The subsystems modeled by (safe) Petri Nets to describe system
behavior are given in Figure 14. The input/output
structure is shown by the condition and event arcs incident to the
signals
's,
's,
's, and
's.
Figure 14: PN-Modules and Input/Output Structure for NCES Model
Note: The diagram was created by a special editor which was
developed to design such systems efficiently. This editor uses the
identifier ``s'' for places, instead of ``p,'' by default. Also,
transitions are shown as boxes here instead of bars.
From this, we can easily obtain the NCES model, shown in Figure
15:
where:
;
;
is the incidence matrix:
The condition signal matrix
is such that its rows are labeled
with the places, and its columns are labeled with the transitions. An
entry
if there is a condition arc from place
to
transition
, and
otherwise.
The event signal matrix
is a square matrix whose rows and
columns are labeled with transitions. An entry
if there
is an event arc from transition
to transition
, and
otherwise.
Figure 15: Net Condition Event System for Two-Pusher Example
Notice that the forbidden state specification, which is part of the
model
, is included in the NCES by means of the fact/transition
. We synthesize the safety controller as follows:
We develop a sequential controller for our desired path specification:
bring a token from place
to
. There is only one path
for this token to follow, which is determined by the sequence of
transitions
. We start by
trying to put a token in
by firing transition
. Notice
that
is a forced transition, and so we must actually fire
together with
. To do this, we must ensure that the
pre-places and conditions of both
and
have the appropriate
values; these are
,
, and
. Since the current
(initial) marking has tokens in both
and
, then we set
and fire
and thus
. This ``forward'' step is
summarized in the first row of the table shown below.
All other forward steps are determined in a similar way. Notice,
however, that on the fifth row, the firing of transition
,
which takes us to the goal place
, also takes us to a
forbidden marking
. This means that we should first remove tokens
from place
and then try again to put a token in
, and
thus in
.
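The forward step with a forced transition and the forbidden-marking check described above, as an added example that is not part of the original document. The net is a constructed toy, not the two-pusher model from the figures. The names s1..s5, t1..t4 and tf are hypothetical. It assumes that a step is taken only when the chosen transition and every transition it forces are all enabled, and that the forbidden state is modeled by a fact transition with condition arcs.

```python
# Constructed toy NCES, not the two-pusher model; every name is hypothetical.
# N: incidence entries (place, transition) -> -1 consume / +1 produce.
N = {("s1", "t1"): -1, ("s2", "t1"): 1, ("s3", "t2"): -1, ("s4", "t2"): 1,
     ("s2", "t3"): -1, ("s5", "t3"): 1, ("s4", "t4"): -1, ("s3", "t4"): 1}
# CS: condition arcs place -> transition (nonzero entries of the matrix).
CS = {("s2", "t4"), ("s4", "tf"), ("s5", "tf")}
# ES: event arcs transition -> forced transition.
ES = {("t1", "t2")}
FACT = "tf"  # fact transition: it must never become enabled

def enabled(m, t):
    """Pre-places and condition places of t are all marked in m."""
    pre = all(p in m for (p, u), v in N.items() if u == t and v < 0)
    cond = all(p in m for (p, u) in CS if u == t)
    return pre and cond

def step_set(t):
    """t plus every transition it forces, following event arcs transitively."""
    todo, seen = [t], set()
    while todo:
        u = todo.pop()
        if u not in seen:
            seen.add(u)
            todo.extend(v for (a, v) in ES if a == u)
    return seen

def forbidden(m):
    """A marking is forbidden when it enables the fact transition."""
    return enabled(m, FACT)

def fire(m, t):
    """Fire t together with its forced transitions; return the new marking."""
    ts = step_set(t)
    blocked = sorted(u for u in ts if not enabled(m, u))
    if blocked:
        raise ValueError(f"step {sorted(ts)} blocked by {blocked}")
    take = {p for (p, u), v in N.items() if u in ts and v < 0}
    give = {p for (p, u), v in N.items() if u in ts and v > 0}
    return frozenset((set(m) - take) | give)

def first_violation(m, seq):
    """Index of the first firing in seq that reaches a forbidden marking."""
    for i, t in enumerate(seq):
        m = fire(m, t)
        if forbidden(m):
            return i
    return None

M0 = frozenset({"s1", "s3"})
print(first_violation(M0, ["t1", "t3"]))        # direct path to s5
print(first_violation(M0, ["t1", "t4", "t3"]))  # token removed from s4 first
```

In this toy net the direct path reaches the goal place s5 while s4 is still marked, which enables the fact transition; firing t4 first clears s4 and the same goal is reached safely.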
Finally, from the above table we can construct the entity C, the
controller, which is given in Figure 16. This is an NCES
with ``states''
, ... ,
. In the closed-loop system,
the controller inputs, which are shown on the left, correspond to
the plant outputs (the
's), and the controller outputs, shown on
the right, correspond to the signals
's which will be inputs
to the plant.
Figure 16: Sequential Controller for Two-Pusher Example
Our next figure, Figure 17, shows the sequential controller described by means of a Sequential Function Chart. This is a language that can be directly implemented in a Programmable Logic Controller (PLC). It is built by using steps (rectangles) and transitions (bars). We can associate controller outputs (plant inputs) with each of these steps. These are on the right part of the diagram. The firing conditions, on the left, result from the marking of places which indicate the end of the preceding step or the necessary conditions to perform the next step. Boolean operations are described using Instruction List, which is also a programming language for PLCs, similar to assembler code. The symbol LD denotes that the value of a variable is loaded into the accumulator of the PLC. The symbol AND denotes the corresponding Boolean operation performed with the accumulator and the second value. The result is available in the accumulator of the PLC and plays the role of an additional firing condition of the transition in the controller. The controller transitions are forced to fire as soon as they are enabled.
Figure 17: Sequential Function Chart for PLC