- Email: [email protected]
Design of decentralized critical observers for networks of finite state machines: A formal method approach
Automatica 86 (2017) 174–182
Contents lists available at ScienceDirect
Automatica journal homepage: www.elsevier.com/locate/automatica
Brief paper
Design of decentralized critical observers for networks of finite state machines: A formal method approach ✩ Giordano Pola, Elena De Santis, Maria Domenica Di Benedetto, Davide Pezzuti Department of Information Engineering, Computer Science and Mathematics, Center of Excellence DEWS, University of L’Aquila, 67100 L’Aquila, Italy
article
info
Article history: Received 4 December 2014 Received in revised form 11 February 2017 Accepted 12 August 2017
Keywords: Network of finite state machines Critical observability Decentralized observers Bisimulation equivalence
a b s t r a c t Motivated by safety-critical applications in cyber–physical systems, in this paper we study the notion of critical observability and design of observers for networks of Finite State Machines (FSMs). Critical observability corresponds to the possibility of detecting if the current state of an FSM is in a given region of interest, called set of critical states. A critical observer detects on-line the occurrence of critical states. When a large-scale network of FSMs is considered, the construction of such an observer is prohibitive because of the large computational effort needed. We propose a decentralized architecture for critical observers of networks of FSMs, where on-line detection of critical states is performed by local critical observers, each associated with an FSM of the network, which do not need to interact. For the efficient design of decentralized critical observers we first extend on-the-fly algorithms traditionally used in the community of formal methods for the verification and control design of FSMs. We then extend to networks of FSMs, bisimulation theory traditionally given in the community of formal methods for single FSMs. The proposed techniques provide a remarkable computational complexity reduction, as discussed throughout the paper and also demonstrated by means of illustrative examples. © 2017 Elsevier Ltd. All rights reserved.
1. Introduction Ensuring safety in large-scale and networked safety-critical applications, as for example Air Traffic Management (ATM) systems (MAREA, 2011; Pezzuti, 2015), is a tough but challenging problem. In particular, complexity is one of the most difficult issues that must be overcome to make theoretical methodologies applicable to real industrial applications. In this paper we address the analysis of critical observability and design of observers for networks of Finite State Machines (FSMs). A network of FSMs is a collection of FSMs interacting via parallel composition. Critical observability, introduced in De Santis, Di Benedetto, Di Gennaro, D’Innocenzo, and Pola (2005), corresponds to the possibility of detecting if the current state of an FSM belongs to a set of critical states, modeling operations that may be unsafe or, in general, operations of specific interest in a particular application. Current approaches to check critical observability are based on regular language theory as in Di Benedetto, Di Gennaro, and D’Innocenzo (2008) or on the design ✩ This work has been partially supported by the Center of Excellence for Research DEWS, University of L’Aquila, Italy. The material in this paper was partially presented at the 14th annual European Control Conference, July 15–17, 2015, Linz Austria. This paper was recommended for publication in revised form by Associate Editor Jan Komenda under the direction of Editor Ian R. Petersen. E-mail addresses: [email protected] (G. Pola), [email protected] (E. De Santis), [email protected] (M.D. Di Benedetto), [email protected] (D. Pezzuti). http://dx.doi.org/10.1016/j.automatica.2017.08.025 0005-1098/© 2017 Elsevier Ltd. All rights reserved.
of the so-called critical observers (Cassandras & Lafortune, 1999; De Santis et al., 2005). The computational complexity of the first approach is polynomial in the number of states of the FSM, while the one of the second is exponential. Although disadvantageous from the computational complexity point of view, the construction of critical observers cannot be avoided at the implementation layer since it is necessary for the automatic on-line detection of critical situations. Motivated by this issue we present some results that can reduce, in some cases drastically, the computational effort in designing critical observers for large-scale networks of FSMs. We first propose a decentralized architecture for critical observers of the network, which is composed of a collection of local critical observers, each associated with an FSM of the network, which do not need to interact. Efficient algorithms for their synthesis are proposed, and based on on-the-fly techniques traditionally used for formal verification and control of FSMs (see e.g. Courcoubetis, Vardi, Wolper, & Yannakakis, 1992; Tripakis & Altisen, 1999). We then propose results on model reduction, which extend to networks of FSMs, bisimulation theory (Milner, 1989; Park, 1981) traditionally given for single FSMs. We define a bisimulation equivalence that takes into account criticalities. We then reduce the original network of FSMs to a smaller one, obtained as the quotient of the original network induced by the bisimulation equivalence. We first show that critical observability of the original network is equivalent to critical observability of the quotient network. We then show that a decentralized critical observer for the original
G. Pola et al. / Automatica 86 (2017) 174–182
network can be easily derived from the one designed for the quotient network. To the best of our knowledge, the formal methods techniques proposed in this paper have not yet been explored neither for the analysis of critical observability nor for the analysis of any other observability notion, with the only exception of Zad, Kwong, and Wonham (2003). We defer to the last section a discussion on connections with the existing literature. A full version of this paper can be found in Pola, Pezzuti, Santis, and Benedetto (2017) which also includes an application to biological networks. 2. Networks of finite state machines and critical observability 2.1. Notation and preliminary definitions The symbols ∧ and ∨ denote the And and Or logical operators, respectively. The symbol N denotes the set of nonnegative integers. Given n, m ∈ N with n < m let [n; m] = [n, m] ∩ N. The symbol |X | denotes the cardinality of a finite set X . The symbol 2X denotes the power set of a set X . Given a function f : X → Y we denote by f (Z ) the image of a set Z ⊆ X through f , i.e. f (Z ) = {y ∈ Y |∃z ∈ Z s.t. y = f (z)}; if X ′ ⊂ X and Y ′ ⊂ Y then f |X ′ →Y ′ is the restriction of f to domain X ′ and co-domain Y ′ , i.e. f |X ′ →Y ′ (x) = f (x) for any x ∈ X ′ with f (x) ∈ Y ′ . We now recall from Cassandras & Lafortune (1999) some basic notions of language theory. Given a set Σ , a finite sequence w = σ1 σ2 σ3 ... with symbols σi ∈ Σ is called a word in Σ ; the empty word is denoted by ε . The Kleene closure w ∗ of a word w is the collection of words ε , w , ww , www , ... . The symbol Σ ∗ denotes the set of all words in Σ , including the empty word ε . The concatenation of two words u, v ∈ Σ ∗ is denoted by uv ∈ Σ ∗ . Any subset of Σ ∗ is called a language. ˆ of Σ is the The projection of a language L ⊆ Σ ∗ onto a subset Σ ˆ ∗ |∃w ∈ L s.t. PΣˆ (w) = t } where PΣˆ (w) language PΣ ˆ (L) = {t ∈ Σ is inductively defined for any w ∈ L and σ ∈ Σ by PΣ ˆ (ε ) = ε and ˆ and PΣˆ (wσ ) = PΣˆ (w), otherwise. PΣ ˆ (wσ ) = PΣ ˆ (w )σ if σ ∈ Σ 2.2. Networks of finite state machines In this paper we consider the class of nondeterministic FSMs with observable labels: Definition 2.1. A Finite State Machine (FSM) M is a tuple (X , X 0 , Σ , δ ) where X is the set of states, X 0 ⊆ X is the set of initial states, Σ is the set of input labels and δ : X × Σ → 2X is the transition map. σ1
σ2
σ3
A state run r of an FSM M is a sequence x0 −→ x1 −→ x2 −→ x3 . . . such that x0 ∈ X 0 , xi ∈ X , σ i ∈ Σ and xi+1 ∈ δ (xi , σ i+1 ) for any xi and σ i in the sequence; the sequence σ 1 σ 2 σ 3 . . . is called the trace associated with r. For X ′ ⊆ ⋃ X and σ ∈ Σ , we abuse notation by writing δ (X ′ , σ ) instead of x∈X ′ δ (x, σ ). The extended transition map δˆ associated with δ is inductively defined for any ∗ ˆ ˆ w ⋃ ∈ Σ , σ ∈ Σ and x ∈ X by δ (x, ε) = {x} and δ (x, wσ ) = δ (y , σ ). The language generated by M, denoted L(M), is ˆ y∈δ (x,w ) composed by all traces generated by M, or equivalently, L(M) = {w ∈ Σ ∗ |∃x0 ∈ X 0 s.t. δˆ (x0 , w) ̸= ∅}. An FSM M is deterministic if |X 0 | = 1 and |δ (x, σ )| ≤ 1, for any x ∈ X and σ ∈ Σ . In this paper we are interested in studying whether it is possible to detect if the current state of an FSM M is or is not in a set of critical states C ⊂ X modeling operations that may be unsafe or, in general, operations of specific interest in a particular application. We refer to an FSM (X , X 0 , Σ , δ ) equipped with a set of critical states C by the tuple (X , X 0 , Σ , δ, C ) and to an FSM with outputs by a tuple (X , X 0 , Σ , δ, Y , H), where Y is the set of output labels and H : X → Y is the output function. For simplicity we call an FSM equipped with critical states or with outputs as an FSM. The operator Ac(·) extracts the accessible part from an FSM M = (X , X 0 , Σ , δ, C )
175
(resp. M = (X , X 0 , Σ , δ, Y , H)), i.e. Ac(M) = (X ′ , X 0 , Σ , δ ′ , C ′ ) (resp. Ac(M) = (X ′ , X 0 , Σ , δ ′ , Y , H ′ )) where X ′ = {x ∈ X |∃x0 ∈ X 0 ∧ w ∈ Σ ∗ s.t. x ∈ δˆ (x0 , w )}, δ ′ = δ|X ′ ×Σ →X ′ , C ′ = C ∩ X ′ and H ′ = H |X ′ →Y . Interaction among FSMs is captured by the following. Definition 2.2.) The parallel composition M1 ∥ M2 = X1,2 , X10,2 , Σ1,2 , δ1,2 , C1,2 between two FSMs M1 = (X1 , X10 , Σ1 , δ1 , C1 ) and ′,0 M2 = (X2 , X20 , Σ2 , δ2 , C2 ) is the FSM Ac(X1′ ,2 , X1,2 , Σ1′ ,2 , δ1′ ,2 ,
(
′,0
C1′ ,2 ) where X1′ ,2 = X1 × X2 , X1,2 = X10 × X20 , Σ1′ ,2 = Σ1 ∪ Σ2 ,
C1′ ,2 = (C1 × X2 ) ∪ (X1 × C2 ) and δ1′ ,2 : X1′ ,2 × Σ1′ ,2 → 2 defined for any x1 ∈ X1′ , x2 ∈ X2′ and σ ∈ Σ1′ ,2 by
X1′ ,2
is
⎧ δ1 (x1 , σ ) × δ2 (x2 , σ ), if δ1 (x1 , σ ) ̸= ∅ ∧ δ2 (x2 , σ ) ̸= ∅ ⎪ ⎪ ⎪ ⎨ ∧ σ ∈ Σ1 ∩ Σ2 , δ1 (x1 , σ ) × {x2 }, if δ1 (x1 , σ ) ̸= ∅ ∧ σ ∈ Σ1 \ Σ2 , ⎪ ⎪ ⎪{x1 } × δ2 (x2 , σ ), if δ2 (x2 , σ ) ̸= ∅ ∧ σ ∈ Σ2 \ Σ1 , ⎩ ∅, otherwise. By definition, a state (x1 , x2 ) ∈ C1,2 , i.e. (x1 , x2 ) is considered as critical for M1 ∥ M2 , if and only if x1 ∈ C1 or x2 ∈ C2 . Vice versa, (x1 , x2 ) ∈ / C1,2 if and only if x1 ∈ / C1 and x2 ∈ / C2 . It is well known that Proposition 2.3 (Cassandras & Lafortune, 1999). The parallel composition operation is commutative up to isomorphisms and associative. By the result above, we may write in the sequel M1 ∥M2 ∥M3 , X1,2,3 and C1,2,3 instead of M1 ∥(M2 ∥M3 ), X1,(2,3) and C1,(2,3) or, instead of (M1 ∥M2 )∥M3 , X(1,2),3 and C(1,2),3 . In this paper we consider a network N = {M1 , M2 , . . . , MN }
of N FSMs Mi whose interaction is captured by the notion of parallel composition; the corresponding FSM is given by M(N ) = M1 ∥ M2 ∥ · · · ∥MN . The FSM M(N ) is well defined because the composition operator ∥ is associative. For the computational complexity analysis, we will use in the sequel the number nmax = maxi∈[1;N ] |Xi | as indicator of the sizes of the FSMs composing the network N . An upper bound to space and time computational complexity in constructing M(N ) is O(2N log(nmax ) ). 2.3. Critical observability and observers Critical observability corresponds to the possibility of detecting whether the current state x of a run of an FSM is or is not critical on the basis of the information given by the corresponding trace at state x: Definition 2.4. An FSM M = (X , X 0 , Σ , δ, C ) is critically observable if [δˆ (x0 , w ) ⊆ C ] ∨ [δˆ (x0 , w ) ⊆ X \ C ], for any initial state x0 ∈ X 0 and any trace w ∈ L(M). Any FSM M having an initial state that is critical and another initial state that is not critical, is never critically observable. Moreover, if X 0 = C then FSM M is critically observable and no further analysis for the detection of critical states is needed. For these reasons in the sequel we assume that [ X 0 ⊂ C ] ∨ [ X 0 ⊆ X \ C ] for any FSM M. An illustrative example follows. Example 2.5. Consider FSMs Mi = (Xi , Xi0 , Σi , δi , Ci ), i = 1, 2, depicted in Fig. 1, where X1 = {1, 2, 3, 4} , X10 = {1}, Σ1 = {a, b, c , d}, C1 = {4}, X2 = {5, 6, 7, 8}, X20 = {5}, Σ2 = {a, b, e}, C2 = {7, 8} and transition maps δ1 and δ2 are represented by labeled arrows in Fig. 1; labels on the arrows represent the input label associated with the corresponding transition. FSM M1 is not critically observable because it is possible to reach both noncritical state 3 and critical state 4 starting from the initial state 1, by
176
G. Pola et al. / Automatica 86 (2017) 174–182
Fig. 1. FSM M1 in the left and FSM M2 in the right.
applying the same input label a. FSM M2 is critically observable because by applying traces b(ab)∗ and b(ab)∗ a to the initial state 5, the state reached is always in X2 \ C2 while by applying any trace other than the previous ones, states reached are always critical. On-line detection of critical states of critically observable FSMs can be obtained by means of critical observers, as defined hereafter. 0 Definition 2.6. A deterministic FSM Obs = (XObs , XObs , ΣObs , δObs , YObs , HObs ) with output set YObs = {0, 1} is a critical observer for an FSM M = (X , X 0 , Σ , δ , C ) if ΣObs = Σ and for any state run
σ1
σ2
σ3
r : x0 −→ x1 −→ x2 −→ x3 . . . of M, the corresponding (unique) σ1
σ2
σ3
state run rObs : z 0 −→ z 1 −→ z 2 −→ z 3 . . . of Obs is such that HObs (z i ) = 1 if xi ∈ C and HObs (z i ) = 0 otherwise, for any state z i in rObs . For later use, we report from e.g. (Cassandras & Lafortune, 1999) the following construction of observers. Definition 2.7. Given an FSM M = (X , X 0 , Σ , δ, C ), define the deterministic FSM Obs(M) as the accessible part Ac(Obs′ ) of Obs′ = 0 0 X (XObs′ , XObs ′ , ΣObs′ , δObs′ , YObs′ , HObs′ ), where XObs′ = 2 , XObs′ =
Fig. 2. Parallel composition M1 ∥ M2 of FSMs M1 and M2 .
then get [x1 ∈ δˆ 1 (x01 , PΣ1 (w ))] ∧ [x1 ∈ δˆ 1 (x1 , PΣ1 (w ))] ∧ [x2 ∈ δˆ2 (x02 , PΣ2 (w))] ∧ [x2 ∈ δˆ2 (x02 , PΣ2 (w))]. Moreover, by definition of C1,2 we then get [[x1 ∈ X1 \ C1 ] ∧ [x2 ∈ X2 \ C2 ]] ∧ [[x1 ∈ C1 ] ∨ [x2 ∈ C2 ]]. Hence, either M1 or M2 is not critically observable and a contradiction holds. ■ 0
The converse implication is not true in general, as shown in the following example. Example 3.2. Consider FSMs M1 and M2 in Example 2.5 and depicted in Fig. 1. As discussed in Example 2.5, FSM M2 is critically observable while FSM M1 is not. It is readily seen that FSM M1 ∥ M2 , depicted in Fig. 2, is critically observable because by applying traces b((cd)∗ ab)∗ and b(cd)∗ a(b(cd)∗ a)∗ to the initial state (1, 5), the state reached is always in X1,2 \ C1,2 and by applying any trace other than the previous ones, states reached are always in C1,2 .
