- Email: [email protected]
Diagnosis of modular discrete event systems1
Copyright © IFAC Discrete Event Sys tems. Reims. France, 2004
ELSEVIER
IFAC PUBLICATIONS
www.el sevier.comllocatelifac
DIAGNOSIS OF MODULAR DISCRETE EVENT SYSTEMS 1 Olivier Contant Stephane Lafortune Demosthenis Teneketzis
Department of EEGS. The University of Michigan 1301 Beal Avenue; Ann Arbor, MI48109-2122 USA {olivier, stephane. teneket}@eecs.umich.edu http://www.eecs.umich. edu/ umdes/
Abstract: The diagnosis of unobservable fault events in disc rete event systems modeled in a modular manner by means of parallel composition is considered. The notion of modular diagnosability is introduced for these systems. l'\ecessary and sufficient conditions for this new notion of diagnosability are given. A new a lgorithm fo r ve rifying mod ular diagnosability is presented. The main feature of this algorithm is the exploitation of the modular structure of the system in order to save on computational efforts. Copyright © 2004 IFAC Keywords: Discrete-event systems , Distributed models, Fault d iagnosis , Failure detection, Observers, Detection algorithms.
al., 2002: Su et al. , 2002; Debouk et al., 2002: Genc and Lafortune, 2003) where the modu lar structure of the underlying system is exploited by the respective monitoring or diagnosti c protocols. Th is paper has a similar objective, although the approach adopted is different from those in the aboye references.
1. I.\"TROD lJCTIO.\" l'-.Ionitoring and diagnosis methodologies that are based upon discrete-event models of dynamic systems have proved successful in many application areas including document processing systems. heat ing, vent ilat ion , and ai r-conditioning systems. intelligent transportation systems , chemical process controL and telecommunication netKorks. ~Iost of the disc rete-event fault diagnosis methodologies that have been studied in the literature require a "monolithic" model of the system under consideration for diagnosability analysis and / or const ruction of the diagnostic protocol: see (Lafortune et al., 2001 ) and the references therein. :\'otable exceptions include the approaches de\'eloped in (Holloway and Chand, 1994: Ricker and Fabre. 2000: Fabre et al.. 2002 Garcia et
\Ve consider systems that are modeled by the parallel composition of a set of automata. Each individual automaton models a component or subsystem of the overall system. The coupling of these system components is captured by t he use of common events. \Ye are concerned Kith systems where the construction of the complete system model (namely, the monolithic model obtained by performing the parallel composition of the set of individual automata) is computationally difficult or intractable, making the use of fault diagnosis methodologies such as the "Diagnoser Approach" initiated in (Sampath et al., 1§95) impractical. Therefore , it is necessary to develop modular approaches that are computationally tractable for
: This research is supported in part by ~SF grants ECS0080406. CCR-00S2784 . and CCR-03255Tl , and by a grant from t he Xerox 'Cn iversity .'I.ffairs Committee. l..'seful discUS$ions w ith R. Debouk a re gratefully acknowledged.
327
analyzing the diagnosability properties of the system and for synthesizing appropriate diagnostic protocols. By "mod ular approaches" we mean approaches that exploit the structure of the system as captured by the individual automata and their respective sets of common events.
Due to space limitations, it has been necessary to assume that the reader is familiar with basic notions 2 in languages and automata theory and with the notation and main concepts of the Diag" noser Approach of (Sampath et ai. , 1995), such as diagnosers, certain and uncertain states, and indeterminate cycles. \Ve add the following definitions regarding notation. The notation L = L/UL" indicates that the event set L is the disjoint union of L' and L", i.e. , L' = L \ LIl Let R C T. The event set LR is partitioned as LR = Lc.'vfR ULPVR' where LC MR = LR n [Uz ET\ RLz J represents the set of common events in C R and where LPVR represents the set of private events in CR. \;v"e define LCM = UiETLCM, the set of all common events. \Ve use the notation LCMoR = LCM Rn LOR to represent the set of common and observable events. The notation CoAc( Cs) represents the automaton obtained from Cs by retaining only those states x of Cs that are coaccessi ble, namely, that can reach a (marked ) state in X s=· This notation will often be specialized to C oAc( Cs, A1x) where Mx will be a particular label associated with the marked states of Cs In this case, CoAc(C s , Mr) will be the coaccessible part of Cs with respect to the marked states of Cs that are labeled with .Mx .
The first contribution of this paper is to present a ne"" notion of diagnosability that is explicitly geared towards systems with modular representations. Necessary and sufficient conditions for modular diagnosability are presented and discussed. The second contribution of this paper is the development in Section 4 of a novel algorithm for verifying modular diagnosability. Due to space limitations, all proofs and several discussions have been omitted; for a complete exposition of this work, the reader is referred to (Contant et al., 2004). 2. SYSTEIl,l MODEL
Let I be the total number of components or subsystems in the given modular system under consideration. Let T = {I, ... , I} and S t;:; T. Elements i of T are often termed "sites" hereafter. \Ne use the notation
lt will be necessary in many instances to explicitly
identify t he event set associated with an automaton. By default. the event set LS associated with automaton Cs will be LS := {a E s: s E L(C s )}, namely, all the events that appear in all the traces in L (Cs). In special cases it is required to define a larger set of events associated \vith Cs than the default one. In this regard, the notation (Cs, L) \vill denote the automaton Cs together with the event set L such that L ~ LS· For example , (C i , LS) implies that the original event set Li of C i is nov.- augmented by the set LS \ L i · \Vhile (C i , LS) has the same language properties as (C i , Ld, it has different behavior when performing parallel composition (or. more generally, any operation using sets of events) with other modules as it v.-ill prevent the occurrence of events in LS \ Li'
to denote the automaton v.-ith state space Xs, set of events LS, (partial) transition function Os. initial state xSo ' and set of marked states X s =. When S = T, Cs denotes the global (or complete) system model. V/hen S = {i}, with i E T, Cs denotes individual component model i. \;V"hen S c T, S =I {i}, i E T , Cs denotes the partial system model comprised of the individual automata in the set S, \\'hich we will call the "system Cs" hereafter. In all of the above cases, system Cs accounts for the normal and failed behavior of the components in S. Cs = i zES C z is obtained by composing the individual automata C z. z E S, using the parallel composition operation. The behavior of the system Cs is descri bed by the prefix-closed language L (C 5) generated by Cs· L (C 5) is assumed to be live. This means that there is a transition defined at each state x in Xs· The liveness assumption on L (C s ) is made for the sake of simplicity. With slight modifications, all the main results of this paper hold true when the liveness assumption is relaxed. Some of the events in LS are observable , i.e. , their occurrence can be obsen'ed by sensors. while the rest are unobservable. \Ve use the notation Los and Luos to represent the set of obsen"able and unobservable events of Cs. respectively. \\'here Los = 2:5 \ Luos' Let LIs denote the set of fault events in the system Cs. Without loss of generality. v.-e assume that LIs t;:; Luos' since an observable fault event can be diagnosed trivially.
