**3. Related work**

8 Will-be-set-by-IN-TECH

*j*∈[1,*f* [

↓ *Is*(*tn*) ≤ *t*

Note that *Fire*(*α*, *ω*) �= ∅ (i.e., *ω* is firable from *α*) iff *ω* is feasible in the underlying untimed

*Proof.* By step 1) all variables associated with transitions of *En*(*M*) are renamed (*ti* is renamed

Step 2) adds the firing constraints of transitions of the sequence (for *f* ∈ [1, *m*]). For each

*Mf* (i.e., transitions of *En*(*M*) and those enabled by *tj* (*New*(*Mj*+1, *tj*), 1 ≤ *j* < *f*) that are

of *New*(*Mj*, *tj*) (with 1 ≤ *j* < *f*) that are maintained continuously enabled at least until firing

As an example, consider the TPN depicted at Figure 1 and its state class graph shown at Figure

{*t*1}, *CF*(*M*1, *t*2) = {*t*2}, *New*(*M*0, *t*1) = {*t*3} and *New*(*M*1, *t*2) = {*t*4}. The subclass (*p*<sup>1</sup> +

1. Initialize *F*� with the formula obtained from 0 ≤ *t*<sup>1</sup> ≤ 4 ∧ 2 ≤ *t*<sup>2</sup> ≤ 3 by renaming all

0 1*t* 0 2*t* 1

*<sup>i</sup>* ). This step allows us to distinguish between delays of transitions enabled in *M* from

*<sup>f</sup>* of the sequence, three blocks of constraints are added. The two first blocks

*k f*

*<sup>f</sup>* must be less or equal to the delays of all transitions enabled in

*k <sup>f</sup>* <sup>−</sup><sup>1</sup>

*k f*

*<sup>f</sup>*−<sup>1</sup> in *Mf*−1. The third block of constraints specifies the firing delays of

*k*∈]*j*,*f* [

*CF*(*Mj*,*tj*))

*f <sup>n</sup>* − *t k f*

*t k f <sup>f</sup>* − *t* 0 *<sup>i</sup>* ≤ 0∧

> *t k f <sup>f</sup>* − *t j <sup>n</sup>* ≤ 0∧

*<sup>f</sup>* ≤↑ *Is*(*tn*))

(7)

*<sup>i</sup> such that j* > 0*, rename*

*<sup>f</sup>* ). Transitions of *En*(*M*) that are

*<sup>f</sup>*−<sup>1</sup> in *Mf*−1. Similarly, transitions

*<sup>j</sup>*+<sup>1</sup> in *Mj*+1, and, ..., and

*<sup>f</sup>* are transitions of *En*(*M*) which are not

*kj*<sup>+</sup><sup>1</sup>

<sup>3</sup>). We have *En*(*M*0) = {*t*1, *t*2}, *CF*(*M*0, *t*1) =

*CF*(*Mk*,*tk*))

*2. Add the following constraints:*

*all variables t*<sup>0</sup>

in *t* 0

*t k f*

*p*2, *F*�

transition *t*

in conflict with *t*

not in conflict with *t*

) = *Fire*(*α*0, *t*

variables *ti* in *t*

*k f*

mean that the delay of *t*

*k*1

*<sup>i</sup> in ti.*

 *f*∈[1,*m*]

( *ti*∈(*En*(*M*1)−

*<sup>j</sup>*∈[1, *<sup>f</sup>* [,*tn*∈(*New*(*Mj*+1,*tj*)−

*3. Put the resulting formula in canonical form and eliminate all variables t<sup>j</sup>*

those that are newly enabled by the transitions of the firing sequence.

<sup>1</sup> in *M*1, and, ..., and not in conflict with *t*

*k f f* . Step 3) isolates the largest subclass of *α* such that *ω* is firable from all its states.

