shahin hashtrudi zadshahin hashtrudi zad -4 thesis submitted in conformity with the requirements for...
TRANSCRIPT
FAULT DIAGNOSIS IN
DISCRETE-EVENT AND HYBRID SYSTEMS
Shahin Hashtrudi Zad
-4 thesis submitted in conformity with the requirements
for the degree of Doctor of Philosophy
Graduate Department of Electrical and Cornputer Engineering
University of Toronto
@ Copyright by Shahin Hashtrudi Zad 1999
National Library 1+1 of Canada Bibliothèque nationale du Canada
Acquisitions and Acquisitions et BibtiographicSewices sewicesbibliographiques
395 Wellington Street 395. rue Wdlingtori OttawaON KtAON4 OitawaON K t A W Canada CaMda
The author has granted a non- exclusive Licence allowing the National Library of Canada to reproduce, loan, distribute or seil copies of this thesis in microform, paper or electronic formats.
L'auteur a accordé une licence non exclusive permettant à la Bibliothèque nationale du Canada de reproduire, prêter, distribuer ou vendre des copies de cette thèse sous la forme de microfiche/film, de reproduction sur papier ou sur format électronique.
The author retains ownership of the L'auteur conserve la propriété du copyright in this thesis. Neither the droit d'auteur qui protège cette thèse- thesis nor substantial extracts fiom it Ni la thèse ni des extraits substantiels rnay be printed or otherwise de celle-ci ne doivent être imprimés reproduced without the author's ou autrement reproduits sans son permission. autorisation.
Fault Diagnosis in Discrete-Event and Hybrid Systems
Doctor of Philosophy
1999
G raduat e Depart ment of Elec t rical and Computer Engineering
University of Toronto
Abstract
,A framework for on-line passive fault diagnosis in discrete-event systems is pro-
posed. En this approach, the system and the diagnoser (the fault detection system)
do not have to be initialized a t the sarne time, and no information about the state or
even the condition (failure status) of the systern before the initiation of diagnosis is
required.
First, a state-based approach for fault diagnosis in finite-state automata is pre-
sented. The design of the fault detection system has, in the worst case, exponential
time complexity. A model reduction scheme with polynomiai time complexity is intro-
duced to reduce the computational complexity of the design. Next the use of timing
information to improve the accuracy of diagnosis is considered. Instead of directly
estending the framework to timed discrete-event systems, an alternative approach
is taken which leads to significant reduction in on-line computing requirements, and
in many cases, in the size of the diagnoser a t the expense of more off-line design
calculations. The issue of diagnosability of failures in this framework is also studied
and necessary and sufficient conditions for diagnosability are derived.
In addition, the cases where the discrete-event models used in fault diagnosis are
abstractions of hybrid automata are studied. Here, the important issue is mhether the
discrete-event model contains enough information about the system for the purpose of
fault diagnosis. In this regard, two different notions of consistency between high-level
(discrete-event) and low-level (hybrid) models are introduced. Sufficient conditions
for consistency are derived and a semi-algorithrnic method for constructing suitable
high-level discrete-event models from low-level hybrid systems is developed.
Acknowledgement
1 would like to thank my supervisor, Professor Raymond Kwong, for his invaluable
support and guidance throughout this work. Many thanks to Professor W. Murray
Wonham whose insightful comments and observations have been extremely helpful.
Special thanks to my friends in the Systems Control Group, in particular Peyman
Gohari and Steve Postma, for interesting and inspiring discussions.
This work was supported in part by -4lliedSignal Aerospace Canada. Their s u p
port is gratefully acknowledged.
1 would like to express my deepest gratitude to my family? especially my parents,
for their love and support. This work is dedicated to them.
Contents
1 Introduction 1
1.1 Thesis Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2 Fault Diagnosis in Finite-State Automata 9
2.1 Plant Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2 Diagnoser 13
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.3 Diagnosability 19
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.4 Mode1 Reduction 30
. . . . . . . . . . . . . . . . . . . . . . . . . . . 2.5 Simultaneous Failures 37
3 Fault Diagnosis in Timed Discrete-Event Systems 44
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1 Plant Mode1 45
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.2 Diagnoser 58
. . . . . . . . . . . . . . . . . . . . . . . . . . . 3.3 Time-Diagnosability 88
4 Fault Diagnosis and Consistency in Hybrid Systems 99
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.1 Plant Mode1 100
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.2 Diagnoser 109
. . . . . . . . . . . . . . . . . . . . . 1.3 Diagnosability and Consistency 112
. . . . . . . . . . . . . . . . . . . . . . . 4.4 Consistent Adode1 Reduction 114
5 Conclusion 134
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Summary 134
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.2 Future Research 136
List of Figures
2.1 Example 2.1. -4 heating system . . . . . . . . . . . . . . . . . . . . . . 11
2.2 Example 2.1. DES mode1 of the heating system . . . . . . . . . . . . . 12
2.3 System and diagnoser . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.4 zk+l = C(zki ZJ~+~ ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
. . . . . . . . . . . . . . . . . . . . . . . . . . 2.5 Example 2.1. Diagnoser 17
2.6 ExampIe 2.1. Part of the diagnoser . . . . . . . . . . . . . . . . . . . . 17
2.7 Single-failure scenario wïth permanent failure modes . . . . . . . . . . 20
. . . . 2.8 Example of an F-uncertain cycle which is not F-indeterminate 23
2.9 With zo = {O): F wiil be diagnosable . . . . . . . . . . . . . . . . . . . 25
2.10 Example 2.2. Pump and Valve . . . . . . . . . . . . . . . . . . . . . . 27
2.1 1 Example 2.2. DES models of components . . . . . . . . . . . . . . . . 21
. . . . . . . . 2.12 Example 2.2. DES mode1 of the pump and valve system 28
2.13 Example 2.2. Diagnoser . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2.14 Pzk = Zk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
. . . . . . . . . . . . . 2.15 Simultaneous occurrence of permanent failures 38
. . . . . . . . 2.16 Example 2.3. DES mode1 of the pump and valve system 41
3.1 TDES and the corresponding timed FSM.4 . . . . . . . . . . . . . . . 53
3.2 Example 3.1. A simple TDES . . . . . . . . . . . . . . . . . . . . . . . 55
3.3 Example 3.1. Timed FSM.4. . . . . . . . . . . . . . . . . . . . . . . . 55
3.4 Example 3.2. -4 neutralization process . . . . . . . . . . . . . . . . . . 56
3 Example 3.2. Activity transition graph . . . . . . . . . . . . . . . . . . 59
3.6 Example 3.2. TDES mode1 . . . . . . . . . . . . . . . . . . . . . . . . 60
. . . . . . . . . . . . . . . . . . . 3.7 Example 3.2. Timed FSMA (Part 1) 62
. . . . . . . . . . . . . . . . . . . 3.8 Example 3.2. Tirned FSMA (Part 2) 63
. . . . . . . . . . . . . . . . . . . . . . . . . . . 3.9 System and diagnoser 65
. . . . . . . . . . . . . . . . . . . . . . . . . . 3.10 Example 3.1. Diagnoser 69
. . . . . . . . . . . . . . . . . . . . . . . . . . 3.1 1 Example 3.2. Diagnoser 72
. . . . . . . . . . . . . . . . . . . . 3.12 Using predictions in fault diagnosis 75
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.13 Example 3.1. G: 79
. . . . . . . . . . . . . . . . . . . . . . . . . 3-14 Proof of Thm . 3.6. Case 1 84
3.15 Proof of Thm . 3.6. Case 2 . T' stands for complex T transition and a # T' . 83
. . . . . . . . . . . . . . . 4.1 Evolution of the state of the hybrid system
4.2 Examples of boundaries: BI. = {(el, & 1 cl = c & b < c2 < a) and
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . Bl.2.3.4={(bi~) 1. . . . . . . . . . . . . . . . . . . . 4.3 Hybrid system before transformation
. . . . . . . . . . . . . . . 4.4 Case 1 . Hybrid system after transformation
. . . . . . . . . . . . . . . 4.5 Case 2 . Hybrid system after transformation
. . . . . . . . . . . . . . . . . . . . . . . . . 4.6 Esample 4.1. Water tank
. . . . . . . . . . . . . . . . . . . . . . . . . . 4.7 Example 4.1. Controller
. . . . . . . . . . . . . . . . . . . . . 4.8 Example 4.1. Hybrid automaton
4.9 Example 4.1. Transformed hybrid automaton . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . 4.10 Example 4.1. Diagnoser
. . . . . . . . . . . . . . . . . . . . 4.11 Hierarchy of models and diagnosers
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-12 riw = 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.13 Pzk = Zk
. . . . . . . . . . . . . . . . . . . . . . 4.14 Example 4.1. High-level mode1
. . . . . . . . . . . . . . . . . . . . 4.15 Example 4.1. High-level diagnoser
. . . . . . . . . . . . . . . . . . . . . 4.16 Example 4.2. Hybrid automaton
4.17 Example 4.2. State trajectories of the hybrid system . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . 4.18 Example 4.2. The high-level DES Gi 4.19 Example 4.2. The high-level DES G2 . . . . . . . . . . . . . . . . . . .
4.20 Neighbouring blocks B1 and B2. - . . - . . . . - . . . . . . . . . . . 132
vii
List of Tables
2.1 Example 2.1. Reachability transition system . . . . . . . . . . . . . . . 16
. . . . . . . . . . . . . . 2.2 Example 2.2. Reachability transition system. 28
2.3 Example 2.1 Reduced reachability transition systern . . . . . . . . . . 34
2.4 Example 2.3. Reachability transition system . . . . . . . . . . . . . . . 42
2.5 Esample 2.3. Diagnoser . . . . . . . . . . . . . . . . . . . . . . . . . . 42
3.1 Example 3.2. Events and their time bounds . . . . . . . . . . . . . . . 57
3.2 Example 3.2. Output and condition maps of TDES . . . . . . . . . . . 61
3.3 Example 3.1. Tirned reachability transition systern . . . . . . . . . . . 68
3.4 Example 3.2. Timed reachability transition system- . . . . . . . . . . 71
4.1 Example 4.1. Output map . . . . . . . . . . . . . . . . . . . . . . . . . 108
4.2 Example 4.1. Reachabiiity transition system . . . . . . . . . . . . . . . 112
4.3 Example 4.1. Reacbability transition system for the DES mode1 . . . . 125
viii
Chapter 1
Introduction
Fault detection systems play a crucial role in protecting life and propertl-, and in
increasing operational time and productivity. Therefore, they are of paramount im-
portance in aerospace, manufacturing and process industries. A significant portion of
the "control" code in real-world systems (up to 80% in some cases) is dedicated to
test and diagnosis (91. Solving diagnostic problems for complex systems is a cornpli-
cated task requiring a systematic approach. Systematic diagnosis code generation is
less prone to hiiman error than manual code generation. In addition to enhancing the
reliability and accuracy of diagnosis, the use of systematic approaches can potentially
result in faster design process and in reduction in the cost of future revisions and
maintenance of diagnosis code. As a result, fault diagnosis has been the subject of
extensive research (see, e.g., 1121, 1211, [26], [27]).
In this work, a failure (fault) l refers to a nonperrnitted deviation in the be-
haviour of the system under supervision (or a component of the system) for a bounded
or unbounded period of time under specified operating conditions. A valve becoming
stuck-closed, decrease in the efficiency of a heat exchanger, bias in the output of a
sensor. and leakage in pipelines are examples of failures. If after the occurrence of
a failure, the system remains in the faulty condition indefinitely? then the failure is
called permanent (hard). Othenvise, it is nonpermanent. -4 broken shaft in a
'In this thesis, "failure" and "fault" mean the same and are used interchangeably. In the Iitera- ture, however, they can have slightly different meanings [21].
motor is an example of a permanent failure and a loose wire could be the source of
nonpermanent failures in an electrical system.
A typical fault diagnosis system uses the outputs of the sensors of the system
under supervision to detect the faiiure and (if necessary) isolate (locate) the source
of failure. Once a failure is detected, a decision has to be made as to how i t should
be accommodated. Failure accommodation may include a reconfiguration of the
(control) system. Here, we address only the problem of fault diagnosis and leave the
issue of failure accommodation for future research.
In t bis t hesis, nTe examine fault diagnosis in systems t hat , for diagnostic purposes,
can be modelled as discrete-event systems (DES). We consider two types of failure:
(i) drastic failures, such as "valve stuck-closed" and 'kensor short-circuited" , and (ii)
partial failures that result in change in timing characteristics, such as "valve sticking .
Other types of partial failures such as drift in sensor or small changes in dynamics
of actuators are not considered here because they are difficult to model in a DES
framework.
\Ve concentrate on on-line passive diagnosis only; i.e., the system under super-
vision is operational and the fault detection system does not use test inputs for
diagnosing failures but relies solely on output signals.
One of the commonly-used techniques for fault diagnosis is "hardware redun-
dancy" in which multiple sensors (usually three) are used for measuring each plant
variable. The outputs of the sensors measuring the same variable are compared to
determine the plant variable and to detect sensor failures. This method is simple and
fairly d iable , though expensive and of no use in detecting common-cause failures.
Lvloreover, it is only suitable for detecting sensor failures.
Expert systems are also used for diagnosing failures. These systems use the ex-
perience and knowledge of experts (stored as a set of rules) and an inference engine
to diagnose failures. Espert systems are particularly useful in cases where it is hard
to obtain a model for the plant. Gathering the expertise and knowledge required for
building an expert system is usually not an easy task. Furtherrnore, there will be no
guaran tee for the completeness of the resulting diagnostic rules.
In the above techniques, the plant's model is not used in diagnosis. In addition
to model-fkee methods, several model-based techniques for fault diagnosis have
been proposed in the Iiterature. In a model-based method, the observed behaviour
of the plant is compared with that expected from the plant's model. Based on this
comparison, an inference is made about the condition (normal/faulty) of the plant.
It should be noted that obtaining a model for the normal and faulty behaviours of a
system could be difficult (if not impossible) and time consuming. Here it is assumed
that al1 of the different ways in mhich the s y t e m can fail are knom. Finding these
failure modes is perhaps the most challenging problem in hazard analysis. Systematic
model-based diagnostic techniques do not directly help us with this problem. How-
ever. a t least they guarantee that none of the known failure modes will be left out in
the design process.
Some of the model-based techniques which are suitable for diagnosing failures in
discrete-event systems are described in the following. By far, fault-tree analysis [19]
seerns to be the most popular approach. Fault trees can be synthesized automati-
cally. They provide a pictorial display of the system which can be easily read and
understood. However, they have certain limitations: it is difficult to incorporate in-
formation about ordering and timing of events in a fault tree [21]; moreover, problems
arise in the analysis of systems that go through more than one phase of operation
[20]: also, there seems to be no way of treating common-cause failures resulting from
fault propagation (domino effects) using fault trees [20].
In [14], for failure detection, the timed event sequence generated by the DES under
supervision is compared with a set of specifications for normal operation, called tem-
plates. This technique, which relies on sequencing and timing relationships, is suit able
for fault detection in certain high-speed manufacturing lines where the plant can be
modelled as a set of an unspecified number of tirned automata operating in parallel
and independent of each other. It is shown [14], [25] that under certain restrictions7
templates can be used for fault detection. Failure isolation and diagnosability have
not been addressed in [14] and [25] .
In [28] and [17], the dynamics of the plant under supervision is modelled with
state-space equations, with components of the state vector belonging to finite sets.
The state equations are described using predicates on the components of the state
vector and inputs to the system.
In [l?], fault detection and isolation has been examined under the strong assump
tion that changes in the state of the system are observable. A fault is called detectable
if there exist values for state and input that would lead to the detection of the fault in
a finite number of steps. This definition of detectable faults, and the corresponding
definition for isolatable faults, seem to be suitable for active diagnosis. Algorithms
for the verification of detectability and computation of the inputs required for fault
detection are obtained under the strong assumption that failures only affect sensor
maps (and not the dynamics of the system's state). Failure isolation has also been
studied under the same assumptions. Moreoc-er, a procedure for partitioning faults
into sets of indistinguishable faults has been derived. Compared with the descriptions
based on state transition graphs, representations of the system's dynamics and the
diagnosis algorithms with predicates could be more compact, though somewhat dif-
ficul t to interpret. However, they could potentially result in efficient computer code
for diagnosis system design.
Finite-state automata have also been used in the study of diagnostic problems.
The use of finite-state automata and the corresponding state transition diagrams
make the design and maintenance of complex control and diagnostic systems easier
(see. e.g.. [ I l ] ) and it appears that these models match the interna1 models many
people use in trying to analyze and understand complex systems (Ch. 14 of [21]). It
is also straightforward to capture the ordering of events using finite-state automata.
-4 problem associated mith using automata is the computational complexity.
In [22], a state-based approach is used for the study of fault diagnosis. In a
state-based approach, it is assumed that the state set of the system can be parti-
tioned according to the condition (failure status) of the system. The problem of fault
diagnosis is to use measurements (sensor readings) to determine the partition that
the state belonged to (hence, the condition) a t the time the last measurement was
received. In [22], first an off-line diagnosis problem is studied where the state of the
system is assumed fixed during diagnostic tests, and output measurements are used
for failure detection and isolation. The concept of testability is also introduced and
studied. An active on-line diagnosis problem has been studied in [22]. In this case,
input test sequences for fault diagnosis are computed. Furthermore, the notion of
on-line diagnosability is introduced.
In [29] and [30], passive on-line diagnosis is studied using an event-based frame-
work: based on observed events, inference is made about the occurrence of (unob-
servable) failure events. Diagnosability of faiIures is also studied. In this approach, a
failure is called diagnosable if it can be detected and isolated after the occurrence of
at most a bounded nurnber of events following the failure. This framework has been
extended to utilize information about the timing of events [4]. Integrated approaches
to fault diagnosis and supervisory control have also been studied in an event-based
framework in [5] and 1311.
We note that testing of finite-state machines [18] is related to fault diagnosis.
However. the framework used for that purpose is different: the finite-state machines
are usually assumed to be deterministic with a iked condition (faiIure status); also
i t is assumed that transitions can always be observed even if they do not result in a
change in output. These assumptions often do not hold in fault diagnosis of control
systems.
1.1 Thesis Outline
In Chapter 2, we present a state-based approach for passive on-line diagnosis of
finit e s t ate automata. The resulting fault diagnosis system, also caIled diagnoser,
is a finite-state machine that takes the output sequence of the system as input and
generates a t its output an estimate of the condition (failure status) of the system. The
diagnoser, as a finite-state machine, can be automatically translated into cornputer
code. In this way, code generation becomes automated. There are similarities between
our wvork and the event-based approach of [29]. However, Our framework seems to us
to be simpler and the diagnoser is easier to compute. Moreover, wve do not assume
that the piant and the diagnoser are initialized a t the sarne time. Knowledge of the
state and even the condition of the plant (normal/faulty) a t the time the diagnoser is
initialized are not required. This means that our method can be used for diagnosing
failures that could have occurred before the initiation of diagnosis. We show that
any problem in an event-based frarnework can be recast as a problem in the s t a t e
based framework presented here. We also introduce a model reduction scheme with
polynomial time comple.uty to reduce the computational complexity of designing
the diagnoser, which has exponential time complexity in the worst case. To Our
knowledge, the use of model reduction in the design of a diagnoser has not been
studied previously in the DES literature.
We also study failure diagnosability. In our framework, a failure is diagnosable
if it can be detected and isolated after the occurrence of a t most a bounded number
of events following both the occurrence of failure and initialization of the diagnoser.
Note that in our framework, the diagnosis rnight be initiated ajler the occurrence of
failure. We obtain necessary and sufficient conditions for diagnosability.
The diagnoser of Chapter 2 uses changes in the output sequence to detect and
isolate failures. In many cases, however! a failure changes only the timing of the
output sequence (rather than the sequence). In other cases, as a result of failure,
the system stops generating nem output syrnbols. In these situations, timing infor-
mation can be used to increase the accuracy and speed of diagnosis. In Chapter 3,
we extend our state-based framework to incorporate timing information. We assume
that the system can be modelled as a timed discrete-event systern (TDES). Timed
discrete-event systems can be used for capturing timing information in a useful range
of problems in control engineering in a reasonably simple fashion [3]. This is accom-
plished by describing the sequence of events occurring in the system with respect to
the ticks of a global clock. For the purpose of fault diagnosis in TDES, it is possible
to adopt our diagnosis theory for finite-state autornata simply by treating the clock
tick as an extra output signal. In (41, a similar method has been developed for the
extension of the event-based framework of [29]. This straightfonvard approach could
result in very large state sets for the corresponding diagnosers. In this work, hoivever,
ive have taken an alternative approach in which the process of updating the estimate
of the system's condition is perfomed only when a new output syrnbol is generated.
The update process uses the generated output symbols and the number of clock ticks
between them. No update a t clock ticks is required in this method. For fault diag-
nosis between two consecutive output symbols, we rely on predictions of the system's
condition. This results in significant reduction in on-line cornputing requirements,
and in many cases, in the size of the diagnoser, a t the expense of extra off-line de-
sign calculations. Moreover, we study failure diagnosability in TDES, introduce the
concept of time-diagnosability in Our framework and derive necessary and sufficient
c~ndit~ions for time-diagnosability.
In Chapter 2, it is assumed that the plant under supervision can be modelled, for
the purpose of fault diagnosis, as a discrete-event system. In many practical cases, the
DES may be a simplified model (i.e., abstraction) of a hybrid automaton (See [15], [2]
and references therein). A hybrid automaton is a system whose dynarnics is described
by a combination of differential (or difference) equations and a state transition graph.
In other words, it is a blend of continuous-variable and discrete-event models. In
fact, the state vector of a hybrid automaton contains both continuous and discrete
components. The continuous-variable part of the model describes the evolution of
the continuous components of the state vector while the discrete-event part models
changes in the dynamics of the continuotis part (resulting from failure for example).
Examples of these systems can be found in flexible manufacturing, process control
and aerospace systems.
Typically, the design of a diagnosis system, which is based on a simplified discrete-
event model, is verified through simulation and test under a large (though finite)
number of operating conditions of the hybrid system. In Chapter 4: we consider
the development of a more systematic approach to the above verification problem.
Tomards this end, we first extend Our framework for fault diagnosis in DES to hybrid
systems. This framework forms a basis for examining the question of whether a high-
leveI DES contains enough information about the low-level hybrid model, which in
turn, will lead to the introduction of the notion of consistency between the high-
level and low-level models. The high-level and low-level models are called consistent
if the analysis and design based on the high-level model yields the sarne results as
that perforrned a t the low level. l e then provide a set of sufficient conditions for
consistency. The above notion of consistency is somewhat restrictive and, in fact, too
strong. In order to be able to build suitable high-level (DES) models for a larger
class of hybrid automata, we introduce the notion of weak consistency. This will
result in a semi-algorithmic method for obtaining suitable high-level models. This
technique consists of a trial-and-error sequence involving building high-level models.
At each step. a weakly consistent hi&-level model is built and checked if it is suitable
for fault diagnosis. Weakly consistent models are easier to construct than consistent
ones. Unfortunately, in general, no guarantee exists for the finite termination of the
above design sequence.
Finally, in Chapter 5, we present a summary of our results and discuss directions
for future research.
Chapter 2
Fault Diagnosis in Finite-State
Automata
In this chapter, we propose a framework for diagnosing failures in finite-state au-
tomat a. Many systems in aerospace, manufacturing and process industries can be
modelled, for diagnostic purposes, as finite-state automata. In Chapters 3 and 4, me
will extend this approach to timed discrete-event and hybrid systems.
We discuss failure modelling in Section 2.1. In Section 2.2, we introduce the
dia-oser and in Section 2.3, define the notion of diagnosability of failures in Our
framework and derive necessary and sufficient conditions for failure diagnosability.
Section 3.4 presents a mode1 reduction scheme for reducing the computational com-
plexity of the diagnoser design. The discussion in Sections 2.1 to 2.4 assumes that at
most one failure mode may occur at a time. In Section 2.5, the results of Sections 2.1
to 2.4 will be extended to the case of simultaneous occurrence of two (or more) failure
modes.
2.1 Plant Mode1
We assume that the plant under control, i.e., plant along with Iow-level continuous
controllers and DES supervisors, can be modelled as a nondeterministic finite-state
Moore automaton (FSMA) G = (X, T=, cf, xo, Y, A), where X, C and Y are the finite
state? event and output sets; xo is the initial state, 6 : X x C + 2X the transition
function and X : X + Y the output map (2X denotes the power set of X).
The mode1 describes the behaviour of the system in both normal (system function-
ing properly) and faulty situations. Suppose there are p failure modes F I , . . . , Fp-
Each failure mode corresponds to some kind of failure in an instrument (valve, sen-
sor, etc.) or a set of such failures. The event set C includes failure events. In
Sections 2.1 to 2.4, we assume a t most one of the failure modes may occur a t a time.
This means that the system can be in only one of the following p + 1 conditions:
N(normal), FI, . . . , Fp. FVe cal1 this single-failure scenario and it should not be
confused with single failure mode situation in which the system has only one failure
mode, Le., p = 1. Sirnultaneous occurrence of two (or more) failure modes will be
discussed in Section 2.5.
Let X: := { N , FI , . . . , Fp} denote the condit ion set of the system. It is assumed
that the state set X can be partitioned according to the condition of the system:
X = XNUXFiÙ uXF, (0 denotes disjoint union). Define the condition map
K : X -+ K such that for every x E X, ~ ( x ) is the condition of the system a t the state
x: K(X) = N if x E XN, and n(x) = Fi if x E XF, (i E {l,. . . , p l ) Also (abusing
notation) extend the definition of K to the subsets of ,Y: n ( z ) = ~ { n ( z ) 1 x E z } , for
any z C ,Y.
In failure detection and isolation, given the output sequence (y1 y2y3 . . .) , we want
to find the condition of the system. Note that only changes in the output are assumed
to be observable. This means that a transition of the system from one state to
another state having the same output wiil not be noticed, Le., the transition will be
unobservable. So in the output sequence: Yi # yi+l for i 3 1.
In general, some of the events in C are observable. If the occurrence of these
observable events cannot be inferred from the output sequence, then the information
about the occurrence of the observable events can be included in the output map in the
following way. Consider a transition xi 4 2 2 with a being observable. Let us assume
that the occurrence of a cannot be inferred from the output; for example, suppose
X(x1) = X(xZ). Then replace the transition with the two transitions XI 4 x\ 4 x2,
Temp.
Temp. Sensor
Figure 2.1: Example 2.1. -4 heating system.
where xi and c are new state and unobservable event that have to be added to the
state and event set of the system. The output set Y must be extended to Y x {O; 1)
and the output a t any x # xi should be redefined as (X(s), 0) and a t dl as (X(xl), 1).
Therefore the a-transition from zl to x;! shows up at the output as change of the
output from (X(xl),O) to (A(xl), 1) and from (X(xl ) , 1) to (X(x2): O). The above
procedure can be repeated for other observable events (if necessary). From now on' it
will be assumed that information about the occurrence of the observable events has
already been transferred and included in the output map.
Example 2.1 - Heating System -4 heating systern uses a heater, a temperature sensor and an ON/OFF controller to
regulate the temperature of a room about a set-point (Fig. 2.1). The DES mode1 is
shown in Fig. 2.2. The temperature can be Ion7 'Il, below but close to set-point 'b',
or above set-point 'a'. For example, if the set-point is 22"C, then 'a' corresponds
to the temperatures above 22"C, 'b! to the temperatures between, Say, 20°C and
22°C. and '1' to the temperatures below 20°C. The controller can turn the heater
on (enable i t) or turn it off (disable it). It is assumed that the heater may fail
and remain off (even if it is turned on). Each dashed arc in Fig. 2.2 represents a
heater-failure event. 'Load' models the effect of disturbance such as the temperature
of the adjoining room and the ambient temperature, and is supposed to have two
States 'normal (n)' and 'above normal (a)'. Zt is also assumed that even when the
load is above normal, the heater can keep the temperature close to the set-point. In
the heating system: X = {1,2,. . . ,241, Y = {Id, le, bd, be, ad, ae), K = { N , F ) ,
~ ( i ) = N for 1 < i 5 12, and n(i) = F for 13 < i 5 24. The output symbols are
Figure 2.2: Example 2.1. DES mode1 of the heating system.
explained below:
Id temperature low, heater turned OFF (disabled)
le temperature low, heater turned ON (enabled)
bd temperature below set-point, heater turned OFF (disabted)
be temperature below set-point, heater turned ON (enabled)
ad temperature above set-point, heater turned OFF (disabled)
ae temperature above set-point, heater turned ON (enabled).
