Decentralized Failure Diagnosis of Stochastic Discrete Event Systems

Transcription

1 Decentralized Failure Diagnosis of Stochastic Discrete Event Systems Jun Chen, Student Member, IEEE and Ratnesh Kumar, Fellow, IEEE Abstract In decentralized diagnosis the system behavior is monitored at multiple local sites, each possessing its own sensors and maing its own local diagnosis decision without communicating with other sites. In this paper we formalize the decentralized diagnosis for stochastic DESs by introducing S-Codiagnosability (and its stronger version SS-Codiagnosability) that requires a fault be detected statistically with low probability of ambiguity (resp., logically with zero probability of ambiguity) by one of the local sites within a bounded delay with high probability. We give polynomial algorithms for checing (i) necessity and sufficiency of SS-Codiagnosability, (ii) sufficiency of S-Codiagnosability, and (iii) necessity as well as sufficiency of S-Codiagnosability, which requires an additional notion of equivalence of probabilistic automata. Index Terms Discrete event systems, stochastic automata, decentralized fault diagnosis, codiagnosability, complexity. I. INTRODUCTION The problem of fault diagnosis of discrete event systems (DESs) has been widely researched. The notion of diagnosability of DESs was first introduced in [1] and its polynomial verification algorithm was reported in [2] and [3]. The diagnosability for stochastic DESs was later proposed in [4], and [5] provided the verification algorithms that are polynomial. The following other wors on diagnosis of stochastic DESs have appeared in literature; [6] studied the same problem of [4], allowing the observations to be random. [7] later showed that [4] is general enough to also capture any randomized observations, by way of suitably refining the plant model. Problem on counting the occurrences of intermittent/repetitive failure in stochastic DESs was researched in [8], extending the concepts first introduced in [9]. In [10] the authors proposed an approximated minimum mean square error counter for estimating the number of failure occurrences. The sensor selection problem to support diagnosability was introduced in [11] and was adopted for stochastic problems in [12] and [13] for counting the number of routing violations in material flow networs. The diagnosis problem is also investigated in stochastic Petri nets [14], [15]. Besides the diagnosis problem, the control problems for stochastic DESs have been examined in [16], [17], [18], [19], [20], [21]. The problem of failure diagnosis has also been extended to decentralized setting, [22], [23], [24] and [25]. In the decentralized diagnosis the system behavior is monitored at multiple local sites, each possessing its own sensors and maing its own local diagnosis decision without communicating with other sites. The notion of codiagnosability of non-stochastic DESs The research was supported in part by the National Science Foundation under the grants NSF-ECS , NSF-ECCS , NSF-CCF , and NSF-ECCS The authors are with the Department of Electrical and Computer Engineering, Iowa State University, Ames, IA USA ( junchen@iastate.edu; rumar@iastate.edu). was proposed in [22], which requires that a fault be detected by one of the local sites within a bounded delay. Polynomial algorithms for testing codiagnosability and computing the diagnosis delay bound were also given in [22]. In [25] the authors introduced codiagnosability for stochastic DESs by requiring a fault be detected with zero logical ambiguity (as opposed to small statistical ambiguity) by one of the local sites within a bounded delay with high probability. This is indeed equivalent to the Strong Stochastic-Diagnosability (or SS-Diagnosability) in the centralized setting which however is restrictive since in stochastic systems, a fault could be detected with low statistical ambiguity, i.e., when the lielihood of fault rises above certain threshold [4], [5] and [26]. With this motivation, we propose the weaer notion of Stochastic-Codiagnosability, or S-Codiagnosability, which requires that given any tolerable ambiguity level ρ and error bound τ, there must exist a delay bound n such that for any faulty trace s, its extensions, longer than n and the probability of ambiguity higher than ρ at all sites, must occur with probability smaller than τ. (Note by the ambiguity in a faulty trace we mean the existence of some indistinguishable nonfaulty traces.) A stronger version of the definition, called Strong Stochastic-Codiagnosability, or SS-Codiagnosability, restricts this by having ρ = 0, thereby requiring that extensions, longer than n and non-zero probability of ambiguity at all sites, must occur with probability smaller than τ. Note while the stronger version of SS-Codiagnosability was first introduced as the notion of codiagnosability for stochastic DESs in [25], the weaer notion of S-Codiagnosability was not considered there, and is being proposed here for a first time. It should be noted that when there is a single local site, S-Codiagnosability reduces to S-Diagnosability [5] (or equivalently, AA-diagnosability as introduced in [4]) and SS- Codiagnosability reduces to SS-Diagnosability [5] (or equivalently A-diagnosability as introduced in [4]). Additionally, this paper also provides polynomial algorithms for checing (i) necessity and sufficiency of SS- Codiagnosability (in contrast the algorithm in [25] is of exponential complexity), (ii) sufficiency of S-Codiagnosability, and (iii) necessity as well as sufficiency of S-Codiagnosability, which requires an additional notion of equivalence of probabilistic automata. In the centralized setting of [5], the testing automata were created so that all transitions trac a pair of indistinguishable faulty versus nonfaulty traces producing exactly one identical observation. This is feasible in the centralized case since only one mas function exists, and this facilitates determining the transition probabilities in the testing automaton to be able to perform a diagnosability analysis. However in the decentralized case, there are multiple mas functions, and when tracing a faulty plant trace with a set of site-specific

