Joint 48th IEEE Conference on Decision and Control and
1
28th Chinese Control Conference
Shanghai, P.R. China, December 16-18, 2009
Hierarchical Supervisory Control of Discrete-Event Systems Under Partial
Observation
Mohsen Zamani Fekri and Shahin Hashtrudi-Zad†
Abstract— In this paper, the setup of Zhong-Wonham for
hierarchical control of discrete-event systems is extended to
the case of control under partial observation. A suitable
reporting map is developed for sending information to the high-
level supervisor. A Partially-Observable-Strict-Output-Control-
Consistency (PO-SOCC) property is introduced to ensure hier-
archical consistency.
I. INTRODUCTION
One of the methods used to reduce the complexity of
control systems is to use a hierarchical approach in which
control decisions are made by a (high-level) supervisor based
on a simplified, abstract (high-level) model of the plant and
the information containing the important outcomes in the
plant.
In the context of supervisory control theory of Ramadge-
Wonham, [11] proposes a bottom-up hierarchical approach
in which the low-level behavior is summarized and reported
to the high-level through a causal reporting map. In [11]
it is assumed all plant events are observable. A procedure
is also proposed to refine, if necessary, the information
sent to the high-level so that the plant satisfies a Strict-
Output-Control-Consistency (SOCC) property. It is shown
that SOCC guarantees hierarchical consistency. Loosely
speaking, hierarchical consistency means that the behavior
of the plant under supervision, as reported to the high-level,
matches the expectation of the high-level supervisor.
Extensions of the results of [11] to include nonblocking
property is discussed in [8]. The case in which the reporting
map is a natural projection [4], [5] and an “observer” [9]
has also been investigated due to its potential to reduce
computational complexity. Other hierarchical supervisory
frameworks include [2], [3], [7].
Hierarchical supervisory control in the setup of [11] in the
case of control under partial observation has been studied
in [6] and two sets of sufficient conditions for hierarchical
consistency have been obtained. The first set, for instance, is
that (i) the high-level specification, Ehi , should be control-
lable and H-observable with respect to the high-level model
and (ii) the supremal controllable sublanguage of the inverse
↑ Any subset L ⊆ Σ∗ is a language over Σ. For s,t ∈ Σ∗ , s is a
image of Ehi , Elo = (θ −1 (Ehi ))↑ , should be observable with
respect to the low-level model. H-observability follows from
observability with respect to the high-level model. No course
of action or algorithm has been provided in [6] to deal with
cases where condition (i) or (ii) is not met.
In this paper, we extend the setup of [11] to the case of
†: The authors are with the ECE Department of Concordia University,
Montreal, Canada. Emails: mohse za, shz@ece.concordia.ca
978-1-4244-3872-3/09/$25.00 ©2009 IEEE
WeA06.
control under partial observation. Partial observation has
implications for the reporting map and the high-level model
(which have not been addressed in [6]). For instance, the un-
observability of some of the low-level sequences makes some
of the high-level events unobservable. To have a well-defined
and consistent partitioning of the high-level event set, we
introduce the property of Output-Observation-Consistency
(OOC) which is the dual of Output-Control-Consistency
(OCC) in [11]. Furthermore, we present a necessary and
sufficient condition for the reporting map (which we call
the Factorization Property) to ensure that look-alike low-
level sequences generate the same high-level observation. We
also study the issue of hierarchical consistency and develop
a set of sufficient conditions to guarantee it. The main
condition here is the Property Partially-Observable-Strict-
Output-Controllable-Consistency (PO-SOCC) which turns to
be a generalization of SOCC to the case of control under
partial observation. An interesting aspect of our results is
that they reduce to their counterparts in [11] when full
observation is assumed. If PO-SOCC (or any of the proposed
set of sufficient conditions for hierarchical consistency) is not
satisfied, through refining the structure of the low-level plant
and vocalizing some of the states, we ensure PO-SOCC and
thus, achieve hierarchical consistency.
This paper is organized as follows. Section II reviews the
background material. Section III shows how the high-level
event set is partitioned into observable and unobservable
subsets and describes the construction of the reporting map.
Section IV describes a procedure for vocalizing the observer
automaton of the low-level plant and section V explores the
reporting map further. Section VI contains the main results
on design and implementation of hierarchical control and
discusses hierarchical consistency. Section VII contains our
conclusions.
II. BACKGROUND
Let Σ be a nonempty, finite alphabet (set of symbols). Σ+
denotes the set of all finite sequences of symbols (strings)
over Σ and Σ∗ = Σ+ ∪ {ε}, where ε ∈ / Σ is the empty string.
prefix of t (s ≤ t) if there exists u ∈ Σ∗ such that t = su. L̄,
the closure of L, is the set of prefixes of strings of L. L is
prefix-closed (or simply closed) if L = L̄. An Automaton is a
four tuple G = (Q, Σ, δ , q◦ ) where Q is the set of states, Σ the
set of events, δ : Q × Σ −→ Q the partial transition function
and q◦ the initial state. L(G) represents the closed behavior
of G [10].
In [11] a two-level hierarchical framework is proposed for
181

