Distributed synchronous diagnosis of discrete-event systems

Recently, the centralized and decentralized synchronous diagnosis of discreteevent systems have been proposed in the literature. In this work, we propose a di erent synchronous diagnosis strategy called distributed synchronous diagnosis. In this scheme, local diagnosers are computed based on the observation of the fault-free behavior models of the system components. It is considered that these local diagnosers are separated into networks, and are capable of communicating the occurrence of events and their current state estimate to other local diagnosers that belong to the same network. The diagnosers are implemented considering an speci c communication protocol that re nes the state estimate of the faultfree behavior of the system modules, reducing, therefore, the augmented fault-free language considered for synchronous diagnosis. In order to do so, boolean conditions are added to the transitions of the fault-free component models, which check if the occurrence of an observable event is possible according to the current state estimate of other local diagnosers. This leads to the notion of distributed synchronous diagnosability. An algorithm to verify the distributed synchronous diagnosability with polynomial complexity in the state-space of the system component models is proposed.Recentemente, o diagnóstico síncrono centralizado e descentralizado de sistemas a eventos discretos foi proposto na literatura. Neste trabalho, propomos uma estratégia de diagnóstico síncrono diferente, denominada diagnóstico síncrono distribuído. Neste esquema, diagnosticadores locais são construídos com base na observação do comportamento livre de falha dos componentes do sistema. Considera-se que esses diagnosticadores locais são agrupados em redes de comunicação e capazes de informar a ocorrência de eventos e sua estimativa de estado atual a outros diagnosticadores locais pertencentes à mesma rede. Os diagnosticadores são implementados considerando um protocolo de comunicação específico, o qual refina a estimativa de estado do comportamento livre de falha dos módulos do sistema, reduzindo, portanto, a linguagem aumentada livre de falha considerada no diagnóstico síncrono. Isso é feito com a adição de condições booleanas para a transposição de transições dos modelos livre de falha dos componentes do sistema, as quais verificam se a ocorrência de um evento observável é possível de acordo com a estimativa do estado atual dos outros diagnosticadores locais. Isso leva à noção de diagnosticabilidade síncrona distribuída. Um algoritmo para verificar a diagnosticabilidade síncrona distribuída com complexidade polinomial no espaço de estados dos modelos dos componentes do sistema é proposto

INCREMENTAL FAULT DIAGNOSABILITY AND SECURITY/PRIVACY VERIFICATION

Dynamical systems can be classified into two groups. One group is continuoustime systems that describe the physical system behavior, and therefore are typically modeled by differential equations. The other group is discrete event systems (DES)s that represent the sequential and logical behavior of a system. DESs are therefore modeled by discrete state/event models.DESs are widely used for formal verification and enforcement of desired behaviors in embedded systems. Such systems are naturally prone to faults, and the knowledge about each single fault is crucial from safety and economical point of view. Fault diagnosability verification, which is the ability to deduce about the occurrence of all failures, is one of the problems that is investigated in this thesis. Another verification problem that is addressed in this thesis is security/privacy. The two notions currentstate opacity and current-state anonymity that lie within this category, have attracted great attention in recent years, due to the progress of communication networks and mobile devices.Usually, DESs are modular and consist of interacting subsystems. The interaction is achieved by means of synchronous composition of these components. This synchronization results in large monolithic models of the total DES. Also, the complex computations, related to each specific verification problem, add even more computational complexity, resulting in the well-known state-space explosion problem.To circumvent the state-space explosion problem, one efficient approach is to exploit the modular structure of systems and apply incremental abstraction. In this thesis, a unified abstraction method that preserves temporal logic properties and possible silent loops is presented. The abstraction method is incrementally applied on the local subsystems, and it is proved that this abstraction preserves the main characteristics of the system that needs to be verified.The existence of shared unobservable events means that ordinary incremental abstraction does not work for security/privacy verification of modular DESs. To solve this problem, a combined incremental abstraction and observer generation is proposed and analyzed. Evaluations show the great impact of the proposed incremental abstraction on diagnosability and security/privacy verification, as well as verification of generic safety and liveness properties. Thus, this incremental strategy makes formal verification of large complex systems feasible

Robust predictability in discrete event systems under sensor attacks

The problem of robust predictability against sensor attacks is investigated. The objective of a diagnoser is to predict the occurrence of a critical event of a discrete event system (DES) under partial observation. An attacker may rewrite the diagnoser observation by inserting fake events or erasing real events. Two novel structures, namely, real diagnoser and the fake diagnoser, are constructed based on the diagnoser of the system. We compute the hybrid diagnoser as the parallel composition of the real diagnoser and the fake diagnoser. The hybrid diagnoser can be used to verify if a critical event of the system is robustly predictable when an attacker tampers with the diagnoser observation

