Corrective control is able to compensate the stable state behavior of a faulty asynchronous sequential machine in a desirable manner. In this paper, we present a scheme of fault diagnosis and tolerance for asynchronous sequential machines with intermittent faults. The intermittent faults have the feature that their adverse effect continues for finite time during which the recovery to the normal status is impossible. Based on an event-based framework, we propose a corrective controller for which the closed-loop system can be immune against the attack of intermittent faults. The existence condition for the controller is that there must exist an output equivalent state with the same reachability as the faulty state. An illustrative example is provided for demonstrating the controller design.
Introduction
Corrective control is a novel automatic control theory for discrete event systems working in asynchronous mechanism [3, 6]. It utilizes the unique feature of asynchronous machines that the speed of their transient transitions is very fast (in zero time, ideally). As long as the stable reachability is guaranteed from a given state to a desired state, a corrective controller can generate a control input sequence that drives the considered machine to the desired state.
With the aforementioned capability, corrective control has been successfully applied to compensating the stable state behavior of a given asynchronous machine with various faulty behaviors. [6] presents a corrective control law for the model matching problem of input/state asynchronous machines with critical races. [7] addresses the same problem for input/output machines. Here, input/state machines are asynchronous machines that generate their current state as the output value, while input/output machines are those that provide an output value different from the state. [10] utilizes corrective control for model matching control of asynchronous machines with infinite cycles. In [11, 12], fault tolerant control schemes for overcoming the influence of transient faults are addressed, and [13] presents a similar control strategy for tolerating permanent faults.
In this paper, we present a corrective control scheme for input/output asynchronous machines subject to intermittent faults. In general, an intermittent fault is a malfunction of a device or system that occurs at intervals, followed by the corresponding reset inputs for the fault or new occurrences of fault events [1]. In this study, we define the intermittent fault as a fault event whose adverse influence persists for finite time during which any fault tolerance scheme does not result in explicit recovery. In particular, we adopt an event-based approach in modeling intermittent faults. In an event-based approach of modeling faults [8], the occurrence of a fault is signified by that of an event, or an input character that represents the adversarial entity. On the other hand, in a state-based approach [15], it is assumed that the state set of the system is partitioned according to the failure status of the system. Whenever a fault occurs, the system falls into a failure mode, that is, into one of fault states. If the influence of the fault is permanent, the system is stuck in the failure mode indefinitely; otherwise, it can return to the normal mode by fault tolerant control.
In our study, we model the adverse effect of an intermittent fault such that after an occurrence of the intermittent fault, the asynchronous machine undergoes an unauthorized state transition. In accord with the characteristics of intermittent faults [5], we further assume that the adverse effect of the intermittent fault lasts for finite steps after transferring to the deviated state. If the machine returns to the original state before the effect of the intermittent faults disappears, the machine is immediately forced to move to the deviated state again. The exact moment that the effect of the intermittent fault vanishes is nondeterministic and unobservable from the controller. In this sense, intermittent faults differ from transient faults whose adverse influence vanishes as soon as it happens so that immediate fault tolerance is possible [11, 12].
The main consideration is given to how to diagnose and tolerate the intermittent fault in the framework of corrective control. We present the existence condition and design procedure for a corrective controller such that the closed-loop system can show the normal input/output behavior even after the asynchronous machine suffers from the attack of the intermittent fault. We show that the existence condition for the controller is equal to whether there exists an output equivalent state that has the same reachability as the faulty state, that is, the state at which the intermittent fault occurs to the machine. Note that intermittent faults make immediate fault tolerance impossible, as their effect lasts for finite duration as mentioned. Thus the previous scheme of fault tolerance for transient faults [11, 12], where immediate fault tolerance is feasible, cannot be applied to intermittent faults. Rather, we need to develop a novel fault diagnosis and tolerance scheme to deal with the characteristics of intermittent faults. An illustrative example using a synthetic problem is also provided for demonstrating the proposed scheme.
Notice that fault tolerance for intermittent faults has been addressed in the authors' former study [14] . But the outcome of the fault in [14] is temporary halt of the involved state transitions, while in the present study the machine undergoes unauthorized transitions. As per other approaches on active fault tolerant control, the readers are referred to [2] for continuous time systems and to [9] for discrete-event systems.
Modeling
We represent an input/output asynchronous machine Σ as the following finite state machine:
where $A$ is the input set, $Y$ is the output set, $X$ is the state set, and $x_0 \in X$ is the initial state. $f : X \times A \to X$ and $h : X \to Y$ are the state transition function and the output function, respectively, defined as partial functions.
A In the stable transition from $x$ to $x_k$, Σ generates a sequence of output values $h(x), h(x_1), \ldots, h(x_k)$ wherein consecutive values of equal characters cannot be distinguished since no synchronizing clock exists. This string, termed the output burst, plays a key role in corrective control for input/output asynchronous machines [3]. Let
be the mapping that generates the output burst $b(x, u) = y^*$ of the state-input pair $(x, u)$. Since direct access to the state is unavailable in input/output machines, we must design a state observer that estimates the current stable state of Σ using the information on the control input and the output burst.
To define intermittent faults, we divide $A$ into two disjoint subsets $A := A_n \,\dot\cup\, A_t$, where $A_n$ is the normal input set and $A_t$ is the set of adversarial inputs that cause intermittent faults. For simplicity of presentation, in this study we assume that there is only one adversarial input, termed $a_t$, that is, $A_t = \{a_t\}$. Also, let $x_t$ be the state at which $a_t$ may occur to Σ and let $s(x_t, a_t) := x_q$ be the next stable state that Σ is forced to reach by the intermittent fault $a_t$. If the unauthorized transition is caused by transient faults, a fault tolerant control mechanism can be applied to Σ as soon as Σ reaches the deviated state [11]. On the other hand, since the adverse effect of intermittent faults persists for some finite time, immediate fault tolerance may not be achieved. In particular, assume that Σ undergoes the stable transition from $x_t$ to $x_q$ by the intermittent fault $a_t$. Assume further that a fault tolerant controller provides an appropriate input sequence that drives Σ back to the original state $x_t$ upon diagnosing the occurrence of $a_t$. If the influence of the intermittent fault vanishes, Σ would stay at $x_t$ until further change to the external input. However, if the intermittent fault is still live at $x_t$, Σ would again undergo the unauthorized transition upon reaching $x_t$, thereby moving to $x_q$. In general, the exact time span that the influence of the intermittent fault endures is nondeterministic; only its boundary is known a priori. In this study we stipulate that the effect of $a_t$ vanishes at most after the external input changes $l$ times since the occurrence of $a_t$. We assume
where $n = \#X$ is the cardinality of the state set $X$. If $l \ge n - 1$, Σ may traverse the entire states before returning to the normal behavior. We remove this case because it would be tantamount to the condition of permanent faults [15].
Figure 1 is the structure of the fault tolerant corrective control system for Σ with the intermittent fault $a_t$. C is the corrective controller that also has the structure of an input/output asynchronous sequential machine. $v \in A_n$ is the external input, $u \in A_n$ is the control input generated by C, and $y \in Y$ is the output of the machine. Here $y^* \in Y^*$ denotes that the output feedback is given as a burst. We denote by $\Sigma_c$ the closed-loop system represented by the diagram. B is the state observer that estimates the current state $x$ using the control input $u$ and output feedback $y^*$, and delivers it to C. In this paper, we omit the design procedure of B and assume that the exact state $x$ is generated by B in the whole stable transitions. A detailed explanation on the latter topic can be found in [3, 13].
Owing to the lack of a synchronizing clock, we have to design an asynchronous machine in such a way that the input character does not change while the machine undergoes transient transitions; otherwise one could not identify the exact state at which the input change occurs. This operating policy is referred to as fundamental mode operation [4]. Throughout this paper, all asynchronous machines are supposed to operate in fundamental mode.
Under fundamental mode, $a_t$ may occur to Σ only when it stays at a stable combination with $x_t$. The control objective is to design a corrective controller C so that whenever the intermittent fault occurs to Σ, C provides a control input sequence for which the closed-loop system $\Sigma_c$ recovers to the original input/output behavior.
Figure 1. Corrective control system for Σ with the intermittent fault $a_t$.
Main Result
Diagnosability
For preserving the principle of fundamental mode operation, C must know the end of each stable transition, i.e., it should determine whether the present stable transition ends or not so as to provide a control input character $u$ right after the transition. If, on the contrary, C generates a new control input while Σ is in the middle of transient transitions, Σ would incur an unpredictable outcome. In input/output control of asynchronous machines [3], we say that a transient combination $(x, u)$ is detectable if it is possible to determine from input/output data whether or not Σ has reached the next stable state $s(x, u)$. The condition for detectability is derived as
$$b(x, u) \neq b^{-1}(x, u), \qquad (1)$$
where $b^{-1}(x, u)$ is the output burst of $(x, u)$ minus the last character. For instance, if $b(x, u) = y_1 y_2 y_3$, $b^{-1}(x, u) = y_1 y_2$. If $(x, u)$ is a stable combination, $b^{-1}(x, u) = \emptyset$.
To address diagnosability of the intermittent fault, assume that Σ stays at a stable combination with the state $x_t$. Then the observer B of Figure 1 receives the output value $y^* = h(x_t)$. Assume further that while the external input remains fixed, the intermittent fault $a_t$ infiltrates into Σ, causing the unauthorized state transition. For this transition to be noticeable, the induced output burst $b(x_t, a_t)$ must be different from $h(x_t)$. Also, as B must detect the end of the unauthorized transition for preserving fundamental mode, condition (1) should be valid for the transition. Thus the diagnosability condition on the intermittent fault is described as
$$b(x_t, a_t) \neq h(x_t), \qquad b(x_t, a_t) \neq b^{-1}(x_t, a_t). \qquad (2)$$
Reachability Condition
Provided that condition (2) is satisfied, we address the existence condition for a fault tolerant corrective controller. We first define
as the set of the input characters that make a valid pair with the state $x$. Also, define the output equivalent set $E(x)$ of a given state $x$ as follows.
$E(x)$ includes all the states that generate the same output value as that of $x$. Assume again that the intermittent fault $a_t$ has occurred to Σ, which undergoes the unauthorized transition from $x_t$ to $x_q$. In terms of the input/output behavior, we achieve fault tolerance if the closed-loop system $\Sigma_c$ of Figure 1 continues to generate the normal output value $h(x_t)$ despite the occurrence of $a_t$. Recall that we cannot apply the scheme of counteracting Σ directly to the original state $x_t$ as used in the case of transient faults [12], since the effect of the intermittent fault may still be live. Hence, an alternative strategy to maintain the normal behavior is controlling Σ to move to a state $x'_t \in E(x_t)$. In corrective control theory [6], the condition for the latter goal is that $x'_t$ is stably reachable from $x_q$, that is, there exists an input sequence $r(0) \in A_n^+$ such that $s(x_q, r(0)) = x'_t$. As the corrective controller carries out this control action asynchronously, the closed-loop system $\Sigma_c$ will be observed to have the normal behavior despite the attack of $a_t$.
Assume that after driving Σ to an output equivalent state $x'_t$, the external input changes to another value. This input character must belong to $A(x_t)$ because Σ is supposed to maintain the normal behavior. For continuing fault tolerance, the current state $x'_t$ should be compatible with all the possible inputs of $A(x_t)$. In other words, in response to each input character $v_i \in A(x_t)$, $i = 1, \ldots, m$, we should control Σ to move to the correct next stable state $s(x_t, v_i)$. Note that we should reflect the characteristic of the intermittent fault in the reachability of the machine after the fault occurrence. By the definition of the intermittent fault, the effect of $a_t$ may or may not vanish until the lapse of $l$ steps, i.e., until the external input changes $l$ times. Hence it should be assured that the state $x_t$ not be involved in any fault tolerant control procedure, because as soon as reaching $x_t$, Σ may be forced to the deviated state $x_q$ by the intermittent fault $a_t$ if it is still live.
To describe an input sequence that does not involve the state $x_t$, let us define $\mathrm{Tr}(x, t) \subset X$ as the set of all the transient states that Σ passes through in the chain of stable transitions $(x, t) \in X \times A_n^+$. Then, we must find $r(i)$ such that Tr(x
For valid control procedure, of course, all the stable transitions induced by $r(0)$ and the $r(i)$'s must be detectable. The existence of a fault tolerant corrective controller C is equal to the existence of an output equivalent state $x'_t \in E(x_t)$ that guarantees the conditions (3) and (4).
Controller Design
In Figure 1 , C has the form of an input/output asynchronous machine
where $X \times A_n$ is the input set, $A_n$ is the output set, $\Xi$ is the state set, $\xi_0 \in \Xi$ is the initial state, $\phi : \Xi \times X \times A_n \to \Xi$ is the state transition function, and $\eta : \Xi \to A_n$ is the output function. Note that among the two input values, the state $x$ is provided by the observer B.
At first, C stays at the initial state $\xi_0$. Whenever Σ reaches a stable combination with $x_t$, C moves to another state $\xi_t \in \Xi$, termed the transition state [10]. Since the intermittent fault occurs to Σ only when it stays at a stable combination with $x_t$, C should signify the possibility of a fault occurrence by moving to $\xi_t$. When the external input switches to a new character, Σ continues its normal behavior by transferring to the next stable state. Receiving the new input value, C also returns to the initial state $\xi_0$. Since C conducts no practical control activity at $\xi_0$ or $\xi_t$, it relays the external input $v$ to the control input channel $u$ without modification.
In accordance with the transitions of Σ, the state observer B generates the proper state value $x$. Thus when C is at the transition state $\xi_t$, it receives the state feedback $x_t$ from B. Assume now that the intermittent fault $a_t$ happens, causing the unauthorized transition from $x_t$ to $x_q$. If the diagnosability condition (2) is valid, we can know not only the moment of the fault occurrence but the end of the unauthorized transition by observing the change of the output burst. The fault diagnosis by B is outlined as follows. If the output feedback $y^*$ changes but still $y^* \neq b(x_t, a_t)$ while the control input $u$ remains fixed, this implies that the intermittent fault $a_t$ has occurred to Σ and Σ is on the way to the deviated state $x_q$. Hence B continues to provide the state $x_t$. At the moment that the output feedback becomes $y^* = b(x_t, a_t)$, B perceives the end of the unauthorized state transition by the condition (2), and delivers the deviated state $x_q$ to C.
Upon receiving the state input $x_q$, C begins the fault tolerant control mechanism. Assume that Σ satisfies the reachability conditions (3) and (4). In corrective control, the corresponding strings $r(0)$ and the $r(i)$'s are used as the control input sequences for realizing fault tolerance. Let $|r(0)|$ and the $|r(i)|$'s denote the length of the input sequences, respectively, and let
The first objective is to control Σ using $r(0)$ so that it transfers to the output equivalent state $x'_t$ that satisfies the condition (3). To this end, C needs $|r(0)|$ auxiliary states, termed $\xi_1, \ldots, \xi_{|r(0)|} \in \Xi$ [6]. When the state input changes from $x_t$ to $x_q$, C moves to $\xi_1$, the first auxiliary state, and provides Σ with $a_1$, the first input character of $r(0)$. In response to $a_1$, Σ will undergo the corresponding stable transition, reaching the next stable state $s(x_q, a_1)$. Receiving $s(x_q, a_1)$, C then moves to the second auxiliary state $\xi_2$ and generates the second control input $a_2$. Σ in turn transfers to the next stable state $s(s(x_q, a_1), a_2)$, and so forth. Finally, at $\xi_{|r(0)|}$, C gives the last control input $a_{|r(0)|}$, in response to which Σ reaches the goal state $x'_t$. As mentioned before, since the interaction between C and Σ is conducted asynchronously, an outer user does not notice this chain of stable transitions. The closed-loop system also maintains the normal input/output behavior at $x'_t$, which provides the same output value as $x_t$. Figure 2 illustrates the interaction between C and Σ for this control procedure where $x_1, \ldots, x_{|r(0)|-1}$ denote the intermediate stable states:
Now that Σ reaches the output equivalent state $x'_t$, it waits for the further change of the external input $v$, while C stays at the state $\xi_{|r(0)|}$. Since Σ is supposed to be at the original state $x_t$, the next external input must be one of $A(x_t)$. Assume that the external input changes to $v_i \in A(x_t)$. For preserving the normal input/output behavior, Σ should move to the next stable state $s(x_t, v_i)$. Recall that by the condition (4), there exists an input sequence $r(i)$ such that $s(x'_t, r(i)) = s(x_t, v_i)$. Thus we can design the correction trajectory in the controller C by defining $|r(i)|$ auxiliary states, namely $\zeta_{i,1}, \ldots, \zeta_{i,|r(i)|} \in \Xi$. The correction behavior by C can be defined in a similar manner to the former case. The procedure of fault tolerance is completed once Σ is controlled to move to $s(x_t, v_i)$ in response to $v_i$. Figure 3 shows the structure of the fault tolerant controller C. Note that for the clarity of illustration, all the input characters and stable combinations are omitted in the figure. Referring to Figure 3, we know that C consists of two phases: $\xi_t$ through $\xi_{|r(0)|}$ for driving Σ from the deviated state $x_q$ to the output equivalent state $x'_t$, and $\zeta_{i,1}$ through $\zeta_{i,|r(i)|}$ for driving Σ from $x'_t$ to each $s(x_t, v_i)$, $i = 1, \ldots, m$. After going through the fault tolerant control procedure, Σ may visit the state $x_t$ again. If more than $l$ steps lapse after the occurrence of the intermittent fault $a_t$, the adverse effect of the intermittent fault has vanished at $x_t$. Otherwise, $x_t$ may or may not return to the normal mode. If $x_t$ is still under the influence of the intermittent fault, C will activate again to tolerate the unauthorized transition, as follows. As soon as Σ reaches a stable combination with $x_t$, C will move to the transition state $\xi_t$ as assigned before. If the intermittent fault is live, Σ will undergo the unauthorized transition immediately after reaching $x_t$, which leads to the output burst $b(x_t, a_t)$.
Again as assigned before, C moves to $\xi_1$ and initiates the correction procedure. In this way, the closed-loop system $\Sigma_c$ overcomes the attack of the intermittent fault.
Example
For demonstrating the applicability of the proposed scheme, consider an example asynchronous machine Σ whose state flow diagram is shown in Figure 4. For simplicity's sake, we set $s = f$, i.e., all the underlying transitions incur no transient states. The output value of each state is written after a slash. As marked by a dashed arrow, the intermittent fault $a_t$ occurs to Σ when it is at $x_3$. Thus $x_t = x_3$ and $x_q = s(x_3, a_t) = x_2$. Also, assume $l = 1$, i.e., the adverse effect of the intermittent fault vanishes after the external input changes to a new character.
We first check whether the diagnosability condition (2) is valid. As $h(x_3) = 2$, $h(x_2) = 1$, and no transient states exist from $x_3$ to $x_2$, we have $b(x_3, a_t) = 20$. Clearly, (2) is guaranteed with this output burst. Therefore, the intermittent fault $a_t$ is diagnosable.
Next, we examine whether there exists a corrective controller C that realizes fault tolerance. Referring to Figure 4, we have $E(x_3) = \{x_5\}$ and $A(x_3) = \{b, c, e\}$. As $s(x_2, ad) = x_5$, $x_5$ is stably reachable from $x_2$ with the input sequence $r(0) := ad$. Thus Σ satisfies the condition (3). Further, the set of the next stable states reached from $x_3$ with each input character of $A(x_3)$ is derived as $\{s(x_3, b), s(x_3, c), s(x_3, e)\} = \{x_3, x_1, x_4\}$.
A slight examination of Figure 4 shows that all these states are stably reachable from $x_5$. Letting $v_1 = b$, $v_2 = c$, and $v_3 = e$, we can choose the corresponding input sequences as $r(1) := eaeb$, $r(2) := ea$, $r(3) := e$. Since the condition (4) is valid too, it is possible to design a corrective controller C for overcoming the intermittent fault $a_t$. Note that since $l = 1$, the adverse effect of $a_t$ will vanish when the external input changes after the fault occurrence, i.e., when C reaches the auxiliary state $\xi_{|r(0)|}$ in Figure 3.
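The reachability test and the choice of $r(0)$ and $r(i)$ walked through above can be mechanized with a breadth-first search. The following is an added example, not code from the paper: the transition table `S` and output map `H` are constructed to agree with the transitions quoted in this section (Figure 4 is not reproduced here), and treating $x_t$ as forbidden only as an intermediate state is an assumption, since the exact form of conditions (3) and (4) is not given on the page. Detectability of each transition is assumed rather than checked.

```python
from collections import deque

# Constructed stable-state function s (with s = f, no transient states).
# Assumption: chosen to agree with the transitions stated in the Example.
S = {
    "x1": {"a": "x1", "c": "x1", "d": "x5", "e": "x2"},
    "x2": {"a": "x1", "b": "x3", "e": "x2"},
    "x3": {"b": "x3", "c": "x1", "e": "x4"},
    "x4": {"a": "x1", "e": "x4"},
    "x5": {"d": "x5", "e": "x4"},
}
# Constructed outputs; only h(x3) = 2, h(x2) = 1 and E(x3) = {x5} are from the page.
H = {"x1": 0, "x2": 1, "x3": 2, "x4": 3, "x5": 2}


def output_equivalent(h, x):
    """E(x): the other states that produce the same output value as x."""
    return [z for z in sorted(h) if z != x and h[z] == h[x]]


def stable_path(s, src, dst, avoid):
    """Shortest normal-input string r with s(src, r) = dst such that no
    intermediate stable state equals `avoid` (breadth-first search)."""
    if src == dst:
        return ""
    seen, queue = {src}, deque([(src, "")])
    while queue:
        x, r = queue.popleft()
        for u in sorted(s[x]):
            nxt = s[x][u]
            if nxt == dst:
                return r + u
            if nxt != avoid and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, r + u))
    return None


def design_controller(s, h, x_t, x_q):
    """Return (x_t', r(0), {v_i: r(i)}) for the first output-equivalent state
    that meets both reachability requirements, or None if none exists."""
    for cand in output_equivalent(h, x_t):
        r0 = stable_path(s, x_q, cand, avoid=x_t)
        if r0 is None:
            continue
        corrections = {v: stable_path(s, cand, s[x_t][v], avoid=x_t)
                       for v in sorted(s[x_t])}
        if all(r is not None for r in corrections.values()):
            return cand, r0, corrections
    return None


def run(s, x, r):
    """Apply the input string r from state x; return the final stable state."""
    for u in r:
        x = s[x][u]
    return x


if __name__ == "__main__":
    print(design_controller(S, H, "x3", "x2"))
```

On this constructed table the search returns the same sequences as the text; on other machines it returns shortest sequences, which need not match a hand-picked choice.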
Conclusion
In this paper, we have proposed a corrective control scheme for diagnosing and tolerating intermittent faults occurring to input/output asynchronous sequential machines. We have focused our concern on overcoming the restraint by the intermittent fault that after the fault occurrence, its adverse effect lasts for finite time. In our scheme, thus, upon detecting the occurrence of the intermittent fault, the considered machine is controlled to move to an output equivalent state of the original state. For continuing the normal input/output behavior, the output equivalent state must have the same stable reachability as that of the original state. We have addressed the existence condition and design procedure for a fault tolerant controller under the framework of corrective control, and have demonstrated its applicability in the illustrative example. Application of the proposed control scheme to real-world systems remains as a further study.
