Supervisor Design for a Pressurized Reactor Unit in the Presence of Sensor and Actuator Faults

Abstract

The preservation of the efficient functionality of a pressurized reactor unit in the presence of faults is the aim of the present paper. To satisfy this aim, a distributed supervisory control scheme, considering the possibility of system faults, was designed. Towards this aim, the models of the subsystems of the total pressurized reactor unit in the presence of sensor and actuator faults are developed, using finite deterministic automata. This is the first contribution of the paper. The desired performance of the unit was formulated in the form of rules guaranteeing the desired behavior of a pressurize–depressurize cycle and safety specifications. The rules were translated to six desired regular languages. The realization of these languages, in the form of supervisor automata, was accomplished. This is the second contribution of the paper. A modular supervisory design scheme, towards safety and tolerance in the presence of faults, was proposed and realized, and the properties of the proposed supervisors and the controlled automaton were proven. This is the third contribution of the paper. The complexity of each supervisor was computed. The efficiency of the supervisory design scheme was illustrated through simulations. A PLC implementation of the derived supervisors was proposed. The derived supervisors are suitable for implementation as function blocks.

1. Introduction

Industrial processes have become more complex regarding their procedural behavior and the use of advanced equipment as well as environmental and safety restrictions. Many control methods have been developed regarding the operating procedures of such systems. Among them, there are methods aimed step-wise transitions between the operating points of the controlled process using artificial intelligence tools (indicatively, see [1]) and/or step-wise switching controllers (indicatively, see [2]) as well as discrete event system (DES) models and controllers (indicatively, see [3,4,5,6]). Most of these methods are implementable in low-level devices, such as programmable logic controllers (PLCs) and programmable automation controllers (PACs), providing logic and numerical processing features.

The use of DES and especially the Ramadge Wonham (RW) framework (see [7] and [8]) is offered for controller software development (see [9,10,11]), particularly in industrial applications. In the RW framework, the supervisory structure is capable to restrict some actions to the system and not to impose some actions (see [7,8]). According to [12,13,14], the RW framework provides sufficiently satisfactory results towards a system’s safety and deadlock avoidance. The design of supervisory control, taking into consideration the system’s faults, is a very important issue in industrial automation (see [15,16]). Furthermore, in modern industrial systems, the correlation of a system’s faults with cyberattacks has given the derivation of desired functionality specifications in the presence of faults additive value (see [17,18]).

In [3,4,6], the DES model of a pressurized reactor was developed and a supervisory control scheme, in the RW framework, was proposed. In the analysis presented in [3,4,6], the possibility of the presence of faults was not considered. Here, the problem of modeling and supervisor control of this pressurized reactor was studied in the presence of possible actuator and sensor faults. Appropriate models of the reactor unit subsystems in the presence of faults were developed. This is the first contribution of the present paper. The developed models were extensions of the respective models in [3,4,6]. In addition, appropriate desired performance rules, preserving the requirements for the desired pressurize–depressurize cycles proposed in [3,4,6], were imposed. The performance rules aimed to provide safety and tolerance in the presence of faults. The derivation of the rules and their expression as desired languages is the second contribution of the paper. Finally, in order to satisfy the desired performance rules, a modular supervisory control scheme was proposed, and the required properties of the scheme were proven. This is the third contribution of the paper. A PLC implementation of the supervisors was proposed. The complexity of the present supervisory scheme was computed and was shown to be low. It was mentioned that the derived supervisors were suitable for implementation as function blocks. The IEC 61499 standard, being an extension of IEC 61131-3, is based on using extended function blocks (see [19,20,21]). The implementation of supervisory control algorithms (see [20] and the references within), fault diagnosers (see [21] and the references within), and discrete event systems (see [20,22,23,24]) in IEC 61499 has already attracted considerable interest. The aim of the standard was to introduce the basic concepts for the control design of distributed industrial processes, providing robust and flexible software programs. The different function blocks create a network, sharing their inputs and outputs [22].

This paper is organized as follows: In Section 2, the notation and the notions used in the paper are presented. In Section 3, the models of the reactor unit subsystems in the presence of faults are presented in the form of six tuples. In Section 4, the design specifications are imposed and translated to the appropriate desired languages in analytic forms. In Section 5, the realization of the supervisory control scheme is accomplished in a modular architecture, and the satisfactory performance of the controlled automaton is proven. Finally, in Section 6, the implementation of the proposed supervisory control scheme for PLCs in ladder diagrams and general guidelines for implementation using function blocks are presented.

2. General Notation and Notions

The pressurized reactor unit was analyzed according to its subsystems. Here, each subsystem is modeled in the form of finite deterministic automata, described by six tuples in the form (see [25,26,27,28]) $G=(\mathbb{Q},\mathbb{E},f,ℍ,x_0,{\mathbb{Q}}_m)$, where $\mathbb{Q}$ is the set of the states, $\mathbb{E}$ is the event set (alphabet), $ℍ$ is the active event set function, $f$ is the transition function, $x_0$ is the initial state, and ${\mathbb{Q}}_m$ is the set of the marked states.

To demonstrate the structural properties of the reactor unit subsystems, the closed behavior [7], denoted by $\mathbb{L}(G)$, and the marked behavior [7], denoted by ${\mathbb{L}}_m(G)$, are used. Clearly, it holds that ${\mathbb{L}}_m(G)\subseteq \mathbb{L}(G)\subseteq {\mathbb{E}}^{\ast }$, where ${\mathbb{E}}^{\ast }$ denotes the Kleene Star of $\mathbb{E}$, see [7,8]. The set of the uncontrollable events of each subsystem is denoted by ${\mathbb{E}}_{uc}\subseteq \mathbb{E}$.

The finite deterministic automaton of a supervisor, denoted by $S=({\mathbb{Q}}_S,{\mathbb{E}}_S,f_S,{ℍ}_S,x_{S,0},{\mathbb{Q}}_{S,m})$, is used. The synchronous product [7] (or parallel composition [8]) of the automata $S$ and $G$ is denoted by $S\mid \mid G$. For the properties of the synchronous product of two or more automata, see [7,8]. For the supervisor to be physically realizable, through the synchronous product with $G$, the necessary and sufficient condition is the permissibility of the uncontrollable event transitions of $G$, via $S\mid \mid G$. For the supervisor to be efficient, it is necessary for the synchronous product $S\mid \mid G$ to be a nonblocking automaton.

The complexity of the automaton of the supervisor is a significant characteristic of the design. The complexity of an automaton is the triad including the number of the states, the number of the events, and the number of the transitions of the automaton (indicatively, see [26,29]).

3. Modeling of the Pressurized Reactor Unit

3.1. Description of the Unit

The main component of the system is a pressurized storage tank connected to a gas supply line. An on/off valve is the main control device charging the tank. Through a human–machine interface, the user sends commands to open or close the valve. The human–machine interface is usually an HMI monitor or a common two state switch (button). A pressure sensor is installed in the tank providing information regarding the pressure lever, namely, “low”, “medium”, or “high”. It is important to mention that the desired pressure level of the tank is “medium”. In accordance with [4], a schematic of the interconnection among the subsystems of the reactor unit is presented in Figure 1. The reactor unit was modeled in [3,4,6] via finite deterministic automata for the case where the presence of faults was not included.

