Supervision of Vector Discrete-Event Systems

Abstract

The state-based approach to DES supervisory control of Chap. 7 will be applied to a class of models known as vector addition systems, which when endowed with our standard control technology we call vector discrete-event systems (VDES). VDES offer a modeling option especially for systems incorporating groups of similar entities (e.g. machines in a workcell) which for control purposes need not be individually distinguished; often in practice such systems are equivalent to a synchronous product of buffers. VDES may be represented graphically as Petri nets (PN); results from the extensive PN literature will be exploited to advantage. We further consider problem restrictions under which an optimal supervisor itself admits a VDES representation, providing examples when this is or respectively is not the case.

Appendix 8.1: Three Examples from Petri Nets

We provide three examples to show how supervisory control problems described in terms of Petri nets can be treated in the automaton framework of this monograph, Chaps. 3, 4, and 6. Commented output from the TCT MAKEIT.TXT files is provided for the reader’s convenience. Details of problem formulation can be found in the cited literature.

Example 1: Manufacturing Workcell

Reference: K. Barkaoui, I. Ben Abdallah. A deadlock prevention method for a class of FMS. Proc. IEEE Int. Conf. on Systems, Man, and Cybernetics. Vancouver, Canada, October 1995, pp. 4119–4124.

The system is a manufacturing workcell consisting of two input bins I1, I2, four machines M1,...,M4, two robots R1, R2, and two output bins O1, O2. Two production sequences, for RED and GRN workpieces, run concurrently; these are:

GRN: I1 \(\rightarrow \) R1 \(\rightarrow \) (M1 or M2) \(\rightarrow \) R1 \(\rightarrow \) M3 \(\rightarrow \) R2 \(\rightarrow \) O1

RED: I2 \(\rightarrow \) R2 \(\rightarrow \) M4 \(\rightarrow \) R1 \(\rightarrow \) M2 \(\rightarrow \) R1 \(\rightarrow \) O2

In the simplest case, treated here, at most one workpiece of each type (red, green) is allowed in the system at any one time.

Since the machines and production sequences share the robots as resources, there is the a priori possibility of deadlock. In fact, without control there is exactly one deadlock state (20) in TEST =  meet (CELL,SPEC). At this state the components are in states:

R1	R2	M1	M2	M3	M4	RED	GRN
1	0	0	1	0	0	2	3

One deadlock sequence is (writing ev for event):

Verse

Verse R1 takes in green part (ev 11 in CELL) R2 takes in red part (ev 91) R1 loads M2 with green part (ev 21) R2 loads M4 with red part (ev 101) R1 unloads red part from M4 (ev 111)

At this point, R1 holds a red, having just unloaded it from M4 (ev 111), while M2 holds a green, having finished processing it. R1 must load M2 with the red it’s holding (ev 121) but cannot do so because M2 holds the green, which only R1 can unload (ev 41). The deadlock occurs because both R1 and M2 are ‘full’ (with a red, green respectively), and there is no mechanism for making the required swap. The cure is easy: simply eliminate state 20 from TEST; the result is then exactly the optimal controlled behavior SUP. So instead of the old blocking sequence 11.91.21.101.111 we now have 11.91.21.101.41; in other words GRN is allowed to progress to its state 4 (ev 41) before RED is allowed to progress to its state 3 (ev 111). The problem arises because a single robot (R1) is shared by 2 machines M2, M4; and M2 is shared by 2 processes (RED,GRN). At the deadlock state RED and GRN have conflicting requirements for M2 and therefore on R1, which is deadlocked because of its previous action on M4. Conclusion: careful sequencing of the interleaved processes RED, GRN is needed to avoid deadlock due to conflicting demands on the shared resources R1 and M2. Of course, this is achieved ‘automatically’ by   supcon.

