Intersection Based Decentralized Diagnosis: Implementation and Verification

Size: px

Start display at page:

Download "Intersection Based Decentralized Diagnosis: Implementation and Verification"

Sydney Hancock
5 years ago
Views:

1 Intersection Based Decentralized Diagnosis: Implementation and Verification Maria Panteli and Christoforos N. Hadjicostis Abstract We consider decentralized diagnosis in discrete event systems that are modeled as non-deterministic finite automata and are observed under distinct observation masks at different observation sites. Specifically, we consider a scenario where two or more observers (each with its own observation mask) are allowed to communicate their assessment (state estimate and matching normal/failure conditions) to a centralized location which bases its overall decision on the intersection of the local state estimates and their matching conditions. This intersection based decentralized diagnosis (IBDD) scheme, in which the centralized location does not necessarily have any knowledge of the system model and does not communicate any information back to the obesrvers, can be implemented with polynomial complexity, both at the observation sites and at the centralized location. The diagnosability of IBDD (i.e., the verification of our ability to detect/identify, perhaps with some bounded delay, all possible faults under all system behaviors using IBDD) can be determined with an algorithm that constructs a verifier for each observation site, and analyzes properties of their parallel composition and product with the system. The overall complexity of the proposed verification approach is polynomial in the number of states of the system and exponential in the number of observation sites. Index Terms Decentralized diagnosability, discrete event systems, finite automata, fault diagnosis. I. INTRODUCTION Failure diagnosis is an important aspect of monitoring and control of discrete event systems, including transportation systems, medical diagnostics, heating/ventilation systems, and communication networks. In a centralized (monolithic) setting, detection and isolation of failures in a given (nondeterministic) finite automaton that models the system of interest is performed by a single entity, called observer or diagnoser, typically designed as a finite automaton that is driven by observable events [1] [3]. Following [3], many other researchers have subsequently investigated algorithms of reduced complexity for fault diagnosis and the verification of diagnosability. Language diagnosability as defined in [3] can be verified with polynomial-time algorithms [4], [5]. The approach in [4] assumes a deterministic system and constructs, for each failure type, a verifier with language identical to the language This work falls under the Cyprus Research Promotion Foundation (CRPF) Framework Programme for Research, Technological Development and Innovation (CRPF s FP ), co-funded by the Republic of Cyprus and the European Regional Development Fund, and specifically under Grant T ΠE/OP IZO/0609(BE)/08. Any opinions, findings, and conclusions or recommendations expressed in this publication are those of the authors and do not necessarily reflect the views of CRPF. Maria Panteli and Christoforos N. Hadjicostis are with the Department of Electrical and Computer Engineering at the University of Cyprus, Nicosia, Cyprus. {panteli.maria, chadjic}@ucy.ac.cy of the original system. Each verifier can be used to check fault detection and isolation of its corresponding failure type. The system is considered diagnosable for a particular failure type if all cycles of the corresponding verifier have identical state labels. The approach in [5] assumes a non-deterministic system and constructs a verifier automaton with language specified by the observation mask. In contrast to [4], the verifier in [5] tracks labels of multiple faults. The system is considered diagnosable if the cycles of the verifier consist of states with identical failure labels. The two algorithms mentioned above have the same computational complexity in terms of the number of events of the system, whereas the algorithm in [4] is of lower complexity in terms of the number of states (at the cost of dealing with deterministic automata and a single failure type at a time). Related approaches, that overcome the so-called state-explosion problem, also include the work in [6], which assumes asynchronous diagnosis using Petri-nets and [7], which studies failure diagnosis of discrete event systems with linear-time temporal logic specifications. Diagnosability has also been investigated in decentralized architectures. The authors in [8] propose three protocols for coordinated decentralized diagnosis. Protocols 1 and 2 assume unidirectional communication from the local diagnosers to a coordinator, whereas Protocol 3 assumes no communication between them or to any coordinator. We elaborate on these protocols a bit since they are useful for our analysis later on. 1. In Protocol 1, the diagnostic information at a local site is generated by an extended diagnoser, the states of which consist of both the predecessor and successor state estimates of an observable event along with its failure label. The decision rule of the coordinator is defined under different intersection operations applied on pairs of system state estimates and their matching normal/failure conditions. 2. Protocol 2 uses the basic (standard) diagnoser to generate the local diagnostic information, and system diagnosis is performed under the same communication and decision rules as in Protocol 1. Although the computational complexity of Protocol 2 is reduced compared to Protocol 1, the performance of the former is constrained to traces that adhere to the well-ordering property of the coordinator, also referred to as failure-ambiguous traces in [8]. 3. Protocol 3 is directly linked to the so-called property of codiagnosability. A system is codiagnosable (or decentralized diagnosable) if any occurrence of a failure is detected by at least one local diagnoser within a bounded interval of observations. Polynomial complexity algorithms for the verification of codiagnosability can be found in [9] [13].

