- Email: [email protected]
Diagnosability of system faults with propagation under asymmetric invalidation
North-Holland Microprocessing and Microprogramming 24 (1988) 723-730
723
DIAGNOSABILITY OF SYSTEM FAULTS WITH PROPAGATION UNDER ASYMMETRIC INVALIDATION
Kaiyuan Huang Department of Computer Science, Chongqing University Chongqing, Sichuan 630044 People's Republic of China
We proposed in [i] considering the influence of fault propagation on the diagnosability of an interconnected system. In addition to the parameter t of the ntmber of faulty units, a parameter k was introduced of the n u ~ e r of components consisting of faulty units, so as to capture the effect of fault propagation. While the diagnostic model under symmetric invalidation proposed by Preparata et al. was assumed in [i], we consider in this paper the same problem for the diagnostic model under asymmetric invalidation proposed by Barsi et al. Both one-step and sequential diagnosabilities are fully characterized in terms of test assignment. The results indicate that the requirement on the number of tests for a given degree of diagnosabillty (t) is considerably weaker under this new model than under the BC~ model in the one-step case. In the sequential case, it is shown that the requirement on the number of units for a given degree of diagnosability is also weaker under the new model than under either the B{~4 model or the symmetric invalidation model presented in [i].
i.
INTRODUCTION
Preparata, Metze and Chien [3] first took a graph-theoretic approach to diagnosis of systems with a large number of units. In their approach, a unit is considered to have rather strong capability - - with which it is capable of testing other units in the system. The testing relationship is modeled by a digraph, called test digraph, in which a vertex stands for a unit and an arc for test. An arc from vertex u to vertex v in the test digraph corresponds to a test in the system which unit u performs on unit v. Test outcomes are simply classified as either "fault-free" or "f~Ity." It is assumed that a test outcome is reliable if and only if the unit performing the test is fault-free. If the testing unit is faulty, then either of the test outcomes "fault-free" and "faulty" is producible, irrespective of the status of the t~sted unit. The set of test outcomes is called the syndrome of the system. One way for identifying faulty units is to conduct, after an application of the tests, a logic analysis on the syndrome to identify al[ faulty units. This strategy is called one-step di~3nos~s. Another way for a~:,~omplishing this mission takes a different strategy. Unlike one-step diagnosis, it identifies from a syndrome only a nonempty subset of faulty units, instead of all faulty units. After some faulty units have been localized, they are either repaired or replaced by standby spares. The above test-identify-repair process can be iterated for several times until all faulty units present have been identified and repaired. This strategy is called seq~emtlal diagr~osis.
A system is said to be one-step t-dia@DosabIe if all faulty units can be identified from the syndrome, provided that the number of faulty units does not exceed t. If, under the same hypothesis, a nonempty subset of faulty units can be identified, the system is said to be seqm~tlally t-dlagnosabJe. An important problem is to decide whether a given system is t-dia~osable for a given value of t in either case. For one-step t-diagnosability, a characterization theorem is given in [4] by Rakimi and Amin. While this result looks elegant, it takes exponential time with which to decide if a given system is one-step t-diagnosable. Sullivan [5] has presented the first polynomial time algorithm for determining one-step t-diagnosability, i.e., the greatest value of t for which a given system is one-step t-diagnosable. As to sequential t-diagnosability, no full characterization result has come into being; however, some partial results have been available [3,9]. Since the seminal work by Preparata et al. system-level diagnosis has been of great concern to the fault-tolerant computing community and received intensive study. Several variations of the original model have been proposed and various facets of tile corresponding problems have been studied comprehensively. Important issues already studied include testing for diagnosability, optimal design of diagnosable systems, fault identiTication algorithms and distributed diagnosis procedures. ]t is worth mentioning that certain research activities have been undertaken towards
K. Huang / Diagnosability of System Faults
724
system-level
diagnosis
based
fault-tolerant
systems.
Along this line, Chwa and Hakimi [6] have shown that system-level diagnosis can be employed as a basis for attaining a given level of fault tolerance (redundancy) with fewer resources than the conventional n - m o d u l a r r e d u n d a n c y a p p r o a c h , w h i l e Lombardi [7] h a s d e v e l o p e d a l g o r i t h m s f o r t h i s p u r p o s e . A s i m i l a r i d e a h a s b e e n t a k e n by Cin e t a l . [8] in the design of a decentralized fault-tolerant system, named ATTI~MPTO. Work on this aspect has shown that system-level diagnosis based fault tolerance can be an excellent alternative to n-modular redudancy approach and hence expanded the original application area. These application studies surely further encourage the study of the theory. For our purpose, we need to mention two particular variations of the original model. One is introduced by Barsi et al. [2], in which the nature of a test is taken into consideration. In the original model a faulty testing unit can completely invalidate the test, while in the model of Barsi et al. it is assumed that a faulty unit is always found faulty even if the testing unit is faulty. The motif for the latter model of test outcome interpretation can be found in [2]. These two kinds of test interpretation are called symetrlc Invalidation and asymetrlc inval~datlon respectively. The other variation we will be concerned with is developed by Huang and Chen [i], which takes into consideration the tendency of a fault to propagate. It is assumed there that a fault may be propagated among units through c o m m u n i c a t i o n l i n k s i n one way o r a n o t h e r . As a result, f a u l t y u n i t s a r e somehow c o n n e c t e d with respect to the system connection. A new parameter k is introduced to describe the number o f c o m p o n e n t s composed o f f a u l t y u n i t s . The family of allowable fault sets is therefore reduced to a collection of k/t fault sets each of which contains at most t faulty units with the number of components composed of them not exceeding k. The symmetric invalidation is assumed there and if every k/t fault set is identifiable then the system is said to be one-step kit dlagnesable. It should be obvious from the definition that a system is one-step k/t diagnosable provided that it is one-step t-diagnosable as the family of allowable fault sets for one-step k/t diagnosability is a proper subset of the family of allowable fault sets for one-step t-diagnosability. Sequential kit dlagnesabillty is defined in a similar way. O~,e-step k/t diagnosability characterization, optimal one-step k/t diagnosable system design and sequetial k/t .diagnosability have been studied in [I]. We will take into consideration these two motives and define k/t diagnosability under asymmetric invalidation in either case of the
one-step and the sequential. We will first present the fundamental terms in Section 2 and then characterize one-step k/t diagnosability in Section 3 and sequential k/t diagnosability in Section 4.
2.
PRELIMINARIES
Th~ test assignment for a system is modeled by a digraph D(V,A), called a test dlgrapb, where V is a set of vertices standing for units and A is a set of arcs for tests. An arc (vi,vj) c A means that the unit corresponding to v. i tests the unit corresponding to v .. For J convenience, the terms unit and vertex, and test and arc will be used interchangeably. As mentioned in the Introduction, the diagnostic model under asymmetric invalidation proposed by Barsi et al. [2] will be used in conjunction with an abstraction of fault propagation. This diagnostic model can be presented in the form of a test response fonctlon R: A --. {0,i}, where the values of the function for some edges may not be uniquely determined from the status of their endpoints. For any (vi,vj) e A,
R((vi,vj)) = 0
if v.i and v.j are both fault-free
]
provided v. is faulty J
x
otherwise, where x e {0,I).