3.2. The Model of the Valve including Faults

Using the valve model for the nonfaulty case (see [3,4,6]), the respective model in the presence of faults is developed to be $G_{FV}=({\mathbb{Q}}_{FV},{\mathbb{E}}_{FV},f_{FV},{ℍ}_{FV},x_{FV,0},{\mathbb{Q}}_{FV,m})$. The set of the states is ${\mathbb{Q}}_{FV}=\{q_{FV,1},q_{FV,2},q_{FV,3}\}$. The state $q_{FV,1}$ is the case where the valve is closed. The state $q_{FV,2}$ is the case where the valve is open. The state $q_{FV,3}$ is the case where the valve is in the faulty mode. The initial state of $G_{FV}$ is $x_{FV,0}=q_{FV,1}$. The set of the marked states is ${\mathbb{Q}}_{V,m}=\left\{q_{V,1}\right\}$. The alphabet of $G_{FV}$ is ${\mathbb{E}}_{FV}=\{e_{V,1},e_{V,2},e_{V,3},e_{V,4}\}$. The event $e_{V,1}$ commands the valve to open. The event $e_{V,2}$ commands the valve to close. The event $e_{V,3}$ indicates that a fault took place at the valve. The event $e_{V,4}$ indicates that the fault was repaired. The set of the controllable events is ${\mathbb{E}}_{FV,c}=\{e_{V,1},e_{V,2}\}$, and the set of the uncontrollable events is ${\mathbb{E}}_{FV,uc}=\{e_{V,3},e_{V,4}\}$.

The sets of the active events, per state of $G_{FV}$, are:

$$\begin{gathered} {ℍ}_{FV}(q_{FV,1})=\{e_{V,1},e_{V,3}\}, \\ {ℍ}_{FV}(q_{FV,2})=\{e_{V,2},e_{V,3}\}, \\ {ℍ}_{FV}(q_{FV,3})=\left\{e_{V,4}\right\}. \end{gathered}$$

The transitions, per state and event of $G_{FV}$, are:

$$\begin{gathered} f_{FV}(q_{FV,1},e_{V,1})=q_{FV,2}, \\ {f}_{FV}(q_{FV,1},e_{V,3})=q_{FV,3}, \\ {f}_{FV}(q_{FV,2},e_{V,2})=q_{FV,1}, \\ {f}_{FV}(q_{FV,2},e_{V,3})=q_{FV,3}, \end{gathered}$$

$$f_{FV}(q_{FV,3},e_{V,4})=q_{FV,1}.$$

The closed behavior of the automaton of the valve is:

$$\mathbb{L}(G_{FV})=\overline{{\left({(e_{V,3}{e}_{V,4})}^{*}{e}_{V,1}(e_{V,2}+e_{V,3}{e}_{V,4})\right)}^{*}}.$$

The marked behavior of the automaton of the valve is:

$${\mathbb{L}}_m(G_{FV})={\left({(e_{V,3}{e}_{V,4})}^{*}{e}_{V,1}(e_{V,2}+e_{V,3}{e}_{V,4})\right)}^{*}.$$

Clearly, $\overline{{\mathbb{L}}_m(G_{FV})}=\mathbb{L}(G_{FV})$. Thus, $G_{FV}$ is a nonblocking automaton. For the nonblocking property of an automaton, see [7,8].

In Figure 2, the state diagram of the automaton of the valve is presented. If the fault event, the fault repair event, and the state describing the faulty mode are neglected, then the state diagram is reduced to that in [3,4,6].

3.3. The Model of the Switch in the Presence of Faults

The model of the switch (button) in the presence of faults is expressed in the form $G_{FB}=({\mathbb{Q}}_{FB},{\mathbb{E}}_{FB},f_{FB},{ℍ}_{FB},x_{FB,0},{\mathbb{Q}}_{FB,m})$. The set of the states is ${\mathbb{Q}}_{FB}=\{q_{FB,1},q_{FB,2},q_{FB,3}\}$. The state $q_{FB,1}$ is the case where the switch is turned off. The state $q_{FB,2}$ is the case where the switch is turned on. The state $q_{FB,3}$ is the case where the switch is in the faulty mode. The initial state is $x_{FB,0}=q_{FB,1}$. The set of the marked states is ${\mathbb{Q}}_{FB,m}=\left\{q_{FB,1}\right\}$. The alphabet is ${\mathbb{E}}_{FB}=\{e_{B,1},e_{B,2},e_{B,3},e_{B,4}\}$. The event $e_{B,1}$ indicates that the switch is turned on. The event $e_{B,2}$ indicates that the switch is turned off. The event $e_{B,3}$ indicates that a fault took place. The event $e_{B,4}$ indicates that the fault was repaired. The set of the controllable events is ${\mathbb{E}}_{FB,c}=\varnothing$, and the set of the uncontrollable events is ${\mathbb{E}}_{FB,uc}={\mathbb{E}}_{FB}$.

The sets of the active events, per state of $G_{FB}$, are:

$${ℍ}_{FB}(q_{FB,1})=\{e_{B,1},e_{B,3}\},$$

$${ℍ}_{FB}(q_{FB,2})=\{e_{B,2},e_{B,3}\},$$

$${ℍ}_{FB}(q_{FB,3})=\left\{e_{B,4}\right\}.$$

The transitions, per state and event of $G_{FB}$, is:

$$f_{FB}(q_{FB,1},e_{B,1})=q_{FB,2},$$

$$f_{FB}(q_{FB,1},e_{B,3})=q_{FB,3},$$

$$f_{FB}(q_{FB,2},e_{B,2})=q_{FB,1},$$

$$f_{FB}(q_{FB,2},e_{B,3})=q_{FB,3},$$

$$f_{FB}(q_{FB,3},e_{B,4})=q_{FB,1}.$$

The closed behavior of the automaton of the switch is:

$$\mathbb{L}(G_{FB})=\overline{{\left({(e_{B,3}{e}_{B,4})}^{*}{e}_{B,1}(e_{B,2}+e_{B,3}{e}_{B,4})\right)}^{*}}.$$

The marked behavior of the automaton of the switch is:

$${\mathbb{L}}_m(G_{FB})={\left({(e_{B,3}{e}_{B,4})}^{*}{e}_{B,1}(e_{B,2}+e_{B,3}{e}_{B,4})\right)}^{*}.$$

$G_{FB}$ is a nonblocking automaton, i.e., $\overline{{\mathbb{L}}_m(G_{FV})}=\mathbb{L}(G_{FV})$.

In Figure 3, the state diagram of the automaton of the switch is presented. In the nonfaulty case, the diagram is reduced to the respective state diagrams in [3,4,6].

