A memoryless subsystem is incapable of communicating unauthorised information about data input to the outside world. Such systems are important in the study of protection systems, but are difficult to implement. This paper derives a model of such a system and further gives a proof of its correctness.