Any instance r of R, in which the x's have been assigned the specific values "0" or "I", is called a sgndrome of the system. We also need to mention some graph terminologies and notations. The msderl¥1ng simple gralmb of a digraph D(V,A), denoted by G(V,E), is a simple graph having the same vertex set in which there is an edge between a pair of vertices if and only if there is an arc between them in D(V,A). For any subset V' c V, the V'-Indaced subgraph G[V'] of a graph G(V,E) is the remainder of G(V,E) after removing vertices in V - V' and edges incident on vertices in V - V'. The neighborhood N(v) of a vertex v is the set of vertices adjacent to v. A c o ~ n e n t of a graph G is a connected subgraph of G which is not a proper subgraph of any connected subgraph of G. The number of components of G is denoted by e(G). A vertex cover of a graph G is a subset of the vertex set of G such that every edge in G has at least one endpoint in it, while an Indepei~ent set of G is a subset of the vertex set such that there is not any edge between any pair of the vertices in this subset. The vertex cover of minimum cardinality is called mlnlmum v e r t e x c o v e r and the independent set of maximum cardinality is called maximum ~,dependent set. A cut vertex is such a
K. Huang / Diagnosability of System Faults vertex that its removal will lead to disconnection of the original graph. A subgaph isolated by cut vertices including these cut vertices is called a block. A stromgly contracted component of a digraph D is a strongly connected subgraph of D which is not a proper subgraph of any strongly c o n n e c t e d s u b g r a p h o f D. Definition 1: G i v e n a t e s t d i g r a p h D, a f a u l t set F will be called a k/t fault set if w(G[F]) ~ k and IFI < t. The faiily of klt fault sets is d e n o t e d b y ~ ( k / t ) . In the framework of asymmetric invalidation, if a k/t f~ult set can possibly produce a syndrome r, it will be said to be k/t conslstemt wltb r under ~sj~etric invalldation. Furthermore, two k / t f a u l t s e t s F I a n d F 2 a r e s a i d t o b e
is defined
725
as follows:
r-l(v) : { u l ( u , v ) e A}. The t e s t e e s e t o f a v e r t e x v e V, d e n o t e d b y F(v) is defined similarly: r(v) = (ul
r ( v ' ) : L_J
and
r(v).
v~V' Finally, the exterDal tester set T(V') of a subset V' c V is the set of testers external t o V': T(V') : r-l(v ') - V'.
k/t
Definition
asymmetric invalidation.
T+(v) o f v e r t e x v i s d e f i n e d a s t h e vertices from each of which there directed path to v in the test digraph.
dlstlngulshable under asFmmetrlc invalidation if there is no such a syndrome as both F 1 and F 2 are k/t consistent with under
The parameter k has been introduced to capture the effect of fault propagation. Qualitatively speaking, a system with higher c~,l,ability of protection from contamination has a larger value of k.
3.
4:
The
transitive
test
closure
set is
of a
T h e o r e m 1: A s y s t e m i s k / t d i a g n o s a b l e i f a n d only if either of the following conditions h o l d s f o r a n y two f a u l t s e t s F 1 , F 2 e ~ ( k / t ) : i. F-I(F I - F2) - F 2 ~ @, 2. F-I(F2 - FI) - F I ~ @.
TESTING FOR ONE-STEP DIAGNOSABILITY
If every k/t fault set is identifiable from any syndrome it can possibly produce, the system is said to be one-step k / t dlagi~suble. This means that any pair of k/t fault sets are k/t distinguishable. Within the framework of aymmetric invalidation, we have the following:
¥1
1
1
F2
Definition 2: A system with test digraph D(V,A) is said to be one-step k / t dlagnosable under asF1-metrlc Inwalldatlon if F 1 a n d F 2 are k/t distinguishable under invalidation for any fault sets
asymmetric FI, F 2 e
~(k/t). It is immediate from the definition that one-step k/t diagnosability under asymmetric J,,validation degenerates into one-step t-diagnosability under asymmetric invalidation if k is set equal to t. T h a t i s , t h i s new diagnosability measure is a generalization of the old one. It is also obvious that one-step k/t diagnosis under asymmetric invalidation allows more faulty units to be identified than either one-step t-diagnosis under asymmetric invalidation or one-step k/t diagnosis under symmetric invalidation. In what follows, one-step and asymmetric invalidation are implied wherever k/t diagnosability (diagnosis) is concerned, unless otherwise noted. Definition i n the t e s t
3: The t e s t e r digraph
set
D(V,A),
of a vertex
v e V
denoted by r-l(v),
Fig. I
A syndrome consistent with both F 1 and F 2
Proof: (necessity) conditions hold for
If neither of these some f a u l t sets F1,F 2 G
(k/t), we c a n c o n s t r u c t a syndrome r as illustrated in Fig. 1, w h e r e t h e u n l a b e l e d test outcomes are all "0". It can be easily verified that both F 1 and F 2 are k/t consistent with r and therefore the system is not k/t diagnosable.
K. Huang/Diagnosability o f System Faults
726
(sufficiency) If, for any two k/t fault sets F 1 and F2, either of the conditions is met, say, the first is met, then there is a test performed on a vertex in F 1 - F2 by a vertex
Corollary 2: If a system is k/t diagnosable, then IT+(v) l > t for every vertex in the test digraph.
If F 2 is the present fault set,
Proof: Suppose IT+(v) l < t for some vertex v e
the test outcome must be "0". Otherwise, if F 1 is the present fault set, the test outcome
V. We can see that T+(v) and T+(v) U {v} are both k/t fault sets. However, we have
must be "I". In both cases, this test can distinguish F 1 from F 2. It follows that the
=@
outside F 2.
system is k/t diagnosable. Q.E.D. Corollary I: If a system is k/t diagnosable (k < t), then vEV. Proof:
Ir-l(v)l >
k holds for every vertex
r-l(T+(v) - (T+(v) u {v})) - (T+(v) U {v)) and r-l(T+(v) u {v} - T+(v)) - T+(v) = o. It follows from Theorem 1 that the system is not k/t diagnosable. Q.E.D. Corollary 3:
Assume the system is k/t diagnosable.
First, we show that r-l(v) cannot be empty for any vertex v. If some vertex u has no tester, we can take a vertex w tested by u (see Fig. 2 (a)) and we have {U,W},{w} c ~(k/t), r-l({u,w} - {w}) - {w} = • and r-l({w} - {u,w}) - {u,w} = @. By Theorem i, the system is not k/t diagnosable, a contradiction. Second, suppose there is a vertex v e V such that
Ir-l(v)l <
Proof:
If the underlying simple graph of the test digraph is biconnected, choose any two vertices v I and v 2 in V. Otherwise, there are
st least two blocks each of which contains a sigle cut vertex. Choose from each of these b}ocks a vertex which is not a cut vertex. Obviously, such a vertex can always be found. Let the chosen vertices be v I and v 2 (see Fig. 3).
