Diagnosis of Dense-Time Systems using Digital-Clocks

Shengbing Jiang
GM R&D and Planning, Mail Code 480-106-390, Warren, MI 48090-9055
Email: [email protected]

Ratnesh Kumar
Dept. of Elec. & Comp. Eng., Iowa State University, Ames, IA 50014
Email: [email protected]

Abstract— We study failure diagnosis of timed discrete-event systems modeled as dense timed-automata for which reachability is decidable [1], [6]. Failure diagnosis of such systems was first studied in [21], assuming that a diagnoser has partial observation of events but can measure (or “observe”) time perfectly. In this paper we relax the latter requirement since in practice time cannot be measured precisely. Thus in our setting we have partial observability of events as well as of “time”. We model the observability of time based on a digital-clock of finite precision and of finite drift, i.e., the clock that a diagnoser uses to measure time ticks every [∆ ± δ] units of time. We show that the “discrete-time behavior” observed using such a clock is regular, i.e., can be represented using a finite (untimed) automaton. In our analysis we allow the non-failure behavior to be also represented as a separate dense timed-automaton that is deterministic (also decidable), which can be viewed as another extension. We show that the verification of diagnosability (ability to detect specification violation within a bounded delay) as well as the off-line synthesis of a diagnoser for a diagnosable system is decidable by reducing the problem to the untimed domain. The reduction to the untimed domain also suggests an effective method for an on-line diagnosis.

Keywords: Discrete event systems, diagnosis, timed automaton, diagnosability, dense-time, digital-clock

I. INTRODUCTION

A failure in a system is considered to be its abnormal behavior, i.e., one that violates the specification of a normal behavior. The task of diagnosis of a system requires detecting the occurrence of a failure by observing the system behavior, whereas the diagnosability property requires that the occurrence of a failure be detected within a bounded delay. For untimed discrete-event systems diagnosability has been examined in [17], [25], [8], [24], and a stronger notion of state-observability was examined in [12]. Extensions to decentralized setting can be found in [5], [13], [22] and to distributed setting in [5], [18], [16], [2], [19], [14], [15]. Extensions to diagnosis of repeatable/intermittent-failures can be found in [11], [23], [9], [3], [27], to the temporal logic setting in [10], [9], and to the probabilistic setting in [20].

The work cited above explores diagnosis of untimed discrete event systems. There has also been some research on diagnosis of timed discrete event systems, which includes diagnosis in discrete-time setting [26] and in dense-time setting [7], [4], [21]. It is known that the class of discrete-time systems is a subclass of dense-time ones, and the property of diagnosability of such dense-time systems, modeled as timed automata [1], [6], was first examined in [21] under the assumption that a diagnoser has partial observation of events but it can measure time perfectly. It was shown that the verification of diagnosability in this setting is decidable and on-line diagnosis can be effectively performed. However, no comments were made about the off-line synthesis of a diagnoser.

In this paper we generalize the work reported in [21] in two different ways. First, we relax the requirement that a diagnoser be able to measure time precisely since that is not possible in practice. Thus in our setting we have partial observability of events as well as of “time”. We model the observability of time based on a digital-clock of finite precision and of finite drift, i.e., the clock that the diagnoser uses to measure time ticks every [∆ ± δ] units of time. (∆ > δ ≥ 0, and both ∆ and δ are rationals.) Second, we allow the representation of the non-failure specification also to be a dense timed-automaton. Since the computation of the failure-specification from a non-failure specification requires “complementation”, we assume the non-failure specification to be accepted by a deterministic dense timed-automaton. We show the decidability of the diagnosis problem in this general setting.

The decidability result we obtain is based on two main results reported in this paper: (i) We show that the “discrete-time behavior” observed using a digital-clock of the type mentioned above is regular, i.e., can be represented using a finite (untimed) automaton. (ii) Diagnosability of a pair consisting of a dense-time system and a deterministic dense-time specification is reducible to the diagnosability of a single untimed system in which failures are represented through faulty events. With these two observations we are able to reduce the problem of diagnosis in the dense-time setting to that of diagnosis in the untimed setting.
It then follows from the results in the untimed setting that even in the dense-time setting the verification of diagnosability as well as the offline synthesis of a diagnoser is decidable, and the on-line diagnosis can be effectively performed.

The rest of the paper is organized as follows. Section 2 gives the notations and preliminaries. Section 3 shows that the discrete-time behavior of a dense timed-automaton as observed through a digital clock of finite precision and finite drift is an untimed regular language. Section 4 formulates and studies diagnosability in the dense time setting for systems in which faults are specified using faulty events. Section 5 looks at the extension where non-failure specification is given, a violation of which corresponds to the occurrence of a fault. Conclusion is presented in Section 6.

II. NOTATIONS AND PRELIMINARIES

A timed automaton A is a tuple (Q, Σ, Ξ, Υ, Q_0, I), where
• Q is a finite set of discrete states;
• Σ is a finite set of events;
• Ξ is a finite set of clocks;
• Υ ⊆ Q × Q × Σ × Φ × 2^Ξ is a set of transitions. Here Φ is the set of clock constraints. A clock constraint φ ∈ Φ is a boolean formula with atomic constraints of the form ξ ∼ c or ξ_1 − ξ_2 ∼ c, where ξ_1, ξ_2 ∈ Ξ, ∼ ∈ {≤, <, =, >, ≥}, and c is a rational constant. Each transition υ ∈ Υ is a tuple (q, q′, σ, φ, r), where q is the source discrete state, q′ is the destination discrete state, σ is the event associated with the transition, φ is a clock constraint representing the guard condition of the transition, and r is the set of clocks to be reset by the transition when entering the destination discrete state q′.
• Q_0 ⊆ Q is the set of initial states;
• I : Q → Φ is the invariant function, which assigns invariants to discrete states.

Let ℝ+ be the set of nonnegative real numbers. A timed trace over Σ is a sequence ν = <σ_0, t_0><σ_1, t_1> ··· <σ_i, t_i> ··· <σ_n, t_n> with t_i ∈ ℝ+ for all i = 0, 1, ···, n, t_i ≤ t_{i+1} and σ_i ∈ Σ for all i = 0, 1, ···, n − 1, and σ_n ∈ Σ ∪ {ε}, where ε is the null event. The corresponding untimed trace of ν is ν_untime = σ_0 ··· σ_n.

A time assignment is a function v : Ξ → ℝ+ assigning a nonnegative real value to every clock. Constants may be added to time assignments, where (v + c)(ξ) = v(ξ) + c. [r ↦ 0]v is the time assignment that maps every clock in r ⊆ Ξ to time 0 and keeps all other clocks same as in v. We say that the clocks in r are reset. The time assignment 0_v maps every clock to 0.

A run of A over a timed trace ν = <σ_0, t_0><σ_1, t_1> ··· <σ_i, t_i> ··· <σ_n, t_n> is a sequence of the form

(q_0, v_0) ··· (q_{i+1}, v_{i+1}) ··· (q_{n+1}, v_{n+1})

with q_i ∈ Q and v_i being the time assignments, satisfying the following requirements:
• Initialization: q_0 ∈ Q_0 and v_0 = 0_v
• Invariance: ∀i = 0, 1, ···, n, ∀t ∈ [0, t_i − t_{i−1}], v_i + t satisfies I(q_i), where t_{−1} = 0
• Consecution: ∀i = 0, 1, ···, n − 1, ∃(q_i, q_{i+1}, σ_i, φ_i, r_i) ∈ Υ such that v_i + t_i − t_{i−1} satisfies φ_i and v_{i+1} = [r_i ↦ 0](v_i + t_i − t_{i−1}), where t_{−1} = 0; if σ_n ≠ ε then there is a tuple (q_n, q_{n+1}, σ_n, φ_n, r_n) ∈ Υ such that v_n + t_n − t_{n−1} satisfies φ_n and v_{n+1} = [r_n ↦ 0](v_n + t_n − t_{n−1}), otherwise q_{n+1} = q_n and v_{n+1} = v_n + t_n − t_{n−1}.

A timed automaton A accepts a timed trace ν if A has a run over ν. The timed language accepted by A is the set of all timed traces accepted by A, which is denoted by L(A). It is obvious that L(A) is prefix closed. The untimed language of A is L_untime(A) = {ν_untime | ν ∈ L(A)}. It is required that in a timed automaton, when the invariant of a discrete state is violated, some outgoing transition must be enabled; and the automaton is non-zeno, i.e., there does not exist any run of the automaton that contains infinitely many transitions in a finite interval of time.

The product of two timed automata is defined as follows. Let A_1 = (Q_1, Σ_1, Ξ_1, Υ_1, Q_0^1, I_1) and A_2 = (Q_2, Σ_2, Ξ_2, Υ_2, Q_0^2, I_2) be two timed automata. Assume that the clock sets Ξ_1 and Ξ_2 are disjoint. Then, the product is the timed automaton A_1 ‖ A_2 = (Q_1 × Q_2, Σ_1 ∪ Σ_2, Ξ_1 ∪ Ξ_2, Υ, Q_0^1 × Q_0^2, I), where I(q_1, q_2) = I_1(q_1) ∧ I_2(q_2) and the transition set Υ is defined by:
1) ∀σ ∈ Σ_1 ∩ Σ_2, ∀(q_1, q_1′, σ, φ_1, r_1) ∈ Υ_1, ∀(q_2, q_2′, σ, φ_2, r_2) ∈ Υ_2, we have ((q_1, q_2), (q_1′, q_2′), σ, φ_1 ∧ φ_2, r_1 ∪ r_2) ∈ Υ.
2) ∀σ ∈ Σ_1 − Σ_2, ∀(q_1, q_1′, σ, φ_1, r_1) ∈ Υ_1, ∀q_2 ∈ Q_2, we have ((q_1, q_2), (q_1′, q_2), σ, φ_1, r_1) ∈ Υ.
3) ∀σ ∈ Σ_2 − Σ_1, ∀(q_2, q_2′, σ, φ_2, r_2) ∈ Υ_2, ∀q_1 ∈ Q_1, we have ((q_1, q_2), (q_1, q_2′), σ, φ_2, r_2) ∈ Υ.

From [1], [6], we have the following result.

Theorem 1: The untimed language L_untime(A) of a timed automaton A is regular.

To introduce partial observation of events, let M : Σ ∪ {ε} → Λ ∪ {ε} be an event observation mask with M(ε) = ε, where Λ is the set of output symbols. An untimed trace s = σ_0 σ_1 ··· σ_i ··· is observed through the mask M as M(s) = M(σ_0)M(σ_1) ··· M(σ_i) ···. Given an untimed closed language K ⊆ Σ*, the event masked language M(K) is given by M(K) := {M(s) ∈ Λ* | s ∈ K}.

To introduce the faults, let F = {F_1, F_2, ···, F_m} be the set of failure types, and let ψ : Σ → 2^F be the fault assignment function for each event, where ψ(σ) = ∅ means σ is a good event; otherwise σ is a faulty event and ψ(σ) is the set of fault types that σ is associated with. Hereafter, when we write that “a fault of type F_i has occurred”, we will mean that some faulty event σ has occurred such that F_i ∈ ψ(σ). For an untimed trace s = σ_0 σ_1 ··· σ_i ···, if F_i ∈ ψ(σ_i) for some event σ_i in the trace, then we say that a fault of type F_i has occurred in s, which is denoted as F_i ∈ s. The definition of diagnosability for untimed discrete event systems is given below ([17]).

Definition 1: A prefix-closed language K ⊆ Σ* is said to be diagnosable with respect to the event mask M and the fault assignment function ψ if the following holds:
(∀F_i ∈ F)(∃N_i > 0)
(∀s = σ_0 ··· σ_j ∈ K, F_i ∈ s)
(∀t = s σ_{j+1} ··· σ_{j+n} ∈ K, n ≥ N_i)
(∀w ∈ K, M(w) = M(t)) ⇒ (F_i ∈ w)
A discrete event system is diagnosable if its generated language is diagnosable.
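Definition 1 can be tested mechanically on a finite automaton by running two copies of it that agree on every observation and looking for a cycle in which one copy has seen the fault and the other has not. The Python sketch below is an added example (a verifier, or twin-automaton, check; not code from the paper or the exact algorithm of the cited references); the function name, the data layout and the five-state sample system are assumptions made for illustration.

```python
from collections import deque

EPS = ""  # mask value of an unobservable event (the paper's null event)


def diagnosable(trans, init, mask, psi, fault):
    """Check Definition 1 for one fault type on a finite automaton.

    trans: dict state -> list of (event, next_state)
    init:  iterable of initial states
    mask:  dict event -> observed symbol (EPS if unobservable)
    psi:   dict event -> set of fault types (fault assignment function)
    """
    def moves(state, flag):
        # Successors of one copy, carrying a "fault has occurred" flag.
        for ev, nxt in trans.get(state, ()):
            yield ev, (nxt, flag or fault in psi.get(ev, ()))

    def successors(node):
        left, right = node
        out = []  # entries: (left_copy_moved, next_node)
        for e1, l2 in moves(*left):
            if mask[e1] == EPS:
                out.append((True, (l2, right)))      # left moves unobserved
            else:
                out.extend((True, (l2, r2)) for e2, r2 in moves(*right)
                           if mask[e2] == mask[e1])  # same observation
        for e2, r2 in moves(*right):
            if mask[e2] == EPS:
                out.append((False, (left, r2)))      # right moves unobserved
        return out

    # Explore the reachable part of the verifier (two synchronized copies).
    start = [((q, False), (p, False)) for q in init for p in init]
    edges, queue = {}, deque(start)
    while queue:
        node = queue.popleft()
        if node in edges:
            continue
        edges[node] = successors(node)
        queue.extend(nxt for _, nxt in edges[node])

    def ambiguous(node):  # left copy faulty, right copy fault-free
        return node[0][1] and not node[1][1]

    def reaches(src, dst):
        stack, visited = [src], {src}
        while stack:
            n = stack.pop()
            if n == dst:
                return True
            for _, m in edges[n]:
                if m not in visited:
                    visited.add(m)
                    stack.append(m)
        return False

    # Not diagnosable iff an ambiguous cycle exists in which the faulty copy
    # advances: the fault then stays undetected for arbitrarily many events.
    for node, out in edges.items():
        if ambiguous(node):
            for left_moved, nxt in out:
                if left_moved and ambiguous(nxt) and reaches(nxt, node):
                    return False
    return True


# Constructed sample: unobservable fault "f", unobservable normal event "u".
TRANS = {0: [("f", 1), ("u", 3)], 1: [("a", 2)], 2: [("b", 2)],
         3: [("a", 4)], 4: [("c", 4)]}
PSI = {"f": {"F1"}}
FINE = {"f": EPS, "u": EPS, "a": "a", "b": "b", "c": "c"}
COARSE = dict(FINE, c="b")  # a sensor that cannot tell c from b

if __name__ == "__main__":
    print(diagnosable(TRANS, [0], FINE, PSI, "F1"))
    print(diagnosable(TRANS, [0], COARSE, PSI, "F1"))
```

With the fine mask the faulty branch is recognized as soon as b is seen; with the coarse mask both branches produce the same observation forever, so no bound N_i exists.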

Polynomial algorithms for the test of the above diagnosability and the synthesis of the on-line diagnoser can be found in [8], [24], [11].

III. TIMING MASKED LANGUAGE AND ITS REGULARITY

In this section we define the “discrete-time” behavior of a dense timed-automaton as “observed” using a digital clock of finite precision and finite drift. We show that such a “discrete-time” behavior is a regular language, i.e., can be accepted by an (untimed) automaton.

To introduce the observation mask for the time, suppose we have a digital-clock with the precision of ∆ and the clock drift of δ, where ∆ > δ ≥ 0 and both ∆ and δ are rational numbers; then for every T ∈ [∆ − δ, ∆ + δ] time units the clock will generate a special tick event τ ∉ Σ. We will denote such a digital clock by clock_(∆,δ).

Definition 2: Given a clock clock_(∆,δ), the timing mask function M_(∆,δ) for timed traces is defined as: for every timed trace ν = <σ_0, t_0><σ_1, t_1> ··· <σ_i, t_i> ···,

$$M_{(\Delta,\delta)}(\nu) := \tau^{\lfloor t_0/T_0 \rfloor}\,\sigma_0\,\tau^{\lfloor t_1/T_1 \rfloor - \lfloor t_0/T_0 \rfloor}\,\sigma_1 \cdots \tau^{\lfloor t_i/T_i \rfloor - \lfloor t_{i-1}/T_{i-1} \rfloor}\,\sigma_i \cdots$$

where τ^0 = ε, τ^{i+1} = τ^i · τ and T_i ∈ [∆ − δ, ∆ + δ] for all i ≥ 0.

The timing masked language of A under clock_(∆,δ) is M_(∆,δ)(L(A)) = {M_(∆,δ)(ν) | ν ∈ L(A)}. It is obvious that M_(∆,δ)(L(A)) is prefix closed and is a language over Σ ∪ {τ}, i.e., M_(∆,δ)(L(A)) ⊆ (Σ ∪ {τ})*. Since τ is just another symbol (a “tick” symbol), this implies that the timing masked language is an untimed language. We show below that when A is a dense timed-automaton, its timing masked language is a regular untimed language.

Theorem 2: Given a timed automaton A, let L(A) be its timed language, then its timing masked language M_(∆,δ)(L(A)) is regular.

Sketch of Proof: Let C = (Q_c, Σ_c, Ξ_c, Υ_c, Q_0^c, I_c) be the timed automaton model for the digital clock clock_(∆,δ) with Q_c = Q_0^c = {q_0}, Σ_c = {τ}, Ξ_c = {ξ_c}, Υ_c = {(q_0, q_0, τ, [ξ_c ≥ ∆ − δ] ∧ [ξ_c ≤ ∆ + δ], {ξ_c})}, and I_c(q_0) = [ξ_c ≥ 0] ∧ [ξ_c ≤ ∆ + δ]; and let P = A ‖ C be the product timed automaton of A and C. It can be proved that M_(∆,δ)(L(A)) = L_untime(P). Then the result follows directly from Theorem 1.

IV. FAILURE DIAGNOSIS WITH EVENT AND TIMING MASKS

In this section we study the failure diagnosis problem of timed discrete event systems modeled by timed automata with both timing and event observation masks. Let A = (Q, Σ, Ξ, Υ, Q_0, I) be the timed automaton model of the system, M_(∆,δ) be the timing mask, M : Σ ∪ {ε} → Λ ∪ {ε} be the event observation mask, F = {F_1, F_2, ···, F_m} be the set of failure types, and ψ : Σ → 2^F be the fault assignment function for each event. For a timed trace ν = <σ_0, t_0><σ_1, t_1> ··· <σ_i, t_i> ···, if F_i ∈ ψ(σ_i) for some event σ_i in the trace, then we say that a fault of type F_i has occurred in ν, which is denoted as F_i ∈ ν.
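The clock automaton C from the proof of Theorem 2 can be simulated for one realization of the drift at a time: accumulate tick periods taken from [∆ − δ, ∆ + δ] and interleave the ticks with the masked events. The Python sketch below is an added example, not code from the paper; the function names, the sampling of each period from only three values, and the two sample traces are assumptions made for illustration.

```python
from fractions import Fraction as Fr
from itertools import product

TICK = "τ"  # tick event of the digital clock, not in Σ


def observe(trace, periods, mask):
    """Word seen by the diagnoser for one realization of the clock drift.

    trace:   list of (event, time) with nondecreasing times
    periods: successive tick periods of the clock; must cover the trace
    mask:    dict event -> observed symbol ("" if unobservable)
    """
    ticks, now = [], Fr(0)
    for p in periods:
        now += p
        ticks.append(now)
    if trace and (not ticks or ticks[-1] <= trace[-1][1]):
        raise ValueError("tick periods do not cover the whole trace")
    word, k = [], 0
    for event, t in trace:
        # Ticks up to and including time t are emitted before the event,
        # matching the floor in Definition 2.
        while ticks[k] <= t:
            word.append(TICK)
            k += 1
        if mask[event]:
            word.append(mask[event])
    return tuple(word)


def observations(trace, delta, drift, mask):
    """Observed words over sampled drift realizations of clock(Δ,δ).

    Each period is sampled from {Δ-δ, Δ, Δ+δ}; a real clock may take any
    value in [Δ-δ, Δ+δ], so this is a subset of the possible observations.
    """
    if not delta > drift >= 0:
        raise ValueError("the paper requires Δ > δ ≥ 0")
    lo = delta - drift
    last = trace[-1][1] if trace else Fr(0)
    n = int(last // lo) + 1  # n ticks always pass the last event time
    choices = sorted({lo, delta, delta + drift})
    return {observe(trace, ps, mask) for ps in product(choices, repeat=n)}


# Constructed sample: an unobservable fault "f" delays observable event "a".
MASK = {"f": "", "a": "a"}
NORMAL = [("a", Fr(9, 10))]
FAULTY = [("f", Fr(1, 2)), ("a", Fr(11, 10))]


def distinguishable(drift, delta=Fr(1)):
    """True iff no sampled observation is shared by the two traces."""
    return not (observations(NORMAL, delta, drift, MASK)
                & observations(FAULTY, delta, drift, MASK))


if __name__ == "__main__":
    print(distinguishable(Fr(0)), distinguishable(Fr(1, 4)))
```

With a drift-free clock of period 1 the late occurrence of a is visible as an extra tick; with δ = 1/4 both traces can produce the same word, so the timing information alone no longer separates them.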

A timed trace ν = <σ_0, t_0><σ_1, t_1> ··· <σ_i, t_i> ··· observed through the event observation mask M is M(ν) = ··· <M(σ_i) ≠ ε, t_i> ···. The trace ν observed through both timing and event masks is

$$M \circ M_{(\Delta,\delta)}(\nu) = \tau^{\lfloor t_0/\Delta \rfloor}\,M(\sigma_0)\,\tau^{\lfloor t_1/\Delta \rfloor - \lfloor t_0/\Delta \rfloor}\,M(\sigma_1) \cdots \tau^{\lfloor t_i/\Delta \rfloor - \lfloor t_{i-1}/\Delta \rfloor}\,M(\sigma_i) \cdots$$

It is not difficult to verify that M ∘ M_(∆,δ)(ν) = M_(∆,δ) ∘ M(ν). The event and timing masked language of A is M ∘ M_(∆,δ)(L(A)) = {M ∘ M_(∆,δ)(ν) | ν ∈ L(A)}. Now we give the definition of diagnosability.

Definition 3: A prefix-closed timed language L is said to be diagnosable with respect to the timing mask M_(∆,δ), the event mask M, and the fault assignment function ψ if the following holds:
(∀F_i ∈ F)(∃B_i ∈ ℝ+)
(∀µ = <σ_0, t_0> ··· <σ_j, t_j> ∈ L, F_i ∈ µ)
(∀µ′ = µ<σ_{j+1}, t_{j+1}> ··· <σ_n, t_n> ∈ L, t_n ≥ (t_j + B_i))
(∀ν ∈ L, M ∘ M_(∆,δ)(ν) = M ∘ M_(∆,δ)(µ′)) ⇒ (F_i ∈ ν)
A dense-time system A is said to be diagnosable if its timed language L(A) is diagnosable.

The diagnosis problem of dense-time systems with both timing and event masks can be reduced to the diagnosis problem of untimed systems with only event observation mask. In the following, we first show that the timing masked language of a timed automaton is regular, and next establish the equivalence of the diagnosabilities of a timed language and its timing masked language.

Theorem 3: A prefix-closed timed language L is diagnosable with respect to the timing mask M_(∆,δ), the event mask M, and the fault assignment function ψ if and only if its timing masked language M_(∆,δ)(L) is diagnosable with respect to the event mask M and the fault assignment function ψ.

Sketch of Proof: For the sufficiency, suppose M_(∆,δ)(L) is diagnosable, i.e., for any F_i there exists an N_i such that the conditions in Definition 1 are satisfied. Then by picking B_i = N_i ∗ (∆ + δ) for the parameter B_i in Definition 3, we can directly prove the diagnosability of L based on the following two facts. Fact 1: for any segment of a timed trace, if the time duration of the segment is longer than N_i ∗ (∆ + δ) then the timing mask of the segment contains at least N_i tick events. Fact 2: for any timed trace µ ∈ L, F_i ∈ µ if and only if F_i ∈ M_(∆,δ)(µ).
For the necessity, suppose the timed language L is diagnosable, i.e., for any F_i there exists a B_i such that the conditions in Definition 3 are satisfied. From the assumption that the system is non-zeno, we know that given a T ∈ ℝ+, there exists an integer K_T such that for any segment of a timed trace in L, if the segment contains more than K_T events then the time duration of the segment is longer than T. Let K_{B_i} denote the above bound for the number of events within a time duration of B_i, then by picking N_i = K_{B_i} + ⌈B_i/(∆ − δ)⌉ + 1 for the parameter N_i in Definition 1, we can directly prove the diagnosability of M_(∆,δ)(L) based on the following facts. Fact 1: for any segment of a timing mask trace in M_(∆,δ)(L), if it contains more than N_i events, then it either contains more than K_{B_i} events in Σ or contains more than ⌈B_i/(∆ − δ)⌉ tick events, and in either case the duration of the segment is longer than B_i. Fact 2: for any timing mask of a timed trace µ ∈ L, F_i ∈ M_(∆,δ)(µ) if and only if F_i ∈ µ.

From Theorems 2 and 3, the diagnosis problem of dense-time systems with both timing and event observation masks can be reduced to the diagnosis problem of untimed discrete event systems with event observation mask. Thus, the results for the diagnosis of untimed discrete event systems like [8], [24], [11] can be applied for the test of diagnosability and the synthesis of on-line as well as off-line diagnoser.

V. DIAGNOSIS WITH DENSE TIME SPECIFICATION

We study the diagnosis problem where one dense timed-automaton is given as the system model and another dense timed-automaton as the specification model which specifies the non-failure behavior. The task of diagnosis is to diagnose any faulty behavior of the system (with respect to the specification) within a bounded delay of its occurrence in the presence of both timing and event masks. In other words, the fault is not specified as faulty events directly. This notion of diagnosability is captured by the following definition.
Definition 4: Given a system with a timed automaton model G = (Q, Σ, Ξ, Υ, Q_0, I), a specification with a timed automaton model R = (Q_R, Σ, Ξ_R, Υ_R, Q_0^R, I_R), the timing mask M_(∆,δ), and the event mask M, (G, R) is said to be diagnosable with respect to M_(∆,δ) and M if the following holds:
(∃B ∈ ℝ+)
(∀µ = <σ_0, t_0> ··· <σ_j, t_j> ∈ L(G) − L(R))
(∀µ′ = µ<σ_{j+1}, t_{j+1}> ··· <σ_n, t_n> ∈ L(G), t_n ≥ (t_j + B))
(∀ν ∈ L(G), M ∘ M_(∆,δ)(ν) = M ∘ M_(∆,δ)(µ′)) ⇒ (ν ∉ L(R))

For any deterministic specification R, the above diagnosis problem for a pair of timed automata can be transferred to the diagnosis problem of a single timed automaton with faulty event as defined in Definition 3. For this, we first complete the specification R by adding a dump state and all the missing transitions. Let R̄ denote the automaton derived; it is constructed as follows: R̄ = (Q_R ∪ {dump}, Σ, Ξ_R, Υ_R ∪ Υ_add, Q_0^R, Ī_R), where ∀q ∈ Q_R, Ī_R(q) = I_R(q), Ī_R(dump) = true, and the set of added transitions Υ_add is defined as
• ∀q ∈ Q_R, ∀σ ∈ Σ, suppose there are n ≥ 0 out-going transitions from q labeled with σ, and let {φ_σ^1, ···, φ_σ^n} be the set of guard conditions associated with those n transitions, then (q, dump, ¬(∨_{i=1}^{n} φ_σ^i), σ, ∅) ∈ Υ_add.
• ∀σ ∈ Σ, (dump, dump, true, σ, ∅) ∈ Υ_add.

It is obvious that R̄ accepts any timed trace over the event set Σ; if a timed trace leads to the state dump, then the trace is not accepted by R, in which case it indicates a fault. In order to represent such a fault using a faulty event, next we “split” the dump state into dump_1 and dump_2 states; make all self-loop transitions of dump as self-loop transitions of dump_2; make all incoming non-self-loop transitions of dump as incoming transitions of dump_1; add an outgoing transition on f from dump_1 to dump_2. The automaton obtained is denoted as R̄^f and it is defined as follows. R̄^f = (Q_R ∪ {dump_1, dump_2}, Σ ∪ {f}, Ξ_R ∪ {ξ_f}, Υ_R ∪ Υ^f_add, Q_0^R, Ī_R^f), where ∀q ∈ Q_R, Ī_R^f(q) = I_R(q), Ī_R^f(dump_1) = (ξ_f = 0), Ī_R^f(dump_2) = true, and the set of transitions Υ^f_add is defined as
• ∀q ∈ Q_R, ∀σ ∈ Σ, suppose there are n ≥ 0 out-going transitions from q labeled with σ, and let {φ_σ^1, ···, φ_σ^n} be the set of guard conditions associated with those n transitions, then (q, dump_1, ¬(∨_{i=1}^{n} φ_σ^i), σ, {ξ_f}) ∈ Υ^f_add.
• ∀σ ∈ Σ, (dump_2, dump_2, true, σ, ∅) ∈ Υ^f_add.
• (dump_1, dump_2, ξ_f = 0, f, ∅) ∈ Υ^f_add.

Then we can compose G with R̄^f and obtain the product timed automaton G ‖ R̄^f with the faulty event f. Since f ∉ Σ, the event f occurs asynchronously in the composition (i.e., without the participation of G), whereas all other events occur synchronously. For the automaton G ‖ R̄^f, we have only one failure type, i.e., F = {F_1}, and the corresponding fault assignment function ψ_f is defined as ψ_f(f) = {F_1} and ψ_f(σ) = ∅ for any σ ∈ Σ.

From the construction of G ‖ R̄^f it can be proved that (G, R) is diagnosable according to Definition 4 if and only if G ‖ R̄^f is diagnosable according to Definition 3. Also the problem can be further reduced to the diagnosis of untimed systems as established above. We have the following theorem.

Theorem 4: Given a system G, a deterministic specification R, the timing mask M_(∆,δ), and the event mask M, (G, R) is diagnosable with respect to M_(∆,δ) and M if and only if G ‖ R̄^f is diagnosable with respect to M_(∆,δ), M, and ψ_f.

Sketch of Proof: The result follows directly from the facts that there is a one-to-one mapping between the timed languages of G and G ‖ R̄^f; and for any timed trace ν ∈ L(G), ν ∉ L(R) if and only if ν^f, which is the corresponding trace of ν in L(G ‖ R̄^f), contains the faulty event f, i.e., F_1 ∈ ν^f.

VI. CONCLUSION

The paper considered the diagnosis of timed discrete event systems where the model of the system as well as of the non-failure specification is allowed to be a dense timed-automaton [1], [6]. (The non-failure specification model is deterministic.) While it is meaningful for a system as well as its specification of non-failure behavior to have a dense-time semantics, it is not practical for a diagnoser to be able to measure dense-time precisely. An imprecision in measurement of time can be viewed as partial observability of “time”, just as the presence of imprecise sensors leads to a partial observability of events. A main observation is that for a diagnoser with access to a digital-clock, the “discrete-time” behavior as observed by the diagnoser is regular as long as the digital-clock can be modeled as a dense timed-automaton. (This for example is the case for a digital-clock with finite precision and a bounded drift.) Another observation is that the diagnosability property is preserved under “timing masking”. Based on these two observations it was shown that the problem of diagnosis of dense-time systems can be reduced to one of untimed systems. Consequently, results from the untimed setting such as those reported in [11] can be applied to perform the diagnosis of a dense-time system against a dense-time specification in the presence of partial observation of events as well as imprecise measurement of time.

ACKNOWLEDGMENT

The research was supported in part by the National Science Foundation under the grants NSF-ECS-0218207, NSF-ECS-0244732, NSF-EPNES-0323379, and NSF-0424048.

REFERENCES

[1] R. Alur and D. Dill. A theory of timed automata. Theoretical Computer Science, 126:183–235, 1994.
[2] R. K. Boel and J. H. van Schuppen. Decentralized failure diagnosis for discrete-event systems with constrained communication between diagnosers. In Proceedings of International Workshop on Discrete Event Systems, 2002.
[3] O. Contant, S. Lafortune, and D. Teneketzis. Diagnosis of intermittent faults. Discrete Event Dynamical Systems: Theory and Application, 14:171–202, 2004.
[4] S. R. Das and L. E. Holloway. Characterizing a confidence space for discrete event timings for fault monitoring using discrete sensing and actuation signals. IEEE Transactions on Systems, Man, and Cybernetics—Part A: Systems and Humans, 30(1):52–66, 2000.
[5] R. Debouk, S. Lafortune, and D. Teneketzis. Coordinated decentralized protocols for failure diagnosis of discrete event systems. Discrete Event Dynamical Systems: Theory and Applications, 10:33–79, 2000.
[6] T. A. Henzinger, X. Nicollin, J. Sifakis, and S. Yovine. Symbolic model-checking for real-time systems. Information and Computation, 111:193–244, 1994.
[7] L. E. Holloway and S. Chand. Distributed fault monitoring in manufacturing systems using concurrent discrete-event observations. Integrated Computer-Aided Engineering, 3(4):244–254, 1996.
[8] S. Jiang, Z. Huang, V. Chandra, and R. Kumar. A polynomial time algorithm for diagnosability of discrete event systems. IEEE Transactions on Automatic Control, 46(8):1318–1321, 2001.
[9] S. Jiang and R. Kumar. Diagnosis of repeated failures for discrete event systems with linear-time temporal logic specifications. In Proceedings of IEEE Conference on Decision and Control, pages 3221–3226, Maui, Hawaii, 2003.
[10] S. Jiang and R. Kumar. Failure diagnosis of discrete event systems with linear-time temporal logic fault specifications. IEEE Transactions on Automatic Control, 49(6):934–945, 2004.
[11] S. Jiang, R. Kumar, and H. E. Garcia. Diagnosis of repeated/intermittent failures in discrete event systems. IEEE Transactions on Robotics and Automation, 19(2):310–323, 2003.
[12] C. M. Ozveren and A. S. Willsky. Observability of discrete event dynamical systems. IEEE Transactions on Automatic Control, 35(7):797–806, 1990.
[13] W. Qiu and R. Kumar. Decentralized failure diagnosis of discrete event systems. In Proceedings of 2004 International Workshop on Discrete Event Systems, Reim, France, September 2004.
[14] W. Qiu and R. Kumar. Distributed failure diagnosis under bounded delay using immediate observation passing protocol. In Proceedings of 2005 American Control Conference, Portland, OR, June 2005.
[15] W. Qiu, R. Kumar, and S. Jiang. Decidability of distributed diagnosis under unbounded-delay communication. IEEE Transactions on Automatic Control, 2004. Submitted.
[16] S. L. Ricker and J. H. van Schuppen. Decentralized failure diagnosis with asynchronous communication between supervisors. In Proceedings of the European Control Conference, pages 1002–1006, 2001.
[17] M. Sampath, R. Sengupta, S. Lafortune, K. Sinaamohideen, and D. Teneketzis. Diagnosability of discrete event systems. IEEE Transactions on Automatic Control, 40(9):1555–1575, September 1995.
[18] R. Sengupta and S. Tripakis. Decentralized diagnosis of regular language is undecidable. In Proceedings of IEEE Conference on Decision and Control, pages 423–428, Las Vegas, NV, December 2002.
[19] R. Su, W. M. Wonham, J. Kurien, and X. Koutsoukos. Distributed diagnosis for qualitative systems. In Proceedings of International Workshop on Discrete Event Systems, 2002.
[20] D. Thorsley and D. Teneketzis. Diagnosability of stochastic discrete-event systems. IEEE Transactions on Automatic Control, 50(4):476–498, 2005.
[21] S. Tripakis. Fault diagnosis for timed automata. In Formal Techniques in Real Time and Fault Tolerant Systems, volume 2469 of Lecture Notes in Computer Science. Springer Verlag, 2002.
[22] Y. Wang, T.-S. Yoo, and S. Lafortune. New results on decentralized diagnosis of discrete-event systems. In Proceedings of 2004 Annual Allerton Conference, 2004.
[23] T. Yoo and H. E. Garcia. Event diagnosis of discrete-event systems with uniformly and nonuniformly bounded diagnosis delays. In Proceedings of 2004 American Control Conference, pages 5102–5107, Boston, MA, June 2004.
[24] T. S. Yoo and S. Lafortune. Polynomial-time verification of diagnosability of partially observed discrete-event systems. IEEE Transactions on Automatic Control, 47(9):1491–1495, 2002.
[25] S. H. Zad, R. H. Kwong, and W. M. Wonham. Fault diagnosis in discrete-event systems: Framework and model reduction. IEEE Transactions on Automatic Control, 48(7):1199–1212, 2003.
[26] S. H. Zad, R. H. Kwong, and W. M. Wonham. Fault diagnosis in discrete-event systems: Incorporating timing information. IEEE Transactions on Automatic Control, 50(7):1010–1015, 2005.
[27] C. Zhou and R. Kumar. Computation of diagnosable fault-occurrence indices for systems with repeatable-faults. In Proceeding of 2005 IEEE Conference on Decision and Control and European Control Conference, Seville, Spain, December 2005.