Note that the output symbol may contain information about the commands issued
by the DES supervisor (in this case, the ON/OFF controller), in addition to sensor
readings.
The system has 24 states. For exampie, in state 1, load is above normal, temper-
ature is low, and the heater is turned off and in the normal mode. -4t this point, the
controller turns the heater on and the systern moves from the state 1 to 3. If the load
becomes normal, then the system moves to the state 4. The rest of Fig. 2.2 can be
interpreted sirnilariy. 0
Output Estimam of Sequence the System's
Condition
Figure 2.3: System and diagnoser.
2.2 Diagnoser
A diagnoser is a system that detects and isolates failures. In our framework, it is
a finite-state machine t hat takes the output sequence of the system (yiyz . gk) as
input and generates a t its output an estimate of the condition of the system a t the
time that I J ~ was generated. Specifically, based on the output sequence up to yk, a set
zk E 2x - (0) is calculated to which x must belong a t the time t hat I J ~ tvas generated.
&(a) will be the estimate of the system's condition (Fig. 2.3). Upon observing Yk+ll
z k will be updated.
Before formally defining the diagnoser, we introduce the concept of output-
adjacency which we will find useful in diagnoser design.
Definition 2.1 For any two states x,xf E x, nre Say x' is output-adjacent to x
and write x * x' if X(x) # X(xl) and there exist I >_ 2, the states 2 2 , . . . , xl-1 (if
1 > 2) , and the events 01,. . . , m-1 S U C ~ that xi+1 E 6(xi1 ui) a ~ d A(xi) = X(X), for d l
1 <_ i 5 Z - 1, with = x and xl =x'. 0
This means that x' is output-adjacent to x if x and x' have different outputs and x'
can be reached from x using a path l along which the output is A(x).
IVe define the diagnoser to be a finite-state Moore machine D = (2 U
{G), Y, C, a, el K ) , where Z U {G), Y and R 2K - {O) are the state, event and
output sets of D; a := (zo, O) is the initial state, with zo E 2" - { O } ; Z 2" - (01,
'Suppose for a sequence of states 21,. . .,xn and events al,.. . ,a, f C, with n 3 2, we have un-1
xi+, E b ( z i , ~ i ) , for 1 5 i 5 n - 1. Then zi o) 22 3 - - + Zn is called a path in (the state transition graph of) the system.
and C : Z u (3) x Y + Z is the transition (partial) function; n : Z U {h} + & is
the output map, with the definition of tc extended according to: K(G) := n(zo). Each
diagnoser state z , except G, is identified with a nonempty subset of X. However, a is considered to be different from other states of the diagnoser because the update
law C a t 3 is different from that a t other states. To distinguish r, from other States,
it has been identified wïth a pair (zO, 0) (rather than a subset).
The diagnoser state transition zkf 1 = C(zk, yk+-~) is given by:
Therefore t k f l d l be the set of states, having output yk+17 that are reachable from
the states in zk using paths dong mhich the output is yk (Fig. 2.4).
zo contains the information available about the state of the system a t the time
t hat the diagnoser is initialized, before the reading of sensors begins. Usually, = X,
because the diagnoser may be initialized a t any time while the system is in operation
and in this situation the state of the system is not known exactly If the system and
the diagnoser are initialized at the same time, then zo = {xo}. If the system is only
known to be normal a t the time that the diagnoser is initialized, then 20 = /YN.
Suppose z l , z2 E Z and C(zl, y) = z2 for some y E Y. Given z'. in order to
compute z2 we have to find for every xl E zl , al1 xz such that X(x2) = y and
X I + x2. Since every x E X typically belongs to several states of the diagnoser, it is
computationally economical to compute the set of output-adjacent states, for every
x E X. This can be done in O(]X1* + 1x1 ITI) time because a breadth-first search
reachability analysis for each x E X can be done in O(IX 1 + IT 1) time [6]. Here ( X 1 and [Tl are the cardinalities of X and T (the set of transitions of G).
We store the information about the output-adjacent states in the reachability
transition system (RTS). We define the RTS (corresponding to G) to be the tran-
sition systern G = (X, R, Y, A), which has X, Y, and X as the state set, output set
and output map. R X x X and (xl, x2) E R if and only if x l * xz. As mentioned
before, G can be cornputed in 6(IXI2 + JXIITI) tirne. With G available, one can com-
pute the diagnoser. Later we will see that G is also useful in on-line irnplementation
of diagnostic computations and in mode1 reduction.
Example 2.1 - Heating System (Cont'd)
The RTS (in the form of a table) and the diagnoser for the heating system are given in
Table 2.1 and Fig. 2.5 (assuming = X). To see how the diagnoser works, suppose
the first output symbol y1 is 'be'. Then ri = {5,6,17,18). If the next output symbol
g2 is 'le', then z2 = {15,16}. Using the RTS (Table 2.1), the reader can verify that
each of the states in 22, namely? 15 and 16, is output-adjacent to (at least) one state
in z,. If instead of 'le', y2='ae1, then 22 = {7,8). The rest of Fig. 2.5 can be similarly
interpreted.
In this example, heater failure can be detected using output observations unless
it occurs while the temperature is low. For example, suppose that the diagnoser
is initialized when the system is at the state 10. The output a t this state is 'ad1.
Therefore zl = {9,10,21,22} and n(zl) = ( N , F). Now assume that the state x
moves to 12, and then to 6; at this point a heater failure occurs following which the
state moves to 18 and finally to 16. While the system evolves along this path, the
output sequence 'bd, be, le' will be generated which d l take the diagnoser to the
state z4 = {XI, l6}. Since n(zr) = { F ) , the diagnoser eventually detects the failure.
To see why heater failure cannot be detected while the temperature is low, suppose
the system is at the state 3 when the diagnoser is started. -4t this state the output is
'le'; thus z1 = {3,4,15,16) and n(zl) = {N, F}. A heater failure a t this point takes
the state x to 15. No new output symbol wiI1 be generated following the failure or
Table 2.1: Example 2.1. Reachability transition system.
aftenvards. Therefore, {N, F) will remain as the estimate of the system's condition.
-4s a result, the failure wiil not be detected with certainty. The issue of diagnosability
of failures will be discussed in Section 2.3. O
The diagnoser, as a finite-state machine, can be automatically translated into
computer code. For example, consider Fig. 2.6 in which part of the diagnoser of
Fig. 2.5 is shown. The three diagnoser states are labeled Dl, D2 and D3. Each state
of the diagnoser can be translated into a segment of computer code. By putting
these segments together, the computer code corresponding to the diagnoser can be
automatically generated. -4 pseudocode for the state DI is given below.
State 1 2 3 4 3 6 7 8 9 10 11 12
Dl z=[5,6,17,18] ;
k=['N' ; 'F'] ;
uhile y== ' be ' read y
end
if y=='leJ go to D2
elseif y=='aeS go to D3
else go to INCONSISTENCY
end
State 13 14 15 16 17 18 19 20 21 22 23
Output-adjacent states (output) 3,4,15,16 (le) 3,4,15,16 (le) s16 (be) 5,6 (be) 8(ae) /15 ,16( le ) 8 ( a e ) / l 5 , 1 6 ( l e ) 9,10,21,22 (ad) 9,10,21,22 (ad) 11,12,23,24 (bd) 11,12,23,24 (bd) 5,6,17,18 (be) 5,6,17,18 (be)
Output-adjacent states (output) 15,16 (le) 15,16 (le) - - 15,16 (le) 15,16 (le) 21,22 (ad) 21,22 (ad) 23,24 (bd) 23,24 (bd) 17,18 (be)
24 1 17,18 (be)
Figure 2.5: Example 2.1. Diagnoser.
Figure 2.6: Example 2.1. Part of the diagnoser.
Note that if the output symbol that follows %e' is neither 'le' nor 'ae', then an
inconsistency between the mode1 and the obsemed behaviour of the system is detected.
This could be the result of either an unforseen failure mode or a glitch in the sensor
output.
Since the number of states of the diagnoser is in the worst case exponential in
IXl, the whole diagnoser may take up a large amount of computer memory. In this
case, it might be better to store the reachability transition system in memory and use
it to perform the diagnostic computations on-line : having z k and the observation
yk+,, use G to cornpute zkfl and update the estimate of the system's condition. G
contains l,Yl states and at most IXI(IX[ - 1) transitions.
There are similarities between our framework and that of [29], especially in the
use of an observer for diagnosis. However, while we try to determine the condition of
the system for fault detection, in [29] the authors attempt to detect the unobservable
failure events. This leads to some differences:
0 In our approach, the state and even the condition of the system do not have
to be known at the time that the diagnoser is started. The diagnoser can be
initialized a t any time while the system is in operation. not necessarily when
the system is started. If Say a failure occurs before the diagnoser is initialized,
then our diagnoser can eventually detect the faulty condition and isolate the
failure (assuming the failure is diagnosable) . However, an event-based diagnoser
cannot detect the failure because the failure event has already happened when
the diagnoser is initialized.
0 Our approach is simpier. In particular, in this framework, computation of the
diagnoser is less complex. This is because at each step, after observing a new
output symbol, n7e only have to update our estimate of the system's state z k .
In the event-based approach of [29], after the occurrence of an observable event,
in addition to updating the state estimate, al1 of the paths that the state of the
- - - -- - - - -
'In this thesis, "off-line calculatioasn refers to the computations at the design stage and "on-line calculationsn refers to the diagnostic computations performed when the plant is in operation.
system might have evolved dong since the occurrence of the previous observable
event, have to be checked for the occurrence of failure events. In the reachability
analysis required for estimate update in our framework, however, (in general)
only a subset of these paths are examined. The simplicity of our framework
significantly contributes to the development of transparent resul ts for model
reduction (Section 2.4) and fault diagnosis in timed discrete-event and hybxid
systems (Chapters 3 and 4).
Remark 2.1 We note that a diagnosis problem in an event-based framework can al-
ways be transformed to an equivalent problern in the state-based framework presented
in this thesis. More specifically, the problem of detecting a set of unobservable events
can be cast into the problem of finding the block of some partition that the state be-
longs to. To see this, suppose we want to detect an unobservable event F. We replace
the original automaton G = (X, C, 6, XO, Y, A) with G* = (X*, C , d*, (xo, O) , Y, A*),
where X* = X x {O, l}, 6*((x, f ) , o) = ~ { ( z ' , f)lz1 E 6(x, O)} if 0 # F , 6'((x1 f ): F ) =
u{(xl, l)Ixl E 6(x, F)}, and A*((x, f ) ) = A(x) for al1 x E X and f E {O, 1). The prob-
lem of detecting F in G becomes equivalent to finding whether in G*, x* E X x (1) or
not. This method can be used for detecting any number of unobservable events. How-
ever, it should be noted that the size of the state space of the transformed automaton
G* will increase with the number of the unobservable events. 0
2.3 Diagnosability
In this section, we study the question of whether or not a failure mode Fi can a1n.a~;~
be detected and isolated. CVe assume for now that the failure modes are permanent.
Later in Remark 2.4, we will discuss nonpermanent failures. We also assume that
only one failure mode may occur a t a time (i.e., single-failure scenario). Simultaneous
occurrence of failures will be discussed in Section 2.5. The assumption of permanent
failure modes implies that in the finite-state automaton model of the system given
in Section 2.1, there are no transitions from the states in XF, (i E (1,. . . , p l ) to any
state in X N U ( u ~ ~ ~ X ~ , ) , i.e., Xlv U (ujZiXF,) is not reachable from XFi (Fig. 2.7).
Figure 2.7: Single-failure scenario with permanent failure modes.
For instance, in Example 2.1 (Heating System), heater failure is permanent and none
of the states in XN is reachable from the states in X F .
Definition 2.2 A state z of the diagnoser is called fi-certain if K ( z ) , the cotre-
sponding estimate of the system's condition, indicates that the failure has occurred. [7
In a single-failure scenario, z is Fi-certain iff K ( Z ) = (Fi}.
Definition 2.3 A state z of the diagnoser is called Fi-uncertain if z is not Fi-certain
but ~ ( z ) indicates that the failure Fi might have occurred, Le., occurrence of Fi is
consistent with the observed output sequence. 0
In a single-failure scenario, 2 is Fi-uncertain iff 6 E ~ ( z ) but K ( Z ) # (Fi). For
instance. in Fig. 2.5 z = (15,161 is F-certain while z = {5: 6,17,18) is F-uncertain.
Kote that if z is not Fi-certain, it does not mean that it is Fi-uncertain.
Note that if for some ka 2 O and a failure mode Fi, ~ ( 2 ~ ) = {Fi), then n(zk) =
{Fi} for all k 2 ko (because XN U (u~+~XF, ) is not reachabie from X E ) . Therefore if
the diagnoser reaches an Fi-certain state, it will remain in the set of Fi-certain states,
ive.. it will 'lock' on Fi.
In general, the number of events that may take the diagnoser to diagnose a failure
(assuming it can) depends on
a the path that the system evolves on, and
a the time of initialization of the diagnoser.
For instance, in Exarnple 2.1, if the system evolves on the path 10 + 12 -+ 6 + 18 + 16 and the diagnoser is initialized when the system is at the state 10, then
the failure will be diagnosed after the system enters the state 16, one event after
the occurrence of the failure. If, on the other hand, the system's state rnoves on
10 + 22 + 24 + 23 + 17 + 15 and, as in the previous case, the diagnosis is
initiated when the system is at the state 10, then the failure Ml1 be diagnosed after
4 events when the system enters the state 15. Of course, in this case, if the diagnoser
was initialized after the system entered the state 15 (instead of IO), then the failure
would not be detected at all.
We Say a failure is diagnosable if it can always be detected and isolated after the
occurrence of a bounded number of events, as explained in the following.
Definition 2.4 -4 permanent failure mode Fi is diagnosable if there exists an inte-
ger Ni 2 O such that following both the occurrence of the failure and initialization of
the diagnoser, Fi can be detected and isolated (i.e., the diagnoser reaches an Fi-certain
state) after the occurrence of a t most Ni events in the system. 0
In the above definition, no assumption is made about the system's condition (nor-
rnal/faulty) a t the time that the diagnoser is initialized, Le., the diagnoser might
have been initialized either before or after the occurrence of the failure. -4ccording
to Def. 2.4, the heater failure in Example 2.1 (Heating System) is not diagnosable.
Remark 2.2 In Def. 2.4, a failure is defined to be diagnosable if it can be detected
and isolated after the occurrence of a t most a bounded number of events. It should
be noted that even though an infinite nurnber of events usually takes an infinite time
to occur, a finite number of events may take an arbitrarilÿ long time to happen. This
issue will further be discussed in Chapter 4. O
We need a few more definitions before providing necessary and sufficient condi-
tions for diagnosability. Sometimes generation of a particular output symbol is an
indication of the occurrence of a failure mode. A sensor failing open-circuited is an
example (assuming open circuit can be detected directly by the electricai interface).
Definition 2.5 If the occurrence of a failure mode Fi can be directly concluded from
the generation of an output symbol y f Y, then y is called Fi-indicative. 13
In a single-failure scenario, y E Y is &indicative iff A-l({g)) C XFi.
Definition 2.6 -4 cycle of Fi-uncertain states of the diagnoser is called an Fi-
uncertain cycle. CI
We shall see later in this section that in one type of undiagnosable failure, the faulty
system can generate a periodic output sequence that throws the diagnoser into a
fault-uncertain cycle. We c d tbese cycles fault-indeterminate.
Definition 2.7 Suppose z l , . . . , zm is a cycle of Fi-uncertain states of the diagnoser.
The cycle is called Fi-indeterminate if there exist 1 2 1 and z',,4,. . . ,4 E z j ,
for al1 1 5 j 5 m such that 4 -; XFi for al1 1 5 j 5 m, 1 5 k 5 1 and
1 2 1 m 1 x,, x,, . . . , xy, x,, . . . , x, , . . . , x, , . . . , xp form a cycie in the RTS. The RTS cycle is
called an underlying faulty cycle of the Fi-indeterminate cycle. 0
According to Def. 2.7, if zl,. . . , rm is an Fi-indeterminate cycle. then the system has
a cycle in the faulty mode Fi such that when it evolves on the cycle, it will generate
the output sequence A(xf ), . . . , A(z7) periodically. The cycle in the mode Fi and
the corresponding output sequence can keep the diagnoser in the Fi-uncertain cycle
tl, . . . , zm indefinitely, and in this case, the failure Fi udl not be diagnosed.
Xot every fault-uncertain cycle is fault-indeterminate. Consider the FSMA of
Fig. 2.8. In this system, X = {1,2 ,..., 9}, X,V = {1,7,8,9}, XF = {2,3,4,5,6}
and Y = {q? a, 8, y, y } . The diagnoser for this system is given in Fig 2.8, assuming
zo = S. The diagnoser states {3,7), {4,8} and {5,9) form an F-uncertain cycle.
This cycle is not F-indeterminate, however, because the system states 3, 4 and 5 do
not form a cycle, i.e., after the occurrence of failure, the output sequence croy will
be generated only once, after which v will be generated which takes the diagnoser to
the F-certain state { 6 } .
3A p t h 21 2 - - . O q l z,, with n 2 2, is a cycle if zi = x,.
22
Figure 2.8: Example of an F-uncertain cycle which is not F-indeterminate.
Theorem 2.1 provides necessary and sufficient conditions for diagnosability of per-
manent failures in single-failure scenarios, assuming zo = S.
Theorem 2.1 Assume single-failure scenario and 20 = X. A permanent failure Fi is
diagnosable if and only if
1. From every x E XF,, there is (at least) one transition to another state in XF,
unless X(x) is Fi-indicative;
2. There is no cycle in -YF, consisting of states having the same output unless the
output symbol is Fi-indicative;
3. There are no Fi-indeterminate cycles in the diagnoser.
We need the folloning trivial lemma for the proof of Theorem 2.1.
Lemma 2.2 Consider a path zo 3 zl 3 r î . - 5 z, (n 2 1) in the diagnoser. For
any x, E z,, there exist xi E zi (1 5 i _< n - 1) such that xi =+ xi+l for 1 5 i 5 n - 1.
cl
Proof of Theorem 2.1. Conditions 1 and 2 guarantee that after Fi occurs, new
output symbol(s) will be generated and the output sequence can only terminate (if
it does) in an Fi-indicative symbol. Suppose cither 1 or 2 does not hold. After Fi
occurs. the output sequence may end in a non-Fi-indicative output. If the diagnoser
is initialized after this last syrnbol is generated, then it wili not be able to detect and
isolate the failure. Therefore, both 1 and 2 are necessary for diagnosability; from now
on, assume they hold.
After the occurrence of Fi and the generation of a new output syrnbol, the diag-
noser state wi11 be either Fi-certain or Fi-uncertain. If it is Fi-certain, then it will
remain Fi-certain (because Fi is permanent) and Fi is diagnosed. If the diagnoser
state is Fi-uncertaint then by condition 3 and the fact that the number of Fi-uncertain
states is bounded, after the generation of a bounded number of output symbols, the
diagnoser will reach an Fi-certain state (In general, the diagnoser gets trapped indef-
initely in a cycle of Fi-uncertain states only if the cycle is Fi-indeterminate). Let ni
denote the number of events that it takes the diagnoser to detect and isolate Fi. By
condition 3, after the occurrence of the failure, the diagnoser can visit an Fi-uncertain
state z at most Iz n XF,I times. Hence
mhere y = C{Izk n XFi 1 1 E Z & zk is Fi-uncertain} and pi is the length of the
longest path of faulty states having the same non-Fi-indicative output. By condition
2, pi 5 lxF , [ . -41~0 C, 5 121. Therefore
AS a result, Fi is diagnosable with Ni = IXq [(lxF1 1 - 121 + 1).
Conversely, if condition 3 is not true, then there exists an output sequence
yi, y2, . . - , gn that can take the diagnoser into a state zk belonging to an Fi-
indeterminate cycle. Let x, € Zn belong to an underlying faulty cycle in the RTS.
By Lemma 2.2, there exist states XI,. . . , x,-1 such that xi * s;+l for 1 5 i 5 n - 1.
After reaching x,, the RTS state rnay remain on the underlying faulty cycle causing
the diagnoser to stay on the Fi-indeterminate cycle indefinitely. Therefore, there ex-
Figure 2.9: With zo = {O), F will be diagnosable.
ists a trajectory for the system leading to states in XE such that the corresponding
output sequence throws the diagnoser into a cycle of Fi-uncertain states and keeps it
there indefinitely. Hence, Fi is not diagnosable. O
Intuitively, Fi would not be diagnosable if after it occurs, the system stops gen-
erating new output syrnbols (unless the last syrnbol is Fi-indicative). Also Fi wouId
be undiagnosable if after its occurrence, the system can generate a periodic output
sequence that throws the diagnoser into a cycle of Fi-uncertain states.
Rernark 2.3 Let DI and D2 be two diagnosers for a system, corresponding to differ-
ent initial state estimates z: and ri. If z: 22, then z i 2 2: for k 2 O (r i and i i are
the state estimates of the diagnosers) because the diagnoser update law C(zk, yk+l) is
monotone in zk (i-e., z i E z: implies C(zL, a+l) C ~(z:, yk+1)). Therefore in Theo-
rem 2.1, if zo # X , then the set of conditions 1, 2 and 3 becomes only sufficient (not
necessary) for diagnosability. Conditions 1 and 2 are not necessary in general. For
esample, consider the system given in Fig. 2.9. Here X N = {O, l i 2 ) and XF = {3)-
Suppose a = (O). Condition 1 is not satisfied since 0 is not F-indicative. The
failure mode F, however, is diagnosable because if it occurs a will be generated
immediately after a while in the normal mode, 0 occurs onlÿ after y. Condition 3,
on the other hand, is necessary for any zo. This follows from an argument similar to
the one given for the necessity of condition 3 in the proof of Theorem 2.1. [7
Remark 2.4 In control we are usually interested in diagnosis of permanent failures.
But sometimes we may have to deal with nonpermanent failures too. For example, a
valve may get stuck for a while and then return to normal operation. In these cases,
if the nonpermanent failure persists long enough, the diagnoser may finally diagnose
it. If on the other hand, the system returns to normal operation after a short while,
then the failure may go undetected. Of course the diagnoser will recognize that the
system has returned to normal condition. If it is necessary to detect nonpermanent
failures, then (in addition to estimating the system condition) one needs to detect
the occurrence of failure events using either the method explained in Rernark 2.1 or
the event-based approach [29]. 0
Remark 2.5 Consider a valve which is closed. If it fails stuck-closed and no open
commands are sent to the valve after the failure, the diagnoser will have no way of
detecting the failure and according to Def. 2.4, the failure is not diagnosable. One
may ignore the undiagnosability of the valve because the stuck-closed failure does
not affect the performance of the system (The valve was closed prior to failure and
no open comrnands has been issued aftenvards). However, if the valve is a critical
component of the system and, Say, it is going to be used in another cycle of the
operation of the plant and hence, the condition of the valve needs to be known, then
the undiagnosability of the valve could be a problem that should be addressed.
In [29], Sampath et al. propose the notion of 1-diagnosability to deal with the
above problem. According to [29], the valve failure should be deemed undiagnosable
(un-1-diagnosable to be specific) only if it cannot be diagnosed in a case where it is
followed by an open command. Othenvise, the failure is considered 1-diagnosable.
This implies that if the valve fails stuck-closed while it is open and no commands
are issued aftenvards, the failure can still be considered (1-)diagnosable even if the
diagnoser cannot detect and isolate the failure. This definition of diagnosability does
not seem to be practically suitable.
We consider that this matter and similar cases involving the diagnosability of
failures which may occur while the corresponding component is not 'active' should
be analyzed on a case-by-case basis. 0
In the example of the heating system, F is not diagnosable because the states 15 and
16 form a cycle which contradicts condition 2 in Theorem 2.1.
LJ Flowmeter
Figure 2.10: Example 2.2. Pump and Valve.
Valve
PD
Pump Controller
Figure 2.11: Example 2.2. DES models of components.
Example 2.2 - Pump and Valve [30]
Consider a system consisting of a pump, a valve and a flowmeter (Fig. 2.10). The
valve may fail stuck-closed ( F I ) or stuck-open (F2). The pump is assumed reliable.
The DES controller orders the valve open (VE), then turns on the pump (PE).
-ifter a while it shuts down the pump (PD) and closes the valve (VD). This cycle
repeats. The finite-state automata describing the components of the system are shown
in Fig. 2.11. The output of the flowmeter is either f (flow) or nf (no flow). The
controller has 4 states. The current state of the controller is assumed to be known
to the diagnoser. Therefore Y C { f, n f ) x {Cl, C2, C3: C4}. The DES mode1 of
the system is the synchronous product of the components and is s h o w in Fig. 2.12.
The RTS is given in Table 2.2 and the diagnoser in Fig. 2.13. Unlike [30], no pnor
information about the state and condition of the plant is assumed here, i.e., ZQ = X.
Condition
Figure 2.12: Example 2.2. DES mode1 of the pump and valve system.
Table 2.2: Example 2.2. Reachability transition system.
State 1
. 2 3 4 5 6
Output-adjacent states (output) 12(C4, n f ) 9 ( C L n f ) G(C2,nf) 7(C3,nf) S(C4,nf) 5 ( C l , n f )
Output-adjacent states (output) 2,6,1O(C2, n f ) 3: l W 3 , f )/7(C3, n f ) 4,12(C4,nf)/7(C3,nf) 1 ,5 ,9(Cl , nf) lO(C2,nf) l l ( C 3 , f )
State 7 8 9 10 11 12
Figure 2.13: Example 2.2. Diagnoser.
The system does not have any deadlock states or cycles with constant output.
Furthermore, there are no Fl-uncertain, hence, no Fi -indeterminate cycles in the
diagnoser. Therefore, by Theorem 2.1, FI is diagnosable. The reader can veri% that
FI can be detected and isolated in at most 3 events. The failure fi7 on the other
hand, is not diagnosable since {1,5,9), {2,6,10), {3,11) and {4,12) form an F2-
indeterminate cycle, with 9, 10, 11 and 12 as the underlying faulty cycle. Physically,
if the valve fails stuck-closed when the pump is on, no flow will be registered by the
flowmeter indicating failure Fl. In fact. [C3: nf] is FI-indicative. The stuck-open
failure, however, does not produce a measurable effect a t the output, i.e.. the output
sequence in F2 mode is identical to that in the normal mode. 0
2.4 Mode1 Reduction
The computational complexity of designing the diagnoser in the worst case is espo-
nential in the number of system states. To mitigate this, in this section we introduce
a mode1 reduction scheme with polynomial tirne complexity. The equivalence relation
used for mode1 reduction is based on the solution of the relational coarsest par-
tition (RCP) problem for the reachability transition system. We will show that the
diagnoser built using the reduced RTS mil1 be 'equivalent7 to the original diagnoser
in the following sense.
Definition 2.8 Two diagnosers for a system are equivalent if for any given output
sequence, t hey produce identical sequences of estimates for the system's condition. O
Consider the RTS G = (X, R, Y, A). For every XI, x2 E X, let x2 E R(xl) iff (z,, z2) E
R, i.e., X I =+ x2. Let ~r = {BI, -. - , BI,,} be a partition of ,Y, with Bi denoting the
blocks of a. The partition 7i is said to be compatible with R (101 if and only if
whenever x and x' are in the same block Bi, then for any block B,, R(x) n Bj # 0 iff
R(x1) n Bj # 0. Let ïi be the set of partitions compatible with R.
Suppose .n is compatible with R and a 5 kerX A k e r ~ , where ker refers to the
equivalence kernel of the corresponding map and A denotes the meet operation in
the lattice of equivalence relations [23]. If two states x and z' are in the same block
of kerX A ker~; , then the system has the same output and condition a t these states.
Moreover, the set of output sequences generated by the system, starting at either
of these states, will be identical. Also, starting a t any of these states and for any
feasible output sequence generated, the sequence of condition estimates will be the
same. This shows that the three statements x E z: x' E z and x,x' E z contain the
same information about the present and future estimates of the system's condition.
