Non-blocking Supervisory Control ofNondeterministic Systems via PrioritizedSynchronization 1Ratnesh KumarDepartment of Electrical EngineeringUniversity of KentuckyLexington, KY 40506-0046Email: kumar@engr.uky.eduMark A. ShaymanDepartment of Electrical Engineering andInstitute for Systems ResearchUniversity of MarylandCollege Park, MD 20742Email: shayman@eng.umd.eduNovember 7, 19941This research was supported in part by the Center for Robotics and Manufacturing, Universityof Kentucky, in part by by the National Science Foundation under the Grants NSFD-CDR-8803012,NSF-ECS-9409712, NSF-ECS-9312587, the Minta Martin Fund for Aeronautical Research, and theGeneral Research Board at the University of Maryland.

AbstractIn a previous paper [15], we showed that supervisory control of nondeterministic dis-crete event systems, in the presence of driven events, can be achieved using prioritizedsynchronous composition as a mechanism of control, and trajectory models as a modelingformalism, �rst introduced by Heymann [4]. The speci�cations considered in [15] were givenby pre�x-closed languages. In this paper, we extend this work to to include markings sothat non-closed speci�cations and issues such as blocking can be addressed. It is shown thatthe usual notion of non-blocking, called language model non-blocking, may not be adequatein the setting of nondeterministic systems, and a stronger notion, called trajectory modelnon-blocking, is introduced. Necessary and su�cient conditions for the existence of languagemodel non-blocking as well as trajectory model non-blocking supervisors are obtained fornondeterministic systems in the presence of driven events in terms of extended controllabilityand relative-closure conditions, and a new condition called the trajectory-closure condition.Keywords: discrete event systems, supervisory control, nondeterministic automata, drivenevents, prioritized synchronization, trajectory models, blockingAMS (MOS) subject classi�cations: 68Q75, 93B25, 93C83

1 IntroductionDiscrete event systems are systems that involve quantities which take on a discreteset of values and which are constant except at discrete times when events occur in thesystem. Examples include communication networks, intelligent vehicle highway systems,manufacturing systems and computer programs. Supervisory control theory was developedto provide a mathematical framework for the design of controllers for such systems in orderto meet various qualitative constraints. A survey of this area (up to 1989) with extensivereferences may be found in [14].The majority of the research e�ort in this area has focused on the supervisory controlof deterministic systems, and relatively little progress has been made towards that of non-deterministic systems{systems in which knowledge of the current state and next event isinsu�cient to uniquely determine the next state. Such nondeterminism arises due to un-modeled system dynamics and/or partial observation. For example a change-giving machinemay give a di�erent combination of coins as change (for the same input amount) dependingon the sequence in which coins are loaded in the machine. However, for simplicity, this detailmay be suppressed while obtaining a model for the machine leading to a nondeterministicmodel of it. Similarly, a machine in a manufacturing systemmay incur a partial undetectablefailure while performing a certain task. This can be modeled by having a nondeterministictransition on the task completion event leading to two successor states depending on whetheror not the failure occurred while completing the task. Also, in a communication network, auser is only able to observe the external events such as transmission and reception of mes-sages, whereas the internal events such as loss or collision of messages, acknowledgments,etc., are not observed. Such internal events can be represented as silent or �-transitionsleading to a nondeterministic model of the communication network.In the Ramadge-Wonham approach to supervisory control, every event is generated bythe plant and synchronously executed by the supervisor [13] which acts passively by dis-abling certain controllable events possible in the open-loop plant. The disablement actionis accomplished by a control-input map which speci�es a set of disabled events based onthe current state of the supervisor. Alternatively, in the work of Kumar-Garg-Marcus [10],the disablement action is accomplished by removing certain transitions from the structureof the supervisor while continuing to require that the plant and supervisor be connected bystrict synchronous composition (SSC). In the work of Golaszewski-Ramadge [3] and, in thereal-time setting, the work of Brandin-Wonham [2], the supervisor is able to initiate certainso-called forcible events that the plant synchronously executes. In the work of Balemi andcoworkers [1], events can originate in the supervisor (so-called command events) or in theplant (so-called response events). The assumption is made that the plant and supervisor aremutually receptive, meaning that neither the plant nor the supervisor can refuse to executean event initiated by the other.Common to all of the above approaches is the assumption that there are never eventswhich may occur in the supervisor without the participation of the plant. However, thisassumption may be unreasonably restrictive for nondeterministic systems. When the plant1

is nondeterministic, there is generally no way to know a priori whether a command issuedby the supervisor can be executed by the plant in its current state. For example, it maybe impossible to know that a device is in a faulted state until after it fails to respond to acommand from the controller.Heymann has introduced an interconnection operator called prioritized synchronous com-position (PSC) [4], which relaxes the synchronization requirements between the plant andsupervisor. Each process in a PSC-interconnection is assigned a priority set of events. Foran event to be enabled in the interconnected system, it must be enabled in all processeswhose priority sets contain that event. Also, when an enabled event occurs, it occurs in eachsubsystem in which the event is enabled. In the context of supervisory control, the priorityset of the plant contains the controllable and uncontrollable events, while the priority set ofthe supervisor contains the controllable and driven events. Thus, controllable events requirethe participation of both plant and supervisor; uncontrollable events require the participa-tion of the plant and will occur synchronously in the supervisor whenever possible; drivenevents require the participation of the supervisor and will occur synchronously in the plantwhenever possible.It is important to distinguish between PSC and other types of parallel composition in theliterature. For example, Hoare [6] de�nes a concurrent composition operator in which eachprocess has its own alphabet and the processes synchronize on the events in the intersection oftheir alphabets. This is generalized to trace-dependent alphabets, called event-control sets,by Inan-Varaiya [8]. The key di�erence between concurrent composition and PSC is that inPSC, although a process cannot block events which are outside its priority set, it may beable to execute these events{and, whenever possible, will execute these events synchronouslywhen they occur in the other process1.Language models identify processes that have the same set of traces. The failures model ofHoare [6] identi�es processes that have the same set of so-called failures. Failure equivalencere�nes language equivalence. Heymann showed that failure equivalence is too coarse tosupport the PSC operator [4]. In other words, there exist two di�erent plants with thesame failures model (and hence with the same language model) such that their PSC's witha common supervisor have di�erent language models. Thus, neither the language modelnor even the failures model retains enough information about a process to do control designusing the operation of PSC.This has led Heymann to introduce the trajectory model, a re�nement of the failures model[4, 5]. The trajectory model is similar to the failure-trace model (also called the refusal-testingmodel) in concurrency theory [12], but di�ers from this model in its treatment of hiddentransitions. The trajectory model treats hidden transitions in a way that is consistent withthe failures model. In a previous paper [15], we proved that the trajectory model retainssu�cient process detail to permit PSC-based controller design.1If applied to so-called improper processes, the parallel operator de�ned by Inan [7] can be viewed asa generalized form of PSC, but only in the deterministic setting. However, when supervisory control isconsidered in this reference, the assumption is made that the plant is proper and has a constant eventcontrol set. This assumption excludes driven events. 2

In [15], we showed that supervisory control of nondeterministic discrete event systems, inthe presence of driven events, can be achieved using prioritized synchronous composition asa mechanism of control, and trajectory models as a modeling formalism. The speci�cationsconsidered in [15] were given by pre�x-closed languages. In this paper, we extend our earlierwork to include the notion of markings by introducing the notion of recognized and generatedtrajectory sets, so that non-closed speci�cations and issues such as blocking can be addressed.The usual notion of non-blocking, referred to as language model non-blocking in this pa-per, requires that each trace belonging to the generated language of a controlled system beextendable to a trace belonging to the recognized language. This property adequately cap-tures the notion of non-blocking in a deterministic setting. However, in a nondeterministicsetting, the execution of a certain trace belonging to the generated behavior may lead tomore than one state. Language model non-blocking only requires that each such trace beextendable to a trace in the recognized behavior from at least one such state{as opposedto all such states. Thus, a language model non-blocking nondeterministic system can dead-lock, as illustrated by the example in the next section. Consequently, there is a need for astronger type of non-blocking for nondeterministic systems. This leads us to introduce theproperty of trajectory model non-blocking, which requires that each refusal-trace belongingto the generated trajectory set of a nondeterministic system be extendable to a refusal-tracebelonging to the recognized trajectory set.Another desirable property of a supervisor is that it should be non-marking, i.e., a certaintrace (respectively, a refusal-trace) of the controlled system should belong to the recognizedlanguage (respectively, the recognized trajectory set) of the controlled system if and only ifa marked state of the uncontrolled system is reached due to its execution regardless of thetype of state reached in the supervisor. We �rst obtain a necessary and su�cient conditionfor the existence of a non-marking and language model non-blocking supervisor for a givennondeterministic system in the presence of driven events. This result is then used to obtaina necessary and su�cient condition for the existence of a non-marking and trajectory modelnon-blocking supervisor in that setting.2 A Motivating ExampleIn this section, we describe an example that illustrates some of the issues to beaddressed in this paper. Figure 1(a) gives a deterministic model for a plant in which partsarrive at a machine from a conveyor and are then processed. The incoming parts are of twotypes that di�er slightly in their widths. The standard width is the wider one. Events a1and a2 denote the arrival at the machine of wide and narrow parts respectively. Events b1and b2 denote the input into the machine of a part with the guides set to wide and narrowrespectively. The default setting of the guides is wide, but intervention by a controller canreset them to narrow. A wide part can only be input with the guides set to wide. A narrowpart can be input with either guide setting. However, input of a narrow part with theguides set to wide leads to the machine jamming{event d. If a part is input with the correctguide setting, then it can be successfully processed and output{event c. It is assumed that3

