**4.2. Example**

*I*∈*B I*

To explain the procedure, we trace the algorithm on the TPN shown in Figure 1. Its SCG and its state classes are reported in Figure 2 and Table 2, respectively. For this example, we have *Tc* = {*t*1}, *bad* = {*p*2, *p*4}, *Passed* = ∅ and *α*<sup>0</sup> = (*p*<sup>1</sup> + *p*2, 0 ≤ *t*<sup>1</sup> ≤ 4 ∧ 2 ≤ *t*<sup>2</sup> ≤ 3).

The process starts by calling *explore*(*α*0, *�*, {*α*0}) (see Figure 6). Since *α*<sup>0</sup> is not in *Passed* and its marking is not forbidden, *explore* is successively called for the successors of *α*0: *explore*(*α*1, *t*1, {*α*0, *α*1}) and *explore*(*α*2, *t*2, {*α*0, *α*2}). In *explore* of *α*1, function *explore* is successively called for *α*<sup>3</sup> and *α*4. In *explore* of *α*3, function *explore* is called for the successor *α*<sup>6</sup> of *α*<sup>3</sup> by *t*3: *explore*(*α*6, *t*3, {*α*0, *α*1, *α*3, *α*6}). For the successor of *α*<sup>3</sup> by *t*<sup>4</sup> (i.e., *α*0), there is no need to call *explore* as it belongs to the current path. Since *α*<sup>6</sup> has a forbidden marking, *explore* of *α*<sup>6</sup> returns to *explore* of *α*<sup>3</sup> with {*t*3}, which, in turn, adds (*α*3, {*t*2*t*3}, ∅) to *Passed* and returns to *explore* of *α*<sup>1</sup> with {*t*2*t*3}.

**Algorithm 2** On-the-fly algorithm for safety control problem of TPN- Part B

16 Will-be-set-by-IN-TECH

the function. Otherwise, it is needed to propagate the control to its predecessor by *t*. The set of sequences, obtained by prefixing with *t* sequences of Ω, is then returned by the function. This algorithm tries to control the system behavior starting from the last to the first state classes of bad paths. If it fails to control a state class of a path, so as to avoid all bad state classes, the algorithm tries to control its previous state classes. If it succeeds to control a state class, there is no need to control its predecessors. The aim is to limit as little as possible the

behavior of the system (more permissive controller).

**Let** *Tc* **be the set of controllable transitions of** N **and**

**Function** *main*(*TPN* N , *Markings bad*)

**Where** N **is a TPN**

*Passed* = ∅

**return end if**

**end for**

*Dep*(*α*,*t*, *LI*) ≡

*INT*(*α*,*tc* − *<sup>t</sup>*<sup>0</sup> ) �⊆

**4.2. Example**

*Enc* (*M*) = *En*(*M*) ∩ *Tc* ;

*<sup>c</sup>* (*M*) = *Enc* (*M*) ∪ {*t*0}; *Newc*(*M*,*t*) = *New*(*M*,*t*) ∩ *Tc*; *New*(*M*0, *�*) = *En*(*M*0);

(∗) *α* = (*M*, *F*);

*En*<sup>0</sup>

*bad* **is a set of bad markings.**

*α*<sup>0</sup> **the initial state class of** N **.**

**if** (*explore*(*α*0, *�*, {*α*0}) �= ∅) **then {Controller does not exist}**

**for all** ((*α*, Ω, *L I*) ∈ *Passed*) **do**

(*tc*,*ts*,*B I*)∈*LI*

*t*<sup>0</sup> is a fictitious transition whose time variable is fixed at 0.

(*I* ⊕ *INT*(*α*,*ts* − *t*<sup>0</sup> )))

∃(*tc*, *ts*, *B I*) ∈ *LI*,*tc* ∈/ *New*(*M*,*t*) ∧ (*ts* ∈/ *New*(*M*,*t*)∨

and returns to *explore* of *α*<sup>1</sup> with {*t*2*t*3}.