′
{X 0 }, ΣObs′ = ⋃ Σ , δObs′ : XObs′ × ΣObs′ → 2XObs is defined by δObs′ (z , σ ) = { x∈z δ (x, σ )}, YObs′ = {0, 1} and HObs′ (z) = 1 if z ∩ C ̸ = ∅ and HObs′ (z) = 0, otherwise. An upper bound to the space and time computational complexity in constructing Obs(M) for an FSM M with n = |X | states is O(2n ) from which, an upper bound to the space and time computational N log(nmax ) complexity in constructing Obs(M(N )) is O(22 ). A direct consequence of Definition 2.4, 2.6 and 2.7 is the following:
As a consequence, critical observability of each FSM composing N is not necessary for M(N ) to be critically observable. The intuition behind the example above is that parallel composition reduces the behavior of the involved FSM and therefore can prevent not detectable critical situations from occurring. We now show how decentralized observers can be used for detecting critical states of the network of FSMs M(N ). The notion of isomorphism will be used:
3. Design of decentralized critical observers
Definition 3.3. Two FSMs Mi = (Xi , Xi0 , Σi , δi , Yi , Hi ), i = 1, 2, are isomorphic, denoted M1 =iso M2 , if Σ1 = Σ2 , Y1 = Y2 and there exists a bijective function φ : X1 → X2 , such that: (i) φ (X10 ) = X20 ; (ii) φ (X1 ) = X2 ; (iii) φ (δ1 (x1 , σ )) = δ2 (φ (x1 ), σ ), for any accessible state x1 ∈ X1 of M1 and σ ∈ Σ1 ; (iv) H1 (x1 ) = H2 (φ (x1 )), for any x1 ∈ X1 .
In this section we propose a decentralized architecture for critical observers. We start with the following:
Proposition 3.4. Given FSMs Mi (i ∈ [1; 4]), if M1 =iso M2 and M3 =iso M4 then M1 ∥M3 =iso M2 ∥M4 .
Proposition 2.8. The following statements are equivalent: (i) M is critically observable; 0 (ii) Obs(M) = (XObs , XObs , ΣObs , δObs , YObs , HObs ) is a critical observer for M; (iii) For any z ∈ XObs , if HObs (z) = 1 then z ⊆ C .
Proposition 3.1. If FSMs M1 and M2 are critically observable then FSM M1 ∥ M2 is critically observable. Proof. Set Mi = , , Σi , δi , Ci , i = 1, 2. By contradiction, assume that M1 ∥ M2 is not critically observable. Thus, there exists 0 0 a pair of state runs r1 and r2 with initial states (x01 , x02 ), (x1 , x2 ) ∈ 0 0 0 X1,2 and common trace w such that [(x1 , x2 ) ∈ δˆ 1,2 ((x1 , x2 ), w )] ∧
(
Xi Xi0
)
[(x1 , x2 ) ∈ δˆ1,2 ((x01 , x02 ), w)] and [(x1 , x2 ) ∈ X1,2 \ C1,2 ] ∧ [(x1 , x2 ) ∈ C1,2 ]. By definition of the projection operator PΣi (·) we
Given N , consider the collection of FSMs 0 Obs(Mi ) = (XObs,i , XObs ,i , Σi , δObs,i , YObs,i , HObs,i ),
(1)
each associated to the FSM Mi and define the decentralized observer Obsd (N ) = Obs(M1 )∥ · · · ∥Obs(MN ) with output set Y ⋁Obsd = {0, 1} and output function HObsd (z1 , z2 , . . . , zN ) = i∈[1;N ] HObsi (zi ). The following result shows that the decentralized observer Obsd (N ) can be used for detecting on-line critical states of the FSM M(N ).
G. Pola et al. / Automatica 86 (2017) 174–182
177
Theorem 3.5. Obsd (N )=iso Obs(M(N )). Proof. We start by showing the result for the network N ′ = {M1 , M2 } where Mi = (Xi , Xi0 , Σi , δi , Ci ), i.e. Obs(M1 )∥Obs(M2 )=iso Obs(M1 ∥M2 ).
(2)
Let Obsd (N ′ ) = (XObsd , X 0 d , ΣObsd , δObsd , YObsd , HObsd ) and Obs 0 Obs(M(N ′ )) = (XObs , XObs , ΣObs , δObs , YObs , HObs ). Define φ : XObsd → XObs such that φ ((z1 , z2 )) = z1 × z2 , for any (z1 , z2 ) ∈ XObsd with zi ∈ XObs,i . First of all note that ΣObsd = ΣObs = Σ1 ∪ Σ2 and YObsd = YObs = {0, 1}. Moreover, with reference to Definition 3.3, we get: Condition (i). By Definitions 2.2 and 2.7 we get φ (X 0 d ) = Obs 0 0 0 0 0 0 φ (XObs ,1 × XObs,2 ) = φ ({X1 } × {X2 }) = φ ({(X1 , X2 )}) = 0 0 0 0 0 {φ ((X1 , X2 ))} = {X1 × X2 } = XObs . Conditions (ii) and (iii). We proceed by induction and show that if φ ((z1 , z2 )) = z1 × z2 for a pair of accessible states (z1 , z2 ) ∈ XObsd and z1 × z2 ∈ XObs then φ (δObsd ((z1 , z2 ), σ )) = δObs (φ ((z1 , z2 )), σ ), for any σ ∈ Σ1 ∪ Σ1 . With reference to Definition 2.2, we have three cases: (case 1) σ ∈ Σ1 ∩ Σ2 , (case 2) σ ∈ Σ1 \ Σ2 , and (case 3) σ ∈ Σ2 \ Σ1 . We start with case 1. By Definitions σ ) = δObs (z1 × z2 , σ ) = ⋃ 2.2 and 2.7 we get δObs (φ ((z1 , z2 )),⋃ { (x1 ,x2 )∈z1 ×z2 δ1⋃ = σ) × ,2 ((x1 , x2 ), σ )} ⋃ { (x1 ,x2 )∈z1 ×z2 δ1 (x1 ,⋃ δ2 (x2 , σ )} ⋃= { x1 ∈z1 δ1 (x1 , σ ) × x2 ∈z2 δ2 (x2 , σ )} = {φ ( x1 ∈z1 δ1 (x1 , σ ), x2 ∈z2 ⋃ ⋃ = δ2 (x⋃ = φ ({⋃ ( x ∈z δ1 (x1 , σ ), x ∈z δ2 (x2 , σ ))}) 2 , σ ))} 2 2 1 1 φ ({ x1 ∈z1 δ1 (x1 , σ )} × { x2 ∈z2 δ2 (x2 , σ )}) = φ (δObs,1 (z1 , σ ) × δObs,2 (z2 , σ )) = φ (δObsd ((z1 , z2 ), σ )). Cases 2 and 3 can be shown by using similar arguments. Condition (iv). Suppose HObsd (z1 , z2 ) = 1. By definition of HObsd (.) we get that [HObs,1 (z1 ) = 1] ∨ [HObs,2 (z2 ) = 1], or by Definition 2.7 equivalently that [z1 ∩ C1 ̸ = ∅] ∨ [z2 ∩ C2 ̸ = ∅]. By definition of the set C1,2 , the last conditions imply that z1 × z2 ∩ C1,2 ̸ = ∅ which by Definition 2.6, implies HObs (z1 × z2 ) = 1. Suppose now HObsd (z1 , z2 ) = 0. By definition of HObsd (.) we get that [HObs,1 (z1 ) = 0]∧[HObs,2 (z2 ) = 0], or by Definition 2.7 equivalently that [z1 ∩ C1 = ∅] ∧ [z2 ∩ C2 = ∅]. The last conditions imply that z1 ×z2 ∩C1,2 = ∅ which, by Definition 2.7, implies HObs (z1 ×z2 ) = 0. Hence, the isomorphic equivalence in (2) is proven. We now generalize (2) to the case of a generic network N = {M1 , M2 , . . . , MN }. By applying recursively the equivalence in (2) and by Proposition 3.4, we get Obs(M(N )) = Obs(M1 ∥ (M2 ∥ M3 ∥ · · · ∥MN ))=iso Obs(M1 ) ∥ Obs(M2 ∥ (M3 ∥ · · · ∥MN ))=iso Obs (M1 ) ∥ Obs(M2 )∥Obs(M3 ∥ · · · ∥MN )=iso ...=iso Obs(M1 )∥ Obs(M2 ) ∥ · · · ∥Obs(MN ) = Obsd (N ). ■ In the sequel, we will refer to the FSM Obsd (N ) satisfying condition (iii) of Proposition 2.8 as a decentralized critical observer for N . Fig. 3 shows a possible implementation architecture for Obsd (N ). Observer Obsd (N ) can be obtained as a bank on N local observers Obs(Mi ) that act asynchronously. Each local observer Obs(Mi ) takes as input the trace wi ∈ L(Mi ) generated by Mi in response to the input word w , and sends the output boolean values yi to the OR (static) block. The OR block acts as a coordinator and whenever it receives one or more boolean values yi as inputs, it outputs boolean value y as the logical operation or among yi . Note that this architecture does not require the explicit construction of the parallel composition of local observers Obs(Mi ). As a consequence, local observers do not need to interact. Since space and time computational complexity in constructing Obsd (N ) is O(2nmax N ), a direct consequence of Theorem 3.5 is: Corollary 3.6. An upper bound to space and time computational complexity in constructing Obs(M(N )) is O(2nmax N ).
Fig. 3. A possible architecture for the decentralized observer Obsd (N ).
N log(nmax )
Note that the upper bound above is lower than O(22 ). From Proposition 2.8 and Theorem 3.5, one way to check critical observability and to design decentralized observers of M(N ) is illustrated in Algorithm 1. Algorithm 1 has space and time computational complexity O(2nmax N ). It can be improved from the computational point of view, because: Algorithm 1 Check of critical observability of M(N ). 1: Construct N local observers Obs(Mi ); 2: Compose the N local observers Obs(Mi ) to get Obsd (N ); 3: Apply Proposition 2.8 to Obsd (N ).
(D1) It constructs the whole local observer Obs(Mi ) for each Mi . A more efficient algorithm would construct, for each Mi , only the sub-FSM of Obs(Mi ) that is interconnected with the other local observers in Obsd (N ). (D2) It constructs the whole observer Obsd (N ), which is not required at the implementation layer (see Fig. 3). A more efficient algorithm would check critical observability on the basis of local observers. (D3) It first constructs Obsd (N ) before checking if states z of Obsd (N ) satisfy condition (iii) of Proposition 2.8. A more efficient algorithm would conclude that N is not critically observable when the first state z not satisfying condition (iii) of Proposition 2.8, shows up. In order to cope with the aforementioned drawbacks, we now present a procedure that integrates each step of Algorithm 1 in one algorithm. This procedure extends on-the-fly algorithms for verification and control of FSMs (see e.g. Courcoubetis et al., 1992) to the design of decentralized critical observers and is reported in Algorithm 2. Algorithm 2 makes use of the notion of projected local observers. The projection π |Obs(Mi ) (Obsd (M(N ))) of Obsd (M(N )) onto 0 ′ Obs(Mi ), as in (1), is defined as the FSM Ac(XObs ,i , XObs,i , Σi , δObs,i , ′ YObs,i , HObs,i ) where XObs,i contains states zi ∈ XObs,i for which there exist states zj ∈ XObs,j , j ∈ [1; N ], j ̸ = i such that (z1 , z2 , . . . , zN ) is a state of Obsd (M(N )). The input of Algorithm 2 is the collection of FSMs Mi of N . The output is the collection of projected local observers π |Obs(Mi ) (Obsd (N )) if M(N ) is critically observable. In line 2, the initial state and the output set of the projected local observers are defined and their sets of states XObs,i are initialized to contain only the initial states. At each iteration, the algorithm processes candidate new states of π |Obs(Mi ) (Obsd (N )) and adds them to XObs,i whenever they are compatible with the parallel composition of π |Obs(Mj ) (Obsd (N )) with j ̸= i. For each aggregate (z1 , z2 , . . . , zN ) temp
in the temporary set XObs and for each σ ∈ Σ1 ∪ Σ2 ∪ ... ∪ ΣN (lines 5 and 6), first, successors zi+ of states zi in Mi are computed
178
G. Pola et al. / Automatica 86 (2017) 174–182
(lines 7–12); in particular, if δi (xi , σ ) is defined (note that maps δi are in general partial) then zi+ is set in line 9 to δi (xi , σ ); otherwise it is set in line 11 to zi . If in line 14, according to the definition of the transition map of Obsd (N ), there is a transition in Obsd (N ) from aggregate (z1 , z2 , . . . , zN ) to aggregate (z1+ , z2+ , . . . , zN+ ) with input label σ , then (z1+ , z2+ , . . . , zN+ ) is further processed. Note that we are not storing information computed in line 14 on the transition map of Obsd (N ) but only states of Obsd (N ) which cannot be avoided for computing the projections π|Obs(Mi ) (Obsd (N )). By this fact, Algorithm 2 overcomes drawback (D2) of Algorithm 1. Algorithm 2 first checks in line 15 if the aggregate (z1+ , z2+ , . . . , zN+ ) was not processed before. If so, line 16 is processed. By definition of output function HObsd , condition (z1+ , z2+ , . . . , zN+ ) ̸ ⊆ X1,2,...,N \ C1,2,...,N implies HObsd (z1+ , z2+ , . . . , zN+ ) = 1 which, combined with condition (z1+ , z2+ , . . . , zN+ ) ̸ ⊆ C1,2,...,N , implies that condition (iii) of Proposition 2.8 is not satisfied. Hence, by applying Proposition 2.8, if (z1+ , z2+ , . . . , zN+ ) satisfies such a condition, the algorithm immediately terminates in line 17, concluding that N is not critically observable. By this fact, Algorithm 2 overcomes drawback (D3) of Algorithm 1. If (z1+ , z2+ , . . . , zN+ ) does not satisfy condition in line temp 16, it is added to ZObs in line 19; the set of states XObs,i and the transition map δObs,i of π |Obs(Mi ) (Obsd (N )) are updated in lines 22 and 23. Note that since δObs,i is updated only if condition in line 14 holds, then Algorithm 2 constructs step-by-step π|Obs(Mi ) (Obsd (N )) and not Obs(Mi ). By this fact, Algorithm 2 overcomes drawback (D1) of Algorithm 1. The outputs of states zi+ are set in lines 24–27. temp temp temp In line 35, set XObs is updated to XObs ∪ ZObs and set XObs to ZObs ; the next iteration then starts. Algorithm 2 terminates when there temp are no more states in XObs to be processed (see line 5) or condition in line 16 is satisfied. From the explanation above, it is clear that Algorithm 2 terminates in a finite number of states and that in the worst case, the computational complexity of Algorithm 2 is the same as the one in Algorithm 1, i.e. O(2nmax N ). This is typical for on-the-fly based algorithms. However, there are practical cases in which Algorithm 2 performs better than Algorithm 1 as illustrated by two examples in the end of the next section. 4. Model reduction via bisimulation In this section we use bisimulation equivalence (Milner, 1989; Park, 1981) to reduce the computational complexity in checking critical observability and designing observers. 0 Definition 4.1. Two ( ) FSMs M1 = X1 , X1 , Σ1 , δ1 , C1 and M2 = 0 X2 , X2 , Σ2 , δ2 , C2 are bisimilar, denoted by M1 ∼ = M2 , if Σ1 = Σ2 and there exists a relation R ⊆ X1 × X2 , called bisimulation relation, such that for any (x1 , x2 ) ∈ R the following conditions are satisfied: (i) x1 ∈ X10 if and only if x2 ∈ X20 ; (ii) for any σ ∈ Σ1 such that δ1 (x1 , σ ) ̸ = ∅ and for any + + + x+ 1 ∈ δ1 (x1 , σ ) there exists x2 ∈ δ2 (x2 , σ ) such that (x1 , x2 ) ∈ R; (iii) for any σ ∈ Σ2 such that δ2 (x2 , σ ) ̸ = ∅ and for any + + + x+ 2 ∈ δ2 (x2 , σ ) there exists x1 ∈ δ1 (x1 , σ ) such that (x1 , x2 ) ∈ R; (iv) x1 ∈ C1 if and only if x2 ∈ C2 .
