1 Fault Diagnosis for Timed Automata Stavros Tripakis VERIMAG

2 Fault diagnosis Plant (event + fault generator) Diagnoser (event reader) Observable events Fault announcements

3 Assumptions The plant behaves according to a known model. The diagnoser receives the (observable) events immediately when they occur. The diagnoser reacts immediately.

4 Requirements The diagnoser does not produce any false positives (announces a fault when no fault occurred). The diagnoser always announces a fault within a bounded delay after the fault occurred. Other sanity requirements (diagnoser is causal, does not change its mind, etc).

5 Example f a u b Red events are observable. Blue events are unobservable. f is the fault event. The plant model a b Fault! The diagnoser

6 Not all plants are diagnosable! f a u a

7 Timed fault diagnosis Plant (event + fault generator) Diagnoser (event reader) Observable events + delays Fault announcements

8 Assumptions The plant behaves according to a known timed automaton model. The diagnoser receives the (observable) events immediately when they occur and reacts immediately. The diagnoser measures delays between two events (i.e., has a timer). It can also set timeouts (in case an event is not observed for a long time).

9 Example of timed diagnosis The plant model is a Timed Automaton (with invariants for urgency) f a u a x:=0 x  2 x > 3 This plant is diagnosable! a Fault! y  2 y:=0 y > 2 The diagnoser: In this case, the diagnoser can be modeled as a timed automaton. This is not always the case!

10 “Infinite-clock” diagnoser (example due to Peter Niebert) fa a x:=0 x > 1  y < 1 a a a b u b x:=0 x  1x  0 x = 1 y:=0 y < 1 Faulty behaviors: there is some a exactly 1 time unit before the b. Correct behaviors: either no b, or no a exactly 1 time unit before the b. This plant is diagnosable. However, the diagnoser needs to check whether some a was exactly 1 time unit before the b. To do this, the diagnoser needs an unbounded number of clocks.

11 Example (2) f a u a x:=0 x  2 x > 3 After an f or a u, the plant need not perform an a (it can stay forever in state 1). This plant is NOT diagnosable! 1

12 Formal definitions Timed behaviors over some alphabet  :  =  o   u a 1.1 u 0.4 b 3 f 2.2 c

13 Formal definitions Observable behaviors: a 1.1 u 0.4 b 3 f 2.2 c a 1.5 b 5.2 c Projection to observable events

14 Formal definitions Faulty behavior: contains a fault event. a 1.1 u 0.4 b 3 f 2.2 c a 1.1 u 0.4 b 3 u 2.2 c faulty non-faulty

15 Formal definitions T-faulty behavior (T is a delay): –faulty behavior, –at least T time elapses after the first occurrence of the fault. Examples: –2-faulty (but not 3-faulty) behaviors: a 1.1 u 0.4 b 3 f 2.5 u a 1.1 u 0.4 b 3 f 2.2 u 0 c 0.3 u a 1.1 u 0.4 b 3 f

16 Formal definitions Timed automata: –As usual. –Delays are rationals (to be machine-representable) –No acceptance conditions. –Urgency modeled using state invariants. Non-zeno run: (infinite) run where time diverges.

17 Diagnosers A T-diagnoser for a timed automaton A is a function such that, for every behavior  of A, D : (  o  Q)  {0,1}  If  is not faulty, then D( Proj(  ) ) = 0 If  is T-faulty, then D( Proj(  ) ) = 1

18 Diagnosability A timed automaton A is called T-diagnosable if there exists a T-diagnoser for it. A is diagnosable if there exists T such that A is T-diagnosable. Note: if A is T-diagnosable then it is also (T+1)-diagnosable.

19 Necessary and sufficient condition for diagnosability A is T-diagnosable iff or, equivalently ,  ’.  is T-faulty,  ’ is not faulty, and Proj(  ) = Proj(  ’) ,  ’. if  is T-faulty and  ’ is not faulty, then Proj(  )  Proj(  ’)

20 Questions How to test whether a given timed automaton A is diagnosable? How to find the minimum T such that A is T-diagnosable (but not (T-1)-diagnosable)? How to build a diagnoser?

