Centralized and Decentralized Supervisory Controlof Nondeterministic Systems Under PartialObservation 1 2Ratnesh KumarDepartment of Electrical EngineeringUniversity of KentuckyLexington, KY 40506-0046Email: kumar@engr.uky.eduMark A. ShaymanDepartment of Electrical Engineering andInstitute of Systems ResearchUniversity of MarylandCollege Park, MD 20742Email: shayman@src.umd.eduAugust 15, 19951Initial version of this paper has appeared as [18].2This research was supported in part by the Center for Robotics and Manufacturing, Universityof Kentucky, and in part by the National Science Foundation under grants CDR-8803012, EEC-94-02384, ECS-9312587 and ECS-9409712.

AbstractIn this paper we extend our earlier work on supervisory control of nondeterministic sys-tems using prioritized synchronization as the mechanism of control and trajectory modelas the modeling formalism by considering design of supervisors under partial observation.We introduce the notion of observation-compatible systems and show that prioritized syn-chronous composition of observation-compatible systems can be used as a mechanism ofcontrol of nondeterministic systems under partial observation in presence of driven events.Necessary and su�cient conditions, that depend on the trajectory model as opposed to thelanguage model of the plant, are obtained for the existence of centralized as well as decentral-ized supervision. Our work on centralized control shows that the results of the traditionalsupervisory control can be \extended" to the above setting provided the supervisor is de-terministic and the observation mask is projection type. On the other hand, our work ondecentralized control is based on a new relation between controllability, observability, co-observability, and PSC that we derive in this paper.Keywords: discrete event systems, supervisory control, partial observation, nondetermin-istic automata, driven events, prioritized synchronization, trajectory models, controllability,observability, co-observabilityAMS (MOS) subject classi�cations: 68Q75, 93B25, 93C83

1 IntroductionDiscrete event systems (DES's) are systems which involve quantities that take a discreteset of values and which evolve according to occurrence of certain discrete qualitative changes,called events, such as arrival of a customer in a queue, termination of an algorithm in acomputer program, loss of a message packet in a communication network, breakdown of amachine in a manufacturing system, etc. The theory of supervisory control of DES's wasintroduced by Ramadge and Wonham [26, 27] for designing controllers so that the controlledsystem satis�es certain desired qualitative constraints, such as a bu�er in a manufacturingsystem should never over ow, a message sequence in a communication network must bereceived in the same order as it was transmitted, etc.Such qualitative behavior of a deterministic1 DES can be described by the set of allpossible event traces, called a language model, that the system can execute starting fromits initial state. However, due to partial observation and/or unmodeled dynamics, it is toorestrictive to require determinismof a system. If a DES is nondeterministic, then its languagemodel may not adequately describe its qualitative behavior, and more detailed models areneeded. Several models such as failures model [10], refusal-trace model [25], ready-trace model[1], bisimulation model [23, 24], etc., have been proposed in the literature for representingqualitative behavior of nondeterministic DES's. A nice comparative study of such modelingformalisms can be found in [2, 31]. As a designer, it is desirable to choose the least detailedmodeling formalism that is adequate for the design task at hand. As is argued below, thisis the reason for us to choose the trajectory model proposed by Heymann [8], also known asrefusal-trace model, for representing nondeterministic DESs.Most of the prior work on supervisory control of DES's such as [26, 16, 4] essentially usestrict synchronous composition (SSC) of plant DES and supervisor DES as the mechanism ofcontrol. In SSC of systems, it is required that the common events must occur synchronously.This is restrictive, as due to nondeterminism the plant state is not uniquely known followingthe execution of a certain observed trace, and the set of executable events in each such statemay di�er. If we require strict synchronization, then the supervisor is restricted to enablethose events that are executable in each of those states, which imposes a severe restrictionon the supervisor. Moreover, there is no a priori reason for a supervisor to synchronouslyexecute all the uncontrollable events that the plant can execute. Similarly, it is restrictiveto require that the plant synchronously executes the so called forcible [7], or command [4],or driven [8] events that are initiated by the supervisor. The motivating example in [30,Section 2, Example 5] describes a nondeterministic plant that can be controlled only whenthe requirement of strict synchronization is relaxed.In this paper we study the control of qualitative behavior of nondeterministic DES'susing prioritized synchronous composition (PSC) as the mechanism of control. PSC wasoriginally proposed by Heymann [8, 9] and was later applied for supervisory control in thedeterministic setting by Balemi [3] and in the nondeterministic setting by Shayman-Kumar1A DES is said to be deterministic if given the current state and an event that occurs in that state, thenext state is uniquely determined. 1

[30]. PSC is a generalization of the SSC. The parallel operator considered by Inan [12, 13],an extension of the parallel operator de�ned in [14, 15], can be viewed as a generalization ofPSC when applied to the so-called improper systems. However, while studying supervisorycontrol only proper systems are considered; consequently the resulting operation is that ofstrict synchronization.In PSC each system is associated with a certain priority set of events, and for an event tooccur in the composition of a pair of systems operating in prioritized synchrony, each systemhaving the priority over the event must participate. So if an event belongs to the commonpriority set, then it occurs synchronously. On the other hand, if a certain event belongs tothe priority set of a single system, then it can occur asynchronously without the participationof the second system. However, the second system will participate whenever possible; suchsynchronization is called broadcast synchronization. Thus PSC does not impose the unnec-essarily restrictive requirement of SSC that common events must always occur in synchrony.For supervisory control, the priority set of a plant consists of the uncontrollable and thecontrollable events, while the priority set of a supervisor consists of the controllable and thedriven events. Since controllable events are in the priority sets of plant as well as supervisor,they always occur in synchrony in the controlled system, whereas the uncontrollable and thedriven events may occur asynchronously.Heymann showed via an example [8, Example 7] that if PSC is admitted as a mechanismof interconnection, then a modeling formalism which is more detailed than the failures model(and consequently, more detailed than the language model) is needed to adequately describethe behavior of nondeterministic DES's. For this reason, Heymann proposed the modelingformalism called trajectory model. A trajectory model consists of generated and recognizedtrajectories, also called refusal-traces, of a system. A refusal-trace is a sequence of alternatingrefusal sets and events, where a refusal set consists of those events that the system \refuses"to execute when o�ered at a certain execution point. Trajectory model is quite similar tothe refusal-testing model of Phillips [25], but di�ers in its treatment of silent or epsilontransitions.In our previous work [30, 19] we showed that the trajectory model can be used foradequately describing behaviors of nondeterministic DES's that may be interconnected usingPSC, and showed that the operation of PSC is associative. Since an event that belongs to thepriority set of a single system can occur asynchronously, if we augment the other system byadding self-loops on such events, then the operation of PSC can be reduced to the operationof SSC provided the priority sets of the two systems exhaust the entire event set. Underthis condition, we proved in [30, 19] that the PSC of a pair of systems is equivalent to SSCof appropriately augmented systems. In particular, if the plant is augmented with drivenevents and the supervisor is augmented with uncontrollable events, then the PSC of plantand supervisor is equivalent to SSC of augmented plant and augmented supervisor. Usingthese results we obtained necessary and su�cient conditions for the existence of a supervisorso that the language of the controlled plant equals a desired language.In this paper we extend our earlier work on supervisory control of nondeterministicsystems using prioritized synchronization as the mechanism of control and trajectory model2

