In this paper, an efficient approach to verify diagnosability of discrete-event systems is proposed. The approach consists in constructing a hybrid diagnoser based on the symbolic observation graph (SOG), which is a technique that combines symbolic and enumerative representations in order to build a deterministic observer from a partially observed model. The construction of the diagnoser as well as the verification of diagnosability are performed simultaneously on-the-fly, which can considerably reduce the generated state space of the diagnoser and thus the overall running time. Furthermore, the proposed approach provides a heuristic strategy in order to converge fast into the necessary part, of the diagnoser, for analysing diagnosability.
In automated monitoring and fault diagnosis of
complex dynamic systems, one of the central tasks
is to detect and identify the occurrence of failures
as early as possible. This task has become an
active research area in recent years
One of the main issues in diagnosis activity that
must be addressed is diagnosability investigation.
Analysing diagnosability of a system intends to
determine accurately whether any predetermined
failure or class of failures can be detected and
identified within a finite delay following its occurrence
Diagnosability verification has received considerable
attention since the seminal paper by
Other automata-based approaches
Furthermore, some works on diagnosability of
DESs turned to Petri nets (PNs) formalism,
benefiting from the mathematical and graphical
representations capability and the well-developed
theory underlying PNs
To get a general overview on the literature pertaining
to diagnosis of DESs, the reader can refer to the
recent survey in
The paper is structured as follows. In Section 2, we introduce the basic background needed to deal with diagnosability and to develop our approach. In Section 3, we recall the notion of diagnosability as well as the original diagnoser approach. Section 4 is devoted to discuss the Symbolic Observation Graph adapted to the context of this paper. In Section 5, the verification approach is sketched out then an onthe-fly algorithm based on the SOG is presented. Section 6 discusses the pertinent existing work in relation with the present work. Finally, conclusion remarks and future research directions are given in Section 7.
We first recall some standard notations that will be used in the sequel. Let be a finite alphabet of events (actions). A string is a finite sequence of events in . denotes the empty string. Given a string s, the length of s is denoted by jsj. The set of all strings formed by events in is denoted by . Any subset of is called a language. Given a string s 2 L, L=s , ft 2 js:t 2 Lg is called the postlanguage of L after s and defined as L=s. L is said to be extension-closed when L: = L.
The approach introduced in this paper applies to discrete-events systems modelled by Labelled Transitions Systems (LTSs for short). The formal definition of LTS is as follows.
4-tuple hQ; ; !; q0i, where:
is a finite set of events; ! Q q0 2 Q is the initial state.
In the remainder of this section, we consider a given LTS G = hQ; ; !; q0i. For q; q0 2 Q and 2 , we denote q ! q0 , (q; ; q0) 2!. q ! means that 9q0 2 Q : q ! q0. If s = 1; 2; : : : ; n is a string (sequence of events), s denotes the set of actions occurring in s. Moreover, q !s q0 denotes that 9q1; q2; : : : ; qn 1 2 Q such that, q !1 q1 !2 : : : qn 1 !n q0. q ! q0 denotes that q0 is reachable from q (i.e. q !s q0 for some s 2 ), and q !E q0 holds if s E. We denote by Enable(q) the set of events s.t. q !, for a set of states Q0 Q, EnableE (Q0) denote the set of enabled events from the set of states Q0, i.e.
An execution from the initial state q0 of an LTS G is a finite sequence of transitions = q0 !1 q1 : : : !n qn. The event-trace of , denoted by T r( ), is the sequence of events 1; : : : ; n, [i] stands for the prefix of truncated at state qi, i.e., [i] = q0 !1 q1 : : : !i qi and last( ) represents the last state of . The set of finite executions of LTS G from the initial state q0 is denoted by Runs(G). The behaviour of G is described by its language L(G) = fs 2 jq0 !sg. As we are interested in diagnosis issues, partial observation plays a central role. In this regard, some events in are observable, i.e. their occurrence can be observed, while the rest are unobservable. Thus, the event set can be partitioned as = o U u, where o denotes the set of observable events and u the set of unobservable events. To reflect the limitation on observation, we define the projection function P : ! o. In the usual manner, P ( ) = for 2 o; P ( ) = for 2 u, and P (s ) = P (s)P ( ), where s 2 , 2 . Thus, P simply erases the unobservable events in any event-trace. The inverse projection operation PL 1 is defined by PL 1(y) = fs 2 L(G) : P (s) = yg. Any two executions and 0 are called indistinguishable with respect to the projection function P if they can generate the same observed event-trace. With a slight abuse of notation, we write P ( ) = P ( 0) if and 0 are indistinguishable.
