**4. An on-the-fly algorithm for investigating the existence of a controller for a TPN**

This chapter aims to propose an efficient forward on-the-fly method based on the state class graph for checking the existence of a safety/reachability controller for a TPN. As discussed earlier, the state class graph is a good alternative for the on-the-fly algorithms as the exploration converges fast and does not need any over-approximation operation to enforce the convergence. The method, proposed here, is completely a forward and does not compute

12 Will-be-set-by-IN-TECH

<sup>1</sup> , *β*2, *β*�

<sup>1</sup> , *β*2, *β*�

winning states. Since the initial state zone belongs to *X*2, there is a controller for forcing the property *AG not p*<sup>1</sup> + *p*<sup>3</sup> = 0. To keep the model in safe states (in states of *X*2), the controller must delay, in *β*0, the firing of *t*<sup>1</sup> until its clock overpasses the value 2. Doing so, the successor

This approach needs however to construct a state space abstraction before computing the set of winning states. To overcome this limitation, in [10, 20], the authors have investigated the use of on-the-fly algorithms besides the fix point to compute the winning states for timed game automata (timed automata with controllable and uncontrollable transitions). We report, in Fig 4, the on-the-fly algorithm given in [10] for the case of reachability properties and timed game automata. This algorithm uses three lists *Passed* containing all state zones explored so far, *Waiting*, containing the set of edges to be processed and *Depend* indicating, for each state zone *S*, the set of edges to be reevaluated in case the set of the winning states in *S* (*Win*[*S*]) is updated. Using this on-the-fly method, in each step, a part of the state zone graph is

be recomputed later (the edge *e* is added to the *Waiting* list). If *S*� is in *Passed*, the set of the winning states of *S* (*Win*[*S*]) is recomputed and possibly those of its predecessors and so on. The set *Win*[*S*] is the largest subset of *S* which is included in the controllable predecessors of

This on-the-fly algorithm, based on computing controllable predecessors, requires some expensive operations such as the difference between abstract states (state zones). The difference between two state zones is not necessarily a state zone and then may result in

In this chapter, we propose another on-the-fly approach which does not need this expensive operation. Our approach differs from the previous ones by the fact it computes bad states (i.e.: states which may lead to an undesired state) instead of computing the winning states and it constructs a state class graph instead of a state zone graph. In addition, the bad states are computed, using a forward approach, for only state classes containing at least a controllable

**4. An on-the-fly algorithm for investigating the existence of a controller**

This chapter aims to propose an efficient forward on-the-fly method based on the state class graph for checking the existence of a safety/reachability controller for a TPN. As discussed earlier, the state class graph is a good alternative for the on-the-fly algorithms as the exploration converges fast and does not need any over-approximation operation to enforce the convergence. The method, proposed here, is completely a forward and does not compute

states, which are uncontrollable predecessors of bad states of *β*<sup>3</sup> − *β*�

<sup>1</sup> = {*p*<sup>2</sup> + *p*3, 2 < *t*<sup>2</sup> ≤ 3 ∧ 0 ≤ *t*<sup>3</sup> < 1 ∧ 2 ≤ *t*<sup>2</sup> − *t*<sup>3</sup> ≤ 3}.

then these states are added to the winning states of *S*� (*Win*[*S*�

several state zones which need to be handled separately.

<sup>3</sup>, *β*5}. This iteration eliminates from *β*�

3:

) of the *Waiting* list is processed. If the state zone *S*�

]). The winning states of *S* will

, some states which satisfy the desired reachability property,

<sup>3</sup>, *β*5}. The fix point *X*<sup>2</sup> is then the set of

<sup>1</sup> all

*2) Iteration* 2*: X*<sup>2</sup> = *X*<sup>1</sup> ∩ *π*(*X*1) = {*β*0, *β*��

*3) Iteration* 3*: X*<sup>2</sup> = *X*<sup>2</sup> ∩ *π*(*X*2) = {*β*0, *β*��

1 .

constructed and an edge *e* = (*S*, *a*, *S*�

the winning states of all its successors.

transition.

