On a simplified untiming procedure for supervisory control of timed automata when the time increases strictly monotonically

Given a timed automaton G accepting the timed language L T a finite state machine G′ can be constructed, known as the region automaton, which accepts the untimed language Untime (L T). In this paper we construct an alternative finite state machine which also accepts the language Untime (L T), but has fewer states than G′. This is shown for languages of both finite and infinite traces given that the time values in the time sequence increase strictly monotonically. The supervisory control design for timed automata, when the simplified untiming procedure is used and the time is strictly positive, is studied.


Introduction
Timed discrete event systems are a generalization of discrete event systems in which each event is considered to have occurred at a certain point in time. Primarily, research in this field has concentrated on the logical sequencing of events and abstracted away the actual timing delays between events. However, the correct behaviour of hard real-time systems such as manufacturing systems, transport systems and computer networks depends on the actual delay values between events. Various formalisms have been developed to model timed discrete event systems, including Alur and Dill (1994) and Brandin and Wonham (1994). Work in Brandin and Wonham (1994) corresponds to discrete time using a single system timer as opposite to Alur and Dill (1994) where the dense time model includes several asynchronous clocks and is more expressive than other formalisms allowing composition of timed processes and independent timing conditions for each system component. Here, we are concerned with timed automata as defined in Alur and Dill (1994).
The timed automaton defines (or accepts) a language of timed words. A timed word is defined as follows: given an ordinary word 1 2 . . . n , we pair each letter i with a non-negative real number t i 2 R !0 , subject to the condition that t i < t iþ1 ; thus a timed word over an alphabet S is a finite sequence ð 1 ; t 1 Þ . . . ð n ; t n Þ with i 2 S and the numbers t i are increasing strictly monotonically. It is convenient to define Untime ðð 1 ; t 1 Þ . . . ð n ; t n ÞÞ ¼ ð 1 . . . n Þ. A timed language over S is then a set of timed words over S. Languages of infinite timed words are similarly defined; an infinite (timed) word is called a (timed) !-word, and a language of (timed) infinite words is called a (timed) !-language.
We interpret t i to be the time at which the event i occurs; it is a convention in the theory of timed discrete event systems that an event occurs at a single point in time, whereas a system may be in a particular state for a non-trivial time interval.
Given a timed automaton G accepting the timed language L T , it was shown in Alur and Dill (1994) that a finite state automaton G 0 can be constructed, known as the region automaton, which accepts the language Untime (L T ).
The main result of this paper concerns the definition of a finite state automaton G Ã that also accepts the language Untime (L T ), but has significantly fewer states than G 0 and is therefore easier to construct. We require that the time increases strictly monotonically, while in Alur and Dill (1994) time is first assumed to satisfy the same monotonicity constraint (Definition 3.1), this condition is later relaxed. We first consider timed automata as acceptors of finite timed words, and in } 5 we generalize our results to timed !-words. Indeed, we need to distinguish languages of finite and infinite strings since the derived finite automata in each case are different, whereas in Alur and Dill (1994) the results are the same for both cases. Although the result above is of interest in computer science, we show that our result is useful for the control of real time discrete-event systems as well.
The second result concerns the application of the simplified construction of the automaton G Ã for the supervisory control of timed discrete event systems. Supervisory control for timed discrete event systems has been studied in Hoffmann and Wong-Toi (1992), Brandin and Wonham (1994), Asarin et al. (1998), Laurence andSpathopoulos (1998) andSpathopoulos (2003). In Hoffmann and Wong-Toi (1992) and Laurence and Spathopoulos (1998) the methods of Ramadge and Wonham (1987) are adapted to construct a supervisor for a dense real-time discrete event system modelled by a timed automaton using untiming procedures. In Spathopoulos (2003) the non-blocking supervisory control problem with urgency has been studied and in Asarin et al. (1998) the same problem is addressed without using untiming procedures.
When the time increases strictly monotonically, as is always the case in reality, the simplified automaton derived below, which applies for the finite string case, can be used for the solution of the supervisory control problem. We show that when this simplified technique is used and the time is strictly positive it is necessary for the controlled behaviour to become more conservative. Intuitively this is to be expected since allowing the time to be zero gives more flexibility to the model. The paper is organized as follows. In }} 2 and 3 the timed automata and the construction of the region (untimed) automaton, as given in Alur and Dill (1994), are briefly introduced.
