A Process-Theoretic State-Based Framework for Live Supervision

Jasen Markovski

Abstract— We propose a model-based systems engineering framework that couples supervisory control and verification. The framework has a process-theoretic backbone, which supports all required concepts, and it is implemented using state-of-the-art tools: Supremica for supervisor synthesis and UPPAAL for state-based verification. The process theory relies on partial bisimulation to model controllability and on propositional signal emission to model a supervisory control loop with state-based observations. Supremica can model the signal observation by employing finite integer variables and action guards, whereas the supervised system can be consistently translated to UPPAAL by using a translation tool we developed. We illustrate the framework by revisiting an industrial case study of coordinating maintenance procedures of a high-tech Océ printer.

I. INTRODUCTION

One of the arising bottlenecks in the development of complex high-tech machines is control software development [1]. The traditional approach to software development, iteratively (re)coding based on (varying) informal specification documents, made for a time-consuming and expensive process, which gave rise to supervisory control theory of discrete-event systems [2], [3]. Supervisory control theory deals with automatic synthesis of supervisory control software based on discrete models of the uncontrolled system and the control requirements. Supervisory controllers coordinate high-level system behavior by observing the discrete-event behavior of the machine. They receive sensor signals from ongoing activities, make a decision on allowed activities, and send back control signals to the hardware actuators.

Fig. 1. State spaces in supervisory control.

Supervisory control theory captured the interest of the industry with the promise of automatic control software generation. This technique becomes more captivating as engineers nowadays are familiar with building models for simulation and validation purposes. An additional alluring aspect is rapid prototyping, as one can couple the models with the (prototype) hardware to evaluate the control requirements before building and testing expensive control software. However, as tempting as not having to manually code control software is, the industry has voiced concerns whether the automatically synthesized controller preserves the desired functionality of the system, i.e., whether it meets certain liveness requirements. We illustrate this issue in Fig. 1, where we depict (1) the state space of the uncontrolled system, which contains unsafe behavior that is to be eliminated by the controller; (2) the desired safe and live functioning of the system as prescribed by the control requirements; and (3) the supervised system, where, in order to ensure safety, the synthesis procedure may eliminate additional live states, which may lead to loss of the intended (live) functionality. We address these issues in our proposal for an efficient state-based systems engineering framework for live supervision that relies on state-of-the-art theory and tools, aiming to relieve some of the concerns mentioned above and to set future research directions. We work under the standard assumption that a supervisory controller can react sufficiently fast on machine input, and we model the supervisory control feedback loop as a pair of synchronizing processes [2], [3]. The model of the complex machine, referred to as plant, is restricted by the model of the controller, referred to as supervisor, relying on state-based observations [4] and control requirements that offer succinct and readable specifications [5]. We formally specify the plant and the control requirements using a process theory that uses signal emission [6] to specify the state-based information and employs partial bisimilarity [7] to capture the notion of controllability. The theory is supported by the supervisor synthesis tool Supremica [8], which employs automata extended with variables to capture state-based information [9]. To ensure liveness, we rely on the prominent (state-based) model checker UPPAAL [10]. To couple both tools, we wrote a translation tool called Supremica2UPPAAL [11].

Supported by Dutch NWO project ProThOS, no. 600.065.120.11N124. J. Markovski is with Eindhoven University of Technology, PB 513, 5600MB, Eindhoven, The Netherlands, [email protected]
Finally, to illustrate our approach, we revisit an industrial case study that deals with the coordination of maintenance procedures of the printing process of an Océ prototype high-tech printer [12]. Due to confidentiality issues, we can only present a part of the case study. The goal of the case study is to synthesize a supervisory coordinator that ensures that the quality of printing is not compromised, by timely performing maintenance procedures while interrupting ongoing print jobs as little as possible. There are several attempts to couple safety and liveness properties during the synthesis procedure. The work of [13] extends the NuSMV model checker for synthesis employing CTL*. Similarly, control requirements in CTL* are proposed and analyzed in [14]. In [15] a proposal to translate temporal logic to standard event-based control requirements is presented. Ensuring liveness for software synthesis by employing a variant of LTL is given in [16]. However, all of these approaches suffer from (doubly-)exponential complexity due to enforcing liveness during the synthesis procedure. Consequently, the proposed frameworks can handle only systems with 10^4 to 10^5 states [13], [14], [15], [16]. For these reasons, we decided to remain in the domain of state-based properties, decoupling supervisor synthesis and verification, and employing the most efficient specialized tools.

II. PROCESS THEORY

We present a basic process theory that encompasses propositional signals that identify states. To this end, we employ the Boolean algebra 𝔹 = (N, ff, tt, ¬, ∧, ∨, ⇒), where N is a set of propositional symbols, the constants ff and tt represent false and true, and the operators denote negation, conjunction, disjunction, and implication, respectively. We use B to denote the set of standard Boolean expressions over N, which are evaluated with respect to a given valuation v : B → {ff, tt}. The set of valuations is denoted by V. The process theory contains two constant processes: 0 denotes deadlock, which has no outgoing transitions, and 1 denotes successful termination, which models marked or final states [2], [3]. The action-prefixed process a.p executes the action a ∈ 𝒜 and continues behaving as p, where 𝒜 is the set of actions. The guarded command, notation φ :→ p, specifies a guard φ ∈ B that guards a process p ∈ P. If the guard evaluates to true, the process continues behaving as p or, else, it deadlocks. The root signal emission process, notation φ ⋏ p (we write ⋏ for the circled-wedge signal emission operator of [17]), emits the propositional signal φ ∈ B until the process p ∈ P takes an outgoing transition. The alternative composition p + q makes a nondeterministic choice by executing an action of p or q and continues to behave as the remainder of the chosen process. The automata-like parallel composition p A‖B q, with A, B ⊆ 𝒜 the alphabets of its operands, synchronizes on the actions in A ∩ B and interleaves the actions in (A \ B) ∪ (B \ A).
By μX.E we denote the solution process of the guarded recursive specification E with respect to the recursive variable X. Guarded recursive equations always prefix recursive variables with actions and guarantee finite unique solutions [6], [17]. The set of guarded recursive specifications is given by ℰ, whereas the set of recursive variables by ℛ. The process terms P are induced by the grammar

P ::= 0 | 1 | μX.E | a.P | φ :→ P | φ ⋏ P | P + P | P A‖B P,

for a ∈ 𝒜, φ ∈ B, A, B ⊆ 𝒜, X ∈ ℛ, and E ∈ ℰ. We define E ≜ {X = g | X ∈ ℛ(E), g ∈ G}, where ℛ(E) are the variables of E and the guarded terms G are induced by

G ::= 0 | 1 | a.X | a.G | φ :→ G | φ ⋏ G | G + G,

for a ∈ 𝒜, X ∈ ℛ, and φ ∈ B. To evaluate the guards and determine the consistency of the signals, each process p ∈ P is coupled with a valuation, notation ⟨p, v⟩ ∈ P × V. To capture the dynamics of the valuations with respect to outgoing labeled transitions, we employ the valuation effect function eff :  𝒜 × V → 2^V. The semantics is given in terms of labeled transition systems in a given valuation [6]. The states of the labeled transition systems are labeled by the process terms themselves, and the dynamics of the process is given by a consistency predicate ⊢ ⊆ P × V that checks whether the signals are consistent in the given valuation, a successful termination option predicate ↓ ⊆ P × V that specifies whether the state has a termination option, and an action transition relation → ⊆ P × V × 𝒜 × P × V that denotes the outgoing transitions of the state. We write ⟨p, v⟩ ⊢ for ⟨p, v⟩ ∈ ⊢, ⟨p, v⟩ ↓ for ⟨p, v⟩ ∈ ↓, and ⟨p, v⟩ −a→ ⟨p', v'⟩ for (⟨p, v⟩, a, ⟨p', v'⟩) ∈ →. We define ⊢, ↓, and → in Fig. 2 using structural operational semantics [6], where for compactness symmetric rules are denoted in brackets. Rules 1, 2, and 4 state that the deadlock constant, the termination constant, and the action prefix are always consistent, as they cannot emit propositional signals. Rule 3 states that the termination constant has the option to successfully terminate. Rule 5 states that the action prefix enables action transitions provided that the target is consistent and the target valuation respects the effect function. Rule 6 states that the alternative composition is consistent if both of its summands are. The alternative composition can successfully terminate if one of the summands successfully terminates and the other is consistent, as given by rules 7 and 8. Similarly, action transitions are possible if one of the summands can perform them, whereas the other is consistent, as given by rules 9 and 10. Rule 11 states that the synchronization is consistent if both synchronizing processes are, whereas rule 12 states that it can successfully terminate only if both components do so. Action transitions are possible only if both processes can synchronize on the same action in A ∩ B, as given by rule 13. Interleaving is enabled if the other process is consistent in the initial and target valuation and the interleaving action is in A \ B or B \ A, as given by rules 14 and 15, respectively.

The sets A and B represent the alphabets of the processes that were originally synchronized, and they must be maintained in the operational rules. If by A_p ⊆ 𝒜 we denote the alphabet of p ∈ P, then the parallel composition of p and q in the vein of [2], [3], [8] is specified as p A_p‖A_q q. For the sake of compactness, we write p ‖ q when the parameters are clear from the context. The guarded command is consistent whenever the guard evaluates to false, in which case the process deadlocks. However, if the guarded process is accessible, then it must be consistent, as given by rules 16 and 17, respectively. If the guard evaluates to true, then the guarded command can successfully terminate or execute an action, provided that the guarded process does so, as given by rules 18 and 19, respectively. The root signal emission process is consistent only if its signal is in accordance with the valuation, as given by rule 20. Rules 21 and 22 enable successful termination and action transitions, respectively, provided that the emitted signal is consistent. Rules 23–25 express that solutions of guarded recursive specifications behave as the defining term for the solution variable. The extended syntax μp.E for p ∈ P and E ∈ ℰ is introduced for convenience. It basically states that the structure of the defining process term determines the behavior of the recursive variable as for other process terms. It is given by structural induction as follows:

μx.E = x                        for x ∈ {0, 1},
μ(μX.E).E = μX.E                for X ∈ ℛ,
μ(a.p).E = a.μp.E               for a ∈ 𝒜,
μ(p + q).E = μp.E + μq.E        for p, q ∈ P,
μ(φ :→ p).E = φ :→ μp.E         for φ ∈ B, p ∈ P,
μ(φ ⋏ p).E = φ ⋏ μp.E           for φ ∈ B, p ∈ P.

Fig. 2. Operational rules (premises above the line, conclusion below; symmetric variants in brackets; ⊢ is consistency, ↓ termination, $\curlywedge$ root signal emission, ${}_A\|_B$ the parallel composition with alphabets A and B):

$$\begin{array}{c}
1\;\dfrac{}{\langle 0,v\rangle\vdash}\qquad
2\;\dfrac{}{\langle 1,v\rangle\vdash}\qquad
3\;\dfrac{}{\langle 1,v\rangle\downarrow}\qquad
4\;\dfrac{}{\langle a.p,v\rangle\vdash}\qquad
5\;\dfrac{\langle p,v'\rangle\vdash,\; v'\in\mathit{eff}(a,v)}{\langle a.p,v\rangle\xrightarrow{a}\langle p,v'\rangle}
\\[2ex]
6\;\dfrac{\langle p,v\rangle\vdash,\;\langle q,v\rangle\vdash}{\langle p+q,v\rangle\vdash}\qquad
7\,(8)\;\dfrac{\langle p,v\rangle\vdash,\;\langle q,v\rangle\downarrow}{\langle p+q,v\rangle\downarrow}\qquad
9\,(10)\;\dfrac{\langle p,v\rangle\xrightarrow{a}\langle p',v'\rangle,\;\langle q,v\rangle\vdash}{\langle p+q,v\rangle\xrightarrow{a}\langle p',v'\rangle}
\\[2ex]
11\;\dfrac{\langle p,v\rangle\vdash,\;\langle q,v\rangle\vdash}{\langle p\;{}_A\|_B\;q,v\rangle\vdash}\qquad
12\;\dfrac{\langle p,v\rangle\downarrow,\;\langle q,v\rangle\downarrow}{\langle p\;{}_A\|_B\;q,v\rangle\downarrow}\qquad
13\;\dfrac{\langle p,v\rangle\xrightarrow{a}\langle p',v'\rangle,\;\langle q,v\rangle\xrightarrow{a}\langle q',v'\rangle,\; a\in A\cap B}{\langle p\;{}_A\|_B\;q,v\rangle\xrightarrow{a}\langle p'\;{}_A\|_B\;q',v'\rangle}
\\[2ex]
14\,(15)\;\dfrac{\langle p,v\rangle\xrightarrow{a}\langle p',v'\rangle,\;\langle q,v\rangle\vdash,\;\langle q,v'\rangle\vdash,\; a\in A\setminus B\;(a\in B\setminus A)}{\langle p\;{}_A\|_B\;q,v\rangle\xrightarrow{a}\langle p'\;{}_A\|_B\;q,v'\rangle}
\\[2ex]
16\;\dfrac{v(\phi)=\mathit{ff}}{\langle \phi:\to p,v\rangle\vdash}\qquad
17\;\dfrac{\langle p,v\rangle\vdash,\; v(\phi)=\mathit{tt}}{\langle \phi:\to p,v\rangle\vdash}\qquad
18\;\dfrac{\langle p,v\rangle\downarrow,\; v(\phi)=\mathit{tt}}{\langle \phi:\to p,v\rangle\downarrow}\qquad
19\;\dfrac{\langle p,v\rangle\xrightarrow{a}\langle p',v'\rangle,\; v(\phi)=\mathit{tt}}{\langle \phi:\to p,v\rangle\xrightarrow{a}\langle p',v'\rangle}
\\[2ex]
20\;\dfrac{\langle p,v\rangle\vdash,\; v(\phi)=\mathit{tt}}{\langle \phi\curlywedge p,v\rangle\vdash}\qquad
21\;\dfrac{\langle p,v\rangle\downarrow,\; v(\phi)=\mathit{tt}}{\langle \phi\curlywedge p,v\rangle\downarrow}\qquad
22\;\dfrac{\langle p,v\rangle\xrightarrow{a}\langle p',v'\rangle,\; v(\phi)=\mathit{tt}}{\langle \phi\curlywedge p,v\rangle\xrightarrow{a}\langle p',v'\rangle}
\\[2ex]
23\;\dfrac{\langle \mu p.E,v\rangle\vdash,\; X=p\in E}{\langle \mu X.E,v\rangle\vdash}\qquad
24\;\dfrac{\langle \mu p.E,v\rangle\downarrow,\; X=p\in E}{\langle \mu X.E,v\rangle\downarrow}\qquad
25\;\dfrac{\langle \mu p.E,v\rangle\xrightarrow{a}\langle p',v'\rangle,\; X=p\in E}{\langle \mu X.E,v\rangle\xrightarrow{a}\langle p',v'\rangle}
\end{array}$$

We extend the labeled transition relation to a trace transition relation by defining ⟨p, v⟩ −t→* ⟨p', v'⟩ for t = a_1 … a_n ∈ 𝒜*, where for n = 0 we have the empty trace t = ε with ⟨p, v⟩ −ε→* ⟨p, v⟩, whereas for n > 0 we have ⟨p, v⟩ −a_1→ ⟨p_1, v_1⟩ −a_2→ ⟨p_2, v_2⟩ −a_3→ … −a_n→ ⟨p', v'⟩ for some p_1, …, p_{n−1} ∈ P, v_1, …, v_{n−1} ∈ V, and a_1, …, a_n ∈ 𝒜. The prefix-closed language [2] generated by p then is

L(p) ≜ {t ∈ 𝒜* | ⟨p, v⟩ −t→* ⟨p', v'⟩ for some v, v' ∈ V and p' ∈ P}.

In [7], partial bisimulation has been identified as a behavioral relation that is suitable to capture the notion of controllability for nondeterministic systems. Here, we extend it to handle the signal valuations by following the approach of [17], [6] for standard bisimulation. We consider a relation R ⊆ P × P to be a partial bisimulation with respect to a bisimulation action set B ⊆ 𝒜, if for all (p, q) ∈ R and v ∈ V it holds that:

1) ⟨p, v⟩ ↓ if and only if ⟨q, v⟩ ↓;
2) if ⟨p, v⟩ −a→ ⟨p', v'⟩ for a ∈ 𝒜, then there exists q' ∈ P with ⟨q, v⟩ −a→ ⟨q', v'⟩ and (p', q') ∈ R;
3) if ⟨q, v⟩ −b→ ⟨q', v'⟩ for b ∈ B, then there exists p' ∈ P with ⟨p, v⟩ −b→ ⟨p', v'⟩ and (p', q') ∈ R.

We say that p is partially bisimilar to q for B, notation p ≤_B q, if there exists a partial bisimulation relation R with respect to B such that (p, q) ∈ R. It is not difficult to show that partial bisimilarity is a preorder on the process terms in P [17], [7]. Moreover, it can be shown to be a precongruence for all operators following the guidelines of [6], [17], so we can build standard term models and develop axiomatizations as in [6].

III. SUPERVISORY CONTROL

To model interaction with sensors and actuators, we split the actions in the standard way into controllable actions C and uncontrollable actions U [2], [3], where 𝒜 = C ∪ U and C ∩ U = ∅. We can model the plant by any process p ∈ P. The supervisor, however, must be deterministic, as it sends feedback to the plant in terms of synchronizing controllable events [7], while observing the state of the plant, identified by the emitted propositional signals. The supervisor must also synchronize on successful termination. Thus, we specify the supervisor as s ≜ μS.E_S, where E_S has the following form:

E_S = { S = Σ_{c∈C} φ_c :→ c.S + Σ_{u∈U} u.S + φ_1 :→ 1 },   (1)

where Σ_{i∈I} p_i is the alternative composition of the processes p_i for i ∈ I if I ≠ ∅, or 0 otherwise. The supervisor of form (1) enables the controllable event c ∈ C depending on the signal observation φ_c ∈ B, which actually specifies the supervision action [9]. All uncontrollable events are always enabled [3], whereas the successful termination constant is enabled in the states identified by φ_1. Now, the supervised plant can be specified as p ‖ s. To specify controllability of the supervised behavior, i.e., the property that the supervisor does not disable uncontrollable events in the plant, we employ partial bisimilarity and require

p ‖ s ≤_U p [7].   (2)
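The following Python is an added example, not code from the paper or its tools: it computes the largest partial bisimulation between two finite labeled transition systems as a greatest fixpoint (items 1–3 of the definition above, with the valuations folded into the states, so an LTS is just states, initial state, transitions and terminating states) and uses it to decide relation (2) on a constructed toy plant whose controllable event c is nondeterministic. The event names, the two candidate supervised plants and all Python names are constructed for the example.

```python
"""Partial bisimulation (Section II) as a greatest fixpoint on finite LTSs, used
as the controllability check p || s <=_U p of relation (2).  Added example for
this page, not the authors' code.  An LTS is a tuple
(states, initial, transitions as a set of (src, event, dst), terminating states)."""

def partial_bisimulation(lts_p, lts_q, bisim_events):
    """Largest relation R such that for every (p, q) in R:
       1) p terminates iff q terminates;
       2) every p -a-> p' is matched by some q -a-> q' with (p', q') in R;
       3) every q -b-> q', b in bisim_events, is matched by some p -b-> p'."""
    states_p, _, trans_p, term_p = lts_p
    states_q, _, trans_q, term_q = lts_q

    def succ(trans, s, a):
        return {d for (x, e, d) in trans if x == s and e == a}

    def events(trans, s):
        return {e for (x, e, _) in trans if x == s}

    # Start from all pairs that agree on termination (item 1) and refine until
    # items 2 and 3 hold for every remaining pair (greatest fixpoint).
    rel = {(p, q) for p in states_p for q in states_q if (p in term_p) == (q in term_q)}
    while True:
        keep = set()
        for p, q in rel:
            simulated = all(any((p2, q2) in rel for q2 in succ(trans_q, q, a))
                            for a in events(trans_p, p) for p2 in succ(trans_p, p, a))
            bisimulated = all(any((p2, q2) in rel for p2 in succ(trans_p, p, b))
                              for b in events(trans_q, q) & bisim_events
                              for q2 in succ(trans_q, q, b))
            if simulated and bisimulated:
                keep.add((p, q))
        if keep == rel:
            return rel
        rel = keep

def partially_bisimilar(lts_p, lts_q, bisim_events):
    """p <=_B q: the initial states are related by some partial bisimulation."""
    return (lts_p[1], lts_q[1]) in partial_bisimulation(lts_p, lts_q, bisim_events)

# Constructed toy plant: controllable c and d, uncontrollable u.  After c the plant
# nondeterministically ends up in state 1 (only u possible) or state 2 (d or u).
UNCONTROLLABLE = {"u"}
PLANT = ({0, 1, 2, 3, 4, 5}, 0,
         {(0, "c", 1), (0, "c", 2), (1, "u", 3), (2, "d", 4), (2, "u", 5)}, {3, 4, 5})
# Candidate A: the supervisor disables only the controllable event d.
SUPERVISED_OK = ({0, 1, 2, 3, 5}, 0,
                 {(0, "c", 1), (0, "c", 2), (1, "u", 3), (2, "u", 5)}, {3, 5})
# Candidate B: the supervisor also "disables" u in state 1, which no implementation
# can enforce; partial bisimulation for U rejects it although plain simulation does not.
SUPERVISED_BAD = ({0, 1, 2, 4, 5}, 0,
                  {(0, "c", 1), (0, "c", 2), (2, "d", 4), (2, "u", 5)}, {4, 5})

def controllable(supervised, plant):
    """Relation (2): supervised <=_U plant."""
    return partially_bisimilar(supervised, plant, UNCONTROLLABLE)

if __name__ == "__main__":
    print("A controllable:", controllable(SUPERVISED_OK, PLANT))
    print("B controllable:", controllable(SUPERVISED_BAD, PLANT))
    print("B merely simulated by plant:", partially_bisimilar(SUPERVISED_BAD, PLANT, set()))
```

With the bisimulation set empty the check degenerates to plain simulation, which candidate B passes; with B = U it fails exactly because the plant's u-transition from state 1 has no counterpart, which is the situation relation (2) is meant to exclude.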

Relation (2) states that the controllable events can only be simulated, but once a state that has outgoing uncontrollable actions is reached, its uncontrollable transitions must be bisimulated. In the deterministic case, this definition amounts to the standard language-based controllability of [2], [3], [7]. We state the control requirements directly in terms of states, i.e., in terms of the signals that the state is emitting, and additionally, one can specify which events are allowed with respect to the emitted signals [4], [5]. The control requirements S are specified using the syntax induced by

S ::= −a→ ⇒ φ | φ ⇒ −a↛ | φ,

for a ∈ 𝒜 and φ ∈ B, where −a↛ denotes the exclusion of outgoing transitions labeled by a. A given control requirement r ∈ S is satisfied with respect to process p ∈ P in the (consistent) valuation v ∈ V, notation ⟨p, v⟩ ⊨ r, according to the following operational rules:

$$\begin{array}{c}
26\;\dfrac{\langle p,v\rangle\models \neg\phi\Rightarrow \overset{a}{\nrightarrow}}{\langle p,v\rangle\models \xrightarrow{a}\Rightarrow\phi}\qquad
27\;\dfrac{v(\phi)=\mathit{ff}}{\langle p,v\rangle\models \phi\Rightarrow\overset{a}{\nrightarrow}}\qquad
28\;\dfrac{\{\langle p',v'\rangle \mid \langle p,v\rangle\xrightarrow{a}\langle p',v'\rangle\}=\emptyset}{\langle p,v\rangle\models \phi\Rightarrow\overset{a}{\nrightarrow}}\qquad
29\;\dfrac{v(\phi)=\mathit{tt}}{\langle p,v\rangle\models\phi}
\end{array}$$

The first form of control requirements is introduced for modeling convenience as a frequently occurring case [5]. It is equivalent to the second form, as given by rule 26. Rule 27 states that if the state does not emit the conditional signal, then the requirement is trivially satisfied. Rule 28 states that a state-transition exclusion requirement [4], [5] is satisfied if no transition with the excluded label is possible. Rule 29 states that a state-exclusion requirement [4], [5] restricts the emitted signals, thus disabling forbidden states, and must be upheld in every state. To ensure that the requirements are satisfied for every reachable state, we extend ⊨ to ⊨*, where ⟨p, v⟩ ⊨* r if ⟨p', v'⟩ ⊨ r for every p' ∈ P and v' ∈ V such that ⟨p, v⟩ −t→* ⟨p', v'⟩ for some t ∈ 𝒜*. Now, we ensure that the supervised plant respects the control requirements, given by a set C ⊆ S, by requiring that for every v ∈ V such that ⟨p ‖ s, v⟩ ⊢ it holds that

⟨p ‖ s, v⟩ ⊨* ⋀_{r∈C} r.   (3)

We model the plant and specify the control requirements in the tool Supremica [8]. The tool does not provide direct support for propositional signals; instead, we employ one finite integer variable per plant automaton that is assigned a unique value for each state, with initial value 1. Equality of a variable with a given value identifies the propositional symbols, e.g., if the variable X is employed for identification of an automaton with two states, then X == 1 is the signal that identifies the initial state, whereas X == 2 is the signal that identifies the other state. Using these propositional signals, Supremica provides support for guarded commands that are placed on the labeled transitions. Supremica also does not enable us to directly specify the state-based control requirements. Instead, we employ control requirements comprising self-loops that are guarded by a propositional formula that relates to the original control requirement.
For example, if the control requirement is φ ⇒ −a↛, then the transition labeled by the event a is enabled only in states for which ¬φ holds and which have outgoing transitions labeled by a. This is equivalent to having a control requirement automaton with a single state in which we place a self-loop labeled by a and guarded by ¬φ. It is not difficult to deduce from the example that this provides a method for modeling state-transition requirements [4], [5]. To model state-exclusion control requirements, we employ the notion of forbidden states. A state can be marked as forbidden in Supremica, meaning that the supervisor must eliminate all controllable events that lead to that state and it must eliminate all states that reach that state by a trace comprising only uncontrollable events [8]. Now, according to rule 29 above, if a state-exclusion requirement ψ is given, then all states that satisfy ¬ψ must be eliminated. To this end, we add a plant automaton that contains one uncontrollable transition with a uniquely-named label that has not been used in the modeling of the plant, and let it target a forbidden state. This transition is guarded by ¬ψ, so all states that satisfy this guard will be marked forbidden and, ultimately, eliminated. After the supervised plant has been obtained in Supremica, we use the translation tool Supremica2UPPAAL [11] to obtain a UPPAAL model. Since UPPAAL supports the same variable type, we can employ the same propositional signals to identify states in UPPAAL. As the supervised plant does not synchronize with the environment and is treated as a closed system, we translate all labeled transitions as outgoing broadcast channels. Thus, the translation preserves both the propositional signals and the transition structure of the labeled transitions of the supervised plant. The final step is to model check the supervised plant, for which UPPAAL provides several schemes of temporal logic formulas that can express both safety and liveness properties [10]. We employ the tool to validate the obtained supervised behavior by model checking safety properties induced by the control requirements, as well as to verify that our supervised system is live and performing as intended.

Fig. 3. Printing process function (control architecture): Printer Controller; Embedded Software with Managers and Functions; the Printing Process Function with the controllers Target Power Mode (_TargetStb, _TargetRun) and Maintenance Scheduling (SchedOper, _ExecOperNow), the procedures Status Procedure / Coordinator (OperStart, Run2Stdb, Stdb2Run, _InRun, _InStdb, _OperFinished, _ToSoftDln, _ToHardDln), Current Power Mode, Maintenance Operation and Page Counter; Devices; Hardware.

IV. COORDINATING A PRINTING PROCESS

We are dealing with the high-tech printers of [12], the control architecture of which is abstractly depicted in Fig. 3. In this paper, we remodel the case study using the proposed process theory and implement the model in Supremica, where we synthesize a supervisor. Afterwards, we translate the supervised plant to UPPAAL and verify that the control is meaningful, i.e., that the intended functionality is preserved. The user initiates print jobs, which are assigned to the embedded software by the printer controller in order to actuate the hardware to realize them. The embedded software is organized in a distributed way, per functional aspect, such as paper path, printing process, etc. Several managers communicate with the printer controller and with each other to assign tasks to functions, which take care of the functional aspects. We depict a printing process function comprising one maintenance operation in Fig. 3. Each function hierarchically differentiates (1) controllers: Target Power Mode and Maintenance Scheduling, which receive control and scheduling tasks from the managers; (2) procedures: Status

Fig. 4. Supremica model of the plant: one automaton per procedure, with the integer variable of the automaton assigned on its transitions (initial state = 1) and uncontrollable events prefixed by an underscore.

Current Power Mode (CPM): Standby −Stdb2Run [CPM = 2]→ Starting −_InRun [CPM = 3]→ Run −Run2Stdb [CPM = 4]→ Stopping −_InStdb [CPM = 1]→ Standby.
Page Counter (PC): NoDeadline −_ToSoftDln [PC = 2]→ SoftDeadline −_ToHardDln [PC = 3]→ HardDeadline; from each of the three states, _OperFinished [PC = 1] returns to NoDeadline.
Target Power Mode (TPM): TargetStb −_TargetRun [TPM = 2]→ TargetRun −_TargetStb [TPM = 1]→ TargetStb.
Maintenance Scheduling (MS): NotScheduled −SchedOper [MS = 2]→ Scheduled −_ExecOperNow [MS = 3]→ ExecuteNow −_OperFinished [MS = 1]→ NotScheduled.
Maintenance Operation (MO): OperIdle −OperStart [MO = 2]→ OperInProg −_OperFinished [MO = 1]→ OperIdle.

Fig. 5. Control requirements in Supremica. State-exclusion requirement 1): an added plant automaton Blocking −_block [MO == 2 & CPM != 1]→ Forbidden. Transition-exclusion requirements 2), 3), and 4): a single-state automaton Req with the guarded self-loops SchedOper [(PC == 2 & TPM != 2) | PC == 3], OperStart [MS == 3], Stdb2Run [TPM == 2 & MS != 3], and Run2Stdb [TPM == 1 | MS == 3].

Procedure, Current Power Mode, Maintenance Operation, and Page Counter, which handle specific tasks and actuate devices; and (3) devices, as hardware interface. Status Procedure is responsible for coordinating the other procedures given the input from the controllers. The control problem is to synthesize a supervisory coordinator that ensures that the quality of printing is not compromised by timely performing maintenance procedures, while interrupting ongoing print jobs as little as possible [12]. We define the coordination rules that ensure safe behavior of the system below. We briefly describe the procedures, the Supremica models of which are depicted in Fig. 4. Automata and procedure names coincide, whereas state names (in sans serif) hint at the physical representation. The uncontrollable events are underscored, whereas variable assignments are placed below transition labels. Current Power Mode (CPM) sets the power mode to run or standby depending on the enabling signals from Status Procedure. Maintenance Operation (MO) either carries out a maintenance operation or it is idle. The confirmation is sent back by the event _OperFinished, which synchronizes Maintenance Scheduling (MS), Maintenance Operation, and Page Counter (PC). Page Counter counts the printed pages since the last maintenance and sends signals when soft or hard deadlines are reached. A soft deadline signals that maintenance should be performed, but it is not yet compulsory if there are pending print jobs. A hard deadline is reached when maintenance of the printing process must be performed to ensure the quality of the print. The page counter is reset, triggered by the synchronization on _OperFinished, each time that maintenance is finished. Target Power Mode (TPM) sends signals regarding incoming print jobs to Status Procedure, which should set the printing process to run mode for printing and to standby mode for maintenance and power saving.
Maintenance Scheduling receives a request for maintenance from Status Procedure and forwards it to the manager. The manager confirms the scheduling with the other functions and sends a response back to Status Procedure. It also receives feedback from Maintenance Operation in order to reset the scheduling, again triggered by _OperFinished. We can specify the plant that models the Printing Process Function by the process term ppf ∈ P:

ppf ≜ μCPM.E ‖ μPC.E ‖ μTPM.E ‖ μMS.E ‖ μMO.E,

where the recursive specification E ∈ ℰ is given by:

CPM = StandBy ⋏ Stdb2Run.(Starting ⋏ _InRun.(Run ⋏ Run2Stdb.(Stopping ⋏ _InStdb.CPM)))
PC  = NoDeadline ⋏ (_ToSoftDln.PC1 + _OperFinished.PC)
PC1 = SoftDeadline ⋏ (_ToHardDln.PC2 + _OperFinished.PC)
PC2 = HardDeadline ⋏ _OperFinished.PC
TPM = TargetStb ⋏ _TargetRun.(TargetRun ⋏ _TargetStb.TPM)
MS  = NotScheduled ⋏ SchedOper.(Scheduled ⋏ _ExecOperNow.(ExecuteNow ⋏ _OperFinished.MS))
MO  = OperIdle ⋏ OperStart.(OperInProg ⋏ _OperFinished.MO)

Status Procedure is restricted by several coordination rules with the corresponding state-based control requirements:

1) Maintenance operations can be performed only when the printing process function is in standby:

OperInProg ⇒ StandBy.   (4)

2) Maintenance operations can be scheduled only if a soft deadline has been reached and there are no print jobs in progress, or a hard deadline has passed (NoJob is identified by ¬TargetRun, i.e., TPM != 2 in Fig. 5):

−SchedOper→ ⇒ (SoftDeadline ∧ NoJob) ∨ HardDeadline.   (5)

3) Only scheduled maintenance operations can be started:

−OperStart→ ⇒ ExecuteNow.   (6)

4) The power mode of the printing process function must follow the power mode dictated by the managers, unless overridden by a pending maintenance operation:

−Stdb2Run→ ⇒ TargetRun ∧ ¬ExecuteNow,   (7)

−Run2Stdb→ ⇒ TargetStb ∨ ExecuteNow.   (8)

The control requirements translated in Supremica are given in Fig. 5. We give an example concerning requirement 1).

The variable coupled with Current Power Mode is CPM and with Maintenance Operation is MO. The guards employing the variables that identify StandBy and OperInProg in Supremica notation [8] are CPM == 1 and MO == 2, respectively. Now, following the discussion in Section III, the guard for the transition to the forbidden state is CPM != 1 & MO == 2, where != denotes inequality. After the translation to UPPAAL is performed, we have to model the verification properties using the temporal logic supported by the tool. The logic is a restricted variant of CTL [10], where the combinations of the path quantifiers A and E, meaning for all paths and there exists a path, respectively, with the state quantifiers [] and <>, meaning for all states and there exists a state, respectively, are allowed, but without nesting. The standard logical operators are not, and, or, and imply, and deadlock denotes the presence of a deadlock in the system. A useful form, referred to as the leads-to operator and written φ --> ψ for φ, ψ ∈ B, is provided instead of nesting; it is equivalent to A[] (φ imply A<> ψ). We illustrate some of the properties that can be verified. First, we verify that Status Procedure does not have a deadlock, using the formula

A[] not deadlock.

(9)

Next, we check that the state-exclusion requirement is satisfied. For this task, we employ variables with the same names and values as in the Supremica model, as our translation preserves the variables with their corresponding assignments. Thus, we verify that

A[] MO == 2 imply CPM == 1.

(10)

Next, we check that if the system reaches a hard deadline and no maintenance operation is scheduled, then the maintenance operation becomes scheduled. This is specified as

PC == 3 and MS == 1 --> MS == 2.

(11)

To ascertain that the maintenance procedure can be scheduled when a soft deadline has been reached, i.e., that a state with SoftDeadline and Scheduled is reachable, we employ

E<> PC == 2 and MS == 2.

(12)

Finally, we can check that Status Procedure follows the commands from the Target Power Mode manager, by verifying that if the target power mode is run, then the printing process eventually switches to run mode as well:

TPM == 2 --> CPM == 3.

(13)

We note that the state-transition exclusion control requirements specify properties of states with respect to their outgoing transitions. As the system we are dealing with is deterministic, we can determine the target state of the transition and, thus, model check such requirements. However, this feature is not directly supported in UPPAAL, so for nondeterministic systems, one has to consider all target states, which may not be supported by the tool. This suggests that UPPAAL is suitable for verifying state reachability properties, but it might be difficult or involved to express properties that simultaneously consider states and their outgoing transitions.
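The following Python is an added example (not the authors' Supremica model and not the Supremica2UPPAAL tool): it re-enacts the pipeline of Sections III and IV on the Printing Process Function, with the automata of Fig. 4 in their integer encoding, requirements 2) to 4) of Fig. 5 as guards on the controllable events, requirement 1) as the forbidden-state guard MO == 2 & CPM != 1, a monolithic synthesis fixpoint (controllability plus nonblocking) standing in for Supremica, extraction of the per-event guards φ_c of form (1) as in [9], and state-based checks that mirror query (10) and relation (2). Marking only the initial state of every automaton is an assumption the page does not state, and all Python names are the example's own.

```python
"""Added example: Sections III and IV re-enacted in Python on the Printing Process
Function (plant of Fig. 4, requirements of Fig. 5), with a monolithic synthesis
fixpoint standing in for Supremica and reachability checks standing in for the
UPPAAL queries.  Not the authors' model or tool."""
from collections import deque

# Fig. 4 automata as {state: {event: target}}; state numbers are the values of the
# Supremica variable of the same name (initial state = 1).  A leading '_' marks an
# uncontrollable event, as in the figures.
PLANT = {
    "CPM": {1: {"Stdb2Run": 2}, 2: {"_InRun": 3}, 3: {"Run2Stdb": 4}, 4: {"_InStdb": 1}},
    "PC":  {1: {"_ToSoftDln": 2, "_OperFinished": 1},
            2: {"_ToHardDln": 3, "_OperFinished": 1}, 3: {"_OperFinished": 1}},
    "TPM": {1: {"_TargetRun": 2}, 2: {"_TargetStb": 1}},
    "MS":  {1: {"SchedOper": 2}, 2: {"_ExecOperNow": 3}, 3: {"_OperFinished": 1}},
    "MO":  {1: {"OperStart": 2}, 2: {"_OperFinished": 1}},
}
NAMES = list(PLANT)
ALPHABET = {n: {e for tr in a.values() for e in tr} for n, a in PLANT.items()}
EVENTS = set().union(*ALPHABET.values())
INIT = tuple(1 for _ in NAMES)
MARKED = {INIT}   # assumption: only the initial state is marked (not stated on the page)

def val(state):
    """Valuation of a composed state as {variable: value}."""
    return dict(zip(NAMES, state))

# Transition-exclusion requirements 2)-4): the guards of Fig. 5, verbatim.
REQUIREMENTS = {
    "SchedOper": lambda v: (v["PC"] == 2 and v["TPM"] != 2) or v["PC"] == 3,
    "OperStart": lambda v: v["MS"] == 3,
    "Stdb2Run":  lambda v: v["TPM"] == 2 and v["MS"] != 3,
    "Run2Stdb":  lambda v: v["TPM"] == 1 or v["MS"] == 3,
}

def forbidden(v):
    """State-exclusion requirement 1): the guard of the _block transition of Fig. 5."""
    return v["MO"] == 2 and v["CPM"] != 1

def successors(state, guards):
    """Automata-like parallel composition (rules 13-15): every automaton whose alphabet
    contains the event must enable it, the others keep their state; a controllable
    event additionally needs its guard to hold in the current valuation."""
    v, out = val(state), {}
    for e in EVENTS:
        parts = [n for n in NAMES if e in ALPHABET[n]]
        if all(e in PLANT[n][v[n]] for n in parts) and (e not in guards or guards[e](v)):
            out[e] = tuple(PLANT[n][v[n]].get(e, v[n]) for n in NAMES)
    return out

def explore(guards):
    """Reachable state space from INIT as {state: {event: target}}."""
    graph, todo = {}, deque([INIT])
    while todo:
        s = todo.popleft()
        if s not in graph:
            graph[s] = successors(s, guards)
            todo.extend(graph[s].values())
    return graph

def coreachable(graph, good):
    """States of `good` that can reach a marked state without leaving `good`."""
    co = MARKED & good
    while True:
        more = {s for s in good - co if any(t in co for t in graph[s].values())}
        if not more:
            return co
        co |= more

def synthesize(graph):
    """Supremal controllable and nonblocking state set: drop forbidden states, then
    repeatedly drop states with an uncontrollable transition into a dropped state
    (controllability) and states that cannot reach a marked state (nonblocking)."""
    good = {s for s in graph if not forbidden(val(s))}
    while True:
        bad = {s for s in good
               if any(e.startswith("_") and t not in good for e, t in graph[s].items())}
        bad |= good - coreachable(graph, good)
        if not bad:
            return good
        good -= bad

def supervised(graph, good):
    """Supervised plant p || s: the `good` states with the transitions that stay good."""
    return {s: {e: t for e, t in tr.items() if t in good}
            for s, tr in graph.items() if s in good}

def extracted_guard(sup, event):
    """Valuations in which the supervisor enables `event`: phi_c of form (1) as a set
    of states, which [9] would compress into a formula over the variables."""
    return [val(s) for s, tr in sup.items() if event in tr]

def controllable(sup, plant_graph):
    """Relation (2) for a deterministic plant: every uncontrollable event the plant
    enables in a reachable supervised state stays enabled there."""
    return all(e in sup[s] for s in sup for e in plant_graph[s] if e.startswith("_"))

def state_exclusion_holds(graph):
    """Query (10), A[] MO == 2 imply CPM == 1, over a reachable state space."""
    return not any(forbidden(val(s)) for s in graph)

if __name__ == "__main__":
    plant_graph, req_graph = explore({}), explore(REQUIREMENTS)
    sup = supervised(req_graph, synthesize(req_graph))
    print("1) holds with requirements 2)-4) only:", state_exclusion_holds(req_graph))
    print("1) holds after synthesis:", state_exclusion_holds(sup))
    print("controllable:", controllable(sup, plant_graph))
    print("OperStart enabled only for CPM in", sorted({v["CPM"] for v in extracted_guard(sup, "OperStart")}))
```

Running it shows the point of the forbidden-state encoding: with requirements 2) to 4) alone a state with MO == 2 and CPM != 1 is reachable, whereas after synthesis the guard read off for OperStart is MS == 3 strengthened with CPM == 1, and every uncontrollable event the plant can take stays enabled. Leads-to queries such as (11) and (13) are deliberately not reproduced: over a plain interleaving graph, A[] (φ imply A<> ψ) also quantifies over paths on which only the environment's uncontrollable events occur (for instance repeated _TargetRun and _TargetStb), so they need a progress or fairness assumption that this example does not model.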

V. CONCLUSION

We presented a state-based systems engineering framework based on a process theory that employs partial bisimulation to define controllability and signal emission to model state-based observations. We implemented the framework by employing two state-of-the-art tools: Supremica for supervisor synthesis and UPPAAL for state-based verification. To interface these tools, we built the translation tool Supremica2UPPAAL and successfully applied it to remodel an industrial case study involving a high-tech Océ printer. We synthesized a live supervisory coordinator for the maintenance procedures of the printing process function. The tools provided sufficient support for implementation of the framework, but we may need a more expressive model checker when dealing with nondeterministic plants.

REFERENCES

[1] N. Leveson, "The challenge of building process-control software," IEEE Software, vol. 7, no. 6, pp. 55–62, 1990.
[2] P. J. Ramadge and W. M. Wonham, "Supervisory control of a class of discrete-event processes," SIAM Journal on Control and Optimization, vol. 25, no. 1, pp. 206–230, 1987.
[3] C. Cassandras and S. Lafortune, Introduction to Discrete Event Systems. Kluwer Academic Publishers, 2004.
[4] C. Ma and W. M. Wonham, Nonblocking Supervisory Control of State Tree Structures, ser. Lecture Notes in Control and Information Sciences, vol. 317. Springer, 2005.
[5] J. Markovski, D. A. van Beek, R. J. M. Theunissen, K. G. M. Jacobs, and J. E. Rooda, "A state-based framework for supervisory control synthesis and verification," in Proceedings of CDC 2010. IEEE, 2010, pp. 3481–3486.
[6] J. C. M. Baeten, T. Basten, and M. A. Reniers, Process Algebra: Equational Theories of Communicating Processes, ser. Cambridge Tracts in Theoretical Computer Science, vol. 50. Cambridge University Press, 2010.
[7] J. C. M. Baeten, D. A. van Beek, B. Luttik, J. Markovski, and J. E. Rooda, "A process-theoretic approach to supervisory control theory," in Proceedings of ACC 2011. IEEE, 2011, pp. 4496–4501.
[8] K. Åkesson, M. Fabian, H. Flordal, and R. Malik, "Supremica - an integrated environment for verification, synthesis and simulation of discrete event systems," in Proceedings of WODES 2006. IEEE, 2006, pp. 384–385.
[9] S. Miremadi, K. Åkesson, and B. Lennartson, "Extraction and representation of a supervisor using guards in extended finite automata," in Proceedings of WODES 2008. IEEE, 2008, pp. 193–199.
[10] K. G. Larsen, P. Pettersson, and W. Yi, "UPPAAL in a nutshell," International Journal on Software Tools for Technology Transfer, vol. 1, no. 1–2, pp. 134–152, 1997.
[11] J. Markovski, "Supremica2UPPAAL transformation tool," sites.google.com/site/jasenmarkovski, 2012.
[12] J. Markovski, K. G. M. Jacobs, D. A. van Beek, L. J. A. M. Somers, and J. E. Rooda, "Coordination of resources using generalized state-based requirements," in Proceedings of WODES 2010. IFAC, 2010, pp. 300–305.
[13] R. Ziller and K. Schneider, "Combining supervisor synthesis and model checking," ACM Transactions on Embedded Computing Systems, vol. 4, no. 2, pp. 331–362, 2005.
[14] S. Jiang and R. Kumar, "Supervisory control of discrete event systems with CTL* temporal logic specifications," SIAM Journal on Control and Optimization, vol. 44, no. 6, pp. 2079–2103, 2006.
[15] K. T. Seow, "Integrating temporal logic as a state-based specification language for discrete-event control design in finite automata," IEEE Transactions on Automation Science and Engineering, vol. 4, no. 3, pp. 451–464, 2007.
[16] N. D'Ippolito, V. Braberman, N. Piterman, and S. Uchitel, "Synthesis of live behaviour models," in Proceedings of SIGSOFT FSE 2010. ACM, 2010, pp. 77–86.
[17] J. C. M. Baeten and J. A. Bergstra, "Process algebra with propositional signals," Theoretical Computer Science, vol. 177, pp. 381–405, 1997.