376 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 44, NO. 2, FEBRUARY 1999

[15] S. Arimoto, “Robustness of learning control for robot manipulators,” inProc. IEEE Int. Conf. Robotics and Automation, Cincinnati, OH, 1990,pp. 1528–1533.

[16] S. S. Saab, “On the P-type learning control,”IEEE Trans. Automat.Contr., vol. 39, pp. 2298–2302, Nov. 1994.

[17] Y. Chen, C. Wen, and M. Sun, “A robust high-order P-type iterativelearning controller using current iteration tracking error,”Int. J. Contr.,vol. 68, pp. 331–342, Sept. 1997.

[18] T.-Y. Kuc, J. S. Lee, and K. Nam, “An iterative learning control theoryfor a class of nonlinear dynamic systems,”Automatica, vol. 28, no. 6,pp. 1215–1221, 1992.

[19] D. H. Owens, “Iterative learning control—Convergence using high gainfeedback,” inProc. 31st Conf. Decision and Control, Tucson, AZ, Dec.1992, pp. 2545–2546.

[20] Z. Bien and K. M. Huh, “High-order iterative learning control algo-rithm,” Proc. Inst. Elec. Eng. Control Theory and Applications, vol. 136,no. 3, pt. D, pp. 105–112, 1989.

[21] T. Sugie and T. Ono, “An iterative learning control law for dynamicalsystems,”Automatica, vol. 27, no. 4, pp. 729–732, 1991.

[22] B. Porter and S. S. Mohamed, “Iterative learning control of partiallyirregular multivariable plants with initial impulsive action,”Int. J. Syst.Sci., vol. 22, no. 3, pp. 447–454, 1991.

[23] K. H. Lee and Z. Bien, “Initial condition problem of learning control,”in Proc. Inst. Elec. Eng. Contr., Theory and Appl., vol. 138, no. 6, pt.D, pp. 525–528, 1991.

[24] X. Ren and W. Gao, “On the initial conditions in learning control,”in Proc. IEEE Int. Symp. Industry Electronics, Xi’an, China, 1992, pp.182–185.

Robustness of Supervisors for Discrete-Event Systems

Jose E. R. Cury and Bruce H. Krogh

Abstract—Supervisory control in the context of!!!-languages is consid-ered. The nominal supervisor design problem is to find a nonblockingsupervisor for a nominal plant such that the closed-loop infinite behaviorequals a specified closed-loop behavior. The robustness of solutions tothe nominal problem is defined with respect to variations in the plant.It is shown there exists a supervisor solving the nominal problem whichmaximizes the set of plants for which the closed-loop languages for allother plants in the set satisfy lower and upper bounds in the senseof language containment. Computational issues are discussed, and thetheoretical results are illustrated with an example.

Index Terms—Discrete-event systems, robustness, supervisory control.

I. INTRODUCTION

This paper concerns robustness of supervisors for discrete-eventsystems (DES’s) modeled by pairs of languages corresponding totheir finite and infinite (!-language) behaviors, an extension of thefinite-string language framework [4] that allows for the representationof nonterminating processes and liveliness specifications [2]–[5].We consider the robustness of nonblocking supervisors designed fornominal plants to satisfy specifications for the nominal closed-loopinfinite behavior. The objective is to design the supervisor so as to

Manuscript received January 22, 1997. Recommended by Associate Editor,E. K. P. Chong. The work of J. E. R. Cury was supported in part by CNPqand the work of B. H. Krogh was supported in part by Rockwell International.

J. E. R. Cury is with the LCMI-EEL-UFSC, CP 476, 88040-900 Flo-rianopolis, SC-Brazil (e-mail: cury@lcmi.ufsc.br).

B. H. Krogh is with the Department of ECE, Carnegie Mellon University,Pittsburgh, PA 15213 USA (e-mail: krogh@ece.cmu.edu).

Publisher Item Identifier S 0018-9286(99)00587-5.

maximize (if possible) the set of plants for which: 1) the supervisorremains nonblocking and 2) the closed-loop behavior (applying thesame supervisor) remains within specified lower and upper bounds.

Lin considered the problem of designing a single supervisor for agiven finite collection of plants such that the closed-loop behaviorsof all of the plants will satisfy the given specifications using thesame supervisor [6]. In our formulation the nominal closed-loopbehavior for a single nominal plant is a constraint on the admissiblesupervisors. We show that one can design a supervisor that maximizesthe (infinite) set of plants for which the nominal specifications willbe satisfied.