Hence, for the purpose of estimating the system's condition, x and xr are equivalent.
Let P : X -t X/x be the canonical projection. For every x E X' [x] := Px
denotes the block x belongs to. -41~0 for simplicity, instead of x E P-'ZL, we m i t e --
z E Z L . We define the reduced RTS G = ( X , R, Y. 1) (corresponding to x ) according
to:
- a For al1 Z E : X(Z) = X(x), for any x E 2.
- Similarly we define iG : X -+ IC according to k(5) = ~ ( x ) for any x E z. Since
n 5 kerX A k e r ~ , X and k are well-defined. We define the canonical projection of a
subset z E X to be P ( z ) := U{[x]lx E z } .
We refer to the diagnoser designed based on the reduced RTS G with Z0 := Pzo
as its initial state estimate, as the high-level diagnoser (corresponding to îr) and
cal1 it D.
Theorem 2.3 The original diagnoser and the high-level diagnoser are equivalent.
Proof. We have to show that for every output sequence (yl, 32, - , yj) and any
initial state estimate zo, the diagnosers produce the same sequence of estimates for
the condition of system. i-e., ~ ( 2 ~ ) = T E ( & ) for O 5 k 5 j (Zk is the state of D).
Figure 2.14: Pzk = Zk
Let denote the transition (partial) function of D. First we show that Prk = Zk
(Fig. 2.14).
By definition Pzo = 30.
Xow we prove that for k 2 I if Pzk = Zk then Pzktl = Z k f t .
Let x k + l be an element of -'k+ll i.e., X ~ + L E z k + l . Then there exists x k E z k
such tha t ( x ~ , xkC1) E R. Hence ( [ x ~ ] , [xac1] ) E R. From Pzk = 4 it follows that
[rr] E 4- ~ l s o X ( [ ~ k + l ] ) = ~ ( x k + l ) = y k + l . -4s a result [ x k + t ] E z k i l . This shows
that P z k f l C Z k + l .
Yow let Zk+ , be an element of Le.: ak+l E Therefore (zk, z ~ + ~ ) E R for some Z k E Zr: = Pzk. Hence there exist xi E Z c n y and x;+, E z ~ + ~ such that
- (xi, x;,,) E R. Also X ( z ; + , ) = X ( Z k + l ) = y k + i . Thus xLtl E z k + l and as a result
Z k t l = Px;+t E P z ~ + ~ - This proves zk,l C P a + , .
Therefore, by induction, Pzi, = ,"i; for O 5 k <_ j. Finally G(Zk) = E(Pzk) = 6(zk)
since x 5 k e r ~ . O
Remark 2.6 Since Pzk = Zk and P is onto, the number of states of D is less than
or equal to that of D. CI
Remark 2.7 Obviously the coarser the partition T, the fewer states will the reduced
RTS have. The set (n E ll, ?r 5 kerX A k e r ~ ) is closed under V, the join operation in
the lattice of equivalence relations, and therefore has a unique supremal element which
is the coarsest partition compatible with R and finer than kerAAker~. The problem of
computing this supremal element is cailed the relational coarsest partition (RCP)
problem. Iterative algorithms for solving the RCP problem exist in the literature (see
[13] and references therein). The efficient algorithm of [24] solves the RCP problem in
O(IR1 log}XI) time (IR1 is the cardinality of the set R). This gives a O(IXIZloglXI)
time complexity for mode1 reduction, since IR[ 5 fXl(lXl - 1). 0
Remark 2.8 Sometimes theoutput map X provides redundant information, i.e., fault
diagnosis caa be accomplished using a coarser output map. The use of a coarser
output map, in general, results in further aggregation in model reduction, hence
fewer states in the reduced RTS. 0
Remark 2.9 The high-level diagnoser produces an accurate estimate of the system's
condition, with an accuracy proportional to the amount of information availâble in
the reduced RTS iff the relation Pzk = & holds. In the proof of Theorem 2.3, we
showed that Pzk = ZA. liolds for a partition n- 5 kerX A k e r ~ if 7;- is compatible with R.
If 77- is not compatible with R, then we can find two blocks of 7r, Say zl and 52. and
states X I , xi E al and xs E T2 such that (xi, x2) E R but there is no x E Z2 such that
(x', . x) E R. In general, if in this situation we let (zl, &) E R, then the high-level
state estimates will become conservative, i.e., Pzk C &, and if \t7e set (Zi,~2) 4 R,
then the high-level state estimates will be risk-accepting, Le., Zk E Pzk. Thus the use
of compatible partitions is necessary for guaranteeing P z ~ = Zk and in this case, the
coarsest partition compatible with R and finer than kerX A k e r ~ , will be the optimal
partition for model reduction, Le., it will give the reduced RTS with minimum number
of states. O
Example 2.1 - Heating System (Cont'd)
Using Table 2.1, the reader can verify that the partition kerX A k e r ~ = {{l, 2},
{3,4}, {5 ,6) , . , {23! 24)) is compatible with the transition relation R of the RTS.
Table 2.3: Exarnple 2.1 Reduced reachability transition system.
Hence it is the solution to the RCP problem for this example. The reduced RTS is
given in Table 2.3 where each pair of states 2i - 1 and 22 (1 5 2 < 12) in the original
RTS is replaced with 2' in the reduced RTS. Therefore the number of states of the
RTS has been reduced to half. The high-level diagnoser is identical to the original
one (After replacing each pair of 2i - 1 and 22 Mth 2').
The fact that the pair of states 2i and 2i - 1 are equivalent and can be replaced by
the single state if, shows that incorporating the model of the load has not added any
useful information to the heating system's mode1 for the purpose of fauIt diagnosis
and therefore, the load model can be removed. This interesting point could be of use
in decentralized fault diagnosis. Think of the load as subsystem 1 and of the rest of
the heating system as subsystem 2. Our model reduction scheme has shown that in
the absence of sensor readings from subsystem 1 (which is typical in a decentralized
fault detection scherne), the model of subsystem 2 (the local model) has the same
amount of information for fauIt diagnosis as the combined model of the subsystems
(the centralized model). Thus the design of diagnoser for subsystem 2 can be done
based on the local mode1 only. 0
State
1' 2' 3' 4' 5' 6'
In order to verify condition 3 of Theorern 2.1, one needs to build the diagnoser.
We will show in the following that condition 3 can be replaced with a similar condition
in terms of the K-indeterminate cycles of the high-level diagnoser. Therefore there
will be no need to build the low-level diagnoser for checking diagnosability.
State
7' 8' 9' 10'
Output-adjacent states (output) 2',B1(le) 3'(be) 4' (ae) / 8' (le) 5',111 (ad) 6',12' (bd) 3',9' (be)
Output-adjacent states (output) 8' (le) - 8' (le) 11' (ad)
11' 12'
12' (bd) 9'(be)
The low-level and high-level diagnosers produce identical estimates for the sys-
tem's condition. Therefore, a failure mode Fi is diagnosable if and only if it can be
detected and isolated by the high-level diagnoser (i.e., the high-level diagnoser reaches
an Fi-certain state) after the occurrence of a bounded number of events, following the
failure and initialization of the high-level diagnoser. -4s with the low-level diagnoser,
a state Z of the high-level diagnoser is called Fi-certain if the estimate ~ ( 2 ) indi-
cates that the failure Fi has occurred. In a single-failure scenario, 2 is Fi-certain iff
( ) = F i -4 state 2 of the high-level diagnoser is called Fi-uncertain if Z is not
F,-certain but R ( E ) indicates that the failure Fi might have occurred, i.e., occurrence
of Fi is consistent Mth the observed output sequence. In a single-failure scenario, Z
is Fi-uncertain iff Fi E R ( Z ) but R ( Z ) # {Fi}.
Definition 2.9 Suppose fL, . . . , is a cycle of F,-uncertain States of the high-level
diagnoser. The cycle is called Fi-indeterminate (wrt the reduced RTS) if there exist
12 1 and $ , 2 ) 2 , - . . , $ E 3, for al1 15 j 5 msuch that < € X F i for al1 1s j 5 ml -m - 1 1 5 k 5 1 and fi, Z:, . . . , Z;", 3;, . . . , x, , . . . : x, , . . . ,2;" form a cycle in the reduced
RTS. The cycle in the reduced RTS is called an underlying faulty cycle of the
Fi-indeterminate cycle. 0
V,'e need the folloming two lemmas which relate the cycles in the RTS to those in the
reduced RTS.
Lernma 2.4 Let XI,. . . ,x, be a cycle in the RTS. Then [x,], . . . , [x,] is a cycle in
the reduced RTS.
Proof. Follows from: (x, XI) E R iff ([x], [XI]) E R, for al1 x, 9 E X. 0
Lemma 2.5 Let Z1,. . . ,Z, be a cycle in the reduced RTS. Starting at any xl E Tl,
we can construct a path in the RTS such that either the path is a cycle or it leads
to a cycle in the RTS, and the projection of the cycle (and the path) in the reduced
RTS is the cycle Tl, . . . , x,.
Proof. Let X I E f l . (rl;z2) E fi; therefore there exists z 2 E Z2 and (xI,z2) E R.
Continuing in this way, we can build a path xl + x2 + x3 + - - -, X, + in
the RTS, where Xi E Z j with i = km + j for some k 2 O and 1 5 j 5 m. Since the
number of elements of 3, is finite, there exist kL and k2 with O 5 kL < k2 5 IZ1l such
- that xk im+~ - Xkzm+'- This means that the element xk,,+l appears in the path for
a second time. Therefore xkim+l, . . . , xkzm form a cycle in the RTS. Obviously the
projection of this cycle (and that of the path) into X will be the cycle Z1, . . . , 3,. O
Theorem 2.6 Assume single-failure scenario and zo = X. -4 permanent failure Fi is
diagnosable if and only if
1. From every x E XE, there is (at ieast) one transition to another state in XE
unless X(x) is Fi-indicative;
2. There is no cycle in XFi consisting of states having the same output unless the
output symbol is Fi-indicative;
3. There are no Fi-indeterminate cycles in the high-level diagnoser.
Proof. It was shown in the proof of Theorem 2.1 that conditions 1 and 2 are necessary.
So from now on we assume they hold.
Suppose condition 3 holds. Then there will be no Fi-indeterminate cycles in the
low-level diagnoser too. This is because if zl, . . . , zm is an Fi-indeterminate cycle of
the low-level diagnoser with x l , . . . , x' as an underlying faulty cycle in the RTS? t hen
by Lemma 2.4, Pz1,. . . , P z m and [xl], . . . , [x'] will be an Fi-indeterminate cycle of the
high-level diagnoser and an underlying faulty cycle in the reduced RTS, respectively
(Kote that z is Fi-uncertain if and only if P z is Fi-uncertain since ~ ( z ) = iÉ(Pz)). It
follows from Theorem 2.1 that Fi is diagnosable.
Conversely, assume condition 3 is not true. Then there exists an output sequence
y i , y*, . . . , yk that can lead the high-level diagnoser into a state Zk = Pzk belonging
to an Fi-indeterminate cycle (zk is the state of the low-level diagnoser after observing
yl , Y*,. . . , yk). There exists 3, E Zk belonging to an underlying faulty cycle in the
reduced RTS. Let xk € n zk. Note that xk E XF, since Zk E XFi. Since xk E z k ,
there exists a sequence of states of the RTS X j E zj (1 5 j 5 k) such that xi + xicl
for 1 5 i 5 k - 1. Using Lemma 2.5, we can find a path {x,}~>~ in the RTS whose
projection into X will be the underlying faulty cycle that z k belongs to. Note that
x, E XFi for j 2 k. As a result, using the path - in the RTS, we can construct
a trajectory for the system that leads to states in ,YFI and the corresponding output
sequence of this trajectory takes the high-level (and low-level) diagnoser into a cycle
of Fi-uncertain states and keeps it there. Therefore, Fi is not diagnosable. 0
Remark 2.10 Since the high-level and low-level diagnosers produce identical condi-
tion estimates, the upper bounds obtained for ni in the proof of Theorem 2.1, narneiy,
c, x p, + pi and IXFiI(IXFi 1121 + 1). also hold for fii, the number of events it takes
the high-level diagnoser to detect and isolate a diagnosable failure Fi- The following
upper bounds, howek-er, can be obtained directly as well:
with pi as before and
G = C { I P - ' ~ n XF, [ 1 Gis &uncertain}
2 = The state set of the high-level diagnoser - {& }.
2.5 Simultaneous Failures
In this section, results of the previous sections on single-failure scenario will be ex-
tended to the case of sirnultaneous failures. We assume that there are only two failure
modes. Generalization to arbitrary numbers of failures follows similarly.
Let us assume that there are two failure modes Fl and F2. There are three failure
scenarios: Fi, F2 and FI*, with FIP denoting simultaneous occurrence of FI and
F2. Hence the condition set is K = {N, FI , F2, FI*). The state set is partitioned
according to condition: X = XNCJXFi~XF2UXAy The condition map n : X + K
Figure 2.15: Simultaneous occurrence of permanent failures.
is defined as follows: n(x) = N if z E XN, ~ ( z ) = XF, if x E XF, (i E {1,2}) , and
K ( X ) = F12 if x E XFi2. The condition map is extended to the subsets of X according
to K ( Z ) = {n(x) 1 x E z } for al1 z c X. The RTS and the diagnoser are defined and
constructed as in Section 2.2.
In the rest of this section Ive consider the diagnosability of the failure mode FI.
It follows from Def. 2.2 that in the case studied in this section, a state z of the
diagnoser is FI-certain iff n(z) = {Fi} or ~ ( z ) = {FI2} or ~ ( z ) = {Fi, Fi2). A~SO z is
FI-uncertain iff z is not FI-certain and n(z) n {FI, FL2) # 0.
The faiIure modes FI and F2 are assumed permanent. This rneans that x,v is not
reachable from xFl LJ Xh U XF12; neither XFI nor XF2 is reachable from XF12. There
may be transitions directly from states in XN to states in XFi2 (i-e., fai1ure events Fl
and F2 may happen at the same time) (Fig. 2.15).
The definition of diagnosability is the same as in Def. 2.4. The definition of Fi-
indicative output symbols remains the same (Def. 2.5). In our case, an output symbol
9 is FI-indicative iff X-L({y)) C XFl U XF12. Necessary and sufficient conditions for
diagnosability of FI which will be given in Theorem 2.7 are the same as those in the
single-failure scenario except that XFI is replaced with -YFl U XFI2. This is because
after the occurrence of FI , the state x will be in X f i U XF12. Note that since the
failures are assumed permanent, there are no transitions from the states of XF12 to
those of X F ~ . Also any cycle in XFl U XF12 is entirely in either XFI or XFI2.
FI-indeterminate cycles are defined as follows.
Definition 2.10 Suppose zl, . . . , zm is a cycle of fi-uncertain states of the diagnoser.
The cycle is called Fi-indeterminate if there exist 1 3 1 and 4,4,. . . ,4 E z j , for
al1 1 5 j 5 rn such that (41 1 5 j 5 ml 1 < k 5 1 ) E XFl or (4 1 1 5 j 5 rn, 1 5 1 k 5 Z} C XF12, and also x: ,x : , . . . , x ~ , x ~ , . . . , x g , . . . , x , , . . . , x r form a cycle in the
RTS. The RTS cycle is called an underlying fadty cycle of the FL-indeterminate
cycle. O
Theorem 2.7 Suppose 2.0 = X. The permanent failure FI is diagnosable if and only
if
1. From every x E &, u XF12, there is (at least) one transition to another state
in XF~ U XF12 unless X(x) is FI-indicative;
2. There is no cycle in XFi or in XFi2 consisting of states having the same output
unless the output syrnbol is FI-indicative;
3. There are no FI-indeterminate cycles in the diagnoser.
Proof. Siniilar to the proof of Theorem 2.1. 0
The reduced RTS and high-level diagnoser can be constructed in a way similar to
that described in Section 2.4. The low-level and high-level state estimates mil1 still
be related by: Ptk = &. The results of Section 2.4 on diagnosability can be similarly
extended to the case studied in this section. CVe briefly point them out here.
-1 state of the high-level diagnoser Z is Fr-certain iff i i (2) = { F I ) or %(t) = (FI2)
or R ( I ) = ( F I , FI2) . Z is FI-uncertain iff it is not FI-certain and R ( Z ) n { F I , FI2} # 0.
The failure mode FI is diagnosabie if and only if it can be detected and isoiated by
the high-level diagnoser (Le., the high-level diagnoser enters an FI-certain state) after
the occurrence of a bounded number of events, following the failure and initialization
of the high-let-el diagnoser.
The diagnosability conditions, to be given later, are the same as those in the single-
failure scenario except that XFl and XFl are replaced by XFI U XF12 and XF, U XF12 >
respectively. This is simply because after the occurrence of FI, the state x will be in
XF, U XF12. Note that since Fl and F2 are assumed permanent, in the reduced RTS
there are no transitions from states of XF12 to those of XFl ( or XF2 for that matter).
..\lso any cycle in XFl U X F ~ ~ will entirely be either in XFI or in XF12. The definition
of FI-indeterminate cycle (with respect to the reduced RTS) is the same as Def. 2.7
(with i = 1) except that z i , 4, XFl and XF12 are replaced with 2, Z',, FFI and XFi2,
respectively and the underlying cycle will be in the reduced RTS.
Theorem 2.8 Suppose 20 = X . The permanent failure Fl is diagnosable if and onlÿ
if
1. From every x E XFl U XFlz, there is (at least) one transition to another state
in XF, U XF,, unless X(s) is FI-indicative;
2. There is no cycle in XFl or in XFL2 consisting of States having the same output
unless the output syrnbol is Fl-indicative;
3. There are no FI-indeterminate cycles in the hi&-level diagnoser.
Proof. Similar to the proof of Theorem 2.6.
Remark 2.11 In the definition of diagnosability, a failure mode Fi is called diag-
nosable if after the occurrence of the failure and initialization of the diagnoser, and
occurrence of a bounded number of events, the diagnoser enters an Fi-certain state.
This finite set of events may include failure events. One may argue that the detection
of Fi should not depend on the occurrence of another failure (or perhaps another oc-
currence of Fi)- But we would like to point out that in a lot of cases, failures that may
happen simultaneouslÿ are not independent and in fact, are related. Failures having
a common cause and failures involved in a domino effect (where one failure causes an-
other failure) are two such cases. In these situations, the definition of diagnosability
given in this thesis seems reasonable. 0
Example 2.3 - Pump and Valve [30]
Let us go back to the pump and valve system of Example 2.2 (Section 2.3). This
Condition hr Fi F2 F12
Controller State
Cl
Figure 2.16: Example 2.3. DES mode1 of the pump and valve q-stem.
time suppose the valve can only fail stuck-closed (failure mode F I ) . .&O assume that
the pump can fail ON (failure mode F2) and that the pump failure and valve failure
may occur simultaneously. The DES mode1 of the system are given in Fig. 2.16. We
assume that a pressure sensor on the pump detects pressure and generates one of
the tmo output symbols pp (positive pressure) or np (no pressure). In this system,
Y = {ai, a z , Q3i Q4, 03, 7 1 , ̂ (2<Y4,62, 641, mkxe
The RTS and diagnoser are given in Tables 2.4 and 2.5. The reader can easily verifi-
that conditions 1 and 2 of Theorem 2.7 are satisfied for both of the failure modes.
Furthermore, there are no FI-uncertain or F2-uncertain cycles, hence neither FI nor
F2-indeterminate cycles, in the diagnoser and therefore, condition 3 holds as well. As
a result, both FI and F2 are diagnosable.
Intuitively, one can see that if the valve fails stuck-closed while the pump is ON (or
faiIed ON), there will be no flow while positive pressure is detected (output symbol
- - -
Table 2.5: Example 2.3. Diagnoser.
,&); this indicates the existence of the failure FI. Also if the pump fails ON at the
start of cycle when the controller is at the state Cl, positive pressure will be detected
(output symbol yl) indicating the presence of the failure F2. Note that and 71 are
FI and F2 indicative, respectively.
Chapter 3
Fault Diagnosis in Timed
Discrete-Event Systems
In Chapter 2, changes in the output sequence resulting from failures were used for
diagnosing failures in finite-state Moore automata. In many cases, however, a failure
changes only the timing of the output sequence, rather than the sequence itself. In
other cases, as a result of failure, the system stops generating new output symbols
(e.g., when the temperature is low in the heating system of Esample 2.1). In these
situations, timing information can be used to increase the accuracy and speed of
fault diagnosis. This improvement. in general. cornes at the expense of additional
computational complexity.
In this chapter, we extend our framework to timed discrete-event systems (TDES).
In Section 3.1, we discuss failure modelling. Section 3.2 presents an extended version
of the diagnoser of Chapter 2 and explains how i t can be used in fault diagnosis in
TDES. In Section 3.3 diagnosability in a finite time interval is studied, the concept
of tirne-diagnosabilzty in our framework is introduced, and necessary and sufficient
conditions for time-diagnosability are obtained.
3.1 Plant Mode1
In this chapter, we assume that the plant under control can be modelled as a timed
discrete-event system (TDES) [3]. -4 TDES is a finite-state automaton containing
in its event set an event which is the tick of a global clock. The tick is assumed to
be observable. The TDES mode1 can be used to describe the sequence of events
occurring in the system with respect to the ticks of the global clock.
Forrnally, it is assumed that the plant under control can be described by the
finite-state Moore automaton G, = (Q,, Cr, &, qo, Y,, A,), where QT, C , and Y, are
the finite state, event and output sets; go is the initial state, & : Q, x ET + 2Qr the
transition function and A, : Q, + Y, the output rnap. As noted above, one of the
events in C, is the tick of the global clock, and is denoted here by 7. It is assumed
that Q, is reachable from qo.
Note that Gr (or any other TDES for that matter) cannot have deadlock states;
Le., for any q E Qr7 &(q, a) # 0, for some a E C,. This is because at Ieast the
tick event happens periodically, and therefore a t each state q E Q,? even if none of
the non-tick events is enabled, the tick event will be enabled (b,(q, T ) # O ) ? and mil1
occur a t the due tirne.
It is assumed that Gr is activity-loopfree 131, which simply means that there
are no cycles of non-tick transitions in Gr; Le., for every n > 1 and q l , . . . , qn+l f Q,
and al,. . . .on E Cr - {r} such that qi+i E b(qi,ai) (i E {l, . . . , n}), we must have
(11 # qni 1. This means that only a finite number of non-tick events may occur between
any two consecutive dock ticks.
The TDES G, describes the behaviour of the system in both normal and faulty
situations. Suppose there are p failure modes Fl, . . . , Fp- Our discussion in this
chapter will be limited to single-failure scenaxios; the results can be generalized to
the case of simultaneous failures as in Chapter 2.
I t is assumed that the state set Q, can be partitioned according to the condition of
the system: Q = Q,,NUQ~,F~Ù . - uQ,,F,. With K = {N, FI , . . . , Fp) as the condition
set, the condition map of G,, K, : Q, + K, is defined such that for every q E Q,,
n,(q) = iV if q E QTvN, and ~ ~ ( q ) = Fi if q E QTVFt (i E 11, ..., p ) ) . Note that in
our framework, the occurrences of failures are modelled by failure events; therefore
in any transition gl % 42, n,(qi) # n , ( ~ ) only if a is a failure event. Thus, if a = 7,
then ~ , ( q , ) = ~ r ( q 2 ) -
Timed discrete-event systerns are used in [3] in the supervisory control problem.
There, the TDES models are obtained from activity transition graphs (,4TG).
ATG models provide a compact way of describing discrete-event processes. .4TG
models for complex systems can be systematically composed from the ATG models
of the corresponding subsystems using a useful synchronous product [3]. Every -4TG
model can be transferred into a TDES (as defined in this work) but not vice versa;
i-e., not every TDES represents an ATG model.
As mentioned before, .4TG models are convenient for describing discrete-event
processes and we will use them later in this section in an example. In the following,
me describe ATG models and explain how TDES models can be obtained from thern.
For more details about ATG models, the reader can refer to [3].
Let us assume that the plant under control can be modelled with the six-tuple
GXt = ( A : Cact, dut, Ro? YZtr Aacr) which we cal1 the activity transition system. A,
C,, and Y,, are the finite activity, event and output sets; a. is the initial activity,
&, : -4 x C,, + 2" the activity transition function and A,, : A + Y,, the activity
output map. This model is similar to that in [3] except that it is nondeterministic
and includes an output map. The transition graph of G,, is called the activity
transition graph (-4TG).
Let a denote the activity of the system. Initially, a = ao. For a given activity
a, an event a f C,, is enabled (resp. disabled) if b(a, a) # 0 (resp. d(a .0) = 0).
Each activity corresponds to a 'mode' or 'phasey of operation of the system in which
certain events are enabled or remain enabled or are disabled. Each event o E C,,
lias a lower time bound 1, E W and an upper time bound u, E NU {m), with
1, 5 u, (N = {O, 1 ,2 , . . -1). An event a is called prospective if u, E N and remote if u, = m. A prospective
event a with time bounds 1, and u, cannot occur before 1, ticks of the clock but if it
remains enabled, it will occur before the (u, + 1)-th tick (following its enablement)
unless it is preempted by another event in Cm. If a is remote with a lower time
bound of l,, then it wiIl not occur before 1, clock ticks but if it remains enabled, i t
may occur any time after the 1,-th tick. The time bounds 1, and u, typically would
represent delays due to process dynamics or measurement.
To keep track of the status of each event, let us bring in the timers t , (a E C,,).
Initially, by definition, the timers assume their default values given by
u, u prospective, t , =
1, a remote.
If the system is in a E A and a is enabled (i.e., d(a, a) # a), then t, will be decre-
mented by one after each clock tick until tu = O. After this, t , will remain at O. The
timer tu will be reset to its default value if either a occurs or a is disabled. Therefore,
a prospective event a can happen only when O 5 tu < u, -lu; if tu becomes O, then a
will occur before the next tick unless it is preempted by another event in C,,. -41~0,
a remote event a may occur only when tu = 0.
Define timer intervals Tu C 2N according to
[O,u,] o prospective, Tb :=
( [O, lu] a remote.
In this chapter, for j , k E N, [j, k] := {i E W 1 j 5 i 5 k 1. Obviously, tu E T, always,
for al1 a E C,,.
The state of G,, is given by the current activity a and the timers t , (O E C,,).
Formally, the evolution of the state of G,, is described by the timed discrete-event
s ~ s t e m Gr = (Q,, ET, &, qo, K, A,), where Q, C A x n{T, 1 E L), Er =
C,,U{T) and Y, = Y,, are the finite state, event and output sets. Note that the
event set C, includes the clock tick. .At qo, the initial state, a = a. and al1 of the
tirners assume their default values. A, : Q, + Y, is the output map with
6, : Q, x C + 24. is the transition function of the TDES and is defined as follows.
Let ç = (a, {ta 1 a E Cxt }). Then for o E C,,, 6(q, o) # 0 if and only if
1. a = T, and t, > O for al1 prospective a ' s , or
2. O is prospective, S,,(a, O ) # 0, and O 5 tu 5 u, - l,, or
3. a is remote, &,(a, a) # 0, and t, = 0.
1. If O = T , then a' := a, and
for al1 a, prospective
if 6,, (a, a) = 0 t:, :=
ta - 1 if b,, (a, a) # 0 and t, > O
(Xote that if t , = O, then 6(q, T ) = 0)
and for al1 a remote
L if &, (a, a) = 0 t: := ta - 1 if &,, (a, a) # 0 and t, > O
O if d,,,(a: cr) # 0 and ta = 0.
2. If a E Cat, then, by definition, a' E 6,, (a, O ) , and
for al1 a! # a and a prospective
U, if b,, (a', a) = 0 t', :=
ta if Lt (a', a) # 0,
t', := u, if O is prospective,
for al1 a, # a and a, remote
1, if b,, (a', a) = 0 t:, :=
t , if ~ 5 ~ ( a ' , a ) # 0,
and t> = 1, if o is remote.