The main result of the paper is given in } 4 and in } 5 the result is extended for infinite strings. Upper bounds for the clock regions of the derived automata are given in } 6. The second result is given in } 7 where the simplified untiming technique is used for the supervisory control problem of real time discrete-event systems. An illustrated example is used in order to derive the conditions under which the simplified construction results in the least restrictive controlled behaviour. Finally, conclusions are given in } 8.

The timed automaton
In this section we give a short overview of the timed automaton as defined in Alur and Dill (1994), where the reader is referred for more details. Our purpose here is not to give intuitive explanations of definitions in timed automata and interested readers should be familiar with them.
For simplicity we consider timed automata as acceptors of finite words. Our results are extended for languages of infinite words in } 5.
Definition 1: A timed automaton is a tuple where S, as usual, is a finite alphabet, S is a finite set of states, C is a finite set of clocks and E is a finite set of edges. The sets S 0 ; S m S are called the initial and final (or accepting) state sets respectively. An edge is a tuple ðs; s 0 ; ; ; C 0 Þ, alternatively written Here C 0 C and is what is known as a clock constraint. A clock constraint is a predicate (that is, a condition) built from the atomic predicates c Ã q (where c 2 C and Ã is one of , ! or ¼ and q 2 Z) using : (not) and the connectives^(and) and _ (or). For instance, if c; d 2 C then c ! 1 _ d ¼ 2 is an example of a predicate.
We need further definitions as follows.
Definition 3: A clock valuation : C ! R !0 is said to satisfy a clock constraint if replacing each clock c in c in by ðcÞ gives a true statement.
Definition 4: If : C ! R !0 is a clock valuation and t 2 R, then þ t is the clock valuation given by ð þ tÞðcÞ ¼ ðc þ tÞ for all clocks c. Also, if t > 0 then þ t is said to be a successor of .
Definition 5: If : C ! R !0 is a clock valuation and C 0 C then ½C 0 ¼ 0 is the clock valuation which sends all clocks in C 0 to zero and sends all the others to the same value as .
Essentially, the timed automaton is an infinite state automaton whose states are ordered pairs ðs; Þ where s 2 S is a state and : C ! R !0 is a clock valuation. We will call such pairs generalized (or extended) states. When the timed automaton is G regarded as an infinite state automaton, its initial (generalized) states are those ordered pairs ðs; Þ where s 2 S 0 and the valuation sends every clock to zero. The final states are those for which s 2 S m . The set of transitions between generalized states is defined as follows.
Given the edge in (2) and clock valuations ; 0 , there is a legal transition with label from ðs; Þ to ðs 0 ; 0 Þif there exists t > 0 and 0 ¼ ½C 0 ¼ 0ð þ tÞ. We call t the time jump of the transition at the state s. We also define the empty timed word ð"; 0Þ, where " is the empty word. All transactions are of this type, or are trivial; that is, there is a transition with label " from every generalized state to itself.
It is worth mentioning again that it is possible to allow zero time jumps in the definition of a transition. This was considered by Alur and Dill (1994) in order to allow the same time value to be associated with many consecutive events in the time sequence. However, in this case the main result of this paper, the construction of an untimed automaton G 0 with fewer states than the region automaton is impossible, since Lemma 3 of } 4 is false.
Having defined G as a state machine, we now explain how G can be used to define a timed language. Let ð 1 ; t 1 Þ . . . ð n ; t n Þ be a finite timed word. Then we say that G accepts ð 1 ; t 1 Þ . . . ð n ; t n Þ if G accepts the untimed word 1 2 . . . n as a state machine and if ðs 0 ; 0 Þ À! 1 ðs 1 ; 1 Þ À! 2 ðs 2 ; 2 Þ Á Á Á ðs nÀ1 ; nÀ1 Þ À! n ðs n ; n Þ is a corresponding accepting path for 1 2 Á Á Á n (recall that this means that s 0 2 S 0 ; s n 2 S m and the valuation 0 sends every clock to zero) then t i À t iÀ1 is the time jump for the transition (between generalized states) ðs iÀ1 ; iÀ1 Þ À! i ðs i ; i Þ. The timed language accepted by G is then defined as the set of timed words accepted by G. If G accepts the timed language L T , then we also say that G accepts the untimed language UntimeðL T Þ.

The Alur-Dill untiming construction
In this section for the sake of completeness we state briefly the region automaton as constructed in Alur and Dill (1994).