the control of a (low-level) finite-state automaton Glo =
(Q, Σ, δ , q◦ ). Here it is assumed that the event set Σ can be
partitioned into disjoint controllable event set Σc and uncon-
trollable event set Σuc . All events are assumed observable.
It is further assumed that a causal map θ : L(Glo ) −→ T ∗
reports important information (sequences of L(Glo )) to the
high-level. Here T is the set of high-level symbols. θ as a
causal map satisfies the following: θ (ε) = ε; for sσ ∈ L(Glo ),
θ (sσ ) = θ (s) or θ (sσ ) = θ (s)τ for some τ ∈ T . A high-
level model is any automaton Ghi = (Qh , T, δh , qh,o ) with
L(Ghi ) = θ (L(Glo )) representing an abstract model of Glo . It
is useful to define a map ω̂ : L(Glo ) −→ T ∪ {τ◦ } as follows:
ω̂(ε) = τ◦ ; for sσ ∈ L(Glo ), ω̂(sσ ) = τ◦ if θ (sσ ) = θ (s)
and ω̂(sσ ) = τ if θ (sσ ) = θ (s)τ. Here τ◦ is a “silent” output
symbol. Without loss of generality [11] it can be assumed Glo
is a Moore automaton Glo = (Q, Σ, T ∪ {τ◦ }, δ , ω, q◦ ) where
ω : Q −→ T ∪ {τ◦ } is an output map, defined as follows:
ω(q) = ω̂(s) where s satisfies q = δ (q◦ , s). A state q ∈ Q of
Glo is called vocal if ω(q) = τ◦ . A sequence s ∈ L(Glo ) for
which q = δ (q◦ , s) is vocal, is called vocal. A sequence s
that connects the initial state q◦ to a vocal state or a vocal
state to another vocal state through a set of nonvocal states
is called a silent path.
Notation: The empty string and the set of sequences leading
to a vocal state are denoted by Lvoc = {s ∈ L(Glo )|s =
ε or ω̂(s) = τ◦ }. The nonempty silent extensions of a se-
quence s ∈ L(Glo ) that lead to a vocal state are denoted by
Lvoc (s) = {s ∈ Σ+ |ss ∈ Lvoc and (∃τ ∈ T : θ (ss ) = θ (s)τ)}.
 by Glo announce the completion of sequences which are
Note that the sequence s ∈ L(Glo ) in the definition of Lvoc (s)
is not necessarily vocal. For s ∈ Σ∗ , let the map Σc : Σ∗ −→
2Σc denote the controllable events in s:
Σc (s) = {σ | σ ∈ Σc , ∃v, v ∈ Σ∗ vσ v = s}. (1)
A silent path is controllable if it includes at least one
controllable event and is uncontrollable otherwise. It is
assumed that every vocal state in Glo is reached by only
controllable silent paths or by only uncontrollable silent
paths (Output-Control-Consistency or OCC property) [11].
If OCC property does not hold, using the OCC algorithm in
[11], Glo can be modified to satisfy OCC. Assuming OCC,
T can be partitioned into disjoint subsets of controllable
events Tc and uncontrollable events Tuc . In the setup of [11],
given a high-level closed controllable specification Ehi ⊆
T ∗ and model Ghi , a supervisor Shi is designed such that
L(Shi /Ghi ) = Ehi . Furthermore, a low-level supervisor Slo is
proposed to implement the commands of Shi . Specifically,
to disable a high-level controllable event τ, Slo disables a
suitable controllable event. This may unintentionally lead to
disablement of other high-level events. To prevent this, [11]
proposes an algorithm to modify Glo (through refining the
structure of Glo and vocalizing some non-vocal states) to
satisfy Strict-Output-Control-Consistency (SOCC) property.
↑
Let Elo = θ −1 (Ehi ) and Elo denote the supremal controllable
sublanguage of Elo .
Lemma 2.1: [11] Suppose Ehi is closed and controllable.
182
WeA06.1
↑
In this case, (1) if Glo is OCC, then L(Slo /Glo ) = Elo and
(2) if Glo is SOCC, then θ (L(Slo /Glo )) = Ehi . 
The equality θ (L(Slo /Glo )) = Ehi is called hierarchical
consistency. In this paper, we extend the framework of [11]
to the case of control under partial observation. Especially we
study the important hierarchical consistency relation under
partial observation.
Suppose Σ can be partitioned into disjoint observable event
set Σ◦ and unobservable event set Σuo . Let Plo : Σ∗ −→ Σ∗◦
be the natural projection map at the low-level. For the
automaton Glo = (Q, Σ, δ , q◦ ), let G̃lo = (Q̃, Σ◦ , δ̃ , q̃◦ ) denote
the reachable observer automaton. Here, Q̃ ⊆ 2Q − {Ø},
q̃◦ = {q | ∃s ∈ L(Glo ) : q = δ (q◦ , s) and Plo (s) = ε}. The
transition function δ̃ is defined as follows: for q̃1 ∈ Q̃ and
σ ∈ Σ◦ , q̃2 = δ̃ (q̃1 , σ ) = {q2 | ∃q1 ∈ q̃1 and s ∈ Plo−1 (σ ) : q2 =
δ (q1 , s) }. G̃lo generates L(G̃lo ) = Plo (L(Glo ). If a state q̃ is
reached in G̃lo by a sequence S ∈ Σ∗◦ (q̃ = δ̃ (q̃◦ , S)), then q̃
would be the estimate of the states of Glo given observation
S. We will refer to this state estimate by est(S) as well.
Thus est(S) = δ̃ (q̃◦ , S) = {q | ∃s ∈ Plo−1 (S) ∩ L(Glo ) : q =
δ (q◦ , s )}.
III. P ROBLEM F ORMULATION AND R EPORTING M AP
Problem Formulation: In this paper, we extend the
hierarchical setup of [11] to the case of control under partial
observation. By assumption the event set of Σ can be parti-
tioned as Σ = Σ◦ ∪Σ ˙ uo where Σ◦ and Σuo are observable and
unobservable event sets. The output symbols in T generated
important for high-level supervision. Because some of the
low-level events are assumed unobservable, some of the
output symbols become unobservable. Therefore, we should
partition T into observable subset T◦ and unobservable subset
Tuo . Towards this end, we call a silent path unobservable if
it contains only unobservable events; otherwise it will be
observable.
Definition 3.1: Suppose τ ∈ T is the output generated
from the sequence ss with s ∈ Lvoc and s ∈ Lvoc (s); i.e.
τ = ω̂(ss ). Then τ ∈ Tuo if Plo (s ) = ε; otherwise τ ∈ T◦ . 
Suppose q is the state reached by ss in Definition 3.1
(q = δ (q◦ , ss )). Then Definition 3.1 is well-defined if Glo
is Output-Observation-Consistent as defined below.
Definition 3.2: A model Glo is Output-Observation-
Consistent (OOC) if every vocal state q ∈ Q is reached either
by only unobservable silent paths or by only observable silent
paths. 
OOC can be regarded as the dual of OCC property. If
Glo is not OOC, then an algorithm identical to the OCC
algorithm with controllable (resp. uncontrollable) events re-
placed with observable (resp. unobservable) events can be
used to modify Glo to satisfy OOC. From now on, we
assume Glo is OOC and OCC. Therefore T can be partitioned
according to T = T◦ ∪T ˙ uo . Let Phi : T ∗ −→ T◦∗ denote the
high-level natural projection. With the above arrangement,
the generation of symbols in Tuo will be unobservable to the
high-level supervisor. Therefore a reporting map that maps
the low-level observation to high-level information must be

