ON DIAGNOSIS AND PREDICTABILITY OF PARTIALLY-OBSERVED DISCRETE-EVENT SYSTEMS


by Sahika Genc

A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy (Electrical Engineering: Systems) in The University of Michigan, 2006.

Doctoral Committee: Professor Stéphane Lafortune, Chair; Professor Demosthenis Teneketzis; Assistant Professor Mingyan Liu; Associate Professor Dawn Tilbury


© Sahika Genc 2006. All Rights Reserved.

DEDICATION

To engineers, scientists, and mathematicians with double X factor

ACKNOWLEDGEMENTS

This thesis reports on work performed while the author was under the supervision of Professor Stéphane Lafortune at the University of Michigan. The financial support for this thesis was provided in part by NSF grants ECS , CCR and CCR , and by a grant from the Xerox University Affairs Committee. The author wishes to acknowledge support from a Barbour Fellowship from the Horace H. Rackham School of Graduate Studies at the University of Michigan. The author thanks Kurt Rohloff, Dave Thorsley, Tae-Sic Yoo, Yin Wang and Patricia Mena for having great philosophical discussions on Discrete-Event Systems. The author also thanks Ben Morris for being a constant listener, officemate and one of the coffee pals, and Zeinab Mousavi for sharing her real life stories. As a mathematician nicely put into words, "We have the ability to turn coffee into proof." The author acknowledges all the coffee makers in Ann Arbor for their contributions to many of the proofs in the thesis. Finally, the author wishes to thank Fusun Erkul and Selin Aviyente for just being there all the time, through pain and suffering, through happiness and joy. The author thanks her parents, Mustafa Ismet Genc and Semahat Genc, for living in my heart and mind despite being on the other side of the ocean; her sister, Melda Genc, for being the arrogant artist; her cousin, Demet Coruh, for being the wise one; and her cousin Nihal Bayraktar for being herself any time, all the time.

TABLE OF CONTENTS

DEDICATION
ACKNOWLEDGEMENTS
LIST OF FIGURES
LIST OF TABLES

CHAPTER

I. Introduction
   1.1 Monitoring and Diagnosis of Discrete-Event Systems
   1.2 Contribution
   1.3 Organization

II. Monolithic Diagnosis of Systems Modeled as Petri Nets
   2.1 Introduction
   2.2 Preliminaries
   2.3 Problem Statement
   2.4 Petri Net Diagnosers
   2.5 Case Study
   2.6 Conclusion

III. Distributed Diagnosis of Systems Modeled as Petri Nets
   3.1 Introduction
   3.2 Problem Statement
   3.3 Communicating Petri Net Diagnosers
   3.4 Communication Protocol
   3.5 Monolithic Petri Net Diagnosers
   3.6 Correctness Results
   3.7 Implementation of DDC-M: Fixed-Size Message Labels
   3.8 Case Study
   3.9 Conclusion

IV. Diagnosis of Event Patterns
   4.1 Introduction
   4.2 Preliminaries
   4.3 Pattern Diagnosability
   4.4 Verification of Pattern Diagnosability for Regular Languages
   4.5 Case Study: An Implementation of Pattern Diagnosis
   4.6 Conclusion

V. Prediction of Event Occurrences
   5.1 Introduction
   5.2 Preliminaries
   5.3 Problem Statement
   5.4 Diagnosability vs. Predictability
   5.5 Verification of Predictability for Regular Languages
   5.6 Verifier Approach
   5.7 Conclusion

VI. Conclusion

APPENDICES
BIBLIOGRAPHY

LIST OF FIGURES

2.1 Monolithic diagnosis
2.2 Valve model
2.3 Valve model with $x_0$
2.4 Valve model with $x_{d,0}$
2.5 Valve model with $x_{d,1}$
2.6 Valve model with $x_{d,2}$
2.7 Valve model with $x_{d,3}$
3.1 General architecture of modular diagnosis approach
3.2 System with six place-bordered nets
3.3 System with six place-bordered nets
3.4 Place-bordered net: Module#1 (valve)
3.5 Place-bordered net: Module#2 (pump)
3.6 Place-bordered net: Module#3 (load)
3.7 Common places between the modules
4.1 $G$
4.2 $G$
4.3 $H_T(\Sigma, s)$ where $s = cacao$ and $\Sigma = \{c, a, o\}$
4.4 $U = U_s^{K_2}(G\,H_S(\Sigma, s))$ where $K_1 = \{ab, dc\}$ and $\Sigma = \{a, b, c, d, e\}$
4.5 $Obs(U)$ for $K_1 = \{ab, dc\}$ where $\Sigma_o = \{b, d\}$
4.6 $U = U_s^{K_2}(G\,H_S(\Sigma, s))$ where $K_2 = \{ab\}$ and $\Sigma = \{a, b, c, d, e\}$
4.7 $Obs(U)$ for $K_2 = \{ab\}$ where $\Sigma_o = \{b, d\}$
4.8 $H_T(\Sigma, dc)$ where $\Sigma = \{a, b, c, d, e\}$
4.9 $G\,H_T(\Sigma, s)$ where $K = \{dc\}$ and $\Sigma = \{a, b, c, d, e\}$
4.10 $U_T = U(C(G), U_s^{K}(G\,H_S(\Sigma, s)))$ where $K = \{ab, dc\}$ and $\Sigma = \{a, b, c, d, e\}$
4.11 $Obs(U)$ where $\Sigma_o = \{b, d\}$
4.12 $G$
4.13 $U_S = U_s^{K}(G\,H_S(\Sigma, s))$ where $K = \{ab, dc\}$ and $\Sigma = \{a, b, c, d\}$
4.14 $Obs(U_S)$ for $K = \{ab, dc\}$ where $\Sigma_o = \{b, d\}$
4.15 $U_T = U_s^{K}(G\,H_S(\Sigma, s))$ where $K = \{ab, cd\}$ and $\Sigma = \{a, b, c, d\}$
4.16 $Obs(U_T)$ for $K = \{ab, cd\}$ where $\Sigma_o = \{b, d\}$
4.17 $G$
4.18 $U_S$
4.19 $Obs(U_S)$ contains a marking-indeterminate cycle
4.20 $Obs(U_S)$ does not contain any marking-indeterminate cycles
5.1 $G$
5.2 $G_D$
5.3 $G_D$
5.4 $G$
5.5 The equivalence classes induced in $F_D$
5.6 The verifier states
5.7 $D_G$
5.8 $D_G$
A.1 The toolbox outline
A.2 How to quick-load a Petri net?
A.3 How to create a Petri net and partitions?
A.4 The settings of the Petri net
A.5 The incidence matrix ($D^-$) of the Petri net
A.6 The incidence matrix ($D^+$) of the Petri net
A.7 The place labels of the Petri net
A.8 The transition labels (event set) of the Petri net
A.9 The initial state of the Petri net
A.10 The partitions of the Petri net
A.11 The Petri net
A.12 The distributed Petri net
A.13 The connection between the modules in the distributed Petri net
A.14 The sequence of observable events
A.15 The set of enabled events
A.16 The result of DDC-M
A.17 The result of the merge operation
A.18 The result of MDA
A.19 Manufacturing system modules connection graph
A.20 Petri net model of manufacturing system processed by Diagnoser Toolbox
A.21 Petri net model of manufacturing system
A.22 Petri net model of manufacturing system
A.23 Petri net model of manufacturing system
A.24 Petri net model of manufacturing system processed by Diagnoser Toolbox
A.25 Petri net model of manufacturing system
A.26 Petri net model of manufacturing system

LIST OF TABLES

4.1 The sample event log
A.1 File types
A.2 The color code of events and places

CHAPTER I
Introduction

1.1 Monitoring and Diagnosis of Discrete-Event Systems

The problem of fault diagnosis for discrete-event systems has received considerable attention in the last decade, and diagnosis methodologies based on the use of discrete-event models have been successfully used in a variety of technological systems ranging from document processing systems to intelligent transportation systems. A wide variety of methods have been proposed in the literature on fault diagnosis. These include non-model-based methods (statistical tests, signature analysis, expert systems), see [62, 50, 45] and the references therein; quantitative model-based methods (analytical models that compare the measurements with their predicted values to detect the occurrence of faults), see [20, 29, 63, 24] and the references therein; and qualitative models (AI-based, discrete-event-systems-based), see [62, 28, 2, 36, 35, 30, 61, 14, 38] and the references therein. The qualitative model-based methods are the most relevant to the work described in this thesis. The qualitative methods employ model-based inferencing to correctly estimate the occurrence of faults in the behavior of the system. The major advantage of the qualitative model-based methods is that detailed in-depth modeling of the system is not required.

A recently-proposed methodology for fault diagnosis of discrete-event systems modeled by finite-state automata, termed the Diagnoser Approach, is of particular relevance to the present thesis. The methodology was introduced in [55] and subsequently extended in several works including [16, 12], and has been used successfully in a variety of application areas, including heating, ventilation, and air-conditioning units [51], intelligent transportation systems [13, 56], document processing systems [53, 52], and chemical process control [21]. The key feature of the approach is the use of a special discrete-event process called the diagnoser. The diagnoser is built from the system model and is used to (i) test the diagnosability properties of the system and (ii) perform on-line monitoring of the system for the purpose of fault diagnosis. The states of the diagnoser contain information about the possible occurrence of faults, according to the system model. The diagnoser is then used for on-line fault diagnosis of the system as follows. Each observable event executed by the system triggers a state transition in the diagnoser. Examination of the current diagnoser state reveals the status of the different types of faults: fault(s) of type $F_1$ did not occur, fault(s) of type $F_1$ possibly occurred ($F_1$-uncertain state in the terminology of [54]), fault(s) of type $F_1$ occurred for sure ($F_1$-certain state in the terminology of [54]). This thesis is concerned with partially-observed monolithic and modular discrete-event systems that are modeled by Finite State Automata (FSA) and Petri nets. FSA have been widely used to solve problems of observability, observability with delay, stability and invertibility, and fault diagnosis; see [7, 8, 11, 37, 40, 42, 41, 43, 44, 47, 49, 48]. Petri net models also have been employed to solve problems of state observability, system monitoring, alarm analysis, and fault diagnosis in several works, including [58, 25, 27, 3, 5, 4, 26].
Systems possessing modular structures are

receiving more and more attention in the recent literature on diagnosis, verification, and control of discrete-event systems; see, e.g., [12, 3, 5, 15, 60, 59]. The use of Petri nets instead of automata offers potential advantages in system modeling and analysis of modular systems, especially in terms of the distributed representation of the system state and of the ability to represent coupling of system components by means of common places.

1.2 Contribution

In this thesis, we define the notion of a monolithic Petri net diagnoser, or simply diagnoser, which is used as a tool to detect and isolate faults in the system. The system to be diagnosed is modeled by a labeled Petri net. The monolithic diagnoser observes the system and determines the states the system can be in upon observation of an event. Note that upon observation of an event (e.g., sensor readings, changes in the sensor readings), the state of the system is in general not known exactly, due to the presence of unobservable events in the set of transition labels. The Petri net diagnoser finds all the states the system can be in, namely, all the states that are consistent with the sequence of observable events seen thus far. Fault information is attached to these state estimates in the form of fault labels. The faults are explicitly modeled as events in the system. We also study the problem of detecting and isolating faults or other significant events in the behavior of a modular dynamic system that is modeled as a set of interacting Petri net modules. The common places among the set of Petri nets modeling a system capture coupling of various system components. The objective is to diagnose the occurrence of fault events based on the sequence of observed events and on the structure of the respective Petri net modules and their coupling

by common places. It is sought to obtain a distributed diagnosis algorithm that takes advantage of the modular structure of the system. Our investigations on the problem of fault diagnosis of Petri nets were first reported in [22], where the notion of centralized (monolithic) Petri net diagnosers is introduced. Petri net diagnosers serve the same purpose as the automata diagnosers in [55] for on-line monitoring and diagnosis of a system, but they are based on the same Petri net structure as the system model, unlike diagnoser automata, which require a conversion of the system model from nondeterministic to deterministic. Our initial work reported in [22] also considered systems composed of two Petri nets sharing a set of common places, leading to a distributed diagnosis algorithm with communication abbreviated. In this thesis, we consider the case of modular systems consisting of a set of $M$ place-bordered Petri nets. We present two new algorithms, one termed DDC-M, and the other termed DDC-M with fixed-size message labels, which uses an encoding of messages and significantly improves upon the real-time communication requirements. A preliminary version of DDC-M, without message encoding, is presented without a correctness proof in [23]. Clearly, the monolithic approach is a special case of the modular approach where the set of place-bordered Petri nets is a singleton. In the following part of the thesis, we generalize the problem of diagnosing (detecting and isolating) a single event to diagnosing a pattern in the behavior of a system modeled as a partially-observed discrete-event system (DES). To the best of our knowledge, all prior works on fault diagnosis of DES pertain to the diagnosis of a single event among several unobservable events. Our objective is to extend the methodology of the Diagnoser Approach introduced in [55] to the case of patterns. The event pattern to be diagnosed is a set of sequences of events. In application

areas such as detection of intrusions and attacks in networks [39], patterns of events need to be diagnosed. The system is diagnosable with respect to a pattern if it is possible to detect and isolate occurrences of the pattern upon completion (with finite delay) while observing the sequences of events executed by the system. The problem is trivial if each event executed by the system to be diagnosed is observable. Our objective is two-fold:

1. Off-line verification of the diagnosability property of the system with respect to the pattern, i.e., whether the system is diagnosable with respect to the pattern.
2. Online monitoring of the system and diagnosis of the pattern, i.e., how to detect the occurrence of the pattern while partially observing the behavior of the system.

Finally, we consider the problem of predicting occurrences of a significant (e.g., fault) event in a DES. We study the problem of whether it is possible to predict occurrences of an event in the system; then, depending on the nature of the event, the system operator can be warned and may decide to halt the system or otherwise take preventive measures. The system under consideration is modeled by a language over an event set. The event set is partitioned into observable events and unobservable events, i.e., the events that are not directly recorded by the sensors attached to the system. The objective is to predict occurrences of a possibly unobservable event in a system, based on the strings of observable events in the language. To the best of our knowledge, the notion of predictability that is introduced and studied in this thesis is different from prior works (see [9, 6, 57, 19] and references therein) on other notions of predictability.

1.3 Organization

The organization of the thesis is as follows. In Chapter II, we study the monolithic diagnosis of systems modeled as Petri nets. We define how the system and the diagnoser are modeled, give their graphical representation, consider the dynamics of the diagnoser, and present an illustrative example. In Chapter III, we consider distributed diagnosis of a modular dynamic system that is modeled as a set of interacting Petri net modules. In Chapter IV, we study the diagnosis of event patterns. We define two different notions of pattern diagnosability in the context of formal languages: (i) S-type pattern diagnosability and (ii) T-type pattern diagnosability. These two different types stem from different approaches to defining the occurrence of a pattern. In S-type pattern diagnosability, a pattern is detected if all the sequences executed by the system that record the same observed event sequences contain subsequences in the pattern. In T-type pattern diagnosability, a pattern is detected if all the sequences executed by the system that record the same observed event sequences contain substrings in the pattern. In Chapter V, we address the problem of prediction of event occurrences. The predictability of occurrences of an event in a system is defined in the context of formal languages. It is shown that in the case of regular languages, there exists a necessary and sufficient condition for occurrences of an event to be predictable in the language. Finally, in the Appendix, we present a software implementation of the algorithms and operations presented in the thesis. The software interacts with GraphViz, developed by AT&T, to visualize the labeled Petri nets, diagnoser states (including the state, fault and message information) and dynamics of the Petri nets and the algorithms (if communications occur among modules, which module communicates with which module, list of events enabled from the diagnoser states, etc.).
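The distinction just drawn between S-type and T-type pattern diagnosability turns on whether the pattern must appear as a subsequence or as a contiguous substring of every system string that is consistent with what has been observed. The Python below is an added example, not code from the thesis or its toolbox: it brute-forces that check on a small constructed finite language (the language, the observable event set and the pattern are made up for illustration) by projecting each string onto the observable events, collecting the strings that share the observed string, and testing both containment notions. It is not the thesis's verification method for regular languages, only a finite-language illustration of the two definitions.

```python
"""Added example: S-type vs T-type pattern occurrence under partial observation.

Constructed data (not from the thesis): a finite language over the events
a, b, c, d, of which only b and d are observable, and the pattern K = {ab}.
"""

# Constructed system language: the strings the system can execute.
LANGUAGE = frozenset({"ab", "acb", "adb", "abd", "cabd", "dc", "cd"})
OBSERVABLE = frozenset({"b", "d"})   # Sigma_o; a and c are unobservable
PATTERN = frozenset({"ab"})          # the event pattern to be diagnosed


def project(s, observable=OBSERVABLE):
    """Natural projection: erase every unobservable event from s."""
    return "".join(e for e in s if e in observable)


def contains_subsequence(s, pattern):
    """True if pattern occurs in s as a subsequence (order kept, gaps allowed).
    The iterator is consumed left to right, so each pattern event must be
    found after the previous one."""
    it = iter(s)
    return all(e in it for e in pattern)


def contains_substring(s, pattern):
    """True if pattern occurs in s as a contiguous substring."""
    return pattern in s


def consistent_strings(observed, language=LANGUAGE, observable=OBSERVABLE):
    """The strings the system may have executed given the observation:
    every string whose projection equals `observed`.  A diagnoser can
    never tell these apart."""
    return {s for s in language if project(s, observable) == observed}


def detected(observed, kind, language=LANGUAGE, observable=OBSERVABLE, pattern=PATTERN):
    """Pattern detected after `observed` in the S-type ("S") or T-type ("T")
    sense: all consistent strings must contain some pattern string, as a
    subsequence for S-type and as a substring for T-type.  An observation
    that no string can produce yields False."""
    test = contains_subsequence if kind == "S" else contains_substring
    est = consistent_strings(observed, language, observable)
    return bool(est) and all(any(test(s, p) for p in pattern) for s in est)


def report(language=LANGUAGE, observable=OBSERVABLE, pattern=PATTERN):
    """(S-type, T-type) verdict for every observation the language can produce."""
    observations = sorted({project(s, observable) for s in language})
    return {w: (detected(w, "S", language, observable, pattern),
                detected(w, "T", language, observable, pattern))
            for w in observations}


if __name__ == "__main__":
    for w, (s_type, t_type) in report().items():
        print(f"observed {w!r:6} consistent={sorted(consistent_strings(w))} "
              f"S-type={s_type} T-type={t_type}")
```

On this language, observing `b` leaves `ab` and `acb` as candidates: both contain `ab` as a subsequence, only one as a substring, so the pattern is detected in the S-type sense but not the T-type sense. Observing `bd` leaves `abd` and `cabd`, where both notions agree. Since every substring is also a subsequence, T-type detection always implies S-type detection, which the `report` output makes visible.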

CHAPTER II
Monolithic Diagnosis of Systems Modeled as Petri Nets

2.1 Introduction

This chapter addresses the problem of detecting and isolating faults or other significant events in the behavior of a monolithic dynamic system that is modeled as a labeled Petri net. The events to be diagnosed, referred to as faults hereafter, are modeled as unobservable events in the system. Events are unobservable when they are not directly recorded by the sensors attached to the system. The common places among the set of Petri nets modeling a system capture coupling of various system components. The objective is to diagnose the occurrence of fault events based on the sequence of observed events and on the structure of the respective Petri net modules and their coupling by common places. It is sought to obtain a distributed diagnosis algorithm that takes advantage of the modular structure of the system. The problem of fault diagnosis for discrete-event systems has received considerable attention in the last decade, and diagnosis methodologies based on the use of discrete-event models have been successfully used in a variety of technological systems ranging from document processing systems to intelligent transportation systems; see [34] and the references therein. The methodology termed the Diagnoser

Approach, introduced in [55] and subsequently extended in several works including [16, 12], is of particular relevance to the present chapter. The key feature of the Diagnoser Approach is the use of a special discrete-event process called the diagnoser. The diagnoser is built from the system model and is used to (i) test the diagnosability properties of the system and (ii) perform on-line monitoring of the system for the purpose of fault diagnosis. The above references regarding the Diagnoser Approach are all based on the use of automata models for the system under consideration, leading to the construction of automata diagnosers. This and the next chapter are concerned with discrete-event systems that are modeled by Petri nets. The use of Petri nets instead of automata offers potential advantages in system modeling and analysis, especially in terms of the distributed representation of the system state and of the ability to represent coupling of system components by means of common places. Petri net models have been employed to solve problems of state observability, system monitoring, alarm analysis, and fault diagnosis in several works, including [58, 25, 27, 3, 5, 4, 26]. However, to the best of our knowledge, the algorithms presented in this and the next chapter are the first to explore the extension of the Diagnoser Approach of [55] to monolithic and modular discrete-event systems modeled by Petri nets. The organization of the chapter is as follows. In Section 2.2, we give the definitions and notation used. In the following section, we present the problem statement. In Section 2.4, we consider the dynamics of the diagnoser. Although the diagnoser is drawn as a labeled Petri net, its state transition function and states differ from those of typical labeled Petri nets. We conclude the chapter by presenting an illustrative example of the notions defined in this chapter.

2.2 Preliminaries

In this section, we give some definitions (stated briefly since they are standard; see, e.g., Chapter 4 of [10] for further details). A Petri net graph is defined as $N = (P, T, A, w)$, where $P$ and $T$ are finite sets of places and transitions, respectively, $A$ is the set of arcs from places to transitions and from transitions to places, and $w : A \to \mathbb{Z}^{+}$ is the weight function on the arcs. We denote by $W(P, t)$ (written $W(t)$ when $P$ is clear from context) the row vector of size equal to the number of places in $P$ whose $i$th column is equal to $w(t, p_i) - w(p_i, t)$, where $p_i \in P$ and $t \in T$. A labeled Petri net is defined as $(N, \Sigma, l, x_0)$, where $\Sigma$ is the set of events, $l : T \to \Sigma$ is the transition labeling function, and $x_0$ is the initial state. A transition $t \in T$ can fire from $x \in X$, where $X$ is the state space of the labeled Petri net, if and only if $t$ is feasible (enabled) from $x$. A transition $t$ is enabled from $x$ if $x + W(t) \geq 0$. When $t$ fires from state $x$, the state transition function $f : X \times T \to X$ gives the resulting state according to the usual Petri net dynamics, i.e., $f(x, t) = x + W(t)$. Some of the events in $\Sigma$ are observable, i.e., their occurrence can be observed (detected by sensors), while the other events are unobservable; thus $\Sigma = \Sigma_o \cup \Sigma_{uo}$. The set of fault events $\Sigma_f$ is a subset of $\Sigma_{uo}$. We partition the set of faults into disjoint sets where each set corresponds to a different fault type. This is because it might not be necessary to detect and isolate uniquely every fault event, but only the occurrence of one among a subset (type) of fault events. We denote by $\Sigma_{F_k}$ the set of fault events corresponding to a type $k$ fault.

2.3 Problem Statement

In this chapter, we define the notion of a monolithic Petri net diagnoser, which is used as a tool to detect and isolate faults in the system. The system to be diagnosed

is modeled by a labeled Petri net. The monolithic diagnoser observes the system and determines the states of the system consistent with the sequence of observable events seen thus far. Fault information is attached to these state estimates in the form of fault labels. The faults are explicitly modeled as events in the system. Figure 2.1 gives a block diagram of the system and its diagnoser interacting with each other (the notation in the figure is introduced in Sections 2.2 and 2.4).

Figure 2.1: Monolithic diagnosis. [Block diagram: the system model $M$ emits observable events to the diagnoser $D$, which outputs the failure type $F_i$.]

2.4 Petri Net Diagnosers

The Petri net diagnoser is a special discrete-event process on which we infer about the occurrences of faults in the system. In this sense, the Petri net diagnosers introduced in [22] serve the same purpose as the automata diagnosers introduced in [55] for on-line diagnosis of faults or other significant events in the behavior of the system. However, Petri net diagnosers and automata diagnosers have different structures. A Petri net diagnoser inherits the Petri net structure of the underlying system, whereas an automaton diagnoser is obtained by an algorithm that incorporates the conversion of a nondeterministic automaton to a deterministic one. The diagnoser and the underlying net to be diagnosed have the same structure, but they do not have the same dynamics. A Petri net diagnoser, upon observation of an event, estimates the states the system could be in. Thus, a Petri net diagnoser state contains a set of system states. The diagnoser state also carries diagnosis information, i.e., a fault label, that provides

information on the fault types that may have occurred. The Petri net diagnosers studied herein were first defined in [22]. The diagnoser for a labeled Petri net $M$ is

$$D = (N, \Sigma, l, x_{d,0}, \Delta_f), \qquad (2.1)$$

where $N$, $\Sigma$, $l$ are as defined before, $x_{d,0}$ is the initial diagnoser state, and $\Delta_f$ is the set of fault types of $D$. The diagnoser state $x_d$ of $D$ is a matrix of the form

$$x_d = \big[\, x_s(i) \;\; x_f(i) \,\big]_{i = 1, \ldots, I}, \qquad (2.2)$$

where $x_s(i)$ denotes the state in row $i$ of diagnoser state $x_d$ and $x_f(i)$ denotes the corresponding fault label. The state part $x_s(i)$ of each row $i$ corresponds to one possible state of $M$ following the occurrence of the observed sequence of events. The diagnoser state transition function of $D$ is of the form $f_d : X_d \times \Sigma_o \to X_d$, where $X_d$ is the state space of $D$. Given the diagnoser state $x_d \in X_d$ and the observable event $a \in \Sigma_o$, $f_d(x_d, a)$ is defined only if there exists some $t \in T$ labeled with the observable event $a$ and enabled from the state part of some row $i$ of $x_d$. In order to formally define the diagnoser state transition function, we first define $S : X_d \times \Sigma_o \to 2^{X \times 2^{\Delta_f}}$, that is, the set of states with the corresponding fault labels reached from the rows of a diagnoser state. Formally,

$$S(x_d, a) = \bigcup_{1 \le i \le I} \;\bigcup_{t \in B(x_d(i), a)} \{ (u_s \; u_f) : u_s = f(x_s(i), t),\ u_f = x_f(i) \}, \qquad (2.3)$$

where $B(x_d(i), a)$ is the set of $t \in T$ labeled with $a \in \Sigma_o$ and enabled from $x_d(i)$;

formally,

$$B(x_d(i), a) = \{ t \in T : l(t) = a \text{ and } x_d(i) + W(t) \ge 0 \}. \qquad (2.4)$$

Second, we define $UR : X \times 2^{\Delta_f} \to 2^{X \times 2^{\Delta_f}}$, that is, the set of states with the corresponding fault labels reached by firing enabled transitions labeled with unobservable events. Formally,

$$UR((u_s \; u_f)) = \Big\{ (y_s \; y_f) : \exists t \in T,\ l(t) \in \Sigma_{uo},\ y_s = f(u_s, t),\ (\forall k \in \Delta_f)\ y_f(k) = \begin{cases} 1, & \text{if } l(t) \text{ contains an event in } \Sigma_{F_k}, \\ u_f(k), & \text{otherwise} \end{cases} \Big\}. \qquad (2.5)$$

Given the diagnoser state $x_d \in X_d$ and the observable event $a \in \Sigma_o$ such that some $t \in T$ labeled with $a$ is enabled from the state part of some row of $x_d$, $f_d(x_d, a)$ is the listing of the elements of the set

$$\bigcup_{u \in S(x_d, a)} UR(u). \qquad (2.6)$$

The diagnostic information provided by a diagnoser state is given by examining the last columns of that state, one per fault type: (i) if a column contains only 0s, then we know that no fault event of the corresponding type could have occurred; (ii) if a column contains only 1s, then we are certain that at least one fault event of that type has occurred; (iii) otherwise, if a column contains both 0s and 1s, we are uncertain about the occurrence of a fault of that type. If the diagnoser is certain that a fault of type $i$ has occurred, then it outputs $F_i$ as indicated in Figure 2.1. This diagnostic information is equivalent to that obtained from diagnoser automata in the Diagnoser Approach of [54].
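The following Python is an added example, not code from the thesis or its Diagnoser Toolbox, that implements the definitions of Sections 2.2 and 2.4 end to end: a labeled Petri net with the enabling rule $x + W(t) \ge 0$ and firing $f(x, t) = x + W(t)$, the sets $B$ and $S$, the unobservable reach $UR$, the diagnoser transition $f_d$, and the three-way reading of each fault-label column. Two points are assumptions made here rather than statements of the chapter: the initial diagnoser state $x_{d,0}$ is taken to be the unobservable reach of $x_0$ with an all-zero fault label (which is how the case study's $x_{d,0}$ comes to have several rows), and $UR$ is computed as a closure over sequences of unobservable transitions, the starting row included, rather than as a single firing. The net is a constructed four-place valve with one stuck-open fault type, not the thesis's valve model of Fig. 2.2, and all place, transition and event names are made up for the illustration.

```python
"""Added example: Petri net diagnoser (Section 2.4) run on a constructed valve net."""


class LabeledPetriNet:
    """(N, Sigma, l, x0) plus the fault partition Sigma_{F_1}, Sigma_{F_2}, ...

    `transitions` maps a transition name to (label, pre, post), where pre and
    post are {place: weight} dicts for the arcs into and out of it.  Markings
    are tuples ordered like `places`."""

    def __init__(self, places, transitions, observable, fault_types, x0):
        self.places = tuple(places)
        self.transitions = dict(transitions)
        self.observable = frozenset(observable)                    # Sigma_o
        self.fault_types = [frozenset(ft) for ft in fault_types]  # Sigma_{F_k}
        self.x0 = tuple(x0)

    def W(self, t):
        """Incidence row of t: w(t, p_i) - w(p_i, t) for every place p_i."""
        _, pre, post = self.transitions[t]
        return tuple(post.get(p, 0) - pre.get(p, 0) for p in self.places)

    def enabled(self, x, t):
        """Enabling rule of Section 2.2: x + W(t) >= 0 componentwise."""
        return all(xi + wi >= 0 for xi, wi in zip(x, self.W(t)))

    def fire(self, x, t):
        """f(x, t) = x + W(t)."""
        return tuple(xi + wi for xi, wi in zip(x, self.W(t)))

    def label(self, t):
        return self.transitions[t][0]


def B(net, xs, a):
    """Transitions labeled a and enabled from marking xs (Eq. 2.4)."""
    return [t for t in net.transitions if net.label(t) == a and net.enabled(xs, t)]


def S(net, xd, a):
    """Rows (u_s, u_f) obtained by firing one a-labeled transition from each
    row of xd; the fault label is carried over unchanged (Eq. 2.3)."""
    return {(net.fire(xs, t), xf) for xs, xf in xd for t in B(net, xs, a)}


def UR(net, row, limit=10_000):
    """Unobservable reach of one row (Eq. 2.5), as a closure: keep firing
    unobservable transitions, setting fault bit k to 1 whenever the fired
    transition's label lies in Sigma_{F_k}.  `limit` guards against an
    unbounded net (assumption: the nets used here are bounded)."""
    seen, stack = {row}, [row]
    while stack:
        xs, xf = stack.pop()
        for t in net.transitions:
            lab = net.label(t)
            if lab in net.observable or not net.enabled(xs, t):
                continue
            yf = tuple(1 if lab in ft else bit for ft, bit in zip(net.fault_types, xf))
            nxt = (net.fire(xs, t), yf)
            if nxt not in seen:
                if len(seen) >= limit:
                    raise RuntimeError("unobservable reach exceeds limit")
                seen.add(nxt)
                stack.append(nxt)
    return seen


def initial_state(net):
    """x_{d,0}: assumed here to be UR of x0 with no fault recorded."""
    return tuple(sorted(UR(net, (net.x0, (0,) * len(net.fault_types)))))


def f_d(net, xd, a):
    """Diagnoser transition (Eq. 2.6); None when no row enables an a-transition."""
    step = S(net, xd, a)
    if not step:
        return None
    rows = set()
    for u in step:
        rows |= UR(net, u)
    return tuple(sorted(rows))


def verdict(xd):
    """Per fault type: 'N' (column all 0, no fault), 'F' (all 1, fault
    certain), 'U' (mixed, uncertain), as in the three cases of Section 2.4."""
    out = []
    for k in range(len(xd[0][1])):
        col = {xf[k] for _, xf in xd}
        out.append("N" if col == {0} else "F" if col == {1} else "U")
    return tuple(out)


def diagnose(net, observations):
    """Drive the diagnoser with an observed event sequence; one verdict per step."""
    xd = initial_state(net)
    verdicts = [verdict(xd)]
    for a in observations:
        xd = f_d(net, xd, a)
        if xd is None:
            raise ValueError(f"observation {a!r} is not consistent with the model")
        verdicts.append(verdict(xd))
    return verdicts


# Constructed valve (not the thesis's model).  Places: C closed, O open,
# S stuck open, SC stuck open after a close command.  `so` (stuck open) is
# the only unobservable event and forms fault type F_1; `fl` is a flow
# sensor event that can only follow a close command if the valve is stuck.
VALVE = LabeledPetriNet(
    places=("C", "O", "S", "SC"),
    transitions={
        "t1": ("ov", {"C": 1}, {"O": 1}),
        "t2": ("cv", {"O": 1}, {"C": 1}),
        "t3": ("so", {"O": 1}, {"S": 1}),    # fault of type F_1
        "t4": ("cv", {"S": 1}, {"SC": 1}),
        "t5": ("fl", {"SC": 1}, {"S": 1}),
    },
    observable={"ov", "cv", "fl"},
    fault_types=[{"so"}],
    x0=(1, 0, 0, 0),
)

if __name__ == "__main__":
    print(diagnose(VALVE, ["ov", "cv", "fl"]))
```

After `ov` the diagnoser holds two rows, the open valve with label 0 and the stuck valve with label 1, so the $F_1$ column is mixed and the state is $F_1$-uncertain; `cv` keeps it uncertain (closed with 0, or stuck-after-close with 1); only the flow reading `fl`, which no fault-free row enables, collapses the state to a single row with label 1, the $F_1$-certain case. Calling `f_d` with an event no row enables returns `None`, the situation in which $f_d$ is undefined.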

2.5 Case Study

We developed a software implementation of DDC-M and of the merge operation. The software interacts with GraphViz, developed by AT&T, to visualize the labeled Petri nets, diagnoser states (including the state, fault and message information) and dynamics of the Petri nets and the algorithms (if communications occur among modules, which module communicates with which module, list of events enabled from the diagnoser states, etc.). All the analysis results of the examples in this section are obtained using the software tool. We study an example of a Heating, Ventilation and Air-Conditioning system which consists of valve, pump, and load models. In this section, we consider the valve model shown in Fig. 2.2. The set of events and their abbreviations in Fig. 2.2 are as follows: $\Sigma_{o,1} = \{$close valve (cv), open valve (ov), stuck open 1 (so1), stuck open 2 (so2), stuck closed 1 (sc1), stuck closed 2 (sc2)$\}$. The initial state of the valve is

$$x_0 = (\quad). \qquad (2.7)$$

The ordering of the digits in $x_0$ is as follows: $c_1, c_{1,1}, c_2, c_{2,1}, c_4, c_5, vl_1, vl_2, vl_3, vl_4$. The valve model with the initial state is shown in Fig. 2.3. In the figure, we denote the marking, i.e., the number of tokens each place holds, by label of the place@[number of tokens the place holds]. For example, in Fig. 2.3, vl_1@[1] means that $vl_1$ holds one token.

The initial diagnoser state is

$$x_{d,0} = (\quad), \qquad (2.8)$$

where each digit in the rows of $x_{s,0}$ corresponds to the number of tokens in a place, and each digit in the rows of $x_{f,0}$ corresponds to a fault type of the valve. The ordering of the digits in $x_{s,0}$ is the same as in $x_0$. The ordering of the digits in $x_{f,0}$ is $F_1$ and $F_2$, respectively, where the event sets for the fault types are as follows: $\Sigma_{F_1,1} = \{$stuck open 1 (so1), stuck open 2 (so2)$\}$, $\Sigma_{F_2,1} = \{$stuck closed 1 (sc1), stuck closed 2 (sc2)$\}$. As we stated earlier, each row in the diagnoser state corresponds to a state estimate upon observation of an event. Each column in the diagnoser state corresponds to a list of estimates of the number of tokens a place holds upon observation of an event. The valve model with the initial diagnoser state is shown in Fig. 2.4. In the figure, we represent by vl_1@[100] the column of $x_{d,0}$ corresponding to the place named $vl_1$. An enabled observable event is open valve. If the event open valve is observed, then the diagnoser state transition function finds the next diagnoser state as

$$x_{d,1} = f_d(x_{d,0}, \text{open valve}) = (\quad). \qquad (2.9)$$

An enabled observable event from $x_{d,1}$ is close valve, and the next diagnoser state

is

$$x_{d,2} = f_d(x_{d,1}, \text{close valve}) = (\quad). \qquad (2.10)$$

An enabled observable event from $x_{d,2}$ is open valve, and the next diagnoser state is

$$x_{d,3} = f_d(x_{d,2}, \text{open valve}) = (\quad). \qquad (2.11)$$

The valve model with the diagnoser states $x_{d,1}$, $x_{d,2}$, and $x_{d,3}$ is shown in Figs. 2.5, 2.6, and 2.7, respectively.

Figure 2.2: Valve model. [Places $c_1, c_{1,1}, c_2, c_{2,1}, c_4, c_5, vl_1, vl_2, vl_3, vl_4$; transitions t1:cv, t2:ov, t3:sc2, t4:cv, t5:ov, t6:ov, t7:cv, t8:so1, t9:cv, t10:ov, t11:so2, t12:sc1.]

Figure 2.3: Valve model with $x_0$. [Same net as Fig. 2.2, with the marking of each place shown as place@[tokens].]

2.6 Conclusion

We have defined monolithic Petri net diagnosers. The diagnosers introduced in this chapter are different from the diagnoser automata in [54] in the sense that they perform on-line fault diagnosis on the same transition structure as the system model, namely the Petri net graph of the system.

Figure 2.4: Valve model with $x_{d,0}$. [Same net as Fig. 2.2; each place is labeled with the column of $x_{d,0}$ that gives its token-count estimates.]

Figure 2.5: Valve model with $x_{d,1}$.

Figure 2.6: Valve model with $x_{d,2}$.

Figure 2.7: Valve model with $x_{d,3}$.

CHAPTER III
Distributed Diagnosis of Systems Modeled as Petri Nets

3.1 Introduction

This chapter addresses the problem of detecting and isolating faults or other significant events in the behavior of a modular dynamic system that is modeled as a set of interacting Petri net modules. The events to be diagnosed, referred to as faults hereafter, are modeled as unobservable events in the respective system modules. Events are unobservable when they are not directly recorded by the sensors attached to the system. The common places among the set of Petri nets modeling a system capture coupling of various system components. The objective is to diagnose the occurrence of fault events based on the sequence of observed events and on the structure of the respective Petri net modules and their coupling by common places. It is sought to obtain a distributed diagnosis algorithm that takes advantage of the modular structure of the system. The problem of fault diagnosis for discrete-event systems has received considerable attention in the last decade, and diagnosis methodologies based on the use of discrete-event models have been successfully used in a variety of technological systems ranging from document processing systems to intelligent transportation systems; see [34] and the references therein. The methodology termed the Diagnoser Approach, introduced in [55] and subsequently extended in several works including [16, 12], is of particular relevance to the present chapter. The key feature of the Diagnoser Approach is the use of a special discrete-event process called the diagnoser. The diagnoser is built from the system model and is used to (i) test the diagnosability properties of the system and (ii) perform on-line monitoring of the system for the purpose of fault diagnosis. The above references regarding the Diagnoser Approach are all based on the use of automata models for the system under consideration, leading to the construction of automata diagnosers. This chapter is concerned with discrete-event systems that are modeled by Petri nets. The use of Petri nets instead of automata offers potential advantages in system modeling and analysis, especially in terms of the distributed representation of the system state and of the ability to represent coupling of system components by means of common places. Systems possessing modular structures are receiving more and more attention in the recent literature on diagnosis, verification, and control of discrete-event systems; see, e.g., [12, 3, 5, 15, 60]. The suitability of Petri nets to model distributed systems was a key motivation for the use of Petri net structures in the work in [3] on alarm supervision in telecommunication networks. The same consideration motivates our choice of Petri net structures as a means to mitigate the combinatorial explosion that occurs when modular models are converted to monolithic ones. Our approach is different from that in related work such as [12, 3, 60, 59], and thus our work is complementary to these references.

Our objectives in the case of the modular approach are: (i) to perform on-line diagnosis of faults in each module and (ii) to recover the monolithic diagnosis information obtained when all the modules in the system are combined into a single module that preserves the behavior of the underlying modular system. The first objective requires a Petri net diagnoser to be attached to each module in the system. Each Petri net diagnoser has local information on the structure of the module, and observes and diagnoses the fault types of the module it is attached to. The diagnoser has shared information on its places that are coupled with other modules in the system. The second objective requires the Petri net diagnosers to communicate among each other. Each communicating Petri net diagnoser sends messages to the diagnosers it is coupled with when a change occurs in the shared information (i.e., a change in the token count of common places) upon observation of an event. The communication of messages triggers the other diagnosers to update their diagnosis information based on the change in the shared information. The communication and update of the diagnosis information are the two key features that allow the modular diagnosis approach to correctly recover the monolithic diagnosis information. In general, a modular approach that does not consider the coupling of modules through shared information incorrectly estimates the monolithic diagnosis information. We present in Figure 3.1 the general architecture of the modular diagnosis approach described so far.

Figure 3.1: General architecture of modular diagnosis approach. [Block diagram: modules #1 to #M of the system model emit observations $\Sigma_{o,1}, \ldots, \Sigma_{o,M}$ to diagnosers 1 to M, which exchange messages over a communication channel and output diagnostics.]

The remainder of this chapter is organized as follows. In Section ??, we start with a brief summary of the terms used throughout the chapter. In Section 3.2, we state the problem of fault diagnosis. The distributed diagnosis algorithm is based on communicating Petri net diagnosers; the structure and dynamics of communicating Petri net diagnosers are defined in Section 3.3. In Section 3.4, we present the first version of our distributed algorithm with communication for diagnosing systems composed of $M \geq 2$ modules, DDC-M. For the sake of clarity of presentation, this initial version does not use encoding of messages. In Section 3.6, we state results about the correctness of DDC-M. In Section 3.7, we present DDC-M with fixed-size message labels. In Section 3.8, we study an example of a Heating, Ventilation and Air-Conditioning system, which consists of a valve, a pump and a load module. Finally, in Section 4.6, we give some concluding remarks.

3.2 Problem Statement

As was mentioned in the introduction, the system to be diagnosed is modeled as a collection of Petri nets (modules) coupled with each other through common places. The choice of Petri nets to model a system with a modular structure is a natural one. Examples of Petri nets coupled by means of common places, hereafter called place-bordered Petri nets, are found in many industrial applications such as automated manufacturing and communication systems; see, e.g., [65, 66, 17, 46]. Formally, the system to be diagnosed is the set $S$ of place-bordered Petri nets defined as

$$S = \{(M_m, P_m) : m = 1, 2, \ldots, M\} \tag{3.1}$$

where

$$M_m = (N_m, \Sigma_m, l_m, x_0^m) \tag{3.2}$$

is a labeled Petri net and

$$P_m = \{P_{m,i} \subseteq P_m : i = 1, 2, \ldots, M \text{ and } i \neq m\} \tag{3.3}$$

is a set of subsets of $P_m$, where each subset $P_{m,i}$ is the set of common places between module $m$, $M_m$, and module $i$, $M_i$. By definition, the transition sets of the $N_m$ Petri net graphs are mutually disjoint. We assume that the place-bordered Petri nets in the system operate as a single entity. Intuitively speaking, there is a global clock that sets the order in which the modules execute their observable events during the operation of the system.

We present in Figure 3.2 a conceptual view of a system of six place-bordered nets. In the figure, we draw dashed lines between the modules and put the common places on these dashed lines to illustrate the fact that the modules are isolated from each other except for the common places. We present in Figure 3.3 the implementation of the modular approach on a system of six place-bordered Petri nets. In the figure, we illustrate with a box the communicating Petri net diagnoser attached to a module, and with the arrows drawn between the diagnosers the communication channels linking the diagnosers that have common places.

Figure 3.2: System with six place-bordered nets. Each module #1 to #6 is a labeled Petri net (a subnetwork or subprocess) made of transitions, arcs and isolated places; the modules are coupled only through the common places drawn on the dashed borders between them.

Figure 3.3: System with six place-bordered nets, with a communicating Petri net diagnoser $D_1, \ldots, D_6$ attached to each module; the arrows between the diagnosers are the communication channels.

The modular approach has a certain amount of robustness over the monolithic one, since each diagnoser in the modular approach has only local knowledge of the monolithic system. The approach also has practical advantages in the sense that the modules are isolated from each other and do not share any structural information. When replacing one or several modules in the system, the rest of the modules in the system and the corresponding diagnosis devices stay the same as long as the shared information is not changed.

In the rest of the chapter, we present in detail our modular diagnosis approach that achieves the objectives described in the introduction and restated in this section. We also define a method that implements a coding technique to reduce the size of the

messages communicated while still recovering the monolithic diagnosis information.

3.3 Communicating Petri Net Diagnosers

As is the case for a Petri net diagnoser, a communicating Petri net diagnoser, upon observation of an event, estimates the states the system could be in and the faults that may have occurred. Moreover, a communicating Petri net diagnoser has a priori information on its common places with the other (neighbor) modules in the system. The communicating Petri net diagnoser memorizes the history of changes on the common places for each neighbor module and stores this history in the diagnoser state during the operation of the system. Since it is this history of changes that is communicated between the diagnosers, we call the corresponding part of the diagnoser state the message label. Thus, in general, a communicating Petri net diagnoser state contains three parts: (i) a set of system states, (ii) a fault label, and (iii) a message label for each neighbor module. In the case of a single module, the diagnoser state does not have the message label part, since there is no other module to communicate with.

We now present the formal definitions of the structure and the dynamics of communicating Petri net diagnosers. We also restate the required knowledge on Petri net diagnosers to form a complete set of equations correctly describing communicating Petri net diagnosers. In order to perform modular diagnosis, we assume the following three conditions on the place-bordered Petri nets: (i) for each module $M_m \in S$, there exists another module $M_n \in S$ such that the set of common places between $M_m$ and $M_n$, $P_{m,n}$, is not the empty set; (ii) $\forall M_m, M_n \in S$ with $m \neq n$, $\Sigma_m \cap \Sigma_n = \emptyset$; (iii) $\forall M_m \in S$, $\forall t \in T_m$, if $t$ puts tokens into or removes tokens from $P_{m,n}$ for some $M_n \in S$, then

$l_m(t) \in \Sigma_{o,m}$. The motivation for labeling the transitions that put tokens into or remove tokens from the common places with observable events is to allow communication between diagnosers to be triggered by observable events.

As was explained in Section 3.2, we attach a communicating Petri net diagnoser to each module in the set $S$ of place-bordered Petri nets that form the system (see, e.g., Figure 3.3). We denote the diagnoser attached to module $(M_m, P_m)$ by the pair $(D_m, P_m)$, where $D_m = (N_m, \Sigma_m, l_m, x_{d,0}^m, \Delta_{f,m})$, $\Delta_{f,m}$ is the set of fault types of $D_m$, and $P_m$ is as defined in Equation (3.3). The set of communicating Petri net diagnosers for the set of place-bordered Petri nets $S$ is denoted by $S_D$. The type of communicating Petri net diagnosers we study in this chapter was first defined in [22]. The communicating Petri net diagnosers in this chapter differ from those in [22] in terms of the structure of the message labels. We present the salient features of these diagnosers.

The diagnoser state $x_d^m$ of module $D_m \in S_D$ is a matrix of the form

$$x_d^m = \big[\; x_s^m(i) \;\; x_f^m(i) \;\; x_l^m(i) \;\big], \tag{3.4}$$

where, as in the case of Petri net diagnosers, $x_s^m(i)$ denotes the state in row $i$ of the diagnoser state $x_d^m$ and $x_f^m(i)$ denotes the corresponding fault label; different from the Petri net diagnoser case, $x_l^m(i)$ denotes the corresponding message label. The state part $x_s^m(i)$ of each row $i$ corresponds to one possible state of $M_m$ following the occurrence of the observed sequence of events.

The diagnoser state transition function of $D_m \in S_D$ is of the form $f_{d,m} : X_d^m \times \Sigma_{o,m} \to X_d^m$, where $X_d^m$ is the state space of $D_m$. Given the diagnoser state $x_d^m \in X_d^m$ and the observable event $a \in \Sigma_{o,m}$, $f_{d,m}(x_d^m, a)$ is defined only if there exists some $t \in T_m$ labeled with the observable event $a$ and enabled from the state part of some row $i$ of $x_d^m$. In that case, $f_{d,m}(x_d^m, a)$ is the listing of the elements in the set

$$\bigcup_{u \in S_m(x_d^m, a)} UR_m(u), \tag{3.5}$$

where: (i) $S_m(x_d^m, a)$ is the set of states, with the corresponding fault and message labels, reached from the rows of $x_d^m$ by firing transitions labeled with the observable event $a$ in $M_m$; and (ii) $UR_m(u)$ is the set of states, with the corresponding fault and message labels, reached from $u$ by firing the enabled transitions labeled with unobservable events. Let there be $I$ rows in $x_d^m$. Formally, we have

$$S_m(x_d^m, a) = \bigcup_{1 \le i \le I} \;\bigcup_{t \in B_m(x_d^m(i), a)} \Big\{ (u_s^m \;\; u_f^m \;\; u_l^m) : u_s^m = f_m(x_s^m(i), t),\; u_f^m = x_f^m(i),\; \forall M_n \in S \setminus \{M_m\} \text{ such that } P_{m,n} \neq \emptyset,\; u_l^m(P_{m,n}) = [\, x_l^m(i, P_{m,n}) \cdot W(P_{m,n}, t) \,] \Big\}, \tag{3.6}$$

where $B_m(x_d^m(i), a)$ is the set of $t \in T_m$ enabled from $x_d^m(i)$ and labeled with $a \in \Sigma_{o,m}$, $W(P_{m,n}, t)$ is the weighting vector of $t$ restricted to the common places $P_{m,n}$ of $M_m$ and $M_n$ (the net change in the token count of those places when $t$ fires), and $\cdot$ denotes concatenation: the message label for $P_{m,n}$ is the sequence of changes applied to $P_{m,n}$, in the order in which they occurred. We define the unobservable reach for each $u \in S_m(x_d^m, a)$ as

$$UR_m(u) = \Big\{ (y_s \;\; y_f \;\; y_l) : \exists t \in T_m^*,\; l_m(t) \in \Sigma_{uo,m}^*,\; y_s = f_m(u_s, t),\; \forall k \in \Delta_{f,m}:\; y_f(k) = \begin{cases} 1, & \text{if } l_m(t) \text{ contains an event in } \Sigma_{F_k}, \\ u_f(k), & \text{otherwise,} \end{cases} \;\text{ and } y_l = u_l \Big\}. \tag{3.7}$$

Fault labels are used as in automata diagnosers to memorize the occurrence of a fault event in the diagnoser state. Overall, in the fault label of a diagnoser state, each

column corresponds to a fault type. Examination of a given column of the fault label in a diagnoser state reveals the current status of the diagnosis of the corresponding fault type (say $F_k$): (i) all rows have label 0 implies that a fault of type $F_k$ did not occur; (ii) some rows have label 0 and some rows have label 1 implies that a fault of type $F_k$ possibly occurred ($F_k$-uncertain state in the terminology of [55]); (iii) all rows have label 1 implies that a fault of type $F_k$ occurred for sure ($F_k$-certain state in the terminology of [55]).

The definition of the message label is embedded in Equations (3.6) and (3.7). This is because the message label is based on the state evolution of the labeled Petri net and is formed using the structure of the Petri net graph. For convenience, we divide the message label into different parts, where each part pertains to the common places (if any) between two given modules. We now present an example to illustrate the main notions and notation introduced in this section.

Example 1. Suppose that $M_m$ and $M_n$ are two coupled modules in $S$. The diagnoser state $x_d^m$ of $D_m$ is of the following form:

$$x_d^m = \begin{bmatrix} a_1 & h_1 & \alpha_1 : \gamma_1 \\ a_2 & h_2 & \alpha_2 : \gamma_2 \end{bmatrix}, \tag{3.8}$$

where the three columns are the state part $x_s^m$, the fault label $x_f^m$ and the message label $x_l^m$; $\alpha_i$, for $i = 1, 2$, denotes the part $x_l^m(P_{m,n})$ of the message label between the modules $D_m$ and $D_n$, and $\gamma_i$, for $i = 1, 2$, denotes the message labels for all modules $M_{n'} \in S$ that are coupled with $M_m$ with $n' \neq n$. Suppose that the event $\sigma_o \in \Sigma_{o,m}$ is observed and the next diagnoser state of $D_m$ is $y_d^m = f_{d,m}(x_d^m, \sigma_o)$. Let $t_1$ and $t_2$ be enabled from the first and second row of $x_d^m$, respectively, with $l_m(t_1) = l_m(t_2) = \sigma_o$, i.e., $t_i \in B_m(x_d^m(i), \sigma_o)$ for $i = 1, 2$. Let $w_i = W(P_m, t_i)$ and $w_i(P_{m,n}) = W(P_{m,n}, t_i)$ for $i = 1, 2$. In words, $w_i$ denotes the difference between the number of tokens put into and removed from the places of $M_m$ when $t_i$ is fired from $a_i$, and $w_i(P_{m,n})$ denotes the part of $w_i$ that corresponds to the common places between $M_m$ and $M_n$. Then, the set of states reached from $a_i$ by firing the transition $t_i$ labeled with the observable event $\sigma_o$ is formed by Equation (3.6) as follows:

$$S_m(x_d^m, \sigma_o) = \{ (a_1 + w_1 \;\; h_1 \;\; \alpha_1 \cdot w_1(P_{m,n}) : \gamma_1'),\; (a_2 + w_2 \;\; h_2 \;\; \alpha_2 \cdot w_2(P_{m,n}) : \gamma_2') \},$$

where $\gamma_i'(P_{m,n'}) = [\gamma_i(P_{m,n'}) \cdot w_i(P_{m,n'})]$ for $i = 1, 2$ and for all modules $M_{n'} \in S$ coupled with $M_m$ except $M_n$. Suppose that there exists $t_i' \in T_m$ with $l_m(t_i') \in \Sigma_{uo,m}$ such that $t_i'$ is enabled from $a_i + w_i$, for $i = 1, 2$. Let $w_i' = W(P_m, t_i')$ and $w_i'(P_{m,n}) = W(P_{m,n}, t_i')$ for $i = 1, 2$. Then, the unobservable reach defined by Equation (3.7) is

$$UR_m(S_m(x_d^m, \sigma_o)) = \{ (a_1 + w_1 \;\; h_1 \;\; \alpha_1 \cdot w_1(P_{m,n}) : \gamma_1'),\; (a_2 + w_2 \;\; h_2 \;\; \alpha_2 \cdot w_2(P_{m,n}) : \gamma_2'),\; (a_1 + w_1 + w_1' \;\; h_1' \;\; \alpha_1 \cdot w_1(P_{m,n}) : \gamma_1'),\; (a_2 + w_2 + w_2' \;\; h_2' \;\; \alpha_2 \cdot w_2(P_{m,n}) : \gamma_2') \}, \tag{3.9}$$

where, for all $k \in \Delta_{f,m}$ and $i = 1, 2$, $h_i'(k) = 1$ if $l_m(t_i')$ contains an event in $\Sigma_{F_k}$, and $h_i'(k) = h_i(k)$ otherwise. The unobservable reach does not result in a change in the message labels, since by assumption (iii) the transitions removing tokens from or putting tokens into common places are labeled with observable events, so that $w_i'(P_{m,n}) = \mathbf{0}$. As stated in Equation (3.5), the next diagnoser state $y_d^m = f_{d,m}(x_d^m, \sigma_o)$ is the listing of the elements of $UR_m(S_m(x_d^m, \sigma_o))$ in Equation (3.9).

The module and the corresponding diagnoser have the same Petri net graph. Since the modules do not have disjoint sets of places, they can affect each other's states via the common (shared) places. If the diagnosers are not informed of each other's token additions and removals on the common places, then they incorrectly estimate the monolithic diagnoser state and, thus, the fault information. As stated in the previous sections, we overcome this problem by defining a communication protocol between the diagnosers.

In the following section, when we define the communication protocol, we will need the following notation for prefixes and suffixes of message labels. Suppose $y_d^m = f_{d,m}(x_d^m, a)$ for some $x_d^m \in X_d^m$ and $a \in \Sigma_{o,m}$. Then, for some $M_n \in S$ and rows $i$, $j$ of $x_d^m$, $y_d^m$, respectively, if $y_l^m(j, P_{m,n}) = (x_l^m(i, P_{m,n}) \cdot W(P_{m,n}, t))$, then $y_l^m(j, P_{m,n}).Pfx = x_l^m(i, P_{m,n})$ and $y_l^m(j, P_{m,n}).Sfx = W(P_{m,n}, t)$.

3.4 Communication Protocol

We now formalize our DDC-M algorithm for distributed diagnosis with communicating Petri net diagnosers. At this point, we present a version of DDC-M where messages grow each time an observable event forces a communication. The purpose of presenting this version of DDC-M is to illustrate the key features of our approach to distributed diagnosis with communication. In Section 3.7, we present a modified version of DDC-M with messages of fixed size, which is much preferable for implementation purposes.

DDC-M is composed of Algorithms 1 and 2, which are presented below. Algorithm 1 pertains to diagnoser state updates and, if necessary, generation of messages

upon occurrence of an observable event at one module. Algorithm 2 pertains to diagnoser state updates upon reception of a message from another module. Pseudo-code descriptions of Algorithms 1 and 2 are given in the tables below. We provide some explanations for the different lines in these two algorithms.

Algorithm 1: Line 1 considers that an observable event $\sigma_{o_r}$ has occurred. The module at which the event occurs is identified in line 2 and is called the master module hereafter. In line 3, the diagnoser state of the master module is updated for the observed event according to the diagnoser state transition function. Then, all other modules that have common places with the master module, referred to as the neighbor modules hereafter, need to be considered (line 4). For those neighbor modules whose common places with the master module were affected (addition and/or removal of tokens) by the execution of the observable event, lines 6-12 need to be performed. (Recall the assumption that transitions into and out of common places are labeled by observable events.) In lines 6-12, the appropriate message for the communication from the master module to the neighbor module is constructed. This message consists of the message labels of the relevant rows of the master's diagnoser state, namely the rows for which tokens were removed and/or added in common places. Note that each row of the message is composed of a prefix (the previous message label) and a suffix (the most recent update on the common places). The effect of a message on the diagnoser state of the neighbor module is captured by the function UDSC in line 13, which is evaluated by Algorithm 2.

Algorithm 2: The algorithm is triggered by the reception of a message by a given module, which results in an update of the diagnoser state at that module. The new diagnoser state is initialized in line 1. Then, the algorithm loops over the rows of the prefix part of the message received (line 2) and over the rows of the current message label in the diagnoser state (line 3) in order to find matches (line 4). Each match triggers the construction of a new row for the module's updated diagnoser state (lines 5 to 9). The construction of this row involves using the suffix of the message received to update the state of the common places affected, leaving the states of the other places unchanged (line 5). The fault label of the new row is carried over from that of the row that triggered the match, since the event involved in the transition is an observable event (line 6). The suffix of the message received is appended to the appropriate part of the message label of the new row (line 7), while the rest of the message label is carried over (lines 8 and 9). The complete row constructed as described is added to the updated diagnoser state (line 11). The listing of all rows constructed by the above process for all matches in line 4 is the value returned by the function UDSC. Note that it is not necessary to perform the unobservable reach, since we assume that transitions out of common places are labeled by observable events.

Algorithm 1 Distributed Diagnosis with Communication
1: Upon occurrence of an observable event $\sigma_{o_r}$
2: Find $M_m$ such that $\sigma_{o_r} \in \Sigma_m$
3: $x_{d,r}^m \leftarrow f_{d,m}(x_{d,r-1}^m, \sigma_{o_r})$
4: for all $D_n \in S_D$ such that $P_{m,n} \neq \emptyset$ do
5:   if $\{W(P_{m,n}, t) : t \in B_m(x_{d,r-1}^m, \sigma_{o_r})\} \neq \{\mathbf{0}\}$ then
6:     $Mesg_{m,n} \leftarrow \{\}$
7:     for all $j = 1$ : Number of rows of $x_{l,r}^m$ do
8:       $Mesg_{m,n}.Pfx(j) \leftarrow x_{l,r}^m(j, P_{m,n}).Pfx$
9:       $Mesg_{m,n}.Sfx(j) \leftarrow x_{l,r}^m(j, P_{m,n}).Sfx$
10:      $Mesg_{m,n}(j) \leftarrow (Mesg_{m,n}.Pfx(j),\; Mesg_{m,n}.Sfx(j))$
11:    end for
12:    Send all different rows of $Mesg_{m,n}$
13:    $x_{d,r}^n \leftarrow UDSC(x_{d,r-1}^n, Mesg_{m,n})$
14:  end if
15: end for

We present an illustrative example to better understand the steps of Algorithms 1 and 2.

Algorithm 2 Update of Diagnoser State upon Communication
Require: $x_{d,r-1}^n$, $Mesg_{m,n}$
1: $X_{d,r}^n \leftarrow \{\}$
2: for all $i = 1$ : Number of rows of $Mesg_{m,n}.Pfx$ do
3:   for all $j = 1$ : Number of rows of $x_{l,r-1}^n(P_{m,n})$ do
4:     if $Mesg_{m,n}.Pfx(i) == x_{l,r-1}^n(j, P_{m,n})$ then
5:       $y_s(P_{m,n}) \leftarrow x_{s,r-1}^n(j, P_{m,n}) + Mesg_{m,n}.Sfx(i)$, $\;\; y_s(P_n \setminus P_{m,n}) \leftarrow x_{s,r-1}^n(j, P_n \setminus P_{m,n})$
6:       $y_f \leftarrow x_{f,r-1}^n(j)$
7:       $y_l(P_{m,n}) \leftarrow (x_{l,r-1}^n(j, P_{m,n}) \cdot Mesg_{m,n}.Sfx(i))$
8:       for all $D_q \in S_D \setminus \{D_m\}$ such that $P_{n,q} \neq \emptyset$ do
9:         $y_l(P_{n,q}) \leftarrow x_{l,r-1}^n(j, P_{n,q})$
10:      end for
11:      $X_{d,r}^n \leftarrow X_{d,r}^n \cup \{[\, y_s \;\; y_f \;\; y_l \,]\}$
12:    end if
13:  end for
14: end for
15: $UDSC(x_{d,r-1}^n, Mesg_{m,n}) \leftarrow$ Listing of the set $X_{d,r}^n$

Example 2. Suppose that $M_m$ and $M_n$ are two coupled modules in $S$. The diagnoser states $x_d^m$ and $x_d^n$ of $D_m$ and $D_n$, respectively, are given as follows:

$$x_d^m = \begin{bmatrix} a_1 & h_1 & \alpha_1 : \gamma_1 \\ a_2 & h_2 & \alpha_2 : \gamma_2 \end{bmatrix}, \tag{3.10}$$

where $\alpha_i$, for $i = 1, 2$, denotes the part $x_l^m(P_{m,n})$ of the message label between the modules $D_m$ and $D_n$ (i.e., for $P_{m,n}$), and $\gamma_i$, for $i = 1, 2$, denotes the message labels for all $D_{n'} \in S_D$ that $D_m$ is coupled with except $D_n$;

$$x_d^n = \begin{bmatrix} b_1 & k_1 & \beta_1 : \delta_1 \\ b_2 & k_2 & \beta_2 : \delta_2 \end{bmatrix}, \tag{3.11}$$

where $\beta_i$, for $i = 1, 2$, denotes the part $x_l^n(P_{m,n})$ of the message label between the modules $D_m$ and $D_n$, and $\delta_i$, for $i = 1, 2$, denotes the message labels for all $D_{m'} \in S_D$ that $D_n$ is coupled with except $D_m$.

Suppose that the event $\sigma_o \in \Sigma_{o,m}$ is observed. Then the new diagnoser state $y_d^m = f_{d,m}(x_d^m, \sigma_o)$ of $D_m$ is constructed as shown in Example 1 and is of the form

$$y_d^m = \begin{bmatrix} a_1 + w_1 & h_1 & \alpha_1 \cdot w_1(P_{m,n}) : \gamma_1' \\ a_2 + w_2 & h_2 & \alpha_2 \cdot w_2(P_{m,n}) : \gamma_2' \\ a_1 + w_1 + w_1' & h_1' & \alpha_1 \cdot w_1(P_{m,n}) : \gamma_1' \\ a_2 + w_2 + w_2' & h_2' & \alpha_2 \cdot w_2(P_{m,n}) : \gamma_2' \end{bmatrix}. \tag{3.12}$$

Suppose that $w_i(P_{m,n})$, for $i = 1, 2$, are not vectors of zeros. That is, the occurrence of $\sigma_o$ results in a change in the token distribution of the common places between the modules $D_m$ and $D_n$. Then, the occurrence of $\sigma_o$ triggers a communication between $D_m$ and $D_n$. Since by assumption $\sigma_o \in \Sigma_{o,m}$, $D_m$ is the master module. Thus, upon occurrence of $\sigma_o$, $D_m$ sends a message to $D_n$. The message is the message label of $D_m$ for $D_n$. The message label, extracted from the diagnoser state $y_d^m$ in Equation (3.12) (rows 3 and 4 repeat the labels of rows 1 and 2, and only the different rows are sent), is as follows:

$$y_l^m(P_{m,n}) = \begin{bmatrix} \alpha_1 \cdot w_1(P_{m,n}) \\ \alpha_2 \cdot w_2(P_{m,n}) \end{bmatrix}. \tag{3.13}$$

Suppose that $\beta_1 = \alpha_1$ and $\beta_2 = \alpha_2$. Upon reception of the message, $D_n$ updates $x_d^n$ to $y_d^n$ based on the message from $D_m$ (as defined in Algorithm 2) as follows:

$$y_d^n = \begin{bmatrix} b_1' & k_1 & \beta_1 \cdot w_1(P_{m,n}) : \delta_1 \\ b_2' & k_2 & \beta_2 \cdot w_2(P_{m,n}) : \delta_2 \end{bmatrix}, \tag{3.14}$$

where $b_i'(P_{m,n}) = b_i(P_{m,n}) + w_i(P_{m,n})$ and $b_i'(P_n \setminus P_{m,n}) = b_i(P_n \setminus P_{m,n})$ for $i = 1, 2$, and

$$y_l^n(P_{m,n}) = \begin{bmatrix} \beta_1 \cdot w_1(P_{m,n}) \\ \beta_2 \cdot w_2(P_{m,n}) \end{bmatrix} \tag{3.15}$$

is the updated message label for $D_n$. The fault labels $y_f^n$ and $x_f^n$ are the same, since by assumption the fault types of the modules are disjoint and the transitions removing tokens from or putting tokens into the common places are labeled with observable events.

3.5 Monolithic Petri Net Diagnosers

A brief review of the section on monolithic Petri net diagnosers in [22] is required for completeness of the results presented in Section 3.6. If the set of place-bordered nets is a singleton, then we say that the system to be diagnosed is monolithic and the corresponding diagnoser is a monolithic Petri net diagnoser. Monolithic Petri net diagnosers have states that do not carry message labels, since those are not needed in that case. We may form a monolithic system by combining the modules in a set of place-bordered nets. Formally, we have $C_S = (P, T, A, w, \Sigma, l, x_0)$, where $S = \{(M_m, P_m) : m = 1, 2, \ldots, M\}$. We form the set of places of the monolithic system as $P = \bigcup_{m \in \{1, 2, \ldots, M\}} P_m$, and similarly for $T$, $A$ and $\Sigma$. For each module $M_m \in S$, we have $w|_{A_m} = w_m$, $l|_{T_m} = l_m$, and $x_0(P_m) = x_0^m$. We denote the monolithic Petri net diagnoser of $C_S$ by $C_{d,S}$.

3.6 Correctness Results

In this section, we present correctness results for DDC-M, together with their proofs. The following lemma shows that, if for some rows of the diagnoser states of two place-bordered modules the message labels are the same, then for those rows the state information of the common places between those two modules must be the same. Later in the section,

we use the result of Lemma 3 to define the merge operation that leads to the main result of the section.

Lemma 3. Given the set of place-bordered nets $S$ and the set of corresponding diagnosers $S_D$, let $\{x_{d,r}^m : m = 1, 2, \ldots, M\}$ be the set of diagnoser states of the modules $D_m \in S_D$ after the sequence $\sigma_{o_1} \sigma_{o_2} \ldots \sigma_{o_r}$ of observable events, where $r \in \mathbb{N}$. For all $D_m, D_n \in S_D$ such that $P_{m,n} \neq \emptyset$, if $x_{l,r}^m(i_m, P_{m,n}) = x_{l,r}^n(i_n, P_{m,n})$ for some rows $i_m$ and $i_n$, then $x_{s,r}^m(i_m, P_{m,n}) = x_{s,r}^n(i_n, P_{m,n})$.

Proof of Lemma 3. The proof of the lemma is by construction of DDC-M, defined by Algorithms 1 and 2, and by induction on the observed sequence of events.

Base ($r = 0$): By construction, $x_{l,0}^m(i, P_{m,n}) = x_{l,0}^n(j, P_{m,n}) = [\,]$ for all rows $i$ and $j$ of $x_{l,0}^m(P_{m,n})$ and $x_{l,0}^n(P_{m,n})$, and $x_{s,0}^m(i_m, P_{m,n}) = x_{s,0}^n(i_n, P_{m,n})$ for any rows $i_m$ and $i_n$.

Hypothesis ($r = R - 1$): Suppose that if $x_{l,r-1}^m(i_m, P_{m,n}) = x_{l,r-1}^n(i_n, P_{m,n})$ for some rows $i_m$ and $i_n$, then $x_{s,r-1}^m(i_m, P_{m,n}) = x_{s,r-1}^n(i_n, P_{m,n})$.

Step ($r = R$): We show that if $x_{l,r}^m(i_m, P_{m,n}) = x_{l,r}^n(i_n, P_{m,n})$ for some rows $i_m$ and $i_n$, then $x_{s,r}^m(i_m, P_{m,n}) = x_{s,r}^n(i_n, P_{m,n})$. If $\sigma_{o_r}$ is neither in $\Sigma_{o,m}$ nor in $\Sigma_{o,n}$, then by Algorithm 1 the diagnoser states of the previous iteration $r = R - 1$ stay the same, and the induction step follows from the induction hypothesis. If $\sigma_{o_r}$ is either in $\Sigma_{o,m}$ or in $\Sigma_{o,n}$, then without loss of generality suppose that $\sigma_{o_r} \in \Sigma_{o,m}$. Then, by line 3 of Algorithm 1 and the definition of the diagnoser state transition function in Equation (3.5), we have

$$x_{d,r}^m = \bigcup_{u \in S_m(x_{d,r-1}^m, \sigma_{o_r})} UR_m(u). \tag{3.16}$$

By Equations (3.6) and (3.7), for some row $x_{d,r}^m(i_m)$ and $u \in S_m(x_{d,r-1}^m, \sigma_{o_r})$,

$$x_{s,r}^m(i_m) = u_s + W_m(t_{uo}), \tag{3.17}$$

where $t_{uo}$ is a sequence of unobservable transitions enabled from $u_s$. For all fault types $k \in \Delta_{f,m}$, if $u_f(k) = 1$, then $x_{f,r}^m(i_m)(k) = 1$. If $u_f(k) = 0$ and there exists a transition in the sequence $t_{uo}$ that is labeled with an event from the set $\Sigma_{F_k,m}$, then $x_{f,r}^m(i_m)(k) = 1$; otherwise $x_{f,r}^m(i_m)(k) = 0$. For the message label we have

$$x_{l,r}^m(i_m, P_{m,n}) = u_l(P_{m,n}). \tag{3.18}$$

Suppose that $u \in S_m(x_{d,r-1}^m, \sigma_{o_r})$ is reached from some row $x_{d,r-1}^m(j_m)$ by firing some transition $t_o \in B_m(x_{d,r-1}^m(j_m), \sigma_{o_r})$ labeled with $\sigma_{o_r}$. Formally, we have

$$u_s = x_{s,r-1}^m(j_m) + W_m(t_o), \tag{3.19}$$

$$u_f = x_{f,r-1}^m(j_m), \tag{3.20}$$

and, for all $D_n \in S_D$ such that $P_{m,n} \neq \emptyset$, if a message is sent,

$$u_l(P_{m,n}) = [\, x_{l,r-1}^m(j_m, P_{m,n}) \cdot W_m(t_o, P_{m,n}) \,], \tag{3.21}$$

otherwise

$$u_l(P_{m,n}) = x_{l,r-1}^m(j_m, P_{m,n}), \tag{3.22}$$

as defined by Equation (3.6). We now consider the following two cases: (1) a message is sent from $D_m$ to $D_n$; (2) no message is sent.

Case (1): In this case, Equation (3.21) holds. When the message is received from $D_m$, by line 4 of Algorithm 2, if there exists a row $j_n$ such that $Mesg_{m,n}.Pfx(j_m) = x_{l,r-1}^n(j_n, P_{m,n})$, then by line 8 of Algorithm 1 $Mesg_{m,n}.Pfx(j_m) = x_{l,r-1}^m(j_m, P_{m,n})$ and by Equation (3.21) $Mesg_{m,n}.Sfx(j_m) = W_m(t_o, P_{m,n})$. Thus, there exist rows $j_n$ and $j_m$ such that

$$x_{l,r-1}^n(j_n, P_{m,n}) = x_{l,r-1}^m(j_m, P_{m,n}). \tag{3.23}$$

Then, the row $x_{d,r-1}^n(j_n)$ is updated to $x_{d,r}^n(i_n)$ by lines 5, 6 and 7 of Algorithm 2 as follows:

$$x_{s,r}^n(i_n, P_{m,n}) = x_{s,r-1}^n(j_n, P_{m,n}) + W_m(t_o, P_{m,n}), \tag{3.24}$$

$$x_{s,r}^n(i_n, P_n \setminus P_{m,n}) = x_{s,r-1}^n(j_n, P_n \setminus P_{m,n}), \tag{3.25}$$

$$x_{l,r}^n(i_n, P_{m,n}) = [\, x_{l,r-1}^n(j_n, P_{m,n}) \cdot W_m(t_o, P_{m,n}) \,]. \tag{3.26}$$

By Equation (3.23) and the induction hypothesis, $x_{s,r-1}^m(j_m, P_{m,n}) = x_{s,r-1}^n(j_n, P_{m,n})$. Thus, by Equations (3.19) and (3.24), $u_s(P_{m,n}) = x_{s,r}^n(i_n, P_{m,n})$. By condition (iii), $W_m(t_{uo}, P_{m,n}) = \mathbf{0}$ in Equation (3.17), and therefore $x_{s,r}^m(i_m, P_{m,n}) = u_s(P_{m,n}) = x_{s,r}^n(i_n, P_{m,n})$. This completes the proof for Case (1).

Case (2): In this case, Equation (3.22) holds, and the diagnoser state of $D_n$ does not change. If $x_{l,r}^m(i_m, P_{m,n}) = x_{l,r}^n(i_n, P_{m,n})$ for some rows $i_m$ and $i_n$, then by Equation (3.22), $x_{l,r-1}^m(j_m, P_{m,n}) = x_{l,r-1}^n(j_n, P_{m,n})$ for some rows $j_m$ and $j_n$, and by the induction hypothesis $x_{s,r-1}^m(j_m, P_{m,n}) = x_{s,r-1}^n(j_n, P_{m,n})$. Since no message is sent, $W_m(t_o, P_{m,n}) = \mathbf{0}$ in Equation (3.19). Thus, $u_s(P_{m,n}) = x_{s,r-1}^m(j_m, P_{m,n}) = x_{s,r-1}^n(j_n, P_{m,n})$. By condition (iii), $W_m(t_{uo}, P_{m,n}) = \mathbf{0}$ in Equation (3.17), so $x_{s,r}^m(i_m, P_{m,n}) = u_s(P_{m,n})$. Since the diagnoser state of $D_n$ does not change, $x_{s,r-1}^n(j_n, P_{m,n})$ is the state part of some row of $x_{d,r}^n$. This completes the proof of Case (2) and hence the lemma.

In view of Lemma 3, we define an operation called merge that combines the diagnoser states of the modules.

Definition 4 (Merge). Given the set of place-bordered nets $S$ and the set of corresponding diagnosers $S_D$, let $x_d^m$ be the diagnoser state of $D_m \in S_D$, for $m = 1, 2, \ldots, M$, after some sequence of observable events. We define the merge operation on these states recursively as follows:

1. Merge of two diagnoser states, $D_m, D_n \in S_D$. There are two cases:

(a) $P_{m,n} = \emptyset$. In this case, for all rows $i_m$, $i_n$ of $x_d^m$ and $x_d^n$, respectively,

$$\big(\, x_s^m(i_m, P_m),\; x_s^n(i_n, P_n) \;\;\; x_f^m(i_m),\; x_f^n(i_n) \,\big) \in Merge(x_d^m, x_d^n),$$

a diagnoser state over the places $P_m \cup P_n$ and the fault types $\Delta_{f,m} \cup \Delta_{f,n}$.

(b) $P_{m,n} \neq \emptyset$. In this case, for all rows $i_m$, $i_n$ of $x_d^m$ and $x_d^n$, respectively, such that $x_l^m(i_m, P_{m,n}) = x_l^n(i_n, P_{m,n})$,

$$\big(\, x_s^m(i_m, P_m),\; x_s^n(i_n, P_n \setminus P_m) \;\;\; x_f^m(i_m),\; x_f^n(i_n) \,\big) \in Merge(x_d^m, x_d^n),$$

again a diagnoser state over $P_m \cup P_n$ and $\Delta_{f,m} \cup \Delta_{f,n}$.

2. Let $D_m, D_n, D_q \in S_D$. Then, $Merge(x_d^m, x_d^n, x_d^q) = Merge(Merge(x_d^m, x_d^n), x_d^q)$.

The intuition behind the merge of the diagnoser states of place-bordered modules is to form composed states by concatenating rows whose message labels match (case 1(b)). This constraint is waived when the modules are not coupled, since all combinations of rows are then possible (case 1(a)). In the rest of this section, we present the relations between the monolithic system formed by combining the modules in a set of place-bordered nets and the distributed diagnosis system where a diagnoser is attached to each place-bordered net and communication is allowed between the diagnosers.
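As an added, executable illustration (not code from the dissertation), the following Python script implements the objects defined up to this point on a constructed two-module system: the diagnoser state transition of Section 3.3 with state, fault and message labels (Equations (3.5)-(3.7), as walked through in Example 1), the message construction of Algorithm 1 and the update function UDSC of Algorithm 2 (Example 2), the monolithic net $C_S$ of Section 3.5, and the merge of Definition 4. Markings are tuples ordered like a module's place list, and the message label for $P_{m,n}$ is the tuple of token-change vectors $W(P_{m,n}, t)$ appended on each communication, so its prefix is the label without its last vector and its suffix is that last vector. The module, place, transition and fault names, the initial marking and the observed sequence $a\,b$ are all assumptions of the example. On that sequence the merge of the two module states coincides with the monolithic diagnoser state, and evaluating $D_n$ on $b$ without the message from $D_m$ returns no rows, which is the incorrect-estimate failure the text warns about.

```python
# Added example, not the dissertation's own code: communicating Petri net diagnosers, the
# DDC-M exchange of Algorithms 1 and 2, the merge of Definition 4, and a check against the
# monolithic diagnoser.  Module, place, transition and fault names below are constructed.
from itertools import product

class Module:  # labeled Petri net module M_m; common[n] is the ordered tuple of places P_{m,n}
    def __init__(self, name, places, trans, obs, faults, common):
        self.name, self.places, self.trans = name, tuple(places), trans  # trans: t -> (label, pre, post)
        self.obs, self.faults, self.common = set(obs), faults, common    # faults: F_k -> labels of type F_k
        self.nbrs, self.fkeys = sorted(common), sorted(faults)           # fixed orders inside a row
    def enabled(self, mk, t):
        return all(mk[self.places.index(p)] >= w for p, w in self.trans[t][1].items())
    def fire(self, mk, t):  # f_m(x, t): remove the pre-weights, add the post-weights
        _, pre, post = self.trans[t]
        return tuple(v - pre.get(p, 0) + post.get(p, 0) for p, v in zip(self.places, mk))
    def delta(self, t, cps):  # W(P_{m,n}, t): net token change of t on the common places cps
        _, pre, post = self.trans[t]
        return tuple(post.get(p, 0) - pre.get(p, 0) for p in cps)

# A diagnoser row is (marking, fault label, message labels), one label per neighbour in m.nbrs order.
def unobs_reach(m, S):  # UR_m (Eq. 3.7): close S under unobservable firings; fault bits switch to 1, labels stay
    reach, stack = set(S), list(S)
    while stack:
        mk, fl, lbl = stack.pop()
        for t, (lab, _, _) in m.trans.items():
            if lab not in m.obs and m.enabled(mk, t):
                y = (m.fire(mk, t), tuple(1 if lab in m.faults[k] else v for k, v in zip(m.fkeys, fl)), lbl)
                if y not in reach:
                    reach.add(y)
                    stack.append(y)
    return reach

def init(m, x0):  # x_{d,0}: x_0 restricted to P_m, fault label 0, empty message labels
    return unobs_reach(m, {(tuple(x0.get(p, 0) for p in m.places), (0,) * len(m.fkeys), ((),) * len(m.nbrs))})

def diag_step(m, state, a):  # f_{d,m} (Eqs. 3.5-3.6); also returns the neighbours whose common places changed
    fired = [(r, t) for r in state for t, (lab, _, _) in m.trans.items() if lab == a and m.enabled(r[0], t)]
    talk = {n for n in m.nbrs if any(any(m.delta(t, m.common[n])) for _, t in fired)}
    S = set()
    for (mk, fl, lbl), t in fired:  # the label for n grows by W(P_{m,n}, t) only when n will get a message
        S.add((m.fire(mk, t), fl, tuple(l + (m.delta(t, m.common[n]),) if n in talk else l
                                        for n, l in zip(m.nbrs, lbl))))
    return unobs_reach(m, S), talk

def udsc(n, state, sender, mesg):  # Algorithm 2: rows whose label for P_{m,n} equals a prefix get its suffix applied
    i, cps, new = n.nbrs.index(sender), n.common[sender], set()
    for pfx, sfx in mesg:
        d = dict(zip(cps, sfx))
        for mk, fl, lbl in state:
            if lbl[i] == pfx:  # only the common places move; the fault label is carried over
                mk = tuple(v + d.get(p, 0) for p, v in zip(n.places, mk))
                new.add((mk, fl, tuple(pfx + (sfx,) if j == i else l for j, l in enumerate(lbl))))
    return new

def observe(mods, states, a):  # Algorithm 1: the master updates, then its touched neighbours are updated
    master = next(m for m in mods if a in m.obs)
    states[master.name], talk = diag_step(master, states[master.name], a)
    for n in talk:  # lines 6-13: send the distinct (prefix, suffix) pairs of the master's labels for n
        mesg = {(l[master.nbrs.index(n)][:-1], l[master.nbrs.index(n)][-1]) for _, _, l in states[master.name]}
        states[n] = udsc(next(m for m in mods if m.name == n), states[n], master.name, mesg)
    return states

def merge(m, n, sm, sn):  # Definition 4(1)(b): concatenate rows of D_m and D_n whose labels for P_{m,n} agree
    i, j, out = m.nbrs.index(n.name), n.nbrs.index(m.name), set()
    for (mk1, fl1, l1), (mk2, fl2, l2) in product(sm, sn):
        if l1[i] == l2[j]:
            mk = dict(zip(n.places, mk2))
            mk.update(zip(m.places, mk1))  # x_s^m(i_m, P_m) together with x_s^n(i_n, P_n \ P_m)
            out.add((tuple(sorted(mk.items())), tuple(sorted(zip(m.fkeys + n.fkeys, fl1 + fl2)))))
    return out

def distributed_vs_monolithic(mods, x0, seq):  # DDC-M + merge versus the monolithic diagnoser of C_S (Section 3.5)
    states = {m.name: init(m, x0) for m in mods}
    for a in seq:
        states = observe(mods, states, a)
    C = Module("C_S", sorted({p for m in mods for p in m.places}), {t: v for m in mods for t, v in m.trans.items()},
               set().union(*(m.obs for m in mods)), {k: v for m in mods for k, v in m.faults.items()}, {})
    xs = init(C, x0)
    for a in seq:
        xs, _ = diag_step(C, xs, a)
    mono = {(tuple(zip(C.places, mk)), tuple(zip(C.fkeys, fl))) for mk, fl, _ in xs}
    return merge(mods[0], mods[1], states[mods[0].name], states[mods[1].name]), mono

# Constructed system: m owns p1, p2 and shares c with n, which owns q1, q2.  t1 (observable a) puts a token
# into c; t2 is an unobservable F1 fault in m; t3 (observable b) takes it out; t4 is unobservable, not a fault.
SHARED = ("c",)  # both modules must list P_{m,n} in the same order
M_m = Module("m", ["p1", "p2", "c"], {"t1": ("a", {"p1": 1}, {"p2": 1, "c": 1}), "t2": ("f1", {"p2": 1}, {"p1": 1})},
             {"a"}, {"F1": {"f1"}}, {"n": SHARED})
M_n = Module("n", ["c", "q1", "q2"], {"t3": ("b", {"c": 1, "q1": 1}, {"q2": 1}), "t4": ("u", {"q2": 1}, {"q1": 1})},
             {"b"}, {}, {"m": SHARED})
X0 = {"p1": 1, "q1": 1}

if __name__ == "__main__":
    merged, mono = distributed_vs_monolithic([M_m, M_n], X0, ["a", "b"])
    print("merge == monolithic:", merged == mono, "| D_n alone explains b:", bool(diag_step(M_n, init(M_n, X0), "b")[0]))
```

Each call to `observe` is one round of DDC-M (one observable event, the master's update, and the messages it triggers); `udsc` performs no unobservable reach, matching the remark after Algorithm 2. The unobservable reach is computed as a set closure, so the script assumes bounded modules, as the chapter's diagnosers do. After `a` the label of both rows of $D_m$ for $P_{m,n}$ is $((1),)$, i.e., one token added to $c$, and that is exactly the (prefix $()$, suffix $(1)$) message that lets $D_n$ move its token into $c$; after `b` the roles are reversed and the suffix $(-1)$ travels back to $D_m$.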

55 43 In the following lemma, we state that if a sequence of observable events is feasible in the monolithic system, then the merge of the diagnoser states of the place-bordered modules will not result in an empty set. Lemma 5. Given the set of place-bordered nets S, and the set of corresponding diagnosers S D, let {x m d,r : m = 1, 2,..., M} be the set of diagnoser states of the modules D m S D and C S be the the monolithic Petri net formed by combining the modules in S where r N. If the sequence of observable events σ o1 σ o2... σ or is feasible in C S, then Merge(x m d,r : D m S D ). of Lemma 5. Base (r=0). By construction of the initial diagnoser states {x m d,0 : m = 1, 2,..., M}, Merge(x m d,0 : D m S D ). Hypothesis (r=r-1). If the sequence of observable events σ o1 σ o2... σ or 1 is feasible in C S, then Merge(x m d,r 1 : D m S D ). Step (r=r). If the sequence of observable events σ o1 σ o2... σ or is feasible in C S, then Merge(x m d,r : D m S D ). Proof of Induction Step: Suppose that σ o1 σ o2... σ or is a feasible sequence in C SD. Then, σ o1 σ o2... σ or 1 is a feasible sequence. Thus, by the induction hypothesis (since Merge(x m d,r 1 : D m S D ) ) x m l,r 1 (j m, P m,n ) = x n l,r 1 (j n, P m,n ) for some j m and j n, and any module D m and D n in S D. Without loss of generality, we assume that σ or Σ o,m. Since σ or is enabled in C SD, then σ or is also enabled in the module D m S D. We now differentiate between the two cases: Upon observation of σ or, (1) a message is sent from D m to some module D n S D such that P m,n, or (2) no message is sent. Case (1): By the induction hypothesis, Line 4 of Algorithm 2 holds. Thus, x m l,r (i m, P m,n ) = x n l,r (i n, P m,n ) for some i m and i n for all D n S D such that P m,n.

56 44 Case (2): If there is no communication, then x m l,r (i m, P m,n ) = x m l,r 1 (j m, P m,n ) for all D m S D. Thus, by induction hypothesis x m l,r (i m, P m,n ) = x n l,r (i n, P m,n ) for some i m and i n for all D m, D n S D such that P m,n =. By combining Case (1) and (2), and the definition of merge operation, we form Merge(x m d,r : D m S D ). The following theorem states that DDC-M is correct in the sense that the merge operation recovers the corresponding monolithic diagnoser state. That is, when the token distribution of a set of common places changes, the change in the token distribution and the past history along which the change has occurred is sent via message labels. Thus, in a way, message labels not only record the history of changes but also create a common knowledge of shared history among the modules in the system. Then, if we concatenate rows whose message labels match as it is defined by the merge operation, we combine exactly the rows with the very same history and form the monolithic diagnoser state. Theorem 6. Given the set of place-bordered nets S, and the set of corresponding diagnosers S D, let {x m d,r : m = 1, 2,..., M} be the set of diagnoser states of the modules D m S D and X d,r be the set of states of the monolithic diagnoser state x d,r of C S after observation of the feasible sequence σ o1 σ o2... σ or where r N. Then, Merge(x m d,r : D m S D ) = X d,r. of Theorem 6. The proof of the theorem is by construction of DDC-M defined by Algorithms 1 and 2, and induction on the observed sequence of events. Base (r=0). The proof is by construction of C S and assumption (iii). By construction x 0 (P m ) = x m 0 for any D m S D. Suppose we pick some D m. Then, by

assumption (iii), since the transitions removing tokens from or putting tokens into the common places are labeled with unobservable events, for all $D_n \in S_D$ with which $D_m$ is place-bordered we have $UR(x_0(P_{m,n})) = x_0(P_{m,n})$. Thus, $UR(x_0(P_m)) = UR(x^m_0)$ and no message label is created. By definition of the diagnoser state transition function in Equation (3.5), $x_{d,0}$ is the listing of the elements in $UR(x_0(P_m))$. This completes the proof of the base case.

Hypothesis ($r - 1$). $\mathrm{Merge}(\{x^m_{d,r-1} : D_m \in S_D\}) = X_{d,r-1}$.

Step ($r$). $\mathrm{Merge}(\{x^m_{d,r} : D_m \in S_D\}) = X_{d,r}$.

Proof of the induction step. We show set inclusion in both directions.

($\subseteq$): By Lemma 5, there exists some $y \in \mathrm{Merge}(\{x^m_{d,r} : D_m \in S_D\})$ such that
$$y_s(P_m) = x^m_{s,r}(i_m), \qquad (3.27)$$
$$y_f({}_{f,m}) = x^m_{f,r}(i_m) \qquad (3.28)$$
for each $D_m \in S_D$. Without loss of generality we assume that $\sigma_{or} \in \Sigma_{o,m}$. We distinguish two cases: (1) a message is sent from $D_m$ to $D_n$ such that $P_{m,n} \neq \emptyset$; (2) no message is sent.

Case (1): If there exists a place-bordered net $D_n$ such that $P_{m,n} \neq \emptyset$, then there exists some row $j_n$ of the diagnoser state of $D_n$ such that, for some row $j_m$, we have $\mathrm{Mesg}_{m,n}.Pfx(j_m) = x^n_{l,r-1}(j_n, P_{m,n})$, i.e., the condition in Line 4 of Algorithm 2 holds. Since, by Line 8 of Algorithm 1, $\mathrm{Mesg}_{m,n}.Pfx(j_m) = x^m_{l,r-1}(j_m, P_{m,n})$, we get $x^m_{l,r-1}(j_m, P_{m,n}) = x^n_{l,r-1}(j_n, P_{m,n})$. Then, by the induction hypothesis, there exists some element $x_{d,r-1}(j)$ of $X_{d,r-1}$ such that
$$x_{s,r-1}(j, P_m) = x^m_{s,r-1}(j_m) \quad\text{and}\quad x_{s,r-1}(j, P_n) = x^n_{s,r-1}(j_n), \qquad (3.29)$$
$$x_{f,r-1}(j, {}_{f,m}) = x^m_{f,r-1}(j_m) \quad\text{and}\quad x_{f,r-1}(j, {}_{f,n}) = x^n_{f,r-1}(j_n). \qquad (3.30)$$

By Equation (3.29) and Lemma 5, if $t_o \in B_m(x^m_{d,r-1}, \sigma_{or})$, i.e., $t_o$ is enabled from $x^m_{s,r-1}(j_m)$, then it is also enabled from $x_{s,r-1}(j, P_m)$. The same holds for $t_{uo}$. On the other hand, if we apply the very same Equations (3.16)-(3.20) to the place-bordered singleton set $C_{d,s}$, then $y \in X_{d,r}$.

Case (2): Since no message is sent or received, this case follows directly from the induction hypothesis.

($\supseteq$): Suppose $x_{d,r}(i) \in X_{d,r}$. Then there exists $x_{d,r-1}(i) \in X_{d,r-1}$ such that the set of Equations (3.16)-(3.20) holds when the place-bordered set is the singleton set $C_{d,s}$. By the induction hypothesis, there exist $x^n_{d,r-1}(j_n)$ and $x^m_{d,r-1}(j_m)$ such that Equations (3.29) and (3.30) hold. Then, we find $x^n_{d,r}(i_n)$ and $x^m_{d,r}(i_m)$ by Equations (3.16)-(3.26) such that $x^n_{d,r}(i_n)$ merges with $x^m_{d,r}(i_m)$. Thus,
$$x^m_{s,r}(i_m) = x_{s,r}(i, P_m), \qquad (3.31)$$
$$x^m_{f,r}(i_m) = x_{f,r}(i, {}_{f,m}). \qquad (3.32)$$
This completes the proof, as $x_{d,r}(i) \in \mathrm{Merge}(\{x^m_{d,r} : D_m \in S_D\})$.

3.7 Implementation of DDC-M: Fixed-Size Message Labels

The version of Algorithm DDC-M presented in Section 3.4 recovers the monolithic diagnosis information at the cost of communication and growing message labels. The size of a message label is bounded by the number of common places times the number of observable events executed by the system so far. Thus, observations of longer sequences of events result in longer message labels. There are several ways to reduce the communication overhead by reducing the size of the message labels while still

recovering the monolithic diagnosis information. In this regard, we now present an encoding-based method which serves this purpose and results in fixed-size message labels. We first describe the structure of the message labels and how the encoding makes it possible to have fixed-size messages and message labels. Secondly, we update the DDC-M algorithm to reflect the changes in the messages and message labels. We continue with an example showing the implementation of the updated DDC-M algorithm. We conclude the section by proving the correctness of the updated algorithm in the sense that the merge operation still recovers the monolithic diagnoser state after observation of a sequence of events.

Suppose that the set of place-bordered nets $S$ is the system to be diagnosed and $\sigma_{o1}\sigma_{o2}\ldots\sigma_{or}$ is the sequence of events observed. Let $M_m, M_n \in S$ be two place-bordered nets with common places $P_{m,n}$, where $P_{m,n} \neq \emptyset$. We define the set $\Omega^R_{m,n}$ of words such that each word $\omega \in \Omega^R_{m,n}$ is a combination of elements from the finite set $C_{m,n} = \{W_m(t, P_{m,n}) : t \in T_m\}$ and the length of the word is at most $R$. Formally, we have
$$\Omega^R_{m,n} = \{\omega_1\omega_2\ldots\omega_k : \forall\, 1 \le i \le k,\ \omega_i \in C_{m,n} \text{ and } 1 \le k \le R\}, \quad R \in \mathbb{N}. \qquad (3.33)$$
The elements of $C_{m,n}$ are vectors of size $|P_{m,n}|$ and correspond to all possible changes in the token distribution of the common places upon firing of a transition. The set $C_{m,n}$ is finite since the arcs removing tokens from or putting tokens into the common places have finite weight, and there is a finite number of transitions removing tokens from or putting tokens into the common places. Thus, each word $\omega \in \Omega^R_{m,n}$ is a possible combination of changes that may occur in the common places upon observation of a sequence of $R$ events. If $x^m_{l,r}$ is the message

label after observation of a sequence of $R$ events, then each row of $x^m_{l,r}$ corresponds to a word in the set $\Omega^R_{m,n}$. Our goal is to find a function $g_R : \Omega^R_{m,n} \to \mathbb{N}$, for all $R \in \mathbb{Z}_{>0}$, such that $g_R$ is injective. One such function is the enumeration of the different words in $\Omega^R_{m,n}$, starting with 1, which corresponds to the enumeration of the different rows of $x^m_{l,r}$. We describe such an injective enumeration in Definition 7. Since our goal is to enumerate the different rows of a message label, and message labels are matrices, we define the enumeration over the rows of a matrix rather than over the elements of a set. When we write $En(x^m_{l,r})$, we mean the enumeration of the different rows of $x^m_{l,r}$ as in Definition 7.

Definition 7 (Enumeration). Given a matrix $A$, we denote by $A(i)$ the $i$th row of $A$. Then, we define $En$ as follows:
1. $En(A(1)) = 1$;
2. For all $i \in \{2, 3, \ldots, \text{number of rows of } A\}$,
$$En(A(i)) = \begin{cases} En(A(j)), & \text{if there exists } j \in \{1, 2, \ldots, i-1\} \text{ such that } A(j) = A(i), \\ 1 + \max\{En(A(j)) : 1 \le j < i\}, & \text{otherwise.} \end{cases}$$

We update Algorithm 1 to Algorithm 3 and Algorithm 2 to Algorithm 4 to account for fixed-size message labels. The updated algorithms evolve the message labels consistently with the enumeration function described in Definition 7. The formal statement of Algorithms 3 and 4 is given below. In Algorithm 4, $\mathrm{Mesg}_{m,n}.Sfx(i, 1)$ denotes the columns of $\mathrm{Mesg}_{m,n}.Sfx$ that correspond to the

changes in the token distribution of the common places, and $\mathrm{Mesg}_{m,n}.Sfx(i, 2)$ denotes the column that corresponds to the (new) enumeration.

Algorithm 3 Distributed Diagnosis with Communication with Fixed-Size Message Labels
1: Upon occurrence of an observable event $\sigma_{or}$
2: Find $M_m$ such that $\sigma_{or} \in \Sigma_m$,
3: $z^m_{d,r} \leftarrow f_{d,m}(x^m_{d,r-1}, \sigma_{or})$,
4: $x^m_{d,r} \leftarrow z^m_{d,r}$,
5: for all $D_n \in S_D$ such that $P_{m,n} \neq \emptyset$ do
6: $x^m_{l,r}(P_{m,n}) \leftarrow En(z^m_{l,r}(P_{m,n}))$,
7: if $\{W(P_{m,n}, t) : t \in B_m(x^m_{d,r-1}, \sigma_{or})\} \neq \{\vec{0}\}$ then
8: $\mathrm{Mesg}_{m,n} \leftarrow \{\}$,
9: for all $j = 1 : \#$ rows of $z^m_{l,r}(P_{m,n})$ do
10: $\mathrm{Mesg}_{m,n}.Pfx(j) \leftarrow z^m_{l,r}(j, P_{m,n}).Pfx$,
11: $\mathrm{Mesg}_{m,n}.Sfx(j) \leftarrow (z^m_{l,r}(j, P_{m,n}).Sfx,\ x^m_{l,r}(j, P_{m,n}))$,
12: $\mathrm{Mesg}_{m,n}(j) \leftarrow (\mathrm{Mesg}_{m,n}.Pfx(j),\ \mathrm{Mesg}_{m,n}.Sfx(j))$,
13: end for
14: Send all different rows of $\mathrm{Mesg}_{m,n}$,
15: $x^n_{d,r} \leftarrow UDSC(x^n_{d,r-1}, \mathrm{Mesg}_{m,n})$,
16: end if
17: end for

Theorem 8. Theorem 6 remains valid for the diagnoser states obtained under Algorithms 3 and 4.

Proof of Theorem 8. The proof follows the very same methodology as the proof of Theorem 6. However, in this proof the message labels and messages have the different structures described by Algorithms 3 and 4. Thus, by Line 6 of Algorithm 3, we rewrite Equation (3.18) in two steps as follows:
$$x^m_{l,r}(i_m, P_{m,n}) = En(z^m_{l,r}(i_m, P_{m,n})) = En(u_l(P_{m,n})). \qquad (3.34)$$
By Lines 10 and 11 of Algorithm 3, if $\mathrm{Mesg}_{m,n}.Pfx(j_m) = x^m_{l,r-1}(j_m, P_{m,n})$, then $\mathrm{Mesg}_{m,n}.Sfx(j_m, 1) = W_m(t, P_{m,n})$ and $\mathrm{Mesg}_{m,n}.Sfx(j_m, 2) = x^m_{l,r}(i_m, P_{m,n})$. Thus, Equations (3.24) and (3.25) stay the same, but by Line 7 of Algorithm 4

Algorithm 4 Update of Diagnoser State upon Communication with Fixed-Size Message Labels
Require: $x^n_{d,r-1}$, $\mathrm{Mesg}_{m,n}$
1: $X^n_{d,r} \leftarrow \{\}$,
2: for all $i = 1 :$ number of rows of $\mathrm{Mesg}_{m,n}.Pfx$ do
3: for all $j = 1 :$ number of rows of $x^n_{l,r-1}(P_{m,n})$ do
4: if $\mathrm{Mesg}_{m,n}.Pfx(i) == x^n_{l,r-1}(j, P_{m,n})$ then
5: $y_s(P_{m,n}) \leftarrow x^n_{s,r-1}(j, P_{m,n}) + \mathrm{Mesg}_{m,n}.Sfx(i, 1)$, $\quad y_s(P_n \setminus P_{m,n}) \leftarrow x^n_{s,r-1}(j, P_n \setminus P_{m,n})$,
6: $y_f \leftarrow x^n_f(j)$,
7: $y_l(P_{m,n}) \leftarrow \mathrm{Mesg}_{m,n}.Sfx(i, 2)$,
8: for all $D_q \in (S_D \setminus D_m)$ such that $P_{n,q} \neq \emptyset$ do
9: $y_l(P_{n,q}) \leftarrow x^n_{l,r-1}(j, P_{n,q})$
10: end for
11: $X^n_{d,r} \leftarrow X^n_{d,r} \cup [y_s\ y_f\ y_l]$
12: end if
13: end for
14: end for
15: $UDSC(x^n_{d,r-1}, \mathrm{Mesg}_{m,n}) \leftarrow$ listing of the set $X^n_{d,r}$

Equation (3.26) becomes
$$x^n_{l,r}(i_n, P_{m,n}) = x^m_{l,r}(i_m, P_{m,n}). \qquad (3.35)$$
These are the only changes to the equations of the proof of Theorem 6 needed to complete the proof of Theorem 8.

The key idea behind the fixed-size message labels is that the next state of a Petri net is uniquely determined by the current state and the changes in the token distribution of the places. We now consider how this idea is implemented while message labels are created. In Algorithm 1, we form the message label of the next diagnoser state by appending the changes on the common places to the message label of the current diagnoser state. In Algorithm 3, however, we uniquely encode the message label found by the diagnoser state transition function, and the encoded message label is the message label of the next diagnoser state. That is, the message

label of the next diagnoser state is a bijective function of the message label of the current diagnoser state and the changes on the common places.

Algorithms 2 and 4 do not differ in structure as much as Algorithms 1 and 3 do. Algorithm 4 correctly updates the diagnoser states of the neighboring modules because we use a bijective function to encode the message label. In the following example, we illustrate the notions and notation presented in this section while comparing the steps of Algorithms 3 and 4 with those of Algorithms 1 and 2.

Example 9. In Example 2, we derived the diagnoser states obtained by running Algorithms 1 and 2. In this example, we consider the same setting as in Example 2, but derive the diagnoser states obtained by running Algorithms 3 and 4 instead. The state and fault labels of the diagnoser states in this case are the same as the state and fault labels given in Example 2. However, the message labels and the messages sent change. In the following, we go over the steps of Algorithms 3 and 4 to find the changes in the message labels.

Suppose that $M_m$ and $M_n$ are two coupled modules in $S$. The diagnoser states $x^m_d$ and $x^n_d$ of $D_m$ and $D_n$, respectively, obtained under Algorithms 3 and 4 have the same abbreviations as $x^m_d$ in Equation (3.10) and $x^n_d$ in Equation (3.11), respectively. In this example, we focus on the message labels between $D_m$ and $D_n$. We write $\ldots$ in place of the message labels toward all modules in $S$ coupled with $M_m$ other than $M_n$, and toward all modules coupled with $M_n$ other than $M_m$. Suppose that the event $\sigma_o \in \Sigma_{o,m}$ is observed; then the intermediate diagnoser

state $z^m_d = f_{d,m}(x^m_d, \sigma_o)$ is found as follows:
$$z^m_d = \left[\begin{array}{c|c|c} \cdots & \cdots & \ldots : \alpha_1\, w_1(P_{m,n}) : \ldots \\ \cdots & \cdots & \ldots : \alpha_2\, w_2(P_{m,n}) : \ldots \\ \cdots & \cdots & \ldots : \alpha_1\, w_1(P_{m,n}) : \ldots \\ \cdots & \cdots & \ldots : \alpha_2\, w_2(P_{m,n}) : \ldots \end{array}\right], \qquad (3.36)$$
with columns $x^m_s$, $x^m_f$ and $z^m_l(P_{m,n})$, respectively, where $\alpha_i$ is the message label of the row before the observation and $w_i(P_{m,n})$ the change on the common places appended to it. Suppose that the encoding of the message label is
$$En(z^m_l(P_{m,n})) = \begin{bmatrix} 1 \\ 2 \\ 1 \\ 2 \end{bmatrix}. \qquad (3.37)$$
Then, the diagnoser state $y^m_d$ of $D_m$ upon observation of $\sigma_o$ is constructed as (the reader is encouraged to compare with the diagnoser state in Equation (3.12) obtained under Algorithm 1)
$$y^m_d = \left[\begin{array}{c|c|c} a_1 + w_1 & h_1 & \ldots : 1 : \ldots \\ a_2 + w_2 & h_2 & \ldots : 2 : \ldots \\ a_1 + w_1 + w_1 & h_1 & \ldots : 1 : \ldots \\ a_2 + w_2 + w_2 & h_2 & \ldots : 2 : \ldots \end{array}\right]. \qquad (3.38)$$
The message sent from $D_m$ to $D_n$ is
$$\mathrm{Mesg}_{m,n} = \left[\begin{array}{c|c|c} \alpha_1 & w_1(P_{m,n}) & 1 \\ \alpha_2 & w_2(P_{m,n}) & 2 \end{array}\right],$$
with columns $\mathrm{Mesg}_{m,n}.Pfx$, $\mathrm{Mesg}_{m,n}.Sfx(1)$ and $\mathrm{Mesg}_{m,n}.Sfx(2)$, respectively. Upon reception of the message, $D_n$ updates $x^n_d$ to $y^n_d$ based on the message from $D_m$ (as defined in Algorithm 4) as follows (the reader is encouraged to compare with

the diagnoser state in Equation (3.14) obtained under Algorithm 2):
$$y^n_d = \left[\begin{array}{c|c|c} b_1 & k_1 & \ldots : 1 : \ldots \\ b_2 & k_2 & \ldots : 2 : \ldots \end{array}\right], \qquad (3.39)$$
with columns $y^n_s$, $y^n_f$ and $y^n_l(P_{m,n})$, respectively.

3.8 Case Study

In the following, we study an example of a part of a Heating, Ventilation and Air-Conditioning (HVAC) system. We consider the valve, pump and load models shown in Figs. 3.4, 3.5 and 3.6, respectively. Together they form the set of place-bordered labeled Petri nets that constitute the overall system. The sets of events of these place-bordered nets are disjoint; hence, so are the sets of transitions. The place-bordered nets of the valve, pump and load are coupled with each other through common places. For example, place $c_1$ appears in both the valve and the load model in Figs. 3.4 and 3.6, respectively. Figure 3.7 shows the coupling between the individual place-bordered nets of the overall system. For all the labeled Petri nets in this chapter, the filled transitions are labeled with unobservable events. The sets of events, and the abbreviations used for the events in Figs. 3.4 to 3.6, are as follows:
$\Sigma_{o,1}$ = {close valve (cv), open valve (ov), stuck open 1 (so1), stuck open 2 (so2), stuck closed 1 (sc1), stuck closed 2 (sc2)},
$\Sigma_{o,2}$ = {start pump (st), stop pump (sp), pump failed on 1 (fn1), pump failed on 2 (fn2), pump failed off 1 (fo1), pump failed off 2 (fo2)},
$\Sigma_{o,3}$ = {set point decrease (spd), set point increase (spi), failed off (foff)}.
Suppose that initially there is only one token at each of the following places: $c_1$, $c_{1,1}$, $vl_1$, $pm_1$ and $load_1$. Then, the initial diagnoser states of the modules are

Figure 3.4: Place-bordered net: Module#1 (valve).

as follows, as defined by the diagnoser state transition function in Equations (3.5) to (3.7). The initial diagnoser state of $D_1$ (the diagnoser for Module#1) is
$$x^1_{d,0} = \qquad (3.40)$$
where each digit in the rows of $x^1_{s,0}$ corresponds to the number of tokens in a place of $D_1$, and each digit in the rows of $x^1_{f,0}$ corresponds to a fault type of $D_1$. The ordering of the digits in $x^1_{s,0}$ is as follows: $c_1, c_{1,1}, c_2, c_{2,1}, c_4, c_5, vl_1, vl_2, vl_3, vl_4$. The ordering of the digits in $x^1_{f,0}$ is $F_1$ and $F_2$, respectively, where the event sets for the fault types are as follows:
$\Sigma_{F_1,1}$ = {stuck open 1 (so1), stuck open 2 (so2)},
$\Sigma_{F_2,1}$ = {stuck closed 1 (sc1), stuck closed 2 (sc2)}.

Figure 3.5: Place-bordered net: Module#2 (pump).

The initial diagnoser state of $D_2$ (the diagnoser for Module#2) is
$$x^2_{d,0} = \qquad (3.41)$$
where each digit in the rows of $x^2_{s,0}$ corresponds to the number of tokens in a place of $D_2$, and each digit in the rows of $x^2_{f,0}$ corresponds to a fault type of $D_2$. The ordering of the digits in $x^2_{s,0}$ is as follows: $c_2, c_{2,1}, c_3, c_{3,1}, c_5, c_6, pm_1, pm_2, pm_3, pm_4$. The ordering of the digits in $x^2_{f,0}$ is $F_1$ and $F_2$, respectively, where the event sets for the fault types are as follows:
$\Sigma_{F_1,2}$ = {pump failed on 1 (fn1), pump failed on 2 (fn2)},
$\Sigma_{F_2,2}$ = {pump failed off 1 (fo1), pump failed off 2 (fo2)}.

Figure 3.6: Place-bordered net: Module#3 (load).

Figure 3.7: Common places between the modules (Module#1 and Module#2 share $c_2, c_{2,1}, c_5$; Module#2 and Module#3 share $c_3, c_{3,1}, c_6$; Module#3 and Module#1 share $c_1, c_{1,1}, c_4$).

The initial diagnoser state of $D_3$ (the diagnoser for Module#3) is
$$x^3_{d,0} = \qquad (3.42)$$
where each digit in the rows of $x^3_{s,0}$ corresponds to the number of tokens in a place of $D_3$, and each digit in the rows of $x^3_{f,0}$ corresponds to a fault type of $D_3$. The ordering of the digits in $x^3_{s,0}$ is as follows: $c_1, c_{1,1}, c_3, c_{3,1}, c_4, c_6, load_1, load_2, load_3$. The

ordering of the digits in $x^3_{f,0}$ is $F_1$, where the event set for the fault type is $\Sigma_{F_1,3}$ = {failed off (foff)}.

The initial diagnoser states have no message labels by assumption. Thus, the diagnoser states in (3.40), (3.41) and (3.42) carry state and fault type information only. The only observable event enabled is open valve. If open valve is observed, then, applying Algorithm 1, Module#1 finds the next diagnoser state using the diagnoser state transition function and sends messages to Module#2 and Module#3. Upon reception of the messages, Module#2 and Module#3 update their current diagnoser states according to Algorithm 2. The diagnoser states obtained by Algorithms 1 and 2 are presented in the following. The diagnoser state for $D_1$ is
$$x^1_{d,1} = \big[\ x^1_{s,1}\ \big|\ x^1_{f,1}\ \big|\ x^1_{l,1}(P_{1,2})\ :\ x^1_{l,1}(P_{1,3})\ \big], \qquad (3.43)$$
where each digit (with its sign) in the rows of the message labels $x^1_{l,1}(P_{1,2})$ and $x^1_{l,1}(P_{1,3})$ corresponds to the difference between the number of tokens put into and removed from a common place. The ordering of the digits in the message labels is as follows: $c_2, c_{2,1}, c_5$ for $x^1_{l,1}(P_{1,2})$, and $c_1, c_{1,1}, c_4$ for $x^1_{l,1}(P_{1,3})$.

Upon reception of the message from $D_1$ after the observation of open valve, the

diagnoser state for $D_2$ is updated (by following the steps of Algorithm 2) to
$$x^2_{d,1} = \big[\ x^2_{s,1}\ \big|\ x^2_{f,1}\ \big|\ x^2_{l,1}(P_{2,1})\ :\ x^2_{l,1}(P_{2,3})\ \big], \qquad (3.44)$$
where each digit (with its sign) in the rows of the message labels $x^2_{l,1}(P_{2,1})$ and $x^2_{l,1}(P_{2,3})$ corresponds to the difference between the number of tokens put into and removed from a common place. The ordering of the digits in the message labels is as follows: $c_2, c_{2,1}, c_5$ for $x^2_{l,1}(P_{2,1})$, and $c_3, c_{3,1}, c_6$ for $x^2_{l,1}(P_{2,3})$.

Upon reception of the message from $D_1$ after the observation of open valve, the diagnoser state for $D_3$ is
$$x^3_{d,1} = \big[\ x^3_{s,1}\ \big|\ x^3_{f,1}\ \big|\ x^3_{l,1}(P_{3,1})\ :\ x^3_{l,1}(P_{3,2})\ \big], \qquad (3.45)$$
where each digit (with its sign) in the rows of the message labels $x^3_{l,1}(P_{3,1})$ and $x^3_{l,1}(P_{3,2})$ corresponds to the difference between the number of tokens put into and removed from a common place. The ordering of the digits in the message labels is as follows: $c_1, c_{1,1}, c_4$ for $x^3_{l,1}(P_{3,1})$, and $c_3, c_{3,1}, c_6$ for $x^3_{l,1}(P_{3,2})$.

The next enabled observable event is start pump. Upon its occurrence, Module#2 finds the next diagnoser state using the diagnoser state transition function and sends messages to Module#1 and Module#3. After the observation of start pump and

the diagnoser state updates triggered by the reception of messages, the state and fault information and the message labels of the new diagnoser states are as follows:
$$x^1_{d,2} = \big[\ x^1_{s,2}\ \big|\ x^1_{f,2}\ \big|\ x^1_{l,2}(P_{1,2})\ :\ x^1_{l,2}(P_{1,3})\ \big], \qquad (3.46)$$
$$x^2_{d,2} = \big[\ x^2_{s,2}\ \big|\ x^2_{f,2}\ \big|\ x^2_{l,2}(P_{2,1})\ :\ x^2_{l,2}(P_{2,3})\ \big], \qquad (3.47)$$
$$x^3_{d,2} = \big[\ x^3_{s,2}\ \big|\ x^3_{f,2}\ \big|\ x^3_{l,2}(P_{3,1})\ :\ x^3_{l,2}(P_{3,2})\ \big]. \qquad (3.48)$$
Upon the occurrence of the next observable event, the algorithm proceeds in the same manner to update the respective diagnoser states. An examination of the fault labels in the corresponding columns of the above diagnoser states reveals that: (i) $x^1_{d,0}$, $x^1_{d,1}$ and $x^1_{d,2}$ are both $F_{1,1}$-uncertain (stuck open 1 or stuck open 2 could have happened, but we do not know for sure) and $F_{2,1}$-uncertain; (ii) $x^2_{d,0}$, $x^2_{d,1}$ and $x^2_{d,2}$ are both $F_{1,2}$-uncertain and $F_{2,2}$-uncertain; and (iii) $x^3_{d,0}$, $x^3_{d,1}$ and $x^3_{d,2}$ are normal.

We now consider the case of fixed-size message labels. Suppose that we observe the very same sequence of events, which starts with open valve followed by start pump, and we now run Algorithm 3 instead of Algorithm 1 and Algorithm 4 instead

of Algorithm 2. The state and fault labels of the diagnoser states in this case are the same as the state and fault labels given in Equations (3.40) to (3.48). However, the message labels and the messages sent change. In the following, we go over the steps of Algorithms 3 and 4 to find the changes in the message labels.

The message labels of the initial diagnoser states are all equal to 1 by construction. Upon observation of the event open valve (executed by $M_1$), the intermediate diagnoser state $z^1_{d,1} = f_{d,1}(x^1_{d,0}, \text{open valve})$ is
$$z^1_{d,1} = \big[\ x^1_{s,1}\ \big|\ x^1_{f,1}\ \big|\ z^1_{l,1}(P_{1,2})\ :\ z^1_{l,1}(P_{1,3})\ \big], \qquad (3.49)$$
where each row of $z^1_{l,1}(P_{1,2})$ and of $z^1_{l,1}(P_{1,3})$ consists of the initial label 1 followed by the change on the corresponding common places. The message labels for the diagnoser state $x^1_{d,1}$ are $x^1_{l,1}(P_{1,2}) = En(z^1_{l,1}(P_{1,2}))$ and $x^1_{l,1}(P_{1,3}) = En(z^1_{l,1}(P_{1,3}))$ for $D_2$ and $D_3$, respectively. Thus, the diagnoser state in the case of fixed-size message labels (compare to the one in (3.49)) is found as
$$x^1_{d,1} = \big[\ x^1_{s,1}\ \big|\ x^1_{f,1}\ \big|\ x^1_{l,1}(P_{1,2})\ :\ x^1_{l,1}(P_{1,3})\ \big], \qquad (3.50)$$
where the rows of the message labels are now the enumeration values 1 and 2. The messages sent by $D_1$ are as follows:
$$\mathrm{Mesg}_{1,2} = \big[\ \underbrace{1}_{\mathrm{Mesg}_{1,2}.Pfx}\ \ \underbrace{0\,1\,0}_{\mathrm{Mesg}_{1,2}.Sfx(1)}\ \ \underbrace{2}_{\mathrm{Mesg}_{1,2}.Sfx(2)}\ \big],$$

and $\mathrm{Mesg}_{1,3}$ has the same structure: $\mathrm{Mesg}_{1,3}.Pfx = 1$, $\mathrm{Mesg}_{1,3}.Sfx(1)$ is the change on $c_1, c_{1,1}, c_4$, and $\mathrm{Mesg}_{1,3}.Sfx(2) = 2$.

Upon reception of the messages, the diagnoser states of the neighbor modules are updated as defined by Algorithm 4. Then, the diagnoser states of $D_2$ and $D_3$ are as follows:
$$x^2_{d,1} = \big[\ x^2_{s,1}\ \big|\ x^2_{f,1}\ \big|\ x^2_{l,1}(P_{2,1})\ :\ x^2_{l,1}(P_{2,3})\ \big], \qquad (3.51)$$
$$x^3_{d,1} = \big[\ x^3_{s,1}\ \big|\ x^3_{f,1}\ \big|\ x^3_{l,1}(P_{3,1})\ :\ x^3_{l,1}(P_{3,2})\ \big]. \qquad (3.52)$$
Upon observation of the event start pump executed by $M_2$, the intermediate diagnoser state $z^2_{d,2} = f_{d,2}(x^2_{d,1}, \text{start pump})$ is found as
$$z^2_{d,2} = \big[\ x^2_{s,2}\ \big|\ x^2_{f,2}\ \big|\ z^2_{l,2}(P_{2,1})\ :\ z^2_{l,2}(P_{2,3})\ \big], \qquad (3.53)$$
where each row of $z^2_{l,2}(P_{2,1})$ and of $z^2_{l,2}(P_{2,3})$ consists of the current label followed by the change on the corresponding common places. The message labels for the diagnoser state $x^2_{d,2}$ are $x^2_{l,2}(P_{2,1}) = En(z^2_{l,2}(P_{2,1}))$ and $x^2_{l,2}(P_{2,3}) = En(z^2_{l,2}(P_{2,3}))$ for $D_1$ and $D_3$, respectively. Thus, the diagnoser state in

the case of fixed-size message labels is found as
$$x^2_{d,2} = \big[\ x^2_{s,2}\ \big|\ x^2_{f,2}\ \big|\ x^2_{l,2}(P_{2,1})\ :\ x^2_{l,2}(P_{2,3})\ \big], \qquad (3.54)$$
where the rows of the message labels are again enumeration values. The messages sent by $D_2$ are $\mathrm{Mesg}_{2,1}$ and $\mathrm{Mesg}_{2,3}$, each with the columns $Pfx$, $Sfx(1)$ and $Sfx(2)$; for instance,
$$\mathrm{Mesg}_{2,3} = \big[\ \underbrace{1}_{\mathrm{Mesg}_{2,3}.Pfx}\ \ \underbrace{1\,0\,0}_{\mathrm{Mesg}_{2,3}.Sfx(1)}\ \ \underbrace{2}_{\mathrm{Mesg}_{2,3}.Sfx(2)}\ \big],$$
with the digits of $Sfx(1)$ ordered as $c_3, c_{3,1}, c_6$. Upon reception of the messages, the diagnoser states of the neighbor modules are updated as defined by Algorithm 4. Then, the diagnoser states of $D_1$ and $D_3$ are as follows:
$$x^1_{d,2} = \big[\ x^1_{s,2}\ \big|\ x^1_{f,2}\ \big|\ x^1_{l,2}(P_{1,2})\ :\ x^1_{l,2}(P_{1,3})\ \big], \qquad (3.55)$$

$$x^3_{d,2} = \big[\ x^3_{s,2}\ \big|\ x^3_{f,2}\ \big|\ x^3_{l,2}(P_{3,1})\ :\ x^3_{l,2}(P_{3,2})\ \big]. \qquad (3.56)$$

3.9 Conclusion

We have presented a new algorithm, DDC-M, for on-line monitoring and diagnosis of modular systems modeled as a set of place-bordered Petri nets. DDC-M exploits the distributed nature of the system to avoid the combinatorial explosion of the state space, but it requires communication among modules on the occurrence of events that affect common places. Many issues remain to be investigated. Among those we mention: further improvements of DDC-M to reduce the communication overhead and to deal with communication delays; proper partitioning of a system into modules in order to enhance the performance of DDC-M; and performance analysis of DDC-M on comprehensive examples using our software tool.
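The claim of Sections 3.7 and 3.8 that the fixed-size encoding does not change what the merge operation recovers can be checked mechanically. The following Python script is an added illustration, not the dissertation's or its software tool's code. It abstracts each diagnoser row to its message label for one pair of coupled modules $m$ and $n$ (state and fault labels are dropped), runs the growing labels of Algorithm 1 and the enumerated labels of Algorithm 3 side by side on a constructed sequence of changes on the common places, and verifies after every step that the integer labels pair up exactly the rows that the full-history labels pair up. A deliberately wrong encoder that enumerates the change alone, forgetting the previous label, is included to show that the check is not vacuous; the row-splitting pattern and the change vectors are made up for the example.

```python
"""Fixed-size message labels (Section 3.7) versus growing labels (Algorithm 1).

Added example; not the dissertation's code. A row of module m is reduced to
its label towards n and a row of n to its label towards m. The change
vectors (token differences on the 3 common places of P_mn) are constructed.
"""


def enumerate_rows(rows):
    """En of Definition 7: the first distinct row is numbered 1, the next
    distinct row 2, ...; a row equal to an earlier row reuses its number."""
    ids, out = {}, []
    for r in rows:
        ids.setdefault(r, len(ids) + 1)
        out.append(ids[r])
    return out


def step_growing(m_lab, n_lab, succ):
    """Algorithms 1/2 as modelled here: a successor row of m appends the change
    to its parent's label (a tuple of change vectors); each distinct
    (old label, change) pair is sent; n keeps every row whose label equals a
    sent prefix and appends the same change to it."""
    new_m = [m_lab[p] + (c,) for p, c in succ]
    msgs = list(dict.fromkeys((m_lab[p], c) for p, c in succ))   # distinct, in order
    new_n = [pfx + (c,) for pfx, c in msgs for lab in n_lab if lab == pfx]
    return new_m, new_n


def step_fixed(m_lab, n_lab, succ):
    """Algorithm 3 (Line 6) and Algorithm 4 (Lines 4 and 7): re-enumerate the
    (old label, change) rows with En, send (Pfx, Sfx(1), Sfx(2)) =
    (old label, change, new label), and let n copy the new integer."""
    new_m = enumerate_rows([(m_lab[p], c) for p, c in succ])
    msgs = list(dict.fromkeys((m_lab[p], c, f) for (p, c), f in zip(succ, new_m)))
    new_n = [f for pfx, c, f in msgs for lab in n_lab if lab == pfx]
    return new_m, new_n


def step_naive(m_lab, n_lab, succ):
    """Wrong encoder, for contrast: enumerates the change alone and forgets the
    old label, so rows with different histories can share one integer."""
    new_m = enumerate_rows([c for _, c in succ])
    msgs = list(dict.fromkeys((m_lab[p], c, f) for (p, c), f in zip(succ, new_m)))
    new_n = [f for pfx, c, f in msgs for lab in n_lab if lab == pfx]
    return new_m, new_n


def merge_pairs(a_lab, b_lab):
    """Row pairs (i, j) that the Merge operation concatenates: equal labels."""
    return {(i, j) for i, a in enumerate(a_lab) for j, b in enumerate(b_lab) if a == b}


# Constructed scenario: m starts with 2 rows, n with 3; two events in m change
# the common places. Each step lists the successor rows as (parent row, change).
STEPS = [
    [(0, (1, 0, 0)), (1, (1, 0, 0)), (1, (0, -1, 0))],
    [(2, (0, 0, 1)), (0, (0, 0, 1)), (1, (0, 0, -1))],
]


def run(step_fn=step_fixed, steps=STEPS, m_rows=2, n_rows=3):
    """Run growing labels and step_fn side by side. Returns (ok, m_lab, n_lab):
    ok is True iff after every step the encoded labels induce the same Merge
    pairing between m and n, and the same equal-history classes inside each
    module, as the full-history labels do."""
    gm, gn = [()] * m_rows, [()] * n_rows    # growing labels: empty history
    em, en = [1] * m_rows, [1] * n_rows      # encoded labels: initially all 1
    for succ in steps:
        gm, gn = step_growing(gm, gn, succ)
        em, en = step_fn(em, en, succ)
        same = (merge_pairs(gm, gn) == merge_pairs(em, en)
                and merge_pairs(gm, gm) == merge_pairs(em, em)
                and merge_pairs(gn, gn) == merge_pairs(en, en))
        if not same:
            return False, em, en
    return True, em, en


if __name__ == "__main__":
    ok, em, en = run()
    print("fixed-size encoding preserves Merge:", ok, "| labels m:", em, "n:", en)
    print("change-only encoding preserves Merge:", run(step_naive)[0])
```

Each step a row of $m$ carries one integer regardless of how many events have been observed, whereas the growing label carries one change vector per event; the check passes because `step_fixed` enumerates the pair (old label, change), which is the bijection the text relies on, and fails for `step_naive`, which drops the old label.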

CHAPTER IV

Diagnosis of Event Patterns

4.1 Introduction

This chapter addresses the problem of diagnosing (detecting and isolating) significant event patterns in the behavior of a system modeled as a partially-observed discrete-event system (DES). The event pattern to be diagnosed is a set of sequences of events. The system is diagnosable with respect to a pattern if it is possible to detect and isolate occurrences of the pattern upon its completion (with finite delay) while observing the sequences of events executed by the system. The problem is trivial if each event executed by the system to be diagnosed is observed. In general, however, systems are partially observed. That is, there exist events that are not directly recorded by the sensors attached to the system, i.e., unobservable events. Our objective is two-fold:
1. Off-line verification of the diagnosability property of the system with respect to the pattern, i.e., deciding whether the system is diagnosable with respect to the pattern.
2. On-line monitoring of the system and diagnosis of the pattern, i.e., detecting the occurrence of the pattern while partially observing the behavior of the system.
The problem of fault diagnosis for discrete-event systems has received considerable attention in the last decade, and diagnosis methodologies based on the use

of discrete-event models have been successfully used in a variety of technological systems ranging from document processing systems to intelligent transportation systems; see [34] and the references therein. To the best of our knowledge, all prior works on fault diagnosis of DES pertain to the diagnosis of a single event among several unobservable events. In application areas such as the detection of intrusions and attacks in networks [39], patterns of events need to be diagnosed. Our objective is to extend the methodology of the Diagnoser Approach introduced in [55] to the case of patterns. In the following sections, we develop a theory for the diagnosability of patterns. In Section 4.2, we define the mathematical terminology used throughout this chapter. Then, in Section 4.3, we define two different notions of pattern diagnosability in the context of formal languages: (i) S-type pattern diagnosability and (ii) T-type pattern diagnosability. These two types stem from different ways of defining the occurrence of a pattern. In S-type pattern diagnosability, a pattern is detected if all the sequences executed by the system that record the same observed event sequence contain subsequences in the pattern. In T-type pattern diagnosability, a pattern is detected if all the sequences executed by the system that record the same observed event sequence contain substrings in the pattern. In other words, there may be events interleaved between the events that make up the pattern in the S-type case, but not in the T-type case. We conclude Section 4.3 by showing that the notions of S-type and T-type pattern diagnosability are generalizations of the notion of diagnosability defined in [55]. In Section 4.4, we consider systems modeled by regular languages. We present implementable necessary and sufficient conditions for both types of pattern diagnosability in this case.
The conditions for pattern diagnosability require building a modified version of the diagnoser defined in [55]. In

Section 4.5, we present illustrative examples of the notions and results introduced in the previous sections of the chapter. In Section 4.6, we present a summary of results and give concluding remarks.

4.2 Preliminaries

Let $\Sigma$ be a finite set of events. A string is a finite-length sequence of events in $\Sigma$. Given a string $s$, the length of $s$ (number of events, including repetitions) is denoted by $|s|$. The set of all strings formed by events in $\Sigma$ is denoted by $\Sigma^*$; it is also called the Kleene-closure of $\Sigma$. Any subset of $\Sigma^*$ is called a language over $\Sigma$. Let $L$ be a language over $\Sigma$. The prefix-closure of $L$ is denoted by $\overline{L}$ and defined as $\overline{L} = \{s \in \Sigma^* : \exists t \in \Sigma^* \text{ such that } st \in L\}$. Given a string $s \in L$, $L/s$ is called the post-language of $L$ after $s$ and is defined as $L/s = \{t \in \Sigma^* : st \in L\}$. $L$ is live if every string in $L$ can be extended to another string in $L$. Suppose that $\Sigma$ is partitioned as $\Sigma = \Sigma_o \cup \Sigma_{uo}$, where $\Sigma_o$ and $\Sigma_{uo}$ denote the observable and unobservable events, respectively. The projection of strings from $L$ to $\Sigma_o^*$ is denoted by $P$. Given a string $s \in L$, $P(s)$ is obtained by removing the unobservable events (elements of $\Sigma_{uo}$) from $s$. The inverse projection of a string $s_o \in \Sigma_o^*$, denoted by $P^{-1}(s_o)$, is the set of strings in $\Sigma^*$ whose projection is equal to $s_o$. Formally,
$$P^{-1}(s_o) = \{s \in \Sigma^* : P(s) = s_o\}. \qquad (4.1)$$
Given an event $\sigma \in \Sigma$ and a string $s \in \Sigma^*$, we use the set notation $\sigma \in s$ to say that $\sigma$ appears at least once in $s$. Given a string of the form $u = stv$ in $L$, $s$ is called a prefix of $u$, $t$ a substring of $u$, and $v$ a suffix of $u$. Given a string $s \in L$, a subsequence of $s$ is obtained by deleting zero or more events in $s$.

Let $L$ be a language and $K$ a finite set of bounded strings over $\Sigma$. Given $s \in K$, define the set $S(s, L) \subseteq L$ as
$$S(s, L) = \{\omega \in L : s \text{ is a subsequence of } \omega\} \qquad (4.2)$$
and the set $S(K, L) \subseteq L$ as
$$S(K, L) = \bigcup_{s \in K} S(s, L). \qquad (4.3)$$
Given $s = s_1\sigma \in K$ where $s_1 \in \Sigma^*$ and $\sigma \in \Sigma$, define the set $\Psi_S(s_1\sigma, L) \subseteq S$ as
$$\Psi_S(s_1\sigma, L) = \{\omega_1\sigma \in L : s_1\sigma \text{ is a subsequence of } \omega_1\sigma\}, \qquad (4.4)$$
and
$$\Psi_S(K, L) = \bigcup_{s \in K} \Psi_S(s, L). \qquad (4.5)$$
Now consider the corresponding definitions for the case of substrings. Given $s \in K$, define the set $T(s, L) \subseteq L$ as
$$T(s, L) = \{\omega \in L : s \text{ is a substring of } \omega\}, \qquad (4.6)$$
and the set $T(K, L) \subseteq L$ as
$$T(K, L) = \bigcup_{s \in K} T(s, L). \qquad (4.7)$$
Given $s = s_1\sigma \in K$ where $s_1 \in \Sigma^*$ and $\sigma \in \Sigma$, define the set $\Psi_T(s_1\sigma, L) \subseteq T$ as
$$\Psi_T(s_1\sigma, L) = \{\omega_1\sigma \in L : s_1\sigma \text{ is a substring of } \omega_1\sigma\}, \qquad (4.8)$$
and
$$\Psi_T(K, L) = \bigcup_{s \in K} \Psi_T(s, L). \qquad (4.9)$$
The following result is immediate from the above definitions.

Proposition 10. Given a language $L$ and a finite set of bounded strings $K$ over $\Sigma$,
$$s \in S(K, L) \Rightarrow (\forall t \in L/s)\,(st \in S(K, L)), \qquad (4.10)$$
and similarly
$$s \in T(K, L) \Rightarrow (\forall t \in L/s)\,(st \in T(K, L)). \qquad (4.11)$$
Hereafter, for the sake of presentation, we drop the language $L$ and the finite set of bounded strings $K$ from the notations $S(K, L)$, $T(K, L)$, $\Psi_S(K, L)$ and $\Psi_T(K, L)$, since they are always fixed.

A Finite State Automaton (FSA) is a five-tuple
$$G = (Q, \Sigma, \delta, q_0, F) \qquad (4.12)$$
where $Q$ is the finite set of states, $\Sigma$ is the finite set of events, $\delta : Q \times \Sigma \to Q$ is the partial state transition function, $q_0$ is the initial state, and $F \subseteq Q$ is the set of marked states. We extend $\delta$ from domain $Q \times \Sigma$ to domain $Q \times \Sigma^*$ as follows: $\delta(q, \epsilon) = q$ and $\delta(q, s\sigma) = \delta(\delta(q, s), \sigma)$ for $s \in \Sigma^*$ and $\sigma \in \Sigma$. The language generated by $G$ is $L(G) = \{s \in \Sigma^* : \delta(q_0, s) \text{ is defined}\}$. The language marked by $G$ is $L_m(G) = \{s \in \Sigma^* : \delta(q_0, s) \in F\}$. A set of states $\{q_1, \ldots, q_l\} \subseteq Q$ and a string $\sigma_1 \ldots \sigma_l \in \Sigma^*$ form a cycle in $G$ if $q_{i+1} = \delta(q_i, \sigma_i)$ for $i = 1, \ldots, l-1$ and $q_1 = \delta(q_l, \sigma_l)$.

4.3 Pattern Diagnosability

We model the system as a language $L$ over an event set $\Sigma$ and the pattern as a bounded set $K$ of finite-length strings over $\Sigma_K \subseteq \Sigma$. We define two different types of pattern diagnosability: S-type and T-type. First, we present an illustrative example for each type of pattern diagnosability. Then, we give the formal definitions. We conclude the section by showing that the notion of pattern diagnosability is a generalization of the notion of diagnosability defined in [55].

In this chapter, given a language $L$ and a pattern $K$ over $\Sigma_K \subseteq \Sigma$, we assume that there exists $n_0 \in \mathbb{N}$ such that for all $vst \in L$, if $s \in \Sigma_{uo}^*$, then $|s| \le n_0$; that is, the system executes no arbitrarily long (in particular, no cyclic) runs of unobservable events.

Consider the prefix-closed, live language $L$ generated by the FSA $G$ shown in Fig. 4.1. The language $L$ is
$$L = aedbd^* + (ad + de)cb^* + dbacd^*. \qquad (4.13)$$
Suppose that $\Sigma_o = \{b, d\}$ and $\Sigma_{uo} = \{a, c, e\}$, and let $K = \{ab, dc\}$ be the pattern to be diagnosed. The set of strings in $L$ with subsequences in $K$ is $S = \{aedbd^l, adcb^m, decb^p, dbacd^r : l, m, p, r \ge 0\}$. Then $\Psi_S = \{aedb, adcb^m, dec, dbac : m \ge 0\}$. We now show that for each string $s$ in $\Psi_S$ and for each long-enough continuation $t$ of $s$, each string in $L$ that records the same observed string as $st$ is in $S$.

Let $s_1 = aedb$. If $t \in L/s_1$, then $t \in \{d^l : l \ge 0\}$. Pick $t_1 = d^{l_1}$ for some $l_1 \ge 1$; then $P^{-1}P(s_1t_1) \cap L = \{aedbd^{l_1}, dbacd^{l_1}\}$ and $P^{-1}P(s_1t_1) \cap L \subseteq S$. (For $l_1 = 0$, $P^{-1}P(aedb) \cap L$ also contains $db \notin S$, so a delay of at least one observation is needed here.)

Let $s_2 = adc$. If $t \in L/s_2$ and $|t| \ge 2$, then $t \in \{b^l : l \ge 2\}$. Pick $t_2 = b^{l_2}$ for some $l_2 \ge 2$. Then $P^{-1}P(s_2t_2) \cap L = \{adcb^{l_2}, decb^{l_2}\}$ and $P^{-1}P(s_2t_2) \cap L \subseteq S$.

Let $s_3 = dec$. If $t \in L/s_3$ and $|t| \ge 2$, then $P^{-1}P(s_3t) \cap L \subseteq S$, exactly as for $s_2$. Let $s \in \{adcb^m : m \ge 1\}$. If $t \in L/s$ and $|t| \ge 0$, then $P^{-1}P(st) \cap L \subseteq S$. Finally, let $s = dbac$. If $t \in L/s$ and $|t| \ge 1$, then $t \in \{d^l : l \ge 1\}$ and $P^{-1}P(st) \cap L = \{aedbd^{l}, dbacd^{l}\} \subseteq S$, as for $s_1$. Hence a delay of $n = 2$ observations suffices for every string in $\Psi_S$.

Based on the above discussion, we formally define S-type pattern diagnosability as follows.

Definition 11. A prefix-closed, live language $L$ over $\Sigma$ is S-type pattern diagnosable with respect to a pattern $K$, a finite set of bounded strings over $\Sigma_K \subseteq \Sigma$, and projection $P$ if
$$(\exists n \in \mathbb{N})\,(\forall s \in \Psi_S(K, L))\,(\forall t \in L/s)\,(|t| \ge n \Rightarrow D^S_P)$$
where $D^S_P : P^{-1}P(st) \cap L \subseteq S$.

We now study T-type pattern diagnosability. Consider the prefix-closed, live language $L$ generated by the FSA $G$ shown in Fig. The language $L$ is
$$L = da(bb^* + cbd^*) + ed(bd^* + cb^*). \qquad (4.14)$$
Suppose that $\Sigma_o = \{b, d\}$ and $\Sigma_{uo} = \{a, c, e\}$, and let $K = \{ab, dc\}$ be the pattern to be diagnosed. Then $T = \{dabb^l, edcb^m : l, m \ge 0\}$ and $\Psi_T = \{dab, edc\}$. We show that for each string $s$ in $\Psi_T$ and for each long-enough continuation $t$ of $s$, each string in $L$ that records the same observed string as $st$ is in $T$.

Let $s_1 = dab$. If $t \in L/s_1$ and $|t| \ge 1$, then $t \in \{b^l : l \ge 1\}$. Pick $t_1 = b^{l_1}$ for some $l_1 \ge 1$. Then $P(s_1t_1) = db^{l_1+1}$, so $P^{-1}P(s_1t_1) \cap L = \{dabb^{l_1}, edcb^{l_1+1}\}$ and $P^{-1}P(s_1t_1) \cap L \subseteq T$. (For $l_1 = 0$, $P^{-1}P(dab) \cap L$ also contains $edb$ and $dacb$, neither of which is in $T$.)

Let $s_2 = edc$. If $t \in L/s_2$ and $|t| \ge 1$, then $t \in \{b^l : l \ge 1\}$. Pick $t_2 = b^{l_2}$ for some $l_2 \ge 1$. Then $P(s_2t_2) = db^{l_2}$, so $P^{-1}P(s_2t_2) \cap L = \{dabb^{l_2-1}, edcb^{l_2}\} \subseteq T$.

Based on the above discussion, we formally define T-type pattern diagnosability as follows.

Definition 12. A prefix-closed, live language $L$ over $\Sigma$ is T-type pattern diagnosable with respect to $K$, a finite set of bounded strings over $\Sigma_K \subseteq \Sigma$, and projection $P$ if
$$(\exists n \in \mathbb{N})(\forall s \in \Psi_T(K, L))(\forall t \in L/s)\,(|t| \ge n \Rightarrow D^T_P)$$
where $D^T_P : P^{-1}P(st) \cap L \subseteq T$.

We emphasize here that both types of pattern diagnosability defined in this chapter detect occurrences of a string in the pattern. In the above examples, if the pattern is $K' = \{ab\} \subset K$, then $L$ is neither S-type nor T-type pattern diagnosable with respect to $K'$ and projection $P$.

Proposition 13. If a prefix-closed, live language $L$ is T-type pattern diagnosable with respect to a pattern $K$ and projection $P$, then $L$ is also S-type pattern diagnosable with respect to $K$ and $P$. The reverse is not true in general.

The proof of the first part of Proposition 13 follows directly from Definitions 11 and 12. The reverse direction is proved by Example 28, presented in Section 4.4. However, for some patterns with specific structures, S-type pattern diagnosability is equivalent to T-type pattern diagnosability. One such pattern structure is a set of strings where each string is of length 1.

Corollary 14. If $|s| = 1$ for all $s \in K$, then a prefix-closed, live language $L$ is S-type pattern diagnosable with respect to a pattern $K$ and projection $P$ iff $L$ is T-type pattern diagnosable with respect to $K$ and $P$.

When $K$ is a set of strings of length 1, both S-type and T-type pattern diagnosability reduce to the notion of diagnosability defined in [55]. In that case, the pattern $K$ corresponds to a single fault type and the events in $K$ are exactly the fault events of that fault type. This observation proves Corollary 14.

[Figure 4.1: G.]

4.4 Verification of Pattern Diagnosability for Regular Languages

In this section, we consider systems modeled by regular languages. Regular languages are the languages that are accepted (or generated) by FSA. We construct two types of FSA: $H_S$ for S-type and $H_T$ for T-type pattern diagnosability. Our objective in constructing these two specific FSA is to develop a generic test to verify the pattern diagnosability of $L$ with respect to $K$, where $L$ is the language generated by an FSA $G$ and $K$ is the given pattern over $\Sigma_K \subseteq \Sigma$.

[Figure 4.2: G.]

The FSA $G$ can be nondeterministic. Each state of $G$ is marked. Thus, $L = L(G) = L_m(G)$, i.e., $L$ is prefix-closed. Given an event set $\Sigma$ and a string $s = \sigma_1 \sigma_2 \ldots \sigma_m \in \Sigma^*$ for an integer $m$, build a special FSA
$$H_S(\Sigma, s) = (Q^S, \Sigma, \delta^S, q^S_0, F^S), \qquad (4.15)$$
where $Q^S = \{0, 1, 2, \ldots, |s|\}$, $q^S_0 = 0$, $F^S = \{|s|\}$, and for all $q \in Q^S \setminus \{|s|\}$ and $\sigma \in \Sigma$
$$\delta^S(q, \sigma) = \begin{cases} q + 1, & \sigma = \sigma_{q+1}, \\ q, & \text{otherwise,} \end{cases} \qquad (4.16)$$
and $\delta^S(|s|, \sigma) = |s|$.

Similarly, given an event set $\Sigma$ and a string $s = \sigma_1 \sigma_2 \ldots \sigma_m \in \Sigma^*$ for an integer $m$, build a special FSA
$$H_T(\Sigma, s) = (Q^T, \Sigma, \delta^T, q^T_0, F^T), \qquad (4.17)$$
where $Q^T = \{0, 1, 2, \ldots, |s|\}$, $q^T_0 = 0$, $F^T = \{|s|\}$, and for all $q \in Q^T \setminus \{|s|\}$ and $\sigma \in \Sigma$
$$\delta^T(q, \sigma) = \begin{cases} q + 1, & \sigma = \sigma_{q+1}, \\ \max\{i : i \in \mathrm{match}(q)\}, & \mathrm{match}(q) \neq \emptyset, \\ 0, & \text{otherwise,} \end{cases} \qquad (4.18)$$
where $\mathrm{match}(q) = \{i : [(i = 1) \wedge (\sigma_1 = \sigma)] \vee [(1 < i \le q) \wedge (\sigma_1 \ldots \sigma_i = \sigma_{q-i+1} \ldots \sigma_q)]\}$ and $\delta^T(|s|, \sigma) = |s|$. The FSA $H_T(\Sigma, s)$ built for $s$ and $\Sigma$ is based on the Knuth-Morris-Pratt algorithm presented in [32]. The algorithm finds the occurrences of a string $s$ in a text over the alphabet $\Sigma$.

Example 15. Consider $\Sigma = \{c, a, o\}$ and $s = cacao$. Then, $H_T(\Sigma, s)$ is as shown in Fig. 4.3.

[Figure 4.3: $H_T(\Sigma, s)$ where $s = cacao$ and $\Sigma = \{c, a, o\}$.]

Let $G_1 = (Q_1, \Sigma_1, \delta_1, q^1_0, F_1)$ and $G_2 = (Q_2, \Sigma_2, \delta_2, q^2_0, F_2)$ be two FSA. Define the product FSA of $G_1$ and $G_2$ as
$$G_1 \times G_2 = (Q, \Sigma, \delta, q_0, F), \qquad (4.19)$$
where $Q \subseteq Q_1 \times Q_2$, $\Sigma = \Sigma_1 \cap \Sigma_2$, $q_0 = (q^1_0, q^2_0)$, $F = F_1 \times F_2$, and $\delta((q_1, q_2), \sigma) = (\delta_1(q_1, \sigma), \delta_2(q_2, \sigma))$ if both $\delta_1(q_1, \sigma)$ and $\delta_2(q_2, \sigma)$ are defined, and undefined otherwise.

Let $G = (Q, \Sigma, \delta, q_0, F)$. Define the observer FSA of $G$ as (see, e.g., [10] for further details)
$$\mathrm{Obs}(G) = (X, \Sigma_o, \delta_o, x_0), \qquad (4.20)$$
where each $x \in X$ is a set of states in $Q$, $\Sigma_o \subseteq \Sigma$ is the set of observable events, and $x_0$ is the initial observer state. In this paper, we do not consider the marking of the observer states. Let $x = \{q^x_i \in Q : i = 1, \ldots, l\} \in X$ where $l$ is a positive integer. We define the unobservable reach of $x$, denoted by $UR_G(x)$, as
$$UR_G(x) = \{q \in Q : q = \delta(q^x_i, u) \text{ is defined for some } i \in \{1, \ldots, l\} \text{ and } u \in \Sigma_{uo}^*\}. \qquad (4.21)$$
The initial observer state is found as $x_0 = UR_G(q_0)$. The observer state transition function is defined for $x \in X$ and $\sigma_o \in \Sigma_o$ if there exists $q \in UR_G(x)$ such that $\delta(q, \sigma_o)$ is defined. In that case, the observer state transition function finds the next observer state, $x' = \delta_o(x, \sigma_o)$, as follows:
$$x' = \{q' \in Q : q' = \delta(q, \sigma_o) \text{ is defined for some } q \in UR_G(x)\}. \qquad (4.22)$$
The observer state $x$ is marking-certain if $q^x_i \in F$ for $i = 1, \ldots, l$, and marking-uncertain if there exist $q^x_i \in F$ and $q^x_j \in Q \setminus F$ for some $i, j \in \{1, \ldots, l\}$.

Definition 16 (Marking-indeterminate cycle). Let $\{x_1, \ldots, x_m\}$ and $\sigma_{o,1} \ldots \sigma_{o,m} \in \Sigma_o^*$ form a cycle in $\mathrm{Obs}(G)$ where $m$ is an integer. The cycle in $\mathrm{Obs}(G)$ is a marking-indeterminate cycle if the following are satisfied:
1. $x_i$ is marking-uncertain for $i = 1, \ldots, m$,
2. $q^k_i, r^l_i \in x_i$ for all $i = 1, \ldots, m$, $k = 1, \ldots, M$, and $l = 1, \ldots, N$ such that
   (a) $q^k_i$ is marked and $r^l_i$ is not marked for all $i, k, l$,
   (b) there are two corresponding cycles (see footnote 1) in $G$:
$$q^1_1 \xrightarrow{\sigma_{o,1} t^1_1} q^1_2 \to \cdots \xrightarrow{\sigma_{o,m-1} t^1_{m-1}} q^1_m \xrightarrow{\sigma_{o,m} t^1_m} q^2_1 \to \cdots \xrightarrow{\sigma_{o,m-1} t^2_{m-1}} q^2_m \to \cdots \to q^M_1 \xrightarrow{\sigma_{o,1} t^M_1} q^M_2 \to \cdots \xrightarrow{\sigma_{o,m-1} t^M_{m-1}} q^M_m \xrightarrow{\sigma_{o,m} t^M_m} q^1_1 \qquad (4.23)$$
and
$$r^1_1 \xrightarrow{\sigma_{o,1} u^1_1} r^1_2 \to \cdots \xrightarrow{\sigma_{o,m-1} u^1_{m-1}} r^1_m \xrightarrow{\sigma_{o,m} u^1_m} r^2_1 \to \cdots \xrightarrow{\sigma_{o,m-1} u^2_{m-1}} r^2_m \to \cdots \to r^N_1 \xrightarrow{\sigma_{o,1} u^N_1} r^N_2 \to \cdots \xrightarrow{\sigma_{o,m-1} u^N_{m-1}} r^N_m \xrightarrow{\sigma_{o,m} u^N_m} r^1_1 \qquad (4.24)$$
where $t^k_i, u^l_i \in \Sigma_{uo}^*$ for all $i, k, l$.

Define a union FSA $U(G_1, G_2)$ of $G_1$ and $G_2$ such that $L(U(G_1, G_2)) = L(G_1) \cup L(G_2)$ and $s \in L_m(U(G_1, G_2))$ if $s \in L_m(G_1)$ or $s \in L_m(G_2)$. The extension of the union of two FSA to more than two is a recursive operation: $U(G_1, G_2, \ldots, G_m) = U(\ldots U(U(G_1, G_2), G_3) \ldots, G_m)$, where $G_i$ is an FSA for all $i = 1, \ldots, m$.

Let $s$ be a string in $K$ and let $L = L(G) = L_m(G)$. In Lemma 17, we state that the language marked by the product FSA of $G$ and $H_S(\Sigma, s)$ is exactly the set of strings in $L$ that contain $s$ as a subsequence. In Lemma 18, we generalize Lemma 17 to consider all strings in the pattern $K$ instead of a single string in $K$.

Lemma 17 (S-type). Given $L = L(G) = L_m(G)$, a pattern $K$, and $s \in K$,
$$L_m(G \times H_S(\Sigma, s)) = S(s, L), \qquad (4.25)$$
and
$$L(G \times H_S(\Sigma, s)) = L. \qquad (4.26)$$

Footnote 1: $q \xrightarrow{s} q'$ denotes $q' = \delta(q, s)$, where $q$ and $q'$ are states and $s$ is a string.

Proof. Firstly, we prove that $L(G \times H_S(\Sigma, s)) = L$. By definition of the product operation and $L(G) = L$,
$$L(G \times H_S(\Sigma, s)) = L \cap L(H_S(\Sigma, s)). \qquad (4.27)$$
The state transition function of $H_S(\Sigma, s)$ is defined at every state of $H_S(\Sigma, s)$ for every event in $\Sigma$. Thus, $L(H_S(\Sigma, s)) = L$. If we substitute this in Equation 4.27, then we have $L(G \times H_S(\Sigma, s)) = L$. This completes the proof.

Secondly, we prove that $L_m(G \times H_S(\Sigma, s)) = S(s, L)$. The proof is in two parts. Let $s = \sigma_1 \ldots \sigma_k$, where $\sigma_i \in \Sigma$ for $i = 1, \ldots, k$, $k$ is an integer, and $\Sigma$ is the event set of $G$.

$\{L_m(G \times H_S(\Sigma, s)) \subseteq S(s, L)\}$. Pick $\omega \in L_m(G \times H_S(\Sigma, s))$. Then, by definition of the product operation, $\omega \in L_m(G) = L$ and $\omega \in L_m(H_S(\Sigma, s))$. By construction of $H_S(\Sigma, s)$, $\omega$ is of the form
$$\omega = \omega_1 \sigma_1 \ldots \omega_k \sigma_k \omega_{k+1}, \qquad (4.28)$$
where $\omega_i \in (\Sigma \setminus \{\sigma_i\})^*$ for $i = 1, \ldots, k, k+1$. Thus, $s$ is a subsequence of $\omega$. Also, $\omega \in L$. Then, $\omega \in S(s, L)$. This completes the first part of the proof.

$\{S(s, L) \subseteq L_m(G \times H_S(\Sigma, s))\}$. Pick $\omega \in S(s, L)$. Then, by definition, $\omega \in L$ and $s = \sigma_1 \ldots \sigma_k$ is a subsequence of $\omega$. Thus, $\omega \in L_m(G)$. We need to show that $\omega \in L_m(H_S(\Sigma, s))$. The proof is by the construction of $H_S(\Sigma, s)$. We have $H_S(\Sigma, s) = (Q^S, \Sigma, \delta^S, q^S_0, F^S)$. Also, by definition of subsequence, $\omega$ contains $s$. Then, $\omega$ is as given in Equation 4.28. If $\delta^S(0, \omega) = k$, then $\omega \in L_m(H_S(\Sigma, s))$. Now,
$$\delta^S(0, \omega) = \delta^S(\ldots \delta^S(\delta^S(0, \omega_1 \sigma_1), \omega_2 \sigma_2) \ldots, \omega_k \sigma_k), \omega_{k+1}). \qquad (4.29)$$
By definition of $\delta^S$, $1 \le \delta^S(0, \omega_1 \sigma_1) \le k$. This is because if $\sigma_1 \notin \omega_1$ then $\delta^S(0, \omega_1 \sigma_1) = 1$. Otherwise, if $\sigma_1 \in \omega_1$, then there exists a prefix $\omega_{11}$ of $\omega_1$ such that $\sigma_1 \notin \omega_{11}$. Then, $\delta^S(0, \omega_{11} \sigma_1) = 1$. Thus, $\delta^S(0, \omega_1 \sigma_1) \ge 1$. Also, by definition of $\delta^S$, if $\delta^S(0, z) = i$ where $z \in \Sigma^*$ and $i = 0, 1, \ldots, k$, then $\delta^S(0, z\sigma) = i$ or $\delta^S(0, z\sigma) = i + 1$ for $i = 0, 1, \ldots, k - 1$, and $\delta^S(0, z\sigma) = k$ for $i = k$. Then, $\delta^S(0, \omega_1 \sigma_1 \ldots \omega_{k-1} \sigma_{k-1}) = \delta^S(\ldots \delta^S(\delta^S(0, \omega_1 \sigma_1), \omega_2 \sigma_2) \ldots, \omega_{k-1} \sigma_{k-1})$ is equal to $k - 1$ or $k$. Thus, $\delta^S(0, \omega) = \delta^S(\delta^S(0, \omega_1 \sigma_1 \ldots \omega_{k-1} \sigma_{k-1}), \omega_k \sigma_k \omega_{k+1}) = k$. Thus, $\omega \in L_m(H_S(\Sigma, s))$. This completes the proof.

Lemma 18 (S-type). Given $L = L(G) = L_m(G)$ and a pattern $K$,
$$L_m(U_{s \in K}(G \times H_S(\Sigma, s))) = S \qquad (4.30)$$
and
$$L(U_{s \in K}(G \times H_S(\Sigma, s))) = L. \qquad (4.31)$$

Proof. The proof of $L(U_{s \in K}(G \times H_S(\Sigma, s))) = L$ follows directly from Lemma 17. The proof of $L_m(U_{s \in K}(G \times H_S(\Sigma, s))) = S$ is in two parts. Let $U = U_{s \in K}(G \times H_S(\Sigma, s))$.

$\{L_m(U) \subseteq S(K, L)\}$. Pick $\omega \in L_m(U)$. By definition of the union operation, $\omega \in L_m(G \times H_S(\Sigma, s))$ for some $s \in K$. Then, by Lemma 17, $\omega \in S(s, L)$. Thus, $\omega \in S$.

$\{S \subseteq L_m(U)\}$. Pick $\omega \in S$. Then, there exists an $s \in K$ such that $\omega \in S(s, L)$. Then, by Lemma 17, $\omega \in L_m(G \times H_S(\Sigma, s))$. By definition of the union operation, $\omega \in L_m(U)$.

In the following theorem, we state the necessary and sufficient condition for S-type pattern diagnosability of a regular language with respect to a pattern.

Theorem 19 (S-type). A prefix-closed, live language $L = L(G) = L_m(G)$ is S-type pattern diagnosable with respect to pattern $K$ and projection $P$ iff $\mathrm{Obs}(U_{s \in K}(G \times H_S(\Sigma, s)))$ does not contain any marking-indeterminate cycles.

Proof. The proof is in two parts. For readability of the proof, let $U = U_{s \in K}(G \times H_S(\Sigma, s))$, and drop $K$ and $L$ in $\Psi_S(K, L)$ of Definition 11 and use $\Psi_S$ instead; similarly for $S$. Let
$$U = (Q, \Sigma, \delta, q_0, F), \qquad (4.32)$$
$$\mathrm{Obs}(U) = (X, \Sigma_o, \delta_o, x_0). \qquad (4.33)$$

($\Rightarrow$) We first show that if $L$ is S-type pattern diagnosable, then $\mathrm{Obs}(U)$ does not contain any marking-indeterminate cycle. The proof is by contradiction. Suppose that $\{x_1, \ldots, x_m\} \subseteq X$ and $\sigma_{o,1} \ldots \sigma_{o,m} \in \Sigma_o^*$ form a marking-indeterminate cycle in $\mathrm{Obs}(U)$. Consider Definition 16 of a marking-indeterminate cycle. Without loss of generality, pick a marked state $q^1_1 \in F$ in $x_1$. Since $q^1_1$ is a marked state of $U$, there exists an $\omega \in L_m(U)$ such that $q^1_1 = \delta(q_0, \omega)$. By Lemma 17, since $\omega \in L_m(U)$, there exists an $s \in K$ such that $\omega \in S(s, L)$. We now consider the following two cases: (i) $\omega \in \Psi_S$, and (ii) $\omega \notin \Psi_S$.

Case (i): There exists $\omega_1 \in L/\omega$ such that $\omega_1 = (\sigma_{o,1} t \cdots \sigma_{o,m})^{M_1} t^M_m$ and $q^k_i \in F$ for $i = 1, \ldots, m$ and $k = 1, \ldots, M$ form a cycle of marked states in $U$ as shown in Equation 4.23, where $M_1 \ge 1$ is an integer. By definition of marking-indeterminate cycle, there exists another cycle in $U$ formed by states that are not marked. Let $r^1_1 = \delta(q_0, \omega')$ where $P(\omega') = P(\omega)$. There exists $\omega'_1 \in L/\omega'$ such that $\omega'_1 = (u^1_1 \sigma_{o,1} \ldots u^N_m \sigma_{o,1})^{N_1}$ and $r^l_i \notin F$ for $i = 1, \ldots, m$ and $l = 1, \ldots, N$ form a cycle of unmarked states in $U$ as shown in Equation 4.24, where $N_1 \ge 1$ is an integer. We choose $M_1$ and $N_1$ such that $P(\omega \omega_1) = P(\omega' \omega'_1)$ and $M_1$ is greater than $n$. For all $i = 1, \ldots, m$ and $l = 1, \ldots, N$, $r^l_i$ is not marked. Thus, $\omega' \omega'_1 \notin L_m(U)$. Then, by Lemma 18, $\omega' \omega'_1 \notin S$. On the other hand, since $\omega \in S$, $\omega \omega_1 \in S$. This violates $D^S_P$ in Definition 11, because $\omega \omega_1 \in S$ and $\omega' \omega'_1 \notin S$ but $P(\omega \omega_1) = P(\omega' \omega'_1)$, even though $\omega_1$ is long enough. Thus, $L$ is not S-type pattern diagnosable with respect to $K$ and $P$. This is a contradiction.

Case (ii): Suppose that $q^1_1 = \delta(q_0, \omega)$. Since $\omega \notin \Psi_S$ and $\omega \in S$, there exists a prefix $v$ of $\omega$ such that $v \in \Psi_S$. The rest of the proof is similar to the proof of Case (i) and is omitted here.

($\Leftarrow$) We show that if $\mathrm{Obs}(U)$ does not contain any marking-indeterminate cycles, then $L$ is S-type pattern diagnosable. The proof is by contradiction. Suppose that $L$ is not S-type pattern diagnosable; then we have
$$(\forall n \in \mathbb{N})(\exists s \in \Psi_S)(\exists t \in L/s)\,[(|t| \ge n) \wedge \neg D^S_P] \qquad (4.34)$$
where
$$\neg D^S_P : P^{-1}P(st) \cap (L \setminus S) \neq \emptyset. \qquad (4.35)$$
Pick $n_1 \ge \max(|\mathrm{Obs}(U)|, |U|)$. By Equation 4.34, there exist $s_1 \in \Psi_S$ and $t_1 \in L/s_1$ such that $|P(t_1)| \ge n_1$ and $P^{-1}P(s_1 t_1) \cap (L \setminus S) \neq \emptyset$. By the pumping lemma for regular sets, $t_1 = u v^m z$ where $u, v, z \in \Sigma_o^*$ and $m$ is an integer. By Proposition 10, $s_1 u v^m z \in S(K, L)$. By Lemma 18, $s_1 u v^m z \in L_m(U)$. Let the cycle be formed by $\{q_1 \ldots q_M\} \subseteq Q$ and $v = \sigma_1 \ldots \sigma_M$ in $U$, where $M$ is an integer. Then, $q_i \in F$ for all $i = 1, \ldots, M$.

By the condition in Equation 4.35, there exists $\omega \in L \setminus S$ such that $\omega \in P^{-1}P(s_1 t_1)$. By Lemma 18, if $\omega \in L \setminus S$, then $\omega \notin L_m(U)$ and $\omega \in L(U)$. By the pumping lemma for regular languages, $\omega$ contains a cycle. Let the cycle be formed by $\{r_1 \ldots r_N\} \subseteq Q$ and $v' = \sigma'_1 \ldots \sigma'_N$ in $U$, where $N$ is an integer. Since $P(\omega) = P(s_1 t_1)$, $P(v) = P(v')$. Since $\omega \in L(U) \setminus L_m(U)$ and by Proposition 10, $r_j \in Q \setminus F$ for $j = 1, \ldots, N$. Thus, $\{q_1 \ldots q_M\} \subseteq F$ and $v$, together with $\{r_1 \ldots r_N\} \subseteq Q \setminus F$ and $v'$, form a marking-indeterminate cycle. This is a contradiction.

We consider illustrative examples to present the notions and results of S-type diagnosability introduced in this section. We use [33] to build FSA and perform (language-based) operations on FSA. Example 20 considers a language $L$ that is S-type pattern diagnosable with respect to a pattern $K_1$. In Example 21, the language $L$ is not S-type pattern diagnosable with respect to a pattern $K_2$ that is a subset of $K_1$.

Example 20 (S-type pattern diagnosability). Consider $G$ in Fig. 4.1. Suppose that $\Sigma = \{a, b, c, d, e\}$ and $\Sigma_o = \{b, d\}$. Let $L = L(G)$ and $K_1 = \{ab, dc\}$. Then, the union FSA $U = U_{s \in K_1}(G \times H_S(\Sigma, s))$ and $\mathrm{Obs}(U)$ are as shown in Figures 4.4 and 4.5, respectively. Neither of the cycles in $\mathrm{Obs}(U)$ is marking-indeterminate. Thus, $L$ is S-type pattern diagnosable with respect to $K_1$ (as argued in Section 4.3).

Example 21 (S-type pattern diagnosability). Consider the $G$ and $\Sigma_{uo}$ of Example 20. Let $K_2 = \{ab\}$. The union FSA $U = U_{s \in K_2}(G \times H_S(\Sigma, s))$ and $\mathrm{Obs}(U)$ are built as shown in Figures 4.6 and 4.7, respectively. Both of the cycles in $\mathrm{Obs}(U)$ are marking-indeterminate. Consider the cycle formed by $\{6, 5\}$ and $d$. The observer state $\{6, 5\}$ is marking-uncertain since 6 is marked in $U$ but 5 is not. In addition, there is a cycle formed by 6 and $d$, i.e., a cycle of marked states, and another cycle formed by 5 and $d$, i.e., a cycle of states that are not marked. Thus, the cycle formed by $\{6, 5\}$ and $d$ is marking-indeterminate. Similarly, the cycle formed by $\{9, 11\}$ and $b$ is marking-indeterminate. Thus, $L$ is not S-type pattern diagnosable with respect to $K_2$ (as argued in Section 4.3).

[Figure 4.4: $U = U_{s \in K_1}(G \times H_S(\Sigma, s))$ where $K_1 = \{ab, dc\}$ and $\Sigma = \{a, b, c, d, e\}$.]

[Figure 4.5: $\mathrm{Obs}(U)$ for $K_1 = \{ab, dc\}$ where $\Sigma_o = \{b, d\}$.]

[Figure 4.6: $U = U_{s \in K_2}(G \times H_S(\Sigma, s))$ where $K_2 = \{ab\}$ and $\Sigma = \{a, b, c, d, e\}$.]

[Figure 4.7: $\mathrm{Obs}(U)$ for $K_2 = \{ab\}$ where $\Sigma_o = \{b, d\}$.]

In the rest of this section, we consider the verification of T-type pattern diagnosability. We restate Lemmas 17 and 18 in the context of T-type pattern diagnosability in Lemmas 22 and 23, respectively.

Lemma 22 (T-type). Given $L = L(G) = L_m(G)$, a pattern $K$, and $s \in K$,
$$L_m(G \times H_T(\Sigma, s)) = T(s, L), \qquad (4.36)$$
and
$$L(G \times H_T(\Sigma, s)) \subseteq L. \qquad (4.37)$$

Proof. Firstly, we prove that $L(G \times H_T(\Sigma, s)) \subseteq L$. By definition of the product operation, we have
$$L(G \times H_T(\Sigma, s)) = L(G) \cap L(H_T(\Sigma, s)) \qquad (4.38)$$
$$= L \cap L(H_T(\Sigma, s)) \qquad (4.39)$$
$$\subseteq L. \qquad (4.40)$$
Secondly, we prove that $L_m(G \times H_T(\Sigma, s)) = T(s, L)$. Let $s = \sigma_1 \ldots \sigma_k$, where $\sigma_i \in \Sigma$ for $i = 1, \ldots, k$, $k$ is an integer, and $\Sigma$ is the event set of $G$.

$\{L_m(G \times H_T(\Sigma, s)) \subseteq T(s, L)\}$. Pick $\omega \in L_m(G \times H_T(\Sigma, s))$. Then, by definition of the product operation, $\omega \in L_m(G) = L$ and $\omega \in L_m(H_T(\Sigma, s))$. By construction of $H_T(\Sigma, s)$ (see [32] for correctness of the construction), $\omega$ is of the form
$$\omega = \omega_1 \sigma_1 \ldots \sigma_k \omega_2, \qquad (4.41)$$
where $\omega_1 \in (\Sigma \setminus \{\sigma_1\})^*$ and $\omega_2 \in \Sigma^*$. Then, $s$ is a substring of $\omega$. Thus, $\omega \in T(s, L)$.

$\{T(s, L) \subseteq L_m(G \times H_T(\Sigma, s))\}$. Pick $\omega \in T(s, L)$. Then, $\omega \in L$ and $s$ is a substring of $\omega$. Thus, $\omega \in L_m(G)$.

Since $s$ is a substring of $\omega$, $\omega \in L$ is of the form $\omega = \omega_1 s \omega_2$, where $\omega_1$ and $\omega_2$ are in $\Sigma^*$. By construction of $H_T(\Sigma, s)$, $\omega_1 s \omega_2 \in L_m(H_T(\Sigma, s))$. Thus, $\omega \in L \cap L_m(H_T(\Sigma, s))$. This completes the proof.

Lemma 23 (T-type). Given $L = L(G) = L_m(G)$ and a pattern $K$,
$$L_m(U_{s \in K}(G \times H_T(\Sigma, s))) = T \qquad (4.42)$$
and
$$L(U_{s \in K}(G \times H_T(\Sigma, s))) \subseteq L. \qquad (4.43)$$

Proof. The proof of $L_m(U_{s \in K}(G \times H_T(\Sigma, s))) = T$ is similar to the proof of Lemma 18 and is thus omitted here. The proof of the inclusion $L(U_{s \in K}(G \times H_T(\Sigma, s))) \subseteq L$ is as follows. Let $U = U_{s \in K}(G \times H_T(\Sigma, s))$. Then, by definition of the union operation and Lemma 22,
$$L(U) = \bigcup_{s \in K} L(G \times H_T(\Sigma, s)) \qquad (4.44)$$
$$\subseteq L. \qquad (4.45)$$
This completes the proof.

The results of Lemma 22 differ slightly from the analogous ones in Lemma 17, and similarly for Lemma 23 and Lemma 18. In T-type pattern diagnosability, the equalities on the generated languages become inclusions. We explain this in the following. In S-type pattern diagnosability, when we form $H_S(\Sigma, s)$ for some $s \in K$, any event in $G$ is feasible from any state in $H_S(\Sigma, s)$. Thus, the product of $G$ and $H_S(\Sigma, s)$ contains all the strings in the language generated by $G$. However, in T-type pattern diagnosability, when we form $H_T(\Sigma, s)$, there may be events in $G$ that are not feasible from some states in $H_T(\Sigma, s)$. Hence the inclusions in Lemmas 22 and 23. We consider in Example 24 an illustration of this technicality.

Example 24 (T-type pattern diagnosability). Consider $G$ in Fig. 4.2. Suppose that $\Sigma = \{a, b, c, d, e\}$ and $\Sigma_o = \{b, d\}$. Let $L = L(G)$ and $K = \{dc\}$. The FSA $H_T(\Sigma, dc)$ is shown in Fig. 4.8. The product of $G$ and $H_T(\Sigma, dc)$ is shown in Fig. 4.9. The string $dacbd$ is in the product but not in $G$.

[Figure 4.8: $H_T(\Sigma, dc)$ where $\Sigma = \{a, b, c, d, e\}$.]

[Figure 4.9: $G \times H_T(\Sigma, s)$ where $K = \{dc\}$ and $\Sigma = \{a, b, c, d, e\}$.]

We now define an FSA to convert the inclusions in Lemmas 22 and 23 into equalities. Let $G = (Q, \Sigma, \delta, q_0, F)$. We build the FSA $C(G) = (Q, \Sigma, \delta, q_0, \emptyset)$. By definition, $L(C(G)) = L(G)$ and $L_m(C(G)) = \emptyset$.

Lemma 25 (T-type). Given $L = L(G) = L_m(G)$ and a pattern $K$,
$$L(U(C(G), U_{s \in K}(G \times H_T(\Sigma, s)))) = L. \qquad (4.46)$$

Proof. Let $U = U(C(G), U_{s \in K}(G \times H_T(\Sigma, s)))$. By definition of the union operation,
$$L(U) = L(C(G)) \cup L(U_{s \in K}(G \times H_T(\Sigma, s))). \qquad (4.47)$$
The proof is in two parts.

$\{L(U) \subseteq L\}$. By definition, $L(C(G)) = L(G) = L$. By Lemma 23, $L(U_{s \in K}(G \times H_T(\Sigma, s))) \subseteq L$. Thus, by Equation 4.47, we have $L(U) \subseteq L$.

$\{L \subseteq L(U)\}$. By Equation 4.47, $L(C(G)) \subseteq L(U)$. By definition, $L(C(G)) = L$. Then, $L \subseteq L(U)$.

We state the necessary and sufficient condition for T-type pattern diagnosability in Theorem 26.

Theorem 26 (T-type). A prefix-closed, live language $L = L(G)$ is T-type pattern diagnosable with respect to pattern $K$ and projection $P$ iff $\mathrm{Obs}(U(C(G), U_{s \in K}(G \times H_T(\Sigma, s))))$ does not contain any marking-indeterminate cycle.

The proof of Theorem 26 is similar to the proof of Theorem 19 and is thus omitted here. The statements of Theorems 19 and 26 are similar except for $C(G)$. Formally, the reason for including $C(G)$ in Theorem 26 is as follows. Let $L = L(G)$ be a prefix-closed, live language, $\omega, \omega' \in L$, $\omega \in L_m(U_{s \in K}(G \times H_T(\Sigma, s)))$ and $\omega' \notin L(U_{s \in K}(G \times H_T(\Sigma, s)))$. We know that such $\omega$ and $\omega'$ may exist by Lemmas 23 and ??. Suppose that $P(\omega) = P(\omega')$. Then, $\omega' \in P^{-1}P(\omega) \cap L$. If $\omega$ and $\omega'$ are long enough, then the diagnosability condition $D^T_P$ in Definition 12 is violated. Thus, $L$ is not T-type pattern diagnosable with respect to $K$ and $P$. We now consider the observer $\mathrm{Obs}(U_{s \in K}(G \times H_T(\Sigma, s)))$. By Theorem 26, $\omega$ and $\omega'$ should contain suffixes that are parts of an indeterminate cycle. However, by assumption, $\omega' \notin L(U_{s \in K}(G \times H_T(\Sigma, s)))$. Then, $\mathrm{Obs}(U_{s \in K}(G \times H_T(\Sigma, s)))$ may not contain the marking-indeterminate cycle, and we may (wrongly) conclude that $L$ is pattern diagnosable with respect to $K$ and $P$. As a result, if we do not include $C(G)$ in the union operation in Theorem 26, then Theorem 26 yields a sufficient but not necessary condition for T-type pattern diagnosability.

We present the following illustrative examples. Example 27 considers a language $L$ that is T-type pattern diagnosable with respect to a pattern $K_1$. Example 28 is a counter-example showing that S-type pattern diagnosability does not imply T-type pattern diagnosability in general.

Example 27 (T-type pattern diagnosability). Consider $G$ in Fig. 4.2. Suppose that $\Sigma = \{a, b, c, d, e\}$ and $\Sigma_o = \{b, d\}$. Let $L = L(G)$ and $K_1 = \{ab, dc\}$. The union FSA $U$ defined in Theorem 26 is built from $G$, $H_T$ and $K_1$ and shown in Fig. 4.10. The observer FSA $\mathrm{Obs}(U)$ shown in Fig. 4.11 does not have marking-indeterminate cycles. Thus, $L$ is T-type pattern diagnosable with respect to $K_1$ (as argued in Section 4.3).

Example 28 (S-type vs. T-type pattern diagnosability). Consider $G$ in Fig. 4.12. Suppose that $\Sigma = \{a, b, c, d\}$ and $\Sigma_o = \{b, d\}$. Let $L = L(G)$ and $K = \{ab, dc\}$. The union FSA $U_S$ defined in Theorem 19 is built from $G$, $H_S$ and $K$ and is shown in Fig. 4.13. The observer FSA $\mathrm{Obs}(U_S)$ is shown in Fig. 4.14. The observer FSA does not contain any marking-indeterminate cycle. Thus, $L$ is S-type pattern diagnosable.

[Figure 4.10: $U_T = U(C(G), U_{s \in K}(G \times H_S(\Sigma, s)))$ where $K = \{ab, dc\}$ and $\Sigma = \{a, b, c, d, e\}$.]

[Figure 4.11: $\mathrm{Obs}(U)$ where $\Sigma_o = \{b, d\}$.]

Consider $U_T = U_{s \in K}(G \times H_T(\Sigma, s))$ defined in Theorem 26. The union FSA is shown in Fig. 4.15. The observer FSA $\mathrm{Obs}(U_T)$ shown in Fig. 4.16 contains a marking-indeterminate cycle, i.e., the cycle formed by $\{9, 10, 5\}$ and $b$. Thus, $L$ is not T-type pattern diagnosable.

[Figure 4.12: G.]

4.5 Case Study: An Implementation of Pattern Diagnosis

We now consider an illustrative example of an implementation of the theory of pattern diagnosis to intrusion detection in networked systems. In [31], the authors develop a tool called BackTracker that builds dependency graphs to identify the sequences of operating-system (OS) level events that led to an intrusion. Then, an administrator may analyze these sequences of events to quickly identify vulnerabilities in the system. However, the dependency graphs generated by BackTracker may contain too many events for an administrator to run a quick analysis. Thus, in [31], the authors apply some filtering rules to reduce the size of the dependency graphs. Our objective is to help the administrator filter the dependency graphs using a set of observable events and analyze the graph for a smaller and relevant set of observable events, or for vulnerabilities in the system to a known or a possible intrusion. That is, the administrator may build a pattern for a known or possible intrusion and verify the diagnosability (of the dependency graph) of the system with respect to the pattern and the set of observable events. Also, the administrator may design a variant of an intrusion by embedding the original intrusion pattern with unobservable events and then verify the diagnosability of the dependency graph with respect to these variants.

[Figure 4.13: $U_S = U_{s \in K}(G \times H_S(\Sigma, s))$ where $K = \{ab, dc\}$ and $\Sigma = \{a, b, c, d\}$.]

[Figure 4.14: $\mathrm{Obs}(U_S)$ for $K = \{ab, dc\}$ where $\Sigma_o = \{b, d\}$.]

[Figure 4.15: $U_T = U_{s \in K}(G \times H_S(\Sigma, s))$ where $K = \{ab, cd\}$ and $\Sigma = \{a, b, c, d\}$.]

[Figure 4.16: $\mathrm{Obs}(U_T)$ for $K = \{ab, cd\}$ where $\Sigma_o = \{b, d\}$.]

Table 4.1: The sample event log.

Time | Log
0 | process A creates process B
1 | process B writes file 1
2 | process B writes file 2
3 | process A reads file 0
4 | process D busy process D
5 | process A creates process D
6 | process C reads file 1
7 | process A creates process C
8 | process C reads file 2
9 | process C writes file X
10 | file X busy file X

Consider the sample event log in Table 4.1. Build the dependency graph in the form of a nondeterministic FSA. The FSA is shown in Fig. 4.17. The event set is $\Sigma = \{busy, create, read, write\}$. Let $L = L(G)$ and let $K = \{read\ write\}$ be the pattern. Then, $U_S = G \times H_S(\Sigma, read\ write)$ is as shown in Fig. 4.18. First, suppose that $\Sigma_{o,1} = \{busy, create\}$. Then, $\mathrm{Obs}(U_S)$ shown in Fig. 4.19 contains a marking-indeterminate cycle. Thus, for $\Sigma_{o,1}$, $L$ is not S-type pattern diagnosable with respect to $K$. Next, suppose that $\Sigma_{o,2} = \{busy, write\}$. $\mathrm{Obs}(U_S)$ shown in Fig. 4.20 does not contain any marking-indeterminate cycles. Thus, for $\Sigma_{o,2}$, $L$ is S-type pattern diagnosable with respect to $K$. In this implementation, we see that different sets of observable events may result in different answers for the diagnosability of a language with respect to a pattern. So, filtering the dependency graph with different sets of events may result in detection of an intrusion in one case but not in another.
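As an added worked example (this is not the thesis's code, nor the UMDES tool of [33]), the following Python block implements the constructions of Section 4.4 ($H_S$, $H_T$, product, union, observer) and the tests of Theorem 19 and Theorem 26, and runs them on the languages (4.13) and (4.14) and on the dependency graph of Table 4.1. Everything beyond the text is an assumption of this example: the automata `G1`, `G2`, `G3` are built directly from the language expressions and the log, so their state numbers are not those of the figures; the union FSA is realized as a determinized disjoint union in which a state is marked iff it contains a marked component state, which gives the language properties required of $U$; observer states are kept closed under unobservable reach; and $H_T$ is implemented as the Knuth-Morris-Pratt automaton (state $q$ is the length of the longest prefix of $s$ that is a suffix of the input read so far), which is how $\mathrm{match}(q)$ in (4.18) is read here. The marking-indeterminate cycle check follows Definition 16: the graph of triples (observer state, marked state, unmarked state) has a cycle exactly when an observer cycle is matched by both a cycle of marked states and a cycle of unmarked states of $U$.

```python
# Added example (not the thesis's or the UMDES tool's code).  An FSA is (sigma, delta, init, marked),
# delta: {(state, event): set(states)}; a nondeterministic G is allowed, as in Section 4.4.
def h_s(sigma, s):
    """H_S(Σ,s) of (4.16): state q = symbols of s matched so far as a subsequence; |s| absorbs."""
    return sigma, {(q, e): {q + 1 if q < len(s) and e == s[q] else q} for q in range(len(s) + 1) for e in sigma}, 0, {len(s)}

def h_t(sigma, s):
    """H_T(Σ,s) of (4.18) as the KMP automaton: q = longest prefix of s that ends the input read so far."""
    n, delta = len(s), {}
    for q in range(n + 1):
        for e in sigma:
            seen = tuple(s[:q]) + (e,)
            delta[(q, e)] = {n if q == n else max(i for i in range(q + 2) if seen[q + 1 - i:] == tuple(s[:i]))}
    return sigma, delta, 0, {n}

def product(g1, g2):
    """G1 x G2 of (4.19): both move on a shared event; a state is marked iff both components are."""
    (s1, d1, i1, f1), (s2, d2, i2, f2) = g1, g2
    sigma, delta, seen, todo = s1 & s2, {}, {(i1, i2)}, [(i1, i2)]
    while todo:
        p, q = todo.pop()
        for e in sigma:
            nxt = {(p2, q2) for p2 in d1.get((p, e), ()) for q2 in d2.get((q, e), ())}
            if nxt:
                delta[((p, q), e)] = nxt
                todo += nxt - seen; seen |= nxt
    return sigma, delta, (i1, i2), {(p, q) for p, q in seen if p in f1 and q in f2}

def union(*autos):
    """U(G1,...,Gm) as a determinized disjoint union, marked iff some component is (assumed form)."""
    sigma, init = set().union(*(a[0] for a in autos)), frozenset((k, a[2]) for k, a in enumerate(autos))
    delta, seen, todo = {}, {init}, [init]
    while todo:
        x = todo.pop()
        for e in sigma:
            y = frozenset((k, n) for k, q in x for n in autos[k][1].get((q, e), ()))
            if y:
                delta[(x, e)] = {y}
                if y not in seen: seen.add(y); todo.append(y)
    return sigma, delta, init, {x for x in seen if any(q in autos[k][3] for k, q in x)}

def unobs_reach(g, x, obs):
    """UR_G(x) of (4.21): x plus everything reachable from x through unobservable events."""
    reach, todo = set(x), list(x)
    while todo:
        q = todo.pop()
        new = {n for e in g[0] - obs for n in g[1].get((q, e), ())} - reach
        reach |= new; todo += new
    return frozenset(reach)

def observer(g, obs):
    """Obs(G) of (4.20)-(4.22); observer states are kept closed under UR (a convention choice)."""
    x0 = unobs_reach(g, {g[2]}, obs); odelta, seen, todo = {}, {x0}, [x0]
    while todo:
        x = todo.pop()
        for e in obs:
            y = {n for q in x for n in g[1].get((q, e), ())}
            if y:
                y = odelta[(x, e)] = unobs_reach(g, y, obs)
                if y not in seen: seen.add(y); todo.append(y)
    return odelta, x0

def has_marking_indeterminate_cycle(u, obs):
    """Definition 16 via the graph of triples (x, q, r), q in x marked and r in x unmarked: it has a cycle
    iff some observer cycle is matched by a marked cycle and by an unmarked cycle of U."""
    odelta, x0 = observer(u, obs); marked = u[3]
    def succ(q, e):  # states reached from q by (unobservable)* e (unobservable)*
        return unobs_reach(u, {n for p in unobs_reach(u, {q}, obs) for n in u[1].get((p, e), ())}, obs)
    nodes = {(x, q, r) for x in {x0, *odelta.values()} for q in x & marked for r in x - marked}
    succs = {(x, q, r): {(y, q2, r2) for (xx, e), y in odelta.items() if xx == x
                         for q2 in succ(q, e) & marked for r2 in succ(r, e) - marked} for x, q, r in nodes}
    while nodes:  # peel off nodes without successors; whatever survives lies on a cycle
        sinks = {v for v in nodes if not succs[v] & nodes}
        if not sinks: return True
        nodes -= sinks
    return False

def s_type_diagnosable(g, obs, pattern):
    """Theorem 19: no marking-indeterminate cycle in Obs(U_{s in K}(G x H_S(Σ,s)))."""
    return not has_marking_indeterminate_cycle(union(*(product(g, h_s(g[0], s)) for s in pattern)), obs)

def t_type_diagnosable(g, obs, pattern):
    """Theorem 26: the same test on U(C(G), U_{s in K}(G x H_T(Σ,s))), C(G) being G with no marked state."""
    c_g = (g[0], g[1], g[2], set())
    return not has_marking_indeterminate_cycle(union(c_g, *(product(g, h_t(g[0], s)) for s in pattern)), obs)

def fsa(sigma, triples, init):
    """FSA from (state, event, state) triples, every state marked (the assumption on G in Section 4.4)."""
    delta = {}
    for p, e, q in triples: delta.setdefault((p, e), set()).add(q)
    return sigma, delta, init, {s for t in triples for s in (t[0], t[2])}

G1 = fsa(set("abcde"), [(0,"a",1),(1,"e",2),(2,"d",3),(3,"b",4),(4,"d",4),(0,"a",5),(5,"d",6),  # from (4.13); the
    (0,"d",7),(7,"e",6),(6,"c",8),(8,"b",8),(0,"d",9),(9,"b",10),(10,"a",11),(11,"c",12),(12,"d",12)], 0)  # states differ from Fig. 4.1
G2 = fsa(set("abcde"), [(0,"d",1),(1,"a",2),(2,"b",3),(3,"b",3),(2,"c",4),(4,"b",5),(5,"d",5),  # from (4.14)
    (0,"e",6),(6,"d",7),(7,"b",8),(8,"d",8),(7,"c",9),(9,"b",9)], 0)
G3 = fsa({"busy","create","read","write"}, [  # dependency graph read off Table 4.1: processes and files are the nodes
    ("file_0","read","process_a"),("process_a","create","process_b"),("process_a","create","process_d"),
    ("process_a","create","process_c"),("process_b","write","file_1"),("process_b","write","file_2"),
    ("file_1","read","process_c"),("file_2","read","process_c"),("process_c","write","file_x"),
    ("process_d","busy","process_d"),("file_x","busy","file_x")], "file_0")
```

Calling `s_type_diagnosable(G1, {"b", "d"}, ["ab", "dc"])` and `s_type_diagnosable(G1, {"b", "d"}, ["ab"])` reproduces the verdicts of Examples 20 and 21 (diagnosable, not diagnosable); `t_type_diagnosable(G2, {"b", "d"}, ["ab", "dc"])` reproduces Example 27; and `s_type_diagnosable(G3, obs, [("read", "write")])` with `obs = {"busy", "create"}` and then `obs = {"busy", "write"}` reproduces the two answers of the case study, which is the point of Section 4.5: the same dependency graph and the same intrusion pattern are diagnosable or not depending on which event types are kept observable. Because $\delta^T$ in (4.18) is total, the products $G \times H_T(\Sigma, s)$ built here generate all of $L$; $C(G)$ is nevertheless included in `t_type_diagnosable` so that the test follows Theorem 26 literally.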

[Figure 4.17: G.]

4.6 Conclusion

We have generalized the notion of diagnosability of single events in prior works to diagnosability of sequences of events in partially-observed discrete-event systems. We have considered two types of pattern diagnosability: S-type and T-type. We have shown that there exist necessary and sufficient conditions for both types of pattern diagnosability. We have developed an implementable test to verify the necessary and sufficient condition for each type of pattern diagnosability. We have also provided the reader with a possible application of the theory to intrusion detection in networked systems.

[Figure 4.18: $U_S$.]

[Figure 4.19: $\mathrm{Obs}(U_S)$ contains a marking-indeterminate cycle.]

[Figure 4.20: $\mathrm{Obs}(U_S)$ does not contain any marking-indeterminate cycles.]

109 CHAPTER V Prediction of Event Occurrences 5.1 Introduction This chapter addresses the problem of predicting occurrences of a significant (e.g., fault) event in a discrete-event system (DES). The system under consideration is modeled by a language over an event set. The event set is partitioned into observable events (e.g., sensor readings, changes in sensor readings) and unobservable events, i.e., the events that are not directly recorded by the sensors attached to the system. The objective is to predict occurrences of a possibly unobservable event in the system behavior, based on the strings of observable events. If it is possible to predict occurrences of an event in the system, then depending on the nature of the event the system operator can be warned and the operator may decide to halt the system or otherwise take preventive measures. To the best of our knowledge, the notion of predictability that is introduced and studied in this chapter is different from prior works on other notions of predictability in [9, 6, 57, 19]. For instance, the prediction problem considered in [9] is related to the properties of a special type of projection between two languages (sets of trajectories); this is is much more general than our objective, which is to predict occurrences of specific events, but our work is not a special case. The state prediction of coupled 97

110 98 automata studied in [6] is formulated as computing the state vector of n identical automata after T steps in the operation of the system; the system structure in this work is different from ours. In our case the interest is on a single automaton and event prediction, not state, under partial observation. The notion of prediction considered in [57] differs from the one in our work in the sense that in [57] predictability of a system is a necessary condition for diagnosability of the system while in our work diagnosability is a necessary condition for predictability. The prediction problem studied in [19] considers issuing a warning when it is likely for a fault to happen in the future evolution of the system; in our work, if the occurrence of an event is predictable in a language, then it is certain that the event will occur. Also, in [19], it is possible that false fault prediction warnings are issued; in our work, no false positives are issued. The problem of prediction studied in this chapter is inspired by the problem of fault diagnosis for DES. The problem of fault diagnosis for DES has received considerable attention in the last decade (see the references in [55]) and diagnosis methodologies based on the use of discrete-event models have been successfully used in a variety of technological systems ranging from document processing systems to intelligent transportation systems. A discrete-event process called diagnoser introduced in [55] is of particular relevance to the present work. Later in the chapter, the diagnoser is used to derive a necessary and sufficient condition for predictability in systems modeled by regular languages. The rest of the chapter is organized as follows. In Section 5.2, the notation and frequently used terms are introduced. In Section 5.3, the predictability of occurrences of an event in a system is defined in the context of formal languages. The predictability property of a language is a stronger condition than the diagnosabil-

111 99 ity of the language as defined in [55]. In Section 5.4, it is shown that in the case of regular languages, there exists a necessary and sufficient condition for predicting occurrences of an event in the language in the form of a test on diagnosers. In Section 5.5, a summary of the results in the chapter is presented, and concluding remarks are given. 5.2 Preliminaries We present in the following the notation and frequently used terms that are not defined in the previous chapters of the thesis. Let Σ be a finite set of events. Given an event σ Σ and a string s Σ, we use the set notation σ s to say that σ appears at least once in s. Let L be a prefix-closed and live language over Σ. Given an event σ Σ and L, Ψ(σ, L) is the set of strings in L that ends with σ. Formally, Ψ(σ, L) = {sσ L : s Σ, σ Σ}. 5.3 Problem Statement In this section, we define the problem of predicting occurrences of an event in a system that is under partial observation. We model the system as a language L over an event set Σ. The event to be predicted may be an unobservable event or an observable one. First, we present an illustrative example to introduce the notion of predictability. Then, we give the formal definition for predictability of the occurrence of an event. We conclude the section by comparing the diagnosability of a language L as defined in [55] to the predictability of L. Roughly speaking, the occurrence of an event in a language is predictable if it is possible to infer about future occurrences of the event based on the observable record of strings that do not contain the event to be predicted. Consider any string

112 100 s in Ψ(σ p, L) where σ p is the event to be predicted. We wish to find a prefix t of s such that t does not contain σ p and all the long-enough continuations in L of the strings with the same projection as t contain σ p. If there is at least one such t, then the occurrence of σ p is predictable in L. Consider the prefix-closed, live language generated by the automaton shown in Fig The language generated is L = aabcpc + abpc + bpac + ac, (5.1) where Σ uo = {a, p} and Σ o = {b, c}. Let p be the event to be predicted. The set of strings that end with p is Ψ(p, L) = {aabcp, abp, bp}. (5.2) In order to show that p is predictable in L, we must find an n N and a t s for all s Ψ(p, L) such that p / t and for all u and its continuations v L/u if u records the same string of observable events as t, i.e., P (t) = P (u), and u does not contain p, i.e. p / u, and v is of length greater than n N, i.e. v n, then v contains p. Let us start with s = aabcp Ψ(p, L). Then t aabc. Suppose that t = aa. Then, P 1 (aa) (Σ \ {p}) L = {ɛ, a, aa}. If u = a, then L/u = abcpc + bpc + c. Since p / c, there is a continuation of u that does not contain p. Then, there exists a string which records the same string of observable events as t and not all of its continuations contain p. Thus, t = aa is a wrong choice to prove the predictability of p. Suppose that t = aab. For all u P 1 (aab) (Σ \ {p}) L = {aab, ab, b} and

for all $v \in L/u$ such that $|v| \ge 2$, $v$ contains $p$. Thus, $t = aab$ is a right choice for $s = aabcp \in \Psi(p, L)$. Similarly, it can be verified that $t = ab$ and $t = b$ work for $s = abp$ and $s = bp$ in $\Psi(p, L)$, respectively.

Figure 5.1: $G$.

Based on the above discussion, we formally define the notion of predictability.

Definition 29. Given $L$ a prefix-closed, live language over $\Sigma$, occurrences of event $\sigma_p \in \Sigma$ are predictable in $L$ with respect to $P$ if

$$(\exists n \in \mathbb{N})(\forall s \in \Psi(\sigma_p, L))(\exists t \le s)\,[(\sigma_p \notin t) \wedge \mathbf{P}]$$

where

$$\mathbf{P} : (\forall u \in L)(\forall v \in L/u)\,[(P(u) = P(t)) \wedge (\sigma_p \notin u) \wedge (|v| \ge n) \Rightarrow (\sigma_p \in v)].$$

Diagnosability vs. Predictability

The predictability of occurrences of an event $\sigma_p$ in a prefix-closed and live language $L$ is stronger than the diagnosability of $L$ with respect to $\sigma_p$. We consider the diagnosability as defined in [55] in the context of formal languages. Roughly speaking, $L$ is diagnosable with respect to $\sigma_p$ if it is possible to detect occurrences of $\sigma_p$ with a finite delay. For the sake of completeness, we recall in Definition 30 the formal definition of diagnosability.

Definition 30. A prefix-closed and live language $L$ is diagnosable with respect to $P$ and $\sigma_p$ if

$$(\exists n \in \mathbb{N})(\forall s \in \Psi(\sigma_p, L))(\forall t \in L/s)\,[|t| \ge n \Rightarrow \mathbf{D}]$$

where

$$\mathbf{D} : \omega \in P^{-1}P(st) \cap L \Rightarrow \sigma_p \in \omega.$$

We now present an illustrative example where a language is diagnosable with respect to an event but the occurrence of the event is not predictable. We consider the language generated by the automaton shown in Fig. 5.2. The language is

$$L = eac^* + abepd^* + abcd^* + aebpdd^*, \quad (5.3)$$

where $\Sigma_o = \{a, b, c, d\}$ and $\Sigma_{uo} = \{e, p\}$. In this case, the occurrence of $p$ is not predictable. Let $s = abep \in \Psi(p, L)$. Then, $t \le abe$. For any $t \le abe$, we always have the string $abcd^n$ where $n \ge 0$, which does not contain $p$. Thus, there does not exist a $t$ so that Definition 29 is satisfied for $p$. However, the occurrence of $p$ (an unobservable event) can be detected with a finite delay. After the observation of $abd$, we are certain that $p$ has occurred at

least once. Thus, $L$ is diagnosable with respect to $\sigma_p$ but the occurrence of $\sigma_p$ is not predictable in $L$.

Figure 5.2: $G$.

The following proposition follows directly from the above definitions.

Proposition 31. Given a prefix-closed and live language $L \subseteq \Sigma^*$, if occurrences of $\sigma_p \in \Sigma$ are predictable in $L$ with respect to $P$, then $L$ is diagnosable with respect to $P$ and $\sigma_p$.

Proof. Pick $s_1 \in \Psi(\sigma_p, L)$. By Definition 29, there exist $n_1 \in \mathbb{N}$ and $z_1 \le s_1$ such that $\sigma_p \notin z_1$ and $\mathbf{P}$ is satisfied. We need to show that for all $t_1 \in L/s_1$, if $|t_1| \ge n$ for some positive integer $n$, then for all $\omega \in P^{-1}P(s_1 t_1) \cap L$, $\omega$ contains $\sigma_p$. Let $s_1 = z_1 z_2$. If $\omega \in P^{-1}P(s_1 t_1) \cap L$, then $\omega \in P^{-1}P(z_1)\,P^{-1}P(z_2 t_1) \cap L$. Choose $n$ such that for all $|t_1| \ge n$, if $\omega \in P^{-1}P(s_1 t_1) \cap L$, $\omega = \omega_1 \omega_2$, and $P(\omega_1) = P(z_1)$,

then $|\omega_2| \ge n_1$. Suppose that there exists $\omega$ such that $\sigma_p \notin \omega$. Then, $\sigma_p \notin \omega_1$ and $\sigma_p \notin \omega_2$. By the condition $\mathbf{P}$ in Definition 29, for all $v \in L/u$, if $P(u) = P(z_1)$, $\sigma_p \notin u$, and $|v| \ge n_1$, then $\sigma_p \in v$. Thus, $\sigma_p \in \omega_2$. This is a contradiction. Thus, there is no $\omega \in P^{-1}P(s_1 t_1) \cap L$ such that $\sigma_p \notin \omega$. This completes the proof.

5.4 Verification of Predictability for Regular Languages

In this section, we consider systems modeled by regular languages. Regular languages are the languages that are accepted (or generated) by Finite State Automata (FSA). An FSA is a four-tuple

$$G = (Q, \Sigma, \delta, q_0) \quad (5.4)$$

where $Q$ is the set of states, $\Sigma$ is the finite set of events, $\delta : Q \times \Sigma \to Q$ is the state transition function and $q_0$ is the initial state. The necessary and sufficient condition (presented later in this section) for predictability is based on a discrete-event process called diagnoser. The diagnoser is an FSA built for the system with respect to a projection $P$ onto the set of observable events and to a given event. Let $G = (Q, \Sigma, \delta, q_0)$ be an FSA that generates language $L$. We denote by $D_G$ the diagnoser built for $G$ and $\sigma_p \in \Sigma$. The diagnoser $D_G$ is of the form

$$D_G = (Q_D, \Sigma_o, \delta_D, q_{D,0}, \sigma_p), \quad (5.5)$$

where $Q_D$ is the set of diagnoser states, $\delta_D : Q_D \times \Sigma_o \to Q_D$ is the diagnoser state transition function, and $q_{D,0} \in Q_D$ is the initial diagnoser state. The diagnoser state space $Q_D$ is a subset of $2^{Q \times \{N, F1\}}$. State $q_D \in Q_D$ is of the form

$$q_D = \{(q_1, l_1), \ldots, (q_n, l_n)\}, \quad (5.6)$$

where $q_i \in Q$ and $l_i \in \{N, F1\}$ for $i = 1, \ldots, n$. In this chapter, a diagnoser state does not contain its unobservable reach, unlike the case in previous chapters. Let $q_D$ and $q'_D$ be two diagnoser states in $Q_D$ such that $q'_D$ is reached from $q_D$ by $\sigma_o \in \Sigma_o$, i.e., $q'_D = \delta_D(q_D, \sigma_o)$ is defined. Let $q_D = \{(q_1, l_1), \ldots, (q_m, l_m)\}$ and $q'_D = \{(q'_1, l'_1), \ldots, (q'_n, l'_n)\}$. For all $i \in \{1, \ldots, n\}$, there exists $j \in \{1, 2, \ldots, m\}$ such that

$$q'_i = \delta(q_j, s), \quad (5.7)$$

where $s = t\sigma_o$ and $t \in \Sigma_{uo}^*$, and

$$l'_i = \begin{cases} F1, & \text{if } l_j = F1 \text{ or } (\sigma_p \in s), \\ N, & \text{if } l_j = N \text{ and } (\sigma_p \notin s). \end{cases} \quad (5.8)$$

We say that a diagnoser state $q_D = \{(q_1, l_1), \ldots, (q_m, l_m)\} \in Q_D$ for $m \in \mathbb{N}$ is normal if $l_j = N$ for all $j = 1, \ldots, m$; certain if $l_j = F1$ for all $j = 1, \ldots, m$; and uncertain if there exist $l_j = N$ and $l_i = F1$ for some $i, j \in \{1, \ldots, m\}$. We denote by $Q_D^N \subseteq Q_D$ the set of diagnoser states that are normal, by $Q_D^U \subseteq Q_D$ the set of diagnoser states that are uncertain, and by $Q_D^C \subseteq Q_D$ the set of diagnoser states that are certain. Consider FSA $G$ in Fig. 5.1. Let $\Sigma_{uo} = \{a, p\}$. The diagnoser¹ for $G$ and $p$ is as shown in Fig. 5.3. The diagnoser state $\{1N, 8N, 3N\}$ is normal, $\{9N, 6F1, 5F1\}$ is uncertain, and $\{10F1, 6F1, 5F1\}$ is certain. We define an accessibility operation on an FSA to find the accessible part of an FSA from a state.

¹ Diagnosers shown in this chapter are built using DESUMA [33].

Definition 32. Let $G = (Q, \Sigma, \delta, q_0)$ and $q \in Q$. The accessible part of $G$ with respect to $q$ is denoted by $Ac(G, q)$ and is

$$Ac(G, q) = (Q_{ac}, \Sigma, \delta_{ac}, q), \quad (5.9)$$

where $Q_{ac} = \{q' \in Q : (\exists s \in \Sigma^*)(\delta(q, s) = q' \text{ is defined})\}$ and $\delta_{ac} = \delta|_{Q_{ac} \times \Sigma \to Q_{ac}}$.

Let $G = (Q, \Sigma, \delta, q_0)$. We say that a set of states $\{q_1, q_2, \ldots, q_n\} \subseteq Q$ and a string $\sigma_1 \sigma_2 \ldots \sigma_n \in \Sigma^*$ form a cycle if $q_{i+1} = \delta(q_i, \sigma_i)$ for $i = 1, 2, \ldots, n-1$ and $q_1 = \delta(q_n, \sigma_n)$. In the rest of this section, we assume the system satisfies the following: if $\{q_1, q_2, \ldots, q_n\} \subseteq Q$ and $\sigma_1 \sigma_2 \ldots \sigma_n \in \Sigma^*$ form a cycle, then there exists at least one observable event $\sigma_j$ in $\{\sigma_1, \ldots, \sigma_n\} \subseteq \Sigma$. That is, $G$ does not contain a cycle in which states are connected with unobservable events only.

Lemma 33 below states that if there is a cycle in $D_G$ that contains a certain diagnoser state, then all the diagnoser states in the cycle are certain (since the $F1$ label propagates). Lemma 34 states that if there is a cycle in $D_G$ that is formed by uncertain or normal states, then there exists a corresponding cycle in $G$ such that all the states in the cycle have normal labels in the cycle in $D_G$.

Lemma 33. Let $G = (Q, \Sigma, \delta, q_0)$ be an FSA that generates $L$ such that $L$ is prefix-closed and live, and let $D_G = (Q_D, \Sigma_o, \delta_D, q_{D,0}, \sigma_p)$ be the diagnoser for $G$ and $\sigma_p$. Suppose $\{q_{D,1}, \ldots, q_{D,n}\} \subseteq Q_D$ and $\sigma_{o,1} \ldots \sigma_{o,n} \in \Sigma_o^*$ form a cycle in $D_G$ where $n \in \mathbb{N}$. If there exists $i \in \{1, 2, \ldots, n\}$ such that $q_{D,i} \in Q_D^C$, then $q_{D,j} \in Q_D^C$ for all $j = 1, 2, \ldots, n$.

Lemma 34. Let $G = (Q, \Sigma, \delta, q_0)$ be an FSA that generates $L$ such that $L$ is prefix-closed and live, and let $D_G = (Q_D, \Sigma_o, \delta_D, q_{D,0}, \sigma_p)$ be the diagnoser for $G$ and $\sigma_p$. Suppose $\{q_{D,1}, \ldots, q_{D,n}\} \subseteq Q_D$ and $\sigma_{o,1} \ldots \sigma_{o,n} \in \Sigma_o^*$ form a cycle in $D_G$ where $n \in \mathbb{N}$ and $q_{D,i}$ is in $Q_D^U$ or $Q_D^N$ for all $i = 1, 2, \ldots, n$. Then, there exists $(q_i, l_i) \in q_{D,i}$ for

$i = 1, 2, \ldots, n$, such that $q_{i+1} = \delta(q_i, s_i)$ for $i = 1, 2, \ldots, n-1$ and $q_1 = \delta(q_n, s_n)$, where $s_i \in \Sigma^*$, $P(s_i) = \sigma_{o,i}$, and $l_i = N$ for $i = 1, 2, \ldots, n$.

Let $F_D$ be the set of normal diagnoser states that possess an immediate successor that is not normal. Formally,

$$F_D = \{x_D \in Q_D^N : \exists\, y_D = \delta_D(x_D, \sigma_o) \text{ such that } \sigma_o \in \Sigma_o \text{ and } y_D \notin Q_D^N\}. \quad (5.10)$$

Lemma 35 states that any uncertain or certain diagnoser state is reached from a diagnoser state in $F_D$.

Lemma 35. Let $G = (Q, \Sigma, \delta, q_0)$ be an FSA that generates $L$ such that $L$ is prefix-closed and live, and let $D_G = (Q_D, \Sigma_o, \delta_D, q_{D,0}, \sigma_p)$ be the diagnoser for $G$ and $\sigma_p$. Let $x_{D,i} = \delta_D(x_{D,i-1}, \sigma_{o,i})$ for $i = 1, 2, \ldots, m$ where $m \in \mathbb{N}$, $x_{D,i}$ is a diagnoser state, $\sigma_{o,i}$ is an observable event for $i = 1, 2, \ldots, m$, and $x_{D,0}$ is the initial diagnoser state. If $x_{D,m}$ is in $Q_D^U$ or $Q_D^C$, then there exists $M \le m$ such that $x_{D,M} \in F_D$.

Proof. [of Lemma 35] The proof is by induction on the sequence of observable events.

Base ($m = 1$): In this case, $x_{D,m} = x_{D,1} \notin Q_D^N$ and $x_{D,1} = \delta_D(x_{D,0}, \sigma_{o,1})$. Since $x_{D,0}$ is the initial diagnoser state, by definition it is normal. If the immediate successor $x_{D,1}$ of $x_{D,0}$ is not a normal diagnoser state, then $x_{D,0} \in F_D$. This completes the proof of the induction base.

Hypothesis ($m = M'$): If $x_{D,M'} \notin Q_D^N$, then there exists $M \le M'$ such that $x_{D,M} \in F_D$.

Step ($m = M'+1$): We need to show that if $x_{D,M'+1} \notin Q_D^N$, then there exists $M \le M'+1$ such that $x_{D,M} \in F_D$. We consider two cases: (i) $x_{D,M'} \in Q_D^N$, and (ii) $x_{D,M'} \notin Q_D^N$. In the first case, if $x_{D,M'} \in Q_D^N$, then $x_{D,M'}$ is in $F_D$ by

definition. For the other case, if $x_{D,M'} \notin Q_D^N$, then by the induction hypothesis there exists $M \le M' < M'+1$ such that $x_{D,M}$ is in $F_D$. This completes the proof of the induction step.

In the following theorem, we state the necessary and sufficient condition for predictability of occurrences of an event. The condition is based on analyzing the cycles in the diagnoser.

Theorem 36. Let $G = (Q, \Sigma, \delta, q_0)$ be an FSA that generates $L$ where $L$ is prefix-closed and live. Let $D_G = (Q_D, \Sigma_o, \delta_D, q_{D,0}, \sigma_p)$ be the diagnoser for $G$ and $\sigma_p$. The occurrences of $\sigma_p$ are predictable in $L$ with respect to $P$ iff for all $q_D \in F_D$, condition $\mathbf{C}$ holds, where

$\mathbf{C}$ : all cycles in $Ac(D_G, q_D)$ are cycles of certain diagnoser states.

Proof. The proof is in two parts.

($\Rightarrow$): We prove that if $\sigma_p$ is predictable in $L$, then for all $q_D \in F_D$ the only cycles in $Ac(D_G, q_D)$ are cycles of certain diagnoser states. The proof is by contradiction. Suppose that there exists $q_D \in F_D$ such that $Ac(D_G, q_D)$ contains a cycle formed by $\{x_{D,1}, \ldots, x_{D,m}\}$ and $\sigma_{o,1} \ldots \sigma_{o,m} \in \Sigma_o^*$ where $x_{D,i} \notin Q_D^C$ for some $i \in \{1, 2, \ldots, m\}$. By Lemma 33, if there exists a diagnoser state $x_{D,i}$ in the cycle such that $x_{D,i}$ is not a certain diagnoser state, then none of the other diagnoser states in the cycle are certain. Thus, $x_{D,i} \notin Q_D^C$ for all $i = 1, 2, \ldots, m$. By Lemma 34, corresponding to the cycle of diagnoser states in the diagnoser, there exists a cycle in $G$ such that each state in that cycle is labeled with $N$ in the cycle in the diagnoser. Suppose that the cycle in $G$ is formed by $\{x_1, \ldots, x_m\}$ and $\omega_1 \ldots \omega_m \in \Sigma^*$, where $(x_i, N) \in x_{D,i}$ and $\omega_i \in \Sigma^*$ is such that $P(\omega_i) = \sigma_{o,i}$ for $i = 1, 2, \ldots, m$.

Let $q_D \in F_D$ be reached from the initial diagnoser state $q_{D,0}$ by $s_o \in \Sigma_o^*$. Since $q_D$ is in $F_D$, there exists $s \in \Psi(\sigma_p, L)$ such that $P(s) = s_o$. We wish to show that for all $t \le s$ such that $\sigma_p \notin t$, the condition $\mathbf{P}$ is violated. In order to prove that $\mathbf{P}$ is violated, we wish to find $u \in L$ and $v \in L/u$ such that $P(u) = P(t)$ and $\sigma_p \notin u$, and such that $v$ can be made longer than any $n \in \mathbb{N}$ while still not containing $\sigma_p$. It is sufficient to prove the theorem by considering a particular $t \le s$. Let $s = s_1 \sigma_p$ where $s_1 \in \Sigma^*$. If the condition $\mathbf{P}$ is violated for $t_1 = s_1$, then it is violated for all $t \le t_1$. This is because if there is a long enough suffix of $t_1$ violating the condition $\mathbf{P}$, then that suffix can be used to prove that there is a long enough suffix of any $t \le t_1$ violating $\mathbf{P}$. Pick a diagnoser state in the cycle. Without loss of generality, pick $x_{D,1}$. Then, we pick the state in the diagnoser state which has label $N$ and is a part of the corresponding cycle in $G$. Let $(x_1, l_1)$ be that state in $x_{D,1}$, with $l_1 = N$. Suppose that $x_{D,1}$ is reached from $q_D$ by executing $s'_o \in \Sigma_o^*$. Then, $x_{D,1} = \delta_D(q_{D,0}, s_o s'_o)$. Since $x_1$ is in the corresponding cycle in $G$, $x_1 = \delta(x_1, (\omega_1 \ldots \omega_m)^k)$ for $k \in \mathbb{N}$ and $k \ge n$. Let $u \in L$ and $u' \in L/u$ be such that $x_1 = \delta(q_0, uu')$ and $P(u) = s_o = P(t_1)$. Then, $x_1 = \delta(q_0, uu'(\omega_1 \ldots \omega_m)^k)$. Let $v = u'(\omega_1 \ldots \omega_m)^k$. Since $x_1$ has a normal label, neither $u$ nor $u'$ contains $\sigma_p$. Also, by Lemma 34, for $i = 1, \ldots, m$, $\omega_i \in \Sigma^*$ does not contain $\sigma_p$. Thus, $v$ does not contain $\sigma_p$. This violates the condition $\mathbf{P}$ in the definition of predictability. Thus, there is a contradiction. This completes one part of the proof.

($\Leftarrow$): We prove that if for all $q_D \in F_D$ the only cycles in $Ac(D_G, q_D)$ are cycles of certain diagnoser states, then $\sigma_p$ is predictable in $L$. Pick any $s \in \Psi(\sigma_p, L)$. Let $q = \delta(q_0, s) \in Q$. Then, pick any $s_{uo}\sigma_o \in L/s$ such that $s_{uo} \in \Sigma_{uo}^*$ and $\sigma_o \in \Sigma_o$. Let $y = \delta(q, s_{uo}\sigma_o) \in Q$. Suppose that $P(s) = s_o \in \Sigma_o^*$.

Then, let $x_D = \delta_D(q_{D,0}, s_o)$ and $y_D = \delta_D(x_D, \sigma_o)$ in $Q_D$. Then, there exists $(y, l_y) \in y_D$ where $l_y = F1$. Thus, $y_D \in Q_D^U \cup Q_D^C$. We now consider the following two cases: (i) $x_D \in Q_D^N$, thus $x_D \in F_D$, and (ii) $x_D \in Q_D^U \cup Q_D^C$.

Case (i). Since $x_D \in Q_D^N$ and $y_D \notin Q_D^N$, $x_D \in F_D$. We choose $t = s$. For all $u$ such that $P(u) = P(t)$, $P(u) = s_o$. Since the only cycles in $Ac(D_G, x_D)$ are cycles of certain states, for all $v \in L/u$, $v$ contains $\sigma_p$.

Case (ii). If $x_D \in Q_D^U \cup Q_D^C$, i.e., $x_D$ is not normal, then we wish to find a normal diagnoser state in $F_D$ from which $x_D$ is reached. By Lemma 35, there exists a diagnoser state $w_D$ reachable from the initial diagnoser state such that $x_D$ is accessible from $w_D$ and $w_D$ is in $F_D$. Then, since $F_D$ consists of normal diagnoser states, $w_D$ is in $Q_D^N$. Thus, the proof of Case (ii) reduces to Case (i) in which we substitute $w_D \in Q_D^N$ for $x_D \in Q_D^N$. This completes the second part of the proof.

Consider the FSA in Fig. 5.1 and the corresponding diagnoser in Fig. 5.7 where $\Sigma_{uo} = \{a, p\}$ and $\Sigma_o = \{b, c\}$, and $F_D = \{\{1N, 8N, 3N\}\}$. The accessible FSA from $\{1N, 8N, 3N\}$ contains only one cycle, formed by $\{10F1, 6F1, 5F1\}$, which is a certain diagnoser state. Thus, the occurrence of $p$ is predictable. If we consider the FSA in Fig. 5.2 and the corresponding diagnoser in Fig. 5.8 where $\Sigma_o = \{a, b, c, d\}$ and $\Sigma_{uo} = \{e, p\}$, then $F_D = \{\{6N, 3N\}\}$. The accessible FSA from $\{6N, 3N\}$ contains two cycles, one of which contains a normal diagnoser state. Here, the occurrence of $p$ is not predictable.

Figure 5.3: $D_G$.

Figure 5.4: $D_G$.

We now show that it is sufficient to test condition $\mathbf{C}$ in Theorem 36 on certain subsets of $F_D$ to guarantee that this condition holds for all states in $F_D$.

Corollary 37. Let $x_D, y_D \in F_D$ be such that $y_D = \delta_D(x_D, s_o)$ is defined for some $s_o \in \Sigma_o^*$. Then, condition $\mathbf{C}$ holds for all $q_D \in F_D$ iff $\mathbf{C}$ holds for all $q_D \in F_D \setminus \{y_D\}$.

Proof. ($\Rightarrow$) Clearly, if condition $\mathbf{C}$ holds for all $q_D \in F_D$, then $\mathbf{C}$ holds for all $q_D \in F_D \setminus \{y_D\}$. ($\Leftarrow$) We show that if $\mathbf{C}$ holds for all $q_D \in F_D \setminus \{y_D\}$, then condition $\mathbf{C}$ holds for all $q_D \in F_D$. Since $x_D \in F_D \setminus \{y_D\}$, $\mathbf{C}$ holds for $x_D$. Thus, $Ac(D_G, x_D)$ contains only cycles of certain diagnoser states. Since $y_D$ is reachable from $x_D$ by

$s_o \in \Sigma_o^*$, any cycle in $Ac(D_G, y_D)$ is also a cycle in $Ac(D_G, x_D)$. Thus, all cycles in $Ac(D_G, y_D)$ are cycles of certain diagnoser states. Thus, $\mathbf{C}$ holds for $y_D$. This completes the proof.

In view of Corollary 37, let us call a subset of $F_D$ C-sufficient if testing condition $\mathbf{C}$ in Theorem 36 on this subset is sufficient to guarantee that $\mathbf{C}$ holds for all $q_D \in F_D$. Denote by $S_{F_D}$ the set of all C-sufficient subsets of $F_D$. Let $Min(S_{F_D})$ denote all subsets of $F_D$ in $S_{F_D}$ that have minimum cardinality.

Proposition 38. $Min(S_{F_D})$ is not a singleton in general.

Proof. The proof of Proposition 38 is by a counterexample. We find an example where $Min(S_{F_D})$ is not a singleton. Let $F_D = \{x_D, y_D\}$ be such that $y_D = \delta_D(x_D, s_o)$ and $x_D = \delta_D(y_D, t_o)$ are defined for some $s_o, t_o \in \Sigma_o^*$. Suppose that condition $\mathbf{C}$ holds for both $x_D$ and $y_D$ in $F_D$. Then, by Corollary 37, $\mathbf{C}$ holds for both $F_D \setminus \{x_D\} = \{y_D\}$ and $F_D \setminus \{y_D\} = \{x_D\}$, and both sets have cardinality 1. Thus, $\{y_D\}, \{x_D\} \in Min(S_{F_D})$. This completes the proof.

Define a relation $\sim$ between $x_D$ and $y_D$ in $F_D$ as follows: $x_D \sim y_D \Leftrightarrow \exists\, s_o, t_o \in \Sigma_o^*$ such that $y_D = \delta_D(x_D, s_o)$ and $x_D = \delta_D(y_D, t_o)$. That is, two states in $F_D$ are related if both of them appear in a cycle in the diagnoser. We now assume that for all $q_D \in F_D$, $q_D = \delta_D(q_D, \epsilon)$ is defined for an event $\epsilon \notin \Sigma_o$ where $\epsilon$ is the empty symbol. We need this assumption to make the relation $\sim$ reflexive.

Proposition 39. The relation $\sim$ is an equivalence relation.

Proof. We show that the relation $\sim$ is reflexive, symmetric and transitive. By assumption, for all $q_D \in F_D$, $q_D = \delta_D(q_D, \epsilon)$ is defined. Then, $q_D \sim q_D$, and thus $\sim$ is reflexive. By definition of the relation, $x_D \sim y_D$ iff $y_D \sim x_D$ where $x_D,$

$y_D \in F_D$. Thus, $\sim$ is symmetric. Let $x_D \sim y_D$ and $y_D \sim z_D$ where $x_D, y_D, z_D \in F_D$. We now show that $x_D \sim z_D$. By definition of the relation, there exist $s_o, t_o \in \Sigma_o^*$ such that $y_D = \delta_D(x_D, s_o)$ and $x_D = \delta_D(y_D, t_o)$. Also, there exist $s'_o, t'_o \in \Sigma_o^*$ such that $z_D = \delta_D(y_D, s'_o)$ and $y_D = \delta_D(z_D, t'_o)$. Then, $z_D = \delta_D(x_D, s_o s'_o)$ and $x_D = \delta_D(z_D, t'_o t_o)$. Thus, $x_D \sim z_D$. Then, $\sim$ is transitive.

We now work on the equivalence classes (induced by $\sim$) in $F_D$ instead of the states in $F_D$. Let $E_D$ be the set of equivalence classes of $F_D$ for the relation $\sim$. Depicted in Fig. 5.5 is an illustration of the equivalence classes of $F_D$: $x_{D,1} \sim x_{D,2}$, $y_{D,1} \sim y_{D,2}$, $x_{D,1}, x_{D,2} \in \bar{x}_D$, $y_{D,1}, y_{D,2} \in \bar{y}_D$, and $\bar{x}_D, \bar{y}_D \in E_D$.

Figure 5.5: The equivalence classes induced by $\sim$ in $F_D$.

Denote by $S_{E_D}$ the set of all C-sufficient subsets of $E_D$. If $S_1$ is a C-sufficient subset in $S_{E_D}$, then $S_1 \in S_{E_D}$ and, by Corollary 37, for all $\bar{y}_D \in E_D \setminus S_1$, there exists an $\bar{x}_D \in S_1$ such that $y_D = \delta_D(x_D, s_o)$ for some $s_o \in \Sigma_o^*$, where $x_D, y_D \in F_D$, $x_D \in \bar{x}_D$, and $y_D \in \bar{y}_D$. Let $Min(S_{E_D})$ denote all sets in $S_{E_D}$ that have minimum cardinality. Theorem 41 states that there is only one C-sufficient subset of $E_D$ with the minimum cardinality.

Corollary 40. Let $S_1 \in Min(S_{E_D})$. For all $\bar{x}_D, \bar{y}_D \in S_1$, for all $x_D \in \bar{x}_D$ and $y_D \in \bar{y}_D$, there do not exist $s_o, t_o \in \Sigma_o^*$ such that $y_D = \delta_D(x_D, s_o)$ or $x_D = \delta_D(y_D, t_o)$ is defined.

Proof. The proof is by contradiction. Suppose that there exists $s_o \in \Sigma_o^*$ such

that $y_D = \delta_D(x_D, s_o)$. Then, by Corollary 37, $\mathbf{C}$ holds for all $q_D \in S_1 \setminus \{\bar{y}_D\}$. This is a contradiction because then $S_1$ is not of minimum cardinality.

Theorem 41. $Min(S_{E_D})$ is a singleton.

Proof. The proof is by contradiction. Let $S_1, S_2 \in Min(S_{E_D})$ where $S_1 \ne S_2$. By definition of $Min(S_{E_D})$, $|S_1| = |S_2|$. Let $\bar{x}_D \in S_1 \setminus S_2$ and $\bar{y}_D \in S_2 \setminus S_1$. Since $\bar{x}_D \in E_D$ and $\bar{x}_D \notin S_2$, there exists $\bar{z}_D \in S_2$ such that there exist $x_D \in \bar{x}_D$ and $z_D \in \bar{z}_D$ with $x_D = \delta_D(z_D, s_o)$ for some $s_o \in \Sigma_o^*$. Similarly, since $\bar{z}_D \in E_D$ and $\bar{z}_D \notin S_1$, there exists $\bar{y}_D \in S_1$ such that there exists $y_D \in \bar{y}_D$ with $z_D = \delta_D(y_D, t_o)$ defined for some $t_o \in \Sigma_o^*$. Then, $x_D = \delta_D(y_D, t_o s_o)$. Since $S_1 \in Min(S_{E_D})$, $\bar{x}_D = \bar{y}_D$. Thus, $\bar{x}_D \sim \bar{z}_D$. This is a contradiction.

We have developed an algorithm for finding this unique element in $Min(S_{E_D})$. In view of Corollary 37 and Theorem 41, the necessary and sufficient condition for predictability in Theorem 36 becomes: condition $\mathbf{C}$ holds for all $q_D \in Min(S_{E_D})$. In general, $|Min(S_{E_D})| \le |F_D|$, thus resulting in computational savings once $Min(S_{E_D})$ has been computed.

Verifier Approach

In this section, we define another discrete-event process called verifier. We present a necessary and sufficient condition for predictability based on the verifier. The use of verifiers to test for predictability is computationally efficient: the complexity of the test based on verifiers is polynomial-time, whereas the complexity of the test based on diagnosers is exponential-time in the worst case. The verifier was first defined in [64], where the authors use verifiers to test for diagnosability. The verifier is a nondeterministic FSA built for the system with respect to a projection $P$ onto the set of observable events, $\Sigma_o$, and a set of fault

events (in our case, the event to be predicted, $\sigma_p$). Let $G = (Q, \Sigma, \delta, q_0)$ be an FSA that generates language $L$. We denote by $V_G$ the verifier built for $G$ and $\sigma_p$. The verifier $V_G$ is of the form

$$V_G = (Q_V, \Sigma, \delta_V, q_{V,0}, \sigma_p), \quad (5.11)$$

where $Q_V$ is the set of verifier states, $\delta_V$ is the verifier state transition relation, and $q_{V,0}$ is the initial verifier state. Verifier state $q_V \in Q_V$ is of the form

$$q_V = [(q_1, l_1), (q_2, l_2)], \quad (5.12)$$

where $q_i \in Q$ and $l_i \in \{N, F1\}$ for $i = 1, 2$. The verifier state space $Q_V$ is a subset of $Q \times \{N, F1\} \times Q \times \{N, F1\}$. Let $q_V = [(q_1, l_1), (q_2, l_2)] \in Q_V$. The state transition relation $\delta_V(q_V, \sigma)$ is defined for some $\sigma \in \Sigma$ if $\delta(q_1, \sigma)$ or $\delta(q_2, \sigma)$ is defined. Suppose that $\delta_V(q_V, \sigma)$ is defined for some $\sigma \in \Sigma$. Since $\delta_V$ is a relation, $\delta_V(q_V, \sigma)$ is a set of verifier states, and is defined as follows. If $\sigma \in \Sigma_{uo}$, then

$$\delta_V([(q_1, l_1), (q_2, l_2)], \sigma) = \{[(\delta(q_1, \sigma), l'_1), (q_2, l_2)],\ [(q_1, l_1), (\delta(q_2, \sigma), l'_2)],\ [(\delta(q_1, \sigma), l'_1), (\delta(q_2, \sigma), l'_2)]\}, \quad (5.13)$$

and if $\sigma \in \Sigma_o$, then

$$\delta_V([(q_1, l_1), (q_2, l_2)], \sigma) = [(\delta(q_1, \sigma), l'_1), (\delta(q_2, \sigma), l'_2)], \quad (5.14)$$

where if $\sigma = \sigma_p$, then $l'_1 = l'_2 = F1$; otherwise $l'_1 = l_1$ and $l'_2 = l_2$.

Lemma 42. Let $G = (Q, \Sigma, \delta, q_0)$ be an FSA that generates $L$, let $s = u_s \sigma_o$ and $t = u_t \sigma_o$ in $L$ be such that $q_s = \delta(q_0, s)$ and $q_t = \delta(q_0, t)$, where $u_s, u_t \in \Sigma_{uo}^*$ and $\sigma_o \in \Sigma_o$, and let $V_G = (Q_V, \Sigma, \delta_V, q_{V,0}, \sigma_p)$ be the verifier for $G$ and $\sigma_p$. Then, there

exists $q_V \in Q_V$ such that $q_V \in \delta_V(q_{V,0}, u_s u_t \sigma_o)$ is defined and $q_V = [(q_s, l_s), (q_t, l_t)]$, where $l_s, l_t \in \{N, F1\}$.

Proof. By definition, $q_{V,0} = [(q_0, N), (q_0, N)]$. Let $q_{u_s} = \delta(q_0, u_s) \in Q$. Since $u_s$ is feasible from $q_0$, it is also feasible from $q_{V,0}$. Thus, there exists $q_{V,s} = [(q_{u_s}, l_{u_s}), (q_0, N)] \in Q_V$ where $l_{u_s} \in \{N, F1\}$. Let $q_{u_t} = \delta(q_0, u_t) \in Q$. Since $u_t$ is feasible from $q_0$, it is also feasible from $q_{V,s}$. Thus, $q'_{V,s} = [(q_{u_s}, l_{u_s}), (q_{u_t}, l_{u_t})] \in Q_V$ where $l_{u_t} \in \{N, F1\}$. Since the observable event $\sigma_o$ is feasible from both $q_{u_s}$ and $q_{u_t}$, by definition of the verifier transition relation there exists $q_V = [(q_s, l_s), (q_t, l_t)]$, where $l_s, l_t \in \{N, F1\}$. This completes the proof.

Theorem 43. Let $G = (Q, \Sigma, \delta, q_0)$ be an FSA that generates $L$, let $s, t \in L$ be such that $q_s = \delta(q_0, s)$ and $q_t = \delta(q_0, t)$ are defined and $P(s) = P(t)$, and let $V_G = (Q_V, \Sigma, \delta_V, q_{V,0}, \sigma_p)$ be the verifier for $G$ and $\sigma_p$. Then, there exists $q_V \in Q_V$ such that

$$q_V = [(q_s, l_s), (q_t, l_t)], \quad (5.15)$$

for $l_s, l_t \in \{N, F1\}$.

The proof of Theorem 43 follows from Lemma 42 and is an induction on the sequence of observable events. The proof is omitted.

We say that a verifier state $q_V = [(q_1, l_1), (q_2, l_2)]$ is normal if $l_1 = l_2 = N$, certain if $l_1 = l_2 = F1$, and uncertain if $l_1 = F1$ and $l_2 = N$ or vice versa. We denote by $Q_V^N$ the set of verifier states that are normal, by $Q_V^C$ the set of states that are certain, and by $Q_V^U$ the set of states that are uncertain.

Lemma 44. Let $G = (Q, \Sigma, \delta, q_0)$ be an FSA that generates $L$ such that $L$ is prefix-closed and live, and let $V_G = (Q_V, \Sigma, \delta_V, q_{V,0}, \sigma_p)$ be the verifier for $G$ and $\sigma_p$. Suppose

$\{q_{V,1}, \ldots, q_{V,n}\} \subseteq Q_V$ and $\sigma_1 \ldots \sigma_n \in \Sigma^*$ form a cycle in $V_G$ where $n \in \mathbb{N}$. If there exists $i \in \{1, 2, \ldots, n\}$ such that $q_{V,i} \in Q_V^C$, then $q_{V,j} \in Q_V^C$ for all $j = 1, 2, \ldots, n$.

Let $F_V$ be the set of normal verifier states defined as follows:

$$F_V = \{x_V \in Q_V^N : \delta_V(x_V, s_{uo}\sigma_p) \text{ is defined for some } s_{uo} \in \Sigma_{uo}^* \text{ with } \sigma_p \notin s_{uo}\}. \quad (5.16)$$

Intuitively, both $F_D$ and $F_V$ serve the same purpose, i.e., they draw the boundary at which normal states switch to uncertain or certain states. However, due to the structure of the verifier, the formal definitions differ. The set $F_V$ contains the verifier states that have an unobservable reach such that an immediate successor of that reach is an uncertain or certain verifier state and the string of unobservable events does not contain the event to be predicted.

Lemma 45. Let $G = (Q, \Sigma, \delta, q_0)$ be an FSA that generates $L$ such that $L$ is prefix-closed and live, and let $V_G = (Q_V, \Sigma, \delta_V, q_{V,0}, \sigma_p)$ be the verifier for $G$ and $\sigma_p$. Let $x_{V,i} = \delta_V(x_{V,i-1}, \sigma_{o,i})$ for $i = 1, 2, \ldots, m$ where $m \in \mathbb{N}$, $x_{V,i}$ is a verifier state, $\sigma_{o,i}$ is an observable event for $i = 1, 2, \ldots, m$, and $x_{V,0}$ is the initial verifier state. If $x_{V,m}$ is in $Q_V^U$ or $Q_V^C$, then there exists $M \le m$ such that $x_{V,M} \in F_V$.

The proof of Lemma 45 is similar to the proof of Lemma 35 and is omitted here.

In the following theorem, we state the necessary and sufficient condition for predictability of occurrences of an event. The condition is based on analyzing the cycles in the verifier instead of the diagnoser, and it provides a more efficient test for predictability.

Theorem 46. Let $G = (Q, \Sigma, \delta, q_0)$ be an FSA that generates $L$ where $L$ is prefix-closed and live. Let $V_G = (Q_V, \Sigma, \delta_V, q_{V,0}, \sigma_p)$ be the verifier for $G$ and $\sigma_p$. The

occurrences of $\sigma_p$ are predictable in $L$ with respect to $P$ iff for all $q_V \in F_V$, condition $\mathbf{C}_V$ holds, where

$\mathbf{C}_V$ : all cycles in $Ac(V_G, q_V)$ are cycles of certain verifier states.

Proof. The proof is in two parts.

($\Rightarrow$): We prove that if $\sigma_p$ is predictable in $L$, then for all $q_V \in F_V$ the only cycles in $Ac(V_G, q_V)$ are cycles of certain verifier states. The proof is by contradiction. Suppose that there exists $q_V \in F_V$ such that $Ac(V_G, q_V)$ contains a cycle formed by $\{x_{V,1}, \ldots, x_{V,m}\}$ and $\sigma_1 \ldots \sigma_m \in \Sigma^*$ where $x_{V,i} \notin Q_V^C$ for some $i \in \{1, 2, \ldots, m\}$. Let $q_V = [(q_1, N), (q_2, N)] \in \delta_V(q_{V,0}, \omega_1)$ where $q_1, q_2 \in Q$ and $\omega_1 \in \Sigma^*$. Since $q_V \in F_V$, there exist $y_V = [(y_1, N), (y_2, N)]$ and $z_V = [(z_1, l_{z_1}), (z_2, l_{z_2})]$ as shown in Fig. 5.6, where $y_1, y_2, z_1, z_2 \in Q$, $s_{uo} \in \Sigma^*$ and $\sigma_p \notin s_{uo}$.

Figure 5.6: The verifier states.

There exists $s \in \Psi(\sigma_p, L)$ such that $P(s) = P(\omega_1 s_{uo} \sigma_p)$. We wish to show that for all $t \le s$ such that $\sigma_p \notin t$, the condition $\mathbf{P}$ is violated. Let $s = s_1 \sigma_p$ where $s_1 \in \Sigma^*$. If the condition $\mathbf{P}$ is violated for $t_1 = s_1$, then it is violated for all $t \le t_1$. Thus, hereafter, we consider the case of $t_1$ only. We pick without loss of generality $x_{V,1}$ in the cycle. Let $x_{V,1} = [(x_1, N), (x_2, l_{x_2})]$ where $x_1, x_2 \in Q$ and $l_{x_2} \in \{N, F1\}$, and let $x_{V,1} \in \delta_V(q_V, \omega_2)$.

There exist $u \in L$ and $u' \in L/u$ such that $P(\omega_1) = P(u)$ and $x_1 = \delta(q_0, uu')$. Since $x_1$ has a normal label in $x_{V,1}$, neither $u$ nor $u'$ contains $\sigma_p$. Also, since $P(\omega_1) = P(\omega_1 s_{uo}) = P(s_1) = P(t_1)$, $P(u) = P(t_1)$. If there is a cycle formed by $\{x_{V,1}, \ldots, x_{V,m}\}$ and $\sigma_1 \ldots \sigma_m \in \Sigma^*$, then there is a corresponding cycle in $G$ formed by the normal states in $x_{V,i}$ for $i = 1, \ldots, m$ and a subsequence $\sigma'_1 \ldots \sigma'_{m'} \in \Sigma^*$ where $m' \le m$ is a positive integer. Thus, $x_1 = \delta(q_0, uu'(\sigma'_1 \ldots \sigma'_{m'})^k)$ for some integer $k \ge n$, and $u'(\sigma'_1 \ldots \sigma'_{m'})^k$ does not contain $\sigma_p$. Pick $v = u'(\sigma'_1 \ldots \sigma'_{m'})^k \in L/u$. By the above discussion, neither $u$ nor $v$ contains $\sigma_p$. Thus, there exist $u$ and $v \in L/u$ such that $P(u) = P(t_1)$, $\sigma_p \notin u$, $|v| \ge n$ and $\sigma_p \notin v$. This is a violation of the condition $\mathbf{P}$. Thus, $\sigma_p$ is not predictable in $L$. This is a contradiction. This completes the first part of the proof.

($\Leftarrow$): We prove that if for all $q_V \in F_V$ the only cycles in $Ac(V_G, q_V)$ are cycles of certain verifier states, then $\sigma_p$ is predictable in $L$. Pick any $s \in \Psi(\sigma_p, L)$. By definition, $s = s_1 \sigma_p$ for $s_1 \in \Sigma^*$. Let $x = \delta(q_0, s_1)$ and $y = \delta(x, \sigma_p)$. Then, there exist $x_V = [(x, N), (x', l_{x'})]$ and $y_V = [(y, F1), (y', l_{y'})]$ in $Q_V$ with $y_V \in \delta_V(x_V, \sigma_p)$, where $x', y' \in Q$ and $l_{x'}, l_{y'} \in \{N, F1\}$. The verifier state $x_V$ is either normal or uncertain. Also, $y_V$ is either uncertain or certain. We now consider the following two cases: (i) $x_V \in Q_V^N$, thus $x_V \in F_V$, and (ii) $x_V \in Q_V^U$.

Case (i). Since $x_V \in Q_V^N$ and $y_V \notin Q_V^N$, $x_V \in F_V$. We choose $t = s_1$. For all $u$ such that $P(u) = P(t) = P(s_1)$ and $\sigma_p \notin u$, by Theorem 43 there exists a verifier state of the form $q_V = [(x, N), (\delta(q_0, u), N)]$. We wish to show that $q_V \in F_V$: then the only cycles in $Ac(V_G, q_V)$ are cycles of certain states, so for all such $u$ and all $v \in L/u$, $v$ contains $\sigma_p$, and hence $\sigma_p$ is predictable. We now consider the two cases $\sigma_p \in \Sigma_{uo}$ and $\sigma_p \in \Sigma_o$. If $\sigma_p \in \Sigma_{uo}$, then $[(y, F1), (\delta(q_0, u), N)] \in \delta_V(q_V, \sigma_p)$.

Thus, $q_V \in F_V$. If $\sigma_p \in \Sigma_o$, then $[(y, F1), (\delta(\delta(q_0, u), \sigma_p), F1)] \in \delta_V(q_V, \sigma_p)$. Thus, $q_V \in F_V$. This completes the proof of Case (i).

Case (ii). If $x_V \in Q_V^U$, i.e., $x_V$ is not normal, then we wish to find a normal verifier state in $F_V$ from which $x_V$ is reached. By Lemma 45, there exists a verifier state $w_V$ reachable from the initial verifier state such that $x_V$ is accessible from $w_V$ and $w_V$ is in $F_V$. Then, since $F_V$ consists of normal verifier states, $w_V$ is in $Q_V^N$. Thus, the proof of Case (ii) reduces to Case (i) in which we substitute $w_V \in Q_V^N$ for $x_V \in Q_V^N$. This completes the second part of the proof.

Consider the FSA in Fig. 5.1 and the corresponding verifier in Fig. 5.7 where $\Sigma_{uo} = \{a, p\}$ and $\Sigma_o = \{b, c\}$, and $F_V = \{[1N, 1N], [3N, 1N], [8N, 3N], [8N, 1N], [9N, 9N]\}$. Each accessible FSA from the verifier states in $F_V$ contains only cycles of certain verifier states. Thus, the occurrence of $p$ is predictable. If we consider the FSA in Fig. 5.2 and the corresponding verifier in Fig. 5.8 where $\Sigma_o = \{a, b, c, d\}$ and $\Sigma_{uo} = \{e, p\}$, then $F_V = \{[6N, 6N], [7N, 6N], [3N, 6N], [3N, 7N], [3N, 3N]\}$. The accessible FSA from $[6N, 6N]$ contains a cycle which contains a normal verifier state. Thus, the occurrence of $p$ is not predictable.

Figure 5.7: $D_G$.

Figure 5.8: $D_G$.

5.5 Conclusion

We have defined the new property of predictability of the occurrence of a significant event (e.g., fault) based on the current record of observable events. We have shown a necessary and sufficient condition for predictability in the case of systems modeled by regular languages. We have presented a test to verify the predictability property based on diagnosers. An alternate test of polynomial-time complexity (in the number of system states) is presented. The study of predictability is inspired and motivated by the study of fault diagnosis. Our long term goal is to form an integrated theory of diagnosis and prediction in the framework of formal languages.

CHAPTER VI

Conclusion

Monolithic and distributed on-line fault detection and isolation of modular dynamic systems modeled as sets of partially-observed place-bordered Petri nets were considered. Algorithms for on-line monitoring and diagnosis of monolithic and modular systems modeled as a set of place-bordered Petri nets were presented. The distributed algorithms exploit the modular nature of the system to avoid the combinatorial explosion of the state space, but they require communication among modules on the occurrence of events that affect common places. Many issues remain to be investigated, among them further improvements to reduce the communication overhead and deal with communication delays, proper partitioning of a system into modules in order to enhance the performance of DDC-M, and performance analysis of DDC-M on comprehensive examples using our software tool.

We have generalized the notion of diagnosability of single events in prior works to diagnosability of sequences of events in partially-observed discrete-event systems. We have considered two types of pattern diagnosability: S-type and T-type. We have shown that there exist necessary and sufficient conditions for both types of pattern diagnosability. We have developed an implementable test to verify the necessary and sufficient condition for each type of pattern diagnosability. We have also provided the

reader with a possible application of the theory to intrusion detection in networked systems. One of our future goals is to work on experimental data of intrusions and to investigate extensions of the theory based on the experimental results and on the structure and nature of the system and the intrusions.

We have defined the new property of predictability of the occurrence of a significant event (e.g., a fault) based on the current record of observable events. We have shown a necessary and sufficient condition for predictability in the case of a system modeled by regular languages. We have presented an exponential-time test to verify the predictability property; we have also developed a polynomial-time test. The study of predictability is inspired and motivated by the study of fault diagnosis. Our future goals in the study of predictability include extending the definition of predictability to stochastic DES and developing distributed algorithms to analyze predictability of event occurrences in monolithic or modular DES. Our long term goal is to form an integrated theory of diagnosis and prediction in the framework of formal languages.

APPENDICES

APPENDIX A

Software Implementations

We developed a software implementation of DDC-M and of the merge operation (the software has not been made publicly available yet). The software interacts with GraphViz, developed by AT&T, to visualize the labeled Petri nets, the diagnoser states (including the state, fault and message information) and the dynamics of the Petri nets and the algorithms (whether communications occur among modules, which module communicates with which module, the list of events enabled from the diagnoser states, etc.). The Petri nets can be loaded into the toolbox using the visual components of the graphical interface or from user-created files. The software is capable of partitioning a given Petri net into a set of place-bordered Petri nets or of composing several Petri nets with a controller.

We use one of Matlab's data types, structures with fields (named data containers), to model labeled Petri nets. That is because each field in a structure can hold any kind of data, and a labeled Petri net is composed of dissimilar kinds of data such as places, transitions, forward and backward incidence matrices that define the arc relations and the weight function, the transition labeling function, etc. We also make use of Matlab's cell arrays, which are composed of elements called cells; similar to the fields of a structure, cells can hold any kind of data. One cell of

a cell array may contain an array of text characters, another a matrix of integers. In constructing the data structures for Petri nets, we use cell arrays to model the event set of a labeled Petri net, which contains strings modeled as arrays of characters of different lengths. The software also exploits Matlab's matrix manipulation functions and search algorithms for matrices in order to efficiently implement the for-loops in DDC-M.

A.1 Graph: How to load a Petri net?

This section explains how the system to be diagnosed is created using the toolbox or otherwise loaded into the toolbox. There are two ways to create/load a Petri net.

Figure A.1: The toolbox outline.

A.1.1 Quick Load

Users can load a Petri net from a set of files (see Table A.1). The files listed in Table A.1 must all be saved under the very same base name to use the quick load option (e.g., robot.pnm, robot.pnp, robot.tlb, ...). To use the quick load option, go to the toolbar (see Figure A.2) of the Diagnoser Toolbox and select Quick Load from the Graph menu. A window then pops up. In

this window the user enters:

1. The directory in which the set of files for the Petri net are located,
2. The name of the set of files (without the extension of the different file types).

Table A.1: File types.

File Type   Comment
*.pnm       Incidence matrix (removing tokens from places): D-
*.pnp       Incidence matrix (putting tokens into places): D+
*.plb       Place labels
*.tlb       Transition labels (event set)
*.is        Initial state
*.md        Event set partition of modules
*.obs       Observable events
*.ft        Fault partition

Figure A.2: How to quick load a Petri net?

A.1.2 Create

Users can create a Petri net and the partitions necessary to run the diagnoser algorithms. To use this menu, go to the toolbar of the Diagnoser Toolbox and select the Create

section of the Graph menu (see Figure A.3). In the rest of this section we explain each item in the Create menu.

Figure A.3: How to create a Petri net and partitions?

Settings

The user assigns the number of places and transitions used by the other menus (see Figure A.4).

Incidence Matrix: D-

The incidence matrix D- (Incidence:D- menu) shows how many tokens each transition removes from each place of the Petri net (see Figure A.5). All the entries are positive. The user can input the entries into the boxes and click OK to exit. In addition, the user can open a previously saved matrix or save the matrix before exiting the menu. The open and save menus are reached from the File menu in the toolbar of the Incidence:D- menu. The file type of this menu can be found in Table A.1.

Figure A.4: The settings of the Petri net.

Figure A.5: The incidence matrix (D-) of the Petri net.

Incidence Matrix: D+

The incidence matrix D+ (Incidence:D+ menu) shows how many tokens each transition puts into each place of the Petri net (see Figure A.6). All the entries

are positive. The user can input the entries into the boxes and click OK to exit. In addition, the user can open a previously saved matrix or save the matrix before exiting the menu. The open and save menus are reached from the File menu in the toolbar of the Incidence:D+ menu. The file type of this menu can be found in Table A.1.

Figure A.6: The incidence matrix (D+) of the Petri net.

Place Labels

By default, the places of the Petri net are enumerated according to the incidence matrices (see Figure A.7). Users can change the labels of the places by opening and saving the place labels. The file type of this menu can be found in Table A.1.

Transition Labels

By default, the transitions of the Petri net are enumerated according to the incidence matrices (see Figure A.8). Users can change the labels of the transitions by opening and saving the transition labels. The file type of this menu can be found

in Table A.1.

Figure A.7: The place labels of the Petri net.

Figure A.8: The transition labels (event set) of the Petri net.

Initial State

The initial state of the Petri net is assigned in this menu (see Figure A.9). Users can change the initial state, and open and save it. The file type of this menu can be found in Table A.1.

Figure A.9: The initial state of the Petri net.

Partitions

There are three different partitions (of the event set) assigned in this menu (see Figure A.10). The first partition is the set of observable events, corresponding to the column Obs. If the check box in the Obs column is checked, the event is observable; if it is not checked, the event is unobservable. The second partition is used for modular diagnosis and is defined by the column Module (see Figure A.10). For each event the user enters which module the event belongs to. The modules are enumerated, so the entries of the Module

column are integers. The third partition defines the fault partition and is given by the column Fault (see Figure A.10). If the event does not belong to a fault type, the entry in the column Fault is zero; otherwise, the fault type is entered. The fault types are enumerated, so the entries of this column are integers. All three partitions are opened and saved together: one base name is given to all the partitions, but a different extension is assigned to each partition (see Table A.1 for details).

Figure A.10: The partitions of the Petri net.

A.2 Draw: How to draw graphs?

This section explains how the loaded graphs are drawn. The user can draw the Petri net, the distributed Petri net and the connection graph. All the drawn graphs are saved to a folder named Figures, either under the Examples folder or otherwise under the directory in which the Diagnoser Toolbox runs. The color codes of the different types of

events and places are given in Table A.2.

Table A.2: The color code of events and places.

Color        Description
yellow       Observable event
pink         Unobservable event
red/orange   Fault
green        Place
blue         Common place

A.2.1 Petri Net

The Petri net is drawn by GraphViz [1] (specifically dot.exe; see Figure A.11). The toolbox creates the pn.dot file under the Figures folder and calls dot.exe to convert pn.dot to pn.jpg, pn.png and pn.gif. The file pn.png is loaded as a Matlab figure.

Figure A.11: The Petri net.

A.2.2 Distributed Petri Net

The distributed Petri net is drawn by GraphViz (specifically dot.exe; see Figure A.12). The toolbox creates the dpn.dot file under the Figures folder and calls dot.exe to convert dpn.dot to dpn.jpg, dpn.png and dpn.gif. The file dpn.png is loaded as a Matlab figure.

Figure A.12: The distributed Petri net.

A.2.3 Connection Graph

The connection graph is drawn by GraphViz (specifically dot.exe; see Figure A.13). The toolbox creates the con.dot file under the Figures folder and calls dot.exe to convert con.dot to con.jpg, con.png and con.gif. The file con.png is loaded as a Matlab figure. In the connection graph, the nodes denote the modules. An edge drawn between two nodes denotes the existence of common places between the modules corresponding to these two nodes, and is labeled with the set of common places between the modules. No edge is drawn between two nodes if the set of

common places between the modules corresponding to these two nodes is empty.

Figure A.13: The connection between the modules in the distributed Petri net.

A.3 Modular: How to run the distributed diagnosis algorithm?

This section explains how to run the distributed diagnosis with communication algorithm (DDC-M).

A.3.1 Initialize

This menu initializes the Petri net and the diagnosers of the modules to their initial states and initial diagnoser states, respectively. In addition, it clears the windows of the Diagnoser Toolbox.

A.3.2 Sequence

Users can enter the sequence of observable events on which to run DDC-M. The menu allows adding or deleting observable events only (see Figure A.14).

Figure A.14: The sequence of observable events.

A.3.3 Enable?

This menu shows the events enabled from the current diagnoser states on the left and the sequence of events observed so far on the right. Users can append events from the list of enabled events (see Figure A.15).

A.3.4 Distributed Diagnosis with Communication Algorithm

This menu option runs DDC-M and outputs, in the Diagnoser Toolbox, the sequence of events observed, which module sends a message to which module, the fault information and the diagnoser states (see Figure A.16). The message labels of the diagnoser states are shown in another window. If the Enabled? menu is open, the set of enabled events is refreshed. The diagnoser states (token distribution) are also shown in the figure window of the distributed Petri net; however, the tokens of the common places are not shown there. Users can see the full token distribution in the Diagnoser States menu of the Diagnoser

Toolbox.

Figure A.15: The set of enabled events.

Figure A.16: The result of DDC-M.

A.3.5 Merge

The merge operation combines the diagnoser states of the modules to form the monolithic diagnoser states (see Figure A.17). To check that the correct result

is achieved, this menu option also runs the monolithic diagnosis algorithm (MDA) and compares the result of the merge operation with the result of MDA.

Figure A.17: The result of the merge operation.

A.4 Monolithic Diagnosis

This menu runs MDA and outputs the diagnoser states and fault information.

A.4.1 Initialize

Same as Section A.3.1.

A.4.2 Sequence

Same as Section A.3.2.

A.4.3 Enable?

Same as Section A.3.3.

A.4.4 Diagnosis: Monolithic Diagnosis

This menu option runs MDA (see Figure A.16). The diagnoser states (token distribution) are also shown in the figure window of the distributed Petri net.

Figure A.18: The result of MDA.

A.5 Example

In this section, we first illustrate the application of DDC-M. Then, we merge the diagnoser states of the modules. Finally, we show that the merge correctly obtains the diagnoser state of the complete system. We consider an example of an automated manufacturing system which is a modified version of a system considered in [18], page 172. The Petri net graph of the example is given in Figure A.21. The system has three modules, each corresponding to a machine. Each machine gets parts from the buffers, processes the parts and then puts them back into the buffers. Faults may occur during the operation of the machines.

The sets of places of the modules are P_1 = {p1, p2, p3, p4, p5, p6}, P_2 = {p1, p5, p7, p8, p9, p10} and P_3 = {p1, p6, p10, p11, p12}. The buffers from which machines get parts or into which they put parts are modeled as common places. The sets of common places are as follows: P_{1,2} = {p1, p5}, P_{1,3} = {p1, p6} and P_{2,3} = {p1, p10} (see Figure A.19). Note that p1 is common to all of the modules.

Figure A.19: Manufacturing system modules connection graph.

The initial diagnoser states of the modules are as follows (the row above each matrix lists the place numbers and, after the bar, the fault type):

$$
x^1_{d,0} = \left( \begin{array}{c|c} 1, 2, 3, 4, 5, 6 & 1 \\ \hline 1, 0, 0, 0, 1, 1 & 0 \end{array} \right), \quad
x^2_{d,0} = \left( \begin{array}{c|c} 1, 5, 7, 8, 9, 10 & 2 \\ \hline 1, 1, 0, 0, 0, 1 & 0 \end{array} \right), \quad
x^3_{d,0} = \left( \begin{array}{c|c} 1, 6, 10, 11, 12 & 3 \\ \hline 1, 1, 1, 0, 0 & 0 \end{array} \right). \tag{A.1}
$$

Note that the rows above the matrices $x^1_{d,3}$, $x^2_{d,3}$ and $x^3_{d,3}$ show the place numbers and fault types of the complete system. Suppose that we observe the sequence of events M1Busy, M1Process, M2Busy. When we run DDC-M on the system, we see that the observations of M1Busy and M1Process each result in a message being sent from $M_{d,1}$ to $M_{d,2}$ and $M_{d,3}$. The observation of M2Busy results in a message being sent from $M_{d,2}$ to $M_{d,1}$, but no message is sent from $M_{d,2}$ to $M_{d,3}$. After observation of the above sequence of events, the output of the Diagnoser Toolbox is displayed (see Figure A.20) and the diagnoser states of the modules are calculated by DDC-M to be (see Figure A.22):

$$
x^1_{d,3} = \left( \begin{array}{c|c|c|c}
1, 2, 3, 4, 5, 6 & 1 & 1, 5, 1, 5, 1, 5 & 1, 6, 1, 6 \\ \hline
0, 0, 0, 0, 1, 2 & 0 & 1, 0, 0, 1, 0, 1 & 1, 0, 0, 1 \\
0, 0, 0, 0, 0, 2 & 1 & 1, 0, 0, 0, 0, 1 & 1, 0, 0, 1
\end{array} \right), \tag{A.2}
$$

$$
x^2_{d,3} = \left( \begin{array}{c|c|c}
1, 5, 7, 8, 9, 10 & 2 & 1, 5, 1, 5, 1, 5 \\ \hline
0, 1, 1, 1, 0, 1 & 0 & 1, 0, 0, 1, 0, 1 \\
0, 0, 1, 1, 0, 1 & 0 & 1, 0, 0, 0, 0, 1 \\
0, 1, 1, 0, 1, 1 & 1 & 1, 0, 0, 1, 0, 1 \\
0, 0, 1, 0, 1, 1 & 1 & 1, 0, 0, 0, 0, 1
\end{array} \right), \tag{A.3}
$$

$$
x^3_{d,3} = \left( \begin{array}{c|c|c}
1, 6, 10, 11, 12 & 3 & 1, 6, 1, 6 \\ \hline
0, 2, 1, 1, 0, 0 & 0 & 1, 0, 0, 1
\end{array} \right). \tag{A.4}
$$

When $x^1_{d,3}$, $x^2_{d,3}$ and $x^3_{d,3}$ are merged, the first row of $x^1_{d,3}$ merges with the first and third rows of $x^2_{d,3}$, and then with $x^3_{d,3}$. The second row of $x^1_{d,3}$ merges with the second and fourth rows of $x^2_{d,3}$, and then with $x^3_{d,3}$. Overall, merge correctly forms

the diagnoser state of the complete system as (see Figure A.23):

$$
x_{d,3} = \left( \begin{array}{c|c}
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 & 1, 2, 3 \\ \hline
0, 0, 0, 0, 1, 2, 1, 1, 0, 1, 0, 0 & 0, 0, 0 \\
0, 0, 0, 0, 0, 2, 1, 1, 0, 1, 0, 0 & 1, 0, 0 \\
0, 0, 0, 0, 1, 2, 1, 0, 1, 1, 0, 0 & 1, 1, 0 \\
0, 0, 0, 0, 1, 2, 1, 0, 1, 1, 0, 0 & 0, 1, 0
\end{array} \right). \tag{A.5}
$$

Figure A.20: Petri net model of manufacturing system processed by Diagnoser Toolbox.

Now, suppose that we observe the events M2Busy, M2Process and M2Process, in that order. The observation of M2Busy results in a message being sent from $M_{d,2}$ to $M_{d,1}$, but no message is sent from $M_{d,2}$ to $M_{d,3}$. After that, the two observations of M2Process result in messages being sent from $M_{d,2}$ to $M_{d,1}$ and $M_{d,3}$. After observation of the above sequence of events, the output of the Diagnoser Toolbox is displayed (see Figure A.24) and the diagnoser states of the modules are calculated

by DDC-M to be (see Figure A.25):

$$
x^1_{d,3} = \left( \begin{array}{c|c} 1, 2, 3, 4, 5, 6 & 1 \\ \hline 3, 0, 0, 0, 0, 1 & 0 \end{array} \right), \tag{A.6}
$$

$$
x^2_{d,3} = \left( \begin{array}{c|c} 1, 5, 7, 8, 9, 10 & 2 \\ \hline 3, 0, 0, 0, 0, 3 & 1 \end{array} \right), \tag{A.7}
$$

$$
x^3_{d,3} = \left( \begin{array}{c|c} 1, 6, 10, 11, 12 & 3 \\ \hline 3, 1, 3, 0, 0 & 0 \end{array} \right). \tag{A.8}
$$

Figure A.21: Petri net model of manufacturing system.

Thus, upon observation of the sequence of events M2Busy, M2Process, M2Process, $M_{d,2}$ is certain of fault type 2. Since there is only one row in each diagnoser state,

the merging operation is trivial and the centralized diagnoser state is found as (see Figure A.26):

$$
x_{d,3} = \left( \begin{array}{c|c}
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 & 1, 2, 3 \\ \hline
3, 0, 0, 0, 0, 1, 0, 0, 0, 3, 0, 0 & 0, 1, 0
\end{array} \right). \tag{A.9}
$$

Figure A.22: Petri net model of manufacturing system.
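The merge operation on the module diagnoser states of this example, as an added illustration in Python (not the Diagnoser Toolbox's own Matlab code): rows of neighbouring modules are joined wherever they agree on the common places, which reproduces the row pairings described for (A.2) and (A.3) and the single-row merge of (A.6) to (A.8). Assumptions: message labels are dropped, fault types are disjoint across modules, and the module-3 marking for the first sequence is read off the merged state (A.5) because the transcription of (A.4) above is not clean.

```python
"""Merging module diagnoser states into the monolithic diagnoser state.

Added example, not the Diagnoser Toolbox's Matlab code.  A row of a module
diagnoser state is a marking of the module's places followed by one bit per
fault type of that module.  Rows of two modules merge exactly when they agree
on the token counts of their common (border) places; the merged row carries
the union marking and the fault bits of both modules.  Assumed: fault types
are disjoint across modules, and message labels are ignored.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Marking = Tuple[int, ...]
Row = Tuple[Marking, Tuple[int, ...]]   # (marking over `places`, fault bits over `faults`)


@dataclass(frozen=True)
class DiagState:
    places: Tuple[int, ...]   # place numbers the marking columns refer to
    faults: Tuple[int, ...]   # fault types the fault-bit columns refer to
    rows: Tuple[Row, ...]


def merge(a: DiagState, b: DiagState) -> DiagState:
    """One application of the merge operation: join two states on their common places."""
    ia: Dict[int, int] = {p: i for i, p in enumerate(a.places)}
    ib: Dict[int, int] = {p: i for i, p in enumerate(b.places)}
    common = sorted(set(a.places) & set(b.places))
    places = tuple(sorted(set(a.places) | set(b.places)))
    faults = tuple(sorted(set(a.faults) | set(b.faults)))
    rows: List[Row] = []
    for ma, fa in a.rows:
        for mb, fb in b.rows:
            # Rows are compatible only if they agree on every border place.
            if any(ma[ia[p]] != mb[ib[p]] for p in common):
                continue
            marking = tuple(ma[ia[p]] if p in ia else mb[ib[p]] for p in places)
            bits = dict(zip(a.faults, fa))
            bits.update(zip(b.faults, fb))
            rows.append((marking, tuple(bits[f] for f in faults)))
    return DiagState(places, faults, tuple(rows))


def merge_all(states: List[DiagState]) -> DiagState:
    """Merge the module states pairwise, in module order, into the monolithic state."""
    merged = states[0]
    for state in states[1:]:
        merged = merge(merged, state)
    return merged


def certain_faults(state: DiagState) -> Set[int]:
    """Fault types whose bit is 1 in every row, i.e. the diagnoser is certain they occurred."""
    if not state.rows:
        return set()
    return {f for i, f in enumerate(state.faults)
            if all(bits[i] == 1 for _, bits in state.rows)}


# Module states after observing M1Busy, M1Process, M2Busy, from (A.2) and (A.3).
X1_SEQ1 = DiagState((1, 2, 3, 4, 5, 6), (1,),
                    (((0, 0, 0, 0, 1, 2), (0,)), ((0, 0, 0, 0, 0, 2), (1,))))
X2_SEQ1 = DiagState((1, 5, 7, 8, 9, 10), (2,),
                    (((0, 1, 1, 1, 0, 1), (0,)), ((0, 0, 1, 1, 0, 1), (0,)),
                     ((0, 1, 1, 0, 1, 1), (1,)), ((0, 0, 1, 0, 1, 1), (1,))))
# Assumption: the module-3 marking is read off the merged state (A.5), because
# the transcription of (A.4) is not clean.
X3_SEQ1 = DiagState((1, 6, 10, 11, 12), (3,), (((0, 2, 1, 0, 0), (0,)),))

# Module states after observing M2Busy, M2Process, M2Process, from (A.6)-(A.8).
X1_SEQ2 = DiagState((1, 2, 3, 4, 5, 6), (1,), (((3, 0, 0, 0, 0, 1), (0,)),))
X2_SEQ2 = DiagState((1, 5, 7, 8, 9, 10), (2,), (((3, 0, 0, 0, 0, 3), (1,)),))
X3_SEQ2 = DiagState((1, 6, 10, 11, 12), (3,), (((3, 1, 3, 0, 0), (0,)),))


def monolithic_after_seq1() -> DiagState:
    return merge_all([X1_SEQ1, X2_SEQ1, X3_SEQ1])


def monolithic_after_seq2() -> DiagState:
    return merge_all([X1_SEQ2, X2_SEQ2, X3_SEQ2])


if __name__ == "__main__":
    for name, state in (("seq1", monolithic_after_seq1()), ("seq2", monolithic_after_seq2())):
        print(name, "places", state.places, "faults", state.faults)
        for marking, bits in state.rows:
            print("   ", marking, bits)
        print("    certain of fault types:", certain_faults(state) or "none")
```

Rows of x^1 with p5 = 1 pair only with rows of x^2 with p5 = 1, which is why the first sequence yields four monolithic rows while the second yields one.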

Figure A.23: Petri net model of manufacturing system.

Figure A.24: Petri net model of manufacturing system processed by Diagnoser Toolbox.

Figure A.25: Petri net model of manufacturing system.

Figure A.26: Petri net model of manufacturing system.


More information

Let us first give some intuitive idea about a state of a system and state transitions before describing finite automata.

Let us first give some intuitive idea about a state of a system and state transitions before describing finite automata. Finite Automata Automata (singular: automation) are a particularly simple, but useful, model of computation. They were initially proposed as a simple model for the behavior of neurons. The concept of a

More information

Failure Diagnosis of Discrete Event Systems With Linear-Time Temporal Logic Specifications

Failure Diagnosis of Discrete Event Systems With Linear-Time Temporal Logic Specifications Failure Diagnosis of Discrete Event Systems With Linear-Time Temporal Logic Specifications Shengbing Jiang and Ratnesh Kumar Abstract The paper studies failure diagnosis of discrete event systems with

More information

Finite Automata. Finite Automata

Finite Automata. Finite Automata Finite Automata Finite Automata Formal Specification of Languages Generators Grammars Context-free Regular Regular Expressions Recognizers Parsers, Push-down Automata Context Free Grammar Finite State

More information

Lecture 20 : Markov Chains

Lecture 20 : Markov Chains CSCI 3560 Probability and Computing Instructor: Bogdan Chlebus Lecture 0 : Markov Chains We consider stochastic processes. A process represents a system that evolves through incremental changes called

More information

Synthesis of Maximally Permissive Non-blocking Supervisors for Partially Observed Discrete Event Systems

Synthesis of Maximally Permissive Non-blocking Supervisors for Partially Observed Discrete Event Systems 53rd IEEE Conference on Decision and Control December 5-7, 24. Los Angeles, California, USA Synthesis of Maximally Permissive Non-blocking Supervisors for Partially Observed Discrete Event Systems Xiang

More information

Motors Automation Energy Transmission & Distribution Coatings. Servo Drive SCA06 V1.5X. Addendum to the Programming Manual SCA06 V1.

Motors Automation Energy Transmission & Distribution Coatings. Servo Drive SCA06 V1.5X. Addendum to the Programming Manual SCA06 V1. Motors Automation Energy Transmission & Distribution Coatings Servo Drive SCA06 V1.5X SCA06 V1.4X Series: SCA06 Language: English Document Number: 10003604017 / 01 Software Version: V1.5X Publication Date:

More information

First Steps Towards a CPU Made of Spiking Neural P Systems

First Steps Towards a CPU Made of Spiking Neural P Systems Int. J. of Computers, Communications & Control, ISSN 1841-9836, E-ISSN 1841-9844 Vol. IV (2009), No. 3, pp. 244-252 First Steps Towards a CPU Made of Spiking Neural P Systems Miguel A. Gutiérrez-Naranjo,

More information

Achieving Fault-tolerance and Safety of Discrete-event Systems through Learning

Achieving Fault-tolerance and Safety of Discrete-event Systems through Learning 2016 American Control Conference (ACC) Boston Marriott Copley Place July 6-8, 2016. Boston, MA, USA Achieving Fault-tolerance and Safety of Discrete-event Systems through Learning Jin Dai, Ali Karimoddini,

More information

Automata-based Verification - III

Automata-based Verification - III COMP30172: Advanced Algorithms Automata-based Verification - III Howard Barringer Room KB2.20: email: howard.barringer@manchester.ac.uk March 2009 Third Topic Infinite Word Automata Motivation Büchi Automata

More information

Modeling and Stability Analysis of a Communication Network System

Modeling and Stability Analysis of a Communication Network System Modeling and Stability Analysis of a Communication Network System Zvi Retchkiman Königsberg Instituto Politecnico Nacional e-mail: mzvi@cic.ipn.mx Abstract In this work, the modeling and stability problem

More information

Basic System and Subsystem Structures in the Dataflow Algebra. A. J. Cowling

Basic System and Subsystem Structures in the Dataflow Algebra. A. J. Cowling Verification Testing Research Group, Department of Computer Science, University of Sheffield, Regent Court, 211, Portobello Street, Sheffield, S1 4DP, United Kingdom Email: A.Cowling @ dcs.shef.ac.uk Telephone:

More information

A PRIMER ON ROUGH SETS:

A PRIMER ON ROUGH SETS: A PRIMER ON ROUGH SETS: A NEW APPROACH TO DRAWING CONCLUSIONS FROM DATA Zdzisław Pawlak ABSTRACT Rough set theory is a new mathematical approach to vague and uncertain data analysis. This Article explains

More information

Bridging the Gap between Reactive Synthesis and Supervisory Control

Bridging the Gap between Reactive Synthesis and Supervisory Control Bridging the Gap between Reactive Synthesis and Supervisory Control Stavros Tripakis University of California, Berkeley Joint work with Ruediger Ehlers (Berkeley, Cornell), Stéphane Lafortune (Michigan)

More information

6196 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 57, NO. 9, SEPTEMBER 2011

6196 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 57, NO. 9, SEPTEMBER 2011 6196 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 57, NO. 9, SEPTEMBER 2011 On the Structure of Real-Time Encoding and Decoding Functions in a Multiterminal Communication System Ashutosh Nayyar, Student

More information

Automata, Logic and Games: Theory and Application

Automata, Logic and Games: Theory and Application Automata, Logic and Games: Theory and Application 1. Büchi Automata and S1S Luke Ong University of Oxford TACL Summer School University of Salerno, 14-19 June 2015 Luke Ong Büchi Automata & S1S 14-19 June

More information

748 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 54, NO. 4, APRIL 2009

748 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 54, NO. 4, APRIL 2009 748 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL 54, NO 4, APRIL 2009 An Efficient Approach for Online Diagnosis of Discrete Event Systems Francesco Basile, Member, IEEE, Pasquale Chiacchio, Gianmaria De

More information

Optimized diagnosability of distributed discrete event systems through abstraction

Optimized diagnosability of distributed discrete event systems through abstraction Optimized diagnosability of distributed discrete event systems through abstraction Lina Ye To cite this version: Lina Ye. Optimized diagnosability of distributed discrete event systems through abstraction.

More information

Models for Efficient Timed Verification

Models for Efficient Timed Verification Models for Efficient Timed Verification François Laroussinie LSV / ENS de Cachan CNRS UMR 8643 Monterey Workshop - Composition of embedded systems Model checking System Properties Formalizing step? ϕ Model

More information

MAD. Models & Algorithms for Distributed systems -- 2/5 -- download slides at

MAD. Models & Algorithms for Distributed systems -- 2/5 -- download slides at MAD Models & Algorithms for Distributed systems -- /5 -- download slides at http://people.rennes.inria.fr/eric.fabre/ 1 Today Runs/executions of a distributed system are partial orders of events We introduce

More information

A Polynomial-Time Algorithm for Checking Consistency of Free-Choice Signal Transition Graphs

A Polynomial-Time Algorithm for Checking Consistency of Free-Choice Signal Transition Graphs Fundamenta Informaticae XX (2004) 1 23 1 IOS Press A Polynomial-Time Algorithm for Checking Consistency of Free-Choice Signal Transition Graphs Javier Esparza Institute for Formal Methods in Computer Science

More information

Uses of finite automata

Uses of finite automata Chapter 2 :Finite Automata 2.1 Finite Automata Automata are computational devices to solve language recognition problems. Language recognition problem is to determine whether a word belongs to a language.

More information

THE simulation of a continuous or discrete time system

THE simulation of a continuous or discrete time system 770 IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS PART B: CYBERNETICS, VOL. 28, NO. 6, DECEMBER 1998 Discrete Event Representation of Qualitative Models Using Petri Nets Alessandra Fanni, Member,

More information

Chapter 5. Finite Automata

Chapter 5. Finite Automata Chapter 5 Finite Automata 5.1 Finite State Automata Capable of recognizing numerous symbol patterns, the class of regular languages Suitable for pattern-recognition type applications, such as the lexical

More information

MOST OF the published research on control of discreteevent

MOST OF the published research on control of discreteevent IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 43, NO. 1, JANUARY 1998 3 Discrete-Event Control of Nondeterministic Systems Michael Heymann and Feng Lin, Member, IEEE Abstract Nondeterminism in discrete-event

More information

Decision, Computation and Language

Decision, Computation and Language Decision, Computation and Language Non-Deterministic Finite Automata (NFA) Dr. Muhammad S Khan (mskhan@liv.ac.uk) Ashton Building, Room G22 http://www.csc.liv.ac.uk/~khan/comp218 Finite State Automata

More information

Computability and Complexity

Computability and Complexity Computability and Complexity Sequences and Automata CAS 705 Ryszard Janicki Department of Computing and Software McMaster University Hamilton, Ontario, Canada janicki@mcmaster.ca Ryszard Janicki Computability

More information

Interacting Vehicles: Rules of the Game

Interacting Vehicles: Rules of the Game Chapter 7 Interacting Vehicles: Rules of the Game In previous chapters, we introduced an intelligent control method for autonomous navigation and path planning. The decision system mainly uses local information,

More information

cse303 ELEMENTS OF THE THEORY OF COMPUTATION Professor Anita Wasilewska

cse303 ELEMENTS OF THE THEORY OF COMPUTATION Professor Anita Wasilewska cse303 ELEMENTS OF THE THEORY OF COMPUTATION Professor Anita Wasilewska LECTURE 5 CHAPTER 2 FINITE AUTOMATA 1. Deterministic Finite Automata DFA 2. Nondeterministic Finite Automata NDFA 3. Finite Automata

More information

Abstracting real-valued parameters in parameterised boolean equation systems

Abstracting real-valued parameters in parameterised boolean equation systems Department of Mathematics and Computer Science Formal System Analysis Research Group Abstracting real-valued parameters in parameterised boolean equation systems Master Thesis M. Laveaux Supervisor: dr.

More information

Automata-based Verification - III

Automata-based Verification - III CS3172: Advanced Algorithms Automata-based Verification - III Howard Barringer Room KB2.20/22: email: howard.barringer@manchester.ac.uk March 2005 Third Topic Infinite Word Automata Motivation Büchi Automata

More information

A Polynomial Algorithm for Testing Diagnosability of Discrete Event Systems

A Polynomial Algorithm for Testing Diagnosability of Discrete Event Systems A Polynomial Algorithm for Testing Diagnosability of Discrete Event Systems Shengbing Jiang, Zhongdong Huang, Vigyan Chandra, and Ratnesh Kumar Department of Electrical Engineering University of Kentucky

More information

The Weakest Failure Detector to Solve Mutual Exclusion

The Weakest Failure Detector to Solve Mutual Exclusion The Weakest Failure Detector to Solve Mutual Exclusion Vibhor Bhatt Nicholas Christman Prasad Jayanti Dartmouth College, Hanover, NH Dartmouth Computer Science Technical Report TR2008-618 April 17, 2008

More information

Theory of Computation - Module 4

Theory of Computation - Module 4 Theory of Computation - Module 4 Syllabus Turing Machines Formal definition Language acceptability by TM TM as acceptors, Transducers - designing of TM- Two way infinite TM- Multi tape TM - Universal Turing

More information

Lecture notes on Turing machines

Lecture notes on Turing machines Lecture notes on Turing machines Ivano Ciardelli 1 Introduction Turing machines, introduced by Alan Turing in 1936, are one of the earliest and perhaps the best known model of computation. The importance

More information

Proving Safety Properties of the Steam Boiler Controller. Abstract

Proving Safety Properties of the Steam Boiler Controller. Abstract Formal Methods for Industrial Applications: A Case Study Gunter Leeb leeb@auto.tuwien.ac.at Vienna University of Technology Department for Automation Treitlstr. 3, A-1040 Vienna, Austria Abstract Nancy

More information

Johns Hopkins Math Tournament Proof Round: Automata

Johns Hopkins Math Tournament Proof Round: Automata Johns Hopkins Math Tournament 2018 Proof Round: Automata February 9, 2019 Problem Points Score 1 10 2 5 3 10 4 20 5 20 6 15 7 20 Total 100 Instructions The exam is worth 100 points; each part s point value

More information

Decentralized Modular Control of Concurrent Fuzzy Discrete Event Systems

Decentralized Modular Control of Concurrent Fuzzy Discrete Event Systems 2010 American Control Conference Marriott Waterfront, Baltimore, MD, USA June 30-July 02, 2010 ThB07.2 Decentralized Modular Control of Concurrent Fuzzy Discrete Event Systems Awantha Jayasiri, George

More information

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66 Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66 Teknillisen korkeakoulun tietojenkäsittelyteorian laboratorion tutkimusraportti 66 Espoo 2000 HUT-TCS-A66

More information

Real-Time Software Transactional Memory: Contention Managers, Time Bounds, and Implementations

Real-Time Software Transactional Memory: Contention Managers, Time Bounds, and Implementations Real-Time Software Transactional Memory: Contention Managers, Time Bounds, and Implementations Mohammed El-Shambakey Dissertation Submitted to the Faculty of the Virginia Polytechnic Institute and State

More information

Improved Algorithms for Module Extraction and Atomic Decomposition

Improved Algorithms for Module Extraction and Atomic Decomposition Improved Algorithms for Module Extraction and Atomic Decomposition Dmitry Tsarkov tsarkov@cs.man.ac.uk School of Computer Science The University of Manchester Manchester, UK Abstract. In recent years modules

More information

7. Queueing Systems. 8. Petri nets vs. State Automata

7. Queueing Systems. 8. Petri nets vs. State Automata Petri Nets 1. Finite State Automata 2. Petri net notation and definition (no dynamics) 3. Introducing State: Petri net marking 4. Petri net dynamics 5. Capacity Constrained Petri nets 6. Petri net models

More information

Experimental designs for multiple responses with different models

Experimental designs for multiple responses with different models Graduate Theses and Dissertations Graduate College 2015 Experimental designs for multiple responses with different models Wilmina Mary Marget Iowa State University Follow this and additional works at:

More information

Modelling of Railway Network Using Petri Nets

Modelling of Railway Network Using Petri Nets Modelling of Railway Network Using Petri Nets MANDIRA BANIK 1, RANJAN DASGUPTA 2 1 Dept. of Computer Sc. & Engg., National Institute of Technical Teachers' Training & Research, Kolkata, West Bengal, India

More information

Complexity Results for Deciding Networks of Evolutionary Processors 1

Complexity Results for Deciding Networks of Evolutionary Processors 1 Complexity Results for Deciding Networks of Evolutionary Processors 1 Florin Manea Institut für Informatik, Christian-Albrechts-Universität zu Kiel, D-24098 Kiel, Germany, and Faculty of Mathematics and

More information

Analysis and Optimization of Discrete Event Systems using Petri Nets

Analysis and Optimization of Discrete Event Systems using Petri Nets Volume 113 No. 11 2017, 1 10 ISSN: 1311-8080 (printed version); ISSN: 1314-3395 (on-line version) url: http://www.ijpam.eu ijpam.eu Analysis and Optimization of Discrete Event Systems using Petri Nets

More information

DIAGNOSING MULTIPLE FAULTS IN COMMUNICATING FINITE STATE MACHINES

DIAGNOSING MULTIPLE FAULTS IN COMMUNICATING FINITE STATE MACHINES DIAGNOSING MULTIPLE FAULTS IN COMMUNICATING FINITE STATE MACHINES Khaled El-Fakih+, Nina Yevtushenko++ and Gregor v. Bochmann+ +School of Information Technology and Engineering,University of Ottawa, ON,

More information

Min-Max Message Passing and Local Consistency in Constraint Networks

Min-Max Message Passing and Local Consistency in Constraint Networks Min-Max Message Passing and Local Consistency in Constraint Networks Hong Xu, T. K. Satish Kumar, and Sven Koenig University of Southern California, Los Angeles, CA 90089, USA hongx@usc.edu tkskwork@gmail.com

More information

Complexity Theory Part II

Complexity Theory Part II Complexity Theory Part II Time Complexity The time complexity of a TM M is a function denoting the worst-case number of steps M takes on any input of length n. By convention, n denotes the length of the

More information

FAULT diagnosis is crucial for ensuring the safe operation

FAULT diagnosis is crucial for ensuring the safe operation A Qualitative Event-based Approach to Continuous Systems Diagnosis Matthew J. Daigle Member, IEEE, Xenofon D. Koutsoukos Senior Member, IEEE, and Gautam Biswas Senior Member, IEEE Abstract Fault diagnosis

More information

THE VINE COPULA METHOD FOR REPRESENTING HIGH DIMENSIONAL DEPENDENT DISTRIBUTIONS: APPLICATION TO CONTINUOUS BELIEF NETS

THE VINE COPULA METHOD FOR REPRESENTING HIGH DIMENSIONAL DEPENDENT DISTRIBUTIONS: APPLICATION TO CONTINUOUS BELIEF NETS Proceedings of the 00 Winter Simulation Conference E. Yücesan, C.-H. Chen, J. L. Snowdon, and J. M. Charnes, eds. THE VINE COPULA METHOD FOR REPRESENTING HIGH DIMENSIONAL DEPENDENT DISTRIBUTIONS: APPLICATION

More information

Efficient diagnosability assessment via ILP optimization: a railway benchmark

Efficient diagnosability assessment via ILP optimization: a railway benchmark Efficient diagnosability assessment via LP optimization: a railway benchmark 23rd EEE nternational Conference on Emerging Technologies and Factory Automation (ETFA 2018) F. Basile1, A. Boussif2, Gianmaria

More information