Fault Diagnosis for Timed Automata Stavros Tripakis VERIMAG (www-verimag.imag.fr) Presentation by Marius Mikucionis AAU SSE (marius@cs.auc.dk) 12/11/2002

Marius Mikucionis, AAU SSE 12/11/2002 Overview Framework of fault diagnosis Definitions: TA and operations on them Diagnosers and diagnosability problems Checking diagnosability Building diagnosers Evaluation and critics 10/04/2019 Marius Mikucionis, AAU SSE

Framework of fault diagnosis Plant behavior corresponds to a run of given TA by sequence of events (actions) An event is either observable or unobservable One or more unobservable events are faults A diagnoser is a function which takes observable event sequence and decides whether a fault has occurred during sequence run Fault must be announced in n steps after it has occurred No false reporting and no online repairs allowed 10/04/2019 Marius Mikucionis, AAU SSE

Marius Mikucionis, AAU SSE 12/11/2002 Overview Framework of fault diagnosis Definitions: TA and timed sequences Diagnosers and diagnosability problems Checking diagnosability Building diagnosers Evaluation and critics 10/04/2019 Marius Mikucionis, AAU SSE

Definitions: clock, polyhedron 12/11/2002 Definitions: clock, polyhedron X is a finite set of clocks taking values of non-negative rational numbers Q+ Valuation on X is a function v:XQ+: Given delay Q+ v+ denotes v’: v’(x)=v(x)+ for all xX Given YX reset v[Y:=0] denotes v’: v’(x)=0 for xY and v’(x)=v(x) for xX\Y Polyhedron on X is a set of valuations represented by a boolean expression with atomic constraints of the form xk or x-yk Polyhedra are closed by , ,  10/04/2019 Marius Mikucionis, AAU SSE

Definition: Timed Automaton Timed automaton is A=(Q,X,,E,I): Q is finite set of discrete states, q0 initial X is finite set of clocks  is a finite set of events: =ou, fu E is finite set of transitions: e=(q,q’,a,,Y) q,q’Q, a,  is a polyhedron on X, YX I is the invariant polyhedron function on Q A state of A is a pair s=(q,v), qQ and v is a clock valuation on X such that vI(q) Initial state s0=(q0,0) 10/04/2019 Marius Mikucionis, AAU SSE

Definitions: timed sequences A timed sequence over  is =12…, where i is either an action  or a delay Q+ time() is the limit of sum of delays in   is non-zeno if time()= A projection of  is a sequence =P(,’) where all actions a’ are taken out from  A run of A is a timed sequence =12…, such that s1s2…: siQ, si+1=i(si) -faulty run for Q+ is =12… : i=f for some i=1,2,… j=min(i | i=f) time(j j+1…) 10/04/2019 Marius Mikucionis, AAU SSE

Marius Mikucionis, AAU SSE 12/11/2002 Overview Framework of fault diagnosis Definitions: TA and timed sequences Diagnosers and diagnosability problems Checking diagnosability Building diagnosers Evaluation and critics 10/04/2019 Marius Mikucionis, AAU SSE

Diagnoser: definition and existence FTS is a set of all finite timed sequences over  -diagnoser for N and ATA over =ou is a function D: FTSo{0, 1}:  non-faulty: D(P(,u))=0  -faulty: D(P(,u))=1 ATA is -diagnosable   -diagnoser for A Lemma: for N ATA is -diagnosable  1,2 finite runs of A, if 1 is -faulty and 2 is non-faulty then P(1,u)P(2,u) 10/04/2019 Marius Mikucionis, AAU SSE

Example: diagnosable and not a, b – observable f, u – unobservable f - fault a x:=0 f x>3 u x3 b x6  1-diagnosable a x:=0 f x>2 u x3 b x6 non-diagnosable: (a,2.5,f,0.1,b) and (a,2.5,u,0.1,b) have the same projection: (a,2.6,b), but only the first one is faulty 10/04/2019 Marius Mikucionis, AAU SSE

Marius Mikucionis, AAU SSE 12/11/2002 Overview Framework of fault diagnosis Definitions: TA and timed sequences Diagnosers and diagnosability problems Checking diagnosability Building diagnosers Evaluation and critics 10/04/2019 Marius Mikucionis, AAU SSE