Due to lack of space, the proofs are not included in this paper butmay be found in [8].

II. PRELIMINARIES

For a given finite set of events,�, letL; S; M denote, respectively,languages in��; �!; �� [ �!; pre(M) denotes the set of all finitelength prefixes of strings inM . L is said to be prefix closed ifpre(L) = L; lim : 2� ! 2� is defined forL as lim(L) =pre�1(L)\�!; wherepre�1(L) = f� 2 (�� [�!)jpre(�) � Lg;clo: 2�! ! 2�! is defined forS asclo(S) = lim(pre(S)). S is saidto be!-closed ifclo(S) = S, and a languageT � �! is said to be!-closed w.r.t.S if T = clo(T ) \ S. For a stringt 2 �� we denote thesetf� 2 ��[�!jt� 2Mg by M=t ��L(t), the active set ofL aftert 2 L, is defined as�L(t) = �\ (pre(L)=t). Following Thistle [5],we define a DESG as pair of languages(LG; SG) � ����!, suchthatLG is prefix-closed andpre(SG) � LG � LG andSG describe,respectively, the finite and infinite logical behavior of the system.��

denotes the set of all DES’s defined over�.A control structureis defined as a set� � 2� such that: 1)� is

closed under the operation of intersection of sets and 2) if 2 � and � 0 2 2�, then 0 2 �. This definition corresponds to the controlstructure assumed in [4] where� is partitioned into a set�c ofcontrollable events and a set�u of uncontrollable events and 2 2�

is an element of� if and only if � �u. A control input 2 �represents the set of next events allowed to occur inG. Throughoutthe paper we assume a control structure� is given.

A supervisor is defined as a mapf : �� ! � that applies a controlinput to a DES as a function of the observed sequence of pastevents.f=G denotes the DES resulting fromG under control off , whereLf=G is the set of finite strings ofG that subsist undercontrol law f , andSf=G = lim(Lf=G) \ SG. We say thatf is anonblocking supervisorfor G if pre(Sf=G) = Lf=G. We assumewithout loss of generality thatf is a total function, which implies�� = dom(f) � LG, i.e., f is completefor anyG 2 �� [5].

Given a DESG 2 ��, a languageR � �! is *-controllablewith respect toLG if 8 s 2 R; 9 2 � such that \ �L (S) =�R(S); a languageT � �� is *-controllable with respect toLGif pre(T ) is *-controllable with respect toLG; T is !-controllablewith respect toG if pre(T ) = preG(T ) wherepreG(T ) = ft 2pre(T )j9T 0 2 �!; T 0 6= ;; T 0is *-controllable w.r.t. LG=t and!-closed w.r.t.SG=t.

The following proposition summarizes some basic important resultsfrom [5] regarding supervisors.

Proposition 1 [5]: Given a DESG and a languageK � SG, thefollowing statements are equivalent: 1) there exists a nonblockingsupervisorf for G such thatSf=G = K; 2) K is *-controllablewith respectLG to and!-closed with respect toSG; and 3)K is!-controllable with respect toG and!-closed with respect toSG.

0018–9286/99$10.00 1999 IEEE

IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 44, NO. 2, FEBRUARY 1999 377

We define themeet(^) andjoin (_) binary operations on elementsG1 andG2 of �� asG1 ^ G2 = (LG \ LG ; SG \ SG ) andG1 _ G2 = (LG [ LG ; SG [ SG ). ForG;A 2 ��, we defineG � A if LG � LA and SG � SA. Cury et al. [3] called A anouter approximationfor G and derived the following results relatingthe closed-loop behaviors ofG and an outer approximationA underthe same supervisorf .

Proposition 2 [3]: GivenG; A 2 ��, if G � A, thenLf=G =Lf=A \ LG andSf=G = Sf=A \ SG for any f : �� ! �.

Corollary 1 [3]: GivenG; A 2 ��, if G � A, thenf=G � f=Afor any f : �� ! �.

Corollary 2 [3]: GivenG; A 2 �� andM; E � �!, if G � Aand f : �� ! � is such thatM � Sf=A � E, then (M \ SG) �Sf=G � E.

Although the results above show that containment relations arepreserved for outer approximations, the same is not generally truewith relation to the nonblocking properties off . It is shown in[3] that, if some additional conditions are fulfilled by the outerapproximation, then the nonblocking property is preserved foranycontroller. The following controller-dependent result imposes lessstringent conditions on the related structures.