In the context of fault diagnosis, let f u denote the set of failure events. They are usually represented using unobservable events, since their detection and diagnosis would be trivial if they were observable. We partition the set of failure events into disjoint failure classes f = f1 U f2 U U fm , with fi denotes the failure class fi.
In this work, only diagnosability analysis of permanent faults is considered. Once a fault has occurred, the system remains irreparably faulty. We assume that the LTS G under consideration satisfies the following two assumptions: 1. The language generated by G is live, i.e. there is an executable transition from any state of the system. 2. The LTS G is finite, in term of the state space, and does not contain cycles formed only by unobservable events.
Diagnosability is an important property in the
monitoring and fault diagnosis activities. In simple
terms, it refers to the ability to infer accurately,
from a partially observed execution, about the
faulty behaviour within a finite delay after possible
occurrences of faults. The original definition of
diagnosability, introduced in the seminal work of
A prefix-closed and live language L is said to be diagnosable with respect to the projection function P and with respect to a failure class of faults f if the following holds (9ni 2 N) [8s 2 ( f )] (8t 2 L=s) [jtj ni ) D] where the diagnosability condition D is ! 2 P 1[P (s:t)] ) f 2 !. with ( f ) is the set of finite sequences that terminate with a faulty event from f .
The above definition means the following. Let s be any sequence generated by the LTS G that ends with a failure event from f , and let t be any sufficiently long continuation of s. Condition D then requires that every sequence ! belonging to the language that produces the same observable trace as sequence s:t (P (!) = P (s:t)) must hold a failure event from f . In other terms, diagnosability requires that every failure event leads to observations distinct enough to identify the failure type within a finite delay.
In order to analyse diagnosability,
Let G = hQ; ; !; q0i be an LTS to be diagnosed. A diagnoser of G is a deterministic LTS Gd = hX ; o; !d; X0i associated with a tagging function Diag : X ! 24, with 4 = fN; F g (for only one class of failures). with N means normal and F means faulty.
Each diagnoser state x has the form x = f(q1; l1); : : : ; (qn; ln)g, with qi 2 Q and li 2 4. If 8i = 1; : : : ; n, we have li = N (resp. li = F ), the diagnoser state x is said to be N-certain (resp. F certain), otherwise F -uncertain state.
For more details about the formal framework and
algorithmic procedure of constructing the diagnoser,
we refer the reader to the original paper
We define an f-indeterminate cycle in a diagnoser to be a cycle composed exclusively of F -uncertain diagnoser states and corresponding to the presence of two cycling traces, in the system, that sharing the same observable events, such that the faulty event f from the class f occurs in the 1st trace but not in the 2nd. The notion of f-indeterminate cycle is very important, since it helps to give a necessary and sufficient condition for diagnosability analysis.
and only if there are no f-indeterminate cycles in its diagnoser Gd for any class of faults f .
Let us consider the LTS G in Figure 1 (adapted from
The diagnoser Gd corresponding to the LTS G is depicted in Figure 2. There exists a cycle of f-uncertain states composed of f3F; 7Ng and f5F; 10F; 12Ng w.r.t. the observable sequence (bd) . This cycle corresponds to two cycles in the LTS G. The 1st one, which is composed of states f3g; f4g; f5g w.r.t. the sequence (bud) , which is reachable from the faulty sequence fa. The 2nd cycle, which is composed of states f7g; f11g; f12g and reached by the fault-free sequence a. Thus we can infer, according to Theorem 1, that there exists an f-indeterminate cycle in the diagnoser and consequently the LTS G is not diagnosable w.r.t. to faulty class f and the projection function P . start f1Ng a f3F; 7Ng d
b f6F g t f5F; 10F; 12Ng
t It is worth noticing that the diagnoser can be used either off-line to check diagnosability or on-the-fly by connecting it to the system in order to provide on-line diagnosis upon the occurrence of observable events.