The timed automaton has one important disadvantage in computations; even if the state set S is finite, there will necessarily be infinitely many generalized states (assuming there is at least one clock) simply because there are infinitely many clock valuations. This problem is avoided by partitioning the set of clock valuations into equivalence classes in such a way that there are finitely many such classes and the essential structure of the timed automaton is captured.
An equivalence relation, , is defined on the set Val of clock valuations of A having the following two properties: there are finitely many equivalence classes, and if there exist clock valuations 1 , 2 and 1 with 1 2 and there is a legal transition from ðs; 1 Þ to ðs 0 ; 1 Þ, then there is a clock valuation 2 with 1 2 and a legal transition from ðs; 2 Þ to ðs 0 ; 2 Þ.
Definition 6: Let G be the timed automaton of (1) in Definition 1.
For each clock x 2 C, let c x be the largest integer with which x is compared in any clock constraint in any edge.
Define an equivalence relation on the set of clock valuations as follows: given two valuations . for all clocks x 2 C, either intððxÞÞ ¼ intððxÞÞ or ðxÞ; ðxÞ > c x ; . for all clocks x 2 C, ðxÞ is an integer c x if and only if ðxÞ also satisfies this condition; . for all clocks x; y 2 C, if ðxÞ; ðxÞ c x and ðyÞ; ðyÞ c y then fracððxÞÞ fracððyÞÞ implies fracððxÞÞ fracððyÞÞ.
Then the equivalence classes defined by are known as clock regions. If is a valuation, then regðÞ is the clock region containing . It should be noted that C 0 C if is a set of clocks then implies ½C 0 ¼ 0 ½C 0 ¼ 0: The following lemma is fundamental to the motivation of the definition of the region automaton G 0 and of Definition 8 of } 4.
Proof: We will prove the lemma by induction on jfregð þ a 0 Þja 0 2 ½0; tgj. If this set is empty then r 1 ¼ r 2 and the lemma is obvious. Hence we may assume that r 1 6 ¼ r 2 . Thus necessarily ðxÞ c x for at least one x 2 C. We define K ¼ fx 2 C j ðxÞ c x and ðxÞ 2 Zg we consider two cases.
and ðxÞ c x g and let t 0 1 À minfint ðxÞ þ 1 À ðxÞ j x 2 C and ðxÞ c x g and ðxÞ c x gÞ and positive t 0 1 < minfintðxÞ þ 1 À ðxÞjx 2 C and ðxÞ c x g Here also þ t 1 þ t 0 1 . In both cases we have regðÞ 6 ¼ regð þ t 1 Þ ¼ regð þ t 0 1 Þ. The result now follows from the inductive hypothesis applied to the valuations þ t 0 1 ; þ t 0 1 and t À t 1 in place of t since jfreg ð þ t 1 þ a 0 Þ j a 0 2 ½0; t À t 1 gj < jfreg ðþ a 0 Þ ja 0 2 ½0; tgj. & Lemma 2: Given two states s; s 0 2 S and clock valuations 1 ; 2 ; 1 with 1 2 and a legal transition between generalized states ðs; 1 Þ À! ðs 0 ; 1 Þ then there exists a clock valuation 2 with 2 1 and a legal transition ðs; 2 Þ À! ðs 0 ; 2 Þ Proof: This follows immediately from Lemma 1 and the definition of a transition between generalized states in a timed automaton. & From this result it follows that we can replace the set of clock valuations by the set of clock regions, thus motivating the following definition.
Definition 7: Let G be the timed automaton defined in (1) in Definition 1. We define G 0 to be the finite state machine where R is the set of clock regions of G and 0 is the clock region whose unique valuation sends all clocks to zero.
We define the set of T transitions as follows. There is a transition ðs; r 1 Þ À! ðs 0 ; r 2 Þ for two clock regions r 1 ; r 2 iff there exist clock valuations 1 ; 2 with i 2 r i and there is a transition in G between generalized states The following is the main result of this section. The proof, which may be inferred from Lemma 2, is omitted.
Theorem 1: Let L T be the timed language accepted by G. Then UntimeðL T Þ is the language accepted by the finite state automaton G 0 .
The importance of G 0 is that there are finitely many clock regions (this follows from Definition 6 and the fact that the clock set C is finite), and so G 0 always has finitely many states.

A new finite automaton for languages of finite strings
This partition of the set of clock valuations Val defined above has the following properties: . There are finitely many clock regions.
