Source: home.eng.iastate.edu/~rkumar/PUBS/dia-tl.pdf · 2005-11-20

Failure Diagnosis of Discrete Event Systems With

Linear-Time Temporal Logic Specifications ∗

Shengbing Jiang† and Ratnesh Kumar‡

Abstract

The paper studies failure diagnosis of discrete event systems with linear-time temporal logic (LTL) specifications. The LTL formulae are used for specifying failures in the system. The LTL-based specifications make the process of writing specifications easier and more user-friendly than the formal language/automata-based specifications; and they can capture the failures representing the violation of both liveness and safety properties, whereas the prior formal language/automaton-based specifications can capture the failures representing the violation of only the safety properties (such as the occurrence of a faulty event or the arrival at a failed state). Pre-diagnosability and diagnosability of discrete event systems in the temporal logic setting are defined. The problem of testing pre-diagnosability and diagnosability is reduced to the problem of model checking. An algorithm for the test of pre-diagnosability and diagnosability, and the synthesis of a diagnoser, is obtained. The complexity of the algorithm is exponential in the length of each specification LTL formula, and polynomial in the number of system states and the number of specifications. The requirement of non-existence of unobservable cycles in the system, which is needed for the diagnosis algorithms in prior methods to work, is relaxed. Finally, a simple example is given for illustration.

Keywords: Discrete event system, failure diagnosis, linear-time temporal logic, diagnosability.

1 Introduction

Detection and isolation of failures in large, complex systems is a crucial and challenging task. In general, a failure is a deviation of a system from its normal or required behavior, such as the occurrence of a failure event, visiting a failed state, or, more generally, reaching a deadlock or livelock. Failure diagnosis is the process of detecting and identifying such deviations in a system using the information available through sensors. The problem of failure diagnosis has received considerable attention in the literature of reliability engineering, control, and computer science, and a wide variety of schemes have been proposed. Recently, it has also been studied in the framework of discrete event systems (DESs) [24, 25, 2, 4, 5, 32, 36, 37, 35, 11, 6, 14, 10, 31, 28, 13, 22, 45, 34, 15, 18, 43, 44, 41].

∗The research was supported in part by the National Science Foundation under the grants NSF-ECS-9709796, NSF-ECS-0099851, NSF-ECS-0218207, NSF-ECS-0244732 and NSF-EPNES-0323379, a DoD-EPSCoR grant through the Office of Naval Research under the grant N000140110621, and a KYDEPSCoR grant. A condensed version of this paper first appeared in [17]. This work was performed while the authors were with the Department of Electrical and Computer Engineering, University of Kentucky, Lexington.

†GM R&D and Planning, Mail Code 480-106-390, 30500 Mound Road, Warren, MI 48090-9055, [email protected]

‡Department of Electrical & Computer Engineering, Iowa State University, 2215 Coover Hall, Ames, IA 50011, [email protected]

A notion of failure diagnosis of qualitative behaviors of discrete event systems was first proposed in [36]. The idea is that if the discrete event system executes a faulty event, then it must eventually be diagnosed within a bounded number of state-transitions/events. A method for constructing a diagnoser was developed, and a necessary and sufficient condition of diagnosability was obtained in terms of certain properties of the constructed diagnoser. The above work was further extended to timed systems in [6], to decentralized diagnosis in [11], and to diagnosis of repeated failures in [18]. In [15, 43], algorithms of polynomial complexity for testing diagnosability without having to construct a diagnoser were obtained. This later work enabled a quick test for diagnosability; by applying this test, a diagnoser is constructed only for those systems that are diagnosable (recall from [36] that the construction of a diagnoser is of exponential complexity).

In [24, 25], the authors proposed a state-based approach for diagnosis; they studied the problems of off-line and on-line diagnosis where the basic idea was to “test and observe”. Extensions of the above work can be found in [2] where the authors studied testability of DESs. In [4, 5], the problem of failure detection in communication networks was studied, where both the normal and faulty behaviors of the system are modeled by formal languages. In [32], the authors also studied the problem of fault detection in communication networks where faults are specified as change and addition of arcs in the finite state machine model of the normal system, and a diagnosis method was provided. In [34], a state-based approach for failure diagnosis of timed systems was proposed. In [14, 10, 31], the authors developed a template monitoring scheme based on timing and sequencing relationships of events for fault monitoring in manufacturing systems. In [41], the application of discrete event system techniques to digital circuits was studied, and an algorithm for the delay fault testability modeling and analysis was presented.

In all the above works, the non-faulty behavior of the system, also called the specification, is either specified by an automaton (containing no failure states) or by a language (event-traces containing no failure events). Since in a practical setting a specification is generally given in a natural language, when we apply the above failure diagnosis results, we must first transform a natural language specification into a formal language specification. Given a simple natural language specification, the process of finding a corresponding formal language specification can be tedious, unintuitive, and error-prone, making it inaccessible to non-specialists. So there exists a gap between the informal natural language specification and the corresponding formal language specification. Temporal logic based specification was proposed in [12] as an attempt to bridge such a gap.

Temporal logic has been used in the analysis and control of DESs [40, 23, 27, 26, 30, 29, 1, 19, 33, 42, 38, 39, 16]; and it has also been used as a modeling formalism for diagnosing DESs in [9].

In this paper, we study the failure diagnosis problem for systems with linear-time temporal logic (LTL) specifications. Given a DES to be diagnosed, we use an LTL formula for the purpose of specifying a fault. In other words, an infinite state-trace of the system is said to be faulty if it violates the given LTL formula. Thus for example, we can declare an infinite state-trace to be faulty if it visits a faulty state, which may be faulty by itself as in [2, 24, 25, 45], or may be a state introduced for representing a transition labeled by a faulty event (see Remark 2) as in [36, 37, 35, 11, 6, 4, 5, 32]. We can also have more general specifications for non-faulty state-traces in our setting, such as a certain set of states should be visited infinitely often, or a certain set of states should be eventually invariant. Thus properties such as “invariance”, “recurrence”, “stability”, etc. can be used to specify (non-)faulty behavior in our setting.

A system is said to be pre-diagnosable with respect to a given LTL specification if every faulty state-trace possesses an indicator as its prefix, where an indicator is a finite state-trace for which all its infinite extensions are faulty. This property of pre-diagnosability should be viewed as a pre-condition for any diagnosability analysis, since without this property the possibility of the execution of an infinite faulty state-trace cannot be deduced through the observations of the finite length state-traces, even under complete observation. Note that this property automatically holds if the specification is only a safety specification.

A pre-diagnosable system is said to be diagnosable with respect to an observation mask if the execution of any indicator by the system can be deduced with a finite delay. This is similar to the language-based definition introduced by [36], but our definition of diagnosability should be viewed as a generalization of that given in [36] since our definition of fault, which is based on an LTL formula, is more general. It is interesting to note that the execution of an indicator may imply either that a fault has already occurred (such as occurrence of a failure event), or that a fault is guaranteed to occur in future (such as a livelock or deadlock). In other words, our approach allows detection and diagnosis of indicators where either a fault has already occurred or from where the occurrence of a fault is inevitable (i.e., our diagnoser in a sense is also “predictive”). Even with this generalization, the test for diagnosability remains polynomial in the number of system states and the number of the specifications, like the test of diagnosability (see [15]) defined in [36]. In our work, we allow the system to be diagnosed to be terminating as well as to possess cycles of unobservable events.

The rest of the paper is organized as follows. First the definition of LTL is introduced. Next the failure diagnosis of systems with LTL specifications is studied: the definitions of pre-diagnosability and diagnosability in the temporal logic setting are provided; algorithms for testing these properties, as well as synthesizing a diagnoser, are obtained. Finally, an illustrative example is given.

2 Notations and Preliminaries

In this paper, we use LTL to express the specifications of DESs for the purpose of failure diagnosis. In the following, we give the definition of LTL. For a complete introduction to temporal logic, readers may refer to [12].

Let Md = (Q, R, AP, L) be a state transition graph, where Q is the set of states (finite or infinite), R ⊆ Q × Q is a total transition relation, i.e., for every q ∈ Q there is a q′ ∈ Q such that R(q, q′), AP is a finite set of atomic proposition symbols, and L : Q → 2^AP is a function that labels each state with the set of atomic propositions true at that state. A state-trace in Md is defined as a finite or infinite sequence of states, π = (q0(π), q1(π), · · ·) such that for every i ∈ {0, 1, · · ·}, (qi(π), qi+1(π)) ∈ R. A proposition-trace is defined as a finite or infinite sequence of sets of atomic propositions, πp = (L0, L1, · · ·), Li ⊆ AP, i = 0, 1, · · ·. A proposition-trace πp = (L0, L1, · · ·) is said to be contained in Md if there exists a state-trace π = (q0, q1, · · ·) in Md such that Li = L(qi), i = 0, 1, · · ·, in which case πp is said to be associated with π.

Using the atomic propositions and boolean connectives such as conjunction, disjunction, and negation, one can construct more expressions describing properties of states. However we are also interested in describing the properties of sequences of states that the system can visit. Such properties are expressed using temporal operators of a temporal logic. LTL is a specific temporal logic formalism. The following temporal operators are used in LTL for describing the properties along a specific state-trace.

• X (“next time”): it requires that a property hold in the next state of the state-trace.

• U (“until”): it is used to combine two properties. The combined property holds if there is a state on the state-trace where the second property holds, and at every preceding state on the trace, the first property holds.

• F (“eventually” or “in the future”): it is used to assert that a property will hold at some future state on the state-trace. It is a special case of “until”.

• G (“always” or “globally”): it specifies that a property holds at every state on the trace.

• B (“before”): it also combines two properties. It requires that if there is a state on the state-trace where the second property holds, then there exists a preceding state on the trace where the first property holds.

We have the following relations among the above operators, where f and g denote temporal logic specifications:

• Ff ≡ TrueUf

• Gf ≡ ¬F¬f

• fBg ≡ ¬(¬fUg)

It follows that the other temporal operators can be expressed using X and U, which are the only temporal operators that appear in the definition of LTL.

Next we give the syntax of LTL. LTL formulae are generated by rules P1-P3 given below.

P1 If p ∈ AP, then p is an LTL formula.

P2 If f1 and f2 are LTL formulae, then so are ¬f1 and f1 ∧ f2.

P3 If f1 and f2 are LTL formulae, then so are Xf1 and f1Uf2.


We use |f| to denote the length of f, which is the number of boolean and temporal operators in f.

Next we give the semantics of LTL, which are defined with respect to the infinite state-traces in a state transition graph Md = (Q, R, AP, L). For an LTL formula f, the notation π ⊨ f (resp., π ⊭ f) means that f holds (resp., does not hold) along an infinite state-trace π in Md. The relation ⊨ is defined inductively as follows:

1. ∀p ∈ AP, π ⊨ p if and only if p ∈ L(q0(π)).

2. π ⊨ ¬f if and only if π ⊭ f.

3. π ⊨ f1 ∧ f2 if and only if π ⊨ f1 and π ⊨ f2.

4. π ⊨ Xf if and only if π1 ⊨ f, where π1 = (q1(π), q2(π), · · ·).

5. π ⊨ f1Uf2 if and only if there exists a k such that πk ⊨ f2 and for all j ∈ {0, 1, · · · , k − 1}, πj ⊨ f1, where πk = (qk(π), qk+1(π), · · ·).

From above, one can see that the LTL formulae can also be interpreted over infinite length proposition-traces over AP without referring to any specific state transition graph. This is done by replacing the first condition above by

∀p ∈ AP, π = (L0, L1, · · ·) ⊨ p ⇔ p ∈ L0,

where π is an infinite proposition-trace over AP, i.e., Li ⊆ AP for all i ≥ 0. Also note that the semantics of LTL are defined over infinite state-traces. But, as mentioned in [12], one can extend the semantics of LTL to finite state-traces as follows: a finite state-trace (q0, · · · , qn) satisfies an LTL formula f if and only if the infinite state-trace $(q_0, \dots, q_n, q_n, \dots) = (q_0, \dots, q_n^\omega)$ satisfies f.

Definition 1 Given an LTL formula f, a state transition graph Md = (Q, R, AP, L), and a state q ∈ Q, f is said to hold at the state q [8], denoted as ⟨Md, q⟩ ⊨ f, if for every state-trace π = (q0(π), q1(π), · · ·) in Md starting at q, i.e., q0(π) = q, it holds that π ⊨ f. Given a state transition graph Md with an initial state set Q0, Md is said to satisfy f if ∀q ∈ Q0, ⟨Md, q⟩ ⊨ f.

Given a state transition graph Md and an LTL formula f, finding the set of states at which f holds is an LTL model checking problem (for a detailed introduction to model checking, refer to [8]). The problem of checking whether a state transition graph Md with an initial set Q0 satisfies a given LTL formula f can be solved by first solving the model checking problem of Md with respect to f, i.e., first finding the set of states Qf at which f holds, and next checking whether Q0 ⊆ Qf. In the following, we will view the problem of checking whether a system Md satisfies an LTL formula f as an instance of an LTL model checking problem.

The following examples show that LTL formulae can be used to easily express properties such as invariance, recurrence, stability, etc.

Gp means that “along a given state-trace, globally (G) at every state of the trace, p is true”. It is an invariance (a type of safety) property.


G(p1 ⇒ Fp2) means that “along a given state-trace, globally (G) for every state s of the trace, if p1 is true at the state s, then p2 will be true at some future (F) state”. It is a recurrence (a type of liveness) property.

FGp means that “along a given state-trace, eventually (F) p will hold globally (G)”. It is a property of stability (a type of liveness) which requires that the system should eventually reach a set of states where p holds and stay there forever.
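As an added illustration of the semantics just given (this code is not from the paper), the following Python evaluates an LTL formula over a lasso-shaped state-trace u·v^ω, which is the shape of every trace used in this paper's examples ((x0, x1^ω), (x0, x1^k, x2^ω)) and of the finite-trace extension (q0, · · · , qn, qn, · · ·). Formulae are nested tuples ('ap', p), ('not', f), ('and', f1, f2), ('X', f), ('U', f1, f2), and F, G, B, or and implies are desugared through the identities listed above; the tuple encoding, the ('true',) constant used for F f ≡ True U f, and the names of the helpers are assumptions of this example, while the labels of Example 1 (x0 and x1 labelled p1, x2 labelled p2) are taken from the paper.

```python
"""LTL over lasso-shaped state-traces u v^omega (constructed example, not the paper's code)."""
from typing import FrozenSet, List, Set

Labels = List[FrozenSet[str]]   # one set of atomic propositions per state


class Lasso:
    """Infinite trace u v^omega: finite prefix u followed by a non-empty loop v repeated forever."""

    def __init__(self, prefix: Labels, loop: Labels):
        if not loop:
            raise ValueError("the loop of a lasso must be non-empty")
        self.labels = list(prefix) + list(loop)
        self.loop_start = len(prefix)

    def succ(self, i: int) -> int:
        """Position of the next state: linear inside the prefix, wrapping at the end of the loop."""
        return i + 1 if i + 1 < len(self.labels) else self.loop_start


def finite_trace(labels: Labels) -> Lasso:
    """Finite state-trace (q0,...,qn) read as (q0,...,qn,qn,...), i.e. the last state is repeated."""
    return Lasso(labels[:-1], labels[-1:])


def desugar(f):
    """Rewrite F, G, B, or, implies into the core operators ap, true, not, and, X, U."""
    op = f[0]
    if op in ('ap', 'true'):
        return f
    if op == 'not':
        return ('not', desugar(f[1]))
    if op in ('and', 'U'):
        return (op, desugar(f[1]), desugar(f[2]))
    if op == 'X':
        return ('X', desugar(f[1]))
    if op == 'F':                       # F f == True U f
        return ('U', ('true',), desugar(f[1]))
    if op == 'G':                       # G f == not F not f
        return desugar(('not', ('F', ('not', f[1]))))
    if op == 'B':                       # f B g == not (not f U g)
        return desugar(('not', ('U', ('not', f[1]), f[2])))
    if op == 'or':                      # f or g == not (not f and not g)
        return desugar(('not', ('and', ('not', f[1]), ('not', f[2]))))
    if op == 'implies':                 # f => g == not f or g
        return desugar(('or', ('not', f[1]), f[2]))
    raise ValueError(f"unknown operator {op!r}")


def sat(f, trace: Lasso) -> Set[int]:
    """Positions i of the lasso whose suffix pi^i satisfies f (rules 1-5 of the semantics)."""
    f = desugar(f)
    positions = set(range(len(trace.labels)))
    op = f[0]
    if op == 'true':
        return positions
    if op == 'ap':
        return {i for i in positions if f[1] in trace.labels[i]}
    if op == 'not':
        return positions - sat(f[1], trace)
    if op == 'and':
        return sat(f[1], trace) & sat(f[2], trace)
    if op == 'X':
        s = sat(f[1], trace)
        return {i for i in positions if trace.succ(i) in s}
    # U: every position has exactly one successor, so f1 U f2 is the least fixpoint of
    # S = sat(f2) | (sat(f1) & {i : succ(i) in S}); iterate until nothing is added.
    s1, result = sat(f[1], trace), set(sat(f[2], trace))
    changed = True
    while changed:
        changed = False
        for i in positions - result:
            if i in s1 and trace.succ(i) in result:
                result.add(i)
                changed = True
    return result


def holds(f, trace: Lasso) -> bool:
    """pi |= f: the formula holds at the first state of the trace."""
    return 0 in sat(f, trace)


# Labels of Example 1 of the paper: x0, x1 carry p1 and x2 carries p2.
LX0, LX1, LX2 = frozenset({'p1'}), frozenset({'p1'}), frozenset({'p2'})
GF_P2 = ('G', ('F', ('ap', 'p2')))   # recurrence of p2
GF_P1 = ('G', ('F', ('ap', 'p1')))   # recurrence of p1

if __name__ == "__main__":
    pi = Lasso([LX0], [LX1])               # (x0, x1^omega)
    pi0 = Lasso([LX0, LX1, LX1], [LX2])    # (x0, x1, x1, x2^omega)
    print(holds(GF_P2, pi), holds(GF_P2, pi0))    # False True
```

The `U` case is the only place where the lasso shape matters: because each position has a single successor, the "exists a k" in rule 5 becomes a least fixpoint over at most |u| + |v| positions, and the loop is handled without ever unrolling it.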

In the following, we first introduce some notations of formal languages [20], and then describe how an LTL formula can be characterized as the language accepted by a non-deterministic generalized Büchi automaton [8].

Let Σ be a finite event set, Σ∗ be the set of all finite length sequences of events from Σ including the zero length trace ε, Σω be the set of all infinite length sequences of events from Σ, and Σ∞ = Σ∗ ∪ Σω. K is called a ∗-language over Σ if K ⊆ Σ∗, and B is called an ω-language over Σ if B ⊆ Σω. The prefix operation pr : Σ∞ → Σ∗ is defined as:

∀B ⊆ Σ∞, pr(B) := {s ∈ Σ∗ | ∃e ∈ B : s is a prefix of e}.

The limit operation lim : Σ∗ → Σω is defined as:

∀K ⊆ Σ∗, lim(K) := {e ∈ Σω | ∃ infinitely many n ∈ N s.t. en ∈ K},

where en denotes the prefix of length n of e, i.e., en = e(1)e(2) · · · e(n) provided that e = e(1)e(2) · · ·. Given an ω-language B ⊆ Σω, B is said to be ω-closed if B = lim(pr(B)). Note that B ⊆ lim(pr(B)) always holds.

Given an LTL formula f, let Sf denote the set of all infinitely long proposition-traces over AP satisfying f. Then one can obtain a non-deterministic generalized Büchi automaton Tf (for details, refer to [8]) that accepts the ω-language Sf. Before the construction of Tf, we first need to put f into negation normal form, in which negation is applied only to atomic propositions. Next, we rewrite subformulae of the form Fg as TrueUg. Let r be the number of subformulae of the form µUν in f (it is obvious that r ≤ |f|). Then the non-deterministic generalized Büchi automaton can be represented as

Tf = (Qf, ΣAP, Rf, $q^f_0$, F),

where

• Qf is a finite state set;

• ΣAP = 2^AP is the event set;

• Rf ⊆ Qf × ΣAP × Qf is the transition relation;

• $q^f_0$ ∈ Qf is the initial state;

• F = {Fi, 1 ≤ i ≤ r} ⊆ 2^Qf is the generalized Büchi acceptance condition. For each subformula of the form µUν in f, there is an Fi in F. Fi is used for capturing the fulfillment of the liveness of µUν.

An infinite length proposition-trace $\pi_p = (L_1, L_2, \dots) \in \Sigma_{AP}^\omega$ is accepted by $T_f$ if and only if there exists an infinite length state-trace $\pi = (q_0, q_1, \dots)$ in $T_f$ such that $q_0 = q^f_0$, $(q_{i-1}, L_i, q_i) \in R_f$ for all $i \ge 1$, and $\pi$ visits each $F_i \in \mathcal{F}$ ($i = 1, \dots, r$) infinitely often. We use $L^\omega_{T_f}$ to denote the ω-language accepted by $T_f$; then we have $L^\omega_{T_f} = S_f$. Both the complexity of the construction of Tf and the number of states in Tf are exponential in the length of the LTL formula f.

3 Notion of Diagnosability with LTL Specifications

In this section, we give the definitions of pre-diagnosability and diagnosability for DESs in the temporal logic setting.

From now on, the system P to be diagnosed for occurrence of failures is modeled by a six-tuple, P = (X, Σ, R, X0, AP, L), where

• X is a finite set of states;

• Σ is a finite set of event labels;

• R ⊆ X × (Σ ∪ {ε}) × X is a transition relation;

• X0 ⊆ X is the set of initial states;

• AP is a finite set of atomic proposition symbols;

• L : X → 2^AP is a labeling function such that ∀x ∈ X, p ∈ L(x) means that p holds at x, and p ∉ L(x) means that p does not hold at x.

Let LP ⊆ Σ∗ denote the language generated by P, where ∀s = (e1, · · · , en) ∈ Σ∗, s ∈ LP if and only if ∃π = (x0, · · · , xn) such that x0 ∈ X0 and (xi−1, ei, xi) ∈ R for all i ∈ {1, · · · , n}. A finite or infinite state-trace π = (x0, x1, · · ·) is called generated by P if x0 ∈ X0, and for all i > 0 there exists a σi ∈ Σ ∪ {ε} such that (xi−1, σi, xi) ∈ R. We use TrP to denote the set of all finite state-traces generated by P. For a state-trace $\pi_1 = (x^1_0, x^1_1, \dots)$ (finite or infinite) and a finite state-trace $\pi_2 = (x^2_0, x^2_1, \dots, x^2_k)$, if the number of states in π1 is more than k, i.e., |π1| > k, and $x^1_i = x^2_i$ for 0 ≤ i ≤ k, then π2 is called a k-prefix of π1, π1 is called an extension of π2 in P, and π1 can be represented as π1 = π2π, where $\pi = (x^1_{k+1}, \dots)$ is called the k-suffix of π1. A finite or infinite proposition-trace over AP is called generated by P if it is associated with a state-trace generated by P. We use $L^{(\omega, AP)}_P \subseteq \Sigma^\omega_{AP}$ to denote the set of all infinite length proposition-traces over AP that are generated by P, where ΣAP = 2^AP. A finite or infinite event-trace (e1, e2, · · ·) over Σ ∪ {ε} is said to be associated with a state-trace π = (x0, x1, · · ·) if ∀i > 0, (xi−1, ei, xi) ∈ R.

Observations of events executed by P are filtered through an observation mask M : Σ ∪ {ε} → ∆ ∪ {ε} with M(ε) = ε, where ∆ is the set of observed symbols and it may be disjoint with Σ. The definition of M can be extended to event-traces inductively as follows: ∀s ∈ Σ∗, σ ∈ Σ, M(sσ) = M(s)M(σ). We use Eπ to denote the set of all event-traces associated with a state-trace π ∈ TrP, and Oπ to denote the observations of event-traces in Eπ, i.e., Oπ = {M(s) ∈ ∆∗ | s ∈ Eπ}. For any two finite state-traces $\pi_1 = (x^1_0, x^1_1, \dots, x^1_{k_1})$ and $\pi_2 = (x^2_0, x^2_1, \dots, x^2_{k_2})$ in TrP, π1 and π2 are called indistinguishable (with respect to the mask M) if $O_{\pi_1} \cap O_{\pi_2} \neq \emptyset$, i.e., if they share observations resulting from the execution of associated event-traces.

Remark 1 From the above definition of P, we know that unobserved cycles are allowed in P, where an unobserved cycle in P is a path (x1, e1, x2, · · · , en, xn+1) such that xn+1 = x1 and, ∀i ∈ {1, · · · , n}, (xi, ei, xi+1) ∈ R and M(ei) = ε. Also note that if P is given to be a terminating system, i.e., if it contains some terminating states where no transition is defined, we can add self-loops on ε at every terminating state of P without altering its LTL properties. This is so because the semantics of LTL on a finite state-trace (x1, · · · , xn) is the same as that on the infinite state-trace $(x_1, \dots, x_n^\omega)$. So, from now on we assume, without loss of generality, that P has appropriately been augmented with self-loops on ε, and so it is non-terminating. Note that the augmentation by self-loops on ε at the terminating states is possible in our framework since we allow the systems to be non-deterministic (so that they can possess ε-transitions) and to contain unobservable cycles (so that they can possess self-loops on ε).

Let f be an LTL formula specifying the normal or the non-faulty behavior of the system. In this paper, f is also called the specification of the system; any behavior of the system violating f is faulty.

In the following we give the definitions of faulty traces, pre-diagnosability, and diagnosability in the temporal logic setting. Let us first define faulty state-traces.

Definition 2 Let P be a system, f be an LTL specification for P, and π be an infinite state-trace generated by P; then π is called a faulty state-trace if π ⊭ f.

Remark 2 In Definition 2, failures are represented by infinitely long state-traces that violate the specification f. The cases of faulty states as well as faulty events in prior works can be captured by our definition of failure. For the case of faulty states as in [2, 24, 25, 45], we can label each non-faulty state with a certain proposition p, and then use f = Gp as the specification; any infinite state-trace violating f is a faulty state-trace. For the case of faulty events as in [36, 37, 35, 11, 6, 4, 5, 32], we can first transform it to the case of faulty states as follows: for each transition (x, σf, x′) in the system such that σf is a faulty event, introduce a faulty state xf into the system and replace the transition (x, σf, x′) by two transitions (x, σf, xf) and (xf, ε, x′), and then apply the method of specifying faults as in the case of faulty states. Besides these two cases, we can also have more general specifications for non-faulty state-traces, such as a certain set of states should be visited infinitely often, or a certain set of states should be eventually invariant. Thus properties such as “invariance”, “deadlock”, “recurrence”, “stability”, etc. can be used to specify (non-)faulty behavior in our setting (as discussed in the last section).

The following definition of indicator is needed for (pre)-diagnosability.

Definition 3 Let P be a system and π be a finite state-trace generated by P; π is called an indicator if all its infinite extensions in P are faulty. We use IndP to denote the set of all indicators in P.


Next we define the pre-diagnosability of DESs.

Definition 4 Let P be a system and f be a specification; P is said to be pre-diagnosable with respect to f if each faulty state-trace in P possesses an indicator as its prefix.

Remark 3 In Definition 4, a system is pre-diagnosable with respect to a given specification if every faulty state-trace possesses an indicator as its prefix. Note that this property automatically holds if the specification is a safety one, i.e., it only requires that some “bad” things must never occur (such as faulty states must never be visited or faulty events never occur). This property of pre-diagnosability, however, may not hold for more general specifications (see Example 1 below), and hence it should be viewed as a pre-condition for any diagnosability analysis. Without this property, the possibility of execution of an infinite faulty trace cannot be deduced through the observations of the finite length state-traces, even under complete observation of state-traces.

If a system is pre-diagnosable, then the failure diagnosis is just the process of detection and identification of indicators in the system. Note that when an indicator is detected, an actual failure (such as reaching a faulty state) may not have happened yet; it only signifies that a failure has either happened or is inevitable. Thus our definition includes both cases of detection (a failure has already occurred) and prediction (a failure will inevitably occur). This kind of prediction is necessary for the detection of failures that violate properties such as liveness and stability.

Example 1 Consider the system shown in Figure 1, and suppose the specification is given as f = GFp2.

[Figure 1: Example for pre-diagnosability. States x0, x1, x2 with labels p1, p1, p2 respectively, and events a, b, c, d; x0 leads to x1, x1 has a self-loop and leads to x2, and x2 has a self-loop.]

It is easy to verify that $\pi = (x_0, x_1^\omega) \not\models f$, and no prefix of π is an indicator. This is because any observed prefix $(x_0, x_1^k)$ of π is also a prefix of $\pi_0 = (x_0, x_1^k, x_2^\omega)$, where π0 ⊨ f. So the system is not pre-diagnosable with respect to f. Hence, even with complete observation of the finite state-traces executed by the system, we can never detect the faulty trace π.

Now suppose the specification is given as f′ = GFp1; then it is easy to check that the system is pre-diagnosable with respect to f′, since for any faulty state-trace $\pi_0 = (x_0, x_1^k, x_2^\omega)$ the prefix $(x_0, x_1^k, x_2)$ is an indicator.
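As an added example (not the paper's algorithm, which handles arbitrary LTL formulae by model checking with Büchi automata), the following Python decides Definitions 3 and 4 for the three specification families discussed in Section 2, Gp (invariance), GFp (recurrence) and FGp (stability), by plain reachability and cycle detection on the state graph of P. For GFp and FGp, which depend only on the tail of a trace, a finite trace is an indicator exactly when every infinite path from its last state is faulty; for Gp it is an indicator also when the prefix already contains a state without p. The transitions of Example 1 are those recoverable from the text (x0 to x1, self-loops at x1 and x2, x1 to x2); the event names placed on those edges, the class and method names, and the second, deadlock-like system in the test are assumptions constructed for this example.

```python
"""Indicators (Definition 3) and pre-diagnosability (Definition 4) for Gp, GFp and FGp.
Constructed example; the paper's general model-checking algorithm is not reproduced here."""
from typing import Dict, FrozenSet, Iterable, Optional, Sequence, Set, Tuple

State = str
Edge = Tuple[State, str, State]    # (x, event, x'); the event may be "eps" for an epsilon move
Spec = Tuple[str, str]              # ('G' | 'GF' | 'FG', atomic proposition)


class System:
    """P = (X, Sigma, R, X0, AP, L): X and AP are implicit in L, Sigma is implicit in R."""

    def __init__(self, R: Iterable[Edge], X0: Iterable[State], L: Dict[State, FrozenSet[str]]):
        self.R, self.X0, self.L = set(R), set(X0), dict(L)
        self.succ: Dict[State, Set[State]] = {x: set() for x in self.L}
        for x, _, y in self.R:
            self.succ[x].add(y)

    def reachable(self, start: State, within: Optional[Set[State]] = None) -> Set[State]:
        """States reachable from start (start included) along paths that stay inside `within`."""
        allowed = set(self.L) if within is None else within
        if start not in allowed:
            return set()
        seen, stack = {start}, [start]
        while stack:
            for y in self.succ[stack.pop()]:
                if y in allowed and y not in seen:
                    seen.add(y)
                    stack.append(y)
        return seen

    def on_cycle(self, y: State, within: Optional[Set[State]] = None) -> bool:
        """Does y lie on a cycle whose states all belong to `within`? (self-loops count)"""
        allowed = set(self.L) if within is None else within
        return y in allowed and any(y in self.reachable(z, allowed) for z in self.succ[y] if z in allowed)

    def has_cycle(self, nodes: Set[State]) -> bool:
        """Does the subgraph induced on `nodes` contain a cycle?"""
        return any(self.on_cycle(x, nodes) for x in nodes)

    def doomed(self, x: State, spec: Spec) -> bool:
        """True when every infinite path from x violates spec, i.e. no path from x satisfies it."""
        kind, p = spec
        holds = {s for s in self.L if p in self.L[s]}
        if kind == 'G':     # G p is satisfiable from x iff an infinite path never leaves the p-states
            return not self.has_cycle(self.reachable(x, holds))
        if kind == 'GF':    # GF p is satisfiable from x iff a p-state lying on a cycle is reachable
            return not any(self.on_cycle(y) for y in self.reachable(x) if y in holds)
        if kind == 'FG':    # FG p is satisfiable from x iff a cycle made only of p-states is reachable
            return not self.has_cycle(self.reachable(x) & holds)
        raise ValueError(f"unsupported specification kind {kind!r}")

    def is_generated(self, prefix: Sequence[State]) -> bool:
        """Is the finite state-trace generated by P (starts in X0, consecutive states related by R)?"""
        return (len(prefix) > 0 and prefix[0] in self.X0
                and all(b in self.succ[a] for a, b in zip(prefix, prefix[1:])))

    def is_indicator(self, prefix: Sequence[State], spec: Spec) -> bool:
        """Definition 3: every infinite extension of the finite trace is faulty."""
        if not self.is_generated(prefix):
            raise ValueError("prefix is not a state-trace generated by P")
        kind, p = spec
        if kind == 'G' and any(p not in self.L[x] for x in prefix):
            return True                       # the fault has already occurred
        return self.doomed(prefix[-1], spec)  # the fault is inevitable from here (predictive case)

    def pre_diagnosable(self, spec: Spec) -> bool:
        """Definition 4: every faulty infinite trace has an indicator among its prefixes."""
        kind, p = spec
        if kind == 'G':
            return True   # safety: the prefix ending at the first non-p state is an indicator
        # GF p and FG p depend only on the tail of a trace, so doomed states are absorbing
        # (every successor of a doomed state is doomed). A faulty trace with no indicator prefix
        # therefore stays forever inside the non-doomed ("live") states reachable from X0.
        reach0: Set[State] = set()
        for x0 in self.X0:
            reach0 |= self.reachable(x0)
        live = {x for x in reach0 if not self.doomed(x, spec)}
        bad = {x for x in live if p not in self.L[x]}
        if kind == 'GF':   # such a trace eventually loops inside live non-p states
            return not self.has_cycle(bad)
        return not any(self.on_cycle(y, live) for y in bad)   # FG: a live cycle through a non-p state


# Example 1 of the paper: labels p1, p1, p2; transitions recovered from the text.
# The event names a, b, c, d on the edges are an assumption of this example.
P1, P2 = frozenset({'p1'}), frozenset({'p2'})
EXAMPLE1 = System(
    R={('x0', 'a', 'x1'), ('x1', 'b', 'x1'), ('x1', 'c', 'x2'), ('x2', 'd', 'x2')},
    X0={'x0'},
    L={'x0': P1, 'x1': P1, 'x2': P2},
)

if __name__ == "__main__":
    print(EXAMPLE1.pre_diagnosable(('GF', 'p2')))                   # False, as in Example 1
    print(EXAMPLE1.pre_diagnosable(('GF', 'p1')))                   # True
    print(EXAMPLE1.is_indicator(['x0', 'x1', 'x2'], ('GF', 'p1')))  # True
```

The `doomed` predicate is what Remark 3 and the paragraph before Example 1 call the predictive part of the indicator: for Gp it fires on a prefix whose states all still satisfy p but from whose last state every continuation must eventually leave the p-states, which is how an unavoidable deadlock-like failure is flagged before it happens.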

The diagnosability of DESs in the setting of LTL is defined as follows.

Definition 5 Let P be a system, M be an observation mask, and f be a specification. P is said to be diagnosable with respect to M and f if P is pre-diagnosable with respect to f and

(∃n ∈ N)(∀π0 ∈ IndP)(∀π = π0π1 ∈ TrP, |π1| ≥ n)(∀π′ ∈ TrP, Oπ ∩ Oπ′ ≠ ∅) ⇒ (π′ ∈ IndP),

where N is the set of all natural numbers.

Remark 4 Definition 5 states that a pre-diagnosable system is diagnosable if the execution of any indicator by the system can be deduced with a finite delay from the observed behavior through the mask M. The finite delay is uniformly bounded, i.e., it depends only on the system model and the specification, but not on the trace executed. More precisely, there exists a number n such that for any indicator π0, for any sufficiently long (at least n states longer) extension π of π0, and for any finite state-trace π′ generated by P, if π′ and π are indistinguishable with respect to M, i.e., if they can generate the same masked event-trace, then π′ must also be an indicator. This is similar to the language-based definition of diagnosability introduced in [36], but our definition should be viewed as a generalization since our definition of failures, which is based on an LTL formula, is more general.

Example 2 Consider the system shown in Figure 2, where the observation mask is given as $M(a) = a$, $M(b_1) = M(b_2) = b$, $M(c_1) = M(c_2) = c$.

[Figure 2: Example for diagnosability. State diagram of a five-state system with states $x_0, \ldots, x_4$, propositions $p_1$, $p_2$ and events $a, b_1, b_2, c_1, c_2$; the drawing is not reproduced here.]

Suppose the specification is given as $f = GFp_2$. It is easy to verify that the system is diagnosable with respect to $f$. This is because if an event-trace $abc^ka$ is observed, then it indicates that the indicator $(x_0, x_1, x_3(0), \cdots, x_3(k), x_4)$ has been executed by the system.

Now suppose the specification is given as $f' = Gp_1$. It is also easy to verify that the system is pre-diagnosable with respect to $f'$. But the system is not diagnosable with respect to $f'$. This is because when the indicator $(x_0, x_1, x_2)$ is executed by the system, no matter how long an extension of it is considered, an event-trace observation of the form $abc^k$ is generated, which can also be generated by the state-trace $(x_0, x_1, x_3(0), \cdots, x_3(k))$ that is not an indicator.

In Definition 5, we assumed that there is only one specification f for the system P, so the failure diagnosis problem is the same as the failure detection problem. However, in practical situations we may have multiple specifications, so we need not only to detect the violation of a specification, but also to diagnose which specification is violated. The following definition of diagnosability is for the case of multiple specifications, and is an extension of Definition 5.


Definition 6 Let P be a system, M be an observation mask, and {fi, i = 1, 2, · · · , m} be a set of specifications. P is said to be diagnosable with respect to the mask M and the set of specifications {fi, i = 1, 2, · · · , m} if P is diagnosable with respect to the mask M and each specification fi, i = 1, 2, · · · , m.

Note that the diagnosability of a system P with respect to the single specification $\bigwedge_{i=1}^{m} f_i$ does not imply the diagnosability of P with respect to the set of specifications $\{f_i, 1 \le i \le m\}$. This is because even if we can detect the violation of $\bigwedge_{i=1}^{m} f_i$, we may not be able to know which $f_i$ has been violated.

If a system is diagnosable, then we need to construct a diagnoser for the failure diagnosis of the system. The diagnoser is defined as follows.

Definition 7 Given a system P, an observation mask M, and a specification f, let $D = (T, M_T)$, where $T = (Q_T, \Delta, R_T, Q_{T0})$ is a non-deterministic finite state machine, and $M_T : \Delta^* \to \{fault\}$ is a partial function defined as: $\forall s \in \Delta^*$, $M_T(s) = fault$ if s is not generated by T, i.e., $s \notin L_T$. D is called a diagnoser for P with respect to M and f if the following holds:

1. $\forall \pi \in Tr_P, \forall s \in O_{\pi}: M_T(s) = fault \Rightarrow \pi \in Ind_P$.

2. $\exists n \in \mathbb{N}: (\forall \pi_0 \in Ind_P)(\forall \pi = \pi_0\pi_1 \in Tr_P, |\pi_1| \ge n)(\forall s \in O_{\pi}) \Rightarrow (M_T(s) = fault)$.

Let $\{f_i, i = 1, \cdots, m\}$ be a set of specifications; then a collection $\{D_i = (T_i, M_{T_i}), i = 1, \cdots, m\}$ is called a diagnoser for P with respect to M and $\{f_i, i = 1, 2, \cdots, m\}$ if each $D_i$ ($i = 1, 2, \cdots, m$) is a diagnoser for P with respect to M and $f_i$.

Remark 5 The above definition states that a diagnoser D detects the occurrence of each indicator in the system P by observing the event-traces generated by P through the mask M. It is required that a diagnoser shall never generate a false alarm (the first condition in the definition), and also that there will be no missed detections (the second condition, which requires the detection of any indicator within a finite delay). It is obvious that for a given pre-diagnosable system P, there exists a diagnoser D only if P is diagnosable. Note that Definition 7 does not require that a diagnoser D should possess a deterministic finite state machine T.

Note that the diagnosability of a system P does not necessarily imply the existence of a finite state diagnoser; and the existence of a diagnoser does not necessarily mean that we can find one with complexity polynomial in the size of the system. In the next section we show that if P is diagnosable, then a finite state diagnoser does exist and can be constructed polynomially in the number of states of P.

4 Algorithm for Diagnosis and Diagnoser Synthesis

The failure diagnosis problem for DESs with LTL specifications is formulated as follows:


Let P be a system and M be an observation mask. For a given set of specifications {f1, · · · , fm}, test whether P is diagnosable with respect to M and {f1, · · · , fm}; if P is diagnosable, then construct a diagnoser for P to detect the occurrence of indicators in P by observing the behavior of P through the mask M.

In the following we first give an algorithm for testing the diagnosability and the design of a diagnoser for systems with a single LTL specification f, and then present an algorithm for the case of multiple specifications. Before presenting the details, we first give a brief explanation of the algorithm.

Step 1 obtains a generalized Büchi automaton $T_f$ that accepts all proposition-traces over AP satisfying f, where $T_f$ has a generalized Büchi acceptance condition set $\mathcal{F} = \{F_i, 1 \le i \le r\}$. Step 2 verifies pre-diagnosability of P with respect to f. As shown in Theorem 1 below, P is pre-diagnosable with respect to f if and only if $L^{\omega}_{T_f} \cap L^{(\omega,AP)}_P$ is ω-closed. We first construct a finite state machine $T_1$ from the "proposition-synchronization" of $T_f$ and P. Then $L^{\omega}_{T_f} \cap L^{(\omega,AP)}_P$ equals the set of infinite proposition-traces generated by $T_1$ that visit the $F_i$-labeled ($1 \le i \le r$) states infinitely often. So, $L^{\omega}_{T_f} \cap L^{(\omega,AP)}_P$ is ω-closed if and only if $L^{\omega}_{T_f} \cap L^{(\omega,AP)}_P = L^{(\omega,AP)}_{T_1}$, i.e., if and only if every infinite proposition-trace generated by $T_1$ visits $F_i$-labeled ($1 \le i \le r$) states infinitely often, i.e., if and only if $T_1$ satisfies the LTL formula $\bigwedge_{i=1}^{r} GF F_i$, which is an LTL model checking problem. Step 3 tests for diagnosability after the system passes the pre-diagnosability test. For this, P is event-synchronized with $T'_2$, where $T'_2$ generates the language $M^{-1}M(L_{T_1}) = \{s \in \Sigma^* \mid \exists t \in L_{T_1}, M(s) = M(t)\}$; the result is denoted by $T_3$. So $T_3$ generates traces in P that share an observation with traces in $T_1$, i.e., non-faulty traces of P. For diagnosability to hold, all such traces must themselves be non-faulty. Thus for the diagnosability of P, we need to check whether $T_3$ satisfies f, which is an LTL model checking problem.

Algorithm 1 Algorithm for failure diagnosis with single LTL specification

1. This step is for the construction of a non-deterministic generalized Büchi automaton $T_f$ that accepts all the infinite proposition-traces satisfying f. From [8], the automaton can be constructed as

$T_f = (C_f, \Sigma_{AP}, R_f, q_{f0}, \mathcal{F});$

the details are omitted here. Let $L^{\omega}_{T_f}$ denote the ω-language accepted by $T_f$, i.e., the set of all proposition-traces satisfying f.

2. This step is for the test of pre-diagnosability of P.

• Construct $T_1 = (Q_1, \Sigma, R_1, Q_{10}, AP \cup \mathcal{F}, L_1)$ from the "proposition-synchronization" of $T_f$ and $P = (X, \Sigma, R, X_0, AP, L)$, which generates every infinite proposition-trace over AP that is generated by P and satisfies f, as follows:

– $Q_1 = C_f \times X$ is the set of states;

– $\Sigma$ is the set of events;

– $R_1 \subseteq Q_1 \times (\Sigma \cup \{\epsilon\}) \times Q_1$ is the transition relation, $R_1 = \{((c, x), \sigma, (c', x')) \in Q_1 \times (\Sigma \cup \{\epsilon\}) \times Q_1 \mid (c, L(x'), c') \in R_f, (x, \sigma, x') \in R\}$;

– $Q_{10} = \{(c, x) \in Q_1 \mid (q_{f0}, L(x), c) \in R_f, x \in X_0\}$ is the set of initial states;

– $AP \cup \mathcal{F}$ is the new set of atomic propositions;

– $L_1 : Q_1 \to 2^{AP \cup \mathcal{F}}$ is the labeling function such that

$\forall (c, x) \in Q_1, F_i \in \mathcal{F}, p \in AP : [F_i \in L_1(c, x) \Leftrightarrow c \in F_i] \wedge [p \in L_1(c, x) \Leftrightarrow p \in L(x)].$

– delete each state $q \in Q_1$ and its associated transitions if either q has no successor, or no state labeled with some $F_i \in \mathcal{F}$ can be reached from q; repeat this process until no more states and transitions can be deleted.

It follows from the construction of $T_1$ that $L^{\omega}_{T_f} \cap L^{(\omega,AP)}_P$ equals the set of all infinite-length proposition-traces that are generated by $T_1$ and visit the $F_i$-labeled ($1 \le i \le r$) states infinitely often.

• Check whether $L^{\omega}_{T_f} \cap L^{(\omega,AP)}_P$ is ω-closed. This is done by checking whether every infinite proposition-trace generated by $T_1$ visits the $F_i$-labeled ($1 \le i \le r$) states infinitely often, or equivalently, whether $T_1$ satisfies the LTL formula $\bigwedge_{i=1}^{r} GF F_i$. We can use the methods given in [8, 3, 7].

If the LTL formula is not satisfied by $T_1$, then stop and output that "the system is not pre-diagnosable".

3. This step is for the test of diagnosability of P.

• Construct $T_2 = (Q_2, \Delta, R_2, Q_{20})$, the "projection" of $T_1$ through M, i.e., $L_{T_2} = M(L_{T_1})$. $T_2$ is constructed to be a non-deterministic state machine containing no ε-transitions as follows:

– $Q_2 = Q_{10} \cup \{q \in Q_1 \mid \exists (q', \sigma, q) \in R_1, M(\sigma) \ne \epsilon\}$ is the set of states: $Q_2$ contains all the initial states of $T_1$ and the states in $T_1$ such that there is a transition labeled with an observable event leading into the state;

– $\Delta$ is the set of observed symbols;

– $R_2 \subseteq Q_2 \times \Delta \times Q_2$ is the set of transitions: $\forall (q, \beta, q') \in Q_2 \times \Delta \times Q_2$, $(q, \beta, q') \in R_2$ if and only if there exists a path $(q_0, \sigma_1, q_1, \cdots, \sigma_k, q_k, \sigma_{k+1}, q_{k+1})$ ($k \ge 0$) in $T_1$ such that $(q_i, \sigma_{i+1}, q_{i+1}) \in R_1$ for $0 \le i \le k$, $q_0 = q$, $q_{k+1} = q'$, $M(\sigma_i) = \epsilon$ for $1 \le i \le k$, and $M(\sigma_{k+1}) = \beta$;

– $Q_{20} = Q_{10}$ is the set of initial states.

• Construct $T'_2 = (Q_2, \Sigma, R'_2, Q_{20})$ that accepts the language $M^{-1}(L_{T_2})$, i.e., $L_{T'_2} = M^{-1}(L_{T_2}) = M^{-1}M(L_{T_1})$, where the transition relation $R'_2 \subseteq Q_2 \times \Sigma \times Q_2$ is given as

$\forall (q, \sigma, q') \in Q_2 \times \Sigma \times Q_2 : (q, \sigma, q') \in R'_2 \Leftrightarrow [(q, M(\sigma), q') \in R_2] \vee [(q = q') \wedge (M(\sigma) = \epsilon)].$


• Construct $T_3 = (Q_3, \Sigma, R_3, Q_{30}, AP, L_3)$, which accepts the language $L_{T'_2} \cap L_P = M^{-1}M(L_{T_1}) \cap L_P$, from the event-synchronization of $T'_2$ and P. (Here $T_3$ generates a proposition-trace over AP that is associated with a state-trace in $Tr_P$ if and only if the latter is indistinguishable from a prefix of a non-faulty state-trace in P.)

– $Q_3 = Q_2 \times X$ is the set of states;

– $\Sigma$ is the set of events;

– $R_3 \subseteq Q_3 \times (\Sigma \cup \{\epsilon\}) \times Q_3$ is the transition relation such that

$\forall ((q_1, x_1), \sigma, (q_2, x_2)) \in Q_3 \times (\Sigma \cup \{\epsilon\}) \times Q_3 : ((q_1, x_1), \sigma, (q_2, x_2)) \in R_3 \Leftrightarrow [(\sigma \ne \epsilon) \wedge ((q_1, \sigma, q_2) \in R'_2) \wedge ((x_1, \sigma, x_2) \in R)] \vee [(\sigma = \epsilon) \wedge (q_1 = q_2) \wedge ((x_1, \sigma, x_2) \in R)];$

– $Q_{30} = Q_{20} \times X_0$ is the set of initial states;

– AP is the set of atomic propositions;

– $L_3 : Q_3 \to 2^{AP}$ is the labeling function such that $\forall (q, x) \in Q_3$, $L_3(q, x) = L(x)$;

– delete each state $q \in Q_3$ and its associated transitions if q has no successor; repeat this process until no more states and transitions can be deleted.

• Check whether every infinite proposition-trace generated by $T_3$ satisfies f, using the LTL model checking methods in [8, 3, 7]. If f is not satisfied by $T_3$, then stop and output that "the system is not diagnosable".

4. This final step is for the construction of a diagnoser. Output $(T_2, M_{T_2})$ as the diagnoser D. Here $M_{T_2} : \Delta^* \to \{fault\}$ is a partial function defined as: $\forall s \in \Delta^*$, $M_{T_2}(s) = fault$ if s is not generated by $T_2$, i.e., if $s \notin L_{T_2}$.

The diagnoser D operates as follows. It observes the event-traces generated by P through the mask M. If an observed event-trace s is not in the generated language of $T_2$, then the diagnoser outputs "fault", which indicates the occurrence of an indicator of P, with a finite delay.

In Algorithm 1, $T'_2$, which generates the language $M^{-1}M(L_{T_1})$, is constructed so as not to contain any ε-transitions. For this, $T_2$, which generates the language $M(L_{T_1})$ and contains no ε-transitions, is first constructed. The reason for not allowing ε-transitions in $T'_2$ is technical, and has to do with the possibility of the presence of unobservable cycles in P. This will become more evident when we prove the correctness of the diagnosability test in Theorem 3.
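Algorithm 1 carried end to end on the system of Example 2, as an added example that is not part of the paper. The transitions and labels of Figure 2 (x0 and x1 labeled p1, x2 labeled p2, x3 labeled p1 and p2, x4 labeled p1) are reconstructed from the figure residue and the text of Example 2 and are an assumption; the hand-built deterministic Büchi automata for GF p and G p stand in for the general Step 1 construction of [8], and all function names are ours.

```python
# Added example, not the paper's code: Algorithm 1 on the Figure 2 system, reconstructed here
# from the figure residue and Example 2 (an assumption); hand-built deterministic, complete
# Buchi automata for GF p and G p stand in for the LTL-to-automaton construction of Step 1.
P_TRANS = [("x0", "a", "x1"), ("x1", "b1", "x2"), ("x1", "b2", "x3"), ("x2", "c1", "x2"),
           ("x3", "c2", "x3"), ("x3", "a", "x4"), ("x4", "a", "x4")]
P_INIT = {"x0"}
LABEL = {"x0": {"p1"}, "x1": {"p1"}, "x2": {"p2"}, "x3": {"p1", "p2"}, "x4": {"p1"}}
MASK = {"a": "a", "b1": "b", "b2": "b", "c1": "c", "c2": "c"}  # "" would denote epsilon
def buchi_GF(p):  # automaton = (initial state, step(c, label) -> c', acceptance sets)
    return "t0", (lambda c, lab: "t1" if p in lab else "t0"), [{"t1"}]
def buchi_G(p):   # a non-accepting sink "dead" once p fails keeps the automaton complete
    return "s0", (lambda c, lab: "dead" if c == "dead" or p not in lab else "s0"), [{"s0"}]
def states_of(inits, trans):
    return set(inits) | {q for t in trans for q in (t[0], t[2])}

def prop_sync(buchi, init, trans, label):
    """Step 2 proposition-synchronization (reachable part): the automaton reads L(x') on each move."""
    q0, step, _ = buchi
    inits = {(step(q0, label[x]), x) for x in init}
    todo, seen, out = list(inits), set(inits), []
    while todo:
        c, x = todo.pop()
        for x1, e, x2 in trans:
            if x1 == x:
                nxt = (step(c, label[x2]), x2)
                out.append(((c, x), e, nxt))
                if nxt not in seen: seen.add(nxt); todo.append(nxt)
    return inits, out

def trim(inits, trans, targets=None):
    """Delete states with no successor or (if targets are given) that reach no target; repeat."""
    while True:
        reach = set(targets) if targets is not None else states_of(inits, trans)
        for _ in trans:  # backward closure; |trans| rounds suffice
            reach |= {q1 for q1, _, q2 in trans if q2 in reach}
        keep = {q for q in reach if any(t[0] == q for t in trans)}
        new = [t for t in trans if t[0] in keep and t[2] in keep]
        if len(new) == len(trans):
            return set(inits) & keep, new
        trans = new
def has_cycle(states, trans):  # peel off states with no successor; a cycle exists iff some remain
    states = set(states)
    while True:
        live = {q1 for q1, _, q2 in trans if q1 in states and q2 in states}
        if live == states:
            return bool(states)
        states = live
def all_paths_accepting(inits, trans, accept):
    """GF F_i for all i holds on a trimmed product iff no cycle avoids the states with c in F_i."""
    states = states_of(inits, trans)
    return all(not has_cycle({q for q in states if q[0] not in F}, trans) for F in accept)

def project(inits, trans):
    """T2 (Step 3): projection of T1 through the mask, without epsilon-transitions."""
    def eps_closure(q):
        clos = {q}
        for _ in trans:
            clos |= {q2 for q1, e, q2 in trans if q1 in clos and MASK[e] == ""}
        return clos
    q2s = set(inits) | {q2 for _, e, q2 in trans if MASK[e] != ""}
    r2 = {(q, MASK[e], q2) for q in q2s for q1, e, q2 in trans
          if q1 in eps_closure(q) and MASK[e] != ""}
    return set(inits), r2

def event_sync(inits2, r2):
    """T3 (Step 3): P event-synchronized with T2' (R2 edge if observable, self-loop if not)."""
    inits = {(q, x) for q in inits2 for x in P_INIT}
    todo, seen, out = list(inits), set(inits), []
    while todo:
        q, x = todo.pop()
        for x1, e, x2 in P_TRANS:
            if x1 == x:
                nexts = {q2 for q1, b, q2 in r2 if q1 == q and b == MASK[e]} if MASK[e] else {q}
                for q2 in nexts:
                    out.append(((q, x), e, (q2, x2)))
                    if (q2, x2) not in seen: seen.add((q2, x2)); todo.append((q2, x2))
    return inits, out, {(q, x): LABEL[x] for q, x in seen}

def diagnose(buchi):
    """Algorithm 1 for one specification: (pre-diagnosable, diagnosable, T2 or None)."""
    inits1, r1 = prop_sync(buchi, P_INIT, P_TRANS, LABEL)
    f_states = {q for q in states_of(inits1, r1) if any(q[0] in F for F in buchi[2])}
    inits1, r1 = trim(inits1, r1, f_states)
    if not all_paths_accepting(inits1, r1, buchi[2]):
        return False, False, None  # Step 2 failed: not pre-diagnosable
    t2 = project(inits1, r1)
    inits3, r3, label3 = event_sync(*t2)
    inits3, r3 = trim(inits3, r3)
    # T3 |= f iff (deterministic complete automaton) no product cycle avoids accepting states
    ok = all_paths_accepting(*prop_sync(buchi, inits3, r3, label3), buchi[2])
    return True, ok, (t2 if ok else None)

def diagnoser(t2, observed):
    """M_T2 of Step 4: 'fault' iff the observed event-trace is not generated by T2."""
    current, r2 = t2
    for beta in observed:
        current = {q2 for q1, b, q2 in r2 if q1 in current and b == beta}
        if not current: return "fault"
    return None
```

For f = GF p2, diagnose(buchi_GF("p2")) reports the system pre-diagnosable and diagnosable and returns T2, on which diagnoser raises "fault" for the observation abcca but not for abcc; for f' = G p1, diagnose(buchi_G("p1")) reports pre-diagnosable but not diagnosable, matching Example 2.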

Remark 6 It is known that the first step of Algorithm 1 has a complexity of $O(2^{|f|})$. The second step has a complexity of $O(2^{O(|f|)}|X|^2)$. This is because the complexity for the LTL model checking with the special formula $\bigwedge_{i=1}^{r} GF F_i$ is linear in both the size of the system (number of states and transitions) and the value of r (we can model check the formula $GF F_i$ for each $i = 1, \cdots, r$), and $r \le |f|$. The complexity of the third step is $O(2^{O(|f|)}|X|^4)$ since the complexity for LTL model checking is linear in the size of the system (number of states and transitions) and exponential in the length of the LTL formula. So the complexity to design a diagnoser as well as to test the diagnosability is $O(2^{O(|f|)}|X|^4)$, which is polynomial in the number of states of the system and exponential in the length of the specification LTL formula. This power-4 dependence on the number of system states is the same as that in the setting of the faulty-events based approach to diagnosis [15]. The exponential dependence on the length of the LTL specification f comes from having an abstract, and hence a more compact, representation of the specification. The number of states in $T_2$ that is part of the diagnoser D is $O(2^{|f|}|X|)$.

Remark 7 In practice [21], the system specification may be given in the form $f_{safe} \wedge f_{live}$, where $f_{safe}$ (resp., $f_{live}$) represents only some safety (resp., liveness) properties. Then for computational savings, the first and the second steps of the above algorithm can be modified as follows (for pre-diagnosability applies only to liveness specifications).

1. Construct the generalized Büchi automata $T_{f_{safe}}$ and $T_{f_{live}}$ for $f_{safe}$ and $f_{live}$ respectively.

2. Test pre-diagnosability of P with respect to $f_{live}$ as in Step 2 of Algorithm 1.

3. Construct $T_1$ from the "proposition-synchronization" of $T_{f_{safe}}$, $T_{f_{live}}$, and P, and proceed to Step 3 of Algorithm 1.

From the above it is clear that the pre-diagnosability test is not needed for a pure safety specification. Thus we can gain some computational savings by testing pre-diagnosability only for the liveness sub-specifications. However, the total complexity for testing diagnosability remains $O(2^{O(|f|)}|X|^4)$. This is because the complexity is dominated by Step 3 of the algorithm, and that step is needed for a specification in the form $f = f_{safe} \wedge f_{live}$.

In the following we prove that Algorithm 1 is sound and complete. We first prove the reductions of the problems of testing pre-diagnosability and diagnosability to those of LTL model checking. The following theorem states that a system is pre-diagnosable if and only if the set of all infinite non-faulty proposition-traces accepted by the system is ω-closed.

Theorem 1 Let P be a system and f be an LTL specification. P is pre-diagnosable with respect to f if and only if the ω-language $S_f \cap L^{(\omega,AP)}_P \subseteq \Sigma^{\omega}_{AP}$ is ω-closed, where $\Sigma_{AP} = 2^{AP}$. (Here $S_f$ denotes the set of all infinite proposition-traces over AP satisfying f, and $L^{(\omega,AP)}_P$ denotes the set of all proposition-traces generated by P.)

Proof: For necessity, suppose P is pre-diagnosable. For contradiction, suppose $S_{(f,P)} = S_f \cap L^{(\omega,AP)}_P \subseteq \Sigma^{\omega}_{AP}$ is not ω-closed, i.e., $\exists u = (e_1, e_2, \cdots) \in \lim(pr(S_{(f,P)})) - S_{(f,P)}$. It is easy to verify that $L^{(\omega,AP)}_P$ is ω-closed. Thus we have

$u \in [\lim(pr(S_{(f,P)})) - S_{(f,P)}] \subseteq \lim(pr(L^{(\omega,AP)}_P)) = L^{(\omega,AP)}_P.$

Since $u \notin S_{(f,P)}$, $u \not\models f$. Let $\pi_u = (x_1, x_2, \cdots)$ be a state-trace accepted by P and associated with u, i.e., $L(x_i) = e_i$ for all $i \ge 1$. Then we have $\pi_u \not\models f$, i.e., $\pi_u$ is faulty. Since P is pre-diagnosable and $\pi_u$ is a faulty trace in P, $\pi_u$ must have an indicator prefix $\pi^n_u = (x_1, \cdots, x_n)$. Because $u \in \lim(pr(S_{(f,P)}))$, from the definition of the lim operation, there must exist a $k > n$ such that $u^k = (e_1, \cdots, e_k) \in pr(S_{(f,P)})$, which implies that $\pi^k_u = (x_1, \cdots, x_k)$ is a prefix of some non-faulty trace in P. It follows that $\pi^n_u$ could not be an indicator, which is a contradiction. So the necessity holds.

For sufficiency, suppose $S_{(f,P)}$ is ω-closed, i.e., $\lim(pr(S_{(f,P)})) - S_{(f,P)} = \emptyset$. For contradiction, if P is not pre-diagnosable, then from Definition 4 we know there exists a faulty state-trace $\pi = (x_1, x_2, \cdots)$ in P such that no prefix of $\pi$ is an indicator. In other words, $\pi^n = (x_1, \cdots, x_n)$ is a prefix of some non-faulty trace in P for every $n \ge 1$, i.e., $u^n \in pr(S_{(f,P)})$ for every $n \ge 1$, where $u^n = (L(x_1), \cdots, L(x_n))$ is the proposition-trace associated with $\pi^n$. Let $u = (L(x_1), \cdots)$ be the proposition-trace associated with $\pi$; then it is obvious that $u \in L^{(\omega,AP)}_P$ and $u \not\models f$. Because $u^n \in pr(S_{(f,P)})$ for every $n \ge 1$, we have $u \in \lim(pr(S_{(f,P)}))$. Since $u \not\models f$, $u \notin S_{(f,P)}$. From the above we have $u \in \lim(pr(S_{(f,P)})) - S_{(f,P)}$, i.e., $\lim(pr(S_{(f,P)})) - S_{(f,P)} \ne \emptyset$, which is a contradiction to the hypothesis. So P is pre-diagnosable.

Note that the set of infinite proposition-traces $S_f \cap L^{(\omega,AP)}_P$ is the set of all infinite non-faulty proposition-traces generated by P. The next theorem validates our test for pre-diagnosability.

Theorem 2 Let P be a system and f be an LTL specification. P is pre-diagnosable with respect to f if and only if $\forall q \in Q_{10}$, $\langle T_1, q \rangle \models \bigwedge_{F_i \in \mathcal{F}} GF F_i$, where $T_1$ is as defined in Algorithm 1.

Proof: Since $T_1$ is the "proposition-synchronization" of $T_f$ and P, the set of infinite proposition-traces generated by $T_1$ that visit the $F_i$-labeled ($1 \le i \le r$) states infinitely often is the set of infinite proposition-traces generated by P and satisfying f, i.e., the set $L^{\omega}_{T_f} \cap L^{(\omega,AP)}_P$. From the construction of $T_f$, $L^{\omega}_{T_f} = S_f$. So from Theorem 1, P is pre-diagnosable if and only if $L^{\omega}_{T_f} \cap L^{(\omega,AP)}_P$ is ω-closed, i.e., if and only if

$L^{\omega}_{T_f} \cap L^{(\omega,AP)}_P = \lim(pr(L^{\omega}_{T_f} \cap L^{(\omega,AP)}_P)) = L^{(\omega,AP)}_{T_1},$

where the last equality follows from the construction of $T_1$, which keeps $T_1$ "trim". The equality $L^{\omega}_{T_f} \cap L^{(\omega,AP)}_P = L^{(\omega,AP)}_{T_1}$ holds if and only if $L^{(\omega,AP)}_{T_1} \subseteq L^{\omega}_{T_f} \cap L^{(\omega,AP)}_P$, since the reverse containment holds by the construction of $T_1$. Further, since $L^{(\omega,AP)}_{T_1} \subseteq L^{(\omega,AP)}_P$ by construction, $L^{(\omega,AP)}_{T_1} \subseteq L^{\omega}_{T_f} \cap L^{(\omega,AP)}_P$ if and only if $L^{(\omega,AP)}_{T_1} \subseteq L^{\omega}_{T_f}$, or equivalently, every infinite proposition-trace generated by $T_1$ visits the $F_i$-labeled ($1 \le i \le r$) states infinitely often, or equivalently, $\forall q \in Q_{10}$, $\langle T_1, q \rangle \models \bigwedge_{F_i \in \mathcal{F}} GF F_i$. This completes the proof.

The next theorem validates our test for diagnosability.

Theorem 3 Let P be a system which is pre-diagnosable with respect to a specification f, and M be an observation mask. Then P is diagnosable with respect to M and f if and only if $\forall q \in Q_{30}$, $\langle T_3, q \rangle \models f$, where $T_3$ is as defined in Algorithm 1.

Proof: For necessity, suppose P is diagnosable. For contradiction, if $\exists q \in Q_{30}$, $\langle T_3, q \rangle \not\models f$, then from the construction of $T_3$, we know that there exists an infinite state-trace $\pi = ((q_0, x_0), (q_1, x_1), \cdots)$ accepted by $T_3$ with $\pi \not\models f$. This implies that: (i) $\pi_1 = (x_0, x_1, \cdots) \not\models f$ and $\pi_1$ is accepted by P (because $T_3$ is constructed from the synchronization of $T'_2$ and P, and $T'_2$ does not contain any ε-transition); (ii) any prefix $(x_0, \cdots, x_k)$ of $\pi_1$ can generate the same masked event-trace as a finite state-trace $\pi_2 = ((q'_0, x'_0), \cdots, (q'_j, x'_j))$ accepted by $T_1$, which further implies that $(x_0, \cdots, x_k)$ and $(x'_0, \cdots, x'_n)$ are two "indistinguishable" finite state-traces accepted by P. Here from the pre-diagnosability of P and Theorem 2, we know that any infinite extension of $\pi_2$ in $T_1$ satisfies f, which means that there is an infinite extension of $(x'_0, \cdots, x'_n)$ in P that satisfies f, i.e., $(x'_0, \cdots, x'_n)$ is not an indicator. Since $\pi_1$ is faulty and P is pre-diagnosable, there is a prefix $\pi_0$ of $\pi_1$ such that $\pi_0$ is an indicator. From the above, for any arbitrarily long finite extension of $\pi_0$ along $\pi_1$, denoted as $(x_0, \cdots, x_k)$, there always exists a finite state-trace $(x'_0, \cdots, x'_n)$ accepted by P that is indistinguishable from $(x_0, \cdots, x_k)$ and is not an indicator. From Definition 5, P is not diagnosable, which is a contradiction to the hypothesis. So the necessity holds.

For sufficiency, suppose $\forall q \in Q_{30}$, $\langle T_3, q \rangle \models f$. Let $T'_3$ be the state machine obtained before performing the deletion process that deletes the terminating states (while deriving $T_3$ in the third step of Algorithm 1). Suppose $\pi = (x_0, \cdots, x_k)$ is an indicator in P. If no state-trace of the form $((q_0, x_0), \cdots, (q_k, x_k))$ is accepted by $T'_3$, then no state-trace $((q'_0, x'_0), \cdots, (q'_j, x'_j))$ is accepted by $T_1$ such that $\pi$ and $(x'_0, \cdots, x'_j)$ are indistinguishable in P. It further implies that any state-trace in $Tr_P$ that is indistinguishable from $\pi$ is an indicator. If there exists a state-trace $\pi_1 = ((q_0, x_0), \cdots, (q_k, x_k))$ that is accepted by $T'_3$, then we claim that any extension of $\pi_1$ in $T'_3$ can never reach a state that is contained in a loop in $T'_3$. If our claim is true, then for any finite extension $\pi_0 = \pi\pi_2 = (x_0, \cdots, x_k, x_{k+1}, \cdots, x_{k+r})$ of $\pi$ in P with $|\pi_2| = r \ge |Q_2 \times X| - 1 = |Q_2| * |X| - 1$, no state-trace of the form $((q_0, x_0), \cdots, (q_{k+r}, x_{k+r}))$ is accepted by $T'_3$. This, from the above, would imply that any state-trace in $Tr_P$ that is indistinguishable from $\pi_0$ is an indicator. From Definition 5, P would be diagnosable, where n can be chosen to be $n = |Q_2| * |X| - 1$. So the sufficiency would hold. So, it suffices to prove our claim, which we do in the following.

Suppose there is an extension $\pi_1\pi'_1$ of $\pi_1$ in $T'_3$ ending in a state that is contained in a loop. Then we can get an infinite extension $\pi_0$ of $\pi_1 = ((q_0, x_0), \cdots, (q_k, x_k))$ in $T'_3$ along the loop, and obviously $\pi_0$ is accepted by $T_3$. From the hypothesis, we know $\pi_0 \models f$. Let

$\pi_0 = \pi_1((q_{k+1}, x_{k+1}), \cdots, (q_{k+i}, x_{k+i}))((q_{k+i+1}, x_{k+i+1}), \cdots, (q_{k+i+j}, x_{k+i+j}))^{\omega}.$

From the construction of $T_3$ and because $T'_2$ does not contain any ε-transition, it can be verified that

$\pi' = (x_0, \cdots, x_k, \cdots, x_{k+i})(x_{k+i+1}, \cdots, x_{k+i+j})^{\omega}$

is an infinite state-trace accepted by P and $\pi' \models f$. Since $\pi = (x_0, \cdots, x_k)$ is a prefix of $\pi'$ and $\pi' \models f$, $\pi$ is not an indicator in P, which is a contradiction to the hypothesis that $\pi$ is an indicator in P. This establishes our claim and completes the proof.

Now we prove the soundness and completeness of Algorithm 1, where soundness means that the diagnoser found by Algorithm 1 is correct, i.e., there are no "missed detections" and "false alarms"; completeness means that Algorithm 1 finds a diagnoser whenever the system is diagnosable.

Theorem 4 Algorithm 1 is sound and complete.


Proof: For soundness, from Theorem 3, we know that no execution of an indicator in P remains undetected for more than $|Q_2| * |X| - 1$ state steps by $T_2$ (i.e., there are no "missed detections"). Next, from the construction of $T_1$, we know that any event-trace in P that is not associated with an indicator (i.e., that can be extended to an infinite event-trace that is associated with an infinite state-trace satisfying f) is generated by $T_1$. This implies that the execution of any non-indicator state-trace is accepted by $T_2$ (i.e., there are no "false alarms").

The completeness comes directly from Theorem 3. This is because if the diagnosability test in Step 3 of Algorithm 1 fails, then from Theorem 3 we know that the system is not diagnosable, and so in fact no diagnoser exists.

The following algorithm solves the failure diagnosis problem for systems with multiple specifications and is based on Algorithm 1. The soundness and completeness of the algorithm follow directly from Definition 6 and Theorem 4.

Algorithm 2 Algorithm for failure diagnosis with multiple specifications

1. Test the diagnosability of the system P with respect to each specification $f_i$ using Algorithm 1. If P is not diagnosable with respect to some $f_i$, then stop and output that "the system is not diagnosable"; otherwise obtain the diagnoser $D_i$ for each $f_i$ using Algorithm 1.

2. Derive the diagnoser D for the set of specifications $\{f_i, i = 1, 2, \cdots, m\}$ as the collection of all $D_i$, i.e., $D = \{D_i, i = 1, 2, \cdots, m\}$. For any observed event-trace of P through the mask M, if a "fault" signal is generated by a $D_i$, $i = 1, 2, \cdots, m$, then it indicates the detection of an "$f_i$-type failure" in P representing the violation of the specification $f_i$.

Remark 8 Algorithm 2 provides a method for failure detection and identification. It is easy to verify that its complexity is polynomial in both the number of states of the system and the number of specifications (or failure types), and is exponential in the length of each individual specification LTL formula. This is the first time that an algorithm polynomial in both the number of states of the system and the number of failure types has been derived for failure diagnosis.

Note that our method has an extra complexity that is exponential in the length of each individual specification LTL formula. This is to be expected since we are using a more abstract, and hence a more compact, representation of a specification. It is possible to represent the given LTL specification using faulty transitions as in [36], but the computational complexity of diagnosis based upon such a translation will be inferior compared to the direct approach we have given. To substantiate our claim, the following steps may be taken to represent the given LTL specification in terms of faulty transitions:

1. Construct a non-deterministic generalized Büchi automaton $T_f$ for the given LTL formula f. Assuming pre-diagnosability (since otherwise there is no need to proceed further), the acceptance condition in $T_f$ can be removed, i.e., $T_f$ can be viewed as a non-deterministic automaton that generates a regular ∗-language.

2. Obtain a deterministic finite state machine $T_d$ by determinizing $T_f$.


3. Perform a proposition-synchronization of P and $T_d$, and during the synchronization process any transition in P that cannot be synchronized with a transition in $T_d$ is declared as a faulty transition.

It can be verified that the computational complexity of the above steps is doubly exponential in the length of the LTL formula f, i.e., $O(2^{2^{|f|}})$. This is inferior compared to the direct approach we have taken, whose complexity is singly exponential in the length of the LTL specification f.

Remark 9 In the following, we provide a comparison of our approach to failure diagnosis with the approach of [36].

1. Due to the use of temporal logic for specification, our approach may be thought to be more "user-friendly". In practical situations, it is more common that a natural-language-based specification of the faults is given. In most cases, it is easy to translate such natural-language specifications into temporal logic specifications. Derivation of event failure types from a set of natural-language specifications may not always be clear.

2. Only "safety" failures can be captured through a failure event, whereas our method can capture both "safety" and "liveness" failures.

3. A test for checking diagnosability as defined in [36], which is polynomial in the number of system states and the number of failure types, was recently reported in [15]. The method for diagnoser design given in [36] has a complexity that is exponential in the number of states of the system and doubly exponential in the number of failure types. Our method has a polynomial complexity in the number of system states and the number of failure types for both the diagnosability test and diagnoser design. Also, since the problem of testing diagnosability is reduced to that of model checking, by using symbolic model checking (see [8]) or bounded model checking [3, 7] we may test the diagnosability of large systems more efficiently, although the worst case complexity will remain the same.

4. The methods for the diagnosability test in [15] and diagnoser design in [36] require that there be no unobserved cycle in the system, whereas such a requirement is not needed in our work. This makes our method applicable to a more general class of systems.

5. The generality of our framework (which allows the system to be non-deterministic and possibly to contain unobservable cycles) makes our approach applicable to terminating as well as non-terminating systems.

6. There is a difference between the diagnoser derived from [36] and the diagnoser derived from Algorithm 2. The diagnoser in [36] is a deterministic state machine, while ours consists of a set of non-deterministic state machines. Having a non-deterministic representation of the diagnoser that is polynomial in the number of system states and the number of specifications makes it practical to design a diagnoser off-line, and also to implement it on-line. For the on-line implementation, our diagnoser needs to maintain a set of possible present states (which is polynomially bounded by the number of states of the system), whereas the on-line implementation of the deterministic diagnoser given in [36] will have an exponential space complexity.


5 Illustrative Example

In this section, we give a simple example to illustrate our result. Our example consists of a traffic monitoring problem of a mouse in a maze. The maze, shown in Figure 3, consists of six rooms connected by various one-way passages, where some of them have sensors installed

[Figure 3: Mouse in a maze. Six rooms numbered 0 to 5 connected by one-way passages, each marked as observable or unobservable; the mouse starts in room 0, the cat is in room 1 and the food is in room 2; the drawing is not reproduced here.]

to detect the passing of the mouse. There is also a cat which always stays in room 1. The mouse is initially in room 0, but it can visit other rooms by using one-way passages, and it never stays in one room forever. Our task is to monitor the behavior of the mouse by observing the signals of those sensors to detect whether or not the given specifications are satisfied, and if violated, then identify them. The specifications are given as:

Spec 1 The mouse never visits room 1 where the cat stays (this is an invariance, a type of safety, property);

Spec 2 The mouse shall visit room 2 for food infinitely often (this is a recurrence, a type of liveness, property).

Note that the above problem cannot be solved by the method in [36] because of the liveness specification Spec 2 and the unobservable cycle generated by the loop (room 3, room 4, room 3) in the system. It can be formulated as a failure diagnosis problem of a discrete event system with LTL specifications as follows. The system is modeled by

P = (X, Σ, R, x0, AP, L),

which is shown in Figure 4, where X = {xi, 0 ≤ i ≤ 5}; Σ = {o1, o2, o3, o4, u}, ∆ = {o1, o2, o3, o4}; the mask M is given as M(u) = ε and M(oi) = oi for 0 ≤ i ≤ 4; AP = {p1, p2}; L(xi) = ∅ for i ∉ {1, 2}, L(x1) = {p1}, and L(x2) = {p2}. The specifications are given by the LTL formulae f1 = G¬p1 and f2 = GFp2.

Now we can use Algorithm 2 for the above failure diagnosis problem. We first use Algorithm 1 to test the diagnosability of the system with respect to each individual specification. From the first step of Algorithm 1, the generalized Büchi automaton for $f_i$ is derived as $T^{f_i} = (C^{f_i}, \Sigma_{AP}, R^{f_i}, q_0^{f_i}, \mathcal{F}_i)$, $i = 1, 2$, which are shown in Figure 5(a) and (b) respectively. Here $q_0^{f_1} = s_0$, $q_0^{f_2} = t_0$, $\mathcal{F}_1 = \{F_1^1 = \{s_1\}\}$, and $\mathcal{F}_2 = \{F_1^2 = \{t_1\}\}$. Next $T_1^{f_1}$ and $T_1^{f_2}$ are derived from the second step of Algorithm 1. They are shown in Figure 6(a) and (b) respectively, where $y_{ij} = (s_i, x_j)$ and $z_{ij} = (t_i, x_j)$. It is easy to verify that both acceptance conditions, with respect to $\mathcal{F}_1 = \{F_1^1\}$ and $\mathcal{F}_2 = \{F_1^2\}$, are satisfied by every infinite state-trace in the two state machines respectively, i.e., the corresponding LTL formulae are satisfied by the state machines respectively. So P is pre-diagnosable with respect to f1 and f2 respectively.

[Figure 4: System model. States x0 to x5 with L(x1) = {p1} and L(x2) = {p2}; transitions on u are unobservable, transitions on o1, o2, o3, o4 are observable.]

[Figure 5: Automata for f1 and f2. (a) The automaton for f1 with states s0, s1 and accepting set $F_1^1$; (b) the automaton for f2 with states t0, t1, t2 and accepting set $F_1^2$.]

[Figure 6: Models of $T_1^{f_1}$ and $T_1^{f_2}$. (a) States y10, y12, y13, y14, y15; (b) states z20, z21, z25, z12.]

The masked versions of $T_1^{f_1}$ and $T_1^{f_2}$ are derived as $T_2^{f_1}$ and $T_2^{f_2}$ from the third step of Algorithm 1, which are shown in Figure 7(a) and (b) respectively.

[Figure 7: Models of $T_2^{f_1}$ and $T_2^{f_2}$. (a) States y10, y12, y13; (b) states z12, z20; all transitions are on observable events.]

From the third step of Algorithm 1, $T_3^{f_1}$ and $T_3^{f_2}$ can also be derived; they have transition structures similar to those of $T_1^{f_1}$ and $T_1^{f_2}$ in Figure 6 respectively. The details are omitted here. It is easy to verify that f1 and f2 are satisfied by $T_3^{f_1}$ and $T_3^{f_2}$ respectively. So the system P is diagnosable with respect to f1 and f2 respectively. From Definition 6, we know that P is diagnosable with respect to the set of specifications {f1, f2}.

Finally we can use $D = \{D_1 = (T_2^{f_1}, M_{T_2^{f_1}}),\ D_2 = (T_2^{f_2}, M_{T_2^{f_2}})\}$ as the diagnoser for the system. It is easy to check that the behavior of the mouse that violates Spec i can be detected by $D_i = (T_2^{f_i}, M_{T_2^{f_i}})$ (i = 1, 2).
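The following is an added example, not code from the paper: an on-line diagnoser D1 for the safety specification f1 = G¬p1 on the mouse-in-a-maze system, which also illustrates remark 6 above (the diagnoser only maintains a set of possible present states). The rooms, events and labels follow the paper's description of Figure 4, but the transition relation R is an assumed, constructed one, since the figure is not legible in the extracted text.

```python
"""Added example (not the paper's code): on-line diagnoser D1 for f1 = G not p1,
"the mouse never visits the cat's room".  The transition relation R is a
constructed assumption consistent with the paper's textual description."""

# System P = (X, Sigma, R, x0, AP, L): states are rooms x0..x5, 'u' is the
# unobservable event, o1..o4 are observable (M(u) = epsilon, M(oi) = oi).
X = {"x0", "x1", "x2", "x3", "x4", "x5"}
R = {
    ("x0", "u"): "x3", ("x3", "u"): "x4", ("x4", "u"): "x3",  # unobservable 3-4-3 loop
    ("x4", "o4"): "x2",                                         # into the food room
    ("x2", "o2"): "x0",
    ("x0", "o1"): "x1",                                         # into the cat's room
    ("x1", "u"): "x5", ("x5", "o3"): "x0",
}
L = {"x1": {"p1"}, "x2": {"p2"}}        # L(x) is empty for every other room
UNOBSERVABLE = {"u"}

def safety_product_states(states, bad_prop="p1"):
    """Step 2 of Algorithm 1 for f = G not p: the automaton for G not p has no
    transition on p, so the product T1 keeps exactly the states not labelled p."""
    return {x for x in states if bad_prop not in L.get(x, set())}

def unobservable_reach(frontier, allowed):
    """Close a state set under unobservable moves that stay inside T1
    (the masking of step 3)."""
    seen, stack = set(frontier), list(frontier)
    while stack:
        x = stack.pop()
        for (src, e), dst in R.items():
            if src == x and e in UNOBSERVABLE and dst in allowed and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return seen

def diagnose(observed, init="x0"):
    """Run D1 over a sequence of observed events, tracking only the set of T1
    states consistent with the observation (polynomial in |X|).  When that set
    becomes empty no f1-conforming run explains what was seen, so a violation of
    Spec 1 is reported.  Returns (index of detection or None, final estimate)."""
    allowed = safety_product_states(X)
    est = unobservable_reach({init}, allowed)
    for i, o in enumerate(observed):
        moved = {dst for (src, e), dst in R.items()
                 if src in est and e == o and dst in allowed}
        est = unobservable_reach(moved, allowed)
        if not est:
            return i, est
    return None, est
```

With the assumed R, the observation o4 o2 o4 is consistent with Spec 1, while o4 o2 o1 is flagged at the third event, because no run of $T_2^{f_1}$ can produce o1.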

6 Conclusion

In this paper, the failure diagnosis problem for discrete event systems with LTL specifications is studied. The diagnosability of DESs in the temporal logic setting is defined. The problem of testing diagnosability is reduced to that of model checking. An algorithm for the test of diagnosability and the design of a diagnoser is derived, with complexity exponential in the length of each specification LTL formula and polynomial in the number of states of the system and the number of specifications. An illustrative example is also provided.

Note that we have used LTL formulae for specifying properties of DESs in this paper. As a future research direction, one may use CTL* formulae [12, 8] to represent the specifications of DESs, and study the failure diagnosis problem with CTL* specifications. Also note that in this paper, no action is taken after a failure is detected and reported. However, in real applications, after a failure is detected in a system, the system should be reconfigured, i.e., the system should be adaptive to the occurrences of failures. Thus a failure-adaptive control of DESs is also a future research topic.


References

[1] M. Barbeau, F. Kabanza, and R. St.-Denis. A method for the synthesis of controllers to handle safety, liveness, and real-time constraints. IEEE Transactions on Automatic Control, 43(11):1543–1559, 1998.

[2] S. Bavishi and E. Chong. Automated fault diagnosis using a discrete event systems framework. In Proceedings of 1994 IEEE International Symposium on Intelligent Control, pages 213–218, 1998.

[3] A. Biere, A. Cimatti, E. Clarke, and Y. Zhu. Symbolic model checking without BDDs. In Proceedings of the Workshop on Tools and Algorithms for the Construction and Analysis of Systems (TACAS99), (Lecture Notes in Computer Science). Springer-Verlag, 1999.

[4] A. Bouloutas, G. W. Hart, and M. Schwartz. On the design of observers for fault detection in communication networks. In A. Kershenbaum et al., editors, Network Management and Control, pages 319–338. Plenum Press, 1990.

[5] A. Bouloutas, G. W. Hart, and M. Schwartz. Simple finite-state fault detectors for communication networks. IEEE Trans. on Communications, 40(3):477–479, March 1992.

[6] Y. L. Chen and G. Provan. Fault diagnosis in timed discrete-event systems. In Proceedings of the 38th IEEE Conference on Decision and Control, pages 1756–1761, Phoenix, AZ, 1999.

[7] E. Clarke, A. Biere, R. Raimi, and Y. Zhu. Bounded model checking using satisfiability solving. Formal Methods in System Design, 19(1):7–34, 2001.

[8] E. M. Clarke, O. Grumberg, and D. A. Peled. Model Checking. MIT Press, Cambridge, MA, 1999.

[9] A. Darwiche and G. Provan. Exploiting system structure in model-based diagnosis of discrete event systems. In Proceedings of the Seventh International Workshop on Principles of Diagnosis, Val Morin, Canada, 1996.

[10] S. R. Das and L. E. Holloway. Characterizing a confidence space for discrete event timings for fault monitoring using discrete sensing and actuation signals. IEEE Transactions on Systems, Man, and Cybernetics—Part A: Systems and Humans, 30(1):52–66, 2000.

[11] R. Debouk, S. Lafortune, and D. Teneketzis. Coordinated decentralized protocols for failure diagnosis of discrete event systems. Discrete Event Dynamical Systems: Theory and Applications, 10:33–79, 2000.

[12] E. A. Emerson. Temporal and modal logic. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science. Elsevier Science Publishers, 1990.

[13] D. N. Godbole, J. Lygeros, E. Singh, A. Deshpande, and A. E. Lindsey. Communication protocols for a fault-tolerant automated highway system. IEEE Transactions on Control Systems Technology, 8(5):787–800, September 2000.


[14] L. E. Holloway and S. Chand. Distributed fault monitoring in manufacturing systems using concurrent discrete-event observations. Integrated Computer-Aided Engineering, 3(4):244–254, 1996.

[15] S. Jiang, Z. Huang, V. Chandra, and R. Kumar. A polynomial time algorithm for diagnosability of discrete event systems. IEEE Transactions on Automatic Control, 46(8):1318–1321, 2001.

[16] S. Jiang and R. Kumar. Supervisory control of discrete event systems with CTL* temporal logic specification. In 2001 IEEE Conference on Decision and Control, pages 4122–4127, FL, December 2001.

[17] S. Jiang and R. Kumar. Failure diagnosis of discrete event systems with linear-time temporal logic fault specifications. In Proceedings of 2002 American Control Conference, pages 128–133, Anchorage, Alaska, 2002.

[18] S. Jiang, R. Kumar, and H. E. Garcia. Diagnosis of repeated failures in discrete event systems. In Proceedings of 2002 Conference on Decision and Control, pages 4000–4005, Las Vegas, NV, December 2002.

[19] J. F. Knight and K. M. Passino. Decidability for a temporal logic used in discrete-event system analysis. International Journal of Control, 52(6):1489–1506, 1990.

[20] R. Kumar and V. K. Garg. Modeling and Control of Logical Discrete Event Systems. Kluwer Academic Publishers, Boston, MA, 1995.

[21] L. Lamport. Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers. Addison-Wesley, Boston, 2002.

[22] M. Larsson. Behavioral and structural model based approaches to discrete diagnosis. PhD thesis, Linköping University, Linköping, Sweden, 1999.

[23] F. Lin. Analysis and synthesis of discrete event systems using temporal logic. Control Theory and Advanced Technologies, 9(1):341–350, 1993.

[24] F. Lin. Diagnosability of discrete event systems and its applications. Discrete Event Dynamic Systems: Theory and Applications, 4(1):197–212, 1994.

[25] F. Lin, J. Markee, and B. Rado. Design and test of mixed signal circuits: a discrete event approach. In Proceedings of the 32nd IEEE Conference on Decision and Control, pages 246–251, 1993.

[26] J.-Y. Lin and D. Ionescu. Verifying a class of nondeterministic discrete event systems in a generalized temporal logic. IEEE Transactions on Systems, Man and Cybernetics, 22(6):1461–1469, 1992.

[27] J.-Y. Lin and D. Ionescu. Reachability synthesis procedure for discrete event systems in a temporal logic. IEEE Transactions on Systems, Man and Cybernetics, 24(9):1397–1406, 1994.


[28] J. Lygeros, D. N. Godbole, and M. Broucke. A fault tolerant control architecture for automated highway system. IEEE Transactions on Control Systems Technology, 8(2):205–219, March 2000.

[29] J. S. Ostroff. Synthesis of controllers for real-time discrete event systems. In Proceedings of 28th IEEE Conference on Decision and Control, Tampa, FL, 1989.

[30] J. S. Ostroff and W. M. Wonham. A framework for real-time discrete event control. IEEE Transactions on Automatic Control, 35(4):386–397, 1990.

[31] D. Pandalai and L. Holloway. Template languages for fault monitoring of timed discrete event processes. IEEE Transactions on Automatic Control, 45(5):868–882, May 2000.

[32] Y. Park and E. K. P. Chong. Distributed inversion in timed discrete event systems. Discrete Event Dynamic Systems: Theory and Applications, 5(2-3):219–241, 1995.

[33] K. M. Passino and P. J. Antsaklis. Branching time temporal logic for discrete event system analysis. In Proceedings of 1988 Allerton Conference, pages 1160–1169, Allerton, IL, 1988.

[34] S. H. Zad, R. H. Kwong, and W. M. Wonham. Fault diagnosis in timed discrete-event systems. In Proceedings of the 38th IEEE Conference on Decision and Control, pages 1756–1761, Phoenix, AZ, 1999.

[35] M. Sampath and S. Lafortune. Active diagnosis of discrete event systems. IEEE Transactions on Automatic Control, 43(7):908–929, 1998.

[36] M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen, and D. Teneketzis. Diagnosability of discrete event systems. IEEE Transactions on Automatic Control, 40(9):1555–1575, September 1995.

[37] M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen, and D. Teneketzis. Failure diagnosis using discrete event models. IEEE Transactions on Control Systems Technology, 4(2):105–124, March 1996.

[38] K. T. Seow and R. Devanathan. Temporal framework for assembly sequence representation and analysis. IEEE Transactions on Robotics and Automation, 10(2):220–229, April 1994.

[39] K. T. Seow and R. Devanathan. A temporal logic approach to discrete event control for the safety canonical class. Systems and Control Letters, 28:205–217, 1996.

[40] J. G. Thistle and W. M. Wonham. Control problems in temporal logic framework. International Journal of Control, 44(4):943–976, 1986.

[41] G. Westerman, R. Kumar, C. Stroud, and J. R. Heath. Discrete event systems approach for delay fault analysis in digital circuits. In Proceedings of 1998 American Control Conference, Philadelphia, PA, 1998.


[42] H. Wong-Toi and D. L. Dill. Synthesizing processes and schedulers from temporal specifications. In Proceedings of the 1991 Computer-Aided Verification Workshop, (Lecture Notes in Computer Science), volume 531. Springer-Verlag, 1991.

[43] T. S. Yoo and S. Lafortune. Polynomial-time verification of diagnosability of partially observed discrete-event systems. IEEE Transactions on Automatic Control, 47(9):1491–1495, 2002.

[44] S. Young and V. K. Garg. Model uncertainty in discrete event systems. SIAM Journal of Control and Optimization, 33(1):208–226, 1995.

[45] S. H. Zad. Fault diagnosis in discrete-event and hybrid systems. PhD thesis, University of Toronto, Toronto, Canada, 1999.
