**2.2. Zone Based Graph**

In the Zone Based Graph (ZBG)[6], all clock states reachable by runs supporting the same firing sequence are agglomerated in the same node and considered modulo some over-approximation operation [2, 12]. This operation is used to ensure the finiteness of the ZBG for Bounded TPNs with unbounded firing intervals. An abstract state, called state zone, is defined as a pair *β* = (*M*, *FZ*) combining a marking *M* and a formula *FZ* which characterizes the clock domains of all states agglomerated in the state zone. In *FZ*, the clock of each enabled transition for *M* is represented by a variable with the same name. The domain of *FZ* is convex and has a unique canonical form represented by the pair (*M*, *Z*), where *Z* is a DBM of order <sup>|</sup>*En*(*M*) ∪ {*o*} defined by: <sup>∀</sup>(*x*, *<sup>y</sup>*) <sup>∈</sup> (*En*(*M*) ∪ {*o*})2, *zxy* <sup>=</sup> *SupFZ*(*<sup>x</sup>* <sup>−</sup> *<sup>y</sup>*), where *o* represents the value 0. State zones of the ZBG are in relaxed form.

The initial state zone is the pair *β*<sup>0</sup> = (*M*0, *FZ*0), where *M*<sup>0</sup> is the initial marking and *FZ*<sup>0</sup> = *ti*,*tj*∈*En*(*M*0) 0 ≤ *ti* = *tj* ≤ ↑ *tu*∈*En*(*M*0) *Is*(*tu*).

As an example, consider the TPN given in [11] and reported at Figure 1, its state zone graph is reported at Figure 2 and its state zones are reported in Table 1.

In this document, we consider the state class method and study the possibility to enforce the behavior of a given TPN so that to satisfy a safety / reachability property. The idea is to construct on-the-fly the reachable state classes of the TPN while collecting progressively firing subintervals to be avoided so that to satisfy the properties of interest.

#### **2.3. The state class graph method**

4 Will-be-set-by-IN-TECH

, *Id*�

), if *t*

The TPN state space is the structure (Q, −→, *q*0), where *q*<sup>0</sup> = (*M*0, *Id*0) is the initial state of the TPN and <sup>Q</sup> <sup>=</sup> {*q*|*q*<sup>0</sup> <sup>∗</sup> −→ *<sup>q</sup>*}( <sup>∗</sup> −→ being the reflexive and transitive closure of the relation

→ *qi* holds. The sequence *θ*1*t*1*θ*2*t*2... is called the timed trace of *ρ*. The sequence *t*1*t*2... is called the firing sequence (untimed trace) of *ρ*. A marking *M* is reachable iff ∃*q* ∈ Q s.t. its marking is *M*. Runs (resp. timed / untimed traces) of the TPN are all runs (resp. timed /

To use enumerative analysis techniques with time Petri nets, an extra effort is required to abstract their generally infinite state spaces. Abstraction techniques aim to construct by removing some irrelevant details, a finite contraction of the state space of the model, which preserves properties of interest. For best performances, the contraction should also be the smallest possible and computed with minor resources too (time and space). The preserved properties are usually verified using standard analysis techniques on the abstractions [16]. Several state space abstraction methods have been proposed, in the literature, for time Petri nets like the *state class graph (SCG)* [4], the *zone based graph (ZBG)* [6], and etc. These abstractions may differ mainly in the characterization of states (interval states or clock states), the agglomeration criteria of states, the representation of the agglomerated states (abstract states), the kind of properties they preserve (markings, linear or branching properties) and

These abstractions are finite for all bounded time Petri nets. However, if only linear properties are of interest, abstractions based on clocks are less interesting than the interval based abstractions. Indeed, abstractions based on intervals are finite for bounded TPN with unbounded intervals, while this is not true for abstraction based on clocks. The finiteness is enforced using an approximation operation, which may involve some overhead computation.