*I*∈*B I*

*Ctrl*[*α*] =

**Algorithm 1** On-the-fly algorithm for safety control problem of TPN- Part A

{(*tc*, *ts*, *INT*(*α*, *tc* − *ts*) − *B I*)}

To explain the procedure, we trace the algorithm on the TPN shown in Figure 1. Its SCG and its state classes are reported in Figure 2 and Table 2, respectively. For this example, we have

The process starts by calling *explore*(*α*0, *�*, {*α*0}) (see Figure 6). Since *α*<sup>0</sup> is not in *Passed* and its marking is not forbidden, *explore* is successively called for the successors of *α*0: *explore*(*α*1, *t*1, {*α*0, *α*1}) and *explore*(*α*2, *t*2, {*α*0, *α*2}). In *explore* of *α*1, function *explore* is successively called for *α*<sup>3</sup> and *α*4. In *explore* of *α*3, function *explore* is called for the successor *α*<sup>6</sup> of *α*<sup>3</sup> by *t*3: *explore*(*α*6, *t*3, {*α*0, *α*1, *α*3, *α*6}). For the successor of *α*<sup>3</sup> by *t*<sup>4</sup> (i.e., *α*0), there is no need to call *explore* as it belongs to the current path. Since *α*<sup>6</sup> has a forbidden marking, *explore* of *α*<sup>6</sup> returns to *explore* of *α*<sup>3</sup> with {*t*3}, which, in turn, adds (*α*3, {*t*2*t*3}, ∅) to *Passed*

*Tc* = {*t*1}, *bad* = {*p*2, *p*4}, *Passed* = ∅ and *α*<sup>0</sup> = (*p*<sup>1</sup> + *p*2, 0 ≤ *t*<sup>1</sup> ≤ 4 ∧ 2 ≤ *t*<sup>2</sup> ≤ 3).

```
Function Traces explore(Class α, Trans t, Classes C)
if (∃Ω, L I s.t. (α, Ω, L I) ∈ Passed) then
  if (Ω �= ∅ ∧ Dep(α, t, L I)) then
     return {t.ω|ω ∈ Ω}
  end if
  return ∅
end if
if (M ∈ bad) then
  return {t}
end if
Traces Ω = ∅;
for all t� ∈ En(M) s.t succ(α, t�
                                ) �= ∅ ∧ succ(α, t�
                                                  ) ∈ C / do
  Ω = Ω ∪ explore(succ(α, t�
                              ), t�
                                 , C∪{succ(α, t�
                                                 )})
end for{Ω contains all bad sequences of α.}
if (Ω = ∅) then
  Passed = Passed ∪ {(α, ∅, ∅)}
  return ∅
end if
L I = {(tc, ts, B I)|(tc, ts) ∈ Enc(M) × En0
                                          c (M) ∧
                    B I = 
                          ω∈Ω
                              INT(Fire(α, ω),tc − ts) ⊂ INT(α, tc − ts)}
Passed = Passed ∪ {(α, Ω, L I)}
if (Dep(α, t, L I)) then
  return {t.ω|ω ∈ Ω}
end if
return ∅
```
In *explore* of *α*1, function *explore* is called for *α*<sup>4</sup> (*explore*(*α*4, *t*3, {*α*0, *α*1, *α*4})). This call returns, to *explore* of *α*1, with {*t*3}, since *α*<sup>4</sup> has a forbidden marking. In *explore* of *α*1, the tuple (*α*1, {*t*2*t*3, *t*3}, ∅)is added to *Passed* and {*t*1*t*2*t*3, *t*1*t*3} is returned to *explore* of *α*0. Then, *explore* of *α*<sup>0</sup> calls *explore*(*α*2, *t*2, {*α*0, *α*2}), which in turn calls *explore*(*α*5, *t*1, {*α*0, *α*2, *α*5}). Since *α*<sup>5</sup> has only one successor (*α*0) and this successor belongs to the current path, the call of *explore* for *α*<sup>5</sup> adds (*α*5, ∅, ∅) to *Passed* and returns to *explore* of *α*<sup>2</sup> with ∅, which, in turn, returns to *explore* of *α*0.

After exploring both successors of *α*0, in *explore* of *α*0, we get in Ω = {*t*1*t*2*t*3, *t*1*t*3} the set of bad paths of *α*0. As the state class *α*<sup>0</sup> has a controllable transition *t*1, its bad subclasses are computed: *Fire*(*α*0, *t*1*t*2*t*3) = {(*p*<sup>1</sup> + *p*2, 0 ≤ *t*<sup>1</sup> ≤ 2 ∧ 2 ≤ *t*<sup>2</sup> ≤ 3 ∧ 1 ≤ *t*<sup>2</sup> − *t*<sup>1</sup> ≤ 3) and *Fire*(*α*0, *t*1*t*3)=(*p*<sup>1</sup> + *p*2, 0 ≤ *t*<sup>1</sup> ≤ 1 ∧ 2 ≤ *t*<sup>2</sup> ≤ 3 ∧ 2 ≤ *t*<sup>2</sup> − *t*<sup>1</sup> ≤ 3)}. The firing interval of *t*<sup>1</sup> in *α*<sup>0</sup> ([0, 4]) is not covered by the union of intervals of *t*<sup>1</sup> in bad subclasses of *α*<sup>0</sup> ([0, 2] ∪ [0, 1] �= [0, 4]). Then, (*α*0, {*t*1*t*2*t*3, *t*1*t*3}, {(*t*1, *t*0, {[0, 2]})}) is added to *Passed*. As *t*<sup>1</sup> is newly enabled, the empty set is returned to the function *main*, which concludes that a controller