3.4. The Model of the Pressure Sensor in the Presence of Faults

The model of the pressure sensor in the presence of faults is in the form $G_{FP}=({\mathbb{Q}}_{FP},{\mathbb{E}}_{FP},f_{FP},{ℍ}_{FP},x_{FP,0},{\mathbb{Q}}_{FP,m})$. The set of the states is ${\mathbb{Q}}_{FP}=\{q_{FP,1},q_{FP,2},q_{FP,3},q_{FP,4}\}$. The state $q_{FP,1}$ is the case where the pressure sensor shows low pressure. The state $q_{FP,2}$ is the case where the pressure sensor shows medium pressure, which is the desired pressure. The state $q_{FP,3}$ is the case where the pressure sensor shows high pressure. The state $q_{FP,4}$ is the case where the sensor is in the faulty mode. The initial state is $x_{FP,0}=q_{FP,1}$. The set of the marked states is ${\mathbb{Q}}_{FP,m}=\left\{q_{FP,2}\right\}$. The alphabet is ${\mathbb{E}}_{FP}=\{e_{P,1},e_{P,2},e_{P,3},e_{P,4},e_{P,5},e_{P,6}\}$. The events $e_{P,1}$ and $e_{P,2}$ indicate that the pressure has risen from low to medium and from medium to high, respectively. The events $e_{P,3}$ and $e_{P,4}$ indicate that the pressure has dropped from medium to low and from low to medium, respectively. The event $e_{P,5}$ indicates that a pressure sensor fault took place. The event $e_{P,6}$ indicates that the fault was repaired. The controllable events set is ${\mathbb{E}}_{FP,c}=\varnothing$, and the uncontrollable events set is ${\mathbb{E}}_{FP,uc}={\mathbb{E}}_{FP}$.

The set of the active events, per state of $G_{FP}$, is:

$${ℍ}_{FP}(q_{FP,1})=\{e_{P,1},e_{P,5}\},$$

$${ℍ}_{FP}(q_{FP,2})=\{e_{P,2},e_{P,3},e_{P,5}\},$$

$${ℍ}_{FP}(q_{FP,3})=\{e_{P,4},e_{P,5}\},$$

$${ℍ}_{FP}(q_{FP,4})=\left\{e_{P,6}\right\}.$$

The transitions, per state and event of $G_{FP}$, are:

$$f_{FP}(q_{FP,1},e_{P,1})=q_{FP,2},$$

$$f_{FP}(q_{FP,1},e_{P,5})=q_{FP,4},$$

$$f_{FP}(q_{FP,2},e_{P,2})=q_{FP,3},$$

$$f_{FP}(q_{FP,2},e_{P,5})=q_{FP,4},$$

$$f_{FP}(q_{FP,2},e_{P,3})=q_{FP,1},$$

$$f_{FP}(q_{FP,3},e_{P,4})=q_{FP,2},$$

$$f_{FP}(q_{FP,3},e_{P,5})=q_{FP,4},$$

$$f_{FP}(q_{FP,4},e_{P,6})=q_{FP,1}.$$

The closed behavior of $G_{FP}$ is:

$$\mathbb{L}(G_{FP})=\stackrel{\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_}{{\left({(e_{P,5}{e}_{P,6})}^{*}{e}_{P,1}\left({(e_{P,2}{e}_{P,4})}^{*}\left((\epsilon +e_{P,2})e_{P,5}{e}_{P,6}+e_{P,3}\right)\right)\right)}^{*}}.$$

The marked behavior of $G_{FP}$ is:

$${\mathbb{L}}_m(G_{FP})={(e_{P,5}{e}_{P,6})}^{*}{e}_{P,1}{\left({(e_{P,2}{e}_{P,4})}^{*}\left((\epsilon +e_{P,2})e_{P,5}{e}_{P,6}+e_{P,3}\right){(e_{P,5}{e}_{P,6})}^{*}{e}_{P,1}\right)}^{*}.$$

Clearly, $G_{FP}$ is a nonblocking automaton, i.e., $\overline{{\mathbb{L}}_m(G_{FP})}=\mathbb{L}(G_{FP})$.

In Figure 4, the state diagram of the automaton of the sensor pressure is presented. In the nonfaulty case, the diagram is reduced to those in [3,4,6].

3.5. The Total Automaton

It is observed that the alphabets of the automata of the three subsystems presented in Section 3.2, Section 3.3 and Section 3.4 are disjoint sets. Hence, the synchronous product of the three automata, i.e., $G_F=G_{FV}\mid \mid G_{FB}\mid \mid G_{FP}$, is shuffle [8]. The automaton $G_F$ is the model of the total reactor unit.

The set of the states of $G_F$ is ${\mathbb{Q}}_F={\mathbb{Q}}_{FV}\times {\mathbb{Q}}_{FB}\times {\mathbb{Q}}_{FP}$ and the states are of the form $q_F=(q_{FV},q_{FB},q_{FP})$. The alphabet of the automaton is ${\mathbb{E}}_F={\mathbb{E}}_{FV}\cup {\mathbb{E}}_{FB}\cup {\mathbb{E}}_{FP}$. Clearly, all transitions of the three automata, in Section 3.2, Section 3.3 and Section 3.4, are feasible. The active events sets of $G_F$ have the property ${ℍ}_F\left((q_{FV},q_{FB},q_{FP})\right)={ℍ}_{FV}(q_{FV})\cup {ℍ}_{FB}(q_{FB})\cup {ℍ}_{FP}(q_{FP})$. The set of the marked states is ${\mathbb{Q}}_{F,m}=\{(q_{FV,1},q_{FB,1},q_{FP,1})\}$.

Here, the events indicating faults and the events indicating repairs are available to the controller platform via appropriate sensors. This is an expected characteristic in modern manufacturing practice. Therefore, in what follows, these events will be considered to be observable.

In

Table 1. A simulation of the transitions of the total automaton.

Event	State of the Total Automaton	Description (Valve, Switch, Sensor)
	$(q_{FV,1},q_{FB,1},q_{FP,1})$	(Closed, Off, Low)
$e_{B,1}$	$(q_{FV,1},q_{FB,2},q_{FP,1})$	(Closed, On, Low)
$e_{V,1}$	$(q_{FV,2},q_{FB,2},q_{FP,1})$	(Opened, On, Low)
$e_{P,1}$	$(q_{FV,2},q_{FB,2},q_{FP,2})$	(Opened, On, Medium)
$e_{P,2}$	$(q_{FV,2},q_{FB,2},q_{FP,3})$	(Opened, On, High)
$e_{V,2}$	$(q_{FV,1},q_{FB,2},q_{FP,3})$	(Closed, On, High)
$e_{V,1}$	$(q_{FV,2},q_{FB,2},q_{FP,3})$	(Opened, On, High)
$e_{P,4}$	$(q_{FV,2},q_{FB,2},q_{FP,2})$	(Opened, On, Medium)
$e_{B,2}$	$(q_{FV,2},q_{FB,1},q_{FP,2})$	(Opened, Off, Medium)
$e_{P,2}$	$(q_{FV,2},q_{FB,1},q_{FP,3})$	(Opened, Off, High)
$e_{V,2}$	$(q_{FV,1},q_{FB,1},q_{FP,3})$	(Closed, Off, High)
$e_{P,5}$	$(q_{FV,1},q_{FB,1},q_{FP,4})$	(Closed, Off, Faulty)
$e_{B,1}$	$(q_{FV,1},q_{FB,2},q_{FP,4})$	(Closed, On, Faulty)
$e_{V,1}$	$(q_{FV,2},q_{FB,2},q_{FP,4})$	(Opened, On, Faulty)
$e_{P,6}$	$(q_{FV,2},q_{FB,2},q_{FP,1})$	(Opened, On, Low)

