Author's personal copy

Transcription

1 Automatica 46 (2010) Contents lists available at ScienceDirect Automatica journal homepage: Optimal sensor activation for diagnosing discrete event systems Weilin Wang a,, Stéphane Lafortune b, Anouck R. Girard a, Feng Lin c a Department of AERO, University of Michigan, Ann Arbor, MI 48109, United States b Department of EECS, University of Michigan, Ann Arbor, MI 48109, United States c Department of ECE, Wayne State University, Detroit, MI 48202, United States a r t i c l e i n f o a b s t r a c t Article history: Received 20 May 2009 Received in revised form 7 December 2009 Accepted 30 March 2010 Available online 14 May 2010 Keywords: Discrete event systems Sensor activation Event diagnosis Supervisory control The problem of dynamic sensor activation for event diagnosis in partially observed discrete event systems is considered. Diagnostic agents are able to activate sensors dynamically during the evolution of the system. Sensor activation policies for diagnostic agents are functions that determine which sensors are to be activated after the occurrence of a trace of events. The sensor activation policy must satisfy the property of diagnosability of centralized systems or codiagnosability of decentralized systems. A policy is said to be minimal if there is no other policy, with strictly less sensor activation, that achieves diagnosability or codiagnosability. To compute minimal policies, we propose language partition methods that lead to efficient computational algorithms. Specifically, we define window-based language partitions for scalable algorithms to compute minimal policies. By refining partitions, one is able to refine the solution space over which minimal solutions are computed at the expense of more computation. Thus a compromise can be achieved between fineness of solution and complexity of computation Elsevier Ltd. All rights reserved. 1. Introduction The problem of event diagnosis in partially observed discrete event systems (DES) is considered. The objective of the diagnostic agents is to perform model-based inferencing to detect the occurrence of significant unobservable events such as faults. On-line diagnosis is driven by the observed traces of event occurrences. However, these observations are limited and costly in many applications, which include, for example, availability of sensors and their life span, battery power, as well as computation and communication resources. In this sense, the motivation of optimizing the use of sensors is significant in system diagnosis. The forms of sensor optimization problems depend on the modeling formalisms chosen to describe the system, the format of the information for system dynamics, the structural assumptions about the sensors, and the cost function to be minimized (Lee & Lee, 2008; Leow, Ni, & Pishro-Nik, 2008; Shi, Johansson, & Murray, 2008). In the discrete event formalism, relevant work started with the sensor selection problem. The objective of sensor selection is The research was supported in part by US AFRL grant FA and by NSF grants ECCS , CNS , and ECCS The material in this paper was partially presented at the American Control Conference 2009, June 10 12, 2009, St. Louis, MO, USA. This paper was recommended for publication in revised form by Associate Editor Bart De Schutter under the direction of Editor Ian R. Petersen. Corresponding author. Tel.: ; fax: addresses: weilinw@umich.edu (W. Wang), stephane@umich.edu (S. Lafortune), anouck@umich.edu (A.R. Girard), flin@ece.eng.wayne.edu (F. Lin). to minimize the set of events that need to be observed under the constraint that diagnosability or observability is preserved; see, e.g., Haji-Valizadeh and Loparo (1996), Jiang, Kumar, and Garcia (2003), Debouk, Lafortune, and Teneketzis (2002) and Yoo and Lafortune (2002). However, since it assumes that a sensor is always activated or never activated for all occurrences of an event, the sensor selection problem excludes the possibility for the observing agent to decide when to activate or deactivate various sensors. One important reason for turning sensors on and off dynamically is that sensors are often operated in an adversarial environment where available resources are limited or costly. For example, in a radar system, emitting radar signals can be dangerous since they can be used to detect the position of the radar (Adamy, 2001); despite the increasing dependency of information collection on unmanned aerial vehicle systems (Unmanned aircraft systems roadmap , 2005), making a measurement will cost hours of flight. In other applications, security concerns may motivate the minimization of communications with sensing devices. In general, the life span of a sensor is dependent on its measurement frequency. These motivations have justified recent research on the problem of dynamic sensor activation for discrete event systems (Cassez & Tripakis, 2008; Thorsley & Teneketzis, 2007). The common objective in these works is to minimize some cost function related to the measurement frequency of event occurrences under the constraint that diagnosability is preserved. There has also been related work on the problem of minimization of the frequency of communication of event occurrences in distributed discrete event systems (Ricker & Caillaud, 2009; van Schuppen, 2004; Wang, Lafortune, & Lin, 2008a,b) /$ see front matter 2010 Elsevier Ltd. All rights reserved. doi: /j.automatica

2 1166 W. Wang et al. / Automatica 46 (2010) As in control problems for partially observed systems, the agent s decisions on activation or deactivation of a sensor are based on its observation of the system behavior. Therefore, an agent should make the same on/off decision for a specific sensor following all traces of events that look the same to that agent. However, for dynamic sensor activation, the intricate part is that, at the same time, the agent s observation of that event trace depends on how sensors have been activated so far. The work in Thorsley and Teneketzis (2007) captures this mutual dependency by defining an information state associated with sensor activation policies. The formulation of the sensor activation problem in Cassez and Tripakis (2008) is based on safety 2-player games and weighted automata. However, the approach in Cassez and Tripakis (2008) has double exponential worst-case complexity with respect to the state space of the system; the approach in Thorsley and Teneketzis (2007) has exponential worst-case complexity with respect to the cardinality of the set of all event traces of the system. Moreover, these works did not address the problem of sensor activation for codiagnosability of decentralized systems. We formulate the problem of dynamic sensor activation in a different manner from prior works where a trade-off between computational cost and refinement of the solution space is captured. Recently, algorithms that are of polynomial complexity in the state space representation of the system for calculating minimal sensor activation policies were presented in Wang, Lafortune, and Lin (2008c) for preserving observability in controlled discrete event systems. In this paper, we investigate a similar problem, but for event diagnosis. Our results are presented for centralized systems first and, then, extended to decentralized systems. The solution space in Wang et al. (2008c) is fixed by the transition structure of the automaton modeling the system. A significant difference with the work in Wang et al. (2008c) is the introduction in this paper of the notions of language partitions and window partitions for characterizing the search space over which optimal sensor activation policies are to be searched. This leads to the formulation of scalable algorithms for minimizing sensor activation while ensuring that diagnosability of the centralized system or codiagnosability of the decentralized system is preserved. More importantly, the use of language-based partitions permits to present the main algorithms of this paper without specifying the modeling formalism; the use of window partitions in automata models allows the relationship between the size of the solution space and the size of the problem to be treated as an input to the algorithms. These new techniques make it possible for the algorithms to be adjusted upon different hardware and software environments, and upon the size of the problem. Running algorithms over a finer solution space can result in a better solution, but at the price of more computational effort. For fixed computational resources, it achieves a desirable balance between high solution accuracy and fast processing time. We borrow some features from the communication problems and sensor activation problem described in Wang et al. (2008a), Wang et al. (2008b) and Wang et al. (2008c) for the current problem setting. The notion of feasibility is used to capture the consistency between the agent s observation of the system and its decisions on sensor activation. The optimality criterion is a logical one: a sensor activation policy is optimal (minimal) if any less sensor activations during the dynamic evolution of the system renders a correct solution incorrect. In the context of this work, incorrectness means that diagnosability or codiagnosability is lost. Note that we need to generalize the notion of diagnosability from the context of sets of observable events, as it appears in prior works starting with Sampath, Sengupta, Lafortune, Sinnamohideen, and Teneketzis (1995), to the present context of observable event