Discrete Event Dynamic Systems

Volume 19, Issue 1, pp 1–30

Closed-loop Live Marked Graphs under Generalized Mutual Exclusion Constraint Enforcement

Authors

  • F. Basile, Dipartimento di Ingegneria dell'Informazione e Ingegneria Elettrica, Università degli Studi di Salerno
  • Laura Recalde, Dep. de Informática e Ingeniería de Sistemas
  • Pasquale Chiacchio, Dipartimento di Ingegneria dell'Informazione e Ingegneria Elettrica, Università degli Studi di Salerno
  • Manuel Silva, Dep. de Informática e Ingeniería de Sistemas
Article

DOI: 10.1007/s10626-008-0050-7

Cite this article as:
Basile, F., Recalde, L., Chiacchio, P. et al. Discrete Event Dyn Syst (2009) 19: 1. doi:10.1007/s10626-008-0050-7

Abstract

Enforcing a supervisory control policy to avoid forbidden states on a discrete event system modeled by a Petri net may result in a non-live system. This may happen even if the admissible states are specified by Generalized Mutual Exclusion Constraints (GMECs). This leads to the problem of synthesizing a maximally permissive control policy that preserves liveness of the system under a GMEC. This problem is very interesting in practice, but difficult even for a restricted class of systems. In this paper, we focus on systems which can be modeled as live and safe Marked Graphs (MGs). On such systems, when some of the transitions are uncontrollable, a GMEC can be enforced by a monitor place if a not maximally permissive policy is accepted; otherwise a more complex control has to be adopted. In either case, liveness of the closed-loop system (plant plus control) is not guaranteed. Two sufficient conditions to verify the closed-loop liveness of a live and safe MG plant controlled by a monitor are derived. A sufficient condition for closed-loop liveness of MGs on which a GMEC has been enforced is derived. In addition, a set of predicates is provided that enforces a GMEC in a maximally permissive way while preserving closed-loop liveness on live and safe MG systems under some restrictions.

Keywords

Supervisory control; Closed-loop liveness; Generalized mutual exclusion constraint; Monitor places; Marked graphs

1 Introduction

Supervisory control theory for discrete event systems (DESs) was initiated by Ramadge and Wonham (1989). In their seminal work they represent both the plant, i.e. the system to be controlled, and the desired closed-loop behaviour by regular languages. The specific problem addressed was to synthesize a controller, called supervisor, that achieves the largest subset of the desired language that is nonblocking, i.e. that does not prevent any task from being completed, by disabling or enabling controllable events. The unwanted sequences may be related, for example, to safety requirements. Although regular languages have been a useful framework to start such a DES control theory, they are limited in representing systems consisting of numerous interacting subsystems.

For this reason, a control theory for DESs modeled by partially-synchronized products of automata and Petri nets (PNs) has been developed (Holloway et al. 1997; Stremersch 2001). PNs are particularly effective when there is a high degree of concurrency and synchronization. In control theory, general PN models are extended with the concept of controllable transitions. Two possibilities can be explored. In the first one, a controllable transition may be disabled by an external control input represented by the value of a logical predicate; in this case we speak of controlled PNs and of an interpreted supervisor (Giua et al. 1993). In the second one the feedback control policy is implemented by a PN controller, whose marking enables or disables, according to the logical specifications, the controllable transitions it is connected to in the closed-loop net. Input arcs from the controller to uncontrollable transitions are not allowed. In this case we have a compiled supervisor, and the closed-loop system properties can be analyzed in a single framework, because both the plant and the controller are represented by PNs. What we lose is the expressive power of the control law, which, in the general case, cannot be implemented by a PN in a maximally permissive form (Holloway et al. 1997).

Here we consider the problem of forbidden state specification in conjunction with liveness under control. Avoiding forbidden states is a very common specification for a DES and a lot of work has been done on the subject (Holloway et al. 1997), but unfortunately the solution may lead the system to deadlocks. Yet liveness is a fundamental specification for a DES control problem, like stability in classical control theory.

Furthermore, notice that even if we have a net-based supervisor to enforce a forbidden state specification, the closed-loop net system is in general more complex than the plant net as far as liveness analysis is concerned. A forbidden state problem may represent, for example, a resource sharing problem. Enforcing it introduces conflicts not present in the plant model, and thus the resulting closed-loop net system generally belongs to a wider net subclass, where liveness preservation may be a much more complex problem.

In this paper we restrict our study to plants modeled by Marked Graphs (MGs). There are several reasons for this: MGs are relevant in the modeling of automated manufacturing systems; MGs are a well studied net subclass and so their behaviour is well known; the difficulty of the addressed problem would not have allowed a solution to be obtained for more complex nets, at least in this initial stage of the research. Furthermore, notice that the closed-loop net formed by a MG and the controller enforcing a set of GMECs, as for example a MG plus a monitor, belongs in general to a net subclass wider than MGs, and thus it is not trivial to guarantee its liveness.

The approach presented in this paper consists of two steps at the most.
  • First, enforce a forbidden-state specification without liveness specification, and then analyze the liveness property of the closed-loop system. In some cases the computational complexity required for the synthesis of a controller without the liveness specification and the checking of the closed-loop liveness, especially when the controller is compiled, may be low compared with the one required if the closed-loop liveness is taken into account directly with the control specification: so, it may be convenient to try.

    In this paper we consider, as forbidden state specification, a Generalized Mutual Exclusion Constraint (GMEC) that limits a weighted sum of tokens in a subset of places. When all transitions are controllable, it was shown that it is possible to impose a GMEC in a maximally permissive way by a monitor (Giua et al. 1992; Yamalidou et al. 1996). The monitor synthesis is very efficient from the computational point of view and it leads to a compiled supervisor. In the presence of uncontrollable transitions (Moody and Antsaklis 2000; Basile et al. 2006), monitors are not always able to implement a maximally permissive policy to enforce a GMEC. However, because of their simplicity they may represent an acceptable suboptimal solution to the control problem; thus, in this paper the problem of checking liveness of a MG system controlled by a monitor is considered, providing two sufficient conditions which permit the check at very low computational cost.

  • Second, if the controller synthesized without liveness specification is not live, it is necessary to synthesize a control policy for the forbidden state problem that guarantees closed-loop liveness. This is in general more complex.

    In this paper, if the net system controlled by the monitor turns out to be non-live, the problem of synthesizing a controller which enforces both the GMEC and liveness on MGs is addressed. An interpreted supervisor that enforces a GMEC in a maximally permissive way on MGs under some restrictions, while keeping liveness, is proposed. The synthesis of the control policy requires a computational effort polynomial in the net size, and it is suitable to be executed on-line, since it requires just the evaluation of logical predicates that essentially consist of comparing the values of some counter variables with integers.

This paper has some points of contact with the work of Reveliotis (Park and Reveliotis 2002) and with those of Iordache and Antsaklis (Iordache et al. 2002; Iordache and Antsaklis 2003).

In Park and Reveliotis (2002) a suboptimal approach is presented. It can be applied to resource allocation problems specified as a set of GMECs for a net subclass known as Simple Sequential Processes (S2P), consisting of a number of strongly connected state machines connected by resource places enforcing GMECs. The problem of including GMECs that do not represent resource allocation problems is treated as an extension. The main difference with this work is that the control law proposed here can be applied to MGs and that it is maximally permissive.

In Iordache et al. (2002) and Iordache and Antsaklis (2003) a procedure for the design of supervisors that enforce the transitions in a set \({\cal T}\) to be live is presented. The procedure is general and no assumption on the PN structure is required. However, the procedure is iterative and termination is not guaranteed unless the PN is bounded, and it requires a certain number of off-line steps of exponential computational complexity (Iordache and Antsaklis 2006), since it requires the computation of minimal active siphons. The control law is represented by the conjunction of GMECs enforceable by a set of monitor places, or by the disjunction of sets of GMECs which cannot be enforced by monitors; in any case the on-line computational cost is negligible, but the law is maximally permissive only when all transitions are controllable and observable. In the presence of partial controllability and observability, maximal permissiveness is not guaranteed. The main differences with this work are: there, the main goal is liveness or deadlock-freeness of the plant net and the problem of enforcing GMECs is treated as an extension, while in this work the plant net is supposed to be live and the control law must avoid deadlocks induced by one or several GMECs; their procedure is general, while the control law proposed in this paper can be applied only to MGs, but it is maximally permissive and its synthesis has polynomial complexity.

Section 2 introduces notation about PNs and presents the problem considered in this paper by a simple example, while in Section 3 the definition of control subnet, used in the following sections, is introduced.

The main results are collected in Sections 4, 5 and 6.

Some results are presented in Section 4, aimed at verifying whether a net controlled by a monitor is closed-loop live. The given conditions suffer from two main drawbacks: they are sufficient, but not necessary, conditions, and they can only be applied to monitors. However, the computational complexity of control synthesis and of liveness checking is very low. Therefore, these conditions may prove very useful.

In Section 5 a sufficient condition is presented to check closed-loop liveness for a live and bounded MG system on which a GMEC has been imposed, by checking closed-loop liveness of proper subnets computed from the constrained places (no hypothesis is made on the control technique; the controller may not be a monitor). In this way the problem of checking liveness is decomposed and may thus become simpler. A control policy to enforce a kind of GMEC, under some restrictions, on a cyclic live and safe MG was proposed in Holloway and Krogh (1990) and extended in Krogh and Holloway (1991). In Holloway and Krogh (1992) it was shown that the control policy proposed in Holloway and Krogh (1990) is closed-loop live if the output transition of any forbidden place is not a synchronization transition; the resulting controller is an interpreted supervisor. In Section 6, a control synthesis method to enforce a GMEC in a maximally permissive way on a live and safe MG under some restrictions, while keeping liveness, is presented. It allows a synchronization transition to be an output transition of a forbidden place, generalizing the results in Holloway and Krogh (1990).

2 Preliminaries and formalisms

2.1 Place/transition nets

A place/transition (P/T) net (Murata 1989; Silva 1993) is a structure N = (P,T,Pre,Post) where: P is a set of n places represented by circles; T is a set of m transitions represented by bars; P ∩ T = ∅, P ∪ T ≠ ∅; \(Pre:P \times T \rightarrow {{\mathbb N}}\) (\(Post:P \times T \rightarrow {{\mathbb N}}\)) is the pre- (post-) incidence function that specifies the input (output) arcs directed from places to transitions (from transitions to places), with \({{\mathbb N}}\) the set of non-negative integers. For instance, Pre(p,t) = a (Post(p,t) = a) means that there is an arc from p (t) to t (p) with weight a. If all arcs have unitary weights, the net is called ordinary. The pre- and post-incidence functions can be represented as n × m matrices Pre and Post with elements \(Pre(p_\imath,t_\jmath)\) and \(Post(p_\imath,t_\jmath)\), respectively. The incidence matrix \({\boldsymbol C}\) of the net is defined as \({\boldsymbol C}={\bf Post}-{\bf Pre}\). For pre- and post-sets we use the conventional dot notation, e.g. \({^\bullet}t = \{ p \in P \mid Pre(p,t) \neq 0 \}\), which is naturally extended to sets of nodes.

A marking is an n × 1 vector \({\boldsymbol m} \in {{\mathbb N}}^{|P|}\) that assigns to each place of a P/T net a non-negative integer number of tokens. A P/T system or net system \(\langle N,{\boldsymbol m}_0 \rangle\) is a P/T net N with an initial marking \({\boldsymbol m}_0\). A transition t ∈ T is enabled at a marking \({\boldsymbol m}\) iff \({\boldsymbol m} \geq {\bf Pre}(\cdot,t)\). If t is enabled, then it may fire, yielding a new marking \({\boldsymbol m}^{\prime}={\boldsymbol m}+{\bf Post}(\cdot,t)-{\bf Pre}(\cdot,t)={\boldsymbol m}+{{\boldsymbol C}}(\cdot,t)\). The notation \({\boldsymbol m}[t>{\boldsymbol m}^\prime\) will mean that an enabled transition t may fire at \({\boldsymbol m}\) yielding \({\boldsymbol m}^\prime\). A firing sequence from \({\boldsymbol m}_0\) is a (possibly empty) sequence of transitions σ = t1...tk such that \({\boldsymbol m}_0[t_1>{\boldsymbol m}_1 [t_2>{\boldsymbol m}_2 \ldots [t_k>{\boldsymbol m}_k\). A marking \({\boldsymbol m}\) is reachable in \(\langle N,{\boldsymbol m}_0 \rangle\) iff there exists a firing sequence σ such that \({\boldsymbol m}_0[\sigma>{\boldsymbol m}\). Given a net system \(\langle N,{\boldsymbol m}_0 \rangle\), the set of reachable markings is denoted \(R(N,{\boldsymbol m}_0)\).

The firing count vector of the fireable sequence σ will be denoted as \({\boldsymbol \sigma}\in {{\mathbb N}}^{|T|}\), where \({\boldsymbol \sigma}(t)\) represents the number of occurrences of t in σ. The support of a firing count vector \({\boldsymbol \sigma}\) is the set \(\parallel {\boldsymbol \sigma} \parallel = \{ t \in T \mid {\boldsymbol \sigma}(t) \neq 0\}\). If \({\boldsymbol m}_0[\sigma>{\boldsymbol m}\), then we can write in vector form \({\boldsymbol m}={\boldsymbol m}_0+{{\boldsymbol C}} \cdot {\boldsymbol \sigma}\). This is known as the state equation of the system. The solutions of the state equation that do not correspond to reachable markings will be called spurious. Non-negative left annihilator vectors of \({\boldsymbol C}\) are called P-semiflows, i.e. \({\boldsymbol y} \in {{\mathbb N}}^{|P|}, \, {\boldsymbol y} \neq {\boldsymbol 0} , \, {\boldsymbol y}^T {\boldsymbol C} ={\boldsymbol 0}^T\). The support of a P-semiflow \({\boldsymbol y}\) is the set \(\parallel {\boldsymbol y} \parallel = \{ p \in P \mid {\boldsymbol y}(p) \neq 0\}\). If \({\boldsymbol y}\) is a P-semiflow then \({\boldsymbol y}^T {\boldsymbol m} = {\boldsymbol y}^T {\boldsymbol m}_0 , \, \forall {\boldsymbol m} \in R(N,{\boldsymbol m}_0)\). Non-negative right annihilator vectors of \({\boldsymbol C}\) are called T-semiflows, i.e. \({\boldsymbol x}\in {{\mathbb N}}^{|T|}, \, {\boldsymbol x} \neq {\boldsymbol 0}, \, {\boldsymbol C} {\boldsymbol x}={\boldsymbol 0}\). A MG is an ordinary P/T net such that ∀ p ∈ P, | ∙ p | = |p ∙ | = 1. A T-semiflow (P-semiflow) is canonical iff the greatest common divisor of its components is 1. A T-semiflow (P-semiflow) is said to be minimal iff it is canonical and has minimal support.

A P/T system is live when, from every reachable marking, every transition can ultimately occur; it is deadlock-free when every reachable marking enables some transition. For strongly connected MGs, liveness is equivalent to deadlock-freeness.

Let \({\boldsymbol w} \in {{\mathbb N}}^n\) and \(k \in {{\mathbb N}}\). A GMEC \(({\boldsymbol w}, k)\) defines the set of legal markings expressed by the following linear inequality: \({\cal L} = {\cal M}({\boldsymbol w},k) \equiv \{ {\boldsymbol m}\in {{\mathbb N}}^n \mid {\boldsymbol w} \cdot {\boldsymbol m} \leq k \}\). The support of \({\boldsymbol w}\) is the set \(Q_w=\{ p \in P \mid {\boldsymbol w}(p) \neq 0\}\).

We assume that the set of transitions T of a net is partitioned into two disjoint subsets: Tu, the set of uncontrollable transitions, and Tc, the set of controllable transitions; T = Tu ∪ Tc and Tu ∩ Tc = ∅. A controllable transition may be disabled by the supervisor, a controlling agent which ensures that the behaviour of the system stays within a legal behaviour. An uncontrollable transition represents an event which cannot be prevented from occurring by a supervisor. Controllable transitions will be drawn as empty boxes, and uncontrollable ones as black bars.

Given a system \(\langle N, {\boldsymbol m}_0 \rangle\) and a GMEC \(({\boldsymbol w}, k)\), the occurrence of an uncontrollable transition tu at a certain legal marking \({\boldsymbol m}\) may lead to a forbidden marking \({\boldsymbol m}^\prime\). Therefore, it is also necessary to avoid the set of markings \({\cal M}_{fu}({\boldsymbol w},k)=\{{\boldsymbol m}\in {{\mathbb N}}^n \mid {\boldsymbol m} [{\boldsymbol \sigma}>{\boldsymbol m}^\prime,\ {\boldsymbol m}^\prime \not\in{\cal M}({\boldsymbol w},k),{\boldsymbol \sigma} \in T_u^{*} \}\). So, in the presence of uncontrollable transitions, the set of legal markings under control will be \({\cal M}_c({\boldsymbol w},k)=({\cal M}({\boldsymbol w},k) \cap R(N,{\boldsymbol m}_0))\setminus {\cal M}_{fu}({\boldsymbol w},k)\). A supervisory control policy is said to be maximally permissive if it prevents only transition firings that yield illegal markings. Observe that \({\cal M}_c({\boldsymbol w},k) \subseteq {\cal M}({\boldsymbol w},k)\), i.e. the cardinality of the set of legal markings may decrease.

2.2 Monitor fundamentals

It has been shown in Giua et al. (1992) that, if all transitions are controllable, the PN controller that enforces \(({\boldsymbol w},k)\) has the following incidence matrix \({\boldsymbol c}_c \in {{\mathbb Z}}^{1 \times m}\): \({\boldsymbol c}_c=-{\boldsymbol w} \cdot {\boldsymbol C}_p\) where \({\boldsymbol C}_p\) is the incidence matrix of the plant. The initial marking of the controller \(m_{c0} \in {{\mathbb N}}\) is given by: \(m_{c0}=k-{\boldsymbol w} \cdot {\boldsymbol m}_{p0}\) where \({\boldsymbol m}_{p0}\) is the initial marking of the plant.

The controller so constructed is maximally permissive, i.e. it only prevents those transition firings that yield illegal markings. The control net consists of a single control place; no transition is added. Such a control place is called a monitor. The monitor place, denoted as pm, is connected to the plant transition \(t_\jmath\) as specified by the incidence matrix element \({\boldsymbol c}_c(p_m,t_\jmath)\).

When the controller is modeled by a PN structure, it is possible to disable a transition t only if there is an arc from a controller place to t and the marking of the controller place does not enable the transition. Arcs to uncontrollable transitions are not allowed. In terms of monitor places this can be formalized by imposing an additional constraint (Moody and Antsaklis 2000):
$${\boldsymbol w} \cdot {\boldsymbol C}_u \leq {\boldsymbol 0}$$
(1)
where \({\boldsymbol C}_u \in {{\mathbb Z}}^{n \times m_u}\) is the incidence matrix of the uncontrollable subnet Nu, i.e. the net obtained from N by removing the controllable transitions, and mu is the number of uncontrollable transitions of the plant net.

In Moody and Antsaklis (2000) an efficient way to transform the control specification given by a GMEC \(({\boldsymbol w},k)\) into a more restrictive GMEC \(({\boldsymbol w}^\prime,k^\prime)\) that meets Eq. 1 is proposed.

Even if a monitor does not represent a maximally permissive way to enforce a GMEC in the general case, it can be an efficient suboptimal solution from the computational point of view, since its incidence matrix and initial marking are obtained by matrix multiplications, and the algorithm to impose Eq. 1 is polynomial w.r.t. the cardinality of the place set. In addition, its implementation is very simple, just adding a single place and its input and output arcs.

As said in the introduction, enforcing a GMEC on a live net system may lead to deadlock states. An example is shown in Fig. 1. For the live plant net system in Fig. 1a, the set of legal markings is \({\cal M}({\boldsymbol w},k) = \{ {\boldsymbol m} \mid {\boldsymbol m}(p_4) + {\boldsymbol m}(p_5) \leq 1 \}\). This restriction is enforced by the monitor place pm, as shown in Fig. 1b. In this case, since the plant net is a safe MG and \({\boldsymbol w} \leq \bf1\), the monitor is the maximally permissive solution for preventing forbidden states with respect to the GMEC (Giua et al. 1993), even though uncontrollable transitions exist. However, the closed-loop system is not live: it is immediate to see that when t1 fires before t2 a deadlock occurs. To make the closed-loop system live we have to enable the firing of t1 only after t4 has fired. Thus, the control place pc1 is derived as in Fig. 1c.
Fig. 1

(a) a live MG system; (b) the GMEC \({\boldsymbol m}(p_4) + {\boldsymbol m}(p_5) \leq 1\) is forced on the net system in (a) by the monitor place pm; (c) the GMEC and closed-loop liveness are forced on the net system in (a) by the control place pc1; (d) the net system in (c), after deleting the implicit places p6 and p1, is reduced to a sequential net system

A place is said to be implicit if its removal preserves the possible firing sequences, i.e., it is never the unique restriction for the firing of its output transitions. The removal of implicit places preserves sequential properties like boundedness and liveness. By means of linear relaxations, a sufficient structural condition for a place to be sequentially implicit can be stated, which can be verified in polynomial time.

Proposition 1

(Silva et al. 1998) Let \(\langle N, {\boldsymbol m}_0 \rangle\) be a net system. A place p ∈ P with initial marking \({\boldsymbol m}_0(p)\geq z\), where z is the optimal value of Eq. 2, is (sequentially) implicit.
$$\begin{array}{rl} z = \min & {\boldsymbol y} \cdot {\boldsymbol m}_0 + \mu \\ \mbox{s.t.} & {\boldsymbol y} \cdot {\boldsymbol C} \leq {\boldsymbol C}(p,T) \\ & {\boldsymbol y} \cdot {\bf Pre}(P,t) + \mu \geq {\bf Pre}(p,t) \quad \forall t \in p^\bullet \\ & {\boldsymbol y} \geq {\bf 0}, \quad {\boldsymbol y}(p) = 0 \end{array}$$
(2)

If pm and pc1 are added simultaneously to the net system in Fig. 1a, pm happens to be implicit (\({\boldsymbol m}(p_m)={\boldsymbol m}(p_{c1})+ {\boldsymbol m}(p_4)+{\boldsymbol m}(p_6)-1\)). This means that pc1 imposes a stronger restriction on the original behaviour. If pc1 is added, the closed-loop system can be further simplified as shown in Fig. 1d, because both p1 and p6 are implicit. Moreover, looking at Fig. 1d, it is clear that once pc1 has been added the behaviour of the plant system has been restricted to be sequential. That is, the firings of the controllable transitions, which are concurrent in the uncontrolled system of Fig. 1a, and which may be forced to be conflicting when only the GMEC specification is present, as in Fig. 1b, become sequential when closed-loop liveness is also required.

Even if in general a monitor does not represent a maximally permissive policy, it may represent a good suboptimal solution when the system is closed-loop live. If this is not the case, like for the net system in Fig. 1a, a more complex controller has to be derived.
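The monitor construction of Section 2.2 and the deadlock phenomenon of Fig. 1, worked on a small constructed net; this is an added example, not code from the paper, and the net (two branches joined by t4, with t3 and t4 assumed uncontrollable) is not the net of Fig. 1. It computes c_c and m_c0, checks Eq. 1, explores the closed-loop reachability set to find deadlocks, and then adds an assumed interpreted-supervisor predicate on t1 that restores deadlock-freeness while the GMEC still holds.

```python
"""Monitor synthesis (Section 2.2) and closed-loop deadlock check on a
constructed live and safe marked graph (not the net of Fig. 1)."""
from collections import deque

# Constructed MG: place -> (input transition, output transition).
# Branches: t4 -> p1 -> t1 -> p4 -> t4  and  t4 -> p2 -> t2 -> p5 -> t3 -> p3 -> t4.
PLACES = {"p1": ("t4", "t1"), "p2": ("t4", "t2"), "p3": ("t3", "t4"),
          "p4": ("t1", "t4"), "p5": ("t2", "t3")}
TRANS = ["t1", "t2", "t3", "t4"]
T_UNC = {"t3", "t4"}                                # assumed uncontrollable
M0 = {"p1": 1, "p2": 1, "p3": 0, "p4": 0, "p5": 0}
W = {"p1": 0, "p2": 0, "p3": 0, "p4": 1, "p5": 1}   # GMEC: m(p4) + m(p5) <= K
K = 1

def pre_post(places):
    """Pre and Post as dict[place][transition] for an ordinary net."""
    pre = {p: {t: 0 for t in TRANS} for p in places}
    post = {p: {t: 0 for t in TRANS} for p in places}
    for p, (t_in, t_out) in places.items():
        post[p][t_in] += 1
        pre[p][t_out] += 1
    return pre, post

def incidence(pre, post):
    """C = Post - Pre."""
    return {p: {t: post[p][t] - pre[p][t] for t in TRANS} for p in pre}

def monitor(C, w, k, m0):
    """Monitor row c_c = -w.C_p and initial marking m_c0 = k - w.m_p0."""
    c_c = {t: -sum(w[p] * C[p][t] for p in C) for t in TRANS}
    return c_c, k - sum(w[p] * m0[p] for p in C)

def eq1_holds(C, w, t_unc):
    """Eq. 1 (w.C_u <= 0): no uncontrollable firing can increase w.m."""
    return all(sum(w[p] * C[p][t] for p in C) <= 0 for t in t_unc)

def closed_loop(pre, post, C, w, k, m0):
    """Add place pm: c_c(t) < 0 is an arc pm -> t, c_c(t) > 0 an arc t -> pm."""
    c_c, m_c0 = monitor(C, w, k, m0)
    pre = {**pre, "pm": {t: max(0, -c_c[t]) for t in TRANS}}
    post = {**post, "pm": {t: max(0, c_c[t]) for t in TRANS}}
    return pre, post, {**m0, "pm": m_c0}

def enabled(pre, m, t, predicate=None):
    """m >= Pre(., t), plus an optional interpreted-supervisor predicate."""
    return all(m[p] >= pre[p][t] for p in pre) and (predicate is None or predicate(m, t))

def fire(pre, post, m, t):
    """m' = m + Post(., t) - Pre(., t)."""
    return {p: m[p] - pre[p][t] + post[p][t] for p in pre}

def reachable(pre, post, m0, predicate=None):
    """Breadth-first enumeration of R(N, m0); finite since the net is bounded."""
    key = lambda m: tuple(sorted(m.items()))
    seen, queue, out = {key(m0)}, deque([m0]), []
    while queue:
        m = queue.popleft()
        out.append(m)
        for t in TRANS:
            if enabled(pre, m, t, predicate):
                m2 = fire(pre, post, m, t)
                if key(m2) not in seen:
                    seen.add(key(m2))
                    queue.append(m2)
    return out

def deadlocks(pre, post, m0, predicate=None):
    """Reachable markings that enable no transition."""
    return [m for m in reachable(pre, post, m0, predicate)
            if not any(enabled(pre, m, t, predicate) for t in TRANS)]

PRE, POST = pre_post(PLACES)
C = incidence(PRE, POST)
C_C, M_C0 = monitor(C, W, K, M0)
CL_PRE, CL_POST, CL_M0 = closed_loop(PRE, POST, C, W, K, M0)

def live_policy(m, t):
    """Assumed interpreted supervisor: t1 may fire only once p3 is marked
    (i.e. after t2 and t3), so the join t4 can always complete."""
    return t != "t1" or m["p3"] >= 1

def plant_violates_gmec():
    return any(sum(W[p] * m[p] for p in W) > K for m in reachable(PRE, POST, M0))

def monitor_is_deadlock_free():
    return not deadlocks(CL_PRE, CL_POST, CL_M0)

def policy_is_deadlock_free():
    return not deadlocks(CL_PRE, CL_POST, CL_M0, live_policy)

def policy_respects_gmec():
    return all(sum(W[p] * m[p] for p in W) <= K
               for m in reachable(CL_PRE, CL_POST, CL_M0, live_policy))

if __name__ == "__main__":
    print("c_c =", C_C, "m_c0 =", M_C0, "Eq. 1:", eq1_holds(C, W, T_UNC))
    print("monitor alone deadlock-free:", monitor_is_deadlock_free())
    print("monitor + predicate deadlock-free:", policy_is_deadlock_free())
```

Firing t1 first in the monitored net leaves t2 blocked by pm and t3, t4 without tokens, which is the deadlock the reachability search reports.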

3 Control subnet

To enforce a GMEC it may be necessary to prevent some transitions from firing. Since it is not possible to disable the firing of an uncontrollable transition t ∈ Tu, we may only disable the set of controllable transitions whose firing is required in order to enable t. In the case of MG systems, this set can be computed analytically from the net structure. To this aim, the concept of control subnet is introduced.

3.1 Definitions

Definition 1

(control subnet of a transition) Let N be a MG net structure and consider a transition \(t_\imath\). The control subnet for \(t_\imath\) is \(N_\imath=(P_\imath,T_\imath,Pre_\imath,Post_\imath)\) where
  • \(P_\imath\subseteq P\) is the set of places connected to \(t_\imath\) by a directed path containing only uncontrollable transitions,

  • \(T_\imath={^\bullet}P_\imath\cup P_\imath{^\bullet}\),

  • \(Pre_\imath(p,t)=Pre(p,t)\),

  • \(Post_\imath(p,t)=Post(p,t)\)

The set of control transitions for \(t_\imath\) is \( C_\imath= {^\bullet}P_\imath\setminus P_\imath^\bullet\) and \(C_\imath \subseteq T_c\). A directed path from a transition \(t \in C_\imath\) to \(t_\imath\) is called control path. Note that if \(t_\imath\in T_c\) then \(C_\imath=\{ t_\imath\}\).

In the case of MGs, given a constraint \(({\boldsymbol w},k)\), the problem is to control the firing of the single input transition of each place pi ∈ Qw in order to meet the constraint. We will denote as \(N_{I_i}=(P_{I_i},T_{I_i},Pre_{I_i},Post_{I_i})\) the control subnet of the input transition of pi and as \(TCI_i= \{ t_{TCI_i}^1, ..., t_{TCI_i}^{m_i}\}\) the set of control transitions for  ∙ pi (which we assume is not empty). Notice that \(TCI_i \subseteq T_{I_i}\).

Consider the net in Fig. 2a where the GMEC \({\boldsymbol m}(p_1) + {\boldsymbol m}(p_2) \leq 1\) has to be enforced. Figure 2b shows the control subnet of the input transition of place p1, named \(N_{I_1}\); Fig. 2c shows the control subnet of the input transition of place p2, named \(N_{I_2}\).
Fig. 2

(a) A net system where the GMEC \({\boldsymbol m}(p_1) + {\boldsymbol m}(p_2) \leq 1\) has to be enforced; (b) control subnet associated with t1; (c) control subnet associated with t2; (d) control subnet associated with to1; (e) control subnet associated with to2

As shown in the previous section, if we force a GMEC on a live MG a deadlock may occur. So, it is important to be sure that the (unique) output transition of a place in Qw may always be eventually fired. Thus, also the control subnet of an output transition \(t_{oi}=p_\imath{^\bullet}\) has to be introduced.

We will denote as \(N_{O_\imath}=(P_{O_\imath},T_{O_\imath},Pre_{O_\imath},Post_{O_\imath})\) the control subnet of the output transition of the place \(p_\imath\) and as \(TCO_\imath=\{ t_{TCO_\imath}^1, ..., t_{TCO_\imath}^{q_\imath}\}\) the set of control transitions of \(p_\imath{^\bullet}\) (which we assume is not empty). Notice that \(TCO_i \subseteq T_{O_i}\). Note that if \(p_\imath{^\bullet}=p_\jmath{^\bullet}\) then \(N_{O_\imath}=N_{O_\jmath}\).

Consider again the net in Fig. 2a where the GMEC \({\boldsymbol m}(p_1) + {\boldsymbol m}(p_2) \leq 1\) has to be enforced. Figure 2d shows the control subnet of the output transition of place p1, named \(N_{O_1}\); Fig. 2e shows the control subnet of the output transition of place p2, named \(N_{O_2}\).

The concept of control subnet of the output transition of \(p_\imath\in Q_{w}\) is essential to characterize, in a MG, the reachability of a deadlock state when a GMEC has to be enforced. Consider the net system in Fig. 2a. While for the firing of transition to2 only the marking of p2 is required, for the firing of to1 two control paths have to be marked. The marking of place p2 is not directly required to enable to1, but it is required that p2 has been marked before. Such information is provided by the control subnet of to1. In Section 6 this control subnet will be used to obtain a control policy that enforces a GMEC and liveness on safe MG systems.

The following algorithm computes the control subnet of the output transition of place pi. To obtain the control subnet of the input transition of place pi it is only necessary to set \(t_i = {^\bullet}p_i\) at the beginning of the algorithm.
[Algorithm 1: given as a figure in the original, not reproduced here]

The algorithm first works on the incidence matrix of \(\hat{N_u}\), which is the subnet obtained from Nu by removing ti. Such a net is not strictly a MG, but each place has at most one input and one output transition. This implies that 1) two places connected along a directed path must belong to the support of a minimal P-semiflow having all components equal to one, and 2) a P-semiflow can include in its support all input places and no output place of ti, since ti has been removed.

The key idea of the algorithm is that, in order for a place to be connected to a transition t in a net structure, there must exist a P-semiflow including this place and some input place of t. The algorithm starts by computing a subnet of Nu in which every place lies on at least one P-semiflow. In this subnet there is a set of places, denoted Ps, which belong only to minimal P-semiflows including input places of t, and another one, denoted \(\bar{P'}_s\), of places on minimal P-semiflows not including such input places. The two sets are not disjoint. Places in Ps which do not belong to minimal P-semiflows including input places of t must be removed from Nu to obtain the control subnet. If a place in Ps belongs to a P-semiflow including input places of t, such a P-semiflow can be decomposed into a linear combination of minimal P-semiflows, and at least one of these minimal P-semiflows must include in its support places in \(\bar{P'}_s\). Then, places in \(P'_s \cap \bar{P'}_s\) cannot have a component equal to 1 in the P-semiflow. This fact is used in the algorithm to obtain the set of places of the control subnet of t.

Algorithm 1 only involves checking the feasibility of linear systems of equations, which has polynomial complexity. The number of checks can be at most Pu + Pu + |Ps ∖ Ps| with |Pu | ≤ |P|, |Pu | ≤ |Pu| and |Ps ∖ Ps| ≤ |Pu |, but in practice it is strictly less than 3 |Pu |.

Remark 1

The control subnet of an output transition toi may include directed paths from a controllable transition to toi which do not contain constrained places. For example, consider the net in Fig. 2a and the GMEC \({\boldsymbol m}(p_1) \leq 1\). The control subnet of to1 is the subnet in Fig. 2d, but the directed path from t4 to to1 does not contain constrained places. For the control problem presented in this paper, it does not matter whether these paths are marked or not. Thus, they can be removed, decreasing the complexity of the control subnet.

3.2 Control subnet and supervisory control

The dependency between the firing of an uncontrollable transition \(t_\imath\) and its control transitions can be computed without resorting to a reachability set computation, by only evaluating the number of tokens along the directed paths from the control transitions of \(t_\imath\) to \(t_\imath\), as shown in the next proposition.

Let \(\langle N, {\boldsymbol m} \rangle\) be a MG system and \(({\boldsymbol w},k)\) a GMEC. Let us denote as \(td({\boldsymbol m},t,t_\imath)\) the token distance between transition t and \(t_\imath\), i.e. the minimum token content among all possible paths from t to \(t_\imath\) under the marking \({\boldsymbol m}\); and as \(DB({\boldsymbol m},TCI_\imath,t_\imath)\) the deviation bound between \(t_\imath\) and \(TCI_\imath\), i.e., the maximum number of times \(t_\imath\) may fire without firing any transition in \(TCI_\imath\).

Proposition 2

(Giua et al. 1993) Let \(\langle N, {\boldsymbol m}_0 \rangle\) be a MG system and \(({\boldsymbol w},k)\) a GMEC. For each place \(p_\imath\in Q_w\), let \(t_\imath\) be its input transition, and \(TCI_\imath\) the set of control transitions for \(t_\imath\). We have that
  (a) given a marking \({\boldsymbol m} \in R(N,{\boldsymbol m}_0)\), \(DB({\boldsymbol m},TCI_\imath,t_\imath)= \min\{td({\boldsymbol m},t,t_\imath) \mid t \in TCI_\imath\}\);
  (b) the set of legal markings is \({\cal M}_c({\boldsymbol w},k)= \{{\boldsymbol m} \in {{\mathbb N}}^{|P|} \mid {\boldsymbol w} \cdot({\boldsymbol m} + {\boldsymbol D}_{{\boldsymbol m}}) \leq k\}\), where \({\boldsymbol D}_{{\boldsymbol m}}(p_\imath)=DB({\boldsymbol m},TCI_\imath,t_\imath)\) if \(p_\imath\in Q_{{\boldsymbol w}}\), and \({\boldsymbol D}_{{\boldsymbol m}}(p_\imath)= 0\) otherwise.

In Giua et al. (1993) the results of Proposition 2 were used to address the problem of enforcing a GMEC on MG systems. In this paper we want to extend this approach to the problem of enforcing a GMEC and closed-loop liveness on MG systems.
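Proposition 2 as a worked computation on a small constructed marked graph (this example is added here and is not code from the paper): td is a shortest path over places weighted by their marking, DB is the minimum of td over TCI, and a marking is legal iff w·(m + D_m) ≤ k; a brute-force enumeration of uncontrollable firings is included to confirm the bound. The net, its place and transition names, the GMEC and the definition of TCI used (controllable transitions from which t_i is reached through uncontrollable transitions only) are all assumptions made for the example.

```python
import heapq
from collections import deque

# Constructed marked graph (not a figure from the paper): a place is an edge
# pre -> post carrying m(p) tokens. Two single-token cycles closed by the
# controllable tc1, tc2; ti, tj are the input transitions of the constrained pi, pj.
PLACES = {  # place: (input transition, output transition)
    "a": ("tc1", "u1"), "b": ("u1", "ti"), "pi": ("ti", "v1"), "q1": ("v1", "tc1"),
    "c": ("tc2", "u2"), "d": ("u2", "tj"), "pj": ("tj", "v2"), "q2": ("v2", "tc2"),
}
CONTROLLABLE = {"tc1", "tc2"}
M0 = {"a": 0, "b": 0, "pi": 0, "q1": 1, "c": 0, "d": 0, "pj": 0, "q2": 1}
W, K = {"pi": 1, "pj": 1}, 1  # GMEC (w, k): m(pi) + m(pj) <= 1

def pre_places(t):
    return [p for p, (_, out) in PLACES.items() if out == t]

def post_places(t):
    return [p for p, (inp, _) in PLACES.items() if inp == t]

def enabled(m, t):
    return all(m[p] >= 1 for p in pre_places(t))

def fire(m, t):
    """Marking reached by firing t from m (raises if t is not enabled)."""
    if not enabled(m, t):
        raise ValueError(f"{t} is not enabled")
    m2 = dict(m)
    for p in pre_places(t):
        m2[p] -= 1
    for p in post_places(t):
        m2[p] += 1
    return m2

def token_distance(m, t, ti):
    """td(m, t, ti): minimum token content over the directed paths from t to ti.
    Weights m(p) are non-negative, so this is Dijkstra on the transition graph;
    returns None when no directed path exists."""
    dist, heap = {t: 0}, [(0, t)]
    while heap:
        d, x = heapq.heappop(heap)
        if d > dist[x]:
            continue
        if x == ti:
            return d
        for p in post_places(x):
            y, nd = PLACES[p][1], d + m[p]
            if nd < dist.get(y, float("inf")):
                dist[y] = nd
                heapq.heappush(heap, (nd, y))
    return None

def control_transitions(ti):
    """TCI of ti, assumed to be the controllable transitions from which ti is
    reached through uncontrollable transitions only (backward search that
    stops at the first controllable transition on each branch)."""
    tci, seen, todo = set(), {ti}, deque([ti])
    while todo:
        for p in pre_places(todo.popleft()):
            s = PLACES[p][0]
            if s in CONTROLLABLE:
                tci.add(s)
            elif s not in seen:
                seen.add(s)
                todo.append(s)
    return tci

def deviation_bound(m, ti):
    """DB(m, TCI, ti) = min over t in TCI of td(m, t, ti) (Proposition 2a)."""
    tci = control_transitions(ti)
    return min(token_distance(m, t, ti) for t in tci)

def weighted_bound(m, w):
    """w . (m + D_m) with D_m(p) = DB(m, TCI, input transition of p) on the
    constrained places; m is legal iff this is <= k (Proposition 2b)."""
    return sum(wp * (m[p] + deviation_bound(m, PLACES[p][0])) for p, wp in w.items())

def max_uncontrollable_weight(m, w):
    """Brute-force cross-check: largest w . m' over the markings reachable from
    m by firing uncontrollable transitions only (finite, the net is bounded)."""
    key = lambda mk: tuple(sorted(mk.items()))
    uncontrollable = {t for io in PLACES.values() for t in io} - CONTROLLABLE
    seen, todo, best = {key(m)}, deque([m]), 0
    while todo:
        x = todo.popleft()
        best = max(best, sum(wp * x[p] for p, wp in w.items()))
        for t in uncontrollable:
            if enabled(x, t):
                y = fire(x, t)
                if key(y) not in seen:
                    seen.add(key(y))
                    todo.append(y)
    return best

if __name__ == "__main__":
    m1 = fire(M0, "tc1")  # cycle 1's token moves onto the control path of pi
    m2 = fire(m1, "tc2")  # both control paths marked: illegal though pi, pj are empty
    for name, m in (("m0", M0), ("m1", m1), ("m2", m2)):
        b = weighted_bound(m, W)
        print(name, "w.(m+D) =", b, "legal" if b <= K else "ILLEGAL",
              "| max w.m' under uncontrollable firing =", max_uncontrollable_weight(m, W))
```

The marking m2 shows why the deviation bound matters: no constrained place is marked, yet the marking is illegal because both pi and pj can be marked by uncontrollable firings alone.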

4 On the liveness of monitor controlled MG systems

Two new sufficient conditions are given that ensure (under some restrictions) that if a MG controlled by a monitor is live, the state equation of the system has no spurious deadlocks. This means that, given a closed-loop system that verifies the restrictions, if its state equation has a deadlock solution, then the system cannot be live. In the last part of this section it is shown how the problem of checking the absence of these solutions for the considered class of systems can be reduced to checking if a system of equations admits a solution (Recalde et al. 1998).

4.1 Two new sufficient conditions for the absence of spurious solutions for a monitor controlled MG system

A first result is based on the idea that, when a monitor having ordinary (non-weighted) output arcs is marked, at least one of its output transitions can be fired. This property, together with the persistency of MG systems (i.e., once a transition has been enabled, it cannot be disabled by the firing of another transition), allows one to conclude that no spurious deadlock can exist.

Theorem 1

Let \(\langle N, {\boldsymbol m}_0 \rangle\) be a live MG system plus a monitor pm associated to a GMEC, and such that for every \(t \in p_m{^\bullet}\), Pre(pm,t) = 1. If \(\langle N, {\boldsymbol m}_0 \rangle\) is live, the state equation has no spurious deadlock solution.

Proof

Assume a spurious deadlock \({\boldsymbol m}_d= {\boldsymbol m}_0 + {\boldsymbol C} \cdot {\boldsymbol \sigma}_d\) exists. Let σ0 be a sequence such that \({\boldsymbol m}_0 [ \sigma_0 >\), \({\boldsymbol \sigma}_0 \leq {\boldsymbol \sigma}_d\), and \(\not \exists \sigma_0^\prime\) s.t. \({\boldsymbol m}_0 [ \sigma_0^\prime >\), \({\boldsymbol \sigma}_0^\prime \leq {\boldsymbol \sigma}_d\) but \({\boldsymbol \sigma}_0 < {\boldsymbol \sigma}_0^\prime\). Let \({\boldsymbol m}_1= {\boldsymbol m}_0 + {\boldsymbol C} \cdot {\boldsymbol \sigma}_0\). The system is live, hence there is at least one transition t enabled in \({\boldsymbol m}_1\). Since this transition is not enabled in \({\boldsymbol m}_d\), and MGs are persistent, Pre(pm,t) > 0 and \({\boldsymbol m}_1(p_m) > 0\). Live MGs do not have spurious solutions, hence from the MG point of view there is a fireable sequence that corresponds to \({\boldsymbol \sigma}_d-{\boldsymbol \sigma}_0\). Let t be the first transition of this sequence. Since \({\boldsymbol m}_1(p_m)>0\), this transition cannot violate the precondition associated to the monitor, i.e., t is fireable. Contradiction. □

A second result is derived by assuming that a place that belongs to the control subnet of an output transition of a constrained place cannot disable transitions of the control subnets of the output transitions of other constrained places. This result does not require that the monitor has ordinary arcs.

Theorem 2

Let \(\langle N, {\boldsymbol m}_0 \rangle\) be a live MG plus a monitor associated to a GMEC and such that
  1) for every pi ∈ Qw the only output transition of its control output subnet \(N_{O_\imath}\) is toi, i.e. \((T_{O_\imath}\setminus t_{oi}){^\bullet} \subset P_{O_\imath}\), and
  2) the output transition of a place \(p_\imath\in Q_w\) is not a control transition for a place \(p_\jmath \in Q_w\), i.e. if \(p_\imath, p_\jmath \in Q_w\) then \(t_{oi} \not \in TCI_\jmath\).
If \(\langle N, {\boldsymbol m}_0 \rangle\) is live, the state equation has no spurious deadlock solution.

Proof

Let pm be the monitor of the system and \({\boldsymbol w} \cdot {\boldsymbol m} \leq k\) the GMEC. Assume a spurious deadlock \({\boldsymbol m}_d = {\boldsymbol m}_0+ {\boldsymbol C} \cdot {\boldsymbol \sigma}_d\) exists. We will see that this marking can be effectively reached from \({\boldsymbol m}_0\), which contradicts the liveness of the system. This will be done in three steps:
  1) Reach a marking in which all the k tokens are in the monitor place, pm. To do this, for each control subnet \(N_{O_\imath}\) fire the shortest sequence that contains all possible firings of the output transitions toi, without firing controllable transitions, and denote such a sequence as σ0. Let \({\boldsymbol m}_1 = {\boldsymbol m}_0 + {\boldsymbol C} \cdot {\boldsymbol \sigma}_0\). By hypothesis, an output transition cannot belong to any \(TCI_\imath\), hence this sequence does not mark any other control subnet, i.e., \({\boldsymbol m}_1(p_m)=k\).

     Observe that this firing vector can be decomposed into two parts: the transitions in \({\boldsymbol \sigma}_{d}\) and the rest. That is, \({\boldsymbol \sigma}_0={\boldsymbol \sigma}_{d0}+{\boldsymbol \sigma}_{x0}\), with \({\boldsymbol \sigma}_{d0} \leq {\boldsymbol \sigma}_0\) and \({\boldsymbol \sigma}_{d0} \leq {\boldsymbol \sigma}_d\) and \(\not \exists {\boldsymbol \sigma}_{d0}^\prime\) s.t. \({\boldsymbol \sigma}_{d0}^\prime \leq {\boldsymbol \sigma}_0\) and \({\boldsymbol \sigma}_{d0}^\prime \leq {\boldsymbol \sigma}_d\) but \({\boldsymbol \sigma}_{d0} < {\boldsymbol \sigma}_{d0}^\prime\).

  2) Let \({\boldsymbol x} \geq {\boldsymbol \sigma}_{x0}\) be a T-semiflow. It is clear that \({\boldsymbol m}_{d}={\boldsymbol m}_0 + {\boldsymbol C} \cdot ({\boldsymbol \sigma}_{d}+ {\boldsymbol x})={\boldsymbol m}_1+ {\boldsymbol C} \cdot({\boldsymbol \sigma}_{d}+ {\boldsymbol x}-{\boldsymbol \sigma}_0)\).

     Consider the support of the firing count vector \({\boldsymbol \sigma}_{d} + {\boldsymbol x} - {\boldsymbol \sigma}_0\). Denote by S the set of indexes of the control subnets whose transitions are completely included in \(\parallel {\boldsymbol \sigma}_{d} + {\boldsymbol x} - {\boldsymbol \sigma}_0 \parallel\), i.e. if Oi ∈ S then \(T_{O_i} \subseteq \parallel {\boldsymbol \sigma}_{d} + {\boldsymbol x} - {\boldsymbol \sigma}_0 \parallel\). Divide \({\boldsymbol \sigma}_{d} + {\boldsymbol x} - {\boldsymbol \sigma}_0\) into two parts: (1) a part \({\boldsymbol \sigma}_{1}\) whose support includes the transitions not belonging to any control subnet and “complete” subsets of transitions of a control subnet \(N_{O_\imath}\), i.e. \(\parallel {\boldsymbol \sigma}_1 \parallel = (T \setminus \cup_i T_{O_i}) \cup (\cup_{O_i \in S} T_{O_i})\), such that all transitions in a certain control subnet have the same value in \({\boldsymbol \sigma}_{1}\); (2) another part \({\boldsymbol \sigma}_2=({\boldsymbol \sigma}_{d} + {\boldsymbol x} - {\boldsymbol \sigma}_0) - {\boldsymbol \sigma}_1\). Notice that \({\boldsymbol \sigma}_0\) may not include all transitions of a certain control subnet: this depends on the initial marking. However, with a proper choice of the T-semiflow \({\boldsymbol x}\), it is possible to ensure that all the transitions of a certain control subnet have in \({\boldsymbol \sigma}_{d} + {\boldsymbol x} - {\boldsymbol \sigma}_0\) a component greater than or equal to that of the respective output transition. Thus, all the output transitions of the control subnets belong only to the support of \({\boldsymbol \sigma}_1\).

     We will see that \({\boldsymbol \sigma}_1\) corresponds to a fireable sequence. Let \({\boldsymbol m}_2 = {\boldsymbol m}_1 + {\boldsymbol C} \cdot {\boldsymbol \sigma}_1\). First, we will see that \({\boldsymbol m}_2 \geq {\boldsymbol 0}\). For the monitor pm and the places in control subnets, p′, \({\boldsymbol \sigma}_1\) corresponds to a T-semiflow, hence \({\boldsymbol m}_2(p_m) = {\boldsymbol m}_1(p_m) \geq 0\) and \({\boldsymbol m}_2(p^\prime) = {\boldsymbol m}_1(p^\prime) \geq 0\). For the places not belonging to any control subnet, p′′, \({\boldsymbol m}_2(p'')={\boldsymbol m}_d(p'') - {\boldsymbol C}(p'',\cdot) \cdot {\boldsymbol \sigma}_2\), and since \({\boldsymbol \sigma}_2\) does not contain any output transition toi, \({\boldsymbol m}_2(p'')={\boldsymbol m}_d(p'')+ {\bf Pre}(p'',\cdot) \cdot {\boldsymbol \sigma}_2\geq 0\). Therefore, since live MGs do not have spurious solutions of the state equation, \({\boldsymbol \sigma}_{1}\) corresponds to a fireable sequence in the MG.

     Order the transitions of \({\boldsymbol \sigma}_{1}\) in such a way that: (1) the sequence is fireable in the MG and (2) all the transitions in a certain \(N_{O_\imath}\) are put together, i.e., no input transition of another subnet \(N_{O_\jmath}\) is fired until the output transition toi has been fired. It is clear that this corresponds to a fireable sequence.

  3) Finally, we must prove that \({\boldsymbol \sigma}_2\) is fireable. Since \({\boldsymbol m}_d={\boldsymbol m}_2 +{\boldsymbol C} \cdot {\boldsymbol \sigma}_2 \geq {\boldsymbol 0}\), the only problem may be due to the monitor. In \({\boldsymbol \sigma}_2\) there is no output transition of the control subnets, therefore \({\boldsymbol m}_{2}(p_m)={\boldsymbol m}_d(p_m)- {\boldsymbol C}(p_m,\cdot) \cdot {\boldsymbol \sigma}_2= {\boldsymbol m}_d(p_m)+ {\bf Pre}(p_m,\cdot) \cdot {\boldsymbol \sigma}_2\geq {\bf Pre}(p_m,\cdot) \cdot {\boldsymbol \sigma}_{2}\). □

In Fig. 3 an example of a net controlled by a monitor and not meeting the hypotheses of Theorems 1 and 2 is presented. In particular, the monitor place pm has output arcs with weight greater than 1 and \(N_{O_1}\) has two output transitions, (t1, to1). The monitor place pm enforces the GMEC \({\boldsymbol m}(p_1) +{\boldsymbol m}(p_2) +{\boldsymbol m}(p_3) + {\boldsymbol m}(p_4) + {\boldsymbol m}(p_5) + {\boldsymbol m}(p_6) \leq 2\). Although the closed-loop system is live, its state equation has a spurious deadlock solution: it can be seen that by firing t2 to2 t3 a spurious deadlock solution is obtained. Spurious deadlock solutions may also be found if more than one monitor is added.
Fig. 3

For the live net system in (a) the state equation exhibits a spurious deadlock solution: the monitor place pm has output arcs with weight greater than 1 and the control subnet of transition to1, denoted as \(N_{O_1}\) and shown in (b), has two output transitions (t1, to1)

4.2 How to prove liveness of a monitor controlled MG

In strongly connected MG systems deadlock-freeness implies liveness. This is still true when a controller is added to such systems, so in the following the study of liveness is reduced to that of deadlock-freeness. Deadlock-freeness can be checked by verifying that the system of equations formed by the state equation and a set of equations representing deadlock states has no solution (see Recalde et al. 1998 for further details). If the state equation has no spurious solutions, the fact that no solution of such a system exists guarantees the liveness of the system.

Since checking whether a system of linear equations admits a solution has polynomial complexity (Schrijver 2003), the results presented in this section can be used to check in polynomial time whether a monitor controlled MG is live.

5 On the liveness of bounded MG systems with a GMEC control specification

In this section the problem of checking the closed loop liveness of a live and bounded MG system in the presence of a control policy enforcing a GMEC is considered. No hypothesis is made on the control technique: the controller need not be a monitor. A sufficient condition based on the closed loop liveness of proper subnets computed from the constrained places is presented. In this way the problem is decomposed and may turn out to be simpler. This result is used in Section 6 but it has general validity.

The control subnets are assumed to be independent. This assumption is described in the following.

Assumption 1

The control subnets of output transitions of constrained places are independent. We say that two control subnets \(N_{O_\imath}\), \(N_{O_\jmath}\), \(\imath \neq \jmath\), defined w.r.t. a constraint \(({\boldsymbol w},k)\) are independent iff \(\forall {\boldsymbol y} \geq {\boldsymbol 0}\) such that \({\boldsymbol y}\) is a minimal P-semiflow, if \([ P_{O_\imath}^{\bullet} \cap T_{{\boldsymbol y}} \neq \emptyset \bigwedge P_{O_\jmath}^{\bullet} \cap T_{{\boldsymbol y}} \neq \emptyset ]\) then \( [ N_{O_\imath}\subset N_{O_\jmath} \bigvee N_{O_\jmath} \subset N_{O_\imath}]\), where \(T_{{\boldsymbol y}}=\{t \in T \mid t \in p^{\bullet}, \, p \in \parallel {\boldsymbol y} \parallel \}\). In words, two control subnets cannot have transitions that belong to the same P-invariant subnet, except when one is contained in the other.

Assumption 1 ensures that the marking of a place \(p \in P_{O_\imath}\) cannot prevent the enabling of any transition \(t \in T_{O_\jmath}, j \neq \imath\). Under this assumption a place in a subnet \(N_{O_\imath}\) and a place in a subnet \(N_{O_\jmath}\) cannot belong to the same minimal P-semiflow support, and thus their markings cannot be in a mutual exclusion relation. If \(p_\imath,p_\jmath \in \parallel {\boldsymbol y} \parallel\), where \({\boldsymbol y}\) is a minimal P-semiflow, since \({\boldsymbol y}^T {\boldsymbol m} = {\boldsymbol y}^T {\boldsymbol m}_0 , \, \forall {\boldsymbol m} \in R(N,{\boldsymbol m}_0)\), it follows that in a live and safe MG \({\boldsymbol m}(p_\imath)+{\boldsymbol m}(p_\jmath) \leq 1, \, \forall {\boldsymbol m} \in R(N,{\boldsymbol m}_0)\) holds. Consider the net system in Fig. 4a, and the GMEC \({\boldsymbol m}(p_1)+{\boldsymbol m}(p_2)+{\boldsymbol m}(p_3)+{\boldsymbol m}(p_4)+{\boldsymbol m}(p_5) \leq 3\). It is immediate to see that transitions t4 and t7 belong to the subnet induced by the P-semiflow \({\boldsymbol y}=[ 0 \ 1 \ 0 \ 1 \ 0 \ 1 \ 0 \ 0 \ 1 \ 0]\), and that any place p ∈ ∙t4 is in mutual exclusion with p4, since the net also admits the P-semiflows \({\boldsymbol y}'=[ 1 \ 0 \ 0 \ 1 \ 0 \ 1 \ 0 \ 1 \ 0 \ 0]\) and \({\boldsymbol y}''=[ 0 \ 0 \ 1 \ 1 \ 0 \ 1 \ 0 \ 0 \ 0 \ 1]\). This makes our control problem more difficult. If we enable the firing of t6, a deadlock occurs, since it is no longer possible to enable t4 while respecting the GMEC.
Fig. 4

(a) In this net system, with respect to the GMEC \({\boldsymbol m}(p_1)+{\boldsymbol m}(p_2)+{\boldsymbol m}(p_3)+{\boldsymbol m}(p_4)+{\boldsymbol m}(p_5) \leq 3\), Assumption 1 is not verified; (b) in this net system, with respect to the GMEC \({\boldsymbol m}(p_1)+{\boldsymbol m}(p_2)+{\boldsymbol m}(p_3) \leq 2\), Assumption 2 is not verified

The computational complexity of checking Assumption 1 is practically equal to the complexity of computing the P-semiflows of a control subnet (Martinez and Silva 1982), whose number is in the worst case equal to \(\binom{p}{\lfloor p/2 \rfloor}\), where p is the number of places of the control subnet and thus p < n.

Assumption 1 makes the presentation of the results in the rest of the paper clearer, but it is not essential. It can be removed by taking into account the additional GMECs induced by the P-semiflows having constrained places in their support.

Definition 2

Let N be a k-bounded MG on which a GMEC has to be imposed. The controlled subnet is defined as the union of all the control subnets \(N_{O_\imath}\) plus:
  a) an input place for each transition in \(TCO_\imath\);
  b) a new output place for each transition toi;
  c) an extra transition having an output arc to all the input places of each control subnet – the places added as in a) – and an input arc from all the output places of each control subnet – the places added as in b).

The input places are marked in such a way that there are k tokens in each cycle.

Theorem 3

Let\(\langle N,{\boldsymbol m}_0 \rangle\) be a live and bounded MG on which a GMEC has to be imposed. If the control is set in such a way that:
  • all the control subnets are independent;

  • the controlled subnet plus the control is live.

Then the complete system with the control is live.

Proof

For the considered net subclass only deadlock-freeness has to be proved. Assume a deadlock can be reached, i.e., there exists a fireable sequence σd, \({\boldsymbol m}_0 [ \sigma_d > {\boldsymbol m}_d\), and \({\boldsymbol m}_d\) is a deadlock.

Consider the projection of σd on the transitions of the controlled subnet. Clearly this is a fireable sequence, and, since this subnet is live under the control, a transition t is enabled in \({\boldsymbol m}_d\). This transition cannot be fired in the complete net. Hence, since all control subnets are independent, there exists a place p ∈ ∙t, not belonging to the controlled subnet, that is not marked in \({\boldsymbol m}_d\). Observe that t is in the “interface” of the control subnet, hence it is a controlled transition, and there exists a directed path from t to a constrained place. Let t′ = ∙p; since t′ cannot be fired either, and by Assumption 1 it cannot be controlled, there exists p′ ∈ ∙t′ which is unmarked. Repeating this reasoning, an unmarked cycle of N can be found. Contradiction, since \(\langle N,{\boldsymbol m}_0 \rangle\) is live. □

6 A controller to enforce GMEC and closed loop liveness on live and safe MG

The results presented in Section 4 allow a trial-and-error synthesis method for enforcing a GMEC and closed loop liveness. Now, a direct synthesis method is presented under some constraints; in particular, the MG must be safe. In a live and safe MG system a constrained place can be marked, firing only uncontrollable transitions, if and only if all its control paths are marked. Nevertheless, it is not necessary to record which of the controllable transitions that control such paths have been fired; it is sufficient to check how many of them have been fired. This implies that the reachability of a forbidden state can be characterized in terms of the number of control paths of the places constrained by the GMEC that are marked under a certain marking. Here we extend this property to the reachability of a deadlock state introduced on such systems by a GMEC.

In order to enable a transition all its input places have to be marked. In presence of a GMEC, the marking of some of these places may be constrained. A maximally permissive policy has to disable a controllable transition if and only if it will lead to a marking under which no transition can be fired if the GMEC is fulfilled. Our aim is to characterize the reachability of such states in terms of the number of marked control paths of constrained places having common output transitions. As it has been mentioned in Section 4, closed-loop liveness is obtained by proving that a live and safe MG under the proposed control policy is deadlock-free (showing that tokens can be always removed from all the constrained places).

The assumption of safeness reduces the complexity of checking if a place \(p_\imath\in Q_w\) may be marked firing only uncontrollable transitions, as it was shown in Giua et al. (1993). This is due to the fact that it is not necessary to record which transition fires, but just to check the number of firings of transitions in \(TCI_\imath\). From Proposition 2 it follows that
$$ \label{SMG1} \forall p_\imath \in Q_{{\boldsymbol w}}, \, \forall {\boldsymbol m} \in R(N,{\boldsymbol m}_0), \, {\boldsymbol m}(p_\imath) + {\boldsymbol D}_{{\boldsymbol m}}(p_\imath) \leq 1 $$
(3)
$$ \label{SMG2} \forall p_\imath \in Q_{{\boldsymbol w}}, \, \forall {\boldsymbol m} \in R(N,{\boldsymbol m}_0), \, {\boldsymbol m}(p_\imath) + {\boldsymbol D}_{{\boldsymbol m}}(p_\imath) = 1 \longleftrightarrow td({\boldsymbol m},t,t_\imath)=1, \forall t \in TCI_\imath $$
(4)
and thus a place \(p_\imath\in Q_{{\boldsymbol w}}\) can be marked firing only uncontrollable transitions iff all its control paths are marked.

Assumption 2

Let \(p_\imath\) and \(p_\jmath\) be a couple of constrained places such that \(TCI_\imath\cap TCI_\jmath\neq \emptyset\): 1) \(|TCI_\imath|=|TCI_\jmath|=1\); 2) \(p_\imath\) and \(p_\jmath\) cannot be marked simultaneously.

Lemma 1

If the plant net is a live and safe MG and Assumption 2 holds, there exists a control path including all the constrained places controlled by the same transition.

Proof

In a live and safe MG any place belongs to the support of a minimal P-semiflow (Murata 1989). If two places cannot be marked simultaneously, i.e. they are in a mutual exclusion relation, they belong to the same P-semiflow support and, then, they both belong to a directed circuit (Murata 1989) and are thus connected by a directed path. □

Assumption 2 allows us to consider on an equal footing the firing of any transition in \(TCI_\imath\) w.r.t. the GMEC. Moreover, if \(|TCI_\imath|=1\) we know that, by firing the unique control transition of both constrained places, the related control path will be marked. Consider the net system in Fig. 4b, and the GMEC \({\boldsymbol m}(p_1)+{\boldsymbol m}(p_2)+{\boldsymbol m}(p_3) \leq 2\). By definition TCI1 = {t1}, TCI2 = {t1, t2}, TCI3 = {t3}, and thus t1 is a control transition for the input transitions of two constrained places. As a consequence, the firing of t1 and t2 cannot be considered on an equal footing, because the firing of t1 will mark a constrained place anyway, but this is not true for t2. In order to know whether a constrained place can be marked by firing a transition in TCI2 it is not enough to know that one of the two control paths will be marked; it is also necessary to know which one.

Consider the net in Fig. 5. By Assumption 2, places p5 and p6 cannot be both constrained since TCI5 = TCI6 = { t6 } and if t6 fires, they would be simultaneously marked.
Fig. 5

A net system. If \({\boldsymbol m}(p_1) + 2 {\boldsymbol m}(p_2) + 2 {\boldsymbol m}(p_3)+ 2 {\boldsymbol m}(p_6) + {\boldsymbol m}(p_7) + {\boldsymbol m}(p_{13}) + {\boldsymbol m}(p_{14}) + 2 {\boldsymbol m}(p_{15}) \leq 4\) has to be enforced, the control subnets of the output transitions to1 and to2 of the constrained places are independent and none of them is included in the other

Assumption 2 is a technical assumption that makes it possible to know the maximum value that a GMEC can assume by firing uncontrollable transitions, simply by evaluating some counter variables that are introduced afterwards. From a practical point of view, this is not a strong limitation, since it is not usual to control several constrained places that can be simultaneously marked with the same control input. This assumption is not needed if all controllable transitions control only one constrained place.

The computational complexity of checking Assumption 2 is in practice equivalent to that of obtaining the control subnets of the constrained places, since it consists in checking whether the intersections of the sets TCIi are empty or not.

6.1 Definitions of counter variables \(C_{I_i}\), \(C_{O_i}\), of vectors \({\boldsymbol w}_i^-\) and \({\boldsymbol w}_i^+\) and of function \({\boldsymbol f}\)

In the following the counter variables \(C_{I_i}\), \(C_{O_i}\), the vectors \({\boldsymbol w}_i^-\) and \({\boldsymbol w}_i^+\) and the function \({\boldsymbol f}\) associated to a control subnet are introduced. They are useful for the presentation of the control policy in the next subsection.

In order to enable a controllable transition only if the GMEC is not violated, it must be checked whether its firing makes it possible for a constrained place \(p_\imath\in Q_{w}\) to be marked by firing only uncontrollable transitions. In other words, it must be checked whether the input transition of \(p_\imath\), named \(t_\imath\), can be fired. We say that a transition \(t_{{TCI}_\imath}^r\) is constrained under a given marking \({\boldsymbol m}\) if none of the paths from \(t_{{TCI}_\imath}^r\) to \(t_\imath\) along single token circuits is marked; otherwise it is unconstrained. Note that if a transition \(t_{{TCI}_\imath}^r\) fires, all the paths from \(t_{{TCI}_\imath}^r\) to \(t_\imath\) become marked.

Definition 3

\(C_{I_\imath}({\boldsymbol m})\) is equal to the number of transitions belonging to \(TCI_\imath\) that are unconstrained under the marking \({\boldsymbol m}\), and so:
  • the firing of a transition \(t_{{TCI}_\imath}^r\) increments the value of \(C_{I_\imath}\) by one unit; notice that \(t_{{TCI}_\imath}^r\) cannot fire twice without firing \(t_\imath\);
  • the firing of the output transition toi decrements the value of \(C_{I_\imath}\) by \(m_\imath\) units, where \(m_\imath=|TCI_\imath|\);
  • the firing of a transition \(t_{{TCI}_\jmath}^r\), \(j \neq \imath\), does not change the value of \(C_{I_\imath}\);
  • the initial value \(C_{I_\imath}({\boldsymbol m}_0)\) is equal to the number of unconstrained transitions in the set \(TCI_\imath\) under the initial marking.

In other words, \(C_{I_\imath}({\boldsymbol m})\) represents the number of control paths of \(p_\imath\) that are marked under the marking \({\boldsymbol m}\).

From Eq. 4 we have that a place \(p_\imath\in Q_w\) can be marked by firing only uncontrollable transitions iff \(C_{I_\imath}({\boldsymbol m})=m_\imath\). Notice that, if \(|TCI_\imath|=1\), \(C_{I_\imath}\) is not useful, since the firing of the unique controllable transition means that \(p_\imath\) can be marked by firing only uncontrollable transitions.

Consider the net in Fig. 5 – apart from dotted arcs and places – and the GMEC \({\boldsymbol m}(p_1) + 2 {\boldsymbol m}(p_2) + 2 {\boldsymbol m}(p_3) + 2 {\boldsymbol m}(p_6) + {\boldsymbol m}(p_7) + {\boldsymbol m}(p_{13}) + {\boldsymbol m}(p_{14}) + 2 {\boldsymbol m}(p_{15}) \leq 4\). As for the control subnets of the input transitions of the places p ∈ Qw, we have that TCI1 = TCI3 = TCI6 = { t6 }, TCI2 = TCI7 = { t7 }, TCI13 = { t12 }, TCI14 = { t13, t14 }, TCI15 = { t11 }. Under the marking in the figure \(C_{I_{14}}=1\), since t13 is unconstrained and t14 is constrained. Thus, since \(C_{I_{14}} < m_{14}=2\), p14 cannot be marked by firing only uncontrollable transitions.

To evaluate the weighted sum of places in the GMEC that can be marked firing uncontrollable transitions in a control subnet \(N_{O_\imath}\) we define the vector \({\boldsymbol w}_\imath^-(p)\).

Definition 4

To define the vector \({\boldsymbol w}_\imath^-\in {{\mathbb N}}^{|P|}\) two different cases must be considered.
  1) If a place p belongs to a directed path from a transition \(t \in TCO_{_\imath}\) to toi and more than one constrained place is controlled by t, choose a control path named \(\bar{\pi}\) to which every constrained place controlled by t belongs (Assumption 2 ensures the existence of such a path).

     If \(p \in \bar{\pi}\), let \(\bar{\pi}'\) be the directed sub-path of \(\bar{\pi}\) from p to toi, and \({\boldsymbol w}_\imath(p)^-=\max_{p_\jmath \in \bar{\pi}'}{\boldsymbol w}(p_\jmath)\). If \(p \not \in \bar{\pi}\), \({\boldsymbol w}_\imath(p)^-=0\).

     Note that the choice of the control path \(\bar{\pi}\) is arbitrary, but the same control path has to be used for all places p which belong to a directed path from a transition \(t \in TCO_{_\imath}\) to toi.

  2) If a place p belongs to a directed path from a transition \(t \in TCO_{_\imath}\) to toi and only the constrained place \(p_\jmath\) is controlled by t:
     • if p belongs to one of the directed paths from t to \(p_\jmath\), then \({\boldsymbol w}_\imath(p)^-=\frac{l}{l_\jmath} {\boldsymbol w}(p_\jmath)\), where
       • l is the number of directed paths from transitions in the set \(TCO_\imath\) to toi to which p belongs,
       • \(l_\jmath\) is the total number of paths from any transition in the set \(TCO_{_\imath}\) to \(p_\jmath\);
     • otherwise, \({\boldsymbol w}_\imath(p)^-=0\).

  3) If a place p does not belong to a directed path from a transition \(t \in TCO_{_\imath}\) to toi, \({\boldsymbol w}_\imath(p)^-=0\).

Consider again the net in Fig. 5 – apart from dotted arcs and places – and the GMEC \({\boldsymbol m}(p_1) + 2 {\boldsymbol m}(p_2) + 2 {\boldsymbol m}(p_3) + 2 {\boldsymbol m}(p_6) + {\boldsymbol m}(p_7) + {\boldsymbol m}(p_{13}) + {\boldsymbol m}(p_{14}) + 2 {\boldsymbol m}(p_{15}) \leq 4\). As for the control subnets of the output transitions of the places p ∈ Qw, we obtain TCO3 = TCO6 = { t6 }, TCO1 = TCO2 = { t6, t7 }, TCO7 = { t7 }, TCO13 = TCO14 = { t11, t12, t13, t14 }, TCO15 = { t11 }.

Let TCOo1 = TCO1 = TCO2 and TCOo2 = TCO13 = TCO14. For example, we have \({\boldsymbol w}_{o2}^-(p_{17})=1/2\), since p17 belongs to l = 1 path from t13 or t14 to to2, p14 is the only constrained place controlled by t13 or t14, and there are l14 = 2 paths from t13 or t14 to p14. The term \(\frac{l}{l_{14}}\) takes into account that a token in place p17 means that only l of the l14 control paths of p14 are marked.

Since the transition t6 ∈ TCOo1 controls more than one constrained place, a control path including all such constrained places, named \(\bar{\pi}_6\), has to be defined. Let it be \(\bar{\pi}_6=t_6 p_8 t_4 p_6 t_3 p_3 t_1 p_1 t_{o1} \). Thus, as for example, \({\boldsymbol w}_\imath(p_8)^-=max_{p_\jmath \in \bar{\pi}'_6}{\boldsymbol w}(p_\jmath)=2\) where \(\bar{\pi}'_6=p_8 t_4 p_6 t_3 p_3 t_1 p_1 t_{o1}\) and \({\boldsymbol w}_\imath(p_9)^-=0\) since p9 does not belong to \(\bar{\pi}_6\).

It results in
$$ \begin{array}{rcl} {\boldsymbol w}_{o1}^- &=& [\,1 \ 2 \ 2 \ 0 \ 0 \ 2 \ 2 \ 2 \ 0 \ 2 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0\,], \\ {\boldsymbol w}_{o2}^- &=& [\,0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 1 \ 1 \ 2 \ 1 \ 1/2 \ 1/2 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0\,], \\ {\boldsymbol w}_{15}^- &=& [\,0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 2 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0\,]. \end{array} $$

Note that if all the places in a control subnet belong to a directed path from a transition \(t \in T_{O_\imath}\) to toi which controls more than one constrained place, by Assumption 2 there must exist an index j such that \(t \in TCI_\jmath\) and \(|TCI_\jmath|=1\). In this case, since all control paths are marked when t fires, \(\sum_{p \in P_{O_\imath}} {\boldsymbol w}_\imath(p)^- {\boldsymbol m}(p)\) is the maximum value that can be reached by the weighted sum of the constrained places that can be marked in the control subnet \(N_{O_\imath}\) by firing only uncontrollable transitions. This is not true when a place belongs to a directed path from a transition \(t \in T_{O_\imath}\) to toi which controls only one constrained place, since in this case \({\boldsymbol w}^-(p)\) may be rational and not all the control paths of a constrained place in the subnet \( N_{O_\imath}\) can be marked at a time. This motivates the introduction of a binary function \({\boldsymbol f}\) which is true when all the control paths of a constrained place in the subnet \( N_{O_\imath}\) are marked.

Definition 5

Let us define a binary function \({\boldsymbol f}: (P,{\boldsymbol m}) \rightarrow \{ 0,1 \}\) as follows:

\({\boldsymbol f}(p,{\boldsymbol m})=1\) if there exists an index k such that \(p \in P_{I_k}\) and \(C_{I_k}({\boldsymbol m})=m_k\) (note that, by definition, \( \forall t \in TCO_{\imath}, \, \exists k \mbox{ s.t. } t \in TCI_k\)); otherwise \({\boldsymbol f}(p,{\boldsymbol m})=0\).

In words, \({\boldsymbol f}(p,{\boldsymbol m})=1\) iff all control paths of the constrained places to which p is connected are marked.

Lemma 2

Let \(R_u(N,{\boldsymbol m})\) be the set of markings reachable from \({\boldsymbol m}\) by firing only uncontrollable transitions; then \(\max_ { {\boldsymbol m}' \in R_u(N,{\boldsymbol m})} \sum_{p \in P_{O_\imath}} {\boldsymbol w}(p) {\boldsymbol m}'(p)=\sum_{p \in P_{O_\imath}} {\boldsymbol w}_\imath(p)^- {\boldsymbol m}(p) {\boldsymbol f}(p,{\boldsymbol m})\). Furthermore, \(\sum_{p \in P_{O_\imath}} {\boldsymbol w}_\imath(p)^- {\boldsymbol m}(p) {\boldsymbol f}(p,{\boldsymbol m})\) is always a non-negative integer.

Proof

The proof follows from the fact that in a live and safe MG system a constrained place can be marked, firing only uncontrollable transitions, iff all its control paths are marked.□

For the net in Fig. 5, we have that \(P_{O_{o2}}=\{ p_{11}, \dots, p_{18} \}\), and under the marking in the figure \({\boldsymbol f}(p,{\boldsymbol m})=0, \forall p\). Note that \(\sum_{p \in P_{O_{o2}}} {\boldsymbol w}_{o2}(p)^- {\boldsymbol m}(p) {\boldsymbol f}(p,{\boldsymbol m})=0\), consistently with the fact that there is no constrained place in the subnet \(N_{O_{o2}}\) that can be uncontrollably marked, whereas \(\sum_{p \in P_{O_{o2}}} {\boldsymbol w}_{o2}(p)^- {\boldsymbol m}(p) =1/2\).

Consider the net system in Fig. 6a and the GMEC \({\boldsymbol m}(p_4) + {\boldsymbol m}(p_6) + {\boldsymbol m}(p_{11}) \leq 1\). Even if \(t_{o11}\) has only one constrained input place, \(p_{11}\), its control subnet also contains the places \(p_7\), \(p_9\), \(p_{10}\) and \(p_{12}\), whose marking is a pre-condition for enabling \(t_{o11}\). Even if these places are not constrained places, their marking requires that the constrained places \(p_4\) and \(p_6\) have been marked. To take this into account, we introduce the vector \({\boldsymbol w}_\imath(p)^+\), defined as follows.
Fig. 6

(a) A live MG net system; (b) the GMEC \({\boldsymbol m}(p_4) + {\boldsymbol m}(p_6) + {\boldsymbol m}(p_{11}) \leq 1\) is enforced on the system in (a) by the monitor place \(p_m\), but this leads to a dead closed-loop system; (c) the GMEC and closed-loop liveness are enforced on the system in (a) via a more evolved net controller; (d) a simplification of the system in (c)

Definition 6

To define the pre-condition weight vector \({\boldsymbol w}_\imath^+\in {{\mathbb N}}^{|P|}\) three different cases must be considered.
  1. If a place p belongs to a directed path from a transition \(t \in TCO_{\imath}\) to \(t_{oi}\) and more than one constrained place is controlled by t, choose a control path, named \(\bar{\pi}\), to which every constrained place controlled by t belongs (Assumption 2 ensures the existence of such a path). If \(p \in \bar{\pi}\), let
    • \(\bar{\pi}'\) be the directed sub-path of \(\bar{\pi}\) from t to p,
    • \(\Pi(p,t_{oi})\) be the set of all directed paths from p to \(t_{oi}\),
    then \({\boldsymbol w}_\imath(p)^+=\max \left (\max_{p_\jmath \in \bar{\pi}'}{\boldsymbol w}(p_\jmath)- \max_{ \pi \in \Pi(p,t_{oi} )} \max_{p_\jmath \in \pi} {\boldsymbol w}(p_\jmath) , \; 0 \right)\).
    If \(p \not \in \bar{\pi}\), then \({\boldsymbol w}_\imath(p)^+=0\).
    Note that the choice of the control path \(\bar{\pi}\) is arbitrary, but the same control path has to be used for all places p which belong to a directed path from a transition \(t \in TCO_\imath\) to \(t_{oi}\).
  2. If a place p belongs to a directed path from a transition \(t \in TCO_\imath\) to \(t_{oi}\) and \(p_\jmath\) is the only constrained place controlled by t:
    • if along any control path controlled by t the place p is not preceded by \(p_\jmath\), then \({\boldsymbol w}_\imath^+(p)=0\);
    • if along such paths p is preceded by \(p_\jmath\), then \({\boldsymbol w}_\imath^+(p)=\frac{r_\jmath}{r}{\boldsymbol w}(p_\jmath)\), where
      • \(r_\jmath\) is the number of directed paths in \(N_{O_\imath}\) from \(p_\jmath\) to p,
      • r is the number of directed paths in \(N_{O_\imath}\) from \(p_\jmath \) to \(t_{oi}\).
  3. If a place p does not belong to a directed path from a transition \(t \in TCO_{\imath}\) to \(t_{oi}\), \({\boldsymbol w}_\imath^+(p)=0\).

For the net in Fig. 6a and the GMEC \({\boldsymbol m}(p_4) + {\boldsymbol m}(p_6) + {\boldsymbol m}(p_{11}) \leq 1\) we have: \({\boldsymbol w}_{o11}^+(p_7)=1\), since \(p_7\) is preceded by \(p_4 \in Q_{{\boldsymbol w}}\) only along the control path \(t_1 p_4 t_4 p_7 t_7 p_{10} t_{o11}\), and there is only one directed path from \(p_4\) to \(p_7\) and only one directed path from \(p_4\) to \(t_{o11}\); \({\boldsymbol w}_{o11}^+(p_8)=0\), since \(p_8\) is not preceded by a place \(p \in Q_{{\boldsymbol w}}\) along any control path.

For the net in Fig. 5 – apart from dotted arcs and places – and the GMEC \({\boldsymbol m}(p_1) + 2 {\boldsymbol m}(p_2) + 2 {\boldsymbol m}(p_3)+ 2 {\boldsymbol m}(p_6) + {\boldsymbol m}(p_7) + {\boldsymbol m}(p_{13}) + {\boldsymbol m}(p_{14}) + 2 {\boldsymbol m}(p_{15}) \leq 4\) we have: \({\boldsymbol w}_{o1}^+(p_1)=1\), since \(p_1\) belongs to the control path \(\bar{\pi}_6= t_6 p_8 t_4 p_6 t_3 p_3 t_1 p_1 t_{o1} \), to which three constrained places belong, and \(\max_{p_\jmath \in \bar{\pi}'_6}{\boldsymbol w}(p_\jmath)=2\), where \(\bar{\pi}_6'=t_6 p_8 t_4 p_6 t_3 p_3 t_1 p_1 \) is the directed sub-path of \(\bar{\pi}_6\) from \(t_6\) to \(p_1\), and \(\max_{ \pi \in \Pi(p_{1},t_{o1} )} \max_{p_\jmath \in \pi} {\boldsymbol w}(p_\jmath)=1\) since \(\Pi(p_1,t_{o1}) = \{ p_1 t_{o1} \}\); \({\boldsymbol w}_{o2}^+(p_{11})=1\), since \(p_{11}\) is preceded by \(p_{15} \in Q_{{\boldsymbol w}}\) along the path \(t_{11} p_{15} t_8 p_{11} t_{o2}\), \(p_{15}\) is the only constrained place controlled by \(t_{11}\), there is \(r_{15} = 1\) directed path in \(N_{O_{o2}}\) from \(p_{15}\) to \(p_{11}\) and there are \(r = 2\) directed paths in \(N_{O_{o2}}\) from \(p_{15}\) to \(t_{o2}\).

$$ \begin{array}{rll} \text{It results}\,\; \small {\boldsymbol w}_{o1}^+&=&\left[\,1 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad \right.\\ &&\left.{\kern4pt} 0\quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \right], \\ \small {\boldsymbol w}_{o2}^+&=&\left[{\kern2pt} 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 1 \quad 1 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad\right.\\&&{\kern2.3pt} \left. 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \right], \\ \small {\boldsymbol w}_{15}^+&=& \bf0. \end{array} $$
The terms \(n_\imath\) and \(n_\imath^\prime\) are now introduced:
  • \(n_\imath= \sum_{p \in {TCO_\imath}^{\bullet}} {\boldsymbol w}_\imath(p)^-\), that is, the maximum value that the weighted sum of the places in the GMEC can assume by firing all transitions in the set \(TCO_\imath\). Thus, \(n_\imath- \sum_{p \in P_{O_\imath}} {\boldsymbol w}_\imath^+(p) {\boldsymbol m}(p)\) represents the maximum value that the weighted sum of the constrained places in \(N_{O_\imath}\) that are not yet marked can assume. It is immediate to see that
    $$ n_\imath\geq \sum\limits_{p \in P_{O_\imath}} {\boldsymbol w}_\imath^+(p) {\boldsymbol m}(p) \qquad (5) $$
  • \(n_\imath^\prime=\sum_p {\boldsymbol w}(p), \, p \in {^\bullet}t_{oi} \cap Q_w\), that is, the weighted sum of the places in the GMEC that have to be marked for the firing of \(t_{oi}\), because they belong to the set \(^{\bullet}t_{oi}\) (note that \(n_\imath\geq n_\imath^\prime\)). For the net in Fig. 6a, it is immediate to verify that \(n_{o11}=3\) but \(n^\prime_{o11}=1\), since \(t_{o11}\) has only one constrained input place.

Definition 7

Given a control subnet \(N_{O_\jmath}\), if there is no control subnet \(N_{O_{j'}}\) such that \(TCO_\jmath \subset TCO_{j'}\), we call \(N_{O_\jmath}\) maximal.

Let us denote by M the set of indexes of the maximal control subnets. For the net of Fig. 6c, \(N_{O_{o11}}\) is the unique maximal control subnet, since \(TCO_4 \subset TCO_{o11}\) and \(TCO_6 \subset TCO_{o11}\); thus \(M = \{ o11 \}\).

In order to ensure the deadlock-freeness of the closed-loop net, when a controllable transition is enabled, if it belongs to the control subnet of the output transition of a constrained place, it must be guaranteed that all the input places of that output transition can be simultaneously marked without violating the GMEC; otherwise the transition would be dead. To this end, we introduce the set of counter variables \(C_{O_\imath}({\boldsymbol m})\). Given a GMEC \(({\boldsymbol w},k)\), \(C_{O_\imath}({\boldsymbol m})\) represents, under the current marking, the complement to k of the maximum value that the weighted sum of the constrained places can assume by firing only uncontrollable transitions belonging to a maximal control subnet \(N_{O_\jmath}\), excluding the places that also belong to \(N_{O_\imath}\), plus the complement to \(n_\imath\) of the maximum value that the weighted sum of the constrained places belonging to the control subnet of \(t_{oi}\) and still to be marked to enable \(t_{oi}\) can assume. Its value is therefore obtained as k minus the weighted sum of the markings of the places \(p \not \in P_{O_\imath}\) with \(p \in P_{O_\jmath}\), \(N_{O_\jmath}\) maximal, with weights given by the elements of the vector \({\boldsymbol w}_\jmath^- {\boldsymbol f}\), plus the weighted sum of the markings of the places \(p \in P_{O_\imath}\) with weights given by the elements of the vector \({\boldsymbol w}_\imath^+\).

Definition 8

\({\kern3pt} C_{O_\imath}({\boldsymbol m})\,=\,k -\, \sum_{j \in M}\, \sum_{p \in P_{O_\jmath} \,\bigwedge \,p \,\not \in \,P_{O_\imath}} \,{\boldsymbol w}_\jmath(p)^- {\boldsymbol m}(p) {\boldsymbol f}(p,{\boldsymbol m}){\kern1pt} + \sum_{p \in P_{O_\imath}}\)\( {\boldsymbol w}_\imath(p)^+ {\boldsymbol m}(p)\). So we have that:
  • the firing of a transition \(t_{{TCO}_\jmath}^r, \, j \neq \imath\), decrements the value of \(C_{O_\imath}({\boldsymbol m})\) by \(\sum_{p \in {TCI_k}^{\bullet}} {\boldsymbol w}_\imath(p)^-\) units if \(C_{I_k}({\boldsymbol m})=m_k-1\) (by definition, \( \exists k \mbox{ s.t. } t_{{TCO}_\jmath}^r \in TCI_k\)), unless \(t_{{TCO}_\jmath}^r \in TCO_\imath\); in this way the value of \(C_{O_\imath}({\boldsymbol m})\) is updated when \({\boldsymbol f}(p,{\boldsymbol m}')=1\) for all \(p \in {TCI_k}^{\bullet}\), with \({\boldsymbol m}[ t_{{TCO}_\jmath}^r > {\boldsymbol m}'\).

  • the firing of a transition \(t_{{TCO}_\imath}^r\) does not change the value of \(C_{O_\imath}({\boldsymbol m})\);

  • the firing of output transitions \(t_{oj}, \jmath \neq \imath\) will increment the value of \(C_{O_\imath}({\boldsymbol m})\) by \(n'_\jmath - \sum_{p \in t_{oj}^{\bullet}} {\boldsymbol w}_{\bar{\jmath}}(p)^-\) units where \(\bar{\jmath} \in M\) is the maximal subnet index such that \(TCO_{\jmath} \subseteq TCO_{\bar{\jmath}}\) if \(n'_\jmath >\sum_{p \in t_{oj}^{\bullet}} {\boldsymbol w}_{\bar{\jmath}}(p)^-\), otherwise it does not change the value of \(C_{O_\imath}\);

  • the firing of the output transition \(t_{oi}\) decrements the value of \(C_{O_\imath}({\boldsymbol m})\) by \(n_\imath-n_\imath^\prime\) units;

  • the initial value of \(C_{O_\imath}({\boldsymbol m})\) is \(C_{O_\imath}({\boldsymbol m}_0)=k - \sum_{j \in M} \sum_{p \in P_{O_\jmath} \bigwedge p \not \in P_{O_\imath}} {\boldsymbol w}_\jmath(p)^- {\boldsymbol m}_0(p) {\boldsymbol f}(p,{\boldsymbol m}_0)+ \sum_{p \in P_{O_\imath}} {\boldsymbol w}_\imath(p)^+ {\boldsymbol m}_0(p)\).

Notice that the counter variables are natural valued, so they cannot assume negative values.

For the net of Fig. 6c, by definition,

$$ \begin{array}{rll} {\boldsymbol w}_{o11}^-&=&\left[{0 \quad 0 \quad 0 \quad 1 \quad 1 \quad 1 \quad 0 \quad 1 \quad 0 \quad 0 \quad 1 \quad0} \right],\\ {\bf w}_4^+&=&{\bf0}, {\bf w}_{6}^+={\bf0}, {\bf w}_{11}^+=\left[0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 1 \quad 0 \quad 1 \quad 1 \quad 0 \quad 1 \right],\, \text{then} \end{array} $$
$$ \begin{array}{rll} C_{O_{4}}({\boldsymbol m})&=& 1 - \underbrace{{\boldsymbol m}(p_5) {\boldsymbol f}(p_5,{\boldsymbol m}) - {\boldsymbol m}(p_6) {\boldsymbol f}(p_6,{\boldsymbol m}) - {\boldsymbol m}(p_8) {\boldsymbol f}(p_8,{\boldsymbol m}) - {\boldsymbol m}(p_{11}) {\boldsymbol f}(p_{11},{\boldsymbol m})}_{\displaystyle\sum_{p \in P_{O_{o11}} \bigwedge p \not \in P_{O_4}} {\boldsymbol w}_{o11}(p)^- {\boldsymbol m}(p) {\boldsymbol f}(p,{\boldsymbol m}) } \\&&+ \underbrace{0}_{\displaystyle\sum_{p \in P_{O_4}} {\boldsymbol w}_4(p)^+ {\boldsymbol m}(p) } ,\\ C_{O_{6}}({\boldsymbol m})&=& 1 - \underbrace{{\boldsymbol m}(p_4) {\boldsymbol f}(p_4,{\boldsymbol m}) - {\boldsymbol m}(p_5) {\boldsymbol f}(p_5,{\boldsymbol m}) - {\boldsymbol m}(p_8) {\boldsymbol f}(p_8,{\boldsymbol m}) - {\boldsymbol m}(p_{11}) {\boldsymbol f}(p_{11},{\boldsymbol m})}_{\displaystyle\sum_{p \in P_{O_{o11}} \bigwedge p \not \in P_{O_6}} {\boldsymbol w}_{o11}(p)^- {\boldsymbol m}(p) {\boldsymbol f}(p,{\boldsymbol m}) } \\&&+ \underbrace{0}_{\displaystyle\sum_{p \in P_{O_6}} {\boldsymbol w}_6(p)^+ {\boldsymbol m}(p) }, \end{array} $$
$$ \begin{array}{rll} C_{O_{o11}}({\boldsymbol m})&=& 1 - \underbrace{0}_{\displaystyle\sum_{p \not \in P_{O_{o11}}} {\boldsymbol w}_{o11}(p)^- {\boldsymbol m}(p) {\boldsymbol f}(p,{\boldsymbol m})} + \underbrace{{\boldsymbol m}(p_7) + {\boldsymbol m}(p_9) + {\boldsymbol m}(p_{10}) + {\boldsymbol m}(p_{12}) }_{\displaystyle\sum_{p \in P_{O_{o11}}} {\boldsymbol w}_{11}(p)^+ {\boldsymbol m}(p) }. \end{array} $$

In Fig. 6c, \(C_{O_{o11}}({\boldsymbol m})\) is equal to the marking of the place \(p_{c2}\), and under the marking in the figure it results that \({\boldsymbol f}(p,{\boldsymbol m})=0 \; \forall p\).

Definition 9

We say that a control subnet \(N_{O_k}\) is included in a control subnet \(N_{O_\imath}\) that is maximal according to Definition 7, and we write \(N_{O_k} \prec N_{O_\imath}\), if there is a place \(p \in {^\bullet}t_{oi}\) such that \(p \not \in Q_{{\boldsymbol w}}\) and there is a directed path from any transition \(t \in TCO_k\) to p.

Consider the net in Fig. 6 and the GMEC \({\boldsymbol m}(p_4)+{\boldsymbol m}(p_6)+{\boldsymbol m}(p_{11}) \leq 1\). The control subnet \(N_{O_4}\) is included in \(N_{O_{o11}}\), since \(p_{10} \in {^\bullet}t_{o11}\), \(p_{10} \not \in Q_{{\boldsymbol w}}\) and there is a directed path from any transition \(t \in TCO_4\) to \(p_{10}\).

6.2 The control policy

In the following, the control policy to enforce a GMEC while preserving liveness on a live and safe MG is presented. The control policy ensures that any transition \(t_{oi}\) can fire, so the closed-loop system is deadlock-free in a maximally permissive way. For clarity of presentation, the results are given in two propositions. The first proposition, which requires only Assumption 2, considers the case of a single maximal control subnet; the second, which requires both Assumption 1 and Assumption 2, considers the case of two independent maximal control subnets. Thus, by Theorem 3, the closed-loop system is also live in both cases.

When a set of GMECs is given as control specification, the control policy is modular. Indeed, for the considered net subclass deadlock-freeness implies liveness, and the control law designed for each GMEC separately ensures both that the single GMEC is not violated and that the unique output transition of each constrained place can fire; it is therefore immediate to conclude that a controllable transition must be enabled iff it is enabled by the control laws of all the GMECs.

Proposition 3

Let us consider a live and safe MG and a GMEC \(({\boldsymbol w},k)\) such that Assumption 2 is verified. Suppose that there is only one maximal control subnet, named \(N_{O_1}\), i.e. any other control subnet \(N_{O_k}\) verifies \(TCO_k \subset TCO_1, \, k \neq 1\). Firing a transition \(t_{TCO_1}^j \in TCI_\imath\), it is possible, after a fireable sequence, to enable \(t_{o1}\) without violating the GMEC iff

$$ {\rm[C1]}\, C_{I_1}({\boldsymbol m}) < m_\imath- 1 (\text{\rm note that by definition}, \forall t \in TCO_1, \, \exists \imath\mbox{ s.t. } t \in TCI_\imath)$$

or one of the following conditions is true

$${\rm[C2]}\, \underbrace{C_{O_1}({\boldsymbol m}) \geq n_1}_{[C2a]} \bigvee \underbrace{C_{O_k}({\boldsymbol m}) \geq n_k \mbox{ if } t \in TCO_k \mbox{ s.t. } N_{O_k} \prec N_{O_1}}_{[C2b]}$$

If\(|TCI_\imath|=1 \; \forall \imath\), condition [C1] is never true.

Proof

(If) If [C1] is true, by firing \(t_{TCO_1}^j\) the place \(p_\imath\in P_{O_1}\) cannot be uncontrollably marked (because of Assumption 2), since at least one of its control paths is unmarked. Nothing changes in the system as far as GMEC satisfaction and closed-loop liveness are concerned.

Now, suppose that the net system reaches a marking \({\boldsymbol m}\) such that \(C_{I_\imath}({\boldsymbol m})=m_\imath-1\), so that firing the transition \(t_{TCO_1}^j\) will cause \(p_\imath\) to become uncontrollably marked. If [C2a] is true, by the definition of \(C_{O_1}({\boldsymbol m})\) we have that \(k - \sum_{j \in M}\sum_{p \in P_{O_\jmath} \bigwedge p \not \in P_{O_1}} {\boldsymbol w}_1(p)^- {\boldsymbol m}(p) {\boldsymbol f}(p,{\boldsymbol m})+ \sum_{p \in P_{O_1}} {\boldsymbol w}_1(p)^+ {\boldsymbol m}(p) \geq n_1\), and thus it follows that \(k - \sum_{j \in M} \sum_{p \in P_{O_\jmath} \bigwedge p \not \in P_{O_1}} {\boldsymbol w}_1(p)^- {\boldsymbol m}(p) {\boldsymbol f}(p,{\boldsymbol m}) \geq n_1 - \sum_{p \in P_{O_1}} {\boldsymbol w}_1(p)^+ {\boldsymbol m}(p) \geq 0\), since \(n_1 \geq \sum_{p \in P_{O_1}} {\boldsymbol w}_1(p)^+ {\boldsymbol m}(p) \) by Eq. 5. By noticing that \(k -\sum_{j \in M} \sum_{p \in P_{O_\jmath} \bigwedge p \not \in P_{O_1}}{\boldsymbol w}_1(p)^- {\boldsymbol m}(p) {\boldsymbol f}(p,{\boldsymbol m})\) represents the complement to k of the maximum value of the weighted sum of the constrained places \(p \not \in P_{O_1}\) that can be uncontrollably marked, we conclude that the GMEC will not be violated. The same occurs if [C2b] is true.

As for firing \(t_{o1}\), note that all the transitions in the net \(N_{O_1}\) can be disabled only by the marking of places in the net \(N_{O_1}\). If condition [C2a] is verified under the marking \({\boldsymbol m}\), we have that \(k -\sum_{j \in M} \sum_{p \in P_{O_\jmath} \bigwedge p \not \in P_{O_1}} {\boldsymbol w}_1(p)^- {\boldsymbol m}(p) {\boldsymbol f}(p,{\boldsymbol m})\geq n_1 - \sum_{p \in P_{O_1}} {\boldsymbol w}_1(p)^+ {\boldsymbol m}(p) \geq 0\). By noticing that \(k -\sum_{j \in M} \sum_{p \in P_{O_\jmath} \bigwedge p \not \in P_{O_1}} {\boldsymbol w}_1(p)^- {\boldsymbol m}(p) {\boldsymbol f}(p,{\boldsymbol m})\) represents the weighted sum of the constrained places \(p \not \in P_{O_1}\) that can be uncontrollably marked, and that \(n_1 - \sum_{p \in P_{O_1}} {\boldsymbol w}_1(p)^+ {\boldsymbol m}(p)\) represents the maximum value that the weighted sum of the constrained places in \(N_{O_1}\) still to be marked to enable \(t_{o1}\) can assume, we deduce that it is possible to enable all the transitions \(t_{TCO_1}^j, \forall j\), so that all the control paths of \(t_{o1}\) can be marked and \(t_{o1}\) can be fired.

If [C2a] is not true, by the same reasoning, we conclude that, if [C2b] is true, it is possible to fire all transitions tok such that \(N_{O_k} \prec N_{O_1}\) without violating the GMEC. The counter \(C_{O_1}\) is so incremented until [C2b] becomes true.

(Only if) If [C1] and [C2a] are not true, it follows that \(k -\sum_{j \in M} \sum_{p \in P_{O_\jmath} \bigwedge p \not \in P_{O_1}} {\boldsymbol w}_1(p)^- {\boldsymbol m}(p) {\boldsymbol f}(p,{\boldsymbol m}) < n_1 - \sum_{p \in P_{O_1}} {\boldsymbol w}_1(p)^+ {\boldsymbol m}(p) \). This means that under the current marking it is not possible to mark all the places needed to enable \(t_{o1}\). Since \(N_{O_k} \subset N_{O_1}, \, k \neq 1\), and [C2b] is not true, no other output transition of a constrained place included in \(N_{O_1}\) can fire before \(t_{o1}\) fires, i.e. the quantity \(n_1 - \sum_{p \in P_{O_1}} {\boldsymbol w}_1(p)^+ {\boldsymbol m}(p) \) cannot be decremented. Thus, by firing \(t_{TCO_1}^j\) a marking \({\boldsymbol m}^\prime\) will be reached from \({\boldsymbol m}\) under which \(t_{o1}\) is deadlocked. □

Example 1

Consider again the net system shown in Fig. 6a and the GMEC \({\boldsymbol m}(p_4)+{\boldsymbol m}(p_6)+{\boldsymbol m}(p_{11}) \leq 1\). The monitor-controlled net system shown in Fig. 6b enforces the GMEC, but it can be proved not to be live by using the results of Section 4. By definition we have \(|TCI_\imath|=1, \forall \imath\), and the following sets of control transitions are defined: \(TCO_4 = \{t_1\}\), \(TCO_6 = \{ t_3 \}\), \(TCO_{o11} = \{t_1, t_2, t_3 \}\). Also, recall that for this net system and for the specified GMEC the subnet \(N_{O_{o11}}\) is the only maximal control subnet. It results that \(N_{O_4} \prec N_{O_{o11}}\) and \(N_{O_6} \prec N_{O_{o11}}\). The plant net is a live and safe MG, and the hypotheses of Proposition 3 are verified. A control policy is: enable a transition \(t \in TCO_{o11}\) iff \(C_{O_{o11}}({\boldsymbol m}) \geq 3\), being \(n_{o11} = 3\); enable a transition \(t \in TCO_6\) iff \(C_{O_6}({\boldsymbol m}) \geq 1\), being \(n_6 = 1\); enable a transition \(t \in TCO_4\) iff \(C_{O_4}({\boldsymbol m}) \geq 1\), being \(n_4 = 1\). The resulting controller is shown in Fig. 6c, where the places \(p_{c1}\), \(p_{c2}\), \(p_{c3}\) implement \(C_{O_4}({\boldsymbol m})\), \(C_{O_{o11}}({\boldsymbol m})\), \(C_{O_6}({\boldsymbol m})\) respectively. The closed-loop net system can be simplified as shown in Fig. 6d.

Proposition 4

Let us consider a live and safe MG and a GMEC\(({\boldsymbol w},k)\) such that Assumption 1 and Assumption 2 are verified. Suppose that two independent and maximal control subnets\(N_{O_1}\) and\(N_{O_2}\) are defined, i.e. any other control subnet\(N_{O_k}\) verifies that\(TCO_k \subset TCO_1, \, k \neq 1 \bigvee TCO_k \subset TCO_2, \, k \neq 2\). Firing a transition\(t_{TCO_1}^j \in TCI_\imath\), it is possible, after a fireable sequence, to enable to1 without violating the GMEC iff

$$[{\rm C}1]\, C_{I_\imath}({\boldsymbol m}) \!<\! m_\imath- \!1 \mbox{ \rm with } i\!=\!1, 2, {\rm(}\text{\rm note that by definition}, \forall t \!\in\! TCO_\jmath, \, \exists \imath\,\text{\rm s.t. }\, t \!\in\! TCI_\imath{\rm)}$$

or\(C_{I_\imath}({\boldsymbol m}) = m_\imath-1\) but one of the two following conditions is verified

$$ \begin{array}{rll} {\rm[C2]}&& C_{O_1}({\boldsymbol m}) \geq n_1 \bigvee C_{O_k}({\boldsymbol m}) \geq n_k \;\text{\rm if}\; t \in TCO_k\; \text{\rm s.t.}\; N_{O_k} \prec N_{O_1}\\ {\rm[C3]}&& C_{O_2}({\boldsymbol m}) \geq n_2 + \sum\nolimits_{p \in {TCI_1}^{\bullet}} {\boldsymbol w}_\imath(p)^- \; \bigwedge \; C_{O_1}({\boldsymbol m}) + n^\prime_2 \geq n_1 \end{array} $$

If\(|TCI_\imath|=1 \; \forall \imath\), condition [C1] is never true.

Proof

Only condition [C3] will be proved, since the proofs of conditions [C1] and [C2] can be derived from the proof of Proposition 3. Indeed, in the proof of Proposition 3 we have not used that \(\sum_{j \in M} \sum_{p \in P_{O_\jmath} \bigwedge p \not \in P_{O_1}} {\boldsymbol w}_1(p)^- {\boldsymbol m}(p)=0\) when \(M = \{ 1 \}\), and thus it also works in the presence of two maximal independent control subnets.

(If) By firing \(t_{TCO_1}^j\), \({\boldsymbol m} [ t_{TCO_1}^j > {\boldsymbol m}^\prime\). From condition [C3] it follows that \(C_{O_2}({\boldsymbol m}^\prime) \geq n_2\), so it is possible to enable \(t_{o2}\). By firing \(t_{o2}\), \(C_{O_1}\) is incremented by \(n^\prime_2\), so it is possible to reach a marking \({\boldsymbol m}^{\prime \prime}\) such that \(C_{O_1}({\boldsymbol m}^{\prime \prime}) \geq n_1\). From Proposition 3 we conclude that \(t_{o1}\) can be fired.

(Only if) If [C3] is not true, even if we assume that \(C_{O_2}({\boldsymbol m}) \geq n_2 + \sum_{p \in {TCI_1}^{\bullet}} {\boldsymbol w}_\imath(p)^- \) and thus to2 can be fired, \(C_{O_1}\) is incremented by \(n^\prime_2\) units but it results \(C_{O_1}({\boldsymbol m}^\prime) < n_1\) being \(C_{O_1}({\boldsymbol m}) + n^\prime_2 < n_1\). From Proposition 3 we conclude that a marking \({\boldsymbol m}^{\prime \prime}\) will be reached from \({\boldsymbol m}^\prime\) under which to1 is deadlocked. □

Example 2

Consider the net system in Fig. 5 – apart from dotted arcs and places – and the GMEC \({\boldsymbol m}(p_1) + 2 {\boldsymbol m}(p_2) + 2 {\boldsymbol m}(p_3)+ 2 {\boldsymbol m}(p_6) + {\boldsymbol m}(p_7) + {\boldsymbol m}(p_{13}) + {\boldsymbol m}(p_{14}) + 2 {\boldsymbol m}(p_{15}) \leq 4\). The monitor pc enforces the GMEC but the closed-loop system can be proved to be not live by using the results shown in Section 4.

Since \(N_{O_{o1}}\) and \(N_{O_{o2}}\) are independent and they are the only two maximal control subnets, the hypotheses of Proposition 4 are verified. The control subnet \(N_{O_{15}}\) is included in \(N_{O_{o2}}\) according to Definition 9, i.e. \(N_{O_{15}} \prec N_{O_{o2}}\). No other control subnet is included in \(N_{O_{o1}}\) or in \(N_{O_{o2}}\).

We proceed to apply the control policy given in Proposition 4. To be consistent with the notation, we use \(n_{o1} = 4\), \(n^\prime_{o1} = 3\), \(n_{o2} = 4\), \(n^\prime_{o2} = 2\), \(n_{15} = 2\), \(n^\prime_{15} = 2\).
$$ \begin{array}{rll} C_{\!O_{o1}}(\!{\boldsymbol m})&\!\!{\kern-1.6pt}=\!{\kern-2pt}& 4 \!{\kern-.8pt}-\!{\kern-.8pt} \underbrace{\!{\boldsymbol m}(p_{\!13}) \!{\kern-.8pt}-\!{\kern-.8pt} {\boldsymbol m}(p_{\!14}) {\boldsymbol f}(p_{\!14},\!{\boldsymbol m}) \!{\kern-.8pt}-\!{\kern-.8pt} 2 {\boldsymbol m}(p_{\!15}) \!{\kern-.8pt}-\!{\kern-.8pt} {\boldsymbol m}(p_{\!16}) \!{\kern-.8pt}-\!{\kern-.8pt} 1\!{\kern-.8pt}/2 {\boldsymbol m}(p_{17}) {\boldsymbol f}(p_{17},\!{\boldsymbol m}) \!{\kern-.8pt}-\!{\kern-.8pt} 1/2 {\boldsymbol m}(p_{\!18}) {\boldsymbol f}(p_{\!18},\!{\boldsymbol m})}_{\sum_{p \in P_{O_{o2}} } {\boldsymbol w}_{o2}(p)^- {\boldsymbol m}(p) {\boldsymbol f}(p,\!{\boldsymbol m}) } \!+\\ &&+\underbrace{ {\boldsymbol m}(p_1)}_{\sum_{p \in P_{O_{o1}}} {\boldsymbol w}_{o1}(p)^+ {\boldsymbol m}(p) } , \end{array} $$
$$ \begin{array}{rll} C_{O_{15}}({\boldsymbol m})&=& 4 - \underbrace{ {\boldsymbol m}(p_1) - 2 {\boldsymbol m}(p_2) - 2 {\boldsymbol m}(p_3) - 2 {\boldsymbol m}(p_6) - 2 {\boldsymbol m}(p_7) - 2 {\boldsymbol m}(p_8) - 2 {\boldsymbol m}(p_{10}) }_{\sum_{p \in P_{O_{o1}} } {\boldsymbol w}_{o1}(p)^- {\boldsymbol m}(p) {\boldsymbol f}(p,{\boldsymbol m}) } +\\ &&+\underbrace{{\boldsymbol m}(p_{13}) - {\boldsymbol m}(p_{14}) {\boldsymbol f}(p_{14},{\boldsymbol m}) - {\boldsymbol m}(p_{16}) - 1/2 {\boldsymbol m}(p_{17}) {\boldsymbol f}(p_{17},{\boldsymbol m}) - 1/2 {\boldsymbol m}(p_{18}) {\boldsymbol f}(p_{18},{\boldsymbol m})}_{\sum_{p \in P_{O_{o2}} \bigwedge p \not \in P_{O_{15}}} {\boldsymbol w}_{o2}(p)^- {\boldsymbol m}(p) {\boldsymbol f}(p,{\boldsymbol m}) } \\&&+ \underbrace{0}_{\sum_{p \in P_{O_{15}}} {\boldsymbol w}_{15}(p)^+ {\boldsymbol m}(p) } ,\\ C_{O_{o2}}({\boldsymbol m})&=& 4 - \underbrace{ {\boldsymbol m}(p_1) - 2 {\boldsymbol m}(p_2) - 2 {\boldsymbol m}(p_3) - 2 {\boldsymbol m}(p_6) - 2 {\boldsymbol m}(p_7) - 2 {\boldsymbol m}(p_8) - 2 {\boldsymbol m}(p_{10}) }_{\sum_{p \in P_{O_{o1}} } {\boldsymbol w}_{o1}(p)^- {\boldsymbol m}(p) {\boldsymbol f}(p,{\boldsymbol m}) } \\&&+ \underbrace{ {\boldsymbol m}(p_{11}) + {\boldsymbol m}(p_{12}) }_{\sum_{p \in P_{O_{o2}}} {\boldsymbol w}_{o2}(p)^+ {\boldsymbol m}(p) } . \end{array} $$
Note that in the expressions of \(C_{O_{o1}}\), \(C_{O_{15}}\) and \(C_{O_{o2}}\), for the sake of brevity, we omitted the term \({\boldsymbol f}(p,{\boldsymbol m})\) for all places which belong to a subnet \(N_{I_k}\) with \(|I_k| = 1\) (e.g. \(p_{13}\)), since in that case \({\boldsymbol f}(p,{\boldsymbol m})=1\) whenever \({\boldsymbol m}(p)=1\).

A transition \(t \in TCO_{o1}\) is enabled iff \(C_{O_{o1}}({\boldsymbol m}) \geq 4\) or \(C_{O_{o2}}({\boldsymbol m}) \geq 4 + 2 = 6 \, \bigwedge \, C_{O_{o1}}({\boldsymbol m}) + 2 \geq 4 \).

A transition \(t \in TCO_{o2}\) is enabled iff \(C_{O_{o2}}({\boldsymbol m}) \geq 4\) or \(C_{O_{o1}}({\boldsymbol m}) \geq 4 + 3 = 7 \, \bigwedge \, C_{O_{o2}}({\boldsymbol m}) + 3 \geq 4 \).

A transition \(t \in TCO_{o2} \cap TCO_{15}\) is enabled iff \(C_{O_{o2}}({\boldsymbol m}) \geq 4\) or \(C_{O_{15}}({\boldsymbol m}) \geq 2\) or \(C_{O_{o1}}({\boldsymbol m}) \geq 4 + 4 = 7 \; \bigwedge \; C_{O_{o2}}({\boldsymbol m}) + 3 \geq 4 \).

Under the marking in Fig. 5 it results that \(C_{O_{o1}}({\boldsymbol m})=4\), \(C_{O_{o2}}({\boldsymbol m})=4\), \(C_{O_{15}}({\boldsymbol m})=4\). Hence, all controllable transitions can be left free to fire. Assume \(t_{14}\) fires; then \(C_{O_{o1}}({\boldsymbol m})=3\), \(C_{O_{o2}}({\boldsymbol m})=4\), \(C_{O_{15}}({\boldsymbol m})=3\). Now only a transition \(t \in TCO_{o2}\) may be left free to fire: indeed, if a transition \(t \in TCO_{o1}\) fires, a deadlock state is reached.
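As an added example (not the paper's code), the following Python evaluates the counters \(C_{O_\imath}({\boldsymbol m})\) of Definition 8 and the enabling predicates of Propositions 3 and 4 on the data the paper gives for Fig. 6c (Example 1) and Fig. 5 (Example 2). The nets are not simulated: markings, the function \({\boldsymbol f}\) and, for Fig. 5, the counter values are supplied as inputs; the sets \(P_{O_4}=\{p_4\}\), \(P_{O_6}=\{p_6\}\), the values \(n'_4=n'_6=1\), the [C3] gains read off the thresholds 4+2 and 4+3, and the test markings are assumptions.

```python
# Counters of Definition 8 and the enabling predicates of Propositions 3 and 4.
# Added example, not the paper's code.  The nets are not simulated: markings,
# f(p,m) and (for Fig. 5) counter values are inputs; P_{O_4}, P_{O_6}, n'_4, n'_6,
# the [C3] gains and the test markings are assumptions.
from fractions import Fraction


class ControlSubnet:
    """Constants of the control subnet N_{O_i} of the output transition t_{oi}."""

    def __init__(self, places, w_minus, w_plus, n, n_prime, included_in=None):
        self.places = frozenset(places)    # P_{O_i}
        self.w_minus = dict(w_minus)       # w_i^-(p); unlisted places have weight 0
        self.w_plus = dict(w_plus)         # w_i^+(p); unlisted places have weight 0
        self.n, self.n_prime = n, n_prime  # n_i and n'_i
        self.included_in = included_in     # j with N_{O_i} < N_{O_j} (Definition 9), or None


def counter_O(k, subnets, maximal, i, m, f):
    """C_{O_i}(m) = k - sum_{j in M} sum_{p in P_{O_j} minus P_{O_i}} w_j^-(p) m(p) f(p,m)
                        + sum_{p in P_{O_i}} w_i^+(p) m(p)      (Definition 8).
    Weights may be rational (1/2 appears in w_{o2}^- of Fig. 5), hence Fractions."""
    s_i = subnets[i]
    value = Fraction(k)
    for j in maximal:
        for p in subnets[j].places - s_i.places:
            value -= subnets[j].w_minus.get(p, 0) * m.get(p, 0) * f.get(p, 0)
    for p in s_i.places:
        value += s_i.w_plus.get(p, 0) * m.get(p, 0)
    return value


def enabled(t_subnets, counters, subnets, maximal, c3_gain=None):
    """May a controllable transition t, with t in TCO_i for every i in t_subnets, fire?
    [C1] is omitted: in both examples |TCI_i| = 1, so the paper notes it never holds.
    [C2]: C_{O_i}(m) >= n_i for a maximal subnet containing t, or for one included in
          a maximal subnet (Definition 9).
    [C3] (Proposition 4; maximal subnets a, b with t in TCO_a):
          C_{O_b}(m) >= n_b + gain_a  and  C_{O_a}(m) + n'_b >= n_a, where
          gain_a = sum_{p in TCI_a^bullet} w^-(p) is supplied through c3_gain."""
    for i in t_subnets:
        s = subnets[i]
        if (i in maximal or s.included_in is not None) and counters[i] >= s.n:
            return True
    if c3_gain is not None and len(maximal) == 2:
        for a in (a for a in maximal if a in t_subnets):
            b = next(x for x in maximal if x != a)
            if (counters[b] >= subnets[b].n + c3_gain[a]
                    and counters[a] + subnets[b].n_prime >= subnets[a].n):
                return True
    return False


# Fig. 6c, GMEC m(p4)+m(p6)+m(p11) <= 1 (Example 1): w_{o11}^- and w_{11}^+ as printed
# for the 12 places; TCO_4 = {t1}, TCO_6 = {t3}, TCO_o11 = {t1, t2, t3}.
# Assumed: P_{O_4} = {p4}, P_{O_6} = {p6}, n'_4 = n'_6 = 1 (extra zero-weight places
# in these sets would not change any counter value).
K6 = 1
FIG6 = {
    "4": ControlSubnet(["p4"], {}, {}, n=1, n_prime=1, included_in="o11"),
    "6": ControlSubnet(["p6"], {}, {}, n=1, n_prime=1, included_in="o11"),
    "o11": ControlSubnet([f"p{i}" for i in range(4, 13)],
                         {"p4": 1, "p5": 1, "p6": 1, "p8": 1, "p11": 1},
                         {"p7": 1, "p9": 1, "p10": 1, "p12": 1}, n=3, n_prime=1),
}
M6 = ["o11"]
TCO6 = {"t1": ["4", "o11"], "t2": ["o11"], "t3": ["6", "o11"]}


def fig6_policy(m, f):
    """Counters of Fig. 6c under marking m, and the transitions Example 1's policy frees."""
    counters = {i: counter_O(K6, FIG6, M6, i, m, f) for i in FIG6}
    free = sorted(t for t, subs in TCO6.items() if enabled(subs, counters, FIG6, M6))
    return counters, free


# Fig. 5 (Example 2): only n_i and n'_i enter the predicates, so place data is omitted.
FIG5 = {
    "o1": ControlSubnet([], {}, {}, n=4, n_prime=3),
    "o2": ControlSubnet([], {}, {}, n=4, n_prime=2),
    "15": ControlSubnet([], {}, {}, n=2, n_prime=2, included_in="o2"),
}
M5 = ["o1", "o2"]
GAIN5 = {"o1": 2, "o2": 3}  # the "+2" and "+3" of the page's [C3] thresholds 4+2, 4+3


def fig5_free(counters):
    """Classes of controllable transitions of Fig. 5 left free under the given counters."""
    classes = {"TCO_o1": ["o1"], "TCO_o2": ["o2"], "TCO_o2&TCO_15": ["o2", "15"]}
    return sorted(c for c, subs in classes.items()
                  if enabled(subs, counters, FIG5, M5, GAIN5))


if __name__ == "__main__":
    # Constructed markings: (a) p7, p9 marked and f = 0 everywhere (as in the figure);
    # (b) only p5 marked, with all its control paths marked, so f(p5, m) = 1.
    print(fig6_policy({"p7": 1, "p9": 1}, {}))     # counters 1, 1, 3 -> t1, t2, t3 free
    print(fig6_policy({"p5": 1}, {"p5": 1}))       # counters 0, 0, 1 -> nothing free
    print(fig5_free({"o1": 4, "o2": 4, "15": 4}))  # marking of Fig. 5: all classes free
    print(fig5_free({"o1": 3, "o2": 4, "15": 3}))  # after t14: only the TCO_o2 classes
```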

Note 1

The result presented in Proposition 4 refers to the case in which only two maximal independent control subnets are considered. It can be generalized to r > 2 maximal independent control subnets by taking into account, for the enabling of a controllable transition \(t \in TCO_\imath\) under a given marking, that the output transition \(t_{oi}\) may fire after a sequence that includes the firing of some (at most all) of the other r − 1 output transitions.

The control policy is suitable for on-line execution, since it only requires, for each constrained place, the allocation of two counter variables \(C_{I_i}\) and \(C_{O_i}\), and the evaluation of logical predicates that essentially consist of comparisons between the values of such counters and an integer number.

7 Concluding remarks

Some results on the liveness of plant MGs on which a GMEC has been enforced via a monitor place have been presented in this paper. First, two sufficient conditions have been obtained which guarantee that no solution of the state equation is a spurious deadlock. As a consequence, in these cases checking liveness reduces to checking whether a system of equations admits a solution. In addition, a sufficient condition has been presented for the closed-loop liveness of MGs on which a GMEC has been enforced. Also, a maximally permissive control policy that enforces a GMEC and closed-loop liveness on live and safe controlled MGs has been proposed.

Copyright information

© Springer Science+Business Media, LLC 2008