Robust Failure Diagnosis of Partially Observed Discrete Event Systems

Robust Failure Diagnosis of Partially Observed Discrete Event Systems  Shigemasa Takai ∗ ∗

Osaka University, Suita, Osaka 565-0871, Japan (e-mail: [email protected]).

Abstract: In this paper, we study robust failure diagnosis of partially observed discrete event systems. Given a set of possible models, each of which has its own nonfailure specification, the objective is to synthesize a single diagnoser such that, for all possible models, it detects any occurrence of a failure within a uniformly bounded number of steps. We call such a diagnoser a robust diagnoser. We introduce a notion of robust diagnosability, and prove that it serves as a necessary and sufficient condition for the existence of a robust diagnoser. We then present an algorithm for verifying the robust diagnosability condition. Moreover, we show that a robust diagnoser can be synthesized as an online diagnoser. Keywords: Discrete event system, Failure diagnosis, Robust diagnosability, Online diagnosis 1. INTRODUCTION A language based framework for failure diagnosis of partially observed discrete event systems (DESs) was proposed by Sampath et al. (1995). In this framework, a failure is represented by the occurrence of an unobservable failure event, and the task of a diagnoser is to detect any occurrence of a failure event within a uniformly bounded number of steps. The diagnosability property introduced by Sampath et al. (1995) plays an important role in failure diagnosis. In Jiang et al. (2001) and Yoo and Lafortune (2002), polynomial algorithms for verifying diagnosability were developed. Qiu and Kumar (2006) studied decentralized failure diagnosis in a general case where a nonfailure specification language is specified, and a failure is modeled by violation of the specification language. A notion of codiagnosability was defined to characterize a class of diagnosable systems in the decentralized setting (Qiu and Kumar, 2006). Further, an algorithm for verifying codiagnosability was developed, and a method for synthesizing local online diagnosers was presented by Qiu and Kumar (2006). In some situations, it is only known that an exact system model belongs to a set of possible models. Examples of such model uncertainty were given in Lin (1993), Bourdon et al. (2005), and Saboori and Hashtrudi Zad (2006). In the context of supervisory control of DESs initiated by Ramadge and Wonham (1987), a robust supervisory control problem was formulated by Lin (1993). This problem requires synthesizing a single supervisor that achieves legal behavior for all possible models. The result of Lin (1993) has been extended by Takai (2000), Park and Lim (2002), Bourdon et al. (2005), Saboori and Hashtrudi Zad (2006), and Economakos and Koumboulis (2008) in several ways. To the best of our knowledge, most prior work on failure diagnosis of DESs assumes that an exact model of a system  This work was supported in part by Grant-in-Aid for Scientific Research (No. 21560462).

to be diagnosed is given. In this paper, we assume that a set of possible models, each of which has its own nonfailure specification, is given, and consider a robust failure diagnosis problem. We first introduce a notion of diagnosability for a set of possible models, called robust diagnosability, with respect to a set of nonfailure specification languages. We prove that robust diagnosability is a necessary and sufficient condition for the existence of a single diagnoser such that, for all possible models, it detects any occurrence of a failure within a uniformly bounded number of steps. Such a diagnoser is called a robust diagnoser. We then present an algorithm for verifying the robust diagnosability condition. Moreover, by using the result of Qiu and Kumar (2006), we present a method for synthesizing a robust diagnoser as an online diagnoser. Another notion of robust codiagnosability was defined by Basilio and Lafortune (2009) in the setting of decentralized diagnosis. This robust codiagnosability condition characterizes a class of systems diagnosable by a set of local diagnosers that are subject to failures, and is different from our robust diagnosability condition. 2. PRELIMINARIES We consider a DES modeled by an automaton G = (Q, Σ, α, q0 ), where Q is the set of states, Σ is the finite set of events, α : Q × Σ → Q is the partial state transition function, and q0 ∈ Q is the initial state. Let Σ∗ be the set of all finite strings of elements of Σ, including the empty string ε. For each s ∈ Σ∗ , |s| denotes its length. (Note that, for a finite set A, |A| denotes the number of its elements.) The state transition function α : Q × Σ → Q can be generalized to α : Q × Σ∗ → Q in a natural way. The notation α(q, s)! means that α(q, s) is defined for q ∈ Q and s ∈ Σ∗ . The generated language of G, denoted by L(G), is defined as L(G) = {s ∈ Σ∗ | α(q0 , s)!}. For each