In this section, we present the so-called symbolic
observation graph
Consider the LTS G = hQ; ; !; q0i with = o U u. An aggregate a is a non empty set of states satisfying: q 2 a , Saturate u(q) a; where Saturate u(q) = fq0 2 Qjq ! u q0g.
In the following, Saturate u is extended to sets of states as follows: Saturate u(Q0) =
hA; o; ! o; a0i where: 1. A is a finite set of aggregates such that: a) There is an aggregate a0 2 A s.t. a0 =
Saturate u(q0); b) For each a 2 A and for each 2 o, if 9q 2 a, q0 2= a: q ! q0 then Saturate(fq0 2= aj9q 2 a; q ! q0g) equals a0 for some aggregate a0 and (a; ; a0) 2! o; 2. ! o A o A is the transition relation, obtained by applying 1:b).
The SOG can be constructed by starting with
the initial aggregate a0 and iteratively adding new
aggregates as long as the condition of 1:b) holds
(see
In this section, we discuss how the SOG is used in
order to build a hybrid diagnoser and we provide an
on-the-fly algorithm to construct the hybrid diagnoser
and to verify diagnosability simultaneously.
The underlying idea behind using SOG for
diagnosability analysis is basically to tackle the state
explosion phenomenon raised when building the
diagnoser. It is worth recalling here that the
Sampath’s diagnoser is computed with an exponential
complexity regarding the state space of the model
Using the results of Section 4, we would use the SOG to perform a hybrid diagnoser construction. In order to capture the feature of analysing diagnosability which is tracking the ambiguous behaviour of the system, i.e. normal and faulty executions which share the same observable events, we modify the structure of the aggregate, introduced in Definition 4, by splitting the set of states (managed using BDDs) into tow sets of states in the same aggregate: one set contains normal states, i.e. states reachable by fault-free sequences, and the other contains faulty states, i.e. states reachable by sequences containing one (or more) faulty events. Both of sets are represented and managed using BDDs.
Figure 3 depicts the general form of a diagnoser aggregate where two BDDs represent two sets of states; BDDn represents the set of normal states, while BDDf represents the set of faulty ones. The set of faulty states may be reached from the set of normal states by the occurrence of a faulty event, and thus a faulty transition form BDDn to BDDf may exist in any diagnoser aggregate. Depending on the executed behaviour, i.e. the executed sequence, the diagnoser aggregate may contain the two sets of states (BDDs) or only one set. If a diagnoser aggregate contains only BDDn (resp. BDDf ), it is called an N-certain (resp. F -certain) diagnoser aggregate, else it is an F -uncertain diagnoser aggregate in the same way as in the classic diagnoser (Definition 3).
The dashed arrows show the different possibilities that a transition from a diagnoser aggregate can produce. For instance, observable event b enabled by the diagnoser aggregate can be enabled from both normal and faulty sets or from only one set. This feature will be considered during the on-the-fly construction of our hybrid diagnoser, since we do not need to construct the diagnoser aggregates reached through an observable event from only the faulty set of an aggregate. Moreover, this information will be used to establish some heuristics that prioritizing the branches to be followed while building the hybrid diagnoser. Consider an LTS G = hQ; ; !; q0i with = o U u and f u. A diagnoser aggregate a = hQn; Qf i is a non empty set of states satisfying: 1. 8q 2 Q s.t. q0 f! q (i.e. q is reachable by a faulty sequence): q 2 a , Saturate u (q) a:Qf ; 2. 8q 2 Q s.t. q0 ! n f q (i.e. q is reachable by a fault-free sequence): q 2 a , Q0 = Saturate un f (q) a:Qn ^ Saturate u (Img(Q0; f ) a:Qf . 3. 8q; q0 2 a; 9s; s0 2
P (s) = P (s0) s0 , s.t. q0 !s q, q0 ! q0, and with Saturate un f (q)=fq0 2 Qjq ! un f q0g, and Img(Q0; f )=fq0jq 2 Q0 : q !f q0g, i.e. it returns the set of immediate successors of states in Q0 through the occurrence of event f .
a:Qf ) the set of normal (resp. faulty) states in an aggregate a.
We now introduce the hybrid diagnoser which is a modified SOG built from the LTS model G.