2 In [9] decentralized diagnosability is studied under a framework of conditional decisions issued by the local sites, and polynomial tests are proposed for the verification of equivalent language-based notions of decentralized diagnosability. In [10] the authors propose polynomial algorithms to transform a problem of coobservability to the problem of codiagnosability under the assumption of dynamic observations. They also propose a polynomial-time algorithm for testing codiagnosability of the system based on cluster automata. The authors of [11] study codiagnosability under the condition of state-dependence and nondeterminism of partial event observation. The algorithms proposed in [12], [13] are based on constructing a testing automaton that, given a faulty trace, searches for corresponding indistinguishable non-faulty traces at each local site. Lower complexity is achieved in [12] by tracking the non-faulty traces in a set smaller than the one assumed in [13]. Decentralized diagnosability similar to Protocols 1 and 2 of [8] has been also studied in [14]. In this work, fault diagnosis is performed locally using the (basic) diagnoser and, upon the request of the coordinator, the local estimates (state estimates along with matching normal/failure conditions) are sent to the coordinator who reaches an overall diagnosis decision by taking the intersection of local pairs of state estimates and normal/failure conditions. The algorithm proposed in [14] for offline verification of diagnosability under this scheme employs the parallel composition of local diagnosers and then searches for ambiguous cycles within this composed structure. The verification of decentralized diagnosability with communication to a coordinator [8], [14] involve the use of local diagnosers whose sizes are, in the worst case, exponential in the number of states of the given system. This paper proposes a polynomial time algorithm for the verification of diagnosability using the intersection based decentralized diagnosis (IBDD) scheme. The IBDD scheme consists of sending state estimates along with matching normal/failure conditions to the coordinator (who then makes a decision based on the intersection of pairs of state/conditions from different local sites). In particular, the polynomial-time verification approach for centralized diagnosability in [5] is used with further adaptations to the decentralized architecture and the intersection operation. Local estimates are combined with the use of the parallel composition of local verifiers and the product with the system model. Necessary and sufficient conditions for the verification of IBDD diagnosability, using this composition automaton, are described later in the paper. The overall complexity is polynomial in the number of states of the finite automaton and exponential in the number of observation sites. A. Model II. PRELIMINARIES The system under diagnosis is modeled as a nondeterministic finite automaton [15]. We further include notation for deterministic systems, to which we frequently refer in our analysis (because it makes connections with earlier work clearer). The system is defined as G = (Q, Σ, δ, q 0 ) where Q denotes the finite set of states, Σ denotes the finite set of events, q 0 Q (or {q 0 } Q) is the initial state 1 and δ : Q Σ 2 Q is the transition function (with 2 Q denoting the power set of Q). System G is deterministic if δ(, ) 1 (where S denotes the cardinality of set S). An event σ Σ causes a transition from the current state q Q to the state q Q if the transition function δ satisfies q δ(q, σ). The language generated by G, denoted by L(G) or sometimes by L, is a subset of Σ where Σ denotes the Kleene closure of the set Σ. The event set Σ is partitioned as Σ = Σ o Σ uo where Σ o is the set of observable events and Σ uo is the set of unobservable events. The event observation can be conveniently described by the so-called natural projection with respect to the set of observable events Σ o, denoted by P Σo : Σ Σ o, where P Σo (sσ) = P Σo (s)p Σo (σ) for s Σ and σ Σ, and { σ, if σ Σo, P Σo (σ) = ɛ, if σ Σ o, with ɛ denoting the empty string (when Σ o is clear from context, we frequently use P instead of P Σo ). Given a sequence of observations ω Σ o, P 1 (ω) = {s Σ : P (s) = ω} denotes the inverse of the natural projection P. For failure diagnosis, we consider some specific events that indicate (faults or abnormal conditions) that need to be detected (more generally, they need to be classified or identified) after a finite delay. Let Σ f Σ denote the set of failure events and assume without loss of generality that Σ f Σ uo (since an observable failure event is immediately diagnosable). The set of failure events is partitioned into disjoint sets of different failure types Σ f = Σ F1... Σ Fk. This partition is denoted by Π f. We also denote the set of traces s L that end with a failure event of type F i as Ψ(Σ Fi ) = {sσ fi L: s (Σ \ Σ f ) σ fi Σ Fi } and the postlanguage of L after s as L \ s = {t Σ : st L}. B. Centralized Diagnosis System diagnosis in a centralized (monolithic) architecture aims to detect or precisely identify the occurrence, if any, of failure events, following the sequence of observations generated by the system. The following assumptions on the language L(G) are typical [3] and are also assumed in our development here: (A1) G has no cycles of unobservable events; (A2) L(G) is live i.e., a transition is defined at each state q Q. Diagnosability as introduced in [3] can be tested with the diagnoser G d = (Q d, Σ o, δ d, q 0d ). This is a deterministic finite automaton built from G that provides an estimate of the current state of system G and its matching failure condition(s) (if any). The latter is given in terms of a subset of failure labels from the set f = {F 1, F 2,..., F k }, that are assigned to each state estimate, and correspond to faulty 1 With some abuse of notation, the initial state is defined for simplicity as a singleton subset of Q but this can be easily relaxed to be an arbitrary subset of Q.