, the simulation of $G_F$ is presented for a predefined event sequence. Details regarding simulation of discrete event systems can be found in Chapter 10 of Reference [8]. It is important to mention that the results of the simulation have also been verified using the discrete event systems simulation software “Supremica” [23]. According to line 5 of Table 1, the event $e_{P,2}$ took place. Thus, the pressure in the reactor was high. According to line 6 of Table 1, the valve closed (event $e_{V,2}$), allowing the pressure to drop to the desired value. Nevertheless, according to line 7 of the table, the event $e_{V,1}$ took place. The event opened the valve once again. The pressure had not yet dropped significantly, i.e., the pressure of the reactor was still high. Thus, the pressure of the reactor can be further increased with a plausible negative impact on the reactor’s functionality and safety. According to line 12 of the table, an event indicating the appearance of a pressure sensor fault took place (i.e., event $e_{P,5}$). According to line 14 of the table, the command to open the valve took place once again, while the pressure sensor was in the faulty mode; therefore, there was no available information regarding the value of the pressure of the reactor. Hence, opening the valve without knowledge of the reactor’s pressure may further aggravate the aforementioned problems regarding the system’s safety and functionality.

4. Desired Behavior

In ([3,4,6]), the desired behavior of the system focuses on the pressurize–depressurize cycle of the reactor without considering the presence of eventual faults. According to [3,4,6], the desired pressurize–depressurize cycle is: first, the user turns on the switch; next, the valve opens; after, when the pressure is at medium, then the valve closes (the switch can only be turned off); then, if the pressure level becomes low, the valve opens (the switch can only be turned on). In addition to the sequence of the cycle and according to [3,4,6], the following two rules are imposed: (1) if the pressure is beyond its desired level (i.e., medium), then the command to close the valve is disactivated regardless of the switch command; (2) if the pressure is higher than its desired level (i.e., medium), then the command to open the valve is disactivated regardless of the switch command.

Here, the above reported desired pressurize–depressurize cycle and the two rules were preserved and the desired specifications were enriched with requirements considering the possibility of the presence of the faults. Hence, all the desired specifications were formulated as follows:

• When a fault takes place in the total system of the reactor unit, then the command to open the valve is disactivated until the fault repair;
• If the pressure in the reactor is lower than its desired level, then the command to close the valve is disactivated, regardless of the switch command;
• If the pressure in the reactor is higher than its desired level, then the command to open the valve is disactivated, regardless of the switch command;
• The pressurize–depressurize cycle is preserved.

The 1st rule can be analyzed into the following three prefixed closed, regular languages:

$${}^1\mathbb{K}{}_1=\overline{{\left({(e_{V,1}+e_{V,2}+e_{V,4})}^{*}{e}_{V,3}{(e_{V,2}+e_{V,3})}^{*}{e}_{V,4}\right)}^{*}},$$

$${}^1\mathbb{K}{}_2=\overline{{\left({(e_{V,1}+e_{V,2}+e_{V,3}+e_{B,4})}^{*}{e}_{B,3}{(e_{V,2}+e_{V,3})}^{*}{e}_{B,4}\right)}^{*}},$$

$${}^1\mathbb{K}{}_3=\overline{{\left({(e_{V,1}+e_{V,2}+e_{V,3}+e_{P,6})}^{*}{e}_{P,5}{(e_{V,2}+e_{V,3})}^{*}{e}_{P,6}\right)}^{*}}.$$

The 2nd rule is expressed by the prefixed closed language:

$${}^2\mathbb{K}=\overline{{\left({(e_{P,3}+e_{P,6})}^{*}{e}_{P,1}{(e_{P,1}+e_{V,2})}^{*}(e_{P,3}+e_{P,6})\right)}^{*}}.$$

The 3rd rule is expressed by the prefixed closed language:

$${}^3\mathbb{K}=\overline{{\left({(e_{V,1}+e_{P,4}+e_{P,6})}^{*}{e}_{P,2}{e}_{P,2}^{*}(e_{P,4}+e_{P,6})\right)}^{*}}.$$

The 4th rule is expressed by the prefixed closed language ${}^4\mathbb{K}=\stackrel{\_\_\_\_}{{}_0{}^4\mathbb{K}}$, where:

$$\begin{array}{l}{}_0{}^4\mathbb{K}=({(e_{B,2}+e_{P,1}+e_{P,3})}^{*}{e}_{B,1}{(e_{B,1}+e_{B,2}+e_{P,1}+e_{P,3})}^{*}{e}_{V,1}{(e_{B,1}+e_{B,2}+e_{P,3})}^{*}\\ {e_{P,1}{(e_{B,1}+e_{B,2}+e_{P,1}+e_{P,3})}^{*}{e}_{V,2}{(e_{B,1}+e_{P,1}+e_{P,3})}^{*}{e}_{B,2}{(e_{B,1}+e_{B,2}+e_{P,1})}^{*}{e}_{P,3})}^{*}.\end{array}$$

The following alphabets:

$${}^1\mathbb{E}{}_{S,1}=\{e_{V,1},e_{V,2},e_{V,3},e_{V,4}\},$$

$${}^1\mathbb{E}{}_{S,2}=\{e_{V,1},e_{V,2},e_{V,3},e_{B,3},e_{B,4}\},$$

$${}^1\mathbb{E}{}_{S,3}=\{e_{V,1},e_{V,2},e_{V,3},e_{P,5},e_{P,6}\},$$

$${}^2\mathbb{E}{}_S=\{e_{V,2},e_{P,1},e_{P,3},e_{P,6}\},$$

$${}^3\mathbb{E}{}_S=\{e_{V,1},e_{P,2},e_{P,4},e_{P,6}\},$$

$${}^4\mathbb{E}{}_S=\{e_{V,1},e_{V,2},e_{B,1},e_{B,2},e_{P,1},e_{P,3}\}.$$

are the alphabets of ${}^1\mathbb{K}{}_1$,${}^1\mathbb{K}{}_2$,${}^1\mathbb{K}{}_3$,${}^2\mathbb{K}$,${}^3\mathbb{K}$, and ${}^4\mathbb{K}$, respectively.