2 indistinguishable nonfaulty traces, it is not possible to ensure that all sites execute exactly one observation (we can only ensure each site executes at most one observation). This artifact results in new issues that are not present in the centralized setting, which we address in this paper. In particular, additional processing of the automaton, used for testing SS- Codiagnosability, is needed to produce a testing automaton for S-Codiagnosability. This involves collapsing asynchronous transitions (see discussion in the beginning of Section IV-B) and represents a ey feature that is missing in the centralized stochastic setting [5] or the centralized/decentralized logical setting [2], [22]. The rest of this paper is organized as the following. The notations and some preliminaries of stochastic DESs are presented in Section II, followed by the definitions of S/SS- Codiagnosability in Section III. Section IV gives algorithms for checing S/SS-Codiagnosability. A practical example is provided in Section V, whereas the paper is concluded in Section VI. A. Stochastic DESs II. NOTATIONS AND PRELIMINARIES x X α(x, σ, x ) 1. Given an event set Σ, define Σ := Σ {ɛ}, where ɛ represents no-event, and let Σ denote the set of all finite length event sequences over Σ, including ɛ. A member of Σ is called a trace. For s, t Σ, we use s t to denote that s is a prefix of t, and use s to denote the length of s or the number of events in s. A subset of Σ is called language. For L Σ, its prefix-closure, denoted as pr(l), is defined as pr(l) := {s Σ t L : s t}. L is said to be prefix-closed (or simply closed) if pr(l) = L, i.e., whenever L contains a trace, it also contains all the prefixes of that trace. For s Σ and L Σ, L\s, called L after s, is the set of extensions in L executable after s and is defined as L\s := {t Σ st L}. A stochastic DES can be modeled as a stochastic automaton G which is denoted by G = (X, Σ, α, x 0 ), where X is the set of states, x 0 X is the initial state, Σ is the finite set of events and α : X Σ X [0, 1] is the transition probability function [17], satisfying: x X, σ Σ G is said to be non-stochastic if α : X Σ X {0, 1}, and a non-stochastic DES is said to be deterministic if x X, σ Σ, x X α(x, σ, x ) 1. Define a transition in G as a triple (x i, σ, x j ) X Σ X where α(x i, σ, x j ) > 0. The transition probability function α can be extended from domain X Σ X to X Σ X recursively as follows: x i, x j X, s Σ, σ Σ, α(x i, sσ, x j ) = x X α(x i, s, x )α(x, σ, x j ), and α(x i, ɛ, x j ) = 1 if x i = x j and 0 otherwise. Define the language generated by G as L(G) := {s Σ x X, α(x 0, s, x) > 0}. The initialization of a stochastic automaton can also be modeled as an initial state distribution π 0 over the state space X instead of an initial state x 0, where π 0 is a row vector whose elements are nonnegative and sum to one. In this case, the generating probability of an event trace s L(G) is given by α G (s) := x π i X 0(x i ) x X α(x i, s, x). Two automata that defined over the same event set are said to be p-equivalent if for every event trace, the generating probability in two automata are equal [27]. Checing whether or not two automata are p-equivalent could be done in polynomial time by the algorithm presented in [27]. B. Nonfaulty/faulty Behaviors and Observation Mass Given a stochastic DES G = (X, Σ, α, x 0 ), its nonfaulty/faulty behaviors can be modeled by partitioning the event set Σ into faulty events Σ f Σ versus nonfaulty events Σ Σ f. Then the set of nonfaulty behaviors of G is given by K = L(G) (Σ Σ f ), where L(G) =: L is the generated language by G, i.e., overall system behaviors. The remaining behaviors L K are called the faulty behaviors. Clearly the nonfaulty behaviors K can be more generally specified in form of a deterministic automaton R = (Q, Σ, β, q 0 ). Then the refinement of G with respect to R (denoted as G R ) can be used to capture the traces violating the given nonfault specification in form of the reachability of a faulty state (namely, a state containing F as one of its coordinates) and is given by G R := (X Q, Σ, γ, (x 0, q 0 )), where Q = Q {F }, and (x, q), (x, q ) X Q, σ Σ, γ((x, q), σ, (x, q )) = α(x, σ, x ) if the following holds: (q, q Q β(q, σ, q ) > 0) (q = q = F ) (q = F q Q β(q, σ, q) = 0), and otherwise γ((x, q), σ, (x, q )) = 0. The above refinement has the following properties: (1) the generated language of the refinement G R is the same as the one generated by G, i.e. L(G R ) = L(G) = L; (2) any trace (system behavior) in L K(= L(G) L(R)) (of the system but not of the specification) transitions the refinement G R to a faulty state; (3) the probability of occurrence of each trace in G R is the same as that in G. As an example, for a stochastic system G and its nonfault specification model R in Fig. 1, the refined model G R is also shown in Fig. 1. (In the figure, a state is depicted as a node, whereas a transition is depicted as an edge between its origin and termination states, with its event name and probability value labeled on the edge.) In the decentralized setting the system behavior is monitored by a set of local sites I M = {1,..., I M } where I M N. The observations of the events at a site- ( I M ) are filtered by an observation mas, M : Σ, satisfying M (ɛ) = ɛ, whereas denotes the set of observed symbols at site-. An event σ is said to be site- unobservable if M (σ) = ɛ, and the set of site- unobservable events is denoted as whereas the set of site- observable events is then given by Σ. The observation mas can be extended from domain Σ to Σ inductively as following: s Σ, σ Σ, M (sσ) = M (s)m (σ). Example 1: Consider a stochastic automaton G shown in Fig. 1. In this example, the system is monitored at two local sites, site-1 and site-2. The observability of events can vary depending on the configuration of the sensors installed at each local site. Some mas configurations that we will use in the later sections are:

3 Configuration-I: Configuration-II: 1 = {c, d, e, f}, M 1 (a) = a, M 1 (b) = b; 2 = {b, d, e, f}, M 2 (a) = a, M 2 (c) = c. 1 = {c, d, e, f}, M 1 (a) = a, M 1 (b) = b; 2 = {b, c, e, f}, M 2 (a) = a, M 2 (d) = d. for a similar matrix equation): µ (σ) = π µ (σ) + α(σ), (1) where µ (σ), π and α(σ) are all X X square matrices whose ijth elements are given by µ i,σ,j, π ij and α(x i, σ, x j ), respectively. In the presence of partial observability, we define L G (x i, M (σ), x j ) := σ Σ:M (σ )=M (σ)l G (x i, σ, x j ), i.e., it is the language of all traces originating at x i, terminating at x j and executing a sequence of site- unobservable events followed by a single site- observable event that has the same mas value M (σ). Then their occurrence probability is defined by, α(l G (x i, M (σ), x j )) :=,j σ Σ:M (σ )=M (σ) µi,σ. Let 0 = 1 I M Σuo denote the set of events that are not observable at any of the local sites (or simply unobservable events) and Σ 0 be the set of events that are observable at at least one local site (or simply observable events). Then for σ Σ 0, define L G 0 (x i, σ, x j ) = {s Σ s = uσ, M (u) = ɛ, I M, α(x i, s, x j ) > 0}, i.e., it is the set of traces originating at x i, terminating at x j and executing a sequence of unobservable events followed by a single observable event. Let α(l G 0 (x i, σ, x j )) be the probability of all traces in L G 0 (x i, σ, x j ), and as can be seen, it can be obtained by solving equation (1) where we set = 0. Fig. 1. (a) Stochastic automaton G, where X = {0, 1, 2, 3, 4, 5}, Σ = {a, b, c, d, e, f}. (b) Nonfault specification R. (c) Refined system G R. For x i, x j X and σ Σ where I M, define the set of traces originating at x i, terminating at x j and executing a sequence of site- unobservable events followed by a single site- observable event σ as L G (x i, σ, x j ) := {s Σ s = uσ, M (u) = ɛ, α(x i, s, x j ) > 0}. Define α(l G (x i, σ, x j )) := s L G (xi,σ,xj) α(x i, s, x j ) and denote it as µ i,σ,j for short, i.e., it is the probability of all traces originating at x i, terminating at x j and executing a sequence of site- unobservable events followed by a single site- observable event σ. Also define π ij = σ Σ α(x uo i, σ, x j ) as the probability of transitioning from x i to x j while executing a single site- unobservable event. Then it can be seen that µ i,σ,j = m πim µm,σ,j + α(x i, σ, x j ), where the first term on RHS corresponds to transitioning in at least two steps whereas the second RHS term corresponds to transitioning in exactly one step. Thus for each σ Σ, given the values {π ij i, j X} and {α(x i, σ, x j ) i, j X}, all the probabilities {µ i,σ,j i, j X, σ Σ } can be found by solving the following matrix equation (see for example [28] C. Marov Chain For a stochastic DES, the behaviors of an embedded Marov chain, that ignores the event labels in considering the transition probabilities among the state pairs, could be utilized in determining the diagnosabilities properties. Accordingly, given a stochastic DES G = (X, Σ, α, x 0 ), its embedded Marov chain is obtained by abstracting out the event information associated with the transitions, i.e., the embedded Marov chain is given by (X, Ω, x 0 ), where Ω is a size- X X square matrix with ijth entry given by Ω ij = σ Σ α(x i, σ, x j ). (Note the Marov chain contains at most one transition between a pair of states in each direction and does not carry an event label.) For a stochastic automaton G = (X, Σ, α, x 0 ), a component C = (X C, α C ) of G is a subgraph of G, i.e., X C X and x, x X C and σ Σ, α C (x, σ, x ) = α(x, σ, x ), whenever the former is defined. C is said to be a strongly connected component (SCC) or irreducible if x, x X C, s Σ such that α C (x, s, x ) > 0. A SCC C is said to be closed if for each x X C, σ Σ x X C α C (x, σ, x ) = 1. The states which belong to a closed SCC are recurrent states and the remaining states (that do not belong to any closed SCC) are transient states. A closed or recurrent SCC with finitely many states possesses a unique stationary state distribution after reaching which the state distribution remains unchanged. A state is periodic with period 2, if any return to this state must occur in multiples of steps. A state is aperiodic if it is not periodic. A SCC is aperiodic if it contains an aperiodic state (and in which case all its states are also aperiodic) [29]. A component with dual transition distribution is denoted as C = (X C, {αc 1, α2 C }), where transitions are associated with a pair of transition distribution functions αc 1 and α2 C. A component C with dual distribution is a bi-scc if both

4 C 1 = (X C, αc 1 ) and C 2 = (X C, αc 2 ) are strongly connected. A bi-scc C is a bi-closed SCC if both C 1 = (X C, αc 1 ) and C 2 = (X C, αc 2 ) are closed. For a bi-closed SCC C with event labels Σ, we can construct two embedded stochastic automata A 1 C = (X C, Σ, αc 1, π1 C ) and A2 C = (X C, Σ, αc 2, π2 C ), where πc 1 and π2 C are the stationary state distributions of A1 C and A2 C respectively. A bi-closed SCC C is said to be p-equivalent if its embedded automata A 1 C and A2 C are p-equivalent. The following is a useful property of a finite-state Marov chain, [29]. Property 1: Let X be the state space of a finite-state Marov chain and X = X R X T, where X R and X T denote the set of recurrent and transient states, respectively. Let x X be an arbitrary state of the chain and t be any transition sequence starting from x. Then ( τ > 0)( n N) P r(t : x X T, α(x, t, x ) > 0, t n) < τ, which means as the number of transitions increases, the probability of the Marov chain being in a transient state approaches zero. III. CODIAGNOSABILITY OF STOCHASTIC DESS Logical version of codiagnosability of DESs was proposed in [22], requiring that a fault be detected by one of the local sites within a bounded delay. Here we propose two notions of stochastic versions of codiagnosability, Stochastic- Codiagnosability (S-Codiagnosability) and Strong Stochastic- Codiagnosability (SS-Codiagnosability). The definition of S- Codiagnosability requires that given any tolerable ambiguity level ρ and error bound τ, there must exist a delay bound n such that for any faulty trace s L K, its extensions, longer than n and the probability of ambiguity higher than ρ at all sites, must occur with probability smaller than τ. The definition of SS-Codiagnosability restricts this by having ρ = 0 and, thereby requiring that those extensions, longer than n and non-zero probability of ambiguity at all sites, must occur with probability smaller than τ. Definition 1: Consider a stochastic DES G = (X, Σ, α, x 0 ), and a deterministic nonfault specification R = (Q, Σ, β, q 0 ) with generated languages L = L(G) and K = L(R). Suppose there are I M local sites with observation mass M : Σ ( I M = {1,..., I M }). (L, K) is said to be S-Codiagnosable with respect to {M } if ( τ > 0 ρ > 0)( n N)( s L K) ( ) P r t : t L\s, t n, min P r amb (st) > ρ < τ, I M where P r amb : L K [0, 1] is a map that assigns to each faulty trace s L K, the probability of s being ambiguous at site-, which is the probability of all indistinguishable nonfaulty traces conditioned on the fact that the ambiguity