3 (a) Diagnoser D 1 Fig. 1. System G. behavior associated with a fault in fault class F i, and the label N, that corresponds to normal behavior of the system. The state space Q d is a subset of 2 Q, where Q is the state space of the system and is the complete set of possible labels = {N} 2 f. More specifically a state q d Q d is of the form q d Q, i.e., q d can be written as q d {(q 1, l 1 ),..., (q n, l n )}, with q i Q and l i (repetitions of q i are permitted 2 ). The transition function δ d : 2 Q Σ o 2 Q satisfies q d = δ d (q d, σ) and updates both the possible states and matching normal/failure condition(s) as defined in [3]. Verification of diagnosability using the diagnoser depends on the presence of F i -uncertain states which are defined as follows [8]. Definition 1: A state q d Q d of the diagnoser is called F i -uncertain if (x, l), (y, l ) q d, such that x, y Q, F i l and F i l. If the state estimate of the diagnoser contains only N labels, the system is diagnosed to normal behavior and if all the labels correspond to F i the system is diagnosed to faulty behavior associated with fault class F i. Otherwise, the estimate corresponds to an F i -uncertain state such that faulty behavior of type F i cannot be isolated and the system cannot be diagnosed (at least not at this point; it might be possible that the failure can be diagnosed once more observations become available). In general, system G is assumed diagnosable if its diagnoser contains no cycles composed exclusively of F i -uncertain states for all failure types 3 F i. Example 1: Consider the system in Figure 1 and assume Σ f = {f}, Σ uo = {f, b} and Σ o = {a, c}. For the set of observable events Σ o, we can construct the diagnoser D 1 shown in Figure 2a. The sequence of events acc (or afbcc ) generates the observation sequence acc and leads the diagnoser to the state (3F, 4N) (to ease notation, we denote the set of pairs of states and labels {(3, F ), (4, N)} as (3F, 4N)). This is an F i -uncertain state, thus the fault cannot be diagnosed for the given observation sequence. Furthermore, the diagnoser contains a cycle consisting of 2 For example, state q d could be the set {(q 1, N), (q 1, F 1 F 2 ), (q 2, F 2 )}. 3 It is possible that cycles with F i -uncertain states are not executable after the occurrence of faults; since such cycles do not violate diagnosability we need to check against this possibility [3]. (b) Diagnoser D 2 Fig. 2. Diagnosers D 1 and D 2 for the system G in Figure 1. a (single) F i -uncertain state, namely the state (3F, 4N). Since this cycle can be executed in the system following the observation sequence acc, the system is not (centralized) diagnosable with respect to Σ o. C. Decentralized Diagnosis In decentralized architectures, diagnosability has to be decided based on the information available at each observation site, and also on the type of protocol that is used to exchange information between sites. For codiagnosability, where no communication to a coordinator is assumed, the local decisions need to be considered individually. Codiagnosability requires that for any arbitrarily long trace following a fault, there exists at least one local site that, based on its own (local) information, can detect the fault with certainty within a bounded interval of observations [13]. Example 2: Consider the system shown in Figure 1. Assume Σ f = {f}, and let Σ o1 = {a, c}, Σ o2 = {b, c} be the sets of observable events for diagnosers D 1 and D 2 respectively. Diagnoser D 1 is shown in Figure 2a (top) and diagnoser D 2 is shown in Figure 2b (bottom). The faulty trace afbcc under projection P Σo1, leads diagnoser D 1 to the cycle consisting of the (single) F i -uncertain state (3F, 4N). The same trace under projection P Σo2, leads diagnoser D 2 to the cycle consisting of the (single) F i - uncertain state (3F, 5N). Thus, neither of the local sites can detect with certainty the occurrence of the failure within a finite number of observations. Hence, the condition of codiagnosability is violated. If communication to a coordinator is allowed, possible combinations of local estimates can be considered. These can be represented by the intersection of the estimates of the local diagnosers [8], [14]. Decentralized diagnosability (under this intersection operation) can be verified by searching for cycles with F i -uncertain states within an automaton composed from the local diagnosers and the given system. Specifically, the authors in [14] proposed the offline pre-computation of possible intersections of local estimates with the use of a look-up table. If after applying the intersection operation on the local