Marking Constraint to be applied on *t*<sup>1</sup>

A Forward On-The-Fly Approach in Controller Synthesis of Time Petri Nets 457

reasons: no class having enabled controllable transitions exists in a bad path; or, calculated bad subclasses covers entire domain of controllable transitions. Note that, in a time Petri net[15] it is impossible to cancel a transition. Thus, if the entire domain of a controllable transition leads to bad states, as it cannot be canceled or delayed, the state class cannot be controlled so

In the algorithms presented here, a state class is declared to be uncontrollable if it does not contain controllable transitions or it cannot be controlled so as to avoid all bad state classes. Note that if a state class cannot be controlled to avoid all bad classes, it can be however controlled to avoid some bad classes. To limit as little as possible the behavior of the system, the set of bad sequences of a state class *α* can be partitioned in two subsets: the set of bad sequences that can be avoided from *α* and the set of bad sequences that cannot to be avoided from *α*. The former set is avoided from *α* while the latter is let to be controlled by the predecessors of *α*. The function *explore* in this case should return the set of bad sequences that cannot be controlled from *α*. In this way, we increase the permissiveness of the controller. The most significant advantage of this algorithm is the possibility of choosing the level of

**1) Static controller**: The control is independent of markings and states of the system. For each controllable transition, the intersection of all safe intervals is considered. Let *tc* be a controllable transition whose interval needs to be restricted and *SIr*(*tc*) = {*Ir*|∀(*α*, Ω, *L*) ∈ *Passed*, ∃(*tc*, *S I*) ∈ *Ctrl*[*α*], *Ir* ⊆ *S I* ∧ *Ir* �= ∅}. The static firing interval of *tc* should be replaced with any interval of *SIr*(*tc*). Note that *SIr*(*tc*) may be empty. In this case, such a controller does not exist. Otherwise, it exists and its implementation is static as if the model is corrected rather than controlled. On the other hand, the permissiveness is sacrificed for the sake of simplicity of implementation. Albeit being simple, the controller has a high impact on performance of the system. For the previous example, such a controller exists and consists of

**2) Marking dependent controller**: The controller is a function of marking. The intersection of all safe intervals of controllable state classes with the same marking is considered, causing loss of permissiveness. Let *tc* be a controllable transition whose interval needs to be restricted and *SIm*(*M*,*tc*) = {*Im*|∀((*M*, *I*), Ω, *L*) ∈ *Passed*, ∃(*tc*, *S I*) ∈ *Ctrl*[(*M*, *I*)], *Im* ⊆ *S I* ∧ *Im* �= ∅}. For each marking *M*, the firing interval of each controllable transition *tc* enabled in *M* should be any interval of *SIm*(*M*,*tc*). The set *SIm*(*M*, *tc*) may be empty and then such a controller does not exist. Otherwise, it exists and can be represented by duplicating some controllable transitions, each of them being associated with an interval and conditioned to a marking. Such a controller exists for the previous example and is given in Table 3 and the controlled TPN is

**3) State dependent controller**: The third level is the most permissive. A controllable transition is limited depending on the class the system is. In fact, making decision is delayed as much as

*p*<sup>1</sup> + *p*<sup>2</sup> 2 < *t*<sup>1</sup> ≤ 4 Others 0 ≤ *t*<sup>1</sup> ≤ 4

**Table 3.** A marking dependent controller for the TPN at Figure 1

control. Three levels of control can be carried out:

replacing the static interval of *t*<sup>1</sup> with [2, 4].

what comes in Figure 7.

as to avoid bad states.

**Figure 6.** Applying Algorithms 1 & 2 on the TPN at Figure 1 for *AG not p*<sup>1</sup> + *p*<sup>3</sup> = 0

exists. According with the list *Passed*, *α*<sup>0</sup> needs to be controlled (*Ctrl*[*α*0] = {(*t*1, *t*0, {[0, 4] − [0, 2]})}). For all others, there is nothing to do.