as the modeling formalism by considering design of supervisors under partial observation.Partial observation in the setting of supervisory control arises due to lack of su�cient numberof sensors. As in the work of Lin and Wonham [21], we use a projection function, also calledan observation mask, to represent such partial observation. A supervisor under partialobservation must take identical control action following indistinguishable traces. We callthis property of a supervisor observation-compatibility, which captures physically realizablesupervisors. Such supervisors make control decisions based on only the observed event traceof the system, and do not require any \special" internal knowledge of the system.We de�ne the notion of observation-compatibility of a trajectory model and prove thatthis property is preserved under augmentation whenever the system is deterministic. Usingthis result we obtain a necessary and su�cient condition for the existence of an observation-compatible supervisor so that the language of the plant operating in prioritized synchronywith the supervisor equals the desired one. This result is then applied to obtain a supervisorwhich achieves mutually exclusive usage of a shared channel in a communication system. Wealso obtain conditions for the existence of non-blocking supervisors [27, 5].Finally, we study the problem of decentralized supervision [29, 20, 22, 6, 32]. Decen-tralized supervision is inevitable when the plant is physically distributed for example as incommunication networks and manufacturing systems. A supervisor is installed at each lo-cation of the \sub-plant". In such a situation, a supervisor is able to control a certain setof events, called local events, and is able to observe a partial set of events. The problemof decentralized supervision requires design of supervisors that are observation-compatiblewith respect to their own observation function, and control events in their own priority sets.This problem is naturally formulated in our framework. We show that the condition ofcontrollability together with the condition of co-observability is necessary and su�cient fordecentralized supervision. Our constructive proof is novel and is based on a nice relation-ship betweem controllability, observability, co-observability, and PSC that we derive in thispaper. These conditions, however, are signi�cantly di�erent from the standard ones [21, 29],as they depend on the trajectory model (rather than language model) of the plant.The remainder of the paper is organized as follows: In Section 2 we introduce the relevantnotation. In Section 3, we de�ne the notion of observation-compatibility and study some of itsproperties. In Section 4 we study the supervisory control problem under partial observationin the proposed framework and apply it for achieving mutually exclusive usage of a sharedcommunication channel in a communication system. In Section 5 we study the problem ofdecentralized supervision. Finally, Section 6 concludes the work presented here.2 Notation and PreliminariesGiven a �nite event set �, �� is used to denote the collection of all traces, i.e., �nitesequences of events, including the zero length sequence, denoted as �. A subset of �� is calleda language. Symbols H;K, etc., are used to denote languages. For a language K � ��, thenotation pr(K) � ��, called the pre�x-closure of K, is the set of all pre�xes of traces fromK. K is said to be pre�x-closed if K = pr(K).3

The set 2�(�� 2�)� is used to denote the collection of all refusal-traces, i.e., �nite se-quences of alternating refusals and events [9, 30] of the type:�0(�1;�1) : : : (�n;�n);where n 2 N . The sequence �1 : : : �n 2 �� is the trace, and for each i � n, �i � � is aset of events refused (if o�ered) at the indicated point. Symbols P;Q;R; S, etc., are used todenote sets of refusal-traces. Refusal-traces are also referred to as trajectories.Given e 2 2�(� � 2�)�, we use jej to denote the length of e, and for each k � jej,�k(e) � � is used to denote the kth refusal in e and �k(e) 2 � is used to denote the kthevent in e, i.e., e = �0(e)(�1(e);�1(e)) : : : (�k(e);�k(e)) : : : (�jej(e);�jej(e)):The trace of e, denoted tr(e) 2 ��, is de�ned as tr(e) := �1(e) : : : �jej(e). Given a set ofrefusal-traces P � 2�(�� 2�)�, we use L(P ) := tr(P ) to denote its set of traces.If f 2 2�(�� 2�)� is another refusal-trace such that jf j � jej and for each k � jf j,�k(f) = �k(e) and �k(f) = �k(e), then f is said to be a pre�x of e, denoted by f � e. Foreach k � jej, the notation ek � e is used to denote the pre�x of length k of e. The pre�x-closure of e, denoted pr(e) � 2�(�� 2�)�, is the set of all pre�xes of e. If f 2 2�(� � 2�)�is such that jf j = jej and for each k � jf j, �k(f) � �k(e) and �k(f) = �k(e), then fis said to be dominated by e, denoted by f v e. The dominance-closure of e, denoteddom(e) � 2�(� � 2�)�, is the set of all refusal-traces dominated by e.Symbols P;Q;R, etc., are used to denote NSM's (with �-moves). Let the 5-tupleP := (XP ;�; �P; x0P;XmP )represent a discrete event system modeled as an NSM, where XP is the state set, � is the�nite event set, �P : XP�(�[f�g)! 2XP denotes the nondeterministic transition function2,x0P 2 XP is the initial state, and XmP � XP is the set of accepting or marked states. A triple(x1; �; x2) 2 XP � (� [ f�g) �XP is said to be a transition if x2 2 �P(x1; �). A transition(x1; �; x2) is referred to as a silent or hidden transition. We assume that the plant cannotundergo an unbounded sequence of silent transitions.The �-closure of x 2 XP , denoted ��P(x) � XP , is de�ned inductively as:x 2 ��P(x); and x0 2 ��P(x)) �P(x0; �) � ��P(x);and the set of refusal events at x 2 XP , denoted <P(x) � �, is de�ned as<P(x) := f� 2 � j �P(x0; �) = ;;8x0 2 ��P(x)g:In other words, given x 2 XP , ��P(x) is the set of states that can be reached from x onzero or more �-moves, and <P(x) is the set of events that are unde�ned at each state in the2� represents both an internal or unobservable event and an internal or nondeterministic choice [10, 23].4

�-closure of x. Using the de�nitions of the �-closure and refusal maps, the transition function�P : XP�(�[f�g)! 2XP is extended (i) to the set of traces, denoted as ��P : XP��� ! 2XP ,which is de�ned in the usual way [11], and (ii) to the set of refusal-traces, denoted as�TP : X � (2�(�� 2�)�)! 2XP , which is de�ned inductively as:8x 2 XP : 8><>: 8�0 � � : �TP(x;�0) := fx0 2 ��P(x) j �0 � <P(x0)g;8e 2 2�(�� 2�)�; � 2 �;�0 � � :�TP(x; e(�;�0)) := fx0 2 ��P(�P(�TP(x; e); �)) j �0 � <P(x0)g:These maps are then used to obtain the language models and the trajectory models of P asfollows:L(P) := fs 2 �� j ��P(x0P ; s) 6= ;g; Lm(P) := fs 2 L(P) j ��P(x0P; s) \XmP 6= ;g;T (P) := fe 2 2�(�� 2�)� j �TP(x0P; e) 6= ;g; Tm(P) := fe 2 T (P) j �TP(x0P ; e) \XmP 6= ;g:L(P); Lm(P); T (P); Tm(P) are called the generated language, recognized language, gener-ated trajectory set, recognized trajectory set, respectively, of P. The pairs (Lm(P); L(P))and (Tm(P); T (P)) are called the language model and the trajectory model, respectively,of P. Two language models, (Km1 ;K1) and (Km2 ;K2), are said to be equal, written as(Km1 ;K1) = (Km2 ;K2), if Km1 = Km2 and K1 = K2; equality of two trajectory models isde�ned analogously.Given a trajectory model, the trace map can be used to obtain the associated languagemodel. On the other hand, given a language model (Km;K), the trajectorymap, trjK : K !2�(�� 2�)� can be used to obtain the deterministic trajectory model3 having the languagemodel (Km;K), which is de�ned as follows:trjK(s) := �0(s)(�1(s);�1(s)) : : : (�jsj(s);�jsj(s)) 2 2�(�� 2�)�; where�k(s) := f� 2 � j sk� 62 Kg;8k � jsj:De�ne (detm(Km;K); det(K)) := (dom(trjK(Km)); dom(trjK(K))). Then it is shown in[19, Proposition 1] that it is the unique deterministic trajectory model that has the languagemodel (Km;K).In [8, 9, 30, 19] prioritized synchronous composition (PSC) of systems is used as themechanism of control. In this setting, associated with each system is a priority set of events,which endows the system with the ability to prevent the occurrence of events belonging to itspriority set; a system must participate in the execution of an event belonging to its priorityset for that event to occur in the PSC with other system(s). Letting P AkB Q denote thePSC of NSM's P and Q with priority sets A;B � � respectively, and Tm(P) AkB Tm(Q),T (P) AkB T (Q) denote the PSC of corresponding trajectory models, it was proved in [30,Theorem 2] and [19, Theorem 2] thatTm(P) AkB Tm(Q) = Tm(P AkB Q); T (P) AkB T (Q) = T (P AkB Q):3A trajectory model (Pm; P ) is said to be deterministic if there exists a deterministic state machine Psuch that (Tm(P); T (P )) = (Pm; P ). 5