4 Fig. 3. The automaton D c (D 1 D 2 ) for the verification of multiplerequest diagnosability [14] for system G in Figure 1. estimates, the look-up table contains no ambiguous entries, the system is said to be single-request diagnosable, i.e., the coordinator can determine the failure condition of the system the first time it requests the local estimates (under some assumptions on the time elapsed since the occurrence of the fault). In the case of two observation sites with observation masks Σ o1 and Σ o2, [8], [14] determines multiple-request diagnosability by constructing D c (D 1 D 2 ), where D c is the centralized diagnoser (based on Σ o = Σ o1 Σ o2 ) and D i, i = 1, 2, is the local diagnoser based on Σ oi. If the product automaton D c (D 1 D 2 ) contains no cycles of states corresponding to ambiguous entries of the look-up table, the system is considered multiple-request diagnosable [14]. Example 3: For the system in Figure 1 and the diagnosers in Figure 2, the finite automaton D c (D 1 D 2 ) as defined in [14] is shown in Figure 3, where states are represented by triplets {q Dc, q D1, q D2 }. This FSM contains, amongst others, the cycle consisting of local estimates (3F, 4N) of D 1 and (3F, 5N) of D 2. These are F i -uncertain states and, as shown earlier, the system is not codiagnosable. However, the intersection of these estimates gives {3F } which is not an F i -uncertain state. Therefore, under this scheme, the system is considered multiple-request diagnosable. III. PROBLEM FORMULATION We consider a system G = (Q, Σ, δ, q 0 ) (modeled as a nondeterministic finite automaton) that is observed by multiple observers, each with its own observation mask captured by the natural projection with respect to the set of its own observable events. More specifically, we assume m observers with observation masks OM 1,..., OM m. Each observation mask OM j is characterized by the set of (locally) observable events Σ oj, Σ oj Σ. The set of observable events of the system is defined as the union of the local sets of observable events, i.e., Σ o = Σ o1 Σ om. Similarly, we define Σ uoi = Σ \ Σ oi for i = 1, 2,..., m and Σ uo = Σ \ Σ o. We assume that Σ f Σ uo (without loss of generality, since otherwise, at least one observation site will be able to immediately identify the fault). For fault diagnosis, a local diagnoser D j is assigned to each observer and performs diagnosis based on the events it observes under the observation mask OM j. Note that we refer to a local diagnoser but, in practice, online diagnosis can be performed more efficiently via an iterative algorithm that keeps track of the possible states and matching normal/failure condition(s), following any particular sequence of observations. As in [14], we assume a coordinator that takes a global diagnosis decision by requesting (perhaps at multiple instances) information from the local diagnosers and processing it accordingly. While performing diagnosis, we assume that the following hold. (A3) There is reliable communication between the local sites and the coordinator, i.e., information is communicated to the coordinator correctly and in order. (A4) Local sites are aware of the system model and can recursively estimate the possible states and matching normal/failure condition(s); however, the coordinator has limited memory and capacity (and is not necessarily aware of the system model), We investigate decentralized diagnosis under the intersection operation. In particular, our proposed IBDD scheme has the following specifications. SP1. At any given time instant, following a sequence of events s Σ that generates at observation site OM j the sequence of observations ω j = P Σoj (s), the diagnostic information at a local site j consists of all possible states that can be reached along with their matching label l. Each local site sends its diagnostic information when requested by the coordinator. SP2. The coordinator requests information from local sites periodically and takes the intersection of the local state/conditions to form an estimate of the state of the system and matching normal/failure condition(s), and to reach a diagnosis decision. Informally, the diagnosability of this protocol captures the ability of the coordinator to detect (identify) faults following a finite number of observations after their occurrence. The formal definition of diagnosability using IBDD is as follows. Definition 2: A non-deterministic finite automaton G observed by m observers with observation masks OM 1,..., OM m, under SP1 SP2, is diagnosable using IBDD with respect to fault class F i if the following condition is true: for any arbitrarily long trace following the occurrence of a fault in class F i, the intersection of the local estimates after a finite number of observations becomes F i -certain, i.e., n 0 N, sσ f t L(G), s (Σ \ Σ f ), σ f Σ Fi, t > n 0, m j=1 δ d j (q 0j, P Σoj (sσ f t)) {(q, l), (q, l )} for some q, q Q, with F i l but F i / l, where δ dj is the next state transition function for the diagnoser D j at observation site OM j. Remark 1: In the above definition, the intersection of local estimates is defined for states q V j δ dj (q 0j, P Σoj (sσ f t)), j = 1, 2,..., m, in the standard way q V 1 q V 2... q V m = {(q i, l i ) (q i, l i ) q V j, j = 1, 2,..., m}.