In the Zone Based Graph (ZBG)[6], all clock states reachable by runs supporting the same firing sequence are agglomerated in the same node and considered modulo some over-approximation operation [2, 12]. This operation is used to ensure the finiteness of the ZBG for Bounded TPNs with unbounded firing intervals. An abstract state, called state zone, is defined as a pair *β* = (*M*, *FZ*) combining a marking *M* and a formula *FZ* which characterizes the clock domains of all states agglomerated in the state zone. In *FZ*, the clock

A *run* in the TPN state space (Q, −→, *q*0), of a state *q* ∈ Q, is a maximal sequence *ρ* = *q*<sup>1</sup>

) by a time progression of *θ* units, i.e.,

) iff the state (*M*�

immediately transition *t* , i.e., *t* ∈ *En*(*M*), ↓ *Id*(*t*) = 0, ∀*p* ∈ *P*, *M*�

), *Id*� (*t*�

−→ defined above) is the set of reachable states of the model.

(*t*��)=[*Max*(↓ *Id*(*t*��) − *θ*, 0), ↑ *Id*(*t*��) − *θ*].

) = *Is*(*t*�

), also denoted (*M*, *Id*) + *θ*, iff from state (*M*, *Id*), we will reach the

*θ* ≤ ↑ *Id*(*t*�

) is reachable from state (*M*, *Id*) by firing

, *t*), *Id*� (*t* � ) = *Id*(*t*�

*<sup>t</sup>*<sup>2</sup> −→ *<sup>q</sup>*3..., such that *<sup>q</sup>*<sup>1</sup> <sup>=</sup> *<sup>q</sup>*. By convention, for any state *qi*, relation

), *M*� = *M*, and

), otherwise.

*θ*1 −→

(*p*) = *M*(*p*) − *Pre*(*p*, *t*) +

*t*� ∈*En*(*M*)

� ∈ *New*(*M*�


∀*t*�� ∈ *En*(*M*�


state (*M*�

*q*<sup>1</sup> + *θ*<sup>1</sup>

their size.

**2.2. Zone Based Graph**

*qi* 0 −→ (*M*�

), *Id*�

−→ (*M*�

*Post*(*p*, *t*), and ∀*t*� ∈ *En*(*M*�

*<sup>t</sup>*<sup>1</sup> −→ *<sup>q</sup>*<sup>2</sup>

, *Id*�

, *Id*�

, *Id*�

*<sup>θ</sup>*<sup>2</sup> −→ *<sup>q</sup>*<sup>2</sup> <sup>+</sup> *<sup>θ</sup>*<sup>2</sup>

untimed traces) of the initial state *q*0.

In the state class graph method [4], all states reachable by the same firing sequence from the initial state are agglomerated in the same node and considered modulo the relation of equivalence defined by: Two sets of states are equivalent iff they have the same marking and the same firing domain. The firing domain of a set of states is the union of the firing domains of its states. All equivalent sets are agglomerated in the same node called a *state class* defined as a pair *α* = (*M*, *F*), where *M* is a marking and *F* is a formula which characterizes the firing domain of *α*. For each transition *ti* enabled in *M*, there is a variable *ti*, in *F*, representing its firing delay. *<sup>F</sup>* can be rewritten as a set of atomic constraints of the form1: *ti* <sup>−</sup> *tj* <sup>≤</sup> *<sup>c</sup>*, *ti* <sup>≤</sup> *<sup>c</sup>* or −*tj* ≤ *c*, where *ti*, *tj* are transitions, *c* ∈ **Q** ∪ {∞} and **Q** is the set of rational numbers.

Though the same domain may be expressed by different conjunctions of atomic constraints (i.e., different formulas), all equivalent formulas have a unique form, called canonical form that is usually encoded by a difference bound matrix (DBM) [3]. The canonical form of *F* is encoded by the DBM *D* (a square matrix) of order |*En*(*M*)| + 1 defined by: ∀*ti*, *tj* ∈ *En*(*M*) ∪ {*t*0}, *dij* = (≤, *SupF*(*ti* − *tj*)), where *t*<sup>0</sup> (*t*<sup>0</sup> ∈/ *T*) represents a fictitious transition whose delay is always equal to 0 and *SupF*(*ti* − *tj*) is the largest value of *ti* − *tj* in the domain of *F*. Its computation is based on the shortest path *Floyd-Warshall*'s algorithm and is considered as the most costly operation (cubic in the number of variables in *F*). The canonical form of a DBM makes easier some operations over formulas like the test of equivalence. Two formulas are equivalent iff the canonical forms of their DBMs are identical.