**for a TPN**

is not in *Passed* and there is, in *S*�

*β*��

of *β*<sup>0</sup> by *t*<sup>1</sup> will be *β*��

**Figure 4.** On-the-fly algorithm for timed game automata proposed in [10]

controllable predecessors (which is considered as an expensive operation). To explain the method, we start with safety properties.

Let us introduce informally the principle of our approach by means of the previous example. Consider the TPN shown in Figure 1, its state class graph depicted in Figure 2 and its state classes reported in Table 2. Our goal is to avoid to reach bad states (i.e., state classes *α*<sup>4</sup> and *α*6) by choosing appropriately the firing intervals for controllable transitions.

From the initial state class *α*0, there are two elementary paths *α*0*t*1*α*1*t*3*α*<sup>4</sup> and *α*0*t*1*α*1*t*2*α*3*t*3*α*<sup>6</sup> that lead to bad states. In both paths, there is only one state class (*α*0) where the controllable transition *t*<sup>1</sup> is firable. To avoid these bad paths, we propose to compute all states of *α*<sup>0</sup> from which *t*1*t*<sup>3</sup> or *t*1*t*2*t*<sup>3</sup> is firable, i.e., *B*(*α*0) = *Fire*(*α*0, *t*1*t*3) ∪ *Fire*(*α*0, *t*1*t*2*t*3), where:

*Fire*(*α*0, *t*1*t*3)=(*p*<sup>1</sup> + *p*2, 0 ≤ *t*<sup>1</sup> ≤ 1 ∧ 2 ≤ *t*<sup>2</sup> ≤ 3 ∧ 2 ≤ *t*<sup>2</sup> − *t*<sup>1</sup> ≤ 3) and

*Fire*(*α*0, *t*1*t*2*t*3)=(*p*<sup>1</sup> + *p*2, 0 ≤ *t*<sup>1</sup> ≤ 2 ∧ 2 ≤ *t*<sup>2</sup> ≤ 3 ∧ 1 ≤ *t*<sup>2</sup> − *t*<sup>1</sup> ≤ 3).

To avoid these bad states, it suffices to replace in *α*0, the firing interval of *t*<sup>1</sup> with ]2, 4]. This interval is the complement of [0, 2] ∪ [0, 1] in the firing interval of *t*<sup>1</sup> in *α*<sup>0</sup> ([0, 4]).

The approach we propose in the following section, is a combination of this principle with a forward on-the-fly method.

restricting firing domains of controllable transitions. If this set is nonempty, it means that such a controller does not exist. Otherwise, it exists and the algorithm guarantees that for each state class *α* with some bad sequences, there is a possibility to choose appropriately the firing intervals of some controllable transitions so as to avoid all bad subclasses of *α*. The control of *α* consists of eliminating, from the firing intervals of such controllable transitions, all parts figuring in its bad subclasses. The restriction of domains is also applied on firing delays between two controllable transitions of *α*. We get in *Ctrl*, all possibilities of controlling each state class. In case there is only one controllable transition in *α*, its delay with a fictitious

A Forward On-The-Fly Approach in Controller Synthesis of Time Petri Nets 453

Each element of *Passed* is a triplet (*α*, Ω(*α*), *L I*(*α*)) where *α* = (*M*, *F*) is a state class s.t. *M* ∈/ *bad*, Ω(*α*) is the set of bad sequences of *α*, which cannot be avoided, independently of *α*, from its successors, and *L I*(*α*) gives the intervals of controllable transitions in bad subclasses of *α* (bad intervals). The set *L I*(*α*) allows to retrieve the safe intervals of controllable transitions, by computing the complements, in *α*, of the forbidden intervals (i.e., all possibilities of controlling

The function *explore* receives parameters *α* being the class under process, *t* the transition leading to *α* and C the set of traveled classes in the current path. It uses functions *succ*(*α*, *t*) and *Fire*(*α*, *ω*) already explained by equations 5 and 6 (in sections 2.3 and 2.4, respectively). It

1) *α* has been already processed (i.e., *α* is in *Passed*): In this case, there is no need to explore it again. However, its bad sequences have to be propagated to its predecessor by *t*, in case the control needs to be started before reaching *α* in order to avoid bad states of its predecessors. The control of *α* is independent of its predecessors along the path if all possibilities of control in *α* are limited to the newly enabled transitions. In case there is, in *α*, a possibility of control, which limits the firing interval of some controllable transition not newly enabled in *α*, it means that the predecessor of *α* by *t* has some bad states that must be avoided. The condition *Dep*(*α*, *t*, *L I*), used in Algorithm 2, is to control *α* independently of its predecessor by *t*.