In this framework, the activity transition model of a system consisting of several
subsystems can be obtained from the synchronous product of the activity transition
rnodels of the subsystems [3] (Note that in our framework, the activity transition
systerns are nondeterministic). The time bounds of events in the resultant systern
are functions of the time bounds of the events in each subsystem. Suppose GXt is
obtained as the synchronous product of Gl,ac- and G2,aa- Let Cl,, and CSlact be the
event sets of Gi1,, and G2,act. If O Cl,act n Cllact, then we usually take the time
bounds of a to be identical to their values in the corresponding activity transition
model. If a E Cl,,, n then 1, and u,, the time bounds in GXt, will depend on
U L , ~ : 12,@ and 7 ~ 2 , ~ (the corresponding time bounds of a in Gl,,, and G2,art) and
on the interaction between the subsystems. The following rule has been suggested in
[3] (alt hough, in t his thesis, we do not necessarily abide by it) :
if Eu 5 u,; othenvise the synchronous product is undefined. This rule embodies the
idea that a shared event may be executed if and only if both subsystems agree on it.
The models Gact and G, describe the behaviour of the system in both normal and
faulty situations. Suppose there are p failure modes F i , . . . , F,. The event set Ex,
includes failure events. As mentioned earlier, our discussion in this chapter wiil be
limited to single-failure scenarios.
It is assumed that the activity set A can be partitioned according to the condition
of the system: A = ANwAF,u - u A ~ . With K = {N, FI, . . . , F,} as the condition
set, the condition map of G,,, K,, : A + AI, is defined such that for every a E A,
n,,(a) = N if a E AN, and n(a) = Fi if a E AF, (2 E {1, . . . , p l ) . The condition map
of G,, n, : Q, -t K, is defined in terms of n,,; &(q) = ~,,(a) for al1 q = (a, {tu 1 o E
L t ) ) .
Remark 3.1 In the above ATG models, the lower and upper bounds of non-tick
events are not affected by failure. In some practical cases, a failure may change these
bounds; it may also delay or speed up the enabled events. One way of extending the
-4TG models to cover the above cases is (i) to let each non-tick event have different
sets of time bounds for each condition at which the event can be enabled, and (ii)
to make sure that the timers tu stay within their permitted bounds. Specifically,
conslder a non-tick event a. We let a have the time bounds l,,~ and u , ~ (resp.
and uQ,c) if CY can be enabled at the normal mode (resp. the failure mode Fi)- In our
framework, a change of condition is a result some failure event (or perhaps recovery
event ' ). Now consider the transition q 5 q' in the TDES which represents the
occurrence of a failure Fi. If a! is enabled at q but not enabled at q', then, as before,
we let ta, the value of the timer corresponding to cr after the transition, be given by
t: = u, if cr is prospective and tk = 1, if a is remote. If a is enabled at q', then we let
t: = f: (t,, la, u,, l:, u;), where ta is the value of a ' s timer before transition, I, and
IL, (resp. 1; and au:) are the time bounds of n in the condition n,(q) (resp. ~ ~ ( q ' ) ) ,
and j: is a function satisfying O $ /;(ta, l a , IL,, IL, ua) $ u; if LI is prospective and
O 5 fA(t,, Z,, u,, l;, u',) 5 1; if a is remote. f: describes the eEect of the failure mode
Fi on the timing of Q and can be used to mode1 delay or advance in the occurrence
of a. Synchronous product of ATG models can be defined as before. Here, of course,
the dependency of time bounds on the condition (hence, state) should be taken into
account. For example, suppose G,, is obtained as the synchronous product of G1,,,
and G2,act- If at a given activity of G,, a = (al, a2) (with al and a2 being the
corresponding activities in G1,,, and GÎYact), a E Cl,act fi C2,,, is enabled, then the
time bounds of a, in general, depend on its time bounds in ni,,t (al) and K ~ , ~ ~ (a2)
(KI,=, and Q,,, are the condition maps of G1,,, and GPVxt). In [4], another framework
for having different sets of time bounds for each event is proposed which is simpler
'If failure recovery is also modelled, then the event set will include failure recovery events.
50
but not as general as the the one proposed here. 0
From now on, we assume that the plant under control, G,, is a TDES as defined
at the beginning of this section, which rnay or may not have been obtained from an
-4TG model.
Alur et. al [l] have proposed another framework for capturing timing information
in discrete-event systems. We have decided to use an approach based on TDES
models for the following reasons:
0 .A useful range of problems in control engineering can be modeiied using TDES;
0 They are amenable to a useful subsystem composition as described earlier in
this section (when the TDES are obtained from -4TG models):
0 This approach results in a considerably simpler theory for fault diagnosis be-
cause events are timed with respect to a single global clock while in [l], in
general, several asynchronous timers are used for timing. Our framework for
fault diagnosis may be reformulated in the setup of [l]; the resulting theory will
probably be too complex to be useful practically.
Without loss of generality: we assume that no T transition results in a change in
the output. If the TDES is obtained from an activity transition system, then the
above assumption will be true. In general, if the assumption fails, then we replace
any transition ql 4 q ~ , with X,(ql) # X,(qz), with the two transitions ql A 6, 3 92
with X,(qi) = A,(ql). Here q', and 0 1 2 are a new state and event that will be added
to the state and event sets of the TDES. The resulting TDES will satisfy the above
assurnption.
Since r transitions do not result in output change, it will be useful for diagnoser
design to project out the clock ticks from the TDES. For example, consider a path
qi A 92 q3 3 94 in the TDES. We would like to build a systern in which the
above path is replaced by a single transition ql 4 94 and store the transition time (2
ticks) in some set. This transition simply says that q4 is reachable from ql through
a sequence of clock ticks (in this case, 2) followed by a a transition. We refer to
the resulting system which describes the order and duration (in ticks) of occurrence
of the non-tick events in the plant as the timed finite-state Moore automaton
(corresponding to the TDES model). The timed FS-ril.4 corresponding to the TDES
G, is defined to be G = (X, C , 6, T, xo, Y, A), where X: C and Y are the state, event
and output sets; 6, T and X are the transition, transition-time and output functions,
and xo is the initial state. By definition,
X is the set of states that the TDES can enter with a non-tick transition.
Notation. For every x, x' E X and a E C, rire write x 9, x' if and only if there exist
1 > 2, gl, ..., grl with ql = x and ql = x', such that qi+i E d T ( q i , 7 ) for 15 i < 1 - 2
and ql E & (qr-i,B). cl
The transition function 6 : X x C + 2" is defined according to:
b(xl, O ) is the set of states that can be reached from xi through a sequence of n
consecutive T transitions (for some n 2 0): follorved by a a transition.
1Ve also define the transition-time function T : ,Y x C x S -I 2N as follows:
Figure 3.1: TDES and the corresponding timed FSPVIA.
ticks) that a O-transition from xl to x2 may talce in the timed FSM-4.
The output map X : X + Y is given according to: A(x) = XT(x), for al1 x E
X 2 Q,. We further define a condition map K. : X + K mith n(x) := K,(x):
for al1 x E X E Q,, and extend the definition to al1 subsets z Ç X according to
K ( Z ) := U{K(X) 1 x E 2).
For example, consider the TDES and the corresponding timed FSMA of Fig. 3.1.
Here, Q, = (0 , - - - , 5} , qo = O, ET = {01,62,O3,~}, Y = { Y L ~ Y ~ } ; X = {0,3:4},
7(0 '01,3) = {Z), 7(0,02,4) = {3}, 7(0,03, 4) = {l} and T(3,02,4) = {O}. The
timed FSM-4 describes the order of occurrence and the timing of the non-tick events
in the TDES.
Suppose x E X and z # qo = xo. Then there exist x' E QT and O E C, - {T)
such that x E &(XI, O ) . Q, is reachable from qo, by assumption. Therefore, there
esists a path in G, from go to x' which can be continued by a a transition to x. -4fter
projecting out the T transitions of the path from qo to x, we will obtain a path in
G which starts at go and ends with a o transition to x. This shows that in G, X is
reachable from xo = go.
Consider a path ql q2 - - O q,-, 5 q, in the TDES, with ql E X and
t 3 2 . Mter projecting out the T transitions, we get a path q1 5 qt in G with
t - 2 E T ( q l , O, q t ) . Conversely, for any transition q % q' in G , there exists a path
in the TDES starting at ql and ending a t q', consisting of some t back-to-back tick
transitions (t E T ( q , o, q')) followed by a a transition to q'. For example, in Fig. 3.1,
O 5 1 2 4 3 3 4 in the TDES is replaced by O 3 4 in the timed FSMA, with
7(0,02, 4) = {3}-
Output-adjacent states in Gr and G are defined according to Def. 2.1. A very
important point to remember is that if a state q in the TDES is output-adjacent to
some q' E QT, then q E X because, by assumption, the TDES output changes only
as a result of non-tick transitions. The following lemma is easy to prove.
Lemma 3.1 For q, q' E X, q * q' in G if and only if q * q' in Gr. 0
For example, in Fig. 3.1, the state 4 is output-adjacent to O and 3 in both the TDES
and the timed FSMA.
Remark 3.2 For any x, x' E X and a f C , T ( x , o, x') may be either a finite or an
unbounded set. T(., ., .) becomes unbounded only when G, contains cycles consisting
of the tick event, T. If G, is obtained from an activity transition system, then T
selfloops can be the only T cycles G, may contain. This is because after every T
transition, except in T selfloops, a t least one of the timers t,(o E C) and hence,
t , decrease. As a result, in any sequence (other than a r selfloop) qi q2
- - 4 q,, the states qi are d l distinct.
Suppose G, is obtained from an activity transition system. For x,x' E X and
o E Z, T ( x , 0, x') will be unbounded if there exists a path x = pl q2 - - - u
91-1 91 + qiii = x' ( I 2 O) with a t least one of the states q,, . . . qi having a T
selfloop. Therefore 7 ( x , 0, 2) ni11 have one of the following forms:
(i) a finite set of integers, or
(ii) union of a finite set of integers and a set [t*, oo), for some t' E W.
For any x E X, the sets T ( x , ., .) can be calculated using a breadth-first search
with a time complexity of O(l&,I ITc, 1): with Tc, denoting the set of transitions of
G7- - If, however, G, is not obtained from an activity transition system and includes r
cycles other than T selfloops, then the 7 ( x , o, x'), in general, will have complicated
forms. This issue will be further discussed in the following section. 0
Figure 3.2: Exarnple 3.1. -4 simple TDES.
Figure 3.3: Example 3.1. Timed FSMA.
In this chapter, we use two running examples to illustrate our methodology.
Example 3.1 - A Simple TDES
Consider the TDES in Fig. 3.2. In this system, Q, = {O,. . . ,9}, qo = O , C , =
{ O ~ , O ~ : O ~ , T , F ) , Y = {ol,o2}, K: = {M, F ) , QIVN = {O, .. . , 5 } , a n d Q I , ~ = { 6 , - . . : 9 } -
The system has a failure mode F. In both normal and faulty modes, the output se-
quence generated by the system is - - - 01 02 01 02 - . .. The timing, however: is different
in these modes. In the normal mode, 01 is generated one tick after 02 while in
the faulty mode, 01 occurs immediately after 02. The corresponding timed FSMA
is shown in Fig. 3.3. Here, X = {O, 2,4,6,9). In the figure, the transition-time set
7(-, -, .) of each transition is written by the transition. For example' T(O,ol, 2) = (1).
CVe can see that in this system, the state 4 is outputadjacent to O and 2 (in both
the TDES and the timed FSMA). Similarly, 6 is output-adjacent to 4 and 9. 0
Figure 3.4: Example 3.2. A neutralization process.
Our second example, is more complex and is based on a neutralization process.
Example 3.2 - Neutraiization Process
In a (simplified) neutralization process (Fig. 3.4), initially, al1 valves are closed and
the tank is almost empty. The process starts by opening vaive V1 and filling the
reaction tank up to level l 1 with the chemical to be treated (here acid). Next, VI is
cIosed and the neutralizer (base) is added by opening valve V2. When the alkalinity
(pH) of the solution reaches the normal range, V2 is closed and the tank contents
are drained through valve V3. This completes a cycle of the process. Following this:
another cycle will be started.
The events and the corresponding time bounds are given in Table 3.1. Two failure
modes are considered here: valve V1 stuck open ( F I ) and valve V1 stuck closed
(F2) . For simplicity, it is assumed V1 gets stuck open (resp. closed) only when
it is open (resp. closed). Sensor measurements are 'pH' and 'Level', with pH€
{a(acid). n(neutral), 6(base)) and L e v e i ~ { L o , Li, Lz, L,}.
The control sequence consists of 8 steps:
Cl: Order V1 open;
W.4IT UNTIL pH=a OR Level=L1;
IF pH=a GO TO C2;
ELSE GO TO C3
1 Event 1 Time bounds 1 oz ci
Lij a2n n2a W2
Table 3.1: Example 3.2. Events and their time bounds.
FI F2
C5: Order V1 closed;
Order V2 open;
WHEN pH=n GO TO C6
vaive i open valve i closed
level change from Li to L,
pH change from a (acid) to n (neutral) pH change from n (neutral) to a (acid) wait for 2 clock ticks
CG: Order V2 closed;
Order V3 open:
WHEN Level=Ll GO TO C7
[l J I [lJI
[l', u'] for L23 [Z, u] otherwise
144 [lJ1
2 valve V l stuck open valve V1 stuck closed
C8: Order V3 closed;
W.MT for 2 clock ticks;
GO T O C l
[O, 00 ) 1
[O, m )
Note that, by assumption, the controller does not have a way of knowing whether
a valve is open or closed. It is also assumed that in addition to Level and pH,
the current step in the control sequence is known to the diagnoser. Therefore Y C
{ C l , . . - , C 8 ) x { L o , L ~ , L ~ , L ~ ) X {a ,n ,b ) -
The -4TG and the corresponding TDES describing the neutralization process are
depicted in Figures 3.5 and 3.6 (assuming 1 = 2, u = 3, 1' = 1 and u' = 2 for the
time bounds of the Li, as given in Table 3.1). The output and the condition maps
of the TDES are given in Table 3.2. The names of the TDES states have the form q
or q.n, where q refers to the activity q in the -4TG (Fig. 3.5). The ATG consists of
three subautomata each describing the behaviour of the system in the N or FI or F2
condition. Note that, to avoid cluttering the graph, Ive have depicted the transitions
from the normal mode N to the faulty conditions Fi and F2 (i.e., failure events) only
on the subautomata corresponding to the faulty conditions. Initially, the system is
a t qo = 1 where the controller enables the event 01 (open Vl). The lower and upper
bounds of 01 are both 1 which means that following its enablement, 01 cannot occur
before the first clock tick but if it remains enabled, it will certainly happen before
the second clock tick. The event 01 occurs after the first tick but before the second.
Following this, the level reaches the LI range and the solution becomes acid within
the time bounds specified in Table 3.1. Then level reaches Lz in 1(= 2) to u(= 3)
dock ticks and, so on. Note that a t state 15 when the controller orders V3 closed, it
waits tu70 ticks of the clock before starting a new cycle to make sure V3 is closed a t
the start of the new cycle. While V1 is open, it may fail stuck-open which ultimately
results in the occurrence of Lz3. ,%O it may fail stuck-closed while it is closed. In this
case, a t the beginning of the new cycle when the controller orders V1 open, neither
LOI nor n2a will happen.
The timed FSM-4 of the neutralization process is shomn in Figures 3.7 and 3.8.
According to the timed FSM4, for example, the transition from state 5 to 6 takes 2
to 3 ticks. This is in accordance with the TDES (Fig. 3.6).
3.2 Diagnoser
For diagnoser design, it is possible to start with the TDES mode1 of the system and,
treating the clock tick as an extra output signal (Le., extending the output map to
include the ticks), design a diagnoser using the methodology presented in the previous
chapter. This diagnoser, which we will refer to as the standard diagnoser, provides
updates of the system's condition after the generation of every new output symbol in
Figure 3.5: Example 3.2. Activity transition graph.
Figure 3.6: Example 3.2. TDES model.
State 1 1.1 2 2.1 3 4
State 2.1' 2.2' 3' 4' 5' 1
Output, Condition (Cl,Lo,n), N (C1,Lo,n), N (C~,Lo ,n ) , N (C1,Loln), N (C2,Lo,a), (C3,L17n),
a 5.1 5.2 5.3 6 6.1 7 8 9 9.1 9.2 9.3 10
Output, Condition (C1,Lo, n), Fl
(C1,Lo, n), Fl (C2,Lo ,a), FI (C3,Ll 31, FI ( C U 1 ,a), Fl (C4,Ll,a), Fi
5.2' 5.3' 6' 6.1' 8' 8.1' 8.2' 17' 7" 9" 9.1" 9.2" 9.3"
(C4?Ll,a), N (C4,Ll,a), N (C4,Ll,a), Al (C4,Ll,a), Ar (c%L2 4) Y 1v
(C5,L2,a), IV (C5,L2,a>, N (C5,L2,a). N (C%L2,a), N (C5,L2,a), N (C5,L2,a), 1V (C5,L2,a), N (C6,L2,n), N
'
(C4,Ll ,a), F~ (C4,Ll ,a), FI (C5,L2 ,a), Fi (CS, L2 ,a), Fl
7.) FI (C5,L2,a), Fi (C5, L2 ,a) , Fl (C5,L3,a), FI (CS1L2,a), F2 (Cs,& 4) , F2 (C5,L2,a), F2 (C5,L2,a), F2 (C5,L2,a), F2 (C6,L2,n), F2 (C6,L2,n), F2 (CG, L2 ,n), F2 (C6,L2,n),F2 (C6,L2,n),F2
10.1 11 12 13 13.1 13.2 13.3 14 14.1 14.2
(C6,L2,n) ,N (C6,L2?n) !N (C6,L2,n), (C6,L2,n), N (C6,L2,n) ,N
10" 10.1" 11'' 12" 13"
(C6,L2,n)? 1V (C6,L2,n), N (C7,Ll,n), !V (C7,L1 ,n), N (C7,Ll,n), IV
13.1" 13.2" 13.3" 14" 141'
14.3 15 15.1 16 16.1
~ble 3.2: Example 3.2. Output and condition maps of TDES
(C6,L2,n), F2 (C6,L2,n), F2 (C6,L2,n), F2 (C7,Ll,n), F2 (C7,Ll ,n), F2
14.2" 14.3" 15" 15.1" 16" 16.1" 1" 1.1"
(C7,Ll,n), .LW (C8,Lo,n), N (C8,Lo,n), N (C8,Lo,n) ,N (C8,Lo,n): N
(C7, Ll ,n) , F2 (C7,Ll,n), F2 (C8,Lo,n),F2 (C8,Lo,n), F2 (C8,Lo,n),F2 (C8,Lo,n), F2 (Cl,Lo,n), F2 (C1,Lo,n), F2
Figure 3.7: ExampIe 3.2. Timed FSMA (Part 1) .
Figure 3.8: Example 3.2. Timed FSMA (Part 2).
the output set Y and every clock tick. In [4], a similar method has been developed
for the extension of the event-based framework of [29]. This is a straightfonvard
approach. However, the nurnber of states of the corresponding RTS and diagnoser
will be very large due to the incorporation of timing information.
In this chapter, ive propose an alternative approach in which the process of up-
dating the estirnate of the system's condition is performed only when a new output
symbol y E Y is generated. The update process is based on the generated output
symbols and the number of clock ticks occurring between them; no updating a t clock
ticks is required in this method. As wïil be s h o m later, for fault detection and di-
agnosis between two consecutive output symbols, we can rely on what we refer to as
predictians of the system's condition. This results in significant reduction in on-line
computing requirements and, in many cases, in the size of the diagnoser, albeit a t
the expense of extra off-line design calculations. Because of the use of predictions in
diagnosis, we refer to this diagnoser as the predicting diagnoser. In the following,
Ive first discuss diagnoser construction. Then we will explain how the diagnoser can
be used for fault diagnosis.
- Diagnoser Construction
Corisider the plant under control which in the previous section, was modelled as a
timed FSM.4. This timed FSMA generates an output sequence yl, y2, ? yk. Let tk
denote the number of clock ticks that occurred between the observations ykql and yk.
The diagnoser proposed in this chapter generates a state estimate r k E 2" - {a} for
the timed FSMA based on the output sequence yl, v2,. , y k and the timing sequence
t P . - , t k . K ( z ~ ) will be the estimate of the systern's condition a t the time that yk was
generated (Fig 3.9). -4fter t k f l ticks and upon obsert-ing r k d l be updated to
Zk- 1 - The functions 7; : QT x QT +P zN and 7 : X x X + 2N, defined in the following,
give the possible transition times between output-adjacent states in the TDES and
Plant + 1 "hm& Estimates of
Output the Systcm's Sequence Condition
Figure 3.9: System and diagnoser.
the timed FSM-4, respectively.
[ (tl t is the timc (in tidrs) it can take the TDES
to go from q to q' using a path along 7; (q; 9') :=
which the output is h,(q) (except at q')}
{tl t is the time (in ticks) it can take the timed
FSMA to go from x to x' using a path along T(z, d) :=
which the output is X(x) (except a t x')} if x + x',
0 ot herwise.
These functions are used in the diagnoser state update Iaw. For example, in the
neutralization process, 1 =+ 3, %(1,3) = 7(1 '3) = {2); 9 * 10"' 7;(9,10N) =
?(9,1Of') = {2,3}; 9.2 + 10" (in G,) , and 7;(9.2,10") = (0 , l ) . Note that for x. x' E
S, z + z' in G if and only if x =+ x' in G, (Lemma 3.1), and 7 ( x , XI) = %(x, x').
We define the predicting diagnoser to be a finite-state machine D =
( Z 7 p , < , h , k l n ) , where Z C (2" - {a}) x {0,1,2}, ? C Y x PI, k C 2" - { O }
are the state, event and output sets of D. Note that the event set can be countably
infinite. a is the initial state, C : Z x Y + Z is the transition (partial) function, and
k: : 2 -t the output map. - The state of D has the general form z = ( z , e) , where z E 2" - (0) and e E {O, 1,2).
We will explain the role of e, the second component of g, later, after discussing the
transition function of the diagnoser. For the initial state of the diagnoser e = O; Le.,
3 = (zo, O), for some zo E 2X - {@}. zo contains the information available about the
state of the system G before the diagnoser is initialized. Here we assume that the
state of the TDES before the initiation of diagnosis is
zr,-, = ro u {q E Qr 1 q is reachable from a state x E zo through
a sequence of T transitions only).
This means that a t the time when the diagnoser is initialized, no information about
the time of generation of the latest event (and output) is available.
Gsually zo = X (therefore, z,,~ = Q,) because the diagnoser may be initialized
at any time while the system is in operation and, in this situation: the state of the
system is usually unknown. If the system is only known to be normal a t the time
that the diagnoser is initialized, then 20 = XN.
After the diagnoser is started and the first output y, is read, zo is updated to
z1 = zo n A-'({y,}). Since T transitions do not result in output change, z,,~, the state
of the TDES at the time y1 is read, is
&,1 = 27.0 n YI})
= zl u { q E Q, 1 q is reachable from a state x E 21 through
a sequence of T transitions only}.
The diagnoser state transition &+' = (tkC1 , ekC1) = C ( Z ~ ; , gk+' , tk+l) is defined
according to
Xote that zl only depends on zo and yl; t l is actually undefined. The diagnoser
output map : Z + R gives the estimate of the system's condition:
As mentioned earlier, a is the estimate of the system's state before the diagnoser
is initialized. Upon starting the diagnoser and observing the output symbol yl, the
state estimate is updated to z l . At this time, the state of the TDES is in + , 1 . If
after t2 ticks y2 is generated, then zl Nil1 be updated to 22. In order to obtain zz7
first we find the set of states q that are output-adjacent to some q' E z,,l, and satisfy
t2 E %(q', q ) Note that this set is a subset of X (because each of the states of the
set is output-adjacent to some state). Then 22 will be those q's in the above set
that have y2 as output. Next, if y3 is generated after t3 ticks, then z3, the current
state estimate, will be the set of states x E that are output-adjacent to
some 2' E zz with t3 E T(z',z). z3 C X is the estirnate for the state of the timed
FSMA (and the TDES) when y3 is generated. The diagnoser keeps updating the state
estimate in this way after every occurrence of new output symbols from the set Y.
For k 2 2, zk is the estimate for the state of the FSMA (and the TDES) a t the time
?jk is generated.
.At step k, z k is the latest state estimate. Note that the update law for zk is
different for k = O, k = 1 and k > 2. To take this into account, ive have added
a component ek to the state of the diagnoser with eo = O, el = 1, and e k = 2 for
k 2 2. This change in update law is the result of the fact that we do not require
the system and the diagnoser to be initialized at the same time and that we do not
assume any specific knowledge about the state and the condition of the system before
the initiation of diagnosis.
-4s with fauit diagnosis in finitestate automata, it is computationally economical
to construct a transition system to summarize and store the information about the
output-adjacent states of the timed FSMA. The timed reachability transition
system corresponding to the timed FSMA G is defined to be G = (X, 7, Y, A ) , with
Sable 3.3: Example 3.1. Timed reachability transition system.
State Output-adjacent states {time} '
X and Y as the state and the output sets and X : X -+ Y the output map. The
function 7 : X x X + ZN rvas previously defined in this section; we shall refer to it
as the transition-time function of the timed RTS. Note that if a state x' is not
outputadjacent to another state z, then 7(z, 2') = 0.
O
Example 3.1 - A Simple TDES (Cont'd)
The timed RTS and the diagnoser for this example are given in Table 3.3 and Fig. 3.10.
Here we have assumed za = X N = {O, 2,4); i.e., the system is known to be normal
when the diagnosis is initiated. This means that zT,o = {O, 1,2,3: 4,5}. If the first
output symbol read, y,, is 01, then tl = {O, 2) and z,,l = {O, 1,2,3). In this case,
the second output symbol y2 has to be 02 and 22 = {4}. At the time of the initiation
of diagnosis, the TDES is in one of the states of z T , ~ . The reader can verify that
%(0,4) = {2}, 7;(1,4) = %(2,4) = {l}, and 7;(3,4) = {O). Therefore, 02 can
take O to 2 clock ticks to occur following the initialzzation of the diagnoser. The
tirne interval [O, 21 is written on the transition from z = ({O, 2},1) to 4: = ({4}, 2) to
indicate this. Similarly, if yi = 02, then zl = (41, z,,~ = {4,5} and we rnust have
g2 = 01. If 01 is generated after 02, before the next tick, then 22 = {O, 6). But if
01 is generated after one clock tick, then z2 = {O}. The rest of the diagnoser can be
constructed using the timed RTS and the diagnoser state transition law (for k 2 2).
Note that whenever an o l ia generated immediately after an 02, the diagnoser enters
an F-certain state unless the 02 symbol is the first output symbol read. 0
Example 3.2 - Neutralization Process (Cont 'd)
The timed RTS for the neutralization process is given in Table 3.4, assuming 1 = 2,
4
Figure 3.10: Example 3.1. Diagnoser.
u = 3, 1' = 1 and IL' = 2. In this table, the transition-time sets 7(., .) are only
provided for output-adjacent states. Also, '/' is used to separate states with different
outputs.
The diagnoser for the neutraiization process is shown in Fig. 3.11 (assuming zo =
X). Note that there are 4 parameters in the diagnoser: 1 , u, 1' and u'. The way the
diagnoser operates is descnbed in the following. If, for exarnple, the first output
syrnbol is (C5,L2,a), then z1 = {6,7,8,9,6', 6.1', 8', 7", 9", 9.1", - + ,9.u"). Observe
that zTVl = z1 U {6.1,9.1,9.2,9.3,8.11,8.2'} (Note that, for example, 6.1' E zl but
6.1 4 zl since 6.1' can be entered with an Fi transition, and therefore 6.1' E X = ao:
while 6.1 @ X = z0 because it can be entered by T transitions only). If the next output
symbol y* is (C5,L3,a), then = {17') and n(zz) = {Fi}; hence, the diagnoser will
reach an FI-certain state. According to the timed RTS, (C5,L3,a) can be generated
mithin 1' to u' + 1 ticks of the clock from the states in zl. Therefore y2 can take any
time betmeen O to u' + 1 ticks to occur following the znitialzzation of the diagnoser
from the states in z r , ~ ; i.e., O 5 t2 5 u' + 1. The tirne interval [Ol u' + 11 is written
on the transition from {6,7,8,9,6', 6.11, 8', 7", 9", 9.1", . . , 9.ut'} to (17') to indicate
this. Similarly, if instead of (C5,L3,a), y* = (CG, L2,n), then z2 = {IO, 10"). This
transition should occur in O to u t 1 ticks. After this, 33 = (C7, Li, n) will be generated
in Z + 1 to u + 1 ticks ( 1 + 1 < tg 5 u + 1). The rest of Fig. 3.11 can be similarly
interpreted. The transition to z = {l", 1.1") depicted by dashed lines on the left of
Fig. 3.11 will be explained later in this section. 0
Remark 3.3
If x' is output-adjacent to x, then B(x, x') # 0. In this case, ?(z, x') may
be either a finite set or an unbounded set (when there are cycles in G, and
G) . CVhen the I(., .) are large and complicated sets, and therefore difficult to
calculate, a design based on the standard diagnoser may be a more efficient
solution to the fault diagnosis problem.
