
Figure 4.1: Two way abstraction of a multiprocess DES
78
rect one. In the general case of a system with index set I where the state size of each
component is equal to n
i
for i I, it is easy to verify that the maximum number of
renement steps is equal to

iI
n
i
while direct abstraction has up to

iI
n
i
steps.
4.1.2 Language-based abstraction
Language-based abstractions target the behaviour (language) of the system rather
than its nite state model. In general, abstractions are required to preserve the
original behaviour of the system. Starting from this condition, language-based ab-
stractions can take dierent forms depending on the scope of analysis. The class of
monotonic maps and its catenative subclass are examples of language-based abstrac-
tion maps. Monotonicity is needed to preserve the containment order on the set of
languages, which is required in behavioural comparison of DES. Similar to the case
with automaton-based abstraction, the aim here is to dene a class of language-based
abstractions that can be computed eciently without losing the correspondence with
the original system.
A general class of language-based abstraction maps can be dened based on the
above two features, namely, a monotonic map that preserves the original behaviour of
the system. For the alphabet set a map G :

L() is said to be an extension

map if
(s

) s G(s)
Therefore, an extension map extends and preserves the behaviour of its arguments.
It is easy to see that extension maps are monotonic. A catenative map is a map that
is invariant with respect to the catenation operation, namely, a catenative abstraction
map G :

L() satises
(s
1
, s
2

) G(s
1
s
2
) = G(s
1
)G(s
2
)
Therefore, catenative maps are semigroup substitutions and hence completely dened
by specifying only the image of each element in under the mapping. A
79
catenative extension map from

to L() will be referred to as a -abstraction map.

-abstraction maps can be implemented as transducers
2
. The output mapping
of any transducer is monotonic by denition. Therefore a transducer denes a -
abstraction map if transition outputs contain the triggering event, and when any two
transitions with the same event always have the same outputs. -abstraction maps
will be referred to simply as abstraction maps if is known from the context.
A map F :

L() is said to be prex preserving if F pre = pre F.

This property ensures that the evolution history of the system is preserved under the
map. For abstraction maps, this feature is important when the information about the
evolution history of the system is crucial to the underlying analysis. The following
standard result is needed in characterizing prex preserving abstractions.
Lemma 4.1. Let A, B be two languages in L(). Then
1. A B = A B, and A B A B
2. AB = A AB

The following proposition establishes the condition for a given abstraction map to
be prex preserving.
Proposition 4.2. Let G be a -abstraction map. Then
pre G = G pre ( ) G() = G()
Proof. () This follows directly from the condition.
() We will proceed with induction on string length. The case when the length is
0 holds as we have G() = G() and G() by denition. Also the case when the
length is 1 holds by the given assumption on G. Next assume G(s) = G(s). We want
2
Transducers are extensions of Mealy machines where transition outputs can be any regular
language [Ber79].
80
to show that for all , G(s) = G(s).
G(s) = G(s s) = G(s) G(s)
= G(s) G(s)G()
= G(s) G(s) G(s)G() (G(s) G(s))
= G(s) G(s)(G() G())
= G(s) G(s)G()
= G(s)G() = G(s)
The extension to languages is straightforward given that the prex closure operation
distributes over union.
Therefore, an abstraction map is prex preserving if the image of each event is
either prex closed or only missing the empty string, , from its prex closure. For
example, based on this result, the abstraction map G :

L() where G() =

and G() =
+
for all is prex preserving. Also, this result shows that the
composition map P
1
P is always prex preserving where P is a natural projection
map.
Let be an alphabet vector with index set I and let G be a -abstraction where
= (). The map G is said to be -compatible if it satises G() = and
( ) G() []

Recall that []

denotes the coset of the index equivalence relation, c

, that contains
the event . We will refer to -compatible abstraction maps as -abstraction maps.
Hence, -abstraction maps are (monoid) substitutions that extend each event
within the intersection of those components containing .
A -abstraction map that satises the above condition (-compatible) will be sim-
ply referred to as -abstraction map. It is important to note that in a -abstraction
map shared events are mapped to languages over events shared by exactly the same
set of components. The following proposition provides another characterization of
81
the class of -abstraction maps. This characterization is based on the set of natural
projection operations over the process space components.
Proposition 4.3. Let be an alphabet vector with index set I and let G :

L() be a -abstraction map such that = (). Then G is -compatible if and
only if
(i I) P
i
G = G P
i
Proof. () Assume that G satises G() = and for all we have G() []

.
Let be an event in . If
i
then P
i
(G()) = G() = G(P
i
()). Otherwise,
if ,
i
then P
i
(G()) = = G() = G(P
i
()). Therefore for all we have
P
i
G = G P
i
for all i I.
() Assume P
i
G = G P
i
. Let
i
then G(P
i
()) = G() = P
i
(G()).
This implies that G()

i
. For ,
i
then G(P
i
()) = G() = = P
i
(G()).
Therefore we have (G())
i
= for any ,
i
. This conrms that the map G
is -compatible
It is straightforward to verify that the condition for any -abstraction map, G,
to be prex preserving as given in Proposition 4.2 is equivalent to stating that
( )(H []

)( []

) G() = H
That is, a -abstraction map is prex preserving if each event is mapped to a prex
closed language possibly combined with a set of events within its coset []

in the
alphabet set .
Next the relation of -compatible abstraction maps with the inverse projections
maps will be investigated. Write G
i
for the restriction of G to the domain L(
i
).
Proposition 4.4. Let G be a -abstraction map. Then
(i I) G P
1
i
P
1
i
G
i
82
Proof. Let G be a -abstraction map. Then for i I and a language L
i

i
we
have
s G(P
1
i
L
i
) = P
i
s P
i
G(P
1
i
L
i
)
= P
i
s G(P
i
P
1
i
L
i
)
= P
1
i
P
i
s P
1
i
G(L
i
)
= s P
1
i
G(L
i
) (s P
1
i
P
i
s)
Then G(P
1
i
L
i
) P
1
i
G(L
i
).
It is easy to see that the above result does not depend on whether G is catenative
or not. It is only required to satisfy P
i
G = G P
i
for all i I. Therefore,
this result can be used for a more general class of -abstraction maps that are not
necessarily catenative. Note also that the other direction in the above proposition
does not hold in general. The following proposition shows that an extra condition is
required for the other direction to hold.
Proposition 4.5. Let G be a -abstraction map. Then
(i I) P
1
i
G
i
= G P
1
i
( ) G() []

Proof. () Assume that P

1
i
G
i
= G
i
P
1
i
and assume that for we have
G() = H where H []

. Then based on the initial assumption, it must be

that G
i
(P
1
i
()) = P
1
i
(G
i
()). This implies that P
1
i
(H) = (
i
)

H(
i
)

.
We claim that for every s H it must be that [s[ 1. To show this, assume
there exists a string s H with s =
1

2
. . .
n
where n 2. Then we will have

1
(
i
)

2
. . .
n
P
1
i
(H). However,
1
(
i
)

2
. . .
n
, (
i
)

H(
i
)

as s H and H

i
contradicting the above assumption. Then it must be that
every s H is such that [s[ 1. This implies that G() []

for all .
83
() Assume that ( ) G() []

. Then
G
i
(P
1
i
()) = G
i
((
i
)

(
i
)

)
= G
i
((
i
)

)G
i
()G
i
((
i
)

)
= (
i
)

G
i
()(
i
)

= (
i
)

G
i
()
(
i
)

G
i
()
(
i
)

(
i
)

G
i
()
P
1
i
= P
1
i

G
i
()
= P
1
i
G
i
()
Note that above can be the empty string, . The extension to strings and languages
is straightforward based on the assumption that G
i
and P
1
i
are both catenative and
distribute over union.
To simplify notation, the composition P
1
i
P
i
: L() L() may be denoted P
i
.
The map P
i
associates every language in

with the maximal language equivalent to

it with respect to the relation ker P
i
. Note that P
i
is a prex preserving, catenative
-abstraction map. However, it is not -compatible.
The relation between abstraction maps and the composition operation can now
be explored based on the above results. First, the invariance of the abstraction map
with respect to the composition operation is investigated. Let G be a -abstraction
map. The map G is said to be composition invariant if
(L L
c
()) B

(G(L)) = G(B

(L))
Recall that G(L) denotes the language vector G(L
i
) [ i I, and L
c
() is the
set of compact language vectors. The set of -abstraction maps is not in general
composition invariant even if it is invariant with respect to inverse projections as
shown in the following example.
Example 4.1. Consider the process space = a, x, y, b, x, y and let L
1
=
(aax, ay) and L
2
= (xbb, yb). Now, consider the language vector L = L
1
, L
2
and
the natural abstraction map F

for the process space . Clearly, L is compact

84
and the map F

is invariant with respect to inverse projections. However, axbb

F

(L
1
) | F

(L
2
) while axbb , F

(L
1
| L
2
).
The following proposition explores the relation between the synchronous product
operation and the set of -abstraction maps. Note the necessity of the compactness
property to this result.
Proposition 4.6. Let L be a compact language vector and let G be a -abstraction
map. Then
G(B

(L)) B

(G(L))
Proof. Let s

be a string where = (). Then

s G(B

(L)) = s

iI
P
1
i
P
i
G(B

(L))
= s

iI
P
1
i
G(P
i
(B

(L)))
= s

iI
P
1
i
G(L
i
)
= s B

(G(L))
Therefore, G(B

(L)) B

(G(L))
Note also here that the above result does not depend on whether G is catenative or
not. The other direction of the inclusion in the above proposition does not generally
hold even when L is compact as shown in the last example.
The main problem regarding the invariance of the abstraction with respect to the
synchronous composition operation is in the synchronization mechanism. In general,
under a -abstraction map, it is possible that incomposable string vectors in the
system components map to composable string vectors. For example, consider the
process space = (a, x, y), (b, x, y), and the map G dened as follows
G(a) = a, G(b) = b, G(x) = G(y) = x, y
The string vector s = ax, yb is incomposable (x,y are shared events). Therefore,
G(B

(s)) = G() = . However, the language G(s) = (ax, ay), (xb, yb) is compos-
85
able and therefore B

(G(s)) ,= . In order to resolve such cases, abstraction maps

need to be rened such that shared events should not be abstracted under the map.
That is, every shared event is mapped only to itself. This condition is a sucient
and necessary condition to obtain the composition invariance property as shown in
the following proposition.
Proposition 4.7. Let G be a -abstraction map. Let
s
be the set of shared events
in , and
a
be the set of non-shared events. Then G is composition invariant if and
only if
G()
_
_
_
[]

if
a
= if
s
Proof. The proof here is for the case when the process space contains two compo-
nents. The general case can be proved similarly.
() Assume that G is composition invariant. Then based on the last propositions it
must be that for all we have G() []

. Now assume that for some shared

event
s
we have a []

such that , a G(). Then we will have

G(|a) = while a G()|G(a) irrespective of what G(a) is, as a G(a). Therefore
it must be that G() = for all
s
.
() It was shown earlier that G(L
1
| L
2
) G(L
1
) | G(L
2
) holds in general for
any compact language vector L = L
1
, L
2
. Assume s G(L
1
) | G(L
2
). Then
there must exist u
i
P
1
i
P
i
(L
1
|L
2
) such that s G(u
i
) for i 1, 2. We
can write s =
1
. . .
n
where n = [s[ and
r
for all r [1 . . . n]. Then
we can write u
1
= X
1

1
X
2
. . . X
n

n
X
n+1
where
r
and
r
G(
r
) for all
r [1 . . . n], and X
r

a
with G(X
r
) for all r [1 . . . (n + 1)]. We can
also write u
2
= Y
1

1
Y
2
. . . Y
n

n
Y
n+1
with Y
r
and
r
dened similar to X
r
and
r
re-
spectively. Dene
r
= (
r

1
) (
r

2
). Based on the initial assumption
that G() = for all
s
, it is easy to see that [
r
[ = 1 for all r [1 . . . n].
Let u = (P
1
X
1
)(P
2
Y
1
)
1
(P
1
X
2
)(P
2
Y
2
) . . . (P
1
X
n
)(P
2
Y
n
)
n
(P
1
X
n+1
)(P
2
Y
n+1
). Clearly
s G(u). Moreover, P
1
u = P
1
u
1
and P
2
u = P
2
u
2
. This implies that u P
1
1
P
1
u
1

P
1
2
P
2
u
2
and hence u L
1
|L
2
. Therefore s G(L
1
|L
2
).
86
The composition invariance property for abstraction maps has two important con-
sequences. First, it ensures that the abstracted behaviour preserves the decompos-
ability of the original system. Consequently, the abstracted behaviour is decompos-
able. Moreover, the components of the abstracted system are given directly as the
abstraction of the system components.
The other benet of this property is computational, namely, it allows the com-
putation of the abstraction indirectly by computing the synchronous product of the
abstracted system components rather than computing the abstraction of the syn-
chronous product of these components (the composite system). It is easy to see that,
the complexity of the indirect abstraction is of the order of the size of the abstract
system which is typically less than the original system.
It should be noted however that composition invariant abstraction is a limited form
of abstraction that may not produce a signicant complexity reduction. In general,
the eciency of the computation of composition invariant abstractions depends on the
system. In certain situations, a signicant reduction can be obtained. For instance,
for asynchronous systems (no shared events) or when the system components contain
repeated patterns and such patterns are the target of the abstraction; for instance, the
repeated pattern in the language L
1
= (a
1
b
1
, a
2
b
2
, a
3
b
3
) can be abstracted to ab where
a = a
1
, a
2
, a
3
and b = b
1
, b
2
, b
3
(assuming all a
i
and b
i
are asynchronous events).
On the other hand if all events are shared no composition invariant abstraction can
be achieved.
The following proposition presents a more relaxed condition where a given -
abstraction function can be computed without computing the synchronous product
of the system.
Proposition 4.8. Let G be a -abstraction map such that G() = for all
s
.
Let L be a language vector in . Then,
G(B

(L)) =

iI
G(P
1
i
L
i
)
87
Proof. We will prove the proposition for two components process space. The general
case can be proved directly by induction on the number of components in the process
space. In general, G(P
1
1
L
1
P
1
2
L
2
) G(P
1
1
L
1
) G(P
1
2
L
2
) so we only need
to show the other direction of the inclusion. Assume s G(P
1
1
L
1
) G(P
1
2
L
2
).
Then there must exist u
i
P
1
i
L
i
for i 1, 2 such that s G(u
1
) G(u
2
).
We can write s = S
1
. . . S
n
where for all r [1 . . . n], the nonempty string S
r
is
either in (
1

2
)
+
or in (
2

1
)
+
, or is equal to some
s
. Then we can
write u
1
= X
1
X
2
. . . X
n
where X
r
(
s
)
+
if S
r
(
s
)
+
, and X
r
=
if X
r
=
s
. The sequence X
1
, X
2
, . . . , X
n
as dened above is not unique
but at least one such sequence must exist in order for s to be in G(u
1
). Similarly
we can write u
2
= Y
1
Y
2
. . . Y
n
with Y
r
dened exactly as X
r
. Let Z
r
=
r
if S
r
=

s
, otherwise Z
r
= (P
1
X
r
)(P
2
Y
r
). Clearly this ensures that S
r
G(Z
r
) for all
r [1 . . . n]. Let z = Z
1
Z
2
. . . Z
n
. Hence s G(z). Moreover, P
1
z = P
1
u
1
and
P
2
z = P
2
u
2
. Therefore z P
1
1
P
1
u
1
P
1
2
P
2
u
2
and hence z P
1
1
L
1
P
1
2
L
2
. This
implies that s G(P
1
1
L
1
P
1
2
L
2
) G(P
1
1
L
1
).
The condition in the above proposition restricts only the map of shared events.
It requires that every shared event in the system to be mapped to itself. Clearly,
the above result can be applied directly to any asynchronous systems under any -
abstraction map with no restriction. Similar to the previous result, the eciency of
computing G(B

(L)) as given in the above proposition depends on the system and

the abstraction map.
As indicated by the last two propositions, the eciency of computing the ab-
straction of a given system depends on the coupling between the system components
as expressed by their shared behaviour. In general, a more ecient computation of
the abstraction can be expected for loosely coupled systems compared with that for
tightly coupled ones. This observation regarding the relation between the compo-
nents coupling and computational eciency will become more evident throughout
this thesis.
88
Implementation remark
Typically, model abstraction is conducted manually within the modelling and analysis
stages. The information content of common abstraction schemes can provide some
guidance for the abstraction process. Consider, for instance, the set of events . First
we need to gure out if certain subset
r
of is irrelevant with respect to a given
analytical situation - a specication for example. That is, roughly speaking, events in

r
appear equivalent, and so separating these events would not add any information
to solve the given problem
3
. In such cases, depending on the amount of information
we need about this set of events with respect to a given analytical situation, we can
further map this set of events to anywhere from

r
to
r
. The former mapping
corresponds to the minimum amount of information, namely, the possible occurrence
of this set of events within certain contexts in the system dynamics
4
. Another level
of abstraction corresponds to the mapping to
+
r
. The information in this map is
also contextual. However, in this case, more information about the context of this set
of events in the system dynamics is provided. The nest level of abstraction maps
every event in
r
to the set
r
. Under this abstraction, events in
r
have exactly the
same contexts in the abstracted system dynamics. Although, there are many other
possibilities for abstraction mappings, the above three cases are usually sucient for
typical (catenative) abstraction situations.
4.1.3 Abstraction of interacting discrete event systems
In interacting discrete event systems the interaction specication is in itself an ab-
straction of the system behaviour. Therefore, it is only required here to identify a
suitable mapping between the system and its interaction specication. Similar to the
case of language-based abstractions, we will only consider the case when such map-
ping is monotonic. The following result shows that such mapping can be established
3
For instance, the distinction between the events a
1
and a
2
in the language L = (a
1
b
1
, a
2
b
2
) is
irrelevant with respect to the specication S = (a
1
, a
2
b
1
, b
2
).
4
Note that this mapping is dierent from the map P
1
r
P
r
where P
r
:

r
is a natural
projection map, which does not provide any information about the set
r
.
89
under certain conditions.
Proposition 4.9. Let (L, K) be an IDES in the process space , where L _ P