. Let 2 Val and ! 2 regðÞ. Then ! and satisfy the same set of lock constraints. If t ! 0 then there Given a partition satisfying these properties, and a clock region r 2 R, we define succðrÞ 2 R, the successor region to r 2 R, as follows. If t ! 0 implies regð þ tÞ ¼ regðÞ then succðrÞ is undefined. Otherwise let succðrÞ ¼ regð þ tÞ for 2 r and t ! 0 chosen such that = 2 regð þ tÞ and 0 t 0 t implies that regð þ t 0 Þ ¼ regð þ tÞ or regð þ t 0 Þ ¼ regðÞ.
Owing to the third property listed above and the fact that there are finitely many clock regions, such a value of t ! 0 can be found; and owing to the second property listed, the choice of 2 r is irrelevant. We will write succ n ðrÞ ¼ succðsucc nÀ1 ðrÞÞ for n ! 1.
The following definition introduces the notion of closed and non-closed regions and will be used in this section for the simplification of the untiming procedure.
Definition 8: Let r and r 0 be clock regions. We say that r 0 is a successor of r if r 0 contains a valuation which is a successor of a valuation lying in r. By Lemma 1, this implies that every element of r has a successor in r 0 . We define nextðrÞ to be the minimal successor of r; that is, the unique successor of r such that all other successors of r are also successors of next(r).
If any (and hence every) valuation in r maps any clock x 2 C to an integer c x and 2 r, then nextðrÞ is defined as the clock region containing the valuations f þ " j 0 < " < 1 À fracððyÞÞ: 8y 2 C such that ðyÞ < c y g. In other words, for the clock region in which any valuation 2 r maps any clock to an integer, nextðrÞ is the unique minimal time successor region of r. We call such clock regions closed.
On the other hand, if the valuations in r do not map any clock x 2 C to an integer c x , then we define nextðrÞ ¼ r. In other words, in this case, the clock region r has itself a minimal time successor region. We call such clock regions non-closed. Intuitively a region is nonclosed or open when time can pass without leaving the region.
Observe that nextðnextðrÞÞ ¼ nextðrÞ for all clock regions r.
Example 1: Consider a timed automaton with two states s 1 ; s 2 , one clock x and possible transition s 1 À! a s 1 , 1 < x < 2. Closed regions are fx ¼ 0g; For a more general case of two locks the reader is referred to figure 1, where the bisimilar quotient state space (the clock regions) associated with Example 4.4 of Alur and Dill (1994) is given (the same example is used again in } 6). The closed regions are associated with line segments (except for the line segments 2 and 5) and points. The nonclosed regions are associated with the inside area of the rectangulars and the line segments 2 and 5 that have slope 1. The arrow indicate the next (non-closed) region (minimal successor) of the associated closed region. For example nextfðx; yÞ=x ¼ y ¼ 0g ¼ fðx; yÞ= 0 < x < 1; x ¼ yg and nextfðx; yÞ=x ¼ 0; 0 < y < 1g ¼ fðx; yÞ=0 < y < 1; 0 < x < yg.
Below we give a different procedure for defining the untimed language of G. We prove that the clock regions of G which are closed may be deleted from G 0 , provided certain modifications are made to the transitions of G 0 . Thus, we define a new finite automaton G Ã that has considerable fewer states than G 0 .
The main result of this paper is based on the following lemma.
Proof: We first assume that the transition (3) exists and prove that (4) does. Following (3) there are valuations i for i ¼ 1; 2 such that 1 2 r 1 , 2 ¼ 1 þ t; t > 0 and a valuation ¼ ½C 0 ¼ 0 2 which means that 2 r 2 . Clearly reg ð 2 Þ is a successor of r 1 and since the time jump t is strictly positive it is also a successor of next(r 1 ). This implies that there is a transition from nextðr 1 Þ to r 2 . More specifically let 0 < " < t. Then we have the following regions in the order below r 1 ¼ regð 1 Þ ! nextðreg ð 1 ÞÞ ! regð 1 þ "Þ ! regð 2 Þ ! r 2 and this shows that there exists a transition from nextðr 1 Þ to r 2 . Note that it might be that nextðr 1 Þ ¼ regð 1 þ "Þ. The converse statement follows from the fact that any successor of nextðr 1 Þ is also a successor of r 1 .