b2

b2

(a) deterministic plant

b

a dc

1

1

a b12 a

dbc

a

b1

2

2M (a ) = M (a ) := a

b1

(b) nondeterministic plant

1

a

ca

(c) closed-loop systemFigure 1: Diagram illustrating the example of Section 2a1; a2; c; d are uncontrollable events and that there is no sensor that can distinguish betweenthe two widths of incoming parts{i.e., the observation mask M(�) identi�es a1 and a2{sayM(a1) = M(a2) := a. A natural control speci�cation is that the supervised plant be non-blocking since this guarantees that continuous operation is possible.It is clear that the performance speci�cation cannot be met by any supervisor S of theRamadge-Wonham type that is consistent with the observation mask. To prevent blockingarising from the uncontrollable jamming event d, S would need to disable b1 following anyoccurrence of a2. However, since the mask cannot distinguish between a1 and a2, S wouldalso disable b1 following any occurrence of a1. But this would give a controlled plant thatwould deadlock with the arrival of the �rst wide part.Suppose we replace the event labels a1 and a2 by their common mask value a, therebyobtaining the nondeterministic system shown in Figure 1(b). By so identifying a1 anda2, the events are made indistinguishable from the viewpoints of speci�cation, control andobservation{whereas in the partially observed deterministic model, they are indistinguish-able only from the viewpoint of observation. For this system, however, the nondeterministicmodel is essentially equivalent to the partially observed one from the viewpoint of controlsince a1; a2 are uncontrollable and hence could not be distinguished in a supervisory controllaw. However, the non-blocking speci�cation implicitly distinguishes between a1 and a2 andconsequently forces the de�nition of a new type of non-blocking appropriate for nondeter-ministic systems.Let P denote the nondeterministic state machine (NSM) depicted in Figure 1(b), and letL(P); Lm(P) denote its generated and recognized languages respectively. ThenLm(P) = [a(b1+ b2)c]�; L(P) = pr[[a(b1 + b2)c]�ab1d];where pr(�) denotes the pre�x-closure operation. Having replaced the original partiallyobserved deterministic model with a completely observed nondeterministic model, let usconsider whether the speci�cation can be met by a supervisor of the Ramadge-Wonham type.The closed-loop nondeterministic systemQ obtained by disabling b1 following any occurrenceof a is depicted in Figure 1(c). Since L(Q) = pr((ab2c)�) = pr(Lm(Q)), the supervisor isnon-blocking from the language model point of view. However, this control design is clearly4

unsatisfactory since the closed-loop system can deadlock. After all, the nondeterministicplant model is derived from the partially observed deterministic plant model, and there isno non-blocking Ramadge-Wonham type supervisor for that model.The problem is that the usual language model de�nition of non-blocking given by L(P) =pr(Lm(P)) is not suitable for control speci�cations in a nondeterministic setting. This mo-tivates us to consider a stronger non-blocking requirement which we refer to as trajectorymodel non-blocking to distinguish it from the usual language model non-blocking condition.Using trajectory models for the plant and supervisor, and PSC as the mode of interconnec-tion, it is possible to design a supervisor so that the closed-loop system meets the strongernon-blocking requirement. The details are given in Section 5, Example 3.3 Notation and PreliminariesGiven a �nite event set �, �� is used to denote the collection of all traces, i.e., �nitesequences of events, including the zero length sequence, denoted by �. A subset of �� is calleda language. SymbolsH;K; etc. are used to denote languages. The set 2� � (� � 2�)� is usedto denote the collection of all refusal-traces, i.e., �nite sequences of alternating refusals andevents [5, 15] of the type: �0(�1;�1) : : : (�n;�n);where n 2 N . The sequence �1 : : : �n 2 �� is the trace, and for each i � n, �i � � is theset of events refused (if o�ered) at the indicated point. Symbols P;Q;R; S; etc. are used todenote sets of refusal-traces. Refusal-traces are also referred to as trajectories.Given s 2 ��, we use jsj to denote the length of s, and for each k � jsj, �k(s) 2 � isused to denote the kth event in s. If t 2 �� is another trace such that jtj � jsj and for eachk � jtj, �k(t) = �k(s), then t is said to be a pre�x of s, denoted t � s. For each k � jsj,sk denotes the pre�x of length k of s. The pre�x-closure of s 2 ��, denoted pr(s) � ��,is de�ned as pr(s) := ft 2 �� j t � sg. The pre�x-closure map can be de�ned for a set oftraces in a natural way.Given e 2 2� � (�� 2�)�, we use jej to denote the length of e, and for each k � jej,�k(e) � � is used to denote the kth refusal in e and �k(e) 2 � is used to denote the kthevent in e, i.e., e = �0(e)(�1(e);�1(e)) : : : (�k(e);�k(e)) : : : (�jej(e);�jej(e)):If f 2 2� � (�� 2�)� is another refusal-trace such that jf j � jej and for each k � jf j,�k(f) = �k(e) and �k(f) = �k(e), then f is said to be a pre�x of e, denoted f � e. Foreach k � jej, ek is used to denote the pre�x of length k of e. If f 2 2� � (�� 2�)� is suchthat jf j = jej and for each k � jf j, �k(f) � �k(e) and �k(f) = �k(e), then f is said to bedominated by e, denoted f v e.The pre�x-closure of e 2 2� � (�� 2�)�, denoted pr(e) � 2� � (� � 2�)�, is de�ned aspr(e) := ff 2 2� � (�� 2�)� j f � eg, and the dominance-closure of e, denoted dom(e) �2� � (�� 2�)�, is de�ned as dom(e) := ff 2 2� � (�� 2�)� j f v eg. The pre�x-closure5

and dominance-closure maps can be de�ned for a set of refusal-traces in a natural way.Given a refusal-trace e 2 2� � (� � 2�)�, the trace of e, denoted tr(e) 2 ��, is de�ned astr(e) := �1(e) : : : �jej(e). The trace map can be extended to a set of refusal-traces in a naturalway. Given a set of refusal-traces P � 2� � (�� 2�)�, we use L(P ) := tr(P ) to denote itsset of traces.Symbols P;Q;R; etc. are used to denote NSM's (with �-moves). Let the 5-tupleP := (XP ;�; �P; x0P;XmP )represent a discrete event system modeled as an NSM, where XP is the state set, � is the�nite event set, �P : XP�(�[f�g)! 2XP denotes the nondeterministic transition function2,x0P 2 XP is the initial state, and XmP � XP is the set of accepting or marked states. A triple(x1; �; x2) 2 XP � (� [ f�g) �XP is said to be a transition if x2 2 �P(x1; �). A transition(x1; �; x2) is referred to as a silent or hidden transition. We assume that the plant cannotundergo an unbounded number of silent transitions, i.e., P does not contain any cycle ofsilent transitions. The �-closure of x 2 XP , denoted ��P(x) � XP , is de�ned recursively asx 2 ��P(x); and x0 2 ��P(x)) �P(x0; �) � ��(x);and the set of refusal events at x 2 XP , denoted <P(x) � �, is de�ned as<P(x) := f� 2 � j �P(x0; �) = ;;8x0 2 ��P(x)g:In other words, given x 2 XP , ��P(x) is the set of states that can be reached from x on zero ormore �-moves, and <P(x) is the set of events that are unde�ned at each state in the �-closureof x.The transition function �P : X � (� [ f�g) ! 2XP is extended to the set of traces as��P : X � �� ! 2XP , which is de�ned inductively as:8x 2 XP : ( ��P(x; �) := ��P(x);8s 2 ��; � 2 � : ��P(x; s�) := ��P(�P(��P(x; s); �));where in the last inequality, the transition function �P : X � (� [ f�g) ! 2XP has beenextended to �P : 2XP � (� [ f�g) ! 2XP in a natural way. The transition function is alsoextended to the set of refusal-traces as �TP : X � (2� � (�� 2�)�) ! 2XP , which is de�nedinductively as:8x 2 XP : 8><>: 8�0 � � : �TP(x;�0) := fx0 2 ��P(x) j �0 � <P(x0)g;8e 2 2� � (�� 2�)�; � 2 �;�0 � � :�TP(x; e(�;�0)) := fx0 2 ��P(�P(�TP(x; e); �)) j �0 � <P(x0)g:In other words, a state x0 2 XP is reached by executing a zero-length refusal-trace �0 � �from a state x 2 XP if x0 can be reached in zero or more �-moves from x, and each event2� represents both an internal or unobservable event and an internal or nondeterministic choice [6, 11].6

in �0 is refused at x0. A state x0 2 XP is reached by executing a refusal-trace e(�;�0) 22� � (� � 2�)� from a state x 2 XP if x0 can be reached by executing the event � followedby zero or more �-moves from a state reached by executing the refusal-trace e from x, andeach event in �0 is refused at state x0.The extended transition functions are then used to obtain the language models and thetrajectory models of P as follows:L(P) := fs 2 �� j ��P(x0P ; s) 6= ;g; Lm(P) := fs 2 L(P) j ��P(x0P; s) \XmP 6= ;g;T (P) := fe 2 2� � (�� 2�)� j �TP(x0P ; e) 6= ;g; Tm(P) := fe 2 T (P) j �TP(x0P; e) \XmP 6= ;g:L(P); Lm(P); T (P); Tm(P) are called the generated language, recognized language, generatedtrajectory set, recognized trajectory set, respectively, of P. It is easily seen that L(Tm(P)) =Lm(P) and L(T (P )) = L(P). The pairs (Lm(P); L(P)) and (Tm(P); T (P)) are calledthe language model and the trajectory model, respectively, of P. Two language models(Km1 ;K1); (Km2 ;K2) are said to be equal, written (Km1 ;K1) = (Km2 ;K2), if Km1 = Km2 ;K1 =K2; equality of two trajectory models is de�ned analogously.4 Trajectory Models and Prioritized SynchronizationIt is clear that a language pair (Km;K) with Km;K � �� is a language model if andonly ifKm � K = pr(K) 6= ;.Next we obtain a necessary and su�cient condition for a given refusal-trace set pair tobe a trajectory model. This requires the de�nition of saturated refusal-traces. Given arefusal-trace set P � 2� � (�� 2�)�, we de�ne the saturation map on P by satP : P !2� � (�� 2�)� wheresatP (e) := �0(�1(e);�1) : : : (�jej;�jej); where8k � jej : �k := �k(e) [ f� 2 � j ek(�; ;) 62 dom(pr(P ))g:Thus if an event is not executable in P at a certain point of its refusal-trace e, then it isadded to the refusal set of e at that point to obtain satP (e). The saturated refusal-tracesof P , denoted Psat � P , is de�ned to be the set of �xed points of satP (�). Heymann-Meyerused an axiomatic characterization for de�ning a generated trajectory set. We proved in [15,Theorem 1] that these axioms are necessary and su�cient for a given refusal-trace set to bea generated trajectory set of some NSM:Theorem 1 [15, Theorem 1] Given a refusal-trace set P � 2� � (�� 2�)�, there exists anNSM P with generated trajectory set P , i.e., P = T (P), if and only if7