The initial state class is *α*<sup>0</sup> = (*M*0, *F*0), where *F*<sup>0</sup> = *ti*∈*En*(*M*0) ↓ *Is*(*ti*) ≤ *ti* ≤↑ *Is*(*ti*).

Let *α* = (*M*, *F*) be a state class and *tf* a transition and *succ*(*α*, *tf*) the set of states defined by:

$$\text{succc}(\mathfrak{a}, t\_f) = \{q' \in \mathcal{Q} \mid \exists q \in \mathfrak{a}, \exists \theta \in \mathbb{R}^+ \text{ s.t.} \: q \xrightarrow{\theta} q + \theta \xrightarrow{t\_f} q'\} \tag{5}$$

<sup>1</sup> For economy of notation, we use operator <sup>≤</sup> even if *<sup>c</sup>* <sup>=</sup> <sup>∞</sup>.


*α*0

*t*<sup>4</sup> *t*<sup>2</sup>

*α*<sup>3</sup> *α*<sup>1</sup> *α*<sup>2</sup>

*t*2 *t*<sup>3</sup> *t*<sup>3</sup>

*t*2

*α*<sup>6</sup> : *p*<sup>4</sup>

.*ti*.

**2.4. A forward method for computing predecessors of state classes**

**Figure 2.** The State Graph of the TPN presented at Figure 1

**Table 2.** The state classes of the TPN presented at Figure 2

), *ti*), if *ω* = *ω*�

denotes the transition *ti* enabled in *M*. Let *ω* = *t*

*α* (i.e., *α*� ⊆ *α*) s.t. *ω* is firable from all its states, i.e.,

*Fire*(*α*, *ω*) = {*q*<sup>1</sup> ∈ *α* | ∃*θ*1, ..., *θm*, *q*<sup>1</sup>

**Proposition 1.** *Fire*(*α*, *ω*) *is the state class* (*M*�

*succ*(*succ*(*α*, *ω*�

denote *t<sup>k</sup>*

*t k*1 <sup>1</sup> ....*t k f <sup>f</sup> of ω.* *t*1

*t*4

*t*1

A Forward On-The-Fly Approach in Controller Synthesis of Time Petri Nets 445

*α*<sup>6</sup> *α*<sup>4</sup> *α*<sup>5</sup>

*α*<sup>0</sup> : *p*<sup>1</sup> + *p*<sup>2</sup> 0 ≤ *t*<sup>1</sup> ≤ 4 ∧ 2 ≤ *t*<sup>2</sup> ≤ 3 *α*<sup>1</sup> : *p*<sup>2</sup> + *p*<sup>3</sup> 0 ≤ *t*<sup>2</sup> ≤ 3 ∧ 2 ≤ *t*<sup>3</sup> *α*<sup>2</sup> : *p*<sup>1</sup> + *p*<sup>4</sup> 0 ≤ *t*<sup>1</sup> ≤ 2 *α*<sup>3</sup> : *p*<sup>3</sup> + *p*<sup>4</sup> 0 ≤ *t*<sup>3</sup> ∧ 0 ≤ *t*<sup>4</sup> ≤ 1 *α*<sup>4</sup> : *p*<sup>2</sup> 0 ≤ *t*<sup>2</sup> ≤ 1 *α*<sup>5</sup> : *p*<sup>3</sup> + *p*<sup>4</sup> 2 ≤ *t*<sup>3</sup> < ∞ ∧ 0 ≤ *t*<sup>4</sup> ≤ 1

Let *<sup>α</sup>* = (*M*, *<sup>F</sup>*) be a state class and *<sup>ω</sup>* <sup>∈</sup> *<sup>T</sup>*<sup>+</sup> a sequence of transitions firable from *<sup>α</sup>*. We denote *succ*(*α*, *ω*) the state class reachable from *α* by firing successively transitions of *ω*. We define inductively this set as follows: *succ*(*α*, *ω*) = *α*, if *ω* = *�* and *succ*(*α*, *ω*) =

During the firing of a sequence of transitions *ω* from *α*, the same transition may be newly enabled several times. To distinguish between different enabling of the same transition *ti*, we

transitions firable from *α* (i.e., *succ*(*α*, *ω*) �= ∅). We denote *Fire*(*α*, *ω*) the largest subclass *α*� of

