Partial-Order Reduction for Supervisory Controller Synthesis

—A key challenge in the synthesis and subsequent analysis of supervisory controllers is the impact of state-space explosion caused by concurrency. The main bottleneck is often the memory needed to store the composition of plant and requirement automata and the resulting supervisor. Partial-order reduction (POR) is a well-established technique that alleviates this issue in the ﬁeld of model checking. It does so by exploiting redundancy in the model with respect to the properties of interest. For controller synthesis, the functional properties of interest are nonblockingness, controllability, and least-restrictiveness, but also performance properties, such as throughput and latency are of interest. We propose an on-the-ﬂy POR on the input model that preserves both functional and performance properties in the synthesized supervisory controller. This improves the scalability of the synthesis (and any subsequent performance analysis). Synthesis experiments show the effectiveness of the POR on a set of realistic manufacturing system models.

below) of the resulting supervisor [1], [2]. A disadvantage of this synthesis is its limited scalability, caused by the memory complexity of O(|Q P | 2 · |Σ|) [1], [3], where Q P is the set of specification states of the combined plant and requirement automata, and Σ is the set of events. The memory needed to store the full state space often becomes a bottleneck [4]. The size of the supervisor also directly impacts the efficiency of performance analysis, performed on the state space of the supervisor augmented with timing information.
An approach to improve the scalability of the synthesis and subsequent performance analysis is partial-order reduction (POR) [5], [6]. The idea of POR is to exploit redundancy in the network of automata to obtain a reduced composition, while preserving the properties of interest. In each state of the composite automaton, a subset of redundant-enabled transitions is removed, in turn, reducing the number of reachable states. Synthesis can then be performed on this smaller automaton leading to a smaller supervisor, and a smaller state space for performance analysis.
Our POR aims to preserve functional and performance aspects. As functional properties, we consider controllability, nonblockingness, and least-restrictiveness. The supervisor needs to be controllable with respect to the plant, meaning that it should not disable uncontrollable events. Further, the composition of the supervisor with the plant, the controlled system, should be nonblocking, meaning that from every reachable state in the controlled system, a marked state can be reached. This typically indicates the completion of an operation. The supervisor is (non)blocking if the controlled system is (non)blocking [3]. Finally, the supervisor should be least-restrictive, meaning that it restricts the system as little as possible while still being controllable and nonblocking. As performance aspects, we consider throughput and latency. Throughput describes the system production rate, for example the number of products produced by the system per hour. Latency describes the temporal distance between certain events, for example the time between the start and end of processing a product. Fig. 1 shows the proposed POR approach. The system behavior is modeled by plant P, which is a composition of automata 1 P 1 · · · P k . Synthesis can be applied on P directly to obtain a supervisor A sup (an automaton). Alternatively, using POR, reduced plant P is computed on which synthesis can be applied to obtain a reduced supervisor A sup . The conditions on the reduction to P guarantee that the functional and performance properties of A sup are preserved in A sup , denoted A sup f,p A sup (defined precisely in Definition 25). This relation ensures that A sup is nonblocking if A sup is nonblocking, A sup is controllable with respect to P if A sup is controllable with respect to P, and A sup is least-restrictive to P under an adapted notion of least-restrictiveness (see Definition 10) that considers redundancy. The relation also guarantees that the performance aspects are preserved in the corresponding timed state spaces S sup and S sup , denoted S sup ≈ p S sup . We, moreover, provide a concrete POR algorithm (Algorithm 1) that gives a valid on-the-fly reduction to compute reduced plant P during composition.
The proposed POR extends the POR introduced in [8] for the performance analysis of timed systems. We consider controller synthesis and the preservation of both functional and performance properties during synthesis. An integrated overview of both approaches can be found in [9].
We follow [10] by taking system activities as the events in our models. An activity captures a functionally deterministic part of the system behavior, consisting of low-level actions operating on system resources and (acyclic) precedences between those actions. An activity may, for example, correspond to moving a robot arm from one specified position to another position, consisting of several actions on one or more motor resources in a specific order. Actions of different activities may not interfere with each other except through resource claims and releases. During the execution of an activity, the relevant resources are claimed and no interference on these resources is possible. Resources are assigned to activities in the order in which activities are executed. Activities that use different sets of resources may execute concurrently. Activities can then be treated as atomic events, abstracting from the execution orders of activity-internal concurrent actions. As shown in [10], this improves the scalability of controller synthesis.
Various well-known ways to capture the timing behavior of supervisory controllers are real-valued clocks as used in timed automata [11], discrete-valued clocks as used in tick-based models [12], and (max,+) algebra [13]- [15]. We use (max,+) algebra (see for instance [16]), which fits naturally with the notion of activities. A (max,+) timing matrix expresses the relation between the availability times of the system resources and the release times of the resources after executing an activity. Such a (max,+) timing model enables efficient performance analysis [15]. Supervisor synthesis on (max,+) automata with activities can be done without considering their timing because activities can be treated as atomic events. Given the supervisor and the timing matrices of the activities, a timed (max,+) state space can be computed that provides the necessary timing information to evaluate system throughput and latency. Our POR technique improves the scalability of the supervisor synthesis. It preserves both functional and performance properties, which in turn improves scalability of any subsequent performance analysis. Our POR technique can also be used on conventional finite-state automata with events, by assuming activities do not claim or release resources and are assigned the empty 0 × 0 (max,+) timing matrix (implying that they are timeless).
The rest of this article is organized as follows. Section II introduces the modeling framework. Section III defines the functional and performance aspects considered in the POR. Section IV introduces performance equivalence of timed state spaces. Section V defines the POR conditions and shows that these conditions preserve the desired aspects. Section VI introduces an on-the-fly reduction that uses local conditions to compute a reduced automaton directly from a composition of automata. The experimental evaluation in Section VII shows the effectiveness of our POR technique. Related work is described in Section VIII. Finally, Section IX concludes this article.

