
Rules-based Modeling of an Assembly Line and its Diagnosis

Vigyan Chandra, Technology Dept., Eastern Kentucky University, Richmond, KY

Zhongdong Huang, Dept. of Elec. & Comp. Eng., Univ. of Kentucky, Lexington, KY

Ratnesh Kumar, Dept. of Elec. and Comp. Eng., Iowa State Univ., Ames, IA ∗

Abstract

We study diagnosis of an assembly-line [13] that is modeled in the rules-based modeling formalism introduced in [7], and later extended in [14] to model failure-prone systems. An attractive feature of the rules-based model is its compactness (the size of the model is polynomial in the number of input and output signals). A motivation for the work presented in [15] is to develop failure diagnosis techniques that can exploit this compactness. In order to demonstrate the usefulness of the rules-based model and of diagnosis techniques based on such a model in manufacturing systems, an educational test-bed that simulates an automated car assembly-line built using LEGO® blocks is being employed. An automaton model based control of this system was presented in [13]. In this paper we provide a rules-based model of the assembly-line. Next we demonstrate the diagnosis technique for a rules-based model, that is based on 1st-order temporal logic model checking [15], by applying it to a part of the assembly-line. When the system is found to be not diagnosable, we use sensor refinement and sensor augmentation to make the system diagnosable.

Keywords: Discrete event system, rules-based model, diagnosability, 1st-order temporal logic model checking, on-line diagnoser, assembly-line

∗The research was supported in part by the National Science Foundation under the grants NSF-ECS-0099851 and NSF-ECS-0218207, a DoD-EPSCoR grant through the Office of Naval Research under the grant N000140110621, a KYDEPSCoR grant, and an Iowa State University Faculty Start-up Grant.



1 Introduction

Detection and isolation of failures in large, complex systems is a crucial and challenging task. A failure is a deviation of a system from its normal or required behavior, such as occurrence of a failure event, or visiting a failed state, or more generally, violating a design specification. A stuck-closed valve, decrease in the efficiency of a heat exchanger, abnormal bias in the output of a sensor, and leakage in pipelines are examples of events that can result in failures. Failure diagnosis is the process of detecting and identifying such deviations in a system using the information available through the sensors. The problem of failure diagnosis has received considerable attention in the literature of reliability engineering, control, and computer science. Recently, it has also been studied in the framework of discrete event systems (DESs) [1, 2, 3, 4, 5, 6, 10, 11, 12, 14, 15, 16, 18, 19, 22, 23, 24, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36].

A notion of failure diagnosis of qualitative behaviors of discrete event systems was first proposed in [26]. The idea is that if the DES executes a faulty event, then it must be diagnosed within a bounded number of state-transitions/events. A method for constructing a diagnoser was developed, and a necessary and sufficient condition of diagnosability was obtained in terms of certain properties of the constructed diagnoser. The above work was further extended to timed systems in [4] and to decentralized diagnosis in [29]. In [16], an algorithm of polynomial complexity for testing diagnosability without having to construct a diagnoser was obtained. This later work enabled a quick test for diagnosability; by applying this test a diagnoser is constructed only for those systems that are diagnosable. Note that the off-line construction of a diagnoser is of exponential complexity [26].

In [23, 24], the authors proposed a state-based approach for diagnosis; they studied the problems of off-line and on-line diagnosis where the basic idea was to “test and observe”. Extensions of the above work can be found in [1] where the authors studied testability of DESs. In [2, 3], the problem of failure detection in communication networks was studied, where both the normal and faulty behaviors of the system were modeled by formal languages. In [6], the authors also studied the problem of fault detection in communication networks where faults are specified as change and addition of arcs in the finite state machine (FSM) model of the normal system, and a diagnosis method was provided. In [33], a state-based approach for failure diagnosis of timed systems was proposed. In [10, 11, 12], the authors developed a template based monitoring scheme using timing and sequencing relationships of events for fault monitoring in manufacturing systems. In [30], the application of DES techniques to digital circuits was studied, and an algorithm for the delay fault testability modeling and analysis was presented.

In most of the above works, the non-faulty behavior of the system, also called the specification, is either specified by an automaton (containing no failure states) or by a language (event-traces containing no failure events). Since in a practical setting a specification is generally given in a natural language, we need to first transform a natural language specification into a formal language specification before we apply the above failure diagnosis results. Given a simple natural language specification, the process of finding a corresponding formal language specification can be tedious, non-intuitive, and error-prone, making it inaccessible to non-specialists. So there exists a gap between the informal natural language specification and the corresponding formal language specification. Temporal logic based specification was proposed in [9] as an attempt to bridge such a gap. Temporal logic has been used in the analysis and control of DESs [37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 50]; and it has also been used as a formalism for diagnosing DESs in [5, 18, 20, 36].

In this paper, we study the modeling and failure diagnosis of a miniature assembly line [13] in the rules-based model developed in [7], and later extended in [14] to also model faults. Variables and rules for modifying their values are used to compactly model a DES. The representation of a system with faults in the rules-based modeling formalism is polynomial in the number of input-output signals and faults. The compactness of this model, together with its intuitive nature, makes it user-friendly, less error-prone, more flexible, easily scalable, and provides canonicity of representation for models of systems with faults. The motivation of the work presented in [15] is to develop techniques for failure diagnosis that are able to exploit the compactness of the model. In this regard, techniques based on 1st-order temporal logic model-checking and predicates and predicate transformers were developed.

The rules-based modeling formalism is based on an input/output view of the system. The input signals of the system are the independent variables, and the output signals are the dependent variables, which are a function of the independent variables and of other dependent variables. For simplicity, all signals in the system are assumed to be binary valued (extension to non-binary valued signals has been considered in the rules-based formalism [7]), and it is also assumed that the state of the system can be specified by the current values of the signals (extension to the case when the state also depends on the past values of the signals has also been considered in [7]). In order to model failure prone systems, a binary valued fault signal is introduced to model the presence or absence of each fault. From a modeling standpoint, the fault signals are treated just the same as any other signal in the system. Addition of fault signals to capture the faulty behavior requires new rules for the added fault events, and modification of the rules of existing non-faulty events, by appropriately weakening their enabling guard conditions.

In the rules-based model, initial conditions are used to specify the initial values of the system signals. An event is a transition of an input or an output signal from one binary value to another. For each of the input and output events of the system (which includes the fault events), we obtain event occurrence rules. The antecedent of such a rule is a predicate over the signal values that serves as the event enabling condition.

The present paper demonstrates the applicability of the rules-based modeling and diagnosis techniques to practical manufacturing systems. The demonstration system is a simple educational test-bed built using LEGO® blocks that simulates an automated car assembly-line. This miniature assembly-line shown in Figure 1 performs the assembly of the roof and the chassis. These two parts are transported to the press section from their respective loading sections, where a vertical press operation presses the two parts together, and finally the assembled part exits the assembly-line through the unloading section. A transporter links the chassis, roof, press, and unloading sections. While setting up the miniature LEGO® assembly-line, the one built at the University of Massachusetts [49] served as a prototype.

We present the rules-based models of each of the individual sections, the composition of which is the entire plant model. The number of rules in the transporter, chassis, roof, press, and unloading sections is 18, 12, 12, 10, and 6, respectively (compare this to a total of about 1.7 × 10^6 states for the entire assembly-line if it were to be modeled as an automaton). For demonstrating the 1st-order temporal logic model-checking based diagnosis technique developed in [15], we consider a simplified model of the transporter section, and analyze its diagnosability properties. When the system under examination is not diagnosable, sensor refinement/augmentation can be used to make the system diagnosable. We illustrate through various examples drawn from the LEGO® assembly-line how sensor refinement/augmentation methods can be used to make the system diagnosable.

The rest of the paper is organized as follows. In Section 2, the definitions of predicates and predicate transformers, rules-based model, and diagnosability are introduced. A description and rules-based model of the LEGO® assembly-line is given in Section 3. Section 4 illustrates diagnosis in the rules-based model using a simplified model of one section of the assembly-line, and also studies how to design diagnosable systems, again using examples from the LEGO® assembly-line. Finally, conclusions are provided in Section 5.

2 Notation and Preliminaries

2.1 Rules-based Model, Predicates, and their Transformers

A discrete event system, denoted G, is a 4-tuple G := (X, Σ, ⇝, X0), where X denotes the state set, Σ is the finite event set, ⇝ ⊆ X × Σ × X is the set of state transitions, and X0 ⊆ X is the set of initial states. We use state variables to represent the states and a finite set of conditional assignment statements, called rules, to represent the state transitions.

The notation ~v is used to denote the vector of state variables of G. If ~v is n-dimensional, then ~v = [v1, . . . , vi, . . . , vn], where vi is the ith state variable. The state space X of G equals the Cartesian product of the domains of all state variables, i.e.,

$$X := \prod_{i=1}^{n} D(v_i),$$

where D(vi) is the domain of vi. By definition D(vi) is a countable set and can be identified with the set of natural numbers N.

We use predicates for describing various subsets of the state space. Let 𝒫(~v) denote the collection of predicates defined using the state variable vector ~v, i.e., if P(~v) ∈ 𝒫(~v), then it is a boolean valued map P(~v) : X → {0, 1}. Consider for example a two dimensional state space X = Z². Then the predicate P(~v) = [v1 ≥ v2] refers to all the states in which the value of variable v1 is at least as large as the value of variable v2. The symbols true and false are used for denoting predicates that hold on all and none of the states respectively. With every predicate P(~v) ∈ 𝒫(~v), we associate a set X_P ⊆ X on which P(~v) takes the value one. Thus the collection of predicates 𝒫(~v) has a one-to-one correspondence with the power set 2^X, and the names predicates and state-sets can be used interchangeably. We say that the predicate P(~v) holds on X̂ ⊆ X if X̂ ⊆ X_P.

State transitions map a state to another state. Such mappings are extended to sets of states or predicates in a natural way, and are known as predicate transformers. We use 𝓕 to denote the collection of all predicate transformers, i.e., if f ∈ 𝓕, then f : 𝒫(~v) → 𝒫(~v). The conjunctive closure of f, denoted f_∗, and the disjunctive closure of f, denoted f^∗, are defined to be

$$f_{*} := \bigwedge_{i \ge 0} f^{i}, \qquad f^{*} := \bigvee_{i \ge 0} f^{i},$$

respectively, where f⁰ is the identity predicate transformer and f^{i+1} := f(f^i). Given f : X → X and P(~v) ∈ 𝒫(~v), P(f(~v)) is obtained by replacing ~v by f(~v) in P(~v). Consider for example the f given by f(v1, v2) = (v1 + v2, v1 − v2) and P(v1, v2) = [v1 < v2]. Then P(f(v1, v2)) equals [v1 + v2 < v1 − v2], which can be simplified to [v2 < 0].

Next we review the rules-based model [7] (which is a specific assignment program model [21]) for representing a DES G described above. The initial state set of G is specified as an initial predicate, denoted I(~v), which implies X0 = X_I. The state transitions “⇝” of G are specified using a finite set of rules, also called conditional assignment statements, of the form:

$$\sigma : [C_\sigma(\vec v)] \Rightarrow [\vec v \leadsto f_\sigma(\vec v)],$$

where σ ∈ Σ is an event, C_σ(~v) is a predicate, called the enabling condition or the guard, and f_σ : X → X is a map defined on the state space. If no guard is present, then true is treated as the guard. A conditional assignment statement of the above type is enabled if the condition C_σ(~v) holds. An enabled assignment statement may execute. Upon execution, new values are assigned to the state variables according to the map f_σ and a state transition on the event σ occurs. For simplicity, we assume that if multiple assignment statements are simultaneously enabled, only one of them is nondeterministically executed. This assumption may be relaxed to allow concurrency of execution.

Using the maps f_σ of the rules-based model, we can define the forward one-step reachable, fr, and backward one-step reachable, br, predicate transformers for G. fr determines the “postcondition” after the occurrence of a state transition for a given “precondition”, whereas br determines the “precondition” prior to the occurrence of a state transition for a given postcondition. For the assignment statement σ : [C_σ(~v)] ⇒ [~v ⇝ f_σ(~v)] and a condition P(~v), these are formally defined as follows:

$$fr(P(\vec v), \sigma) := C_\sigma(f_\sigma^{-1}(\vec v)) \wedge P(f_\sigma^{-1}(\vec v)); \qquad br(P(\vec v), \sigma) := C_\sigma(\vec v) \wedge P(f_\sigma(\vec v)).$$

Note that the computation of br is easier as compared to that of fr, since its computation does not require the extra computation of f_σ⁻¹.

For Σ̂ ⊆ Σ, we define

$$fr(P(\vec v), \hat\Sigma) := \bigvee_{\sigma \in \hat\Sigma} fr(P(\vec v), \sigma),$$

and similarly,

$$br(P(\vec v), \hat\Sigma) := \bigvee_{\sigma \in \hat\Sigma} br(P(\vec v), \sigma).$$

Finally, note that fr^∗(P(~v), Σ̂) denotes the set of states which are reachable from a state in P(~v) by execution of zero or more transitions of events in Σ̂. Similarly, br^∗(P(~v), Σ̂) denotes the set of states from where a state in P(~v) can be reached by execution of zero or more transitions of events in Σ̂. Clearly, fr^∗ is useful in characterizing the forward reachability, whereas br^∗ is useful in characterizing the backward reachability.

Consider two rules-based models indexed by i ∈ {1, 2}, having the initial condition I^i(~v_i), and rule for the event σ ∈ Σ given by

$$\sigma : [C^{i}_\sigma(\vec v_i)] \Rightarrow [\vec v_i \leadsto f^{i}_\sigma(\vec v_i)].$$

Then their synchronous composition is also a rules-based model with initial condition given by I^1(~v_1) ∧ I^2(~v_2), and rule for the event σ given by

$$\sigma : [C^{1}_\sigma(\vec v_1) \wedge C^{2}_\sigma(\vec v_2)] \Rightarrow [(\vec v_1, \vec v_2) \leadsto (f^{1}_\sigma(\vec v_1), f^{2}_\sigma(\vec v_2))].$$

2.2 Modeling Failure-prone Systems & Diagnosability

In order to obtain event occurrence rules for a system with faults, the set of signals is augmented with the signal and system fault signals.

Stuck-signal faults: These faults occur when any of the signals (such as actuators or sensors), owing to mechanical, electrical, or electromagnetic interference problems, gets stuck in a particular position with its logic status becoming either true or false permanently, until a recovery occurs through a repair or a replacement. When an actuator gets stuck in the on/off position such fault signals are denoted by so (stuck open)/sc (stuck closed) respectively. The associated fault events are denoted by soF/scF and the recovery events by soR/scR, respectively. When a sensor gets stuck in the up/dn (down) position such fault signals are denoted by sup (stuck up)/sdn (stuck dn) respectively. The associated fault events are denoted by supF/sdnF, and the recovery events by supR/sdnR, respectively.

If the r’th actuator/sensor, A_r, is prone to both the stuck open/up fault (which occurs only after the actuator/sensor is already in the on/up condition), and the stuck closed/down fault (which occurs only when the actuator/sensor is already in the off/down condition), then the rules for the occurrence of these stuck actuator/sensor signal faults are written as:

A_r soF : [A_r ∧ A_r so] ⇒ [A_r so ⇝ A_r so];
A_r soR : [A_r so] ⇒ [A_r so ⇝ A_r so];
A_r scF : [A_r ∧ A_r sc] ⇒ [A_r sc ⇝ A_r sc];
A_r scR : [A_r sc] ⇒ [A_r sc ⇝ A_r sc].

System/equipment faults: Apart from faults of the signals there are faults of the system and its components. Examples include equipment failures, power disruptions, system software crashes, pipe leakage, etc. These can occur spontaneously in the system depending only on their own values, not those of any other signals in the system, i.e., they are independent variables and form part of the inputs to the system, and hence have “default” event occurrence rules.

Permanent vs. Intermittent faults: Both the signal and system faults can be permanent or intermittent. The difference between these two types of faults is their mode of recovery: recovery of a permanent fault is only through repair/replacement, whereas that of an intermittent fault can also be through a reset.

Augmentation of the signal set to include the fault signals requires the weakening of the enabling guard conditions of the non-fault events via the introduction of additional disjunctive conditions under which the non-fault event can also occur. The antecedent of each rule now contains the disjunction of a pair of terms which represent how the consequent event can occur under both non-faulty and faulty conditions.

Next, we give the definition of diagnosability of a failure-prone system. Diagnosability is the ability to infer about the past occurrences of unobservable failure events within a bounded delay. We let Σ_F ⊆ Σ denote the set of fault events, and M : Σ ∪ {ε} → Δ ∪ {ε} with M(ε) = ε denote the event observation mask. Without loss of generality, M(σ) = ε for all σ ∈ Σ_F. The diagnosability of DESs is defined in [26], [25] as follows (without loss of generality [16], we only consider a single “failure type”):

Definition 1 A system G is said to be diagnosable with respect to the observation mask M and the failure event set Σ_F if

$$(\exists n \in \mathbb{N})\,(\forall s \in L(G),\ s_f \in \Sigma_F)\,(\forall v = st \in L(G),\ \|t\| \ge n) \Rightarrow (\forall w \in L(G),\ M(w) = M(v))\,(\exists u \in pr(\{w\}),\ u_f \in \Sigma_F),$$

where L(G) is the set of all event-traces G can execute starting from an initial state, s_f, u_f ∈ Σ denote the last events in traces s, u ∈ Σ* respectively, and pr({w}) ⊆ Σ* is the set of all prefixes of w ∈ Σ*.

3 Assembly-Line and its Rules-Based Model

For the purpose of applying DES modeling, control, and diagnosis to practical applications, an educational test-bed that simulates an automated car assembly-line has been built [13] (see the layout in Figure 1).

Figure 1: LEGO® assembly-line layout (labelled parts: chassis section with chassis loader, chassis conveyor and chassis pusher; roof section with roof loader, roof conveyor and roof pusher; press section with press pusher, winder and press winding spool; unloading section with unload pusher; transporter with fixture, rack and staging area; motors M1–M8 (M8a, M8b), touch sensors T1–T4, light sensors L6–L8, angle sensor A5)

This miniature assembly-line performs the assembly of the roof and the chassis (see Figure 2). It simulates the conditions under which an actual automobile assembly takes place, and involves: motors which drive mechanisms which in turn cause the assembly of the roof-chassis to take place; a transporter to move the semi-finished product through various stages of the assembly; and sensors which bring back the status of the present plant conditions to the LEGO® Dacta controller. There are a total of 8 sensors (touch, light, and angle) and 8 actuators (motors). The assembly-line is controlled by one personal computer, which is interfaced with the assembly-line through a LEGO® Control Lab Interface Box. This interface box has 8 sensor inputs, four of which accommodate passive sensors, viz. touch; while the other four accommodate active sensors, viz. light or angle. Touch sensors return a boolean value when depressed. Light sensors return the light intensity reflected into the sensor’s detector, either as a percentage or as a raw number. Angle sensors, which are always connected to a rotating axle, report either the angle in degrees or the number of revolutions turned. In addition to sensor inputs, the interface box also provides eight motor outputs. The controller code is written using the Control Lab software, which is written in a special version of the “Logo” programming language.

Figure 2: Partially assembled car (roof and chassis, before and after the pressing operation)

3.1 Rule-based models for the Assembly-Line

Instead of having a single large model for the system, and for making modeling simpler, we develop smaller sized “sub-models” by partitioning the entire system into five sections, namely, transporter, chassis, roof, press, and unloading. Their description is preceded by a list of all the events possible in the LEGO® assembly-line, which is given in Figure 3.

1. Transporter: Parts are transported from one assembly section to another via the transporter, which consists of a fixture that is connected to one end of a rack that is moved by a pinion powered from a gear box motor. An angle sensor mounted on the same shaft as that of the pinion counts off the number of rotations of the axle through it, in order to determine the position of the fixture. The rules-based model of the transporter is given in Figure 4. The initial conditions of this section consist of the forward and reverse motor turned off (Tf, Tr), and the transporter positioned at the initial home/unloading position (g, h, i, j, k, l). When the forward motor is turned on, and the reverse motor is off, the transporter will leave (a) the home position, move to the press position (b), then leave (c) the press position and reach the roof position (d). It will then leave (e) the roof position and finally reach the chassis position (f).

Figure 3: Legend of signal and event labels (events by section; input events are motor commands, output events are sensor readings)

Transporter:
Ifon/of: indexing slide motor on/off forward dirn. input events
Iron/of: indexing slide motor on/off reverse dirn. input events
a: indexing slide leaving home station during forward movement output event
b/j: indexing slide at press station during forward/reverse movement output events
c/k: indexing slide leaving press station during forward/reverse movement output events
d/h: indexing slide at roof station during forward/backward movement output events
f: indexing slide at chassis station during reverse movement output event
g: indexing slide leaving roof station during forward/reverse movement output event
l: indexing slide at home or unloading position during reverse movement output event

Chassis:
cCon/of: chassis conveyor motor on/off input events
pCon/of: chassis pusher motor on/off input events
pCup/dn: chassis pusher retracted/not-retracted output events
dCup/dn: part present/absent at chassis station dock output events

Roof:
cRon/of: roof conveyor motor on/off input events
pRon/of: roof pusher motor on/off input events
pRup/dn: roof pusher retracted/not-retracted output events
dRdn/up: part present/absent at roof station dock output events

Press:
pPfon/of: press pusher motor on/off input events
pPron/of: press pusher motor on/off in reverse dirn. input events
wPon/of: press winding motor on/off input events
pPup/dn: press pusher retracted/not-retracted output events
wPup/dn: press weight raised/lowered output events

Unloading:
pcUon/of: unloading pusher and conveyor motor on/off input events
pUup/dn: unloading pusher retracted/not-retracted output events

If we model the stuck-on fault for the forward motor (Tf), then the following two rules for the stuck-on fault (TfsonF) and stuck-on recovery (TfsonR) events will be added:

TfsonF : [Tf ∧ Tfson] ⇒ [Tfson ⇝ Tfson];
TfsonR : [Tfson] ⇒ [Tfson ⇝ Tfson].



Also, the guard for the event a will be weakened as follows:

a : [(Tf ∨ Tfson) ∧ (l ∧ k ∧ j ∧ i ∧ h ∧ g)] ⇒ [l ⇝ a].

The rules for the other events b, c, d, e and f will also be altered in a similar way.

• Initial conditions: Tf, Tr, Tfson, a, b, c, d, e, f = [off, off, off, 0, 0, 0, 0, 0, 0].

• Event occurrence rules:

a : [Tf ∧ (l ∧ k ∧ j ∧ i ∧ h ∧ g)] ⇒ [l ⇝ a];
l : [Tr ∧ (a ∧ k ∧ j ∧ i ∧ h ∧ g)] ⇒ [a ⇝ l];
b : [Tf ∧ (a ∧ k ∧ j ∧ i ∧ h ∧ g)] ⇒ [k ⇝ b];
k : [Tr ∧ (a ∧ b ∧ j ∧ i ∧ h ∧ g)] ⇒ [b ⇝ k];
c : [Tf ∧ (a ∧ b ∧ j ∧ i ∧ h ∧ g)] ⇒ [j ⇝ c];
j : [Tr ∧ (a ∧ b ∧ c ∧ i ∧ h ∧ g)] ⇒ [c ⇝ j];
d : [Tf ∧ (a ∧ b ∧ c ∧ i ∧ h ∧ g)] ⇒ [i ⇝ d];
i : [Tr ∧ (a ∧ b ∧ c ∧ d ∧ h ∧ g)] ⇒ [d ⇝ i];
e : [Tf ∧ (a ∧ b ∧ c ∧ d ∧ h ∧ g)] ⇒ [h ⇝ e];
h : [Tr ∧ (a ∧ b ∧ c ∧ d ∧ e ∧ g)] ⇒ [e ⇝ h];
f : [Tf ∧ (a ∧ b ∧ c ∧ d ∧ e ∧ g)] ⇒ [g ⇝ f];
g : [Tr ∧ (a ∧ b ∧ c ∧ d ∧ e ∧ f)] ⇒ [f ⇝ g];
Tfon : [Tf ∧ Tr] ⇒ [Tf ⇝ Tf];
Tfoff : [Tf ∧ Tr] ⇒ [Tf ⇝ Tf];
Tron : [Tf ∧ Tr] ⇒ [Tr ⇝ Tr];
Troff : [Tf ∧ Tr] ⇒ [Tr ⇝ Tr].

Figure 4: Rules-based model of the transporter section
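As an added example (not the authors' code), the transporter model of Figure 4 encoded in Python together with the fr and br transformers of Section 2.1, with the stuck-on fault of Tf and the weakened guard applied to all six forward moves a..f as the text prescribes; predicates are kept as state sets, which the paper notes is equivalent. Assumed here: a..f are binary position signals with l..g naming their complements, a motor turns on only while the other is off, and TfsonF fires only while Tf is on.

```python
"""Transporter section (Figure 4) as a rules-based model, plus fr / br.

Added example, not the authors' code. Predicates are frozensets of states, so
fr and br are set maps and fr* / br* are fixpoints. Assumptions (my reading of
Figure 4): a..f are binary position signals, l,k,j,i,h,g their complements; a
motor turns on only while the other is off; TfsonF fires only while Tf is on."""
from itertools import product

SIGNALS = ("Tf", "Tr", "Tfson", "a", "b", "c", "d", "e", "f")
POS = SIGNALS[3:]                       # position signals, set in order a..f
IDX = {s: i for i, s in enumerate(SIGNALS)}
ALL = frozenset(product((0, 1), repeat=len(SIGNALS)))   # the state space X
INIT = tuple(0 for _ in SIGNALS)        # Tf, Tr, Tfson off; a..f = 0 (home)


def val(x, name):
    return x[IDX[name]]


def assign(x, name, v):
    y = list(x)
    y[IDX[name]] = v
    return tuple(y)


def at_position(x, n):
    """Exactly the first n position signals are set: n=0 is home, n=6 is chassis."""
    return all(val(x, p) == (1 if i < n else 0) for i, p in enumerate(POS))


def transporter_rules(with_fault=False):
    """{event: (guard C_sigma, update f_sigma)} for Figure 4; with_fault adds the
    stuck-on rules and weakens every forward-move guard from Tf to (Tf or Tfson)."""
    def drive(x):
        return val(x, "Tf") or (with_fault and val(x, "Tfson"))
    rules = {}
    forward, reverse = ("a", "b", "c", "d", "e", "f"), ("l", "k", "j", "i", "h", "g")
    for n, (ev_f, ev_r) in enumerate(zip(forward, reverse)):
        p = POS[n]
        rules[ev_f] = (lambda x, n=n: drive(x) and at_position(x, n),
                       lambda x, p=p: assign(x, p, 1))
        rules[ev_r] = (lambda x, n=n: val(x, "Tr") and at_position(x, n + 1),
                       lambda x, p=p: assign(x, p, 0))
    rules["Tfon"] = (lambda x: not val(x, "Tf") and not val(x, "Tr"), lambda x: assign(x, "Tf", 1))
    rules["Tfoff"] = (lambda x: val(x, "Tf") and not val(x, "Tr"), lambda x: assign(x, "Tf", 0))
    rules["Tron"] = (lambda x: not val(x, "Tf") and not val(x, "Tr"), lambda x: assign(x, "Tr", 1))
    rules["Troff"] = (lambda x: val(x, "Tr") and not val(x, "Tf"), lambda x: assign(x, "Tr", 0))
    if with_fault:
        rules["TfsonF"] = (lambda x: val(x, "Tf") and not val(x, "Tfson"), lambda x: assign(x, "Tfson", 1))
        rules["TfsonR"] = (lambda x: val(x, "Tfson"), lambda x: assign(x, "Tfson", 0))
    return rules


def fr(P, rule):
    """Forward one-step reachable: post-states of firing the rule from a state in P."""
    guard, f = rule
    return frozenset(f(x) for x in P if guard(x))


def br(P, rule):
    """Backward one-step reachable: states where the rule is enabled and leads into P."""
    guard, f = rule
    return frozenset(x for x in ALL if guard(x) and f(x) in P)


def closure(step, P, rules):
    """Disjunctive closure fr* / br* over all events: iterate to a fixpoint."""
    reach = frozenset(P)
    while True:
        new = reach.union(*(step(reach, r) for r in rules.values()))
        if new == reach:
            return reach
        reach = new


def reachable(with_fault):
    """fr*(I, Sigma): every state reachable from the initial condition."""
    return closure(fr, {INIT}, transporter_rules(with_fault))


def motor_off_departures(with_fault):
    """Reachable states in which event a (leaving home) is enabled although Tf is
    off: the symptom a diagnoser can look for once the fault model is added."""
    rules = transporter_rules(with_fault)
    return frozenset(x for x in br(ALL, rules["a"]) & reachable(with_fault)
                     if not val(x, "Tf"))


if __name__ == "__main__":
    print(len(reachable(False)), "reachable states without the fault,",
          len(reachable(True)), "with it")
    print("states leaving home with Tf off:", sorted(motor_off_departures(True)))
```

Without the fault no reachable state lets the transporter leave home with Tf off; with the fault the two such states are exactly those with Tfson set, which is what the diagnoser in Section 4 has to infer from the observable events.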

2. Chassis: The chassis conveyor conveys parts to its docking area. The chassis dock acts as a buffer with a capacity of one part. Parts are pushed off the dock onto an empty waiting transporter by the chassis pusher. Sensors monitor the retracted position of the pusher and presence of a part on the dock.

The initial conditions of the chassis section require that the chassis conveyor motor (cC) and pusher motor (pC) be off, the pusher should be retracted (puC), there should be a part loaded on the conveyor (ld), and no part on the chassis dock (dC). Also there should be no jamming in the chassis section (x). The operation of the chassis section begins when the conveyor is turned on (cCon); the part rolls off the conveyor and is delivered to the chassis dock (dCup). Next, the pusher motor is turned on (pCon), which causes the pusher to operate (puCdn) and it pushes the part off the dock (dCoff) onto the transporter. The pusher returns to its original retracted position (puCup). The rules-based model of the chassis is given in Figure 5.

• Initial conditions: pC, cC, dC, x, ld, puC = [off, off, dn, dn, up, up].

• Event occurrence rules:

puCup : [(cC ∧ pC) ∧ (puC ∧ dC ∧ x ∧ ld ∧ f)
        ∨ (cC ∧ pC) ∧ (puC ∧ dC ∧ x ∧ ld ∧ f)
        ∨ (cC ∧ pC) ∧ (puC ∧ dC ∧ x ∧ ld ∧ f)] ⇒ [puC ⇝ puC];
puCdn : [(cC ∧ pC) ∧ (puC ∧ dC ∧ x ∧ ld ∧ f)
        ∨ (cC ∧ pC) ∧ (puC ∧ dC ∧ x ∧ ld ∧ f)
        ∨ (cC ∧ pC) ∧ (puC ∧ dC ∧ x ∧ ld ∧ f)
        ∨ (cC ∧ pC) ∧ (puC ∧ dC ∧ x ∧ ld ∧ f)] ⇒ [puC ⇝ puC];
dCup : [(cC ∧ pC) ∧ (puC ∧ dC ∧ x ∧ ld ∧ f)] ⇒ [dC ⇝ dC];
dCdn : [(cC ∧ pC) ∧ (puC ∧ dC ∧ x ∧ ld ∧ f)
        ∨ (cC ∧ pC) ∧ (puC ∧ dC ∧ x ∧ ld ∧ f)] ⇒ [dC ⇝ dC];
ldup : [(cC ∧ pC) ∧ (puC ∧ dC ∧ x ∧ ld)] ⇒ [ld ⇝ ld];
lddn : [(cC ∧ pC) ∧ (puC ∧ dC ∧ x ∧ ld ∧ f)
        ∨ (cC ∧ pC) ∧ (puC ∧ dC ∧ x ∧ ld ∧ f)] ⇒ [ld ⇝ ld];
x : [(cC ∧ pC) ∧ (puC ∧ dC ∧ x ∧ ld)
        ∨ (cC ∧ pC) ∧ (puC ∧ dC ∧ x ∧ ld)
        ∨ (cC ∧ pC) ∧ (puC ∧ dC ∧ x ∧ ld)] ⇒ [x ⇝ x];
x : [false] ⇒ [x ⇝ x];
pCon : [pC] ⇒ [pC ⇝ pC]; pCoff : [pC] ⇒ [pC ⇝ pC];
cCon : [cC] ⇒ [cC ⇝ cC]; cCoff : [cC] ⇒ [cC ⇝ cC].

Figure 5: Rules-based model of the chassis section

3. Roof: The rules-based model of the roof is given in Figure 6. The roof conveyor (cR) conveys parts that are loaded on it onto the roof dock, which also has a buffer size of one. The part is pushed off the dock onto a waiting transporter by the roof pusher (pR). Sensors monitor the retracted position of the pusher (puR) and the presence of a part on the dock (dR). The operation of the roof is similar to that of the chassis section, with the exception that the presence of a part on the roof dock is indicated by dRdn. This is due to the fact that the roof is black in color and, when positioned under a light sensor, causes the dRdn event. The chassis on the other hand is yellow in color and causes the dCup event to occur when on the chassis dock.

The actuators and sensors in various sections are subject to stuck open/close and stuck up/down faults respectively. In addition, the sections could also encounter various system faults, such as power failure, software malfunctions, etc.

• Initial conditions: pR, cR, dR, ld, x, puR = [off, off, up, up, dn, up].

• Event occurrence rules:

puRup : [(cR ∧ pR) ∧ (puR ∧ dR ∧ x ∧ ld) ∨ (cR ∧ pR) ∧ (puR ∧ dR ∧ x ∧ ld) ∨ (cC ∧ pR) ∧ (puR ∧ dR ∧ x ∧ ld)] ⇒ [puR ; puR];

puRdn : [(cR ∧ pR) ∧ (puR ∧ dR ∧ x ∧ ld) ∨ (cR ∧ pR) ∧ (puR ∧ dR ∧ x ∧ ld) ∨ (cR ∧ pR) ∧ (puR ∧ dR ∧ x ∧ ld) ∨ (cR ∧ pR) ∧ (puR ∧ dR ∧ x ∧ ld)] ⇒ [puR ; puR];

dRup : [(cR ∧ pR) ∧ (puR ∧ dR ∧ x ∧ ld) ∨ (cR ∧ pR) ∧ (puR ∧ dR ∧ x ∧ ld ∧ f)] ⇒ [dR ; dR];

dRdn : [(cR ∧ pR) ∧ (puR ∧ dR ∧ x ∧ ld)] ⇒ [dR ; dR];

ldup : [(cR ∧ pR) ∧ (puR ∧ dR ∧ x ∧ ld)] ⇒ [ld ; ld];

lddn : [(cR ∧ pR) ∧ (puR ∧ dR ∧ x ∧ ld) ∨ (cR ∧ pR) ∧ (puR ∧ dR ∧ x ∧ ld)] ⇒ [ld ; ld];

x : [(cR ∧ pR) ∧ (puR ∧ dR ∧ x ∧ ld) ∨ (cR ∧ pR) ∧ (puR ∧ dR ∧ x ∧ ld) ∨ (cR ∧ pR) ∧ (puR ∧ dR ∧ x ∧ ld)] ⇒ [x ; x];

x : [false] ⇒ [x ; x];

pRon : [pR] ⇒ [pR ; pR]; pRoff : [pR] ⇒ [pR ; pR];

cRon : [cR] ⇒ [cR ; cR]; cRoff : [cR] ⇒ [cR ; cR].

Figure 6: Rules-based model of the roof section

4. Press: The rules-based model of the press is given in Figure 7. The pressing of the roof and the chassis is done by releasing a heavy LEGO® block onto a properly positioned transporter carrying the roof-chassis combination. The mechanism is controlled by a press pusher and a winding motor. Initially the pusher is advanced (pP) so that the weighted block is suspended at a certain height (wtP). When the pusher motor is reversed (pPr), the pusher retracts, and the weight descends (wtPdn) and presses the pieces together. After this the pusher is advanced again so as to mesh with the winding motor (wP) gears, which, when switched on, raises the block up again. The retracted position of the pusher (pPup) and the raised position of the block (wtPup) are monitored by sensors.

The press section is the most complex section of the system and requires precise alignment of the pushing, lifting, and positioning mechanisms.


• Initial conditions: pPr, pPf, wP, wtP, pP, x = [off, off, off, up, dn, dn].

• Event occurrence rules:

wtPup : [(pPf ∧ pPr ∧ wP) ∧ (pP ∧ wtP ∧ x) ∨ (pPf ∧ pPr ∧ wP) ∧ (pP ∧ wtP ∧ x)] ⇒ [wtP ; wtP];

wtPdn : [(pPf ∧ pPr ∧ wP) ∧ (pP ∧ wtP ∧ x) ∨ (pPf ∧ pPr ∧ wP) ∧ (pP ∧ wtP ∧ x) ∨ (pPf ∧ pPr ∧ wP) ∧ (pP ∧ wtP ∧ x) ∨ (pPf ∧ pPr ∧ wP) ∧ (pP ∧ wtP ∧ x)] ⇒ [wtP ; wtP];

pPup : [(pPf ∧ pPr ∧ wP) ∧ (pP ∧ wtP ∧ x) ∨ (pPf ∧ pPr ∧ wP) ∧ (pP ∧ wtP ∧ x) ∨ (pPf ∧ pPr ∧ wP) ∧ (pP ∧ wtP ∧ x) ∨ (pPf ∧ pPr ∧ wP) ∧ (pP ∧ wtP ∧ x)] ⇒ [pP ; pP];

pPdn : [(pPf ∧ pPr ∧ wP) ∧ (pP ∧ wtP ∧ x)] ⇒ [pP ; pP];

x : [(pPf ∧ pPr ∧ wP) ∧ (pP ∧ wtP ∧ x) ∨ (pPf ∧ pPr ∧ wP) ∧ (pP ∧ wtP ∧ x)] ⇒ [x ; x];

x : [false] ⇒ [x ; x];

pPfon : [pPr ∧ pPf] ⇒ [pPf ; pPf]; pPfoff : [pPf ∧ pPr] ⇒ [pPf ; pPf];

pPron : [pPr ∧ pPf] ⇒ [pPr ; pPr]; wProff : [pPr ∧ pPf] ⇒ [pPr ; pPr];

wPon : [wP] ⇒ [wP ; wP]; wPoff : [wP] ⇒ [wP ; wP].

Figure 7: Rules-based model of the press section

5. Unloading: The unloading conveyor (pcU) conveys parts that are pushed onto it by the unloading pusher (also pcU). There is a sensor for monitoring the retracted position of the pusher (pU). When a part has to be removed from the transporter positioned at the unloading section, the conveyor and pusher are turned on simultaneously (pcUon), which causes the pusher to advance (pUdn). After pushing the assembled roof-chassis, the pusher returns to its retracted position (pUup) and the unloading pusher-conveyor is turned off (pcUof). The rules-based model of the unloading section is given in Figure 8.

As with any other motor in the system, the unloading conveyor-pusher motor can get stuck in the on or off position. Also the sensors can be stuck in either their up or dn position. The rules-based model of the system can be altered accordingly to reflect these faults. For example, in the presence of the pcUsoF fault, the altered rule for the unloading pusher advancing (pUdn) is given as:

pUdn : [(pcU ∨ pcUsoF) ∧ (pU ∧ l)] ⇒ [pU ; pU].


Similarly, in the unloading section, a motor power fault signal could cause the motor to stop. The events of the power fault are powerF and powerR, denoting the power fault and the recovery from the power fault, respectively. Owing to the modeling of the power fault signal, the rules for the unloading motor event (pcUon) and for the retracted/advanced positions of the pusher (pUdn, pUup, respectively) are altered. For example, the altered rule for pUdn, having a pcUsoF fault and susceptible to a motor power fault, is given by:

pUdn : [(pcU ∨ pcUsoF) ∧ power ∧ (pU ∧ l)] ⇒ [pU ; pU].

• Initial conditions: pcU, pcUsoF, pU = [off, off, dn].

• Event occurrence rules:

pUdn : [(pcU ∨ pcUsoF) ∧ (pU ∧ l)] ⇒ [pU ; pU];

pUup : [(pcU ∨ pcUsoF) ∧ (pU ∧ l)] ⇒ [pU ; pU];

pcUon : [pcU] ⇒ [pcU ; pcU];

pcUof : [pcU ∨ pcUsoF] ⇒ [pcU ; pcU].

Figure 8: Rules-based model of the unloading section

We input the rules of each sub-system into NuSMV, followed by a synchronous composition of the models and model checking. The diagnosability test does not hold for this system, which means that this system is not diagnosable.

4 Diagnosis Technique Illustration for Rules-based Model

The following observation can be made about the detection of a fault: a fault is detected when a non-faulty guard condition is false, but the consequent event occurs. For this, all traces indistinguishable from a sufficiently long extension of a trace containing the fault should themselves be faulty. This can be verified through a diagnosability test. For a diagnosable system, a diagnoser can be constructed to monitor the observation sequence and report the occurrence of a fault.

For the purpose of illustrating the diagnosis technique, we use a simplified model of the transporter section of the LEGO® assembly-line (see Figure 9). This transporter moves between home and extended positions, crossing a number of intermediary positions. The events that can occur in the transport system are: Tfon, Tfoff, Tron, Troff, iup, idn, eup, edn. Tfon/Tfoff refers to the gear-box motor being turned on/off in the forward direction, while Tron/Troff is for the reverse direction. When the transporter leaves the home position it enters an intermediary position, i, which is a collection of all those positions whose values are unimportant from the positioning point of view. The events iup/idn correspond to the transporter arriving at/leaving the intermediary position from/to the home position; and eup/edn correspond to its arriving at/leaving the extended position from/to the intermediate one.

[Figure 9 layout: the fixture transporter driven by a gearbox motor (M1) through a rack and pinion, with an angle sensor (A1); home, intermediate and extended positions are marked. The angle sensor records the intermediate (iup/idn) and extended (eup/edn) positions; the issued commands Ifon/Ifoff and Iron/Iroff are for forward/reverse movement.]

Figure 9: System layout

We assume that the initial state for the present system is when all the actuators are off (Troff, Tfoff) and the transporter is in the home position (idn, edn). The model of the transporter in the rules-based formalism is given in Figure 10.

• Initial conditions: Tf, Tr, i, e = [off, off, down, down].

• Event occurrence rules:

iup : [Tf ∧ Tr ∧ (i ∧ e)] ⇒ [i ; i]; idn : [Tr ∧ Tf ∧ (i ∧ e)] ⇒ [i ; i];

eup : [Tf ∧ Tr ∧ (i ∧ e)] ⇒ [e ; e]; edn : [Tr ∧ Tf ∧ (i ∧ e)] ⇒ [e ; e];

Tfon : [Tf] ⇒ [Tf ; Tf]; Tfoff : [Tf] ⇒ [Tf ; Tf];

Tron : [Tr] ⇒ [Tr ; Tr]; Troff : [Tr] ⇒ [Tr ; Tr].

Figure 10: Rules-based model of the transporter without faults

Next, we extend the transporter model to include a fault. Suppose the transporter is prone to the forward motor Tf stuck open fault (TfsonF), whose occurrence does not alter the transport speed. The rules-based model of the transporter with this fault is given in Figure 11.


• Initial conditions: Tf, Tr, Tfson, i, e = [off, off, off, down, down].

• Event occurrence rules:

iup : [(Tf ∨ Tfson) ∧ Tr ∧ (i ∧ e)] ⇒ [i ; i]; idn : [Tr ∧ Tf ∧ (i ∧ e)] ⇒ [i ; i];

eup : [(Tf ∨ Tfson) ∧ Tr ∧ (i ∧ e)] ⇒ [e ; e]; edn : [Tr ∧ Tf ∧ (i ∧ e)] ⇒ [e ; e];

Tfon : [Tf] ⇒ [Tf ; Tf]; Tfoff : [Tf ∨ Tfson] ⇒ [Tf ; Tf];

Tron : [Tr] ⇒ [Tr ; Tr]; Troff : [Tr] ⇒ [Tr ; Tr];

TfsonF : [Tf ∧ Tfson] ⇒ [Tfson ; Tfson]; TfsonR : [Tfson] ⇒ [Tfson ; Tfson].

Figure 11: Rules-based model of the transporter with a TfsonF fault

4.1 Diagnosability Test

We briefly review the diagnosability test algorithm from [15]. The state variable vector ~v of G is augmented by a binary valued variable F to indicate whether or not a fault occurred in the past. With this the new state variable set becomes ~x := (~v, F). Next the rules-based model is extended to include this new state variable. Assuming that the system starts in a non-faulty state, the initial state is given by the predicate,

I(~x) := I(~v) ∧ [F = 0].

The rule for each event σ ∈ Σ, [Cσ(~v)] ⇒ [~v ; fσ(~v)], is extended as follows. For a non-faulty event,

[Cσ(~v)] ⇒ [(~v, F) ; (fσ(~v), F)]

(a non-faulty event leaves the value of F unchanged), and for a faulty event,

[Cσ(~v)] ⇒ [(~v, F) ; (fσ(~v), 1)]

(a faulty event sets the value of F to 1). To facilitate diagnosis, a faulty-state predicate is defined: B(~x) = B((~v, F)) := [F = 1].

Using this predicate and the extended rules-based model (which includes the new boolean variable F, the new initial condition, and the new assignment statements), we perform the diagnosis test as follows.


• Make a second copy of the augmented G, with its state variable denoted by ~x′ = (~v′, F′), and perform a “masked synchronous composition” of the two copies of the augmented G to obtain the system Gd.

• Check whether there exists a “failure-ambiguous” cycle by model-checking the following 1st order linear-time temporal logic formula in Gd:

∃~x0, ~x′0 [EGF(~x = ~x0 ∧ ~x′ = ~x′0 ∧ B(~x0) ∧ ¬B(~x′0))].

Then G is diagnosable if and only if the above formula does not hold in Gd.

The formula checks for the existence of a state pair (~x0, ~x′0) ∈ (X × {0, 1})² with the property that

• ~x0 is a “faulty” state: B(~x0) holds,

• ~x′0 is a “non-faulty” state: ¬B(~x′0) holds,

• (~x0, ~x′0) is visited infinitely often along some state trajectory starting from the initial condition I(~x) ∧ I(~x′): EGF(~x = ~x0 ∧ ~x′ = ~x′0), i.e., there exists a path (E) such that globally (G) along each state of the path, in the future (F) it holds that ~x = ~x0 and ~x′ = ~x′0.

Whenever the above formula is satisfiable, there exists a pair of faulty and non-faulty traces in G of arbitrarily long length that are indistinguishable, and the system is not diagnosable. Model-checking software tools such as NuSMV [51] can be used to compute Gd as well as to check the satisfiability of the above formula in Gd.

For the transporter of Figure 9, we let ~v = (Tf, Tr, Tfson, i, e) denote the state variables of the transporter, and augment it with the boolean valued variable F to obtain the augmented state variable ~x = (~v, F). The augmented rules-based model of the transporter with the TfsonF fault is given in Figure 12.

Next, using the state variable ~x′ = (~v′, F′) for the second copy of the augmented model, where ~v′ = (Tf′, Tr′, Tfson′, i′, e′), we compute the masked composition of the two augmented models. The resulting rules-based model is shown in Figure 13, where we have used σ to denote any of the following variables: iup, idn, eup, edn, Tfon, Tfoff, Tron and Troff.

Using NuSMV to model-check the condition for diagnosability, we found that the transporter with the TfsonF fault is not diagnosable. The above example demonstrates that the symbolic technique for diagnosis developed in [15] allows for the diagnosability verification of practical systems.

4.2 Diagnoser Synthesis

When the system is diagnosable, we can synthesize its on-line diagnoser. Otherwise, the system can be made diagnosable by sensor refinement using the technique developed in


• Refined initial conditions: I(~x) = I(Tf, Tr, Tfson, i, e, F) = [off, off, off, down, down, 0].

• Event occurrence rules:

iup : [(Tf ∨ Tfson) ∧ Tr ∧ (i ∧ e)] ⇒ [i, F ; i, F]; idn : [Tr ∧ Tf ∧ (i ∧ e)] ⇒ [i, F ; i, F];

eup : [(Tf ∨ Tfson) ∧ Tr ∧ (i ∧ e)] ⇒ [e, F ; e, F]; edn : [Tr ∧ Tf ∧ (i ∧ e)] ⇒ [e, F ; e, F];

Tfon : [Tf] ⇒ [Tf, F ; Tf, F]; Tfoff : [Tf ∨ Tfson] ⇒ [Tf, F ; Tf, F];

Tron : [Tr] ⇒ [Tr, F ; Tr, F]; Troff : [Tr] ⇒ [Tr, F ; Tr, F];

TfsonF : [Tf ∧ Tfson] ⇒ [Tfson, F ; Tfson, 1]; TfsonR : [Tfson] ⇒ [Tfson, F ; Tfson, 0].

Figure 12: Augmented Rules-based model of the transporter with a TfsonF fault

• Initial conditions: I(~x, ~x′) = (I(~v), 0, I(~v′), 0).

• Event occurrence rules:

(iup, iup) : [(Tf ∨ Tfson) ∧ Tr ∧ (i ∧ e)] ⇒ [i, F, i′, F′ ; i, F, i′, F′];

(idn, idn) : [Tr ∧ Tf ∧ (i ∧ e)] ⇒ [i, F, i′, F′ ; i, F, i′, F′];

(eup, eup) : [(Tf ∨ Tfson) ∧ Tr ∧ (i ∧ e)] ⇒ [e, F, e′, F′ ; e, F, e′, F′];

(edn, edn) : [Tr ∧ Tf ∧ (i ∧ e)] ⇒ [e, F, e′, F′ ; e, F, e′, F′];

(Tfon, Tfon) : [Tf] ⇒ [Tf, F, Tf′, F′ ; Tf, F, Tf′, F′];

(Tfoff, Tfoff) : [Tf ∨ Tfson] ⇒ [Tf, F, Tf′, F′ ; Tf, F, Tf′, F′];

(Tron, Tron) : [Tr] ⇒ [Tr, F, Tr′, F′ ; Tr, F, Tr′, F′];

(Troff, Troff) : [Tr] ⇒ [Tr, F, Tr′, F′ ; Tr, F, Tr′, F′];

(σ, TfsonF) : [Tf ∧ Tfson] ⇒ [σ, F, σ′, F′ ; σ, F, σ′, 1];

(TfsonF, σ′) : [Tf ∧ Tfson] ⇒ [σ, F, σ′, F′ ; σ, 1, σ′, F′].

Figure 13: Masked synchronization of two augmented rules-based models of the transporter


[17]. For example, the transporter of Figure 9, prone to the forward motor stuck on fault TfsonF, is not diagnosable. If we install a smart sensor that can sense the motor speed, then the occurrence of TfsonF can be declared when Tfoff holds but the motor speed is non-zero.

For a diagnosable system, we can compute a diagnoser using the method given in [15]. For this, we first obtain a rules-based model of the fault-free system by omitting the rules for the fault events (such as TfsonF and TfsonR for the transporter system). For each k ≥ 0, the diagnoser maintains a predicate N_k(~v) ∈ P(~v) that estimates the set of possible non-faulty states of the system following the occurrence of the kth observable event. N_k(~v) is computed iteratively as follows:

N_0(~v) = fr*_{M^{-1}(ε)∩Σ}(I(~v));  N_{k+1}(~v) = fr_{M^{-1}(δ_k)}[fr*_{M^{-1}(ε)∩Σ}(N_k(~v))],

where δ_k ∈ M(Σ) − {ε} denotes the kth observation. A fault is said to have been detected when N_k(~v) = False.

By computing the different possible diagnoser states following all different possible observation sequences we can obtain the entire diagnoser. The result of such a computation for the transporter system is shown as an automaton in Figure 14. Any observation sequence that is not accepted by this diagnoser automaton indicates the occurrence of the TfsonF fault.

[Figure 14 diagram: diagnoser automaton with states 1 to 12 and transitions labelled by the observable events. Legend: eup/edn: Extended angle sensor High/Low; iup/idn: Intermediate angle sensor High/Low; Tfon/off: Transporter forward command on/off; Tron/off: Transporter reverse command on/off.]

Figure 14: Diagnoser of the transporter with TfsonF fault
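The transporter model of Figures 10 to 13, the twin-plant diagnosability test of Section 4.1 and the N_k diagnoser iteration of Section 4.2, worked as an added Python example; it is not the paper's code or its NuSMV input. It assumes one reading of the guards (the negation bars were lost in extraction), explores Gd explicitly instead of symbolically, and takes the commands and sensor events as observable and TfsonF/TfsonR as silent.

```python
"""Transporter of Figures 10-13 as a rules-based model, plus the twin-plant
diagnosability test of Section 4.1 and the diagnoser iteration N_k of Section 4.2.
Added example, not the paper's code or its NuSMV input.  ASSUMPTION: the negation
bars of the guards were lost in extraction; the guards below are one reading."""
from collections import deque

VARS = ("Tf", "Tr", "Tfson", "i", "e", "F")      # augmented state vector x = (v, F)
INIT = dict(Tf=False, Tr=False, Tfson=False, i=False, e=False, F=False)
# Mask M: commands and sensor events are observed as themselves; fault events are silent.
OBSERVABLE = {"iup", "idn", "eup", "edn", "Tfon", "Tfoff", "Tron", "Troff"}

def transporter_rules(with_fault):
    """Figure 10 (with_fault=False) / Figures 11-12: (event, guard, update) triples."""
    def fwd(s):                                  # forward motor running: commanded or stuck on
        return s["Tf"] or s["Tfson"]
    rules = [
        ("iup",   lambda s: fwd(s) and not s["Tr"] and not s["i"] and not s["e"],
                  lambda s: {**s, "i": True}),
        ("eup",   lambda s: fwd(s) and not s["Tr"] and s["i"] and not s["e"],
                  lambda s: {**s, "e": True}),
        ("edn",   lambda s: s["Tr"] and not s["Tf"] and s["i"] and s["e"],
                  lambda s: {**s, "e": False}),
        ("idn",   lambda s: s["Tr"] and not s["Tf"] and s["i"] and not s["e"],
                  lambda s: {**s, "i": False}),
        ("Tfon",  lambda s: not s["Tf"],            lambda s: {**s, "Tf": True}),
        ("Tfoff", lambda s: s["Tf"] or s["Tfson"],  lambda s: {**s, "Tf": False}),
        ("Tron",  lambda s: not s["Tr"],            lambda s: {**s, "Tr": True}),
        ("Troff", lambda s: s["Tr"],                lambda s: {**s, "Tr": False}),
    ]
    if with_fault:   # TfsonF sets F := 1 and TfsonR resets it, as in Figure 12
        rules += [
            ("TfsonF", lambda s: s["Tf"] and not s["Tfson"],
                       lambda s: {**s, "Tfson": True, "F": True}),
            ("TfsonR", lambda s: s["Tfson"],
                       lambda s: {**s, "Tfson": False, "F": False}),
        ]
    return rules

def successors(rules, s):
    """Enabled events of state s and the states they lead to."""
    return [(ev, upd(s)) for ev, guard, upd in rules if guard(s)]

def key(s):
    return tuple(s[v] for v in VARS)

def pair_key(p):
    return (key(p[0]), key(p[1]))

def twin_successors(rules, pair):
    """Masked synchronous composition Gd (Figure 13): the copies move together on an
    observable event and each copy moves alone on a silent one."""
    s1, s2 = pair
    for ev, t1 in successors(rules, s1):
        if ev in OBSERVABLE:
            for ev2, t2 in successors(rules, s2):
                if ev2 == ev:
                    yield (t1, t2)
        else:
            yield (t1, s2)
    for ev, t2 in successors(rules, s2):
        if ev not in OBSERVABLE:
            yield (s1, t2)

def reachable_pairs(rules, starts):
    """Breadth-first search over Gd from the given pairs; returns {pair_key: pair}."""
    seen = {pair_key(p): p for p in starts}
    frontier = deque(starts)
    while frontier:
        for q in twin_successors(rules, frontier.popleft()):
            if pair_key(q) not in seen:
                seen[pair_key(q)] = q
                frontier.append(q)
    return seen

def find_ambiguous_cycle(rules, init):
    """Section 4.1: a reachable pair (x0, x0') with B(x0) and not B(x0') that Gd can
    revisit (the EGF formula).  Returns the witness pair, or None if diagnosable."""
    for p in reachable_pairs(rules, [(init, init)]).values():
        if p[0]["F"] and not p[1]["F"]:
            if pair_key(p) in reachable_pairs(rules, list(twin_successors(rules, p))):
                return p
    return None

def diagnose(observations, init=INIT):
    """Section 4.2 diagnoser over the fault-free model (fault rules omitted): N_k is the
    set of fault-free states consistent with the first k observations; with no silent
    events the fr* closure is the identity.  Returns (detected, k), k emptying N_k."""
    rules = transporter_rules(with_fault=False)
    N = {key(init): init}
    for k, obs in enumerate(observations, 1):
        N = {key(t): t for s in N.values() for ev, t in successors(rules, s) if ev == obs}
        if not N:
            return True, k
    return False, None
```

With the fault rules in place the search finds an ambiguous pair on a cycle (Tfon followed by a silent TfsonF, then the normal forward/reverse cycle in both copies), which is the non-diagnosability result the paper reports; the diagnoser flags the sequence Tfon, Tfoff, iup, where iup occurs although the fault-free guard is false, but not Tfon, Tfoff, Tfon, iup, where the re-issued command masks the fault.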

5 Conclusion

The rules-based modeling formalism of [7] has been used to model and study diagnosis of a simple assembly-line built using LEGO® blocks. The advantage of using a rules-based model is its compactness, since it uses variables to represent states. The number of rules in the rules-based model is polynomial in the number of system signals and faults. A symbolic technique for failure analysis, based on 1st-order temporal logic model-checking, has been employed successfully. Existing software tools such as NuSMV aid the analysis for systems with bounded state-space. If the given system is not diagnosable, refining the observation mask [17] makes the system diagnosable, and subsequently an on-line diagnoser for the system can be constructed. This was demonstrated using several examples drawn from the LEGO® assembly-line.

References

[1] S. Bavishi and E. Chong. Automated fault diagnosis using a discrete event systems framework. In Proceedings of 1994 IEEE International Symposium on Intelligent Control, pages 213–218, 1998.

[2] A. Bouloutas, G. W. Hart, and M. Schwartz. On the design of observers for fault detection in communication networks. In A. Kershenbaum et al., editors, Network Management and Control, pages 319–338, Plenum Press, 1990.

[3] A. Bouloutas, G. W. Hart, and M. Schwartz. Simple finite-state fault detectors for communication networks. IEEE Trans. on Communications, 40(3):477–479, March 1992.

[4] Y. L. Chen and G. Provan. Fault diagnosis in timed discrete-event systems. In Proceedings of the 38th IEEE Conference on Decision and Control, pages 1756–1761, Phoenix, AZ, 1999.

[5] C. Pecheur and A. Cimatti. Formal Verification of Diagnosability via Symbolic Model Checking. In Workshop on Model Checking and Artificial Intelligence (MoChArt-2002), Lyon, France, July 22-23, 2002.

[6] Y. Park and E. K. P. Chong. Distributed inversion in timed discrete event systems. Discrete Event Dynamic Systems: Theory and Applications, 5(2-3):219–241, 1995.

[7] V. Chandra and R. Kumar. An event occurrence rules-based compact modeling formalism for a class of discrete event systems. Mathematical and Computer Modeling of Dynamical Systems, 8(1):49–73, 2002.

[8] V. Chandra, Z. Huang, and R. Kumar. Concurrent, Asynchronous and Generative Interactions for the Modeling and Control of Discrete Event Systems. American Control Conference, Denver, CO, USA, June 4-6, 2003.

[9] E. Allen Emerson. Temporal and Modal Logic. Handbook of Theoretical Computer Science, Volume B: Formal Models and Semantics, J. van Leeuwen, ed., North-Holland Pub. Co./MIT Press, pages 995–1072, 1990.

[10] L. E. Holloway and S. Chand. Distributed Fault Monitoring in Manufacturing Systems Using Concurrent Discrete-Event Observations. Integrated Computer-Aided Engineering, 3(4):244–254, 1996.


[11] S. R. Das and L. E. Holloway. Characterizing a confidence space for discrete event timings for fault monitoring using discrete sensing and actuation signals. IEEE Transactions on Systems, Man, and Cybernetics—Part A: Systems and Humans, 30(1):52–66, 2000.

[12] D. Pandalai and L. E. Holloway. Template languages for fault monitoring of timed discrete event processes. IEEE Transactions on Automatic Control, 45(5):868–882, May 2000.

[13] V. Chandra, Z. Huang and R. Kumar. Automated control synthesis for an assembly-line using discrete event system control theory. Accepted, IEEE Transactions on Systems, Man, and Cybernetics, Part C, 2002.

[14] Z. Huang, V. Chandra, S. Jiang, and R. Kumar. Modeling Discrete Event Systems with Faults using a Rules-Based Modeling Formalism. In Proceedings of the 41st IEEE Conference on Decision and Control, pages 4012–4017, 2002.

[15] Z. Huang, V. Chandra, S. Jiang, and R. Kumar. Diagnosis of Discrete Event Systems in Rules-based Model using Symbolic Analysis. Submitted to Proceedings of the 42nd IEEE Conference on Decision and Control, 2003.

[16] S. Jiang, Z. Huang, V. Chandra, and R. Kumar. A Polynomial Time Algorithm for Diagnosability of Discrete Event Systems. IEEE Transactions on Automatic Control, 46(8):1318–1321, August 2001.

[17] S. Jiang, R. Kumar, and H. E. Garcia. Optimal Sensor Selection for Discrete Event Systems Under Partial Observation. IEEE Transactions on Automatic Control, submitted.

[18] S. Jiang and R. Kumar. Failure diagnosis of discrete event systems with linear-time temporal logic fault specifications. In Proceedings of the 2002 American Control Conference, volume 1, pages 128–133, 2002.

[19] S. Jiang, R. Kumar and H. E. Garcia. Diagnosis of Repeated Failures in Discrete Event Systems. IEEE Transactions on Robotics and Automation, submitted.

[20] S. Jiang and R. Kumar. Diagnosis of Repeated Failures For Discrete Event Systems With Linear-Time Temporal Logic Specifications. IEEE Transactions on Systems, Man, and Cybernetics: Part B, 2002, submitted.

[21] R. Kumar, V. K. Garg, and S. I. Marcus. Predicates and Predicate Transformers for Supervisory Control of Discrete Event Dynamical Systems. IEEE Transactions on Automatic Control, 38(2):232–247, February 1993.


[22] M. Larsson. Behavioral and structural model based approaches to discrete diagnosis. PhD thesis, Linköping University, Linköping, Sweden, 1999.

[23] F. Lin. Diagnosability of discrete event systems and its applications. Discrete Event Dynamic Systems: Theory and Applications, 4(1):197–212, 1994.

[24] F. Lin, J. Markee, and B. Rado. Design and test of mixed signal circuits: a discrete event approach. In Proceedings of the 32nd IEEE Conference on Decision and Control, pages 246–251, 1993.

[25] M. Sampath. A Discrete Event Systems Approach to Failure Diagnosis. PhD thesis, Department of Electrical Engineering and Computer Science, University of Michigan, Ann Arbor, MI, 1995.

[26] M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen, and D. Teneketzis. Diagnosability of discrete event systems. IEEE Transactions on Automatic Control, 40(9):1555–1575, September 1995.

[27] M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen, and D. Teneketzis. Failure Diagnosis Using Discrete Event Models. IEEE Transactions on Control Systems Technology, 4(2):105–124, March 1996.

[28] M. Sampath and S. Lafortune. Active diagnosis of discrete event systems. IEEE Transactions on Automatic Control, 43(7):908–929, 1998.

[29] R. Debouk, S. Lafortune, and D. Teneketzis. Coordinated decentralized protocols for failure diagnosis of discrete event systems. Discrete Event Dynamic Systems: Theory and Applications, 10:33–79, 2000.

[30] G. Westerman, R. Kumar, C. Stroud, and J. R. Heath. Discrete event systems approach for delay fault analysis in digital circuits. In Proceedings of 1998 American Control Conference, Philadelphia, PA, 1998.

[31] S. Young and V. K. Garg. Model uncertainty in discrete event systems. SIAM Journal of Control and Optimization, 33(1):208–226, 1995.

[32] S. H. Zad. Fault diagnosis in discrete-event and hybrid systems. University of Toronto, Toronto, Canada, 1999.

[33] S. H. Zad, R. H. Kwong, and W. M. Wonham. Fault diagnosis in timed discrete-event systems. In 1999 IEEE Conference on Decision and Control, pages 1756–61, Phoenix, AZ, 1999.

[34] J. Lygeros, D. N. Godbole, and M. Broucke. A fault tolerant control architecture for automated highway system. IEEE Transactions on Control Systems Technology, 8(2):205–219, March 2000.


[35] D. N. Godbole, J. Lygeros, E. Singh, A. Deshpande, and A. E. Lindsey. Communication protocols for a fault-tolerant automated highway system. IEEE Transactions on Control Systems Technology, 8(5):787–800, September 2000.

[36] A. Darwiche and G. Provan. Exploiting system structure in model-based diagnosis of discrete event systems. In Proceedings of the Seventh International Workshop on Principles of Diagnosis, Val Morin, Canada, 1996.

[37] S. Jiang and R. Kumar. Supervisory control of discrete event systems with CTL∗ Temporal Logic Specification. In 2001 IEEE Conference on Decision and Control, FL, December 2001.

[38] K. T. Seow and R. Devanathan. A temporal logic approach to discrete event control for the safety canonical class. Systems and Control Letters, 28:205–217, 1996.

[39] K. T. Seow and R. Devanathan. Temporal framework for assembly sequence representation and analysis. IEEE Transactions on Robotics and Automation, 10(2):220–229, April 1994.

[40] H. Wong-Toi and D. L. Dill. Synthesizing processes and schedulers from temporal specifications. In Proceedings of the 1991 Computer-Aided Verification Workshop (Lecture Notes in Computer Science), volume 531, Springer-Verlag, 1991.

[41] K. M. Passino and P. J. Antsaklis. Branching time temporal logic for discrete event system analysis. In Proceedings of 1988 Allerton Conference, pages 1160–1169, Allerton, IL, 1988.

[42] M. Barbeau, F. Kabanza, and R. St.-Denis. A method for the synthesis of controllers to handle safety, liveness, and real-time constraints. IEEE Transactions on Automatic Control, 43(11):1543–1559, 1998.

[43] J. F. Knight and K. M. Passino. Decidability for a temporal logic used in discrete-event system analysis. International Journal of Control, 52(6):1489–1506, 1990.

[44] J. S. Ostroff. Synthesis of controllers for real-time discrete event systems. In Proceedings of 28th IEEE Conference on Decision and Control, Tampa, FL, 1989.

[45] J. S. Ostroff and W. M. Wonham. A framework for real-time discrete event control. IEEE Transactions on Automatic Control, 35(4):386–397, 1990.

[46] J.-Y. Lin and D. Ionescu. Verifying a class of nondeterministic discrete event systems in a generalized temporal logic. IEEE Transactions on Systems, Man and Cybernetics, 22(6):1461–1469, 1992.


[47] J. G. Thistle and W. M. Wonham. Control problems in temporal logic framework. International Journal of Control, 44(4):943–976, 1986.

[48] F. Lin. Analysis and synthesis of discrete event systems using temporal logic. Control Theory and Advanced Technologies, 9(1):341–350, 1993.

[49] C. G. Cassandras, J. Bergendahl, D. Esterman, and M. Sullivan. Computer Controlled LEGO Factory. University of Massachusetts, Boston, MA, 1995.

[50] J.-Y. Lin and D. Ionescu. Reachability synthesis procedure for discrete event systems in a temporal logic. IEEE Transactions on Systems, Man and Cybernetics, 24(9):1397–1406, 1994.

[51] http://nusmv.irst.itc.it/