a map θ̃ : Plo (L(Glo )) −→ T◦∗ such that for every s ∈ L(Glo ),
θ̃ (Plo (s)) = Phi (θ (s)) or in other words, θ̃ ◦Plo = Phi ◦θ . Such
a map exists (and is unique) if and only if1
ker(Plo ) ≤ ker(Phi ◦ θ )
In other words, Phi ◦ θ must factor through Plo . We refer to
(2) as the Factorization Property. Note that in the proposed
hierarchy under partial observation, θ̃ (not θ ) is the reporting
map which will be implemented. If (2) is not satisfied, then it
is possible to enhance θ (through refining Glo and vocalizing
some of the non-vocal states) to ensure (2). The details are
omitted for brevity. Therefore, in the rest of this paper we
assume reporting map θ is such that (2) is satisfied.
Definition 3.1 and Factorization Property have implications
for silent paths that are described in the following proposi-
tion.
Proposition 3.3: Consider a nonempty vocal sequence s ∈
Lvoc . If ω̂(s) ∈ T◦ (is observable), then s = s1 σ for some
σ ∈ Σ◦ and s1 ≤ s. 
Proposition 3.3 states if a silent path generates a high-level
observable event, the last event of that silent path must be
observable.
IV. VOCALIZING O BSERVER AUTOMATON
Observer automaton G̃lo = (Q̃, Σ◦ , δ̃ , q̃◦ ) plays an impor-
tant role in establishing hierarchical consistency. In this
section we show how G̃lo can be vocalized.
Definition 4.1: Consider an automaton G = (Q, Σ, δ , q◦ ).
For sequences s1 , s2 ∈ L(G) we say s1 ≡ s2 (mod G) if and
only if δ (q◦ , s1 ) = δ (q◦ , s2 ) = q for some q ∈ Q.
The binary relation ≡ (mod G) is an equivalence relation on
L(G) and partitions L(G) into |Q| equivalence classes.
Lemma 4.2: Let G̃lo = (Q̃, Σ◦ , δ̃ , q̃◦ ) be the observer au-
tomaton for Glo . For every two sequences S, S ∈ L(G̃lo )
define S = {s | s ∈ Plo−1 (S) ∩ L(Glo )} and S = {s | s ∈
Plo−1 (S ) ∩ L(Glo )}. Then we have S ≡ S (mod G̃lo ) if and
only if (∀s ∈ S, ∃s ∈ S : s ≡ s (mod Glo )) and (∀s ∈
S , ∃s ∈ S : s ≡ s (mod Glo ))
Two subsets, not necessarily disjoint, of q̃ ∈ Q̃ are defined
in the following.
Definition 4.3: Let q̃ = δ̃ (q̃◦ , S) be a state of G̃lo with
S ∈ Σ+ ∗
◦ . We refer to the set inS (q̃) = {q | ∃s ∈ Σ , σ ∈ Σ◦ :
S = Plo (s σ ) and q = δ (q◦ , s σ )} as the incoming subset of
state q̃ w.r.t the sequence S. We also denote the union of
incoming subsets of a state q̃ as in(q̃) = {q| q ∈ q̃ and (∃S ∈
Σ+◦ : q ∈ inS (q̃))}.
Definition 4.4: Let q̃ = δ̃ (q̃◦ , S) be a state of G̃lo and σ ∈
Σ◦ be an observable event. We refer to the set outσ (q̃) =
{q ∈ q̃| δ (q, σ )!} as the outgoing subset of q̃ w.r.t σ . We
also denote the union of outgoing subsets of a state q̃ as
out(q̃) = {q|q ∈ q̃ and (∃σ ∈ Σ◦ : q ∈ outσ (q̃))}.
Next, we show how a state q̃ = δ̃ (q̃◦ , S) of G̃lo can inherit
the output of its incoming subset of states.
1 Consider two maps f : X −→ Y and g : X −→ Z with the same domain
X. If ker(g) ≤ ker( f ) then there exits a unique map h : Z −→ Y such that
h ◦ g = f [1]. Here f is said to factor through g.
WeA06.1
Definition 4.5: A state q̃ ∈ Q̃ with q̃ = q̃◦ is called P-
vocal if it contains some vocal state (i.e. there exists q ∈ q̃
with ω(q) = τ◦ ). 
Lemma 4.6: Let q̃ = q̃◦ be a state of G̃lo . Then q̃ is P-
(2)
vocal if and only if for every S ∈ Σ+◦ that q̃ = δ̃ (q̃◦ , S), there
exists q ∈ inS (q̃) with ω(q) = τ◦ . 
Proposition 4.7: Let q̃ ∈ Q̃ (with q̃ = q̃◦ ) be a P-vocal
state in G̃lo . Then there exists τ ∈ T◦ such that for every
state q ∈ in(q̃), we have ω(q) = τ. 
V. O UTPUT M AP P ROPERTIES
The uniqueness of outputs of in(q̃), shown in Proposition
4.7, justifies the definition of an output map ω̃ : L(G̃lo ) −→
T◦ ∪ {τ◦ } for G̃lo .
Definition 5.1: We define ω̃ : L(G̃lo ) −→ T◦ ∪ {τ◦ } as
follows: Let S ∈ L(G̃lo ), q̃ = δ̃ (q̃◦ , S) and I = {s ∈
L(Glo )| δ (q◦ , s) ∈ in(q̃)}. Then ω̃(S) = τ◦ if S = ε and
ω̃(S) = ω̂(s) for any s ∈ I. (3)