(
)
The notion of bisimulation equivalence above slightly differs from the classical one (Milner, 1989; Park, 1981) because of the additional condition (iv), which allows us to establish the following. Proposition 4.2. If FSMs M1 and M2 are bisimilar then: (i) M1 is critically observable if and only if M2 is critically observable; (ii) An FSM Obs is a critical observer for M1 if and only if it is a critical observer for M2 .
Algorithm 2 Integrated design of decentralized observers 1: Input: FSMs Mi = (Xi , Xi0 , Σi , δi , Ci ), with i ∈ [1; N ];
0 0 2: Init: XObs,i := {Xi0 }, XObs ,i := {Xi }, YObs,i := {0, 1} for any i ∈ [1; N ]; XObs := temp
{(X10 , X20 , ..., XN0 )}; XObs := XObs ; temp
3: while XObs temp
̸= ∅ do
4:
ZObs
5: 6: 7: 8: 9: 10: 11: 12: 13: 14:
for all (z1 , z2 , ..., zN ) ∈ XObs do for all σ ∈ Σ1 ∪ Σ2 ∪ ... ∪ ΣN do for all i ∈ [1; N ] do if δi (zi , σ ) is defined then zi+ := δi (zi , σ ); else zi+ := zi ; end if end for + )} then if δObsd ((z1 , z2 , ..., zN ), σ ) = {(z1+ , z2+ , ..., zN
15: 16: 17: 18: 19: 20: 21:
:= ∅ temp
+ )∈ / XObs then if (z1+ , z2+ , ..., zN + + + ⊈ C1,2,...,N ] ∧ [z1+ × z2+ × ... × zN+ ⊈ if [z1 × z2 × ... × zN X1,2,...,N \C1,2,...,N ] then BREAK: M(N ) is not critically observable; end if temp temp + )} ; ZObs := ZObs ∪ {(z1+ , z2+ , ..., zN for all i ∈ [1; N ] do + + / XObs,i ] then if [zi ̸ = ∅] ∧ [zi ∈
XObs,i := XObs,i ∪ {zi+ }; δObs,i (zi , σ ) := {zi+ };
22: 23:
if zi+ ⊆ Ci then
24:
25: HObs,i (zi+ ) := 1; 26: else 27: HObs,i (zi+ ) := 0; 28: end if 29: end if 30: end for 31: end if 32: end if 33: end for 34: end for temp temp temp 35: XObs := XObs ∪ ZObs , XObs := ZObs ; 36: end while 37: output: M(N ) is critically observable;
Projected local observers π|Obs(M ) (Obsd (N )) i YObs,i , HObs,i ).
0 (XObs,i , XObs ,i , Σi , δObs,i ,
=
Proof. Set Mi = (Xi , Xi0 , Σi , δi , Ci ), i = 1, 2 and let R be a bisimulation relation between M1 and M2 . Proof of (i). By contradiction assume that M1 is critically observable and M2 is not critically observable. Hence, there exist a pair 0 of state runs of M2 with initial states x02 , x2 ∈ X20 , common trace 0 w ∈ L(M2 ), and states x2 ∈ δˆ2 (x2 , w), x2 ∈ δˆ2 (x02 , w) such that x2 ∈ C2 ∧ x2 ∈ X2 \ C2 .
(3)
Since M1 ∼ = M2 , there exist a pair of state runs of M1 with initial 0 states x01 , x1 ∈ X10 , common trace w ∈ L(M1 ) and states x1 ∈ 0 δˆ1 (x1 , w), x1 ∈ δˆ1 (x01 , w) such that (x1 , x2 ), (x1 , x2 ) ∈ R which, by (3) and condition (iv) in Definition 4.1, implies x1 ∈ C1 and x1 ∈ X1 \C1 . Thus, M1 is not critically observable and a contradiction holds. Proof of (ii). By contradiction assume that Obs is a critical observer for M1 but not for M2 . By Definition 2.6, there exist a state σ1
σ2
σ3
run r2 : x02 −→ x12 −→ x22 −→ x32 . . . of M2 and the corresponding σ1
σ3
σ2
(unique) state run rObs : z 0 −→ z 1 −→ z 2 −→ z 3 . . . of Obs such that
[HObs (z i ) = 1 ∧ xi2 ∈ / C2 ] ∨ [HObs (z i ) = 0 ∧ xi2 ∈ C2 ], i
for some i. Suppose first HObs (z ) = 1 ∧ σ1
σ2
xi2
(4)
∈ / C2 . By Definition 4.1, σ3
there exists a state run r1 : −→ −→ −→ x31 . . . of M1 such i i that (x1 , x2 ) ∈ R for all i. In particular for i = i we get by condition (iv) of Definition 4.1 that xi1 ∈ / C1 from which, Obs is not a critical x01
x11
x21
G. Pola et al. / Automatica 86 (2017) 174–182
observer for M1 and a contradiction holds. The second case in (4) can be proven by using the same arguments. ■ Space and time computational complexities in checking bisimulation equivalence between M1 and M2 with |X1 | = n1 and |X2 | = n2 states are O(n21 + n22 ) and O((n21 + n22 ) log(n1 + n2 )), respectively, see e.g. (Paige & Tarjan, 1987). Bisimulation equivalence is an equivalence relation on the class of FSMs. We now define the network of FSMs N min as the quotient of the original network N induced by the bisimulation equivalence. More precisely given N , define the following equivalence classes induced by the bisimulation equivalence: E1 = {Mi(1,1) , Mi(1,2) , . . . , Mi(1,n1 ) }, E2 = {Mi(2,1) , Mi(2,2) , . . . , Mi(2,n2 ) },
...,
EN min = {Mi(N min ,1) , Mi(N min ,2) , . . . , Mi(N min ,nN min ) }, such that N = {Mi(k,j) }j∈[1;nk ],k∈[1;N min ] and Mi(k,j1 ) , Mi(k,j2 ) ∈ Ek if and only if Mi(k,j1 ) ∼ = Mi(k,j2 ) . Denote by Mimin ∈ Ek a reprek sentative of the equivalence class Ek and define the network of FSMs N min = {Mimin , Mimin , . . . , Mimin }, with M(N min ) = Mimin ∥ 1
2
N min
1
Mimin ∥ · · · ∥Mimin . We now show that the proposed reduced net2
N min
work M(N min ) preserves the critical observability properties of the original network M(N ). The forthcoming results rely upon the following technical results. Lemma 4.3. Consider FSMs Mi = (Xi , Xi0 , Σi , δi , Ci ) with i ∈ [1; 3] and suppose that M2 and M3 are bisimilar. Then an FSM Obs is a critical observer for M1 ∥ M2 if and only if it is a critical observer for M1 ∥M2 ∥M3 . Proof. Let Obs = , , ΣObs , δObs , YObs , HObs ) and R23 be a bisimulation relation between M2 and M3 . (Sufficiency.) By contradiction assume that Obs is not a critical observer for M1 ∥M2 ∥M3 . 0 (XObs XObs
σ1
By Definition 2.6, there exist a state run r : (x01 , x02 , x03 ) −→ σ2
σn
(x11 , x12 , x13 ) −→ ... −→ (xn1 , xn2 , xn3 ) of M1 ∥M2 ∥M3 and the correσ1
σ2
σn
sponding state run rObs : z 0 −→ z 1 −→ . . . −→ z n of Obs such that (case 1) [(xn1 , xn2 , xn3 ) ∈ / C1,2,3 ∧ HObs (z n ) = 1] or (case n n n 2) [(x1 , x2 , x3 ) ∈ C1,2,3 ∧ HObs (z n ) = 0]. Construct the sequence σ2
σ1
σn
r1,2 : (x01 , x02 ) −→ (x11 , x12 ) −→ ... −→ (xn1 , xn2 ), where r1,2 has been obtained by removing the third component in the states of run r. It is readily seen that r1,2 is a state run of M1 ∥ M2 . Construct the σ1
σ2
σn
sequence rˆ1,2 : (x01 , xˆ 02 ) −→ (x11 , xˆ 12 ) −→ . . . −→ (xn1 , xˆ n2 ) such that (xˆ i2 , xi3 ) ∈ R23 for any i ∈ [0; n]. By construction, rˆ1,2 is a state / run of M1 ∥ M2 . We start by considering case 1. Since (xn1 , xn2 , xn3 ) ∈ C1,2,3 then xn1 ∈ / C1 and xn2 ∈ / C2 from which, the last state (xn1 , xn2 ) of run r1,2 is such that (xn1 , xn2 ) ∈ / C1,2 . Since HObs (z n ) = 1, FSM Obs is not a critical observer for M1 ∥ M2 and a contradiction holds. We now consider case 2. Since (xn1 , xn2 , xn3 ) ∈ C1,2,3 then (case 2.1) [xn1 ∈ C1 ∨ xn2 ∈ C2 ] or (case 2.2) xn3 ∈ C3 . We start by considering case 2.1. Since [xn1 ∈ C1 ∨ xn2 ∈ C2 ] or equivalently, the last state (xn1 , xn2 ) of run r1,2 is such that (xn1 , xn2 ) ∈ C1,2 and by assumption HObs (z n ) = 0, a contradiction holds. We conclude with case 2.2. Since xn3 ∈ C3 , by definition of run rˆ1,2 , state xˆ n2 ∈ C2 which implies that the last state (xn1 , xˆ n2 ) of run rˆ1,2 is such that (xn1 , xˆ n2 ) ∈ C1,2 . This last condition combined with the assumed condition HObs (z n ) = 0, leads to a contradiction, as well. (Necessity.) By contradiction assume that Obs is not a critical observer for M1 ∥ M2 . By Definition 2.6, there exist a state run r :
σ1
σ2
σn
(x01 , x02 ) −→ (x11 , x12 ) −→ . . . −→ (xn1 , xn2 ) of
M1 ∥ M2 and the corresponding state run rObs : σn
σ1
σ2
z 0 −→ z 1 −→
... −→ z n of Obs such that (case 1) [(xn1 , xn2 ) ∈ / C1,2 ∧ HObs (z n ) = 1] or (case 2) [(xn1 , xn2 ) ∈ C1,2 ∧ HObs (z n ) = 0]. Construct the sequence σ1
σ2
σn
r ′ : (x01 , x02 , x03 ) −→ (x11 , x12 , x13 ) −→ . . . −→ (xn1 , xn2 , xn3 ), where
179
(xi2 , xi3 ) ∈ R23 for any i ∈ [0; n]. By construction r ′ is a state run of M1 ∥M2 ∥M3 . We start by considering case 1. By condition (iv) of Definition 4.1, we get [ (xn1 , xn2 ) ∈ / C1,2 ] iff [ xn1 ∈ / C1 ∧ xn2 ∈ / C2 ] iff n n n n n [ x1 ∈ / C 1 ∧ x2 ∈ / C 2 ∧ x3 ∈ / C3 ] iff [ (x1 , x2 , xn3 ) ∈ / C1,2,3 ]. Since HObs (z n ) = 1, FSM Obs is not a critical observer for M1 ∥M2 ∥M3 and a contradiction holds. We now consider case 2. By condition (iv) of Definition 4.1, we get [ (xn1 , xn2 ) ∈ C1,2 ] iff [ xn1 ∈ C1 ∨ xn2 ∈ C2 ] iff [ xn1 ∈ C1 ∨ xn2 ∈ C2 ∨ xn3 ∈ C3 ] iff [ (xn1 , xn2 , xn3 ) ∈ C1,2,3 ]. Since HObs (z n ) = 0, FSM Obs is not a critical observer for M1 ∥M2 ∥M3 and a contradiction holds. ■ Corollary 4.4. Consider FSMs Mi = (Xi , Xi0 , Σi , δi , Ci ) with i ∈ [1; 3] and suppose that M2 and M3 are bisimilar. Then M1 ∥ M2 is critically observable if and only if M1 ∥M2 ∥M3 is critically observable. Proof. The result follows by combining Proposition 2.8 and Lemma 4.3. ■ We now have all the ingredients to present the main results of this section. Theorem 4.5. M(N ) is critically observable if and only if M(N min ) is critically observable. Proof. By applying Corollary 4.4, for any Mi(N min ,j) ∈ N \ N min , FSM M(N min ) = (Mimin ∥Mimin ∥ ... ∥ Mimin ) ∥ Mimin is criti1
2
N min −1
N min
cally observable if and only if FSM (Mimin ∥ Mimin ∥ · · · ∥Mimin 1
2
N min −1 i(N min ,j)
∥Mimin ∥Mi(N min ,j) is critically observable (recall that M N min
Mimin
N min
for any j ∈ [1; nN
min
)
∼ =
]). Hence, by applying recursively
Corollary 4.4 to all other FSMs Mi(k,j) ∈ N \ N min and by making use of Proposition 2.3 to properly rearrange terms in the composed FSM, the result follows. ■ Theorem 4.6. Obs(M(N min )) is a critical observer for M(N min ) if and only if it is a critical observer for M(N ). Proof. By applying Lemma 4.3, Obs(M(N min )) is a critical observer for M(N min ) = (Mimin ∥ Mimin ∥ · · · ∥ Mimin ) ∥ Mimin 1
2
N min −1
if and only if it is a critical observer for (Mimin ∥ Mimin ∥ · · · ∥Mimin 1
2
∥Mimin ∥Mi(N min ,j) for any FSMs Mi(N min ,j) ∈ N \ N N min
Mi(N min ,j) ∼ = Mimin
N min
for any j ∈ [1; n
N min
min
N min
N min −1
)
(recall that
]). Hence, by applying
recursively Lemma 4.3 to all other FSMs M ∈ N \ N min and by making use of Proposition 2.3 to properly rearrange terms in the composed FSM, the result follows. ■ The results above reduce the computational complexity effort since they show that it is possible to consider the reduced network N min to check critical observability and to design critical observers for the original network N . Results above and in Section 3 can be combined together as illustrated in Algorithm 3. As a consequence of Proposition 4.2 (ii), the composition of local observers computed in line 8 of Algorithm 3 is a decentralized critical observer for N . We now provide a computational complexity analysis. We focus on computational complexity with respect to parameters nmax , N and N min . A traditional approach to check critical observability of the network N = {M1 , M2 , . . . , MN } consists in computing Obs(M(N )), whose space and time computational complexity by Corollary 3.6 is O(2nmax N ), as reported in the second column of Table 1. Computational complexity analysis of Algorithm 3 follows. In line 1, one needs to check bisimulation equivalence between any pair of FSMs Mi , Mj in N whose space computational complexity is O(n2max N) and time computational complexity is O(n2max N 2 log(nmax )). Space and time computational complexities
180
G. Pola et al. / Automatica 86 (2017) 174–182
Table 1 Computational complexity analysis. Complexity
Obs(M(N ))
Obsd (N min )
Space
O(2nmax N )
O(n2max N + 2nmax N
Time
O(2
nmax N
O(n2max N 2
)
min
)
log(nmax ) + 2nmax N
min
)
min
associated with line 2 are O(2nmax N ) and those with line 8 are zero. Resulting computational complexity bounds are reported in the third column of Table 1. We conclude this section with two illustrative examples. In both examples, the goal is to check if a network N is critically observable and if so, to design a decentralized critical observer for N . For this purpose we apply Algorithm 3. In the sequel, space complexity of an FSM is computed as S1 + S2 where S1 is the sum of the data needed to be stored for each transition and S2 is the number of output data associated with states. Date stored for a transition from a state (z1 , z2 , . . . , zm ) to + a state (z1+ , z2+ , . . . , zm + ) with a given input label are counted as ∑ ∑ + | z |+ | + i i∈[1;m] i∈[1;m ] zi |+1. Time complexity is computed as the number of transitions generated in composed FSMs and observers, which represent macro iterations in the algorithms.