Note that for this example, it is possible to carry out a static controller, which is, in this case, a mapping over controllable transitions. Indeed, it suffices to replace the static interval of *t*<sup>1</sup> with ]2, 4]. Such a controller is in general less permissive than the state dependent controller. However, its implementation is static and very simple as if the model is corrected rather than controlled.

It is also possible to carry out a marking dependent controller (a mapping over markings). Such a controller can be represented by duplicating *t*1, each of them being associated with an interval and conditioned to a marking (see Table 3 and Figure 7).

This algorithm is able to determine whether a safety controller exists or not. If the algorithm fails to determine a controller, then the controller does not exist. This failure may have two

**Figure 7.** The controlled TPN obtained for the TPN at Figure 1 for *AG not p*<sup>1</sup> + *p*<sup>3</sup> = 0


**Table 3.** A marking dependent controller for the TPN at Figure 1

18 Will-be-set-by-IN-TECH

*t*1

*α*<sup>1</sup> *α*<sup>2</sup>

*t*2

*α*0

*t*1

*explore*(*α*4, *<sup>t</sup>*3, {*α*0, *<sup>α</sup>*1, *<sup>α</sup>*4}) *Return* {*t*3}

exists. According with the list *Passed*, *α*<sup>0</sup> needs to be controlled (*Ctrl*[*α*0] = {(*t*1, *t*0, {[0, 4] −

Note that for this example, it is possible to carry out a static controller, which is, in this case, a mapping over controllable transitions. Indeed, it suffices to replace the static interval of *t*<sup>1</sup> with ]2, 4]. Such a controller is in general less permissive than the state dependent controller. However, its implementation is static and very simple as if the model is corrected rather than

It is also possible to carry out a marking dependent controller (a mapping over markings). Such a controller can be represented by duplicating *t*1, each of them being associated with an

This algorithm is able to determine whether a safety controller exists or not. If the algorithm fails to determine a controller, then the controller does not exist. This failure may have two *p*<sup>1</sup> *p*<sup>2</sup>

• •

*Return* ∅

*α*5

*explore*(*α*1, *<sup>t</sup>*1, {*α*0, *<sup>α</sup>*1}) *Return* {*t*1*t*2*t*3, *<sup>t</sup>*1*t*3}

*t*3

interval and conditioned to a marking (see Table 3 and Figure 7).

*p*3

*p*<sup>1</sup> + *p*<sup>2</sup> *not p*<sup>1</sup> + *p*<sup>2</sup>

*t*3[2, ∞[

**Figure 7.** The controlled TPN obtained for the TPN at Figure 1 for *AG not p*<sup>1</sup> + *p*<sup>3</sup> = 0

*t*<sup>4</sup> *t* [0, 1] <sup>11</sup>]2, 4] *t*12[0, 4]

*α*3

*t*2 *t*3

*α*4

**Figure 6.** Applying Algorithms 1 & 2 on the TPN at Figure 1 for *AG not p*<sup>1</sup> + *p*<sup>3</sup> = 0

*explore*(*α*3, *t*2, {*α*0, *<sup>α</sup>*1, *<sup>α</sup>*3}) *Return* {*t*2*t*3}

[0, 2]})}). For all others, there is nothing to do.

controlled.

*explore*(*α*6, *<sup>t</sup>*3, {*α*0, *<sup>α</sup>*1, *<sup>α</sup>*3, *<sup>α</sup>*6}) *Return* {*t*3}

*α*6

*explore*(*α*0, *�*, {*α*0}) *Return* <sup>∅</sup>

*explore*(*α*5, *t*1, {*α*0, *α*2, *α*5})

*explore*(*α*2, *<sup>t</sup>*2, {*α*0, *<sup>α</sup>*2}) *Return* <sup>∅</sup>

*p*4

*t*2[2, 3]

reasons: no class having enabled controllable transitions exists in a bad path; or, calculated bad subclasses covers entire domain of controllable transitions. Note that, in a time Petri net[15] it is impossible to cancel a transition. Thus, if the entire domain of a controllable transition leads to bad states, as it cannot be canceled or delayed, the state class cannot be controlled so as to avoid bad states.

In the algorithms presented here, a state class is declared to be uncontrollable if it does not contain controllable transitions or it cannot be controlled so as to avoid all bad state classes. Note that if a state class cannot be controlled to avoid all bad classes, it can be however controlled to avoid some bad classes. To limit as little as possible the behavior of the system, the set of bad sequences of a state class *α* can be partitioned in two subsets: the set of bad sequences that can be avoided from *α* and the set of bad sequences that cannot to be avoided from *α*. The former set is avoided from *α* while the latter is let to be controlled by the predecessors of *α*. The function *explore* in this case should return the set of bad sequences that cannot be controlled from *α*. In this way, we increase the permissiveness of the controller.