Consider vertex sets F 1 = V - {Vl} and F 2
k, then we have r-l(v), r-l(v) u {v} e ~(k/t),
= V - {v2}.
r-l(r-l(v)
G[F 2]
- r-i(v)
u {v}) - r - l ( v )
u {v} = •
and r-l(r-l(v) u {v} - r-l(v)) - r-l(v) = (see Fig. 2 (b)). By Theorem l, the system is not k/t diagnosable. Again, a contradiction. Therefore,
If a system is k/t diagnosable,
then t _< Ivl - 2.
Ir-l(v) l must be greater than k. Q.E.D.
are
The induced subgraphs G[FI] connected
in
both
cases
and and
therefore we have FI, F 2 e ~(k/(IV [ - i)) even in the extreme situation (k = I).
However, it
can be easily seen that r-l(Fl - F 2) - F 2 = and F-I(F2 - FI) - F 1 = @.
By Theorem I, the
system is not k/t diagnosable. Q.E.D.
(a)
Fig. 2
(b)
Two counterexamples
This condition on the number of testers of a unit is just the same as that for k/t diagnosability under symmetric invalidation
[]].
Fig. 3
Compared
A schematic diagram of a underlying simple graph with cut vertices
with
k/t
diagnosability
under
K. Huang/ Diagnosability of System Faults symmetric invalidation, which requires that a system have at least 2t + I units [I], k/t diagnosability places a much weaker constraint o. the number of units in the system. This is in parallel with the comparison of t-diagnosability under asymmetric invalidation with t-diagnosability under symmetric i,,validation. Theorem I': A system is k/t diagnosable (k < t) if and only if the following conditions hold:
727
It is not difficult to see that F-I(F[ - F~) -
F~ ~ r-l( 5 - ~2) - F~ and r-l<~ - ~i) - q r-l(F2 fault r-l(F{
- FI) - F I.
Since Fi and F~ are k/t
sets with at least -
F~)
-
F~ o r
k vertices,
r-l(F~
-
F ' 1)
-
either F'I
is
not empty, which implies that either F-I(FI F 2) - F2 # @ or F-I(F2 - FI) - F I ~ @. Hence
I. Ir-l(v) l > k for every vertex v e V; 2. for any two k/t fault sets F 1 and F 2
[Fll,
with
1~21 ~
the theorem. Q.E.D.
k,
either
F - I ( F 1 - F2) - F 2 ~ ~
or
F - I ( F 2 -- F1)
@
- F1 ~ ~.
F1
Proof: We will only show the sufficiency as tl,,: necessity part is trivial. Suppose the conditions are satisfied. It suffices to show either of F-I(F 1 - F 2) - F 2 # • and r-l(F2 FI) - F 1 ~ @ holds for such a pair of fault sets
with
]Fll
< k or
IF21
< k
.
There
F2
a,'e
two cases to consider: Case I: F 1 c F 2 (F2 c F 1 is analogous) If IF2[ ~ k, we are certain that r-l(F2 - FI)
F i : F I U Fb
F 1 ¢ @ as every vertex has at least k + 1
F~ = F 2 O F a
testers and therefore some tester must be outside of F I. If IF21 > k, we construct a
(a)
new pair of k/t fault sets F~ and F~ each with at least k vertices as in Case 2, which ace distinguishable only if the original pair of fault sets F 1 and F 2 are distinguishable. F1
F2
Case 2: F 1 ¢ F 2 and F 2 ¢ F 1 ]f IFll < k, we repeatedly add vertice~ in F 2 We
IVll
F 1 to F I until name
Similarly, vertices
IFI -
F21
set F~.
the if
: k or
resultant IF21
<
k,
IF2 - F l l
fault we
repeatedly
in F I - F 2 to F Z until = i.
set
: 1. Fi. add
F
/
IF2] = k or
We name the resultant fault
If [F~I ~
[F~I , F~ and F~ must both
be k/t fault sets with at least k vertices (see Fig. 4 (a)). Otherwise, if they both have k vertices we have finished, and if not, we can take k - IF]I vertices from V - F i
F~ : F 1 u Fb o F c F~ = F 2 U F a U F c
(b)
F' 2 and add them to F i and F~ both, resulting two k/t fault sets with exactly k vertices (see Fig. 4 (b)). We can always do so, as we have IF-l(v) l > k, which means that the number of vertices in the system is no less than k + 2.
Fig.
4.
4
Expanding
of f a u l t
sets
TESTING FOR SEQUENTIAL DIAGNOSABILITY
728
K. Huang / D iagnosability o f Systern Faults
As we have seen so far, to uniquely identify a k/t fault set present requires relatively comprehensive inter-unit testing, which, in turn, places a strong requirement on the system connection. This prohibits application of system-level diagnosis in many situations where system connections are not so comprehensive. For instance, the connection of a grid is very limited. To alleviate this difficulty, we may take a circuitous course. We may try to identify a subset, instead of all, of faulty units after an application of the tests and replace or repair them and then repeat this process until all faulty units have been localized and replaced or repaired. We will discuss in this section the identification of a k/t fault set by this strategy.
theorem. Q.E.D. Definition 6: The (k. v)-cover Ck, v of a graph G with vertex than k The (k.
respect to a vertex v is a minimum cover of G which can induce no more components and contains the vertex v. v. N)-cover Ck,v, N of a graph G with
respect to a vertex v is a minimum verle× cover of G which can induce no more than k components and includes N(v) but excludes v. The cardinality of Ck, v is called the
(k. v)-cover l~lex of G with respect to v and is
denoted
cardinality
by of
(k. v o N)-cover Definition
5:
A
system
is
said
to
be
s~lae~tlally klt dlags~sab/e (under asymmetric invalidation) if at least one faulty unit can be identified from a syndrome, provided the fault set present is a k/t fault set. First, we will see it suffices to consider individually the strongly connected components of a system in study of sequential k/t diagnosability. In our scope of discussion, a system is always connected. A disconnected system does not make any sense within this context as we surely can treat each component individually. Theorem 2: If the test graph D(V,A) of a system is not strongly connected, let D[Vl], D[V2] , ..., D[Vm]
be the strongly connected
components of D such that the external tester set T(Vi) is empty for 1 < i < m. For any
fl,k(V). Ck,v, N
Similarly, is
called
the the
i~dex of G with respect to v
and is denoted by fO,k(V).