We define
to be the observer of Cs with respect to the set of observable events L'i/ s n Los, where L'Sbs C L:Z ETL z . (See (Cassandras and Lafortune , 1999) for the complete definition of an observer.) For example. Obs (C" LCk!,) , I =I i, is the obserwr of C i with respect to LC.H, :': L o " the observable events of C i that are common with those of Cl·
2
328
See, e.g. , Chapter 2 of (Cassandras and Lafortune, 1999).
Let L: x and L:y be any sets of events. We define t\\,O projection operators relative to these sets, Pp: x ,Ly} for the usual natural projection and R {LX .Ly} for the so-called "reverse" projection. Specifically, the natural projection P{LX ,Ly} L: ----> L: is defined in the usual manner:
y
x
P{LX,Ly}(E): = P{LX,Ly} (0')
(3)
E
O' if := { E if
0' 0'
E L: y
rt
(4)
L: y
To draw comparisons between our modular diagnosability algorithm , presented in Section 4. and any other potential approach , we give necessary and sufficient conditions for modular diagnosability based on monolit hic const ructions of the system model and diagnoser for a given set 5 of system components. C ds and Cs denote , respectively, the d iagnoser of Cs and the nondeterministic automaton built from Cs by eliminating unobservable events; both are defined in (Sampath et al., 1995 ).
P{LX.Ly }( SO' ): = P{LXL y}(S) P{LX, Ly}( O' ) for
5
E L:
x,
0'
E L: x
.
Definition 2. FM' -indeterminate cycle A set of F-uncertain states ql , q2, ··· , qn E Qds is said to form an FM' -indeterminate cycle in C ds
(5)
In contrast , the reverse projection R {LX .Ly} is ap plied to traces of events from L: and produces "inverse" traces from L: y as is usuall y done in inverse projection operations. ;\!lore precisely, R {Lx .Ly} : L: ----> 2Ly is defined as follows:
x
if t he following condition C l is satisfied.
Cl ) States ql. q2,"" qn E Qd s form a cycle in Cds with Ods(qu, O'u ) = qu+l, U = 1.. ,n - l, Ods (qn, O'n) = ql where O'u E Los' U = 1, ... , n and '31 E {1, .. . , n} s .t . 0'/ E L o , . ConSidering the states ql, q2 ,···, qn E Q ds ' '3 (x~ , £~), (y~, £~) E qu , U = 1, ... , n, k = 1, ... , m, and r = 1, ... , m' such that:
x
The natural and reverse projections can also be defined with respect to a particular language L. For L <;:; Ey ,
(i) [( F E e~) 1\ (F ~ £~) ], for all u, k, and r, where F represents the label associated with the fault event f ELf" i E 5 , (ii) the sequences of states {x~} , U = 1, .... n. k = 1, ... ,m, and {y~}, u = 1, .... n, r = 1, ... , m', form cycles in Cs with (x~, O'u , !) ) E oC s' U= 1. .... 1. k = 1. ... , m, k k+!) s: k 1 ( m ( Xn , O'n'X Eucs' = , ... , m- 1,Xn.O'n,
and
xtu . .
n-
1
\Ve conclude this section by stating a key assumption that will be required for the results presented in the remainder of the paper: all common events are observable, i.e .. 'di E T. L:C fl,[, <;:; L: o, · This implies that all faults are private events (since they are unobservable) .
We define the no tion of modular diagnosability as follows.
Definition 1. lVl o dula r Diagno sab ility Let T = {1. .. I}. 5 <;:; T, C s = Il zEs C z , and 5- <;:; 5. The language [ (Cs ) is modularly diagnosable \I·.rt (Eo, : Z E 5 ) and (Lf, : Z E 5 - ) if I:!i E 5 - . 'df EL f" 'ds E [ (Cs) S.t. 5 ends with f, =n E ~ S.t 'rft E [ (Cs )/ s, il P{LS.'L. o,} (t) :, ?: n =? D (st) = 1. The diagnosability condition funct ion D is given by
D (st)
=
{
f
o
:".;
E
E
{"...... 0$ ,L.J$ \"'} 'p l {'L.s .LoS \) ( st )..
R C(cs )
..v',
E
R emark 3. The sY'mbol ":\1;", in the notation "FM' -indeterminate cycle". stands for "Ylodule C;". p'vr' -indeterminate cycles differ slightly from the F-indeterm inate cycles introduced in (Sampath et al.. 1995) in two respects . First. we require that there exists at least one observable event from module C i in the cycle of states ql , q2 ,", qn E Qd s cf. " 31 E {l.. . . , n} S.t. 0' / E L o ," in Condition Cl. Second, we require that the label F in hypothesis (i) of Condition Cl represe nts the label associated with the fault event fEE f,' i.e .. the fault event f originates from module C i ·
3. l\IODCLAR DIAGNOSABILITY
1 1'f
oC s'
and (Y~'O'U,Y(u+l ) ) E oCs'u 1, ... , n - 1, r = l. ... , m' , (Y;:;, ' O'n.Y~+l ) E oC s' r = 1, ... ,m' - 1, (y~',O'n,Yn E oC s'
xl)
Theorem 4. Consider the language [ (Cs ) generated by automaton Cs = IlzES C z · [ (Cs ) is modularly diagnosable w.r.t. (Eo, Z E 5) and (Ef, : i E 5 ). iff the re are no F AI' -indeterminate cycles in the diagnoser Cd s'
=?
