Abstract - The paper studies supervisory control of discrete event systems when the specification is nondeterministic and modeled as a nondeterministic state machine. The control is exercised so that the controlled plant is simulation equivalent to the (nondeterministic) specification. In our previous work on nondeterministic specification [18], the requirement of bisimulation equivalence between the controlled plant and the specification was studied. Simulation equivalence is weaker than bisimulation equivalence but stronger than language equivalence: besides language equality, simulation equivalence specifies an upper bound for the branching behavior following any trace, whereas bisimulation equivalence specifies the exact branching behavior following any trace. Simulation equivalence preserves ∀CTL* temporal logic specifications, which is more general than LTL (preserved under language equivalence) but less general than CTL* (preserved under bisimulation equivalence). We develop necessary and sufficient conditions for the existence of a supervisor and provide polynomial complexity algorithms for testing the existence and synthesis of a supervisor. For the special case when the plant is deterministic, the notion of state-controllable-similar is introduced as a necessary and sufficient condition for the existence of a similarity enforcing supervisor.
I. INTRODUCTION
Nondeterminism in a plant model can arise from unmodeled dynamics or abstraction. The control of a nondeterministic plant subject to a language specification is studied in [16], [11], [12], where the plant is modeled using the trajectory model. In [13] and [4], both plant and specification are nondeterministic and are represented using failures and trajectory models, respectively. The authors in [4] show how to transform their control problem in the nondeterministic setting to one in the deterministic setting subject to added partial observability. Control of plants modeled using nondeterministic state machines for language specification is also studied in [9], [6]. All these works used deterministic supervisors.
The use of nondeterministic supervisors for specification represented using the language model was explored in [5], [17]. The notion of nondeterministic control was formalized in [10] and used for control under partial observation for language specification, and the notion of achievability (a property weaker than controllability and observability combined) was introduced. Nondeterministic supervisors were also used in [7] where the nondeterministic specification was specified in the temporal logic CTL*, generalizing the work reported in [1] which used CTL to express the specification.
The research was supported in part by the National Science Foundation under the grants NSF-ECS-9709796, NSF-ECS-0099851, NSF-ECS-0218207, NSF-ECS-0244732, NSF-EPNES-0323379, and NSF-0424048, and a DoD-EPSCoR grant through the Office of Naval Research under the grant N000140110621.
In general, plant, specification, and supervisor can all be nondeterministic. Control of nondeterministic plants subject to a nondeterministic specification of bisimulation equivalence using nondeterministic supervisors has recently been studied in [18]. The input-output model matching control studied in [3] also uses the notion of simulation, and as shown in [2] it can be cast as an instance of the standard supervisory control problem in the deterministic setting. [14] studied the problem of synthesizing a supervisor so that the controlled system is bisimilar to a deterministic specification. There, the event sets of the system and the specification need not be the same, all events are treated as controllable, and it is further required that all indistinguishable events be either all enabled or all disabled at a state. Such a requirement does not make sense in the supervisory control context. This paper continues our prior work reported in [18], where plant, specification, and supervisor are all nondeterministic. While [18] used bisimulation equivalence for the specification, the present paper uses simulation equivalence. Simulation equivalence is finer than language equivalence but coarser than bisimulation equivalence. While language equivalence poses no constraints on the nondeterministic (branching) behavior, and bisimulation equivalence specifies the exact branching behavior, simulation equivalence specifies only an upper bound on the branching behavior. Simulation equivalence preserves ∀CTL* temporal logic specifications, which is more general than LTL (preserved under language equivalence) but less general than CTL* (preserved under bisimulation equivalence).
While bisimulation equivalence is more expressive, supervisory control for bisimulation equivalence seems computationally more complex (a test for supervisor existence with complexity double exponential in the number of plant and specification states is given in [18]). On the other hand, the test for supervisor existence for language equivalence is linear in the number of plant and specification states [15]. We show in this paper that the complexity of testing supervisor existence remains polynomial in the number of plant and specification states even for a simulation equivalence specification (it is linear in the plant size and quadratic in the specification size). Also, when the existence condition is met, a supervisor of size linear in the size of the specification can be synthesized. These are reasons in favor of studying control for simulation equivalence as a research topic of its own.
We show that the simulation relation over the set of automata yields a prelattice, and consequently (non-unique) infimal and supremal elements exist for a given set of automata. We show that the synchronization of two automata gives an infimal element for the two automata, whereas the union of the two automata gives a supremal element. Recognizing that the simulation relation is a preorder, we can define the notion of an infimal state-controllable system simulating a given specification. (The notion of state-controllability was introduced in [18], generalizing the notion of controllability from the setting of languages to automata.) Using such a system we develop a test for the existence of a similarity enforcing supervisor. Further, when the test passes, this system itself can serve as a supervisor.
We specialize our results to the setting when the plant is deterministic. We show that in this setting our necessary and sufficient condition for the existence of a similarity enforcing supervisor specializes to the condition of "state-controllable-similar", which is a new concept introduced in this paper. We show that state-controllable-similar is stronger than language-controllable (which serves as an existence condition for language equivalence enforcing control), and weaker than state-controllable (which serves as an existence condition for bisimulation equivalence enforcing control for deterministic plants). As such, the condition of state-controllable-similar is stronger than the condition for the existence of a similarity enforcing supervisor for nondeterministic plants, but the two conditions become equivalent for deterministic plants.
As a final result, we obtain a condition for the existence of a similarity enforcing supervisor that is also deterministic. Requiring the supervisor to be deterministic makes the problem computationally more expensive, and stronger conditions must hold for supervisor existence. Our results on similarity enforcing control using deterministic supervisors establish the point that one should opt for nondeterministic supervisors over deterministic ones. Issues regarding the implementation of nondeterministic supervisors are discussed in [10].
II. A MOTIVATING EXAMPLE
We present a simple example to illustrate some of the issues pertaining to control for simulation equivalence.
Example 1: Consider a message transmission system, shown in Figure 1, that sends messages from a sender to a receiver. Two types of messages are generated by the sender, m1 and m2, which are first received by a message center. The messages are then forwarded (event f) to a routing center, which decides along which channels the messages are routed. Two types of channels, secure (s) and unsecure (u), are available for routing. Upon successful reception, an acknowledgment (a) is sent by the receiver to the sender, allowing transmission of another message. The acknowledgment is generated automatically and is treated as an uncontrollable event. The nondeterministic automaton G, drawn in Figure 2, models the above behavior.
A specification for the legal behavior of the system is also drawn in Figure 2. It requires that messages of type 1 (m1) be transmitted over the secure channel, while no such restriction is imposed on the type of channel to be used for the transmission of messages of the second type (m2). However, once a message of type 2 gets forwarded, it (nondeterministically) finds the routing center in one of its two states: in the first state, the transmission occurs on the secure channel, whereas in the second state, it occurs on the unsecure channel. It is easy to verify that the specification language is a controllable sublanguage of the plant language. If we apply the supervisory control results from the deterministic setting and use a deterministic generator of the specification language as a supervisor, the controlled system will be a deterministic generator of the specification language (since the plant is given to be deterministic, the supervisor is constructed to be deterministic, and the plant language is a superlanguage of the specification language). A deterministic generator of the specification language, however, will allow both choices (secure as well as unsecure channel) for the routing of all messages of type 2 after they have arrived at the routing center. This situation is not permitted by the desired specification, and so the specification will be violated.
The supervisory control theory for the deterministic setting is not applicable here, and we need to extend the theory to synthesize supervisors that satisfy nondeterministic specifications of the type discussed above. This is the direction we pursue in this paper, and we show that for the above example it suffices to synthesize a supervisor that ensures that the controlled system is simulation equivalent to the given nondeterministic specification.
Automata are used to model discrete event systems at the logical level. A nondeterministic automaton is a 4-tuple G = (X, Σ, α, X0), where X is the set of states, Σ is the alphabet of events, α :
is the state transition function (where is a label for "silent" transitions), X 0 ⊆ X is the set of initial states. For notational convenience, we define
Σ* denotes the set of all finite sequences of events in Σ, called traces, and includes the zero length trace, denoted . The -closure (denoted as *) of x ∈ X is the set of states reached by the execution of zero or more -transitions from state x. For X ⊆ X, *(X) := x∈X *(x). By using the -closure map, we can extend the definition of the transition function from events to traces, α* : X × Σ* → 2^X, which is defined inductively as:
is the set of sequences of events generated starting from the initial state, i.e.,
The purpose of control of a DES, called a plant, is to restrict its behavior in order to prevent certain undesirable behavior by dynamically disabling certain uncontrollable events [15] . Such a controller is called a supervisor. The supervisor can be modeled as another automaton operating in synchronous composition with the plant. Given two automata G 1 and G 2 , where G 1 = (X 1 , Σ, α 1 , X 01 ) and G 2 = (X 2 , Σ, α 2 , X 02 ), the synchronous composition of G 1 and G 2 is the automaton
where for
We also define
where for x ∈ X 1 ∪ X 2 , and σ ∈ Σ,
We next introduce the concept of a simulation relation.
Definition 1: Given two automata G1 and G2, a simulation relation is a binary relation
2 such that for all x01 ∈ X01, there exists x02 ∈ X02 with (x01, x02) ∈ Φ. This last fact is concisely written as X01 Φ X02. We write x1 Φ x2 to denote that there exists a simulation relation Φ with (x1, x2) ∈ Φ, read as x1 is simulated by x2. We sometimes omit the subscript Φ from Φ when it is clear from the context. Further, a simulation relation is called a bisimulation equivalence relation if it is symmetric. For a bisimulation equivalence relation Φ, if (x1, x2) ∈ Φ, then x1 and x2 are called bisimilar, written as x1 Φ x2 (or simply x1 x2 when Φ is clear from the context).
Definition 2: Given two automata G 1 and
2 is a simulation equivalence relation if exist simulation relations
2 , such that Φ = Φ 1 ∪ Φ 2 , and
We write x 1 ∼ Φ x 2 to denote that there exists a simulation equivalence relation Φ such that (x 1 , x 2 ) ∈ Φ, read as x 1 and x 2 are simulation equivalent or similar.
IV. PRELATTICE OF AUTOMATA UNDER SIMULATION RELATION
In this section, we show that simulation relation serves a preorder for the set of all automata defined over a common event set, and show that the set of automata defined over a common event set together with the simulation relation preorder constitutes a prelattice.
Definition 3: [8] A preorder relation, denoted ≤, over a set X is a transitive and reflexive relation. The pair (X, ≤), where X is a set and ≤ is a preorder over X, is called a preordered set.
Note that supremal and infimal elements computed over a preordered set are not unique. If x1 and x2 are two supremal or infimal elements of Y, then it holds that x1 ≤ x2 and x2 ≤ x1. However, since a preorder is not antisymmetric, we cannot claim that x1 = x2, i.e., the uniqueness of the supremal/infimal does not hold. Now we consider the set of all automata A over a fixed alphabet Σ and the simulation relation over this set. It is known that the simulation relation is transitive (refer to [18]), i.e., given automata G1, G2 and G3, if G1 G2 and G2 G3, then G1 G3. Also, G G holds, implying the reflexivity of the simulation relation. However G1 G2 and
e., antisymmetry does not hold. Therefore, the pair (A, ) is a preorder set. For space consideration, all proofs are omitted.
Theorem 1:
V. CONTROL FOR SIMULATION EQUIVALENCE
In what follows, we represent a plant, a specification, and a supervisor by G = (X, Σ, α, X 0 ), R = (Q, Σ, δ, Q 0 ) and S = (Y, Σ, β, Y 0 ), respectively. We introduced the notion of state-controllability in [18] to extend the traditional notion of language-controllability from the deterministic setting to the nondeterministic setting.
Definition 5: Given plant and specification automata G and R with L(R) ⊆ L(G), we say R is state-controllable with respect to
Since a supervisor cannot disable an uncontrollable event, the following notion is defined to enforce this requirement.
Definition 6: An automaton S is Σ u -compatible if each uncontrollable event is defined at each state of S.
Suppose S is state-controllable with respect to G and Σ u . Define S as S augmented with self-loops at each state on the uncontrollable events undefined at that state. Then S is Σ u -compatible and G S G S (refer to Lemma 3 in [18]).
It is known that the language-controllability is closed under intersection for prefix-closed languages. We show that state-controllability is also preserved under synchronous composition of automata.
Lemma 1: R 1 and R 2 are state-controllable with respect to G implies that R 1 R 2 is state-controllable with respect to G.
The following theorem provides a necessary and sufficient condition for the existence of a supervisor. The condition is existential in nature, and will be used to obtain a constructive one later.
Theorem 2: Given a nondeterministic plant G and specification R, there exists a Σ u -compatible supervisor S such that G S ∼ R if and only if (i) R G and (ii) there exists a state-controllable state machine R such that G R R R .
Before providing a constructive condition for the existence of a similarity enforcing supervisor, we introduce the notion of an infimal R-simulating state-controllable system. We have:
• R R 1 and R R 2 implies R R 1 R 2 , and
• R 1 and R 2 state-controllable implies R 1 R 2 state-controllable.
So we can define the notion of an infimal R-simulating state-controllable system:
Definition 7: Given G and R, R is an infimal R-simulating state-controllable system with respect to G if
• R is state-controllable with respect to G,
• R R , i.e., R is R-simulating, and
• R is state-controllable with respect to G and R R implies R R .
We denote an infimal R-simulating state-controllable system as inf SC(R). The following theorem immediately follows. It provides a constructive necessary and sufficient condition for the existence of a similarity enforcing supervisor.
Theorem 3: Given G and R, there exists a Σ u -compatible supervisor S such that G S ∼ R if and only if (i) R G and (ii) G inf SC(R) R.
Testing the existence of a similarity enforcing supervisor using Theorem 3 requires the computation of inf SC(R). Since R G is a part of the necessary and sufficient condition, we assume without loss of generality that R G, and present an algorithm for computing inf SC(R) under this assumption.
Algorithm 1: Given G and R with R G, the following algorithm computes inf SC(R).
by language preserving determinization of the automaton G.
Theorem 4: Algorithm 1 is correct.
For testing the existence of a similarity enforcing supervisor using the condition of Theorem 2, we need to check G inf SC(R) R. In the following theorem, we show this can be further simplified by showing that
Theorem 5: Given G and R, it holds that G R u ∼ G inf SC(R), where R u is as constructed in Algorithm 1.
The following result is immediate and provides an easily testable necessary and sufficient condition for the existence of a similarity enforcing supervisor.
Theorem 6: Given G and R, there exists a Σ u -compatible state machine S such that G S ∼ R if and only if G R u R G, where R u is as computed in Step 1 of Algorithm 1.
Remark 1: The complexity of checking G R u R is linear in the size of the plant and quadratic in the size of the specification. Also, the proof of Theorem 6 demonstrates that R u can be used as a supervisor, the complexity of whose computation is linear in the size of the specification. (R u has just one extra state compared to R.)
Now we revisit the motivating example introduced in Section II.
Example 2: Our goal is to find a Σ u -compatible supervisor S for the message transmission system such that G S ∼ R. To do this, we first check whether R G. We find the following simulation relation exists between R and G:
Next, we need to check whether G R u R. For this we need to construct R u using Step 1 of Algorithm 1. The constructed R u is depicted in Figure 3 .
Next the synchronous composition of G and R u is shown in Figure 3 . We find the following simulation relation Φ 2 exists between G R u and R:
i.e., G R u Φ2 R. Thus we conclude that there exists a Σ u -compatible supervisor to enforce simulation equivalence between the controlled system and specification, and R u can serve as a supervisor.
To verify whether using R u as a supervisor will yield G R u ∼ R, we search for a simulation equivalence relation between the controlled system G R u and the specification R. A simulation equivalence relation Φ 3 between G R u and R is given by:
The control being exercised can be interpreted as follows. In the plant model, the routing center can be thought of as having a single queue for all arrived messages. When the routing center is ready to put a message on a channel, it picks one of the messages from the queue (say from the head of the queue) and places it on either of the two channels. The controller restricts this behavior of the routing center by essentially implementing two queues, one for each channel (and not one for each message type). Upon arrival, messages of type 1 are always placed in the queue for the secure channel, whereas messages of type 2 can be placed in either of the two queues. The exact channel selection for a message of type 2 can be done, for example, based on the lengths of the two queues. However, since the lengths of the two queues at any given time are not known in advance, the selection of a queue essentially occurs nondeterministically for each message of type 2.
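As an added illustration (example code written for this page, not the paper's own implementation, and using constructed stand-ins for the automata of Figures 1 to 3, which are not reproduced here), the largest simulation relation of Definition 1 is computed as a greatest fixpoint; Definition 2, the synchronous composition, Definition 6 and the self-loop augmentation S of Section V are built on it; silent transitions are omitted. On the constructed G and R, using the nondeterministic specification itself as supervisor makes the controlled system similar to R, whereas the deterministic generator of L(R) does not, which is the point of Examples 1 and 2.

```python
from itertools import product

# Automata as in the paper's 4-tuple (no silent transitions here), encoded as
# {"states": set, "init": set, "delta": {(x, sigma): set of successor states}}.
def aut(init, edges):
    delta, states = {}, set(init)
    for x, sigma, y in edges:
        delta.setdefault((x, sigma), set()).add(y)
        states |= {x, y}
    return {"states": states, "init": set(init), "delta": delta}

def largest_simulation(g1, g2):
    # Greatest fixpoint of Definition 1: start from all pairs and drop (x1, x2)
    # while some x1 -sigma-> y1 has no x2 -sigma-> y2 with (y1, y2) still kept.
    alphabet = {s for (_, s) in g1["delta"]} | {s for (_, s) in g2["delta"]}
    phi, changed = set(product(g1["states"], g2["states"])), True
    while changed:
        changed = False
        for x1, x2 in list(phi):
            if not all(any((y1, y2) in phi for y2 in g2["delta"].get((x2, s), ()))
                       for s in alphabet for y1 in g1["delta"].get((x1, s), ())):
                phi.discard((x1, x2))
                changed = True
    return phi

def simulated_by(g1, g2):
    # G1 is simulated by G2 when X01 Phi X02 for the largest simulation Phi.
    phi = largest_simulation(g1, g2)
    return all(any((x1, x2) in phi for x2 in g2["init"]) for x1 in g1["init"])

def similar(g1, g2):
    # Simulation equivalence (Definition 2): simulation in both directions.
    return simulated_by(g1, g2) and simulated_by(g2, g1)

def sync(g1, g2):
    # Synchronous composition over a common alphabet: both move on every event.
    delta = {}
    for (x1, s), t1 in g1["delta"].items():
        for (x2, s2), t2 in g2["delta"].items():
            if s == s2:
                delta[((x1, x2), s)] = set(product(t1, t2))
    return {"states": set(product(g1["states"], g2["states"])),
            "init": set(product(g1["init"], g2["init"])), "delta": delta}

def sigma_u_compatible(s, sigma_u):
    # Definition 6: every uncontrollable event is defined at every state of S.
    return all((y, u) in s["delta"] for y in s["states"] for u in sigma_u)

def augment(s, sigma_u):
    # S-bar of Section V: self-loop each state on its undefined uncontrollable events.
    delta = dict(s["delta"])
    for y in s["states"]:
        for u in sigma_u:
            delta.setdefault((y, u), {y})
    return {"states": set(s["states"]), "init": set(s["init"]), "delta": delta}

# Constructed stand-ins for the figures (not the paper's exact automata). Plant G
# routes any forwarded (f) message on the secure (s) or unsecure (u) channel;
# the acknowledgement a is the only uncontrollable event.
SIGMA_U = {"a"}
G = aut({"i"}, [("i", "m1", "p"), ("i", "m2", "p"), ("p", "f", "c"),
                ("c", "s", "d"), ("c", "u", "d"), ("d", "a", "i")])
# Specification R: m1 must go secure; after m2 is forwarded, R nondeterministically
# commits to the secure branch (c2) or the unsecure branch (c3).
R = aut({"i"}, [("i", "m1", "q1"), ("q1", "f", "c1"), ("c1", "s", "d"),
                ("i", "m2", "q2"), ("q2", "f", "c2"), ("q2", "f", "c3"),
                ("c2", "s", "d"), ("c3", "u", "d"), ("d", "a", "i")])
# A deterministic generator of L(R): the two routing states are merged into c23.
R_DET = aut({"i"}, [("i", "m1", "q1"), ("q1", "f", "c1"), ("c1", "s", "d"),
                    ("i", "m2", "q2"), ("q2", "f", "c23"), ("c23", "s", "d"),
                    ("c23", "u", "d"), ("d", "a", "i")])

def controlled_is_similar(supervisor):
    # Is G || S-bar similar to R, with S-bar the Sigma_u-compatible version of S?
    return similar(sync(G, augment(supervisor, SIGMA_U)), R)
```

`controlled_is_similar(R)` returns True while `controlled_is_similar(R_DET)` returns False: after m2 f the composition with det(R) offers both s and u from one state, which no state of R simulates, even though R is still simulated by that composition.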
VI. SPECIALIZATION TO DETERMINISTIC CASE
The case of a deterministic plant is of special interest for the following reason: in our prior work on supervisory control for achieving bisimulation equivalence (refer to [18]), we showed that the problem can be solved polynomially when the plant model is deterministic. (No polynomial algorithm is known when the plant is nondeterministic.) It was shown in [18] that a necessary and sufficient condition for the existence of a Σ u -compatible supervisor S such that G S R for a deterministic G and a possibly nondeterministic R is that R be simulated by G and R be state-controllable. In this section we show that if we only require simulation equivalence of the controlled plant G S and the specification R, then a weaker condition than state-controllability is required (as expected). We introduce that weaker condition, called state-controllable-similar, prove its necessity and sufficiency, and present a way to test it.
Definition 8: R is state-controllable-similar (SCS) with respect to G if it is simulation equivalent to a system R that is state-controllable with respect to G.
The notion of SCS is stronger than language-controllable (LC) and weaker than state-controllable (SC). Recall that for deterministic G and possibly nondeterministic R with L(R) ⊆ L(G), LC serves as a necessary and sufficient condition for language equivalence control, and SC serves as a necessary and sufficient condition for bisimulation equivalence control.
Theorem 7: Given a deterministic plant G and a possibly nondeterministic specification R, there exists a Σ u -compatible supervisor S such that G S ∼ R if and only if R is G-simulated and state-controllable-similar with respect to G.
The next theorem presents a method to verify the property of SCS of R with respect to G.
Theorem 8: Given deterministic G and R G, R is SCS with respect to G if and only if G R u R.
, is necessary and sufficient for the existence of a similarity enforcing supervisor. When a supervisor exists, R u can be chosen to be one. Clearly, R u is deterministic if and only if R is deterministic. But a deterministic supervisor may exist even otherwise. The point of this exercise is to show two things: (i) the existence condition for a deterministic supervisor is stronger than that for a nondeterministic one, and (ii) the complexity of verifying the existence of a deterministic supervisor is exponential. So, it is preferable to opt for a nondeterministic supervisor. The following theorem presents a necessary and sufficient condition for the existence of a deterministic supervisor.
Theorem 9: Given G and R, there exists a Σ u -compatible deterministic supervisor S such that G S ∼ R if and only if (i) R G, (ii) det(R) is controllable, and (iii) G det(R) R.
Remark 2: The complexity of checking the existence of a similarity enforcing deterministic supervisor is linear in the size of the plant and exponential in the size of the specification (due to the need for determinization of the specification automaton).
VIII. CONCLUSION
The paper studies supervisory control for enforcing simulation equivalence between the controlled plant and the specification, and is a continuation of our work on supervisory control for nondeterministic specifications (prior work reported in [18] considered control for bisimulation equivalence). Simulation equivalence seems to represent a nice compromise between the polynomial complexity offered by language equality based control and the generality of bisimilarity based control: while the control computation for the former has polynomial complexity, the control computation for the latter seems to have exponential complexity. On the other hand, language equality imposes no constraint on the nondeterministic (branching) behavior, whereas bisimilarity poses an exact constraint on the nondeterministic behavior. Simulation equivalence is able to impose certain types of constraints on the branching behavior (namely, upper bound constraints), yet the control computation complexity for simulation equivalence remains polynomial. This makes simulation equivalence a useful notion of behavioral equivalence from the viewpoint of control.