LTS G is a modified SOG h ; o; !SOG; 0i.
is a finite set of diagnoser aggregates. 0 is the initial diagnoser aggregate with; a) b) 0.Qn = Saturate un f (q0); 0.Qf =Saturate u (Img( 0:Qn; f )). 3. !SOG o defined as below,
is the transition relation, 8a; a0 2 , 2 o s.t.
2 Enable(a:Qn [a:Qf ): a !SOG a0 , a0:Qn= Saturate un f (Img(a:Qn; )) ^ a0:Qf =Saturate u (Img(a0:Qn; f ) [
Img(a:Qf; )) To summarize, the hybrid diagnoser DSOG(G) is constructed as follows: let the current aggregate of the diagnoser be a, and the next observed event be . The target diagnoser aggregate a0 of the hybrid diagnoser is computed following these rules: 1. If
2 Enable(a:Qn) \ Enable(a:Qf ) then: a. a0:Qn = Saturate un f (Img(a:Qn; )). b. a0:Qf =
Saturate u (Img(a0:Qn; f )
Img(a:Qf; )). a. a0:Qn = Saturate un f (Img(a:Qn; )). b. a0:Qf = Saturate u (Img(a0:Qn; f )). 3. If
2 Enable(a:Qf )nEnable(a:Qn) then: a. a0:Qn = ;.
b. a0:Qf = Saturate u (Img(a:Qf ; )).
These rules preserve a specific fault propagation. From an F -uncertain diagnoser aggregate, we can reach either another F -uncertain, an F -normal or an F -certain diagnoser aggregate, from an N certain diagnoser aggregate, we can reach either another N -certain diagnoser aggregate or an F uncertain one, and finally from an F -certian diagnoser aggregate, we can reach only another F certain diagnoser aggregate, which depicts exactly the hypothesis of permanent failures. Figure 4 illustrates these points.
N -certain
F -uncertain
F -certain
noser associated with the LTS of Example 1, depicted in Figure 1. As it is intended to construct the hybrid diagnoser on-the-fly, it is more convenient to represent the hybrid diagnoser as a tree-like structure.
of the LTS and the state 2 reachable from state
diagnoser aggregates (2) and (3) contain two sets
of states (each one is represented by a BDD).
After the occurrence of event d we reach diagnoser
aggregate (4), which is the same as diagnoser
aggregate (2) thus, there exists a cycle on the
hybrid diagnoser composed of aggregates (2) and
(3) by executing the observable event sequence
(bd) . Diagnoser aggregate (5) is reached after the
occurrence of event t and it contains only the set
of faulty states thus, it is an F -certain diagnoser
aggregate. As F -certain diagnoser aggregates are
not necessary to analyse diagnosability, in
on-thefly constructing of the hybrid diagnoser, we do
not construct them. Indeed, one knows that all
the subsequent aggregates will be F -certain as
well. Besides, computing such aggregates is not
necessary for online diagnosis.
We recall that our goal is to avoid the state-explosion
problem, not only by providing this compact form
(SOGs) to build the hybrid diagnoser but also by
constructing the hybrid diagnoser on-the-fly and
verifying diagnosability simultaneously. Constructing
the hybrid diagnoser on-the-fly serves to avoid
generating the whole state space of the diagnoser
even if the system is diagnosable, i.e. as we deal
with permanent faults, we do not need to construct
the part, of the hybrid diagnoser, containing only F
certain diagnoser aggregates since such a part is not
necessary for analysing diagnosability (see
Hereafter, we provide the SOG-based algorithm needed for on-the-fly construction of the hybrid diagnoser. The following function and data structures are used:
Img(S; t), as described previously, returns the set of immediate successors of the states of a set S through the occurrence of event t.
OBDDs (Ordered Binary Decision Diagram) are used to represent the sets of states belonging to an aggregate, i.e. the set of normal states and the set of faulty states in an aggregate. This task is performed by the function Reduce().
The hybrid diagnoser is represented by a standard graph representation with a set of vertices, namely V , and a set of edges, namely E, connecting these aggregates and labelled with observable events.
EnableObs(S) returns the set of observed events that are enabled by at least one of the states in set S.
Saturate i (), as defined before, computes the various states reached through events from set i.