R1	=	create(R1,[mark 0],[tran [0,11,1],[0,41,1],[0,51,1],
		[0,111,1],[0,131,1],[1,21,0],[1,31,0],[1,61,0],[1,121,0],
		[1,141,0]]) (2,10)
R2	=	create(R2,[mark 0],[tran [0,71,1],[0,91,1],[1,81,0],
		[1,101,0]]) (2,4)
M1	=	create(M1,[mark 0],[tran [0,31,1],[1,51,0]]) (2,2)
M2	=	create(M2,[mark 0],[tran [0,21,1],[0,121,1],[1,41,0],
		[1,131,0]]) (2,4)
M3	=	create(M3,[mark 0],[tran [0,61,1],[1,71,0]]) (2,2)
M4	=	create(M4,[mark 0],[tran [0,101,1],[1,111,0]]) (2,2)
CELL	=	sync(R1,R2) (4,28)    Blocked_events  = None
CELL	=	sync(CELL,M1) (8,52)     Blocked_events  = None
CELL	=	sync(CELL,M2) (16,88)     Blocked_events   = None
CELL	=	sync(CELL,M3) (32,160)     Blocked_events  = None
CELL	=	sync(CELL,M4) (64,288)     Blocked_events  = None
ALL	=	allevents(CELL) (1,14)
GRN	=	create(GRN,[mark 0],[tran [0,11,1],[1,21,2],[1,31,3],
		[2,41,4],[3,51,4],[4,61,5],[5,71,6],[6,81,0]]) (7,8)
RED	=	create(RED,[mark 0],[tran [0,91,1],[1,101,2],[2,111,3],
		[3,121,4],[4,131,5],[5,141,0]]) (6,6)
SPEC	=	sync(RED,GRN) (42,90)     Blockedevents  = None
nonconflict(CELL,SPEC) = false
TEST	=	meet(CELL,SPEC) (35,61)
SUP	=	supcon(CELL,SPEC) (34,60)
SUP	=	condat(CELL,SUP) Controllable.

[Only events 51,71 do not appear in the condat table; therefore they could be replaced by uncontrollable counterparts (say 50,70) without changing the controlled behavior.]

SIMSUP	=	supreduce(CELL,SUP,SUP) (11,38)
STEST	=	meet(CELL,SIMSUP) (34,60)
isomorph(STEST,SUP) = true
SIMSUP	=	condat(CELL,SIMSUP) Controllable.

The following shows that removing the single  blocking state 20 is enough to obtain the optimal control from the naive behavior TEST.

ETEST	=	edit(TEST,[states -[20]]) (34,60)
isomorph(ETEST,SUP) = true

Example 2: Piston Rod Robotic Assembly Cell

Reference: J.O. Moody, P.J. Antsaklis. Supervisory Control of Discrete Event Systems Using Petri Nets. Kluwer, 1998; Sect. 8.4.

With reference to Fig. 8.11 of the cited text, the system consists of an M-1 robot performing various tasks (Petri net places p4, p5, p6, p7), and similarly an S-380 robot (p2, p3); p1 is used for initialization.

M-1 ROBOT

To model this we replace p4 by a generator capable of holding up to two piston pulling tools in a two-slot buffer MR1; the tools are generated by event 40 and selected for use by event 41. The event sequence 41.51.60.70.80 tracks the installation of a cap on a piston rod and the conveyance of its engine block out of the work space. In our model, up to four operations in this sequence could be progressing simultaneously, although a specification (below) will limit this number to one.

MR1	=	create(MR1,[mark 0],[tran [0,40,1],[1,40,2],[1,41,0],
		[2,41,1]]) (3, 4)
MR2	=	create(MR2,[mark 0],[tran [0,41,1],[1,51,0]]) (2,2)
MR3	=	create(MR3,[mark 0],[tran [0,51,1],[1,60,0]]) (2,2)
MR4	=	create(MR4,[mark 0],[tran [0,60,1],[1,70,0]]) (2,2)
MR5	=	create(MR5,[mark 0],[tran [0,70,1],[1,80,0]]) (2,2)
MROB	=	sync(MR1,MR2) (6,9)
MROB	=	sync(MROB,MR3) (12,21)
MROB	=	sync(MROB,MR4) (24,48)
MROB	=	sync(MROB,MR5) (48,108)

S-380 ROBOT

Starting from the ready-to-work condition, this robot performs the event sequence 10.20.30 corresponding to readying parts for assembly; its work cycle is closed by event 80.

SROB = create(SROB,[mark 0],[tran [0,10,1],[1,20,2],[2,30,3], [3,80,0]]) (4,4)

PLANT = sync(MROB,SROB) (192,504)

Note that the only controllable events are 41,51, which more than satisfies the authors’ requirement that events 60,70,80 be  uncontrollable.