1. P 6= ;2. P = pr(P )3. P = dom(P )4. satP (P ) � P5. 8e 2 P : �k+1(e) 62 �k(e); k � jej � 1Corollary 1 If P is a generated trajectory set, then1. satP (�) is idempotent,2. Psat = satP (P ).Proof: Let e 2 P , e := satP (e), and k � jej = jej. We need to show that if � 62 �k(e),then g := ek(�; ;) 2 P . Since � 62 �k(e), f := ek(�; ;) 2 P by de�nition of satP (�). Since(satP (f))k = satP (ek) = ek, it follows that g v satP (f) 2 P by Theorem 1, Property 4.By Property 3, it follows that g 2 P , so satP (e) = e. The second claim is an immediateconsequence of the �rst.Remark 1 It follows easily from Corollary 1 that Properties 3 and 4 in Theorem 1 canbe replaced by the single property P = dom(Psat). In order to see this �rst suppose P =dom(Psat). Then P is dominance-closed, so we have P = dom(P ), i.e., T3 holds. Also, fromCorollary 1, satP (P ) = Psat � dom(Psat) = P , i.e., T4 holds. On the other hand, if T3 andT4 hold, then fromCorollary 1 and T4 we have Psat = satP (P ) � P . Hence it follows fromT3that dom(Psat) � dom(P ) = P . The reverse containment P � dom(Psat) = dom(satP (P ))follows from the de�nitions of the saturation map and the dominance-closure operation.The following result generalizes Theorem 1 to characterize those refusal-trace set pairsthat are trajectory models of NSM's. If �1; : : : ;�n are subsets of �, thenmin(�1;�2; : : : ;�n)denotes the set of minimal sets from among the given subsets with respect to the inclusionpartial order.Theorem 2 Given a pair of refusal-trace sets (Pm; P ) with Pm; P � 2� � (�� 2�)�, it isa trajectory model if and only ifT1: P 6= ;T2: P = pr(P )T3: P = dom(Psat)T4: 8e 2 P : �k+1(e) 62 �k(e); k � jej � 1T5: Pm = dom(Psat \ Pm)Proof: First suppose that (Pm; P ) is a trajectory model, i.e., there exists an NSM P :=(XP ;�; �P; x0P;XmP ) such that Tm(P) = Pm and T (P) = P . Then it follows from Theorem 1and Remark 1 that T1 through T4 hold. In order to show that T5 also holds, we �rstshow that Pm = dom(Pm), i.e., dom(Pm) � Pm. Pick e 2 dom(Pm), then there existsf 2 Pm such that e v f . Hence �TP(x0P ; e) � �TP(x0P; f), which implies that �TP(x0P ; e)\XmP �8

�TP(x0P; f)\XmP , which is nonempty since f 2 Pm. Thus e 2 Pm, so Pm = dom(Pm). Hence,dom(Psat\Pm) � dom(Pm) = Pm. It remains to show that Pm � dom(Psat\Pm). We showusing induction on length of refusal-traces that for each e 2 P and x 2 �TP(x0P; e), there existsf 2 Psat such that e v f and x 2 �TP(x0P; f). If jej = 0, then e = �0 � �. If x 2 �TP(x0P;�0),then x 2 ��P(x0P) and �0 � <P(x). Set f := <P(x); then clearly, f 2 Psat; e v f , andx 2 �TP(x0P; f). This proves the base step of induction. In order to prove the inductionstep, let e = �e(�;�0) 2 P , x 2 �TP(x0P; e). Then x 2 ��P(�P(�x; �)), where �x 2 �TP(x0P ; �e) and�0 � <P(x). Since T2 holds, e 2 P implies �e 2 P . Hence from induction hypothesis, thereexists �f 2 Psat such that �e v �f and �x 2 �TP(x0P ; �f). Set f := �f(�;<P(x)); then f 2 Psat; e v f ,and x 2 �TP(x0P; f). This proves the induction step. Hence it follows that given e 2 Pm, sothat there exists x 2 XmP with x 2 �TP(x0P; e), we can select f 2 Psat such that e v f andx 2 �TP(x0P; f), i.e., f 2 Psat \ Pm. Since e v f , this implies that e 2 dom(Psat \ Pm) asdesired.Next assume that T1 through T5 hold. We need to show that (Pm; P ) is a trajectorymodel, i.e., there exists an NSM P such that Tm(P) = Pm and T (P) = P . Consider theNSM P := (XP;�; �P ; x0P;XmP ) (refer to Remark 2 for an explanation), where� XP := Psat,� x0P := f� 2 � j ;(�; ;) 62 Pg,� XmP := Psat \ Pm,� �P : XP � (� [ f�g)! 2XP is de�ned as:1. 8e 2 Psat; � 2 � :�P(e; �) := ( e(�; f�0 2 � j e(�; ;)(�0; ;) 62 Pg) if e(�; ;) 2 P; otherwise;2 (a). 8�0 � � such that �0 2 Psat :�P(�0; �) := min(f�00 � � j �00 2 Psat;�0 � �00g);2 (b). 8e 2 2� � (�� 2�)�; � 2 �;�0 � � such that e(�;�0) 2 Psat :�P(e(�;�0); �) := fe(�;�00) j �00 2 min(f� � � j e(�; �) 2 Psat;�0 � �g)g:From [15, Lemma 1], it follows that x0P 2 Psat and for each e 2 Psat; � 2 �, �P(e; �) 2 Psatwhenever it is nonempty. Thus NSM P is well-de�ned. It follows from [15, Proposition 2]that T (P) = P . It remains to show that Tm(P) = Pm. By de�nition we have Tm(P) =fe 2 T (P) j �TP(x0P; e) \XmP 6= ;g. Since T (P) = P;XmP = Psat \ Pm, and for each e 2 P ,�TP(x0P; e) = ff 2 Psat j e v fg [15, Corollary 1], we haveTm(P) = fe 2 P j ff 2 Psat j e v fg \ (Psat \ Pm) 6= ;g= fe 2 P j ff 2 Psat \ Pm j e v fg 6= ;g= dom(Psat \ Pm)= Pm;where the last equality follows from T5. 9

Remark 2 In the proof of the su�ciency part of Theorem 2 the NSM P is constructedfrom a given refusal-trace set pair (Pm; P ) satisfying T1-T5 as follows: The state space ofP equals Psat, the set of saturated refusal-traces of P ; the marked states of P are thosesaturated refusal-traces which also belong to Pm; and the initial state of P is the (unique)minimal zero-length saturated refusal-trace of P . The state reached by executing a non-epsilon event � 2 � from a state e 2 Psat equals the minimal saturated refusal-trace ofthe type e(�;�0) dominating e(�; ;). The set of states reached by executing an epsilontransition from a zero-length refusal-trace �0 2 Psat = XP equals the set of minimal zero-length saturated refusal-traces dominating �0. Also, the set of states reached by executingan epsilon transition from a refusal-trace e(�;�0) 2 Psat = XP equals the set of minimalsaturated refusal-traces of the type e(�;�00) dominating e(�;�0).This NSM construction is the same as that given in [15, Algorithm 1] except that ac-cepting states are also de�ned. A construction procedure somewhat similar to the aboveconstruction was �rst given without any proof in [5]. Our construction has the advantagethat it avoids introduction of certain auxiliary states [15, Remark 3].The following result was obtained in the course of the proof of Theorem 2.Corollary 2 Let P := (XP ;�; �P; x0P;XmP ) be an NSM. Then for each e 2 T (P) and x 2�TP(x0P; e), there exists f 2 (T (P))sat such that e v f , x 2 �TP(x0P; f) and �jf j(f) = <P(x).The result of Theorem 2 is not a trivial generalization of Theorem 1. In fact for a languagemodel (Km;K), the pre�x-closure of the recognized language Km is the generated languageof an appropriate state machine provided Km is nonempty. The situation is di�erent fora trajectory model (Pm; P ). If Pm is nonempty, then its pre�x-closure, pr(Pm), satis�esproperties T1,T2,T4. However, pr(Pm) need not satisfy T3 in which case it cannot be thegenerated trajectory set of any NSM. (See Example 1 below.) The following result showsthat a generated trajectory set can be obtained by taking saturation closure.Proposition 1 Let Q be a nonempty refusal-trace set satisfying pr(dom(Q)) = Q and T4.Then R := dom(satQ(Q)) is a generated trajectory set.Proof: R is trivially nonempty and R = dom(R). Since Q is pre�x-closed and for eache 2 Q; k � jej, satQ(ek) = (satQ(e))k, R is pre�x-closed. Also, from the de�nition of satQ(�),T4 holds for R since it holds for Q. It remains only to show that satR(R) � R. SincesatR(�) is monotone (with respect to v) and R is dominance-closed, it su�ces to show thatsatR(satQ(Q)) � R.Let e 2 Q and let e := satQ(e). Then by de�nition, e 2 R. Thus in order to show thatsatR(e) 2 R, it su�ces to show satR(e) = e. We need to show that if there exist k; � suchthat � 62 �k(e), then ek(�; ;) 2 R. Since � 62 �k(e), it follows that f := ek(�; ;) 2 Q. Sincethe map satQ(�) commutes with the operation of taking the length-k pre�x, we haveek(�; ;) = (satQ(e))k(�; ;) = satQ(ek)(�; ;) v satQ(f) 2 R:This shows that satR(e) = e, completing the proof.10