The main difference between the modular and the monolithic (in the sense of (Sampath et al., 1995) ) definitions of diagnosability concerns the type of
(9)
otherwise.
329
traces that need to be considered. YIodular diagnosability focuses only on traces where events from module C t , which is the modu le where the fau lt originates, occur with some regu larity. Consequently, the notion of modular diagnosability is weaker than the notion of monolithic diagnosability since more languages will satisfy this definition than the monolithic one.
2. ) Let ND == T \ D , where D == {z £ (G z ) is monolithically diagnosable w .r.t . L o . and LjJ. Call Preliminary Funct ion . For each local diagnoser G d" i E .iI;' D, and for each sequence of traces SEQx, x E {1, .. . , Xi}, perform the Steps 2-a to 2-d: 2-a. ) j\'lark with the label Alx , x E {I , ... , X;} , i END , the states q E QX in G d , . The label .Mx stands for "State of G d , part of the indeterminate cycle associated with SEQx ".
Our primary motivation for defining modular diagnosability is to ensure that after a fault occurs in one of the system modules, detection and isolation of that fault is only required for continuations that involve events from the given module. It is reminiscent of the familiar "persistency of excitation" condition in system identification. In other words, continuations that entirely exclude the module where the fault originates from cannot lead to a violation of modular diagnosability. (Recall that the approach that we propose assumes that faults do not bring the system, or any of its modules, to a halt. )
2-b .) Construct (10)
A state of GCM i is marked with label !'vlx if one or more of its state components are marked with
.'I1x. 2-c. ) Const ruct
The resu lting event set of machine G [CM is denoted by L[CAf x ' Enlarge the set of events L[C,H by adding LCM, \ L[C M to it . T he machine G[CM and its newly associated event set LCM, are hereafter represented by the notation (G IC M I
4 . TEST FOR MODULAR
DIAG~OSABIL I TY
I
I
'We propose a novel approach that tests modular diagnosability by incorporating incrementally, in a systematic manner, subsystems into the test. ' Ne prove that our approach provides the correct answer to the question "Is £(C T ) modularly diagnosable '\i.r .t. (L o, : z E T ) and (LI, : z ET )?" in a finite number of steps. 'We proceed as follows . In Section 4.1 we present the algorithm: in Section 4.2 we state its properties: in Sections 4.3 and 4.4 we present a discussion of the key steps of the algorithm and online diagnosis. respectively.
I
I
,
LCM,)· 2-d. ) Call R eachability Funct ion with argument {i, SEQx,G ICMI , LI CM LCM,}' If the Reachability Function returns "Reachable" then stop and declare £ ( G T ) not modularly diagnosable W.r.t (L o, : Z E T ) and (Lj, : z ET ). I
,
3) Stop and declare £ (GT ) modularly diagnosable w.rt (Lo, : z E T ) and (Lj, : Z E T). 0
Algorithm 2. - P re liminary Function
4.1 Modular Diagnosability Algorithm
1. ) For each i END. do the following: i.) Call E I C:. Z E {1, .. . , Z} , t he elementary 3 indeterminate cycles in Gd. and t~ . Y E {1 , .... Y:}. their corresponding sequences of events. where Z represents the total number of elementary indeterminate cycles in diagnoser Gd" i E X D , and Yz represents the total number of sequences of events that satisfy t he indete rmina te cycle definition for the particular EIC z
We present the detailed statement of our :'Iodular D iagnosability Algorithm (MDA). For the sake of clarity, :'IDA is broken into three algorithms. Algorithm 1 is the core of :'-.IDA: it calls Algorithm 2 to perform preliminary steps invoh'i ng indeterm inate cycles that could lead to a yiolation of modular diagnosability. Algorithm 1 also calls Algorithm 3 ,vhere t he incremental analysis of each indeterminate cycle is performed .
ii .) !':umber and name SEQ1. SEQ2,·· ., SEQx, all sequences of events t~ , y = 1, ... , Yz and Z = 1. .... Z. To each SEQx . x E {L. .. , X i}, associate its corresponding Fm-indeterminate cycle. m E {1. .....H}. its corresponding sequence of states QX = q1 ... qx and its corresponding sequence of events t~ , Z E { 1, ... , Z} , Y E {1.. .. Y z }. that form t he cycle.
Algorithm 1. MD A 1. ) Let T = {1, ... , I}. Construct the local diagnosers Cd" i E T, and search for indeterminate c,·cles. If. 'c/i E T. £ (C ;) is monolithically diagn'osable w.rt. Lo, and L I.' i.e .. none of the local diagnosers Cd, have F -indeterminate cycles. then stop and declare £ (GT ) modularly diagnosable , u t (L o, : z E T ) and (Lj, z ET). Else. go to Step 2.
I
,
A cycle is called elementary if no state appears more t han once in it.
3
330
Il) Return to MDA with SEQx and QX, Vx E {1, . . . ,Xi}, Vi END. 0
Algorithm 3. - Reachability Function {i , SEQx , G ICM r , L.[CAf r' L.c.\1J A.) Let c: = 1, B~ = {i}, Se = BZ, and SX
= P{Lo,.LCMo}(S EQ x)
(12)
Letc: = c+1 ,
BZ =
{I: [L.G.\f / n L.[C .'vf r
=1=
0 V (l E B~_l )], lE T} ,( 13)
and (14)
B. ) Construct Gmod~
= (G[CM
r ,
L.C:H.l
!I
(1II EB~.I#i G c .'vf/)·( 15)
If there does not exist in Gmod~ a cycle of states labeled Mx the n ret urn to MDA; otherwise denote by si , s~, ... , sJ, the sequences of events that desc ri be such (elementary) cycles and go to step C. C. ) 'lip E {1, .. , P} , let
(16) If ::Jp E {1, ... , P } such t hat SX = s~ or if :Js 'X , s"x. and p E {I , ... , P} such that SX = S'XS"X and s"x SiX = s~. then go to Step D; otherwise return to !\1DA.
D .) Const ruct (17)
Let ~e be the event set of E. ) Let c :=
B cX =
C
Gc.
