Model Properties for Efficient Synthesis of Nonblocking Modular Supervisors

Supervisory control theory provides means to synthesize supervisors for cyber-physical systems from models of the uncontrolled plant and models of the control requirements. It has been shown that in general supervisory control synthesis is NP-hard. However, for several industrial systems supervisory control synthesis verifies that the provided control requirements are sufficient to act as a supervisor. In this paper, we propose model properties and a method to identify when no synthesis is needed for a given set of plant models and requirement models, i.e., the plant models and requirement models together form a maximally permissive, controllable, and nonblocking supervisor. The method consists of creating a control problem dependency graph and verifying whether it is acyclic to establish that synthesis can be skipped. In case of a cyclic graph, potential blocking issues can be localized, so that the original control problem can be reduced to only synthesizing supervisors for smaller partial control problems. The proposed method is illustrated in detail with a case study of a production line and applied on a case study of a roadway tunnel for which the method identifies a large part of the system that requires no synthesis.


Introduction
The design of supervisors for cyber-physical systems has become a challenge as these high-tech systems include more and more components to control and functions to fulfill, while at the same time market demands require verified safety, decreased costs and decreased time-to-market for these systems. Model-based systems engineering methodologies can help in overcoming these difficulties.
The supervisory control theory of Ramadge-Wonham [1,2] provides means to synthesize supervisors from a model of the uncontrolled plant and a model of the control requirements. Synthesis guarantees by construction that the closed-loop behavior of the supervisor and the plant adheres to all requirements, is nonblocking, is controllable, and is maximally permissive. It is shown that synthesis is NP-hard, see [3].
Supervisors can be implemented on different hardware platforms, of which the Programmable Logic Controller (PLC) is the one typically used [4]. Those hardware platforms have in common that the supervisor receives sensor signals through the input channels and sends actuator signals through the output channels.
Models on this input/output level are very well suitable for supervisory control theory, as shown by [5]. The notion of controllable events matches with (actuator) commands given by the supervisor to the system, and the notion of uncontrollable events matches with responses of the system to these commands.
Recently, several models of industrial-size applications have been published that use this input/output perspective, among them [6,7,8]. Analyzing the results of these cases, one discovers that the synthesized supervisors do not impose additional restrictions on the system, i.e., the provided set of requirement models is sufficient to control the plant such that the closed-loop behavior is nonblocking, controllable, and maximally permissive. Therefore, time and computing resources could have been saved, as synthesis turned out to be unnecessary for these cases. In [3], it was already noted that by observing real-world problems more closely one could discover instances of supervisory control synthesis that are computationally easier. However, no suggestions are included there of what these instances might be or how to find them.
The main contribution of this paper is a method to indicate which part of the synthesis problem, a given set of plant models and requirement models, can be omitted before applying synthesis, hence reducing the synthesis effort. The method analyzes the dependencies between plant models based on the requirements (and not the actual total state-space) to come to a result. In the best case, the method indicates that the complete synthesis problem can be omitted, implying that synthesis can be skipped completely. In the worst case, the method indicates that nothing can be omitted and one might still have the notorious state-space explosion problem when performing synthesis after applying the method. Instead of using the more common suggestions found in the SCT literature to analyze the dependencies between plant models (e.g., shared events in [9,10]), we analyze the dependencies within the combined set of plant models and the requirement models, as also suggested in [11,12].
The proposed method utilizes a specific formulation of the plant and requirement models, where requirement models are state-based expressions, see [13,14]. We do not restrict the engineers in writing their specifications in this desired way. Rather, we use the way specifications are written based on failure mode analysis of (safety-critical) systems with actuators and sensors, see [15]. In this paper, we show that this way of specifying the system is beneficial for supervisor synthesis. Therefore, engineers of safety-critical systems obtain a powerful tool to gain confidence in the finally obtained supervisor.
The proposed method is most effective for plant models that are decoupled or loosely coupled, often the result of using the input/output perspective. Several case studies with real-life applications, such as [6,7,8], have loosely coupled plant models. With the specific formulation of the plant and requirement models, the method is less effective on models of manufacturing systems in which products are explicitly modeled. Examples of such systems are a wafer scanner [16] and a cluster tool [17]. By having the products modeled, the plant models representing the manufacturing system are intertwined by shared events. Furthermore, it is not obvious how some well-known examples from the literature, like the machine-buffer example from [18], could be modeled in this framework. The key point is that if a system is modeled with the specific formulation used in this paper, a reduction in effort to perform synthesis can be achieved. This paper builds upon preliminary results published in [19]. While the model properties proposed in that paper capture the essence of some models of industrial applications, in this paper we provide relaxed conditions with respect to which control synthesis can be skipped. We introduce the notion of dependency graph to analyze dependencies between plant models based on the requirement models. If this directed graph is acyclic, synthesis can be skipped. However, if this directed graph is cyclic, the cycles indicate problems that potentially require synthesis. In this paper, we show that supervisors can be synthesized independently for each strongly connected component of this graph, resulting in a set of nonconflicting modular supervisors.
Related is the work of [11], where inspiration is taken from systems with shared resources, such as flexible manufacturing systems. In this work, control-flow nets are introduced to analyze dependencies in the system and subsequently abstract away those parts of the system that will not contribute to a potential blocking issue. Controlflow nets are defined for shuffle systems with server and buffer specifications, which limits the applicability. In our work, we use for the plant a similar notion as a shuffle system, while the view on the specifications is state-based, see [13,14]. Nevertheless, both works can coexist as different classes of discrete-event systems are identified for which synthesis is easy.
In this paper, we deviate from an often used approach in supervisory control synthesis in which particular structures of systems are used to ease synthesis and which are applicable to any given discrete-event system model. Examples of such methods include local modular synthesis [20], incremental synthesis [21], compositional synthesis [22], and coordination control [23]. Experimenting with applying several of these synthesis methods directly on the full models of [6,24] shows that these are hard problems, and applying the wrong algorithm is fatal in the sense of running out of memory. Thus, knowing beforehand that synthesis is not necessary will save time and effort (both computational and human).
The structure of this paper is as follows. In Section 2, the preliminaries are provided. The properties as proposed in the previous work [19] are presented in Section 3. In Section 4, the dependency graph is introduced which will be used to analyze the control problem. In Section 5, the result is established that synthesis can be skipped when the dependency graph is acyclic. Section 6 extends the analysis to cyclic dependency graphs to reduce the original control problem into a set of smaller control problems. Sections 7 and 8 provide two case studies related to a production line and to a roadway tunnel to demonstrate the proposed analysis method. Section 9 concludes the paper.

Preliminaries
This section provides a brief summary of concepts related to automata, supervisory control theory, and directed graphs relevant for this paper. The concepts related to automata and supervisory control theory are taken from [25,18]. The concepts related to directed graphs are taken from [26].

Automata
An automaton is a five-tuple $G = (Q, \Sigma, \delta, q_0, Q_m)$, where $Q$ is the (finite) state set, $\Sigma$ is the alphabet of events, $\delta : Q \times \Sigma \to Q$ the partial transition function, $q_0 \in Q$ the initial state, and $Q_m \subseteq Q$ the set of marked states. The alphabet $\Sigma = \Sigma_c \cup \Sigma_u$ is partitioned into two disjoint sets containing the controllable events ($\Sigma_c$) and the uncontrollable events ($\Sigma_u$), and $\Sigma^*$ is the set of all finite strings of events in $\Sigma$, including the empty string $\varepsilon$.
A path $p$ of an automaton is defined as a sequence of alternating states and events, i.e., $q_1 \sigma_1 q_2 \sigma_2 \ldots \sigma_{n-1} q_n \sigma_n q_{n+1}$ such that for $i \in [1, n]$ it holds that $\delta(q_i, \sigma_i) = q_{i+1}$. A path can also be written in infix notation $q_1$ A state $q$ of an automaton is called reachable if there is a string $s \in \Sigma^*$ with $\delta(q_0, s)!$ (i.e., $\delta(q_0, s)$ is defined) and $\delta(q_0, s) = q$. The automaton $G$ is called reachable if every state $q \in Q$ is reachable. A state $q$ is coreachable if there is a string $s \in \Sigma^*$ with $\delta(q, s)!$ and $\delta(q, s) \in Q_m$. The automaton $G$ is called coreachable if every state $q \in Q$ is coreachable. An automaton is called nonblocking if every reachable state is coreachable. An automaton is called trim if it is reachable and coreachable. Notice that a trim automaton is nonblocking, but a nonblocking automaton need not be trim, since it may have unreachable states.
An automaton is called strongly connected if from every state all other states can be reached, i.e., for any pair of states $q_1, q_2 \in Q$ there exists a string $s \in \Sigma^*$ such that $\delta(q_1, s) = q_2$, see [27].
A composed system $\mathcal{G}$ is a collection of automata, i.e., $\mathcal{G} = \{G_1, \ldots, G_m\}$. The synchronous composition of a composed system $\mathcal{G}$, denoted by $G$, is defined as $G = G_1 \| \cdots \| G_m$, and the synchronous composition of two composed systems, $\mathcal{G}_1 \| \mathcal{G}_2$, is defined as the synchronous composition of $\mathcal{G}_1 \cup \mathcal{G}_2$.
Finally, let $G$ and $K$ be two automata with the same alphabet $\Sigma$. $K$ is said to be controllable with respect to $G$ if, for every string $s \in \Sigma^*$ and $u \in \Sigma_u$ such that $\delta_K(q_{0,K}, s)!$ and $\delta_G(q_{0,G}, su)!$, it holds that $\delta_K(q_{0,K}, su)!$.

Supervisory control theory
The objective of supervisory control theory [1,2,25,18] is to design an automaton called a supervisor whose function is to dynamically disable controllable events so that the closed-loop system of the plant and the supervisor obeys some specified behavior. More formally, given a plant model $P$ and requirement model $R$, the goal is to synthesize a supervisor $S$ that adheres to the following control objectives.
• Safety: all possible behavior of the closed-loop system $P \| S$ should always satisfy the imposed requirements, i.e., $L(P \| S) \subseteq L(P \| R)$.
• Controllability: uncontrollable events may never be disabled by the supervisor, i.e., $P \| S$ is controllable with respect to $P$.
• Nonblockingness: the closed-loop system should be able to reach a marked state from every reachable state, i.e., $P \| S$ is nonblocking.
• Maximal permissiveness: the supervisor does not restrict more behavior than strictly necessary to enforce safety, controllability, and nonblockingness, i.e., for every other supervisor $S'$ that is safe, controllable, and nonblocking it holds that $L(P \| S') \subseteq L(P \| S)$.
Monolithic supervisory control synthesis results in a single supervisor $S$ from a single plant model and a single requirement model [1]. There may exist multiple automata representations of the maximally permissive, safe, controllable, and nonblocking supervisor. Without loss of generality it is assumed that $S = P \| S$. When the plant model and the requirement model are given as composed systems $\mathcal{P}$ and $\mathcal{R}$, respectively, the monolithic plant model $P$ and requirement model $R$ are obtained by performing the synchronous composition of the models in the respective composed system.
For the purpose of supervisor synthesis, requirements can be modeled with automata and state-based expressions [13,14]. The latter is useful in practice, as some control engineers tend to formulate requirements based on states of the plant. To refer to states of the plant, we introduce the notation P.q which refers to state q of plant P . State references can be combined with the Boolean literals T and F and logic connectives to create predicates.
In this paper, state-event invariant expressions are considered. A state-event invariant expression formulates conditions on the enablement of an event based on states of the plant, i.e., the condition should evaluate to true for the event to be enabled. A state-event invariant expression is of the form $\sigma$ needs $C$ where $\sigma$ is an event and $C$ a predicate stating the condition. In general, event $\sigma$ can be a controllable or an uncontrollable event. Let $R$ be a state-event invariant expression; then $\mathrm{event}(R)$ returns the event used in $R$ and $\mathrm{cond}(R)$ returns the condition predicate. The synchronous composition of a plant $P$ with a state-event invariant expression $R$, denoted by $P \| R$, is defined by altering the transition function $\delta$.

Figure 1: An example of the synchronous composition of an automaton and a state-event invariant expression. In this and subsequent figures, (marked) locations are depicted with (concentric) circles, the initial location with an incoming arrow, and transitions with labeled edges.
Definition 2. Let $P = (Q, \Sigma, \delta, q_0, Q_m)$ and $R = \mu$ needs $C$. Then the synchronous composition of $P$ and $R$ is defined as $P \| R = (Q, \Sigma, \delta', q_0, Q_m)$, where $\delta'(q, \sigma) = \delta(q, \sigma)$, unless $\sigma = \mu$ and $C|_{P.q} = F$, where $C|_{P.q}$ indicates that all state references $P.q$ in $C$ are substituted by $T$ and all state references $P.r$, $r \in Q$, $r \neq q$, in $C$ are replaced by $F$. In the latter case $\delta'(q, \sigma)$ is undefined.
An example to illustrate the synchronous composition between an automaton and a state-event invariant expression is provided in Figure 1. This definition can be easily extended to a set of state-event invariant expressions $\mathcal{R} = \{R_1, \ldots, R_n\}$. Given a composed system representation of the plant $\mathcal{P} = \{P_1, \ldots, P_m\}$ and a collection of requirements $\mathcal{R} = \{R_1, \ldots, R_n\}$, we define the tuple $(\mathcal{P}, \mathcal{R})$ as the control problem for which we want to synthesize a supervisor. We make the following assumptions about this control problem:
• $\mathcal{P} \neq \emptyset$, while $\mathcal{R}$ can be the empty set.
• For all $P \in \mathcal{P}$, it holds that $P$ is an automaton where $Q_P$ and $\Sigma_P$ are nonempty.
• For all $R \in \mathcal{R}$, it holds that if $R$ is an automaton, then $Q_R$ and $\Sigma_R$ are nonempty and $\Sigma_R \subseteq \Sigma_{\mathcal{P}}$, where $\Sigma_{\mathcal{P}} = \bigcup_{P \in \mathcal{P}} \Sigma_P$; if $R$ is a state-event invariant expression, then $\mathrm{event}(R) \in \Sigma_{\mathcal{P}}$, and for each state reference $P.q$ in $\mathrm{cond}(R)$ it holds that $P \in \mathcal{P}$ and $q \in Q_P$.
Modular supervisory control synthesis uses the fact that often the desired behavior is specified with a collection of requirements $\mathcal{R}$ [28]. Instead of first transforming the collection of requirements into a single requirement, as monolithic synthesis does, modular synthesis calculates for each requirement a supervisor based on the plant model. In other words, given a control problem $(\mathcal{P}, \mathcal{R})$ with $\mathcal{R} = \{R_1, \ldots, R_n\}$, modular synthesis solves $n$ control problems $(\mathcal{P}, \{R_1\}), \ldots, (\mathcal{P}, \{R_n\})$. Each control problem $(\mathcal{P}, \{R_i\})$ for $i \in [1, n]$ results in a safe, controllable, nonblocking, and maximally permissive supervisor $S_i$. The collection of supervisors $\mathcal{S} = \{S_1, \ldots, S_n\}$ can be conflicting, i.e., $S_1 \| \cdots \| S_n$ can be blocking. A nonconflicting check can verify whether $\mathcal{S}$ is nonconflicting [29]. In the case that $\mathcal{S}$ is nonconflicting, $\mathcal{S}$ is also safe, controllable, nonblocking, and maximally permissive for the original control problem $(\mathcal{P}, \mathcal{R})$. In the case that $\mathcal{S}$ is conflicting, an additional coordinator $C$ can be synthesized such that $\mathcal{S} \cup \{C\}$ is safe, controllable, nonblocking, and maximally permissive for the original control problem $(\mathcal{P}, \mathcal{R})$ [30].
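The following Python script is an added example and not code from the paper. It implements the synchronous composition of Definition 2, lifted from a single automaton to a product system (each state reference $P.q$ in a condition is evaluated against the current global state), and then the reachability and coreachability computations of Section 2.1 to decide whether $P \| R$ is nonblocking. The two plants and the two requirement sets are constructed here for illustration: both requirement sets make the enablement of an event of one plant depend on the state of the other, but only one of them leaves the closed loop nonblocking.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Automaton:
    """Five-tuple (Q, Sigma, delta, q0, Qm); delta is partial, missing keys are undefined."""
    name: str
    states: frozenset
    delta: dict          # (state, event) -> state
    initial: str
    marked: frozenset


@dataclass(frozen=True)
class Needs:
    """State-event invariant expression 'event needs C' with C in disjunctive normal form:
    a tuple of conjunctions, each a tuple of literals (plant, state, positive)."""
    event: str
    dnf: tuple


def holds(dnf, refs):
    """C|_{P.q} of Definition 2: reference P.q is T iff plant P currently is in state q."""
    return any(all((refs[p] == q) == pos for p, q, pos in conj) for conj in dnf)


def closed_loop(plants, reqs):
    """Reachable part of P || R for a product system (pairwise disjoint alphabets).
    A global state is the tuple of local states; an event is enabled iff its own plant
    enables it and the condition of every requirement restricting it holds."""
    init = tuple(P.initial for P in plants)
    succ, todo = {}, deque([init])
    while todo:
        gs = todo.popleft()
        if gs in succ:
            continue
        succ[gs] = []
        refs = {P.name: gs[i] for i, P in enumerate(plants)}
        for i, P in enumerate(plants):
            for (s, ev), t in P.delta.items():
                if s == gs[i] and all(holds(R.dnf, refs) for R in reqs if R.event == ev):
                    nxt = gs[:i] + (t,) + gs[i + 1:]
                    succ[gs].append((ev, nxt))
                    todo.append(nxt)
    return succ


def is_nonblocking(plants, reqs):
    """Every reachable global state is coreachable; a global state is marked iff every
    component is in one of its marked states."""
    succ = closed_loop(plants, reqs)
    marked = [gs for gs in succ if all(gs[i] in P.marked for i, P in enumerate(plants))]
    pred = {gs: set() for gs in succ}
    for gs, edges in succ.items():
        for _, nxt in edges:
            pred[nxt].add(gs)
    core, todo = set(marked), deque(marked)      # backward closure of the marked states
    while todo:
        gs = todo.popleft()
        for p in pred[gs]:
            if p not in core:
                core.add(p)
                todo.append(p)
    return len(core) == len(succ)


# Constructed plants (hypothetical, not from the paper): strongly connected, one marked state each.
P1 = Automaton("P1", frozenset({"q0", "q1"}), {("q0", "a"): "q1", ("q1", "b"): "q0"}, "q0", frozenset({"q1"}))
P2 = Automaton("P2", frozenset({"r0", "r1"}), {("r0", "c"): "r1", ("r1", "d"): "r0"}, "r0", frozenset({"r1"}))
PLANTS = [P1, P2]
# Both sets make P1 depend on P2 and P2 on P1, yet only CP1 blocks (deadlock in (q0, r0)).
CP1 = [Needs("a", ((("P2", "r1", True),),)), Needs("c", ((("P1", "q1", True),),))]
CP2 = [Needs("a", ((("P2", "r0", True),),)), Needs("c", ((("P1", "q1", True),),))]

if __name__ == "__main__":
    print("plant alone nonblocking:", is_nonblocking(PLANTS, []))
    print("CP1 nonblocking:", is_nonblocking(PLANTS, CP1))
    print("CP2 nonblocking:", is_nonblocking(PLANTS, CP2))
```

Under CP1 neither `a` (needs `P2.r1`) nor `c` (needs `P1.q1`) is enabled in the initial state, so the only reachable state is unmarked and the closed loop blocks; under CP2 the event `a` is enabled first, after which `c` becomes enabled and the marked state (q1, r1) is reachable from everywhere.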

Directed graphs
Definitions and notations of directed graphs are taken from [26]. A directed graph is a tuple $(V, E)$ of sets of vertices $V$ (or nodes) and edges $E$ (or arcs), together with two functions $\mathrm{init} : E \to V$ and $\mathrm{ter} : E \to V$. The function $\mathrm{init}$ assigns to each edge $e$ an initial vertex $\mathrm{init}(e)$ and the function $\mathrm{ter}$ assigns to each edge $e$ a terminal vertex $\mathrm{ter}(e)$. An edge $e$ is said to be directed from vertex $\mathrm{init}(e)$ to vertex $\mathrm{ter}(e)$. If $\mathrm{init}(e) = \mathrm{ter}(e)$, the edge $e$ is called a loop. A path $p = x_0 x_1 \ldots x_k$ is a sequence of vertices such that for each $i \in [0, k-1]$ there exists an edge $e_i \in E$ with $\mathrm{init}(e_i) = x_i$ and $\mathrm{ter}(e_i) = x_{i+1}$. The path $p$ is also called a path from $x_0$ to $x_k$. Two paths $p_1 = x_0 \ldots x_k$ and $p_2 = y_0 \ldots y_l$ with $x_k = y_0$ can be concatenated into a single path. A cycle is a path from $x_0$ to itself with at least one other vertex along the path (a loop is not considered to be a cycle). A directed graph is called cyclic if it contains a cycle, otherwise it is called acyclic.
A directed graph is called strongly connected if there is a path between each pair of vertices. A strongly connected component of a directed graph is a maximal strongly connected subgraph.

Nonblocking Modular Supervisors
In this section, we first describe several characteristics of several applications where synthesis does not add any restrictions besides those implied by the requirements. Then, we provide properties that guarantee controllable, nonblocking, and maximally permissive supervisors that are together nonconflicting.

Characteristics of models
First, as the supervisors synthesized for the applications presented in [6,7,8] are intended to be implemented on control hardware, the input-output perspective of [5] is used. This entails that each sensor is modeled by uncontrollable events, while actuators are modeled by controllable events. Each event represents a change of the state of such a component. This modeling paradigm results in a collection of numerous small plant models that do not share any events. Therefore, the plant model is a product system.
In the rest of this paper, we call an automaton a sensor automaton if its alphabet has only uncontrollable events, i.e., Σ = Σ u , and an actuator automaton if its alphabet has only controllable events, i.e., Σ = Σ c .
Second, both sensors and actuators have cyclic behavior, often resulting in a trim and strongly connected plant model. For example, all sensors and actuators are modeled in this way in the production line in [7]. Furthermore, unreachable states in an uncontrolled plant represent states that are impossible to reach and are often not modeled or removed from the model.
Finally, requirements for applications often originate from safety risk analysis [31] and failure mode and effect analysis [15]. States are identified in which some actuator actions would result in unsafe behavior. For example, the safety specifications of a waterway lock that need to be fulfilled by the supervisor are mentioned in Section 4.191 of [32]. Each of the 16 requirements given over there describes a state of the system and the disablement of certain actuator actions for that state. It is shown in [6] that these textual specifications can be described with state-event invariant expressions.

Properties
The following properties together guarantee that the control problem itself is a modular globally nonblocking and controllable system.

Definition 3 (CNMS). A control problem $(\mathcal{P}, \mathcal{R})$ satisfies CNMS (Controllable and Nonblocking Modular Supervisors properties) if it has the following properties:
1. $\mathcal{P}$ is a product system.
2. For all $P \in \mathcal{P}$ it holds that $P$ is a strongly connected automaton with at least one marked state.
3. For all $R \in \mathcal{R}$, with $R = \mu$ needs $C$, it holds that:
c. There exists no other requirement for this event $\mu$.
d. $C$ is in disjunctive normal form (see [33]) where each atomic proposition (or variable) is of the form $P.q$ with $P \in \mathcal{P}$.
e. Each conjunction contains at most one reference to each $P \in \mathcal{P}$.
f. When $P \in \mathcal{P}$ has only a single state, the literal $\neg P.q$ is not allowed in $C$.
g. Each $P \in \mathcal{P}$ mentioned in $C$ is a sensor automaton.
The intuition behind why a system satisfying CNMS is nonblocking and controllable is as follows. Properties 1 and 2 ensure that the plant is already nonblocking in the open loop setting, i.e. without controller, and exhibits cyclic behavior. Furthermore, they ensure that individual plant models behave independently of the other plant models, i.e. an individual plant model can take a transition while the state of each of the other plant models remains the same.
Requirements satisfying Property 3 will not introduce blocking or controllability issues. There is no controllability issue, as there may not exist a requirement restricting the enablement of uncontrollable events. The reason why the controlled system is still nonblocking can be explained as follows. First, a sensor automaton can always go to a marked state with Properties 1, 2 and 3.b. For a plant automaton with one or more controllable events, we know from Properties 1 and 2 that from each state there exists a path to a marked state. For any controllable event along the path that is being restricted by a requirement, the condition of that requirement needs to be satisfied for the enablement of the controllable event. As only states of sensor automata are used in a condition and sensor automata can always reach each state without affecting other plant models, there exists a path in the sensor automata to satisfy the condition and subsequently enable the controllable event. By repeating the process of locally changing states in sensor automata, non-sensor automata can reach marked states if the requirements act as the supervisor.
The following theorem states that for a control problem satisfying CNMS synthesis can be skipped, i.e., the plant models and requirement models together already form controllable and nonblocking modular supervisors. In that case, the modular supervisor represented by the plant models and requirement models is by definition also maximally permissive. The proof of this theorem can be found in Appendix A.
Theorem 1 (CNMS [19]). Let $(\mathcal{P}, \mathcal{R})$ be a control problem satisfying CNMS. Then no supervisor synthesis is required, i.e., $P \| R$ is controllable and nonblocking.

Dependency Graphs of Control Problems
As indicated in [19], there exist published control problems that do not satisfy CNMS but, as it turned out, do not require synthesis. In this section, the CNMS properties are relaxed.

Observations from models
The main reason the control problems of [6,7,8] do not satisfy the CNMS properties is the violation of Property 3.g. In these control problems, there exist requirements that restrict the behavior of controllable events based on the behavior of plant models other than sensor automata, which in turn may also be restricted by other requirements. Several causes of this violation are described below.
As pointed out in [34], it may be desired to model the physical interaction between actuator and sensor components, because a supervisor that is proven to be deadlock-free for a model without interactions may deadlock after implementation on the physical system with interactions.
Adding shared events to model the interactions will violate Property 1, as it is no longer a product system. Transforming this new model into a product system representation, the actuator and sensor models are combined into one due to the shared events. Therefore, requirements no longer refer only to states of sensor automata (violating Property 3.g).
Second, sometimes a requirement needs to refer explicitly to the state of an actuator to guarantee correct behavior of the system. For example, consider a hydraulic arm that has one actuator to extend it and one actuator to retract it. In this case, the modeler could express that it is undesired that both actuators are on at the same time, resulting in two requirements each expressing that one actuator may only be activated if the other actuator is deactivated.
Finally, timer-based requirements violate Property 3.g. A timer is typically modeled with a controllable event to activate it and an uncontrollable event to indicate the timeout of the timer. Therefore, the model of a timer is neither a sensor automaton nor an actuator automaton. If a timer is needed, typically two requirements associated with it express when it can be activated (the controllable events of the timer model are used) and what should happen when the timer has timed out (the state of the timer model is used). Service calls in a server-client architecture are modeled in the same way, see for example [35], where service calls are modeled with controllable events and responses with uncontrollable events.

Dependency graph
For control problems $(\mathcal{P}, \mathcal{R})$ satisfying all properties of CNMS except Property 3.g (which we will call the Relaxed Controllable and Nonblocking Modular Supervisors properties, RCNMS), a directed graph can be constructed indicating the dependencies between plant models from $\mathcal{P}$ based on the requirement models from $\mathcal{R}$. In this directed graph, each vertex represents a plant model from the control problem. For each requirement in the control problem, a set of edges is present in the graph such that the initial vertex of each edge is the plant model containing the event that is restricted by the requirement. Furthermore, for each plant model used in the condition of the requirement there is an edge having this plant model as terminal vertex. For example, consider the control problem $(\{P_1, P_2, P_3\}, \{R\})$ with $R = \mu$ needs $P_2.q_1 \vee \neg P_3.q_1$ and $\mu \in \Sigma_{P_1}$. The dependency graph of this control problem is shown in Figure 2. It has three vertices $P_1$, $P_2$ and $P_3$. For requirement $R$, two edges $e_1$ and $e_2$ are present such that $\mathrm{init}(e_1) = \mathrm{init}(e_2) = P_1$, as the restricted event of $R$ originates from $P_1$, $\mathrm{ter}(e_1) = P_2$, as $P_2$ is mentioned in the condition of $R$, and $\mathrm{ter}(e_2) = P_3$, as $P_3$ is mentioned in the condition of $R$. This example also shows that there may be multiple, but isomorphic, dependency graphs for the same control problem.

Figure 2: The dependency graph $G_{cp}$ of control problem $(\{P_1, P_2, P_3\}, \{R\})$ with $R = \mu$ needs $P_2.q_1 \vee \neg P_3.q_1$ and $\mu \in \Sigma_{P_1}$. This graph has three vertices $P_1$, $P_2$, and $P_3$ and two edges $e_1$ and $e_2$.
More formally, let the dependency graph of control problem $(\mathcal{P}, \mathcal{R})$ be a directed graph $G_{cp} = (\mathcal{P}, E)$ such that for each requirement $R \in \mathcal{R}$ a set of edges $E_R \subseteq E$ is constructed such that for all edges $e \in E_R$: $\mathrm{init}(e) = P_i \in \mathcal{P}$ with $\mathrm{event}(R) \in \Sigma_{P_i}$, for each $P_j \in \mathcal{P}$ used in $\mathrm{cond}(R)$ there is an edge $e \in E_R$ with $\mathrm{ter}(e) = P_j$, and finally $E = \bigcup_{R \in \mathcal{R}} E_R$.
A control problem satisfying CNMS results in an acyclic bipartite dependency graph. Figure 3 shows the dependency graph of a control problem satisfying RCNMS, but not CNMS. Plant models $P_2$ and $P_3$ have both incoming and outgoing edges, which indicate that the enablement of one or more events in each plant model is restricted by a requirement and that one or

For the CNMS property, we have shown with Theorem 1 that, essentially, no edge is permanently disabled. As the properties ensure that in a controlled system each sensor automaton can always reach each state, the condition of each state-event invariant expression can eventually be satisfied, enabling the controllable event of each state-event invariant expression. Therefore, each non-sensor plant model can reach all states from each state.

Acyclic Dependency Graphs
This argument can be used inductively to show that a control problem satisfying RCNMS still requires no synthesis. As the behavior of plants $P_2$ and $P_3$ in Figure 3 only depends on sensor plants $P_4$ and $P_5$, it holds that $P_2$ and $P_3$ can reach all states from each state. Since the behavior of $P_1$ only depends on the plant models $P_2$, $P_3$, and $P_5$, and it is already known that all these models can reach all states from each state, we can conclude that $P_1$ also can reach all states from each state. Therefore, the complete control problem is nonblocking. This is formalized in Theorem 2. The proof of this theorem can be found in Appendix B.
Theorem 2 (Acyclic RCNMS). Let $(\mathcal{P}, \mathcal{R})$ be a control problem satisfying RCNMS. If the dependency graph $G_{cp}$ of $(\mathcal{P}, \mathcal{R})$ is acyclic and loop free, then no supervisor synthesis is required, i.e., $P \| R$ is controllable and nonblocking.

Cyclic Dependency Graphs
For the case that a dependency graph is cyclic, supervisory control synthesis may be needed as $P \| R$ could be blocking. Figure 5 shows two control problems $CP_1 = (\{P_1, P_2\}, \{R_1, R_2\})$ and $CP_2 = (\{P_1, P_2\}, \{R_3, R_4\})$, both based on the same set of plant models $\{P_1, P_2\}$. Those control problems result in the same cyclic dependency graph. However, $CP_1$ is blocking, while $CP_2$ is nonblocking.
So, a dependency graph containing cycles may or may not require synthesis to obtain a maximally permissive, controllable, and nonblocking supervisor. In the remainder of this section we show that in case of a cyclic dependency graph the original control problem can be reduced to partial control problems containing the cycle(s).

Control problem reduction
From the dependency graph, all strongly connected components containing a cycle are identified. For each strongly connected component, the set of vertices (plant models) is denoted by $\phi$, and the collection of these sets is denoted by $\Phi = \{\phi_1, \ldots, \phi_m\}$. From the definition of strongly connected components, it follows that they are non-overlapping. Figure 6 shows control problem $CP$, with its dependency graph $G_{CP}$ shown in Figure 7. $G_{CP}$ contains two cycles $c_1 = P_1 P_2 P_1$ and $c_2 = P_3 P_4 P_3$, and the strongly connected components of these two cycles are $\phi_1 = \{P_1, P_2\}$ and $\phi_2 = \{P_3, P_4\}$. This example also shows plants whose behavior depends on the behavior of these strongly connected components. Requirement $R_5$ restricts the behavior of component model $P_5$ based on the behavior of component models $P_2$ and $P_3$. In this example, a supervisor is needed, as any synthesized supervisor for requirements $R_1$, $R_2$, $R_3$, and $R_4$ would make states $P_2.q_4$ and $P_3.q_6$ unreachable in the closed-loop system, and therefore requirement $R_5$ never enables event $j$. A supervisor is needed to disable event $i$ to prevent component $P_5$ from being blocked in state $q_{10}$. Therefore, it is insufficient to only analyze the strongly connected components in isolation.
To this end, vertices are added recursively to these strongly connected components. A vertex is added to a set of vertices if there exists an edge such that this edge originates in this added vertex and terminates in one of the vertices already in the set. Eventually, the strongly connected component is enlarged with those vertices from which there exists a path to a vertex in the strongly connected component. Formally, the extended set of vertices for each strongly connected component with a cycle $\phi_i$, denoted by $V_{\phi_i}$, is defined as $V_{\phi_i} = \{P \in \mathcal{P} \mid \exists p = x_0 x_1 \ldots x_k,\ k \geq 0,\ p \in \mathrm{Path}(G_{CP}) : x_0 = P \wedge x_k \in \phi_i\}$, and $\mathcal{V} = \{V_{\phi_1}, \ldots, V_{\phi_m}\}$, with $\mathrm{Path}(G_{CP})$ the set of all paths in $G_{CP}$. The extended sets of vertices for the example are calculated as $V_{\phi_1} = \{P_1, P_2, P_5, P_6\}$ and $V_{\phi_2} = \{P_3, P_4, P_5, P_6\}$. Still, it is insufficient to only analyze each extended vertex set $V_{\phi_i}$. Two extended vertex sets may share vertices. This sharing could be problematic. In the running example, $V_{\phi_1}$ and $V_{\phi_2}$ share vertices $P_5$ and $P_6$.
Shared vertices between extended sets $V_{\varphi_i}$ and $V_{\varphi_j}$ do not always imply that the partial control problem represented by $V_{\varphi_i} \cup V_{\varphi_j}$ must be analyzed as a whole. Sometimes it is still sufficient to analyze the partial control problems of $V_{\varphi_i}$ and $V_{\varphi_j}$ separately. For the control problem $CP$ of Figure 6, $V_{\varphi_1}$ and $V_{\varphi_2}$ should be combined, as the edges $e_5$ and $e_6$ relate to the same requirement $R_5$: evaluating the condition of requirement $R_5$ requires the result of the analysis of both strongly connected components $\varphi_1$ and $\varphi_2$. If we replace requirement $R_5$ by, for example, the two requirements $R_5' : j$ needs $P_2.q_4$ and $R_5'' : j$ needs $P_3.q_6$, the extended sets $V_{\varphi_1}$ and $V_{\varphi_2}$ do not need to be merged for analyzing the cycles. While the dependency graph remains the same, edges $e_5$ and $e_6$ are now induced by different requirements.
Unfortunately, the above reasoning cannot be generalized. Let us modify the control problem in Figure 6 again.
An additional transition is added to plant model $P_5$ from state $q_{10}$ to $q_9$ labeled with $j'$. Requirement $R_5$ is replaced by two requirements $R_5' : j$ needs $P_2.q_4$ and $R_5'' : j'$ needs $P_3.q_6$. Again, the dependency graph in Figure 7 remains unchanged. The maximally permissive, controllable, and nonblocking supervisor $S_1$ synthesized for the partial control problem $(\{P_1, P_2, P_5, P_6\}, \{R_1, R_2, R_5, R_6\})$ would disable the transition labeled with event $j$, and the maximally permissive, controllable, and nonblocking supervisor $S_2$ synthesized for the partial control problem $(\{P_3, P_4, P_5, P_6\}, \{R_3, R_4, R_5, R_6\})$ would disable the transition labeled with event $j'$. Now, $S_1 \parallel S_2$ is blocking, because plant $P_5$ deadlocks in state $q_{10}$, as the supervisors together disable both event $j$ and event $j'$. Therefore, two extended sets of vertices need to be merged once they share a vertex. Let $\sim \subseteq \mathcal{V} \times \mathcal{V}$ be a relation between extended sets of vertices, with $(V_{\varphi_i}, V_{\varphi_j}) \in \sim$ if and only if $V_{\varphi_i} \cap V_{\varphi_j} \neq \emptyset$, i.e., they share at least one vertex. From this definition, it follows directly that $\sim$ is reflexive and symmetric, but not transitive. We extend this relation (which we will also denote by $\sim$) to be transitive by defining that if $(V_{\varphi_1}, V_{\varphi_2}) \in \sim$ and $(V_{\varphi_2}, V_{\varphi_3}) \in \sim$, then $(V_{\varphi_1}, V_{\varphi_3}) \in \sim$. Now, $\sim$ has become an equivalence relation, and the partition $\mathcal{W}$ of $\mathcal{V}$ is the set of all equivalence classes of $\mathcal{V}$ under $\sim$, i.e., $\mathcal{W} = \mathcal{V}/\!\sim$ is the quotient set of $\mathcal{V}$ by $\sim$. For the example shown in Figure 7, the partition $\mathcal{W}$ is $\{\{P_1, \ldots, P_6\}\}$.
A simplified partial control problem $(\mathcal{P}_s, \mathcal{R}_s)$ represented by a subset of vertices $\mathcal{P}_s \subseteq \mathcal{P}$ is constructed as follows. First, $\mathcal{R}_s = \{R \in \mathcal{R} \mid \exists P \in \mathcal{P}_s : \mathrm{event}(R) \in \Sigma_P\}$. Subsequently, the condition of each requirement in this set is adjusted by replacing each literal that references a state of a plant not in $\mathcal{P}_s$ with the boolean literal $T$, resulting in the set of adjusted requirements $\hat{\mathcal{R}}_s$. Theorem 3 contains the main result of this section: based on the dependency graph, a supervisor can be synthesized following a modular approach that guarantees global maximal permissiveness, controllability, and nonblockingness. This theorem can be used to reduce the computational complexity of supervisor synthesis. The proof of this theorem can be found in Appendix C.
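The procedure of this section (building the dependency graph from the requirements, finding the strongly connected components that contain a cycle, extending each one backwards to $V_{\varphi_i}$, merging overlapping extended sets into the partition $\mathcal{W}$, and constructing the simplified partial control problem) as an added Python example; this is not code from the paper or its repository. It reproduces the running example of Figures 6 and 7: the plants $P_1$ to $P_6$, the requirement names, event $j$ and the state references $P_2.q_4$ and $P_3.q_6$ come from the text, while the remaining event and state names and the exact form of $R_1$ to $R_4$ and $R_6$ (each guarding an event of its own plant on a state of its cycle partner, respectively of $P_5$) are assumptions chosen so that the requirements induce exactly the edges of Figure 7.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Requirement:
    """State-event invariant 'event needs cond' (product system: one plant owns event)."""
    name: str
    event: str
    plant: str   # the single plant whose alphabet contains `event`
    cond: tuple  # DNF: tuple of conjunctions, each a tuple of (plant, state) literals or True (T)

def dependency_graph(plants: List[str], reqs: List[Requirement]) -> Dict[str, Set[str]]:
    """Edge init -> ter whenever a requirement restricts an event of init and its
    condition references a state of ter."""
    adj: Dict[str, Set[str]] = {p: set() for p in plants}
    for r in reqs:
        adj[r.plant].update(lit[0] for conj in r.cond for lit in conj if lit is not True)
    return adj

def reverse(adj: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Transposed graph (quadratic, fine for the graph sizes in this paper)."""
    return {v: {u for u, ws in adj.items() if v in ws} for v in adj}

def cyclic_sccs(adj: Dict[str, Set[str]]) -> List[frozenset]:
    """Kosaraju's algorithm, keeping only the components that contain a cycle
    (more than one vertex, or a single vertex with a self-loop)."""
    order, seen = [], set()
    def visit(v):
        seen.add(v)
        for w in adj[v]:
            if w not in seen:
                visit(w)
        order.append(v)
    for v in adj:
        if v not in seen:
            visit(v)
    radj, comps, assigned = reverse(adj), [], set()
    for v in reversed(order):  # decreasing finish time, explored on the transpose
        if v in assigned:
            continue
        comp, stack = {v}, [v]
        assigned.add(v)
        while stack:
            for w in radj[stack.pop()]:
                if w not in assigned:
                    assigned.add(w)
                    comp.add(w)
                    stack.append(w)
        if len(comp) > 1 or v in adj[v]:
            comps.append(frozenset(comp))
    return comps

def extend(adj: Dict[str, Set[str]], phi: frozenset) -> frozenset:
    """V_phi: every plant with a (possibly empty) path into phi, i.e. backward reachability."""
    radj = reverse(adj)
    ext, stack = set(phi), list(phi)
    while stack:
        for w in radj[stack.pop()]:
            if w not in ext:
                ext.add(w)
                stack.append(w)
    return frozenset(ext)

def merge_overlapping(extended: List[frozenset]) -> List[frozenset]:
    """Transitive closure of 'share a vertex'; each class is returned as the union of its members."""
    classes: List[Set[str]] = []
    for v in extended:
        hits = [c for c in classes if c & v]   # existing classes are pairwise disjoint,
        for c in hits:                         # so merging v with all hits keeps them so
            classes.remove(c)
        classes.append(set(v).union(*hits))
    return [frozenset(c) for c in classes]

def simplified_partial_problem(p_s: Set[str], reqs: List[Requirement]):
    """(P_s, R_s): requirements whose event lives in P_s; literals on plants outside P_s become T."""
    adjusted = []
    for r in reqs:
        if r.plant in p_s:
            cond = tuple(tuple(lit if lit is True or lit[0] in p_s else True
                               for lit in conj) for conj in r.cond)
            adjusted.append(Requirement(r.name, r.event, r.plant, cond))
    return frozenset(p_s), adjusted

def analyze(plants: List[str], reqs: List[Requirement]):
    """Returns (cyclic SCCs phi_i, extended sets V_phi_i, merged classes W)."""
    adj = dependency_graph(plants, reqs)
    sccs = cyclic_sccs(adj)
    extended = [extend(adj, phi) for phi in sccs]
    return sccs, extended, merge_overlapping(extended)

# Constructed running example after Figures 6 and 7. Only j, P2.q4 and P3.q6 come from the
# paper; the other event/state names, and R6 guarding an event of P6 on a state of P5, are assumed.
PLANTS = ["P1", "P2", "P3", "P4", "P5", "P6"]
REQS = [
    Requirement("R1", "a", "P1", ((("P2", "q3"),),)),
    Requirement("R2", "b", "P2", ((("P1", "q1"),),)),
    Requirement("R3", "c", "P3", ((("P4", "q7"),),)),
    Requirement("R4", "d", "P4", ((("P3", "q5"),),)),
    Requirement("R5", "j", "P5", ((("P2", "q4"), ("P3", "q6")),)),  # j needs P2.q4 and P3.q6
    Requirement("R6", "k", "P6", ((("P5", "q9"),),)),
]
```

Calling `analyze(PLANTS, REQS)` yields $\varphi_1 = \{P_1, P_2\}$, $\varphi_2 = \{P_3, P_4\}$, the two extended sets given in the text, and a single class containing all six plants; `simplified_partial_problem({"P1", "P2", "P5", "P6"}, REQS)` keeps $R_1$, $R_2$, $R_5$, $R_6$ and rewrites the literal $P_3.q_6$ in $R_5$ to $T$. Dropping $R_5$ and $R_6$ leaves the two extended sets disjoint and produces two classes, the situation encountered in the production line case study below. The merge step is driven only by shared vertices, which matches the text: splitting $R_5$ into two requirements leaves the graph, and hence $\mathcal{W}$, unchanged.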
Theorem 3 (Cyclic RCNMS). Let $(\mathcal{P}, \mathcal{R})$ be a control problem satisfying RCNMS and let $G_{CP}$ be its dependency graph. For each $W \in \mathcal{W}$, let $S_W$ be a maximally permissive, controllable, and nonblocking supervisor for the simplified partial control problem represented by $\bigcup_{V \in W} V$. Then $\mathcal{P} \parallel \mathcal{R} \parallel (\parallel_{W \in \mathcal{W}} S_W)$ is a maximally permissive, modular, controllable, and nonblocking supervisor of $(\mathcal{P}, \mathcal{R})$.
Theorem 3 shows for which partial control problems synthesis might still be needed and for which part of the system no synthesis is needed. In the worst case, the original control problem is the only equivalence class in $\mathcal{W}$. Sections 7 and 8 show that there exist industrial systems for which the control problem can be reduced. There are two options for those partial control problems that might need synthesis: either synthesize a supervisor with an existing synthesis algorithm, like monolithic [2], compositional [22], or incremental synthesis [21], or argue with an additional method that synthesis is still not needed (as it is known for the case studies in [6,7,8] that no synthesis is needed). The second option is left open for future work.

FESTO production line
In this section, the proposed method is demonstrated with a case study. For this case study, a small-scale production line consisting of six workstations has been considered, see Figure 8. The hardware of the system is produced by Festo Didactic for vocational training in the field of industrial automation. This system has been previously modeled in [7]. In the remainder of this section, we first provide a description of this production line. Subsequently, we analyze two workstations in isolation to demonstrate Theorems 1 and 2. Finally, the complete production line is analyzed to demonstrate Theorem 3.

Case description
While no real production is taking place, all movements, velocities, and timings are as if it were. In total, the production line consists of 28 actuators, like DC motors and pneumatic cylinders, and 59 sensors, like capacitive, optical, and inductive ones.
The intended controlled behavior is as follows. Products enter the production line through the distribution station, where they have been placed in three storage tubes. For each storage tube, a pusher is able to release a new product. The second workstation, the handling station, transports products from the distribution station to the testing station in two steps. First, a pneumatic gripper transports released products to an intermediate buffer. From this buffer, a transfer cylinder picks them up and places them in the testing station, where the product height is tested. Correct products are moved by an air slide to the next station, while rejected products are stored in a local buffer. In the fourth station, the buffering station, products can be held on a conveyor belt. A separator controls the release of products from the conveyor belt. At the next station, the processing station, products are processed. A turntable with six places rotates products through this station. After entering the processing station, the product is moved to a testing location where the orientation of the product is checked. Subsequently, at the next location a hole is drilled in the product only if the orientation is correct. At the fourth location, processed products are ejected to the sorting station. The last two locations can be used to correct the orientation if needed, and in that case the product can be processed again. In the final workstation, the sorting station, products are stored on one of three slides, depending on the color and material of the product. Two pneumatic gates can be used to divert the product to the correct slide. In [7], a model of the production line is presented, which is slightly modified for this case study to have exclusively state-event invariant expressions; adjustments are indicated by comments in the model. The model contains 75 plant models and 214 requirement models, which can be accessed at a GitHub repository.
Performing monolithic synthesis on this model reveals that the synthesized supervisor does not impose any additional restrictions to ensure controllable and nonblocking behavior, i.e., the control problem can already act as a maximally permissive, modular, controllable, and nonblocking supervisor.

Distribution station
The distributed construction of the model of the production line eases the individual analysis of workstations. To start with, the distribution station is analyzed. Figure 9 shows the dependency graph of the distribution station. To prevent cluttering of names, numbers are displayed in this and subsequent figures instead of the actual plant names in the model. The readme file in the model repository explains how the actual names can be obtained. Plant models 1 through 10 are sensor automata, i.e., they only have uncontrollable events in their alphabet, plant models 11, 12, and 13 are actuator automata, i.e., they only have controllable events in their alphabet. As each edge in this dependency graph has an actuator automaton as initial vertex and a sensor automaton as terminal vertex, Theorem 1 applies. This indicates that, if a supervisor is only needed for this workstation, synthesis can be skipped and the control problem already represents the supervisor. Figure 10 shows the dependency graph of the sorting station. In this workstation, plant models 1 through 7 are sensor automata, plant models 8 through 11 are actuator automata and plant model 12 contains both controllable and uncontrollable events. This graph already indicates that Theorem 1 does not apply: there are edges (representing requirements) that have a non-sensor automaton as a terminal vertex. In particular, plant models 11 and 12 have both incoming and outgoing edges, which indicates a violation of Property 3.g of the CNMS properties. Fortunately, as the model satisfies the RCNMS properties and the control dependency graph is acyclic, Theorem 2 applies. Therefore, synthesis can be skipped. Figure 11 shows the dependency graph of the complete production line. Cycles in this graph are indicated in red. Clearly, both Theorems 1 and 2 are not applicable for the control problem of the complete production line.

Production line
With the help of Theorem 3, the problem of synthesizing a monolithic supervisor can be reduced to analyzing smaller control problems based on the identified cycles. In the dependency graph, we can identify five strongly connected components containing cycles: $\varphi_1 = \{P_{21}, P_{22}\}$, $\varphi_2 = \{P_{25}, P_{26}\}$, $\varphi_3 = \{P_{36}, P_{37}\}$, $\varphi_4 = \{P_{47}, P_{48}\}$, and $\varphi_5 = \{P_{58}, P_{59}, P_{60}, P_{61}, P_{62}\}$. Next, these sets need to be extended to include all plant models from which there exists a path to one of the plants in that particular strongly connected component. This is only the case for $\varphi_1$, as there exists a path from $P_{23}$ to $P_{21}$ (and $P_{22}$). Therefore, $V_{\varphi_1} = \{P_{21}, P_{22}, P_{23}\}$, while $V_{\varphi_2} = \varphi_2$, $V_{\varphi_3} = \varphi_3$, $V_{\varphi_4} = \varphi_4$, and $V_{\varphi_5} = \varphi_5$. In this case, there is no overlap between these extended sets, so $W_i = V_{\varphi_i}$ for $i \in [1, 5]$. Finally, five supervisors $S_1, \ldots, S_5$ are synthesized, one for each simplified partial control problem represented by $\bigcup_{V_{\varphi_i} \in W} V_{\varphi_i}$. From Theorem 3 it follows that $\mathcal{P} \parallel \mathcal{R} \parallel S_1 \parallel S_2 \parallel S_3 \parallel S_4 \parallel S_5$ is a maximally permissive, modular, controllable, and nonblocking supervisor for the production line. Table 1 shows the results of applying Theorem 3 to the production line model. For each control problem solved, the uncontrolled and controlled state-space size is provided. The control problems for synthesizing automaton-based supervisors $S_1, \ldots, S_5$ are tiny compared to monolithic synthesis, i.e., these supervisors can even be obtained manually. In future research, a full experimental analysis of the potential reduction in computational effort with respect to other synthesis algorithms can be performed. Inspecting the synthesized supervisors confirms the observation from Section 7.1 that no additional restrictions are imposed to ensure controllable and nonblocking behavior.

Roadway tunnel
In this section, we demonstrate the applicability of the proposed method on an industrial large-scale system. For this demonstration, we use the case study of synthesizing a supervisory controller for the 'Eerste Heinenoord Tunnel', a tunnel located south of Rotterdam, the Netherlands. This system has been previously modeled in [24].

Case description
Nowadays, each tunnel is equipped with a supervisory controller that ensures correct cooperation between the tunnel subsystems, such as ventilation, lighting, boom barriers, and emergency detection sensors. For example, when an emergency is detected by several sensors, the supervisor has to automatically close off the tunnel for traffic. Figure 12 shows the 'Eerste Heinenoord Tunnel' (EHT) on the right and the 'Tweede Heinenoord Tunnel' (THT) on the left. The EHT is a two-tube roadway tunnel, which was initially opened in 1969. The THT, which was added in 1999, is only accessible for slow traffic such as cyclists and agricultural traffic. Rijkswaterstaat, the executive body of the Dutch ministry of Infrastructure and Water Management, is currently in the preparation and planning phase of renovating the EHT. In the renovation project, both the physical tunnel components and the tunnel supervisory controller are being renewed.
The model of the EHT in [24] contains 540 plant models and 1668 requirement models, which can be accessed at a GitHub repository (https://github.com/magoorden/NonblockingModularSupervisors). This large number of component models results in an uncontrolled state-space size of $1.87 \cdot 10^{226}$, for which a monolithic supervisor can no longer be calculated by the CIF tooling [36].

Results
The model of the EHT satisfies RCNMS, but it does not satisfy CNMS. Therefore, Theorem 1 does not apply. Figure 13 shows the dependency graph of this model. Again, extended cycles are indicated in red in the figure.
Figure 13: The dependency graph of the EHT. Red indicates the five strongly connected components, purple the nodes and edges added in the extended strongly connected components, and blue the nodes and edges that can be omitted from synthesis according to Theorem 3.
Since the dependency graph is cyclic, Theorem 2 does not apply either. Therefore, Theorem 3 is used to reduce the synthesis problem.
With the help of Theorem 3, instead of using the complete model as input for synthesis, the model can be significantly reduced. The dependency graph of the EHT model contains five strongly connected components, which transforms into one large subgraph of the five extended sets of vertices. Now, according to Theorem 3, all blue vertices (and edges) can be removed before synthesis is started on the control problem represented by the red edges and vertices. Table 2 shows the results of the analysis of the EHT. In the most-refined product representation, the EHT model contains 492 plant models and 1668 requirements. Theorem 3 reduces the synthesis problem to only 157 plant models and 1312 requirement models. This is a reduction of 68% of the plant models and 21% of the requirement models. Now the reduced model can be used as input for any synthesis method, e.g. monolithic, modular, and compositional synthesis, to obtain a supervisor. We applied monolithic synthesis to verify whether a supervisor can be synthesized for the reduced control problem without running into memory issues. For the reduced control problem, a monolithic supervisor can be synthesized in 19.4 seconds. This shows that reducing the control problem is beneficial for synthesis.
As a subsequent experiment, multilevel synthesis [37,12] and compositional synthesis [22] are applied on the original model of the EHT. For multilevel synthesis, we used the implementation in CIF [36]; for compositional synthesis, we used the implementation in Supremica [38]. Multilevel synthesis is able to synthesize supervisors in 220 seconds on average. This is without performing a nonconflicting check on the synthesized supervisors. Both the monolithic BDD-based nonconflicting check in CIF and the compositional nonconflicting check in Supremica run out of memory (4GB available). Compositional synthesis is not able to synthesize a supervisor, because it runs out of memory (4GB available). This experiment shows that it is currently sometimes necessary to reduce the control problem before applying state-of-the-art synthesis algorithms to models of large-scale applications.

Conclusion
In this paper, a method is presented to determine in some cases whether synthesis can be skipped for a given set of plant models and requirement models based on model properties. In such a case, the control problem itself represents a safe, controllable, nonblocking, and maximally permissive supervisor. The presented method uses dependency graphs. When such a directed graph is acyclic, it is proven that synthesis can be skipped.
Furthermore, when the dependency graph is cyclic (and thus it is not clear whether synthesis can be skipped), the strongly connected components of the identified cycles provide means to reduce the original control problem to a collection of smaller partial control problems that are easier to solve. This results in maximally permissive, modular, controllable, and nonblocking supervisors that are proven to be nonconflicting as well. The utilized modeling framework restricts the applicability of the method in general. Yet, two industrial case studies demonstrate that the reduction method presented in this paper generates useful results in practice. The tunnel case study even shows that model reduction is necessary, because state-of-the-art synthesis tools are not able to synthesize supervisors on the original model.
The infrastructural systems we have encountered in the project with Rijkswaterstaat, like waterway locks [6], movable bridges [8], and tunnels [24], satisfy RCNMS. This is a motivation to further investigate the applicability of the proposed model properties and analysis method to systems from other domains, like, e.g., manufacturing and automotive systems.
Future work also includes the identification of special cases to be able to conclude that synthesis can be skipped for some of the partial control problems identified by the strongly connected components. Monolithic supervisors of the partial control problems of the production line case still indicate that synthesis can be skipped, but it is yet unclear how this conclusion could be obtained without performing synthesis for these partial control problems.

Appendix A. Proof of Theorem 1
$q_{i,k} \in Q_{m,i}$. From the definition of synchronous composition and the fact that $\mathcal{P}$ is a product system, it follows that $\delta((r_1, \ldots, q_i, \ldots, r_m), s_i) = (r_1, \ldots, q_{i,k}, \ldots, r_m)$ for any state $r_j \in Q_j$, $j \neq i$. Therefore, it holds that $\delta(q, s_1 s_2 \ldots s_n) \in Q_m$ in $P$. As state $q$ is chosen arbitrarily, it follows that $P$ is coreachable.
Lemma 2. Let $\mathcal{P} = \{P_1, \ldots, P_m\}$ be a product system where each individual $P_i \in \mathcal{P}$ is a strongly connected automaton. Then $P_1 \parallel \ldots \parallel P_m$ is a strongly connected automaton.
Proof. As each individual $P_i$ is strongly connected, there exists a string $s_i \in \Sigma_i^*$ such that $\delta_i(x_i, s_i) = y_i$. From the definition of synchronous composition and the fact that $\mathcal{P}$ is a product system, it follows that $\delta((r_1, \ldots, x_i, \ldots, r_m), s_i) = (r_1, \ldots, y_i, \ldots, r_m)$ for any state $r_j \in Q_j$, $j \neq i$. Therefore, it holds that $\delta(x, s_1 s_2 \ldots s_n) = y$ in $P$. As states $x$ and $y$ are chosen arbitrarily, it follows that $P$ is a strongly connected automaton.
The following lemma expresses that when a control problem with a single requirement satisfies CNMS, then we can always eventually reach a state such that the condition of this requirement evaluates to true, thus enabling the guarded event.
Lemma 3. Let $(\mathcal{P}, \{R\})$ be a control problem with a single requirement satisfying CNMS. Denote $R = e$ needs $C$. Then, from any state $q$, there exists a string $s \in \Sigma^*$ such that a state $r$ is reached with $C(r) = T$.
Proof. As $\mathcal{P}$ is a product system (Property 1), there is only a single plant component $P_k$ such that $e \in \Sigma_k$. From the combination of Properties 3.b, 3.d, and 3.g, it follows that plant component $P_k$ is not used in condition $C$, as it has to be an actuator model. Therefore, the state of $P_k$ does not matter.
Furthermore, observe that $\mathcal{P} \setminus \{P_k\} \neq \emptyset$ and $\parallel(\mathcal{P} \setminus \{P_k\}) = \parallel(\mathcal{P} \setminus \{P_k\}) \parallel R$. From Property 2 and Lemma 2 it follows that $\parallel(\mathcal{P} \setminus \{P_k\})$ is a strongly connected automaton, thus $\parallel(\mathcal{P} \setminus \{P_k\}) \parallel R$ is also a strongly connected automaton. Therefore, if there exists a state $r$ that satisfies $C$, i.e., $C(r) = T$, then there also exists a string $s \in \Sigma^*$ such that $\delta(q, s) = r$. So it remains to be proven that such a state $r$ exists.
As $C$ is in disjunctive normal form (Property 3.d), it follows that if $r$ satisfies $C$, it satisfies one of the conjunctions. From Properties 3.e and 3.g we know that there is at most one reference to each $P_i \in \mathcal{P} \setminus \{P_k\}$ in each conjunction. If there is no reference to $P_i$, then all states of this automaton satisfy this conjunction. If $P_i$ is mentioned in this conjunction, then, from Properties 3.d and 3.f, there exists at least one state $q_i \in Q_i$ that satisfies this conjunction. Thus there exists a state $r$ such that $C$ is satisfied.
Now we prove the following two lemmas: the first one shows that under the given conditions we do not have to perform synthesis locally, and the second one shows that under the given conditions the supervisors are globally nonblocking. In the rest of this section, $\sup_{CN}(P, R)$ denotes the function that constructs the maximally permissive, controllable, and nonblocking supervisor given plant $P$ and requirement $R$.
Lemma 4. Let $(\mathcal{P}, \mathcal{R})$ be a control problem satisfying CNMS. For each $R_j \in \mathcal{R}$, $P \parallel R_j$ is a maximally permissive, controllable, and nonblocking supervisor for plant $P = P_1 \parallel \ldots \parallel P_m$ and requirement $R_j$.
Proof. In the case that $\mathcal{R} = \emptyset$, no supervisor is synthesized. It follows from Properties 1 and 2 and Lemma 1 that $P$ is trim, so there is indeed no need for a supervisor. In the remainder of the proof we assume that $\mathcal{R} \neq \emptyset$.
For each individual supervisor $P \parallel R_j$ we show that $P \parallel R_j$ is controllable with respect to plant $P$ and that $P \parallel R_j$ is nonblocking. The fact that $P \parallel R_j$ is controllable follows directly from Property 3.b. It remains to be proven that $P \parallel R_j$ is nonblocking. From Property 3.a we have an event $e_j = \mathrm{event}(R_j)$ associated with this requirement $R_j$. As $\mathcal{P}$ is a product system (Property 1), there is only a single plant component $P_k$ such that $e_j \in \Sigma_k$. Now we partition the set of plant component models into $\{P_k\}$, $\mathcal{P}_{sm} = \{P_i \in \mathcal{P} \mid P_i \text{ is a sensor model}\}$, and $\mathcal{P}_o = \mathcal{P} \setminus (\{P_k\} \cup \mathcal{P}_{sm})$. Observe that the behavior of the plant components in $\mathcal{P}_{sm}$ and $\mathcal{P}_o$ is not restricted by requirement $R_j$, so Lemmas 1 and 2 apply to the sets $\mathcal{P}_{sm}$, $\mathcal{P}_o$, and $\mathcal{P}_{sm} \cup \mathcal{P}_o$, i.e., $\mathcal{P}_{sm} \parallel R_j$, $\mathcal{P}_o \parallel R_j$, and $(\mathcal{P}_{sm} \cup \mathcal{P}_o) \parallel R_j$ are all trim and strongly connected automata.
To show that $P \parallel R_j$ is nonblocking, we show that for each reachable state $q$ there exists a string $s \in \Sigma^*$ such that a marked state $q_m \in Q_m$ can be reached. Consider automaton $P_k$ with current state $q_k$. As automaton $P_k$ is trim (Property 2), there exists a path labeled with string $s_k \in \Sigma_k^*$ by which a state $q_{m,k} \in Q_{m,k}$ can be reached from state $q_k$. We will show that this path is still possible under the influence of requirement $R_j$, i.e., it is still a path in $P_k \parallel R_j$. Consider two cases for this path.
• If $s_k$ does not contain event $e_j$, then the path labeled with $s_k$ is trivially possible in $P_k \parallel R_j$.
• If $s_k$ contains event $e_j$, then requirement $R_j$ may remove event $e_j$ from the enabled event set and prevent $P_k \parallel R_j$ from reaching a marked state. For each transition labeled with event $e_j$, we know from Lemma 3 that there exists a path in $P$ reaching a state $r$ such that $C(r) = T$. Therefore, there always exists a path in $P$ such that $e_j$ is enabled. Thus, the path labeled with $s_k$ is still possible in $P_k \parallel R_j$.
Combining the above observation for $s_k$ and the fact that $(\mathcal{P}_{sm} \cup \mathcal{P}_o) \parallel R_j$ is trim, we know that a string $s$ exists by which a marked state $q_m$ is reached from state $q$. As $q$ is arbitrarily chosen, it follows that $P \parallel R_j$ is nonblocking.
Lemma 5. Let $(\mathcal{P}, \mathcal{R})$ be a control problem satisfying CNMS. Construct the set of modular supervisors $\mathcal{S} = \{S_1, \ldots, S_n\}$ such that each supervisor $S_j = \sup_{CN}(P, R_j)$ is the maximally permissive, controllable, and nonblocking supervisor for plant $P = P_1 \parallel \ldots \parallel P_m$ and requirement $R_j \in \mathcal{R}$. Then $\mathcal{S}$ is nonconflicting.
Proof. For $\mathcal{S}$ to be nonconflicting, it should hold that $S_1 \parallel \ldots \parallel S_n$ is nonblocking. From Lemma 4 it follows that each $S_j = P \parallel R_j$. Therefore, $S_1 \parallel \ldots \parallel S_n = (P \parallel R_1) \parallel \ldots \parallel (P \parallel R_n) = P \parallel R_1 \parallel \ldots \parallel R_n$. Partition the set of plant models $\mathcal{P}$ into the set of sensor models $\mathcal{P}_{sm} = \{P_i \in \mathcal{P} \mid P_i \text{ is a sensor model}\}$, the set of restricted models $\mathcal{P}_r = \{P_i \in \mathcal{P} \mid \exists R_j \in \mathcal{R} \text{ s.t. } \mathrm{event}(R_j) \in \Sigma_i\}$, and the other plant models $\mathcal{P}_o = \mathcal{P} \setminus (\mathcal{P}_{sm} \cup \mathcal{P}_r)$.
Clearly, no plant model in $\mathcal{P}_o$ is affected by the requirements, so Lemmas 1 and 2 apply, i.e., $\mathcal{P}_o \parallel \mathcal{R}$ is a trim and strongly connected automaton. Furthermore, from Property 3.b and the definition of a sensor model it follows that no plant model in $\mathcal{P}_{sm}$ is affected by the requirements either, thus by Lemmas 1 and 2 it follows that $\mathcal{P}_{sm} \parallel \mathcal{R}$ is a trim and strongly connected automaton. Again using Lemmas 1 and 2 yields that $\mathcal{P}_o \parallel \mathcal{P}_{sm} \parallel \mathcal{R}$ is a trim and strongly connected automaton.
For $\mathcal{P}_o \parallel \mathcal{P}_{sm} \parallel \mathcal{P}_r \parallel \mathcal{R}$ to be nonblocking, it should hold that from every reachable state $q \in Q$ there exists a string $s \in \Sigma^*$ such that $\delta(q, s) \in Q_m$. As $\mathcal{P}_r$ is trim (Lemma 1), there exists a string $s_r \in \Sigma_r^*$ such that $\delta(q_r, s_r) \in Q_m$ in $\mathcal{P}_r$. For $\delta(q_r, s_r) \in Q_m$ in $\mathcal{P}_r \parallel \mathcal{R}$ to exist, each event in $s_r$ should be enabled along its path. Following Definition 2 of synchronous composition with a state-event requirement, there are two cases to consider for each event $\sigma$ in string $s_r$.
• If there does not exist a requirement $R_j \in \mathcal{R}$ such that $\mathrm{event}(R_j) = \sigma$, then $\sigma$ is enabled.
• If there does exist a requirement $R_j \in \mathcal{R}$ such that $\mathrm{event}(R_j) = \sigma$, then $R_j$ is also the only requirement in $\mathcal{R}$ such that $\mathrm{event}(R_j) = \sigma$ (Property 3.c). As the condition $C_j = \mathrm{cond}(R_j)$ only depends on plant components from $\mathcal{P}_{sm}$ and not on plant components from $\mathcal{P}_r$ or $\mathcal{P}_o$ (Property 3.g), it follows from Lemma 4 that there exists a string in $\mathcal{P}_{sm}$ such that the reached state $r$ satisfies $C_j$. No transition in plant components from $\mathcal{P}_r$ and $\mathcal{P}_o$ is needed, as the states of these plant components are irrelevant for satisfying condition $C_j$. Therefore, there exists a path in $P$ such that $\sigma$ is enabled.
From the above observation, we conclude that we can always find a string (including the empty string) such that $\sigma$ is enabled. As $\sigma$ is chosen arbitrarily along the path in $\mathcal{P}_r$ labeled with $s_r$, it follows that $\delta(q_r, s_r) \in Q_{m,r}$. Finally, combining this with the fact that $q_r$ is chosen arbitrarily and that $\mathcal{P}_o \parallel \mathcal{P}_{sm} \parallel \mathcal{R}$ is trim, it follows that $\mathcal{P}_o \parallel \mathcal{P}_{sm} \parallel \mathcal{P}_r \parallel \mathcal{R}$ is nonblocking. Now we are ready to prove Theorem 1.
Proof of Theorem 1. From Lemmas 4 and 5 it follows that we can construct a set of supervisors $\mathcal{S} = \{S_1, \ldots, S_n\}$ such that $S_j = \sup_{CN}(P, R_j) = P \parallel R_j$ and $\mathcal{S}$ is nonconflicting. The antecedent follows directly from combining these last two facts.

Appendix B. Proof of Theorem 2
Before we prove Theorem 2, the following lemma is introduced, which transforms an acyclic dependency graph into a forest of trees. A tree is an acyclic directed graph where each vertex has at most one incoming edge, i.e., for each vertex $v$ there is at most one edge $e$ such that $\mathrm{ter}(e) = v$. A forest is a set of trees. A forest can be constructed from an acyclic directed graph recursively. Assume that a subgraph $T$ having vertex $v$ as root node is already a tree. Then for each incoming edge into $v$, subgraph $T$ is duplicated and set to the terminating vertex of that edge. Figure 4 shows the forest, consisting of a single tree, of the dependency graph shown in Figure 3. As vertex $P_5$ has two incoming edges, the directed graph $G_{CP}$ is not a tree. By duplicating vertex $P_5$, the tree in Figure 4 is constructed.
From a dependency (sub)graph, the control problem it represents can be reconstructed as follows. The control problem $(\mathcal{P}', \mathcal{R}')$ represented by a dependency graph $(\mathcal{P}', E')$ is the one where $\mathcal{R}' = \{R \in \mathcal{R} \mid \exists e \in E' : \mathrm{event}(R) \in \Sigma_{\mathrm{init}(e)} \text{ and } \mathrm{ter}(e) \in \mathrm{cond}(R)\}$.
Lemma 6. Let $G_{CP} = (\mathcal{P}, E)$ be an acyclic dependency graph of control problem $CP = (\mathcal{P}, \mathcal{R})$ satisfying RCNMS, and let $F$ be the forest constructed from $G_{CP}$. Then $S$ is a maximally permissive, controllable, and nonblocking supervisor of $CP$ if and only if $S$ is a maximally permissive, controllable, and nonblocking supervisor of the control problem represented by $F$.
Proof. In the construction of the forest $F$ from $G_{CP}$, subgraphs are duplicated. Duplicating plants and requirements results in the same maximally permissive, controllable, and nonblocking supervisor, i.e., $S$ is a maximally permissive, controllable, and nonblocking supervisor for $(\mathcal{P} \parallel \mathcal{P}') \parallel (\mathcal{R} \parallel \mathcal{R}')$ if and only if $S$ is a maximally permissive, controllable, and nonblocking supervisor for $\mathcal{P} \parallel \mathcal{R}$, where $\mathcal{P}' \subseteq \mathcal{P}$ and $\mathcal{R}' \subseteq \mathcal{R}$ are sets of plant models and requirement models, respectively. As forest $F$ is constructed recursively in this manner, the result holds for the complete forest.
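The forest construction used by Lemma 6, together with the reconstruction of the control problem that a (sub)graph represents, as an added Python example; this is not code from the paper or its repository. The graph is constructed to mimic Figure 3: $P_5$ has two incoming edges and is therefore duplicated when the graph is unfolded, so the resulting tree has one more vertex copy than the graph has plants. Requirements are represented by a constructed table mapping each name to the plant whose event it restricts and the plants its condition references; every name in that table is an assumption.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# A tree is (vertex, children); children is a tuple of trees.
Tree = Tuple[str, tuple]

def unfold_forest(adj: Dict[str, Set[str]]) -> List[Tree]:
    """Unfold an acyclic dependency graph into a forest. Roots are the vertices
    without incoming edges; a vertex reachable along k distinct paths ends up in
    k copies, so every tree vertex has at most one incoming edge. Raises ValueError
    on a cyclic graph: a cycle either lies on a root-to-leaf path, or it leaves
    some vertex unreachable from every root."""
    incoming = {v: 0 for v in adj}
    for ws in adj.values():
        for w in ws:
            incoming[w] += 1

    def subtree(v: str, on_path: FrozenSet[str]) -> Tree:
        if v in on_path:
            raise ValueError(f"dependency graph is cyclic at {v}")
        return (v, tuple(subtree(w, on_path | {v}) for w in sorted(adj[v])))

    forest = [subtree(v, frozenset()) for v in adj if incoming[v] == 0]
    if tree_vertices(forest) != set(adj):
        raise ValueError("dependency graph is cyclic: some vertex has no root")
    return forest

def tree_vertices(forest: List[Tree]) -> Set[str]:
    """Distinct vertex names occurring anywhere in the forest."""
    found: Set[str] = set()
    def walk(t: Tree) -> None:
        found.add(t[0])
        for c in t[1]:
            walk(c)
    for t in forest:
        walk(t)
    return found

def tree_size(t: Tree) -> int:
    """Number of vertex copies in a tree (duplicates counted separately)."""
    return 1 + sum(tree_size(c) for c in t[1])

def tree_edges(t: Tree) -> Set[Tuple[str, str]]:
    """Edge set (init, ter) of a tree or subtree."""
    v, children = t
    edges = {(v, c[0]) for c in children}
    for c in children:
        edges |= tree_edges(c)
    return edges

def represented_requirements(edges: Set[Tuple[str, str]],
                             reqs: Dict[str, Tuple[str, FrozenSet[str]]]) -> Set[str]:
    """R' of a (sub)graph with edge set E': every requirement whose event belongs
    to init(e) and whose condition references ter(e), for some e in E'."""
    return {name for name, (plant, refs) in reqs.items()
            if any(init == plant and ter in refs for init, ter in edges)}

# Constructed graph (assumption, mimicking Figure 3): P5 has two incoming edges.
ADJ = {"P1": {"P2", "P3"}, "P2": {"P4", "P5"}, "P3": {"P5"}, "P4": set(), "P5": set()}
# Constructed requirements: name -> (plant whose event is restricted, referenced plants).
REQS = {"R1": ("P1", frozenset({"P2", "P3"})), "R2": ("P2", frozenset({"P4"})),
        "R3": ("P2", frozenset({"P5"})), "R4": ("P3", frozenset({"P5"}))}

if __name__ == "__main__":
    forest = unfold_forest(ADJ)
    print(forest)
    print(tree_size(forest[0]), "vertex copies for", len(ADJ), "plants")
    print(represented_requirements(tree_edges(forest[0][1][0]), REQS))
```

For the constructed graph the forest is a single tree rooted at $P_1$ with six vertex copies for five plants, the extra copy being $P_5$. Passing the edge set of any subtree to `represented_requirements` yields the requirement set $\mathcal{R}'$ of the partial control problem that subtree represents; for the subtree rooted at $P_2$ these are the requirements restricting events of $P_2$. A cyclic input raises `ValueError`, since the construction is only defined for acyclic graphs.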
The proof of Theorem 2 follows now.