II. MODELING
Consider a running example with activities A, B, C, D, E, and U . To capture all possible activity orderings in the system, we use (max,+) automata. A (max,+) automaton is a conventional finite-state automaton, where the timing semantics of each activity is described by a (max,+) matrix, as explained in the following. The (max,+) automata of the running example are shown in Fig. 2. We use a representation of (max,+) automata that extends the definition of [15] with rewards, and we restrict ourselves to a setting with deterministic (max,+) automata. This corresponds to the construction discussed in Section VI in [15], in which a regular language constraining the possible sequences of events is combined with a (max,+) automaton defining the timing constraints of the events using the Hadamard product. In our representation, the automata encode the possible sequences of activities (the regular language of events), and the timing constraints are encoded using the classical matrix representation of (max,+) automata.
Definition 1 ((Max,+) Automaton (Adapted from [15])): A (max,+) automaton A is a tuple S,ŝ, S m , Act, reward, M, T , where S is a finite set of states,ŝ ∈ S is the initial state, S m ⊆ S is the set of marked states, Act is a nonempty set of activities, reward : Act → R ≥0 quantifies the progress per activity, M maps each activity to its associated (max,+) matrix, and T ⊆ S × Act × S is the transition relation. We assume that A is deterministic; for any s, s, s ∈ S and A ∈ Act, s, A, s ∈ T and s, A, s ∈ T imply s = s .
Both plants and supervisors are described as (max,+) automata. Marked states define a notion of completion of the plant for supervisor synthesis, as illustrated in the following.
Let set Act * contain all finite strings over Act, including the empty string ε. We write s 1 → A s 2 if s 1 , A, s 2 ∈ T . The transition relation is extended to Act * in the relation → * by letting s → ε * s for all s ∈ S, and for all α ∈ Act * , A ∈ Act, s, s ∈ S, and s → αA * s if s → αA * s and s → A s for some A possible behavior of an automaton is described in a path. A(n) (in)finite path p of A is a(n) (in)finite, alternating sequence of states and activities: Definition 2 (Synchronous Composition of (Max,+) Automata): Given automata A 1 = S 1 ,ŝ 1 , S m 1 , Act 1 , reward 1 , M 1 , T 1 and Fig. 2(e) shows the synchronous composition of P 1 P 2 P 3 P 4 (composition is associative). An activity is disabled in a state, if it is disabled in the current state of one of the automata that has the activity in its alphabet. For example, D is initially disabled because plant P 3 initially disables activity D. The synchronous composition of deterministic automata is again deterministic. Activities abstract from low-level activity-internal action executions. For our intended supervisor synthesis and performance analysis, we only need the timing of the claims and releases of resources. So we abstract from the low-level actions. The (max,+) matrices of the activities of the running example are shown in Fig. 3. Each matrix row represents the release time of a resource in terms of all the availability times of resources. To illustrate, consider matrix M A of activity A. The first row describes the release time of resource r 1 in terms of when resources r 1 , r 2 , and r 3 are available at the start of executing A. The execution of A implies a time delay of 4 time units between the claiming of r 1 and its subsequent release. Similarly, a delay of 5 occurs between the claiming of r 2 and the release of r 1 . There is no dependency on the availability of r 3 , indicated by −∞. We define a (global) resource set Res = {r i | 1 ≤ i ≤ s}, where s is the size of the matrices. In our running example, we have Res = {r 1 , r 2 , r 3 }. Function R maps each activity to the set of resources used. For activity A with (max, Fig. 3, R(B) = {r 1 , r 2 }. As r 3 ∈ R(B), r 3 does not influence the result of multiplying a vector with M B .
The two essential characteristics in an activity execution are synchronization; for example, when an action needs to wait until resources are available, and delay, to model the execution time of actions on resources. These characteristics correspond to the (max,+) operators maximum (max) and addition (+), defined over the set R −∞ = R ∪ {−∞}. These operators are defined as usual, with the additional convention that −∞ is Resource availability times are captured in a (max,+) vector, typically denoted γ. Given such a resource availability vector, we obtain the new resource availability vector after executing an activity by multiplying it with the corresponding (max,+) matrix. Timing evolution is, therefore, expressed using (max,+) vector-matrix multiplication. When all resources are initially available at time 0, captured in vector 0, the new availability times of the resources after executing A are computed as follows: Resources r 1 and r 2 are available again after 5 and 3 time units, respectively. Resource r 3 is not present in R(A), but a row is present for r 3 to carry over its time stamp. Its availability time stays 0, since it is not used by A. The timing semantics of an activity sequence is defined in terms of repeated matrix multiplication. For example, the resource availability after executing activity sequence ABC given vector 0 (see Fig. 4 6,4] . This representation of activity timing generalizes the well-known heapsof-pieces model [17], [18], where pieces have a rigid structure (i.e., have a fixed shape). In our approach, however, the (max,+) matrices encode flexible pieces, as illustrated in Fig. 4

for A.
We define the input model for our POR as a composition of (max,+) automata. The composition of all the individual automata is again an automaton. We assume that the matrices of the constituent automata all have the same size to ensure that they can be multiplied. Additional resources can be added to a matrix by adding a new row and column for the resource and having −∞ in all the new positions, except on the diagonal where the value is 0.
Definition 3 ((Max,+) Timed System): A (max,+) timed system M is described by M = A 1 · · · A n with (max,+) au- We assume that all matrices have size |Res| × |Res| and that for all 1 ≤ i, j ≤ n and each activity A ∈ Act i ∩ Act j , A (max,+) automaton can be interpreted as a normalized (max, +) state space that captures each path of the automaton as a run, and contains all the necessary information for evaluation of performance properties. The state space records normalized resource availability vectors, with transitions between them. Each configuration c = s, γ in the state space consists of a state s of the (max,+) automaton and a normalized resource availability vector γ. Fig. 6 shows the normalized (max,+) state spaced of a simplified running example, discussed in more detail in the following.
Definition 4 (Normalized (Max,+) State Space (Adapted from [19])): Given (max,+) automaton A = S,ŝ, S m , Act, reward, M , T with matrices of size |Res| × |Res|, we define the normalized (max, +) state space S = C,ĉ, Act, Δ, M, w 1 , w 2 as follows: 1) set C = S × R −∞ |Res| of configurations; 2) initial configurationĉ = ŝ, 0 ; 3) labeled transition relation Δ ⊆ C × Act × C that consists of the transitions in the set . . c j from configuration c i up to c j , and ρ[i] = c i . Vectorγ n = ( n k=1 M (A k )) ⊗ 0 gives the resulting resource availability vector after executing activities A 1 · · · A n (without normalization). It can be derived from the normalized (max,+) state space through summation of encountered w 2 values and the final normalized vector.
Proposition 5: Let S be a normalized (max,+) state space with run ρ such that c i = s i , γ i for each i. Then, for all n ≥ 0, γ n = n−1 k=0 w 2 (c k , A k+1 , c k+1 ) + γ n . Proof: Proved with induction over n using Definition 4 and the property that c + M ⊗ γ = M ⊗ (γ + c) given a constant c, matrix M , and vector γ. In the remainder, we restrict ourselves to the reachable part of the normalized (max,+) state space, and we assume that this is finite. The reachable part might be infinite [19]. It is guaranteed to be finite, however, if for each simple cycle (no repetition of transitions is allowed) in the (max,+) automaton with corresponding activity sequence A 1 . . . A k , the matrix M A k ⊗ . . . ⊗ M A 1 is irreducible. This can be practically verified in polynomial time by finding the simple cycles [20] and checking that the corresponding matrices have no entries −∞. Practically, this means that the claim of each resource is linked to the claim of each other resource via the resource dependencies over each cycle in the automaton. In practical systems, resources typically do not operate fully independently.

III. PROPERTIES TO BE PRESERVED
In this section, we introduce the properties that we want to preserve: controllability, nonblockingness, and least-restrictiveness as functional properties, and latency and throughput as performance properties.