s ∈ L(G), the postlanguage of L(G) after s is defined as L(G)/s = {t ∈ Σ∗ | st ∈ L(G)}. Let K ⊆ Σ∗ be a language. We denote the set of all prefixes of strings in K by pr(K), that is, pr(K) = {s ∈ Σ∗ | ∃t ∈ Σ∗ : st ∈ K}. If K = pr(K), K is said to be (prefix-)closed. A diagnoser for G observes the occurrence of an event through an observation mask M : Σ → Δ ∪ {ε}, where Δ is the set of symbols observed by a diagnoser. An event σ ∈ Σ with M (σ) = ε is unobservable to a diagnoser. An observation mask M : Σ → Δ ∪ {ε} is extended to M : Σ∗ → Δ∗ inductively as follows: • M (ε) = ε, • (∀s ∈ Σ∗ )(∀σ ∈ Σ) M (sσ) = M (s)M (σ). Strings s, s ∈ Σ∗ are said to be indistinguishable (under M ) if M (s) = M (s ). Further, for any language K ⊆ Σ∗ , M (K) ⊆ Δ∗ is defined as M (K) = {M (s) ∈ Δ∗ |s ∈ K}. Also, for any τ ∈ Δ∗ , M −1 (τ ) ⊆ Σ∗ is defined as M −1 (τ ) = {s ∈ Σ∗ |M (s) = τ }. A diagnoser is formally defined as a function D : Δ∗ → {0, 1}. If D is certain that a failure has occurred, then it issues the decision “1”. Otherwise, the decision “0” is issued by D. Let K ⊆ L(G) be a nonempty closed sublanguage that describes the nonfailure behavior of the system G. Fault behavior of G is represented by the execution of a string in L(G) − K. A diagnoser D : Δ∗ → {0, 1} is required to satisfy the following condition: C1) (∃m ∈ N )(∀s ∈ L(G) − K)(∀t ∈ L(G)/s) |t| ≥ m ⇒ D(M (st)) = 1, where N is the set of all nonnegative integers. The condition C1) means that there exists m ∈ N such that the occurrence of any failure is detected by D within m-steps. Further, D is required to issue the decision “1” only after the occurrence of a failure. That is, D should also satisfy the following condition: C2) (∀s ∈ K) D(M (s)) = 1. For the sake of simplicity, we assume that G is live, that is, for any q ∈ Q, there exists σ ∈ Σ such that α(q, σ)!. This is a usual assumption in failure diagnosis of DESs (Sampath et al., 1995). The system G is said to be diagnosable with respect to K (Sampath et al., 1995) if (∃m ∈ N )(∀s ∈ L(G) − K)(∀t ∈ L(G)/s) |t| ≥ m ⇒ M −1 M (st) ∩ L(G) ⊆ L(G) − K. There exists a diagnoser D : Δ∗ → {0, 1} satisfying C1) and C2) if and only if G is diagnosable with respect to K. 3. ROBUST DIAGNOSABILITY In the sequel, we assume that we only know that an exact model of a system to be diagnosed belongs to a set of possible DES models {Gi | i ∈ I} over a common event set Σ, where I := {1, 2, . . . , |I|} is an index set. Each possible model Gi (i ∈ I) is live and has its own nonfailure behavior described by a nonempty closed sublanguage Ki ⊆ L(Gi ). We consider a problem of synthesizing a robust diagnoser D : Δ∗ → {0, 1} satisfying the following two conditions:

d

b

c

q1,1

d q2,1

c

q1,2

q1,0 (a)

a q2,2

a

a q2,0

q2,3

b

(b)