Various properties of PSC of trajectory models were studied in [30, 19]. In particular,associativity of PSC was proved [19, Proposition 2, Corollary 6], a language intersectionresult for the case when A = B = � was obtained [19, Corollary 4, Corollary 5], and thenotion of augmentation and its properties were studied.We recall from [30, 19] that the augmentation of an NSM P by an event set D � � isthe NSM PD := P ;k; D, where D denotes the deterministic state machine with one state,which is marked, and has self-loops labeled by every event in D. Thus the augmented NSMPD can also be obtained by adding self-loops on each state of P on those events in D thatare refused at that state, i.e., PD := (XP ;�; �PD; x0P;Xm), where the transition function isde�ned as: 8x 2 XP ; � 2 � : �PD(x; �) := ( fxg if � 2 D \ <P(x)�P(x; �) otherwiseRefer to Example 1 for illustration. Since the trajectory model of D is (det(D�); det(D�)),the augmented trajectory model is given by((Tm(P))D; (T (P))D) := (Tm(PD); T (PD)) = (Tm(P) ;k; det(D�); T (P) ;k; det(D�)):It was shown in [30, Proposition 4] and [19, Proposition 3] that whenever the prioritysets of a given pair of systems exhaust the entire event set, then the operation of PSCcan be reduced to that of SSC of appropriately augmented systems. Speci�cally, given apair of trajectory models (Pm; P ) and (Qm; Q) with priority sets A;B � �, respectively, ifA [B = �, thenPm AkB Qm = (Pm)��A �k� (Qm)��B; P AkB Q = P��A �k� Q��B:Consequently we have the following identities:L(Pm AkB Qm) = L((Pm)��A) \ L((Qm)��B); L(P AkB Q) = L(P��A) \ L(Q��B):Thus the technique of augmentation is useful in studying the behavior of a pair of systemsoperating in prioritized synchrony if their priority sets jointly exhaust the entire event set.In particular, we can apply the technique of augmentation in supervisory control, as theevent set � can be written as the union of the priority set of plant, which is the set ofuncontrollable and controllable events, and the priority set of supervisor, which is the set ofcontrollable and driven events.3 Observation-Compatible SystemsIn many control designs, it is not possible to completely observe the behavior of theuncontrolled plant due to lack of su�cient number of sensors. Thus, certain events executedby the uncontrolled plant may be unobservable. In the setting of supervisory control, anobservation mask|a projection map de�ned from the set of events to the set of observableevents|is used to describe such partial observation. In such situations it is natural to require6

that the control actions taken by a supervisor following indistinguishable traces be identical.We call this property of a supervisor observation-compatibility. In this section, we formallyde�ne the notion of observation-compatibility of the trajectory model of a nondeterministicdiscrete event system, and study some of its properties.Let �o � � be the set of observable events, i.e., the events that can be sensed by asupervisor. A projection function M : � ! �o [ f�g, called an observation mask [21, 6], isused to represent such a partial observation; it is de�ned as:8� 2 � :M(�) := ( � if � 2 �o� otherwiseNote that we assume that the observation mask is a projection function.Recall from [26] that a language K � �� is said to be controllable with respect to a givenpre�x-closed language H and the set of uncontrollable events � � B, called (H;� � B)-controllable, if pr(K)(� �B) \H � pr(K);i.e., if the extension of a certain pre�x of K by an uncontrollable event results in a traceof H, then this extended trace should also be a pre�x of K. Also, recall from [21] thatK is is said to be observable with respect to H and a given observation mask M(�), called(H;M)-observable, if8s; t 2 pr(K); � 2 � : M(s) = M(t); s� 2 pr(K); t� 2 H ) t� 2 pr(K):In other words, K is said to be (H;M)-observable if given an indistinguishable pair of tracesin pr(K), the pair of traces resulting from appending a common event to the given pair hasidentical membership in pr(K) whenever they have identical membership inH. It was shownin [21] that the observability of pre�x-closed languages is preserved under intersection so thatthe in�mal pre�x-closed and observable superlanguage of a given language exists. Using theabove notion of observability we next de�ne the concept of observation-compatibility.De�nition 1 Given a trajectory model (Sm; S) and an observation mask M(�), (Sm; S) issaid to be observation compatible with respect to M(�) or simply M-compatible if8s; t 2 L(S); � 2 � :M(s) = M(t); s� 2 L(S)) t� 2 L(S):A NSM is said to be M -compatible, if its associated trajectory model is M -compatible.Thus a trajectory model is M -compatible if and only if its generated language is (��;M)-observable. Note that the property of observation-compatibility captures physically realizablesupervisors. Such supervisors make control decisions based on only the observed event traceof the system, and do not require any \special" internal knowledge of the system. Next weshow that M -compatibility of a deterministic trajectory model is preserved under augmen-tation. We �rst need to establish two lemmas.7

De�nition 2 Given a nonempty pre�x-closed language K, the projection of �� onto K isde�ned inductively by:�K(�) := �; 8s 2 ��; � 2 � : �K(s�) := ( �K(s)� if �K(s)� 2 K�K(s) otherwiseWhen the choice of K is clear, we use the abbreviated notation s0 for �K(s).The �rst lemma asserts that the state reached by the execution of a certain trace in anaugmented deterministic state machine is the same as that reached in the unaugmented statemachine by the execution of the trace projected onto its language.Lemma 1 Let P := (XP ;�; �P; x0P;XmP ) be a deterministic state machine and D � �. Thenfor each s 2 L(PD), ��PD(x0P; s) = ��P(x0P ; �L(P)(s)):Proof: We use induction on length of s for proving the assertion. For notational simplicity,de�ne �L(P)(s) := s0. If jsj = 0, then s = s0 = �. Hence ��PD(x0P; s) = ��P(x0P ; s0) =x0P, as P, and so PD, are deterministic. Thus the base step trivially holds. In order toprove the induction step, suppose s = �s�, where � 2 �. De�ne �s0 := �L(P)(�s). Then itfollows from induction hypothesis that ��PD(x0P ; �s) = ��P(x0P; �s0) := x�s. If � 62 <P(x�s), then��PD(x0P; s) = ��P(x�s; �) = ��P(x0P; s0). On the other hand, if � 2 D \ <P(x�s), then s0 = �s0,and ��PD(x0P; s) = x�s, so that ��P(x0P ; s0) = ��P(x0P; �s0) = x�s = ��PD(x0P; s). This proves theinduction step and completes the proof.The next lemma asserts that if a certain language is (��;M)-observable, then the indis-tinguishability of a pair of traces implies indistinguishability of their projections onto thelanguage.Lemma 2 Consider an observation maskM(�), and a nonempty pre�x-closed language K ���. If K is (��;M)-observable, then8s; t 2 �� :M(s) =M(t))M(�K(s)) =M(�K(t)):Proof: For notational simplicity, de�ne s0 := �K(s) and t0 := �K(t). We prove the assertionby induction on jsj+ jtj. For the base step, if jsj = 0 or jtj = 0, then M(s) = M(t) = �, soM(s0) = M(t0) = �. For the induction step, consider s = �s�s and t = �t�t with �s; �t 2 �� and�s; �t 2 �. De�ne �s0 := �K(�s) and �t0 := �K(�t). We have three possibilities: (i) M(�s) = �,which implies that M(�s) = M(t). Then, M(s0) = M(�s0) = M(t0), where the �rst equalityfollows trivially from the unobservability of �s and the second equality follows by inductionhypothesis. (ii) M(�t) = �. Then it follows from symmetry and case (i) above that M(s0) =M(t0). (iii) M(�s) 6= �; M(�t) 6= �, which implies that �s = �t := � and M(�s) = M(�t). Byinduction hypothesis, M(�s0) = M(�t0). Since K is (��;M)-observable, either �s0�; �t0� 2 K or�s0�; �t0� 62 K. In the �rst case, M(s0) = M(�s0�) = M(�s0)� = M(�t0)� = M(�t0�) = M(t0). Inthe second case, M(s0) = M(�s0) =M(�t0) = M(t0):The results of Lemma 1 and 2 are now used to prove that the observation-compatibilityof a deterministic system is preserved under augmentation.8