On the Equivalence of Observation Structures for Petri Net Generators

Observation structures considered for Petri net generators usually assume that the firing of transitions may be observed through a static mask and that the marking of some places may be measurable. These observation structures, however, are rather limited, namely they do not cover all cases of practical interest where complex observations are possible. We consider in this paper more general ones, by correspondingly defining two new classes of Petri net generators: labeled Petri nets with outputs (LPNOs) and adaptive labeled Petri nets (ALPNs). To compare the modeling power of different Petri net generators, the notion of observation equivalence is proposed. ALPNs are shown to be the class of bounded generators possessing the highest modeling power. Looking for bridges between the different formalisms, we first present a general procedure to convert a bounded LPNO into an equivalent ALPN or even into an equivalent labeled Petri net (if any exists). Finally, we discuss the possibility of converting an unbounded LPNO into an equivalent ALPN

Strict Minimal Siphon-Based Colored Petri Net Supervisor Synthesis for Automated Manufacturing Systems With Unreliable Resources

Various deadlock control policies for automated manufacturing systems with reliable and shared resources have been developed, based on Petri nets. In practical applications, a resource may be unreliable. Thus, the deadlock control policies proposed in previous studies are not applicable to such applications. This paper proposes a two-step robust deadlock control strategy for systems with unreliable and shared resources. In the first step, a live (deadlock-free) controlled system that does not consider the failure of resources is derived by using strict minimal siphon control. The second step deals with deadlock control issues caused by the failures of the resources. Considering all resource failures, a common recovery subnet based on colored Petri nets is proposed for all resource failures in the Petri net model. The recovery subnet is added to the derived system at the first step to make the system reliable. The proposed method has been tested using an automated manufacturing system deployed at King Saud University.publishedVersio

Twin‐engined diagnosis of discrete‐event systems

Diagnosis of discrete-event systems (DESs) is computationally complex. This is why a variety of knowledge compilation techniques have been proposed, the most notable of them rely on a diagnoser. However, the construction of a diagnoser requires the generation of the whole system space, thereby making the approach impractical even for DESs of moderate size. To avoid total knowledge compilation while preserving efficiency, a twin-engined diagnosis technique is proposed in this paper, which is inspired by the two operational modes of the human mind. If the symptom of the DES is part of the knowledge or experience of the diagnosis engine, then Engine 1 allows for efficient diagnosis. If, instead, the symptom is unknown, then Engine 2 comes into play, which is far less efficient than Engine 1. Still, the experience acquired by Engine 2 is then integrated into the symptom dictionary of the DES. This way, if the same diagnosis problem arises anew, then it will be solved by Engine 1 in linear time. The symptom dic- tionary can also be extended by specialized knowledge coming from scenarios, which are the most critical/probable behavioral patterns of the DES, which need to be diagnosed quickly

On detectability of labeled Petri nets and finite automata

Detectability is a basic property of dynamic systems: when it holds an observer can use the current and past values of the observed output signal produced by a system to reconstruct its current state. In this paper, we consider properties of this type in the framework of discrete-event systems modeled by labeled Petri nets and finite automata. We first study weak approximate detectability. This property implies that there exists an infinite observed output sequence of the system such that each prefix of the output sequence with length greater than a given value allows an observer to determine if the current state belongs to a given set. We prove that the problem of verifying this property is undecidable for labeled Petri nets, and PSPACE-complete for finite automata. We also consider one new concept called eventual strong detectability. The new property implies that for each possible infinite observed output sequence, there exists a value such that each prefix of the output sequence with length greater than that value allows reconstructing the current state. We prove that for labeled Petri nets, the problem of verifying eventual strong detectability is decidable and EXPSPACE-hard, where the decidability result holds under a mild promptness assumption. For finite automata, we give a polynomial-time verification algorithm for the property. In addition, we prove that strong detectability is strictly stronger than eventual strong detectability for labeled Petri nets and even for deterministic finite automata