+ 1 and _
{I: [O:::c.\,[/ 'l L.c- l
=1=
0) V (I E B~_ l )],1 E T}. (18 )
Define (19)
4.3 Discussion To give more insight into MDA, we discuss the key steps of its operation. The procedure starts by building local diagnosers for each module of the system an d checking if they are monolithically diagnosable or not. Clearly, if each individual module is (monolit hically/modularly ) diagnosable , then the complete system is both monolithically and modularly diagnosable. Therefore, \\ie need only focus on the modules that are no t diagnosable in order to fi nd out if a corresponding violation of modular diagnosability occurs or not when the given module is coupled with the rest of the system. To do so, we concentrate on the traces that form indeterminate cycles in local diagnosers. \Ve need to test these traces one by one and determine if t hey survive in t he diagnoser of the complete system , withou t constructing this monolithic diagnoser. The testing procedure starts by select ing one indeterminate cycle in a given (non-diagnosable) local diagnoser and isolating all the so-called "troublesome traces" , namely, the traces that lead to and form in det erminate cycles in local diagnosers; there could be more t han one troublesome trace depending on the accessibility of the indeterminate cycle in the transition structure of the local diagnoser. For each trou blesome trace, we select all other modules that contain an event common with the ones in the troublesome t race. build machines (observers for common events - cf. Step 2-b of Algorithm 1) for each module selected . perform the parallel composition of these machines , and finally check if the indeterminate cycle under consideration survives (cf. Step B of Algorithm 3). If it does not survive at this stage then it will not survive if we were to construct the mon
If Se =1= 0 then go to step B : otherwise declare the indeterminate cycle associated v,ith SEQx "Reachable" and return to MDA . 0
42 Properties of MDA Theorem 5. ~I DA returns an answer in a finite number of steps. Theorem 6. MDA returns the correct answe r , namely, ""'hether l (GT ) is or is not modularly diagnosable ""·. r. t. (Bo, : z E T) and (B!, : Z E T).
33 1
the machine C mod '2 and its co-accessibility properties with respect to the indeterminate cycle under consideration, as determined in St eps C and D of Algorithm 3. The main feature exploited within MDA is the incremental addition of modules by considering only those that are necessary to reach a decision on the modular diagnosability of the monolithic system. Depending on the structure of the system, MDA may consider a smaller number of modules rather than all of T when performing parallel composition operations. :-:evertheless, the worst case can possibly occur and yield I B~ I = ITI, which implies that every system module is considered in the parallel composition for obtaining C mod '2' However, it should be emphasized that the parallel compositions performed in ?\'1DA involve only machines with common events (observers) built from the individual modules. Therefore the resulting automata are likely to have a smaller state spaces than corresponding ones built using entire system modules. It should also be emphasized that in MDA, we construct diagnosers only for the individual C; modules. The process of building diagnosers may result in a large state space growth in the worst case. since subsets of states of the model under consideration must be accounted for. Therefore, it is clearly advantageous to build diagnosers for local subsystems as opposed to building the diagnoser of the monolithic system CT· The same advantage holds for online diagnosis, cf. Section 4.4. Practical experience with models of modular discrete event systems will be key to gaining insight into the potential computational advantages of I\.IDA over a monolithic approach. This is the object of current research. Finally, the whole procedure follO\ved in ~IDA not only exploits the modular structure of the given system, but also may provide insight into causes of non diagnosability and possible remedies for it through coupling of system modules with one another. Thus ?\'IDA could be a useful tool in modular system design.
4.4 Online Diagnosis \\"e can perform on line diagnosis by simply running the local diagnosers Cd" i E T , at each local site. \Vhen the system is modularly diagnosable. we know from the property of modular diagnosability that even if the local diagnoser Cd , contains an indeterminate cycle. t he local observations at site i will never stay forever in this cycle \vhen the complete system C T is functioning.
REFERE;\'CES Cassandras, C. G. and S. Lafortune (1999). Introduction to Discrete Event Systems. Kluwer Academic Publishers. Contant. 0., S. Lafortune and D. Teneketzis (2004). Diagnosis of distributed discrete event systems: Architecture and modular verification approach. Technical Report CGR 04-04. College of Engineering Control Group Reports, University of ;vIichigan. Debouk. R. , R. :vlalik and B. Brandin (2002) . A modular architecture for diagnosis of discrete event systems. In: Proc. 41st IEEE Conf. on Decision and Control. Las Vegas , :\TV, CSA. pp. 417-422. Fabre , E. , A. Benveniste and C. Jard (2002). Distributed diagnosis for large discrete event dynamic systems. In: Proc . 15th IFAC World Congress. Barcelona, Spain. Garcia, E. , F. Morant, R. Blasco-Gimnez, A. Correcher and E. Quiles (2002) . Centralized modular diagnosis and the phenomenon of coupling. In: Proc. of the 2002 International Workshop on Discrete Event Systems - WODES'02. Zaragoza, Spain. pp. 161-168. Genc, S. and S. Lafortune (2003 ). Distributed diagnosis of discrete-event systems using Petri nets. In: Proc. 2003 International Conf. on Application and Theory of Petri Nets. Eindhoven, The :\etherlands. pp. 316-336. Holloway, L. E. and S. Chand (1994). Time templates for discrete event fault monitoring in manufacturing systems. In: Proc. 1994 American Control Conference. Baltimore, MD , USA. pp. 701-706. Lafort une , S., D. Teneketzis , !'vI. Sampath. R. Sengupta and K. Sinnamohideen (200 1). Failure diagnosis of dynamic systems: An approach based on discrete event systems. In: Proc. 2001 American Control Conference. Arlington, VA, USA. pp. 2058-2071. Ricker. L. S. and E Fabre (2000). On the construction of modular observers and diagnosers for discrete event systems. In: Proc. 39th IEEE Conf. on Decision and Control Sydney, Australia. pp. 2240-2244. Sampath, :\L R. Sengupta. K. Sinnamohideen S Lafortune and D . Teneketzis (1995 ) . Diagnosability of discrete event systems. IEEE Trans. Automatic Control 40 (9). 1555-1575 . Su. R .. W. I\.I. \\"onham. J. Kurien and X. Koutsoukos (2002 ) . Distributed diagnosis for qualitative systems. In: Proc. of the 2002 International ~Vorkshop on Discrete Event Systems rVODES·02. Zaragoza, Spain. pp. 169-174.