occurrences. In recent work to be published separately, we have established that the problem of sensor activation for preserving coobservability is transformable to the problem for preserving codiagnosability; it remains an open problem to determine if such a transformation exists for the other direction. Hence, the results of this paper are applicable for solving the problem of preserving coobservability in decentralized control. This paper is organized as follows. Section 2 presents the precise description of our sensor activation model and its relation to the properties of diagnosability and codiagnosability, together with key technical results about monotonicity of diagnosability and codiagnosability with respect to sensor activation. In Section 3, we specialize the problem to the computation of sensor activation policies over a finite search space delimited by a partition of the language model of the system. We first present a general class of language partitions and then specialize this class to socalled window partitions based on automata representations of the language model. Sections 4 and 5 present our algorithms and examples for computing minimal sensor activation policies over a given window partition in order to achieve diagnosability for a centralized system and codiagnosability for a decentralized system respectively. Section 6 concludes the paper. A preliminary and partial version of the results in Sections 3 and 4, without proofs, was presented in Wang, Lafortune, Girard, and Lin (2009). 2. Sensor activation for event diagnosis 2.1. Sensor activation model We first present a general language-based model for sensor activation during the evolution of the system. We assume that the system behavior is described by a prefix-closed language L over event set E. Given a language L with the set of events E and the set of agents A = {1,..., M}, for m A, E o,m is the subset of E whose occurrences can be potentially observed by agent m, and E uo,m = E \E o,m is the subset of E whose occurrences can never be observed by agent m. An occurrence of event e E o,m is observed by agent m only if the sensor for event e is active for agent m at the time of that occurrence. Definition 1. For m A, the set of observable events whose sensors are activated at a given time in the evolution of the system is described by the sensor activation mapping ω m : L 2 E o,m such that, for e E and trajectory se L, e is observed by agent m after s iff e ω m (s). Notation. The overall policy of the system is denoted by ω = [ω 1,..., ω M ]. For trajectory s L and m A, θ ω m (s) is used to capture the observation of s by agent m. Definition 2. Given ω m, we use mutual induction to define the information mapping θ ω m : L E o,m for agent m as follows. For the empty trace ɛ, θ ω m (ɛ) = ɛ. For trace se L, { θ ω m θ ω m (s)e if e ω (se) = m (s) θ ω m (s) otherwise. In words, after the occurrence of s, the next event e is known to agent m iff the sensor for e is active for agent m after the occurrence of s. Example 1. Let s = aee and L = {ɛ, a, ae, aea, aee} with ω m (ɛ) =, ω m (a) = {e}, and ω m (ae) = {a}. Then, θ ω m (aee) = e. Notation. The overall information mapping of the system corresponding to ω is denoted by θ ω = [θ ω 1,..., θ ω M ]. Definition 3. Given a language L, an agent m A, and a sensor activation policy ω m, the set of confusable trace pairs in L for agent

3 W. Wang et al. / Automatica 46 (2010) m, denoted by T conf (ω m ), is defined as T conf (ω m ) = {(s, t) L L : θ ω m (s) = θ ω m (t)}. By definition T conf (ω m ) is reflexive and symmetric. In the examples of this paper, we will only list element (s, t) and omit (t, s) for the sake of brevity. Example 2. The set of confusable trace pairs in Example 1 is T conf (ω m ) = {(ɛ, a), (ae, aee)} {(t, t) : t L}. To guarantee feasibility of ω m in practice, it is required that any two traces of events that are indistinguishable to agent m must be followed by the same activation decision for the same event for agent m. Namely, activation policy ω m must be compatible with the information mapping θ ω m that is built from it. Definition 4. ω m is said to be feasible if ( e E)( se, s e L)θ ω m (s) = θ ω m (s ) [e ω m (s) e ω m (s )]. Clearly, each of ω m, m A, needs to be feasible. Therefore, we say the overall policy of the system ω = [ω 1,..., ω M ] is feasible if ω m is feasible for all m. In the case of centralized systems, we use ω and E o to denote the sensor activation mapping and the set of observable events for the unique agent in the system, respectively. Then, correspondingly, θ ω is the information mapping and E uo is the set of unobservable events for the agent. For a prefix-closed language L L, we define ω m L = ω m (L 2 E o ), where ω m (L 2 E o ) means that we are restricting ω m to the smaller domain of the prefix-closed sublanguage L. Accordingly, we define the information mapping θ ω m L = θ ω m (L E o ), where θ ω m (L E ) o means that we are restricting θ ω m to the smaller domain of the prefix-closed sublanguage L. ω m L is said to be feasible if ( e E)( se, s e L )θ ω m L (s) = θ ω m L (s ) [e ω m L (s) e ω m L (s )]. Clearly, if ω m is feasible, then ω m L is also feasible. Feasibility is used to capture the interdependence of the agent s observation of the system and the sensor activation policies. That is, in general, the determination of when to activate sensors depends on the observation of the system, and at the same time it also affects the observation of the system. An example that illustrates such interdependency is given as follows. Notation. The prefix-closure of trace s is denoted by PC(s); PC(s) = {u E : ( v E ) uv = s}. Example 3. The system is modeled by the regular expression L = PC[(e + ɛ)(ae) ]. Let E = E o = {a, e}. The agent can always freely choose to deactivate the sensor for any one but exactly one event occurrence for either a or e, and it is easy to verify that these policies are feasible. Now, suppose the agent initially deactivates the sensor for e (after empty trace ɛ). Consequently, the agent cannot distinguish traces ɛ and e. By feasibility, such ambiguity precludes the agent from using different policies for the occurrence of a after traces (ae) n and e(ae) n, and e after traces (ae) n a and e(ae) n a, where n N. Moreover, if the agent further deactivates the sensor for a after trace ɛ, then, by feasibility, it has to deactivate sensors for all occurrences of all events. Notation. For m A, given two sensor activation mappings ω m and ω m, ω m ω m means that, for all s L, ω (s) m ω m (s), while ω m ω m means that ω m ω m and there exists s L, such that ω (s) m ω m (s). ω m = ω m ω m means that, for all s L, ω m(s) = ω m (s) ω m (s). (1) Correspondingly, ω ω means that, for all m A, ω m ω m ; and ω ω means ω ω and ω m ω m for at least one of m A. Given two vectors of sets Ā = [A 1,..., A N ] and Ā = [A,..., 1 A N ], Ā Ā means that, for all n = 1,..., N, A n A n ; and Ā Ā means that Ā Ā and, there exists n {1,..., N}, A n A n Event diagnosis with information mappings In the context of sensor activation, an agent no longer observes an occurrence of an observable event unless the corresponding sensor is activated when such an event happens. Whenever a sensor activation policy is given, the agent s observation of the system is captured by a corresponding information mapping, as stated in Section 2.1. We extend the standard definition of diagnosability of discrete event systems to account for information mappings. Let E F E uo denote the set of fault events that must be diagnosed. The objective is to identify the occurrence, if any, of the fault events, while tracking the observable traces generated by the system. For such a purpose, the set of fault events is partitioned into disjoint sets corresponding to different fault types: E F = E f1 E fl. We denote this partition by Π F. Hereafter, the meaning of a fault of type f i has occurred is that some event in the set E fi has occurred. We use common notations: s Ψ (f i ) denotes that the last event of s L is a fault event of type f i ; L/s denotes the postlanguage of L after s, i.e. L/s = {t E : st L}; E fi s denotes that PC(s) Ψ (f i ). In the context of a given information mapping θ constructed from an ω or otherwise, the definition of diagnosability in Sampath et al. (1995) is used to capture whether or not, for any trace in the system which contains any type of fault events, the diagnostic agent is able to distinguish that trace from traces without that type of fault events within finite delay, which is restated as follows. We assume that L is live, i.e., (( s L, n N) t E ) t = n st L. Definition 5. A prefix-closed and live language L is said to be diagnosable with respect to θ and Π F on E F if the following holds: ( E fi Π F ) ( k i N) ( s Ψ (f i )) ( t L/s)[ t k i D] where the diagnosability condition D is ( µ L) θ(µ) = θ(st) E fi µ. A prefix-closed and live language L is said to be diagnosable with respect to ω if it is diagnosable with respect to θ ω. Codiagnosability is an extension of diagnosability to a system with M distributed diagnosers. It says that for any trace in the system which contains any type of fault events, at least one diagnoser can distinguish that trace from traces without that type of fault events within finite delay. Given a system with M diagnosers, let θ m be the information mapping for diagnoser m. The definition of codiagnosability is as follows. Definition 6. A prefix-closed and live language L is said to be codiagnosable with respect to information mapping vector θ, and Π F on E F if the following holds: ( E fi Π F ) ( k i N) ( s Ψ (f i )) ( t L/s) [ t k i D c ] where the codiagnosability condition D c is ( m A)( µ L) θ m (µ) = θ m (st) E fi µ. A prefix-closed and live language L is said to be codiagnosable with respect to ω = [ω 1,..., ω M ] if it is codiagnosable with respect to θ ω = [θ ω 1,..., θ ω M ]. Example 4. In a two-agent system, let L = PC(ae(f + ad)(ac) + af (ad) ) and E F = {f }. Suppose that the information mapping of