Definition 9: Define the finite state automaton G Ã as follows. G Ã is obtained from G 0 by deleting all states ðs; rÞ such that the region r is closed, deleting all transitions incident to these states and adding in transitions of the form ðs; nextðr 1 ÞÞ À! ðs 0 ; nextðr 2 ÞÞ for every transition in G 0 of the form ðs; r 1 Þ À! ðs 0 ; r 2 Þ The following is the main result of this section.
Theorem 2: G Ã and G 0 accept the same language.
To show the converse, again let w ¼ 1 Á Á Á n and assume that w is accepted by G Ã . By the definition of the automaton G Ã , this means that there is a sequence of transitions in G Ã ðs 0 ; nextð0Þ À! 1 ðs 1 ; nextðr 1 ÞÞ Á Á Á ðs nÀ1 ; nextðr nÀ1 ÞÞ À! n ðs n ; nextðr n ÞÞ ð5Þ for clock regions r i of G and with s 0 2 S 0 , s n 2 S m . We now show by induction on i that for all i n there is the following sequence of transitions in G 0 , for clock regions r 0 j satisfying nextðr 0 j Þ ¼ next ðr j Þ For i ¼ 0 this is trivial. Assume (6) holds for some i < n. From (5) and the definition of G Ã , there is a transition ðs i ; r 00 i Þ À! iþ1 ðs iþ1 ; r 0 iþ1 Þ in G 0 with nextðr 00 i Þ ¼ nextðr i Þ ¼ nextðr 0 i Þ and nextðr 0 iþ1 Þ ¼ nextðr iþ1 Þ. By Lemma 3.1 there is a transition ðs i ; nextðr 00 i ÞÞ À! iþ1 ðs iþ1 ; r 0 iþ1 Þ in G 0 ; hence by Lemma 3.2 there is a transition ðs i ; r 0 i Þ À! iþ1 ðs iþ1 ; r 0 iþ1 Þ in G 0 . Thus we have proved the inductive step, and hence proved that w is accepted by G 0 . &

Remark:
Our result can be summarized as follows. For any closed region, since time must take place (leading to next(r)) before any further transition, we can consider r and next(r) to be bisimilar. Transitions that are enabled at exactly the closed region r are covered by regions 'after' r, i.e. for r being fx ¼ 1g, the region f1 < x < 2g will include all transitions which are enabled at fx ¼ 1g. Therefore we may consider the two regions together given by f1 x < 2g.
In other words, we may identify together the (extended) states whose clock regions have the same next-value.

Extension of results to acceptors of infinite words
In this section we construct another automaton, similar to G Ã , in order to simplify the untiming procedure in the case where the timed automata are regarded as acceptors of !-words.
Definition 10: A timed Buechi automaton (Alur and dill 1994, Definition 3.10) is a tuple where the symbols have the same meanings as in (1) of Definition 1. But H is regarded as an acceptor of timed !-words as follows: let w ¼ ð 1 ; t 1 Þ Á Á Á ð i ; t i Þ Á Á Á be a timed !-word. Then H accepts w provided the following two conditions hold: 1. There is an infinite sequence of transitions H with s 0 2 S 0 and s i 2 S m for infinitely many values of i.
2. lim i!1 t i ¼ 1. This is called the progress condition.
The timed !-language accepted by H is then defined to be the set of timed !-words accepted by H. If H defines the timed !-language L T then we say that H accepts the untimed !-language Untime(L T ), by analogy with ordinary timed automata.
Lemma 4: Let Á Á Á ð i ; t i Þ Á Á Á be an infinite timed word which defines a path through the sequence of generalized states Á Á Á ðs i ; i Þ Á Á Á of H. Then there is a word Á Á Á ð i ; t 0 i Þ Á Á Á passing through the same sequence of states of H and satisfying the progress condition if and only if for every clock x 2 C, we have i ðxÞ ¼ 0 or i ðxÞ > c x for infinitely many values of i. This is shown in Alur and Dill (1994, Lemma 4.13).
Definition 11: A timed Muller automaton is a tuple M ¼ ðS; S; C; E; S 0 ; FÞ M which is identical to a Buechi timed automaton except that the accepting set S m is replaced by a collection F of subsets of the state set S, and instead of the condition (1), to be accepted by M a timed word must have a path through M which passes infinitely many times through the sets in P S and finitely many times through the sets in S À P, for some set P 2 F.
Next we define the Muller automaton M 0 ¼ ðAE; S Â R; T; S 0 Â 0; FÞ M where F contains the following subsets of the state set S Â R; F contains all those subsets of S Â R which intersect non-trivially with S m Â R and with all sets S Â R x for x 2 C, where R x is the set of all clock regions whose valuations map the clock x to zero or to a number greater than c x .