Corollary 3 Let Pm be a nonempty recognized trajectory set. Then dom(satpr(Pm)(pr(Pm))is a generated trajectory set.Example 1 Consider the NSM P with � = fa; bg and unspeci�ed marking shown in Figure2(a); each state is labeled with the set of events that are refused at that state. Thus, P isε ε

a b{b} {a}

{a,b} {a,b}

ε ε

a b{b} {a}

{a,b} {a,b}

{}

{a,b} {a,b}

a b

{}

{a,b}

{b}

a

(b) NSM P Q(a) NSM (c) NSM RFigure 2: Diagram illustrating Example 1obtained from the nondeterministic choice between two deterministic subsystems{one thatexecutes a and deadlocks, the other that executes b and deadlocks. Then the generated tra-jectory set of P is given by P := T (P) = dom(pr(fe1; e2g)), where e1 := fbg(a; fa; bg); e2 :=fag(b; fa; bg). The saturated refusal-traces of P are given byPsat = f;; fag; fbg; e1; e2; e3; e4g;where e3 := ;(a; fa; bg); e4 := ;(b; fa; bg). Let Pm := dom(fe3g). Then dom(Pm \ Psat) =dom(fe3g) = Pm, so that the refusal-trace set pair (Pm; P ) satis�es T1-T5. Hence it followsfrom Theorem 2 that there exists a NSM Q such that T (Q) = P; Tm(Q) = Pm. Onechoice for Q is the canonical NSM described in the proof of Theorem 2, which is shown inFigure 2(b). However, there is no marking of the states of P for which Tm(P) = Pm. Thusa speci�cation of the marking information results in \re�nement" of the associated statemachine.Furthermore, if we consider P 0 := pr(Pm) = pr(dom(fe3g)) = f;g [ dom(fe3g), thenwe have satP 0(P 0) = pr(e1). Clearly, dom(satP 0(P 0)) = dom(pr(e1)) 6= P 0, i.e., T3 does nothold for P 0; consequently, it cannot be the generated trajectory set of any NSM. However,it follows from Corollary 3 that dom(satP 0(P 0)) = dom(pr(e1)) is a generated trajectory set.The NSM R shown in Figure 2(c) generates this trajectory set.Next we de�ne the notion of a deterministic trajectory model.De�nition 1 A trajectory model (Pm; P ) is said to be deterministic if there exists a deter-ministic state machine P := (XP ;�; �P; x0P;XmP ) such that Tm(P) = Pm and T (P) = P .11

An equivalent de�nition of a deterministic generated trajectory set was �rst given in [5,de�nition 12.4] (refer to Remark 3 below). Note that given a trajectory model, the tracemap can be used to obtain the associated language model. Conversely, given a languagemodel (Km;K), the trajectory map trjK : K ! 2� � (�� 2�)� can be used to obtain theassociated deterministic trajectory model:trjK(s) := �0(s)(�1(s);�1(s)) : : : (�jsj(s);�jsj(s)); where�k(s) := f� 2 � j sk� 62 Kg;8k � jsj:Thus the kth refusal-set in the refusal-trace trjK(s) is the set of events that are unexecutablein K after the pre�x of length k of s. Let det(K) := dom(trjK(K)) and detm(Km;K) :=dom(trjK(Km)).Proposition 2 Given a language model (Km;K), (detm(Km;K); det(K)) is the unique de-terministic trajectory model with language model (Km;K).Proof: From a standard result, there exists a deterministic state machine P such thatLm(P) = Km and L(P) = K. Let (Pm; P ) be the trajectory model of P. By [15, Proposition3], det(K) is the unique deterministic generated trajectory model with generated languageK, so P = det(K). It is clear from the de�nition of trjK that Psat = trjK(K). By T5, itfollows that Pm = dom(trjK(K) \ Pm). Thus, Km = L(Pm) = L(trjK(K) \ Pm), whichimplies that trjK(K) \ Pm = trjK(Km), so Pm = detm(Km;K).Remark 3 It follows from Proposition 2 and [5, Proposition 12.5] that the de�nition of adeterministic generated trajectory set given in [5, De�nition 12.4] and the de�nition givenabove are in fact equivalent.In the remainder of this section we give the de�nition of prioritized synchronous compo-sition (PSC) and study some of its properties. In [4, 5, 15], (PSC) of systems is used as themechanism of control. In this setting, each system is assigned a priority set of events. Whensystems are interconnected via PSC, an event can occur in the composite system only if itcan occur in each subsystem which has priority over it. In this way, a subsystem can preventthe occurrence of certain events, thereby implementing a type of supervisory control. Thefollowing de�nition of PSC of two NSM's extends the one introduced by Heymann in [4] bytaking into account the silent transitions and the notion of marking. A less general extensionwhich does not consider the notion of marking was given by us in [15, De�nition 9].De�nition 2 Let P := (XP ;�; �P; x0P;XmP );Q := (XQ;�; �Q; x0Q;XmQ ) be two NSM's havingpriority sets A;B � � respectively. The PSC of P and Q is another NSM which is denotedby P AkB Q := R := (XR;�; �R; x0R;XmR );where XR = XP �XQ; x0R = (x0P ; x0Q);XmR = XmP �XmQ , and the state transition function�R : XR � (� [ f�g)! 2XR is de�ned as: 12

8xr = (xp; xq) 2 XR :8� 2 � : �R(xr; �) := 8>>><>>>: �P(xp; �)� �Q(xq; �) if �P(xp; �); �Q(xq; �) 6= ;�P(xp; �)� fxqg if �P(xp; �) 6= ;; � 2 <Q(xq); � 62 Bfxpg � �Q(xq; �) if �Q(xq; �) 6= ;; � 2 <P(xp); � 62 A; otherwise;�R(xr; �) := [�P(xp; �) [ fxpg]� [�Q(xq; �) [ fxqg]� f(xp; xq)g:Thus an event is executed synchronously whenever both systems can participate; however,it can occur asynchronously whenever one of the systems can participate and the secondsystem refuses it but has no priority over it.For notational convenience, given �0;�1;�2;�00 � �, we de�ne�0 �1N�2 �00 := (�0 \ �00) [ (�0 \ �1) [ (�00 \ �2):Given generated trajectory sets P;Q, the PSC of a pair of trajectories ep 2 P; eq 2 Q was�rst given in [5, De�nition 13.1], which was made precise in [15, De�nition 10] as follows:De�nition 3 Let P;Q be generated trajectory sets with ep 2 P; eq 2 Q. Then the PSC ofep and eq (with respect to P and Q), denoted ep AkB eq, is de�ned inductively on jepj+ jeqjas follows:8�p;�q � � such that �p 2 P;�q 2 Q :�p AkB �q := f�0 � �p ANB �qg;8ep 2 P ; eq 2 Q;�p; �q 2 �;�p;�q � � such that ep(�p;�p) 2 P; eq(�q;�q) 2 Q :ep(�p;�p) AkB eq(�q;�q) := T1 [ T2 [ T3;whereT1 := 8>>><>>>: fe(�p;�0) j e 2 ep AkB eq(�q;�q); �0 � �p ANB �qg if �p 62 B andeq(�q;�q)(�p; ;) 62 Q; otherwiseT2 := 8>>><>>>: fe(�q;�0) j e 2 ep(�p;�p) AkB eq; �0 � �p ANB �qg if �q 62 A andep(�p;�p)(�q; ;) 62 P; otherwiseT3 := 8><>: fe(�;�0) j e 2 ep AkB eq; �0 � �p ANB �qg if �p = �q := �; otherwise13

It should be noted that ep AkB eq is a set of refusal-traces that depends on the generatedtrajectory sets P;Q as well as on the particular trajectories ep; eq. The dependence on P;Qis not explicitly indicated in the notation.The PSC of two zero-length refusal-traces �p 2 P and �q 2 Q is obtained by computing�p ANB �q = (�p\�q)[ (�p\A)[ (�q\B), i.e., an event is refused in the composed systemif either it is refused in both the systems, or it is refused in a system which has priority overthat event. Next the PSC of two refusal-traces ep(�p;�p) 2 P and eq(�q;�q) 2 Q is obtainedby considering these three possible cases: (i) a refusal-trace belonging to ep AkB eq(�q;�q)has already been executed in the composed system, and at this point, �p is executable in P(indicated by ep(�p;�p) 2 P ), the occurrence of �p cannot be blocked byQ (indicated by �p 62B), and Q cannot participate in the occurrence of �p (indicated by eq(�q;�q)(�p; ;) 62 Q);(ii) a refusal-trace belonging to ep(�p;�p) AkB eq has already been executed in the composedsystem, and at this point, �q is executable in Q, and P can neither block the occurrence of�q, nor it can participate in the occurrence of �q; (iii) �p = �q := �; a refusal-trace belongingto ep AkB eq has already been executed in the composed system, and at this point, � isexecutable in both P and Q.Using the de�nition of PSC of refusal-traces, we next de�ne the PSC of trajectory models.De�nition 4 Let (Pm; P ); (Qm; Q) be trajectory models with priority sets A;B � � re-spectively. The PSC of (Pm; P ) and (Qm; Q), denoted (Pm; P ) AkB (Qm; Q), is the pair ofrefusal-trace sets (Rm; R), whereRm := [ep2Pm;eq2Qm ep AkB eq; R := [ep2P;eq2Q ep AkB eq;where ep AkB eq is with respect to P;Q in the de�nitions of both Rm and R.We will use the notation (Pm AkB Qm; P AkB Q) for (Pm; P ) AkB (Qm; Q). However, it mustbe kept in mind that Pm AkB Qm implicitly depends on P and Q. The following theo-rem proves that the trajectory model retains su�cient system detail to support prioritizedsynchronous composition.Theorem 3 Let P;Q be NSM's and A;B � �. Tm(P) AkB Tm(Q) = Tm(P AkB Q) andT (P) AkB T (Q) = T (P AkB Q).Proof: The fact that T (P) AkB T (Q) = T (P AkB Q) is proved in [15, Theorem 2]. Fornotational convenience, let R := P AkB Q; we �rst prove that Tm(R) � Tm(P) AkB Tm(Q).Pick e 2 Tm(R). Then e 2 T (R), and there exists xr = (xp; xq) 2 �TR(x0R; e) \ XmR =�TR(x0R; e) \ (XmP �XmQ ): It follows from [15, Corollary 5] that given e and xr, there existsep 2 T (P) and eq 2 T (Q) such thate 2 ep AkB eq and xr 2 �TP(x0P ; ep)� �TQ(x0Q; eq): (1)It follows that �TP(x0P; ep)\XmP 6= ; and �TQ(x0Q; eq)\XmQ 6= ;. This implies that ep 2 Tm(P)and eq 2 Tm(Q), proving that e 2 Tm(P) AkB Tm(Q).14