If there is no
(k, v, N)-cover with respect to some vertex v, then the value of fO,k(V) is defined to be equal to the number of vertices in the system. The value of the (k, v)-cover index fl,k(V) equals to the minimum number of vertices which must be faulty to give rise to an all "l" syndrome on the assumption that v is faulty. the value of the (k, v, N)-cover index fO,k(V) equals to the minimum number of vertices which must be faulty to give rise to an all "I" syndrome on the assumption that v is fault-free. Here the set of faulty vertices must conform to our k/t fault pattern, rn certain cases, there is no vertex cover of G which includes N(v) but excludes v and induces no more than k components for some vertex v.
given value of kj let k/t i be the sequential diagnosability of D[Vi] for 1 ~ i < m.
Then
the sequential diagnosability k/t of the system is such that t = Min (tl, t2, ..., tm). Proof: First we show that there is at least one strongly connected component that does not have any outside tester. Assume, to the contrary, every strongly connected component has an outside tester. Then we can proceed from a strongly connected component and trace a test into that component from another strongly connected component. Since the number of strongly connected components is finite, we can eventually enter a strongly connected component already visited, which implies these distinct connected components are in a co~lon strongly connected component, a contradiction. Finally, it can be easily seen that if all faulty vertices appear in a single strongly connected component without any outside tester, the tests not internal to this component do not provide any useful information for identification of these faulty uuits. This completes the proof of the
Fig. 5
Example illustrating absence of some (k, v, N)-cover
Take as an example the test digraph shown in Fig. 5. We cannot find any (I, v4, N)-cover of this test digraph.
If v 4 is fault-free, we
cannot find any i/t fault set to interpret an
K. Huang / Diagnosability of System Faults
all "I" syndrome. In this case, if an all "L" syndrome does occur, we can unambiguously identify v 4 as faulty. Theorem 3: If the test digraph D(V,A) of a system is strongly connected, then the system is sequentially k/t diagnosable if and only i £ t < Max ( U {fO,k' fl,k })" v
(necessity)
fl,k(V)}),
If t _> Max ( U {fO,k (v)' veV then fO,k(V) _< t and fl,k(V) _< t
hold for every vertex v e V. This implies that there is a k/t fault set which can produce an all "i" syndrome and that if this fault set is present every vertex will be col,sistent with its two states of "fault-free" and "faulty," a contradiction. (sufficiency) Suppose, to the contrary, that the condition is satisfied but the system is not sequentially k/t diagnosable. This implies that some k/t fault set can produce a sy,,drome which are consistent with both states of each vertex. Such a syndrome is necessarily all "1" as a "0" test outcome allows identification of at least one fault-free vertex, which means at least one faulty vertex can be identified since the test digraph is strongly connected. However, the condition in the theorem implies that there is some vertex v with fO,k(V) >_ t + 1 or f],k(V) > t + I. The number of faulty vertices present must be exactly t and neither of fO,k(V) and fl,k(V) can be greater than t + [ since an all "i" syndrome is produced. In addition, fo,k(v) and fl,k(V) cannot both take the value of t + i.
If fO,k(V) = t + i, v can
be unambiguously identified as faulty, col,tradicting to the hypothesis that the system is not sequentially k/t diagnosable. ]f fl,k(V) = t + I, v can be identified as fault-free and from this fault-free vertex at least one faulty vertex can be identified, again, a contradiction. Q.E.D. Theorem 3, together with Theorem 2, provides means of testing an arbitrary system for sequential k/t diagnosability. As a direct consequence of Theorem 3, we have the following: Corollary 4: If a system with test digraph D(V,A) is sequentially k/t diagnosable, then we have IVI > t. Proof: It suffices only to consider strongly connected test digraphs. From Definition 6, we can see that fl,k(V) < IVI and fO,k(V) <_ IV] for any vertex v and value of k. It follows from Theorem 3 that a system can never
729
have a sequential k/t diagnosability with t = Ivl •
O.E.D. The upper bound on the value of t of sequential k/t diagnosability provided by Corollary 3 is, in fact, a tight bound. This 8ssertion can be justified by studing the test digraph in Fig. 5. It can be easily verified that fO,l(V4) equals to four, the number of vertices in the test digraph. Compared with the upper bound on the value t of sequential t-diagnosability (under asymmetric invalidation), which is IVl - 2 [2], the upper bound for sequential k/t diagnosability is increased by one. Finally, if there is a test between two fault-free vertices, one fault-free vertex can immediately be localized. Furthermore, if the test digraph is strongly connected, it is very easy to find a faulty vertex, if there is any, from this fault-free vertex. Theorem 4: If the test digraph is strongly connected and if every k/t fault set is not a vertex cover of the underlying simple graph of the test digraph, then the system is sequentially k/t diagnosable. Proof: The proof of this and therefore omitted.
theorem
is trivial
Theorem 4 also suggests a very simple algorithm for sequential k/t diagnosis for systems which meet the conditions of Theorem 4.
5.
CONCLUSION
We have developed a new model which incorporates the fundamental ideas of [i] and [2]. The diagnosability characterization problem has been solved in both the one-step and sequential cases. The results obtained under this new model have shown that the new model is superior to its ancestors in some respect.
REFEHENCES
[l]K. Huang and T. Chen, "On the diagnosis of system faults with propagation," IEEE Trans. Comput., Vol. C-35, pp. 1082-1086, Dec. 1988. [2] A. B a r s i , F. Grandoni and P. M a e s t r i n i , "A t h e o r y o f d i a g n o s a b i l i t y o f d i g i t a l s y s t e m s , " IEEE Trans. Comput., Vol. C-25, pp. 885-893, June 1976. [3] F. P r e p a r a t a , G. Metze and R. Chien, "On t h e c o n n e c t i o n a s s i g n m e n t problem o f diagnosable systems," IEEE Trans. Electron. Comput., Vol. EC-16, pp. 848-854, Dec. 1967. [4] S. Hakimi and A. Amin, " C h a r a c t e r i z a t i o n
730
K. Huang/Diagnosability of System Faults
of connection assignment of diagnosable systems," IERE Trans. Comput., Vol. C-23, pp. 86-88, Jan. 1974. [5] G. Sullivan, "A polynomial time algorithm for fault diagnosability," Prec. FOCS-84, pp. 148-156. [6] K. Chwa and S. Hakimi, "Schemes f o r fault-tolerant computing: A c o m p a r i s o n o f modularly redundant ant t-diagnosable systems," Information and Control, Vol. 49, pp. 212-238, 1981.
[7] F. Lombardi, "Diagnosable systems for fault-tolerant c o m p u t i n g , " P r e c . FTCS-]5, pp. 4 2 - 5 0 , 1985. [8] H. Cin e t a l . , "ATTEMPTO: An e x p e r i m e n t n l fault tolerant multiprocessor system," M i c r o p r o c . and M i c r o p r o g . , Vol. 20, pp. 301-308, May 1987. [9] F. Ciompi and L Simoncini, "Analysis ,rod optimal desgn of self-diagnosable systems with repair," IEEE Trans. Comput., Vol. C-28, pp. 362-365, Hay 1979.