Fig. 4.
Projected local observers π|Obs(M1 ) (Obsd (N min )) in the left and
π |Obs(M2 ) (Obsd (N min )) in the right.
Algorithm 3 Integrated design of decentralized observers with model reduction 1: 2: 3: 4: 5: 6: 7: 8:
Compute the network N min ; Apply Algorithm 2 to N min ; if M(N min ) is not critically observable then BREAK: M(N ) is not critically observable; else M(N ) is critically observable; end if Define projected local observers
π|Obs(Mi(k,j) ) (Obsd (N ))
Fig. 5. FSM M5 .
=
π |Obs(M min ) (Obsd (N min )) for any j ∈ [1; nk ], k ∈ [1; N min ]. i
k
Example 4.7. Consider N = {M1 , M2 , M3 , M4 } where FSMs M1 and M2 are depicted in Fig. 1 and FSMs M3 and M4 in Fig. 6, and apply Algorithm 3. (Line 1.) It is easy to see that FSMs M1 and M3 are bisimilar with bisimulation relation R13 = {(1, 9), (2, 10), (3, 11), (3, 12), (4, 13)} and that FSMs M2 and M4 are bisimilar with bisimulation relation R24 = {(5, 14), (6, 15), (7, 16), (7, 17), (7, 18), (8, 16), (8, 17), (8, 18)}. Equivalence classes induced by the bisimulation equivalence on N are E1 = {M1 , M3 } and E2 = {M2 , M4 }. The resulting network N min can be chosen as {M1 , M2 }. (Line 2.) By applying Algorithm 2 we get that N min is critically observable. The resulting projected local observers π |Obs(M1 ) (Obsd (N min )) and π|Obs(M2 ) (Obsd (N min )) are depicted in Fig. 4. (Line 8.) Define π |Obs(Mi ) (Obsd (N )) as π|Obs(M1 ) (Obsd (N min )) for i = 1, 3 and as π |Obs(M2 ) (Obsd (N min )) for i = 2, 4. Space and time complexities in constructing projected local observers are 54 and 8. A traditional approach would first construct explicitly M(N ) and then construct Obs(M(N )). The number of states of M(N ) is 21 and the one of Obs(M(N )) is 6. Resulting space and time complexities are 633 and 39. Example 4.8. Consider N = {M1 , M2 , M3 , M4 , M5 } where FSMs Mi , i ∈ [1; 4] are as in Example 4.7 and M5 is depicted in Fig. 5 with C5 = {20}, and apply Algorithm 3. (Line 1.) It is easy to see that for any i ∈ [1; 4], FSMs M5 and Mi are not bisimilar from which, N min can be chosen as {M1 , M2 , M5 }. (Line 2.) In the first iteration of Algorithm 2, starting from the initial state z = ({1}, {5}, {19}) with label b, state z + = ({2}, {6}, {20, 21}) is reached. Since state z + does not satisfy the condition in line 12 of Algorithm 2, Algorithm 2 terminates from which, Algorithm 3 terminates as well, giving as output that N is not critically observable. Data stored in line 1 of Algorithm 2 are 72 while those in lines 2–9 are 19 from which, space complexity at line 12 is 91. Since Algorithm 2 terminates at
Fig. 6. FSM M3 in the left and FSM M4 in the right.
the first iteration and no transitions are generated, time complexity is evaluated as 0. A traditional approach would first construct explicitly M(N ) to then construct Obs(M(N )). The number of states of M(N ) is 24 and the one of Obs(M(N )) is 6. Resulting space and time complexities are 895 and 39. 5. Discussion An exhaustive review of the relationships between our observability notion and related notions existing in the literature is out of the scope of the present paper. For the sake of completeness, we establish here a classification and comparisons. The ‘‘observability’’ notions can be roughly categorized along the following directions: language (L) vs. state space (S) based notions; centralized (C) vs. decentralized (D) architectures; notions employed for purely analysis purposes (A) vs. notions instrumental to address control design (CD). Among others, we recall here: within (L)–(C)–(A) the notions of language observability (Lin & Wonham, 1988) and of diagnosability (Sampath, Sengupta, Lafortune, Sinnamohideen, & Teneketzis, 1995); within (L)–(C)–(CD) optimal sensor activation in Wang, Lafortune, Girard, and Lin (2010); Wang, Lafortune, Lin, and Girard (2010); within (L)–(D)–(A) the notion of co-diagnosability in e.g. (Contant, Lafortune, & Teneketzis, 2006; Debouk, Malik, & Brandin, 2002; Schmidt, 2013; Su & Wonham, 2005; Zhou, Kumar, & Sreenivas, 2008), extending the one of diagnosability to a decentralized
G. Pola et al. / Automatica 86 (2017) 174–182
setting; within (L)–(D)–(CD) the notion of co-observability (Rudie & Wonham, 1989) extending the one of language observability to a decentralized setting, and the work (Wang, Girard, Lafortune, & Lin, 2011) proposing an extension of the notion of co-observability to dynamic observations in controlled DESs and results for translating co-observability problems into co-diagnosability problems; within (S)–(C)–(A) the notions of diagnosability with a state space approach in Zad et al. (2003), detectability e.g. (Shu, Lin, & Ying, 2007) and efficient algorithms for the computation of indistinguishable states in e.g. (Wang, Lafortune, & Lin, 2007); within (S)–(D)–(A) the concept of states disambiguation in e.g. (Rudie, Lafortune, & Lin, 2003) and the notion of critical observability in Di Benedetto et al. (2008) and in the present paper. Many papers mentioned above consider deterministic FSMs with partially observable transitions while in our paper we consider nondeterministic FSMs with observable transitions. Connections with the concept of states disambiguation in e.g. (Rudie et al., 2003) which is in (S)–(D)– (A) as our paper, follow. The work (Rudie et al., 2003) uses states disambiguation as a mean to address communication problems without the need to consider communication and coobservability issues together. States disambiguation deals with studying conditions under which any pair of states of a DES can be distinguished on the basis of the traces associated to state runs of the DES and ending in the two states. It is readily seen that an FSM where all states are disambiguated is also critically observable, while the converse implication is not true in general. Apart from technical differences between the concepts of states disambiguation and critical observability, the present paper approaches the efficient design of decentralized critical observers by extending techniques based on formal methods, a new approach that was not explored before in the literature with the only exception of Zad et al. (2003). However, while Zad et al. (2003) use bisimulation-based reduction for checking diagnosability of single FSM, our approach proposes bisimulation-based reduction for analyzing critical observability of networks of FSMs. In future work we plan to extend the formal methods techniques proposed in this paper, from decentralized critical observability to co-diagnosability. Acknowledgment We wish to thank Sina Lessanibahri for participating in fruitful discussions at the beginning of this project. References Cassandras, C. G., & Lafortune, S. (1999). Introduction to discrete event systems. Kluwer Academic Publishers. Contant, O., Lafortune, S., & Teneketzis, D. (2006). Diagnosability of discrete event systems with modular structure. Discrete Event Dynamic Systems, 16, 9–37. Courcoubetis, C., Vardi, M., Wolper, P., & Yannakakis, M. (1992). Memory-efficient algorithms for the verification of temporal properties. Formal Methods in System Design, 1(2–3), 275–288. Debouk, R., Malik, R., & Brandin, B. (2002). A modular architecture for diagnosis of discrete event systems. In Proceedings of the 41th conference on decision and control, Las Vegas, Nevada, USA (pp. 417–422). De Santis, E., Di Benedetto, M. D., Di Gennaro, S., D’Innocenzo, A., & Pola, G. (2005). Lecture notes on control and information sciences. Critical observability of a class of hybrid systems and application to air traffic management. Springer Verlag, (Book Chapter). Di Benedetto, M. D., Di Gennaro, S., & D’Innocenzo, A. (2008). Discrete state observability of hybrid systems. International Journal of Robust and Nonlinear Control, Special Issue on Observability and Observer Design for Hybrid Systems, 19(14), 1564–1580. Lin, F., & Wonham, W. (1988). On observability of discrete-event systems. Information Sciences, 44, 173–198. MAREA, (2011). Mathematical Approach Towards Resilience Engineering in ATM. Technical Tender Public version. http://complexworld.eu/wiki/MAREA. Milner, R. (1989). Communication and concurrency. Prentice Hall. Paige, R., & Tarjan, R. (1987). Three partition refinement algorithms. SIAM Journal on Computing, 16(6), 987–989.
181
Park, D. M. R. (1981). Lecture notes in computer science: vol. 104. Concurrency and automata on infinite sequences (pp. 167–183). Springer-Verlag. Pezzuti, D. (2015). Formal Methods for complexity reduction in the analysis of safety critical systems. Ph.D. thesis. University of L’Aquila (Italy). Pola, G., Pezzuti, D., De Santis, E., & Di Benedetto, M. D. (2017). Decentralized Critical observers of networks of finite state machines and model reduction, Available at arXiv:1412.1784v2 [math.OC]. Rudie, K., Lafortune, S., & Lin, F. (2003). Minimal communication in a distributed discrete-event system. IEEE Transactions on Automatic Control, 48, 957–975. Rudie, K., & Wonham, W. (1989). Think globally, act locally: decentralized supervisor control. IEEE Transactions on Automatic Control, 37(11), 1692–1708. Sampath, M., Sengupta, R., Lafortune, S., Sinnamohideen, K., & Teneketzis, D. (1995). Diagnosability of discrete-event systems. IEEE Transactions on Automatic Control, 40(9), 1555–1575. Schmidt, K. W. (2013). Verification of modular diagnosability with local specifications for discrete-event systems. IEEE Transactions on Systems, Man and Cybernetics, 43(5), 1130–1140. Shu, S., Lin, F., & Ying, H. (2007). Detectability of discrete event systems. IEEE Transactions on Automatic Control, 52(12), 2356–2359. Su, R., & Wonham, W. M. (2005). Global and local consistencies in distributed fault diagnosis for discrete-event systems. IEEE Transactions on Automatic Control, 50(12), 1923–1935. Tripakis, S., & Altisen, K. (1999). On-the-fly controller synthesis for discrete and dense-time systems. In Lecture notes in computer science: vol. 1708. World congress on formal methods in the development of computing systems (pp. 233– 252). Berlin: Springer Verlag. Wang, W., Girard, A. R., Lafortune, S., & Lin, F. (2011). On codiagnosability and coobservability with dynamic observations. IEEE Transactions on Automatic Control, 56(7), 1551–1566. Wang, W., Lafortune, S., Girard, A. R., & Lin, F. (2010). Optimal sensor activation for diagnosing discrete event systems. Automatica, 46, 1165–1175. Wang, W., Lafortune, S., & Lin, F. (2007). An algorithm for calculating indistinguishable states and clusters in finite-state automata with partially observable transitions. Systems & Control Letters, 56, 656–661. Wang, W., Lafortune, S., Lin, F., & Girard, A. R. (2010). Minimization of dynamic sensor activation in discrete event systems for the purpose of control. IEEE Transactions on Automatic Control, 55, 2447–2461. Zad, S. H., Kwong, R. H., & Wonham, W. M. (2003). Fault diagnosis in discreteevent systems: framework and model reduction. IEEE Transactions on Automatic Control, 48(7), 51–65. Zhou, C., Kumar, R., & Sreenivas, R. S. (2008). Decentralized modular diagnosis of concurrent discrete event systems. In Proceedings of the 9th international workshop on discrete event systems, Gteborg, Sweden (pp. 28–30).
Giordano Pola received the ‘‘Laurea Degree’’ in Electrical Engineering in July 2000 and the Ph.D. degree in Electrical Engineering and Computer Science in June 2004, from the University of L’Aquila, Italy. He was Visiting Scholar at the University of Cambridge, UK in 2002 and 2003 and Assistant Researcher in 2003 and Research Fellow in 2004 at the University of Twente, The Netherlands. From April 2005 to September 2006 he was a Postdoctoral Researcher at the University of L’Aquila, Italy and from October 2006 to December 2007 a Postdoctoral Researcher at the University of California at Los Angeles, USA. Since 2008, he has been Assistant Professor at the University of L’Aquila, Italy. He has published over 70 research papers in archival journals, books and refereed conference proceedings. In 2012 he was plenary speaker at the First International Conference on Systems and Computer Science. His research interests include modeling, analysis and control of hybrid, embedded, networked and distributed systems.
Elena De Santis received the degree in Electrical Engineering (cum laude) from the University of L’Aquila, L’Aquila, Italy, in 1983. From 1987 to 1998, she was an Assistant Professor with the University of L’Aquila. Since 1998 she has been teaching Optimal Control in the same University, as Associate Professor. Elena De Santis has published papers in archival journals, conferences proceedings, and book series in analysis control and optimization of constrained and uncertain dynamic systems, dynamic-model management for decision support systems, positive systems, dynamic games, hybrid and switching systems. Ms. De Santis received the Outstanding Reviewer Honorable Mention from the editorial board of IEEE Trans. on Automatic Control for 2004 and 2013. She is a member of the Executive Committee of the Center of Excellence DEWS (Architectures and design methodologies for embedded controllers, wireless interconnected and system-onchip) of the University of L’Aquila, Member of IEEE since 1999 she has been elected
182
G. Pola et al. / Automatica 86 (2017) 174–182
at the grade of Senior Member, in 2006. She is member of IFAC Technical Committee TC 1.3 on Discrete Event and Hybrid Systems. She has been the chair and/or organizer of a number of sessions and member of the program committee in the main international conferences. She is member of the Editorial Board of European Journal of Control.
Maria Domenica Di Benedetto has been Professor of Control Theory at University of l’Aquila since 1994. From 1995 to 2002, she was Adjunct Professor at the Department of EECS, University of California at Berkeley. In 1987, she was Visiting Scientist al MIT; in 1988, 1989 and 1992 Visiting Professor at the University of Michigan, Ann Arbor; in 1992 Chercheur Associé, C.N.R.S., Poste Rouge, Ecole Nationale Supérieure de Mécanique, Nantes, France; from 1990 to 1995 McKay Professor at the University of California Berkeley. Since 2002, she has been IEEE Fellow. From 2007 to 2010, she was member of the IEEE Control Systems Technical Fields Award Committee, IEEE Control Systems Society. From 2003 to 2007 she was Chair of the Standing Committee on Fellow Nominations, IEEE Control Systems Society. From 1995 to 1999, she was Associate Editor of the IEEE Transactions of Automatic Control. From 2006 to 2009, she was Associate Editor at Large of the IEEE Transactions on Automatic Control. Since 1995 she has been Subject Editor of the International Journal of Robust and Nonlinear Control. Since
2015 she has been a member of the Editorial Board of Annual Reviews in Control. Since 2016 she has been member of the Editorial Board of Nonlinear Analysis Hybrid Systems. She is the Director of the Center of Excellence for Research DEWS ‘‘Architectures and Design methodologies for Embedded controllers, Wireless interconnect and System-on-Chip’’. She has been President of the European Embedded Control Institute since 2009. She has been Member of the International Advisory Board for LCCC—Lund Center for Control of Complex engineering systems since 2010. She was Member of the scientific review panel (ICT panel) for the Swedish Research Council in 2012 and 2014. Since 2013 she has been President of the Italian Association of Researchers in Automatic Control (SIDRA). Her research interests are in the area of nonlinear, hybrid and networked systems, and applications to energy and traffic control.
Davide Pezzuti received his Master’s Degree and P.h.D. in Automation Engineering from the University of L’Aquila (Italy) in 2011 and 2015, respectively. His research is focused on Analysis and Control of Networked Complex Large-scale Systems, with emphasis on Discrete Event Systems.
