Fault Diagnosis for Timed Automata

1

Fault Diagnosis forTimed Automata

Stavros TripakisVERIMAG

2

Fault diagnosis

Plant(event + fault

generator)

Diagnoser(event reader)

Observable events

Fault announcements

3

Assumptions

• The plant behaves according to a known model.

• The diagnoser receives the (observable) events immediately when they occur.

• The diagnoser reacts immediately.

4

Requirements

• The diagnoser does not produce any false positives (announces a fault when no fault occurred).

• The diagnoser always announces a fault within a bounded delay after the fault occurred.

• Other sanity requirements (diagnoser is causal, does not change its mind, etc).

5

Example

f a

ub

Red events are observable.

Blue events are unobservable.

f is the fault event.

The plant model

a

b

Fault!The diagnoser

6

Not all plants are diagnosable!

f a

ua

7

Timed fault diagnosis

Plant(event + fault

generator)

Diagnoser(event reader)

Observable events + delays

Fault announcements

8

Assumptions

• The plant behaves according to a known timed automaton model.

• The diagnoser receives the (observable) events immediately when they occur and reacts immediately.

• The diagnoser measures delays between two events (i.e., has a timer). It can also set timeouts (in case an event is not observed for a long time).

9

Example of timed diagnosis

The plant model is aTimed Automaton

(with invariants for urgency)

f a

u ax:=0

x 2

x > 3

This plant is diagnosable!

a

Fault!

y 2y:=0

y > 2The diagnoser:

In this case, the diagnoser canbe modeled as a timed automaton.

This is not always the case!

10

“Infinite-clock” diagnoser(example due to Peter Niebert)

f a

a

x:=0

x > 1 y < 1

a

a

a

b

u

b

x:=0

x 1x 0 x = 1

y:=0 y < 1

• Faulty behaviors: there is some a exactly 1 time unit before the b.

• Correct behaviors: either no b, or no a exactly 1 time unit before the b.

This plant is diagnosable.However, the diagnoser needs to check whether

some a was exactly 1 time unit before the b.To do this, the diagnoser needs an unbounded

number of clocks.

11

Example (2)

f a

u ax:=0

x 2

x > 3

After an f or a u, the plant need not perform an a(it can stay forever in state 1).

This plant is NOT diagnosable!

1

12

Formal definitions• Timed behaviors over some alphabet :

= o u

a 1.1 u 0.4 b 3 f 2.2 c

13

Formal definitions• Observable behaviors:

a 1.1 u 0.4 b 3 f 2.2 c

a 1.5 b 5.2 c

Projection to observable events

14

Formal definitions• Faulty behavior: contains a fault event.

a 1.1 u 0.4 b 3 f 2.2 c

a 1.1 u 0.4 b 3 u 2.2 c

faulty

non-faulty

15

Formal definitions• T-faulty behavior (T is a delay):

– faulty behavior,– at least T time elapses after the first occurrence

of the fault.• Examples:

– 2-faulty (but not 3-faulty) behaviors:

a 1.1 u 0.4 b 3 f 2.5 u

a 1.1 u 0.4 b 3 f 2.2 u 0 c 0.3 u

a 1.1 u 0.4 b 3 f 1.9 0.1

16

Formal definitions• Timed automata:

– As usual.– Delays are rationals (to be machine-representable)– No acceptance conditions.– Urgency modeled using state invariants.

• Non-zeno run: (infinite) run where time diverges.

17

Diagnosers• A T-diagnoser for a timed automaton A is a

function

• such that, for every behavior of A,

D : (o Q) {0,1}

If is not faulty, then D( Proj() ) = 0

If is T-faulty, then D( Proj() ) = 1

18

Diagnosability

• A timed automaton A is called T-diagnosable if there exists a T-diagnoser for it.

• A is diagnosable if there exists T such that A is T-diagnosable.

• Note: if A is T-diagnosable then it is also (T+1)-diagnosable.

19

Necessary and sufficient condition for diagnosability

• A is T-diagnosable iff

• or, equivalently

, ’ . is T-faulty, ’ is not faulty,and Proj() = Proj(’)

, ’ . if is T-faulty and ’ is not faulty,then Proj() Proj(’)

20

Questions

• How to test whether a given timed automaton A is diagnosable?