Theorem 1 Let (Sm; S) be a deterministic trajectory model,M(�) be an observation mask,and D � �. Suppose (Sm; S) is M -compatible. Then ((Sm)D; SD) is also M -compatible(and deterministic).Proof: It su�ces to show that L(SD) is (��;M)-observable. Pick s; t 2 L(SD); � 2 �such that M(s) = M(t) and s� 2 L(SD). Then we need to show that t� 2 L(SD). Since(Sm; S) is a deterministic trajectory model, there exists a deterministic state machine S :=(XS ;�; �S ; x0S;XmS ) with trajectory model (Sm; S). Then ((Sm)D; SD) = (Tm(SD); T (SD)).De�ne s0 := �L(S)(s) and t0 := �L(S)(t). Then it follows from Lemma 1 that��SD(x0S; s) = ��S(x0S ; s0); ��SD(x0S ; t) = ��S(x0S ; t0): (1)Also, sinceM(s) = M(t), it follows from Lemma 2 that M(s0) = M(t0). Hence if s0� 2 L(S),then it follows from (��;M)-observability of L(S) that t0� 2 L(S). Hence (1) impliest� 2 L(SD). On the other hand, if s0� 62 L(S), then � 2 D, so t� 2 L(SD) trivially.We show via the following example that the requirement of determinismcannot be relaxedin Theorem 1.Example 1 In order to see that the determinism is a necessary condition for Theorem 1d

bd

d

c

bd

c bc b

aa aa

b

c

b

b

b

NSM P Augmented NSM P{b}

(a) (b)

c b,c

c b,cFigure 1: Diagram Illustrating Example 1to hold, consider the NSM P shown in Figure 1(a) with � = fa; b; c; dg and M(�) such thatM(a) = a;M(b) = b;M(c) = �;M(d) = d. Then (i) ac� 2 L(P), and each trace in ac� hasidentical mask value. It can be checked that the set of events enabled after each trace inac� equals fb; c; dg. (ii) ac�bc� 2 L(P), and each trace in ac�bc� has identical mask value. Itcan also be checked that the set of events enabled after each trace in ac�bc� equals fcg. (iii)Finally, ac�d 2 L(P), and each trace in ac�d has identical mask value. One can verify that9

no event is enabled after each such trace. Thus L(P) is (��;M)-observable, so the associatedtrajectory model (Tm(P); T (P)) is M -compatible.The augmented NSM Pfbg is shown in Figure 1(b). Then ab; abc 2 L(Pfbg) withM(ab) = M(abc). However, the set of events enabled after ab equals fb; cg, whereas theset of events enabled after abc equals fb; c; dg. Thus L(Pfbg) is not (��;M)-observable, andso the associated trajectory model (Tm(Pfbg); T (Pfbg) is not M -compatible.4 Centralized Control under Partial ObservationIn a previous paper [30], we showed that PSC can be used as a mechanism of controlunder the restriction that all controllable events are observable to the supervisor. We show inthis section that PSC can be used as a mechanism of control without imposing this restrictionon the observation mask. As discussed in the previous section, whenever the observationsof a supervisor are �ltered through a mask, the supervisor must be observation-compatiblewith respect to its observation mask, i.e., a supervisor under partial observation must satisfythe constraint that following each pair of traces that look alike under the observation mask,it must take identical control action.Prior to establishing the main result of this section, we prove the following preliminaryresult:Lemma 3 Let H � �� be pre�x-closed, K � H, and M(�) be an observation mask. IfKM � �� denotes the in�mal pre�x-closed and (��;M)-observable superlanguage of K,then KM \H equals the in�mal pre�x-closed and (H;M)-observable superlanguage of K.Proof: For simplicity of notation de�ne K 0 := KM \ H. Let K̂ � �� denote the in�malpre�x-closed and (H;M)-observable superlanguage of K. We need to show that K 0 = K̂. Inorder to show that K̂ � K 0, it su�ces to show that K 0 is a pre�x-closed (H;M)-observablesuperlanguage of K. Since K � H, it follows that K 0 = KM \ H is a superlanguage ofK. Also, from the fact that pre�x-closure is preserved under intersection, it follows that K 0is pre�x-closed. Finally, since KM is (��;M)-observable, clearly, it is (H;M)-observable.Then it follows from the fact that observability of pre�x-closed languages is preserved underintersection [21, 28] that K 0 = KM \H is also (H;M)-observable.It remains to show that K 0 � K̂. Suppose for contradiction that K̂ is a proper sublan-guage of K 0. Then there exists s 2 K̂ and � 2 � such that s� 2 K 0 � K̂. Since K 0 � KM ,it follows that s� 2 KM . Also, since K � K̂ � K 0 � KM , and KM is the in�mal pre�x-closed and (��;M)-observable superlanguage of K, it follows that KM is also the in�malpre�x-closed and (��;M)-observable superlanguage of K̂. Finally, since s 2 K̂ , s� 62 K̂,and s� 2 KM , it follows from the fact that KM is the in�mal pre�x-closed and (��;M)-observable superlanguage of K̂ that there exists t 2 K̂ such that M(t) =M(s) and t� 2 K̂.We also have that s 2 K̂, and s� 2 K 0 � K̂ � H � K̂ . Thus we arrive at a contradiction tothe fact that K̂ is (H;M)-observable.The following corollary is immediate from Lemma 3:10

Corollary 1 Let H � �� be pre�x-closed, M(�) be an observation function, and K � Hbe pre�x-closed and (H;M)-observable. If KM � �� denotes the in�mal pre�x-closed and(��;M)-observable superlanguage of K, then KM \H = K.Recall from [19] that a supervisor with trajectory model (Sm; S) is said to be non-markingif Sm = S. In the following theorem we obtain a necessary and su�cient condition for theexistence of a non-marking and observation-compatible deterministic supervisor. We needthe following result from [30, Remark 11]: Given a plant trajectory model (Pm; P ) withpriority set A, if a language K satis�es the controllability condition of Theorem 2 below,and H is any pre�x-closed language satisfying L(P��A) \ H = K, then the non-markingdeterministic supervisor (S; S) := (det(H); det(H)) with priority set B such that A[B = �yields K as the closed-loop behavior L(P AkB S).Theorem 2 Let (Pm; P ) be the trajectory model of a plant, A;B � �, with A [ B = �,M(�) be an observation mask, and K � L(P��A) be a nonempty language. Then thereexists a deterministic, non-marking, and M -compatible supervisor with trajectory model(S; S) such that L(P AkB S) = K if and only ifPre�x-closure: pr(K) = K, andControllability: pr(K)(� �B) \ L(P��A) � pr(K), andObservability: 8s; t 2 pr(K); � 2 � : M(s) = M(t); s� 2 pr(K); t� 2L(P��A)) t� 2 pr(K).In this case S can be chosen to be det(KM), where KM is the in�mal pre�x-closed and(��;M)-observable superlanguage of K.Proof: In order to see the su�ciency part, consider the supervisor with S := det(KM).Then L(S) = KM , so that S is M -compatible. Also, it follows from Corollary 1 thatKM \ L(P��A) = K. Using [30, Remark 11], we obtain L(P AkB S) = K.In order to see the necessity part, suppose (S; S) is the trajectory model of a deterministicnon-marking and M -compatible supervisor such that L(P AkB S) = K. Then it follows fromthe necessity part of [30, Theorem 4] that K is pre�x-closed and controllable. It remains toshow that K is (L(P��A);M)-observable. Since K = L(P AkB S) = L(P��A) \ L(S��B),it su�ces to show that L(S��B) is (��;M)-observable. This follows from the fact that(S; S) is a deterministic and M -compatible trajectory model, and as shown in Theorem 1,M -compatibility of deterministic trajectory models is preserved under augmentation.Remark 1 In contrast to the standard controllability and observability condition of theRamadge-Wonham setting, the conditions of Theorem 2 refer to the language of the aug-mented plant. This language depends on the trajectory model of the plant and in generalcannot be deduced from the language model of the plant. Readers are referred to [30, Remark9, Example 3] for further elaboration on this point.Also, since the necessity part of Theorem 2 uses the result of Theorem 1, it follows fromExample 1 that the necessity part of Theorem 2 may not hold if the supervisor is not required11