Stack is an ordered set of 5-uplet, which contains two sets of states (Sn; Sf ) and three sets of events (Evtf ; Evtn; Evt) with Evt = (Evtn [ Evtf )n(Evtn \ Evtf ).
IsU ncertain() is a function that returns Boolean value (true if the encountered cycle is composed of only f -uncertain diagnoser aggregates and f alse otherwise).
IsIndeterminate(): is a function that returns Boolean value (true if the existing cycle is an f indeterminate cycle and f aulse otherwise. This function will be discussed later.
RemoveLast(S) is an operation that removes, then returns, the last event of a set S.
For the sake of simplicity, we consider that f contains only one faulty event, generalization to a set of faulty events is straightforward.
The initialization step (lines 1-11) serves to compute the initial diagnoser aggregate, handle it efficiently using OBDD (function Reduce()), and push it, associated with its enabled observable events, into the stack. The construction of the hybrid diagnoser is performed using a depth first exploration: As long as the stack in not empty, a new observable event t, enabled by the diagnoser aggregate a at the top of the stack, is removed from the set of enabled events (Evt) and then processed. If such an event does not exist, the corresponding aggregate is poped from the stack (lines 13-15). Otherwise, if the set Evtn of events enabled by the set of normal states Sn of the diagnoser aggregate a, is empty then the aggregate a is poped from the stack (lines 16 and 18). This step serves to avoid the construction of the subsequent F -certain diagnoser aggregates, i.e. since this part of the hybrid diagnoser is not necessary to analyse diagnosability.
The computation of the new aggregate a0, reachable through an observable event from aggregate a, is completed by saturation on the unobservable events (lines 20-26). If a0 has already been encountered (i.e. existence of a cycle) then the hybrid diagnoser is updated by adding a new edge (lines 27-28) and if the cycle is uncertain (i.e., contains only f -uncertain diagnoser aggregates), the function IsIndeterminate() is launched in order to detect whether there exists an f -indeterminate cycle or not (line 29-32). If the cycle is an f -indeterminate one then we output that the model is undiagnosable and we stop the diagnoser construction. Otherwise, construction is continued, a0 with its enabled observable events are pushed into the stack, and so on. When the stack is empty, then the necessary part of the diagnoser, for analysing diagnosability, is completely built, we output that the model is diagnosable.
As mentioned in Section 3, diagnosability analysis
is performed by searching two infinite executions
that share the same observed event-sequences
such that one sequence contains a faulty event
and not the other one. That means to search an
f -indeterminate cycle in the diagnoser
This task is performed by function
IsIndeterminate() in the Algorithm 1 (line 28)
which calls a specific function (path exists()) from
the digraph library
We emphasize that verification of the existence of f -indeterminate cycles is performed on-the-fly in parallel to the process of constructing the hybrid diagnoser, i.e. the process of constructing the hybrid diagnoser runs and when a cycle of F -uncertain diagnoser aggregates is found, we check whether this cycle corresponds to an f -indeterminate cycle or not. If it is the case (i.e. the cycle is an f indeterminate cycle), then the whole process is stopped and a negative verdict is emitted regarding diagnosability, else the building process is continued. Example 2 Let us take again LTS G of Figure 1 and its hybrid diagnoser (Figure 5). We have a cycle, in the hybrid diagnoser, composed of only F -uncertain diagnoser aggregates (2) (3). Once the algorithm of construction arrives at this cycle, we check if this cycle is an f -indeterminate one or not, before continuing the construction process. The cycle of f -uncertain diagnoser aggregates (2) (3) is reached by executing the observed event-sequence a(bd) .