Supervisory Control and Analysis of Partially-observed Discrete Event Systems

Nowadays, a variety of real-world systems fall into discrete event systems (DES). In practical scenarios, due to facts like limited sensor technique, sensor failure, unstable network and even the intrusion of malicious agents, it might occur that some events are unobservable, multiple events are indistinguishable in observations, and observations of some events are nondeterministic. By considering various practical scenarios, increasing attention in the DES community has been paid to partially-observed DES, which in this thesis refer broadly to those DES with partial and/or unreliable observations. In this thesis, we focus on two topics of partially-observed DES, namely, supervisory control and analysis. The first topic includes two research directions in terms of system models. One is the supervisory control of DES with both unobservable and uncontrollable events, focusing on the forbidden state problem; the other is the supervisory control of DES vulnerable to sensor-reading disguising attacks (SD-attacks), which is also interpreted as DES with nondeterministic observations, addressing both the forbidden state problem and the liveness-enforcing problem. Petri nets (PN) are used as a reference formalism in this topic. First, we study the forbidden state problem in the framework of PN with both unobservable and uncontrollable transitions, assuming that unobservable transitions are uncontrollable. For ordinary PN subject to an admissible Generalized Mutual Exclusion Constraint (GMEC), an optimal on-line control policy with polynomial complexity is proposed provided that a particular subnet, called observation subnet, satisfies certain conditions in structure. It is then discussed how to obtain an optimal on-line control policy for PN subject to an arbitrary GMEC. Next, we still consider the forbidden state problem but in PN vulnerable to SD-attacks. Assuming the control specification in terms of a GMEC, we propose three methods to derive on-line control policies. The first two lead to an optimal policy but are computationally inefficient for large-size systems, while the third method computes a policy with timely response even for large-size systems but at the expense of optimality. Finally, we investigate the liveness-enforcing problem still assuming that the system is vulnerable to SD-attacks. In this problem, the plant is modelled as a bounded PN, which allows us to off-line compute a supervisor starting from constructing the reachability graph of the PN. Then, based on repeatedly computing a more restrictive liveness-enforcing supervisor under no attack and constructing a basic supervisor, an off-line method that synthesizes a liveness-enforcing supervisor tolerant to an SD-attack is proposed. In the second topic, we care about the verification of properties related to system security. Two properties are considered, i.e., fault-predictability and event-based opacity. The former is a property in the literature, characterizing the situation that the occurrence of any fault in a system is predictable, while the latter is a newly proposed property in the thesis, which describes the fact that secret events of a system cannot be revealed to an external observer within their critical horizons. In the case of fault-predictability, DES are modeled by labeled PN. A necessary and sufficient condition for fault-predictability is derived by characterizing the structure of the Predictor Graph. Furthermore, two rules are proposed to reduce the size of a PN, which allow us to analyze the fault-predictability of the original net by verifying that of the reduced net. When studying event-based opacity, we use deterministic finite-state automata as the reference formalism. Considering different scenarios, we propose four notions, namely, K-observation event-opacity, infinite-observation event-opacity, event-opacity and combinational event-opacity. Moreover, verifiers are proposed to analyze these properties

VERIFICATION AND APPLICATION OF DETECTABILITY BASED ON PETRI NETS

In many real-world systems, due to limitations of sensors or constraints of the environment, the system dynamics is usually not perfectly known. However, the state information of the system is usually crucial for the purpose of decision making. The state of the system needs to be determined in many applications. Due to its importance, the state estimation problem has received considerable attention in the discrete event system (DES) community. Recently, the state estimation problem has been studied systematically in the framework of detectability. The detectability properties characterize the possibility to determine the current and the subsequent states of a system after the observation of a finite number of events generated by the system. To model and analyze practical systems, powerful DES models are needed to describe the different observation behaviors of the system. Secondly, due to the state explosion problem, analysis methods that rely on exhaustively enumerating all possible states are not applicable for practical systems. It is necessary to develop more efficient and achievable verification methods for detectability. Furthermore, in this thesis, efficient detectability verification methods using Petri nets are investigated, then detectability is extended to a more general definition (C-detectability) that only requires that a given set of crucial states can be distinguished from other states. Formal definitions and efficient verification methods for C-detectability properties are proposed. Finally, C-detectability is applied to the railway signal system to verify the feasibility of this property: 1. Four types of detectability are extended from finite automata to labeled Petri nets. In particular, strong detectability, weak detectability, periodically strong detectability, and periodically weak detectability are formally defined in labeled Petri nets. 2. Based on the notion of basis reachability graph (BRG), a practically efficient approach (the BRG-observer method) to verify the four detectability properties in bounded labeled Petri nets is proposed. Using basis markings, there is no need to enumerate all the markings that are consistent with an observation. It has been shown by other researchers that the size of the BRG is usually much smaller than the size of the reachability graph (RG). Thus, the method improves the analysis efficiency and avoids the state space explosion problem. 3. Three novel approaches for the verification of the strong detectability and periodically strong detectability are proposed, which use three different structures whose construction has a polynomial complexity. Moreover, rather than computing all cycles of the structure at hand, which is NP-hard, it is shown that strong detectability can be verified looking at the strongly connected components whose computation also has a polynomial complexity. As a result, they have lower computational complexity than other methods in the literature. 4. Detectability could be too restrictive in real applications. Thus, detectability is extended to C-detectability that only requires that a given set of crucial states can be distinguished from other states. Four types of C-detectability are defined in the framework of labeled Petri nets. Moreover, efficient approaches are proposed to verify such properties in the case of bounded labeled Petri net systems based on the BRG. 5. Finally, a general modeling framework of railway systems is presented for the states estimation using labeled Petri nets. Then, C-detectability is applied to railway signal systems to verify its feasibility in the real-world system. Taking the RBC handover procedure in the Chinese train control system level 3 (CTCS-3) as an example, the RBC handover procedure is modeled using labeled Petri nets. Then based on the proposed approaches, it is shown that that the RBC handover procedure satisfies strongly C-detectability