Theorem 3: M 0 accepts the same !-language as H.
Proof: Let 1 Á Á Á be an untimed !-word. Then both conditions of Definition 10 are satisfied for some time sequence Á Á Á t i Á Á Á if and only if there is a path with label 1 Á Á Á through M 0 starting at S 0 Â 0 and also satisfying the following conditions: the path passes infinitely often through the state set S m Â R and it passes infinitely often through the sets S Â R x for all x 2 C, by Lemma 4. Thus the result follows immediately from the definition of M 0 .
We mimic the construction of M 0 using a modified version of the definition of next(r).
We define a Muller automaton M Ã obtained from M 0 in a similar way in which G Ã was obtained from where . the state set S Ã contains all elements of S Â R of the form (s, next(r)), where r is any clock region, or of the form ðs; rÞ, where r is a clock region whose valuations send any clock to zero. . The transition set T Ã is as follows: for every transition in the region automaton G 0 of the form ðs; r 1 Þ À! ðs 0 ; r 2 Þ there is a transition in T Ã of the form ðs; secðr 1 Þ À! ðs 0 ; secðr 2 ÞÞ where the clock region sec(r) is defined to be next(r) unless r maps any clock to zero, in which case secðrÞ ¼ r. . S Ã 0 ¼ S 0 Â 0 is the set of initial states. . The accepting state sets are those which intersect non-trivially with S m Â secðRÞ and with all sets S Â secðR x Þ for all x 2 C.
Thus M Ã 'lies between' G 0 and G Ã in the sense that it is obtained from G 0 by eliminating some of the non-closed clock regions.
Theorem 4: H and M Ã accept the same language.
Proof: Since the clock region secðrÞ is always either next(r) or r, Lemma 3 still holds with next(r) replaced by secðrÞ. The result therefore follows from an argument similar to that in Theorem 2. &

Upper bounds for numbers of clock regions
In Alur and Dill (1994, Lemma 4.5) an upper bound of is given for the number of clock regions of the timed automaton G. The number of non-closed clock regions for the finite string case can similarly be shown to be bounded by To prove this, observe that the clock region of G is uniquely specified by the following: (a) for each clock x, one clock constraint from the set an ordering of the integers f1; 2; . . . ; jCjg to indicate an ordering of the numbers frac(x) for x 2 C, (c) for each integer n 2 f2; 3; . . . jCjg, whether fracðxÞ > fracðyÞ or fracðxÞ ¼ fracðyÞ, where x and y are the nth and n À 1th clocks in the ordering given in (b).
There are jCj! choices in (b) and 2 jCjÀ1 in (c). Case (a) gives Q x2C ð2c x þ 2Þ choices for all regions, but if only closed regions need to be listed, then the first set given in (a) is irrelevant, giving Q x2C ðc x þ 1Þ choices. Multiplying the results gives the upper bounds claimed above. Thus replacing G 0 by G Ã reduces the upper bound on the number of states by a factor of 2 jCj .
We consider the timed automaton example with two clocks given in Alur and Dill (1994, Example 4.4). The region automaton involves 28 clock regions, of which only 10 are closed. Therefore in the new automaton we may delete the closed regions or consider them together with the associated non-closed regions. In figure  1, the associated non-closed regions just 'after' the closed regions are shown using arrows. The 10 (non-closed) regions needed for the new finite automaton are illustrated in figure 1 using bold numbers. Note that only 2 and 5 are line segments. The derived upper bounds are rather conservative. Thus, in practice and for specific problems the non-closed regions are much fewer than the closed ones. This results in deriving significantly fewer extended states for the new finite automaton.
It is not difficult to conclude that the number of nonclosed clock regions in the infinite string case is bounded by jCj!2 jCjÀ1 Q x2C ðc x þ 2Þ. Thus replacing G 0 by M Ã reduces again the upper bound on the number of states by a factor of almost 2 jCj . For the above examples we must now include all closed regions associated with the clock axis x and y and illustrated in figure 1 as 1i-9i. This allows the valuations to be reset infinitely many times to zero required by Lemma 4. Now 19 clock regions are needed.

On supervisory control for dense real-time discreteevent systems
In this section the application of the derived simplified technique to the supervisory control design and its effect in obtaining the least restrictive controlled behaviour are given.
