Using Shared-Resource Capacity for Robust Control of Failure-Prone Manufacturing Systems


IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS PART A: SYSTEMS AND HUMANS, VOL. 38, NO. 3, MAY 2008

Using Shared-Resource Capacity for Robust Control of Failure-Prone Manufacturing Systems

Shengyong Wang, Song Foh Chew, and Mark A. Lawley

Abstract: Deadlock-free resource allocation has been an active area of research in flexible manufacturing. Most researchers have assumed that allocated resources do not fail, and thus, little research has addressed the discrete-event supervision of manufacturing systems that are subject to resource failure. In our previous work, we developed supervisory controllers to ensure robust deadlock-free operation for systems with unreliable resources. These controllers guarantee that parts requiring failed resources do not block the production of parts that do not require failed resources. This previous work assumes that parts requiring failed resources can be advanced into failure-dependent (FD) buffer space (buffer space exclusively dedicated to parts requiring unreliable resources). Supervisors admit only states for which a sequence of such part advancements is feasible. The research presented in this paper relaxes this assumption because, in some systems, providing FD buffer space might be too expensive or it might be desirable to load the system more heavily with FD parts. In this paper, we concentrate on distributing parts requiring failed resources throughout the buffer space of shared resources so that these distributed parts do not block the production of part types that do not require failed resources. The approach presented here requires no state enumeration and is polynomial in stable measures of system size. We also present results from simulation experiments that compare system performance under these new policies with system performance under our previously published supervisors. These results show that our new policies allow better performance if the required part mixes favor FD part types. The systems of interest are single-unit resource allocation systems.

Index Terms: Deadlock avoidance, failure-prone systems, flexible manufacturing systems, resource allocation, supervisory control.

NOMENCLATURE

r_i  System resource type i.
R  Set of system resource types.
R_U  Set of unreliable resources.
R_R  Set of reliable resources.
R_FD  Set of FD resources.
R_NFD  Set of NFD resources.
R_PFD  Set of PFD resources.
R  Set of currently failed resources.
R+  Set of currently failed resources with one additional failure.
R−  Set of currently failed resources with one repair.
C_i  Capacity of resource type i.
P  Set of part types.
P_j  Part type j.
P_jk  kth stage of part type P_j.
P_FD  FD part-type stages.
P_NFD  NFD part-type stages.
T_j  Route of P_j.
RT_jk  Residual route of P_jk.
ρ  ρ(P_jk) returns the resource required by P_jk.
Ω_i  Set of part-type stages supported by r_i.
Q  Set of system states.
Q_0  Set of initial states.
Σ  Set of system events.
Σ_c  Set of controllable system events.
Σ_u  Set of uncontrollable system events.
α_jk  Event representing the allocation of ρ(P_jk) to p_{j,k−1}.
β_jk  Service completion for P_jk on resource ρ(P_jk).
κ_i  Event representing failure of the server of resource r_i.
η_i  Event representing repair of the server of resource r_i.
ξ  Event-enabling function.
δ  State transition function.
Π  Set of parts in the system.
Π_i  Set of parts located at r_i.
Π_FD  Set of FD parts in the system.
Π_NFD  Set of NFD parts in the system.
Π_FD,i  Set of FD parts on r_i.
y_jk  Number of unfinished units of P_jk at ρ(P_jk).
x_jk  Number of finished units of P_jk at ρ(P_jk).
z_jk  Sum of x_jk and y_jk.
ANOVA  Analysis of variance.
BA  Banker's algorithm.
DAP  Deadlock avoidance policy.
FD  Failure dependent.
NFD  Non-FD.
NHC  Neighborhood policy.
PFD  Partially FD.
RCO  Region of continuous operation.
RFD  Region of failure dependence.
ROD  Region of distribution.
RO  Resource order policy.
SU-RAS  Single-unit resource allocation system.

Manuscript received January 23, 2006; revised October 7, 2006 and April 5. This paper was recommended by Associate Editor M. P. Fanti. S. Wang is with the Department of Systems Science and Industrial Engineering, State University of New York at Binghamton, Binghamton, NY USA. S. F. Chew is with the Department of Mathematics and Statistics, Southern Illinois University Edwardsville, Edwardsville, IL USA. M. A. Lawley is with the Weldon School of Biomedical Engineering, Purdue University, West Lafayette, IN USA. Color versions of one or more of the figures in this paper are available online. Digital Object Identifier /TSMCA

I. INTRODUCTION

Real-time resource allocation is a basic control function in flexibly automated manufacturing systems. Over the past decade, significant research has addressed the deadlock-free allocation of system buffer space, and researchers have developed many useful and practical results [1]–[15]. Comparatively little work has addressed the control of these systems so that they are robust to failures. The concept of robust operation for systems with unreliable resources implies not only that these systems remain deadlock free but also that they continue to operate without disruption when resource failure and repair occur. A nominal requirement would be that they continue to produce part types not requiring failed resources. To this end, a supervisor must control the resource allocation state so that, if a failure occurs, parts requiring failed resources can be redistributed or relocated so that they do not stall the production of parts not requiring failed resources. The redistribution must be safe, so that when failed resources are repaired, system operation can continue. Research addressing this class of systems can be found in [16]–[26]. We will first review the work of other researchers and then briefly review our previous work.

In [17], Reveliotis addresses the issue of part blocking in the presence of contingencies due to resource breakdown or the introduction of expedient jobs. He combines flexible routing with the DAPs developed in [10]–[14] to accommodate operational contingencies. This approach assumes that each part follows an assigned route until a failure occurs. At that point, a route reassignment is computed, and some set of parts is removed from the system in order to continue operation.
Park and Lim [18] address fault-tolerant supervisory control by deriving necessary and sufficient conditions for the existence of a fault-tolerant supervisor. These conditions are stated in terms of language-theoretic properties and are computationally intensive to evaluate. In [20]–[24], Hsieh develops fault-tolerant controllers for assembly processes using the Petri net formalism. Resource failure is modeled as the removal of tokens from the marking of the Petri net, and sufficient conditions for liveness after the tokens are removed are established. The approach uses the concept of minimal resource requirement to determine acceptable control actions. That is, the firing of a transition is allowed only if the resultant marking has a reachable marking that covers the minimal resource requirements of the processes in the net. The work also proposes a subclass of Petri nets for modeling systems with flexible routing. Fault-tolerant conditions for these Petri nets are established, and a decomposition method is proposed to test the feasibility of production routes.

This paper differs from [17] in that we do not assume outside capacity to be sufficient to remove any number of parts from the system. In other words, our controllers take capacity outside the system (the central buffer) into account in making allocation decisions. We differ from [18] in that we focus on developing robust polynomial control policies and not on establishing conditions for their existence. Finally, we differ from [20]–[24] in that we accept that the failure of a resource will prevent our system from achieving its full range of production. Our objective is to control the system so that if a resource fails, the system can continue to produce part types not requiring that resource. This does not imply that a Petri net model of the system would be live under failure.

Our previous research defines the requirements for robust supervision and develops several robust supervisors for SU-RAS.
In [16], we develop robust supervisors for systems with a single unreliable resource by modifying and combining the DAPs of [10]–[13]. In [25], we combine the RO [14] with an NHC to develop an algebraic supervisor that is robust to the failure of a single unreliable resource. In [26], we extend the results of [16] to systems with multiple unreliable resources so that if any subset of unreliable resources fails, the residual system can continue to produce all part types not requiring failed resources. Note that the supervisors of [16], [25], and [26] admit only safe states for which there exists a sequence of resource allocations that advances parts requiring unreliable resources into FD buffer space (buffer space dedicated exclusively to parts requiring unreliable resources). This guarantees that when unreliable resources fail, shared resources can be cleared of parts requiring failed resources, so that these parts do not block the production of parts not requiring failed resources.

In this paper, we relax this requirement so that the system can be more heavily loaded with FD parts, as might be desirable when required part mixes favor FD part types. In our experience, relaxing this assumption is essential for automated systems that produce very large, bulky components such as semitrailers for hauling freight, where buffer space is necessarily limited. To relax the assumption, we must develop robust supervisors that distribute parts requiring failed resources throughout the buffer space of shared resources such that these parts do not block the production of part types not requiring failed resources. Our approach is to group the resources into three resource regions: the RCO, RFD, and ROD. We then develop supervisors for each of these regions and show that their conjunction satisfies the properties of a robust supervisor.
We first do this for systems with a single unreliable resource and then extend our results to multiple unreliable resources under the assumption that at most one resource fails at a time. If multiple resources fail simultaneously, the supervisors developed here cannot guarantee robust operation, and some part types not requiring failed resources may be blocked from production until repair events occur. This more limited robustness is the cost of more flexible allocation for FD parts. Finally, we present the results of simulation experiments illustrating that the policies developed in this paper allow better system performance than the policies presented in our previous work when priority is placed on FD parts.

The remainder of this paper is organized as follows. Section II formally defines the system and the problem that we address. Section III presents the development of the supervisor RO^2 for systems with a single unreliable resource, whereas Section IV presents the development of the supervisor RO^4 for systems with multiple unreliable resources. These supervisors assume that each part type requires at most one unreliable resource, and they guarantee continuous operation in the face of a single resource failure. Section V presents the results of a simulation experiment that compares system performance under these new policies with system performance under our previously published supervisors. Finally, Section VI discusses future research directions. For the sake of readability, formal definitions and proofs are located in the Appendix.

Fig. 1. Example system with a single unreliable resource.

II. DISCRETE EVENT SYSTEM

The SU-RAS model presented in this section is identical to that of [16], [21], and [22]. For self-containment, we discuss the model based on the example system shown in Fig. 1. We model the system as a nine-tuple S = ⟨R, C, P, ρ, Q, Q_0, Σ, ξ, δ⟩. Let R be the set of resource types, R = R_R ∪ R_U, where R_R is the set of reliable resource types, which are not subject to failure, and R_U is the set of unreliable resource types, which are subject to failure. In the example system in Fig. 1, R_R = {r_2, r_3, r_4, r_5, r_6} and R_U = {r_1}. Let C be the resource-capacity vector, C = ⟨C_i : i = 1, ..., |R|⟩, where C_i is the capacity of the buffer associated with resource type r_i ∈ R. In the example system, every resource has four units of capacity; thus, C = ⟨4, 4, 4, 4, 4, 4⟩. Let P be the set of part types produced by the system. Each part type P_j ∈ P represents an ordered set of processing stages P_j = ⟨P_j1, ..., P_{j|P_j|}⟩, where part-type stage P_jk represents the kth processing stage of P_j. Four product types are produced in the example system, with processing stages P_1 = {P_11, P_12, P_13, P_14}, P_2 = {P_21, P_22, P_23, P_24}, P_3 = {P_31, P_32, P_33}, and P_4 = {P_41, P_42, P_43}. We use p_jk to represent an actual instance of P_jk. Let ρ : P_j → R be a function such that ρ(P_jk) returns the resource required by P_jk. Thus, the route of P_j, in terms of resources used, is T_j = ⟨ρ(P_j1), ..., ρ(P_{j|P_j|})⟩.
The corresponding product routes in the example system are T_1 = ⟨r_4, r_3, r_2, r_1⟩ for P_1, T_2 = ⟨r_1, r_2, r_3, r_5⟩ for P_2, T_3 = ⟨r_5, r_2, r_6⟩ for P_3, and T_4 = ⟨r_6, r_2, r_5⟩ for P_4. We let Ω_i be the set of part-type stages supported by r_i, i.e., Ω_i = {P_jk : ρ(P_jk) = r_i ∈ R}. In the example system, Ω_1 = {P_21, P_14}, Ω_2 = {P_13, P_22, P_32, P_42}, and so on (see Fig. 1).

We suppose our system resource types to be workstations consisting of buffer space for staging and storing parts and one server or processor for operating on parts. The capacity of a system resource type indicates the size of the associated buffer. A server is busy so long as there are unfinished parts in the buffer. A failure of a resource type implies failure of the associated server, not the associated buffer. We assume that when a server fails, we may continue to allocate parts to its associated buffer space up to capacity. Unfinished parts in the buffer space, however, may not be processed and, hence, may not proceed along their respective routes until the server is repaired. Finished parts in the buffer may be advanced out and, hence, may move along their respective routes even if the server fails. We assume that server failure does not damage or destroy a part being processed (although this assumption is not necessary) and that failure can only occur when a server is busy.

Let Q represent the set of system states. For a state q ∈ Q, we have q = ⟨sv_i, y_jk, x_jk : i = 1, ..., |R|, j = 1, ..., |P|, k = 1, ..., |P_j|⟩, where sv_i is the status of the server of workstation i (0 if failed, 1 if operational), y_jk is the number of unfinished units of P_jk (parts waiting for the server and in process) located in the buffer space of ρ(P_jk), and x_jk is the number of finished units of P_jk located in the buffer space of ρ(P_jk). Q_0 is the set of initial states, where q_0 ∈ Q_0 is the state in which no resources are allocated and all servers are operational.
The dimension of a system state q is |R| + Σ_{j=1}^{|P|} 2|P_j|.

Let Σ represent the set of system events that can occur. Σ is partitioned into two sets, the set of controllable events Σ_c and the set of uncontrollable events Σ_u. The controllable events are those that the supervisor can disable; in our model, this means preventing the allocation of a unit of a requested resource ρ(P_jk) to a requesting part p_{j,k−1}. We use α_jk to represent the allocation of a unit of the requested resource ρ(P_jk) to a requesting part p_{j,k−1}. In addition, α_{j,|P_j|+1} represents a finished part of part type P_j leaving the system. Thus, in our model, Σ_c = {α_jk : j = 1, ..., |P|, k = 1, ..., |P_j| + 1} is the set of controllable events. In the example in Fig. 1,

Σ_c = {α_11, α_12, α_13, α_14, α_15; (allocation events for P_1)
       α_21, α_22, α_23, α_24, α_25; (allocation events for P_2)
       α_31, α_32, α_33, α_34; (allocation events for P_3)
       α_41, α_42, α_43, α_44}. (allocation events for P_4)

The uncontrollable events represent those events that our supervisors cannot disable. These include part completions, denoted β_jk [i.e., the completion of server processing on a part p_jk on resource ρ(P_jk)], resource failures, denoted κ_i, and resource repairs, denoted η_i. That is, κ_i represents the failure of the server of resource r_i, whereas η_i represents the repair of the server of resource r_i. More formally, let Σ_u = Σ_u1 ∪ Σ_u2 be the set of uncontrollable events, where Σ_u1 = {β_jk : j = 1, ..., |P|, k = 1, ..., |P_j|} represents the completion of service for an instance of P_jk and Σ_u2 = {κ_i, η_i : r_i ∈ R_U} represents the failure (κ_i) and repair (η_i) events of the server of unreliable resource r_i. Again, service completions, failures, and repairs are assumed to be beyond a controller's influence. In Fig. 1, the uncontrollable event sets are

Σ_u1 = {β_11, β_12, β_13, β_14; (completion events for P_1)
        β_21, β_22, β_23, β_24; (completion events for P_2)
        β_31, β_32, β_33; (completion events for P_3)
        β_41, β_42, β_43} (completion events for P_4)
Σ_u2 = {κ_1, η_1} (failure/repair events for r_1).

We now require two functions. The first, denoted ξ, computes the events that are enabled for a given state (i.e., ξ : Q → 2^Σ is a function that, for a given state, returns the set of enabled events). This function is defined for a state q as follows.

1) Events that release new parts into the system are enabled when space is available on the first required workstation in the route, i.e., for P_j1 ∈ Ω_i, if C_i − Σ_{P_uv ∈ Ω_i} (y_uv + x_uv) > 0, then α_j1 ∈ ξ(q).
2) If a part is at service, then the corresponding service completion event is enabled, i.e., for P_jk ∈ Ω_i, if y_jk > 0 and sv_i = 1, then β_jk ∈ ξ(q).
3) If the server is busy with a part, then the corresponding failure event is enabled, i.e., for r_i ∈ R_U, if sv_i = 1 and y_jk > 0 for some P_jk ∈ Ω_i, then κ_i ∈ ξ(q).
4) If the server is failed, the corresponding repair event is enabled, and the corresponding service completion events are disabled, i.e., for r_i ∈ R_U, if sv_i = 0, then η_i ∈ ξ(q) and β_jk ∉ ξ(q) for all P_jk ∈ Ω_i.
5) When a part finishes its current operation and buffer space is available at its next required workstation, the event corresponding to the advancement of the part is enabled, i.e., for P_jk ∈ Ω_i with 1 < k ≤ |P_j|, if x_{j,k−1} > 0 and C_i − Σ_{P_uv ∈ Ω_i} (y_uv + x_uv) > 0, then α_jk ∈ ξ(q).
6) If a part has finished all of its operations, the event corresponding to unloading it from the system is enabled, i.e., for P_{j|P_j|} ∈ Ω_i, if x_{j|P_j|} > 0, then α_{j,|P_j|+1} ∈ ξ(q).
The second required function, denoted δ, computes state transitions, i.e., from the current state plus a selected event for execution, δ determines the state that results after the execution of the event. Specifically, let δ : Q × Σ → Q such that

δ(q, α_jk) = q − e_{x_{j,k−1}} + e_{y_jk} (advancement of a part p_{j,k−1})
δ(q, β_jk) = q − e_{y_jk} + e_{x_jk} (service completion of a part p_jk)
δ(q, κ_i) = q − e_{sv_i} (failure of server i)
δ(q, η_i) = q + e_{sv_i} (repair of server i)

where e_{x_{j,k−1}}, e_{y_jk}, e_{x_jk}, and e_{sv_i} are the standard unit vectors with the components corresponding to x_{j,k−1}, y_jk, x_jk, and sv_i, respectively, equal to one. Note that e_{x_j0} = e_{y_{j,|P_j|+1}} = 0, the zero vector of the same dimension, and that P_j0 represents the parts of P_j waiting outside the system.

As an example, in Fig. 1, if r_1 is operational and holding a finished unit of P_21 and an unfinished unit of P_14, r_2 is holding an unfinished unit of P_22 and an unfinished unit of P_32, r_6 is holding a finished unit of P_33, and all other resources are idle, then the corresponding state vector is

q = ⟨1, 1, 1, 1, 1, 1; (all servers operational)
y_jk: 0, 0, 0, 1; (y_14 = 1, one unfinished P_14)
      0, 1, 0, 0; (y_22 = 1, one unfinished P_22)
      0, 1, 0; (y_32 = 1, one unfinished P_32)
      0, 0, 0; (no unfinished P_4)
x_jk: 0, 0, 0, 0; (no finished P_1)
      1, 0, 0, 0; (x_21 = 1, one finished P_21)
      0, 0, 1; (x_33 = 1, one finished P_33)
      0, 0, 0⟩ (no finished P_4).

The corresponding enabled events are

ξ(q) = {β_14, β_22, β_32; (enabled completion events)
        α_22, α_34; (enabled allocation events)
        κ_1} (enabled failure event for r_1).

If we execute event α_22, then we get a new state δ(q, α_22) = q − e_{x_21} + e_{y_22} = q′, where

q′ = ⟨1, 1, 1, 1, 1, 1; (all servers operational)
y_jk: 0, 0, 0, 1; (y_14 = 1, one unfinished P_14)
      0, 2, 0, 0; (y_22 = 2, two unfinished P_22s)
      0, 1, 0; (y_32 = 1, one unfinished P_32)
      0, 0, 0; (no unfinished P_4)
x_jk: 0, 0, 0, 0; (no finished P_1)
      0, 0, 0, 0; (no finished P_2)
      0, 0, 1; (x_33 = 1, one finished P_33)
      0, 0, 0⟩ (no finished P_4).

Note that when r_1 fails (the event κ_1 occurs), the occurrences of events in the set

{α_11, α_12, α_13, α_14, α_15, β_11, β_12, β_13, β_14} (events associated with P_1)
∪ {α_21, α_22, α_23, α_24, α_25, β_21, β_22, β_23, β_24} (events associated with P_2)

are bounded until the repair event η_1 occurs. Our objective with robust supervisory control is to make sure that these are the only events whose occurrences are bounded by the failure of r_1. For example, if we are in the state

q = ⟨1, 1, 1, 1, 1, 1; (all servers operational)
y_jk: 0, 0, 0, 4; (y_14 = 4, four unfinished P_14s)
      0, 0, 0, 0; (no unfinished P_2)
      0, 0, 0; (no unfinished P_3)
      0, 0, 0; (no unfinished P_4)
x_jk: 0, 0, 4, 0; (x_13 = 4, four finished P_13s)
      0, 0, 0, 0; (no finished P_2)
      0, 0, 0; (no finished P_3)
      0, 0, 0⟩ (no finished P_4)

and r_1 fails (the event κ_1 occurs), then the occurrence of all system events will be bounded or blocked until the repair event occurs. This is because every part type requires resource r_2, which is completely allocated to parts of type P_13. These instances of P_13 are blocked from advancing to r_1, because its buffer space is completely allocated to instances of P_14, which are all unfinished. Note that this prevents P_3 and P_4 from producing although they do not require the failed r_1. Thus, the failure of r_1 in this state will eventually stall the whole system, which is what we want to avoid through robust supervision.
The properties that we want to ensure through robust supervision are informally stated in the following (the formal statement is given in Appendix A).

Property 2.1: A supervisory controller is said to be robust to resource failures if it satisfies the following.
1) The supervisory controller guarantees deadlock-free operation with no resource failures.
2) The supervisory controller guarantees that the system visits only states for which continuing operation is possible in the event of a resource failure.
3) The supervisory controller guarantees deadlock-free operation while unreliable resources are failed.
4) The supervisory controller guarantees that while unreliable resources are failed, the system visits only states for which deadlock-free operation is possible in the event of repair.

One objective of our research in robust supervisory control is to develop maximally robust supervisory control policies that satisfy the aforementioned property for any possible subset of failed resources. Such policies are presented in [26]. We are also interested in policies that provide some protection against failure but cannot be considered maximally robust (we refer to these as partially robust). This can be advantageous because achieving maximal robustness typically requires greater restrictions on the part mix and resource allocation state than does partial robustness. This paper presents a new class of robust controllers that is partially robust for systems with multiple unreliable resources. These controllers are robust to resource failures that do not occur simultaneously. However, when more than one resource fails at a time, dependence chains that cannot be resolved until repair events occur can form. These dependence chains are not cyclic, i.e., no deadlock will occur, correct operation will continue after sufficient repair events occur, and dependence chains will work themselves out without human intervention.
As previously stated, the advantage is that these policies allow greater allocation flexibility under nominal operation while still protecting against single resource failures. More specifically, our maximally robust supervisors [26] constrain the resource allocation state by requiring parts that need future processing on unreliable resources to have buffer capacity reserved on FD resources (resources dedicated exclusively to processing parts requiring unreliable resources). This assures that if unreliable resources fail, operational resources can be cleared of parts waiting for them to be repaired. The partially robust policies presented here allow such parts to be distributed among the buffer space of resources along their respective routes. This allows greater allocation flexibility because more parts requiring unreliable resources can be allowed in the system. Furthermore, if a single resource is failed, the policy guarantees that the distribution of parts requiring the failed resource does not block the production of parts not requiring that resource. If more than one resource fails at a time, acyclic dependence chains can form, as previously discussed, which cannot be resolved until sufficient repair events occur. After developing the new policies in the next two sections, we analyze simulation experiments that help reveal, from a performance perspective, when this form of partially robust control is more desirable than maximal robustness.

III. SINGLE UNRELIABLE RESOURCE

In this section, we develop a robust supervisory controller for systems with a single unreliable resource, denoted RO^2, which is a conjunction of two ROs [14]. Recall that RO is a suboptimal DAP based on the intuition that parts flowing in opposite directions through the same set of workstations must at some point be able to pass (see Appendix F for a brief example). In this policy, the workstations are ordered, and each part is categorized according to how it flows with respect to that order. Resource allocation is constrained so that there never simultaneously exists a workstation that is low in the order filled with parts moving up the order and a workstation that is high in the order filled with parts moving down the order (this negates a necessary condition for both deadlock and unsafeness). RO is expressible as a set of O(|R|^2) linear inequalities that defines a deadlock-free region of system operation. In [14], Lawley et al. prove the correctness of RO for systems with no unreliable resources. In [25], Lawley illustrates how to apply RO in conjunction with an NHC to guarantee robust operation for systems with a single unreliable resource, assuming that parts requiring that resource can be advanced into FD buffer space. In this paper, we relax this assumption, i.e., we establish robust operation without assuming that shared resources can be cleared of parts requiring a failed resource.

In the following, Section III-A presents the grouping of resources and the definitions of the different resource regions to which RO will be applied. Section III-B introduces RO^2 and provides examples to illustrate its application. Both sections refer frequently to Fig. 1, which shows a system with six resources, four part types, and one unreliable resource. The Appendix provides formal proofs of the robustness of RO^2. Section IV extends our results to systems with multiple unreliable resources.

Fig. 2. Resource regions and RO. (a) Resource regions. (b) RO^2 for resource regions.

Fig. 3. Resource regions for the system in Fig. 1.

A. Resource Classification and Resource Regions

Recall that Ω_i = {P_jk : ρ(P_jk) = r_i} is the set of part-type stages supported by a resource r_i.
We say that a part-type stage P_jk is FD if it requires an unreliable resource in its residual route, i.e., if ρ(P_jm) ∈ R_U for some m ≥ k. Otherwise, P_jk is NFD. Let P_FD and P_NFD represent the sets of FD and NFD part-type stages, respectively. For example, in Fig. 1, P_FD = {P_11, P_12, P_13, P_14, P_21} and P_NFD = {P_22, P_23, P_24, P_31, P_32, P_33, P_41, P_42, P_43}.

For the next three paragraphs, the reader should refer to Figs. 2(a) and 3. We say that r_i is an FD resource if r_i supports an FD part-type stage, i.e., if Ω_i ∩ P_FD ≠ ∅. Otherwise, r_i is an NFD resource. Furthermore, r_i is a PFD resource if it supports both FD and NFD part-type stages, i.e., if Ω_i ∩ P_FD ≠ ∅ and Ω_i ∩ P_NFD ≠ ∅. Thus, an FD resource will process FD parts and possibly NFD parts, whereas an NFD resource processes only NFD parts. A PFD resource will process at least one FD and one NFD part. We can now define three resource sets: R_FD = {r_i : r_i is an FD resource}, R_NFD = {r_i : r_i is an NFD resource}, and R_PFD = {r_i : r_i is a PFD resource}. In Fig. 1, these sets are R_FD = {r_1, r_2, r_3, r_4}, R_NFD = {r_5, r_6}, and R_PFD = {r_2, r_3}. Clearly, the following set relationships hold.
1) All unreliable resources are FD, i.e., R_U ⊆ R_FD.
2) All PFD resources are FD, i.e., R_PFD ⊆ R_FD.
3) A resource cannot be both FD and NFD, i.e., R_FD ∩ R_NFD = ∅.
4) Each resource is either FD or NFD, i.e., R_FD ∪ R_NFD = R.
5) PFD and NFD resources are reliable, i.e., R_PFD ∪ R_NFD ⊆ R_R.
Note that a PFD resource is reliable; otherwise, all of its supported parts would be FD.

Based on these sets, we define the following three resource regions.
1) The region of continuous operation, RCO = R_PFD ∪ R_NFD. These are the resources that must continue operating after the unreliable resource fails. Note that RCO does not contain the unreliable resource.
2) The region of failure dependence, RFD = R_FD. These are the resources that can hold parts requiring the failed resource. This set includes the unreliable resource.

3) The region of distribution, ROD = RFD \ R_U. These are the operational resources throughout which FD parts must be distributed when the unreliable resource fails. This set does not contain the unreliable resource.

Fig. 2(a) abstractly shows these regions. Fig. 3 shows the regions for the system in Fig. 1, where RCO = {r_2, r_3, r_5, r_6}, RFD = {r_1, r_2, r_3, r_4}, and ROD = {r_2, r_3, r_4}. Our intuition is as follows. If r_1 fails, we want our RCO, RCO = {r_2, r_3, r_5, r_6}, to keep on making parts not requiring r_1 (P_3 and P_4). To achieve this, we want to be able to distribute parts requiring r_1 (P_1 and P_2) throughout the buffer space of resources in the RFD, RFD = {r_1, r_2, r_3, r_4}, such that no resource in RCO is filled with these FD parts. Operational resources that might have to be shared by FD and NFD parts are contained in the ROD, ROD = {r_2, r_3, r_4}. The next section defines and illustrates a supervisor that achieves our control objective.

B. RO^2

In this section, we develop a supervisory controller for systems with |R_U| = 1. Denoted RO^2, this controller is the conjunction of two constraint sets: RO_RCO and RO_RFD. Fig. 2(b) shows the resource regions to which RO_RCO and RO_RFD are applied.

Definition 3.1: RO_RCO is the set of constraints

Σ_{P_jk ∈ Ω_g} z_jk + Σ_{P_uv ∈ Ω_h} z_uv < C_g + C_h

where z_st = x_st + y_st, r_g, r_h ∈ RCO, and g ≠ h. RO_RCO restricts the number of FD and NFD parts in RCO so that there exists in RCO at most one capacitated resource.

Definition 3.2: RO_RFD is the set of constraints

Σ_{P_jk ∈ Ω_g ∩ P_FD} z_jk + Σ_{P_uv ∈ Ω_h ∩ P_FD} z_uv < C_g + C_h

where z_st = x_st + y_st, r_g, r_h ∈ RFD, and g ≠ h. RO_RFD restricts the number of FD parts in RFD so that there exists in RFD at most one resource filled with FD parts.

Definition 3.3: RO^2 admits the enabled controllable event α if and only if δ(q, α) satisfies RO_RCO ∧ RO_RFD.
RO_RCO guarantees deadlock-free operation for RCO by the correctness of RO [14], which uses the fact that any allocation state with at most one filled resource is safe. In its most conservative form, RO restricts the number of filled resources to one. Intuitively, RO is correct by the following logic: 1) if no resource is filled, then the next required resource of every part is available, and the advancement of any single part can result in at most one filled resource; and 2) if only one resource is filled, then the next required resource of every part on the filled resource is available, and the advancement of any part away from the filled resource can result in at most one filled resource. Thus, if the system is in a resource allocation state with at most one filled resource, then it is possible to move to another resource allocation state with at most one filled resource, implying that the system state is safe. (RO is actually much more flexible than this brief explanation implies. For a complete discussion, see [14].)

By using logic that is intuitively similar to the aforementioned, RO_RFD guarantees that a sufficient number of FD parts can be safely advanced out of the shared resources (those in R_PFD ⊆ RCO) so that each shared resource has at least one unit of buffer capacity that is not allocated to an FD part. This allows RCO, under the supervision of RO_RCO, to continue the production of NFD part types. At the same time, RO_RFD guarantees that this advancement of FD parts out of shared resources and into unshared FD resources (those in RFD \ R_PFD) does not cause unsafeness or policy-induced deadlocks in the unshared FD resources. In Appendix B, we rigorously establish these results for all possible cases by constructing a corresponding event sequence permitted by the supervisor, by showing that the resulting state is safe, and by constructing a safe sequence permitted by the supervisor. As an example, we enumerate the constraints for the system in Fig.
1 as follows:

RO_RCO:
r_2 r_3: z_13 + z_22 + z_32 + z_42 + z_12 + z_23 < 8
r_2 r_5: z_13 + z_22 + z_32 + z_42 + z_24 + z_31 + z_43 < 8
r_2 r_6: z_13 + z_22 + z_32 + z_42 + z_33 + z_41 < 8
r_3 r_5: z_12 + z_23 + z_24 + z_31 + z_43 < 8
r_3 r_6: z_12 + z_23 + z_33 + z_41 < 8
r_5 r_6: z_24 + z_31 + z_43 + z_33 + z_41 < 8

RO_RFD:
r_1 r_2: z_14 + z_21 + z_13 < 8
r_1 r_3: z_14 + z_21 + z_12 < 8
r_1 r_4: z_14 + z_21 + z_11 < 8
r_2 r_3: z_13 + z_12 < 8
r_2 r_4: z_13 + z_11 < 8
r_3 r_4: z_12 + z_11 < 8.

We illustrate the use of RO_2 as follows. Consider Fig. 4, which provides a system state, for example, q, for our example system. In q, r_1 and r_2 are holding four p_14s and three p_13s, respectively, whereas r_3 and r_6 have one p_12 and four p_41s, respectively. It is easy to verify that q is admissible by RO_2. Note, in this case, that the only capacitated resource in RCO is r_6 and that the only capacitated resource in R_FD is r_1. There are a number of feasible part advancements from q. For example, a finished p_41 at r_6 may be advanced into r_2 to become a p_42, resulting in a state, for example, q_1. In q_1, RCO has r_2 as the only capacitated resource; hence, RO_RCO is not violated. However, R_FD contains two capacitated resources, r_1 and r_2. Because r_2 holds the NFD part p_42, r_2 is not filled with FD parts. In fact, r_1 is the only resource filled with FD parts in R_FD; thus, RO_RFD is not violated. As a result, RO_2 permits q_1.

Let us look at an inadmissible resulting state. Assume, at q, that the completed p_12 from r_3 is advanced into r_2 to become a p_13, resulting in a state, for example, q_2. Clearly, q_2 is not admissible by RO_2, because q_2 violates RO_RCO and, in fact,

q_2 also violates RO_RFD. Note that q_2 is a safe state, given that unreliable resource r_1 is operational, meaning that there exists a sequence of resource allocations to empty the system of parts from q_2. However, it is possible, at q_2, that r_1 may fail before it has finished any of its p_14s. If this happens, then the system would not be able to continue to produce both P_3 and P_4 because they are now blocked by the p_13s filling r_2. As a consequence, q_2 is undesirable.

Fig. 4. Admissible state by RO_2.

The following theorem establishes that RO_2 satisfies Property 2.1 and, thus, is robust for systems in which there exists a single unreliable resource. (Its counterpart in the Appendix is Theorem B.1 in Appendix B.)

Theorem 3.1: If |R_U| = 1, RO_2 satisfies the requirements of Property 2.1 and is therefore robust to failures of the unreliable resource.

We note that the number of constraints generated by RO_2 is proportional to $O\binom{|R|}{2}$, which is $O(|R|^2)$. Furthermore, the number of terms in each constraint is loosely bounded by the cumulative route length, $CRL = |P_1| + |P_2| + \cdots + |P_{|P|}|$. Thus, evaluating the constraints requires no more than $O(CRL \cdot |R|^2)$ additions and comparisons, which is polynomial.

We now extend our results to systems with multiple unreliable resources under the assumption that each part type requires at most one unreliable resource. We develop a policy that is robust to the failure of one resource at a time.

IV. MULTIPLE UNRELIABLE RESOURCES

This section develops a controller RO_4 that satisfies the requirements of Property 2.1 for systems with multiple unreliable resources if each part type requires at most one unreliable resource and at most one unreliable resource is in the failed state at a time.
If multiple resources are down simultaneously, the production of some part types that are not requiring failed resources may be blocked until repairs occur. This is a more limited form of robustness than that presented in [26], but, as noted earlier in this paper, this is the cost of a more flexible allocation for FD parts. Appendix C provides formal analysis and robustness proofs for this policy.

For the case of multiple unreliable resources, |R_U| > 1, we need to define one additional set. Recall that P_FD and P_NFD represent the sets of FD and NFD part-type stages, respectively. Let P^FD_i represent the set of part-type stages that are FD on r_i ∈ R_U. Fig. 5 shows an example system consisting of eight resources, each with capacity 2, where r_4, r_6, and r_8 are unreliable. This system produces four different part types with their respective routes shown in Fig. 5. Note that

P_FD = {P_21, P_22, P_23, P_31, P_32, P_33, P_41, P_42}
P_NFD = {P_11, P_12, P_13, P_24, P_43}
P^FD_4 = {P_21, P_22, P_23}
P^FD_6 = {P_41, P_42}
P^FD_8 = {P_31, P_32, P_33}

and for resources

R_FD = {r_2, r_4, r_5, r_6, r_7, r_8}
R_NFD = {r_1, r_3}
R_PFD = {r_2}
RCO = {r_1, r_2, r_3}
RFD = {r_2, r_4, r_5, r_6, r_7, r_8}
ROD = {r_2, r_5, r_7}.

Fig. 5. System with three unreliable resources.

To assure robust operation in this system, we will have to extend RO_RFD and define a new RO for ROD, which is RO_ROD. RO_RCO will remain unchanged from the previous section.

Definition 4.1: RO_RFD is the set of constraints

$$\sum_{P_{jk} \in \Omega_g \cap P^{FD}_i} z_{jk} + \sum_{P_{uv} \in \Omega_h \cap P^{FD}_i} z_{uv} < C_g + C_h \quad \text{for } r_i \in R_U$$

where z_st = x_st + y_st, r_g, r_h ∈ RFD, and g ≠ h. RO_RFD is different from that of Definition 3.2 in that we now generate a constraint set for each unreliable resource. RO_RFD admits states for which at most one resource of RFD is capacitated with P^FD_i parts for each r_i ∈ R_U. Note that it does not place any constraint on the total number of RFD resources capacitated, only on the number capacitated by a single FD part type.

Definition 4.2: RO_RFD2 is the set of constraints

$$\sum_{P_{jk} \in \Omega_g \cap P_{FD}} z_{jk} + \sum_{P_{mn} \in \Omega_h \cap P_{FD}} z_{mn} + \sum_{P_{uv} \in \Omega_j \cap P_{FD}} z_{uv} < C_g + C_h + C_j$$

where z_st = x_st + y_st, r_g, r_h, r_j ∈ RFD, and g ≠ h ≠ j.

RO_RFD2 admits states for which at most two resources of RFD are capacitated with FD parts but does not place any constraint on the total number of RFD resources capacitated.

Definition 4.3: RO_ROD is the set of constraints

$$\sum_{P_{jk} \in \Omega_g \cap P_{FD}} z_{jk} + \sum_{P_{uv} \in \Omega_h \cap P_{FD}} z_{uv} < C_g + C_h$$

where z_st = x_st + y_st, r_g, r_h ∈ ROD, and g ≠ h. RO_ROD admits states for which at most one resource of ROD is capacitated with FD parts, although it places no constraint on the number of unreliable resources that are capacitated.

As an example, we enumerate the constraints for the system in Fig. 5 as follows:

RO_RCO
r_1 r_2: z_11 + z_12 + z_21 < 4
r_1 r_3: z_11 + z_13 + z_24 + z_43 < 4
r_2 r_3: z_12 + z_21 + z_13 + z_24 + z_43 < 4

RO_RFD
r_2 r_4: z_21 + z_23 < 4
r_2 r_5: z_21 + z_22 < 4
r_4 r_5: z_23 + z_22 < 4
r_5 r_6: z_41 + z_42 < 4
r_5 r_7: z_31 + z_32 < 4
r_5 r_8: z_31 + z_33 < 4
r_7 r_8: z_32 + z_33 < 4

RO_RFD2
r_2 r_4 r_5: z_21 + z_23 + z_22 + z_31 + z_41 < 6
r_2 r_4 r_6: z_21 + z_23 + z_42 < 6
r_2 r_4 r_7: z_21 + z_23 + z_32 < 6
r_2 r_4 r_8: z_21 + z_23 + z_33 < 6
r_2 r_5 r_6: z_21 + z_22 + z_31 + z_41 + z_42 < 6
r_2 r_5 r_7: z_21 + z_22 + z_31 + z_41 + z_32 < 6
r_2 r_5 r_8: z_21 + z_22 + z_31 + z_41 + z_33 < 6
r_2 r_6 r_7: z_21 + z_42 + z_32 < 6
r_2 r_6 r_8: z_21 + z_42 + z_33 < 6
r_2 r_7 r_8: z_21 + z_32 + z_33 < 6
r_4 r_5 r_6: z_23 + z_22 + z_31 + z_41 + z_42 < 6
r_4 r_5 r_7: z_23 + z_22 + z_31 + z_41 + z_32 < 6
r_4 r_5 r_8: z_23 + z_22 + z_31 + z_41 + z_33 < 6
r_4 r_6 r_7: z_23 + z_42 + z_32 < 6
r_4 r_6 r_8: z_23 + z_42 + z_33 < 6
r_4 r_7 r_8: z_23 + z_32 + z_33 < 6
r_5 r_6 r_7: z_22 + z_31 + z_41 + z_42 + z_32 < 6
r_5 r_6 r_8: z_22 + z_31 + z_41 + z_42 + z_33 < 6
r_5 r_7 r_8: z_22 + z_31 + z_41 + z_32 + z_33 < 6
r_6 r_7 r_8: z_42 + z_32 + z_33 < 6

RO_ROD
r_2 r_5: z_21 + z_22 + z_31 + z_41 < 4
r_2 r_7: z_21 + z_32 < 4
r_5 r_7: z_22 + z_31 + z_41 + z_32 < 4.

Note that the number of constraints generated is $O\binom{|R|}{3}$ and that, as before, the number of terms in each constraint is bounded by CRL. Thus, evaluating these constraints is no worse than $O(CRL \cdot |R|^3)$. We now define RO_4.

Definition 4.4: RO_4 admits the enabled controllable event α if and only if δ(q, α) satisfies RO_RCO ∧ RO_RFD ∧ RO_RFD2 ∧ RO_ROD.

Note that if |R_U| = 1, then both RO_RFD2 and RO_ROD are implied by RO_RFD, i.e., they are redundant, and thus, RO_4 is equivalent to RO_2. Furthermore, if R_U = ∅, then both RO_2 and RO_4 are equivalent to the original RO given in [14].

Fig. 6. Admissible state by RO_4.

We illustrate RO_4 as follows. Fig. 6 shows a system state, for example, q, for the system in Fig. 5. In q, r_2 is holding a p_12 and a p_21, and r_5 and r_6 are holding a p_41 and two p_42s, respectively. It is easy to verify that q is admissible by RO_4. There are a few feasible part advancements from q. For instance, we may load a new part into the system, such as loading a p_31 into r_5, resulting in a state, for example, q_1. In q_1, r_2 is the only capacitated resource in RCO; thus, RO_RCO is not violated. There are three capacitated resources, which are r_2, r_5, and r_6, in RFD. However, because p_12 is an NFD part, only r_5 and r_6 are filled with FD parts, rendering no violation of RO_RFD2. Furthermore, RO_ROD is not violated, because r_5 is the only resource of ROD filled with FD parts. Clearly, there do not exist two or more resources filled with parts that are FD on the same unreliable resource; thus, RO_RFD is not violated. As a result, q_1 is acceptable to RO_4.

We next look at an undesirable resulting state. For example, if we load a p_41 into r_5 at q, we get a state, for example, q_2, with two resources r_5 and r_6 filled with parts that are FD on the same unreliable resource r_6. Thus, q_2 violates RO_RFD and is not permitted by RO_4.
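The admissibility checks of Sections III-B and IV, as an added, runnable Python example that is not part of the paper and not the authors' code: it encodes the Fig. 1 and Fig. 5 systems (routes and capacities read off the enumerated constraints), derives the FD/NFD classification and the regions RCO, RFD and ROD, generates the constraint sets of RO_2 and RO_4, and evaluates the states q, q_1 and q_2 of Figs. 4 and 6. The dictionary encoding, the function names and the rule that a constraint group in which some resource contributes no term is dropped (it is implied by buffer capacity, and matches the paper's enumerations) are my own assumptions.

```python
from itertools import combinations

# Constructed encodings of the paper's two example systems (my encoding, not the
# authors' code). A route lists the resource of stages P_j1, P_j2, ... in order.
FIG1 = {  # Fig. 1: single unreliable resource r1, every buffer holds 4 parts
    "capacity": {f"r{i}": 4 for i in range(1, 7)},
    "unreliable": {"r1"},
    "routes": {"P1": ["r4", "r3", "r2", "r1"], "P2": ["r1", "r2", "r3", "r5"],
               "P3": ["r5", "r2", "r6"], "P4": ["r6", "r2", "r5"]},
}
FIG5 = {  # Fig. 5: unreliable resources r4, r6, r8, every buffer holds 2 parts
    "capacity": {f"r{i}": 2 for i in range(1, 9)},
    "unreliable": {"r4", "r6", "r8"},
    "routes": {"P1": ["r1", "r2", "r3"], "P2": ["r2", "r5", "r4", "r3"],
               "P3": ["r5", "r7", "r8"], "P4": ["r5", "r6", "r3"]},
}


def analyze(system):
    """Classify stages and resources as in Sections III-A and IV.

    Returns omega (resource -> its stages), fd_on (stage -> the unreliable
    resource it is FD on, None if NFD) and the sets R_U, RCO, RFD and ROD.
    """
    omega = {r: set() for r in system["capacity"]}
    fd_on = {}
    for ptype, route in system["routes"].items():
        for k, res in enumerate(route, start=1):
            stage = f"{ptype}{k}"                       # "P1", k=2 -> "P12"
            omega[res].add(stage)
            # FD iff an unreliable resource lies in the residual route (stage k on)
            unrel = [r for r in route[k - 1:] if r in system["unreliable"]]
            fd_on[stage] = unrel[0] if unrel else None
    r_fd = {r for r in omega if any(fd_on[s] for s in omega[r])}
    r_pfd = {r for r in r_fd if any(fd_on[s] is None for s in omega[r])}
    r_u = set(system["unreliable"])
    return {"omega": omega, "fd_on": fd_on, "R_U": r_u,
            "RCO": (set(omega) - r_fd) | r_pfd, "RFD": r_fd, "ROD": r_fd - r_u}


def constraints(system, policy):
    """Enumerate the constraints of RO2 (policy="RO2") or RO4 (policy="RO4").

    Each constraint is (label, stages summed, bound); a state satisfies it when
    the summed part counts are < bound. A group in which some resource has no
    term is implied by capacity alone and is dropped (assumption, see lead-in).
    """
    a = analyze(system)
    cap, omega, fd_on = system["capacity"], a["omega"], a["fd_on"]

    def group(name, region, size, keep):
        out = []
        for rs in combinations(sorted(region), size):
            terms = [{s for s in omega[r] if keep(s)} for r in rs]
            if all(terms):
                out.append((f"{name} {' '.join(rs)}", frozenset().union(*terms),
                            sum(cap[r] for r in rs)))
        return out

    is_fd = lambda s: fd_on[s] is not None
    cons = group("RO_RCO", a["RCO"], 2, lambda s: True)     # all parts, pairs of RCO
    if policy == "RO2":
        cons += group("RO_RFD", a["RFD"], 2, is_fd)         # FD parts, pairs of RFD
    else:
        for ru in sorted(a["R_U"]):                          # one set per unreliable r_i
            cons += group(f"RO_RFD[{ru}]", a["RFD"], 2, lambda s, ru=ru: fd_on[s] == ru)
        cons += group("RO_RFD2", a["RFD"], 3, is_fd)        # FD parts, triples of RFD
        cons += group("RO_ROD", a["ROD"], 2, is_fd)         # FD parts, pairs of ROD
    return cons


def violations(state, cons):
    """Labels of the constraints violated by a state given as stage -> part count."""
    return [lab for lab, terms, bound in cons
            if sum(state.get(s, 0) for s in terms) >= bound]


def admissible(state, cons):
    """The supervisor admits an event iff the resulting state violates nothing."""
    return not violations(state, cons)


# States of Figs. 4 and 6 and the two successor states discussed in the text.
Q_FIG4 = {"P14": 4, "P13": 3, "P12": 1, "P41": 4}
Q1_FIG4 = {"P14": 4, "P13": 3, "P42": 1, "P12": 1, "P41": 3}  # a p41 advanced r6 -> r2
Q2_FIG4 = {"P14": 4, "P13": 4, "P41": 4}                     # the p12 advanced r3 -> r2
Q_FIG6 = {"P12": 1, "P21": 1, "P41": 1, "P42": 2}
Q1_FIG6 = {**Q_FIG6, "P31": 1}                               # a new p31 loaded into r5
Q2_FIG6 = {**Q_FIG6, "P41": 2}                               # a new p41 loaded into r5

if __name__ == "__main__":
    for name, sys_, pol, states in (("Fig. 1 under RO2", FIG1, "RO2", (Q_FIG4, Q1_FIG4, Q2_FIG4)),
                                    ("Fig. 5 under RO4", FIG5, "RO4", (Q_FIG6, Q1_FIG6, Q2_FIG6))):
        cons = constraints(sys_, pol)
        print(f"{name}: {len(cons)} constraints")
        for q in states:
            print("  ", q, "->", violations(q, cons) or "admissible")
```

Running it lists 12 constraints for Fig. 1 and 33 for Fig. 5, and reports q_2 of Fig. 4 as violating both RO_RCO (r_2 r_6) and RO_RFD (r_1 r_2), and q_2 of Fig. 6 as violating the RO_RFD set of r_6.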
Note that q_2 is a safe state, given that unreliable resource r_6 is operational, i.e., there exists a sequence of resource allocations to clear the system of parts from q_2. However, it is possible, at q_2, that r_6 may fail before it has completed any p_42. If this happens, clearly, the system cannot continue to produce both P_2 and P_3 because they are now blocked by the p_41s filling r_5, although they do not require r_6 in their processing. As a consequence, q_2 is undesirable.

In essence, under RO_4, we require that FD parts blocked by the failure of an unreliable resource be able to distribute among the buffer space of resources along their respective routes, so that they do not block the production of other parts. For instance, in the example, if r_6 fails before it has completed any p_42 that it is holding at q, the p_41 is then blocked by the failed

r_6 and, thus, will be stored at r_5. However, the resource-failure-induced part blockage will in no way preclude other part types, P_1, P_2, and P_3, which are not requiring r_6 in their processing, from producing.

The following theorem guarantees that RO_4 is robust for systems where every part type requires at most one unreliable resource and at most one resource is in a failed state at a time.

Theorem 4.1: Supervisor RO_4 is robust for systems where |R_U| ≥ 1 and the number of failed resources does not exceed one.

The intuition behind this theorem is somewhat similar to that of Theorem 3.1, although the setting and context are much more difficult. RO_4 ensures that if a shared resource (i.e., a PFD resource) is filled with FD parts, at least one can be advanced out of the shared resources and, thus, out of RCO, which can then operate under RO_RCO. Furthermore, clearing RCO of this part will not create problems in the FD resources. We now provide a brief and intuitive explanation. To summarize, we have the following.

1) RO_RFD allows states with at most one FD resource filled with parts that are FD on the same unreliable resource.
2) RO_RFD2 allows states for which at most two FD resources are capacitated with FD parts.
3) RO_ROD admits states for which at most one resource of ROD is capacitated with FD parts.

Suppose that a state is allowed by RO_4. Then, by 1), it has at most one FD resource filled with parts that are FD on the same unreliable resource. By 2), it has at most two FD resources filled with FD parts, and by 3), it has at most one PFD resource filled with FD parts. Now, suppose that an unreliable resource fails. Roughly speaking, if there is no PFD resource filled with FD parts, then RCO can operate freely under RO_RCO, as previously discussed.
If there is one PFD resource, for example, r_i, which is filled with FD parts [by 3), there can be at most one], then at least one part has to be advanced into the FD\PFD resources (out of RCO) without causing unsafeness. At this point, numerous cases have to be considered and resolved. For illustration, let r_u be the failed unreliable resource, and suppose that r_u is filled. Then, by 2), r_u and r_i are the only capacitated resources of RFD, and by 1), r_i holds an FD part, for example, p_jk, which requires an unreliable resource r_v ≠ r_u. Note that r_v is not filled, nor is any other FD resource required by p_jk (other than r_i). Thus, again, roughly speaking, p_jk has an open path in the FD resources into r_v. Once p_jk advances, RCO can operate freely under RO_RCO. Once we have proven the existence of a sequence of part advances that sufficiently clears RCO of FD parts, we must prove that it is admitted by RO_4, that the resulting state, for example, q, is safe, and that q exhibits a safe sequence allowed by RO_4. Appendix C provides these proofs for every case.

V. EMPIRICAL INVESTIGATION

In this section, we first design an experiment to compare RO_2 with RO and NHC+BA for systems with a single unreliable resource. Then, we design an experiment to compare system performances under RO_4, RO, and NHC+BA for systems with multiple unreliable resources. Appendices D–F provide brief overviews of NHC, BA, and RO, respectively.

TABLE I. EXPERIMENTAL FACTORS (SINGLE UNRELIABLE RESOURCE)

A. Experiment for Single-Unreliable-Resource System

The experimental system for simulation is the example in Fig. 1. Our experiment has two levels of buffer sizes for the resources in RCO, low level (two units) and high level (ten units). The order release policy uses an equal part mix between FD and NFD parts. When all resources in the system are operational, we load new parts into the system in round-robin order, P_1 → P_2 → P_3 → P_4.
When the unreliable resource is down, we immediately switch to continuously loading NFD parts in round-robin order, P_3 → P_4, and to loading FD parts as long as the control policy allows. When the unreliable resource is repaired and back to normal status, we immediately switch to the original loading sequence. We also have two levels of failure cycle factors, a short failure cycle of 100 min and a long failure cycle of 1000 min. The last factor is percentage of downtime. We test this at four different levels, which are 10%, 30%, 50%, and 70%. We take a complete resource cycle (uptime + downtime) to be the sum of two exponential random variables, with parameters that add up to either 100 or 1000 min. At 10% downtime and a 1000-min failure cycle, the time to failure is exponential with mean 900 min, and the downtime is exponential with mean 100 min. Thus, at 10% downtime, the time to failure is longer, and the downtime is shorter, whereas at 70% downtime, the time to failure is short, and the downtime is long. We set the processing time of all part stages to be exponential with mean 5 min. Table I summarizes the experimental factors. For performance measures, we look at the production of FD parts during a simulation run of 1000 h. Finally, we perform three replications for each of the 3 × 2 × 2 × 4 = 48 combinations. This provides a total of 96 degrees of freedom for estimating experimental error, which we think is very adequate.

Table II presents the ANOVA for FD production. Although there are many statistically significant effects, we concentrate our discussion on the main effects (Fig. 7) and the interactions between policy and buffer space, failure cycle, and percentage of downtime (Figs. 8–10, respectively). Although most of the main effects are not surprising, we see in Fig.
7 that RO_2 enables a higher overall FD production rate than do NHC+BA and RO [although there is a partial overlap in the 95% confidence interval (CI)], indicating that using shared buffer space to position FD parts when resources fail has advantages for FD parts. This effect is more pronounced when buffer space is higher, as shown in Fig. 8. When buffer size is small, there is little difference, whereas if buffer size is large, production under RO_2 is significantly

higher. This is due to the nature of the policies. The NHC+BA policy restricts the number of FD parts allowed in the system by the buffer sizes of FD resources. Even when the buffer sizes of other resources in RCO are high, the policy cannot allow more FD parts into the system. This explains why FD production under NHC+BA changes little between large and small buffer sizes. In contrast, RO_2 allows the distribution of FD parts across the buffer spaces of resources in RCO. When buffer sizes are larger, more FD parts can be distributed in the system, and the production rate of these part types increases. As for RO, it has the same or better ability to load FD parts into the system as RO_2, thus enabling a higher FD production rate than NHC+BA. However, due to its inability to avoid failure-induced blocking, FD production under RO is lower than under RO_2.

TABLE II. ANOVA FOR FD PRODUCTION (SINGLE UNRELIABLE RESOURCE)

Fig. 7. Main effects for FD production (single unreliable resource).

Figs. 9 and 10 show the policy versus failure cycle and percentage of downtime. In general, RO_2 enables a higher FD production than RO (again, with some partial overlap of the 95% CIs) and NHC+BA, but this is slightly less pronounced for longer failure cycles and higher percentage of downtime. In summary, for systems with a single unreliable resource, when the RCO is sufficiently capacitated, allowing supervisors to use shared-resource capacity to assure robust operation significantly promotes the production of FD part types.

B. Experiment for Multiple Unreliable Resources

The experimental system for simulation is the system in Fig. 11. It has two unreliable resources, which are r_1 and r_6,

and produces eight part types, where P_1–P_4 are NFD parts and P_5–P_8 are FD parts. The experimental design is similar to the experimental setting for the single-unreliable-resource system in Section V-A. Table III summarizes the experimental factors. Instead of comparing RO_2, we compare RO_4 with NHC+BA and RO for this system with two unreliable resources. There are two levels of buffer sizes in RCO; specifically, for low level, we use three and six units for NFD and PFD resources, respectively, and for high level, we use 9 and 18 units for NFD and PFD resources, respectively. The order release policy is the same as described in Section V-A. Failure cycle and percentage of downtime follow the same design as in the single-unreliable-resource system. We set the processing time of all part stages to be exponential with mean 5 min. For performance measures, we look at the production of FD parts during a simulation run of 1000 h. Finally, we perform three replications for each of the 3 × 2 × 2 × 4 = 48 combinations.

Fig. 8. Interaction plot of policy and buffer size (single-unreliable-resource system).

Fig. 9. Interaction plot of policy and failure cycle (single-unreliable-resource system).

Fig. 10. Interaction plot of policy and percentage of downtime (single-unreliable-resource system).

Fig. 11. Experimental system for multiple-unreliable-resource system.

TABLE III. EXPERIMENTAL FACTORS (MULTIPLE UNRELIABLE RESOURCES)

Table IV presents the ANOVA for FD production. Although there are many statistically significant effects, we concentrate our discussion on the main effects (Fig. 12) and the interactions between policy and buffer space, failure cycle, and percentage of downtime (Figs. 13–15, respectively). In general, we observe results similar to those for the single-unreliable-resource system. In the main plot (Fig.
12), NHC+BA and RO_4 enable a higher overall average FD production than RO, although they are not discernible in main effect from each other. To understand this, we must look at the interactions. For the effects of buffer space, as shown in Fig. 13, when the buffer size in RCO is high, FD production is higher under RO_4 than under NHC+BA (although there is slight overlap in the 95% CIs). On the other hand, when the buffer size is small, NHC+BA enables a higher FD production than RO_4. In terms of failure cycle, as shown in Fig. 14, RO is always outperformed by both RO_4 and NHC+BA. With a short failure cycle, RO_4 achieves a better FD production rate, and with a

longer failure cycle, NHC+BA becomes the obvious choice for FD production. Fig. 15 shows the interaction between policy and percentage of downtime. Regardless of the percentage of downtime, FD production under RO_4 is always higher than under RO. When the percentage of downtime is small, RO_4 enables a higher FD production rate than NHC+BA. NHC+BA, on the other hand, performs better and better and eventually outperforms RO_4 as the percentage of downtime increases.

TABLE IV. ANOVA FOR FD PRODUCTION (MULTIPLE UNRELIABLE RESOURCES)

Fig. 12. Main effects for FD production (multiple-unreliable-resource system).

All of the aforementioned observations are due to the natures of the policies. Resource failures cause blocking, and blocking may propagate through the system and thus further stall the production of some portion of the system or the whole system in the worst case. RO does not consider robust supervision under resource failures. RO_4 guarantees continuous production under a single resource failure and uses shared buffer space to position FD parts when resources fail. However, RO_4 cannot handle simultaneous multiple resource failures. In other words, when multiple resources fail, RO_4 may not prevent the propagation of blocking. NHC+BA works with multiple resource failures by restricting the number of FD parts allowed in the system by the buffer sizes of FD resources. A smaller percentage of downtime and a shorter failure cycle indicate less chance for multiple resource failures. By allowing the distribution of FD parts across the buffer spaces of resources in RCO, RO_4 admits more FD parts into the system than NHC+BA and thus has

a higher FD production rate. With increasing percentage of downtime and failure cycle, multiple resource failures occur more frequently. Under RO_4, blocking may propagate, and continuous production may be stalled. Thus, NHC+BA dominates RO_4 and RO in FD production.

Fig. 13. Interaction plot of policy and buffer size (multiple-unreliable-resource system).

Fig. 14. Interaction plot of policy and failure cycle (multiple-unreliable-resource system).

Fig. 15. Interaction plot of policy and percentage of downtime (multiple-unreliable-resource system).

VI. CONCLUSION

In this paper, we developed robust supervisory controllers for SU-RASs with unreliable resources. The first policy, which is RO_2, ensures robust operation for one unreliable resource, whereas the second, which is RO_4, ensures robust operation for several unreliable resources, given that at most one resource is in a failed state at a time. These policies permit part mixes that are more heavily weighted toward FD part types than our previously published work. They do this by allowing parts that require failed resources to be held in the buffer space of resources producing both FD and NFD part types. We motivated these policies with examples, demonstrated their application, and rigorously established their correctness in the Appendix. Finally, we performed simulation experiments that demonstrate the production advantages that these policies can offer.

In future research, we will carry out more extensive experimentation to investigate systems with multiple unreliable resources and to determine the best way to select and configure a robust supervisory controller for a given system. We will also address the idea of condition-based control, where we attempt to develop robust supervisors for systems where probabilistic degradation chains are used to model resource reliability and failure.
APPENDIX A
DESIRED PROPERTIES FOR A ROBUST SUPERVISORY CONTROLLER

This section formally develops and defines a set of desired properties for a robust supervisory controller using language theory. Recall that our system is S = ⟨R, C, P, ρ, Q, Q_0, Σ, ξ, δ⟩. Let L(S) ⊆ Σ* be the uncontrolled language generated by S. Furthermore, for a string σ ∈ L(S) and an event π ∈ Σ, let |σ|_π be the score (number of occurrences) of π in σ. The state transition function δ is extended in the usual way, i.e., for σ ∈ L(S) leading from state q_o ∈ Q_o to q ∈ Q and π ∈ ξ(q) ⊆ Σ, we have δ(q, π) = δ(δ(q_o, σ), π) = δ(q_o, σπ).

The controlled language L(, S) ⊆ L(S) represents the behavior exhibited by the system S under the control of the supervisor. Here, the supervisor is a function mapping L(S) to the power set of Σ. Specifically, it maps L(S) → 2^Σ such that for σ ∈ L(S), (σ) is the control action for S at state δ(q_0, σ) with q_0 ∈ Q_0. S is only allowed to execute an event of (σ) ∩ ξ(δ(q_0, σ)). Hence, under the supervisor, π ∈ (σ) ∩ ξ(δ(q_0, σ)) is admissible, whereas π ∈ ξ(δ(q_0, σ)) \ (σ) is inadmissible. Note that π must be in Σ_c because it is assumed that (Σ_u ∩ ξ(δ(q_0, σ))) ⊆ (σ), i.e., the supervisor is not allowed to disable any enabled uncontrollable events at state δ(q_0, σ).

Let L(S/Σ_u2) ⊆ {Σ_c ∪ Σ_u1}* represent the uncontrolled language of S, given that resource failures do not occur. Let L(, S/Σ_u2) ⊆ L(S/Σ_u2) represent the controlled language of S under the supervisor, given that resource failures do not occur. Let Q = {q_u : for some σ ∈ L(, S/Σ_u2), q_u = δ(q_o, σ)}.

The first required property of the supervisory controller is that it keeps the system deadlock free in the absence of resource failure, i.e., that it keeps the system safe. In terms of strings

and events, we express this as follows: assuming no resource failure, the supervisor must guarantee that ∀σ_1 ∈ L(, S/Σ_u2) and ∀n ∈ ℵ (natural numbers), ∃σ_2 ∈ L(, S/Σ_u2) such that σ_1 is a prefix of σ_2 and ∀π ∈ Σ_c ∪ Σ_u1, |σ_2|_π > n. This basically states that, in the absence of resource failures, the system can continue to produce all of its part types indefinitely.

Now, suppose that the system has executed the event sequence σ_1 ∈ L(, S/Σ_u2), that the system is in state q_u = δ(q_o, σ_1), and that the server of r_i ∈ R_U is busy in this state. If we append a failure event κ_i onto σ_1, we get σ_1 κ_i ∈ L(, S) and state δ(q_u, κ_i). The event set that S can generate is now reconfigured; in fact, we will say that we have a modified events generator S_i that bounds the occurrence of certain events, at least those in ψ_i. Furthermore, S_i must start in initial state δ(q_u, κ_i), and in fact, the set of initial states for S_i can be defined as Q_i = {δ(q_u, κ_i) : q_u ∈ Q and q_u enables κ_i}. Let L(, S_i/Σ_u2) be the controlled language of S_i, assuming no further event failure or repair, and let Q_i = {q_v : for some q_u ∈ Q_i there exists σ ∈ L(, S_i/Σ_u2) such that q_v = δ(q_u, σ)}. The supervisor must now keep S_i safe while the failed resource is being repaired. That is, assuming no further resource failure or repair, the supervisor must guarantee that ∀σ_1 ∈ L(, S_i/Σ_u2) and ∀n ∈ ℵ, ∃σ_2 ∈ L(, S_i/Σ_u2) such that σ_1 is a prefix of σ_2 and ∀π ∈ {Σ_c ∪ Σ_u1} \ ψ_i, |σ_2|_π > n. This basically states that, in the absence of additional resource failures or repairs, the system can continue to produce all part types not requiring failed resource r_i ∈ R_U. This further implies that, while supervising S, the supervisor must constrain S to feasible initial states for S_i, i.e., the initial states of S_i for which continuing operation is possible.
Now, suppose that the system has executed the event sequence σ_1 κ_i σ_2 ∈ L(, S), where σ_1 ∈ L(, S/Σ_u2), κ_i ∈ Σ_u2, and σ_2 ∈ L(, S_i/Σ_u2), and that the uncontrollable repair event η_i ∈ Σ_u2 occurs. Then, we have the event sequence σ_1 κ_i σ_2 η_i ∈ L(, S) and state δ(q_o, σ_1 κ_i σ_2 η_i) = δ(q_u, κ_i σ_2 η_i) = δ(q_u, σ_2 η_i) = δ(q_v, η_i) = q_v. The event set that S can generate has now been restored, and the supervisor must once again supervise S, this time starting in initial state q_v. This implies that, in supervising S_i, the supervisor must constrain S_i to feasible initial states for S, i.e., the initial states of S from which continuing operation is possible. The following is now possible.

Property A: The supervisory controller is robust to the failure of resource r_i ∈ R_U if the following are true.

A.1 ∀σ_1 ∈ L(, S/Σ_u2) and ∀n ∈ ℵ, ∃σ_2 ∈ L(, S/Σ_u2) such that σ_1 is a prefix of σ_2 and ∀π ∈ Σ_c ∪ Σ_u1, |σ_2|_π > n.
A.2 For every q_u ∈ Q that enables κ_i, the state δ(q_u, κ_i) serves as a feasible initial state for S_i.
A.3 ∀σ_1 ∈ L(, S_i/Σ_u2) and ∀n ∈ ℵ, ∃σ_2 ∈ L(, S_i/Σ_u2) such that σ_1 is a prefix of σ_2 and ∀π ∈ {Σ_c ∪ Σ_u1} \ ψ_i, |σ_2|_π > n.
A.4 For every q_v ∈ Q, the state δ(q_v, η_i) serves as a feasible initial state for S.

Property A is the formal statement of Property 2.1.

APPENDIX B
CORRECTNESS PROOF FOR RO_2

This section establishes that RO_2 satisfies Property A for systems with |R_U| = 1. For this purpose, we will use a number of lemmas to develop simple results that, when combined, establish the correctness of RO_2. Lemma B.1 establishes that if a part-type stage is NFD, then so are its successors.

Lemma B.1: P_jk ∈ P_NFD implies that P_jm ∈ P_NFD for m ≥ k.

Proof: Suppose P_jm ∈ P_FD (i.e., P_jm ∉ P_NFD) for some m ≥ k. Then, by definition, P_jk ∈ P_FD (i.e., P_jk ∉ P_NFD).

Lemma B.2 establishes that if a part-type stage is NFD, then its associated resource is in RCO.

Lemma B.2: P_jk ∈ P_NFD implies that ρ(P_jk) ∈ RCO.

Proof: Recall that RCO = R_NFD ∪ R_PFD.
$\rho(P_{jk}) \notin RCO$ implies $\rho(P_{jk}) \in R \setminus RCO = R \setminus (R_{NFD} \cup R_{PFD}) = (R \setminus R_{NFD}) \setminus R_{PFD} = R_{FD} \setminus R_{PFD}$. Thus, $P_{jk} \in P_{FD}$ (i.e., $P_{jk} \notin P_{NFD}$), because every stage supported by a resource of $R_{FD} \setminus R_{PFD}$ is FD.

Lemma B.3 establishes that if a part-type stage is NFD, then its residual route is contained in RCO.

Lemma B.3: $P_{jk} \in P_{NFD}$ implies $T_{jk} \subseteq RCO$.

Proof: Follows directly from Lemmas B.1 and B.2.

Lemma B.3 asserts that an NFD part will never visit a resource of $R \setminus RCO$. Lemma B.4 establishes that an FD part requires a resource of $R_{FD}$ for its processing.

Lemma B.4: $P_{jk} \in P_{FD}$ implies $\rho(P_{jk}) \in R_{FD}$.

Proof: If $\rho(P_{jk}) \in R \setminus R_{FD} = R_{NFD}$ (i.e., $\rho(P_{jk}) \notin R_{FD}$), then $P_{jk} \in P_{NFD}$ (i.e., $P_{jk} \notin P_{FD}$).

Lemma B.5 establishes that, under $RO_2$, no deadlock structure can arise.

Lemma B.5: Suppose $q \in Q^2_{RO}$ (i.e., state $q$ is admitted by $RO_2$), and let $D \subseteq R$. Then, $D$ is not a deadlock at $q \in Q^2_{RO}$.

Proof: Let $\Pi$ be the set of parts present in the system at state $q \in Q^2_{RO}$. Let $\Pi_{FD}$ be the set of FD parts in the system at state $q$, $\Pi_{NFD}$ be the set of NFD parts in the system at state $q$, and $\Pi_g$ be the set of parts located at $r_g$ at state $q$. It is clear that $\Pi = \Pi_{FD} \cup \Pi_{NFD}$ with $\Pi_{FD} \cap \Pi_{NFD} = \emptyset$. Suppose that $D \subseteq R$ is in deadlock at $q \in Q^2_{RO}$. Because $D$ is in deadlock, $|D| > 1$ and, $\forall r_i \in D$, $|\Pi_i| = C_i$. Thus, $D \not\subseteq RCO$, because $RO_{RCO}$ allows at most one capacitated resource in RCO. Similarly, $D \not\subseteq R \setminus RCO = R_{FD} \setminus R_{PFD}$, because $RO_{RFD}$ allows at most one resource filled with only FD parts in $R_{FD}$. These two arguments imply that $|D| = 2$ with $|D \cap RCO| = 1$ and $|D \cap (R \setminus RCO)| = 1$ (note that $R \setminus RCO$ is the complement of RCO). Let $\{r_h\} = D \cap RCO = D \cap (R_{PFD} \cup R_{NFD})$ and $\{r_g\} = D \cap (R \setminus RCO) = D \cap (R_{FD} \setminus R_{PFD})$. Clearly, $r_g$ is an FD resource that processes only FD parts, but $r_h$ might be either FD or NFD. Note that $|\Pi_h| = C_h$, and we claim that $r_h$ is filled with FD parts. To see this, $\forall p_{jk} \in \Pi_h$, $\rho(p_{j,k+1}) = r_g$, because $r_g$ and $r_h$ are the sole resources in deadlock.
Thus, by definition of FD parts, all parts in $\Pi_h$ are FD, i.e., $\Pi_h \subseteq \Pi_{FD}$, because $\rho(p_{j,k+1}) = r_g \in R_{FD} \setminus R_{PFD}$. This implies $r_h \in RCO \cap R_{FD} = R_{PFD}$. Thus, in state $q \in Q^2_{RO}$, we have two resources $r_g$ and $r_h$ from $R_{FD}$, both filled with FD parts, which violates $RO_{RFD}$. This contradicts the assumption that $q \in Q^2_{RO}$.

Lemma B.6 establishes that, for any state admitted by $RO_2$, there is a sequence of resource allocations admitted by $RO_2$ that completes all NFD parts.

Lemma B.6: For $q \in Q^2_{RO}$, there exists a sequence of resource allocations admitted by $RO_2$ that empties the system of NFD parts.

Proof: Let $q \in Q^2_{RO}$. We need to prove that, beginning at $q$, there is a sequence of resource allocations admitted by $RO_2$ that empties the system of all NFD parts. We consider two cases.

Case 1 ($q \in Q^2_{RO}$ exhibits no capacitated resource in RCO): Every resource of RCO must have at least one free unit of capacity. By Lemma B.3, every NFD part must be in RCO. Select any NFD part and advance it one step. This is possible because no RCO resource is capacitated. The resulting state has at most one capacitated resource in RCO. Thus, it satisfies $RO_{RCO}$. Also, $RO_{RFD}$ remains unaffected, because NFD parts do not appear in its constraints. Thus, the resulting state satisfies $RO_2$. Iterate until either RCO is empty of NFD parts or RCO exhibits one capacitated resource. If the first condition occurs, we are done. If the second condition occurs, go to Case 2.

Case 2 ($q \in Q^2_{RO}$ exhibits one capacitated resource in RCO): There are two possibilities. Case 2.1 considers the situation where the capacitated resource, say $r_g$, holds at least one NFD part. Case 2.2 considers the situation where the capacitated resource, again $r_g$, is filled with FD parts.

Case 2.1: The capacitated resource $r_g$ holds at least one NFD part. From $r_g$, advance an NFD part, say $p_{jk}$, one step. This is possible because the resource it advances to is again in RCO by Lemma B.3 and is not capacitated. The resulting state has at most one capacitated resource in RCO.
Thus, it satisfies $RO_{RCO}$. $RO_{RFD}$ remains unaffected, because NFD parts do not appear in its constraints. Thus, the resulting state satisfies $RO_2$. This state satisfies the condition of either Case 1 or Case 2.1. If Case 2.1 is satisfied, repeat the procedure of Case 2.1. If Case 1 is satisfied, repeat the procedure of Case 1. Continue until RCO is empty of NFD parts.

Case 2.2: The capacitated resource $r_g$ is filled with FD parts. Then, by Lemma B.4, $r_g \in RCO \cap R_{FD} = R_{PFD}$. In addition, $r_g$ is the only capacitated resource in the system, because its FD parts appear in both $RO_{RCO}$ and $RO_{RFD}$. Select any part on $r_g$ and advance it one step. The advancement results either in a single new capacitated resource or in no capacitated resource, both of which satisfy $RO_2$. If the resulting state has no capacitated resource, follow the logic of Case 1. If the resulting state has a capacitated resource with at least one NFD part, follow the logic of Case 2.1. If the resulting state has a capacitated resource filled with FD parts, then there are two possibilities: the resource is in either

1) $R_{PFD} \subseteq RCO$, or

2) $R_{FD} \setminus R_{PFD}$ (where $RCO \cap (R_{FD} \setminus R_{PFD}) = \emptyset$).

That is, either the resource is in RCO or it is in $R \setminus RCO$. If 1) is true, iterate the logic of Case 2.2; if 2) is true, follow the logic of Case 1. This procedure will terminate in a finite number of steps with all NFD parts removed from the system.

Lemma B.7: For $q \in Q^2_{RO}$ with $\Pi_{NFD} = \emptyset$, there exists a sequence of resource allocations admitted by $RO_2$ that empties the system of FD parts.

Proof: Let $q \in Q^2_{RO}$ such that $\Pi_{NFD} = \emptyset$. By Lemma B.4, every FD part must be held by a resource of $R_{FD}$. If $R_{FD}$ contains a capacitated resource, this must be the only capacitated resource in the system, and it is filled with FD parts. Select any part from the capacitated resource and advance it one step. Else, if no capacitated resource exists, select any part and advance it one step. There are two possible outcomes.
1) The advanced part remains an FD part.

2) The advanced part becomes an NFD part, rendering $\Pi_{NFD} \ne \emptyset$.

In either case, the resulting state exhibits at most one capacitated resource and thus satisfies both $RO_{RCO}$ and $RO_{RFD}$. If 1) is true, then we continue to iterate the aforementioned step. If 2) is true, then we follow the proof of Lemma B.6 to clear the NFD part. After that, if $\Pi_{FD} \ne \emptyset$, we continue to iterate the aforementioned steps. It is obvious that a finite number of iterations will empty the system of FD parts.

Lemma B.8: $RO_2$ ensures safety for the system, given that $r_i \in R_U$ does not fail.

Proof: This follows directly from Lemmas B.6 and B.7.

Lemma B.9: $\forall q_u \in Q^2_{RO}$ such that $\kappa_i \in \xi(q_u)$, $\delta(q_u, \kappa_i) = q'_u$ is a feasible initial state for the reduced system.

Proof: We need to prove that, beginning at $q'_u$, we are able to continue producing every part type that does not require the failed resource $r_i$. To do this, we will establish a sequence of resource allocations permitted by $RO_2$ that advances all NFD parts out of the system. By Lemma B.6, there exists an admissible sequence of events, say $\sigma$, beginning at $q_u$, that advances every NFD part out of the system, given that the unreliable resource does not fail. In fact, $\sigma$ remains valid beginning at $q'_u$. To see this, note that $\sigma$ does not contain any service completion event $\beta_{jk}$ such that $P_{jk} \in \Omega_i$. As a result, the status of the unreliable resource $r_i$ is irrelevant to $\sigma$. In other words, the occurrence of the failure event $\kappa_i$ of $r_i$ at $q_u$ does not in any way influence $\sigma$. Therefore, $\sigma$ is valid for removing NFD parts from the system beginning at $q'_u$. Furthermore, by the proof of Case 2.2 of Lemma B.6, $\delta(q'_u, \sigma)$ has no capacitated resource in RCO. Now, suppose we load new NFD parts into the system as long as $RO_2$ is not violated. Then, by the aforementioned logic, these parts can be completed.
Thus, the production of every part type that does not require $r_i$ can continue indefinitely starting from $q'_u$, and hence, $q'_u$ is a feasible initial state.

Lemma B.10: $RO_2$ ensures safety for the system, given that $r_i \in R_U$ has failed.

Proof: Follows directly from the proof of Lemma B.9.

Lemma B.11: $\forall q'_v \in Q'_i$ (the states of the reduced system admitted by $RO_2$) such that $\eta_i \in \xi(q'_v)$, $\delta(q'_v, \eta_i) = q_v$ is a feasible initial state for the upgraded system.

Proof: We need to establish that, beginning at $q_v$, there is an admissible sequence of resource allocations that empties the system. By Lemma B.10, all NFD parts can be completed by executing an admissible sequence $\sigma$ that is unaffected by the status of $r_i \in R_U$. Thus, $\sigma$ is valid for removing NFD parts from the system beginning at $q_v$. Because $\delta(q_v, \sigma)$ satisfies $RO_2$, Lemma B.7 guarantees an admissible sequence, say $\tau$, that completes all FD parts beginning at $\delta(q_v, \sigma)$. Thus, $\delta(q_v, \sigma\tau) = q_o \in Q_o$. Now, because the system is empty and all resources are operational, it is obvious that the production of every part type can continue indefinitely, because $RO_2$ guarantees safety for the upgraded system. Theorem B.1 now follows directly.

Theorem B.1: If $|R_U| = 1$, $RO_2$ satisfies the requirements of Property A and is therefore robust to failures of the unreliable resource.

Proof: Follows directly from Lemmas B.8 to B.11.

We have now established that controller $RO_2$ is robust to resource failures for systems with $|R_U| = 1$.

APPENDIX C
CORRECTNESS PROOF FOR $RO_4$

This section establishes that $RO_4$ satisfies Property A for systems with $|R_U| > 1$ under the assumptions that each part type requires at most one unreliable resource and that only one failure occurs at a time. As stated before, if more than one unreliable resource fails, parts that do not require those resources may be blocked from production until repair events occur. Lemma C.1 ensures the following property: Suppose $\Pi_{NFD} = \emptyset$ and ROD contains a capacitated resource. Then, ROD holds a part such that every resource required to advance the part to its unreliable resource has at least one free unit of capacity.

Lemma C.1: Let $q \in Q^4_{RO}$ and $\Pi_{NFD} = \emptyset$. If $r_g \in ROD$ with $|\Pi_g| = C_g$, then $\exists p_{jk} \in \Pi_g \cap \Pi^{FD}_i$ for some $r_i \in R_U$ such that, $\forall r_h \in \{\rho(p_{jk}) = r_g, \ldots, \rho(p_{j,k+c}) = r_i\}$ distinct from $r_g$, $|\Pi_h| < C_h$.

Proof: The set $\Pi_g \subseteq \Pi_{FD}$, because $\Pi_{NFD} = \emptyset$. By $RO_{ROD}$, $r_g$ is the only capacitated resource filled with FD parts in ROD. In addition, $r_g$ is the only capacitated resource in ROD, because there are no NFD parts in ROD. By Lemma B.4, $P_{jk}, \ldots, P_{j,k+c} \in P^{FD}_i$, and thus, we have $\rho(p_{jk}) = r_g, \ldots, \rho(p_{j,k+c}) = r_i \in R_{FD}$.
In other words, every resource required for advancing a part $p_{jk}$ at $r_g$ into the buffer of its required unreliable resource $r_i$ is an FD resource. We now establish the proof by contradiction. Assume that, $\forall r_i \in R_U$ and $\forall p_{jk} \in \Pi_g \cap \Pi^{FD}_i$, $\exists r_h \in \{\rho(p_{jk}) = r_g, \ldots, \rho(p_{j,k+c}) = r_i\}$ such that $r_h \ne r_g$ and $|\Pi_h| = C_h$. Because $\rho(p_{jk}) = r_g, \ldots, \rho(p_{j,k+c}) = r_i \in R_{FD}$, $r_h \in R_{FD}$, and thus, $r_h \notin ROD$, because $r_g$ is the only capacitated resource in ROD. Because $ROD = R_{FD} \setminus R_U$, it is clear that $r_h \in R_U$. By $RO_{RFD2}$, at most two resources of $R_{FD}$ may be capacitated in an admissible state, and thus, $r_h$ is the only capacitated resource in $R_U$ (because $r_g$ and $r_h$ are both capacitated and in $R_{FD}$, no other resource in $R_{FD}$ can be capacitated). As a result, $\forall p_{jk} \in \Pi_g$, $p_{jk} \in \Pi^{FD}_h$. We now have $|\Pi_g| = C_g$ and $|\Pi_h| = C_h$ such that $\Pi_g \subseteq \Pi^{FD}_h$ and $\Pi_h \subseteq \Pi^{FD}_h$, which is a violation of $RO_{RFD}$ ($RO_{RFD}$ does not admit a state that has two resources in $R_{FD}$ filled with parts that are FD on the same unreliable resource). Thus, we have a contradiction.

Lemma C.2 now establishes that if we have a capacitated resource in $R_{PFD}$ holding only FD parts, then the resource holds at least one part such that every resource required to advance the part to its unreliable resource has at least one free unit of capacity. This result places no restriction on NFD parts.

Lemma C.2: Let $q \in Q^4_{RO}$ and $r_g \in R_{PFD}$ with $|\Pi_g| = C_g$ and $\Pi_g \subseteq \Pi_{FD}$. Then, $\exists p_{jk} \in \Pi_g \cap \Pi^{FD}_i$ for some $r_i \in R_U$ such that, $\forall r_h \in \{\rho(p_{jk}) = r_g, \ldots, \rho(p_{j,k+c}) = r_i\}$ distinct from $r_g$, $|\Pi_h| < C_h$.

Proof: Because $r_g \in R_{PFD} \subseteq R_{FD} \setminus R_U = ROD$, $RO_{ROD}$ guarantees that $r_g$ is the only capacitated resource in ROD filled with FD parts. Because $r_g \in R_{PFD} \subseteq RCO$, $RO_{RCO}$ guarantees that $r_g$ is the only capacitated resource in RCO. Thus, $r_g$ is the only capacitated resource in $RCO \cup ROD = R_{PFD} \cup R_{NFD} \cup ROD = R_{PFD} \cup R_{NFD} \cup (R_{FD} \setminus R_U) = (R_{FD} \cup R_{NFD}) \setminus R_U = R \setminus R_U$. Thus, if any other resource is capacitated, it must be in $R_U$. To complete the proof, apply the contradiction argument of the proof of Lemma C.1.
Lemmas C.1 and C.2 guarantee that a part in ROD held by a capacitated resource filled with FD parts can be advanced into the buffer of its required unreliable resource. Lemmas C.3 and C.4 show that this advancement does not violate $RO_4$.

Lemma C.3: Assume that the conditions of Lemma C.1 hold. That is, let $q \in Q^4_{RO}$, $\Pi_{NFD} = \emptyset$, and $r_g \in ROD$ with $|\Pi_g| = C_g$ and $\Pi_g \subseteq \Pi_{FD}$. Let $p_{jk} \in \Pi_g \cap \Pi^{FD}_i$ such that, $\forall r_h \in \{\rho(p_{jk}) = r_g, \ldots, \rho(p_{j,k+c}) = r_i\}$ distinct from $r_g$, $|\Pi_h| < C_h$. Let $\sigma_{j,k+m} = \alpha_{j,k+1} \beta_{j,k+1} \cdots \alpha_{j,k+m}$ for $m = 1, \ldots, c$. Then, $\{\delta(q, \sigma_{j,k+m}) : m = 1, \ldots, c\} \subseteq Q^4_{RO}$. That is, all states encountered during the advancement of $p_{jk}$ from $r_g$ to $r_i$ satisfy $RO_4$.

Proof: We first establish that $RO_{RFD}$ is not violated by $\delta(q, \sigma_{j,k+m})$ for $m = 0, \ldots, c$. For the sake of induction, we assume that $\sigma_{jk} = \sigma_{j,k+0} = \varepsilon$ (the null string), so that $\delta(q, \sigma_{jk}) = \delta(q, \sigma_{j,k+0}) = \delta(q, \varepsilon) = q$. Note that, because $\delta(q, \sigma_{j,k+0}) = q \in Q^4_{RO}$, $q$ does not violate $RO_{RFD}$. This is our base case. Now, we show that if $\delta(q, \sigma_{j,k+n})$ satisfies $RO_{RFD}$, then $\delta(q, \sigma_{j,k+n+1})$ for $n = 1, \ldots, c-1$ also satisfies $RO_{RFD}$. Consider state $\delta(q, \sigma_{j,k+n})$. In this state, the advanced part $p_{j,k+n}$ is at resource $\rho(p_{j,k+n})$. This is the only resource that can be capacitated along the sequence $\rho(p_{jk}) = r_g, \ldots, \rho(p_{j,k+c}) = r_i$, because, in state $q$, only $r_g$ was capacitated, and advancing one part from $r_g$ along this sequence can result in at most one capacitated resource in the sequence. Because, by assumption, $\delta(q, \sigma_{j,k+n}) \in Q^4_{RO}$, $\delta(q, \sigma_{j,k+n})$ does not violate $RO_{RFD}$, i.e., $\delta(q, \sigma_{j,k+n})$ has at most one resource, say $r_t$, in $R_{FD}$ that is filled with parts that are FD on the same unreliable resource. There are three cases to consider for $\delta(q, \sigma_{j,k+n})$.

1) $r_t$ does not exist.

2) $r_t$ exists, and $r_t = \rho(p_{j,k+n})$.

3) $r_t$ exists, but $r_t \ne \rho(p_{j,k+n})$.
For cases 1) and 2), $\delta(q, \sigma_{j,k+n+1})$ has at most one resource in $R_{FD}$ filled with parts that are FD on the same unreliable resource, and this capacitated resource must be $\rho(p_{j,k+n+1})$, because $\rho(p_{j,k+n+1})$ is the only resource that could be filled by advancing $p_{j,k+n}$ one step (note that, after advancing $p_{j,k+n}$ one step, $\rho(p_{j,k+n})$ cannot be capacitated). Thus, for these two cases, $\delta(q, \sigma_{j,k+n+1})$ satisfies $RO_{RFD}$. For case 3), because $\rho(p_{j,k+n}) \in ROD \subseteq R_{FD}$ and $RO_{ROD}$ is not violated in $\delta(q, \sigma_{j,k+n})$, $r_t \in R_{FD} \setminus ROD = R_U$. Note that $r_t \ne r_i$, because, by Lemma C.1, $r_i$ is not capacitated. Because $p_{j,k+n}$ is FD on $r_i$, in state $\delta(q, \sigma_{j,k+n+1})$, $\rho(p_{j,k+n+1})$ cannot be filled with parts that are FD on $r_t$, because $p_{j,k+n+1}$ is not FD on $r_t$. Thus, for this case, $\delta(q, \sigma_{j,k+n+1})$ satisfies $RO_{RFD}$. Thus, $\delta(q, \sigma_{j,k+m})$ for $m = 0, \ldots, c$ satisfies $RO_{RFD}$.

We now establish that $RO_{ROD}$ is not violated by $\delta(q, \sigma_{j,k+m})$ for $m = 0, \ldots, c$. Because $\delta(q, \sigma_{j,k+0}) = q \in Q^4_{RO}$, $q$ does not violate $RO_{ROD}$. Suppose $\delta(q, \sigma_{j,k+n}) \in Q^4_{RO}$. Then, $\delta(q, \sigma_{j,k+n})$ does not violate $RO_{ROD}$, i.e., $\delta(q, \sigma_{j,k+n})$ has at most one resource, say $r_t$, in ROD that is filled with FD parts. There are three cases to consider for $\delta(q, \sigma_{j,k+n})$.

1) $r_t$ does not exist.

2) $r_t$ exists, and $r_t = \rho(p_{j,k+n})$.

3) $r_t$ exists, but $r_t \ne \rho(p_{j,k+n})$.

For cases 1) and 2), $\delta(q, \sigma_{j,k+n+1})$ has at most one resource in ROD filled with parts that are FD on the same unreliable resource, and this capacitated resource must be $\rho(p_{j,k+n+1})$, because $\rho(p_{j,k+n+1})$ is the only resource that could be filled by advancing $p_{j,k+n}$ one step (note that, after advancing $p_{j,k+n}$ one step, $\rho(p_{j,k+n})$ cannot be capacitated). Thus, for these two cases, $\delta(q, \sigma_{j,k+n+1})$ satisfies $RO_{ROD}$. For case 3), note that $\rho(p_{j,k+n})$ is the only resource in the sequence $\rho(p_{jk}) = r_g, \ldots, \rho(p_{j,k+c}) = r_i$ that can be capacitated in $\delta(q, \sigma_{j,k+n})$. Thus, $r_t \notin \{\rho(p_{jk}) = r_g, \ldots, \rho(p_{j,k+c}) = r_i\}$. Thus, $r_t$ is not affected by the sequence of events $\sigma_{j,k+n}$, which implies that $r_t$ was already capacitated with FD parts in the original state $q$.
Thus, for $q$, we have $r_t \in ROD$ and $r_g \in ROD$, both capacitated with FD parts, which contradicts the induction hypothesis. Thus, we conclude that $\delta(q, \sigma_{j,k+n+1})$ satisfies $RO_{ROD}$.

Next, we establish that $RO_{RCO}$ is not violated by $\delta(q, \sigma_{j,k+m})$ for $m = 0, \ldots, c$. Because $\delta(q, \sigma_{j,k+0}) = q \in Q^4_{RO}$, $q$ does not violate $RO_{RCO}$. Suppose $\delta(q, \sigma_{j,k+n}) \in Q^4_{RO}$. Then, $\delta(q, \sigma_{j,k+n})$ does not violate $RO_{RCO}$, i.e., $\delta(q, \sigma_{j,k+n})$ has at most one resource, say $r_t$, in RCO filled with parts. By the assumption of Lemma C.1, these must be FD parts (thus, there are no parts in the resources of $RCO \setminus R_{FD}$). Thus, $r_t \in R_{FD} \cap RCO = R_{PFD}$. There are three cases to consider for $\delta(q, \sigma_{j,k+n})$.

1) $r_t$ does not exist.

2) $r_t$ exists, and $r_t = \rho(p_{j,k+n})$.

3) $r_t$ exists, but $r_t \ne \rho(p_{j,k+n})$.

For cases 1) and 2), $\delta(q, \sigma_{j,k+n+1})$ has at most one resource in $R_{FD} \cap RCO$ filled with parts, and this capacitated resource must be $\rho(p_{j,k+n+1})$, because $\rho(p_{j,k+n+1})$ is the only resource that could be filled by advancing $p_{j,k+n}$ one step. Thus, for these two cases, $\delta(q, \sigma_{j,k+n+1})$ satisfies $RO_{RCO}$. For case 3), note that $\rho(p_{j,k+n})$ is the only resource in the sequence $\rho(p_{jk}) = r_g, \ldots, \rho(p_{j,k+c}) = r_i$ that can be capacitated in $\delta(q, \sigma_{j,k+n})$. Thus, $r_t \notin \{\rho(p_{jk}) = r_g, \ldots, \rho(p_{j,k+c}) = r_i\}$. Thus, $r_t$ is not affected by the sequence of events $\sigma_{j,k+n}$, which implies that $r_t$ was capacitated with FD parts in the original state $q$. Thus, for $q$, we have $r_t \in RCO \cap R_{FD} = R_{PFD} \subseteq ROD$ and $r_g \in ROD \setminus RCO$, which violates $RO_{ROD}$, contrary to the induction hypothesis. Thus, we conclude that $\delta(q, \sigma_{j,k+n+1})$ satisfies $RO_{RCO}$.

We now establish that $RO_{RFD2}$ is not violated by $\delta(q, \sigma_{j,k+m})$ for $m = 0, \ldots, c$. Because $\delta(q, \sigma_{j,k+0}) = q \in Q^4_{RO}$, $q$ does not violate $RO_{RFD2}$. Suppose $\delta(q, \sigma_{j,k+n}) \in Q^4_{RO}$. Then, $\delta(q, \sigma_{j,k+n})$ does not violate $RO_{RFD2}$, i.e., $\delta(q, \sigma_{j,k+n})$ has at most two resources, say $r_s$ and $r_t$, in $R_{FD}$ filled with FD parts.
Because $\delta(q, \sigma_{j,k+n})$ satisfies $RO_{ROD}$, the two cannot both be in $ROD = R_{FD} \setminus R_U$, and thus, at least one, say $r_s$, must be in $R_U$. Assume that $r_t \in R_{FD} \setminus R_U$ and $r_s \in R_U$. By the previous logic, $r_t$ must be $\rho(p_{j,k+n})$. Note the following two possibilities.

1) $\rho(p_{j,k+n+1}) \in R_{FD} \setminus R_U$.

2) $\rho(p_{j,k+n+1}) \in R_U$.

If 1) is true, then $\delta(q, \sigma_{j,k+n+1})$ has at most two resources, $r_s \in R_U$ and $\rho(p_{j,k+n+1}) \in R_{FD} \setminus R_U$, in $R_{FD}$ filled with FD parts. If 2) is true, then $\delta(q, \sigma_{j,k+n+1})$ has at most two resources, $r_s \in R_U$ and $\rho(p_{j,k+n+1}) \in R_U$, in $R_{FD}$ filled with FD parts. Thus, $\delta(q, \sigma_{j,k+n+1})$ satisfies $RO_{RFD2}$.

Thus, we have shown that $\delta(q, \sigma_{j,k+0}) = q \in Q^4_{RO}$ and that if $\delta(q, \sigma_{j,k+n}) \in Q^4_{RO}$, then $\delta(q, \sigma_{j,k+n+1}) \in Q^4_{RO}$, and this completes the proof.

Lemma C.4: Assume that the conditions of Lemma C.2 hold. That is, let $q \in Q^4_{RO}$ and $r_g \in R_{PFD}$ with $|\Pi_g| = C_g$ and $\Pi_g \subseteq \Pi_{FD}$. Let $p_{jk} \in \Pi_g \cap \Pi^{FD}_i$ such that, $\forall r_h \in \{\rho(p_{jk}) = r_g, \ldots, \rho(p_{j,k+c}) = r_i\}$ distinct from $r_g$, $|\Pi_h| < C_h$. Let $\sigma_{j,k+m} = \alpha_{j,k+1} \beta_{j,k+1} \cdots \alpha_{j,k+m}$ for $m = 1, \ldots, c$. Then, $\{\delta(q, \sigma_{j,k+m}) : m = 1, \ldots, c\} \subseteq Q^4_{RO}$. That is, all states encountered during the advancement of $p_{jk}$ from $r_g$ to $r_i$ satisfy $RO_4$.

Proof: We first establish that $RO_{RFD}$ is not violated by $\delta(q, \sigma_{j,k+m})$ for $m = 0, \ldots, c$. For the sake of induction, we assume that $\sigma_{jk} = \sigma_{j,k+0} = \varepsilon$ (the null string), so that $\delta(q, \sigma_{jk}) = \delta(q, \sigma_{j,k+0}) = \delta(q, \varepsilon) = q$. Note that, because $\delta(q, \sigma_{j,k+0}) = q \in Q^4_{RO}$, $q$ does not violate $RO_{RFD}$. This is our base case. Now, we show that if $\delta(q, \sigma_{j,k+n})$ satisfies $RO_{RFD}$, then $\delta(q, \sigma_{j,k+n+1})$ for $n = 1, \ldots, c-1$ also satisfies $RO_{RFD}$. Consider state $\delta(q, \sigma_{j,k+n})$. In this state, the advanced part $p_{j,k+n}$ is at resource $\rho(p_{j,k+n})$. This is the only resource that can be capacitated along the sequence $\rho(p_{jk}) = r_g, \ldots, \rho(p_{j,k+c}) = r_i$, because, in state $q$, only $r_g$ was capacitated, and advancing one part from $r_g$ along this sequence can result in at most one capacitated resource in the sequence.
Because, by assumption, $\delta(q, \sigma_{j,k+n}) \in Q^4_{RO}$, $\delta(q, \sigma_{j,k+n})$ does not violate $RO_{RFD}$, i.e., $\delta(q, \sigma_{j,k+n})$ has at most one resource, say $r_t$, in $R_{FD}$ that is filled with parts that are FD on the same unreliable resource. There are three cases to consider for $\delta(q, \sigma_{j,k+n})$.

1) $r_t$ does not exist.

2) $r_t$ exists, and $r_t = \rho(p_{j,k+n})$.

3) $r_t$ exists, but $r_t \ne \rho(p_{j,k+n})$.

For cases 1) and 2), $\delta(q, \sigma_{j,k+n+1})$ has at most one resource in $R_{FD}$ filled with parts that are FD on the same unreliable resource, and this capacitated resource must be $\rho(p_{j,k+n+1})$, because $\rho(p_{j,k+n+1})$ is the only resource that could be filled by advancing $p_{j,k+n}$ one step (note that, after advancing $p_{j,k+n}$ one step, $\rho(p_{j,k+n})$ cannot be capacitated). Thus, for these two cases, $\delta(q, \sigma_{j,k+n+1})$ satisfies $RO_{RFD}$. For case 3), because $\rho(p_{j,k+n}) \in ROD \subseteq R_{FD}$ and $RO_{ROD}$ is not violated in $\delta(q, \sigma_{j,k+n})$, $r_t \in R_{FD} \setminus ROD = R_U$. Note that $r_t \ne r_i$, because, by Lemma C.2, $r_i$ is not capacitated. Because $p_{j,k+n}$ is FD on $r_i$, in state $\delta(q, \sigma_{j,k+n+1})$, $\rho(p_{j,k+n+1})$ cannot be filled with parts that are FD on $r_t$, because $p_{j,k+n+1}$ is not FD on $r_t$. Thus, for this case, $\delta(q, \sigma_{j,k+n+1})$ satisfies $RO_{RFD}$. Thus, $\delta(q, \sigma_{j,k+m})$ for $m = 0, \ldots, c$ satisfies $RO_{RFD}$.

We now establish that $RO_{ROD}$ is not violated by $\delta(q, \sigma_{j,k+m})$ for $m = 0, \ldots, c$. Because $\delta(q, \sigma_{j,k+0}) = q \in Q^4_{RO}$, $q$ does not violate $RO_{ROD}$. Suppose $\delta(q, \sigma_{j,k+n}) \in Q^4_{RO}$. Then, $\delta(q, \sigma_{j,k+n})$ does not violate $RO_{ROD}$, i.e., $\delta(q, \sigma_{j,k+n})$ has at most one resource, say $r_t$, in ROD that is filled with FD parts. There are three cases to consider for $\delta(q, \sigma_{j,k+n})$.

1) $r_t$ does not exist.

2) $r_t$ exists, and $r_t = \rho(p_{j,k+n})$.

3) $r_t$ exists, but $r_t \ne \rho(p_{j,k+n})$.

For cases 1) and 2), $\delta(q, \sigma_{j,k+n+1})$ has at most one resource in ROD filled with parts that are FD on the same unreliable resource, and this capacitated resource must be $\rho(p_{j,k+n+1})$, because $\rho(p_{j,k+n+1})$ is the only resource that could be filled by advancing $p_{j,k+n}$ one step (note that, after advancing $p_{j,k+n}$ one step, $\rho(p_{j,k+n})$ cannot be capacitated). Thus, for these two cases, $\delta(q, \sigma_{j,k+n+1})$ satisfies $RO_{ROD}$. For case 3), note that $\rho(p_{j,k+n})$ is the only resource in the sequence $\rho(p_{jk}) = r_g, \ldots, \rho(p_{j,k+c}) = r_i$ that can be capacitated in $\delta(q, \sigma_{j,k+n})$.
Thus, $r_t \notin \{\rho(p_{jk}) = r_g, \ldots, \rho(p_{j,k+c}) = r_i\}$. Thus, $r_t$ is not affected by the sequence of events $\sigma_{j,k+n}$, and so $r_t$ must already have been capacitated with FD parts in the original state $q$. Thus, for $q$, we have $r_t \in ROD$ and $r_g \in ROD$, both capacitated with FD parts, which contradicts the induction hypothesis. Thus, we conclude that $\delta(q, \sigma_{j,k+n+1})$ satisfies $RO_{ROD}$.

Next, we establish that $RO_{RCO}$ is not violated by $\delta(q, \sigma_{j,k+m})$ for $m = 0, \ldots, c$. Because $\delta(q, \sigma_{j,k+0}) = q \in Q^4_{RO}$, $q$ does not violate $RO_{RCO}$. Suppose $\delta(q, \sigma_{j,k+n}) \in Q^4_{RO}$. Then, $\delta(q, \sigma_{j,k+n})$ does not violate $RO_{RCO}$, i.e., $\delta(q, \sigma_{j,k+n})$ has at most one resource, say $r_t$, in RCO filled with parts. There are three cases to consider for $\delta(q, \sigma_{j,k+n})$.

1) $r_t$ does not exist.

2) $r_t$ exists, and $r_t = \rho(p_{j,k+n})$.

3) $r_t$ exists, but $r_t \ne \rho(p_{j,k+n})$.

For cases 1) and 2), $\delta(q, \sigma_{j,k+n+1})$ has at most one resource in $R_{FD} \cap RCO$ filled with parts, and this capacitated resource must be $\rho(p_{j,k+n+1})$, because $\rho(p_{j,k+n+1})$ is the only resource that could be filled by advancing $p_{j,k+n}$ one step. Thus, for these two cases, $\delta(q, \sigma_{j,k+n+1})$ satisfies $RO_{RCO}$. For case 3), note that $\rho(p_{j,k+n})$ is the only resource in the sequence $\rho(p_{jk}) = r_g, \ldots, \rho(p_{j,k+c}) = r_i$ that can be capacitated in $\delta(q, \sigma_{j,k+n})$, implying that $r_t \notin \{\rho(p_{jk}) = r_g, \ldots, \rho(p_{j,k+c}) = r_i\}$. Thus, $r_t$ is not affected by the sequence of events $\sigma_{j,k+n}$, which implies that $r_t$ was capacitated with parts in the original state $q$. Thus, for $q$, we have $r_t \in RCO$ and $r_g \in R_{PFD} \subseteq RCO$, both capacitated, which violates $RO_{RCO}$, contrary to the induction hypothesis. Thus, we conclude that $\delta(q, \sigma_{j,k+n+1})$ satisfies $RO_{RCO}$.

We now establish that $RO_{RFD2}$ is not violated by $\delta(q, \sigma_{j,k+m})$ for $m = 0, \ldots, c$. Because $\delta(q, \sigma_{j,k+0}) = q \in Q^4_{RO}$, $q$ does not violate $RO_{RFD2}$. Suppose $\delta(q, \sigma_{j,k+n}) \in Q^4_{RO}$. Then, $\delta(q, \sigma_{j,k+n})$ does not violate $RO_{RFD2}$, i.e., $\delta(q, \sigma_{j,k+n})$ has at most two resources, say $r_s$ and $r_t$, in $R_{FD}$ filled with FD parts.
Because $\delta(q, \sigma_{j,k+n})$ satisfies $RO_{ROD}$, the two cannot both be in $ROD = R_{FD} \setminus R_U$, and thus, at least one, say $r_s$, must be in $R_U$. Assume that $r_t \in R_{FD} \setminus R_U$ and $r_s \in R_U$. By the previous logic, $r_t$ must be $\rho(p_{j,k+n})$. Note the following two possibilities.

1) $\rho(p_{j,k+n+1}) \in R_{FD} \setminus R_U$.

2) $\rho(p_{j,k+n+1}) \in R_U$.

If 1) is true, then $\delta(q, \sigma_{j,k+n+1})$ has at most two resources, $r_s \in R_U$ and $\rho(p_{j,k+n+1}) \in R_{FD} \setminus R_U$, in $R_{FD}$ filled with FD parts. If 2) is true, then $\delta(q, \sigma_{j,k+n+1})$ has at most two resources, $r_s \in R_U$ and $\rho(p_{j,k+n+1}) \in R_U$, in $R_{FD}$ filled with FD parts. Thus, $\delta(q, \sigma_{j,k+n+1})$ satisfies $RO_{RFD2}$.

Thus, we have shown that $\delta(q, \sigma_{j,k+0}) = q \in Q^4_{RO}$ and that if $\delta(q, \sigma_{j,k+n}) \in Q^4_{RO}$, then $\delta(q, \sigma_{j,k+n+1}) \in Q^4_{RO}$, and this completes the proof.

Lemma C.5 asserts that we can advance every NFD part out of the system.

Lemma C.5: For $q_u \in Q^4_{RO}$, there exists a sequence of resource allocations admitted by $RO_4$ that empties the system of NFD parts.

Proof: Let $q_u \in Q^4_{RO}$. We need to establish that, beginning at $q_u$, there exists a sequence $\sigma$ of resource allocations admitted by $RO_4$ that empties the system of NFD parts. There are two cases.

Case 1 (There exists no capacitated resource in RCO): Every resource of RCO has a free unit of capacity at $q_u$. As a result, based on the arguments presented in Case 1 of Lemma B.6, we are able to advance all NFD parts out of RCO. Furthermore, advancing an NFD part out of the system will not violate $RO_4$. This is true because advancing an NFD part along its route gives rise to at most one capacitated resource in RCO and, thus, does not violate $RO_{RCO}$. In addition, $RO_{RFD}$, $RO_{ROD}$, and $RO_{RFD2}$ remain intact, because these constraints do not count NFD parts. Therefore, the sequence of states generated by advancing an NFD part out of the system is admitted by $RO_4$. After clearing all NFD parts, we have $\Pi_{NFD} = \emptyset$, and thus, $R_{NFD}$ holds no part.
Case 2 (There exists one capacitated resource, say $r_g$, in RCO): There are two possible cases to consider. Case 2.1 deals with the situation where $r_g$ holds an NFD part. Case 2.2 handles the situation where $r_g$ holds only FD parts. We show that we can advance all NFD parts out of the system, beginning at $q_u$, without violating $RO_4$.

Case 2.1 ($r_g$ holds an NFD part): Based on the arguments presented in Case 2.1 of Lemma B.6, we are able to advance an NFD part from $r_g$ out of the system. Furthermore, advancing this NFD part out of the system will not violate $RO_4$. Clearly, $RO_{RCO}$ is not violated, because advancing this NFD part results in at most one capacitated resource in RCO. In addition, $RO_{RFD}$, $RO_{ROD}$, and $RO_{RFD2}$ are not affected, because they do not consider NFD parts. Therefore, the sequence of states generated by advancing this NFD part out of the system is permitted by $RO_4$. After $r_g$ is decapacitated, there is no capacitated resource in RCO. To continue to clear the system of the remaining parts, we now proceed to Case 1.

Case 2.2 ($r_g$ holds only FD parts): Lemma B.4 indicates that $r_g$ is in $RCO \cap R_{FD} = R_{PFD}$. Lemma C.2 ensures that we can advance a part $p_{jk}$ of $\Pi_g$ into the buffer of $r_i$ such that $r_i \in RT_{jk} \cap R_U$. Lemma C.4 guarantees that no constraint is violated as we advance $p_{jk}$ along its route. Hence, the sequence of states generated by advancing $p_{jk}$ into the buffer of $r_i$ is acceptable to $RO_4$. Then, there is no capacitated resource in RCO, and we may proceed to Case 1 to continue to empty the system of the remaining NFD parts.

Let $r_g \in R_U$, and write $\bar{R}$ for the set of currently failed resources and $R_R$ for the set of reliable resources. Lemma C.6 establishes the following: 1) if $r_g$ is operational, then every resource of the residual route of every part that is FD on $r_g$ is operational; and 2) if no reliable resource is capacitated, then, for every part that is FD on $r_g$, every resource other than $r_g$ in its residual route is uncapacitated. These results are necessary for us to establish safe sequences for FD parts.

Lemma C.6: Let $q \in Q^4_{RO}$ and $r_g \in R_U$.

1) If $r_g \notin \bar{R}$, then $\forall p_{jk} \in \Pi^{FD}_g$ and $\forall r_h \in RT_{jk}$, $r_h \notin \bar{R}$.

2) If $\forall r_f \in R_R$, $|\Pi_f| < C_f$, then $\forall p_{jk} \in \Pi^{FD}_g$ and $\forall r_h \in RT_{jk}$ with $r_h \ne r_g$, $|\Pi_h| < C_h$.

Proof: Recall that $\forall P_{jk} \in P$, $|RT_{jk} \cap R_U| \le 1$, and thus, 1) follows immediately.
For 2), suppose $\exists p_{jk} \in \Pi^{FD}_g$ such that $\exists r_h \in RT_{jk}$ with $r_h \ne r_g$ and $|\Pi_h| = C_h$. Then, $r_h \in R_U$, because $\forall r_f \in R_R$, $|\Pi_f| < C_f$. As a consequence, $RT_{jk} \cap R_U = \{r_g, r_h\}$, which contradicts $|RT_{jk} \cap R_U| \le 1$.

Now, Lemma C.7 provides a sequence that advances FD parts out of the system when there are no NFD parts in the system.

Lemma C.7: Let $q \in Q^4_{RO}$ such that $\Pi_{NFD} = \emptyset$. Then, there exists a sequence $\sigma$ such that, $\forall r_g \in R_U \setminus \bar{R}$, $\Pi^{FD}_g = \emptyset$ in $\delta(q, \sigma)$.

Proof: We establish the proof by constructing a sequence $\sigma$ of events that clears every set of FD parts associated with every operational unreliable resource. Suppose $\exists r_h \in ROD$ such that $|\Pi_h| = C_h$. Because $\Pi_{NFD} = \emptyset$, $\Pi_h \subseteq \Pi_{FD}$. Because $RO_{ROD}$ allows in ROD at most one capacitated resource filled with FD parts, $r_h$ is the only capacitated resource in ROD. Because $\Pi_{NFD} = \emptyset$, every resource of $R_R \setminus ROD$ is empty. Thus, $r_h$ is the only capacitated resource of $ROD \cup (R_R \setminus ROD) = ROD \cup R_R = (R_{FD} \setminus R_U) \cup R_R = R_R$. First, decapacitate $r_h$ by advancing a part $p_{jk}$ of $\Pi_h$ into the buffer of $r_u \in RT_{jk} \cap R_U$. This is possible by Lemma C.1. (Note that it is possible for $r_u \in \bar{R}$.) Let $q_1$ be the state obtained after advancing $p_{jk}$ into $r_u$. By Lemma C.3, every state encountered in advancing $p_{jk}$ into the buffer of $r_u$ satisfies $RO_4$. Thus, $q_1 \in Q^4_{RO}$ and contains no capacitated resource in $R_R$. For all $r_i \in R_U \setminus \bar{R}$, we want to empty $\Pi^{FD}_i$ beginning at $q_1$. If $\exists r_g \in R_U \setminus \bar{R}$ such that $|\Pi_g| = C_g$, advance a part of $\Pi_g$ out of the system to decapacitate $r_g$. Then, advance any remaining part of $\Pi^{FD}_g$ out of the system until $\Pi^{FD}_g$ is empty. This is possible by Lemma C.6 (although we have not yet shown that it satisfies $RO_4$). When $\forall r_g \in R_U \setminus \bar{R}$, $|\Pi_g| < C_g$, select any nonempty $\Pi^{FD}_g$ and advance any part of $\Pi^{FD}_g$ out of the system. Again, this is possible by Lemma C.6. Repeat until $\Pi^{FD}_g$ is empty. Clearly, we can repeat the procedure until, $\forall r_g \in R_U \setminus \bar{R}$, $\Pi^{FD}_g = \emptyset$.

Lemma C.8 ensures that $RO_4$ is not violated by the procedure of Lemma C.7.

Lemma C.8: Let $q \in Q^4_{RO}$ such that $\Pi_{NFD} = \emptyset$.
Let $\sigma$ be a sequence such that, $\forall r_g \in R_U \setminus \bar{R}$ (where $\bar{R}$ is the set of failed resources), $\Pi^{FD}_g = \emptyset$ in $\delta(q, \sigma)$, and let $\sigma'$ be any prefix of $\sigma$. Then, $\delta(q, \sigma') \in Q^4_{RO}$.

Proof: The sequence $\sigma$ of events obtained in the proof of Lemma C.7 first decapacitates $r_h$ in ROD. Let $\sigma_1$ be the sequence of events that advances a part from $r_h$ into the buffer of its required unreliable resource. Let $\sigma'_1$ be any prefix of $\sigma_1$. Then, by Lemma C.3, $\delta(q, \sigma'_1) \in Q^4_{RO}$. Note that $\delta(q, \sigma_1) = q_1 \in Q^4_{RO}$. The sequence $\sigma$ next empties $\Pi^{FD}_i$, $\forall r_i \in R_U \setminus \bar{R}$, beginning at $\delta(q, \sigma_1) = q_1$. Let $\sigma_2$ be a sequence of events such that $\delta(q_1, \sigma_2) = q_2$, where, $\forall r_i \in R_U \setminus \bar{R}$, $\Pi^{FD}_i = \emptyset$ in $q_2$, and such that, if $\sigma'_2$ is any proper prefix of $\sigma_2$, $\exists r_i \in R_U \setminus \bar{R}$ with $\Pi^{FD}_i \ne \emptyset$ in $\delta(q_1, \sigma'_2)$. Clearly, $\sigma = \sigma_1 \sigma_2$. We now have to establish that $\delta(q_1, \sigma'_2) \in Q^4_{RO}$. Note that $\delta(q_1, \sigma'_2)$ does not violate $RO_{ROD}$. To see this, note that $q_1$ has no capacitated resource in $R_R$ and that advancing a single FD part out of the system can cause at most one capacitated resource in $ROD \subseteq R_R$. Thus, $\delta(q_1, \sigma'_2)$ has at most one capacitated resource in ROD. By the same argument, $\delta(q_1, \sigma'_2)$ does not violate $RO_{RCO}$. Now, suppose $\delta(q_1, \sigma'_2)$ violates $RO_{RFD2}$. Then, $\delta(q_1, \sigma'_2)$ exhibits three capacitated resources in $R_{FD}$. Because $R_R$ contains no capacitated resource at $q_1$, and advancing an FD part out of the system can cause at most one capacitated resource in $ROD \subseteq R_R$, we must then have two capacitated resources in $R_U$ at $\delta(q_1, \sigma'_2)$. By the procedure given in the proof of Lemma C.7, these two capacitated resources must be in $\bar{R}$ at $q_1$, and thus, $|\bar{R}| > 1$. This contradicts our assumption that $q \in Q^4_{RO}$ with $|\bar{R}| \le 1$. Therefore, advancing FD parts out of the system does not violate $RO_{RFD2}$. Finally, $RO_{RFD}$ is not violated, by arguments similar to those presented in Lemmas C.3 and C.4. We have now completed the proof.

We will show that supervisor $RO_4$ is robust to a single resource failure of $R_U$ at a time. To this end, we first establish four lemmas as follows.
The following Lemma C.9 indicates that the supervisor ensures safety for the system if no resource failure occurs. Lemma C.9: RO 4 ensures safety for the system, given that R =. Proof: Follows directly from Lemmas C.5 and C.8. Lemma C.10: q u Q 4 RO and q u that enables κ i Σ u2,we have δ(q u,κ i )=q u, serving as a feasible initial state for the reduced system.

21 WANG et al.: USING SHARED-RESOURCE CAPACITY FOR ROBUST CONTROL 625 Proof: It follows directly from Lemmas C.5 and C.8 that if q u Q 4 RO with R = and κ i ξ(q u ), then, starting with q u = δ(q u,κ i ), implying that R = r i in q u, it is possible, under the supervision of RO 4, to first empty the system of all NFD parts and then of all FD parts that are not requiring r i R. Furthermore, in the resulting state, the only possible capacitated resource will be r i R. Thus, no resource of R\R is capacitated, i.e., each resource of R\R has at least one unit of unoccupied buffer capacity. Next, we show that we are able to indefinitely produce every part that is not requiring r i. We can load and advance new parts so long as RO 4 is not violated. By Lemma C.5, we can finish all NFD parts, and by Lemma C.8, we can finish all FD parts that are not requiring r i R. It is clear that every part that is not requiring r i R can continue to produce indefinitely in the reduced system so long as R = {r i }. Lemma C.11: RO 4 ensures safety for the system, given that R = {r i }. Proof: Follows from the proof of Lemma C.10. Lemma C.12: For R = {r i } in q v with q v Q 4 RO and η i ξ(q v), q v = δ(q v,η i ) serves as a feasible initial state for the upgraded system. Proof: First, note that for q v, R =. Furthermore, q v and q v have exactly the same distribution of parts, i.e., the same resource allocation, because the execution of η i does not change the resource allocation state. Because Q 4 RO considers only the resource allocation state and not the status of unreliable resources, q v Q 4 RO implies that q v Q 4 RO.Thus,byLemma C.9, the system is safe in state q v = δ(q v,η i ). The following theorem is now readily available. Theorem C.1: Supervisory controller RO 4 is robust for systems where R U 1and R 1. Proof: It follows directly from Lemmas C.9 C.12. We have now established that controller RO 4 is robust to a single resource failure for systems with R U 1. 
APPENDIX D NHC

NHC is a set of neighborhood constraints based on the notion of failure dependence. Informally, a resource is FD if every part that enters its buffer space requires some future processing on a given unreliable workstation. Thus, all unreliable resources are FD. Some reliable resources may also be FD if they only process parts that require future processing on a given unreliable resource. For each FD resource, we generate a neighborhood. The neighborhood of an FD resource is a virtual space of finite capacity that is used to control the distribution of parts requiring that given FD resource. In the following, we illustrate the NHC through an example and refer the reader to [26] for an in-depth discussion.

Fig. 16. System with two unreliable resources.

The system in Fig. 16 has two unreliable resources {r_2, r_9}. Note that, anytime r_1 appears in a route, r_2 appears later in the route, and thus, r_1 is FD on r_2 (and r_2 is FD on itself). Also, anytime r_7 or r_8 appears in a route, r_9 appears later in the route; therefore, the resources in the set {r_7, r_8, r_9} are FD on r_9. Thus, for r_2, we set up two neighborhoods, one for r_1 and one for r_2 (call these NH^2_1 and NH^2_2), and for r_9, we set up three neighborhoods, one for r_7, one for r_8, and one for r_9 (call these NH^9_7, NH^9_8, and NH^9_9). These are defined as follows:

NH^2_1 = {P_14, P_22, P_23, P_24, P_25, P_26}
NH^2_2 = {P_11, P_12, P_13, P_15, P_21, P_27}
NH^9_7 = {P_32}
NH^9_8 = {P_31}
NH^9_9 = {P_33, P_34, P_35}.

To understand this, consider NH^2_1 and NH^2_2. Note that the support set of r_1 is Ω_1 = {P_14, P_26} and that the support set of r_2 is Ω_2 = {P_13, P_15, P_21, P_27}. Thus, {P_14, P_26} NH^2_1, and {P_13, P_15, P_21, P_27} NH^2_2. Now, consider T_1 = {ρ(P_11), ρ(P_12), ρ(P_13), ρ(P_14), ρ(P_15)} = {r_6, r_3, r_2, r_1, r_2}.
Because {r_6, r_3} precede r_2 in the route but are not FD on r_2, parts in their support set that require r_2 in future processing, which are {P_11, P_12}, will belong to NH^2_2. Similarly, T_2 = {ρ(P_21), ρ(P_22), ρ(P_23), ρ(P_24), ρ(P_25), ρ(P_26), ρ(P_27), ρ(P_28)} = {r_2, r_3, r_4, r_6, r_5, r_1, r_2, r_3}. Because {r_3, r_4, r_6, r_5} are not FD on r_2, {P_22, P_23, P_24, P_25} will belong to NH^2_1. Thus, we get NH^2_1 = {P_14, P_22, P_23, P_24, P_25, P_26} and NH^2_2 = {P_11, P_12, P_13, P_15, P_21, P_27}.

We now construct neighborhood constraints. Our intention is to guarantee that every part in the neighborhood of an FD resource has capacity reserved at that resource. Recall that x_jk is the number of finished instances, and y_jk is the number of unfinished instances of P_jk located in the buffer of ρ(P_jk). For the example, we have the following constraints:

$$NHC^2_1 = \Big\{\, Z^2_1 = \sum_{P_{jk} \in NH^2_1} (x_{jk} + y_{jk}) \le C_1,\quad Z^2_2 = \sum_{P_{jk} \in NH^2_2} (x_{jk} + y_{jk}) \le C_2 \,\Big\}$$

$$NHC^9_1 = \Big\{\, Z^9_7 = \sum_{P_{jk} \in NH^9_7} (x_{jk} + y_{jk}) \le C_7,\quad Z^9_8 = \sum_{P_{jk} \in NH^9_8} (x_{jk} + y_{jk}) \le C_8,\quad Z^9_9 = \sum_{P_{jk} \in NH^9_9} (x_{jk} + y_{jk}) \le C_9 \,\Big\}.$$

These constraints assure that none of the neighborhoods become overcapacitated. These constraints alone can induce deadlock among FD resources, because if all neighborhoods are capacitated, parts cannot move from one neighborhood to another without overcapacitating a neighborhood. Thus, we develop an additional set of constraints (called NHC^i_2) as follows.

For NHC^i_2, it is first necessary to compute the part flows among neighborhoods. For neighborhoods with mutual flow, we develop a constraint that allows only one of the neighborhoods to be filled at a time. For example, we see that NH^2_1 and NH^2_2 have mutual flows, because {P_14, P_26} NH^2_1 and {P_13, P_27} NH^2_2 (P_13 moves from NH^2_2 to NH^2_1, where it becomes P_14, and P_26 moves from NH^2_1 to NH^2_2, where it becomes P_27). Thus, we get the constraint

$$NHC^2_2 = \{\, Z^2_1 + Z^2_2 < C_1 + C_2 \,\},$$

which guarantees that these two are not simultaneously capacitated. Note that there is no mutual flow between neighborhoods of FD resources for r_9, and thus, no additional constraints are generated for these. To summarize, NHC guarantees that no neighborhood is overcapacitated and that neighborhoods with mutual-flow dependencies are not simultaneously capacitated.

APPENDIX E BA

BA is perhaps the most widely known DAP, and its underlying concepts have influenced the thinking of numerous researchers. BA is a suboptimal DAP in the sense that it achieves computational tractability by sacrificing some safe states.
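Returning to the neighborhoods of Appendix D: the following is an added example (not the paper's code, nor the algorithm of [26]) that builds NH^2_1 and NH^2_2 from the listed routes T_1 and T_2 and checks a state against NHC^2_1 and NHC^2_2. It assumes capacities C_1 = 2 and C_2 = 3 (not given on the page), takes the FD set {r_1, r_2} as stated rather than computing it, and omits route 3, which the page does not give in full.

```python
"""Neighborhood constraints (NHC) for the r_2 neighborhoods of the Fig. 16 system.

Added example, not the paper's own code. Routes 1 and 2 are the ones the
appendix lists (T_1 and T_2); route 3 is omitted because the page does not
give it in full. Which resources are FD on r_2 ({r_1, r_2}) is taken from the
page rather than computed. Capacities C_1 and C_2 are assumed values.
"""

# Routes as resource sequences: stage P_jk is route j, position k (1-based).
ROUTES = {
    1: ["r6", "r3", "r2", "r1", "r2"],                    # T_1
    2: ["r2", "r3", "r4", "r6", "r5", "r1", "r2", "r3"],  # T_2
}
UNRELIABLE = "r2"
FD_ON = {"r2": ["r1", "r2"]}      # FD resources of r_2, as given on the page
CAPACITY = {"r1": 2, "r2": 3}     # assumed; Fig. 16 capacities are not on the page


def build_neighborhoods(routes, unreliable, fd_resources):
    """NH^u_f: stages sitting at FD resource r_f (its support set), plus stages at
    non-FD resources that still require r_u and whose next FD resource along
    the route is r_f."""
    nh = {f: set() for f in fd_resources}
    for j, route in routes.items():
        for k, res in enumerate(route, start=1):
            stage = f"P{j}{k}"
            if res in fd_resources:
                nh[res].add(stage)
                continue
            rest = route[k:]                 # remaining processing after this stage
            if unreliable not in rest:       # no future need of r_u: no neighborhood
                continue
            nxt = next(r for r in rest if r in fd_resources)
            nh[nxt].add(stage)
    return nh


def mutual_flow_pairs(routes, nh):
    """Neighborhood pairs with flow in both directions: P_jk in one neighborhood
    advances to P_j,k+1 in the other, and some stage flows the opposite way."""
    owner = {s: f for f, stages in nh.items() for s in stages}
    flows = set()
    for j, route in routes.items():
        for k in range(1, len(route)):
            a, b = owner.get(f"P{j}{k}"), owner.get(f"P{j}{k + 1}")
            if a and b and a != b:
                flows.add((a, b))
    return {tuple(sorted(p)) for p in flows if (p[1], p[0]) in flows}


def nhc_ok(state, nh, capacity, mutual):
    """state maps stage -> x_jk + y_jk (instances in the buffer of rho(P_jk)).
    NHC_1: Z_f <= C_f for every neighborhood.
    NHC_2: Z_a + Z_b < C_a + C_b for every mutual-flow pair (never both full)."""
    z = {f: sum(state.get(s, 0) for s in stages) for f, stages in nh.items()}
    if any(z[f] > capacity[f] for f in nh):
        return False
    return all(z[a] + z[b] < capacity[a] + capacity[b] for a, b in mutual)


if __name__ == "__main__":
    nh = build_neighborhoods(ROUTES, UNRELIABLE, FD_ON[UNRELIABLE])
    mutual = mutual_flow_pairs(ROUTES, nh)
    print("NH^2_1 =", sorted(nh["r1"]))
    print("NH^2_2 =", sorted(nh["r2"]))
    print("mutual-flow pairs:", mutual)
    # Constructed state: r_1 holds two P_14 and r_2 holds three P_13 (both full).
    print("both neighborhoods full admitted?",
          nhc_ok({"P14": 2, "P13": 3}, nh, CAPACITY, mutual))
```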
BA avoids deadlock by allowing an allocation only if the requesting processes can be ordered so that the terminal resource needs of the ith process P_i in the ordering can be met by pooling available resources and those released by completed processes P_1, P_2, ..., P_{i-1}. The ordering is essentially a sequence in which all processes in the system can complete successfully. BA has complexity O(mn log n), where m is the number of resource types and n is the number of requests.

For our purposes, we modify BA to search for an ordering of parts that advances FD parts (those requiring unreliable resources) into the resource of their current neighborhood and NFD parts (those not requiring unreliable resources) out of the system. Our modifications are straightforward (see [26] for the detailed algorithm). Again, the ordering is such that the resources required by the first part are all available, those required by the second part are all available after the first part has finished and released the resources held by the part, and so forth. If the system can be cleared in this way (all FD parts are advanced into FD resources, and all NFD parts are advanced out of the system), then we can guarantee that, if any unreliable resource fails, the system can continue producing parts that do not require the failed resource.

Fig. 17. Counterflow system.

APPENDIX F RO

RO is a suboptimal DAP based on the intuition that parts flowing in opposite directions through the same set of resources must at some point be able to pass [14]. RO constraints are given as follows:

$$\sum_{P_{ij} \in RU_u} z_{ij} + \sum_{P_{km} \in LU_v} z_{km} < C_u + C_v \qquad r_u, r_v \text{ s.t. } h(r_u) < h(r_v), \text{ and } z_{ij} = x_{ij} + y_{ij}.$$

RU_u (LU_v) represents the set of part-type stages on r_u (r_v) that are flowing to the "right" ("left"), and h represents an ordering of the resources (resources that are low in the order are on the "left," and resources that are high in the order are on the "right"). Note that a constraint is generated for each pair of resources. This constraint sums the current number of the rightbound P_ij's of the resource that is low in the order (to the left) and the current number of leftbound P_km's of the resource that is high in the order (to the right) and ensures that this sum is always less than the combined capacity of the two resources. Applying this policy to the system in Fig. 17 yields the following:

RU_1 = {P_11}, LU_1 =
RU_2 = {P_12}, LU_2 = {P_23}
RU_3 = {P_13}, LU_3 = {P_22}
RU_4 = , LU_4 = {P_21}.

1) z_11 + z_23 < 3 + 4 = 7 (r_1 and r_2).
2) z_11 + z_22 < 3 + 3 = 6 (r_1 and r_3).
3) z_11 + z_21 < 3 + 2 = 5 (r_1 and r_4).
4) z_12 + z_22 < 4 + 3 = 7 (r_2 and r_3).
5) z_12 + z_21 < 4 + 2 = 6 (r_2 and r_4).
6) z_13 + z_21 < 3 + 2 = 5 (r_3 and r_4).
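The RO constraint generation above, as an added example (not the paper's code) that rebuilds the six Fig. 17 constraints from the routes, capacities and order h, and reports which of them a given state violates. The routes r_1 -> r_2 -> r_3 and r_4 -> r_3 -> r_2 are inferred from the RU/LU sets (LU_1 and RU_4 come out empty), and the sample state is constructed rather than read from Fig. 17.

```python
"""Resource-ordering (RO) constraints for the counterflow system of Fig. 17.

Added example, not the paper's code. Capacities C_1..C_4 = 3, 4, 3, 2 and the
routes (type 1: r_1 -> r_2 -> r_3, type 2: r_4 -> r_3 -> r_2) are read off the
RU/LU sets and the six constraints the appendix lists; the resource order h is
r_1 < r_2 < r_3 < r_4. The sample state below is constructed, not Fig. 17 itself.
"""
from itertools import combinations

CAPACITY = {"r1": 3, "r2": 4, "r3": 3, "r4": 2}
ORDER = {"r1": 1, "r2": 2, "r3": 3, "r4": 4}          # h(r): left-to-right order
ROUTES = {1: ["r1", "r2", "r3"], 2: ["r4", "r3", "r2"]}


def direction(route, h):
    """'right' if h increases along the whole route, 'left' if it decreases."""
    steps = [h[b] - h[a] for a, b in zip(route, route[1:])]
    if all(s > 0 for s in steps):
        return "right"
    if all(s < 0 for s in steps):
        return "left"
    raise ValueError("RO needs routes that are monotone in h: " + str(route))


def flow_sets(routes, h):
    """RU_u / LU_u: the stages on r_u that are rightbound / leftbound."""
    ru = {r: set() for r in h}
    lu = {r: set() for r in h}
    for j, route in routes.items():
        target = ru if direction(route, h) == "right" else lu
        for k, res in enumerate(route, start=1):
            target[res].add(f"P{j}{k}")
    return ru, lu


def ro_constraints(routes, capacity, h):
    """One constraint per pair r_u, r_v with h(r_u) < h(r_v):
    sum of z over RU_u plus sum of z over LU_v must stay below C_u + C_v.
    Returned as (rightbound stages, leftbound stages, C_u + C_v), in the
    same pair order as the appendix's list 1) to 6)."""
    ru, lu = flow_sets(routes, h)
    cons = []
    for u, v in combinations(sorted(h, key=h.get), 2):
        cons.append((sorted(ru[u]), sorted(lu[v]), capacity[u] + capacity[v]))
    return cons


def ro_violations(state, constraints):
    """state maps stage -> z_jk = x_jk + y_jk.
    Returns the 1-based indices of constraints the state violates (sum >= bound)."""
    bad = []
    for i, (right, left, bound) in enumerate(constraints, start=1):
        total = sum(state.get(s, 0) for s in right) + sum(state.get(s, 0) for s in left)
        if total >= bound:
            bad.append(i)
    return bad


if __name__ == "__main__":
    cons = ro_constraints(ROUTES, CAPACITY, ORDER)
    for i, (right, left, bound) in enumerate(cons, start=1):
        print(f"{i}) {' + '.join(right + left)} < {bound}")
    # Constructed state: r_1 full of P_11 (3) and r_4 full of P_21 (2).
    # Their sum reaches C_1 + C_4 = 5, so constraint 3) is violated.
    print("violated:", ro_violations({"P11": 3, "P21": 2}, cons))
```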

Constraint 1), for example, assures that the number of P_11's at r_1 plus the number of P_23's at r_2 is always less than the combined capacities of r_1 and r_2. These constraints will disallow states such as that in Fig. 17, which violates constraint 3). For complete details, the reader is referred to [14].

REFERENCES

[1] Z. Banaszak and E. Roszkowska, "Deadlock avoidance in pipeline concurrent processes," Podst. Ster. (Foundations of Control), vol. 18, no. 1, pp. 3–17.
[2] Z. Banaszak and B. Krogh, "Deadlock avoidance in flexible manufacturing systems with concurrently competing process flows," IEEE Trans. Robot. Autom., vol. 6, no. 6, Dec.
[3] N. Viswanadham, Y. Narahari, and T. Johnson, "Deadlock prevention and deadlock avoidance in flexible manufacturing systems using Petri net models," IEEE Trans. Robot. Autom., vol. 6, no. 6, Dec.
[4] R. Wysk, N. Yang, and S. Joshi, "Detection of deadlocks in flexible manufacturing cells," IEEE Trans. Robot. Autom., vol. 7, no. 6, Dec.
[5] Y. Leung and G. Sheen, "Resolving deadlocks in flexible manufacturing cells," J. Manuf. Syst., vol. 12, no. 4.
[6] F. Hsieh and S. Chang, "Dispatching-driven deadlock avoidance controller synthesis for flexible manufacturing systems," IEEE Trans. Robot. Autom., vol. 10, no. 2, Apr.
[7] J. Ezpeleta, J. Colom, and J. Martinez, "A Petri net based deadlock prevention policy for flexible manufacturing systems," IEEE Trans. Robot. Autom., vol. 11, no. 2, Apr.
[8] K. Xing, B. Hu, and H. Chen, "Deadlock avoidance policy for Petri-net modeling of flexible manufacturing systems with shared resources," IEEE Trans. Autom. Control, vol. 41, no. 2, Feb.
[9] M. Fanti, B. Maione, S. Mascolo, and B. Turchiano, "Event-based feedback control for deadlock avoidance in flexible production systems," IEEE Trans. Robot. Autom., vol. 13, no. 3, Jun.
[10] M. Lawley, S. Reveliotis, and P. Ferreira, "FMS structural control and the neighborhood policy, Part 1: Correctness and scalability," IIE Trans., vol. 29, no. 10.
[11] M. Lawley, S. Reveliotis, and P. Ferreira, "FMS structural control and the neighborhood policy, Part 2: Generalization, optimization, and efficiency," IIE Trans., vol. 29, no. 10.
[12] S. Reveliotis, M. Lawley, and P. Ferreira, "Polynomial-complexity deadlock avoidance policies for sequential resource allocation systems," IEEE Trans. Autom. Control, vol. 42, no. 10, Oct.
[13] M. Lawley, S. Reveliotis, and P. Ferreira, "The application and evaluation of Banker's algorithm for deadlock-free buffer space allocation in flexible manufacturing systems," Int. J. Flexible Manuf. Syst., vol. 10, no. 1, Feb.
[14] M. Lawley, S. Reveliotis, and P. Ferreira, "A correct and scalable deadlock avoidance policy for flexible manufacturing systems," IEEE Trans. Robot. Autom., vol. 14, no. 5, Oct.
[15] M. Lawley and S. Reveliotis, "Deadlock avoidance for sequential resource allocation systems: Hard and easy cases," Int. J. Flexible Manuf. Syst., vol. 13, no. 4, Oct.
[16] M. Lawley and W. Sulistyono, "Robust supervisory control policies for manufacturing systems with unreliable resources," IEEE Trans. Robot. Autom., vol. 18, no. 3, Jun.
[17] S. Reveliotis, "Accommodating FMS operational contingencies through routing flexibility," IEEE Trans. Robot. Autom., vol. 15, no. 1, pp. 3–19, Feb.
[18] S. Park and J. Lim, "Fault-tolerant robust supervisor for discrete event systems with model uncertainty and its application to a workcell," IEEE Trans. Robot. Autom., vol. 15, no. 2, Apr.
[19] F. Hsieh, "Reconfigurable fault tolerant deadlock avoidance controller synthesis for assembly production processes," in Proc. IEEE Conf. Man, Syst. Cybern., Nashville, TN, 2000.
[20] F. Hsieh, "Fault-tolerant deadlock avoidance algorithm for assembly processes," IEEE Trans. Syst., Man, Cybern. A, Syst., Humans, vol. 34, no. 1, Jan.
[21] F. Hsieh, "Robustness of deadlock avoidance algorithms for sequential processes," Automatica, vol. 39, no. 10, Oct.
[22] F. Hsieh, "Fault tolerant liveness analysis for a class of Petri nets," in Proc. IEEE Int. Conf. Control Appl., Istanbul, Turkey, 2003.
[23] F. Hsieh, "Analysis of a class of controlled Petri net based on structural decomposition," in Proc. 10th IFAC/IFORS/IMACS/IFIP Symp. Large Scale Syst.: Theory Appl., Jul. 2004.
[24] F. Hsieh, "Robustness of a class of controlled Petri nets," in Proc. 36th Southeastern Symp. Syst. Theory, 2004.
[25] M. Lawley, "Control of deadlock and blocking in production systems with unreliable workstations," Int. J. Prod. Res., vol. 40, no. 17.
[26] S. Chew and M. Lawley, "Robust supervisory control for production systems with multiple resource failures," IEEE Trans. Autom. Sci. Eng., vol. 3, no. 3, Jul.

Shengyong Wang received the B.S. degree in mechanical engineering from the Beijing University of Aeronautics and Astronautics, Beijing, China, the M.S. degree in innovation in manufacturing system and technology from the Singapore Massachusetts Institute of Technology Alliance, Singapore, and the Ph.D. degree in industrial engineering from Purdue University, West Lafayette, IN, in 2000, 2001, and 2006, respectively. He is currently a Research Assistant Professor with the Department of Systems Science and Industrial Engineering, State University of New York, Binghamton. His research interests include healthcare engineering, discrete-event systems, modeling and simulation, production system analysis, and robust supervisory control. Dr. Wang is a member of the Institute for Operations Research and the Management Sciences.

Song Foh Chew received the B.S. degree in mathematics with a minor in physics from Bemidji State University, Bemidji, MN, and the M.S. and Ph.D. degrees in industrial engineering from Purdue University, West Lafayette, IN, in 1992, 1997, and 2005, respectively. He is currently an Assistant Professor of Operations Research with the Department of Mathematics and Statistics, Southern Illinois University Edwardsville, Edwardsville. His research interests are primarily in the areas of deadlock avoidance and robust supervisory control of resource allocation systems.

Mark A. Lawley received the Ph.D. degree in mechanical engineering from the University of Illinois, Urbana-Champaign. He is currently an Associate Professor with the Weldon School of Biomedical Engineering, Purdue University, West Lafayette, IN. Before joining the Weldon School of Biomedical Engineering in 2007, for nine years, he served as an Assistant and Associate Professor of industrial engineering, also at Purdue University, and held engineering positions with Westinghouse Electric Corporation, Emerson Electric Company, and the Bevill Center for Advanced Manufacturing Technology. As a researcher in academics, he has authored over 60 technical papers. He is particularly interested in developing optimal decision policies for system configuration and resource allocation in large healthcare systems. As a Regenstrief Scholar, he has focused on research initiatives with Wishard Hospital, Regenstrief Institute of Indianapolis, Richard L. Roudebush Veterans Administration Medical Center, Ascension Health, and St. Vincent Hospitals. His research has been supported by the National Science Foundation, Union Pacific Railroads, Consilium Software, General Motors, Ascension Health, Indiana State Department of Health, Regenstrief Foundation, St. Vincent Ministry, and many others. Dr. Lawley has won two best paper awards for his work in the control of flexible automation. In January 2005, he was appointed Regenstrief Faculty Scholar in support of Purdue University's Regenstrief Center for Health Care Engineering.


More information

Resource-Oriented Petri Nets in Deadlock Avoidance of AGV Systems

Resource-Oriented Petri Nets in Deadlock Avoidance of AGV Systems Proceedings of the 2001 IEEE International Conference on Robotics & Automation Seoul, Korea May 21-26, 2001 Resource-Oriented Petri Nets in Deadlock Avoidance of AGV Systems Naiqi Wu Department of Mechatronics

More information

Discrete Event Systems Exam

Discrete Event Systems Exam Computer Engineering and Networks Laboratory TEC, NSG, DISCO HS 2016 Prof. L. Thiele, Prof. L. Vanbever, Prof. R. Wattenhofer Discrete Event Systems Exam Friday, 3 rd February 2017, 14:00 16:00. Do not

More information

On the Partitioning of Servers in Queueing Systems during Rush Hour

On the Partitioning of Servers in Queueing Systems during Rush Hour On the Partitioning of Servers in Queueing Systems during Rush Hour This paper is motivated by two phenomena observed in many queueing systems in practice. The first is the partitioning of server capacity

More information

Decentralized Control of Discrete Event Systems with Multiple Local Specializations 1

Decentralized Control of Discrete Event Systems with Multiple Local Specializations 1 Decentralized Control of Discrete Event Systems with Multiple Local Specializations Shengbing Jiang, Vigyan Chandra, Ratnesh Kumar Department of Electrical Engineering University of Kentucky Lexington,

More information

Time-optimal scheduling for high throughput screening processes using cyclic discrete event models

Time-optimal scheduling for high throughput screening processes using cyclic discrete event models Mathematics and Computers in Simulation 66 2004 181 191 ime-optimal scheduling for high throughput screening processes using cyclic discrete event models E. Mayer a,, J. Raisch a,b a Fachgruppe System

More information

Analysis and Optimization of Discrete Event Systems using Petri Nets

Analysis and Optimization of Discrete Event Systems using Petri Nets Volume 113 No. 11 2017, 1 10 ISSN: 1311-8080 (printed version); ISSN: 1314-3395 (on-line version) url: http://www.ijpam.eu ijpam.eu Analysis and Optimization of Discrete Event Systems using Petri Nets

More information

Integrating Reliability into the Design of Power Electronics Systems

Integrating Reliability into the Design of Power Electronics Systems Integrating Reliability into the Design of Power Electronics Systems Alejandro D. Domínguez-García Grainger Center for Electric Machinery and Electromechanics Department of Electrical and Computer Engineering

More information

EE731 Lecture Notes: Matrix Computations for Signal Processing

EE731 Lecture Notes: Matrix Computations for Signal Processing EE731 Lecture Notes: Matrix Computations for Signal Processing James P. Reilly c Department of Electrical and Computer Engineering McMaster University September 22, 2005 0 Preface This collection of ten

More information

CMSC 451: Lecture 7 Greedy Algorithms for Scheduling Tuesday, Sep 19, 2017

CMSC 451: Lecture 7 Greedy Algorithms for Scheduling Tuesday, Sep 19, 2017 CMSC CMSC : Lecture Greedy Algorithms for Scheduling Tuesday, Sep 9, 0 Reading: Sects.. and. of KT. (Not covered in DPV.) Interval Scheduling: We continue our discussion of greedy algorithms with a number

More information

A REACHABLE THROUGHPUT UPPER BOUND FOR LIVE AND SAFE FREE CHOICE NETS VIA T-INVARIANTS

A REACHABLE THROUGHPUT UPPER BOUND FOR LIVE AND SAFE FREE CHOICE NETS VIA T-INVARIANTS A REACHABLE THROUGHPUT UPPER BOUND FOR LIVE AND SAFE FREE CHOICE NETS VIA T-INVARIANTS Francesco Basile, Ciro Carbone, Pasquale Chiacchio Dipartimento di Ingegneria Elettrica e dell Informazione, Università

More information

MODELING AND ANALYSIS OF SPLIT AND MERGE PRODUCTION SYSTEMS

MODELING AND ANALYSIS OF SPLIT AND MERGE PRODUCTION SYSTEMS University of Kentucky UKnowledge University of Kentucky Master's Theses Graduate School 008 MODELING AND ANALYSIS OF SPLIT AND MERGE PRODUCTION SYSTEMS Yang Liu University of Kentucky, yang.liu@uky.edu

More information

NECESSARY AND SUFFICIENT CONDITIONS FOR DEADLOCKS IN FLEXIBLE MANUFACTURING SYSTEMS BASED ON A DIGRAPH MODEL

NECESSARY AND SUFFICIENT CONDITIONS FOR DEADLOCKS IN FLEXIBLE MANUFACTURING SYSTEMS BASED ON A DIGRAPH MODEL Asian Journal of Control, Vol. 6, No. 2, pp. 217-228, June 2004 217 NECESSARY AND SUFFICIENT CONDITIONS FOR DEADLOCKS IN FLEXIBLE MANUFACTURING SYSTEMS BASED ON A DIGRAPH MODEL Wenle Zhang, Robert P. Judd,

More information

AS computer hardware technology advances, both

AS computer hardware technology advances, both 1 Best-Harmonically-Fit Periodic Task Assignment Algorithm on Multiple Periodic Resources Chunhui Guo, Student Member, IEEE, Xiayu Hua, Student Member, IEEE, Hao Wu, Student Member, IEEE, Douglas Lautner,

More information

EDF Feasibility and Hardware Accelerators

EDF Feasibility and Hardware Accelerators EDF Feasibility and Hardware Accelerators Andrew Morton University of Waterloo, Waterloo, Canada, arrmorton@uwaterloo.ca Wayne M. Loucks University of Waterloo, Waterloo, Canada, wmloucks@pads.uwaterloo.ca

More information

Appendix A.0: Approximating other performance measures

Appendix A.0: Approximating other performance measures Appendix A.0: Approximating other performance measures Alternative definition of service level and approximation. The waiting time is defined as the minimum of virtual waiting time and patience. Define

More information

Extending the Associative Rule Chaining Architecture for Multiple Arity Rules

Extending the Associative Rule Chaining Architecture for Multiple Arity Rules Extending the Associative Rule Chaining Architecture for Multiple Arity Rules Nathan Burles, James Austin, and Simon O Keefe Advanced Computer Architectures Group Department of Computer Science University

More information

Dependable Computer Systems

Dependable Computer Systems Dependable Computer Systems Part 3: Fault-Tolerance and Modelling Contents Reliability: Basic Mathematical Model Example Failure Rate Functions Probabilistic Structural-Based Modeling: Part 1 Maintenance

More information

Control Synthesis of Discrete Manufacturing Systems using Timed Finite Automata

Control Synthesis of Discrete Manufacturing Systems using Timed Finite Automata Control Synthesis of Discrete Manufacturing Systems using Timed Finite utomata JROSLV FOGEL Institute of Informatics Slovak cademy of Sciences ratislav Dúbravská 9, SLOVK REPULIC bstract: - n application

More information

CS264: Beyond Worst-Case Analysis Lecture #11: LP Decoding

CS264: Beyond Worst-Case Analysis Lecture #11: LP Decoding CS264: Beyond Worst-Case Analysis Lecture #11: LP Decoding Tim Roughgarden October 29, 2014 1 Preamble This lecture covers our final subtopic within the exact and approximate recovery part of the course.

More information

Language Stability and Stabilizability of Discrete Event Dynamical Systems 1

Language Stability and Stabilizability of Discrete Event Dynamical Systems 1 Language Stability and Stabilizability of Discrete Event Dynamical Systems 1 Ratnesh Kumar Department of Electrical Engineering University of Kentucky Lexington, KY 40506-0046 Vijay Garg Department of

More information

Assortment Optimization under the Multinomial Logit Model with Nested Consideration Sets

Assortment Optimization under the Multinomial Logit Model with Nested Consideration Sets Assortment Optimization under the Multinomial Logit Model with Nested Consideration Sets Jacob Feldman School of Operations Research and Information Engineering, Cornell University, Ithaca, New York 14853,

More information

Methods for the specification and verification of business processes MPB (6 cfu, 295AA)

Methods for the specification and verification of business processes MPB (6 cfu, 295AA) Methods for the specification and verification of business processes MPB (6 cfu, 295AA) Roberto Bruni http://www.di.unipi.it/~bruni 17 - Diagnosis for WF nets 1 Object We study suitable diagnosis techniques

More information

Review Paper Machine Repair Problem with Spares and N-Policy Vacation

Review Paper Machine Repair Problem with Spares and N-Policy Vacation Research Journal of Recent Sciences ISSN 2277-2502 Res.J.Recent Sci. Review Paper Machine Repair Problem with Spares and N-Policy Vacation Abstract Sharma D.C. School of Mathematics Statistics and Computational

More information

CS 453 Operating Systems. Lecture 7 : Deadlock

CS 453 Operating Systems. Lecture 7 : Deadlock CS 453 Operating Systems Lecture 7 : Deadlock 1 What is Deadlock? Every New Yorker knows what a gridlock alert is - it s one of those days when there is so much traffic that nobody can move. Everything

More information

A deadlock prevention method for railway networks using monitors for colored Petri nets

A deadlock prevention method for railway networks using monitors for colored Petri nets A deadlock prevention method for railway networks using monitors for colored Petri nets Maria Pia Fanti Dip di Elettrotecnica ed Elettronica Politecnico di Bari, Italy fanti@deemailpolibait Abstract The

More information

Santa Claus Schedules Jobs on Unrelated Machines

Santa Claus Schedules Jobs on Unrelated Machines Santa Claus Schedules Jobs on Unrelated Machines Ola Svensson (osven@kth.se) Royal Institute of Technology - KTH Stockholm, Sweden March 22, 2011 arxiv:1011.1168v2 [cs.ds] 21 Mar 2011 Abstract One of the

More information

Maximally Permissive Deadlock Avoidance for Resource Allocation Systems with R/W-Locks

Maximally Permissive Deadlock Avoidance for Resource Allocation Systems with R/W-Locks Discrete Event Dynamic Systems: Theory and Applications manuscript No. (will be inserted by the editor) Maximally Permissive Deadlock Avoidance for Resource Allocation Systems with R/W-Locks Ahmed Nazeem

More information

However, reliability analysis is not limited to calculation of the probability of failure.

However, reliability analysis is not limited to calculation of the probability of failure. Probabilistic Analysis probabilistic analysis methods, including the first and second-order reliability methods, Monte Carlo simulation, Importance sampling, Latin Hypercube sampling, and stochastic expansions

More information

CHAPTER 4. Networks of queues. 1. Open networks Suppose that we have a network of queues as given in Figure 4.1. Arrivals

CHAPTER 4. Networks of queues. 1. Open networks Suppose that we have a network of queues as given in Figure 4.1. Arrivals CHAPTER 4 Networks of queues. Open networks Suppose that we have a network of queues as given in Figure 4.. Arrivals Figure 4.. An open network can occur from outside of the network to any subset of nodes.

More information

Industrial Automation (Automação de Processos Industriais)

Industrial Automation (Automação de Processos Industriais) Industrial Automation (Automação de Processos Industriais) Discrete Event Systems http://users.isr.ist.utl.pt/~jag/courses/api1516/api1516.html Slides 2010/2011 Prof. Paulo Jorge Oliveira Rev. 2011-2015

More information

Georg Frey ANALYSIS OF PETRI NET BASED CONTROL ALGORITHMS

Georg Frey ANALYSIS OF PETRI NET BASED CONTROL ALGORITHMS Georg Frey ANALYSIS OF PETRI NET BASED CONTROL ALGORITHMS Proceedings SDPS, Fifth World Conference on Integrated Design and Process Technologies, IEEE International Conference on Systems Integration, Dallas,

More information

A Framework for Automated Competitive Analysis of On-line Scheduling of Firm-Deadline Tasks

A Framework for Automated Competitive Analysis of On-line Scheduling of Firm-Deadline Tasks A Framework for Automated Competitive Analysis of On-line Scheduling of Firm-Deadline Tasks Krishnendu Chatterjee 1, Andreas Pavlogiannis 1, Alexander Kößler 2, Ulrich Schmid 2 1 IST Austria, 2 TU Wien

More information

NONBLOCKING CONTROL OF PETRI NETS USING UNFOLDING. Alessandro Giua Xiaolan Xie

NONBLOCKING CONTROL OF PETRI NETS USING UNFOLDING. Alessandro Giua Xiaolan Xie NONBLOCKING CONTROL OF PETRI NETS USING UNFOLDING Alessandro Giua Xiaolan Xie Dip. Ing. Elettrica ed Elettronica, U. di Cagliari, Italy. Email: giua@diee.unica.it INRIA/MACSI Team, ISGMP, U. de Metz, France.

More information

The Weakest Failure Detector to Solve Mutual Exclusion

The Weakest Failure Detector to Solve Mutual Exclusion The Weakest Failure Detector to Solve Mutual Exclusion Vibhor Bhatt Nicholas Christman Prasad Jayanti Dartmouth College, Hanover, NH Dartmouth Computer Science Technical Report TR2008-618 April 17, 2008

More information

Semi-asynchronous Fault Diagnosis of Discrete Event Systems

Semi-asynchronous Fault Diagnosis of Discrete Event Systems 1 Semi-asynchronous Fault Diagnosis of Discrete Event Systems Alejandro White, Student Member, IEEE, Ali Karimoddini, Senior Member, IEEE Abstract This paper proposes a diagnostics tool for a Discrete-

More information

2.6 Complexity Theory for Map-Reduce. Star Joins 2.6. COMPLEXITY THEORY FOR MAP-REDUCE 51

2.6 Complexity Theory for Map-Reduce. Star Joins 2.6. COMPLEXITY THEORY FOR MAP-REDUCE 51 2.6. COMPLEXITY THEORY FOR MAP-REDUCE 51 Star Joins A common structure for data mining of commercial data is the star join. For example, a chain store like Walmart keeps a fact table whose tuples each

More information

Technical Note: Capacitated Assortment Optimization under the Multinomial Logit Model with Nested Consideration Sets

Technical Note: Capacitated Assortment Optimization under the Multinomial Logit Model with Nested Consideration Sets Technical Note: Capacitated Assortment Optimization under the Multinomial Logit Model with Nested Consideration Sets Jacob Feldman Olin Business School, Washington University, St. Louis, MO 63130, USA

More information

MOST OF the published research on control of discreteevent

MOST OF the published research on control of discreteevent IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 43, NO. 1, JANUARY 1998 3 Discrete-Event Control of Nondeterministic Systems Michael Heymann and Feng Lin, Member, IEEE Abstract Nondeterminism in discrete-event

More information

Logistic Regression: Regression with a Binary Dependent Variable

Logistic Regression: Regression with a Binary Dependent Variable Logistic Regression: Regression with a Binary Dependent Variable LEARNING OBJECTIVES Upon completing this chapter, you should be able to do the following: State the circumstances under which logistic regression

More information

Online Supplement to Delay-Based Service Differentiation with Many Servers and Time-Varying Arrival Rates

Online Supplement to Delay-Based Service Differentiation with Many Servers and Time-Varying Arrival Rates Online Supplement to Delay-Based Service Differentiation with Many Servers and Time-Varying Arrival Rates Xu Sun and Ward Whitt Department of Industrial Engineering and Operations Research, Columbia University

More information

MIT Manufacturing Systems Analysis Lectures 6 9: Flow Lines

MIT Manufacturing Systems Analysis Lectures 6 9: Flow Lines 2.852 Manufacturing Systems Analysis 1/165 Copyright 2010 c Stanley B. Gershwin. MIT 2.852 Manufacturing Systems Analysis Lectures 6 9: Flow Lines Models That Can Be Analyzed Exactly Stanley B. Gershwin

More information

Single-part-type, multiple stage systems. Lecturer: Stanley B. Gershwin

Single-part-type, multiple stage systems. Lecturer: Stanley B. Gershwin Single-part-type, multiple stage systems Lecturer: Stanley B. Gershwin Flow Line... also known as a Production or Transfer Line. M 1 B 1 M 2 B 2 M 3 B 3 M 4 B 4 M 5 B 5 M 6 Machine Buffer Machines are

More information

On the Partitioning of Servers in Queueing Systems during Rush Hour

On the Partitioning of Servers in Queueing Systems during Rush Hour On the Partitioning of Servers in Queueing Systems during Rush Hour Bin Hu Saif Benjaafar Department of Operations and Management Science, Ross School of Business, University of Michigan at Ann Arbor,

More information

Advanced Computer Networks Lecture 3. Models of Queuing

Advanced Computer Networks Lecture 3. Models of Queuing Advanced Computer Networks Lecture 3. Models of Queuing Husheng Li Min Kao Department of Electrical Engineering and Computer Science University of Tennessee, Knoxville Spring, 2016 1/13 Terminology of

More information

Lecture 13: Dynamic Programming Part 2 10:00 AM, Feb 23, 2018

Lecture 13: Dynamic Programming Part 2 10:00 AM, Feb 23, 2018 CS18 Integrated Introduction to Computer Science Fisler, Nelson Lecture 13: Dynamic Programming Part 2 10:00 AM, Feb 23, 2018 Contents 1 Holidays 1 1.1 Halloween..........................................

More information

UNIVERSITY OF CALGARY. A Method for Stationary Analysis and Control during Transience in Multi-State Stochastic. Manufacturing Systems

UNIVERSITY OF CALGARY. A Method for Stationary Analysis and Control during Transience in Multi-State Stochastic. Manufacturing Systems UNIVERSITY OF CALGARY A Method for Stationary Analysis and Control during Transience in Multi-State Stochastic Manufacturing Systems by Alireza Fazlirad A THESIS SUBMITTED TO THE FACULTY OF GRADUATE STUDIES

More information

Ahmed Nazeem, Spyros Reveliotis, Yin Wang and Stéphane Lafortune. 1 All technical concepts are defined more systematically in subsequent parts of

Ahmed Nazeem, Spyros Reveliotis, Yin Wang and Stéphane Lafortune. 1 All technical concepts are defined more systematically in subsequent parts of Designing compact and maimally permissive deadlock avoidance policies for comple resource allocation systems through classification theory: the linear case Ahmed Nazeem, Spyros Reveliotis, Yin Wang and

More information

CSE 4201, Ch. 6. Storage Systems. Hennessy and Patterson

CSE 4201, Ch. 6. Storage Systems. Hennessy and Patterson CSE 4201, Ch. 6 Storage Systems Hennessy and Patterson Challenge to the Disk The graveyard is full of suitors Ever heard of Bubble Memory? There are some technologies that refuse to die (silicon, copper...).

More information

STAT T&E COE-Report Reliability Test Planning for Mean Time Between Failures. Best Practice. Authored by: Jennifer Kensler, PhD STAT T&E COE

STAT T&E COE-Report Reliability Test Planning for Mean Time Between Failures. Best Practice. Authored by: Jennifer Kensler, PhD STAT T&E COE Reliability est Planning for Mean ime Between Failures Best Practice Authored by: Jennifer Kensler, PhD SA &E COE March 21, 2014 he goal of the SA &E COE is to assist in developing rigorous, defensible

More information

Supervisory Control of Petri Nets with. Uncontrollable/Unobservable Transitions. John O. Moody and Panos J. Antsaklis

Supervisory Control of Petri Nets with. Uncontrollable/Unobservable Transitions. John O. Moody and Panos J. Antsaklis Supervisory Control of Petri Nets with Uncontrollable/Unobservable Transitions John O. Moody and Panos J. Antsaklis Department of Electrical Engineering University of Notre Dame, Notre Dame, IN 46556 USA

More information

Recoverable Robustness in Scheduling Problems

Recoverable Robustness in Scheduling Problems Master Thesis Computing Science Recoverable Robustness in Scheduling Problems Author: J.M.J. Stoef (3470997) J.M.J.Stoef@uu.nl Supervisors: dr. J.A. Hoogeveen J.A.Hoogeveen@uu.nl dr. ir. J.M. van den Akker

More information

How to deal with uncertainties and dynamicity?

How to deal with uncertainties and dynamicity? How to deal with uncertainties and dynamicity? http://graal.ens-lyon.fr/ lmarchal/scheduling/ 19 novembre 2012 1/ 37 Outline 1 Sensitivity and Robustness 2 Analyzing the sensitivity : the case of Backfilling

More information

CITY OF BEAVER DAM SNOW & ICE REMOVAL POLICY

CITY OF BEAVER DAM SNOW & ICE REMOVAL POLICY CITY OF BEAVER DAM SNOW & ICE REMOVAL POLICY Revised January, 2016 Approved by Operations Committee: February 1, 2016 This snow and ice removal policy guides Public Works personnel with deicing, plowing,

More information

FINAL EXAM PRACTICE PROBLEMS CMSC 451 (Spring 2016)

FINAL EXAM PRACTICE PROBLEMS CMSC 451 (Spring 2016) FINAL EXAM PRACTICE PROBLEMS CMSC 451 (Spring 2016) The final exam will be on Thursday, May 12, from 8:00 10:00 am, at our regular class location (CSI 2117). It will be closed-book and closed-notes, except

More information

Adam Caromicoli. Alan S. Willsky 1. Stanley B. Gershwin 2. Abstract

Adam Caromicoli. Alan S. Willsky 1. Stanley B. Gershwin 2. Abstract December 1987 LIDS-P-1727 MULTIPLE TIME SCALE ANALYSIS OF MANUFACTURING SYSTEMS Adam Caromicoli Alan S. Willsky 1 Stanley B. Gershwin 2 Abstract In this paper we use results on the aggregation of singularly

More information

Embedded Systems Development

Embedded Systems Development Embedded Systems Development Lecture 3 Real-Time Scheduling Dr. Daniel Kästner AbsInt Angewandte Informatik GmbH kaestner@absint.com Model-based Software Development Generator Lustre programs Esterel programs

More information