Proposition 3: GivenG; A 2 ��, if G � A andf : �� ! � isa nonblocking supervisor forA, thenf is a nonblocking supervisorfor G if and only if

pre(Sf=A) \ LG = pre(Sf=A \ SG): (1)

As a consequence of the Proposition 3 we have the following.Corollary 3: Given G; A 2 ��, if G � A and f : �� ! �

is a nonblocking supervisor forA with Sf=A � SG, thenLf=G =Lf=A; Sf=G = Sf=A; consequently,f is a nonblocking supervisorfor G.

III. T HE ROBUST SUPERVISORY CONTROL PROBLEM

The general robust supervisory control problem to be examined inthis paper can be stated informally as follows: Design a nonblockingsupervisor for a nominal plantG0 to achieve a desired nominalclosed-loop behaviorK � �!, such that it maximizes the set ofplants for which the supervisor is nonblocking and the closed-loopbehavior remains within specified limits.

To formalize this problem statement, forA � E � �! andf : �� ! �, let (A; E; f) be defined as the setfG 2 ��jA �Sf=G and pre(Sf=G) = Lf=Gg, and forK � �! andG 2 ��,let F (G; K) be defined as the setff : �� ! �jSf=G = Kand pre(Sf=G) = Lf=Gg. In words, (A; E; f) is the set ofplants for which the supervisorf is nonblocking and the closed-loop infinite behavior lies betweenA andE, andF (G; K) is the setof nonblocking supervisors for a plantG for which the closed-loopinfinite behavior equalsK. The general robust supervisory controlproblem (RSCP-G) can be stated formally as follows.

RSCP-G: Given G0 2 ��, K � SG , and A � E � �!,find f� 2 F (G0; K) such that8 f 2 F (G0; K), (A; E; f�) � (A; E; f).

The RSCP-Ghas no solution in general because the set of ad-missible variations in the plant cannot be maximized over the set ofadmissible supervisors. In this paper we examine a particular form oftheRSCP-Gfor which a solution always exists. The particular robustsupervisory control problem (RSCP-P) is stated formally as follows.

RSCP-P: GivenG0 2 ��, K � SG , andA � E � �!, findf� 2 F (G0; K) such that,8 f 2 F (G0; K), (A0; E0; f�) � (A0; E0; f); whereA0 = A \ SG , E0 = E \ SG .

Note that inRSCP-Pone could simply assume the specificationlanguagesA; E are contained inSG . In applications, however, this

is not typically the case and one must computeA0; E0 as indicatedin the problem formulation.

To solveRSCP-Pwe derive some preliminary results. Let�(K) =[f (K; K; f), that is,�(K) is the family of all plants for which theconditions in Proposition 1 are satisfied. It can be shown that�(K)is nonempty and closed under arbitrary meet and join operations,implying it is a complete lattice with respect to�. Moreover

�(K) = fG 2 ��j inf[�(K)] � G � sup[�(K)]g

where inf[�(K)] = (pre (K); K) and sup[�(K)] = (Lsup[�];Ssup[�]), with Lsup[�] defined by:

1) " 2 Lsup[�];2) if s 2 Lsup[�], s 2 pre (K) and� 2 �pre (K)(s) [ �c, then

s� 2 Lsup[�];3) if s 2 Lsup[�], s =2 pre (K) and� 2 �, thens� 2 Lsup[�];4) everys 2 Lsup[�] can be obtained by applying rules 1), 2), or

3); andSsup[�] = K [ [lim(Lsup[�])nclo(K)].

From the above recursive definition ofLsup[�] it follows thatLsup[�] containspre(K) plus all strings that leavepre(K) onlythrough controllable events. Beyond these controllable events (whichcan always be disabled by a supervisor) all events are allowedto occur arbitrarily often. Regarding the expression forSsup[�],since Lsup[�] � pre(K), we have lim(Lsup[�]) � clo(K), andconsequentlySsup[�] is well defined. In words,Ssup[�] is the languageK plus all infinite sequences which are extensions of strings beyondthe controllable events that lead to strings inLsup[�] outside ofpre(K).

We can now establish the following result which characterizes thesupervisors that satisfy the specifications for all plants in�(K).