For simplicity we consider the timed automaton A ¼ ðS; s 0 ; AE; E; CÞ similar to the one defined in (1) but without accepting (marked) states. In this section, we are only interested in timed automata as acceptors of languages of finite timed words. We assume that A is time deterministic; that is, it satisfies the following condition; besides having only one initial state, for any so defined extended stated ðs; Þ, where : C ! R !0 are the clock valuations, and for any event 2 AE there is a maximum of one edge ðs; s 0 ; ; ; C 0 Þ in A such that satisfies the clock constraint . This implies that for any timed word ð 1 ; t 1 Þ Á Á Á ð n ; t n Þ there is a maximum of one path starting at the initial state s 0 over the timed word ð 1 ; t 1 Þ Á Á Á ð n ; t n Þ through A.
We denote O the set of extended states of A and as in the case of a finite state automaton, we partition the event alphabet into controllable and uncontrollable events: AE ¼ AE c [ AE u . The control function for A is defined as : O Â AE ! f0; 1g satisfying ðe; Þ ¼ 1 if 2 AE u and e is any extended state. We call the pair ðA; Þ a controlled timed automaton. We define the timed language Ltimed ðA; Þ to be the set of all timed words ð 1 ; t 1 Þ Á Á Á ð n ; t n Þ such that there is a path ðs 0 ; 0Þ À! ð 1 ;t 1 Þ ðs 1 ; 1 Þ Á Á Á À! ð n ;t n Þ ðs n ; n Þ where the clock valuation 0 sends all clocks to zero, satisfying the condition ðs iÀ1 ; iÀ1 þ t i ; i Þ ¼ 1 for all i. If such a path exists we say that the extended states ðs i ; i Þ are accessible under .
Let F (for forbidden) be a set of extended states (possibly infinite, since the number of valuations are infinite) of A. The supervisory control problem that we are dealing is the following (forbidden control problem): Supervisory control of timed automata Find the control function m such that every element of F is inaccessible under m and such that LtimedðA; Þ is maximal for all such control functions m.
For simplicity the non-blocking condition is not included assuming that the languages are closed. The interested reader is referred to Spathopoulos (2003) for the non-blocking forbidden control problem.
It has been shown (Hoffman and Wong-Toi 1992, Laurence and Spathopoulos 1988) that this can be solved considering the control problem for the finite state automaton Untime(A) (as defined in the following definition) provided that the forbidden state set F satisfies a certain condition stated in Theorem 5. Remark: The automaton Untime(A) is similar to G 0 where the event that models the 'time passage' has been added in the alphabet. Basically we use the timeabstract transition system for which the set of events is AE [ fg. The time passage is treated in this paper as an uncontrollable event. The reader is referred to Spathopoulous (2003) where the notion of urgency is introduced and the time passage may be defined as a controllable event as well.
It can be shown that A time deterministic implies Untime(A) deterministic. This was the reason for requiring A to be time deterministic.
It is useful to make the following definition: if ðs; Þ is an extended state then let ðs; Þ ¼ ðs; reg ðÞÞ.
Proof: Follows from Definition 13 and Lemma 2. & Given a timed word ð 1 ; t 1 Þ Á Á Á ð n ; t n Þ defining a path Á Á Á ðs i ; i Þ À! i ðs 0 iþ1 ; 0 iþ1 Þ Á Á Á through A, the projection of this word is defined to be the label of the corresponding path in Untime(A) given by combining the path-segments of the form given in Lemma 5(1).
The following theorem states that the supervisory control problem for timed automata can be solved using the automaton Untime(A).
Theorem 5: Let be a control function for the timed automaton A, and let F be a set of extended states of A such that if ðs; Þ 2 F and 0 2 regðÞ then ðs; 0 Þ 2 F (or equivalently, À1 ððFÞÞ ¼ FÞ and let : SÂ R Â ðAE [ fgÞ ! f0; 1g be a control function for the finite state automaton Untime(A), with the 'time passage' event classed as uncontrollable. Define the control function : O Â AE ! f0; 1g as ðs; ; Þ ¼ ðs; regðÞ; Þ. Assume that the states ðFÞ are inaccessible in (Untime(A), ); then the extended states in F are inaccessible in ðA; Þ; furthermore, if L(Untime)(A),) is maximal with this property, then so is Ltimed(A, ).