ELSEVIER
IFAC PUBLICATIONS
www.el sevier.comllocatelifac
DIAGNOSIS OF MODULAR DISCRETE EVENT SYSTEMS 1 Olivier Contant Stephane Lafortune Demosthenis Teneketzis
Department of EEGS. The University of Michigan 1301 Beal Avenue; Ann Arbor, MI48109-2122 USA {olivier, stephane. teneket}@eecs.umich.edu http://www.eecs.umich. edu/ umdes/
Abstract: The diagnosis of unobservable fault events in disc rete event systems modeled in a modular manner by means of parallel composition is considered. The notion of modular diagnosability is introduced for these systems. l'\ecessary and sufficient conditions for this new notion of diagnosability are given. A new a lgorithm fo r ve rifying mod ular diagnosability is presented. The main feature of this algorithm is the exploitation of the modular structure of the system in order to save on computational efforts. Copyright © 2004 IFAC Keywords: Discrete-event systems , Distributed models, Fault d iagnosis , Failure detection, Observers, Detection algorithms.
al., 2002: Su et al. , 2002; Debouk et al., 2002: Genc and Lafortune, 2003) where the modu lar structure of the underlying system is exploited by the respective monitoring or diagnosti c protocols. Th is paper has a similar objective, although the approach adopted is different from those in the aboye references.
1. I.\"TROD lJCTIO.\" l'-.Ionitoring and diagnosis methodologies that are based upon discrete-event models of dynamic systems have proved successful in many application areas including document processing systems. heat ing, vent ilat ion , and ai r-conditioning systems. intelligent transportation systems , chemical process controL and telecommunication netKorks. ~Iost of the disc rete-event fault diagnosis methodologies that have been studied in the literature require a "monolithic" model of the system under consideration for diagnosability analysis and / or const ruction of the diagnostic protocol: see (Lafortune et al., 2001 ) and the references therein. :\'otable exceptions include the approaches de\'eloped in (Holloway and Chand, 1994: Ricker and Fabre. 2000: Fabre et al.. 2002 Garcia et
\Ve consider systems that are modeled by the parallel composition of a set of automata. Each individual automaton models a component or subsystem of the overall system. The coupling of these system components is captured by t he use of common events. \Ye are concerned Kith systems where the construction of the complete system model (namely, the monolithic model obtained by performing the parallel composition of the set of individual automata) is computationally difficult or intractable, making the use of fault diagnosis methodologies such as the "Diagnoser Approach" initiated in (Sampath et al., 1§95) impractical. Therefore , it is necessary to develop modular approaches that are computationally tractable for
: This research is supported in part by ~SF grants ECS0080406. CCR-00S2784 . and CCR-03255Tl , and by a grant from t he Xerox 'Cn iversity .'I.ffairs Committee. l..'seful discUS$ions w ith R. Debouk a re gratefully acknowledged.
327
analyzing the diagnosability properties of the system and for synthesizing appropriate diagnostic protocols. By "mod ular approaches" we mean approaches that exploit the structure of the system as captured by the individual automata and their respective sets of common events.
Due to space limitations, it has been necessary to assume that the reader is familiar with basic notions 2 in languages and automata theory and with the notation and main concepts of the Diag" noser Approach of (Sampath et ai. , 1995), such as diagnosers, certain and uncertain states, and indeterminate cycles. \Ve add the following definitions regarding notation. The notation L = L/UL" indicates that the event set L is the disjoint union of L' and L", i.e. , L' = L \ LIl Let R C T. The event set LR is partitioned as LR = Lc.'vfR ULPVR' where LC MR = LR n [Uz ET\ RLz J represents the set of common events in C R and where LPVR represents the set of private events in CR. \;v"e define LCM = UiETLCM, the set of all common events. \Ve use the notation LCMoR = LCM Rn LOR to represent the set of common and observable events. The notation CoAc( Cs) represents the automaton obtained from Cs by retaining only those states x of Cs that are coaccessi ble, namely, that can reach a (marked ) state in X s=· This notation will often be specialized to C oAc( Cs, A1x) where Mx will be a particular label associated with the marked states of Cs In this case, CoAc(C s , Mr) will be the coaccessible part of Cs with respect to the marked states of Cs that are labeled with .Mx .
The first contribution of this paper is to present a ne"" notion of diagnosability that is explicitly geared towards systems with modular representations. Necessary and sufficient conditions for modular diagnosability are presented and discussed. The second contribution of this paper is the development in Section 4 of a novel algorithm for verifying modular diagnosability. Due to space limitations, all proofs and several discussions have been omitted; for a complete exposition of this work, the reader is referred to (Contant et al., 2004). 2. SYSTEIl,l MODEL
Let I be the total number of components or subsystems in the given modular system under consideration. Let T = {I, ... , I} and S t;:; T. Elements i of T are often termed "sites" hereafter. \Ne use the notation
lt will be necessary in many instances to explicitly
identify t he event set associated with an automaton. By default. the event set LS associated with automaton Cs will be LS := {a E s: s E L(C s )}, namely, all the events that appear in all the traces in L (Cs). In special cases it is required to define a larger set of events associated \vith Cs than the default one. In this regard, the notation (Cs, L) \vill denote the automaton Cs together with the event set L such that L ~ LS· For example , (C i , LS) implies that the original event set Li of C i is nov.- augmented by the set LS \ L i · \Vhile (C i , LS) has the same language properties as (C i , Ld, it has different behavior when performing parallel composition (or. more generally, any operation using sets of events) with other modules as it v.-ill prevent the occurrence of events in LS \ Li'
to denote the automaton v.-ith state space Xs, set of events LS, (partial) transition function Os. initial state xSo ' and set of marked states X s =. When S = T, Cs denotes the global (or complete) system model. V/hen S = {i}, with i E T, Cs denotes individual component model i. \;V"hen S c T, S =I {i}, i E T , Cs denotes the partial system model comprised of the individual automata in the set S, \\'hich we will call the "system Cs" hereafter. In all of the above cases, system Cs accounts for the normal and failed behavior of the components in S. Cs = i zES C z is obtained by composing the individual automata C z. z E S, using the parallel composition operation. The behavior of the system Cs is descri bed by the prefix-closed language L (C 5) generated by Cs· L (C 5) is assumed to be live. This means that there is a transition defined at each state x in Xs· The liveness assumption on L (C s ) is made for the sake of simplicity. With slight modifications, all the main results of this paper hold true when the liveness assumption is relaxed. Some of the events in LS are observable , i.e. , their occurrence can be obsen'ed by sensors. while the rest are unobservable. \Ve use the notation Los and Luos to represent the set of obsen"able and unobservable events of Cs. respectively. \\'here Los = 2:5 \ Luos' Let LIs denote the set of fault events in the system Cs. Without loss of generality. v.-e assume that LIs t;:; Luos' since an observable fault event can be diagnosed trivially.