(K)
and let F be a -abstraction satisfying K = F(K), and K F(B

(L)). Then
K = F(B

(L, K))
Proof. In general, as F is an extension map we get K F(K). The set of languages
satisfying F(L) = K is closed under union and therefore has a supremal element.
This element must be K, otherwise we will have K

K with K = F(K

) implying
that F(K

) K

contradicting that F is an extension map. Now K F(B

(L))
implies that there exists X B

(L) such that K = F(X). This is based on the

assumption that F is a -abstraction map and that L _ P

(K). Therefore X K.
Then X B

(L) K and as F is monotonic we get F(X) F(B

(L) K). Hence,

K F(B

(L) K). Also, in general, F(B

(L K)) F(B

(L)) F(K). Given

that K = F(K) and K F(B

(L)), then we get F(B

(L K)) K. Then it must

be that K = F(B

(L, K)).
Therefore, in order to establish a mapping between the system and its interaction
specication, we need rst to nd a -abstraction map F such that K = F(K), and
then to test if this map satises K F(L).
In general, nding a suitable map for a given K is an exercise in creativity. How-
ever, in certain situations the map F can be identied by examining each occurrence
of an event in the transition structure of K and identifying its invariance
domain. In another words, for the event we try to obtain a maximal language K

that always occurs in the same context within K. Namely,

(u, v

) uv K uK

v K
The language K

can then be a candidate image of under the map F that we

are looking for. This search continues until the images of all events can be
specied. When K is simple enough, the above procedure can lead to a suitable
90
(coarse) -abstraction map F such that K = F(K). Consider for instance the layout
of the serial composition K = U

in the asynchronous process space =

1
,
2

where U =
1
and V =
2
. It is easy to see that every event in
i
is invariant with
respect to the language

i
where i = [1, 2]. Therefore, the map F dened as follows
(i [1, 2])(
i
) F() =

i
satises K = F(K). Note that if F satises F(K) = K then so is any function G such
that id G F. Next we check to see if K F(B

(L)) for the given IDES. To check

this eciently, it is necessary to be able to compute F(B

(L)) eciently. This is the

case for above map as it satises the conditions of Proposition 4.8. Note also that if
F(B

(L)) can be computed eciently using Proposition 4.8 then so is any G(B

(L))
where id G F. Therefore, once a -abstraction mapping between the system
and its interaction specication is dened, renements of this mapping become handy.
For instance, the above functional description of the serial composition layout can be
rened to G given as
G() =
_
_
_

1

1

+
2

2
Clearly, G is also an extension map. Here we get K = G(K) automatically. And for
any given L _ P

(K), the abstraction G(B

(L)) can be computed eciently using

Proposition 4.8.
Structured IDES
The case when the interaction language is associated with the system behaviour
through a monotonic map is of special importance in behavioural analysis of IDES
and therefore will be given a special notation. We will distinguish those IDES models
where such a map is given as structured interacting discrete event systems. Formally,
a structured interacting discrete event system (SIDES) is a tuple L = (L, K, F) such
that
K = F(B

(L, K))
91
Calligraphic letters will also be used to denote SIDES structures. Similar to the case
with IDES, the ith component of the SIDES will be denoted L
i
, and the language
generated by an SIDES L is given by B

(L). Note that having K associated with

L = B

(L, K) via a monotonic map completes the picture of L being composed of

the images of L under a set of monotonic maps (the maps P
1
i
P
i
are obviously
monotonic). That is
L =

iI
P
1
i
P
i
(L) F(L)
This feature is of special importance in solving the verication and the supervisory
control problems as will be shown later in this thesis. Note that the supremal com-
pensation map,

C

, could not t in the SIDES structure because this map is not

monotonic in general as was shown in Example 4.3.
Example 4.2. A system of three machines uses a synchronization mechanism for
exible arrangement of the machines. This is implemented using the shared event x
which can be used also to observe the termination of each cycle. The system - shown
below - is arranged such that machines 1 and 2 are working in parallel and have to
complete their cycles before the third machine can start.
U, V
U, V
F
X X
W
x x x
c
3
a3
b3
d3
b2
c2
a2
d2
X
W
V
U
d1
c1
a1
b1
92
It is easy to see that the interaction language of the system is invariant with respect
to the map F dened as follows
F(U) = U, F(V ) = V, F(W) = W

, and F(X) = X
where U, V, W, X as given in the convention of the STD above. It is clear also that
F is an extension map. Using Proposition 4.8 to compute F(B

(L)) will reduce the

maximum number of states involved in this computation from 27 to 9 states. It is
then easy to verify that K F(B

(L)) conrming that K = F(B

(L, K)).
Many standard interaction schemes can be formulated such that the underlying
system can be represented as a SIDES. As shown in the above example, simple non-
standard interactions can also be captured in this form. However, in general there
is no mechanical way to establish a monotonic correspondence between the system
behaviour and its interaction specication. Such correspondence has to be guessed
and then checked for correctness.
4.2 Compact interacting discrete event systems
In this section, the compactness property is investigated for the class of IDES struc-
tures and the associated composition operation. Similar to the case with language
vectors, the aim here is to characterize a subclass of interacting DES where the com-
position operation preserves the containment order.
Consider the process space . Let L = (L, K) and o = (S, R) be two IDES in
I(). In general we have,
L _ o = B

(L) B

(o)
This is valid for any two IDES. The problem with behaviour comparison in the IDES
setting is that the other direction cannot be conrmed in general, even when both L
and S are compact as shown in the following example.
93
Example 4.3. Let = a, x, b, x be the process space. Let L = (), (, a),
and S = (, b), (, a) be two language vectors. Let L = (L, K) and o = (S, R)
be two IDES where K =

and R = (

(b, ba)) . Here we have B

(L) = a and
B

(o) = ab. Therefore, B

(L) B

(o). However, L ,_ o.
The other direction would hold if the IDES L is associated with the language
B

(L) via a monotonic function, namely the projection operation. One approach
to establish this direction is to extend the compactness property to IDES class. An
IDES L = (L, K) in I() is said to compact if
P

(B

(L)) = L
That is, L is compact if its language vector can be retrieved from its composite
behaviour using the decomposition operation P

. The class of compact IDES in

will be denoted I
c
().
Proposition 4.10.
L is compact L T

(B

(L))
Proof. () Assume that L = (L, K) is compact. Then L = P

(B

(L, K)). There-

fore, each IDES in the set T

(B

(L, K)) will have the form (L, R), where R

C

(B

(L, K)). Clearly, we have B

(L, K) K. Also we have

(B

(L, K)) = B

(L, K) (B

(P

(B

(L, K))))
c
= (B

(L) K) (B

(L))
c
= (B

(L) (B

(L))
c
) (K (B

(L))
c
)
= K (B

(L))
c
Therefore, we have K

C

(B

(L, K)). Hence, K C

(B

(L, K)). Therefore

(L, K) T

(B

(L, K)).
() This is clear from the denition of the set T

(B

(L, K))
94
The above result is another characterization for the compactness property stating
that an IDES is compact if and only if it can be retrieved from its behaviour through
the generalized decomposition operation. Note the similarity between the denition
of compact language vectors and compact IDES as given in the last proposition. The
eect of the compactness property in the composition and decomposition process in
process space is demonstrated in the following diagram. In this diagram the map
id
1
: L() L() assigns each IDES (L, K) to its language vector L.
Lc() L() L()
Ic() Lc()
P P
id id1 B
B
Figure 4.2: The compactness property
It is important to note that, similar to the case with language vectors, the def-
inition of a compact IDES requires the system components to be associated with
its behaviour via monotonic maps, namely, the class of projection operations. This
requirement resolves part of the problem discussed earlier concerning the order pre-
serving property of the generalized composition operation.
Proposition 4.11.
(L, K) is compact = L is compact
Proof. In general we have P

(B

(L, K)) _ P

(B

(L,

)). Then, if (L, K) is com-

pact we can deduce that L _ P

(B

(L)). Now, given that the other direction of the

(componentwise) inclusion holds in general. Then, it must be that L = P

(B

(L)).
Therefore, L is compact.
95
Therefore, the compactness of the language vector is necessary for the compactness
of the underlying IDES. However, it is not sucient in general. This should be easy
to see as, in general, the interaction language can be chosen arbitrarily. For instance,
for any compact language vector L with B

(L) ,= , setting K = B

(L)
c
will result
in B

(L, K) = . Clearly, the IDES (L, K) in this case is not compact.

Proposition 4.12. Let be a process space and let L be a language in L(). Then
(L T

(L)) L is compact
Proof. Every IDES in T

(L) has the form (P

(L), K) where K C

(L). There-
fore, by denition we have L = B

(P

(L), K) and this implies that P

(L) =
P

(B

(P

(L), K)). Hence (P

(L), K) is compact.
Again similar to the case with language vectors, the above result shows that an
IDES obtained from the generalized decomposition of a given language is always
compact. Based on this result, it is always possible to convert a given IDES L into a
compact one that generate the same behaviour. For instance, one such IDES would
be given by

T

(B

(L)) which can be directly computed from B

(L). However, such

construction requires the computation of the composite behaviour of L and therefore
is not ecient.
4.3 Complete interaction specications
In this section, we characterize the class of complete interaction specications. A
combination of a complete interaction specication and any compact language vector
in its domain produces a compact IDES structure. The completeness property can
ensure the compactness of a given IDES without the need to compute the composite
structure.
For a process space , an interaction language K

is said to be complete
if the restriction of the composition of any composable string vector in its domain,
96
P

(K), to K is not empty. Formally, K is complete if

(s E P

(K)) B

(s, K) = = B

(s) =
That is, an interaction specication is complete if it contains at least one string in
the composition of any composable string vector in its domain.
Example 4.4. Let = a, x, b, x be a process space. In this process space,
the interaction language K = (xax, xbx) is not complete as the language vector
L = (xx), (xx) is within the domain of K and B

(L) = xx ,= but B

(L, K) = .
On the other hand, the layout K = axb, aaxb is complete. Also, in the asyn-
chronous process space,

= a, b, the interaction language K = (ab, aaabb) is

incomplete as the composable string vector s = (a), (bb) is within the domain of
K, however, we have B

(s, K) = .
In asynchronous process space (no shared events) every string vector is compos-
able. In this case, the condition for completeness reduces to,
(s E P

(K)) P

(B

(s, K)) = s
For a general process space, the decidability of verifying the completeness of a given
language is an open problem. However, simple interaction specications can usually
be checked for completeness by inspection with little eort. It is easy to see that the
languages

, , are all complete by denition. Also, it is straightforward to check

that all forms of parallel compositions discussed in the previous chapter are complete.
It is easy also to check that the interaction language for interleaving is not complete.
For instance, given the process space = a, b, the string vector t = a, bbb
is in P

(K), however, B

(t, K) = . The following two propositions can be used to

identify and construct complete interaction languages.
Proposition 4.13. Let G be a -abstraction map and s

be a string. Then the

language G(s) is complete.
97
Proof. We will proceed by induction on the string length. The initial step with [s[ = 0
holds as by denition G() = . Assume that for a string s

, G(s) is complete. We
want to show that G(s) is complete. First we have G(s) = G(s)G() with G()
[]

. Let t E P

(G(s)). Then for all i I we have t

i
P
i
G(s) = G(P
i
(s)). Let
J be the set of components in I that contains . Then for all i (I J) we have
t
i
G(P
i
(s)) = P
i
G(s), and for all j J we have t
j
G(P
j
(s)) = P
j
G(s)P
j
G().
Then we can write t
j
= t

j
r
j
where t

j
P
j
G(s) and r
j
P
j
G() = G(), for all
j J. However, for the string vector t to be composable it must be that r
j
= r
k
for
all j, k J. Then, under the assumption that t is composable, we can write t
j
= t

j
r
where t

j
P
j
G(s) and r P
j
G(), for all j J. Then,
B

(t) =

i(IJ)
P
1
i
t
i

jJ
P
1
j
t

j
r
_
_

i(IJ)
P
1
i
t
i

jJ
P
1
j
t

j
_
_
r
Therefore, (B

(s))r B

(t). Now, the string vector s with s

i
= t
i
for all i (I J)
and s
j
= t

j
for j J is in P

(G(s)), that is, in the domain of G(s). Hence, by the

completeness of G(s) we have B

(s) G(s) ,= . Also we have r G(), therefore

we can say that (B

(s)) r G(s) ,= . Given that we have (B

(s))r B

(t). Then
B

(t) G(s) ,= .
Based on the above result, it can be shown that all forms of serial composition are
complete. For instance the synchronized serial composition represented by the layout
K = U

can be obtained by a -abstraction of any string uxv where u U,

x X and v V and therefore is complete.
In general, the set of complete layouts is not closed under intersection or union.
For example, in the process space = a, b the interaction languages K
1
=
(ab, abb, bba, aabb) and K
2
= (ba, abb, aab, bbaa) are both complete but their intersec-
tion, K = (abb, bba, bbaa), is not complete as the string vector s = (a), (d) is in
the domain P

(K) but B

(s, K) = . Also, the interaction languages K

1
= (ab)
and K
2
= (aabb) are both complete, however, their union K = (UV, UUV V ) is not
complete as s = (a), (dd) is in P

(K), whereas B

(s, K) = .
98
Proposition 4.14. Let K
1
and K
2
be languages over . Then
1. If K
1
is complete and P

(K
1
) = P

(K
2
), then K
1
K
2
is complete
2. If K
1
and K
2
are complete, then
((i, j I) i ,= j P
i
K
1
P
j
K
2
= ) = K
1
K
2
is complete
Proof. 1. Assume the K
1
is complete. Let t be a string vector in P

(K
1
K
2
). Now
P

(K
1
) = P

(K
2
) implies P

(K
1
K
2
) = P

(K
1
) = P

(K
2
). Therefore, t is in
P

(K
1
). Hence, B

(t) K
1
,= . Therefore, B

(t) (K
1
K
2
) ,= , and hence
K
1
K
2
is complete.
2. Assume the K
1
and K
2
are complete. Let t be a string vector in P

(K
1
K
2
) which
is equal to P

(K
1
)P

(K
2
). Assuming that P
i
K
1
P
j
K
2
= for any i ,= j. Then any
string vector s with mixed components from P

(K
1
) and P

(K
2
) is incomposable.
Therefore, t is composable if and only if t is either in P

(K
1
) or P

(K
2
). Considering
the rst case then B

(t) K
1
,= . Therefore, B

(t) (K
1
K
2
) ,= , and hence
K
1
K
2
is complete.
The rst part of this proposition can be used to show that parallel compositions
are complete. The second part can be used to show that the interaction languages
for renements are complete. For instance, consider the handshaking renement
which can be represented by the layout (U, XV

X)

. This language can be written

as the union of the set of languages (U

XV

XU

)
n
where n N, the set of all
natural numbers. Each one of these language is complete as it is the outcome of a
-abstraction map of the string (uxvxu)
n
where u U and v V . Also n ,= m
implies that P
s
(U

XV

XU

)
n
,= P
s
(U

XV

XU

)
m
for every n, m N. Therefore
K = (U, XV

X)

is complete.
The following theorem establishes the link between the completeness of interaction
languages and the compactness of the underlying IDES structures.
Theorem 4.2. Let K be an interaction specication in the process space . Then
99
K is complete if and only if
(L _ P

(K)) L is compact = (L, K) is compact

Proof. (only if) Assume that K is complete and the language vector L _ P

(K) is
compact. Then we have L = P

(B

(L)). This implies that P

(B

(L, K)) _ L.
Now assume there exists a composable string vector t E L such that t is not in
P

(B

(L, K)). Then it must be that B

(t, K) = which contradicts the assumption

that K is complete. Therefore, it must be that P

(B

(L, K)) = L and hence (L, K)

is compact.
(if) Assume that t is a composable string vector in P

(K). Clearly, t is compact,

that is, t = P

(B

(t)). Therefore, as (t, K)) is compact we get t = P

(B

(t, K)),
hence B

(t, K) ,= . Hence, K is complete.

The above theorem shows that the completeness of the interaction language pre-
serves the compactness property in the transition from the language vector domain
to the IDES domain. Therefore, a compact IDES structure can be constructed by
combining a compact language vector and a complete interaction specication. It
is important to note here that a compact IDES does not necessarily have a com-
plete interaction specication. This should be clear as for any language K the IDES
structure (P

(K), K) is compact irrespective of the completeness of K.