Proof: Suppose that an extended state ðs n ; n Þ is accessible in ðA; Þ; then there is a path ðs 0 ; 0Þ À! ð 1 ;t 1 Þ ðs 1 ; 1 Þ Á Á Á À! ð n ;t n Þ ðs n ; n Þ through A satisfying ðs iÀ1 ; iÀ1 þ t i ; i Þ ¼ 1 for all i. Thus from multiple applications of Lemma 5(1) there is a path ðs 0 ; 0Þ Á Á Á ðs iÀ1 ; regð iÀ1 ÞÞ À! ðs iÀ1 ; succðreg ð iÀ1 ÞÞÞ À! Á Á Á À! ðs iÀ1 ; succ n iÀ1 ðregð iÀ1 ÞÞÞ À! i ðs i ; regð i ÞÞ Á Á Á ðs n ; regð n ÞÞ through Untime(A) for succ n i ðregð i ÞÞ ¼ regð i þ t iþ1 Þ with ðs iÀ1 ; regð iÀ1 þ t i Þ; i Þ ¼ 1 for all i. Thus ðs n ; reg ð n ÞÞ ¼ ðs n ; n Þ is accessible in (Untime(A), ) and this proves the first part of the theorem. Now assume that the timed language Ltimed(A, ) is not maximal with this property: that is, that there is a control function Ã such that LtimedðA; Ã Þ LtimedðA; Þ, there is a timed word ð 1 ; t 1 Þ Á Á Á ð n ; t n Þ lying in LtimedðA; Ã Þ À Ltimed ðA; Þ and the extended states in F are also inaccessible in ðA; Ã Þ. Let ðs 0 ; 0Þ À! ð 1 ;t 1 Þ ðs 1 ; 1 Þ Á Á Á À! ð n ;t n Þ ðs n ; n Þ be the path in A defined by the timed word ð 1 ; t 1 Þ Á Á Á ð n ; t n Þ starting at ðs 0 ; 0Þ. For all i n, there does not exist a path over any word in AE Ã u starting at ðs i ; i Þ and ending at an element of F. Furthermore, for at least one value of i < n, we must have ðs i ; reg ð i þ t iþ1 Þ; iþ1 Þ ¼ ðs i ; i þ t iþ1 ; iþ1 Þ ¼ 0 (since ð 1 ; t 1 Þ Á Á Á ð n ; t n Þ= 2Ltimed ðA; Þ) and so the projection of the timed word ð 1 ; t 1 Þ Á Á Á ð n ; t n Þ onto  is strictly positive and it is natural to expect that the controlled behaviour should become more conservative. In other words, when the time is not allowed to be zero, the automaton would not be permitted to visit non-closed states associated with forbidden closed states. This is due to the fact that, when the simplified automaton is used, if nextðxÞ ¼ nextðyÞ then, when ðs; xÞ is forbidden, ðs; yÞ also becomes forbidden since there can be no difference between extended states with the same next-value.
From the above it follows that when the time jump is strictly positive the controlled behaviour is more conservative. The following corollary gives a condition under which the controlled behaviour is the least restrictive one derived using theorem 5.
Corollary 1: The forbidden state control problem using the simplified untiming procedure gives the least restrictive controlled behaviour as stated by Theorem 5 under the condition that the forbidden states are not closed regions. In other words the atomic predicates specifying the forbidden extended states should be of the form x Ã c for a clock x 2 C where Ã is one of , <, ! or > (but not ¼).

Conclusions
Given a timed automaton G, we have defined a new finite state automaton G Ã that accepts the same untimed language as G and has significantly fewer states than the region automaton G 0 . Given a timed Buechi automaton, we have proved a similar result.
Next, this result is used in connection with the forbidden state control problem for timed discrete event systems. We study this problem and show that the simplified untiming construction leads to a simplified supervisory control design for real time discrete-event systems modelled by timed automata. Conditions under which the least restrictive solution is obtained are given.
Due to its complexity, the untiming procedure for dense time automata results in a large number of regions for the untimed automaton. The efficiency of the involved supervisory design depends on the number of regions of the untimed automaton. Therefore, simplifications and computational approximations for timed automata are of importance. For the simplified untiming procedure addressed here, the number of regions in the graph still depend exponentially on the number of clocks. In practice, as explained in } 6, the reduction of regions is significant. In Laurence and Spathopoulos (1998), the simplified procedure reduces the exponential number of regions. However, it works only for a special case that essentially corresponds to the case where the time is discretized. Further work with reference to the notion of urgency introduced in Spathopoulos (2003) will be reported elsewhere.