2) *α* has a forbidden marking (i.e., *α* is a bad state class): In this case, the transition *t* is returned,

3) In other cases, the function *explore* is called for each successor of *α*, not already encountered in the current path (see Figure 5), to collect, in Ω, the bad sequences of its successors. Once all

3.1) If Ω = ∅, it means that *α* does not lead to any bad state class or its bad sequences can be avoided later by controlling its successors, then (*α*, ∅, ∅) is added to *Passed* and the function

3.2) If Ω � ∅, the function *explore* determines intervals of controllable transitions in bad subclasses, which do not cover their intervals in *α*. It gets such intervals, identifying states to be avoided, in *L I* (bad intervals). It adds (*α*, Ω, *L I*) to *Passed* and then verifies whether or not *α* is controllable independently of its predecessor state class in the current path. In such a case, there is no need to start the control before reaching *α* and then the empty set is returned by

which means that this sequence needs to be avoided before reaching *α*.

transition whose time variable is fixed at 0 is considered.

*α*, *Ctrl*(*α*)).

distinguishes 3 cases:

returns with ∅.

successors are processed, Ω is checked:

**Figure 5.** Path satisfying or not a safety property. Black states should be avoided.

## **4.1. Controller for safety properties**

A controller for safety properties running in parallel with the system should satisfy the property '*AG not bad*' where 'bad' stands for the set of states having a forbidden marking and it means that 'bad' states will never happen. We introduce here an algorithm to re-constrain the controllable transitions and reach a safe net.

The idea is to construct, using a forward on-the-fly method, the state class graph of the TPN to determine whether controllable transitions have to be constrained, in order to avoid forbidden markings. This method computes and explores, path by path, the state class graph of a TPN looking for the sequences leading the system to any forbidden marking (bad sequences or bad paths). And using Proposition 1, we get the subclasses causing the bad states happening later through the found sequences (bad subclasses). We restrict the domain of controllable transitions in the state class where they were enabled so as to avoid its bad subclasses. The restriction of the interval of a controllable transition *t* of a state class *α* is obtained by subtracting from its interval in *α* (*INT*(*α*, *t*)), intervals of *t* in its bad subclasses.

Before describing the procedure formally, we define an auxiliary operation over intervals to be used in the algorithm. Let *I* and *I*� be two nonempty (real) intervals. We denote *I* ⊕ *I*� intervals defined by:

$$\forall a \in \mathbb{R}, a \in I \oplus I'\\
iff \exists b \in I, \exists c \in I', a = b + c. \tag{9}$$

As an example, for *I* = [1, 4] and *I*� =]2, 5], *I* ⊕ *I*� =]3, 9]. And also

$$LII(a) = \left\{ (t\_i, t\_{i\*} \boxtimes I) \middle| t\_i \in \text{En}\_i(M), t\_i \in \text{En}\_{\sharp}^0(M); \boxtimes I = \bigcup\_{\omega \in \Omega(a)} \text{INT}(\text{Fire}(a, \omega), t\_{\omega} - t\_{\omega}) \neq \text{INT}(a, t\_{\omega} - t\_{\omega}) \right\} \tag{10}$$