100
Chapter 5
Interacting Discrete Event
Systems: Verication
In the verication stage the system is tested to ensure that it works correctly as
expected. Problems in the system behaviour may originate from the internal in-
teractions and communications between the system components, as dened by the
synchronization mechanism between discrete event systems. Correctness of the sys-
tem can also be measured with respect to a set of external specications that dene
how the system should work. Therefore, the verication can be labelled as either in-
ternal or external depending on the correctness criterion.
The direct approach to verication is to check the system with respect to the
correctness specication through exhaustive search of the systems state space. This
is obviously inecient in dealing with practical multiprocess systems. In this chapter,
we present a set of indirect procedures to verify both the internal and external
correctness of multiprocess and interacting discrete event systems. These procedures
avoid the exploration of the whole state space of the system by focusing on relevant
regions in the system state space. The proposed procedures can be particularly
ecient in dealing with loosely coupled systems, that is, those with relatively limited
synchronous interaction.
101
Detecting blocking is a typical internal verication problem. Blocking corresponds
to the situation when the system reaches a region in the state space where it cannot
exit from. Depending on the possibility of further moves, blocked states can be
described as either deadlock or livelock. In this chapter, an indirect approach is
proposed to detect and identify blocking states of both forms for multiprocess systems.
In this approach, referred to as the detect-rst approach, potential deadlock states
are rst identied and then tested for reachability.
Detecting blocking in interacting discrete event systems is then investigated. As-
suming a set of nonconicting components, we can focus only on those blocking
situations caused by the interaction specication. Two indirect blocking detection
procedures are proposed for special cases when the interaction specication is either
too restrictive or too permissive. The case when the specication is too permissive is
treated by detecting potential blocking situations rst, similar to the approach used
for detecting blocking in multiprocess systems.
The problem of verifying the system behaviour with respect to a given speci-
cation is then considered. One approach to solving this problem eciently (under
certain assumptions) is to decompose the specication into an equivalent IDES and
perform the verication modularly. However, in general, the IDES model does not
carry enough information to support the decomposition approach. Nevertheless,
modular verication can be armative when the specication interaction is a su-
perset of the system interaction language. Also, it is shown that the existence of a
monotonic correspondence between the system behaviour and its interaction speci-
cation can help to obtain a modular solution.
An iterative approach to the verication problem is then discussed. In this
approach, the interaction specication is iteratively rened until it has enough in-
formation to solve the verication problem modularly. The abstraction techniques
discussed in the previous chapter are used here to rene the interaction specication.
The correspondence between the abstracted representation and the system behaviour
is essential to the implementation of this approach.
102
5.1 Blocking in process space
Blocking is a major problem in multiprocess discrete event systems. It originates
from the nature of the synchronous composition operation. Possibilities of blocking
depend strongly on the arrangement of shared transitions in the system components.
The direct approach to detect blocking requires the exploration of the entire state
space of the system. An alternative approach is presented in this section. In this
approach only relevant parts of the system behaviour - related to its shared dynamics
- are explored. Consequently, the complexity of this approach depends directly on the
coupling between the system components and is therefore expected to be generally
more ecient than the direct search in loosely coupled systems.
A dynamic system is said to be blocked if there exists a reachable state from
which the system cannot reach any terminal state. These states are referred to as
blocked states. Formally, for discrete event systems, blocking can be expressed by
the condition L(A) ,= L
m
(A) where A is the automaton model of the system. In
multiprocess environments, the composite system may contain blocked states even if
its individual components are not blocked. Such blocking situations result from the
nature of the synchronous composition operation. In general, any vector language L
in a process space satises
B

(L) B

(L)
where L = L
i
[ i I. However, the other direction of the inclusion does not hold in
general. This is due to the fact that the evolution history of the system components
may contain composable strings that do not contribute to the evolution history of the
overall system behaviour. This should be clear from the fact that incomposable string
vectors with empty behaviour always contain at least one composable prex, namely

I
which has a nonempty behaviour. A language vector L is said to be unblocked or
live if B

(L) = B

(L). Clearly, L is live if the set P

1
i
L
i
[ i I is non-conicting,
that is, satisfying

iI
P
1
i
L
i
=

iI
P
1
i
L
i
103
Blocking originates from the shared dynamics of the system. Therefore, similar to
the compactness property, a system with no shared events is always live. However,
although the liveness and compactness properties are directly linked to the shared
behaviour of the system, they are not related as demonstrated in the following exam-
ple.
Example 5.1. Consider the process space = (a, b, x, y), (c, d, x, y). The language
vector L = (ax, by), (cy, dx) is compact but not live. A blocking situation in this
language vector is shown below.
y
c
d
a
x
b
y x
L
2
L
1
The language vector L = (a, x), (b, y), on the other hand, is live but not compact
as x B

(L) but x , B

(L).
It is important to distinguish between two forms of blocking in discrete event
systems. The rst corresponds to the case when an unmarked reachable state cannot
reach any other state (including itself), that is, when no event can be triggered at the
blocked state. Such state is referred to as a deadlock state. Otherwise, if a blocked
state can reach some other unmarked state it is referred to as a livelock state. Clearly,
the two forms are exhaustive, that is, a blocked state must be of either form but not
both.
104
5.1.1 Deadlock detection in multiprocess systems
Let L be a language vector in . A string s B

(L) is called nonterminal if it is not

in B

(L). A language vector L is said to be deadlock-free if the set of eligible events

at every nonterminal string in B

(L) is not empty. Formally, L is deadlock-free if

(s (B

(L) B

(L)))( ) s B

(L)
Deadlock can be detected by exploring all the state space of the synchronous product
of the system components and identifying those non-terminal states with no eligible
events. An alternative approach is to identify potential blocking states rst and
then to check their reachability. This approach will be referred to as detect-rst
approach. The key to this approach is given in the following result which provides
a characterization for deadlock freeness in multiprocess discrete event systems. For
given a subset J of I, let
(J)
denote the set of events exclusive to the set of J
components. Namely,
(J)
=
jJ

j

iIJ

i
.
Theorem 5.1. The language vector L is deadlock-free if and only if
(s B

(L) B

(L))(J I)
(J)

jJ
Elig
L
j
(P
j
s) ,=
Proof. Let s (B

(L) B

(L)). Clearly this implies that P

i
(s) L
i
for all i I.
Now assume that there exists J I such that
(J)

jJ
Elig
L
j
P
j
(s) ,= . This
could not hold for the case J = as
()
= by denition. Therefore, we must have
a nonempty J and an event
(J)
such that P
j
(s) L
j
for all j J. Therefore
we get P
1
j
(P
j
(s)) P
1
j
L
j
for all j J. However as
(J)
then it must be that
P
1
i
(P
i
(s)) = P
1
i
(P
i
(s)) P
1
i
L
i
for all i I J. Therefore we obtain
s

iI
P
1
i
P
i
(s)

iI
P
1
i
L
i
= B

(L)
Then the system is not deadlocked at any string s satisfying the given condition. The
only if direction is straightforward.
105
The above theorem shows that deadlock can be traced by examining the set of
eligible events at local strings generated by the system components. Clearly, if a
deadlock occurs at a given string then it also occurs at the corresponding state in
the systems automaton, as the Nerode equivalent strings of a deadlocked string must
be deadlocked as well. Based on the above theorem a string s B

(L) B

(L)
identies a deadlock state if and only if
(J I)

jJ
Elig
L
j
(P
j
s)
(J)
=
Therefore, a language vector L cannot be deadlocked at a string s if there exists
an asynchronous (local) event enabled at any of the vector projection components
of this string. The reverse is also true, that is, if an asynchronous (local) event is
enabled in a given local state, then any global state containing this local state cannot
be deadlocked. Therefore, in detecting global deadlocked states, we only need to
consider those combinations of local states all of whose eligible events are shared.
These combinations (global states) are further rened by testing them with respect
to the above criterion to determine if they identify potential deadlock states in the
composite system. Each potential deadlock state is then traced backward to check
if it is reachable in the composite system. The following Proposition, which follows
directly from Lemma 3.1, shows that this search can also be performed by considering
only the shared behaviour of the system.
Proposition 5.1. Let L be a language vector in a process space . Then
B

(L) = B

(P
s
(L)) = .

Therefore, a given potential deadlock state is reachable if and only if the corre-
sponding state in the projected composite system is reachable. Testing reachability
through the projected system, P
s
(B

(L)), can oer a computational advantage in

loosely coupled systems, given that P
s
(B

(L)) = B

(P
s
(L)) as implied by Proposi-
106
tion 4.7.
To further clarify the detect-rst approach for deadlock detection, consider the
language vector L represented by a set of automata A
i
= (
i
, Q
i
,
i
, q
oi
, Q
mi
), i I
where A
i
= A(L
i
). Every automaton A
i
is assumed trim and therefore live. Let
A = |
iI
A
i
be the synchronous product automaton given by the tuple (, Q, , q
o
, Q
m
)
where =
iI

i
and Q Q
1
Q
2
. . . Q
n
be the set of all possible states in
A. Transitions in the automaton A are dened through the synchronous product
operation in the usual way. Write

Q for the set Q
1
Q
2
. . . Q
n
. Clearly, L
m
(A) =
B

(L). However L(A) may not be equal to B

(L) due to possible blocked states in

the composite system. Dene PDS(A) as the set of potential deadlock states in A as
outlined by the last theorem, namely
PDS(A) = (q
1
, . . . , q
n
)

Q[ (J I)

jJ
Elig
A
j
(q
j
(Q
j
Q
jm
))
(J)
=
Therefore, the set PDS(A) can be computed by testing only unmarked local states
1
where all eligible events are shared (no asynchronous events). The set of (actual)
deadlock states in A is then equal to PDS(A) Reach(A), where Reach(A) denotes
the set of all reachable states in A. In another words, a potential deadlock state is an
actual deadlock state if it is reachable from the initial state of the composite system,
namely q
o
= (q
o1
, . . . , q
on
). A direct backward reachability procedure can be used to
determine if a given state q Q is reachable in A.
For loosely coupled systems, testing that a given global state q belongs to the set
Reach(A) can be conducted more eciently by considering only the shared behaviour
of A namely P
s
(A). Based on Proposition 4.7, the projection map P
s
is a composition
invariant map and therefore P
s
(A) can be computed indirectly as P
s
(A) = |
iI
P
s
(A
i
).
The projection operation P
s
denes a correspondence between Q and the set of states
of P
s
(A) which can be identied as a subset X of Pwr(Q). Based on Proposition 5.1,
q Reach(A) if and only if there exists x X where x Reach(P
s
(A)) and q x.
1
This is based on the convention that Elig
B
() = for any automaton B.
107
The complexity of the detect-rst procedure depends to a great extent on the
shared behaviour of the system. The initial part of the procedure detects the set
of potential deadlock states from those combinations of local states with all shared
eligible events. Therefore the worst case complexity of this part is of the order of
[Q
s
1
[ . . . [Q
s
n
[ where Q
s
i
Q
i
denotes the set of states in the ith component of the
system having only shared eligible events. However, the typical complexity of this part
is much smaller than the worst case as many combinations can be excluded during the
test. For instance, if for some J I we have

jJ
Elig
A
j
(q
j
)
(J)
,= , then it follows
from Theorem 5.1 that any global state containing the set q
j
[j J is deadlock-free.
In fact, the eciency of computing the set PDS(A) can vary substantially depending
on the order at which the set of local states are tested with respect to the deadlock
condition given in Theorem 5.1
2
.
In the second part of the procedure, the reachability of potential deadlock states
is checked. The worst case complexity of this part is in the order of the state size
of the composite system, [Q[. However, this part would explore only those states
leading to potential deadlock states. The actual overhead in this part is the tracing of
unreachable potential deadlock states (as the identication of a deadlock state must
involve testing its reachability in one way or another). However, the rate of early
termination of such backward tracing can be high, particularly in loosely coupled
systems. Also, as discussed earlier, a signicant reduction of the complexity of the
reachability test can be obtained by considering only the shared behaviour of the
system.
Example 5.2. The system shown in the gure below is a modied version of the Mil-
ner scheduler presented in [Mil80], which is often used as a benchmark for verication
algorithms because of its exponential state expansion with the number of cyclers. The
scheduler consists of a set of simple components called cyclers. The modied version
allows exible cycling. Figure 5.1 shows the automaton representation of the ith cy-
cler, where i [0 . . . N] for a scheduler consisting of N + 1 cyclers. In this system,
2
The situation here is similar to the problem of generating an ecient ordered binary decision
diagram which depends to a large extent on the way the variables are ordered.
108
state 1i is the initial and marker state for the rst cycler (i = 0) while state 0i is the
initial and marker state for the remaining cyclers (i [1 . . . N]). The subscripts of
the local components are taken as mod N, so that x
N+1
= x
0
. The cycling sequence
can be adjusted using an interaction specication layout and the overall system can
be described by an IDES L = (L, K), where L is the language vector representing
the set of cyclers and K is their interaction specication.
y
i1
y
i1
x
i+1
x
i+1
6i 5i
4i 3i
2i 1i 0i
C
i
K
x
i
,y
i
C
k
C
1
C
0
. . .
b
i
c
i
b
i
a
i
c
i
Figure 5.1: The process scheduler
It is required to verify that the parallel composition of above cyclers is deadlock free.
Applying the detect-rst procedure, potential deadlock states are selected from those
states with all shared eligible events, that is, the set
Q
s
= (q
0ro
, q
1r
1
, . . . , q
Nr
N
)[(j [0 . . . n] r
j
[0, 3]
The set Q
s
can be tested thoroughly with respect to the denition of PDS(A). How-
ever, working by eliminating those subsets of Q
s
that do not correspond to potential
deadlock states can be more ecient for this system. Clearly, any global state con-
taining any of the combinations (q
i0
, q
(i+1)3
) or (q
i0
, q
(i1)3
) for i [0 . . . N] cannot be
a deadlock state. Excluding these cases will leave only two potential deadlock states,
109
namely (q
0r
, q
1r
, . . . , q
Nr
) where r [0, 3]. The next step is to check the reachability
of these two states. Backward tracing will reveal that both states are not reachable.
To reach this conclusion, the backward reachability test explores 2
N+1
global states
for the rst potential-deadlock state (r = 0) and 3 global states for the second one
(the composite system contains approximately 7
N+1
states). Backward reachability
can also be performed using the projection of the shared behaviour of the system
components shown in the following diagram.
x
i
, y
i
x
o
, y
o
y
i1
P
s
(C
i
) P
s
(C
o
)
00
y
N
10 0i 1i
x
i+1
x
1
Potential deadlock states in the composite system correspond to the set of states
(q

0(r1)
, q

1r
, . . . , q

Nr
) where r [0, 1] in the composite of the components projection.
Checking the reachability of these states requires testing only two global states in
the projected system. The complexity of computing the projections is of the order of
7(N + 1) in this case.
The above procedure upon termination will return the set of all deadlock global
states in the system. Based on this information, the system model can be modied
and then tested again until it is deadlock free. It is important to note that the
overhead of the detect-rst procedure (the number of unreachable potential deadlock
states) can be very high in tightly coupled systems. However, for loosely coupled
systems the computational gain is expected to surpass this overhead.
110
5.1.2 Livelock detection in multiprocess systems
Livelock is usually caused by a aw in the communication exchange between the
system components preventing the system from performing its tasks. In contrast
with deadlock, a livelock state has a nonempty set of eligible events and therefore
can reach other states (possibly itself). The diculty in detecting livelock states
stems from its characterization, which is linked to the existence of deadlock states.
Particularly, a livelock state can be dened recursively as a state with a reachable
domain consisting entirely of a nonempty set of deadlock or livelock states. Detecting
livelock states may, therefore, depend on the existence of deadlock states, and hence
deadlock detection has to be performed rst.
Livelock detection can be simplied by considering those states that can only reach
livelock states. Blocked states that can reach only deadlock states can be considered
blocked for this reason. Such blocked states will be referred to as semi-livelock. By
denition, the existence of semi-livelock states is tied to the existence of deadlock
states. Therefore, assuming that the system is deadlock-free we only need to consider
blocked states that can reach only livelock states. Those states will be referred to
simply as livelock states. Given the assumption of nite state space, the recursive
characterization of livelock leads to the conclusion that any livelock state must exist
within a loop, or more precisely a clique, in the global system.
Let A = (, Q, , q
o
, Q
m
) be a deadlock-free automaton. Based on the above
description, a state q A is a livelock state i,

A
(q) ,=
A
(q) Q
m
= (q

A
(q))
A
(q

) ,=
The rst two conditions characterize also semi-livelock states, while the last condition
distinguishes (strict) livelock states as those which can only lead to another livelock
state. Clearly, based on the above denition, the reachable domain of a livelock state
is a nonempty set of livelock states. The automaton A is said to be livelock-free if it
does not contain any livelock state.
111
Let X be a nonempty subset of Q in A. Let
X
denote the restriction of to the
states in X, and let
X
A
: X Pwr(X) be the reachability map that assigns each
state x X to those states in X that are reachable from x via transitions from
X
.
The set X is called a clique in A if every state in X can reach any other state in X
via transitions from
X
. Formally, a set of states X is a clique in A if
(x, x

X) x

X
A
(x)
Clearly, the empty set is a (trivial) clique under the above denition. However, here
we restrict the notion of clique to nonempty subsets of Q. A state x
o
X is called
an input state for the clique X if x
o
is the initial state of A or
(q QX)( ) (q, ) = x
o
In this case the transition (q, , x
o
) is said to be an input transition for the clique X.
Similarly, a state x
m
X is called an output state in X if it is a terminal state in
A or there exists a transition (q, , x
m
) with q Q X. In this case, the transition
(q, , x
m
) is then an output transition for the clique Q

. For a clique set X we will

write X
o
for its set of input states and X
m
for its set of output states. Therefore, a
system may enter a clique from one of its input states, then it can stay in the clique
indenitely or exit the clique from one of its output states. The tuple (X, X
o
, X
m
)
will be referred to as a clique structure in A. Clearly, every clique denes exactly one
clique structure, so both names may be used for the same thing. For example, the
automaton in the following diagram contains four cliques, namely, 0, 1, 2, 1, 2,
2, and 3, 4.
A clique is said to be reachable if any (and therefore all) of its states is reachable,
and is said to be coreachable if any (and therefore all) of its states is coreachable. All
the cliques in the shown automaton are reachable, and all of them are coreachable
except 3, 4. Note that if an automaton A is reachable then every clique structure
in A must contain at least one input state, and if A is coreachable then every clique
112
d
c
b
a
c
b
1
0
3 4
2
d
a
structure in A must contain at least one output state. A clique is said to be maximal
if there is no other clique X

= (X

, X

o
, X

m
) in A such that X X

, X
o
X

o
, and
X
m
X

m
. A clique is said to be terminal if each reachable state from the clique is
in the clique, that is, if
A
(X) = X. It is easy to see that every terminal clique is
maximal but the reverse is not generally true. For example, in the above automaton,
cliques 0, 1, 2 and 3, 4 are maximals, but only 3, 4 is terminal.
Proposition 5.2. Assume that the automaton A is deadlock-free. Then A is livelock-
free if and only if every reachable terminal clique in A contains a marked state.
Proof. Clearly, any reachable terminal clique that is not coreachable is associated
with at least one livelock state in A. Then, we only need to show the other direction,
that is, for every livelock state x in A, the set
A
(x) contains a terminal clique that
is not coreachable. Let x be a livelock state in A. First we show, by contradiction,
that
A
(x) must contain a clique. We dene a run in
A
(x) as a sequence of states
x
o
, x
1
, . . . , x
n
where x
o
= x and x
i

A
(x) and x
i1
= (x
i
,
i
) for some
i
for
all i [1 . . . n]. Now assume that
A
(x) does not contain a clique. Then every run in

A
(x) consists of a set of distinct states. Given that A is nite then it follows that
every run in
A
(x) is nite, and therefore contains a (nonempty) set of maximals with
113
respect to the prex ordering. By denition, each maximal run ends with a state that
cannot reach any other state in A contradicting the assumption that x is a livelock
state. Therefore
A
(x) must contain a clique. Clearly, if
A
(x) contains a clique then
it must contain the maximal clique of that clique, as any clique containing a clique in