A. Controllability, Nonblockingness, and Least-Restrictiveness
In supervisory control, the activity alphabet Act is partitioned into set Act c of controllable activities and set Act u of uncontrollable activities. In the running example, A, B, C, D, and E are controllable and U is uncontrollable.
To define least-restrictiveness, we need the notions of subautomata and union of automata. A subautomaton is obtained as a reduction of a given (max,+) automaton, where a subset of the states and transitions is preserved.
2} be two (max,+) automata with the same alphabet Act (and derived reward function and timing matrices) and initial stateŝ.
The latter ensures that marking in A 1 is consistent with marking in A 2 .
Definition 7 (Union of (Max,+) Automata): be a set of automata all having the same activity alphabet, reward function, timing matrices, and initial state. The union of these (max,+) automata is defined as The behavior of an uncontrolled system is represented by a plant P. A supervisor A sup is added to ensure that the controlled system, formed by P A sup , is nonblocking [1].
Plant P in Fig. 2(e) is blocking, since states s 10 , s 11 , s 12 , and s 13 are blocking. A sup in Fig. 2(f) is nonblocking, as it is always possible to return to s 8 . This shows how marked states can be used to ensure a notion of completion.
We assume that A sup P, since the computed supervisor is often a restriction of the plant by disabling transitions that lead to undesired behavior, violating the nonblocking requirement or the controllability requirement, defined in the following. Since A sup P, P A sup = A sup , which means that P A sup is nonblocking iff A sup is nonblocking.
A supervisor is required to be controllable with respect to the plant it needs to control, such that it does not disable any uncontrollable activity that the plant defines in any state reachable in the controlled system. Definition 9 (Controllability): Let P = S P ,ŝ P , S m P , Act P , reward P , M P , T P and A is controllable with respect to P iff, for every string α ∈ (Act P ∪ Act A ) * , every state s ∈ S A , and every U ∈ Act u such thatŝ A → α * A s andŝ P → αU * P s for some s ∈ S P , it holds that s → U A s for some s ∈ S A . Any state s of A that satisfies this property is called a controllable state; otherwise, it is uncontrollable.
As an example, consider string CABE and path Fig. 2(f). In plant P, the execution of string CABE leads to state s 9 . In state s 9 in P, uncontrollable activity U is enabled. In A sup , activity U is also present in state s 9 in A sup . Since this also holds for the other strings and uncontrollable activities, A sup is controllable with respect to P.
The union of controllable and nonblocking subautomata of a given automaton is again controllable and nonblocking [7]. A subautomaton is least-restrictive iff it is the union of all the subautomata of P that satisfy both properties.
Definition 10 (Least-restrictiveness): Let A, A be (max,+) automata. Define predicate CN (A, A) to be true iff A A and A is nonblocking and controllable with respect to A. The supremal controllable and nonblocking subautomaton of A is Both A sup and A sup in Fig. 2(f) are nonblocking and controllable with respect to P. Given P, calculating A sup = supCN (P) is called synthesis. Synthesis algorithms implement fixed-point computations [1], [2], where in each iteration bad states are removed. Bad states are those states that are blocking or that lead to a blocking state through uncontrollable activities. These bad states are identified and removed iteratively, until no more such states remain in the resulting supervisor.

B. Throughput and Latency
The performance of a supervisor is quantified using throughput and latency metrics, defined on the corresponding normalized (max,+) state space. Throughput is defined as the ratio between the cumulative reward and the cumulative execution time of a run. For throughput analysis, we only consider infinite runs. Latency is the temporal distance that separates the resource availability times of a resource at the start of two activity instances in a run. Latency analysis can be performed on both finite and infinite runs. For readability, we assume for performance analysis that a supervisor is total, meaning that each reachable state has at least one outgoing transition. A nontotal supervisor has a throughput lower bound of zero. The presented latency analysis applies to nontotal supervisors as well. As supervisor synthesis guarantees that from each state a marked state is reachable, the supervisor is total if each marked state has at least one outgoing transition. A total supervisor can be seen as an ω-automaton [21] accepting infinite words over Act. There are no specific acceptance conditions, so any infinite word starting in the initial state is accepted. Marked states are not used to define acceptance conditions. For the performance analysis of a supervisor, all infinite runs in the timed states space S are considered, contained in set R(S).
We define throughput of a run as the ratio between the cumulative reward (sum of w 1 weights) and the cumulative execution time (sum of w 2 weights).
Definition 11 (Throughput): The ratio of a run (fragment) . is the ratio of the sums of weights w 1 and w 2 , defined as follows: The throughput guarantee corresponds to the minimum ratio value achieved by any of those runs: Since the reachable part of S is finite, infinite runs pass recurrent configurations infinitely often. Thus, infinite runs are composed of simple cycles of the state space. The minimum ratio value of the state space is, hence, determined by the simple cycle with the lowest ratio value, since this behavior can be continuously repeated in a run. This cycle, thus, provides a lower bound on the throughput (hence, a throughput guarantee). Since S has a finite number of simple cycles, we can determine the minimum ratio value of the graph from a minimum cycle ratio (MCR) analysis [22]. To illustrate the MCR, consider the normalized (max,+) state space shown in Fig. 6, obtained from the composition of plants P 1 ,P 2 , andP 3 shown in Fig. 5. We use this small model such that we can show the full (max,+) state space. In this state space, activities A, B, and D have reward 0 (weight w 1 ), and activity C has reward 1. Then, the MCR is 1/8, with a total reward of 1 and a total execution time of 8, which can for instance be found in the cycle corresponding to the execution of (CBAD) ω : In this cycle, the first transition represents the execution of Latency is the time delay between a stimulus and its effect. A well-known related notion in the field of production systems is makespan, where the stimulus is the start of the schedule and the effect is the completion of the product. In the context of (max,+) timed systems, we define latency in terms of the temporal distance that separates the resource availability times of a resource at a designated source activity A src and sink activity A snk . In the state space, consider some We define the start-to-start latency λ between the resource availability times of resource r in γ i and γ j as As an example, consider the execution of activity sequence ACB starting from the initial configuration in the normalized (max,+) state space shown in Fig. 6. This corresponds to run fragment ρ = Say that we want to compute the start-to-start latency between the resource availability times of r 2 inγ 0 (start of activity A) and inγ 2 (start of activity B). First, we compute the vectors without normalization from the state space using Proposition 5 to find γ 0 = γ 0 andγ 2 = [5, 3,4] . Then, we compute the latency We assume that the occurrences of A src and A snk activities are related. In any run, for any k ≥ 1, the kth occurrence of A src is paired with the kth occurrence of A snk . We refer to such a pair of related activities as a source-sink pair. Let getOccurrence(ρ, A, k) denote the index of the kth occurrence of activity A in run ρ. The start-to-start latency for resource r in ρ with source-sink pair A i+1 = A src and A j+1 = A snk in run fragment ρ[i, j + 1] is equal to λ(ρ, i, j, r). The maximum start-to-start latency in a run is obtained by looking at all source-sink pairs Definition 13 (Latency): Given normalized (max,+) state space S, the maximum start-to-start latency of S with resource r and source-sink pair A src , A snk is found by taking the maximum latency over all runs in the state space