We define
to be the observer of Cs with respect to the set of observable events L'i/ s n Los, where L'Sbs C L:Z ETL z . (See (Cassandras and Lafortune , 1999) for the complete definition of an observer.) For example. Obs (C" LCk!,) , I =I i, is the obserwr of C i with respect to LC.H, :': L o " the observable events of C i that are common with those of Cl·
2
328
See, e.g. , Chapter 2 of (Cassandras and Lafortune, 1999).
Let L: x and L:y be any sets of events. We define t\\,O projection operators relative to these sets, Pp: x ,Ly} for the usual natural projection and R {LX .Ly} for the so-called "reverse" projection. Specifically, the natural projection P{LX ,Ly} L: ----> L: is defined in the usual manner:
y
x
P{LX,Ly}(E): = P{LX,Ly} (0')
(3)
E
O' if := { E if
0' 0'
E L: y
rt
(4)
L: y
To draw comparisons between our modular diagnosability algorithm , presented in Section 4. and any other potential approach , we give necessary and sufficient conditions for modular diagnosability based on monolit hic const ructions of the system model and diagnoser for a given set 5 of system components. C ds and Cs denote , respectively, the d iagnoser of Cs and the nondeterministic automaton built from Cs by eliminating unobservable events; both are defined in (Sampath et al., 1995 ).
P{LX.Ly }( SO' ): = P{LXL y}(S) P{LX, Ly}( O' ) for
5
E L:
x,
0'
E L: x
.
Definition 2. FM' -indeterminate cycle A set of F-uncertain states ql , q2, ··· , qn E Qds is said to form an FM' -indeterminate cycle in C ds
(5)
In contrast , the reverse projection R {LX .Ly} is ap plied to traces of events from L: and produces "inverse" traces from L: y as is usuall y done in inverse projection operations. ;\!lore precisely, R {Lx .Ly} : L: ----> 2Ly is defined as follows:
x
if t he following condition C l is satisfied.
Cl ) States ql. q2,"" qn E Qd s form a cycle in Cds with Ods(qu, O'u ) = qu+l, U = 1.. ,n - l, Ods (qn, O'n) = ql where O'u E Los' U = 1, ... , n and '31 E {1, .. . , n} s .t . 0'/ E L o , . ConSidering the states ql, q2 ,···, qn E Q ds ' '3 (x~ , £~), (y~, £~) E qu , U = 1, ... , n, k = 1, ... , m, and r = 1, ... , m' such that:
x
The natural and reverse projections can also be defined with respect to a particular language L. For L <;:; Ey ,
(i) [( F E e~) 1\ (F ~ £~) ], for all u, k, and r, where F represents the label associated with the fault event f ELf" i E 5 , (ii) the sequences of states {x~} , U = 1, .... n. k = 1, ... ,m, and {y~}, u = 1, .... n, r = 1, ... , m', form cycles in Cs with (x~, O'u , !) ) E oC s' U= 1. .... 1. k = 1. ... , m, k k+!) s: k 1 ( m ( Xn , O'n'X Eucs' = , ... , m- 1,Xn.O'n,
and
xtu . .
n-
1
\Ve conclude this section by stating a key assumption that will be required for the results presented in the remainder of the paper: all common events are observable, i.e .. 'di E T. L:C fl,[, <;:; L: o, · This implies that all faults are private events (since they are unobservable) .
We define the no tion of modular diagnosability as follows.
Definition 1. lVl o dula r Diagno sab ility Let T = {1. .. I}. 5 <;:; T, C s = Il zEs C z , and 5- <;:; 5. The language [ (Cs ) is modularly diagnosable \I·.rt (Eo, : Z E 5 ) and (Lf, : Z E 5 - ) if I:!i E 5 - . 'df EL f" 'ds E [ (Cs) S.t. 5 ends with f, =n E ~ S.t 'rft E [ (Cs )/ s, il P{LS.'L. o,} (t) :, ?: n =? D (st) = 1. The diagnosability condition funct ion D is given by
D (st)
=
{
f
o
:".;
E
E
{"...... 0$ ,L.J$ \"'} 'p l {'L.s .LoS \) ( st )..
R C(cs )
..v',
E
R emark 3. The sY'mbol ":\1;", in the notation "FM' -indeterminate cycle". stands for "Ylodule C;". p'vr' -indeterminate cycles differ slightly from the F-indeterm inate cycles introduced in (Sampath et al.. 1995) in two respects . First. we require that there exists at least one observable event from module C i in the cycle of states ql , q2 ,", qn E Qd s cf. " 31 E {l.. . . , n} S.t. 0' / E L o ," in Condition Cl. Second, we require that the label F in hypothesis (i) of Condition Cl represe nts the label associated with the fault event fEE f,' i.e .. the fault event f originates from module C i ·
3. l\IODCLAR DIAGNOSABILITY
1 1'f
oC s'
and (Y~'O'U,Y(u+l ) ) E oCs'u 1, ... , n - 1, r = l. ... , m' , (Y;:;, ' O'n.Y~+l ) E oC s' r = 1, ... ,m' - 1, (y~',O'n,Yn E oC s'
xl)
Theorem 4. Consider the language [ (Cs ) generated by automaton Cs = IlzES C z · [ (Cs ) is modularly diagnosable w.r.t. (Eo, Z E 5) and (Ef, : i E 5 ). iff the re are no F AI' -indeterminate cycles in the diagnoser Cd s'
=?