0 Instead of representing the 7 and with their individual members, one may
use more efficient wvays for storing and manipulating sets such as representing
4' 5' 6' {2,3) 5.1' 6' {1,2) 5.2' 6' (0 , l ) 5.3' 6' {O) 6' 17' {2,3)
State 1
1.1" - 7" 10" {2,3} 9" 10" {2,3) 9.1" 10" {1,2} 9.2" 10" {0,1) 9.3" 10" { O ) 10" 14" {3,4)
. - a I
13.2" 14" {0,1} 13.3" 14" {O) 1 15" {2,3) 14.1" 15" {1,2) 14.2" 15" {O,l} 14.3" 15" 10)
Output-adjacent states {time) 3.3' 421 / 4.4' 121
16" 1+j 1 6 1 1" (O)
Table 3.4: Example 3.2. Timed reachability transition system.
State 1"
Output-adjacent states (time) -
Figure 3.11: Example 3.2. Diagnoser.
sets as unions of intervals and speciwng intervals only with their lower and
upper limits (rather than with their rnernbers).
In order to reduce comple,uity, one may approximate sets with intervais (e.g.,
approximating {l, 2,3,4,6,7,8,9) with [l, 91). This results in diagnosers that
will be less accurate, i.e., it may take the diagnoser a longer time to detect
and isolate a failure, or, in the worst case, the diagnoser may not be able to
detect or isolate a diagnosable failure a t all. -4ssuming that the failures rernain
diagnosable, the computation of the lower and upper Iimits of the approximating
intervals (corresponding to minimum and maximum times of the generation
of events and outputs), reduces to the calculation of optimai paths between
states in subgraphs of the TDES and the timed FSMA. For these calculations,
optimization techniques such as dynamic programming can be used which are
more efficient t han brute-force calculation.
It should be noted that complicated or unpredictable temporal behaviour (e.g.,
cycles) is generally considered undesirable in real-time control. Therefore, me
can expect the methodology proposed here to be applicable to a very useful
range of control problems, and to provide more efficient solutions compared
with the standard diagnoser. [7
Using the Diagnoser
The diagnoser provides estimates of the system's condition at the instants when new
output symbols are generated. For time!y and accurate diagnosis, ive may also need
condition estimates between output symbols after every dock tick. In the following,
we will discuss how for diagnosing permanent failures, these estimates can be replaced
by predictions of the system's condition.
Let us assume that at some point an output symbo1 y is generated. Suppose z and
~ ( z ) are the estimates of the system's state and condition following the generation of
y. Let Rch(z) denote the set of states of the timed FSMA that have output y and are
reachable from a state in z using a path dong which the output is y, namely,
Liml(r) := {x E X 1 x E Rch(z) & (6(x, u) = 0, for any 0 E C)}:
Lim2(z) := {x E X 1 x E Rch(z) & (3 x' E X, o E C : sup T(x , o, x') = oo)},
Lims(z) := {x E XI x belongs to a cycle in Rch(z)},
Lim(z) := Liml ( z ) U Lim2(z) U ~ i m & ) .
Liml(z) is the set of deadlock states in ~ c h ( z ) while Lim2(t) is the set of states of
Rch(z) from which a t least one transition rnay take an arbitrarily long time to occur.
For example, in the neutralization process, Rch({l, 1")) = {1,2, 2.1', 2.2', l", 1.1"},
~ i m ( { i , 1"}) = ~ i m ~ ((1, 1"}) = {l", 1.1"). In Example 3.1, however, Lim(z) = 0, for
al1 state estimates z because the TDES never stops generating new output symbols.
Lemma 3.2 Let zi 2 x* 3 . - be a path in the tirned FSMA that starts in r (i.e.,
xl E z) and stays in Rch(z) for al1 future time, with ti,i+l E N denoting the time
(in clock ticks) taken by the transition zi + xi+l- There exists 1V 2 O (in general,
depending on the path) such that for i > N, Xi E Lim(z); therefore, the state enters
L i m ( r ) in the fiaite tirne of at most CL, tiVicl clock ticks.
Proof. If {xi) is a finite sequence consisting of, s a5 nt transitions, then the
system reaches the state x,,+~ and stays there indefinitely. Therefore, x,,+l
must be either in Liml(z) or in Lim2(z). Thus, the Lemma is true with I\r =
n,. If, on the other hand, { x i } is an infinite sequence, then for i > nmax,
xi must belong to Lim3(z). where nmax = max{n 1 x, E x i & x, E
Rch(z) & x, does not belong to any cycle in Rch(z)). Note that since the states that
Figure 3.12: Using predictions in fault diagnosis.
do not belong to the cycles in Rch(z) c m appear at rnost once in {xi) and X is finite'
n,, is a finite number. Therefore, the lemma holds with 1V = n,,. [7
Therefore, Lim(z) is the set of States and cycles in Rch(a) in which the system can
be trapped for an arbitrarily Iong time without generating new output symbols.
Xow consider Fig. 3.12 which depicts part of a diagnoser. According to the figure,
following y, either a new output symbol y: ( 2 E {l, 2,3)) is generated after some
time. in which case x E 4 a t the time y: is observed, or no new output is generated
and. hence, x must eventually enter Lim(z) after a finite tirne and stay there for al1
future time (by Lernrna 3.2). For this reason, we refer to ~ i m ( z ) U (& 2:) as the
prediction of the system's state at the time y wvas generated. If four t ick occur
without the generation of any new output symbol, w e can conclude that the next
output syrnbol cannot be y;. Therefore the transition to can be ruled out and the
prediction can be updated to Lim(z) U 4 U zi.
ive denote the set of transition times in the diagnoser by T(., .).
Definition 3.1 Suppose g, d E Z - {G } and y' = X(x') for al1 x' E 2'. The
transition-time function of tlie diagnoser, 7 : 2 - {a} x S - {G} + zN, is defined according to
7(4, z') := { t I z' = C k Y', t ) 1.
Note that y' is a function of d; therefore T depends explicitly only on g and d, and
not on y'. In Fig. 3.12, for example,, ~ ( g , d) = {2,3). In general, T ( ~ , 2) might be
empty for some 2 and 2. Formally, prediction of the state of the timed FSMA G is defined as follows.
Definition 3.2 Suppose z (# a) is a diagnoser state and a the corresponding state
estimate. The prediction of the system's state, t clock ticks after the diagnoser enters
2, assuming the generation of no new output symbols after y, is defined according to
Pred(z, t ) := Lim(z) U XOA(&, t ) ,
where
XOA(g, t ) is the set of states that are output-adjacent to some state in z and can be
reached from z via a path that takes a t least t clock ticks and along which the output
does not change? except at the final state. According to the above definition, in the
update process after the t-th clock tick, those transitions in the diagnoser that could
have only taken place before the t-th tick of the clock are ruled out. For example, for
the diagnoser of Fig. 3.12, XOA(g, t) = 8: U zb U z$ for O 5 t 5 3, XoA(g, t ) = z$ U z$
for 4 5 t 5 5, and XOA(g, t) = 2: for t ': 6.
Naturally, ~ ( P r e d ( ~ , t ) ) will be the prediction of the system's condition. Non.
suppose the failures are permanent and, hence, once a failure occurs, it will remain
permanently. Then we can expect to be able to use the predictions for fault detection
and isolation. Later in this section, in Theorems 3.6 and 3.7, we will establish a
relation between rr;(Pred(zji, t ) ) and the condition estimates provided by the standard
diagnoser. Before introducing the t heorems, we discuss the construction of ilstd in
more detail and derive some related results which we need for the proof of Theo-
rems 3.6 and 3.7.
G, is the TDES mode1 describing the system, with Q, being its state set. In
order to design the standard diagnoser, first we incorporate the information about the
occurrence of clock ticks in the output map using the method described in Section 2.1.
Let G: be the resulting TDES with Q:(> Q, > X) and Y'(= Y x {O, l}), A: :
Q: -+ Y', K: : Q: + K: as the corresponding state set, output set, output map and
condition map. Every T transition q l q2 in G, is replaced with two transitions
pl 4 q; 4 9 2 in G: during which the output changes from ( X r ( q l ) , O) to ( A , ( p l ) , l ) ,
and to (X,(ql), O ) (By assumption, A r ( q l ) = A r ( q 2 ) ) . SO in G:, the clock tick is
represented by two transitions. Let us refer to these back-to-back transitions as
comptex r transitions. Note that q z , the state of G: after the complex T transition,
is in Q, (the state set of G,). With the exception of the complex r transitions, the
transition graphs of G, and G: are identical.
The standard diagnoser, Dstdi is designed based on G:. Let ~ ~ d , k denote the state
estimate provided by Dstd immediately after observing y k .
We assume that the initial state of Dstd is given by
zst4o = zo U {Q E Q, 1 q is reachable from some x E zo C X C Q7 through
a sequence of complex r transitions only}, (3.1)
where 20 is the initial state estimate of the predicting diagnoser. This reflects the
assumption that a t the time when the diagnosers are initialized, no information about
the time of generation of the latest event and output is available. Note that
~ ~ ~ d . 0 = z , o , the initial estimate for the state of the TDES.
Since z o & X , A:-:-' ( { ( Y I , O ) } ) n zo = A - ' ( { y l } ) n 20 = zl (zl is the state estimate
provided by D after yl is read). Therefore
Zstd.1 = Zstd.0 n A:-' ( { (Y 1, 0) })
= (zo n A-' ( { Y ~ ) ) ) U { q E Q, 1 q is reachable from some
x E zo n A-'({y,)) C X C Q, through a sequence of complev r
-We have not included any states from Q: - Q, in z s t d , ~ because they are fictitious states and provide no extra information about the state of the TDES.
t ransitious only }
= tl U { q € Q, / q is reachable from some x E z1 Z X C QT through
a sequence of complex T transitions only}.
Note that zstd,~ = .t,,l C Qr (zTtl was defined in Sec. 3.2 as the estimate for
of the TDES following the reading of the first output symbol, yl).
We will find the following version of output-adjacency in G: very usefu
the state
Definition 3.3 Suppose q,ql E QT(C Q:) and Ar(q) # XT(ql)- Then we Say q' is
A,-output-adjacent to q (in Gk) and mi te q +A, q' if there exists a path from q
to q' in G: over which the first component of A: remains constant except a t the final
transition (Le., no output symbol from Y is generated except a t the last transition).
a
In the above definition, the path may include cornpiex r transitions. -&O, since the
last event causes the generation of a new output symboi from Y, it must be a non-tick
event. Thus, q' E X. Note that for q, q' E Q, q + q' in Gr if and only if q =+A, q' in
The folloming lemma establishes the relation between the state estimates provided
by Dstd and D following the generation of each new output symbol for k 2 2.
Lemma 3.3 Let & d , ~ be given by Eq.(3.1). Then we have
Proof. First we show ~ , ~ d , a = z2. Suppose x E 22 C X. Then there exists q E z,,,
and a path in Gr from q to x, containing t2 tick transitions, along which the output
is X,(q) = yl. Therefore, in Gi, x is reachable from q E zstd,l = zT,l via a path,
containing t2 complex r transitions, along which no new output from Y is generated,
except at the final transition (t2 is the number of dock ticks between the reading of
y1 and the generation of y2 in the output sequence of the system). Hence, x E Zstd,2.
This shows C -&d,J. Similarly, we can show that .tstd,2 t2.
Figure 3.13: Example 3.1. G:.
suppose zsrd,k = zt . If q E ~ ~ d , k + l , then qf *A, q, for some q' E zs td ,k C X. There
exists a path Pf from qf to q in G:, containing t k f l complex r transitions, on which
no new output symbol from Y is generated except a t the final transition. Also we
have q E X. After projecting out the complex r transitions from P', we arrive at a
path from q' to g in G. Thus, in G, q' + q and t k + , E F(4f, q ) : hence, q E z k f l . This
shows that z S t d , k + ~ C . z k f l .
Conversely, if z E y + ~ , then there exists x' E zk = +d&, with tk+1 E ?(z', z),
and a path P from x' to x on which the output does not change except at the final
transition. There exists a (not necessarily unique) path P' in G:, connecting x' to x
such that P' includes tk+l complex T transitions, and by projecting out these complex
T transitions, we will get P back. Hence, in G:, x' *A, x and x E z s t d , k + l . O
For example, k t G, be the simple SDES of Example 3.1. The TDES Gi is
depicted in Fig. 3.13. In G:, ~ ~ d , - , = z,,~ = {O, 1,2,3,4,5). Suppose 91 = 01.
Shen z1 = {O, 2}, 4 t d , l = z,,1 = { O , 1,2,3). Suppose a clock tick occurs. Then the
state estimate provided by Dstd after the clock tick, denoted here by ~ ~ ~ ~ , ~ ( f ) , will
be z ~ ~ ~ , ~ (1) = {1,3). If following this, y 2 = 02 is generated, then Dstd will update
zstdVl (1) to Zstd,2 = {4} which equals 22. If after this, a tick occurs, then LIstd will
update its state estimate to ~ ~ ~ ~ ~ ~ ( 1 ) = (3). Following this, the observation of y3 = 01
will resu!t in the generation of the estimate ~ ~ ~ d . 3 = {O} which is identical to 23.
Now define Adv : 2Qr x W + 2Q7 as follows. For z C Q,(C Q:),
a Adv(z, 1) := {The set of states in Q,(c Q:) that c m be reached from
a state in t via a path in G: such that no new output symbo!
is generated on the path (i.e., the first component of A:
remains constant) and the path consists of n non-tick
transitions (n 2 0) , followed by a complex r transition};
Adv(t, t) := Adv(Adv(z, t - l), l ) , for t > 2.
For z C Q,, Adv(z, t ) is the set of states that the TDES can reach from z in t
clock ticks. Observe that A d ~ ( z , ~ ~ , ~ , t) is the state estimate provided by Dstd after t
ticks before y2 is generated. Since output changes are the results of non-tick events,
zstd,a C -Y Qr. Similarly, t,td,k E X E Qr for k > 2. Therefore, if ~ , * ~ , ~ ( t ) denotes
the state estimate provided by Dstd after t clock ticks following the generation of yk,
before the (possible) occurrence of ykti, then zStd,Jt) = Adv(zstd,+, t) .
Define QOA : 2Qr x PI + 2Qr as follows. For z C Q, C Q:
QoA(z, t ) is the set of states that are A,-output-adjacent to some state in Adv(z, t).
Xote that since the states in QOA (2, t) can be reached by non-tick events (recall that
only non-tick events result in output change), QOA(z, t ) C X.
QOA(", t) can be interpreted as follows. q E QOA(z, t) Ç if it can be reached
from a state q' E r via a path such that on the path no new output symbol from
Y is generated except at the final state and the path includes a t least t complex T
transitions. For instance, in the simple TDES of Example 3.1, ~dv({4,9}, 0) = {4,9),
Adv({4,9}, 1) = (51 , QoA({~, 9) ,0) = {O1 6). and QoA({~, 9), 1) = {O}-
Lemma 3.4 If z € Z - {&}, then XOA (4, t) = QOA(Z, t).
Proof. Suppose q E QOA(z, t) C X. Then it can be reached from a state q' E z via
a path such that on the path no new output syrnbol from Y is generated, except at
the final transition, and the path includes a t least t complex T transitions. Therefore,
since q' E z C X, t 5 SU^^(^', q). Conversely, if for some q' E z C X and q E X,
7(4', q) # 0 and t 5 sup 7(q1, q), then q E QoA (r, t) . -4s a result,
O
For a diagnoser estimate z, as explained before, XOA(g, t), is the set of states
in G that are output-adjacent (in G) to some state in z and can be reached via a
path which contains at least t clock ticks. On the other hand, QOA(z, t) is the set
of states in G: that are A,-output-adjacent (in G:) to some state in z and can be
reached via a path in Gb conatining a t l e s t t complex T transitions. The result
,YoA(l, t) = QOA(zi t) is to be expected since for tzvo states z, x' E X , x =+ x' in G
if and only if x + x' in G, (by Lemma 3.1), hence if and only if x +A, x' in G:.
For instance, in Example 3.1, for 4 = ({4,9), 2), X O A ( ~ , O) = {O, 6) = Q o ~ ( ( 4 , 9}, O),
(z, 1) = { O ) = QOA ({4,9), l), and &A(.z, 2) = 0 = Q o A ( ( ~ , 9), 2) (Refer to
Figures 3.10 and 3.13).
Lemma 3.5 For al1 t 2 0, QOA (zstd,l , t) = QOA (21, t ) -
Proof- QOA (zi: t ) E Q o A ( z ~ ~ ~ , L ~ t ) since 21 C 2std.i - Suppose (I E Q o ~ ( ~ s t d , l , t ) - Then
q can be reached from some q' E zStd,l in t' clock ticks (for some t' 2 t), via a path
along which no output syrnbol from Y is generated (except a t the final state). q', in
turn, can be reached from some q" E zl on a path consisting of complex r transitions
only. Along this path, no new symbol from Y is generated. Therefore, q is reachable
from q" E q, in t" clock ticks (for some t" 2 t' 2 t) via a path along which no new
symbol from Y is generated. Thus, q E QOA (z1, t) . 0
Theorem 3.6 For a permanent faiiure mode f i , after t ticks of the clock following
the occurrence of the observation yk, and before the (possible) generation of yk+~, if
the standard diagnoser, Dscd, is in an Fi-certain state, then Pred(&, t) will aiso be
Fi-certain, where is the state of the predicting diagnoser D upon observing yk.
Proof. In order to prove the theorem, we first define predictions of the states of G:
based on the estimates provided by Dstd. Then we show that the condition estimates
based on these predictions are identical to those obtained from the predictions pro-
vided by the predicting diagnoser. It follows that if Dstd is in an Fi-certain state:
then the predictions provided by Dstd, and hence, those given by D will be Fi-certain.
zStd,>t is the state estimate of Drtd following the generation of y,. Let zstdlt(t)
denote the state estimate after t clock ticks, with O 5 t 5 tk+i, before the (possible)
occurrence of yk+~. This definition implies zstd1k = z ~ ~ ~ , ~ ( O ) . For any state of Dstd,
zstd, define
Rch(zStd) := { q E Q: 1 q is reachable from a state in zstd via a path along which
no new output symbol from Y is generated)
= ( q E Q: ( q is reachable from a state in z,,d via a path along which
the first component of the output A:(-) remains the same).
-4lso let
Lim(zstd) := {q E Q: 1 q belongs to a cycle in ~ c h ( 5 ~ ~ ) ) .
Lim(zstd) is the set of cycles in Rch(zStd) in mhich the system can be trapped for an
arbitrariiy long time without generating a new output symbol from Y. (Note that in
G, and hence in G:, the unfolding of events never stops since at least the tick event
happens periodically. Thus, G, (and G:) do not have any deadlock states; i.e., for
any q E Q,, &(q, O ) # 0, for some a E Cr).
Similar to D, define the prediction after t ticks following yk provided by Dstd
according to
pred(zStdvk(t)) can be interpreted as follows. Following the t-th tick, either a new
output symbol from Y (yk+J will be generated after some time (and the state of G:
enters QOA(zstd,k,t)), or no new output is generated and the state of G: will enter
Lirn(r,td,k(t)) after a finite time and stay there for al1 future time.
We want to show that n(Pred(&, t)) = 4 ( ~ r e d ( & ~ ~ , ~ ( t ) ) ) . For this, we prove that
( i ) L i r n ( ~ ~ , ~ , ~ ( t)) = L i m ( ~ , , ~ , ~ ) , and (ii) rc(Lim(&)) = n : ( L i m ( ~ ~ ~ , ~ ) ) .
(i) Lirn(zstdL (t) ) = Lim(stdVk (O)) = Lim(zStdvr) because Lim(zStdvk (t)) is the set of cycles
in Rch(zStdyk) that can be reached from zStd,k in t clock ticks or more. This includes
al1 of the cycles in R c h ( ~ ~ ~ , ~ ) because if a cycle can be reached in t'(< t) ticks, then
since the system can stay in the cycle for an arbitrarily long time, we can think of
the cycle as one reachable in t" clock ticks, for some t" > t. (ii) Xext, we prove that tc(Lim(zk)) = ~ ~ ( L i r n ( z ~ ~ ~ , ~ ) ) .
rc(Lirn(zk)) C ~ : ( L i m ( & ~ , ~ ) ) because for every state or cycle in Lirn(zk), there
exists a cycle in L i r n ( ~ , ~ , ~ ) having the same condition as s h o m below.
For every cycle C in Rch(y) (Le., C C ~im&)) , there is a cycle Cc in Rch(htd,k)
consisting of the same transitions in C plus some complex T transitions such that
by projecting out the complex T transitions in Ci, we can get C back. Since the
condition of the system does not change as a result of r transition (the clock
tick), K ( C ) = K:(C~).
Assume Lim,(zk) # 0 and let x* E ~irn&). z* E Rch(zStd,+) since rk C ~ ~ d , k .
Supppose the state of G, reaches x*. From this point on, only T transitions
will occur in G,. This means that there exists a cycle C,. in G, consisting of
T events only, and reachable from x* through r events. Hence rc(x*) = n,(C,.).
As a result, there exists a cycle Ck. consisting of complex r transitions in G: in
Rch(zstdVk) such that n(x*) = &:(CL. ).
Figure 3-14: Proof of Thm. 3.6. Case 1.
Similarly, if Lim2(zk) # 0, then for every x* E Lim2(zk), G: contains a cycle CL.
in R c h ( ~ ~ ~ , ~ ) with ~ ( x * ) = K',(C:.).
To show n:(Lim(rstdp)) C n(Lim(zk)), we show that for every cycle in L i rn (~ ,~ ,~ ) ,
there exists a state or cycle in Lim(zk) with the same condition. There are two cases-
Case 1. If Ci is a cycle of G: in Rch(zstdYk) corresponding to a cycle Cr in G, which
contains non-tick events, then, after projecting out T events, we will get a cycle
C of G in Rch(zk), with K:(C~) = n,(Cr) = n(C) (See Fig. 3.14 for an example).
Case 2. Suppose C: is a cycle of Gk in R c h ( ~ , ~ ~ , ~ ) , consisting of complex T transitions
only. It follows from Lemma 3.3 and Eq.(3.2) that any state in R c h ( ~ ~ , ~ , ~ ) is
reachable via a path (in G:) starting in zk, lying entirely in R c ~ ( L ~ ~ ~ , ~ ) . Let
Pr be a path starting at some x E zk which ends at a state belonging to C:.
If al1 of the transitions in P are complex T transitions, then x E Lim(zk) and
~ ( x ) = K:(F U Cc) = K:(C:). If Pf includes non-tick events, then let x' be the
state following the last non-tick transition in P' (See Fig. 3.13 for an example).
Obviously x' E X. C i is reachable from s' through a sequence of complex T
transitions. Hence, x' E Lim(zk) and ~ ( x * ) = K:(C:).
This shows that ~ : ( L i m ( . , ~ ~ , ~ ) ) C +im(zk)). Thus,
Figure 3.13: Proof of Thm. 3.6. Case 2. T' stands for complex T transition and O # T'.
Notv observe that by Lernmas 3.4, 3.5 and 3.3,
From Eqs.(3.3) and (3.4), it follows that
Therefore the predictions of condition based on the models G: and G are identical.
This should not corne as a surprise because both models describe the same system
with the same accuracy (for the purpose of estimating the condition of the system).
If zsidYk(t) is Fi-certain, then ~ r e d ( z , , ~ , ~ ( t ) ) will be &certain (since F, is assumed
permanent). -4s a result, by Eq.(3.5), Pred(&, t) will be Fi-certain too. t7
The following theorem proves that if the predicting diagnoser D detects and iso-
lates a failure mode Fi, then the standard diagnoser tvill do so with a delay shorter
than IQ, 1 clock ticks.
Theorem 3.7 Suppose Fi is a permanent failure mode. If a t some point in time, the
state of the predicting diagnoser or its prediction are Fi-certain, then the standard
diagnoser, Dstd, will enter an Fi-certain state in less than IQ,I clock ticks.
Proof. If after the generation of the output yi, E Y, becornes &certain, then
istd,k will be Fi-certain (since K ; ( Z , , ~ , ~ ) = n(zk)) and as a result, Fi is detected
and isolated by Dstd- If in t clock ticks (O 5 t 5 tk+I) following the generation
of y*, P r e d ( ~ , t ) becomes Fi-certain, then, by Theorern 3.6, so Niil be P r e d ( ~ ~ ~ , ~ ( t ) ) .
Therefore, Lirn(qtd,k(t)) and QOA ( z ~ ~ ~ , ~ ~ t) will be &certain. Note that QOA (zstdqk (t))
is the set of states in Q: that are &-output-adjacent to some state in ~ ~ ~ ~ ( t ) . Let
4142 . . - be an arbitrary infinite path in G: starting in ~ ~ ~ , k ( t ) , Le., qi E ~ ~ d , ~ ( t ) -
(Note that G: contains no deadlock states; i.e., for any state q E Q:, there exists
O E C, such that d(q, o) # 0, because a t least the clock always ticks). If {qi) is
Fi-certain, then so will be {qi), for al1 i 2 2, because the failure modes are assumed
permanent. If {gl} is not Fi-certain, then there exists n, with 1 < n 5 IQ:l such
that qn E Lirn(rstdh(t)) or q, E Qoa(~std,k, t) and, hence, {q,) will be Fi-certain
which in turn implies that {qi) is Fi-certain for i > n. We showed that on any path
qlqz - starting in zadtk(t), {qi} is Fi-certain for i 2 IQ:l. -4 path in Gk consisting of
[QI_ 1 - 1 transitions can contain a t most (IQ: 1 - 1)/2 5 IQ, 1 - 1 complex T transitions.
Therefore in less than IQ, 1 clock ticks following the generation of the estimate
(by Dstd), whether a new output symbol is generated in between the clock ticks or
not, the state estimate provided by Dstd wi11 be Fi-certain. O
Theorems 3.6 and 3.7 establish that the predicting diagnoser D is a t least as fast
as the standard diagnoser Dstd in detecting and isolating failures. In sorne cases,
D could even be faster than the standard diagnoser. For instance, if a failure F2 is
caused by another failure FI , then the predicting diagnoser may predict F2 (when it
detects F I ) even before F2 occurs. Obviously, the standard diagnoser cannot detect
F2 before it happens.
In summary, the diagnoser provides an estimate of the system's condition ( ~ ( 2 ~ ) )
every time a new output symbol is generated. Between consecutive output symbols,
the predictions rc(Pred(3, t ) ) can be used for diagnosing permanent failures. Going
back to the diagnoser for the neutralization process (Fig. 3.11): we can easily verify
that for r = {l , l"), L i m ( z ) = {l", 1.1"}, and
Pred(g, t) = {3,3', 4,4') U {l", 1.1") for O 5 t 5 2,
Pred(z, t) = {lu, 1.1"} for t 2 3.
Therefore when the diagnoser is a t z = {l , l"), if no new output syrnbol is gen-
erated for three ticks of the clock, then it can be concluded that F2 has oc-
curred. This deduction is shown in Fig. 3.11 by a transition (depicted by a dashed
line) from z = {l, 1") to ~red(g,t) = {l", 1.1"). Similady, it can be seen that
Lim({l, l", 1.1", 2, 2.11, 2.2>)) = {l", 1.1") and Lim({lT)) = {l?'}. For any other
state estimate z, Lim(z) = 0.
The approach presented in this chapter may result in reduction in on-line com-
putations and in the size of the diagnoser.
In the predicting diagnoser, no update of the estimate of the system's state is re-
quired at dock ticks. Between dock ticks, predictions can be used for fault diagnosis.