5 For example, for states q V 1 = (3F, 4N) and q V 2 = (3F, 5N), the intersection of local estimates (3F, 4N) (3F, 5N) gives the singleton state (3F ). For states q V 1 = (2F, 4N) and q V 2 = (4N, 2F ), the intersection of local estimates gives the non-singleton state (2F, 4N). Online operation for IBDD is actually rather straightforward: each local site recursively maintains a set of pairs of possible states and fault conditions (maintaining this list requires polynomial complexity in the number of states and exponential complexity in the number of fault classes because the total number of elements maintained is, at most Q 2 Π f, i.e., all the elements of Q ). When prompted by the coordinator, the local site communicates its state estimates (along with their associated failure labels) to the coordinator, who then computes the intersection of these state estimates. Note that IBDD is different from the notion of codiagnosability. More specifically, codiagnosability implies IBDD but not the other way around. This is illustrated in the example below. Example 4: In system G of Figure 1, following the faulty trace afbcc, diagnosers D 1 and D 2 reach the F i -uncertain states (3F, 4N) and (3F, 5N) respectively. Hence, the system is not codiagnosable; however, the intersection of these estimates gives {3F } which is not an F i -uncertain state. Hence, IBDD allows us to determine the occurrence of the fault, at least for this particular sequence of observations. IV. VERIFICATION OF IBDD A. Verifier Automaton for Each Observation Site For each observation site OM j, we construct a verifier which is a non-deterministic automaton that can track the pairs of current system state and matching normal/failure condition(s) that are consistent with the sequence of observations at the jth site. Definition 3: Consider a system G = (Q G, Σ, δ G, q0 G ) Let Σ f Σ denote the set of failure events, assume Σ f = Σ F1... Σ Fk is the partition into different failure types, and denote by = {N} 2 f the complete set of possible labels where f = {F 1, F 2,..., F k }. Consider observation mask OM j under the natural projection map P Σoj for a set of events Σ oj Σ. The Verifier automaton V j is a non-deterministic automaton constructed from the given nondeterministic system G as V j = (Q V j, Σ oj, δ V j, q V j 0 ), where 1. Q V j = Q G Q G is the set of states. 2. The transition rule δ V j for the verifier automaton is (for (q i, l i, q i, l i ) QVj and σ Σ oj ) δ V j ((q i, l i, q i, l i ), σ) = {(q i+1, l i+1, q i+1, l i+1 ) s 1, s 2 Σ, P Σoj (s 1 ) = P Σoj (s 2 ) = σ, q i+1 δ G (q i, s 1 ), q i+1 δg (q i, s 2), l i+1 = f(l i, s 1 ), l i+1 = f(l i, s 2)}, where, for l i and s h, h = 1, 2, the label function f : Σ is defined as l i L(sh ), l i N, f(l i, s h ) = L(s h ), l i = N and f Σ f, σ f s h, N, l i = N and f Σ f, σ f / s h, with L(s h ) = {F i σ fi Σ Fi s.t. σ fi s h }. (1) 3. The initial state of V j is given by q V j 0 = {(q 0, l 0, q 0, l 0) s 01, s 02 (Σ \ Σ oj ) s.t. q 0 δ G (q0 G, s 01 ), q 0 δ G (q0 G, s 02 ), l 0 = f(s 01 ), l 0 = f(s 02 )}, where f(s 0h ) for h = 1, 2 is given by { N, if σf Σ f(s 0h ) = f, σ f / s 0h, {F i σ fi Σ Fi s.t. σ fi s 0h }, otherwise. By construction, δ V j is defined whenever δ G is defined. Thus, it tracks two strings in L(G) that are equal under the projection P Σoj i.e., they produce the same sequence of observations, but have different failure information as the observation sequence evolves. The labels associated to each state of the verifier track the occurrence of faults from different classes, but neglect the order in which they appear as well as the number of occurrences of each fault. Remark 2: The verifier automaton above is defined for a non-deterministic system G in a setting with multiple observation sites. In the case of a single observation site (m = 1), the verifier shares similarity to the one in [5]. Definition 4: A subset of states {v j 1, vj 2,..., vj n} Q V j forms a path denoted by v j 1, vj 2,..., vj n V j if there exist transitions σ 1, σ 2,..., σ n 1 Σ oj such that v j σ 1 1 v j σ σn 1 vn. j Definition 5: A path v j 1, vj 2,..., vj n V j forms a cycle if v j 1 = vj n. A cycle v j 1, vj 2,..., vj n V j is F i -confused if for all v j k = k, l (qvj vj k, q vj k, l vj k), k = 1,..., n, F i l vj k but F i / l vj k, or vice versa. Verification of diagnosability (in a centralized architecture) is captured in the following lemma. Lemma 1: System G is diagnosable under observation mask OM j and partition Π f on Σ f iff the verifier automaton V j has no F i -confused cycles. Proof: Lemma 1 addresses centralized diagnosability; its proof is similar to Theorem 1 of [5] and omitted. Example 5: Consider again the system shown in Figure 1 and the diagnosers shown in Figure 2. For observable sets Σ o1 = {a, c} and Σ o2 = {b, c}, we construct respectively the verifiers V 1 and V 2 of system G as shown in Figure 4. Consider again the trace afbcc : we observe that V 1 reaches (amongst others) the cycles 3F, 4N and 4N, 3F, and V 2 the cycles 3F, 5N and 5N, 3F. These are F i -confused cycles and, by Lemma 1, we conclude that the system is not diagnosable, neither w.r.t Σ o1 at observation site 1 nor w.r.t Σ o2 at observation site 2. For IBDD, the local estimates need to be combined to make a global diagnosis decision. It turns out, that via an