Algorithm 1 On-the-fly algorithm to construct the hybrid diagnoser DiagSOG (LT S; o; u; f ); Diagnoser aggregate a; a0; Set of vertices V ; Set of edges E; Set of Events Evtn; Evtf ; Evt; Set of states Sn; Sf ; Sn0; Sf0 ; Stack st = ;; 1: Sn = Saturate unf (q0); 2: Sf = Img(Sn; f ); 3: if (Sf 6= ;) then 4: Sf = Saturate u (Sf ); 5: end if 6: a = hSn; Sf i; 7: Reduce (a; u); 8: V = a; E = ;; 9: Evtn = EnableObs(Sn); 10: Evtf = EnableObs(Sf ); 11: st.Push(hSn; Sf ; Evtn; Evtf ; Evti; 12: while (st 6= ;) do 13: hSn; Sf ; Evtn; Evtf ; Evti = st.Top(); 14: if Evt = ; then 15: hSn0; Sf0 ; Evtn; Evtf ; Evti = st.Pop(); 16: else 17: if (Evtn = ; then 18: hSn0; Sf0 ; Evtn; Evtf ; Evti = st.Pop(); 19: else 20: t = RemoveLast(Evt); 21: Sn0 = Img(Sn; t); 22: Sn0 = Saturate unf (Sn0); 23: Sf0 = Img(Sf ; t) [ Img(Sn0; f ); 24: Sn0 = Saturate u (Sf0 ); 25: a0 = hSn0; Sf0 i; 26: Reduce (a0; u); 27: if (9w 2 V j w = a0); then
E = E [ a !tSOG w; if (IsU ncertain()) then if (IsIndeterminate()) then
return UNDIAGNOSABLE; end if end if else
V = V [ fa0g; 36: E = E [ a !tSOG a0; 37: Evtn = EnableObs(Sn0); 38: Evtf = EnableObs(Sf0 ; 39: st.PushhSn0; Sf0 ; Evtn; Evtf ; Evti; 40: end if 41: end if 42: end if 43: end while 44: return DIAGNOSABLE;
corresponds to two event-sequences: 1. The faulty sequence f a(bud) that leads to a cycle composed of states 3, 4, and 5. 2. The fault-free sequence a(bud) that leads to a cycle composed of states 7, 11, 12.
diagnoser, composed of diagnoser aggregates (2) and (3) is an f -indeterminate cycle. Thus, we stop constructing the hybrid diagnoser and we output that
Our algorithm for constructing the hybrid diagnoser is based on a depth-first search (DFS) to investigate the state space (diagnoser aggregate in the developed tree-like structures) execution by execution. Generally, no rules are defined to select the execution to be investigated first, i.e. the order of execution exploring is arbitrary. However, as we deal with diagnosability analysis, in our case, the diagnoser aggregate structure provides some information that can be exploited to direct the search in such a way as to increase the chances of quickly obtaining a diagnosability verdict by exploring the most promising executions at first.
When we deal with diagnosability analysis, the interesting executions of the system are those which share the same observed event-sequence such that some of them contain a faulty event and the others are fault-free. This is reduced to track the observed event-sequences, in the hybrid diagnoser, leading to F -uncertain aggregates. Generally, there exists three types of enabled transitions from any aggregate, as depicted in Figure 6.
1. Transitions enabled only by states from the faulty set (Figure 6.(a)). As said before, this type of branches will not be explored. 2. Transitions enabled only by states from the normal set (Figure 6.(b)). In this case, we need to continue the construction since other faults may occur in the future. 3. Transitions enabled from both normal and faulty sets (Figure 6.(c)). In this case, the reached diagnoser aggregate will be certainly F -uncertain.
This last type of transitions is the most-promising to find an f -indeterminate cycle since we know, a priori, that the new diagnoser aggregate will be certainly an f -uncertain aggregate, contrary to the other above cases. Thus, it will be the first to be explored in order to direct the construction of the hybrid diagnoser and to potentially speed up the verification process. We note that in the actual version of the algorithm, this heuristic strategy is not implemented.
In the literature, there are several diagnoser-based
approaches for analysing diagnosability inspired
from the seminal work of
The approach proposed in this paper, takes
advantage from these two last approaches (i.e.,
In this work, we have developed an on-the-fly approach for diagnosability analysis, based on a hybrid diagnoser. The approach is based on the symbolic observation graph (SOG), which is a paradigm that combines symbolic and enumerative representations in order to build a deterministic observer from a partially observed model. The approach aims to improve the efficiently in terms of runtime and memory resources when analysing diagnosability.
Several future directions are considered. First, we wish to make experimentations over casestudies in order to assess the efficiency and the scalability of our approach and also to compare the obtained results with those provided by other existing approaches. Then, we will investigate some other practical versions of diagnosability, namely K-diagnosability and Kmin-diagnosability. Finally, we intend to extend the proposed approach for analysing diagnosability based on the verifier approach by means of a non deterministic version of the symbolic observation graph.