A
(x) must be in
A
(x). Therefore
A
(x) must contain a maximal clique. It remains
to shown that
A
(x) contains a terminal clique. This follows directly from the fact
that every maximal clique in
A
(x) is either terminal or must reach another maximal
clique (otherwise, A would contain a deadlock state), and the fact that the set of
maximal cliques is disjoint and nite (for a nite state system). It follows that for
every livelock state x, the set
A
(x) must contain a terminal clique. Clearly such a
terminal clique does not contain a marker state. This completes the proof.
Therefore, livelock states can be detected by testing the set of terminal cliques
in the system
3
. The above result can be used as a base for developing a detect-rst
procedure to livelock detection in multiprocess systems. First we need to identify
the conditions in the system components that characterize a terminal clique in the
composite system. To this end, let (X, X
o
, X
m
) be a clique structure in A. A clique
machine is a tuple M = (X, x
o
, X
m
) where x
o
X
o
. The transition function of this
machine is
X
. A clique machine M = (X, x
o
, X
m
) is said to be maximal if there is no
other clique machine M

= (X

, x

o
, X

m
) such that x

o
= x
o
, X X

, and X
m
X

m
,
that is if it is not a submachine of any other clique machine. As mentioned earlier, if
A is trim then every clique in A must have at least one input and one output state.
Therefore, in this case, each clique is associated with at least one maximal clique
machine.
Let A be a set of trim automata A
i
= (
i
, Q
i
,
i
, q
oi
, Q
mi
) [ i I over a process
space and let A = |A
i
= (, Q, , q
o
, Q
m
) be their synchronous product. For a
nonempty J I let M = M
j
= (x
jo
, X
j
, X
jm
) [ (j J) be a set of clique machines
in A. The set M is said to be a clique vector if M = |M is a clique machine, where
3
Finding all possible cliques in a given graph is a known NP-complete problem as it requires
examining all possible subsets of the set of state [GJ79].
114
| is the composition operation for the process space . The composite machine M
is a tuple (x
o
, X, X
m
), where x
o
= x
jo
[ j J is called the local input state for M,
X
jJ
X
j
is the set of states reachable from x
o
in M, and X
m
= X
jJ
X
jm
. By
denition, the set M is a clique vector if and only if x
o
is reachable from itself in the
composition |M, that is, only through states from X. Let y
iIJ
Q
i
and x X.
We will write (y

x) to denote the global state q corresponding to the disjoint union
of x and y components. The tuple (M, y) will be referred to as a clique module. The
clique module (M, y) is said to be reachable if
(x
o

y)
A
(q
o
)
That is, the global state (x
o

y) is reachable in the composite system. The clique
module (M, y) is said to be terminal if
(q Q) q
A
(x
o

y) = (x X)q = (x

y)
That is, any reachable global state from (x
o

y) must remain in the clique while
preserving its y part. To satisfy this condition it is necessary that y be deadlocked
with respect to M, i.e., there should be no eligible event at y that is also an eligible
event at any x X. Clearly, this also requires that y have no asynchronous eligible
events. Finally, (M, y) is said to be marked if
(x
m
X
m
) (x
m

y) Q
m
That is, a the clique module contains a global marked state. Intuitively, a clique
vector M = M
j
= (x
jo
, X
j
, X
jm
) [ (j J) is a set of local cliques that compose
to a clique in the global system independently of any other components in I J.
Therefore, for any y
iIJ
Q
i
the tuple (M, y) corresponds to a potential clique in
the global system. The tuple (M, y) only needs to be reachable to correspond to an
actual clique, that is when (x
o
, y) is reachable. The conditions for termination and
marking can be formulated directly for this tuple through this correspondence.
115
Theorem 5.2. Let A be a vector of trim automata in where A = |A is deadlock-
free. Then A is livelock-free if and only if every reachable and terminal clique module
in A is marked.
Proof. As shown earlier, A is livelock-free if and only if every reachable terminal clique
in A contains a marker state. We show rst that every reachable terminal clique in
A corresponds to a reachable terminal clique module in A. Let X Q be a terminal
clique in A. Let M = (x
o
, X, X
m
) be one of its clique machines. As M is reachable
in A then it must be that x
o

A
(q
o
). Let (M) be the set of the transition events
of M. Let J be the maximal subset of I that satises
(j J)
A
(M)
j
,=
It is easy to verify that such J is always unique and nonempty for any clique in A.
Given that each A
i
is trim, then the composition operation denes a homomorphic
correspondence between each component automaton A
i
and the composite automaton
A given as h
i
: Q Q
i
where h
i
(q) = q
i
i q
i
q. Then, the clique machine
(x
o
, X, X
m
) in A corresponds to the machine M
j
= (x
jo
, X
j
, X
jm
) in A
j
, where x
oj
=
h
j
(x
o
), X
j
= h
j
(X), and X
mj
= h
j
(X
m
). It is easy to see that the machine M
j
is a clique as we have
A
(X)
j
,= and it is known that projection preserves
reachability. Also, for i J I, the clique M corresponds to a single state, with
no transitions in the corresponding automaton A
i
. Let y
iIJ
Q
i
denote this set
of states. Therefore, the set of clique machines M = M
j
= (x
jo
, X
j
, X
jm
) [ j
J together with y forms a clique module. The composite machine M

= |M
j
=
(x

o
, X

, X

m
) has the same transition structure of the clique M, therefore, L(M) =
L(M

). Based on the correspondence between the clique M and the set M, we can
conclude that M is reachable via y in A and it is also terminal with respect to the
same y as M is terminal. Also M could not be marked via y, as this would imply that
M contains a marked state, contradicting the initial assumption. The other direction
can be proved by contradiction using the above deduction.
116
Based on the above result, livelock situations can be traced from reachable and
terminal clique modules that are not marked. Therefore, detecting livelock in multi-
process systems can be performed by detecting this class of clique modules. Identify-
ing modules, however, requires identifying all cliques in the system components and
examining the synchronous behaviour of all possible combinations of these cliques.
In general, the number of cliques in a given automaton may exceed its number of
states. However, many of these combinations are expected to be eliminated early by
examining the criteria for a livelock situation. In summary, a set of clique machines
M = M
j
= (x
jo
, X
j
, X
jm
) [ j J and a set of states y
iIJ
Q
i
in a vector
automaton A identies a livelock situation in the composite system A = |A i
1. (M, y) is a clique module:
The composite machine M = |M = (x
o
, X, X
m
) satises x
o

M
(x
o
)
2. (M, y) is reachable in A:
(y

x
o
)
A
(q
o
)
3. (M, y) is terminal in A:
Any state reachable from (x
o
, y) state in A must be in the form (x

y) for some
x X. That is, y is deadlocked with respect to the set of states X. In general
y should not have any eligible event that is asynchronous.
4. (M, y) is not marked:
Every global state (x
m

y) must not be in Q
m
, the set of marked states of the
composite system.
A clique module is rst identied by a composable set of cliques M and set of
states y that is deadlocked with respect to the states in |M. The clique module
(M, y) identies a potential livelock source if it satises any of the above conditions.
It becomes a livelock source if it satises all the above condition. A list of potential
livelock sources is built and updated by testing the conditions above for reachability
and marking. A clique module (M, y) is removed from the list when it fails any of
these conditions.
117
The detection procedure can be enhanced by utilizing the reachability and core-
achability information as they accumulate during the detection process. Another
enhancement can be obtained by observing the inclusion of one clique machine into
another in the system components. Formally, a clique machine M = (x
o
, X, X
m
) is
a submachine of another clique machine M

= (x

o
, X

, X

m
) if x
o
= x

o
, X X

, and
X
m
X

m
. A clique machine is said to maximal if it is not a submachine of any
other clique machine. Let M be a submachine of M

and let M be a clique vector

containing M, and M

be the clique vector obtained from M by substituting M with

M

. It is easy to see that if M

does not satisfy any one of the above conditions then

M does not also satisfy it. And if M

satises all these conditions then it is a source

of livelock and the overall set of states, including M irrespective of its status with
respect to the above condition, need to be examined. Therefore, we only need to
consider the set of maximal clique machines in the detecting procedure.
The detect-rst procedure outlined above can be used to conrm that the system
in Example 5.2 is livelock-free, simply because the only possible clique module is
the whole system which must be marked if the composite system is a clique. The
following is an example of a more complex situation where all the above conditions
need to be examined.
Example 5.3. In this example we consider the alternating bit protocol (ABP) as
presented in [Rud92]. This protocol was designed to achieve reliable full-duplex data
transfer between two processes over unreliable half-duplex transmission line in which
messages can be lost or corrupted in a detectable way, but not duplicated or reordered.
The basic components of the protocol are shown in Figure 5.2.
In this model, the sender gets the current data frame (get-data) and transmits
it (tdi, i [0, 1]) to the receiver with a sequence number i. The timer is then
set (set-timer) and the sender waits for an acknowledgment (rack). The sender will
retransmit the data that was sent most recently if it does not receive any message
from B within a given time-out interval after it sends a message (time-out) or if
it receives an acknowledgment error (aerror). When a correct acknowledgement is
118
1 0 2 1 0
5 4 3
2 1 0
9 8 7 6 5
4 3 2 1 0
td0 rack
get data td1 rack
reset timer reset timer
Sender
Ack Channel Data Channel
Receiver
rd0
rd0
rd1
sack
rerror
rerror
put data
sack
put data
rd1
sd0 sd1 sack
rerror
rd1,
dlose,
rerror
dlose,
rd0,
alose,
aerror
rack,
aerror, timeout
aerror, timeout
set timer get data
set timer
Figure 5.2: The alternating bit protocol model
119
received the timer is reset (reset-timer) and the sender sends the next data package
with an alternating sequence number. The receiver will wait for the message with
the correct sequence number (rdi, i [0, 1]). Once the data is received, it is sent to
the user (put-data) and then acknowledged (sack). The receiver will retransmit the
acknowledgment on receiving the same sequence number again and will ignore data
errors (rerror). The models of the two channels include the events of losing data and
acknowledgments (dlose, alose). The overall protocol is the composition of the shown
four components.
A successful protocol for transmission problem must possess two properties: (1)
the sequence of data that has been received by the receiver at a given moment is a
prex of the sequence output by the sender, and (2) any data item given to process A
(or B) is eventually output to the receiver at B (or A). The rst property is a safety
property since it does not require that any action take place but merely that, if an
action does occur, it is permissible. The second property is a liveness property since
it does require that some actions take place. In this example we consider only the
liveness property of the protocol.
Consider rst the deadlock issue. In the above model, the local sets of states with
only shared eligible events are
OSE(Sender) = 2, 7, OSE(Data-Channel) = 0,
OSE(Receiver) = 0, 2, 3, 5, OSE(Ack-Channel) = 0
where OSE(A) denote the set of states in A that have only shared eligible events. The
set of potential deadlock states is then tested based on Theorem 5.1. Using the result
of this Theorem, we can conrm that the global states (2, X, 0, X) and (7, X, X, 0),
where X denotes any state in the corresponding component, cannot correspond to a
deadlock state. However, these two combinations are exactly all possible global states
with only shared eligible events. This shows that the protocol is deadlock-free.
To detect livelock states in the protocol, the set of maximal clique machines in
each components has to be identied. In the sender we can identify the following
120
maximal clique machines.
S1 = (Q
1
, 0, 0), S2 = (1, 2, 3, 1, 3), S3 = (1, 2, 3, 6, 6, 7, 8)
In the receiver machine we have the following maximal clique machines,
R1 = (Q
2
, 0, 0), R2 = (2, 3, 2, 3), R3 = (3, 3, 3),
R4 = (5, 0, 0, 0), R5 = (5, 0, 5, 0)
In both the Data-Channel and the Ack-channel the only maximal clique is the machine
itself. We denote these cliques as D1 and A1 respectively. First consider those com-
binations containing S1. Examining this clique will show that it needs to synchronize
with events from the other three machines in order to remain as a loop in the com-
posite structure. Therefore, we need to consider only clique combinations containing
a clique from each component. The combinations (S1, R1, D1, A1), (S1, R4, D1, A1),
and (S1, R5, D1, A1) are excluded as they are always marked. The combinations
(S1, R2, D1, A1), and (S1, R3, D1, A1) are also excluded as their local initial states
(0, 2, 0, 0), and (0, 3, 0, 0) are not reachable. Testing the remaining combinations will
reveal that the system is livelock-free.
As shown in the above example, there are several ways a given clique vector M
could be excluded from the list of potential livelock generators. The eciency of
detecting livelock using the detect-rst approach depends to a large extent on the
way the given conditions are tested. The detection procedure can be enhanced by
conducting some tests before others. For instance, checking if a given clique vector M
is reachable or terminal may be more ecient than testing if it is a module (computing
the composition |M) if the size of the clique sets in M is relatively large. The reverse
can be true if the size of the clique sets in M is relatively small. Although the above
procedure can be fully automated, we believe it is better used in a semiautomated
way as certain parts can be done more eciently manually, such as detecting local
cliques and excluding certain clique combinations.
121
5.1.3 Nonblocking interaction specications
In interacting discrete event systems the interaction specication adds another di-
mension to the blocking phenomenon. To investigate the blocking problem for IDES
we rst need to extend the denition of blocking to the class of interacting discrete
event systems. An IDES system L = (L, K) is said to be live i
B

(L) = B

(L)
with the convention that L = (L, K). Similar to the case of language vectors, the set
of live IDES is not closed under componentwise union or intersection. An IDES that
is not live is called blocked. Clearly, an IDES L can be blocked even if the language
vector L and the interaction language K are both live. Moreover, L can be live
even if the language vector L or the interaction language K (or both) is blocked. To
simplify the analysis we will assume that the language vector L is live. In this case
we can focus on checking if the interaction language K does not block the parallel
composition of the system components.
Let be a process space and let L L(). Let C
o

(L) denote the set of non-

blocking compensators for L. Formally, the set C
o

(L) is dened as follows:

C
o

(L) = K C

(L) [ B

(P

(L), K) = B

((P

(L), K))
This set is not empty for any language L as it contains L itself. It is easy to verify
that this set is not closed under intersection in general. However, it is closed under
union and hence contains a supremal element. We will denote this supremal element,

C
o

(L) for a given language L. Therefore, it is always possible to generate an optimal

live IDES model that generates the language L. This is based on the following result.
Proposition 5.3.

C
o

(L) = L
_
L [BP

(L)]
c
_

Proof. First we show that the language L

_
L [BP

(L)]
c
_

is a compensator
122
for L. For simplication, we will write H(L) for the set
_
L [BP

(L)]
c
_

. We
only need to show that
BP

(L)
_
L [BP

(L)]
c
_

=
It is easy to see that the above equality holds based on the facts that [BP

(L)]
c

=
[BP

(L)]
c
and BP

(L) BP

(L). Note that any string in

_
L [BP

(L)]
c
_

must have the form ut where u L, , u , BP

(L), and t

. Therefore a
string s
_
L [BP

(L)]
c
_

must be either in L or in [BP

(L)]
c
. Therefore we
can write
BP

(L)
_
L [BP

(L)]
c
_

L
Based on that we show below that the compensator above is a non-blocking one.
BP

(L) L H(L) =
_
BP

(L) L
_

_
BP

(L) H(L)
_
= L
_
BP

(L) H(L)
_
= L
_
BP

(L)
_
L [BP

(L)]
c
_

_
= L
Next, we show that the above non-blocking compensator is a supremal one. Clearly,
any compensator for L must contain L itself. Now assume that S is non-blocking
compensator of L and there exists s S such that s , H(L). Clearly, we only need
to consider the case when s , L. Therefore, based on the non-blocking assumption
we can write
s BP

(L) L
However as s , L we must have u s and such that u L but u , BP

(L).
Then, it must be that
s
_
L [BP

(L)]
c
_
,=
This contradicts the assumption that s , H(L). Therefore, the above non-blocking
compensator is the optimal one.
123
Therefore, to obtain

C
o

(L), we add to L any string that extends a string in L

without being a prex of BP

(L). The situation is illustrated in the following gure.

In this diagram, the event
1
should be disabled after s as it escapes the closure L to a
prex of BP

(L). On the other hand, all possible extensions of t

2
will be included.
2
s
t
BP(L)
L
1
This can be implemented by computing the synchronous product of L and BP

(L)
and at every state (q
1
, q
2
) in this product, where q
1
is a state in A(L) and q
2
is a state
in A(BP

(L)), we add a set of transitions with events

= (Elig
A(L)
(q
1
) Elig
A(BP

(L))
(q
2
))
leading to a terminal state with self-loop

. Similarly, it is always possible to obtain

the optimal live IDES that is behaviourally equivalent to a given IDES (L, K). Based
on the above result, to obtain

C
o

(B

((L, K))), compute the intersection [KB

(L)]
and then add to it any string that escapes this intersection without further move in
the prex of B

(L). This is achieved by disabling any event that escapes from this
intersection through a common event in the prexes K and B

(L) and enable any

other event.
To reduce the complexity of this computation, the intersection [K B

(L)] is
computed by exploring only those states in B

(L) that are needed to synchronize

with K. Blocked states can be identied and removed iteratively in the usual way.
124
The number of explored states in this case is typically in the order of the state size
of [K B

(L)]. Consequently, this computation can more ecient than the direct
composition approach when the specication K is highly restrictive such that the
size of K B

(L) is much smaller than that of B

(L). Consider, for instance, the

process space = a, b, c, d, the language vector L = (aba), (cdd) in L(),
and the interleaving interaction specication K = (UV )

(U + ) shown in Fig 3.7

with U = a, b and V = c, d. The synchronization procedure will only need to
explore 7 out of the total 16 states of B

(L). The optimal non-blocking compensator

C
o

(B

((L, K))) contains 8 states as shown below.

a
a,b,c
a,b,c,d
a,b,c,d
b,c
c,b c,a
a,d
b,d
d a d b c
The detect-rst approach discussed earlier can also be applied to nd a non-
blocking compensator for a given language vector L when the interaction specica-
tion K is highly permissive, namely, when relatively few restrictions to the system
behaviour is required to satisfy K. As discussed earlier, the idea is to isolate potential
blocking states rst and then to trace back their reachability. However, we have here
a case of total synchronization between the events in L and K. Considering dead-
lock situations, blocking can occur at any state in the composite structure where the
corresponding state in K and that of B

(L) do not have a common eligible event.