*<sup>f</sup>* are transitions of *New*(*Mj*+1, *tj*) which are not in conflict with *t*

<sup>3</sup>) is computed as follows:

0 <sup>2</sup> ≤ 3

<sup>1</sup> ≤ 4 ∧ 2 ≤ *t*

 *tn*∈*New*(*Mf* <sup>+</sup>1,*tf*)

model and the formula obtained at step 2) above is consistent.

*k f*

maintained continuously enabled at least until firing *t*

maintained continuously enabled at least until firing *t*

*k <sup>f</sup>* <sup>−</sup><sup>1</sup>

transitions that are newly enabled by *t*

2. Let us show how to compute *Fire*(*α*0, *t*

0 1*t* 0 2*t* 1

0 *<sup>i</sup>* : 0 ≤ *t* 0 The theory of control was initially introduced by Ramadge and Wonham in [17]. They have formalized, in terms of formal languages, the notion of control and the existence of a controller that forces a discrete event system (DES) to behave as expected. The concept of control has been afterwards extended to various models such as timed automata [21] and time Petri nets [19], where the control specification is expressed on the model states rather than the model language. Thus, for every system modeled by a controllable language, timed automata or time Petri nets, controller synthesis is used to restrict the behavior of the system making it to satisfy the desired safety or reachability properties. The typical procedure is: a system is modeled, the desired properties are defined, then, the existence and the implementation of the appropriate controller (control problem and controller synthesis problem respectively [1]) are investigated.

Several approaches of controller synthesis have been proposed in the literature. They may differ in the model they are working on (various types of Petri nets or automata), the approach they are based on (analytical as in [22], structural as in [9], semantic as in [10, 11, 20]), and finally the property to be controlled.

In [22], the authors have considered a particular type of capacity timed Petri net, where timing constraints are associated with transitions and some places, and all transitions are controllable. This timed Petri net is used to model a cluster tool with wafer residency time constraints. The wafers and their time constraints are represented by timed places. Using analytical approaches of schedulability and the particular structure of their model (model of the cluster tool), the authors have established an algorithm for finding, if it exists, an optimal periodic schedule which respects residency time constraints of wafers. The control consists

safe states whose behaviors can be controlled so as to maintain the system inside this set of states (i.e., winning states). If the largest fix point of *h* includes the initial state then, it gives a

A Forward On-The-Fly Approach in Controller Synthesis of Time Petri Nets 449

Similarly, the fix point method is also used for reachability properties. Let *AF ψ* be a reachability property and *X*<sup>0</sup> = *Sat*(*ψ*) the set of goal states. The least fix point of *Xi*<sup>+</sup><sup>1</sup> = *h*(*Xi*) = *Xi* ∪ *π*(*Xi*), *i* ≥ 0 is the set of states whose behaviors can be controlled so as to reach

In the context of a timed model, this technique is applied on a state space abstraction of the timed model. In this case, *Xi* is a set of abstract states. If *Xi* is a finite set of abstract states, then the controllable predecessors of *Xi* is also a finite set of abstract states. The computation of the fix point of *h* will converge after a finite number of steps if the state space abstraction is

Note that the state space abstractions used in [10, 11, 20] are based on clocks but the state space abstraction used in [11] is not necessarily complete. The fix point method cannot guarantee to give the safety controller when it exists, unless the state space abstraction is both sound and complete. A state space abstraction of a given model is sound and complete iff it captures all firing sequences of the model and each firing sequence in the state space abstraction reflects a firing sequence of the model. Indeed, a synthesis may fail because of some unreachable states, while for the reachable state space the safety controller exists. However, the cost of processing is increased as a sound and complete state space abstraction should be entirely calculated

Let us explain by means of an example how to compute the fix point of *h* for a safety property. Consider the TPN given in [11] and reported in Figure 1. The state class graph (SCG) and the zone based graph (ZBG) of this TPN are equal, except that nodes are defined differently (state classes or state zones). The state class graph is depicted in Figure 2. Its state zones and state

Consider the state zone graph and suppose that we are interested to force the following safety

transition *t*<sup>1</sup> is the only controllable transition and the forbidden markings is determined by