The main difference between the modular and the monolithic (in the sense of (Sampath et al., 1995) ) definitions of diagnosability concerns the type of
(9)
otherwise.
329
traces that need to be considered. YIodular diagnosability focuses only on traces where events from module C t , which is the modu le where the fau lt originates, occur with some regu larity. Consequently, the notion of modular diagnosability is weaker than the notion of monolithic diagnosability since more languages will satisfy this definition than the monolithic one.
2. ) Let ND == T \ D , where D == {z £ (G z ) is monolithically diagnosable w .r.t . L o . and LjJ. Call Preliminary Funct ion . For each local diagnoser G d" i E .iI;' D, and for each sequence of traces SEQx, x E {1, .. . , Xi}, perform the Steps 2-a to 2-d: 2-a. ) j\'lark with the label Alx , x E {I , ... , X;} , i END , the states q E QX in G d , . The label .Mx stands for "State of G d , part of the indeterminate cycle associated with SEQx ".
Our primary motivation for defining modular diagnosability is to ensure that after a fault occurs in one of the system modules, detection and isolation of that fault is only required for continuations that involve events from the given module. It is reminiscent of the familiar "persistency of excitation" condition in system identification. In other words, continuations that entirely exclude the module where the fault originates from cannot lead to a violation of modular diagnosability. (Recall that the approach that we propose assumes that faults do not bring the system, or any of its modules, to a halt. )
2-b .) Construct (10)
A state of GCM i is marked with label !'vlx if one or more of its state components are marked with
.'I1x. 2-c. ) Const ruct
The resu lting event set of machine G [CM is denoted by L[CAf x ' Enlarge the set of events L[C,H by adding LCM, \ L[C M to it . T he machine G[CM and its newly associated event set LCM, are hereafter represented by the notation (G IC M I
4 . TEST FOR MODULAR
DIAG~OSABIL I TY
I
I
'We propose a novel approach that tests modular diagnosability by incorporating incrementally, in a systematic manner, subsystems into the test. ' Ne prove that our approach provides the correct answer to the question "Is £(C T ) modularly diagnosable '\i.r .t. (L o, : z E T ) and (LI, : z ET )?" in a finite number of steps. 'We proceed as follows . In Section 4.1 we present the algorithm: in Section 4.2 we state its properties: in Sections 4.3 and 4.4 we present a discussion of the key steps of the algorithm and online diagnosis. respectively.
I
I
,
LCM,)· 2-d. ) Call R eachability Funct ion with argument {i, SEQx,G ICMI , LI CM LCM,}' If the Reachability Function returns "Reachable" then stop and declare £ ( G T ) not modularly diagnosable W.r.t (L o, : Z E T ) and (Lj, : z ET ). I
,
3) Stop and declare £ (GT ) modularly diagnosable w.rt (Lo, : z E T ) and (Lj, : Z E T). 0
Algorithm 2. - P re liminary Function
4.1 Modular Diagnosability Algorithm
1. ) For each i END. do the following: i.) Call E I C:. Z E {1, .. . , Z} , t he elementary 3 indeterminate cycles in Gd. and t~ . Y E {1 , .... Y:}. their corresponding sequences of events. where Z represents the total number of elementary indeterminate cycles in diagnoser Gd" i E X D , and Yz represents the total number of sequences of events that satisfy t he indete rmina te cycle definition for the particular EIC z
We present the detailed statement of our :'Iodular D iagnosability Algorithm (MDA). For the sake of clarity, :'IDA is broken into three algorithms. Algorithm 1 is the core of :'-.IDA: it calls Algorithm 2 to perform preliminary steps invoh'i ng indeterm inate cycles that could lead to a yiolation of modular diagnosability. Algorithm 1 also calls Algorithm 3 ,vhere t he incremental analysis of each indeterminate cycle is performed .
ii .) !':umber and name SEQ1. SEQ2,·· ., SEQx, all sequences of events t~ , y = 1, ... , Yz and Z = 1. .... Z. To each SEQx . x E {L. .. , X i}, associate its corresponding Fm-indeterminate cycle. m E {1. .....H}. its corresponding sequence of states QX = q1 ... qx and its corresponding sequence of events t~ , Z E { 1, ... , Z} , Y E {1.. .. Y z }. that form t he cycle.
Algorithm 1. MD A 1. ) Let T = {1, ... , I}. Construct the local diagnosers Cd" i E T, and search for indeterminate c,·cles. If. 'c/i E T. £ (C ;) is monolithically diagn'osable w.rt. Lo, and L I.' i.e .. none of the local diagnosers Cd, have F -indeterminate cycles. then stop and declare £ (GT ) modularly diagnosable , u t (L o, : z E T ) and (Lj, z ET). Else. go to Step 2.
I
,
A cycle is called elementary if no state appears more t han once in it.
3
330
Il) Return to MDA with SEQx and QX, Vx E {1, . . . ,Xi}, Vi END. 0
Algorithm 3. - Reachability Function {i , SEQx , G ICM r , L.[CAf r' L.c.\1J A.) Let c: = 1, B~ = {i}, Se = BZ, and SX
= P{Lo,.LCMo}(S EQ x)
(12)
Letc: = c+1 ,
BZ =
{I: [L.G.\f / n L.[C .'vf r
=1=
0 V (l E B~_l )], lE T} ,( 13)
and (14)
B. ) Construct Gmod~
= (G[CM
r ,
L.C:H.l
!I
(1II EB~.I#i G c .'vf/)·( 15)
If there does not exist in Gmod~ a cycle of states labeled Mx the n ret urn to MDA; otherwise denote by si , s~, ... , sJ, the sequences of events that desc ri be such (elementary) cycles and go to step C. C. ) 'lip E {1, .. , P} , let
(16) If ::Jp E {1, ... , P } such t hat SX = s~ or if :Js 'X , s"x. and p E {I , ... , P} such that SX = S'XS"X and s"x SiX = s~. then go to Step D; otherwise return to !\1DA.
D .) Const ruct (17)
Let ~e be the event set of E. ) Let c :=
B cX =
C
Gc.