Such composite state is a potential deadlock state. Formally, let (q
1
, . . . , q
n
) be a
state in the automaton A of B

(L) and x be a state in the automaton B of K. The

125
composite state (q
1
, . . . , q
n
, x) is a potential deadlock state in the composite structure
of the IDES (L, K) if
Elig
A
(q
1
, . . . , q
n
) Elig
B
(x) =
Assuming that A is deadlock-free, then we only need to consider the case when
Elig
A
(q
1
, . . . , q
n
) ,= . This condition can be tested locally as indicated by Theo-
rem 5.1. Potential deadlock states can be detected by rst identifying the set of
ineligible events at each state in B. Then we identify those states in the local com-
ponents of L where a subset of this ineligible events set is the only set of possible
events after synchronization. Therefore, this procedure is more ecient for the case
when K is not very restrictive, that is, when most of the system events are eligible at
each state in B. Consider for example the IDES structure shown below. This IDES
represents a system of two processes, L
1
and L
2
, interacting such that event a
1
is
always executed before the a
2
(

= a
1
, a
2
).
b
2
b
2
a
2
a
2
L
2
x
y
z
a
2
a
1
1
0
1
L
1
a
1
b
1
b
1
a
1
z
y
x

0
2
3
4 0 1
3
4
2
126
First we test if the components alone are live. In these two components there are
only two potential deadlock states, namely, (0,4) and (4,0). Testing the reachability
requires the exploration of two global states and will conrm that the two components
are deadlock-free. Also, examining clique vectors in these two components will show
that there are no terminal clique modules in these components (there are only two
maximal cliques in each component). The interaction specication restricts only
two events. At state 0 of the specication, event a
2
is the only event that is not
eligible. This leaves only state 3 from the second component to consider for potential
deadlock. In the rst component we only need to consider state 0 and 4 together
with this combination, as they have all shared eligible events. Therefore, we have
(0,3,0), and (4,3,0) as potential deadlock global states. With similar arguments we
can obtain (3,0,1) and (3,4,1) as the remaining potential deadlock states. Testing the
reachability of these states requires the exploration of only 4 global states and will
conrm that the overall IDES structure is deadlock-free.
The detect-rst approach can also be used for livelock detection in IDES. The
procedure is similar to that used earlier for multiprocess systems. Basically, the set
of clique modules in the system components and the set of cliques in the interaction
specication are rst identied. Then each combination of a clique module in the
components and a clique in the interaction specication is tested for reachability,
coreachability and composability as to verify that the composition of the two cliques
forms a clique in the overall system. The details of this procedure will not be pre-
sented here. However, there are two important points to consider in this approach.
First, information about the clique modules and their reachability and coreachability
is usually available from detecting livelock situations in the systems components. This
information can be reused when an interaction specication is added to the model.
Second, the total synchronization between the components and the interaction spec-
ication can be an advantage as invalid clique combinations can be identied early
without extensive exposure to the global states of the composite systems. There-
fore, it may be more ecient to do the three tests (reachability, coreachability, and
composability) in an alternative scheme, going through a part of each test at a time.
127
5.2 Verication of IDES
The term external verication or simply verication refers here to the procedure in
which the system model is checked against a set of behavioural specications that
ensure that the system works as expected. The (external) verication problem can
be described formally as follows, given a system modelled by automaton P and a
specication modelled by another automaton S; test if the statement L(P) L(S)
is true, where L(G) denotes the language generated by the system G.
In practice, the system P is usually composed of a number of coordinating com-
ponents, and therefore, the composed structure P is too complex to allow a language
containment test directly by conventional means. This motivates the use of the de-
composition approach as a base for ecient solution. It is important to emphasize
again that the eciency of this approach can be claimed only under the assumption
that the specication is much simpler than the system, and therefore, the decompo-
sition of the specication is not by itself a computational bottleneck.
In general, the system is given as a set of components interacting concurrently,
which may be constrained by a given interaction language. The specication, on the
other hand, is usually given as a language (automaton) describing a desired behaviour
or a task to be achieved. Formally, the IDES verication problem can be described as
follows: given an IDES system L = (L, K) over a process space and a specication
S L() we want to test the statement B

(L) S. The challenge is to conduct

this test without computing B

(L). As shown earlier, the IDES model supports dual

conversions to and from the domain of languages. Hence, the specication S in the
above problem statement can always be converted to an IDES, say o = (S, R) such
that S = B

(o). The verication problem is then to test the inclusion B

(L)
B

(o). The following proposition shows that the componentwise inclusion implies
behaviour inclusion.
Proposition 5.4.
L _ o = B

(L) B

(o)
128
Proof. Having L
i
S
i
for all i I implies that B

(L) B

(S). Then, adding

K R, we obtain B

(L) K B

(S) R and hence B

(L) B

(o).
The above result holds even if L and/or o are not compact. The other direction
does not generally hold even if both L and o are compact, and even if, in addition,
their interaction languages are optimal - both are equal to the supremal compensator
for their prospective behaviour. This case is shown in the following example.
Example 5.4. Let = a, x, b, x be the process space. Let L = (a), (b),
and S = (a, aa), (b) be two language vectors. Let L = (L, K) and o = (S, R)
be two IDES where K =

and R =

aab. Then L = B

(L) = (ab, ba)

and S = B

(o) = ab, ba, baa with K =

C

(L) and R =

C

(S). Here we have

B

(L) B

(o). However, L ,_ o as K , R.
Note that for a system L = (L, K) and a specication o = (S, R), we may have
B

(L) B

(o) even if L ,_ S. It is easy to see that if K B

(o) then we will

have B

(L) B

(o) irrespective of L and S. However, as shown in the above result,

having L _ S will relax the requirement to K R (instead of K B

(L)) in order
to conrm the behavioural containment.
In spite of the fact that the IDES model does not guarantee a modular solution to
the verication problem, it oers in general a better ground towards such a modular
solution. The interaction information provided in the IDES structure enhances the
chance of nding a modular solution in certain situations that would otherwise require
the computation of the synchronous product of the system components. This is
illustrated in the following example.
Example 5.5. Let be the process space of the previous example. Consider the
system L

= (L, K

) where K

= a

. The language vector L, the specication S

and its IDES o are as given in the last example. Clearly, we have L

_ o. This
conrms that B

(L) S. Note the necessity of the compensation information of the

specication S and the information about the interaction specication of L to obtain
a modular solution in this example.
129
Two limiting cases are worth mentioning here. The rst is when the specication
is -decomposable. In this case, the verication check can always be conrmed
modularly irrespective of the interaction specication of the system. The second case
arises when the system components interact in the total parallelism scheme. In this
case the compensator for the systems is

. Based on the last proposition, the only

form of specication that can be (directly) checked modularly is one with similar
compensation, that is, a decomposable specication.
Verication of Structured IDES
As shown above, the information provided in the IDES model is not enough to carry
out the verication modularly. The problem is that in the IDES model the correspon-
dence between the system behaviour and its interaction specication is not generally
order preserving. The structured IDES model can resolve this problem. As intro-
duced earlier, this model provides a more powerful representation of multiprocess
systems in which a well-dened monotonic association between the system behaviour
and its interaction language is given.
As discussed in the previous chapter, a SIDES model for a given system can be
obtained by identifying patterns of behavioural invariance in the interaction speci-
cation. To allow modular comparison, the specication should also be converted into
a SIDES structure. In contrast with IDES, there is no known procedure to trans-
form a given language into SIDES structure other than for the trivial case with the
identity map. Therefore, invariance patterns in the specication have to be explored
and tested to obtain a suitable SIDES representation. The verication problem can
then be described formally as follows, given an SIDES system L = (L, K, G) over a
process space and a specication S represented by another SIDES o = (S, R, H);
verify that B

(L) S.
Proposition 5.5. Assume that L and o are compact and G H. Then
L _ o B

(L) B

(o)
130
Proof. The right direction holds in general as proved in the previous proposition. The
left direction is obtained as follows. The assumption that both L and o are compact
implies that L
i
= P
i
(B

(L)) and S
i
= P
i
(B

(o)) for any i I. Given that the

projection operation is monotonic, then we can conclude that L
i
S
i
for all i I.
Also, G H implies that K R. This completes the proof.
Note that compactness is only needed for the only if direction. Based on the
above result, the verication problem can be solved modularly if a monotonic map
H G is found to model behavioural invariance in the specication, or alternatively
an extension monotonic map H = G is found to abstract both the system and the
specication such that K R.
Example 5.6. The system in this example is a modied version of the three machines
system given in Example 4.2, whereas the number of machines here is k. Also, the
interaction specication is set to K =

, that is, the component machines are

working in parallel. Now consider checking if the system under this conguration will
allow event b
1
to directly follow the event a
1
. The gure below shows this specication,
S, and the associated IDES structure o = (P

(S),

C

(S)).
a2
b2
c2
x
d2
a1
b1
c1, d1, x
. . . .
a
1
b
1

a1
a1
a1
a1
b1
b1

b1
B
A
A
b1
A, B
A, B
x
a
k
b
k
c
k
d
k
The following abbreviations are used in the gure above: A = c
1
, d
1
, x, B =
a
i
, b
i
, c
i
, d
i
[ i [2 . . . k], and

= A B. The IDES of the specication can-

131
not bring a decisive answer to the verication check as K ,

C

(S). However, it is
easy to check that the specication is invariant with respect to the abstraction map
G dened as follows
(i [2 . . . k]) G(a
i
) = G(b
i
) = G(c
i
) = G(d
i
) = a
i
, b
i
, c
i
, d
i

,
G(a
1
) = a
1
, G(b
1
) = b
1
, G(c
1
) = c
1
, G(x) = x
The map G can then be used to abstract the system. The abstraction of the system
can be computed eciently using the result of Proposition 4.8. The gure below
shows the abstraction of the system, K = G(B

(L)). In this diagram

is the set
a
1
, b
1
, c
1
.
c
1
d
1
b
1

a
1

x
It is easy to see that K is invariant with respect to G, that is K = G(K). Conse-
quently, the system can be represented by the SIDES structure (L, K, G). Also, given
that S = G(S), the specication can be represented by the SIDES (P

(S), S, G).
Here we have K , S, and based on Proposition 5.5, this conrms that the system
does not satisfy this specication. Now consider the situation when the system is
arranged as shown below.
132
U1
a1
c1
d1
b1
x U1
a1
c1
d1
b1
x
. . . . .
X
U
k
x
d
k
c
k
b
k
a
k
.
.
.
.
U
k
X
U
1
X
U
k
U1
The above interaction specication K

restricts the operation of the system so that

only one machine is working at a time. Given the same specication, the IDES model
of the specication can give a decisive answer as we have K

(S). This conrms

that the system in this form satises the specication.
The use of the structure IDES model in verication can be useful to verify local
specications as shown in the above example. In other words, it can be used to
verify that certain local properties of some of the system components rather than
the whole system. In this case the abstraction map will be required to preserve all
the information about the local components in question and to abstract all other
components. It is also important to note, however, that ecient computation of the
system abstraction may require every shared event to be mapped to itself. This can
signicantly reduce the eciency of this approach for tightly coupled components.
Example 5.7. Consider the Milner scheduler described in Example 5.2. Assume here
that the cyclers are left free without a restrictive interaction specication. Under
this assumption, it is required to test if the composite system meets the following
specication.
133
a
0
x
0
, y
0
a
0
, x
0
, y
0

The above specication requires the scheduler in its free form be initiated and termi-
nated in its rst cycler. It is easy to see that this specication is invariant with the
-abstraction map, G, dened as follows:
(i [0 . . . k]) G(x
i
) = x
i
, G(y
i
) = y
i
, G(a
0
) = a
1
, G(b
1
) = G(c
1
) = c
1
, b
1

(i [1 . . . k]) G(a
i
) = G(b
i
) = G(c
i
) = a
i
, b
i
, c
i

Therefore, the specication can be represented by the SIDES (P

(S), S, G). The

system can also be abstracted indirectly using the map G. Therefore, the system can
be represented by the SIDES (L, G(L), G). Given this setting, the system satises
the specication i
L _ P

(S), G(L) S
In the case when K = 4, the scheduler machine B

(BL) has 1620 states and the

abstracted system G(L) has less than 25 states. The computation of P

(S) is also
negligible compared to the size of the composite system.
5.3 Iterative verication in process space
It is shown in the previous section that if the system IDES is componentwise contained
(_) in the specication IDES or if the system interaction language is contained in the
specication, then it can be concluded that the system behaviour is contained in the
specication. No such conclusion can be drawn otherwise. However, the interaction
specication of the system is an abstraction of its behaviour. This abstraction can
134
be rened toward its minimal limit, namely, the overall system behaviour. At this
limit the verication test can always be conrmed. This suggests using an iterative
renement procedure to adjust the amount of information in the IDES model. In such
procedure the interaction specication of the system is rened towards its minimal
limit until a solution is found. This procedure is guaranteed to terminate if the
renement steps are nite and progressive in the sense that every renement is strictly
ner than the previous ones.
The iterative approach for IDES verication can be summarized as follows. Con-
sider an IDES L = (L, K) in the process space and a specication S L().
The specication can be converted to an IDES o = (S, R) where S = P

(s) and
R =

C

(S). We will let R = S if L ,_ S. Initially, the language K is chosen as an

abstraction of the system. Then, in the verication step we check if K R. If it is
true then terminate with a conrmation that the system satises the specication.
Otherwise, analyze the failure path to determine whether the failure is inherent in
the system or is caused by over-approximation in current abstraction. If the former is
true, terminate with a conrmation that the system does not satisfy the specication.
Otherwise, rene the abstraction in a way that the reported failure is eliminated and
then go back to the verication step. This sequence is repeated until a conrmation
is obtained.
This general procedure is applicable to any formal verication methods that im-
plement a well-dened incremental abstraction mechanism. The specic iterative
algorithm depends on the abstraction mechanism as well as the choice of the initial
abstraction and renement procedures. In [Kur94, BSV93], for instance, the abstrac-
tion and renement process are aiming at localizing the verication test to a subset
of the system components.
In the following a general iterative procedure is presented for the verication of
multiprocess systems based on the IDES model settings. Only multiprocess systems
are considered here. Therefore, the interaction specication of the system is simply
an abstraction of the concurrent behaviour of the systems components and does not
135
add any restrictions to it. In this procedure, the interaction specication of the sys-
tem is iteratively rened, while maintaining a well-dened association with the overall
system behaviour, until a solution is found. The association between the interaction
specication and the system behaviour is used to nd a proper renement or to iden-
tify a discrepancy between the system and the specication. Both automaton-based
and language-based abstractions, as presented in the previous chapter can be used
in this procedure. However, only the automaton-based abstraction is demonstrated
here. This approach is illustrated through another version of Milner scheduler. The
scheduler here consists of three cyclers as shown in the following gure.
5
4
3
2
C
i
0 1
6
C
2

C
1
C
0
x
i
x
i+1
x
i+1
b
i
c
i
b
i
a
i
c
i
Figure 5.3: A 3-cyclers scheduler
The above scheduler is organized in a parallel scheme in which the system goes through
the cycles 0 to 2 repeatedly. In this system, state 1 is the initial and marker state
for the rst cycler (i = 0), and state 0 is the initial and marker state for all other
cyclers. The system can be described by the IDES L = (L, K), where L is the set of
cyclers and K =

is its interaction language. The correctness specication for the

scheduler is shown in the gure below where

= b
i
, c
i
, x
i
[ i [0 . . . 3]. It is easy
to verify that this specication is -indecomposable.
136
a
2
a
0
a
1

Figure 5.4: The scheduler specication

The scheduler system will now be veried against the above specication using
the iterative approach. In general, the iterative verication procedure consists of four
main steps.
Initial abstraction
In this step an initial abstraction for the system is specied. This abstraction must
have a well-dened association with the system behaviour or transition structure.
Automaton-based or language-based abstractions - as presented in the previous chap-
ter - can be used here to obtain a well-dened association between the system and
its abstraction. In the automaton-based scheme, the initial abstraction can be taken
as the coarsest partition of the components states. The transition structure of this
abstraction consists of a single state with a seloop of all the system events, namely,
the initial abstraction in this case is K
o
=

.
Verication
Assume that the current abstraction of the system is K
n
where n N. At this stage we
check if K
n
R. If this is true, then the verication procedure terminates conrming
that the system meets the given specication. Otherwise, if K
n
, R, then we need
to check if this failure is due to the system or is a result of over-approximating the
system behaviour in the given abstraction K
n
. The initial abstraction of the scheduler
system clearly fails this step, as we have K
o
, R.
137
Failure analysis
In the case of verication failure, verication tools usually provide a failure report
containing a set of failure paths. Each failure path consists of a sequence of transitions
starting from the initial state and ending with a state with an eligible event that leads
out of the specication R. The failure report at step n can then be represented by a
nite set of tuples in the form (s, ), where s

and , such that

s K
n
and s R and s , R
Given this information, it is now required to test the statement s B

(L) ,= . If
this statement is true then the verication procedure terminates with failure as, under
the assumption that the system components are live (B