Contents lists available at ScienceDirect
Automatica journal homepage: www.elsevier.com/locate/automatica
Brief paper
Design of decentralized critical observers for networks of finite state machines: A formal method approach ✩ Giordano Pola, Elena De Santis, Maria Domenica Di Benedetto, Davide Pezzuti Department of Information Engineering, Computer Science and Mathematics, Center of Excellence DEWS, University of L’Aquila, 67100 L’Aquila, Italy
article
info
Article history: Received 4 December 2014 Received in revised form 11 February 2017 Accepted 12 August 2017
Keywords: Network of finite state machines Critical observability Decentralized observers Bisimulation equivalence
a b s t r a c t Motivated by safety-critical applications in cyber–physical systems, in this paper we study the notion of critical observability and design of observers for networks of Finite State Machines (FSMs). Critical observability corresponds to the possibility of detecting if the current state of an FSM is in a given region of interest, called set of critical states. A critical observer detects on-line the occurrence of critical states. When a large-scale network of FSMs is considered, the construction of such an observer is prohibitive because of the large computational effort needed. We propose a decentralized architecture for critical observers of networks of FSMs, where on-line detection of critical states is performed by local critical observers, each associated with an FSM of the network, which do not need to interact. For the efficient design of decentralized critical observers we first extend on-the-fly algorithms traditionally used in the community of formal methods for the verification and control design of FSMs. We then extend to networks of FSMs, bisimulation theory traditionally given in the community of formal methods for single FSMs. The proposed techniques provide a remarkable computational complexity reduction, as discussed throughout the paper and also demonstrated by means of illustrative examples. © 2017 Elsevier Ltd. All rights reserved.
1. Introduction Ensuring safety in large-scale and networked safety-critical applications, as for example Air Traffic Management (ATM) systems (MAREA, 2011; Pezzuti, 2015), is a tough but challenging problem. In particular, complexity is one of the most difficult issues that must be overcome to make theoretical methodologies applicable to real industrial applications. In this paper we address the analysis of critical observability and design of observers for networks of Finite State Machines (FSMs). A network of FSMs is a collection of FSMs interacting via parallel composition. Critical observability, introduced in De Santis, Di Benedetto, Di Gennaro, D’Innocenzo, and Pola (2005), corresponds to the possibility of detecting if the current state of an FSM belongs to a set of critical states, modeling operations that may be unsafe or, in general, operations of specific interest in a particular application. Current approaches to check critical observability are based on regular language theory as in Di Benedetto, Di Gennaro, and D’Innocenzo (2008) or on the design ✩ This work has been partially supported by the Center of Excellence for Research DEWS, University of L’Aquila, Italy. The material in this paper was partially presented at the 14th annual European Control Conference, July 15–17, 2015, Linz Austria. This paper was recommended for publication in revised form by Associate Editor Jan Komenda under the direction of Editor Ian R. Petersen. E-mail addresses: [email protected] (G. Pola), [email protected] (E. De Santis), [email protected] (M.D. Di Benedetto), [email protected] (D. Pezzuti). http://dx.doi.org/10.1016/j.automatica.2017.08.025 0005-1098/© 2017 Elsevier Ltd. All rights reserved.
of the so-called critical observers (Cassandras & Lafortune, 1999; De Santis et al., 2005). The computational complexity of the first approach is polynomial in the number of states of the FSM, while the one of the second is exponential. Although disadvantageous from the computational complexity point of view, the construction of critical observers cannot be avoided at the implementation layer since it is necessary for the automatic on-line detection of critical situations. Motivated by this issue we present some results that can reduce, in some cases drastically, the computational effort in designing critical observers for large-scale networks of FSMs. We first propose a decentralized architecture for critical observers of the network, which is composed of a collection of local critical observers, each associated with an FSM of the network, which do not need to interact. Efficient algorithms for their synthesis are proposed, and based on on-the-fly techniques traditionally used for formal verification and control of FSMs (see e.g. Courcoubetis, Vardi, Wolper, & Yannakakis, 1992; Tripakis & Altisen, 1999). We then propose results on model reduction, which extend to networks of FSMs, bisimulation theory (Milner, 1989; Park, 1981) traditionally given for single FSMs. We define a bisimulation equivalence that takes into account criticalities. We then reduce the original network of FSMs to a smaller one, obtained as the quotient of the original network induced by the bisimulation equivalence. We first show that critical observability of the original network is equivalent to critical observability of the quotient network. We then show that a decentralized critical observer for the original
G. Pola et al. / Automatica 86 (2017) 174–182
network can be easily derived from the one designed for the quotient network. To the best of our knowledge, the formal methods techniques proposed in this paper have not yet been explored neither for the analysis of critical observability nor for the analysis of any other observability notion, with the only exception of Zad, Kwong, and Wonham (2003). We defer to the last section a discussion on connections with the existing literature. A full version of this paper can be found in Pola, Pezzuti, Santis, and Benedetto (2017) which also includes an application to biological networks. 2. Networks of finite state machines and critical observability 2.1. Notation and preliminary definitions The symbols ∧ and ∨ denote the And and Or logical operators, respectively. The symbol N denotes the set of nonnegative integers. Given n, m ∈ N with n < m let [n; m] = [n, m] ∩ N. The symbol |X | denotes the cardinality of a finite set X . The symbol 2X denotes the power set of a set X . Given a function f : X → Y we denote by f (Z ) the image of a set Z ⊆ X through f , i.e. f (Z ) = {y ∈ Y |∃z ∈ Z s.t. y = f (z)}; if X ′ ⊂ X and Y ′ ⊂ Y then f |X ′ →Y ′ is the restriction of f to domain X ′ and co-domain Y ′ , i.e. f |X ′ →Y ′ (x) = f (x) for any x ∈ X ′ with f (x) ∈ Y ′ . We now recall from Cassandras & Lafortune (1999) some basic notions of language theory. Given a set Σ , a finite sequence w = σ1 σ2 σ3 ... with symbols σi ∈ Σ is called a word in Σ ; the empty word is denoted by ε . The Kleene closure w ∗ of a word w is the collection of words ε , w , ww , www , ... . The symbol Σ ∗ denotes the set of all words in Σ , including the empty word ε . The concatenation of two words u, v ∈ Σ ∗ is denoted by uv ∈ Σ ∗ . Any subset of Σ ∗ is called a language. ˆ of Σ is the The projection of a language L ⊆ Σ ∗ onto a subset Σ ˆ ∗ |∃w ∈ L s.t. PΣˆ (w) = t } where PΣˆ (w) language PΣ ˆ (L) = {t ∈ Σ is inductively defined for any w ∈ L and σ ∈ Σ by PΣ ˆ (ε ) = ε and ˆ and PΣˆ (wσ ) = PΣˆ (w), otherwise. PΣ ˆ (wσ ) = PΣ ˆ (w )σ if σ ∈ Σ 2.2. Networks of finite state machines In this paper we consider the class of nondeterministic FSMs with observable labels: Definition 2.1. A Finite State Machine (FSM) M is a tuple (X , X 0 , Σ , δ ) where X is the set of states, X 0 ⊆ X is the set of initial states, Σ is the set of input labels and δ : X × Σ → 2X is the transition map. σ1
σ2
σ3
A state run r of an FSM M is a sequence x0 −→ x1 −→ x2 −→ x3 . . . such that x0 ∈ X 0 , xi ∈ X , σ i ∈ Σ and xi+1 ∈ δ (xi , σ i+1 ) for any xi and σ i in the sequence; the sequence σ 1 σ 2 σ 3 . . . is called the trace associated with r. For X ′ ⊆ ⋃ X and σ ∈ Σ , we abuse notation by writing δ (X ′ , σ ) instead of x∈X ′ δ (x, σ ). The extended transition map δˆ associated with δ is inductively defined for any ∗ ˆ ˆ w ⋃ ∈ Σ , σ ∈ Σ and x ∈ X by δ (x, ε) = {x} and δ (x, wσ ) = δ (y , σ ). The language generated by M, denoted L(M), is ˆ y∈δ (x,w ) composed by all traces generated by M, or equivalently, L(M) = {w ∈ Σ ∗ |∃x0 ∈ X 0 s.t. δˆ (x0 , w) ̸= ∅}. An FSM M is deterministic if |X 0 | = 1 and |δ (x, σ )| ≤ 1, for any x ∈ X and σ ∈ Σ . In this paper we are interested in studying whether it is possible to detect if the current state of an FSM M is or is not in a set of critical states C ⊂ X modeling operations that may be unsafe or, in general, operations of specific interest in a particular application. We refer to an FSM (X , X 0 , Σ , δ ) equipped with a set of critical states C by the tuple (X , X 0 , Σ , δ, C ) and to an FSM with outputs by a tuple (X , X 0 , Σ , δ, Y , H), where Y is the set of output labels and H : X → Y is the output function. For simplicity we call an FSM equipped with critical states or with outputs as an FSM. The operator Ac(·) extracts the accessible part from an FSM M = (X , X 0 , Σ , δ, C )
175
(resp. M = (X , X 0 , Σ , δ, Y , H)), i.e. Ac(M) = (X ′ , X 0 , Σ , δ ′ , C ′ ) (resp. Ac(M) = (X ′ , X 0 , Σ , δ ′ , Y , H ′ )) where X ′ = {x ∈ X |∃x0 ∈ X 0 ∧ w ∈ Σ ∗ s.t. x ∈ δˆ (x0 , w )}, δ ′ = δ|X ′ ×Σ →X ′ , C ′ = C ∩ X ′ and H ′ = H |X ′ →Y . Interaction among FSMs is captured by the following. Definition 2.2.) The parallel composition M1 ∥ M2 = X1,2 , X10,2 , Σ1,2 , δ1,2 , C1,2 between two FSMs M1 = (X1 , X10 , Σ1 , δ1 , C1 ) and ′,0 M2 = (X2 , X20 , Σ2 , δ2 , C2 ) is the FSM Ac(X1′ ,2 , X1,2 , Σ1′ ,2 , δ1′ ,2 ,
(
′,0
C1′ ,2 ) where X1′ ,2 = X1 × X2 , X1,2 = X10 × X20 , Σ1′ ,2 = Σ1 ∪ Σ2 ,
C1′ ,2 = (C1 × X2 ) ∪ (X1 × C2 ) and δ1′ ,2 : X1′ ,2 × Σ1′ ,2 → 2 defined for any x1 ∈ X1′ , x2 ∈ X2′ and σ ∈ Σ1′ ,2 by
X1′ ,2
is
⎧ δ1 (x1 , σ ) × δ2 (x2 , σ ), if δ1 (x1 , σ ) ̸= ∅ ∧ δ2 (x2 , σ ) ̸= ∅ ⎪ ⎪ ⎪ ⎨ ∧ σ ∈ Σ1 ∩ Σ2 , δ1 (x1 , σ ) × {x2 }, if δ1 (x1 , σ ) ̸= ∅ ∧ σ ∈ Σ1 \ Σ2 , ⎪ ⎪ ⎪{x1 } × δ2 (x2 , σ ), if δ2 (x2 , σ ) ̸= ∅ ∧ σ ∈ Σ2 \ Σ1 , ⎩ ∅, otherwise. By definition, a state (x1 , x2 ) ∈ C1,2 , i.e. (x1 , x2 ) is considered as critical for M1 ∥ M2 , if and only if x1 ∈ C1 or x2 ∈ C2 . Vice versa, (x1 , x2 ) ∈ / C1,2 if and only if x1 ∈ / C1 and x2 ∈ / C2 . It is well known that Proposition 2.3 (Cassandras & Lafortune, 1999). The parallel composition operation is commutative up to isomorphisms and associative. By the result above, we may write in the sequel M1 ∥M2 ∥M3 , X1,2,3 and C1,2,3 instead of M1 ∥(M2 ∥M3 ), X1,(2,3) and C1,(2,3) or, instead of (M1 ∥M2 )∥M3 , X(1,2),3 and C(1,2),3 . In this paper we consider a network N = {M1 , M2 , . . . , MN }
of N FSMs Mi whose interaction is captured by the notion of parallel composition; the corresponding FSM is given by M(N ) = M1 ∥ M2 ∥ · · · ∥MN . The FSM M(N ) is well defined because the composition operator ∥ is associative. For the computational complexity analysis, we will use in the sequel the number nmax = maxi∈[1;N ] |Xi | as indicator of the sizes of the FSMs composing the network N . An upper bound to space and time computational complexity in constructing M(N ) is O(2N log(nmax ) ). 2.3. Critical observability and observers Critical observability corresponds to the possibility of detecting whether the current state x of a run of an FSM is or is not critical on the basis of the information given by the corresponding trace at state x: Definition 2.4. An FSM M = (X , X 0 , Σ , δ, C ) is critically observable if [δˆ (x0 , w ) ⊆ C ] ∨ [δˆ (x0 , w ) ⊆ X \ C ], for any initial state x0 ∈ X 0 and any trace w ∈ L(M). Any FSM M having an initial state that is critical and another initial state that is not critical, is never critically observable. Moreover, if X 0 = C then FSM M is critically observable and no further analysis for the detection of critical states is needed. For these reasons in the sequel we assume that [ X 0 ⊂ C ] ∨ [ X 0 ⊆ X \ C ] for any FSM M. An illustrative example follows. Example 2.5. Consider FSMs Mi = (Xi , Xi0 , Σi , δi , Ci ), i = 1, 2, depicted in Fig. 1, where X1 = {1, 2, 3, 4} , X10 = {1}, Σ1 = {a, b, c , d}, C1 = {4}, X2 = {5, 6, 7, 8}, X20 = {5}, Σ2 = {a, b, e}, C2 = {7, 8} and transition maps δ1 and δ2 are represented by labeled arrows in Fig. 1; labels on the arrows represent the input label associated with the corresponding transition. FSM M1 is not critically observable because it is possible to reach both noncritical state 3 and critical state 4 starting from the initial state 1, by
176
G. Pola et al. / Automatica 86 (2017) 174–182
Fig. 1. FSM M1 in the left and FSM M2 in the right.
applying the same input label a. FSM M2 is critically observable because by applying traces b(ab)∗ and b(ab)∗ a to the initial state 5, the state reached is always in X2 \ C2 while by applying any trace other than the previous ones, states reached are always critical. On-line detection of critical states of critically observable FSMs can be obtained by means of critical observers, as defined hereafter. 0 Definition 2.6. A deterministic FSM Obs = (XObs , XObs , ΣObs , δObs , YObs , HObs ) with output set YObs = {0, 1} is a critical observer for an FSM M = (X , X 0 , Σ , δ , C ) if ΣObs = Σ and for any state run
σ1
σ2
σ3
r : x0 −→ x1 −→ x2 −→ x3 . . . of M, the corresponding (unique) σ1
σ2
σ3
state run rObs : z 0 −→ z 1 −→ z 2 −→ z 3 . . . of Obs is such that HObs (z i ) = 1 if xi ∈ C and HObs (z i ) = 0 otherwise, for any state z i in rObs . For later use, we report from e.g. (Cassandras & Lafortune, 1999) the following construction of observers. Definition 2.7. Given an FSM M = (X , X 0 , Σ , δ, C ), define the deterministic FSM Obs(M) as the accessible part Ac(Obs′ ) of Obs′ = 0 0 X (XObs′ , XObs ′ , ΣObs′ , δObs′ , YObs′ , HObs′ ), where XObs′ = 2 , XObs′ =
Fig. 2. Parallel composition M1 ∥ M2 of FSMs M1 and M2 .
then get [x1 ∈ δˆ 1 (x01 , PΣ1 (w ))] ∧ [x1 ∈ δˆ 1 (x1 , PΣ1 (w ))] ∧ [x2 ∈ δˆ2 (x02 , PΣ2 (w))] ∧ [x2 ∈ δˆ2 (x02 , PΣ2 (w))]. Moreover, by definition of C1,2 we then get [[x1 ∈ X1 \ C1 ] ∧ [x2 ∈ X2 \ C2 ]] ∧ [[x1 ∈ C1 ] ∨ [x2 ∈ C2 ]]. Hence, either M1 or M2 is not critically observable and a contradiction holds. ■ 0
The converse implication is not true in general, as shown in the following example. Example 3.2. Consider FSMs M1 and M2 in Example 2.5 and depicted in Fig. 1. As discussed in Example 2.5, FSM M2 is critically observable while FSM M1 is not. It is readily seen that FSM M1 ∥ M2 , depicted in Fig. 2, is critically observable because by applying traces b((cd)∗ ab)∗ and b(cd)∗ a(b(cd)∗ a)∗ to the initial state (1, 5), the state reached is always in X1,2 \ C1,2 and by applying any trace other than the previous ones, states reached are always in C1,2 .