This method is presented in the algorithms 1 and 2. The symbol *Tc* refers to the set of controllable transitions and all forbidden markings of the net are saved in a set called, *bad*. The list *Passed* is used to retrieve the set of state classes processed so far, their bad sequences, and the bad intervals of controllable transitions (their domains in bad subclasses). Function *main* consists of an initialization step and a calling to the recursive function *explore*. The call *explore*(*α*0, ∅, {*α*0}) returns the set of bad sequences that cannot be avoided, from *α*0, by restricting firing domains of controllable transitions. If this set is nonempty, it means that such a controller does not exist. Otherwise, it exists and the algorithm guarantees that for each state class *α* with some bad sequences, there is a possibility to choose appropriately the firing intervals of some controllable transitions so as to avoid all bad subclasses of *α*. The control of *α* consists of eliminating, from the firing intervals of such controllable transitions, all parts figuring in its bad subclasses. The restriction of domains is also applied on firing delays between two controllable transitions of *α*. We get in *Ctrl*, all possibilities of controlling each state class. In case there is only one controllable transition in *α*, its delay with a fictitious transition whose time variable is fixed at 0 is considered.

14 Will-be-set-by-IN-TECH

A controller for safety properties running in parallel with the system should satisfy the property '*AG not bad*' where 'bad' stands for the set of states having a forbidden marking and it means that 'bad' states will never happen. We introduce here an algorithm to re-constrain

The idea is to construct, using a forward on-the-fly method, the state class graph of the TPN to determine whether controllable transitions have to be constrained, in order to avoid forbidden markings. This method computes and explores, path by path, the state class graph of a TPN looking for the sequences leading the system to any forbidden marking (bad sequences or bad paths). And using Proposition 1, we get the subclasses causing the bad states happening later through the found sequences (bad subclasses). We restrict the domain of controllable transitions in the state class where they were enabled so as to avoid its bad subclasses. The restriction of the interval of a controllable transition *t* of a state class *α* is obtained by

Before describing the procedure formally, we define an auxiliary operation over intervals to be used in the algorithm. Let *I* and *I*� be two nonempty (real) intervals. We denote *I* ⊕ *I*�

*<sup>c</sup>* (*M*); *B I* <sup>=</sup>

This method is presented in the algorithms 1 and 2. The symbol *Tc* refers to the set of controllable transitions and all forbidden markings of the net are saved in a set called, *bad*. The list *Passed* is used to retrieve the set of state classes processed so far, their bad sequences, and the bad intervals of controllable transitions (their domains in bad subclasses). Function *main* consists of an initialization step and a calling to the recursive function *explore*. The call *explore*(*α*0, ∅, {*α*0}) returns the set of bad sequences that cannot be avoided, from *α*0, by

*iff* ∃*b* ∈ *I*, ∃*c* ∈ *I*

*ω*∈Ω(*α*)

�

, *a* = *b* + *c*. (9)

*INT*(*Fire*(*α*,*ω*),*tc* − *ts*) �= *INT*(*α*,*tc* − *ts*)} (10)

subtracting from its interval in *α* (*INT*(*α*, *t*)), intervals of *t* in its bad subclasses.

�

∀*a* ∈ **R**, *a* ∈ *I* ⊕ *I*

As an example, for *I* = [1, 4] and *I*� =]2, 5], *I* ⊕ *I*� =]3, 9]. And also

*LI*(*α*) = {(*tc*, *ts*, *B I*)|*tc* <sup>∈</sup> *Enc* (*M*),*ts* <sup>∈</sup> *En*<sup>0</sup>

**Figure 5.** Path satisfying or not a safety property. Black states should be avoided.

**4.1. Controller for safety properties**

intervals defined by:

the controllable transitions and reach a safe net.

Each element of *Passed* is a triplet (*α*, Ω(*α*), *L I*(*α*)) where *α* = (*M*, *F*) is a state class s.t. *M* ∈/ *bad*, Ω(*α*) is the set of bad sequences of *α*, which cannot be avoided, independently of *α*, from its successors, and *L I*(*α*) gives the intervals of controllable transitions in bad subclasses of *α* (bad intervals). The set *L I*(*α*) allows to retrieve the safe intervals of controllable transitions, by computing the complements, in *α*, of the forbidden intervals (i.e., all possibilities of controlling *α*, *Ctrl*(*α*)).