is only caused by indistinguishable traces that are also feasible in L, and is given by: (s) := P r(u K M (u) = M (s)) = P r(u K : M (u) = M (s)) P r(u L : M (u) = M (s)). Our next definition introduces a stronger version, called Strong Stochastic-Codiagnosability or SS-Codiagnosability, by setting ρ = 0 in Definition 1. Definition 2: Consider a stochastic DES G = (X, Σ, α, x 0 ), and a deterministic nonfault specification R = (Q, Σ, β, q 0 ) with generated languages L = L(G) and K = L(R). Suppose there are I M local sites with observation mass M : Σ ( I M = {1,..., I M }). (L, K) is said to be SS-Codiagnosable with respect to {M } if ( τ > 0)( n N)( s L K) ( ) P r t : t L\s, t n, min (st) > 0 < τ. I M Remar 1: The definition of SS-Codiagnoability is the same as the notion of codiagnosability for stochastic DESs proposed in [25], which requires detection with zero logical ambiguity (as opposed to small statistical ambiguity) by one of the local sites. This is indeed equivalent to the Strong Stochastic Diagnosability (or SS-Diagnosability) in the centralized setting which however is restrictive since in stochastic systems, a fault could be detected with low statistical ambiguity, i.e., when the lielihood of fault rises above certain threshold [4], [5] and [26]. The definition of S-Codiagnosability relaxes this by requiring statistical detection for the fault. Remar 2: It is clear that when I M = 1, the diagnosis problem reduces to the centralized setting. In this case, the notions of S-Codiagnosability and SS-Codiagnosability reduce respectively to S-Diagnosability and SS-Diagnosability of [5] (referred respectively as AA-Diagnosability and A- Diagnosability in [4]). Example 2: Consider the system in Example 1. When the sensors are installed following the Configuration-I, then the only traces, having the extensions that are ambiguous with non-zero probability at all sites, are the traces s 1 dfa and s 2 fa with extensions a n, whose probability decreases when n increases. Thus the system is SS-Codiagnosable. On the other hand by the verification algorithm in [5] one could easily chec that the system is not SS-Diagnosable w.r.t. either M 1 or M 2 (yet as described above the system is still SS-Codiagnosable). When the sensors are installed following the Configuration-II, then for a faulty trace s dfa, all its extensions will produce observations a that are logically ambiguous at both sites. Therefore the system is not SS-Codiagnosable under Configuration-II. Furthermore, 1 (st) = 2 (st) = 0.8 for all t L\s. Thus the system is also not S-Codiagnosable under Configuration-II. Example 3: Consider the system G R in Fig 2, where two sites are employed to monitor the system with mas functions M 1 and M 2 as follows: 1 = {b, f}, M 1 (a) = a, M 1 (c) = c, M 1 (d) = d; 2 = {c, d, f}, M 2 (a) = a, M 2 (b) = b. For a faulty trace s fa, all its extensions t a are logically ambiguous at both sites. Thus the system G R is not SS-Codiagnosable. However, P r1 amb (st) = n /( n + 0.2), which decreases n increases. Therefore the fault

5 could be detected statistically with diminishing probability of ambiguity at site-1 and the system G R is S-Codiagnosable. Fig. 2. Refined system G R for Example 3. The following sufficient condition, that the S-Diagnosability (resp., SS-Diagnosability) at any local site implies the S- Codiagnosability (resp., SS-Codiagnosability), is directly obvious from the definitions, and stated without proof. Proposition 1: If exists I M such that (L, K) is S-Diagnosable with respect to M, then (L, K) is S- Codiagnosable with respect to {M }; if exists I M such that (L, K) is SS-Diagnosable with respect to M, then (L, K) is SS-Codiagnosable with respect to {M }. That the above result is only sufficient but not necessary as can be seen in Example 2. IV. VERIFICATION OF STOCHASTIC CODIAGNOSABILITY A. Verification of SS-Codiagnosability The following algorithm checs whether the SS- Codiagnosability is satisfied. Without loss of generality, assume there are two local sites, i.e., I M = {1, 2}. The algorithm could be extended straightforwardly for the general case when I M > 2. The idea is to construct a testing automaton that tracs a trace executed by the system, and for each local site a corresponding indistinguishable nonfaulty trace. Then checing the SS-Codiagnosability amounts to checing certain recurrence properties of the ambiguous states in the testing automaton, where a state of the testing automaton is ambiguous if and only if its first component is faulty (reached by a faulty system trace) whereas, by definition, the remaining components of the state are nonfaulty (reached by nonfaulty traces that are indistinguishable from the faulty system trace at the various observation sites). Algorithm 1: For a given stochastic automaton G = (X, Σ, α, x 0 ) and a deterministic nonfault specification R = (Q, Σ, β, q 0 ), perform the following steps: 1) Construct a testing automaton T = G R G R G R which is denoted as T = (Z, Σ T, δ, z 0 ), where Z = (X Q) (X Q) (X Q); z 0 = ((x 0, q 0 ), (x 0, q 0 ), (x 0, q 0 )) is the initial state; Σ T = Σ Σ Σ; δ := Z Σ T Z [0, 1] is defined as: for all z = ((x, q), (x 1, q 1 ), (x 2, q 2 )) Z, z = ((x, q ), (x 1, q 1), (x 2, q 2)) Z and (σ, σ 1, σ 2 ) Σ T, a) δ(z, (σ, σ 1, σ 2 ), z ) R = α(lg 0 ((x,q),σ,(x,q )))α(l GR i ((x i,q i ),σ i,(x i,q i ))) (x i,q i ) X Q α(lgr i ((x i,q i ),M i(σ i),(x i,q ))) if i the following holds for i = 1 or i = 2 and j = I M \i: (M i(σ) = M i(σ i) ɛ) (q i F ) (L GR i ((x i, q i ), σ i, (x i, q i ))) ) (M j(σ) = ɛ) (σ j = ɛ) ((x j, q j ) = (x j, q j )) (q j F ); b) δ(z, (σ, σ 1, σ 2 ), z ) = α(l GR 0 ((x, q), σ, (x, q ))) IM i=1 α(l GR i ((x i,q i ),σ i,(x i,q i ))) if (x i,q i ) X Q α(lgr i ((x i,q i ),M i(σ i),(x i,q i ))) for all i I M the following holds: (M i(σ) = M i(σ i) ɛ) (q i F ) (L GR i ((x i, q i ), σ i, (x i, q i))) ); c) δ(z, (σ, σ 1, σ 2 ), z ) = 0 in all other cases. (Note that the testing automaton T tracs a triplet of traces s L, u 1 K and u 2 K with property: M 1 (s) = M 1 (u 1 ), M 2 (s) = M 2 (u 2 ). In each step, the first component taes lead by executing a sequence of unobservable events followed by a single observable event σ, whereas site-i responds by 1) silent event ɛ if σ is site-i unobservable or 2) a site-i indistinguishable nonfaulty traces, ending in a site-i observable event σ i, indistinguishable from σ. Note in the second case since site-i must respond by executing indistinguishable nonfaulty traces with the only observation occurring at the end, a conditioning is applied in the computation of the probability to limit the site-i executions to such indistinguishable nonfaulty traces.) 