to be deterministic. In a recent paper Inan has studied the design of nondeterministicsupervisors under partial observation [13], where he has introduced the notion of co-closure(a condition weaker than controllability and observability combined), and has proved itsnecessity and su�ciency.Finally, it may seem that the result of Theorem 2 is an immediate consequence of our priorwork on nondeterministic systems, and the standard supervisory control results. However,this is not true as it is not clear at the outset whether our results on nondeterministicsystems under complete observations will immediately \carry over" to the case of partialobservations (with appropriate extensions as in the standard supervisory control). In factthe result of Theorem 2 fails to hold if more general non-projection type observation masksare considered. This is because the observation-compatibility of a deterministic system is notpreserved under augmentation if the observation mask is no longer the projection type. Tosee this consider an observation mask that identi�es the only events a and b of a deterministicsystem which executes the event a in its initial state and deadlocks. Clearly, the system isobservation-compatible. However, its augmentation with the event b has a self-loop on b inboth its states. So, in the augmented system a as well as b can occur after the occurrenceof the initial b, whereas only b can occur after the occurrence of the initial a, which violatesthe observation-compatibility since a and b are indistinguishable.We next apply the result of Theorem 2 to the design of a supervisor that achievesmutuallyexclusive usage of a shared communication channel in a communication system.Example 2 Consider the nondeterministic plant P depicted in Figure 2(a). In this example,a

ac

b

b

bc

d

h

a

ac

b

b

bc

d

h

d

d

d

d

dd

(b) Augmented plant {d}P(a) Plant PFigure 2: Plant P and augmented plant P��A = P fdgthe plant represents a partial model of a multi-user communication system. Only the portionsof the model needed to illustrate the main result are included. The communication system12

has two channels. The �rst user can transmit messages using either channel, and switchesbetween the channels in a manner that is unmodeled and hence nondeterministic. Thesecond user can transmit only on channel 2. The event a represents the commencement oftransmission by user 1 and results in a nondeterministic transition to one of two successorstates depending on which channel is used. The event b represents the commencement oftransmission by user 2. Both the commencement events are controllable but are unobservableto the supervisor to be constructed. If both users are able to transmit their messages withoutcollision, then an uncontrollable completion event c occurs which returns the plant to itsinitial state.In order to avoid collision of messages, user 1 may receive a signal that causes it to vacatechannel 2 provided it has in fact chosen channel 2. This is represented by the event d. It isa driven event because it must be initiated by a supervisor and is executed synchronouslyby the plant only if able to do so{i.e., only if user 1 is transmitting on channel 2. If user1 has been transmitting on channel 2 and user 2 commences transmission without it beingpreceded by d, then there are two possibilities: If user 1 has happened to �nish before user2 starts, then b is followed by the completion event c; otherwise b is followed by the collisionevent h, an uncontrollable event.Thus in this example,� = fa; b; c; d; hg; A = fa; b; c; hg; B = fa; b; dg;as a and b are controllable, c and h are uncontrollable, and d is a driven event. Note thata and b are the only events that are unobservable to the supervisor to be constructed. Thebasic performance speci�cation is that a collision-free service should be provided. This canbe represented by the pre�x-closed sublanguage of the augmented plant (shown in Figure2(b)) given byK0 := fs 2 L(P��A) j s does not contain hg = pr[(d�ad�bd�c)�]:However, since user 1 cannot vacate the channel 2 unless it is using it, it is reasonable toconsider the desired behavior to be the sublanguage of K0 consisting of those traces that donot contain any occurrence of d that is not immediately preceded by a. This is given byK1 := pr[(abc+ adbc)�]:Since the uncontrollable event h can occur following the trace ab 2 K1, it is not controllable.The supremal pre�x-closed and controllable sublanguage of K1 is given byK"1 = pr[(adbc)�]:However this is not L(P��A;M)-observable. In fact since �; a 2 K"1 with M(�) = M(a) andd 2 L(P��A)�K"1 , it follows that any pre�x-closed sublanguage of K"1 that is (L(P��A);M)-observable cannot contain ad. Thus, a pre�x-closed (L(P��A);M)-observable sublanguageof K"1 is contained in pr(a). By Theorem 2, it follows any M -compatible supervisor that13

results in a closed-loop generated language contained in the speci�cation language K1 givesa closed-loop generated language contained in pr(a). This is clearly unsatisfactory.Thus, we must relax the speci�cation given by K1 keeping in mind that the constraintgiven by K0 must be satis�ed. The in�mal pre�x-closed and (L(P��A);M)-observablesuperlanguage of K"1 is pr[(adbc)�d], which is a sublanguage of K0. Since pr[(adbc)�d] isalso controllable, and since its in�mal pre�x-closed and (��;M)-observable superlanguage ispr[(a�db�c)�d] it follows from Theorem 2 that the non-marking supervisorS1 := det[(pr(a�db�c)�d)] = det[(pr(a�db�c)�)]depicted in Figure 3(a) is M -compatible and yields pr[(adbc)�d] as the closed-loop generatedlanguage. The closed-loop system is shown in Figure 3(b).ba

(a) Supervisor 1

c

dd

a

a

cb

b

d

d(b) Closed-loop system 1Figure 3: Supervisor S1 and closed-loop system P AkB S1The supervisor implements the following simple control strategy: Initially it allows onlyuser 1 to transmit. Before enabling transmission by user 2, it signals user 1 to vacate channel2. This command is synchronously executed in the plant only when user 1 is transmitting onchannel 2; otherwise, it is \refused" by the plant and occurs asynchronously in the supervisor.The supervisor then allows user 2 to communicate, and returns to its initial state when thecompletion event c occurs. The ability of the plant to refuse a driven event initiated bythe supervisor is essential to our control, and is available because of the PSC-based controldesign. (Such a feature is certainly unavailable in an SSC-based control design.)This design is not entirely satisfactory since, as can be seen from Figure 3(b), the closed-loop system deadlocks following the execution of any trace in (adbc)�d. 4 This is becausewe did not require that the closed-loop behavior be live [17]. 5 So the next alternative isto consider a live superlanguage of the \non-live" language pr[(adbc)�d] that is also control-lable and observable and is contained in K0. Although controllability and observability ofpre�x-closed languages are preserved under intersection, liveness is not. Similarly, althoughcontrollability and liveness of languages is preserved under union, observability is not. Hence,no unique solution can be identi�ed. So a \semi-automatic" design involving some humanreasoning is unavoidable.4Note that although the closed-loop system is non-blocking in the sense that the pre�x-closure of therecognized refusal-traces is the same as the generated refusal-traces, it may deadlock.5Informally, a language is said to be live if each of its trace has an extension in the language.14

With a little insight into the problem, it is easy to see that a simple modi�cation of thesupervisor in which a transition is added to permit the supervisor to return to its initial stateby execution of d achieves liveness of the closed-loop behavior. The new supervisor, denotedS2, and the resulting closed-loop system are shown in Figure 4. The closed-loop system canba

d

cc,d

d

dd

ad

d

a

d

d

b

b

(a) Supervisor 2 (b) Closed-loop system 2Figure 4: Supervisor S2 and closed-loop system P AkB S2no longer deadlock. The language of the closed-loop system equals pr[(dd + ad(dd)�bd�c)�],which is a sublanguage of K0 as desired.Note that both S1 and S2 do not change their state when either a or b occur, showingthat they are compatible with the unobservability of these events.We conclude this section by extending the result of Theorem 2 to obtain conditions forthe existence of non-blocking supervisors. Recall from [19, De�nition 6] that given a plant(Pm; P ) with priority set A, a supervisor (Sm; S) with priority set B is said to be languagemodel non-blocking if pr(L(Pm AkB Sm)) = L(P AkB S); it is said to be trajectory modelnon-blocking if pr(Pm AkB Sm) = P AkB S. In the following corollary we provide a necessaryand su�cient condition for the existence of an observation-compatible and language modelnon-blocking supervisor.Corollary 2 Let (Pm; P ) be the trajectory model of a plant, A;B � �, with A [ B = �,M(�) an observation mask, and Km � L((Pm)��A) a nonempty language. Then there existsa deterministic, non-marking, language model non-blocking, and M -compatible supervisorwith trajectory model (S; S) such that L(Pm AkB Sm) = Km if and only ifRelative-closure: pr(Km) \ L((Pm)��A) = Km, andControllability: pr(Km)(��B) \ L(P��A) � pr(Km), andObservability: 8s; t 2 pr(Km); � 2 � : M(s) = M(t); s� 2 pr(Km); t� 2L(P��A)) t� 2 pr(Km).In this case S can be chosen to be det((Km)M), where (Km)M denotes the in�mal pre�x-closed and (��;M)-observable superlanguage of Km.15