Next we prove that Tm(P) AkB Tm(Q) � Tm(R). Pick e 2 Tm(P) AkB Tm(Q). Thenthere exist ep 2 Tm(P) and eq 2 Tm(Q) such that e 2 ep AkB eq. Since ep 2 T (P) andeq 2 T (Q), it follows from [15, Corollary 5] that �TP(x0P ; ep) � �TQ(x0Q; eq) � �R(x0R; e). Thisimplies that [�TP(x0P; ep) \XmP ]� [�TQ(x0Q; eq) \XmQ ] � �TR(x0R; e) \XmR : (2)Since ep 2 Tm(P) and eq 2 Tm(Q), we have �TP(x0P ; ep) \XmP 6= ; and �TQ(x0Q; eq) \XmQ 6= ;.Thus, Equation 2 implies that �TR(x0R; e) \XmR 6= ;, so e 2 Tm(R).Next we prove the associative property of PSC. It is immediate from De�nition 2 thatgiven NSM's P;Q with priority sets A;B � � respectively, the following holds for for eachxr = (xp; xq) 2 XR, where R := P AkB Q:<R(xr) = <P(xp) ANB <Q(xq) = [<P(xp) \ <Q(xq)] [ [<P(xp) \A] [ [<Q(xq) \ B]:Theorem 4 Let P;Q;R be NSM's and A;B;C � �. Then(P AkB Q) A[BkC R = P AkB[C (QBkC R):Proof: Let S1 := (P AkB Q) A[BkC R, and S2 := P AkB[C (QBkC R). Then it followsfrom De�nition 2 that XS1 = XS2 = XP � XQ � XR := XS , x0S1 = x0S2 = (x0P; x0Q; x0R),XmS1 = XmS2 = XmP �XmQ �XmR , and for each xs = (xp; xq; xr) 2 XS :�S1(xs; �) = �S2(xs; �) = [�P(xp; �) [ fxpg]� [�Q(xq; �) [ fxqg]� [�R(xr; �) [ fxqg]� fxsg:It remains to show that for each xs = (xp; xq; xr) 2 XS and � 2 �:�S1(xs; �) = �S2(xs; �): (3)It follows from De�nition 2 that�S1(xs; �) =8>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>:

�P(xp; �)� �Q(xq; �)� �R(xr; �) if �P(xp; �); �Q(xq; �); �R(xr; �) 6= ;�P(xp; �)� fxqg � �R(xr; �) if �P(xp; �); �R(xr; �) 6= ;; � 2 <Q(xq);� 62 Bfxpg � �Q(xq; �)� �R(xr; �) if �Q(xq; �); �R(xr; �) 6= ;; � 2 <P(xp);� 62 A�P(xp; �)� �Q(xq; �)� fxrg if �P(xp; �); �Q(xq; �) 6= ;; � 2 <R(xr);� 62 C�P(xp; �)� fxqg � fxrg if �P(xp; �) 6= ;; � 2 <Q(xq) \ <R(xr);� 62 B [ Cfxpg � �Q(xq; �)� fxrg if �Q(xq; �) 6= ;; � 2 <P(xp) \ <R(xr);� 62 A [ Cfxpg � fxqg � �R(xr; �) if �R(xr; �) 6= ;; � 2 <P(xp) \ <Q(xq);� 62 A [B; otherwise15

An expression for �S2(xs; �) can be analogously obtained. Note that in the �fth clauseof the expression for �S1(xs; �), the condition � 2 <Q(xq) \ <R(xr) and � 62 B [ C isequivalent to � 2 <Q(xq)BNC <R(xr) and � 62 B [ C. Similarly, in the sixth clause of theexpression for �S1(xs; �), the condition � 2 <P(xp) \ <R(xr) and � 62 A [ C is equivalentto � 2 <P(xp) ANC <R(xr) and � 62 A [ C. If similar simpli�cations in the clauses of theexpression for �S2(xs; �) are performed, then Equation 3 is easily proved.Appendix A lists some of the corollaries of Theorems 3 and 4. We conclude this sectionby extending the notion of augmentation �rst introduced in [15, Subsection 5.2]. Note thatsince an event that belongs to the priority set of a single system can occur asynchronously,if we augment the other system by adding self-loops on such events, then the operation ofprioritized synchronization can be reduced to that of strict synchronization provided thepriority sets of the two systems exhaust the entire event set. Thus augmentation is a usefulnotion. Formally, augmentation of an NSM with a given event set D � � is its PSC withthe NSM D := (fx0Dg;�; �D; x0D; fx0Dg), the transition function of which is de�ned as:8� 2 � [ f�g; �D(x0D; �) := ( fx0Dg if � 2 D; otherwise:In other words, D is a deterministic state machine consisting of a single marked state havingself-loops on events in D � �. It is clear that Lm(D) = L(D) = D� and Tm(D) = T (D) =det(D�).De�nition 5 Given an NSM P := (XP ;�; �P; x0P;XmP ) and D � �, the augmented NSMwith respect to D, denoted PD, is de�ned to be PD := P ;k; D. Given a trajectory model(Pm; P ), the augmented trajectory model with respect to D, denoted (Pm; P )D, is de�ned tobe (Pm; P )D := (Pm; P ) ;k; (det(D�); det(D�)):It follows from the above de�nition that the augmented NSM PD is obtained by addingself-loops at each state of P on those events in D that are refused at that state, i.e., PD :=(XP ;�; �PD; x0P;XmP ), where the transition function is de�ned as:8x 2 XP ; � 2 � [ f�g : �PD(x; �) := 8><>: �P(x; �) if �P(x; �) 6= ;fxg if � 2 D \ <P(x); otherwiseUsing ((Pm)D; PD) to denote (Pm; P )D, we have (Pm)D = Pm ;k; det(D�) and PD =P ;k; det(D�). As is always the case with the PSC of recognized trajectory sets, the ex-pression for (Pm)D implicitly depends on the corresponding generated trajectory sets P anddet(D�). Clearly the trajectory model (Tm(PD); T (PD)) of the augmented NSM PD is equalto ((Tm(P))D; (T (P))D). Also, since det(D�) can always execute every event in D and cannever execute any event in � �D, it follows that given any trajectory model (Pm; P ), anyA � ��D, and any B � D(Pm)D := Pm ;k; det(D�) = Pm AkB det(D�),PD := P ;k; det(D�) = P AkB det(D�).16

Next we show that the PSC of two systems is equivalent to the strict synchronous com-position (over the union of the two priority sets) of the associated augmented systems.Proposition 3 Let (Pm; P ); (Qm; Q) be trajectory models, and A;B � �. Then1. Pm AkB Qm = (Pm)B�A A[BkB Qm = (Pm)B�A A[BkA[B (Qm)A�B,2. P AkB Q = PB�A A[BkB Q = PB�A A[BkA[B QA�B.Proof: We only prove the �rst part; the second part can be proved analogously. Again,we only prove the �rst equality as the second equality follows from symmetry and a secondapplication of the �rst equality. From the de�nition of augmentation and associativity ofPSC (Corollary 8), we have(Pm)B�A A[BkB Qm = (Pm AkB�A det((B �A)�)) A[BkB Qm= det((B �A)�)B�AkA[B (Pm AkB Qm)= Pm AkB Qm;where the last equality follows from the two facts: (i) The priority set of Pm AkB Qm isA[B, and B�A � A[B, so det((B�A)�) cannot execute an event that Pm AkB Qm doesnot execute. (ii) det((B � A)�) can always execute each event in its priority set, so that itcannot block any event in Pm AkB Qm.5 Supervisory Control Using PSCSupervisory control theory for nondeterministic systems in the setting of trajectorymodels and PSC proposed by Heymann [4] and Heymann-Meyer [5] was rigorously developedin our previous work [15]. In this work, all refusal-traces of the plant were consideredmarked and the desired behavior was speci�ed by a pre�x-closed language; thus the issue ofdeadlock/blocking was not investigated. In this section, we generalize the results in [15] toinclude non-closed speci�cations and arbitrary marking of the plant refusal-traces.Since trajectory models contain su�cient detail to support the operation of prioritizedsynchronization, we use trajectory models, rather than NSM's, to represent a discrete eventsystem. Unless otherwise speci�ed, the trajectory model of the plant and that of the su-pervisor are denoted by (Pm; P ) and (Sm; S), and the priority set of the plant and that ofthe supervisor are denoted by A and B respectively. The controlled (or closed-loop) systemis (Pm; P ) AkB (Sm; S). In certain situations, a plant may consist of several \sub-plants"operating in prioritized synchrony. In such a case, if (Pmi ; Pi) is the trajectory model of theith sub-plant, and Ai � � is its priority set, then the trajectory model of the composed plantis given by (Pm; P ) := (kAiPmi ; kAiPi), where the notation (kAiPmi ; kAiPi) is used to denotethe PSC of sub-plants f(Pmi ; Pi)g. (Since PSC is associative (Corollary 8), (kAiPmi ; kAiPi) iswell de�ned, and it follows from Corollary 5 that it is a trajectory model.) The priority setof the composed plant is given by A := [iAi.17