′
{X 0 }, ΣObs′ = ⋃ Σ , δObs′ : XObs′ × ΣObs′ → 2XObs is defined by δObs′ (z , σ ) = { x∈z δ (x, σ )}, YObs′ = {0, 1} and HObs′ (z) = 1 if z ∩ C ̸ = ∅ and HObs′ (z) = 0, otherwise. An upper bound to the space and time computational complexity in constructing Obs(M) for an FSM M with n = |X | states is O(2n ) from which, an upper bound to the space and time computational N log(nmax ) complexity in constructing Obs(M(N )) is O(22 ). A direct consequence of Definition 2.4, 2.6 and 2.7 is the following:
As a consequence, critical observability of each FSM composing N is not necessary for M(N ) to be critically observable. The intuition behind the example above is that parallel composition reduces the behavior of the involved FSM and therefore can prevent not detectable critical situations from occurring. We now show how decentralized observers can be used for detecting critical states of the network of FSMs M(N ). The notion of isomorphism will be used:
3. Design of decentralized critical observers
Definition 3.3. Two FSMs Mi = (Xi , Xi0 , Σi , δi , Yi , Hi ), i = 1, 2, are isomorphic, denoted M1 =iso M2 , if Σ1 = Σ2 , Y1 = Y2 and there exists a bijective function φ : X1 → X2 , such that: (i) φ (X10 ) = X20 ; (ii) φ (X1 ) = X2 ; (iii) φ (δ1 (x1 , σ )) = δ2 (φ (x1 ), σ ), for any accessible state x1 ∈ X1 of M1 and σ ∈ Σ1 ; (iv) H1 (x1 ) = H2 (φ (x1 )), for any x1 ∈ X1 .
In this section we propose a decentralized architecture for critical observers. We start with the following:
Proposition 3.4. Given FSMs Mi (i ∈ [1; 4]), if M1 =iso M2 and M3 =iso M4 then M1 ∥M3 =iso M2 ∥M4 .
Proposition 2.8. The following statements are equivalent: (i) M is critically observable; 0 (ii) Obs(M) = (XObs , XObs , ΣObs , δObs , YObs , HObs ) is a critical observer for M; (iii) For any z ∈ XObs , if HObs (z) = 1 then z ⊆ C .
Proposition 3.1. If FSMs M1 and M2 are critically observable then FSM M1 ∥ M2 is critically observable. Proof. Set Mi = , , Σi , δi , Ci , i = 1, 2. By contradiction, assume that M1 ∥ M2 is not critically observable. Thus, there exists 0 0 a pair of state runs r1 and r2 with initial states (x01 , x02 ), (x1 , x2 ) ∈ 0 0 0 X1,2 and common trace w such that [(x1 , x2 ) ∈ δˆ 1,2 ((x1 , x2 ), w )] ∧
(
Xi Xi0
)
[(x1 , x2 ) ∈ δˆ1,2 ((x01 , x02 ), w)] and [(x1 , x2 ) ∈ X1,2 \ C1,2 ] ∧ [(x1 , x2 ) ∈ C1,2 ]. By definition of the projection operator PΣi (·) we
Given N , consider the collection of FSMs 0 Obs(Mi ) = (XObs,i , XObs ,i , Σi , δObs,i , YObs,i , HObs,i ),
(1)
each associated to the FSM Mi and define the decentralized observer Obsd (N ) = Obs(M1 )∥ · · · ∥Obs(MN ) with output set Y ⋁Obsd = {0, 1} and output function HObsd (z1 , z2 , . . . , zN ) = i∈[1;N ] HObsi (zi ). The following result shows that the decentralized observer Obsd (N ) can be used for detecting on-line critical states of the FSM M(N ).
G. Pola et al. / Automatica 86 (2017) 174–182
177
Theorem 3.5. Obsd (N )=iso Obs(M(N )). Proof. We start by showing the result for the network N ′ = {M1 , M2 } where Mi = (Xi , Xi0 , Σi , δi , Ci ), i.e. Obs(M1 )∥Obs(M2 )=iso Obs(M1 ∥M2 ).
(2)
Let Obsd (N ′ ) = (XObsd , X 0 d , ΣObsd , δObsd , YObsd , HObsd ) and Obs 0 Obs(M(N ′ )) = (XObs , XObs , ΣObs , δObs , YObs , HObs ). Define φ : XObsd → XObs such that φ ((z1 , z2 )) = z1 × z2 , for any (z1 , z2 ) ∈ XObsd with zi ∈ XObs,i . First of all note that ΣObsd = ΣObs = Σ1 ∪ Σ2 and YObsd = YObs = {0, 1}. Moreover, with reference to Definition 3.3, we get: Condition (i). By Definitions 2.2 and 2.7 we get φ (X 0 d ) = Obs 0 0 0 0 0 0 φ (XObs ,1 × XObs,2 ) = φ ({X1 } × {X2 }) = φ ({(X1 , X2 )}) = 0 0 0 0 0 {φ ((X1 , X2 ))} = {X1 × X2 } = XObs . Conditions (ii) and (iii). We proceed by induction and show that if φ ((z1 , z2 )) = z1 × z2 for a pair of accessible states (z1 , z2 ) ∈ XObsd and z1 × z2 ∈ XObs then φ (δObsd ((z1 , z2 ), σ )) = δObs (φ ((z1 , z2 )), σ ), for any σ ∈ Σ1 ∪ Σ1 . With reference to Definition 2.2, we have three cases: (case 1) σ ∈ Σ1 ∩ Σ2 , (case 2) σ ∈ Σ1 \ Σ2 , and (case 3) σ ∈ Σ2 \ Σ1 . We start with case 1. By Definitions σ ) = δObs (z1 × z2 , σ ) = ⋃ 2.2 and 2.7 we get δObs (φ ((z1 , z2 )),⋃ { (x1 ,x2 )∈z1 ×z2 δ1⋃ = σ) × ,2 ((x1 , x2 ), σ )} ⋃ { (x1 ,x2 )∈z1 ×z2 δ1 (x1 ,⋃ δ2 (x2 , σ )} ⋃= { x1 ∈z1 δ1 (x1 , σ ) × x2 ∈z2 δ2 (x2 , σ )} = {φ ( x1 ∈z1 δ1 (x1 , σ ), x2 ∈z2 ⋃ ⋃ = δ2 (x⋃ = φ ({⋃ ( x ∈z δ1 (x1 , σ ), x ∈z δ2 (x2 , σ ))}) 2 , σ ))} 2 2 1 1 φ ({ x1 ∈z1 δ1 (x1 , σ )} × { x2 ∈z2 δ2 (x2 , σ )}) = φ (δObs,1 (z1 , σ ) × δObs,2 (z2 , σ )) = φ (δObsd ((z1 , z2 ), σ )). Cases 2 and 3 can be shown by using similar arguments. Condition (iv). Suppose HObsd (z1 , z2 ) = 1. By definition of HObsd (.) we get that [HObs,1 (z1 ) = 1] ∨ [HObs,2 (z2 ) = 1], or by Definition 2.7 equivalently that [z1 ∩ C1 ̸ = ∅] ∨ [z2 ∩ C2 ̸ = ∅]. By definition of the set C1,2 , the last conditions imply that z1 × z2 ∩ C1,2 ̸ = ∅ which by Definition 2.6, implies HObs (z1 × z2 ) = 1. Suppose now HObsd (z1 , z2 ) = 0. By definition of HObsd (.) we get that [HObs,1 (z1 ) = 0]∧[HObs,2 (z2 ) = 0], or by Definition 2.7 equivalently that [z1 ∩ C1 = ∅] ∧ [z2 ∩ C2 = ∅]. The last conditions imply that z1 ×z2 ∩C1,2 = ∅ which, by Definition 2.7, implies HObs (z1 ×z2 ) = 0. Hence, the isomorphic equivalence in (2) is proven. We now generalize (2) to the case of a generic network N = {M1 , M2 , . . . , MN }. By applying recursively the equivalence in (2) and by Proposition 3.4, we get Obs(M(N )) = Obs(M1 ∥ (M2 ∥ M3 ∥ · · · ∥MN ))=iso Obs(M1 ) ∥ Obs(M2 ∥ (M3 ∥ · · · ∥MN ))=iso Obs (M1 ) ∥ Obs(M2 )∥Obs(M3 ∥ · · · ∥MN )=iso ...=iso Obs(M1 )∥ Obs(M2 ) ∥ · · · ∥Obs(MN ) = Obsd (N ). ■ In the sequel, we will refer to the FSM Obsd (N ) satisfying condition (iii) of Proposition 2.8 as a decentralized critical observer for N . Fig. 3 shows a possible implementation architecture for Obsd (N ). Observer Obsd (N ) can be obtained as a bank on N local observers Obs(Mi ) that act asynchronously. Each local observer Obs(Mi ) takes as input the trace wi ∈ L(Mi ) generated by Mi in response to the input word w , and sends the output boolean values yi to the OR (static) block. The OR block acts as a coordinator and whenever it receives one or more boolean values yi as inputs, it outputs boolean value y as the logical operation or among yi . Note that this architecture does not require the explicit construction of the parallel composition of local observers Obs(Mi ). As a consequence, local observers do not need to interact. Since space and time computational complexity in constructing Obsd (N ) is O(2nmax N ), a direct consequence of Theorem 3.5 is: Corollary 3.6. An upper bound to space and time computational complexity in constructing Obs(M(N )) is O(2nmax N ).
Fig. 3. A possible architecture for the decentralized observer Obsd (N ).
N log(nmax )
Note that the upper bound above is lower than O(22 ). From Proposition 2.8 and Theorem 3.5, one way to check critical observability and to design decentralized observers of M(N ) is illustrated in Algorithm 1. Algorithm 1 has space and time computational complexity O(2nmax N ). It can be improved from the computational point of view, because: Algorithm 1 Check of critical observability of M(N ). 1: Construct N local observers Obs(Mi ); 2: Compose the N local observers Obs(Mi ) to get Obsd (N ); 3: Apply Proposition 2.8 to Obsd (N ).
(D1) It constructs the whole local observer Obs(Mi ) for each Mi . A more efficient algorithm would construct, for each Mi , only the sub-FSM of Obs(Mi ) that is interconnected with the other local observers in Obsd (N ). (D2) It constructs the whole observer Obsd (N ), which is not required at the implementation layer (see Fig. 3). A more efficient algorithm would check critical observability on the basis of local observers. (D3) It first constructs Obsd (N ) before checking if states z of Obsd (N ) satisfy condition (iii) of Proposition 2.8. A more efficient algorithm would conclude that N is not critically observable when the first state z not satisfying condition (iii) of Proposition 2.8, shows up. In order to cope with the aforementioned drawbacks, we now present a procedure that integrates each step of Algorithm 1 in one algorithm. This procedure extends on-the-fly algorithms for verification and control of FSMs (see e.g. Courcoubetis et al., 1992) to the design of decentralized critical observers and is reported in Algorithm 2. Algorithm 2 makes use of the notion of projected local observers. The projection π |Obs(Mi ) (Obsd (M(N ))) of Obsd (M(N )) onto 0 ′ Obs(Mi ), as in (1), is defined as the FSM Ac(XObs ,i , XObs,i , Σi , δObs,i , ′ YObs,i , HObs,i ) where XObs,i contains states zi ∈ XObs,i for which there exist states zj ∈ XObs,j , j ∈ [1; N ], j ̸ = i such that (z1 , z2 , . . . , zN ) is a state of Obsd (M(N )). The input of Algorithm 2 is the collection of FSMs Mi of N . The output is the collection of projected local observers π |Obs(Mi ) (Obsd (N )) if M(N ) is critically observable. In line 2, the initial state and the output set of the projected local observers are defined and their sets of states XObs,i are initialized to contain only the initial states. At each iteration, the algorithm processes candidate new states of π |Obs(Mi ) (Obsd (N )) and adds them to XObs,i whenever they are compatible with the parallel composition of π |Obs(Mj ) (Obsd (N )) with j ̸= i. For each aggregate (z1 , z2 , . . . , zN ) temp
in the temporary set XObs and for each σ ∈ Σ1 ∪ Σ2 ∪ ... ∪ ΣN (lines 5 and 6), first, successors zi+ of states zi in Mi are computed
178
G. Pola et al. / Automatica 86 (2017) 174–182
(lines 7–12); in particular, if δi (xi , σ ) is defined (note that maps δi are in general partial) then zi+ is set in line 9 to δi (xi , σ ); otherwise it is set in line 11 to zi . If in line 14, according to the definition of the transition map of Obsd (N ), there is a transition in Obsd (N ) from aggregate (z1 , z2 , . . . , zN ) to aggregate (z1+ , z2+ , . . . , zN+ ) with input label σ , then (z1+ , z2+ , . . . , zN+ ) is further processed. Note that we are not storing information computed in line 14 on the transition map of Obsd (N ) but only states of Obsd (N ) which cannot be avoided for computing the projections π|Obs(Mi ) (Obsd (N )). By this fact, Algorithm 2 overcomes drawback (D2) of Algorithm 1. Algorithm 2 first checks in line 15 if the aggregate (z1+ , z2+ , . . . , zN+ ) was not processed before. If so, line 16 is processed. By definition of output function HObsd , condition (z1+ , z2+ , . . . , zN+ ) ̸ ⊆ X1,2,...,N \ C1,2,...,N implies HObsd (z1+ , z2+ , . . . , zN+ ) = 1 which, combined with condition (z1+ , z2+ , . . . , zN+ ) ̸ ⊆ C1,2,...,N , implies that condition (iii) of Proposition 2.8 is not satisfied. Hence, by applying Proposition 2.8, if (z1+ , z2+ , . . . , zN+ ) satisfies such a condition, the algorithm immediately terminates in line 17, concluding that N is not critically observable. By this fact, Algorithm 2 overcomes drawback (D3) of Algorithm 1. If (z1+ , z2+ , . . . , zN+ ) does not satisfy condition in line temp 16, it is added to ZObs in line 19; the set of states XObs,i and the transition map δObs,i of π |Obs(Mi ) (Obsd (N )) are updated in lines 22 and 23. Note that since δObs,i is updated only if condition in line 14 holds, then Algorithm 2 constructs step-by-step π|Obs(Mi ) (Obsd (N )) and not Obs(Mi ). By this fact, Algorithm 2 overcomes drawback (D1) of Algorithm 1. The outputs of states zi+ are set in lines 24–27. temp temp temp In line 35, set XObs is updated to XObs ∪ ZObs and set XObs to ZObs ; the next iteration then starts. Algorithm 2 terminates when there temp are no more states in XObs to be processed (see line 5) or condition in line 16 is satisfied. From the explanation above, it is clear that Algorithm 2 terminates in a finite number of states and that in the worst case, the computational complexity of Algorithm 2 is the same as the one in Algorithm 1, i.e. O(2nmax N ). This is typical for on-the-fly based algorithms. However, there are practical cases in which Algorithm 2 performs better than Algorithm 1 as illustrated by two examples in the end of the next section. 4. Model reduction via bisimulation In this section we use bisimulation equivalence (Milner, 1989; Park, 1981) to reduce the computational complexity in checking critical observability and designing observers. 0 Definition 4.1. Two ( ) FSMs M1 = X1 , X1 , Σ1 , δ1 , C1 and M2 = 0 X2 , X2 , Σ2 , δ2 , C2 are bisimilar, denoted by M1 ∼ = M2 , if Σ1 = Σ2 and there exists a relation R ⊆ X1 × X2 , called bisimulation relation, such that for any (x1 , x2 ) ∈ R the following conditions are satisfied: (i) x1 ∈ X10 if and only if x2 ∈ X20 ; (ii) for any σ ∈ Σ1 such that δ1 (x1 , σ ) ̸ = ∅ and for any + + + x+ 1 ∈ δ1 (x1 , σ ) there exists x2 ∈ δ2 (x2 , σ ) such that (x1 , x2 ) ∈ R; (iii) for any σ ∈ Σ2 such that δ2 (x2 , σ ) ̸ = ∅ and for any + + + x+ 2 ∈ δ2 (x2 , σ ) there exists x1 ∈ δ1 (x1 , σ ) such that (x1 , x2 ) ∈ R; (iv) x1 ∈ C1 if and only if x2 ∈ C2 .