Fig. 1. Possible models G1 and G2 for Example 2. C3) (∀i ∈ I)(∃mi ∈ N )(∀s ∈ L(Gi ) − Ki )(∀t ∈ L(Gi )/s) |t| ≥ mi ⇒ D(M (st)) = 1, C4) (∀i ∈ I)(∀s ∈ Ki ) D(M (s)) = 1. That is, a robust diagnoser satisfying C3) and C4) correctly detects the occurrence of any failure in any possible model. In order to characterize the existence of such a robust diagnoser, we introduce a notion of robust diagnosability. Definition 1. The set {Gi | i ∈ I} of possible models is said to be robustly diagnosable with respect to a set of nonempty closed languages {Ki | i ∈ I} if (∀i ∈ I)(∃mi ∈ N )(∀s ∈ L(Gi ) − Ki )(∀t ∈ L(Gi )/s) |t| ≥ mi ⇒ [∀j ∈ I : M −1 M (st) ∩ L(Gj ) ⊆ L(Gj ) − Kj ]. Robust diagnosability of {Gi | i ∈ I} with respect to {Ki | i ∈ I} requires that, for each possible model Gi (i ∈ I), there exists a nonnegative integer mi ∈ N such that, for any failure string s ∈ L(Gi ) − Ki and any extension t ∈ L(Gi )/s with |t| ≥ mi , any string u ∈ M −1 M (st) ∩ L(Gj ) indistinguishable from st in Gj is also a failure string in L(Gj ) − Kj for all possible models Gj (j ∈ I). Note that, if j = i, the set M −1 M (st) ∩ L(Gj ) of indistinguishable strings may be the empty set. On the other hand, diagnosability of Gi with respect to Ki only requires that strings indistinguishable from st in Gi be failure ones in L(Gi ) − Ki . Thus, if {Gi | i ∈ I} is robustly diagnosable with respect to {Ki | i ∈ I}, then, for each i ∈ I, Gi is diagnosable with respect to Ki . As shown in the following example, however, the converse relation does not hold in general. Example 2. We consider two possible models G1 and G2 shown in Fig. 1 (a) and (b), respectively, where Σ = {a, b, c, d}. (The initial state is identified by ↓ to a circle.) Let Δ = {a, b, c}. We assume that an observation mask M : Σ → Δ ∪ {ε} is given as  σ, if σ ∈ {a, b, c} M (σ) = ε, otherwise. Nonfailure specification languages K1 and K2 are described by automata GK1 and GK2 shown in Fig. 2 (a) and (b), respectively. Since M −1 M (s) ∩ L(G1 ) = {s} ⊆ L(G1 ) − K1 for any failure string s ∈ L(G1 ) − K1 = acc∗ , G1 is diagnosable with respect to K1 . Also, we can verify that G2 is diagnosable with respect to K2 . We show that, however, {Gi | i ∈ I} is not robustly diagnosable with respect to {Ki | i ∈ I}. We consider any failure string s ∈ L(G1 ) − K1 of G1 . For any extension t ∈ L(G1 )/s, st can be written as acn (n ≥ 1). For this string acn , we have dacn ∈ M −1 M (st) ∩ K2 . That is, any

b

c

d qK1 ,1

qK1 ,0 (a)

qK1 ,2

qK2 ,1 (b)

q1,1

q1,0

a qK2 ,0

Fig. 2. Nonfailure specifications GK1 and GK2 for Example 2. failure string acn of G1 cannot be distinguished from a nonfailure string dacn of G2 . Thus, {Gi | i ∈ I} is not robustly diagnosable with respect to {Ki | i ∈ I}. The following theorem shows that robust diagnosability characterizes the existence of a robust diagnoser satisfying C3) and C4). Theorem 3. There exists a robust diagnoser D : Δ∗ → {0, 1} satisfying the conditions C3) and C4) for a set of nonempty closed languages {Ki | i ∈ I} if and only if the set {Gi | i ∈ I} of possible models is robustly diagnosable with respect to {Ki | i ∈ I}. Proof. We first prove the sufficiency part. We consider a diagnoser D : Δ∗ → {0, 1} given as  1, if ∀i ∈ I : M −1 (τ ) ∩ L(Gi ) ⊆ L(Gi ) − Ki D(τ ) = (1) 0, otherwise. We show that this diagnoser D satisfies C3). Consider any i ∈ I. Since {Gi | i ∈ I} is robustly diagnosable with respect to {Ki | i ∈ I}, there exists mi ∈ N such that (∀s ∈ L(Gi ) − Ki )(∀t ∈ L(Gi )/s) |t| ≥ mi ⇒ [∀j ∈ I : M −1 M (st) ∩ L(Gj ) ⊆ L(Gj ) − Kj ]. For any s ∈ L(Gi )−Ki and t ∈ L(Gi )/s such that |t| ≥ mi , we have M −1 M (st) ∩ L(Gj ) ⊆ L(Gj ) − Kj for all j ∈ I, which implies together with (1) that D(M (st)) = 1. It remains to show that D satisfies C4). For each i ∈ I and each s ∈ Ki , since s ∈ M −1 M (s) ∩ L(Gi ), we have D(M (s)) = 0. Thus, C4) holds. We next prove the necessity part. Since D satisfies C3), for each i ∈ I, there exists mi ∈ N such that (∀s ∈ L(Gi ) − Ki )(∀t ∈ L(Gi )/s) |t| ≥ mi ⇒ D(M (st)) = 1. For any s ∈ L(Gi )−Ki and t ∈ L(Gi )/s such that |t| ≥ mi , we consider any j ∈ I and any sj ∈ M −1 M (st) ∩ L(Gj ). Since D(M (sj )) = D(M (st)) = 1, we have by C4) that sj ∈ / Kj , that is, sj ∈ L(Gj ) − Kj . Thus, {Gi | i ∈ I} is robustly diagnosable with respect to {Ki | i ∈ I}. 2 Example 4. We consider two possible models G1 and G2 shown in Fig. 3 (a) and (b), respectively, where Σ = {a, b, c, d, e, f }. Let Δ = {a, b, c, d}. We assume that an observation mask M : Σ → Δ ∪ {ε} is given as  σ, if σ ∈ {a, b, c, d} M (σ) = ε, otherwise. Nonfailure specification languages K1 and K2 are assumed to be described by automata GK1 and GK2 shown in Fig. 4