Proposition 4.7 implies that the output map ω̃ is well-defined
and every state q̃ is either silent, ω̃(S) = τ◦ , or P-vocal with
a unique output ω̃(S) = τ ∈ T◦ . Furthermore the observer
model G̃lo can be equipped with an output map ϖ : Q̃ −→
T◦ ∪ {τ◦ } where for every q̃ ∈ Q̃ that q̃ = δ̃ (q̃◦ , S), we have
ϖ(q̃) = ω̃(S). Once again Proposition 4.7 ensures ϖ is well-
defined. So finally G̃lo = (Q̃, Σ◦ , T◦ ∪ {τ◦ }, δ̃ , ϖ, q̃◦ ) becomes
a Moore automaton.
Theorem 5.2: The reporting map θ̃ : L(G̃lo ) −→ T◦∗ , de-
 fined by θ̃ ◦ Plo = Phi ◦ θ , has the property that for every
S ∈ L(G̃lo ), θ̃ (S) = ε if S = ε, and θ̃ (S) = θ̃ (S )ω̃(S σ ) if
S = S σ for some S ∈ Σ∗◦ and σ ∈ Σ◦ . 
The following definitions will be useful in the next section
in the study of hierarchical consistency.
Definition 5.3: Let q̃ be a state in G̃lo and S ∈ Σ+ ◦ such
that δ̃ (q̃, S)!. We say S is Plo -controllable from q̃ if for
every q ∈ out(q̃) and every s ∈ Plo−1 (S) that δ (q, s)! we have
|Σc (s)| ≥ 1 where Σc (.) is given in (1). 