IV. STATE-SPACE PERFORMANCE EQUIVALENCE
The performance of the supervisory controller is analyzed on the corresponding normalized (max,+) state space. In our POR, we ensure that performance properties are preserved in the normalized (max,+) state space of the reduced supervisor. We capture this preservation in the notion of state-space performance equivalence. Throughput and latency are both expressed in terms of runs in the state space. We introduce the notion of equivalent runs that have the same ratio value (Definition 11). We show that equivalent runs have the same throughput and latency values. In Section V, we show that our POR preserves equivalent runs in the corresponding normalized (max,+) state spaces, thereby preserving performance properties.
A state space may have multiple equivalent runs with the same ratio value caused by the interleaving of ratio-independent activities that have no mutual influence. Such runs have the same throughput and latency values, as shown in the following. The first property of ratio-independent activities, say A and B, is the classical notion of independence: in every configuration where A and B are both enabled, the execution of one activity cannot disable the other activity, and the resulting configuration after executing both activities in any order is the same. The second property requires that the summed weights w 1 and w 2 of the corresponding transitions of A and B are the same. The third property requires that A and B do not share resources. As an example, consider the initial configuration in Fig. 6, where activities A and C are ratio-independent. To illustrate, consider configuration c 0 = s1, 0 in the state space shown in Fig. 6. Activities A and B are ratio-dependent in c 0 (they do not satisfy condition 1 in Definition 15) and ratioindependent with activity C.
To formalize the equivalence on runs, we first define the equivalence of run prefixes. Two run prefixes are equivalent iff their corresponding activity sequences can be obtained from each other by repeatedly commuting adjacent ratio-independent activities. Given prefix ρ[. . Definition 16 (String Equivalence): Let S = C,ĉ, Act, Δ, M, w 1 , w 2 be a normalized (max,+) state space. Strings α, β ∈ Act * are equivalent [24] in a configuration c, denoted α ≡ c β, iff there exists a list of strings υ 0 , υ 1 , . . . , υ n , where υ 0 = α, υ n = β, and for each 0 ≤ i < n, υ i =ῡABυ and υ i+1 =ῡBAυ for someῡ,υ ∈ Act * and A, B ∈ Act such that A and B are ratioindependent inῡ(c). Throughput is defined as a limit on prefix ratios of infinite runs. To define equivalence of runs in terms of throughput, we need to consider equivalent run prefixes (in the sense of Definition 17) with a bounded difference in the number of activities following those prefixes. This bounded difference ensures that the resulting weight difference can be ignored in the limit.
Definition 18 (Run Equivalence): Let ρ and σ be two runs in S = C,ĉ, Act, Δ, M, w 1 , w 2 . We define ρ σ iff there exists a d ∈ N such that for all n ≥ 0 it holds that ρ d n σ. We define ρ d n σ iff there exists some k ≥ n, a runρ ∈ R(S) with run prefixρ[.
Two finite runs ρ and σ are equivalent if ρ d n σ for 0 ≤ n ≤ |ρ| and σ d n ρ for 0 ≤ n ≤ |σ|, where d = max(|σ|, |ρ|). As an example, consider run ρ with activity sequence (ABCD) ω in the state space in Fig. 6. In this state space, we can also find run σ = (CABD) ω , which is equivalent because C is ratioindependent of A and B. The run should satisfy ρ d n σ for some d ∈ N and for all n ≥ 0. Consider the case for n = 2, shown in Fig. 7(a). Then, we need to match two (n) activities of ρ to the first two activities of σ. The prefix consisting of the first two activities of ρ, AB, is not a prefix of σ. In σ, independent activity C is performed first. Runρ, equivalent (in the sense of Definition 17) to ρ and identical to σ for n = 2 activities and d = 1, which can be constructed by moving C to the front. ρ and σ must be such that this can be done for any n ≥ 0. The general case is shown in Fig. 7(b). It is crucial for the preservation of throughput that the length k that one needs to consider in ρ to find the first n activities of σ exceeds n by maximally a finite amount d, independent of n.
The property that equivalent runs have the same throughput and latency values was stated in [8] without proof. It is included here with proof for completeness purposes.
Proof: By Definition 18, for each prefix in one run we can match a (possibly) shorter prefix in the other run. The difference between the prefixes is a suffix α bounded in length by d.
For throughput preservation, observe that the maximum weight difference between the prefixes for both weights w 1 and w 2 is bounded by the maximum cumulative sum of the weights w 1 and w 2 of α. By Proposition 12, it suffices to consider the maximum cumulative weights w 1 and w 2 over all simple cycles in the state space to determine the maximum cumulative sum for α for both weights. In the limit, a bounded weight difference can be ignored. Therefore, ρ and σ have the same ratio value, and consequently also the same throughput value.
The maximum latency in a run between A src and A snk on resource r is determined by some source-sink occurrence pair. The prefixes of ρ and σ are matched by swapping the ratioindependent activities. Given condition 3 of Definition 15, the source and sink activity can only be part of swaps where the resource availability time of r is not affected. These swaps thus do not affect the latency value for the source-sink occurrence pair, and hence, ρ and σ have the same maximum latency.

V. (MAX,+) AUTOMATON REDUCTION
In the previous section, we defined when two state spaces are performance-equivalent, preserving throughput and latency aspects. We proceed to define POR conditions at the level of a (max,+) automaton, which ensure that functional properties are preserved during synthesis and that the corresponding state spaces of the supervisor and reduced supervisor are performance-equivalent.
To reuse existing POR techniques, we want to remove the need to identify the marked states with special set S m . We add a self-loop with a special controllable activity ω to marked states. Nonblockingness of A can then be replaced by the notion of ω-reachability of the resulting automaton A ω . The fact that A is nonblocking iff A ω is ω-reachable follows directly from the definitions.
Definition 20 (ω-Reachability): Let A = S,ŝ, S m , Act, reward, M, T be a (max,+) automaton. The ω-extension of A is the automaton A ω is ω-reachable iff from each reachable state s ∈ S (i.e.,ŝ → * s) a state s ω is reachable in which ω is enabled.
We want to exploit redundancy in the plant to obtain a reduced plant while preserving the properties of interest. Part of the redundancy is caused by the interleaving of activities that have no mutual influence on these properties. Such activities are referred to as uncontrollable-independent. Two activities A and B are uncontrollable-independent in state s if (i) they are independent in the classical sense, no uncontrollable activities are enabled in any of the states s, A(s), B(s), and AB(s), and they do not share resources. Condition (ii) guarantees that uncontrollable activities do not influence the execution of both activities. It ensures that both the AB and BA paths are either preserved or removed during synthesis. The need for this condition is illustrated with Fig. 8. In the example, we have paths s 1 −→ BA * s 4 and s 1 −→ AB * s 4 in the full automaton, and we may only have path s 1 −→ AB * s 4 in the reduced automaton if the reduction considers both paths equivalent based on the independence of A and B. Synthesis on the reduced automaton yields an empty supervisor because state s 2 leads to blocking state s 5 via uncontrollable activity U . Synthesis on the full automaton yields a nonempty supervisor. Although in states s 1 , s 2 , s 3 , and s 4 , the same uncontrollable activity U is enabled, only in state s 2 it takes the system to a blocking state. Therefore, both paths cannot be considered equivalent and activities A and B cannot be considered uncontrollable-independent. Condition (iii) guarantees that the activities have no mutual influence on their timing behavior. Two activities are uncontrollable-dependent in s iff they are not uncontrollable-independent in s.
As an example, consider state s 1 in P shown in Fig. 2(e). Here, activities A and B are uncontrollable-dependent since they both use resources r 1 and r 2 (as shown in Fig. 3). They are uncontrollable-independent with activity C, since they do not share a resource, are independent, and do not enable an uncontrollable activity.
Uncontrollable-independence lifts the notion of ratioindependence to the level of a (max,+) automaton. If two activities A and B are uncontrollable-independent in some state in the (max,+) automaton, then they are also ratio-independent in the corresponding configurations in the underlying state space. As R(A) ∩ R(B) = ∅, their corresponding (max,+) matrices commute. As a result, the resulting normalized vector after multiplication is the same, and the sum of the weights w 1 and w 2 is the same, independent of the execution order.
Two paths in a (max,+) automaton are equivalent iff they can be obtained from each other by repeatedly commuting adjacent uncontrollable-independent activities.
A reduction of a (max,+) automaton is defined as follows.