2) Chec if every closed SCC C of T is unambiguous, i.e., every state of C is of the form ((x, q), (x 1, q 1 ), (x 2, q 2 )) with q F. The system is SS-Codiagnosable if and only if the answer is yes. A polynomial algorithm to identify all closed SCCs was given in [30]. The following theorem guarantees the correctness of Algorithm 1. Theorem 1: System G is SS-Codiagnosable if and only if every closed SCC in T is unambiguous, where the notion of unambiguity of a SCC is defined in step 2 of Algorithm 1. Proof: (Necessity) Suppose there exists an ambiguous closed SCC and z = ((x, q), (x 1, q 1 ), (x 2, q 2 )) is a state of this SCC (in this case z is recurrent and q = F ). Let s L K, s 1 L and s 2 L be such that δ(z 0, (s, s 1, s 2 ), z) > 0. Since the 2 nd and 3 rd components could only execute nonfaulty trace, we have s 1 K, s 2 K, i.e., P ri amb (s) > 0, i I M. Since the SCC is closed, we have t L\s, t 1 K\s 1, t 2 K\s 2, z Z such that δ(z 0, (st, s 1 t 1, s 2 t 2 ), z ) > 0. (Otherwise the probability of outgoing transition from z will not sum to one, maing z transient.) Therefore t L\s, i I M, P ri amb (st) > 0, or equivalently P r(t : t L\s, t > n, min i IM P ri amb (st) > 0) = 1. So given any 0 < τ < 1, s L K, n N, P r(t : t L\s, t > n, min i IM P ri amb (st) > 0) > τ. Therefore the system is not SS-Codiagnosable. (Sufficiency) Suppose all closed SCCs are unambiguous (in this case all the recurrent states in T are unambiguous, i.e., all

6 recurrent states have q F ). For all s L K and t L\s, (P r1 amb (st) > 0 P r2 amb (st) > 0) ( s 1 t 1 K, s 2 t 2 K, z Z, s.t. δ(z 0, (st, s 1 t 1, s 2 t 2 ), z) > 0). Since st is faulty and every recurrent state ((x, q), (x 1, q 1 ), (x 2, q 2 )) has q F, then z Z T, where Z T denotes the set of transient states. Thus for all s L K and t L\s, (min i IM P ri amb (st) > 0) ( c Z, z Z t, s.t. δ(c, (t, t 1, t 2 ), z) > 0). Therefore s L K, P r(t : t L\s, t n, min i (st) > 0) P r((t, t 1, t 2 ) : t L\s, t n, z Z T, δ(c, (t, t 1, t 2 ), z) > 0) (2) Fig. 3. Testing automaton for system in Example 1 with sensor installed following the Configuration-I. T does not have any ambiguous closed SCC, so the system is SS-Codiagnosable. According to Property 1, for any arbitrary c Z ( τ > 0)( n N) P r((t, t 1, t 2 ) : t n, z Z T, δ(c, (t, t 1, t 2 ), z) > 0) < τ (3) Combining (2) and (3) provides ( τ > 0)( n N)( s L K) P r(t : t L\s, t n, min P ri amb (st) > 0) < τ Therefore the system is SS-Codiagnosable. Remar 3: In Algorithm 1, G R has O( X Q ) states and O( X 2 Q Σ ) transitions, and the testing automaton T = (G R ) I M +1 has Z = O( X I M +1 Q I M +1 ) states and T = O( X 2 I M +2 Q I M +1 Σ I M +1 ) transitions. Computing {µ (σ), I M } needs complexity of O( X 3 Q 3 Σ ( I M + 1)). Thus in step 1, the complexity of constructing T is O( Z + T + X 3 Q 3 Σ ( I M +1)). The complexity for constructing the embedded Marov Chain and identifying all the closed SCCs in step 2 is cubic in its number of states and linear in its number of transitions, i.e., O( T + Z 3 ) [30]. Thus the overall complexity of Algorithm 1 is O( X 3 Q 3 Σ ( I M + 1) + 2 T + Z 3 ) = O( X 3 Q 3 Σ ( I M +1)+2 X 2 I M +2 Q I M +1 Σ I M +1 + X 3 I M +3 Q 3 I M +3 ). It should be noted that the complexity of Algorithm 1 is polynomial in the number of states of the system as well as the number of events of the system, and exponential in the number of local sites, in contrast to the complexity in [25] which is exponential in the number of system states, number of events, as well as number of local sites. Example 4: Consider the system in Example 1 with sensor installed following the Configuration-I. Then the testing automaton T is shown in Fig. 3, which does not have any ambiguous closed SCC. Therefore system G is SS- Codiagnosable, as expected from the discussion in Example 2. Example 5: Consider again the system in Example 1, with sensors installed following the Configuration-II. Then the testing automaton T is shown in Fig. 4. The closed SCC mared in bold is ambiguous. Therefore system G is not SS-Codiagnosable, again as expected from the discussion in Example 2. Fig. 4. Testing automaton for system in Example 1 with sensor installed following the Configuration-II. The closed SCC mared in bold is ambiguous. So the system is not SS-Codiagnosable. B. A Polynomial Sufficient Test for S-Codiagnosability Note being a weaer notion, S-codiagnosability holds whenever SS-codiagnosability holds. So to obtain a sufficiency test for S-Codiagnosability, we first chec if SS-Codiagnosability is violated, and next for each closed SCC C that violates the condition in Theorem 1, we extract I M number of embedded bi-sccs {C i, 1 i I M } where the ith SCC C i omits any information about the jth copy (j I M i), and next we collapse the asynchronous transitions to obtain I M number of embedded and compacted SCCs, {C i, 1 i I M }. The construction of C i and C i are illustrated in the following example; their formal definitions are given immediately after the example. The reason for collapsing the asynchronous transitions in C i to obtain C i is to enable the computation of the transition probabilities, since in asynchronous transitions, one of the copies does not transition, and there is no probability associated with no transition. Note C tracs a ( I M + 1 ) number of traces, where the first trace is a faulty trace executed in the system, and the (i + 1)th, (i = 1,..., I M ), trace is a site-i indistinguishable nonfaulty trace. Accordingly, for each i, the embedded and compacted SCC C i tracs a pair of traces, where the first trace is the same as the first trace of C and the second trace is the same as the (i + 1)th trace of C; and the first transition probability is obtained when the plant taes the lead and the site-i responds, whereas the second transition probability is dually defined by letting the site-i tae the lead and the plant respond. Example 6: Consider the system in Example 3 and the testing automaton T in Fig. 5(a). Since T has a closed SCC C that is ambiguous, system is not SS-Codiagnosable. Now for the only closed ambiguous SCC C (shown in bold in Fig. 5(a)), the embedded SCC C 1 and C 2 are constructed according to step (T1) below and shown in Fig. 5(b). Then both C 1 and C 2 are compacted and endowed with a pair of transition