f

(a)

qK2 ,3

q2,0

d

q1,3 q2,2

b

e

a

d

c

e

a

b

d

a qK2 ,2

q1,2

a

q2,1 (b)

f

c

q2,3

Fig. 3. Possible models G1 and G2 for Example 4. b

a qK1 ,0 qK1 ,1 (a)

d

a qK2 ,0 qK2 ,1 (b)

Fig. 4. Nonfailure specifications GK1 and GK2 for Example 4. (a) and (b), respectively. We have L(G1 ) − K1 = b∗ aec∗ + b∗ af d∗ and L(G2 ) − K2 = d∗ aeb∗ + d∗ af c∗ . We first show that (∀s ∈ L(G1 ) − K1 )(∀t ∈ L(G1 )/s) |t| ≥ 1 ⇒ [∀j ∈ I : M −1 M (st) ∩ L(Gj ) ⊆ L(Gj ) − Kj ]. For any s ∈ L(G1 ) − K1 and t ∈ L(G1 )/s with |t| ≥ 1, st can be written as bk aecl or bk af dl , where k ≥ 0 and l ≥ 1. We consider the case that st = bk aecl . Then, we have M −1 M (st) ∩ L(G1 ) = {bk aecl } ⊆ L(G1 ) − K1 . Also, if k = 0 then M −1 M (st) ∩ L(G2 ) = {af cl } ⊆ L(G2 ) − K2 ; otherwise M −1 M (st) ∩ L(G2 ) = ∅ ⊆ L(G2 ) − K2 . We consider the case that st = bk af dl . Then, we have M −1 M (st) ∩ L(G1 ) = {bk af dl } ⊆ L(G1 ) − K1 and M −1 M (st) ∩ L(G2 ) = ∅ ⊆ L(G2 ) − K2 . Thus, the above condition holds. Analogously, we can verify that (∀s ∈ L(G2 ) − K2 )(∀t ∈ L(G2 )/s) |t| ≥ 1 ⇒ [∀j ∈ I : M −1 M (st) ∩ L(Gj ) ⊆ L(Gj ) − Kj ]. We can conclude that {Gi | i ∈ I} is robustly diagnosable with respect to {Ki | i ∈ I}. By (1), a robust diagnoser D : Δ∗ → {0, 1} is given as  0, if τ ∈ b∗ + b∗ a + d∗ + d∗ a D(τ ) = 1, otherwise. 4. VERIFICATION AND SYNTHESIS RESULTS In this section, we present algorithms for verifying robust diagnosability and synthesizing robust diagnosers by generalizing the results of Qiu and Kumar (2006) (in the centralized setting). Hereafter, we assume that each possible model Gi = (Qi , Σ, αi , qi,0 ) (i ∈ I) has a finite state set, and a nonfailure specification language Ki ⊆ L(Gi ) is generated by a finite automaton GKi = (QKi , Σ, αKi , qKi ,0 ). We augment the automaton GKi by adding a dump state qdi ∈ / QKi . Formally, the augmented automaton is defined ˜ K , Σ, α ˜ K = QK ∪ {qd }, ˜ K = (Q ˜ Ki , qKi ,0 ), where Q as G i i i i i

˜K × Σ → Q ˜ K is and the state transition function α ˜ Ki : Q i i defined as

(n+1)

(k+1)

ri (n ≥ 1), where, for each k ∈ {1, 2, . . . , n}, ri (k) (k) (1) (n+1) αTi (ri , σTi ). π is called a cycle if ri = ri .