*<sup>i</sup>* for *<sup>k</sup>* <sup>&</sup>gt; 0 the transition *ti* (newly) enabled by the *<sup>k</sup>th* transition of the sequence; *<sup>t</sup>*

*<sup>θ</sup>*<sup>1</sup> −→ *<sup>q</sup>*<sup>1</sup> <sup>+</sup> *<sup>θ</sup>*<sup>1</sup>

, *F*�

*follows*3*: Let M*<sup>1</sup> <sup>=</sup> *M and Mf*<sup>+</sup>1*, for f* <sup>∈</sup> [1, *<sup>m</sup>*]*, be the marking reached from M by the subsequence*

*1. Initialize F*� *with the formula obtained from F by renaming all variables ti in t*<sup>0</sup>

<sup>3</sup> We suppose that the truth value of an empty set of constraints is always *true*.

*t k*1

<sup>1</sup> −→ *<sup>q</sup>*2...*qm* <sup>+</sup> *<sup>θ</sup><sup>m</sup> <sup>t</sup>*

*k*1 <sup>1</sup> ....*t km* 0 *i*

*<sup>m</sup>* <sup>∈</sup> *<sup>T</sup>*<sup>+</sup> with *<sup>m</sup>* <sup>&</sup>gt; 0 be a sequence of

*km*

*i .*

) *where M*� = *M and F*� *can be computed as*

*<sup>m</sup>* −→ *qm*+1} (6)

**Table 1.** State zones of the TPN presented at Figure 2

The state class *α* has a successor by *tf* (i.e. *succ*(*α*, *tf*) �= ∅), iff *tf* is enabled in *M* and can be fired before any other enabled transition, i.e., the following formula is consistent2: *<sup>F</sup>* <sup>∧</sup> ( *ti*∈*En*(*M*) *tf* ≤ *ti*). In this case, the firing of *tf* leads to the state class *α*� = (*M*� , *F*� ) = *succ*(*α*, *tf*) computed as follows [4]:


Formally, the SCG of a TPN model is a structure (CC, −→, *α*0), where *α*<sup>0</sup> = (*M*0, *F*0) is the initial state class, ∀*ti* ∈ *T*, *α ti* −→ *<sup>α</sup>*� iff *<sup>α</sup>*� <sup>=</sup> *succ*(*α*, *ti*) �<sup>=</sup> <sup>∅</sup> and CC <sup>=</sup> {*α*|*α*<sup>0</sup> <sup>∗</sup> −→ *<sup>α</sup>*}.

The SCG is finite for all bounded TPNs and preserves linear properties [5]. As an example, Figure 2 shows the state class graph of the TPN presented at Figure 1. Its state classes are reported in Table 2. For this example, state class graph and state zone based graph of the system are identical while classes and zones are different.

<sup>2</sup> A formula F is consistent iff there is, at least, one tuple of values that satisfies, at once, all constraints of F.

**Figure 2.** The State Graph of the TPN presented at Figure 1

6 Will-be-set-by-IN-TECH

*β*<sup>1</sup> : *p*<sup>2</sup> + *p*<sup>3</sup> 0 ≤ *t*<sup>2</sup> ≤ 3 ∧ 0 ≤ *t*<sup>3</sup> ≤ 3 ∧ 0 ≤ *t*<sup>2</sup> − *t*<sup>3</sup> ≤ 3

*β*<sup>3</sup> : *p*<sup>3</sup> + *p*<sup>4</sup> 0 ≤ *t*<sup>3</sup> ≤ 3 ∧ 0 ≤ *t*<sup>4</sup> ≤ 1 ∧ 0 ≤ *t*<sup>3</sup> − *t*<sup>4</sup> ≤ 3

The state class *α* has a successor by *tf* (i.e. *succ*(*α*, *tf*) �= ∅), iff *tf* is enabled in *M* and can be fired before any other enabled transition, i.e., the following formula is consistent2: *<sup>F</sup>* <sup>∧</sup>

Formally, the SCG of a TPN model is a structure (CC, −→, *α*0), where *α*<sup>0</sup> = (*M*0, *F*0) is the

The SCG is finite for all bounded TPNs and preserves linear properties [5]. As an example, Figure 2 shows the state class graph of the TPN presented at Figure 1. Its state classes are reported in Table 2. For this example, state class graph and state zone based graph of the

*p*<sup>1</sup> *p*<sup>2</sup>

• •

<sup>2</sup> A formula F is consistent iff there is, at least, one tuple of values that satisfies, at once, all constraints of F.