723
DIAGNOSABILITY OF SYSTEM FAULTS WITH PROPAGATION UNDER ASYMMETRIC INVALIDATION
Kaiyuan Huang Department of Computer Science, Chongqing University Chongqing, Sichuan 630044 People's Republic of China
We proposed in [i] considering the influence of fault propagation on the diagnosability of an interconnected system. In addition to the parameter t of the ntmber of faulty units, a parameter k was introduced of the n u ~ e r of components consisting of faulty units, so as to capture the effect of fault propagation. While the diagnostic model under symmetric invalidation proposed by Preparata et al. was assumed in [i], we consider in this paper the same problem for the diagnostic model under asymmetric invalidation proposed by Barsi et al. Both one-step and sequential diagnosabilities are fully characterized in terms of test assignment. The results indicate that the requirement on the number of tests for a given degree of diagnosabillty (t) is considerably weaker under this new model than under the BC~ model in the one-step case. In the sequential case, it is shown that the requirement on the number of units for a given degree of diagnosability is also weaker under the new model than under either the B{~4 model or the symmetric invalidation model presented in [i].
i.
INTRODUCTION
Preparata, Metze and Chien [3] first took a graph-theoretic approach to diagnosis of systems with a large number of units. In their approach, a unit is considered to have rather strong capability - - with which it is capable of testing other units in the system. The testing relationship is modeled by a digraph, called test digraph, in which a vertex stands for a unit and an arc for test. An arc from vertex u to vertex v in the test digraph corresponds to a test in the system which unit u performs on unit v. Test outcomes are simply classified as either "fault-free" or "f~Ity." It is assumed that a test outcome is reliable if and only if the unit performing the test is fault-free. If the testing unit is faulty, then either of the test outcomes "fault-free" and "faulty" is producible, irrespective of the status of the t~sted unit. The set of test outcomes is called the syndrome of the system. One way for identifying faulty units is to conduct, after an application of the tests, a logic analysis on the syndrome to identify al[ faulty units. This strategy is called one-step di~3nos~s. Another way for a~:,~omplishing this mission takes a different strategy. Unlike one-step diagnosis, it identifies from a syndrome only a nonempty subset of faulty units, instead of all faulty units. After some faulty units have been localized, they are either repaired or replaced by standby spares. The above test-identify-repair process can be iterated for several times until all faulty units present have been identified and repaired. This strategy is called seq~emtlal diagr~osis.
A system is said to be one-step t-dia@DosabIe if all faulty units can be identified from the syndrome, provided that the number of faulty units does not exceed t. If, under the same hypothesis, a nonempty subset of faulty units can be identified, the system is said to be seqm~tlally t-dlagnosabJe. An important problem is to decide whether a given system is t-dia~osable for a given value of t in either case. For one-step t-diagnosability, a characterization theorem is given in [4] by Rakimi and Amin. While this result looks elegant, it takes exponential time with which to decide if a given system is one-step t-diagnosable. Sullivan [5] has presented the first polynomial time algorithm for determining one-step t-diagnosability, i.e., the greatest value of t for which a given system is one-step t-diagnosable. As to sequential t-diagnosability, no full characterization result has come into being; however, some partial results have been available [3,9]. Since the seminal work by Preparata et al. system-level diagnosis has been of great concern to the fault-tolerant computing community and received intensive study. Several variations of the original model have been proposed and various facets of tile corresponding problems have been studied comprehensively. Important issues already studied include testing for diagnosability, optimal design of diagnosable systems, fault identiTication algorithms and distributed diagnosis procedures. ]t is worth mentioning that certain research activities have been undertaken towards
K. Huang / Diagnosability of System Faults
724
system-level
diagnosis
based
fault-tolerant
systems.
Along this line, Chwa and Hakimi [6] have shown that system-level diagnosis can be employed as a basis for attaining a given level of fault tolerance (redundancy) with fewer resources than the conventional n - m o d u l a r r e d u n d a n c y a p p r o a c h , w h i l e Lombardi [7] h a s d e v e l o p e d a l g o r i t h m s f o r t h i s p u r p o s e . A s i m i l a r i d e a h a s b e e n t a k e n by Cin e t a l . [8] in the design of a decentralized fault-tolerant system, named ATTI~MPTO. Work on this aspect has shown that system-level diagnosis based fault tolerance can be an excellent alternative to n-modular redudancy approach and hence expanded the original application area. These application studies surely further encourage the study of the theory. For our purpose, we need to mention two particular variations of the original model. One is introduced by Barsi et al. [2], in which the nature of a test is taken into consideration. In the original model a faulty testing unit can completely invalidate the test, while in the model of Barsi et al. it is assumed that a faulty unit is always found faulty even if the testing unit is faulty. The motif for the latter model of test outcome interpretation can be found in [2]. These two kinds of test interpretation are called symetrlc Invalidation and asymetrlc inval~datlon respectively. The other variation we will be concerned with is developed by Huang and Chen [i], which takes into consideration the tendency of a fault to propagate. It is assumed there that a fault may be propagated among units through c o m m u n i c a t i o n l i n k s i n one way o r a n o t h e r . As a result, f a u l t y u n i t s a r e somehow c o n n e c t e d with respect to the system connection. A new parameter k is introduced to describe the number o f c o m p o n e n t s composed o f f a u l t y u n i t s . The family of allowable fault sets is therefore reduced to a collection of k/t fault sets each of which contains at most t faulty units with the number of components composed of them not exceeding k. The symmetric invalidation is assumed there and if every k/t fault set is identifiable then the system is said to be one-step kit dlagnesable. It should be obvious from the definition that a system is one-step k/t diagnosable provided that it is one-step t-diagnosable as the family of allowable fault sets for one-step k/t diagnosability is a proper subset of the family of allowable fault sets for one-step t-diagnosability. Sequential kit dlagnesabillty is defined in a similar way. O~,e-step k/t diagnosability characterization, optimal one-step k/t diagnosable system design and sequetial k/t .diagnosability have been studied in [I]. We will take into consideration these two motives and define k/t diagnosability under asymmetric invalidation in either case of the
one-step and the sequential. We will first present the fundamental terms in Section 2 and then characterize one-step k/t diagnosability in Section 3 and sequential k/t diagnosability in Section 4.
2.
PRELIMINARIES
Th~ test assignment for a system is modeled by a digraph D(V,A), called a test dlgrapb, where V is a set of vertices standing for units and A is a set of arcs for tests. An arc (vi,vj) c A means that the unit corresponding to v. i tests the unit corresponding to v .. For J convenience, the terms unit and vertex, and test and arc will be used interchangeably. As mentioned in the Introduction, the diagnostic model under asymmetric invalidation proposed by Barsi et al. [2] will be used in conjunction with an abstraction of fault propagation. This diagnostic model can be presented in the form of a test response fonctlon R: A --. {0,i}, where the values of the function for some edges may not be uniquely determined from the status of their endpoints. For any (vi,vj) e A,
R((vi,vj)) = 0
if v.i and v.j are both fault-free
]
provided v. is faulty J
x
otherwise, where x e {0,I).