Definition 23 ((Max,+)-Automaton Reduction Function):
A reduction function reduce for a (max,+) automaton A = S,ŝ, S m , Act, reward, M, T is a mapping from S to 2 Act such that reduce(s) ⊆ enabled(s) for each state s ∈ S. We define the reduction of A induced by reduce as the smallest (max,+) automaton A = S, ŝ, S m , Act, reward, M, T that satisfies the following conditions: 2) for every s ∈ S and A ∈ reduce(s), s, A, A(s) ∈ T . A reduction on plant P gives a reduced plant P , as shown in Fig. 2(e). The supervisor A sup synthesized for P will typically not be least-restrictive with respect to P. Therefore, we introduce a new notion of reduced least-restrictiveness that defines that an equivalent path in P is preserved for each path in P to a marked state.

Definition 24 (Reduced Least-Restrictiveness): Let
In our running example, A sup is reduced least-restrictive with respect to A sup , since it preserves a representative path to the marked state s 8 for all pruned paths.
We apply POR to obtain P from P. After synthesis we have supervisors A sup = supCN (P) and A sup = supCN (P ). Reduced supervisor A sup should preserve the functional aspects and performance aspects of supervisor A sup , defined by A sup f,p A sup .
Definition 25: Let P be a plant and A sup and A sup be supervisors for P. Let S and S be the corresponding normalized (max,+) state spaces of A sup and A sup . We define A sup f,p A sup iff 1) A sup is nonblocking, then A sup is nonblocking, 2) A sup is controllable w.r.t. P, then A sup is controllable w.r.t. P, 3) A sup is reduced least-restrictive w.r.t. A sup , and 4) S ≈ p S.  if enabled(AB(s)) ∩ Act u = ∅, then A ∈ ample(s) ⇔ B ∈ ample(s). We refer to set ample(s) for any state s as an ample set. Condition (A1) ensures that deadlock-freedom is preserved. Condition (A2) ensures that starting from some state s, any activity in ample(s) remains enabled as long as no activity in ample(s) has been executed. Condition (A3) ensures that all uncontrollable activities in the enabled set remain in the ample set to avoid that they become disabled by the reduction. Condition (A4) ensures that in the reduced automaton marked states can still be identified. Note that ω acts like an uncontrollable activity, since it must remain in the ample set. We have chosen it to be controllable, however, as we do not want ω to have an impact on conditions (A5.1) and (A5.2), and subsequently on the reductions that can be achieved. Condition (A2) ensures that an equivalent path for any path to a marked state, where ω is enabled, is preserved in the reduced plant. Conditions (A5.1) and (A5.2) ensure that if a path to a marked state is present in the supervisor, then an equivalent path is also present in the reduced supervisor.
To illustrate the need for conditions (A5.1) and (A5.2), consider the plants shown in Fig. 9. Fig. 9(a) shows plant P 1 , where the reduction satisfies conditions (A1) till (A4) and (A5.2), but not (A5.1). Condition (A5.1) is not satisfied, since uncontrollable activity U is enabled after A, but ample(s 1 ) = enabled(s 1 ). Synthesis on P 1 yields an empty supervisor, whereas synthesis on P 1 yields a supervisor with path s −→ BA * s 4 to marked state s 4 . If condition (A5.1) is satisfied, both A and B are in the ample set of s 1 . This is needed since state s 2 becomes a bad state during synthesis, and the alternative path to s 4 is then preserved. To illustrate the need for condition (A5.2) consider plant P 2 shown in Fig. 9(b). Here, the reduction yielding P 2 satisfies conditions (A1) till (A5.1), but not condition (A5.2); activity U ∈ enabled(BC(s 1 )), but only C is present in ample(s 1 ), and not B. The result after synthesis on P 2 contains the paths s 1 → A s 2 → B s 4 → C s 8 and s 1 → B s 3 → A s 4 → C s 8 , whereas synthesis on the reduced plant P 2 yields an empty supervisor since states s 9 and s 10 are not marked.
We now prove the main result that synthesis after reduction preserves both functional and performance aspects.
Theorem 27: Let P be a plant, and P the reduced plant obtained from an ample reduction. Then, supCN (P ) f,p supCN (P).
Proof: Let A sup = supCN (P ) and A sup = supCN (P). To show that A sup f,p A sup , we need to prove the four conditions as stated in Definition 25.

3) Reduced least-restrictiveness:
We need to show that supCN (P ) supCN (P) and that for each path p to a marked state in supCN (P), supCN (P ) has a path p to a marked state in supCN (P ) that is equivalent to p. First, we show that supCN (P ) supCN (P). By induction on the iterations of the synthesis algorithm given in [2], we can show that states of P are bad in iteration k of synthesis on P if and only if those states are bad in iteration k of synthesis on P. Consequently, since P P, also supCN (P ) supCN (P). Second, we show that a path p exists in supCN (P ) equivalent to p. As supCN (P) P, by our assumption below Definition 8, p is also a path in P. By structural induction, we can find an equivalent path p in P . In each step, we reorder uncontrollable-independent activities in p to extend the prefix of p , in the end obtaining path p . To prove that p is also a path in supCN (P ), we assume toward a contradiction that path p is not preserved in supCN (P ). Assuming that p is not in supCN (P ), there must be a state on p that turns bad during synthesis. Path p is also a path in P, as P P. The earlier observation that states of P are bad in iteration k of synthesis on P if and only if those states are bad in iteration k of synthesis on P implies that p is also not in supCN (P). Path p is obtained from p by swapping uncontrollable-independent activities. By induction on the number of swaps to obtain a path from an equivalent one, it can be shown that synthesis preserves equivalent paths. The key observation is that a swap of two uncontrollable-independent activities preserves bad states (via condition 2 of Definition 21). Given that p is not in supCN (P), and p and p being equivalent, this implies that also p is not in supCN (P), which contradicts our initial assumption. Therefore, p must be present in supCN (P ), showing reduced leastrestrictiveness of supCN (P ). 4) Performance: Let S and S be the state spaces of supCN (P) and supCN (P ), respectively. We first observe that any run of S is also a run of S. This follows from the fact that supCN (P ) supCN (P). Thus, S does not introduce any new ratio or latency values not also present in S. Second, we show that there is a run in S with the worst-case throughput (ratio value) of S . Finally, we show that for any run in S with maximum latency, there is a run with the same latency value in S .