In the setting of supervisory control, A = �u [ �c, where �u;�c � � denote the sets ofuncontrollable and controllable events respectively [13, 14]; and B = �c [ �d, where �d � �denotes the set of so-called driven [4] or forcible [3, 2] or command events [1]. By de�nition�u;�c and �d are pairwise disjoint and exhaust the entire event set, i.e., A [ B = �. Sincecontrollable events belong to the common priority set, they cannot occur solely in the plant orin the supervisor. This is consistent with the de�nition of controllable events in Ramadge-Wonham theory [13] where although they originate in the plant, their execution requiresenablement by the supervisor. Only the plant has priority over the uncontrollable events,so they can occur whenever the plant can participate. Again this is consistent with thede�nition of uncontrollable events in Ramadge-Wonham theory where uncontrollable eventsare always enabled by the supervisor. Driven events are \dual" to uncontrollable events.Only the supervisor has priority over them, so they can occur whenever the supervisor isable to execute them, regardless of whether the plant can participate.We begin by de�ning the notions of non-markingness and non-blockingness which aredesirable properties of supervisors. Informally, a supervisor is said to be non-marking ifit does not \a�ect" the marking status of a certain refusal-trace, i.e., if the execution of acertain refusal-trace of a controlled plant leads to a marked state of the plant, then regardlessof the type of state reached in the supervisor that refusal-trace should be a marked refusal-trace of the controlled plant. On the other hand, a supervisor is said to be non-blocking if itis always possible to reach a marked state of the controlled plant from any of its other states,i.e., the controlled system does not get \blocked" in one of its states that is not marked.De�nition 6 Given a plant (Pm; P ) with priority set A � �, a supervisor, with trajectorymodel (Sm; S) and priority set B � �, is said to be non-marking if Sm = S; it is said tobe language model non-blocking if pr(L(Pm AkB Sm)) = L(P AkB S); and it is said to betrajectory model non-blocking if pr(Pm AkB Sm) = P AkB S.Note that if a supervisor is trajectory model non-blocking, then it is also language modelnon-blocking. On the other hand, if a plant as well as a supervisor are deterministic, and thesupervisor is language model non-blocking, then it is also trajectory model non-blocking.Remark 4 It must be kept in mind that although trajectory model non-blocking is astronger notion than language model non-blocking, it is possible to have a system whichis trajectory model non-blocking yet it \blocks". Consider for example a simple NSM withevent set � = fag and consisting of three states, in which there is nondeterministic transitionon event a from the initial marked state to the other two states, only one of which is marked;no other transition is de�ned. Then the recognized as well as generated trajectory set ofthis NSM is given by pr(dom(;(a; fag)). Consequently, it is trajectory model non-blocking.However, after executing the event a in its initial state, the system can reach an unmarkedstate from which no marked state is reachable.Thus the notion of trajectory model non-blocking is not adequate when a \blocking" aswell as a \non-blocking" state is reachable by the execution of the same set of refusal-traces.However, in a practical setting this is unlikely, as whenever a \blocking" and a \non-blocking"18

state is reached by the execution of the same trace due to the presence of nondeterminism,we expect the refusal-sets at the two states to be di�erent (as they are physically di�erentstates), so it is not possible to reach the two states by the same set of refusal-traces.Next we obtain a necessary and su�cient condition for the existence of a non-markingand language model non-blocking supervisor. This result is then used to obtain a necessaryand su�cient condition for the existence of a non-marking and trajectory model non-blockingsupervisor.Theorem 5 Let (Pm; P ) be the trajectory model of a plant, A;B � � with A [ B = �,and Km � L((Pm)��A) with Km 6= ;. Then there exists a non-marking and language modelnon-blocking supervisor with trajectory model (S; S) such that L(Pm AkB S) = Km if andonly ifRelative-closure: pr(Km) \ L((Pm)��A) = KmControllability: pr(Km)(A�B) \ L(P��A) � pr(Km):In this case, S can be chosen to be det(pr(Km)).Proof: We begin with the proof for necessity. Suppose there exists a non-marking and lan-guage model non-blocking supervisor with trajectory model (S; S) such that L(Pm AkB S) =Km. Then pr(Km) = pr(L(Pm AkB S)) = L(P AkB S); (4)where the last equality follows from the supervisor being language model non-blocking. Itfollows from De�nitions 4 and 5 that (Pm)��A � P��A, which implies that pr(Km) �pr(L((Pm)��A)) � L(P��A). Hence it follows from the necessity part of [15, Theorem 4]that pr(Km)(A � B) \ L(P��A) � pr(Km){i.e., the controllability property is satis�ed. Itremains to show that the relative-closure property is also satis�ed. We have the followingseries of equalities:pr(Km) \ L((Pm)��A) = L(P AkB S) \ L((Pm)��A)= L((P AkB S) �kA Pm)= L((P AkA Pm) AkB S)= L((P AkA Pm)��A) \ L(S��B); (5)where the �rst equality follows from Equation 4, the second equality follows from Corollary7 and Proposition 3, the third equality follows from associativity of PSC (Corollary 8), andthe �nal equality follows from Corollary 7. On the other hand, we haveKm = L(Pm AkB S) = L((Pm)��A) \ L(S��B); (6)where the last equality follows from Proposition 3 and Corollary 7. It follows from Equations5 and 6 that in order to show that the relative-closure property is satis�ed, it su�ces to show19

L((P AkA Pm)��A) = L((Pm)��A). We haveL((P AkA Pm)��A) = L((P AkA Pm) Ak��A det((��A)�))= L(P Ak� (Pm Ak��A det((��A)�)))= L(P Ak� (Pm)��A)= L(P��A) \ L((Pm)��A)= L((Pm)��A);where the �rst and third equalities follow from the de�nition of augmentation, the secondequality follows from the associativity of PSC (Corollary 8), and the fourth equality followsfrom Proposition 3. This completes the proof of necessity.Next we prove su�ciency. Suppose the relative-closure and controllability properties aresatis�ed. Then it follows from the su�ciency part of [15, Theorem 4] that the non-markingdeterministic supervisor with trajectory model (S; S), where S := det(pr(Km)), yieldsL(P AkB S) = pr(Km); (7)and Sm is arbitrary. We select Sm = S, so the supervisor is non-marking. It follows fromEquation 7 that pr(Km) = L(P��A) \ L(S��B): (8)Using the relative-closure property gives the following series of equalities:Km = pr(Km) \ L((Pm)��A)= [L(P��A) \ L(S��B)] \ L((Pm)��A)= L((Pm)��A) \ L(S��B)= L(Pm AkB S):Since pr(Km) = L(P AkB S) and Km = L(Pm AkB S), the supervisor is language modelnon-blocking.Remark 5 In contrast to the standard conditions [13] for the existence of a non-markingand language model non-blocking supervisor in the absence of driven events, the control-lability and relative-closure conditions given in Theorem 5 refer to the language model ofthe augmented plant. It is easily demonstrated [15, Example 2] that this language modeldepends on the trajectory model of the plant and generally cannot be determined if only thelanguage model of the plant is known.We now obtain necessary and su�cient conditions for the existence of a deterministicnon-marking and trajectory model non-blocking supervisor that imposes a desired closed-loop recognized language. The following preliminary results are needed.Lemma 1 [15, Lemma 6] Let P;Q be generated trajectory sets, A;B � �; fp; ep 2P; fq; eq 2 Q, with fp v ep; fq v eq. Then fp AkB fq � ep AkB eq:20

Lemma 2 Let (Pm; P ) be a trajectory model, ; 6= H = pr(H) � ��, and K := L(P ) \H.Then1. P �k� det(H) = P �k� det(K),2. Pm �k� det(H) = Pm �k� det(K).Proof: By T3, every refusal-trace in a generated trajectory set is dominated by a saturatedtrajectory. By T5, every refusal-trace in a recognized trajectory set is dominated by a satu-rated marked trajectory. By Lemma 1, it su�ces to show that for any saturated trajectoriese 2 P (respectively, e 2 Pm), f 2 det(H), g 2 det(K), we havee �k� f � P �k� det(K) (respectively, Pm �k� det(K)) (9)e �k� g � P �k� det(H) (respectively, Pm �k� det(H)): (10)The left side of Equation 9 is empty unless tr(e) = tr(f) 2 K, while the left side of Equation10 is empty unless tr(e) = tr(g) 2 K. Thus, to establish Equations 9 and 10, it su�ces toshow that for e 2 Psat with tr(e) := t 2 K, f := trjH(t); g := trjK(t), we havee �k� f = e �k� g: (11)We have for each k � jtj, � 2 �k(f) (respectively, � 2 �k(g)) if and only if tk� 62 H(respectively, tk� 62 K). It follows from De�nition 3 thate �k� f = fh 2 2� � (�� 2�)� j tr(h) = t;�k(h) � �k(e) [ �k(f); k = 0; : : : ; jtjg;e �k� g = fh 2 2� � (�� 2�)� j tr(h) = t;�k(h) � �k(e) [ �k(g); k = 0; : : : ; jtjg:Thus, to establish Equation 11, it su�ces to show that�k(e) [ �k(f) = �k(e) [ �k(g); k = 0; : : : ; jtj: (12)Since K � H, it follows that �k(f) � �k(g). On the other hand, if � 2 �k(g)��k(e), thentk� 62 K and, since e 2 Psat, it follows that ek(�; ;) 2 P , so tk� 2 L(P ). Hence, tk� 62 H, so� 2 �k(f) proving Equation 12.Proposition 4 Let (Pm; P ) be the trajectory model of a plant, A;B � � with A[B = �,and Km � L((Pm)��A) with Km 6= ;. If (S; S) is any non-marking language model non-blocking deterministic supervisor with L(Pm AkB S) = Km, thenP AkB det(pr(Km)) = P AkB S; (13)Pm AkB det(pr(Km)) = Pm AkB S: (14)Proof: It follows that the relative-closure and controllability conditions in Theorem 3hold, and hence that (det(pr(Km)); det(pr(Km))) is a non-marking and language modelnon-blocking supervisor with L(Pm AkB det(pr(Km))) = Km. Thus,pr(Km) = L(P AkB det(pr(Km))) = L(P��A) \ L((det(pr(Km)))��B):21