6 Fig. 4. The Verifiers V 1 (left) and V 2 (right) for system G in Figure 1. appropriate composition of the local verifiers in Definition 3, diagnosability of IBDD can be verified with polynomial complexity. The algorithm proposed for this is presented in the following section, followed by its proof of correctness. B. Algorithm for Verification of IBDD The algorithm proposed for verifying IBDD first constructs the parallel composition of local verifiers V j. If we focus for simplicity on two verifiers, we have where V 1 V 2 = (Q V 1 V 2, Σ V 1 V 2, δ V 1 V 2, q V 1 V 2 0 ), 1. Q V 1 V 2 = Q V 1 Q V 2 ; 2. Σ V 1 V 2 = Σ o1 Σ o2 ( Σ o ); 3. δ((q V 1, q V 2 ), σ) defined for all q V 1 Q V 1, q V 2 Q V 2, σ Σ o1 Σ o2 by δ V 1 (q V 1, σ) δ V 2 (q V 2, σ), for σ Σ o1 Σ o2, δ V 1 (q V 1, σ) q V 2, for σ Σ o1 \ Σ o2, q V 1 δ V 2 (q V 2, σ), for σ Σ o2 \ Σ o1, undefined, otherwise; 4. q V 1 V 2 0 = q V 1 0 q V2 0. Following the execution of a string s L(G), the states reached in the parallel composition of verifiers provide pairs of compatible states reached by the local verifiers following the projection of s under the local set of observable events, i.e., for s L(G), (q V 1, q V 2 ) (δ V 1 V 2 ((q V 1 0, q V 2 0 ), P Σo1 Σ o2 (s)) if and only if q V 1 δ V 1 (q V 1 0, P Σo1 (s)), q V 2 δ V 2 (q V 2 0, P Σo2 (s)). Note that transitions of observable events that appear possible in V 1 V 2 might not necessarily be executable by the system. The algorithm eliminates these by computing the product of a modified version of V 1 V 2, denoted by Ṽ 1 Ṽ 2, with the system, i.e. G (Ṽ 1 Ṽ 2 ). Automaton Ṽ 1 Ṽ 2 includes all events in Σ in its set of events (unlike automaton V 1 V 2 which only includes the observable events Σ o Σ o1 Σ o2 ). Specifically, automaton Ṽ 1 Ṽ 2 appends a self loop transition for each unobservable event σ u Σ uo (note that Σ uo = Σ \ Σ o ) at each state of V 1 V 2 δṽ 1 Ṽ 2 ((q V 1, q V 2 ), σ u ) = (q V 1, q V 2 ) for σ u Σ uo. Thus, the state space of Ṽ 1 Ṽ 2 remains the same as V 1 V 2, but the event space is augmented in order to include unobservable events in Σ uo. C. Necessary and Sufficient Conditions for IBDD We verify Intersection Based Decentralized Diagnosability by checking for F i -uncertain states in G Ṽ 1 Ṽ 2, where F i -uncertainty is now defined under the intersection-based scheme. The automaton G Ṽ 1 Ṽ 2 is referred to as the Product Verifier from now on. Definition 6: A state (q V 1, q V 2 ) of Ṽ 1 Ṽ 2 is Intersection Based F i -uncertain if the intersection of its local estimates includes a subset of the form {(q, l), (q, l )} with q, q Q and F i l but F i / l (or vice versa).

7 Remark 3: Note that a state q V j of a (local) verifier V j consists of exactly two state estimates of the system. Therefore, the above definition holds only whenever q V 1, q V 2 are both F i -uncertain and consist of the same pair of state estimates and label. Also important is the observation that labels that become faulty with label F i in a local verifier V j, and thus also in the parallel composition automaton Ṽ 1 Ṽ 2, have to remain faulty with label F i (due to the way function f is defined in Eq. (1)). Since diagnosability is considered in the case when multiple requests are allowed, we are particularly interested in Intersection Based F i -uncertain states that exist within cycles of the Product Verifier. Such cycles are called Intersection Based F i -confused cycles and are defined as follows. Definition 7: A cycle of the Product Verifier (v1, 1 v1), 2 (v2, 1 v2), 2..., (vn, 1 vn) Ṽ 2 1 is Intersection Based F i -confused if each of the pairs Ṽ 2 (v1, 1 v1), 2 (v2, 1 v2), 2..., (vn, 1 vn) 2 are Intersection Based F i -uncertain states. By Remark 3, we note that (v1, 1 v1), 2 (v2, 1 v2), 2..., (vn, 1 vn) Ṽ 2 1 is Intersection Ṽ 2 Based F i -confused if v1, 1 v2, 1..., vn 1 V 1, v1, 2 v2, 2..., vn 2 V 2 are F i -confused cycles and vk 1 consist of the same pairs of F i -uncertain state estimates as vk 2, for k = 1,..., n. Considering the above, we can now state the following theorem. Theorem 1: A non-deterministic system G observed by m = 2 observers with observation masks OM 1 and OM 2 respectively, under SP1 SP2, is F i -diagnosable under IBDD with respect to Σ o1, Σ o2, and partition Π f on Σ f if and only if the automaton G Ṽ 1 Ṽ 2 has no intersection based F i - confused cycles. Proof: ( ) Assume that L(G) is IBDD with respect to Σ o1 and Σ o2 and Π f on Σ f. For proof by contradiction, suppose that the composition Ṽ 1 Ṽ 2 has an intersection