B. Latency
The maximum latency between source activity A src and sink activity A snk for resource r is determined by some sourcesink occurrence pair in some run ρ in S. Let prefix ρ[. . . m], for some m, with Act(ρ[. . . m]) = α 1 · A src · α 2 · A snk contain this occurrence pair. ρ[. . . m] corresponds to a path p in supCN (P) with Act(p) = Act(ρ[. . . m]). We can extend p to pathp with Act(p) = Act(p) · α 3 such thatp leads to a marked state. By reduced least-restrictiveness of supCN (P ), for each such path, there exists an equivalent pathp with Act(p ) ≡ŝ ,u Act(p), whereŝ is the initial state in P and P. Pathp can be obtained fromp by swapping uncontrollableindependent activities such that Act(p ) = β 1 · A src · β 2 · A snk · β 3 . As uncontrollable-independence in the automaton implies ratio-independence in the state space, we obtain a run ρ in S such that Act(ρ [. . . m ]) = Act(p ) ≡ĉ Act(ρ[. . . m]) · α 3 . Note that pathp can always be extended to an infinite run, because it ends in a marked state having an ω-self loop. Activities A src and A snk can only be a part of a swap where the resource availability time of r is not affected (as explained in the proof of Proposition 19). Hence, the latency of this occurrence is identical to the one in ρ. Given the assumption that the latency value of the considered source-sink occurrence pair in ρ is the maximum value in S and since S does not introduce new latency values, the latency value of ρ must be the same worst-case value as the latency value of ρ.

VI. ON-THE-FLY REDUCTION
Section V gives sufficient conditions for a reduction function on a single (max,+) automaton to preserve functional and performance properties. For an efficient reduction, we avoid first computing the full composition of the (max,+) automata. Rather, we use sufficient local conditions on the network of (max,+) automata to compute a reduced composition on-the-fly. Given (max,+) timed system M = A 1 · · · A n and A = {A i | 1 ≤ i ≤ n}, the ample function selects a set ample(s) in each state s of the composition, such that conditions (A1) till (A5) are met. The ample set is induced by a cluster C ⊆ A, and computed as ample(s) = enabled C (s) = enabled(s) ∩ Act(C), where Act(C) = A i ∈C Act i and Act i is the alphabet of (max,+) automaton A i . This cluster-inspired ample approach, based on [23], is a generalization of the traditional on-the-fly method of Peled [5] that selects the enabled activities enabled i (s) = enabled(s) ∩ Act i of one (max,+) automaton A i as ample set, if possible, while exploring a state s = s 1 , s 2 , . . . , s n . If this is not possible, all enabled activities in s are selected as ample set.
A cluster that ensures that the ample conditions are met is called a safe cluster. To consider the local state π C (s) in a cluster C ⊆ A, we define a projection π A c k } and c j < c j+1 for all 1 ≤ j < k.
Given local state π C (s), enabled(π C (s)) denotes the set of enabled activities in the composition of the (max,+) automata in C.
Note that enabled C (s) ⊆ enabled(π C (s)), since the latter might contain activities that are enabled in the local state of the clustercomposition A c 1 . . . A c k for cluster C = {A c 1 , . . . , A c k }, but disabled in the global composition due to a (max,+) automaton outside the cluster disabling the activity. We only consider independence of activities across (max,+) automata, and not within the same (max,+) automaton. The former can be checked locally, whereas the latter requires an exploration on the internal transition structure. We treat activities inside the same (max,+) automaton as dependent.
Definition 28 (Cluster Safety): Let C ⊆ A be any cluster, and s be a state in the composition of A. Cluster C is safe in s if the following conditions are satisfied: (C1) if enabled(s) = ∅, then enabled C (s) = ∅; (C2.1) for any A ∈ enabled C (s) and B ∈ Act(C), A and B are uncontrollable-independent; (C2.2) for any A ∈ enabled(π C (s)) ∩ Act i , (C5.1) if A ∈ enabled C (s) and enabled(A(s)) ∩ Act u = ∅, then enabled C (s) = enabled(s); (C5.2) for A, B ∈ enabled(s) if enabled(AB(s)) ∩ Act u = ∅, then A ∈ enabled C (s) ⇔ B ∈ enabled C (s). Condition (C2.2) requires that each activity in enabled(π C (s)) does not occur outside of the cluster. Together with (C2.1), this ensures that no activity A / ∈ enabled C (s), dependent on some activity in enabled C (s), becomes enabled by executing only activities outside the cluster. Condition (C3) ensures that uncontrollable activities are always preserved. Condition (C4) ensures that ω, if enabled, is preserved. Conditions (C5.1) and (C5.2) ensure that if a path to a marked state remains after synthesis on the full composition, then also an equivalent path remains after synthesis on the reduced composition. Note that C = A is a safe cluster in any state. We define a cluster-inspired ample reduction based on cluster safety on a (max,+) timed system.