7 probabilities, according to (T2) to obtain C 1 and C 2 as shown in Fig. 5(c); the first transition probability in C i, i = 1, 2 is obtained by letting the plant tae the lead (by executing a trace with single observation at site-i) and the site-i copy respond (by executing an indistinguishable single observation trace), and the second transition probability is dually defined where the site-i taes the lead whereas the plant responds. Fig. 5. (a) Testing automaton for system in Example 3. The closed SCC C mared in bold is ambiguous and thus the system is not SS-Codiagnosable. (b) Top: Embedded SCC C 1 ; Bottom: Embedded SCC C 2. (c) Left: Embedded and compacted SCC C 1 which is not closed under δ 2 ; Right: Embedded C 1 and compacted SCC C 2 which is closed under δ 2 C 2. The formal definitions of C i and C i are as follows: (T1) SCC C i is same as C with the state and event information of jth copy (j I M i) removed from C. (T2) The compacted SCC C i is obtained by collapsing unobservable transitions in C i as follows: a) (((x, q), (x i, q i )), (σ, σ i ), ((x, q ), (x i, q i))) is a valid transition in C i if and only if exists u 0 ( i ) σ and u i ɛ σ i such that M i (σ) = M i (σ i ) ɛ and (((x, q), (x i, q i )), (u 0, u i ), ((x, q ), (x i, q i))) is a valid transition in C i. b) The pair of transition probabilities of C i are aggregated, individually, by collapsing the unobservable transitions to obtain the pair of transition probabilities of C i as follows: δ 1 C i (((x, q), (x i, q i )), (σ, σ i), ((x, q ), (x i, q i))) = α(l GR i ((x, q), σ, (x, q ))) α(l GR i ((x i, q i ), σ i, (x i, q i ))) (x i,q i ) X Q α ( L GR i ((x i, q i ), M i(σ i), (x i, q i ))) δ 2 C i (((x, q), (x i, q i )), (σ, σ i), ((x, q ), (x i, q i ))) = α(l GR i ((x i, q i ), σ i, (x i, q i ))) α(l GR i ((x, q), σ, (x, q ))) (x,q ) X Q α(lgr i ((x, q), M i(σ), (x, q ))) Remar 4: Note in the logical centralized/decentralized setting, transitions do not possess probabilities, and so allowing asynchronous transitions is not a problem, i.e., there is no need to collapse the asynchronous transitions. This artifact is new to the stochastic decentralized setting without which the diagnosability analysis cannot proceed. In the next step we chec whether or not each embedded and compacted SCC C i is a bi-closed SCC to obtain a sufficiency test for S-codiagnosability. Algorithm 2: For a given stochastic automaton G = (X, Σ, α, x 0 ) and a deterministic nonfault specification R = (Q, Σ, β, q 0 ), perform the following steps: 1) Chec the SS-Codiagnosability of G according to Algorithm 1. If the system is SS-Codiagnosable, then it is also S- Codiagnosable; otherwise identify all the ambiguous closed SCCs and proceed to step 2; 2) For each SCC C identified in step 1, construct I M embedded and compacted SCCs, {C i, i = 1,..., I M }, following the rules (T1) - (T2) above; 3) Chec if every closed SCC C identified in step 1 possesses an embedded and compacted SCC C i that is not bi-closed. The system is S-Codiagnosable if the answer is yes. According to the construction, we now that for each closed SCC C that violates the condition in Theorem 1, its embedded and compacted SCC C i is already closed under the first distribution. Therefore the algorithm simply checs whether or not C i is also closed under the second distribution. The following theorem guarantees the correctness of Algorithm 2. Theorem 2: System G is S-Codiagnosable if (I) It is SS-Codiagnosable (so T does not contain any ambiguous closed SCC) or (II) For every ambiguous closed SCC C of T, there exists i I M such that its embedded and compacted SCC C i is not bi-closed. Proof: If G is SS-Codiagnosable, by the definition, it is S-Codiagnosable for sure. Suppose G is not SS-Codiagnosable (in this case there is at least one ambiguous closed SCC in testing automaton T ) and satisfies condition (II) in Theorem 2. Let U be the set of traces executed by the first component and taing T to an ambiguous closed SCC. For given s L K and its extension t, we consider two cases, st L U and st U. For the case of st L U, similar to the proof of sufficiency of Theorem 1, we have ( τ > 0)( n 1 N)( s L K) P r(t : t L\s, t n 1, st L U, min i (st) > 0) < τ. Now for any s L K and st U, let st tae testing automaton T to an ambiguous SCC C. According to condition (II) in Theorem 2 we now there is an embedded and compacted

8 SCC of C that is not bi-closed. Assume C i is not bi-closed. According to [5], st is S-Diagnosable w.r.t. M i, i.e., ( τ > 0 ρ > 0)( n 2 N)( s L K) Let n = max(n 1, n 2 ), then P r(t : t L\s, t n 2, ( τ > 0 ρ > 0)( n N)( s L K) st U, i (st) > ρ) < τ. P r(t : t L\s, t n, min i (st) > ρ) < τ. Therefore system G is S-Codiagnosable. Example 7: Consider the system in Example 3. As can be seen in Fig. 5(c), C 1 is not closed under distribution δ 2 C 1, and so from Theorem 2 the system is S-Codiagnosable, as expected from the discussion in Example 3. The next two examples show that the condition in Theorem 2 is sufficient but need not be necessary. Both examples violate the condition in Theorem 3, yet the first one is S- Codiagnosable and the second one is not S-Codiagnosable. Example 8: See the system in Fig. 6 (a) with the observations at two local sites configured as: 1 = {c, f}, M 1 (a) = a, M 1 (b) = b; 2 = {b, c, f}, M 2 (a) = a. According to [4], the system is S-Diagnosable with respect to M 1 and hence S-Codiagnosable. However, it fails to satisfy the sufficient condition in Theorem 2, as can be seen from Fig. 6(c), where both C 1 and C 2 are bi-closed. Fig. 6. (a) Refined system G R. (b) Testing automaton T, with closed ambiguous SCC C mared in bold. Hence the system is not SS-Codiagnosable. (c) C 1 and C 2 for the closed SCC C. Both C 1 and C 2 are bi-closed, violating the sufficiency of Theorem 2, yet S-Codiagnosability holds. Example 9: Consider the system in Example 1 endowed with the sensor Configuration-II. The system is shown to be not SS-Codiagnosable (See Example 5 and Fig. 4). Now for the only closed ambiguous SCC C, we can recover two embedded and compacted SCCs C 1 and C 2, as shown in Fig. 7. Since for i {1, 2}, C i is bi-closed, the S-Codiagnosability of the system can not be determined from Theorem 2. Fig. 7. C 1 and C 2 for the closed SCC C mared in bold in Fig. 4. (a) C 1 which is bi-closed. (b) C 2 which is also bi-closed. Next we extend the result of Theorem 2 to obtain a necessary and sufficient condition for S-Codiagnosability, by utilizing the notion of p-equivalence. C. Verification of S-Codiagnosability The sufficiency condition for S-Codiagnosability of Theorem 2 can be weaened to mae it both necessary and sufficient by adding another disjunctive clause that requires for any ambiguous closed SCC C that violates condition (II) in Theorem 2, there exists i I M such that the embedded and compacted SCC C i is not p-equivalent. Algorithm 3: For a given stochastic automaton G = (X, Σ, α, x 0 ) and a deterministic nonfault specification R = (Q, Σ, β, q 0 ), perform the following steps: 1) Chec the S-Codiagnosability of G according to Algorithm 2. If the S-Codiagnosability can not be determined by Algorithm 2 then identify all ambiguous closed SCCs for which all its embedded and compacted SCCs are bi-closed and proceed to step 2. 