A Process Algebra for Supervisory Coordination

A supervisory controller controls and coordinates the behavior of different components of a complex machine by observing their discrete behaviour. Supervisory control theory studies automated synthesis of controller models, known as supervisors, base…

Authors: Jos Baeten (Department of Mechanical Engineering, Eindhoven University of Technology), Bert van Beek (Department of Mechanical Engineering

L. Aceto and M.R. Mousavi (Eds.): PACO 2011, EPTCS 60, 2011, pp. 36–55, doi:10.4204/EPTCS.60.3

Jos Baeten, Bert van Beek, Allan van Hulst, Jasen Markovski∗
Department of Mechanical Engineering, Eindhoven University of Technology, P.O. Box 513, 5600 MB Eindhoven, The Netherlands, {j.c.m.baeten,d.a.v.beek,ahulst,j.markovski}@tue.nl

A supervisory controller controls and coordinates the behavior of different components of a complex machine by observing their discrete behaviour. Supervisory control theory studies automated synthesis of controller models, known as supervisors, based on formal models of the machine components and a formalization of the requirements. Subsequently, code generation can be used to implement this supervisor in software, on a PLC, or on an embedded microprocessor. In this article, we take a closer look at the control loop that couples the supervisory controller and the machine. We model both event-based and state-based observations using process algebra and bisimulation-based semantics. The main application area of supervisory control that we consider is coordination, referred to as supervisory coordination, and we give an academic and an industrial example, discussing the process-theoretic concepts employed.

1 Introduction

Control software development becomes an important issue due to the ever-increasing machine complexity and demands for better quality, performance, safety, and ease of use. Traditionally, the control requirements are formulated informally and, thereafter, manually translated into control software, followed by validation and rewriting of the code whenever necessary. The cycles of such a design-validate process are both error-prone and time-consuming due to frequent ambiguities in the informal specifications.
This issue gave rise to supervisory control theory [22, 9, 17], where models of the supervisory controllers, referred to as supervisors, are synthesized automatically based on formal models of the uncontrolled hardware, referred to as plant, and the model of the control requirements. Based on these models, the control software is generated automatically. The supervisory controller observes discrete machine behavior and sends back control signals about allowed activities. Assuming that the controller reacts sufficiently fast on machine input, this feedback loop, depicted in Figure 1a), was originally modeled as a pair of synchronizing processes [22, 9].

Figure 1: Control loop: a) general (plant and supervisor exchange observable behavior and control signals), b) with event-based observations (observable events, allowed controllable events), c) with state-based observations (an observer reports observable states, allowed controllable events).

In this paper, we focus on the modeling of the control loop and the required process-theoretic concepts to capture the underlying behavior. The main motivation for the investigation is the oversimplification of the coupling between the plant and the supervisor in the original proposal of [22, 9], which still prevails in modern state-of-the-art approaches, like [13, 11, 20, 26, 16] to name a few. Furthermore, we consider coordination as the main application area of supervisory control, where the coordinator(s) are implemented as supervisory controllers that ensure sequencing of events, or deadlock- and livelock-free behavior of the plant, according to the given set of (coordinating) control requirements.

∗ Research funded by C4C European project FP7-ICT-2007.3.7.c.

Supervisory control loop. To model different aspects of the plant and the control requirements, the discrete events that can occur are split into controllable and uncontrollable events.
The former can be disabled by the supervisor and typically model actuator activities, e.g., starting or stopping a motor. The latter cannot be affected by the supervisor if enabled in the plant and typically model sensor activities, e.g., the temperature has reached a given value. We distinguish two types of prominent supervisory control loops relying on event- and state-based observations, depicted in Figure 1b) and c), respectively. The control loop in Figure 1b) depicts that the supervisor observes events that occur in the plant and sends back as feedback the set of controllable events that are allowed for execution. The most prominent operation that captures the coupling between the plant and the supervisor is automata-style synchronous parallel composition [22, 9]. This simple operation restricts the plant by omitting (controllable) events in the supervisor, thereby preventing synchronization and disabling the events. It was quickly realized that this synchronization produces large supervisors that actually memorize the complete supervised behavior, as the supervisor keeps track of the state of the plant by keeping a complete history of observed events. To mitigate the large size of the supervisor, several synchronization operators were proposed that enable the plant to independently execute uncontrollable events, provided that this does not preclude the supervisor from correctly deducing the state of the plant [14, 13, 15, 10]. We note that there are other models of the control loop that employ the input/output transition paradigm, which require an input (set of controllable/actuator events) from the supervisor to produce an output (uncontrollable/sensor event) from the plant [6, 7, 25]. Nonetheless, they have been shown to be equivalent to one of the above approaches with respect to the underlying notions [7].
What synchronous parallel composition or communication fails to model is the difference between the two flows of information, their role, and the different goals of the plant and the supervisor. To this end, we propose a send/receive communication to model the different flows of communication in Figure 1 and differentiate between the contributions of the plant and the supervisor. The event-based observation flow of Figure 1b) enables communication of all observable events, whereas the control signal flow transmits only controllable events. In addition, this setting also supports asynchronous communication between the plant and the supervisor, which affects almost every implementation of supervisory controllers [8]. As a solution to the problem of large supervisors, an alternative approach was proposed in [17], as depicted in Figure 1c). The plant (or the supervisor) is augmented with an observer or a tracker that deduces the state of the plant and submits this observed information to the supervisor. The supervisor, based on this state-based information, acts as a lookup table and feeds the plant with the allowed controllable events in the observed state. In such a way, the supervisor only incorporates the information necessary to exercise control over the plant. Nonetheless, this feedback mechanism is not formalized in [17] and, here, we propose to model this variant of the control loop using a process-theoretic approach that employs root signal emission [1] to capture the state-based observations. Alternative modeling of such control loops is by means of shared variables and synchronization [19], but such approaches do not distinguish between the different flows of information depicted in Figure 1c). Finally, when employing supervisory control for coordination of distributed systems, the supervisor communicates the control actions to several components that have different physical locations.
To this end, we propose to model the feedback control signal communication from the supervisor by means of broadcast communication [4]. To illustrate the proposed process theories that capture the behavior of the control loops of Figure 1b) and c), we revisit two cases where we applied supervisory coordination: 1b) a simple case that introduces the main concepts and deals with coordination of an automated guided vehicle, involving event-based observations, and 1c) a part of an industrial study dealing with maintenance procedures inside complex high-tech printers, which employs state-based observations [18].

Process-theoretic approach. The process-theoretic treatment of supervisory control theory is sustained by a behavioral relation that captures the notion of controllability, which states that supervisory control is possible only if the supervisor can achieve supervised behavior allowed by the control requirements without having to disable an uncontrollable event. Prior investigations into process-theoretic treatments of supervisory control resulted in a special prioritized synchronization operator [14, 13], while employing failure semantics. An alternative approach replaced this special operator with a refinement relation to characterize nondeterministic supervised behaviors [20]. In [26, 24] the refinement is given in terms of bisimulation, and in terms of simulation in [16]. A coalgebraic approach introduced partial bisimulation as a behavioral relation suitable to define language-based controllability [23]. In essence, it states that controllable events should be simulated, whereas uncontrollable events should be bisimulated. This notion was lifted to a concurrency theory for supervisory control that succinctly captured the controllability for nondeterministic discrete-event systems [2].
Here, we extend this framework to elaborately model and formalize the behavior of the supervisory control loops depicted in Figure 1. The rest of this paper is organized as follows. Section 2 revisits the process theory TCP* from [1] and establishes a link between partial bisimulation and supervisory control. Section 3 shows how to model the supervisory control loop in the presented theory by applying supervisory coordination to an automated production line. Section 4 extends the process theory to incorporate guarded commands and root signal emission, which are employed in Section 5, where we revisit an industrial case study of coordination of maintenance procedures in a high-tech printer. We finish with a discussion of future challenges and the potential of applying process theory in supervisory control.

2 Process theory TCP*

In this section we revisit the process algebra TCP* (Theory of Communicating Processes with Iteration) [1], in which we introduce generic communication actions and adopt partial bisimulation as a behavioral relation. This process algebra has a rich syntax, allowing us to express all key ingredients of concurrency theory, including termination, which enables a strong correspondence with automata theory.

Syntax. We presuppose a finite data alphabet $D$ and a finite set $H$ of channels. We assume that $A = \{c!^m?^n d \mid c \in H,\ m, n \in \mathbb{N},\ d \in D\}$, where $c!^m?^n d$ is a generic communication action. If $m = n = 0$, then we treat the generic communication action $c!^0?^0 d$ as a basic event, possibly parameterized with data, notation $c(d)$. Otherwise, we handle it as the outcome of a synchronization of $m$ send and $n$ receive actions. We employ the standard notation for handshaking communication [1], i.e., $c?d$ for $c!^0?^1 d$, $c!d$ for $c!^1?^0 d$, and $c!?d$ for $c!^1?^1 d$. Intuitively, these events denote that datum $d$ is received, sent, or communicated along channel $c$, respectively.
The set of process terms $T$ is generated by the following grammar:

$$T ::= 0 \mid 1 \mid a.T \mid T \cdot T \mid T + T \mid T \parallel T \mid T^* \mid \partial_E(T),$$

where $a \in A$ and $E \subseteq \{c!^m?^n \mid c \in H,\ m, n \in \mathbb{N}\}$. Let us briefly comment on the operators in this syntax. The constant $0$ denotes inaction or deadlock, whereas the constant $1$ denotes successful termination [1]. For each action $a \in A$ there is a unary operator $a.\_$ denoting action prefix; the process denoted by $a.p$ can do an $a$-transition to the process denoted by $p$. The binary operator $p \cdot q$ denotes sequential composition that behaves like $p$, followed by $q$ only upon successful termination of $p$. The binary operator $p + q$ denotes alternative composition or choice on the first action transition of $p$ and $q$. The binary operator $p \parallel q$ denotes parallel composition (with generic channel communication actions); actions of both arguments can be interleaved or, alternatively, communication takes place that keeps track of how many send or receive actions are combined. The unary operator $p^*$ is iteration or Kleene star that unfolds with respect to the sequential composition. The unary operator $\partial_E(p)$ encapsulates the process $p$ in such a way that all (incomplete) communication actions, e.g., $c?d$ and $c!d$, are blocked for all data, so that the desired type of communication is enforced, e.g., if we were to enforce communication between $k$ processes on channel $c$, then $E = \{c!^m?^n \mid 0 < m + n,\ m + n \neq k\}$.

Table 1: Operational rules for TCP*

(1) $1\downarrow$
(2) $a.p \xrightarrow{a} p$
(3) $p^*\downarrow$
(4) $\dfrac{p \xrightarrow{a} p'}{p^* \xrightarrow{a} p' \cdot p^*}$
(5) $\dfrac{p\downarrow,\ q\downarrow}{p \cdot q\downarrow}$
(6) $\dfrac{p\downarrow,\ q \xrightarrow{a} q'}{p \cdot q \xrightarrow{a} q'}$
(7) $\dfrac{p \xrightarrow{a} p'}{p \cdot q \xrightarrow{a} p' \cdot q}$
(8) $\dfrac{p\downarrow}{(p + q)\downarrow}$
(9) $\dfrac{q\downarrow}{(p + q)\downarrow}$
(10) $\dfrac{p \xrightarrow{a} p'}{(p + q) \xrightarrow{a} p'}$
(11) $\dfrac{q \xrightarrow{a} q'}{(p + q) \xrightarrow{a} q'}$
(12) $\dfrac{p\downarrow,\ q\downarrow}{p \parallel q\downarrow}$
(13) $\dfrac{p \xrightarrow{a} p'}{p \parallel q \xrightarrow{a} p' \parallel q}$
(14) $\dfrac{q \xrightarrow{a} q'}{p \parallel q \xrightarrow{a} p \parallel q'}$
(15) $\dfrac{p\downarrow}{\partial_E(p)\downarrow}$
(16) $\dfrac{p \xrightarrow{c!^{\ell}?^{k} d} p',\ q \xrightarrow{c!^{m}?^{n} d} q',\ \ell + k > 0,\ m + n > 0}{p \parallel q \xrightarrow{c!^{\ell + m}?^{k + n} d} p' \parallel q'}$
(17) $\dfrac{p \xrightarrow{a} p',\ a \notin \{c!^m?^n d \mid c!^m?^n \in E,\ d \in D\}}{\partial_E(p) \xrightarrow{a} \partial_E(p')}$

Semantics. We give semantics to the process terms by a labeled transition relation $\rightarrow \subseteq T \times A \times T$ and a successful termination predicate $\downarrow \subseteq T$. We employ infix notation and write $s \xrightarrow{a} t$ if $(s, a, t) \in \rightarrow$ and $s\downarrow$ if $s \in \downarrow$. We derive the transition relation and the successful termination predicate using structural operational semantics [21], given by the operational rules in Table 1. Alternatively, we depict them as a labeled transition system $G$, specified by the tuple $G = (T, A, \downarrow, \rightarrow)$. We briefly comment on the rules. The successful termination constant can successfully terminate, whereas the action prefix enables outgoing labeled transitions, as given by rules 1 and 2. Rule 3 states that iteration can always terminate successfully, which enables sequential composition of recursive processes. The unfolding of the iteration is with respect to the sequential composition, as given by rule 4. The sequential composition can terminate only if both processes can do so, as given by rule 5, whereas if only the first component can terminate successfully, it can continue behaving as the second (rule 6). The outgoing transition of the first component is the same for the sequential composition, as given by rule 7. Rules 8 and 9 state that alternative composition can terminate if one of the components can terminate, whereas the choice is made on the outgoing transitions, as stated by rules 10 and 11. The parallel composition can terminate only if both components can do so (rule 12). Rules 13 and 14 enable interleaving of transitions. Rule 15 states that encapsulation does not prevent successful termination. Rule 16 defines synchronization, which can occur on communication actions comprising at least one sending or receiving event.
The communication actions are merged to accumulate the participating send and receive parties. Finally, rule 17 states that all (incomplete) communication actions on a given channel comprising a predefined number of senders and receivers are blocked by the encapsulation operation. We can easily extend the transition relation to traces of actions in $A^*$. For $p, p' \in T$ and $t = a_1 \ldots a_n \in A^*$, we write $p \stackrel{t}{\Rightarrow} p'$ if there exist $p_0, \ldots, p_n \in T$ such that $p = p_0 \xrightarrow{a_1} \cdots \xrightarrow{a_n} p_n = p'$. By $\varepsilon$ we denote the empty trace $a_1 \ldots a_n$ for $n = 0$, in which case $p = p'$. Every finite automaton can be described up to isomorphism (and possibly by changing the communication operation) by a term in our setting, see [3].

Language-based supervision. Now, we can translate the central notion of a supervisor [22, 9] to our setting. To this end, we partition the channel names into two disjoint sets of uncontrollable $U$ and controllable $C$ channels such that $H = U \cup C$ and $U \cap C = \emptyset$. The controllable and uncontrollable channel names induce controllable and uncontrollable actions, respectively, given by $A_C \triangleq \{c!^m?^n d \mid c \in C,\ m, n \in \mathbb{N},\ d \in D\}$ and $A_U \triangleq \{u!^m?^n d \mid u \in U,\ m, n \in \mathbb{N},\ d \in D\}$. Next, we define the (prefix-closed) language recognized by the process term $p$ or, alternatively, the automaton represented by $p$, as $L(p) \triangleq \{t \in A^* \mid \text{there exists } p' \in T \text{ such that } p \stackrel{t}{\Rightarrow} p'\}$. Note that traces do not need to end with successful termination. We denote by $LL' \triangleq \{tt' \mid t \in L,\ t' \in L'\}$ the concatenation of the languages $L$ and $L'$. Recall that the supervisor cannot achieve the control requirements by forbidding uncontrollable events when synchronizing with the plant. Suppose that the plant, the control requirements, and the supervisor with respect to the former are determined by the languages recognized by the process terms $p, r, s \in T$, respectively.
If the operation modeling the control loop is denoted by $p / s$, then $L(p / s) \subseteq L(p)$ and $L(p / s) \subseteq L(r)$, where we refer to $p / s$ as the supervised plant. We note that if strict equality holds, then the control requirements can be achieved completely. Often this is not the case, so one attempts to synthesize a maximally permissive supervisor, which makes $L(p / s)$ as large as possible with respect to inclusion. For deterministic systems, this supervisor is unique, equal to the union of all possible supervisors [22, 9], whereas for nondeterministic systems a unique maximally permissive supervisor in general does not exist [2]. For standard supervisory control [22, 9], the operation that models the control loop $p / s$ is the full synchronous parallel composition of automata [22, 9]. That $s$ does not disable uncontrollable events is ensured by requiring that $p / s$ is controllable with respect to $p$, expressed as $L(p / s) A_U \cap L(p) \subseteq L(p / s)$ [22, 9]. Controllability is interpreted as follows. If we observe a desired trace in the plant followed by an uncontrollable event, then the supervisor cannot request that this uncontrollable event be disabled after allowing that trace. If $r$ is controllable with respect to $p$, then one can guarantee the existence of a supervisor $s$ achieving the desired controlled behavior $r$ by restricting the plant $p$ by synchronization, i.e., $L(p / s) = L(r)$.

Nondeterminism and partial bisimulation. The disadvantages of working in the language domain have been discussed on many occasions, e.g., see the overviews in [13, 11, 2, 1]. Therefore, a proposal was made in [2] to lift controllability to support full nondeterminism in a process-theoretic setting. The underlying behavioral relation is partial bisimulation [23, 2], which is parameterized with a bisimulation action set $B \subseteq A$ that denotes which actions are to be bisimulated, whereas the other actions are simulated.
Definition 1. A relation $R \subseteq T \times T$ is a partial bisimulation with respect to a bisimulation action set $B \subseteq A$, if for all $(p, q) \in R$ it holds that:
1. if $p\downarrow$, then $q\downarrow$;
2. if $p \xrightarrow{a} p'$ for some $a \in A$, then there exists $q' \in T$ such that $q \xrightarrow{a} q'$ and $(p', q') \in R$;
3. if $q \xrightarrow{b} q'$ for some $b \in B$, then there exists $p' \in T$ such that $p \xrightarrow{b} p'$ and $(p', q') \in R$.

If $(p, q) \in R$, we say that $p$ is partially bisimilar to $q$ with respect to $B$ and we write $p \leq_B q$. If $q \leq_B p$ holds as well, we write $p \leftrightarrow_B q$.

Note that $\leq_B$ is a preorder relation, making $\leftrightarrow_B$ an equivalence relation for all $B \subseteq A$ [2]. If $B = \emptyset$, then $\leq_\emptyset$ coincides with the strong similarity preorder and $\leftrightarrow_\emptyset$ coincides with strong similarity equivalence [12, 1]. When $B = A$, $\leftrightarrow_A$ turns into strong bisimilarity [12, 1]. Moreover, if $p \leq_B q$, then $p \leq_{B'} q$ for every $B' \subseteq B$. We also note that partial bisimilarity is a precongruence with respect to the operators of TCP* [2]. For given processes $p, r \in T$, representing the plant and the control requirements, respectively, we ensure that $s \in T$ is a valid supervisor that does not disable uncontrollable events by requiring that $p / s \leq_\emptyset r$ and $p / s \leq_{A_U} p$, where $A_U \subseteq A$ is the set of uncontrollable events [2]. This setting covers both the existing deterministic and nondeterministic definitions of controllability for discrete-event systems [2]. From the definition it is also not difficult to observe that one obtains the same supervised behavior for every $p' \leftrightarrow_{A_U} p$. Thus, one direct benefit of our approach is a procedure for coarsest plant minimization that respects controllability, based on the partial bisimilarity equivalence. Next, we model the supervisory control loop with event-based observations and illustrate our approach by a use case involving coordination of an automated guided vehicle in a production line.
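As an added example that is not part of the paper, the following Python script computes the largest partial bisimulation of Definition 1 on a finite labeled transition system by greatest-fixpoint refinement (start from all pairs, drop every pair that violates one of the three clauses until nothing changes) and then applies the validity condition $p / s \leq_{A_U} p$ from the text. The plant and the two candidate supervised behaviours (state names p0, a0, b0 and the event names start, done, fail, reset) are constructed for this example.

```python
# Added example (not from the paper): largest partial bisimulation of Definition 1,
# computed as a greatest fixpoint over a finite LTS, used to check whether a
# candidate supervised behaviour disables only controllable events of the plant.

def largest_partial_bisimulation(trans, term, B):
    """Largest relation R satisfying Definition 1 for bisimulation action set B.
    trans: state -> set of (action, target);  term: set of terminating states."""
    states = set(trans)
    R = {(p, q) for p in states for q in states}
    changed = True
    while changed:                       # refine until no pair violates a clause
        changed = False
        for p, q in list(R):
            ok = p not in term or q in term                                   # clause 1
            ok = ok and all(any(b == a and (p2, q2) in R for b, q2 in trans[q])
                            for a, p2 in trans[p])                            # clause 2: q simulates p
            ok = ok and all(any(a == b and (p2, q2) in R for a, p2 in trans[p])
                            for b, q2 in trans[q] if b in B)                  # clause 3: p simulates q on B
            if not ok:
                R.remove((p, q))
                changed = True
    return R

def leq(trans, term, p, q, B):
    """p <=_B q: p is partially bisimilar to q with respect to B."""
    return (p, q) in largest_partial_bisimulation(trans, term, B)

# Constructed plant: start and reset are controllable, done and fail are uncontrollable.
UNCONTROLLABLE = frozenset({'done', 'fail'})
TRANS = {
    'p0': {('start', 'p1')}, 'p1': {('done', 'p0'), ('fail', 'p2')}, 'p2': {('reset', 'p0')},
    # candidate a: disables only the controllable reset in the failed state
    'a0': {('start', 'a1')}, 'a1': {('done', 'a0'), ('fail', 'a2')}, 'a2': set(),
    # candidate b: disables the uncontrollable fail event
    'b0': {('start', 'b1')}, 'b1': {('done', 'b0')},
}
TERM = set()          # no state terminates successfully in this example

def check(candidate):
    """Validity as in the text: candidate <=_{A_U} plant, i.e. uncontrollable
    events of the plant are bisimulated, controllable ones only simulated."""
    return leq(TRANS, TERM, candidate, 'p0', UNCONTROLLABLE)

if __name__ == '__main__':
    for c in ('a0', 'b0'):
        print(c, 'valid:', check(c),
              ' plain simulation (B = empty):', leq(TRANS, TERM, c, 'p0', frozenset()))
```

Candidate b is simulated by the plant (so $b_0 \leq_\emptyset p_0$ holds), yet it is rejected with $B = A_U$ because it removes the uncontrollable fail transition; the reverse direction $p_0 \leq_{A_U} a_0$ fails because the plant's reset is not simulated, so the relation is a preorder and not an equivalence here.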
3 Control Loop with Event-Based Observations

We employ the process theory TCP* to formalize the behavior of the control loop with event-based observations, depicted in Figure 1b). According to the scheme, the plant cannot execute a controllable event without the permission of the supervisor, whereas the supervisor must not disable uncontrollable events. Nonetheless, the supervisor is able to observe execution of uncontrollable events in the plant, so that it can correctly determine the state of the plant and transmit correct control signals. Moreover, the supervisor should not execute uncontrollable events independently, as this does not contribute to its objective. In addition, the supervisor should not introduce deadlocks or livelocks explicitly, unless deadlock or livelock behavior is inherent to the plant. Finally, we assume that the supervisor is a (global) monolithic process, i.e., it is not comprised of multiple modular or distributed synchronizing supervisors [9]. Taking into account the above observations, we can specify the syntax of the plant processes $\mathcal{P}$ and the supervisor processes $\mathcal{S}$ as given by $P$ and $S$, respectively:

$$P ::= 0 \mid 1 \mid c?d.P \mid u!^{\ell}?^{k} d.P \mid P \cdot P \mid P + P \mid P \parallel P \mid \partial_E(P) \mid P^*$$
$$S ::= 1 \mid c!d.S \mid u?d.S \mid S + S \mid S^*,$$

where $c \in C$, $u \in U$, $\ell, k \in \{0, 1\}$, $d \in D$, and $E \subseteq \{f!^m?^n \mid f \in H,\ m, n \in \mathbb{N}\}$. To implement broadcast communication in the case when the supervisor sends control signals to several distributed components, which do not have to receive the control signals simultaneously, one would also need to introduce action priorities, cf. [4]. Due to page restrictions, we will not employ broadcast in the general form in this paper and, instead, we enforce three-way communication by employing only the encapsulation operator.
Supervisory coordination of an automated production line. To illustrate our approach to supervisory control and the model of the control loop, we discuss a simple example concerning coordination of an automated guided vehicle (AGV) in an automated production line, depicted in Figure 2. The AGV is responsible for transferring the preproduct made by Workstation M to Workstation N and transferring the finished product from Workstation N to the Delivery station. The workstations and the AGV are coordinated by a supervisor, which sends the corresponding control signals.

Figure 2: Automated production line (plant: Workstation M, Workstation N, AGV and Delivery; the supervisor exchanges control signals and observable product transfer signals with the plant).

We can model the automated production system depicted in Figure 2 employing TCP*, where $M$, $N$, $A$, and $S$ are process terms that model Workstation M, Workstation N, the AGV, and the supervisor. We note that we abstract from the delivery station, depicted by a single event $\mathit{deliver}$, as it does not contribute to any interesting behavior. We retain the communication channel names as depicted in Figure 2, whereas the data elements are $D = \{\mathit{make}, \mathit{move2N}, \mathit{preproduct}, \mathit{product}\}$. The uncontrollable channel names are $U = \{m, n, \mathit{produce}, \mathit{process}, \mathit{move}, \mathit{deliver}\}$, whereas $C = \{s\}$ is the set of controllable channel names.

$$M \triangleq (s?\mathit{make} \,.\, \mathit{produce}(\mathit{preproduct}) \,.\, m!\mathit{preproduct} \,.\, 1)^*$$
$$N \triangleq (n?\mathit{preproduct} \,.\, \mathit{process}(\mathit{preproduct}) \,.\, n!\mathit{product} \,.\, 1)^*$$
$$A \triangleq (m?\mathit{preproduct} \,.\, s?\mathit{move2N} \,.\, \mathit{move}(\mathit{preproduct}) \,.\, n!\mathit{preproduct} \,.\, 1 \;+\; n?\mathit{product} \,.\, \mathit{deliver}(\mathit{product}) \,.\, 1)^*$$
$$S \triangleq (s!\mathit{make} \,.\, s!\mathit{move2N} \,.\, 1)^*$$

Workstation M repeatedly waits for a command from the supervisor to make a preproduct, which is offered to the AGV once it is made. Workstation N waits for a preproduct from the AGV, which is thereafter processed and offered back to the AGV.
The AGV can either pick up a preproduct at Workstation M, after which it asks for permission to move the preproduct to Workstation N, or pick up a finished product at Workstation N and deliver it. Now, the unsupervised plant is given by the process $U \triangleq \partial_F(M \parallel N \parallel A)$, where $F = \{m?, m!, n?, n!\}$. At this point, we note that we enforce meaningful communication of uncontrollable channels within the plant by encapsulation; this does not restrict the behavior of the unsupervised plant, but only ensures its meaningful behavior. Following the framework outlined above, it can be readily observed that the plant $U \in \mathcal{P}$ follows the outlined syntax. In this first modeling instance, we assume that the AGV is responsible for delivering the final product and we propose a supervisor as given by the process $S$. Note that the supervisor $S \in \mathcal{S}$ follows the outlined syntax and it does not make use of any observed information. Supervisor $S$ repeatedly gives orders to Workstation M for new products to be made, followed by orders to the AGV to transfer the preproduct to Workstation N. Thus, the automated production system is modeled as $U / S \triangleq \partial_E(S \parallel U)$, where $E = \{s?, s!\}$, which enforces communication of control signals and transfer of (pre)products. One can directly check that $S$ is a valid supervisor by establishing that the supervised plant is partially bisimulated by the original plant with respect to the uncontrollable events. To this end, we must employ renaming of events, as the original plant has open communication actions that wait for synchronization with the supervisor.

Table 2: Renaming function

$\xi(0) = 0$
$\xi(1) = 1$
$\xi(p^*) = \xi(p)^*$
$\xi(p \diamond q) = \xi(p) \diamond \xi(q)$ for $\diamond \in \{+, \cdot, \parallel\}$
$\xi(c!^m?^n d \,.\, p) = \xi(c!^m?^n d) \,.\, \xi(p)$ for $c \in H$, $d \in D$, $m, n \in \mathbb{N}$
This renaming function $\xi$ traverses the process terms and renames all open communication actions to succeeded communication actions. We note that we overload the name of the renaming function of the process terms and apply it to the communication action names as well. Also, we only specify the communication actions that are actually renamed. The definition of the renaming operation is given by structural induction in Table 2. Now, in order to verify that the supervisor does not disable uncontrollable events, it is sufficient to verify that $U / S \leq_{A_U} \xi(U)$ holds, where $\xi\colon s?d \mapsto s!?d$ for $d \in D$, which can be directly checked. We note that there was no restriction imposed on the control requirements, which in this case coincide with the plant and are, therefore, trivially satisfied.

Nonblocking supervision. Unfortunately, our automated production system has a deadlock. The main reason for the deadlock is that a second preproduct can come too early, before the first product is completely finished and delivered, which is set off by sending an $s!\mathit{make}$ command too early, i.e., before the processed product has left Workstation N. Then, the AGV picks up the preproduct from Workstation M, but it cannot deliver it to Workstation N, as the latter also waits for a finished product to be picked up. A trace that leads to deadlock is

$$s!?\mathit{make} \;\; \mathit{produce}(\mathit{preproduct}) \;\; m!?\mathit{preproduct} \;\; s!?\mathit{move2N} \;\; n!?\mathit{preproduct} \;\; s!?\mathit{make} \;\; \mathit{produce}(\mathit{preproduct}) \;\; m!?\mathit{preproduct} \;\; s!?\mathit{move2N} \;\; \mathit{process}(\mathit{preproduct}) \;\; 0.$$

Such a form of blocking behavior appears often, so in many cases the supervisor is additionally required to prevent deadlock and/or livelock, also known as blocking, behavior [22, 9]. To this end, special marked states are introduced to automata in supervisory control. We note that these states roughly correspond to successful termination in our setting.
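As an added example, not part of the paper, the following Python script implements the rules of Table 1 for TCP* terms, builds the plant $U$ and the supervisors $S$ and $S'$ (the variant that additionally observes $n?\mathit{product}$, introduced below), and searches the reachable terms of $U / S$ and $U / S'$ for a deadlock state, taken here to be a term with no outgoing transition and no successful termination, which is bisimilar to $0$. Actions are encoded as tuples (channel, m, n, datum). One assumption deviates from the paper's definition of $\partial_E$, which blocks an action for all data: with $E' = \{s?, s!, n?, n!?\}$ read that way, the two-party transfer $n!?\mathit{preproduct}$ from the AGV to Workstation N would also be blocked, so the script lets an encapsulation entry optionally name a datum and blocks $n?$ and $n!?$ only for the datum $\mathit{product}$, matching the stated intent of allowing only $n!^1?^2 \mathit{product}$ on channel $n$.

```python
# Added example (not from the paper): interpreter for TCP* terms following the rules of
# Table 1, the AGV production line of Section 3, and a reachability search for deadlocks.
from collections import deque

# Actions are (channel, m, n, datum) for c!^m?^n d; helpers for c?d, c!d and c(d) prefixes.
def rcv(c, d, p): return ('act', (c, 0, 1, d), p)
def snd(c, d, p): return ('act', (c, 1, 0, d), p)
def ev(c, d, p):  return ('act', (c, 0, 0, d), p)
ONE = ('1',)

def term(p):
    """Successful termination predicate (rules 1, 3, 5, 8, 9, 12, 15)."""
    kind = p[0]
    if kind in ('1', 'star'): return True
    if kind in ('seq', 'par'): return term(p[1]) and term(p[2])
    if kind == 'alt': return term(p[1]) or term(p[2])
    if kind == 'enc': return term(p[2])
    return False

def blocked(a, E):
    """Encapsulation entries are (c, m, n), blocking all data as in the paper, or
    (c, m, n, d), blocking one datum only (assumption used for E2 below)."""
    return a[:3] in E or a in E

def steps(p):
    """Set of (action, target) pairs derivable by rules 2, 4, 6, 7, 10, 11, 13, 14, 16, 17."""
    kind = p[0]
    if kind == 'act': return {(p[1], p[2])}
    if kind == 'star': return {(a, ('seq', q, p)) for a, q in steps(p[1])}
    if kind == 'seq':
        out = {(a, ('seq', q, p[2])) for a, q in steps(p[1])}
        return out | steps(p[2]) if term(p[1]) else out
    if kind == 'alt': return steps(p[1]) | steps(p[2])
    if kind == 'par':
        left, right = steps(p[1]), steps(p[2])
        out = {(a, ('par', q, p[2])) for a, q in left} | {(a, ('par', p[1], q)) for a, q in right}
        for (c, l, k, d), q1 in left:            # rule 16: merge sends and receives on one channel
            for (c2, m, n, d2), q2 in right:
                if c == c2 and d == d2 and l + k > 0 and m + n > 0:
                    out.add(((c, l + m, k + n, d), ('par', q1, q2)))
        return out
    if kind == 'enc':
        return {(a, ('enc', p[1], q)) for a, q in steps(p[2]) if not blocked(a, p[1])}
    return set()

def par(*ps):
    p = ps[0]
    for q in ps[1:]: p = ('par', p, q)
    return p

# The production line of Figure 2, with the channel and data names of the paper.
M = ('star', rcv('s', 'make', ev('produce', 'preproduct', snd('m', 'preproduct', ONE))))
N = ('star', rcv('n', 'preproduct', ev('process', 'preproduct', snd('n', 'product', ONE))))
A = ('star', ('alt',
      rcv('m', 'preproduct', rcv('s', 'move2N', ev('move', 'preproduct', snd('n', 'preproduct', ONE)))),
      rcv('n', 'product', ev('deliver', 'product', ONE))))
S = ('star', snd('s', 'make', snd('s', 'move2N', ONE)))
S2 = ('star', snd('s', 'make', snd('s', 'move2N', rcv('n', 'product', ONE))))   # S' of the paper

F = frozenset({('m', 0, 1), ('m', 1, 0), ('n', 0, 1), ('n', 1, 0)})
U = ('enc', F, par(M, N, A))                                  # unsupervised plant
E = frozenset({('s', 0, 1), ('s', 1, 0)})
# E' of the paper is {s?, s!, n?, n!?}; here n? and n!? are blocked only for the datum
# product (assumption), so the AGV can still hand the preproduct to Workstation N.
E2 = E | {('n', 0, 1, 'product'), ('n', 1, 1, 'product')}

def supervised(sup, enc):
    """U / sup = encapsulated parallel composition of supervisor and plant."""
    return ('enc', enc, ('par', sup, U))

def find_deadlock(p, limit=100000):
    """Breadth-first search over reachable terms; returns a trace to a state with no
    transitions and no successful termination, or None if no such state is reachable."""
    seen, queue = {p}, deque([(p, [])])
    while queue:
        q, trace = queue.popleft()
        succ = steps(q)
        if not succ and not term(q): return trace
        for a, r in succ:
            if r not in seen and len(seen) < limit:
                seen.add(r); queue.append((r, trace + [a]))
    return None

def fmt(a):
    c, m, n, d = a
    return f"{c}({d})" if m == n == 0 else f"{c}!{m}?{n} {d}"

if __name__ == '__main__':
    dl = find_deadlock(supervised(S, E))
    print('U/S  deadlock trace:', ' '.join(fmt(a) for a in dl) if dl else 'none')
    print("U/S' deadlock trace:", find_deadlock(supervised(S2, E2)))
```

The search confirms the two claims of this section: $U / S$ reaches a state from which nothing is enabled (the printed trace starts with $s!?\mathit{make}$, the only action enabled initially), while $U / S'$ with the three-party communication $n!^1?^2 \mathit{product}$ has no reachable deadlock.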
The correspondence is not strict, mainly due to the absence of sequential composition and the Kleene star operator in the supervisory control literature and the role of successful termination in these contexts, cf. Table 1. Note that the marked states do not contribute to the formation of the recognized language of an automaton, which is different from its marked language [22, 9]. So, besides the control requirements, we impose an additional deadlock-freedom requirement on the supervisor, stated formally as: there exists no trace $t \in A^*$ such that $U / S \stackrel{t}{\Rightarrow} 0$. To ensure this additional nonblocking requirement, we have to modify the supervisor to accept requests for making a new preproduct only after the finished product has been loaded on the AGV, to be transferred to the delivery station. To this end, the supervisor should allow for a new product to be made only after the finished product has been loaded onto the AGV at Workstation N, which can be achieved by observing this additional information on channel $n$. Thus, we modify the supervisor to $S'$ as follows:

$$S' \triangleq (s!\mathit{make} \,.\, s!\mathit{move2N} \,.\, n?\mathit{product} \,.\, 1)^*.$$

At this point, we note that communication on the channel $n$ now must occur between three parties, i.e., Workstation N that sends the information and the AGV and the supervisor that receive it. In order to enforce this communication, we employ the generic communication actions, i.e., we encapsulate all (incomplete) communication actions on $n$, except for $n!^1?^2 \mathit{product}$. The definition of the deadlock-free supervised plant now becomes

$$U / S' \triangleq \partial_{E'}(S' \parallel U), \quad \text{where } E' = \{s?, s!, n?, n!?\}.$$

Again, one directly verifies that the supervisor is valid by establishing partial bisimilarity between the supervised and the original plant following an appropriate renaming of the incomplete communication actions, given by $\xi\colon s?d \mapsto s!?d,\ n!?d \mapsto n!^1?^2 d$ for $d \in D$. Next, we extend the process theory TCP* to accommodate state-based observations as well.

4 Control Loop with State-Based Observations

We propose TCP*$_\bot$, an extension of TCP* with propositional signals [5] and guarded commands, in order to support the modeling of a control loop with state-based observations. To this end, we employ the Boolean algebra $\mathbb{B} = (N, F, T, \neg, \wedge, \vee, \Rightarrow)$, where $N = \{P_1, \ldots, P_n\}$ are the propositional symbols, the constants represent false and true, and the operators denote negation, conjunction, disjunction, and implication, respectively. We use $\mathcal{B}$ to denote the standard Boolean expressions of $\mathbb{B}$, which are evaluated with respect to a given valuation $v\colon \mathcal{B} \to \{F, T\}$. The set of valuations is denoted by $V$.

Process theory TCP*$_\bot$. We enrich the syntax of TCP* and the set of process terms $T$ with the inaccessible process constant, guarded commands, and signal emission. The inaccessible process, notation $\bot$, specifies the process in which there are inconsistencies between the valuation of the propositional variables and the emitted propositional signals. Such a state cannot be reached from any consistent state. The guarded command, notation $\varphi :\to p$, specifies a guard $\varphi \in \mathcal{B}$ that guards a process $p \in T$. If the guard is successfully evaluated, the process continues behaving as $p \in T$ or, else, it deadlocks. The root signal emission process $\varphi \curlywedge p$ emits the propositional signal $\varphi \in \mathcal{B}$ until the process $p \in T$ takes an outgoing transition, provided that the propositional signal is consistent with the valuation. To be able to evaluate the propositional expressions, we couple the process terms with valuations, notation $\langle p, v\rangle \in T \times V$. The dynamics of the valuations, with respect to outgoing labeled transitions, is captured by a predefined valuation effect function, given by $\mathit{effect}\colon A \times V \to 2^V$.
With respect to the valuation, we have to extend the successful termination predicate to $\downarrow\ \subseteq T \times V$ and the labeled transition relation to $\rightarrow\ \subseteq T \times V \times A \times T \times V$. We introduce an additional consistency predicate $\&\ \subseteq T \times V$ that checks whether the state is consistent. The operational rules in Table 3 give the semantics of the new predicate and of the transition relation with respect to the new operators.

Table 3: Operational rules for TCP*⊥ (premises above the line, conclusion below; $\&$ denotes consistency)

(18) $\dfrac{}{\langle 0, v\rangle\ \&}$
(19) $\dfrac{}{\langle 1, v\rangle\ \&}$
(20) $\dfrac{}{\langle 1, v\rangle\downarrow}$
(21) $\dfrac{}{\langle a.p, v\rangle\ \&}$
(22) $\dfrac{\langle p, v'\rangle\ \&,\ v' \in \mathit{effect}(a, v)}{\langle a.p, v\rangle \xrightarrow{a} \langle p, v'\rangle}$
(23) $\dfrac{\langle p, v\rangle \xrightarrow{a} \langle p', v'\rangle,\ \langle q, v\rangle\ \&}{\langle p+q, v\rangle \xrightarrow{a} \langle p', v'\rangle}$
(24) $\dfrac{\langle p, v\rangle\ \&,\ \langle q, v\rangle \xrightarrow{a} \langle q', v'\rangle}{\langle p+q, v\rangle \xrightarrow{a} \langle q', v'\rangle}$
(25) $\dfrac{\langle p, v\rangle\ \&,\ \langle q, v\rangle\downarrow}{\langle p+q, v\rangle\downarrow}$
(26) $\dfrac{\langle p, v\rangle\downarrow,\ \langle q, v\rangle\ \&}{\langle p+q, v\rangle\downarrow}$
(27) $\dfrac{\langle p, v\rangle\ \&,\ \langle q, v\rangle\ \&}{\langle p+q, v\rangle\ \&}$
(28) $\dfrac{\langle p, v\rangle\downarrow,\ \langle q, v\rangle\downarrow}{\langle p \cdot q, v\rangle\downarrow}$
(29) $\dfrac{\langle p, v\rangle\downarrow,\ \langle q, v\rangle \xrightarrow{a} \langle q', v'\rangle}{\langle p \cdot q, v\rangle \xrightarrow{a} \langle q', v'\rangle}$
(30) $\dfrac{\langle p, v\rangle \xrightarrow{a} \langle p', v'\rangle,\ \langle p' \cdot q, v'\rangle\ \&}{\langle p \cdot q, v\rangle \xrightarrow{a} \langle p' \cdot q, v'\rangle}$
(31) $\dfrac{\langle p, v\rangle\downarrow,\ \langle q, v\rangle\ \&}{\langle p \cdot q, v\rangle\ \&}$
(32) $\dfrac{\langle p, v\rangle\ \&,\ \langle p, v\rangle\not\downarrow}{\langle p \cdot q, v\rangle\ \&}$
(33) $\dfrac{\langle p, v\rangle\ \&}{\langle p^{*}, v\rangle\downarrow}$
(34) $\dfrac{\langle p, v\rangle\ \&}{\langle p^{*}, v\rangle\ \&}$
(35) $\dfrac{\langle p, v\rangle \xrightarrow{a} \langle p', v'\rangle}{\langle p^{*}, v\rangle \xrightarrow{a} \langle p' \cdot p^{*}, v'\rangle}$
(36) $\dfrac{\langle p, v\rangle\downarrow,\ \langle q, v\rangle\downarrow}{\langle p \parallel q, v\rangle\downarrow}$
(37) $\dfrac{\langle p, v\rangle\ \&,\ \langle q, v\rangle\ \&}{\langle p \parallel q, v\rangle\ \&}$
(38) $\dfrac{\langle p, v\rangle \xrightarrow{a} \langle p', v'\rangle,\ \langle q, v\rangle\ \&,\ \langle q, v'\rangle\ \&}{\langle p \parallel q, v\rangle \xrightarrow{a} \langle p' \parallel q, v'\rangle}$
(39) $\dfrac{\langle p, v\rangle\ \&,\ \langle p, v'\rangle\ \&,\ \langle q, v\rangle \xrightarrow{a} \langle q', v'\rangle}{\langle p \parallel q, v\rangle \xrightarrow{a} \langle p \parallel q', v'\rangle}$
(40) $\dfrac{\langle p, v\rangle \xrightarrow{c!^{\ell}?^{k}d} \langle p', v'\rangle,\ \langle q, v\rangle \xrightarrow{c!^{m}?^{n}d} \langle q', v''\rangle,\ \langle p' \parallel q', v'''\rangle\ \&,\ v''' \in \mathit{effect}(c!^{\ell+m}?^{k+n}d, v),\ \ell+k > 0,\ m+n > 0}{\langle p \parallel q, v\rangle \xrightarrow{c!^{\ell+m}?^{k+n}d} \langle p' \parallel q', v'''\rangle}$
(41) $\dfrac{p\downarrow}{\partial_E(p)\downarrow}$
(42) $\dfrac{p\ \&}{\partial_E(p)\ \&}$
(43) $\dfrac{p \xrightarrow{a} p',\ a \notin \{c!^{m}?^{n}d \mid c!^{m}?^{n} \in E,\ d \in D\}}{\partial_E(p) \xrightarrow{a} \partial_E(p')}$
(44) $\dfrac{\langle p, v\rangle\downarrow,\ v(\phi) = \mathrm{T}}{\langle \phi :\rightarrow p, v\rangle\downarrow}$
(45) $\dfrac{\langle p, v\rangle\ \&,\ v(\phi) = \mathrm{T}}{\langle \phi :\rightarrow p, v\rangle\ \&}$
(46) $\dfrac{v(\phi) = \mathrm{F}}{\langle \phi :\rightarrow p, v\rangle\ \&}$
(47) $\dfrac{\langle p, v\rangle \xrightarrow{a} \langle p', v'\rangle,\ v(\phi) = \mathrm{T}}{\langle \phi :\rightarrow p, v\rangle \xrightarrow{a} \langle p', v'\rangle}$
(48) $\dfrac{\langle p, v\rangle\downarrow,\ v(\phi) = \mathrm{T}}{\langle \phi \wedge^{N} p, v\rangle\downarrow}$
(49) $\dfrac{\langle p, v\rangle\ \&,\ v(\phi) = \mathrm{T}}{\langle \phi \wedge^{N} p, v\rangle\ \&}$
(50) $\dfrac{\langle p, v\rangle \xrightarrow{a} \langle p', v'\rangle,\ v(\phi) = \mathrm{T}}{\langle \phi \wedge^{N} p, v\rangle \xrightarrow{a} \langle p', v'\rangle}$

We note that the operational rules of Table 1 have to be enhanced by decorating the process terms with valuations and by additional checks for consistency. The rules ensure that when taking an action transition, the target state is always consistent. We comment on the important rules that are not directly taken from Table 1 and adapted to the setting with valuations. Deadlock, successful termination, and action prefix are always consistent, as stated by rules 18, 19, and 21, respectively. The target process must be consistent for the target valuation, which is determined by the effect function, as given by rule 22. Rules 23–27 introduce valuations and consistency for alternative composition, whereas rules 28–32 do the same for sequential composition and rules 33–35 describe iteration. Rules 38 and 39 introduce interleaving in the new setting. Rule 40 shows how the effect function is affected by synchronization. For the effect function to be well-defined with respect to the valuations under interleaving and synchronization [1], we additionally require that

$\mathit{effect}(c!^{\ell+m}?^{k+n}d, v) \subseteq \mathit{effect}(c!^{m}?^{n}d, \mathit{effect}(c!^{\ell}?^{k}d, v)) \cap \mathit{effect}(c!^{\ell}?^{k}d, \mathit{effect}(c!^{m}?^{n}d, v))$

for all $\ell, k, m, n \in \mathbb{N}$ with $\ell+k > 0$ and $m+n > 0$. Rules 41–43 introduce the encapsulation operator in the new setting.
Rules 44 and 47 show that a guarded process does not deadlock only when the guard evaluates to true. We note, however, that the value of the guard does not affect the consistency of the term, provided that the guarded term is consistent. This is in direct contrast with signal emission, see rule 49, where consistency is preserved only if the emitted signal is consistent with the valuation. In that case, the process that emits the signal can continue with its normal execution.

Finally, we also have to adapt our behavioral relation in order to correctly handle the valuations. Here, we directly employ the approach of [5, 1], where this extension is shown for bisimulation. We consider a relation $R \subseteq T \times T$ to be a partial bisimulation with respect to a bisimulation action set $B \subseteq A$ if for all $(p, q) \in R$ it holds that:

1. if $\langle p, v\rangle\downarrow$ for some $v \in V$, then $\langle q, v\rangle\downarrow$;
2. if $\langle p, v\rangle \xrightarrow{a} \langle p', v'\rangle$ for some $v \in V$ and $a \in A$, then there exists $q' \in T$ such that $\langle q, v\rangle \xrightarrow{a} \langle q', v'\rangle$ and $(p', q') \in R$;
3. if $\langle q, v\rangle \xrightarrow{b} \langle q', v'\rangle$ for some $v \in V$ and $b \in B$, then there exists $p' \in T$ such that $\langle p, v\rangle \xrightarrow{b} \langle p', v'\rangle$ and $(p', q') \in R$.

Again, if $(p, q) \in R$, we say that $p$ is partially bisimilar to $q$ with respect to $B$ and we write $p \leq_B q$. If $q \leq_B p$ holds as well, we write $p \leftrightarrow_B q$. Also, we consider a process $s \in T$ to be a supervisor of the plant $p \in T$ with respect to the control requirements $r \in T$ if $p/s \leq_{\emptyset} r$ and $p/s \leq_{A_U} p$.

Plant and supervisor syntax. Now, we can model the control loop with state-based observations as depicted in Figure 1c). Intuitively, the plant emits a signal that identifies the observable states. Upon observing such a signal, the supervisor checks which controllable actions are allowed in the state identified by the signal.
Allowance of actions is specified in the form of guarded prefixes, in which a process term is bound to a propositional formula deduced from the control requirements. These new concepts introduce further asymmetry in the control loop, where the syntax of the plant and the supervisor is again given by $\mathcal{P}$ and $\mathcal{S}$, respectively:

$\mathcal{P} ::= 0 \mid 1 \mid c?d\,.\,\mathcal{P} \mid u!^{\ell}?^{k}d\,.\,\mathcal{P} \mid \mathcal{P} \cdot \mathcal{P} \mid \mathcal{P} + \mathcal{P} \mid \mathcal{P} \parallel \mathcal{P} \mid \partial_E(\mathcal{P}) \mid \phi :\rightarrow \mathcal{P} \mid \phi \wedge^{N} \mathcal{P} \mid \mathcal{P}^{*}$
$\mathcal{S} ::= 1 \mid c!d\,.\,\mathcal{S} \mid \mathcal{S} + \mathcal{S} \mid \phi :\rightarrow \mathcal{S} \mid \mathcal{S}^{*}$,

for $c \in C$, $u \in U$, $\ell, k \in \{0, 1\}$, $d \in D$, $\phi \in B$, and $E \subseteq \{f!^{m}?^{n} \mid f \in H,\ m, n \in \mathbb{N}\}$. We note that in the state-based setting, the control requirements can be stated directly in terms of states, i.e., the signals that the state is emitting, and additionally one can specify which events are allowed with respect to the emitted signals. The control requirements $\mathcal{R}$ have the following syntax:

$\mathcal{R} ::= \phi \mid\ \xrightarrow{f!^{m}?^{n}d} \Rightarrow \phi \mid \phi \Rightarrow \stackrel{f!^{m}?^{n}d}{\nrightarrow}$,

for $f \in H$, $d \in D$, $m, n \in \mathbb{N}$, and $\phi \in B$. Given control requirements $r \in \mathcal{R}$ are satisfied with respect to a process $p \in T$ in the valuation $v \in V$, notation $\langle p, v\rangle \models r$, according to the following operational rules:

(51) $\dfrac{v(\phi) = \mathrm{T}}{\langle p, v\rangle \models \phi}$
(52) $\dfrac{\langle p, v\rangle \models \neg\phi \Rightarrow \stackrel{f!^{m}?^{n}d}{\nrightarrow}}{\langle p, v\rangle \models\ \xrightarrow{f!^{m}?^{n}d} \Rightarrow \phi}$
(53) $\dfrac{v(\phi) = \mathrm{T},\ \langle p, v\rangle \stackrel{f!^{m}?^{n}d}{\nrightarrow}}{\langle p, v\rangle \models \phi \Rightarrow \stackrel{f!^{m}?^{n}d}{\nrightarrow}}$,

where $\langle p, v\rangle \stackrel{a}{\nrightarrow}$ for $a \in A$ holds if there does not exist $\langle p', v'\rangle$ such that $\langle p, v\rangle \xrightarrow{a} \langle p', v'\rangle$ with $v' \in \mathit{effect}(a, v)$. We note that the second form of the control requirements is introduced because it corresponds better to modeling intuition; it is equivalent to the third, as is easily seen from operational rule 52. Furthermore, for the propositional symbols we employ the notation $\mathit{in}(\mathit{StateName})$, where $\mathit{in}(\mathit{StateName})$ is a signal emitted from the process corresponding to the state identified by $\mathit{StateName}$ in the labeled graph representation.
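As an added illustration of the partial bisimulation definition and of the two supervisor-validity conditions above (example code written for this page, not code from the paper or its authors), the following Python computes the greatest partial bisimulation between two finite labeled transition systems as a fixpoint and applies it to a constructed toy plant: the supervised plant must be simulated by the requirement ($p/s \leq_{\emptyset} r$) and must be partially bisimilar to the plant with respect to the uncontrollable actions ($p/s \leq_{A_U} p$). Valuations are left out, so states are plain, as in the event-based setting; the plant, the requirement, and the two candidate supervised plants are assumptions constructed for this example.

```python
# Added example (not from the paper): the greatest partial bisimulation between two
# finite labeled transition systems, and the two supervisor-validity checks built
# on it.  An LTS is a dict: state -> set of (action, target state); a separate set
# marks the successfully terminating states (the constant 1 of TCP*).  Valuations
# are left out, so this is the event-based setting.

# Constructed toy plant (an assumption for this example): a and b are controllable,
# _u is uncontrollable and follows either of them.
PLANT = {0: {("a", 1), ("b", 2)}, 1: {("_u", 0)}, 2: {("_u", 0)}}
PLANT_TERM = {0}
UNCONTROLLABLE = {"_u"}                     # the action set A_U

# Control requirement r: b must never happen.
REQ = {0: {("a", 1)}, 1: {("_u", 0)}}
REQ_TERM = {0}

# Supervised plant p/s for a supervisor that disables b (a valid supervisor).
GOOD = {0: {("a", 1)}, 1: {("_u", 0)}}
GOOD_TERM = {0}

# Supervised plant for a "supervisor" that also suppresses _u after a: it satisfies
# the requirement, but it disables an uncontrollable action, so it is not a supervisor.
BAD = {0: {("a", 1)}, 1: set()}
BAD_TERM = {0}


def greatest_partial_bisimulation(p_lts, p_term, q_lts, q_term, bisim_actions):
    """Largest relation R such that for every (p, q) in R:
      1. p terminates  =>  q terminates;
      2. every p --a--> p' is matched by some q --a--> q' with (p', q') in R;
      3. every q --b--> q' with b in bisim_actions is matched by some p --b--> p'
         with (p', q') in R.
    Computed as a greatest fixpoint: start from all pairs and drop violators
    until nothing changes."""
    rel = {(p, q) for p in p_lts for q in q_lts}
    changed = True
    while changed:
        changed = False
        for p, q in list(rel):
            ok = p not in p_term or q in q_term
            ok = ok and all(any(b == a and (p2, q2) in rel for b, q2 in q_lts[q])
                            for a, p2 in p_lts[p])
            ok = ok and all(any(a == b and (p2, q2) in rel for a, p2 in p_lts[p])
                            for b, q2 in q_lts[q] if b in bisim_actions)
            if not ok:
                rel.discard((p, q))
                changed = True
    return rel


def leq(p_lts, p_term, q_lts, q_term, bisim_actions, init=(0, 0)):
    """p <=_B q: the initial states are related by the greatest partial bisimulation."""
    return init in greatest_partial_bisimulation(p_lts, p_term, q_lts, q_term, bisim_actions)


def check_supervisor(sup_lts, sup_term):
    """The paper's two conditions on a supervised plant:
    p/s <=_{} r (requirements) and p/s <=_{A_U} p (controllability)."""
    return {
        "requirements": leq(sup_lts, sup_term, REQ, REQ_TERM, set()),
        "controllable": leq(sup_lts, sup_term, PLANT, PLANT_TERM, UNCONTROLLABLE),
    }


if __name__ == "__main__":
    print("disable b :", check_supervisor(GOOD, GOOD_TERM))
    print("block _u  :", check_supervisor(BAD, BAD_TERM))
```

The second candidate is the instructive one: it is language-wise inside the requirement, yet the third clause of the definition, applied with the uncontrollable action `_u` in the bisimulation set, removes the pair of states after `a`, and with it the initial pair, so the controllability check fails exactly as the theory predicts.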
For example, in the Current Power Mode process in Figure 5, the process modeling the state named Standby emits the signal $\mathit{in}(\mathit{Standby})$.

[Figure 3: a) Printing process (paper sheet, paper path, imaging drum, toner image, toner transfuse belt, fuse pinches, supply toner roll, image toner roll, groove cleaner), b) maintenance operation, c) emergent behavior (power mode: Run, Standby, Transitioning; intended versus prolonged user waiting time).]

5 Coordination Control of Maintenance Procedures

We employ the process theory TCP*⊥ to model the coordination of maintenance procedures of the printing process of a high-end Océ printer [18]. The printing process consists of several distributed independent components, as depicted in Figure 3a). The process applies the toner image onto the toner transfuse belt and fuses it onto the paper sheet. To maintain high printing quality, several maintenance operations have to be carried out, such as: toner transfuse belt jittering, which displaces the transfuse belt to prolong its lifespan, which is shortened by wear from paper edges; the black image operation, which removes paper dust by occasionally printing completely black pages; the coarse toner particles removal operation; etc. Most maintenance operations are scheduled after a given number of prints, but must be carried out after a given strict threshold. To perform a maintenance operation, the printing process has to change its power mode from Run mode, used for printing, to Standby mode, required for maintenance. However, this change can itself trigger pending maintenance operations, which may unnecessarily prolong the user waiting time.
As an illustration, in Figure 3b) we depict the situation where, due to the inevitable execution of maintenance operation A, the ongoing print job is suspended and the power mode of the printer is changed to Standby. However, an unwanted situation occurs: the power mode change triggers a longer, yet postponable, maintenance operation B, as depicted in Figure 3c). For instance, a black image operation (A) must be performed, which takes the time needed to print one page and is activated often, but the switching of the power mode triggers the much longer toner transfuse belt jittering (B), thus making the user wait unnecessarily. The goal of the research performed for this use case was to eliminate undesired emergent behavior due to interactions of otherwise correctly functioning distributed components, with the primary focus on coordinating maintenance operations. Our approach was to synthesize a supervisory coordinator for the maintenance procedures [18], which we model here in the proposed process theory.

Informal description of the printing process. An abstract view of the control architecture of a high-end printer is depicted in Figure 4. Print jobs are sent to the printer by means of the user interface. The printer controller communicates with the user and assigns print jobs to the embedded software, which actuates the hardware to realize the print jobs. The embedded software is organized in a distributed way, per functional aspect, such as paper path, printing process, etc. Several managers communicate with the printer controller and with each other to assign tasks to functions, which take care of the functional aspects. We depict a printing process function comprising one maintenance operation in Figure 4. We abstract from all timing behavior, which can be present in some control signals, e.g., execute a maintenance procedure after a given delay.
Each function is hierarchically organized as follows: (1) controllers: Target Power Mode and Maintenance Scheduling, which receive control and scheduling tasks from the managers; (2) procedures: Status Procedure, Current Power Mode, Maintenance Operation, and Page Counter, which handle specific tasks and actuate devices; and (3) devices, as hardware interface.

[Figure 4: Printing process function. Layers: User Interface, Printer Controller, Embedded Software (Managers, Functions), Hardware (Devices). The Printing Process Function comprises the controllers Target Power Mode and Maintenance Scheduling, the procedures Status Procedure / Coordinator, Current Power Mode, Maintenance Operation and Page Counter, and the signals _TargetStb, _TargetRun, _ToSoftDln, _ToHardDln, Run2Stb, Stb2Run, _InRun, _InStb, OperStart, _OperFinished, _ExecOperNow and SchedOper.]

The Status Procedure is responsible for coordinating the other procedures given the input from the controllers. It will be implemented as a supervisory coordinator with respect to the coordination rules given below. The Current Power Mode procedure sets the power mode to Run or Standby depending on the enabling signals Stb2Run and Run2Stb, respectively, from the Status Procedure. The confirmation is sent back via the signals InRun and InStb, respectively. Maintenance Operation either carries out a maintenance operation or is idle. The triggering signal is OperStart and the confirmation is sent back by OperFinished. The Page Counter procedure counts the printed pages since the last maintenance and sends signals when soft and hard deadlines are reached, using ToSoftDln and ToHardDln, respectively.
The counter is reset each time the maintenance is finished, by receiving the confirmation signal OperFinished from Maintenance Operation. The controller Target Power Mode defines which mode is requested by the manager by sending the control signals TargetStb and TargetRun to the Status Procedure. Maintenance Scheduling receives a request for maintenance from the Status Procedure via the signal SchedOper, which it forwards to a manager. The manager confirms the scheduling with the other functions and sends a response back to the Status Procedure via the control signal ExecOperNow. It also receives feedback from Maintenance Operation that the maintenance is finished, in order to reset the scheduling.

Plant modeling in TCP*⊥. We model the procedures by means of processes. We retain the names of the control signals, turning them into communication actions where appropriate. The controllable communicating channels are given by $C = \{\mathit{Run2Stb}, \mathit{Stb2Run}, \mathit{SchedOper}, \mathit{OperStart}\}$, modeled as receive actions in the plant. We note that we abstract from data elements, as communication should only enforce the ordering of events. The other actions are uncontrollable, and are prefixed by an underscore (_) in Figure 5; among them, only OperFinished is modeled as a communication action, as the procedure Maintenance Operation must send the signal and reset both Page Counter and Maintenance Scheduling. The signals emitted from the plant uniquely identify the state of the plant. For clarity, we also depict the processes in Figure 5, where the signal names are given next to the states that emit them. Page Counter is modeled by the process $C$, where OperFinished is modeled as a receive action, to be synchronized with Maintenance Operation:
[Figure 5: Plant modeling of the Printing Process Function. Page Counter: NoDeadline, SoftDeadline, HardDeadline; Maintenance Operation: OperIdle, OperInProg; Target Power Mode: TargetStandby, TargetRun; Current Power Mode: Standby, Starting, Run, Stopping; Maintenance Scheduling: NotScheduled, Scheduled, ExecuteNow. Uncontrollable actions carry an underscore prefix (_OperFinished!, _OperFinished?, _ToSoftDln, _ToHardDln, _InStb, _InRun, _ExecOperNow, _TargetStandby, _TargetRun); the controllable receive actions are OperStart?, Stb2Run?, Run2Stb? and SchedOper?.]

$C \triangleq \big(\mathit{in}(\mathit{NoDeadline}) \wedge^{N} (\mathit{OperFinished}?\,.\,1 + \mathit{ToSoftDln}\,.\,(\mathit{in}(\mathit{SoftDeadline}) \wedge^{N} (\mathit{OperFinished}?\,.\,1 + \mathit{ToHardDln}\,.\,\mathit{in}(\mathit{HardDeadline}) \wedge^{N} \mathit{OperFinished}?\,.\,1)))\big)^{*}.$

Maintenance Operation is specified by the process $O$, where OperFinished broadcasts that the maintenance operation has finished:

$O \triangleq \big(\mathit{in}(\mathit{OperIdle}) \wedge^{N} \mathit{OperStart}?\,.\,\mathit{in}(\mathit{OperInProg}) \wedge^{N} \mathit{OperFinished}!\,.\,1\big)^{*}.$

Target Power Mode is modeled by $T$:

$T \triangleq \big(\mathit{in}(\mathit{TargetStandby}) \wedge^{N} \mathit{TargetRun}\,.\,\mathit{in}(\mathit{TargetRun}) \wedge^{N} \mathit{TargetStandby}\,.\,1\big)^{*},$

whereas Current Power Mode is given by $P$:

$P \triangleq \big(\mathit{in}(\mathit{Standby}) \wedge^{N} \mathit{Stb2Run}?\,.\,\mathit{in}(\mathit{Starting}) \wedge^{N} \mathit{InRun}\,.\,\mathit{in}(\mathit{Run}) \wedge^{N} \mathit{Run2Stb}?\,.\,\mathit{in}(\mathit{Stopping}) \wedge^{N} \mathit{InStb}\,.\,1\big)^{*}.$

Finally, Maintenance Scheduling is specified as $M$:

$M \triangleq \big(\mathit{in}(\mathit{NotScheduled}) \wedge^{N} \mathit{SchedOper}?\,.\,\mathit{in}(\mathit{Scheduled}) \wedge^{N} \mathit{ExecOperNow}\,.\,\mathit{in}(\mathit{ExecuteNow}) \wedge^{N} \mathit{OperFinished}?\,.\,1\big)^{*}.$

Due to the generic valuation effect function, we need to impose an additional restriction on the emitted signals. More precisely, we require that the signals emitted in a process are not ambiguous; e.g., it cannot be that both $\mathit{in}(\mathit{Standby})$ and $\mathit{in}(\mathit{Run})$ are valid at the same time, as these are two distinct states that belong to the same process. Note, however, that this situation is possible, as one can easily construct a valuation effect function that always assigns the same values to the above propositional symbols. Such misconstrued valuations can actually lead to wrong supervised behavior, as the supervisor bases its decisions on the emitted signals, which are deduced from the valuations.
At this point, we have two viable options. One is to make the signal emission complete and rewrite all signal emissions such that the effect function leads to inconsistencies unless it uniquely defines each state. For example, we would then have to rewrite $T$ to $T'$:

$T' \triangleq \big((\mathit{in}(\mathit{TargetStandby}) \wedge \neg\mathit{in}(\mathit{TargetRun})) \wedge^{N} \mathit{TargetRun}\,.\,(\neg\mathit{in}(\mathit{TargetStandby}) \wedge \mathit{in}(\mathit{TargetRun})) \wedge^{N} \mathit{TargetStandby}\,.\,1\big)^{*},$

and adapt the rest of the processes analogously. The other option is to put an invariant process in parallel with the components that ensures that only one state can be identified per process. To this end, we define the operation

$\bigoplus_{P \in S} P \triangleq \bigvee_{P \in S} \big(P \wedge \bigwedge_{Q \in S \setminus \{P\}} \neg Q\big)$

for a set of propositional symbols $S \subseteq N$, which ensures that only one propositional symbol, i.e., one signal, is exclusively emitted per state. Now, the invariant process $I$ that enforces this restriction can be specified as

$I \triangleq \big(\big(\bigwedge_{i=1}^{5} \bigoplus_{P \in S_i} P\big) \wedge^{N} 0\big)^{*},$

where $S_i \subset N$ for $i \in \{1, \ldots, 5\}$ contain the signals emitted by the processes $C$, $O$, $T$, $P$, and $M$, respectively, i.e.,

$S_1 = \{\mathit{in}(\mathit{NoDeadline}), \mathit{in}(\mathit{SoftDeadline}), \mathit{in}(\mathit{HardDeadline})\}$,
$S_2 = \{\mathit{in}(\mathit{OperIdle}), \mathit{in}(\mathit{OperInProg})\}$,
$S_3 = \{\mathit{in}(\mathit{TargetStandby}), \mathit{in}(\mathit{TargetRun})\}$,
$S_4 = \{\mathit{in}(\mathit{Standby}), \mathit{in}(\mathit{Starting}), \mathit{in}(\mathit{Stopping}), \mathit{in}(\mathit{Run})\}$,
$S_5 = \{\mathit{in}(\mathit{NotScheduled}), \mathit{in}(\mathit{Scheduled}), \mathit{in}(\mathit{ExecuteNow})\}$.

Finally, the unsupervised plant can be specified as $U \in \mathcal{P}$, given by

$U \triangleq \partial_F(C \parallel O \parallel T \parallel P \parallel M) \parallel I$, where $F = \{\mathit{OperFinished}?,\ \mathit{OperFinished}!,\ \mathit{OperFinished}!^{0}?^{2},\ \mathit{OperFinished}!?\}$

enforces a three-way communication between $C$, $O$, and $M$. We note that due to the stringent streamlining invariant, the role of the valuation effect function is now diminished, and one can simply assume that $\mathit{effect}(a, v) = V$ for every $a \in A$ and $v \in V$.
Coordination requirements. We synthesized a coordinator that implements the Status Procedure, see Figure 4, which coordinates the maintenance procedures with the rest of the printing process. The following coordination requirements describe the behavior of the Status Procedure:

1. Maintenance operations can be performed only when the printing process is in standby;
2. Maintenance operations can be scheduled only if a soft deadline has been reached and there are no print jobs in progress, or a hard deadline has passed;
3. Maintenance operations can be started only after being scheduled;
4. The power mode of the printing process must follow the power mode dictated by the managers, unless overridden by a pending maintenance operation.

We formalize these control requirements as follows:

1. The maintenance procedure is performed if the process emits the signal $\mathit{in}(\mathit{OperInProg})$ while emitting the signal $\mathit{in}(\mathit{Standby})$ as well: $R_1 \triangleq \mathit{in}(\mathit{OperInProg}) \Rightarrow \mathit{in}(\mathit{Standby})$.
2. For the control signal SchedOper! to be sent to Maintenance Scheduling, one of the following must hold: (1) a soft deadline has passed, identified by emission of the signal $\mathit{in}(\mathit{SoftDeadline})$, and there are no print jobs waiting, meaning that the target power mode is not run, identified by the signal $\mathit{in}(\mathit{TargetRun})$; or (2) a hard deadline has passed, indicated by the signal $\mathit{in}(\mathit{HardDeadline})$. This is captured by the following control requirement: $R_2 \triangleq\ \xrightarrow{\mathit{SchedOper}!} \Rightarrow (\mathit{in}(\mathit{SoftDeadline}) \wedge \neg\mathit{in}(\mathit{TargetRun})) \vee \mathit{in}(\mathit{HardDeadline})$.
3. The maintenance operation can be started by sending the control signal OperStart! only if it has been scheduled, prompted by the emission of the signal $\mathit{in}(\mathit{ExecuteNow})$: $R_3 \triangleq\ \xrightarrow{\mathit{OperStart}!} \Rightarrow \mathit{in}(\math!{ExecuteNow})$.
4. If we want to switch from standby to run power mode, indicated by sending the control signal Stb2Run!, then this must have been requested by the target power mode manager by emitting the signal $\mathit{in}(\mathit{TargetRun})$, provided that there are no maintenance operations scheduled, for which the signal $\mathit{in}(\mathit{ExecuteNow})$ should be checked: $R_{4,1} \triangleq\ \xrightarrow{\mathit{Stb2Run}!} \Rightarrow \mathit{in}(\mathit{TargetRun}) \wedge \neg\mathit{in}(\mathit{ExecuteNow})$. When switching from run to standby power mode, indicated by sending the control signal Run2Stb!, the target power mode should be standby, given by emission of the signal $\mathit{in}(\mathit{TargetStandby})$. An exception is made when a maintenance operation is scheduled to be executed, given by emission of the signal $\mathit{in}(\mathit{ExecuteNow})$: $R_{4,2} \triangleq\ \xrightarrow{\mathit{Run2Stb}!} \Rightarrow \mathit{in}(\mathit{TargetStandby}) \vee \mathit{in}(\mathit{ExecuteNow})$.

Supervisor synthesis. With respect to the control requirements we synthesized a deadlock- and livelock-free maximally permissive supervisor [18]. The supervisor sends the control signals upon observation of certain signal combinations, which are given in the form of guards. The indices of the guards correspond to the indices of the control requirements that concern the control signal:

$g_2 \triangleq (\mathit{in}(\mathit{SoftDeadline}) \wedge \mathit{in}(\mathit{TargetStandby})) \vee \mathit{in}(\mathit{HardDeadline})$
$g_3 \triangleq \mathit{in}(\mathit{Standby}) \wedge \mathit{in}(\mathit{ExecuteNow})$
$g_{4,1} \triangleq \neg\mathit{in}(\mathit{ExecuteNow}) \wedge \mathit{in}(\mathit{TargetRun}) \wedge \neg\mathit{in}(\mathit{OperInProg})$
$g_{4,2} \triangleq (\neg\mathit{in}(\mathit{ExecuteNow}) \wedge \mathit{in}(\mathit{TargetStandby})) \vee \mathit{in}(\mathit{ExecuteNow})$.

The supervisor is given by $S \in \mathcal{S}$:

$S \triangleq \big(g_2 :\rightarrow \mathit{SchedOper}!\,.\,1 + g_3 :\rightarrow \mathit{OperStart}!\,.\,1 + g_{4,1} :\rightarrow \mathit{Stb2Run}!\,.\,1 + g_{4,2} :\rightarrow \mathit{Run2Stb}!\,.\,1\big)^{*}.$

[Figure 6: Alternative form of the supervisor, as a state transition system whose transitions are the guarded controllable actions $g_2 :\rightarrow \mathit{SchedOper}!$, $g_3 :\rightarrow \mathit{OperStart}!$, and the Run2Stb! and Stb2Run! transitions guarded by $g_{4,1}$ and $g_{4,2}$.]

Now, the supervised plant $U/S$ is given by

$U/S \triangleq \partial_E(S \parallel U)$, where $E = \{c!,\ c? \mid c \in C\}$.
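To make the synthesized guards concrete, here is an added example (written for this page; it is not the paper's own tooling or code) that encodes the five plant processes $C$, $O$, $T$, $P$ and $M$ as communicating state machines, applies the guards $g_2$, $g_3$, $g_{4,1}$ and $g_{4,2}$ to the controllable receive actions, explores the reachable states of $U/S$ breadth-first, and checks $R_1$ to $R_{4,2}$ and deadlock-freedom in every reachable state. The same exploration is run on the unsupervised plant $U$, which shows which requirements the plant violates on its own. Signal exclusivity (the invariant $I$) holds by construction because each component is always in exactly one local state, the three-way OperFinished synchronisation enforced by $\partial_F$ is modeled directly, and the underscore prefix on uncontrollable actions follows Figure 5; the encoding itself is an assumption of this example.

```python
from collections import deque

# Added example (not from the paper): the printing-process plant of Section 5 and
# the guarded supervisor S as a finite state space.  Local transitions of each
# component process: local state -> [(action, next local state)].  Names follow
# the paper; uncontrollable actions carry the underscore prefix of Figure 5.
COMPONENTS = {
    "C": {"NoDeadline":   [("_ToSoftDln", "SoftDeadline"), ("_OperFinished", "NoDeadline")],
          "SoftDeadline": [("_ToHardDln", "HardDeadline"), ("_OperFinished", "NoDeadline")],
          "HardDeadline": [("_OperFinished", "NoDeadline")]},
    "O": {"OperIdle":   [("OperStart", "OperInProg")],
          "OperInProg": [("_OperFinished", "OperIdle")]},
    "T": {"TargetStandby": [("_TargetRun", "TargetRun")],
          "TargetRun":     [("_TargetStandby", "TargetStandby")]},
    "P": {"Standby":  [("Stb2Run", "Starting")],
          "Starting": [("_InRun", "Run")],
          "Run":      [("Run2Stb", "Stopping")],
          "Stopping": [("_InStb", "Standby")]},
    "M": {"NotScheduled": [("SchedOper", "Scheduled")],
          "Scheduled":    [("_ExecOperNow", "ExecuteNow")],
          "ExecuteNow":   [("_OperFinished", "NotScheduled")]},
}
ORDER = ("C", "O", "T", "P", "M")
INITIAL = ("NoDeadline", "OperIdle", "TargetStandby", "Standby", "NotScheduled")
CONTROLLABLE = {"Run2Stb", "Stb2Run", "SchedOper", "OperStart"}   # the channels C
# Encapsulation F: _OperFinished is a three-way communication (O sends, C and M receive).
SYNC = {"_OperFinished": {"C", "O", "M"}}


def signals(state):
    """The in(StateName) signals emitted in a global state: one per component,
    which is exactly what the exclusivity invariant I demands."""
    return frozenset(state)


def plant_steps(state):
    """Transitions (action, next global state) of the unsupervised plant U."""
    enabled, target = {}, {}
    for name, local in zip(ORDER, state):
        for act, nxt in COMPONENTS[name][local]:
            enabled.setdefault(act, set()).add(name)
            target[(name, act)] = nxt
    steps = []
    for act, parts in enabled.items():
        movers = [SYNC[act]] if act in SYNC else [{n} for n in parts]
        for group in movers:
            if group <= parts:  # every synchronising party must be ready
                steps.append((act, tuple(target[(n, act)] if n in group else s
                                         for n, s in zip(ORDER, state))))
    return steps


def guards(sig):
    """The supervisor's guards, indexed by the controllable action they enable."""
    return {
        "SchedOper": ("SoftDeadline" in sig and "TargetStandby" in sig) or "HardDeadline" in sig,  # g2
        "OperStart": "Standby" in sig and "ExecuteNow" in sig,                                     # g3
        "Stb2Run": "ExecuteNow" not in sig and "TargetRun" in sig and "OperInProg" not in sig,      # g4,1
        "Run2Stb": ("ExecuteNow" not in sig and "TargetStandby" in sig) or "ExecuteNow" in sig,    # g4,2
    }


def supervised_steps(state):
    """Transitions of U/S: a controllable action also needs its guard to hold."""
    g = guards(signals(state))
    return [(a, s) for a, s in plant_steps(state) if a not in CONTROLLABLE or g[a]]


def requirements(sig, enabled):
    """R1 to R4,2 as state predicates; 'enabled' are the actions possible in the state."""
    return {
        "R1": "OperInProg" not in sig or "Standby" in sig,
        "R2": "SchedOper" not in enabled
              or ("SoftDeadline" in sig and "TargetRun" not in sig) or "HardDeadline" in sig,
        "R3": "OperStart" not in enabled or "ExecuteNow" in sig,
        "R4.1": "Stb2Run" not in enabled or ("TargetRun" in sig and "ExecuteNow" not in sig),
        "R4.2": "Run2Stb" not in enabled or "TargetStandby" in sig or "ExecuteNow" in sig,
    }


def explore(step_fn):
    """Breadth-first reachability from INITIAL.
    Returns (number of reachable states, violated requirements, deadlocked states)."""
    seen, queue = {INITIAL}, deque([INITIAL])
    violated, deadlocks = set(), []
    while queue:
        state = queue.popleft()
        steps = step_fn(state)
        if not steps:
            deadlocks.append(state)
        enabled = {a for a, _ in steps}
        violated |= {r for r, ok in requirements(signals(state), enabled).items() if not ok}
        for _, nxt in steps:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return len(seen), violated, deadlocks


def initially_enabled_controllables():
    """Controllable actions the supervisor allows in the initial state."""
    return sorted(a for a, _ in supervised_steps(INITIAL) if a in CONTROLLABLE)


if __name__ == "__main__":
    for label, fn in (("U", plant_steps), ("U/S", supervised_steps)):
        count, bad, dead = explore(fn)
        print(f"{label}: {count} reachable states, violated: {sorted(bad) or 'none'}, deadlocks: {len(dead)}")
    print("controllable actions enabled initially under S:", initially_enabled_controllables())
```

The check is state-wise because the guards depend only on the emitted signals, so a state of $U/S$ is a state of $U$ with some controllable receive actions cut off. Deadlock-freedom follows from Target Power Mode always having an uncontrollable transition enabled, and the empty initial set of controllable actions matches the observation in the text that neither Run2Stb nor OperStart is possible initially.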
Again, we can show that the supervised plant is partially bisimilar to the original plant with respect to the uncontrollable events by showing that $U/S \leq_{A_U} \xi(U)$, where $\xi\colon c? \mapsto c!?$ for $c \in C$. The above form of the supervisor does not provide much information regarding the choices made. It can be visualized as a single-state transition system with four outgoing guarded transitions. However, it is not difficult to deduce that initially the event Run2Stb is not possible, since the initial signal is $\mathit{in}(\mathit{Standby})$. Also, OperStart is initially unavailable, as the signal $\mathit{in}(\mathit{ExecuteNow})$ is not emitted. In order to better understand the consequences of the control choices made by the supervisor and the controllable events enabled thereafter, we depict an alternative supervisor in Figure 6. We note that both variants of the supervisor produce equivalent supervised behavior (the guards remain the same), the difference being that the supervisor depicted in Figure 6 reveals the consequences of choosing a particular controllable action. We can now observe that if the operation is scheduled while the printing process is in standby power mode, then it can be directly executed, returning the supervisor to the initial state. However, if the power mode is run, then the maintenance operation can still be scheduled, but the system has to switch to standby power mode before it can be executed.

6 Conclusions and Future Work

We modeled two prominent types of supervisory control loops, one employing event-based observations and the other employing state-based observations. To this end, we revisited the process theory TCP* of [1], where we introduced generic communication actions to model communication between multiple parties, and we applied the developed theory to model the control loop with event-based observations. We classified the processes modeling the unsupervised system and the controller to capture their specific goals.
We illustrated our approach on an academic example of coordinating an automated guided vehicle in a production line. To model the control loop with state-based observations as well, we extended the process theory with guarded commands and root signal emission, leading to TCP*⊥. We revisited an industrial study dealing with the coordination of maintenance procedures in the printing process of a high-tech printer. We demonstrated that our approach is capable of modeling the interaction in the control loop precisely, by distinguishing between the information flows of the observations and the control signals.

Application of process theory in supervisory coordination. The work presented in this paper is merely the third step in our investigations regarding the application of process theory in supervisory control and coordination. Our prior work identified and employed partial bisimulation as a suitable behavioral relation to capture the central notion of controllability [2]. Based on this relation we developed an efficient minimization procedure for nondeterministic plants that respects controllability. Here, we modeled the most prominent variants of the supervisory control loop and further calibrated the process algebra with respect to the notions that are needed to correctly capture the central notions of supervisory control theory. The issues are far from resolved. We intend to proceed in several directions of research, where we expect that a process-theoretic approach can advance the theory and/or define the notions more clearly and concisely. One issue that we partially treat in this paper is the notion of partial observability, which is an inherent property of plants in which, due to the unavailability of sensors, certain information is unobservable to the supervisor [9].
There is a lot of work regarding partial observability of events, which can be treated either as uncontrollable actions that are not communicated to the supervisor or as silent steps from which the supervisor has to abstract. The first option is already present in the current setting, whereas the second approach is more than familiar to the process-theoretic community. An unavoidable complication in supervisory control is that the supervisor must not make a wrong control choice, irrespective of not being able to observe the correct state of the plant, making partial observability a global property [2]. In the setting with state-based observations, one can easily abstract from state information by emitting slightly ambiguous signals; e.g., instead of uniquely identifying being in state S or T, one can emit the signal $\mathit{in}(S) \vee \mathit{in}(T)$. We intend to further investigate the mechanics of state abstraction in supervisory control.

As expected, there are quantitative extensions of supervisory control theory employing real and stochastic timing, probabilities, and data. However, the supervisory control community seems to struggle with clear and acceptable definitions of controllability, as typically these follow the original approach of [22] and are, thus, given in trace semantics. There are other approaches that are instead based on games, but these often suffer from great computational complexity. We believe that here the community of process theory and verification can contribute a great deal, both in providing suitable definitions and in algorithms for minimization and supervisor synthesis. Finally, supervisor synthesis algorithms almost always have distributed, decentralized, modular, or hierarchical implementations. Concurrency is inherent to our work, and we believe that there are a lot of interesting problems, issues, and challenges hidden in this exciting field.

References

[1] J. C. M. Baeten, T. Basten & M. A. Reniers (2010): Process Algebra: Equational Theories of Communicating Processes. Cambridge Tracts in Theoretical Computer Science 50, Cambridge University Press.
[2] J. C. M. Baeten, D. A. van Beek, B. Luttik, J. Markovski & J. E. Rooda (2011): A Process-Theoretic Approach to Supervisory Control Theory. In: Proceedings of ACC 2011, IEEE. Available from: http://se.wtb.tue.nl.
[3] J. C. M. Baeten, B. Luttik, T. Muller & P. van Tilburg (2010): Expressiveness modulo Bisimilarity of Regular Expressions with Parallel Composition (extended abstract). In: Proceedings of EXPRESS 2010, Electronic Proceedings in Theoretical Computer Science 41, pp. 1–15, doi:10.4204/EPTCS.41.1.
[4] J. C. M. Baeten & W. P. Weijland (1990): Process algebra. Cambridge Tracts in Theoretical Computer Science 18, Cambridge University Press, doi:10.1017/CBO9780511624193.
[5] J. C. M. Baeten & J. A. Bergstra (1997): Process algebra with propositional signals. Theoretical Computer Science 177, pp. 381–405, doi:10.1016/S0304-3975(96)00253-8.
[6] S. Balemi, G. J. Hoffmann, P. Gyugyi, H. Wong-Toi & G. F. Franklin (1993): Supervisory control of a rapid thermal multiprocessor. IEEE Transactions on Automatic Control 38(7), pp. 1040–1059.
[7] G. Barrett & S. Lafortune (1998): Bisimulation, the Supervisory Control Problem and Strong Model Matching for Finite State Machines. Discrete Event Dynamic Systems 8(4), pp. 377–429, doi:10.1023/A:1008301317459.
[8] H. Beohar & P. J. L. Cuijpers (2010): A theory of desynchronisable closed loops system. In: Proceedings of ICE 2010, Electronic Proceedings in Theoretical Computer Science 38, Open Publishing Association, pp. 99–114, doi:10.4204/EPTCS.38.10.
[9] C. Cassandras & S. Lafortune (2004): Introduction to discrete event systems. Kluwer Academic Publishers.
[10] V. Chandra, Z. Huang, W. Qiu & R. Kumar (2004): Prioritized Composition With Exclusion and Generation for the Interaction and Control of Discrete Event Systems. Mathematical and Computer Modelling of Dynamical Systems 9(3), pp. 255–280.
[11] M. Fabian & B. Lennartson (1996): On non-deterministic supervisory control. Proceedings of the 35th IEEE Decision and Control 2, pp. 2213–2218.
[12] R. J. van Glabbeek (2001): The linear time–branching time spectrum I. Handbook of Process Algebra, pp. 3–99.
[13] M. Heymann & F. Lin (1998): Discrete-Event Control of Nondeterministic Systems. IEEE Transactions on Automatic Control 43(1), pp. 3–17, doi:10.1109/9.654883.
[14] M. Heymann & G. Meyer (1991): Algebra of discrete event processes. Technical Report NASA 102848, NASA Ames Research Center.
[15] R. Kumar & M. A. Shayman (1996): Nonblocking Supervisory Control of Nondeterministic Systems via Prioritized Synchronization. IEEE Transactions on Automatic Control 41(8), pp. 1160–1175, doi:10.1109/9.533677.
[16] R. Kumar & C. Zhou (2007): Control of Nondeterministic Discrete Event Systems for Simulation Equivalence. IEEE Transactions on Automation Science and Engineering 4(3), pp. 340–349, doi:10.1109/TASE.2006.891474.
[17] C. Ma & W. M. Wonham (2005): Nonblocking Supervisory Control of State Tree Structures. Lecture Notes in Control and Information Sciences 317, Springer.
[18] J. Markovski, K. G. M. Jacobs, D. A. van Beek, L. J. A. M. Somers & J. E. Rooda (2010): Coordination of Resources using Generalized State-Based Requirements. In: Proceedings of WODES 2010, IFAC, pp. 300–305.
[19] S. Miremadi, K. Akesson & B. Lennartson (2008): Extraction and representation of a supervisor using guards in extended finite automata. In: Proceedings of WODES 2008, IEEE, pp. 193–199.
[20] A. Overkamp (1997): Supervisory Control Using Failure Semantics and Partial Specifications. IEEE Transactions on Automatic Control 42(4), pp. 498–510, doi:10.1109/9.566659.
[21] G. D. Plotkin (2004): A structural approach to operational semantics. The Journal of Logic and Algebraic Programming 60–61, pp. 17–139, doi:10.1016/j.jlap.2004.05.001.
[22] P. J. Ramadge & W. M. Wonham (1987): Supervisory Control of a Class of Discrete Event Processes. SIAM Journal on Control and Optimization 25(1), pp. 206–230, doi:10.1137/0325013.
[23] J. J. M. M. Rutten (1999): Coalgebra, concurrency, and control. SEN Report R-9921, Center for Mathematics and Computer Science, Amsterdam, The Netherlands.
[24] P. Tabuada (2008): Controller synthesis for bisimulation equivalence. Systems and Control Letters 57(6), pp. 443–452, doi:10.1016/j.sysconle.2007.11.005.
[25] S. Xu & R. Kumar (2008): Asynchronous implementation of synchronous discrete event control. In: Proceedings of WODES 2008, IEEE, pp. 181–186.
[26] C. Zhou, R. Kumar & S. Jiang (2006): Control of nondeterministic discrete-event systems for bisimulation equivalence. IEEE Transactions on Automatic Control 51(5), pp. 754–765, doi:10.1109/TAC.2006.875036.