Lemma 1: Given K � �! and a functionf : �� ! �, f 2F (G; K) for all G 2 �(K) if and only if

f(s) = �pre(K)(s) [�u; for s 2 pre(K): (2)

The solution ofRSCP-Pis given by the following proposition.Proposition 4: GivenG0 2 ��, K � SG , andA � E � �!,

a supervisorf� 2 F (G0; K) is a solution toRSCP-Pif and only ifit satisfies (2) in Lemma 1. Moreover

(A0; E0; f�) = fG0 2 ��j inf[�(A0)] � G0 � sup[�(K)];

pre(K)\ LG = pre(K \ SG )g: (3)

Proposition 4 shows whatf� is forG0 in the sense ofRSCP-Pandalso gives an explicit definition of the set of all admissible variationsfrom G0. This set is independent of the upper boundE0 = E \SG .Fig. 1 illustrates Proposition 4. The full figure is the space of allDES’s. The solid lines represent containment relations between twoDES’s, with the higher DES being an outer approximation to thelower DES and the dashed lines outline of sets of DES’s. Thesupremal and infimal elements of the sets are indicated at the upperand lower vertices of the sets. The shaded area corresponds to thespecial case whenK = A = E.

Suppose now that a set of plants� � �� is given and one wantsto check for its admissibility. For that, one must check if the setis contained in�(A0; E0; f�). This can be done by checking therelations: 1)U � sup[�(K)], whereU = _G 2�G

0; 2) inf[�(A0)] �L, whereL = ^G 2�G

0; and 3)pre (K) \ LG = pre(K \ SG ),G0 2 �. Since condition 3) is always satisfied for any element of� \ �(K) this relation must be checked only forG0 =2 �(K).

IV. COMPUTATIONAL ISSUES

To compute a solution toRSCP-P,or equivalently, to providecomputational means to represent�(K), (A0; E0; f�) and f�,

378 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 44, NO. 2, FEBRUARY 1999

Fig. 1. Diagram illustrating the solution ofRSCP-P.

one can use deterministic Rabin automata, a particular class of!-automata that accepts all!-regular languages [9]. A deterministicRabin automaton is a five-tupleA = (�; X; �; x0; f(Rp; Ip): p 2Pg), where� is an input alphabet,X is a finite state set,x0 is theinitial state,�: X � � ! X is a transition (partial) function, andf(Rp; Ip): p 2 Pg is a family of pairs of elements of2x, whichdetermines a Rabinrecognition condition.We extend the transitionfunction � to strings by defining a function�: X � �� ! X in thenatural way. We denoteL(A) � �� as the set of all finite stringss 2 �� such that�(x0; s) is defined (also denoted�(x0; s)!). A pathin A of a string� = (�0 �1 �2 � � �) 2 �!, with pre(�) � L(A),is an infinite sequence of states�(�) = (x0 x1 x2 � � �), xi 2 X,such that�(xi; �i) = xi+1, 8 i � 0. The infinitary set of�, j�j1is the set of states that appear infinitely many times in�(�). The!-language accepted byA; S(A) � �!, is the set of all infinite strings� 2 �!, pre(�) � L(A), for which9p 2 P such thatj�j1\Rp 6= ;and j�j1 � Ip. Note that without loss of generality we can assumeRp � Ip.

We assume that we have deterministic finite-state Rabin au-tomata representations forA; G0; K; E. Thus, we have a finiterepresentation forinf[�(K)] = (pre(K); K), and we can con-struct using basic operations a representation forinf[�(A0)] =(pre(A0); A0) = (pre(A\SG ); A\SG ) from the representationsof G0 andA. AK = (�; Q; �; q0; f(Ru; Iu): u 2 Ug) andAA =(�; X; �; x0; f(Rp; Ip): p 2 Pg) denote deterministic Rabinautomata withL(AK) = pre(K), L(AA) = pre(A0); S(AK) = Kand S(AA) = A0.

To compute a representation forsup[�(K)], we use the followingresult.

Proposition 5: Given K � �! and a corresponding Ra-bin automatonAK , sup[�(K)] = (L(AM); S(AM)), whereAM is the Rabin Automaton defined byAM = (�; (Q [fqMg); �M ; q0; (fRu; Iu): u 2 Ug [ QM)), where qM =2Q; QM = f(fqMg, fqMg), and

�M (q; �)

=�(q; �); for q 2 Q; � 2 �; s.t. �(q; �)!;qM ; for q 2 Q; � 2 �c; s.t. �(q; �) is undefined;

or for � 2 �; q = qM :

Finally, to implement a supervisor asf�, we can usean *-automaton that acceptspre(K), as for example,A�K = (�; Q; �; qo; Q), with �; Q; �; q0 as inAK .