To verify whether or not there is a controller for such a property, we compute the fix point of *Xi*+<sup>1</sup> = *h*(*Xi*) = *Xi* ∩ *π*(*Xi*), where *X*<sup>0</sup> = {*β*0, *β*1, *β*2, *β*3, *β*5} is the set of state zones which satisfy the property *not p*<sup>1</sup> + *p*<sup>3</sup> = 0. Such a controller exists iff the initial state of the model is a winning state (i.e., belongs to the fix point of *h*). The fix point is computed, in 3 iterations, as

<sup>1</sup>, *β*2, *β*�

which are uncontrollable predecessors of bad state classes *β*<sup>4</sup> and *β*<sup>6</sup> are eliminated:

*<sup>i</sup>*=<sup>1</sup> *pi* �= 2. As the state class graph shows, if *t*<sup>2</sup> happens before *t*<sup>1</sup> the right path happens which is safe and the controller has nothing to do. On the other hand, if *t*<sup>1</sup> happens before *t*2,

*<sup>i</sup>*=<sup>1</sup> *pi* = 2 which means that the number of tokens in the TPN is always 2. The

<sup>3</sup>, *β*5}. In this iteration, all states of *β*<sup>1</sup> and *β*3,

controller which forces the system to stay in safe states (i.e., a winning strategy).

one of the goal states (i.e., winning states) [10, 20].

before applying the fix point algorithm.

*1) Iteration* 1*: X*<sup>1</sup> = *X*<sup>0</sup> ∩ *π*(*X*0) = {*β*0, *β*�

classes are reported in Table 1 and Table 2, respectively.

two state classes having forbidden markings may be reached (*α*4, *α*6).

<sup>1</sup> = (*p*<sup>2</sup> + *p*3, 1 < *t*<sup>2</sup> ≤ 3 ∧ 0 ≤ *t*<sup>3</sup> < 2 ∧ 1 < *t*<sup>2</sup> − *t*<sup>3</sup> ≤ 3) and

<sup>3</sup> = (*p*<sup>3</sup> + *p*4, 1 ≤ *t*<sup>3</sup> <≤ 3 ∧ 0 < *t*<sup>4</sup> ≤ 1 ∧ 1 ≤ *t*<sup>3</sup> − *t*<sup>4</sup> ≤ 3).

finite [10, 11, 20].

property: *AG* Σ<sup>4</sup>

Σ4

follows:

*β*�

*β*�

**Figure 3.** Controllable Predecessors

of limiting timing constraints of transitions and some places so as to respect residency time constraints of wafers.

In [8, 9], the authors have considered safe and live time Petri nets where deadlines can be associated with some transition firings. The control consists of enforcing the model to meet deadlines of transition firings. The controller has the possibility to disable any transition *t* which prevents to meet the deadline of a transition *td*. A transition *t* is allowed to fire only if its latency (the maximum delay between firing *t* and the next firing of *td*) is not greater than the current deadline of *td*. The latencies of transitions are computed by constructing an unfolding Petri net of the underlying untimed Petri net. This approach does not need to explore the state space. However, in general, the resulting controller is not maximally permissive (i.e. meaning that the controller may disable a net behavior that does not violate the properties of interest).

In [10, 11, 20], the authors have considered timed models (TA or TPN) with two kinds of transitions (controllable and uncontrollable) and investigated the control problem for safety or reachability properties. To prevent some undesired states, the controller can act on any firable and controllable transition by delaying or forcing its firing but it cannot disable transitions. The control problem is addressed by computing the winning states of the model, i.e. states which will not lead, by an uncontrollable transition, to an undesired state. The computation of the winning states is based on the concept of controllable predecessors of states. In the literature, the set of controllable predecessors is usually denoted by *π*(*X*), where *X* is a set of states satisfying the desired property (safe/goal states). The set *π*(*X*) is defined by [11]:

$$\begin{aligned} \pi(X) &= \{ q \in \mathcal{Q} | ((\exists \, \delta \in \mathbb{R}\_{\ge 0} \, t \in T \, q' \in X \, q \xrightarrow{\delta} \, q') \lor \\ & (\exists \, \delta \in \mathbb{R}\_{\ge 0} \, q' \in X \, q \xrightarrow{\delta} \, q') ) \land \\ & \forall \, \delta \in \mathbb{R}\_{\ge 0} \, if \, \exists \, t \in T, q' \notin X \, q \xrightarrow{\delta} \, \frac{t}{\to} \, q' \\ & \text{then } \exists \, \delta\_{\mathbb{C}} < \delta, t\_{\mathbb{C}} \in T\_{\mathbb{C}}, q\_{\mathbb{C}} \in X \, q \xrightarrow{\delta\_{\mathbb{C}}} \, q\_{\mathbb{C}} \} \end{aligned} \tag{8}$$

Intuitively, *π*(*X*) is the set of predecessors of *X* which will not bring the system out of *X*. Figure 3 clarifies this concept. If the environment can execute an uncontrollable transition after *δ* time units, leading the system out of *X* (denoted by *X*¯ ), then the controller should be able to execute a controllable action to keep the system in *X* before *δ* time units. In addition, in the context of timed models with strong semantics (a transition must be fired, without any additional delay, when the upper bound of its firing interval is reached), the controller should not be forced to execute a controllable transition leading the system out of *X*.

Let *AG φ* be a safety property and *X*<sup>0</sup> = *Sat*(*φ*) the set of states which satisfy the property *φ* (safe states). The fix point of *Xi*<sup>+</sup><sup>1</sup> = *h*(*Xi*) = *Xi* ∩ *π*(*Xi*), *i* ≥ 0 gives the largest set of safe states whose behaviors can be controlled so as to maintain the system inside this set of states (i.e., winning states). If the largest fix point of *h* includes the initial state then, it gives a controller which forces the system to stay in safe states (i.e., a winning strategy).

10 Will-be-set-by-IN-TECH

of limiting timing constraints of transitions and some places so as to respect residency time

In [8, 9], the authors have considered safe and live time Petri nets where deadlines can be associated with some transition firings. The control consists of enforcing the model to meet deadlines of transition firings. The controller has the possibility to disable any transition *t* which prevents to meet the deadline of a transition *td*. A transition *t* is allowed to fire only if its latency (the maximum delay between firing *t* and the next firing of *td*) is not greater than the current deadline of *td*. The latencies of transitions are computed by constructing an unfolding Petri net of the underlying untimed Petri net. This approach does not need to explore the state space. However, in general, the resulting controller is not maximally permissive (i.e. meaning that the controller may disable a net behavior that does not violate the properties of interest). In [10, 11, 20], the authors have considered timed models (TA or TPN) with two kinds of transitions (controllable and uncontrollable) and investigated the control problem for safety or reachability properties. To prevent some undesired states, the controller can act on any firable and controllable transition by delaying or forcing its firing but it cannot disable transitions. The control problem is addressed by computing the winning states of the model, i.e. states which will not lead, by an uncontrollable transition, to an undesired state. The computation of the winning states is based on the concept of controllable predecessors of states. In the literature, the set of controllable predecessors is usually denoted by *π*(*X*), where *X* is a set of states satisfying the desired property (safe/goal states). The set *π*(*X*) is defined by [11]:

*<sup>π</sup>*(*X*) = {*<sup>q</sup>* ∈ Q|((<sup>∃</sup> *<sup>δ</sup>* <sup>∈</sup> **<sup>R</sup>**≥0, *<sup>t</sup>* <sup>∈</sup> *T q*� <sup>∈</sup> *X q <sup>δ</sup>*