(L) = B

(L)), this conrms

that part of the system behaviour, namely the set s B

(L), is not included in

the specication. Otherwise, if s B

(L) = for every failure tuple (s, ) then

proceed to the next step. Note that checking that s B

(L) ,= can be done by

exploring only those global states in B

(L) that are required to synchronize with the

failure path s. In the scheduler example the following failure tuples are found for the
automaton-based abstraction; (, a
1
) and (, a
2
). Verifying that each tuple is not part
of the composite system behaviour will require the exploration of two global states.
Renement
Reaching this step, the verication has failed because of over-approximation. There-
fore, the current abstraction needs to be rened to eliminate all failure paths. How-
ever, such renement should be just enough for this elimination without exposing
unnecessary details about the system behaviour. Therefore, for a failure pair (s, ),
the renement should achieve the removal of s from the set K
n
with a minimal
exposure to the system behaviour. Clearly the optimal situation is to keep s in prex
of the next abstraction K
n+1
while disabling after s. If this cannot be achieved
then we move backward to maintain the maximal possible prex of s in the next
138
abstraction while disabling all the events leading to after that.
Consider the automaton-based abstraction scheme. The renement procedure will
try rst to disable after s in the next abstraction. If that cannot be achieved, then
it moves one step backward and tries to disable

after s

where s = s

. This
process continues until an event leading to in s is disabled. Disabling after s can
be achieved by preempting another event between s and . This preemption can be
done as follows. Let q be the state in K
n
at which s terminates and is enabled. Let
q
i
be a state in the nth abstraction of the ith component L
i
, referred to as A
n
(L
i
). Let

n
i
be the corresponding partition so that A
n
(L
i
) is the quotient machine A(L
i
)/
n
i
.
Let [q
i
]

n
i
be the class of states equivalent to q
i
under
n
i
. Assume that
i
, and
let s
i
be the ith projection of s. Let X
i
be the set of states in [q
i
]

n
i
where is
eligible, and let Y
i
be the set of states in [q
i
]

n
i
that are the destination of the string
s
i
. If X
i
Y
i
= , then rene the partition [q
i
]

n
i
into two partitions one containing
X
i
and the other containing Y
i
. Such renement will guarantee that is no longer
available after s in the composite abstraction. This is valid if is either a shared or
an asynchronous event. This situation is illustrated in the following diagram.
If such renement cannot be established at the ith component (X
i
Y
i
,= ),
then try other components j where
j
. If no renements can established in
any of these components, then move backward and replace with

and s with s

where s

= s and repeat the above steps. Clearly, if X

i
Y
i
= , then there is
more than one possibility to partition [q
i
]

n
i
in order to separate between X
i
and Y
i
in
general. Therefore, there are several ways to rene the current partition in order to
disable after s. Heuristic rules can be used to choose a suitable partition that will
reveal the minimum amount of information in the process; for instance, minimizing
the dierence between the sizes of the partitions. It will be assumed that a suitable
renement is randomly chosen among the available ones. It is already established
that s is not in B

(L), therefore, there must exist a partition that can remove s

from the prex of K
n
. Given that the string s (from the failure report) is nite, it
follows that the above backward searching procedure will always terminate with such
139
s
i
X
Y

L
i
. . . . . .
L
n
i
K
n
s

s
N
s
i

L
n
N L
n
1
s
1
P
1
P
i
P
N
Figure 5.5: Rening the abstraction at the nth iteration
140
partition.
In the scheduler example, the failure tuple (, a
1
) can be traced back to the second
component. In this component, disabling a
1
after can be achieved by separating
state 0 and 1 in the next renement. Clearly, there are many partitions that can
achieve this. The partition
1
1
= 0, 2, 3, 4, 5, 6, 1 will be used here. Similar
partition will be used in the third cycler to disable a
2
after . The partition of the
rst cycler will remain the same. The abstraction K
1
of the system now has three
states as shown in the following gure where

= a
1
, x
1
, a
2
, x
2
.

a
2
a
1
x
2
x
1
Figure 5.6: The system abstraction after the rst iteration
The above procedure is guaranteed to terminate, as every iteration must either
terminate or rene the current abstraction, and there is a nite number of possi-
ble abstractions that end with the overall system behaviour B

(L), at which the

verication check can always be conrmed.
Continuing with the next iteration for the scheduler example will bring two failure
tuples at the verication step, namely (x
1
, a
1
) and (x
2
, a
2
). In the renement step,
based on the current partitions of the system components, it will not be possible
to rene any of the partitions in order to disable a
1
after x
1
. The procedure, then,
moves backward and tries to disable x
1
after . This can be achieved by separating
the state set 1 from the state set 3, 5 in the rst component. The partition

2
0
= 0, 1, 4, 6, 2, 3, 5 will be used. Similarly, a
2
cannot be disabled after x
2
,
141
and to disable x
2
after , the state set 3, 5 must be separated from the state set
4, 6. The partition
2
1
= 1, 2, 3, 5, 4, 6, 0 will be used. The partition of the
third components will remain the same. The abstraction K
2
is the composition of the
three quotient components. Continuing this procedure, the following abstraction can
be obtained at the fth iteration (

= a
0
, x
0
, a
1
, x
1
, a
2
, x
2
). This abstraction
is a subset of R, conrming that the system meets the given specication.
a
2
x
2
x
1
a
0
x
0
a
1

Figure 5.7: The system abstraction after the fth iteration

The eciency of this procedure can be measured by the number of iterations and
the size of the nal abstraction. Both factors are related, to a large extent, to the
choice of the initial abstraction, as well as, to the choice of a suitable renement
among the set of valid ones in the renement step.
142
Chapter 6
Interacting Discrete Event
Systems: Supervisory Control
In the supervisory control problem a supervisor is constructed for a given sys-
tem such that the controlled (supervised) behaviour of the system follows a set of
predened specications. Based on the physical characteristics of the system, events
are regarded as either controllable (can be disabled) or uncontrollable (permanently
enabled). In general, the outcome of the supervisory control procedure determines
whether or not a supervisor exists that can restrict the system behaviour to the desired
specication. Therefore, supervisory synthesis can be considered a generalization of
the verication problem.
Similar to the verication problem, the supervisory synthesis procedure suers
from the state explosion problem in multiprocess environment. The practical context
of both problems is similar; the targeted systems are usually hierarchically organized,
complex, and multiprocess. In this chapter the supervisory control of multiprocess
and interacting discrete event systems is investigated. The relation between the sys-
tem model and its behaviour is central to supervision synthesis. However, the control
dimension introduces new factors and conditions that render the problem more man-
ageable in certain situations.
143
Similar to internal verication, the supervisory control problem can be solved for
multiprocess DES by exploring only relevant parts in the state space of the system.
Supervision based on forward and backward exploration is introduced. Modular
supervision of interacting discrete event system is also investigated. It is shown
that under certain conditions regarding the controllability of shared events, modular
supervision can be achieved without the need to compute the synchronous product
of the system components. The result is extended for structured IDES.
It is interesting to see the relevance of the coupling between the system components
to both the verication and the supervisory control problems. In both problems it is
shown that more ecient solutions can be formulated for loosely coupled components.
In multiprocess discrete event systems, coupling is represented by shared events. In
the supervisory control problem, it is shown that the existence of a modular solution
is directly linked, among other factors, to the controllability of shared events, and,
a modular solution (not necessary optimal) is always guaranteed for asynchronous
multiprocess systems.
6.1 Supervisory control of multiprocess systems
In the IDES setting, it is assumed that the parallel behaviour of the system com-
ponents can be restricted to any interaction specication via direct synchronization.
In other words, all events are assumed controllable and can be disabled at any time
through an external agent. Clearly, this is not always the case in practice. In gen-
eral some of the system events may not be controllable and, therefore, cannot be
disabled. In this case, the given interaction specication may not be implementable
via direct synchronization. Techniques based on supervisory control theory can be
used to design a supervisor that restricts the system behaviour to conform with the
specication while respecting the given control limitations.
In general, supervisor synthesis for a given multiprocess system requires an ex-
haustive search of the state space of the system and thus is intractable for multipro-
144
cess systems. However, in certain situations, an optimal supervisor can be synthesized
without the need to explore all possible behaviour of the system. This can be achieved
by focusing on the common behaviour between the system and the specication, or
alternatively on the dierences between the two structures.
6.1.1 Direct synchronization approach
Supervisory synthesis for multiprocess systems is a generalization of computing the
supremal nonblocking compensator for a given IDES. It was shown in the previous
chapter that the supremal non-blocking compensator for a given IDES can be obtained
by expanding only those traces in the composite IDES structure that are needed to
synchronize with the interaction specication. Blocked (bad) states are removed
as discovered during this synchronization. This procedure can be extended for a
limited control situation as follows. The specication is synchronized with the systems
components incrementally, that is, only states required for such synchronization are
explored. During this exploration, a global state consisting of a specication state x
and the set of components states q = (q
1
, . . . , q
n
) is marked bad if it satises one
of the following conditions
an uncontrollable event is eligible at q but not eligible at x,
(q, x) is not marked and cannot reach a marked state,
(q, x) is the source of an uncontrollable event that leads to a bad state
Note that the rst condition is what distinguishes this procedure from the one
used for nding the supremal non-blocking compensator. No exploration is further
attempted at a bad state. The exploration process is repeated until no more explo-
ration is possible and all bad states are identied. These bad states are then removed
from the synchronous composition of the specication and the set of components. It is
easy to see that the outcome of this procedure is a non-blocking maximally permissive
supervisor for the system.
145
The worst-case complexity of this synchronization procedure is similar to the direct
approach that requires the computation of the synchronous product of the systems
components. However, this approach is generally more ecient, as only the part of
the system behaviour that is relevant to the specication is explored. This procedure
is expected to be more ecient if the specication is highly restrictive, such that
the state size of the supervised system is much less than that of the synchronous
composition of the system components.
Example 6.1. The system in this example is a three process version of the system
given in section 5.1.3. Also here the processes are required to synchronize at initial
and terminal states. The system is shown in the following gure.
0 1
2
3
4
x
y
0 1
2
3
4
x
y
b1
a1 b1
a1
0 1
2
3
4
x
y
a2
b2
b2
a2
a3
b3
b3
a3
Figure 6.1: A three process system
It is required to design a supervisor such that events b
1
, b
2
, and b
3
are executed
sequentially without interleaving with any other event in between. This specication
is shown below where

= b
1
, b
2
, b
3
.
0
1
2
b1
b3
b2

146
In this system the set of uncontrollable events is a
1
, a
2
, a
3
. All other events
are controllable (controllable transitions are marked with a tick in the correspond-
ing edge). Using the synchronization procedure, the optimal supervisor - shown in
Figure 6.2 - is constructed using direct synchronization for the above specication.
0,0,0 1,1,1
x
y
a1
a2
a3
a2
a1
a3
a3
b1
b1
b1
b1 b1
b1 b1
a1
a2
a3
a2
a1
3,1,1
2,1,1
1,2,1
1,1,2
3,2,1
3,1,2
2,1,2
2,2,1
1,2,2
2,2,2
4,1,2
3,2,2
4,1,1 4,2,1
4,2,2
b1
b2
b3
z
4,4,2 4,4,4
Figure 6.2: The optimal supervisor for three process system
In this example all bad states (shaded nodes in the above gure) are identied in
one iteration. The total number of explored states is 19, while the number of states
of the composite system is 64.
147
6.1.2 Detect-rst approach
The detect-rst approach can also be used in the supervisory synthesis of multiprocess
systems. The basic idea is to isolate and then to remove potential bad states.
Potential bad states have the same characteristics of the bad states in the direct
synchronization approach. The only dierence is that in the detect-rst approach
these bad states are identied rst and then checked for reachability (if needed) by
backward tracing. The detect-rst approach is explained in the following.
Consider the set of components L and the specication K. We assume initially
that L is live. To identify bad states, we rst identify those states in K where not
all the events in are eligible. Let x be such state in K and let

be the set of
events that are not eligible at x. Next we identify the set of states q in the composite
structure B

(L) that has eligible events from the set

. The combination (q, x) is a

potential bad state if: an uncontrollable event in

is eligible in q, a subset of

is
the only set of events that can lead to a marked global state in the composite structure
of (L, K), or if it has an uncontrollable event that leads to a bad state. Potential bad
states are then tested for reachability by backward tracing. A conrmed bad state is
then removed from the specication by disabling the latest controllable event leading
to it. This process is repeated until all bad states are eliminated.
Note that, in the detect-rst procedure above, we do not need to carry out the
reachability test for all potential bad states. Conrming the status of a potential bad
state is only needed if it aects the status of other states. In another words, we need
to test the reachability of a potential bad states (q, x) only if there exists another
state (q

, x

) where the status of (q

, x

), as being potentially bad or not, depends on

whether (q, x) is an actual bad state or not. Otherwise, if the status of a potential
bad state (q, x) need not be conrmed, then we just supply the control information
needed to avoid reaching this state. This information will be the set of controllable
events to be disabled at a given global state leading to (q, x).
The worst case complexity of the detect-rst procedure is also similar to that of the
direct approach. However, this approach can be more ecient in certain situations,
148
particularly, when most of the events are controllable and the specication is, roughly
speaking, highly permissive. In such cases, there are few events that are not eligible
at any state of the specication. In this situation, the set of bad states is not likely
to proliferate. Therefore, turning the specication into a supervisor will not require
excessive exposure to the state space of the system.
6.2 Supervisory control of IDES
In the IDES setting of the supervisory control problem, the system is given as a set of
components interacting concurrently and, optionally, may be constrained by a given
interaction specication language. The specication, on the other hand, is given as
a language describing a desired behaviour or a task to be achieved. However, it is
always possible to convert any language to an IDES model. Therefore, without loss
of generality, we will assume that the specication is also given as an IDES structure.
The supervisory control problem for IDES is stated formally as follows: given
a system L = (L, K) over a process space generating a language L = B

(L),
and a specication language S represented by an IDES structure, o = (S, R) with
S = B

(o), construct an IDES supervisor 1 = (V , T), such that the supervised

system L/1 satises B

(L/1) S. The form of supervision we want to develop in

this section is a component-wise supervision where each component of the supervisor
controls the corresponding component of the system, and the supervisors interaction
specication controls the systems interaction specication. Such supervision will be
referred to as modular supervision. Formally this translates into dening B

(L/1)
as follows
B

(L/1) = |
iI
(V
i
/L
i
) (T/K)
where V
i
is a supervisor for L
i
with respect to the specication S
i
. Then (V
i
/L
i
)
denotes the restriction of the ith component of the system by the ith component
of the supervisor. Typically such restriction is achieved by total synchronization
(intersection). The IDES supervision setting is depicted in Figure 6.3.
149
V
n
L
n
K
T
V
n1
L
n1
V
1
L
1
. . . . .
Figure 6.3: The IDES supervision structure
150
We will address two main issues regarding the IDES supervision mechanism. The
rst is the validity of this form of supervision, that is, to check if IDES supervision
can restrict the system to the given specication. The second issue is optimality,
that is, to check when the IDES supervision can produce the minimally restrictive
behaviour while satisfying the specication.
Recall that for a language S representing a specication for a system language
L, the set of all sublanguages of S that are controllable with respect to L is denoted
(
L
(S). This set contains a supremal element denoted sup (
L
(S). This element, if not
empty, corresponds to the optimal supervisor for L with respect to the specication
S. The blocking issue will not be considered here. Therefore, the system and the
specication languages are assumed prex closed.
Proposition 6.1. Let S
1
, S
2
, L L() be prex closed languages. Then
sup (
L
(S
1
S
2
) = sup (
L
(S
1
) sup (
L
(S
1
)

The above proposition is a special case of a more general result in [Won01]. The
following result is a direct consequence of the controllability property.
Proposition 6.2. Let E, L L(). Then
L E = sup (
L
(E) = E

Optimal supervisors are implemented by the language sup (

L
(S L). Based on
the above results sup (
L
(S) L = sup (
L
(S L). To simplify notation, this language
will be denoted as sup

(
L
(S). Given this notation, the optimality of IDES supervision
can be expressed by the following condition:
sup

(
L
(S) = | sup

(
L
i
(S
i
) sup

(
K
(R) =

iI
P
1
i
sup

(
L
i
(S
i
) sup

(
K
(R)
151
Clearly the optimality of IDES supervision implies its validity. Conditions for the op-
timal IDES supervision will be explored hereafter. The validity issue will be discussed
after that in the light of the optimality conditions.
Proposition 6.3.
S = S and L = L = sup

(
L
(S) = sup

(
L
(S)
Proof. First we show that sup (
L
(S) = sup (
L
(S). Let H L() be a language.
Then
H (
L
(S) = H S and H
u
L H
= H S and H
u
L H (S = S and H = H)
= H (
L
(S)
Hence, sup (
L
(S) (
L
(S). Therefore, sup (
L
(S) sup (
L
(S). Also sup (
L
(S)
sup (
L
(S) in general, hence it must be that sup (
L
(S) = sup (
L
(S). Now, we have
sup

(
L
(S) = sup (
L
(S L) = sup (
L
(S) L = sup (
L
(S) L
However,
sup (
L
(S) L sup (
L
(S) L
Therefore, sup (
L
(S L) sup (
L
(S L). Also, in general we have
sup (
L
(S L) sup (
L
(S L)
Then it must be that sup (
L
(S L) = sup (
L
(S L). That is, sup

(
L
(S) = sup

(
L
(S)
Based on the above result, the optimal supervisor is guaranteed to be prex closed
when the system and the specication are prex closed . The next result shows that
the sup

( operation is invariant with inverse projections. We will write to denote

152
the set .
Proposition 6.4.
P
1
i
sup

(
L
i
(S
i
) = sup

(
P
1
i
L
i
(P
1
i
S
i
)
Proof. Let H

i
be a language in the set

(
L
i
(S
i
). First, H S
i
L
i
implies
P
1
i
H P
1
i
S
i
P
1
i
L
i
. Second,
H

(
L
i
(S
i
) = H
ui
L
i
H
= H
ui
L
i
H
ui
=
ui

= P
1
i
_
H
ui
L
i
_
P
1
i
H
= P
1
i
H P
1
i

ui
P
1
i
L
i
P
1
i
H
= P
1
i
H
u
P
1
i
L
i
P
1
i
H (
u
P
1
i

ui
)
= P
1
i
H
u
P
1
i
L
i
P
1
i
H
= P
1
i
H

(
P
1
i
L
i
(P
1
i
S
i
)
For the other direction, let T L() be a language in the set

(
P
1
i
L
i
(P
1
i
S
i
). First,
T P
1
i
S
i
P
1
i
L
i
implies that P
i
T S
i
L
i
. Second,
T

(
P
1
i
L
i
(P
1
i
S
i
) = T
u
P
1
i
L T
= P
i
(T
u
P
1
i
L) P
i
T
= P
i
T P
i

u
P
i
P
1
i
L
i
P
i
T
= P
i
T
ui
L
i
P
i
T
= P
i
T

(
L
i
(S
i
)
Now let X = sup

(
L
i
(S
i
) and let Y = sup

(
P
1
i
L
i
(P
1
i
S
i
). Then we have, by supremal-
ity, P
1
i
X Y and P
i
Y X. Therefore P
1
i
P
i
Y P
1
i
X. However, Y P
1
i
P
i
Y .
Then it must be that P
1
i
X = Y . Therefore, we can write
P
1
i
sup

