A hierarchical consistency framework for real-time supervisory control

The control framework of hierarchical consistency of timed discrete-event systems (TDES’s) is investigated in a standard two-level hierarchy. Real-time concepts and the associated theoretical results supporting consistent TDES hierarchies are developed. Where the given low-level system model of the hierarchy possesses time fidelity, a consistency version that assures time fidelity of the high-level system model is also developed. Importantly, this version furnishes a sound real-time high-level specification design foundation for hierarchical control. An example illustrates the new time-fidelity control foundation. Given that in general, a given two-level TDES hierarchy is not hierarchically consistent between the levels, the structural existence and synthesis of the sufficiency structure for hierarchical consistency is investigated. Both the timed versions of hierarchical consistency - without and with output-time fidelity guarantee - are successively treated. The abstraction or output-system refinement procedures for the version without output-time fidelity guarantee are first developed for a class of TDES hierarchies under mild output-system design restrictions. The abstraction methods for the version with output-time fidelity are then developed for a subclass ‘linearly’ structured under further output-system design restrictions. A detailed example explains and illustrates the use of an overarching method developed.


Introduction
Under the general framework of formal languages and finite (or finite-state) automata, the seminal concept of hierarchical consistency for logical or untimed discrete-event systems (DES's) (Zhong and Wonham 1990) is suitably extended to timed DES's (TDES's) in this paper. In a two-level, untimed hierarchical control setup, conceptualized in Zhong and Wonham (1990) and algorithmically realized in Ngo and Seow (2014a), the system at the low level drives the system at the high level which is an abstraction of the former, via an information channel modeled by a hierarchical reporter map. Depicted in Fig. 1, this setup consists of two horizontal levels of standard feedback control which are vertically interconnected so that a manager at the high level (or high-level supervisor) can issue commands to an operator at the low level (or low-level supervisor) to control a real DES modeled by a Moore automaton (Eilenberg 1974), in response to information of interest sent up from the low level to the high level. By hierarchical consistency between the levels (Zhong and Wonham 1990), a low-level supervisor implementing feasible commands issued (or virtual controls) at the high level can fully realize a controllable prefix-closed specification task (Ramadge and Wonham 1987) prescribed at the high level. The importance of hierarchical control stems from the fact that, in general, a hierarchical structure conforms better to practice and renders a given system more manageable for system specification and control in terms of large-scale system design comprehensibility and improving control computational efficiency (Ngo and Seow 2014a).
Based on architecturally the same two-level setup as the hierarchical control of untimed DES's (Zhong and Wonham 1990), in this paper, a TDES hierarchy is modeled by a Moore automaton representing the low-level system driving the high-level system of the hierarchy. The Moore automaton is constructed from a given TDES (automaton) model for the low level and a new timed formulation of a hierarchical reporter map modeling the information channel, via which the high-level system is 'virtualized' and driven by the low-level system. The Moore model of the low-level system may be constructed from a TDES model proposed in Brandin and Wonham (1994). This TDES model is a timed transition graph, and is a formulation that possesses sound system (event-) timing semantics as implicitly founded in Brandin and Wonham (1994), but formally and explicitly elucidated in this paper. In this system model, time is represented by a special event denoting an atomic tick of the global clock. By sound system timing semantics, we mean the system model possesses time fidelity, characterizing time progression as unstoppable and never halting an executing activity event. In generalizing hierarchical control to real time, the high-level system abstraction may aggregate time but should respect high-level time fidelity, in tandem with the low-level system model respecting low-level time fidelity. Without high-level time or output-time fidelity, designers would often need to go beneath the abstraction level to ensure that desired timing requirements are correctly specified for the real system at the low level, and this as a result could increase complexity and effort in specification design and synthesis.

Fig. 1 The command & control hierarchy (Zhong and Wonham 1990)
There are several real-time control approaches using different TDES models proposed in the literature. Besides 'timed transition graphs' (Brandin and Wonham 1994), other notable TDES models include 'clock automata' (Brave and Heymann 1988), 'timed transition (semantics) models' (Ostroff and Wonham 1990), 'timed state automata' (Cassandras 1993), 'timed automata' used in Wong-Toi and Hoffman (1988) and Alur and Dill (1994), and 'timed Petri nets' (Cofer and Garg 1996). Timed transition graphs are a specialized class of finite automata formulated as system models for real-time supervisory control of TDES's in Brandin and Wonham (1994), and are able to represent a variety of timing issues for a useful range of control problems (Wonham 2016). Despite the well-known complexity shortcomings of timed transition graphs as TDES models (Knap 2001; Gohari and Wonham 2003), the real-time nonblocking control theory (Brandin and Wonham 1994) and its subsequent developments form a mathematically rigorous body of conceptually rich work based on this graph model. These developments include work on supervisor reduction (Gohari and Wonham 2003), efficient control synthesis using binary decision diagrams (BDD's) (Saadatpoor and Wonham 2007), control under partial observation (Lin and Wonham 1995; Cai et al. 2014), nonblocking control with communication delay (Park and Cho 2008), specification automaton transparency for validation (Dhananjayan and Seow 2015) and translation (Dhananjayan and Seow 2014) from a class of real-time temporal logic, decentralized control (Takai 2011, 2013; Sadid et al. 2014), modular control (Ho 2003; Schafaschek et al. 2017), localized or distributed control (Zhang et al. 2013) and that with communication delay, and hierarchical control (Wong and Wonham 1996; Saadatpoor 2009).
In our research, we add to this intellectually promising body of real-time control research by extending the monolithic control theory for TDES's (Brandin and Wonham 1994) to hierarchical control. The contributions include a number of new timed concepts to support hierarchical consistency with output-time fidelity, within the same elementary framework and computational foundation for formal languages and finite automata. Central to timed system abstractions for hierarchical consistency, without and with output-time fidelity guarantee, is the strict version of the respective new system abstraction concepts called output-control consistency and timed output-control consistency, extending the untimed version (Zhong and Wonham 1990) to real time in this paper. Of critical interest is the latter stronger concept that captures the notion of time fidelity in system abstraction. The need for physical time fidelity in system abstraction is partly motivated by challenges in real-time design of cyber-physical systems (CPS's) (Lee 2009, 2010). Characterized as holistic integrations of computation, communication, and physical systems, CPS's are an important source of hierarchical TDES's. In CPS research, it has been put forth that system abstractions carried out need to unify the low-level (i.e., digital or physical) timing dynamics and the high-level (or cyber) computations in a high-level system model with correct time representation for control design.
Generalizing logical (Zhong and Wonham 1990) to timed hierarchical control and borrowing the CPS terminology from Lee (2010), the proposed system abstraction for hierarchical consistency with output-time fidelity is said to correctly 'physicalize the cyber' by aggregating the physicality of time into the cyber (virtual) system, and 'cyberize the physical' by semantically linking cyber or high-level events and their control properties, defined in the cyber system for an application of interest, to appropriate physical control behaviors in terms of timed low-level events in the real (physical) system. Importantly, with or without time fidelity, the high-level TDES model of the hierarchy resulting from the application of either abstraction concept proposed is endowed with a natural control structure, which subsumes the tick preemption concept of event forcing (Brandin and Wonham 1994) and is a generalization of the untimed version (Zhong and Wonham 1990).
Despite its importance as a control architecture, there is relatively little work on hierarchical control in a real-time framework. One related early effort (Wong and Wonham 1996) extends the hierarchical control of logical DES's (Zhong and Wonham 1990; Wonham 2016) - a bottom-up (or detail-abstraction) design approach - to a timed version. However, unlike the timed transition graph formulation of the TDES model (Brandin and Wonham 1994) adopted for our research, in Wong and Wonham (1996), the system property of time not halting an executing event is relaxed for both levels of the hierarchy. Because of this relaxation, the tick event at both levels is akin to a timeout in general, and may be treated like any other event. The research therefore does not consider system time fidelity, and in this aspect is fundamentally different from this paper.
Another related effort (Saadatpoor 2009; Saadatpoor et al. 2008) extends the hierarchical control using state tree structures (Ma and Wonham 2005) - a top-down (or detail-refinement) design approach - to a real-time version. In this approach, a given TDES model is of the type (Brandin and Wonham 1994) possessing time fidelity, and is encoded (equivalently) into a timed state tree structure without time aggregation or abstraction for efficient BDD-based control synthesis. System time fidelity is a non-issue in this computational approach.
The rest of the paper is organized as follows. Section 2 presents a relevant background for and on the modeling and control-theoretic study of TDES's that includes unearthing the fundamental properties of system tick preemptability and time fidelity. Section 3 follows up with a Moore system formulation for two-level hierarchical control, and explains the need for system output-time fidelity. Section 4 defines the constituent concepts for the system concept of timed output-control consistency, by which the system abstraction at the high level possesses a natural timed control structure as the system at the low level. An earlier version of the work in Section 4 was published in Ngo and Seow (2014b); the concepts are more fully developed in this paper. Together with these constituent concepts, Section 5 adds a timed concept of partner-freeness to formulate system sufficiency structures for hierarchical consistency between the two levels, without and with output-time fidelity guarantee. Section 6 investigates the structural existence and synthesis of the sufficiency structure for hierarchical consistency, based on which in Section 7, it is shown that hierarchical consistency can be achieved for a class of TDES hierarchies under mild output-system design restrictions, and the version with output-time fidelity can be achieved for a subclass 'linearly' structured under further output-system design restrictions. Section 7 ends with a discussion on generalizing and scaling to multiple levels the consistency of a two-level hierarchy. Section 8 concludes the paper. Examples and figures are provided to help explain and illustrate the theoretical concepts and the use of the procedures developed.

Background
The relevant notation for and background on supervisory control of TDES's, taken mainly from Ramadge and Wonham (1987) and Brandin and Wonham (1994), are reviewed in this section. The fundamental properties of preemptability and fidelity of system atomic time, founded implicitly in Brandin and Wonham (1994), are explicitly defined or elucidated for our subsequent theoretical development.

Languages & automata for TDES modeling
Let Σ be a finite set of symbols representing events. A string is a finite sequence of events. Let Σ * be the set of strings over Σ, including the empty string ε (a sequence with no events); and Σ + = Σ * − {ε}. Given a string s ∈ Σ * , a string s′ is a prefix of s, denoted by s′ ≤ s, if (∃t ∈ Σ * ) s′t = s; a strict prefix of s, denoted by s′ < s, if s′ ≤ s and s′ ≠ s; and a suffix of s if (∃t ∈ Σ * ) ts′ = s.
A formal language L is defined over Σ by a subset of Σ * . For L 1 , L 2 ⊆ Σ * , L 1 is said to be a sublanguage of L 2 if L 1 ⊆ L 2 . The prefix closure of L, denoted by L̄, is L̄ = {s′ | (∃s ∈ L) s′ ≤ s}, the set of prefix strings of strings in L. Clearly, L ⊆ L̄, and L ≠ ∅ provided ε ∈ L̄. The language L is said to be prefix-closed if L = L̄.
A regular language is a language that can be generated by a finite-state automaton (Hopcroft and Ullman 1979). An automaton G is a 5-tuple (Q, Σ, δ, q 0 , Q m ), where Q is the set of states, Σ is the finite set of events, δ : Σ × Q → Q is the (partial and deterministic) transition function, q 0 is the initial state, and Q m ⊆ Q is the subset of marked states. Note that the state set Q is finite unless otherwise specified. That an event σ ∈ Σ is defined at a state q ∈ Q is denoted by δ(σ, q)!, and ¬δ(σ, q)! otherwise. For an event subset Σ′ ⊆ Σ and a state q ∈ Q, let Σ′(q) = {σ ∈ Σ′ | δ(σ, q)!}, the subset of events in Σ′ that are defined at state q. The transition function δ can be extended to Σ * as follows: δ(ε, q) = q, and (∀σ ∈ Σ)(∀s ∈ Σ * ) δ(sσ, q) = δ(σ, δ(s, q)), which is defined if q′ = δ(s, q) and δ(σ, q′) are both defined.
Two languages characterize the behavior of automaton G, namely, the prefix-closed lan-
A state q ∈ Q is reachable (from the initial state q 0 ) if (∃s ∈ Σ * ) δ(s, q 0 ) = q, and coreachable if (∃s ∈ Σ * ) δ(s, q) ∈ Q m . Automaton G is reachable if all its states are reachable, and coreachable if all its states are coreachable and so L̄ m (G) = L(G). Finally, automaton G is trim if it is both reachable and coreachable.
Graphically, an automaton G is represented by an edge-labeled directed graph as follows: A graphical node denotes an automaton state. A σ-labeled edge, directed from a node denoting a state q to a node denoting a state q′, represents the transition of event σ from q to q′, i.e., δ(σ, q) = q′. A node with an entering arrow denotes the initial state q 0 , and a node that is darkened or is a double-concentric circle denotes a marked state.
An automaton G is usually formed by the synchronization of n component automata G 1 , G 2 , · · · , G n , n ≥ 2, whose interactions among them may be modeled on the synchronous operator ∥ (Cassandras and Lafortune 2008a); and is denoted by G = G 1 ∥ G 2 ∥ · · · ∥ G n , called the synchronous product. This product may be constructed for n = 2 as detailed in Cassandras and Lafortune (2008b), and recursively so for n > 2 by the associativity of ∥. If the n automata share the same event set, then the synchronous product G reduces to the Cartesian product (Cassandras and Lafortune 2008a), modeled on the Cartesian operator × and denoted by G = G 1 × G 2 × · · · × G n .

Timed discrete-event system (TDES) model
A TDES (Brandin and Wonham 1994) can be modeled by an automaton called activity transition graph (ATG) and the timing information associated with each system event. Combining the ATG model and timing information furnishes a timed transition graph (TTG), an automaton generating prefix-closed and marked languages that explicitly model the timed behaviors of the TDES.
Formally, the ATG of a TDES is the automaton G act = (A, Σ act , δ act , a 0 , A m ) (1), where the state set is redesignated as A, the set of activities, and is finite, with each activity associated with a time duration, Σ act is the finite set of activity events, δ act : Σ act × A → A is the activity transition function, a 0 is the initial activity, and A m ⊆ A is the subset of marked activities. Let N = {0, 1, 2, · · · }, the set of natural numbers. In associating the ATG G act with timing information, each event σ ∈ Σ act is assigned with time bounds, namely, a lower time bound l σ ∈ N and an upper time bound u σ ∈ N ∪ {∞}, where l σ ≤ u σ , and specified as σ [l σ , u σ ]. A time bound is quantified in terms of a number of ticks of the global clock. A time tick is denoted by a special event symbol tick ∉ Σ act , and its occurrence denotes a transition or passage of an atomic unit of time. Under these time bound assignments, Σ act is divided into two disjoint subsets Σ spe and Σ rem , i.e., Σ act = Σ spe ∪ Σ rem and Σ spe ∩ Σ rem = ∅, and this partition is denoted by Σ act = Σ spe ∪̇ Σ rem . The set Σ rem = {σ ∈ Σ act | u σ = ∞} is called the subset of remote events; and the set Σ spe = {σ ∈ Σ act | u σ < ∞} is called the subset of prospective events. Each event σ ∈ Σ act has a local countdown timer t σ with a default value t σ 0 , initialized as u σ if σ ∈ Σ spe , and l σ if σ ∈ Σ rem . Intuitively, the existence of a lower time bound means that an event σ is only eligible or ready to occur in the TDES after l σ ticks upon entering an activity in G act (1) where σ is defined, and will never occur before that; and each tick occurrence decreases the timer t σ by one tick count, until t σ = 0. If σ is a remote event and t σ is or has decreased to 0, it becomes eligible but might or might not occur next. If σ is a prospective event, it might occur during 0 ≤ t σ ≤ u σ − l σ , and must occur next when t σ = 0 (at which it is said to be imminent) unless it is preempted by another eligible activity event.
The timer interval or duration D σ is defined for σ as [0, u σ ] if σ ∈ Σ spe , and [0, l σ ] if σ ∈ Σ rem . Therefore, t σ ∈ D σ . Being instantaneous (Brandin and Wonham 1994), an event occurrence is modeled as abrupt with no time duration.
Let Σ = Σ act ∪̇ {tick}. Given the ATG G act (1) and timer information as defined above for each event σ ∈ Σ act , the TTG of the TDES is the automaton G = (Q, Σ, δ, q 0 , Q m ) (2), with finite state set Q = A × ∏{D σ | σ ∈ Σ act } and marked state set Q m ⊆ Q. For an activity event σ ∈ Σ act and a state q = (a, −) ∈ Q, σ is eligible at q provided δ(σ, q)!, and is said to be enabled at q provided δ act (σ, a)!; and δ(σ, q)! iff δ act (σ, a)! and the timer t σ at q lies in the eligibility range stated above (0 ≤ t σ ≤ u σ − l σ if σ ∈ Σ spe , and t σ = 0 if σ ∈ Σ rem ). The TDES G is also subjected to both of the following conditions. Condition (4) - time-progressivity (TP) - characterizes that the time event tick is eligible at state q provided no prospective event is due at the state. Condition (5) - activity-loop freeness (ALF) - asserts that there is no activity loop at a state q ∈ Q in TDES G. An activity loop is a cycle containing only activity events, and repeated execution of an activity loop is deemed to incur no time duration. As such loops are physically infeasible, this condition is needed to exclude such loops in (the languages of) TDES G.
In meeting TP (4) and ALF (5), the persistence of time (evolution) is not violated in TDES model G, characterizing the fact that a TDES can never stop the clock (Brandin and Wonham 1994).
We now briefly review TDES composition (Brandin and Wonham 1994). A TDES G is usually a modular system of n component TDES's G 1 , G 2 , · · · , G n , n ≥ 2, with their respective component ATG's G 1,act , G 2,act , · · · , G n,act ; and it is herewith denoted by the composition of G 1 , G 2 , · · · , G n under an operator called the composition operator. The approach of composing the modular TDES G based on G act = G 1,act ∥ G 2,act ∥ · · · ∥ G n,act - the ATG of G - is detailed in Brandin and Wonham (1994), and the case where no two arbitrary component TDES's share an activity event is treated in Wonham (2016).

Timing properties of TDES model
For an automaton G of the type (2) modeling a TDES, the following are its qualitative temporal properties.
The property states that a time event tick is always eligible at a reachable state with no eligible activity events. By Property 1, the continual time elapse that persists even during the transience or absence of system activity is modeled.
The next property strengthens Property 1.
Hence the property.
The property states that the event tick is always eligible at a reachable state with no eligible prospective event.
Hence the property.
The property states that eligible activity events at a reachable state remain eligible at another following the time elapse of a tick. By Property 3, the continual execution of an activity event as time elapses is effectively modeled. Applying this property iteratively, tick occurrences represent the elapse of time until some eligible activity event occurs instantaneously.
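The TTG construction reviewed in the previous subsection (timers, tick-driven countdown, TP and ALF) and Properties 1 and 3 above are concrete enough to execute. The following is an added example, not code from the paper or from Brandin and Wonham: it builds the reachable TTG of a small constructed ATG with one prospective event alpha[1,2] and one remote event beta[1,∞] (event names and bounds are invented), following the timer-update rules of the Brandin-Wonham model as this editor understands them, then checks Property 1, Property 3 and ALF over the reachable states. A second constructed ATG, with a remote event gamma[0,∞] looping on a single activity, shows the ALF check rejecting an activity loop.

```python
"""Added example (not from the paper): build the timed transition graph (TTG) of a
small TDES from its activity transition graph (ATG) plus event time bounds, then
check Property 1, Property 3 and activity-loop freeness (ALF) on the result."""
from typing import Dict, Set, Tuple

INF = float("inf")
TICK = "tick"

# Constructed sample ATG: alpha[1,2] (prospective) takes activity 0 to 1 and
# beta[1,inf] (remote) takes activity 1 back to 0.  Names and bounds are invented.
ATG: Dict[Tuple[str, int], int] = {("alpha", 0): 1, ("beta", 1): 0}
BOUNDS: Dict[str, Tuple[float, float]] = {"alpha": (1, 2), "beta": (1, INF)}

# Constructed ATG that violates ALF: gamma[0,inf] self-loops without any tick.
ATG_LOOP: Dict[Tuple[str, int], int] = {("gamma", 0): 0}
BOUNDS_LOOP: Dict[str, Tuple[float, float]] = {"gamma": (0, INF)}


def default_timer(e: str, bounds) -> float:
    """Default timer value: u_sigma for a prospective event, l_sigma for a remote one."""
    l, u = bounds[e]
    return u if u != INF else l


def enabled(a: int, atg) -> Set[str]:
    """Activity events defined at activity a in the ATG (delta_act(sigma, a)!)."""
    return {e for (e, act) in atg if act == a}


def activity_eligible(e: str, timer: float, bounds) -> bool:
    """Prospective: eligible while 0 <= t <= u - l; remote: eligible once t == 0."""
    l, u = bounds[e]
    return 0 <= timer <= u - l if u != INF else timer == 0


def tick_eligible(a: int, timers, atg, bounds) -> bool:
    """TP: tick is eligible unless an enabled prospective event is imminent (t == 0)."""
    return not any(bounds[e][1] != INF and timers[e] == 0 for e in enabled(a, atg))


def build_ttg(atg, bounds, a0: int):
    """Return (q0, reachable states, transition map).  A TTG state is
    (activity, tuple of timer values in sorted event-name order)."""
    events = sorted(bounds)
    key = lambda a, t: (a, tuple(t[e] for e in events))
    q0 = key(a0, {e: default_timer(e, bounds) for e in events})
    delta, seen, stack = {}, {q0}, [q0]
    while stack:
        q = stack.pop()
        a, timers = q[0], dict(zip(events, q[1]))
        succ = []
        if tick_eligible(a, timers, atg, bounds):
            # tick: enabled events count down (remote ones stop at 0); others hold default
            nt = {e: max(timers[e] - 1, 0) if e in enabled(a, atg) else default_timer(e, bounds)
                  for e in events}
            succ.append((TICK, key(a, nt)))
        for e in enabled(a, atg):
            if activity_eligible(e, timers[e], bounds):
                a2 = atg[(e, a)]
                # the occurring event resets its own timer; any other event keeps its
                # timer only if still enabled at the new activity, else resets to default
                nt = {f: default_timer(f, bounds) if f == e or f not in enabled(a2, atg)
                      else timers[f] for f in events}
                succ.append((e, key(a2, nt)))
        for e, q2 in succ:
            delta[(e, q)] = q2
            if q2 not in seen:
                seen.add(q2)
                stack.append(q2)
    return q0, seen, delta


def eligible_at(q, delta) -> Set[str]:
    """Sigma(q): the events defined at TTG state q."""
    return {e for (e, s) in delta if s == q}


def check_property1(states, delta) -> bool:
    """tick is eligible at every reachable state with no eligible activity event."""
    return all(TICK in eligible_at(q, delta)
               for q in states if not (eligible_at(q, delta) - {TICK}))


def check_property3(states, delta) -> bool:
    """Activity events eligible at q remain eligible after a tick from q."""
    return all((eligible_at(q, delta) - {TICK}) <= eligible_at(delta[(TICK, q)], delta)
               for q in states if (TICK, q) in delta)


def check_alf(states, delta) -> bool:
    """ALF: no cycle consisting only of activity events (DFS cycle detection)."""
    adj = {q: [q2 for (e, s), q2 in delta.items() if s == q and e != TICK] for q in states}
    color = {q: 0 for q in states}  # 0 unvisited, 1 on the DFS stack, 2 finished

    def dfs(u) -> bool:
        color[u] = 1
        for v in adj[u]:
            if color[v] == 1 or (color[v] == 0 and not dfs(v)):
                return False
        color[u] = 2
        return True

    return all(color[q] != 0 or dfs(q) for q in states)


def analyse(atg, bounds, a0: int = 0) -> dict:
    q0, states, delta = build_ttg(atg, bounds, a0)
    return {"states": len(states), "transitions": len(delta),
            "property1": check_property1(states, delta),
            "property3": check_property3(states, delta),
            "alf": check_alf(states, delta)}


if __name__ == "__main__":
    print(analyse(ATG, BOUNDS))            # 5 states, 7 transitions, all checks True
    print(analyse(ATG_LOOP, BOUNDS_LOOP))  # 1 state, 2 transitions, alf False
```

The sample TDES yields five reachable TTG states: two ticks must elapse before alpha can fire from the initial activity, alpha is forced at t = 0 (tick is not defined there), and beta waits one tick after activity 1 is entered and then may fire at any later tick. The looping ATG is accepted by TP but rejected by the ALF check, which is exactly the physically infeasible "zero-duration cycle" that condition (5) excludes.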

Control-theoretic setting & system time fidelity
The control-theoretic setting (Brandin and Wonham 1994) for TDES's assumes that the subset of events controllable by an external supervisor is predetermined. In a logical DES, an event is controllable if it is prohibitable, in that it can be prevented from occurring by (control) disablement. Extending to a TDES G (2), this notion of controllability is subsumed for activity events, and the event tick solely denoting an elapsed real time is also considered controllable wherever its system transitions can be preempted. In TDES G (2), it is further postulated that an event in Σ spe is not prohibitable, or uncontrollable, and it must occur next once its upper time bound is reached unless it is preempted by another eligible activity event, whereas an event in Σ rem may be. With Σ act = Σ spe ∪̇ Σ rem , it follows that the set of prohibitable events, denoted by Σ hib , is a subset of Σ rem , i.e., Σ hib ⊆ Σ rem . In what follows, the uncontrollable event set is defined as Σ u = Σ act − Σ hib = Σ spe ∪̇ (Σ rem − Σ hib ). Let Σ for ⊆ Σ act be the set of forcible events. An event in Σ act is either forcible or it is not. An enforced forcible event can only preempt tick, i.e., only tick will not occur next, at a state where both tick and the forcible event are eligible. As a forcible event can be either prohibitable or uncontrollable, various cases with regard to the preemptability of tick by a forcible event are distinguished in Definition 1.
Definition 1 (Tick preemptability) The event tick ∈ Σ(q) with q = δ(s, q 0 ) for an arbitrary s ∈ L(G) is said to be non-preemptable at q if Σ(q) ∩ Σ for = ∅; unambiguously preemptable at q if Σ(q) ∩ Σ for ∩ Σ u = ∅; and ambiguously preemptable at q if
Where the context is understood, 'at q' in Definition 1 is dropped when referring to tick preemptability.
The event tick is 'controllable' by preemption through a forcible event, not by disablement as for an event in Σ hib , since nothing can stop the global clock. Accordingly, the controllable event set is defined as Σ c = Σ − Σ u = Σ hib ∪̇ {tick}. Therefore, Σ = Σ c ∪̇ Σ u and this is identical to the control-theoretic setting for logical DES's (Ramadge and Wonham 1987).
Whenever it is not written as a member of the respective event subsets, a prohibitable and an uncontrollable event may be identified by a superscript '+' and '-' on its event symbol, respectively, and additionally followed by a superscript '#' provided the event is forcible.
We now define the various notions of control strings (and events) with respect to (w.r.t) the transition structure of a TDES G. Given an arbitrary nonempty string s = σ 1 σ 2 · · · σ k ∈ Σ * which is a suffix of some string of L(G), and where σ i ∈ Σ for all i (1 ≤ i ≤ k), string s is said to be
- controllable if, for some i (1 ≤ i ≤ k), σ i ∈ Σ hib , or σ i = tick and is unambiguously preemptable;
- uncontrollable if, for all i (1 ≤ i ≤ k), σ i ∈ Σ u , or σ i = tick and is non-preemptable;
- ambiguously controllable if, for all i (1 ≤ i ≤ k), σ i ∈ Σ u , or σ i = tick and is not unambiguously preemptable, and for some j (1 ≤ j ≤ k), σ j = tick and is ambiguously preemptable;
- preemption-unambiguous if, for all i (1 ≤ i ≤ k), either σ i ∈ Σ act , or σ i = tick and is not ambiguously preemptable.
Note that a string s as defined above is either controllable, uncontrollable or ambiguously controllable. Therefore, it is not controllable if it is either uncontrollable or ambiguously controllable, or equivalently, for all i (1 ≤ i ≤ k), σ i ∈ Σ u , or σ i = tick and is not unambiguously preemptable. An ambiguously controllable event is an ambiguously preemptable tick. A preemption-unambiguous string does not contain ambiguously preemptable ticks, and an uncontrollable string is preemption-unambiguous. Now, given the uncontrollable event set Σ u in the control-theoretic setting formulated, an important system model property that strengthens Property 1 but weakens Property 2 may be presented.
Proof By the fact that Σ spe ⊆ Σ u , a logical corollary, replacing Σ spe in Property 2 by Σ u , follows. Hence the property.
The property states that the event tick is always eligible at a reachable state with no eligible uncontrollable event. This means the evolution of time in the model G does not halt regardless of the absence of activity events or the disablement of all eligible prohibitable events at a reachable state.
Properties 1 to 4 present new supporting insights for our research. They provide a clearer understanding of the TDES model G (2) (Brandin and Wonham 1994) reviewed. In fact, Properties 3 and 4 together with ALF (5) of the TDES G model system time fidelity, characterizing time progression as never halting an executing activity event (Property 3) and unstoppable (Property 4 and ALF (5)). Equivalently, the model G is said to possess sound system (event-) timing semantics; or the time tick is said to be Σ-uninterrupting.
In general, an arbitrary TDES model is said to possess time fidelity if it is a TTG G that obeys Properties 3 and 4, as well as ALF (5).
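Definition 1 and the four control-string notions of the previous subsection reduce to set tests on Σ(q) along the path a string traces. The following added example, which is not code from the paper, applies them to a small hand-built TTG fragment (states 0 to 3 and events a, b, c are invented; a is prohibitable and forcible, b uncontrollable, c uncontrollable and forcible). The condition for the 'ambiguously preemptable' case is not reproduced on the page; the code assumes it to be the complement of the other two cases, i.e., some eligible forcible event is uncontrollable.

```python
"""Added example (not from the paper): tick preemptability (Definition 1) and the
classification of control strings over a small constructed TTG fragment."""
from typing import Dict, List, Set, Tuple

TICK = "tick"

# Constructed TTG fragment.  Superscript notation of the paper: a+#, b-, c-#.
DELTA: Dict[Tuple[str, int], int] = {
    (TICK, 0): 1, ("a", 0): 2,   # at 0: tick and a prohibitable forcible event
    (TICK, 1): 1, ("b", 1): 3,   # at 1: tick and an uncontrollable, non-forcible event
    (TICK, 2): 3, ("c", 2): 3,   # at 2: tick and an uncontrollable forcible event
    (TICK, 3): 3,                # at 3: only tick
}
SIGMA_HIB: Set[str] = {"a"}        # prohibitable activity events
SIGMA_U: Set[str] = {"b", "c"}     # uncontrollable activity events
SIGMA_FOR: Set[str] = {"a", "c"}   # forcible activity events


def eligible(q: int) -> Set[str]:
    """Sigma(q): the events defined at state q."""
    return {e for (e, s) in DELTA if s == q}


def tick_preemptability(q: int) -> str:
    """Definition 1.  The third case is an assumption: it is taken as the complement
    of the first two, since its condition is not given on the page."""
    if TICK not in eligible(q):
        raise ValueError(f"tick is not eligible at state {q}")
    forcible = eligible(q) & SIGMA_FOR
    if not forcible:                       # Sigma(q) ∩ Sigma_for = ∅
        return "non-preemptable"
    if not (forcible & SIGMA_U):           # Sigma(q) ∩ Sigma_for ∩ Sigma_u = ∅
        return "unambiguously preemptable"
    return "ambiguously preemptable"       # assumed: some eligible forcible event is uncontrollable


def classify_string(q: int, s: List[str]) -> str:
    """Walk s from state q and return 'controllable', 'uncontrollable' or
    'ambiguously controllable' per the definitions in the text."""
    state, has_control, has_ambiguous = q, False, False
    for e in s:
        if (e, state) not in DELTA:
            raise ValueError(f"{e} is not defined at state {state}")
        if e == TICK:
            p = tick_preemptability(state)
            has_control |= p == "unambiguously preemptable"
            has_ambiguous |= p == "ambiguously preemptable"
        elif e in SIGMA_HIB:
            has_control = True
        elif e not in SIGMA_U:
            raise ValueError(f"{e} is neither prohibitable nor uncontrollable")
        state = DELTA[(e, state)]
    if has_control:
        return "controllable"
    return "ambiguously controllable" if has_ambiguous else "uncontrollable"


def preemption_unambiguous(q: int, s: List[str]) -> bool:
    """True iff no tick in s is ambiguously preemptable at the state where it occurs."""
    state = q
    for e in s:
        if e == TICK and tick_preemptability(state) == "ambiguously preemptable":
            return False
        state = DELTA[(e, state)]
    return True


if __name__ == "__main__":
    for q, s in [(0, [TICK, TICK, "b"]), (1, [TICK, "b"]), (2, [TICK, TICK]), (0, ["a", TICK])]:
        print(q, s, classify_string(q, s), preemption_unambiguous(q, s))
```

The last sample string, a followed by tick from state 0, is controllable because of the prohibitable event a, yet not preemption-unambiguous because the tick it then takes at state 2 can be preempted by the uncontrollable forcible event c, which illustrates that the two notions are independent.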

Supervisory control of TDES's
For a sublanguage L ⊆ L(G) (having the same event set Σ), let Σ L (q) = {σ ∈ Σ | δ(σ, q)! and sσ ∈ L} be the set of eligible events at state q w.r.t Σ and the string s ∈ L, such that q = δ(s, q 0 ). Then a (specification) language K ⊆ Σ * is said to be controllable w.r.t G if it satisfies the timed controllability condition of Brandin and Wonham (1994). Intuitively, it means that following an arbitrary string s ∈ L, the TDES G does not slip out (of L and hence K) on an uncontrollable event, and any tick that it may slip out on can be preempted without the TDES slipping out as a result. In general, K may not be controllable w.r.t G, but the supremal (or largest) controllable marked sublanguage of the TDES G that lies within K exists. This sublanguage can be generated by a trim automaton computed as Supcon(G, K) (Brandin and Wonham 1994; Wonham 2016), and is exactly L provided K is controllable and L = K ∩ L m (G). Supcon(G, K) is a timed supervisor automaton S with the same event set Σ, and is said to be nonblocking (for TDES G) since L̄ m (S) = L(S) for a trim and hence coreachable S = Supcon(G, K). As a supervisor that can generate the marked language of Supcon(G, K) in conjunction with TDES G, S = Supcon(G, K) is said to be optimal or maximally permissive (w.r.t G under language K). To exercise supervision on G, the supervisor S can 'disable' events in Σ c = Σ hib ∪̇ {tick}, i.e., disable prohibitable activity events and preempt tick, where appropriate.
Let G′ be TDES G but with all its states marked. It follows that if S′ = Supcon(G′, K), then L m (S′) = L(S′); and by definition, an arbitrary language Z for which Z ∩ L(G) = L(S′) is controllable w.r.t G. Such a 'safety' supervisor S′ obtained for Z is not guaranteed to be nonblocking for the original TDES G, unless Z ∩ L m (G) = L(S′).
Finally, in practice, a (control) specification language, an arbitrary constraint on which a supervisor is to be synthesized to restrict (the behavior of) a TDES as specified, is prescribed by an automaton. To fix the notion of specification languages in automata, we define a specification TTG C for a TDES G as a trim automaton that shares the same event set as the TDES G. This TTG is said to prescribe the specification language L m (C) for restricting G to within the language L m (C G). Note that the essence of the control requirements by specification TTG C is in the 'composed' specification TTG C G, which prescribes intra-system restrictions. As these restrictions include prohibitions on activity events and tick preemption in general, C G need not satisfy Properties 3 and 4 of system time fidelity.

Toward a TDES hierarchy with time fidelity
In a two-level hierarchical setup as in Zhong and Wonham (1990), the low-level TDES needs to be equipped with an output function that drives the high-level TDES model. To model a class of such low-level TDES's, a Moore automaton (Eilenberg 1974) is used.

Low-level TDES model formulation for hierarchical control
In general, a TDES model G (2) with event set Σ needs to be re-structured into a Moore automaton (G lo , V ) - an automaton G lo = (Q, Σ, δ, q 0 , Q m ) associated with an information channel defined by a vocalization map V : (G). T act denotes the high-level (virtual) activity event set, t h , called a high-level time or output-time tick, denotes a time aggregation of low-level ticks of the global clock in TDES G lo , and the symbol τ o denotes a 'silent output'. For the low-level TDES G lo , we henceforth replace tick by t l to distinguish it as a low-level atomic time tick; therefore, Σ = Σ act ∪̇ {t l }.
Let w n denote a string of n ∈ N consecutive occurrences of string w, with w 0 = ε; and w * denote strings of finitely many occurrences of string w such that we write sw * ∈ L(G lo ) if, for all n ≥ 0, sw n ∈ L(G lo ), and is such that δ(w, q) = q, where q = δ(s, q 0 ) ∈ Q. Then the Moore construction (Eilenberg 1974) of G lo for the TDES G is based on a given timed reporter map - a virtual projection θ : L(G) → T * , defined such that θ(ε) = ε and, for σ ∈ Σ and sσ ∈ L(G), θ(sσ) is either θ(s) or θ(s)τ for some τ ∈ T . The given map θ obeys the following time-output design laws:
Law 1: For s(s′ t l s″) * ∈ L(G), and s′, s″ ∈ Σ * , θ(s(s′ t l s″) n ) = θ(s)(t′ t h t″) n for all n ≥ 0, where t′, t″ ∈ T * .
Law 2: For σ ∈ Σ and sσ ∈ L(G), θ(sσ) = θ(s)t h =⇒ σ = t l .
The constraint by Law 1 means that G lo must be constructed such that whenever a state q = δ(s, q 0 ) in G lo has, traversing through it, a loop string containing a low-level time tick t l , i.e., δ(s′ t l s″, q) = q for some s′, s″ ∈ Σ * , the loop string s′ t l s″ must traverse through a state in G lo that outputs or vocalizes a high-level time tick t h . In this sense, G lo is t h -responsive. The constraint by Law 2 means that the high-level tick t h is a time output, in that it must be real time-driven, i.e., t h is always a vocalization that immediately follows the execution of a low-level tick t l in G lo . With θ obeying the time-output design laws, the low-level TDES G lo constructed is said to be time-output responsive.
For the constructed G lo , the vocalization map V for every s ∈ L(G lo ) is defined by where the selected subset Q voc ⊆ Q, called vocal state set, is defined as follows. For σ ∈ Σ and s = sσ , A conceptual procedure applicable for constructing a Moore TDES (G lo , V ) from a given TDES G and a reporter map θ , or simply a TDES (G, θ ), is prescribed in Zhong and Wonham (1990) and Wonham (2016). In the graphical representation of G lo and any Moore automaton in general, every vocal state is represented by a node containing the symbol of an event that it vocalizes. The inverse reporter map for t ∈ T * is now defined as follows: In what follows, extending θ and θ −1 to θ(K) ⊆ T * for K ⊆ L(G lo ) and The Moore automaton (G lo , V ) is simply referred to as G lo when V is understood. Under the map V , G lo outputs events in T to drive some high-level θ -image model G hi whenever it reaches a vocal state q ∈ Q voc , and otherwise outputs the silent symbol τ o ∈ T to signal no 'significant' change for the high level. Formally, model G hi , the high-level image of G lo , is an automaton such that L(G hi ) = {θ(s) | s ∈ L(G lo )} and L m (G hi ) = {θ(s) | s ∈ L m (G lo )}. G hi is said to generate events of T under the θ -map on L(G lo ). The pair (G lo , G hi ) represents a two-level TDES hierarchy.
The vocal language of G lo , denoted by L voc (G lo ), is which is the sublanguage of L(G lo ) containing the empty string ε and all the strings of L(G lo ), called vocal strings, that end in a state of Q voc . In a richer characterization, let an arbitrary vocal string s ∈ L(G lo ), denoted by to be of the form s = s σ 1 σ 2 · · · σ k with σ i ∈ Σ (1 ≤ i ≤ k), such that: In every s = < s , σ i , x i , k, τ > (6) of L(G lo ), s ∈ L(G lo ) is called the reference prefix of string s, and is an empty string if x 0 is the initial low-level system state q 0 ∈ Q. Such a string s ∈ L(G lo ) is called a τ -string and has a suffix σ 1 σ 2 · · · σ k that runs from the initial state or a vocal state, via non-vocal states of G lo , to a vocal state outputting the high-level event τ ∈ T . This suffix is called the co-silent string of s (6). A fundamental result for the Moore TDES model G lo follows.

Lemma 1 L(G lo ) = L voc (G lo ).
Proof For a TDES model G lo , that L voc (G lo ) ⊆ L(G lo ) is straightforward. It remains to show that L(G lo ) ⊆ L voc (G lo ), as follows: By Property 1 and the finiteness of state set Q of the TDES G lo , every s p ∈ L(G lo ) can be extended to some s w * ∈ L(G lo ), where s p ≤ s and w ∈ Σ + . Then since δ(w, q) = q, where q = δ(s , q 0 ) ∈ Q, by ALF (5) of G lo , i.e., the fact that (∀q ∈ Q)(∀s ∈ Σ + act , δ(s, q)!)δ(s, q) = q, string w ∈ Σ + act and hence contains a tick t l . By design Law 1 of the reporter map θ from which the time-output responsive G lo is constructed, for s w * ∈ L(G lo ), it necessarily follows that θ( Then, since s p ≤ s , and therefore s p ≤ s , it follows that s p ∈ L voc (G lo ). Hence the lemma.
Two propositions for a TDES hierarchy (G lo , G hi ) may now be presented.

Proposition 1 Given a TDES hierarchy (G lo , G hi ), G hi is activity-loop free.
act and hence contains a tick t l . By design Law 1 of the reporter map θ from which the time-output responsive G lo is constructed, it follows that, for s w * ∈ L(G lo ), θ(s w n ) = θ(s )(t 1 t h t 2 ) n for all n ≥ 0, where t 1 , t 2 ∈ T * . Since state set X of G hi is finite, there exist an n 1 ≥ 0 and an n 2 ≥ 1 such that for all n ≥ 0, θ(s )(t 1 t h t 2 ) n 1 t n 0 ∈ L(G hi ), where t 0 = (t 1 t h t 2 ) n 2 , and is such that

Hence the proposition.
Proposition 2 Given a TDES hierarchy (G lo , G hi ), G hi obeys Property 1.
Proof Consider a TDES hierarchy (G lo , G hi ), where G hi def = (X, T , ξ, x 0 , −). Then, for an arbitrary t ∈ L(G hi ) and hence an arbitrary state x = ξ(t, x 0 ) ∈ X, we need to prove that Property 1 for G hi , i.e., (T act (x) = ∅) =⇒ ξ(t h , x)!, holds, as follows: Since θ(L(G lo )) = L(G hi ), there must exist a string s ∈ L voc (G lo ) such that θ(s) = t. By Property 1 for G lo , there exists some σ ∈ Σ such that sσ ∈ L(G lo ). Furthermore, by Lemma 1, there must also exist a string w ∈ Σ * such that sσ w ∈ L voc (G lo ) and is some τ -string of L(G lo ), where τ ∈ T and string s is its reference prefix. With θ(sσ w) = tτ and thus ξ(τ, ξ(t, x 0 ))!, it follows that if T act (ξ(t, x 0 )) = ∅, then τ ∉ T act , which means τ ∈ T − T act , i.e., τ = t h . Hence the proposition.
In other words, the passage of aggregated time, as represented by the ticking of t h , is continual in the (uncontrolled) high-level TDES G hi , in that the tick t h is always eligible in the absence of activity events at a state of G hi .
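As an added example in Python (not the paper's code), the following builds a small constructed Moore TDES G lo, checks design Laws 1 and 2 and the prefix-closure property of Lemma 1 on it, computes the θ-image G hi by a subset construction over vocal-state successors, and checks Property 1 on G hi. The state numbering, the activity events s1 and s2 and the 1:2 timescale are assumptions of this example only.

```python
from collections import deque

# Constructed example (not from the paper): a small Moore TDES G_lo whose vocal
# states output high-level events in T = {tau1, tau2, t_h}; other states are silent.
TL, TH = "t_l", "t_h"


def reach(adj, a):
    """Set of nodes reachable from a (including a) in the adjacency map adj."""
    seen, stack = {a}, [a]
    while stack:
        for v in adj.get(stack.pop(), []):
            if v not in seen:
                seen.add(v)
                stack.append(v)
    return seen


class MooreTDES:
    """Low-level Moore TDES (Q, Sigma, delta, q0) with vocalization map V; every
    state is assumed reachable from q0 (true of the constructed example)."""

    def __init__(self, delta, q0, voc):
        self.delta = delta   # (state, event) -> next state
        self.q0 = q0
        self.voc = voc       # vocal state -> event in T; its keys form Q_voc
        self.states = {p for (p, _) in delta} | set(delta.values()) | {q0}

    def theta(self, s):
        """Reporter map: the high-level events vocalized along string s."""
        q, out = self.q0, []
        for e in s:
            q = self.delta[(q, e)]
            if q in self.voc:
                out.append(self.voc[q])
        return tuple(out)

    def vocal_successors(self, q):
        """(tau, q') for every co-silent string from q, via non-vocal states, to a
        vocal state q' outputting tau: the one-step relation that defines G_hi."""
        adj = {}
        for (p, _), v in self.delta.items():
            if p == q or p not in self.voc:      # expand q and non-vocal states only
                adj.setdefault(p, []).append(v)
        hit = set().union(*[reach(adj, v) for v in adj.get(q, [])])
        return {(self.voc[v], v) for v in hit if v in self.voc}

    def law1_ok(self):
        """Law 1: every loop that contains a t_l passes through a t_h-vocal state,
        i.e. with the t_h-vocal states deleted no cycle contains a t_l edge."""
        th = {q for q, t in self.voc.items() if t == TH}
        adj = {}
        for (p, _), v in self.delta.items():
            if p not in th and v not in th:
                adj.setdefault(p, []).append(v)
        return not any(e == TL and p not in th and v not in th and p in reach(adj, v)
                       for (p, e), v in self.delta.items())

    def law2_ok(self):
        """Law 2: t_h is vocalized only immediately after a t_l transition."""
        return all(e == TL for (_, e), v in self.delta.items() if self.voc.get(v) == TH)

    def lemma1_ok(self):
        """L(G_lo) = prefix closure of L_voc(G_lo): every non-vocal state can still
        reach a vocal state, so every string of L(G_lo) extends to a vocal string."""
        return all(q in self.voc or self.vocal_successors(q) for q in self.states)

    def high_level_image(self):
        """G_hi with L(G_hi) = theta(L(G_lo)), by subset construction over the
        vocal-successor relation; returns (x0, xi, X) with xi: (x, tau) -> x'."""
        x0 = frozenset([self.q0])
        xi, todo, X = {}, deque([x0]), {x0}
        while todo:
            x, succ = todo.popleft(), {}
            for q in x:
                for tau, v in self.vocal_successors(q):
                    succ.setdefault(tau, set()).add(v)
            for tau, ys in succ.items():
                y = xi[(x, tau)] = frozenset(ys)
                if y not in X:
                    X.add(y)
                    todo.append(y)
        return x0, xi, X


def property1_ok(xi, X):
    """Property 1 for G_hi: whenever no activity event is eligible at x, t_h is."""
    for x in X:
        eligible = {tau for (y, tau) in xi if y == x}
        if not (eligible - {TH}) and TH not in eligible:
            return False
    return True


def build_example():
    """Constructed G_lo under a 1:2 timescale: t_h is vocalized at every second t_l
    (states 3, 5, 8); made-up events s1, s2 are vocalized as tau1 (1), tau2 (6)."""
    delta = {
        (0, "s1"): 1, (0, TL): 2, (2, TL): 3, (3, "s1"): 1, (3, TL): 2,
        (1, TL): 4, (4, TL): 5, (5, "s2"): 6,
        (6, TL): 7, (7, TL): 8, (8, "s1"): 1, (8, TL): 7,
    }
    return MooreTDES(delta, 0, {1: "tau1", 3: TH, 5: TH, 6: "tau2", 8: TH})
```

Calling `build_example().high_level_image()` yields a six-state G hi on which Property 1 holds, while adding a transition (4, s1) → 1 to the constructed δ creates a t l -loop that bypasses every t h -vocal state and makes `law1_ok()` false.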

System abstraction: need for output-time fidelity
The transition of a high-level time tick t h ∈ T in a system model abstraction (Wong and Wonham 1996) denotes the passage of some low-level time ticks of t l . Time abstraction (or state vocalization of t h ∈ T ) is qualitative if it signals an amount of low-level time elapsed that is possibly irregular but deemed important by hierarchical design, in which case it is said to apply a non-periodic timescale (between the high and low level). Time abstraction is quantitative if a periodic timescale 1 : n reminiscent of that in Gohari and Wonham (2003) is applied, which is a fixed time ratio of 1 high-level tick of t h for every n low-level ticks of t l , where integer n ≥ 1. However, be it qualitative or quantitative, to lay a sound design foundation for timed hierarchical control, we postulate that high-level time (or output-time) fidelity must also be upheld in the control design of a hierarchical abstraction for a base or low-level TDES model under the real-time control-theoretic setting (Brandin and Wonham 1994) reviewed. This is so that the event timing feature, of specifying a real-time requirement for control that is naturally in congruence with time fidelity of the TDES model as laid in Brandin and Wonham (1994), can be extended to system abstraction. By this, we mean that a real-time specification such as 'an activity event must complete execution within one time tick since it started' can be prescribed in terms of t h ∈ T for the system abstraction, with the sublanguage generated by the high-level timed specification on the system abstraction not violating the intended high-level timing semantics of the specification. Otherwise, we would often need to go beneath the abstraction level to examine or re-examine the low-level Moore system structure, to ascertain if desired timing requirements are correctly prescribed. Now, to illustrate the need for time fidelity in system abstraction, consider a high-level specification TTG Spec, as shown in Fig. 2c. 
It asserts that a high-level activity event τ must complete execution in not more than one high-level time tick upon event eligibility or initiation. As shown in Fig. 2d, the sublanguage due to the specification on Abstraction 1 (without time fidelity) is represented by TTG 1, whereas that due to the same specification on Abstraction 2 (with time fidelity) is represented by TTG 2. Clearly, as opposed to TTG 2, the timing semantics of TTG 1 is incorrect or unsound against the intended timing requirement of 'at most one tick for τ -completion' prescribed by Spec, as τ appears as disabled after a high-level tick.
To specify real-time high-level specifications for hierarchical control without incorrect high-level timing semantics due to the system abstraction, the problem of interest is to construct not only a system abstraction possessing time fidelity such as Abstraction 2, but also one endowed with a natural timed control structure that subsumes time fidelity, as will be elaborated in the next section. Put simply, our intent is to preserve real-time system dynamics at the abstraction or high level with conceptually the same real-time control-theoretic setting as assumed or given at the low level. Reviewed in Section 2, the assumed setting is (Brandin and Wonham 1994) is developed. Importantly, it is the necessary basis on which an arbitrary proper control specification for a given TDES can always be stated. A real-time specification is said to be proper if, in conjunction with a given TDES, it generates a sublanguage of sound timing semantics (against the specified high-level timings), for real-time and not simply timed control synthesis, against which the supervisor synthesized can be unambiguously understood in terms of permitting or restricting the specified real-time durations for activity events.

Timed control structure
To admit control for a TDES hierarchy (G lo , G hi ), the high-level activity event set T act of G hi is partitioned into the prohibitable event set T hib and the uncontrollable event set T u , and into the forcible event set T f or and the non-forcible event set T act − T f or ; with controllable event set T c = T hib ∪ {t h }. However, the two high-level control-theoretic partitions may not be unambiguous and correct under a given control-theoretic setting and a (Moore transition) structure of G lo . Even if they are, the structure of G hi is a TTG that might not possess time fidelity (w.r.t t h ), although the TDES G lo , constructed from a given TDES G (2) and a reporter map θ , does (w.r.t t l ).
For real-time high-level control of (G lo , G hi ), G lo in general needs to be structurally refined so that G hi is endowed with a natural timed control structure (w.r.t subsets T hib , T u , T f or , T act − T f or and {t h }), i.e., so that every high-level event τ ∈ T act defined and output by G lo is unambiguously prohibitable or uncontrollable if it is in T hib or in T u , respectively, and is unambiguously forcible or non-forcible if it is in T f or or in T act − T f or , respectively, and the time tick t h ∈ T is T -uninterrupting. The Moore transition structure of the TDES G lo is defined to be timed output-control consistent if G hi possesses such a natural timed control structure.
In what follows, we present the theoretical development of the fundamental system concept of timed output-control consistency, to lay a time fidelity foundation for feasible hierarchical control of TDES's. We first formulate and explain the component concepts, namely, activity output-control consistency, output-force consistency and output time-compliance. The formulation of these concepts entails the system definition of vocal string structure (6).
Where a graphical illustration of a concept is needed, it is concisely depicted in shorthand drawing notation, where a string traversing between two pertinent system states is graphically represented by a directed edge as for an event, and labeled by the string whose consecutive event transitions it represents unless the context is clear, without showing the intermediate states and transitions, and the edge has no double bars (//) across it only if the intermediate states that the string traverses through are all non-vocal.

Activity output-control consistency
Definition 2 (Activity output-control consistency) A TDES G lo is said to be activity output-control consistent (AOCC) if, for every τ -string < s , σ i ,
For an AOCC G lo , as depicted in Fig. 3a, τ ∈ T hib only if there is a low-level event in the co-silent string, of every τ -string of L(G lo ), which is prohibitable or is a tick t l at a state where an uncontrollable and forcible event is also eligible. As depicted in Fig. 3b, τ ∈ T u only if every low-level event in the co-silent string, of every τ -string of L(G lo ), is uncontrollable or is a tick t l at a state where no forcible event is eligible. Therefore, being AOCC means that every high-level event τ ∈ T act (defined, and output by G lo ) is unambiguously prohibitable or uncontrollable. Time, represented by tick t h , is uncontrollably persistent in the high-level abstraction G hi of an AOCC G lo , and this fact is formalized in Proposition 3.

Fig. 3 Activity output-control consistency: (a) For T hib : low-level string-wise characterization of high-level event prohibitability; (b) For T u : low-level string-wise characterization of high-level event uncontrollability.

Proposition 3 Given a TDES hierarchy (G lo , G hi ) and that G lo is AOCC, G hi obeys Property 4.
Proof Consider a TDES hierarchy (G lo , G hi ), where G lo is AOCC and G hi def = (X, T , ξ, x 0 , −). Then, for an arbitrary string t ∈ L(G hi ) and hence an arbitrary state x = ξ(t, x 0 ) ∈ X, we need to prove Property 4 for G hi , i.e., (T act (x) ∩ T u = ∅) =⇒ ξ(t h , x)!, holds, as follows: Since θ(L(G lo )) = L(G hi ), there must exist a string s ∈ L voc (G lo ) such that θ(s) = t. By Property 1 for G lo , there exists some σ ∈ Σ such that sσ ∈ L(G lo ). Furthermore, by Lemma 1, there must also exist a string w ∈ Σ + , where σ ≤ w, such that sw ∈ L voc (G lo ) and is some τ -string of L(G lo ), where τ ∈ T and string s is its reference prefix. It then follows that one such string w = σ 1 σ 2 · · · σ k exists that is uncontrollable or ambiguously controllable, i.e., it contains only uncontrollable activity events or t l 's that are not unambiguously preemptable, found as follows: Because G lo is AOCC, by Definition 2, τ ∉ T hib , since the co-silent string w = σ 1 σ 2 · · · σ k of the τ -string sw ∈ L(G lo ) is either uncontrollable, implying τ ∈ T u , or ambiguously controllable, implying τ = t h . Therefore, it can only be that τ ∈ T u ∪ {t h }. It thus follows that if T act (ξ(t, x 0 )) ∩ T u = ∅, then τ ∉ T u , implying that τ = t h . Hence the proposition.

Output-force consistency
We first define and explain two supporting concepts, before defining the structure of an OFC G lo .
Definition 3 (Preemptability of t h by τ ∈ T act ) Consider an arbitrary τ -string (6) of L(G lo ) with reference prefix s ∈ L(G lo ) and τ ∈ T act . Then t h is said to be unambiguously preemptable w.r.t (s , τ ) if, for every t h -string < w, α j , z j , h, t h > ∈ L(G lo ) such that θ(w) = θ(s ) and w ∈ L(G lo ) is the reference prefix of some τ -string (6)
Consider an arbitrary nonempty string r = α p+1 α p+2 · · · α h that leads, from a state x p lying along the transitions defined by the co-silent string σ 1 σ 2 · · · σ k of some τ -string of L(G lo ), τ ∈ T act , that exists, to a vocal state outputting t h , via subsequent non-vocal states that are not lying along the transitions defined by the co-silent string. Then, in words, w.r.t the reference prefix s of a τ -string of L(G lo ), t h is unambiguously preemptable if every t h -string of L(G lo ) with reference prefix w, such that θ(w) = θ(s ) and string w is also the reference prefix of some τ -string of L(G lo ), has such a string σ 1 σ 2 · · · σ p r if 0 < p < min(h, k) and r if p = 0, as its suffix, with α p+1 in string r either a prohibitable event or a t l which can be preempted by a forcible event σ p+1 that lies along the co-silent string of the τ -string that exists. This characterization is depicted in Fig. 4b, and is for the high-level abstraction shown in Fig. 4a.
In words, consider an arbitrary τ -string of L(G lo ) with reference prefix s and τ ∈ T act . Then t h is unambiguously preemptable w.r.t the mirage of (s , τ ) if, for every other string w ∈ L voc (G lo ) that has the same θ -image as string s , but is not the reference prefix of any τ -string of L(G lo ), every t h -string of L(G lo ) with string w as its reference prefix has its co-silent string either containing a prohibitable event, or a t l which can be preempted by a forcible event that is uncontrollable. This characterization is depicted in Fig. 4c, and is for the high-level abstraction shown in Fig. 4a.

Fig. 4 (c) Preemptability of t h w.r.t the mirage: the co-silent string contains a prohibitable event, or a t l at a state where a forcible and uncontrollable event is eligible.

Definition 5 (Output-force consistency) A TDES G lo is said to be output-force consistent (OFC) if, for every τ -string (6) of L(G lo ) with reference prefix s ∈ L(G lo ) and τ ∈ T act , for which there exists a t h -string with reference prefix w ∈ L(G lo ) such that θ(w ) = θ(s ), τ ∈ T f or iff t h is unambiguously preemptable w.r.t (s , τ ) and its mirage.
For an OFC G lo , as depicted in Fig. 4, τ ∈ T f or if τ ∈ T act can unambiguously preempt the tick t h whenever the former is virtually enforced at a high-level state reached, where τ and t h are eligible as depicted in Fig. 4a. And any such high-level state is reached following an underlying vocal string that has the same θ -image as the reference prefix of an arbitrary τ -string of L(G lo ), and whose co-silent string is under the characterizations as depicted in Figs. 4b and c. Otherwise, τ ∈ T act − T f or . Therefore, being OFC means that every high-level event τ ∈ T act is unambiguously forcible or non-forcible. By the standard model of event forcing (Brandin and Wonham 1994), a high-level activity event is unambiguously forcible provided, when enforced, it can always preempt the time tick t h .

Output time-compliance
Output time-compliance can be achieved by a proper design or redesign of the reporter map θ , and is formally defined as follows.
For an OTC G lo , same as the non-causal effect of the ticking of t l on the eligibility of a low-level activity event in G lo , the resultant ticking of t h is never the cause of a high-level activity event becoming ineligible in G hi . This non-causal effect is due to the defined characterization depicted in Fig. 5, and is made clear by Proposition 4.

Proposition 4 Given a TDES hierarchy (G lo , G hi ), G hi obeys Property 3 iff G lo is OTC.
Proof Consider a TDES hierarchy (G lo , G hi ), where G hi def = (X, T , ξ, x 0 , −). That G hi obeys Property 3, i.e., for an arbitrary string t ∈ L(G hi ), and hence an arbitrary state Together, it means that for an arbitrary τ -string of L(G lo ) with reference prefix s , where θ(s ) = t, if there exists a t h -string of L(G lo ) with reference prefix r 1 such that θ(r 1 ) = t and therefore θ(s ) = θ(r 1 ), then there exists a τ -string of L(G lo ) with reference prefix r 2 such that θ(r 2 ) = tt h and therefore θ(r 2 ) = θ(r 1 )t h . By Definition 6, this means that G lo is OTC. Hence the proposition.
Proposition 5 Given a TDES hierarchy (G lo , G hi ) and that G lo is AOCC and OTC, G hi is a TDES model with time fidelity.
Proof Given a TDES hierarchy (G lo , G hi ), by Proposition 1, G hi is activity-loop free.
Since G lo is AOCC, by Proposition 3, G hi satisfies Property 4. And since G lo is OTC, by Proposition 4, G hi satisfies Property 3. Therefore, since G hi is activity-loop free and satisfies Properties 3 and 4 of a TDES model, it is a TDES model with time fidelity. Hence the proposition.

Timed output-control consistency
Based on the concepts of activity output-control consistency, output-force consistency, and output time-compliance, the two concepts of output-control consistency may now be defined.
Definition 7 (Output-control consistency) A TDES G lo is said to be output-control consistent (OCC) if it is AOCC and OFC; and timed OCC (TOCC) if it is OCC and OTC.
The foregoing theoretical development culminates in the following theorem.
Theorem 1 Given a TDES hierarchy (G lo , G hi ) and that G lo is TOCC, G hi is a TDES model with time fidelity.
Proof Consider a TDES hierarchy (G lo , G hi ), where G lo is TOCC. By Definition 7, a TOCC G lo is necessarily AOCC and OTC. Hence the result by Proposition 5.
Importantly, along with the unambiguous control properties of high-level activity events, the abstraction G hi of a TOCC G lo provides a real-time basis of generally coarser time granularity that is decoupled from the low level, for which high-level specification TTG's can be independently specified for feasible hierarchical control design.

Hierarchical consistency: theoretical conditions
A core high-level supervisor expectation issue for timed hierarchical control design inherited from the untimed version (Zhong and Wonham 1990) is explained, and two versions of hierarchical consistency for TDES's, without and with output-time fidelity guarantee, are then defined to address the issue. Before that, a conceptual computation tool is reviewed, and a timed concept of partner-freeness is subsequently introduced as the absence of vocal-state partners and illustrated using this tool, to complete the timed systems synthesis framework for hierarchical consistency.

Moore reachability tree for conceptual computation
where Q t and Q m,t are called the infinite set of nodes and marked nodes, respectively, and each node is identified with a string s ∈ L(G lo ) by a bijection node : L(G lo ) → Q t : s → node(s), such that the initial or root node n 0 = node(ε), and, extended to Σ * , δ t (ε, n) = n where n = node(s ) for an s ∈ L(G lo ), and Clearly, L(G lo,t ) = L(G lo ) and L m (G lo,t ) = L m (G lo ), and conceptually, translations between a Moore automaton and its Moore reachability tree can be made (Wonham 2016).
Corresponding with a state of G lo under V , under V t , a node of the Moore tree automaton (or simply tree) G lo,t is silent if it outputs τ o , and vocal if it outputs a high-level event in T ; and Q voc,t ⊆ Q t denotes the vocal node set of G lo,t . Note that every string of L(G lo ) can be uniquely identified by a node in the tree, and vice versa.
In what follows, the terminology, drawing notation and concepts formulated for states and state-transitions of G lo carry over to nodes and node-transitions of the corresponding tree G lo,t . It should be understood that, in referring to a τ -string < s , σ i , x i , k, τ > ∈ L(G lo,t ), x 0 and x i (1 ≤ i ≤ k) are nodes defined by the transition function δ t of G lo,t over the reference prefix s and string s σ 1 σ 2 · · · σ i , respectively, and w.r.t the root node n 0 .

Consistency for hierarchical control
Consider a two-level TDES hierarchy (G lo , G hi ), where G lo is OCC. Given a high-level specification E ⊆ T * , the optimal high-level timed supervisor synthesized for its prefix closure E w.r.t G hi is S hi = Supcon(G hi , E). Let K = θ −1 (L(S hi )) ⊆ L(G lo ), the (low-level) maximal sublanguage of L(G lo ) whose projection under the timed reporter map θ is L(S hi ). In general, K is prefix-closed but not controllable w.r.t G lo . Consider the low-level timed supervisor S lo synthesized for K w.r.t G lo , given by S lo = Supcon(G lo , K). Then since L(S lo ) ⊆ θ −1 L(S hi ), it follows that in general, Inclusion (7) asserts that the projection of the prefix-closed language generated by G lo under the supervision of S lo is a sublanguage of the prefix-closed language generated by G hi under the high-level (virtual) supervision of S hi . Indeed, (7) may turn out to be strict, in which case the low-level system G lo under the supervision of S lo cannot meet the expectation of high-level supervisor S hi . The basis for hierarchical control design for a two-level TDES hierarchy (G lo , G hi ) requires the equality in (7), i.e., θ(L(S lo )) = L(S hi ). In what follows, two concepts of hierarchical consistency are defined.

Vocal-state partnership & strictness of output-control consistency
That Inclusion (7) may be strict can be explained using the concept of vocal-state partnership for OCC DES's (Wonham 2016) extended to OCC TDES's. Intuitively, if two vocal states of an OCC TDES are vocal-state partners, they output two different, eligible controllable outputs that cannot in general be independently controlled, in that, in taking a low-level control action necessary to disable or preempt one output, it is possible that this action also prevents the other output from occurring next. This partnership concept is formalized as follows.
Note that a pair (q 1 , q 2 ) of states in G lo may be control-dependent over several string structures of the form [s , wσ s , < s 1 s 2 , j].
Definition 10 (Vocal-state partnership) For a TDES G lo , let q 1 , q 2 ∈ Q voc , where either V (q 1 ) or V (q 2 ) is an event of T act . Then (q 1 , q 2 ) is said to be a pair of vocal-state partners if V (q 1 ) ≠ V (q 2 ) and (q 1 , q 2 ) is a pair of control-dependent states.
Together with Definition 9, Definition 10 for a pair of arbitrary vocal-state partners q 1 and q 2 of a TDES (G lo , V ) is depicted in Fig. 6, respectively by nodes n 1 and n 2 in a subtree of the reachability tree generated for G lo . As defined, this tree is also a Moore automaton, denoted by (G lo,t , V t ), with G lo,t def = (Q t , Σ, δ t , n 0 , Q m,t ) and vocal node set Q voc,t ⊆ Q t , except that its transition function is defined over an infinite set of elements called nodes instead of a finite set of states, with a different node representing a possibly duplicate state of G lo reached by a different string of L(G lo ). As depicted, Condition CDS1 asserts that, along the string wσ s defining the transitions via non-vocal nodes from vocal node n of G lo,t corresponding to vocal state q = δ(s , q 0 ) of G lo , the event σ is prohibitable, or is a tick t l that is not non-preemptable. Condition CDS2 asserts that every event along the string s is uncontrollable, or is a non-preemptable tick. Condition CDS3 asserts that the string s j for some j ∈ {1, 2}, defining the transitions from non-vocal node n b corresponding to non-vocal state δ(wσ s , q) of G lo , via non-vocal nodes to the vocal node n j that outputs τ j ∈ T , i.e., V t (n j ) = τ j = V (q j ), contains no prohibitable events and no unambiguously preemptable ticks. Therefore, along this string s j , that τ j cannot be prevented from occurring is definite only if no tick along the transitions defined by the string s j is ambiguously preemptable.

Fig. 6 Vocal-state partners q 1 and q 2 of a TDES G lo : They are depicted respectively by nodes n 1 and n 2 in a subtree of the system reachability tree, with V (q 1 ) = V t (n 1 ) = τ 1 and V (q 2 ) = V t (n 2 ) = τ 2 , where τ 1 ≠ τ 2 and σ ∈ Σ hib or is a preemptable tick. Note that each dotted line, for w 1 and w 2 , indicates a catenation of strings between two vocal nodes.
For discussion's sake, let j = 1. Then under such vocal-state partnership of (q 1 , q 2 ) as depicted by (n 1 , n 2 ) in Fig. 6, if the TDES G lo is OCC, then τ i ∈ T c for all i ∈ {1, 2}, and the low-level control action guaranteed to prevent τ 1 from occurring -by disabling or preempting an event along the transitions in G lo defined by the string wσ -will also prevent τ 2 from occurring. In other words, for an OCC G lo , the control of τ 1 and τ 2 is generally not independent if the associated pair (q 1 , q 2 ) are vocal-state partners.
It follows that, to guarantee independence of high-level control, it is sufficient for an OCC TDES G lo to be free of vocal-state partners.
Definition 11 (Partner-freeness) A TDES G lo is said to be partner-free (PF) if it does not contain vocal-state partners.
Two strict versions of output-control consistency follow.
Definition 12 (Strictness of output-control consistency) A TDES G lo is said to be strictly OCC (SOCC) if it is OCC and PF. It is said to be strictly TOCC (STOCC) if it is SOCC and OTC, or equivalently, TOCC and PF.

Hierarchical consistency theorem
We are now ready to state the structural conditions for the consistency of a two-level TDES hierarchy.

Theorem 2 A TDES hierarchy (G lo , G hi ) is HC if G lo is SOCC, and HC-OTF if G lo is STOCC.
Proof Given a TDES hierarchy (G lo , G hi ), the proof for the two cases proceeds as follows.
Case 1: G lo is SOCC. By Inclusion (7), θ(L(S lo )) ⊆ L(S hi ). It remains to show that θ(L(S lo )) ⊇ L(S hi ). To do that, we now suppose θ(L(S lo )) ⊂ L(S hi ) and show a contradiction of the fact that the given G lo is PF, as follows: Since L(S hi ) − θ(L(S lo )) ≠ ∅, let t be a string of L(G hi ) such that t ∈ L(S hi ) − θ(L(S lo )). Since L(S lo ) ≠ ∅, ε ∈ L(S lo ) and hence ε ∈ θ(L(S lo )). Since L(G hi ) is prefix-closed and ε ∈ θ(L(S lo )), the longest prefix t of t exists such that t < t and t ∈ θ(L(S lo )). Let s ∈ θ −1 (t) and δ(s, q 0 ) ∈ Q voc ∪ {q 0 }. It follows that s ∉ L(S lo ). Since L(S lo ) ≠ ∅ and is prefix-closed, the longest prefix s of s exists such that s ∈ L(S lo ) and δ(s , q 0 ) ∈ Q voc ∪ {q 0 }. Let t = θ(s ). Then t ≤ t and therefore t ∈ L(S hi ). Let w ∈ Σ + such that s w ≤ s, δ(s w, q 0 ) ∈ Q voc ∪ {q 0 } and θ(s w) = θ(s )τ 1 for some τ 1 ∈ T . Since L(S lo ) is controllable, s ∈ L(S lo ) and s w ∉ L(S lo ), it follows that (∃w )(∃σ ∈ Σ)w σ ≤ w, s w ∈ L(S lo ) and σ ∈ Σ hib or (σ = t l )&(∃γ ∈ Σ f or , δ(s w γ, q 0 )!)s w γ ∈ L(S lo )). Otherwise, w ∈ (Σ u ∪ {t l }) * and contains no unambiguously preemptable t l , and is such that, due to the controllability of L(S lo ), every event of Σ hib ∩ Σ f or that can preempt a t l in w exits the boundary of L(S lo ), i.e., (∀w , w t l ≤ w) s w ∈ L(S lo ) and (∀γ ∈ Σ hib ∩ Σ f or , δ(s w γ, q 0 )!)s w γ ∉ L(S lo )), and we have s w ∈ L(S lo ), hence contradicting the maximality of s w.r.t inclusion in L(S lo ). Thus w ∈ (Σ * )(Σ hib ∪{t l })(Σ u ∪{t l }) * , such that the event of w in (Σ hib ∪ {t l }) is either prohibitable or a t l that can be preempted by some forcible event that does not exit the boundary of L(S lo ), and every event of Σ hib ∩ Σ f or that can preempt a t l in its suffix string in (Σ u ∪ {t l }) * that contains no unambiguously preemptable t l exits the boundary of L(S lo ).
Now, let w ∈ Σ * and σ ∈ (Σ hib ∪ {t l }) be such that s w σ ≤ s w, s w ∈ L(S lo ) and s w σ ∉ L(S lo ), i.e., σ must be disabled to stay in L(S lo ).
In what follows, there must exist a string v ∈ (Σ u ∪{t l }) * that contains no unambiguously preemptable t l , and where every event of Σ hib ∩ Σ f or that can preempt a t l in v exits the boundary of L(S lo ), such that δ(s w σ v, q 0 ) ∈ Q voc ∪ {q 0 }, θ(s w σ v) = θ(s )τ 2 for some τ 2 ∈ T and θ(s w σ v) ∉ L(S hi ), because having no such string v contradicts the fact that L(S lo ) is the supremal controllable sublanguage of θ −1 (L(S hi )) w.r.t G lo .
Let q 1 = δ(s w, q 0 ) and q 2 = δ(s w σ v, q 0 ). Thus V (q 1 ) = τ 1 and V (q 2 ) = τ 2 . Since v extends from s w σ and is not controllable in general, the longest common prefix string s w ∈ Σ * of s w and s w σ v exists such that s w w 1 = s w and s w v 1 = s w σ v where w 1 , v 1 ∈ Σ * . It follows that w = w σ s 1 for some s 1 ∈ Σ * . Since v is not controllable, s 1 is not controllable. It follows that there must exist a string s ∈ Σ * that is the longest suffix of s 1 that is uncontrollable, i.e., w σ s 1 = w σ s 2 s , where s 2 is not controllable (i.e., uncontrollable or ambiguously controllable). Therefore (q 1 , q 2 ) is a pair of control-dependent vocal states over [s , w σ s 2 s , < w 1 v 1 , −] since v 1 is not controllable because v is not controllable, and therefore satisfies Condition CDS3 of Definition 9; and
- if s 2 is uncontrollable, then σ satisfies Condition CDS1 and string s 2 s satisfies Condition CDS2, of Definition 9; and
- if s 2 is ambiguously controllable and thus is of the form s 1 σ s 2 for some s 1 , s 2 ∈ (Σ u ∪ {t l }) * , where s 2 is uncontrollable and σ = t l is ambiguously preemptable, then event σ satisfies Condition CDS1, and string s 2 s satisfies Condition CDS2, of Definition 9.
Since θ(s w) = t τ 1 ∈ L(S hi ) and θ(s w σ v) = t τ 2 ∉ L(S hi ), it follows that τ 1 ≠ τ 2 and therefore V (q 1 ) ≠ V (q 2 ). Together with the fact that (q 1 , q 2 ) is a pair of control-dependent vocal states, (q 1 , q 2 ) is a pair of vocal-state partners by Definition 10, contradicting the fact that the given G lo is PF.
Case 2: G lo is STOCC. Then, by Definition 12, it is necessary that G lo is SOCC, and therefore by the proof of Case 1 above, (G lo , G hi ) is HC. It is also necessary that G lo is TOCC, and therefore by Theorem 1, G hi possesses high-level time fidelity. Combining, it follows that (G lo , G hi ) is HC-OTF by Definition 8-2.
Hence the theorem.

Hierarchical mission control of a robotic camera system
As an illustration of the STOCC system concept for building a hierarchy that is HC-OTF, we now present an example of a simplified robotic camera system. One may think of it as a module on board a drone or an unmanned aerial vehicle, for use in a surveillance mission along a designated flying route. This module is to be organized as a hierarchy (G lo , G hi ), constructed from a given TDES (G, θ ) that is represented by a Moore ATG G act and the associated event timing information as shown in Fig. 7, with θ : L(G) → T * and T act = {τ 1 , τ 2 }, under a periodic timescale 1 : 2. The event set Σ act = {σ 1 , σ 2 , σ 3 } of G is partitioned with Σ hib = {σ 1 , σ 3 } and Σ f or = {σ 3 }. The definitions of the activities and events are given in Table 1.
Following the construction as shown in Fig. 8, it can be verified that G lo is:
- OCC, by setting T hib = {τ 2 } and T u = {τ 1 }; T f or = {τ 2 } and τ 1 ∉ T f or .
- PF, due to the absence of a partnership structure as depicted in Fig. 6, by determining that for all state pairs (q 1 , q 2 ) with V (q 1 ), V (q 2 ) ∈ T , every pair of V (q 1 )-string and V (q 2 )-string with common reference prefix and co-silent strings with common prefix s, has either V (q 1 ) = V (q 2 ) = t h or s = ε.
- OTC, by observing that G hi obeys Property 3 and following Proposition 4.
Therefore, in the constructed hierarchy (G lo , G hi ), G lo is STOCC by Definition 12, and hence the hierarchy is HC-OTF by Theorem 2.

Table 1 Definitions of the activities and events
Models   Event                                  Activity
G lo     σ 1 : Detected new object localized    a 0 : Scanning and detecting new suspicious moving or stationary object of interest
         σ 2 : Camera set                       a 1 : Setting camera shutter speed and aperture based on scene lighting
         σ 3 : Camera clicked                   a 2 : Improving camera setting and zooming in on localized object
G hi     τ 1 : New object seen
         τ 2 : Photo taken

Fig. 8 Camera system: A constructed hierarchy (G lo , G hi )
A system abstraction is very useful if it can abstract away unnecessary low-level language details and provide unambiguous control information of interest, abstracted as languages of high-level events. As this example hierarchy shows, the abstraction G hi provides a clear understanding of the application at mission level, driven by the underlying real TDES G lo , and allows real-time requirements to be more readily identified and specified at the high level.
As a specification example over G hi , consider a controllable specification asserting that, continually, the robotic camera, upon seeing a new object, is to take a photo with no further t h -time delay as soon as it is ready to do so (following a t h -setup). This specification may be prescribed by a TTG (say, MC) that structurally is G hi (see Fig. 8a), but with the selfloop t h -transition at state 3 removed. A low-level supervisor S lo for the TDES G lo can be synthesized for which θ(L(S lo )) = L(MC).
In driving home the point, a hierarchy that is HC-OTF is necessary if we need to synthesize low-level supervisor solutions that fully realize the prefix closure of controllable, high-level real-time specifications w.r.t the high-level TDES model, without violating their intended high-level timing semantics.

Hierarchical consistency: output-system synthesis
In general, a Moore TDES (G lo , V ) constructed from given hierarchical system information (G, θ ) is not STOCC. Refining it to be so by modifying the associated map V for G lo turns out to be a challenging research problem. Herewith, we first investigate the structural existence and synthesis (or refinability) issues for SOCC systems, and point out the abstraction anomalies to be removed for obtaining STOCC systems. Along with it, the conditions under which timescale is preserved under a system refinement are also of interest. In essence, these conditions are the system structural conditions under which a refinement does not introduce a new t h -string for the refined TDES. Details of this aspect of our investigation are found elsewhere (Ngo 2016).
By system refinement or synthesis, we refer to redefining the map V over G lo , without removing any given high-level activity and timing information. It can be easily deduced that a TDES G lo refined as such remains time-output responsive (in the sense of not invalidating the time-output design Laws 1 and 2). Therefore, the system concepts and their constituent relationships defined for a given TDES G lo are also applicable to a refined TDES, and so are the definitions and results presented in Sections 3 through 5. Where required, a refined TDES will be referred to by the same symbol, G lo , to imply that it remains time-output responsive as the given TDES G lo , in all the theoretical proofs of subsequent synthesis results.
For clarity of description, every system refinement (procedure or method) will be defined, and thought of, as being 'implemented' in terms of refinement of the Moore reachability tree introduced in Section 5.1, i.e., redefining the map V over G lo is done by redefining the corresponding V t over its tree G lo,t . The system refinement is therefore conceptual.

String-wise control partitions of outputs
At this juncture, it is useful to bring in some string-wise definitions for the event-control properties of τ ∈ T , as follows. Given an arbitrary τ-string s = < s , σ i , x i , k, τ > ∈ L(G lo ): τ ∈ T is said to be controllable w.r.t s if the co-silent string of s is controllable, i.e., for τ ∈ T is said to be ambiguously controllable w.r.t s if the co-silent string of s is ambiguously controllable, i.e., for all and its mirage, and is not forcible w.r.t s otherwise, in either case that there exists a t h -string with reference prefix s ∈ L(G lo ) such that θ(s ) = θ(s ), or else it is said to be force-don't-care w.r.t s .
In the above, all the definitions except the last are for events in T = T act ∪ {t h }. A τ ∈ T act that is force-don't-care w.r.t the reference prefix s of a given τ-string is said to be definable as either forcible or not forcible w.r.t s . It follows that the definitions induce two string-wise control partitions of Moore outputs. In one partition, an arbitrary τ ∈ T is either controllable, uncontrollable or ambiguously controllable w.r.t every one of its τ-strings, and in the other, an arbitrary τ ∈ T act is either forcible or non-forcible w.r.t the reference prefix of every one of its τ-strings.

OCC-system refinability & refinement
In what follows, a TDES is said to be AOCC-, OFC-, and OCC-system refinable, if it can be refined to be AOCC, OFC, and OCC, respectively.

Theorem 3 A TDES G lo is not AOCC-system refinable iff there exists a τ -string
, and σ k is ambiguously controllable, i.e., σ k = t l and is ambiguously preemptable.
, and σ k = t l and is ambiguously preemptable.
Then, the τ-string s ∈ L(G lo ) does not satisfy either of the respective conditions for τ ∈ T hib and τ ∈ T u stated in Definition 2, and it follows that G lo is not AOCC. Regardless of any Moore transition redefinition along the co-silent string σ 1 σ 2 · · · σ k−1 of s, σ k = t l remains ambiguously preemptable, and hence there will always exist a τ-string of L(G lo ), with reference prefix s σ 1 · · · σ i for some i (1 ≤ i ≤ k − 1), for the refined G lo that does not satisfy either of the respective conditions for τ ∈ T hib and τ ∈ T u stated in Definition 2, implying that the refined G lo is not AOCC. Hence, the given G lo is not AOCC-system refinable.
(Only if): Suppose G lo is not AOCC-system refinable, and is therefore not AOCC. Together, these mean that there exists a τ-string s = < s , σ i , x i , k, τ > ∈ L(G lo ) with τ ∈ T act that
- does not satisfy either of the respective conditions for τ ∈ T hib and τ ∈ T u stated in Definition 2 and thus
- and no Moore transition redefinition along its co-silent string σ 1 σ 2 · · · σ k−1 can be made to satisfy the condition for τ ∈ T u as stated in Definition 2, implying the additional condition that
In other words, if G lo is not AOCC-system refinable, by logical conjunction, there exists a τ-string s = < s , σ i , , is ambiguously preemptable.
Hence the theorem.
Noting that, by definition, σ ∈ Σ is not ambiguously controllable if σ ∈ Σ act , or σ = t l and is non-preemptable or unambiguously preemptable, a logically straightforward corollary of Theorem 3 follows.
We now present a conceptual procedure named Procedure OCC-SR for a TDES (G lo , V ). We then show, by the proof of Theorem 4 below, that Procedure OCC-SR can be applied for OCC-system refinement of an AOCC-system refinable TDES (G lo , V ).
Following the procedure, T hib = {α n , α n } ∩ T act ; T u = {β n , β n } ∩ T act ; and T f or = {α n , β n } ∩ T act . In the maximal case, each enumerated τ n (1 ≤ n ≤ κ) is replaced by four distinct outputs α n , α n , β n and β n , and the maximal cardinality of the new T act is 4κ.

Theorem 4 A TDES G lo is AOCC-system refinable iff it is OCC-system refinable.
Proof (If): Suppose a given TDES G lo is OCC-system refinable. Then G lo can be refined to be OCC, and hence AOCC and OFC by Definition 7. That the TDES G lo can be refined to be AOCC implies it is AOCC-system refinable.
(Only if): Suppose a given TDES G lo is AOCC-system refinable. It is sufficient to show that, using Procedure OCC-SR, it can be refined to be AOCC, and then OFC without violating the established AOCC-system property, and hence OCC by Definition 7. The necessity proof proceeds as follows.
- Show that the given TDES G lo can be refined to be AOCC: An arbitrary τ n ∈ T act is, in general, either ambiguously controllable, controllable or uncontrollable w.r.t every τ n -string of L(G lo ). By Corollary 1, for every τ-string < s , σ i , −, k, τ > ∈ L(G lo ) with τ ∈ T act , the prefix σ i · · · σ k−1 of its co-silent string is either controllable or ambiguously controllable, and its terminal event σ k ∈ Σ is, string-wise, either controllable or uncontrollable. Hence every τ n -string s = < s , σ i , −, k, τ n > of L(G lo ), w.r.t which τ n ∈ T act is ambiguously controllable, has a longest prefix s σ 1 · · · σ p for some p (1 ≤ p ≤ k − 1) at which σ p = t l and is ambiguously preemptable, and beyond which the suffix σ p+1 · · · σ k is uncontrollable. With the new event output notation accordingly defined, and over the reachability tree constructed for G lo , Step 1 of Procedure OCC-SR labels such a prefix as a t h -string and such a τ n -string s as a β n -string, of L(G lo ), with the new t h -string s σ 1 · · · σ p as its reference prefix; as a result, the new β n -string s now satisfies the condition for an activity event in T u as stated in Definition 2 (of activity output-control consistency).
The step also relabels every other τ n -string s ∈ L(G lo ), w.r.t which τ n ∈ T act is controllable or uncontrollable, as an α n -string or a β n -string, of L(G lo ), respectively; as a result, the new α n - or β n -string s now satisfies the condition for an activity event in T hib or T u , respectively, as stated in Definition 2.
It thus follows that Step 1 of Procedure OCC-SR refines the given TDES G lo to be AOCC according to Definition 2, with the new set of high-level activity outputs T act ⊆ {α n , β n } partitioned into T hib = {α n } ∩ T act and T u = {β n } ∩ T act .
- Show that the AOCC-system refined G lo can be further refined to be OFC without violating the established AOCC-system property: With additional new event output notation accordingly defined, and over the reachability tree of the now AOCC-system G lo , Step 2 of Procedure OCC-SR relabels α n -strings and β n -strings as α n - and β n -strings, of L(G lo ), accordingly as needed, such that the refined G lo becomes OFC according to Definition 5. As the step entails only output relabeling, every newly formed α n - or β n -string of L(G lo ), like its α n - or β n -string counterpart, continues to satisfy the condition for an activity event in T hib or T u , respectively, as stated in Definition 2.
It thus follows that Step 2 of Procedure OCC-SR refines the TDES G lo to be OFC without violating the AOCC-system property established by Step 1, and hence the refined G lo is OCC according to Definition 7, with T act ⊆ {α n , β n , α n , β n } partitioned into T hib = {α n , α n } ∩ T act and T u = {β n , β n } ∩ T act ; and partitioned with T for = {α n , β n } ∩ T act .
7 An event denoted by symbol x γ is simply called a force-don't-care event, and is either γ or γ .
Hence the theorem.
In subsequent references, Steps 1 and 2 of Procedure OCC-SR may be separately referred to as Subprocedures AOCC-SR and OFC-SR, respectively. Henceforth, when we say a TDES is OCC-, AOCC-, and OFC-system refinable, we now mean, more specifically, that it can be refined to be OCC, AOCC and OFC, using Procedure OCC-SR and Subprocedures AOCC-SR and OFC-SR, respectively.

PF-system refinement & SOCC-system refinability
As explained in Section 5.1, the terminology and concepts formulated for state pairs of G lo carry over to node pairs of the corresponding tree G lo,t .
In logical hierarchical control, a method over the system's Moore reachability tree is developed (Zhong and Wonham 1990; Wonham 2016) to break up vocal-node partners, by first finding them via breadth-first search of the tree. To refine a TDES (G lo , V ) so that it becomes free of vocal-state partners, however, it turns out that, in finding vocal-node partners over [s , wσ s , < s 1 s 2 , j], similarly by breadth-first search of the tree (G lo,t , V t ), and breaking them up, new vocal-node partners may be introduced. This is because, in breaking them up, the map V t needs to be redefined so that the node δ t (s wσ, n 0 ) outputs t h if σ ∈ Σ(δ t (s w, n 0 )) is an ambiguously preemptable tick, and otherwise, as in the partners-breakup method for logical hierarchical control (Zhong and Wonham 1990; Wonham 2016), outputs a given new activity event. The following example illustrates this issue.
Example 2 Consider a subtree of the reachability tree (G lo,t , V t ) for a Moore TDES G lo , as depicted in Fig. 9a with s ∈ L voc (G lo,t ), w, s ∈ Σ * , σ i ∈ Σ act for all i (1 ≤ i ≤ 5), and τ 1 , τ 2 ∈ T act . Suppose σ 1 , σ 2 , σ 3 and σ 5 are prohibitable, σ 4 is uncontrollable and σ 3 is also forcible. The subtree, according to Definition 10, has a pair of vocal-node partners, namely, (n 2 , n 3 ). To remove their partnership, V t can be redefined such that the non-vocal node n 4 (reachable by string s wσ 1 s t l ) becomes a vocal node outputting t h , as depicted in Fig. 9b. However, in so doing, a new pair of vocal-node partners is introduced, namely, (n 1 , n 4 ), as depicted in Fig. 9b. In general, the issue is due to vocal-state partners being 'hidden' by certain pairs of control-dependent vocal states outputting the same activity event, formalized as follows.
Definition 13 (Hidden vocal-state partnership) For a TDES G lo , let q 1 , q 2 ∈ Q voc , where either V (q 1 ) or V (q 2 ) is an event of T act . Then (q 1 , q 2 ) is said to be a pair of partner-hiding states if V (q 1 ) = V (q 2 ) ∈ T act and (q 1 , q 2 ) is a pair of control-dependent states over [s , wσ s , < s 1 s 2 , j], for which (∃s c ∈ Σ * )(s c t l < s j & Σ(δ(s wσ s s c , q 0 )) ∩ Σ for ∩ Σ hib ≠ ∅).
In words, two system vocal states q 1 and q 2 outputting the same activity event are partner-hiding if they are control dependent over [s , wσ s , < s 1 s 2 , j] in the system, such that an ambiguously preemptable tick exists at q j = δ(s wσ s s c , q 0 ) along some s c ∈ Σ * for which s c t l < s j , and for which q i and q j , i ∈ {1, 2} and i ≠ j , would be vocal-state partners if q j were to output t h .
To break up partners without introducing new partners using a breadth-first search strategy, conservatively, both pairs of vocal-state partners and pairs of partner-hiding states need to be broken up. In what follows, a conceptual procedure for PF-system refinement, named Procedure PF-SR, is defined over the reachability tree (G lo,t , V t ) of a TDES (G lo , V ), as follows. For each pair (n 1 , n 2 ) of vocal-node partners or partner-hiding nodes over [s , wσ s , < s 1 s 2 , j] in G lo,t , detected with s wσ ∈ L(G lo,t ) found by breadth-first search of the tree G lo,t starting from its root node:
1. if σ ∈ Σ(δ t (s w, n 0 )) is ambiguously controllable, i.e., σ = t l and is ambiguously preemptable, then redefine V t (δ t (s wσ, n 0 )) = t h ;
2. else redefine V t (δ t (s wσ, n 0 )) = τ p , where τ p ∈ T is the given new activity event.
Definition 14 (Partner-hiding-state freeness) A TDES G lo is said to be partner-hiding-state free (PHF) if it does not contain partner-hiding (vocal) states. Therefore, by Definitions 11 and 14, Procedure PF-SR refines a TDES G lo into a system that is not only PF, but also PHF.
Henceforth, a TDES is said to be SOCC-system refinable if it can be refined to be SOCC using the (ordered) application of Procedure PF-SR followed by Procedure OCC-SR, or either one of these two procedures.

SOCC-system synthesis theorems
Theorem 5 A TDES G lo is SOCC-system refinable if it is AOCC-system refinable and, over each [s , wσ s , < s 1 s 2 , j] of every pair (q 1 , q 2 ) of vocal-state partners or partner-hiding states, it is the case that for i, j, k ∈ {1, 2}, i ≠ j , and s k = s k α k where α k ∈ Σ,
- if V (q i ) = t h and s i is not controllable, then α i is preemption-unambiguous;
- if V (q j ) = t h , then α j is uncontrollable.
Proof Consider an AOCC-system refinable TDES G lo with the structural conditions as specified. It is sufficient to show that, by applying Procedure PF-SR followed by Procedure OCC-SR, the given TDES G lo can be refined to be PF without violating AOCC-system refinability and then further refined to be OCC without violating the established PF-system property, and hence SOCC by Definition 12. The proof proceeds as follows.
- Show that the given TDES G lo can be refined to be PF without violating AOCC-system refinability: For each structure [s , wσ s , < s 1 s 2 , j] of every pair (q 1 , q 2 ) of vocal-state partners (Definition 10) or partner-hiding states (Definition 13), both of which are control-dependent vocal states (Definition 9) in G lo , Procedure PF-SR, in computing over the Moore reachability tree constructed for (G lo , V ), labels string s wσ as a τ p -string, where τ p is a new high-level activity output, only if in the co-silent string wσ of the new τ p -string, either σ ∈ Σ hib or σ = t l and is unambiguously preemptable. Therefore, the new τ p -string with reference prefix s satisfies the condition for AOCC-system refinability (required of each τ-string of L(G lo ) for every high-level activity event τ), as stated in Corollary 1.
Next, let s j = s j α j for s j ∈ Σ * and α j ∈ Σ, if V (q j ) = τ j ∈ T act . Then, since s j is not controllable by Definition 9 for control-dependent vocal states that vocal-state partners and partner-hiding states are, together with the condition that α j is uncontrollable, it follows that the new τ j -string with reference prefix s wσ and co-silent string s s j α j satisfies the condition for AOCC-system refinability as stated in Corollary 1.
For i ∈ {1, 2}, i ≠ j , let s i = s i α i for s i ∈ Σ * and α i ∈ Σ. It follows that if V (q i ) = τ i ∈ T act and s i is not controllable, then, that α i is preemption-unambiguous implies α i is either controllable or uncontrollable. Consequently, the new τ i -string with reference prefix s wσ and co-silent string s s i α i satisfies the condition for AOCC-system refinability as stated in Corollary 1.
Hence, by refining G lo as such using Procedure PF-SR, the refined G lo is not only PF and PHF, implying it is PF, but also remains AOCC-system refinable according to Corollary 1.
- Show that the PF-system refined G lo can be further refined to be OCC without violating the established PF-system property: Since the refined G lo is AOCC-system refinable, by Theorem 4, it is OCC-system refinable using Procedure OCC-SR.
An arbitrary τ n ∈ T act is, in general, either ambiguously controllable, controllable or uncontrollable w.r.t every τ n -string of L(G lo ). As defined, over the reachability tree constructed for G lo , Subprocedure AOCC-SR of Procedure OCC-SR simply relabels, accordingly, τ n -strings of L(G lo ), w.r.t which τ n ∈ T act is controllable or uncontrollable. Effectively, no vocal-state partners are created herewith.
It remains to show that Subprocedure AOCC-SR, in relabeling τ n -strings of L(G lo ) w.r.t which each τ n ∈ T act is ambiguously controllable, likewise creates no vocal-state partners, as follows: We note that a τ n -string s = s σ 1 · · · σ k ∈ L(G lo ), where σ i ∈ Σ for all i (1 ≤ i ≤ k) and s is its reference prefix, w.r.t which τ n ∈ T act is ambiguously controllable, has a longest prefix s σ 1 · · · σ p for some p (1 ≤ p ≤ k − 1) at which σ p = t l and is ambiguously preemptable, and beyond which the suffix σ p+1 · · · σ k is uncontrollable.
Herewith, Subprocedure AOCC-SR labels such a prefix as a t h -string and relabels the τ n -string s as some β n -string accordingly, with the new t h -string s σ 1 · · · σ p as its reference prefix. To prove by contradiction, assume that, due to the preceding refinement, q 1 is the new vocal state outputting t h and q 2 is some originally existing vocal state outputting an activity event such that (q 1 , q 2 ) forms a pair of vocal-state partners over some structure [s , wσ s , < s 1 s 2 , j], where q 1 = δ(s wσ s s 1 , q 0 ), q 2 = δ(s wσ s s 2 , q 0 ) and j ∈ {1, 2}. Associating this structure with the form of the string s, the co-silent string of the t h -string is wσ s s 1 = σ 1 · · · σ p , which is ambiguously controllable as σ p is, and so σ 1 · · · σ p−1 is either uncontrollable or ambiguously controllable. Together with Definition 9 for the control-dependent vocal states that vocal-state partners are, it can only be that σ = t l and is ambiguously preemptable (i.e., σ is ambiguously controllable), and so the string σ 1 · · · σ p−1 must be ambiguously controllable. Thus, s 1 is not controllable and we may let j = 1.
In what follows, since state q 1 resides along the co-silent string of the initially given τ n -string s, there exists a string w 1 ∈ (Σ u ∪ {t l }) + such that s = s wσ s s 1 w 1 . And since w 1 is the co-silent string of the newly formed β n -string s, w 1 = σ p+1 · · · σ k and is therefore uncontrollable. Since s 1 is not controllable and w 1 is uncontrollable, it follows that the vocal state reachable by string s, outputting τ n initially, and vocal state q 2 must initially be a pair of control-dependent vocal states over [s , wσ s , < s 1 w 1 s 2 , j], according to Definition 9. It follows that, if they output the same activity event, they form a pair of partner-hiding states by Definition 13, or otherwise form a pair of vocal-state partners by Definition 10, contradicting the fact that G lo is PF and PHF.
Therefore, refining G lo to be AOCC using Subprocedure AOCC-SR does not introduce new vocal-state partners, implying the AOCC-system refined G lo remains PF.
Finally, as defined, over the reachability tree constructed for G lo , Subprocedure OFC-SR of Procedure OCC-SR simply relabels τ n -strings of L(G lo ) accordingly, and hence does not create new vocal states and therefore does not introduce new vocal-state partners.
All in all, the OCC-system refined G lo remains PF.
Hence the theorem.
A corollary of Theorem 5 follows.
Corollary 2 An OCC TDES G lo is SOCC-system refinable if, over each [s , wσ s , < s 1 s 2 , j] of every pair (q 1 , q 2 ) of vocal-state partners or partner-hiding states, it is the case that for
Proof Consider an OCC TDES G lo with the conditions as specified for each structure [s , wσ s , < s 1 s 2 , j] of every pair (q 1 , q 2 ) of vocal-state partners (Definition 10) or partner-hiding states (Definition 13), both of which are control-dependent vocal states (Definition 9) in G lo . Taken together, the structural conditions (which include the given fact that G lo is OCC) can be logically shown to be stronger than the sufficiency conditions stated in Theorem 5 for an SOCC-system refinable TDES. It thus follows that G lo is SOCC-system refinable. Hence the corollary.

STOCC-system synthesis: a discussion
Consider a hierarchy (G lo , G hi ) built based on the proposed formulation. Suppose G lo is SOCC and hence OCC. Based on the foregoing theoretical development, Property 4 and ALF (5) are satisfied for G hi . Suppose we want the tick t h of the high-level model G hi to model real time, i.e., G hi to possess time fidelity. What then remains to attain high-level time fidelity is that G hi must also satisfy Property 3, and this is so provided G lo is, or can be refined to be, OTC while remaining SOCC, and hence STOCC, a sufficient condition for HC-OTF. Any violation of Property 3 by G hi is caused by one of two anomalies in the abstraction of the original Moore TDES, namely that, upon a t h -occurrence, an eligible high-level activity event either becomes ineligible or has one of its event-control properties modified.
W.r.t high-level time fidelity, the temporal dynamics of an SOCC G lo that is not OTC is deemed erroneous, as the real-time soundness of all specifications w.r.t its abstraction model G hi is not guaranteed. This necessitates a redesign of the reporter map θ by refining (G lo , V ) so as to remove the abstraction anomalies as well, and this general problem of existence and synthesis (by refinement) of an STOCC G lo is a challenging one. In the next section, we study the SOCC-system refinability of an existing class of TDES's, and show that a 'linear' subclass formulated is STOCC-system refinable.

Hierarchical consistency for NTU & NTI systems
We consider a class of Moore TDES's, that we call next-output terminal-control unambiguous (NTU) systems. NTU systems impose some output-system design or modeling restrictions in the resultant class of TDES hierarchies. A special subclass of NTU systems, called non-terminal time-control invariant (NTI) systems, is also defined. In what follows, the SOCC-system synthesis of NTU TDES's is formally proved. A further restricted linear subclass of NTI systems is also characterized, which, importantly, lends itself to STOCC-system synthesis of linear NTI systems as also formally proved, and that entails a neat strategy of arbitrarily removing the abstraction anomalies identified without violating SOCC-system refinability in obtaining STOCC systems.
Definition 15 (NTU and NTI systems) Let s = s σ 1 σ 2 · · · σ k be an arbitrary τ -string of L(G lo ) with reference prefix s and σ i ∈ Σ for all i (1 ≤ i ≤ k). Then the TDES G lo is said to be NTU if, for each τ -string s ∈ L(G lo ) of every τ ∈ T act , the terminal event σ k , if it is a tick t l , is either non-preemptable or unambiguously preemptable. The TDES G lo is said to be NTI if it is NTU and, for each τ -string s ∈ L(G lo ) of every τ ∈ T act ∪ {t h }, every (non-terminal) σ i (1 ≤ i < k) that is a tick t l is either non-preemptable or unambiguously preemptable.
For an NTU or NTI TDES G lo , the terminal event σ ∈ Σ in every τ-string sσ ∈ L(G lo ) of every output τ ∈ T act is either an unambiguously preemptable or a non-preemptable tick, or an activity event (which is either prohibitable or uncontrollable). In other words, the terminal σ-control of the next activity output τ is unambiguous. For an NTI TDES G lo , additionally, except for the terminal tick t l of every t h -string of L(G lo ), the control preemptability of tick t l elsewhere (i.e., whether t l elsewhere can be preempted or not) is always the same under arbitrary system control dynamics. In other words, referring to t l as a system non-terminal time tick whenever it is not the terminal event of a t h -string of L(G lo ), the (low-level preemptive) control of non-terminal time ticks is invariant.
Remark 1 We should point out that NTU TDES's are not a limited class of hierarchical systems. It is first discussed in Wong and Wonham (1996) that, in general, a given TDES can be redesigned to become free of activity events, each of which is both forcible and prohibitable. A Moore TDES G lo with Σ f or ∩ Σ hib = ∅ or equivalently, Σ f or ⊆ Σ u , is clearly NTI since all its time ticks are control invariant, and hence is NTU.
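To make Definition 15 and Remark 1 concrete, the following is an added example; it is not code from the paper, and the automaton in it is a constructed toy that borrows only the event and output names of Table 1, not the structure of Fig. 7. It models a Moore TDES (G lo , V ) as a finite transition map with vocal states, computes the reporter map θ, and classifies the low-level tick t l at each state. That classification is an assumption about what the paper's wording means: a tick is taken to be non-preemptable at a state where no forcible event is eligible, unambiguously preemptable where every eligible forcible event is uncontrollable, and ambiguously preemptable where an eligible forcible event is also prohibitable, i.e. Σ(q) ∩ Σ for ∩ Σ hib ≠ ∅, which is the condition Definition 13 and Remark 1 point to. With that, the NTU test checks that no τ-string of a τ ∈ T act ends with an ambiguously preemptable tick, and the NTI test checks that the only ambiguously preemptable ticks are terminal ticks of t h -strings; both are evaluated over tick transitions into vocal states rather than by enumerating strings, which is equivalent when every state is reachable.

```python
from collections import deque
from dataclasses import dataclass

TL, TH = "t_l", "t_h"   # low-level tick and high-level tick


@dataclass
class MooreTDES:
    """Low-level Moore TDES (G_lo, V): a finite automaton over Σ_act ∪ {t_l} whose
    vocal states output an event of T_act ∪ {t_h}; silent states output nothing.
    (Constructed example; the tick classification below is an assumption.)"""
    q0: str
    delta: dict        # (state, event) -> next state; missing key = not eligible
    V: dict            # vocal state -> output; absent key = silent state
    hib: frozenset     # Σ_hib: prohibitable activity events (Σ_u = Σ_act minus Σ_hib)
    forc: frozenset    # Σ_for: forcible activity events (may preempt t_l)

    def eligible(self, q):
        return {e for (p, e) in self.delta if p == q}

    def reachable(self):
        seen, todo = {self.q0}, deque([self.q0])
        while todo:
            q = todo.popleft()
            for e in self.eligible(q):
                p = self.delta[(q, e)]
                if p not in seen:
                    seen.add(p)
                    todo.append(p)
        return seen

    def theta(self, s):
        """Reporter map θ: outputs of the vocal states visited along s ∈ L(G_lo)."""
        q, out = self.q0, []
        for e in s:
            q = self.delta[(q, e)]          # KeyError means s ∉ L(G_lo)
            if q in self.V:
                out.append(self.V[q])
        return tuple(out)

    def theta_image(self, max_len):
        """θ(L(G_lo)) restricted to low-level strings of length at most max_len."""
        image, frontier = {()}, [(self.q0, ())]
        for _ in range(max_len):
            nxt = []
            for q, t in frontier:
                for e in self.eligible(q):
                    p = self.delta[(q, e)]
                    t2 = t + (self.V[p],) if p in self.V else t
                    image.add(t2)
                    nxt.append((p, t2))
            frontier = nxt
        return image

    def tick_preemptability(self, q):
        """Assumed state-level classification of t_l at q (see lead-in)."""
        elig = self.eligible(q)
        if TL not in elig:
            return "absent"
        forcible = elig & self.forc
        if not forcible:
            return "non-preemptable"
        return "ambiguous" if forcible & self.hib else "unambiguous"

    def ambiguous_tick_states(self):
        return {q for q in self.reachable()
                if self.tick_preemptability(q) == "ambiguous"}

    def is_ntu(self):
        """Definition 15 (NTU): an ambiguously preemptable tick never enters a state
        outputting τ ∈ T_act, i.e. it is never the terminal event of such a τ-string."""
        return all(self.V.get(self.delta[(q, TL)]) in (None, TH)
                   for q in self.ambiguous_tick_states())

    def is_nti(self):
        """Definition 15 (NTI): an ambiguously preemptable tick only ever enters a
        state outputting t_h, i.e. it is always the terminal tick of a t_h-string."""
        return all(self.V.get(self.delta[(q, TL)]) == TH
                   for q in self.ambiguous_tick_states())


def camera_model(after_tick_output, forc=frozenset({"σ3"})):
    """Constructed toy camera TDES with the names of Table 1 (not the paper's Fig. 7).
    q0: scanning (a0); q1: vocal, outputs τ1 after σ1; q4: waiting for the camera to
    be set; q2: camera set, σ3 (click) eligible; q3: vocal, outputs τ2 after σ3;
    q5: entered by a tick from q2, with the output given as parameter."""
    delta = {("q0", "σ1"): "q1", ("q0", TL): "q0",
             ("q1", "σ2"): "q2", ("q1", TL): "q4",
             ("q2", "σ3"): "q3", ("q2", TL): "q5",
             ("q3", TL): "q0",
             ("q4", "σ2"): "q2", ("q4", TL): "q4",
             ("q5", "σ3"): "q3"}
    V = {"q1": "τ1", "q3": "τ2", "q5": after_tick_output}
    return MooreTDES("q0", delta, V, frozenset({"σ1", "σ3"}), forc)


G_OK = camera_model(TH)          # the tick at q2 terminates a t_h-string: NTU and NTI
G_BAD = camera_model("τ2")       # the same tick now terminates a τ2-string: not NTU
G_RELAXED = camera_model("τ2", frozenset({"σ2"}))   # Σ_for ∩ Σ_hib = ∅ (Remark 1)

if __name__ == "__main__":
    for name, g in (("G_OK", G_OK), ("G_BAD", G_BAD), ("G_RELAXED", G_RELAXED)):
        print(name, "ambiguous ticks at", sorted(g.ambiguous_tick_states()),
              "NTU:", g.is_ntu(), "NTI:", g.is_nti())
    print("θ(σ1 σ2 t_l σ3) =", G_OK.theta(("σ1", "σ2", TL, "σ3")))
```

G_BAD differs from G_OK only in the output of the state entered by the tick taken where σ3 (forcible and prohibitable) is eligible; relabelling that state from t h to τ2 makes the tick the terminal event of a τ2-string and breaks NTU. Restricting Σ for to an uncontrollable event leaves no ambiguously preemptable tick anywhere, so NTI holds whatever the outputs are, which is the situation Remark 1 describes.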

SOCC-system synthesis for NTU systems
For NTU systems, an important result follows.

Theorem 6 An NTU TDES G lo is SOCC-system refinable.
Proof Consider an NTU TDES G lo . By Definition 15 of an NTU TDES and Corollary 1, G lo is AOCC-system refinable. Over [s , wσ s , < s 1 s 2 , j] of every pair (q 1 , q 2 ) of vocal-state partners (Definition 10) or partner-hiding states (Definition 13), both of which are control-dependent vocal states (Definition 9) in G lo , and letting s k = s k α k where α k ∈ Σ, k ∈ {1, 2}, it is the case that, since the given G lo is NTU, if V (q i ) = t h , then α i is preemption-unambiguous; and if V (q j ) = t h , then α j is uncontrollable.
Together, it follows that the NTU TDES G lo satisfies the sufficiency conditions stated in Theorem 5 for an SOCC-system refinable TDES. Hence the theorem.

STOCC-system synthesis for linear NTI systems
Fundamental to the linearity characterization on an NTI system is the system concept of linear time control-invariance, which requires the following definition.
Definition 16 (Timed-output-state control uniformity) A TDES G lo is said to be timed-output-state control uniform (w.r.t T act ) if, for all τ ∈ T act , whenever there exist a τ-string of L(G lo ) with reference prefix s and a t h -string of L(G lo ) with reference prefix w such that θ(w ) = θ(s ), then for every τ-string s ∈ L(G lo ) with reference prefix s such that θ(s ) = θ(s ), τ has the same controllability property w.r.t s and the same forcibility property w.r.t s .
The characterization of the concept is depicted in Fig. 10. The concept of linear time control-invariance follows.
Definition 17 (Linear time control-invariance) A TDES G lo is linear time control-invariant (w.r.t T act ) if it is timed-output-state control uniform and NTI.
Thus, a TDES G lo is linear time control-invariant in the sense that
- it is timed-output-state control uniform, and thus at an arbitrary high-level state where a τ ∈ T act and t h are eligible, and the state is reachable from below by a string s ∈ L voc (G lo ), the string-wise control properties of τ ∈ T act over every τ-string of L(G lo ) with reference prefix s such that θ(s ) = θ(s ) are the same; and
- it is NTI, and thus at an arbitrary low-level state, whenever a tick t l is eligible, the control preemptability of the tick t l under arbitrary system control dynamics is always the same if the tick t l is not a terminal event of a t h -string of L(G lo ).

Fig. 10 Timed-output-state control uniformity: (a) High-level abstraction of the characterization; (b) Low-level string-wise characterization
Note that because a linear time control-invariant TDES is NTI, string-wise, no τ ∈ T act is ambiguously controllable. The two possible abstraction anomalies, of an eligible τ ∈ T act becoming ineligible, and of it having one of its event-control properties modified upon a t h -occurrence, are formalized as t h -preemptability and t h -property-modifiability, respectively, as follows.
Definition 18 (t h -preemptability of τ ∈ T act ) Consider an arbitrary τ -string of L(G lo ) with τ ∈ T act and reference prefix s . Then τ is said to be t h -preemptable w.r.t s if there exists a t h -string w ∈ L(G lo ) with reference prefix w such that θ(s ) = θ(w ), but there is no τ -string of L(G lo ) with reference prefix r such that θ(r) = θ(w).
Intuitively, t h -preemptability of τ ∈ T act characterizes the situation where a high-level event τ that is eligible is 'preempted' or becomes ineligible following an occurrence of t h at a high-level state where τ and t h are eligible. A proposition relating system output time-compliance and t h -preemptability follows.

Proposition 6 A TDES
Proof For an arbitrary τ-string of L(G lo ) with reference prefix s , where τ ∈ T act , by Definition 18 of t h -preemptability, τ is not t h -preemptable w.r.t s
- provided that, for every t h -string w ∈ L(G lo ) with reference prefix w such that θ(s ) = θ(w ), there exists a τ-string of L(G lo ) with reference prefix r such that θ(r) = θ(w);
- provided that, if there exists a tt h ∈ θ(L(G lo )) such that θ(s ) = t, then there exists a τ-string of L(G lo ) with reference prefix r such that θ(r) = θ(w )t h ;
- provided that, if there exists a t h -string of L(G lo ) with reference prefix w such that θ(s ) = θ(w ), then there exists a τ-string of L(G lo ) with reference prefix r such that θ(r) = θ(w )t h ;
and provided that G lo is OTC by Definition 6 of an OTC TDES. Hence the proposition.
Next is the t h -property-modifiability of a τ ∈ T act . Essentially, it means that, for a TDES hierarchy (G lo , G hi ) where G hi def = (X, T , ξ, x 0 , −), there is some reachable state x ∈ X with τ ∈ T act (x), and a state x = ξ(t h , x) ∈ X, for which there is no τ -string s 2 ∈ L(G lo ) with reference prefix s such that x = ξ(θ(s ), x 0 ) and θ(s ) = tt h for some t ∈ T * such that x = ξ(t, x 0 ), and for which τ has the same controllability and forcibility properties w.r.t s 2 and s , respectively, as it respectively has w.r.t any τ -string s 1 ∈ L(G lo ) and s , where s is the reference prefix of s 1 such that θ(s ) = t. In this paper, for a clearer exposition, it suffices to formally define this anomaly for a linear time control-invariant TDES G lo .
Definition 19 (t h -property-modifiability of τ ∈ T act ) Consider an arbitrary τ -string s 1 ∈ L(G lo ) with τ ∈ T act and reference prefix s , where TDES G lo is linear time controlinvariant. Then τ is said to be t h -property-modifiable w.r.t s if there exists a t h -string w ∈ L(G lo ) with reference prefix w , where θ(s ) = θ(w ), and there exists a τ -string s 2 ∈ L(G lo ) with reference prefix s , where θ(s ) = θ(w) such that, for every such s 2 ∈ L(G lo ), -either, τ is controllable w.r.t s 1 iff τ is not controllable w.r.t s 2 , -or, τ is forcible w.r.t s iff τ is not forcible w.r.t s .
Intuitively, for a linear time control-invariant TDES G_lo, the t_h-property-modifiability of τ ∈ T_act refers to one 'uniform' string-wise event-control property (either controllability or forcibility) of the high-level event τ changing completely following an occurrence of t_h at a high-level state where both τ and t_h are eligible.
Based on Proposition 6, we may define a stronger concept of an OTC-system.
Definition 20 (Control output time-compliance) A TDES G_lo is said to be control OTC if every τ ∈ T_act is neither t_h-preemptable nor t_h-property-modifiable w.r.t. the reference prefix of each τ-string of L(G_lo).
We now define the relative index of the starting state of the longest suffix, if one exists, of the co-silent string of a t_h-string in a TDES G_lo along which the TDES will never diverge from entering a state outputting t_h.
Definition 21 (Output-time attractor limit) The attractor limit for a t_h-string <s′, σ_i, −, k, t_h> ∈ L(G_lo), if it exists, is the smallest index b (1 ≤ b < k) starting from which the prefix s′σ_1···σ_i, for every i (b ≤ i < k), cannot be extended to any τ-string of L(G_lo) with reference prefix s′, where τ ∈ T_act. Intuitively, if no attractor limit b (1 ≤ b < k) exists for a t_h-string <s′, σ_i, x_i, k, t_h> ∈ L(G_lo), then every prefix s′σ_1···σ_i (1 ≤ i < k) can be extended to some τ-string of L(G_lo) with reference prefix s′, where τ ∈ T_act. If one does exist, then, evolving from TDES state x_0, it is only after entering state x_b that the evolution toward state x_k, or any other vocal state that outputs t_h, is guaranteed.
Two more system concepts, for a linear time control-invariant TDES, follow.
In words, a linear time control-invariant TDES G_lo is output-control deterministic if, for every τ-string and every τ′-string of L(G_lo), τ, τ′ ∈ T_act, both with the same reference prefix s′, if τ ≠ τ′ and their co-silent strings share the first p low-level events, then each shared event is either uncontrollable or a non-preemptable t_l. This characterization is depicted in Fig. 11. Intuitively, it ensures that every high-level prohibitable event can always be solely disabled and every preemptable t_h can always be solely preempted.
Next, G_lo is anomalous output-time linearly blockable if, for every τ-string with reference prefix s′, τ ∈ T_act, if τ is either t_h-preemptable or t_h-property-modifiable w.r.t. s′, then two conditions hold. One, for every t_h-string <s′, α_j, z_j, h, t_h> ∈ L(G_lo) whose co-silent string shares its first p events with the co-silent string of the τ-string, there must exist an attractor limit b for the t_h-string such that b > p, and the suffix of the co-silent string of the t_h-string starting from state z_b must contain a low-level activity event α_g for some g (b ≤ g < h). Two, for every t_h-string <w′, β_j, y_j, l, t_h> ∈ L(G_lo) whose reference prefix w′ has the same θ-image as the string s′ and cannot be extended to a τ-string with the same reference prefix w′, there exists an attractor limit b′ for the t_h-string such that the suffix of the co-silent string of the t_h-string starting from state y_b′ contains a low-level activity event β_g for some g (b′ ≤ g < l). This characterization is depicted in Fig. 12. Intuitively, anomalous output-time linear blockability asserts that, at a high-level state where t_h and an activity event are eligible, if the occurrence of t_h preempts the activity event or changes its controllability or forcibility property, then there must exist critical low-level activity events whose occurrence respectively discontinues or alters the nature of the on-going high-level activity w.r.t. time.
We are now ready to define a linear NTI system, and present its STOCC-system synthesis result. A lemma follows.
To prove that G_lo is PF: Since G_lo is output-control deterministic by Definition 23 of a linear NTI TDES, it follows by Definition 22-1 of output-control determinism that, if τ ≠ τ′, then for all i (1 ≤ i ≤ p), σ_i ∈ Σ_u or (σ_i = t_l & Σ(x_{i−1}) ∩ Σ_for = ∅). This implies that the string σ_1···σ_p is uncontrollable. Hence, (q_1, q_2) is not a pair of control-dependent states, as Condition CDS1 of Definition 9 is not satisfied. Therefore (q_1, q_2) is not a pair of vocal-state partners by Definition 10. By Definition 11, since G_lo does not have vocal-state partners, it is PF.
To prove that G_lo is PHF: By Definition 23, G_lo is also linear time control-invariant and therefore NTI by Definition 17. This implies that if τ ≠ τ′ ∈ T_act, the co-silent strings σ_1···σ_k and α_1···α_h of the τ-string and τ′-string of L(G_lo), respectively, do not contain an ambiguously preemptable tick t_l, and hence (q_1, q_2) is not a pair of partner-hiding states by Definition 13. By Definition 14, since G_lo does not have partner-hiding states, it is PHF.
Hence the lemma.
We now present a conceptual method named Method STOCC-LNTI-SR for a linear NTI TDES (G_lo, V). The method uses another conceptual method named Method COTC-SR, which is presented first.
Method COTC-SR is defined over the reachability tree (G_lo,t, V_t) as follows: For each τ ∈ T_act, and for every τ-string s = <s′, σ_i, −, k, τ> ∈ L(G_lo) for which τ is t_h-preemptable or t_h-property-modifiable w.r.t. its reference prefix s′: Step 1) Add a new activity output γ to T_act.
Method STOCC-LNTI-SR for a linear NTI TDES (G_lo, V) is now outlined in two steps, as follows: Step 1) Refine the TDES G_lo by applying Method COTC-SR.
Step 2) Refine the model G_lo further by first applying Procedure OCC-SR, and thereafter fixing each force-don't-care event
Henceforth, a TDES is said to be STOCC-system refinable if it can be refined to be STOCC using Method STOCC-LNTI-SR.
We first show that, by applying Step 1 (i.e., Method COTC-SR) of Method STOCC-LNTI-SR, the given linear NTI TDES G_lo can be refined to be control OTC without violating the linear NTI-system property, as follows. Consider an arbitrary τ-string s = <s′, σ_i, x_i, k, τ> ∈ L(G_lo), where τ ∈ T_act.
- Show that the given G_lo can be refined to be control OTC: If τ ∈ T_act is t_h-preemptable or t_h-property-modifiable w.r.t. s′, Definitions 18 and 19 together imply that there must exist a t_h-string w = <w′, α_j, −, h, t_h> such that θ(w′) = θ(s′). The string w′ may or may not be the reference prefix of some τ-string of L(G_lo), so there are two cases to consider. Case 1: The string w′ is the reference prefix of some τ-string. Then, since τ is either t_h-preemptable or t_h-property-modifiable w.r.t. s′, τ is also t_h-preemptable or t_h-property-modifiable w.r.t. w′. By Definition 22-2 of anomalous output-time linear blockability, there exists an attractor limit (Definition 21), namely an index b such that, along the co-silent string α_1···α_h of w, α_j ∈ Σ_act for some j (b ≤ j < h). Hence, in applying Method COTC-SR, one such index j can be found for redefining V(δ(w′α_1α_2···α_j, q_0)) = γ, where γ is the new activity output introduced.
Case 2: The string w′ is not the reference prefix of any τ-string. Then, since τ is either t_h-preemptable or t_h-property-modifiable w.r.t. s′, by Definition 22-2 of anomalous output-time linear blockability there exists an attractor limit, namely an index b′, such that, along the co-silent string α_1···α_h of w, α_j ∈ Σ_act for some j (b′ ≤ j < h). Hence, similarly, in applying Method COTC-SR, one such index j can be found for redefining V(δ(w′α_1α_2···α_j, q_0)) = γ, where γ is the new activity output introduced.
In (effectively) redefining the vocalization map V as such, Method COTC-SR refines the TDES G_lo so that, for the refined G_lo, every τ ∈ T_act is no longer t_h-preemptable or t_h-property-modifiable w.r.t. s′. Hence the refined G_lo contains no τ-string where τ is either t_h-preemptable or t_h-property-modifiable w.r.t. its reference prefix, and is therefore control OTC by Definition 20.
- Show that the refined G_lo remains a linear NTI system: To prove that G_lo remains NTI: As deduced from Definition 15, G_lo is NTI provided every event along the co-silent string of an arbitrary τ-string of L(G_lo) is not an ambiguously preemptable tick t_l, and so is every non-terminal event along the co-silent string of an arbitrary t_h-string of L(G_lo). For the given NTI G_lo, without relabeling or unlabeling any existing t_h-string (i.e., redefining it as a non-t_h-string or a non-vocal string, respectively), and only introducing each new γ-string as prescribed for each new γ added to T_act, Method COTC-SR clearly does not change this provision for the refined G_lo; hence the refined G_lo remains NTI.
To prove that G_lo remains timed-output-state control uniform: From the proof above showing that the given G_lo can be refined to be control OTC, it is clear that, for any new activity output γ, and therefore any new γ-string of L(G_lo) with reference prefix s′ introduced by Method COTC-SR, there is no t_h-string with reference prefix w′ such that θ(s′) = θ(w′) in the refined G_lo, and the co-silent string of every τ-string in the given G_lo remains the same in the refined G_lo. Therefore, the refined G_lo remains timed-output-state control uniform by Definition 16.
At this juncture, we have proved that the refined G_lo is linear time control-invariant (Definition 17), to which Definition 22 is applicable.
To prove that G_lo remains anomalous output-time linearly blockable: As proved above, the refined G_lo is control OTC (Definition 20). It follows by Definition 22-2 that it is trivially anomalous output-time linearly blockable.
Together, the refined G_lo, which is control OTC and hence OTC by Definition 20 and Proposition 6, is a linear NTI system by Definition 23.
We then show, by applying Step 2 of Method STOCC-LNTI-SR, that the TDES G_lo can be further refined to be SOCC without violating the established OTC-system property, and hence to be STOCC by Definition 12, as follows. Remaining linear NTI, the OTC-system refined G_lo is, by Lemma 2, PF and PHF, which is the same as a TDES refined using Procedure PF-SR. Therefore, by Theorem 6, G_lo, an NTI and therefore NTU TDES by Definition 15, can be further refined to be SOCC by applying the remaining Procedure OCC-SR. Because G_lo is NTI, no co-silent string of any τ-string of L(G_lo), where τ ∈ T_act, is ambiguously controllable, and hence no new t_h-string is introduced by Procedure OCC-SR in Step 2 of Method STOCC-LNTI-SR. Together with the fact that the TDES G_lo to be further refined is control OTC, after applying Step 2 of Method STOCC-LNTI-SR, no (control relabeled) γ ∈ T_act in the refined G_lo is t_h-preemptable or t_h-property-modifiable, string-wise. Hence the SOCC-system refined G_lo remains control OTC and hence OTC by Definition 20 and Proposition 6.
Hence the theorem.

Hierarchical control of a photocopying system -a linear NTI system
The STOCC-system synthesis for linear NTI TDES's is illustrated, with the necessity for output-time fidelity reiterated, using a simplified but non-trivial photocopying machine that takes a photo snapshot of every properly placed document page and saves it as a software image file.

System description
The machine is a system composition G of two real-time component TDES's: a photocopier G_1 and a page positioner G_2. The ATG's G_1,act and G_2,act with their associated timing information, from which the respective components G_1 and G_2 (not shown) are constructed, are shown in Figs. 13a and b; the composite system is shown in Fig. 13c.
The definitions of the system events are given in the 'Events' row of Table 2.
The dynamics of the system components are described as follows. Following a 1-tick joint initialization or re-initialization of sensors, the system components are both ready to begin the next photocopying cycle. When a document page in the input tray is detected (σ_1), the page positioner and photocopier are jointly alerted. Following this, the page positioner takes 1 tick to ready itself, and up to 1 subsequent tick to pull the page from the input tray and position it in the photocopy area (σ_5). Concurrently, the photocopier takes 2 ticks to set up, and up to 2 more ticks to photocopy the page and save the photocopy as a software file (σ_4). Upon executing σ_4, the photocopier may clear any page in the photocopy area into the input tray (σ_3) or, following a 1-tick delay, take up to 1 more tick to clear the page in the photocopy area into the output tray (σ_2). Upon executing σ_5 followed by a tick, the page positioner readies itself for the next document page (σ_6).
The intricate timed interleaving of the events between the system components is captured in the TDES model G.

Initial hierarchical system design
Suppose that in the initial hierarchical system design, we are given the set of high-level activity events, each defined as an output by vocal states of a Moore version G_lo (shown in Fig. 13d) of the composite system G, entered following a respective low-level activity event or string of low-level activity events (in the composite ATG of G_1,act and G_2,act). The system outputs of interest pertain to the photocopying cycle. The definitions of these system outputs are given in the 'Outputs (given)' row of Table 2. The outputs correspond to 'next page placed for photocopying', signaled as high-level event τ_1 when σ_1 occurs; 'page processed', signaled as τ_2 when σ_2 occurs; 'page photocopy assured', signaled as τ_3 when σ_5 is the next activity event to occur after σ_1; 'page failed to be photocopied', signaled as τ_4 when σ_4 is the next activity event to occur after σ_1; and 'page left in photocopy area', signaled as τ_5 when σ_5 occurs immediately after σ_3.

Table 2 System events and outputs of the photocopying system
Events:
- σ_1: document page detected in input tray
- σ_2: page cleared from photocopy area into output tray
- σ_3: page cleared from photocopy area into input tray
- σ_4: photocopy-as-software-file action executed
- σ_5: page pulled from input tray and positioned in photocopy area
- σ_6: ready for next photocopying cycle
Outputs (given):
- τ_1: next page placed for photocopying (vocalized after σ_1)
- τ_2: page processed (vocalized after σ_2)
- τ_3: page photocopy assured (vocalized after σ_1σ_5)
- τ_4: page failed to be photocopied (vocalized after σ_1σ_4)
- τ_5: page left in photocopy area (vocalized after σ_3σ_5)
Output (added):
- τ_6: page to be re-processed (vocalized after σ_3)

Linear NTI system -a verification
In the following, we verify that the given G_lo of Fig. 13d with T_act = {τ_i | 1 ≤ i ≤ 5} is linear NTI (Definition 23).
- G_lo is NTI (Definition 15) because no t_l in G_lo is ambiguously preemptable (Definition 1).
- G_lo is timed-output-state control uniform (Definition 16) since:
  - For each γ ∈ T_act − {τ_2} and for an arbitrary γ-string s ∈ L(G_lo) with reference prefix s′, there does not exist a γ-string w ∈ L(G_lo), w ≠ s, with reference prefix s″ such that θ(s″) = θ(s′). Therefore, each such γ trivially satisfies the condition required of every τ ∈ T_act for timed-output-state control uniformity.
  - For τ_2 ∈ T_act, consider an arbitrary τ_2-string of L(G_lo) with reference prefix s′. For each s′ ∈ R_2 = {t_lσ_1t_lt_lσ_4, t_lσ_1t_lσ_5, t_lσ_1t_lt_lσ_5}, there exists a t_h-string of L(G_lo) with reference prefix s′; and for every τ_2-string s ∈ L(G_lo) with reference prefix s″ such that θ(s″) = θ(s′) (where we note that s″ = s′), τ_2 stays uncontrollable w.r.t. the given s and forcible w.r.t. the string s″. It can be inferred from R_2 (the set of representative reference prefixes for τ_2) and the structural regularity of the (finite-state) G_lo that the reference prefix of every τ_2-string is the reference prefix of some t_h-string, both of L(G_lo), and that for every τ_2-string s ∈ L(G_lo) with reference prefix s′, τ_2 is uncontrollable w.r.t. s and forcible w.r.t. s′. Thus, τ_2 satisfies the condition required of every τ ∈ T_act for timed-output-state control uniformity.
- G_lo is output-control deterministic (Definition 22-1) since:
  - For each γ ∈ T_act − {τ_5} and for every γ-string s ∈ L(G_lo), since its co-silent string contains only events in Σ_u ∪ {t_l}, of which every t_l present is non-preemptable, γ trivially satisfies the condition required of every τ-string of L(G_lo), τ ∈ T_act, for output-control determinism.
  - For τ_5 ∈ T_act, consider the τ_5-string s′σ_3σ_5 ∈ L(G_lo) with reference prefix s′ = t_lσ_1t_lt_lσ_4 and co-silent string σ_3σ_5. Since s′σ_3 cannot be extended, by an event or a string via intermediate non-vocal states, into states vocalizing outputs other than τ_5, this τ_5-string trivially satisfies the condition required of every τ-string of L(G_lo), τ ∈ T_act, for output-control determinism. It can be inferred from the representative reference prefix s′ = t_lσ_1t_lt_lσ_4 for τ_5 and the structural regularity of G_lo that every τ_5-string of L(G_lo) satisfies the condition required of every τ-string of L(G_lo), τ ∈ T_act, for output-control determinism.
- G_lo is anomalous output-time linearly blockable (Definition 22-2) since, string-wise, no τ ∈ T_act is t_h-property-modifiable, and only τ_2, τ_5 ∈ T_act are t_h-preemptable: τ_2 is t_h-preemptable w.r.t. s′ ∈ R_2 (with R_2 defined above), and τ_5 is t_h-preemptable w.r.t. t_lσ_1t_lt_lσ_4 ∈ R_2. It can be inferred from the representative reference prefix set R_2 for {τ_2, τ_5} and the structural regularity of G_lo that τ_2, τ_5 ∈ T_act are t_h-preemptable w.r.t. every one of their reference prefixes.
Along the co-silent string of every t_h-string with the same reference prefix as a τ-string of L(G_lo), where τ ∈ {τ_2, τ_5}, there exists a non-vocal state entered via a transition on event σ_3, from which the system cannot be extended, by an event or a string via intermediate non-vocal states, into a state vocalizing an activity output. Thus, for every such t_h-string, an attractor limit exists (at every state entered via a transition on σ_3).
In what follows, we explain how to refine the given TDES G_lo to build a consistent hierarchy, albeit one that has some design-time anomalies.

SOCC-system synthesis & high-level time fidelity issues
The given G_lo is NTI and hence NTU. By Theorem 6, it is SOCC-system refinable using Procedure PF-SR followed by Procedure OCC-SR. By Lemma 2, since the given G_lo is linear NTI, it is PF and PHF. To refine it into an SOCC-system, it remains to apply Procedure OCC-SR, to relabel accordingly and unambiguously associate every τ ∈ T_act with its event-control properties. Note that following Step 1 of Procedure OCC-SR, τ_4 becomes β_4; and following Step 2, string-wise, β_4 is found to be always force-don't-care, and is defaulted to non-forcible with relabel β_4. The OCC-system refined G_lo is also partner-free, and hence is SOCC.
The refined hierarchy (G_lo, G_hi), where G_lo is SOCC, is shown in Fig. 14. By Theorem 2, it is HC.
Note that in the abstracted model G_hi shown in Fig. 14a, the eligibility of giving assurance that a page can be photocopied (β_3) is invariant under the high-level time tick transition. Importantly, this aspect of timing semantics captures a critical fact: any high-level tick delay in giving such assurance can result in the imminent and uncontrollable possibility of page-photocopy failure (β_4) while the assurance is still in progress. The eligibility of a page placed and ready for photocopying (β_1) is also invariant under the high-level time tick transition, and that of β_4 is trivially so. However, high-level activity events β_2 and α_5 do not comply with such timed eligibility invariance, and thus G_hi violates Property 3, or equivalently, the SOCC G_lo violates the OTC-system property.
Violating Property 3 although Property 4 and ALF (5) are satisfied, model G_hi in Fig. 14a does not possess time fidelity. It follows that, as similarly illustrated in the example system depicted in Fig. 2, a high-level real-time specification such as ensuring 'at most one high-level tick for page processing (β_2) completion' has unsound timing semantics w.r.t. G_hi. Certain high-level specifications might still have sound timing semantics, but without going underneath the abstraction to understand the low-level system dynamics of the non-OTC G_lo, studying the high-level model G_hi alone makes it difficult for a high-level control designer to identify and prescribe with confidence any correct and required high-level control specification for G_hi. As a matter of fact, one wonders what unabstracted low-level activity event or string of low-level events occurs along with the tick t_h, causing the system G_hi in Fig. 14a to, upon the t_h-occurrence, cancel the processing (β_2) or prevent a page from being left in the photocopy area (α_5).
In what follows, we explain how to refine the given TDES G_lo in Fig. 13d to build a consistent hierarchy with output-time fidelity.

STOCC-system synthesis
Because the given G_lo is linear NTI as established earlier, by Theorem 7 it is STOCC-system refinable (using Method STOCC-LNTI-SR). From a design perspective, the missing high-level information is the signal that a document page needs to be re-processed. So it turns out that, although technically not necessarily the only way, we may introduce a new high-level event τ_6 to represent this information, to be output by every state entered following σ_3 (see the 'Output (added)' row of Table 2). The modified G_lo, as shown in Fig. 13e, becomes OTC with no τ ∈ T_act that is string-wise t_h-preemptable or t_h-property-modifiable. Applying Procedure OCC-SR to this modified G_lo, every τ ∈ T_act is relabeled accordingly and unambiguously associated with its event-control properties. Again, note that, following Step 1 of Procedure OCC-SR, τ_2, τ_4, τ_5 and τ_6 become β_2, β_4, α_5 and α_6, respectively; and following Step 2, string-wise, β_2, β_4, α_5 and α_6 are found to be always force-don't-care, and are defaulted to non-forcible, with relabels β_2, β_4, α_5 and α_6, respectively.
The desired refined hierarchy (G_lo, G_hi), where G_lo is STOCC, is shown in Fig. 15. By Theorem 2, it is HC-OTF.

Hierarchical control specification
As a specification example over G_hi shown in Fig. 15a, we may now assert the requirement that every document page is to be photocopied once without failure. The specification TTG for this requirement is shown in Fig. 16. A high-level supervisor (not shown) may be synthesized using standard real-time control theory (Brandin and Wonham 1994).
Note that a specialized untimed hierarchical nonblockingness result, which requires the reporter map to be a system marked language observer (see Wonham (2016) for details), is applicable to TDES's within the same framework of formal languages and finite automata. Although hierarchical consistency, as formalized by Definition 8 and Theorem 2, does not deal with marked states, it can be shown by applying this nonblockingness result that the photocopying system hierarchy (G_lo, G_hi) in Fig. 15 admits a nonblocking high-level supervisor that can be realized or implemented by a corresponding low-level supervisor generating prefix-closed sublanguages.

Framework generalization & scalability
Our theory development of formulating and building a consistent control hierarchy began with adopting the control-theoretic formulation of G (2) (Brandin and Wonham 1994) as the base TDES model and our formulation of the timed reporter map θ. This puts our contribution in the context of a useful control-theoretic system model possessing time fidelity, which G (2) is for real-time system and control design (Brandin and Wonham 1994), with the added control-theoretic postulation of Σ_spe ⊆ Σ_u being sufficient for proving Property 4 under the two partitions of Σ_act, namely Σ_spe ∪ Σ_rem and Σ_hib ∪ Σ_u. It should be clear that the theory part on hierarchical consistency with output-time fidelity still applies as long as a given base TDES model, a TTG, possesses time fidelity, and the part on that without output-time fidelity guarantee still applies even if the base TDES model has Property 3 relaxed, in which case we are using a TDES model where tick still represents time but is not always 'behaviorally' real time, as it can be a timeout (see Footnote 1): an event denoting a time elapse in simultaneity with some implied action, whose transition may disrupt the eligibility of activity events.
In concluding, we note that the hierarchical consistency for two levels may be extended to multiple levels. Once hierarchical consistency is achieved, either of the type without or with output-time fidelity guarantee, as desired, for, say, (G_lo,0, G_hi,0) (the base level and the initial level up) by refining accordingly the Moore TDES G_lo,0 that is NTU or linear NTI, respectively, the constructions may be repeated by first assigning state outputs in G_hi,0 (according to the time-output design laws and the respective NTU or linear NTI system modeling constraints) to obtain a Moore TDES G_lo,1 as desired, and then bringing in the next higher level, G_hi,1. Clearly, by similarly refining the TDES G_lo,1 obtained, the hierarchical consistency of the same type for (G_lo,1, G_hi,1) as attained for (G_lo,0, G_hi,0) can be achieved without disturbing the consistency of (G_lo,0, G_hi,0). In principle, therefore, as with the logical framework (Zhong and Wonham 1990), our real-time framework is vertically scalable.

Conclusion
The concepts of output-control consistency and partner-freeness for hierarchical control are generalized, from untimed DES's (Zhong and Wonham 1990) to TDES's (Wong and Wonham 1996) where time fidelity need not be respected in the sense of not obeying Property 3; and the foundation is then augmented with the new concept of output time-compliance for a class of Moore TDES's that possesses time fidelity, to develop a new real-time control-theoretic framework for hierarchical control where output-time fidelity is also respected, i.e., a new framework of hierarchical consistency with output-time fidelity. In essence, developed in this paper are abstraction concepts by which to 'cyberize the physical TDES' at the low level and 'physicalize the cyber TDES' at the high level, when applied to building a cyber-physical system as a consistent two-level TDES hierarchy. Under this framework, supporting SOCC-system existence and synthesis results are presented, on which the results of SOCC-system synthesis for hierarchical consistency and STOCC-system synthesis for hierarchical consistency with output-time fidelity are proved for the mildly restrictive class of NTU systems and its subclass of linear NTI systems, respectively.
Formalized over controllable, high-level prefix-closed system sublanguages as in the logical version (Zhong and Wonham 1990), hierarchical consistency does not ensure control nonblockingness at the high level by low-level control implementation; only the prefix-closure of high-level nonempty controllable sublanguages can be realized, unless some hierarchical observer condition holds, as briefly mentioned at the end of Section 7.3. Using the key system concepts of output-control consistency developed in this paper, the logical theory of hierarchical consistency with marking (Wonham 2016) can be extended to a timed framework, under which a high-level nonblocking supervisor can be implemented by a low-level nonblocking supervisor.
Finally, it is well understood that the problem of computational complexity in system and control synthesis for large composite TDES's is serious because of state explosion from system composition that is exacerbated by Moore TTG modeling. To graduate from theory to practice, future research will need to address and mitigate this problem in our real-time framework, by first considering more efficient and compact representations in place of (infinite node) reachability trees for the Moore system synthesis procedures conceptualized.
Quang Ha Ngo received the B.Eng. (Hons.) and Ph.D. degrees in computer engineering from Nanyang Technological University, Singapore, in 2008 and 2017, respectively. He is currently a Senior Data Scientist at ISI-Dentsu South East Asia, Singapore.
His research interests include discrete-event systems, data mining, and big data analytics. Dr. Seow's academic research interests include intelligent agents and multiagent systems, supervisory control of discrete-event systems and temporal logic, with emphasis on their mutual connections and applications.