*p*<sup>3</sup> *p*<sup>4</sup>

*ti* −→ *<sup>α</sup>*� iff *<sup>α</sup>*� <sup>=</sup> *succ*(*α*, *ti*) �<sup>=</sup> <sup>∅</sup> and CC <sup>=</sup> {*α*|*α*<sup>0</sup> <sup>∗</sup> −→ *<sup>α</sup>*}.

*t*2[2, 3]

, *F*�

, *tf*).

) = *succ*(*α*, *tf*)

*β*<sup>0</sup> : *p*<sup>1</sup> + *p*<sup>2</sup> 0 ≤ *t*<sup>1</sup> = *t*<sup>2</sup> ≤ 3

*β*<sup>2</sup> : *p*<sup>1</sup> + *p*<sup>4</sup> 2 ≤ *t*<sup>1</sup> ≤ 4

*β*<sup>4</sup> : *p*<sup>2</sup> 2 ≤ *t*<sup>2</sup> ≤ 3 *β*<sup>5</sup> : *p*<sup>3</sup> + *p*<sup>4</sup> 0 ≤ *t*<sup>3</sup> = *t*<sup>4</sup> ≤ 2

*tf* ≤ *ti*). In this case, the firing of *tf* leads to the state class *α*� = (*M*�

4. Eliminate by substitution *tf* and each *ti* of transition conflicting with *tf* in *M*.

5. Add constraint ↓ *Is*(*tn*) ≤ *tn* ≤↑ *Is*(*tn*), for each transition *tn* ∈ *New*(*M*�

*β*<sup>6</sup> : *p*<sup>4</sup>

(*p*) = *M*(*p*) − *Pre*(*p*, *tf*) + *Post*(*p*, *tf*).

*tf* − *ti* ≤ 0)

system are identical while classes and zones are different.

*t*1[0, 4]

**Figure 1.** A simple Petri net with *Tc* = {*t*1}

*t*<sup>4</sup> *t*3[2, ∞[ [0, 1]

**Table 1.** State zones of the TPN presented at Figure 2

( *ti*∈*En*(*M*)

computed as follows [4]:

initial state class, ∀*ti* ∈ *T*, *α*

*ti*∈*En*(*M*)

3. Replace in *F*� each *ti* �= *tf* , by (*ti* + *tf*).

1. ∀*p* ∈ *P*, *M*�

2. *<sup>F</sup>*� = *<sup>F</sup>* ∧ (


**Table 2.** The state classes of the TPN presented at Figure 2

#### **2.4. A forward method for computing predecessors of state classes**

Let *<sup>α</sup>* = (*M*, *<sup>F</sup>*) be a state class and *<sup>ω</sup>* <sup>∈</sup> *<sup>T</sup>*<sup>+</sup> a sequence of transitions firable from *<sup>α</sup>*. We denote *succ*(*α*, *ω*) the state class reachable from *α* by firing successively transitions of *ω*. We define inductively this set as follows: *succ*(*α*, *ω*) = *α*, if *ω* = *�* and *succ*(*α*, *ω*) = *succ*(*succ*(*α*, *ω*� ), *ti*), if *ω* = *ω*� .*ti*.

During the firing of a sequence of transitions *ω* from *α*, the same transition may be newly enabled several times. To distinguish between different enabling of the same transition *ti*, we denote *t<sup>k</sup> <sup>i</sup>* for *<sup>k</sup>* <sup>&</sup>gt; 0 the transition *ti* (newly) enabled by the *<sup>k</sup>th* transition of the sequence; *<sup>t</sup>* 0 *i* denotes the transition *ti* enabled in *M*. Let *ω* = *t k*1 <sup>1</sup> ....*t km <sup>m</sup>* <sup>∈</sup> *<sup>T</sup>*<sup>+</sup> with *<sup>m</sup>* <sup>&</sup>gt; 0 be a sequence of transitions firable from *α* (i.e., *succ*(*α*, *ω*) �= ∅). We denote *Fire*(*α*, *ω*) the largest subclass *α*� of *α* (i.e., *α*� ⊆ *α*) s.t. *ω* is firable from all its states, i.e.,

$$\operatorname{Fire}(a,\omega) = \{q\_1 \in \mathfrak{a} \mid \exists \theta\_1 \dots \theta\_m . q\_1 \xrightarrow{\theta\_1} q\_1 + \theta\_1 \xrightarrow{f\_1^{k\_1}} q\_2 \dots q\_m + \theta\_m \xrightarrow{f\_m^{k\_m}} q\_{m+1}\} \tag{6}$$