4 1168 W. Wang et al. / Automatica 46 (2010) agent 1 is given by θ ω 1 (aef (ac) ) = e, θ ω 1 (aead(ac) ) = e, and θ ω 1 (af (ad) ) = d; the information mapping of agent 2 is given by θ ω 2 (aef (ac) ) = c, θ ω 2 (aead(ac) ) = d, and θ ω 2 (af (ad) ) = d. It can be verified that a feasible sensor activation policy ω 1 and ω 2 can be uniquely determined by such θ ω 1 and θ ω 2. By definition of codiagnosability, the system is codiagnosable Monotonicity of codiagnosability in sensor activation In this section, we formally analyze the properties of sensor activation for preserving codiagnosability. The first theorem below establishes the monotonicity of feasible sensor activation policies and the second theorem discusses the union of two feasible policies. Theorem 1. Given a prefix-closed language L with two sensor activation policies ω and ω, if ω and ω are both feasible, i.e., they both satisfy (1), then ω ω T conf (ω ) T conf (ω ). Theorem 2. Consider a prefix-closed language L and two feasible sensor activation policies ω and ω for it. Then, ω = ω ω is also feasible. Proofs of Theorems 1 and 2 are omitted here since they resemble Theorems 1 and 2 in Wang et al. (2008c). The following theorem states that monotonicity holds for codiagnosability under feasible sensor activation policies. Theorem 3. Let sensor activation policies ω and ω be feasible and ω ω. Then, L is codiagnosable under ω implies L is codiagnosable under ω. Proof. For m A, let θ ω m and θ ω m be the information mapping corresponding to ω m and ω m respectively. Since L is codiagnosable under ω, by definition, we have ( i Π F ) ( k i N) ( s Ψ (f i )) ( t L/s)[ t k i ( m A)[(( µ L)E fi µ)θ ω m (st) θ ω m (µ)]]. Let k = max(k 1,..., k m ). Then, ( i Π F )( s Ψ (f i ))( t L/s)[ t k ( m A)[(( µ L)E fi µ)θ ω m (st) θ ω m (µ)]]. Then, ( i Π F ) ( s Ψ (f i )) ( t L/s)[ t k ( m A)[(( µ L)E fi µ) (st, µ) T conf (ω m )]]. By definition, for each m A, the sensor activation mapping ω m only affects the information mapping θ ω m of agent m. Therefore, Theorem 1 is applicable to each individual agent m A. Since ω ω, we have, for all m A, ω m ω m. By Theorem 1, ( m A)T conf (ω ) m T conf(ω m ). Thus, ( i Π F ) ( s Ψ (f i )) ( t L/s)[ t k ( m A)[(( µ L)E fi µ)(st, µ) T conf (ω m )]]. We have, ( i Π F ) ( s Ψ (f i )) ( t L/s)[ t k ( m A)[(( µ L)E fi µ)θ ω m (st) θ ω m (µ)]]. Let k i = k, i = 1,..., m, we have ( i Π F ) ( k i N) ( s Ψ (f i)) ( t L/s)[ t k i ( m A)[(( µ L)E fi µ)θ ω m (st) θ ω m (µ)]] i.e., L is codiagnosable under ω. As a special case of Theorem 3, monotonicity holds for diagnosability under feasible sensor activation policies. 3. Language partitions for sensor activation To construct a finite solution space for the sensor activation problem, we present a method to partition a language into a finite number of subsets. A general language partition is presented first, followed by a window partition for an automaton model as a specific case General language partitions The definitions of ω and θ ω in Section 2.1 are language based. In such a model, for a system containing loops, the domain of our sensor activation policy is infinite. It is desirable to limit the richness of the sensor activation policy to a finite domain. For doing so, we partition the language L into a finite number of disjoint subsets, with the requirement that all traces within the same subset have the same last event. Then, we restrict the richness of possible sensor activation policies by requiring that all traces within each one of these subsets must have the same sensor activation decision regarding their common last event. We call such a partition a language-based partition (LBP). Given an LBP, computationally efficient algorithms can be constructed for optimizing the sensor activation policy. Even though the partition techniques are presented for a centralized system in this section, they are completely applicable to decentralized systems by treating each agent individually. Definition 7. Let be a partition of L (elements of are disjoint subsets of language L and the union of all them is L). Then, is an LBP if its elements δ j, j = 0, 1,..., m, satisfy the two properties: (1) δ 0 = {ɛ} and ; and (2) ( δ j \ {δ 0 })s, t δ j [s = s e t = t e] for some s, t L and e E. Definition 8. Given an LBP, we say that a sensor activation policy ω is -implementable if ( δ i \ {δ 0 })se, s e δ i [e ω(s) e ω(s )] (2) holds. Remark 1. In an LBP, traces in two different elements of can end with the same last event e. Correspondingly, the sensor activation decisions for that last event can be different for these two elements. Traditional event-based observations, in which all occurrences of an event are either all observable or all unobservable, are a special case of LBPs. Also note that -implementability does not imply feasibility. The choice of is a trade-off between the degree of refinement in capturing the system dynamics and the computational resources needed for solving the problem. With the restriction of LBP, a -implementable sensor activation policy, denoted by Ω, can be represented as a subset of as ( δ i \ {δ 0 })δ i Ω [( se δ i ) e ω(s)] where e E is the same last event of all traces in δ i. In other words, Ω ( \ {δ 0 }) is a set that collects all δ i, i = 1,..., n, in which the sensor is activated for the occurrences of the last event of all traces. For a given activation policy Ω, let ω be its corresponding language-based sensor activation policy inferred by (2), then, θ Ω is used to denote such θ ω. Given L and Ω, the set of confusable pairs T conf (Ω) of elements of is defined as T conf (Ω) = {(δ i, δ j ) : [( se δ i, s e δ j ) θ Ω (s) = θ Ω (s )] [δ i = δ 0 [( s e δ j )θ Ω (s ) = ɛ]] [δ j = δ 0 [( se δ i )θ Ω (s) = ɛ]] δ i = δ j = δ 0 }.

5 W. Wang et al. / Automatica 46 (2010) As for T conf, in T conf (Ω) we only list pair (δ i, δ j ) and omit (δ j, δ i ) in the examples below. By (2) for the constraints pertaining to -implementability, we can characterize the feasibility of Ω as follows. Ω is feasible iff ( δ i, δ j )[( se δ i s e δ j )θ Ω (s) = θ Ω (s )] [δ i Ω δ j Ω]. Given policy Ω, Ω Ω is called a subpolicy of Ω. We define the unobservable reach of δ k under Ω, denoted by UR(δ k, Ω), to be UR(δ k, Ω) = {δ l : (( se, ste L)se δ k, ste δ l ) θ Ω (s) = θ Ω (st)}. In words, UR(δ k, Ω) is a subset of whose elements δ l contain a trace, say ste for some e E, that extends another trace s with se δ k such that, after s, t is unobservable. In the case where e = e, by (1) for feasibility, we need to have the same sensor activation policy for e after traces s and s = st. For any given -implementable sensor activation policy with respect to LBP, the following theorem states that, among all of its feasible and -implementable subpolicies, there is a policy which is a global maximum. Theorem 4. Consider a language L with LBP and a sensor activation policy Ω. Let Ω i, i = 1,..., k be all feasible sensor activation subpolicies of Ω. Then Ω F = k Ω i=1 i exists and is the maximum feasible subpolicy of Ω. That is, for all feasible Ω with Ω Ω, we have Ω Ω F. Furthermore, its corresponding set of confusable trace pairs is T conf (Ω F ) = k T i=1 conf(ω i ). Proof. Since is finite, so is the number of feasible sensor activation policies. It is obvious that the sensor activation policy Ω = is feasible. Therefore, Ω F = k Ω i=1 i exists. Since Ω i, i = 1,..., k are feasible, so are their corresponding language-based policies ω i. By repeatedly applying Theorem 2, Ω F is feasible. Since Ω i, i = 1,..., k, represent all feasible sensor activation policies as subsets of Ω, we have Ω Ω F for all feasible Ω with Ω Ω. Since Ω F is feasible and Ω F for all i = 1,..., k. = k Ω i=1 i, we have Ω F Ω i By Theorem 1, we have T conf (Ω F ) T conf (Ω i ) for all i = 1,..., k. Thus, T conf (Ω F ) k T i=1 conf(ω i ). Since Ω F is feasible, we have Ω F {Ω i : 1 = 1,..., k}. Thus, T conf (Ω F ) {T conf (Ω i ) : 1 = 1,..., k}. In turn, T conf (Ω F ) k i=1 T conf(ω i ). Therefore, T conf (Ω F ) = k i=1 T conf(ω i ). Remark 2. In DES, partial observation problems are most commonly investigated for languages that are modeled by automata. In the next subsection, we investigate a specific partition method for this model and present an algorithm for calculating the maximum feasible subpolicy in Section 4.3. However, LBP is a general notion without any restriction of modeling formalism. Consequently, the main algorithms for optimizing sensor activation in Sections 4.2 and 5.2 are applicable to any modeling formalism in DES. However, finding suitable partition methods and calculating maximum feasible subpolicies for modeling formalisms other than automata remain open problems Window partitions for automata models The deterministic finite-state automaton model of an untimed discrete event system is described as G = (X, E, φ, x 0 ), where X is the finite set of states, E is the finite set of events, φ : X E X is the transition function where φ(x, e) = y means that there is a transition labelled by event e from state x to state y, and x 0 is the