Definition 5.4: Let q̃ be a state in G̃lo and S ∈ Σ+ ◦ such
that δ̃ (q̃, S)!. We say S is Plo -uncontrollable from q̃ if there
exists q ∈ out(q̃) and s ∈ Plo−1 (S) ∩ Σ+uc with δ (q, s)!. 
Definition 5.5: An observable sequence S ∈ Σ+ ◦ in G̃lo
which connects the root state q̃◦ to a P-vocal state or two
immediate P-vocal states to each other is called a Plo -silent
path. 
 VI. S UPERVISION I MPLEMENTATION AT THE L OW- LEVEL
Let Glo describe the low-level model and G̃lo be the
observer automaton for Glo . Let Ghi be the abstracted model
at the high-level with L(Ghi ) = θ (L(Glo )) and Ehi be a high-
level controllable specification which is also observable w.r.t.
 Ghi . A virtual high-level supervisor Shi can be obtained by
solving a supervisory control problem under partial obser-
vation for the pair (Ehi , Ghi ) such that L(Shi /Ghi ) = Ehi . Let
Elo = θ −1 (Ehi ) be the low-level image of Ehi . Hierarchical
supervisory control is performed by a low-level supervisor
Slo implementing a controllable and observable sublanguage
183
 WeA06.1

of Elo at the low-level with L(Slo /Glo ) ⊆ Elo . It is desired to WD WE

V D E
achieve hierarchical consistency [11] under partial observa- To ensure property 6.2 WD
tion. Hierarchical consistency requires that θ (L(Slo /Glo )) = D V
W
b d
Ehi , i.e. high-level specification Ehi is recovered through
the actual low-level supervisory action. In [11], hierarchical
Fig. 2. Motivational example for Property 6.2: Event α cannot be disabled
consistency is achieved by ensuring that in two silent paths independently.
which have a common prefix and generate different outputs,
disablement of one silent path does not (unintentionally) dis-
able the other silent path. In the case of control under partial problem. For a path r ∈ Σ∗ , let η(r) = {u | u ∈ Σ∗uo , (∃w ∈
observation, we have to consider look-alike sequences. Fig. 1 Σ+ ∗
◦ Σ ∪ {ε} : r = uw)} be the largest unobservable prefix of
r.
s D V
W cc Property 6.2: For every sequence s ∈ Lvoc and its silent
New outputs to ensure Property 6.1
path extension r ∈ Lvoc (s), it should be the case that
Plo (s) Plo (s' )
WD WE
W Plo (r) = ε and ω̂(sr) ∈ Tc =⇒ Σc (η(r)) = Ø. (5)
s' V D E O
Wc
b d

Fig. 1. Motivational example for Property 6.1: Event α cannot be disabled Property 6.2 means if an observable-controllable silent path
independently. starts with an unobservable segment, that segment should be
uncontrollable. (5) can also be rewritten as
shows a model in which Σc = {α, β } and dashed lines denote
the low-level unobservable events Σuo . Also T = {τ, τ , τ } Σc (η(r)) = Ø =⇒ Plo (r) = ε. (6)
and Tc = {τ , τ } is the set of high-level controllable events. In Fig. 2, if the state reached by ασ is vocalized, then ασ
The system is prone to unintended disablement which occurs will become an unobservable silent path and Property 6.2
when for example either of τ or τ is to be disabled through will be ensured. In general, by vocalizing some states and
disabling α. To resolve this issue, we include the information refining the structure of G̃lo Property 6.2 (and 6.1) can be
of unobservable-controllable events in Ghi . Specifically we ensured. The details are omitted for brevity.
propose the following property to be imposed. If a Plo -silent path is Plo -controllable, its corresponding
Property 6.1: For each s ∈ Lvoc and s ∈ Lvoc (s) that we output is controllable. However, the reverse is not generally
have ω̂(ss ) ∈ Tuo ∩ Tc , we should have |Σc (s )| = 1 where true. Proposition 6.3 discusses the condition under which the
Σc (.) is defined in (1).  reverse is ensured. Let L̃voc = {S ∈ L(G̃lo ) | S = ε or ω̃(S) =
If Property 6.1 is not satisfied, we can use the following τ0 } which contains the null sequence ε and the sequences
procedure to ensure it (Some details are omitted for brevity). which end in P-vocal states.
Define a new set of labels Proposition 6.3: Assume Property 6.2 is satisfied and let
Tcuo = {τσ | σ ∈ Σuo ∩ Σc } (4) S ∈ L̃voc be a P-vocal sequence in G̃lo and R ∈ Σ+ ◦ be a Plo -
silent path following S. In this case, if ω̂(SR) is controllable
and add them to the set of high-level events. Also by defini- (ω̂(SR) ∈ Tc ), then R is Plo -controllable from q̃ = δ̃ (q̃◦ , S).
tion we let Tcuo ⊆ T uo ∩ Tc . To satisfy Property 6.1, we assign 
output from the set Tcuo to the destination node of every Proposition 6.3 implies that a Plo -silent path is Plo -
unobservable-controllable transition of every unobservable- controllable if and only if the output which is generated
controllable silent path (If the label of transition is σ , the upon the completion of that Plo -silent path is controllable.
assigned label will be τσ ∈ Tcuo ). In this way, by choosing A similar conclusion follows from Proposition 6.3 for Plo -
labels from Tcuo , we include the information about the uncontrollable Plo -silent paths. In the rest of this paper we
unobservable-controllable events in the high-level model assume the map θ is such that Properties 6.1 and 6.2 are
Ghi . Property 6.1 and the modification performed in the satisfied.
above procedure ensure that if an unobservable silent path Fig. 3 shows a model whose reporting map satisfies Factor-
is controllable then its controllability originates from only a
single controllable event, say σ ∈ Σc , and furthermore the V
a
D b g d
A