**Proposition 1.** *Fire*(*α*, *ω*) *is the state class* (*M*� , *F*� ) *where M*� = *M and F*� *can be computed as follows*3*: Let M*<sup>1</sup> <sup>=</sup> *M and Mf*<sup>+</sup>1*, for f* <sup>∈</sup> [1, *<sup>m</sup>*]*, be the marking reached from M by the subsequence t k*1 <sup>1</sup> ....*t k f <sup>f</sup> of ω.*

*1. Initialize F*� *with the formula obtained from F by renaming all variables ti in t*<sup>0</sup> *i .*

<sup>3</sup> We suppose that the truth value of an empty set of constraints is always *true*.

#### 8 Will-be-set-by-IN-TECH 446 Petri Nets – Manufacturing and Computer Science A Forward On-The-Fly Approach in Controller Synthesis of Time Petri Nets <sup>9</sup>

#### *2. Add the following constraints:*

$$\begin{array}{c} \bigwedge \left( \bigwedge\_{f \in [1, m]} \bigwedge\_{t\_i \in (\operatorname{En}(M\_1) - \bigcup\_{f \in [1, f]} \operatorname{CF}(M\_{\bar{f}}, t\_i))} \sharp\_f^{k\_f} - \sharp\_i^0 \le 0 \wedge \\ \bigwedge\_{j \in [1, f]} \bigwedge\_{t\_n \in (\operatorname{New}(M\_{[l+1}, t\_l) - \bigcup\_{k \in [1, f]} \operatorname{CF}(M\_{\bar{k}}, t\_l))} \sharp\_f^{k\_f} - \sharp\_n^j \le 0 \wedge \\ \bigwedge\_{t\_n \in \operatorname{New}(M\_{f+1}, t\_f)} \downarrow \operatorname{Is}(t\_n) \le \sharp\_n^f - \sharp\_f^{k\_f} \le \uparrow \operatorname{Is}(t\_n)) \end{array} \tag{7}$$

2. Add the firing constraints of *t*<sup>1</sup> before *t*2, *t*<sup>2</sup> before *t*<sup>3</sup> and constraints on the firing intervals

1 <sup>3</sup> − *t* 0 <sup>1</sup> ∧ 0 ≤ *t*

<sup>3</sup>) consists of all states of *α*<sup>0</sup> from which the sequence *t*1*t*2*t*<sup>3</sup> is firable.

2 <sup>4</sup> − *t* 0 <sup>2</sup> ≤ 1

A Forward On-The-Fly Approach in Controller Synthesis of Time Petri Nets 447

*j*

0 1*t* 0 2*t* 1

*<sup>i</sup>* such that *j* > 0,

<sup>3</sup>) (i.e., ]2, 4]).

<sup>0</sup> of *β*0,

<sup>3</sup> ≤ 0 ∧ 2 ≤ *t*

*<sup>i</sup>* in *ti*: 0 ≤ *t*<sup>1</sup> ≤ 2 ∧ 2 ≤ *t*<sup>2</sup> ≤ 3 ∧ 1 ≤ *t*<sup>2</sup> − *t*<sup>1</sup> ≤ 3.

If *t*<sup>1</sup> is controllable, to avoid reaching the marking *p*<sup>4</sup> by the sequence *t*1*t*2*t*3, it suffices to

Note that this forward method of computing predecessors can also be adapted and applied to the clock based abstractions. For instance, using the zone based graph, the initial state zone

from which the sequence *t*1*t*2*t*<sup>3</sup> is firable, can be computed in a similar way as the previous

<sup>0</sup> = (*p*<sup>1</sup> + *p*2, 0 ≤ *t*<sup>1</sup> = *t*<sup>2</sup> ≤ 2). To avoid reaching by the sequence *t*1*t*2*t*<sup>3</sup> the marking *p*4, it suffices to delay the firing of *t*<sup>1</sup> until when its clocks overpasses 2, which means that its firing