The function *explore* receives parameters *α* being the class under process, *t* the transition leading to *α* and C the set of traveled classes in the current path. It uses functions *succ*(*α*, *t*) and *Fire*(*α*, *ω*) already explained by equations 5 and 6 (in sections 2.3 and 2.4, respectively). It distinguishes 3 cases:

1) *α* has been already processed (i.e., *α* is in *Passed*): In this case, there is no need to explore it again. However, its bad sequences have to be propagated to its predecessor by *t*, in case the control needs to be started before reaching *α* in order to avoid bad states of its predecessors. The control of *α* is independent of its predecessors along the path if all possibilities of control in *α* are limited to the newly enabled transitions. In case there is, in *α*, a possibility of control, which limits the firing interval of some controllable transition not newly enabled in *α*, it means that the predecessor of *α* by *t* has some bad states that must be avoided. The condition *Dep*(*α*, *t*, *L I*), used in Algorithm 2, is to control *α* independently of its predecessor by *t*.

2) *α* has a forbidden marking (i.e., *α* is a bad state class): In this case, the transition *t* is returned, which means that this sequence needs to be avoided before reaching *α*.

3) In other cases, the function *explore* is called for each successor of *α*, not already encountered in the current path (see Figure 5), to collect, in Ω, the bad sequences of its successors. Once all successors are processed, Ω is checked:

3.1) If Ω = ∅, it means that *α* does not lead to any bad state class or its bad sequences can be avoided later by controlling its successors, then (*α*, ∅, ∅) is added to *Passed* and the function returns with ∅.

3.2) If Ω � ∅, the function *explore* determines intervals of controllable transitions in bad subclasses, which do not cover their intervals in *α*. It gets such intervals, identifying states to be avoided, in *L I* (bad intervals). It adds (*α*, Ω, *L I*) to *Passed* and then verifies whether or not *α* is controllable independently of its predecessor state class in the current path. In such a case, there is no need to start the control before reaching *α* and then the empty set is returned by the function. Otherwise, it is needed to propagate the control to its predecessor by *t*. The set of sequences, obtained by prefixing with *t* sequences of Ω, is then returned by the function.

**Algorithm 2** On-the-fly algorithm for safety control problem of TPN- Part B

) �= ∅ ∧ *succ*(*α*, *t*�

, C∪{*succ*(*α*, *t*�

*<sup>c</sup>* (*M*) ∧

In *explore* of *α*1, function *explore* is called for *α*<sup>4</sup> (*explore*(*α*4, *t*3, {*α*0, *α*1, *α*4})). This call returns, to *explore* of *α*1, with {*t*3}, since *α*<sup>4</sup> has a forbidden marking. In *explore* of *α*1, the tuple (*α*1, {*t*2*t*3, *t*3}, ∅)is added to *Passed* and {*t*1*t*2*t*3, *t*1*t*3} is returned to *explore* of *α*0. Then, *explore* of *α*<sup>0</sup> calls *explore*(*α*2, *t*2, {*α*0, *α*2}), which in turn calls *explore*(*α*5, *t*1, {*α*0, *α*2, *α*5}). Since *α*<sup>5</sup> has only one successor (*α*0) and this successor belongs to the current path, the call of *explore* for *α*<sup>5</sup> adds (*α*5, ∅, ∅) to *Passed* and returns to *explore* of *α*<sup>2</sup> with ∅, which, in turn, returns to *explore*