occurrence of σ is shown in Ghi with a unique symbol τσ . D

The result of applying the above procedure is shown in Fig.
1 where the new outputs are indicated with shaded area.
Fig. 2 shows another model which satisfies Property 6.1.
Here Σc = {α, β } and as usual unobservable low-level events
have been shown with dashed lines. T = {τα , τβ , τ} is the set
of high-level events. It can be checked that the system is still
prone to unintended disablement which occurs if for example
either of τα or τ is desired to be disabled at the high-level.
We propose Property 6.2 to be imposed as a remedy to this
B
a b c d f
Fig. 3. Motivation example for PO-SOCC property: Event α cannot be
disabled independently.
ization Property (2) as well as Properties 6.1 and 6.2. There,
Σ = {a, b, c, d, f, g, α, σ }, Σc = {α, c} and the dashed lines
denote low-level unobservable events Σuo = {α, σ }. T = T◦ =
{A, B} is the set of high-level events. It can be verified that
the system is prone to unintended disablement which occurs

184
 WeA06.1

if for example event A is desired to be disabled at the high- the structure of Glo we can ensure PO-SOCC. The details
level. In this case, event α is disabled after an observable are omitted for brevity.
event “a” is generated. If the low-level supervisor is feasible, Proposition 6.8: If Glo is PO-SOCC, then it is SOCC. 
this leads to unintended disablement of B.
For a more general discussion consider Fig. 4.(a). Fig. Suppose high-level specification Ehi is controllable and ob-
servable. The supremal controllable sublanguage of Elo =
↑
W1 θ −1 (Ehi ) which we denote by Elo would not necessarily be
r1 s1 s3
u
observable with respect to the low-level model Glo . Below
r2 s2 W2 ↑
(a) v s4 we show Elo can be guaranteed to be observable in a more
relaxed sense which we call (G, Plo , θ )-observability.
Plo ( s3 )
W1 Let a map actθ : L(Glo ) −→ 2T be defined as
q~
Plo (r1 ) Plo (r2 )
W Plo (s1) Plo (s2 )
1

(b) q~ ~
p {ω̂(s)}, if s ∈ Lvoc ,
W2 actθ (s) =
Plo ( s4 )
q~2 {τ | ∃u ∈ Lvoc (s), ω̂(su) = τ}, otherwise.
actθ (s) returns the generated high-level event if s is vocal.
Fig. 4. PO-SOCC Property inspiration, (a): two branches in reachability Otherwise, it returns the set of next possible high-level
tree of Glo , (b): corresponding projected branches with common segments events.
in reachability tree of G̃lo .
Definition 6.9: A language E ⊆ L(G) is said to be
4.(a) shows two transitions r1 s1 us3 , r2 s2 vs4 ∈ L(Glo ) which (G, Plo , θ )-observable if for any s, s ∈ E that Plo (s) = Plo (s )
generate high-level events τ1 , τ2 ∈ Tc . We assume Plo (r1 ) = and for any σ ∈ Σ that actθ (sσ ) − actθ (s σ ) = Ø and
Plo (r2 ), Plo (u) = Plo (v) = ε, Plo (s1 ) = Plo (s2 ) = ε and actθ (s σ ) = Ø, we have
Plo (s3 ), Plo (s4 ) = ε. Fig. 4.(b) shows the corresponding sσ ∈ E and s σ ∈ L(G) =⇒ s σ ∈ E.
projections Plo (r1 )Plo (s1 u)Plo (s3 ), Plo (r2 )Plo (s2 v)Plo (s4 ) ∈
L(G̃lo ) share a common segment Plo (r1 )Plo (s1 ) ∈ Σ+ ◦ . Let q̃ 
be P-vocal and Plo (s1 u)Plo (s3 ) and Plo (s2 v)Plo (s4 ) be two Proposition 6.10: Consider a high-level controllable
Plo -silent paths which start from q̃ and lead respectively specification Ehi . Let Elo = θ −1 (Ehi ) be the translation
to q̃1 and q̃2 where we have ϖ(q̃1 ) = τ1 and ϖ(q̃2 ) = τ2 . of Ehi at the low-level. If Glo is PO-SOCC, then Elo ↑
is
Also let the state p̃ be the last state which is reached by (Glo , Plo , θ )-observable. 
the common segment Plo (r1 )Plo (s1 u). If Plo (s3 ) or Plo (s4 )
is Plo -uncontrollable from p̃, disabling τ1 or τ2 might not Next, it is shown how supervision can be implemented at
be done independently from each other (This is comparable the low-level. Let Shi : T ∗ × Tc −→ {0, 1} be the high-level
with partnership status in the full observation case). The PO- supervisor which implements a controllable and observable
SOCC Property (which will turn out to be a generalization of specification Ehi . A disablement map Δhi : L(Ghi ) −→ 2Tc can
SOCC for the case of control under partial observation) is in- be derived for Shi as
troduced in the following to prevent unintended disablement Δhi (t) = {τ ∈ Tc | Shi (t, τ) = 0}.
in these cases. First we define P-partners.
Definition 6.4: Two P-vocal nodes n1 and n2 with differ- A high-level disablement is implemented at the low-level by
ent controllable outputs in the reachability tree of G̃lo are a low-level disablement law Δ̃lo : Σ∗ × T ∗ −→ 2Σc given by