2) Chec if every ambiguous SCC C identified in step 1 possesses an embedded and compacted bi-closed SCC C i that is not p-equivalent. The system is S-Codiagnosable if and only if the answer is yes. The following theorem guarantees the correctness of Algorithm 3. Theorem 3: System G is S-Codiagnosable if and only if (I) It is SS-Codiagnosable (so T does not contain any ambiguous closed SCC), or (II) For every ambiguous closed SCC C of T, there exists i I M such that the embedded and compacted SCC C i is not bi-closed, or (III) For every ambiguous closed SCC C violating (II), there exists i I M such that the embedded and compacted SCC C i is not p-equivalent. Proof: (Necessity) If G is not SS-Codiagnosable and there exists one ambiguous closed SCC whose all embedded and compacted SCCs are p-equivalent. Let (s, s 1, s 2 ) be the triple of traces that taes testing automaton T to this ambiguous closed SCC and (t, t 1, t 2 ) be the extensions that maes each embedded and compacted automata in their stationary distributions. Then for all extensions t of st, we have P r1 amb (stt ) = s 1 t 1 /(st + s 1 t 1 ) and P r2 amb (stt ) = s 2 t 2 /(st + s 2 t 2 ). Let

9 ρ < min(s 1 t 1 /(st + s 1 t 1 ), s 2 t 2 /(st + s 2 t 2 )) and τ < 1 would show that system G is not S-Codiagnosable. (Sufficiency) Suppose G is not SS-Codiagnosable and satisfies condition (III) in Theorem 3. Let C be the set of SCCs that are identified in step 1 of Algorithm 3 and let U be the set of traces executed by first copy of T and taing T to one of SCC in C. For a given s L K and its extension t, we consider two cases, st L U; and st U. For the case of st L U, similar to the proof of Theorem 2, we have ( τ > 0 ρ > 0)( n 1 N)( s L K) P r(t : t L\s, t n 1, st L U, min P ri amb (st) > ρ) < τ. Now for any s L K and st U, let st tae testing automaton T to a SCC C C. According to condition (III) in Theorem 3 we now there is an embedded and compacted SCC of C that is not p-equivalent. Assume C i is not p-equivalent. According to [5], st is S-Diagnosable w.r.t. to M i, i.e., ( τ > 0 ρ > 0)( n 2 N)( s L K) P r(t : t L\s, t n 2, st U, Let n = max(n 1, n 2 ), then min P ri amb (st) > ρ) < τ. ( τ > 0 ρ > 0)( n N)( s L K) P r(t : t L\s, t n, min i (st) > ρ) < τ. Therefore system G is S-Codiagnosable. Example 10: Consider again the system in Example 8. As can be seen in Fig. 6(c), the embedded and compacted SCC C 1 is not p-equivalent. Thus the system is S-Codiagnosable, as expected. Example 11: Now consider the system in Example 1 endowed with the sensor Configuration-II, which fails the sufficient test of Theorem 2 (see Example 9). As shown in Fig. 7, i {1, 2}, C i is p-equivalent, so system is not S- Codiagnosable, as expected from the discussion in Example 2. Fig. 8. Monitored system showing complete item flows. Fig. 9. Stochastic automata for each internal station. For any station, state 0 means empty and state i means it is occupied with a Type i item. V. AN ILLUSTRATIVE APPLICATION In this section, the algorithms discussed above are applied to a discrete flow monitoring system, taen from an actual plant in [31], [5]. Consider the system shown in Fig. 8, which presents a flow networ consisting of two input ports I 1 and I 2, four internal stations S i, i = 1, 2, 3, 4 and three output ports O i, i = 1, 2, 3. Three types of items are being transferred through this system, namely, Type 1, Type 2 and Type 3. Type 1 items are imported from I 1, transferred through S 1, S 2 and S 3, and exit through O 2. Type 2 items are imported from I 1, transferred through S 1, S 2 and exit through O 1, or transferred through S 1, S 4 and exit through O 1. Type 3 items are imported from I 2, transferred through S 3, S 4 and exit through O 3. Each internal station has a buffer capacity of one. Owing to internal routing fault, there is a 1% chance that after leaving S 4, a Type 3 item enters S 2 and stays there forever, instead of exiting by O 3. This abnormal behavior may cause the flow networ to stall and hence it needs to be detected within a bounded delay. Similar to [31], the stochastic automata for each internal station are shown in Fig. 9. For each station, state 0 means it is empty and state i, i = 1, 2, 3 means it is occupied with a Type i item. Event P i P j T reads a Type item is transferred from port P i to port P j (where a port can either be an input port, an output port or an internal station). To detect an event, two types of sensors, location sensor and assay sensor may be installed at a port, the first of which reports the destination port, whereas the second reports the type. The deterministic nonfault specification R 2 for S 2 is shown in Fig. 10, whereas for station S i, i 2, there are no faulty events and so the global refined model G R is directly obtained as G R = S 1 S R 2 S 3 S 4. Suppose there are two local sites: a location sensor and an assay sensor are installed at S 3 which produce observation