initial state. φ is extended to X E in the usual way: for se L(G) and e E, φ(x 0, se) = φ(φ(x 0, s), e). L(G) is used to denote the language generated by G. By taking advantage of the state representation provided by the automaton, we present a new method to partition language L(G), resulting in window partitions that will be denoted by w hereafter. The name window comes from the fact that, for any element δ i w, whether a trace s δ i or not is determined by both the state reached before the last event in s and the suffix of the last n event occurrences of s. The motivation for this type of partition comes from the fact that current state and the most recent event occurrences are important in practice. Definition 9. A finite partition w = g s of L(G) is called a window partition if (1) All elements δ(t, x, e) of g satisfy [( ste L(G))φ(x 0, st) = x ste δ(t, x, e)] [( t E )[t = t t t ɛ] δ(t, x, e) g ]. (2) Every trace in L(G) whose length exceeds a certain number must belong to an element in g. Formally, [( n N)( e E)( se L(G))[ se n [( δ(t, x, e) g ) te n se δ(t, x, e)]]]. (3) In g, an upstream element δ(t, x, e) relates to a downstream element δ(s, y, a) as follows. ( δ(t, x, e), δ(s, y, a) g )[( we δ(t, x, e))( ra E ) wera δ(s, y, a)] [( w e δ(t, x, e))w era δ(s, y, a)]. (4) ɛ s and other elements of s satisfy ( e E)( ue L(G))[[( δ(t, x, e) g ) ue δ(t, x, e)] {ue} s \ {ɛ}]. Window partitions capture both the current state x and the suffix t of the trace of events for the purpose of the sensor activation decision of the next event e by defining δ(t, x, e) g. The length te is called the window size. Condition 3 is always achievable by further partitioning the upstream elements of g. It provides a type of nested structure for calculating the maximum feasible subpolicy in Section 4.3. The next theorem shows how each condition in Definition 9 relates to properties of the partition. Theorem 5. Window partition w of L(G) is well defined. Moreover, it is an LBP. Proof. By condition 1, all elements in g are disjoint. By condition 2, since w is less than two times the number of all possible traces in E with length less than or equal to n, w is finite. For condition 3, since we δ(t, x, e) and wera δ(s, y, a), we have, for all w e δ(t, x, e), φ(x 0, w era) = φ(φ(x 0, w ), era) = φ(φ(x 0, w), era) = φ(x 0, wera). Thus, we have w era L(G) and, in turn, condition 3 is violated only if sa > tera, that is sa = ztera for some z ɛ. But, this can always be resolved by splitting upstream elements δ(t, x, e) g a finite number of times by increasing the length of t. By condition 4, the union of all elements in w is L(G). Also by condition 4, all elements in s are disjoint and every element in g is disjoint with every element in s. We conclude that w is a finite partition of L(G), which means it is well defined. For condition 1 of LBP, by condition 4, we have {ɛ} w. We consider condition 2 of LBP. For all δ(ue) s, δ(ue) is a singleton. Otherwise, by condition 1, traces in the same element in g must have the last event in common. Hence, we conclude that w is an LBP. Remark 3. For all δ(t, x, e) g, if te = n is a fixed number, the window partition in this paper is the same as the n-window- Partition in Wang et al. (2009). We introduce the flexibility of having different lengths te for different δ(t, x, e) g so that the partition can be done according to other criteria, such as the cost of activating a specific sensor for instance.

6 1170 W. Wang et al. / Automatica 46 (2010) Fig. 1. Example for window partition. Notation. In all examples in this paper, (t, x, e) is used to denote δ(t, x, e) g ; (x, e) is used to denote (ɛ, x, e). Example 5. Consider system G in Fig. 1. A window partition for L(G) is w = {{ɛ}, {e}, (0, f ), (0, d), (2, a), (3, e), (4, b), (5, c), (b, 0, e), (f, 1, a), (c, 1, a)}. Another LBP of L(G) is = {{ɛ}, (0, f ), (0, d), (2, a), (fa, 3, e), (ca, 3, e), (4, b), (5, c), (0, e), (1, a)}. This is not a window partition because (fa, 3, e), (ca, 3, e) and (1, a) violate condition 3 in Definition 9. This can be resolved by splitting (1, a) into (f, 1, a) and (c, 1, a). Even though window partitions are a special case of LBPs, in fact, window-partition-based w -implementability generalizes the transition-based implementability condition in Wang et al. (2008a), Wang et al. (2008b) and Wang et al. (2008c). Such a generalization allows a trade-off between the amount of computation and the achievable quality of the solution. For fixed computational resources, this technique ensures a desirable balance between high solution accuracy and fast processing time. 4. Optimization for centralized systems For the sake of readability, we present our results for centralized systems first. Their extension to decentralized systems is covered in Section Problem statement The problem formulation for dynamic sensor activation for centralized systems is as follows. Given a language L together with an LBP, a specification of sets of fault events E F = E f1 E fl, and a set of observable events E o E for the agent, suppose that under Ω = {δ i : ( se δ i ) e E o }, the full-activation policy, the system is diagnosable. Goal: Find a sensor activation policy Ω such that: (1) Ω is feasible and, under Ω, the system is diagnosable. (2) Ω is minimal, i.e., there is no other feasible Ω Ω under which the system is diagnosable. The goal of this minimization problem is to calculate any sensor activation policy that is a minimal solution. We do not address the selection of one minimal solution over another. This is usually application dependent and can be addressed in a second stage, after the above problem has been solved. In this regard, it is imperative to develop effective algorithms for calculating minimal solutions, which is the topic of the next two subsections Main algorithm for minimization of sensor activation We present Algorithm Min-Sen-Diag for finding a minimal sensor activation policy Ω that preserves diagnosability. For the sake of generality, we present this algorithm in the context of LBPs. Algorithm Min-Sen-Diag: Input: Language L, partition, set of observable events E o, and sets of fault events E fi, i = 1,..., l. Step 0: Initialization. Set D = and Ω = {δ k : ( se L) se δ k e E o }. Step 1: Find a δ k with δ k Ω but δ k D. Set Ω Ω \ {δ k }. Calculate the maximum feasible subpolicy Ω F of Ω. Step 2: If D Ω F, test diagnosability for policy Ω F. If D Ω F or the test fails, set D D {δ k }. Otherwise, set Ω Ω F. Step 3: If Ω D, go to Step 1. Otherwise set Ω Ω and stop. Output: Minimal sensor activation policy Ω. Algorithm Min-Sen-Diag always tries to remove a δ k Ω with δ k D from Ω. The two key properties used in the algorithm are the existence of unique maximum feasible subpolicy Ω F and the monotonicity property of sensor activation for diagnosability. Consequently, if Ω F violates diagnosability by either failing the test directly or removing some elements already in D, no feasible subpolicy of Ω will meet the diagnosability test. We can safely put δ k into D because it cannot be removed later on. Theorem 6. The output of Algorithm Min-Sen-Diag is a solution Ω of the problem stated in Section 4.1. Proof. Since D = in Step 0 and all elements being added into D are in Ω, we always have D. For each iteration, the algorithm takes an element that belongs to Ω, but not to D, for potential removal. It is either removed or saved into D. Hence, D is the set of δ k we tried to remove but failed. Since Ω is finite and upper bounded by, eventually, we have Ω = D. From the algorithm, Ω is feasible and the system is diagnosable under Ω. Therefore, we only need to show that the output of Min-Sen-Diag is a minimal solution. Suppose that δ k Ω and D corresponds to Ω ; since D = Ω, we have δ k D. Therefore, at some time when Ω Ω, we tried to remove δ k from Ω but failed. Theorem 4 guarantees that there exists a maximum feasible sensor activation policy Ω F Ω = Ω \ {δ k }. We have either D Ω F but testing of diagnosability under policy Ω F failed or there exists a δ l ( \ Ω F ) D for some δ l with δ l δ k. In the first case, since Ω Ω, for any feasible Ω Ω with δ k Ω, we have Ω Ω F. By Theorem 3, we conclude that the system is not diagnosable under the policy Ω. In the second case, since δ l D when we tried to remove δ k, we tried to remove δ l from some Ω 1 at some time before trying to remove δ k. Thus, Ω 1 Ω (Ω is the policy right before trying to remove δ k.) Let the maximum feasible subpolicy of Ω 1 \ {δ l } be Ω 1 F. Since δ l ( \ Ω F ) D, we have δ l Ω F. Hence, also by Ω 1 Ω, we have Ω 1 F Ω F. By Theorem 3, we have that the system under policy Ω 1 F is not diagnosable implies that the system under policy Ω F is not diagnosable. Suppose D 1 corresponds to Ω 1 right before removing δ l. We have D 1 (D \ {δ l }). It implies that D 1 D 1. Let the policy before each iteration be Ω i. Let D i correspond to Ω i right before the ith iteration. By repeating the previous argument, we have D i D i. Since D is a finite number and D i 0, within at most iterations, we must end up with the first case and conclude that Ω F is not diagnosable. Since δ k Ω was arbitrary, the proof is completed. The number of iterations of Algorithm Min-Sen-Diag is upper bounded by. The overall complexity for the algorithm is also dependent on its two subroutines regarding: (i) the verification of diagnosability and (ii) the calculation of the maximum feasible subpolicy. It is at this point that we specialize LPBs to the case of window partitions obtained from automaton models.