(
)
The notion of bisimulation equivalence above slightly differs from the classical one (Milner, 1989; Park, 1981) because of the additional condition (iv), which allows us to establish the following. Proposition 4.2. If FSMs M1 and M2 are bisimilar then: (i) M1 is critically observable if and only if M2 is critically observable; (ii) An FSM Obs is a critical observer for M1 if and only if it is a critical observer for M2 .
Algorithm 2 Integrated design of decentralized observers 1: Input: FSMs Mi = (Xi , Xi0 , Σi , δi , Ci ), with i ∈ [1; N ];
0 0 2: Init: XObs,i := {Xi0 }, XObs ,i := {Xi }, YObs,i := {0, 1} for any i ∈ [1; N ]; XObs := temp
{(X10 , X20 , ..., XN0 )}; XObs := XObs ; temp
3: while XObs temp
̸= ∅ do
4:
ZObs
5: 6: 7: 8: 9: 10: 11: 12: 13: 14:
for all (z1 , z2 , ..., zN ) ∈ XObs do for all σ ∈ Σ1 ∪ Σ2 ∪ ... ∪ ΣN do for all i ∈ [1; N ] do if δi (zi , σ ) is defined then zi+ := δi (zi , σ ); else zi+ := zi ; end if end for + )} then if δObsd ((z1 , z2 , ..., zN ), σ ) = {(z1+ , z2+ , ..., zN
15: 16: 17: 18: 19: 20: 21:
:= ∅ temp
+ )∈ / XObs then if (z1+ , z2+ , ..., zN + + + ⊈ C1,2,...,N ] ∧ [z1+ × z2+ × ... × zN+ ⊈ if [z1 × z2 × ... × zN X1,2,...,N \C1,2,...,N ] then BREAK: M(N ) is not critically observable; end if temp temp + )} ; ZObs := ZObs ∪ {(z1+ , z2+ , ..., zN for all i ∈ [1; N ] do + + / XObs,i ] then if [zi ̸ = ∅] ∧ [zi ∈
XObs,i := XObs,i ∪ {zi+ }; δObs,i (zi , σ ) := {zi+ };
22: 23:
if zi+ ⊆ Ci then
24:
25: HObs,i (zi+ ) := 1; 26: else 27: HObs,i (zi+ ) := 0; 28: end if 29: end if 30: end for 31: end if 32: end if 33: end for 34: end for temp temp temp 35: XObs := XObs ∪ ZObs , XObs := ZObs ; 36: end while 37: output: M(N ) is critically observable;
Projected local observers π|Obs(M ) (Obsd (N )) i YObs,i , HObs,i ).
0 (XObs,i , XObs ,i , Σi , δObs,i ,
=
Proof. Set Mi = (Xi , Xi0 , Σi , δi , Ci ), i = 1, 2 and let R be a bisimulation relation between M1 and M2 . Proof of (i). By contradiction assume that M1 is critically observable and M2 is not critically observable. Hence, there exist a pair 0 of state runs of M2 with initial states x02 , x2 ∈ X20 , common trace 0 w ∈ L(M2 ), and states x2 ∈ δˆ2 (x2 , w), x2 ∈ δˆ2 (x02 , w) such that x2 ∈ C2 ∧ x2 ∈ X2 \ C2 .
(3)
Since M1 ∼ = M2 , there exist a pair of state runs of M1 with initial 0 states x01 , x1 ∈ X10 , common trace w ∈ L(M1 ) and states x1 ∈ 0 δˆ1 (x1 , w), x1 ∈ δˆ1 (x01 , w) such that (x1 , x2 ), (x1 , x2 ) ∈ R which, by (3) and condition (iv) in Definition 4.1, implies x1 ∈ C1 and x1 ∈ X1 \C1 . Thus, M1 is not critically observable and a contradiction holds. Proof of (ii). By contradiction assume that Obs is a critical observer for M1 but not for M2 . By Definition 2.6, there exist a state σ1
σ2
σ3
run r2 : x02 −→ x12 −→ x22 −→ x32 . . . of M2 and the corresponding σ1
σ3
σ2
(unique) state run rObs : z 0 −→ z 1 −→ z 2 −→ z 3 . . . of Obs such that
[HObs (z i ) = 1 ∧ xi2 ∈ / C2 ] ∨ [HObs (z i ) = 0 ∧ xi2 ∈ C2 ], i
for some i. Suppose first HObs (z ) = 1 ∧ σ1
σ2
xi2
(4)
∈ / C2 . By Definition 4.1, σ3
there exists a state run r1 : −→ −→ −→ x31 . . . of M1 such i i that (x1 , x2 ) ∈ R for all i. In particular for i = i we get by condition (iv) of Definition 4.1 that xi1 ∈ / C1 from which, Obs is not a critical x01
x11
x21
G. Pola et al. / Automatica 86 (2017) 174–182
observer for M1 and a contradiction holds. The second case in (4) can be proven by using the same arguments. ■ Space and time computational complexities in checking bisimulation equivalence between M1 and M2 with |X1 | = n1 and |X2 | = n2 states are O(n21 + n22 ) and O((n21 + n22 ) log(n1 + n2 )), respectively, see e.g. (Paige & Tarjan, 1987). Bisimulation equivalence is an equivalence relation on the class of FSMs. We now define the network of FSMs N min as the quotient of the original network N induced by the bisimulation equivalence. More precisely given N , define the following equivalence classes induced by the bisimulation equivalence: E1 = {Mi(1,1) , Mi(1,2) , . . . , Mi(1,n1 ) }, E2 = {Mi(2,1) , Mi(2,2) , . . . , Mi(2,n2 ) },
...,
EN min = {Mi(N min ,1) , Mi(N min ,2) , . . . , Mi(N min ,nN min ) }, such that N = {Mi(k,j) }j∈[1;nk ],k∈[1;N min ] and Mi(k,j1 ) , Mi(k,j2 ) ∈ Ek if and only if Mi(k,j1 ) ∼ = Mi(k,j2 ) . Denote by Mimin ∈ Ek a reprek sentative of the equivalence class Ek and define the network of FSMs N min = {Mimin , Mimin , . . . , Mimin }, with M(N min ) = Mimin ∥ 1
2
N min
1
Mimin ∥ · · · ∥Mimin . We now show that the proposed reduced net2
N min
work M(N min ) preserves the critical observability properties of the original network M(N ). The forthcoming results rely upon the following technical results. Lemma 4.3. Consider FSMs Mi = (Xi , Xi0 , Σi , δi , Ci ) with i ∈ [1; 3] and suppose that M2 and M3 are bisimilar. Then an FSM Obs is a critical observer for M1 ∥ M2 if and only if it is a critical observer for M1 ∥M2 ∥M3 . Proof. Let Obs = , , ΣObs , δObs , YObs , HObs ) and R23 be a bisimulation relation between M2 and M3 . (Sufficiency.) By contradiction assume that Obs is not a critical observer for M1 ∥M2 ∥M3 . 0 (XObs XObs
σ1
By Definition 2.6, there exist a state run r : (x01 , x02 , x03 ) −→ σ2
σn
(x11 , x12 , x13 ) −→ ... −→ (xn1 , xn2 , xn3 ) of M1 ∥M2 ∥M3 and the correσ1
σ2
σn
sponding state run rObs : z 0 −→ z 1 −→ . . . −→ z n of Obs such that (case 1) [(xn1 , xn2 , xn3 ) ∈ / C1,2,3 ∧ HObs (z n ) = 1] or (case n n n 2) [(x1 , x2 , x3 ) ∈ C1,2,3 ∧ HObs (z n ) = 0]. Construct the sequence σ2
σ1
σn
r1,2 : (x01 , x02 ) −→ (x11 , x12 ) −→ ... −→ (xn1 , xn2 ), where r1,2 has been obtained by removing the third component in the states of run r. It is readily seen that r1,2 is a state run of M1 ∥ M2 . Construct the σ1
σ2
σn
sequence rˆ1,2 : (x01 , xˆ 02 ) −→ (x11 , xˆ 12 ) −→ . . . −→ (xn1 , xˆ n2 ) such that (xˆ i2 , xi3 ) ∈ R23 for any i ∈ [0; n]. By construction, rˆ1,2 is a state / run of M1 ∥ M2 . We start by considering case 1. Since (xn1 , xn2 , xn3 ) ∈ C1,2,3 then xn1 ∈ / C1 and xn2 ∈ / C2 from which, the last state (xn1 , xn2 ) of run r1,2 is such that (xn1 , xn2 ) ∈ / C1,2 . Since HObs (z n ) = 1, FSM Obs is not a critical observer for M1 ∥ M2 and a contradiction holds. We now consider case 2. Since (xn1 , xn2 , xn3 ) ∈ C1,2,3 then (case 2.1) [xn1 ∈ C1 ∨ xn2 ∈ C2 ] or (case 2.2) xn3 ∈ C3 . We start by considering case 2.1. Since [xn1 ∈ C1 ∨ xn2 ∈ C2 ] or equivalently, the last state (xn1 , xn2 ) of run r1,2 is such that (xn1 , xn2 ) ∈ C1,2 and by assumption HObs (z n ) = 0, a contradiction holds. We conclude with case 2.2. Since xn3 ∈ C3 , by definition of run rˆ1,2 , state xˆ n2 ∈ C2 which implies that the last state (xn1 , xˆ n2 ) of run rˆ1,2 is such that (xn1 , xˆ n2 ) ∈ C1,2 . This last condition combined with the assumed condition HObs (z n ) = 0, leads to a contradiction, as well. (Necessity.) By contradiction assume that Obs is not a critical observer for M1 ∥ M2 . By Definition 2.6, there exist a state run r :
σ1
σ2
σn
(x01 , x02 ) −→ (x11 , x12 ) −→ . . . −→ (xn1 , xn2 ) of
M1 ∥ M2 and the corresponding state run rObs : σn
σ1
σ2
z 0 −→ z 1 −→
... −→ z n of Obs such that (case 1) [(xn1 , xn2 ) ∈ / C1,2 ∧ HObs (z n ) = 1] or (case 2) [(xn1 , xn2 ) ∈ C1,2 ∧ HObs (z n ) = 0]. Construct the sequence σ1
σ2
σn
r ′ : (x01 , x02 , x03 ) −→ (x11 , x12 , x13 ) −→ . . . −→ (xn1 , xn2 , xn3 ), where
179
(xi2 , xi3 ) ∈ R23 for any i ∈ [0; n]. By construction r ′ is a state run of M1 ∥M2 ∥M3 . We start by considering case 1. By condition (iv) of Definition 4.1, we get [ (xn1 , xn2 ) ∈ / C1,2 ] iff [ xn1 ∈ / C1 ∧ xn2 ∈ / C2 ] iff n n n n n [ x1 ∈ / C 1 ∧ x2 ∈ / C 2 ∧ x3 ∈ / C3 ] iff [ (x1 , x2 , xn3 ) ∈ / C1,2,3 ]. Since HObs (z n ) = 1, FSM Obs is not a critical observer for M1 ∥M2 ∥M3 and a contradiction holds. We now consider case 2. By condition (iv) of Definition 4.1, we get [ (xn1 , xn2 ) ∈ C1,2 ] iff [ xn1 ∈ C1 ∨ xn2 ∈ C2 ] iff [ xn1 ∈ C1 ∨ xn2 ∈ C2 ∨ xn3 ∈ C3 ] iff [ (xn1 , xn2 , xn3 ) ∈ C1,2,3 ]. Since HObs (z n ) = 0, FSM Obs is not a critical observer for M1 ∥M2 ∥M3 and a contradiction holds. ■ Corollary 4.4. Consider FSMs Mi = (Xi , Xi0 , Σi , δi , Ci ) with i ∈ [1; 3] and suppose that M2 and M3 are bisimilar. Then M1 ∥ M2 is critically observable if and only if M1 ∥M2 ∥M3 is critically observable. Proof. The result follows by combining Proposition 2.8 and Lemma 4.3. ■ We now have all the ingredients to present the main results of this section. Theorem 4.5. M(N ) is critically observable if and only if M(N min ) is critically observable. Proof. By applying Corollary 4.4, for any Mi(N min ,j) ∈ N \ N min , FSM M(N min ) = (Mimin ∥Mimin ∥ ... ∥ Mimin ) ∥ Mimin is criti1
2
N min −1
N min
cally observable if and only if FSM (Mimin ∥ Mimin ∥ · · · ∥Mimin 1
2
N min −1 i(N min ,j)
∥Mimin ∥Mi(N min ,j) is critically observable (recall that M N min
Mimin
N min
for any j ∈ [1; nN
min
)
∼ =
]). Hence, by applying recursively
Corollary 4.4 to all other FSMs Mi(k,j) ∈ N \ N min and by making use of Proposition 2.3 to properly rearrange terms in the composed FSM, the result follows. ■ Theorem 4.6. Obs(M(N min )) is a critical observer for M(N min ) if and only if it is a critical observer for M(N ). Proof. By applying Lemma 4.3, Obs(M(N min )) is a critical observer for M(N min ) = (Mimin ∥ Mimin ∥ · · · ∥ Mimin ) ∥ Mimin 1
2
N min −1
if and only if it is a critical observer for (Mimin ∥ Mimin ∥ · · · ∥Mimin 1
2
∥Mimin ∥Mi(N min ,j) for any FSMs Mi(N min ,j) ∈ N \ N N min
Mi(N min ,j) ∼ = Mimin
N min
for any j ∈ [1; n
N min
min
N min
N min −1
)
(recall that
]). Hence, by applying
recursively Lemma 4.3 to all other FSMs M ∈ N \ N min and by making use of Proposition 2.3 to properly rearrange terms in the composed FSM, the result follows. ■ The results above reduce the computational complexity effort since they show that it is possible to consider the reduced network N min to check critical observability and to design critical observers for the original network N . Results above and in Section 3 can be combined together as illustrated in Algorithm 3. As a consequence of Proposition 4.2 (ii), the composition of local observers computed in line 8 of Algorithm 3 is a decentralized critical observer for N . We now provide a computational complexity analysis. We focus on computational complexity with respect to parameters nmax , N and N min . A traditional approach to check critical observability of the network N = {M1 , M2 , . . . , MN } consists in computing Obs(M(N )), whose space and time computational complexity by Corollary 3.6 is O(2nmax N ), as reported in the second column of Table 1. Computational complexity analysis of Algorithm 3 follows. In line 1, one needs to check bisimulation equivalence between any pair of FSMs Mi , Mj in N whose space computational complexity is O(n2max N) and time computational complexity is O(n2max N 2 log(nmax )). Space and time computational complexities
180
G. Pola et al. / Automatica 86 (2017) 174–182
Table 1 Computational complexity analysis. Complexity
Obs(M(N ))
Obsd (N min )
Space
O(2nmax N )
O(n2max N + 2nmax N
Time
O(2
nmax N
O(n2max N 2
)
min
)
log(nmax ) + 2nmax N
min
)
min
associated with line 2 are O(2nmax N ) and those with line 8 are zero. Resulting computational complexity bounds are reported in the third column of Table 1. We conclude this section with two illustrative examples. In both examples, the goal is to check if a network N is critically observable and if so, to design a decentralized critical observer for N . For this purpose we apply Algorithm 3. In the sequel, space complexity of an FSM is computed as S1 + S2 where S1 is the sum of the data needed to be stored for each transition and S2 is the number of output data associated with states. Date stored for a transition from a state (z1 , z2 , . . . , zm ) to + a state (z1+ , z2+ , . . . , zm + ) with a given input label are counted as ∑ ∑ + | z |+ | + i i∈[1;m] i∈[1;m ] zi |+1. Time complexity is computed as the number of transitions generated in composed FSMs and observers, which represent macro iterations in the algorithms.