The theory of control was initially introduced by Ramadge and Wonham in [17]. They have formalized, in terms of formal languages, the notion of control and the existence of a controller that forces a discrete event system (DES) to behave as expected. The concept of control has been afterwards extended to various models such as timed automata [21] and time Petri nets [19], where the control specification is expressed on the model states rather than the model language. Thus, for every system modeled by a controllable language, timed automata or time Petri nets, controller synthesis is used to restrict the behavior of the system making it to satisfy the desired safety or reachability properties. The typical procedure is: a system is modeled, the desired properties are defined, then, the existence and the implementation of the appropriate controller (control problem and controller synthesis problem respectively [1])

Several approaches of controller synthesis have been proposed in the literature. They may differ in the model they are working on (various types of Petri nets or automata), the approach they are based on (analytical as in [22], structural as in [9], semantic as in [10, 11, 20]), and

In [22], the authors have considered a particular type of capacity timed Petri net, where timing constraints are associated with transitions and some places, and all transitions are controllable. This timed Petri net is used to model a cluster tool with wafer residency time constraints. The wafers and their time constraints are represented by timed places. Using analytical approaches of schedulability and the particular structure of their model (model of the cluster tool), the authors have established an algorithm for finding, if it exists, an optimal periodic schedule which respects residency time constraints of wafers. The control consists

of the TPN shown at Figure 1 is *β*<sup>0</sup> = (*p*<sup>1</sup> + *p*2, 0 ≤ *t*<sup>1</sup> = *t*<sup>2</sup> ≤ 3). The sub-zone *β*�

of transitions enabled by these firings (i.e., *t*<sup>3</sup> and *t*4):

0 <sup>2</sup> − *t* 1

3. Put the resulting formula in canonical form and eliminate all variables *t*

choose the firing interval of *t*<sup>1</sup> in *α*<sup>0</sup> outside its firing interval in *Fire*(*α*0, *t*

procedure where delay constraints are replaced by clock constraints:

*t* 0 <sup>1</sup> − *t* 0 <sup>2</sup> ≤ 0 ∧ *t*

0

0 1*t* 0 2*t* 1

rename all variables *t*

The subclass *Fire*(*α*0, *t*

interval should be ]2, 4].

**3. Related work**

are investigated.

finally the property to be controlled.

*β*�

*3. Put the resulting formula in canonical form and eliminate all variables t<sup>j</sup> <sup>i</sup> such that j* > 0*, rename all variables t*<sup>0</sup> *<sup>i</sup> in ti.*

Note that *Fire*(*α*, *ω*) �= ∅ (i.e., *ω* is firable from *α*) iff *ω* is feasible in the underlying untimed model and the formula obtained at step 2) above is consistent.

*Proof.* By step 1) all variables associated with transitions of *En*(*M*) are renamed (*ti* is renamed in *t* 0 *<sup>i</sup>* ). This step allows us to distinguish between delays of transitions enabled in *M* from those that are newly enabled by the transitions of the firing sequence.

Step 2) adds the firing constraints of transitions of the sequence (for *f* ∈ [1, *m*]). For each transition *t k f <sup>f</sup>* of the sequence, three blocks of constraints are added. The two first blocks mean that the delay of *t k f <sup>f</sup>* must be less or equal to the delays of all transitions enabled in *Mf* (i.e., transitions of *En*(*M*) and those enabled by *tj* (*New*(*Mj*+1, *tj*), 1 ≤ *j* < *f*) that are maintained continuously enabled at least until firing *t k f <sup>f</sup>* ). Transitions of *En*(*M*) that are maintained continuously enabled at least until firing *t k f <sup>f</sup>* are transitions of *En*(*M*) which are not in conflict with *t k*1 <sup>1</sup> in *M*1, and, ..., and not in conflict with *t k <sup>f</sup>* <sup>−</sup><sup>1</sup> *<sup>f</sup>*−<sup>1</sup> in *Mf*−1. Similarly, transitions of *New*(*Mj*, *tj*) (with 1 ≤ *j* < *f*) that are maintained continuously enabled at least until firing *t k f <sup>f</sup>* are transitions of *New*(*Mj*+1, *tj*) which are not in conflict with *t kj*<sup>+</sup><sup>1</sup> *<sup>j</sup>*+<sup>1</sup> in *Mj*+1, and, ..., and not in conflict with *t k <sup>f</sup>* <sup>−</sup><sup>1</sup> *<sup>f</sup>*−<sup>1</sup> in *Mf*−1. The third block of constraints specifies the firing delays of transitions that are newly enabled by *t k f f* .