said to be P-partners if their Plo -silent paths start either at Δ̃lo (s,t) = {Δlo (s ,t )| s ∈ Plo−1 Plo (s) ∩ L(Glo ),
the root node or at the same P-vocal node, share an initial
segment S1 ∈ Σ+ t ∈ Phi−1 Phi (t) ∩ L(Ghi )},
◦ which is followed in turn by segments S2 ∈
Σ+ +
◦ and S3 ∈ Σ◦ , where S1 S2 and S1 S3 are Plo -controllable where Δlo (s,t) is defined similar to [11]:
and at least one of S2 or S3 is Plo -uncontrollable. 
If two nodes in the reachability tree of G̃lo are P-partners Δlo (s,t) = {σ ∈ Σc | ∃u ∈ Σ∗uc , sσ u ∈ L(Glo ) and
then disabling the high-level event associated with one of ω̂(sσ u) ∈ Δhi (t) and ∀s < u, ω̂(sσ s ) = τ◦ }.
them might unintentionally disable the other one.
Definition 6.5: A Moore automaton Glo is Partially- Then low-level supervisor S̃lo : Σ∗ × T −→ {0, 1} is defined
Observable-Strictly-Output-Control-Consistent (PO- based on Δ̃lo as follows:

SOCC) if it is (i) OCC and OOC and (ii) no two P-vocal 0 if σ ∈ Δ̃lo (s, θ (s))
nodes with controllable outputs are P-partners in the S̃lo (s, σ ) = (7)
1 otherwise.
reachability tree of its observer automaton G̃lo . 
Remark 6.6: In Proposition 6.8 we show that PO-SOCC To study the properties of S̃lo , we compare it with the low-
is stronger than SOCC. However, note that in the case of full level supervisor Slo : Σ∗ × T −→ {0, 1} defined based on Δlo
observation, the PO-SOCC property reduces to SOCC (and for the case of full observation [11]:
Properties 6.1 and 6.2 hold trivially).  
Remark 6.7: Similar to SOCC, if PO-SOCC does not 0 if σ ∈ Δlo (s, θ (s))
Slo (s, σ ) =
hold in the system, by vocalizing new states and refining 1 otherwise.

185
 WeA06.1

A
1 a 3 b 5 7 b 9 a 14
B
0
V
11 b 13 15 a
D WD E A
c
B
E WJ A
a 2 b 4 6 8 10 d 12

Fig. 7. Ghi : Final high-level model

Fig. 5. Glo : Low-level model which is not PO-SOCC.

D
D WD E A V
1 a 3 b 5
V 1 a 3 b 5 7 b 9 a 14 E
V
E WJ 0
D 11 b 13
0 V
11 b 13 15 a
D WD B a 2 b 4
a 2 b 4 6
c
8
V 10 d 12

Fig. 8. S̃lo /Glo : System under supervision which is hierarchically consistent

Fig. 6. Final model Glo after satisfying Properties 6.1, 6.2 and PO-SOCC. with Ehi = D.E.
Colored states are vocal.