10 Fig. 10. Deterministic nonfault specification R 2 for S 2. only at site-1, and an assay sensor is installed at S 1 which produces observation only at site-2. According to [5] we now under this sensor configuration the system is S-Diagnosable at site-1 and thus it is also S-Codiagnosable. However, for any faulty behavior, the only ensuing observation that can be received by site-1 is (S 3 T 3 ) and the only ensuing observation that can be received by site-2 is (T 1 ) or (T 2 ), which have non-zero probability of ambiguity. Thus the system is not SS- Codiagnosable. Note that in this example if a diagnosis decision is made centrally combining the observations from both local sites, then the system is SS-Diagnosable, as demonstrated in [5]. VI. CONCLUSION For decentralized diagnosis of stochastic DESs we proposed the notion of S-Codiagnosability supplementing the notion of SS-Codiagnosability first introduced in [25], and also provide polynomial algorithms for checing (i) necessity and sufficiency of SS-Codiagnosability, (ii) sufficiency of S- Codiagnosability, and (iii) necessity as well as sufficiency of S- Codiagnosability, utilizing an additional notion of equivalence of probabilistic automata. The notion of SS-Codiagnosability is the same as the one in [25] but the verification algorithm in this paper has complexity that is polynomial in the number of system states and events, compared to the exponential one in [25]. The decentralized diagnosis considered here is essentially disjunctive (a global detection decision is affirmative if and only if a local detection decision is affirmative), and an extension to the inferencing based decentralized diagnosis [32] is an important future direction. REFERENCES [1] M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen, and D. Teneetzis, Diagnosability of discrete-event systems, IEEE Trans. Autom. Control, vol. 40, no. 9, pp , Sep [2] S. Jiang, Z. Huang, V. Chandra, and R. Kumar, A polynomial algorithm for testing diagnosability of discrete-event systems, IEEE Trans. Autom. Control, vol. 46, no. 8, pp , Aug [3] T.-S. Yoo and S. Lafortune, Polynomial-time verification of diagnosability of partially observed discrete-event systems, IEEE Trans. Autom. Control, vol. 47, no. 9, pp , Sep [4] D. Thorsley and D. Teneetzis, Diagnosability of stochastic discreteevent systems, IEEE Trans. Autom. Control, vol. 50, no. 4, pp , Apr [5] J. Chen and R. Kumar, Polynomial test for stochastic diagnosability of discrete event systems, IEEE Trans. Auto. Sci. and Eng., submitted. [6] E. Athanasopoulou, L. Li, and C. N. Hadjicostis, Probabilistic failure diagnosis in finite state machines under unreliable observations, in Proc. 8th Int. Worshop Discrete Event Syst., Ann Arbor, MI, Jul. 2006, pp [7] D. Thorsley, T.-S. Yoo, and H. E. Garcia, Diagnosability of stochastic discrete-event systems under unreliable observations, in Proc Amer. Control Conf., Jun. 2008, pp [8] T. Yoo and H. Garcia, Stochastic event counter for discrete-event systems under unreliable observations, in Proc Amer. Control Conf., Jun. 2008, pp [9] S. Jiang, R. Kumar, and H. E. Garcia, Diagnosis of repeated/intermittent failures in discrete event systems, IEEE Trans. Robot. Automat., vol. 19, no. 2, pp , Apr [10] T. Yoo and H. Garcia, Diagnosis of behaviors of interest in partiallyobserved discrete-event systems, Systems & Control Letters, vol. 57, no. 12, pp , [11] S. Jiang, R. Kumar, and H. Garcia, Optimal sensor selection for discrete-event systems with partial observation, IEEE Trans. Autom. Control, vol. 48, no. 3, pp , Mar [12] W. Lin, H. Garcia, and T. Yoo, Selecting observation platforms for optimized anomaly detectability under unreliable partial observations, in Proc Amer. Control Conf. IEEE, Jun. 2011, pp [13] W.-C. Lin, H. E. Garcia, and T.-S. Yoo, A diagnoser algorithm for anomaly detection in DEDS under partial and unreliable observations: characterization and inclusion in sensor configuration optimation, Discrete Event Dyn. Syst., to appear. [14] A. Aghasaryan, E. Fabre, A. Benveniste, R. Boubour, and C. Jard, Fault detection and diagnosis in distributed systems: an approach by partially stochastic petri nets, Discrete event dynamic systems, vol. 8, no. 2, pp , [15] D. Lefebvre and E. Leclercq, Stochastic petri net identification for the fault detection and isolation of discrete event systems, IEEE Trans. Syst., Man, Cybern. A, Syst., Human, vol. 41, no. 2, pp , Mar [16] R. Kumar and V. Garg, Control of stochastic discrete event systems modeled by probabilistic languages, IEEE Trans. Autom. Control, vol. 46, no. 4, pp , Apr [17] V. K. Garg, R. Kumar, and S. I. Marcus, A probabilistic language formalism for stochastic discrete-event systems, IEEE Trans. Autom. Control, vol. 44, no. 2, pp , Feb [18] A. Arapostathis, R. Kumar, and S. Tangirala, Controlled Marov chain with safety criteria, IEEE Trans. on Autom. Control, vol. 48, no. 7, pp , Jul [19] A. Arapostathis, R. Kumar, and S. Hsu, Control of Marov chains with safety bounds, IEEE Trans. Auto. Sci. and Eng., vol. 2, no. 4, pp , Oct [20] V. Pantelic, S. Postma, and M. Lawford, Probabilistic supervisory control of probabilistic discrete event systems, IEEE Trans. Autom. Control, vol. 54, no. 8, pp , Aug [21] V. Pantelic and M. Lawford, Optimal supervisory control of probabilistic discrete event systems, IEEE Trans. Autom. Control, vol. 57, no. 5, pp , May [22] W. Qiu and R. Kumar, Decentralized failure diagnosis of discrete event systems, IEEE Trans. Syst., Man, Cybern., Part A: Syst. Humans, vol. 36, no. 2, pp , Mar [23] Y. Wang, T.-S. Yoo, and S. Lafortune, Decentralized diagnosis of discrete event systems using unconditional and conditional decisions, in Proc. 44th IEEE Conf. Decision Control/Eur. Control Conf., Seville, Spain, Dec. 2005, pp [24] J. Neidig and J. Lunze, Decentralised diagnosis of automata networs, in Proc. 16th IFAC World Congr., Prague, Czech Republic, [25] F. Liu, D. Qiu, H. Xing, and Z. Fan, Decentralized diagnosis of stochastic discrete event systems, IEEE Trans. Autom. Control, vol. 53, no. 2, pp , Mar [26] I. Hwang, S. Kim, Y. Kim, and C. E. Seah, A survey of fault detection, isolation, and reconfiguration methods, IEEE Trans. Control Syst. Technol, vol. 18, no. 3, pp , May [27] W.-G. Tzeng, A polynomial-time algorithm for the equivalence of probabilistic automata, SIAM J. Computing, vol. 21, no. 2, pp , Apr [28] X. Wang and A. Ray, A language measure for performance evaluation of discrete-event supervisory control systems, Applied Math. Modelling, vol. 28, no. 9, pp , Sep [29] P. Brémaud, Marov Chains: Gibbs Fields, Monte Carlo Simulation and Queues. New Yor: Springer-Verlag, [30] A. Xie and P. A. Beerel, Efficient state classification of finite-state marov chains, IEEE Trans. Comput.-Aided Design Integr. Circuits Syst., vol. 17, no. 12, pp , Dec [31] H. E. Garcia and T.-S. Yoo, Model-based detection of routing events in discrete flow networs, Automatica, vol. 41, no. 4, pp , Oct [32] R. Kumar and S. Taai, Inference-based ambiguity management in decentralized decision-maing: Decentralized diagnosis of discrete-event