Inference-based Ambiguity Management in Decentralized Decision-Making:
Decentralized Diagnosis of Discrete Event Systems

Ratnesh Kumar
Department of Electrical and Computer Engineering, Iowa State University
Ames, Iowa 50011-3060, USA
[email protected]

Shigemasa Takai
Department of Information Science, Kyoto Institute of Technology
Matsugasaki, Sakyo-ku, Kyoto 606-8585, Japan
[email protected]

Abstract

The task of decentralized decision-making involves interaction of a set of local decision-makers, each of which operates under limited sensing capabilities and is thus subjected to ambiguity during the process of decision-making. In a prior work [13], [14] we made a key observation that such ambiguities are of differing gradations and presented a framework for inferencing over varying ambiguity levels to arrive at local and global control decisions. We develop a similar framework for performing diagnosis in a decentralized setting. For each event-trace executed by a system being monitored, each local diagnoser issues its own diagnosis decision (failure, nonfailure, or unsure), tagged with a certain ambiguity level (zero being the minimum). A global diagnosis decision is taken to be a “winning” local diagnosis decision, i.e., one with a minimum ambiguity level. The computation of an ambiguity level for a local decision requires an assessment of the self-ambiguity as well as the ambiguities of the others, and an inference based upon such knowledge. In order to characterize the class of systems for which any fault can be detected within a uniformly bounded number of steps (or “delay”), we introduce the notion of N-inference-diagnosability for Failures (also called N-inference F-diagnosability), where the index N represents the maximum ambiguity level of any winning local decision. We show that the codiagnosability introduced in [19] is the same as 0-inference F-diagnosability; the conditional F-codiagnosability introduced in [33], [34] is a type of 1-inference F-diagnosability; the class of higher-index inference F-diagnosable systems strictly subsumes the class of lower-index ones; and the class of inference F-diagnosable systems is strictly subsumed by the class of systems that are centrally F-diagnosable.

Keywords: Discrete event systems, Decentralized diagnosis, Inferencing, Knowledge, Ambiguity, Inference-diagnosability.

This work was supported in part by the National Science Foundation under the grants NSF-ECCS-0424048, NSF-ECCS-0601570, NSF-ECCS-0801763, and NSF-CCF-0811541, and in part by MEXT under Grant-in-Aid for Scientific Research (C) 18560433.



NOTE TO PRACTITIONERS

The paper studies the problem of decentralized failure diagnosis in discrete event systems. This is relevant for diagnosis of large scale distributed systems such as communication networks, manufacturing systems, and power systems. Multiple decision-makers observe the behaviors of an underlying system using their own set of sensors, and jointly diagnose the occurrence of a failure based on their observations of the system behavior together with an inference of the self ambiguity and those of the others. Each diagnosis decision of a decision-maker is tagged with an ambiguity level, and an overall diagnosis decision is taken to be a diagnosis decision with a minimum ambiguity level. A notion of N-inference F-diagnosability is introduced as a condition under which each failure is diagnosed within a bounded number of steps (or “delay”) of its occurrence by one of the decision-makers, and the ambiguity levels of all winning decisions are upper bounded by N. Properties of N-inference F-diagnosable system and specification pairs are studied and an algorithm for verifying the property of N-inference F-diagnosability is presented.

I. INTRODUCTION

In any decentralized decision-making paradigm, such as decentralized control or diagnosis, multiple decision-makers, each with its limited sensing and/or control capabilities, interact to come up with the global decisions. Presence of limited sensing capabilities can lead to ambiguity in knowing the system state and thereby ambiguity in decision-making. Suppose there exist two traces that are executable in the plant and are indistinguishable to a local diagnoser, and one of the traces is a “failure” trace while the other one is a “nonfailure” trace. Since these two traces are indistinguishable, upon receiving their observation, the local diagnoser will be ambiguous about whether or not a failure occurred. Similar situations can also arise in the setting of distributed diagnosis (i.e., one involving communication among the local diagnosers) since the problem of distributed diagnosis can be reduced to an instance of decentralized diagnosis (i.e., one involving no communication among the local diagnosers) [18]. Similarly, such ambiguities can also be present in the setting of decentralized decision making for control [13], [14]. In the context of decentralized control, a knowledge-based mechanism for assessing the self-ambiguity was presented in [21], and later the same architecture was used for assessing the self-ambiguity as well as the ambiguities of the others in [22]. The process of utilizing the knowledge of the self-ambiguity together with the ambiguities of the others for the sake of decision-making was referred to as “inferencing” in [22] and “conditioning” in [37]. These prior inferencing-based approaches were limited by a “single-level” of inferencing, and a comprehensive framework allowing multi-level inferencing over various local control decisions of varying levels of ambiguity was first presented in [13], [14].

A behavior violating a specification is called a failure and the task of diagnosis is to deduce the occurrence of any failure from the behavior observed through the sensors. The property of diagnosability characterizes the ability to detect a failure within a bounded number of steps (or “delay”) of its occurrence [25]. The failure diagnosis problem for DESs has been actively researched in various settings such as centralized untimed setting [7], [16], [24], [26], [36], [38], decentralized untimed setting [1], [5], [18], [19], [23], [27], [28], [33], [34], in the setting of repeatable/intermittent faults [3], [10], [11], [35], [40], in the temporal logic setting [8], [10], in the setting of discrete-time [39] and dense-time [2], [4], [6], [9], [17], [32], and in the probabilistic setting [31].

In the context of decentralized diagnosis, [19] suggested the following simple technique for the management of ambiguity. When a local diagnoser is ambiguous about whether or not a failure has occurred it simply opts to issue no diagnosis decision, i.e., a diagnosis decision is issued by a local diagnoser only when it is unambiguous about it. This led to the introduction of the notion of codiagnosability in [19] that required that for each failure trace executable by the system being monitored, there be at least one local diagnoser that can unambiguously determine this within a bounded number of additional transition-executions. An extension reported in [33], [34] considered decentralized diagnosis based on the ideas of “conditioning” introduced in the setting of decentralized control and introduced the notion of conditional codiagnosability that is weaker than codiagnosability. As is the case with conditional coobservability, conditional codiagnosability involves a single-level of inferencing over the knowledge about ambiguities.

In this paper we build upon the ideas of inference-based ambiguity management in the setting of decentralized control [13], [14] and develop a framework for inference-based decentralized diagnosis. Our framework supports (i) inferencing utilizing the knowledge of the self-ambiguity as well as the ambiguities of the other decision makers, and (ii) inferencing over an arbitrary number of levels of ambiguity. Each local diagnoser uses its observations of the system behavior to come up with its diagnosis decision together with a grade or level of ambiguity for that diagnosis decision. The computation of an ambiguity level of a local decision requires the assessment of the self-ambiguity together with the ambiguities of the others.

A minimum (level-zero) ambiguity decision is issued by a local diagnoser when all traces producing the same observation as the one received are either only failure traces or only nonfailure traces. In general a local diagnoser will issue a failure (resp., nonfailure) decision with an ambiguity level N following a certain observation if for each nonfailure (resp., failure) trace producing the same observation as the one received, that local diagnoser knows there exists another local diagnoser that can issue a nonfailure (resp., failure) decision with an ambiguity level at most N − 1. Note that in certain situations it is possible that a local diagnosis decision is neither “failure” nor “nonfailure”, but “unsure”. The global diagnosis decision is taken to be the same as a local diagnosis decision whose ambiguity level is the minimum. (Such a local decision can be considered to be a “winning” local decision.)

We formulate the notion of inference-diagnosability for Failures (also called inference F-diagnosability) to characterize the class of diagnosable systems in the proposed framework of decentralized diagnosis. A system is diagnosable for failures if global diagnosis decisions can be synthesized such that there are no missed detections, i.e., the diagnosis decision is “failure” following the execution of any failure trace within a bounded number of additional transition-executions, and there are no false alarms, i.e., the diagnosis decision following a nonfailure (resp., failure) trace is not “failure” (resp., “nonfailure”). Such a system is N-inference-diagnosable for failures if the global diagnosis decisions can be synthesized with the property that their ambiguity levels are upper bounded by N, i.e., a maximum of N levels of inferencing is required by any of the diagnosers to resolve any ambiguity.

We present effective algorithms for verifying whether a system is N-inference F-diagnosable and also for the synthesis of local and global diagnosers. We also study the various properties of N-inference F-diagnosability. In particular we show that the notion of codiagnosability studied in [19] is the same as the notion of 0-inference F-diagnosability. Further the notion of conditional F-codiagnosability introduced in [33], [34] is similar to that of 1-inference F-diagnosability. We also show an example that is 2-inference F-diagnosable but not conditionally codiagnosable. We also establish that the classes of N-inference F-diagnosable systems form a monotonically increasing sequence as a function of N. Further we show that there are systems that are centrally F-diagnosable but not inference F-diagnosable for any index N. A relation among various classes of diagnosable systems is shown in Fig. 1.

Fig. 1. A relation among various classes of diagnosable systems. [Figure not reproduced; the classes it relates, listed from the smallest to the largest, are:]
  0-inference F-diagnosable (equivalent to codiagnosable)
  1-inference F-diagnosable (similar to conditional F-codiagnosable)
  N-inference F-diagnosable
  (N + 1)-inference F-diagnosable
  inference F-diagnosable
  (centralized) F-diagnosable

There are certain differences between the setting of inference-based control versus inference-based diagnosis:

• In case of control it is required that both the enablement and disablement decisions be issued correctly, whereas in case of diagnosis only the failure decisions are required to be issued correctly (nonfailure decisions may remain ambiguous). Also a finite set of failure decisions may remain ambiguous.

• In case of control, correct decisions must be known without delay, whereas in case of diagnosis, correct decisions can be determined within a bounded delay.

The above differences in requirements for control versus diagnosis have led to the following differences:

• While inference-observability guarantees that all enablement and disablement decisions are issued correctly, the inference-diagnosability condition only guarantees that all but a finite set of failure decisions are issued correctly (and the nonfailure decisions can remain ambiguous).

• In case of control, the “inference-observability” condition is generated starting from two sublanguages of the specification language K. In contrast, in case of diagnosis, the “inference-diagnosability” condition is generated starting from the specification language K and its complement relative to the plant language, L(G) − K.

• In case of control, an N-inferring supervisor is one in which for every controllable event, either all enablement decisions or all disablement decisions have their ambiguity levels upper bounded by N. In case of diagnosis, an N-inferring diagnoser has a very different meaning: all failure decisions that are unambiguous have their ambiguity levels upper bounded by N. In both settings the following additional property also holds: if a certain ambiguity-level decision is “sure”, then all lower ambiguity-level decisions are also “sure”.

Most results presented in this paper were first reported at a conference [15] without proofs. This paper contains detailed proofs, additional results and examples. An inference-based approach for the diagnosis of nonfailures was also reported at another conference [29]. The rest of the paper is organized as follows. Section II presents the notation and the preliminaries, and the inference-based decentralized diagnosis framework is introduced in Section III. Section IV introduces the notion of N-inference F-diagnosability as a condition for the existence of an inference-based decentralized diagnosis scheme that can detect any failure within a bounded delay with at most N levels of inferencing. Section V presents algorithms for verifying N-inference F-diagnosability and for the synthesis of local diagnosers. Properties of N-inference F-diagnosability are presented in Section VI, and the conclusion is given in Section VIII.

II. NOTATION AND PRELIMINARIES

We consider a DES modeled by a finite nondeterministic automaton G = (X, Σ, α, X0, Xm), where X is the finite set of states, Σ is the finite set of events, the function α : X × (Σ ∪ {ε}) → 2^X is the transition function, X0 ⊆ X is the set of initial states, and Xm ⊆ X is the set of marked or accepting states. G is said to be deterministic if the transition function can be written as a partial function α : X × Σ → X and |X0| = 1. Let Σ* be the set of all finite sequences of events including the empty sequence ε. Elements of Σ* are called traces, and subsets of Σ* are called languages. The transition function α can be generalized to α : 2^X × Σ* → 2^X in a natural way. The generated and marked (or accepted) languages of G are respectively defined as

\[
L(G) := \{ s \in \Sigma^* \mid \alpha(X_0, s) \neq \emptyset \}, \qquad
L_m(G) := \{ s \in \Sigma^* \mid \alpha(X_0, s) \cap X_m \neq \emptyset \}.
\]

For a language K, the set of all prefixes of traces in K is denoted by pr(K), i.e.,

\[
pr(K) = \{ s \in \Sigma^* \mid \exists t \in \Sigma^* : st \in K \}.
\]

K is said to be (prefix-)closed if K = pr(K). A closed language K is said to be deadlock-free if for any s ∈ K, there exists a trace t ≠ ε such that st ∈ K; otherwise s is called a deadlocking trace of K. For each trace s ∈ Σ*, |s| denotes its length. For any m ∈ N, where N denotes the set of all nonnegative integers, let Σ^{≥m} := {s ∈ Σ* | |s| ≥ m} denote the set of all traces with m or more events.

III. INFERENCE-BASED DECENTRALIZED DIAGNOSIS FRAMEWORK

Let I = {1, 2, ···, n} denote the index set of local diagnosers that perform the task of diagnosis without sharing their observations. We assume that the limited sensing capabilities of the ith local diagnoser Di (i ∈ I) can be represented as the local observation mask, Mi : Σ ∪ {ε} → Δi ∪ {ε}, where Δi is the set of locally observed symbols, and Mi(ε) = ε. The map Mi is generalized to Mi : Σ* → Δi* and Mi : 2^{Σ*} → 2^{Δi*} in a natural way:

\[
(\forall s \in \Sigma^*,\ \sigma \in \Sigma,\ H \subseteq \Sigma^*)\quad
M_i(\varepsilon) := \varepsilon;\quad
M_i(s\sigma) := M_i(s)\,M_i(\sigma);\quad
M_i(H) := \bigcup_{s \in H} M_i(s).
\]

Let L ≠ ∅ be a closed language representing a generated language of a plant (system to be diagnosed), and K ⊆ L be a nonempty closed language representing a nonfailure specification language. Traces in L − K are considered failure traces and the task of diagnosis is to determine the execution of any trace in L − K within an additional bounded number of system executions. Without loss of generality, the plant language L can be taken to be deadlock-free. Otherwise we can extend each deadlocking trace by an unbounded sequence of a newly added event that is unobservable to all diagnosers. This will make the language deadlock-free without altering any diagnosability property since the newly added event does not produce any observation to any of the diagnosers.

Let the set C = {0, 1, φ} be the set of diagnosis decisions, where “0” represents a nonfailure decision, “1” represents a failure decision, and “φ” represents an unsure decision. Each inference-based local diagnoser Di is defined as a map Di : Mi(L) → C × N, where for each s ∈ L,

\[
D_i(M_i(s)) = \big(c_i(M_i(s)),\ n_i(M_i(s))\big).
\]

Here ci(Mi(s)) ∈ C denotes the diagnosis decision of Di following an observation Mi(s) ∈ Mi(L), and ni(Mi(s)) ∈ N denotes the ambiguity level of the diagnosis decision of Di. Let n(s) be the minimum ambiguity level of local decisions, i.e.,

\[
n(s) := \min_{i \in I} n_i(M_i(s)).
\]

The decentralized diagnoser {Di}i∈I that consists of local diagnosers Di (i ∈ I) issues global diagnosis decisions. Formally, {Di}i∈I is defined as a map {Di}i∈I : L → C. For each s ∈ L, the diagnosis decision {Di}i∈I(s) is given as follows:

\[
\{D_i\}_{i \in I}(s) =
\begin{cases}
0, & \text{if } \forall i \in I \text{ s.t. } n_i(M_i(s)) = n(s):\ c_i(M_i(s)) = 0 \\
1, & \text{if } \forall i \in I \text{ s.t. } n_i(M_i(s)) = n(s):\ c_i(M_i(s)) = 1 \\
\phi, & \text{otherwise.}
\end{cases}
\]

In other words, the global diagnosis decision is taken to be the same as a local diagnosis decision possessing the minimum level of ambiguity.

A useful notion of a decentralized diagnoser is the largest ambiguity level N ∈ N of any sure decision, and the preservation of surety of a decision with a decrease in the ambiguity level (if a certain ambiguity-level decision is “sure”, then all lower ambiguity-level decisions are also “sure”). We refer to such a diagnoser as “N-inferring”.

Definition 1: A decentralized diagnoser {Di}i∈I : L → C is said to be N-inferring if the following two conditions hold:

1) (∀s ∈ L) {Di}i∈I(s) ≠ φ ⇒ n(s) ≤ N,

2) (∀s, s′ ∈ L) [{Di}i∈I(s) ≠ φ ∧ n(s′) ≤ n(s)] ⇒ {Di}i∈I(s′) ≠ φ.


IV. EXISTENCE/SYNTHESIS OF INFERENCE-BASED DECENTRALIZED DIAGNOSERS

Let N ∈ N be a given nonnegative integer. (N represents a parameter for the inference diagnosability and is elaborated later.) Given a plant language L and a nonfailure specification language K ⊆ L, we inductively define a monotonically decreasing sequence {(Fk, Hk)}0≤k≤N of language pairs as follows:

• Base step:

\[
F_0 := L - K, \qquad H_0 := K.
\]

• Induction step:

\[
F_{k+1} := F_k \cap \Big( \bigcap_{i \in I} M_i^{-1} M_i(H_k) \Big), \qquad
H_{k+1} := H_k \cap \Big( \bigcap_{i \in I} M_i^{-1} M_i(F_k) \Big).
\]

The computation of the sequence {(Fk, Hk)}0≤k≤N of language pairs starts with F0 = L − K, the set of Failure traces, and H0 = K, the set of nonfailure or “Healthy” traces. Note that Fk+1 is a sublanguage of Fk consisting of those traces for which for each i ∈ I there exists an Mi-indistinguishable trace in Hk. As a result, when the plant executes a trace in Fk+1 all the local diagnosers will be ambiguous as to whether the executed trace is in Fk+1 or in Hk. The sublanguage Hk+1 of Hk can be understood in a similar fashion. The language Fk+1 has the following intuitive interpretation: it consists of those traces for which the failure decision is required but all diagnosers remain ambiguous about it even after k levels of inferencing. A dual interpretation exists for the language Hk+1.

Using the sequence {(Fk, Hk)}0≤k≤N of language pairs, a local diagnoser computes its diagnosis decision and associates a level of ambiguity with such a decision as follows. For each s ∈ L, the ith local diagnoser Di computes

\[
n^f_i(M_i(s)) := \min\{ k \in \mathcal{N} \mid [M_i(s) \notin M_i(H_k)] \lor [k = N + 1] \}, \tag{1}
\]
\[
n^h_i(M_i(s)) := \min\{ k \in \mathcal{N} \mid [M_i(s) \notin M_i(F_k)] \lor [k = N + 1] \}. \tag{2}
\]

Note that n^f_i(Mi(s)) and n^h_i(Mi(s)) are bounded above by N + 1. Here n^f_i(Mi(s)) represents the ambiguity level of a failure decision “contemplated” by the ith diagnoser following the observation Mi(s). When n^f_i(Mi(s)) < N + 1, it denotes the minimum index k such that the observation Mi(s) does not match with the observations of any of the traces in Hk. Similarly, the notation n^h_i(Mi(s)) represents the ambiguity level of a nonfailure decision “contemplated” by the ith diagnoser following the observation Mi(s). Which of the two contemplated decisions is ultimately issued is decided by comparing the two ambiguity levels, n^f_i(Mi(s)) vs. n^h_i(Mi(s)), and favoring the smaller one. This is formalized next.

For a local diagnoser Di : Mi(L) → C × N, its diagnosis decision and ambiguity level following an observation Mi(s) ∈ Mi(L), i.e., Di(Mi(s)) = (ci(Mi(s)), ni(Mi(s))), is determined as follows:

\[
c_i(M_i(s)) =
\begin{cases}
0, & \text{if } n^h_i(M_i(s)) < n^f_i(M_i(s)) \\
1, & \text{if } n^f_i(M_i(s)) < n^h_i(M_i(s)) \\
\phi, & \text{if } n^f_i(M_i(s)) = n^h_i(M_i(s))
\end{cases} \tag{3}
\]

and

\[
n_i(M_i(s)) = \min\{ n^f_i(M_i(s)),\ n^h_i(M_i(s)) \}. \tag{4}
\]

Remark 1: In summary, the decentralized diagnosis in the proposed framework can be implemented as follows. The language pairs (Fk, Hk) (k = 0, 1, ···, N) are computed off-line (see Section V) and then each of the ith local decision-makers is supplied with the language pairs {(Mi(Fk), Mi(Hk))}0≤k≤N. When the plant executes a trace s ∈ L, it is observed as the trace Mi(s) at the ith local site. Using (1) and (2), the ith local site computes the values n^f_i(Mi(s)) and n^h_i(Mi(s)). When n^f_i(Mi(s)) (resp., n^h_i(Mi(s))) is smaller, the ith local site issues a failure (resp., nonfailure) decision with ambiguity level n^f_i(Mi(s)) (resp., n^h_i(Mi(s))), whereas when the two values are the same, the unsure decision with ambiguity level n^f_i(Mi(s)) = n^h_i(Mi(s)) is issued. Since the ith local diagnoser has access to the set of language pairs {(Mi(Fk), Mi(Hk))}0≤k≤N, it only needs to perform certain membership-check and minimization operations to determine its diagnosis decision for each observation Mi(s) ∈ Mi(L). The complexity of this step is polynomial in the sizes of the plant/specification models, whereas it is N-fold exponential in I (the total number of sites). So the parameter N must be chosen so that the above can be accomplished during the run-time operation.

All local decisions are collected at a central decision fusion unit. The global decision is always taken to be a winning local decision, i.e., a local decision possessing the minimum level of ambiguity. In case no clear winner exists, the “unsure” global decision is issued.
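The off-line computation of the pairs (Fk, Hk), the local decisions (1)–(4), the decision fusion just described, and the N-inferring check of Definition 1 are worked through in the following Python program. It is an added example written for this page, not code from the paper or its authors. It assumes finite prefix-closed languages represented as sets of event tuples, so that every step is a plain set operation (the paper's languages are regular and would be handled on automata instead), and the plant, specification and observation masks it uses are constructed for illustration: two sites, site 1 sensing {a, a′, c} and site 2 sensing {b, b′, c}, with f the fault event and e an event silent to both sites.

```python
"""Inference-based decentralized diagnosis on finite languages.

Added example for this page (not the paper's or the authors' code). Languages
are finite, prefix-closed sets of event tuples (an assumption made so that every
step is a plain set operation); the plant, specification and masks are constructed."""

PHI = None  # the unsure decision "phi"; 0 = nonfailure, 1 = failure


def prefix_closure(maximal_traces):
    """pr(K): all prefixes (including the empty trace) of the given traces."""
    return {t[:k] for t in maximal_traces for k in range(len(t) + 1)}


def make_mask(observable):
    """Local observation mask M_i: erases every event the site cannot sense."""
    observable = frozenset(observable)
    return lambda s: tuple(e for e in s if e in observable)


def language_pairs(L, K, masks, N):
    """The decreasing sequence (F_k, H_k), k = 0..N, of Section IV.

    F_{k+1} = F_k ∩ ⋂_i M_i^{-1} M_i(H_k): failure traces every site still confuses
    with some trace of H_k after k levels of inferencing; H_{k+1} is the dual."""
    F, H = [L - K], [set(K)]
    for k in range(N):
        img_H = [{M(t) for t in H[k]} for M in masks]  # M_i(H_k) per site
        img_F = [{M(t) for t in F[k]} for M in masks]  # M_i(F_k) per site
        F.append({s for s in F[k] if all(M(s) in img for M, img in zip(masks, img_H))})
        H.append({s for s in H[k] if all(M(s) in img for M, img in zip(masks, img_F))})
    return F, H


def local_decision(obs, img_F_i, img_H_i, N):
    """Equations (1)-(4) for one site; returns (c_i, n_i, n^f_i, n^h_i).

    img_F_i[k] = M_i(F_k) and img_H_i[k] = M_i(H_k) are the tables the site is
    supplied with off-line (Remark 1)."""
    nf = next((k for k in range(N + 1) if obs not in img_H_i[k]), N + 1)  # (1)
    nh = next((k for k in range(N + 1) if obs not in img_F_i[k]), N + 1)  # (2)
    c = 0 if nh < nf else 1 if nf < nh else PHI                            # (3)
    return c, min(nf, nh), nf, nh                                          # (4)


class DecentralizedDiagnoser:
    """Local diagnosers D_i plus the central fusion unit {D_i}_{i in I}."""

    def __init__(self, L, K, observable_sets, N):
        self.N = N
        self.masks = [make_mask(o) for o in observable_sets]
        self.F, self.H = language_pairs(L, K, self.masks, N)
        self.img_F = [[{M(t) for t in Fk} for Fk in self.F] for M in self.masks]
        self.img_H = [[{M(t) for t in Hk} for Hk in self.H] for M in self.masks]

    def local(self, i, s):
        """Decision of site i after observing M_i(s)."""
        return local_decision(self.masks[i](s), self.img_F[i], self.img_H[i], self.N)

    def decide(self, s):
        """Global decision and n(s): the minimum-ambiguity local decisions win,
        and the result is unsure unless all winners agree on 0 or on 1."""
        locs = [self.local(i, s) for i in range(len(self.masks))]
        n_s = min(n for _, n, _, _ in locs)
        winners = {c for c, n, _, _ in locs if n == n_s}
        if winners == {0}:
            return 0, n_s
        if winners == {1}:
            return 1, n_s
        return PHI, n_s

    def is_n_inferring(self, L):
        """Definition 1: sure decisions have n(s) <= N, and every trace whose
        ambiguity level is at most that of some sure decision is itself sure."""
        results = [self.decide(s) for s in L]
        sure_levels = {n for c, n in results if c is not PHI}
        if any(n > self.N for n in sure_levels):
            return False
        bound = max(sure_levels, default=-1)
        return all(c is not PHI for c, n in results if n <= bound)

    def false_alarms(self, L, K):
        """Traces whose sure global decision contradicts membership in K."""
        return {s for s in L if self.decide(s)[0] not in (PHI, int(s not in K))}


# Constructed toy plant (not the paper's Example 1): f is the fault, e is
# unobservable to both sites; a' and b' are the "healthy" alternatives to f.
L_MAX = [("a", "f", "c"), ("a", "b'", "c"), ("b", "f", "c"), ("b", "a'", "c"), ("e", "c")]
K_MAX = [("a", "b'", "c"), ("b", "a'", "c"), ("e", "c")]
L_TOY, K_TOY = prefix_closure(L_MAX), prefix_closure(K_MAX)
SITES = [{"a", "a'", "c"}, {"b", "b'", "c"}]  # what site 1 and site 2 can sense


def demo(N):
    """Global decisions on the maximal traces, the Definition 1 check, and any false alarms."""
    d = DecentralizedDiagnoser(L_TOY, K_TOY, SITES, N)
    return {s: d.decide(s) for s in L_MAX}, d.is_n_inferring(L_TOY), d.false_alarms(L_TOY, K_TOY)


if __name__ == "__main__":
    for N in (0, 1):
        decisions, ok, alarms = demo(N)
        print(f"N={N}: N-inferring={ok}, false alarms={alarms}")
        for s, (c, n) in decisions.items():
            print("  ", "".join(s), "->", "phi" if c is PHI else c, "at level", n)
```

With N = 0 the failure trace afc stays unsure: site 1 sees ac, which it also sees for the nonfailure trace ab′c, and site 2 sees c, which it also sees for ec. With N = 1 site 1 issues a level-1 failure decision for afc, because the only nonfailure trace it confuses with afc is ab′c, which site 2 settles as nonfailure at level 0 (b′c is never the observation of a failure trace); that level-0 decision also wins for ab′c itself. The check in is_n_inferring implements Definition 1 literally, and false_alarms confirms that no sure global decision contradicts membership in K.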

Example 1: We consider a plant modeled by the finite automaton G shown in Fig. 2(a), which is a modified version of the DES considered in [33], [34]. Let n = 2,

\[
M_1(\sigma) = \begin{cases} \sigma, & \text{if } \sigma \in \{a, a', c, d\} \\ \varepsilon, & \text{otherwise,} \end{cases}
\qquad
M_2(\sigma) = \begin{cases} \sigma, & \text{if } \sigma \in \{b, b', c, d\} \\ \varepsilon, & \text{otherwise.} \end{cases}
\]

Also, let K ⊆ L be a language generated by the finite automaton R shown in Fig. 2(b).

Fig. 2. Automata G and R of Example 2. [State-transition diagrams (a) G and (b) R not reproduced; their transition labels are a, a′, b, b′, c, d and f.]

We synthesize the decentralized diagnoser using (1)–(4) for N = 2. We first need to compute the language pairs {(Fk, Hk)}0≤k≤2. Initially, we have

\[
F_0 = c^*\big(afc^* + bfc^* + d(fc^* + af(\varepsilon + b'c^*) + bf(\varepsilon + a'c^*))\big),
\]
\[
H_0 = pr\big(c^*(ab'c^+ + ba'c^+ + d(ac^+ + bc^+))\big).
\]

Since

\[
M_1(F_0) = c^*(ac^* + c^* + d(c^* + ac^* + a'c^*)),
\]
\[
M_2(F_0) = c^*(c^* + bc^* + d(c^* + b'c^* + bc^*)),
\]
\[
M_1(H_0) = pr(c^*(ac^+ + a'c^+ + d(ac^+ + c^+))),
\]
\[
M_2(H_0) = pr(c^*(b'c^+ + bc^+ + d(c^+ + bc^+))),
\]

we have

\[
F_1 = F_0 \cap \Big( \bigcap_{i \in I} M_i^{-1} M_i(H_0) \Big) = c^*(afc^* + bfc^* + d(fc^* + af + bf)),
\]
\[
H_1 = H_0 \cap \Big( \bigcap_{i \in I} M_i^{-1} M_i(F_0) \Big) = pr(c^*(a + b + d(ac^+ + bc^+))).
\]

It follows that F1 ∩ Σ^{≥m} ≠ ∅ for any m ∈ N, which implies that (L, K) is not 0-inference F-diagnosable. Also, since

\[
M_1(F_1) = c^*(ac^* + c^* + d(c^* + a + \varepsilon)),
\]
\[
M_2(F_1) = c^*(c^* + bc^* + d(c^* + \varepsilon + b)),
\]
\[
M_1(H_1) = pr(c^*(a + \varepsilon + d(ac^+ + c^+))),
\]
\[
M_2(H_1) = pr(c^*(\varepsilon + b + d(c^+ + bc^+))),
\]

we have

\[
F_2 = F_1 \cap \Big( \bigcap_{i \in I} M_i^{-1} M_i(H_1) \Big) = c^*(af + bf + d(fc^* + af + bf)),
\]
\[
H_2 = H_1 \cap \Big( \bigcap_{i \in I} M_i^{-1} M_i(F_1) \Big) = pr(c^*(a + b + d(a + b))).
\]

The local decisions of D1 and D2 computed using (1)–(4) are shown in Table I. For example, D1(ac) is computed as follows. Since ac ∈ M1(H0) − M1(H1), we have by (1) that n^f_1(ac) = 1. Also, since ac ∈ M1(F1) − M1(F2), we have by (2) that n^h_1(ac) = 2. It follows that 1 = n^f_1(ac) < n^h_1(ac) = 2. By (3) and (4), we have c1(ac) = 1 and n1(ac) = 1, which implies that D1 makes a failure decision following the observation ac ∈ M1(L) with the ambiguity level 1.

TABLE I
LOCAL DECISIONS OF D1 AND D2.

  t ∈ M1(L)        n^f_1(t)   n^h_1(t)   c1(t)   n1(t)
  t ∈ c*           3          3          φ       3
  t ∈ c*a          3          3          φ       3
  t ∈ c*ac+        1          2          1       1
  t ∈ c*a′c*       1          0          0       0
  t ∈ c*d          3          3          φ       3
  t ∈ c*dc+        2          3          1       2
  t ∈ c*da         3          3          φ       3
  t ∈ c*dac+       2          1          0       1
  t ∈ c*da′c*      0          1          1       0

  t ∈ M2(L)        n^f_2(t)   n^h_2(t)   c2(t)   n2(t)
  t ∈ c*           3          3          φ       3
  t ∈ c*b          3          3          φ       3
  t ∈ c*bc+        1          2          1       1
  t ∈ c*b′c*       1          0          0       0
  t ∈ c*d          3          3          φ       3
  t ∈ c*dc+        2          3          1       2
  t ∈ c*db         3          3          φ       3
  t ∈ c*dbc+       2          1          0       1
  t ∈ c*db′c*      0          1          1       0

Then, the global diagnosis decisions of the decentralized diagnoser {Di}i∈I are computed as shown in Table II. For example, {Di}i∈I(afc) is computed as follows. Since 1 = n1(M1(afc)) < n2(M2(afc)) = 3 and c1(M1(afc)) = 1, we have n(afc) = 1 and {Di}i∈I(afc) = 1.

TABLE II
GLOBAL DECISIONS OF {Di}i∈I.

  s ∈ L               n(s)   {Di}i∈I(s)
  s ∈ c*              3      φ
  s ∈ c*a(ε + f)      3      φ
  s ∈ c*b(ε + f)      3      φ
  s ∈ c*afc+          1      1
  s ∈ c*bfc+          1      1
  s ∈ c*ab′c*         0      0
  s ∈ c*ba′c*         0      0
  s ∈ c*d(ε + f)      3      φ
  s ∈ c*dfc+          2      1
  s ∈ c*da(ε + f)     3      φ
  s ∈ c*db(ε + f)     3      φ
  s ∈ c*dac+          1      0
  s ∈ c*dbc+          1      0
  s ∈ c*dafb′c*       0      1
  s ∈ c*dbfa′c*       0      1

We first show that the decentralized diagnoser given by (1)–(4) is an N-inferring one. This requires the following lemma.

Lemma 1: Consider the decentralized diagnoser {Di}i∈I : L → C consisting of local diagnosers Di : Mi(L) → C × N (i ∈ I), and defined by (1)–(4). Then for any s ∈ L,

\[
s \in F_0 \Rightarrow s \in F_{n(s)}, \qquad s \in H_0 \Rightarrow s \in H_{n(s)}.
\]

Proof: Consider any s ∈ L. We begin by proving the first part. Suppose for contradiction that s ∈ F0 and s ∉ F_{n(s)}. There exists l ∈ N such that 0 ≤ l < n(s), s ∈ Fl, and s ∉ Fl+1. So, there exists j ∈ I such that s ∉ M_j^{-1}Mj(Hl). It follows that Mj(s) ∉ Mj(Hl). We have

\[
n_j(M_j(s)) \le n^f_j(M_j(s)) \le l < n(s),
\]

which contradicts the definition of n(s).

Next, we prove the second part. Suppose for contradiction that s ∈ H0 and s ∉ H_{n(s)}. There exists l ∈ N such that 0 ≤ l < n(s), s ∈ Hl, and s ∉ Hl+1. So, there exists j ∈ I such that s ∉ M_j^{-1}Mj(Fl). It follows that Mj(s) ∉ Mj(Fl). We have

\[
n_j(M_j(s)) \le n^h_j(M_j(s)) \le l < n(s),
\]

which contradicts the definition of n(s).

The following lemma shows that the decentralized diagnoser given by (1)–(4) is an $N$-inferring one.

Lemma 2: Consider the decentralized diagnoser $\{D_i\}_{i\in I} : L \to C$ consisting of local diagnosers $D_i : M_i(L) \to C \times \mathcal{N}$ ($i \in I$), and defined by (1)–(4). Then, $\{D_i\}_{i\in I}$ is an $N$-inferring decentralized diagnoser.

Proof: First, we show that $\{D_i\}_{i\in I}$ satisfies the first condition of Definition 1. Consider any $s \in L$ such that $\{D_i\}_{i\in I}(s) \ne \phi$.

We consider the case that $\{D_i\}_{i\in I}(s) = 1$. For any $i \in I$ such that $n(s) = n_i(M_i(s))$, we have $c_i(M_i(s)) = 1$. So, we have
$$n(s) = n^f_i(M_i(s)) < n^h_i(M_i(s)) \le N + 1,$$
which implies that $n(s) \le N$.


We also consider the case that $\{D_i\}_{i\in I}(s) = 0$. For any $i \in I$ such that $n(s) = n_i(M_i(s))$, we have $c_i(M_i(s)) = 0$. So, we have
$$n(s) = n^h_i(M_i(s)) < n^f_i(M_i(s)) \le N + 1,$$
which implies that $n(s) \le N$.

Next, we show that $\{D_i\}_{i\in I}$ satisfies the second condition of Definition 1. By the first condition, it suffices to show that
$$(\forall s \in L)\; n(s) \le N \Rightarrow \{D_i\}_{i\in I}(s) \ne \phi. \qquad (5)$$
Consider any $s \in L$. Suppose for contradiction that $n(s) \le N$ and $\{D_i\}_{i\in I}(s) = \phi$. Since $\{D_i\}_{i\in I}(s) \notin \{0, 1\}$, there exist $i, j \in I$ such that $n(s) = n_i(M_i(s)) = n_j(M_j(s))$, $c_i(M_i(s)) \ne 0$, and $c_j(M_j(s)) \ne 1$. We have two cases, $s \in K$ and $s \in L - K$.

We consider the case that $s \in K$, i.e., $s \in H_0$. It follows from $c_i(M_i(s)) \ne 0$ that
$$n(s) = n_i(M_i(s)) = n^f_i(M_i(s)) \le N.$$
We have
$$n(s) = n^f_i(M_i(s)) = \min\{k \in \mathcal{N} \mid M_i(s) \notin M_i(H_k)\},$$
which implies that $M_i(s) \notin M_i(H_{n(s)})$. It follows that $s \notin H_{n(s)}$. This contradicts Lemma 1.

We also consider the case that $s \in L - K$, i.e., $s \in F_0$. It follows from $c_j(M_j(s)) \ne 1$ that
$$n(s) = n_j(M_j(s)) = n^h_j(M_j(s)) \le N.$$
We have
$$n(s) = n^h_j(M_j(s)) = \min\{k \in \mathcal{N} \mid M_j(s) \notin M_j(F_k)\},$$
which implies that $M_j(s) \notin M_j(F_{n(s)})$. It follows that $s \notin F_{n(s)}$. This contradicts Lemma 1.

We have the following lemma which states that there are no false alarms under the decentralized diagnosis performed using the local and global diagnosers given by (1)–(4).

Lemma 3: Consider the decentralized diagnoser $\{D_i\}_{i\in I} : L \to C$ consisting of local diagnosers $D_i : M_i(L) \to C \times \mathcal{N}$ ($i \in I$), and defined by (1)–(4). Then,
$$(\forall s \in L - K)\; \{D_i\}_{i\in I}(s) \ne 0, \qquad (6)$$
$$(\forall s \in K)\; \{D_i\}_{i\in I}(s) \ne 1. \qquad (7)$$

Proof: First, we prove (6). Suppose for contradiction that there exists $s \in L - K$ such that $\{D_i\}_{i\in I}(s) = 0$. Then, for any $i \in I$ such that $n(s) = n_i(M_i(s))$, we have $c_i(M_i(s)) = 0$. Since
$$n(s) = n_i(M_i(s)) = n^h_i(M_i(s)) < n^f_i(M_i(s)) \le N + 1,$$
we have
$$n(s) = n^h_i(M_i(s)) = \min\{k \in \mathcal{N} \mid M_i(s) \notin M_i(F_k)\},$$
which implies that $M_i(s) \notin M_i(F_{n(s)})$. It follows that $s \notin F_{n(s)}$. Since $s \in L - K = F_0$, this contradicts Lemma 1.

Next, we prove (7). Suppose for contradiction that there exists $s \in K$ such that $\{D_i\}_{i\in I}(s) = 1$. Then, for any $i \in I$ such that $n(s) = n_i(M_i(s))$, we have $c_i(M_i(s)) = 1$. Since
$$n(s) = n_i(M_i(s)) = n^f_i(M_i(s)) < n^h_i(M_i(s)) \le N + 1,$$
we have
$$n(s) = n^f_i(M_i(s)) = \min\{k \in \mathcal{N} \mid M_i(s) \notin M_i(H_k)\},$$
which implies that $M_i(s) \notin M_i(H_{n(s)})$. It follows that $s \notin H_{n(s)}$. Since $s \in K = H_0$, this contradicts Lemma 1.

The task of diagnosis further requires that there are no missed detections for arbitrarily long failure traces. In other words, if we let
$$F^m := (L - K) \cap (L - K)\Sigma^{\ge m}$$
denote the failure traces in which a failure occurred at least $m$ steps in the past, then it is desired that there exists $m$ such that for all traces in $F^m$ the diagnosis decision is 1, i.e.,
$$(\exists m \in \mathcal{N})(\forall s \in F^m)\; \{D_i\}_{i\in I}(s) = 1. \qquad (8)$$

We introduce the notion of $N$-inference-diagnosability for Failures (also called $N$-inference F-diagnosability) and show that there are no missed detections under the decentralized diagnosis performed using the local and global diagnosers given by (1)–(4) under this condition. In fact, this condition serves as a necessary and sufficient condition for the existence of an $N$-inferring decentralized diagnoser with no missed detections and no false alarms.

The property of $N$-inference F-diagnosability requires that the failure traces that "remain ambiguous after $N$ levels of inferring" must not have incurred a failure in the far past (more than a bounded number of steps in the past).

Definition 2: The pair $(L, K)$ of languages is said to be $N$-inference F-diagnosable if there exists $m \in \mathcal{N}$ such that $F_{N+1} \cap F^m = \emptyset$.

We have the following lemma which states that if $(L, K)$ is $N$-inference F-diagnosable, then there are no missed detections under the decentralized diagnosis performed using the local and global diagnosers given by (1)–(4).

Lemma 4: Consider the decentralized diagnoser $\{D_i\}_{i\in I} : L \to C$ consisting of local diagnosers $D_i : M_i(L) \to C \times \mathcal{N}$ ($i \in I$), and defined by (1)–(4). If $(L, K)$ is $N$-inference F-diagnosable, then (8) holds.

Proof: We consider $m \in \mathcal{N}$ such that $F_{N+1} \cap F^m = \emptyset$. We show by contradiction that $\{D_i\}_{i\in I}$ satisfies (8). Suppose that there exists $s \in F^m$ such that $\{D_i\}_{i\in I}(s) \ne 1$. Since $s \in F^m$ and $F_{N+1} \cap F^m = \emptyset$, we have $s \notin F_{N+1}$. Also, we have $s \in F^m \subseteq L - K = F_0$. There exists $l \in \mathcal{N}$ such that $0 \le l \le N$, $s \in F_l$, and $s \notin F_{l+1}$. So, there exists $j \in I$ such that $s \notin M_j^{-1}M_j(H_l)$. It follows that $M_j(s) \notin M_j(H_l)$. We have
$$n(s) \le n^f_j(M_j(s)) \le l \le N.$$
Since $\{D_i\}_{i\in I}$ satisfies (5), we have $\{D_i\}_{i\in I}(s) = 0$. Since $s \in L - K$, this contradicts the fact that $\{D_i\}_{i\in I}$ satisfies (6).

The following theorem establishes the main result of the paper. (The proof is found in the appendix.)

Theorem 1: There exists an $N$-inferring decentralized diagnoser $\{D_i\}_{i\in I} : L \to C$ satisfying (6), (7), and (8) if and only if $(L, K)$ is $N$-inference F-diagnosable.

In the following we show that the system of Example 1 is 2-inference F-diagnosable but not 1-inference F-diagnosable.

Example 2: We revisit the setting of Example 1. We have
$$F_2 = c^*(af + bf + d(fc^* + af + bf)),$$
$$H_2 = pr(c^*(a + b + d(a + b))).$$
It follows that $F_2 \cap F^m \ne \emptyset$ for any $m \in \mathcal{N}$, which implies that $(L, K)$ is not 1-inference F-diagnosable. Since
$$M_1(F_2) = c^*(a + \varepsilon + d(c^* + a + \varepsilon)),$$
$$M_2(F_2) = c^*(\varepsilon + b + d(c^* + \varepsilon + b)),$$
$$M_1(H_2) = pr(c^*(a + da)),$$
$$M_2(H_2) = pr(c^*(b + db)),$$
we have
$$F_3 = F_2 \cap \Big(\bigcap_{i\in I} M_i^{-1}M_i(H_2)\Big) = c^*(af + bf + d(f + af + bf)),$$
$$H_3 = H_2 \cap \Big(\bigcap_{i\in I} M_i^{-1}M_i(F_2)\Big) = H_2.$$
We have $F_3 \cap F^m = \emptyset$ for any $m \ge 1$, which implies that $(L, K)$ is 2-inference F-diagnosable.

By Table II, we can verify that $\{D_i\}_{i\in I}$ is a 2-inferring decentralized diagnoser satisfying (6), (7), and (8) for $m \ge 1$.

Remark 2: In the system of Example 2, the event $f$ represents the failure event. By the examples shown in [33], [34], this system is not conditionally codiagnosable (see Definition 4) for the failure $f$. However, as we showed above, the system is 2-inference F-diagnosable for the failure $f$.

V. COMPUTATION/VERIFICATION OF INFERENCE-BASED DECENTRALIZED DIAGNOSIS/DIAGNOSERS

The computation of local decisions using (1)–(4) requires computing the sequence $\{(F_k, H_k)\}_{k \ge 0}$ of language pairs, and we present an inductive method for computing it. Let $G = (X, \Sigma, \alpha, X_0, X)$ be the plant model with $L(G) = L_m(G) = L$, and $R = (Y, \Sigma, \beta, Y_0, Y)$ be a deterministic generator of the nonfailure specification language, i.e., $L(R) = L_m(R) = K = H_0$. An acceptor for $F_0 = L - K$ is the automaton constructed by the synchronous composition $G \| \bar{R}$, where $\bar{R} = (Y \cup \{F\}, \Sigma, \beta, Y_0, Y)$ is $R$ "completed" by (i) adding a dump state "$F$", and (ii) adding a transition on each event at a state in $Y \cup \{F\}$ to the dump state $F$ if that event is not defined at that state in $R$. Then it can be verified that traces in $G \| \bar{R}$ that end at a state with the second coordinate $F$ belong to $L - K$ [12]. Also, $L(G \| \bar{R}) = L(G) \cap L(\bar{R}) = L(G) \cap \Sigma^* = L(G)$ [12].

Let $R_{F_k}$ and $R_{H_k}$ denote the finite acceptors of $F_k$ and $H_k$, respectively. For each $i \in I$, a finite acceptor of $M_i^{-1}M_i(F_k)$ is constructed as follows: Replicate each transition that exists in $R_{F_k}$ by a set of transitions on all $M_i$-indistinguishable events. Note that since an $\varepsilon$-transition is implicitly defined at each state as a self-loop, unobservable events will get added as self-loops at each state of $R_{F_k}$. Then the resulting, possibly nondeterministic, automaton accepts $M_i^{-1}M_i(F_k)$. It should be noted that this resulting automaton, denoted by $M_i^{-1}M_i(R_{F_k})$, has the same state set as $R_{F_k}$. In the same way, we can construct a finite automaton accepting $M_i^{-1}M_i(H_k)$, denoted by $M_i^{-1}M_i(R_{H_k})$. Then, the synchronous compositions $R_{F_k} \|_{i\in I} M_i^{-1}M_i(R_{H_k})$ and $R_{H_k} \|_{i\in I} M_i^{-1}M_i(R_{F_k})$ accept $F_{k+1}$ and $H_{k+1}$, respectively. Let $Y_{F_k}$ and $Y_{H_k}$ be the state sets of $R_{F_k}$ and $R_{H_k}$, respectively. The following algorithm summarizes the computation:

Algorithm 1: Given $G = (X, \Sigma, \alpha, X_0, X)$ and $R = (Y, \Sigma, \beta, Y_0, Y)$ such that $L_m(G) = L(G) = L$ and $L_m(R) = L(R) = K$, compute $R_{F_{N+1}}$ and $R_{H_{N+1}}$ inductively as follows:

• $R_{F_0} := G \| \bar{R}$; $R_{H_0} := R$,

• $R_{F_{k+1}} := R_{F_k} \|_{i\in I} M_i^{-1}M_i(R_{H_k})$; $R_{H_{k+1}} := R_{H_k} \|_{i\in I} M_i^{-1}M_i(R_{F_k})$.

Remark 3: It follows from the above algorithm that the languages $F_0$ and $H_0$ can be computed in $O(|X||Y|)$ and $O(|Y|)$, respectively, whereas $F_{k+1}$ and $H_{k+1}$ are computed from $F_k$ and $H_k$ in $O(|Y_{F_k}| \times |Y_{H_k}|^{|I|})$ and $O(|Y_{H_k}| \times |Y_{F_k}|^{|I|})$, respectively. It can be concluded that the overall complexity is polynomial in the plant model and the specification model, and $(N + 1)$-fold exponential in $I$ (where $N$ is the index of inference-diagnosability). Note that when $N = 0$, this is the same as the complexity reported in [19], whereas when $N = 1$, this is the same as the complexity obtained in [33]. As the parameter $N$ increases (i.e., more levels of inferencing are allowed), the corresponding complexity increases, which is the trade-off for being able to perform a better diagnosis.

The verification of $N$-inference F-diagnosability requires checking the existence of $m \in \mathcal{N}$ such that $F_{N+1} \cap F^m = F_{N+1} \cap (L - K)\Sigma^{\ge m} = \emptyset$. Our test is based on the following observation.

Lemma 5: For any $k, m \in \mathcal{N}$ it holds that $F_k \cap (L - K)\Sigma^{\ge m} = \emptyset$ if and only if $(pr(F_k) - K) \cap (L - K)\Sigma^{\ge m} = \emptyset$.

Proof: ($\Rightarrow$) It suffices to show that $pr(F_k) \cap (L - K)\Sigma^{\ge m} = \emptyset$. Pick $s \in pr(F_k)$ so that $st \in F_k$ for some $t \in \Sigma^*$. From the hypothesis, $st \notin (L - K)\Sigma^{\ge m}$. Since $(L - K)\Sigma^{\ge m}$ is such that whenever it contains a trace, it also contains all the extensions of the trace, $s$ must not belong to $(L - K)\Sigma^{\ge m}$ (otherwise $st$ would belong to $(L - K)\Sigma^{\ge m}$).

($\Leftarrow$) It suffices to show that $F_k \subseteq pr(F_k) - K$. Obviously $F_k \subseteq pr(F_k)$ and from its definition, $F_k \subseteq F_0 = L - K$. Thus, $F_k \subseteq pr(F_k) \cap (L - K)$. Using the fact that $pr(F_k) \subseteq L$, we have $pr(F_k) \cap (L - K) = pr(F_k) - K$.

It follows from Lemma 5 that $(L, K)$ is $N$-inference F-diagnosable if and only if there exists $m \in \mathcal{N}$ such that $(pr(F_{N+1}) - K) \cap (L - K)\Sigma^{\ge m} = \emptyset$. Note that $(L - K)\Sigma^{\ge m} = (L - K)^\partial \Sigma^{\ge m}$, where $(L - K)^\partial := (L - K) \cap K\Sigma$ is the set of "boundary" failure traces. It follows that $(L, K)$ is not $N$-inference F-diagnosable if and only if for all $m \in \mathcal{N}$, $(pr(F_{N+1}) - K) \cap (L - K)^\partial \Sigma^{\ge m} \ne \emptyset$.


We have the following lemma about the traces in $pr(F_{N+1}) - K$. We call a state of $R_{F_{N+1}}$ a faulty-state if its second coordinate is $F$.

Lemma 6: Consider the (trim) acceptor $R_{F_{N+1}}$ of $F_{N+1}$. Then for any $s \in pr(F_{N+1})$, $s \in pr(F_{N+1}) - K$ if and only if all the states reached by executing $s$ in $R_{F_{N+1}}$ are faulty.

Proof: From the construction, $R_{F_{k+1}} = R_{F_k} \|_{i\in I} M_i^{-1}M_i(R_{H_k})$ for each $k \in \mathcal{N}$. By repeatedly using this relation, we have $R_{F_{N+1}} = R_{F_0} \|_{k=0}^{N} [\|_{i\in I} M_i^{-1}M_i(R_{H_k})]$. Since $R_{F_0} = G \| \bar{R}$, it follows that $pr(F_{N+1}) = L(R_{F_{N+1}}) = L(G \| \bar{R}) \cap L(\|_{k=0}^{N} [\|_{i\in I} M_i^{-1}M_i(R_{H_k})])$. Since $s \in pr(F_{N+1}) \subseteq L(\bar{R})\ (= \Sigma^*)$ reaches the dump state $F$ in $\bar{R}$ if and only if $s \notin K$, and since $\bar{R}$ is the second component in the composed automaton $R_{F_{N+1}}$, the lemma follows.

We have the following test for $N$-inference F-diagnosability. We call a cycle a non-epsilon cycle if it contains at least one non-epsilon transition.

Theorem 2: The pair $(L, K)$ of languages is not $N$-inference F-diagnosable if and only if there exists a non-epsilon cycle of faulty-states in the (trim) acceptor $R_{F_{N+1}}$ of $F_{N+1}$.

(The proof is found in the appendix.)

Remark 4: Since the existence of a cycle of faulty-states can be checked by first removing the "non-faulty" states and then checking the existence of a cycle in the remaining graph, and since cycles can be detected linearly in the size of the graph, $N$-inference F-diagnosability can be verified linearly in the size of $R_{F_{N+1}}$.

VI. PROPERTIES OF N -INFERENCE F-DIAGNOSABILITY

In this section, we study various properties of $N$-inference F-diagnosable systems. First, we show that the class of codiagnosable systems studied in [19] is equivalent to the class of 0-inference F-diagnosable systems.

Definition 3: [19] The pair $(L, K)$ of languages is said to be codiagnosable if
$$(\exists m \in \mathcal{N})(\forall s \in L - K)(\forall st \in L - K \text{ s.t. } |t| \ge m)$$
$$(\exists i \in I)(\forall u \in E_i(st);\ u \in L - K),$$
where $E_i(st) := M_i^{-1}M_i(st) \cap L$.

In the above definition $E_i(st)$ is the set of traces in $L$ which have the same $i$th local observation as $st$.

Theorem 3: The pair $(L, K)$ of languages is 0-inference F-diagnosable if and only if it is codiagnosable.

(The proof is found in the appendix.)

Next, we show that the notion of conditional F-codiagnosability introduced in [34] is similar to that of 1-inference F-diagnosability.

Definition 4: [34] The pair $(L, K)$ of languages is said to be conditionally F-codiagnosable if
$$(\exists m \in \mathcal{N})(\forall s \in L - K)(\forall st \in L - K \text{ s.t. } |t| \ge m)$$
$$(\exists i \in I)(\forall uu' \in E_i(st) \cap K \text{ s.t. } M_i(u) = M_i(s))$$
$$(\exists j \in I)(\forall vv' \in E_j(uu') \text{ s.t. } M_j(v) = M_j(u);\ v \in K).$$


Theorem 4: The pair $(L, K)$ of languages is 1-inference F-diagnosable if and only if
$$(\exists m \in \mathcal{N})(\forall s \in L - K)(\forall st \in L - K \text{ s.t. } |t| \ge m)$$
$$(\exists i \in I)(\forall u \in E_i(st) \cap K)$$
$$(\exists j \in I)(\forall v \in E_j(u);\ v \in K).$$

(The proof is found in the appendix.)

Remark 5: Theorem 4 shows that if $v \in K$ is replaced by $vv' \in K$ in the condition
$$(\forall vv' \in E_j(uu') \text{ s.t. } M_j(v) = M_j(u);\ v \in K)$$
of conditional F-codiagnosability, the notions of 1-inference F-diagnosability and conditional F-codiagnosability are identical.

Since vv′ ∈ K implies v ∈ K, the following is an immediate corollary of Theorem 4.

Corollary 1: If the pair (L, K) of languages is 1-inference F-diagnosable, then it is conditionally F-codiagnosable.

We also establish that the classes of N -inference F-diagnosable systems form a monotonically increasing sequence

as a function of N . Since the sequence {(Fk, Hk)}k≥0 of language pairs is monotonically decreasing for any k ∈ N ,

the following result is easily obtained (the proof is omitted).

Theorem 5: For any N ∈ N , if the pair (L, K) of languages is N -inference F-diagnosable, then it is (N + 1)-

inference F-diagnosable.

The converse relation of Theorem 5 need not hold. For example, the system of Example 1 is 2-inference F-

diagnosable, but not 1-inference F-diagnosable.

Remark 6: In [30] we show that even when the plant language is regular, the property of N -inference F-

diagnosability is strictly stronger than the property of (N + 1)-inference F-diagnosability for any N ∈ N , i.e.,

the classes of N -inference F-diagnosable systems form a strictly increasing chain of systems.

Finally, we show that there are systems that are centrally F-diagnosable but not F-diagnosable decentrally. We recall the definition of F-diagnosability. The global observation mask $M$ is defined as a map $M : \Sigma \cup \{\varepsilon\} \to (\Delta_1 \cup \{\varepsilon\}) \times (\Delta_2 \cup \{\varepsilon\}) \times \cdots \times (\Delta_n \cup \{\varepsilon\})$, where for each $\sigma \in \Sigma \cup \{\varepsilon\}$, $M(\sigma) = (M_1(\sigma), M_2(\sigma), \cdots, M_n(\sigma))$.

Definition 5: [25] The pair $(L, K)$ of languages is said to be F-diagnosable if
$$(\exists m \in \mathcal{N})(\forall s \in L - K)(\forall st \in L - K \text{ s.t. } |t| \ge m)$$
$$(\forall u \in M^{-1}M(st) \cap L;\ u \in L - K).$$

Theorem 6: If the pair (L, K) of languages is N -inference F-diagnosable, then it is also F-diagnosable.

(The proof is found in the appendix.)

The converse relation of Theorem 6 need not hold. We present an example of a system that is F-diagnosable,

but not N -inference F-diagnosable for any N ∈ N .

Fig. 3. Automata $G$ and $R$ of Example 3: (a) $G$, (b) $R$.

Example 3: We consider a DES modeled by the automaton $G$ shown in Fig. 3(a). Let $n = 2$, and
$$M_1(\sigma) = \begin{cases} \sigma, & \text{if } \sigma \in \{a, c\} \\ \varepsilon, & \text{otherwise,} \end{cases} \qquad M_2(\sigma) = \begin{cases} \sigma, & \text{if } \sigma \in \{b, c\} \\ \varepsilon, & \text{otherwise.} \end{cases}$$
We consider a language $K \subseteq L$ which is generated by the automaton $R$ shown in Fig. 3(b).

Since $M(ab) \ne M(ba)$, $(L, K)$ is F-diagnosable. We show that $(L, K)$ is not $N$-inference F-diagnosable for any $N \in \mathcal{N}$. Initially, we have $F_0 = abfc^*$ and $H_0 = pr(ab + bac^+)$. Since
$$M_1(F_0) = ac^*, \quad M_2(F_0) = bc^*,$$
$$M_1(H_0) = pr(a + ac^+), \quad M_2(H_0) = pr(b + bc^+),$$
we have $F_1 = abfc^*$ and $H_1 = ab + bac^*$. Also, since
$$M_1(F_1) = ac^*, \quad M_2(F_1) = bc^*,$$
$$M_1(H_1) = ac^*, \quad M_2(H_1) = bc^*,$$
we have $F_2 = abfc^* = F_1$ and $H_2 = ab + bac^* = H_1$. It follows that $F_k = abfc^*$ and $H_k = ab + bac^*$ for any $k \ge 1$. Thus, for any $N \in \mathcal{N}$ and $m \in \mathcal{N}$, $F_{N+1} \cap F^m \ne \emptyset$.
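Algorithm 1 and the test of Theorem 2, carried out as an added Python example that is not code from the paper: $\bar{R}$ is built by the completion of Section V, $M_i^{-1}M_i(\cdot)$ by the replication construction (every transition on an unobservable event also receives an $\varepsilon$ copy, and unobservable events become self-loops at every state), the synchronous composition lets an $\varepsilon$-move advance a single component, and the final check looks for a non-epsilon cycle among the faulty states of the trimmed $R_{F_{N+1}}$. The automata $G$ and $R$ for Example 3 above and for the job plant of Section VII below are constructed here from the languages the text states (for Example 3, $L = pr(abfc^* + bac^+)$ and $K = pr(ab + bac^+)$), not read off Figs. 3 and 5; the function names, the string `"F"` for the dump state and the empty string for $\varepsilon$ are this example's own choices.

```python
"""Algorithm 1 and the cycle test of Theorem 2 over explicit finite automata (added example)."""
from functools import reduce

EPS = ""  # the empty event; a transition labelled EPS is an epsilon-transition

class Aut:
    """NFA as (src, event, dst) triples; `marked` gives Lm, `faulty` flags states whose G||R-bar coordinate is F."""
    def __init__(self, init, trans, marked=None, faulty=()):
        self.init, self.trans = init, set(trans)
        self.states = {init} | {x for s, _, d in self.trans for x in (s, d)}
        self.marked, self.faulty = set(self.states if marked is None else marked), set(faulty)

    def adj(self, back=False):  # adjacency map: state -> [(event, neighbour)], reversed if back
        out = {}
        for s, e, d in self.trans:
            out.setdefault(d if back else s, []).append((e, s if back else d))
        return out

def reach(start, adj, allowed=None):
    """States reachable from `start` via `adj`, optionally only through `allowed` states."""
    seen, todo = set(start), list(start)
    while todo:
        for _, y in adj.get(todo.pop(), []):
            if y not in seen and (allowed is None or y in allowed):
                seen.add(y)
                todo.append(y)
    return seen

def complete(R, events):
    """R-bar: add the dump state "F" and send every event undefined at a state to it."""
    trans = set(R.trans)
    for q in R.states | {"F"}:
        trans |= {(q, e, "F") for e in events if not any(s == q and e2 == e for s, e2, _ in R.trans)}
    return Aut(R.init, trans)

def inv_proj(A, mask, events):
    """Acceptor of M_i^{-1}M_i(Lm(A)): replicate every transition on the events with the same observation
    (epsilon included when the event is unobservable) and add unobservable events as self-loops."""
    trans = {(s, e2, d) for s, e, d in A.trans for e2 in events + [EPS] if mask(e2) == mask(e)}
    trans |= {(q, e, q) for q in A.states for e in events if mask(e) == EPS}
    return Aut(A.init, trans, A.marked, A.faulty)

def compose(A, B):
    """Synchronous composition; an epsilon-move advances one component only, faultiness comes from A."""
    outA, outB, init = A.adj(), B.adj(), (A.init, B.init)
    seen, todo, trans = {init}, [init], set()
    while todo:
        p, q = todo.pop()
        moves = [(EPS, (p2, q)) for e, p2 in outA.get(p, []) if e == EPS]
        moves += [(EPS, (p, q2)) for e, q2 in outB.get(q, []) if e == EPS]
        moves += [(e, (p2, q2)) for e, p2 in outA.get(p, []) if e != EPS
                  for e2, q2 in outB.get(q, []) if e2 == e]
        for e, nxt in moves:
            trans.add(((p, q), e, nxt))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return Aut(init, trans, {(p, q) for p, q in seen if p in A.marked and q in B.marked},
               {(p, q) for p, q in seen if p in A.faulty})

def trim(A):
    """Keep the states reachable from the initial state and co-reachable to a marked state."""
    keep = reach({A.init}, A.adj()) & reach(A.marked, A.adj(back=True))
    return Aut(A.init, {t for t in A.trans if t[0] in keep and t[2] in keep}, A.marked & keep, A.faulty & keep)

def has_faulty_cycle(A):
    """Theorem 2: a non-epsilon edge s -> d of faulty states lies on a faulty cycle iff d reaches s within the faulty states."""
    out = A.adj()
    return any(e != EPS and s in A.faulty and d in A.faulty and s in reach({d}, out, A.faulty) for s, e, d in A.trans)

def inference_diagnosable(G, R, masks, events, N):
    """Algorithm 1 (R_{F_{N+1}}, trimmed after each step) followed by the test of Theorem 2."""
    RF = compose(G, complete(R, events))
    RF.marked = RF.faulty = {(x, y) for x, y in RF.states if y == "F"}  # acceptor of F_0 = L - K
    RH = R
    for _ in range(N + 1):
        RF, RH = (trim(reduce(compose, [RF] + [inv_proj(RH, m, events) for m in masks])),
                  trim(reduce(compose, [RH] + [inv_proj(RF, m, events) for m in masks])))
    return not has_faulty_cycle(RF)

def mask(observable):  # M_i: keep the observable events, erase the rest
    return lambda e: e if e in observable else EPS

# Example 3, constructed from the languages in the text: L = pr(abfc* + bac+), K = pr(ab + bac+)
G3 = Aut(0, {(0, "a", 1), (1, "b", 2), (2, "f", 3), (3, "c", 3), (0, "b", 4), (4, "a", 5), (5, "c", 6), (6, "c", 6)})
R3 = Aut(0, {(0, "a", 1), (1, "b", 2), (0, "b", 3), (3, "a", 4), (4, "c", 5), (5, "c", 5)})
EV3, MASKS3 = ["a", "b", "c", "f"], [mask({"a", "c"}), mask({"b", "c"})]

# Job plant of Section VII, constructed as Fig. 5 is described: the chain i a1 b1 a2 b2 a3 b3 with a
# departure o at the listed chain states, each departure followed by an unobservable c self-loop
CHAIN = ["i", "a1", "b1", "a2", "b2", "a3", "b3"]

def job_model(departure_states):
    trans = {(k, e, k + 1) for k, e in enumerate(CHAIN)}  # state k+1 is reached after CHAIN[k]
    for k in departure_states:
        trans |= {(k, "o", ("d", k)), (("d", k), "c", ("d", k))}
    return Aut(0, trans)

G7, R7 = job_model([2, 3, 4, 5, 6, 7]), job_model([3, 5, 7])  # G: o after every a_i and b_i; R: after b_i only
EV7, MASKS7 = CHAIN + ["o", "c"], [mask({"i", "a1", "a2", "a3", "o"}), mask({"i", "b1", "b2", "b3", "o"})]
```

`inference_diagnosable(G3, R3, MASKS3, EV3, N)` is `False` for $N = 0, 1, 2$, because the $c$ self-loop after $abf$ survives every refinement inside the faulty part of $R_{F_{N+1}}$, while `inference_diagnosable(G7, R7, MASKS7, EV7, N)` turns `True` at $N = 2$, the index at which $F_3$ becomes empty in Section VII. Trimming after every step keeps the intermediate automata small and does not change their marked languages.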

Remark 7: In [30] we also compare N -inference F-diagnosability with decentralized-diagnosability introduced

by Sengupta and Tripakis [27] (a property that plays a role in distributed diagnosis), and show that the N -inference

F-diagnosability property is strictly stronger than the property of decentralized-diagnosability for any N ∈ N .

VII. ILLUSTRATIVE EXAMPLE

In this section, we give a simple example to illustrate our results. We consider a plant that processes a job. This

plant is modeled by the finite automaton G shown in Fig. 4(a). The event labels represent the following actions:

$i$: arrival of a job,
$o$: departure of a job,
$a_i, b_i$ ($i = 1, 2, 3$): six kinds of operations for a job.

Fig. 4. Plant and specification models: (a) $G$, (b) $R$.

If a departure occurs following an $a_i$ event ($i = 1, 2, 3$) but prior to the corresponding $b_i$ event, a fault is declared. The nonfailure specification is modeled by the finite automaton $R$ shown in Fig. 4(b). Let $n = 2$, and suppose the first diagnoser observes arrival, operations $a_i$ ($i = 1, 2, 3$), and departure of a job, whereas the second diagnoser observes arrival, operations $b_i$ ($i = 1, 2, 3$), and departure of a job. Then,
$$M_1(\sigma) = \begin{cases} \sigma, & \text{if } \sigma \in \{i, a_1, a_2, a_3, o\} \\ \varepsilon, & \text{otherwise,} \end{cases} \qquad M_2(\sigma) = \begin{cases} \sigma, & \text{if } \sigma \in \{i, b_1, b_2, b_3, o\} \\ \varepsilon, & \text{otherwise.} \end{cases}$$

We show that the above system is 2-inference-diagnosable but not 1-inference-diagnosable.

The plant and nonfailure specification models have deadlocking states. We can augment the models with unobservable self-loops, labeled by a fictitious event $c$, at deadlocking states without altering any of the diagnosability properties. The corresponding augmented models are presented in Fig. 5. It should be noted that such an augmentation is not a prerequisite for performing diagnosis analysis, but having deadlock-free models helps simplify the definitions and the analysis.

Fig. 5. Augmented plant and specification models: (a) $G$, (b) $R$.

Let $L$ and $K$ be the generated languages of the augmented plant and nonfailure specification models, respectively. We show that $(L, K)$ is 2-inference F-diagnosable. Initially, we have
$$F_0 = (ia_1o + ia_1b_1a_2o + ia_1b_1a_2b_2a_3o)c^*,$$
$$H_0 = pr((ia_1b_1o + ia_1b_1a_2b_2o + ia_1b_1a_2b_2a_3b_3o)c^*).$$
Since
$$M_1(F_0) = ia_1o + ia_1a_2o + ia_1a_2a_3o,$$
$$M_2(F_0) = io + ib_1o + ib_1b_2o,$$
$$M_1(H_0) = pr(ia_1o + ia_1a_2o + ia_1a_2a_3o),$$
$$M_2(H_0) = pr(ib_1o + ib_1b_2o + ib_1b_2b_3o),$$

we have
$$F_1 = (ia_1b_1a_2o + ia_1b_1a_2b_2a_3o)c^*, \quad H_1 = (ia_1b_1o + ia_1b_1a_2b_2o)c^*.$$
It follows that $F_1 \cap F^m \ne \emptyset$ for any $m \in \mathcal{N}$, which implies that $(L, K)$ is not 0-inference F-diagnosable. Also, since
$$M_1(F_1) = ia_1a_2o + ia_1a_2a_3o,$$
$$M_2(F_1) = ib_1o + ib_1b_2o,$$
$$M_1(H_1) = ia_1o + ia_1a_2o,$$
$$M_2(H_1) = ib_1o + ib_1b_2o,$$
we have
$$F_2 = ia_1b_1a_2oc^*, \quad H_2 = ia_1b_1a_2b_2oc^*.$$
It follows that $F_2 \cap F^m \ne \emptyset$ for any $m \in \mathcal{N}$, which implies that $(L, K)$ is not 1-inference F-diagnosable. Moreover, since
$$M_1(F_2) = ia_1a_2o,$$
$$M_2(F_2) = ib_1o,$$
$$M_1(H_2) = ia_1a_2o,$$
$$M_2(H_2) = ib_1b_2o,$$

we have
$$F_3 = H_3 = \emptyset.$$
We have $F_3 \cap F^m = \emptyset$ for any $m \ge 0$, which implies that $(L, K)$ is 2-inference F-diagnosable.

TABLE III
LOCAL DECISIONS OF $D_1$ AND $D_2$

  $t \in M_1(L)$             $n^f_1(t)$   $n^h_1(t)$   $c_1(t)$   $n_1(t)$
  $t \in pr(ia_1a_2a_3)$     1            0            0          0
  $t = ia_1o$                2            1            0          1
  $t = ia_1a_2o$             3            3            $\phi$     3
  $t = ia_1a_2a_3o$          1            2            1          1

  $t \in M_2(L)$             $n^f_2(t)$   $n^h_2(t)$   $c_2(t)$   $n_2(t)$
  $t \in pr(ib_1b_2b_3)$     1            0            0          0
  $t = io$                   0            1            1          0
  $t = ib_1o$                2            3            1          2
  $t = ib_1b_2o$             3            2            0          2
  $t = ib_1b_2b_3o$          1            0            0          0

TABLE IV
GLOBAL DECISIONS OF $\{D_i\}_{i\in I}$

  $s \in L$                           $n(s)$   $\{D_i\}_{i\in I}(s)$
  $s \in pr(ia_1b_1a_2b_2a_3b_3)$     0        0
  $s \in ia_1oc^*$                    0        1
  $s \in ia_1b_1oc^*$                 1        0
  $s \in ia_1b_1a_2oc^*$              2        1
  $s \in ia_1b_1a_2b_2oc^*$           2        0
  $s \in ia_1b_1a_2b_2a_3oc^*$        1        1
  $s \in ia_1b_1a_2b_2a_3b_3oc^*$     0        0

Let N = 2. The local decisions of D1 and D2 computed using (1)–(4) are shown in Table III. The global

diagnosis decisions of the decentralized diagnoser {Di}i∈I are computed as shown in Table IV. {Di}i∈I is a

2-inferring decentralized diagnoser satisfying (6), (7), and (8) for m ≥ 0. Any illegal occurrence of the event o can

be detected without delay.

The diagnosis decisions of the two agents can be explained as follows. If the plant executes the faulty trace $ia_1o$, then agent-2 knows this unambiguously (since no nonfaulty trace is $M_2$-indistinguishable from $ia_1o$) and issues a fault decision with ambiguity level zero. On the other hand, since $M_1(ia_1o) = M_1(ia_1b_1o)$, agent-1 is ambiguous. But agent-1 can infer that for trace $ia_1o$ agent-2 can issue a zero-ambiguity fault decision, and so it issues a nonfault decision with ambiguity level one (so as to safeguard against the possibility that the plant may have executed $ia_1b_1o$).


Similarly, if the plant executes the faulty trace $ia_1b_1a_2b_2a_3o$, agent-1 is ambiguous since $M_1(ia_1b_1a_2b_2a_3o) = M_1(ia_1b_1a_2b_2a_3b_3o)$. But agent-1 can infer that for trace $ia_1b_1a_2b_2a_3b_3o$ agent-2 is unambiguous and can issue a nonfault decision with ambiguity level zero, and so it issues a fault decision with ambiguity level one. Agent-2 is also ambiguous since $M_2(ia_1b_1a_2b_2a_3o) = M_2(ia_1b_1a_2b_2o)$. But agent-2 can infer that for trace $ia_1b_1a_2b_2a_3o$ agent-1 issues a fault decision with ambiguity level one, and so it issues a nonfault decision with ambiguity level two (to safeguard against the possibility that the plant may have executed the trace $ia_1b_1a_2b_2o$).

Finally, if the plant executes the faulty trace $ia_1b_1a_2o$, then agent-2 is ambiguous since $M_2(ia_1b_1a_2o) = M_2(ia_1b_1o)$. But agent-2 can infer that for trace $ia_1b_1o$ agent-1 can issue a nonfault decision with ambiguity level one, and so it issues a fault decision with ambiguity level two (again to safeguard against the possibility of missing a fault). On the other hand, since $M_1(ia_1b_1a_2o) = M_1(ia_1b_1a_2b_2o)$, agent-1 is also ambiguous. But it can infer that for trace $ia_1b_1a_2o$ agent-2 can issue a fault decision with ambiguity level two, whereas for trace $ia_1b_1a_2b_2o$ agent-2 can issue a nonfault decision with ambiguity level two (see above), and so it issues the unsure decision with ambiguity level three.

In summary, the faulty trace $ia_1o$ is detected with ambiguity level zero, the faulty trace $ia_1b_1a_2b_2a_3o$ is detected with ambiguity level one, and the faulty trace $ia_1b_1a_2o$ is detected with ambiguity level two (all without delay).

Our paper provides a mathematical framework to carry out the above line of reasoning in an automated fashion.
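The decisions tabulated in Tables III and IV can be recomputed from the languages of this section. The following Python is an added example, not code from the paper: it builds the sequence $(F_k, H_k)$ by the refinement $F_{k+1} = F_k \cap \bigcap_{i} M_i^{-1}M_i(H_k)$, $H_{k+1} = H_k \cap \bigcap_{i} M_i^{-1}M_i(F_k)$ used in Examples 2 and 3, derives $n^f_i$, $n^h_i$, $c_i$, $n_i$ and the fused global decision, and checks Definition 2 for $N = 0, 1, 2$. It works on the finite cores of the languages (the unobservable $c^*$ suffixes are dropped, since $c$ changes no observation), encodes $\phi$ as the string `"phi"`, and caps $n^f_i$ and $n^h_i$ at $N + 1$ as the bounds in the proofs of Lemmas 2 and 3 do; the function and variable names are this example's own.

```python
"""Local decisions (1)-(4) and the global fusion for the job plant of Section VII (added example)."""

# Events observed by each agent; c is unobservable to both, so the c* suffixes of the paper's
# languages are dropped here: they change no observation and therefore no decision.
MASKS = [{"i", "a1", "a2", "a3", "o"}, {"i", "b1", "b2", "b3", "o"}]
UNSURE = "phi"  # the "unsure" decision phi


def tr(text):
    """'i a1 o' -> ('i', 'a1', 'o'): a trace as a tuple of events."""
    return tuple(text.split())


def proj(trace, observable):
    """M_i(s): erase the events the agent cannot observe."""
    return tuple(e for e in trace if e in observable)


def prefixes(trace):
    return {trace[:k] for k in range(len(trace) + 1)}


# Cores of L - K and K of the augmented job plant, constructed from the languages stated in the text
F0 = {tr("i a1 o"), tr("i a1 b1 a2 o"), tr("i a1 b1 a2 b2 a3 o")}
H0 = prefixes(tr("i a1 b1 a2 b2 a3 b3 o")) | {tr("i a1 b1 o"), tr("i a1 b1 a2 b2 o")}


def refine(F, H, masks, N):
    """The sequence (F_k, H_k) for k = 0..N+1: F_{k+1} keeps the traces of F_k that every agent
    can confuse with some trace of H_k, and symmetrically for H_{k+1}."""
    seq = [(F, H)]
    for _ in range(N + 1):
        F, H = seq[-1]
        mf = [{proj(s, m) for s in F} for m in masks]
        mh = [{proj(s, m) for s in H} for m in masks]
        seq.append(({s for s in F if all(proj(s, m) in mh[i] for i, m in enumerate(masks))},
                    {s for s in H if all(proj(s, m) in mf[i] for i, m in enumerate(masks))}))
    return seq


def local_decision(t, i, seq, masks):
    """D_i(t) = (n_i^f, n_i^h, c_i, n_i) for the observation t of agent i: n_i^f is the first k with
    t not in M_i(H_k), n_i^h the first k with t not in M_i(F_k); both are capped at N+1 (assumption
    matching the bound N+1 used in the proofs) when no smaller k exists."""
    top = len(seq) - 1  # N + 1
    nf = min([k for k, (F, H) in enumerate(seq) if t not in {proj(s, masks[i]) for s in H}] + [top])
    nh = min([k for k, (F, H) in enumerate(seq) if t not in {proj(s, masks[i]) for s in F}] + [top])
    c = 1 if nf < nh else 0 if nh < nf else UNSURE
    return nf, nh, c, min(nf, nh)


def global_decision(s, seq, masks):
    """The winning local decision: the minimum ambiguity level n(s), with decision 1 (or 0) only
    if every local diagnoser attaining that level says 1 (or 0); otherwise phi."""
    local = [local_decision(proj(s, m), i, seq, masks) for i, m in enumerate(masks)]
    n = min(d[3] for d in local)
    verdicts = {d[2] for d in local if d[3] == n}
    return n, (verdicts.pop() if len(verdicts) == 1 else UNSURE)


def n_inference_f_diagnosable(F, H, masks, N):
    """Definition 2 on this finite core: every failure trace has an unbounded c* continuation, so
    F_{N+1} meets F^m for every m exactly when the core of F_{N+1} is non-empty."""
    return not refine(F, H, masks, N)[N + 1][0]


SEQ = refine(F0, H0, MASKS, 2)  # N = 2, as in Section VII

if __name__ == "__main__":
    for s in ("i a1 o", "i a1 b1 o", "i a1 b1 a2 o", "i a1 b1 a2 b2 a3 o"):
        print(s, "->", global_decision(tr(s), SEQ, MASKS))
```

`global_decision(tr("i a1 b1 a2 o"), SEQ, MASKS)` returns `(2, 1)`: agent-1 sees $ia_1a_2o$ and is unsure at level 3, agent-2 sees $ib_1o$ and declares a fault at level 2, so the level-2 decision wins, exactly the row of Table IV; `n_inference_f_diagnosable(F0, H0, MASKS, N)` is `False` for $N = 0, 1$ and `True` for $N = 2$.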

VIII. CONCLUSION

A key issue in decentralized decision-making is the “fusion” of the local decisions to arrive at a global decision.

We made an observation in a prior work [13], [14] that such decision fusion can be facilitated by assessing the

ambiguity levels of each local decision-maker (arising due to its limited sensing capability) and later by using

that knowledge in arriving at a global decision. Based on this idea we proposed an inference-based framework

for decentralized control in [13], [14]. The present paper proposed an inference-based framework for decentralized

diagnosis.

The proposed framework extends the existing approaches to decentralized diagnosis (such as those reported in [19], [33], [34]). Also, through the work reported in [18], [20], a decentralized diagnosis framework (one involving no communication among local diagnosers) is useful for distributed diagnosis applications (one involving communication among local diagnosers), and so the applicability of the proposed framework extends to the setting of distributed diagnosis.

It should be noted that as the level of inferencing incorporated into decentralized decision-making is enhanced,

the corresponding cost of computing the local decisions is also increased (as formalized in Section V). So the

additional gain resulting from a higher level of inferencing comes at an additional computational cost.

APPENDIX A

THEOREM PROOFS

Proof of Theorem 1: ($\Leftarrow$) Consider the decentralized diagnoser $\{D_i\}_{i\in I} : L \to C$ consisting of local diagnosers $D_i : M_i(L) \to C \times \mathcal{N}$ ($i \in I$), and defined by (1)–(4). By Lemmas 2, 3, and 4, $\{D_i\}_{i\in I}$ is an $N$-inferring decentralized diagnoser satisfying (6), (7), and (8).

($\Rightarrow$) Let $\{D_i\}_{i\in I} : L \to C$ be an $N$-inferring decentralized diagnoser satisfying (6), (7), and (8). We show that $F_{N+1} \cap F^m = \emptyset$ for $m \in \mathcal{N}$ such that $\{D_i\}_{i\in I}$ satisfies (8).

Suppose for contradiction that $F_{N+1} \cap F^m \ne \emptyset$. We first show that there exist $s_0, s_1, \cdots, s_m \in L$ and $j_0, j_1, \cdots, j_{m-1} \in I$ such that

• $s_i \in F_{n(s_i)+1}$ if $i$ is an even number, and $s_i \in H_{n(s_i)+1}$ if $i$ is an odd number ($i = 0, 1, \cdots, m$),

• $n(s_i) > n(s_{i+1})$ ($i = 0, 1, \cdots, m - 1$),

• $n(s_m) = 0$,

• $M_{j_i}(s_i) = M_{j_i}(s_{i+1})$ ($i = 0, 1, \cdots, m - 1$).

We can pick up $s_0 \in F_{N+1} \cap F^m \ne \emptyset$. Since $s_0 \in F^m$, we have by (8) that $\{D_i\}_{i\in I}(s_0) = 1$. Since $\{D_i\}_{i\in I}$ is $N$-inferring, we have $n(s_0) \le N$. Then, we have $s_0 \in F_{N+1} \subseteq F_{n(s_0)+1}$. Also, there exists $j_0 \in I$ such that $n(s_0) = n_{j_0}(M_{j_0}(s_0))$ and $c_{j_0}(M_{j_0}(s_0)) = 1$.

Since $s_0 \in F_{n(s_0)+1}$, we have $s_0 \in M_{j_0}^{-1}M_{j_0}(H_{n(s_0)})$. Then, we can pick up $s_1 \in H_{n(s_0)}$ such that $M_{j_0}(s_0) = M_{j_0}(s_1)$. Since $s_1 \in H_0 = K$, we have by (7) that $\{D_i\}_{i\in I}(s_1) \ne 1$. Also, since
$$n(s_1) \le n_{j_0}(M_{j_0}(s_1)) = n_{j_0}(M_{j_0}(s_0)) = n(s_0),$$
it follows from the second condition of Definition 1 that $\{D_i\}_{i\in I}(s_1) = 0$. There exists $j_1 \in I$ such that $n(s_1) = n_{j_1}(M_{j_1}(s_1))$ and $c_{j_1}(M_{j_1}(s_1)) = 0$. Moreover, since $c_{j_0}(M_{j_0}(s_1)) = c_{j_0}(M_{j_0}(s_0)) \ne 0$, we have $n(s_1) < n_{j_0}(M_{j_0}(s_1)) = n_{j_0}(M_{j_0}(s_0)) = n(s_0)$. Thus, we have $s_1 \in H_{n(s_0)} \subseteq H_{n(s_1)+1}$.

Since $s_1 \in H_{n(s_1)+1}$, we have $s_1 \in M_{j_1}^{-1}M_{j_1}(F_{n(s_1)})$. Then, we can pick up $s_2 \in F_{n(s_1)}$ such that $M_{j_1}(s_1) = M_{j_1}(s_2)$. Since $s_2 \in F_0 = L - K$, we have by (6) that $\{D_i\}_{i\in I}(s_2) \ne 0$. Also, since
$$n(s_2) \le n_{j_1}(M_{j_1}(s_2)) = n_{j_1}(M_{j_1}(s_1)) = n(s_1),$$
it follows from the second condition of Definition 1 that $\{D_i\}_{i\in I}(s_2) = 1$. There exists $j_2 \in I$ such that $n(s_2) = n_{j_2}(M_{j_2}(s_2))$ and $c_{j_2}(M_{j_2}(s_2)) = 1$. Moreover, since $c_{j_1}(M_{j_1}(s_2)) = c_{j_1}(M_{j_1}(s_1)) \ne 1$, we have $n(s_2) < n_{j_1}(M_{j_1}(s_2)) = n_{j_1}(M_{j_1}(s_1)) = n(s_1)$. Thus, we have $s_2 \in F_{n(s_1)} \subseteq F_{n(s_2)+1}$.

By repeating this procedure, we can obtain $s_0, s_1, \cdots, s_m \in L$ and $j_0, j_1, \cdots, j_{m-1} \in I$ that satisfy the above four conditions. Then we have the following two cases for $s_m \in L$ with $n(s_m) = 0$: $s_m \in F_1$ and $s_m \in H_1$.

We first consider the case that $s_m \in F_1$. Since $s_m \in F_0 = L - K$, we have by (6) that $\{D_i\}_{i\in I}(s_m) \ne 0$. Also, since $n(s_m) = 0 \le n(s_0)$ and $\{D_i\}_{i\in I}(s_0) \ne \phi$, it follows from the second condition of Definition 1 that $\{D_i\}_{i\in I}(s_m) = 1$. There exists $j \in I$ such that $0 = n(s_m) = n_j(M_j(s_m))$ and $c_j(M_j(s_m)) = 1$. Since $s_m \in M_j^{-1}M_j(H_0)$, there exists $s_{m_j} \in H_0 = K$ such that $M_j(s_m) = M_j(s_{m_j})$. Further, since $0 = n_j(M_j(s_m)) = n_j(M_j(s_{m_j}))$, we have $n(s_{m_j}) = n_j(M_j(s_{m_j})) = 0 \le n(s_0)$, which implies together with (7) and the second condition of Definition 1 that $\{D_i\}_{i\in I}(s_{m_j}) = 0$. However, since $n(s_{m_j}) = n_j(M_j(s_{m_j}))$ and $c_j(M_j(s_{m_j})) = c_j(M_j(s_m)) = 1$, we have $\{D_i\}_{i\in I}(s_{m_j}) \ne 0$, which contradicts $\{D_i\}_{i\in I}(s_{m_j}) = 0$.

We next consider the case that $s_m \in H_1$. Since $s_m \in H_0 = K$, we have by (7) that $\{D_i\}_{i\in I}(s_m) \ne 1$. Also, since $n(s_m) = 0 \le n(s_0)$ and $\{D_i\}_{i\in I}(s_0) \ne \phi$, it follows from the second condition of Definition 1 that $\{D_i\}_{i\in I}(s_m) = 0$. There exists $j \in I$ such that $0 = n(s_m) = n_j(M_j(s_m))$ and $c_j(M_j(s_m)) = 0$. Since $s_m \in M_j^{-1}M_j(F_0)$, there exists $s_{m_j} \in F_0 = L - K$ such that $M_j(s_m) = M_j(s_{m_j})$. Further, since $0 = n_j(M_j(s_m)) = n_j(M_j(s_{m_j}))$, we have $n(s_{m_j}) = n_j(M_j(s_{m_j})) = 0 \le n(s_0)$, which implies together with (6) and the second condition of Definition 1 that $\{D_i\}_{i\in I}(s_{m_j}) = 1$. However, since $n(s_{m_j}) = n_j(M_j(s_{m_j}))$ and $c_j(M_j(s_{m_j})) = c_j(M_j(s_m)) = 0$, we have $\{D_i\}_{i\in I}(s_{m_j}) \ne 1$, which contradicts $\{D_i\}_{i\in I}(s_{m_j}) = 1$.

Proof of Theorem 2: ($\Leftarrow$) If there exists a non-epsilon cycle of faulty-states in $R_{F_{N+1}}$, then given any $m$ consider a trace $s \in pr(F_{N+1})$ that visits the cycle at least $m$ times and ends on a state of the cycle. Since $s$ reaches a faulty-state (on the cycle), it reaches the state $F$ in $\bar{R}$, implying $s \notin K$. Thus $s \in pr(F_{N+1}) - K$. Consider the shortest faulty prefix $t$ of $s$. Then $t \in (L - K)^\partial$, which implies $s \in (L - K)^\partial \Sigma^{\ge m}$. It follows that $(pr(F_{N+1}) - K) \cap (L - K)^\partial \Sigma^{\ge m} \ne \emptyset$.

($\Rightarrow$) Suppose for each $m \in \mathcal{N}$ there exists $s_m \in (pr(F_{N+1}) - K) \cap (L - K)^\partial \Sigma^{\ge m}$. Pick $m_0$ to be larger than the number of states in $R_{F_{N+1}}$. Then the fact that $s_{m_0} \in (L - K)^\partial \Sigma^{\ge m_0}$ implies that $s_{m_0} = tu$ with $t \in (L - K)^\partial$ and $|u| \ge m_0$. Since $|u|$ is bigger than the number of states in $R_{F_{N+1}}$, $u$ visits a non-epsilon cycle $cl$. Also, we have $t \in pr(s_{m_0}) \subseteq pr(F_{N+1})$. This together with $t \in (L - K)^\partial \subseteq L - K$ implies $t \in pr(F_{N+1}) - K$. From Lemma 6, the states reached by execution of $t$ are all faulty. Since once a faulty-state is entered it is never exited (since $\bar{R}$ has a self-loop on all events at the state $F$) and since the cycle $cl$ is reached as part of the execution of $u$, i.e., after the execution of $t$, $cl$ must be a cycle of faulty-states.

Proof of Theorem 3: ($\Rightarrow$) We assume that $(L, K)$ is 0-inference F-diagnosable. Then, there exists $m \in \mathcal{N}$ such that $F_1 \cap F^m = \emptyset$. Let $s \in L - K$. Consider any $st \in L - K$ such that $|t| \ge m$. We have $st \in (L - K) \cap (L - K)\Sigma^{\ge m} = F^m$. Since $F_1 \cap F^m = \emptyset$ and $st \in F^m \subseteq F_0$, we have $st \in F_0 - F_1$, which implies that there exists $i \in I$ such that $st \notin M_i^{-1}M_i(H_0) = M_i^{-1}M_i(K)$. It follows that $M_i(st) \notin M_i(K)$. For any $u \in E_i(st)$, we have $M_i(u) = M_i(st) \notin M_i(K)$, which implies that $u \notin K$, i.e., $u \in L - K$. Thus, $(L, K)$ is codiagnosable.

($\Leftarrow$) We assume that $(L, K)$ is codiagnosable. Let $m \in \mathcal{N}$ be a nonnegative integer such that the condition of codiagnosability holds. Suppose for contradiction that $F_1 \cap F^m \ne \emptyset$. We consider any $s \in F_1 \cap F^m$. Since $s \in F^m$, we can write $s := tu \in L - K$ where $t \in L - K$ and $|u| \ge m$. Also, since $s \in F_1$, we have $tu \in M_i^{-1}M_i(K)$ for all $i \in I$. There exists $v_i \in K \subseteq L$ such that $M_i(tu) = M_i(v_i)$. Since $v_i \in E_i(tu)$ and $v_i \in K$ for all $i \in I$, the condition of codiagnosability does not hold. This is a contradiction.

Proof of Theorem 4: (⇒) We assume that (L, K) is 1-inference F-diagnosable. Then there exists m ∈ N such that F_2 ∩ F^m = ∅. Let s ∈ L − K, and consider any st ∈ L − K such that |t| ≥ m. We have st ∈ (L − K) ∩ (L − K)Σ^{≥m} = F^m. Suppose for contradiction that

(∀i ∈ I)(∃u_i ∈ E_i(st) ∩ K)(∀j ∈ I)(∃v_{ij} ∈ E_j(u_i))[v_{ij} ∈ L − K].

Since st ∈ F_0 and st ∈ M_i^{-1}M_i(u_i) ⊆ M_i^{-1}M_i(H_0) for all i ∈ I, we have st ∈ F_1. Also, since u_i ∈ H_0 and u_i ∈ M_j^{-1}M_j(v_{ij}) ⊆ M_j^{-1}M_j(F_0) for all j ∈ I, we have u_i ∈ H_1. It follows that st ∈ M_i^{-1}M_i(u_i) ⊆ M_i^{-1}M_i(H_1) for all i ∈ I, which together with st ∈ F_1 implies that st ∈ F_2. Thus st ∈ F_2 ∩ F^m, so F_2 ∩ F^m ≠ ∅, which contradicts the assumption that (L, K) is 1-inference F-diagnosable.

(⇐) Let m ∈ N be a nonnegative integer for which the condition of Theorem 4 holds. Suppose for contradiction that F_2 ∩ F^m ≠ ∅, and consider any s ∈ F_2 ∩ F^m. Since s ∈ F^m, we can write s := tu ∈ L − K where t ∈ L − K and |u| ≥ m. Also, since s ∈ F_2, we have tu ∈ M_i^{-1}M_i(H_1) for all i ∈ I, so there exists v_i ∈ H_1 such that M_i(tu) = M_i(v_i). It follows that v_i ∈ E_i(tu) ∩ K for all i ∈ I. Moreover, since v_i ∈ H_1, we have v_i ∈ M_j^{-1}M_j(F_0) for all j ∈ I, so there exists w_{ij} ∈ F_0 such that M_j(v_i) = M_j(w_{ij}). It follows that w_{ij} ∈ E_j(v_i) and w_{ij} ∈ L − K for all j ∈ I. This contradicts the condition of Theorem 4.

Proof of Theorem 6: Suppose for contradiction that (L, K) is not F-diagnosable. Then for any m ∈ N there exists st ∈ L − K such that s ∈ L − K, |t| ≥ m, and

∃u ∈ M^{-1}M(st) ∩ K.

It follows that st ∈ F^m.

We show by induction that st ∈ F_k and u ∈ H_k for every k ∈ N. By the definitions of F_0 and H_0, we have st ∈ F_0 and u ∈ H_0. Suppose that st ∈ F_k and u ∈ H_k for some k ∈ N. It follows from M(st) = M(u) that M_i(st) = M_i(u) for every i ∈ I. Then we have

st ∈ F_k ∩ ( ⋂_{i∈I} M_i^{-1}M_i(H_k) ) = F_{k+1}

and

u ∈ H_k ∩ ( ⋂_{i∈I} M_i^{-1}M_i(F_k) ) = H_{k+1}.

Thus st ∈ F_{N+1} ∩ F^m, so F_{N+1} ∩ F^m ≠ ∅, which contradicts the assumption that (L, K) is N-inference F-diagnosable.
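The two recursions used in the induction step above, F_{k+1} = F_k ∩ ⋂_i M_i^{-1}M_i(H_k) and H_{k+1} = H_k ∩ ⋂_i M_i^{-1}M_i(F_k), can be carried out directly when L is a finite set of traces. The following Python script is an added worked example and not code from the paper: it assumes a finite prefix-closed L given as a set of strings (one character per event), so that the two chains reach a fixpoint after finitely many steps and (L − K)Σ^{≥m} reduces to "at least m events after the shortest faulty prefix". The three-trace system, the unobservable fault event f and the two observation masks are constructed for illustration only. On that system the script reports one fault trace detected at inference level 0, one at level 1, and the bare trace f that no decision can separate with delay 0; with delay m = 1 the system is therefore 1-inference but not 0-inference F-diagnosable in the sense of Theorems 3 and 4.

```python
"""Inference iteration F_k / H_k over a finite prefix-closed language.

Added worked example, not part of the paper. Assumption: L is finite, so the
decreasing chains F_0 ⊇ F_1 ⊇ ... and H_0 ⊇ H_1 ⊇ ... stabilise, and the
delay condition Σ^{>=m} means "at least m events after the first fault".
"""


def prefix_closure(traces):
    """pr(T): every prefix (including the empty trace) of every trace in T."""
    return {t[:k] for t in traces for k in range(len(t) + 1)}


def mask(trace, observable):
    """M_i(trace): natural projection onto the events site i can observe."""
    return "".join(e for e in trace if e in observable)


def inverse_mask_image(traces, observable, universe):
    """M_i^{-1} M_i(traces) restricted to `universe` (here L): every trace of
    the universe that site i cannot distinguish from some trace in `traces`."""
    observed = {mask(t, observable) for t in traces}
    return {u for u in universe if mask(u, observable) in observed}


def inference_iteration(L, K, sites):
    """Compute F_0 = L - K, H_0 = K and
         F_{k+1} = F_k ∩ ⋂_i M_i^{-1} M_i(H_k),
         H_{k+1} = H_k ∩ ⋂_i M_i^{-1} M_i(F_k),
    stopping once both chains are stable (guaranteed for finite L)."""
    F, H = [L - K], [set(K)]
    while True:
        Fk, Hk = F[-1], H[-1]
        F_next, H_next = set(Fk), set(Hk)
        for observable in sites:
            F_next &= inverse_mask_image(Hk, observable, L)
            H_next &= inverse_mask_image(Fk, observable, L)
        if F_next == Fk and H_next == Hk:
            return F, H
        F.append(F_next)
        H.append(H_next)


def ambiguity_level(trace, F):
    """Level k such that trace ∈ F_k - F_{k+1}, i.e. the inference level at
    which the fault is resolved; None if the trace survives in the fixpoint."""
    if trace not in F[0]:
        raise ValueError("not a faulty trace")
    for k in range(len(F) - 1):
        if trace in F[k] and trace not in F[k + 1]:
            return k
    return None


def delayed_faults(L, K, m):
    """F^m = (L-K) ∩ (L-K)Σ^{>=m}: faulty traces carrying at least m events
    after their shortest faulty prefix."""
    result = set()
    for st in L - K:
        shortest = next(k for k in range(len(st) + 1) if st[:k] not in K)
        if len(st) - shortest >= m:
            result.add(st)
    return result


def inference_index(L, K, sites, m):
    """Smallest N with F_{N+1} ∩ F^m = ∅ (N-inference F-diagnosability with
    delay m); None if even the fixpoint of the F-chain still meets F^m."""
    F, _ = inference_iteration(L, K, sites)
    Fm = delayed_faults(L, K, m)
    for N in range(len(F)):
        if not (F[min(N + 1, len(F) - 1)] & Fm):
            return N
    return None


# Constructed system (hypothetical): f is the unobservable fault event,
# site 1 observes {a, c} and site 2 observes {b, c}.
SITES = ({"a", "c"}, {"b", "c"})
L = prefix_closure({"fa", "fc", "ba"})
K = {t for t in L if "f" not in t}


if __name__ == "__main__":
    F, H = inference_iteration(L, K, SITES)
    for k, (Fk, Hk) in enumerate(zip(F, H)):
        print(f"F_{k} = {sorted(Fk)}   H_{k} = {sorted(Hk)}")
    for s in sorted(L - K):
        print(f"fault trace {s!r}: ambiguity level {ambiguity_level(s, F)}")
    print("codiagnosable with delay 1:", inference_index(L, K, SITES, 1) == 0)
    print("minimum inference index with delay 1:", inference_index(L, K, SITES, 1))
```

The trace fc leaves the chain at level 0 because no non-faulty trace shows c to either site; fa stays in F_1 (site 1 confuses it with ba, site 2 with the empty trace) but leaves F_2, since the only non-faulty trace site 1 confuses it with, ba, is itself excluded from H_1 by site 2, which never sees b on a faulty trace. The trace f, with no event after the fault, remains in every F_k, which is why a positive delay m is needed.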

REFERENCES

[1] R. K. Boel and J. H. van Schuppen. Decentralized failure diagnosis for discrete-event systems with constrained communication between diagnosers. In Proceedings of International Workshop on Discrete Event Systems, 2002.

[2] P. Bouyer, F. Chevalier, and D. D'Souza. Fault diagnosis using timed automata. In Proceedings of the 8th International Conference on Foundations of Software Science and Computation Structures (FoSSaCS'05), Edinburgh, 2005.

[3] O. Contant, S. Lafortune, and D. Teneketzis. Diagnosis of intermittent faults. Discrete Event Dynamic Systems: Theory and Applications, 14:171–202, 2004.

[4] S. R. Das and L. E. Holloway. Characterizing a confidence space for discrete event timings for fault monitoring using discrete sensing and actuation signals. IEEE Transactions on Systems, Man, and Cybernetics—Part A: Systems and Humans, 30(1):52–66, 2000.

[5] R. Debouk, S. Lafortune, and D. Teneketzis. Coordinated decentralized protocols for failure diagnosis of discrete event systems. Discrete Event Dynamic Systems: Theory and Applications, 10:33–79, 2000.

[6] L. E. Holloway and S. Chand. Distributed fault monitoring in manufacturing systems using concurrent discrete-event observations. Integrated Computer-Aided Engineering, 3(4):244–254, 1996.

[7] S. Jiang, Z. Huang, V. Chandra, and R. Kumar. A polynomial time algorithm for diagnosability of discrete event systems. IEEE Transactions on Automatic Control, 46(8):1318–1321, 2001.

[8] S. Jiang and R. Kumar. Failure diagnosis of discrete event systems with linear-time temporal logic fault specifications. IEEE Transactions on Automatic Control, 49(6):934–945, 2004.


[9] S. Jiang and R. Kumar. Diagnosis of dense-time systems using digital-clocks. In Proceedings of 2006 American Control Conference, pages 6051–6056, Minneapolis, MN, June 2006.

[10] S. Jiang and R. Kumar. Diagnosis of repeated failures for discrete event systems with linear-time temporal logic specifications. IEEE Transactions on Automation Science and Engineering, 3(1):47–59, 2006.

[11] S. Jiang, R. Kumar, and H. E. Garcia. Diagnosis of repeated/intermittent failures in discrete event systems. IEEE Transactions on Robotics and Automation, 19(2):310–323, 2003.

[12] R. Kumar and V. K. Garg. Modeling and Control of Logical Discrete Event Systems. Kluwer Academic Publishers, Boston, MA, 1995.

[13] R. Kumar and S. Takai. Inference-based ambiguity management in decentralized decision-making: Decentralized control of discrete event systems. In Proceedings of 2005 IEEE Conference on Decision and Control and European Control Conference, Seville, Spain, December 2005.

[14] R. Kumar and S. Takai. Inference-based ambiguity management in decentralized decision-making: Decentralized control of discrete event systems. IEEE Transactions on Automatic Control, March 2005. Accepted.

[15] R. Kumar and S. Takai. Inference-based ambiguity management in decentralized decision making: Decentralized failure diagnosis of discrete event systems. In Proceedings of 2006 American Control Conference, pages 6069–6074, Minneapolis, MN, June 2006.

[16] F. Lin. Diagnosability of discrete event systems and its applications. Discrete Event Dynamic Systems: Theory and Applications, 4(1):197–212, 1994.

[17] D. Pandalai and L. Holloway. Template languages for fault monitoring of timed discrete event processes. IEEE Transactions on Automatic Control, 45(5):868–882, May 2000.

[18] W. Qiu and R. Kumar. Distributed failure diagnosis under bounded delay communication of immediately forwarded local observations. IEEE Transactions on Systems, Man, and Cybernetics—Part A, 38(3):628–643, 2008.

[19] W. Qiu and R. Kumar. Decentralized failure diagnosis of discrete event systems. IEEE Transactions on Systems, Man, and Cybernetics—Part A, 36(2):384–395, 2006.

[20] W. Qiu, R. Kumar, and S. Jiang. Decidability of distributed diagnosis under unbounded-delay communication. IEEE Transactions on Automatic Control, 52:114–117, 2007.

[21] S. L. Ricker and K. Rudie. Know means no: Incorporating knowledge into discrete-event control systems. IEEE Transactions on Automatic Control, 45:1656–1668, September 2000.

[22] S. L. Ricker and K. Rudie. Knowledge is a terrible thing to waste: Using inference in discrete-event control problems. In Proceedings of 2003 American Control Conference, pages 2246–2251, Denver, CO, 2003.

[23] S. L. Ricker and J. H. van Schuppen. Decentralized failure diagnosis with asynchronous communication between supervisors. In Proceedings of the European Control Conference, pages 1002–1006, 2001.

[24] M. Sampath and S. Lafortune. Active diagnosis of discrete event systems. IEEE Transactions on Automatic Control, 43(7):908–929, 1998.

[25] M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen, and D. Teneketzis. Diagnosability of discrete event systems. IEEE Transactions on Automatic Control, 40(9):1555–1575, September 1995.

[26] M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen, and D. Teneketzis. Failure diagnosis using discrete event models. IEEE Transactions on Control Systems Technology, 4(2):105–124, March 1996.

[27] R. Sengupta and S. Tripakis. Decentralized diagnosis of regular language is undecidable. In Proceedings of IEEE Conference on Decision and Control, pages 423–428, Las Vegas, NV, December 2002.

[28] R. Su and W. M. Wonham. Global and local consistencies in distributed fault diagnosis for discrete-event systems. IEEE Transactions on Automatic Control, 50(12):1923–1935, 2005.

[29] S. Takai and R. Kumar. Decentralized diagnosis for nonfailures of discrete event systems using inference-based ambiguity management. In Proceedings of 2006 International Workshop on Discrete Event Systems, pages 242–247, Ann Arbor, MI, July 2006.

[30] S. Takai and R. Kumar. Inference-diagnosability: Nonconvergence and other complexity results. In Proceedings of SICE Annual Conference 2007, Takamatsu, Kagawa, Japan, September 2007.

[31] D. Thorsley and D. Teneketzis. Diagnosability of stochastic discrete-event systems. IEEE Transactions on Automatic Control, 50(4):476–498, 2005.

[32] S. Tripakis. Fault diagnosis for timed automata. In Formal Techniques in Real Time and Fault Tolerant Systems, volume 2469 of Lecture Notes in Computer Science. Springer Verlag, 2002.

[33] Y. Wang, T.-S. Yoo, and S. Lafortune. New results on decentralized diagnosis of discrete-event systems. In Proceedings of 2004 Annual Allerton Conference, 2004.

[34] Y. Wang, T.-S. Yoo, and S. Lafortune. Decentralized diagnosis of discrete event systems using unconditional and conditional decisions. In Proceedings of 2005 IEEE Conference on Decision and Control, pages 6298–6304, Seville, Spain, December 2005.

[35] T. Yoo and H. E. Garcia. Event diagnosis of discrete-event systems with uniformly and nonuniformly bounded diagnosis delays. In Proceedings of 2004 American Control Conference, pages 5102–5107, Boston, MA, June 2004.


[36] T. S. Yoo and S. Lafortune. Polynomial-time verification of diagnosability of partially observed discrete-event systems. IEEE Transactions on Automatic Control, 47(9):1491–1495, 2002.

[37] T. S. Yoo and S. Lafortune. Decentralized supervisory control with conditional decisions: Supervisor existence. IEEE Transactions on Automatic Control, 49(11):1886–1904, 2004.

[38] S. H. Zad, R. H. Kwong, and W. M. Wonham. Fault diagnosis in discrete-event systems: Framework and model reduction. IEEE Transactions on Automatic Control, 48(7):1199–1212, 2003.

[39] S. H. Zad, R. H. Kwong, and W. M. Wonham. Fault diagnosis in discrete-event systems: Incorporating timing information. IEEE Transactions on Automatic Control, 50(7):1010–1015, 2005.

[40] C. Zhou and R. Kumar. Computation of diagnosable fault-occurrence indices for systems with repeatable-faults. In Proceedings of 2005 IEEE Conference on Decision and Control and European Control Conference, Seville, Spain, December 2005.