The most significant advantage of this algorithm is the possibility of choosing the level of control. Three levels of control can be carried out:

**1) Static controller**: The control is independent of markings and states of the system. For each controllable transition, the intersection of all safe intervals is considered. Let *tc* be a controllable transition whose interval needs to be restricted and *SIr*(*tc*) = {*Ir*|∀(*α*, Ω, *L*) ∈ *Passed*, ∃(*tc*, *S I*) ∈ *Ctrl*[*α*], *Ir* ⊆ *S I* ∧ *Ir* �= ∅}. The static firing interval of *tc* should be replaced with any interval of *SIr*(*tc*). Note that *SIr*(*tc*) may be empty. In this case, such a controller does not exist. Otherwise, it exists and its implementation is static as if the model is corrected rather than controlled. On the other hand, the permissiveness is sacrificed for the sake of simplicity of implementation. Albeit being simple, the controller has a high impact on performance of the system. For the previous example, such a controller exists and consists of replacing the static interval of *t*<sup>1</sup> with [2, 4].

**2) Marking dependent controller**: The controller is a function of marking. The intersection of all safe intervals of controllable state classes with the same marking is considered, causing loss of permissiveness. Let *tc* be a controllable transition whose interval needs to be restricted and *SIm*(*M*,*tc*) = {*Im*|∀((*M*, *I*), Ω, *L*) ∈ *Passed*, ∃(*tc*, *S I*) ∈ *Ctrl*[(*M*, *I*)], *Im* ⊆ *S I* ∧ *Im* �= ∅}. For each marking *M*, the firing interval of each controllable transition *tc* enabled in *M* should be any interval of *SIm*(*M*,*tc*). The set *SIm*(*M*, *tc*) may be empty and then such a controller does not exist. Otherwise, it exists and can be represented by duplicating some controllable transitions, each of them being associated with an interval and conditioned to a marking. Such a controller exists for the previous example and is given in Table 3 and the controlled TPN is what comes in Figure 7.

**3) State dependent controller**: The third level is the most permissive. A controllable transition is limited depending on the class the system is. In fact, making decision is delayed as much as

possible. When the algorithm is being synthesized, different scenarios are considered. During the execution, the controller decides upon the scenario the system is (the current state class).

**Algorithm 4** On-the-fly algorithm for the reachability control of TPN-Part B

) �= ∅ **do**

, C∪{*succ*(*α*, *t*�

*<sup>c</sup>* (*M*) ∧

)})

A Forward On-The-Fly Approach in Controller Synthesis of Time Petri Nets 459

*INT*(*Fire*(*α*, *ω*),*tc* − *ts*) ⊂ *INT*(*α*, *tc* − *ts*)}

), *t*�

**Function** *Traces explore*(*Class α*, *Trans t*, *Classes* C)

**if (**∃Ω, *L I* **s.t.** (*α*, Ω, *L I*) ∈ *Passed***) then if** (Ω �= ∅ ∧ *Dep*(*α*, *t*, *L I*)) **then return** {*t*.*ω*|*ω* ∈ Ω}

**end if return** ∅

**if (***M* ∈ *goal***) then return** ∅

**if** (*En*(*M*) = ∅) **then return** {*t*}

**if** *succ*(*α*, *t*�

Ω = Ω ∪ {*t*�

**for all** *t*� ∈ *En*(*M*) **s.t** *succ*(*α*, *t*�

) ∈ C **then**

}

Ω **=** Ω ∪ *explore*(*succ*(*α*, *t*�

*Passed* = *Passed* ∪ {(*α*, Ω, ∅)}

*Passed* = *Passed* ∪ {(*α*, Ω, *L I*)}

**if** (*Dep*(*α*, *t*, *L I*)) **then return** {*t*.*ω*|*ω* ∈ Ω}

*L I* <sup>=</sup> {(*tc*, *ts*, *B I*)|(*tc*, *ts*) <sup>∈</sup> *Enc*(*M*) <sup>×</sup> *En*<sup>0</sup>

*B I* =

*ω*∈Ω

**end if**

**end if**

**end if** *Traces* Ω = ∅

**else**

**end if end for**

**if (**Ω = ∅**) then**

**return** ∅

**end if**

**end if return** ∅