→ *q*� ))∧

> → *t* → *q*�

Intuitively, *π*(*X*) is the set of predecessors of *X* which will not bring the system out of *X*. Figure 3 clarifies this concept. If the environment can execute an uncontrollable transition after *δ* time units, leading the system out of *X* (denoted by *X*¯ ), then the controller should be able to execute a controllable action to keep the system in *X* before *δ* time units. In addition, in the context of timed models with strong semantics (a transition must be fired, without any additional delay, when the upper bound of its firing interval is reached), the controller should

Let *AG φ* be a safety property and *X*<sup>0</sup> = *Sat*(*φ*) the set of states which satisfy the property *φ* (safe states). The fix point of *Xi*<sup>+</sup><sup>1</sup> = *h*(*Xi*) = *Xi* ∩ *π*(*Xi*), *i* ≥ 0 gives the largest set of

*<sup>δ</sup><sup>c</sup>* <sup>→</sup> *tc qc*}

(<sup>∃</sup> *<sup>δ</sup>* <sup>∈</sup> **<sup>R</sup>**≥0, *<sup>q</sup>*� <sup>∈</sup> *X q <sup>δ</sup>*

<sup>∀</sup> *<sup>δ</sup>* <sup>∈</sup> **<sup>R</sup>**≥<sup>0</sup> *i f* <sup>∃</sup> *<sup>t</sup>* <sup>∈</sup> *<sup>T</sup>*, *<sup>q</sup>*� <sup>∈</sup>/ *X q <sup>δ</sup>*

*then* ∃ *δ<sup>c</sup>* < *δ*, *tc* ∈ *Tc*, *qc* ∈ *X q* →

not be forced to execute a controllable transition leading the system out of *X*.

**Figure 3.** Controllable Predecessors

constraints of wafers.

*q*� *q* ∈/ *X*

*<sup>q</sup>* <sup>+</sup> *<sup>δ</sup><sup>c</sup> <sup>q</sup>* <sup>+</sup> *<sup>δ</sup> <sup>δ</sup><sup>c</sup> <sup>δ</sup>* <sup>−</sup> *<sup>δ</sup><sup>c</sup> <sup>t</sup>*

*tc*

*qc* ∈ *X*

→ *t* → *q*� )∨

(8)

Similarly, the fix point method is also used for reachability properties. Let *AF ψ* be a reachability property and *X*<sup>0</sup> = *Sat*(*ψ*) the set of goal states. The least fix point of *Xi*<sup>+</sup><sup>1</sup> = *h*(*Xi*) = *Xi* ∪ *π*(*Xi*), *i* ≥ 0 is the set of states whose behaviors can be controlled so as to reach one of the goal states (i.e., winning states) [10, 20].

In the context of a timed model, this technique is applied on a state space abstraction of the timed model. In this case, *Xi* is a set of abstract states. If *Xi* is a finite set of abstract states, then the controllable predecessors of *Xi* is also a finite set of abstract states. The computation of the fix point of *h* will converge after a finite number of steps if the state space abstraction is finite [10, 11, 20].

Note that the state space abstractions used in [10, 11, 20] are based on clocks but the state space abstraction used in [11] is not necessarily complete. The fix point method cannot guarantee to give the safety controller when it exists, unless the state space abstraction is both sound and complete. A state space abstraction of a given model is sound and complete iff it captures all firing sequences of the model and each firing sequence in the state space abstraction reflects a firing sequence of the model. Indeed, a synthesis may fail because of some unreachable states, while for the reachable state space the safety controller exists. However, the cost of processing is increased as a sound and complete state space abstraction should be entirely calculated before applying the fix point algorithm.

Let us explain by means of an example how to compute the fix point of *h* for a safety property. Consider the TPN given in [11] and reported in Figure 1. The state class graph (SCG) and the zone based graph (ZBG) of this TPN are equal, except that nodes are defined differently (state classes or state zones). The state class graph is depicted in Figure 2. Its state zones and state classes are reported in Table 1 and Table 2, respectively.