To satisfy the specifications 1–4, $G_F$ must be appropriately controlled. The desired performance of the controlled automaton is described by the following six languages, where the first three correspond to the 1st rule, and the remaining three correspond to the 2nd, the 3rd, and the 4th rule, respectively

$${}^1\mathbb{K}{}_{D,k}={}^{1}P{}_k^{-1}\left(\overline{{}^1\mathbb{K}{}_k}\right)\cap {\mathbb{L}}_m(G_F),k=1,2,3$$

(1)

$${}^{\ell }\mathbb{K}{}_D={}^{\ell }P{}_{}^{-1}\left(\overline{{}^{\ell }\mathbb{K}}\right)\cap {\mathbb{L}}_m(G_F),\ell =2,3,4$$

(2)

In (1), the functions ${}^{1}P{}_1^{}$, ${}^{1}P{}_2$, and ${}^{1}P{}_3$ denote the projections ${\mathbb{E}}_F^{\ast }$ to ${}^1\mathbb{E}{}_{S,1}^{\ast }$, ${}^1\mathbb{E}{}_{S,2}^{\ast }$, and ${}^1\mathbb{E}{}_{S,3}^{\ast }$, respectively. In (2), the functions ${}^{2}P$, ${}^{3}P$, and ${}^{4}P$ denote the projections of ${\mathbb{E}}_F^{\ast }$ to ${}^2\mathbb{E}{}_S^{\ast }$, ${}^3\mathbb{E}{}_S^{\ast }$, and ${}^4\mathbb{E}{}_S^{\ast }$, respectively. The definition and the properties of the projections can be found in [7,8].

5. Supervisory Control Design

5.1. Realization of Supervisors

Consider the class of supervisor automata [7,8], denoted by $S=({\mathbb{Q}}_S,{\mathbb{E}}_S,f_S,{ℍ}_S,x_{S,0},{\mathbb{Q}}_{S,m})$, where ${\mathbb{Q}}_S=\{q_{S,1},q_{S,2}\}$ is the set of its states. This class is parameterized by four regular languages, expressed by the four regular expressions $c_1$, $c_2$, $c_3$, and $c_4$. Let ${\mathbb{E}}_{c,1}$, ${\mathbb{E}}_{c,2}$, ${\mathbb{E}}_{c,3}$, and ${\mathbb{E}}_{c,4}$ be the alphabets of the expressions $c_1$, $c_2$, $c_3$, and $c_4$, respectively. The alphabet of the supervisor automaton is ${\mathbb{E}}_S={\mathbb{E}}_{c,1}\cup {\mathbb{E}}_{c,2}\cup {\mathbb{E}}_{c,3}\cup {\mathbb{E}}_{c,4}$. Its initial state is denoted by $x_{S,0}=q_{S,1}$. For the set of the marked states, it holds that ${\mathbb{Q}}_{S,m}={\mathbb{Q}}_S$, i.e., all states are marked. The active event sets, per state, are defined to be ${ℍ}_S(q_{S,1})={\mathbb{E}}_{c,1}\cup {\mathbb{E}}_{c,2}$ and ${ℍ}_S(q_{S,2})={\mathbb{E}}_{c,3}\cup {\mathbb{E}}_{c,4}$. The transitions of $S$, per state and event, are defined to be:

$$f_S(q_{S,1},e)=q_{S,1},\forall e\in {\mathbb{E}}_{c,1},$$

$$f_S(q_{S,1},e)=q_{S,2},\forall e\in {\mathbb{E}}_{c,2},$$

$$f_S(q_{S,2},e)=q_{S,2},\forall e\in {\mathbb{E}}_{c,3},$$

$$f_S(q_{S,2},e)=q_{S,1},\forall e\in {\mathbb{E}}_{c,4},$$

The complexity triad of $S$ is $\left(2,\mid {\mathbb{E}}_S\mid ,\mid {\mathbb{E}}_S\mid \right)$. Its state diagram is presented in Figure 5. Based on the automaton $S$, the supervisors of the desired regular languages, given in definitions (1) and (2), are realized.

The supervisor realizing the prefix closed language ${}^1\mathbb{K}{}_1$ is denoted by ${}^{1}S{}_1$, and it is derived from $S$ by letting $c_1=e_{V,1}+e_{V,2}+e_{V,4}$, $c_2=e_{V,3}$, $c_3=e_{V,2}+e_{V,3}$, and $c_4=e_{V,4}$. The complexity triad of ${}^{1}S{}_1$ is $(2,4,7)$. The supervisor realizing the prefix closed language ${}^1\mathbb{K}{}_2$ is denoted by ${}^{1}S{}_2$, and it is derived from $S$ by letting $c_1=e_{V,1}+e_{V,2}+e_{V,3}+e_{B,4}$, $c_2=e_{B,3}$, $c_3=e_{V,2}+e_{B,3}$, and $c_4=e_{B,4}$. The complexity triad is $(2,4,8)$. The supervisor realizing the prefix closed language ${}^1\mathbb{K}{}_3$ is denoted by ${}^{1}S{}_3$ and it is derived from $S$ by letting $c_1=e_{V,1}+e_{V,2}+e_{V,3}+e_{P,6}$, $c_2=e_{P,5}$, $c_3=e_{V,2}+e_{P,5}$, and $c_4=e_{P,6}$. The complexity triad of ${}^{1}S{}_3$ is also $(2,4,8)$. The supervisor realizing the prefix closed language ${}^2\mathbb{K}$ is denoted by ${}^{2}S$, and it is derived from $S$ by letting $c_1=e_{P,3}+e_{P,6}$, $c_2=e_{P,1}$, $c_3=e_{P,1}+e_{V,2}$, and $c_4=e_{P,3}+e_{P,6}$. The respective complexity triad is $(2,4,7)$. The supervisor realizing the prefix closed language ${}^3\mathbb{K}$ is denoted by ${}^{3}S$ and it is derived from $S$ by letting $c_1=e_{V,1}+e_{P,4}+e_{P,6}$, $c_2=e_{P,2}$, $c_3=e_{P,2}$, and $c_4=e_{P,4}+e_{P,6}$. The respective complexity triad is $(2,4,7)$.

The supervisor realizing the prefix closed language ${}^4\mathbb{K}$ is ${}^{4}S=({}^4\mathbb{Q}{}_S,{}^4\mathbb{E}{}_S,{}^{4}f{}_S,{}^4ℍ{}_S,{}^{4}x{}_{S,0},{}^4\mathbb{Q}{}_{S,m})$. The set of the states of ${}^{4}S$ is ${}^4\mathbb{Q}{}_S={\displaystyle {\cup }_{\lambda =1}^6\left\{{}^{4}q{}_{S,\lambda }\right\}}$. The alphabet of ${}^{4}S$ is ${}^4\mathbb{E}{}_S$. The initial state is ${}^{4}x{}_{S,0}={}^{4}q{}_{S,1}$, and the set of the marked states is ${}^4\mathbb{Q}{}_{S,m}={}^4\mathbb{Q}{}_S$. The active event sets, per state of ${}^{4}S$, are:

$${}^4ℍ{}_S({}^{4}q{}_{S,1})=\{e_{B,1},e_{B,2},e_{P,1},e_{P,3}\},$$

$${}^4ℍ{}_S({}^{4}q{}_{S,2})=\{e_{V,1},e_{B,1},e_{B,2},e_{P,1},e_{P,3}\},$$

$${}^4ℍ{}_S({}^{4}q{}_{S,3})={}^4ℍ{}_S({}^{4}q{}_{S,5})={}^4ℍ{}_S({}^{4}q{}_{S,6})={}^4ℍ{}_S({}^{4}q{}_{S,1}),$$