There are three specifications, as detailed in the authors’ equations (8.11)–(8.13) in (Moody and Antsaklis 1998). These are linear inequalities on markings, which are easily converted (by inspection of the Petri net in (Moody and Antsaklis 1998)) into counting constraints on suitable event pairs. For instance, (8.12) requires that m4+m5+m6+m7 \(\le \) 1, where mi is the marking of place pi; by inspection, this is equivalent to

$$\begin{aligned} (|41|-|51|) + (|51|-|60|) + (|60|-|70|) + (|70|-|80|) \le 1 \end{aligned}$$

or simply \( |41|-|80| \le 1 \); here |k| is the number of firings of transition k since the start of the process. By inspection of the Petri net in (Moody and Antsaklis 1998) it is clear that the inequality forces events 41,80 to alternate, with 41 occurring first; hence SPEC2, below.

SPEC1	=	create(SPEC1,[mark 0],[tran [0,10,1],[1,30,0]]) (2,2)
SPEC2	=	create(SPEC2,[mark 0],[tran [0,41,1],[1,80,0]]) (2,2)
SPEC3	=	create(SPEC3,[mark 0],[tran [0,30,1],[1,51,0]]) (2,2)
SPEC	=	sync(SPEC1,SPEC2) (4,8)
SPEC	=	sync(SPEC,SPEC3) (8,18)
PLANTALL	=	allevents(PLANT) (1,9)
SPEC	=	sync(SPEC,PLANTALL) (8,50)

The supremal supervisor can now be computed, then simplified by the control-congruence reduction procedure.

SUPER	=	supcon(PLANT,SPEC) (33,60)
SUPER	=	condat(PLANT,SUPER) Controllable.
SIMSUP	=	supreduce(PLANT,SUPER,SUPER) (3,12)

Thus SIMSUP is strictly minimal.

The authors specify four auxiliary constraints (8.14)–(8.17) (see (Moody and Antsaklis 1998)), of the form already discussed; we model these as follows, and create the auxiliary specification ASPEC. We test these constraints against the existing controlled behavior SUPER, and confirm that they are already satisfied.

ASP1	=	create(ASP1,[mark 0],[tran [0,20,1],[1,30,0]]) (2,2)
ASP2	=	create(ASP2,[mark 0],[tran [0,41,1],[1,60,0]]) (2,2)
ASP3	=	create(ASP3,[mark 0],[tran [0,60,1],[1,70,0]]) (2,2)
ASP4	=	create(ASP4,[mark 0],[tran [0,70,1],[1,80,0]]) (2,2)
ASPEC	=	sync(ASP1,ASP2) (4,8)
ASPEC	=	sync(ASPEC,ASP3) (8,18)
ASPEC	=	sync(ASPEC,ASP4) (16,40)
ASPEC	=	sync(ASPEC,PLANTALL) (16,88)
COASPEC	=	complement(ASPEC,[]) (17,153)
X	=	meet(SUPER,COASPEC) (33,60)
TX	=	trim(X) (0,0)

Unobservable events: we assume with (Moody and Antsaklis 1998) that events 51,60,70 have become  unobservable. As a simplifying assumption on supervisor design, we consider that controllable event 51 will now not be subject to  disablement. Thus we could (but will not) relabel event 51 as 50 throughout. Our new assumption allows us to treat the problem as an instance of SCOP (Sect. 6.5). We therefore compute as follows.

N	=	supnorm(PLANT,SPEC,null[51,60,70]) (24,39)
NO	=	project(N,null[51,60,70]) (15,24)
PLANTO	=	project(PLANT,null[51,60,70]) (60,129)
SUPERO	=	supcon(PLANTO,NO) (15,24)
		[‘Observer’s supervisor’]
SUPERO	=	condat(PLANTO,SUPERO) Controllable.
		[‘Observer’s supervisor’]
OSUPER	=	selfloop(SUPERO,[51,60,70]) (15,69)
		[Feasible supervisor]
		nonconflict(PLANT,OSUPER) = true
K	=	meet(PLANT,OSUPER) (24,39)
		[Controlled behavior using feasible supervisor]
SIMSUPO	=	supreduce(PLANTO,SUPERO,SUPERO) (2,7)

Thus SIMSUPO is strictly minimal.

SIMSUPO	=	condat(PLANTO,SIMSUPO) Controllable.
TESTO	=	meet(PLANTO,SIMSUPO) (15,24)
isomorph(TESTO,SUPERO) = true

We will check that, as expected, controlled behavior K using the feasible supervisor is more restricted than the original controlled behavior SUPER (which of course was computed without assuming any observational constraint). Nevertheless, K is adequate for performance of the assembly process: for instance the K-string 10.20.30.40.41.51.60.70.80 is a full assembly cycle.

