ON DIAGNOSIS AND PREDICTABILITY OF PARTIALLY-OBSERVED DISCRETE-EVENT SYSTEMS

by

Sahika Genc

A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy (Electrical Engineering: Systems) in The University of Michigan, 2006

Doctoral Committee:
Professor Stéphane Lafortune, Chair
Professor Demosthenis Teneketzis
Assistant Professor Mingyan Liu
Associate Professor Dawn Tilbury



© Sahika Genc 2006. All Rights Reserved.


To engineers, scientists, and mathematicians with double X factor


ACKNOWLEDGEMENTS

This thesis reports on work performed while the author was under the supervision of Professor Stéphane Lafortune at the University of Michigan. The financial support for this thesis was provided in part by NSF grants ECS-0080406, CCR-0082784 and CCR-0325571, and by a grant from the Xerox University Affairs Committee. The author wishes to acknowledge support from a Barbour Fellowship from the Horace H. Rackham School of Graduate Studies at the University of Michigan.

The author thanks Kurt Rohloff, Dave Thorsley, Tae-Sic Yoo, Yin Wang and Patricia Mena for great philosophical discussions on Discrete-Event Systems. The author also thanks Ben Morris for being a constant listener, officemate and one of the coffee pals, and Zeinab Mousavi for sharing her real life stories. As a mathematician nicely put it, “We have the ability to turn coffee into proof.” The author acknowledges all the coffee makers in Ann Arbor for their contributions to many of the proofs in the thesis.

Finally, the author wishes to thank Fusun Erkul and Selin Aviyente for just being there all the time, through pain and suffering, through happiness and joy. The author thanks her parents, Mustafa Ismet Genc and Semahat Genc, for living in her heart and mind despite being on the other side of the ocean; her sister, Melda Genc, for being the arrogant artist; her cousin, Demet Coruh, for being the wise one; and her cousin Nihal Bayraktar for being herself any time, all the time.


TABLE OF CONTENTS

DEDICATION ... ii
ACKNOWLEDGEMENTS ... iii
LIST OF FIGURES ... vi
LIST OF TABLES ... x

CHAPTER

I. Introduction ... 1
  1.1 Monitoring and Diagnosis of Discrete-Event Systems ... 1
  1.2 Contribution ... 3
  1.3 Organization ... 6

II. Monolithic Diagnosis of Systems Modeled as Petri Nets ... 8
  2.1 Introduction ... 8
  2.2 Preliminaries ... 10
  2.3 Problem Statement ... 10
  2.4 Petri Net Diagnosers ... 11
  2.5 Case Study ... 14
  2.6 Conclusion ... 17

III. Distributed Diagnosis of Systems Modeled as Petri Nets ... 22
  3.1 Introduction ... 22
  3.2 Problem Statement ... 25
  3.3 Communicating Petri Net Diagnosers ... 28
  3.4 Communication Protocol ... 33
  3.5 Monolithic Petri Net Diagnosers ... 38
  3.6 Correctness Results ... 38
  3.7 Implementation of DDC-M: Fixed-Size Message Labels ... 46
  3.8 Case Study ... 53
  3.9 Conclusion ... 63

IV. Diagnosis of Event Patterns ... 64
  4.1 Introduction ... 64
  4.2 Preliminaries ... 66
  4.3 Pattern Diagnosability ... 69
  4.4 Verification of Pattern Diagnosability for Regular Languages ... 72
  4.5 Case Study: An Implementation of Pattern Diagnosis ... 90
  4.6 Conclusion ... 94

V. Prediction of Event Occurrences ... 97
  5.1 Introduction ... 97
  5.2 Preliminaries ... 99
  5.3 Problem Statement ... 99
    5.3.1 Diagnosability vs. Predictability ... 102
  5.4 Verification of Predictability for Regular Languages ... 104
    5.4.1 Verifier Approach ... 114
  5.5 Conclusion ... 120

VI. Conclusion ... 123

APPENDICES ... 125

BIBLIOGRAPHY ... 151


LIST OF FIGURES

Figure

2.1 Monolithic diagnosis ... 11
2.2 Valve model ... 16
2.3 Valve model with x_0 ... 17
2.4 Valve model with x_{d,0} ... 18
2.5 Valve model with x_{d,1} ... 19
2.6 Valve model with x_{d,2} ... 20
2.7 Valve model with x_{d,3} ... 21
3.1 General architecture of modular diagnosis approach ... 24
3.2 System with six place-bordered nets ... 27
3.3 System with six place-bordered nets ... 27
3.4 Place-bordered net: Module #1 (valve) ... 54
3.5 Place-bordered net: Module #2 (pump) ... 55
3.6 Place-bordered net: Module #3 (load) ... 56
3.7 Common places between the modules ... 56
4.1 G ... 72
4.2 G ... 73
4.3 H_T(Σ, s) where s = cacao and Σ = {c, a, o} ... 74
4.4 U = ∪_{s∈K2}(G × H_S(Σ, s)) where K1 = {ab, dc} and Σ = {a, b, c, d, e} ... 82
4.5 Obs(U) for K1 = {ab, dc} where Σ_o = {b, d} ... 82
4.6 U = ∪_{s∈K2}(G × H_S(Σ, s)) where K2 = {ab} and Σ = {a, b, c, d, e} ... 83
4.7 Obs(U) for K2 = {ab} where Σ_o = {b, d} ... 83
4.8 H_T(Σ, dc) where Σ = {a, b, c, d, e} ... 86
4.9 G × H_T(Σ, s) where K = {dc} and Σ = {a, b, c, d, e} ... 86
4.10 U_T = U(C(G), ∪_{s∈K}(G × H_S(Σ, s))) where K = {ab, dc} and Σ = {a, b, c, d, e} ... 89
4.11 Obs(U) where Σ_o = {b, d} ... 89
4.12 G ... 90
4.13 U_S = ∪_{s∈K}(G × H_S(Σ, s)) where K = {ab, dc} and Σ = {a, b, c, d} ... 91
4.14 Obs(U_S) for K = {ab, dc} where Σ_o = {b, d} ... 91
4.15 U_T = ∪_{s∈K}(G × H_S(Σ, s)) where K = {ab, cd} and Σ = {a, b, c, d} ... 92
4.16 Obs(U_T) for K = {ab, cd} where Σ_o = {b, d} ... 92
4.17 G ... 94
4.18 U_S ... 95
4.19 Obs(U_S) contains a marking-indeterminate cycle ... 95
4.20 Obs(U_S) does not contain any marking-indeterminate cycles ... 96
5.1 G ... 101
5.2 G ... 103
5.3 D_G ... 111
5.4 D_G ... 111
5.5 The equivalence classes induced by ∼ in F_D ... 113
5.6 The verifier states ... 118
5.7 D_G ... 121
5.8 D_G ... 122
A.1 The toolbox outline ... 127
A.2 How to “quick load” a Petri net? ... 128
A.3 How to “create” a Petri net and partitions? ... 129
A.4 The settings of the Petri net ... 130
A.5 The incidence matrix (D−) of the Petri net ... 130
A.6 The incidence matrix (D+) of the Petri net ... 131
A.7 The place labels of the Petri net ... 132
A.8 The transition labels (event set) of the Petri net ... 132
A.9 The initial state of the Petri net ... 133
A.10 The partitions of the Petri net ... 134
A.11 The Petri net ... 135
A.12 The distributed Petri net ... 136
A.13 The connection between the modules in the distributed Petri net ... 137
A.14 The sequence of observable events ... 138
A.15 The set of enabled events ... 139
A.16 The result of DDC-M ... 139
A.17 The result of the “merge” operation ... 140
A.18 The result of MDA ... 141
A.19 Manufacturing system modules connection graph ... 142
A.20 Petri net model of manufacturing system processed by DiagnoserToolbox ... 144
A.21 Petri net model of manufacturing system ... 145
A.22 Petri net model of manufacturing system ... 146
A.23 Petri net model of manufacturing system ... 147
A.24 Petri net model of manufacturing system processed by DiagnoserToolbox ... 148
A.25 Petri net model of manufacturing system ... 149
A.26 Petri net model of manufacturing system ... 150

LIST OF TABLES

Table

4.1 The sample event log ... 93
A.1 File types ... 128
A.2 The color code of events and places ... 135


CHAPTER I

Introduction

1.1 Monitoring and Diagnosis of Discrete-Event Systems

The problem of fault diagnosis for discrete-event systems has received considerable attention in the last decade, and diagnosis methodologies based on the use of discrete-event models have been successfully used in a variety of technological systems ranging from document processing systems to intelligent transportation systems. A wide variety of methods have been proposed in the literature on fault diagnosis. These include non-model-based methods (statistical tests, signature analysis, expert systems), see [62, 50, 45] and the references therein; quantitative model-based methods (analytical models to compare the measurements with their predicted values to detect the occurrence of faults), see [20, 29, 63, 24] and the references therein; and qualitative models (AI-based, discrete-event-systems-based), see [62, 28, 2, 36, 35, 30, 61, 14, 38] and the references therein. The qualitative model-based methods are the most relevant to the work described in this thesis. The qualitative methods employ model-based inferencing to correctly estimate the occurrence of the faults in the behavior of the system. The major advantage of the qualitative model-based methods is that detailed in-depth modeling of the system is not required.


A recently-proposed methodology for fault diagnosis of discrete-event systems modeled by finite-state automata, termed the “Diagnoser Approach”, is of particular relevance to the present thesis. The methodology was introduced in [55] and subsequently extended in several works including [16, 12], and has been used successfully in a variety of application areas, including heating, ventilation, and air-conditioning units [51], intelligent transportation systems [13, 56], document processing systems [53, 52], and chemical process control [21]. The key feature of the approach is the use of a special discrete-event process called the diagnoser. The diagnoser is built from the system model and is used to (i) test the diagnosability properties of the system and (ii) perform on-line monitoring of the system for the purpose of fault diagnosis. The states of the diagnoser contain information about the possible occurrence of faults, according to the system model. The diagnoser is then used for on-line fault diagnosis of the system as follows. Each observable event executed by the system triggers a state transition in the diagnoser. Examination of the current diagnoser state reveals the status of the different types of faults: fault(s) of Type F1 did not occur, fault(s) of Type F1 possibly occurred (“F1-uncertain state” in the terminology of [54]), fault(s) of Type F1 occurred for sure (“F1-certain state” in the terminology of [54]).

This thesis is concerned with partially-observed monolithic and modular discrete-event systems that are modeled by Finite State Automata (FSA) and Petri nets. FSA have been widely used to solve problems of observability, observability with delay, stability and invertibility, and fault diagnosis; see [7, 8, 11, 37, 40, 42, 41, 43, 44, 47, 49, 48]. Petri net models have also been employed to solve problems of state observability, system monitoring, alarm analysis, and fault diagnosis in several works, including [58, 25, 27, 3, 5, 4, 26]. Systems possessing modular structures are receiving more and more attention in the recent literature on diagnosis, verification, and control of discrete-event systems; see, e.g., [12, 3, 5, 15, 60, 59]. The use of Petri nets instead of automata offers potential advantages in system modeling and analysis of modular systems, especially in terms of the distributed representation of the system state and of the ability to represent coupling of system components by means of common places.

1.2 Contribution

In this thesis, we define the notion of a monolithic Petri net diagnoser, or simply diagnoser, which is used as a tool to detect and isolate faults in the system. The system to be diagnosed is modeled by a labeled Petri net. The monolithic diagnoser observes the system and determines the states the system can be in upon observation of an event. Note that upon observation of an event (e.g., sensor readings, changes in the sensor readings), the state of the system is in general not known exactly, due to the presence of unobservable events in the set of transition labels. The Petri net diagnoser finds all the states the system can be in, namely, all the states that are consistent with the sequence of observable events seen thus far. Fault information is attached to these state estimates in the form of fault labels. The faults are explicitly modeled as events in the system.

We also study the problem of detecting and isolating faults or other significant events in the behavior of a modular dynamic system that is modeled as a set of interacting Petri net modules. The common places among the set of Petri nets modeling a system capture the coupling of various system components. The objective is to diagnose the occurrence of fault events based on the sequence of observed events and on the structure of the respective Petri net modules and their coupling by common places. It is sought to obtain a distributed diagnosis algorithm that takes advantage of the modular structure of the system.

Our investigations on the problem of fault diagnosis of Petri nets were first reported in [22], where the notion of centralized (monolithic) Petri net diagnosers is introduced. Petri net diagnosers serve the same purpose as the automata diagnosers in [55] for on-line monitoring and diagnosis of a system, but they are based on the same Petri net structure as the system model, unlike diagnoser automata, which require a conversion of the system model from nondeterministic to deterministic. Our initial work reported in [22] also considered systems composed of two Petri nets sharing a set of common places, leading to a distributed diagnosis algorithm with communication abbreviated. In this thesis, we consider the case of modular systems consisting of a set of M place-bordered Petri nets. We present two new algorithms, one termed DDC-M, and the other termed DDC-M with fixed-size message labels, which uses an encoding of messages and significantly improves upon the real-time communication requirements. A preliminary version of DDC-M, without message encoding, is presented without a correctness proof in [23]. Clearly, the monolithic approach is a special case of the modular approach where the set of place-bordered Petri nets is a singleton.

In the following part of the thesis, we generalize the problem of diagnosing (detecting and isolating) a single event to diagnosing a pattern in the behavior of a system modeled as a partially-observed discrete-event system (DES). To the best of our knowledge, all prior works on fault diagnosis of DES pertain to the diagnosis of a single event among several unobservable events. Our objective is to extend the methodology of the Diagnoser Approach introduced in [55] to the case of patterns. The event pattern to be diagnosed is a set of sequences of events. In application areas such as detection of intrusion and attacks in networks [39], patterns of events need to be diagnosed.

The system is diagnosable with respect to a pattern if it is possible to detect and isolate occurrences of the pattern upon completion (with finite delay) while observing the sequences of events executed by the system. The problem is trivial if each event executed by the system to be diagnosed is observable. Our objective is two-fold:

1. Off-line verification of the diagnosability property of the system with respect to the pattern, i.e., whether the system is diagnosable with respect to the pattern.

2. On-line monitoring of the system and diagnosis of the pattern, i.e., how to detect the occurrence of the pattern while partially observing the behavior of the system.

Finally, we consider the problem of predicting occurrences of a significant (e.g., fault) event in a DES. We study the problem of whether it is possible to predict occurrences of an event in the system; then, depending on the nature of the event, the system operator can be warned and may decide to halt the system or otherwise take preventive measures. The system under consideration is modeled by a language over an event set. The event set is partitioned into observable events and unobservable events, i.e., the events that are not directly recorded by the sensors attached to the system. The objective is to predict occurrences of a possibly unobservable event in a system, based on the strings of observable events in the language. To the best of our knowledge, the notion of predictability that is introduced and studied in this thesis is different from prior works (see [9, 6, 57, 19] and references therein) on other notions of predictability.


1.3 Organization

The organization of the thesis is as follows. In Chapter II, we study the monolithic diagnosis of systems modeled as Petri nets. We define how the system and the diagnoser are modeled, give their graphical representation, consider the dynamics of the diagnoser, and present an illustrative example. In Chapter ??, we consider distributed diagnosis of a modular dynamic system that is modeled as a set of interacting Petri net modules. In Chapter IV, we study the diagnosis of event patterns. We define two different notions of pattern diagnosability in the context of formal languages: (i) S-type pattern diagnosability and (ii) T-type pattern diagnosability. These two types stem from different approaches to defining the occurrence of a pattern. In S-type pattern diagnosability, a pattern is detected if all the sequences executed by the system that record the same observed event sequences contain subsequences in the pattern. In T-type pattern diagnosability, a pattern is detected if all the sequences executed by the system that record the same observed event sequences contain substrings in the pattern. In Chapter V, we address the problem of prediction of event occurrences. The predictability of occurrences of an event in a system is defined in the context of formal languages. It is shown that in the case of regular languages, there exists a necessary and sufficient condition for occurrences of an event to be predictable in the language. Finally, in the Appendix, we present a software implementation of the algorithms and operations presented in the thesis. The software interacts with GraphViz, developed by AT&T, to visualize the labeled Petri nets, the diagnoser states (including the state, fault and message information), and the dynamics of the Petri nets and the algorithms (if communications occur among modules, which module communicates with which module, the list of events enabled from the diagnoser states, etc.).


CHAPTER II

Monolithic Diagnosis of Systems Modeled as Petri Nets

2.1 Introduction

This chapter addresses the problem of detecting and isolating faults or other significant events in the behavior of a monolithic dynamic system that is modeled as a labeled Petri net. The events to be diagnosed, referred to as “faults” hereafter, are modeled as unobservable events in the system. Events are unobservable when they are not directly recorded by the sensors attached to the system. The common places among the set of Petri nets modeling a system capture the coupling of various system components. The objective is to diagnose the occurrence of fault events based on the sequence of observed events and on the structure of the respective Petri net modules and their coupling by common places. It is sought to obtain a distributed diagnosis algorithm that takes advantage of the modular structure of the system.

The problem of fault diagnosis for discrete-event systems has received considerable attention in the last decade, and diagnosis methodologies based on the use of discrete-event models have been successfully used in a variety of technological systems ranging from document processing systems to intelligent transportation systems; see [34] and the references therein. The methodology termed the “Diagnoser Approach”, introduced in [55] and subsequently extended in several works including [16, 12], is of particular relevance to the present chapter. The key feature of the Diagnoser Approach is the use of a special discrete-event process called the diagnoser. The diagnoser is built from the system model and is used to (i) test the diagnosability properties of the system and (ii) perform on-line monitoring of the system for the purpose of fault diagnosis. The above references regarding the Diagnoser Approach are all based on the use of automata models for the system under consideration, leading to the construction of automata diagnosers.

This and the next chapter are concerned with discrete-event systems that are modeled by Petri nets. The use of Petri nets instead of automata offers potential advantages in system modeling and analysis, especially in terms of the distributed representation of the system state and of the ability to represent coupling of system components by means of common places.

Petri net models have been employed to solve problems of state observability, system monitoring, alarm analysis, and fault diagnosis in several works, including [58, 25, 27, 3, 5, 4, 26]. However, to the best of our knowledge, the algorithms presented in this and the next chapter are the first to explore the extension of the Diagnoser Approach of [55] to monolithic and modular discrete-event systems modeled by Petri nets.

The organization of the chapter is as follows. In Section 2.2, we give some definitions and notation. In the following section, we present the problem statement. In Section 2.4, we consider the dynamics of the diagnoser. Although the diagnoser is graphically modeled as a labeled Petri net, its state transition function and states differ from those of typical labeled Petri nets. We conclude the chapter by presenting an illustrative example of the notions defined in this chapter.


2.2 Preliminaries

In this section, we give some definitions (stated briefly since they are standard; see, e.g., Chapter 4 of [10] for further details). A Petri net graph is defined as N = ⟨P, T, A, w⟩, where P and T are finite sets of places and transitions, respectively, A is the set of arcs from places to transitions and from transitions to places, and w : A → Z+ is the weight function on the arcs. We denote by W(P, t) the row vector of size equal to the number of places in P whose ith column is equal to w(t, p_i) − w(p_i, t), where p_i ∈ P and t ∈ T.

A labeled Petri net is defined as (N, Σ, l, x_0), where Σ is the set of events, l : T → Σ is the transition labeling function, and x_0 is the initial state. A transition t ∈ T can fire from x ∈ X, where X is the state space of the labeled Petri net, if and only if t is feasible (enabled) from x. A transition t is enabled from x if x + W(t) ≥ 0 componentwise, where W(t) is shorthand for the row vector W(P, t) defined above. When t fires from state x, the state transition function f : X × T → X gives the resulting state according to the usual Petri net dynamics, i.e., f(x, t) = x + W(t).

Some of the events in Σ are observable, i.e., their occurrence can be observed (detected by sensors), while the other events are unobservable; thus Σ = Σ_o ∪ Σ_uo. The set of fault events Σ_f is a subset of Σ_uo. We partition the set of faults into disjoint sets, where each set corresponds to a different fault type. This is because it might not be necessary to detect and isolate uniquely every fault event, but only the occurrence of one among a subset (type) of fault events. We denote by Σ_Fk the set of fault events corresponding to a type k fault.

2.3 Problem Statement

In this chapter, we define the notion of a monolithic Petri net diagnoser, which is used as a tool to detect and isolate faults in the system. The system to be diagnosed is modeled by a labeled Petri net. The monolithic diagnoser observes the system and determines the states of the system consistent with the sequence of observable events seen thus far. Fault information is attached to these state estimates in the form of fault labels. The faults are explicitly modeled as events in the system. Figure 2.1 gives a block diagram of the system and its diagnoser interacting with each other (the notation in the figure is introduced below in Sections ?? and 2.4).

[Figure 2.1, block diagram: the System Model emits Observable Events to the Diagnoser, which outputs the Failure Type F_i.]

Figure 2.1: Monolithic diagnosis.

2.4 Petri Net Diagnosers

The Petri net diagnoser is a special discrete-event process from which we infer the occurrences of faults in the system. In this sense, the Petri net diagnosers introduced in [22] serve the same purpose as the automata diagnosers introduced in [55] for on-line diagnosis of faults or other significant events in the behavior of the system. However, Petri net diagnosers and automata diagnosers have different structures. A Petri net diagnoser inherits the Petri net structure of the underlying system, whereas an automaton diagnoser is obtained by an algorithm that incorporates the conversion of a nondeterministic automaton to a deterministic one. The diagnoser and the underlying net to be diagnosed have the same structure, but they do not have the same dynamics.

A Petri net diagnoser, upon observation of an event, estimates the states the system could be in. Thus, a Petri net diagnoser state contains a set of system states. The diagnoser state also carries diagnosis information, i.e., a fault label, that provides information on the fault types that may have occurred. The Petri net diagnosers studied herein were first defined in [22].

The diagnoser for a labeled Petri net M is

D = (N, Σ, l, x_{d,0}, Δ_f),    (2.1)

where N, Σ, l are as defined before, x_{d,0} is the initial diagnoser state, and Δ_f is the set of fault types of D.

The diagnoser state x_d of D is a matrix of the form

          ⎡   ⋮    |   ⋮    ⎤
    x_d = ⎢ x_s(i) | x_f(i) ⎥    (2.2)
          ⎣   ⋮    |   ⋮    ⎦

where x_s(i) denotes the state in row i of diagnoser state x_d and x_f(i) denotes the corresponding fault label. The state part x_s(i) of each row i corresponds to one possible state of M following the occurrence of the observed sequence of events.


In order to formally define the diagnoser state transition function, we first define $S : X_d \times \Sigma_o \to 2^{X \times 2^{\Delta_f}}$, that is, the set of states with the corresponding fault labels reached from the rows of a diagnoser state. Formally,

$$S(x_d, a) = \bigcup_{1 \le i \le I}\; \bigcup_{t \in B(x_d(i), a)} \big\{ (u_s \mid u_f) : u_s = f(x_s(i), t),\; u_f = x_f(i) \big\}, \qquad (2.3)$$

where I is the number of rows of $x_d$ and $B(x_d(i), a)$ is the set of $t \in T$ labeled with $a \in \Sigma_o$ and enabled from the state part $x_s(i)$ of row i; formally,

$$B(x_d(i), a) = \{ t \in T : l(t) = a \text{ and } x_s(i) + W(t) \ge \vec{0} \}. \qquad (2.4)$$

Second, we define $UR : X \times 2^{\Delta_f} \to 2^{X \times 2^{\Delta_f}}$, that is, the set of states with the corresponding fault labels reached by firing enabled transitions labeled with unobservable events. Formally,

$$UR((u_s \mid u_f)) = \Big\{ (y_s \mid y_f) : \exists\, t \in T^*,\; l(t) \in \Sigma_{uo}^*,\; y_s = f(u_s, t),\; (\forall k \in \Delta_f)\; y_f(k) = \begin{cases} 1, & \text{if } l(t) \text{ contains an event in } \Sigma_{F_k}, \\ u_f(k), & \text{otherwise} \end{cases} \Big\}. \qquad (2.5)$$

Since $T^*$ contains the empty string, $(u_s \mid u_f)$ itself belongs to $UR((u_s \mid u_f))$.

The diagnoser state transition function of D is of the form $f_d : X_d \times \Sigma_o \to X_d$, where $X_d$ is the state space of D. Given the diagnoser state $x_d \in X_d$ and the observable event $a \in \Sigma_o$, $f_d(x_d, a)$ is defined only if there exists some $t \in T$ labeled with the observable event a and enabled from the state part of some row i of $x_d$. In that case, $f_d(x_d, a)$ is the listing of the elements in the set

$$\bigcup_{u \in S(x_d, a)} UR(u). \qquad (2.6)$$

The diagnostic information provided by a diagnoser state is obtained by examining the last $|\Delta_f|$ columns of that state, i.e., the fault-label columns: (i) if a column contains only 0's, then no fault event of the corresponding type could have occurred; (ii) if a column contains only 1's, then we are certain that at least one fault event of that type has occurred; (iii) otherwise, if a column contains both 0's and 1's, we are uncertain about the occurrence of a fault of that type. If the diagnoser is certain that a fault of type $F_i$ has occurred, then it outputs “$F_i$” as the failure type indicated in Figure 2.1. This diagnostic information is equivalent to that obtained from diagnoser automata in the Diagnoser Approach of [54].
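The construction in Equations (2.3)–(2.6) and the column rule above are easy to get subtly wrong (dropping the empty unobservable string from the unobservable reach, or propagating a fault label across the wrong row), so a Python implementation of the monolithic diagnoser is added here as a worked example. It is not the thesis's own software tool and does not reproduce the valve of Fig. 2.2: the four-place net, its event labels, the single fault type $F_1 = \{so\}$ and the use of the enabling test $x + W(t) \ge \vec 0$ of Equation (2.4) are assumptions made for this example. Read as a monitor, the diagnoser is also a model-based detector: an observation that no row can explain ($f_d$ undefined) is itself a finding, which the code surfaces as an exception instead of silently dropping it.

```python
"""Added example: monolithic Petri net diagnoser of Eqs. (2.3)-(2.6) on a constructed net."""
from itertools import chain

# Constructed valve-like net (assumption: not the thesis's valve model of Fig. 2.2).
PLACES = ("closed", "open", "stuck", "closing_stuck")
# transition -> (event label, W(t) = post - pre, ordered as PLACES)
TRANSITIONS = {
    "t1": ("ov",   (-1, +1,  0,  0)),   # open command: closed -> open
    "t2": ("so",   ( 0, -1, +1,  0)),   # stuck-open fault (unobservable)
    "t3": ("cv",   (+1, -1,  0,  0)),   # close command succeeds
    "t4": ("cv",   ( 0,  0, -1, +1)),   # close command issued while stuck open
    "t5": ("flow", ( 0,  0, +1, -1)),   # flow sensor fires although the valve was "closed"
}
SIGMA_O = {"ov", "cv", "flow"}           # observable events Sigma_o
FAULT_TYPES = ("F1",)                    # Delta_f, column order of the fault label
SIGMA_F = {"F1": {"so"}}                 # Sigma_{F1}
X0 = (1, 0, 0, 0)                        # initial marking: valve closed


def fire(marking, t):
    """x + W(t), or None when t is not enabled under the test x + W(t) >= 0 (Eq. 2.4)."""
    new = tuple(x + w for x, w in zip(marking, TRANSITIONS[t][1]))
    return new if min(new) >= 0 else None


def B(marking, a):
    """Eq. (2.4): transitions labelled a and enabled from the marking."""
    return [t for t, (lbl, _) in TRANSITIONS.items() if lbl == a and fire(marking, t) is not None]


def S(xd, a):
    """Eq. (2.3): rows reached by firing one a-labelled transition; fault label carried over."""
    return {(fire(xs, t), xf) for xs, xf in xd for t in B(xs, a)}


def UR(row):
    """Eq. (2.5): unobservable reach of one row, including the row itself (empty string)."""
    seen, stack = {row}, [row]
    while stack:
        xs, xf = stack.pop()
        for t, (lbl, _) in TRANSITIONS.items():
            if lbl in SIGMA_O:
                continue
            ys = fire(xs, t)
            if ys is None:
                continue
            # fault label: set to 1 for every fault type whose event set contains lbl
            yf = tuple(1 if lbl in SIGMA_F[k] else f for k, f in zip(FAULT_TYPES, xf))
            if (ys, yf) not in seen:
                seen.add((ys, yf))
                stack.append((ys, yf))
    return seen


def fd(xd, a):
    """Eq. (2.6): next diagnoser state (sorted listing), or None if no row enables a."""
    succ = S(xd, a)
    if not succ:
        return None
    return tuple(sorted(set(chain.from_iterable(UR(u) for u in succ))))


def verdict(xd):
    """Column rule of Section 2.4: normal / certain / uncertain per fault type."""
    out = {}
    for j, k in enumerate(FAULT_TYPES):
        col = {xf[j] for _, xf in xd}
        out[k] = "normal" if col == {0} else "certain" if col == {1} else "uncertain"
    return out


def initial_state():
    """x_{d,0}: unobservable reach of the initial marking with an all-zero fault label."""
    return tuple(sorted(UR((X0, (0,) * len(FAULT_TYPES)))))


def run(events):
    """Feed an observed sequence; return the F1 verdict after each observation."""
    xd, history = initial_state(), []
    for a in events:
        xd = fd(xd, a)
        if xd is None:
            raise ValueError(f"observation {a!r} is not explained by the model")
        history.append(verdict(xd)["F1"])
    return history


if __name__ == "__main__":
    print(run(["ov", "cv", "flow"]))
```

After `ov` the stuck-open fault may or may not have fired (F1-uncertain); `cv` keeps both hypotheses alive; the `flow` reading is explained only through the stuck branch, so the state becomes F1-certain, exactly the all-ones column of rule (ii).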

2.5 Case Study

We developed a software implementation of DDC-M and of the merge operation. The software interacts with GraphViz, developed by AT&T, to visualize the labeled Petri nets, the diagnoser states (including the state, fault and message information), and the dynamics of the Petri nets and of the algorithms (whether communications occur among modules, which module communicates with which module, the list of events enabled from the diagnoser states, etc.). All analysis results for the examples in this section were obtained with this software tool.

We study an example of a Heating, Ventilation and Air-Conditioning (HVAC) system which consists of valve, pump, and load models. In this section, we consider the valve model shown in Fig. 2.2. The set of events of the valve, with the abbreviations used for them in Fig. 2.2, is

$$\Sigma_1 = \{\text{close\_valve (cv)},\ \text{open\_valve (ov)},\ \text{stuck\_open\_1 (so1)},\ \text{stuck\_open\_2 (so2)},\ \text{stuck\_closed\_1 (sc1)},\ \text{stuck\_closed\_2 (sc2)}\}.$$

The commands cv and ov are the observable events; the four stuck events are the (unobservable) fault events.

The initial state of the valve is

$$x_0 = (1\;1\;0\;0\;1\;0\;1\;0\;0\;0)^T. \qquad (2.7)$$

The ordering of the digits in $x_0$ is as follows: c_1, c_1_1, c_2, c_2_1, c_4, c_5, vl_1, vl_2, vl_3, vl_4. The valve model with the initial state is shown in Fig. 2.3. In the figure, we denote the marking, i.e., the number of tokens each place holds, by “label of the place@[number of tokens the place holds]”. For example, in Fig. 2.3, vl_1@[1] means that vl_1 holds one token.

The initial diagnoser state is

$$x_{d,0} = \left[\begin{array}{c|c} 1100101000 & 00 \\ 1100100010 & 10 \\ 1100100001 & 01 \end{array}\right], \qquad (2.8)$$

where each digit in the rows of $x_{s,0}$ corresponds to the number of tokens in a place, and each digit in the rows of $x_{f,0}$ corresponds to a fault type of the valve. The ordering of the digits in $x_{s,0}$ is the same as the one in $x_0$. The ordering of the digits in $x_{f,0}$ is $F_1$ and $F_2$, respectively, where the event sets for the fault types are

$$\Sigma_{F_1,1} = \{\text{stuck\_open\_1 (so1)},\ \text{stuck\_open\_2 (so2)}\}, \qquad \Sigma_{F_2,1} = \{\text{stuck\_closed\_1 (sc1)},\ \text{stuck\_closed\_2 (sc2)}\}.$$

The first row of $x_{d,0}$ is $x_0$ itself; the second and third rows are its unobservable reach, obtained by firing an unobservable fault transition of type $F_1$ and $F_2$, respectively, which is why their fault labels are 10 and 01. As stated earlier, each row in the diagnoser state corresponds to a state estimate upon observation of an event. Each column in the diagnoser state corresponds to a list of estimates of the number of tokens a place holds upon observation of an event. The valve model with the initial diagnoser state is shown in Fig. 2.4. In the figure, we represent by vl_1@[1 0 0] the column of $x_{d,0}$ corresponding to the place named vl_1.

An observable event enabled from $x_{d,0}$ is open_valve. If open_valve is observed, the diagnoser state transition function gives the next diagnoser state

$$x_{d,1} = f_d(x_{d,0}, \text{open\_valve}) = \left[\begin{array}{c|c} 0110100001 & 01 \\ 0110100010 & 10 \\ 0110100100 & 00 \\ 1001100010 & 10 \end{array}\right]. \qquad (2.9)$$

An observable event enabled from $x_{d,1}$ is close_valve, and the next diagnoser state is

$$x_{d,2} = f_d(x_{d,1}, \text{close\_valve}) = \left[\begin{array}{c|c} 0110010001 & 01 \\ 0110010010 & 10 \\ 0110011000 & 00 \\ 1001010010 & 10 \end{array}\right]. \qquad (2.10)$$

An observable event enabled from $x_{d,2}$ is open_valve, and the next diagnoser state is

$$x_{d,3} = f_d(x_{d,2}, \text{open\_valve}) = \left[\begin{array}{c|c} 0011010010 & 10 \end{array}\right]. \qquad (2.11)$$

In $x_{d,1}$ and $x_{d,2}$ both fault-label columns contain 0's and 1's, so the diagnoser is uncertain about both fault types; in $x_{d,3}$ the $F_1$ column contains only 1's and the $F_2$ column only 0's, so the diagnoser is $F_1$-certain: the valve is stuck open. The valve model with the diagnoser states $x_{d,1}$, $x_{d,2}$, and $x_{d,3}$ is shown in Figs. 2.5, 2.6, and 2.7, respectively.

[Figure 2.2 (Petri net graph): places vl_1, vl_2, vl_3, vl_4, c_1, c_1_1, c_2, c_2_1, c_4, c_5; transitions t1:cv, t2:ov, t3:sc2, t4:cv, t5:ov, t6:ov, t7:cv, t8:so1, t9:cv, t10:ov, t11:so2, t12:sc1.]

Figure 2.2: Valve model

[Figure 2.3 (Petri net graph of Fig. 2.2 with marking): vl_1@[1], vl_2@[0], vl_3@[0], vl_4@[0], c_1@[1], c_1_1@[1], c_2@[0], c_2_1@[0], c_4@[1], c_5@[0].]

Figure 2.3: Valve model with $x_0$.

2.6 Conclusion

We have defined monolithic Petri net diagnosers. The diagnosers introduced in this chapter differ from the diagnoser automata in [54] in that they perform on-line fault diagnosis on the same transition structure as the system model, namely the Petri net graph of the system.

[Figure 2.4 (Petri net graph of Fig. 2.2 with the columns of $x_{d,0}$ at each place): vl_1@[1 0 0], vl_2@[0 0 0], vl_3@[0 1 0], vl_4@[0 0 1], c_1@[1 1 1], c_1_1@[1 1 1], c_2@[0 0 0], c_2_1@[1 1 1], c_4@[0 0 0], c_5@[0 0 0].]

Figure 2.4: Valve model with $x_{d,0}$

[Figure 2.5 (columns of $x_{d,1}$): vl_1@[0 0 0 0], vl_2@[0 0 1 0], vl_3@[0 1 0 1], vl_4@[1 0 0 0], c_1@[0 0 0 1], c_1_1@[1 1 1 0], c_2@[1 1 1 0], c_2_1@[0 0 0 1], c_4@[1 1 1 1], c_5@[0 0 0 0].]

Figure 2.5: Valve model with $x_{d,1}$

[Figure 2.6 (columns of $x_{d,2}$): vl_1@[0 0 1 0], vl_2@[0 0 0 0], vl_3@[0 1 0 1], vl_4@[1 0 0 0], c_1@[0 0 0 1], c_1_1@[1 1 1 0], c_2@[1 1 1 0], c_2_1@[0 0 0 1], c_4@[0 0 0 0], c_5@[1 1 1 1].]

Figure 2.6: Valve model with $x_{d,2}$

[Figure 2.7 (columns of $x_{d,3}$): vl_1@[0], vl_2@[0], vl_3@[1], vl_4@[0], c_1@[0], c_1_1@[0], c_2@[1], c_2_1@[1], c_4@[0], c_5@[1].]

Figure 2.7: Valve model with $x_{d,3}$

CHAPTER III

Distributed Diagnosis of Systems Modeled as Petri Nets

3.1 Introduction

This chapter addresses the problem of detecting and isolating faults or other significant events in the behavior of a modular dynamic system that is modeled as a set of interacting Petri net modules. The events to be diagnosed, referred to as “faults” hereafter, are modeled as unobservable events in the respective system modules. Events are unobservable when they are not directly recorded by the sensors attached to the system. The common places among the set of Petri nets modeling a system capture the coupling of the various system components. The objective is to diagnose the occurrence of fault events based on the sequence of observed events and on the structure of the respective Petri net modules and their coupling by common places. It is sought to obtain a distributed diagnosis algorithm that takes advantage of the modular structure of the system.

The problem of fault diagnosis for discrete-event systems has received considerable attention in the last decade, and diagnosis methodologies based on the use of discrete-event models have been successfully used in a variety of technological systems ranging from document processing systems to intelligent transportation systems; see [34] and the references therein. The methodology termed the “Diagnoser Approach”, introduced in [55] and subsequently extended in several works including [16, 12], is of particular relevance to the present chapter. The key feature of the Diagnoser Approach is the use of a special discrete-event process called the diagnoser. The diagnoser is built from the system model and is used to (i) test the diagnosability properties of the system and (ii) perform on-line monitoring of the system for the purpose of fault diagnosis. The above references regarding the Diagnoser Approach are all based on the use of automata models for the system under consideration, leading to the construction of automata diagnosers.

This chapter is concerned with discrete-event systems that are modeled by Petri nets. The use of Petri nets instead of automata offers potential advantages in system modeling and analysis, especially in terms of the distributed representation of the system state and of the ability to represent the coupling of system components by means of common places.

Systems possessing modular structures are receiving more and more attention in the recent literature on diagnosis, verification, and control of discrete-event systems; see, e.g., [12, 3, 5, 15, 60]. The suitability of Petri nets for modeling distributed systems was a key motivation for the use of Petri net structures in the work in [3] on alarm supervision in telecommunication networks. The same consideration motivates our choice of Petri net structures as a means to mitigate the combinatorial explosion that occurs when modular models are converted to monolithic ones. Our approach is different from that in related work such as [12, 3, 60, 59], and thus our work is complementary to these references.

Our objectives in the case of the modular approach are: (i) to perform on-line diagnosis of faults in each module and (ii) to recover the monolithic diagnosis information obtained when all the modules in the system are combined into a single module that preserves the behavior of the underlying modular system. The first objective requires a Petri net diagnoser to be attached to each module in the system. Each Petri net diagnoser has local information on the structure of the module, and observes and diagnoses the fault types of the module it is attached to. The diagnoser has shared information on its places that are coupled with other modules in the system. The second objective requires the Petri net diagnosers to communicate with each other. Each communicating Petri net diagnoser sends messages to the diagnosers it is coupled with when a change occurs in the shared information (i.e., a change in the token count of common places) upon observation of an event. The communication of messages triggers the other diagnosers to update their diagnosis information based on the change in the shared information. The communication and the update of the diagnosis information are the two key features that allow the modular diagnosis approach to correctly recover the monolithic diagnosis information. In general, a modular approach that does not consider the coupling of modules through shared information incorrectly estimates the monolithic diagnosis information. We present in Figure 3.1 the general architecture of the modular diagnosis approach described so far.

[Figure 3.1 (block diagram): the system model is split into Module #1, Module #2, ..., Module #M; each module's observations $s_{o,m}$ feed its own diagnoser, the diagnosers exchange communication messages over a communication channel, and each diagnoser outputs its diagnostics.]

Figure 3.1: General architecture of modular diagnosis approach.

The remainder of this chapter is organized as follows. In Section ??, we start with a brief summary of the terms used throughout the chapter. In Section 3.2, we state the problem of fault diagnosis. The distributed diagnosis algorithm is based on communicating Petri net diagnosers; their structure and dynamics are defined in Section 3.3. In Section 3.4, we present the first version of our distributed algorithm with communication for diagnosing systems composed of M modules, DDC-M, where M ≥ 2. For the sake of clarity of presentation, this initial version does not use encoding of messages. In Section 3.6, we state results about the correctness of DDC-M. In Section 3.7, we present DDC-M with fixed-size message labels. In Section 3.8, we study an example of a Heating, Ventilation and Air-Conditioning system which consists of valve, pump and load modules. Finally, in Section 4.6, we give some concluding remarks.

3.2 Problem Statement

As was mentioned earlier in the introduction, the system to be diagnosed is modeled as a collection of Petri nets (modules) coupled with each other through common places. The choice of Petri nets to model a system with a modular structure is a natural one. Examples of Petri nets coupled by means of common places, hereafter called place-bordered Petri nets, are found in many industrial applications such as automated manufacturing and communication systems; see, e.g., [65, 66, 17, 46].

Formally, the system to be diagnosed is the set S of place-bordered Petri nets defined as

$$S = \{(M_m, \mathcal{P}_m) : m = 1, 2, \ldots, M\}, \qquad (3.1)$$

where

$$M_m = (N_m, \Sigma_m, l_m, x_0^m) \qquad (3.2)$$

is a labeled Petri net and

$$\mathcal{P}_m = \{P_{m,i} \subseteq P_m : i = 1, 2, \ldots, M \text{ and } i \neq m\} \qquad (3.3)$$

is a set of subsets of $P_m$, where each subset $P_{m,i}$ is the set of common places between module m, $M_m$, and module i, $M_i$. By definition, the transition sets of the $N_m$ Petri net graphs are mutually disjoint.

We assume that the place-bordered Petri nets in the system operate as a single entity. Intuitively speaking, there is a global clock which sets the order in which modules execute their observable events during the operation of the system. We present in Figure 3.2 a conceptual view of a system of six place-bordered nets. In the figure, we draw dashed lines between the modules and put the common places on these dashed lines to illustrate the fact that the modules are isolated from each other except for the common places. We present in Figure 3.3 the implementation of the modular approach on a system of six place-bordered Petri nets. In the figure, we illustrate with a box the communicating Petri net diagnoser attached to a module, and with the arrows drawn between the diagnosers the communication channels linking the diagnosers that have common places.

The modular approach has a certain amount of robustness over the monolithic one, since each diagnoser in the modular approach has only local knowledge of the monolithic system. The approach also has practical advantages in the sense that the modules are isolated from each other and do not share any structural information. When replacing one or several modules in the system, the rest of the modules in the system and the corresponding diagnosis devices stay the same as long as the information shared is not changed.

[Figure 3.2 (diagram): a system model (network, process, etc.) partitioned into MODULE #1 through MODULE #6, each a labeled Petri net (subnetwork, subprocess, etc.) with its isolated components (transitions, arcs, isolated places) and its observation sequence $s_o$; the common places (coupling) lie on the dashed borders between modules.]

Figure 3.2: System with six place-bordered nets.

[Figure 3.3 (diagram): the same six modules, each with a communicating Petri net diagnoser $D_1, \ldots, D_6$ receiving its module's observations $s_{o,1}, \ldots, s_{o,6}$; the arrows between diagnosers are the communication channels.]

Figure 3.3: System with six place-bordered nets.

In the rest of the chapter, we present in detail our modular diagnosis approach that achieves the objectives described in the introduction and restated in this section. We also define a method that implements a coding technique to reduce the size of the messages communicated while still recovering the monolithic diagnosis information.

3.3 Communicating Petri Net Diagnosers

As in the case of Petri net diagnosers, a communicating Petri net diagnoser, upon observation of an event, estimates the states the system could be in and the faults that may have occurred. Moreover, a communicating Petri net diagnoser has a priori information on its common places with the other (neighbor) modules in the system. The communicating Petri net diagnoser memorizes the history of changes on the common places for each neighbor module and stores this history in the diagnoser state during the operation of the system. Since it is this history of changes that is communicated between the diagnosers, we call the corresponding part of the diagnoser state the message label. Thus, in general, a communicating Petri net diagnoser state contains three parts: (i) a set of system states, (ii) a fault label, and (iii) message labels for each neighbor module. In the case of a single module, the diagnoser state does not have the message label part since there is no other module to communicate with.

We now present the formal definitions of the structure and the dynamics of communicating Petri net diagnosers. We also restate the required knowledge on Petri net diagnosers to form a complete set of equations correctly describing communicating Petri net diagnosers.

In order to perform modular diagnosis we assume the following three conditions on the place-bordered Petri nets: (i) for each module $M_m \in S$, there exists another module $M_n \in S$ such that the set of common places between $M_m$ and $M_n$, $P_{m,n}$, is not the empty set; (ii) $\forall M_m, M_n \in S$ with $m \neq n$, $\Sigma_m \cap \Sigma_n = \emptyset$; (iii) $\forall M_m \in S$, $\forall t \in T_m$, if t puts tokens into or removes tokens from $P_{m,n}$ for some $M_n \in S$, then $l_m(t) \in \Sigma_{o,m}$. The motivation for labeling transitions putting tokens into or removing tokens from the common places with observable events is to allow communication between diagnosers to be triggered by observable events.

As was explained in Section 3.2, we attach a communicating Petri net diagnoser to each module in the set S of place-bordered Petri nets that form the system (see, e.g., Figure 3.3). We denote the diagnoser attached to module $(M_m, \mathcal{P}_m)$ by the pair $(D_m, \mathcal{P}_m)$, where $D_m = (N_m, \Sigma_m, l_m, x^m_{d,0}, \Delta_{f,m})$, $\Delta_{f,m}$ is the set of fault types of $D_m$, and $\mathcal{P}_m$ is as defined in Equation (3.3). The set of communicating Petri net diagnosers for the set of place-bordered Petri nets S is denoted by $S_D$.

The type of communicating Petri net diagnosers we study in this chapter was first defined in [22]. The communicating Petri net diagnosers in this chapter differ from those in [22] in terms of the structure of the message labels. We present the salient features of these diagnosers.

The diagnoser state $x_d^m$ of module $D_m \in S_D$ is a matrix of the form

$$x_d^m = \left[\begin{array}{c|c|c} \vdots & \vdots & \vdots \\ x_s^m(i) & x_f^m(i) & x_l^m(i) \\ \vdots & \vdots & \vdots \end{array}\right] \qquad (3.4)$$

where, as in the case of Petri net diagnosers, $x_s^m(i)$ denotes the state in row i of diagnoser state $x_d^m$ and $x_f^m(i)$ denotes the corresponding fault label; differently from the Petri net diagnoser case, $x_l^m(i)$ denotes the corresponding message label. The state part $x_s^m(i)$ of each row i corresponds to one possible state of $M_m$ following the occurrence of the observed sequence of events.

The diagnoser state transition function of $D_m \in S_D$ is of the form $f_{d,m} : X_d^m \times \Sigma_{o,m} \to X_d^m$, where $X_d^m$ is the state space of $D_m$. Given the diagnoser state $x_d^m \in X_d^m$ and the observable event $a \in \Sigma_{o,m}$, $f_{d,m}(x_d^m, a)$ is defined only if there exists some $t \in T_m$ labeled with the observable event a and enabled from the state part of some row i of $x_d^m$. In that case, $f_{d,m}(x_d^m, a)$ is the listing of the elements in the set

$$\bigcup_{u \in S_m(x_d^m, a)} UR_m(u), \qquad (3.5)$$

where: (i) $S_m(x_d^m, a)$ is the set of states with the corresponding fault and message labels reached from the rows of $x_d^m$ by firing transitions labeled with the observable event a in $M_m$; and (ii) $UR_m(u)$ is the set of states with the corresponding fault and message labels reached from u by firing the enabled transitions labeled with unobservable events. Let there be I rows in $x_d^m$. Formally, we have

$$S_m(x_d^m, a) = \bigcup_{1 \le i \le I}\; \bigcup_{t \in B_m(x_d^m(i), a)} \Big\{ (u_s^m \mid u_f^m \mid u_l^m) : u_s^m = f_m(x_s^m(i), t),\; u_f^m = x_f^m(i),\; \forall M_n \in S \setminus \{M_m\} \text{ such that } P_{m,n} \neq \emptyset:\; u_l^m(P_{m,n}) = [\, x_l^m(i, P_{m,n})\;\; W(P_{m,n}, t) \,] \Big\}, \qquad (3.6)$$

where $B_m(x_d^m(i), a)$ is the set of $t \in T_m$ enabled from $x_s^m(i)$ and labeled with $a \in \Sigma_{o,m}$, and $W(P_{m,n}, t)$ is the weighting vector of t restricted to the common places $P_{m,n}$ of $M_m$ and $M_n$; the message label for $M_n$ is thus extended by appending this vector to the previous label.

We define the unobservable reach for each $u \in S_m(x_d^m, a)$ as

$$UR_m(u) = \Big\{ (y_s \mid y_f \mid y_l) : \exists\, t \in T_m^*,\; l_m(t) \in \Sigma_{uo,m}^*,\; y_s = f_m(u_s, t),\; (\forall k \in \Delta_{f,m})\; y_f(k) = \begin{cases} 1, & \text{if } l_m(t) \text{ contains an event in } \Sigma_{F_k}, \\ u_f(k), & \text{otherwise} \end{cases},\; \text{and } y_l = u_l \Big\}. \qquad (3.7)$$

Fault labels are used as in automata diagnosers to memorize the occurrence of a fault event in the diagnoser state. Overall, in the fault label of a diagnoser state, each column corresponds to a fault type. Examination of a given column of the fault label in a diagnoser state reveals the current status of the diagnosis of the corresponding fault type (say $F_k$): (i) all rows have label 0 implies that a fault of type $F_k$ did not occur; (ii) some rows have label 0 and some rows have label 1 implies that a fault of type $F_k$ possibly occurred (“$F_k$-uncertain state” in the terminology of [55]); (iii) all rows have label 1 implies that a fault of type $F_k$ occurred for sure (“$F_k$-certain state” in the terminology of [55]).

The definition of the message label is embedded in Equations (3.6) and (3.7). This is because the message label is based on the state evolution of the labeled Petri net and is formed using the structure of the Petri net graph. For convenience, we divide the message label into different parts where each part pertains to the common places (if any) between two given modules.

We now present an example to illustrate the main notions and notation introduced in this section.

Example 1. Suppose that $M_m$ and $M_n$ are two coupled modules in S. The diagnoser state $x_d^m$ for $D_m$ is of the following form

$$x_d^m = \left[\begin{array}{c|c|c} a_1 & h_1 & \alpha_1 : \gamma_1 \\ \underbrace{a_2}_{x_s^m} & \underbrace{h_2}_{x_f^m} & \underbrace{\alpha_2}_{x_l^m(P_{m,n})} : \gamma_2 \end{array}\right], \qquad (3.8)$$

where $\alpha_i$ for i = 1, 2 denotes the message label between the modules $D_m$ and $D_n$, and $\gamma_i$ for i = 1, 2 denotes the message labels for all modules $M_{n'} \in S$ that are coupled with $M_m$ and $n' \neq n$.

Suppose that the event $\sigma_o \in \Sigma_{o,m}$ is observed and the next diagnoser state of $D_m$ is $y_d^m = f_{d,m}(x_d^m, \sigma_o)$. Let $t_1$ and $t_2$ be enabled from the first and second row of $x_d^m$, respectively, with $l_m(t_1) = l_m(t_2) = \sigma_o$, i.e., $t_i \in B_m(x_d^m(i), \sigma_o)$ for i = 1, 2. Let $w_i = W(P_m, t_i)$ and $w_i(P_{m,n}) = W(P_{m,n}, t_i)$ for i = 1, 2. In words, $w_i$ denotes the difference between the number of tokens put into and removed from the places of $M_m$ when $t_i$ is fired from $a_i$, and $w_i(P_{m,n})$ denotes the part of $w_i$ that corresponds to the common places between $M_m$ and $M_n$. Then, the set of states reached from $a_i$ by firing transition $t_i$ labeled with the observable event $\sigma_o$ is formed by Equation (3.6) as follows:

$$S_m(x_d^m, \sigma_o) = \big\{ (a_1 + w_1 \mid h_1 \mid \alpha_1\, w_1(P_{m,n}) : \gamma_1'),\; (a_2 + w_2 \mid h_2 \mid \alpha_2\, w_2(P_{m,n}) : \gamma_2') \big\},$$

where $\gamma_i'(P_{m,n'}) = [\gamma_i(P_{m,n'})\; w_i(P_{m,n'})]$ for i = 1, 2 and for all modules $M_{n'} \in S$ coupled with $M_m$ except $M_n$.

Suppose that there exists $\bar t_i \in T_m^*$ with $l_m(\bar t_i) \in \Sigma_{uo,m}^*$ such that $\bar t_i$ is enabled from $a_i + w_i$, for i = 1, 2. Let $\bar w_i = W(P_m, \bar t_i)$ and $\bar w_i(P_{m,n}) = W(P_{m,n}, \bar t_i)$ for i = 1, 2. Then, the unobservable reach, defined by Equation (3.7), is

$$UR_m(S_m(x_d^m, \sigma_o)) = \big\{ (a_1 + w_1 \mid h_1 \mid \alpha_1\, w_1(P_{m,n}) : \gamma_1'),\; (a_2 + w_2 \mid h_2 \mid \alpha_2\, w_2(P_{m,n}) : \gamma_2'),\; (a_1 + w_1 + \bar w_1 \mid h_1' \mid \alpha_1\, w_1(P_{m,n}) : \gamma_1'),\; (a_2 + w_2 + \bar w_2 \mid h_2' \mid \alpha_2\, w_2(P_{m,n}) : \gamma_2') \big\}, \qquad (3.9)$$

where for all $k \in \Delta_{f,m}$, $h_i'(k) = 1$ if $l_m(\bar t_i)$ contains an event in $\Sigma_{F_k}$, and otherwise $h_i'(k) = h_i(k)$, for i = 1, 2. The unobservable reach does not result in a change in the message labels, since by assumption the transitions removing tokens from or putting tokens into common places are labeled with observable events, so $\bar w_i(P_{m,n}) = \vec 0$. As stated in Equation (3.5), the next diagnoser state $y_d^m = f_{d,m}(x_d^m, \sigma_o)$ is the listing of the elements of $UR_m(S_m(x_d^m, \sigma_o))$ in Equation (3.9). □

The module and the corresponding diagnoser have the same Petri net graph. Since the modules do not have disjoint sets of places, they can affect each other's states via the common (shared) places. If diagnosers are not informed of each other's token additions/removals for the common places, then they incorrectly estimate the monolithic diagnoser state and, consequently, incorrectly estimate the fault information. As stated in the previous sections, we overcome this problem by defining a communication protocol between diagnosers.

In the following section, when we define the communication protocol, we will need the following notation for prefixes and suffixes of message labels. Suppose $y_d^m = f_{d,m}(x_d^m, a)$ for some $x_d^m \in X_d^m$ and $a \in \Sigma_{o,m}$. Then, for some $M_n \in S$ and rows i, j of $x_d^m$, $y_d^m$, respectively, if $y_l^m(j, P_{m,n}) = (x_l^m(i, P_{m,n})\;\; W(P_{m,n}, t))$, then $y_l^m(j, P_{m,n}).Pfx = x_l^m(i, P_{m,n})$ and $y_l^m(j, P_{m,n}).Sfx = W(P_{m,n}, t)$.

3.4 Communication Protocol

We now formalize our DDC-M algorithm for distributed diagnosis with communicating Petri net diagnosers. At this point, we present a version of DDC-M where messages grow each time an observable event forces a communication. The purpose of presenting this version of DDC-M is to illustrate the key features of our approach to distributed diagnosis with communication. In Section 3.7, we present a modified version of DDC-M with messages of fixed size, which is much preferable for implementation purposes.

DDC-M is composed of Algorithms 1 and 2, which are presented below. Algorithm 1 pertains to diagnoser state updates and, if necessary, the generation of messages upon occurrence of an observable event at one module. Algorithm 2 pertains to diagnoser state updates upon reception of a message from another module. Pseudo-code descriptions of Algorithms 1 and 2 are given in the tables below. We provide some explanations for the different lines in these two algorithms.

Algorithm 1: Line 1 considers that an observable event $\sigma_o^r$ has occurred. The module the event occurs at is identified in line 2 and called hereafter the master module. In line 3, the diagnoser state of the master module is updated for the observed event according to the diagnoser state transition function. Then, all other modules that have common places with the master module, referred to as the neighbor modules hereafter, need to be considered (line 4). For those neighbor modules whose common places with the master module were affected (addition and/or removal of tokens) by the execution of the observable event, lines 6-12 need to be performed. (Recall the assumption that transitions into common places are labeled by observable events.) In lines 6-12, the appropriate message for the communication from the master module to the neighbor module is constructed. This message consists of the message labels of the relevant rows of the master's diagnoser state, namely the rows for which tokens were removed and/or added in common places. Note that each row of the message is composed of a prefix (the previous message label) and a suffix (the most recent update on the common places). The effect of a message on the diagnoser state of the neighbor module is captured by the function UDSC in line 13, which is evaluated by Algorithm 2.

Algorithm 2: The algorithm is triggered by the reception of a message by a given module, which will result in an update of the diagnoser state at that module. The new diagnoser state is initialized in line 1. Then, the algorithm loops over the rows of the prefix part of the message received (line 2) and over the rows of the current message label in the diagnoser state (line 3) in order to find matches (line 4). Each match triggers the construction of a new row for the module's updated diagnoser state (lines 5 to 9). The construction of this row involves using the suffix of the message received to update the state of the common places affected and leaving the states of the other places unchanged (line 5). The fault label of the new row is carried over from that of the row that triggered the match, since the event involved in the transition is an observable event (line 6). The suffix of the message received is appended to the appropriate part of the message label of the new row (line 7), while the rest of the message label is carried over (lines 8 and 9). The complete row constructed as described is added to the updated diagnoser state (line 11). The listing of all rows constructed by the above process for all matches in line 4 is the value returned by the function UDSC. Note that it is not necessary to perform the unobservable reach, since we assume that transitions out of common places are labeled by observable events.

Algorithm 1 Distributed Diagnosis with Communication
1: Upon occurrence of an observable event $\sigma_o^r$
2: Find $M_m$ such that $\sigma_o^r \in \Sigma_m$,
3: $x^m_{d,r} \leftarrow f_{d,m}(x^m_{d,r-1}, \sigma_o^r)$,
4: for all $D_n \in S_D$ such that $P_{m,n} \neq \emptyset$ do
5:   if $\{W(P_{m,n}, t) \mid t \in B_m(x^m_{d,r-1}, \sigma_o^r)\} \neq \{\vec 0\}$ then
6:     $Mesg_{m,n} \leftarrow \emptyset$,
7:     for all $j = 1 :$ Number of rows of $x^m_{l,r}$ do
8:       $Mesg_{m,n}.Pfx(j) \leftarrow x^m_{l,r}(j, P_{m,n}).Pfx$,
9:       $Mesg_{m,n}.Sfx(j) \leftarrow x^m_{l,r}(j, P_{m,n}).Sfx$,
10:      $Mesg_{m,n}(j) \leftarrow (Mesg_{m,n}.Pfx(j),\, Mesg_{m,n}.Sfx(j))$,
11:    end for
12:    Send all different rows of $Mesg_{m,n}$,
13:    $x^n_{d,r} \leftarrow UDSC(x^n_{d,r-1}, Mesg_{m,n})$,
14:  end if
15: end for

Algorithm 2 Update of Diagnoser State upon Communication
Require: $x^n_{d,r-1}$, $Mesg_{m,n}$
1: $X^n_{d,r} \leftarrow \emptyset$,
2: for all $i = 1 :$ Number of rows of $Mesg_{m,n}.Pfx$ do
3:   for all $j = 1 :$ Number of rows of $x^n_{l,r-1}(P_{m,n})$ do
4:     if $Mesg_{m,n}.Pfx(i) == x^n_{l,r-1}(j, P_{m,n})$ then
5:       $y_s(P_{m,n}) \leftarrow x^n_{s,r-1}(j, P_{m,n}) + Mesg_{m,n}.Sfx(i)$,  $y_s(P_n \setminus P_{m,n}) \leftarrow x^n_{s,r-1}(j, P_n \setminus P_{m,n})$
6:       $y_f \leftarrow x^n_{f,r-1}(j)$
7:       $y_l(P_{m,n}) \leftarrow (x^n_{l,r-1}(j, P_{m,n})\;\; Mesg_{m,n}.Sfx(i))$
8:       for all $D_q \in S_D \setminus \{D_m\}$ such that $P_{n,q} \neq \emptyset$ do
9:         $y_l(P_{n,q}) \leftarrow x^n_{l,r-1}(j, P_{n,q})$
10:      end for
11:      $X^n_{d,r} \leftarrow X^n_{d,r} \cup \{[y_s \mid y_f \mid y_l]\}$
12:    end if
13:  end for
14: end for
15: $UDSC(x^n_{d,r-1}, Mesg_{m,n}) \leftarrow$ Listing of the set $X^n_{d,r}$

We present an illustrative example to better understand the steps of Algorithms 1 and 2.

Example 2. Suppose that $M_m$ and $M_n$ are two coupled modules in $S$. The diagnoser states $x^m_d$ and $x^n_d$ of $D_m$ and $D_n$, respectively, are given as follows:

$$x^m_d = \left[\begin{array}{c|c|c} a_1 & h_1 & \alpha_1 : \gamma_1 \\ a_2 & h_2 & \alpha_2 : \gamma_2 \end{array}\right], \qquad x^m_l(P_{m,n}) = \begin{bmatrix} \alpha_1 \\ \alpha_2 \end{bmatrix}, \tag{3.10}$$

where $\alpha_i$ for $i = 1, 2$ denotes the message label between the modules $D_m$ and $D_n$ (i.e., $P_{m,n} \neq \emptyset$), and $\gamma_i$ for $i = 1, 2$ denotes the message labels for all $D_{n'} \in S_D$ that $D_m$ is coupled with except $D_n$;

$$x^n_d = \left[\begin{array}{c|c|c} b_1 & k_1 & \beta_1 : \delta_1 \\ b_2 & k_2 & \beta_2 : \delta_2 \end{array}\right], \qquad x^n_l(P_{m,n}) = \begin{bmatrix} \beta_1 \\ \beta_2 \end{bmatrix}, \tag{3.11}$$

where $\beta_i$ for $i = 1, 2$ denotes the message label between the modules $D_m$ and $D_n$, and $\delta_i$ for $i = 1, 2$ denotes the message labels for all $D_{m'} \in S_D$ that $D_n$ is coupled with except $D_m$.


Suppose that the event $\sigma_o \in \Sigma_{o,m}$ is observed. Then the new diagnoser state $y^m_d = f_{d,m}(x^m_d, \sigma_o)$ of $D_m$ is constructed as shown in Example 1 and is of the form

$$y^m_d = \left[\begin{array}{c|c|c} a_1 + w_1 & h_1 & \alpha_1\, w_1(P_{m,n}) : \gamma'_1 \\ a_2 + w_2 & h_2 & \alpha_2\, w_2(P_{m,n}) : \gamma'_2 \\ a_1 + w_1 + w_1 & h'_1 & \alpha_1\, w_1(P_{m,n}) : \gamma'_1 \\ a_2 + w_2 + w_2 & h'_2 & \alpha_2\, w_2(P_{m,n}) : \gamma'_2 \end{array}\right]. \tag{3.12}$$

Suppose that $w_i(P_{m,n})$ for $i = 1, 2$ are not vectors of zeros. That is, the occurrence of $\sigma_o$ results in a change in the token distribution of the common places between the modules $D_m$ and $D_n$. Then, the occurrence of $\sigma_o$ triggers a communication between $D_m$ and $D_n$.

Since by assumption $\sigma_o \in \Sigma_{o,m}$, $D_m$ is the master module. Then, upon occurrence of $\sigma_o$, $D_m$ sends a message to $D_n$. The message is the message label of $D_m$ for $D_n$. The message label, extracted from the diagnoser state $y^m_d$ in Equation (3.12), is as follows:

$$y^m_l(P_{m,n}) = \begin{bmatrix} \alpha_1\, w_1(P_{m,n}) \\ \alpha_2\, w_2(P_{m,n}) \end{bmatrix}. \tag{3.13}$$

Suppose that $\beta_1 = \alpha_1$ and $\beta_2 = \alpha_2$. Upon reception of the message, $D_n$ updates $x^n_d$ to $y^n_d$ based on the message from $D_m$ (as defined in Algorithm 2) as follows:

$$y^n_d = \left[\begin{array}{c|c|c} b'_1 & k_1 & \beta_1\, w_1(P_{m,n}) : \delta_1 \\ b'_2 & k_2 & \beta_2\, w_2(P_{m,n}) : \delta_2 \end{array}\right], \tag{3.14}$$

where $b'_i(P_{m,n}) = b_i(P_{m,n}) + w_i(P_{m,n})$ and $b'_i(P_n \setminus P_{m,n}) = b_i(P_n \setminus P_{m,n})$ for $i = 1, 2$, and

$$y^n_l(P_{m,n}) = \begin{bmatrix} \beta_1\, w_1(P_{m,n}) \\ \beta_2\, w_2(P_{m,n}) \end{bmatrix} \tag{3.15}$$

is the updated message label for $D_n$.

The fault labels $y^n_f$ and $x^n_f$ are the same, since by assumption the fault types for each module are disjoint and the transitions removing tokens from or putting tokens into the common places are labeled with observable events. □
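The following Python script is an added example, not code from the dissertation: it runs the sender side of Algorithm 1 (lines 3 and 5-12, with message labels growing as in Equation (3.21)) and the receiver update UDSC of Algorithm 2 on a constructed two-module instance, then checks the property of Lemma 3 below. The instance is an assumption of the example: module $m$ has places p1, p2 and the common place c1, module $n$ has c1 and q1, and two transitions of $m$ carry the same observable event `sigma` but change c1 differently, so that the sender state has rows with different message labels, as in Example 2. Unobservable transitions are omitted, so the unobservable reach $UR_m$ is the identity and $f_{d,m}$ reduces to firing the enabled transitions labeled with the observed event.

```python
# Added example (not from the dissertation): Algorithms 1 and 2 with growing
# message labels, on a constructed two-module instance.
from itertools import product

# --- constructed instance (assumption of this example) ---
M_PLACES = ("p1", "p2", "c1")            # module m; c1 is the common place
N_PLACES = ("c1", "q1")                  # module n
COMMON = {"m": {"n": (2,)}, "n": {"m": (0,)}}   # index of P_{m,n} in each module's marking

# Transitions of module m labelled with the observable event sigma:
# (enabling guard on the marking, change vector W_m(t) over M_PLACES).
M_TRANSITIONS = {"sigma": [(lambda s: s[0] > 0, (-1, 0, +1)),    # t1: p1 -> c1
                           (lambda s: s[1] > 0, (0, -1, +2))]}   # t2: p2 -> 2 tokens into c1

def row(s, f, l):
    """Diagnoser row [s | f | l]: marking, fault label, message label per neighbour.
    A message label is a word: a tuple of change vectors on P_{m,n}."""
    return {"s": tuple(s), "f": tuple(f), "l": {nb: tuple(w) for nb, w in l.items()}}

def key(r):
    return (r["s"], r["f"], tuple(sorted(r["l"].items())))

def listing(rows):
    """'Listing of the set': drop duplicate rows, keep first-seen order."""
    seen, out = set(), []
    for r in rows:
        if key(r) not in seen:
            seen.add(key(r))
            out.append(r)
    return out

def step_sender(state, event, transitions, common):
    """Algorithm 1 for the master module: next state and the messages to send."""
    new_rows, messages = [], {nb: [] for nb in common}
    for r in state:
        for guard, change in transitions[event]:
            if not guard(r["s"]):
                continue
            s = tuple(a + b for a, b in zip(r["s"], change))
            l = dict(r["l"])
            for nb, idx in common.items():
                w = tuple(change[i] for i in idx)            # W_m(t_o, P_{m,n})
                if any(w):                                   # common places changed:
                    l[nb] = r["l"].get(nb, ()) + (w,)        #   Eq. (3.21), append the change
                    messages[nb].append((r["l"].get(nb, ()), w))   # (Pfx, Sfx) for the message
            new_rows.append(row(s, r["f"], l))
    messages = {nb: sorted(set(m)) for nb, m in messages.items() if m}   # "all different rows"
    return listing(new_rows), messages

def udsc(state, message, sender, idx):
    """Algorithm 2: update the receiver's state from a message of `sender`."""
    out = []
    for pfx, sfx in message:
        for r in state:
            if r["l"].get(sender, ()) != pfx:    # line 4: prefixes must match
                continue
            s = list(r["s"])
            for k, i in enumerate(idx):          # line 5: add the change on the common places
                s[i] += sfx[k]
            l = dict(r["l"])                     # lines 8-9: other labels carried over
            l[sender] = pfx + (sfx,)             # line 7: suffix appended to the label
            out.append(row(s, r["f"], l))        # line 6: fault label carried over
    return listing(out)

def run(steps):
    """Observe `sigma` in module m `steps` times; returns the two diagnoser states."""
    xm = [row((1, 0, 0), (0,), {"n": ()}), row((1, 1, 0), (1,), {"n": ()})]
    xn = [row((0, 1), (0,), {"m": ()}), row((0, 2), (1,), {"m": ()})]
    for _ in range(steps):
        xm, msgs = step_sender(xm, "sigma", M_TRANSITIONS, COMMON["m"])
        if "n" in msgs:
            xn = udsc(xn, msgs["n"], "m", COMMON["n"]["m"])
    return xm, xn

def lemma3_holds(xm, xn):
    """Rows with equal labels on P_{m,n} carry the same marking on P_{m,n}."""
    im, inn = COMMON["m"]["n"], COMMON["n"]["m"]
    return all(tuple(a["s"][i] for i in im) == tuple(b["s"][i] for i in inn)
               for a, b in product(xm, xn) if a["l"]["n"] == b["l"]["m"])

if __name__ == "__main__":
    xm, xn = run(2)
    for r in xm + xn:
        print(r["s"], r["f"], r["l"])
```

After the first observation every receiver row matches the empty prefix, so each message row combines with every row of $D_n$; after the second observation the two message rows have different prefixes and each receiver row combines with exactly one of them, which is the filtering that keeps the rows of $D_n$ aligned with those of $D_m$.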

3.5 Monolithic Petri Net Diagnosers

A brief review of the section on monolithic Petri net diagnosers in [22] is required for completeness of the results presented in Section 3.6 that follows. If the set of place-bordered nets is a singleton, then we say that the system to be diagnosed is monolithic and the corresponding diagnoser is a monolithic Petri net diagnoser. Monolithic Petri net diagnosers have states that do not carry message labels since those are not needed in that case. We may form a monolithic system by combining the modules in a set of place-bordered nets. Formally, we have

$$C_S = (\langle P, T, A, w \rangle, \Sigma, l, x_0),$$

where $S = \{(M_m, P_m) : m = 1, 2, \ldots, M\}$. We form the set of places of the monolithic system as $P = \bigcup_{m \in \{1, 2, \ldots, M\}} P_m$. Similarly for $T$, $A$, $\Sigma$. For each module $M_m \in S$, we have $w|_{A_m} = w_m$, $l|_{T_m} = l_m$, and $x_0(P_m) = x^m_0$. We denote the monolithic Petri net diagnoser of $C_S$ by $C_{d,S}$.

3.6 Correctness Results

In this section, we present correctness results (with proofs) for DDC-M . The

proofs of the results in this section are given in the appendix. The following lemma

shows that, if for some rows of the diagnoser states of two place-bordered modules

the message labels are the same, then for those rows the state information of the

common places between those two modules must be the same. Later in the section,


we use the result of Lemma 3 to define the merge operation that leads to the main

result of the section.

Lemma 3. Given the set of place-bordered nets $S$, and the set of corresponding diagnosers $S_D$, let $\{x^m_{d,R} : m = 1, 2, \ldots, M\}$ be the set of diagnoser states of the modules $D_m \in S_D$ after the sequence $\sigma_{o_1}\sigma_{o_2}\ldots\sigma_{o_R}$ of observable events, where $R \in \mathbb{N}$. For all $D_n \in S_D$ such that $P_{m,n} \neq \emptyset$, if $x^m_{l,R}(i_m, P_{m,n}) = x^n_{l,R}(i_n, P_{m,n})$ for some rows $i_m$ and $i_n$, then $x^m_{s,R}(i_m, P_{m,n}) = x^n_{s,R}(i_n, P_{m,n})$.

Proof of Lemma 3. The proof is by construction of DDC-M defined by Algorithms 1 and 2, and induction on the observed sequence of events.

Base ($r = 0$): By construction $x^m_{l,0}(i, P_{m,n}) = x^n_{l,0}(j, P_{m,n}) = [\,]$ for all rows $i$ and $j$ of $x^m_{l,0}(P_{m,n})$ and $x^n_{l,0}(P_{m,n})$, and $x^m_{s,0}(i_m, P_{m,n}) = x^n_{s,0}(i_n, P_{m,n})$ for any rows $i_m$ and $i_n$.

Hypothesis ($r = R-1$): Suppose that if $x^m_{l,R-1}(i_m, P_{m,n}) = x^n_{l,R-1}(i_n, P_{m,n})$ for some rows $i_m$ and $i_n$, then $x^m_{s,R-1}(i_m, P_{m,n}) = x^n_{s,R-1}(i_n, P_{m,n})$.

Step ($r = R$): We show that if $x^m_{l,R}(i_m, P_{m,n}) = x^n_{l,R}(i_n, P_{m,n})$ for some rows $i_m$ and $i_n$, then $x^m_{s,R}(i_m, P_{m,n}) = x^n_{s,R}(i_n, P_{m,n})$.

If $\sigma_{o_R}$ is neither in $\Sigma_{o,m}$ nor in $\Sigma_{o,n}$, then by Algorithm 1 the diagnoser states of the previous iteration $r = R-1$ stay the same, and the induction step follows from the induction hypothesis.

If $\sigma_{o_R}$ is in $\Sigma_{o,m}$ or in $\Sigma_{o,n}$, then without loss of generality suppose that $\sigma_{o_R} \in \Sigma_{o,m}$. Then, by Line 3 of Algorithm 1 and the definition of the diagnoser state transition function in Equation (3.5), we have

$$x^m_{d,R} = \bigcup_{u \in S_m(x^m_{d,R-1}, \sigma_{o_R})} UR_m(u). \tag{3.16}$$

By Equations (3.6) and (3.7), for some row $x^m_{d,R}(i_m)$ and $u \in S_m(x^m_{d,R-1}, \sigma_{o_R})$,

$$x^m_{s,R}(i_m) = u_s + W_m(t_{uo}), \tag{3.17}$$

where $t_{uo}$ is a sequence of unobservable transitions enabled from $u_s$.

For all fault types $k$ in $\Delta_{f,m}$, if $u_f(k) = 1$, then the $k$-th entry of $x^m_{f,R}(i_m)$ is 1. If $u_f(k) = 0$ and there exists a transition in the sequence $t_{uo}$ which is labeled with an event from the set $\Sigma_{F_k,m}$, then the $k$-th entry of $x^m_{f,R}(i_m)$ is 1; otherwise it is 0.

For the message label we have

$$x^m_{l,R}(i_m, P_{m,n}) = u_l(P_{m,n}). \tag{3.18}$$

Suppose that $u \in S_m(x^m_{d,R-1}, \sigma_{o_R})$ is reached from some row $x^m_{d,R-1}(j_m)$ by firing some transition $t_o \in B_m(x^m_{d,R-1}, \sigma_{o_R})$ labeled with $\sigma_{o_R}$. Formally, we have

$$u_s = x^m_{s,R-1}(j_m) + W_m(t_o), \tag{3.19}$$

$$u_f = x^m_{f,R-1}(j_m), \tag{3.20}$$

and, for all $D_n \in S_D$ such that $P_{m,n} \neq \emptyset$, if a message is sent,

$$u_l(P_{m,n}) = [\,x^m_{l,R-1}(j_m, P_{m,n})\ \ W_m(t_o, P_{m,n})\,], \tag{3.21}$$

otherwise

$$u_l(P_{m,n}) = x^m_{l,R-1}(j_m, P_{m,n}), \tag{3.22}$$

as defined by Equation (3.6).

We now consider the two following cases: (1) a message is sent from $D_m$ to $D_n$; (2) no message is sent.

Case (1): In this case, Equation (3.21) holds. When the message is received from $D_m$, by Line 4 of Algorithm 2, if there exists a row $j_n$ of $x^n_{d,R-1}$ such that $\mathrm{Mesg}_{m,n}.\mathrm{Pfx}(j_m) = x^n_{l,R-1}(j_n, P_{m,n})$, then, since by Line 8 of Algorithm 1 $\mathrm{Mesg}_{m,n}.\mathrm{Pfx}(j_m) = x^m_{l,R-1}(j_m, P_{m,n})$ and by Equation (3.21) $\mathrm{Mesg}_{m,n}.\mathrm{Sfx}(j_m) = W_m(t_o, P_{m,n})$, there exist rows $j_n$ and $j_m$ such that

$$x^n_{l,R-1}(j_n, P_{m,n}) = x^m_{l,R-1}(j_m, P_{m,n}). \tag{3.23}$$

Then, the row $x^n_{d,R-1}(j_n)$ is updated to a row $x^n_{d,R}(i_n)$ by Lines 5, 6 and 7 of Algorithm 2 as follows:

$$x^n_{s,R}(i_n, P_{m,n}) = x^n_{s,R-1}(j_n, P_{m,n}) + W_m(t_o, P_{m,n}), \tag{3.24}$$

$$x^n_{s,R}(i_n, P_n \setminus P_{m,n}) = x^n_{s,R-1}(j_n, P_n \setminus P_{m,n}), \tag{3.25}$$

$$x^n_{l,R}(i_n, P_{m,n}) = [\,x^n_{l,R-1}(j_n, P_{m,n})\ \ W_m(t_o, P_{m,n})\,]. \tag{3.26}$$

By Equations (3.18), (3.21) and (3.26), a row $i_m$ of $x^m_{d,R}$ and a row $i_n$ of $x^n_{d,R}$ have equal labels on $P_{m,n}$ exactly when they are obtained, with the same suffix $W_m(t_o, P_{m,n})$, from rows $j_m$ and $j_n$ satisfying Equation (3.23). By Equation (3.23) and the induction hypothesis, $x^m_{s,R-1}(j_m, P_{m,n}) = x^n_{s,R-1}(j_n, P_{m,n})$. Thus, by Equations (3.19) and (3.24), $u_s(P_{m,n}) = x^n_{s,R}(i_n, P_{m,n})$. By condition (iii), $W_m(t_{uo}, P_{m,n}) = \vec{0}$ in Equation (3.17), and hence $x^m_{s,R}(i_m, P_{m,n}) = u_s(P_{m,n}) = x^n_{s,R}(i_n, P_{m,n})$. This completes the proof for Case (1).

Case (2): In this case, Equation (3.22) holds, and the diagnoser state of $D_n$ does not change. If $x^m_{l,R}(i_m, P_{m,n}) = x^n_{l,R}(i_n, P_{m,n})$ for some rows $i_m$ and $i_n$, then by Equation (3.22) $x^m_{l,R-1}(j_m, P_{m,n}) = x^n_{l,R-1}(j_n, P_{m,n})$ for some rows $j_m$ and $j_n$, and by the induction hypothesis $x^m_{s,R-1}(j_m, P_{m,n}) = x^n_{s,R-1}(j_n, P_{m,n})$. Since no message is sent, $W_m(t_o, P_{m,n}) = \vec{0}$ in Equation (3.19). Thus, $u_s(P_{m,n}) = x^m_{s,R-1}(j_m, P_{m,n}) = x^n_{s,R-1}(j_n, P_{m,n})$. By condition (iii), $W_m(t_{uo}, P_{m,n}) = \vec{0}$ in Equation (3.17), so $x^m_{s,R}(i_m, P_{m,n}) = u_s(P_{m,n})$. Since the diagnoser state of $D_n$ does not change, $x^n_{s,R-1}(j_n, P_{m,n})$ is the row $x^n_{s,R}(i_n, P_{m,n})$ of $x^n_{d,R}$. This completes the proof of Case (2) and hence the lemma. □

In view of Lemma 3, we define an operation called merge that combines the diagnoser states of the modules.

Definition 4 (Merge). Given the set of place-bordered nets $S$ and the set of corresponding diagnosers $S_D$, let $x^m_d$ be the diagnoser state of $D_m \in S_D$ for $m = 1, 2, \ldots, M$ after some sequence of observable events. We define the merge operation on these states recursively as follows:

1. Merge of two diagnoser states, of $D_m, D_n \in S_D$. There are two cases:

(a) $P_{m,n} = \emptyset$. In this case, for all rows $i_m$, $i_n$ of $x^m_d$ and $x^n_d$, respectively,

$$\big(x^m_s(i_m, P_m),\ x^n_s(i_n, P_n) \,\big|\, x^m_f(i_m)\ x^n_f(i_n)\big) \in \mathrm{Merge}(x^m_d, x^n_d)(P_m \cup P_n \mid \Delta_{f,m} \cup \Delta_{f,n}).$$

(b) $P_{m,n} \neq \emptyset$. In this case, for all rows $i_m$, $i_n$ of $x^m_d$ and $x^n_d$, respectively, such that $x^m_l(i_m, P_{m,n}) = x^n_l(i_n, P_{n,m})$,

$$\big(x^m_s(i_m, P_m),\ x^n_s(i_n, P_n \setminus P_m) \,\big|\, x^m_f(i_m)\ x^n_f(i_n)\big) \in \mathrm{Merge}(x^m_d, x^n_d)(P_m \cup P_n \mid \Delta_{f,m} \cup \Delta_{f,n}).$$

2. Let $D_m, D_n, D_q \in S_D$. Then,

$$\mathrm{Merge}(x^m_d, x^n_d, x^q_d) = \mathrm{Merge}(\mathrm{Merge}(x^m_d, x^n_d), x^q_d).$$

The intuition behind the merge of diagnoser states of place-bordered modules is to form composed states by concatenating rows whose message labels match (case (1)(b)). This constraint is waived when the modules are not coupled, since all combinations of rows are possible (case (1)(a)).

In the rest of this section, we present the relations between the monolithic system

formed by combining the modules in a set of place-bordered nets and the distributed

diagnosis system where a diagnoser is attached to each place-bordered net and com-

munication is allowed between the diagnosers.


In the following lemma, we state that if a sequence of observable events is feasible

in the monolithic system, then the merge of the diagnoser states of the place-bordered

modules will not result in an empty set.

Lemma 5. Given the set of place-bordered nets $S$, and the set of corresponding diagnosers $S_D$, let $\{x^m_{d,r} : m = 1, 2, \ldots, M\}$ be the set of diagnoser states of the modules $D_m \in S_D$ after $r \in \mathbb{N}$ observable events, and let $C_S$ be the monolithic Petri net formed by combining the modules in $S$. If the sequence of observable events $\sigma_{o_1}\sigma_{o_2}\ldots\sigma_{o_r}$ is feasible in $C_S$, then $\mathrm{Merge}(\{x^m_{d,r} : D_m \in S_D\}) \neq \emptyset$.

Proof of Lemma 5. Base ($r = 0$). By construction of the initial diagnoser states $\{x^m_{d,0} : m = 1, 2, \ldots, M\}$, $\mathrm{Merge}(\{x^m_{d,0} : D_m \in S_D\}) \neq \emptyset$.

Hypothesis ($r = R-1$). If the sequence of observable events $\sigma_{o_1}\sigma_{o_2}\ldots\sigma_{o_{R-1}}$ is feasible in $C_S$, then $\mathrm{Merge}(\{x^m_{d,R-1} : D_m \in S_D\}) \neq \emptyset$.

Step ($r = R$). If the sequence of observable events $\sigma_{o_1}\sigma_{o_2}\ldots\sigma_{o_R}$ is feasible in $C_S$, then $\mathrm{Merge}(\{x^m_{d,R} : D_m \in S_D\}) \neq \emptyset$.

Proof of Induction Step: Suppose that $\sigma_{o_1}\sigma_{o_2}\ldots\sigma_{o_R}$ is a feasible sequence in $C_S$. Then, $\sigma_{o_1}\sigma_{o_2}\ldots\sigma_{o_{R-1}}$ is a feasible sequence. Thus, by the induction hypothesis (since $\mathrm{Merge}(\{x^m_{d,R-1} : D_m \in S_D\}) \neq \emptyset$), $x^m_{l,R-1}(j_m, P_{m,n}) = x^n_{l,R-1}(j_n, P_{m,n})$ for some $j_m$ and $j_n$, for any coupled modules $D_m$ and $D_n$ in $S_D$.

Without loss of generality, we assume that $\sigma_{o_R} \in \Sigma_{o,m}$. Since $\sigma_{o_R}$ is enabled in $C_S$, $\sigma_{o_R}$ is also enabled in the module $D_m \in S_D$.

We now differentiate between the two cases: upon observation of $\sigma_{o_R}$, (1) a message is sent from $D_m$ to some module $D_n \in S_D$ such that $P_{m,n} \neq \emptyset$, or (2) no message is sent.

Case (1): By the induction hypothesis, the condition in Line 4 of Algorithm 2 holds. Thus, $x^m_{l,R}(i_m, P_{m,n}) = x^n_{l,R}(i_n, P_{m,n})$ for some $i_m$ and $i_n$, for all $D_n \in S_D$ such that $P_{m,n} \neq \emptyset$.

Case (2): If there is no communication, then $x^m_{l,R}(i_m, P_{m,n}) = x^m_{l,R-1}(j_m, P_{m,n})$ for all $D_m \in S_D$. Thus, by the induction hypothesis, $x^m_{l,R}(i_m, P_{m,n}) = x^n_{l,R}(i_n, P_{m,n})$ for some $i_m$ and $i_n$, for all $D_m, D_n \in S_D$ such that $P_{m,n} \neq \emptyset$.

By combining Cases (1) and (2) with the definition of the merge operation, we obtain $\mathrm{Merge}(\{x^m_{d,R} : D_m \in S_D\}) \neq \emptyset$. □

The following theorem states that DDC-M is correct in the sense that the merge

operation recovers the corresponding monolithic diagnoser state. That is, when

the token distribution of a set of common places changes, the change in the token

distribution and the past history along which the change has occurred is sent via

message labels. Thus, in a way, message labels not only record the history of changes

but also create a common knowledge of shared history among the modules in the

system. Then, if we concatenate rows whose message labels match as it is defined by

the merge operation, we combine exactly the rows with the very same history and

form the monolithic diagnoser state.

Theorem 6. Given the set of place-bordered nets $S$, and the set of corresponding diagnosers $S_D$, let $\{x^m_{d,r} : m = 1, 2, \ldots, M\}$ be the set of diagnoser states of the modules $D_m \in S_D$, and let $X_{d,r}$ be the set of rows of the monolithic diagnoser state $x_{d,r}$ of $C_S$, after observation of the feasible sequence $\sigma_{o_1}\sigma_{o_2}\ldots\sigma_{o_r}$, where $r \in \mathbb{N}$. Then,

$$\mathrm{Merge}(\{x^m_{d,r} : D_m \in S_D\}) = X_{d,r}.$$

Proof of Theorem 6. The proof is by construction of DDC-M defined by Algorithms 1 and 2, and induction on the observed sequence of events.

Base ($r = 0$). The proof is by construction of $C_S$ and assumption (iii). By construction $x_0(P_m) = x^m_0$ for any $D_m \in S_D$. Suppose we pick some $D_m$. Then, by assumption (iii), since the transitions removing tokens from or putting tokens into the common places are labeled with observable events, for all $D_n \in S_D$ with which $D_m$ is place-bordered, $UR(x_0(P_{m,n})) = x_0(P_{m,n})$. Thus, $UR(x_0(P_m)) = UR(x^m_0)$ and no message label is created. By definition of the diagnoser state transition function in Equation (3.5), $x_{d,0}$ is the listing of the elements in $UR(x_0)$, whose restriction to $P_m$ is $UR(x_0(P_m))$ for each $D_m$. This completes the proof of the base case.

Hypothesis ($r = R-1$). "$\mathrm{Merge}(\{x^m_{d,R-1} : D_m \in S_D\}) = X_{d,R-1}$."

Step ($r = R$). "$\mathrm{Merge}(\{x^m_{d,R} : D_m \in S_D\}) = X_{d,R}$."

Proof of Induction Step: We show set inclusion in both directions.

($\subseteq$): By Lemma 5, there exists some $y \in \mathrm{Merge}(\{x^m_{d,R} : D_m \in S_D\})$ such that

$$y_s(P_m) = x^m_{s,R}(i_m), \tag{3.27}$$

$$y_f(\Delta_{f,m}) = x^m_{f,R}(i_m) \tag{3.28}$$

for each $D_m \in S_D$.

Without loss of generality we assume that $\sigma_{o_R} \in \Sigma_{o,m}$. We differentiate between the two cases: (1) a message is sent from $D_m$ to $D_n$ such that $P_{m,n} \neq \emptyset$; (2) no message is sent.

Case (1): If there exists a place-bordered net $D_n$ such that $P_{m,n} \neq \emptyset$, then there exists some row $j_n$ of the diagnoser state of $D_n$ such that for some row $j_m$ we have $\mathrm{Mesg}_{m,n}.\mathrm{Pfx}(j_m) = x^n_{l,R-1}(j_n, P_{m,n})$, i.e., the condition in Line 4 of Algorithm 2 holds. Since by Line 8 of Algorithm 1 $\mathrm{Mesg}_{m,n}.\mathrm{Pfx}(j_m) = x^m_{l,R-1}(j_m, P_{m,n})$, we have $x^m_{l,R-1}(j_m, P_{m,n}) = x^n_{l,R-1}(j_n, P_{m,n})$. Then, by the induction hypothesis there exists some element $x_{d,R-1}(j)$ of $X_{d,R-1}$ such that

$$x_{s,R-1}(j, P_m) = x^m_{s,R-1}(j_m), \quad x_{s,R-1}(j, P_n) = x^n_{s,R-1}(j_n), \tag{3.29}$$

$$x_{f,R-1}(j, \Delta_{f,m}) = x^m_{f,R-1}(j_m), \quad x_{f,R-1}(j, \Delta_{f,n}) = x^n_{f,R-1}(j_n). \tag{3.30}$$

By Equation (3.29) and Lemma 5, if $t_o \in B_m(x^m_{d,R-1}, \sigma_{o_R})$, i.e., $t_o$ is enabled from $x^m_{s,R-1}(j_m)$, then it is also enabled from $x_{s,R-1}(j, P_m)$. Similarly for $t_{uo}$. On the other hand, if we consider the very same Equations (3.16)-(3.20) for the singleton set of place-bordered nets, whose diagnoser is $C_{d,S}$, then $y \in X_{d,R}$.

Case (2): Since no message is sent or received, the proof of this case follows directly from the induction hypothesis.

($\supseteq$): Suppose $x_{d,R}(i) \in X_{d,R}$. Then, there exists $x_{d,R-1}(j) \in X_{d,R-1}$ such that the set of Equations (3.16)-(3.20) holds when the set of place-bordered nets is the singleton set whose diagnoser is $C_{d,S}$.

By the induction hypothesis, there exist $x^n_{d,R-1}(j_n)$ and $x^m_{d,R-1}(j_m)$ such that Equations (3.29) and (3.30) hold. Then, we find $x^n_{d,R}(i_n)$ and $x^m_{d,R}(i_m)$ by Equations (3.16)-(3.26) such that $x^n_{d,R}(i_n)$ merges with $x^m_{d,R}(i_m)$. Thus,

$$x^m_{s,R}(i_m) = x_{s,R}(i, P_m), \tag{3.31}$$

$$x^m_{f,R}(i_m) = x_{f,R}(i, \Delta_{f,m}). \tag{3.32}$$

This completes the proof, as $x_{d,R}(i) \in \mathrm{Merge}(\{x^m_{d,R} : D_m \in S_D\})$. □

3.7 Implementation of DDC-M : Fixed-Size Message Labels

The version of Algorithm DDC-M presented in Section 3.4 recovers the monolithic

diagnosis information at the cost of communication and growing message labels.

The size of the message label is bounded by the number of common places and the

number of observable events executed by the system. Thus, observations of longer

sequences of events result in longer message labels. There are several ways to reduce

the communication overhead by reducing the size of the message labels while still


recovering the monolithic diagnosis information. In this regard, we now present an

encoding-based method which serves this purpose and results in fixed-size message

labels. We first describe the structure of the message labels and how the encoding

makes it possible to have fixed-size messages and message labels. Secondly, we update

the DDC-M algorithm to reflect the changes in the messages and message labels.

We continue with an example showing the implementation of the updated DDC-

M algorithm. We conclude the section by proving the correctness of the updated

algorithm in the sense that the merge operation still recovers the monolithic diagnoser

state after observation of a sequence of events.

Suppose that the set of place-bordered nets $S$ is the system to be diagnosed and $\sigma_{o_1}\sigma_{o_2}\ldots\sigma_{o_R}$ is the sequence of events observed. Let $M_m, M_n \in S$ be two place-bordered nets with corresponding common places $P_{m,n}$, where $P_{m,n} \neq \emptyset$. We define the set $\Omega^R_{m,n}$ of words such that each word $\omega \in \Omega^R_{m,n}$ is a combination of elements from the finite set $C_{m,n} = \{W_m(t, P_{m,n}) : t \in T_m\}$ and the length of the word is at most $R$. Formally, we have

$$\Omega^R_{m,n} = \{\omega_1\omega_2\ldots\omega_k : \forall\, 1 \le i \le k,\ \omega_i \in C_{m,n},\ \text{and } 1 \le k \le R\}, \qquad R \in \mathbb{N}. \tag{3.33}$$

The elements of $C_{m,n}$ are vectors of size $|P_{m,n}|$ and correspond to all possible changes in the token distribution of the common places upon firing of a transition. The set $C_{m,n}$ is finite since the arcs removing tokens from or putting tokens into the common places are of finite weight, and there is a finite number of observable transitions removing tokens from or putting tokens into the common places. Thus, each word $\omega \in \Omega^R_{m,n}$ is a possible combination of changes that may occur in the common places upon observation of a sequence of $R$ events. If $x^m_{l,R}$ is the message label after observation of a sequence of $R$ events, then each row of $x^m_{l,R}$ corresponds to a word in the set $\Omega^R_{m,n}$.

Our goal is to find a function $g_R : \Omega^R_{m,n} \to \mathbb{N}$ for all $R \in \mathbb{Z}_{>0}$ such that $g_R$ is injective. One such function is the enumeration of the different words in $\Omega^R_{m,n}$, starting with 1, that corresponds to the enumeration of the different rows of $x^m_{l,R}$. We describe such an injective enumeration in Definition 7. Since our goal is to enumerate the different rows of a message label and message labels are matrices, we define the enumeration of different rows of a matrix instead of different elements of a set. When we write $\mathrm{En}(x^m_{l,R})$, we mean the enumeration of the different rows of $x^m_{l,R}$ as in Definition 7.

Definition 7 (Enumeration). Given a matrix $A$, we denote by $A(i)$ the $i$th row of $A$. Then, we define $\mathrm{En}$ as follows:

1. $\mathrm{En}(A(1)) = 1$;

2. For all $i \in \{2, 3, \ldots, \#\text{ of rows of } A\}$,

$$\mathrm{En}(A(i)) = \begin{cases} \mathrm{En}(A(j)), & \exists\, j \in \{1, 2, \ldots, i-1\} \text{ such that } A(j) = A(i), \\ 1 + \max\{\mathrm{En}(A(j)) : 1 \le j < i\}, & \text{otherwise.} \end{cases}$$

We update Algorithm 1 to 3 and Algorithm 2 to 4 to account for fixed-size

message labels. The updated algorithms evolve the message labels consistent with

the enumeration function described in Definition 7.

The formal statement of Algorithms 3 and 4 is given below. In Algorithm 4, $\mathrm{Mesg}_{m,n}.\mathrm{Sfx}(i, 1)$ denotes the columns of $\mathrm{Mesg}_{m,n}.\mathrm{Sfx}$ that correspond to the changes in the token distribution of the common places, and $\mathrm{Mesg}_{m,n}.\mathrm{Sfx}(i, 2)$ denotes the column that corresponds to the (new) enumeration.

Algorithm 3 Distributed Diagnosis with Communication with Fixed-Size Message Labels

1: Upon occurrence of an observable event $\sigma_{o_r}$
2: Find $M_m$ such that $\sigma_{o_r} \in \Sigma_m$,
3: $z^m_{d,r} \leftarrow f_{d,m}(x^m_{d,r-1}, \sigma_{o_r})$,
4: $x^m_{d,r} \leftarrow z^m_{d,r}$,
5: for all $D_n \in S_D$ such that $P_{m,n} \neq \emptyset$ do
6:   $x^m_{l,r}(P_{m,n}) \leftarrow \mathrm{En}(z^m_{l,r}(P_{m,n}))$,
7:   if $W(P_{m,n}, t) \mid t \in B_m(x^m_{d,r-1}, \sigma_{o_r}) \neq \vec{0}$ then
8:     $\mathrm{Mesg}_{m,n} \leftarrow \emptyset$,
9:     for all $j = 1 : \#$ of rows of $z^m_{l,r}(P_{m,n})$ do
10:      $\mathrm{Mesg}_{m,n}.\mathrm{Pfx}(j) \leftarrow z^m_{l,r}(j, P_{m,n}).\mathrm{Pfx}$,
11:      $\mathrm{Mesg}_{m,n}.\mathrm{Sfx}(j) \leftarrow (z^m_{l,r}(j, P_{m,n}).\mathrm{Sfx}\ \ x^m_{l,r}(j, P_{m,n}))$,
12:      $\mathrm{Mesg}_{m,n}(j) \leftarrow (\mathrm{Mesg}_{m,n}.\mathrm{Pfx}(j)\ \ \mathrm{Mesg}_{m,n}.\mathrm{Sfx}(j))$,
13:    end for
14:    Send all different rows of $\mathrm{Mesg}_{m,n}$,
15:    $x^n_{d,r} \leftarrow \mathrm{UDSC}(x^n_{d,r-1}, \mathrm{Mesg}_{m,n})$,
16:  end if
17: end for

Theorem 8. Theorem 6 is valid for the diagnoser states obtained under Algorithms 3 and 4.

Algorithm 4 Update of Diagnoser State upon Communication with Fixed-Size Message Labels

Require: $x^n_{d,r-1}$, $\mathrm{Mesg}_{m,n}$
1: $X^n_{d,r} \leftarrow \emptyset$,
2: for all $i = 1 :$ Number of rows of $\mathrm{Mesg}_{m,n}.\mathrm{Pfx}$ do
3:   for all $j = 1 :$ Number of rows of $x^n_{l,r-1}(P_{m,n})$ do
4:     if $\mathrm{Mesg}_{m,n}.\mathrm{Pfx}(i) == x^n_{l,r-1}(j, P_{m,n})$ then
5:       $y_s(P_{m,n}) \leftarrow x^n_{s,r-1}(j, P_{m,n}) + \mathrm{Mesg}_{m,n}.\mathrm{Sfx}(i, 1)$, $\;y_s(P_n \setminus P_{m,n}) \leftarrow x^n_{s,r-1}(j, P_n \setminus P_{m,n})$,
6:       $y_f \leftarrow x^n_{f,r-1}(j)$,
7:       $y_l(P_{m,n}) \leftarrow \mathrm{Mesg}_{m,n}.\mathrm{Sfx}(i, 2)$,
8:       for all $D_q \in (S_D \setminus \{D_m\})$ such that $P_{n,q} \neq \emptyset$ do
9:         $y_l(P_{n,q}) \leftarrow x^n_{l,r-1}(j, P_{n,q})$
10:      end for
11:      $X^n_{d,r} \leftarrow X^n_{d,r} \cup \{[\,y_s \mid y_f \mid y_l\,]\}$
12:    end if
13:  end for
14: end for
15: $\mathrm{UDSC}(x^n_{d,r-1}, \mathrm{Mesg}_{m,n}) \leftarrow$ Listing of the set $X^n_{d,r}$

Proof of Theorem 8. The proof follows the very same methodology as the proof of Theorem 6. However, in this proof the message labels and messages have the different structures described by Algorithms 3 and 4. Thus, by Line 6 of Algorithm 3 we rewrite Equation (3.18) in two steps as follows:

$$x^m_{l,R}(i_m, P_{m,n}) = \mathrm{En}(z^m_{l,R}(i_m, P_{m,n})) = \mathrm{En}(u_l(P_{m,n})). \tag{3.34}$$

By Lines 10 and 11 of Algorithm 3, if $\mathrm{Mesg}_{m,n}.\mathrm{Pfx}(j_m) = x^m_{l,R-1}(j_m, P_{m,n})$, then $\mathrm{Mesg}_{m,n}.\mathrm{Sfx}(j_m, 1) = W_m(t_o, P_{m,n})$ and $\mathrm{Mesg}_{m,n}.\mathrm{Sfx}(j_m, 2) = x^m_{l,R}(i_m, P_{m,n})$. Thus, Equations (3.24) and (3.25) stay the same, but by Line 7 of Algorithm 4 Equation (3.26) becomes

$$x^n_{l,R}(i_n, P_{m,n}) = x^m_{l,R}(i_m, P_{m,n}). \tag{3.35}$$

These are the only changes to the equations of the proof of Theorem 6 needed to complete the proof of Theorem 8. □

The key idea that results in the fixed-size message labels is that the next state

in a Petri net is uniquely found by the current state and the changes in the token

distribution of the places. We now consider how this idea is implemented while

message labels are created. In Algorithm 1, we form the message label of the next

diagnoser state by appending the changes on the common places to the message

labels of the current diagnoser state. However, in Algorithm 3, we uniquely encode

the message label found by the diagnoser state transition function and the encoded

message label is the message label of the next diagnoser state. That is, the message label of the next diagnoser state is a bijective function of the message label of the current diagnoser state and the changes on the common places. Algorithms 2 and 4 do not differ in structure in the way Algorithms 1 and 3 do. Algorithm 4 correctly updates the diagnoser states of the neighboring modules because we use a bijective function to encode the message label.

In the following example, we illustrate the notion and notations presented in this

section while comparing the steps of Algorithms 3 and 4 to 1 and 2.

Example 9. In Example 2, we derive the diagnoser states when we run Algorithms 1

and 2. In this example, we consider the same setting as in Example 2, however, we

derive the diagnoser states when we run Algorithms 3 and 4 instead. The state

and fault labels of the diagnoser states in this case are the same as the state and

fault labels given in Example 2. However, the message labels and messages sent are

changed. In the following, we go over the steps of Algorithms 3 and 4 to find the

changes in the message labels.

Suppose that $M_m$ and $M_n$ are two coupled modules in $S$. The diagnoser states $x^m_d$ and $x^n_d$ of $D_m$ and $D_n$, respectively, obtained under Algorithms 3 and 4 use the same abbreviations as $x^m_d$ in Equation (3.10) and $x^n_d$ in Equation (3.11), respectively.

In this example, we focus on the message labels between $D_m$ and $D_n$. We write $*$ for the message labels for all modules $M_{n'} \in S$ coupled with $M_m$ except $M_n$, and for all modules $M_{m'} \in S$ coupled with $M_n$ except $M_m$.

Suppose that the event $\sigma_o \in \Sigma_{o,m}$ is observed. Then the intermediate diagnoser state $z^m_d = f_{d,m}(x^m_d, \sigma_o)$ is found as follows:

$$z^m_d = \left[\begin{array}{c|c|c} \ldots & \ldots & \alpha_1\, w_1(P_{m,n}) : * \\ \ldots & \ldots & \alpha_2\, w_2(P_{m,n}) : * \\ \ldots & \ldots & \alpha_1\, w_1(P_{m,n}) : * \\ \ldots & \ldots & \alpha_2\, w_2(P_{m,n}) : * \end{array}\right], \tag{3.36}$$

where the three columns are $x^m_s$, $x^m_f$ and $z^m_l(P_{m,n})$, respectively. Suppose that the encoding of the message label is as follows:

$$\mathrm{En}(z^m_l(P_{m,n})) = \begin{bmatrix} 1 \\ 2 \\ 1 \\ 2 \end{bmatrix}. \tag{3.37}$$

Then, the diagnoser state $y^m_d$ of $D_m$ upon observation of $\sigma_o$ is constructed as follows (the reader is encouraged to compare it to the diagnoser state in Equation (3.12) obtained under Algorithm 1):

$$y^m_d = \left[\begin{array}{c|c|c} a_1 + w_1 & h_1 & 1 : * \\ a_2 + w_2 & h_2 & 2 : * \\ a_1 + w_1 + w_1 & h'_1 & 1 : * \\ a_2 + w_2 + w_2 & h'_2 & 2 : * \end{array}\right]. \tag{3.38}$$

The message sent from $D_m$ to $D_n$ is

$$\mathrm{Mesg}_{m,n} = \left[\begin{array}{c|c|c} \alpha_1 & w_1(P_{m,n}) & 1 \\ \alpha_2 & w_2(P_{m,n}) & 2 \end{array}\right],$$

whose columns are $\mathrm{Mesg}_{m,n}.\mathrm{Pfx}$, $\mathrm{Mesg}_{m,n}.\mathrm{Sfx}(\cdot, 1)$ and $\mathrm{Mesg}_{m,n}.\mathrm{Sfx}(\cdot, 2)$, respectively.

Upon reception of the message, $D_n$ updates $x^n_d$ to $y^n_d$ based on the message from $D_m$ (as defined in Algorithm 4) as follows (the reader is encouraged to compare it to the diagnoser state in Equation (3.14) obtained under Algorithm 2):

$$y^n_d = \left[\begin{array}{c|c|c} b'_1 & k_1 & 1 : * \\ b'_2 & k_2 & 2 : * \end{array}\right], \tag{3.39}$$

where the three columns are $y^n_s$, $y^n_f$ and $y^n_l(P_{m,n})$, respectively. □
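The following Python script is an added example, not code from the dissertation: it implements the enumeration $\mathrm{En}$ of Definition 7 and the parts of Algorithms 3 and 4 that differ from Algorithms 1 and 2 (Line 6 and Lines 9-14 of Algorithm 3, Line 7 of Algorithm 4), on the setting of Example 9 with concrete values that are assumptions of the example: the previous-step codes $\alpha_1 = 1$, $\alpha_2 = 2$, the changes $w_1(P_{m,n}) = (1, 0)$ and $w_2(P_{m,n}) = (0, -1)$ on a two-place $P_{m,n}$, and receiver rows whose first two marking entries are $P_{m,n}$. Rows of $z^m_l(P_{m,n})$ are represented as pairs (prefix code, change vector), so a message row is (Pfx, Sfx(·,1), Sfx(·,2)).

```python
# Added example (not from the dissertation): Definition 7 and the fixed-size
# label handling of Algorithms 3 and 4 on the setting of Example 9.

def enumerate_rows(rows):
    """En of Definition 7: distinct rows are numbered 1, 2, ... in order of
    first appearance; a repeated row gets the number of its first occurrence."""
    codes, seen = [], {}
    for r in rows:
        if r not in seen:
            seen[r] = 1 + max(seen.values(), default=0)
        codes.append(seen[r])
    return codes

def sender_message(z_labels):
    """Lines 6 and 9-14 of Algorithm 3 for one neighbour.
    z_labels: rows (prefix_code, change) of z^m_l(P_{m,n}).
    Returns the fixed-size label x^m_l = En(z^m_l) and the distinct message rows."""
    new_codes = enumerate_rows(z_labels)                   # line 6: x^m_l <- En(z^m_l)
    msg = []
    for (pfx, change), code in zip(z_labels, new_codes):
        r = (pfx, change, code)                            # (Pfx, Sfx(.,1), Sfx(.,2))
        if r not in msg:                                   # line 14: send distinct rows only
            msg.append(r)
    return new_codes, msg

def receiver_update(rows, msg, idx):
    """Algorithm 4 on the receiver. rows: (marking, fault, code); idx: positions
    of P_{m,n} in the receiver's marking."""
    out = []
    for pfx, change, code in msg:
        for s, f, c in rows:
            if c != pfx:                                   # line 4: codes must match
                continue
            s2 = list(s)
            for k, i in enumerate(idx):                    # line 5: apply Sfx(i, 1)
                s2[i] += change[k]
            out.append((tuple(s2), f, code))               # line 7: label := Sfx(i, 2)
    return out

def encoding_is_injective(z_labels, codes):
    """Distinct words of z^m_l must receive distinct codes, and vice versa."""
    pairs = set(zip(z_labels, codes))
    return len({w for w, _ in pairs}) == len(pairs) == len({c for _, c in pairs})

# Constructed data (assumption of this example): rows of (3.36) and receiver rows.
Z = [(1, (1, 0)), (2, (0, -1)), (1, (1, 0)), (2, (0, -1))]   # alpha_i w_i(P_{m,n})
XN = [((0, 1, 5), "0", 1), ((1, 1, 5), "1", 2)]             # (b_i, k_i, beta_i), beta_i = alpha_i

if __name__ == "__main__":
    codes, msg = sender_message(Z)
    print("En(z_l) =", codes)            # [1, 2, 1, 2], as in (3.37)
    print("message  =", msg)
    print("y_n      =", receiver_update(XN, msg, (0, 1)))
```

The codes are recomputed from scratch at every observation, so the label stored in a row is always a single integer regardless of how many events have been observed; the injectivity check is what justifies matching on the code instead of on the full word in Line 4 of Algorithm 4.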

3.8 Case Study

In the following, we study an example of a part of a Heating, Ventilation and Air-Conditioning (HVAC) system. We consider the valve, pump and load models shown in Figs. 3.4, 3.5 and 3.6, respectively. Together they form the set of place-bordered labeled Petri nets that constitute the overall system. The sets of events of these place-bordered nets are disjoint, hence so are the sets of transitions. The place-bordered nets of the valve, pump and load are coupled with each other through common places. For example, place c_1 appears in both the valve and load models in Figs. 3.4 and 3.6, respectively. Figure 3.7 shows the coupling between the individual place-bordered nets for the overall system. For all the labeled Petri nets in this chapter, the filled transitions are labeled with unobservable events.

The sets of events and the abbreviations used for the events in Figs. 3.4 to 3.6 are as follows: $\Sigma_1 = \{$close_valve (cv), open_valve (ov), stuck_open_1 (so1), stuck_open_2 (so2), stuck_closed_1 (sc1), stuck_closed_2 (sc2)$\}$, $\Sigma_2 = \{$start_pump (st), stop_pump (sp), pump_failed_on_1 (fn1), pump_failed_on_2 (fn2), pump_failed_off_1 (fo1), pump_failed_off_2 (fo2)$\}$, $\Sigma_3 = \{$set_point_decrease (spd), set_point_increase (spi), failed_off (foff)$\}$.

Suppose that initially there is only one token at each of the following places: c_1, c_1_1, vl_1, pm_1 and load_1. Then, the initial diagnoser states of the modules are

Figure 3.4: Place-bordered net: Module#1 (valve). [Figure not reproduced. It shows the places vl_1, vl_2, vl_3, vl_4 and the common places c_1, c_1_1, c_2, c_2_1, c_4, c_5, with transitions t1:cv, t2:ov, t3:sc2, t4:cv, t5:ov, t6:ov, t7:cv, t8:so1, t9:cv, t10:ov, t11:so2, t12:sc1.]

as follows, as defined by the diagnoser state transition function in Equations (3.5) to (3.7).

The initial diagnoser state of $D_1$ (the diagnoser for Module#1) is

$$x^1_{d,0} = \left[\begin{array}{c|c} 1100001000 & 00 \\ 1100000010 & 10 \\ 1100000001 & 01 \end{array}\right], \tag{3.40}$$

where each digit in the rows of $x^1_{s,0}$ corresponds to the number of tokens in a place of $D_1$, and each digit in the rows of $x^1_{f,0}$ corresponds to a fault type of $D_1$. The ordering of the digits in $x^1_{s,0}$ is as follows: c_1, c_1_1, c_2, c_2_1, c_4, c_5, vl_1, vl_2, vl_3, vl_4. The ordering of the digits in $x^1_{f,0}$ is $F_1$ and $F_2$, respectively, where the event sets for the fault types are as follows: $\Sigma_{F_1,1} = \{$stuck_open_1 (so1), stuck_open_2 (so2)$\}$, $\Sigma_{F_2,1} = \{$stuck_closed_1 (sc1), stuck_closed_2 (sc2)$\}$.

Figure 3.5: Place-bordered net: Module#2 (pump). [Figure not reproduced. It shows the places pm_1, pm_2, pm_3, pm_4 and the common places c_2, c_2_1, c_3, c_3_1, c_5, c_6, with transitions t1:sp, t2:st, t3:fo2, t4:sp, t5:st, t6:st, t7:sp, t8:fn1, t9:sp, t10:st, t11:fn2, t12:fo1.]

The initial diagnoser state of $D_2$ (the diagnoser for Module#2) is

$$x^2_{d,0} = \left[\begin{array}{c|c} 0000001000 & 00 \\ 0000000010 & 10 \\ 0000000001 & 01 \end{array}\right], \tag{3.41}$$

where each digit in the rows of $x^2_{s,0}$ corresponds to the number of tokens in a place of $D_2$, and each digit in the rows of $x^2_{f,0}$ corresponds to a fault type of $D_2$. The ordering of the digits in $x^2_{s,0}$ is as follows: c_2, c_2_1, c_3, c_3_1, c_5, c_6, pm_1, pm_2, pm_3, pm_4. The ordering of the digits in $x^2_{f,0}$ is $F_1$ and $F_2$, respectively, where the event sets for the fault types are as follows: $\Sigma_{F_1,2} = \{$pump_failed_on_1 (fn1), pump_failed_on_2 (fn2)$\}$, $\Sigma_{F_2,2} = \{$pump_failed_off_1 (fo1), pump_failed_off_2 (fo2)$\}$.

Figure 3.6: Place-bordered net: Module#3 (load). [Figure not reproduced. It shows the places load_1, load_2, load_3 and the common places c_1, c_1_1, c_3, c_3_1, c_4, c_6, with transitions t1:spi, t2:spd, t3:foff, t4:foff, t5:spd, t6:spi.]

Figure 3.7: Common places between the modules. [Figure not reproduced. Module#1 and Module#2 share c_2, c_2_1, c_5; Module#1 and Module#3 share c_1, c_1_1, c_4; Module#2 and Module#3 share c_3, c_3_1, c_6.]

The initial diagnoser state of $D_3$ (the diagnoser for Module#3) is

$$x^3_{d,0} = \left[\begin{array}{c|c} 110000100 & 0 \end{array}\right], \tag{3.42}$$

where each digit in the rows of $x^3_{s,0}$ corresponds to the number of tokens in a place of $D_3$, and each digit in the rows of $x^3_{f,0}$ corresponds to a fault type of $D_3$. The ordering of the digits in $x^3_{s,0}$ is as follows: c_1, c_1_1, c_3, c_3_1, c_4, c_6, load_1, load_2, load_3. The ordering of the digits in $x^3_{f,0}$ is $F_1$, where the event set for the fault type is as follows: $\Sigma_{F_1,3} = \{$failed_off (foff)$\}$.

The initial diagnoser states do not have message labels by assumption. Thus, the diagnoser states in (3.40), (3.41) and (3.42) have state and fault type information only.

The only observable event enabled is open_valve. If the event open_valve is observed, then, applying Algorithm 1, Module#1 finds the next diagnoser state using the diagnoser state transition function and sends messages to Module#2 and Module#3. Upon reception of the messages, Module#2 and Module#3 update their current diagnoser states according to Algorithm 2. Overall, the diagnoser states obtained by Algorithms 1 and 2 are presented in the following. The diagnoser state for $D_1$ is

$$x^1_{d,1} = \left[\begin{array}{c|c|c} 0110000001 & 01 & [\,1\ 0\ 0\,] : [\,{-1}\ 0\ 0\,] \\ 0110000010 & 10 & [\,1\ 0\ 0\,] : [\,{-1}\ 0\ 0\,] \\ 0110000100 & 00 & [\,1\ 0\ 0\,] : [\,{-1}\ 0\ 0\,] \\ 1001000010 & 10 & [\,0\ 1\ 0\,] : [\,0\ {-1}\ 0\,] \end{array}\right], \tag{3.43}$$

with columns $x^1_{s,1}$, $x^1_{f,1}$, and $x^1_{l,1}(P_{1,2}) : x^1_{l,1}(P_{1,3})$, where each entry (with its sign) in the rows of the message labels $x^1_{l,1}(P_{1,2})$ and $x^1_{l,1}(P_{1,3})$ is the difference between the number of tokens put into and removed from a common place. The ordering of the entries of the message labels is as follows: c_2, c_2_1, c_5 for $x^1_{l,1}(P_{1,2})$, and c_1, c_1_1, c_4 for $x^1_{l,1}(P_{1,3})$.

Upon reception of the message from $D_1$ after the observation of open valve, the diagnoser state for $D_2$ is updated (by following the steps of Algorithm 2) to

\[
x^2_{d,1} = \begin{bmatrix}
0100000001 & \vert & 01 & \vert & 010 & : & \\
0100000010 & \vert & 10 & \vert & 010 & : & \\
0100001000 & \vert & 00 & \vert & 010 & : & \\
1000000001 & \vert & 01 & \vert & 100 & : & \\
1000000010 & \vert & 10 & \vert & 100 & : & \\
\underbrace{1000001000}_{x^2_{s,1}} & \vert & \underbrace{00}_{x^2_{f,1}} & \vert & \underbrace{100}_{x^2_{l,1}(P_{2,1})} & : & \underbrace{\phantom{000}}_{x^2_{l,1}(P_{2,3})}
\end{bmatrix}, \tag{3.44}
\]

where each digit (with the minus sign) in the rows of the message labels $x^2_{l,1}(P_{2,1})$ and $x^2_{l,1}(P_{2,3})$ corresponds to the difference between the number of tokens put into and removed from a common place. The ordering of the digits for the message labels is as follows: c 2, c 2 1, c 5 for $x^2_{l,1}(P_{2,1})$, and c 3, c 3 1, c 6 for $x^2_{l,1}(P_{2,3})$.

Upon reception of the message from $D_1$ after the observation of open valve, the diagnoser state for $D_3$ is

\[
x^3_{d,1} = \begin{bmatrix}
010000100 & \vert & 0 & \vert & -100 & : & \\
\underbrace{100000100}_{x^3_{s,1}} & \vert & \underbrace{0}_{x^3_{f,1}} & \vert & \underbrace{0\,{-1}\,0}_{x^3_{l,1}(P_{3,1})} & : & \underbrace{\phantom{000}}_{x^3_{l,1}(P_{3,2})}
\end{bmatrix}, \tag{3.45}
\]

where each digit (with the minus sign) in the rows of the message labels $x^3_{l,1}(P_{3,1})$ and $x^3_{l,1}(P_{3,2})$ corresponds to the difference between the number of tokens put into and removed from a common place. The ordering of the digits for the message labels is as follows: c 1, c 1 1, c 4 for $x^3_{l,1}(P_{3,1})$, and c 3, c 3 1, c 6 for $x^3_{l,1}(P_{3,2})$.

The next enabled observable event is start pump. Upon its occurrence, Module#2 finds the next diagnoser state using the diagnoser state transition function and sends messages to Module#1 and Module#3. After the observation of start pump and the diagnoser state updates triggered by the reception of the messages, the state with fault information and the message labels of the new diagnoser states are as follows:

\[
x^1_{d,2} = \begin{bmatrix}
0100000001 & \vert & 01 & \vert & 100\;\;{-100} & : & -100 \\
0100000010 & \vert & 10 & \vert & 100\;\;{-100} & : & -100 \\
0100000100 & \vert & 00 & \vert & 100\;\;{-100} & : & -100 \\
1000000010 & \vert & 10 & \vert & 010\;\;0\,{-1}\,0 & : & 0\,{-1}\,0
\end{bmatrix} \tag{3.46}
\]

\[
x^2_{d,2} = \begin{bmatrix}
0001000010 & \vert & 10 & \vert & 010\;\;0\,{-1}\,0 & : & 010 \\
0010000001 & \vert & 01 & \vert & 100\;\;{-100} & : & 100 \\
0010000010 & \vert & 10 & \vert & 100\;\;{-100} & : & 100 \\
0010000100 & \vert & 00 & \vert & 100\;\;{-100} & : & 100
\end{bmatrix} \tag{3.47}
\]

\[
x^3_{d,2} = \begin{bmatrix}
010100100 & \vert & 0 & \vert & -100 & : & 010 \\
011000100 & \vert & 0 & \vert & -100 & : & 100 \\
100100100 & \vert & 0 & \vert & 0\,{-1}\,0 & : & 010 \\
101000100 & \vert & 0 & \vert & 0\,{-1}\,0 & : & 100
\end{bmatrix} \tag{3.48}
\]

Upon the occurrence of the next observable event, the algorithm proceeds in the same manner to update the respective diagnoser states.

An examination of the fault labels in the corresponding columns of the above diagnoser states reveals that: (i) $x^1_{d,0}$, $x^1_{d,1}$ and $x^1_{d,2}$ are both $F_{1,1}$-uncertain (stuck open 1 or stuck open 2 could have happened, but we do not know for sure) and $F_{2,1}$-uncertain, (ii) $x^2_{d,0}$, $x^2_{d,1}$ and $x^2_{d,2}$ are both $F_{1,2}$-uncertain and $F_{2,2}$-uncertain, and (iii) $x^3_{d,0}$, $x^3_{d,1}$ and $x^3_{d,2}$ are normal.

We now consider the case of fixed-size message labels. Suppose that we observe the very same sequence of events, which starts with the event open valve followed by start pump, and we now run Algorithm 3 instead of Algorithm 1 and Algorithm 4 instead of Algorithm 2. The state and fault labels of the diagnoser states in this case are the same as the state and fault labels given in Equations (3.40) to (3.48). However, the message labels and the messages sent change. In the following, we go over the steps of Algorithms 3 and 4 to find the changes in the message labels.

The message labels of the initial diagnoser states are all equal to 1 by construction. Upon observation of the event open valve (executed by $M_1$), the intermediate diagnoser state $z^1_{d,1} = f_{d,1}(x^1_{d,0}, \text{open valve})$ is

\[
z^1_{d,1} = \begin{bmatrix}
\cdots & \vert & \cdots & \vert & 1\;\;100 & : & 1\;\;{-100} \\
\cdots & \vert & \cdots & \vert & 1\;\;100 & : & 1\;\;{-100} \\
\cdots & \vert & \cdots & \vert & 1\;\;100 & : & 1\;\;{-100} \\
\underbrace{\cdots}_{x^1_{s,1}} & \vert & \underbrace{\cdots}_{x^1_{f,1}} & \vert & \underbrace{1\;\;010}_{z^1_{l,1}(P_{1,2})} & : & \underbrace{1\;\;0\,{-1}\,0}_{z^1_{l,1}(P_{1,3})}
\end{bmatrix}, \tag{3.49}
\]

The message labels for the diagnoser state $x^1_{d,1}$ are $x^1_{l,1}(P_{1,2}) = En(z^1_{l,1}(P_{1,2}))$ and $x^1_{l,1}(P_{1,3}) = En(z^1_{l,1}(P_{1,3}))$ for $D_2$ and $D_3$, respectively. Thus, the diagnoser state in the case of fixed-size message labels (compare to the one in (3.49)) is found as

\[
x^1_{d,1} = \begin{bmatrix}
\cdots & \vert & \cdots & \vert & 1 & : & 1 \\
\cdots & \vert & \cdots & \vert & 1 & : & 1 \\
\cdots & \vert & \cdots & \vert & 1 & : & 1 \\
\underbrace{\cdots}_{x^1_{s,1}} & \vert & \underbrace{\cdots}_{x^1_{f,1}} & \vert & \underbrace{2}_{x^1_{l,1}(P_{1,2})} & : & \underbrace{2}_{x^1_{l,1}(P_{1,3})}
\end{bmatrix}. \tag{3.50}
\]

The messages sent by $D_1$ are as follows:

\[
\mathit{Mesg}_{1,2} = \begin{bmatrix}
1 & \vert & 100 & \vert & 1 \\
\underbrace{1}_{\mathit{Mesg}_{1,2}.Pfx} & \vert & \underbrace{010}_{\mathit{Mesg}_{1,2}.Sfx(1)} & \vert & \underbrace{2}_{\mathit{Mesg}_{1,2}.Sfx(2)}
\end{bmatrix},
\]

\[
\mathit{Mesg}_{1,3} = \begin{bmatrix}
1 & \vert & -100 & \vert & 1 \\
\underbrace{1}_{\mathit{Mesg}_{1,3}.Pfx} & \vert & \underbrace{0\,{-1}\,0}_{\mathit{Mesg}_{1,3}.Sfx(1)} & \vert & \underbrace{2}_{\mathit{Mesg}_{1,3}.Sfx(2)}
\end{bmatrix}.
\]

Upon reception of the messages, the diagnoser states of the neighbor modules are updated as defined by Algorithm 4. Then, the diagnoser states of $D_2$ and $D_3$ are as follows:

\[
x^2_{d,1} = \begin{bmatrix}
\cdots & \vert & \cdots & \vert & 2 & : & 1 \\
\cdots & \vert & \cdots & \vert & 2 & : & 1 \\
\cdots & \vert & \cdots & \vert & 2 & : & 1 \\
\cdots & \vert & \cdots & \vert & 1 & : & 1 \\
\cdots & \vert & \cdots & \vert & 1 & : & 1 \\
\underbrace{\cdots}_{x^2_{s,1}} & \vert & \underbrace{\cdots}_{x^2_{f,1}} & \vert & \underbrace{1}_{x^2_{l,1}(P_{2,1})} & : & \underbrace{1}_{x^2_{l,1}(P_{2,3})}
\end{bmatrix}, \tag{3.51}
\]

\[
x^3_{d,1} = \begin{bmatrix}
\cdots & \vert & \cdots & \vert & 1 & : & 1 \\
\underbrace{\cdots}_{x^3_{s,1}} & \vert & \underbrace{\cdots}_{x^3_{f,1}} & \vert & \underbrace{2}_{x^3_{l,1}(P_{3,1})} & : & \underbrace{1}_{x^3_{l,1}(P_{3,2})}
\end{bmatrix}. \tag{3.52}
\]

Upon observation of the event start pump executed by $D_2$, the intermediate diagnoser state $z^2_{d,2} = f_{d,2}(x^2_{d,1}, \text{start pump})$ is found as:

\[
z^2_{d,2} = \begin{bmatrix}
\cdots & \vert & \cdots & \vert & 2\;\;0\,{-1}\,0 & : & 1\;\;010 \\
\cdots & \vert & \cdots & \vert & 1\;\;{-100} & : & 1\;\;100 \\
\cdots & \vert & \cdots & \vert & 1\;\;{-100} & : & 1\;\;100 \\
\underbrace{\cdots}_{x^2_{s,2}} & \vert & \underbrace{\cdots}_{x^2_{f,2}} & \vert & \underbrace{1\;\;{-100}}_{z^2_{l,2}(P_{2,1})} & : & \underbrace{1\;\;100}_{z^2_{l,2}(P_{2,3})}
\end{bmatrix}, \tag{3.53}
\]

The message labels for the diagnoser state $x^2_{d,2}$ are $x^2_{l,2}(P_{2,1}) = En(z^2_{l,2}(P_{2,1}))$ and $x^2_{l,2}(P_{2,3}) = En(z^2_{l,2}(P_{2,3}))$ for $D_1$ and $D_3$, respectively. Thus, the diagnoser state in the case of fixed-size message labels is found as

\[
x^2_{d,2} = \begin{bmatrix}
\cdots & \vert & \cdots & \vert & 1 & : & 1 \\
\cdots & \vert & \cdots & \vert & 2 & : & 2 \\
\cdots & \vert & \cdots & \vert & 2 & : & 2 \\
\underbrace{\cdots}_{x^2_{s,2}} & \vert & \underbrace{\cdots}_{x^2_{f,2}} & \vert & \underbrace{2}_{x^2_{l,2}(P_{2,1})} & : & \underbrace{2}_{x^2_{l,2}(P_{2,3})}
\end{bmatrix}, \tag{3.54}
\]

The messages sent by $D_2$ are as follows:

\[
\mathit{Mesg}_{2,1} = \begin{bmatrix}
2 & \vert & 0\,{-1}\,0 & \vert & 1 \\
\underbrace{1}_{\mathit{Mesg}_{2,1}.Pfx} & \vert & \underbrace{-100}_{\mathit{Mesg}_{2,1}.Sfx(1)} & \vert & \underbrace{2}_{\mathit{Mesg}_{2,1}.Sfx(2)}
\end{bmatrix},
\]

\[
\mathit{Mesg}_{2,3} = \begin{bmatrix}
1 & \vert & 010 & \vert & 1 \\
\underbrace{1}_{\mathit{Mesg}_{2,3}.Pfx} & \vert & \underbrace{100}_{\mathit{Mesg}_{2,3}.Sfx(1)} & \vert & \underbrace{2}_{\mathit{Mesg}_{2,3}.Sfx(2)}
\end{bmatrix}.
\]

Upon reception of the messages, the diagnoser states of the neighbor modules are updated as defined by Algorithm 4. Then, the diagnoser states of $D_1$ and $D_3$ are as follows:

\[
x^1_{d,2} = \begin{bmatrix}
\cdots & \vert & \cdots & \vert & 2 & : & 1 \\
\cdots & \vert & \cdots & \vert & 2 & : & 1 \\
\cdots & \vert & \cdots & \vert & 2 & : & 1 \\
\underbrace{\cdots}_{x^1_{s,2}} & \vert & \underbrace{\cdots}_{x^1_{f,2}} & \vert & \underbrace{1}_{x^1_{l,2}(P_{1,2})} & : & \underbrace{2}_{x^1_{l,2}(P_{1,3})}
\end{bmatrix}. \tag{3.55}
\]

\[
x^3_{d,2} = \begin{bmatrix}
\cdots & \vert & \cdots & \vert & 1 & : & 1 \\
\cdots & \vert & \cdots & \vert & 1 & : & 2 \\
\cdots & \vert & \cdots & \vert & 2 & : & 1 \\
\underbrace{\cdots}_{x^3_{s,2}} & \vert & \underbrace{\cdots}_{x^3_{f,2}} & \vert & \underbrace{2}_{x^3_{l,2}(P_{3,1})} & : & \underbrace{2}_{x^3_{l,2}(P_{3,2})}
\end{bmatrix}. \tag{3.56}
\]

3.9 Conclusion

We have presented a new algorithm, DDC-M, for on-line monitoring and diagnosis of modular systems modeled as a set of place-bordered Petri nets. DDC-M exploits the distributed nature of the system to avoid the combinatorial explosion of the state space, but it requires communication among modules on the occurrence of events that affect common places. Many issues remain to be investigated. Among those we mention: further improvements of DDC-M to reduce the communication overhead and deal with communication delays; proper partitioning of a system into modules in order to enhance the performance of DDC-M; and performance analysis of DDC-M on comprehensive examples using our software tool.

CHAPTER IV

Diagnosis of Event Patterns

4.1 Introduction

This chapter addresses the problem of diagnosing (detecting and isolating) significant event patterns in the behavior of a system modeled as a partially-observed discrete-event system (DES). The event pattern to be diagnosed is a set of sequences of events. The system is diagnosable with respect to a pattern if it is possible to detect and isolate occurrences of the pattern upon its completion (with finite delay) while observing the sequences of events executed by the system. The problem is trivial if each event executed by the system to be diagnosed is observed. However, in general, the systems are partially-observed. That is, there exist events that are not directly recorded by sensors attached to the system, i.e., unobservable events. Our objective is two-fold: 1. Off-line verification of the diagnosability property of the system with respect to the pattern, i.e., whether the system is diagnosable with respect to the pattern. 2. On-line monitoring of the system and diagnosis of the pattern, i.e., how to detect the occurrence of the pattern while partially observing the behavior of the system.

The problem of fault diagnosis for discrete-event systems has received considerable attention in the last decade, and diagnosis methodologies based on the use of discrete-event models have been successfully used in a variety of technological systems ranging from document processing systems to intelligent transportation systems; see [34] and the references therein. To the best of our knowledge, all prior works on fault diagnosis of DES pertain to the diagnosis of a single event among several unobservable events. In application areas such as the detection of intrusion and attacks in networks [39], patterns of events need to be diagnosed. Our objective is to extend the methodology of the Diagnoser Approach introduced in [55] to the case of patterns.

In the following sections, we develop a theory for the diagnosability of patterns. In Section 4.2, we define the mathematical terminology used throughout this chapter. Then, in Section 4.3, we define two different notions of pattern diagnosability in the context of formal languages: (i) S-type pattern diagnosability and (ii) T-type pattern diagnosability. These two different types stem from different approaches to defining the occurrence of a pattern. In S-type pattern diagnosability, a pattern is detected if all the sequences executed by the system that record the same observed event sequences contain subsequences in the pattern. In T-type pattern diagnosability, a pattern is detected if all the sequences executed by the system that record the same observed event sequences contain substrings in the pattern. In other words, there could be events interleaved between the events that make up the pattern in the S-type case, but not in the T-type case. We conclude Section 4.3 by showing that the notions of S-type and T-type pattern diagnosability are generalizations of the notion of diagnosability defined in [55]. In Section 4.4, we consider systems modeled by regular languages. We present implementable necessary and sufficient conditions for both types of pattern diagnosability in this case. The conditions for pattern diagnosability require building a modified version of the diagnoser defined in [55]. In Section 4.5, we present illustrative examples of the notions and results introduced in the previous sections of the chapter. In Section 4.6, we present a summary of results and give concluding remarks.

4.2 Preliminaries

Let $\Sigma$ be a finite set of events. A string is a finite-length sequence of events in $\Sigma$. Given a string $s$, the length of $s$ (number of events including repetitions) is denoted by $\| s \|$. The set of all strings formed by events in $\Sigma$ is denoted by $\Sigma^*$. The set $\Sigma^*$ is also called the Kleene-closure of $\Sigma$. Any subset of $\Sigma^*$ is called a language over $\Sigma$. Let $L$ be a language over $\Sigma$. The prefix-closure of language $L$ is denoted by $\overline{L}$ and defined as $\overline{L} = \{s \in \Sigma^* : \exists t \in L \text{ such that } st \in L\}$. Given a string $s \in L$, $L/s$ is called the post-language of $L$ after $s$ and defined as $L/s = \{t \in \Sigma^* : st \in L\}$. $L$ is live if every string in $L$ can be extended to another string in $L$. Suppose that $\Sigma$ is partitioned as $\Sigma = \Sigma_o \cup \Sigma_{uo}$, where $\Sigma_o$ and $\Sigma_{uo}$ denote the observable and unobservable events, respectively.

The projection of strings from $L$ to $\Sigma_o^*$ is denoted by $P$. Given a string $s \in L$, $P(s)$ is obtained by removing the unobservable events (elements of $\Sigma_{uo}$) in $s$. The inverse projection of a string $s_o \in \Sigma_o^*$, denoted by $P^{-1}(s_o)$, is the set of strings in $\Sigma^*$ whose projection is equal to $s_o$. Formally,

\[
P^{-1}(s_o) = \{s \in \Sigma^* : P(s) = s_o\}. \tag{4.1}
\]

Given an event $\sigma \in \Sigma$ and a string $s \in \Sigma^*$, we use the set notation $\sigma \in s$ to say that $\sigma$ appears at least once in $s$. Given a string of the form $u = stv$ in $L$, $s$ is called a prefix of $u$, $t$ is called a substring of $u$, and $v$ is called a suffix of $u$. Given a string $s \in L$, a subsequence of $s$ is obtained by deleting zero or more events in the string $s$.

Let $L$ be a language and $K$ be a finite set of bounded strings over $\Sigma$. Given $s \in K$, define the set $S(s, L) \subseteq L$ as

\[
S(s, L) = \{\omega \in L : s \text{ is a subsequence of } \omega\} \tag{4.2}
\]

and the set $S(K, L) \subseteq L$ as

\[
S(K, L) = \bigcup_{s \in K} S(s, L). \tag{4.3}
\]

Given $s = s_1\sigma \in K$ where $s_1 \in \Sigma^*$ and $\sigma \in \Sigma$, define the set $\Psi_S(s_1\sigma, L) \subseteq S$ as

\[
\Psi_S(s_1\sigma, L) = \{\omega_1\sigma \in L : s_1\sigma \text{ is a subsequence of } \omega_1\sigma\}, \tag{4.4}
\]

and

\[
\Psi_S(K, L) = \bigcup_{s \in K} \Psi_S(s, L). \tag{4.5}
\]

Now, consider the definitions for the case of substrings. Given $s \in K$, define the set $T(s, L) \subseteq L$ as

\[
T(s, L) = \{\omega \in L : s \text{ is a substring of } \omega\}, \tag{4.6}
\]

and the set $T(K, L) \subseteq L$ as

\[
T(K, L) = \bigcup_{s \in K} T(s, L). \tag{4.7}
\]

Given $s = s_1\sigma \in K$ where $s_1 \in \Sigma^*$ and $\sigma \in \Sigma$, define the set $\Psi_T(s_1\sigma, L) \subseteq T$ as

\[
\Psi_T(s_1\sigma, L) = \{\omega_1\sigma \in L : s_1\sigma \text{ is a substring of } \omega_1\sigma\}, \tag{4.8}
\]

and

\[
\Psi_T(K, L) = \bigcup_{s \in K} \Psi_T(s, L). \tag{4.9}
\]

The following result is immediate from the above definitions.

Proposition 10. Given a language $L$ and a finite set of bounded strings $K$ over $\Sigma$,

\[
s \in S(K, L) \Rightarrow (\forall t \in L/s)(st \in S(K, L)), \tag{4.10}
\]

and similarly

\[
s \in T(K, L) \Rightarrow (\forall t \in L/s)(st \in T(K, L)). \tag{4.11}
\]

Hereafter, for the sake of presentation, we drop the language $L$ or the finite set of bounded strings $K$ in the notations $S(K, L)$, $T(K, L)$, $\Psi_S(K, L)$ and $\Psi_T(K, L)$, since they are always fixed.

A Finite State Automaton (FSA) is a four-tuple

\[
G = (Q, \Sigma, \delta, q_0, F) \tag{4.12}
\]

where $Q$ is the finite set of states, $\Sigma$ is the finite set of events, $\delta : Q \times \Sigma \to Q$ is the partial state transition function, $q_0$ is the initial state, and $F \subseteq Q$ is the set of marked states.

We extend $\delta$ from domain $Q \times \Sigma$ to domain $Q \times \Sigma^*$ as follows:

\[
\delta(q, \varepsilon) = q, \qquad \delta(q, s\sigma) = \delta(\delta(q, s), \sigma),
\]

for $s \in \Sigma^*$ and $\sigma \in \Sigma$.

The language generated by $G$ is

\[
L(G) = \{s \in \Sigma^* : \delta(q_0, s) \text{ is defined}\}.
\]

The language marked by $G$ is

\[
L_m(G) = \{s \in \Sigma^* : \delta(q_0, s) \in F\}.
\]

A set of states $\{q_1, \ldots, q_l\} \subseteq Q$ and a string $\sigma_1 \ldots \sigma_l \in \Sigma^*$ form a cycle in $G$ if $q_{i+1} = \delta(q_i, \sigma_i)$ for $i = 1, \ldots, l-1$ and $q_1 = \delta(q_l, \sigma_l)$.

4.3 Pattern Diagnosability

We model the system as a language $L$ over an event set $\Sigma$ and the pattern as a bounded set $K$ of finite-length strings over $\Sigma_K \subseteq \Sigma$.

We define two different types of pattern diagnosability: S-type and T-type. First, we present an illustrative example for each type of pattern diagnosability. Then, we give the formal definitions. We conclude the section by showing that the notion of pattern diagnosability is a generalization of the notion of diagnosability defined in [55].

In this chapter, given a language $L$ and a pattern $K$ over $\Sigma_K \subseteq \Sigma$, we assume that there exists $n_0 \in \mathbb{N}$ such that for all $vst \in L$, if $s \in \Sigma_{uo}^*$, then $\| s \| \leq n_0$.

Consider the prefix-closed, live language $L$ generated by the FSA $G$ shown in Fig. 4.1. The language $L$ is

\[
L = aedbd^* + (ad + de)cb^* + dbacd^*. \tag{4.13}
\]

Suppose that $\Sigma_o = \{b, d\}$ and $\Sigma_{uo} = \{a, c, e\}$, and let $K = \{ab, dc\}$ be the pattern to be diagnosed. The set of strings in $L$ with subsequences in $K$ is $S = \{aedbd^l, adcb^m, decb^p, dbacd^r : l, m, p, r \geq 0\}$. Then, $\Psi_S = \{aedb, adcb^m, dec, dbac : m \geq 0\}$.

We now show that for each string $s$ in $\Psi_S$ and for each long-enough continuation $t$ of $s$, each string in $L$ that records the same observed string as $st$ is in $S$.

Let $s_1 = aedb$. If $t \in L/s_1$ and $\| t \| \geq 0$, then $t \in \{d^l : l \geq 0\}$. Pick $t_1 = d^{l_1}$ for some $l_1 \geq 0$; then $P^{-1}P(s_1t_1) \cap L = \{aedbd^l, dbacd^r : l, r \geq 0\}$ and $P^{-1}P(s_1t_1) \cap L \subseteq S$.

Let $s_2 = adc$. If $t \in L/s_2$ and $\| t \| \geq 2$, then $t \in \{b^l : l \geq 2\}$. Pick $t_2 = b^{l_2}$ for some $l_2 \geq 2$. Then, $P^{-1}P(s_2t_2) \cap L = \{adcb^{l_2}, decb^{l_2}\}$ and $P^{-1}P(s_2t_2) \cap L \subseteq S$.

Let $s_3 = dec$. If $t \in L/s_3$ such that $\| t \| \geq 2$, then $P^{-1}P(s_3t) \subseteq S$.

Let $s \in \{adcb^m, dbac : m \geq 1\}$. If $t \in L/s$ and $\| t \| \geq 0$, then $P^{-1}P(st) \cap L \subseteq S$.

Based on the above discussion, we formally define S-type pattern diagnosability as follows.

Definition 11. A prefix-closed, live language $L$ over $\Sigma$ is S-type pattern diagnosable with respect to a pattern $K$, a finite set of bounded strings over $\Sigma_K \subseteq \Sigma$, and projection $P$ if

\[
(\exists n \in \mathbb{N})(\forall s \in \Psi_S(K, L))(\forall t \in L/s)(\| t \| \geq n \Rightarrow DSP)
\]

where

\[
DSP : P^{-1}P(st) \cap L \subseteq S.
\]

We now study T-type pattern diagnosability. Consider the prefix-closed, live language $L$ generated by the FSA $G$ shown in Fig. 4.2. The language $L$ is

\[
L = da(bb^* + cbd^*) + ed(bd^* + cb^*). \tag{4.14}
\]

Suppose that $\Sigma_o = \{b, d\}$ and $\Sigma_{uo} = \{a, c, e\}$, and let $K = \{ab, dc\}$ be the pattern to be diagnosed. Then, $T = \{dabb^l, edcb^m : l, m \geq 0\}$ and $\Psi_T = \{dab, edc\}$.

We show that for each string $s$ in $\Psi_T$ and for each long-enough continuation $t$ of $s$, each string in $L$ that records the same observed string as $st$ is in $T$.

Let $s_1 = dab$. If $t \in L/s_1$ and $\| t \| \geq 1$, then $t \in \{b^l : l \geq 1\}$. Pick $t_1 = b^{l_1}$ for some $l_1 \geq 1$. Then, $P^{-1}P(s_1t_1) \cap L = \{dabb^{l_1}, edcb^{l_1}\}$ and $P^{-1}P(s_1t_1) \cap L \subseteq T$.

Let $s_2 = edc$. If $t \in L/s_2$ and $\| t \| \geq 1$, then $t \in \{b^l : l \geq 1\}$. Pick $t_2 = b^{l_2}$ for some $l_2 \geq 1$. Then, $P^{-1}P(s_2t_2) \cap L = \{dabb^{l_2}, edcb^{l_2}\} \subseteq T$.

Based on the above discussion, we formally define T-type pattern diagnosability as follows.

Definition 12. A prefix-closed, live language $L$ over $\Sigma$ is T-type pattern diagnosable with respect to $K$, a finite set of bounded strings over $\Sigma_K \subseteq \Sigma$, and projection $P$ if

\[
(\exists n \in \mathbb{N})(\forall s \in \Psi_T(K, L))(\forall t \in L/s)(\| t \| \geq n \Rightarrow DTP)
\]

where

\[
DTP : P^{-1}P(st) \cap L \subseteq T.
\]

We emphasize here that both types of pattern diagnosability defined in this chapter detect occurrences of a string in the pattern. In the above examples, if the pattern is $K' = \{ab\} \subseteq K$, then $L$ is neither S-type nor T-type pattern diagnosable with respect to $K'$ and projection $P$.

Proposition 13. If a prefix-closed, live language $L$ is T-type pattern diagnosable with respect to a pattern $K$ and projection $P$, then $L$ is also S-type pattern diagnosable with respect to $K$ and $P$. The reverse is not true in general.

The proof of the first part of Proposition 13 follows directly from Definitions 11 and 28. The reverse direction is proved by Example 28 presented in Section 4.5. However, for some patterns with specific structures, S-type pattern diagnosability is equivalent to T-type pattern diagnosability. One such pattern structure is a set of strings where each string is of length 1.

Corollary 14. If for all $s \in K$, $\| s \| = 1$, then a prefix-closed, live language $L$ is S-type pattern diagnosable with respect to a pattern $K$ and projection $P$ iff $L$ is T-type pattern diagnosable with respect to $K$ and $P$.

When $K$ is a set of strings of length 1, both S-type and T-type pattern diagnosability reduce to the notion of diagnosability defined in [55]. In that case, the pattern $K$ corresponds to a single fault type, and the events in $K$ are exactly the fault events in that fault type. This observation proves Corollary 14.

Figure 4.1: $G$.

4.4 Verification of Pattern Diagnosability for Regular Languages

In this section, we consider systems modeled by regular languages. Regular languages are the languages that are accepted (or generated) by FSA. We construct two types of FSA: $H_S$ for S-type and $H_T$ for T-type pattern diagnosability. Our objective in constructing these two specific FSA is to develop a generic test to verify the pattern diagnosability of $L$ with respect to $K$, where $L$ is the language generated by an FSA $G$ and $K$ is the given pattern over $\Sigma_K \subseteq \Sigma$.

Figure 4.2: $G$.

The FSA $G$ can be nondeterministic. Each state of $G$ is marked. Thus, $L = L(G) = L_m(G)$, i.e., $L$ is prefix-closed.

Given an event set $\Sigma$ and a string $s = \sigma_1\sigma_2 \ldots \sigma_m \in \Sigma^*$ for an integer $m$, build a special FSA,

\[
H_S(\Sigma, s) = (Q_S, \Sigma, \delta_S, q_{S0}, F_S), \tag{4.15}
\]

where $Q_S = \{0, 1, 2, \ldots, \| s \|\}$, $q_{S0} = 0$, $F_S = \{\| s \|\}$, and for all $q \in Q_S \setminus \{\| s \|\}$ and $\sigma \in \Sigma$

\[
\delta_S(q, \sigma) = \begin{cases}
q + 1, & \sigma = \sigma_{q+1}, \\
q, & \text{otherwise},
\end{cases} \tag{4.16}
\]

and $\delta_S(\| s \|, \sigma) = \| s \|$.

Similarly, given an event set $\Sigma$ and a string $s = \sigma_1\sigma_2 \ldots \sigma_m \in \Sigma^*$ for an integer $m$, build a special FSA,

\[
H_T(\Sigma, s) = (Q_T, \Sigma, \delta_T, q_{T0}, F_T), \tag{4.17}
\]

where $Q_T = \{0, 1, 2, \ldots, \| s \|\}$, $q_{T0} = 0$, $F_T = \{\| s \|\}$, and for all $q \in Q_T \setminus \{\| s \|\}$ and $\sigma \in \Sigma$

\[
\delta_T(q, \sigma) = \begin{cases}
q + 1, & \sigma = \sigma_{q+1}, \\
\max_{i \in match(q)} i, & match(q) \neq \emptyset, \\
0, & \text{otherwise},
\end{cases} \tag{4.18}
\]

where $match(q) = \{i : [(i = 1) \wedge (\sigma_1 = \sigma)] \vee [(1 < i \leq q) \wedge (\sigma_1 \ldots \sigma_i = \sigma_{q-i+1} \ldots \sigma_q)]\}$ and $\delta_T(\| s \|, \sigma) = \| s \|$.

The FSA $H_T(\Sigma, s)$ built for $s$ and $\Sigma$ is based on the Knuth-Morris-Pratt algorithm presented in [32]. The algorithm finds the occurrences of a string $s$ in a text over the alphabet $\Sigma$.

Example 15. Consider $\Sigma = \{c, a, o\}$ and $s = cacao$. Then, the $H_T(\Sigma, s)$ built is shown in Fig. 4.3.

Figure 4.3: $H_T(\Sigma, s)$ where $s = cacao$ and $\Sigma = \{c, a, o\}$.
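The two pattern automata of this section, as an added example that is not code from the dissertation: build_hs implements (4.16) and build_ht implements the substring automaton in its standard Knuth-Morris-Pratt form (on a mismatch, the longest prefix of $s$ that is a suffix of what has been read; this formulation is an assumption made here), and classify runs both on a word, as in Example 15 and the patterns of Section 4.3.

```python
# Added example (not from the dissertation): the pattern automata H_S
# (subsequence, Eq. 4.16) and H_T (substring, Eq. 4.18) of Section 4.4.
# Assumption: H_T's fallback on a mismatch is taken in the standard
# Knuth-Morris-Pratt form, i.e. the length of the longest prefix of s that
# is a suffix of what has been read so far.
from typing import Dict, Tuple

Delta = Dict[Tuple[int, str], int]      # (state, event) -> next state


def build_hs(sigma: str, s: str) -> Delta:
    """H_S(Sigma, s): state q means the first q events of s have been seen
    as a subsequence; advance on s[q], stay otherwise; |s| is absorbing."""
    n = len(s)
    delta: Delta = {}
    for q in range(n + 1):
        for e in sigma:
            if q == n:
                delta[(q, e)] = n
            else:
                delta[(q, e)] = q + 1 if e == s[q] else q
    return delta


def build_ht(sigma: str, s: str) -> Delta:
    """H_T(Sigma, s): state q means the last q events read equal s[:q].
    On a mismatch fall back to the longest prefix of s that is still a
    suffix of s[:q] + e (KMP); |s| is absorbing once s has occurred."""
    n = len(s)
    delta: Delta = {}
    for q in range(n + 1):
        for e in sigma:
            if q == n:
                delta[(q, e)] = n
            elif e == s[q]:
                delta[(q, e)] = q + 1
            else:
                read = s[:q] + e
                nxt = 0
                for i in range(q, 0, -1):          # longest candidate first
                    if read.endswith(s[:i]):
                        nxt = i
                        break
                delta[(q, e)] = nxt
    return delta


def run(delta: Delta, word: str, q: int = 0) -> int:
    """Extended transition function delta(q, word)."""
    for e in word:
        q = delta[(q, e)]
    return q


def is_marked(delta: Delta, s: str, word: str) -> bool:
    """word is in L_m(H): the automaton ends in state |s|."""
    return run(delta, word) == len(s)


def classify(sigma: str, s: str, word: str) -> Tuple[bool, bool]:
    """(s is a subsequence of word, s is a substring of word) via H_S, H_T."""
    return (is_marked(build_hs(sigma, s), s, word),
            is_marked(build_ht(sigma, s), s, word))


if __name__ == "__main__":
    # Example 15: s = cacao over {c, a, o}; reading "cacac" after "caca"
    # falls back to state 3 ("cac"), and a later "ao" completes the pattern.
    ht = build_ht("cao", "cacao")
    print(run(ht, "cacac"), run(ht, "cacacao"))        # 3 5
    # The patterns of Section 4.3: dc is only a subsequence of dbac,
    # but both a subsequence and a substring of edcb.
    print(classify("abcde", "dc", "dbac"), classify("abcde", "dc", "edcb"))
```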

Let $G_1 = (Q_1, \Sigma_1, \delta_1, q_{10}, F_1)$ and $G_2 = (Q_2, \Sigma_2, \delta_2, q_{20}, F_2)$ be two FSA. Define the product FSA of $G_1$ and $G_2$ as

\[
G_1 \times G_2 = (Q, \Sigma, \delta, q_0, F), \tag{4.19}
\]

where $Q \subseteq Q_1 \times Q_2$, $\Sigma = \Sigma_1 \cap \Sigma_2$, $q_0 = (q_{10}, q_{20})$, $F = F_1 \cap F_2$, and $\delta((q_1, q_2), \sigma) = (\delta_1(q_1, \sigma), \delta_2(q_2, \sigma))$ if both $\delta_1(q_1, \sigma)$ and $\delta_2(q_2, \sigma)$ are defined, and undefined otherwise.

Let $G = (Q, \Sigma, \delta, q_0, F)$. Define the observer FSA of $G$ as (see, e.g., [10] for further details)

\[
Obs(G) = (X, \Sigma_o, \delta_o, x_0), \tag{4.20}
\]

where $x \in X$ is a set of states in $Q$, $\Sigma_o \subseteq \Sigma$ is the set of observable events, and $x_0$ is the initial observer state. In this paper, we do not consider the marking of the observer states.

Let $x = \{q^x_i \in Q : i = 1, \ldots, l\} \in X$ where $l$ is a positive integer. We define the unobservable reach of $x$, denoted by $UR_G(x)$, as

\[
UR_G(x) = \{q \in Q : q = \delta(q^x_i, u) \text{ is defined for some } i \in \{1, \ldots, l\} \text{ and } u \in \Sigma_{uo}^*\}. \tag{4.21}
\]

The initial observer state is found as $x_0 = UR_G(\{q_0\})$. The observer state transition function is defined for $x \in X$ and $\sigma_o \in \Sigma_o$ if there exists $q \in UR_G(x)$ such that $\delta(q, \sigma_o)$ is defined. In that case, the observer state transition function finds the next observer state, $x' = \delta_o(x, \sigma_o)$, as follows:

\[
x' = \{q' \in Q : q' = \delta(q, \sigma_o) \text{ is defined for some } q \in UR_G(x)\}. \tag{4.22}
\]

The observer state $x$ is marking-certain if $q^x_i \in F$ for $i = 1, \ldots, l$, and marking-uncertain if there exist $q^x_i \in F$ and $q^x_j \in Q \setminus F$ for some $i, j \in \{1, \ldots, l\}$.

Definition 16 (Marking-indeterminate cycle). Let $\{x_1, \ldots, x_m\}$ and $\sigma_{o,1} \ldots \sigma_{o,m} \in \Sigma_o^*$ form a cycle in $Obs(G)$ where $m$ is an integer. The cycle in $Obs(G)$ is a marking-indeterminate cycle if the following are satisfied:

1. $x_i$ is marking-uncertain for $i = 1, \ldots, m$,

2. $\exists q^k_i, r^l_i \in x_i$ for all $i = 1, \ldots, m$, $k = 1, \ldots, M$, and $l = 1, \ldots, N$ such that

(a) $q^k_i$ is marked and $r^l_i$ is not marked for all $i, k, l$,

(b) there are two corresponding cycles$^1$ in $G$:

\[
q^1_1 \xrightarrow{\sigma_{o,1} t^1_1} q^1_2 \cdots \xrightarrow{\sigma_{o,m-1} t^1_{m-1}} q^1_m \xrightarrow{\sigma_{o,m} t^1_m} q^2_1 \cdots \xrightarrow{\sigma_{o,m-1} t^2_{m-1}} q^2_m \cdots q^M_1 \xrightarrow{\sigma_{o,1} t^M_1} q^M_2 \cdots \xrightarrow{\sigma_{o,m-1} t^M_{m-1}} q^M_m \xrightarrow{\sigma_{o,m} t^M_m} q^1_1 \tag{4.23}
\]

and

\[
r^1_1 \xrightarrow{\sigma_{o,1} u^1_1} r^1_2 \cdots \xrightarrow{\sigma_{o,m-1} u^1_{m-1}} r^1_m \xrightarrow{\sigma_{o,m} u^1_m} r^2_1 \cdots \xrightarrow{\sigma_{o,m-1} u^2_{m-1}} r^2_m \cdots r^N_1 \xrightarrow{\sigma_{o,1} u^N_1} r^N_2 \cdots \xrightarrow{\sigma_{o,m-1} u^N_{m-1}} r^N_m \xrightarrow{\sigma_{o,m} u^N_m} r^1_1 \tag{4.24}
\]

where $t^k_i, u^l_i \in \Sigma_{uo}^*$ for all $i, k, l$. ¤

Define a union FSA $U(G_1, G_2)$ of $G_1$ and $G_2$ such that $L(U(G_1, G_2)) = L(G_1) \cup L(G_2)$ and $s \in L_m(U(G_1, G_2))$ if $s \in L_m(G_1)$ or $s \in L_m(G_2)$. The extension of the union of two FSA to more than two is a recursive operation: $U(G_1, G_2, \ldots, G_m) = U(\ldots U(U(G_1, G_2), G_3) \ldots, G_m)$ where $G_i$ is an FSA for all $i = 1, \ldots, m$.

Let $s$ be a string in $K$ and let $L = L(G) = L_m(G)$. In Lemma 17, we state that the language marked by the product FSA of $G$ and $H_S(\Sigma, s)$ is exactly the set of strings in $L$ that contain $s$ as a substring. In Lemma 18, we generalize Lemma 17 to consider all strings in the pattern $K$ instead of a single string in $K$.

Lemma 17 (S-type). Given $L = L(G) = L_m(G)$, a pattern $K$, and $s \in K$,

\[
L_m(G \times H_S(\Sigma, s)) = S(s, L), \tag{4.25}
\]

and

\[
L(G \times H_S(\Sigma, s)) = L. \tag{4.26}
\]

$^1$ $q \xrightarrow{s} q'$ denotes $q' = \delta(q, s)$ where $q$ and $q'$ are states and $s$ is a string.

Proof. Firstly, we prove that $L(G \times H_S(\Sigma, s)) = L$. By definition of the product operation and $L(G) = L$,

\[
L(G \times H_S(\Sigma, s)) = L \cap L(H_S(\Sigma, s)). \tag{4.27}
\]

The state transition function of $H_S(\Sigma, s)$ is defined at every state of $H_S(\Sigma, s)$ for every event in $\Sigma$. Thus, $L(H_S(\Sigma, s)) = L$. If we substitute this in Equation (4.27), then we have $L(G \times H_S(\Sigma, s)) = L$. This completes the proof.

Secondly, we prove that $L_m(G \times H_S(\Sigma, s)) = S(s, L)$. The proof is in two parts. Let $s = \sigma_1 \ldots \sigma_k$ where $\sigma_i \in \Sigma$ for $i = 1, \ldots, k$, $k$ is an integer, and $\Sigma$ is the event set of $G$.

$L_m(G \times H_S(\Sigma, s)) \subseteq S(s, L)$. Pick $\omega \in L_m(G \times H_S(\Sigma, s))$. Then, by definition of the product operation, $\omega \in L_m(G) = L$ and $\omega \in L_m(H_S(\Sigma, s))$.

By construction of $H_S(\Sigma, s)$, $\omega$ is of the form

\[
\omega = \omega_1\sigma_1 \ldots \omega_k\sigma_k\omega_{k+1}, \tag{4.28}
\]

where $\omega_i \in (\Sigma \setminus \{\sigma_i\})^*$ for $i = 1, \ldots, k, k+1$. Thus, $s$ is a subsequence of $\omega$. Also, $\omega \in L$. Then, $\omega \in S(s, L)$. This completes the first part of the proof.

$S(s, L) \subseteq L_m(G \times H_S(\Sigma, s))$. Pick $\omega \in S(s, L)$. Then, by definition, $\omega \in L$ and $s = \sigma_1 \ldots \sigma_k$ is a subsequence of $\omega$. Thus, $\omega \in L_m(G)$. We need to show that $\omega \in L_m(H_S(\Sigma, s))$. The proof is by the construction of $H_S(\Sigma, s)$.

We have $H_S(\Sigma, s) = (Q_S, \Sigma, \delta_S, q_{S0}, F_S)$. Also, by definition, $\omega$ contains $s$ as a subsequence. Then, $\omega$ is as given in Equation (4.28). If $\delta_S(0, \omega) = k$, then $\omega \in L_m(H_S(\Sigma, s))$. Now,

\[
\delta_S(0, \omega) = \delta_S(\ldots \delta_S(\delta_S(\delta_S(0, \omega_1\sigma_1), \omega_2\sigma_2) \ldots, \omega_k\sigma_k), \omega_{k+1}). \tag{4.29}
\]

By definition of $\delta_S$, $1 \leq \delta_S(0, \omega_1\sigma_1) \leq k$. This is because if $\sigma_1 \notin \omega_1$ then $\delta_S(0, \omega_1\sigma_1) = 1$. Otherwise, if $\sigma_1 \in \omega_1$, then there exists $\omega_{11} \in \omega_1$ such that $\sigma_1 \notin \omega_{11}$. Then, $\delta_S(0, \omega_{11}\sigma_1) = 1$. Thus, $\delta_S(0, \omega_1\sigma_1) \geq 1$.

Also, by definition of $\delta_S$, if $\delta_S(0, z) = i$ where $z \in \Sigma^*$ and $i = 0, 1, \ldots, k$, then $\delta_S(0, z\sigma) = i$ or $\delta_S(0, z\sigma) = i + 1$ for $i = 0, 1, \ldots, k-1$, and $\delta_S(0, z\sigma) = k$ for $i = k$. Then,

\[
\delta_S(0, \omega_1\sigma_1 \ldots \omega_{k-1}\sigma_{k-1}) = \delta_S(\ldots \delta_S(\delta_S(0, \omega_1\sigma_1), \omega_2\sigma_2) \ldots, \omega_{k-1}\sigma_{k-1})
\]

is equal to $k - 1$ or $k$. Thus, $\delta_S(0, \omega) = \delta_S(\delta_S(0, \omega_1\sigma_1 \ldots \omega_{k-1}\sigma_{k-1}), \omega_k\sigma_k\omega_{k+1}) = k$. Thus, $\omega \in L_m(H_S(\Sigma, s))$. This completes the proof. ¤

Lemma 18 (S-type). Given $L = L(G) = L_m(G)$ and a pattern $K$, then

\[
L_m(\textstyle\bigcup_{s \in K}(G \times H_S(\Sigma, s))) = S \tag{4.30}
\]

and

\[
L(\textstyle\bigcup_{s \in K}(G \times H_S(\Sigma, s))) = L. \tag{4.31}
\]

Proof. The proof of $L(\bigcup_{s \in K}(G \times H_S(\Sigma, s))) = L$ follows directly from Lemma 17. The proof of $L_m(\bigcup_{s \in K}(G \times H_S(\Sigma, s))) = S$ is in two parts. Let $U = \bigcup_{s \in K}(G \times H_S(\Sigma, s))$.

$L_m(U) \subseteq S(K, L)$. Pick $\omega \in L_m(U)$. By definition of the union operation, $\omega \in L_m(G \times H_S(\Sigma, s))$ for some $s \in K$. Then, by Lemma 17, $\omega \in S(s, L)$. Thus, $\omega \in S$.

$S \subseteq L_m(U)$. Pick $\omega \in S$. Then, there exists an $s \in K$ such that $\omega \in S(s, L)$. Then, by Lemma 17, $\omega \in L_m(G \times H_S(\Sigma, s))$. By definition of the union operation, $\omega \in L_m(U)$. ¤

In the following theorem, we state the necessary and sufficient condition for S-type pattern diagnosability of a regular language with respect to a pattern.

Theorem 19 (S-type). A prefix-closed, live language $L = L(G) = L_m(G)$ is S-type pattern diagnosable with respect to pattern $K$ and projection $P$ iff $Obs(\bigcup_{s \in K}(G \times H_S(\Sigma, s)))$ does not contain any marking-indeterminate cycles.

Proof. The proof is in two parts. For readability of the proof, let $U = \bigcup_{s \in K}(G \times H_S(\Sigma, s))$, and drop $K$ and $L$ in $\Psi_S(K, L)$ in Definition 11 and use $\Psi_S$ instead. Similarly for $S$. Let

\[
U = (Q, \Sigma, \delta, q_0, F), \tag{4.32}
\]

\[
Obs(U) = (X, \Sigma_o, \delta_o, x_0). \tag{4.33}
\]

($\Rightarrow$) We first show that if $L$ is S-type pattern diagnosable, then $Obs(U)$ does not contain any marking-indeterminate cycle. The proof is by contradiction.

Suppose that $\{x_1, \ldots, x_m\} \subseteq X$ and $\sigma_{o,1} \ldots \sigma_{o,m} \in \Sigma_o^*$ form a marking-indeterminate cycle in $Obs(U)$. Consider Definition 16 of a marking-indeterminate cycle. Without loss of generality, pick a marked state $q^1_1 \in F$ in $x_1$. Since $q^1_1$ is a marked state of $U$, there exists $\omega \in L_m(U)$ such that $q^1_1 = \delta(q_0, \omega)$.

By Lemma 17, since $\omega \in L_m(U)$, there exists an $s \in K$ such that $\omega \in S(s, L)$. We now consider the following two cases: (i) $\omega \in \Psi_S$, and (ii) $\omega \notin \Psi_S(\Sigma, s)$.

Case (i): There exists $\omega_1 \in L/\omega$ such that $\omega_1 = (\sigma_{o,1} t^1_1 \ldots \sigma_{o,m})^{M_1} t^M_m$, and $q^k_i \in F$ for $i = 1, \ldots, m$ and $k = 1, \ldots, M$ form a cycle of marked states in $U$ as shown in Equation (4.23), where $M_1$ is an integer.

By definition of a marking-indeterminate cycle, there exists another cycle in $U$ formed by states that are not marked. Let $r^1_1 = \delta(q_0, \omega')$ where $P(\omega') = P(\omega)$. There exists $\omega'_1 \in L/\omega'$ such that $\omega'_1 = (u^1_1 \sigma_{o,1} \ldots u^N_m \sigma_{o,1})^{N_1}$, and $r^l_i \in Q \setminus F$ for $i = 1, \ldots, m$ and $l = 1, \ldots, N$ form a cycle of unmarked states in $U$ as shown in Equation (4.24), where $N_1$ is an integer.

We choose $M_1$ and $N_1$ such that $P(\omega\omega_1) = P(\omega'\omega'_1)$ and $M_1$ is greater than $n$. For all $i = 1, \ldots, m$ and $l = 1, \ldots, N$, $r^l_i$ is not marked. Thus, $\omega'\omega'_1 \notin L_m(U)$. Then, by Lemma 18, $\omega'\omega'_1 \notin S$. On the other hand, since $\omega \in S$, $\omega\omega_1 \in S$. This violates DSP in Definition 11, because there exist $\omega\omega_1 \in S(\Sigma, s)$ and $\omega'\omega'_1 \notin S(\Sigma, s)$ with $P(\omega\omega_1) = P(\omega'\omega'_1)$ even though $\omega_1$ is long enough. Thus, $L$ is not S-type pattern diagnosable with respect to $K$ and $P$. This is a contradiction.

Case (ii): Suppose that $q^1_1 = \delta(q_0, \omega)$. Since $\omega \notin \Psi_S$ and $\omega \in S$, there exists a prefix $v$ of $\omega$ such that $v \in \Psi_S$. The rest of the proof is similar to the proof of Case (i) and is omitted here.

($\Leftarrow$) We show that if $Obs(U)$ does not contain any marking-indeterminate cycles, then $L$ is S-type pattern diagnosable. The proof is by contradiction.

Suppose that $L$ is not S-type pattern diagnosable; then we have

\[
(\forall n \in \mathbb{N})(\exists s \in \Psi_S)(\exists t \in L/s)[(\| t \| \geq n) \wedge \neg DSP] \tag{4.34}
\]

where

\[
\neg DSP : P^{-1}P(st) \cap (L \setminus S) \neq \emptyset. \tag{4.35}
\]

Pick $n_1 \geq \max(|Obs(U)|, |U|)$. By Equation (4.34), there exist $s_1 \in \Psi_S$ and $t_1 \in L/s_1$ such that $\| P(t_1) \| \geq n_1$ and $P^{-1}P(s_1t_1) \cap (L \setminus S) \neq \emptyset$. By the pumping lemma for regular sets, $t_1 = uv^mz$ where $u, v, z \in \Sigma_o^*$ and $m$ is an integer.

By Proposition 10, $s_1uv^mz \in S(K, L)$. By Lemma 18, $s_1uv^mz \in L_m(U)$. Let the cycle be formed by $\{q_1 \ldots q_M\} \subseteq Q$ and $v = \sigma_1 \ldots \sigma_M$ in $U$, where $M$ is an integer. Then, $q_i \in F$ for all $i = 1, \ldots, M$.

By the condition in Equation (4.35), there exists $\omega \in L \setminus S$ such that $P(\omega) = P^{-1}P(s_1t_1)$. By Lemma 18, if $\omega \in L \setminus S$, then $\omega \notin L_m(U)$ and $\omega \in L(U)$.

By the pumping lemma for regular languages, $\omega$ contains a cycle. Let the cycle be formed by $\{r_1 \ldots r_N\} \subseteq Q$ and $v' = \sigma'_1 \ldots \sigma'_N$ in $U$, where $N$ is an integer. Since $P(\omega) = P^{-1}P(s_1t_1)$, $P(v) = P(v')$. Since $\omega \in L(U) \setminus L_m(U)$ and by Proposition 10, $r_j \in Q \setminus F$ for $j = 1, \ldots, N$. Thus, $\{q_1 \ldots q_M\} \subseteq Q$ with $v$ and $\{r_1 \ldots r_N\} \subseteq Q \setminus F$ with $v$ form a marking-indeterminate cycle. This is a contradiction. ¤

We consider illustrative examples to present the notions and results of S-type

diagnosability introduced in this section. We use [33] to build FSA and perform

(language-based) operations on FSA. Example 20 considers a language L that is S-

type pattern diagnosable with respect to a pattern K1. In Example 21, the language

L is not S-type pattern diagnosable with respect to a pattern K2 that is a subset of

K1.

Example 20 (S-type pattern diagnosability). Consider G in Fig. 4.1. Suppose that Σ = {a, b, c, d, e} and Σo = {b, d}. Let L = L(G) and K1 = {ab, dc}. Then, the union FSA U = ∪s∈K1(G × HS(Σ, s)) and Obs(U) are as shown in Figures 4.4 and 4.5, respectively. Neither of the cycles in Obs(U) is marking-indeterminate. Thus, L is S-type pattern diagnosable with respect to K1 (as argued in Section 4.3). □

Example 21 (S-type pattern diagnosability). Consider the G and Σuo in Example 20. Let K2 = {ab}. The union FSA U = ∪s∈K2(G × HS(Σ, s)) and Obs(U) are built as shown in Figures 4.6 and 4.7, respectively. Both of the cycles in Obs(U) are marking-indeterminate. Consider the cycle formed by {6, 5} and d. The observer state {6, 5} is marking-uncertain since 6 is marked in U but 5 is not. In addition,


Figure 4.4: U = ∪s∈K1(G × HS(Σ, s)) where K1 = {ab, dc} and Σ = {a, b, c, d, e}. (State-transition diagram not reproduced.)

Figure 4.5: Obs(U) for K1 = {ab, dc} where Σo = {b, d}. (Diagram not reproduced.)

there is a cycle formed by 6 and d, i.e., a cycle of marked states, and another cycle formed by 5 and d, i.e., a cycle of states that are not marked. Thus, the cycle formed by {6, 5} and d is marking-indeterminate. Similarly, the cycle formed by {9, 11} and b is marking-indeterminate. Thus, L is not S-type pattern diagnosable with respect to K2 (as argued in Section 4.3). □

Figure 4.6: U = ∪s∈K2(G × HS(Σ, s)) where K2 = {ab} and Σ = {a, b, c, d, e}. (State-transition diagram not reproduced.)

Figure 4.7: Obs(U) for K2 = {ab} where Σo = {b, d}. (Diagram not reproduced.)

In the rest of this section, we consider the verification of T-type pattern diagnosability. We restate Lemmas 17 and 18 in the context of T-type pattern diagnosability in Lemmas 22 and 23, respectively.

Lemma 22 (T-type). Given L = L(G) = Lm(G), a pattern K, and s ∈ K,

Lm(G×HT (Σ, s)) = T (s, L), (4.36)

and

L(G×HT (Σ, s)) ⊆ L. (4.37)

Proof. Firstly, we prove that L(G×HT (Σ, s)) ⊆ L. By definition of the product

operation, we have

L(G×HT (Σ, s)) = L(G) ∩ L(HT (Σ, s)) (4.38)

⊆ L ∩ L(HT (Σ, s)) (4.39)

⊆ L. (4.40)

Secondly, we prove that Lm(G × HT (Σ, s)) = T (s, L). Let s = σ1 . . . σk where

σi ∈ Σ for i = 1, . . . , k, k is an integer and Σ is the event set of G.

Lm(G × HT(Σ, s)) ⊆ T(s, L). Pick ω ∈ Lm(G × HT(Σ, s)). Then, by definition of the product operation ω ∈ Lm = L and ω ∈ HT(Σ, s). By construction of HT(Σ, s) (see [32] for correctness of the construction), ω is of the form

ω = ω1σ1 . . . σkω2, (4.41)

where ω1 ∈ (Σ \ {σ1})∗ and ω2 ∈ Σ∗. Then, s is a substring of ω. Thus, ω ∈ T(s, L).

T (s,L) ⊆ Lm(G×HT (Σ, s)). Pick ω ∈ T (s, L). Then, ω ∈ L and s is a

substring of ω. Thus, ω ∈ Lm(G).


Since s is a substring of ω, ω ∈ L is of the form ω = ω1sω2 where ω1 and

ω2 are in Σ∗. By construction of HT (Σ, s), ω1sω2 ∈ Lm(HT (Σ, s)). Thus, ω ∈

L ∩ Lm(HT(Σ, s)). This completes the proof. □

Lemma 23 (T-type). Given L = L(G) = Lm(G) and a pattern K,

Lm(∪s∈K(G × HT(Σ, s))) = T (4.42)

and

L(∪s∈K(G × HT(Σ, s))) ⊆ L. (4.43)

Proof. The proof of Lm(∪s∈K(G × HT(Σ, s))) = T is similar to the proof of Lemma 18, thus, omitted here.

The proof of the inequality L(∪s∈K(G × HT(Σ, s))) ⊆ L is as follows. Let U = ∪s∈K(G × HT(Σ, s)). Then, by definition of the union operation and Lemma 22,

L(U) = ∪s∈K L(G × HT(Σ, s)) (4.44)

⊆ L. (4.45)

This completes the proof. □

The results of Lemma 22 differ slightly from the analogous ones in Lemma 17; similarly for Lemmas 23 and 18. In T-type pattern diagnosability, the equations on the language generated become inequalities instead of equalities. We explain this in the following. In S-type pattern diagnosability, when we form HS(Σ, s) for some s ∈ K, any event in G is feasible from any state in HS(Σ, s). Thus, the product of G and HS(Σ, s) contains all the strings in the language generated by G. However, in T-type pattern diagnosability, when we form HT(Σ, s), there may be events in G that are not feasible from some states in HT(Σ, s). Hence the inequalities in Lemmas 22 and 23. We consider in Example 24 an illustration of this technicality.


Example 24 (T-type pattern diagnosability). Consider G in Fig. 4.2. Suppose that Σ = {a, b, c, d, e} and Σo = {b, d}. Let L = L(G) and K = {dc}. The FSA HT(Σ, dc) is shown in Fig. 4.8. The product of G and HT(Σ, dc) is shown in Fig. 4.9. The strings dacbd∗ are in the product but not in G. □

Figure 4.8: HT(Σ, dc) where Σ = {a, b, c, d, e}. (State-transition diagram not reproduced.)

Figure 4.9: G × HT(Σ, s) where K = {dc} and Σ = {a, b, c, d, e}. (State-transition diagram not reproduced.)

We now define an FSA to convert the inequalities in Lemmas 22 and 23 into equalities. Let G = (Q, Σ, δ, q0, F). We build the FSA C(G) = (Q, Σ, δ, q0, ∅). By definition L(C(G)) = L(G) and Lm(C(G)) = ∅.

Lemma 25 (T-type). Given L = L(G) = Lm(G) and a pattern K,

L(∪(C(G), ∪s∈K(G × HT(Σ, s)))) = L. (4.46)

Proof. Let U = ∪(C(G), ∪s∈K(G × HT(Σ, s))). By definition of the union operation

L(U) = L(C(G)) ∪ L(∪s∈K(G × HT(Σ, s))). (4.47)

The proof is in two parts.

L(U) ⊆ L. By definition L(C(G)) = L(G) = L. By Lemma 23, L(∪s∈K(G × HT(Σ, s))) ⊆ L. Thus, by Equation 4.47, we have L(U) ⊆ L.

L ⊆ L(U). By Equation 4.47, L(C(G)) ⊆ L(U). By definition, L(C(G)) = L. Then, L ⊆ L(U). □

We state the necessary and sufficient condition for T-type pattern diagnosability

in Theorem 26.

Theorem 26 (T-type). A prefix-closed, live language L = L(G) is T-type pattern diagnosable with respect to pattern K and projection P iff Obs(∪(C(G), ∪s∈K(G × HT(Σ, s)))) does not contain any marking-indeterminate cycle.

The proof of Theorem 26 is similar to the proof of Theorem 19, thus, omitted here.

The statements of Theorems 19 and 26 are similar except for the C(G). Formally, the reason for including C(G) in Theorem 26 is as follows. Let L = L(G) be a prefix-closed, live language, ω, ω′ ∈ L, and ω ∈ Lm(∪s∈K(G × HT(Σ, s))) and ω′ ∉ L(∪s∈K(G × HT(Σ, s))). We know that such ω and ω′ may exist by Lemmas 23 and ??. Suppose that P(ω) = P(ω′). Then, ω′ ∈ P−1P(ω) ∩ L. If ω and ω′ are long enough, then the diagnosability condition DTP in Definition 12 is violated. Thus, L is not T-type pattern diagnosable with respect to K and P. We now consider the observer Obs(∪s∈K(G × HT(Σ, s))). By Theorem 26, ω and ω′ should contain suffixes that are parts of an indeterminate cycle. However, by assumption ω′ ∉ L(∪s∈K(G × HT(Σ, s))). Then, Obs(∪s∈K(G × HT(Σ, s))) may not contain the marking-indeterminate cycle. Thus, we may conclude that L is pattern diagnosable with respect to K and P. As a result, if we do not include C(G) in the union operation in Theorem 26, then Theorem 26 results in a sufficient but not necessary condition for T-type pattern diagnosability.

We present the following illustrative examples. Example 27 considers a language

L that is T-type pattern diagnosable with respect to a pattern K1. Example 28 is a

counter-example to show that S-type pattern diagnosability does not imply T-type

pattern diagnosability, in general.

Example 27 (T-type pattern diagnosability). Consider G in Fig. 4.2. Suppose that Σ = {a, b, c, d, e} and Σo = {b, d}. Let L = L(G) and K1 = {ab, dc}. The union FSA U defined in Theorem 26 is built from G, HT and K1 and shown in Fig. 4.10. The observer FSA Obs(U) shown in Fig. 4.11 does not have marking-indeterminate cycles. Thus, L is T-type pattern diagnosable with respect to K1 (as argued in Section 4.3). □

Example 28 (S-type vs. T-type pattern diagnosability). Consider G in Fig. 4.12. Suppose that Σ = {a, b, c, d} and Σo = {b, d}. Let L = L(G) and K = {ab, dc}. The union FSA US defined in Theorem 19 is built from G, HS and K and is shown in Fig. 4.13. The observer FSA Obs(US) is shown in Fig. 4.14. The observer FSA does not contain any marking-indeterminate cycle. Thus, L is S-type pattern diagnosable.


Figure 4.10: UT = ∪(C(G), ∪s∈K(G × HT(Σ, s))) where K = {ab, dc} and Σ = {a, b, c, d, e}. (State-transition diagram not reproduced.)

Figure 4.11: Obs(U) where Σo = {b, d}. (Diagram not reproduced.)

Consider UT = ∪s∈K(G × HT(Σ, s)) defined in Theorem 26. The union FSA is shown in Fig. 4.15. The observer FSA Obs(UT) shown in Fig. 4.16 contains a marking-indeterminate cycle, i.e., the cycle formed by {9, 10, 5} and b. Thus, L is not T-type pattern diagnosable. □

Figure 4.12: G. (State-transition diagram not reproduced.)

4.5 Case Study: An Implementation of Pattern Diagnosis

We now consider an illustrative example of an implementation of the theory of pattern diagnosis to intrusion detection in networked systems. In [31], the authors develop a tool called BackTracker that builds dependency graphs to identify the sequences of operating-system (OS) level events that led to an intrusion. Then, an administrator may analyze these sequences of events to quickly identify vulnerabilities in the system. However, the dependency graphs generated by BackTracker may contain too many events for an administrator to run a quick analysis. Thus, in [31], the authors apply some filtering rules to reduce the size of the dependency graphs.

Our objective is to help the administrator filter the dependency graphs using a set of observable events and analyze the graph for a smaller and relevant set of observable events or for vulnerabilities in the system to a known or a possible intrusion. That is, the administrator may build a pattern for a known or possible intrusion and verify the diagnosability (of the dependency graph) of the system with respect to the pattern and the set of observable events. Also, the administrator may design a variant of an intrusion by embedding the original intrusion pattern with unobservable events and then, verify the diagnosability of the dependency graph with respect to these variants.

Figure 4.13: US = ∪s∈K(G × HS(Σ, s)) where K = {ab, dc} and Σ = {a, b, c, d}. (State-transition diagram not reproduced.)

Figure 4.14: Obs(US) for K = {ab, dc} where Σo = {b, d}. (Diagram not reproduced.)

Figure 4.15: UT = ∪s∈K(G × HT(Σ, s)) where K = {ab, cd} and Σ = {a, b, c, d}. (State-transition diagram not reproduced.)

Figure 4.16: Obs(UT) for K = {ab, cd} where Σo = {b, d}. (Diagram not reproduced.)


Time | Log
0 | process A creates process B
1 | process B writes file 1
2 | process B writes file 2
3 | process A reads file 0
4 | process D busy process D
5 | process A creates process D
6 | process C reads file 1
7 | process A creates process C
8 | process C reads file 2
9 | process C writes file X
10 | file X busy file X

Table 4.1: The sample event log.

Consider the sample event log in Table 4.1. Build the dependency graph in the form of a nondeterministic FSA. The FSA is shown in Fig. 4.17. The event set is Σ = {busy, create, read, write}. Let L = L(G) and K = {read write} be the pattern. Then, US = G × HS(Σ, read write) is as shown in Fig. 4.18.

First, suppose that Σo,1 = {busy, create}. Then, Obs(US) shown in Fig. 4.19 contains a marking-indeterminate cycle. Thus, for Σo,1, L is not S-type pattern diagnosable with respect to K.

Then, suppose that Σo,2 = {busy, write}. Obs(US) shown in Fig. 4.20 does not contain any marking-indeterminate cycles. Thus, for Σo,2, L is S-type pattern diagnosable with respect to K.

In this implementation, we see that different sets of observable events may result

in different answers for the diagnosability of a language with respect to a pattern. So,

filtering the dependency graph with different sets of events may result in detection

of an intrusion in one case but not in another.
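The S-type test of this case study written out as an added example (not the dissertation's code, which used DESUMA): it encodes the dependency graph of Table 4.1 as the nondeterministic FSA G, builds US = G × HS(Σ, read write), the observer for a chosen Σo, and then searches Obs(US) for marking-indeterminate cycles. The state names follow Fig. 4.17; the assumption made here is that read edges run from the file to the reading process (the BackTracker dependency direction), which is what makes file_0 the initial state.

```python
"""S-type pattern diagnosability test (Theorem 19) on the BackTracker event
log of Table 4.1.  Added example, not the dissertation's code (it used DESUMA);
H_S is the subsequence recognizer described in Section 4.4."""
# G of Fig. 4.17: row "X op Y" of Table 4.1 is the edge X --op--> Y, except reads,
# oriented file --read--> process (assumed: data flows to the reader); file_0 starts.
G_INIT = "file_0"
G_TRANS = [  # (source, event, target), one per row of Table 4.1
    ("process_A", "create", "process_B"), ("process_B", "write", "file_1"),
    ("process_B", "write", "file_2"), ("file_0", "read", "process_A"),
    ("process_D", "busy", "process_D"), ("process_A", "create", "process_D"),
    ("file_1", "read", "process_C"), ("process_A", "create", "process_C"),
    ("file_2", "read", "process_C"), ("process_C", "write", "file_X"),
    ("file_X", "busy", "file_X"),
]
SIGMA = {"busy", "create", "read", "write"}
PATTERN = ("read", "write")  # K = {read write}

def recognizer(sigma, s):
    """H_S(Sigma, s): state i has matched s[:i]; s[i] advances, all else loops."""
    k = len(s)
    return {(i, e): i + 1 if i < k and e == s[i] else i
            for i in range(k + 1) for e in sigma}, k

def product(g_init, g_trans, sigma, s):
    """U = G x H_S on its reachable part; a state is marked iff H_S is in k."""
    h, k = recognizer(sigma, s)
    trans, seen, todo = set(), {(g_init, 0)}, [(g_init, 0)]
    while todo:
        q, i = todo.pop()
        for src, e, dst in g_trans:
            if src == q:
                nxt = (dst, h[(i, e)])
                trans.add(((q, i), e, nxt))
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return (g_init, 0), trans, seen, {x for x in seen if x[1] == k}

def uo_reach(states, trans, obs, allowed):
    """Close `states` under unobservable transitions that stay inside `allowed`."""
    reach = set(states) & allowed
    todo = list(reach)
    while todo:
        q = todo.pop()
        for src, e, dst in trans:
            if src == q and e not in obs and dst in allowed and dst not in reach:
                reach.add(dst)
                todo.append(dst)
    return frozenset(reach)

def step(states, e, trans, obs, allowed):
    """States reached from `states` by t e (t unobservable) without leaving
    `allowed`; with allowed = all states this is the observer transition."""
    before = uo_reach(states, trans, obs, allowed)
    after = {d for s, ev, d in trans if s in before and ev == e and d in allowed}
    return uo_reach(after, trans, obs, allowed)

def observer(init, trans, states, obs):
    """Obs(U) by subset construction; returns (initial state, edge dict)."""
    x0 = uo_reach({init}, trans, obs, states)
    edges, seen, todo = {}, {x0}, [x0]
    while todo:
        x = todo.pop()
        for e in obs:
            y = step(x, e, trans, obs, states)
            if y:
                edges[(x, e)] = y
                if y not in seen:
                    seen.add(y)
                    todo.append(y)
    return x0, edges

def marking_indeterminate_cycles(obs, g_init=G_INIT, g_trans=G_TRANS,
                                 sigma=SIGMA, pattern=PATTERN):
    """Observer states on a marking-indeterminate cycle: one traced both by a
    marked and by an unmarked cycle of U (searched on (q_marked, q_unmarked, x))."""
    init, trans, states, marked = product(g_init, g_trans, sigma, pattern)
    x0, edges = observer(init, trans, states, obs)
    xs = set(edges.values()) | {x0}
    nodes = {(qm, qu, x) for x in xs for qm in x & marked for qu in x - marked}
    succ = {(qm, qu, x): {(a, b, edges[(x, e)]) for e in obs if (x, e) in edges
                          for a in step({qm}, e, trans, obs, marked)
                          for b in step({qu}, e, trans, obs, states - marked)}
            for qm, qu, x in nodes}
    on_cycle = set()
    for v in nodes:  # v lies on a cycle iff it is reachable from its successors
        stack, seen = list(succ[v]), set()
        while stack:
            w = stack.pop()
            if w == v:
                on_cycle.add(v[2])
                break
            if w not in seen:
                seen.add(w)
                stack.extend(succ[w])
    return on_cycle

def s_type_diagnosable(obs):
    """Theorem 19: diagnosable iff Obs(U) has no marking-indeterminate cycle."""
    return not marking_indeterminate_cycles(obs)
```

With Σo,1 = {busy, create} the only offending observer state is {(process_D, 1), (file_X, 2)}, the busy self-loop of Fig. 4.19; with Σo,2 = {busy, write} no observer state is both marking-uncertain and on a cycle.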


Figure 4.17: G, the dependency graph of Table 4.1 with states process_A, process_B, process_C, process_D, file_0, file_1, file_2 and file_X and events create, write, read and busy. (Diagram not reproduced.)

4.6 Conclusion

We have generalized the notion of diagnosability of single events in prior works to diagnosability of sequences of events in partially-observed discrete-event systems. We have considered two types of pattern diagnosability: S-type and T-type. We have shown that there exist necessary and sufficient conditions for both types of pattern diagnosability. We have developed an implementable test to verify the necessary and sufficient condition for each type of pattern diagnosability. We have also provided the reader with a possible application of the theory to intrusion detection in networked systems.


Figure 4.18: US. (State-transition diagram not reproduced.)

Figure 4.19: Obs(US) contains a marking-indeterminate cycle. (Diagram not reproduced.)


Figure 4.20: Obs(US) does not contain any marking-indeterminate cycles. (Diagram not reproduced.)


CHAPTER V

Prediction of Event Occurrences

5.1 Introduction

This chapter addresses the problem of predicting occurrences of a significant

(e.g., fault) event in a discrete-event system (DES). The system under consideration

is modeled by a language over an event set. The event set is partitioned into ob-

servable events (e.g., sensor readings, changes in sensor readings) and unobservable

events, i.e., the events that are not directly recorded by the sensors attached to the

system. The objective is to predict occurrences of a possibly unobservable event in

the system behavior, based on the strings of observable events. If it is possible to

predict occurrences of an event in the system, then depending on the nature of the

event the system operator can be warned and the operator may decide to halt the

system or otherwise take preventive measures.

To the best of our knowledge, the notion of predictability that is introduced and studied in this chapter is different from prior works on other notions of predictability in [9, 6, 57, 19]. For instance, the prediction problem considered in [9] is related to the properties of a special type of projection between two languages (sets of trajectories); this is much more general than our objective, which is to predict occurrences of specific events, but our work is not a special case. The state prediction of coupled


automata studied in [6] is formulated as computing the state vector of n identical

automata after T steps in the operation of the system; the system structure in this

work is different from ours. In our case the interest is on a single automaton and event

prediction, not state, under partial observation. The notion of prediction considered

in [57] differs from the one in our work in the sense that in [57] predictability of a

system is a necessary condition for diagnosability of the system while in our work

diagnosability is a necessary condition for predictability. The prediction problem

studied in [19] considers issuing a warning when it is likely for a fault to happen

in the future evolution of the system; in our work, if the occurrence of an event is

predictable in a language, then it is certain that the event will occur. Also, in [19],

it is possible that false fault prediction warnings are issued; in our work, no false

positives are issued.

The problem of prediction studied in this chapter is inspired by the problem

of fault diagnosis for DES. The problem of fault diagnosis for DES has received

considerable attention in the last decade (see the references in [55]) and diagnosis

methodologies based on the use of discrete-event models have been successfully used

in a variety of technological systems ranging from document processing systems to

intelligent transportation systems. A discrete-event process called diagnoser intro-

duced in [55] is of particular relevance to the present work. Later in the chapter, the

diagnoser is used to derive a necessary and sufficient condition for predictability in

systems modeled by regular languages.

The rest of the chapter is organized as follows. In Section 5.2, the notation and frequently used terms are introduced. In Section 5.3, the predictability of occurrences of an event in a system is defined in the context of formal languages. The predictability property of a language is a stronger condition than the diagnosability of the language as defined in [55]. In Section 5.4, it is shown that in the case of regular languages, there exists a necessary and sufficient condition for predicting occurrences of an event in the language in the form of a test on diagnosers. In Section 5.5, a summary of the results in the chapter is presented, and concluding remarks are given.

5.2 Preliminaries

We present in the following the notation and frequently used terms that are not defined in the previous chapters of the thesis. Let Σ be a finite set of events. Given an event σ ∈ Σ and a string s ∈ Σ∗, we use the set notation σ ∈ s to say that σ appears at least once in s. Let L be a prefix-closed and live language over Σ. Given an event σ ∈ Σ and L, Ψ(σ, L) is the set of strings in L that end with σ. Formally,

Ψ(σ, L) = {sσ ∈ L : s ∈ Σ∗, σ ∈ Σ}.

5.3 Problem Statement

In this section, we define the problem of predicting occurrences of an event in

a system that is under partial observation. We model the system as a language L

over an event set Σ. The event to be predicted may be an unobservable event or an

observable one. First, we present an illustrative example to introduce the notion of

predictability. Then, we give the formal definition for predictability of the occurrence

of an event. We conclude the section by comparing the diagnosability of a language

L as defined in [55] to the predictability of L.

Roughly speaking, the occurrence of an event in a language is predictable if it is possible to infer about future occurrences of the event based on the observable record of strings that do not contain the event to be predicted. Consider any string s in Ψ(σp, L) where σp is the event to be predicted. We wish to find a prefix t of s such that t does not contain σp and all the long-enough continuations in L of the strings with the same projection as t contain σp. If there is at least one such t, then the occurrence of σp is predictable in L.

Consider the prefix-closed, live language generated by the automaton shown in Fig. 5.1. The language generated is

L = aabcpc∗ + abpc∗ + bpac∗ + ac∗, (5.1)

where Σuo = {a, p} and Σo = {b, c}. Let p be the event to be predicted. The set of strings that end with p is

Ψ(p, L) = {aabcp, abp, bp}. (5.2)

In order to show that p is predictable in L, we must find an n ∈ N and a t ∈ s

for all s ∈ Ψ(p, L) such that p /∈ t and for all u and its continuations v ∈ L/u if

• u records the same string of observable events as t, i.e., P (t) = P (u), and

• u does not contain p, i.e. p /∈ u, and

• v is of length greater than n ∈ N, i.e. ‖ v ‖≥ n,

then v contains p.

Let us start with s = aabcp ∈ Ψ(p, L). Then t ∈ aabc. Suppose that t = aa. Then, P−1(aa) ∩ (Σ \ {p})∗ ∩ L = {ε, a, aa}. If u = a, then L/u = abcpc∗ + bpc∗ + c∗. Since p ∉ c∗, there is a continuation of u that does not contain p. Then, there exists a string which records the same string of observable events as t and not all of its continuations contain p. Thus, t = aa is a wrong choice to prove the predictability of p. Suppose that t = aab. For all u ∈ P−1(aab) ∩ (Σ \ {p})∗ ∩ L = {aab, ab, b} and for all v ∈ L/u such that ‖ v ‖ ≥ 2, v contains p. Thus, t = aab is a right choice for s = aabcp ∈ Ψ(p, L). Similarly, it can be verified that t = ab and t = b work for s = abp and s = bp in Ψ(p, L), respectively.

Figure 5.1: G. (State-transition diagram not reproduced.)

Based on the above discussion, we formally define the notion of predictability.

Definition 29. Given L a prefix-closed, live language over Σ, occurrences of event

σp ∈ Σ are predictable in L with respect to P if

(∃n ∈ N)(∀s ∈ Ψ(σp, L))(∃t ∈ s)[(σp /∈ t) ∧P]

where

P : (∀u ∈ L)(∀v ∈ L/u)[(P (u) = P (t)) ∧ (σp /∈ u) ∧ (‖ v ‖≥ n) ⇒ (σp ∈ v)].


5.3.1 Diagnosability vs. Predictability

The predictability of occurrences of an event σp in a prefix closed and live language

L is stronger than the diagnosability of L with respect to σp. We consider the

diagnosability as defined in [55] in the context of formal languages. Roughly speaking,

L is diagnosable with respect to σp if it is possible to detect occurrences of σp with

a finite delay. For the sake of completeness, we recall in Definition 30 the formal

definition of diagnosability.

Definition 30. A prefix-closed and live language is diagnosable with respect to P

and σp if

(∃n ∈ N)(∀s ∈ Ψ(σp, L))(∀t ∈ L/s)[‖ t ‖≥ n ⇒ D]

where

D : ω ∈ P−1P (st) ∩ L ⇒ σp ∈ ω.

We now present an illustrative example where a language is diagnosable with respect to an event but the occurrence of the event is not predictable. We consider the language generated by the automaton shown in Fig. 5.2. The language is

L = eac∗ + abepd∗ + abcd∗ + aebpdd∗ (5.3)

where Σo = {a, b, c, d} and Σuo = {e, p}.

In this case, the occurrence of p is not predictable. Let s = abep ∈ Ψ(p, L). Then, t ∈ abe. For any t ∈ abe, we always have the string abcd^n where n ≥ 0, which does not contain p. Thus, there does not exist a t so that Definition 29 is satisfied for p. However, the occurrence of p (an unobservable event) can be detected with a finite delay. After the observation of abd, we are certain that p has occurred at least once. Thus, L is diagnosable with respect to p but the occurrence of p is not predictable in L.

Figure 5.2: G. (State-transition diagram not reproduced.)

The following proposition follows directly from the above definitions.

Proposition 31. Given a prefix-closed and live language L ⊆ Σ∗, if occurrences of

σp ∈ Σ are predictable in L with respect to P , then L is diagnosable with respect to

P and σp.

Proof. Pick s1 ∈ Ψ(σp, L). By Definition 29, there exists n1 ∈ N and z1 ∈ s1 such that σp ∉ z1 and P is satisfied. We need to show that for all t1 ∈ L/s1 if ‖ t1 ‖ ≥ n for some positive integer n, then for all ω ∈ P−1P(s1t1) ∩ L, ω contains σp. Let s1 = z1z2. If ω ∈ P−1P(s1t1) ∩ L, then ω ∈ P−1P(z1)P−1P(z2t1) ∩ L. Choose n such that for all ‖ t1 ‖ ≥ n, if ω ∈ P−1P(s1t1) ∩ L, ω = ω1ω2, and P(ω1) = P(z1), then ‖ ω2 ‖ ≥ n1. Suppose that there exists ω such that σp ∉ ω. Then, σp ∉ ω1 and σp ∉ ω2. By the condition P in Definition 29, for all v ∈ L/u if P(u) = P(z1), σp ∉ u, and ‖ v ‖ ≥ n1, then σp ∈ v. Thus, σp ∈ ω2. This is a contradiction. Thus, there is no ω ∈ P−1P(s1t1) ∩ L such that σp ∉ ω. This completes the proof. □

5.4 Verification of Predictability for Regular Languages

In this section, we consider systems modeled by regular languages. Regular lan-

guages are the languages that are accepted (or generated) by Finite State Automata

(FSA). An FSA is a four-tuple

G = (Q, Σ, δ, q0) (5.4)

where Q is the set of states, Σ is the finite set of events, δ : Q× Σ → Q is the state

transition function and q0 is the initial state.

The necessary and sufficient condition (presented later in this section) for pre-

dictability is based on a discrete-event process called diagnoser. The diagnoser is an

FSA built for the system with respect to a projection P onto the set of observable

events and to a given event. Let G = (Q, Σ, δ, q0) be an FSA that generates language

L. We denote by DG the diagnoser built for G and σp ∈ Σ. The diagnoser DG is of

the form

DG = (QD, Σo, δD, qD,0, σp), (5.5)

where QD is the set of diagnoser states, δD : QD × Σo → QD is the diagnoser state transition function, qD,0 ∈ QD is the initial diagnoser state. The diagnoser state space QD is a subset of 2^(Q×{N, F1}). State qD ∈ QD is of the form

qD = {(q1, l1), . . . , (qn, ln)}, (5.6)

where qi ∈ Q and li ∈ {N, F1} for i = 1, . . . , n. In this chapter, a diagnoser state does not contain its unobservable reach, unlike the case in previous chapters.

Let qD and q′D be two diagnoser states in QD such that q′D is reached from qD by σo ∈ Σo, i.e., q′D = δD(qD, σo) is defined. Let

qD = {(q1, l1), . . . , (qm, lm)}

and

q′D = {(q′1, l′1), . . . , (q′n, l′n)}.

For all i ∈ {1, . . . , n}, there exists j ∈ {1, 2, . . . , m} such that

q′i = δ(qj, s), (5.7)

where s = tσo and t ∈ Σuo∗, and

l′i = F1, if lj = F1 or (σp ∈ s); N, if lj = N and (σp ∉ s). (5.8)

We say that a diagnoser state qD = {(q1, l1), . . . , (qm, lm)} ∈ QD for m ∈ N is normal if lj = N for all j = 1, . . . , m; certain if lj = F1 for all j = 1, . . . , m; and uncertain if there exist lj = N and li = F1 for some i, j ∈ {1, . . . , m}. We denote by Q^N_D ⊆ QD the set of diagnoser states that are normal, by Q^U_D ⊆ QD the set of diagnoser states that are uncertain, and by Q^C_D ⊆ QD the set of diagnoser states that are certain.

Consider FSA G in Fig. 5.1. Let Σuo = {a, p}. The diagnoser¹ for G and p is as shown in Fig. 5.7. The diagnoser state {1N, 8N, 3N} is normal, {9N, 6F1, 5F1} is uncertain, and {10F1, 6F1, 5F1} is certain.

We define an accessibility operation on an FSA to find the accessible part of an FSA from a state.

¹ Diagnosers shown in this chapter are built using DESUMA [33].


Definition 32. Let G = (Q, Σ, δ, q0) and q ∈ Q. The accessible part of G with respect to q is denoted by Ac(G, q) and is

Ac(G, q) = (Qac, Σ, δac, q), (5.9)

where Qac = {q′ ∈ Q : (∃s ∈ Σ∗)(δ(q, s) = q′ is defined)}, and δac = δ|Qac×Σ→Qac.

Let G = (Q, Σ, δ, q0). We say that a set of states {q1, q2, . . . , qn} ⊆ Q and a string σ1σ2 . . . σn ∈ Σ∗ form a cycle if qi+1 = δ(qi, σi), i = 1, 2, . . . , n − 1 and q1 = δ(qn, σn).

In the rest of this section, we assume the system satisfies the following: If {q1, q2, . . . , qn} ⊆ Q and σ1σ2 . . . σn ∈ Σ∗ form a cycle, then there exists at least one observable event σj in {σ1, . . . , σn} ⊆ Σ. That is, G does not contain a cycle in which states are connected with unobservable events only.

Lemma 33 below states that if there is a cycle in DG that contains a certain

diagnoser state, then all the diagnoser states in the cycle are certain (since the F1

label propagates). Lemma 34 states that if there is a cycle in DG that is formed by

uncertain or normal states, then there exists a corresponding cycle in G such that

all the states in the cycle have normal labels in the cycle in DG.

Lemma 33. Let G = (Q, Σ, δ, q0) be an FSA that generates L such that L is prefix-closed and live, let DG = (QD, Σo, δD, qD,0, σp) be the diagnoser for G and σp. Suppose {qD,1, . . . , qD,n} ⊆ QD and σo,1 . . . σo,n ∈ Σo∗ form a cycle in DG where n ∈ N. If there exists i ∈ {1, 2, . . . , n} such that qD,i ∈ Q^C_D, then qD,j ∈ Q^C_D for all j = 1, 2, . . . , n.

Lemma 34. Let G = (Q, Σ, δ, q0) be an FSA that generates L such that L is prefix-closed and live, and let DG = (QD, Σo, δD, qD,0, σp) be the diagnoser for G and σp. Suppose {qD,1, . . . , qD,n} ⊆ QD and σo,1 . . . σo,n ∈ Σo∗ form a cycle in DG where n ∈ N and qD,i is in Q^U_D or Q^N_D for all i = 1, 2, . . . , n. Then, there exists (qi, li) ∈ qD,i for i = 1, 2, . . . , n, such that qi+1 = δ(qi, si) for i = 1, 2, . . . , n − 1 and q1 = δ(qn, sn) where si ∈ Σ∗, P(si) = σo,i, and li = N for i = 1, 2, . . . , n.

Let FD be the set of normal diagnoser states that possess an immediate successor that is not normal. Formally,

FD = {xD ∈ Q^N_D : ∃ yD = δD(xD, σo) such that σo ∈ Σo and yD ∉ Q^N_D}. (5.10)

Lemma 35 states that any uncertain or certain diagnoser state is reached from a

diagnoser state in FD.

Lemma 35. Let G = (Q, Σ, δ, q0) be an FSA that generates L such that L is prefix-closed and live, and let DG = (QD, Σo, δD, qD,0, σp) be the diagnoser for G and σp. Let xD,i = δD(xD,i−1, σo,i) for i = 1, 2, . . . , m where m ∈ N, xD,i is a diagnoser state, σo,i is an observable event for i = 1, 2, . . . , m, and xD,0 is the initial diagnoser state. If xD,m is in Q^U_D or Q^C_D, then there exists M ≤ m such that xD,M ∈ FD.

Proof. [of Lemma 35] The proof is by induction on the sequence of observable

events.

Base (m = 1): In this case, xD,m = xD,1 ∉ Q^N_D and xD,1 = δD(xD,0, σo,1). Since xD,0 is the initial diagnoser state, by definition it is normal. If the immediate successor xD,1 of xD,0 is not a normal diagnoser state, then xD,0 ∈ FD. This completes the proof of the induction base.

Hypothesis (m = M′): If xD,M′ ∉ Q^N_D, then there exists M ≤ M′ such that xD,M ∈ FD.

Step (m = M′ + 1): We need to show that if xD,M′+1 ∉ Q^N_D, then there exists M ≤ M′ + 1 such that xD,M ∈ FD. We consider two cases: (i) xD,M′ ∈ Q^N_D, and (ii) xD,M′ ∉ Q^N_D. In the first case, if xD,M′ ∈ Q^N_D, then xD,M′ is in FD by definition. For the other case, if xD,M′ ∉ Q^N_D, then by the induction hypothesis there exists M ≤ M′ < M′ + 1 such that xD,M is in FD. This completes the proof of the induction step. □

In the following theorem, we state the necessary and sufficient condition for pre-

dictability of occurrences of an event. The condition is based on analyzing the cycles

in the diagnoser.

Theorem 36. Let G = (Q, Σ, δ, q0) be an FSA that generates L where L is prefix-

closed and live. Let DG = (QD, Σo, δD, qD,0, σp) be the diagnoser for G and σp. The

occurrences of σp are predictable in L with respect to P iff for all qD ∈ FD, condition

C holds, where

C : all cycles in Ac(DG, qD) are cycles of certain diagnoser states.
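The diagnoser of (5.5)-(5.8) and the cycle test of Theorem 36, applied to the language (5.1) of Fig. 5.1 (predictable, as worked through in Section 5.3) and to the language (5.3) of Fig. 5.2 (diagnosable but not predictable). This is an added example, not the dissertation's code; the automata are my own encodings of the two languages, so their state numbers differ from the figures, and both satisfy the no-unobservable-cycle assumption of this section.

```python
"""Diagnoser-based predictability test of Theorem 36.  Added example, not the
dissertation's code (it used DESUMA); the automata below are my own encodings
of languages (5.1) and (5.3), so state numbers differ from Figs. 5.1 and 5.2."""

# L = aabcpc* + abpc* + bpac* + ac*  (5.1); Sigma_uo = {a, p}; predict p.
G1 = ("0", [
    ("0", "a", "1"), ("0", "b", "2"), ("1", "a", "3"), ("1", "b", "4"),
    ("1", "c", "5"), ("5", "c", "5"), ("3", "b", "6"), ("6", "c", "7"),
    ("7", "p", "8"), ("8", "c", "8"), ("4", "p", "9"), ("9", "c", "9"),
    ("2", "p", "10"), ("10", "a", "11"), ("11", "c", "11")])
# L = eac* + abepd* + abcd* + aebpdd*  (5.3); Sigma_uo = {e, p}; predict p.
G2 = ("0", [
    ("0", "e", "1"), ("0", "a", "2"), ("1", "a", "3"), ("3", "c", "3"),
    ("2", "b", "4"), ("2", "e", "5"), ("4", "e", "6"), ("4", "c", "7"),
    ("6", "p", "8"), ("8", "d", "8"), ("7", "d", "7"), ("5", "b", "9"),
    ("9", "p", "10"), ("10", "d", "11"), ("11", "d", "11")])


def diagnoser(g, obs, sigma_p):
    """D_G of (5.5)-(5.8): states are frozensets of (q, label), label N or F1,
    with no unobservable reach stored.  Returns (q_D0, {(q_D, sigma_o): q_D'})."""
    init, trans = g

    def move(q, label, e):
        """All (q', l') with q' = delta(q, t e), t unobservable, l' by (5.8)."""
        out, todo, seen = set(), [(q, label)], {(q, label)}
        while todo:
            x, l = todo.pop()
            for src, ev, dst in trans:
                if src != x:
                    continue
                l2 = "F1" if l == "F1" or ev == sigma_p else "N"
                if ev == e:
                    out.add((dst, l2))
                elif ev not in obs and (dst, l2) not in seen:
                    seen.add((dst, l2))
                    todo.append((dst, l2))
        return out

    q0 = frozenset({(init, "N")})
    edges, seen, todo = {}, {q0}, [q0]
    while todo:
        xd = todo.pop()
        for e in obs:
            nxt = frozenset().union(*(move(q, l, e) for q, l in xd))
            if nxt:
                edges[(xd, e)] = nxt
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return q0, edges


def kind(xd):
    """Classify a diagnoser state as normal, certain or uncertain."""
    labels = {l for _, l in xd}
    return "normal" if labels == {"N"} else "certain" if labels == {"F1"} else "uncertain"


def reach(succ, starts):
    """Diagnoser states reachable from `starts` (Ac(D_G, q_D) for one start)."""
    seen, todo = set(starts), list(starts)
    while todo:
        for y in succ.get(todo.pop(), ()):
            if y not in seen:
                seen.add(y)
                todo.append(y)
    return seen


def predictable(g, obs, sigma_p):
    """Theorem 36: sigma_p is predictable iff, from every state of F_D (5.10),
    the only reachable cycles are cycles of certain diagnoser states."""
    q0, edges = diagnoser(g, obs, sigma_p)
    succ = {}
    for (x, e), y in edges.items():
        succ.setdefault(x, set()).add(y)
    f_d = [x for x in reach(succ, [q0]) if kind(x) == "normal"
           and any(kind(y) != "normal" for y in succ.get(x, ()))]
    for qd in f_d:
        for x in reach(succ, [qd]):  # x lies on a cycle iff it reaches itself
            if kind(x) != "certain" and x in reach(succ, succ.get(x, ())):
                return False
    return True
```

For G2 the state of F_D reached after observing ab has a normal successor (reached by c) that loops on d, which is exactly the abcd∗ branch that defeats predictability while abd still certifies p.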

Proof. The proof is in two parts.

(⇒): We prove that if σp is predictable in L, then for all qD ∈ FD the only cycles

in Ac(DG, qD) are cycles of certain diagnoser states. The proof is by contradiction.

Suppose that there exists qD ∈ FD such that Ac(DG, qD) contains a cycle formed by {xD,1, . . . , xD,m} and σo,1 . . . σo,m ∈ Σo∗ where xD,i ∉ Q^C_D for some i ∈ {1, 2, . . . , m}.

By Lemma 33, if there exists a diagnoser state xD,i in the cycle such that xD,i is not a certain diagnoser state, then none of the other diagnoser states in the cycle are certain. Thus, xD,i ∉ Q^C_D for all i = 1, 2, . . . , m.

By Lemma 34, corresponding to the cycle of diagnoser states in the diagnoser,

there exists a cycle in G such that each state in that cycle is labeled with N in

the cycle in the diagnoser. Suppose that the cycle in G is formed by x1, . . . , xm

and s1 . . . sm ∈ Σ∗ where (xi, N) ∈ xD,i and ωi ∈ Σ∗ such that P (ωi) = σo,i for

i = 1, 2, . . . , m.

Page 121: ON DIAGNOSIS AND PREDICTABILITY OF PARTIALLY-OBSERVED ...

109

Let qD ∈ FD be reached from the initial diagnoser state qD,0 by so ∈ Σ∗o. Since

qD is in FD, then there exists s ∈ Ψ(σp, L) such that P (s) = so.

We wish to show that for all t ∈ s such that (σp /∈ t) ∧ P. In order to prove

that P is violated, we wish to find a u ∈ L and v ∈ L/u such that P (u) = P (t) and

σp /∈ u, and if v is of length greater than any n ∈ N, then v does not contain σp.

It is sufficient to prove the theorem by considering a particular t ∈ s. Let s = s1σp

where s1 ∈ Σ∗. If the condition, P, is violated for t1 = s1, then it is violated for all

t ∈ t1. This is because if there is a long enough suffix of t1 violating the condition,

P, then that suffix can be used to prove that there is a long enough suffix of any

t ∈ t violating P.

Pick a diagnoser state in the cycle. Without loss of generality pick xD,1. Then,

we pick the state in the diagnoser state which has label N and is a part of the

corresponding cycle in G. Let (x1, l1) be that state in xD,1, with l1 = N .

Suppose that xD,1 is reached from qD by executing s′o ∈ Σ∗o. Then, xD,1 =

δD(qD,0, sos′o). Since x1 is in the corresponding cycle in G, then x1 = δ(x1, (ω1 . . . ωm)k)

for k ∈ N and k ≥ n. Let u ∈ L and u′ ∈ L/u such that x1 = δ(q0, uu′) and

P (u) = so = P (t1). Then, x1 = δ(q0, uu′(ω1 . . . ωm)k). Let v = u′(ω1 . . . ωm)k. Since

x1 has normal label, then neither u nor u′ does not contain σp. Also, by Lemma 34,

for i = 1, . . . , m, ωi ∈ Σ∗ does not contain σp. Thus, v does not contain σp. This

violates the condition P in the definition of predictability. Thus, there is a contra-

diction. This completes one part of the proof.

(⇐): We prove that if for all q_D ∈ F_D the only cycles in Ac(D_G, q_D) are cycles of certain diagnoser states, then σ_p is predictable in L.

Pick any s ∈ Ψ(σ_p, L). Let q = δ(q_0, s) ∈ Q. Then, pick any s_uo σ_o ∈ L/s such that s_uo ∈ Σ_uo^* and σ_o ∈ Σ_o. Let y = δ(q, s_uo σ_o) ∈ Q. Suppose that P(s) = s_o ∈ Σ_o^*. Then, let x_D = δ_D(q_{D,0}, s_o) and y_D = δ_D(x_D, σ_o) in Q_D. There exists (y, l_y) ∈ y_D with l_y = F1. Thus, y_D ∈ Q^U_D ∪ Q^C_D. We now consider the following two cases: (i) x_D ∈ Q^N_D, thus x_D ∈ F_D, and (ii) x_D ∈ Q^U_D ∪ Q^C_D.

Case (i). Since x_D ∈ Q^N_D and y_D ∉ Q^N_D, then x_D ∈ F_D. We choose t = s. For all u such that P(u) = P(t), P(u) = s_o. Since the only cycles in Ac(D_G, x_D) are cycles of certain states, for all v ∈ L/u, v contains σ_p.

Case (ii). If x_D ∈ Q^U_D ∪ Q^C_D, i.e., x_D is not normal, then we wish to find a normal diagnoser state in F_D from which x_D is reached. By Lemma 35, there exists a diagnoser state w_D reachable from the initial diagnoser state such that x_D is accessible from w_D and w_D is in F_D. Then, since F_D consists of normal diagnoser states, w_D is in Q^N_D. Thus, the proof of Case (ii) reduces to Case (i), in which we substitute w_D ∈ Q^N_D for x_D ∈ Q^N_D. This completes the second part of the proof. □

Consider the FSA in Fig. 5.1 and the corresponding diagnoser in Fig. 5.7, where Σ_uo = {a, p}, Σ_o = {b, c}, and F_D = {{1N, 8N, 3N}}. The accessible FSA from {1N, 8N, 3N} contains only one cycle, formed by the single state {10F1, 6F1, 5F1}, which is a certain diagnoser state. Thus, the occurrence of p is predictable. If we consider the FSA in Fig. 5.2 and the corresponding diagnoser in Fig. 5.8, where Σ_o = {a, b, c, d} and Σ_uo = {e, p}, then F_D = {{6N, 3N}}. The accessible FSA from {6N, 3N} contains two cycles, one of which contains a normal diagnoser state. Here, the occurrence of p is not predictable.

We now show that it is sufficient to test condition C in Theorem 36 on certain subsets of F_D to guarantee that this condition holds for all states in F_D.

Corollary 37. Let x_D, y_D ∈ F_D be such that y_D = δ_D(x_D, s_o) is defined for some s_o ∈ Σ_o^*. Then, condition C holds for all q_D ∈ F_D iff C holds for all q_D ∈ F_D \ {y_D}.

Proof. (⇒) Clearly, if condition C holds for all q_D ∈ F_D, then C holds for all q_D ∈ F_D \ {y_D}.

(⇐) We show that if C holds for all q_D ∈ F_D \ {y_D}, then condition C holds for all q_D ∈ F_D. Since x_D ∈ F_D \ {y_D}, C holds for x_D. Thus, Ac(D_G, x_D) contains only cycles of certain diagnoser states. Since y_D is reachable from x_D by s_o ∈ Σ_o^*, any cycle in Ac(D_G, y_D) is also a cycle in Ac(D_G, x_D). Thus, all cycles in Ac(D_G, y_D) are cycles of certain diagnoser states, and C holds for y_D. This completes the proof. □

Figure 5.3: DG. (Diagnoser of the FSA in Fig. 5.1, with states 0N, {1N, 8N, 3N}, 11N, {9N, 6F1, 5F1} and {10F1, 6F1, 5F1}, and transitions labeled b and c.)

Figure 5.4: DG. (Diagnoser of the FSA in Fig. 5.2, with states 0N, {1N, 10N}, 10N, 11N, {6N, 3N} and {8F1, 5F1}, and transitions labeled a, b, c and d.)

In view of Corollary 37, let us call a subset of F_D “C-sufficient” if testing condition C in Theorem 36 on this subset is sufficient to guarantee that C holds for all q_D ∈ F_D. Denote by S_{F_D} the set of all C-sufficient subsets of F_D. Let Min(S_{F_D}) denote all subsets of F_D in S_{F_D} that have minimum cardinality.

Proposition 38. Min(S_{F_D}) is not a singleton in general.

Proof. The proof of Proposition 38 is by a counterexample. We find an example where Min(S_{F_D}) is not a singleton. Let F_D = {x_D, y_D} be such that y_D = δ_D(x_D, s_o) and x_D = δ_D(y_D, t_o) are defined for some s_o, t_o ∈ Σ_o^*. Suppose that condition C holds for both x_D and y_D in F_D. Then, by Corollary 37, both F_D \ {x_D} = {y_D} and F_D \ {y_D} = {x_D} are C-sufficient, and both sets have cardinality 1. Thus, {y_D}, {x_D} ∈ Min(S_{F_D}). This completes the proof. □

Define a relation between x_D and y_D in F_D as follows: x_D ∼ y_D ⇔ ∃ s_o, t_o ∈ Σ_o^* such that y_D = δ_D(x_D, s_o) and x_D = δ_D(y_D, t_o). That is, two states in F_D are related if both of them appear in a cycle in the diagnoser.

We now assume that for all q_D ∈ F_D, q_D = δ_D(q_D, ε) is defined for an event ε ∉ Σ_o, where ε is the empty symbol. We need this assumption to make the relation ∼ reflexive.

Proposition 39. The relation ∼ is an equivalence relation.

Proof. We show that the relation ∼ is reflexive, symmetric and transitive. By assumption, for all q_D ∈ F_D, q_D = δ_D(q_D, ε) is defined. Then, q_D ∼ q_D, and thus ∼ is reflexive. By definition of the relation, x_D ∼ y_D iff y_D ∼ x_D, where x_D, y_D ∈ F_D. Thus, ∼ is symmetric.

Let x_D ∼ y_D and y_D ∼ z_D, where x_D, y_D, z_D ∈ F_D. We now show that x_D ∼ z_D. By definition of the relation, there exist s_o, t_o ∈ Σ_o^* such that y_D = δ_D(x_D, s_o) and x_D = δ_D(y_D, t_o). Also, there exist s′_o, t′_o ∈ Σ_o^* such that z_D = δ_D(y_D, s′_o) and y_D = δ_D(z_D, t′_o). Then, z_D = δ_D(x_D, s_o s′_o) and x_D = δ_D(z_D, t′_o t_o). Thus, x_D ∼ z_D, and ∼ is transitive. □

We now work on the equivalence classes (induced by ∼) in F_D instead of the states in F_D. Let E_D be the set of equivalence classes of F_D for the relation ∼, and write [x_D] ∈ E_D for the class containing x_D ∈ F_D. Depicted in Fig. 5.5 is an illustration of the equivalence classes of F_D: x_{D,1} ∼ x_{D,2}, y_{D,1} ∼ y_{D,2}, x_{D,1}, x_{D,2} ∈ [x_D], y_{D,1}, y_{D,2} ∈ [y_D], and [x_D], [y_D] ∈ E_D.

Figure 5.5: The equivalence classes induced by ∼ in F_D. (F_D is partitioned into the classes [x_D] = {x_{D,1}, x_{D,2}, ...}, [y_D] = {y_{D,1}, y_{D,2}, ...}, and so on.)

Denote by S_{E_D} the set of all C-sufficient subsets of E_D. If S_1 is a C-sufficient subset in S_{E_D}, then S_1 ⊆ E_D and, by Corollary 37, for all [y_D] ∈ E_D \ S_1 there exists [x_D] ∈ S_1 such that y_D = δ_D(x_D, s_o) for some s_o ∈ Σ_o^*, where x_D, y_D ∈ F_D, x_D ∈ [x_D], and y_D ∈ [y_D].

Let Min(S_{E_D}) denote all sets in S_{E_D} that have minimum cardinality. Theorem 41 states that there is only one C-sufficient subset of E_D with the minimum cardinality.

Corollary 40. Let S_1 ∈ Min(S_{E_D}). For all distinct [x_D], [y_D] ∈ S_1, for all x_D ∈ [x_D] and y_D ∈ [y_D], there do not exist s_o, t_o ∈ Σ_o^* such that y_D = δ_D(x_D, s_o) or x_D = δ_D(y_D, t_o) is defined.

Proof. The proof is by contradiction. Suppose that there exists s_o ∈ Σ_o^* such that y_D = δ_D(x_D, s_o). Then, by Corollary 37, it is sufficient that C holds for the states in the classes of S_1 \ {[y_D]}, i.e., S_1 \ {[y_D]} is C-sufficient. This is a contradiction because then S_1 is not of minimum cardinality. □

Theorem 41. Min(S_{E_D}) is a singleton.

Proof. The proof is by contradiction. Let S_1, S_2 ∈ Min(S_{E_D}) with S_1 ≠ S_2. By definition of Min(S_{E_D}), |S_1| = |S_2|. Let [x_D] ∈ S_1 \ S_2. Since [x_D] ∈ E_D and [x_D] ∉ S_2, there exists [z_D] ∈ S_2 such that there exist x_D ∈ [x_D] and z_D ∈ [z_D] with x_D = δ_D(z_D, s_o) for some s_o ∈ Σ_o^*. Similarly, since [z_D] ∈ E_D and [z_D] ∉ S_1, there exists [y_D] ∈ S_1 such that there exists y_D ∈ [y_D] with z_D = δ_D(y_D, t_o) defined for some t_o ∈ Σ_o^*. Then, x_D = δ_D(y_D, t_o s_o). Since S_1 ∈ Min(S_{E_D}), Corollary 40 gives [x_D] = [y_D]. Thus, x_D ∼ z_D, i.e., [x_D] = [z_D] ∈ S_2. This is a contradiction. □

We have developed an algorithm for finding this unique element in Min(S_{E_D}). In view of Corollary 37 and Theorem 41, the necessary and sufficient condition for predictability in Theorem 36 becomes: “Condition C holds for all q_D in the classes of Min(S_{E_D}).” In general, the states covered by Min(S_{E_D}) form only a subset of F_D, thus resulting in computational savings once Min(S_{E_D}) has been computed.
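The thesis does not print its algorithm for Min(S_{E_D}). The following Python, added here as an illustration and not the thesis's own code, computes it from Corollaries 37 and 40 and Theorem 41: the ∼-classes of F_D are the sets of mutually reachable F_D states, a class is redundant when some state of a different class reaches one of its states, and Min(S_{E_D}) consists of the classes that remain. It also enumerates the state-level sets Min(S_{F_D}), which is where the non-uniqueness of Proposition 38 shows up. The diagnoser is given as a constructed successor map over string state names, the set F_D is likewise constructed, and the function names are mine.

```python
"""Min(S_{E_D}) from a diagnoser graph, following Corollaries 37/40 and
Theorem 41. Added example; the diagnoser below is constructed, not Fig. 5.3."""
from itertools import product


def reachable(adj, start):
    """States reachable from `start` by one or more transitions."""
    seen, stack = set(), list(adj.get(start, ()))
    while stack:
        x = stack.pop()
        if x not in seen:
            seen.add(x)
            stack.extend(adj.get(x, ()))
    return seen


def equivalence_classes(adj, F_D):
    """Classes of ~ on F_D: x ~ y iff each reaches the other (reflexive by
    the epsilon self-loop assumption made in the text)."""
    reach = {x: reachable(adj, x) for x in F_D}
    classes = set()
    for x in F_D:
        classes.add(frozenset(y for y in F_D
                              if y == x or (y in reach[x] and x in reach[y])))
    return classes, reach


def min_c_sufficient_classes(adj, F_D):
    """Min(S_{E_D}): drop every class reachable from a state of a different
    class (Corollary 37 makes it redundant). Theorem 41 says the result is
    unique, so a single set of classes is returned."""
    classes, reach = equivalence_classes(adj, F_D)

    def dominated(c):
        return any(y in reach[x] for d in classes if d != c for x in d for y in c)

    return frozenset(c for c in classes if not dominated(c))


def min_c_sufficient_state_sets(adj, F_D):
    """Min(S_{F_D}): one representative state per class of Min(S_{E_D}).
    Several choices exist whenever a minimal class has more than one state,
    which is the situation of Proposition 38."""
    return {frozenset(choice)
            for choice in product(*min_c_sufficient_classes(adj, F_D))}


# Constructed diagnoser graph: x1 <-> x2 form a cycle and lead to y1; z is a
# separate boundary state; c stands for a certain state with a self-loop.
DIAGNOSER = {"x1": {"x2", "y1"}, "x2": {"x1"}, "y1": {"c"}, "z": {"c"}, "c": {"c"}}
F_D = {"x1", "x2", "y1", "z"}

if __name__ == "__main__":
    print(min_c_sufficient_classes(DIAGNOSER, F_D))
    print(min_c_sufficient_state_sets(DIAGNOSER, F_D))
```

On the constructed graph the classes are {x1, x2}, {y1} and {z}; y1 is dropped because x1 reaches it, so Min(S_{E_D}) = {{x1, x2}, {z}} and the state-level minimum sets are {x1, z} and {x2, z}.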

5.4.1 Verifier Approach

In this section, we define another discrete-event process called the verifier. We present a necessary and sufficient condition for predictability based on the verifier. The use of verifiers to test for predictability is computationally efficient: the computational complexity of the test based on verifiers is polynomial-time, whereas the complexity of the test based on diagnosers is exponential-time in the worst case.

The verifier was first defined in [64], where the authors use verifiers to test for diagnosability. The verifier is a nondeterministic FSA built for the system with respect to a projection P onto the set of observable events, Σ_o, and a set of fault events (in our case, the event to be predicted, σ_p). Let G = (Q, Σ, δ, q_0) be an FSA that generates language L. We denote by V_G the verifier built for G and σ_p. The verifier V_G is of the form

V_G = (Q_V, Σ, δ_V, q_{V,0}, σ_p), (5.11)

where Q_V is the set of verifier states, δ_V is the verifier state transition relation, and q_{V,0} is the initial verifier state. A verifier state q_V ∈ Q_V is of the form

q_V = [(q_1, l_1), (q_2, l_2)], (5.12)

where q_i ∈ Q and l_i ∈ {N, F1} for i = 1, 2. The verifier state space Q_V is a subset of Q × {N, F1} × Q × {N, F1}.

Let q_V = [(q_1, l_1), (q_2, l_2)] ∈ Q_V. The state transition relation δ_V(q_V, σ) is defined for some σ ∈ Σ if δ(q_1, σ) or δ(q_2, σ) is defined. Suppose that δ_V(q_V, σ) is defined for some σ ∈ Σ. Since δ_V is a relation, δ_V(q_V, σ) is a set of verifier states, defined as follows. If σ ∈ Σ_uo, then

δ_V([(q_1, l_1), (q_2, l_2)], σ) = { [(δ(q_1, σ), l′_1), (q_2, l_2)], [(q_1, l_1), (δ(q_2, σ), l′_2)], [(δ(q_1, σ), l′_1), (δ(q_2, σ), l′_2)] }, (5.13)

and if σ ∈ Σ_o, then

δ_V([(q_1, l_1), (q_2, l_2)], σ) = { [(δ(q_1, σ), l′_1), (δ(q_2, σ), l′_2)] }, (5.14)

where if σ = σ_p, then l′_1 = l′_2 = F1, and otherwise l′_1 = l_1 and l′_2 = l_2. (In (5.13), only those elements are present for which the corresponding δ(·, σ) is defined.)

Lemma 42. Let G = (Q, Σ, δ, q_0) be an FSA that generates L, let s = u_s σ_o and t = u_t σ_o in L be such that q_s = δ(q_0, s) and q_t = δ(q_0, t), where u_s, u_t ∈ Σ_uo^* and σ_o ∈ Σ_o, and let V_G = (Q_V, Σ, δ_V, q_{V,0}, σ_p) be the verifier for G and σ_p. Then, there exists q_V ∈ Q_V such that q_V ∈ δ_V(q_{V,0}, u_s u_t σ_o) is defined and q_V = [(q_s, l_s), (q_t, l_t)], where l_s, l_t ∈ {N, F1}.

Proof. By definition q_{V,0} = [(q_0, N), (q_0, N)]. Let q_{u_s} = δ(q_0, u_s) ∈ Q. Since u_s is feasible from q_0, it is also feasible from q_{V,0}. Thus, there exists q_{V,s} = [(q_{u_s}, l_{u_s}), (q_0, N)] ∈ Q_V, where l_{u_s} ∈ {N, F1}. Let q_{u_t} = δ(q_0, u_t) ∈ Q. Since u_t is feasible from q_0, it is also feasible from q_{V,s}. Thus, there exists q_{V,t} = [(q_{u_s}, l_{u_s}), (q_{u_t}, l_{u_t})] ∈ Q_V, where l_{u_t} ∈ {N, F1}. The observable event σ_o is feasible from both q_{u_s} and q_{u_t}; then, by definition of the verifier transition relation, there exists q_V = [(q_s, l_s), (q_t, l_t)], where l_s, l_t ∈ {N, F1}. This completes the proof. □

Theorem 43. Let G = (Q, Σ, δ, q_0) be an FSA that generates L, let s, t ∈ L be such that q_s = δ(q_0, s) and q_t = δ(q_0, t) are defined and P(s) = P(t), and let V_G = (Q_V, Σ, δ_V, q_{V,0}, σ_p) be the verifier for G and σ_p. Then, there exists q_V ∈ Q_V such that

q_V = [(q_s, l_s), (q_t, l_t)], (5.15)

for l_s, l_t ∈ {N, F1}.

The proof of Theorem 43 follows from Lemma 42 and is an induction on the sequence of observable events. The proof is omitted.

We say that a verifier state q_V = [(q_1, l_1), (q_2, l_2)] is normal if l_1 = l_2 = N, certain if l_1 = l_2 = F1, and uncertain if l_1 = F1 and l_2 = N or vice versa. We denote by Q^N_V the set of verifier states that are normal, by Q^C_V the set of states that are certain, and by Q^U_V the set of states that are uncertain.

Lemma 44. Let G = (Q, Σ, δ, q_0) be an FSA that generates L such that L is prefix-closed and live, and let V_G = (Q_V, Σ, δ_V, q_{V,0}, σ_p) be the verifier for G and σ_p. Suppose {q_{V,1}, ..., q_{V,n}} ⊆ Q_V and σ_1 ... σ_n ∈ Σ^* form a cycle in V_G, where n ∈ N. If there exists i ∈ {1, 2, ..., n} such that q_{V,i} ∈ Q^C_V, then q_{V,j} ∈ Q^C_V for all j = 1, 2, ..., n.

Let F_V be the set of normal verifier states defined as follows:

F_V = { x_V ∈ Q^N_V : δ_V(x_V, s_uo σ_p) is defined for some s_uo ∈ Σ_uo^* with σ_p ∉ s_uo }. (5.16)

Intuitively, both F_D and F_V serve the same purpose, i.e., they draw the boundary at which the diagnoser or verifier switches from normal states to uncertain or certain states. However, due to the structure of the verifier, the formal definitions differ. The set F_V contains the normal verifier states that have an unobservable reach such that an immediate successor of a state in that reach is an uncertain or certain verifier state, and the string of unobservable events does not contain the event to be predicted.

Lemma 45. Let G = (Q, Σ, δ, q_0) be an FSA that generates L such that L is prefix-closed and live, and let V_G = (Q_V, Σ, δ_V, q_{V,0}, σ_p) be the verifier for G and σ_p. Let x_{V,i} ∈ δ_V(x_{V,i−1}, σ_{o,i}) for i = 1, 2, ..., m, where m ∈ N, x_{V,i} is a verifier state, σ_{o,i} is an observable event for i = 1, 2, ..., m, and x_{V,0} is the initial verifier state. If x_{V,m} is in Q^U_V or Q^C_V, then there exists M ≤ m such that x_{V,M} ∈ F_V.

The proof of Lemma 45 is similar to the proof of Lemma 35 and is omitted here.

In the following theorem, we state the necessary and sufficient condition for predictability of occurrences of an event. The condition is based on analyzing the cycles in the verifier instead of the diagnoser. The condition based on the verifier provides a more efficient test for predictability.

Theorem 46. Let G = (Q, Σ, δ, q_0) be an FSA that generates L, where L is prefix-closed and live. Let V_G = (Q_V, Σ, δ_V, q_{V,0}, σ_p) be the verifier for G and σ_p. The occurrences of σ_p are predictable in L with respect to P iff for all q_V ∈ F_V condition C_V holds, where

C_V : all cycles in Ac(V_G, q_V) are cycles of certain verifier states.

Proof. The proof is in two parts.

(⇒): We prove that if σ_p is predictable in L, then for all q_V ∈ F_V the only cycles in Ac(V_G, q_V) are cycles of certain verifier states. The proof is by contradiction. Suppose that there exists q_V ∈ F_V such that Ac(V_G, q_V) contains a cycle formed by x_{V,1}, ..., x_{V,m} and σ_1 ... σ_m ∈ Σ^*, where x_{V,i} ∉ Q^C_V for some i ∈ {1, 2, ..., m}.

Let q_V = [(q_1, N), (q_2, N)] ∈ δ_V(q_{V,0}, ω_1), where q_1, q_2 ∈ Q and ω_1 ∈ Σ^*. Since q_V ∈ F_V, there exist y_V = [(y_1, N), (y_2, N)] ∈ δ_V(q_V, s_uo) and z_V = [(z_1, l_{z_1}), (z_2, l_{z_2})] ∈ δ_V(y_V, σ_p), as shown in Fig. 5.6, where y_1, y_2, z_1, z_2 ∈ Q, s_uo ∈ Σ^* and σ_p ∉ s_uo.

Figure 5.6: The verifier states. (q_{V,0} = [(q_0, N), (q_0, N)] reaches q_V ∈ F_V by ω_1; q_V reaches y_V ∈ F_V by s_uo and then z_V by σ_p; q_V also reaches x_{V,1} = [(x_1, N), (x_2, l_{x_2})] by ω_2, and x_{V,1} lies on the cycle labeled σ_1 ... σ_m.)

There exists s ∈ Ψ(σ_p, L) such that P(s) = P(ω_1 s_uo σ_p). We wish to show that for all t ∈ s̄ such that σ_p ∉ t, the condition P is violated. Let s = s_1 σ_p, where s_1 ∈ Σ^*. If the condition P is violated for t_1 = s_1, then it is violated for all t ∈ t̄_1; thus, hereafter, we consider the case of t_1 only.

We pick without loss of generality x_{V,1} in the cycle. Let x_{V,1} = [(x_1, N), (x_2, l_{x_2})], where x_1, x_2 ∈ Q and l_{x_2} ∈ {N, F1}, and let x_{V,1} ∈ δ_V(q_V, ω_2).

There exist u ∈ L and u′ ∈ L/u such that P(ω_1) = P(u) and x_1 = δ(q_0, uu′). Since x_1 has a normal label in x_{V,1}, neither u nor u′ contains σ_p. Also, since P(ω_1) = P(ω_1 s_uo) = P(s_1) = P(t_1), we have P(u) = P(t_1).

If there is a cycle formed by x_{V,1}, ..., x_{V,m} and σ_1 ... σ_m ∈ Σ^*, then there is a corresponding cycle in G formed by the normal states in x_{V,i} for i = 1, ..., m and a subsequence σ′_1 ... σ′_{m′} ∈ Σ^*, where m′ ≤ m is a positive integer. Thus, x_1 = δ(q_0, uu′(σ′_1 ... σ′_{m′})^k) for some integer k ≥ n, and u′(σ′_1 ... σ′_{m′})^k does not contain σ_p. Pick v = u′(σ′_1 ... σ′_{m′})^k ∈ L/u. By the above discussion, neither u nor v contains σ_p. Thus, there exist u and v ∈ L/u such that P(u) = P(t_1), σ_p ∉ u, ‖v‖ ≥ n and σ_p ∉ v. This is a violation of the condition P. Thus, σ_p is not predictable in L. This is a contradiction, which completes the first part of the proof.

(⇐): We prove that if for all q_V ∈ F_V the only cycles in Ac(V_G, q_V) are cycles of certain verifier states, then σ_p is predictable in L.

Pick any s ∈ Ψ(σ_p, L). By definition, s = s_1 σ_p for s_1 ∈ Σ^*. Let x = δ(q_0, s_1) and y = δ(x, σ_p). Then, there exist x_V = [(x, N), (x′, l′_x)] and y_V = [(y, F1), (y′, l′_y)] in Q_V with y_V ∈ δ_V(x_V, σ_p), where x′, y′ ∈ Q and l′_x, l′_y ∈ {N, F1}. The verifier state x_V is either normal or uncertain. Also, y_V is either uncertain or certain. We now consider the following two cases: (i) x_V ∈ Q^N_V, thus x_V ∈ F_V, and (ii) x_V ∈ Q^U_V.

Case (i). Since x_V ∈ Q^N_V and y_V ∉ Q^N_V, then x_V ∈ F_V. We choose t = s_1. For all u such that P(u) = P(t) = P(s_1) and σ_p ∉ u, by Theorem 43 there exists a verifier state of the form q_V = [(x, N), (δ(q_0, u), N)]. We wish to show that q_V ∈ F_V, because then the only cycles in Ac(V_G, q_V) are cycles of certain states, and thus for all such u and all v ∈ L/u, v contains σ_p; hence σ_p is predictable. We consider the two cases σ_p ∈ Σ_uo and σ_p ∈ Σ_o. If σ_p ∈ Σ_uo, then

[(y, F1), (δ(q_0, u), N)] ∈ δ_V(q_V, σ_p),

and thus q_V ∈ F_V. If σ_p ∈ Σ_o, then

[(y, F1), (δ(δ(q_0, u), σ_p), F1)] ∈ δ_V(q_V, σ_p),

and thus q_V ∈ F_V. This completes the proof of Case (i).

Case (ii). If x_V ∈ Q^U_V, i.e., x_V is not normal, then we wish to find a normal verifier state in F_V from which x_V is reached. By Lemma 45, there exists a verifier state w_V reachable from the initial verifier state such that x_V is accessible from w_V and w_V is in F_V. Then, since F_V consists of normal verifier states, w_V is in Q^N_V. Thus, the proof of Case (ii) reduces to Case (i), in which we substitute w_V ∈ Q^N_V for x_V ∈ Q^N_V. This completes the second part of the proof. □

Consider the FSA in Fig. 5.1 and the corresponding verifier in Fig. 5.7, where Σ_uo = {a, p}, Σ_o = {b, c}, and

F_V = { [1N, 1N], [3N, 1N], [8N, 3N], [8N, 1N], [9N, 9N] }.

Each accessible FSA from the verifier states in F_V contains only cycles of certain verifier states. Thus, the occurrence of p is predictable.

If we consider the FSA in Fig. 5.2 and the corresponding verifier in Fig. 5.8, where Σ_o = {a, b, c, d} and Σ_uo = {e, p}, then

F_V = { [6N, 6N], [7N, 6N], [3N, 6N], [3N, 7N], [3N, 3N] }.

The accessible FSA from [6N, 6N] contains a cycle which contains a normal verifier state. Thus, the occurrence of p is not predictable.
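Both tests of this section can be exercised on a small system. The following Python, added here and not the thesis's own code, builds the diagnoser used in Theorem 36 (an observable step followed by the unobservable reach, with labels N and F1) and the verifier of equations (5.11) to (5.14), computes F_D and F_V (equation (5.16)), and checks conditions C and C_V by searching for a cycle among the non-certain states reachable from each boundary state, which is enough because certain states are absorbing (Lemmas 33 and 44). The two FSAs G1 and G2, with Σ_o = {b, c} and Σ_uo = {a, p}, are constructed for this example and are not the systems of Figs. 5.1 and 5.2; all function names are mine. Both tests give the same verdict on each system, as Theorems 36 and 46 require.

```python
"""Predictability of sigma_p via the diagnoser (Thm. 36, condition C on F_D) and
via the verifier (Thm. 46, C_V on F_V). Added example; the FSAs are constructed."""
N, F1 = "N", "F1"
def is_normal(x): return all(l == N for _, l in x)    # x: any iterable of (q, label)
def is_certain(x): return all(l == F1 for _, l in x)

def lab(l, e, sigma_p):  # label update shared by both constructions; F1 is absorbing
    return F1 if (l == F1 or e == sigma_p) else N

def build_diagnoser(delta, q0, obs, sigma_p):
    """D_G over Sigma_o; G is delta = {(q, e): q'} with initial q0 and observable
    events obs. A diagnoser state is a frozenset of (q, label); returns {state: set}."""
    unobs = {e for (_, e) in delta} - obs
    def reach(pairs):  # unobservable reach with label propagation
        stack, seen = list(pairs), set(pairs)
        while stack:
            q, l = stack.pop()
            new = {(delta[(q, e)], lab(l, e, sigma_p)) for e in unobs if (q, e) in delta}
            stack.extend(new - seen)
            seen |= new
        return frozenset(seen)
    x0 = reach({(q0, N)})
    adj, todo = {x0: set()}, [x0]
    while todo:
        x = todo.pop()
        for e in obs:  # observable step, then unobservable reach
            nxt = {(delta[(q, e)], lab(l, e, sigma_p)) for q, l in x if (q, e) in delta}
            if nxt:
                y = reach(nxt)
                adj[x].add(y)
                if y not in adj:
                    adj[y] = set()
                    todo.append(y)
    return adj

def build_verifier(delta, q0, obs, sigma_p):
    """V_G over Sigma, eqs. (5.13)-(5.14). A verifier state is a pair of (q, label)
    tuples; returns {state: {event: set of successor states}}."""
    def move(q, l, e):
        return (delta[(q, e)], lab(l, e, sigma_p)) if (q, e) in delta else None
    v0 = ((q0, N), (q0, N))
    delta_V, seen, todo = {}, {v0}, [v0]
    while todo:
        c1, c2 = v = todo.pop()
        for e in {e for (_, e) in delta}:
            a, b = move(*c1, e), move(*c2, e)
            # (5.14) moves both components together; (5.13) moves either or both
            cands = [(a, b)] if e in obs else [(a, c2), (c1, b), (a, b)]
            succ = {s for s in cands if s[0] and s[1]}
            if succ:
                delta_V.setdefault(v, {})[e] = succ
                todo.extend(succ - seen)
                seen |= succ
    return delta_V

def only_certain_cycles(adj, start):
    """Condition C / C_V from `start`. Certain states are absorbing, so a cycle
    through a non-certain state is wholly non-certain (Lemmas 33 and 44); hence it
    suffices that the non-certain states reachable from `start` are acyclic."""
    colour = {}
    def dfs(x):
        colour[x] = "grey"
        for y in adj.get(x, ()):
            if not is_certain(y) and (colour.get(y) == "grey" or (y not in colour and not dfs(y))):
                return False  # back edge: a cycle of non-certain states
        colour[x] = "black"
        return True
    return dfs(start)

def predictable_by_diagnoser(delta, q0, obs, sigma_p):
    adj = build_diagnoser(delta, q0, obs, sigma_p)
    # F_D: normal diagnoser states with a non-normal immediate successor
    F_D = [x for x in adj if is_normal(x) and any(not is_normal(y) for y in adj[x])]
    return all(only_certain_cycles(adj, x) for x in F_D)

def verifier_boundary(delta_V, unobs, sigma_p):
    """F_V, eq. (5.16): normal verifier states from which sigma_p becomes enabled
    after a string of unobservable events not containing sigma_p."""
    F_V = set()
    for v in filter(is_normal, delta_V):
        stack, seen = [v], {v}
        while stack:
            w = stack.pop()
            if sigma_p in delta_V.get(w, {}):
                F_V.add(v)
                break
            for e in unobs - {sigma_p}:
                new = delta_V.get(w, {}).get(e, set()) - seen
                stack.extend(new)
                seen |= new
    return F_V

def predictable_by_verifier(delta, q0, obs, sigma_p):
    delta_V = build_verifier(delta, q0, obs, sigma_p)
    adj = {v: set().union(*m.values()) for v, m in delta_V.items()}
    F_V = verifier_boundary(delta_V, {e for (_, e) in delta} - obs, sigma_p)
    return all(only_certain_cycles(adj, v) for v in F_V)

# Constructed FSAs, Sigma_o = {b, c}, Sigma_uo = {a, p}. G1: 0 -a-> 1 -b-> 2 -p-> 3
# -c-> 4 -c-> 4, so after b every long continuation contains p (predictable).
# G2 adds 2 -c-> 5 -c-> 5: after b the system may run forever without p.
OBS = {"b", "c"}
G1 = {(0, "a"): 1, (1, "b"): 2, (2, "p"): 3, (3, "c"): 4, (4, "c"): 4}
G2 = {**G1, (2, "c"): 5, (5, "c"): 5}
```

Calling predictable_by_diagnoser(G1, 0, OBS, "p") and predictable_by_verifier(G1, 0, OBS, "p") both return True, and both return False on G2. For G1 the boundary set F_V is the single state [(2, N), (2, N)], the only normal verifier state from which p is enabled. The verifier has at most 4·|Q|² states, since Q_V ⊆ Q × {N, F1} × Q × {N, F1}, whereas a diagnoser state is a subset of Q × {N, F1}; that difference is the source of the polynomial versus exponential complexity noted at the start of Section 5.4.1.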

5.5 Conclusion

We have defined the new property of predictability of the occurrence of a significant event (e.g., fault) based on the current record of observable events. We have shown a necessary and sufficient condition for predictability in the case of systems modeled by regular languages. We have presented a test to verify the predictability property based on diagnosers. An alternate test of polynomial-time complexity (in the number of system states) is presented. The study of predictability is inspired and motivated by the study of fault diagnosis. Our long term goal is to form an integrated theory of diagnosis and prediction in the framework of formal languages.

Figure 5.7: DG. (The figure shows pairs of labeled states such as [0N, 0N], [1N, 1N], [8N, 3N], [9N, 9N] and [10F1, 10F1], connected by transitions labeled a, b, c and p.)

Figure 5.8: DG. (The figure shows pairs of labeled states such as [0N, 0N], [6N, 6N], [3N, 3N], [11N, 11N] and [8F1, 8F1], connected by transitions labeled a, b, c, d, e and p.)

CHAPTER VI

Conclusion

Monolithic and distributed on-line fault detection and isolation of modular dynamic systems modeled as sets of partially-observed place-bordered Petri nets are considered. Algorithms for on-line monitoring and diagnosis of monolithic and modular systems modeled as a set of place-bordered Petri nets are developed. The distributed algorithms exploit the modular nature of the system to avoid the combinatorial explosion of the state space, but they require communication among modules on the occurrence of events that affect common places. Many issues remain to be investigated. Among those are further improvements to reduce the communication overhead and deal with communication delays; proper partitioning of a system into modules in order to enhance the performance of DDC-M; and performance analysis of DDC-M on comprehensive examples using our software tool.

We have generalized the notion of diagnosability of single events in prior works to diagnosability of sequences of events in partially-observed discrete-event systems. We have considered two types of pattern diagnosability: S-type and T-type. We have shown that there exist necessary and sufficient conditions for both types of pattern diagnosability. We have developed an implementable test to verify the necessary and sufficient condition for each type of pattern diagnosability. We have also provided the reader with a possible application of the theory to intrusion detection in networked systems. One of our future goals is to work on experimental data of intrusions and to investigate extensions of the theory based on the experimental results and on the structure and nature of the system and intrusions.

We have defined the new property of predictability of the occurrence of a significant event (e.g., fault) based on the current record of observable events. We have shown a necessary and sufficient condition for predictability in the case of a system modeled by regular languages. We have presented an exponential-time test to verify the predictability property; however, we have also developed a polynomial-time test. The study of predictability is inspired and motivated by the study of fault diagnosis. Our future goals in the study of predictability include extending the definition of predictability to consider stochastic DES and developing distributed algorithms to analyze predictability of event occurrences in monolithic or modular DES. Our long term goal is to form an integrated theory of diagnosis and prediction in the framework of formal languages.

APPENDICES

APPENDIX A

Software Implementations

We developed a software implementation of DDC-M and of the merge operation (1). The software interacts with GraphViz, developed by AT&T, to visualize the labeled Petri nets, the diagnoser states (including the state, fault and message information) and the dynamics of the Petri nets and the algorithms (whether communications occur among modules, which module communicates with which module, the list of events enabled from the diagnoser states, etc.).

The Petri nets can be loaded into the toolbox using visual components of the graphical interface or user-created files. The software is capable of partitioning a given Petri net into a set of place-bordered Petri nets or composing several Petri nets with a controller. We use one of Matlab's data types called structures with fields, named data containers, to model labeled Petri nets. This is because each field in a structure can hold any kind of data, and a labeled Petri net is composed of dissimilar kinds of data such as places, transitions, forward and backward incidence matrices that define the arc relations and weight function, the transition labeling function, etc.

We also make use of Matlab's cell arrays, which are composed of elements called cells; similar to the fields of a structure, cells can hold any kind of data. One cell of a cell array may contain an array of text characters, another a matrix of integers. In constructing the data structures for Petri nets, we use cell arrays to model the event set of a labeled Petri net, which contains strings that are modeled as arrays of characters with different lengths. The software also exploits Matlab's matrix manipulation functions and search algorithms for matrices in order to efficiently implement the for-loops in DDC-M.

(1) The software has not been made publicly available yet.

A.1 Graph: How to load a Petri net?

This section explains how the system to be diagnosed is created using the toolbox or otherwise loaded into the toolbox. There are two ways to create/load a Petri net.

Figure A.1: The toolbox outline.

A.1.1 Quick Load

Users can load a Petri net from a set of files (see Table A.1). The set of files listed in Table A.1 should be saved with the very same name to use the “quick load” option (ex: robot.pnm, robot.pnp, robot.tlb, ...).

To use the “quick load” option, go to the toolbar (see Figure A.2) of the Diagnoser Toolbox. Select “Quick Load” from the “Graph” menu. Then, a window pops up. In this window the user enters:

1. The directory the set of files to load the Petri net are in,

2. The name of the set of files (w/o any extension of different file types).

File Type   Comment
*.pnm       Incidence matrix (removing tokens from places): D-
*.pnp       Incidence matrix (putting tokens into places): D+
*.plb       Place labels
*.tlb       Transition labels (event set)
*.is        Initial state
*.md        Event set partition of modules
*.obs       Observable events
*.ft        Fault partition

Table A.1: File types.

Figure A.2: How to “quick load” a Petri net?

A.1.2 Create

Users can create a Petri net and the partitions necessary to run the diagnoser algorithms. To use this menu, go to the toolbar of the Diagnoser Toolbox and select the “Create” section of the “Graph” menu (see Figure A.3). In the rest of this section we explain each item in the “Create” menu.

Figure A.3: How to “create” a Petri net and partitions?

Settings

The user assigns the number of places and transitions for the other menus (see Figure A.4).

Incidence Matrix: D-

The incidence matrix D− (“Incidence:D-” menu) shows how many tokens the transitions remove from the places of the Petri net (see Figure A.5). All the entries are positive. The user can input the entries into the boxes and click “OK” to exit. In addition, the user can open a previously saved matrix or save the matrix before exiting the menu. The “open” and “save” menus are reached from the “File” menu in the toolbar of the “Incidence:D-” menu. The file type of this menu can be found in Table A.1.

Figure A.4: The settings of the Petri net.

Figure A.5: The incidence matrix (D−) of the Petri net.

Incidence Matrix: D+

The incidence matrix D+ (“Incidence:D+” menu) shows how many tokens the transitions put into the places of the Petri net (see Figure A.6). All the entries are positive. The user can input the entries into the boxes and click “OK” to exit. In addition, the user can open a previously saved matrix or save the matrix before exiting the menu. The “open” and “save” menus are reached from the “File” menu in the toolbar of the “Incidence:D+” menu. The file type of this menu can be found in Table A.1.

Figure A.6: The incidence matrix (D+) of the Petri net.

Place Labels

By default, the places of the Petri net are enumerated according to the incidence matrices (see Figure A.7). Users can change the labels of the places by using the “open” and “save” items for the place labels. The file type of this menu can be found in Table A.1.

Transition Labels

By default, the transitions of the Petri net are enumerated according to the incidence matrices (see Figure A.8). Users can change the labels of the transitions by using the “open” and “save” items for the transition labels. The file type of this menu can be found in Table A.1.

Figure A.7: The place labels of the Petri net.

Figure A.8: The transition labels (event set) of the Petri net.

Initial State

The initial state of the Petri net is assigned in this menu (see Figure A.9). Users can “open” and “save” the initial state. The file type of this menu can be found in Table A.1.

Figure A.9: The initial state of the Petri net.

Partitions

There are three different partitions (of the event set) assigned in this menu (see Figure A.10).

The first partition is the set of observable events, corresponding to the column “Obs”. If the check box is checked for the “Obs” column, then the event is observable. If the check box is not checked for the “Obs” column, then the event is unobservable.

The second partition is used for modular diagnosis. This partition is defined by the column “Module” (see Figure A.10). For each event the user enters which module the event belongs to. The modules are enumerated. Thus, the entries of the “Module” column are integers.

The third partition defines the fault partition. This partition is defined by the column “Fault” (see Figure A.10). If the event does not belong to a fault type, then the entry in the column “Fault” is zero. Otherwise, the fault type is entered. The fault types are enumerated. Thus, the entries of this column are integers.

All three partitions are opened and saved together. One name is given to all the partitions, but a different file extension is assigned to each partition (see Table A.1 for details).

Figure A.10: The partitions of the Petri net.

A.2 Draw: How to draw graphs?

This section explains how the loaded graphs are drawn. The user can draw the “Petri Net”, the “Distributed Petri Net” and the “Connection Graph”. All the drawn graphs are saved to a folder named “Figures”, either under the “Examples” folder or otherwise under the directory in which Diagnoser Toolbox runs. The color codes of the different types of events and places are given in Table A.2.

Color        Description
yellow       Observable event
pink         Unobservable event
red/orange   Fault
green        Place
blue         Common place

Table A.2: The color code of events and places.

A.2.1 Petri Net

The Petri net is drawn by GraphViz [1] (specifically dot.exe; see Figure A.11). The toolbox creates the pn.dot file under the “Figures” folder and calls dot.exe to convert the pn.dot file to pn.jpg, pn.png, pn.gif, pn.png. The file pn.png is loaded as a Matlab figure.

Figure A.11: The Petri net.


A.2.2 Distributed Petri Net

The distributed Petri net is drawn by GraphViz (specifically dot.exe; see Figure A.12). The toolbox creates the dpn.dot file under the “Figures” folder and calls dot.exe to convert the dpn.dot file to dpn.jpg, dpn.png, dpn.gif, dpn.png. The file dpn.png is loaded as a Matlab figure.

Figure A.12: The distributed Petri net.

A.2.3 Connection Graph

The connection graph is likewise drawn by GraphViz (specifically dot.exe; see Figure A.13). The toolbox creates the con.dot file under the “Figures” folder and calls dot.exe to convert the con.dot file to con.jpg, con.png, con.gif, con.png. The file con.png is loaded as a Matlab figure. In the connection graph, the nodes denote the modules. An edge drawn between two nodes denotes the existence of common places between the modules corresponding to these two nodes and is labeled with the set of common places between the modules. No edge is drawn between two nodes if the set of common places between the modules corresponding to these two nodes is empty.

Figure A.13: The connection between the modules in the distributed Petri net.

A.3 Modular: How to run the distributed diagnosis algorithm?

This section explains how to run the distributed diagnosis with communication algorithm (DDC-M).

A.3.1 Initialize

This menu initializes the Petri net and the diagnosers of the modules to their initial states and diagnoser states, respectively. In addition, it clears the windows of Diagnoser Toolbox.

A.3.2 Sequence

Users can enter the sequence of observable events to run DDC-M. The menu allows adding or deleting observable events only (see Figure A.14).


Figure A.14: The sequence of observable events.

A.3.3 Enable?

This menu shows the events enabled from the current diagnoser states on the left and the sequence of events observed on the right. Users can append events from the list of enabled events (see Figure A.15).

A.3.4 Distributed Diagnosis with Communication Algorithm

This menu option runs DDC-M and outputs the sequence of events observed, which module sends a message to which module, the fault information and the diagnoser states in Diagnoser Toolbox (see Figure A.16). The message labels of the diagnoser states are shown in another window. If the “Enabled?” menu is open, then the set of enabled events is refreshed.

The diagnoser states (token distribution) are also shown on the figure window of the distributed Petri net. However, the states of the common places are not shown there; users can see the token distribution in the “Diagnoser States” menu of Diagnoser Toolbox.

Figure A.15: The set of enabled events.

Figure A.16: The result of DDC-M .

A.3.5 Merge

The “merge” operation combines the diagnoser states of the modules to form the monolithic diagnoser states (see Figure A.17). To check whether the correct result is achieved, this menu option runs the monolithic diagnosis algorithm (MDA) and compares the result of the “merge” operation with that of MDA.

Figure A.17: The result of the “merge” operation.

A.4 Monolithic Diagnosis

This menu option runs MDA and outputs the diagnoser states and fault information.

A.4.1 Initialize

Same as Section A.3.1.

A.4.2 Sequence

Same as Section A.3.2.

A.4.3 Enable?

Same as Section A.3.3.


A.4.4 Diagnosis: Monolithic Diagnosis

This menu option runs MDA (see Figure A.16). The diagnoser states (token distribution) are also shown in the figure window of the distributed Petri net.

Figure A.18: The result of MDA.

A.5 Example

In this section, we first illustrate the application of DDC-M. Then, we merge the diagnoser states of the modules. Finally, we show that the merge correctly obtains the diagnoser state of the complete system. We consider an example of an automated manufacturing system which is a modified version of a system considered in [18], page 172. The Petri net graph of the example is given in Figure A.21. The system has three modules. Each module corresponds to a machine. Each machine gets parts from the buffers, processes the parts and then puts them into the buffers. Faults may occur during the operation of the machines.


The sets of places of the modules are

\[
P_1 = \{p_1, p_2, p_3, p_4, p_5, p_6\}, \qquad
P_2 = \{p_1, p_5, p_7, p_8, p_9, p_{10}\}
\]

and

\[
P_3 = \{p_1, p_6, p_{10}, p_{11}, p_{12}\}.
\]

The buffers from which the machines get parts, or into which they put parts, are modeled as common places. The sets of common places are as follows: $P_{1,2} = \{p_1, p_5\}$, $P_{1,3} = \{p_1, p_6\}$ and $P_{2,3} = \{p_1, p_{10}\}$ (see Figure A.19). Note that $p_1$ is common to all of the modules.

Figure A.19: Manufacturing system modules connection graph.

The initial diagnoser states of the modules are as follows:

\[
x^1_{d,0} = \begin{array}{c|c} 1, 2, 3, 4, 5, 6 & 1 \\ \hline 1, 0, 0, 0, 1, 1 & 0 \end{array}, \qquad
x^2_{d,0} = \begin{array}{c|c} 1, 5, 7, 8, 9, 10 & 2 \\ \hline 1, 1, 0, 0, 0, 1 & 0 \end{array}, \qquad
x^3_{d,0} = \begin{array}{c|c} 1, 6, 10, 11, 12 & 3 \\ \hline 1, 1, 1, 0, 0 & 0 \end{array}. \tag{A.1}
\]


Note that the rows above the matrices $x^1_{d,3}$, $x^2_{d,3}$ and $x^3_{d,3}$ show the place numbers and fault types of the complete system.

Suppose that we observe the sequence of events M1Busy, M1Process, M2Busy. When we run DDC-M on the system, we see that the observations of M1Busy and M1Process each result in a message being sent from $M_{d,1}$ to $M_{d,2}$ and $M_{d,3}$. The observation of M2Busy results in a message being sent from $M_{d,2}$ to $M_{d,1}$, but no message is sent from $M_{d,2}$ to $M_{d,3}$. After observation of the above sequence of events the output of the Diagnoser Toolbox is displayed (see Figure A.20) and the diagnoser states of the modules are calculated by DDC-M to be (see Figure A.22):

\[
x^1_{d,3} = \begin{array}{c|c|c|c}
1, 2, 3, 4, 5, 6 & 1 & 1, 5, 1, 5, 1, 5 & 1, 6, 1, 6 \\ \hline
0, 0, 0, 0, 1, 2 & 0 & -1, 0, 0, 1, 0, -1 & -1, 0, 0, 1 \\
0, 0, 0, 0, 0, 2 & 1 & -1, 0, 0, 0, 0, -1 & -1, 0, 0, 1
\end{array}, \tag{A.2}
\]

\[
x^2_{d,3} = \begin{array}{c|c|c}
1, 5, 7, 8, 9, 10 & 2 & 1, 5, 1, 5, 1, 5 \\ \hline
0, 1, 1, 1, 0, 1 & 0 & -1, 0, 0, 1, 0, -1 \\
0, 0, 1, 1, 0, 1 & 0 & -1, 0, 0, 0, 0, -1 \\
0, 1, 1, 0, 1, 1 & 1 & -1, 0, 0, 1, 0, -1 \\
0, 0, 1, 0, 1, 1 & 1 & -1, 0, 0, 0, 0, -1
\end{array}, \tag{A.3}
\]

\[
x^3_{d,3} = \begin{array}{c|c|c}
1, 6, 10, 11, 12 & 3 & 1, 6, 1, 6 \\ \hline
0, 2, 1, 1, 0, 0 & 0 & -1, 0, 0, 1
\end{array}. \tag{A.4}
\]

Figure A.20: Petri net model of manufacturing system processed by Diagnoser Toolbox.

When $x^1_{d,3}$, $x^2_{d,3}$ and $x^3_{d,3}$ are merged, the first row of $x^1_{d,3}$ merges with the first and third rows of $x^2_{d,3}$, and then with $x^3_{d,3}$. The second row of $x^1_{d,3}$ merges with the second and fourth rows of $x^3_{d,3}$, and then with $x^3_{d,3}$. Overall, merge correctly forms the diagnoser state of the complete system as (see Figure A.23):

\[
x_{d,3} = \begin{array}{c|c}
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 & 1, 2, 3 \\ \hline
0, 0, 0, 0, 1, 2, 1, 1, 0, 1, 0, 0 & 0, 0, 0 \\
0, 0, 0, 0, 0, 2, 1, 1, 0, 1, 0, 0 & 1, 0, 0 \\
0, 0, 0, 0, 1, 2, 1, 0, 1, 1, 0, 0 & 1, 1, 0 \\
0, 0, 0, 0, 1, 2, 1, 0, 1, 1, 0, 0 & 0, 1, 0
\end{array}. \tag{A.5}
\]

Figure A.21: Petri net model of manufacturing system.

Now, suppose that we observe the events M2Busy, M2Process and M2Process, in that order. The observation of M2Busy results in a message being sent from $M_{d,2}$ to $M_{d,1}$, but no message is sent from $M_{d,2}$ to $M_{d,3}$. After that, observing M2Process twice results in a message being sent from $M_{d,2}$ to $M_{d,1}$ and $M_{d,3}$. After observation of the above sequence of events the output of the Diagnoser Toolbox is displayed (see Figure A.24) and the diagnoser states of the modules are calculated by DDC-M to be (see Fig. A.25):

\[
x^1_{d,3} = \begin{array}{c|c} 1, 2, 3, 4, 5, 6 & 1 \\ \hline 3, 0, 0, 0, 0, 1 & 0 \end{array}, \tag{A.6}
\]

\[
x^2_{d,3} = \begin{array}{c|c} 1, 5, 7, 8, 9, 10 & 2 \\ \hline 3, 0, 0, 0, 0, 3 & 1 \end{array}, \tag{A.7}
\]

\[
x^3_{d,3} = \begin{array}{c|c} 1, 6, 10, 11, 12 & 3 \\ \hline 3, 1, 3, 0, 0 & 0 \end{array}. \tag{A.8}
\]

Figure A.22: Petri net model of manufacturing system.

Thus, upon observation of the sequence of events M2Busy, M2Process, M2Process, $M_{d,2}$ is certain of fault type 2. Since there is only one row in each diagnoser state, the merging operation is trivial and the centralized diagnoser state is found as (see Figure A.26):

\[
x_{d,3} = \begin{array}{c|c}
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 & 1, 2, 3 \\ \hline
3, 0, 0, 0, 0, 1, 0, 0, 0, 3, 0, 0 & 0, 1, 0
\end{array}. \tag{A.9}
\]
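As an added illustration (not code from the dissertation or from Diagnoser Toolbox), the following Python carries out the “merge” step on the module diagnoser states of both sequences above. It assumes that a row of one module is compatible with a row of another exactly when the two agree on the token counts of their common places, and it drops the message-label columns of (A.2)–(A.4), which that rule does not need.

```python
"""Merge of modular Petri-net diagnoser states (illustrative code, not the toolbox's)."""
from itertools import product

# Place sets P1, P2, P3 of the three machine modules in the manufacturing example.
MODULE_PLACES = {
    1: (1, 2, 3, 4, 5, 6),
    2: (1, 5, 7, 8, 9, 10),
    3: (1, 6, 10, 11, 12),
}
ALL_PLACES = tuple(range(1, 13))  # P1 | P2 | P3 = {p1, ..., p12}

# A module diagnoser state is a list of rows: (token counts over that module's
# places, fault-type label). Message-label columns are omitted (assumption of
# this example: compatibility is decided on token counts alone).
# Token rows of (A.2)-(A.4) after observing M1Busy, M1Process, M2Busy. The
# (A.4) row as printed has six entries for five places; the five used here are
# read off the p1, p6, p10, p11, p12 columns of the merged state (A.5).
AFTER_FIRST_SEQUENCE = {
    1: [((0, 0, 0, 0, 1, 2), 0), ((0, 0, 0, 0, 0, 2), 1)],
    2: [((0, 1, 1, 1, 0, 1), 0), ((0, 0, 1, 1, 0, 1), 0),
        ((0, 1, 1, 0, 1, 1), 1), ((0, 0, 1, 0, 1, 1), 1)],
    3: [((0, 2, 1, 0, 0), 0)],
}
# Token rows of (A.6)-(A.8) after observing M2Busy, M2Process, M2Process.
AFTER_SECOND_SEQUENCE = {
    1: [((3, 0, 0, 0, 0, 1), 0)],
    2: [((3, 0, 0, 0, 0, 3), 1)],
    3: [((3, 1, 3, 0, 0), 0)],
}


def tokens_by_place(module, row):
    """Map each place of `module` to the token count that `row` assigns it."""
    return dict(zip(MODULE_PLACES[module], row[0]))


def rows_agree(mod_a, row_a, mod_b, row_b):
    """Two local rows are compatible when they report the same token count on
    every common place of the two modules (e.g. P_{1,2} = {p1, p5})."""
    tok_a, tok_b = tokens_by_place(mod_a, row_a), tokens_by_place(mod_b, row_b)
    shared = set(MODULE_PLACES[mod_a]) & set(MODULE_PLACES[mod_b])
    return all(tok_a[p] == tok_b[p] for p in shared)


def merge(states):
    """Combine module diagnoser states into the monolithic diagnoser state.

    Every choice of one row per module whose rows pairwise agree on the common
    places yields one merged row: token counts over all 12 places, plus one
    fault label per fault type (module i's fault column is fault type i).
    """
    modules = sorted(states)
    merged = []
    for combo in product(*(states[m] for m in modules)):
        pairs = ((i, j) for i in range(len(modules)) for j in range(i + 1, len(modules)))
        if not all(rows_agree(modules[i], combo[i], modules[j], combo[j]) for i, j in pairs):
            continue  # rows disagree on a buffer (common place); not a consistent global state
        tokens = {}
        for m, row in zip(modules, combo):
            tokens.update(tokens_by_place(m, row))
        faults = tuple(row[1] for row in combo)
        merged.append((tuple(tokens[p] for p in ALL_PLACES), faults))
    return merged


def same_state(state_a, state_b):
    """Order-insensitive comparison of two diagnoser states (rows are a set)."""
    return sorted(state_a) == sorted(state_b)


if __name__ == "__main__":
    for label, states in (("first", AFTER_FIRST_SEQUENCE), ("second", AFTER_SECOND_SEQUENCE)):
        print(f"merged diagnoser state after the {label} sequence:")
        for tokens, faults in merge(states):
            print("  ", tokens, "|", faults)
```

For the second sequence the merge yields the single row of (A.9); for the first it yields four rows, pairing the rows of $x^1_{d,3}$ and $x^2_{d,3}$ by their agreement on $p_5$.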


Figure A.23: Petri net model of manufacturing system.


Figure A.24: Petri net model of manufacturing system processed by Diagnoser Tool-box.


Figure A.25: Petri net model of manufacturing system.


Figure A.26: Petri net model of manufacturing system.


BIBLIOGRAPHY

[1] Graphviz. AT&T Labs-Research. http://www.research.att.com/sw/tools/graphviz/.

[2] S. Bavishi and E. Chong. Automated fault diagnosis using a discrete event systems framework. In 9th IEEE International Symposium on Intelligent Control, pages 213–218, 1994.

[3] A. Benveniste, E. Fabre, S. Haar, and C. Jard. Diagnosis of asynchronous discrete event systems, a net unfolding approach. IEEE Trans. Automatic Control, 48(5):714–727, May 2003.

[4] R. K. Boel and G. Jiroveanu. A distributed approach for fault detection and diagnosis based on time Petri nets. In Proceedings of CESA’03, Lille, France, July 2003.

[5] R. K. Boel and G. Jiroveanu. Distributed contextual diagnosis for very large systems. In Proc. of the 2004 International Workshop on Discrete Event Systems - WODES’04, Reims, France, September 2004.

[6] Samuel R. Buss, Christos Papadimitriou, and John Tsitsiklis. On the predictability of coupled automata: an allegory about chaos. Complex Systems, 5:525–539, 1991.

[7] P. Caines, R. Greiner, and S. Wang. Classical and logic based dynamic observers for finite automata. IMA J. Math. Control Inform., 8:45–80, 1991.

[8] P. Caines and S. Wang. COCOLOG: A conditional observer and controller logic for finite machines. SIAM J. Control and Optimization, 33(6):1687–1715, 1995.

[9] Xi-Ren Cao. The predictability of discrete event systems. IEEE Trans. Automatic Control, 34(11):1168–1171, November 1989.

[10] C. G. Cassandras and S. Lafortune. Introduction to Discrete Event Systems. Kluwer Academic Publishers, 1999.

[11] R. Cieslak, C. Desclaux, A. Fawaz, and P. Varaiya. Supervisory control of discrete-event processes with partial observations. IEEE Trans. Automatic Control, 33(3):249–260, March 1988.


[12] O. Contant, S. Lafortune, and D. Teneketzis. Diagnosis of modular discrete event systems. In Proc. of the 2004 International Workshop on Discrete Event Systems - WODES’04, Reims, France, September 2004.

[13] H. T. Simsek, R. Sengupta, S. Yovine, and F. Eskafi. Fault diagnosis for intra-platoon communication. In Proc. 38th IEEE Conf. on Decision and Control, December 1999.

[14] A. Darwiche and G. Provan. Exploiting system structure in model-based diagnosis of discrete event systems. In Proceedings of the Seventh International Workshop on the Principles of Diagnosis, DX-96, Val Morin, Canada, October 1996.

[15] M. H. de Queiroz and J. E. R. Cury. Modular control of composed systems. In Proc. 2000 American Control Conf., Chicago, USA, June 2000.

[16] R. Debouk, S. Lafortune, and D. Teneketzis. Coordinated decentralized protocols for failure diagnosis of discrete-event systems. Discrete Event Dynamic Systems: Theory and Applications, 10(1/2):33–86, January 2000.

[17] A. A. Desrochers and Robert Y. Al-Jaar. Applications of Petri nets in automated manufacturing systems: Modeling, control, and performance analysis. IEEE Press, 1995.

[18] Alan A. Desrochers and Robert Y. Al-Jaar. Applications of Petri Nets in Manufacturing Systems: Modeling, Control and Performance Analysis. Institute of Electrical and Electronics Engineers, Inc., 1994.

[19] H. K. Fadel and L. E. Holloway. Using SPC and template monitoring method for fault detection and prediction in discrete event manufacturing systems. In Proceedings of the 1999 IEEE International Symposium on Intelligent Control/Intelligent Systems and Semiotics, pages 150–155, September 1999.

[20] P. M. Frank. Analytical and qualitative model-based fault diagnosis - a survey and some new results. European Journal of Control, 2:6–28, 1996.

[21] E. García, F. Morant, R. Blasco-Gimenez, and E. Quiles. Centralized modular diagnosis and the phenomenon of coupling. In M. Silva, A. Giua, and J. M. Colom, editors, Proceedings of the 6th International Workshop on Discrete Event Systems, pages 161–168. IEEE Computer Society, October 2002.

[22] S. Genc and S. Lafortune. Distributed diagnosis of discrete-event systems using Petri nets. In Application and Theory of Petri Nets, 2003 (Series Lecture Notes in Computer Science), volume 2679, pages 316–336. Springer-Verlag, June 2003.

[23] S. Genc and S. Lafortune. A distributed algorithm for on-line diagnosis of place-bordered Petri nets. In 16th International Federation of Automatic Control World Congress, Prague, Czech Republic, July 2005.


[24] J. Gertler. Fault Detection and Diagnosis in Engineering Systems. Marcel Dekker, 1998.

[25] Alessandro Giua. Petri net state estimators based on event observation. IEEE 36th Int. Conf. on Decision and Control, pages 4086–4091, December 1997.

[26] Alessandro Giua. State estimation of λ-free labeled Petri nets with contact-free nondeterministic transitions. Discrete Event Dynamic Systems: Theory and Applications, 15(1):85–108, March 2005.

[27] Christoforos N. Hadjicostis and George C. Verghese. Monitoring Discrete Event Systems Using Petri Net Embeddings. Application and Theory of Petri Nets 1999 (Series Lecture Notes in Computer Science), 1639:188–207, 1999.

[28] W. Hamscher, M. Y. Kiang, and R. Lang. Qualitative reasoning in business, finance, and economics: introduction. Decis. Support Syst., 15(2):99–103, 1995.

[29] D. Handelman and R. Stengel. Combining expert systems and analytical redundancy concepts for fault tolerant flight control. Journal of Guidance, 12(1):39–45, 1989.

[30] L. Holloway and S. Chand. Time templates for discrete event fault monitoring in manufacturing systems. In American Control Conference, Baltimore, MD, June 1994.

[31] Samuel T. King and Peter M. Chen. Backtracking intrusions. ACM Trans. Comput. Syst., 23(1):51–76, February 2005.

[32] Donald E. Knuth, James H. Morris Jr., and Vaughan R. Pratt. Fast pattern matching in strings. SIAM J. Comput., 6(2):323–350, 1977.

[33] S. Lafortune and L. Ricker. Desuma. http://www.eecs.umich.edu/umdes/toolboxes.html.

[34] S. Lafortune, D. Teneketzis, M. Sampath, R. Sengupta, and K. Sinnamohideen. Failure diagnosis of dynamic systems: An approach based on discrete event systems. In Proc. 2001 American Control Conf., pages 2058–2071, June 2001.

[35] F. Lin. Diagnosability of discrete-event systems and its applications. In Discrete Event Dynamic Systems: Theory and Applications, volume 4, 1994.

[36] F. Lin, J. Markee, and B. Rado. Design and test of mixed signal circuits: A discrete-event approach. In Proc. 32nd IEEE Conf. on Decision and Control, 1993.

[37] F. Lin and W. M. Wonham. On observability of discrete-event systems. Information Sciences, 44:173–198, 1988.

[38] J. Lunze and J. Schroeder. Process diagnosis based on a discrete-event description. Automatisierungstechnik, 47:358–365, 1999.


[39] Ludovic Mé and Cédric Michel. Intrusion detection: A bibliography. Technical Report SSIR-2001-01, Supélec, Rennes, France, September 2001.

[40] C. M. Ozveren and A. S. Willsky. Observability of discrete event dynamic systems. IEEE Trans. Automatic Control, 35(7):797–806, July 1990.

[41] C. M. Ozveren and A. S. Willsky. Invertibility of discrete event dynamic systems. Math. Control Signals Systems, 5:365–390, 1992.

[42] C. M. Ozveren, A. S. Willsky, and P. J. Antsaklis. Stability and stabilizability of discrete event dynamic systems. Journal of the ACM, 38(3):730–752, July 1991.

[43] Y. Park and E. Chong. On the eventual invertibility of discrete event systems and its applications. In Proc. 32nd IEEE Conf. on Decision and Control, pages 680–685, December 1993.

[44] Y. Park and E. Chong. Fault detection and identification in communication networks: A discrete event systems approach. In Proc. 33rd Allerton Conf. on Communication, Control, and Computing, September 1995.

[45] A. D. Pouliezos and G. S. Stavrakakis. Real time fault monitoring of industrial processes. Kluwer Academic Publishers, 1994.

[46] Jean-Marie Proth and Xiaolan Xie. Petri nets: A tool for design and management of manufacturing systems. Wiley, 1996.

[47] P. J. Ramadge. Observability of discrete event systems. In Proc. 25th IEEE Conf. on Decision and Control, pages 1108–1112, Athens, Greece, December 1986.

[48] P. J. Ramadge. On the periodicity of symbolic observations of piecewise smooth discrete-time systems. IEEE Trans. Automatic Control, 35(7):807–813, July 1990.

[49] P. J. Ramadge and W. M. Wonham. The control of discrete event systems. Proc. IEEE, 77(1):81–98, January 1989.

[50] S. Rich and V. Venkatasubramanian. Model-based reasoning in diagnostic expert systems for chemical process plants. Computers and Chemical Engineering, 11(2):111–122, 1987.

[51] M. Sampath. Discrete event systems based diagnostics for a variable air volume terminal box application. Technical report, Advanced Development Team, Johnson Controls, Inc., September 1995.

[52] M. Sampath. A hybrid approach to failure diagnosis of industrial systems. In Proc. 2001 American Control Conf., June 2001.


[53] M. Sampath, A. Godambe, E. Jackson, and E. Mallow. Combining qualitative and quantitative reasoning - a hybrid approach to failure diagnosis of industrial systems. In IFAC SafeProcess 2000, pages 494–501, June 2000.

[54] M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen, and D. Teneketzis. Diagnosability of discrete event systems. IEEE Trans. Automatic Control, 40(9):1555–1575, September 1995.

[55] M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen, and D. Teneketzis. Failure diagnosis using discrete event models. IEEE Trans. Control Systems Technology, 4(2):105–124, March 1996.

[56] R. Sengupta. Discrete-event diagnostics of automated vehicles and highways. In Proc. 2001 American Control Conf., June 2001.

[57] Jiang Shengbing and Ratnesh Kumar. Failure diagnosis of discrete-event systems with linear-time temporal logic specifications. IEEE Trans. Automatic Control, 49(6):934–945, June 2004.

[58] Joseph Sifakis. Realization of fault-tolerant systems by coding Petri nets. Journal of Design Automation and Fault-Tolerant Computing, 3:93–107, April 1979.

[59] R. Su and W. M. Wonham. Hierarchical distributed diagnosis under global consistencies. In M. Silva, A. Giua, and J. M. Colom, editors, Proc. of the 2004 International Workshop on Discrete Event Systems - WODES’04, pages 157–162, September 2004.

[60] R. Su, W. M. Wonham, J. Kurien, and X. Koutsoukos. Distributed diagnosis for qualitative systems. In M. Silva, A. Giua, and J. M. Colom, editors, Proc. of the 2002 International Workshop on Discrete Event Systems - WODES’02, pages 169–174. IEEE Computer Society, October 2002.

[61] N. Viswanadham and Y. Narahari. Performance Modeling of Automated Manufacturing Systems. Prentice-Hall Inc, 1992.

[62] W. Hamscher, L. Console, and J. de Kleer, editors. Readings in model-based diagnosis. Morgan Kaufmann Publishers Inc., San Francisco, CA, USA, 1992.

[63] A. S. Willsky. A survey of design methods for failure detection in dynamic systems. Automatica, 12:601–611, 1976.

[64] Tae-Sic Yoo and Stephane Lafortune. Polynomial-time verification of diagnosability of partially-observed discrete-event systems. IEEE Transactions on Automatic Control, 47(9):1491–1495, 2002.

[65] MengChu Zhou and Frank DiCesare. Petri net synthesis for discrete event control of manufacturing systems. Kluwer Academic Publishers, 1993.


[66] MengChu Zhou and Kurapati Venkatesh. Modeling, simulation, and control of flexible manufacturing systems: A Petri net approach. World Scientific, 1999.


ABSTRACT

ON DIAGNOSIS AND PREDICTABILITY OF PARTIALLY-OBSERVED

DISCRETE-EVENT SYSTEMS

by

Sahika Genc

Chair: Stephane Lafortune

In this thesis, problems of diagnosis and prediction of event sequences in dynamic systems modeled using discrete-event formalisms are studied.

Monolithic and distributed on-line fault detection and isolation of modular dynamic systems modeled as sets of partially-observed place-bordered Petri nets are considered. The common places among the set of Petri nets modeling a system capture the coupling of various system components. The transitions are labeled by events, some of which are unobservable, i.e., not directly recorded by the sensors attached to the system. The events whose occurrences must be diagnosed have unobservable transition labels. These events model faults or other significant changes in the system state. The existing theory of diagnosis of discrete-event systems is extended in the context of the above model. The modular structure of the system is exploited by a distributed algorithm for fault diagnosis. A Petri net diagnoser is associated to every Petri net and the diagnosers communicate in real-time during the diagnostic process when the token count of common places changes. A merge function is defined to combine the individual diagnoser states and recover the complete diagnoser state that would be obtained under a monolithic approach. Strategies that reduce the communication overhead are presented. The software implementation of the distributed algorithm is discussed.

The problem of diagnosis of a pattern of events in a partially-observed discrete-event system is studied. Two different types of pattern diagnosability are defined in the context of formal languages: (i) S-type for patterns in the form of subsequences of sequences of events and (ii) T-type for patterns in the form of substrings of sequences of events. These two notions of pattern diagnosability generalize the notion of diagnosability of single events in prior works. Implementable necessary and sufficient conditions for both types of pattern diagnosability in systems modeled by regular languages are presented.

Finally, the problem of predicting occurrences of a significant event in a discrete-event system is considered. The notion of predictability of event occurrences in a system is defined in the context of formal languages. The predictability of a language is a stronger condition than the diagnosability of the language. Implementable necessary and sufficient conditions for predictability of event occurrences in systems modeled by regular languages are presented. It is shown that predictability in systems modeled by regular languages can be tested in polynomial time.