
IEEE TRANSACTIONS ON AUTOMATION SCIENCE AND ENGINEERING, VOL. 11, NO. 1, JANUARY 2014

Symbolic Representation and Computation of Timed Discrete-Event Systems


S. Miremadi, Z. Fei, K. Åkesson, and B. Lennartson

Abstract: In this paper, we symbolically represent timed discrete-event systems (TDES), which can be used to efficiently compute the supervisor in the supervisory control theory context. We model a TDES based on timed extended finite automata (TEFAs): an augmentation of extended finite automata (EFAs) by incorporating discrete time into the model. EFAs are ordinary automata extended with discrete variables, where conditional expressions and update functions can be attached to the transitions. The symbolic computations are based on binary decision diagrams (BDDs). We show how TEFAs can be represented by BDDs. The main feature of this approach is that the BDD-based fixed point computations are not based on tick models that have been commonly used in this area, leading to better performance in many cases. The approach has been implemented and applied to a simple case study and several large-scale benchmarks.

Note to Practitioners: In today's industry, the control functions are implemented to a great extent manually by designing a candidate and verifying it against different properties to ensure that the control function is satisfactory. Designing a control function manually is a tedious, error-prone and time-consuming process. Another way is to do this process automatically, referred to as the synthesis method. In the synthesis method, the designers model the system's behavior and the desired properties and feed them to an algorithm that can automatically generate the control function. Supervisory Control Theory (SCT) provides a powerful framework for automatically synthesizing safe and flexible control functions, referred to as supervisors, that restrict the system only when it is necessary. For large-scale systems, synthesis typically suffers from the state space explosion problem, that is, the memory required to represent the states of the system is more than the available memory. To handle real-time systems, in this paper, we also incorporate time in the theory and show how the supervisor can be efficiently computed for large-scale systems.

Index Terms: Binary decision diagrams (BDD), extended finite automata (EFA), supervisory control theory (SCT), timed discrete-event systems (TDES).

I. INTRODUCTION

DISCRETE EVENT SYSTEMS (DES) are discrete-state, event-driven systems whose state evolution depends entirely on the occurrence of asynchronous events over time. DES have many applications in modeling technological systems such as automated manufacturing and embedded systems. When

Manuscript received April 10, 2013; accepted May 23, 2013. Date of publication October 22, 2013; date of current version January 01, 2014. This paper was recommended for publication by Associate Editor C. Seatzu and Editor M. C. Zhou upon evaluation of the reviewers' comments. The authors are with the Automation Research Group, Department of Signals and Systems, Chalmers University of Technology, SE-412 96 Gothenburg, Sweden (e-mail: miremads@chalmers.se; zhennan@chalmers.se; knut@chalmers.se; bengt.lennartson@chalmers.se). Digital Object Identifier 10.1109/TASE.2013.2282895

designing control functions for DES, model-based approaches may be used to conveniently understand the system's behavior. A well-known framework of such a model-based approach is supervisory control theory (SCT) [1]. Having a plant (the system to be controlled) and a specification, SCT automatically synthesizes a control function, called supervisor, that restricts the conduct of the plant to ensure that the system never violates the given specification. The main feature of the supervisor in SCT is that it restricts the plant only when it is necessary, referred to as the minimally restrictive supervisor.

Most of the research in this field has focused on analyzing qualitative properties, such as safety or liveness specifications, by investigating the logical sequencing of events. However, the correct behavior of many real-time systems such as air traffic control systems and networked multimedia systems depends on the delays between events. In addition, on pure DES one cannot perform quantitative analysis such as time optimization or scheduling. Timed DES (TDES) is a generalization of DES in which the times at which the events occur are also taken into consideration. In this work, we do not consider stochastic properties of the models.

The modeling formalism used in this work is an augmentation of a previously proposed modeling formalism, called extended finite automaton (EFA) [2], where time has been incorporated into the model. EFAs are ordinary automata extended with discrete variables, guard expressions and action functions. The guards and action functions are attached to the transitions, which admit local design techniques of systems consisting of different parts. The main features of EFAs are that they are suitable for the SCT framework and that they usually yield compact models because of the existence of discrete variables. EFAs have been used in several research works and successfully applied to a range of examples such as [3]–[5].
The EFA framework has been implemented in Supremica [6], a verification and supervisory control tool, where powerful algorithms exist for analysis of DES [7]–[9].

There have been many attempts to model TDES and generalize SCT considering the real-time aspects. These works can be divided into two categories; they are either based on continuous time or discrete time. On the continuous side, timed automata (TAs) [10] is the most popular modeling formalism used for modeling TDES and employing them in SCT [11]–[13], [15]. However, in TAs, as the clocks progress by real values, the number of states becomes finite which is not suitable for analysis of TDES. To this end, in [11], a timed automaton is transformed to a corresponding region automaton, based on an equivalence relation, which makes the state-space finite. In [12], two special types of events Set and Exp are introduced, which are used to transform a timed automaton into a minimal and equivalent finite-state automaton, called SetExp-Automaton. In

1545-5955 2013 IEEE

MIREMADI et al.: SYMBOLIC REPRESENTATION AND COMPUTATION OF TIMED DISCRETE-EVENT SYSTEMS

[13], a TDES is modeled by timed Petri nets and a fixed point algorithm is presented to compute the unique extremal control-invariant subpredicate of a given predicate. In [15], the passing of time is measured using the number of ticks generated by a digital clock, thereby relaxing the assumption of the prior works that time can be measured precisely. With respect to control function generation, there exists another approach that differs from the ones using the SCT theory [14], where the controller is based on a winning strategy for a certain game defined for the timed automata, called timed game automata.

A lot of work has been carried out on discrete-time models with respect to SCT [16]–[21]. In these works, it is assumed that there exists a global digital clock. In [17], the timing information is incorporated into the system states in the form of timer variables, which are updated according to some rules relating event occurrences and the passage of time. The more common way to model TDES, described in [16] and [18], is that lower and upper time bounds are associated with events to restrict their occurrence times. In addition, they use a special event tick, which represents the passage of time, and is generated by the global clock. In [22], Brandin and Wonham applied SCT to Timed Transition Models (TTMs) proposed in [16]. The main problem with their approach is that by introducing the tick event more iterations may be needed in the fixed point computations. In addition, it is more likely to get early state space explosion. To this end, some methods have been proposed to shrink the state space such as [23], where the supervisor is computed based on an abstraction of the plant model in which time is measured with a slower clock. In [19], the notion of eligible time bounds is considered to analyze the timed behavior of the system and to avoid the state space explosion due to the addition of tick. In [20], time optimization is also incorporated.
Then, the synthesis problem is to find the supervisor whose makespan is minimum among those of all possible supervisors, where the theory of heaps-of-pieces is used to deal with time information. In [21], the synthesis problem is to enforce boundedness, reversibility, and liveness in timed transition Petri nets with firing durations, where stretching is used to represent the state of the system.

Nevertheless, most of the aforementioned approaches have addressed the scalability and efficiency issues. In fact, for many of them, currently there is no evidence of an existing implementation including [11], [12], [15], and [19]. In [13], [20], and [21], the implementation is applied to quite simple examples and the state space is explored explicitly.

This paper is comparable with the approach in [18] that is based on [22]. Both approaches symbolically compute the supervisor for a given TDES based on binary decision diagrams (BDDs) [25]. BDDs are useful data structures for representing Boolean functions, which typically yield compact representations for large state spaces. The main difference between our approach and [18] is how a TDES is represented by BDDs and how the BDDs are used to compute the supervisor. In contrast to [18], in our approach, we eliminate the tick event in the BDD representation, overcoming the problem with the tick event stated earlier. As will be shown in Section VI, this will typically lead to fewer fixed point iterations and smaller intermediate BDDs during the synthesis procedure. As a result, the synthesis can be performed in an efficient manner, which is the main contribution of this paper.

We model a TDES by Timed EFAs (TEFAs), which are EFAs equipped with a finite set of discrete clocks, and where the value of each clock is increased implicitly at the locations as time progresses. From a modeling perspective, the advantage of using TEFAs compared to TTMs is that the time constraints are added as guards on the transitions (as in timed automata), rather than lower and upper bounds on the events. This could potentially facilitate the modeling for the users. For instance, if the constraints are associated with the events, it will be complicated to model the situation where the user wants to put different time constraints on an event that appears at different places in the same model. Furthermore, such a way of modeling usually leads to a large state space.

This paper is organized as follows: Section II introduces TEFAs and explains the semantics of such models. In Section III, we briefly describe supervisory control theory. Section IV describes the EFA semantics of TEFAs, i.e., how TEFAs can be transformed into EFAs. The symbolic representations and computations of TEFAs based on BDDs are described in Section V. In Section VI, the proposed approach is analyzed by applying it to a case study and several large-scale benchmarks. Finally, Section VII provides some conclusions and suggestions for future work.

II. TIMED EXTENDED FINITE AUTOMATA

In [2], a modeling formalism called Extended Finite Automaton (EFA) was introduced, which is an augmentation of ordinary automata with a finite set of discrete-valued variables. The variables appear in the transitions of the automata as either logical conditions, called guards, or updating functions, called actions. A transition in an EFA is enabled if and only if its corresponding guard formula evaluates to true; when a transition is taken, it may be followed by updates of variables defined by the associated actions. A Timed Extended Finite Automaton (TEFA) is an EFA augmented with a finite set of digital clocks.
Intuitively, a clock in a TEFA is a discrete variable in the sense of EFAs, restricted by some rules, mentioned later. The time automatically elapses only at locations, whereas the transitions occur instantaneously with zero delay.

A. Syntax and Semantics

In the following, we describe the syntax and the semantics of TEFAs. Definition 1 (Timed Extended Finite Automaton): A timed extended finite automaton is a 10-tuple

where is a finite set of locations; is the domain of variables , where is a finite set of integers; is a finite set of discrete valued clocks is a nonempty finite set of events; is the transition relation; , is an invariant-assignment function; is a set of initial locations;


is a set of initial values of the variables; is a set of marked locations that are desired to be reached; is a set of pairs of marked valuations of the variables and clocks. In addition to , we also define representing the domain of the clocks. Later we will explain how the domain of a clock is defined and show that it is finite. The global variable domain denoted by is the set that contains the values of all variables, defined formally as

where and represent Boolean logic true and false, respectively, and . This implies that clocks can only be compared to constants. All nonzero values are considered as . The semantics of a guard is specified by a satisfaction relation indicating the pair of variable and clock evaluations for which guard is . It is written . An action is a tuple of functions

The global clock domain denoted by is defined similarly. The largest value in and is denoted by and , respectively. If a variable exceeds its domain, the result is not defined, and from an implementation point of view, it is up to the developer to decide how to implement such cases. For instance, the program can give the user a warning. In our implementation, values outside the domain will be ignored and will not be included in our computations, i.e., the corresponding transition will not be executed. In contrast to variables, it is assumed that if a clock reaches its maximum value, it will keep its value until it is reset. For a clock , this behavior is modeled by a saturation function

where is the set of natural numbers. The function is used to saturate the current value of all clocks. The elements and are the sets of guards (conditional expressions) and action functions, respectively. In the TEFA framework, an arithmetic expression is formed according to the grammar % where , and % is the modulo operator. We use to denote an expression that does not contain any clocks and then . A variable evaluation for a variable is a function , assigning a value to the variable. A clock evaluation is defined similarly. A set of evaluations for all variables and clocks is represented by and , respectively. A guard is a propositional expression formed according to the grammar

where and are guards that are based on variables and clocks, respectively

A variable action is a function that updates a variable; and a reset action is a function that only resets a clock. Hence, for a variable, the action is formed as and for a clock it is formed as . An action function that does not update a variable or clock is denoted by , which is later used in the synchronization process to determine the updated value of . Function assigns to each location a location invariant that constrains the amount of time that may be spent in the location. Specifically, the location should be left before the invariant becomes invalid. Intuitively, if a location invariant consists of a less than relation, the invariant can be considered as a deadline.

The clocks can be seen as EFA variables that are synchronized with a global digital clock. Hence, the clocks will evolve each time the global clock ticks. In other words, all clocks evolve synchronously at rate one. The value of a clock denotes the amount of time that has elapsed since its last reset. Potentially, the clocks in can have an infinite domain because the time will elapse forever. Nevertheless, based on the following argument a finite domain can be considered for each clock. Among the possible values of a clock, only a subset is relevant: those that can impact the guards' evaluations. For instance, for a guard , the values above 4 will all have the same impact on the guard; thus the relevant values of are . Considering to be the largest constant in the model (including all guards), which the clock is compared to, the domain of the clock is . Thus, . Consequently, the domain of the clocks will be finite.

A partial transition relation is written as , where , and . A transition without guard indicates that there are no restrictions, i.e., . For a variable , consists of the initial values of . Since TEFAs are specifically designed to conform to the supervisory control theory, it becomes natural to include a set of marked locations and values in the tuple of the definition of a TEFA.
If the set of marked locations, evaluations of a variable or a clock is empty, then the entire domain is considered as marked. The states of a TEFA are defined as . The state for a location , variable evaluations , and clock evaluations is represented as . Based on the states of a TEFA, a state transition system can be defined. A notation that will be used frequently in this paper is the SOS-notation (Structured Operational Semantics) [26]. The notation


should be read as follows: if the proposition above the solid line (premise) holds, then the proposition under the fraction bar (conclusion) holds as well. Definition 2 (State Transition System of a TEFA): Let be a TEFA. Its corresponding state transition system (STS), denoted by , is a 5-tuple, where is a finite set of states; is a set of events; is an explicit state transition relation defined by the following rule:

the transition relation dened as follows:

is

(2) where a) :

(1) is a set of initial states ( is a -tuple of zeros); is a set of marked states. We assume that all TEFAs are deterministic. A deterministic TEFA has only a single initial state in its corresponding STS and for any two transitions and , it always implies . Remark (Nonzenoness): We have omitted requirements on the definition necessary for executability. From every reachable state, the TEFA should admit the possibility of time to diverge. For example, the automaton should not enforce infinitely many events in a finite interval of time. A TEFA satisfying this operational requirement is called non-zeno [27].

B. Extended Full Synchronous Composition

For modeling purposes, it is often easier to have a modular representation, especially for complex systems. Then, to have a monolithic model of the system we need to synchronize the components. For a model with a number of TEFAs, we assume that the variables and clocks are all global, i.e., they are shared between the TEFAs. The global behavior of a modular TEFA model can be expressed by the extended full synchronous composition on TEFAs, similar to the full synchronous composition described in [2]. Definition 3 (Extended Full Synchronous Composition): Consider the following two TEFAs such that * * For

, ,

(3)

b)

where is the action function belonging to , updating the th variable, and is defined exactly as but on clocks; :

c)

for (EFSC) of as

. The Extended Full Synchronous Composition and , denoted by , is dened

; ; . Intuitively, in (2), an action function of form indicates that variable keeps its current value. Similar to the proof in [28], it can be proved that the EFSC operator is both commutative and associative and can be extended to multiple TEFAs. Note that, in the case of multiple TEFAs, the transition relation in (2) refers to all TEFAs. In other words, should first be computed for all TEFAs and then replace with the current value. In the above definition, also observe that when the action functions of and explicitly try to update a shared variable to different values, we assume that the variable is not updated. It can indeed be discussed whether such a transition should be executed; nevertheless, such a situation is usually a consequence of bad modeling.

III. SUPERVISORY CONTROL THEORY

where

; ;

Supervisory Control Theory (SCT) [1], [29] is the first control theory for a general class of DES, where a control function is automatically synthesized, referred to as supervisor, based on a


given plant and a specification. A specification describes the allowed and inhibited behaviors. The supervisor restricts the conduct of the plant to guarantee that the system never violates the given specification. However, it is often desired, and also in our work, that the supervisor restricts the plant as little as possible, referred to as a minimally restrictive supervisor. This gives the developers several alternatives to implement the controller and perform further analysis such as time or energy optimization.

There exist several works on developing efficient algorithms and data structures for SCT problems formulated with EFAs [3], [30]. In this work, the problems are modeled by TEFAs. However, the computations are performed on their corresponding EFAs that will be described in Section IV. In [3], [30], it is shown how a nonblocking and minimally restrictive supervisor can be symbolically computed for a system modeled by EFA models. The computations are based on the corresponding finite automata of EFAs.

An automaton-plant can be described by the synchronization of a number of sub-plants and similarly for a specification . In our computations, we assume that a supervisor always refines the plant, i.e., . There are different ways of computing a supervisor such as monolithic [1], modular [31], and compositional [32] synthesis. In our approach we apply monolithic synthesis, which is performing fixed point computations on the single composed automaton .

In the following, we describe some of the concepts in SCT. A state is reachable if it can be reached from the initial state by executing a sequence of events. A state is coreachable if a marked state can be reached from that state. A state is nonblocking if it is both reachable and coreachable. A supervisor is nonblocking if all its states are nonblocking.
For a supervisor candidate that is a sub-automaton of , a reachable state in is uncontrollable if from that state an uncontrollable event is defined for the plant but not for the supervisor . A supervisor is controllable if all its states are controllable. A state that is both nonblocking and controllable is called a safe state. As stated earlier, the safe states are synthesized by fixed point computations [7]. There are two operators that are used frequently in the fixed point computations: Image and PreImage. Given a set of states computes the set of states that can be reached in one transition

and computes the set of states that, in one transition, can reach a state in

where

The transition relation is the key element in performing the fixed point computations. In Section V, we show how the symbolic representation of the transition relation of a TEFA is computed.

IV. EFA SEMANTICS OF TEFA

As mentioned earlier, the clocks in TEFAs are discrete-valued, indicating that we imagine measuring time only with a global digital clock with output

where is the set of positive real values. Consequently, the temporal resolution available for modeling purposes is just one unit of clock time. For a TEFA, this behavior can be represented by an EFA by introducing an additional event tick as in [16]. The event tick occurs exactly at the real time moments, which can be imagined to be generated by the global digital clock. Definition 4 (Clock-EFA): For a clock with max value , a clock-EFA, denoted by , is an EFA with the following tuple:

where

If multiple clocks exist, all combinations of the transitions in a clock-EFA for different clocks should be considered. This can be carried out by synchronizing the clock-EFAs based on the full synchronous composition of EFAs [2]. However, in the presence of an invariant for , it should not be possible to execute the tick event if the invariant is not satisfied. For instance, if the location has an invariant , only a transition should be added. Note that in the new tick transition the term has been changed to ; because based on the invariant semantics, should never reach value 4. In general, a location with invariant can be described by the following tick transition:

is obtained by replacing all terms in form of and appearing in with and , respectively. Definition 5 (Invariant-EFA): Let be a TEFA. We define its corresponding invariant-EFA, denoted by , by the EFA : , where ; ; ; , where is a -tuple of zeros. An invariant-EFA of a TEFA , where the tick transitions have been removed (in the above definition this implies that ), is called the isomorphic EFA of . Proposition 1: For TEFAs, the following statement holds:

Proof: The proof follows directly from Definition 3 and the full synchronous composition of EFAs, defined in [2]. Definition 6 (Tick-EFA): For a TEFA , its corresponding tick-EFA, denoted by , is defined as the following EFA: (4)


Essentially, a tick-EFA is the EFA semantics of a TEFA. In the sequel, we denote the synchronization of all clock-EFAs as . Note that synchronizing clock-EFAs will never disable the tick event. Lemma 2: Synchronizing clock-EFAs, the tick event never becomes disabled. Proof: Consider the following facts: for a clock , since will always allow either of the transitions; the clock-EFAs do not share any variables and thus cannot restrict each other in synchronization. Based on the above facts and the definition of full synchronous composition on EFAs, it directly follows that the tick event never becomes disabled. Theorem 3: For TEFAs and clocks, the following statement holds:

(5) Proof: We construct the left-hand side by starting from the right-hand side. From (4), we have

(6) From Proposition 1, (6) is equal to (7) Finally, from (4), (7) is equal to . The above theorem will be the basis for applying SCT to TEFAs. From the SCT perspective, we assume that the tick event is uncontrollable because the supervisor cannot impact the passage of time. However, as we will see later in Section V, the symbolic computations will be performed on an abstraction of the tick-EFAs by eliminating the tick event. This will be the main advantage of this approach compared to the tick-based approach in [33], [34].

V. SYMBOLIC REPRESENTATIONS AND COMPUTATIONS

When performing fixed point computations for systems of industrially interesting sizes, exploring all states in the composed model explicitly can be computationally expensive, in terms of both time and memory, due to the state space explosion problem. We tackle this problem by representing the models and performing the computations symbolically using Binary Decision Diagrams (BDDs) [25], powerful data structures for representing Boolean functions. For large systems where the number of states grows exponentially, BDDs can improve the efficiency of set and Boolean operations performed on the state sets [8], [35], [7].

Given a set of Boolean variables , a Boolean function ( is the set of Boolean values, i.e., 0 and 1) can be expressed using Shannon's decomposition. This decomposition can be expressed by a directed acyclic graph, called a BDD, which consists of two types of nodes: decision nodes and terminal nodes. A terminal node can either be 0-terminal or 1-terminal. Each decision node is labeled by a Boolean variable and has two edges to its low-child and high-child, corresponding to assigning 0 and 1 to the variable, respectively. The size of a BDD , denoted as , refers to the number of decision nodes. The power of BDDs lies in their simplicity and efficiency to perform binary operations. The time complexity of a binary operator between two BDDs and is .

Two BDD operations that have been used extensively in our implementation are the existential quantification and the substitution operators. Let be a BDD and and two sets of Boolean variables. The operation removes all variables belonging to that have appeared in . The notation is used to describe the result of substituting all free occurrences of in by their one-to-one corresponding variables in . For a more elaborate and verbose exposition of BDDs and the implementation of different operators, refer to [36].

The corresponding BDD for a finite set can be represented using its corresponding characteristic function. Definition 7 (Characteristic Function): Let be a finite set so that , where is the finite universal set. A characteristic function is defined by

Since the set is finite, in practice, its elements are represented with numbers in or their corresponding binary -tuples belonging to . For a binary characteristic function, an injective function is used to map the elements in to elements in . In general, is constructed as (8) where on two binary -tuples and is defined as (9) where denotes the th element of . Hence, different set-operations can be carried out on basic Boolean operators.

A. Abstraction of Tick-EFAs

As stated earlier, supervisory control on timed DES based on tick models has been investigated in several works such as [33], [34]. The tick models suffer from a major problem. The state size is very sensitive to the clock frequency: a tick event must be associated with the passage of each unit of time. As the clock frequency increases, so must the number of tick events. As a consequence, performing reachability analysis based on tick models using BDDs comes with two main issues: 1) usually many iterations are needed in the fixed point computations; 2) the intermediate BDDs representing the reachable states can be very big and may need more memory than available, i.e., state space explosion.
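The iteration problem of tick models, and the effect of letting time elapse inside the transition relation instead of through explicit tick steps, can be seen on a small model. The following Python code is an added example, not the authors' implementation: it uses explicit state sets instead of BDDs and assumes no location invariants, and the model, the clock maxima and all function names are constructed for the illustration.

```python
# Added example (not from the paper): explicit sets stand in for BDDs.
# Assumed model: two saturating clocks x (max 5) and y (max 3), no invariants.
MAXIMA = (5, 3)

# Constructed transitions: (source, guard on (x, y), clock indices to reset, target).
TRANSITIONS = [
    ("idle", lambda c: c[0] >= 4, {1}, "busy"),    # leave idle once x >= 4, reset y
    ("busy", lambda c: c[1] >= 3, set(), "done"),  # leave busy once y >= 3
]
INITIAL = ("idle", (0, 0))


def tick(clocks):
    """One tick: every clock advances by one and saturates at its maximum."""
    return tuple(min(c + 1, m) for c, m in zip(clocks, MAXIMA))


def expand(clocks):
    """All clock valuations reachable by the passage of time (zero or more ticks)."""
    seen = []
    while clocks not in seen:  # terminates because the clocks saturate
        seen.append(clocks)
        clocks = tick(clocks)
    return seen


def discrete_successors(state):
    """Targets of the enabled instantaneous transitions of one state."""
    loc, clocks = state
    for src, guard, resets, dst in TRANSITIONS:
        if src == loc and guard(clocks):
            yield dst, tuple(0 if i in resets else c for i, c in enumerate(clocks))


def image_tick(states):
    """Image in the tick model: tick is an ordinary event next to the others."""
    out = set()
    for loc, clocks in states:
        out.add((loc, tick(clocks)))
        out.update(discrete_successors((loc, clocks)))
    return out


def image_timed(states):
    """Image without tick: each discrete step is followed by time expansion."""
    out = set()
    for state in states:
        for dst, clocks in discrete_successors(state):
            out.update((dst, c) for c in expand(clocks))
    return out


def reach(initial_states, image):
    """Least fixed point; counts the Image applications that added new states."""
    reached, iterations = set(initial_states), 0
    while True:
        new = image(reached) - reached
        if not new:
            return reached, iterations
        reached |= new
        iterations += 1


def compare():
    """Run both fixed points on the constructed model and report the result."""
    tick_states, tick_iters = reach({INITIAL}, image_tick)
    loc, clocks = INITIAL
    timed_states, timed_iters = reach({(loc, c) for c in expand(clocks)}, image_timed)
    return {
        "same_states": tick_states == timed_states,
        "states": len(timed_states),
        "tick_iterations": tick_iters,
        "timed_iterations": timed_iters,
    }


if __name__ == "__main__":
    print(compare())
```

Both fixed points reach the same state set; only the number of Image applications differs, and in the tick model it grows with the clock maxima.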

using


In the following, we explain how the iterations caused by the tick event can be eliminated in the BDD implementation to tackle the above-mentioned issues. The idea rests on the fact that time cannot be stopped. In tick-EFAs, this indicates that all the tick transitions will eventually occur, unless there exists a location invariant (Lemma 2). For instance, consider two clocks with domains and and assume is the current state of the system. The following shows the sequence of the states that can be reached by the tick event:

same rate. We will discuss these challenges and motivate the so. In lution we used to construct the corresponding BDD for the sequel, we base our discussions on the corresponding characteristic functions of BDDs. B. BDD Representation of Assume we have a model with a single TEFA including a with no invariants. Let us construct the corresingle clock sponding characteristic function of the reachability transition ; for brevity, we representing a partial transition . We start by constructing the explicit transition write . of the corresponding isomorphic EFAs, denoted as Let be a -tuple of Boolean variables used to represent the events; be a -tuple of Boolean variables used to represent the locations; be a -tuple of Boolean variables used to represent the valuations of variable and be a -tuple of Boolean variables used to represent the valuations of clock . Similarly, let and denote Boolean tuples used to represent the target (updated) locations and valuations of and , respectively. In [3], we showed that the characteristic function of a transition is

Since all tick transitions will eventually occur, it can be diis reached, the states rectly computed that when the state are also reachable. Given a set of as below states , we dene

(10) where . Denition 8 (Timed Transition Relation (TTR)): For a set of clocks , the timed transition relation (TTR) is dened as below In particular, the TTR will expand a tuple of clock evaluato the clock evaluations that can be reached by tions the passage of time. We write to denote a number , where of explicit transitions . Based on the TimedImage operator, we propose the following denition. Denition 9 (Reachability Transition Relation): For a TEFA with transition relation , its corresponding reachability transition relation, denoted by , is dened as below (11) where

(12) (13) where and . The characteristic function of the total transition relation can be computed by disjuncting the corresponding characteristic functions of all partial transition relations. Recall that in (13) the clocks are considered as ordinary variables of an EFA. Now let us transform (13) to its reachability transition to give the clock its real semantics. Based on (11), this can be performed by replacing the term with , where , i.e., . However, if we follow the above formula to construct a partial transition relation with multiple clocks, the clocks will not be synchronized with the same rate. If we add another clock to the model, then the above result will be logically conjuncted . Thus, the term will yield states, where the target evaluations of the clocks will be , which clearly means that clocks do not evolve synchronously with the same rate, i.e., the TimedImage operator will not be implemented correctly. Hence, when there exist clocks, to get the correct result, the statement (12) should be

Consequently, by using in the fixed point computations (as the transition relation passed to the Image and PreImage operators), rather than transitions based on tick-EFAs: 1) a number of states can be reached with a single iteration, compared to the tick transitions, where multiple iterations are required (multiple calls of Image and PreImage operators); 2) usually the corresponding BDD of a set of states becomes smaller than the intermediate BDDs that result after executing a tick transition. In [3], we have shown how EFAs and their synchronous operator are transformed to BDDs. However, this transformation becomes more complicated when clocks are included in the model, especially when it comes to synchronizing the clocks with the

(14)

MIREMADI et al.: SYMBOLIC REPRESENTATION AND COMPUTATION OF TIMED DISCRETE-EVENT SYSTEMS


where

and thus

which represents the following characteristic function:

Essentially, the characteristic function (14) represents the time evolution. The construction of the BDD representing the synchronization of a number of EFAs has already been elaborated in [3]. Having a number of TEFAs and clocks, we construct the BDD representing by performing the following steps:
1) construct the BDD of the explicit transition relation of each corresponding isomorphic EFA and compute their synchronization;
2) construct the BDD representing the TTR;
3) apply the timed semantics to the BDD of Step 1 by considering the BDD computed in Step 2;
4) compute the invariant-BDD and apply it to the BDD from Step 3.

We denote the characteristic function of the BDD from Step 1 by . In Step 2, we implement the TTR by constructing a BDD that represents (14) for all clock valuations . As mentioned earlier, we use the expand operator to replace the target value by a set of values. This replacement occurs in Step 3 and to do this on the BDD level, in addition to , we introduce a set of temporary Boolean variables . The BDD computed in Step 3 will represent without considering the invariants, denoted by . In Step 4, we compute a BDD representing the invariants of all locations and apply it to the BDD obtained from Step 3 to get the corresponding BDD of .

1) BDD Construction of the Isomorphic EFAs: This step has been explained in [3].

2) BDD Construction of the Time Transition Relation: Before continuing, as an example, we apply steps 2 and 3 to the BDD representing the characteristic function (13). We first compute the BDD representing the TTR for all values in

Hence, each value represented by has been substituted by . Algorithm 1 shows the construction of the BDD representing the TTR having the following characteristic function:

(17) Before digging into the algorithm, it is worth describing the principle behind implementing the saturation function , which is especially an issue when there are multiple clocks. The basic idea is to first let the values of the clocks grow even when they exceed the domains of the clocks. In other words, we enlarge the domains of the clocks. Then, in the next step, all values outside of the domain will be replaced by the largest value. For instance, assume there exist two clocks each with domain and let be a tuple which we want to expand. Without enlarging the domain the result is , however, changing the domain to the result would be . Finally, value 3 will be replaced by 2, i.e., the largest value in the old domain, yielding , which will be the result of the function. This implementation could be done in other ways too, but the main reason that we want to enlarge the domain is to always have unique values in the tuples, which is necessary for the correctness of the algorithm. Note that the increase of the domain will be applied to the temporary Boolean variables . To ensure that the values always increase when we want to expand a tuple of multiple clocks, we let include Boolean variables.

In the algorithm, and denote the 0 and 1 terminals, respectively; represents a number of Boolean variables used to represent ; represents a number of Boolean variables used to represent ; and corresponds to the BDD representing value by using . In our implementation, we represent integers and the arithmetic operations by BDD bit-vectors [37]. The notation is the BDD bit-vector representing value , where each bit is a BDD using . is the BDD bit-vector for all values that can be represented by . For a more detailed description on how arithmetic operations are performed on BDD bit-vectors refer to [37].
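The following Python example is added here and is not code from the paper or from Supremica. It uses explicit sets instead of BDDs to show the two-phase construction described above (grow in an enlarged domain while keeping each clock's difference to the first clock, then saturate), and compares it with tick-by-tick iteration and with the faulty conjunction of independent single-clock relations. It assumes each clock has the domain {0, ..., max} and that a tick advances every clock by one; all function names and the sample values are constructed for illustration.

```python
from itertools import product


def tick(valuation, maxima):
    """One tick: every clock advances by one and saturates at its maximum."""
    return tuple(min(v + 1, m) for v, m in zip(valuation, maxima))


def tick_closure(states, maxima):
    """Tick-based reachability: apply single ticks until a fixed point.

    Returns the reached valuations and the number of image computations.
    """
    reached, frontier, iterations = set(states), set(states), 0
    while frontier:
        iterations += 1
        frontier = {tick(v, maxima) for v in frontier} - reached
        reached |= frontier
    return reached, iterations


def build_ttr(maxima):
    """Synchronized TTR as an explicit set of (source, target) pairs.

    Phase 1 works in an enlarged domain: the first clock picks a target value
    and every other clock keeps its difference to the first clock, so nothing
    is clipped yet. Phase 2 is the saturation step.
    """
    horizon = max(maxima)  # after this many ticks every clock is saturated
    relation = set()
    for src in product(*(range(m + 1) for m in maxima)):
        for first in range(src[0], src[0] + horizon + 1):
            grown = tuple(first + (v - src[0]) for v in src)          # phase 1
            target = tuple(min(g, m) for g, m in zip(grown, maxima))  # phase 2
            relation.add((src, target))
    return relation


def build_unsynchronized(maxima):
    """Conjunction of independent single-clock relations (the faulty variant)."""
    per_clock = [
        {(v, min(v + d, m)) for v in range(m + 1) for d in range(m + 1)}
        for m in maxima
    ]
    relation = set()
    for combo in product(*per_clock):
        src = tuple(pair[0] for pair in combo)
        tgt = tuple(pair[1] for pair in combo)
        relation.add((src, tgt))
    return relation


def timed_image(states, relation):
    """Valuations reachable from `states` in one application of `relation`."""
    return {tgt for src, tgt in relation if src in states}


if __name__ == "__main__":
    maxima = (2, 2)   # constructed sample: two clocks, each with domain {0, 1, 2}
    start = {(0, 1)}  # constructed current clock valuation
    print("TTR image:     ", sorted(timed_image(start, build_ttr(maxima))))
    print("tick closure:  ", tick_closure(start, maxima))
    print("unsynchronized:", sorted(timed_image(start, build_unsynchronized(maxima))))
```

With the sample valuation (0, 1), the intermediate tuple (2, 3) appears in the enlarged domain before 3 is replaced by 2, and the unsynchronized variant additionally yields pairs such as (0, 2) that no sequence of ticks can produce.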

(15) where . Next, we compute (15) (13) yielding

(16) where . Let be the BDD representing (16). The final step is to quantify away the Boolean variables in and then substitute the variables in by


Lines 2–7 construct the time transition relation for the case of a single clock in the model. In this case

(18)

This represents the set

(19)

Lines 8–19 synchronize the clocks without considering the saturation function . The basic idea is to synchronize each clock in the model with the first clock and conjunct it with the BDD that has been computed so far for the previous clocks. In line 16, represents all evaluation pairs larger than and for clocks and , respectively, where the difference is . will then represent

(20)

where . Such a BDD will be constructed for all s and s in and , respectively, and will be disjuncted together, stored in . Then, will be conjuncted with that represents the TTR of the clocks that have been computed so far. In lines 20–24 the saturation function is implemented. As mentioned earlier, for each clock all values that are larger than will be replaced by .

Lemma 4: Algorithm 1 returns the corresponding BDD of the TTR.

Proof: Without loss of generality, we perform the proof based on the symbol introduced earlier, rather than using the characteristic functions. When will be equal to (18). In this case, only lines 1–7 will be executed and it is straightforward to see that represents (19). For , we divide the algorithm into two parts: lines 8–19 and lines 20–24 (saturation implementation), and prove the correctness of each part separately. For lines 8–19, we prove that represents

(21)

We prove this by induction. For the basic case, where , from (20) it can be directly deduced that at the end of the iterations, will represent (21). Since the loop in line 8 only iterates once, when line 19 is reached, , which means that . Hence, represents (21) and the basic step is proved. Now, for the inductive step, let us assume that represents (21) for the first clocks, denoted by

(22)

where is a -tuple and is the domain for the first clocks. We prove that this also holds for . In iteration , represents the TTR between clock 1 and clock . Based on (20), the BDD represents

(23)

Now, let us compute in line 19, which is obtained by conjuncting the corresponding BDDs for (22) and (23). We perform the conjunction on their corresponding characteristic functions. From (17), we have that the corresponding characteristic function for (22) is

(24)

and for (23), we have

(25)

By conjuncting (24) and (25) we get

which represents

where

and thus the inductive step is proved. Finally, in lines 20–24 of the algorithm (as stated earlier), for each clock the values that are larger than in will be replaced by , which will yield a BDD representing (17), i.e., . The correctness of these lines is straightforward. Hence, the correctness of the entire algorithm is proved.

Proposition 5: The time complexity of Algorithm 1 is , where is the time complexity of performing the BDD operations in the loops, which is proportional to the sizes of the BDDs.

Proof: The algorithm consists of three sequential parts, lines 2–7, lines 8–19 and lines 20–24. Since the time complexity of lines 8–19 is larger than the other two parts, it can be deduced that the time complexity of the entire algorithm is equal to the time complexity of lines 8–19, which is equal to .

3) Applying the Timed Semantics to the Isomorphic EFAs: This step can be concluded in the following lemma.

Lemma 6: The CF representing

is equal to

Proof: Based on the proof of correctness for in [3] and Lemma 4, the correctness can be directly deduced.

4) Applying Invariants: Finally, we need to consider the invariants into . We compute a BDD, called invariant-BDD, represented by the following characteristic function:

where is the number of TEFAs in the model and is the set of locations of TEFA . It can be observed that represents the set

Theorem 7: The characteristic function of is

(26)

Proof: We prove based on the corresponding explicit sets. We have that represents

(27)

Hence, based on (26), will represent the following set:

which represents . Consequently, having a number of TEFAs, the corresponding BDD of represents the transition relation of the synchronized model, excluding the tick event, and where the clocks evolve synchronously.

VI. CASE STUDY AND EXPERIMENTAL RESULTS

The symbolic approach discussed in Section V has been implemented and integrated in the DES tool Supremica [6] which uses JavaBDD [38] as the BDD package. The experiments were carried out on a standard PC (Intel Core 2 Quad CPU @ 2.4 GHz and 3 GB RAM) running Windows 7. The maximum heap memory used by Java was 1024 MB. The approach has been evaluated by computing the supervisor of several large-scale examples, modeled by TEFAs, and comparing the results with the results obtained by computing the supervisor based on their corresponding tick-EFAs. This section is divided into two parts. The first part discusses a case study, representing a production cell, by considering the modeling aspects and a detailed BDD analysis. In the second part, the approach has been applied to further benchmark cases, with focus on the computational aspects.

A. Production Cell

The production cell, taken from [39], is of interest to formal method researchers as it is complicated but still manageable. In the context of supervisory control, it has been investigated in [40] based on the State Tree Structure (STS) methodology and then extended to timed STS in [18]. The production cell, shown in Fig. 1, consists of six interconnected parts: feed belt, elevating rotary table, robot, press, deposit belt and traveling crane. One notable feature is that the robot has two arms to maximize the capacity of the press, namely to make it possible for the press to be forging while arm1 is picking up another metal blank. More exposition can be found in [40].

Fig. 1. The production cell.

The main objective is to prevent collisions among certain parts and at the same time guarantee nonblocking. Due to the complexity of the example and the page limitation, we only focus on the modeling of one component: the elevating rotary table. In addition, there are six specifications expressed as logic formulas to prevent the system from reaching collision states. For the sake of simplicity, those safety specifications are not taken into account. We forego the discussion and synthesize the nonblocking and controllable supervisor of the production cell example.

Fig. 2. TEFA modeling the horizontal movement of the elevating rotary table. The description of the alphabet can be found in [40].

The table can move vertically and horizontally. Its task is to lift blanks to the top position and rotate by 50° so that arm1 of the robot can pick them up. Subsequently, it needs to come back to the bottom position with 0° to acquire another blank from the feed belt. In our work, we model the table as two modular TEFAs, , shown in Fig. 2 and , modeling the horizontal and vertical movement, respectively. The TEFA consists of the following invariants:

The complete behavior of the table can be obtained by the synchronous product . Fig. 3 shows the corresponding tick-EFA, where is now considered as an EFA variable. Due to space limitations, we have not included on transitions . However, based on the definition of TEFAs the semantics will be the same. The events and are uncontrollable and the rest are controllable. The tick-EFAs can roughly be considered as the tick-models used in [18]. The production cell example consists of and reachable and nonblocking states, respectively. The synthesis was performed in 19 and 10 s for tick-EFAs and TEFAs, respectively. For the reachability computation, the tick-based approach needs 342 iterations to reach a fixed point, while for the TEFAs 289 iterations are needed. Fig. 4 shows the sizes of the intermediate BDDs, representing the states reached so far, during the reachability analysis for the two implementations. For tick-EFAs, the biggest BDD consists of 17487 nodes, whereas for the TEFAs the biggest BDD consists of 12486 nodes. We can also observe that in most of the iterations the sizes of the BDDs of the TEFA approach are smaller than the tick-based approach. It should be mentioned that the result, in terms of the number of states, computed from either of those two approaches is different from the result in [18] due to distinct modeling formalisms used to model the production cell.

Fig. 3. The corresponding tick-EFA of

Fig. 4. The intermediate BDD sizes during the reachability analysis for both tick-EFAs and TEFAs.

B. Benchmarks

The benchmark cases include the following complex industrial models.

pim: Design of a robust and optimal controller for a plastic injection molding machine, taken from [41].

fms: Extension of the large-scale flexible manufacturing system described in [42]. The time has been considered into the model similar to the case study described in Section VI-A.

agv: Extension of the automated guided vehicle (AGV) coordination model (Petri net) described in [43]. In this version, a new zone is introduced at the input station, making the system blocking. Furthermore, the amount of time needed for the AGVs to move between work stations is considered. The time has been considered into the model similar to the case study described in Section VI-A.

mpp: Extension of a production cell in a metal-processing plant, described in [44]. The time has been considered into the model similar to the case study described in Section VI-A.

epc: Extension of a production cell, building the ceiling of a toy car, taken from [45]. In this model, the system is divided into different operations. The time it takes to perform the operations is considered in the model.

6link: Extension of a cluster tool for wafer processing, studied for synthesis in [46]. The amount of time needed to process the wafers is considered.

TABLE I. RESULTS OF THE BENCHMARK STUDIES

The results are shown in Table I. For each model, the table shows the number of automata (Aut), the number of variables , the number of clocks , the number of reachable states (Size), the number of safe states , the number of fixed point iterations, the maximum size of the intermediate BDDs during the fixed point computations (BDDmax), and the synthesis time in seconds. The benchmarks include models from the size of and up to reachable states. From the table, it can be observed that the required fixed point iterations for the TEFA implementation are always fewer than for the tick-based implementation. On the other hand, this fact does not hold for the maximum size of the intermediate BDDs. In models pim and mpp, maxBDD is larger


for the TEFA implementation. These models contain time invariants which force the system to leave the locations quite early after they are reached. In other words, few tick events are performed at the locations, which will not be advantageous when using the BDD representing the TTR which abstracts the tick events. In addition, in these cases, due to the large domain of the clocks, the BDD representing the TTR becomes very large. As a consequence, for the mpp model, the TEFA implementation needed more time to compute the supervisor compared to the tick-based implementation. In all other cases, the TEFA implementation computed the supervisor faster than the tick-based implementation. Consequently, for a TDES, the TEFA implementation can, in most of the cases, compute the supervisor faster than the tick-based implementation.

VII. CONCLUSION AND FUTURE WORKS

In this paper, we presented a method to symbolically, using BDDs, represent TDES, modeled by timed extended finite automata (TEFAs), that are ordinary automata extended with variables and clocks. It was shown how the TEFAs and their synchronization can be represented by BDDs. Furthermore, based on the framework in [16], we showed how SCT can be applied to TEFAs, by introducing a new uncontrollable event tick to the model, and transforming TEFAs to their corresponding tick-EFAs. However, since the tick-based approach suffers from the fact that the state space is very sensitive to the clock frequency, we proposed an approach to eliminate the tick event in the BDD-based computations. The approach was implemented and applied to a classical production cell and several large-scale benchmarks. The results show that the elimination of the tick event in the fixed point computations typically leads to fewer iterations and smaller intermediate BDDs, which in turn will improve the performance of the synthesis algorithm.
It was also shown that for TEFAs consisting of clocks with large domains, the BDD representing time can be large, which can decrease the performance of the synthesis algorithm.

There are some possible directions for future work that we are currently working on. So far, we have considered that the tick event is always uncontrollable; however, we may have cases where an event can preempt the tick, called forcible events, which causes the tick event to become controllable. In the next work, this property will be considered in the framework. We also desire to develop efficient algorithms for quantitative analysis such as time optimization, beside the qualitative analysis (supervisor synthesis). The interesting point about optimization on TEFAs is the existence of uncontrollable events that may lead to several optimal solutions.

REFERENCES
[1] P. Ramadge and W. M. Wonham, "The control of discrete event systems," Proc. IEEE, vol. 77, no. 1, pp. 81–98, 1989.
[2] M. Sköldstam, K. Åkesson, and M. Fabian, "Modeling of discrete event systems using finite automata with variables," in Proc. 46th IEEE Conf. Decision Control, 2007, pp. 3387–3392.
[3] S. Miremadi, B. Lennartson, and K. Åkesson, "A BDD-based approach for modeling plant and supervisor by extended finite automata," IEEE Trans. Control Syst. Technol., vol. 20, no. 6, pp. 1421–1435, 2012.
[4] K. Bengtsson, C. Thorstensson, B. Lennartson, K. Åkesson, S. Miremadi, and P. Falkman, "Relations identification and visualization for sequence planning and automation design," in Proc. IEEE Int. Conf. Autom. Sci. Eng., Aug. 2010, pp. 841–848.
[5] P. Magnusson, N. Sundström, K. Bengtsson, B. Lennartson, P. Falkman, and M. Fabian, "Planning transport sequences for flexible manufacturing systems," in Preprints of the 18th IFAC World Congr., Milano, Italy, 2011, pp. 9494–9499.
[6] K. Åkesson, M. Fabian, H. Flordal, and R. Malik, "Supremica - An integrated environment for verification, synthesis and simulation of discrete event systems," in Proc. 8th Int. Workshop Discrete Event Syst., Ann Arbor, MI, USA, 2006, pp. 384–385.
[7] A. Vahidi, M. Fabian, and B. Lennartson, "Efficient supervisory synthesis of large systems," Control Eng. Practice, vol. 14, no. 10, pp. 1157–1167, Oct. 2006.
[8] S. Miremadi, K. Åkesson, M. Fabian, A. Vahidi, and B. Lennartson, "Solving two supervisory control benchmark problems using Supremica," in Proc. 9th Int. Workshop on Discrete Event Syst., May 2008, pp. 131–136.
[9] Z. Fei, S. Miremadi, and K. Åkesson, "Efficient symbolic supervisory synthesis and guard generation," in Proc. 3rd Int. Conf. Agents Artif. Intell., Rome, Italy, 2011, pp. 106–115.
[10] R. Alur and D. L. Dill, "A theory of timed automata," Theor. Comput. Sci., vol. 126, no. 2, pp. 183–235, Apr. 1994.
[11] H. Wong-Toi and G. Hoffmann, "The control of dense real-time discrete event systems," in Proc. 30th IEEE Conf. Decision Control, 1991, pp. 1527–1528.
[12] L. Ouedraogo, A. Khoumsi, and M. Nourelfath, "SetExp: A method of transformation of timed automata into finite state automata," Real-Time Syst., vol. 46, no. 2, pp. 189–250, Aug. 2010.
[13] H. Chen and H. M. Hanisch, "Control synthesis of timed discrete event systems based on predicate invariance," IEEE Trans. Syst., Man, Cybern. Part B, Cybern., vol. 30, no. 5, pp. 713–24, Jan. 2000.
[14] E. Asarin, O. Maler, and A. Pnueli, "Symbolic controller synthesis for discrete and timed systems," Hybrid Systems II - Lecture Notes in Computer Science, vol. 999, pp. 1–20, 1995.
[15] S. Xu and R. Kumar, "Real-time control of dense-time systems using digital-clocks," IEEE Trans. Autom. Control, vol. 55, no. 9, pp. 2003–2013, Sep. 2010.
[16] J. S. Ostroff and W. M. Wonham, "A framework for real-time discrete event control," IEEE Trans. Autom. Control, vol. 35, no. 4, pp. 386–397, Apr. 1990.
[17] B. A. Brandin, "The modeling and supervisory control of timed DES," in Proc. 4th Int. Workshop of Discrete Event Syst., WODES'98, 1998, pp. 8–14.
[18] A. Saadatpoor, "Timed state tree structures: supervisory control and fault diagnosis," Ph.D. dissertation, Univ. Toronto, Toronto, ON, Canada, 2009.
[19] S. Park, K.-H. Cho, and J.-T. Lim, "Supervisory control of real-time discrete event systems under bounded time constraints," in IEE Proc. Control Theory Appl., 2004, vol. 151, no. 3, pp. 347–352.
[20] J. H. van Schuppen and J. E. Rooda, "The synthesis of time optimal supervisors by using heaps-of-pieces," IEEE Trans. Autom. Control, vol. 57, no. 1, pp. 105–118, Jan. 2012.
[21] A. Aybar and A. Iftar, "Supervisory controller design to enforce some basic properties in timed-transition Petri nets using stretching," Nonlinear Analysis: Hybrid Syst., vol. 6, no. 1, pp. 712–729, Feb. 2012.
[22] B. A. Brandin and W. M. Wonham, "Supervisory control of timed discrete-event systems," IEEE Trans. Autom. Control, vol. 39, no. 2, pp. 329–342, 1994.
[23] P. Gohari and W. M. Wonham, "Reduced supervisors for timed discrete-event systems," IEEE Trans. Autom. Control, vol. 48, no. 7, pp. 1187–1198, Jul. 2003.
[24] R. Alur, C. Courcoubetis, and D. Dill, "Model-checking in dense real-time," Inform. Comput., vol. 104, no. 1, pp. 2–34, 1993.
[25] S. B. Akers, "Binary decision diagrams," IEEE Trans. Comput., vol. 27, pp. 509–516, Jun. 1978.
[26] G. D. Plotkin, "A structural approach to operational semantics," Århus Univ., Aarhus, Denmark, Sep. 1981, Tech. Rep.
[27] C. Baier and J.-P. Katoen, Principles of Model Checking. Cambridge, MA, USA: The MIT Press, 2008.
[28] C. A. R. Hoare, "Communicating sequential processes," Commun. ACM, vol. 21, no. 8, pp. 666–667, 1978.
[29] C. G. Cassandras and S. Lafortune, Introduction to Discrete Event Systems, 2nd ed. New York, NY, USA: Springer, 2008.
[30] Z. Fei, S. Miremadi, K. Åkesson, and B. Lennartson, "Efficient supervisory synthesis to large-scale discrete event systems modeled as extended finite automata," Chalmers Univ. Technol., Göteborg, Sweden, 2012, Tech. Rep.
[31] W. M. Wonham and P. Ramadge, "Modular supervisory control of discrete-event systems," Math. Control Signals Syst., vol. 1, no. 1, pp. 13–30, 1988.
[32] H. Flordal, R. Malik, M. Fabian, and K. Åkesson, "Compositional synthesis of maximally permissive supervisors using supervision equivalence," Discrete Event Dynamic Syst., vol. 17, no. 4, pp. 475–504, Aug. 2007.
[33] Y. Brave and M. Heymann, "Formulation and control of real time discrete event processes," in Proc. 27th IEEE Conf. Decision Control, 1988, pp. 1131–1132.
[34] B. A. Brandin and W. M. Wonham, "The supervisory control of timed DES," IEEE Trans. Autom. Control, vol. 39, no. 2, pp. 329–342, 1994.
[35] C. Ma and W. M. Wonham, "STSLib and its application to two benchmarks," in Proc. 9th Int. Workshop on Discrete Event Syst., WODES'08, May 2008, pp. 119–124.
[36] H. Andersen, "An introduction to binary decision diagrams," Dept. Inform. Technol., Technical Univ. Denmark, Lyngby, Denmark, 1999, Tech. Rep.
[37] E. M. Clarke, K. L. Mcmillan, X. Zhao, M. Fujita, and J. Yang, "Spectral transforms for large boolean functions with applications to technology mapping," Form. Methods Syst. Des., vol. 10, no. 2–3, pp. 137–148, 1997.
[38] JavaBDD. [Online]. Available: javabdd.sourceforge.net
[39] C. Lewerentz and T. Lindner, Eds., Formal Development of Reactive Systems - Case Study Production Cell, ser. Lecture Notes in Computer Science. New York, NY, USA: Springer, 1995, vol. 891, ch. II, pp. 7–19.
[40] C. Ma, "Nonblocking supervisory control of state tree structures," Ph.D. dissertation, Univ. Toronto, Toronto, ON, Canada, 2005.
[41] F. Cassez, J. J. Jessen, K. G. Larsen, J.-F. Raskin, and P.-A. Reynier, "Automatic synthesis of robust and optimal controllers - An industrial case study," in Proc. 12th Int. Conf. Hybrid Syst.: Comput. Control, 2009, pp. 90–104.
[42] M. C. Zhou, F. Dicesare, and D. L. Rudolph, "Design and implementation of a Petri net based supervisor for a flexible manufacturing system," Automatica, vol. 28, no. 6, pp. 1199–1208, Nov. 1992.
[43] J. O. Moody and P. J. Antsaklis, Supervisory Control of Discrete Event Systems Using Petri Nets. Norwell, MA, USA: Kluwer, 1998.
[44] L. Feng, K. Cai, and W. M. Wonham, "A structural approach to the nonblocking supervisory control of discrete-event systems," Int. J. Adv. Manuf. Technol., vol. 41, no. 11–12, pp. 1152–1168, 2009.
[45] M. R. Shoaei, S. Miremadi, K. Bengtsson, and B. Lennartson, "Reduced-order synthesis of operation sequences," in Proc. IEEE 16th Conf. Emerging Technol. Factory Autom. (ETFA), 2011, pp. 1–8.
[46] R. Su, J. Schupen, and J. Rooda, "Aggregative synthesis of distributed supervisors based on automaton abstraction," IEEE Trans. Autom. Control, vol. 55, no. 7, pp. 1267–1640, 2010.

Sajed Miremadi was born in Linköping, Sweden, in 1983. He received the B.Sc. degree in computer engineering from the Sharif University of Technology, Tehran, Iran, in 2006, the M.Sc. degree in computer science from Linköping University, Linköping, Sweden, in 2008, and the Ph.D. degree in automation from Chalmers University of Technology, Gothenburg, Sweden, in 2012. His main research interests include supervisory control and optimization of untimed and timed discrete event systems, using formal methods.

Zhennan Fei received the M.Sc. degree in computer science from Chalmers University of Technology, Gothenburg, Sweden, in 2009. He is currently pursuing the Ph.D. degree in automation at Chalmers University of Technology. His main research interests include supervisory control and automated planning of discrete-event systems.

Knut Åkesson received the M.S. degree in computer science and engineering from the Lund Institute of Technology, Lund, Sweden, in 1997 and the Ph.D. degree in control engineering from Chalmers University of Technology, Gothenburg, Sweden, in 2002. Currently, he is an Associate Professor with the Department of Signals and Systems, Chalmers University of Technology, where his main research interest is to develop and apply formal methods for verification and synthesis of control logic.

Bengt Lennartson (M'10) was born in Gnosjö, Sweden, in 1956. He received the Ph.D. degree in automatic control from Chalmers University of Technology, Gothenburg, Sweden, in 1986. Since 1999, he has been a Professor of the Chair of Automation, Department of Signals and Systems. He was Dean of Education at Chalmers University of Technology from 2004 to 2007, and since 2005, he has been a Guest Professor at University West, Trollhättan. He was Chairman of the Ninth International Workshop on Discrete-Event Systems, WODES'08, Associate Editor for Automatica from 2002 to 2005, and currently is Co-Chair of the RAS-TC on Sustainable Production Automation, and Associate Editor for IEEE TRANSACTIONS ON AUTOMATION SCIENCE AND ENGINEERING. He is (co)author of two books and 220 peer reviewed international papers with more than 3800 citations (GS). His main areas of interest include discrete event and hybrid systems, especially for manufacturing applications, as well as robust feedback control.