Proof: First consider su�ciency. Since pr(Km) is nonempty, pre�x-closed, controllable,and (L(P��A);M)-observable, it follows from the su�ciency part of Theorem 2 that thenon-marking supervisor with S := det((pr(Km))M) = det((Km)M) is M -compatible, andL(P AkB S) = pr(Km). Hence using the relative closure condition we obtain the followingseries of equalities: Km = pr(Km) \ L((Pm)��A)= L(P AkB S) \ L((Pm)��A)= [L(P��A) \ L(S��B)] \ L((Pm)��A)= L((Pm)��A) \ L(S��B)= L(Pm AkB S):Since pr(Km) = L(P AkB S) and Km = L(Pm AkB S), the supervisor is language modelnon-blocking.The necessity part follows from the necessity parts of Theorem 2 and [19, Theorem 5].The result of Corollary 2 can be extended to obtain a necessary and su�cient conditionfor the existence of an observation-compatible and trajectory model non-blocking supervisor.We need the following result from [19, Proposition 4]: Given a plant (Pm; P ) with priority setA and a nonempty language Km � L((Pm)��A), if there exists a deterministic, non-markingand language model non-blocking supervisor (S; S) with priority set B such that A[B = �and L(Pm AkB S) = Km, thenPm AkB det(pr(Km)) = Pm AkB S; P AkB det(pr(Km)) = P AkB S:Corollary 3 Let (Pm; P ) be the trajectory model of a plant, A;B � �, with A [ B = �,M(�) an observation mask, and Km � L((Pm)��A) a nonempty language. Then there existsa deterministic, non-marking, trajectory model non-blocking, and M -compatible supervisorwith trajectory model (S; S) such that L(Pm AkB Sm) = Km if and only ifRelative-closure: pr(Km) \ L((Pm)��A) = Km, andControllability: pr(Km)(��B) \ L(P��A) � pr(Km), andObservability: 8s; t 2 pr(Km); � 2 � : M(s) = M(t); s� 2 pr(Km); t� 2L(P��A)) t� 2 pr(Km), andTrajectory-closure: P AkB det(pr(Km)) = pr[Pm AkB det(pr(Km))].In this case S can be chosen to be det((Km)M), where (Km)M denotes the in�mal pre�x-closed and (��;M)-observable superlanguage of Km.Proof: The necessity part follows from the necessity part of Corollary 2 and that of [19,Theorem 6]; the su�ciency part follows from the su�ciency part of Corollary 2 and [19,Proposition 4]. 16

5 Decentralized ControlSo far we have restricted our attention to the problem of centralized control under partialobservation. However, in many applications such as manufacturing systems, communicationnetworks, etc., the plant is physically distributed and it is desirable to have decentralizedcontrollers [6, 20, 22, 29, 32], where each controller is able to control a certain set of eventsand is able to observe certain other events. The problem of decentralized control can bestudied quite elegantly in our PSC based approach.Without any loss of generality we consider the case of \two-decentralization", i.e., given adiscrete event plant P with priority set A we consider synthesis of two supervisors S1 and S2with priority sets B1 and B2, respectively, which are compatible with their own observationmasks M1(�) and M2(�), respectively, such that the controlled plant P AkB1[B2 (S1 B1kB2 S2)satis�es a desired behavior constraint. The priority set of supervisor Si(i = 1; 2) is Bi, andits observations are �ltered through the mask function Mi(�). Thus the events in the setA\Bi are the controllable events for Si, those in the set A�Bi are the uncontrollable eventsfor Si, and �nally those in Bi �A are the driven events for Si. Also, Si must be compatiblewith Mi(�), i.e., its generated language must be (��;Mi)-observable. Since an event mustbelong to at least one of the priority sets we have that A [B1 [ B2 = �.For notational simplicity we de�ne B := B1 [B2 and S := S1 B1kB2 S2. Since the eventsin the set A�B are in the priority set of neither of the supervisors, these represent the uncon-trollable events. Thus for decentralized supervision it is expected that the desired behaviorbe controllable with respect to these uncontrollable events. The remaining events are in thepriority set(s) of one or both of the supervisors, however, their enablement/disablementmustsatisfy the restriction that results from the partial observability of the supervisors. This iscaptured by the following condition of co-observability, which is similar to the one given byRudie and Wonham [29]:De�nition 3 Given the priority sets B1 and B2 of two supervisors, and their observationmasks M1(�) and M2(�), respectively, a language K � �� is said to be co-observable withrespect to a pre�x-closed language H � ��, called (H;B1; B2;M1;M2){co-observable, if8s1; s2; t 2 pr(K); � 2 B1 [B2:(1) [� 2 B1 �B2;M1(s1) = M1(t); s1� 2 pr(K); t� 2 H]) [t� 2 pr(K)](2) [� 2 B2 �B1;M2(s2) = M2(t); s2� 2 pr(K); t� 2 H]) [t� 2 pr(K)](3) [� 2 B1 \ B2;M1(s1) =M1(t);M2(s2) = M2(t); s1�; s2� 2 pr(K); t� 2 H])[t� 2 pr(K)]Thus if an event belongs solely to priority set of one of the supervisors and it is enabledfollowing a trace, then it must be enabled following any other trace that is indistinguishableto that supervisor (provided it can occur in the plant). On the other hand, if the event belongsto the common priority set of the supervisors, and it can occur in the plant following a tracewhich is indistinguishable from a certain trace to the �rst supervisor, and from anothertrace to the second supervisor, and the event is enabled following these latter pair of traces,17

then the event must also be enabled following the former trace. It is clear that K is co-observable if and only if pr(K) is co-observable. Also, as is the case with observability,co-observability of pre�x-closed languages is preserved under intersection [29]; consequently,the in�mal pre�x-closed and co-observable superlanguage of a given language exists.We show below that controllability together with co-observability is necessary and su�-cient for decentralized supervision. It is clear that observability with respect to each of themasks implies co-observability. Thus a weaker condition than observability with respect toeach of the masks is needed for decentralized supervision; this is because the events in thecommon priority set of the two supervisors can be disabled by either of them. However, if thecommon priority set is empty, then under the condition of controllability, co-observability isequivalent to observability with respect to each of the masks.We saw above that the operation of PSC of a pair of systems can be reduced to that ofSSC when the priority sets of the two systems exhaust the entire event set. We next provethat this is also the case when more than two systems are involved. We need the followinglemma:Lemma 4 Consider NSM's S1;S2 with priority sets B1; B2 respectively. Then(S1 B1kB2 S2)��B = S��B11 �k� S��B22 ;where B := B1 [ B2.Proof: The above lemma follows from the following series of equalities:S��B11 �k� S��B22 = (SB�B11 )��B �k� (SB�B22 )��B= [SB�B11 Bk��B det((��B)�)] �k� [SB�B22 Bk��B det((��B)�)]= [SB�B11 BkB SB�B22 ] Bk��B [det((��B)�) ��Bk��B det((��B)�)]= [SB�B11 BkB SB�B22 ] Bk��B det((��B)�)= [S1 B1kB2 S2]��B;where the �rst, second, and �nal equalities follow from de�nition of augmentation, and thethird equality follows from associativity of PSC.The following corollary is immediate from the above lemma:Corollary 4 Consider NSM's P;S1;S2 with priority sets A;B1; B2 respectively, such thatA [B1 [B2 = �. Then P AkB S = P��A �k� [S��B11 �k� S��B22 ];where B := B1 [ B2 and S := S1 B1kB2 S2.Proof: Since A [B = �, it follows from a PSC property [9, 30, 19] thatP AkB S = P��A �k� S��B :Thus the result follows from Lemma 4. 18