(
L
i
(S
i
) = sup

(
P
1
i
L
i
(P
1
i
S
i
)
This completes the proof.
153
The next step is to nd conditions upon which the synthesis of local supervisors
for the system components can be done optimally using only information about these
components without the need of any information from the other components of the
system.
Proposition 6.5. Let L = (L, K) be an IDES such that K is controllable with
respect to B

(L) and
s

c
. Let L = B

(L). Then for all i I,

sup (
L
(P
1
i
S
i
P
1
i
L
i
) L = sup (
P
1
i
L
i
(P
1
i
S
i
P
1
i
L
i
) L
Proof. Let H L() be a language. Then
H (
P
1
i
L
i
(P
1
i
S
i
P
1
i
L
i
) = H
u
P
1
i
L
i
H
= H
u
L H (L P
1
i
L
i
)
= H (
L
(P
1
i
S
i
P
1
i
L
i
)
Therefore, we have sup (
P
1
i
L
i
(P
1
i
S
i
P
1
i
L
i
) sup (
L
(P
1
i
S
i
P
1
i
L
i
). Now, as-
sume there exists
u
and a string s

such that s L, s P
1
i
L
i
and
s , L. Given that shared events are controllable, then
u

i
implies that
s P
1
j
L
j
for all j I i. Also by the controllability of K, if
u
then
s
iI
P
1
i
L
i
and s K implies that s K. Therefore, we can state that
(s

)( (
u

i
)) s P
1
i
L
i
= s L
Hence, for any language T L, we have T(
u

i
) P
1
i
L T
u
L. Then, we
can write
T (
L
(P
1
i
S
i
L) = T
u
L T
= T(
u

i
) P
1
i
L
i
T
= P
1
i
P
i
(T(
u

i
) P
1
i
L) P
1
i
P
i
T
= P
1
i
P
i
T P
1
i
P
i
(
u

i
) P
1
i
L
i
P
1
i
P
i
T
= P
1
i
P
i
T
u
P
1
i
L
i
P
1
i
P
i
T
154
Clearly, T (P
1
i
S
i
L) implies P
1
i
P
i
T (P
1
i
S
i
P
1
i
L
i
). Then based on the
above we can conclude that P
1
i
P
i
T (
P
1
i
L
i
(P
1
i
S
i
P
1
i
L). This shows that
P
1
i
P
i
sup (
L
(P
1
i
S
i
L) sup (
P
1
i
L
i
(P
1
i
S
i
P
1
i
L)
Given that sup (
L
(P
1
i
S
i
L) P
1
i
P
i
sup (
L
(P
1
i
S
i
L) and combining the previ-
ous result, we can write
sup (
L
(P
1
i
S
i
L) sup (
P
1
i
L
i
(P
1
i
S
i
P
1
i
L) sup (
L
(P
1
i
S
i
P
1
i
L
i
)
Now, given that any language H such that H L = is controllable with re-
spect to L trivially, then with little eort it can be seen that sup (
L
(P
1
i
S
i
L) =
sup (
L
(P
1
i
S
i
P
1
i
L
i
) L. Then by adding the intersection with L to the above
line we get sup (
L
(P
1
i
S
i
P
1
i
L
i
) L = sup (
P
1
i
L
i
(P
1
i
S
i
P
1
i
L
i
) L. This
completes the proof.
The conditions in the above proposition are sucient to guarantee the optimality
of supervision at the components level. The question about the necessity of these
conditions does not aect the results in this section and will be left for future inves-
tigation. The controllability conditions for the interaction part of the model will be
examined next.
Given the IDES specication o = (S, R), to achieve optimal IDES supervision a
condition is needed such that information about the interaction language K is enough
to calculate the language sup (
L
(R) K. This language represents the optimal super-
visor for the systems interaction language with respect to the interaction language
of the specication.
Proposition 6.6. Assume R K is controllable with respect to K. Then
sup (
L
(R K) = sup (
K
(R K)
Proof. Assume H (
K
(R), then H
u
K H. However, H
u
L H
u
K H.
155
Hence H (
L
(R). Therefore
sup (
K
(R K) sup (
L
(R K)
Also if R K is controllable with respect to K, then it must be that R K =
sup (
K
(R K). However, it always holds that sup (
L
(R K) K R. This shows
that sup (
L
(R K) = sup (
K
(R K), and both in this case are equal to R K.
It is clear that the condition that R K is controllable with respect to K is
sucient but not necessary. For instance, when K = L, the implication of the propo-
sition holds trivially independent of R. However, based on the above proposition, an
optimal supervision for the systems interaction language K can be achieved if a com-
pensator R for the specication is found such that KR is controllable with respect
to K. In general, the set of compensators for the specication S is any language R
such that S R

C

(S). Based on that we can state the following result.

Proposition 6.7. There exists an IDES model (S, R) for S such that R is prex
closed and K R is controllable with respect to K if
S sup (
K
(

C
o

(S))

Note that if S is prex closed, then

C
o

(S) is also prex closed, and therefore

sup (
K
(

C
o

(S)) is prex closed. It is worthwhile here to reect on limit cases for the
system interaction language, K. In one limit case, when K = L, the supervisor of the
system interactions is always optimal regardless of the specication. However, this is
also the most complex case. The other limit is more interesting, namely when K =

reecting total parallelism of the system components. Clearly here K R = R for

any compensator R for the specication. It is straightforward to check that in this
case, the above condition holds if and only if R
u
R, namely uncontrollable events
are always enabled in R. For instance, the serial composition interaction U

can
156
be implemented for any two parallel components if and only if the set of events V is
controllable.
Theorem 6.1. Let L = (L, K) be an IDES over a process space with L = L(L),
and let S L(). Assume that,
1.
s

c
2. K is controllable w.r.t B

(L)
3. S sup (
K
(

C
o

(S)).
Then
sup

(
L
(S) = | sup

(
L
i
(S
i
) sup

(
K
(R)
Proof. Given the third condition, we can construct an IDES model, o = (S, R), for
the specication S such that KR is controllable with respect to K, and R is prex
closed. Based on the above assumption we can make the following deductions.
sup

(
L
(S) = sup

(
L
(

iI
P
1
i
S
i
R)
=

iI
sup (
L
(P
1
i
S
i
P
1
i
L
i
L) sup (
L
(R K)
=

iI
_
sup (
L
(P
1
i
S
i
P
1
i
L
i
) L
_
sup (
L
(R K)
=

iI
_
sup (
P
1
i
L
i
(P
1
i
S
i
P
1
i
L
i
) L
_
sup (
K
(R K)
=

iI
sup (
P
1
i
L
i
(P
1
i
S
i
P
1
i
L
i
) sup

(
K
(R) L
=

iI
P
1
i
sup (
L
i
(S
i
L
i
) sup

(
K
(R) L
=

iI
P
1
i
sup

(
L
i
(S
i
) sup

(
K
(R) L
Clearly, for all i I we have sup

(
L
i
(S
i
) L
i
also we have sup

(
K
(R) R, hence

iI
P
1
i
sup

(
L
i
(S
i
) sup

(
K
(R)

iI
P
1
i
L
i
R = L
This completes the proof.
The eciency of the solution for this problem depends, among other factors, on
the interaction language of the system, as well as that of the specication. Roughly
157
speaking, the chance of nding an optimal IDES supervisor increases by restricting
the interaction language of the system and relaxing that of the specication.
Example 6.2. The system in this example consists of two processes with synchro-
nization mechanism to allow certain forms of coordination using two shared events
x, y. The system is initially arranged such as the two processes are working in parallel.
The STD of the system is shown below.

op1a op2a
Process A
fa2 fa1
op3a
r3a
x x
ma
op1b op2b
r1b r2b
Process B
op3b
r3b
r4b
op4b
x
mb
r1a r2a
fb1 fb2
op4a
r4a
U V
The specication of the system is shown in the gure below. The specication S is
converted to the shown IDES structure o = (P

(S),

C
o

(S)).
Spec A Spec B
op2a
op1a
r2b
op1b
op2a,r2b
op2a,op1b
op2a,r2b
op1a,r2b
op2a
op1a
r2b
op1b
op1a r2b
op1b op2a

C
o

(S)
Specication S
(seloops of remining events are not shown)
158
It is clear that the specication S is not controllable with respect to the interaction
language of the system K =

. However,

C
o

(S) is controllable with respect to K

and therefore sup (
K
(

C
o

(S)) =

C
o

(S). The IDES supervisor for the specication is

shown below.
op2a
op1a
r2b
op1b
op2a,r2b
op2a,op1b
op2a,r2b
op1a,r2b
r1a
Sup A
op2a
x
x
r2a
op1a
x
x
r2b
op1b
r1b
fb1 fb2
op4b
op3b
r3b
mb
r4b
op2b
Sup B
The following gure shows a new specication for the system. The new speci-
cation aects only the local specication for process B. Therefore, the new IDES
supervisor can be obtained from the one above by updating only the supervisor for
process B with respect to its new specication.
op1a
op2a
op2b
op1b
op1b
op2b
Spec B
r1b
op1b
r2b
op2b
Sup B
x
x
new specication new local specication new local supervisor

159
The conditions for the optimality of IDES supervision, as given in the above
Proposition, are related to the system, the specication, and the structure and the
control characteristics of the process space. However, if the optimality of the IDES
supervision is not required, some or all of these conditions can be relaxed. To this
end, an IDES supervision is said to be valid if it can restrict the system behaviour to
the given specication. Formally, this can be described by the following condition:
| sup

(
L
i
(S
i
) sup

(
K
(R)

(
L
(S)
That is, a valid IDES supervisor corresponds to a (at) supervisor (not necessarily
optimal) for the overall system.
Theorem 6.2. Let L(L, K) and o = (S, R) be two interacting discrete event systems
over a process space with L = L(L) and S = L(o). Then | sup

(
L
i
(S
i
) sup

(
K
(R)
is a valid supervisor for L with respect to S.
Proof. We only need to show that
| sup

(
L
i
(S
i
) sup

(
K
(R) (
L
(S L)
Based on the proof of the previous lemmas, we have
sup

(
K
(R) (
L
(R K) (Proof of Lemma 6.6)
sup

(
P
1
i
L
i
(P
1
i
S
i
) (
L
(P
1
i
S
i
P
1
i
L
i
) (Proof of Lemma 6.5)
Therefore we can write

iI
sup

(
P
1
i
L
i
(P
1
i
S
i
) sup

(
K
(R)

iI
(
L
(P
1
i
S
i
P
1
i
L
i
) (
L
(R K)
(
L
(

iI
_
P
1
i
S
i
P
1
i
L
i
_
(R K))
(
L
(L S)
This shows that every IDES supervisor is a valid supervisor for the system. The
160
extent of how close this IDES supervisor is to an optimal supervisor cannot be known
in advance. Based on the given conditions, in general, a better solution is more likely
for loosely coupled systems than for tightly coupled ones.
The established conditions for optimal IDES supervision are not mutually depen-
dent. This allows dierent possibilities for adjusting the system and its model. For
instance, the condition that requires shared events to be controllable may require
changing the process space structure. The other conditions involve mainly the inter-
action specications of the system and the specication. This adds other possibilities
for adjustments as interaction specications are not unique.
161
Chapter 7
Conclusions
7.1 Summary
In this thesis we investigated the relation between the behaviour and the structure
of interacting multiprocess discrete event systems. In the light of these investigations
we proposed an approach to modelling and analysis of a general class of multiprocess
discrete event systems with well-dened interaction specication. The framework is
based on elementary notions of formal languages and automata. One of the main
objectives of this thesis is to provide the formal basis and the theoretical foundation
for integrating the information about the components interaction in the modelling and
analysis process. As shown in the thesis, such integration can be a key for modular and
ecient behavioural analysis in the complex environment of multiprocess systems.
The relation between the model and the system behaviour is crucial to the analysis
in multiprocess environment. In the IDES framework this relation is founded on the
reversibility of the composition (synchronous product) and decomposition (vector
projection) operations. This reversibility is established based on the compactness
property and the compensation concept. Compensation can be used to convert any
given language to an IDES structure, while a generalized composition operation can
be used to obtain the language generated by a given IDES structure. This reversibility
162
is an essential element of the analysis approaches presented in this thesis.
In the thesis, we investigated the verication and supervisory control problem
within the IDES framework. We proposed several approaches for solving these prob-
lems while avoiding the direct computation of the synchronous product of the system
components. Also, conditions have been established for modular solution for the ver-
ication and supervisory synthesis problems. The established conditions emphasize
the importance of the coupling between the system components on the eciency of
the analysis procedures.
7.2 Future Research
The proposed IDES framework was intended to be a general one. In this thesis,
many important aspects on behavioural analysis of multiprocess systems have been
addressed. However, much research remains to be done to address other important
issues.
Real time systems
The IDES model can easily be extended to represent real time specications. The
extension of the analysis procedures needs more eort. This is due to the special
characteristics of the timing information that requires special treatment. However,
many analytical results in this direction can be obtained by extending the results in
this thesis using the already established results for the verication and supervisory
control of real-time systems.
Multilevel systems
The extension of the IDES framework to multilevel systems in this thesis has consid-
ered only the modelling aspects of the framework. There are many analytical issues
to be addressed for multilevel hierarchical systems. The multilevel structure of the
163
system can be incorporated and utilized in the analysis process.
Blocking issue
Blocking is one of the major problems in the IDES framework. Further research is
needed to address this problem for interacting multiprocess systems. This includes the
incorporation of dierent techniques to limit the search domain. Iterative techniques
such as the one discussed for the verication problem may be useful to detect blocking
situations in multiprocess systems eciently.
Software Implementation
A software implementation of the IDES modelling and analysis framework would
require special arrangement in the input interface to incorporate the interaction spec-
ication and the process space structure (alphabet vector) together with the corre-
sponding operations (composition, decomposition, abstractions, ... etc.). The veri-
cation and supervisory control procedures described in this thesis can be directly
translated into software functions. Such software tool is essential to bring the result
of this thesis to potential non-specialist users.
164
Appendix A
Decomposition and Modularity in
Process Space
In this section, we consider a general denition of decomposability in process space
that takes into account the interaction between the system components. One expected
outcome of utilizing this dimension is to extend the domain of specications that can
be veried modularly. We also investigate the case when the interaction specication
can guarantee a modular verication for any given specication.
A.1 Decomposition and Modularity
Let be an alphabet vector with index set I and let K L() be a language. A
language H

is said to be (, K)-decomposable, or simply K-decomposable when

is known from the context, if
H = B

(P

(H), K)
That is, H is (, K)-decomposable if it can be constructed from its vector projection
and the language K. The set of (, K)-decomposable languages is not closed under
union. However, it can be shown easily that it is closed under intersection.
165
A language H is said to be (, K)-semidecomposable if H can be written as a
nite union of a set of (, K)-decomposable languages. Hence, by denition a K-
decomposable language is also K-semidecomposable. A interaction language K is
said to be modular if any sublanguage of K is (, K)-decomposable. Formally, K is
modular if
(H K) H = B

(P

(H), K)
A interaction language K is said to be semimodular if any regular sublanguage of K
is (, K)-semidecomposable. Clearly, from the above denition, if K is semimodular
then it is modular. Let H be a regular sublanguage of K. Dene the set of (, K)-
decomposable sublanguages of H as follows
D
K

(H) = F H [ F = B

(P

(F), K)
We will write

D
K

(H) to denote the maximals of the set D

K

(H). Clearly, to show that

K is semimodular we need to show that the set

D
K

(H) is nite for any sublanguage

H of K.
Proposition A.1. The interaction languages for serial composition, renement, and
interleaving are semimodular.
Proof. We will consider only the case of two components process space. The extension
to the general case is straightforward. Let =
1
,
2
be a process space with the
corresponding abstract events U =
1

2
, V =
2

1
and X =
1

2
. Let
A, B

D
K

(H) where A ,= B. Clearly, there must exist s A and t B such that

B

(P

s, t, K) , H, otherwise either A is contained in B or B is contained in A

contradicting the assumption that they are maximals. The set s, t will be called
an indecomposable pair in H. It is easy to see that if s, t is indecomposable in
H then it must be that P
s
s = P
s
t, that is, they share the same sequence of shared
events. In the following, we will show that the set

D
K

(H) is nite by showing that

any two indecomposable strings must dier at least in one state in the automaton of
H. This will imply that any two maximals in

D
K

(H) must have at least one state

166
not in common. Given that H is regular by assumption and therefore has a nite
number of states, this will prove that H has a nite number of maximals, and thus
is K-semidecomposable.
(Serial composition) We consider rst the case of synchronous serial composition.
In this interaction scheme, each string in K will have the form uxv where u U

,
x X
+
and v V

. Therefore, we can write the two strings s and t as u

1
xv
1
and
u
2
xv
2
respectively where u
1
, u
2
U

, v
1
, v
2
V

, and x X
+
. If s and t share the
same set of states in H then it must be that u
1
xv
2
and u
2
xv
1
are both in H, therefore,
B

(P

s, t, K) H, contradicting the assumption they are indecomposable in H.

Therefore, s and t must have at least one state not in common in H. Similar argument
can be used for the asynchronous serial composition.
(Renement) Considering the handshaking renement scheme with the interaction
language K = U, XV

. Then s, t will have the form

s = u
1
x
1
v
2
x
2
u
3
. . . u
n1
x
n1
v
n
x
n
u
n+1
, t = a
1
x
1
b
2
x
2
a
3
. . . a
n1
x
n1
b
n
x
n
a
n+1
where u
i
, a
i
U

for i [1, 3 . . . n + 1], x

k
X for k [1 . . . n], and v
j
, b
j
V

for
j [2, 4 . . . n]. Therefore, if s and t share the same set of states in H, then we can
exchange each u
i
with a
i
or v
j
with b
j
and the result string in either cases will be in
H. Therefore, in this case B

(P

s, t, K) H contradicting the initial assumption.