$${}^4ℍ{}_S({}^{4}q{}_{S,4})=\{e_{V,2},e_{B,1},e_{B,2},e_{P,1},e_{P,3}\}.$$

The transitions of the supervisor, per state and event, are:

$${}^{4}f{}_S({}^{4}q{}_{S,1},e_{B,1})={}^{4}q{}_{S,2},$$

$${}^{4}f{}_S({}^{4}q{}_{S,1},e_{B,2})={}^{4}q{}_{S,1},$$

$${}^{4}f{}_S({}^{4}q{}_{S,1},e_{P,1})={}^{4}q{}_{S,1},$$

$${}^{4}f{}_S({}^{4}q{}_{S,1},e_{P,3})={}^{4}q{}_{S,1},$$

$${}^{4}f{}_S({}^{4}q{}_{S,2},e_{V,1})={}^{4}q{}_{S,3},$$

$${}^{4}f{}_S({}^{4}q{}_{S,2},e_{B,1})={}^{4}q{}_{S,2},$$

$${}^{4}f{}_S({}^{4}q{}_{S,2},e_{B,2})={}^{4}q{}_{S,2}$$

$${}^{4}f{}_S({}^{4}q{}_{S,2},e_{P,1})={}^{4}q{}_{S,2},$$

$${}^{4}f{}_S(q_{S,2},e_{P,3})={}^{4}q{}_{S,2},$$

$${}^{4}f{}_S({}^{4}q{}_{S,3},e_{P,1})={}^{4}q{}_{S,4},$$

$${}^{4}f{}_S({}^{4}q{}_{S,2},e_{B,2})={}^{4}q{}_{S,2},$$

$${}^{4}f{}_S({}^{4}q{}_{S,3},e_{B,2})={}^{4}q{}_{S,3},$$

$${}^{4}f{}_S({}^{4}q{}_{S,3},e_{P,3})={}^{4}q{}_{S,3},$$

$${}^{4}f{}_S({}^{4}q{}_{S,4},e_{V,2})={}^{4}q{}_{S,5},$$

$${}^{4}f{}_S({}^{4}q{}_{S,4},e_{B,1})={}^{4}q{}_{S,4},$$

$${}^{4}f{}_S({}^{4}q{}_{S,4},e_{B,2})={}^{4}q{}_{S,4},$$

$${}^{4}f{}_S({}^{4}q{}_{S,4},e_{P,1})={}^{4}q{}_{S,4},$$

$${}^{4}f{}_S({}^{4}q{}_{S,4},e_{P,3})={}^{4}q{}_{S,4},$$

$${}^{4}f{}_S({}^{4}q{}_{S,5},e_{B,2})={}^{4}q{}_{S,6},$$

$${}^{4}f{}_S({}^{4}q{}_{S,5},e_{B,1})={}^{4}q{}_{S,5},$$

$${}^{4}f{}_S({}^{4}q{}_{S,5},e_{P,1})={}^{4}q{}_{S,5},$$

$${}^{4}f{}_S({}^{4}q{}_{S,5},e_{P,3})={}^{4}q{}_{S,5},$$

$${}^{4}f{}_S({}^{4}q{}_{S,6},e_{P,3})={}^{4}q{}_{S,1},$$

$${}^{4}f{}_S({}^{4}q{}_{S,6},e_{B,1})={}^{4}q{}_{S,6},$$

$${}^{4}f{}_S({}^{4}q{}_{S,6},e_{B,2})={}^{4}q{}_{S,6},$$

$${}^{4}f{}_S({}^{4}q{}_{S,6},e_{P,1})={}^{4}q{}_{S,6}.$$

The complexity triad of ${}^{4}S$ is $\left(6,6,26\right)$. Its state diagram is presented in Figure 6.

5.2. The Performance of the Controlled System

In order to achieve the desired performance presented in Section 4, using the supervisors introduced in Section 5.1, the controlled automaton is proposed to be the synchronous product of the six supervisors and the total automaton of $G_F$:

$$G_{F,c}={}^{1}S{}_1\mid \mid {}^{1}S{}_2\mid \mid {}^{1}S{}_3\mid \mid {}^{2}S\mid \mid {}^{3}S\mid \mid {}^{4}S\mid \mid G_F.$$

(3)

From (3), it can be observed that the closed and the marked behavior of the controlled automaton are:

$$\mathbb{L}(G_{F,c})=\mathbb{L}(G_F)\cap {}^{1}P{}_1^{-1}\left(\overline{{}^1\mathbb{K}{}_1}\right)\cap {}^{1}P{}_2^{-1}\left(\overline{{}^1\mathbb{K}{}_2}\right)\cap {}^{1}P{}_3^{-1}\left(\overline{{}^1\mathbb{K}{}_3}\right)\cap {}^{2}P{}_{}^{-1}\left(\overline{{}^2\mathbb{K}}\right)\cap {}^{3}P{}_{}^{-1}\left(\overline{{}^3\mathbb{K}}\right)\cap {}^{4}P{}_{}^{-1}\left(\overline{{}^4\mathbb{K}}\right).$$

(4)

Using (1) and (2), it holds that:

$${\mathbb{L}}_m(G_{F,c})={}^1\mathbb{K}{}_{D,1}\cap {}^2\mathbb{K}{}_{D,1}\cap {}^3\mathbb{K}{}_{D,1}\cap {}^1\mathbb{K}{}_{D,2}\cap {}^2\mathbb{K}{}_{D,2}\cap {}^3\mathbb{K}{}_{D,2}\cap {}^1\mathbb{K}{}_{D,3}\cap {}^2\mathbb{K}{}_{D,3}\cap {}^1\mathbb{K}{}_{D,4}\cap {}^2\mathbb{K}{}_{D,4}.$$

(5)

The application of the six supervisors to the automaton $G_F$, through the synchronous product in (3), is physically realizable if and only if the transitions of the process $G_F$, activated by the uncontrollable events of $G_F$, are not obstructed by the six supervisors. Clearly, the transitions from the states of $G_F$, being nonaccessible in the synchronous product (3), were not tested. This physical realizability property is clearly equivalent to the controllability (see [8], p. 147) of the prefixed closed languages ${}^1\mathbb{K}{}_1$, ${}^1\mathbb{K}{}_2$, ${}^1\mathbb{K}{}_3$, ${}^2\mathbb{K}$, ${}^3\mathbb{K}$, and ${}^4\mathbb{K}$ with regard to $G_F$. To this end, the following proposition are established.

Proposition 1.

The prefixed closed languages${}^1\mathbb{K}{}_1$, ${}^1\mathbb{K}{}_2$, ${}^1\mathbb{K}{}_3$, ${}^2\mathbb{K}$, ${}^3\mathbb{K}$, and${}^4\mathbb{K}$are controllable regarding$G_F$.