Consider the state zone graph and suppose that we are interested to force the following safety property: *AG* Σ<sup>4</sup> *<sup>i</sup>*=<sup>1</sup> *pi* = 2 which means that the number of tokens in the TPN is always 2. The transition *t*<sup>1</sup> is the only controllable transition and the forbidden markings is determined by Σ4 *<sup>i</sup>*=<sup>1</sup> *pi* �= 2. As the state class graph shows, if *t*<sup>2</sup> happens before *t*<sup>1</sup> the right path happens which is safe and the controller has nothing to do. On the other hand, if *t*<sup>1</sup> happens before *t*2, two state classes having forbidden markings may be reached (*α*4, *α*6).

To verify whether or not there is a controller for such a property, we compute the fix point of *Xi*+<sup>1</sup> = *h*(*Xi*) = *Xi* ∩ *π*(*Xi*), where *X*<sup>0</sup> = {*β*0, *β*1, *β*2, *β*3, *β*5} is the set of state zones which satisfy the property *not p*<sup>1</sup> + *p*<sup>3</sup> = 0. Such a controller exists iff the initial state of the model is a winning state (i.e., belongs to the fix point of *h*). The fix point is computed, in 3 iterations, as follows:

*1) Iteration* 1*: X*<sup>1</sup> = *X*<sup>0</sup> ∩ *π*(*X*0) = {*β*0, *β*� <sup>1</sup>, *β*2, *β*� <sup>3</sup>, *β*5}. In this iteration, all states of *β*<sup>1</sup> and *β*3, which are uncontrollable predecessors of bad state classes *β*<sup>4</sup> and *β*<sup>6</sup> are eliminated:

*β*� <sup>1</sup> = (*p*<sup>2</sup> + *p*3, 1 < *t*<sup>2</sup> ≤ 3 ∧ 0 ≤ *t*<sup>3</sup> < 2 ∧ 1 < *t*<sup>2</sup> − *t*<sup>3</sup> ≤ 3) and *β*� <sup>3</sup> = (*p*<sup>3</sup> + *p*4, 1 ≤ *t*<sup>3</sup> <≤ 3 ∧ 0 < *t*<sup>4</sup> ≤ 1 ∧ 1 ≤ *t*<sup>3</sup> − *t*<sup>4</sup> ≤ 3).

*2) Iteration* 2*: X*<sup>2</sup> = *X*<sup>1</sup> ∩ *π*(*X*1) = {*β*0, *β*�� <sup>1</sup> , *β*2, *β*� <sup>3</sup>, *β*5}. This iteration eliminates from *β*� <sup>1</sup> all states, which are uncontrollable predecessors of bad states of *β*<sup>3</sup> − *β*� 3:

$$\mathcal{S}\_1^{\prime\prime} = \{p\_2 + p\_3, 2 < \underline{t}\_2 \le 3 \land 0 \le \underline{t}\_3 < 1 \land 2 \le \underline{t}\_2 - \underline{t}\_3 \le 3\}.$$

*3) Iteration* 3*: X*<sup>2</sup> = *X*<sup>2</sup> ∩ *π*(*X*2) = {*β*0, *β*�� <sup>1</sup> , *β*2, *β*� <sup>3</sup>, *β*5}. The fix point *X*<sup>2</sup> is then the set of winning states. Since the initial state zone belongs to *X*2, there is a controller for forcing the property *AG not p*<sup>1</sup> + *p*<sup>3</sup> = 0. To keep the model in safe states (in states of *X*2), the controller must delay, in *β*0, the firing of *t*<sup>1</sup> until its clock overpasses the value 2. Doing so, the successor of *β*<sup>0</sup> by *t*<sup>1</sup> will be *β*�� 1 .