In many cases, howvever, there is no need for updating condition estimates between
consecutive outputs, and estimates a t the instants of generation of new output sym-
bols are sufficient for fault diagnosis. For instance, in the neutrdization process, there
is no need for using predictions between consecutive output symbols, except when the
output is (C1,Lo,n) (and only after the third clock tick). For example, suppose the
diagnoser (Fig. 3.11) is in the state z = ((5, Y), 2). -4fter the diagnoser enters g, there
is no need for estimate update till the next output is generated at which point, one
needs to make sure that the output and its timing are valid and acceptable (Certainly
if no new output symbol is generated before the u + 1-the tick occurs, then there will
be an inconsistency between the system's mode1 and the observed behaviour). In
these cases, our approach can reduce the on-line computations significantly because
it does not require estimate updates at clock ticks.
In many cases, the predicting diagnoser may have significantly fewer states than
the standard diagnoser. This usually happens when the time bounds of events are
large numbers. For example, in the neutralization process, filling the tank takes a lot
longer than opening a valve (assumed here to take 1 clock tick)- Therefore u and u'
are considerably larger than 1. If we assume u = 200 and ut = 100, then the TDES
mil1 have about 1700 states. As a result, while both the standard diagnoser and the
diagnoser based on the methodology of [4] will have at least a few hundred states,
the predicting diagnoser (Fig. 3.11) has only 19 states and, except for some of the
t ransition-time sets ( j( . , .)), the structure of our diagnoser does not depend on the
parameters 1, u, 1' and ut. In general, a small clock period is necessary for accurate
time keeping in a TDES. If the system contains slow and fast processes, then the
clock period has to be sufficiently small for accurate modelling of the fast processes.
This results in large time bounds for the events of the slow processes, hence, a large
state set for the TDES. In these cases, our approach c m lead to significant reduction
in the size of the diagnoser. The simple TDES of Example 3.1, provides an example
of a case where the sizes of the predicting and standard diagnosers are close (This is
not difficult to verify). in this example, each event is followed by another event in a t
rnost 2 clock ticks.
The above improvements are obtained a t the expense of more off-line design cal-
culations, in particular, the computation of the transition-time sets 7 and (Refer
to Remarks 3.2 and 3.3).
Finally, ive note that for any subset z generated by the diagnoser, Lirn(z) needs to
be calculated. For this, it is computationally economical to compute Lim((x)) for al1
x E S since Lim(r) = ~ { ~ i m ( { x ) ) 1 x E 2). Lim({z}) can be computed in polynomial
time.
3.3 Time-Diagnosability
In this section, the issue of tirne-diagnosability of failures wili be studied. IVe will
assume that failures are permanent and will only discuss singlefailure scenarios.
Extension of our results to the case of simultaneous failures is similiar to that in
Section 2.5 for finite-state automata.
First , we obtain a necessary and sufficient condition for time-diagnosability in
terms of the standard diagnoser. Next, we will derive another set of necessary and
sufficient conditions in terms of the predicting diagnoser.
\Ve begin wit h the definition of time-diagnosability.
Definition 3.4 A permanent failure mode Fi is time-diagnosable if there exists an
integer Ti 2 O such that following both the occurrence of the failure and initialization
of the standard diagnoser, Fi can be detected and isolated after the occurrence of a t
most Ti ticks. O
Xote t hat unlike the event-based version [4], in Our definition of time-diagnosability,
no assumption is made about the system's state or condition a t the tirne the diagnoser
is started.
Remark 3.4 In Def. 3.4, timediagnosability is defined with respect to the standard
diagnoser D. It follows from Theorems 3.6 and 3.7 that a failure is time-diagnosable
(with respect to atd) if and only if it is time-diagnosable with respect to the pre-
dicting diagnoser D , i.e., it can be detected and isolated by the predicting diagnoser
in less than a bounded number of clock ticks. rn
Remark 3.5 If the TDES mode1 of the system is activity-loop-free, then the notions
of diagnosability (Section 2.3) and timediagnosability will become equivalent for the
TDES. This is because the number of non-tick events between two consecutive clock
ticks will be bounded by IQ, 1 - 1, where IQ, 1 is the cardinality of Q,. 0
Necessary and sufficient condition for time-diagnosability in terms of the
standard diagnoser
Xs mentioned in the previous section, in order to design the standard diagnoser, the
information about the dock ticks has to be transferred and included in the output
map of the TDES. Suppose G: = (Q:, C:, d:, go, Y:, A:) is the resulting TDES and
K: : Q: + K the corresponding condition map. The state set Q: can be partitioned
according to the system's condition: Q: = Q:,NÜQ:,FI~ - . .UQ;,~,. Let z be an
estimate of the state of G: given by the standard diagnoser. In a single-failure
scenario, z is Fi-certain if and only if K: (z ) = { F i } , Fi-uncertain if and only if
F, E rc;(z) and 5 ( ~ ) # {Fi), and an output syrnbol y E Y: is &indicative if and
o n l ~ if V'({Y}) C Q:,Fi-
It follows from Theorem 2.1 that assuming single-failure scenario and zo = Q:, a
permanent failure mode Fi is timediagnosable if and only if (i) from every q E
there is (at least) one transition to another state in Q:,Fi unless A: ( q ) is Fi-indicative;
(ii) there is no cycle in Q'T,F, consisting of states having the same output unless the
output syrnbol is Fi-indicative; and (iii) there are no Fi-indeterminate cycles in the
standard diagnoser.
Condition (i) is always satisfied because the clock always ticks. Condition (ii)
always holds too because the activity-loop-free assumption implies that there must
be a clock tick (hence, change of output) in every cycle in the TDES. Therefore we
have the following result.
Theorem 3.8 Assume single-failure scenario and 20 = Q:. -4 permanent failure Fi
is time-diagnosable if and only if there are no Fi-indeterminate cycles in the standard
diagnoser for the TDES. 13
Necessary and sufllcient conditions for time-diagnosability in terms of the
predicting diagnoser
Now ive study tirne-diagnosability in terms of the timed finite-state Moore automaton
G and the predicting diagnoser D. -4s mentioned in Section 3.2, the state set X can
be parti tioned according to the systern's condition: X = XNÙXFI u - . . u X F , and
this partition coincides with kerlc. Let z be an estimate of the state of G given by
the diagnoser. In a single-failure scenario, z is Fi-certain if and only if n(z) = {Fi}
and F*-uncertain if and only if Fi E ~ ( z ) and n(z) # {Fi}. Furthermore, an output
syrnbol y E Y is Fi-indicative if and only if ((y)) C XF, - The necessary and sufficient conditions for time-diagnosabilitj in TDES resemble
those for diagnosability in finitestate automata (Section 2.3). If in a failure mode, the
TDES stops generating new output symbols, then it should be possible to determine
the failure mode either from the last output symbol or from the time elapsed since
the last output symbol was generated. Also, the diagnoser should not get trapped
in a cycle of fault-uncertain states. For this, the diagnoser should not have fault-
i nde temina te cycles. The definition of fault-indeterminate cycles of the predicting
diagnoser is very similar to that for the diagnosers for finite-state automata.
Definition 3.5 Suppose z', . . . , fl is a cycle of Fi-uncertain states of the predict-
ing diagnoser. The cycle is called Fi-indeterminate if there exist 1 2 1 and
z],'zl,, ...,4 ~ z ~ , f o r a ~ ~ 1 ~ j ~ n s u c h t h a t ~ € X ~ , f o r d l 1 ~ j ~ m , 1 ~ k ~ ~ 1 1 and xi, x:, . . . , xr, x,, . . . , x?, . . . , x, , . . . , xr form a cycle in the timed RTS. The cy-
cle in the timed RTS is called an underlying faulty cycle of the Fi-indeterminate
cycle. O
Let ei denote the second component of 2 in the above definition, Le., f = (z',ei).
Then e' = 2 because diagnoser states with e = 1 are reachable only from the initial
state 2, and 2, is not reachable from any state.
Let us define:
Lim({x}) was previously defined in Section 3.2. Lim(XF, ) (resp. Lim(Xx) n XN) is
the set of cycles (with constant output) and states in XFï (resp. XN) in which the
system can get trapped for an arbitrarily long time and therefore generate no new
output symbol.
Theorem 3.9 Assume single-failure scenario and zo = ,Y. -4 permanent failure Fi
is time-diagnosable if and only if
2. There are no Fi-indeterminate cycles in the predicting diagnoser D. 0
Before providing the proof, we explain the meaning of condition 1. Condition 1
can be rewritten as:
If Lim(XF,) = O, then Eq. (3.6) is satisfied. Lim(XF,) = 0 means that after the
occurrence of Fi, the system will continue generating new output symbols no fater
than every t,, ticks of the clock (i.e., t k 5 t,,)) where t,, is defined according to
t,, := mau {maxT(x, x f ) 1 t ( z , z') # 0 & sup ~ ( z , z') < oo). z $ E X
Certainly t,, 5 IQ,(. Suppose Lim(XF, ) # 0 and y E A(Lim(XF,)) for some y E Y. This means that
after generating the output y, the system could delay generating the next output for
an arbitrarily long time. But Eq. (3.7) implies that a delay Longer than t,, + 1 ticks
can only happen when the condition of the system is Fi- Hence, any delay longer
than t,, + 1 ticks in generating a new output symbol whiIe the output is y implies
that Fi has occurred.
In fault diagnosis in finitestate automata, we only rely on the output symbols
for diagnosis and if in a failure condition Fi, the system stops generating new output
symbols, the last output has to be Fi-indicative or Fi will not be diagnosable. But for
TDES, in addition to the output symbols, we also use the timing information tvhich
makes the diagnosis more accurate.
We need the following lemmas to prove Theorem 3.9. In particular, Lemmas 3.11
to 3.14 esplain the implications of condition 1 in more detail.
Lemma 3.10 For 4 E Z - (3):
Proof. Follows from:
Lemma 3.11 -4ssume z is an estimate of the system7s state provided by the predict-
ing diagnoser. If Lim(z) fl Lim(XFi) # 0 and Eq. (3.6) holds, then Lim(z) C Lim(XFi).
Proof. Lim(z) E Lim(XN)u(ulcj9Lim(XFj)) = (Lim(XN)nXN)~(~139Lim(XF,)).
Let x E Lim(z) n Lim(XFi). If Lim(z) Lim(XF,), then Lim(z) n ((Lim(XN) n XN) u (uj+iLim(XF,)) # 0. Let x' E Lim(z) fl ((Lim(XN) n XN) U (ujfiLim(XF,)). Since
x' E Lim(z), X(x) = X(xl); hence x1 E X-l(X(~im(XFi))). This contradicts Eq. (3.6).
CI
Lemma 3.12 Suppose T(&, d ) # 0 and sup T ( ~ , 2) = ca for z, 2 E Z in the diag-
noser. If Lim(z) C Lim(XFi), then 4 2 ' ) = {Fi]-
Proof. Since T ( ~ , - ) is unbounded, for any z' E 2, there exists a path zl + z2 + . + xi -+ x1 in G wvith X I E z, 1 2 1, X(xi) = X(xl) for 1 5 i 5 1, such that either it
includes a cycle and/or a t least one transition with an unbounded transition-time set
T ( - , -). Hence, there exists k, with 1 5 k 5 1 such that z k E Lim(r) Lim(XF,) C XFi
(i.e., the path goes through Lim(z) E Lim(XF,)). Since Fi is permanent, X I E XFi and
Iience. ~(2') = {Fi). O
Lemma 3.13 Suppose the diagnoser reaches a state g = (z, e). Assume that (i) the
failure event Fi occurred before the diagnoser entered g, (ii) Eq. (3.6) holds, and (iii)
no new output is generated after the diagnoser enters 4: for a t least t,, + 1 clock
ticks. Then
~ ( P r e d ( g , t,, + 1)) = {Fi).
Proof. First we show that there exists x E z n XFi such that ~im({x}) # 0. There
are two cases to examine.
e = 1. In this case, z is the diagnoser state after the first output y1 is read.
It follows from (i) that when y was read, the state of the TDES \vas some
q E zTVi fl QT,Fi. q is reachable from some x f z1 through a sequence of t clock
ticks (for some t >_ 0). x E X f i because T transitions do not change the system
condition. If the TDES does not generate any new output for al1 future tirne,
then ~im({x}) # O. If, on the other hand, after t' 3 t,, + 1 ticks the TDES
enters sorne q', with AT(qf) # AT(q)? then q' E X and t + tf E 7 ( x , q f ) . Since
t + t' > t,, + 1, sup T ( x , q') = m. Therefore, there exists a path in G, from x
to q' contining a cycle or a transition for which the transition-time set T(., ., 0 )
is unbounded. Thus, ~im({x)) # 0.
O e = 2. It folloms from (i) that when the output y was generated, the system
entered some xin E z n XFi. By (iii), either T(xin7 X) = 0 for al1 x S U C ~ that
X(z) # A(xin), or there exists x S U C ~ that sup 'T(xin, X) = 00. In the first
case, the system can stay indefinitely in Itch({xin)). Therefore, Lim({xi.)) #
0. In the second case, there exists a path in G from xin to x containing a
cycle or a transition with unbounded transition-time set T(., a, .). Therefore,
Lim({xin}) # 0-
Therefore Lim(z) n Lim(XF,) # (O since ~ i m ( { ~ ~ . } ) C Lim(z) and Lim((~i,}) C
~ i m ( X ~ , ) . Now, Lemma 3.11 implies Lim(t) E Lim(XF,) C XF, - --%O, by Lemmas
3.10 and 3.12,
if ~ ( z ' 1 T(Z, 2 ) # 0 & sup T ( ~ ~ g') 2 t,, + 1} # 0. -4s a result,
rc(Pred(z, t,, + 1)) = { F , ) .
m
Lemma 3.14 Suppose the diagnoser reaches a state z = (z, e). Assume that (i) the
failure event Fi occurs after the diagnoser enters 2, (ii) Eq. (3.6) holds, and (iii) no
new output is generated for a t l e s t t,, + 1 clock ticks following the failure event Fi.
Then
~ ( ~ r e d ( z , t,, + 1)) = { E ) .
Proof. Let xi be the state of the system immediately after the failure event. Then
xi E Rc~(z) n XF, . BY (iii), either 7 (x i1 2) = 0 for al1 z S U C ~ that X ( X ) # X(zi),
or there exists x such that sup 'T(xi, x) = W. In the first case, the system can stay
indefinitely in ~ c h ( { x ~ } ) . Therefore, ~ i m ( { x ~ ) ) # 0. In the second case. there exists a
path in G from xi to 3: containing a cycle or a transition with unbounded transition-
time set 7(-, -, -). Therefore, Lim({zi)) # 0. Therefore Lim(z) n Lim(XFi) # 0, since Lim({xi}) C Lim(z) = Lim(Rch(z)) and Lim({xi)) C Lim(XFi). It follows from
Lemma 3.11 that Lim(z) C Lim(Xq) C XF, and from Lemmas 3.10 and 3.12 that
if u{zr 1 ~ ( 4 : 2) # 0 & sup ~ ( g , g') 2 t,, + 1) # 0. As a result,
Proof of Theorem 3.9.
(Sufficiency) Let 2, denote
(a) the state of the diagnoser after the diagnoser is initialized and the first output
is read if the diagnoser is started after the failure or
(b) the state of the diagnoser immediately after the failure event if the diagnoser
was started some time before the occurrence of the faiiure Fi.
From this point on, in general, the diagnoser will make the transitions g, + 3 + 3 -+ --• as a result of the generation of the output sequence Y2Y3 . - - - Let t lV2 denote
the number of the clock ticks between the time the diagnoser enters 2, to the time it
makes the transition to z2 in case (a) above, and the number of the clock ticks from
the occurrence of failure Fi to the transition to E, in case (b). -41~0, for k > 2, let
t k . k+ , denote the number of the clock ticks the diagnoser stays at a before it moves
to & + l a
Let v = C{(z n XF, 1 1 (z,2) E 2 & z is Fi-uncertain}. It follows from condition 2
of the theorem that the diagnoser can make at most ci - 1 consecutive transitions
among Fi-uncertain States of the form 4 = ( ~ ~ 2 ) . Also note that z, may be neither
Fi-uncertain nor Fi-certain.
After the diagnoser enters g,, depending on the output sequence, one of the fol-
lowing cases wîll happen.
(a) No new output is generated and the diagnoser remains in tl indefinitely. In this
case, by Lemmas 3.13 and 3.14,
i.e., the failure will be diagnosed in at most t,, + 1 clock ticks.
(b) The system generates at least q+l new output syrnbols and with the generation
of each new symbol, the diagnoser makes a transition.
1. -\ssurne 5 tmax (k 3 1 ) . It foilotvs from condition 2 that for k 2 q + 2 ,
a is Fi-certain and therefore' the failure Nil1 be diagnosed in at most
(ci + l ) t , , ticks.
2. Assume for some k 3 1, tk,k+l ), tmax + 1. Let ko be the smallest such
k. If ko 2 + 2, then by an argument similar to that of Case 1, ive can
show that the failure will be diagnosed in at most (ci + l ) t , , ticks. If
ko 5 q + 1, then by Lemmas 3-13 and 3.14, the failure will be detected
and isolated in a t most (ko - l ) t , , + t,, + 1 5 (ci + l)t,, + 1 clock ticks.
(c) The system generates n new output symbols, with 1 5 n 5 c, and as a resuit,
the diagnoser makes n ( 1 5 n 5 c i ) transitions (This case happens only if
G > 1).
1. Assume tk,rtci 5 tmax (k 2 1 ) . By Lemma 3.13, the failure will be detected
and isolated in at most nt,, + t,, + 1 < (q + l ) t , , + 1 ticks (t,, + 1
ticks after the diagnoser enters gn+,).
2. Assume for some k 2 1, ttVk+l > tma* + 1. Let ko be the smallest such
k. By Lemmas 3.13 and 3.14, the failure will be diagnosed in at most
(ko - l)t,, + t,, + 1 5 ~ t , , + 1 ticks.
In summary, the failure is always diagnosed in at most (q + l)t,, + 1 ticks.
(Necessity) Let us suppose condition 1 does not hold. Then there exist x E ~ i r n ( X ~ , )
and x' E ( L i m ( X N ) n X N ) U (uif jLim(XF,)) , with X(X) = X(xt). Suppose after the
occurrence of the failure Fi, the system enters x and at this time the diagnoser is
initialized and the output symbol X(x) = X(z1) is read. Therefore, x,xt E ZL. Since
x E Lim(XFi), the system can stay indefinitely in ~ i m ( X ~ , ) without generating any
new output. But x,xl E zl, therefore x,xt E Lim(zl); hence Pred(l, t) will be Fi-
uncertain for al1 t 2 O. As a result, Fi cannot be diagnosed.
Let us assume condition 1 is true but condition 2 of the theorem does not hold.
Cising an argument similar to that given in the proof of Theorem 2.1, we can show
that there exists a trajectory for the system leading to states in xFi such that the
corresponding output sequence throws the diagnoser into a cycle of Fi-uncertain states
and keeps it there indefinitely. Therefore Fi is not time-diagnosable. O
Example 3.1 - A Simple TDES (Cont'd)
For this TDES, Lim(X,v) = Lim(XF) = 0 since it never stops generating new output
symbols. There are no F-uncertain, hence no F-indeterminate cycles in the diagnoser
(Fig. 3.10). Therefore, F is time-diagnosable. This is expected since the timings of
the output sequence in the normal and faulty modes are different. 0
Example 3.2 - Neutralization Process (Cont'd)
For the neutralization process (Figures 3.7 and 3.8)
Obviously, Eq. (3.6) holds for i = 1,2 . Furthermore, there are no FI or F2-uncertain
cycles, hcnce, neithcr Fl nor F2-indeterminate cycles in the diagnoser. As a result,
both FI and F2 are time-diagnosable.
The reader can verib that if V1 gets stuck-open, then in a t most u +ut + 2 clock
ticks. the output symbol (C5,L3,a) will be generated and the diagnoser will produce
the FI-certain estimate z = {l?'}. On the other hand, if V1 gets stuck-closed, then in
at most 3u+3 ticks, the diagnoser will generate z = {l, 1") and Pred(g, 3) = (lu, 1-ln}
mil1 indicate the occurrence of F2. Hence, F2 will be diagnosed in at most 3u +6 dock
ticks. Therefore, both FI and F2 are time-diagnosable. Note that without the timing
information, F2 would not have been diagnosable because once the tank is emptied
and (CI,Lo,n) is generated, the system stops generating new output syrnbols and the
estimate of the systern's condition remains ambiguous. [7
Chapter 4
Fault Diagnosis and Consistency in
Hybrid Systems
In Chapter 2, a state-based approach to fault diagnosis in discret-event systems
mas developed. In many cases, the discrete-event system is a simplified model (Le.,
abstraction) of a hybrid system. Typically, the design of a diagnosis system which is
based on a discreteevent model is verified through simulation and test under a large,
but nevertheless finite, number of operating conditions of the hybrid system. In this
chapter. Ive attempt to develop a more systematic approach to the above verification
problem. Towards this end, we examine the question of whether a (high-level) DES
model contains enough information about the low-level hybrid model for the purpose
of fault diagnosis; i.e., whether the models are consistent. This would mean that the
analysis and design based on the high-level (DES) model will be equivalent to that
performed a t the low-level.
In Section 4.1, ive introduce the class of hybrid systems that are of interest to us.
Then in Section 4.2, we extend our frarnework for fault diagnosis in DES models to
hybrid systerns. Based on this frarnework, we will define the notion of 'consistency'
between the high-level and low-level modeIs. Section 4.3 presents a set of sufficient
conditions for consistency and a semi-algorithmic method for obtaining suitable high-
level models for the low-level hybrid systems.
4.1 Plant Mode1
Let us assume that the plant under control, Le., plant along with continuous
controllers and DES supervisors, can be modelled as a hybrid automaton
H = (X, C, 8, a, Xo, Y, A), with:
Q x IR?, the reachable part of the state set
the finite set of discrete states or modes
the set of continuous-variable components of states
the finite set of events
Q x Pwr(Rn) x C x {+ : Rn + Rn} x Q, the set of transitions
= { f, : Rn -+ Rn 1 q E Q}, the set of functions describing the dynamics
of the continuous-variable component of the state
C Qo x the set of initial conditions ( x ( 0 ) E Xo), with Qo E Q and
Eo E Rn the finite set of output symbols
X : X + Y, the output map.
The state of the system x = (q,<) has ttvo components: the mode q E Q and
the continuous-variable component < E W. .At a mode q, < evolves according to
( = jq(c) . At some time t , tvhen the system is at the mode q and the continuous- -
variable component of the state [(t) E =, a transition (q, E, a, Q, q') is enabled. If
the event a occurs, then, upon transition, the mode of the system becomes q' and
the continuous-variable component $(J( t ) ) . We cal1 the function @ the assignment
function of the transition.
It is assumed that the event set can be partitioned according to C = CJUC,.
Suppose a t a time t, a transition (q, E, a, 3, q') is enabled. If O E CI and no other
event occurs, then a will occur. If a E Ce, tben as long as J E Z, O may occur, i.e.,
a is simply enabled.
Suppose at t = to, x(to) = (qo,<(to)) (Fig. 4.1). The continuous-variable compo-
nent will evolve on b(t) which satisfies io = f,(h) (with 6 (to) = <(to), by definition)
until a t some t = t l , a transition occurs and the system jumps to the mode ql and
Figure 4.1: Evolution of the state of the hybrid system.
the continuous-variable component becomes $(Co ( t l )). Then the continuous-variable
component will follow (1 = f,, ( f i ) , with Cl( t l ) := q ! ~ ( c ~ ( t ~ ) ) , until at some time t = t2
another transition changes the mode to q2 and the continuous-variable component
becornes @(i5(t2)). The evolution of the mode and the continuous-variable compo-
nents will continue in a similar fashion after t = t2. The state of the system over the
interval [ti7 ti+ll (i 3 O ) will be:
If ti = ti+1, then after the transition a t t = ti7 another transition has occurred right
away; i.e., two transitions have occurred back-to-back. Fie assume that in the hybrid
system H , only a finite number of transitions may occur back-to-back. This is similar
to the activity-loop-free assumption for timed discrete-event systems (Sec. 3.1).
We cal1 the sequence of functions xi ( - ) given by Eq. (4.1) a state trajectory of the
systern. Any other sequence of functions, defined on a sequence of closed intervals,
that satisfies the dynamics of the system will also be called a state trajectory.
Definition 4.1 Suppose we are given to, t l , t2, . . - , tiq . . . with ti 5 ti+i for i 3 O and
functions xi(-) defined on the closed intervals ' [ti, ti+1] (for i 2 0 ) with
'If the sequence of functions zi(-) is finite and of length, say m, then the last intend will be either a closed interval [t,- 1, t,], or an unbounded intervai [t,- 1, m) .
101
,41so, assume that there exist transitions from qi to q i+~ (i > O), Le.,
(4.7 Ei, oi, tbi, qici) E 8 such that <i( t i+ , ) E Zi and +(<i(ti+l)) = Fi+' (ti+')- Then
the sequence of functions xi(.) defined on the intervals [ti,ti+l] (i 2 O) is a state
trajectory of the hybrid systern. 0
We can think of q, and x as functions of time t and the index i. ,4t jump
points ti, in particular, the value of i is required for determining x = (q, <). In the
following, whenever the d u e of i is of no importance to the discussion, we simply
write x ( t ) , q(t) and <(t) to refer to the values of the state and its components, mith
the understanding that these are the values of the state and its components at time
t in some intemal.
In this work, we assume that a t a mode q, the output X(x) is constant; i.e., A
is a function of q only: X((q, <)) = A((q,Q)) for al1 (q,<), (q,<') E X'. This simply
means that output changes are treated as transitions (just as in finite-state DES in
Ch. 2). For example, a change of output from y' to y2 is a result of some transition -
(ql , =12? 012, @12, q2) from a mode ql to q2, with 0 1 2 denoting the event corresponding
to the output change. Typically, GIS(-) is the identity map: Q12(J) = <- Zl2 is the
boundary between the regions in Rn where the output is and y2. As a result of
t his assumption, the continuous-variable component of the state. c(t) , is defined and
known after any output change, and given by the assignment function +(a) of the
corresponding transition.
If the hybrid system does not satis& the above assumption, it can be transformed
to a new system having the same trajectories in which the assumption holds. Suppose
HI = (XI, C', 8', a', XA, Y', A') is the original system. The transformed system H =
( X , C , O, a, Xo, Y, A) can be obtained as follows. Let Y = Y'. Suppose a t a mode q,
the system can generate m 2 2 different output symbols yl,. . . , ym and let
In Hl split the mode q into m modes ql, . . . , q, in the following way:
0 For al1 5 E Rn, A((qi , 5)) := yi;
In the set of discrete states, replace q with 91,. . . , qm;
0 For al1 < E Rn: f&) := fq(<);
If in H', (q,,,a,+,q') E 0' with q # q', then (q,,S n Bi1~,.SIlqf) E (3 if and
only if S n Bi # 0 (Le., the transition can be enabled somewhere in Bi);
If in Hf, ( q , E , o , @ , q ) E g r , then (qi,En Bi ~ ~ - l ( B , ) , a , - + , q , ) E 8 for i, j E
{l: . . . , rn} if and only if n Bi n lIr-'(B,) # 0 (Le-? a transition from a point
in Bi to a point in B, is feasible);
0 For i, j E (1,. . . , m ) with i # j, suppose the regions Bi and B, have a common
boundary Bij # 0. For simplicity, we assume that Bij C Bi or Bij E Bj.
Case 1: Bi, C Bi. Let E be the set of points in Bij where state trajectories
enter Bj , i.e.,
2We assume that each Bi (1 5 i 5 m ) consists of an open set and (perhaps) part of the open set's boundary. The boundary of Bi is the set of points in Rn every neighbourhood of which contains points belonging Bi and points not belonging to Bi. In most cases of interest, the Bi are simply n-dimensional rectangular ceiis.
31f Bij is an n - 1 dimensional surface, having a welI-defined normal vector at each E E Bij , then - = := { E 1 < E Bij & < >> O), where ni, is the normal vector pointing from Bi to B, and < -, - > denotes the inner product of vectors.
Figure 4.2: Examples of boundaries: = {(ci, & 1 cl = c & b < < a) and B1.2.3.4 = {(br C) }-
If 1 # O, then we let (qi, 2, oij, id, qj) E 8, where by definition, oij denotes
output change from y' to yj and oij E CI, and i d denotes the identity map
(i.e., +(<) = for al1 J E Rn).