After exploring both successors of *α*0, in *explore* of *α*0, we get in Ω = {*t*1*t*2*t*3, *t*1*t*3} the set of bad paths of *α*0. As the state class *α*<sup>0</sup> has a controllable transition *t*1, its bad subclasses are computed: *Fire*(*α*0, *t*1*t*2*t*3) = {(*p*<sup>1</sup> + *p*2, 0 ≤ *t*<sup>1</sup> ≤ 2 ∧ 2 ≤ *t*<sup>2</sup> ≤ 3 ∧ 1 ≤ *t*<sup>2</sup> − *t*<sup>1</sup> ≤ 3) and *Fire*(*α*0, *t*1*t*3)=(*p*<sup>1</sup> + *p*2, 0 ≤ *t*<sup>1</sup> ≤ 1 ∧ 2 ≤ *t*<sup>2</sup> ≤ 3 ∧ 2 ≤ *t*<sup>2</sup> − *t*<sup>1</sup> ≤ 3)}. The firing interval of *t*<sup>1</sup> in *α*<sup>0</sup> ([0, 4]) is not covered by the union of intervals of *t*<sup>1</sup> in bad subclasses of *α*<sup>0</sup> ([0, 2] ∪ [0, 1] �= [0, 4]). Then, (*α*0, {*t*1*t*2*t*3, *t*1*t*3}, {(*t*1, *t*0, {[0, 2]})}) is added to *Passed*. As *t*<sup>1</sup> is newly enabled, the empty set is returned to the function *main*, which concludes that a controller

), *t*�

) ∈ C / **do**

A Forward On-The-Fly Approach in Controller Synthesis of Time Petri Nets 455

)})

*INT*(*Fire*(*α*, *ω*),*tc* − *ts*) ⊂ *INT*(*α*, *tc* − *ts*)}

**Function** *Traces explore*(*Class α*, *Trans t*, *Classes* C)

**if** (∃Ω, *L I* **s.t.** (*α*, Ω, *L I*) ∈ *Passed***) then if** (Ω �= ∅ ∧ *Dep*(*α*, *t*, *L I*)) **then return** {*t*.*ω*|*ω* ∈ Ω}

**end if return** ∅

**if (***M* ∈ *bad***) then return** {*t*}

**for all** *t*� ∈ *En*(*M*) **s.t** *succ*(*α*, *t*�

Ω **=** Ω ∪ *explore*(*succ*(*α*, *t*�

*Passed* = *Passed* ∪ {(*α*, Ω, *L I*)}

**if** (*Dep*(*α*, *t*, *L I*)) **then return** {*t*.*ω*|*ω* ∈ Ω}

*Passed* = *Passed* ∪ {(*α*, ∅, ∅)}

**end for{**Ω **contains all bad sequences of** *α***.}**

*L I* <sup>=</sup> {(*tc*, *ts*, *B I*)|(*tc*, *ts*) <sup>∈</sup> *Enc*(*M*) <sup>×</sup> *En*<sup>0</sup>

*B I* =

*ω*∈Ω

*Traces* Ω = ∅;

**if (**Ω = ∅**) then**

**return** ∅

**end if**

**end if**

**end if**

**end if return** ∅

of *α*0.

This algorithm tries to control the system behavior starting from the last to the first state classes of bad paths. If it fails to control a state class of a path, so as to avoid all bad state classes, the algorithm tries to control its previous state classes. If it succeeds to control a state class, there is no need to control its predecessors. The aim is to limit as little as possible the behavior of the system (more permissive controller).

**Algorithm 1** On-the-fly algorithm for safety control problem of TPN- Part A

```
Function main(TPN N , Markings bad)
  Where N is a TPN
  bad is a set of bad markings.
  Let Tc be the set of controllable transitions of N and
  α0 the initial state class of N .
  Passed = ∅
  if (explore(α0, �, {α0}) �= ∅) then
     {Controller does not exist}
     return
  end if
  for all ((α, Ω, L I) ∈ Passed) do
     Ctrl[α] = 
                (tc,ts,B I)∈LI
                            {(tc, ts, INT(α, tc − ts) − B I)}
  end for
(∗)
α = (M, F);
Enc (M) = En(M) ∩ Tc ;
En0
  c (M) = Enc (M) ∪ {t0};
Newc(M,t) = New(M,t) ∩ Tc;
New(M0, �) = En(M0);
t0 is a fictitious transition whose time variable is fixed at 0.
Dep(α,t, LI) ≡
∃(tc, ts, B I) ∈ LI,tc ∈/ New(M,t) ∧ (ts ∈/ New(M,t)∨
INT(α,tc − t0 ) �⊆ 
                   (I ⊕ INT(α,ts − t0 )))
```