Any instance r of R, in which the x's have been assigned the specific values "0" or "I", is called a sgndrome of the system. We also need to mention some graph terminologies and notations. The msderl¥1ng simple gralmb of a digraph D(V,A), denoted by G(V,E), is a simple graph having the same vertex set in which there is an edge between a pair of vertices if and only if there is an arc between them in D(V,A). For any subset V' c V, the V'-Indaced subgraph G[V'] of a graph G(V,E) is the remainder of G(V,E) after removing vertices in V - V' and edges incident on vertices in V - V'. The neighborhood N(v) of a vertex v is the set of vertices adjacent to v. A c o ~ n e n t of a graph G is a connected subgraph of G which is not a proper subgraph of any connected subgraph of G. The number of components of G is denoted by e(G). A vertex cover of a graph G is a subset of the vertex set of G such that every edge in G has at least one endpoint in it, while an Indepei~ent set of G is a subset of the vertex set such that there is not any edge between any pair of the vertices in this subset. The vertex cover of minimum cardinality is called mlnlmum v e r t e x c o v e r and the independent set of maximum cardinality is called maximum ~,dependent set. A cut vertex is such a
K. Huang / Diagnosability of System Faults vertex that its removal will lead to disconnection of the original graph. A subgaph isolated by cut vertices including these cut vertices is called a block. A stromgly contracted component of a digraph D is a strongly connected subgraph of D which is not a proper subgraph of any strongly c o n n e c t e d s u b g r a p h o f D. Definition 1: G i v e n a t e s t d i g r a p h D, a f a u l t set F will be called a k/t fault set if w(G[F]) ~ k and IFI < t. The faiily of klt fault sets is d e n o t e d b y ~ ( k / t ) . In the framework of asymmetric invalidation, if a k/t f~ult set can possibly produce a syndrome r, it will be said to be k/t conslstemt wltb r under ~sj~etric invalldation. Furthermore, two k / t f a u l t s e t s F I a n d F 2 a r e s a i d t o b e
is defined
725
as follows:
r-l(v) : { u l ( u , v ) e A}. The t e s t e e s e t o f a v e r t e x v e V, d e n o t e d b y F(v) is defined similarly: r(v) = (ul
r ( v ' ) : L_J
and
r(v).
v~V' Finally, the exterDal tester set T(V') of a subset V' c V is the set of testers external t o V': T(V') : r-l(v ') - V'.
k/t
Definition
asymmetric invalidation.
T+(v) o f v e r t e x v i s d e f i n e d a s t h e vertices from each of which there directed path to v in the test digraph.
dlstlngulshable under asFmmetrlc invalidation if there is no such a syndrome as both F 1 and F 2 are k/t consistent with under
The parameter k has been introduced to capture the effect of fault propagation. Qualitatively speaking, a system with higher c~,l,ability of protection from contamination has a larger value of k.
3.
4:
The
transitive
test
closure
set is
of a
T h e o r e m 1: A s y s t e m i s k / t d i a g n o s a b l e i f a n d only if either of the following conditions h o l d s f o r a n y two f a u l t s e t s F 1 , F 2 e ~ ( k / t ) : i. F-I(F I - F2) - F 2 ~ @, 2. F-I(F2 - FI) - F I ~ @.
TESTING FOR ONE-STEP DIAGNOSABILITY
If every k/t fault set is identifiable from any syndrome it can possibly produce, the system is said to be one-step k / t dlagi~suble. This means that any pair of k/t fault sets are k/t distinguishable. Within the framework of aymmetric invalidation, we have the following:
¥1
1
1
F2
Definition 2: A system with test digraph D(V,A) is said to be one-step k / t dlagnosable under asF1-metrlc Inwalldatlon if F 1 a n d F 2 are k/t distinguishable under invalidation for any fault sets
asymmetric FI, F 2 e
~(k/t). It is immediate from the definition that one-step k/t diagnosability under asymmetric J,,validation degenerates into one-step t-diagnosability under asymmetric invalidation if k is set equal to t. T h a t i s , t h i s new diagnosability measure is a generalization of the old one. It is also obvious that one-step k/t diagnosis under asymmetric invalidation allows more faulty units to be identified than either one-step t-diagnosis under asymmetric invalidation or one-step k/t diagnosis under symmetric invalidation. In what follows, one-step and asymmetric invalidation are implied wherever k/t diagnosability (diagnosis) is concerned, unless otherwise noted. Definition i n the t e s t
3: The t e s t e r digraph
set
D(V,A),
of a vertex
v e V
denoted by r-l(v),
Fig. I
A syndrome consistent with both F 1 and F 2
Proof: (necessity) conditions hold for
If neither of these some f a u l t sets F1,F 2 G
(k/t), we c a n c o n s t r u c t a syndrome r as illustrated in Fig. 1, w h e r e t h e u n l a b e l e d test outcomes are all "0". It can be easily verified that both F 1 and F 2 are k/t consistent with r and therefore the system is not k/t diagnosable.
K. Huang/Diagnosability o f System Faults
726
(sufficiency) If, for any two k/t fault sets F 1 and F2, either of the conditions is met, say, the first is met, then there is a test performed on a vertex in F 1 - F2 by a vertex
Corollary 2: If a system is k/t diagnosable, then IT+(v) l > t for every vertex in the test digraph.
If F 2 is the present fault set,
Proof: Suppose IT+(v) l < t for some vertex v e
the test outcome must be "0". Otherwise, if F 1 is the present fault set, the test outcome
V. We can see that T+(v) and T+(v) U {v} are both k/t fault sets. However, we have
must be "I". In both cases, this test can distinguish F 1 from F 2. It follows that the
=@
outside F 2.
system is k/t diagnosable. Q.E.D. Corollary I: If a system is k/t diagnosable (k < t), then vEV. Proof:
Ir-l(v)l >
k holds for every vertex
r-l(T+(v) - (T+(v) u {v})) - (T+(v) U {v)) and r-l(T+(v) u {v} - T+(v)) - T+(v) = o. It follows from Theorem 1 that the system is not k/t diagnosable. Q.E.D. Corollary 3:
Assume the system is k/t diagnosable.
First, we show that r-l(v) cannot be empty for any vertex v. If some vertex u has no tester, we can take a vertex w tested by u (see Fig. 2 (a)) and we have {U,W},{w} c ~(k/t), r-l({u,w} - {w}) - {w} = • and r-l({w} - {u,w}) - {u,w} = @. By Theorem i, the system is not k/t diagnosable, a contradiction. Second, suppose there is a vertex v e V such that
Ir-l(v)l <
Proof:
If the underlying simple graph of the test digraph is biconnected, choose any two vertices v I and v 2 in V. Otherwise, there are
st least two blocks each of which contains a sigle cut vertex. Choose from each of these b}ocks a vertex which is not a cut vertex. Obviously, such a vertex can always be found. Let the chosen vertices be v I and v 2 (see Fig. 3).