7 W. Wang et al. / Automatica 46 (2010) We have solved the problem of verification of diagnosability with respect to information mappings and developed algorithms in the case of window partitions. These algorithms are of polynomial complexity in the size of the window partitions. These results are of independent interest. They can be obtained by generalizing the results in Wang, Girard, Lafortune, and Lin (2009). In the remainder of this section, we present an algorithm for calculating the maximum feasible sensor activation policy in the case of a window partition Maximum feasible subpolicy for window partitions Consider language L and an LBP. For any -implementable sensor activation policy Ω, by Theorem 4, there always exists a maximum feasible subpolicy Ω F of Ω such that any feasible subpolicy of Ω is a subpolicy of Ω F. However, the calculation of Ω F depends on how the language L is partitioned. This is certainly a design issue that depends on the modeling formalism chosen for language L. The guideline is that a reasonable class of partitions should balance the computational effort for solving the problem with the desirable degree of refinement of the final solution. For this purpose, we focus on the case of window partitions. For window partitions, the maximum feasible sensor activation policy Ω F of policy Ω can be found by Algorithm F-Window as follows. Algorithm F-Window Input: Automaton G, sensor activation policy Ω, and window partition w. Step 0: Initially, set ˆΩ Ω and T {(δ i, δ i ) w w }. Step 1: Recursively set T T {(δ i, δ j ) w w : ( (δ k, δ l ) T) δ i UR(δ k, ˆΩ) δ j UR(δ l, ˆΩ)} (3) T T {(δ i, δ j ) w w : ( (δ k, δ l ) T)( se δ k, te δ l )( see, tee L(G))[see δ i tee δ j ]} (4) ˆΩ ˆΩ \ {δ k ˆΩ : ( δ l w \ ˆΩ)( se, te L(G)) [(δ l, δ k ) T] [se δ l te δ k ]}. (5) Repeat this step until ˆΩ and T have converged. Step 2: Then, set Ω F ˆΩ and T conf (Ω F ) T. Output: The maximum feasible sensor activation policy Ω F of policy Ω and the corresponding T conf (Ω F ). Every iteration of Algorithm F-Window preserves invariants T T conf (Ω F ) and ˆΩ Ω F. Since ˆΩ Ω F, executing (3) and (4) does not change invariant T T conf (Ω F ). Since elements in ˆΩ are removed in accordance with T in (5), T T conf (Ω F ) preserves ˆΩ Ω F after executing (5), which ensures T T conf (Ω F ) in the next iteration. The algorithm stops when none of T or ˆΩ changes by executing (3) (5), by which the feasibility condition is satisfied. Since ˆΩ Ω F is always true, ˆΩ is the maximum feasible subpolicy when the algorithm stops. This intuitive argument is formalized in the proof of Theorem 7 below. To justify Algorithm F-Window we need to characterize the relationship between feasibility and T conf. Lemma 1. Ω is feasible if, for arbitrary δ k, δ l with some se δ k and te δ l for some e E, (δ k, δ l ) T conf (Ω) (δ k Ω δ l Ω). Proof. The proof follows directly from the definition of T conf and feasibility. Theorem 7. For a given system G, let Ω be a sensor activation policy corresponding to window partition w. Then, the output Ω F of Algorithm F-Window satisfies Theorem 4, i.e., it is the maximum feasible sensor activation policy of all feasible and w -implementable policies Ω that satisfy Ω Ω. Furthermore, the output T conf (Ω F ) is the set of pairs of confusable elements in w under Ω F. Proof. By Step 0, initially we have Ω F ˆΩ Ω and T = {(δ i, δ i ) w w } T conf (Ω F ). We show that, if ˆΩ Ω F, iteration of (3) in Step 1 preserves the invariant T T conf (Ω F ) as follows. Assume that T T conf (Ω F ), and δ i, δ j w such that, there exists (δ k, δ l ) T, δ i UR(δ k, ˆΩ) and δ j UR(δ l, ˆΩ). Since T T conf (Ω F ), we have (δ k, δ l ) T conf (Ω F ). Therefore, under Ω F, there exists se, s e L(G), such that θ Ω F (s) = θ Ω F (s ) with se δ k and s e δ l for some e, e E. By (3), since δ i UR(δ k, ˆΩ), δ j UR(δ l, ˆΩ), and ˆΩ Ω F, there exists teua, t e u a L(G) such that te δ k and t e δ l and teua δ i and t e u a δ j for some a, a E with θ Ω F (teu) = θ Ω F (t) and θ Ω F (t e u) = θ Ω F (t ). Then, by definition of window partition, if δ k s, we have te = se; otherwise, δ k g. In both cases, by condition 3 of window partition, we have seua δ i. For the same reason, s e u a δ j. Let eua = u 1 u 2. Start with u 1 = 1 and increment it to eua. Recursively, by (3), we have su 1, tu 1 δ m for some δ m w. By (2) for the definition of the -implementability condition and θ Ω F (teu) = θ Ω F (t), at the same time we have θ Ω F (su 1 ) = θ Ω F (s) for u 1 = 1,..., eu. Thus, θ Ω F (seu) = θ Ω F (s). By the same reason, θ Ω F (s e u ) = θ Ω F (s ). Then, θ Ω F (seu) = θ Ω F (s) = θ Ω F (s ) = θ Ω F (s e u ). Then, we have (δ i, δ j ) T conf (Ω F ). We show that iteration of (4) in Step 1 preserves the invariant T T conf (Ω F ) as follows. Assume that T T conf (Ω F ) and δ i, δ j w such that there exist (δ k, δ l ) T and se, see, te, tee L(G) such that se δ k and te δ l and see δ i and tee δ j. Then, we have (δ k, δ l ) T conf (Ω F ). Therefore, under Ω F, there exists s e, t e L(G), such that θ Ω F (s ) = θ Ω F (t ) with s e δ k and t e δ l. Thus, by condition 3 of window partition, s ee δ i. For the same reason, we have t ee δ j. Since (δ k, δ l ) T conf (Ω F ), by feasibility, we have either δ k, δ l Ω F or δ k, δ l Ω F. In both cases, we have θ Ω F (s e) = θ Ω F (t e). Therefore (δ i, δ j ) T conf (Ω F ). We show that, if T T conf (Ω F ), iteration of (5) preserves the invariant Ω F ˆΩ Ω. Assume that Ω F ˆΩ Ω, and δ k, δ l w such that there exist se δ k and te δ l such that (δ l, δ k ) T and δ l ˆΩ. Since ˆΩ Ω F and δ l ˆΩ, we have δ l Ω F. Since (δ k, δ l ) T and T T conf (Ω F ), we have (δ k, δ l ) T conf (Ω F ). se δ l and te δ k imply that all traces in δ l and δ k end with the same event e. Therefore, by Lemma 1 for feasibility, δ k Ω F. Therefore, in iterations of Step 1, we always have T T conf (Ω F ) and Ω F ˆΩ Ω. The amount of iterations of Step 1 in Algorithm F-Window is upper bounded by Ω + T conf (Ω F ), which is further upper bounded by w + w 2. Since the bound is finite, the algorithm will go to Step 2 and stop within a finite number of iterations. Algorithm F-Window stops when its calculations are exhausted. Therefore, before going to Step 2, there is no change of ˆΩ by the last iteration of Step 1. We denote that ˆΩ by ˆΩ. Thus, under ˆΩ, we have ( (δ k, δ l ) T) δ i UR(δ k, ˆΩ ) δ j UR(δ l, ˆΩ ) (δ i, δ j ) T ( δ k, δ l w )(δ k, δ l ) T [( se δ k, te δ l ) ( e, e E)see δ i, tee δ j ] (δ i, δ j ) T and (6) (7)

8 1172 W. Wang et al. / Automatica 46 (2010) ( δ k, δ l w )( se δ k, te δ l )δ l ˆΩ (δ k, δ l ) T δ k ˆΩ. (8) We show that T conf ( ˆΩ ) T as follows. Let (δ i, δ j ) T conf ( ˆΩ ). Then, there are two traces se, te L(G), such that se δ i and te δ j with θ ˆΩ (s) = θ ˆΩ (t). Let θ ˆΩ (s) = θ ˆΩ (t) = e 1 e 2 e 3 e n with e i E, i = 1,..., n. We can write s = s 0 e 1 s 1 e 2 s n 1 e n s n with θ ˆΩ (s 0 e 1 s k 1 e k s k ) = θ ˆΩ (s 0 e 1 s k 1 e k ) = e 1 e k and t = t 0 e 1 t 1 e 2 t n 1 e n t n with θ ˆΩ (t 0 e 1 t k 1 e k t k ) = θ ˆΩ (t 0 e 1 t k 1 e k ) = e 1 e k for k = 0,..., n, for some s k, t k E. By Step 0, (δ l, δ l ) T conf ( ˆΩ ) for all δ l w. Let s = k s 0e 1 s 1 e 2 s n 1 e k and t = k t 0e 1 t 1 e 2 t k 1 e k. Let s k δ k and t k δ k. Repeatedly applying (6) and (7), we have (δ, k δ ) k T, k = 1,..., n, and, finally, (δ i, δ j ) T. Since (δ i, δ j ) T conf ( ˆΩ ) is arbitrary, we have T conf ( ˆΩ ) T. Since T conf ( ˆΩ ) T, by (8), we have ( δ k, δ l w )( se δ k, te δ l )δ l ˆΩ (δ k, δ l ) T conf ( ˆΩ ) δ k ˆΩ. Therefore ˆΩ is feasible. But from the previous argument we have maintained ˆΩ Ω F and, thus, ˆΩ Ω F. Therefore ˆΩ = Ω F. We have T conf (Ω F ) T T conf (Ω F ). Thus, T conf (Ω F ) = T. We note that the number of iterations of Algorithm F- Window is upper bounded by the size of T conf plus the size of Ω F. It is further upper bounded by w 2 + w Illustrative examples In this section, we illustrate how Algorithm Min-Sen-Diag and Algorithm F-Window proceed by examples. We consider for simplicity the case of 1-window-partitions in Examples 6 and 7. In this case, the set of transitions of G is the space over which optimization is performed, i.e., for w = g s, s = and, for all δ(t, x, e) g, t = 0. Then, by expressing the solution of Example 7 in the window partition of Example 5 and reapplying Algorithm Min-Sen-Diag to it, we show that a refinement of the solution space improves the solution quality in Example 8. For window partitions defined on transitions of G, graphically we use square brackets to show that a transition is removed (i.e., the sensor for that transition is not activated) and use parentheses to show that a transition cannot be removed (i.e., the sensor for that transition must be activated). The subscripts outside the square brackets and parentheses are used to mark the order in which the transitions are examined. Therefore, suppose we are examining the nth transition; the current D is the set of all transitions within parentheses that have a subscript less than n, and the current Ω is set of all the transition of G minus all transitions within square brackets that have a subscript less than n. Notation. For (i, j) X X, (i, j) T means that, for all e, a E and for all (i, e), (j, a) such that φ(i, e) and φ(j, a) is defined, ((i, e), (j, a)) T. Example 6. Algorithm F-Window is illustrated as follows. Suppose the system is given by Fig. 1 as for Example 5. We consider 1-Window-Partition with Ω = {(0, e), (1, a), (2, a), (5, c)}. By Step 0, ˆΩ Ω, and T = {(x, x) : x X}. Recursively apply Step 1 as follows. By (3), set T = {(0, 1), (0, 5), (1, 5), (3, 4), (3, 0), (3, 1), (3, 5), (4, 0), (4, 1), (4, 5)} {(x, x) : x X}. By (4), T T {(2, 4)}. Since (3, 0) T, by (5), ˆΩ ˆΩ \ {(0, e)}. By (3), T T {(0, 2), (1, 2), (2, 5), (3, 2), (4, 2)}. Fig. 2. Illustrative example for Algorithm Min-Sen-Diag. T does not change this time by applying (4). By (5), ˆΩ does not change. Calculations are exhausted for Step 1. Finally, by Step 2, Ω F = {(1, a), (2, a), (5, c)}, and T conf (Ω F ) = {(0, 1), (0, 5), (1, 2), (1, 5), (2, 5), (3, 4), (3, 0), (3, 1), (3, 5), (4, 0), (4, 1), (4, 5), (0, 2), (3, 2), (4, 2)} {(x, x) : x X}. Example 7. This example illustrates Algorithm Min-Sen-Diag. Suppose the system is given by Fig. 1 as for Example 5. We consider window partition w = {(0, d), (0, e), (5, c), (1, a), (2, a), (3, e), (4, b)} first. Let f be the only fault event and the only unobservable event. The results of following iterations are also shown in Fig. 2. By Step 0, set D = and Ω = {(0, d), (0, e), (5, c), (1, a), (2, a), (3, e), (4, b)}. Iterate Step 1 to Step 2 for transitions (0, d) and, then, (3, e), we have Ω Ω \ {(0, d), (3, e)}. Try to remove (4, b). By Step 1, set Ω Ω \{(4, b)}. By the calculation of Example 6, corresponding Ω F = {(1, a), (2, a), (5, c)}. Go to Step 2. The system is not diagnosable under such Ω F. Set D D {(4, b)}. Try to remove (0, e), no further removal is caused. By Step 2, the system becomes not diagnosable. Set D D {(0, e)}. A removal of (1, a) will force us to remove (0, e). But (0, e) is already in D. Set D D {(1, a)}. By similar reasoning, set D D {(5, c)}. Iterate Step 1 to Step 3 for transition (2, a). We can find out that (2, a) is removable. By Step 3, we have Ω = {(0, e), (5, c), (1, a), (4, b)} = D. Set Ω Ω. We have Ω = {(0, e), (5, c), (1, a), (4, b)}. Example 8. If the partition in given by Example 5, the policy Ω equivalent to the minimal solution Ω from Example 7 is Ω = {{e}, (4, b), (5, c), (b, 0, e), (c, 1, a), (f, 1, a)}. Starting Algorithm Min-Sen-Diag with Ω, (c, 1, a) is removed and a minimal policy for this window partition is Ω = {{e}, (4, b), (5, c), (b, 0, e), (f, 1, a)}. The solution is improved by refining the solution space Complexity of Algorithm Min-Sen-Diag As a consequence of the iterative procedure in Algorithm Min- Sen-Diag and of Algorithm F-Window for the implementation of Step 1, we have the following result. Theorem 8. For a given window partition w, the problem formulated in Section 4.1 can be solved in worst-case polynomial time complexity with respect to both the cardinality of w and the cardinality of the event set E of G. Proof. Algorithm Min-Sen-Diag examines each δ i w at most once in the iterations. Therefore, the number of such iterations is upper bounded by the cardinality of the w of the system. Each iteration calls Algorithm F-Window once. The number of iterations of Algorithm F-Window is upper bounded by the size of Ω F plus the product of the size of T conf and the size of the

9 W. Wang et al. / Automatica 46 (2010) event set. It is further upper bounded by 2 w 2 E. Each iteration also verifies diagnosability once at Step 2; if the same strategy as in Wang et al. (2009) is adopted for verification, the computational efforts are no more than w 2 E. The amount of computation of Algorithm Min-Sen-Diag is the number of iterations times the summation of the amounts of computation in Step 1 and Step 2. In all, the order of the worst-case computational complexity for solving the problem in Section 4.1 by Algorithm Min-Sen-Diag is O( w 3 E ). Remark 4. As was mentioned earlier, if the window size te = n is fixed constant for all δ(t, x, e) g, w = g s is an n-window-partition as defined in Wang et al. (2009). In this case, we have w X E n+1. Accordingly, the worst-case computational complexity for Algorithm Min-Sen-Diag in terms of the state space and the event set is O( X 3 E 3n+4 ), which depends on n. However, the window partition defined in this paper allows different window sizes for different δ(t, x, e) g. Consequently, we can run Algorithm Min-Sen-Diag starting with small window size. Suppose Ω is the solution. Then, as in Example 8, we increase the window size to refine some elements in Ω whose sensor activation is deemed costly. After that, set Ω to be the refined Ω at Step 0 and rerun Algorithm Min-Sen-Diag. This procedure can be repeated several times to refine the solution. 5. Optimization for decentralized systems 5.1. Problem statement The problem formulation of sensor activation for decentralized systems is as follows. In a system with a set of agents A = {1,..., M}, the system dynamics are described by a language L. The specification of the sets of fault events is given by E F = E f1 E fl ; for agent m, m A, the LBP is m, and the set of observable events is E o,m E; let = [ 1,..., M ]; let Ω = [Ω 1,..., Ω M ], where Ω m is the sensor activation policy for agent m with respect to E o,m and m ; assume that if all sensors are always activated, i.e., for all m A, Ω m = {δ i m : ( se δ i ) e E o,m } the system is codiagnosable. Goal: Find a sensor activation policy Ω, where Ω such that: (1) Ω is feasible and, under Ω, the system is codiagnosable. (2) Ω is minimal, i.e., there is no other feasible Ω Ω under which the system is codiagnosable Main algorithm for minimization of sensor activation In this section, we present an algorithm, called Algorithm Min-Sen-Codiag, for finding a minimal sensor activation policy Ω that preserves codiagnosability, which solves the problem in Section 5.1. Algorithm Min-Sen-Codiag: Input: Language L, set of observable events E o,m and LBP m for each agent m A, and sets of fault events E fi, i = 1,..., l. Step 0: Initialization. Set Ω = [Ω 1,..., Ω M ] such that Ω m = {δ m,k m : ( se L) se δ m,k e E o,m } and, for all m A, set D m =. Step 1: For some m A with Ω m D m, pick a δ m,k m with δ m,k Ω m but δ m,k D m. Let Ω m Ω m \ {δ m,k }. Then, calculate the maximum feasible sensor activation policy Ω F m of all feasible subsets of Ω m. Set 1 Ω F = [Ω 1,..., Ω m 1, Ω F m, Ω m+1,..., Ω M ]. 