based F i -confused cycle, (v1, 1 v1), 2 (v2, 1 v2), 2..., (vn, 1 vn) Ṽ 2, 1 Ṽ 2 that is also present in the automaton G Ṽ 1 Ṽ 2. Without loss of generality assume v 1 i = v 2 i for i = 1,..., n and let v 1,2 1 = (q 1,2, F i, q 1,2, N) and {σ 1, σ 2,..., σ n 1 } Σ denote the transitions over the cycle (v1, 1 v1), 2 (v2, 1 v2), 2..., (vn, 1 vn) Ṽ 2 such that 1 Ṽ 2 (vi 1, v2 i ) σ i (v 1 i+1, vi+1 2 ). Note that, if σ i Σ uo, then δṽ 1 Ṽ 2 ((vi 1, v2 i ), σ i) = (vi 1, v2 i ) denotes a self loop transition in Ṽ 1 Ṽ 2, hence, (vi+1 1, v2 i+1 ) = (v1 i, v2 i ) but the G- component may move. Then, by construction, s 0, s 0 L(G) such that the following holds P Σo1 (s 0 ) = P Σo1 (s 0), P Σo2 (s 0 ) = P Σo2 (s 0), q v1,2 1 δ G (q0 G, s 0 ), q v1,2 1 δ G (q0 G, s 0), Σ Fi s 0 but Σ Fi s 0, where Σ Fi s 0 denotes, with slight abuse of notation, the occurrence of failure events of type F i in the trajectory s 0. Since σ 1, σ 2,..., σ n 1 are transitions over a cycle in G (Ṽ 1 Ṽ 2 ) then s 0 (σ 1 σ 2... σ n 1 ) L(G (Ṽ 1 Ṽ 2 )) s 0(σ 1 σ 2... σ n 1 ) L(G (Ṽ 1 Ṽ 2 )). Consider the two traces w(k) = s 0 (σ 1 σ 2... σ n 1 ) k w (k) = s 0(σ 1 σ 2... σ n 1 ) k where k 0. Then, by construction of G (Ṽ 1 Ṽ 2 ), the following hold: w(k), w (k) L(G), P Σo1 (w(k)) = P Σo1 (w (k)), P Σo2 (w(k)) = P Σo2 (w (k)), Σ Fi w(k) but Σ Fi w (k). Since Σ Fi s 0 we can take s such that s s 0, s Ψ(Σ Fi ) and t L \ s such that st = w(k). By assumption (A1), we have that P Σo1 (σ 1 σ 2... σ n 1 ) ɛ or P Σo2 (σ 1 σ 2... σ n 1 ) ɛ. Hence, by choosing k arbitrarily large we can get t n 0 for any n 0 N, and at least one of the observers will be aware of the activity in the system. Since P Σo1 (w(k)) = P Σo1 (w (k)), P Σo2 (w(k)) = P Σo2 (w (k)), both local diagnosers will have an F i -confused cycle with common F i -uncertain state pairs. Hence the condition of IBDD of L(G) is contradicted. ( ) For a proof by contradiction assume that L(G) is not Intersection Based Decentralized Diagnosable with respect to Σ o1 and Σ o2, and Π f on Σ f. That is, there exist two arbitrarily long traces w, w in L(G) with P Σo1 (w) = P Σo1 (w ) and P Σo2 (w) = P Σo2 (w ) where Σ Fi w and Σ Fi w. Let s Ψ(Σ Fi ) and t L(G) \ s such that t n, where n N can be chosen arbitrarily large, and w = st. Since Σ Fi w, there exists s such that Σ Fi s and s w, and s P 1 Σ o1 (P Σo1 (s)) L(G) and s P 1 Σ o2 (P Σo2 (s)) L(G). Pick w and w such that n Q G 5 4. Let q s and q s be the states reached by s and s respectively and similarly let q st and q w be the states reached by st and w. Then q s δ G (q 0, s), q s δ G (q 0, s ) q st δ G (q 0, st), q w δ G (q 0, w ). By definition of δ V j, and since P Σoj (s) = P Σoj (s ), P Σoj (st) = P Σoj (w ) the following holds for j = 1, 2 (q s, l i, q s, l i ) δv j (q V j 0, P Σoj (s)), (q s, l i, q s, l i ) δv j (q V j 0, P Σoj (s )), (q st, l i, q w, l i ) δv j (q V j 0, P Σoj (st)), (q st, l i, q w, l i ) δv j (q V j 0, P Σoj (w )), where l i, l i are such that F i l i but F i / l i. By construction of G (Ṽ 1 Ṽ 2 ), (q s, (q s, F i, q s, N), (q s, F i, q s, N)) G (Ṽ 1 Ṽ 2 ), (q s, (q s, F i, q s, N), (q s, F i, q s, N)) G (Ṽ 1 Ṽ 2 ), (q st, (q st, F i, q w, N), (q st, F i, q w, N)) G (Ṽ 1 Ṽ 2 ), (q w, (q st, F i, q w, N), (q st, F i, q w, N)) G (Ṽ 1 Ṽ 2 )

8 are accessible states of G (Ṽ 1 Ṽ 2 ). Therefore, there exist transitions σ 1, σ 2,..., σ n = t Σ such that n n and for l = 0, 1, 2,.., n 1, we have with (q kl, (q kl, F i, q k l, N), (q kl, F i, q k l, N)) σ l+1 (q kl+1, (q kl+1, F i, q k l+1, N), (q kl+1, F i, q k l+1, N)) (q k0, (q k0, F i, q k 0, N), (q k0, F i, q k 0, N)) = (q s, (q s, F i, q s, N), (q s, F i, q s, N)), (q kn, (q kn, F i, q k, N), (q n k n, F i, q k, N)) = n (q st, (q st, F i, q w, N), (q st, F i, q w, N)). (Note that the states in the sequence have to be all necessarily F i -confused because the definition of the labeling function implies that once label F i is assigned it has to remain assigned and cannot become N.) Since n n Q G 5 4 and by assumptions (A1), (A3), it must be that G (Ṽ 1 Ṽ 2 ) enters a cycle before reaching (q st, (q st, F i, q w, N), (q st, F i, q w, N)). This is necessarily an intersection based F i -confused cycle which contradicts the initial assumption. Example 6: Consider again the system G in Figure 1. Automaton G (Ṽ 1 Ṽ 2 ) contains (amongst others) the cycles 3F, 3F 4N, 5N3F, 3F, 4N3F, 5N3F, 3F, 3F 4N, 3F 5N, 3F, 4N3F, 3F 5N, where 3F 4N, 4N3F and 5N3F, 3F 5N are F i -confused cycles in V 1 and V 2 respectively. However, the intersection {3F, 4N} {5N, 3F } gives {3F } which is not an F i - uncertain state. Hence, G (Ṽ 1 Ṽ 2 ) has no intersection based F i -confused cycles, and the system is IBDD. D. Computational Complexity By Definition 3, the number of states of V j is Q G 2 2 and its number of transitions is Q G 2 2 Σ oj ; thus, the complexity for constructing the parallel composition of two verifiers, V 1 V 2, is Q G 4 4 Σ o1 Σ o2. This complexity is