+ 1 and _
{I: [O:::c.\,[/ 'l L.c- l
=1=
0) V (I E B~_ l )],1 E T}. (18 )
Define (19)
4.3 Discussion To give more insight into MDA, we discuss the key steps of its operation. The procedure starts by building local diagnosers for each module of the system an d checking if they are monolithically diagnosable or not. Clearly, if each individual module is (monolit hically/modularly ) diagnosable , then the complete system is both monolithically and modularly diagnosable. Therefore, \\ie need only focus on the modules that are no t diagnosable in order to fi nd out if a corresponding violation of modular diagnosability occurs or not when the given module is coupled with the rest of the system. To do so, we concentrate on the traces that form indeterminate cycles in local diagnosers. \Ve need to test these traces one by one and determine if t hey survive in t he diagnoser of the complete system , withou t constructing this monolithic diagnoser. The testing procedure starts by select ing one indeterminate cycle in a given (non-diagnosable) local diagnoser and isolating all the so-called "troublesome traces" , namely, the traces that lead to and form in det erminate cycles in local diagnosers; there could be more t han one troublesome trace depending on the accessibility of the indeterminate cycle in the transition structure of the local diagnoser. For each trou blesome trace, we select all other modules that contain an event common with the ones in the troublesome t race. build machines (observers for common events - cf. Step 2-b of Algorithm 1) for each module selected . perform the parallel composition of these machines , and finally check if the indeterminate cycle under consideration survives (cf. Step B of Algorithm 3). If it does not survive at this stage then it will not survive if we were to construct the mon
If Se =1= 0 then go to step B : otherwise declare the indeterminate cycle associated v,ith SEQx "Reachable" and return to MDA . 0
42 Properties of MDA Theorem 5. ~I DA returns an answer in a finite number of steps. Theorem 6. MDA returns the correct answe r , namely, ""'hether l (GT ) is or is not modularly diagnosable ""·. r. t. (Bo, : z E T) and (B!, : Z E T).
33 1
the machine C mod '2 and its co-accessibility properties with respect to the indeterminate cycle under consideration, as determined in St eps C and D of Algorithm 3. The main feature exploited within MDA is the incremental addition of modules by considering only those that are necessary to reach a decision on the modular diagnosability of the monolithic system. Depending on the structure of the system, MDA may consider a smaller number of modules rather than all of T when performing parallel composition operations. :-:evertheless, the worst case can possibly occur and yield I B~ I = ITI, which implies that every system module is considered in the parallel composition for obtaining C mod '2' However, it should be emphasized that the parallel compositions performed in ?\'1DA involve only machines with common events (observers) built from the individual modules. Therefore the resulting automata are likely to have a smaller state spaces than corresponding ones built using entire system modules. It should also be emphasized that in MDA, we construct diagnosers only for the individual C; modules. The process of building diagnosers may result in a large state space growth in the worst case. since subsets of states of the model under consideration must be accounted for. Therefore, it is clearly advantageous to build diagnosers for local subsystems as opposed to building the diagnoser of the monolithic system CT· The same advantage holds for online diagnosis, cf. Section 4.4. Practical experience with models of modular discrete event systems will be key to gaining insight into the potential computational advantages of I\.IDA over a monolithic approach. This is the object of current research. Finally, the whole procedure follO\ved in ~IDA not only exploits the modular structure of the given system, but also may provide insight into causes of non diagnosability and possible remedies for it through coupling of system modules with one another. Thus ?\'IDA could be a useful tool in modular system design.
4.4 Online Diagnosis \\"e can perform on line diagnosis by simply running the local diagnosers Cd" i E T , at each local site. \Vhen the system is modularly diagnosable. we know from the property of modular diagnosability that even if the local diagnoser Cd , contains an indeterminate cycle. t he local observations at site i will never stay forever in this cycle \vhen the complete system C T is functioning.
REFERE;\'CES Cassandras, C. G. and S. Lafortune (1999). Introduction to Discrete Event Systems. Kluwer Academic Publishers. Contant. 0., S. Lafortune and D. Teneketzis (2004). Diagnosis of distributed discrete event systems: Architecture and modular verification approach. Technical Report CGR 04-04. College of Engineering Control Group Reports, University of ;vIichigan. Debouk. R. , R. :vlalik and B. Brandin (2002) . A modular architecture for diagnosis of discrete event systems. In: Proc. 41st IEEE Conf. on Decision and Control. Las Vegas , :\TV, CSA. pp. 417-422. Fabre , E. , A. Benveniste and C. Jard (2002). Distributed diagnosis for large discrete event dynamic systems. In: Proc . 15th IFAC World Congress. Barcelona, Spain. Garcia, E. , F. Morant, R. Blasco-Gimnez, A. Correcher and E. Quiles (2002) . Centralized modular diagnosis and the phenomenon of coupling. In: Proc. of the 2002 International Workshop on Discrete Event Systems - WODES'02. Zaragoza, Spain. pp. 161-168. Genc, S. and S. Lafortune (2003 ). Distributed diagnosis of discrete-event systems using Petri nets. In: Proc. 2003 International Conf. on Application and Theory of Petri Nets. Eindhoven, The :\etherlands. pp. 316-336. Holloway, L. E. and S. Chand (1994). Time templates for discrete event fault monitoring in manufacturing systems. In: Proc. 1994 American Control Conference. Baltimore, MD , USA. pp. 701-706. Lafort une , S., D. Teneketzis , !'vI. Sampath. R. Sengupta and K. Sinnamohideen (200 1). Failure diagnosis of dynamic systems: An approach based on discrete event systems. In: Proc. 2001 American Control Conference. Arlington, VA, USA. pp. 2058-2071. Ricker. L. S. and E Fabre (2000). On the construction of modular observers and diagnosers for discrete event systems. In: Proc. 39th IEEE Conf. on Decision and Control Sydney, Australia. pp. 2240-2244. Sampath, :\L R. Sengupta. K. Sinnamohideen S Lafortune and D . Teneketzis (1995 ) . Diagnosability of discrete event systems. IEEE Trans. Automatic Control 40 (9). 1555-1575 . Su. R .. W. I\.I. \\"onham. J. Kurien and X. Koutsoukos (2002 ) . Distributed diagnosis for qualitative systems. In: Proc. of the 2002 International ~Vorkshop on Discrete Event Systems rVODES·02. Zaragoza, Spain. pp. 169-174.