Failure Diagnosis of Discrete Event Systems With Linear-Time Temporal Logic Specifications


Shengbing Jiang and Ratnesh Kumar

Abstract

The paper studies failure diagnosis of discrete event systems with linear-time temporal logic (LTL) specifications. LTL formulae are used for specifying failures in the system. LTL-based specifications make the process of writing specifications easier and more user-friendly than formal language/automata-based specifications, and they can capture failures representing the violation of both liveness and safety properties, whereas the prior formal language/automaton-based specifications can capture only failures representing the violation of safety properties (such as the occurrence of a faulty event or the arrival at a failed state). Pre-diagnosability and diagnosability of discrete event systems in the temporal logic setting are defined. The problem of testing pre-diagnosability and diagnosability is reduced to the problem of model checking. An algorithm for testing pre-diagnosability and diagnosability, and for synthesizing a diagnoser, is obtained. The complexity of the algorithm is exponential in the length of each specification LTL formula, and polynomial in the number of system states and the number of specifications. The requirement of non-existence of unobservable cycles in the system, which is needed for the diagnosis algorithms of prior methods to work, is relaxed. Finally, a simple example is given for illustration.

Keywords: Discrete event system, failure diagnosis, linear-time temporal logic, diagnosability.

1 Introduction

Detection and isolation of failures in large, complex systems is a crucial and challenging task.
In general, a failure is a deviation of a system from its normal or required behavior, such as the occurrence of a failure event, or visiting a failed state, or more generally, reaching a deadlock or livelock. Failure diagnosis is the process of detecting and identifying such deviations in a system using the information available through sensors. The problem of failure diagnosis has received considerable attention in the literature of reliability engineering, control, and computer science, and a wide variety of schemes have been proposed. Recently, it has also been studied in the framework of discrete event systems (DESs) [24, 25, 2, 4, 5, 32, 36, 37, 35, 11, 6, 14, 10, 31, 28, 13, 22, 45, 34, 15, 18, 43, 44, 41]. A notion of failure diagnosis of qualitative behaviors of discrete event systems was first proposed in [36]. The idea is that if the discrete event system executes a faulty event, then it must eventually be diagnosed within a bounded number of state-transitions/events. A method for constructing a diagnoser was developed, and a necessary and sufficient condition for diagnosability was obtained in terms of certain properties of the constructed diagnoser. The above work was further extended to timed systems in [6], to decentralized diagnosis in [11], and to diagnosis of repeated failures in [18]. In [15, 43], algorithms of polynomial complexity for testing diagnosability without having to construct a diagnoser were obtained. These later works enable a quick test for diagnosability; by applying this test, a diagnoser is constructed only for those systems that are diagnosable (recall from [36] that the construction of a diagnoser is of exponential complexity). In [24, 25], the authors proposed a state-based approach for diagnosis; they studied the problems of off-line and on-line diagnosis, where the basic idea was to test and observe. Extensions of the above work can be found in [2], where the authors studied testability of DESs. In [4, 5], the problem of failure detection in communication networks was studied, where both the normal and faulty behaviors of the system are modeled by formal languages.

(The research was supported in part by the National Science Foundation under the grants NSF-ECS , NSF-ECS , NSF-ECS , NSF-ECS and NSF-EPNES , a DoD-EPSCoR grant through the Office of Naval Research under the grant N , and a KYDEPSCoR grant. A condensed version of this paper first appeared in [17]. This work was performed while the authors were with the Department of Electrical and Computer Engineering, University of Kentucky, Lexington. Shengbing Jiang: GM R&D and Planning, Mail Code , Mound Road, Warren, MI , shengbing.jiang@gm.com. Ratnesh Kumar: Department of Electrical & Computer Engineering, Iowa State University, 2215 Coover Hall, Ames, IA 50011, rkumar@iastate.edu.)
In [32], the authors also studied the problem of fault detection in communication networks, where faults are specified as changes and additions of arcs in the finite state machine model of the normal system, and a diagnosis method was provided. In [34], a state-based approach for failure diagnosis of timed systems was proposed. In [14, 10, 31], the authors developed a template monitoring scheme based on timing and sequencing relationships of events for fault monitoring in manufacturing systems. In [41], the application of discrete event system techniques to digital circuits was studied, and an algorithm for delay fault testability modeling and analysis was presented.

In all the above works, the non-faulty behavior of the system, also called the specification, is either specified by an automaton (containing no failure states) or by a language (event-traces containing no failure events). Since in a practical setting a specification is generally given in a natural language, when we apply the above failure diagnosis results we must first transform a natural language specification into a formal language specification. Given a simple natural language specification, the process of finding a corresponding formal language specification can be tedious, unintuitive, and error-prone, making it inaccessible to non-specialists. So there exists a gap between the informal natural language specification and the corresponding formal language specification. Temporal logic based specification was proposed in [12] as an attempt to bridge such a gap. Temporal logic has been used in the analysis and control of DESs [40, 23, 27, 26, 30, 29, 1, 19, 33, 42, 38, 39, 16], and it has also been used as a modeling formalism for diagnosing DESs in [9].

In this paper, we study the failure diagnosis problem for systems with linear-time temporal logic (LTL) specifications. Given a DES to be diagnosed, we use an LTL formula for the purpose of specifying a fault. In other words, an infinite state-trace of the system is said to be faulty if it violates the given LTL formula. Thus, for example, we can declare an infinite state-trace to be faulty if it visits a faulty state, which may be faulty by itself as in [2, 24, 25, 45], or may be a state introduced for representing a transition labeled by a faulty event (see Remark 2) as in [36, 37, 35, 11, 6, 4, 5, 32]. We can also have more general specifications for non-faulty state-traces in our setting, such as that a certain set of states should be visited infinitely often, or that a certain set of states should be eventually invariant. Thus properties such as invariance, recurrence, stability, etc. can be used to specify (non-)faulty behavior in our setting. A system is said to be pre-diagnosable with respect to a given LTL specification if every faulty state-trace possesses an indicator as its prefix, where an indicator is a finite state-trace all of whose infinite extensions are faulty. This property of pre-diagnosability should be viewed as a pre-condition for any diagnosability analysis, since without this property the possibility of the execution of an infinite faulty state-trace cannot be deduced through observations of finite length state-traces, even under complete observation. Note that this property automatically holds if the specification is only a safety specification. A pre-diagnosable system is said to be diagnosable with respect to an observation mask if the execution of any indicator by the system can be deduced with a finite delay. This is similar to the language-based definition introduced in [36], but our definition of diagnosability should be viewed as a generalization of that given in [36], since our definition of fault, which is based on an LTL formula, is more general.
It is interesting to note that the execution of an indicator may imply either that a fault has already occurred (such as the occurrence of a failure event), or that a fault is guaranteed to occur in the future (such as a livelock or deadlock). In other words, our approach allows detection and diagnosis of indicators where either a fault has already occurred or from where the occurrence of a fault is inevitable (i.e., our diagnoser is in a sense also predictive). Even with this generalization, the test for diagnosability remains polynomial in the number of system states and the number of specifications, like the test (see [15]) of the diagnosability defined in [36]. In our work, we allow the system to be diagnosed to be terminating as well as to possess cycles of unobservable events.

The rest of the paper is organized as follows. First the definition of LTL is introduced. Next the failure diagnosis of systems with LTL specifications is studied: the definitions of pre-diagnosability and diagnosability in the temporal logic setting are provided; algorithms for testing these properties, as well as for synthesizing a diagnoser, are obtained. Finally, an illustrative example is given.

2 Notations and Preliminaries

In this paper, we use LTL to express the specifications of DESs for the purpose of failure diagnosis. In the following, we give the definition of LTL. For a complete introduction to temporal logic, readers may refer to [12].

Let $M_d = (Q, R, AP, L)$ be a state transition graph, where $Q$ is the set of states (finite or infinite), $R \subseteq Q \times Q$ is a total transition relation, i.e., for every $q \in Q$ there is a $q' \in Q$ such that $R(q, q')$, $AP$ is a finite set of atomic proposition symbols, and $L : Q \to 2^{AP}$ is a function that labels each state with the set of atomic propositions true at that state. A state-trace in $M_d$ is defined as a finite or infinite sequence of states, $\pi = (q_0(\pi), q_1(\pi), \ldots)$, such that for every $i \in \{0, 1, \ldots\}$, $(q_i(\pi), q_{i+1}(\pi)) \in R$. A proposition-trace is defined as a finite or infinite sequence of sets of atomic propositions, $\pi_p = (L_0, L_1, \ldots)$, $L_i \subseteq AP$, $i = 0, 1, \ldots$. A proposition-trace $\pi_p = (L_0, L_1, \ldots)$ is said to be contained in $M_d$ if there exists a state-trace $\pi = (q_0, q_1, \ldots)$ in $M_d$ such that $L_i = L(q_i)$, $i = 0, 1, \ldots$, in which case $\pi_p$ is said to be associated with $\pi$.

Using the atomic propositions and boolean connectives such as conjunction, disjunction, and negation, one can construct more expressions describing properties of states. However, we are also interested in describing properties of the sequences of states that the system can visit. Such properties are expressed using the temporal operators of a temporal logic. LTL is a specific temporal logic formalism. The following temporal operators are used in LTL for describing properties along a specific state-trace.

$X$ ("next time"): it requires that a property hold in the next state of the state-trace.

$U$ ("until"): it is used to combine two properties. The combined property holds if there is a state on the state-trace where the second property holds, and at every preceding state on the trace the first property holds.

$F$ ("eventually" or "in the future"): it is used to assert that a property will hold at some future state on the state-trace. It is a special case of until.

$G$ ("always" or "globally"): it specifies that a property holds at every state on the trace.

$B$ ("before"): it also combines two properties. It requires that if there is a state on the state-trace where the second property holds, then there exists a preceding state on the trace where the first property holds.

We have the following relations among the above operators, where $f$ and $g$ denote temporal logic specifications:
$$Ff \equiv \mathit{True}\,U\,f, \qquad Gf \equiv \neg F \neg f, \qquad f\,B\,g \equiv \neg(\neg f\,U\,g).$$
It follows that $X$ and $U$ can be used to express the other temporal operators, and so these are the only temporal operators that appear in the definition of LTL.

Next we give the syntax of LTL. LTL formulae are generated by rules P1-P3 given below.

P1 If $p \in AP$, then $p$ is an LTL formula.

P2 If $f_1$ and $f_2$ are LTL formulae, then so are $\neg f_1$ and $f_1 \wedge f_2$.

P3 If $f_1$ and $f_2$ are LTL formulae, then so are $Xf_1$ and $f_1\,U\,f_2$.

We use $|f|$ to denote the length of $f$, which is the number of boolean and temporal operators in $f$. Next we give the semantics of LTL, which are defined with respect to the infinite state-traces in a state transition graph $M_d = (Q, R, AP, L)$. For an LTL formula $f$, the notation $\pi \models f$ (resp., $\pi \not\models f$) means that $f$ holds (resp., does not hold) along an infinite state-trace $\pi$ in $M_d$. The relation $\models$ is defined inductively as follows:

1. For $p \in AP$, $\pi \models p$ if and only if $p \in L(q_0(\pi))$.

2. $\pi \models \neg f$ if and only if $\pi \not\models f$.

3. $\pi \models f_1 \wedge f_2$ if and only if $\pi \models f_1$ and $\pi \models f_2$.

4. $\pi \models Xf$ if and only if $\pi^1 \models f$, where $\pi^1 = (q_1(\pi), q_2(\pi), \ldots)$.

5. $\pi \models f_1\,U\,f_2$ if and only if there exists a $k$ such that $\pi^k \models f_2$ and for all $j \in \{0, 1, \ldots, k-1\}$, $\pi^j \models f_1$, where $\pi^k = (q_k(\pi), q_{k+1}(\pi), \ldots)$.

From the above, one can see that LTL formulae can also be interpreted over infinite length proposition-traces over $AP$ without referring to any specific state transition graph. This is done by replacing the first condition above by: for $p \in AP$, $\pi = (L_0, L_1, \ldots) \models p \Leftrightarrow p \in L_0$, where $\pi$ is an infinite proposition-trace over $AP$, i.e., $L_i \subseteq AP$ for all $i \geq 0$. Also note that the semantics of LTL are defined over infinite state-traces. But, as mentioned in [12], one can extend the semantics of LTL to finite state-traces as follows: a finite state-trace $(q_0, \ldots, q_n)$ satisfies an LTL formula $f$ if and only if the infinite state-trace $(q_0, \ldots, q_n, q_n, \ldots) = (q_0, \ldots, q_n^\omega)$ satisfies $f$.

Definition 1 Given an LTL formula $f$, a state transition graph $M_d = (Q, R, AP, L)$, and a state $q \in Q$, $f$ is said to hold at the state $q$ [8], denoted as $\langle M_d, q \rangle \models f$, if for every state-trace $\pi = (q_0(\pi), q_1(\pi), \ldots)$ in $M_d$ starting at $q$, i.e., $q_0(\pi) = q$, it holds that $\pi \models f$. Given a state transition graph $M_d$ with an initial state set $Q_0$, $M_d$ is said to satisfy $f$ if $\forall q \in Q_0$, $\langle M_d, q \rangle \models f$.

Given a state transition graph $M_d$ and an LTL formula $f$, finding the set of states at which $f$ holds is an LTL model checking problem (for a detailed introduction to model checking, refer to [8]). The problem of checking whether a state transition graph $M_d$ with an initial set $Q_0$ satisfies a given LTL formula $f$ can be solved by first solving the model checking problem of $M_d$ with respect to $f$, i.e., first finding the set of states $Q_f$ at which $f$ holds, and next checking whether $Q_0 \subseteq Q_f$. In the following, we will view the problem of checking whether a system $M_d$ satisfies an LTL formula $f$ as an instance of an LTL model checking problem.

The following examples show that LTL formulae can be used to easily express properties such as invariance, recurrence, stability, etc.

$Gp$ means that along a given state-trace, globally ($G$) at every state of the trace, $p$ is true. It is an invariance (a type of safety) property.
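To make the inductive semantics concrete, here is an added evaluator (example code written for this page, not the paper's own) for LTL over finite state-traces using the convention just stated, that $(q_0, \ldots, q_n)$ satisfies $f$ iff $(q_0, \ldots, q_n^\omega)$ does. The derived operators $F$, $G$ and $B$ are rewritten into $X$/$U$ form with the equivalences from the previous page, so only the five semantic rules are implemented directly; the formulas and traces it checks are constructed for illustration and cover the invariance, recurrence and stability property classes.

```python
from typing import FrozenSet, Sequence, Tuple

# Added example (not from the paper): an evaluator for LTL over finite
# state-traces using the convention that (q_0, ..., q_n) satisfies f iff the
# infinite trace (q_0, ..., q_n^omega) does.  A state is identified with its
# label L(q), a set of atomic propositions.  Formulas are nested tuples:
#   ("true",) | ("ap", p) | ("not", f) | ("and", f, g) | ("X", f) | ("U", f, g)
# Derived operators are rewritten with the paper's equivalences:
#   F f = True U f,   G f = not F not f,   f B g = not (not f U g),
# and ("implies", f, g) is not (f and not g).
Formula = tuple
State = FrozenSet[str]
Trace = Sequence[State]


def holds(f: Formula, trace: Trace, i: int = 0) -> bool:
    """Does the suffix pi^i of (q_0, ..., q_n, q_n, ...) satisfy f?"""
    n = len(trace) - 1
    i = min(i, n)                      # every suffix from q_n on equals (q_n, q_n, ...)
    op = f[0]
    if op == "true":
        return True
    if op == "ap":                     # rule 1: p holds iff p is in the label of the first state
        return f[1] in trace[i]
    if op == "not":                    # rule 2
        return not holds(f[1], trace, i)
    if op == "and":                    # rule 3
        return holds(f[1], trace, i) and holds(f[2], trace, i)
    if op == "X":                      # rule 4: shift the suffix by one state
        return holds(f[1], trace, i + 1)
    if op == "U":                      # rule 5: some pi^k |= g with pi^j |= f for all i <= j < k
        # Suffixes at or beyond q_n coincide, so a witness k > n can be replaced by k = n.
        for k in range(i, n + 1):
            if holds(f[2], trace, k):
                return True
            if not holds(f[1], trace, k):
                return False
        return False
    if op == "F":
        return holds(("U", ("true",), f[1]), trace, i)
    if op == "G":
        return holds(("not", ("F", ("not", f[1]))), trace, i)
    if op == "B":
        return holds(("not", ("U", ("not", f[1]), f[2])), trace, i)
    if op == "implies":
        return holds(("not", ("and", f[1], ("not", f[2]))), trace, i)
    raise ValueError(f"unknown operator {op!r}")


def ap(p: str) -> Formula:
    return ("ap", p)


def trace(*labels: Sequence[str]) -> Tuple[State, ...]:
    """Build a constructed state-trace from per-state label lists."""
    return tuple(frozenset(ls) for ls in labels)


INVARIANCE = ("G", ap("p"))                                   # G p
RECURRENCE = ("G", ("implies", ap("p1"), ("F", ap("p2"))))     # G(p1 -> F p2)
STABILITY = ("F", ("G", ap("p")))                              # F G p


def evaluate_examples() -> dict:
    """Evaluate the three property classes (and B) on constructed traces."""
    return {
        "Gp on (p,p,p)": holds(INVARIANCE, trace(["p"], ["p"], ["p"])),
        "Gp on (p,-,p)": holds(INVARIANCE, trace(["p"], [], ["p"])),
        "G(p1->Fp2) on (p1,-,p2)": holds(RECURRENCE, trace(["p1"], [], ["p2"])),
        "G(p1->Fp2) on (p1,p2,p1)": holds(RECURRENCE, trace(["p1"], ["p2"], ["p1"])),
        "FGp on (-,-,p)": holds(STABILITY, trace([], [], ["p"])),
        "FGp on (p,-)": holds(STABILITY, trace(["p"], [])),
        "pBq on (p,q)": holds(("B", ap("p"), ap("q")), trace(["p"], ["q"])),
        "pBq on (q)": holds(("B", ap("p"), ap("q")), trace(["q"])),
    }


if __name__ == "__main__":
    for name, value in evaluate_examples().items():
        print(f"{name}: {value}")
```

The last-state clamp in `holds` is what makes the finite-trace convention work: because all suffixes from $q_n$ onward are identical, an until witness beyond position $n$ can always be moved to position $n$, so the search stays finite. Note how $FGp$ fails on $(p, -)$ even though $p$ held at the start, since the trace is stuck forever in a state without $p$.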

$G(p_1 \to Fp_2)$ means that along a given state-trace, globally ($G$) for every state $s$ of the trace, if $p_1$ is true at the state $s$, then $p_2$ will be true at some future ($F$) state. It is a recurrence (a type of liveness) property.

$FGp$ means that along a given state-trace, eventually ($F$) $p$ will hold globally ($G$). It is a property of stability (a type of liveness), which requires that the system should eventually reach a set of states where $p$ holds and stay there forever.

In the following, we first introduce some notations of formal languages [20], and then describe how an LTL formula can be characterized as the language accepted by a non-deterministic generalized Büchi automaton [8]. Let $\Sigma$ be a finite event set, $\Sigma^*$ be the set of all finite length sequences of events from $\Sigma$ including the zero length trace $\epsilon$, $\Sigma^\omega$ be the set of all infinite length sequences of events from $\Sigma$, and $\Sigma^\infty = \Sigma^* \cup \Sigma^\omega$. $K$ is called a $*$-language over $\Sigma$ if $K \subseteq \Sigma^*$, and $B$ is called an $\omega$-language over $\Sigma$ if $B \subseteq \Sigma^\omega$. The prefix operation $pr : \Sigma^\infty \to \Sigma^*$ is defined as: $\forall B \subseteq \Sigma^\infty$, $pr(B) := \{s \in \Sigma^* \mid \exists e \in B : s \text{ is a prefix of } e\}$. The limit operation $\lim : \Sigma^* \to \Sigma^\omega$ is defined as: $\forall K \subseteq \Sigma^*$, $\lim(K) := \{e \in \Sigma^\omega \mid \exists \text{ infinitely many } n \in \mathbb{N} \text{ s.t. } e^n \in K\}$, where $e^n$ denotes the prefix of length $n$ of $e$, i.e., $e^n = e(1)e(2)\cdots e(n)$ provided that $e = e(1)e(2)\cdots$. Given an $\omega$-language $B \subseteq \Sigma^\omega$, $B$ is said to be $\omega$-closed if $B = \lim(pr(B))$. Note that $B \subseteq \lim(pr(B))$ always holds.

Given an LTL formula $f$, let $S_f$ denote the set of all infinitely long proposition-traces over $AP$ satisfying $f$. Then one can obtain a non-deterministic generalized Büchi automaton $T_f$ (for details, refer to [8]) that accepts the $\omega$-language $S_f$. Before the construction of $T_f$, we first need to put $f$ into negation normal form, in which negation is applied only to atomic propositions. Next, we rewrite subformulae of the form $Fg$ as $\mathit{True}\,U\,g$. Let $r$ be the number of subformulae of the form $\mu U \nu$ in $f$ (it is obvious that $r \leq |f|$).
Then the non-deterministic generalized Büchi automaton can be represented as $T_f = (Q_f, \Sigma_{AP}, R_f, q_0^f, \mathcal{F})$, where $Q_f$ is a finite state set; $\Sigma_{AP} = 2^{AP}$ is the event set; $R_f \subseteq Q_f \times \Sigma_{AP} \times Q_f$ is the transition relation; $q_0^f \in Q_f$ is the initial state; and $\mathcal{F} = \{F_i, 1 \leq i \leq r\} \subseteq 2^{Q_f}$ is the generalized Büchi acceptance condition. For each subformula of the form $\mu U \nu$ in $f$, there is an $F_i$ in $\mathcal{F}$; $F_i$ is used for capturing the fulfillment of the liveness of $\mu U \nu$.

An infinite length proposition-trace $\pi_p = (L_1, L_2, \ldots) \in \Sigma_{AP}^\omega$ is accepted by $T_f$ if and only if there exists an infinite length state-trace $\pi = (q_0, q_1, \ldots)$ in $T_f$ such that $q_0 = q_0^f$, $(q_{i-1}, L_i, q_i) \in R_f$ for all $i \geq 1$, and $\pi$ visits each $F_i \in \mathcal{F}$ ($i = 1, \ldots, r$) infinitely often. We use $L^\omega_{T_f}$ to denote the $\omega$-language accepted by $T_f$; then we have $L^\omega_{T_f} = S_f$. Both the complexity of the construction of $T_f$ and the number of states in $T_f$ are exponential in the length of the LTL formula $f$.

3 Notion of Diagnosability with LTL Specifications

In this section, we give the definitions of pre-diagnosability and diagnosability for DESs in the temporal logic setting. From now on, the system $P$ to be diagnosed for the occurrence of failures is modeled by a six-tuple, $P = (X, \Sigma, R, X_0, AP, L)$, where $X$ is a finite set of states; $\Sigma$ is a finite set of event labels; $R \subseteq X \times (\Sigma \cup \{\epsilon\}) \times X$ is a transition relation; $X_0 \subseteq X$ is the set of initial states; $AP$ is a finite set of atomic proposition symbols; and $L : X \to 2^{AP}$ is a labeling function such that for $x \in X$, $p \in L(x)$ means that $p$ holds at $x$, and $p \notin L(x)$ means that $p$ does not hold at $x$. Let $L_P \subseteq \Sigma^*$ denote the language generated by $P$: for $s = (e_1, \ldots, e_n) \in \Sigma^*$, $s \in L_P$ if and only if there exists $\pi = (x_0, \ldots, x_n)$ such that $x_0 \in X_0$ and $(x_{i-1}, e_i, x_i) \in R$ for all $i \in \{1, \ldots, n\}$. A finite or infinite state-trace $\pi = (x_0, x_1, \ldots)$ is said to be generated by $P$ if $x_0 \in X_0$, and for all $i > 0$ there exists a $\sigma_i \in \Sigma \cup \{\epsilon\}$ such that $(x_{i-1}, \sigma_i, x_i) \in R$. We use $Tr_P$ to denote the set of all finite state-traces generated by $P$. For a state-trace $\pi_1 = (x^1_0, x^1_1, \ldots)$ (finite or infinite) and a finite state-trace $\pi_2 = (x^2_0, x^2_1, \ldots, x^2_k)$, if the number of states in $\pi_1$ is more than $k$, i.e., $|\pi_1| > k$, and $x^1_i = x^2_i$ for $0 \leq i \leq k$, then $\pi_2$ is called a $k$-prefix of $\pi_1$, $\pi_1$ is called an extension of $\pi_2$ in $P$, and $\pi_1$ can be represented as $\pi_1 = \pi_2\pi$, where $\pi = (x^1_{k+1}, \ldots)$ is called the $k$-suffix of $\pi_1$.

A finite or infinite proposition-trace over $AP$ is said to be generated by $P$ if it is associated with a state-trace generated by $P$. We use $L^{(\omega, AP)}_P \subseteq \Sigma^\omega_{AP}$ to denote the set of all infinite length proposition-traces over $AP$ that are generated by $P$, where $\Sigma_{AP} = 2^{AP}$. A finite or infinite event-trace $(e_1, e_2, \ldots)$ over $\Sigma \cup \{\epsilon\}$ is said to be associated with a state-trace $\pi = (x_0, x_1, \ldots)$ if for all $i > 0$, $(x_{i-1}, e_i, x_i) \in R$. Observations of events executed by $P$ are filtered through an observation mask $M : \Sigma \cup \{\epsilon\} \to \Delta \cup \{\epsilon\}$ with $M(\epsilon) = \epsilon$, where $\Delta$ is the set of observed symbols and may be disjoint from $\Sigma$. The definition of $M$ is extended to event-traces inductively as follows: $\forall s \in \Sigma^*, \sigma \in \Sigma$, $M(s\sigma) = M(s)M(\sigma)$. We use $E_\pi$ to denote the set of all event-traces associated with a state-trace $\pi \in Tr_P$, and $O_\pi$ to denote the observations of event-traces in $E_\pi$, i.e., $O_\pi = \{M(s) \mid s \in E_\pi\}$. For any two finite state-traces $\pi_1 = (x^1_0, x^1_1, \ldots, x^1_{k_1})$

and $\pi_2 = (x^2_0, x^2_1, \ldots, x^2_{k_2})$ in $Tr_P$, $\pi_1$ and $\pi_2$ are called indistinguishable (with respect to the mask $M$) if $O_{\pi_1} \cap O_{\pi_2} \neq \emptyset$, i.e., if they share observations resulting from the execution of associated event-traces.

Remark 1 From the above definition of $P$, we know that unobserved cycles are allowed in $P$, where an unobserved cycle in $P$ is a path $(x_1, e_1, x_2, \ldots, e_n, x_{n+1})$ such that $x_{n+1} = x_1$ and, for all $i \in \{1, \ldots, n\}$, $(x_i, e_i, x_{i+1}) \in R$ and $M(e_i) = \epsilon$. Also note that if $P$ is given to be a terminating system, i.e., if it contains some terminating states where no transition is defined, we can add self-loops on $\epsilon$ at every terminating state of $P$ without altering its LTL properties. This is so because the semantics of LTL on a finite state-trace $(x_1, \ldots, x_n)$ is the same as that on the infinite state-trace $(x_1, \ldots, x_n^\omega)$. So, from now on, we assume without loss of generality that $P$ has been appropriately augmented with self-loops on $\epsilon$, and so it is non-terminating. Note that the augmentation by self-loops on $\epsilon$ at the terminating states is possible in our framework since we allow the systems to be non-deterministic (so that they can possess $\epsilon$-transitions) and to contain unobservable cycles (so that they can possess self-loops on $\epsilon$).

Let $f$ be an LTL formula specifying the normal or non-faulty behavior of the system. In this paper, $f$ is also called the specification of the system; any behavior of the system violating $f$ is faulty. In the following we give the definitions of faulty traces, pre-diagnosability, and diagnosability in the temporal logic setting. Let us first define faulty state-traces.

Definition 2 Let $P$ be a system, $f$ be an LTL specification for $P$, and $\pi$ be an infinite state-trace generated by $P$. Then $\pi$ is called a faulty state-trace if $\pi \not\models f$.

Remark 2 In Definition 2, failures are represented by infinitely long state-traces that violate the specification $f$. The cases of faulty states as well as faulty events in prior works can be captured by our definition of failure. For the case of faulty states as in [2, 24, 25, 45], we can label each non-faulty state with a certain proposition $p$, and then use $f = Gp$ as the specification; any infinite state-trace violating $f$ is a faulty state-trace. For the case of faulty events as in [36, 37, 35, 11, 6, 4, 5, 32], we can first transform it to the case of faulty states as follows: for each transition $(x, \sigma_f, x')$ in the system such that $\sigma_f$ is a faulty event, introduce a faulty state $x_f$ into the system and replace the transition $(x, \sigma_f, x')$ by the two transitions $(x, \sigma_f, x_f)$ and $(x_f, \epsilon, x')$, and then apply the method of specifying faults as in the case of faulty states. Besides these two cases, we can also have more general specifications for non-faulty state-traces, such as that a certain set of states should be visited infinitely often, or that a certain set of states should be eventually invariant. Thus properties such as invariance, deadlock, recurrence, stability, etc. can be used to specify (non-)faulty behavior in our setting (as discussed in the last section).

The following definition of indicator is needed for (pre-)diagnosability.

Definition 3 Let $P$ be a system and $\pi$ be a finite state-trace generated by $P$. $\pi$ is called an indicator if all its infinite extensions in $P$ are faulty. We use $Ind_P$ to denote the set of all indicators in $P$.

Next we define the pre-diagnosability of DESs.

Definition 4 Let $P$ be a system and $f$ be a specification. $P$ is said to be pre-diagnosable with respect to $f$ if each faulty state-trace in $P$ possesses an indicator as its prefix.

Remark 3 In Definition 4, a system is pre-diagnosable with respect to a given specification if every faulty state-trace possesses an indicator as its prefix. Note that this property automatically holds if the specification is a safety one, i.e., it only requires that some bad things must never occur (such as that faulty states must never be visited or faulty events never occur). This property of pre-diagnosability, however, may not hold for more general specifications (see Example 1 below), and hence it should be viewed as a pre-condition for any diagnosability analysis. Without this property, the possibility of execution of an infinite faulty trace cannot be deduced through observations of finite length state-traces, even under complete observation of state-traces. If a system is pre-diagnosable, then failure diagnosis is just the process of detection and identification of indicators in the system. Note that when an indicator is detected, an actual failure (such as reaching a faulty state) may not have happened yet; it only signifies that a failure has either happened or is inevitable. Thus our definition includes both cases of detection (a failure has already occurred) and prediction (a failure will inevitably occur). This kind of prediction is necessary for the detection of failures that violate properties such as liveness and stability.

Example 1 Consider the system shown in Figure 1, and suppose the specification is given as $f = GFp_2$.

[Figure 1: Example for pre-diagnosability. States $x_0$, $x_1$, $x_2$ with labels $p_1$, $p_1$, $p_2$ and events $a$, $b$, $c$, $d$.]

It is easy to verify that $\pi = (x_0, x_1^\omega) \not\models f$, and no prefix of $\pi$ is an indicator. This is because any observed prefix $(x_0, x_1^k)$ of $\pi$ is also a prefix of $\pi_0 = (x_0, x_1^k, x_2^\omega)$, where $\pi_0 \models f$. So the system is not pre-diagnosable with respect to $f$. Hence, even with complete observation of the finite state-traces executed by the system, we can never detect the faulty trace $\pi$. Now suppose the specification is given as $f = GFp_1$; then it is easy to check that the system is pre-diagnosable with respect to $f$, since for any faulty state-trace $\pi_0 = (x_0, x_1^k, x_2^\omega)$, the prefix $(x_0, x_1^k, x_2)$ is an indicator.

The diagnosability of DESs in the setting of LTL is defined as follows.

Definition 5 Let $P$ be a system, $M$ be an observation mask, and $f$ be a specification. $P$ is said to be diagnosable with respect to $M$ and $f$ if $P$ is pre-diagnosable with respect to $f$
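The two verdicts in Example 1 can be mechanized for specifications of the form $GFp$ on a finite system: an infinite path from a state satisfies $GFp$ iff the state can reach a $p$-labelled state that lies on a cycle, so a finite trace is an indicator (Definition 3) iff no such $p$-cycle is reachable from its last state, and pre-diagnosability (Definition 4) fails iff some reachable cycle of non-$p$ states can still reach a $p$-cycle, which is exactly the $(x_0, x_1^\omega)$ situation. The following is an added example written for this page, not the paper's code; the transition structure of Figure 1 is an assumption reconstructed from the text ($x_0 \xrightarrow{a} x_1$, $x_1 \xrightarrow{b} x_1$, $x_1 \xrightarrow{c} x_2$, $x_2 \xrightarrow{d} x_2$).

```python
from typing import Dict, FrozenSet, List, Optional, Sequence, Set, Tuple

# Added example (not from the paper): indicator and pre-diagnosability checks
# for specifications of the form GF p on a finite system, the case used in
# Example 1.  The system is a constructed reconstruction of Figure 1 and is an
# assumption: x0 -a-> x1, x1 -b-> x1, x1 -c-> x2, x2 -d-> x2, with
# L(x0) = {p1}, L(x1) = {p1}, L(x2) = {p2}.
Transition = Tuple[str, str, str]          # (source, event, target)

LABELS: Dict[str, FrozenSet[str]] = {
    "x0": frozenset({"p1"}),
    "x1": frozenset({"p1"}),
    "x2": frozenset({"p2"}),
}
TRANSITIONS: List[Transition] = [
    ("x0", "a", "x1"), ("x1", "b", "x1"), ("x1", "c", "x2"), ("x2", "d", "x2"),
]
INITIAL: Set[str] = {"x0"}


def reachable(start: str, transitions: Sequence[Transition],
              allowed: Optional[Set[str]] = None) -> Set[str]:
    """States reachable from `start` by a path of one or more transitions whose
    visited states all lie in `allowed` (None means no restriction).  `start`
    itself is included only if it lies on such a cycle."""
    seen: Set[str] = set()
    stack = [start]
    while stack:
        x = stack.pop()
        for (s, _, t) in transitions:
            if s == x and (allowed is None or t in allowed) and t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


def can_satisfy_GF(x: str, p: str, labels, transitions) -> bool:
    """Is there an infinite state-trace from x satisfying GF p?  In a finite
    graph this holds iff x can reach a p-labelled state that lies on a cycle."""
    return any(p in labels[y] and y in reachable(y, transitions)
               for y in reachable(x, transitions) | {x})


def is_indicator(trace: Sequence[str], p: str, labels, transitions) -> bool:
    """Definition 3 for f = GF p: every infinite extension of the finite trace
    is faulty iff no infinite path from its last state satisfies GF p."""
    return not can_satisfy_GF(trace[-1], p, labels, transitions)


def pre_diagnosable_GF(p: str, labels, transitions, initial) -> Tuple[bool, Optional[str]]:
    """Definition 4 for f = GF p.  A faulty trace eventually cycles through
    states without p; it has an indicator prefix iff GF p cannot be satisfied
    from that cycle.  Returns (True, None) or (False, witness), where the
    witness lies on a reachable cycle of non-p states from which a p-cycle is
    still reachable, i.e. a trace like (x0, x1^omega) with no indicator prefix."""
    reach0: Set[str] = set(initial)
    for x0 in initial:
        reach0 |= reachable(x0, transitions)
    not_p = {x for x in labels if p not in labels[x]}
    for x in sorted(reach0 & not_p):
        on_not_p_cycle = x in reachable(x, transitions, allowed=not_p)
        if on_not_p_cycle and can_satisfy_GF(x, p, labels, transitions):
            return False, x
    return True, None


if __name__ == "__main__":
    for p in ("p2", "p1"):
        print(f"GF {p}: pre-diagnosable = {pre_diagnosable_GF(p, LABELS, TRANSITIONS, INITIAL)}")
        print(f"  (x0, x1, x2) is an indicator: {is_indicator(['x0', 'x1', 'x2'], p, LABELS, TRANSITIONS)}")
```

Run against $GFp_2$ the check reports the witness $x_1$ (it sits on the non-$p_2$ cycle $b$ and can still reach the $p_2$-cycle on $x_2$), so no prefix of $(x_0, x_1^\omega)$ is an indicator; against $GFp_1$ it reports pre-diagnosable, and $(x_0, x_1, x_2)$ is the indicator named in the text. The reduction to "reachable $p$-state on a cycle" is specific to $GFp$; a general LTL specification needs the Büchi automaton construction of Section 4.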

and
$$(\exists n \in \mathbb{N})(\forall \pi_0 \in Ind_P)(\forall \pi = \pi_0\pi_1 \in Tr_P,\ |\pi_1| \geq n)(\forall \pi' \in Tr_P,\ O_\pi \cap O_{\pi'} \neq \emptyset) \Rightarrow (\pi' \in Ind_P),$$
where $\mathbb{N}$ is the set of all natural numbers.

Remark 4 Definition 5 states that a pre-diagnosable system is diagnosable if the execution of any indicator by the system can be deduced with a finite delay from the behavior observed through the mask $M$. The finite delay is uniformly bounded, i.e., it depends only on the system model and the specification, but not on the trace executed. More precisely, there exists a number $n$ such that for any indicator $\pi_0$, for any sufficiently long (at least $n$ states longer) extension $\pi$ of $\pi_0$, and for any finite state-trace $\pi'$ generated by $P$, if $\pi$ and $\pi'$ are indistinguishable with respect to $M$, i.e., if they can generate the same masked event-trace, then $\pi'$ must also be an indicator. This is similar to the language-based definition of diagnosability introduced in [36], but our definition should be viewed as a generalization, since our definition of failures, which is based on an LTL formula, is more general.

Example 2 Consider the system shown in Figure 2, where the observation mask is given as $M(a) = a$, $M(b_1) = M(b_2) = b$, $M(c_1) = M(c_2) = c$.

[Figure 2: Example for diagnosability. States $x_0, \ldots, x_4$ labelled with propositions from $\{p_1, p_2\}$ and events $a$, $b_1$, $b_2$, $c_1$, $c_2$.]

Suppose the specification is given as $f = GFp_2$. It is easy to verify that the system is diagnosable with respect to $f$. This is because if an event-trace $abc^ka$ is observed, then it indicates that an indicator $(x_0, x_1, x_3(0), \ldots, x_3(k), x_4)$ has been executed by the system. Now suppose the specification is given as $f = Gp_1$. It is also easy to verify that the system is pre-diagnosable with respect to $f$. But the system is not diagnosable with respect to $f$. This is because when the indicator $(x_0, x_1, x_2)$ is executed by the system, no matter how long an extension of it is considered, an event-trace observation of the form $abc^k$ is generated, which can also be generated by the state-trace $(x_0, x_1, x_3(0), \ldots, x_3(k))$ that is not an indicator.

In Definition 5, we assumed that there is only one specification $f$ for the system $P$, so the failure diagnosis problem is the same as the failure detection problem. However, in practical situations we may have multiple specifications, so we need not only to detect the violation of a specification, but also to diagnose which specification is violated. The following definition of diagnosability is for the case of multiple specifications, and is an extension of Definition 5.

Definition 6 Let $P$ be a system, $M$ be an observation mask, and $\{f_i, i = 1, 2, \ldots, m\}$ be a set of specifications. $P$ is said to be diagnosable with respect to the mask $M$ and the set of specifications $\{f_i, i = 1, 2, \ldots, m\}$ if $P$ is diagnosable with respect to the mask $M$ and each specification $f_i$, $i = 1, 2, \ldots, m$.

Note that the diagnosability of a system $P$ with respect to the single specification $\bigwedge_{i=1}^m f_i$ does not imply the diagnosability of $P$ with respect to the set of specifications $\{f_i, 1 \leq i \leq m\}$. This is because even if we can detect the violation of $\bigwedge_{i=1}^m f_i$, we may not be able to know which $f_i$ has been violated.

If a system is diagnosable, then we need to construct a diagnoser for the failure diagnosis of the system. The diagnoser is defined as follows.

Definition 7 Given a system $P$, an observation mask $M$, and a specification $f$, let $D = (T, M_T)$, where $T = (Q_T, \Delta, R_T, Q_{T0})$ is a non-deterministic finite state machine, and $M_T : \Delta^* \to \{\mathit{fault}\}$ is a partial function defined as: $\forall s \in \Delta^*$, $M_T(s) = \mathit{fault}$ if $s$ is not generated by $T$, i.e., $s \notin L_T$. $D$ is called a diagnoser for $P$ with respect to $M$ and $f$ if the following holds:

1. $\forall \pi \in Tr_P,\ \forall s \in O_\pi:\ M_T(s) = \mathit{fault} \Rightarrow \pi \in Ind_P$.

2. $\exists n \in \mathbb{N}:\ (\forall \pi_0 \in Ind_P)(\forall \pi = \pi_0\pi_1 \in Tr_P,\ |\pi_1| \geq n)(\forall s \in O_\pi)\ (M_T(s) = \mathit{fault})$.

Let $\{f_i, i = 1, \ldots, m\}$ be a set of specifications. Then a collection $\{D_i = (T_i, M_{T_i}), i = 1, \ldots, m\}$ is called a diagnoser for $P$ with respect to $M$ and $\{f_i, i = 1, 2, \ldots, m\}$ if each $D_i$ ($i = 1, 2, \ldots, m$) is a diagnoser for $P$ with respect to $M$ and $f_i$.

Remark 5 The above definition states that a diagnoser $D$ detects the occurrence of each indicator in the system $P$ by observing the event-traces generated by $P$ through the mask $M$. It is required that a diagnoser shall never generate a false alarm (the first condition in the definition), and also that there will be no missed detections (the second condition, which requires the detection of any indicator within a finite delay). It is obvious that for a given pre-diagnosable system $P$, there exists a diagnoser $D$ only if $P$ is diagnosable. Note that Definition 7 does not require that a diagnoser $D$ possess a deterministic finite state machine $T$. Note also that the diagnosability of a system $P$ does not necessarily imply the existence of a finite state diagnoser, and the existence of a diagnoser does not necessarily mean that we can find one with complexity polynomial in the size of the system. In the next section we show that if $P$ is diagnosable, then a finite state diagnoser does exist and can be constructed polynomially in the number of states of $P$.

4 Algorithm for Diagnosis and Diagnoser Synthesis

The failure diagnosis problem for DESs with LTL specifications is formulated as follows:

12 Let P be a system and M be an observation mask. For a given set of specifications {f 1,, f m }, test whether P is diagnosable with respect to M and {f 1,, f m }; if P is diagnosable, then construct a diagnoser for P to detect the occurrence of indicators in P by observing the behavior of P through the mask M. In the following we first give an algorithm for testing the diagnosability and the design of a diagnoser for systems with a single LTL specification f, and then present an algorithm for the case of multiple specifications. Before presenting the details, we first give a brief explanation of the algorithm. Step 1 obtains a generalized Büchi automaton T f that accepts all proposition-traces over AP satisfying f, where T f has a generalized Büchi acceptance condition set F = {F i, 1 i r}. Step 2 verifies pre-diagnosability of P with respect to f. As shown in Theorem 1 below, P is pre-diagnosable with respect to f if and only if L ω T f L (ω,ap ) P is ω-closed. We first construct a finite state machine T 1 from the proposition-synchronization of T f and P. Then L ω T f L (ω,ap ) P equals the set of infinite proposition-traces generated by T 1 that visit the F i -labeled (1 i r) states infinitely often. So, L ω T f L (ω,ap ) P is ω-closed if and only if it holds that L ω T f L (ω,ap ) P = L (ω,ap ) T 1, i.e., if and only if every infinite proposition-trace generated by T 1 visits F i -labeled (1 i r) states infinitely often, i.e., if and only if T 1 satisfies the LTL formula r i=1gf F i, which is a LTL model checking problem. Step 3 tests for the diagnosability after the system passes the pre-diagnosability test. For this, P is event-synchronized with T 2, where T 2 generates the language M 1 M(L T1 ) = {s Σ t L T1, M(s) = M(t)}; the result is denoted by T 3. So T 3 generates traces in P that share an observation with traces in T 1, i.e., non-faulty traces of P. For diagnosability to hold all such traces must themselves be non-faulty. 
Thus for the diagnosability of P, we need to check whether $T_3$ satisfies f, which is an LTL model checking problem.

Algorithm 1 Algorithm for failure diagnosis with a single LTL specification

1. This step is for the construction of a non-deterministic generalized Büchi automaton $T_f$ that accepts all the infinite proposition-traces satisfying f. From [8], the automaton can be constructed as $T_f = (C_f, \Sigma_{AP}, R_f, q^f_0, \mathcal{F})$; the details are omitted here. Let $L^\omega_{T_f}$ denote the ω-language accepted by $T_f$, i.e., the set of all proposition-traces satisfying f.

2. This step is for the test of pre-diagnosability of P. Construct $T_1 = (Q_1, \Sigma, R_1, Q^0_1, AP \cup \mathcal{F}, L_1)$ from the proposition-synchronization of $T_f$ and $P = (X, \Sigma, R, X_0, AP, L)$, so that $T_1$ generates every infinite proposition-trace over AP that is generated by P and satisfies f, as follows:
 - $Q_1 = C_f \times X$ is the set of states;
 - Σ is the set of events;
 - $R_1 \subseteq Q_1 \times (\Sigma \cup \{\epsilon\}) \times Q_1$ is the transition relation, $R_1 = \{((c, x), \sigma, (c', x')) \in Q_1 \times (\Sigma \cup \{\epsilon\}) \times Q_1 \mid (c, L(x'), c') \in R_f,\ (x, \sigma, x') \in R\}$;
 - $Q^0_1 = \{(c, x) \in Q_1 \mid (q^f_0, L(x), c) \in R_f,\ x \in X_0\}$ is the set of initial states;
 - $AP \cup \mathcal{F}$ is the new set of atomic propositions;
 - $L_1 : Q_1 \to 2^{AP \cup \mathcal{F}}$ is the labeling function such that $\forall (c, x) \in Q_1,\ F_i \in \mathcal{F},\ p \in AP$: $[F_i \in L_1(c, x) \Leftrightarrow c \in F_i] \wedge [p \in L_1(c, x) \Leftrightarrow p \in L(x)]$;
 - delete each state $q \in Q_1$ and its associated transitions if either q has no successor, or no state labeled with some $F_i \in \mathcal{F}$ can be reached from q; repeat this process until no more states and transitions can be deleted.

 It follows from the construction of $T_1$ that $L^\omega_{T_f} \cap L^{(\omega,AP)}_P$ equals the set of all infinite-length proposition-traces that are generated by $T_1$ and visit the $F_i$-labeled ($1 \le i \le r$) states infinitely often. Check whether $L^\omega_{T_f} \cap L^{(\omega,AP)}_P$ is ω-closed. This is done by checking whether every infinite proposition-trace generated by $T_1$ visits the $F_i$-labeled ($1 \le i \le r$) states infinitely often, or equivalently, whether $T_1$ satisfies the LTL formula $\bigwedge_{i=1}^{r} GF\,F_i$. We can use the methods given in [8, 3, 7]. If the LTL formula is not satisfied by $T_1$, then stop and output that the system is not pre-diagnosable.

3. This step is for the test of diagnosability of P.
 - Construct $T_2 = (Q_2, \Delta, R_2, Q^0_2)$, the projection of $T_1$ through M, i.e., $L_{T_2} = M(L_{T_1})$, where Δ denotes the set of observed symbols (the paper's own symbol for this alphabet is not legible in this copy). $T_2$ is constructed as a non-deterministic state machine containing no ε-transitions, as follows:
   - $Q_2 = Q^0_1 \cup \{q \in Q_1 \mid \exists (q', \sigma, q) \in R_1,\ M(\sigma) \ne \epsilon\}$ is the set of states: $Q_2$ contains all the initial states of $T_1$ and those states of $T_1$ into which some transition labeled with an observable event leads;
   - Δ is the set of observed symbols;
   - $R_2 \subseteq Q_2 \times \Delta \times Q_2$ is the set of transitions: $\forall (q, \beta, q') \in Q_2 \times \Delta \times Q_2$, $(q, \beta, q') \in R_2$ if and only if there exists a path $(q_0, \sigma_1, q_1, \ldots, \sigma_k, q_k, \sigma_{k+1}, q_{k+1})$ ($k \ge 0$) in $T_1$ such that $(q_i, \sigma_{i+1}, q_{i+1}) \in R_1$ for $0 \le i \le k$, $q_0 = q$, $q_{k+1} = q'$, $M(\sigma_i) = \epsilon$ for $1 \le i \le k$, and $M(\sigma_{k+1}) = \beta$;
   - $Q^0_2 = Q^0_1$ is the set of initial states.
 - Construct $T_2' = (Q_2, \Sigma, R_2', Q^0_2)$ that accepts the language $M^{-1}(L_{T_2})$, i.e., $L_{T_2'} = M^{-1}(L_{T_2}) = M^{-1}M(L_{T_1})$, where the transition relation $R_2' \subseteq Q_2 \times \Sigma \times Q_2$ is given as $\forall (q, \sigma, q') \in Q_2 \times \Sigma \times Q_2$: $(q, \sigma, q') \in R_2' \Leftrightarrow [(q, M(\sigma), q') \in R_2] \vee [(q = q') \wedge (M(\sigma) = \epsilon)]$.
 - Construct $T_3 = (Q_3, \Sigma, R_3, Q^0_3, AP, L_3)$, which accepts the language $L_{T_2'} \cap L_P = M^{-1}M(L_{T_1}) \cap L_P$, from the event-synchronization of $T_2'$ and P. (Here $T_3$ generates a proposition-trace over AP that is associated with a state-trace in $Tr_P$ if and only if the latter is indistinguishable from a prefix of a non-faulty state-trace in P.)
   - $Q_3 = Q_2 \times X$ is the set of states;
   - Σ is the set of events;
   - $R_3 \subseteq Q_3 \times (\Sigma \cup \{\epsilon\}) \times Q_3$ is the transition relation such that $\forall ((q_1, x_1), \sigma, (q_2, x_2)) \in Q_3 \times (\Sigma \cup \{\epsilon\}) \times Q_3$: $((q_1, x_1), \sigma, (q_2, x_2)) \in R_3 \Leftrightarrow [(\sigma \ne \epsilon) \wedge ((q_1, \sigma, q_2) \in R_2') \wedge ((x_1, \sigma, x_2) \in R)] \vee [(\sigma = \epsilon) \wedge (q_1 = q_2) \wedge ((x_1, \sigma, x_2) \in R)]$;
   - $Q^0_3 = Q^0_2 \times X_0$ is the set of initial states;
   - AP is the set of atomic propositions;
   - $L_3 : Q_3 \to 2^{AP}$ is the labeling function such that $\forall (q, x) \in Q_3$, $L_3(q, x) = L(x)$;
   - delete each state $q \in Q_3$ and its associated transitions if q has no successor; repeat this process until no more states and transitions can be deleted.
 - Check whether every infinite proposition-trace generated by $T_3$ satisfies f, using the LTL model checking methods in [8, 3, 7]. If f is not satisfied by $T_3$, then stop and output that the system is not diagnosable.

4. This final step is for the construction of a diagnoser. Output $(T_2, M_{T_2})$ as the diagnoser D. Here $M_{T_2}$ is a partial function from observed event-traces to $\{fault\}$, defined as follows: for every observed event-trace s, $M_{T_2}(s) = fault$ if s is not generated by $T_2$, i.e., if $s \notin L_{T_2}$.

The diagnoser D operates as follows. It observes the event-traces generated by P through the mask M. If an observed event-trace s is not in the generated language of $T_2$, then the diagnoser outputs fault, which indicates the occurrence of an indicator of P, with a finite delay.

In Algorithm 1, $T_2'$, which generates the language $M^{-1}M(L_{T_1})$, is constructed so as not to contain any ε-transitions. For this, $T_2$, which generates the language $M(L_{T_1})$ and contains no ε-transitions, is first constructed.
The reason for not allowing ε-transitions in $T_2'$ is technical, and has to do with the possibility of the presence of unobservable cycles in P. This will become more evident when we prove the correctness of the diagnosability test in Theorem 3.

Remark 6 It is known that the first step of Algorithm 1 has a complexity of $O(2^{|f|})$. The second step has a complexity of $O(2^{O(|f|)} |X|^2)$. This is because the complexity of LTL model checking with the special formula $\bigwedge_{i=1}^{r} GF\,F_i$ is linear in both the size of the system (number of states and transitions) and the value of r (we can model check the formula $GF\,F_i$ for each $i = 1, \ldots, r$), and $r \le |f|$. The complexity of the third step is $O(2^{O(|f|)} |X|^4)$, since the complexity of LTL model checking is linear in the size of the system (number of states and transitions) and exponential in the length of the LTL formula. So the complexity of designing a diagnoser, as well as of testing diagnosability, is $O(2^{O(|f|)} |X|^4)$, which is polynomial in the number of states of the system and exponential in the length of the specification LTL formula. This power-4 dependence on the number of system states is the same as that in the setting of the faulty-event based approach to diagnosis [15]. The exponential dependence on the length of the LTL specification f comes from having an abstract, and hence more compact, representation of the specification. The number of states in $T_2$, which is part of the diagnoser D, is $O(2^{|f|} |X|)$.

Remark 7 In practice [21], the system specification may be given in the form $f_{safe} \wedge f_{live}$, where $f_{safe}$ (resp., $f_{live}$) represents only safety (resp., liveness) properties. Then, for computational savings, the first and second steps of the above algorithm can be modified as follows (since pre-diagnosability applies only to liveness specifications).
1. Construct the generalized Büchi automata $T_{f_{safe}}$ and $T_{f_{live}}$ for $f_{safe}$ and $f_{live}$ respectively.
2. Test pre-diagnosability of P with respect to $f_{live}$ as in Step 2 of Algorithm 1.
3. Construct $T_1$ from the proposition-synchronization of $T_{f_{safe}}$, $T_{f_{live}}$, and P, and proceed to Step 3 of Algorithm 1.

From the above it is clear that the pre-diagnosability test is not needed for a pure safety specification. Thus we can gain some computational savings by testing pre-diagnosability only for the liveness sub-specifications. However, the total complexity of testing diagnosability remains $O(2^{O(|f|)} |X|^4)$. This is because the complexity is dominated by Step 3 of the algorithm, and that step is needed for a specification of the form $f = f_{safe} \wedge f_{live}$. In the following we prove that Algorithm 1 is sound and complete.
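Before turning to the proofs, a worked instance of Steps 2 to 4 of Algorithm 1, given here as an added example (it is not code from the paper and the plant, the event names and all function names are constructed for illustration). It fixes the specification to the single liveness formula f = GF p, for which the generalized Büchi automaton $T_f$ of Step 1 is small enough to write by hand (two states, recording whether the last label contained p; $\mathcal{F} = \{\{\text{'p'}\}\}$), so the LTL-to-automaton translation of [8] is not implemented. For this particular f the two model-checking calls also reduce to cycle detection: $T_1 \models GF\,F_1$ and $T_3 \models GF\,p$ hold exactly when no reachable cycle avoids the $F_1$-labeled (resp. p-labeled) states, which is what the code checks instead of calling a general LTL model checker. The same plant is run in three variants: the baseline, which is pre-diagnosable and diagnosable; one with a recovery edge out of the faulty state, which fails the pre-diagnosability test in Step 2; and one in which the event c is unobservable so that the faulty state carries an unobservable cycle, which passes Step 2 but fails the diagnosability test in Step 3 (the case the remark on ε-free $T_2'$ above is concerned with).

```python
# Added example (not from the paper): Steps 2-4 of Algorithm 1 for the liveness
# specification f = GF p, run on three variants of one constructed plant. Step 1
# (LTL to generalized Buchi automaton) is taken as given: T_f is hand-built below.
EPS = ''                     # mask output for unobservable events
TF_STATES = ('np', 'p')      # T_f for GF p: state 'p' iff the label just read contains p
TF_INIT = 'np'
TF_ACCEPT = [{'p'}]          # generalized Buchi condition F = {F_1} with F_1 = {'p'}

def t_f_step(c, label):
    """Transition relation R_f of the hand-built T_f (deterministic: one successor)."""
    return 'p' if 'p' in label else 'np'

def build_system(c_observable, back_edge):
    """Constructed plant P = (X0, L, R, M); x1 carries p, unobservable u leads to p-free x2."""
    X0 = {'x0'}
    L = {'x0': set(), 'x1': {'p'}, 'x2': set()}
    R = {('x0', 'a', 'x1'), ('x1', 'b', 'x0'), ('x1', 'u', 'x2'), ('x2', 'c', 'x2')}
    R |= {('x2', 'd', 'x1')} if back_edge else set()      # recovery edge makes x2 escapable
    M = {'a': 'a', 'b': 'b', 'd': 'd', 'u': EPS, 'c': 'c' if c_observable else EPS}
    return X0, L, R, M

def reachable(Q0, R):
    """States reachable from Q0 (inclusive) over the transition set R."""
    seen, frontier = set(Q0), set(Q0)
    while frontier:
        frontier = {q2 for q1, _, q2 in R if q1 in frontier} - seen
        seen |= frontier
    return seen

def has_cycle(R):
    """A state lies on a cycle iff it is reachable from one of its own successors."""
    nodes = {q for t in R for q in (t[0], t[2])}
    return any(q in reachable({q2 for q1, _, q2 in R if q1 == q}, R) for q in nodes)

def trim(Q0, R, goal=None):
    """Deletion loop of Steps 2/3: drop states with no successor (and, if goal is given,
    states that cannot reach goal); iterate to a fixpoint. Returns surviving (Q0, R)."""
    R = set(R)
    while True:
        states = set(Q0) | {q for t in R for q in (t[0], t[2])}
        alive = {q for q in states if any(t[0] == q for t in R)}
        if goal is not None:
            alive = {q for q in alive if goal & reachable({q}, R)}
        pruned = {t for t in R if t[0] in alive and t[2] in alive}
        if pruned == R:
            return {q for q in Q0 if q in alive}, R
        R = pruned

def build_t1(P):
    """Step 2: proposition-synchronization of T_f and P, then trim."""
    X0, L, R, M = P
    Q1_0 = {(t_f_step(TF_INIT, L[x]), x) for x in X0}
    R1 = {((c, x1), s, (t_f_step(c, L[x2]), x2)) for x1, s, x2 in R for c in TF_STATES}
    goal = {q for t in R1 for q in (t[0], t[2]) if any(q[0] in Fi for Fi in TF_ACCEPT)}
    return trim(Q1_0, R1, goal)

def pre_diagnosable(Q1_0, R1):
    """T_1 |= AND_i GF F_i iff no reachable cycle of T_1 avoids the F_i-labelled states."""
    reach = reachable(Q1_0, R1)
    return not any(has_cycle({t for t in R1 if {t[0], t[2]} <= reach
                              and t[0][0] not in Fi and t[2][0] not in Fi})
                   for Fi in TF_ACCEPT)

def project(Q1_0, R1, M):
    """Step 3: T_2, the epsilon-free projection of T_1 through the mask M."""
    states = set(Q1_0) | {q for t in R1 for q in (t[0], t[2])}
    R2 = set()
    for q in states:          # unobservable closure of q, then one observable step
        closure = reachable({q}, {t for t in R1 if M[t[1]] == EPS})
        R2 |= {(q, M[s], q2) for q1, s, q2 in R1 if q1 in closure and M[s] != EPS}
    Q2 = set(Q1_0) | {t[2] for t in R2}
    return Q2, set(Q1_0), {t for t in R2 if t[0] in Q2}

def build_t3(Q2, Q2_0, R2, P):
    """Step 3: T_2' (inverse mask plus unobservable self-loops) event-synchronized with P."""
    X0, L, R, M = P
    R2p = {(q, s, q2) for q, b, q2 in R2 for s in M if M[s] == b}
    R2p |= {(q, s, q) for q in Q2 for s in M if M[s] == EPS}
    R3 = {((q, x1), s, (q2, x2)) for q, s, q2 in R2p for x1, s2, x2 in R if s == s2}
    return trim({(q, x) for q in Q2_0 for x in X0}, R3)

def diagnosable(Q3_0, R3, L):
    """T_3 |= GF p iff no reachable cycle of T_3 stays in p-free states (L_3(q, x) = L(x))."""
    reach = reachable(Q3_0, R3)
    return not has_cycle({t for t in R3 if {t[0], t[2]} <= reach
                          and 'p' not in L[t[0][1]] and 'p' not in L[t[2][1]]})

def diagnoser_verdict(Q2_0, R2, observed):
    """Step 4, M_T2: index of the observation at which 'fault' is output, or None."""
    cur = set(Q2_0)
    for i, beta in enumerate(observed):
        cur = {q2 for q, b, q2 in R2 if q in cur and b == beta}
        if not cur:
            return i
    return None

def analyze(c_observable, back_edge):
    P = build_system(c_observable, back_edge)
    Q1_0, R1 = build_t1(P)
    if not pre_diagnosable(Q1_0, R1):
        return {'pre_diagnosable': False, 'diagnosable': None}
    Q2, Q2_0, R2 = project(Q1_0, R1, P[3])
    Q3_0, R3 = build_t3(Q2, Q2_0, R2, P)
    return {'pre_diagnosable': True, 'diagnosable': diagnosable(Q3_0, R3, P[1]),
            'diagnoser': (Q2_0, R2)}
```

`analyze(True, False)` (baseline) reports the plant pre-diagnosable and diagnosable; the diagnoser it returns raises fault on the observed trace a c at the second observation, because c is never observed after a in $T_2$, and stays silent on a b a b. `analyze(True, True)` stops at Step 2, since the recovery edge lets the p-free state x2 be left again, so the faulty trace that stays in x2 forever has no indicator prefix. `analyze(False, False)` passes Step 2 but fails Step 3: with c unobservable, the self-loop on c in $T_2'$ carries the p-free state $((\cdot, x_1), x_2)$ of $T_3$ around a cycle, so the faulty trace and the non-faulty prefix a are never told apart, exactly the unobservable-cycle situation the ε-free construction of $T_2'$ is designed to expose rather than hide.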
We first prove the reductions of the problems of testing pre-diagnosability and diagnosability to those of LTL model checking. The following theorem states that a system is pre-diagnosable if and only if the set of all infinite non-faulty proposition-traces accepted by the system is ω-closed.

Theorem 1 Let P be a system and f be an LTL specification. P is pre-diagnosable with respect to f if and only if the ω-language $S_f \cap L^{(\omega,AP)}_P \subseteq \Sigma^\omega_{AP}$ is ω-closed, where $\Sigma_{AP} = 2^{AP}$. (Here $S_f$ denotes the set of all infinite proposition-traces over AP satisfying f, and $L^{(\omega,AP)}_P$ denotes the set of all proposition-traces generated by P.)

Proof: For necessity, suppose P is pre-diagnosable. For contradiction, suppose $S_{(f,P)} = S_f \cap L^{(\omega,AP)}_P \subseteq \Sigma^\omega_{AP}$ is not ω-closed, i.e., $\exists u = (e_1, e_2, \ldots) \in \lim(pr(S_{(f,P)})) \setminus S_{(f,P)}$. It is easy to verify that $L^{(\omega,AP)}_P$ is ω-closed. Thus we have $u \in [\lim(pr(S_{(f,P)})) \setminus S_{(f,P)}] \subseteq \lim(pr(L^{(\omega,AP)}_P)) = L^{(\omega,AP)}_P$. Since $u \notin S_{(f,P)}$, $u \not\models f$. Let $\pi_u = (x_1, x_2, \ldots)$ be a state-trace accepted by P and associated with u, i.e., $L(x_i) = e_i$ for all $i \ge 1$. Then we have $\pi_u \not\models f$, i.e., $\pi_u$ is faulty. Since P is pre-diagnosable and $\pi_u$ is a faulty trace in P, $\pi_u$ must have an indicator prefix $\pi^n_u = (x_1, \ldots, x_n)$. Because $u \in \lim(pr(S_{(f,P)}))$, from the definition of the lim operation there must exist a $k > n$ such that $u^k = (e_1, \ldots, e_k) \in pr(S_{(f,P)})$, which implies that $\pi^k_u = (x_1, \ldots, x_k)$ is a prefix of some non-faulty trace in P. It follows that $\pi^n_u$ could not be an indicator, which is a contradiction. So the necessity holds.

For sufficiency, suppose $S_{(f,P)}$ is ω-closed, i.e., $\lim(pr(S_{(f,P)})) \setminus S_{(f,P)} = \emptyset$. For contradiction, if P is not pre-diagnosable, then from Definition 4 we know there exists a faulty state-trace $\pi = (x_1, x_2, \ldots)$ in P such that no prefix of π is an indicator. In other words, $\pi^n = (x_1, \ldots, x_n)$ is a prefix of some non-faulty trace in P for every $n \ge 1$, i.e., $u^n \in pr(S_{(f,P)})$ for every $n \ge 1$, where $u^n = (L(x_1), \ldots, L(x_n))$ is the proposition-trace associated with $\pi^n$. Let $u = (L(x_1), L(x_2), \ldots)$ be the proposition-trace associated with π; then it is obvious that $u \in L^{(\omega,AP)}_P$ and $u \not\models f$. Because $u^n \in pr(S_{(f,P)})$ for every $n \ge 1$, we have $u \in \lim(pr(S_{(f,P)}))$. Since $u \not\models f$, $u \notin S_{(f,P)}$. From the above we have $u \in \lim(pr(S_{(f,P)})) \setminus S_{(f,P)}$, i.e., $\lim(pr(S_{(f,P)})) \setminus S_{(f,P)} \ne \emptyset$, which contradicts the hypothesis. So P is pre-diagnosable.

Note that the set of infinite proposition-traces $S_f \cap L^{(\omega,AP)}_P$ is the set of all infinite non-faulty proposition-traces generated by P. The next theorem validates our test for pre-diagnosability.

Theorem 2 Let P be a system and f be an LTL specification. P is pre-diagnosable with respect to f if and only if $\forall q \in Q^0_1$, $\langle T_1, q \rangle \models \bigwedge_{F_i \in \mathcal{F}} GF\,F_i$, where $T_1$ is as defined in Algorithm 1.

Proof: Since $T_1$ is the proposition-synchronization of $T_f$ and P, the set of infinite proposition-traces generated by $T_1$ that visit the $F_i$-labeled ($1 \le i \le r$) states infinitely often is the set of infinite proposition-traces generated by P and satisfying f, i.e., the set $L^\omega_{T_f} \cap L^{(\omega,AP)}_P$. From the construction of $T_f$, $L^\omega_{T_f} = S_f$.
So from Theorem 1, P is pre-diagnosable if and only if $L^\omega_{T_f} \cap L^{(\omega,AP)}_P$ is ω-closed, i.e., if and only if $L^\omega_{T_f} \cap L^{(\omega,AP)}_P = \lim(pr(L^\omega_{T_f} \cap L^{(\omega,AP)}_P)) = L^{(\omega,AP)}_{T_1}$, where the last equality follows from the construction of $T_1$, which keeps $T_1$ trim. The equality $L^\omega_{T_f} \cap L^{(\omega,AP)}_P = L^{(\omega,AP)}_{T_1}$ holds if and only if $L^{(\omega,AP)}_{T_1} \subseteq L^\omega_{T_f} \cap L^{(\omega,AP)}_P$, since the reverse containment holds by the construction of $T_1$. Further, since $L^{(\omega,AP)}_{T_1} \subseteq L^{(\omega,AP)}_P$ by construction, $L^{(\omega,AP)}_{T_1} \subseteq L^\omega_{T_f} \cap L^{(\omega,AP)}_P$ if and only if $L^{(\omega,AP)}_{T_1} \subseteq L^\omega_{T_f}$, or equivalently, every infinite proposition-trace generated by $T_1$ visits the $F_i$-labeled ($1 \le i \le r$) states infinitely often, or equivalently, $\forall q \in Q^0_1$, $\langle T_1, q \rangle \models \bigwedge_{F_i \in \mathcal{F}} GF\,F_i$. This completes the proof.

The next theorem validates our test for diagnosability.

Theorem 3 Let P be a system which is pre-diagnosable with respect to a specification f, and let M be an observation mask. Then P is diagnosable with respect to M and f if and only if $\forall q \in Q^0_3$, $\langle T_3, q \rangle \models f$, where $T_3$ is as defined in Algorithm 1.

Proof: For necessity, suppose P is diagnosable. For contradiction, if $\exists q \in Q^0_3$, $\langle T_3, q \rangle \not\models f$, then from the construction of $T_3$ we know that there exists an infinite state-trace $\pi = ((q_0, x_0), (q_1, x_1), \ldots)$ accepted by $T_3$ with $\pi \not\models f$. This implies that: (i) $\pi_1 = (x_0, x_1, \ldots) \not\models f$ and $\pi_1$ is accepted by P (because $T_3$ is constructed from the synchronization of $T_2'$ and P, and $T_2'$ does not contain any ε-transition); (ii) any prefix $(x_0, \ldots, x_k)$ of $\pi_1$ generates the same masked event-trace as some finite state-trace $\pi_2 = ((q_0', x_0'), \ldots, (q_n', x_n'))$ accepted by $T_1$, which further implies that $(x_0, \ldots, x_k)$ and $(x_0', \ldots, x_n')$ are two indistinguishable finite state-traces accepted by P. Here, from the pre-diagnosability of P and Theorem 2, we know that any infinite extension of $\pi_2$ in $T_1$ satisfies f, which means that there is an infinite extension of $(x_0', \ldots, x_n')$ in P that satisfies f, i.e., $(x_0', \ldots, x_n')$ is not an indicator. Since $\pi_1$ is faulty and P is pre-diagnosable, there is a prefix $\pi_0$ of $\pi_1$ such that $\pi_0$ is an indicator. From the above, for any arbitrarily long finite extension of $\pi_0$ along $\pi_1$, denoted as $(x_0, \ldots, x_k)$, there always exists a finite state-trace $(x_0', \ldots, x_n')$ accepted by P that is indistinguishable from $(x_0, \ldots, x_k)$ and is not an indicator. From Definition 5, P is not diagnosable, which contradicts the hypothesis. So the necessity holds.

For sufficiency, suppose $\forall q \in Q^0_3$, $\langle T_3, q \rangle \models f$. Let $T_3'$ be the state machine obtained before performing the deletion process that deletes the terminating states (while deriving $T_3$ in the third step of Algorithm 1). Suppose $\pi = (x_0, \ldots, x_k)$ is an indicator in P. If no state-trace of the form $((q_0, x_0), \ldots, (q_k, x_k))$ is accepted by $T_3'$, then no state-trace $((q_0', x_0'), \ldots, (q_j', x_j'))$ is accepted by $T_1$ such that π and $(x_0', \ldots, x_j')$ are indistinguishable in P. This further implies that any state-trace in $Tr_P$ that is indistinguishable from π is an indicator. If there exists a state-trace $\pi_1 = ((q_0, x_0), \ldots, (q_k, x_k))$ that is accepted by $T_3'$, then we claim that no extension of $\pi_1$ in $T_3'$ can ever reach a state that is contained in a loop of $T_3'$.
If our claim is true, then for any finite extension $\pi_0 = \pi\pi_2 = (x_0, \ldots, x_k, x_{k+1}, \ldots, x_{k+r})$ of π in P with $|\pi_2| = r \ge |Q_2 \times X| - 1 = |Q_2|\,|X| - 1$, no state-trace of the form $((q_0, x_0), \ldots, (q_{k+r}, x_{k+r}))$ is accepted by $T_3'$. From the above, this would imply that any state-trace in $Tr_P$ that is indistinguishable from $\pi_0$ is an indicator. From Definition 5, P would be diagnosable, where n can be chosen to be $n = |Q_2|\,|X| - 1$. So the sufficiency would hold. So it suffices to prove our claim, which we do in the following.

Suppose there is an extension $\pi_1\pi_1'$ of $\pi_1$ in $T_3'$ ending in a state that is contained in a loop. Then we can get an infinite extension $\pi_0$ of $\pi_1 = ((q_0, x_0), \ldots, (q_k, x_k))$ in $T_3'$ along the loop, and obviously $\pi_0$ is also accepted by $T_3$ (the deletion process removes no state lying on an infinite path). From the hypothesis, we know $\pi_0 \models f$. Let $\pi_0 = \pi_1 ((q_{k+1}, x_{k+1}), \ldots, (q_{k+i}, x_{k+i})) ((q_{k+i+1}, x_{k+i+1}), \ldots, (q_{k+i+j}, x_{k+i+j}))^\omega$. From the construction of $T_3$, and because $T_2'$ does not contain any ε-transition, it can be verified that $\pi' = (x_0, \ldots, x_k, \ldots, x_{k+i})(x_{k+i+1}, \ldots, x_{k+i+j})^\omega$ is an infinite state-trace accepted by P and $\pi' \models f$. Since $\pi = (x_0, \ldots, x_k)$ is a prefix of $\pi'$ and $\pi' \models f$, π is not an indicator in P, which contradicts the hypothesis that π is an indicator in P. This establishes our claim and completes the proof.

Now we prove the soundness and completeness of Algorithm 1, where soundness means that the diagnoser found by Algorithm 1 is correct, i.e., there are no "missed detections" and no "false alarms"; completeness means that Algorithm 1 finds a diagnoser whenever the system is diagnosable.

Theorem 4 Algorithm 1 is sound and complete.

Proof: For soundness, from Theorem 3 we know that no execution of an indicator in P remains undetected for more than $|Q_2|\,|X| - 1$ state steps by $T_2$ (i.e., there are no "missed detections"). Next, from the construction of $T_1$, we know that any event-trace in P that is not associated with an indicator (i.e., that can be extended to an infinite event-trace associated with an infinite state-trace satisfying f) is generated by $T_1$. This implies that the execution of any non-indicator state-trace is accepted by $T_2$ (i.e., there are no "false alarms"). The completeness comes directly from Theorem 3. This is because if Algorithm 1 stops in Step 3 because f is not satisfied by $T_3$, then from Theorem 3 we know that the system is not diagnosable, and so in fact no diagnoser exists.

The following algorithm solves the failure diagnosis problem for systems with multiple specifications and is based on Algorithm 1. The soundness and completeness of the algorithm follow directly from Definition 6 and Theorem 4.

Algorithm 2 Algorithm for failure diagnosis with multiple specifications
1. Test the diagnosability of the system P with respect to each specification $f_i$ using Algorithm 1. If P is not diagnosable with respect to some $f_i$, then stop and output that the system is not diagnosable; otherwise obtain the diagnoser $D_i$ for each $f_i$ using Algorithm 1.
2. Derive the diagnoser D for the set of specifications $\{f_i, i = 1, 2, \ldots, m\}$ as the collection of all $D_i$, i.e., $D = \{D_i, i = 1, 2, \ldots, m\}$. For any observed event-trace of P through the mask M, if a fault signal is generated by some $D_i$, $i = 1, 2, \ldots, m$, then it indicates the detection of an $f_i$-type failure in P, representing the violation of the specification $f_i$.

Remark 8 Algorithm 2 provides a method for failure detection and identification. It is easy to verify that its complexity is polynomial in both the number of states of the system and the number of specifications (or failure types), and exponential in the length of each individual specification LTL formula.
It is for the first time that an algorithm polynomial in both the number of states of the system and the number of failure types is derived for failure diagnosis. Note that our method has an extra complexity that is exponential in the length of each individual specification LTL formula. This is to be expected, since we are using a more abstract, and hence more compact, representation of a specification. It is possible to represent the given LTL specification using faulty transitions as in [36], but the computational complexity of diagnosis based upon such a translation will be inferior compared to the direct approach we have given. To substantiate our claim, the following steps may be taken to represent the given LTL specification in terms of faulty transitions:
1. Construct a non-deterministic generalized Büchi automaton $T_f$ for the given LTL formula f. Assuming pre-diagnosability (since otherwise there is no need to proceed further), the acceptance condition in $T_f$ can be removed, i.e., $T_f$ can be viewed as a non-deterministic automaton that generates a regular *-language.
2. Obtain a deterministic finite state machine $T_d$ by determinizing $T_f$.


More information

Model Checking of Safety Properties

Model Checking of Safety Properties Model Checking of Safety Properties Orna Kupferman Hebrew University Moshe Y. Vardi Rice University October 15, 2010 Abstract Of special interest in formal verification are safety properties, which assert

More information

On the Design of Adaptive Supervisors for Discrete Event Systems

On the Design of Adaptive Supervisors for Discrete Event Systems On the Design of Adaptive Supervisors for Discrete Event Systems Vigyan CHANDRA Department of Technology, Eastern Kentucky University Richmond, KY 40475, USA and Siddhartha BHATTACHARYYA Division of Computer

More information

Logic Model Checking

Logic Model Checking Logic Model Checking Lecture Notes 10:18 Caltech 101b.2 January-March 2004 Course Text: The Spin Model Checker: Primer and Reference Manual Addison-Wesley 2003, ISBN 0-321-22862-6, 608 pgs. the assignment

More information

First-order resolution for CTL

First-order resolution for CTL First-order resolution for Lan Zhang, Ullrich Hustadt and Clare Dixon Department of Computer Science, University of Liverpool Liverpool, L69 3BX, UK {Lan.Zhang, U.Hustadt, CLDixon}@liverpool.ac.uk Abstract

More information

PSL Model Checking and Run-time Verification via Testers

PSL Model Checking and Run-time Verification via Testers PSL Model Checking and Run-time Verification via Testers Formal Methods 2006 Aleksandr Zaks and Amir Pnueli New York University Introduction Motivation (Why PSL?) A new property specification language,

More information

Automata-Theoretic Model Checking of Reactive Systems

Automata-Theoretic Model Checking of Reactive Systems Automata-Theoretic Model Checking of Reactive Systems Radu Iosif Verimag/CNRS (Grenoble, France) Thanks to Tom Henzinger (IST, Austria), Barbara Jobstmann (CNRS, Grenoble) and Doron Peled (Bar-Ilan University,

More information

Decentralized Control of Discrete Event Systems with Bounded or Unbounded Delay Communication 1

Decentralized Control of Discrete Event Systems with Bounded or Unbounded Delay Communication 1 Decentralized Control of Discrete Event Systems with Bounded or Unbounded Delay Communication 1 Stavros Tripakis 2 VERIMAG Technical Report TR-2004-26 November 2004 Abstract We introduce problems of decentralized

More information

Lecture 9 Synthesis of Reactive Control Protocols

Lecture 9 Synthesis of Reactive Control Protocols Lecture 9 Synthesis of Reactive Control Protocols Nok Wongpiromsarn Singapore-MIT Alliance for Research and Technology Richard M. Murray and Ufuk Topcu California Institute of Technology EECI, 16 May 2012

More information

Intersection Based Decentralized Diagnosis: Implementation and Verification

Intersection Based Decentralized Diagnosis: Implementation and Verification Intersection Based Decentralized Diagnosis: Implementation and Verification Maria Panteli and Christoforos N. Hadjicostis Abstract We consider decentralized diagnosis in discrete event systems that are

More information

Automata-based Verification - III

Automata-based Verification - III COMP30172: Advanced Algorithms Automata-based Verification - III Howard Barringer Room KB2.20: email: howard.barringer@manchester.ac.uk March 2009 Third Topic Infinite Word Automata Motivation Büchi Automata

More information

Computer-Aided Program Design

Computer-Aided Program Design Computer-Aided Program Design Spring 2015, Rice University Unit 3 Swarat Chaudhuri February 5, 2015 Temporal logic Propositional logic is a good language for describing properties of program states. However,

More information

Semi-asynchronous. Fault Diagnosis of Discrete Event Systems ALEJANDRO WHITE DR. ALI KARIMODDINI OCTOBER

Semi-asynchronous. Fault Diagnosis of Discrete Event Systems ALEJANDRO WHITE DR. ALI KARIMODDINI OCTOBER Semi-asynchronous Fault Diagnosis of Discrete Event Systems ALEJANDRO WHITE DR. ALI KARIMODDINI OCTOBER 2017 NC A&T State University http://www.ncat.edu/ Alejandro White Semi-asynchronous http://techlav.ncat.edu/

More information

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either Introduction to Temporal Logic The purpose of temporal logics is to specify properties of dynamic systems. These can be either Desired properites. Often liveness properties like In every infinite run action

More information

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras Introduction to Model Checking Debdeep Mukhopadhyay IIT Madras How good can you fight bugs? Comprising of three parts Formal Verification techniques consist of three parts: 1. A framework for modeling

More information

Equivalence of Regular Expressions and FSMs

Equivalence of Regular Expressions and FSMs Equivalence of Regular Expressions and FSMs Greg Plaxton Theory in Programming Practice, Spring 2005 Department of Computer Science University of Texas at Austin Regular Language Recall that a language

More information

Classes and conversions

Classes and conversions Classes and conversions Regular expressions Syntax: r = ε a r r r + r r Semantics: The language L r of a regular expression r is inductively defined as follows: L =, L ε = {ε}, L a = a L r r = L r L r

More information

EECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization

EECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization EECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization Discrete Systems Lecture: Automata, State machines, Circuits Stavros Tripakis University of California, Berkeley Stavros

More information

Characterizing Fault-Tolerant Systems by Means of Simulation Relations

Characterizing Fault-Tolerant Systems by Means of Simulation Relations Characterizing Fault-Tolerant Systems by Means of Simulation Relations TECHNICAL REPORT Ramiro Demasi 1, Pablo F. Castro 2,3, Thomas S.E. Maibaum 1, and Nazareno Aguirre 2,3 1 Department of Computing and

More information

Recognizing Safety and Liveness by Alpern and Schneider

Recognizing Safety and Liveness by Alpern and Schneider Recognizing Safety and Liveness by Alpern and Schneider Calvin Deutschbein 17 Jan 2017 1 Intro 1.1 Safety What is safety? Bad things do not happen For example, consider the following safe program in C:

More information

Lecture 7 Synthesis of Reactive Control Protocols

Lecture 7 Synthesis of Reactive Control Protocols Lecture 7 Synthesis of Reactive Control Protocols Richard M. Murray Nok Wongpiromsarn Ufuk Topcu California Institute of Technology AFRL, 25 April 2012 Outline Review: networked control systems and cooperative

More information

Tecniche di Specifica e di Verifica. Automata-based LTL Model-Checking

Tecniche di Specifica e di Verifica. Automata-based LTL Model-Checking Tecniche di Specifica e di Verifica Automata-based LTL Model-Checking Finite state automata A finite state automaton is a tuple A = (S,S,S 0,R,F) S: set of input symbols S: set of states -- S 0 : set of

More information

Algorithmic verification

Algorithmic verification Algorithmic verification Ahmed Rezine IDA, Linköpings Universitet Hösttermin 2018 Outline Overview Model checking Symbolic execution Outline Overview Model checking Symbolic execution Program verification

More information

Proving Inter-Program Properties

Proving Inter-Program Properties Unité Mixte de Recherche 5104 CNRS - INPG - UJF Centre Equation 2, avenue de VIGNATE F-38610 GIERES tel : +33 456 52 03 40 fax : +33 456 52 03 50 http://www-verimag.imag.fr Proving Inter-Program Properties

More information

Theory of Computation

Theory of Computation Thomas Zeugmann Hokkaido University Laboratory for Algorithmics http://www-alg.ist.hokudai.ac.jp/ thomas/toc/ Lecture 3: Finite State Automata Motivation In the previous lecture we learned how to formalize

More information

Modal and Temporal Logics

Modal and Temporal Logics Modal and Temporal Logics Colin Stirling School of Informatics University of Edinburgh July 23, 2003 Why modal and temporal logics? 1 Computational System Modal and temporal logics Operational semantics

More information

Lecture Notes on Software Model Checking

Lecture Notes on Software Model Checking 15-414: Bug Catching: Automated Program Verification Lecture Notes on Software Model Checking Matt Fredrikson André Platzer Carnegie Mellon University Lecture 19 1 Introduction So far we ve focused on

More information

Lecture Notes on Inductive Definitions

Lecture Notes on Inductive Definitions Lecture Notes on Inductive Definitions 15-312: Foundations of Programming Languages Frank Pfenning Lecture 2 September 2, 2004 These supplementary notes review the notion of an inductive definition and

More information

LTL with Arithmetic and its Applications in Reasoning about Hierarchical Systems

LTL with Arithmetic and its Applications in Reasoning about Hierarchical Systems This space is reserved for the EPiC Series header, do not use it LTL with Arithmetic and its Applications in Reasoning about Hierarchical Systems Rachel Faran and Orna Kupferman The Hebrew University,

More information

Tableau-based decision procedures for the logics of subinterval structures over dense orderings

Tableau-based decision procedures for the logics of subinterval structures over dense orderings Tableau-based decision procedures for the logics of subinterval structures over dense orderings Davide Bresolin 1, Valentin Goranko 2, Angelo Montanari 3, and Pietro Sala 3 1 Department of Computer Science,

More information

ω-automata Automata that accept (or reject) words of infinite length. Languages of infinite words appear:

ω-automata Automata that accept (or reject) words of infinite length. Languages of infinite words appear: ω-automata ω-automata Automata that accept (or reject) words of infinite length. Languages of infinite words appear: in verification, as encodings of non-terminating executions of a program. in arithmetic,

More information

This is logically equivalent to the conjunction of the positive assertion Minimal Arithmetic and Representability

This is logically equivalent to the conjunction of the positive assertion Minimal Arithmetic and Representability 16.2. MINIMAL ARITHMETIC AND REPRESENTABILITY 207 If T is a consistent theory in the language of arithmetic, we say a set S is defined in T by D(x) if for all n, if n is in S, then D(n) is a theorem of

More information

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia Università degli studi di Udine Corso per il dottorato di ricerca: Temporal Logics: Satisfiability Checking, Model Checking, and Synthesis January 2017 Lecture 01, Part 02: Temporal Logics Guest lecturer:

More information

Bridging the Gap between Reactive Synthesis and Supervisory Control

Bridging the Gap between Reactive Synthesis and Supervisory Control Bridging the Gap between Reactive Synthesis and Supervisory Control Stavros Tripakis University of California, Berkeley Joint work with Ruediger Ehlers (Berkeley, Cornell), Stéphane Lafortune (Michigan)

More information

Advanced Topics in LP and FP

Advanced Topics in LP and FP Lecture 1: Prolog and Summary of this lecture 1 Introduction to Prolog 2 3 Truth value evaluation 4 Prolog Logic programming language Introduction to Prolog Introduced in the 1970s Program = collection

More information

Abstractions and Decision Procedures for Effective Software Model Checking

Abstractions and Decision Procedures for Effective Software Model Checking Abstractions and Decision Procedures for Effective Software Model Checking Prof. Natasha Sharygina The University of Lugano, Carnegie Mellon University Microsoft Summer School, Moscow, July 2011 Lecture

More information

Linear Temporal Logic (LTL)

Linear Temporal Logic (LTL) Chapter 9 Linear Temporal Logic (LTL) This chapter introduces the Linear Temporal Logic (LTL) to reason about state properties of Labelled Transition Systems defined in the previous chapter. We will first

More information

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the Sérgio Campos, Edmund Why? Advantages: No proofs Fast Counter-examples No problem with partial specifications can easily express many concurrency properties Main Disadvantage: State Explosion Problem Too

More information

Introduction to Metalogic

Introduction to Metalogic Philosophy 135 Spring 2008 Tony Martin Introduction to Metalogic 1 The semantics of sentential logic. The language L of sentential logic. Symbols of L: Remarks: (i) sentence letters p 0, p 1, p 2,... (ii)

More information

Automata-based Verification - III

Automata-based Verification - III CS3172: Advanced Algorithms Automata-based Verification - III Howard Barringer Room KB2.20/22: email: howard.barringer@manchester.ac.uk March 2005 Third Topic Infinite Word Automata Motivation Büchi Automata

More information

Theoretical Foundations of the UML

Theoretical Foundations of the UML Theoretical Foundations of the UML Lecture 17+18: A Logic for MSCs Joost-Pieter Katoen Lehrstuhl für Informatik 2 Software Modeling and Verification Group moves.rwth-aachen.de/teaching/ws-1718/fuml/ 5.

More information

The algorithmic analysis of hybrid system

The algorithmic analysis of hybrid system The algorithmic analysis of hybrid system Authors: R.Alur, C. Courcoubetis etc. Course teacher: Prof. Ugo Buy Xin Li, Huiyong Xiao Nov. 13, 2002 Summary What s a hybrid system? Definition of Hybrid Automaton

More information

Testing with model checkers: A survey

Testing with model checkers: A survey COMPETENCE NETWORK SOFTNET AUSTRIA Testing with model checkers: A survey SNA-TR-2007-P2-04 Gordon Fraser, Franz Wotawa, Paul E. Ammann SNA TECHNICAL REPORT NOVEMBER 2007 Competence Network Softnet Austria,

More information

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino Formal Verification Techniques Riccardo Sisto, Politecnico di Torino State exploration State Exploration and Theorem Proving Exhaustive exploration => result is certain (correctness or noncorrectness proof)

More information

Complexity Issues in Automated Addition of Time-Bounded Liveness Properties 1

Complexity Issues in Automated Addition of Time-Bounded Liveness Properties 1 Complexity Issues in Automated Addition of Time-Bounded Liveness Properties 1 Borzoo Bonakdarpour and Sandeep S. Kulkarni Software Engineering and Network Systems Laboratory, Department of Computer Science

More information

Automata and Reactive Systems

Automata and Reactive Systems Automata and Reactive Systems Lecture WS 2002/2003 Prof. Dr. W. Thomas RWTH Aachen Preliminary version (Last change March 20, 2003) Translated and revised by S. N. Cho and S. Wöhrle German version by M.

More information

Integrating Induction and Deduction for Verification and Synthesis

Integrating Induction and Deduction for Verification and Synthesis Integrating Induction and Deduction for Verification and Synthesis Sanjit A. Seshia Associate Professor EECS Department UC Berkeley DATE 2013 Tutorial March 18, 2013 Bob s Vision: Exploit Synergies between

More information

Temporal Logic Model Checking

Temporal Logic Model Checking 18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 1 Temporal Logic Model Checking Thomas Wahl Computing Laboratory, Oxford University 18 Feb, 2009 Thomas Wahl, Oxford University

More information

The efficiency of identifying timed automata and the power of clocks

The efficiency of identifying timed automata and the power of clocks The efficiency of identifying timed automata and the power of clocks Sicco Verwer a,b,1,, Mathijs de Weerdt b, Cees Witteveen b a Eindhoven University of Technology, Department of Mathematics and Computer

More information

Lecture Notes on Inductive Definitions

Lecture Notes on Inductive Definitions Lecture Notes on Inductive Definitions 15-312: Foundations of Programming Languages Frank Pfenning Lecture 2 August 28, 2003 These supplementary notes review the notion of an inductive definition and give

More information

Runtime Verification. Grigore Roşu. University of Illinois at Urbana-Champaign

Runtime Verification. Grigore Roşu. University of Illinois at Urbana-Champaign Runtime Verification Grigore Roşu University of Illinois at Urbana-Champaign 2 Contents 1 Introduction 7 2 Background, Preliminaries, Notations 13 3 Safety Properties 17 3.1 Finite Traces...........................

More information

Lecture 3: MSO to Regular Languages

Lecture 3: MSO to Regular Languages Lecture 3: MSO to Regular Languages To describe the translation from MSO formulas to regular languages one has to be a bit more formal! All the examples we used in the previous class were sentences i.e.,

More information

Linear Time Logic Control of Discrete-Time Linear Systems

Linear Time Logic Control of Discrete-Time Linear Systems University of Pennsylvania ScholarlyCommons Departmental Papers (ESE) Department of Electrical & Systems Engineering December 2006 Linear Time Logic Control of Discrete-Time Linear Systems Paulo Tabuada

More information

Synthesis of Designs from Property Specifications

Synthesis of Designs from Property Specifications Synthesis of Designs from Property Specifications Amir Pnueli New York University and Weizmann Institute of Sciences FMCAD 06 San Jose, November, 2006 Joint work with Nir Piterman, Yaniv Sa ar, Research

More information

CS256/Spring 2008 Lecture #11 Zohar Manna. Beyond Temporal Logics

CS256/Spring 2008 Lecture #11 Zohar Manna. Beyond Temporal Logics CS256/Spring 2008 Lecture #11 Zohar Manna Beyond Temporal Logics Temporal logic expresses properties of infinite sequences of states, but there are interesting properties that cannot be expressed, e.g.,

More information

Sanjit A. Seshia EECS, UC Berkeley

Sanjit A. Seshia EECS, UC Berkeley EECS 219C: Computer-Aided Verification Explicit-State Model Checking: Additional Material Sanjit A. Seshia EECS, UC Berkeley Acknowledgments: G. Holzmann Checking if M satisfies : Steps 1. Compute Buchi

More information