Remark 2 Corollary 4 shows that the operation of PSC of two or more systems can bereduced to that of SSC whenever the priority sets of all the systems jointly exhaust theentire event set. It also follows that under the hypothesis of Corollary 4L(P AkB S) = L(P��A) \ L(S��B11 ) \ L(S��B22 ): (2)Next we establish a relationship between controllability, observability, co-observabilityand PSC. In the following lemma we prove that if supervisors S1 and S2 are M1-compatibleand M2-compatible, respectively, and both generate (��;� � B) controllable languages,then the language of S1 B1kB2 S2 is (��;� � B)-controllable and (��; B1; B2;M1;M2){co-observable.Lemma 5 Consider deterministic state machines S1 and S2 with priority sets B1 and B2respectively. Suppose S1 and S2 are observation-compatible with respect to masks M1 andM2 respectively, and L(S1) as well as L(S2) are (��;��B) controllable, where B := B1[B2.Then L(S), where S := S1 B1kB2 S2, is (��; B1; B2;M1;M2){co-observable and (��;� �B)controllable.Proof: In order to see co-observability, pick s1; s2; t 2 L(S) and � 2 B, Since S1 and S2are deterministic, S is also deterministic. Let (x1s1; x2s1); (x1s2; x2s2); (x1t ; x2t ) denote the statesreached in S after execution of s1; s2; t, respectively, where the �rst coordinate denotes thestate reached in S1 and the second coordinate denotes the state reached in S2.In order to prove co-observability of L(S) we must consider the three di�erent cases of thede�nition of co-observability. First suppose � 2 B1 �B2, M1(s1) = M1(t), and s1� 2 L(S);we need to show that t� 2 L(S). Since � 2 B1 � B2 and s1� 2 L(S) it follows that � isde�ned at the state x1s1 of S1. Then using the result of Lemma 2 and the fact that S1 isM1-compatible, we obtain that � is also de�ned at the state x1t of S1; which implies thatt� 2 L(S). It can be argued in a similar manner that the second and third cases of thede�nition of co-observability also hold.In order to see controllability, consider s 2 L(S) and � 2 ��B. Let (x1s; x2s) be the statereached in S by execution of s. Then it follows from the controllability of L(S1) that � isde�ned at state x1s of S1. Hence s� 2 L(S).Given a language K, we use KBMi (i = 1; 2) to denote the in�mal pre�x-closed, (��;��B)-controllable and (��;Mi)-observable superlanguage of K, which exists as the control-lability and observability of pre�x closed languages is preserved under intersection. Thenotation KBM12 is used to denote the in�mal pre�x-closed, (��;� � B)-controllable and(��;M1;M2; B1; B2){co-observable superlanguage of K. The result of Lemma 5 can be usedto show that if S1 generates KBM1, S2 generates KBM2, then S generates KBM12. This westate in the following theorem:Theorem 3 Let M1;M2; B1; B2;KBM1;KBM2;KBM12 be as de�ned above. Suppose S1 andS2 are deterministic state machines with L(S1) = KBM1 and L(S2) = KBM2. Then L(S) =KBM12, where S := S1 B1kB2 S2 and B := B1 [B2.19

Proof: Since K � L(S1) and K � L(S2), it follows that K � L(S). Also, it followsfrom Lemma 5 that L(S) is controllable and co-observable. Thus L(S) is a pre�x-closed,controllable and co-observable superlanguage of K. Hence we have that KBM12 � L(S).In order to see the reverse containment, it su�ces to show that non-zero length strings ofL(S) are also in KBM12, as the zero length string � does belong to KBM12. Thus we need toshow that for any string t 2 KBM12 and an event � such that t� 2 L(S), t� 2 KBM12. If� 2 � �B, then it follows from the pre�x-closure and (��;� �B)-controllability of KBM12that t� 2 KBM12. On the other hand, if � 2 B, then we show that the following holds:(1) [� 2 B1 �B2]) [9s1 :M1(s1) = M1(t); s1� 2 pr(K)](2) [� 2 B2 �B1]) [9s2 :M2(s2) = M2(t); s2� 2 pr(K)](3) [� 2 B1\B2]) [9s1; s2 : M1(s1) = M1(t);M2(s2) =M2(t); s1�; s2� 2 pr(K)],as this together with (��; B1; B2;M1;M2){co-observability of KBM12 clearly implies thatt� 2 KBM12.We prove this using induction on length of t. We only prove that the case (1) holds, asthe proof for the other two cases is similar. In order to see the base step, set t = � (notethat we do have � 2 KBM12) and pick � 2 B1 �B2. Since t� = � 2 L(S) and � 2 B1 �B2,it follows from construction of S that � 2 L(S1) = KBM1. Since KBM1 is the in�mal pre�xclosed, (��;� � B)-controllable and (��;M1)-observable superlanguage of K, and � is notan uncontrollable event, it follows that there exists a string s1 such that s1� 2 pr(K) andM1(s1) = M1(t) = �. The other two cases of the base step can be proved analogously.In order to see the induction step set t = �t�� and pick � 2 B1�B2. Suppose �� 2 B1�B2.Then it follows from induction hypothesis that there exists �s1 such that s01 := �s1�� 2 pr(K)and M1(�s1) = M1(�t). Let (x1t ; x2t ); (x1s01; x2s01) denote the states reached in S after execution oft; s01, respectively, where the �rst coordinate denotes the state reached in S1 and the secondcoordinate denotes the state reached in S2. Since � 2 B1 �B2, we have that � is de�ned atstate x1t . Hence it follows from Lemma 2 and M1-compatibility of S1 that � is also de�nedat state x1s01 , which implies that s01� 2 L(S). Since s01 2 pr(K) � L(S1) and � 2 B1 � B2,we must have s01� 2 L(S1) = KBM1. Since KBM1 is the in�mal pre�x-closed controllableand observable superlanguage of K, and � is not an uncontrollable event, this implies thatthere exists s1 such that s1� 2 pr(K) and M1(s1) = M1(s01). Thus s1 is the desired string,as M1(s1) = M1(s01) = M1(t).Using the results derived in this section, we are now ready to present a necessary andsu�cient condition for decentralized supervision.Theorem 4 Consider A;B1; B2;M1;M2 as de�ned above with A [ B1 [ B2 = �. Let(Pm; P ) be the trajectory model of a plant, and K � L(P��A) be a nonempty language.Then there exist deterministic, non-marking, and M1-compatible supervisor with trajec-tory model (S1; S1) and M2-compatible supervisor with trajectory model (S2; S2) such thatL(P AkB S) = K, where S := S1 B1kB2 S2 and B := B1 [B2 if and only ifPre�x-closure: pr(K) = K, andControllability: pr(K)(� �B) \ L(P��A) � pr(K), andCo-observability: K is (L(P��A); B1; B2;M1;M2){co-observable.20