- - Case 2: Bij E Bj. Let = := Bi,. We let (pi, =,O,, id,qj) E Q, where by
definition, Oij denotes output change from to yj and aij E CI.
Let Bijk ,...k, (1 2 1) denote the common boundary of the regions Bi, B,, Bk,,
. . ., Bkl (See Fig. 4.2 for an example).
For sirnplicity, we assume (i) Bijk,...kl Bi, or (ii) Bijk,+ Bj, or (iii)
Bijcl...kl & Br, for some r E {1, . . . , 1 } . In the first tn70 cases, we add tran-
sitions to 8 as in Cases 1 and 2 above for Bij. In the third case, obviously there
will be no transitions from B; to Bi through Bijk,.+,.
0 O contains no transitions other than those mentioned above.
In this way, we split al1 of the modes at which the original system can generate more
than one output syrnbol and expand the sets Q', Cl, @' to Q, C, @ to accommodate
the new modes, events and vector fields.
Let us consider the simple example of Fig. 4.3. Here a E CL = C' and for the
transition q + q', y>(-) = id, and = (c 1 < = l}. Xh = { ( q , O ) ) .
Figure 4.3: Hybrid system before transformation.
Figure 4.4: Case 1. Hybrid system after transformation.
Case 1. Suppose X(q, <) = y' if < 5 1 and X(q, <) = y2 if < > 1, and let X ( q f , 5 ) = y3.
The transformed system is given in Fig 4.4. Here BI = { E $ 1) and B2 = {< > -
l}. For the transition q, + q2, = = {< = 1). Also Xo = {(ql, O)) .
Case 2. Suppose X(q, E ) = y' if c < 1 and X(q, c) = y2 if 5 > 1. Also X(q', c ) = y3,
as in Case 1. The transformed system is given in Fig. 4.5 where BI = {c < l}, - BÎ = { E 2 l}. For the transition ql + q*, = = {< = 1). Also Xo = {(ql,O)).
In this case, the output must change before a can occur.
The mode1 W describes the behaviour of the system in both normal and faulty
situations. Suppose there are p failure modes F I , . . . , Fp. The event set C includes
failure events. For brevity, we consider single-failure scenarios only. As with fault
diagnosis in finite-state automata, our results can be easily generalized to the case of
simultaneous occurrence of two (or more) failure modes.
Let R- := { N , FI , . . . , Fp) denote the condition set of the system. It is assumed
that the state set X can be partitioned according to the condition of the system:
Figure 4.5: Case 2. Hybrid system after transformation.
= XNuXFiu - - u X F P . Define the condition map n : X + K such that for every
x E ,Y, K ( Z ) is the condition of the system a t the state x: n(x) = IV if x E X N , and
~ ( x ) = Fi if x E XF, (i E {l, . . . , p ) ) Also extend the definition of K to the subsets
of X: n ( z ) = U { K ( X ) 1 x E z ) , for any z E X. The condition of a hybrid system
changes as a result of failure (or perhaps repair or recovery) events. Therefore, n is
only a function of q (mode), not < (continuous-variable component).
In fault diagnosis for hybrid systems (similar to the case of finite-state automata in
Ch. 21, we use the output sequence (gI y2y3 . . .) to find the condition of the system. If
a transition (other than output changes) is observable, then by defining new output
symbols and introducing new transitions (if necessary), the information about the
occurrence of the transition can be transferred and included in the output map (in
the same way described in Sec. 2.1 for finite-state automata). Ttierefore, from now
on, we shall assume that the output sequence contains al1 of the information available
about the system.
Example 4.1 - Water Tank Water is charged into a tank (Fig. 4.6) a t a (volume) flow rate of qo (when the control
valve is open). The tank is discharged a t a rate of q = kJh, vvhere k is a constant and
h the water level. When water is a t or below the lower threshold L, the controller
opens the valve and when water is a t or above U, the controller closes the valve.
Figure : Example 4.1. Water tank.
Figure 4.7: Example 4.1. Controller.
Initially, the tank is empty and the valve is closed.
Let -4 be the cross-sectional area of the tank and hm := ( q o / k ) 2 . When the valve
is open
and when it is closed
It is assumed that the valve may become stuck-open (the event F). Let us denote
the regions {O 5 h $ L}, {L < h < LI) and {U 5 h <_ hm) by Ho, H I and Hz.
We assume that a sensor measures water level and generates one of the symbols &,
H I and HZ accordingly. Let Hij denote the transition from region Hi to H j . The
state transition graph of the controller is depicted in Fig. 4.7. Here VO and VC refer
to the commands "valve open" and "valve closed", respectively. We assume that
the state of the controller is available for fault diagnosis. Therefore, for this system
Figure 4.8: Example 4.1. Hybrid automaton.
Table 4.1: Example 4.1. Output map.
Y G {Ho: H l , H 2 } x {Cl1C2,C3,C4).
The hybrid automaton for the water tank is shown in Fig. 4.8. In this system,
CI = {VO, VC}, Ce = {F), and the assignment functions of the transitions ($(.))
are al1 identity maps. Following the algorithm mentioned before this example, ive
transform the system in Fig. 4.8 to that depicted in Fig. 4.9, in order to mode1
output changes as transitions. In these figures, and 4) refer to the equations (4.2)
and (4.3), respectively. In this system, when the valve is in the normal condition and
the water level increases (fi), the output changes from (Ho, C2) to ( H l , C2), and from
( H I , C2) to (H2, C3). -4s a result, the mode fi of the normal condition in Fig. 4.8 has
been split into three modes ql, 93 and q4 in Fig. 4.9. The rest of the modes of the
system in Fig. 4.8 are split similarly. The output map is given in Table 4.1. In this
system, E = h and Q = {ql, . . . , 912). The assignment functions Q(-)) are al1 identity
maps. O
Figure 4.9: Example 4.1. Transformed hybrid automaton.
4.2 Diagnoser
In our framework, the diagnoser for the hybrid system H is a system (not necessarily
finite-state) that takes the output sequence of the system (y1 y2 - . . y k ) as input and
generates a t its output an estimate of the condition of the system a t the time that
yk was generated. Specifically, based on the output sequence up to yk, a set z k E
2Qxan - (0) is calculated to which x must belong a t the time that yk was generated.
~ ( z k ) will be the estimate of the system's condition. Upon obsert-ing yk+l, zk wïll be
updated to z k t i .
Definition 4.2 For any two States x, x' E Q x Rn, we Say x' is output-adjacent
to x and write x =+ x' if A(x) # X(x' ) and there exists a trajectory of finite duration,
satisfying the hybrid system's dynamics, starting at x and ending a t x' such that for
al1 x" # x' belonging to the trajectory: A(xt') = A(x). O
We define the diagnoser to be a machine (not necessarily finite-state) D = (2 U
{G), Y. C,&, k, K ) , where Z U {h}, Y and 5 2" - {O) are the state, event and
output sets of D. 1, := (zo, O) is the initial state, with 10 E 2X - {a). Z C 2X - {a) and is not necessarily finite. C : Z u (40) x Y + Z is the transition (partial) function
and K : Z U {a} + L the output map, with the definition of the condition map, K,
extended according to: &,) := K ( z ~ ) . Each diagnoser state z, except G, is identified
with a nonempty subset of X. G, however, is considered to be difTerent from other
states of the diagnoser because the update law a t 5 is different from that a t other
states. To distinguish Z, from other states, i t has been identified with a pair (zo,O)
(rather than a subset).
The diagnoser state transition zk+l = C(zk, yk+l) is given by:
Therefore Z ~ + L will be the set of states, having output yk+l, that are reachable from
the states in zk using trajectories along which the output is yk.
As assumed in the previous section, in the mode1 Hl changes in the output are
represented by transitions. The state of the system immediately after the output
change is given by the corresponding transition; i-e., if (q, S, 0, @, q') is the transi-
tion, then for any s = (q,<) with < E S, (qf,@(C)) will be the state of the system
imrnediately after the transition (output change).
zo? the initial state estimate, contains the information available about the state of
the system a t the time that the diagnoser is initialized, before the reading of sensors
begins. Simiiar to the case of finitestate automata, usually 20 = x. The construction of the diagnoser for hybrid automata is similar to that for finite-
state automata (Sec. 2.2) except that for hybrid automata, the state estimates (zk) are
not necessarily finite sets. For updating the state of the diagnoser, zk, information
about output-adjacent states is required (refer to the definition of the update law
<). Similar to the case of finite-state automata, this information can be gathered in
a reachability transition system (RTS). The RTS corresponding to the hybrid
transition system H is defined to be H = ( X , R, Y, A), where the state set X, output
Figure 4.10: Example 4.1. Diagnoser.
set Y and output map X are the same as those of the original system, and the transition
relation R C X x X is given by
Le., (x1,z2) E R if and only if z z is output-adjacent to zl. Note that fi is not afinite
transition system since X and (in general) R are not finite sets.
Example 4.1 - Water Tank (Cont'd)
The RTS and the diagnoser for the water tank system are given in Table 4.2 and
Fig. 4.10. In this example, the diagnoser has a finite number of states. The operation
of the diagnoser is similar to that of the diagnosers of Ch. 2. 13
Table 4.2: Example 4.1. Reachability transition system.
4.3 Diagnosability and Consist ency
Let us assume that the failure modes are permanent. The definitions of fault-certain
and fault-uncertain States of the diagnoser are similar to those of the diagnoser for
finite-state automata (Sec. 2.3). In a single-failure scenario, z is Fi-certain if and
only if ~ ( 2 ) = IF*), and Fi-uncertain if and only if Fi E ~ ( z ) but n(z) # {Fi}. The
definition of diagnosability in hybrid systems is also similar to that given in Sec. 2.3
cxcept that "bounded number of events" is replaced with "finite time".
Definition 4.3 A permanent failure mode Fi is diagnosable if following both the
occurrence of the failure and initialization of the diagnoser, Fi can be detected and
isolated (Le., the diagnoser reaches an Fixertain state) in finite time. O
In the above definition, no assumption is made about the system's condition a t the
time that the diagnoser was initialized; i.e., the diagnoser could have been initialized
either before or after the occurrence of the failure. In the water tank system (Example
4.1), the failure (valve stuck-open) can be detected only if it occurs when L < h < U
and the valve is closed. In this case, the output will be (Hl , C4), followed by (H2 , C4)
in less than (LI - ~ ) / h , i . units of time where hmin = k(& - JU)/A. Upon the
generation of ( H z , C4), the diagnoser enters the F-certain state z = {(ql 1, LI)).
Remark 4.1 Let tinit and t~ denote the time when the diagnoser is initialized and
the time when the failure Fi occurs, respectively. Let to = max{tinit, tF,}. We refer to
the time (from to) that it takes the diagnoser to detect and isolate a failure mode as
the diagnosis t ime, and denote it by Td. We define Td = 00 when the failure is not
diagnosed. In general, Td depends on tinit and the trajectory the systems evolves on
(Here: the initial state estimate, zo, is considered a fùted parameter of the diagnoser).
-4ccording to Def. 4.3, Fi is diagnosable if Td is a finite nurnber for any tinit and any
state trajectory that either enters XF, or is entirely in XF,. Later in the following
section, we discuss the cases where we want Td to be bounded; i.e., the cases where
there exists T 3 O such that for any tinit and any state trajectory (entering ,YF, or
entirley in X K ) , we have Td 5 T. 0
So far, we have introduced the hybrid system, the corresponding diagnoser and
the concept of diagnosability. The diagnoser is used for two purposes:
(i) To determine the condition of the system based on the output sequence; and
(ii) To examine the diagnosability of the failure modes.
In practice, if possible, instead of the detailed hybrid model, a simpler finite-state
automaton may be used for modelling the system. In this case, using the theory de-
veloped in Chapter 2, a (high-level) finite-state diagnoser can be designed to provide
answers to the above-mentioned questions (Fig. 4.11).
The high-level model (finitestate automaton) is simpler than the low-level hybrid
model and contains less information about the system. At this point, we are not
concerned with how the high-level model is obtained.
Definition 4.4 The low-level and high-level models of the system as described above
are said to be consistent (for the purpose of fault diagnosis) if and only if
Low Level
(High-Level)
Diagnoser n Transition 1 Syrtem /
(Low-Level) I Diagnoser
Figure 4.1 1 : Hierarchy of models and diagnosers.
m the low-level and high-level diagnosers are equivalent; Le., they generate the
same condition estimate in response to a given output sequence of the system,
and
a failure mode is diagnosable nith respect to the low-level model (Def. 4.3) if
and only if it is diagnosable with respect to the high-level model (Def. 2.4). 0
When the models are consistent, the diagnosers provide identical answers to ques-
tions (i) and (ii) above. Note that in the above definition, it is assumed that the
output set of the high-level mode1 is the same as that of the low-level model, namely,
Er. In some cases, Y is not given initially and a suitable output set for the systems
has to be found. We do not address this issue in our work.
If the high-level rnodel has been derived from the low-level model using a model
reduction scheme that guarantees consistency, then in the process of model reduction,
the information required for fault diagnosis is preserved. In the following section, we
will study this matter in more detail.
4.4 Consistent Mode1 Reduct ion
In this section, we introduce a particular set of partitions of the state set X of the
hybrid system H. If this set is nonempty, then we show how a consistent high-level
finitestate DES mode1 for the hybrid system can be constmcted using any of these
partitions.
Definition 4.5 Let n = { B I , . . . , BP) be a finite partition of X, with B' denoting -
its blocks. Also let P : X + X/T = X be the canonicai projection that maps every
state x to its coset in X/T. Suppose x(.) is a trajectory consisting of a sequence
of functions xi(-). We cal1 the sequence of functions P x i ( - ) the projection of the
trajectory (on X / r ) . O
In this work, for simplicity, we do not distinguish between a coset Z E X and the
corresponding block P-'T. Therefore the projection of a trajectory is simply the set
of blocks that are crossed or passed through by the trajectory.
Throughout t his section, we will assume t hat
Assumption (a): The trajectories of the hybrid system and the partitions, in-
cluding kerX and k e r ~ , satisfy the condition that the projection of any trajectory
x(.), is a sequence of the blocks of the partition.
Let n = {BI, B2,. . . , ~ 1 ~ 1 ) be a finite partition of the state set X of the hybrid
system H with the following properties:
(II) let B? B' E n, with B # B'. If for some xl E B, there exists xi E B' and a
trajectory of finite duration that starts a t xl and ends a t xi and lies in B u B',
then for any x2 E B, there exists xi E B' and a trajectory of finite duration
from x2 to a', lying in B u B'.
Let II* be the set of partitions with the above properties. Timed automata [l] are
examples of systems for which ll* # 0. In general, II* might be empty however.
Consider the example in Fig. 4.12. In this system, the transition q1 + q 2 becomes
JHere is an example of a partition and a trajectory that do not satis& the condition. Let ~r = { B o , B1) with Bo=rational numbers and B1 = W - Bo. Also let z(t) = t, with t E (-w,w). The function y(t) , with y(t) = 1 if y E Bo, y(t) = O if y E BI, has an uncountable, infinite number of discontinuities. In fact, it is discontinuous everywhere in R
Figure 4.12: II' = 0.
enabled when < 2 1 and the transition qz + ql is enabled for al1 <. Suppose kern A
kerA = {(qt) x [O, l), {qi) x [Il a i ) , (q2) x ['lm)} (Note that {42} X [O, 1) is net
reachable. Any partition T E ll' has the form {{q,) x Al, . . . , {ql) x A,, , {q2} x
A;, . . . , {q2} x AL2), with Ai C [O, m) and Ai C [l, oo) (1 5 i 5 nl, 1 $ j 5 n2) and
U:A1Ai = [O0 m) and Ü:z,A> = [l, ai ) . Since the assignment function for q2 + ql is
the identity map, x satisfies (II) only if Ai Ti A> # 0 or 4 S A,, for any i and j, with
1 5 i 5 nl and 1 5 j 4 nl. This means that the partition of [l, m ) in the mode 92 is
finer than that in the mode ql; i.e., {A> 1 1 5 j 5 n2} 5 {Ai 1 Ai C [ l , m ) , 1 $ i 5
nl}. Let us suppose that for practical purposes we are only interested in partitions in
which the Ai (resp. the A;) are finite unions of subintervals of [O, m) (resp. [l, m)).
Since [O, a>) is unbounded, one of the A,, Say Aio, rnust be unbounded and contain
an interval of the form I = [a ,m) (or I = (a, m)), with a > 1. Let J = {j 1 A: C I } .
Therefore, 1 = ujEJA>. The interval I under the assignment Q(c) = $J is mapped to
[a /2 , oc) (or ( a / 2 , oo) if I = (a, 00)). The subset (2a, CQ) is mapped to I = LJjEJA$
If 1 = [a, co), then n7e can find a sufficiently small open set (2a - e , 2a) which is
mapped to points outside Aio. If I = (a, m), then the point 2a is mapped to a 4 A,, . Therefore, part of {ql} x A, is mapped to {q2) x (LJjE-~A>) 2 { q 2 ) x Ai, and part of it
to { q 2 } x ([O, 00)-Aie). This violates (II). Hence, restricting the Ai and the AI to finite
unions of subintervals of [O, oo) and [l, oo), respectively, ll* = 0. Note that the infinite
partition {{ql}x[O,1),{qi}x[~l2),{4i)x[2l4),---)~{{~2}x[1,2)l{~2}X[2,4),--.}
satisfies properties (1) and (II).
Suppose ll' # 0 and x E n'. Let P : X + X = Xj?r be the canonical projection.
For every x E X, let [XI := Px denote the coset corresponding to x. For simplicity,
instead of x E P - ' Z ~ (for Z1 E X), we wnte x E Z1.
Definition 4.6 Let ?r E iI* and P : X + X = X/T be the canonical projection.
The high-Ievel DES corresponding to H is the finite-state Moore automaton G = - - - - - -
(X, C, 6, Xo, Y, X), where X, C and Y are the state, event and output sets. X := X / x
and the event set is a singleton C = {z), for some 5. Xo := PXo is the set of initial
states. 6 : X x C + 2x is the transition function and X : X + Y the output map.
They are defined as follows. For al1 Tl, z2 E X, by definition Z2 E b(zL , 5) if and only
if there exist x1 and 1 2 with XI E and x2 f Z2 and a trajectory of finite duration - -
from x l to x2 lying in Tl U T2- For d l Z E X: A@) := h(x) for any x E a. Sirnilarly.
we define E : X -t X: according to K(Z) = n(x) for any x E T. [7
Since ?r 5 kerh A kern, X and n are well-defined. It was assumed in Sec. 4.1 that the
output sequence contains al1 of the information available about the system through
observation. This information is retained at the high level by the output map X. Therefore we do not need to differentiate between events a t the high level (or the
low level for that matter) and hence, let the event set of the high-level mode1 be a
singleton.
Lemma 4.1 Suppose x =+ x' , for some x, x' E x. Then [XI + [XI; Le., in the
high-level DES, [x] and [x'] are output-adjacent.
Proof. Since x' is output-adjacent to x, there exists a trajectory from x to x' on
which the output is X(x), except at x'. By assumption (a), the projection of this
trajectory is a sequence of states frorn [XI to [x']. Therefore, in the automaton G: [x'] is reachable from [XI. Let Xs be the set of the high-level states which G passes
in going from [XI to [x']. xs is finite since Xs C X. Therefore there exists a path:
[z] = zi -+ z2 . . . + 37" = [dl, with 2 E X, and 2 5 m 5 IzI. Since the output
of each of the states in X,, encept [x'], is X([x]), A($) = X([x]) (1 5 i 5 rn - 1).
Therefore, [x] * [x']. 0
Lemma 4.2 Suppose 3 * 2, for some Z, 3 E X. Then for any x E 2, there exists
x' E T' such that x x'.
Proof. Since 3? and 3 are output-adjacent, there exists a path 5 = I' + Z* + z3 + . . . + F = 3, with m 5 1x1 such that X(P) = X(z) # A(?), for 1 < i 5 rn - 1.
By property (II), there exists a trajectory of finite duration which starts a t x , lies
in 2' U z2 and ends a t some x2 E z2. Similarly, we can find a trajectory of finite
duration from x2 to some x3 E z3, lying entirely in z2 U z3 and so on. In this way, a
trajectory of finite duration can be constructed from 52 to some xm E F"' = 5'. On
the trajectory from x to xm, let d be the state immediately after the output changes
from X(Zrn-') = X(Z) to A(?) (Le., following the transition to 3). \Ne can see that
5 * 2'. O
We define the canonical projection of a subset z X to be P z := U{[x] 1 x E 2).
Let D be the (high-level) diagnoser designed for the high-level DES G (following the
procedure given in Ch. 2), with Zo := Pzo as its initial state estimate (ro is the initial
state estimate in the (low-level) diagnoser for the hybrid system).
Definition 4.7 The low-level and tiigh-level diagnosers are equivalent if for any out-
put sequence, they produce identical sequences of estimates for the system's condition.
13
Theorem 4.3 The low-level diagnoser D and the high-level diagnoser D are equiv-
aient.
Proof. We have to show that for every output sequence (yl, 9 2 ' . . . , y j ) and any
initial state estimate ZO, the diagnosers produce the same sequence of estimates for
the condition of the system, i.e., K ( Q ) = ~ ( 4 ) for O < k 5 j (Zk is the state of D). Let T denote the transition (partial) function of D. First we show that Pzk = Zk
(Fig. 4.13).
By definition Pzo = ZO.
Figure 4.13: Pzk = Zk
Now nre prove that for k 2 1 if Pzk = Z k , then P z ~ + ~ = ';Zk+l.
Let xk+l be an element of z k + ~ , Le., xk+l E zk+l. Then there exists x k E z k such
that z k * X ~ + L . Hence by Lemma 4.1, [xk] + [ x ~ + ~ ] . From Pzk = Zk it follows that -
[ xk ] E f k . -41~0 X ( [ X ~ + ~ ] ) = X(xkct) = yk+l. AS a resdt, [ x ~ + ~ ] E Z k i l - This shows
that Pzk+, C z k t l .
Now let Tk+l be an element of Z k f l , i.e., Lk+l E Zkcl. Therefore Tk * Fk+l for
some 9 E & = P z k . Let xi E Tk n y # 0. Hence by Lemma 4.2, there exists -
x i + , E Tk+l such that xi J, xL1. -4.41~0 X(x;+,) = X(zk+,) = yk+l. Thus x;,, E y + l
and as a result, Zk+1 = Px;,, E This proves fk+l C P z ~ + ~ .
Therefore, by induction, Pzk = Zk for O < k 5 j. Finally, T C ( Z ~ ) = G ( P ~ ) = K ( z ~ )
since 7 < k e r ~ . O
Xote the similarity betmeen the above proof and the proof of the equivalence of high-
level and low-level diagnosers in Ch. 2.
Next we show the equivalence of high-level and low-level diagnosabilities (Defi-
nitions 2.4 and 4.3). First we make two assumptions the validity of which depends
on the partition n and the dynamics of the hybrid system. We will use them to
establish the equivalence of the two notions of diagnosability. Later, we will examine
the assumptions in more detail.
Assumption (A): The projection of any Low-level trajectory of finite duration
on the high-level state space is a finite sequence of states.
-4ssumption (B): Suppose that the projection of a low-level trajectory on the
high-level state space is a single state, Say Il with 6 ( f , ~ ) # 0. Then the
trajectory must be of finite duration.
Assumption (A) states that over a finite interval of time, only a finite number of
events can occur a t the high-level DES. Note that assumption (A) is stronger than
assumption (a), previously introduced in this section.
Theorem 4.4 A failure mode is diagnosable with respect to the low-level (hybrid)
model if and only if it is diagnosable with respect to the high-level (DES) model.
Proof. Let tFi be the instant a t which the failure Fi occurs and tinit the instant a t
which the diagnosers are initialized. Let to = max(t tinit).
(If) Suppose a failure mode Fi is not diagnosable with respect to the low-level
model but diagnosable with respect to the high-level model. Then there exists a
trajectory for t 2 to starting a t some x(to) E XE such that if the system evolves on
it, the low-level diagnoser will never reach an Fi-certain state.
a if the projection of the trajectory on the high level is an infinite sequence of
states, then since Fi is diagnosable with respect to the high level, the high-
level diagnoser will enter an Fi-certain state after a bounded nurnber of events
are generated. Since the high-level and low-level diagnosers are equivalent
( ~ ( 2 ~ ) = T C ( & ) ) , this is not possible.
If the projection of the trajectory on the high level is a finite sequence of events,
then by assumption (B), the last state in this sequence is a state from mhich
transition to no ot her state is possible. But again since Fi is diagnosable with re-
spect to the high level, after the time the high-level system enters the final state
of the above sequence, the high-level diagnoser must be in an F,-certain state.
Since the high-level and low-level diagnosers are equivalent (tc(zk) = K(&)),
the low-level diagnoser must also enter an Fi-certain state. By assumption
(B), it takes a finite time from t = to for a to get to the last state of its path.
This contradicts the assumption that Fi is not diagnosable with respect to the
low-level model.
(Only if) Suppose a failure mode Fi is not diagnosable with respect to the high-
level system. Then either (i) there exists a finite sequence of states { T ~ } ~ < ~ < ~ ending
a t a state in XFi, from which there are no transitions to other states, and the resulting
output sequence does not take the high-level diagnoser into an Fi-certain state, or
(ii) there exists an infinite sequence of states { z ~ } ~ > ~ and a k 1 O with Zi E XFi for
i 2 k such that the resulting output sequence { X ( ~ F , ) ) ~ > ~ does not take the high-level
diagnoser into an &certain state. \Ve examine the two cases separately.
(i) In this case, one can construct a trajectory of finite duration, Say for O 5 t 5 t f ,
whose projection on the high level will be { z ~ } ~ ~ ~ < ~ - No matter how this
trajectory is continued after t 3 t f , no new output symbol wiil be generated
because the projection of the rest of the trajectory d l be 5,. Since Fi is
diagnosable (with respect to the low-level mode)), therefore the finite duration
t rajectory should take the low-level diagnoser into an Fi-certain state; hence,
by the equivalence of low-level and high-level diagnosers, the out put sequence
{ X ( ~ i ) ) ~ < i < ~ - - should take the high-levei diagnoser into an Fi-certain state which
is a contradiction,
(ii) We can construct a trajectory for t 2 O at the low level whose projection on the
high level will be { z ~ } ~ ~ ~ . By assumption (A), this trajectory will not be of finite
duration. Since Fi is diagnosable with respect to the low-level system, there
exists t > to such that the output sequence generated between tini, 5 t 5 tf will
take the low-level diagnoser into an Fi-certain state. This output sequence also
takes the high-level diagnoser into an Fi-certain state. By assumption (A), over
[tinit,tj] only a finite number of events can occur. But this is a contradiction.
0
Remark 4.2 Loosely speaking, assumptions (A) and (B) mean: "finite number of
events is equivalent to finite duration". This should not corne as a surprise because
at the low level a failure is diagnosable if it can be detected and isolated in a "finite
time" while at the high level, failure detection and isolation is expected to happen in
a "finite number of events". If the two definitions are to become equivalent, then we
can expect some sort of equivalence between the "real time" and "logical time". 0
Remark 4.3 Consider a state z of a finite-state automaton for which b(3,o) # 0
for al1 a E Cs C Cl with Cs # 0. In fault diagnosis for finite-state automata, it is
impiicitly assumed that if the state of the automaton reaches 5, then at some point
in the future one of the events in will occur (and therefore the information about
this transition and the possible future transitions can be used for diagnosis). This is
exactly what assumption (B) implies. 0
Remark 4.4 Diagnosability depends on system's behaviour after the occurrence of
failure. Therefore, for establishing the equivalence of high-level and low-level diag-
nosabilities, assumptions (A) and (B) are only required to be valid for the trajectories
in S - X N and sequences in X - XN. O
Remark 4.5 In Def. 4.3, by replacing "finite tirne" with "bounded finite time", we
arrive at a stronger notion of (low-level) diagnosability (Please refer to Remark 4.1).
If in assurnption (B), "finite duration" is replaced with 'Lbounded finite duration",
then Ive can show that Theorem 4.4 will still hold. The "only if ' part follows from
the "only if'part of Theorem 4.4 (Note that in the proof of the "only if ' part of
Theorem 4.4, assumption (B) is not used.). Here we prove the (if) part.