Fig. 4.
Projected local observers π|Obs(M1 ) (Obsd (N min )) in the left and
π |Obs(M2 ) (Obsd (N min )) in the right.
Algorithm 3 Integrated design of decentralized observers with model reduction 1: 2: 3: 4: 5: 6: 7: 8:
Compute the network N min ; Apply Algorithm 2 to N min ; if M(N min ) is not critically observable then BREAK: M(N ) is not critically observable; else M(N ) is critically observable; end if Define projected local observers
π|Obs(Mi(k,j) ) (Obsd (N ))
Fig. 5. FSM M5 .
=
π |Obs(M min ) (Obsd (N min )) for any j ∈ [1; nk ], k ∈ [1; N min ]. i
k
Example 4.7. Consider N = {M1 , M2 , M3 , M4 } where FSMs M1 and M2 are depicted in Fig. 1 and FSMs M3 and M4 in Fig. 6, and apply Algorithm 3. (Line 1.) It is easy to see that FSMs M1 and M3 are bisimilar with bisimulation relation R13 = {(1, 9), (2, 10), (3, 11), (3, 12), (4, 13)} and that FSMs M2 and M4 are bisimilar with bisimulation relation R24 = {(5, 14), (6, 15), (7, 16), (7, 17), (7, 18), (8, 16), (8, 17), (8, 18)}. Equivalence classes induced by the bisimulation equivalence on N are E1 = {M1 , M3 } and E2 = {M2 , M4 }. The resulting network N min can be chosen as {M1 , M2 }. (Line 2.) By applying Algorithm 2 we get that N min is critically observable. The resulting projected local observers π |Obs(M1 ) (Obsd (N min )) and π|Obs(M2 ) (Obsd (N min )) are depicted in Fig. 4. (Line 8.) Define π |Obs(Mi ) (Obsd (N )) as π|Obs(M1 ) (Obsd (N min )) for i = 1, 3 and as π |Obs(M2 ) (Obsd (N min )) for i = 2, 4. Space and time complexities in constructing projected local observers are 54 and 8. A traditional approach would first construct explicitly M(N ) and then construct Obs(M(N )). The number of states of M(N ) is 21 and the one of Obs(M(N )) is 6. Resulting space and time complexities are 633 and 39. Example 4.8. Consider N = {M1 , M2 , M3 , M4 , M5 } where FSMs Mi , i ∈ [1; 4] are as in Example 4.7 and M5 is depicted in Fig. 5 with C5 = {20}, and apply Algorithm 3. (Line 1.) It is easy to see that for any i ∈ [1; 4], FSMs M5 and Mi are not bisimilar from which, N min can be chosen as {M1 , M2 , M5 }. (Line 2.) In the first iteration of Algorithm 2, starting from the initial state z = ({1}, {5}, {19}) with label b, state z + = ({2}, {6}, {20, 21}) is reached. Since state z + does not satisfy the condition in line 12 of Algorithm 2, Algorithm 2 terminates from which, Algorithm 3 terminates as well, giving as output that N is not critically observable. Data stored in line 1 of Algorithm 2 are 72 while those in lines 2–9 are 19 from which, space complexity at line 12 is 91. Since Algorithm 2 terminates at
Fig. 6. FSM M3 in the left and FSM M4 in the right.
the first iteration and no transitions are generated, time complexity is evaluated as 0. A traditional approach would first construct explicitly M(N ) to then construct Obs(M(N )). The number of states of M(N ) is 24 and the one of Obs(M(N )) is 6. Resulting space and time complexities are 895 and 39. 5. Discussion An exhaustive review of the relationships between our observability notion and related notions existing in the literature is out of the scope of the present paper. For the sake of completeness, we establish here a classification and comparisons. The ‘‘observability’’ notions can be roughly categorized along the following directions: language (L) vs. state space (S) based notions; centralized (C) vs. decentralized (D) architectures; notions employed for purely analysis purposes (A) vs. notions instrumental to address control design (CD). Among others, we recall here: within (L)–(C)–(A) the notions of language observability (Lin & Wonham, 1988) and of diagnosability (Sampath, Sengupta, Lafortune, Sinnamohideen, & Teneketzis, 1995); within (L)–(C)–(CD) optimal sensor activation in Wang, Lafortune, Girard, and Lin (2010); Wang, Lafortune, Lin, and Girard (2010); within (L)–(D)–(A) the notion of co-diagnosability in e.g. (Contant, Lafortune, & Teneketzis, 2006; Debouk, Malik, & Brandin, 2002; Schmidt, 2013; Su & Wonham, 2005; Zhou, Kumar, & Sreenivas, 2008), extending the one of diagnosability to a decentralized
G. Pola et al. / Automatica 86 (2017) 174–182
setting; within (L)–(D)–(CD) the notion of co-observability (Rudie & Wonham, 1989) extending the one of language observability to a decentralized setting, and the work (Wang, Girard, Lafortune, & Lin, 2011) proposing an extension of the notion of co-observability to dynamic observations in controlled DESs and results for translating co-observability problems into co-diagnosability problems; within (S)–(C)–(A) the notions of diagnosability with a state space approach in Zad et al. (2003), detectability e.g. (Shu, Lin, & Ying, 2007) and efficient algorithms for the computation of indistinguishable states in e.g. (Wang, Lafortune, & Lin, 2007); within (S)–(D)–(A) the concept of states disambiguation in e.g. (Rudie, Lafortune, & Lin, 2003) and the notion of critical observability in Di Benedetto et al. (2008) and in the present paper. Many papers mentioned above consider deterministic FSMs with partially observable transitions while in our paper we consider nondeterministic FSMs with observable transitions. Connections with the concept of states disambiguation in e.g. (Rudie et al., 2003) which is in (S)–(D)– (A) as our paper, follow. The work (Rudie et al., 2003) uses states disambiguation as a mean to address communication problems without the need to consider communication and coobservability issues together. States disambiguation deals with studying conditions under which any pair of states of a DES can be distinguished on the basis of the traces associated to state runs of the DES and ending in the two states. It is readily seen that an FSM where all states are disambiguated is also critically observable, while the converse implication is not true in general. Apart from technical differences between the concepts of states disambiguation and critical observability, the present paper approaches the efficient design of decentralized critical observers by extending techniques based on formal methods, a new approach that was not explored before in the literature with the only exception of Zad et al. (2003). However, while Zad et al. (2003) use bisimulation-based reduction for checking diagnosability of single FSM, our approach proposes bisimulation-based reduction for analyzing critical observability of networks of FSMs. In future work we plan to extend the formal methods techniques proposed in this paper, from decentralized critical observability to co-diagnosability. Acknowledgment We wish to thank Sina Lessanibahri for participating in fruitful discussions at the beginning of this project. References Cassandras, C. G., & Lafortune, S. (1999). Introduction to discrete event systems. Kluwer Academic Publishers. Contant, O., Lafortune, S., & Teneketzis, D. (2006). Diagnosability of discrete event systems with modular structure. Discrete Event Dynamic Systems, 16, 9–37. Courcoubetis, C., Vardi, M., Wolper, P., & Yannakakis, M. (1992). Memory-efficient algorithms for the verification of temporal properties. Formal Methods in System Design, 1(2–3), 275–288. Debouk, R., Malik, R., & Brandin, B. (2002). A modular architecture for diagnosis of discrete event systems. In Proceedings of the 41th conference on decision and control, Las Vegas, Nevada, USA (pp. 417–422). De Santis, E., Di Benedetto, M. D., Di Gennaro, S., D’Innocenzo, A., & Pola, G. (2005). Lecture notes on control and information sciences. Critical observability of a class of hybrid systems and application to air traffic management. Springer Verlag, (Book Chapter). Di Benedetto, M. D., Di Gennaro, S., & D’Innocenzo, A. (2008). Discrete state observability of hybrid systems. International Journal of Robust and Nonlinear Control, Special Issue on Observability and Observer Design for Hybrid Systems, 19(14), 1564–1580. Lin, F., & Wonham, W. (1988). On observability of discrete-event systems. Information Sciences, 44, 173–198. MAREA, (2011). Mathematical Approach Towards Resilience Engineering in ATM. Technical Tender Public version. http://complexworld.eu/wiki/MAREA. Milner, R. (1989). Communication and concurrency. Prentice Hall. Paige, R., & Tarjan, R. (1987). Three partition refinement algorithms. SIAM Journal on Computing, 16(6), 987–989.
181
Park, D. M. R. (1981). Lecture notes in computer science: vol. 104. Concurrency and automata on infinite sequences (pp. 167–183). Springer-Verlag. Pezzuti, D. (2015). Formal Methods for complexity reduction in the analysis of safety critical systems. Ph.D. thesis. University of L’Aquila (Italy). Pola, G., Pezzuti, D., De Santis, E., & Di Benedetto, M. D. (2017). Decentralized Critical observers of networks of finite state machines and model reduction, Available at arXiv:1412.1784v2 [math.OC]. Rudie, K., Lafortune, S., & Lin, F. (2003). Minimal communication in a distributed discrete-event system. IEEE Transactions on Automatic Control, 48, 957–975. Rudie, K., & Wonham, W. (1989). Think globally, act locally: decentralized supervisor control. IEEE Transactions on Automatic Control, 37(11), 1692–1708. Sampath, M., Sengupta, R., Lafortune, S., Sinnamohideen, K., & Teneketzis, D. (1995). Diagnosability of discrete-event systems. IEEE Transactions on Automatic Control, 40(9), 1555–1575. Schmidt, K. W. (2013). Verification of modular diagnosability with local specifications for discrete-event systems. IEEE Transactions on Systems, Man and Cybernetics, 43(5), 1130–1140. Shu, S., Lin, F., & Ying, H. (2007). Detectability of discrete event systems. IEEE Transactions on Automatic Control, 52(12), 2356–2359. Su, R., & Wonham, W. M. (2005). Global and local consistencies in distributed fault diagnosis for discrete-event systems. IEEE Transactions on Automatic Control, 50(12), 1923–1935. Tripakis, S., & Altisen, K. (1999). On-the-fly controller synthesis for discrete and dense-time systems. In Lecture notes in computer science: vol. 1708. World congress on formal methods in the development of computing systems (pp. 233– 252). Berlin: Springer Verlag. Wang, W., Girard, A. R., Lafortune, S., & Lin, F. (2011). On codiagnosability and coobservability with dynamic observations. IEEE Transactions on Automatic Control, 56(7), 1551–1566. Wang, W., Lafortune, S., Girard, A. R., & Lin, F. (2010). Optimal sensor activation for diagnosing discrete event systems. Automatica, 46, 1165–1175. Wang, W., Lafortune, S., & Lin, F. (2007). An algorithm for calculating indistinguishable states and clusters in finite-state automata with partially observable transitions. Systems & Control Letters, 56, 656–661. Wang, W., Lafortune, S., Lin, F., & Girard, A. R. (2010). Minimization of dynamic sensor activation in discrete event systems for the purpose of control. IEEE Transactions on Automatic Control, 55, 2447–2461. Zad, S. H., Kwong, R. H., & Wonham, W. M. (2003). Fault diagnosis in discreteevent systems: framework and model reduction. IEEE Transactions on Automatic Control, 48(7), 51–65. Zhou, C., Kumar, R., & Sreenivas, R. S. (2008). Decentralized modular diagnosis of concurrent discrete event systems. In Proceedings of the 9th international workshop on discrete event systems, Gteborg, Sweden (pp. 28–30).
Giordano Pola received the ‘‘Laurea Degree’’ in Electrical Engineering in July 2000 and the Ph.D. degree in Electrical Engineering and Computer Science in June 2004, from the University of L’Aquila, Italy. He was Visiting Scholar at the University of Cambridge, UK in 2002 and 2003 and Assistant Researcher in 2003 and Research Fellow in 2004 at the University of Twente, The Netherlands. From April 2005 to September 2006 he was a Postdoctoral Researcher at the University of L’Aquila, Italy and from October 2006 to December 2007 a Postdoctoral Researcher at the University of California at Los Angeles, USA. Since 2008, he has been Assistant Professor at the University of L’Aquila, Italy. He has published over 70 research papers in archival journals, books and refereed conference proceedings. In 2012 he was plenary speaker at the First International Conference on Systems and Computer Science. His research interests include modeling, analysis and control of hybrid, embedded, networked and distributed systems.
Elena De Santis received the degree in Electrical Engineering (cum laude) from the University of L’Aquila, L’Aquila, Italy, in 1983. From 1987 to 1998, she was an Assistant Professor with the University of L’Aquila. Since 1998 she has been teaching Optimal Control in the same University, as Associate Professor. Elena De Santis has published papers in archival journals, conferences proceedings, and book series in analysis control and optimization of constrained and uncertain dynamic systems, dynamic-model management for decision support systems, positive systems, dynamic games, hybrid and switching systems. Ms. De Santis received the Outstanding Reviewer Honorable Mention from the editorial board of IEEE Trans. on Automatic Control for 2004 and 2013. She is a member of the Executive Committee of the Center of Excellence DEWS (Architectures and design methodologies for embedded controllers, wireless interconnected and system-onchip) of the University of L’Aquila, Member of IEEE since 1999 she has been elected
182
G. Pola et al. / Automatica 86 (2017) 174–182
at the grade of Senior Member, in 2006. She is member of IFAC Technical Committee TC 1.3 on Discrete Event and Hybrid Systems. She has been the chair and/or organizer of a number of sessions and member of the program committee in the main international conferences. She is member of the Editorial Board of European Journal of Control.
Maria Domenica Di Benedetto has been Professor of Control Theory at University of l’Aquila since 1994. From 1995 to 2002, she was Adjunct Professor at the Department of EECS, University of California at Berkeley. In 1987, she was Visiting Scientist al MIT; in 1988, 1989 and 1992 Visiting Professor at the University of Michigan, Ann Arbor; in 1992 Chercheur Associé, C.N.R.S., Poste Rouge, Ecole Nationale Supérieure de Mécanique, Nantes, France; from 1990 to 1995 McKay Professor at the University of California Berkeley. Since 2002, she has been IEEE Fellow. From 2007 to 2010, she was member of the IEEE Control Systems Technical Fields Award Committee, IEEE Control Systems Society. From 2003 to 2007 she was Chair of the Standing Committee on Fellow Nominations, IEEE Control Systems Society. From 1995 to 1999, she was Associate Editor of the IEEE Transactions of Automatic Control. From 2006 to 2009, she was Associate Editor at Large of the IEEE Transactions on Automatic Control. Since 1995 she has been Subject Editor of the International Journal of Robust and Nonlinear Control. Since
2015 she has been a member of the Editorial Board of Annual Reviews in Control. Since 2016 she has been member of the Editorial Board of Nonlinear Analysis Hybrid Systems. She is the Director of the Center of Excellence for Research DEWS ‘‘Architectures and Design methodologies for Embedded controllers, Wireless interconnect and System-on-Chip’’. She has been President of the European Embedded Control Institute since 2009. She has been Member of the International Advisory Board for LCCC—Lund Center for Control of Complex engineering systems since 2010. She was Member of the scientific review panel (ICT panel) for the Swedish Research Council in 2012 and 2014. Since 2013 she has been President of the Italian Association of Researchers in Automatic Control (SIDRA). Her research interests are in the area of nonlinear, hybrid and networked systems, and applications to energy and traffic control.
Davide Pezzuti received his Master’s Degree and P.h.D. in Automation Engineering from the University of L’Aquila (Italy) in 2011 and 2015, respectively. His research is focused on Analysis and Control of Networked Complex Large-scale Systems, with emphasis on Discrete Event Systems.