Consider vertex sets F 1 = V - {Vl} and F 2
k, then we have r-l(v), r-l(v) u {v} e ~(k/t),
= V - {v2}.
r-l(r-l(v)
G[F 2]
- r-i(v)
u {v}) - r - l ( v )
u {v} = •
and r-l(r-l(v) u {v} - r-l(v)) - r-l(v) = (see Fig. 2 (b)). By Theorem l, the system is not k/t diagnosable. Again, a contradiction. Therefore,
If a system is k/t diagnosable,
then t _< Ivl - 2.
Ir-l(v) l must be greater than k. Q.E.D.
are
The induced subgraphs G[FI] connected
in
both
cases
and and
therefore we have FI, F 2 e ~(k/(IV [ - i)) even in the extreme situation (k = I).
However, it
can be easily seen that r-l(Fl - F 2) - F 2 = and F-I(F2 - FI) - F 1 = @.
By Theorem I, the
system is not k/t diagnosable. Q.E.D.
(a)
Fig. 2
(b)
Two counterexamples
This condition on the number of testers of a unit is just the same as that for k/t diagnosability under symmetric invalidation
[]].
Fig. 3
Compared
A schematic diagram of a underlying simple graph with cut vertices
with
k/t
diagnosability
under
K. Huang/ Diagnosability of System Faults symmetric invalidation, which requires that a system have at least 2t + I units [I], k/t diagnosability places a much weaker constraint o. the number of units in the system. This is in parallel with the comparison of t-diagnosability under asymmetric invalidation with t-diagnosability under symmetric i,,validation. Theorem I': A system is k/t diagnosable (k < t) if and only if the following conditions hold:
727
It is not difficult to see that F-I(F[ - F~) -
F~ ~ r-l( 5 - ~2) - F~ and r-l<~ - ~i) - q r-l(F2 fault r-l(F{
- FI) - F I.
Since Fi and F~ are k/t
sets with at least -
F~)
-
F~ o r
k vertices,
r-l(F~
-
F ' 1)
-
either F'I
is
not empty, which implies that either F-I(FI F 2) - F2 # @ or F-I(F2 - FI) - F I ~ @. Hence
I. Ir-l(v) l > k for every vertex v e V; 2. for any two k/t fault sets F 1 and F 2
[Fll,
with
1~21 ~
the theorem. Q.E.D.
k,
either
F - I ( F 1 - F2) - F 2 ~ ~
or
F - I ( F 2 -- F1)
@
- F1 ~ ~.
F1
Proof: We will only show the sufficiency as tl,,: necessity part is trivial. Suppose the conditions are satisfied. It suffices to show either of F-I(F 1 - F 2) - F 2 # • and r-l(F2 FI) - F 1 ~ @ holds for such a pair of fault sets
with
]Fll
< k or
IF21
< k
.
There
F2
a,'e
two cases to consider: Case I: F 1 c F 2 (F2 c F 1 is analogous) If IF2[ ~ k, we are certain that r-l(F2 - FI)
F i : F I U Fb
F 1 ¢ @ as every vertex has at least k + 1
F~ = F 2 O F a
testers and therefore some tester must be outside of F I. If IF21 > k, we construct a
(a)
new pair of k/t fault sets F~ and F~ each with at least k vertices as in Case 2, which ace distinguishable only if the original pair of fault sets F 1 and F 2 are distinguishable. F1
F2
Case 2: F 1 ¢ F 2 and F 2 ¢ F 1 ]f IFll < k, we repeatedly add vertice~ in F 2 We
IVll
F 1 to F I until name
Similarly, vertices
IFI -
F21
set F~.
the if
: k or
resultant IF21
<
k,
IF2 - F l l
fault we
repeatedly
in F I - F 2 to F Z until = i.
set
: 1. Fi. add
F
/
IF2] = k or
We name the resultant fault
If [F~I ~
[F~I , F~ and F~ must both
be k/t fault sets with at least k vertices (see Fig. 4 (a)). Otherwise, if they both have k vertices we have finished, and if not, we can take k - IF]I vertices from V - F i
F~ : F 1 u Fb o F c F~ = F 2 U F a U F c
(b)
F' 2 and add them to F i and F~ both, resulting two k/t fault sets with exactly k vertices (see Fig. 4 (b)). We can always do so, as we have IF-l(v) l > k, which means that the number of vertices in the system is no less than k + 2.
Fig.
4.
4
Expanding
of f a u l t
sets
TESTING FOR SEQUENTIAL DIAGNOSABILITY
728
K. Huang / D iagnosability o f Systern Faults
As we have seen so far, to uniquely identify a k/t fault set present requires relatively comprehensive inter-unit testing, which, in turn, places a strong requirement on the system connection. This prohibits application of system-level diagnosis in many situations where system connections are not so comprehensive. For instance, the connection of a grid is very limited. To alleviate this difficulty, we may take a circuitous course. We may try to identify a subset, instead of all, of faulty units after an application of the tests and replace or repair them and then repeat this process until all faulty units have been localized and replaced or repaired. We will discuss in this section the identification of a k/t fault set by this strategy.
theorem. Q.E.D. Definition 6: The (k. v)-cover Ck, v of a graph G with vertex than k The (k.
respect to a vertex v is a minimum cover of G which can induce no more components and contains the vertex v. v. N)-cover Ck,v, N of a graph G with
respect to a vertex v is a minimum verle× cover of G which can induce no more than k components and includes N(v) but excludes v. The cardinality of Ck, v is called the
(k. v)-cover l~lex of G with respect to v and is
denoted
cardinality
by of
(k. v o N)-cover Definition
5:
A
system
is
said
to
be
s~lae~tlally klt dlags~sab/e (under asymmetric invalidation) if at least one faulty unit can be identified from a syndrome, provided the fault set present is a k/t fault set. First, we will see it suffices to consider individually the strongly connected components of a system in study of sequential k/t diagnosability. In our scope of discussion, a system is always connected. A disconnected system does not make any sense within this context as we surely can treat each component individually. Theorem 2: If the test graph D(V,A) of a system is not strongly connected, let D[Vl], D[V2] , ..., D[Vm]
be the strongly connected
components of D such that the external tester set T(Vi) is empty for 1 < i < m. For any
fl,k(V). Ck,v, N
Similarly, is
called
the the
i~dex of G with respect to v
and is denoted by fO,k(V).