=

Theorem 5. The set {Gi | i ∈ I} of possible models is not robustly diagnosable with respect to {Ki | i ∈ I} if and only if there exists i ∈ I such that, in the testing

qK , σ) α ˜ Ki (˜  i qKi , σ), if q˜Ki ∈ QKi and αKi (˜ qKi , σ)! αKi (˜ = qdi , otherwise.

(1)

(1)

˜ K ) = Σ∗ . Further, for any s ∈ Σ∗ , s ∈ / Ki if We have L(G i and only if α ˜ Ki (qKi ,0 , s) = qdi .

automaton Ti , there exists a reachable cycle ri (2)

(2)

ri

(n−1)

(n)

σT

σT

(n)

i i −→ · · · −→ ri

σT

(1)

i −→ ri

such that (k)

(∃k ∈ {1, 2, . . . , n}) σ (k) = ε ∧ q˜Ki = qdi ,

4.1 Verification of Robust Diagnosability

σT

i −→

(3)

For each i ∈ I, we construct a testing automaton Ti = (Ri , ΣT , αTi , ri,0 ) (i ∈ I)

where σTi

˜ K , and |I| − 1 automata by composing Gi , two copies of G i ˜ GKj (j = i) as follows:

Proof. First, we suppose that, in the testing automaton

(k)

where

 = q˜K i  = qˆK j

  

αi (qi , σ), if σ = ε qi , otherwise,

• P (ε) = ε, Pj (ε) = ε, • (∀sT ∈ Σ∗T )(∀σT := (σ, σ1 , σ2 . . . , σ|I| ) ∈ ΣT ) P (sT σT ) = P (sT )σ, Pj (sT σT ) = Pj (sT )σj . By the definition of αTi , we have, for any sTi ∈ L(Ti ), αTi (ri,0 , sTi ) = (qi , q˜Ki , qˆK1 , qˆK2 , . . . , qˆK|I| ), (2) where αi (qi,0 , P (sTi )) = qi , α ˜ Ki (qKi ,0 , P (sTi )) = q˜Ki , and, for all j ∈ I, α ˜ Kj (qKj ,0 , Pj (sTi )) = qˆKj . Also, we have M (P (sTi )) = M (Pj (sTi )) for any j ∈ I. Thus, Ti traces all strings s ∈ L(G) and s1 , s2 , . . . , s|I| ∈ Σ∗ such that • (∀l ∈ I) M (s) = M (sl ), • (∃j ∈ I) sj ∈ Kj . A path πi in the testing automaton Ti is a sequence of (1)

σT

(2)

(2)

σT

=

(1)

(1)

Ti (i ∈ I), there exists a reachable cycle ri (n−1)

σT

i

(n)

(n) ri

σT

σT

(2)

(2)

i −→ ri

σT

i −→

(1)

i −→ ri satisfying (3). Then, there exists · · · −→ (1) sTi ∈ L(Ti ) such that αTi (ri,0 , sTi ) = ri . Note that, for ˜ K reaches the dump state qd , it remains all j ∈ I, once G j j there. Since there exists k ∈ {1, 2, . . . , n} such that the (k) (k) second coordinate q˜Ki of ri is qdi , the second coordinate

(1)

(1)

(1)

(n)

(n)

q˜Ki of ri is qdi . Also, since ri = αTi (ri , σTi ), we have by the definition of αTi that there exists j ∈ I (1) such that qˆKj = qdj . It follows from P (sTi ) ∈ L(Gi ) and α ˜ Ki (qKi ,0 , P (sTi )) = qdi that s := P (sTi ) ∈ L(Gi ) − Ki . (1) Also, since α ˜ Kj (qKj ,0 , Pj (sTi )) = qˆKj = qdj , we have sj := Pj (sTi ) ∈ Kj . For any nonnegative integer mi ∈ N , we consider (1) (2) (n) ∗ i tm Ti ∈ ΣT , where tTi := σTi σTi · · · σTi . Since there

(1)

For strings in Σ∗T , projection functions P : Σ∗T → Σ∗ and Pj : Σ∗T → Σ∗ (j ∈ I) are defined as follows:

i −→ ri

(k)

(k)

qKj , σj ), if σj = ε α ˜ Kj (ˆ (∀j ∈ I). qˆKj , otherwise

(1)

(k)

exists σTi whose first coordinate σ (k) is not ε, we have mi i ∈ |t| ≥ mi , where t := P (tm Ti ). Also, since sTi tTi mi L(Ti ), we have st = P (sTi tTi ) ∈ L(Gi ). Moreover,

qKi , σ), if σ = ε α ˜ Ki (˜ q˜Ki , otherwise,

transitions such that ri

(k)

(k) (k) (k) (k) (k) (qi , q˜Ki , qˆK1 , qˆK2 , . . . , qˆK|I| ).