Proof. 

Here, physical realizability is tested. First, it can be observed that the uncontrollable events of $G_F$, not belonging to the alphabet of a supervisor, are not obstructed in producing transitions. Second, the rest of the uncontrollable events (i.e., the uncontrollable events of the supervisors) are examined one by one. The uncontrollable events of ${}^{1}S{}_1$, namely, the uncontrollable events of ${}^1\mathbb{K}{}_1$, are the events $e_{V,3}$ and $e_{V,4}$. These events are active events of every state of ${}^{1}S{}_1$. Thus, it was concluded that for every ${}^{1}q{}_{S,1}$, being a state of ${}^{1}S{}_1$, and every $q_F\in {\mathbb{Q}}_F$, it holds that:

If $e_{V,3}\in {ℍ}_F(q_F)$, then $e_{V,3}\in \left({}^1ℍ{}_{S,1}({}^{1}q{}_{S,1})\cap {ℍ}_F(q_F)\right)$.

If $e_{V,4}\in {ℍ}_F(q_F)$, then $e_{V,4}\in \left({}^1ℍ{}_{S,1}({}^{1}q{}_{S,1})\cap {ℍ}_F(q_F)\right)$.

Hence, in the synchronous product ${}^{1}S{}_1\mid \mid G_F$, the supervisor ${}^{1}S{}_1$ does not obstruct the transitions of $G_F$ being activated by the uncontrollable events $e_{V,3}$ and $e_{V,4}$. Thus, the controllability of ${}^1\mathbb{K}{}_1$, regarding $G_F$, is proven. This proof can directly be extended to cover the controllability of ${}^1\mathbb{K}{}_2$ by focusing on the uncontrollable events $e_{B,3}$ and $e_{B,4}$. Following the same procedure, the controllability of the languages ${}^1\mathbb{K}{}_3$, ${}^2\mathbb{K}$, ${}^3\mathbb{K}$, and ${}^4\mathbb{K}$ is also proven by focusing on:

-

The uncontrollable events $e_{P,3}$ and $e_{P,4}$ for ${}^1\mathbb{K}{}_3$;

-

The uncontrollable events $e_{P,1}$, $e_{P,3}$, and $e_{P,6}$ for ${}^2\mathbb{K}$;

-

The uncontrollable events $e_{P,2}$, $e_{P,4}$ and $e_{P,6}$ for ${}^2\mathbb{K}$;

-

The uncontrollable events $e_{B,1}$, $e_{B,2}$, $e_{P,1}$, and $e_{P,3}$ for ${}^4\mathbb{K}$.

□

According to (5), the performance of the controlled automaton $G_{F,c}$, regarding its marked behavior, is satisfactory. The closed behavior of $G_{F,c}$ is satisfactory if and only if $G_{F,c}$ is nonblocking, i.e., $\overline{{\mathbb{L}}_m(G_{F,c})}=\mathbb{L}(G_{F,c})$. This property will be proven in Proposition 2.

Proposition 2.

The controlled automaton$G_{F,c}$is a nonblocking automaton.

Proof. 

According to Figure 5 and Figure 6, all states of all supervisors are marked states. Thus, in order to investigate nonblocking of the controlled automaton $G_{F,c}$, it suffices to check if there always exist active events in $G_F$ that are not obstructed by the supervisors to trigger at least one transmission from every nonmarked state to a marked state. Since $G_F$ is the shuffle of its subsystems, the latter goal is reduced to the existence of appropriate active events in every subsystem that are not obstructed by the supervisors to trigger at least one transmission from every nonmarked state to a marked state. To investigate the problem, it is remarked that, according to Proposition 1, the transmissions triggered by uncontrollable events are not obstructed by the supervisors. Using this remark, it is observed that the events indicating faults and the events indicating fault repairs, being uncontrollable events, are not obstructed to activate transitions of the controlled automaton $G_{F,c}$ to marked states. Hence, in what follows only the nonmarked states, being “nonfaulty” in the subsystems $G_{FB}$, $G_{FP}$, and $G_{FV}$, are examined. Regarding $G_{FB}$ and $G_{FP}$, it will be proved that the “nonfaulty” and nonmarked states of the synchronous product of the automata $G_{FB}$, $G_{FP}$ and the respective supervisors have always an uncontrollable event in their active events sets, triggering a transition to a marked state.Particularly, for the subsystem $G_{FB}$, it holds that the uncontrollable event $e_{B,2}$, being active in the “nonfaulty” and nonmarked state, activates the transition to the marked state (see Figure 3). For the subsystem $G_{FP}$ and according to Figure 4, it is observed that each of the uncontrollable events, $e_{P,1}$ and $e_{P,4}$, participates in the active event set of one of the two “nonfaulty” and nonmarked states and activates the transition to the marked state of $G_{FP}$. For the subsystem $G_{FV}$ and according to Figure 2, the transition from the nonmarked state $q_{FV,2}$, not being a “faulty mode” state to the marked state $q_{FV,1}$ is accomplished through the controllable event $e_{V,2}$. It is observed that $e_{V,2}$ belongs to the active event sets of all states of the supervisors ${}^{1}S{}_1$, ${}^{1}S{}_2$, and ${}^{1}S{}_3$. Regarding ${}^{3}S$, it is observed that $e_{V,2}$ does not belong to its alphabet. Thus, $e_{V,2}$ is not obstructed to activate the transition from $q_{FV,2}$ to the marked state $q_{FV,1}$. Regarding ${}^{2}S$, it is observed that $e_{V,1}$ does not belong to the alphabet. Thus, the transition from the marked state $q_{FV,1}$ to the unmarked state $q_{FV,2}$ is always permissible. If the automaton $G_{FV}$ is at $q_{FV,2}$ then ${}^{2}S$, is at its 1st or its 2nd state. If it is at the 1st state then the uncontrollable event $e_{P,1}$ activates the transition to the 2nd, where $e_{V,2}$ is an active event, thus allowing the transition from $q_{FV,2}$ to $q_{FV,1}$. Regarding ${}^{4}S$, it is observed that for $G_{FV}$ to be at $q_{FV,2}$, the automaton ${}^{4}S$ must be at ${}^{4}q{}_{S,3}$ or at ${}^{4}q{}_{S,4}$. The transition from ${}^{4}q{}_{S,3}$ to ${}^{4}q{}_{S,4}$ can be accomplished through the uncontrollable event $e_{P,1}$. Clearly, $e_{V,2}$ is an active event of ${}^{4}q{}_{S,4}$. Thus, the event sequence $e_{P,1}{e}_{V,2}$ leads ${}^{4}S$ to the state ${}^{4}q{}_{S,5}$ and $G_{FV}$ to the marked state $q_{FV,1}$. □

From the proof of Proposition 2, the following corollary being of significant practical importance is derived.

Corollary 1.

The nonblocking property of$G_{F,c}$is sufficiently strong in the sense that its marked states are always accessible from its initial state, through words that do not necessarily include events indicating faults or fault repairs.

In

Table 2. Simulation of the controlled automaton.