If there is no
(k, v, N)-cover with respect to some vertex v, then the value of fO,k(V) is defined to be equal to the number of vertices in the system. The value of the (k, v)-cover index fl,k(V) equals to the minimum number of vertices which must be faulty to give rise to an all "l" syndrome on the assumption that v is faulty. the value of the (k, v, N)-cover index fO,k(V) equals to the minimum number of vertices which must be faulty to give rise to an all "I" syndrome on the assumption that v is fault-free. Here the set of faulty vertices must conform to our k/t fault pattern, rn certain cases, there is no vertex cover of G which includes N(v) but excludes v and induces no more than k components for some vertex v.
given value of kj let k/t i be the sequential diagnosability of D[Vi] for 1 ~ i < m.
Then
the sequential diagnosability k/t of the system is such that t = Min (tl, t2, ..., tm). Proof: First we show that there is at least one strongly connected component that does not have any outside tester. Assume, to the contrary, every strongly connected component has an outside tester. Then we can proceed from a strongly connected component and trace a test into that component from another strongly connected component. Since the number of strongly connected components is finite, we can eventually enter a strongly connected component already visited, which implies these distinct connected components are in a co~lon strongly connected component, a contradiction. Finally, it can be easily seen that if all faulty vertices appear in a single strongly connected component without any outside tester, the tests not internal to this component do not provide any useful information for identification of these faulty uuits. This completes the proof of the
Fig. 5
Example illustrating absence of some (k, v, N)-cover
Take as an example the test digraph shown in Fig. 5. We cannot find any (I, v4, N)-cover of this test digraph.
If v 4 is fault-free, we
cannot find any i/t fault set to interpret an
K. Huang / Diagnosability of System Faults
all "I" syndrome. In this case, if an all "L" syndrome does occur, we can unambiguously identify v 4 as faulty. Theorem 3: If the test digraph D(V,A) of a system is strongly connected, then the system is sequentially k/t diagnosable if and only i £ t < Max ( U {fO,k' fl,k })" v
(necessity)
fl,k(V)}),
If t _> Max ( U {fO,k (v)' veV then fO,k(V) _< t and fl,k(V) _< t
hold for every vertex v e V. This implies that there is a k/t fault set which can produce an all "i" syndrome and that if this fault set is present every vertex will be col,sistent with its two states of "fault-free" and "faulty," a contradiction. (sufficiency) Suppose, to the contrary, that the condition is satisfied but the system is not sequentially k/t diagnosable. This implies that some k/t fault set can produce a sy,,drome which are consistent with both states of each vertex. Such a syndrome is necessarily all "1" as a "0" test outcome allows identification of at least one fault-free vertex, which means at least one faulty vertex can be identified since the test digraph is strongly connected. However, the condition in the theorem implies that there is some vertex v with fO,k(V) >_ t + 1 or f],k(V) > t + I. The number of faulty vertices present must be exactly t and neither of fO,k(V) and fl,k(V) can be greater than t + [ since an all "i" syndrome is produced. In addition, fo,k(v) and fl,k(V) cannot both take the value of t + i.
If fO,k(V) = t + i, v can
be unambiguously identified as faulty, col,tradicting to the hypothesis that the system is not sequentially k/t diagnosable. ]f fl,k(V) = t + I, v can be identified as fault-free and from this fault-free vertex at least one faulty vertex can be identified, again, a contradiction. Q.E.D. Theorem 3, together with Theorem 2, provides means of testing an arbitrary system for sequential k/t diagnosability. As a direct consequence of Theorem 3, we have the following: Corollary 4: If a system with test digraph D(V,A) is sequentially k/t diagnosable, then we have IVI > t. Proof: It suffices only to consider strongly connected test digraphs. From Definition 6, we can see that fl,k(V) < IVI and fO,k(V) <_ IV] for any vertex v and value of k. It follows from Theorem 3 that a system can never
729
have a sequential k/t diagnosability with t = Ivl •
O.E.D. The upper bound on the value of t of sequential k/t diagnosability provided by Corollary 3 is, in fact, a tight bound. This 8ssertion can be justified by studing the test digraph in Fig. 5. It can be easily verified that fO,l(V4) equals to four, the number of vertices in the test digraph. Compared with the upper bound on the value t of sequential t-diagnosability (under asymmetric invalidation), which is IVl - 2 [2], the upper bound for sequential k/t diagnosability is increased by one. Finally, if there is a test between two fault-free vertices, one fault-free vertex can immediately be localized. Furthermore, if the test digraph is strongly connected, it is very easy to find a faulty vertex, if there is any, from this fault-free vertex. Theorem 4: If the test digraph is strongly connected and if every k/t fault set is not a vertex cover of the underlying simple graph of the test digraph, then the system is sequentially k/t diagnosable. Proof: The proof of this and therefore omitted.
theorem
is trivial
Theorem 4 also suggests a very simple algorithm for sequential k/t diagnosis for systems which meet the conditions of Theorem 4.
5.
CONCLUSION
We have developed a new model which incorporates the fundamental ideas of [i] and [2]. The diagnosability characterization problem has been solved in both the one-step and sequential cases. The results obtained under this new model have shown that the new model is superior to its ancestors in some respect.
REFEHENCES
[l]K. Huang and T. Chen, "On the diagnosis of system faults with propagation," IEEE Trans. Comput., Vol. C-35, pp. 1082-1086, Dec. 1988. [2] A. B a r s i , F. Grandoni and P. M a e s t r i n i , "A t h e o r y o f d i a g n o s a b i l i t y o f d i g i t a l s y s t e m s , " IEEE Trans. Comput., Vol. C-25, pp. 885-893, June 1976. [3] F. P r e p a r a t a , G. Metze and R. Chien, "On t h e c o n n e c t i o n a s s i g n m e n t problem o f diagnosable systems," IEEE Trans. Electron. Comput., Vol. EC-16, pp. 848-854, Dec. 1967. [4] S. Hakimi and A. Amin, " C h a r a c t e r i z a t i o n
730
K. Huang/Diagnosability of System Faults
of connection assignment of diagnosable systems," IERE Trans. Comput., Vol. C-23, pp. 86-88, Jan. 1974. [5] G. Sullivan, "A polynomial time algorithm for fault diagnosability," Prec. FOCS-84, pp. 148-156. [6] K. Chwa and S. Hakimi, "Schemes f o r fault-tolerant computing: A c o m p a r i s o n o f modularly redundant ant t-diagnosable systems," Information and Control, Vol. 49, pp. 212-238, 1981.
[7] F. Lombardi, "Diagnosable systems for fault-tolerant c o m p u t i n g , " P r e c . FTCS-]5, pp. 4 2 - 5 0 , 1985. [8] H. Cin e t a l . , "ATTEMPTO: An e x p e r i m e n t n l fault tolerant multiprocessor system," M i c r o p r o c . and M i c r o p r o g . , Vol. 20, pp. 301-308, May 1987. [9] F. Ciompi and L Simoncini, "Analysis ,rod optimal desgn of self-diagnosable systems with repair," IEEE Trans. Comput., Vol. C-28, pp. 362-365, Hay 1979.