How to check diagnosability Build a special parallel product of A with itself, which: Can generate all pairs of runs of A: both yield the same observations one is faulty and another is not Check that all faulty runs are zeno (are finite), i.e. prove that: We will eventually distinguish faulty run Or fault can never be diagnosed 10/04/2019 Marius Mikucionis, AAU SSE

Special parallel product: Make two “copies” of A: A1 and A2: Rename discrete states: qQ  qiQi Rename clocks: xX  xiXi Rename unobservable events: uu  uiiu Rename transitions: e=(q,q’,u,x3,{y})  ei=(qi,q’i,ui,xi3,{yi}) where uiiu Apply parallel product on A1 and A2 where ao are forced to synchronize: ei=(qi,q’i,a,i,Yi)  e=((q1,q2),(q’1,q’2),a,12,Y1Y2) Remove transitions with fault action f2 10/04/2019 Marius Mikucionis, AAU SSE

Marius Mikucionis, AAU SSE Example of 1 2 3 5 4 6 a x:=0 f x>3 u x3 b x6 1,1 2,2 3,2 5,2 3,5 5,5 a x1:=0 X2:=0 f1 x1>3 u2 x23 b x16  x23 x16  x26 4,6 6,6 2,5 x13  x26 u1 x13 x16  x26 10/04/2019 Marius Mikucionis, AAU SSE

Diagnosability criterion  is a run of  1 and 2 are runs of A, 2 is not faulty and P(1,u)=P(2,u). Also:  is faulty  1 is faulty time()=time(1)=time(2) A is diagnosable   faulty run of is zeno: ) A is not diagnosable  N 1,2 that 1 is -faulty and 1 is non-faulty and P(1,u)=P(2,u)   -faulty of  A has a non-zeno faulty run. )  is non-zeno faulty run of , pick some N.  -faulty run and prefix in , which is a run of 1, 1 are both runs of A and P(1,u)=P(2,u)  A is not diagnosable 10/04/2019 Marius Mikucionis, AAU SSE

-diagnosability criterion x1:=0 x2:=0 f1 x1>3 u2 x23 b x16  x23 x16  x26 x13  x26 u1 x13 x16  x26 a f1 z:=0 u z For ATA and N, A is -diagnosable  the accepting state of is unreachable 10/04/2019 Marius Mikucionis, AAU SSE

Marius Mikucionis, AAU SSE 12/11/2002 Overview Framework of fault diagnosis Definitions: TA and timed sequences Diagnosers and diagnosability problems Checking diagnosability Building diagnosers Evaluation and critics 10/04/2019 Marius Mikucionis, AAU SSE

How to build a diagnoser Alter -diagnosable A and make a bisimilar one: Partition discrete states: Q=Qf(Q-Qf): States in Qf are reachable only by faulty run Once automaton is in qQf it must stay in Qf Use state estimation primitives on set of states S: Ro(S,a)={e(s) | sS, eE(a)} Ru(S,)={(s) | sS, Runs(S,u), time()=} HD(S)= 1, if sS, discrete(s)Qf 0, otherwise 10/04/2019 Marius Mikucionis, AAU SSE

Algorithm of diagnoser Initialize S=Ru({s0}, 0) Loop Set timer T=0 and alarm for T=TO If (HD(S)=1) announce FAULT Await event or alarm interrupt If (event a interrupt) Read  from T Set S= Ro(Ru(S, ), a) Else S= Ru(S, TO) End loop TO – some time-out value a f b c d a f b c d Qf 10/04/2019 Marius Mikucionis, AAU SSE

Marius Mikucionis, AAU SSE Conclusions Not all timed automata are diagnosable Diagnosability is PSPACE-complete Diagnoser construction relies on subset construction and is exponential 10/04/2019 Marius Mikucionis, AAU SSE

Evaluation and Critics Elegant solution to a quite restricted problem: TA model must be reliable “Faulty transitions” must be known “No more - no less”: a little to read - enough to understand Pattern: definition, proposition, proof or example Strange projection notation is confusing Few miss-prints decrease reader’s confidence very much 10/04/2019 Marius Mikucionis, AAU SSE

Marius Mikucionis, AAU SSE 12/11/2002 That’s it! Questions? Thank you for your time and attention. 10/04/2019 Marius Mikucionis, AAU SSE