COSUPER	=	complement(SUPER,[]) (34,306)
X	=	meet(K,COSUPER) (24,39)
TX	=	trim(X) (0,0)

Some routine checks, in principle redundant, are:

nonconflict(PLANT,OSUPER) = true
OSUPER = condat(PLANT,OSUPER) Controllable.

As expected, OSUPER never  disables unobservable event 51.

Example 3: Unreliable Machine (Deadlock Avoidance)

Reference: J.O. Moody, P.J. Antsaklis. Deadlock avoidance in Petri nets with  uncontrollable  transitions. Proc. 1998 American Automatic Control Conference. Reproduced in J.O. Moody, P.J. Antsaklis. Supervisory Control of Discrete Event Systems Using Petri Nets. Kluwer, 1998; Sect. 8.3 (pp. 122–129).

This is a problem which, in the authors’ Petri net formulation, requires finding the system’s two ‘uncontrolled siphons’. By contrast, the TCT solution is fast and immediate, requiring no special analysis.

The system model consists of a machine M1 containing two 1-slot output buffers M1C (for completed workpieces) and M1B (for damaged workpieces, which result when M1 breaks down), together with two dedicated AGVs to clear them. M1 is the SCT machine model (e.g. Sect. 3.2). Event 10 (successful completion) increments M1C, which must be cleared (event 14) by AGV1 before M1 can restart; event 12 (breakdown) increments M1B, which must be cleared (event 16) by AGV2 before M1 can be repaired after breakdown (event 13); these requirements are enforced by SPEC1C, SPEC1B, respectively. The workspace near the buffers can be occupied by only one AGV at a time: this is enforced by SPEC1; the final SPEC model issync(SPEC1,SPEC1C,SPEC1B). Blocking would occur if, for instance, AGV1 moved into position to clear its buffer M1C, but M1B rather than M1C was filled; or AGV2 moved into position to clear its buffer M1B, but M1C rather than M1B was filled; in each case the positioned AGV would lock out the other.

Modeling the plant

M1	=	create(M1,[mark 0],[tran [0,11,1],[1,10,0],[1,12,2],
		[2,13,0]]) (3,4)
M1C	=	create(M1C,[mark 0],[tran [0,10,1],[1,14,0]]) (2,2)
M1B	=	create(M1B,[mark 0],[tran [0,12,1],[1,16,0]]) (2,2)
AGV1	=	create(AGV1,[mark 0],[tran [0,101,1],[1,14,2],
		[2,100,0]]) (3,3)
AGV2	=	create(AGV2,[mark 0],[tran [0,201,1],[1,16,2],
		[2,200,0]]) (3,3)

P	=	sync(M1,M1C) (6,10)    Blocked_events  = None
P	=	sync(P,M1B) (12,24)   Blocked_events  = None
P	=	sync(P,AGV1) (36,84)    Blocked_events  = None
P	=	sync(P,AGV2) (108,288)    Blocked_events  = None
PALL	=	allevents(P) (1,10)

Modeling the specification

SPEC1	=	create(SPEC1,[mark 0],[tran [0,101,1],[0,201,2],[1,100,0],
		[2,200,0]]) (3,4)
SPEC1C	=	create(SPEC1C,[mark 0],[tran [0,10,1],[0,11,0],[1,14,0]])
		(2,3)
SPEC1B	=	create(SPEC1B,[mark 0],[tran [0,12,1],[0,13,0],[1,16,0]])
		(2,3)
SPEC	=	sync(SPEC1,SPEC1C) (6,17)  Blocked_events = None
SPEC	=	sync(SPEC,SPEC1B) (12,52)  Blocked_events = None
SPEC	=	sync(SPEC,PALL) (12,52)  Blocked_events = None
nonconflict(P,SPEC) = false

Blocking could occur in the absence of supervisory control. Some blocking strings are 11.10.201, 201.11.10, 11.12.101, 101.11.12. These result in the situations described earlier, where an AGV in the workspace locks out the other, required AGV.

PSPEC	=	meet(P,SPEC) (24,40)
nonconflict(PSPEC,PALL) = false
MPSPEC	=	minstate(PSPEC) (23,40)

Computing the supremal supervisor

SUP	=	supcon(P,SPEC) (16,24)
SUP	=	condat(P,SUP) Controllable.

Computing a simplified supervisor

SIMSUP	=	supreduce(P,SUP,SUP) (5,23)
X	=	meet(P,SIMSUP) (16,24)
isomorph(SUP,X) = true
SIMSUP	=	condat(P,SIMSUP) Controllable.

It is easy to check by inspection that SIMSUP prohibits the blocking sequences listed above.