The case for the synchronized renement can be proven similarly.
(Interleaving) For K = (UV )

(U + ), the strings s, t will have the form (uv)

n
or
(uv)
n
u where n is any natural number. Note that every string w K satises
[P
1
(w)[ = [P
2
(w)[ + r where r [0, 1]. Therefore, to be indecomposable, s and t
must satises [[s[ [t[[ 1. Without losing generality, let s = u
1
v
1
. . . u
n
v
n
and
t = a
1
b
1
. . . a
n
b
n
a
n+1
where u
i
, a
i
U and v
i
, b
i
V . If s and t share the same set of
states in H, then it must be that t

= a
1
b
1
. . . a
n
b
n
is also in H and it must be in the
set B

D
K

(H). Clearly s, t

also share the same set of states. Now, replacing each

occurrence of u
i
with a
i
and/or v
i
with b
i
will result in a string in H. Consequently,
we must have B

(P

s, t, K) H contradicting the initial assumption. Therefore,

167
s and t

must have at least one state not in common and so are s and t.
Therefore, any sublanguage of any of the above interaction schemes can be repre-
sented as a nite union of a set of maximal decomposable sublanguages.
Example A.1. Let = (a, b, x, y), (c, d, x, y). The catenation composition base
for this process space is K = (a, b)

(c, d)

. The gure shows a sublanguage of K and

the corresponding set of maximal (, K)-decomposable sublanguages.
H
H2
H1
b
a
b a
c
c
d
c d
a
a
b

D
K

(H)
d
d
a
a
b
a
b
c
c

Modular verication can be achieved when the specication can be transformed

into an equivalent one that can be decomposed and checked locally. Formally, consider
and IDES L = (L, K) over a process space and a specication S K. Then
B

(L) S can be veried locally if S is (, K)-semidecomposable. In this case

we can write S =
nN
S
n
, where the set N is nite and S
n
is a maximal (, K)-
decomposable sublanguage of S. Then,
Proposition A.2.
L S (n N)(i I) L
i
P
i
(S
n
)

168
The complexity of the above approach depends on the number of maximal (, K)-
decomposable sublanguages in the specications. Clearly, the above proposition will
be more useful if an ecient algorithm is found to decompose any sublanguage of a
modular interaction language into a nite set of (, K)-decomposable languages.
A.2 Deterministic Interaction Specications
In this section, an attempt is made to characterize semimodular interaction specica-
tions. An interaction language K is said to be deterministic if the restriction of the
composition of any string vector in the domain P

(K) to K is either a single string

or the empty set. Formally,
(s E P

(K)) [ B

(s, K) [ 1
Roughly speaking, the determinism property reects the unambiguity of the compo-
nents interaction. That is, each sequence of events in the system components con-
tributes a unique sequence of events (possibly none) in the overall system behaviour.
Note the duality of determinism and the completeness property (completeness re-
quires that [ B

(s, K) [ 1 for every composable string vector in P

(K)). Clearly,
when K is both deterministic and complete, then we have [ B

(s, K) [ = 0 if and only

if s is incomposable.
Unfortunately, there is no known general way to check the determinism of a given
language. However, it is shown in [MRS96] that checking the determinism property is
decidable when K is a layout in asynchronous environment. However, in certain situ-
ations the interaction language is simple enough to allow determinism to be checked
by inspection. For example, it is straightforward to check that parallel composition
is not deterministic, except in the case of intersection. The following results can help
to test the determinism of simple interaction languages.
169
Proposition A.3. Let K
1
and K
2
be deterministic languages over . Then
1. (L L()) L K
1
= L is deterministic.
2. K
1
K
2
is deterministic.
3. (i I) P
i
K
1
P
i
K
2
= = K
1
K
2
is deterministic.
4. P
s
K
1
P
s
K
2
= = K
1
K
2
is deterministic.
Proof. Let K
1
and K
2
be deterministic languages over .
1. Let L K be a language. Then, P

(K) _ P

(L) and therefore s E P

L implies
that s E P

(K). Also, given that L K, then [ B

(s, K) [ [ B

(s, K) [ 1.
2. Let s E P

(K
1
K
2
). Then s E P

(K
1
) and s P

(K
2
). Hence [ B

(s, K
1
) [ 1
and [ B

(s, K
2
) [ 1. Also we have B

(s, (K
1
K
2
)) = B

(s, K
1
) B

(s, K
2
). Then
it must be that [ B

(s, (K
1
K
2
)) [ 1.
3. Let s E P

(K
1
K
2
). Then B

(s, (K
1
K
2
)) = B

(s, K
1
) B

(s, K
2
). Therefore,
[B

(s, (K
1
K
2
))[ 1 except for the case when B

(s, K
1
) and B

(s, K
2
) are both non
empty and not equal. In this case let t
1
= B

(s, K
1
) and t
2
= B

(s, K
2
). Clearly, this
implies that t
1
K
1
, t
2
K
2
, and P
i
t
1
= P
i
s = P
i
t
2
for all i I. This contradicts
the initial assumption that there exists some i I where P
i
K
1
P
i
K
2
= . Therefore,
K
1
K
2
must be deterministic.
4. Similar to the previous case. We must have P
s
t
1
= P
s
s = P
s
t
2
. This contradicts
the assumption that P
s
K
1
P
s
K
2
= .
From the third part of the above proposition we can conclude that the interac-
tion language of catenation is deterministic. This is based on the fact that any two
strings in this layout do not share the same vector projection. Similarly we can see
that synchronous catenation is deterministic. The same argument applies for the
interleaving layout. From, the third and fourth parts we can conclude that the in-
teraction language of renements is deterministic. From the rst part we can state
that any sublanguage of a deterministic interaction language is also deterministic.
Therefore, the procedure to obtain the optimal non-blocking compensator preservers
the determinism property.
170
The nite union of a set of deterministic interaction languages is of special impor-
tance to the topic of this section and we will refer to such union as a semideterministic
interaction language. The two-way interleaving interaction is an example of this class.
Theorem A.1.
K is semimodular = K is semideterministic
Proof. We only need to show that if K is modular, then it is deterministic. Let K be a
modular language. Now assume that B

(s, K) = H for some s E P

(K) where [H[ >

1, that is, H contains more than one string. Then for every string t H we have P
i
t =
s
i
. Hence B

(P

(t), K) = H. This implies that [B

(P

(t), K)[ > 1 contradicting

the initial assumption that K is modular which requires B

(P

(t), K) = t. So it
must be that [B

(P

(t), K)[ = 1 for all s E P

(K). Hence, K is deterministic. Then

if K is a nite union of modular language then it is also a nite union of deterministic
languages.
Note that, if K is deterministic then, it is not necessary modular. For instance, the
layout of catenation is deterministic but not modular. However, the other direction
in the above theorem is believed to hold at least when K is regular. To prove this,
we need to show that a deterministic K is semimodular. However, neither a counter
example nor a proof can be found for this claim.
Conjecture A.1.
K is semideterministic = K is semimodular

Note that it is easy to show that every sublanguages of a deterministic K can be

written as a union of a set of (, K)-decomposable languages, as every string s K
is by denition (, K)-decomposable. The problem is to show that the set of

D
K

(H)
is nite for any regular H K.
171
Appendix B
Supervisory Control of Structured
IDES
The condition in Theorem 6.1 ensures the optimality of the interaction specication
supervision. The following result shows that there is another way to achieve this.
Proposition B.1.
(R L()) sup

(
L
(R) = sup

(
K
(R) L is controllable with respect to K
Proof. () Assume that sup (
L
(R L) = sup (
K
(R K) for any R

. Let R = L
then we got sup (
K
(L K) = sup (
L
(L), hence, as L K we get sup (
K
(L) = L,
therefore L is controllable with respect to K.
() We already showed that sup (
K
(R K) sup (
L
(R K) in the proof of Propo-
sition 6.6. For the other direction let H

be a language, then
H (
L
(R K) = H
u
L H
= H
u
(L
u
K) H L (L
u
K L)
= (H L)
u
K H L (L = L)
= H L (
K
(R K)
172
Therefore, combining all the results above we get
sup (
L
(R K) L sup (
K
(R K) sup (
L
(R K)
However, given that any language H such that H L = is controllable with re-
spect to L trivially, then with little eort it can be seen that sup (
L
(R K) L =
sup (
L
(R K). Adding this to the above line, and given that L K, then we get
sup (
L
(R L) = sup (
K
(R K).
The main concern regarding the above result is how to check that L is controllable
with respect to K eciently without resorting to the computation of synchronous
product of the system components. More important, is how to adjust K if needed
such that L can be controllable with respect to K. As discussed earlier, in some
situations the system can be described by a structured IDES model where the system
interaction specication is associated with its behaviour through a known monotonic
map. In this situation, the system can be described by the model L = (L, K, G)
where K = G(B

(L)). Given this setting, the question here is how to test that L
is controllable with respect to G(L) locally by dealing with the system components
individually. This can be achieved by testing the relation between the controllability
of the system and the controllability of its components under the given abstraction
map. The blocking issue will not be considered here, therefore, all relevant languages
are assumed prex closed and the map G is assumed prex preserving.
Proposition B.2. Let G : L() L() be a -abstraction map then
(i I) L
i
is controllable w.r.t G(L
i
) = L is controllable w.r.t G(L)
173
Proof.
(i I) L
i

ui
G(L
i
) L
i
= (i I) L
i

ui
G(L
i
) L
i
= (i I) P
1
i
_
L
i

ui

G(L
i
)
_
P
1
i
L
i
= (i I) P
1
i
L
i
P
1
i

ui

P
1
i
G(L
i
) P
1
i
L
i
= (i I) P
1
i
L
i

u

G(P
1
i
L
i
) P
1
i
L
i
(G P
1
P
1
i
G)
=

iI
P
1
i
L
i

u

G
_
iI
P
1
i
L
i
_

iI
P
1
i
L
i
=

iI
P
1
i
L
i

u

G(L)

iI
P
1
i
L
i

G(L)
=

iI
P
1
i
L
i

u

G(L)
u

G(L)

iI
P
1
i
L
i

G(L)
= L
u
G(L) L
The condition above does not depend on the control structure of the underlying
process space. However, the situation is dierent in the reverse direction as shown
the next proposition.
Proposition B.3. Let G : L() L() be a -abstraction map. Assume that

s

c
and G(L) is complete. Then
L is controllable w.r.t G(L) = (i I) L
i
is controllable w.r.t G(L
i
)
Proof. As L is controllable with respect G(L), then L
u
G(L) L. Now, assume
there exists
u
and a string s

such that s P
1
i
P
i
G(L) and s , G(L).
Based on the completeness of G(L), we can state that
s P
1
i
P
i
G(L) and s , G(L) = (j I) s , P
1
j
P
j
G(L)
However, if s G(L), then s(
j
)

P
1
j
P
j
G(L). Given also that shared events
are controllable then, it must be that (
j

i
), or in general (
i
). Hence
174
we can state that for an string s G(L)
( (
u

i
)) s P
1
i
P
i
G(L) = s G(L)
Therefore for any language T G(L), we have T(
u

i
)P
1
i
P
i
G(L) T
u
G(L).
Based on that we can write
L
u
G(L) = L (
u

i
) P
1
i
P
i
G(L) L
= P
i
(L
ui
P
1
i
G(P
i
L)) P
i
L (P
i
G = G P
i
)
= P
i
L
ui
G(P
i
L)) P
i
L
= L
i

ui
G(L
i
) L
i
(G is complete)
This completes the proof.
Next we present the main theorem in this section showing the conditions to test
the controllability of the overall system behaviour w.r.t its interaction specication
locally. Note that abstraction map G is assumed prex preserving in the setting of
the problem.
Theorem B.1. Let L = (L, K, G) be a structured IDES over a process space with
L = B

(L), and
s

c
. Assume that K is complete. Then
(i I) L
i
is controllable w.r.t G(L
i
) L is controllable w.r.t K

The above results can be used to adjust the abstraction map G (locally) so that
K is controllable w.r.t L. It is important to note the dierence between this approach
and the approach adopted in the previous section. In this approach, we are looking
for an interaction specication K for the system L such that L is controllable with
175
respect to K. Once this K is found, it can be used with any specication. In contrast,
the conditions given in the previous section are specic to the given specication.
176
Bibliography
[AL91] M. Abadi and L. Lamport. The existence of renement mappings. Theo-
retical Computer Science, 82:253284, 1991.
[Als96] N. Alsop. Formal Techniques for the Procedural Control of Industrial Pro-
cesses. PhD thesis, Center for Process Systems Engineering, Imperial Col-
lege London, 1996.
[Ber79] J. Berstel. Transductions and Context Free Languages. Teubner, Stuttgart,
1979.
[BH93] Y. Brave and M. Heymann. Control of discrete event systems modeled as
hierarchical state machines. IEEE Trans. Autom. Control, 38(12):1803
1819, December 1993.
[BSV93] F. Balarin and A. Sangiovanni-Vincentelli. An iterative approach to lan-
guage containment. In Lecture Notes in Computer Science, volume 697,
pages 2940. Springer, Berlin, 1993.
[CH74] R. H. Campell and A. N. Habermann. The specication of process syn-
chronization by path expressions. In Lecture Notes in Computer Science,
volume 16, pages 89102. Springer, Berlin, 1974.
[CW95] P. E. Caines and Y.-J. Wei. On dynamically consistent hybrid systems.
Lecture Notes in Computer Science, 999:8691, 1995.
177
[Dil88] D. L. Dill. Trace Theory for Automatic Hierarchical Verication of Speed-
Independent Circuits. The MIT Press, 1988. An ACM Distinguished Dis-
sertation.
[GJ79] M.R. Garey and D.S. Johnson. Computers and Intractability: A Guide to
the Theory of NP Completeness. W.H. Freeman and Company, New York,
1979.
[GL81] H. J. Genrich and K. Lautenbach. System modeling with high-level petri
nets. Theoretical Computer Science, 13(1):109136, January 1981.
[God94] P. Godefroid. Partial Order Methods for the Verication of Concurrent Sys-
tems: An Approach to the State Explosion Problem. PhD thesis, University
de Liege, 1994.
[Har87] D. Harel. Statecharts: A visual formalism for complex systems. Science of
Computer Programming, 8(3):231274, 1987.
[HU79] J.E. Hopcroft and J.D. Ullman. Introduction to Automata Theory, Lan-
guages, and Computation. Addison-Wesley, Reading, MA, USA, 1979.
[Jen87] K. Jensen. Coloured petri nets. In W. Brauer, W. Reisig, and G. Rozenberg,
editors, Petri Nets: Central Models and Their Properties, Advances in Petri
Nets 1986, LNCS 254, pages 248299. Springer-Verlag, 1987.
[JL92] R. Janicki and P. E. Lauer. Specication and Analysis of Concurrent Sys-
tems, The COSY Approach. EATCS Monographs on Theoretical Computer
science. Springer, Berlin, 1992.
[KK97] N. W. Keesmaat and H. C. M. Kleijn. Restrictions and representations
of vector controlled concurrent system behaviours. Theoretical Computer
Science, 179:61102, 1997.
[Koz94] P. Koz ak. Dealing with complexity in the discrete event system control
methods. In Proc. of the IEEE European Workshop on Computer-Intensive
178
Methods in Control and Signal Processing, pages 229236, Prague, Czech
Republic, September 1994.
[Kur94] R. P. Kurshan. Computer-Aided Verication of Coordinating Processes.
Princeton University Press, Princeton, New Jersey, 1994.
[LPM96] H. Liu, J. Park, and R. E. Miller. On hybrid synthesis for hierarchical
structured petri nets. Technical Report CS-TR-3628, Dept. of Computer
Science, Univ. of Maryland, College Park, Maryland, USA, April 1996.
[LW90] F. Lin and W.M. Wonham. Decentralized control and coordination of dis-
crete event systems with partial observation. IEEE Trans. Autom. Control,
35(12):13301337, 1990.
[MB88] S. MacLane and G. Birkho. Algebra. Chelsea, New York, 1988.
[McD89] C. E. McDowell. A practical algorithm for static analysis of parallel algo-
rithms. Journal of Parallel and Distributed Processing, 6(3):515536, June
1989.
[Mil80] R. Milner. A Calculus of Communicating Systems, volume 92 of Lecture
Notes in Computer Science. Springer-Verlag, 1980.
[MRS96] A. Mateescu, G. Rozenberg, and A. Salomaa. Shue on trajectories: Syn-
tactic constraints. Technical Report 41, Turku Centre for Computer Science,
1996.
[Pet62] C.A. Petri. Kommunikation mit Automaten. PhD thesis, Univ. Bonn, West
Germany, 1962.
[RS97] G. Rozenberg and A. Salomaa. Handbook of Formal Language. Springer-
Verlag, Berlin Heidelberg, 1997.
[Rud92] K. Rudie. Decentralized Control of Discrete Event Systems. PhD thesis,
University of Toronto, 1992.
179
[RW87] P.J. Ramadge and W.M. Wonham. Supervisory control of a class of discrete-
event systems. SIAM Journal on Control and Optimization, 25:206230,
1987.
[Sch92] B. Schwartz. State aggregation of controlled discrete-event systems. Mas-
ters thesis, Dept. of Elec. Eng., Univ. of Toronto, Canada, October 1992.
[Shi79] M. W. Shields. Adequate path expressions. In Lecture Notes in Computer
Science, volume 70, pages 249265. Springer, Berlin, 1979.
[Shi97] M. W. Shields. Semantics of Parallelism: Non-Interleaving Representation
of Behaviour. Springer-Verlag, London, 1997.
[Wan95] B. Wang. Top-down design for RW supervisory control theory. Masters
thesis, Dept. of Elec. Eng., Univ. of Toronto, Canada, 1995.
[Wec92] W. Wechler. Universal Algebra for Computer Scientists, volume 25 of
EATCS Monograms on Theoretical Computer Science. Springer-Verlag,
New York, 1992.
[WH91] Y. Willner and M. Heymann. Supervisory control of concurrent discrete
event systems. Int. Journal of Control, 54(5):11431169, 1991.
[Won01] W.M. Wonham. Notes on control of discrete-event systems. Lecture notes,
Department of Electrical Engineering, University of Toronto, Toronto, Ont.,
2001.
[WR88] W.M. Wonham and P.J. Ramadge. Modular supervisory control of discrete
event systems. Mathematics of Control, Signals and Systems, 1(1):1330,
1988.
[ZW90] H. Zhong and W.M. Wonham. On the consistency of hierarchical supervi-
sion in discrete-event systems. IEEE Trans. Autom. Control, 35(10):1125
1134, October 1990.
180