Definition 29 (Cluster-Inspired Ample Reduction):
A clusterinspired ample reduction ample for a (max,+) timed system M = A 1 · · · A n is a mapping from S = S 1 × . . . × S n to 2 Act such that ample(s) for all states s ∈ S satisfies the following condition: (M1) ample(s) = enabled C (s), where C ⊆ A is safe in s. Theorem 30: Let P = A 1 · · · A n be a plant modeled as (max,+) timed system, and P be the (max,+) automaton obtained by a cluster-inspired ample reduction. Then, supCN (P ) f,p supCN (P).
Proof: Let ample be a cluster-inspired ample reduction. We show that ample satisfies the conditions of Definition 26. The result then immediately follows from Theorem 27.
Consider any state s in the composition of A 1 · · · A n . Let ample(s) = enabled C (s), where C is any safe cluster in s, satisfying condition (M1). Conditions (A1), (A3), (A4), (A5.1), and (A5.2) follow directly from (C1), (C3), (C4), (C5.1), and (C5.2). We prove (A2) by contraposition, for the case that enabled(s) = ∅. If enabled(s) = ∅, (A2) is trivially satisfied. Assume that (A2) does not hold. This means that there exists a finite path fragment p = s where A 1 . . . A n−1 are uncontrollable-independent with ample(s) = enabled C (s), and A n is uncontrollable-dependent with some activity in enabled C (s). Since A n is uncontrollable-dependent with some activity in enabled C (s), by (C2.1), A n ∈ Act(C). Moreover, we have A n / ∈ enabled C (s). Since activities A 1 , . . . , A n−1 are uncontrollable-independent with ample(s), A 1 , . . . , A n−1 ∈ Act(C), they do not affect the state of C, and therefore, π C (s) does not change in the first n − 1 steps. As A n ∈ enabled(s n−1 ), A n ∈ enabled(π C (s)). Since A n / ∈ enabled C (s), A n becomes enabled in π C (s) by executing one of the activities in set A 1 , . . . , A n−1 . Since A 1 , . . . , A n−1 are activities outside of C, there must be some A i with 1 ≤ i ≤ n − 1 that enabled A n , which can only happen if A n occurs outside of cluster C by definition of synchronous composition. This contradicts (C2.2).
In each composition state s, we compute a safe cluster starting from a candidate activity. To guarantee conditions (C5.1) and (C5.2), we check whether an activity A might enable an uncontrollable activity in enabled(A(s)) or enabled(AB(s)) for some uncontrollable-independent activity B. To avoid Algorithm 1: Algorithm To Compute A Safe Cluster. 1: Proc ComputeClusters, candidate 2: A ← candidate; C ← ∅; processed ← ∅ 3: if ω ∈ enabled(s) then 4: return A 5: for U ∈ enabled(s) ∩ Act u do 6: if A ∈ enabled(s) then 10: if A ∈ U then 11: return A 12: if B / ∈ Act(C) then 15: if processed = enabled(π C (s)) then

21:
A ← [enabled(π C (s)) \ processed].first() 22: else 23: A ← ⊥ 24: return C computing these enabled sets during the on-the-fly reduction, we introduce a new set U that can be generated a priori from the network of (max,+) automata. U contains all activities that enable (or do not disable) an uncontrollable activity in any of the automata The reduction is most effective if this set U is small, and not effective if it contains all activities. After executing some activity A ∈ U, an uncontrollable activity U might still be disabled by some other (max,+) automaton, even though A enables it locally, so C is conservative.
A safe cluster in a state s can be computed with Algorithm 1. In the algorithm, [A i | B ∈ Act i ] denotes a list comprehension that creates a list of all elements A i for which B ∈ Act i . Function first() picks the first element. With A ← ⊥, we denote that no activity is assigned to A. The algorithm first ensures that conditions (C3) and (C4) are met (lines 2-8). If enabled(s) contains ω, then set A is returned, since all (max,+) automata have ω in their alphabet and will be added to the cluster. If not, then for each enabled uncontrollable activity, all (max,+) automata having this activity in the alphabet are added to the cluster (lines [6][7][8]. The algorithm then checks for each activity enabled in the current cluster C whether condition (C2.1) or (C2.2) is violated, ensuring that also (C5.1) and (C5.2) are satisfied. The algorithm starts with candidate activity A. If A is enabled in the composition (line 11), we check if A ∈ U, as A might then enable an uncontrollable activity and condition (C5.1) or (C5.2) might get violated. When A ∈ U and A is if A ∈ Act i then 5: for B ∈ enabled(s i ) do 6: if B ∈ enabled(s) then 7: w ← w + |A| · |Act| 8: else 9: w ← w + 1 10: return w enabled within the current cluster, the set of all automata is returned (line 13); otherwise, we add all (max,+) automata containing A (line 15) and add a (max,+) automaton for each dependent activity outside the current cluster (lines [16][17][18]. This ensures that condition (C2.1) is satisfied for activity A and the cluster obtained after executing lines 11-21. If A is enabled in the composition of (max,+) automata in the cluster, but not in the full composition, then we add a (max,+) automaton that causes A to be disabled in the full composition. This ensures that condition (C2.2) is satisfied for A for the cluster obtained after executing lines 22-28. After handling A, we check whether there are other unprocessed activities that are locally enabled in the new cluster (line [29][30][31][32][33]. The algorithm continues until all locally enabled activities are processed. Theorem 31: Let s be a state in the composition M = A 1 · · · A n and A ∈ enabled(s) be the candidate activity. Then, COMPUTECLUSTER(s, A) returns a safe cluster in s.
Proof: From the previous reasoning, it follows that COMPUTECLUSTER(s, A) returns a safe cluster C in s that satisfies conditions (C1) through (C5.2).
In each composition state, there are typically multiple valid safe clusters. Heuristics can be used to select a cluster that likely yields a large reduction. One approach is to select a safe cluster yielding the smallest ample set starting from each candidate activity in the enabled set. This heuristic often performs well [25], since it allows to prune most enabled transitions. A disadvantage is that a safe cluster is constructed starting from each candidate. For larger enabled sets, this leads to a significant overhead. Algorithm 2 is an alternative heuristic that selects only one candidate activity. First, it checks if enabled(s) contains ω or an uncontrollable activity. As they will always be in the ample set, they are a good candidate choice; otherwise, a weight is computed for each candidate based on two aspects, and a candidate with the minimum weight is selected. The first aspect considers whether an activity is selected that does not occur in (max,+) automata that have locally enabled activities that are also in enabled(s), since this implies that the ample set will increase. We add weight |A| · |Act| as this is the maximum total sum of locally enabled activities. The second aspect considers minimizing the number of other enabled activities within the cluster, since possibly (max,+) automata need to be added where these are not enabled. For each other locally enabled activity, we increase the weight by one.

VII. EXPERIMENTAL EVALUATION
To test the effectiveness of the on-the-fly reduction, we use a set of models without data variables available from Supremica [26], the ASML lithography scanner model described in [27], and four variants of the Twilight system [27]. Twilight is an imaginary manufacturing system with two processing stations (conditioning, drilling) that processes balls according to a given recipe. This system is a simplification of the ASML lithography scanner using similar types of resources. The first variant (TW1) is described in [10]. Here, the life cycle and location of each product is explicitly modeled. In TW2, we remove these productlocation and life-cycle automata, and instead, use automata that ensure that products are always moved forward in the production process. TW3 extends TW2 with a polish station, where each product undergoes a polish and drill step after the condition step but in arbitrary order. To analyze the scalability of synthesis with POR, we also used a variant of TW3 and TW3-10s, with 10 processing stations. In TW4, we fix the order so that a product is always first conditioned, then drilled, and then polished.
We use two heuristics to compute ample sets; AllCandidates (Algorithm 1) that tries all candidate activities to find the smallest ample set, and SmartCandidate (Algorithm 2) that selects one candidate activity. All experiments were performed with a 2.40 GHz Intel i5-6300 U CPU processor and with 4 GB Java heap space to run the algorithms.
We evaluate the achievable reductions while preserving only functional aspects, as well as preserving both functional and performance aspects. As Supremica models do not describe the resource usage, we assume that activities do not claim or release resources and are assigned the 0 × 0 (max,+) timing matrix. This implies that they are timeless, and that we effectively preserve only functional aspects. For the Twilight and ASML models, we have the timing matrices and also consider performance aspects.