Event	State of the Controlled Automaton	Description (Valve, Switch, Sensor)
	$(q_{FV,1},q_{FB,1},q_{FP,1})$	(Closed, Off, Low)
$e_{B,1}$	$(q_{FV,1},q_{FB,2},q_{FP,1})$	(Closed, On, Low)
$e_{V,1}$	$(q_{FV,2},q_{FB,2},q_{FP,1})$	(Opened, On, Low)
$e_{P,1}$	$(q_{FV,2},q_{FB,2},q_{FP,2})$	(Opened, On, Medium)
$e_{P,2}$	$(q_{FV,2},q_{FB,2},q_{FP,3})$	(Opened, On, High)
$e_{V,2}$	$(q_{FV,1},q_{FB,2},q_{FP,3})$	(Closed, On, High)
$e_{V,1}$	$(q_{FV,1},q_{FB,2},q_{FP,3})$	(Closed, On, High)
$e_{P,4}$	$(q_{FV,1},q_{FB,2},q_{FP,2})$	(Closed, On, Medium)
$e_{B,2}$	$(q_{FV,1},q_{FB,1},q_{FP,2})$	(Closed, Off, Medium)
$e_{P,2}$	$(q_{FV,1},q_{FB,1},q_{FP,3})$	(Closed, Off, High)
$e_{V,2}$	$(q_{FV,1},q_{FB,1},q_{FP,3})$	(Closed, Off, High)
$e_{P,5}$	$(q_{FV,1},q_{FB,1},q_{FP,4})$	(Closed, Off, Faulty)
$e_{B,1}$	$(q_{FV,1},q_{FB,2},q_{FP,4})$	(Closed, On, Faulty)
$e_{V,1}$	$(q_{FV,1},q_{FB,2},q_{FP,4})$	(Closed, On, Faulty)
$e_{P,6}$	$(q_{FV,1},q_{FB,2},q_{FP,1})$	(Closed, On, Low)

, the simulation of the controlled automaton $G_{F,c}$ is presented for the same predefined event sequence used for the simulation of $G_F$ (see Table 1). The results of the present simulation have also been verified using the discrete event systems simulation software “Supremica”. According to line 5 of Table 2, the event $e_{P,2}$ takes place. This means that the pressure in the reactor is high. According to line 6 of the table, the valve closes (event $e_{V,2}$) and allows the pressure to drop to the desired value. According to line 7 of the table, the event $e_{V,1}$ takes place (i.e., the command to open the valve). The controllable event $e_{V,1}$ is disabled by the supervisor ${}^{1}S{}_3$ to trigger transitions. Thus, the valve of the system remains closed. According to line 12 of the table, the event indicating the appearance of a pressure sensor fault takes place (i.e., event $e_{P,5}$). According to line 14 of the table, the command to open the valve takes place once again, while the pressure sensor is in the faulty mode. The controllable event $e_{V,1}$ is disabled by the supervisor ${}^{3}S$ to trigger transitions. Thus, the valve of the system stays closed.

6. Supervisor Implementation

Based on [9,10,11], where the implementation of modular supervisory control schemes in PLC was tackled, it is observed that the parametric expression of the five supervisors, in the present design scheme, facilitates the implementation to local units (i.e., PLCs or PACs). The languages ${}^1\mathbb{K}{}_1$, ${}^1\mathbb{K}{}_2$, ${}^1\mathbb{K}{}_3$, ${}^2\mathbb{K}$, and ${}^3\mathbb{K}$ are realized in the same supervisor form (see Figure 5). This way, five supervisors, namely, the supervisors ${}^{1}S{}_1$, ${}^{1}S{}_2$, ${}^{1}S{}_3$, ${}^{2}S$, and ${}^{3}S$ can be implemented by a unique function block. This block is proposed to be defined and included in the local library. The supervisor ${}^{4}S$ is implemented by another block. The ladder diagrams of $S$ and ${}^{4}S$ are presented in Figure 7 and Figure 8, respectively. In ladder diagrams, all transitions from each state are grouped. The groups are indexed by the rung number, i.e., in Figure 7 rung 1 indicates the group of all transitions from state $q_{S,1}$ and rung 2 indicates the group of all transitions from state $q_{S,2}$. Similarly, in Figure 8 ladder diagram consist of six groups.

Using the methods proposed in [21,22,23,24], it is observed that the present supervisory control scheme is offered for the realization of using the IEC 61499 standard. Using the instructions in [22,24] or even the simulation software “Supremica” (see [23]), the algorithms of the function blocks can easily be developed, and the design of the event execution control is straightforward. Additionally, it is mentioned that the three subsystems of the plant are shuffled, and only the valve has controllable events (automaton $G_{FV}$). Thus, the supervisory control algorithm is implementable via quite simple programs, while only a few events are interconnected between the control device of each subsystem. In particular, ${}^{1}S{}_1$ can be implemented as a local supervisor of $G_{FV}$, while events not included in the alphabet of ${}^{1}S{}_1$ (external events) are not required. The supervisor ${}^{1}S{}_2$ can be implemented as a local supervisor of $G_{FV}$, and the availability of the “external” events $e_{B,3}$ and $e_{B,4}$ is required. The supervisor ${}^{1}S{}_3$ can be implemented as local a supervisor of $G_{FV}$, and the availability of the “external” events $e_{P,5}$ and $e_{P,6}$ is required. The supervisor ${}^{2}S$ can be implemented as a local supervisor of $G_{FV}$, and the availability of the “external” events $e_{P,1}$, $e_{P,3}$, and $e_{P,6}$ are necessary. The supervisor ${}^{3}S$ can be implemented as a local supervisor of $G_{FV}$ and the availability of the “external” events $e_{P,2}$, $e_{P,4}$, and $e_{P,6}$ is required. Finally, ${}^{4}S$ can be implemented as a local supervisor of $G_{FV}$, and the availability of the “external” events $e_{B,1}$, $e_{B,2}$, $e_{P,2}$, $e_{P,1}$, and $e_{P,3}$ is required.

7. Conclusions

In the present paper, the issue of the preservation of the efficient functionality of a pressurized reactor unit in the presence of actuator and sensor faults was studied. Considering the presence of faults, the pressurized reactor unit was modeled through the modeling of its subsystems in the form of six-tuple finite deterministic automata. The desired behavior of the reactor unit was analyzed into appropriate rules and translated into a set of prefixed closed, regular, desired languages. A modular supervisory control scheme, based on the desired languages, was developed. The controllability of the proposed languages and the nonblocking property of the controlled automaton were proven. The complexities of the derived supervisors and the overall modular supervisory design scheme were computed. The PLC implementations of the derived supervisors were presented in the form of ladder diagrams. It was mentioned that the complexity of the supervisors was low. In addition, it is important to mention that the supervisors are offered for implementation in the form of function blocks in the framework of the IEC 61499 standard.

The issue of the influence of the present supervisors on a gas pipeline network, interconnected with a pressurized gas reactor unit, is currently under investigation. A future perspective of the present results is the extension to larger and more complex reactor units.