21 Testing diagnosability Assumption: A is non-zeno. Make two copies of A, A1 and A2: –Copy/rename states, transitions, clocks, etc. –Copy/rename unobservable events. –Copy but do not rename observable events. Remove all faulty transitions from A2. Take the product B of A1 and A2: synchronize on common labels (i.e., observable events). A is diagnosable iff all faulty runs of B are zeno.

22 Testing diagnosability The proof is based on the following facts: Every run of B corresponds to a pair of runs ,  ’ of A which have the same projection.  ’ cannot be faulty. If a TA has a T-faulty run for all T, then it has a non-zeno faulty run.

23 Testing diagnosability Example: f1f1 a u1u1 a x 1 :=0 x 1  2 x 1 > 3 f2f2 a u2u2 a x 2 :=0 x 2  2 x 2 > 3 f a u a x:=0 x  2 x > 3

24 Testing diagnosability Example: f1f1 a u1u1 a x 1 :=0 x 1  2 x 1 > 3 u2u2 a x 2 :=0 x 2  2 f a u a x:=0 x  2 x > 3

25 Testing diagnosability Example: f1f1 a u1u1 a x 1 :=0 x 1  2 x 1 > 3 u2u2 x 2 :=0 x 2  2 u2u2 u1u1 u2u2 f1f1 x 1  2

26 Testing diagnosability Example: f1f1 a x 1 :=0 x 1 > 3 u2u2 x 2 :=0 x 2  2 u2u2 f1f1

27 Finding the minimum T for T-diagnosability Assumption: A is diagnosable. Take the product B as before. Take the product of B and the observer automaton below (where T is a parameter). f1f1 z:=0z > T f1f1 A is T -diagnosable iff the final state of the observer cannot be reached. Perform a binary search on T : 0, 1, 2, 4, …etc. Complexity: log(T) reachability checks.

28 Representing diagnosers A diagnoser will be represented as a deterministic machine M=(W, w0, F, G, H), where –W is its set of states, –w0 is its initial state, –F : W   o  W(event transition function) –G : W  Q  W(time transition function) –H : W  {0,1}(decision function)

29 Representing diagnosers Given an observed behavior, Feed it to the machine: –w1 = F(w0, a ), w2 = G(w1, 1.5 ), –w3 = F(w2, b ), w4 = G(w3, 5.2 ), –w5 = F(w4, c ), Then apply the decision function to the state where the machine stopped: –D(  ) = H(w5).  = a 1.5 b 5.2 c

30 Building a diagnoser Assumption: the structure of A is such that no discrete state can be reached by both a faulty and a non-faulty path. Every automaton can be transformed so that it meets the assumption (by doubling, at most, its discrete states). f a u b f a u b Not OKOK faulty states

31 Building a diagnoser Preliminary definition: Let S be a set of states of the timed automaton A. ReachUnobs(S,  ) = { s‘ |  s  S, s reaches s’ via a run of exactly  time units that takes only unobservable actions }. ReachUnobs() is easily implementable using standard TA model-checking techniques (DBMs, reachability, etc).

32 Building a diagnoser W : the set of all possible subsets of states of the timed automaton, w0 = ReachUnobs({s0}, 0), F(S, a ) = { s’ |  s  S, s s’}, G(S,  ) = ReachUnobs(S,  ), H(S) =0, if  s=(q,v)  S such that q is non-faulty, 1, otherwise. a That is, the diagnoser works as an on-line state estimator

33 Summary Introduced notions of diagnosers and diagnosability for timed automata. Necessary and sufficient conditions. Conditions reduce to finding non-zeno runs on a product automaton: –this can be done efficiently on-the-fly [BTY-RTSS’97]. Diagnosers can be effectively built.

34 Future work Easily extendable to timed automata with acceptance conditions (meaning?). Represent diagnosers as timed automata (when can this be done?). Controller synthesis for timed automata based on partial observability of events.

35 Acceptance conditions The automaton below is in principle diagnosable: b will eventually happen after f (due to the acceptance condition). However, there is no bound of b happening after f. f ua b