scribed as “Event A cannot occur”. This is formally written

Recall that in supervisory control under partial observation, a
supervisor is said to be feasible if it acts the same in response
to two look-alike sequences (two sequences with the same
natural projection).
Proposition 6.11: Low-level supervisor S̃lo , given in (7),
is feasible. 
The following theorem shows PO-SOCC guarantees hierar-
chical consistency.
Theorem 6.12: If Glo is PO-SOCC and the high-level
specification Ehi is controllable and observable with respect
to Ghi , then θ (L(S̃lo /Glo )) = Ehi  was discussed. A feasible low-level supervisor was proposed
Example 6.13: Consider the model Glo in Fig. 5. There
Σ = {a, b, c, d, α, γ, σ }, Σc = {c, α, γ}, the unobservable
events have been shown by dashed lines and T = Tc =
{A, B}. Let G̃lo denote the observer automaton of Glo . First,
note that disabling high-level event A also disables B since
to disable A, event α in state 5 must be disabled as a
result of which α at state 4 will also be disabled. In fact,
it can be verified that Glo is not PO-SOCC. Note that the
nodes reached respectively by sequences S1 = a.b.b.a and
S2 = a.b.c.d will be P-partners in the reachability tree of G̃lo
since S1 and S2 are Plo -controllable Plo -silent paths, share a
segment “a.b” with each other while the segment S3 = b.a is
Plo -uncontrollable from q̃ = δ̃ (q̃◦ , a.b). The reporting map θ
has been enhanced to satisfy PO-SOCC Property (see Fig. 6).
First, we vocalize states 4 and 5 with ω(4) = ω(5) = D ∈ Tuc
so that the model becomes PO-SOCC. Next, Properties 6.1
and 6.2 are examined and to ensure Property 6.2, we assign
ω(6) = ω(7) = τα ∈ Tcuo . However, it can be seen that
after these modifications OCC will not hold. Note that two
(look-alike, silent) paths “σ .b.γ.a” starting from state 5 and
“b.a”, starting from state 7, are respectively controllable and
uncontrollable. Note that splitting state 14 as required by
the OCC algorithm will result in violation of Factorization
Property. Therefore, instead we assign ω(9) = ω(13) = E ∈
Tuc , ω(15) = τγ ∈ Tcuo and ω(14) = A ∈ Tuc so that the
information of low-level unobservable-controllable transition
γ from state 13 to 15 is included in Ghi . Therefore we will
have Tc = {τα , τγ , B} and Tuc = {A, D, E}. The model Glo
in Fig. 6 satisfies Factorization Property, Properties 6.1, 6.2
and Po-SOCC. Fig. 7 shows the high-level model.
Now let the verbal specification Ehi at the high-level be de-
as Ehi = {t ∈ L(Ghi ) | ∀r ≤ t, rA  t}. It can be verified that
Ehi = D.E is an observable and controllable sublanguage
of Ehi (in fact, the largest). The system under supervision
(S̃lo /Glo ) is given in Fig. 8. It can be verified that hierarchical
consistency holds and we have θ (L(S̃lo /Glo )) = Ehi . 
VII. C ONCLUSION
In this paper, the hierarchical supervisory control setup of
Zhong-Wonham was extended to the case of control under
partial observation. The construction of a reporting map
to implement the commands of the high-level supervisor.
Partially-Observable SOCC property, as a natural extension
of SOCC property, was introduced and it was shown that
PO-SOCC (along with Properties 6.1 and 6.2) was sufficient
to ensure hierarchical consistency.
R EFERENCES
[1] G. Birkhoff. Lattice theory. American Mathematical Society, page
418, 1992.
[2] Y. Brave and M. Heymann. Control of discrete-event systems modeled
as hierarchical state machines. IEEE Transactions on Automatic
Control, 38(12):1803–1819, 1993.
[3] P. Caines and Y.J. Wei. Hierarchical hybrid control systems: a
lattice theoretic formulation. IEEE Transactions on Automatic Control,
43(4):501–508, 1998.
[4] L. Feng and W.M. Wonham. Supervisory control architecture for
discrete-event systems. IEEE Transactions on Automatic Control,
53(6):1449–1461, 2008.
[5] T. Moor amd S. Perk K. Schmidt. Nonblocking hierarchical control of
decentralized discrete event systems. IEEE Transactions on Automatic
Control, 53(10):2252–2265, 2008.
[6] S.G. Kim, K.H. Cho, and J.T. Lim. Hierarchical supervisory control
of discrete event systems based on h-observability. IEE Proceedings,
Control Theory and Applications, 150(2):179–182, March 2003.
[7] R.J. Leduc, M. Lawford, and W.M. Wonham. Hierarchical interface-
based supervisory control-part i: serial case. IEEE Trans. Automatic
Control, 50(9):1322–1335, Sept. 2005.
[8] K.C. Wong and W. M.Wonham. Hierarchical control of discrete-event
systems. Discrete Event Dynamic Systems:Theory and Applications,
6(3):241–273, 1996.
[9] K.C. Wong and W. M.Wonham. On the computation of observers in
discrete-event systems. Discrete Event Dynamic Systems:Theory and
Applications, 14(1):55–107, 2004.
[10] W. M. Wonham. Supervisory control of discrete-event systems.
Department of Electrical and Computer Engineering, University of
Toronto, 2008.
[11] H. Zhong and W.M. Wonham. On the consistency of hierarchical su-
pervision in discrete-event systems. IEEE Transactions on Automatic
Control, 35(10):1125–1134, 1990.

186