Design of Petri Net Supervisor with 1-monitor place for a Class of Behavioral Constraints

This paper studies the design of supervisory controllers with a minimum number of monitor places for manufacturing systems modeled as safe Petri Nets. The proposed approach considers a class of safety specifications known as Behavioral Constraints with a restricted syntax. The set of Behavioral Constraints is represented as predicate logic formulas in conjunctive normal form. Each Behavioral Constraint then induces a set of linear algebraic inequalities. The approach establishes an equivalence that minimizes the number of monitor places: each Behavioral Constraint induces a single linear inequality, giving rise to a 1-monitor-place Petri Net supervisor. The approach is illustrated with the design and implementation of a 1-monitor-place modular supervisor for an automated manufacturing prototype.


Introduction
The operation of manufacturing systems is increasingly challenging because of the execution of more complex tasks. In order to shorten manufacturing procedures while complying with regulatory standards that guarantee proper operation and product quality, many manufacturing features have been improved in recent years [1]. Reconfigurability allows the entire procedure of an Automated Manufacturing System (AMS) to be changed, but it must also minimize the use of time and resources [2]. The safety of the operation, with all the automatic processes occurring in the AMS, is a critical feature, which motivates entities whose purpose is to guarantee safe operation, such as Supervisory Controllers (SCs). For AMS modeled as discrete event systems, the Supervisory Control Theory (SCT) proposed by Wonham in [3] is a well-accepted paradigm frequently employed for designing logic controllers at the coordination and basic layers of control systems. Petri Nets provide a formal platform for the modeling, analysis and synthesis of logic controllers that is widely used in AMS (e.g. [4], [5]). The synthesized Supervisory Controller (SC) is a Petri Net (PN) with a finite number of places, called monitor places. Among the advantages of PN, a more compact representation of the supervisor than its automaton counterpart is usually achieved, and concurrency in the execution of transitions is accommodated. Among several design methods considering safety specifications, the Invariant Based Control Design method [6] has been successfully employed to deal with forbidden states [7] and Behavioral Constraints [8]. However, the resulting PN may not be a minimal realization of the SC. Synthesis strategies for PN supervisors with a reduced number of monitor places have been proposed for forbidden state avoidance only [9], not for Behavioral Constraints. This paper studies the synthesis of 1-monitor-place supervisory controllers for safe PN.
The proposed design approach employs the Invariant Based Control Design (IBCD) method and a class of safety specifications [10] that can be modeled as Behavioral Constraints [8]. Section 2 introduces the fundamentals of PN and SCT and the representation of Behavioral Constraints (BCs) as a set of linear inequalities. Section 3 presents the proposed technique to transform a set of BCs into a smaller set of linear inequalities, leading to a PN supervisor with a reduced number of monitor places when the IBCD method is applied. Section 3 also establishes the conditions for a Supervisory Controller based on Behavioral Constraints (SCBC) to be proper. Section 4 describes and models the case study used in this work, an AMS. Section 5 then presents the set of BCs imposed on the AMS, their representation as linear inequalities, the resulting SC designed with the IBCD method, and its implementation as a ladder diagram.

Fundamentals
In this section the basic definitions of Petri Nets and Supervisory Control Theory are introduced.

Petri Nets fundamentals
For modeling techniques, as well as the structural and dynamic properties of PN, the reader is referred to [11].

Supervisory Control Theory (SCT)
The automata version of SCT is developed in [3]. In this subsection the fundamentals of SCT for discrete event systems modeled as PN are introduced, following [6]. The basic concepts and definitions of BCs are discussed in [12] and presented in the current section.
Definition 9 (Control pattern) Let N be a PN and T its set of transitions. The control pattern Γ is defined as the set of transitions enabled in a marking M of (N, M).

Definition 10 (Transition sequence) Let (N, M) be a PN system and T its set of transitions. $\sigma = t_1 t_2 \cdots t_n$ is a transition sequence such that

Finally, the concept of safety specification is explained. A safety specification requires the system to exhibit a safety property. Safety properties are often characterized as "nothing bad should happen". Mutual exclusion and deadlock freedom are examples of safety properties [10].

Predicate representation of Behavioral Constraints
Let N be a safe PN with firing vector $Q = [q_1\ q_2 \cdots q_l]$ and let (N, M) be a system with marking vector $M = [m_1\ m_2 \cdots m_l]$.

Definition 17 (Predicate variable) A predicate variable $A : Q \to \{\mathrm{True}, \mathrm{False}\}$ associated to the firing of transition $T_i$ is defined with the rule

Definition 19 (Behavioral Constraint (BC)) A BC is defined with the following predicate logic syntax, with A a predicate variable associated to the firing of transition $T_a$ and Φ a formula in conjunctive normal form composed of predicate variables associated to the marking of places, with $r_j$ the place index in N, $j = 1, 2, \ldots, l$, and l the number of places associated in Eq. 3. Eqs. 1 and 2 are equivalent to

Proposition 21

Proof. N is a safe net, thus N is 1-bounded. Hence the marking vector takes only the values 0 and 1, and Table 21 holds.

Table 21 Truth table of Proposition 21

Using Proposition 21, the BC of Eq. 5 can be written in the equivalent form shown in Lemma 22.

Lemma 22 with $i_l$ the number of disjunction variables in each formula $\varphi_i$.

Proof. It follows from applying Proposition 21 to BC 5.

Supervisory Controllers design using an Equivalent representation of a set of Behavioral Constraints

Using the n inequalities induced by predicate system 8 with the IBCD method [6], a PN supervisor is obtained with n monitor places, each one with a bidirectional arc to transition $t_a$. A procedure is presented below to design a PN SC with a single monitor place, based on a BC as in Eq. 1.
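As an added illustration (example code written for this page, not the paper's own implementation), the following Python builds both supervisors for one BC on a small constructed plant of three two-place blocks: the n-monitor-place supervisor from the Lemma 22 inequalities and the 1-monitor-place supervisor from the single inequality of Theorem 23 (with the Lemma 41 coefficients when one clause is a disjunction). Monitor-place arcs are derived from the place-invariant idea behind the IBCD method: the monitor marking equals the weighted sum of the constrained places, so it changes by the same amount as that sum, and $t_a$ must see h tokens in it, which is the bidirectional arc. The plant, the place and transition names and the BC are assumptions of the example. A reachability search then checks that both supervisors restrict the plant identically and that the open loop violates the BC.

```python
"""Added example (not from the paper): n-monitor vs 1-monitor supervisor for one
Behavioral Constraint on a constructed safe Petri net, with a reachability check
that both closed loops behave the same."""
from collections import deque

# Constructed plant: three two-place (off/on) blocks, as in the paper's AMS
# modelling.  PRE[t][p] / POST[t][p] are arc weights (all 1 in the plant).
PLACES = ["P1", "P2", "P3", "P4", "P5", "P6"]
TRANS = ["T1", "T2", "T3", "T4", "T5", "T6"]
PRE = {"T1": {"P1": 1}, "T2": {"P2": 1}, "T3": {"P3": 1},
       "T4": {"P4": 1}, "T5": {"P5": 1}, "T6": {"P6": 1}}
POST = {"T1": {"P2": 1}, "T2": {"P1": 1}, "T3": {"P4": 1},
        "T4": {"P3": 1}, "T5": {"P6": 1}, "T6": {"P5": 1}}
M0 = {"P1": 1, "P2": 0, "P3": 1, "P4": 0, "P5": 1, "P6": 0}


def bc_to_inequalities(phi):
    """Lemma 22: a BC 'A(q_a) -> phi', phi in CNF (list of clauses, each a list
    of places), induces one inequality per clause.  An inequality is encoded as
    (h, weights) meaning  h*q_a - sum_k weights[k]*m_k <= 0."""
    return [(1, {p: 1 for p in clause}) for clause in phi]


def bc_to_single_inequality(phi):
    """Theorem 23 on a safe net: n single-place clauses collapse to
    n*q_a - sum m_k <= 0.  With one extra m-place disjunction (Lemma 41) the
    coefficients become (m*n+1)*q_a - m*sum m_k - sum m_z <= 0."""
    singles = [c[0] for c in phi if len(c) == 1]
    multis = [c for c in phi if len(c) > 1]
    n = len(singles)
    if not multis:
        return (n, {p: 1 for p in singles})
    assert len(multis) == 1, "Lemma 41 covers a single disjunction clause"
    m = len(multis[0])
    weights = {p: m for p in singles}
    weights.update({p: 1 for p in multis[0]})
    return (m * n + 1, weights)


def monitor_place(t_a, ineq):
    """Monitor place c for  h*q_a - sum_k w_k*m_k <= 0  (right-hand side 0).
    Invariant m_c = sum_k w_k*m_k, so firing t changes m_c by
    dc[t] = sum_k w_k*(POST[t][k] - PRE[t][k]); t_a additionally needs h
    tokens, which yields the bidirectional (self-loop) arc of the paper."""
    h, w = ineq
    pre, post = {}, {}
    for t in TRANS:
        dc = sum(w[k] * (POST[t].get(k, 0) - PRE[t].get(k, 0)) for k in w)
        need = max(0, -dc, h if t == t_a else 0)  # tokens c must hold to fire t
        if need or dc:
            pre[t], post[t] = need, need + dc
    return pre, post, sum(w[k] * M0[k] for k in w)


def closed_loop(t_a, ineqs):
    """Plant synchronised with one monitor place C1, C2, ... per inequality."""
    pre = {t: dict(PRE[t]) for t in TRANS}
    post = {t: dict(POST[t]) for t in TRANS}
    m0 = dict(M0)
    for i, ineq in enumerate(ineqs, 1):
        cpre, cpost, mc0 = monitor_place(t_a, ineq)
        for t in cpre:
            pre[t][f"C{i}"], post[t][f"C{i}"] = cpre[t], cpost[t]
        m0[f"C{i}"] = mc0
    return pre, post, m0


def reachable(pre, post, m0):
    """Reachability graph by BFS: {marking (sorted tuple): enabled transitions}."""
    graph, queue = {}, deque([tuple(sorted(m0.items()))])
    while queue:
        key = queue.popleft()
        if key in graph:
            continue
        m = dict(key)
        graph[key] = {t for t in TRANS
                      if all(m.get(p, 0) >= n for p, n in pre[t].items())}
        for t in graph[key]:
            m2 = dict(m)
            for p, n in pre[t].items():
                m2[p] -= n
            for p, n in post[t].items():
                m2[p] = m2.get(p, 0) + n
            queue.append(tuple(sorted(m2.items())))
    return graph


def plant_view(graph):
    """Project closed-loop states onto (plant marking, enabled transitions)."""
    return {(tuple(dict(k)[p] for p in PLACES), frozenset(en))
            for k, en in graph.items()}


def violates(graph, t_a, phi):
    """True if some reachable marking enables t_a while phi is false."""
    return any(t_a in en and not all(any(dict(k)[p] for p in c) for c in phi)
               for k, en in graph.items())


def demo(t_a="T5", phi=(["P2"], ["P4"])):
    """Constructed BC: 'if T5 is enabled then P2 and P4 are marked'."""
    phi = [list(c) for c in phi]
    multi = closed_loop(t_a, bc_to_inequalities(phi))          # n monitors
    single = closed_loop(t_a, [bc_to_single_inequality(phi)])  # 1 monitor
    g_open = reachable(PRE, POST, M0)
    g_multi, g_single = reachable(*multi), reachable(*single)
    h, w = bc_to_single_inequality(phi)
    return {
        "open_loop_violates": violates(g_open, t_a, phi),
        "single_monitor_violates": violates(g_single, t_a, phi),
        "same_behaviour": plant_view(g_multi) == plant_view(g_single),
        "monitor_tracks_mK": all(dict(k)["C1"] == sum(w[p] * dict(k)[p] for p in w)
                                 for k in g_single),
        "self_loop_weight": single[0][t_a]["C1"],   # h tokens of C1 needed by t_a
    }


if __name__ == "__main__":
    print(demo())
```

With the constructed BC, the single monitor place carries a weight-2 self-loop on T5 and the two closed loops have the same projected reachability graph, while the open loop enables T5 with P2 unmarked. Applying bc_to_single_inequality to a BC with three single places and one two-place disjunction, the shape of the case study's first constraint, yields the coefficient 7 that the paper reports on T27.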
Theorem 23 Let $A(q_a)$ and $\Theta(m_{k_1}), \Theta(m_{k_2}), \ldots, \Theta(m_{k_l})$ be variables as in Definitions 17 and 18, and let a BC for restricting the system behavior be given, with $m_K = m_{k_1} + m_{k_2} + \cdots + m_{k_n}$, $m_J = m_{j_1} + m_{j_2} + \cdots + m_{j_m}$ and $m > 0$. A 1-monitor-place PN supervisor can be synthesized (i.e. its incidence matrix can be calculated) with the IBCD method using the linear inequality

$$ n q_a - m_K \le 0 \qquad (11) $$

with $m_K = m_{k_1} + m_{k_2} + \cdots + m_{k_n}$.

3.1 Properness of a Supervisory Controller based on Behavioral Constraints

The conditions for a SCBC to be non-blocking and controllable are studied in this subsection.
Definition 25 (System Under Supervision) Let N be a safe net and M its marking vector. Let C be the PN that implements a supervisor for N and $M_c$ the marking vector of C.

A System Under Supervision (SUS) is defined as

where $N \| C$ represents the synchronization of nets N and C. This definition complements Definition 13 by adding the marking vector. In the rest of the document the closed-loop system is referred to as SUS.

A supervisor is proper iff the SUS is non-blocking and controllable [3].

Liveness analysis
A necessary condition for non-blocking is liveness. For safe PN modeling an AMS, liveness is required, as shown in this subsection. An AMS is composed of subsystems, each modeled as a live and bounded PN circuit.

Definition 26 (Partial blocking) A system (N, M) is called partially blocking if there is a subsystem $(N_1, M_1)$ of (N, M) which is blocking.

Lemma 27 Let N be a safe PN. System (N, M) is live if and only if it is not partially blocking.

Proof. For the first direction, if the system is not partially blocking then no subsystem blocks, hence the system is live. For the converse, it is enough to prove that in a partially blocking system there is a transition not enabled in any marking reachable from M. Assume a blocking system $(N_1, M_1)$ with $N_1$ a subnet of N. Let t be an output transition of a place s of $N_1$; t is not enabled in marking $M_1$, so s has no tokens in $M_1$. The system is partially blocking at $M_1$, hence the markings reachable from M contain an element in which s has no tokens. If s has no tokens, transition t is not enabled. Therefore (N, M) is not live.
Therefore, for safe PN, non-partial blocking is required in order to ensure full functionality of the AMS, and by Lemma 27 liveness is required. Now the condition for a SCBC to be live is established. Using Definition 28, Proposition 29 and Lemma 31 are proved. Proposition 29 establishes conditions that guarantee reachability of a marking vector. Lemma 31 shows that if the associated marking vector is reachable, then the SUS is live. Finally, Theorem 32 follows from Proposition 29 and Lemma 31, establishing the condition for a SUS to be live.
Definition 28 (Marking vector associated to constraints) The marking vector associated to the above constraint is defined as

Proposition 29 There is not more than one place of the BC belonging to the same minimal S-invariant S of N if and only if the associated marking vector of the above BC, $R^T = [m_1\ m_2 \cdots 1\ 1 \cdots 1\ m_{2+k_n} \cdots m_l]$ with l the number of places, is reachable.
Proof. First the following implication is proved through its contrapositive: if the associated marking vector is reachable, then there is not more than one place of the BC belonging to the same minimal S-invariant. Consider a minimal S-invariant S containing two or more places of the BC, and the vector $S_1 = [1\ 1 \cdots 1]$ of length m, with m the number of places in S. The next equation is the invariance condition and guarantees that the number of tokens in an S-invariant is conserved.

$M_{0S}$ is the initial marking of the places in S, and by the conservativeness of the S-invariant this value holds for any reachable marking. Let $R_S$ be the projection of R onto the places in S. Multiplying $S_1$ by $R_S$,

$$ S_1 \cdot R_S \ge 2 $$

which violates conservativeness; hence the marking is not reachable.

For the converse implication, consider that there is not more than one place of the BC belonging to the same minimal S-invariant S. Therefore all places of the BC belong to different, disjoint minimal S-invariants; this follows from the fact that the net N is 1-bounded and the system (N, M) is live. The last claim implies that every minimal S-invariant is marked in M, because N is a free-choice PN (see Commoner's Theorem in [11]). Thus every S-invariant has a token in the initial marking, the system is live and by Lemma 27 it is not partially blocking. Hence there is a reachable marking of (N, M) in which every place of the BC has one token simultaneously (the invariants are disjoint), and the associated marking vector is reachable.

Proof (of Lemma 31). If the associated marking vector is not reachable, the formula Φ of the BC is never true, thus transition $t_a$ is never enabled and the system is not live.
Proof (of Theorem 32). By contradiction, assume a live SUS in which there is no reachable marking such that formula Φ is true and $t_a$ is enabled. By Proposition 30 the associated marking vector of the BC is not reachable, hence by Lemma 31 the SUS is not live, a contradiction. For the sufficiency condition, assume that a marking $M_r$ is reachable in which formula Φ is true and $t_a$ is enabled. Then transition $t_a$ is enabled in the SUS, hence it is enabled in the system both with and without supervision. The following claim is proved in 37 of subsection 3.1.2: only transition $t_a$ may be disabled by the supervisor. The system (N, M) is live and the supervisor may only disable transition $t_a$. However, there is a marking $M_r$ enabling $t_a$ in the SUS; therefore every transition is enabled in some reachable marking of the SUS, and by definition the SUS is live.

Non-conflict analysis
If a set of BCs is non-conflicting then the resulting SC is non-blocking [3]. As before, liveness is required for manufacturing systems. Hence a set of BCs is called non-conflicting if the SUS is live.

Proof. Necessary condition. A set of constraints is non-conflicting if the SUS is live. Assume a SUS such that there is a subnet $C_1$ of C generating a non-live system $(C_1, M_1)$. Since it is not live, there is a transition $t_1$ disabled in all markings reachable from some marking $M_i$. $t_1$ is also a transition of the SUS, therefore the SUS is not live, a contradiction.

For the sufficiency, assume that a SUS is not live. Then at least one transition t of N is not enabled in any reachable marking. In the first case, t is connected to C. Then there is a place c of C, input to t, with no tokens in any reachable marking. There is a transition $T_1$, input to c, which is not enabled; following the same reasoning as for t, assuming $T_1$ is connected to C there is a place $c_1$ of C input to $T_1$. Proceeding recursively until a place $c_n$ coincides with c (there is a finite number of places in C), there is a subnet of C with a disabled transition, hence the subnet is not live. If transition t is not connected to C, there is a transition $t_i$ in the same minimal S-invariant as t that is connected to C, and the above procedure can be followed for $t_i$.

That is, a controlled siphon is a siphon that never becomes unmarked.

Controllability analysis
This subsection shows that a SUS synthesized using the IBCD method with BCs is in fact controllable.

AMS case study

4.1 System description and open loop model description
The AMS employed as a case study is a pneumatic punching center whose topology is illustrated in Fig. 1. The manufacturing procedure begins when a piece arrives at the storage unit (SU); then valve B (VB) opens, activating the input piston (IP). IP pushes the piece into slot 1 (S1) of the rotary table, while valve A (VA) retracts the IP. The motor (MR) is turned on, generating a 90-degree clockwise rotation of the rotor, and the piece advances to slot 2 (S2). The piece is processed by the punching machine (PM) at slot 2, using valve E (VE) to activate the PM. Then the motor turns 90 degrees clockwise again, placing the piece in slot 3 (S3). The piece at slot 3 is pushed by the output piston (OP), activated by valve D (VD), onto a conveyor belt, and finally valve C (VC) retracts the OP.
Each elementary component of the AMS is modeled as a two-place PN block: a place is added to the block for each discrete value of the component. The transitions are the events that change the discrete value of a component; a transition is added to the model for each event. For the initial marking, a token is placed in the place associated to the initial discrete value of each component; the remaining places have no tokens. Table 3 lists the elementary components with the semantics of each place and transition. Fig. 2 shows the PN blocks of the AMS.
The following causal relationships complete the open-loop behavior of the AMS. Bidirectional arcs are added to the model to include these relationships, as shown in Fig. 2.
• A piece can arrive at slot 1 only if the input piston is out and there is a piece in storage (bidirectional arcs from P2 and P4 to T5).
This PN is live and 1-bounded, i.e. it is a safe PN. The incidence matrix d of each PN module has the form of Eq. 14; hence the incidence matrix $D_p$ of the entire system is the 28×28 block matrix of Eq. 15. The initial marking vector m of each module is shown in Eq. 16; hence the initial marking vector $M_0$ of the AMS is the block vector of Eq. 17.

Closed loop specification modeling
The specifications to be imposed upon the AMS are described in this subsection. Four safety specifications are defined to ensure safe operation of the AMS. Following Definition 19, each specification has a corresponding BC.
1. If turning on the motor (T27) is enabled, then both pistons (P3, P13) and the punching machine (P11) are in the withdrawn position and there is a manufacturing piece in slot 1 (P6) or in slot 2 (P8).

Using Lemma 22, the system induced by the BCs of Eqs. 18-21 is presented in Eq. system 22, a linear system of 8 inequalities. Employing the method proposed in Section 3 (Theorem 23 and Corollary 24), Eqs. 18-21 are transformed into the set of 4 linear inequalities shown in Eq. system 23.

Properness analysis
This subsection presents the analysis showing that the designed SCBC is in fact proper, i.e. the SUS is live, non-conflicting and controllable. For each BC, no two places belong to the same PN block. Each PN block is a minimal S-invariant (see [11]); therefore no two places belong to the same minimal S-invariant, and by Proposition 29 the associated marking vectors of all the BCs are reachable. By Proposition 30, in those markings the respective formulas Φ are true. Since every transition of the BCs is enabled in its respective associated reachable marking, by Theorem 32 the SUS for every BC is live. By Theorem 33, to prove that the set of constraints is non-conflicting the PN supervisor must not have any non-live subnet. The only non-disjoint subnet of the PN supervisor concerns transitions $T_7$ and $T_8$, and a quick analysis shows that this particular subnet is live. Hence, by 34 and Theorem 33 the SUS is live, i.e. the set of BCs is non-conflicting.
The set of constraints must be proven admissible. By Theorem 38, the set of constraints is proven admissible.

Ladder diagram implementation of supervisory controller
A PN can be translated into a ladder diagram for its implementation in a control device (e.g. a PLC). The general procedure for translating a PN into a ladder diagram is explained in [14]. Every place has a corresponding register in the ladder diagram. Every transition has a corresponding contact, and its execution produces the change of the contact state.
The following rules are an adaptation of the translation procedure developed in [14]. Let $T_a$ be a transition in the supervisor PN. Let $P_a$ be an output place of $T_a$, connected by an arc with weight $n_a$. Let $P_b$ be an input place of $T_a$, connected by an arc with weight $n_b$.
• Each transition $T_a$ is represented as a contact in a ladder segment.
• If $P_a$ is 1-bounded, it is represented by a coil with a set function. If $P_a$ is not 1-bounded, it is represented by an add block, adding $n_a$ tokens to $P_a$.
• If $P_b$ is 1-bounded, it is represented by a coil with a reset function. Also, a normally open contact is associated to $P_b$ in the segment.
• If $P_b$ is not 1-bounded, it is represented by a subtract block, subtracting $n_b$ tokens from $P_b$. Also, a comparison contact is associated to $P_b$ with the rule "greater than or equal to $n_b$".
• If $P_a = P_b$ (self-loop), the number of tokens is unchanged. Thus there are no output blocks associated to $P_a$ in the segment.
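As an added example (written for this page, not the paper's or [14]'s code), the following Python applies the five rules to a constructed net fragment: transition T27 with a 1-bounded input place P9, a 1-bounded output place P10 and the monitor place C1 attached by a weight-7 self-loop, the shape of the case study's first constraint, plus a second transition T8 whose monitor place C2 is consumed. Place names other than C1 and T27 are assumptions. Self-loops with unequal arc weights, which rule 5 does not cover, are handled by emitting the net token change.

```python
"""Added example (not from the paper): translation of Petri net transitions into
textual ladder segments following the five rules of the text."""

# Constructed fragment of a supervised net.  PRE[t][p] / POST[t][p] are arc
# weights from input places to t and from t to output places.
PRE = {"T27": {"P9": 1, "C1": 7},      # C1: monitor place, weight-7 self-loop
       "T8": {"P15": 1, "C2": 1}}      # C2: monitor place consumed by T8
POST = {"T27": {"P10": 1, "C1": 7},
        "T8": {"P16": 1}}
ONE_BOUNDED = {"P9", "P10", "P15", "P16"}   # plant block places; Cx are counters

SYMBOL = {"NO": "[ ]{p}", "GE": "[>={w}]{p}", "SET": "(S){p}", "RESET": "(R){p}",
          "ADD": "(ADD {w}){p}", "SUB": "(SUB {w}){p}"}


def segment(t, pre=PRE, post=POST, one_bounded=ONE_BOUNDED):
    """Ladder segment of transition t: conditions (contacts) then output blocks.
    Rule 1: the segment itself stands for t.  Rules 3/4: each input place gives
    a normally-open contact (1-bounded) or a 'greater than or equal to n_b'
    comparison contact (counter).  Rules 2-4: outputs set/reset a 1-bounded
    place or add/subtract tokens of a counter.  Rule 5: a self-loop leaves the
    count unchanged, so no output block is emitted (generalised here to the net
    change when the two arc weights differ)."""
    ins, outs = pre[t], post.get(t, {})
    conds = [(p, "NO", 1) if p in one_bounded else (p, "GE", w)
             for p, w in sorted(ins.items())]
    acts = []
    for p in sorted(set(ins) | set(outs)):
        net = outs.get(p, 0) - ins.get(p, 0)
        if net == 0:
            continue                               # self-loop: token count holds
        if p in one_bounded:
            acts.append((p, "SET" if net > 0 else "RESET", 1))
        else:
            acts.append((p, "ADD" if net > 0 else "SUB", abs(net)))
    return {"transition": t, "conditions": conds, "outputs": acts}


def render(seg):
    """One-line rung picture: contacts on the left rail, coils/blocks on the right."""
    parts = [SYMBOL[k].format(p=p, w=w)
             for p, k, w in seg["conditions"] + seg["outputs"]]
    return "|--" + "--".join(parts) + "--|"


def ladder(pre=PRE, post=POST, one_bounded=ONE_BOUNDED):
    """One segment per transition, as in the paper's 28-segment diagram."""
    return [render(segment(t, pre, post, one_bounded)) for t in sorted(pre)]


if __name__ == "__main__":
    for rung in ladder():
        print(rung)
```

For T27 the segment carries the comparison contact C1 >= 7 and the normally open contact of P9 as conditions, resets P9 and sets P10, and emits no output for C1 because the self-loop leaves its count unchanged; for T8 the consumed monitor C2 yields a subtract block instead.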
The resulting ladder diagram for the SCBC is composed of 28 segments, one for each transition of the AMS model. Part of this ladder diagram is shown in Fig. 4. Each segment contains the conditions to enable the corresponding transition. For example, monitor place C1 must have at least 7 tokens to enable transition T27. The number 7 is the coefficient of transition T27 in Eq. system 23 (the first BC has n = 3 single-place conjuncts, P3, P13 and P11, and one two-place disjunction, P6 or P8, so Lemma 41 gives the coefficient mn + 1 = 7). Moreover, in Fig. 4

Conclusions
The approach presented in this work reduces the number of monitor places needed to impose a set of constraints on an AMS. In the case study, the safety specifications were successfully imposed on the system behavior using 4 monitor places, with exactly the same results as the classical approach with 8 monitor places. The incidence matrix of a discrete event system modeled as a PN usually has many zero entries. The proposed approach reduces the dimension of matrix L of the IBCD method, avoiding unnecessary multiplications by zero and giving a computational advantage.
In the context of discrete event systems, state expansion leads to complicated and unreadable graph representations, such as Finite State Machines. The use of PN gives a more compact representation of the system, but very complex graph representations can still arise when a SC is designed.
A synthesis method for a class of BCs with a restricted syntax has been proposed, giving rise to a minimal PN SC. This increases the variety of specifications that can be considered in the synthesis (in addition to forbidden states) using a solid, mathematically established procedure.
The safety specifications ensure a behavior in which no unwanted situation occurs in the system. The implementation was made using previously proposed techniques. The resulting implementation is compact and is a more usable approach for manufacturing systems.
is the same solution set for the system

Proof. The solution set of a system of inequalities is the intersection of the solution sets of its inequalities. Let predicate 29 be associated to system 28 and predicate 30 to ineq. 27.
Then Σ is the solution set for the inequality

Proof. (By mathematical induction.) The base case is Proposition 39. The induction hypothesis of the inductive step is the Lemma statement for s variables. Therefore it must be proved that ineq. 34 and system 35 have the same solution set.

Ineq. 34 holds if and only if

$$ x - y_{s+1} \le 0 \qquad (36) $$

holds and

$$ (x - y_1) + (x - y_2) + \cdots + (x - y_s) \le 0 \qquad (37) $$

also holds. This follows from the fact that x can only take the values 0 and 1. If Σ is the solution set for ineqs. 36 and 37, then Σ is the solution set for 34. By the induction hypothesis, if ineq. 37 holds then the system $x - y_i \le 0$, $i = 1, \ldots, s$, also holds. Therefore Σ is the solution set for system 35, and it is proven that Σ is the solution set for both 34 and 35.
Lemma 41 Let $X, y_1, y_2, \ldots, y_n, z_1, z_2, \ldots, z_m$ be integer variables with domain {0, 1}. Let $Y = y_1 + y_2 + \cdots + y_n$ and $Z = z_1 + z_2 + \cdots + z_m$. Let $R = \{(X, Y, Z) \mid X \in \{0, 1\},\ Y \in \{0, 1, \ldots, n\},\ Z \in \{0, 1, \ldots, m\}\}$ be the constrained domain. Let $\Sigma \subset R$ be the solution set for the inequality

$$ (mn + 1)X - mY - Z \le 0 \qquad (38) $$

Then Σ is also the solution set for the system

Proof. The proof consists of two steps. First, inequality 38 is derived from a geometric perspective. Then it is proven that if Σ is the solution set of ineq. 38, it is also the solution set of system 39. By Lemma 40 the first n inequalities are equivalent to ineq. 33, therefore system 39 becomes

$$ nX - Y \le 0, \qquad X - Z \le 0 \qquad (40) $$

From a geometric perspective, each inequality in system 40 has a corresponding plane in the three-dimensional space (X, Y, Z). The solution set of each inequality consists of the points of domain R bounded above by the corresponding plane, thus the solution set of system 39 consists of the points of R bounded above by the intersection of both planes. Therefore there is a plane that contains the intersection of both planes and bounds above all the points of R in the solution set of system 40. The intersection of these planes is the line through the points (0, 0, 0) and (1, n, 1). To describe the plane equation a vector orthogonal to the plane is required, and for its calculation a third point is chosen for convenience, $(m/(mn+1), 1, 0)$. The orthogonal vector is obtained as the cross product of two vectors in the plane, for simplicity $v_1 = \langle 1, n, 1 \rangle$ and $v_2 = \langle m, mn + 1, 0 \rangle$. The plane equation is $(mn + 1)X - mY - Z = 0$. Thus the solution set of $(mn + 1)X - mY - Z \le 0$ is the same as that of system 39. Fig. 1 shows the plane and the constrained domain R.

Now it is proven that the solution set Σ of ineq. 38 is the same as that of system 39. System 39 holds for X = 0. If $X \ne 0$, then because of the domain constraint X = 1. If X = 1, system 39 holds for $y_i \ge 1$ and $Z \ge 1$, hence $Y \ge n$ and, again by the domain constraint, Y = n. Hence the set Σ satisfying expression 41 is the solution set for system 39.
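As an added check (example code for this page, not part of the paper), the following Python enumerates the {0, 1} domain and verifies Lemma 40 and Lemma 41 exhaustively for small n and m, reading system 39 as the n inequalities $X - y_i \le 0$ together with $X - Z \le 0$, as the proof does. It also shows why the coefficient is mn + 1 and not mn: with mn alone the point (1, n, 0) satisfies the inequality while violating $X - Z \le 0$. Function names are the example's own.

```python
"""Added example (not from the paper): exhaustive verification of Lemma 40 and
Lemma 41 over the {0,1} variable domain, and of the role of the +1 in m*n + 1."""
from itertools import product


def lemma40_holds(s):
    """Lemma 40: over x, y_i in {0,1},  s*x - (y_1 + ... + y_s) <= 0  has the
    same solutions as the system  x - y_i <= 0, i = 1..s."""
    for x, ys in product((0, 1), product((0, 1), repeat=s)):
        collapsed = s * x - sum(ys) <= 0
        system = all(x - y <= 0 for y in ys)
        if collapsed != system:
            return False
    return True


def system_solutions(n, m):
    """Solutions of system 39, read as  X - y_i <= 0 (i = 1..n) and X - Z <= 0,
    projected onto the constrained domain R as (X, Y, Z) triples."""
    sols = set()
    for X, ys, zs in product((0, 1), product((0, 1), repeat=n),
                             product((0, 1), repeat=m)):
        if all(X - y <= 0 for y in ys) and X - sum(zs) <= 0:
            sols.add((X, sum(ys), sum(zs)))
    return sols


def inequality_solutions(n, m, coeff=None):
    """Solutions in R of  coeff*X - m*Y - Z <= 0; coeff defaults to m*n + 1,
    which is ineq. 38."""
    if coeff is None:
        coeff = m * n + 1
    return {(X, Y, Z)
            for X in (0, 1) for Y in range(n + 1) for Z in range(m + 1)
            if coeff * X - m * Y - Z <= 0}


def lemma41_holds(n, m):
    """Lemma 41: ineq. 38 and system 39 share the same solution set on R."""
    return inequality_solutions(n, m) == system_solutions(n, m)


def naive_coefficient_holds(n, m):
    """Same check with coefficient m*n instead of m*n + 1.  For m, n >= 1 the
    point (1, n, 0) satisfies m*n*X - m*Y - Z <= 0 but violates X - Z <= 0,
    so the sets differ."""
    return inequality_solutions(n, m, coeff=m * n) == system_solutions(n, m)


def case_study_coefficient():
    """The paper's first BC has three single places and one two-place
    disjunction, so n = 3, m = 2 and the coefficient of q_27 is m*n + 1 = 7."""
    n, m = 3, 2
    return m * n + 1 if lemma41_holds(n, m) else None


if __name__ == "__main__":
    print(all(lemma40_holds(s) for s in range(1, 7)))
    print(all(lemma41_holds(n, m) for n in range(5) for m in range(5)))
    print(naive_coefficient_holds(3, 2), case_study_coefficient())
```

The enumeration is cheap for the sizes that occur in practice (the domain has $2^{n+m+1}$ points), so the same routine can be used to sanity-check any inequality produced for a BC before it is handed to the IBCD method.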
Table 41 Truth table of equation 41

shares the same solution set with system 44 and, henceforth, with system 42.