1 Ω F is the result that changes Ω m to Ω F m in vector Ω. Step 2: If D m Ω F m, test codiagnosability for policy Ω F. If D m Ω F m, or if the system is not codiagnosable under Ω F, set D m D m {δ k }. Otherwise, set Ω Ω F. Step 3: If ( m A) Ω m D m, go to Step 1. Otherwise set Ω Ω. Then, stop. Output: Minimal sensor activation policy Ω. In Algorithm Min-Sen-Codiag, we attempt to remove each δ m,k from each Ω m in Ω one by one. Since the maximum subpolicy of a given policy is unique, if Ω cannot increase when running Algorithm Min-Sen-Codiag, then the maximum feasible subpolicy of the policy after δ m,k is removed from Ω m in Ω also cannot increase. By the monotonicity property of sensor activations for codiagnosability, the fact that δ m,k cannot be successfully removed from Ω m implies it cannot be removed later on. Theorem 9. The Algorithm Min-Sen-Codiag calculates the solution Ω of the minimization of sensor activation problem in Section 5.1. Proof. For each iteration, the algorithm takes an element that belongs to Ω m but not to D m to remove for an m A. It is either removed or saved into D m. Hence, D m is the set of δ m,l we tried to remove but failed. Since Ω is finite and upper bounded by, eventually, we have Ω m = D m for all m A. From the algorithm, we also know that Ω is feasible and the system is codiagnosable. Therefore, we only need to show that the solution from Min-Sen- Codiag is minimal. Suppose that δ m,k Ω m and D m corresponds to Ω m, since D = m Ω m, we have δ m,k D m. Therefore, at some time when Ω Ω, we tried to remove δ m,k from Ω m but failed. By definition, for each m A, the sensor activation mapping ω m only affects the information mapping θ ω m of agent m. Therefore, Theorem 4 guarantees that there exists a maximum feasible sensor activation policy Ω F m Ω m = Ω m \ {δ m,k }. We have either D m Ω F m but testing of codiagnosability under policy Ω F failed or D m Ω F m. In the former case, since Ω Ω, for any feasible Ω Ω with δ m,k Ω m, we have Ω Ω F. By Theorem 3, we conclude that the system is not codiagnosable under the policy Ω. In the latter case, there exists a δ m,l ( m \ Ω F m ) D m for some δ m,l m with δ m,l δ m,k. since δ m,l D m when we try to remove δ m,k, we try to remove δ m,l from some Ω 1 m in some Ω 1 at some time before trying to remove δ m,k. Thus, Ω 1 Ω. Let the maximum feasible subpolicy of Ω 1 m \{δ m,l} be Ω 1 F m. Since δ m,l ( m \ Ω F m ) D m, we have δ m,l Ω F m. Hence, by Ω 1 Ω, we have Ω 1 F Ω F. By Theorem 3, we have that the system under policy Ω 1 F is not codiagnosable implies that the system under policy Ω F is not codiagnosable. Suppose D 1 m corresponds to Ω 1 m right before trying to remove δ l. We have D 1 m D m \ {δ l }. It implies that D 1 m D m 1. Let D i m correspond to Ω i m right before the ith iteration. By repeating the previous argument, we have D i m D m i. Since D m m is a finite number and D i m 0, we must end up with the first case and conclude that Ω F is not codiagnosable within iterations. Since m A and δ m,k Ω m were arbitrary, the proof is completed. The number of iterations of Algorithm Min-Sen-Codiag is upper M bounded by m=1 m, where M is the number of local agents. The overall complexity for the algorithm is also dependent on its two subroutines. One is the calculation of maximum feasible subpolicy and another is the verification of codiagnosability. The Algorithm F-Window for calculation of maximum feasible sensor activation policy based on window partition was presented in Section 4.3, whereas the verifier for codiagnosability, as the one for diagnosability mentioned in Section 4.2, can be obtained by generalizing the result in Wang et al. (2009) and is not presented here.

10 1174 W. Wang et al. / Automatica 46 (2010) (a) For Diagnoser 1. (b) For Diagnoser 2. Fig. 3. The system G for Example 9 with calculations of Algorithm Min-Sen-Codiag for Diagnosers 1 and 2, respectively Illustrative example Fig. 4. The system model of Example 10. We illustrate how Algorithm Min-Sen-Codiag proceeds by examples as follows. Example 9. We consider the system with two local diagnosers, A = {1, 2} as shown in Fig. 3; suppose the event set E = {a, b, c, d, f } with E o,1 = {a, b, d} and E o,2 = {a, c, d}; suppose f is the only fault event that need to be diagnosed, which is unobservable to both of the diagnosers. We consider a 1-Window- Partition. Suppose we are removing the nth transition; the current D i is the set of all the transitions within the parentheses that have a subscript less than n, and the current Ω i is set of all the transition of G set minus all the transitions within square brackets that have a subscript less than n. A transition marked by square brackets with subscript 0 means the corresponding event is unobservable to the corresponding diagnoser. These results are showed in Fig. 3(a) for Diagnoser 1 and Fig. 3(b) for Diagnoser 2. The detailed calculations are as follows. By Step 0, set Ω 1 = {(0, d), (1, b), (2, a), (3, d), (4, b), (5, a)}, D 1 =, Ω 2 = {(0, c), (0, d), (2, a), (3, d), (5, a), (6, c), (7, c)}, and D 2 =. For Diagnoser 1, iterate Step 1 to Step 2 for transitions (5, a) and (1, b) in this order, respectively. All of them are removed. We have Ω 1 Ω 1 \ {(5, a), (1, b)}. For Diagnoser 2, by Step 1 and Step 2, (0, d) is removable. We have Ω 2 Ω 2 \ {(0, d)}. Also for Diagnoser 2, we try to remove (5, a). By Step 1, set Ω 2 Ω 2 \ {(5, a)}. By applying Algorithm F-Window, the corresponding Ω F 2 = {(0, c), (3, d), (6, c), (7, c)}. Set Ω F [Ω 1, Ω F 2 ]. Go to Step 2. Since D 2 =, we have ( 2 \Ω F ) 2 D 2 =. The system remains codiagnosable under policy Ω F. Set Ω 2 Ω F 2. A removal of (2, a) from Ω 1 causes a violation of codiagnosability for the corresponding Ω F at Step 2. Therefore, set D 1 D 1 {(2, a)}. A removal of (0, d) from Ω 1 results in (2, a) Ω F correspondingly. But (2, a) D 1. By Step 2, set D 1 D 1 {(0, d)}. A removal of (3, d) from Ω 1 results in (2, a) Ω F correspondingly. But (2, a) D 1. By Step 2, set D 1 D 1 {(3, d)}. A removal of (3, d) from Ω 2 causes a violation of codiagnosability for the corresponding Ω F at Step 2. Therefore, set D 2 D 2 {(3, d)}. Any removal of (7, c), (0, c), or (6, c) from Ω 2 results in (3, d) Ω F correspondingly, but (3, d) D 2. By Step 2, set D 2 D 2 {(7, c), (0, c), (6, c)}. By Step 3, we have Ω 1 = D 1 and Ω 2 = D 2. Therefore, Ω = 1 {(2, a), (3, d), (4, b), (0, d)} and Ω 2 = {(0, c), (3, d), (6, c), (7, c)}. Example 10. This example shows an improvement of the solution by refining the solution space in a decentralized system. We consider the system with two diagnosers A = {1, 2} as shown in Fig. 4. Suppose E = {a, b, c, d, e, f }, E o,1 = {b, c, d}, and E o,2 = {a, d}. Suppose f is the only fault event. By applying Algorithm Min-Sen-Codiag for the 1-Window-Partition, a minimal sensor activation policy Ω for codiagnosability is Ω 1 = {(0, c), (3, d), (4, d)} and Ω 2 = {(0, a), (3, d), (4, d)}. Increasing the window size, the policy Ω = [Ω 1, Ω 2 ] equivalent to the solution Ω is Ω 1 = {{c}, (f, 3, d), (d, 3, d), (b, 4, d), (e, 4, d)} and Ω 2 = {{a}, (f, 3, d), (d, 3, d), (b, 4, d), (e, 4, d)}. Running Algorithm Min-Sen-Codiag starting with this Ω, the resulting minimal solution is Ω 1 = {{c}, (f, 3, d), (b, 4, d)} and Ω 2 = {{a}, (f, 3, d), (b, 4, d)}. Clearly, this solution activates less Complexity of Algorithm Min-Sen-Codiag The complexity analysis of Section 4.5 carriers over to the decentralized case. Theorem 10. For a given system G with M agents and a window partitions w, the problem formulated in Section 5.1 can be solved in worst-case polynomial time complexity with respect to w and E. Proof. Algorithm Min-Sen-Codiag examines each δ i w at most once for each local agent in the iterations. Therefore, the number of such iterations is upper bounded by M w. Each iteration calls Algorithm F-Window once. As in the proof of Theorem 8, the number of iterations of Algorithm F-Window is upper bounded by 2 w 2 E. Each iteration also at most verifies codiagnosability once at Step 2 and, if the same strategy as in Wang et al. (2009) is adopted for verification, the computational efforts are no more than w M+1 E. The amount of computation of Algorithm Min- Sen-Codiag is the number of iterations times the summation of the amounts of computation in Step 1 and Step 2. In all, the order of the worst-case computational complexity for solving the problem in Section 5.1 by Algorithm Min-Sen-Codiag is O( w M+2 E ). Remark 5. In the case of an n-window-partition, we have w X E n. Correspondingly, the worst-case computational complexity for solving the problem in Section 5.1 by Algorithm Min-Sen- Codiag for an n-window-partition is O( X M+2 E n(m+2)+1 ), which depends on n. However, as mentioned in Remark 4 for centralized systems, we can start by running Algorithm Min-Sen-Codiag for a small window size at first. Then, we can gradually increase the window size for elements in Ω with high activation cost and reapply Algorithm Min-Sen-Codiag to obtain finer solutions.