This together with Lemma 2 givesP��A �k� (det(pr(Km)))��B = P��A �k� det(pr(Km)); (15)(Pm)��A �k� (det(pr(Km)))��B = (Pm)��A �k� det(pr(Km)): (16)Since (S; S) is language model non-blocking,pr(Km) = L(P AkB S) = L(P��A) \ L(S��B):Hence it follows from Lemma 2 and the fact that S��B is deterministic thatP��A �k� S��B = P��A �k� det(pr(Km)); (17)(Pm)��A �k� S��B = (Pm)��A �k� det(pr(Km)): (18)From Equations 15-18 we haveP��A �k� (det(pr(Km)))��B = P��A �k� S��B;(Pm)��A �k� (det(pr(Km)))��B = (Pm)��A �k� S��B:This implies Equations 13-14.Theorem 6 Let (Pm; P ) be the trajectory model of a plant, A;B � � with A[B = �, andKm � L((Pm)��A) with Km 6= ;. Then there exists a non-marking and trajectory modelnon-blocking deterministic supervisor with trajectory model (S; S) such that L(Pm AkB S) =Km if and only ifRelative-closure: pr(Km) \ L((Pm)��A) = KmControllability: pr(Km)(A�B) \ L(P��A) � pr(Km)Trajectory-closure: P AkB det(pr(Km)) = pr[Pm AkB det(pr(Km))].In this case, S can be chosen to be det(pr(Km)).Proof: We �rst prove the su�ciency. Since the relative-closure and controllability conditionshold, it follows from the su�ciency part of Theorem 5 that the non-marking deterministicsupervisor (S; S), where S := det(pr(Km)), yields L(Pm AkB S) = Km and L(P AkB S) =pr(Km). It follows from the trajectory-closure condition that the supervisor is also trajectorymodel non-blocking.Next we prove the necessity. Suppose there exists a non-marking and trajectory modelnon-blocking deterministic supervisor with trajectory model (S; S) such that L(Pm AkB S) =Km. Since a trajectory model non-blocking supervisor is also language model non-blocking,it follows from Theorem 5 that the relative-closure and controllability conditions hold, andfrom Proposition 4 that P AkB det(pr(Km)) = P AkB S; (19)Pm AkB det(pr(Km)) = Pm AkB S: (20)Since (S; S) is trajectory model non-blocking, we have P AkB S = pr(Pm AkB S). Hence,the trajectory-closure condition is implied by Equations 19-20.22

Remark 6 The controllability condition of Theorem 5 is needed for the existence of a su-pervisor such that the closed-loop generated language equals the closure of the language tobe recognized by the closed-loop system, i.e., L(P AkB S) = pr(Km). The relative-closurecondition is needed so that the corresponding non-marking supervisor (S; S) yields equal-ity of closed-loop recognized language and the desired language, i.e., L(Pm AkB S) = Km.Clearly, this design automatically yields that the non-marking supervisor (S; S) is also lan-guage model non-blocking. The extra trajectory-closure condition of Theorem 6 is neededso that the non-marking supervisor (S; S) is also trajectory model non-blocking. Thus allthree conditions of Theorem 6 are needed for the existence of a non-marking and trajectorymodel non-blocking deterministic supervisor so that the closed-loop recognized language isthe desired one.The three conditions of Theorem 6 are su�cient for the existence of a non-markingand trajectory model non-blocking supervisor that imposes the desired marked languageconstraint. However, these conditions are not necessary for the existence of such a supervisor;rather they are necessary for the existence of a supervisor that is also deterministic. Thus(i) the requirement of determinism in Theorem 6 cannot be relaxed, and (ii) it is possible toobtain a nondeterministic supervisor meeting the other speci�cations of Theorem 6 in theabsence of the trajectory-closure condition (refer to the example below). Consequently, it ispossible to weaken the conditions of Theorem 6 by relaxing the requirement of determinismof the supervisor. However, deterministic supervisors may be preferred due to their ease inimplementation.Example 2 Consider the plant NSM de�ned on the event set � = fa; bg, shown in Fig-ure 3(a). Since the refusal-trace fbg(a; fa; bg) belongs to the generated trajectory set of theplant, and there exists no refusal-trace in the recognized trajectory set of the plant withfbg(a; fa; bg) as its pre�x, the plant is trajectory model blocking.a b

a

εa b

a a a

ε ε εε ε

a b

a

εa b

(a) plant/closed-loop systemunder deterministic supervisor

(b) nondeterministicsupervisor

(c) closed-loop syatem undernondeterministic supervisor supervisor

(d) deterministicFigure 3: Diagram illustrating Example 2Consider the nondeterministic supervisor depicted in Figure 3(b). The supervisor hasthe same structure as the plant except that all its states are marked, so that it is non-marking. Let the priority set of both plant and supervisor be the entire event set. The23

closed-loop system under the nondeterministic supervision is shown in Figure 3(c). Thegenerated trajectory set of the closed-loop system is same as that of the plant. However,the recognized trajectory set is larger than that of the plant. In particular, the refusal-tracefbg(a; fa; bg) belongs to the recognized trajectory set of the closed-loop system, and theclosed-loop system is trajectory model non-blocking.The generated language of the closed-loop system is pr(a + b). The non-marking deter-ministic supervisor shown in Figure 3(d) generates this language. The closed-loop systemunder the supervision of the deterministic supervisor has the same NSM as the plant, andhence it is trajectory model blocking. Thus the trajectory-closure condition of Theorem 6does not hold even though a non-marking and trajectory model non-blocking supervisorexists for the given plant.Remark 7 Theorem 6 requires that in order to determine the existence of a non-marking,trajectory model non-blocking and deterministic supervisor that imposes the desired recog-nized language constraint, the conditions of controllability, relative-closure, and trajectory-closure must be veri�ed. The conditions of controllability and relative-closure can be veri�edin polynomial time by simple extensions of the known tests for the deterministic setting [9] tothe nondeterministic setting. We provide a simple test for verifying whether the trajectory-closure condition is satis�ed. Given an NSM, it is said to be co-accessible if a marked statecan be reached from every state that is reachable from the initial state. Let P be a NSMhaving (Pm; P ) as its trajectory model, and S be a deterministic state machine with lan-guage model (Km; pr(Km)). Then it is easy to verify that the trajectory-closure conditionholds whenever P AkB S is co-accessible. Note that co-accessibility of an NSM can be testedin time linear in the number of states in the NSM.In case the conditions of Theorem 6 are not satis�ed, it is possible to construct a mini-mally restrictive supervisor [13] that imposes the supremal sublanguage of Km satisfying thethree conditions as the desired behavior. In order to demonstrate the existence of such a sub-language it su�ces to show that the trajectory-closure condition is preserved under union,as it is known that the controllability and the relative-closure conditions are preserved underunion. Since the PSC operation (with a �xed refusal-trace set, and �xed priority sets) aswell as the pre�x-closure operation over the space of refusal-trace sets are obtained by theextensions of the corresponding operations over the space of refusal-traces, they both dis-tribute over arbitrary union. So it is readily obtained that the trajectory-closure conditionis preserved under union.With Theorem 6 in hand, we revisit the example of Section 2.Example 3 Consider the open-loop NSM P described in Section 2 and depicted in Fig-ure 1(b). It is given that a; c; d are uncontrollable. We regard b1 as a controllable event{i.e.,requiring the participation of both the plant and supervisor. However, we regard b2 as adriven event. This models the possibility that the supervisor may request the input of apart with the guides set to narrow, but that this request may be refused by the plant if24

the arriving part is wide. Thus, for PSC-based design, the priority sets of the plant andsupervisor are A = fa; b1; c; dg and B = fb1; b2g respectively.In Section 2, we indicated that a language model non-blocking Ramadge-Wonham typesupervisor could be constructed that gives Km1 := (ab2c)� as the closed-loop recognizedlanguage. We also noted that the closed-loop system is unsatisfactory since deadlock canoccur. Let us determine whether a PSC-based supervisor can impose the speci�cation Km1without permitting deadlock. The augmented plant P��A is shown in Figure 4(a) and hasgenerated language given byL(P��A) = pr[[b�2a(b�2b1 + b2)b�2c]�b�2ab1b�2db�2]:It is straightforward to verify that Km1 satis�es the controllability and relative-closure con-b

2

b1

b2

b2

b1

b2

b1

b2

b2

dbc

a2

a

b1

b2

b2

b2

b2

a a

c

(a) augmented plant (b) closed-loop system 1

a

cc

a a

cc

(d) closed-loop system 2(c) supervisor 2Figure 4: Diagram illustrating Example 3ditions of Theorem 5. Thus, it follows from Theorem 5 that the non-marking supervisor(S1; S1); S1 := det(pr(Km1 )), is language model non-blocking and imposes Km1 as the closed-loop recognized language.To determine whether there is any deterministic non-marking and trajectory model non-blocking supervisor that can impose Km1 , we must check the trajectory-closure condition inTheorem 6. Let S1 denote the minimal deterministic state machine (with 3 states) withLm(S1) = L(S1) = pr(Km1 ). Let Q1 := P AkB S1 depicted in Figure 2(b). Letting (Pm; P )denote the trajectory model of P, it follows from Theorem 3 thatP AkB det(pr(Km1 )) = T (Q1); Pm AkB det(pr(Km1 )) = Tm(Q1):25