polynomial in terms of the number of states of the system and is a significant improvement over the doubly exponential complexity of [14] that results from the parallel composition of (two) local diagnosers (which is of order 2 Q 2 Q ). In the general case of multiple verifiers, say m, the complexity for constructing the parallel composition automaton is at most O( Q G 2m 2m Σ o m ), given that Σ oj Σ o (recall Σ o = Σ o1 Σ o2 Σ om ). Note that, to take the product of Ṽ 1 Ṽ 2... Ṽ m with the system G, requires an additional computation time Q G Σ, hence the complexity for constructing G Ṽ 1 Ṽ 2... Ṽ m is O( Q G 2m+1 2m Σ m+1 ). V. CONCLUSIONS In this work, we have introduced the notion of intersection based decentralized diagnosis (IBDD), compared it to the notion of codiagnosability, and argued that the former is superior to the latter (at the cost of sending state and matching normal/fault condition information to the coordinator, rather than pure diagnosis decisions). The implementation of IBDD requires polynomial complexity at the local observation sites (in order to recursively maintain a list of possible states and fault conditions following a sequence of observations) whereas the coordinator only needs to take the intersection of states provided by the local observation sites (without necessarily having knowledge of the system model). For the verification of IBDD, we have proposed an algorithm that constructs local verifier automata (for local diagnosis) and combines them via the parallel composition of local verifiers and the product with the system model (for the global diagnosis decision). The algorithm is applicable to arbitrary non-deterministic systems (deterministic systems are a special case). For m observation masks, the complexity of the algorithm is O( Q G 2m+1 2m Σ m+1 ). Future extensions of this work include investigating the efficiency of the algorithm under different communication rules. For example, information from the local sites can be communicated to the coordinator at regular intervals prior to the end of an arbitrarily long observation sequence. REFERENCES [1] F. Lin, Diagnosability of discrete event systems and its applications, Discrete Event Dynamic Systems, vol. 4, no. 2, pp , [2] S. Bavishi and E. Chong, Automated fault diagnosis using a discrete event systems framework, in IEEE Symposium on Intelligent Control, 1994, pp [3] M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen, and D. Teneketzis, Diagnosability of discrete-event systems, IEEE Transactions on Automatic Control, vol. 40, no. 9, pp , [4] T.-S. Yoo and S. Lafortune, Polynomial-time verification of diagnosability of partially observed discrete-event systems, IEEE Transactions on Automatic Control, vol. 47, no. 9, pp , [5] S. Jiang, Z. Huang, V. Chandra, and R. Kumar, A polynomial algorithm for testing diagnosability of discrete-event systems, IEEE Transactions on Automatic Control, vol. 46, no. 8, pp , [6] A. Benveniste, E. Fabre, S. Haar, and C. Jard, Diagnosis of asynchronous discrete-event systems: a net unfolding approach, IEEE Transactions on Automatic Control, vol. 48, no. 5, pp , [7] S. Jiang and R. Kumar, Failure diagnosis of discrete-event systems with linear-time temporal logic specifications, IEEE Transactions on Automatic Control, vol. 49, no. 6, pp , [8] R. Debouk, S. Lafortune, and D. Teneketzis, Coordinated decentralized protocols for failure diagnosis of discrete event systems, Discrete Event Dynamic Systems, vol. 10, no. 1, pp , [9] Y. Wang, T.-S. Yoo, and S. Lafortune, Diagnosis of discrete event systems using decentralized architectures, Discrete Event Dynamic Systems, vol. 17, no. 2, pp , [10] W. Wang, A. R. Girard, S. Lafortune, and F. Lin, On codiagnosability and coobservability with dynamic observations, IEEE Transactions on Automatic Control, vol. 56, no. 7, pp , [11] S. Takai and T. Ushio, Verification of codiagnosability for discrete event systems modeled by Mealy automata with nondeterministic output functions, IEEE Transactions on Automatic Control, vol. 57, no. 3, pp , [12] M. V. Moreira, T. C. Jesus, and J. C. Basilio, Polynomial time verification of decentralized diagnosability of discrete event systems, IEEE Transactions on Automatic Control, vol. 56, no. 7, pp , [13] W. Qiu and R. Kumar, Decentralized failure diagnosis of discrete event systems, IEEE Transactions on Systems Man and Cybernetics Part A: Systems and Humans, vol. 36, no. 2, pp , [14] E. Athanasopoulou and C. N. Hadjicostis, Decentralized failure diagnosis in discrete event systems, in 2006 American Control Conference, 2006, pp [15] C. G. Cassandras and S. Lafortune, Introduction to Discrete Event Systems. New York: Kluwer, 1999.

Resolution of Initial-State in Security Applications of DES

Resolution of Initial-State in Security Applications of DES Christoforos N. Hadjicostis Abstract A non-deterministic labeled finite automaton is initial-state opaque if the membership of its true initial