Let t ~ , be the instant a t which the failure Fi occurs, tinit the instant a t which the
diagnosers are initialized and to = max(tF,, tinit). Let us assume that a failure mode
Fi is not diagnosable with respect to the low-level model.
Suppose there exists a trajectory for t 3 to starting at some x(to) E X E such that
if the system evolves on it, the low-level diagnoser never reaches an Fi-certain state.
If the projection of the trajectory on the high-level is an infinite sequence of
states, then since Fi is diagnosable with respect to the high level, the high-level
diagnoser will enter an Fi-certain state after a bounded number of events are
generated. Assumption (B) implies that these bounded number of events have
to occur in a bounded time. Since the high-level and low-level diagnosers are
equivalent ( K ( z ~ ) = n(&)), this is not possible.
If the projection of the trajectory on the high level is a finite sequence of events,
then by assumption (B), the 1 s t state in this sequence is a state from which
transition to no other state is possible. But again since Fi is diagnosable with re-
spect to the high level, after the time the high-level system enters the final stôte
of the above sequence, the high-Ievel diagnoser must be in an Fi-certain state.
In fact, the high-level diagnoser reaches an Fi-certain state before a bounded
number of transitions in the high-level model. Once again by assurnption (B),
these transitions happen in a bounded time. Since the high-level and low-level
diagnosers are equivalent ( ~ ( g ) = z ( Z k ) ) , the low-level diagnoser must also
enter an Fi-certain state in a bounded time (from t = to). This contradicts the
assumption that Fi is not diagnosable with respect to the low-level model.
Therefore on any trajectory that starts a t t = to, after some finite time the Low-
Ievel diagnoser reaches an Fi-certain state. This irnplies that the high-level diag-
noser too wi11 reach an Fi-certain state. It follows from high-level diagnosability
and assumption (B) that this will happen in a bounded time. Hence the low-level
diagnoser (which is equivalent to the high-level diagnoser) enters an Fi-certain state
in a bounded time. This contradicts the assurnption that Fi is not diagnosable with
respect to the low-level model. O
Example 4.1 - Water Tank (Cont'd)
Using Table 4.2, the reader can verify that the partition sr = { B I , . . - , B16)> with
Bi = { X 1 q = p l , h =O} BIo = { x 1 q = 97, h = O}
B2 = { X 1 q = q2,h E [O,L]} B l l = { x 1 q = q7,h = L }
B ~ = { x I ~ = ~ ~ , ~ E [ L , U ) } 8 1 2 = { 4 q = q 8 , h ~ [ O , L ] }
B 4 = { x I q = q 3 , h = C J } 8 1 3 = { X 1 q = q g 1 h € [ L , u ] )
B 5 = { z I q = q 4 , h = U } B14 = { X ( q = q10, h = U)
B b = { x I q = q 5 , h = U ) B15 = { X I 9 = 911, h = [K htl])
8 7 = { X 1 q = 96. h E ( L , LI]) = { X 1 Q = 912, h E [L, Ci])
B 8 = { x I q = q 6 , h = L }
B 9 = { x [ q = q 1 , h = L }
Valve: Closed Open S tuck-open S tu&-open
Figure 4.14: Example 4.1. High-Ievel model.
satisfies assumptions (1) and (II), and hence, belongs to Il*. The high-level model,
reachability transition system and diagnoser are given in Fig. 4.14, Table 4.3 and
Fig. 4.15. The low-level and high-level diagnosers produce identical estimates for
the system's condition in response to the system's output sequence. Note that the
trajectories of the hybrid system satisfy assumptions (A) and (B). -4ccording to the
high-level model, the valve failure can be diagnosed if it happens while the system is
at B7. This is in accordance wvith the low-level model. 0
In general, it is very difficult to verify whether a given partition n satisfies property
(II) (or even whether Il* # 0). This makes the construction of high-level models
difficult.
In the following, we introduce another method for building high-level models
which is based on partitions that only have to satisfy property (1) and assumption
(B). These DES models are significantly easier to construct. We will show that the
Table 4.3: Example 4.1. Reachability transition system for the DES model.
Block #
1 2 3 4 5 6 7 8
1 9
Figure 4.15: Example 4.1. High-level diagnoser.
Output-adjacent blocks (output) 2,12 (Ho, C2) 3713 (Hl 7 C2) 5714 (H27 C3) 5 (fi, c 3 ) 6 1 5 (Hz , c 4 ) 7 (Hl, c4) 9 C1) / 15 (H2 7 C4) 9 (HO? Cl) 2,f 2 (HO? C'a 1 l
Block #
10 11 12
1 13 14
1 15 1 16
Output-adjacent blocks (out put) 12 (Ho, C2) 12 (Ho, C2) l3 (Hl, C2) 14 (H2, c 3 ) 15 (H2, c4) - 15 (H2> C4)
1
condition estimates generated by the resutting high-level diagnosers will be more
conservative; however, the diagnosers may still be used for fault diagnosis and for
verifying diagnosability. Here we are taking an approach similar to thât proposed
in [16] by Kurshan et al. for developing a semi-algorithmic method for veriwng
properties of digital circuits.
Usually, it is very difficult to calculate X, the reachable part of the state space
of a hybrid system. However, determining a superset of X might be easier. Let
,Y* clenote one such superset; hence X C X* Q x Rn. Let ?i 5 kerX r\ kerrl and
P+ : X' + X e / % be the canonical projection. Based on this partition, let us define
the finitestate Moore automaton G = ( ~ , e , b , & , Y, i ) , with X, 2 and Y as the
state, event and output sets. x := Xe/* and 2 is a singleton; Le., 2 = {â}, for
sorne â. Let := P X o be the set of initial states, 8 : x x 9 + 2X the transition
function and i : x + Y the output map. For 2L,22 E X , let 1 2 E ~ ( z ~ , Q ) if and
only if there elcist xl E and 5 2 E and a trajectory of finite duration (satisfying
the hybrid system's dynamics) from xi to 2 2 lying in xl U 2 2 . Note that since .ii does
not necessarily satisfy property (II), the block 22 may not be reachable from every
state in it1. For al1 Z E X, i ( 2 ) := X(z) for any x E 2. Similarly define 2 : 2 + K according to k ( 2 ) := K ( Z ) for any x E 2. Since îr 5 kerX /\ kern, and k are
rvell-defined. G is a high-level mode1 for H. In this automaton, a transition from
a state 21 to another state 3C2 indicates the existence of trajectory from block t1 to
block lying entirely in 2l U 2,.
Lemma 4.5 Suppose x =+ z' with x,x' E X* (x' is output-adjacent to x). Then
Pxx =+ P+zt ; Le., in G, the block P+xt is output-adjacent to Prix.
Proof. Similar to that of Lemma 4.1, with G and X replaced by G and X . ;l
Define the canonical projection of a subset z C X to be P*z := u{P+x 1 x E 2).
Let D be the high-level diagnoser designed based on G, with Zo := Pezo as its initial
5 X and E; were earlier defined on X. Here we have assumed that their domain is even larger and includes X'. This is typically the case. The reachable part of the state set is usually a subset of the domains of the output and condition maps.
state estimate. Let 4 denote the state of D following the generation of the output
symbol yk.
Theorem 4.6 Let zr, and Zk denote the states of the low-level diagnoser D and
high-level diagnoser D, respectively. Then K(z&) k ( 4 ) .
Proof. By definition P+zo = Z0.
Ar1 = P+(zo n A-' ({yl}))
= n P+(X-'({y1}))
= 20 n X' ({y 1)) (because ?i 5 kerX)
= 21.
Now we prove that for k > 1 if P+zk .Sk then Pnzk+l C 2k+l.
Let xk+' be an element of z & + ~ , i.e.. xk+l E Zk+1. Then there exists xk E zk such
that xk + xk+'. Hence by Lemma 4.5, P+xk =+ P*xk+l. From P+zk = Sk it follows
that P+sk E Zk. Also i(p+xkc1) = X ( Z ~ + ~ ) = yk+l. -4s a result, Pnzk+l E irct This
shows that P+zk+1 C Zk+l. Finally, rc(zk) = k(P+zk) C k(&) since 5 5 k e r ~ . O
The t heorern states t hat D produces more conservative estimates for the systern's
condition than D. Hence, D is less accurate than D. If D enters an F,-certain state,
so will D (but not vice versa).
Let us suppose assumption (B) holds for 7r, namely, if the projection of a low-level
trajectory in X on the high-level state space X/î i is a single state 2 , with 8(2, a) # 0,
then the trajectory must be of finite duration. Since calculating X is difficult, we
may verify assurnption (B) for the projection of the trajectories in X* on X'/% =
mhich is sufficient to guarantee assumption (B) (for the trajectories in X).
Theorem 4.7 If a failure mode is diagnosable with respect to the high-level model
G, then it must be diagnosable with respect to the low-level hybrid model H.
Proof. Similar to the (If) part of the proof of Theorem 4.4, except that rt(zk) = E(&)
should be replaced with rc(zk) E k(Zk). The diagnosers are not equivalent; however,
if the high-level diagnoser is a t an Fi-certain state, so is the low-level diagnoser. O
As a result, if a failure mode is diagnosable with respect to the high-level model,
then it is certainly diagnosable with respect to the low-level model and can be diag-
nosed using D, the high-level diagnoser. Therefore the high-level model rnay replace
the low-Ievel one for the purpose of fault diagnosis. But if a failure turns out to be
undiagnosable at the high level, it rnay still be diagnosable at the low level. In this
case, the analysis based on the high-level model is inconclusive- At this point, we
rnay replace the existing partition with another (perhaps finer) partition. An analysis
based on the resulting diagnoser rnay show that the failure is diagnosable. If, on the
other hand, the failure turns out to be undiagnosable a t the high level, then n-e may
try another partition.
In general, the failure may be undiagnosable even at the low level. In these cases,
information from the high-level model (e-g., fault-indeterminate cycles) rnay assist
us in proving the undiagnosability of the failure mode a t the low level by providing
clues about trajectories that rnay lead the 101-level diagnoser into fault-uncertain
States.
Based on the above discussion, we introduce the notion of weak conszstency.
Definition 4.8 The low-level and high-level models of the system are said to be
weakly consistent (for the purpose of fault diagnosis) if and only if
0 the estimates for the system's condition generated by the low-level diagnoser
are subsets of the estimates given by the high-Ievel diagnoser ( ~ ( 2 ~ ) C i i ( Z k ) ) ,
and
0 if a failure mode is diagnosable with respect to the high-level model (Def. 2.4),
then it must be diagnosable with respect to the low-level model (Def. 4.3). 0
Example 4.2 - Consider the hybrid system depicted in Fig. 4.16. In this system, C I = Io1, 02~03, 04}
Figure 4.16: Example 4.2. Hybrid automaton.
Figure 4.17: Example 4.2. State trajectories of the hybrid system.
and Xe = { F ) . Also
The trajectories of < in P in the normal and faulty modes are shown in Fig. 4.17.
Figure 4.18: Exampie 4.2. The high-level DES G ~ .
If in modes ql and 92 we partition R2 according to IR2 = B l l j B 2 , with B1 =
{ ( E l , E 2 ) 1 Et < O } and B2 = { (c l , 5 2 ) 1 cl 2 O } : then the resulting high-level mode1
G 1 mil1 be as shown in Fig. 4.18. Here X* = ( { q l ) x B i ) U ( { q l ) x B2) u ( { q 2 } x Bi) u
( { q 2 ) x B2) U ( { q 3 ) x R2) U ( { q 4 } x IR2). In this figure, the output a t each high-level
state is shown. According to G ~ , the failure is not diagnosable since in both normal
and faulty modes, the system can generate the output sequence - - y1 y2 y1 y2 - -. Now let us use a finer partition for R2 (in modes q, and q2) : R2 = B ~ u . . . U Bi,
mith Bi = { ( F i , F 2 ) I EL < 0. G < O } : B; = { ( S i ? & ) 1 f i < O, E2 2 0 ) .
Bi = { ( C i & ) 1 Ft 2 0 . G < 0) and Bi = {(CI,&) 1 Fi 2 0 , E2 > O } . The
high-level is given in Fig. 4.19. In this case, X' = ( { q l } x Bi) u - --u x 8:) u 4 } x Bi) U ( (43 ) x I R 2 ) U ({qq } x R ) . According to G2? and in (142) X 4) U . - - U ( { q
agreement with the hybrid system, in the faulty mode the system only generates one
of the two output sequences . . . y1y2y3y~y2y3.. . or . .- y1y4y2y1y4y2 .... Therefore the
failure is high-level, hence, Low-level diagnosable. Note that in Fig. 4.19, the event
a: corresponds to transition from Bi to B4 in the mode 92 when O 5 J 1 < 0.4 and
(2 = O. This transition, however, never happens in the hybrid system because that
part of the boundary between Bi and Bi is not reachable in the mode q2. [3
Figure 1.19: Example 4.2. The high-level DES G2.
Figure 4.20: Neighbouring blocks BI and B2.
In the high-level mode1 î), 22 E d(Z1, &) for sorne Zi, î2 E x if there exists a
trajectory from an xl E to some x2 E &, lying entirely in 51 U 2 2 . Veri@ing
t his property (i-e., existence of the trajectory) is significantly simpler t han property
(II) of the partitions in ri'. In fact, this property should be investigated only on the
boundary between Zl and 3F2; specifically, we have to see if a trajectory crosses the
boundary.
For example, suppose 5 = (ci,&) E IR2 and Q = { q ) . Furthermore, assume that
IR2 bas been partitioned into rectangular blocks (Fig. 4.20). We would like to knom
if there exists a trajectory from BI to B2 in Fig. 4.20. Let = f,'(ti, &). If there
exists 6 E [a: b] such that
(1 = f; (c, G ) > o. (4.4)
then certainly a trajectory crosses the boundary from BI to B2. One way of checking
Eq.(4.4) is to obtain the supremum and infimurn of fi on the boundary. If fi is
monotone in & (this is true for LTI systems where fi (cl, c2) = aicl + a2C2, for
a l . a2 E R)? then min{/,'(c, a ) , f,'(c. b ) } 5 f i (c, G) I max{f,'(c, a),l,'(c, b ) ) . This
method for checking boundary crossing can be used in the more general case of E Rn,
especially if the components of f, are monotone in the components of < = (cl, . . . , 6).
I t is evident that checking boundary crossing is easier than verifying property (II).
We rnay also study the sensitivity of the high-level model with respect to changes
in the parameters of the functions f , and extemal disturbance and as a result,
see whether the weak consistency of the high-level model is robust with respect
to parameter changes and disturbance. Let us go back to Fig. 4.20. Assume that
a = (al ,a2) E IR2 and w E R represent system parameters and disturbance in-
put, respectively. Then the dynamics of il can be described in more detail with:
i i = f,L(<i,Gl W ; ai , a2)- S W ~ o s e ai E [ai,min,ai,ma], a2 E [a2.min, az,,,], and
Iw(t)l 5 w,, for al1 t. In order to check il > O on the boundary between Bi
and B2, one has to obtain the supremum and infimum of fi (as a function of c l ,
el w, ai and a2) on the boundary. If fi is monotone in al1 of its parameters (for
example, in LTI systems), then this supremum and infimum can be easily calculated
using the extreme values of the parameters.
As an example, consider the DES model s h o m in Fig. 4.14 which is consistent,
hence weakly consistent, with the low-levei model. In t his automaton, the transition
B2 to B3 indicates that there must be a trajectory from B2 to B3 (In fact, B3 is
reachable from al1 of the states in B2 since .ir E n*). We wvant to know to what extent
the crossing of the boundary from & to B3 is robust with respect to the changes in
qo, the input flow. On the boundary between B2 and B3:
If qo fluctuates, as long as qo > k a . h remains positive and the boundary h = L can
be crossed.
A sirnilar sensitivity analysis for the partitions in II' in order to verify the robust-
ness of the consistency of the corresponding high-level models would be extremely
difficult (though possible in principle).
Chapter 5
Conclusion
5.1 Summary
In this thesis, we study fault diagnosis using discrete-event models. I t is assumed
that the plant under supernision is operational and that no test inputs are to be used;
diagnosis has to be based on measurements and perhaps, information about the input
commands sent to the plant.
First, Ive propose a state-based framework for fault diagnosis in systems that can
be modelled as finite-state automata. It is assumed that the state set of the systern
can be partitioned according to the system's condition (failure status). The diagnoser
(fault detection system) is a finite-state machine that takes the output sequence of
the system as input and generates a t its output an estimate of the condition of the
system. This approach is relatively simple and straightforward. The system and the
diagnoser do not have to be started at the same time. Furthermore, no information
about the state or even the condition of the system before the initialization of the
diagnoser is required. We also introduce a mode1 reduction scheme with polynomial
time complexity for reducing the computational complexity of designing the diagnoser
which, in the worst case, has exponential time complexity. We study the issue of
diagnosability of failures. In our framework, a permanent failure is diagnosable if it
can be detected and isolated after the occurrence of a t most a bounded number of
events following the occurrence of the failure and initialization of the diagnoser. We
derive necessary and sufficient conditions for failure diagnosability.
1% extend our framework to fault diagnosis in timed discrete-vent systems by
incorporating timing information. This improves the accuracy of diagnosis. In a timed
discrete-event system, the sequence of events occurring in the system is described
with respect to the ticks of a global clock. We present a new method for using
timing information which does not require estimate updates at clock ticks; instead,
it relies on the number of clock ticks between consecutive output symbols in the
output sequence, and on "predictions" for the system's condition. This significantly
reduces on-line computing requirements, and in many cases, the size of the diagnoser.
Time-diagnosability in our frarnework is also discussed and necessary and sufficient
conditions for time-diagnosabiIity are obtained.
Next me study the cases in which the DES model used for fault diagnosis is a
simplified model for a more complex hybrid automaton. Here an important issue is
whether the simplified high-level model (DES) contains enough information about
the plant for the purpose of fault diagnosis. In order to formalize the above question,
ive first extend our framework for fault diagnosis in DES to hybrid systems. Then
we introduce the notion of "consistency" between the high-level (DES) and low-level
(hybrid) models. A high-level mode1 is called consistent with the low-level model if
(i) the corresponding high-level and low-level diagnosers generate identical estimates
for the system's condition, and (ii) any failure mode is diagnosable with respect to the
high-level rnodel if and only if it is diagnosable with respect to the low-level model.
-2 set of sufficient conditions for consistency is presented. Moreover, we introduce
a more relaxed notion of consistency, called "weak consistency", based on which we
develop a semi-algorithmic method for obtaining suitable high-level DES models for
Iow-level hybrid systems.
Whether Our methodology for fault diagnosis is suitable for application in a sys-
tem or not, depends on two factors: availability of a model for the system and the
cornplexity of the problem.
Our framework is model-based and therefore, requires a description of the system
in its normal and al1 faulty modes. This makes the technique suitable for cases where
the dynamics of the system are (at least to some extent) understood. Building the
model is time consuming; however, the effort can be j ustified in part by the fact that
the model c m be used as system requirements specification [21]. Besides, in case of
future revision in the system7s design, the diagnostic system can be updated simply
by revising the system model.
Note that if the system develops an unforseen failure which was not included in
the model, then the diagnoser may still be able to detect the failure based on the
discrepancy between the model and observations. In general, in these cases, failure
detection can not guaranteed (unless a failure model is availab1e)-
-4 challenge associated wïth methods based on automata is the reduction of com-
putational complexity. In this thesis, we have addressed this problem in several
places. In fact, Our work on fault diagnosis primarily deals with two issues: com-
plexity and diagnosability. In the following section, ive provide some suggestions for
future research on the problem of complexity. Interestingly enough, while appearing
as a "demon", complexity is the prime motive for the study of systematic approaches!
In this thesis, we attempt to provide a new framework for solving a class of fault
diagnosis problems. In any real-world system, depending on failure types and the
information available about the system, a combination of techniques is typically used
to arrive a t a solution for the diagnostic problem. Our methodology is meant to be
one of the tools in the designer's toolbox.
Future Research
Throughout the thesis, we used different examples to illustrate Our approach. These
examples were simplified, smail-scale versions of real-world problems. In order to
assess the methodology properly, we need to apply Our technique to real systems. As
with any technique based on discrete-event models, computational complexity is the
most important obstacle that has to be overcome. While the schemes developed in
Section 2.4 and Chapter 3 are helpful in reducing complexity, in (larger) real problems,
they will not be enough unless they are coupled with techniques that exploit system
architecture for reducing complexity. For example, in a system cornprïsing several
subsystems, for the diagnosis of one of the failure modes of a subsystem, a detailed
mode1 of the subsystem might be enough, while for another failure, reduced models of
a number of the subsystems might be required. A hierarchical decentralized approach
would be extremely useful here. In [7] and [8], the idea of decentralized fault diagnosis
has been explored.
In this work, we focused on passive diagnosis. Active diagnosis, in which input
commands are issued by the diagnoser for testing the system and detecting failures:
is another interesting area of research. Here the problem is to find a systematic
way of generating input commands suitable for diagnosing failure modes. -4ctit-e
diagnosis of finitestate machines has been studied extensively [18]. In [22], it has been
examined in the context of control systems in a state-based framework. Integrated
approaches to diagnosis and control have been studied in [5] and [31] in an ewnt-
based frarnework, where the goal is to design a controller that, in addition to satisfjring
design specifications, renders the system under supervision diagnosable. The resulting
diagnoser can only diagnose failures that happen aj?er the diagnoser is initialized. It
would be interesting to build on the results of [22], [5] and (311, and develop a practical
methodology for active diagnosis of control systems in a state-based framework.
Upon the detection and diagnosis of a failure mode, the control system has to
accommodate the failure. Failure accommodation has not been studied in this work
but is an important problem for future study. In this problem, fault diagnosis and
supervisory control becorne closely interconnected and d l add much more complexity
to the analysis.
Our results in Chapter 4 are the first steps towards a practical theory for the
verification of consistency in hybrid systems and construction of consistent high-level
models. As with other problems in formal verification, obtaining a general systematic
solution is extremely difficult (if not impossible). However, it is possible to enlarge
the class of systems that can be formally analyzed by developing semi-algorithmic
met hods, along with useful mathematical and software tools. Application of the
techniques developed in Chapter 4 to mal-world systems is a suitable starting point
towards the above goal and should be explored further.
Another issue that we merely touched upon in Chapter 4 is the robustness of
(weak) consistency with respect to modelling uncertainty and external disturbance.
This, too, is an important matter which is lei3 for future research.
Bibliography
[1] R. Alur and D.L. Dill, ''-4 theory of timed automata," Theoretical Conputer
Science, vol. 126, pp. 183-235, 1994.
[2] -4utomatica, A Special Issue on Hybrid Systems, vol. 35, no. 3, 1999.
[3] B.A. Brandin and W.M. Wonham, "Supervisory control of timed discrete-event
systerns," IEEE Trans. Automut. Contr., vol. 39, no. 2, pp. 329-342, 1994.
[4] Y. Chen and G. Provan, "Lfodeling and diagnosis of timed discrete event systems-
A factory automation example," in Proc. Amer. Contr. Conf., Albuquerque, Nkl:
June 1997, pp. 31-36.
[5] T.Y .L. Chun, "Diagnostic supervisory control: A DES approach," Master's the-
sis, University of Toronto, Toronto, Canada, Aug. 1996.
[fi] T.H. Cormen, C.E. Leiserson and R.L. Rivest, Introduction to Algorithms. New
York: McGraiv-Hill, 1990.
[ï] A. Danviche and G. Provan. "The effect of observations on the complexity of
model-based diagnosis," in Proc. 14th National Conf. on Artificial Intelligence
(AAAI), Providence, USA, 1997.
[8] R. Debouk, S. Lafortune and D. Teneketzis, "Coordinated decentralized proto-
cols for failure diagnosis of discrete event systems," in Proc. 37th IEEE Conf.
Decision Contr., Tampa, FL, USA, Dec. 1998, pp. 3763-3768.
[9] Y. El Fattah and G. Provan, "Modeling temporal behavior in the model-based
diagnosis of discrete-event systems (A preliminary note) ," Proc. Intl. Worlcshop
on Princaples of Diagnosis, Le Mont-Saint-Michel, France, 1997.
[IO] J.-C. Fernandez, "An implementation of an efficient algorithm for bisimulation
equivalence," Sci. Comput. Programrning, 13, pp. 219-236, 1989/90.
[Il] W. Fountain, "State logic speeds PLC programming," Instrumentation EY Con-
trol Systems, vol. 67, no. 2, pp- 83-85, 1994.
[E] W. Hamscher, L. Console and J. de Kleer, Eds., Readings in Model-Based Diag-
nosis. San Mateo, CA: Morgan Kaufmann, 1992.
[13] S. Hashtrudi Zad, R.H. Kwong and W.M. Wonham, "Supremum operators and
computation of supremal elements in system theory," SIAM J. Control Optim.,
vol. 37, no. 3, pp. 695-709, 1999.
[14] L.E. Holloway and S. Chand, 'Time templates for discrete event fault monitoring
in manufacturing systems," Proc. Amer. Contr. Conf., Baltimore, MD: June
1994, pp. 701-706.
[l5] IEEE Transactions on Automatic Control, Special Issue on Hybrid Control Sys-
tems, vol. 43, no. 4, 1998.
[16] R. P. Kurshan and K. L. McMillan, "Analysis of digital circuits through syrnbolic
reduction," IEEE Trans. Computer-Aided Deszgn, vol. 10: no. 11, pp. 1356-1371,
1991.
[l?] M. Larsson, "Diagnosis and analysis of diagnosis properties using discrete event
dynamic systems," in Proc. 37th IEEE Conf. Decision Contr., Tampa, FL: USA,
Dec. 1998, pp. 3775-3780.
[18] D. Lee and M. Yannakakis, "Principles and methods of testing finite state
machines- A survey," Proc. IEEE, vol. 84, no. 8, pp. 1090-1123, 1996.
[19] W.S. Lee, D.L. Grosh, F.A. Tillman and C.H. Lie, "Fault tree analysis, methods,
and applications- A review," IEEE Trans. Reliability, vol. R-34, no. 3, pp. 194-
203, 1985.
[20] F.P. Lees, Loss Preuention in the Process Industries, Volume 1. London: But-
terworths, 1980.
[21] N.G. Leveson, Safeware: System Safety and Cornputers. Reading, Mass.:
-4ddison- Wesley, 1995.
[22] F . Lin. "Diagnosability of discrete event systems and its applications." Discrete
Event Dynamic Systerns, vol. 4 , pp. 197-212, 1994.
[23] S. MacLane and G. Birkhoff, Algebra. Macmillan, 1967.
[24] R. Paige and R.E. Tarjan, "Three partition refinement algorithms," SIAM J.
Cornput., vol. 16, pp. 973-989, 1987.
[25] D.N. Pandalai and L.E. Holloway, "Template languages for fault monitoring
of single-instance and multiple-instance discrete event processes," in Proc. 36th
Conf. Decision Contr., San Diego, USA, Dec. 1997, pp. 4619-4625.
[26] R. Patton, P. Frank and R. Clark, Eds., Fault Diagnosis in Dynamic Systems:
Theory and Applications. New York: Prentice-Hall, 1989.
[27] R.J. Patton and J. Chen, Eds., Proc. IFAC Symp. Fault Detection, Supervision
and Safety for Technacal Processes 1997, Kingston Upon Hull, UK, 1997.
[28] G. Provan and Y.-L. Chen, "Diagnosis of timed discrete event systems using
temporal causal networks: Modeling and analysis," Proc. Worhhop on Discrete
Event Systems, Cagliari, Italy, 1998, pp. 152-154.
[29] M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen and D. Teneket-
zis, "Diagnosability of discrete-event systems," IEEE Trans. Automat. Contr.,
vol. 40, no. 9, pp. 1555-1575, 1995.
[30] M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen and D. Teneket-
zis, "Failure diagnosis using discrete-event models," IEEE Trans. Contr. Syst.
Technology, vol. 4, no. 2, pp. 105-124, 1996.
[3 11 M. Sampath, S. Lafortune and D. Teneketzis, "Active diagnosis of discrete-event
systems," IEEE Trans. Automat- Contr., vol. 43, no. 7, pp. 908-929, 1998.