In this case Si (i = 1; 2) can be chosen to be det(KBMi), where KBMi is the in�mal pre�x-closed, (��;��B)-controllable and (��;Mi)-observable superlanguage of K.Proof: We begin by proving the necessity. Pre�x-closure and controllability conditionsfollow from the necessity part of [30, Theorem 4]. We need to show that the co-observabilitycondition also holds. It follows from hypothesis and Corollary 4 that K = L(P AkB S) =L(P��A)\L(S��B11 )\L(S��B22 ). Hence it su�ces to show that H := L(S��B11 )\L(S��B22 )is (��; B1; B2;M1;M2){co-observable. Pick s1; s2; t 2 H and � 2 �. We must consider thethree di�erent cases of the de�nition of co-observability. We only consider the �rst case, asthe other cases can be proved in a similar manner. Suppose � 2 B1 � B2, s1� 2 H andM1(s1) = M1(t). We need to show that t� 2 H. Since t 2 L(S��B22 ) and � 2 B1 � B2 �� � B2, t� 2 L(S��B22 ) trivially. It remains to show that t� 2 L(S��B11 ). This followsfrom the fact that S��B11 is M1-compatible (as S1 is M1-compatible and deterministic, andobservation-compatibility of deterministic systems is preserved under augmentation). Thiscompletes the proof of the necessity part.In order to see the su�ciency part select S1 := det(KBM1) and S2 := det(KBM2). Then S1and S2 are deterministic, S1 is M1-compatible and S2 is M2-compatible. It remains to showthat the controlled plant language equals K. From Theorem 3 we have that L(S) = KBM12,where KBM12 is the in�mal pre�x-closed, (��;��B)-controllable and (��; B1; B2;M1;M2){co-observable superlanguage ofK. Using arguments similar to those in Lemma 3 we can read-ily conclude that L(P��A)\L(S) is the in�mal pre�x-closed, (L(P��A);��B)-controllableand (L(P��A); B1; B2;M1;M2){co-observable superlanguage of K. Hence it follows from thepre�x-closure, controllability and co-observability conditions thatL(P��A) \ L(S) = K: (3)We need to show that we also have the following equality: H := L(P��A) \ L(S��B) = K.This follows from (3) and the fact that K is controllable as is shown next.Since L(S) � L(S��B), clearly, K � H. Suppose for contradiction that there exists astring s such that s 2 H �K. Let s be a minimal-length such string. Since � 2 K, we haves 6= �, which implies s = �s�, where �s 2 K and � 2 �. Since �s 2 K and �s� 62 K, it must bethe case that � 2 ��B. This is contradictory to the fact that K is controllable, as we have�s 2 K, � 2 ��B, �s� 2 H, which implies �s� 2 L(P��A); however, �s� 62 K. This completesthe proof.Remark 3 Note that the conditions of controllability and co-observability in Theorem 4are with regard to the language of the augmented plant, which depends on the trajectorymodel of the plant and cannot be inferred from the language model of the plant. Also, as isthe case of the necessity part of Theorem 2, the necessity part of Theorem 4 may not holdif the supervisors are nondeterministic.Finally, the result of Theorem 4 can be easily extended to obtain conditions for eitherlanguage model non-blocking or trajectory model non-blocking supervisors. In fact argu-ments similar to those given in Corollaries 2 and 3 can be used to show that language model21

nonblocking supervision would require the condition of relative-closure instead of that ofpre�x-closure, and a trajectory model nonblocking supervision would require the additionaltrajectory-closure condition.6 ConclusionIn this paper we have extended our earlier work on supervisory control of nondeter-ministic systems using prioritized synchronization as the mechanism of control and trajec-tory model as the modeling formalism to control under partial observation. The notion ofobservation-compatibility of trajectory models has been introduced, and necessary and suf-�cient conditions for the existence of observation-compatible supervisors have been obtainedfor centralized as well as decentralized supervision. Although these conditions are similar tothe standard conditions of controllability, observability, and co-observability found in litera-ture, they are di�erent, as they depend on the trajectory model as opposed to the languagemodel of the plant. Also, our work demonstrates the suitability of PSC based supervisordesign for nondeterministic systems under centralized as well as decentralized setting. Theseresults have been applied for the design of a supervisor that achieves a mutually exclusiveusage of a communication channel in a communication system.References[1] J. C. M. Baeten, J. A. Bergstra, and J. W. Klop. Ready-trace semantics for concreteprocess algebra with the priority operator. The Computer Journal, 30(6):498{506, 1987.[2] J. C. M. Baeten and W. P. Weijland. Process Algebra. Cambridge University Press,Cambridge, 1990.[3] S. Balemi. Input/output discrete event processes and communication delays. DiscreteEvent Dynamical Systems: Theory and Applications, pages 41{85, 1994.[4] S. Balemi, G. J. Ho�mann, P. Gyugyi, H. Wong-Toi, and G. F. Franklin. Supervisorycontrol of a rapid thermal multiprocessor. IEEE Transactions on Automatic Control,38(7):1040{1059, July 1993.[5] E. Chen and S. Lafortune. Dealing with blocking in supervisory control of discrete eventsystems. IEEE Transactions on Automatic Control, 36(6):724{735, 1991.[6] R. Cieslak, C. Desclaux, A. Fawaz, and P. Varaiya. Supervisory control of discreteevent processes with partial observation. IEEE Transactions on Automatic Control,33(3):249{260, 1988.[7] C. H. Golaszewski and P. J. Ramadge. Control of discrete event processes with forcedevents. In Proceedings of 26th IEEE Conference on Decision and Control, pages 247{251, Los Angeles, CA, 1987. 22

[8] M. Heymann. Concurrency and discrete event control. IEEE Control Systems Magazine,10(4):103{112, 1990.[9] M. Heymann and G. Meyer. Algebra of discrete event processes. Technical ReportNASA 102848, NASA Ames Research Center, Mo�ett Field, CA, June 1991.[10] C. A. R. Hoare. Communicating Sequential Processes. Prentice Hall, Inc., EnglewoodCli�s, NJ, 1985.[11] J. E. Hopcroft and J. D. Ullman. Introduction to Automata Theory, Languages andComputation. Addison-Wesley, Reading, MA, 1979.[12] K. Inan. An algebraic approach to supervisory control. Mathematics of Control, Signalsand Systems, 5:151{164, 1992.[13] K. Inan. Nondeterministic supervision under partial observations. In Guy Cohen andJean-Pierre Quadrat, editors, Lecture Notes in Control and Information Sciences 199,pages 39{48. Springer-Verlag, New York, 1994.[14] K. Inan and P. Varaiya. Finitely recursive process models for discrete event systems.IEEE Transactions on Automatic Control, 33(7):626{639, 1988.[15] K. Inan and P. Varaiya. Algebras of discrete event models. Proceedings of the IEEE,77(1):24{38, 1989.[16] R. Kumar, V. K. Garg, and S. I. Marcus. On controllability and normality of discreteevent dynamical systems. Systems and Control Letters, 17(3):157{168, 1991.[17] R. Kumar, V. K. Garg, and S. I. Marcus. On supervisory control of sequential behaviors.IEEE Transactions on Automatic Control, 37(12):1978{1985, December 1992.[18] R. Kumar and M. A. Shayman. Supervisory control of nondeterministic systems underpartial observation. In Proceedings of 1994 IEEE Conference on Decision and Control,Orlando, FL, December 1994. 3649-3654.[19] R. Kumar and M. A. Shayman. Non-blocking supervisory control of nondeterministicsystems via prioritized synchronization. IEEE Transactions on Automatic Control, 1995.Accepted.[20] F. Lin and W. M. Wonham. Decentralized supervisory control of discrete event systems.Information Sciences, 44:199{224, 1988.[21] F. Lin and W. M. Wonham. On observability of discrete-event systems. InformationSciences, 44(3):173{198, 1988.[22] F. Lin and W. M.Wonham. Decentralized control and coordination of discrete-event sys-tems with partial observation. IEEE Transactions of Automatic Control, 35(12):1330{1337, December 1990. 23

[23] R. Milner. A Calculus of Communicating Systems. Springer Verlag, 1980.[24] R. Milner. Communication and Concurrency. Prentice Hall, New York, 1989.[25] I. Phillips. Refusal testing. Theoretical Computer Science, 50:241{284, 1987.[26] P. J. Ramadge and W. M. Wonham. Supervisory control of a class of discrete eventprocesses. SIAM Journal of Control and Optimization, 25(1):206{230, 1987.[27] P. J. Ramadge and W. M. Wonham. The control of discrete event systems. Proceedingsof IEEE: Special Issue on Discrete Event Systems, 77:81{98, 1989.[28] K. Rudie and W. M. Wonham. The in�mal pre�x closed and observable superlanguageof a given language. Systems and Control Letters, 15(5):361{371, 1990.[29] K. Rudie and W. M. Wonham. Think globally, act locally: decentralized supervisorycontrol. IEEE Transactions on Automatic Control, 37(11):1692{1708, November 1992.[30] M. Shayman and R. Kumar. Supervisory control of nondeterministic systems withdriven events via prioritized synchronization and trajectory models. SIAM Journal ofControl and Optimization, 33(2):469{497, March 1995.[31] R. J. van Glabbeek. Comparative Concurrency Semantics, With Re�nement of Actions.PhD thesis, Free University of Amsterdam, 1990.[32] Y. Willner and M. Heymann. Supervisory control of concurrent discrete-event systems.International Journal of Control, 54(5):1143{1169, 1991.24