1 s2.0 S1474667015374267 Main
Abstract: This paper proposes a procedure to compute abstractions with the observer
property (OP) for discrete event systems. The procedure is a generalisation of an algorithm
proposed before by the authors, which is based on a quadratic algorithm to test whether a given
projection has the observer property. The new version proposed in this paper supports systems
that have cycles of non-relevant events, thus removing a restriction of the previous version.
Nevertheless, it retains its cubic complexity, which means that the method is asymptotically
faster than other methods proposed in the literature to solve the same problem.
In this framework, the behaviour of a Discrete Event System is described by strings of events taken from a finite alphabet $\Sigma$. The set of all finite strings of events in $\Sigma$, including the empty string $\varepsilon$, is denoted by $\Sigma^*$. A subset $L \subseteq \Sigma^*$ is called a language. The concatenation of strings $s, u \in \Sigma^*$ is written as $su$. A string $s \in \Sigma^*$ is called a prefix of $t \in \Sigma^*$, written $s \le t$, if there exists $u \in \Sigma^*$ such that $su = t$. The prefix-closure $\overline{L}$ of a language $L \subseteq \Sigma^*$ is the set of all prefixes of strings in $L$, i.e., $\overline{L} = \{\, s \in \Sigma^* \mid s \le t \text{ for some } t \in L \,\}$.

In this paper, finite-state automata are used to represent languages. A (nondeterministic) finite-state automaton is a tuple $G = (\Sigma, Q, \to, Q^\circ)$, where $\Sigma$ is the finite set of events, $Q$ is the set of states, ${\to} \subseteq Q \times \Sigma \times Q$ is the transition relation, and $Q^\circ \subseteq Q$ is the set of initial states. The automaton $G$ is said to be deterministic if $|Q^\circ| \le 1$ and $x \xrightarrow{\sigma} y_1$ and $x \xrightarrow{\sigma} y_2$ imply that $y_1 = y_2$.

The transition relation is extended to strings over $\Sigma^*$ by making $x \xrightarrow{\varepsilon} x$ for every $x \in Q$ and $x \xrightarrow{s\sigma} z$ if $x \xrightarrow{s} y$ and $y \xrightarrow{\sigma} z$ for some $y \in Q$. Also, $x \xrightarrow{s}$ means $x \xrightarrow{s} y$ for some $y \in Q$ and $x \to y$ means $x \xrightarrow{s} y$ for some $s \in \Sigma^*$. The notation $x \not\to y$ represents that there is no $s \in \Sigma^*$ such that $x \xrightarrow{s} y$, and $x \not\xrightarrow{s}$ if there is no $y \in Q$ such that $x \xrightarrow{s} y$. The notation can also be used in sets of states or automata such as: $X \xrightarrow{s} Y$ for $X, Y \subseteq Q$ means that $x \xrightarrow{s} y$ for some $x \in X$ and $y \in Y$, and $G \xrightarrow{s}$ means $Q^\circ \xrightarrow{s}$.

The generated language of $G$ is defined as $L(G) = \{\, s \in \Sigma^* \mid Q^\circ \xrightarrow{s} \,\}$. To express the marking of strings, the alphabet $\Sigma$ is assumed to contain the special event $\omega \in \Sigma$, which may only appear on selfloops, i.e., $x \xrightarrow{\omega} y$ implies $x = y$. The marked states of $G$ are indicated by selfloops labelled with the event $\omega$, and the marked language of $G$ is defined as $L_m(G) = \{\, s \in (\Sigma \setminus \{\omega\})^* \mid s\omega \in L(G) \,\}$. A state $x \in Q$ is accessible if $G \to x$, and co-accessible if $x \xrightarrow{t\omega}$ for some $t \in \Sigma^*$. An automaton $G$ is said to be accessible if all states are accessible and nonblocking if all accessible states are co-accessible.

Let $G = (\Sigma, Q, \to, Q^\circ)$ be an automaton and ${\sim} \subseteq Q \times Q$ be an equivalence relation on $Q$. The quotient automaton of $G$ is
$$G/{\sim} = (\Sigma,\ Q/{\sim},\ {\to}/{\sim},\ \tilde{Q}^\circ) , \qquad (1)$$
such that ${\to}/{\sim} = \{\, ([x], \sigma, [y]) \mid x' \xrightarrow{\sigma} y' \text{ for some } x' \in [x] \text{ and } y' \in [y] \,\}$ and $\tilde{Q}^\circ = \{\, [x^\circ] \mid x^\circ \in Q^\circ \,\}$. Here, $[x] = \{\, x' \in Q \mid x \sim x' \,\}$ denotes an equivalence class of $x \in Q$ and $Q/{\sim} = \{\, [x] \mid x \in Q \,\}$ is the set that includes all equivalence classes.

In this paper, $\Sigma$ is partitioned as $\Sigma = \Sigma_r \cup \Sigma_{nr}$, where $\Sigma_r$ is the set of relevant events and $\Sigma_{nr}$ is the set of non-relevant events. For $\Sigma_r \subseteq \Sigma$, the natural projection $\theta : \Sigma^* \to \Sigma_r^*$ maps sequences of events in $\Sigma^*$ to sequences of events in $\Sigma_r^*$ by erasing events that are not in $\Sigma_r$. This concept can be extended to languages by $\theta(L) = \{\, t \in \Sigma_r^* \mid t = \theta(s) \text{ for some } s \in L \,\}$. A property that characterises the natural projection is presented in the following.

Definition 1. (Wong et al., 2000) Let $L \subseteq \Sigma^*$ and $\theta : \Sigma^* \to \Sigma_r^*$ be the natural projection. If for all $s \in L$ and all $t \in \Sigma_r^*$ such that $\theta(s)t \in \theta(L)$, there exists $t' \in \Sigma^*$ such that $\theta(st') = \theta(s)t$ and $st' \in L$, then $\theta(L)$ has the observer property (OP).

In words, if a projection satisfies the observer property then the tasks that are performed in the abstracted, i.e., projected, automaton correspond uniquely to marked strings in the original automaton. The observer property is also applied to automata: $\theta(G)$ is called an OP-abstraction if $\theta(L_m(G))$ has the observer property (Pena et al., 2008).

3. VERIFICATION OF THE OBSERVER PROPERTY

In this section, the verifier introduced in (Pena et al., 2014) is described along with some of its properties and their use in the search of the observer property.

3.1 Constructing the Automaton $G_{nr}$

In order to deal with systems with cycles of non-relevant events, an automaton $G_{nr}$ is introduced. Let $G = (\Sigma, Q, \to, Q^\circ)$ be a deterministic nonblocking automaton, and let $\Sigma = \Sigma_r \cup \Sigma_{nr}$. The relation $\xrightarrow{nr} \subseteq Q \times Q$ is defined as follows:
$$x \xrightarrow{nr} y \iff x \xrightarrow{s} y \text{ for some } s \in \Sigma_{nr}^* ; \qquad (2)$$
$$x \xleftrightarrow{nr} y \iff x \xrightarrow{nr} y \text{ and } y \xrightarrow{nr} x . \qquad (3)$$
If $x \xleftrightarrow{nr} y$, then the states $x$ and $y$ are called strongly $\Sigma_{nr}$-connected states. If $G$ does not have two distinct $\Sigma_{nr}$-connected states, then it is said to be $\Sigma_{nr}$-acyclic. Any set of strongly $\Sigma_{nr}$-connected states is called a strongly $\Sigma_{nr}$-connected component ($\Sigma_{nr}$-SCC) of $G$.

If each $\Sigma_{nr}$-SCC of $G$ is contracted into a single state, the resulting automaton is a $\Sigma_{nr}$-acyclic automaton, and is called the strongly $\Sigma_{nr}$-connected component automaton $G_{nr}$. Formally, it is the quotient automaton
$$G_{nr} = G/{\xleftrightarrow{nr}} = (\Sigma,\ Q_{nr},\ \to_{nr},\ Q^\circ_{nr}) . \qquad (4)$$
By construction, $G_{nr}$ does not have cycles of non-relevant events (except for selfloops), namely, if $[x] \xleftrightarrow{nr} [y]$ then $[x] = [y]$. Also, for $y \in Q$, $[y]$ is a terminal component if, for all $\sigma \in \Sigma_{nr}$ and all $z \in Q$ such that $[y] \xrightarrow{\sigma} [z]$, it is true that $[y] = [z]$.

Example 2. The strongly connected components automaton $G_{nr}$ constructed from $G$ in Fig. 1 for $\Sigma_r = \{\lambda, \omega\}$ is shown in Fig. 2. The states 1, 2, and 3 form the $\Sigma_{nr}$-SCC $[1] = \{1, 2, 3\}$ in $G_{nr}$. Also, $[0] = \{0\}$ and $[4] = \{4\}$.

Fig. 1. Automaton $G$.

Fig. 2. Automaton $G_{nr}$.
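The construction of $G_{nr}$ from Section 3.1 (relations (2) and (3), quotient (4), and the terminal-component test) can be carried out mechanically. The Python code below is an added example written for this page, not code from the paper or its authors. Its sample automaton is an assumption: it is constructed so that its transitions agree with the ones the paper lists for Example 3 (states 0 to 4, $\Sigma_r = \{\lambda, \omega\}$, $\beta$ and $\gamma$ non-relevant, state 4 marked), and it is not a copy of Fig. 1. All function names are the example's own.

```python
"""Strongly Sigma_nr-connected components and the quotient automaton G_nr.

Added example (not the paper's code). The sample automaton below is
constructed to agree with the transitions the paper lists for Example 3;
it is an assumption, not a copy of Fig. 1.
"""
from collections import deque

# Constructed sample automaton G = (Sigma, Q, ->, Q0) as (source, event, target).
# Sigma_r = {lambda, omega}; beta and gamma are non-relevant. State 4 is the
# marked state, indicated by an omega selfloop as in the paper's convention.
SIGMA_R = {"lambda", "omega"}
SIGMA_NR = {"beta", "gamma"}
TRANSITIONS = [
    (0, "lambda", 1),
    (1, "lambda", 1),
    (1, "beta", 2),
    (2, "gamma", 3),
    (3, "gamma", 1),
    (3, "lambda", 4),
    (4, "omega", 4),
]
INITIAL = {0}


def nr_reach(transitions, sigma_nr, start):
    """States y with x -nr-> y (eq. (2)): reachable from start via Sigma_nr* only."""
    seen = {start}
    queue = deque([start])
    while queue:
        x = queue.popleft()
        for src, ev, dst in transitions:
            if src == x and ev in sigma_nr and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def nr_sccs(transitions, sigma_nr):
    """Map each state x to its class [x] under x <-nr-> y (eq. (3)).

    Two states are strongly Sigma_nr-connected when each reaches the other
    using non-relevant events only; the classes are the Sigma_nr-SCCs of G.
    """
    states = {q for src, _, dst in transitions for q in (src, dst)}
    reach = {x: nr_reach(transitions, sigma_nr, x) for x in states}
    return {x: frozenset(y for y in states if y in reach[x] and x in reach[y])
            for x in states}


def quotient_gnr(transitions, initial, classes):
    """G_nr = G / <-nr-> (eq. (4)): contract every Sigma_nr-SCC into one state."""
    q_nr = set(classes.values())
    arrows = {(classes[src], ev, classes[dst]) for src, ev, dst in transitions}
    q0_nr = {classes[x] for x in initial}
    return q_nr, arrows, q0_nr


def is_nr_acyclic(arrows, sigma_nr):
    """True when no two distinct classes of G_nr are strongly Sigma_nr-connected,
    i.e. the only non-relevant cycles left are selfloops."""
    return all(len(c) == 1 for c in nr_sccs(list(arrows), sigma_nr).values())


def terminal_components(q_nr, arrows, sigma_nr):
    """Classes [y] whose every Sigma_nr transition is a selfloop [y] -> [y]."""
    return {c for c in q_nr
            if all(dst == c for src, ev, dst in arrows
                   if src == c and ev in sigma_nr)}


if __name__ == "__main__":
    classes = nr_sccs(TRANSITIONS, SIGMA_NR)
    q_nr, arrows, q0_nr = quotient_gnr(TRANSITIONS, INITIAL, classes)
    print("classes:", {x: sorted(c) for x, c in sorted(classes.items())})
    print("G_nr transitions:",
          sorted((sorted(a), e, sorted(b)) for a, e, b in arrows))
    print("Sigma_nr-acyclic:", is_nr_acyclic(arrows, SIGMA_NR))
    print("terminal components:",
          [sorted(c) for c in terminal_components(q_nr, arrows, SIGMA_NR)])
```

On the constructed automaton the classes come out as $[1] = \{1, 2, 3\}$, $[0] = \{0\}$ and $[4] = \{4\}$, matching Example 2, and the two $\gamma$ transitions inside the SCC collapse into a single $\gamma$ selfloop of $[1]$ in $G_{nr}$. The reachability-based SCC computation is quadratic in the number of transitions; a linear-time algorithm (Tarjan) would be the usual choice for large automata.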
351
WODES 2014
Cachan, France. May 14-16, 2014
verifier, that can be exploited in the search for the observer property in the presence of cycles of non-relevant events.

4.1 Constructing the Hybrid Verifier

Unsafe Root States. To construct the hybrid verifier, the start states of the paths in Proposition 6 are examined more closely. Given a verifier $V_G$, the set $Q^{ur}_V$ of unsafe root states is defined as follows:
$$Q^{ur}_V = \{\, \{[x]\} \in Q_V \setminus \{\bot\} \mid \{[x]\} \text{ is the start state of a path (8)} \,\} . \qquad (9)$$
In words, unsafe root states are singleton verifier states that initiate paths composed only of states of cardinality two that reach the state $\bot$. We denote the unsafe root states in $Q^{ur}_V$ by $\{u_i\}$ where $u_i = [x_i]$ is a $\Sigma_{nr}$-SCC of $G$. Thus, the set $Q^{ur}_V$ of unsafe root states can also be written as $Q^{ur}_V = \{\{u_1\}, \ldots, \{u_n\}\}$ where $n = |Q^{ur}_V|$. In Example 3, there is only one unsafe root state, so that $Q^{ur}_V = \{\{u_1\}\}$ with $u_1 = [1]$.

Given an unsafe root state $\{u_i\} \in Q^{ur}_V$, we define the expansion of $\{u_i\}$ as the following structure:
$$(\Omega_i, \to_i) \qquad (10)$$
where
• $\Omega_i = \{\, P \subseteq u_i \mid 1 \le |P| \le 2 \,\}$ is a set with elements of the type $\{x, y\}$ or $\{x\}$, with $x, y \in u_i$.
• ${\to_i} \subseteq \Omega_i \times \Sigma \times \Omega_i$ is a transition relation, defined for $\{x, y\}, \{x', y'\} \in \Omega_i$ and $\sigma \in \Sigma$ as:
  · $\{x, y\} \xrightarrow{\sigma}_i \{x', y'\}$ if $\sigma \in \Sigma_r$, $x \xrightarrow{\sigma} x'$ such that $x' \in u_i$, and $y \xrightarrow{\sigma} y'$ such that $y' \in u_i$;
  · $\{x, y\} \xrightarrow{\sigma}_i \{x', y\}$ if $\sigma \in \Sigma_{nr}$ and $x \xrightarrow{\sigma} x'$ such that $x' \in u_i$.
Again, if $x = y$, then a pair $\{x, y\} \in \Omega_i$ is simply written as $\{x\}$.

The structure $(\Omega_i, \to_i)$ can be obtained from $\{u_i\} \in Q^{ur}_V$ by arbitrarily choosing an element $\{x, y\}$, with $x, y \in u_i$, and applying recursively and exhaustively the definition of the transition relation $\to_i$. In the trivial case, where $u_i = \{x_i\}$ is a one-state $\Sigma_{nr}$-SCC, the structure $(\Omega_i, \to_i)$ consists of only the state $x_i$.

For instance, expansion of the unsafe root state $\{u_i\} = \{[1]\}$ in Example 3 gives the set $\Omega_i = \{\{1\}, \{2\}, \{3\}, \{1, 2\}, \{1, 3\}, \{2, 3\}\}$ and the transitions $\{1\} \xrightarrow{\lambda}_i \{1\}$, $\{1\} \xrightarrow{\beta}_i \{1, 2\}$, $\{1, 2\} \xrightarrow{\beta}_i \{2\}$, $\{1, 2\} \xrightarrow{\gamma}_i \{1, 3\}$, $\{2\} \xrightarrow{\gamma}_i \{2, 3\}$, $\{1, 3\} \xrightarrow{\gamma}_i \{1\}$, $\{1, 3\} \xrightarrow{\beta}_i \{2, 3\}$, $\{2, 3\} \xrightarrow{\gamma}_i \{1, 2\}$, $\{2, 3\} \xrightarrow{\gamma}_i \{3\}$ and $\{3\} \xrightarrow{\gamma}_i \{1, 3\}$.

Each expansion $(\Omega_i, \to_i)$ corresponds to a unique unsafe root state $\{u_i\} \in Q^{ur}_V$. Moreover, it can be shown that $(\Omega_i, \to_i)$ forms a $\Sigma_{nr}$-SCC (Bravo, 2012). Thus, we define a new structure in the following way:
$$(\Omega_{total}, \to_{total}) \qquad (11)$$
where
$$\Omega_{total} = \bigcup_{i=1}^{n} \Omega_i \qquad (12)$$
$$\to_{total} = \bigcup_{i=1}^{n} \to_i . \qquad (13)$$

Input and Output Transitions. Given an unsafe root state $\{u_i\} \in Q^{ur}_V$, we furthermore define the set of input/output transitions
$$\to^{in/out}_i \subseteq \big((Q_V \setminus Q^{ur}_V) \cup \Omega_{total}\big) \times \Sigma \times \big((Q_V \setminus Q^{ur}_V) \cup \Omega_{total}\big)$$
for $\sigma \in \Sigma$, $\{x, y\} \in \Omega_i$, $\{[z], [w]\} \in Q_V \setminus Q^{ur}_V$, $\{u_j\} \in Q^{ur}_V$, with $j \ne i$, and $\{x', y'\} \in \Omega_j$ as follows:
(i) $\{[z], [w]\} \xrightarrow{\sigma}{}^{in/out}_{i} \{x, y\}$, if $\{[z], [w]\} \xrightarrow{\sigma}_V \{u_i\}$ and either:
  • $\sigma \in \Sigma_r$, $\exists z' \in [z]$ such that $z' \xrightarrow{\sigma} x$ and $\exists w' \in [w]$ such that $w' \xrightarrow{\sigma} y$; or
  • $\sigma \in \Sigma_{nr}$, $\exists z' \in [z]$ such that $z' \xrightarrow{\sigma} x$ and $y \in [w]$;
(ii) $\{x, y\} \xrightarrow{\sigma}{}^{in/out}_{i} \{[z], [w]\}$, if $\{u_i\} \xrightarrow{\sigma}_V \{[z], [w]\}$ and either:
  • $\sigma \in \Sigma_r$, $\exists z' \in [z]$ such that $x \xrightarrow{\sigma} z'$ and $\exists w' \in [w]$ such that $y \xrightarrow{\sigma} w'$; or
  • $\sigma \in \Sigma_{nr}$ and $\exists z' \in [z]$ such that $x \xrightarrow{\sigma} z'$ and $y \in [w]$;
(iii) $\{x, y\} \xrightarrow{\sigma}{}^{in/out}_{i} \{x', y'\}$, if $\{u_i\} \xrightarrow{\sigma}_V \{u_j\}$, $x \xrightarrow{\sigma} x'$, and $y \xrightarrow{\sigma} y'$.

The transitions $\to^{in/out}_i$ link expanded states in a set $\Omega_i$ to other states. (i) represents transitions from states $\{[z], [w]\}$ that are not unsafe root states into $\Omega_i$, and (ii) represents transitions from $\Omega_i$ to states that are not unsafe root states. The last case (iii) represents transitions between the expansions $\Omega_i$ and $\Omega_j$ of two different unsafe root states $\{u_i\} \ne \{u_j\}$. It is justified by Proposition 5, where transitions in $V_G$ that connect states of the form $\{u_i\}$ and $\{u_j\}$ are labelled only by relevant events.

The complete set of input and output transitions for the set of unsafe root states $Q^{ur}_V$ is then:
$$\to^{in/out}_{total} = \bigcup_{i=1}^{n} \to^{in/out}_i . \qquad (14)$$
For instance, the input and output transitions for the unsafe root state $\{u_i\} = \{[1]\}$ in Example 3 are $\{[0]\} \xrightarrow{\lambda}{}^{in/out}_{i} \{1\}$, $\{1, 3\} \xrightarrow{\lambda}{}^{in/out}_{i} \{[1], [4]\}$, and $\{3\} \xrightarrow{\lambda}{}^{in/out}_{i} \{[4]\}$.

Old Transitions. The set of old transitions, defined as
$$\to_{old} = \{\, (A, \sigma, B) \in {\to_V} \mid A \in Q^{ur}_V \text{ or } B \in Q^{ur}_V \,\} \qquad (15)$$
consists of all transitions of the verifier $V_G$ that are linked to an unsafe root state in $Q^{ur}_V$. These transitions are removed and replaced by the transitions in $\to^{in/out}_i$ and $\to_i$ to construct the hybrid verifier.

The old transitions for the unsafe root state $\{u_i\} = \{[1]\}$ in Example 3 are $\{[0]\} \xrightarrow{\lambda}_{old} \{[1]\}$, $\{[1]\} \xrightarrow{\lambda}_{old} \{[1]\}$, $\{[1]\} \xrightarrow{\beta}_{old} \{[1]\}$, $\{[1]\} \xrightarrow{\gamma}_{old} \{[1]\}$, $\{[1]\} \xrightarrow{\lambda}_{old} \{[4]\}$ and $\{[1]\} \xrightarrow{\lambda}_{old} \{[1], [4]\}$.

Hybrid Verifier. Given the above definitions, the hybrid verifier is the automaton $V_H = (\Sigma, Q_H, \to_H, Q^\circ_H)$ where:
• $Q_H = (Q_V \setminus Q^{ur}_V) \cup \Omega_{total}$;
• ${\to_H} = ({\to_V} \setminus {\to_{old}}) \cup {\to_{total}} \cup {\to^{in/out}_{total}}$; and
• If $Q^\circ_V \notin Q^{ur}_V$, then $Q^\circ_H = Q^\circ_V$, otherwise $Q^\circ_H = \{Q^\circ\}$.

To build the hybrid verifier $V_H$ from $V_G$, $G$ and $\Sigma_r$, the first step is to identify the set of unsafe root states $\{u_i\}$
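The expansion $(\Omega_i, \to_i)$ of structure (10) is described in the text as the result of picking an arbitrary element of $\Omega_i$ and applying the two rules of $\to_i$ recursively and exhaustively. The Python code below is an added example written for this page, not code from the paper or its authors, showing that procedure as a worklist search over unordered pairs. Its sample automaton is an assumption: it is constructed so that its transitions agree with the ones the paper lists for Example 3, and is not a copy of Fig. 1; $u_i = [1] = \{1, 2, 3\}$ is the unsafe root state the paper names in Example 3. Function names are the example's own.

```python
"""Expansion (Omega_i, ->_i) of an unsafe root state {u_i}, structure (10).

Added example (not the paper's code). The sample automaton is constructed to
agree with the transitions the paper lists for Example 3 (an assumption, not
a copy of Fig. 1); u_i = [1] = {1, 2, 3} is the unsafe root state of Example 3.
"""
from collections import deque

SIGMA_R = {"lambda", "omega"}
SIGMA_NR = {"beta", "gamma"}
TRANSITIONS = [
    (0, "lambda", 1),
    (1, "lambda", 1),
    (1, "beta", 2),
    (2, "gamma", 3),
    (3, "gamma", 1),
    (3, "lambda", 4),
    (4, "omega", 4),
]
U_I = frozenset({1, 2, 3})  # the Sigma_nr-SCC [1] of Example 3


def step(transitions, x, ev):
    """Successors of state x on event ev (G is deterministic, so at most one)."""
    return [dst for src, e, dst in transitions if src == x and e == ev]


def successors(transitions, sigma_r, sigma_nr, u_i, pair):
    """One application of the two rules defining ->_i to a pair {x, y}.

    A singleton {x} is the pair {x, x}. A relevant event must move both
    components and keep both inside u_i; a non-relevant event moves one
    component into u_i while the other stays where it is.
    """
    xs = tuple(pair)
    x, y = xs if len(xs) == 2 else (xs[0], xs[0])
    out = set()
    for ev in sigma_r:
        for x2 in step(transitions, x, ev):
            for y2 in step(transitions, y, ev):
                if x2 in u_i and y2 in u_i:
                    out.add((ev, frozenset({x2, y2})))
    for ev in sigma_nr:
        # {x, y} is unordered, so either component may be the one that moves
        for mover, stayer in ((x, y), (y, x)):
            for m2 in step(transitions, mover, ev):
                if m2 in u_i:
                    out.add((ev, frozenset({m2, stayer})))
    return out


def expansion(transitions, sigma_r, sigma_nr, u_i, start):
    """Build (Omega_i, ->_i) by applying ->_i exhaustively from an arbitrary
    start element of Omega_i, as the paper describes."""
    first = frozenset(start)
    omega = {first}
    arrows = set()
    queue = deque([first])
    while queue:
        p = queue.popleft()
        for ev, q in successors(transitions, sigma_r, sigma_nr, u_i, p):
            arrows.add((p, ev, q))
            if q not in omega:
                omega.add(q)
                queue.append(q)
    return omega, arrows


def fmt(pair):
    """Render a pair as the paper writes it: {1, 2} or, for a singleton, {1}."""
    return "{" + ", ".join(str(v) for v in sorted(pair)) + "}"


if __name__ == "__main__":
    omega, arrows = expansion(TRANSITIONS, SIGMA_R, SIGMA_NR, U_I, {1})
    print("Omega_i =", ", ".join(fmt(p) for p in sorted(omega, key=sorted)))
    for p, ev, q in sorted(arrows, key=lambda a: (sorted(a[0]), a[1], sorted(a[2]))):
        print(f"{fmt(p)} --{ev}--> {fmt(q)}")
```

Run on the constructed automaton, the search produces exactly the six elements of $\Omega_i$ and the ten transitions the paper lists for $\{[1]\}$; the $\lambda$ transition of $\{1, 3\}$ is absent because it would leave $u_i$ (state 3 moves to 4), which is precisely the case handled by the input/output transition $\{1, 3\} \xrightarrow{\lambda}{}^{in/out}_{i} \{[1], [4]\}$. Starting from a different element such as $\{2, 3\}$ yields the same structure, as the text's "arbitrarily choosing" implies.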