# Closed-loop Live Marked Graphs under Generalized Mutual Exclusion Constraint Enforcement

Basile, F., Recalde, L., Chiacchio, P. et al. Discrete Event Dyn Syst (2009) 19: 1.

DOI: 10.1007/s10626-008-0050-7

## Abstract

Enforcing a supervisory control policy to avoid forbidden states on a discrete event system modeled by a Petri net may result in a non-live system. This may happen even if the admissible states are specified by Generalized Mutual Exclusion Constraints (GMECs). This leads to the problem of synthesizing a maximally permissive control policy that preserves liveness of the system under a GMEC. This problem is very interesting in practice, but difficult even for a restricted class of systems. In this paper, we focus on systems which can be modeled as live and safe Marked Graphs (MGs). On such systems, when some of the transitions are uncontrollable, a GMEC can be enforced by a monitor place if a not maximally permissive policy is accepted; otherwise a more complex control has to be adopted. In either case, liveness of the closed-loop system (plant plus control) is not guaranteed. Two sufficient conditions to verify the closed-loop liveness of a live and safe MG plant controlled by a monitor are derived. A sufficient condition for closed-loop liveness of MGs on which a GMEC has been enforced is derived. In addition, a set of predicates is provided that enforces, in a maximally permissive way, a GMEC while preserving closed-loop liveness on live and safe MG systems under some restrictions.

### Keywords

Supervisory control; Closed-loop liveness; Generalized mutual exclusion constraint; Monitor places; Marked graphs

## 1 Introduction

Supervisory control theory for discrete event systems (DESs) was initiated by Ramadge and Wonham (1989). In their seminal work they represent both the plant, i.e. the system to be controlled, and the desired closed-loop behaviour, by regular languages. The specific problem addressed was to synthesize a controller, called *supervisor*, to achieve the largest subset of the desired language that is *nonblocking*, i.e. that does not prevent any task from being completed, by disabling or enabling *controllable events*. The unwanted sequences may be related, for example, to safety requirements. Although regular languages have been a useful framework to start such a DES control theory, they are limited in representing systems consisting of numerous interacting subsystems.

For this reason, a control theory for DESs modeled by partially-synchronized products of automata and Petri nets (PNs) has been developed (Holloway et al. 1997; Stremersch 2001). PNs are particularly effective when there is a high degree of concurrency and synchronization. In control theory, general PN models are extended with the concept of *controllable transitions*. Two possibilities can be explored. In the first one, a controllable transition may be *disabled* by an external control input represented by the value of a logical predicate; in this case we speak of controlled PNs and of an *interpreted supervisor* (Giua et al. 1993). In the second one the *feedback control policy* is implemented by a PN controller, whose marking enables or disables, according to the logical specifications, the controllable transitions it is connected to in the closed-loop net. Input arcs from the controller to *uncontrollable* transitions are not allowed. In this case we have a *compiled supervisor* and the closed-loop system properties can be analyzed in a single framework, because both the plant and the controller are represented by PNs. What we lose is the expressive power of the control law, which, in the general case, cannot be implemented by a PN in a maximally permissive form (Holloway et al. 1997).

Here we consider the problem of forbidden state specification in conjunction with liveness under control. Avoiding forbidden states is a very common specification for a DES and a lot of work has been done on the subject (Holloway et al. 1997), but unfortunately the solution may lead the system to deadlocks. Liveness, however, is a fundamental specification for a DES control problem, like stability in classical control theory.

Furthermore, notice that even if we have a net-based supervisor to enforce a forbidden state specification, the closed-loop net system is in general more complex than the plant net was for the liveness analysis. A forbidden state problem may represent, for example, a resource sharing problem. Enforcing it introduces conflicts not present in the plant model and thus the resulting closed-loop net system belongs generally to a wider net subclass, where the liveness preservation may be a much more complex problem.

In this paper we restrict our study to plants modeled by Marked Graphs (MGs). There are several reasons for this: MGs are relevant in the modeling of automated manufacturing systems; MGs are a well studied net subclass and so their behaviour is well known; the difficulty of the addressed problem would not have allowed a solution to be obtained for more complex nets, at least in this initial stage of the research. Furthermore, notice that the closed-loop net formed by a MG and the controller enforcing a set of GMECs, as for example a MG plus a monitor, belongs in general to a net subclass wider than MGs and thus it is not trivial to guarantee its liveness.

First, enforce a forbidden-state specification without a liveness specification, and then analyze the liveness property of the closed-loop system. In some cases the computational complexity required for the synthesis of a controller without the liveness specification and for the checking of closed-loop liveness, especially when the controller is compiled, may be low compared with that required if closed-loop liveness is taken into account directly in the control specification; so it may be convenient to try.

In this paper we consider, as forbidden state specification, a Generalized Mutual Exclusion Constraint (GMEC) that limits a weighted sum of tokens in a subset of places. When all transitions are controllable it was shown that it is possible to impose a GMEC in a maximally permissive way by a *monitor* (Giua et al. 1992; Yamalidou et al. 1996). The monitor synthesis is very efficient from the computational point of view and it leads to a compiled supervisor. In the presence of uncontrollable transitions (Moody and Antsaklis 2000; Basile et al. 2006), monitors are not always able to implement a maximally permissive policy to enforce a GMEC. However, because of their simplicity they may represent an acceptable suboptimal solution to the control problem and, thus, in this paper the problem of checking liveness of a MG system controlled by a monitor is considered, providing two sufficient conditions which permit the check at very low computational cost.

Second, if the controller synthesized without the liveness specification is not live, it is necessary to synthesize a control policy for the forbidden state problem that guarantees closed-loop liveness. This is in general more complex.

In this paper, if the net system controlled by the monitor turns out to be non-live, the problem of synthesizing a controller which guarantees both GMEC and liveness enforcement on MGs is addressed. An interpreted supervisor to enforce in a maximally permissive way a GMEC on MGs under some restrictions, while keeping liveness, is proposed. The synthesis of the control policy requires a computational effort polynomial with respect to the net size and it is suitable to be executed on line, since it requires just the evaluation of logical predicates essentially consisting of comparisons between the values of some counter variables and integer numbers.

This paper has some points of contact with the work of Park and Reveliotis (2002) and with those of Iordache and Antsaklis (Iordache et al. 2002; Iordache and Antsaklis 2003).

In Park and Reveliotis (2002) a suboptimal approach is presented. It can be applied to resource allocation problems specified as a set of GMECs for a net subclass known as *Simple Sequential Process* (*S*^{2}*P*), consisting of a number of strongly connected state machines connected by resource places enforcing GMECs. The problem of including GMECs not representing resource allocation problems is treated as an extension. The main difference with this work is that the control law proposed here can be applied to MGs and that it is maximally permissive.

In Iordache et al. (2002) and Iordache and Antsaklis (2003) a procedure for the design of supervisors that enforce the transitions in a set \({\cal T}\) to be live is presented. The procedure is general and no assumption on the PN structure is required. However, the procedure is iterative and termination is not guaranteed unless the PN is bounded, and it requires a certain number of off-line steps having exponential computational complexity (Iordache and Antsaklis 2006), since it requires the computation of minimal active siphons. The control law is represented by the conjunction of GMECs enforceable by a set of monitor places, or by the disjunction of sets of GMECs which cannot be enforced by monitors; in any case the on-line computational cost is negligible, but the law is maximally permissive only when all transitions are controllable and observable. In the presence of partial controllability and observability, maximal permissiveness is not guaranteed. The main differences with this work are: there the main goal is liveness or deadlock-freeness of the plant net and the problem of enforcing GMECs is treated as an extension, while in this work the plant net is supposed to be live and the control law must avoid deadlocks induced by one or several GMECs; their procedure is general, while the control law proposed in this paper can be applied only to MGs but it is maximally permissive and the synthesis has polynomial complexity.

Section 2 introduces notations about PNs and presents the problem considered in this paper by a simple example, while in Section 3 control subnet definition, used in the following sections, is introduced.

The main results are collected in Sections 4, 5 and 6.

Some results are presented in Section 4, aimed at verifying if a net controlled by a monitor is closed-loop live. The given conditions suffer from two main drawbacks: they are sufficient, but not necessary, conditions, and can only be applied to monitors. However, the computational complexity of control synthesis and of liveness checking is very low. Therefore, these conditions could prove very useful.

In Section 5 a sufficient condition is presented to check closed-loop liveness for a live and bounded MG system on which a GMEC has been imposed, by checking closed-loop liveness of proper subnets computed from the constrained places (no hypothesis is made on the control technique; the controller may not be a monitor). In this way the problem of checking liveness is decomposed and thus it may become simpler. A control policy to enforce a kind of GMEC, under some restrictions, on a cyclic live and safe MG was proposed in Holloway and Krogh (1990) and extended in Krogh and Holloway (1991). In Holloway and Krogh (1992) it was shown that the control policy proposed in Holloway and Krogh (1990) is closed-loop live if the output transition of any forbidden place is not a synchronization transition; the resulting controller is an interpreted supervisor. In Section 6, a control synthesis method to enforce in a maximally permissive way a GMEC on a live and safe MG under some restrictions, while keeping liveness, is presented. It allows a synchronization transition to be an output transition of a forbidden place, generalizing the results in Holloway and Krogh (1990).

## 2 Preliminaries and formalisms

### 2.1 Place/transition nets

A place/transition (P/T) net (Murata 1989; Silva 1993) is a structure *N* = (*P*,*T*,*Pre*,*Post*) where: *P* is a set of *n* *places* represented by circles; *T* is a set of *m* *transitions* represented by bars; *P* ∩ *T* = ∅, *P* ∪ *T* ≠ ∅; \(Pre:P \times T \rightarrow {{\mathbb N}}\) (\(Post:P \times T \rightarrow {{\mathbb N}}\)) is the pre- (post-) incidence function that specifies the input (output) arcs directed from places to transitions (from transitions to places), with \({{\mathbb N}}\) the set of non-negative integers. For instance, *Pre*(*p*,*t*) = *a* (*Post*(*t*,*p*) = *a*) means that there is an arc from *p* (*t*) to *t* (*p*) with weight *a*. If all arcs have unitary weights, the net is called *ordinary*. The pre- and post-incidence functions can be represented as *n* × *m* matrices **Pre** and **Post** with elements \(Pre(p_\imath,t_\jmath)\) and \(Post(p_\imath,t_\jmath)\), respectively. The incidence matrix \({\boldsymbol C}\) of the net is defined as \({\boldsymbol C}={\bf Post}-{\bf Pre}\). For pre- and post-sets we use the conventional dot notation, e.g. ^{ ∙ }*t* = { *p* ∈ *P* | **Pre**(*p*,*t*) ≠ 0 }, which can be naturally extended to sets of nodes.

A *marking* is an *n* × 1 vector \({\boldsymbol m} \in {{\mathbb N}}^{|P|}\) that assigns to each place of a P/T net a non-negative integer number of tokens. A P/T system or net system \(\langle N,{\boldsymbol m}_0 \rangle\) is a P/T net *N* with an initial marking \({\boldsymbol m}_0\). A transition *t* ∈ *T* is enabled at a marking \({\boldsymbol m}\) iff \({\boldsymbol m} \geq {\bf Pre}(\cdot,t)\). If *t* is enabled, then it may fire yielding a new marking \({\boldsymbol m}^{\prime}={\boldsymbol m}+{\bf Post}(\cdot,t)-{\bf Pre}(\cdot,t)={\boldsymbol m}+{{\boldsymbol C}}(\cdot,t)\). The notation \({\boldsymbol m}[t>{\boldsymbol m}^\prime\) will mean that an enabled transition *t* may fire at \({\boldsymbol m}\) yielding \({\boldsymbol m}^\prime\). A *firing sequence* from \({\boldsymbol m}_0\) is a (possibly empty) sequence of transitions *σ* = *t*_{1}...*t*_{k} such that \({\boldsymbol m}_0[t_1>{\boldsymbol m}_1 [t_2>{\boldsymbol m}_2 \ldots [t_k>{\boldsymbol m}_k\). A marking \({\boldsymbol m}\) is reachable in \(\langle N,{\boldsymbol m}_0 \rangle\) iff there exists a firing sequence *σ* such that \({\boldsymbol m}_0[\sigma>{\boldsymbol m}\). Given a net system \(\langle N,{\boldsymbol m}_0 \rangle\), the set of reachable markings is denoted \(R(N,{\boldsymbol m}_0)\).

The firing count vector of the fireable sequence *σ* will be denoted as \({\boldsymbol \sigma}\in {{\mathbb N}}^{|T|}\), where \({\boldsymbol \sigma}(t)\) represents the number of occurrences of *t* in *σ*. The support of a firing count vector \({\boldsymbol \sigma}\) is the set \(\parallel {\boldsymbol \sigma} \parallel = \{ t \in T \mid {\boldsymbol \sigma}(t) \neq 0\}\). If \({\boldsymbol m}_0[\sigma>{\boldsymbol m}\), then we can write in vector form \({\boldsymbol m}={\boldsymbol m}_0+{{\boldsymbol C}} \cdot {\boldsymbol \sigma}\). This is known as the *state equation* of the system. The solutions of the state equation that do not correspond to reachable markings will be called *spurious*. Non-negative left annullers of \({\boldsymbol C}\) are called P-semiflows, i.e. \({\boldsymbol y} \in {{\mathbb N}}^{|P|}, \, {\boldsymbol y} \neq {\boldsymbol 0} , \, {\boldsymbol y}^T {\boldsymbol C} ={\boldsymbol 0}^T\). The support of a P-semiflow \({\boldsymbol y}\) is the set \(\parallel {\boldsymbol y} \parallel = \{ p \in P \mid {\boldsymbol y}(p) \neq 0\}\). If \({\boldsymbol y}\) is a P-semiflow then \({\boldsymbol y}^T {\boldsymbol m} = {\boldsymbol y}^T {\boldsymbol m}_0 , \, \forall {\boldsymbol m} \in R(N,{\boldsymbol m}_0)\). Non-negative right annullers of \({\boldsymbol C}\) are called T-semiflows, i.e. \({\boldsymbol x}\in {{\mathbb N}}^{|T|}, \, {\boldsymbol x} \neq {\boldsymbol 0}, \, {\boldsymbol C} {\boldsymbol x}={\boldsymbol 0}\). A MG is an ordinary P/T net such that ∀ *p* ∈ *P*, |^{ ∙ }*p* | = |*p*^{ ∙ }| = 1. A T-semiflow (P-semiflow) is *canonical* iff the greatest common divisor of its components is 1. A T-semiflow (P-semiflow) is said to be *minimal* iff it is canonical and has a minimal support.

A P/T system is *live* when, from every reachable marking, every transition can ultimately occur; and it is *deadlock-free* when every reachable marking enables some transition. For strongly connected MGs, liveness is equivalent to deadlock-freeness.

Let \({\boldsymbol w} \in {{\mathbb N}}^n, k \in {{\mathbb N}}\), a GMEC \(({\boldsymbol w}, k)\) defines the set of *legal markings* expressed by the following linear inequality: \({\cal L} = {\cal M}({\boldsymbol w},k) \equiv \{ {\boldsymbol m}\in {{\mathbb N}}^n \mid {\boldsymbol w} \cdot {\boldsymbol m} \leq k \}\). The support of \({\boldsymbol w}\) is the set \(Q_w=\{ p \in P \mid {\boldsymbol w}(p) \neq 0\}\).

We assume that the set of transitions *T* of a net is partitioned into two disjoint subsets: *T*_{u}, the set of uncontrollable transitions, and *T*_{c}, the set of controllable transitions; *T* = *T*_{u} ∪ *T*_{c} and *T*_{u} ∩ *T*_{c} = ∅. A controllable transition may be disabled by the supervisor, a controlling agent which ensures that the behaviour of the system will be within a legal behaviour. An uncontrollable transition represents an event which may not be prevented from occurring by a supervisor. Controllable transitions will be drawn as empty boxes, and uncontrollable ones as black bars.

Given a system \(\langle N, {\boldsymbol m}_0 \rangle\) and a GMEC \(({\boldsymbol w}, k)\), the occurrence of an uncontrollable transition *t*_{u} at a certain legal marking \({\boldsymbol m}\) may lead to a forbidden marking \({\boldsymbol m}^\prime\). Therefore, it is also necessary to avoid the set of markings \({\cal M}_{fu}({\boldsymbol w},k)=\{{\boldsymbol m}\in {{\mathbb N}}^n \mid {\boldsymbol m} [{\boldsymbol \sigma}>{\boldsymbol m}^\prime,\ {\boldsymbol m}^\prime \not\in{\cal M}({\boldsymbol w},k),{\boldsymbol \sigma} \in T_u^{*} \}\). So, in the presence of uncontrollable transitions, the set of legal markings under control will be \({\cal M}_c({\boldsymbol w},k)=({\cal M}({\boldsymbol w},k) \cap R(N,{\boldsymbol m}_0))\setminus {\cal M}_{fu}({\boldsymbol w},k)\). A supervisory control policy is said to be *maximally permissive* if it prevents only transition firings that yield illegal markings. Observe that \({\cal M}_c({\boldsymbol w},k) \subseteq {\cal M}({\boldsymbol w},k)\), i.e. the cardinality of the set of legal markings may be decreased.

### 2.2 Monitor fundamentals

It has been shown in Giua et al. (1992) that, if all transitions are controllable, the PN controller that enforces \(({\boldsymbol w},k)\) has the following incidence matrix \({\boldsymbol c}_c \in {{\mathbb Z}}^{1 \times m}\): \({\boldsymbol c}_c=-{\boldsymbol w} \cdot {\boldsymbol C}_p\) where \({\boldsymbol C}_p\) is the incidence matrix of the plant. The initial marking of the controller \(m_{c0} \in {{\mathbb N}}\) is given by: \(m_{c0}=k-{\boldsymbol w} \cdot {\boldsymbol m}_{p0}\) where \({\boldsymbol m}_{p0}\) is the initial marking of the plant.

The controller so constructed is maximally permissive, i.e. it only prevents those transition firings that yield illegal markings. The control net consists of a single control place; no transition is added. Such a control place is called a *monitor*. The monitor place, denoted as *p*_{m}, is connected to the plant transition \(t_\jmath\) as specified by the incidence matrix element \({\boldsymbol c}_c(p_m,t_\jmath)\).

*t* only if there is an arc from a controller place to *t*, and the marking of the controller place does not enable the transition. Arcs to uncontrollable transitions are not allowed. In terms of monitor places this can be formalized by imposing an additional constraint (Moody and Antsaklis 2000):

*N*_{u}, i.e. the net obtained from *N* removing the controllable transitions, and *m*_{u} is the number of uncontrollable transitions of the plant net.

In Moody and Antsaklis (2000) an efficient way to transform the control specification given by a GMEC \(({\boldsymbol w},k)\) into a more restrictive GMEC \(({\boldsymbol w}^\prime,k^\prime)\) that meets Eq. 1 is proposed.

Even if a monitor does not represent a maximally permissive way to enforce a GMEC in the general case, it can be an efficient suboptimal solution from the computational point of view, since its incidence matrix and initial marking are obtained by matrix multiplications, and the algorithm to impose Eq. 1 is polynomial w.r.t. the cardinality of the place set. In addition, its implementation is very simple, just adding a single place and its input and output arcs.

*p*_{m}, as shown in Fig. 1b. In this case, since the plant net is a safe MG, and \({\boldsymbol w} \leq \bf1\), the monitor represents the maximally permissive solution for preventing forbidden states with respect to the GMEC (Giua et al. 1993), even if uncontrollable transitions exist. However, the closed-loop system is not live. It is immediate to see that when *t*_{1} fires before *t*_{2} a deadlock occurs. To make the closed-loop system live we have to enable the firing of *t*_{1} only after *t*_{4} has been fired. Thus, the control place *p*_{c1} is derived as in Fig. 1c.

A place is said to be *implicit* if its removal preserves the possible firing sequences, i.e., it is never the unique restriction for the firing of its output transitions. The removal of implicit places preserves sequential properties like boundedness and liveness. By means of linear relaxations, a sufficient structural condition for a place to be sequentially implicit can be stated, which can be verified in polynomial time.

**Proposition 1**

*Let* \(\langle N, {\boldsymbol m}_0 \rangle\) *be a net system. A place p* ∈ *P with initial marking* \({\boldsymbol m}_0(p)\geq z\)*, where z is the optimal value of Eq. 2, is* (*sequential*) *implicit.*

If *p*_{m} and *p*_{c1} are added simultaneously to the net system in Fig. 1a, *p*_{m} happens to be implicit (\({\boldsymbol m}(p_m)={\boldsymbol m}(p_{c1})+ {\boldsymbol m}(p_4)+{\boldsymbol m}(p_6)-1\)). This means that *p*_{c1} is imposing a stronger restriction on the original behaviour. If *p*_{c1} is added, the closed-loop system can be further simplified as shown in Fig. 1d, because both *p*_{1} and *p*_{6} are implicit. Moreover, looking at Fig. 1d, it is clear that when *p*_{c1} has been added the behaviour of the plant system has been restricted to be sequential. That is, the firings of the controllable transitions, which are concurrent in the non-controlled system of Fig. 1a, and which may be forced to be conflicting when only the GMEC specification is present, as in Fig. 1b, are sequential when closed-loop liveness is also required.

Even if in general a monitor does not represent a maximally permissive policy, it may represent a good suboptimal solution when the system is closed-loop live. If this is not the case, like for the net system in Fig. 1a, a more complex controller has to be derived.
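To make the monitor construction of Section 2.2 and the liveness problem it raises concrete, here is an added example (not code from the paper; it uses a constructed four-place safe MG rather than the net of Fig. 1). It synthesizes the monitor for a GMEC with \(\boldsymbol c_c=-\boldsymbol w \cdot \boldsymbol C_p\) and \(m_{c0}=k-\boldsymbol w \cdot \boldsymbol m_{p0}\), builds the reachability graphs of plant and closed loop, and checks liveness by the definition (every transition can still fire from every reachable marking), showing a monitor that respects the GMEC but deadlocks the closed loop exactly in the way described above.

```python
"""Monitor synthesis for a GMEC on a small safe MG, and a reachability-based
check that the closed loop (plant plus monitor) stays live. Added example;
the net is a constructed one, not Fig. 1 of the paper."""
from collections import deque

# Constructed safe MG: branches p1 -> t1 -> p2 and p3 -> t2 -> p4 are joined
# by the synchronization transition t3, which returns a token to p1 and p3.
PLACES = ["p1", "p2", "p3", "p4"]
TRANS = ["t1", "t2", "t3"]
PRE = {"p1": {"t1": 1}, "p2": {"t3": 1}, "p3": {"t2": 1}, "p4": {"t3": 1}}
POST = {"p1": {"t3": 1}, "p2": {"t1": 1}, "p3": {"t3": 1}, "p4": {"t2": 1}}
M0 = {"p1": 1, "p2": 0, "p3": 1, "p4": 0}
W, K = {"p1": 0, "p2": 1, "p3": 0, "p4": 1}, 1   # GMEC: m(p2) + m(p4) <= 1


def synthesize_monitor(places, trans, pre, post, w, k, m0):
    """Monitor of Giua et al. (1992): c_c = -w . C_p and m_c0 = k - w . m_p0.
    Returns the monitor's Pre row, Post row and initial marking."""
    c = {p: {t: post[p].get(t, 0) - pre[p].get(t, 0) for t in trans} for p in places}
    cc = {t: -sum(w[p] * c[p][t] for p in places) for t in trans}
    mc0 = k - sum(w[p] * m0[p] for p in places)
    if mc0 < 0:
        raise ValueError("initial marking already violates the GMEC")
    pre_row = {t: -v for t, v in cc.items() if v < 0}   # arcs monitor -> t
    post_row = {t: v for t, v in cc.items() if v > 0}   # arcs t -> monitor
    return pre_row, post_row, mc0


def enabled(m, pre, t):
    return all(m[p] >= pre[p].get(t, 0) for p in pre)


def fire(m, pre, post, t):
    return {p: m[p] - pre[p].get(t, 0) + post[p].get(t, 0) for p in m}


def reachability_graph(places, trans, pre, post, m0):
    """BFS over markings. Returns {marking tuple: [(t, successor tuple), ...]}."""
    key = lambda m: tuple(m[p] for p in places)
    graph, queue = {key(m0): []}, deque([m0])
    while queue:
        m = queue.popleft()
        for t in trans:
            if enabled(m, pre, t):
                m2 = fire(m, pre, post, t)
                graph[key(m)].append((t, key(m2)))
                if key(m2) not in graph:
                    graph[key(m2)] = []
                    queue.append(m2)
    return graph


def deadlocks(graph):
    """Reachable markings that enable no transition."""
    return sorted(m for m, succ in graph.items() if not succ)


def is_live(graph, trans):
    """Live iff from every reachable marking every transition can eventually fire."""
    for start in graph:
        seen, stack, fired = {start}, [start], set()
        while stack:
            for t, m2 in graph[stack.pop()]:
                fired.add(t)
                if m2 not in seen:
                    seen.add(m2)
                    stack.append(m2)
        if fired != set(trans):
            return False
    return True


def closed_loop_analysis():
    """Plant alone versus plant plus monitor: liveness, deadlocks, GMEC respected."""
    pre_m, post_m, mc0 = synthesize_monitor(PLACES, TRANS, PRE, POST, W, K, M0)
    places = PLACES + ["pm"]
    pre, post, m0 = dict(PRE, pm=pre_m), dict(POST, pm=post_m), dict(M0, pm=mc0)
    plant = reachability_graph(PLACES, TRANS, PRE, POST, M0)
    loop = reachability_graph(places, TRANS, pre, post, m0)
    gmec_ok = all(sum(W[p] * mk[places.index(p)] for p in W) <= K for mk in loop)
    return {"monitor_pre": pre_m, "monitor_post": post_m, "mc0": mc0,
            "plant_live": is_live(plant, TRANS),
            "closed_loop_live": is_live(loop, TRANS),
            "closed_loop_deadlocks": deadlocks(loop),
            "gmec_respected": gmec_ok}


if __name__ == "__main__":
    for name, value in closed_loop_analysis().items():
        print(f"{name}: {value}")
```

The monitor obtained has unit-weight arcs into t1 and t2 and a weight-2 arc from t3, so it is of the form covered by Theorem 1; the plant is live, the GMEC holds in every closed-loop marking, yet firing either controllable transition first leaves the synchronization t3 waiting for a token the monitor no longer lets in.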

## 3 Control subnet

To enforce a GMEC it may be necessary to prevent some transitions from firing. Since it is not possible to disable the firing of an uncontrollable transition *t* ∈ *T*_{u}, we may only disable the set of controllable transitions whose firing is required in order to enable *t*. In the case of MG systems, this set can be analytically computed on the basis of the net structure. To this end, the concept of *control subnet* is introduced.

### 3.1 Definitions

**Definition 1**

*Let N be a MG net structure, and consider a transition* \(t_\imath\)*. The control subnet for* \(t_\imath\) *is* \(N_\imath=(P_\imath,T_\imath,Pre_\imath,Post_\imath)\) *where*

- \(P_\imath\subseteq P\) is the set of places connected to \(t_\imath\) by a directed path containing only uncontrollable transitions,
- \(T_\imath={^\bullet}P_\imath\cup P_\imath{^\bullet}\),
- \(Pre_\imath(p,t)=Pre(p,t)\),
- \(Post_\imath(p,t)=Post(p,t)\).

The set of *control transitions* for \(t_\imath\) is \( C_\imath= {^\bullet}P_\imath\setminus P_\imath^\bullet\) and \(C_\imath \subseteq T_c\). A directed path from a transition \(t \in C_\imath\) to \(t_\imath\) is called *control path*. Note that if \(t_\imath\in T_c\) then \(C_\imath=\{ t_\imath\}\).

In the case of MGs, given a constraint \(({\boldsymbol w},k)\), the problem is to control the firing of the single input transition of each place *p*_{i} ∈ *Q*_{w} in order to meet the constraint. We will denote as \(N_{I_i}=(P_{I_i},T_{I_i},Pre_{I_i},Post_{I_i})\) the control subnet of the input transition of *p*_{i} and as \(TCI_i= \{ t_{TCI_i}^1, ..., t_{TCI_i}^{m_i}\}\) the set of control transitions for ^{ ∙ }*p*_{i} (that we assume not empty). Notice that \(TCI_i \subseteq T_{I_i}\).

Figure 2b shows the control subnet of the input transition of place *p*_{1}, named \(N_{I_1}\); Fig. 2c shows the control subnet of the input transition of place *p*_{2}, named \(N_{I_2}\).

As shown in the previous section, if we force a GMEC on a live MG a *deadlock* may occur. So, it is important to be sure that the (unique) output transition of a place in *Q*_{w} may always be eventually fired. Thus, also the control subnet of an output transition \(t_{oi}=p_\imath{^\bullet}\) has to be introduced.

We will denote as \(N_{O_\imath}=(P_{O_\imath},T_{O_\imath},Pre_{O_\imath},Post_{O_\imath})\) the control subnet of the output transition of the place \(p_\imath\) and as \(TCO_\imath=\{ t_{TCO_\imath}^1...t_{TCO_\imath}^{q_\imath}\}\) the set of control transitions of \(p_\imath{^\bullet}\) (that we assume is not empty). Notice that \(TCO_i \subseteq T_{O_i}\). Note that if \(p_\imath{^\bullet}=p_\jmath{^\bullet}\) then \(N_{O_\imath}=N_{O_\jmath}\).

Consider again the net in Fig. 2a where the GMEC \({\boldsymbol m}(p_1) + {\boldsymbol m}(p_2) \leq 1\) has to be enforced. Figure 2d shows the control subnet of the output transition of place *p*_{1}, named \(N_{O_1}\); Fig. 2e shows the control subnet of the output transition of place *p*_{2}, named \(N_{O_2}\).

The concept of control subnet of the output transition of \(p_\imath\in Q_{w}\) is essential to characterize in a MG the reachability of a deadlock state when a GMEC has to be enforced. Consider the net system in Fig. 2a. While for the firing of transition *t*_{o2} only the marking of *p*_{2} is required, for the firing of *t*_{o1} two control paths have to be marked. The marking of place *p*_{2} is not required directly to enable *t*_{o1}, but it is required that it has been marked before. Such information is provided by the control subnet of *t*_{o1}. In Section 6 this control subnet will be used to obtain a control policy to enforce a GMEC and liveness on safe MG systems.

*p*_{i}. To obtain the control subnet of the input transition of place *p*_{i} it is only necessary to set \(t_i = {^\bullet}p_i\) at the beginning of the algorithm.

The algorithm first works on the incidence matrix of \(\hat{N_u}\), which is the subnet obtained from *N*_{u} removing *t*_{i}. Such a net is not strictly a MG, but each place has at most one input and one output transition. This implies that 1) two places connected along a directed path must belong to the support of a minimal P-semiflow having all components equal to one, and 2) the support of a P-semiflow can include all input places and no output place of *t*_{i}, since *t*_{i} has been removed.

The key idea of the algorithm is that, in order for a place to be connected to a transition *t* in a net structure, it is necessary that there exists a P-semiflow including this place and some input place of *t*. The algorithm starts by computing a subnet of *N*_{u} in which every place lies on at least one P-semiflow. In this subnet there is a set of places, denoted *P*′_{s}, which belong to minimal P-semiflows including input places of *t*, and another one, denoted \(\bar{P'}_s\), of places belonging to minimal P-semiflows not including such input places. The two sets are not disjoint. Places in *P*′_{s} which do not belong to minimal P-semiflows including input places of *t* must be removed from *N*_{u} to obtain the control subnet. If a place in *P*′_{s} belongs to a P-semiflow including input places of *t*, such a P-semiflow can be decomposed into a linear combination of minimal P-semiflows, and at least one of these minimal P-semiflows must include in its support places in \(\bar{P'}_s\). Then, places in \(P'_s \cap \bar{P'}_s\) cannot have a component equal to 1 in the P-semiflow. This fact is used in the algorithm to obtain the set of places of the control subnet of *t*.

Algorithm 1 only involves checking the feasibility of linear systems of equations, which has polynomial complexity. The number of checks can be at most |*P*_{u}| + |*P*′_{u}| + |*P*_{s} ∖ *P*′_{s}|, with |*P*_{u}| ≤ |*P*|, |*P*′_{u}| ≤ |*P*_{u}| and |*P*_{s} ∖ *P*′_{s}| ≤ |*P*′_{u}|, but in practice it is strictly less than 3 |*P*_{u}|.

### Remark 1

The control subnet of an output transition *t*_{oi} may include directed paths from a controllable transition to *t*_{oi} which do not contain constrained places. For example, consider the net in Fig. 2a and the GMEC \({\boldsymbol m}(p_1) \leq 1\). The control subnet of *t*_{o1} is the subnet in Fig. 2d, but the directed path from *t*_{4} to *t*_{o1} does not contain constrained places. For the control problem presented in this paper, it is not important whether these paths are marked or not. Thus, they can be removed, decreasing the complexity of the control subnet.

### 3.2 Control subnet and supervisory control

The dependency between the firing of an uncontrollable transition \(t_\imath\) and its control transitions can be computed without resorting to a reachability set computation, but only by evaluating the number of tokens along directed paths from the control transitions of \(t_\imath\) to \(t_\imath\), as shown in the next proposition.

Let \(\langle N, {\boldsymbol m} \rangle\) be a MG system and \(({\boldsymbol w},k)\) a GMEC. Let us denote as \(td({\boldsymbol m},t,t_\imath)\) the *token distance* between transition *t* and \(t_\imath\), i.e. the minimum token content among all possible paths from *t* to \(t_\imath\) under the marking \({\boldsymbol m}\); and as \(DB({\boldsymbol m},TCI_\imath,t_\imath)\) the *deviation bound* between \(t_\imath\) and \(TCI_\imath\), i.e., the maximum number of times \(t_\imath\) may fire without firing any transition in \(TCI_\imath\).

**Proposition 2**

*Let* \(\langle N, {\boldsymbol m}_0 \rangle\) *be a MG system and* \(({\boldsymbol w},k)\) *a GMEC. For each place* \(p_\imath\in Q_w\)*, let* \(t_\imath\) *be its input transition, and* \(TCI_\imath\) *the set of control transitions for* \(t_\imath\)*. We have that*

- (a) *given a marking* \({\boldsymbol m} \in R(N,{\boldsymbol m}_0)\)*,* \(DB({\boldsymbol m},TCI_\imath,t_\imath)= \min\{td({\boldsymbol m},t,t_\imath) \mid t \in TCI_\imath\}\)*.*
- (b) *the set of legal markings is* \({\cal M}_c({\boldsymbol w},k)= \{{\boldsymbol m} \in {{\mathbb N}}^{|P|} \mid {\boldsymbol w} \cdot({\boldsymbol m} + {\boldsymbol D}_{{\boldsymbol m}}) \leq k\}\)*, where* \({\boldsymbol D}_{{\boldsymbol m}}(p_\imath)=DB({\boldsymbol m},TCI_\imath,t_\imath)\) *if* \(p_\imath\in Q_{{\boldsymbol w}}\)*,* \({\boldsymbol D}_{{\boldsymbol m}}(p_\imath)= 0\) *otherwise.*

In Giua et al. (1993) the results of Proposition 2 were used to address the problem of enforcing a GMEC on MG systems. In this paper we want to extend this approach to the problem of enforcing a GMEC and closed-loop liveness on MG systems.
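The following added example (not code from the paper) works Definition 1 and Proposition 2 through on a constructed MG: it extracts the control subnet and control transitions of an uncontrollable synchronization transition, computes token distances as shortest paths whose cost is the token count of the places traversed, takes the deviation bound as the minimum over the control transitions, and applies the legality test \({\boldsymbol w} \cdot ({\boldsymbol m}+{\boldsymbol D}_{\boldsymbol m}) \leq k\). The net, its transition names and the markings tried are all constructed for the example.

```python
"""Control subnet (Definition 1), token distance, deviation bound and the
legal-marking test of Proposition 2, on a constructed MG. Added example;
the net is not the paper's Fig. 2."""
import heapq

# Constructed MG. The uncontrollable transition ti is a synchronization fed by
# two control paths: tc1 -> pa -> tu1 -> pb -> ti and tc2 -> pc -> ti.
# ti puts its token into the constrained place pi, which is emptied by to.
PRE = {"pa": {"tu1": 1}, "pb": {"ti": 1}, "pc": {"ti": 1},
       "pi": {"to": 1}, "pr1": {"tc1": 1}, "pr2": {"tc2": 1}}
POST = {"pa": {"tc1": 1}, "pb": {"tu1": 1}, "pc": {"tc2": 1},
        "pi": {"ti": 1}, "pr1": {"to": 1}, "pr2": {"to": 1}}
T_U = {"tu1", "ti"}   # uncontrollable transitions; tc1, tc2, to are controllable


def input_transitions(p, post):
    """Pre-set of a place: the transitions with an arc into p."""
    return [t for t, a in post[p].items() if a]


def output_transitions(p, pre):
    """Post-set of a place: the transitions with an arc out of p."""
    return [t for t, a in pre[p].items() if a]


def control_subnet_places(ti, pre, post, t_u):
    """P_i of Definition 1: places that reach ti through a directed path whose
    transitions are all uncontrollable, found by walking backwards from ti."""
    places, frontier = set(), [ti]
    while frontier:
        t = frontier.pop()
        for p in pre:
            if pre[p].get(t, 0) and p not in places:
                places.add(p)
                frontier.extend(u for u in input_transitions(p, post) if u in t_u)
    return places


def control_transitions(ti, pre, post, t_u):
    """C_i = (pre-set of P_i) minus (post-set of P_i); {ti} when ti is controllable."""
    if ti not in t_u:
        return {ti}
    p_i = control_subnet_places(ti, pre, post, t_u)
    ins = {t for p in p_i for t in input_transitions(p, post)}
    outs = {t for p in p_i for t in output_transitions(p, pre)}
    return ins - outs


def token_distance(m, t_from, t_to, pre, post):
    """td(m, t_from, t_to): minimum token content over all directed paths from
    t_from to t_to (Dijkstra over the net graph; a place costs m(p), a
    transition costs 0). Returns None when no path exists."""
    if t_from == t_to:
        return 0
    dist, heap = {("t", t_from): 0}, [(0, "t", t_from)]
    while heap:
        d, kind, node = heapq.heappop(heap)
        if d > dist[(kind, node)]:
            continue
        if kind == "t" and node == t_to:
            return d
        if kind == "t":   # transition -> its output places
            nexts = [(("p", p), m[p]) for p in post if post[p].get(node, 0)]
        else:             # place -> its output transitions
            nexts = [(("t", t), 0) for t in output_transitions(node, pre)]
        for nxt, cost in nexts:
            if d + cost < dist.get(nxt, float("inf")):
                dist[nxt] = d + cost
                heapq.heappush(heap, (d + cost, *nxt))
    return None


def deviation_bound(m, tci, ti, pre, post):
    """DB(m, TCI_i, ti) = min over t in TCI_i of td(m, t, ti) (Proposition 2a)."""
    return min(token_distance(m, t, ti, pre, post) for t in tci)


def is_legal(m, w, k, pre, post, t_u):
    """Proposition 2b: m is legal under control iff w . (m + D_m) <= k, where
    D_m(p) is the deviation bound of the input transition of each constrained p."""
    total = 0
    for p, wp in w.items():
        if wp == 0:
            continue
        ti = input_transitions(p, post)[0]          # MG: exactly one input transition
        tci = control_transitions(ti, pre, post, t_u)
        total += wp * (m[p] + deviation_bound(m, tci, ti, pre, post))
    return total <= k


if __name__ == "__main__":
    m = {"pa": 1, "pb": 1, "pc": 1, "pi": 0, "pr1": 0, "pr2": 0}
    print(control_transitions("ti", PRE, POST, T_U))
    print(deviation_bound(m, {"tc1", "tc2"}, "ti", PRE, POST))
    print(is_legal(m, {"pi": 1}, 1, PRE, POST, T_U))
```

With one token on each of pa, pb and pc, the path from tc1 carries two tokens and the one from tc2 one, so ti can fire once more without any control transition firing and the empty place pi is still legal under m(pi) ≤ 1; a second token on pc raises the bound to two and makes the same marking illegal.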

## 4 On the liveness of monitor controlled MG systems

Two new sufficient conditions are given that ensure (under some restrictions) that if a MG controlled by a monitor is live, the state equation of the system has no spurious deadlocks. This means that, given a closed-loop system that verifies the restrictions, if its state equation has a deadlock solution, then the system cannot be live. In the last part of this section it is shown how the problem of checking the absence of these solutions for the considered class of systems can be reduced to checking if a system of equations admits a solution (Recalde et al. 1998).

### 4.1 Two new sufficient conditions for the absence of spurious solutions for a monitor controlled MG system

A first result is based on the idea that, when a monitor having ordinary (non-weighted) output arcs is marked, at least one of its output transitions can be fired. This property, together with the persistency of MG systems (i.e., once a transition has been enabled, it cannot be disabled by the firing of another transition), allows one to conclude that no spurious deadlock can exist.

**Theorem 1**

*Let \(\langle N, {\boldsymbol m}_0 \rangle\) be a live MG system plus a monitor \(p_m\) associated to a GMEC, and such that for every \(t \in p_m{^\bullet}\), \({\bf Pre}(p_m,t) = 1\). If \(\langle N, {\boldsymbol m}_0 \rangle\) is live, the state equation has no spurious deadlock solution.*

### Proof

Assume a spurious deadlock \({\boldsymbol m}_d= {\boldsymbol m}_0 + {\boldsymbol C} \cdot {\boldsymbol \sigma}_d\) exists. Let *σ*_{0} be a sequence such that \({\boldsymbol m}_0 [ \sigma_0 >\), \({\boldsymbol \sigma}_0 \leq {\boldsymbol \sigma}_d\), and \(\not \exists \sigma_0^\prime\) s.t. \({\boldsymbol m}_0 [ \sigma_0^\prime >\), \({\boldsymbol \sigma}_0^\prime \leq {\boldsymbol \sigma}_d\) but \({\boldsymbol \sigma}_0 < {\boldsymbol \sigma}_0^\prime\). Let \({\boldsymbol m}_1= {\boldsymbol m}_0 + {\boldsymbol C} \cdot {\boldsymbol \sigma}_0\). The system is live, hence there is at least one transition *t* enabled in \({\boldsymbol m}_1\). Since this transition is not enabled in \({\boldsymbol m}_d\), and MGs are persistent, **Pre**(*p*_{m},*t*) > 0 and \({\boldsymbol m}_1(p_m) > 0\). Live MGs do not have spurious solutions, hence from the MG point of view there is a fireable sequence that corresponds to \({\boldsymbol \sigma}_d-{\boldsymbol \sigma}_0\). Let *t*^{′} be the first transition of this sequence. Since \({\boldsymbol m}_1(p_m)>0\), this transition cannot violate the precondition associated to the monitor, i.e., *t*^{′} is fireable. Contradiction. □

A second result is derived by assuming that a place belonging to the control subnet of the output transition of a constrained place cannot disable transitions of the control subnets of the output transitions of other constrained places. This result does not require that the monitor has ordinary arcs.

**Theorem 2**

*Let \(\langle N, {\boldsymbol m}_0 \rangle\) be a live MG plus a monitor associated to a GMEC and such that*

- 1) *for every \(p_\imath \in Q_w\) the only output transition of its control output subnet \(N_{O_\imath}\) is \(t_{oi}\), i.e. \((T_{O_\imath}\setminus t_{oi}){^\bullet} \subset P_{O_\imath}\), and*
- 2) *the output transition of a place \(p_\imath\in Q_w\) is not a control transition for a place \(p_\jmath \in Q_w\), i.e. if \(p_\imath, p_\jmath \in Q_w\) then \(t_{oi} \not \in TCI_\jmath\).*

*If \(\langle N, {\boldsymbol m}_0 \rangle\) is live, the state equation has no spurious deadlock solution.*

### Proof

Let *p*_{m} be the monitor of the system and \({\boldsymbol w} \cdot {\boldsymbol m} \leq k\) the GMEC. Assume a spurious deadlock \({\boldsymbol m}_d = {\boldsymbol m}_0+ {\boldsymbol C} \cdot {\boldsymbol \sigma}_d\) exists. We will see that this marking can be effectively reached from \({\boldsymbol m}_0\), which contradicts the liveness of the system. This will be done in three steps:

- 1) Reach a marking in which all the *k* tokens are in the monitor place *p*_{m}. To do this, for each control subnet \(N_{O_\imath}\) fire the shortest sequence that contains all possible firings of the output transitions *t*_{oi} without firing controllable transitions, and denote such a sequence as *σ*_{0}. Let \({\boldsymbol m}_1 = {\boldsymbol m}_0 + {\boldsymbol C} \cdot {\boldsymbol \sigma}_0\). By hypothesis, an output transition cannot belong to any \(TCI_\imath\), hence this sequence does not mark any other control subnet, i.e., \({\boldsymbol m}_1(p_m)=k\). Observe that this firing vector can be decomposed into two parts: the transitions in \({\boldsymbol \sigma}_{d}\) and the rest. That is, \({\boldsymbol \sigma}_0={\boldsymbol \sigma}_{d0}+{\boldsymbol \sigma}_{x0}\), with \({\boldsymbol \sigma}_{d0} \leq {\boldsymbol \sigma}_0\) and \({\boldsymbol \sigma}_{d0} \leq {\boldsymbol \sigma}_d\) and \(\not \exists {\boldsymbol \sigma}_{d0}^\prime\) s.t. \({\boldsymbol \sigma}_{d0}^\prime \leq {\boldsymbol \sigma}_0\) and \({\boldsymbol \sigma}_{d0}^\prime \leq {\boldsymbol \sigma}_d\) but \({\boldsymbol \sigma}_{d0} < {\boldsymbol \sigma}_{d0}^\prime\).
- 2) Let \({\boldsymbol x} \geq {\boldsymbol \sigma}_{x0}\) be a T-semiflow. It is clear that \({\boldsymbol m}_{d}={\boldsymbol m}_0 + {\boldsymbol C} \cdot ({\boldsymbol \sigma}_{d}+ {\boldsymbol x})={\boldsymbol m}_1+ {\boldsymbol C} \cdot({\boldsymbol \sigma}_{d}+ {\boldsymbol x}-{\boldsymbol \sigma}_0)\). Consider the support of the firing count vector \({\boldsymbol \sigma}_{d} + {\boldsymbol x} - {\boldsymbol \sigma}_0\). Denote by *S* the set of indexes of the control subnets whose transitions are completely included in \(\parallel {\boldsymbol \sigma}_{d} + {\boldsymbol x} - {\boldsymbol \sigma}_0 \parallel\), i.e. if *O*_{i} ∈ *S* then \(T_{O_i} \subseteq \parallel {\boldsymbol \sigma}_{d} + {\boldsymbol x} - {\boldsymbol \sigma}_0 \parallel\). Divide \({\boldsymbol \sigma}_{d} + {\boldsymbol x} - {\boldsymbol \sigma}_0\) into two parts: (1) a part \({\boldsymbol \sigma}_{1}\) whose support includes the transitions not belonging to any control subnet and the “complete” sets of transitions of the control subnets \(N_{O_\imath}\), i.e. \(\parallel {\boldsymbol \sigma}_1 \parallel = (T \setminus \cup_i T_{O_i}) \cup (\cup_{O_i \in S} T_{O_i})\), such that all transitions in a given control subnet have the same value in \({\boldsymbol \sigma}_{1}\); (2) another part \({\boldsymbol \sigma}_2=({\boldsymbol \sigma}_{d} + {\boldsymbol x} - {\boldsymbol \sigma}_0) - {\boldsymbol \sigma}_1\). Notice that \({\boldsymbol \sigma}_0\) may not include all transitions of a certain control subnet: this depends on the initial marking. However, with a proper choice of the T-semiflow \({\boldsymbol x}\), it is possible to ensure that all the transitions of a given control subnet have in \({\boldsymbol \sigma}_{d} + {\boldsymbol x} - {\boldsymbol \sigma}_0\) a component greater than or equal to that of the respective output transition. Thus, all the output transitions of the control subnets belong only to the support of \({\boldsymbol \sigma}_1\). We will see that \({\boldsymbol \sigma}_1\) corresponds to a fireable sequence. Let \({\boldsymbol m}_2 = {\boldsymbol m}_1 + {\boldsymbol C} \cdot {\boldsymbol \sigma}_1\). First, we will see that \({\boldsymbol m}_2 \geq {\boldsymbol 0}\). For the monitor *p*_{m} and the places in control subnets, *p*^{′}, \({\boldsymbol \sigma}_1\) corresponds to a T-semiflow, hence \({\boldsymbol m}_2(p_m) = {\boldsymbol m}_1(p_m) \geq 0\) and \({\boldsymbol m}_2(p^\prime) = {\boldsymbol m}_1(p^\prime) \geq 0\). For the places not belonging to any control subnet, *p*′′, \({\boldsymbol m}_2(p'')={\boldsymbol m}_d(p'') - {\boldsymbol C}(p'',\cdot) \cdot {\boldsymbol \sigma}_2\), and since \({\boldsymbol \sigma}_2\) does not contain any output transition *t*_{oi}, \({\boldsymbol m}_2(p'')={\boldsymbol m}_d(p'')+ {\bf Pre}(p'',\cdot) \cdot {\boldsymbol \sigma}_2\geq 0\). Therefore, since live MGs do not have spurious solutions of the state equation, \({\boldsymbol \sigma}_{1}\) corresponds to a fireable sequence in the MG. Order the transitions of \({\boldsymbol \sigma}_{1}\) in such a way that: (1) the sequence is fireable in the MG and (2) all the transitions in a given \(N_{O_\imath}\) are put together, i.e., no input transition of another subnet \(N_{O_\jmath}\) is fired until the output transition *t*_{oi} has been fired. It is clear that this corresponds to a fireable sequence.
- 3) Finally, we must prove that \({\boldsymbol \sigma}_2\) is fireable. Since \({\boldsymbol m}_d={\boldsymbol m}_2 +{\boldsymbol C} \cdot {\boldsymbol \sigma}_2 \geq {\boldsymbol 0}\), the only problem may be due to the monitor. In \({\boldsymbol \sigma}_2\) there is no output transition of the control subnets, therefore \({\boldsymbol m}_{2}(p_m)={\boldsymbol m}_d(p_m)- {\boldsymbol C}(p_m,\cdot) \cdot {\boldsymbol \sigma}_2= {\boldsymbol m}_d(p_m)+ {\bf Pre}(p_m,\cdot) \cdot {\boldsymbol \sigma}_2\geq {\bf Pre}(p_m,\cdot) \cdot {\boldsymbol \sigma}_{2}\). □

In the net shown in the figure, *p*_{m} has output arcs with weight greater than 1 and \(N_{O_1}\) has two output transitions, (*t*_{1}, *t*_{o1}). The monitor place *p*_{m} enforces the GMEC \({\boldsymbol m}(p_1) +{\boldsymbol m}(p_2) +{\boldsymbol m}(p_3) + {\boldsymbol m}(p_4) + {\boldsymbol m}(p_5) + {\boldsymbol m}(p_6) \leq 2\). Although the closed-loop system is live, its state equation has a spurious deadlock solution. It can be seen that by firing *t*_{2} *t*_{o2} *t*_{3} a spurious deadlock solution is obtained. Spurious deadlock solutions may also be found if more than one monitor is added.

### 4.2 How to prove liveness of a monitor controlled MG

In strongly connected MG systems deadlock-freeness implies liveness. This is still true when a controller is added to such systems, so in the following the study of liveness is reduced to that of deadlock-freeness. Deadlock-freeness can be checked by verifying that the system of equations formed by the state equation and a set of equations representing deadlock states has no solution (see Recalde et al. 1998 for further details). If the state equation has no spurious solutions, the absence of a solution of that system guarantees the liveness of the system.

Since checking whether a system of linear equations admits a solution has polynomial complexity (Schrijver 2003), the results presented in this section can be used to check in polynomial time whether a monitor controlled MG is live.

## 5 On the liveness of bounded MG systems with a GMEC control specification

In this section the problem of checking the closed-loop liveness of a live and bounded MG system in the presence of a control policy enforcing a GMEC is considered. No hypothesis is made on the control technique: the controller need not be a monitor. A sufficient condition based on the closed-loop liveness of proper subnets computed from the constrained places is presented. In this way the problem is decomposed and may turn out to be simpler. This result is used in Section 6, but it has general validity.

The control subnets are assumed to be independent. This assumption is described in the following.

### Assumption 1

The control subnets of output transitions of constrained places are *independent*. We say that two control subnets \(N_{O_\imath}\), \(N_{O_\jmath}\), \(\imath\neq j\) defined w.r.t. a constraint \(({\boldsymbol w},k)\) are independent iff \(\forall {\boldsymbol y} \geq {\boldsymbol 0}\) such that \({\boldsymbol y}\) is a minimal P-semiflow, if \([ P_{O_\imath}^{\bullet} \cap T_{{\boldsymbol y}} \neq \emptyset \bigwedge P_{O_\jmath}^{\bullet} \cap T_{{\boldsymbol y}} \neq \emptyset ]\) then \( [ N_{O_\imath}\subset N_{O_\jmath} \bigvee N_{O_\jmath} \subset N_{O_\imath}]\), where \(T_{{\boldsymbol y}}=\{t \in T | t \in p^{\bullet}, \, p \in \parallel {\boldsymbol y} \parallel \}\) . In words, two control subnets cannot have transitions that belong to the same P-invariant subnet, except when one is contained in the other.

Notice that, in the net of the figure, *t*_{4} and *t*_{7} belong to the subnet induced by the P-semiflow \({\boldsymbol y}=[ 0 \ 1 \ 0 \ 1 \ 0 \ 1 \ 0 \ 0 \ 1 \ 0]\), and that any place *p* ∈ ^{ ∙ }*t*_{4} is in mutual exclusion with *p*_{4}, since the net also admits the P-semiflows \({\boldsymbol y}'=[ 1 \ 0 \ 0 \ 1 \ 0 \ 1 \ 0 \ 1 \ 0 \ 0]\) and \({\boldsymbol y}''=[ 0 \ 0 \ 1 \ 1 \ 0 \ 1 \ 0 \ 0 \ 0 \ 1]\). This makes our control problem more difficult. If we enable the firing of *t*_{6}, a deadlock occurs, since it is no longer possible to enable *t*_{4} while respecting the GMEC.

The computational complexity of checking Assumption 1 is practically equal to the complexity of computing the P-semiflows of a control subnet (Martinez and Silva 1982), whose number is in the worst case equal to \(\binom{p}{\lfloor p/2 \rfloor}\), where *p* is the number of places of a control subnet and thus *p* < *n*.

Assumption 1 makes the presentation of the results in the rest of the paper clearer, but it is not essential. It can be removed by taking into account the additional GMECs induced by the P-semiflows having constrained places in their support.

**Definition 2**

Let *N* be a *k*-bounded MG on which a GMEC has to be imposed. The *controlled subnet* is defined as the union of all the control subnets \(N_{O_\imath}\) plus:

- a) an input place for each transition in \(TCO_\imath\);
- b) a new output place for each transition *t*_{oi};
- c) an extra transition having an output arc to all the input places of each control subnet – the places added as in a) – and an input arc from all the output places of each control subnet – the places added as in b).

The input places are marked in such a way that there are *k* tokens in each cycle.

**Theorem 3**

*Let \(\langle N,{\boldsymbol m}_0 \rangle\) be a live and bounded MG on which a GMEC has to be imposed. If the control is set in such a way that:*

- *all the control subnets are independent;*
- *the controlled subnet plus the control is live;*

*then the complete system with the control is live.*

### Proof

For the net subclass considered, only deadlock-freeness has to be proved. Assume a deadlock can be reached, i.e., there exists a fireable sequence *σ*_{d}, \({\boldsymbol m}_0 [ \sigma_d > {\boldsymbol m}_d\), such that \({\boldsymbol m}_d\) is a deadlock.

Consider the projection of *σ*_{d} on the transitions of the controlled subnet. Clearly this is a fireable sequence and, since this subnet is live under the control, a transition *t* is enabled in \({\boldsymbol m}_d\). This transition cannot be fired in the complete net. Hence, since all control subnets are independent, there exists a place *p* ∈ ^{ ∙ }*t*, not belonging to the controlled subnet, that is not marked in \({\boldsymbol m}_d\). Observe that *t* is in the “interface” of the control subnet, hence it is a controlled transition, and there exists a directed path from *t* to a constrained place. Let *t*^{′} = ^{ ∙ }*p*; since *t*^{′} cannot be fired either, and by Assumption 1 it cannot be controlled, there exists *p*′ ∈ ^{ ∙ }*t*′ which is unmarked. Repeating this reasoning, an unmarked cycle of *N* can be found. Contradiction, since \(\langle N,{\boldsymbol m}_0 \rangle\) is live. □
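The proof closes by exhibiting a token-free circuit, which cannot exist in a live MG: an MG is live iff every directed circuit carries at least one token, and a live MG is safe iff every place lies on a directed circuit with exactly one token (Murata 1989). As an added example, not code from the paper, the Python block below implements these two structural checks, together with the strong-connectedness check under which Section 4.2 identifies deadlock-freeness with liveness, on a small constructed MG. The net and the three markings are constructed for the illustration.

```python
# Constructed marked graph (MG), not from the paper: place -> (input transition,
# output transition).  Places are the arcs between transitions, so the directed
# circuits of the net are the directed circuits of this graph.
PLACES = {
    "a": ("t1", "t2"),
    "b": ("t2", "t3"),
    "c": ("t3", "t1"),
    "d": ("t1", "t4"),
    "e": ("t4", "t3"),
}
# The net has two circuits, (a, b, c) and (d, e, c); constructed markings:
M_LIVE_SAFE = {"a": 1, "b": 0, "c": 0, "d": 0, "e": 1}  # one token per circuit
M_DEAD = {"a": 1, "b": 0, "c": 0, "d": 0, "e": 0}       # circuit (d, e, c) is empty
M_UNSAFE = {"a": 1, "b": 1, "c": 0, "d": 0, "e": 1}     # place a only lies on a 2-token circuit


def transitions(places):
    return sorted({t for src, dst in places.values() for t in (src, dst)})


def directed_circuits(places):
    """All simple directed circuits, each as a tuple of place names.
    Every circuit is generated exactly once, from its smallest transition."""
    order = {t: i for i, t in enumerate(transitions(places))}
    circuits = []

    def extend(start, node, path, visited):
        for p, (src, dst) in places.items():
            if src != node:
                continue
            if dst == start:
                circuits.append(tuple(path + [p]))
            elif dst not in visited and order[dst] > order[start]:
                extend(start, dst, path + [p], visited | {dst})

    for start in order:
        extend(start, start, [], {start})
    return circuits


def unmarked_circuit(places, m):
    """First token-free directed circuit under m, or None if all are marked."""
    for circuit in directed_circuits(places):
        if sum(m[p] for p in circuit) == 0:
            return circuit
    return None


def is_live(places, m):
    """An MG is live iff every directed circuit carries at least one token;
    the token count of a circuit is invariant under firing (Murata 1989)."""
    return unmarked_circuit(places, m) is None


def is_safe(places, m):
    """A live MG is safe iff every place lies on a directed circuit carrying
    exactly one token (Murata 1989)."""
    if not is_live(places, m):
        return False
    circuits = directed_circuits(places)
    return all(
        any(p in c and sum(m[q] for q in c) == 1 for c in circuits)
        for p in places
    )


def is_strongly_connected(places):
    """Every transition reaches every other transition: the setting in which
    deadlock-freeness of an MG implies its liveness (Section 4.2)."""
    ts = transitions(places)
    succ = {t: [dst for src, dst in places.values() if src == t] for t in ts}
    for start in ts:
        seen, stack = {start}, [start]
        while stack:
            for nxt in succ[stack.pop()]:
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        if len(seen) != len(ts):
            return False
    return True
```

The circuit enumeration is exponential in general (the number of circuits can be), which is acceptable for the small control subnets the decomposition of Theorem 3 produces; for the full plant the invariance of circuit token counts means the checks need to be run only once, on the initial marking.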

## 6 A controller to enforce GMEC and closed loop liveness on live and safe MG

The results presented in Section 4 allow a trial-and-error synthesis method for enforcing a GMEC and closed-loop liveness. Now, a direct synthesis method is presented under some restrictions; in particular, the MG must be safe. In a live and safe MG system a constrained place can be marked, firing only uncontrollable transitions, if and only if all its control paths are marked. Nevertheless, it is not necessary to record which of the controllable transitions that control such paths have been fired: it is sufficient to check how many of them have been fired. This implies that the reachability of a forbidden state can be characterized in terms of the number of control paths of the places constrained by the GMEC that are marked under a certain marking. Here we extend this property to the reachability of a deadlock state introduced on such systems by a GMEC.

In order to enable a transition all its input places have to be marked. In presence of a GMEC, the marking of some of these places may be constrained. A maximally permissive policy has to disable a controllable transition if and only if it will lead to a marking under which no transition can be fired if the GMEC is fulfilled. Our aim is to characterize the reachability of such states in terms of the number of marked control paths of constrained places having common output transitions. As it has been mentioned in Section 4, closed-loop liveness is obtained by proving that a live and safe MG under the proposed control policy is deadlock-free (showing that tokens can be always removed from all the constrained places).

### Assumption 2

Let \(p_\imath\) and \(p_\jmath\) be a couple of constrained places such that \(TCI_\imath\cap TCI_\jmath\neq \emptyset\): 1) \(|TCI_\imath|=|TCI_\jmath|=1\); 2) \(p_\imath\) and \(p_\jmath\) cannot be marked simultaneously.

**Lemma 1**

*If the plant net is a live and safe MG and Assumption 2 holds, there exists a control path including all the constrained places controlled by the same transition.*

### Proof

In a live and safe MG any place belongs to the support of a minimal P-semiflow (Murata 1989). If two places cannot be marked simultaneously, i.e. they are in mutual exclusion, they belong to the same P-semiflow support and, then, they both belong to a directed circuit (Murata 1989), and are therefore connected by a directed path. □

Assumption 2 allows us to consider on an equal footing the firing of any transition in \(TCI_\imath\) w.r.t. the GMEC. Moreover, if \(|TCI_\imath|=1\) we know that, firing the unique control transition of both constrained places, the related control path would be marked. Consider the net system in Fig. 4b, and the GMEC \({\boldsymbol m}(p_1)+{\boldsymbol m}(p_2)+{\boldsymbol m}(p_3) \leq 2\). By definition *TCI*_{1} = {*t*_{1}}, *TCI*_{2} = {*t*_{1}, *t*_{2}}, *TCI*_{3} = {*t*_{3}}, and thus *t*_{1} is a control transition for the input transitions of two constrained places. As a consequence, the firings of *t*_{1} and *t*_{2} cannot be considered on an equal footing, because the firing of *t*_{1} will mark a constrained place anyway, but this is not true for *t*_{2}. In order to know whether a constrained place can be marked by firing a transition in *TCI*_{2}, it is not enough to know that one of the two control paths will be marked: it is also necessary to know which one of them.

Places *p*_{5} and *p*_{6} cannot both be constrained, since *TCI*_{5} = *TCI*_{6} = {*t*_{6}} and, if *t*_{6} fires, they would be simultaneously marked.

Assumption 2 is a technical assumption that makes it possible to know the maximum value that a GMEC can assume by firing uncontrollable transitions simply by evaluating some counter variables that are introduced afterwards. From a practical point of view, this is not a strong limitation, since it is not usual to control several constrained places that can be simultaneously marked with the same control input. This assumption is not needed if all controllable transitions control only one constrained place.

The computational complexity of checking Assumption 2 is in practice equivalent to that of obtaining the control subnets of the constrained places, since it consists in checking whether the intersections of the sets *TCI*_{i} are empty or not.

### 6.1 Definitions of counter variables \(C_{I_i}\), \(C_{O_i}\), of vectors \({\boldsymbol w}_i^-\) and \({\boldsymbol w}_i^+\) and of function \({\boldsymbol f}\)

In the following the counter variables \(C_{I_i}\), \(C_{O_i}\), the vectors \({\boldsymbol w}_i^-\) and \({\boldsymbol w}_i^+\) and the function \({\boldsymbol f}\) associated to a control subnet are introduced. They are useful for the presentation of the control policy in the next subsection.

In order to enable a controllable transition only if the GMEC is not violated, it must be checked whether its firing makes it possible for a constrained place \(p_\imath\in Q_{w}\) to be marked by firing only uncontrollable transitions. In other words, it must be checked whether the input transition of \(p_\imath\), named \(t_\imath\), can be fired. We say that a transition \(t_{{TCI}_\imath}^r\) is *constrained* under a given marking \({\boldsymbol m}\) if all the paths from \(t_{{TCI}_\imath}^r\) to \(t_\imath\) along single-token circuits are not marked; otherwise it is *unconstrained*. Note that if a transition \(t_{{TCI}_\imath}^r\) fires, all the paths from \(t_{{TCI}_\imath}^r\) to \(t_\imath\) become marked.

**Definition 3**

The counter variable \(C_{I_\imath}\) associated with a constrained place \(p_\imath\) is defined as follows:

- the firing of a transition \(t_{{TCI}_\imath}^r\) increments the value of \(C_{I_\imath}\) by one unit; notice that \(t_{{TCI}_\imath}^r\) cannot fire twice without firing \(t_\imath\);
- the firing of the output transition *t*_{oi} decrements the value of \(C_{I_\imath}\) by \(m_\imath\) units, where \(m_\imath=|TCI_\imath|\);
- the firing of a transition \(t_{{TCI}_\jmath}^r\), \(j \neq \imath\), does not change the value of \(C_{I_\imath}\);
- the initial value \(C_{I_\imath}({\boldsymbol m}_0)\) is equal to the number of unconstrained transitions in the set \(TCI_\imath\) under the initial marking.

From Eq. 4 we have that a place \(p_\imath\in Q_w\) can be marked by firing only uncontrollable transitions iff \(C_{I_\imath}({\boldsymbol m})=m_\imath\). Notice that, if \(|TCI_\imath|=1\), \(C_{I_\imath}\) is not useful, since the firing of the unique controllable transition implies that \(p_\imath\) will be marked by firing only uncontrollable transitions.

Consider the net in Fig. 5 – apart from dotted arcs and places – and the GMEC \({\boldsymbol m}(p_1) + 2 {\boldsymbol m}(p_2) + 2 {\boldsymbol m}(p_3) + 2 {\boldsymbol m}(p_6) + {\boldsymbol m}(p_7) + {\boldsymbol m}(p_{13}) + {\boldsymbol m}(p_{14}) + 2 {\boldsymbol m}(p_{15}) \leq 4\). As for the control subnets of the input transitions of places *p* ∈ *Q*_{w} we have that *TCI*_{1} = *TCI*_{3} = *TCI*_{6} = { *t*_{6} }, *TCI*_{2} = *TCI*_{7} = { *t*_{7} }, *TCI*_{13} = { *t*_{12} }, *TCI*_{14} = { *t*_{13}, *t*_{14} }, *TCI*_{15} = { *t*_{11} }. Under the marking in the figure \(C_{I_{14}}=1\), since *t*_{13} is unconstrained and *t*_{14} is constrained. Thus, being \(C_{I_{14}} < m_{14}=2\), *p*_{14} will not be marked by firing only uncontrollable transitions.

To evaluate the weighted sum of places in the GMEC that can be marked firing uncontrollable transitions in a control subnet \(N_{O_\imath}\) we define the vector \({\boldsymbol w}_\imath^-(p)\).

**Definition 4**

- 1) If a place *p* belongs to a directed path from a transition \(t \in TCO_{\imath}\) to *t*_{oi} and more than one constrained place is controlled by *t*, choose a control path named \(\bar{\pi}\) to which every constrained place controlled by *t* belongs (Assumption 2 ensures the existence of such a path). If \(p \in \bar{\pi}\), let \(\bar{\pi}'\) be the directed sub-path of \(\bar{\pi}\) from *p* to *t*_{oi}; then \({\boldsymbol w}_\imath(p)^-=\max_{p_\jmath \in \bar{\pi}'}{\boldsymbol w}(p_\jmath)\). If \(p \not \in \bar{\pi}\), \({\boldsymbol w}_\imath(p)^-=0\). Note that the choice of the control path \(\bar{\pi}\) is arbitrary, but the same control path has to be used for all places *p* which belong to a directed path from a transition \(t \in TCO_{\imath}\) to *t*_{oi}.
- 2) If a place *p* belongs to a directed path from a transition \(t \in TCO_{\imath}\) to *t*_{oi} and only the constrained place \(p_\jmath\) is controlled by *t*:
  - if *p* belongs to one of the directed paths from *t* to \(p_\jmath\), then \({\boldsymbol w}_\imath(p)^-=\frac{l}{l_\jmath} {\boldsymbol w}(p_\jmath)\), where *l* is the number of directed paths from transitions in the set \(TCO_\imath\) to *t*_{oi} to which *p* belongs, and \(l_\jmath\) is the total number of paths from any transition in the set \(TCO_{\imath}\) to \(p_\jmath\);
  - otherwise, \({\boldsymbol w}_\imath(p)^-=0\).
- 3) If a place *p* does not belong to a directed path from a transition \(t \in TCO_{\imath}\) to *t*_{oi}, \({\boldsymbol w}_\imath(p)^-=0\).

Consider again the net in Fig. 5 – apart from dotted arcs and places – and the GMEC \({\boldsymbol m}(p_1) + 2 {\boldsymbol m}(p_2) + 2 {\boldsymbol m}(p_3) + 2 {\boldsymbol m}(p_6) + {\boldsymbol m}(p_7) + {\boldsymbol m}(p_{13}) + {\boldsymbol m}(p_{14}) + 2 {\boldsymbol m}(p_{15}) \leq 4\). As for the control subnets of the output transitions of places *p* ∈ *Q*_{w} we obtain *TCO*_{3} = *TCO*_{6} = { *t*_{6} }, *TCO*_{1} = *TCO*_{2} = { *t*_{6}, *t*_{7}}, *TCO*_{7} = { *t*_{7} }, *TCO*_{13} = *TCO*_{14} = { *t*_{11}, *t*_{12}, *t*_{13}, *t*_{14}}, *TCO*_{15} = { *t*_{11} }.

Let *TCO*_{o1} = *TCO*_{1} = *TCO*_{2} and *TCO*_{o2} = *TCO*_{13} = *TCO*_{14}. For example, we have \({\boldsymbol w}_{o2}^-(p_{17})=1/2\), since *p*_{17} belongs to *l* = 1 paths from *t*_{13} or *t*_{14} to *t*_{o2}, *p*_{14} is the only constrained place controlled by *t*_{13} or *t*_{14}, and there are *l*_{14} = 2 paths from *t*_{13} or *t*_{14} to *p*_{14}. The term \(\frac{l}{l_{14}}\) takes into account that a token in place *p*_{17} means that only *l* of the *l*_{14} control paths of *p*_{14} are marked.

Since the transition *t*_{6} ∈ *TCO*_{o1} controls more than one constrained place, a control path including all such constrained places, named \(\bar{\pi}_6\), has to be defined. Let it be \(\bar{\pi}_6=t_6 p_8 t_4 p_6 t_3 p_3 t_1 p_1 t_{o1} \). Thus, for example, \({\boldsymbol w}_\imath(p_8)^-=\max_{p_\jmath \in \bar{\pi}'_6}{\boldsymbol w}(p_\jmath)=2\), where \(\bar{\pi}'_6=p_8 t_4 p_6 t_3 p_3 t_1 p_1 t_{o1}\), and \({\boldsymbol w}_\imath(p_9)^-=0\), since *p*_{9} does not belong to \(\bar{\pi}_6\).

Note that, if all the places in a control subnet belong to a directed path from a transition \(t \in T_{O_\imath}\) to *t*_{oi} which controls more than one constrained place, by Assumption 2 there must exist an index *j* such that \(t \in TCI_\jmath\) and \(|TCI_\jmath|=1\). In this case, since all control paths are marked when *t* fires, \(\sum_{p \in P_{O_\imath}} {\boldsymbol w}_\imath(p)^- {\boldsymbol m}(p)\) is the maximum value that can be reached by the weighted sum of the constrained places that can be marked in the control subnet \(N_{O_\imath}\) by firing only uncontrollable transitions. This is not true when a place belongs to a directed path from a transition \(t \in T_{O_\imath}\) to *t*_{oi} which controls only one constrained place, since in this case \({\boldsymbol w}^-(p)\) may be rational and not all the control paths of a constrained place in the subnet \( N_{O_\imath}\) can be marked at a time. This motivates the introduction of a binary function \({\boldsymbol f}\) which is true when all the control paths of a constrained place in the subnet \( N_{O_\imath}\) are marked.

**Definition 5**

Let us define a binary function \({\boldsymbol f}: (P,{\boldsymbol m}) \rightarrow \{ 0,1 \}\) as follows:

\({\boldsymbol f}(p,{\boldsymbol m})=1\) if there exists an index *k* such that \(p \in P_{I_k}\) and \(C_{I_k}({\boldsymbol m})=m_k\) (note that, by definition, \( \forall t \in TCO_{\imath}, \, \exists k \mbox{ s.t. } t \in TCI_k\)); otherwise \({\boldsymbol f}(p,{\boldsymbol m})=0\).

In words, \({\boldsymbol f}(p,{\boldsymbol m})=1\) iff all control paths of the constrained places to which *p* is connected are marked.

**Lemma 2**

*Let \(R_u(N,{\boldsymbol m})\) be the set of markings reachable from \({\boldsymbol m}\) by firing only uncontrollable transitions. Then \(\max_ { {\boldsymbol m}' \in R_u(N,{\boldsymbol m})} \sum_{p \in P_{O_\imath}} {\boldsymbol w}(p) {\boldsymbol m}'(p)=\sum_{p \in P_{O_\imath}} {\boldsymbol w}_\imath(p)^- {\boldsymbol m}(p) {\boldsymbol f}(p,{\boldsymbol m})\). Furthermore, \(\sum_{p \in P_{O_\imath}} {\boldsymbol w}_\imath(p)^- {\boldsymbol m}(p) {\boldsymbol f}(p,{\boldsymbol m})\) is always a non-negative integer.*

### Proof

The proof follows from the fact that in a live and safe MG system a constrained place can be marked, firing only uncontrollable transitions, iff all its control paths are marked.□

For the net in Fig. 5, we have that \(P_{O_{o2}}=\{ p_{11}, \dots, p_{18} \}\), and under the marking in the figure \({\boldsymbol f}(p,{\boldsymbol m})=0, \forall p\). Note that \(\sum_{p \in P_{O_2}} {\boldsymbol w}_1(p)^- {\boldsymbol m}(p) {\boldsymbol f}(p,{\boldsymbol m})=0\), consistently with the fact that there is no constrained place in the subnet \(N_{O_{o2}}\) that can be uncontrollably marked, whereas \(\sum_{p \in P_{O_2}} {\boldsymbol w}_1(p)^- {\boldsymbol m}(p) =1/2\).

Although *t*_{o11} has only one constrained input place, *p*_{11}, its control subnet also contains the places *p*_{7}, *p*_{9}, *p*_{10}, and *p*_{12}, whose marking is a precondition to enable *t*_{o11}. Even if these places are not constrained places, their marking requires that the constrained places *p*_{4} and *p*_{6} have been marked. To take this into account, we introduce the vector \({\boldsymbol w}_\imath(p)^+\), defined as follows.

**Definition 6**

- 1) If a place *p* belongs to a directed path from a transition \(t \in TCO_{\imath}\) to *t*_{oi} and more than one constrained place is controlled by *t*, choose a control path named \(\bar{\pi}\) to which every constrained place controlled by *t* belongs (Assumption 2 ensures the existence of such a path). If \(p \in \bar{\pi}\), let \(\bar{\pi}'\) be the directed sub-path of \(\bar{\pi}\) from *t* to *p*, and let *Π*(*p*,*t*_{oi}) be the set of all directed paths from *p* to *t*_{oi}; then \({\boldsymbol w}_\imath(p)^+=\max \left (\max_{p_\jmath \in \bar{\pi}'}{\boldsymbol w}(p_\jmath)- \max_{ \pi \in \Pi(p,t_{oi} )} \max_{p_\jmath \in \pi} {\boldsymbol w}(p_\jmath) , \; 0 \right)\). If \(p \not \in \bar{\pi}\), then \({\boldsymbol w}_\imath(p)^+=0\). Note that the choice of the control path \(\bar{\pi}\) is arbitrary, but the same control path has to be used for all places *p* which belong to a directed path from a transition \(t \in TCO_\imath\) to *t*_{oi}.
- 2) If a place *p* belongs to a directed path from a transition \(t \in TCO_\imath\) to *t*_{oi} and \(p_\jmath\) is the only constrained place controlled by *t*:
  - if along any control path controlled by *t* the place *p* is not preceded by \(p_\jmath\), then \({\boldsymbol w}_\imath^+(p)=0\);
  - if along such paths *p* is preceded by \(p_\jmath\), then \({\boldsymbol w}_\imath^+(p)=\frac{r_\jmath}{r}{\boldsymbol w}(p_\jmath)\), where \(r_\jmath\) is the number of directed paths in \(N_{O_\imath}\) from \(p_\jmath\) to *p*, and *r* is the number of directed paths in \(N_{O_\imath}\) from \(p_\jmath \) to *t*_{oi}.
- 3) If a place *p* does not belong to a directed path from a transition \(t \in TCO_{\imath}\) to *t*_{oi}, \({\boldsymbol w}_\imath^+(p)=0\).

For the net in Fig. 6a and the GMEC \({\boldsymbol m}(p_4) + {\boldsymbol m}(p_6) + {\boldsymbol m}(p_{11}) \leq 1\) we have: \({\boldsymbol w}_{o11}^+(p_7)=1\) since *p*_{7} is preceded by \(p_4 \in Q_{{\boldsymbol w}}\) only along the control path *t*_{1}*p*_{4}*t*_{4}*p*_{7}*t*_{7}*p*_{10}*t*_{o11} and there is only one directed path from *p*_{4} to *p*_{7} and only one directed path from *p*_{4} to *t*_{o1}; \({\boldsymbol w}_{o11}^+(p_8)=0\) since *p*_{8} is not preceded by a place \(p \in Q_{{\boldsymbol w}}\) along any control path.

For the net in Fig. 5 – apart from dotted arcs and places – and the GMEC \({\boldsymbol m}(p_1) + 2 {\boldsymbol m}(p_2) + 2 {\boldsymbol m}(p_3)+ 2 {\boldsymbol m}(p_6) + {\boldsymbol m}(p_7) + {\boldsymbol m}(p_{13}) + {\boldsymbol m}(p_{14}) + 2 {\boldsymbol m}(p_{15}) \leq 4\) we have: \({\boldsymbol w}_{o1}^+(p_1)=1\), since *p*_{1} belongs to the control path \(\bar{\pi}_6= t_6 p_8 t_4 p_6 t_3 p_3 t_1 p_1 t_{o1} \) to which three constrained places belong, \(\max_{p_\jmath \in \bar{\pi}'_6}{\boldsymbol w}(p_\jmath)=2\), where \(\bar{\pi}_6'=t_6 p_8 t_4 p_6 t_3 p_3 t_1 p_1 \) is the directed sub-path of \(\bar{\pi}_6\) from *t*_{6} to *p*_{1}, and \(\max_{ \pi \in \Pi(p_{1},t_{o1} )} \max_{p_\jmath \in \pi} {\boldsymbol w}(p_\jmath)=1\), since *Π*(*p*_{1},*t*_{o1}) = { *p*_{1}*t*_{o1} }; \({\boldsymbol w}_{o2}^+(p_{11})=1\), since *p*_{11} is preceded by \(p_{15} \in Q_{{\boldsymbol w}}\) along the path *t*_{11}*p*_{15}*t*_{8}*p*_{11}*t*_{o2}, *p*_{15} is the only constrained place controlled by *t*_{11}, there are *r*_{15} = 1 directed paths in \(N_{O_{o2}}\) from *p*_{15} to *p*_{11} and *r* = 2 directed paths in \(N_{O_2}\) from *p*_{15} to *t*_{o2}.

- \(n_\imath= \sum_{p \in {TCO_\imath}^{\bullet}} {\boldsymbol w}_\imath(p)^-\), that is the maximum value that the weighted sum of the places in the GMEC can assume by firing all the transitions in the set \(TCO_\imath\). Thus, \(n_\imath- \sum_{p \in P_{O_\imath}} {\boldsymbol w}_\imath^+(p) {\boldsymbol m}(p)\) represents the maximum value that the weighted sum of the constrained places in \(N_{O_\imath}\) that are not yet marked can assume. It is immediate to see that $$ n_\imath \geq \sum\limits_{p \in P_{O_\imath}} {\boldsymbol w}_\imath^+(p) {\boldsymbol m}(p) $$ (5)
- \(n_\imath^\prime=\sum_p {\boldsymbol w}(p), \, p \in {^\bullet}t_{oi} \cap Q_w\), that is the weighted sum of the places in the GMEC that have to be marked for the firing of *t*_{oi}, because they belong to the set \(^{\bullet}t_{oi}\) (note that \(n_\imath\geq n_\imath^\prime\)). For the net in Fig. 6a, it is immediate to verify that \(n_{o11}= 3\) but \(n^\prime_{o11}=1\), since *t*_{o11} has only one constrained input place.

**Definition 7**

Given a control subnet \(N_{O_\jmath}\), if there is no control subnet \(N_{O_{j'}}\) such that *TCO*_{j} ⊂ *TCO*_{j′}, we call \(N_{O_\jmath}\) *maximal*.

Let us denote by *M* the set of indexes of maximal control subnets. For the net of Fig. 6c \(N_{O_{o11}}\) is the unique maximal control subnet since *TCO*_{4} ⊂ *TCO*_{o11} and *TCO*_{6} ⊂ *TCO*_{o11}, thus *M* = { *o*11 }.

In order to ensure the deadlock-freeness of the closed-loop net, when a controllable transition is enabled and belongs to the control subnet of the output transition of a constrained place, it must be guaranteed that all the input places of that output transition can be simultaneously marked without violating the GMEC; otherwise the transition would be dead. Thus, we introduce the set of counter variables \(C_{O_\imath}({\boldsymbol m})\). Given a GMEC \(({\boldsymbol w},k)\), \(C_{O_\imath}({\boldsymbol m})\) represents, under the current marking, the complement to *k* of the maximum value that the weighted sum of the constrained places can assume by firing only uncontrollable transitions that belong to a maximal control subnet \(N_{O_\jmath}\), except for those that also belong to \(N_{O_\imath}\), plus the complement to \(n_\imath\) of the maximum value that the weighted sum of the constrained places belonging to the control subnet of *t*_{oi} that still have to be marked to enable *t*_{oi} can assume. Its value can therefore be obtained as *k* minus the weighted sum of the marking of the places \(p \not \in P_{O_\imath}\) with \(p \in P_{O_\jmath}\), where \(N_{O_\jmath}\) is maximal, with weights given by the elements of the vector \({\boldsymbol w}_\jmath^- {\boldsymbol f}\), plus the weighted sum of the marking of the places \(p \in P_{O_\imath}\) with weights given by the elements of the vector \({\boldsymbol w}_\imath^+\).

**Definition 8**

- 1) the firing of a transition \(t_{{TCO}_\jmath}^r, \, j \neq \imath\), will decrement the value of \(C_{O_\imath}({\boldsymbol m})\) by \(\sum_{p \in {TCI_k}^{\bullet}} {\boldsymbol w}_\imath(p)^-\) units if \(C_{I_k}({\boldsymbol m})=m_k-1\) (by definition, \( \exists k \mbox{ s.t. } t_{{TCO}_\jmath}^r \in TCI_k\)), unless \(t_{{TCO}_\jmath}^r \in TCO_\imath\); in this way the value of \(C_{O_\imath}({\boldsymbol m})\) is updated when \(\forall p \in {TCI_k}^{\bullet}\) it results \({\boldsymbol f}(p,{\boldsymbol m}')=1\) with \({\boldsymbol m}[ t_{{TCO}_\jmath}^r > {\boldsymbol m}'\);
- 2) the firing of a transition \(t_{{TCO}_\imath}^r\) does not change the value of \(C_{O_\imath}({\boldsymbol m})\);
- 3) the firing of an output transition \(t_{oj}, \jmath \neq \imath\), will increment the value of \(C_{O_\imath}({\boldsymbol m})\) by \(n'_\jmath - \sum_{p \in t_{oj}^{\bullet}} {\boldsymbol w}_{\bar{\jmath}}(p)^-\) units, where \(\bar{\jmath} \in M\) is the maximal subnet index such that \(TCO_{\jmath} \subseteq TCO_{\bar{\jmath}}\), if \(n'_\jmath >\sum_{p \in t_{oj}^{\bullet}} {\boldsymbol w}_{\bar{\jmath}}(p)^-\); otherwise it does not change the value of \(C_{O_\imath}\);
- 4) the firing of the output transition *t*_{oi} will decrement the value of \(C_{O_\imath}({\boldsymbol m})\) by \(n_\imath-n_\imath^\prime\) units;
- 5) the initial value of \(C_{O_\imath}({\boldsymbol m})\) is \(C_{O_\imath}({\boldsymbol m}_0)=k - \sum_{j \in M} \sum_{p \in P_{O_\jmath} \bigwedge p \not \in P_{O_\imath}} {\boldsymbol w}_\jmath(p)^- {\boldsymbol m}_0(p) {\boldsymbol f}(p,{\boldsymbol m}_0)+ \sum_{p \in P_{O_\imath}} {\boldsymbol w}_\imath(p)^+ {\boldsymbol m}_0(p)\).

For the net of Fig. 6c by definition

In Fig. 6c \(C_{O_{o11}}({\boldsymbol m})\) is equal to the marking of the place *p*_{c2} and under the marking in figure it results \({\boldsymbol f}(p,{\boldsymbol m})={\bf0} \; \forall p\).

**Definition 9**

We say that a control subnet \(N_{O_k}\) is *included* in a control subnet \(N_{O_\imath}\), maximal according to Definition 7, and we write \(N_{O_k} \prec N_{O_\imath}\), if there is a place *p* ∈ ^{ ∙ }*t*_{oi} such that \(p \not \in Q_{{\boldsymbol w}}\) and there is a directed path from any transition *t* ∈ *TCO*_{k} to *p*.

Consider the net in Fig. 6 and the GMEC \({\boldsymbol m}(p_4)+{\boldsymbol m}(p_6)+{\boldsymbol m}(p_{11}) \leq 1\): the control subnet \(N_{O_4}\) is included in \(N_{O_{11}}\), since \(p_{10} \in {^\bullet}t_{11}\), \(p_{10} \not \in Q_{{\boldsymbol w}}\) and there is a directed path from any transition *t* ∈ *TCO*_{4} to *p*_{10}.

### 6.2 The control policy

In the following, the control policy that enforces a GMEC while preserving liveness on a live and safe MG is presented. The control policy ensures the firing of any transition *t*_{oi}, so the closed-loop system is deadlock-free in a maximally permissive way. For clarity of presentation, we present the results in two propositions. The first proposition, which requires only Assumption 2 to be fulfilled, considers the case with only one maximal control subnet; the second proposition, which requires both Assumption 1 and Assumption 2 to be fulfilled, considers the case with two independent maximal control subnets. Thus, from Theorem 3 it follows that the closed-loop system is also live in both cases.

When a set of GMECs is given as control specification, since for the considered net subclass deadlock-freeness implies liveness, and since the control law designed separately for each GMEC ensures that the single GMEC is not violated and that the unique output transition of each constrained place can be fired, it is immediate to conclude that a controllable transition must be enabled iff it is enabled by the control laws of all the GMECs. Thus, the control policy is modular.

**Proposition 3**

*Let us consider a live and safe MG and a GMEC \(({\boldsymbol w},k)\) such that Assumption 2 is verified. Suppose that there is only one maximal control subnet, named \(N_{O_1}\), i.e. any other control subnet \(N_{O_k}\) verifies that \(TCO_k \subset TCO_1\), k ≠ 1. Firing a transition \(t_{TCO_1}^j \in TCI_\imath\), it is possible, after a fireable sequence, to enable \(t_{o1}\) without violating the GMEC iff*

*or one of the following conditions is true*

*If \(|TCI_\imath|=1 \; \forall \imath\), condition [C1] is never true.*

### Proof

(If) If [C1] is true, by firing \(t_{TCO_1}^j\) the place \(p_\imath\in P_{O_1}\) cannot be uncontrollably marked (because of Assumption 2), since at least one of its control paths is unmarked. Nothing changes in the system as far as GMEC satisfaction and closed-loop liveness are concerned.

Now, suppose that the net system reaches a marking \({\boldsymbol m}\) such that \(C_{I_\imath}({\boldsymbol m})=m_\imath-1\), so that firing the transition \(t_{TCO_1}^j\) will cause \(p_\imath\) to become uncontrollably marked. If [C2a] is true, by the definition of \(C_{O_1}({\boldsymbol m})\) we have that \(k - \sum_{j \in M}\sum_{p \in P_{O_\jmath} \bigwedge p \not \in P_{O_1}} {\boldsymbol w}_1(p)^- {\boldsymbol m}(p) {\boldsymbol f}(p,{\boldsymbol m})+ \sum_{p \in P_{O_1}} {\boldsymbol w}_1(p)^+ {\boldsymbol m}(p) \geq n_1\), and thus it follows that \(k - \sum_{j \in M} \sum_{p \in P_{O_\jmath} \bigwedge p \not \in P_{O_1}} {\boldsymbol w}_1(p)^- {\boldsymbol m}(p) {\boldsymbol f}(p,{\boldsymbol m}) \geq n_1 - \sum_{p \in P_{O_1}} {\boldsymbol w}_1(p)^+ {\boldsymbol m}(p) \geq 0\), since \(n_1 \geq \sum_{p \in P_{O_1}} {\boldsymbol w}_1(p)^+ {\boldsymbol m}(p) \) by Eq. 5. By noticing that \(k - \sum_{j \in M} \sum_{p \in P_{O_\jmath} \bigwedge p \not \in P_{O_1}}{\boldsymbol w}_1(p)^- {\boldsymbol m}(p) {\boldsymbol f}(p,{\boldsymbol m})\) represents the complement to *k* of the maximum value of the weighted sum of the constrained places \(p \not \in P_{O_1}\) that can be uncontrollably marked, we conclude that the GMEC will not be violated. The same holds if [C2b] is true.

As for firing *t*_{o1}, note that all the transitions in the net \(N_{O_1}\) can be disabled only by the marking of places in the net \(N_{O_1}\). If condition [C2a] is verified under the marking \({\boldsymbol m}\), we have that \(k -\sum_{j \in M} \sum_{p \in P_{O_\jmath} \bigwedge p \not \in P_{O_1}} {\boldsymbol w}_1(p)^- {\boldsymbol m}(p) {\boldsymbol f}(p,{\boldsymbol m})\geq n_1 - \sum_{p \in P_{O_1}} {\boldsymbol w}_1(p)^+ {\boldsymbol m}(p) \geq 0\). By noticing that \(k -\sum_{j \in M} \sum_{p \in P_{O_\jmath} \bigwedge p \not \in P_{O_1}} {\boldsymbol w}_1(p)^- {\boldsymbol m}(p) {\boldsymbol f}(p,{\boldsymbol m})\) represents the weighted sum of the constrained places \(p \not \in P_{O_1}\) that can be uncontrollably marked, and that \(n_1 - \sum_{p \in P_{O_1}} {\boldsymbol w}_1(p)^+ {\boldsymbol m}(p)\) represents the maximum value that the weighted sum of the constrained places in \(N_{O_1}\) that still have to be marked to enable *t*_{o1} can assume, we deduce that it is possible to enable all the transitions \(t_{TCO_1}^j, \forall j\), so that all the control paths of *t*_{o1} can be marked and *t*_{o1} can be fired.

If [C2a] is not true, by the same reasoning, we conclude that, if [C2b] is true, it is possible to fire all transitions *t*_{ok} such that \(N_{O_k} \prec N_{O_1}\) without violating the GMEC. The counter \(C_{O_1}\) is so incremented until [C2b] becomes true.

(Only if) If [C1] and [C2a] are not true, it follows that \(k -\sum_{j \in M} \sum_{p \in P_{O_\jmath} \bigwedge p \not \in P_{O_1}} {\boldsymbol w}_1(p)^- {\boldsymbol m}(p) {\boldsymbol f}(p,{\boldsymbol m}) < n_1 - \sum_{p \in P_{O_1}} {\boldsymbol w}_1(p)^+ {\boldsymbol m}(p) \). This means that under the current marking it is not possible to mark all the places needed to enable *t*_{o1}. Since \(N_{O_k} \subset N_{O_1}, \, k \neq 1\), and [C2b] is not true, no other output transition of a constrained place included in \(N_{O_1}\) can be fired before *t*_{o1} fires, i.e. the quantity \(n_1 - \sum_{p \in P_{O_1}} {\boldsymbol w}_1(p)^+ {\boldsymbol m}(p) \) cannot be decremented. Thus, by firing \(t_{TCO_1}^j\) a marking \({\boldsymbol m}^\prime\) will be reached from \({\boldsymbol m}\) under which *t*_{o1} is deadlocked. □

### Example 1

Consider again the net system shown in Fig. 6a and the GMEC \({\boldsymbol m}(p_4)+{\boldsymbol m}(p_6)+{\boldsymbol m}(p_{11}) \leq 1\). The monitor-controlled net system shown in Fig. 6b enforces the GMEC, but it can be proved not to be live by using the results shown in Section 4. By definition we have that \(|TCI_\imath|=1, \forall \imath\), and the following sets of control transitions are defined: *TCO*_{4} = {*t*_{1}}, *TCO*_{6} = { *t*_{3} }, *TCO*_{o11} = {*t*_{1}, *t*_{2}, *t*_{3} }. Also, recall that for this net system and for the specified GMEC the subnet \(N_{O_{o11}}\) is the only maximal control subnet. It results that \(N_{O_4} \prec N_{O_1}\) and \(N_{O_6} \prec N_{O_1}\). The plant net is a live and safe MG, and the hypotheses of Proposition 3 are verified. A control policy is: enable a transition *t* ∈ *TCO*_{o11} iff \(C_{O_{o11}}({\boldsymbol m}) \geq 3\), being *n*_{o11} = 3; enable a transition *t* ∈ *TCO*_{6} iff \(C_{O_6}({\boldsymbol m}) \geq 1\), being *n*_{6} = 1; enable a transition *t* ∈ *TCO*_{4} iff \(C_{O_4}({\boldsymbol m}) \geq 1\), being *n*_{4} = 1. The resulting controller is shown in Fig. 6c, where the places *p*_{c1}, *p*_{c2}, *p*_{c3} implement respectively \(C_{O_4}({\boldsymbol m})\), \(C_{O_{o11}}({\boldsymbol m})\), \(C_{O_6}({\boldsymbol m})\). The closed-loop net system can be simplified as shown in Fig. 6d.

**Proposition 4**

*Let us consider a live and safe MG and a GMEC \(({\boldsymbol w},k)\) such that Assumption 1 and Assumption 2 are verified. Suppose that two independent and maximal control subnets \(N_{O_1}\) and \(N_{O_2}\) are defined, i.e. any other control subnet \(N_{O_k}\) verifies that \(TCO_k \subset TCO_1, \, k \neq 1 \bigvee TCO_k \subset TCO_2, \, k \neq 2\). Firing a transition \(t_{TCO_1}^j \in TCI_\imath\), it is possible, after a fireable sequence, to enable \(t_{o1}\) without violating the GMEC iff*

*or \(C_{I_\imath}({\boldsymbol m}) = m_\imath-1\) but one of the two following conditions is verified*

*If \(|TCI_\imath|=1 \; \forall \imath\), condition [C1] is never true.*

### Proof

Only condition [C3] will be proved, since the proof of conditions [C1] and [C2] can be derived from the proof of Proposition 3. In the proof of Proposition 3 we have not used that \(\sum_{j \in M} \sum_{p \in P_{O_\jmath} \bigwedge p \not \in P_{O_1}} {\boldsymbol w}_1(p)^- {\boldsymbol m}(p)=0\) when *M* = { 1 }, and thus it also works in the presence of two maximal independent control subnets.

(If) By firing \(t_{TCO_1}^j\), \({\boldsymbol m} [ t_{TCO_1}^j > {\boldsymbol m}^\prime\). From condition [C3] it follows that \(C_{O_2}({\boldsymbol m}^\prime) \geq n_2\), so it is possible to enable *t*_{o2}. By firing *t*_{o2}, \(C_{O_1}\) is incremented by \(n^\prime_2\), and then it is possible to reach a marking \({\boldsymbol m}^{\prime \prime}\) such that \(C_{O_1}({\boldsymbol m}^{\prime \prime}) \geq n_1\). From Proposition 3 we conclude that *t*_{o1} can be fired.

(Only if) If [C3] is not true, even if we assume that \(C_{O_2}({\boldsymbol m}) \geq n_2 + \sum_{p \in {TCI_1}^{\bullet}} {\boldsymbol w}_\imath(p)^- \), and thus that *t*_{o2} can be fired, \(C_{O_1}\) is incremented by \(n^\prime_2\) units but it results that \(C_{O_1}({\boldsymbol m}^\prime) < n_1\), since \(C_{O_1}({\boldsymbol m}) + n^\prime_2 < n_1\). From Proposition 3 we conclude that a marking \({\boldsymbol m}^{\prime \prime}\) will be reached from \({\boldsymbol m}^\prime\) under which *t*_{o1} is deadlocked. □

### Example 2

Consider the net system in Fig. 5 – apart from dotted arcs and places – and the GMEC \({\boldsymbol m}(p_1) + 2 {\boldsymbol m}(p_2) + 2 {\boldsymbol m}(p_3)+ 2 {\boldsymbol m}(p_6) + {\boldsymbol m}(p_7) + {\boldsymbol m}(p_{13}) + {\boldsymbol m}(p_{14}) + 2 {\boldsymbol m}(p_{15}) \leq 4\). The monitor *p*_{c} enforces the GMEC, but the closed-loop system can be proved not to be live by using the results shown in Section 4.

Since \(N_{O_{o1}}\) and \(N_{O_{o2}}\) are independent and they are the only two maximal control subnets, the hypotheses of Proposition 4 are verified. The control subnet \(N_{O_{15}}\) is included in \(N_{O_{o2}}\) according to Definition 9, i.e. \(N_{O_{15}} \prec N_{O_{o2}}\). No other control subnet is included in \(N_{O_{o1}}\) or in \(N_{O_{o2}}\).

\(n_{o1}= 4\), \(n^\prime_{o1}= 3\), \(n_{o2}= 4\), \(n^\prime_{o2}= 2\), \(n_{o15}= 2\), \(n^\prime_{o15}= 2\).

\(|TCI_k| = 1\) (e.g. *p*_{13}), since it results \({\boldsymbol f}(p,{\boldsymbol m})=1\) when \({\boldsymbol m}(p)=1\).

A transition *t* ∈ *TCO*_{o1} is enabled iff \(C_{O_{o1}}({\boldsymbol m}) \geq 4\) or \(C_{O_{o2}}({\boldsymbol m}) \geq 4 + 2 = 6 \, \bigwedge \, C_{O_{o1}}({\boldsymbol m}) + 2 \geq 4 \).

A transition *t* ∈ *TCO*_{o2} is enabled iff \(C_{O_{o2}}({\boldsymbol m}) \geq 4\) or \(C_{O_{o1}}({\boldsymbol m}) \geq 4 + 3 = 7 \, \bigwedge \, C_{O_{o2}}({\boldsymbol m}) + 3 \geq 4 \).

A transition *t* ∈ *TCO*_{o2} ∩ *TCO*_{15} is enabled iff \(C_{O_{o2}}({\boldsymbol m}) \geq 4\) or \(C_{O_{o15}}({\boldsymbol m}) \geq 2\) or \(C_{O_{o1}}({\boldsymbol m}) \geq 4 + 3 = 7 \; \bigwedge \; C_{O_{o2}}({\boldsymbol m}) + 3 \geq 4 \).

Under the marking in Fig. 5 it results that \(C_{O_{o1}}({\boldsymbol m})=4\), \(C_{O_{o2}}({\boldsymbol m})=4\), \(C_{O_{15}}({\boldsymbol m})=4\). Hence, all controllable transitions can be left free to fire. Assume that *t*_{14} fires; then \(C_{O_{o1}}({\boldsymbol m})=3\), \(C_{O_{o2}}({\boldsymbol m})=4\), \(C_{O_{15}}({\boldsymbol m})=3\), and only a transition *t* ∈ *TCO*_{o2} may be left free to fire: if a transition *t* ∈ *TCO*_{o1} fires, a deadlock state is reached.

### Note 1

The result presented in Proposition 4 refers to the case where only two maximal independent control subnets are considered. It can be generalized to *r* > 2 maximal independent control subnets by considering, for the enabling of a controllable transition \(t \in TCO_\imath\) under a given marking, the fact that the output transition *t*_{oi} may fire after a sequence that includes the firing of some (at most all) of the other *r* − 1 output transitions.

The control policy is suitable to be executed on-line, since it only requires: for each constrained place, the allocation of two counter variables \(C_{I_i}\) and \(C_{O_i}\); and the evaluation of logical predicates, essentially consisting of comparisons between the values of such counters and integer numbers.

## 7 Concluding remarks

Some results on the liveness of plant MGs, where a GMEC has been enforced via a monitor place, have been presented in this paper. First, two sufficient conditions have been obtained which guarantee that no solution of the state equation is a spurious deadlock. As a consequence, checking liveness in these cases reduces to checking whether a system of equations admits a solution. In addition, a sufficient condition has been presented for the closed-loop liveness of MGs on which a GMEC has been enforced. Also, a maximally permissive control policy to enforce a GMEC and closed-loop liveness on live and safe controlled MGs has been proposed.