Step 3) isolates the largest subclass of *α* such that *ω* is firable from all its states.

As an example, consider the TPN depicted at Figure 1 and its state class graph shown at Figure 2. Let us show how to compute *Fire*(*α*0, *t* 0 1*t* 0 2*t* 1 <sup>3</sup>). We have *En*(*M*0) = {*t*1, *t*2}, *CF*(*M*0, *t*1) = {*t*1}, *CF*(*M*1, *t*2) = {*t*2}, *New*(*M*0, *t*1) = {*t*3} and *New*(*M*1, *t*2) = {*t*4}. The subclass (*p*<sup>1</sup> + *p*2, *F*� ) = *Fire*(*α*0, *t* 0 1*t* 0 2*t* 1 <sup>3</sup>) is computed as follows:

1. Initialize *F*� with the formula obtained from 0 ≤ *t*<sup>1</sup> ≤ 4 ∧ 2 ≤ *t*<sup>2</sup> ≤ 3 by renaming all variables *ti* in *t* 0 *<sup>i</sup>* : 0 ≤ *t* 0 <sup>1</sup> ≤ 4 ∧ 2 ≤ *t* 0 <sup>2</sup> ≤ 3

2. Add the firing constraints of *t*<sup>1</sup> before *t*2, *t*<sup>2</sup> before *t*<sup>3</sup> and constraints on the firing intervals of transitions enabled by these firings (i.e., *t*<sup>3</sup> and *t*4):

$$\mathfrak{t}\_1^0 - \mathfrak{t}\_2^0 \le 0 \land \mathfrak{t}\_2^0 - \mathfrak{t}\_3^1 \le 0 \land \mathfrak{2} \le \mathfrak{t}\_3^1 - \mathfrak{t}\_1^0 \land 0 \le \mathfrak{t}\_4^2 - \mathfrak{t}\_2^0 \le 1$$

3. Put the resulting formula in canonical form and eliminate all variables *t j <sup>i</sup>* such that *j* > 0, rename all variables *t* 0 *<sup>i</sup>* in *ti*: 0 ≤ *t*<sup>1</sup> ≤ 2 ∧ 2 ≤ *t*<sup>2</sup> ≤ 3 ∧ 1 ≤ *t*<sup>2</sup> − *t*<sup>1</sup> ≤ 3.

The subclass *Fire*(*α*0, *t* 0 1*t* 0 2*t* 1 <sup>3</sup>) consists of all states of *α*<sup>0</sup> from which the sequence *t*1*t*2*t*<sup>3</sup> is firable. If *t*<sup>1</sup> is controllable, to avoid reaching the marking *p*<sup>4</sup> by the sequence *t*1*t*2*t*3, it suffices to choose the firing interval of *t*<sup>1</sup> in *α*<sup>0</sup> outside its firing interval in *Fire*(*α*0, *t* 0 1*t* 0 2*t* 1 <sup>3</sup>) (i.e., ]2, 4]).

Note that this forward method of computing predecessors can also be adapted and applied to the clock based abstractions. For instance, using the zone based graph, the initial state zone of the TPN shown at Figure 1 is *β*<sup>0</sup> = (*p*<sup>1</sup> + *p*2, 0 ≤ *t*<sup>1</sup> = *t*<sup>2</sup> ≤ 3). The sub-zone *β*� <sup>0</sup> of *β*0, from which the sequence *t*1*t*2*t*<sup>3</sup> is firable, can be computed in a similar way as the previous procedure where delay constraints are replaced by clock constraints:

*β*� <sup>0</sup> = (*p*<sup>1</sup> + *p*2, 0 ≤ *t*<sup>1</sup> = *t*<sup>2</sup> ≤ 2). To avoid reaching by the sequence *t*1*t*2*t*<sup>3</sup> the marking *p*4, it suffices to delay the firing of *t*<sup>1</sup> until when its clocks overpasses 2, which means that its firing interval should be ]2, 4].