Fig. 2. Production line example.

(a) (b)

Fig. 3. Models for the (a) input area and (b) output area.

Fig. 4. Automata forE andA.

V. EXAMPLE

To illustrate the above results, consider the example of a smallproduction line as shown in Fig. 2.

The system consists of two machining areas separated by anintermediate buffer of capacity two. In the nominal plantG0, theinput area has two identical machines of type MACH-I and theoutput area has one machine of type MACH-O. The model forthe behavior ofG0 is the result of the composition of the twoRabin automata of Fig. 3. Events�I and�O correspond to startingmachining operations on parts and are considered controllable events;events�I and�O correspond to finishing machining operations andare uncontrollable events. Also, we assume that when a machinefinishes an operation, the part is automatically put in the intermediatebuffer if the machine is at the input area, or in an output bufferif it is at the output area. The output buffer (not shown in thefigure) is considered to be of infinite capacity. Unless under controlrestrictions from the supervisor, all machines are assumed to be ableto perform complete machining cycles infinitely often so that thepairs determining recognition conditions are(f0g; f0; 1; 2g) and(f0g;f0; 1g), respectively, for the input and output model.

We want to control the system in such a way that the closed-loop behavior is nonblocking and avoids overflow (an input machineMACH-I tries to put a part in the buffer when it is full) andunderflow (the output machine MACH-O tries to take a part fromthe buffer when it is empty). Also, we want the line to be alwaysable to perform the production cycle(�I�I�O�O)!. These tworequirements are made to be the!-languagesE andA. Fig. 4 showsRabin automata for these languages. There, the pairs determiningrecognition conditions are, respectively, and(f0; 1; 2g; f0; 1; 2g),and (f0g; f0; 1; 2; 3g), for E andA.

The nominal behaviorK for G0 is chosen to be the mostpermissive language satisfying the above requirements. (Such asupremal behavior may not exist in general [5].) A particular feasibledesign for a supervisor that maximizes the admissible set is suchthat: 1) it enables�I only when at least one MACH-I machine isidle, and the total number of parts in the input area and buffer isless than two and 2) it enables�O only when MACH-O is idle, andthe buffer is not empty. We then can compute an automatonAM for

IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 44, NO. 2, FEBRUARY 1999 379

sup[�(k)] from an automatonAK as in section.AK andAM , notshown here, have, respectively, 12 and 13 states. The computationsfor this example were performed using TCT [10].

We can verify using the results in the previous sections that forthis design the corresponding maximal admissible set is such thatsuppressing one machine at the input area is admissible, although theresulting closed-loop behavior is more restrictive than the originalone; adding machines at the input or output area leads to plantsbelonging to�(K), so that this modification is admissible and theresulting closed-loop behavior isK.

For some perturbations of the plant, the supervisorf� may bemore restrictive than necessary to satisfy the original specificationsA; E. To illustrate this, consider the situation when an additionaloutput machine is introduced to the system. In this case the supervisorsolving RSCP-Pfor the nominal plant continues to satisfy the upperand lower bound specifications for the new plant. Note, however,that since the upper boundE0 for the nominal system requires thatwhen an�O occurs,�O must occur before another�O can occur(reflecting the behavior of the nominal plant which has only a singleoutput machine), the supervisorf� will not take advantage of anadditional output machine. This is a consequence of the fact that inRSCP-Pthe closed-loop infinite behaviors of the nonnominal plantshave to lie within the behavior of the nominal plant.

VI. DISCUSSION

This paper presents the solution to an RSCP for DES’s with infinitebehavior. Given a nominal plantG0 and a desired closed-loop infinitebehaviorK for the nominal system, the general objective is to find anonblocking supervisorf� for the nominal problem which maximizesthe set of plants for whichf� is a nonblocking supervisor and suchthat the closed-loop infinite behavior for each plant in the set satisfiesupper and lower bound specifications using supervisorf�.

We are currently investigating methods for generalizing the prob-lems formulated in this paper to relax the constraints on the non-nominal plants. This issue was illustrated in the example where theoperational constraint for the nominal system made it impossible forthe controller to take advantage of an additional output machine in the“perturbed” plant. As noted in Section III, the general RSCP-G doesnot have a solution because there is not a unique maximal element tothe sets of plants one obtains when the supervisor is varied over theclass of solutions for the nominal plant. Consequently, the problemmust be restricted to consider, for example, maximization over a classof perturbations to the nominal plant. Defining such classes of plantsmight be analogous to the concept of structured perturbations in thetheory of robust control for continuous-state systems.