˜K ) × Q ˜K × Q ˜K × · · · × Q ˜K . • Ri = (Qi × Q i 1 2 |I| • ri,0 = (qi,0 , qKi ,0 , qK1 ,0 , qK2 ,0 , . . . , qK|I| ,0 ). • ΣT = (Σ ∪ {ε}) × (Σ ∪ {ε}) × · · · × (Σ ∪ {ε})    (|I| + 1) times − {(ε, ε, . . . , ε)}. • αTi : Ri × ΣT → Ri is defined as follows: For each ri = (qi , q˜Ki , qˆK1 , qˆK2 , . . . , qˆK|I| ) ∈ Ri and σTi = (σ, σ1 , σ2 , . . . , σ|I| ) ∈ ΣT , αTi (ri , σTi )! if and only if · ∃j ∈ I : qˆKj = qdj ∧ [σj = ε ⇒ α ˜ Kj (ˆ qKj , σj ) = qdj ], · σ = ε ⇒ αi (qi , σ)!, · ∀l ∈ I : M (σ) = M (σl ). If αTi (ri , σTi )!, then     αTi (ri , σTi ) = (qi , q˜K , qˆK , qˆK , . . . , qˆK ), i 1 2 |I| qi =

(k)

(σ (k) , σ1 , σ2 , . . . , σ|I| ) and ri

=

(n−1)

σT

(n)

(n)

i i −→ · · · −→ ri

σT

i −→

i ˆKj = qdj , we have since α ˜ Kj (qKj ,0 , Pj (sTi tm Ti )) = q mi uj := Pj (sTi tTi ) ∈ Kj ⊆ L(Gj ). It follows that uj ∈ M −1 M (st) ∩ L(Gj ) and uj ∈ Kj . We can conclude that {Gi | i ∈ I} is not robustly diagnosable with respect to {Ki | i ∈ I}.

Next, we suppose that {Gi | i ∈ I} is not robustly diagnosable with respect to {Ki | i ∈ I}. Then, there exists i ∈ I such that, for any mi ∈ N , (∃s ∈ L(Gi ) − Ki )(∃t ∈ L(Gi )/s) |t| ≥ mi ∧ [∃j ∈ I : M −1 M (st) ∩ L(Gj ) ⊆ L(Gj ) − Kj ]. Consider any mi > |Ri |, where |Ri | denotes the number of states of Ti . We pick up an index j ∈ I such that M −1 M (st) ∩ L(Gj ) ⊆ L(Gj ) − Kj . For this index j, there exists uj ∈ Kj such that M (st) = M (uj ). Also, for any l ∈ I with l = j, let ul ∈ Σ∗ be any string such that M (st) = M (ul ). Note that, for any vj ∈ pr({uj }), we have α ˜ Kj (qKj ,0 , vj ) = qdj . By the construction of the testing automaton Ti , there exists sTi ∈ L(Ti ) such that P (sTi ) = st, Pl (sTi ) = ul for all l ∈ I, and αTi (ri,0 , sTi ) = (qi , q˜Ki , qˆK1 , qˆK2 , . . . , qˆK|I| ), where

4.2 Synthesis of Robust Diagnosers (q1,0 , qK1 ,0 , qK1 ,0 , qK2 ,0 )

It is well-known that offline synthesis of a diagnoser is computationally intractable. In order to avoid the difficulty, a computationally feasible online procedure for synthesizing a diagnoser was presented in Qiu and Kumar (2006). An online diagnoser computes its diagnosis decision online each time it observes an observable symbol. We use the online procedure of Qiu and Kumar (2006) (in the centralized setting) to synthesize the robust diagnoser given by (1) as an online diagnoser.

(ε, ε, d) (q1,0 , qK1 ,0 , qK1 ,0 , qK2 ,1 ) (a, a, a) (q1,2 , qK1 ,2 , qK1 ,2 , qK2 ,2 ) (c, c, c) (q1,2 , qd1 , qd1 , qK2 ,2 )

In the online computations, we use the synchronous compositions ˜ K = (Qi × Q ˜ K , Σ, βi , (qi,0 , qK ,0 )) Gi G