• How to find the minimum T such that A is T-diagnosable (but not (T-1)-diagnosable)?

• How to build a diagnoser?

21

Testing diagnosability• Assumption: A is non-zeno.• Make two copies of A, A1 and A2:

– Copy/rename states, transitions, clocks, etc.– Copy/rename unobservable events.– Copy but do not rename observable events.

• Remove all faulty transitions from A2.• Take the product B of A1 and A2: synchronize on

common labels (i.e., observable events).

• A is diagnosable iff all faulty runs of B are zeno.

22

Testing diagnosability• The proof is based on the following facts:

• Every run of B corresponds to a pair of runs , ’ of A which have the same projection.

’ cannot be faulty.

• If a TA has a T-faulty run for all T, then it has a non-zeno faulty run.

23

Testing diagnosability• Example:

f1a

u1a

x1:=0

x1 2

x1 > 3f2

a

u2a

x2:=0

x2 2

x2 > 3

f a

u ax:=0

x 2

x > 3

24

Testing diagnosability• Example:

f1a

u1a

x1:=0

x1 2

x1 > 3

u2a

x2:=0

x2 2

f a

u ax:=0

x 2

x > 3

25

Testing diagnosability• Example:

f1

a

u1

a

x1:=0

x1 2

x1 > 3

u2

x2:=0

x2 2

u2

u1

u2

f1

x2 2

x2 2x1 2

26

Testing diagnosability• Example:

f1

ax1:=0 x1 > 3

u2

x2:=0

x2 2

u2

f1

x2 2

27

Finding the minimum T for T-diagnosability

• Assumption: A is diagnosable.• Take the product B as before.• Take the product of B and the observer automaton

below (where T is a parameter).

f1z:=0 z > T

f1

• A is T-diagnosable iff the final state of the observer cannot be reached.

• Perform a binary search on T : 0, 1, 2, 4, …etc. Complexity: log(T) reachability checks.

28

Representing diagnosers• A diagnoser will be represented as a

deterministic machine M=(W, w0, F, G, H), where

– W is its set of states,– w0 is its initial state,– F : W o W (event transition function)– G : W Q W (time transition function)– H : W {0,1} (decision function)

29

Representing diagnosers• Given an observed behavior,

• Feed it to the machine:– w1 = F(w0, a), w2 = G(w1, 1.5),– w3 = F(w2, b), w4 = G(w3, 5.2),– w5 = F(w4, c),

• Then apply the decision function to the state where the machine stopped:– D( ) = H(w5).

= a 1.5 b 5.2 c

30

Building a diagnoser• Assumption: the structure of A is such that

no discrete state can be reached by both a faulty and a non-faulty path.

• Every automaton can be transformed so that it meets the assumption (by doubling, at most, its discrete states).

f a

u b

f a

ub

Not OK OK

faultystates

31

Building a diagnoser• Preliminary definition:• Let S be a set of states of the timed

automaton A.

• ReachUnobs(S, ) = { s‘ | sS, s reaches s’ via a run of exactly time units that takes only unobservable actions }.

• ReachUnobs() is easily implementable using standard TA model-checking techniques (DBMs, reachability, etc).

32

Building a diagnoser• W : the set of all possible subsets of states of the

timed automaton,

• w0 = ReachUnobs({s0}, 0),

• F(S, a) = { s’ | sS, s s’},

• G(S, ) = ReachUnobs(S, ),

• H(S) = 0, if s=(q,v)S such that q is non-faulty, 1, otherwise.

a

That is, the diagnoser

works as anon-line state

estimator

33

Summary

• Introduced notions of diagnosers and diagnosability for timed automata.

• Necessary and sufficient conditions.

• Conditions reduce to finding non-zeno runs on a product automaton:– this can be done efficiently on-the-fly [BTY-RTSS’97].

• Diagnosers can be effectively built.

34

Future work

• Easily extendable to timed automata with acceptance conditions (meaning?).

• Represent diagnosers as timed automata (when can this be done?).

• Controller synthesis for timed automata based on partial observability of events.

35

Acceptance conditions

The automaton below is in principle diagnosable: b will eventually happen after f (due to the acceptance condition).

However, there is no bound of b happening after f.

fua

b