11 W. Wang et al. / Automatica 46 (2010) Conclusion We formulated the problem of dynamic sensor activation in the context of event diagnosis. Algorithms were developed for the optimization of sensor activation policies that preserve the properties of diagnosability and codiagnosability, respectively. We defined language partitions and the class of window partitions where we were able to trade-off between the amount of computations and the achievable quality of the final solution. The results in this paper provide insight and standard properties that can be used to solve globally optimal sensor activation problems for quantitative cost functions. References Adamy, D. (2001). EW 101: a first course in electronic warfare. Boston: Artech House. Cassez, F., & Tripakis, S. (2008). Fault diagnosis with static and dynamic observers. Fundamenta Informaticae, 88(4), Debouk, R., Lafortune, S., & Teneketzis, D. (2002). On an optimization problem in sensor selection. Discrete Event Dynamic Systems: Theory and Applications, 12(4), Haji-Valizadeh, A., & Loparo, K. A. (1996). Minimizing the cardinality of an event set for supervisors of discrete-event dynamical systems. IEEE Transactions on Automatic Control, 41(11), Jiang, S., Kumar, R., & Garcia, H. E. (2003). Optimal sensor selection for discrete-event systems with partial observation. IEEE Transactions on Automatic Control, 48(3), Lee, H., & Lee, K. (2008). Energy minimization for flat routing and hierarchical routing for wireless sensor networks. In Second international conference on sensor technologies and applications (pp ), Cap Esterel, France, August Leow, W. L., Ni, D., & Pishro-Nik, H. (2008). A sampling theorem approach to traffic sensor optimization. IEEE Transactions on Intelligent Transportation Systems, 9(2), Ricker, L., & Caillaud, B. (2009). Revisiting state-baed models for synthesizing optimal communicating decentralized discrete-event controllers. In European control conference 2009, ECC 09, Budapest, Hungary, August Sampath, M., Sengupta, R., Lafortune, S., Sinnamohideen, K., & Teneketzis, D. (1995). Diagnosability of discrete event systems. IEEE Transactions on Automatic Control, 40(9), Shi, L., Johansson, K. H., & Murray, R. M. (2008). Optimal sensor hop selection: sensor energy minimization and network lifetime maximization with guaranteed system performance. In Proc. 47th IEEE conference on decision and control (pp ), Cancun, Mexico, December Thorsley, D., & Teneketzis, D. (2007). Active acquisition of information for diagnosis and supervisory control of discrete event systems. Discrete Event Dynamic Systems: Theory and Applications, 17(4), Unmanned aircraft systems roadmap ( ) (2005). Technical report. Office of the Secretary of Defense. van Schuppen, J. H. (2004). Decentralized control with communication between controllers. In V. D. Blondel, & A. Megretski (Eds.), Unsolved problems in mathematical systems and control theory (pp ). Princeton: Princeton University Press. Wang, W., Girard, A. R., Lafortune, S., & Lin, F. (2009). The verification of codiagnosability in the case of dynamic observations. In Proc European control conf., Budapest, Hungary, August Wang, W., Lafortune, S., Girard, A. R., & Lin, F. (2009). Dynamic sensor activation for event diagnosis. In Proc American control conf., St. Louis, MO, USA, June Wang, W., Lafortune, S., & Lin, F. (2008a). Minimization of communication of event occurrences in acyclic discrete event systems. IEEE Transactions on Automatic Control, 53(9), Wang, W., Lafortune, S., & Lin, F. (2008b). On the minimization of communication in networked systems with a central station. Discrete Event Dynamic Systems: Theory and Applications, 18(4), Wang, W., Lafortune, S., & Lin, F. (2008c). Optimal sensor activation in controlled discrete event systems. In Proc. 47th IEEE conf. on decision and control (pp ), Cancun, Mexico, December Yoo, T.-S., & Lafortune, S. (2002). NP-completeness of sensor selection problems arising in partially-observed discrete event systems. IEEE Transactions on Automatic Control, 47(9), Weilin Wang received M.S. and Ph.D. degrees in Electrical Engineering: Systems from the University of Michigan, Ann Arbor, in 2003 and 2007, respectively. He received a M.S.E. in Industrial Engineering, also from the University of Michigan, Ann Arbor, in He is currently a research fellow in the Department of Aerospace Engineering at the University of Michigan, Ann Arbor. Prior to enrolling at the University of Michigan, Ann Arbor, he worked for the Zhejiang Department of Transportation, Hangzhou, China. His research interests include information acquisition, communication, and control in networked discrete event systems; cooperative control for unmanned aircraft systems; and modeling and optimizing performance of human operators in unmanned aircraft systems. Dr. Wang is a senior member of IEEE. He is also a member of Sigma Xi. Stéphane Lafortune received the B. Eng. degree from Ecole Polytechnique de Montréal in 1980, the M. Eng. degree from McGill University in 1982, and the Ph.D. degree from the University of California at Berkeley in 1986, all in electrical engineering. Since September 1986, he has been with the University of Michigan, Ann Arbor, where he is a Professor of Electrical Engineering and Computer Science. Dr. Lafortune is a Fellow of the IEEE (1999). He received the Presidential Young Investigator Award from the National Science Foundation in 1990 and the George S. Axelby Outstanding Paper Award from the Control Systems Society of the IEEE in 1994 (for a paper co-authored with S.L. Chung and F. Lin) and in 2001 (for a paper co-authored with G. Barrett). Dr. Lafortune is a member of the editorial boards of the Journal of Discrete Event Dynamic Systems: Theory and Applications and of the International Journal of Control. His research interests are in discrete event systems and include multiple problem domains: modeling, diagnosis, control, optimization, and applications to computer systems. He is co-developer of the software packages DESUMA and UMDES. He co-authored, with C. Cassandras, the textbook Introduction to Discrete Event Systems Second Edition (Springer, 2007). Anouck R. Girard holds a Ph.D. in Mechanical/Ocean Engineering from the University of California, Berkeley (2002). She was a postdoctoral Researcher and lecturer at the University of California, Berkeley from , an Assistant Professor of Mechanical Engineering at Columbia University from , and is currently an Assistant Professor of Aerospace Engineering at the University of Michigan, Ann Arbor. Dr. Girard is the Director and Principal Investigator of the Michigan/AFRL Collaborative Center in Control Science. Dr. Girard has been a Summer Faculty Fellow at the Control Science Center for Excellence at Air Force Research Laboratory, Air Vehicles Directorate in 2005, 2006 and She serves on the AIAA Guidance, Navigation and Control Technical Committee and was selected to be a part of the National Academy of Engineering s Frontiers of Engineering Program in She is the author of over 50 archival and conference publications. She has organized invited sessions at the CDC (2001, 2004) and ECC (2001), as well as a tutorial (CDC 2001). Dr. Girard is a member of AIAA and ASME. Feng Lin received his B. Eng. degree in electrical engineering from Shanghai Jiao-Tong University, Shanghai, China, in 1982, and his M.A.Sc. and Ph.D. degrees in electrical engineering from the University of Toronto, Toronto, Canada, in 1984 and 1988, respectively. From 1987 to 1988, he was a postdoctoral fellow at Harvard University, Cambridge, MA. Since 1988, he has been with the Department of Electrical and Computer Engineering, Wayne State University, Detroit, Michigan, where he is currently a professor. His research interests include discrete event systems, hybrid systems, robust control, and image processing. He is the author of a book entitled Robust Control Design: An Optimal Control Approach. He was a consultant for GM, Ford, Hitachi and other auto companies. He co-authored a paper that received a George Axelby outstanding paper award from IEEE Control Systems Society. He is also a recipient of a research initiation award from the National Science Foundation, an outstanding teaching award from Wayne State University, a faculty research award from ANR Pipeline Company, and a research award from Ford. He was an associate editor of IEEE Transactions on Automatic Control. He is a fellow of IEEE.