Since e := ;(a; ;)(b2; fcg) 2 T (Q1) � pr(Tm(Q1)), the trajectory-closure condition fails tohold. Thus, Km1 cannot be imposed without trajectory model blocking.Consider the alternative speci�cation Km2 := (ab2(� + b1)c)�, which also satis�es thecontrollability and relative-closure conditions of Theorem 5. Let S2 denote the determinis-tic state machine with Lm(S2) = L(S2) = pr(Km2 ) depicted in Figure 2(c). The resultingclosed-loop system Q2 := P AkB S2 is shown in Figure 2(d). Since T (Q2) = pr(Tm(Q2)),the trajectory-closure condition holds. Thus, the non-marking deterministic supervisor(S2; S2); S2 := det(pr(Km2 )), is trajectory model non-blocking and imposesKm2 as the closed-loop recognized language.The supervisor implements the following control strategy: When a part arrives, thesupervisor requests that it be input with the guides set to narrow. If the part happens tobe narrow, the plant accepts this request and executes the event b2. However, if the partis wide, the plant refuses to execute the event and the transition on b2 occurs only in thesupervisor. The part is then input with the guides set to wide. By following this strategy, anarrow part is never input with the guides set to wide, so jamming does not occur. Allowingfor the possibility that a supervisor-initiated event may be refused by the plant is an essentialfeature of this control design.6 ConclusionIn this paper, we have extended our earlier work on supervisory control of nonde-terministic systems to include markings so that the issue of blocking can be investigated.Since language model non-blocking is inadequate for certain nondeterministic systems, thestronger requirement of trajectory model non-blocking is introduced. Necessary and suf-�cient conditions for the existence of language model non-blocking as well as trajectorymodel non-blocking supervisors that meet given language speci�cations are obtained in termsof standard controllability and relative-closure condition, and a new condition called thetrajectory-closure condition. The co-accessibility of a certain NSM, which is polynomiallytestable, can be used to verify the trajectory-closure condition. The trajectory-closure con-dition is preserved under union, so it is possible to obtain a minimally restrictive supervisor.A Corollaries of Theorems 3 and 4The �rst part of the following corollary states that the trajectory model containsenough detail to support the prioritized synchronous composition of NSM's. The secondpart of Corollary 4 states that the trajectory model serves as a language congruence [4]with respect to the operation of prioritized synchronous composition. This fact was �rstmentioned in [5] without proof.Corollary 4 Let P1;P2;Q1;Q2 be NSM's such that Tm(P1) = Tm(P2); T (P1) = T (P2),Tm(Q1) = Tm(Q2); T (Q1) = T (Q2). Then for any A;B � �:26

1. Tm(P1 AkB Q1) = Tm(P2 AkB Q2) and T (P1 AkB Q1) = T (P2 AkB Q2);2. Lm(P1 AkB Q1) = Lm(P2 AkB Q2) and L(P1 AkB Q1) = L(P2 AkB Q2):Proof: The �rst part follows immediately from Theorem 3. The second part follows fromthe �rst part since Lm(P1 AkB Q1) = L(Tm(P1 AkB Q1)), etc.The following corollary was �rst reported in [5, Theorem 13.3]. However, its rigorousdemonstration follows from the precise de�nition of PSC of refusal-traces given by us in [15,De�nition 10] and the development of Section 4, in particular Theorem 3.Corollary 5 Let (Pm; P ) and (Qm; Q) be two trajectory models, and A;B � �. Then(Pm AkB Qm; P AkB Q) is a trajectory model.Proof: By hypothesis, there exist NSM's P and Q such that (Tm(P); T (P)) = (Pm; P )and (Tm(Q); T (Q)) = (Qm; Q). It follows from Theorem 3 that (Pm AkB Qm; P AkB Q) =(Tm(P AkB Q); T (P AkB Q)), which completes the proof.The following corollary states that when the priority sets of two systems are each equalto the entire event set, then the language model of the composed system can be obtainedas the intersection of the individual language models. Thus if two systems operate in strictsynchrony, then the language model of the composed system can be determined from thelanguage models of the individual systems (the trajectory models of the individual systemsmay not be known).Corollary 6 Let P := (XP ;�; �P; x0P;XmP );Q := (XQ;�; �Q; x0Q;XmQ ) be NSM's. Then1. Lm(P �k� Q) = Lm(P) \ Lm(Q),2. L(P �k� Q) = L(P) \ L(Q).Proof: We only prove the �rst part; the second part can be proved analogously. LetR := P �k� Q. We have Lm(P) = L(Tm(P)); Lm(Q) = L(Tm(Q)); Lm(R) = L(Tm(R)),and it follows from Theorem 3 that Tm(R) = Tm(P) �k� Tm(Q). Hence it su�ces to showthat L(Tm(P) �k� Tm(Q)) = L(Tm(P))\L(Tm(Q)). Pick s 2 L(Tm(P) �k� Tm(Q)). Thenthere exists e 2 Tm(P) �k� Tm(Q) such that tr(e) = s. Since e 2 Tm(P) �k� Tm(Q), itfollows that there exist ep 2 Tm(P); eq 2 Tm(Q) such that e 2 ep AkB eq and tr(ep) =tr(eq) = tr(e) = s. (Refer to [15, Remark 6].) I.e., s 2 L(Tm(P)) \ L(Tm(Q)). This provesthat L(Tm(P) �k� Tm(Q)) � L(Tm(P)) \ L(Tm(Q)).Similarly, given s 2 L(Tm(P)) \ L(Tm(Q)), there exist ep 2 Tm(P); eq 2 Tm(Q) suchthat tr(ep) = tr(eq) = s. Choose e 2 ep �k� eq, which is clearly nonempty. Then e 2Tm(P) �k� Tm(Q) and tr(e) = s. (Refer to [15, Remark 6].) Consequently, we have s 2L(Tm(P) �k� Tm(Q)), which proves that L(Tm(P)) \ L(Tm(Q)) � L(Tm(P) �k� Tm(Q)).Corollary 7 Let (Pm; P ) and (Qm; Q) be trajectory models. Then1. L(Pm �k� Qm) = L(Pm) \ L(Qm), 27

2. L(P �k� Q) = L(P ) \ L(Q).Proof: From the hypothesis there exist NSM's P;Q such that (Tm(P); T (P)) = (Pm; P )and (Tm(Q); T (Q)) = (Qm; Q). Hence the result follows from Corollary 6.The following corollary is an immediate consequence of Theorem 4. Part 2 of this corol-lary was stated without proof in [5]; a direct proof of part 2 that does not depend on thecorresponding result for NSM's is given in [15, Theorem 3].Corollary 8 Let (Pm; P ), (Qm; Q) and (Rm; R) be trajectory models and A;B;C � �.Then1. (Pm AkB Qm) A[BkC Rm = Pm AkB[C (Qm BkC Rm),2. (P AkB Q) A[BkC R = P AkB[C (QBkC R).Proof: From the hypothesis, there exist NSM'sP;Q;R such that (Tm(P); T (P)) = (Pm; P ),(Tm(Q); T (Q)) = (Qm; Q), and (Tm(R); T (R)) = (Rm; R). It is easily shown using the resultof Theorem 3 that(Pm AkB Qm) A[BkC Rm = Tm((P AkB Q) A[BkC R);Pm AkB[C (Qm BkC Rm) = Tm(P AkB[C (QBkC R));(P AkB Q) A[BkC R = T ((P AkB Q) A[BkC R);P AkB[C (QBkC R) = T (P AkB[C (QBkC R)):Thus the result follows from Theorem 4.References[1] S. Balemi, G. J. Ho�mann, P. Gyugyi, H. Wong-Toi, and G. F. Franklin. Supervisorycontrol of a rapid thermal multiprocessor. IEEE Transactions on Automatic Control,38(7):1040{1059, July 1993.[2] B. A. Brandin and W. M.Wonham. Supervisory control of timed discrete event systems.IEEE Transactions on Automatic Control, 39(2):329{342, February 1994.[3] C. H. Golaszewski and P. J. Ramadge. Control of discrete event processes with forcedevents. In Proceedings of 26th IEEE Conference on Decision and Control, pages 247{251, Los Angeles, CA, 1987.[4] M. Heymann. Concurrency and discrete event control. IEEE Control Systems Magazine,10(4):103{112, 1990.[5] M. Heymann and G. Meyer. Algebra of discrete event processes. Technical ReportNASA 102848, NASA Ames Research Center, Mo�ett Field, CA, June 1991.28

[6] C. A. R. Hoare. Communicating Sequential Processes. Prentice Hall, Inc., EnglewoodCli�s, NJ, 1985.[7] K. Inan. An algebraic approach to supervisory control. Mathematics of Control, Signalsand Systems, 5:151{164, 1992.[8] K. Inan and P. Varaiya. Algebras of discrete event models. Proceedings of the IEEE,77(1):24{38, 1989.[9] R. Kumar and V. K. Garg. Modeling and Control of Logical Discrete Event Systems.Kluwer Academic Publishers, Boston, MA, 1994.[10] R. Kumar, V. K. Garg, and S. I. Marcus. On controllability and normality of discreteevent dynamical systems. Systems and Control Letters, 17(3):157{168, 1991.[11] R. Milner. A Calculus of Communicating Systems. Springer Verlag, 1980.[12] I. Phillips. Refusal testing. Theoretical Computer Science, 50:241{284, 1987.[13] P. J. Ramadge and W. M. Wonham. Supervisory control of a class of discrete eventprocesses. SIAM Journal of Control and Optimization, 25(1):206{230, 1987.[14] P. J. Ramadge and W. M. Wonham. The control of discrete event systems. Proceedingsof IEEE: Special Issue on Discrete Event Systems, 77:81{98, 1989.[15] M. Shayman and R. Kumar. Supervisory control of nondeterministic systems withdriven events via prioritized synchronization and trajectory models. SIAM Journal ofControl and Optimization, January 1995. To appear.29