This approach needs however to construct a state space abstraction before computing the set of winning states. To overcome this limitation, in [10, 20], the authors have investigated the use of on-the-fly algorithms besides the fix point to compute the winning states for timed game automata (timed automata with controllable and uncontrollable transitions). We report, in Fig 4, the on-the-fly algorithm given in [10] for the case of reachability properties and timed game automata. This algorithm uses three lists *Passed* containing all state zones explored so far, *Waiting*, containing the set of edges to be processed and *Depend* indicating, for each state zone *S*, the set of edges to be reevaluated in case the set of the winning states in *S* (*Win*[*S*]) is updated. Using this on-the-fly method, in each step, a part of the state zone graph is constructed and an edge *e* = (*S*, *a*, *S*� ) of the *Waiting* list is processed. If the state zone *S*� is not in *Passed* and there is, in *S*� , some states which satisfy the desired reachability property, then these states are added to the winning states of *S*� (*Win*[*S*� ]). The winning states of *S* will be recomputed later (the edge *e* is added to the *Waiting* list). If *S*� is in *Passed*, the set of the winning states of *S* (*Win*[*S*]) is recomputed and possibly those of its predecessors and so on. The set *Win*[*S*] is the largest subset of *S* which is included in the controllable predecessors of the winning states of all its successors.

This on-the-fly algorithm, based on computing controllable predecessors, requires some expensive operations such as the difference between abstract states (state zones). The difference between two state zones is not necessarily a state zone and then may result in several state zones which need to be handled separately.

**Figure 4.** On-the-fly algorithm for timed game automata proposed in [10]

*α*6) by choosing appropriately the firing intervals for controllable transitions.

which *t*1*t*<sup>3</sup> or *t*1*t*2*t*<sup>3</sup> is firable, i.e., *B*(*α*0) = *Fire*(*α*0, *t*1*t*3) ∪ *Fire*(*α*0, *t*1*t*2*t*3), where:

interval is the complement of [0, 2] ∪ [0, 1] in the firing interval of *t*<sup>1</sup> in *α*<sup>0</sup> ([0, 4]).

*Fire*(*α*0, *t*1*t*3)=(*p*<sup>1</sup> + *p*2, 0 ≤ *t*<sup>1</sup> ≤ 1 ∧ 2 ≤ *t*<sup>2</sup> ≤ 3 ∧ 2 ≤ *t*<sup>2</sup> − *t*<sup>1</sup> ≤ 3) and *Fire*(*α*0, *t*1*t*2*t*3)=(*p*<sup>1</sup> + *p*2, 0 ≤ *t*<sup>1</sup> ≤ 2 ∧ 2 ≤ *t*<sup>2</sup> ≤ 3 ∧ 1 ≤ *t*<sup>2</sup> − *t*<sup>1</sup> ≤ 3).

method, we start with safety properties.

forward on-the-fly method.

controllable predecessors (which is considered as an expensive operation). To explain the

A Forward On-The-Fly Approach in Controller Synthesis of Time Petri Nets 451

Let us introduce informally the principle of our approach by means of the previous example. Consider the TPN shown in Figure 1, its state class graph depicted in Figure 2 and its state classes reported in Table 2. Our goal is to avoid to reach bad states (i.e., state classes *α*<sup>4</sup> and

From the initial state class *α*0, there are two elementary paths *α*0*t*1*α*1*t*3*α*<sup>4</sup> and *α*0*t*1*α*1*t*2*α*3*t*3*α*<sup>6</sup> that lead to bad states. In both paths, there is only one state class (*α*0) where the controllable transition *t*<sup>1</sup> is firable. To avoid these bad paths, we propose to compute all states of *α*<sup>0</sup> from

To avoid these bad states, it suffices to replace in *α*0, the firing interval of *t*<sup>1</sup> with ]2, 4]. This

The approach we propose in the following section, is a combination of this principle with a

In this chapter, we propose another on-the-fly approach which does not need this expensive operation. Our approach differs from the previous ones by the fact it computes bad states (i.e.: states which may lead to an undesired state) instead of computing the winning states and it constructs a state class graph instead of a state zone graph. In addition, the bad states are computed, using a forward approach, for only state classes containing at least a controllable transition.