A. Reduction Preserving Only Functional Aspects
Before applying POR, we compute set U to check whether a reduction is possible. For some models in our test set, U contains all activities and no reductions are possible: DosingTank, MachineBufferMachine, TankProcess, AutomaticCarParkGate, TransferLine, and TransferLine3. For the Twilight models and the ASML model, we disregard the performance aspects by assigning the 0 × 0 (max,+) timing matrix to activities. Table I shows the POR results where reductions are possible. The highest reductions are achieved in VolvoCell and Robo-tAssemblyCell, where all activities are controllable and plants describe local parts of the system. This leaves a lot of redundant interleaving of activities that can be exploited to obtain a smaller composition. A similar reasoning applies to TW2, TW3, and TW4. The reduction for TW1 is very small, as there is a lot of activity synchronization by the product-location and life-cycle automata. Recall condition (C2.2), requiring that each enabled activity in the local state of a safe cluster must be independent with activities outside the cluster. During state-space exploration of TW1, the algorithm often needs to add product-location or life-cycle automata to the cluster to satisfy this condition (C2.2), which limits reduction possibilities. The reductions for TW2, TW3, and TW4 are much larger, since we do not explicitly model the product-location and life-cycle automata. For TW3-10, we had to compute the full state space on a server with much more heap space. Therefore, we have no running times on the same hardware, indicated by an X, and cannot compare the running times. In the ASML model, a large reduction of 86.1% is achieved, since all activities in this model are controllable and requirements are local. As expected, AllCandidates yields similar or better reductions than SmartCandidate in terms of states and transitions remaining in the composition by selecting the smallest safe cluster in each state. However, there is a significant runtime overhead in computing the reduced composition (T P ) with AllCandidates due to the computations involved in Algorithm 1. This overhead is much lower for SmartCandidate, where Algorithm 1 is run only once in each state. The additional runtime induced by the computations in SmartCandidate is in most cases a factor of 2. We also considered the total time T S needed to apply synthesis. For the heuristics, T S includes time T P that is needed to compute the reduced composition. For AllCandidates, the median additional synthesis runtime overhead is a factor of 3.3, and for SmartCandidate, it is a factor 2.3. Again, in almost all cases, the POR algorithm gives some runtime overhead. Note that in practice, the bottleneck in synthesis is not the runtime, but the memory required to store the composition. This means that for scalability, the most important metrics are the reductions that can be achieved in terms of the number of states and transitions. Table II shows the results of the reduction that preserves both functional and performance aspects. This reduction yields larger compositions, thus achieving less reduction than the reduction preserving only functional aspects. This is as expected, since resource sharing between activities is also considered. The normalized (max,+) state spaces of the full ASML and full TW3-10 s models could not be computed due to insufficient memory.

VIII. RELATED WORK
The application of POR techniques in the domain of supervisory control theory has been first investigated by Hellgren et al. [28]. There, POR is used to reduce the state space when checking deadlocks. A setting with only controllable actions is considered and the models adhere to a specific structure, with resource booking/unbooking and acyclic product life cycles where each resource can occur only once. Shaw [29] introduces an on-the-fly model checking approach for both controllability and nonblockingness. Because the aim is model checking rather than synthesis, the required conditions are different from the ones we use. For example, for checking controllability, a reduction might remove uncontrollable events from a plant model that are independent with controllable events. This is not valid if one wants to apply synthesis in a subsequent step.
There has been some initial work in applying POR techniques to timed systems. Bengtsson et al. [30] apply POR on timed automata for reachability analysis. These automata execute asynchronously, in their own local time scale, and synchronize their time scales on communication transitions. Yoneda et al. [31] investigated POR for timed Petri nets, for the verification of similar timing relations. Theelen et al. [32] applied ideas from POR on scenario-aware data flow models, using an independence relation among actions to resolve nondeterministic choices that have no impact on the performance metrics.
Our POR technique can be used to obtain a smaller supervisory controller for the given plant. There are also other approaches to construct a reduced nonblocking supervisor. Dietrich et al. [33] impose three sufficient conditions on a restricted supervisor to preserve nonblockingness. Morgenstern and Schneider [34] propose a stronger notion of nonblockingness called forceable nonblockingness. Given a plant, a controller is forceable nonblocking if every (in)finite run of the controlled system visits a marked state. This means that a marked state will be reached, no matter how the plant behaves, whereas in the original setting, the plant only has the possibility to reach a marked state. A synthesis algorithm is provided that computes such a controller. Huang and Kumar [35] described an approach to generate a reduced controller under the traditional notion of nonblockingness. Another approach is to find a smaller equivalent least-restrictive supervisor [36]. A supervisor typically has information about the enabling and disabling of events, and information to keep track of the plant evolution. The latter may contain redundancy. The technique exploits this redundancy to obtain a smaller supervisor. Compared to our approach, all approaches except the last one do not ensure a property of least-restrictiveness. Also, it is not straightforward to combine these reduction techniques with preserving other aspects, such as performance-related properties. Our POR achieves this by adding sufficient conditions to the reduction function and adapting the notion of event-dependence used.
Su et al. [17] described a related approach to compute a maximally permissive supervisor that optimizes makespan. It does not consider latency and throughput preservation. Parallelism is encoded using a mutual exclusion function. In our approach, we encode the specific resource usage, and thereby the mutual exclusion on resources, in the activities. The evaluation in the approach of [17] relies on the construction of a tree automaton, which grows exponentially in size in the worst case. In our (max,+) state space, redundancy in subsequences with the same timing information is encoded more efficiently.
Supervisory control of (max,+) automata is also considered in [13] and [14]. Here, the conventional (max,+) automaton definition is used, where the timing aspects are coupled to the system states. As a result, synthesis is performed on a model including timing information. In our approach, we abstract from the timing information during synthesis, which benefits scalability of the approach.

IX. CONCLUSION
We presented a POR technique for a network of (max,+) automata specifying a plant and its requirements to obtain a smaller supervisor while preserving controllability, nonblockingness, reduced least-restrictiveness, throughput, and latency. The reduction helps in synthesis and performance analysis of supervisory controllers, as less memory is needed to perform synthesis and to store the resulting reduced supervisor and timed state space. The technique is inspired by an existing cluster-based ample set reduction for nontimed systems. The reduced supervisor is computed by exploiting the structure of the automata and information about the (in)dependence among activities. The experimental evaluation shows that our POR technique is successful for models where a small set of states has uncontrollable activities enabled, and where automata describe local parts of the system. We obtained reductions up to 80.4% and 91.4% in the number of states and transitions. The possible reductions are highly dependent on the amount of synchronization on activities among automata and the extent to which activities use the same resources. In our models, the POR technique successfully exploits redundant interleaving related to processing stations that can perform operations in parallel and robot movements that can be executed simultaneously.