(c, c, c)

i

Fig. 5. A part of the testing automaton T1 for Example 7. ˜ Ki (qKi ,0 , st) = q˜Ki , and α ˜ Kl (qKl ,0 , ul ) = αi (qi,0 , st) = qi , α qˆKl for all l ∈ I. There exists a prefix sTi of sTi such that P (sTi ) = s.  be the second coordinate of αTi (ri,0 , sTi ). Then, Let q˜K i  . Since s ∈ L(Gi ) − Ki , we we have α ˜ Ki (qKi ,0 , s) = q˜K i  have q˜Ki = qdi . This means that the second coordinate of any state reachable from αTi (ri,0 , sTi ) is qdi . We can write sTi = sTi tTi . Then, we have P (tTi ) = t. Since |t| ≥ mi > |Ri |, tTi contains more than |Ri | events in ΣT whose first coordinates are not ε. Thus, there exists a (1)

(1) ri

σT

i

(2)

(2) ri

σT

i

(n−1)

σT

i

(n)

(n) ri

σT

i

(1) ri

−→ −→ · · · −→ −→ satisfying cycle (3) along the string tTi . Since sTi = sTi tTi ∈ L(Ti ), this cycle is reachable from ri,0 in Ti . 2 Remark 6. For each i ∈ I, the number of states of the testing automaton Ti is at most |Qi | × (|QKi | + 1)2 ×  { j=i (|QKj | + 1)}. Since |ΣT | = (|Σ| + 1)|I|+1 − 1, there  are at most |Qi |×(|QKi |+1)2 ×{ j=i (|QKj |+1)}×{(|Σ|+ 1)|I|+1 − 1} transitions in Ti . Therefore, for each Ti , the complexity of verifying the existence  of a reachable cycle satisfying (3) is O(|Qi | × |QKi |2 × ( j=i |QKj |) × |Σ||I|+1 ).

Intuitively, the existence of a reachable cycle satisfying (3) in Ti implies that there exists a failure string s ∈ L(Gi ) − Ki (which is traced by the first two components G and ˜ K ) such that any extension of s cannot be distinguished G i from a nonfailure string in some nonfailure specification language Kj (which is traced by the j + 2th component ˜ K ). G j

The following example illustrates the verification result of Theorem 5. Example 7. We revisit the setting of Example 2. A part of the testing automaton T1 is shown in Fig. 5. Since there exists a reachable cycle (c,c,c)

(q1,2 , qd1 , qd1 , qK2 ,2 ) −→ (q1,2 , qd1 , qd1 , qK2 ,2 ) satisfying (3), we can conclude that {Gi | i ∈ I} is not robustly diagnosable with respect to {Ki | i ∈ I}. The part of T1 shown in Fig. 5 indicates that the occurrence of a failure string acn (n ≥ 1) of G1 cannot be distinguished from a nonfailure string dacn of G2 .

i

i

˜ K (i ∈ I), where the partial state transition of Gi and G i ˜ K ) × Σ → Qi × Q ˜ K is defined as function β : (Qi × Q i  i ˜ Ki (˜ qKi , σ)), if αi (qi , σ)! (αi (qi , σ), α β((qi , q˜Ki ), σ) = undefined, otherwise. ˜ K and any qKi , σ)! for any q˜Ki ∈ Q (Recall that α ˜ Ki (˜ i ˜ ˜K ) = σ ∈ Σ.) Then, we have L(Gi GKi ) = L(Gi ) ∩ L(G i ∗ ˜ ˜K L(Gi ) ∩ Σ = L(Gi ). Since L(Gi GKi ) = L(Gi ), Gi G i can be considered as a refined system model such that a failure string in L(Gi ) − Ki leads a state whose second coordinate is qdi . An online diagnoser updates estimates of the current states ˜ K (i ∈ I) each time of all possible refined models Gi G i it observes an observable symbol, and issues its diagnosis decision based on the updated estimates. In order to compute such estimates, we define the unobservable reach ˜ set U Ri (Xi ) ∈ 2Qi ×QKi (i ∈ I) for each subset Xi ⊆ Qi × ˜ K as follows: Q i  ˜ K | ∃(qi , q˜K ) ∈ Xi , ) ∈ Qi × Q U Ri (Xi ) = {(qi , q˜K i i i  ∃s ∈ M −1 (ε) : (qi , q˜K ) = βi ((qi , q˜Ki ), s)}. i ˜ K (i ∈ I), we Then, for each possible refined model Gi G i inductively define a state estimate function Ei : Δ∗ → ˜ 2Qi ×QKi as follows:

• Ei (ε) = U Ri ({(qi,0 , qKi ,0 )}), • (∀τ ∈ Δ∗ )(∀δ ∈ Δ) Ei (τ δ) = U Ri (Xi,τ δ ), where Xi,τ δ  ˜ Ki | ∃(qi , q˜Ki ) ∈ Ei (τ ), = {(qi , q˜K ) ∈ Qi × Q i  ∃σ ∈ Σ ∩ M −1 (δ) : (qi , q˜K ) = βi ((qi , q˜Ki ), σ)}. i

We consider a situation where, for an output string τ ∈ Δ∗ , the state estimate set Ei (τ ) has been computed for each ˜ K . For a newly observed possible refined model Gi G i symbol δ ∈ Δ, Xi,τ δ is the set of states reachable from a state in Ei (τ ) by an event which is observed as δ. By computing the unobservable reach set U Ri (Xi,τ δ ), we obtain the state estimate set Ei (τ δ). In this way, the state estimate set is updated online. Since  ˜ K | ∃s ∈ M −1 (τ ) : ) ∈ Qi × Q Ei (τ ) = {(qi , q˜K i i

 ) = βi ((qi,0 , qKi ,0 ), s)} (qi , q˜K i ∗ for each τ ∈ Δ , we have the following proposition.

Proposition 8. Let D : Δ∗ → {0, 1} be the diagnoser given by (1). For any τ ∈ Δ∗ , D(τ ) = 1 if and only if, for any i ∈ I, Ei (τ ) ⊆ Qi × {qdi }. The above proposition shows that the robust diagnoser D given by (1) is synthesized as an online diagnoser by using ˜ the state estimate functions Ei : Δ∗ → 2Qi ×QKi (i ∈ I). Remark 9. We have Ei (τ ) = ∅ for any τ ∈ / M (L(Gi )). ˜ K becomes the Thus, if the state estimate set for Gi G i empty set, Gi can be eliminated from the set of possible models during the online procedure. 5. CONCLUSIONS In this paper, we considered a situation where a set of possible models, instead of an exact single model, is given, and studied a problem of synthesizing a robust diagnoser that detects any occurrence of a failure within a uniformly bounded number of steps for all possible models. We introduced a notion of robust diagnosability which characterizes the existence of a robust diagnoser. We then presented a verification algorithm for robust diagnosability. Moreover, we presented a method for synthesizing a robust diagnoser as an online diagnoser. REFERENCES Basilio, J. C., and Lafortune, S. (2009). Robust codiagnosability of discrete event systems. In Proc. 2009 American Control Conference (pp. 2202–2209). Bourdon, S. E., Lawford, M., and Wonham, W. M. (2005). Robust nonblocking supervisory control of discreteevent systems. IEEE Transactions on Automatic Control, 50 (12), 2015–2021. Economakos, C., and Koumboulis, F. N. (2008). Modular implementation of robust supervisory controllers for discrete event systems. IEEE Transactions on Automatic Control, 53 (6), 1559–1563. Jiang, S., Huang, Z., Chandra, V., and Kumar, R. (2001). A polynomial algorithm for testing diagnosability of discrete-event systems. IEEE Transactions on Automatic Control, 46 (8), 1318–1321. Lin, F. (1993). Robust and adaptive supervisory control of discrete event systems. IEEE Transactions on Automatic Control, 38 (12), 1848–1852. Park, S.-J., and Lim, J.-T. (2002). Robust and nonblocking supervisory control of nondeterministic discrete event systems using trajectory models. IEEE Transactions on Automatic Control, 47 (4), 655–658. Qiu, W., and Kumar, R. (2006). Decentralized failure diagnosis of discrete event systems. IEEE Transactions on Systems, Man, and Cybernetics, Part A: Systems and Humans, 36 (2), 384–395. Ramadge, P. J., and Wonham, W. M. (1987). Supervisory control of a class of discrete-event processes. SIAM Journal on Control and Optimization, 25 (1), 206–230. Saboori, A., and Hashtrudi Zad, S. (2006). Robust nonblocking supervisory control of discrete-event systems under partial observation. Systems & Control Letters, 55 (10), 839-848. Sampath, M., Sengupta, R., Lafortune, S., Sinnamohideen, K., and Teneketzis, D. (1995). Diagnosability of discreteevent systems. IEEE Transactions on Automatic Control, 40 (9), 1555–1575.

Takai, S. (2000). Robust supervisory control of a class of timed discrete event systems under partial observation. Systems & Control Letters, 39 (4), 267–273. Yoo, T.-S., and Lafortune, S. (2002). Polynomial-time verification of diagnosability of partially observed discreteevent systems. IEEE Transactions on Automatic Control, 47 (9), 1491–1495.