REFERENCES

[1] P. J. G. Ramadge and W. M. Wonham, “The control of discrete eventsystems,”Proc. IEEE,vol. 77, no. 1, pp. 81–98, Jan. 1989.

[2] R. Kumar, V. Garg, and S. I. Marcus, “On supervisory control of sequen-tial behaviors,”IEEE Trans. Automat. Contr.,vol. 37, pp. 1978–1985,Dec. 1992.

[3] P. J. G. Ramadge, “Some tractable supervisory control problems fordiscrete-event systems modeled by Buchi automata,”IEEE Trans. Au-tomat. Contr.,vol. 34, pp. 10–19, Jan. 1989.

[4] J. G. Thistle, “On control of systems modeled as deterministic Rabinautomata,”Discrete Event Dynamic Syst.: Theory and Appl.,vol. 5, no.4, pp. 357–381, Sept. 1995.

[5] J. G. Thistle and W. M. Wonham, “Supervision of infinite behaviorof discrete-event systems,”SIAM J. Contr. Opt.,vol. 32, no. 4, pp.1098–1113, July 1994.

[6] F. Lin, “Robust and adaptive supervisory control of discrete eventsystems,”IEEE Trans. Automat. Contr.,vol. 38, pp. 1848–1852, Dec.1993.

[7] J. E. R. Cury, B. H. Krogh, and T. Niinomi, “Synthesis of supervisorycontrollers for hybrid systems based on approximating automata,”IEEETrans. Automat. Contr.,to be published.

[8] J. E. R. Cury and B. H. Krogh, “Design of robust supervisors for discreteevent systems with infinite behaviors,” Dept. Electrical and ComputerEngineering, Carnegie Mellon Univ., Tech. Rep., Apr. 1996.

[9] W. Thomas, “Automata on infinite objects,” inHandbook of TheoreticalComputer Science, Volume B: Formal Models and Semantics,J. vanLeeuwen, Ed. New York: Elsevier, 1990, Ch. 4.

[10] S. D. O’Young,TCT_talk: User’s Guide, Systems Control Group Rep.8915, Oct. 1989.

Further Properties of Optimal Hedging Pointsin a Class of Manufacturing Systems

Xin-Zhen Yu and Wen-Zhong Song

Abstract—For single-part-type manufacturing systems with homoge-neous irreducible Markov machine failure rates, it is known that simplefeedback control policies, called hedging point policies, are optimal, andthe stationary probability distribution of the part surplus can be obtainedanalytically for given tentative values of hedging points. In this paper, theauthors extend previous work on the ordering of optimal hedging points,and some better results are obtained.

Index Terms—Hedging point policy, HJB equation, manufacturingsystem.

I. INTRODUCTION

Liberopoulos and Hu [5] studied the problem of the relativeordering of optimal hedging points in several manufacturing systemconfigurations, and this paper proceeds with the same problem. Ourmethod is to multiply the Hamilton–Jacobi–Bellman (HJB) equationsby transition rates so as to eliminate one of the terms in the HJBequations containing the first derivative of the value function. Thismethod, used in the next two sections, has dramatic effects ondetermining the relative ordering of optimal hedging points.

The terminology and the equations are the same as in [5] and,therefore, omitted. We refer the reader to [5] and references therein.

The first part of this paper investigates some deeper relations ofoptimal hedging points in the system which is the last one in [5](for details, see the next section). We provide a sufficient conditionfor determining the relative ordering of any two optimal hedgingpoints of transitive machine states (1; 2; � � � ; n�1 in Fig. 1) and twocorollaries for the minimum and maximum optimal hedging points ofthese machine states. A special case with two nonidentical unreliablemachines is studied, and we conclude that the optimal hedging pointcorresponding to the largest capacity state is the minimum of all theoptimal hedging points.

Manuscript received May 6, 1996. Recommended by Associate Editor,J. B. Lasserre.

X.-Z. Yu was with with the Automation Research Institute, SoutheastUniversity, Nanjing 210096, China. He is now with the Department ofAutomation, Tsinghua Unviersity, Beijing 100084, China.

Publisher Item Identifier S 0018-9286(99)00582-6.

0018–9286/99$10.00 1999 IEEE