Proceedings of the 42nd IEEE Conference on Decision and Control Maui, Hawaii USA, December 2003
ThM05-4
Partial Order Diagnosability Of Discrete Event Systems Using Petri Net Unfoldings

Stefan Haar, Albert Benveniste, Eric Fabre, and Claude Jard
IRISA, Campus de Beaulieu, 35042 Rennes cedex, France. S.H., A.B., E.F.: INRIA; C.J.: CNRS. Corresponding author: [email protected]
This work was supported by the RNRT project magda, funded by the (French) Ministry of Research.
0-7803-7924-1/03/$17.00 ©2003 IEEE

Abstract

In truly asynchronous, distributed systems, neither global state nor global time is available. The diagnosis approach with Petri net unfoldings, motivated by the problem of event correlation in telecommunications network management and proposed in [10], uses only local states in combination with a partial order model of time. Here, we give a definition of weak and strong diagnosability in terms of partially ordered executions, and characterize diagnosable systems; the characterizing property can be effectively verified using a finite complete prefix of the net unfolding. Keywords: asynchronous diagnosability, Petri nets, unfoldings, alarm correlation.

1 Introduction

Failure diagnosis for discrete event systems is a crucial task in automatic control. The diagnosis problem has received much attention in the literature, see [3, 28, 29]. In the discrete event approach, system behavior is modeled as a regular language, and the system itself as well as the diagnoser are modeled as finite state machines (FSM) synchronized via observable events; faulty behavior is read from the state of the diagnoser. The key property that has to be verified by the setup (that is, the subset of observable letters and the FSMs involved) for this to work is diagnosability: there exists a constant n such that, whatever the circumstances, if a fault occurs now, the diagnoser reaches a state that indicates that fault in at most n steps from now. For the more formal definition, following Sampath et al. [27], let L be a prefix-closed language (the behavior of the system to be diagnosed) over the event alphabet A,
denote O ⊆ A the set of observable and UO := A \ O that of unobservable events. Denote P : A* → O* the projection to observable words, that is, the homomorphism that erases all unobservable events and leaves observable ones unchanged; moreover, let Φ ⊆ UO be the set of faults (see footnote 1). Then L is diagnosable iff there exists n ∈ ℕ such that, for any word L ∋ w = w′f with f ∈ Φ, any v ∈ A* such that wv ∈ L and |v| ≥ n satisfies

$$x \in P^{-1}[P(wv)] \;\Rightarrow\; |x|_\Phi \ge 1. \quad (1)$$
Here, |u| denotes total length, and |u|_Φ the number of fault events of word u. Condition (1) means that every behavior x that produces the same sequence of observable events as wv does contains at least one fault event: all extensions of w of at least length n will make the fault apparent. The present paper is motivated by the diagnosis of truly asynchronous systems, in which the above definition is not adequate as it stands. As typical examples, consider networked systems, such as shown in Fig. 1. There, the sensor system is distributed: several local sensors are attached to some nodes of the network (shown in black). Each local sensor has only a partial view of the system, and its local time is not synchronized with that of other sensors. Alarms are reported asynchronously to the global supervisor, depicted in grey, which performs diagnosis; this is the typical architecture in telecommunications network management systems today (see [21]). Even if the order of events may be correctly observed locally by each individual sensor, communicating alarm events via the network causes a loss of synchronization: as a result, the interleaving of events communicated to the supervisor is nondeterministic. The right picture of what the supervisor collects is thus a partially ordered set, rather than a sequence, of alarms; see the pattern formed by the squares in Figure 2. The system itself being distributed, we also have partially ordered scenarios of faults (circles in Figure 2) as candidates for explaining the alarm pattern observed by the sensors. That is, we need to compute, for diagnosis, partially ordered sets of events that may have occurred and, had they occurred, would have produced the observed pattern of alarms; note that each such partial order represents in its turn an equivalence class of sequences, thus passing to partial orders allows, in general, a substantial gain in efficiency. In a second step (not treated here), the likelihood of scenarios has to be compared, to select, among the scenarios offered by the model, the most probable explanation for the given observation; see [1, 15]. The present article contributes (i) a definition of diagnosability generalized to languages of partially ordered scenarios, and (ii) a characterization of diagnosability in the partial order framework.

[Figure 1. Supervision of networked systems]

[Figure 2. Alarms (squares) and faults (circles)]

[Figure 3. Running example (top), branching processes (bottom, right), and a configuration (bottom, left). The flow relation of occurrence nets progresses downwards; arrowheads are omitted. Panels: component 1, component 2.]

Footnote 1: for simplicity, we drop the generalization made in [27], with Φ further partitioned into fault types; the results given below extend to that case.
2 Petri Nets and branching processes

This paper, like the asynchronous diagnosis approach from [10], uses Petri nets (PNs) as its main tool (see [24, 3, 4]; for PNs in diagnosis, compare [16, 26, 13, 14]). Branching process unfoldings of PNs were originally proposed by Nielsen, Plotkin and Winskel [23], and used for model checking, see McMillan [22] and Esparza et al. [6, 7, 8]; they have been used for supervisory control in [19, 20]. Branching processes represent the set of executions of a Petri net in a net structure, using an asynchronous semantics with local states and partially ordered time. Common prefixes of executions are shared, and executions differing only in
some interleaving of independent transitions are represented only once; this meets the needs of asynchronous diagnosis, where some recorded alarm sequences differ only via the interleaving of concurrent alarms, hence it is desirable not to distinguish them, and similarly for the interleaving of concurrent faults.

Nets and homomorphisms. A net is a triple N = (P, T, →), where P and T are disjoint sets of places and transitions, and → ⊆ (P × T) ∪ (T × P) is the flow relation. With R* denoting the transitive closure of binary relation R, set ≼ := →* and ≺ := → ∘ ≼. For a node x ∈ P ∪ T, denote •x = {y : y → x} the preset and x• = {y : x → y} the postset of x; for X ⊆ P ∪ T, write •X = ⋃_{x∈X} •x and X• = ⋃_{x∈X} x•. A homomorphism from net N to net N′ is a map ϕ : P ∪ T → P′ ∪ T′ such that: (i) ϕ(P) ⊆ P′, ϕ(T) ⊆ T′, and (ii) for every node x of N, restricting ϕ to •x or x• gives a bijection between •x and •ϕ(x), or between x• and ϕ(x)•, respectively.

Occurrence nets. Two nodes x, x′ of N are in conflict, written x # x′, if there exist distinct transitions t, t′ ∈ T such that •t ∩ •t′ ≠ ∅ and t ≼ x, t′ ≼ x′. A node x is in self-conflict if x # x. An occurrence net (ON) is a net O = (B, E, →), with the elements of B called conditions and those of E events, satisfying the additional properties:
1. no self-conflict: ∀x ∈ B ∪ E : ¬[x # x];
2. ≼ is a partial order: ∀x ∈ B ∪ E : ¬[x ≺ x];
3. ∀x ∈ B ∪ E : |{y : y ≺ x}| < ∞;
4. no backward branching: ∀b ∈ B : |•b| ≤ 1.

Occurrence nets are useful to represent executions of Petri nets, see below: essential dynamical properties are visible via the topological structure of the bipartite graph, unlike for Petri nets. We assume that the set c0 := min(O) of minimal nodes of O is contained in B. Nodes x and x′ are concurrent, written x ⊥ x′, if neither x ≼ x′, nor x′ ≼ x, nor x # x′ hold. A co-set is a set X of concurrent conditions; if co-set X is maximal for set inclusion, call it a cut.

Petri nets. A marking of net N is a multi-set M : P → {0, 1, 2, ...} of places. A Petri net (PN) is a pair N = (N, M0), where N is a net with finite node set, and M0 an initial marking. t ∈ T is enabled at M, written M[t⟩, if M(p) > 0 for every p ∈ •t. If M[t⟩, t can fire, leading to M′ = M − •t + t•; write M[t⟩M′. The set R(M0) of reachable markings of N is the smallest set containing M0 and such that M ∈ R(M0) and M[t⟩M′ together imply M′ ∈ R(M0). Petri net N is safe if M(P) ⊆ {0, 1} for every M ∈ R(M0). We consider only safe Petri nets here, hence markings can be regarded as place sets.

Branching processes and unfoldings. A branching process of Petri net N is a pair B = (O, ϕ), where O is an occurrence net, and ϕ is a homomorphism from O to N, such that: (i) the restriction of ϕ to min(O) is a bijection between min(O) and M0 (the set of initially marked places), and (ii) for all e, e′ ∈ E, •e = •e′ and ϕ(e) = ϕ(e′) together imply e = e′. For B, B′ two branching processes, B′ is a prefix of B, written B′ ⊑ B, if there exists an injective homomorphism ψ from B′ into B, such that the composition ϕ ∘ ψ coincides with ϕ′. By theorem 23 of [5], there exists a unique (up to an isomorphism) ⊑-maximal branching process, called the unfolding of N and denoted U_N.

Configurations.
A sub-net κ of O (see footnote 2) is a configuration if (i) c0 ⊆ κ, (ii) κ is conflict-free (no two nodes are in conflict), (iii) κ is causally closed (if x′ ≼ x and x ∈ κ, then x′ ∈ κ), and (iv) all its ≼-maximal nodes are conditions. Hence a finite configuration κ terminates at a cut, which we denote c(κ) or c_κ. Denote the set of configurations as Conf. For an event e, denote as [e] the smallest configuration containing e, and as ⟨e⟩ the smallest configuration containing •e. For an event e ∉ κ such that •e ⊆ κ and such that no event in κ is in conflict with e, κ can be extended by e; in this case, one deduces easily that •e must be a co-set of ≼-maximal conditions in κ, and the extension κ • e := κ ∪ {e} ∪ e• is the smallest configuration that contains {e} ∪ κ. A maximal configuration w.r.t. set inclusion is called a run, and generically denoted ω. Two configurations κ and κ′ are compatible, written κ ∥ κ′, iff κ ∪ κ′ is a configuration; κ is a prefix of κ′, written κ ⊑ κ′, iff κ ⊆ κ′. Obviously, κ ⊑ κ′ implies κ ∥ κ′, but not vice versa. Note further that ∥ is not an equivalence relation: in Figure 3, take as κ0 the initial cut, κ1 := [α1], where α1 is the grey α-labeled event, and κ2 := [β], with β the only β-labeled event on the lower right hand side of Figure 3. Then κ0 ∥ κ1 and κ0 ∥ κ2, yet κ1 ∦ κ2. The height H(κ) of κ ∈ Conf is the length of the maximal chain of comparable events in κ; define H recursively as: (i) H(c0) = 0; (ii) for all e ∈ E : H(e) := H(⟨e⟩) + 1; and (iii) if κ ≠ c0, H(κ) := max{H(e) | e ∈ κ ∩ E}. A configuration κ is called progressive if for all configurations κ′ such that κ′ ∥ κ and H(κ) = H(κ′), κ′ ⊑ κ holds. In Figure 3, κ shaded in grey is progressive: H(κ) = 2, and any other configuration of that height is either a prefix of κ or incompatible. The notion of progressive configuration serves to distinguish behaviours according to the degree of "balance" in their distributed behaviour: in progressive behaviours, all sub-processes advance at an (approximately) equal pace, no local process is left behind. In Figure 3, not all configurations are progressive: take for example the sub-configuration of the grey κ with the v-labeled event chopped off. More drastically, the net has an infinite run with only β- and γ-labeled events; on this run, there is an infinity of non-progressive configurations.

Footnote 2: we will not distinguish between κ seen as a net and as a set of nodes, using set extensions etc. to operate on the corresponding nets, obtained as the induced subnets of the ambient net.
Only the occurrence of iv will lead to progressive configurations; in fact, this is the only progress possible in component 2 as long as i never fires. Note that our notion of progressive configuration captures the progress assumption often used in the literature on distributed algorithms, see [25] for an overview. In Figure 4, the situation is more symmetric with respect to both components: all configurations are compatible with the unique run; however, there are non-progressive configurations that can be decomposed into an infinite execution of one component and a finite execution of the other.

Running example: Fig. 3. The flow relation in Petri nets is depicted using directed arrows; in occurrence nets, by downward solid lines. A Petri net N is shown on the left, a branching process B = (O, ϕ) of N on the right hand side. Conditions are labeled by places, events by transitions. A configuration is shown in grey. The mechanism for constructing the unfolding of Petri net N is illustrated in the middle. Informally, take the three conditions labeled by the initial marking of N as the minimal branching process of N. Then, for each branching process B already constructed, select a co-set X of B that is labeled by the preset •t of some transition t of N and has no t-labeled event in its postset within B. Append to X a net isomorphic to •t → t → t• (recall that X is labeled by •t), and label its additional nodes by t and t•, respectively. One thus obtains recursively all possible finite branching processes of N; their union is the unfolding U_N.
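The construction just described, and the configuration notions of the previous paragraph (local configuration [e], height H, compatibility ∥, marking M(κ)), as an added Python prototype that is not code from the paper: it unfolds a small constructed safe net up to a height bound, selecting co-sets labelled by •t and appending t with its postset exactly as above. The net, its place and transition names (p1..p4, a..d) and all class and method names are assumptions made for this illustration.

```python
from collections import Counter
from itertools import product

# Constructed example net (not the paper's running example): component 1 is the
# cycle p1 -a-> p2 -b-> p1, component 2 is p3 -c-> p4, and transition d
# synchronises both by consuming {p2, p4} and producing {p1, p3}. It is safe.
PRE = {"a": {"p1"}, "b": {"p2"}, "c": {"p3"}, "d": {"p2", "p4"}}
POST = {"a": {"p2"}, "b": {"p1"}, "c": {"p4"}, "d": {"p1", "p3"}}
M0 = {"p1", "p3"}


class BranchingProcess:
    """Finite prefix of the unfolding of a safe net; phi is kept as node labels."""

    def __init__(self, pre, post, m0):
        self.pre, self.post = pre, post
        self.cond_place = sorted(m0)              # min(O) is labelled by M0
        self.cond_pre = [None] * len(m0)          # generating event, None if initial
        self.ev_trans, self.ev_pre = [], []       # transition label, preset of e
        self.local, self.height = [], []          # [e] as an event set, H(e)

    def consumed(self, events):
        """Multiset of the conditions lying in the preset of some given event."""
        return Counter(b for e in events for b in self.ev_pre[e])

    def below(self, conds):
        """Events strictly below the conditions: <e> when conds is the preset of e."""
        gens = {self.cond_pre[b] for b in conds} - {None}
        return frozenset().union(*(self.local[e] for e in gens))

    def is_configuration(self, events):
        """Causally closed and conflict-free (no condition consumed twice)."""
        closed = all(self.local[e] <= events for e in events)
        return closed and all(n == 1 for n in self.consumed(events).values())

    def compatible(self, k1, k2):   # kappa1 || kappa2
        return self.is_configuration(k1 | k2)

    def is_coset(self, conds):
        """Pairwise concurrent: neither causally ordered nor in conflict."""
        used = self.consumed(self.below(conds))
        if any(n > 1 for n in used.values()):     # two past events share a condition
            return False
        return not any(b in used for b in conds)  # a condition below another one

    def marking(self, config):
        """M(kappa): places labelling the cut reached after configuration kappa."""
        used = self.consumed(config)
        return {p for b, p in enumerate(self.cond_place)
                if b not in used and self.cond_pre[b] in config | {None}}

    def unfold(self, max_height):
        """Append every possible event of height <= max_height (fixpoint loop)."""
        seen = set()                               # (t, preset) pairs already present
        added = True
        while added:
            added = False
            for t in sorted(self.pre):
                cands = [[b for b, p in enumerate(self.cond_place) if p == place]
                         for place in sorted(self.pre[t])]
                for combo in product(*cands):      # candidate co-sets labelled by *t
                    X = frozenset(combo)
                    if (t, X) in seen or not self.is_coset(X):
                        continue
                    past = self.below(X)             # the configuration <e>
                    h = 1 + max((self.height[f] for f in past), default=0)
                    if h > max_height:
                        continue
                    e = len(self.ev_trans)
                    self.ev_trans.append(t); self.ev_pre.append(X); seen.add((t, X))
                    self.local.append(past | {e}); self.height.append(h)
                    for p in sorted(self.post[t]):   # the postset conditions e*
                        self.cond_place.append(p); self.cond_pre.append(e)
                    added = True
        return self


def demo(max_height=2):
    # Returns (events with heights, #conditions, [b] || [d] ?, marking after [b]).
    bp = BranchingProcess(PRE, POST, M0).unfold(max_height)
    b_ev, d_ev = bp.ev_trans.index("b"), bp.ev_trans.index("d")
    return (sorted(zip(bp.ev_trans, bp.height)), len(bp.cond_place),
            bp.compatible(bp.local[b_ev], bp.local[d_ev]), bp.marking(bp.local[b_ev]))
```

In this net [b] and [d] both consume the single p2-condition, so they are in conflict and not compatible, while [b] returns to the marking M0 without any observable event if a and b are unobservable; with b a fault, that is exactly a cycle of the kind the characterization in Section 4 rules out.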
3 Asynchronous Diagnosis

The central point for diagnosability will be labelling: assume a function λ : T → A, for A some non-empty alphabet. We will distinguish three frameworks: (I) λ assigns the empty word ε ∈ A to all invisible transitions, and some λ(t) ∈ A_o := A \ {ε} to all observable transitions; ε cannot be detected by the diagnoser. An alarm pattern is an A_o-labeled partially ordered set. This is the most general framework, allowing for erasing (i.e. labeling by ε) and ambiguity (the same label for distinct events). (II) In [10], ε is not an admissible value, yet different transitions may be assigned the same alarm; we have ambiguity, yet no erasing, and A_o = A. The asynchronous diagnosis problem is solved using diagnosis nets, introduced to express the solution of asynchronous diagnosis by using suitable branching processes: in [10], we compute branching processes of a product net obtained from N and an alarm pattern A, where A is given as a configuration (unbranched occurrence net) itself. The product glues together transitions of N with corresponding alarms in A (this is the synchronized product for Petri nets); the unfolding U_{N×A} thus obtained consists of all the explanations that N can give for A. In fact, the configurations κ of N that explain A are those for which U_{N×A} contains a corresponding configuration κ whose projection (i) to the alarm set yields A, and (ii) to N-nodes yields κ. (III) In this paper, we are less interested in ambiguity, so our framework does not allow it; we will consider only labelings that are injective on O, i.e. that can be seen as projections to O. In fact, the extension to (I) will yield not identical, but similar results as below; as it requires more technical work and additional concepts, we postpone this topic to an extended article.

Diagnosability. The task here is to identify the systems that can, in principle, be diagnosed by this approach, that is, to characterize diagnosability in terms of observability.
To formalize this, let UO := λ^{-1}(ε) and O := T \ UO be the set of unobservable and observable transitions, respectively, and Φ ⊆ T the set of faults to be diagnosed. Without loss of generality, Φ ∩ O = ∅: a fault that is indicated by an alarm need not be diagnosed; the diagnosis problem concerns silent faults, whose associated "alarm" is ε. Further, set E_Φ := ϕ^{-1}(Φ), E_O := ϕ^{-1}(O), and E_UO := E \ E_O. Denote as L := L(N) the set of N's finite configurations, and as L_pro the set of progressive configurations; observe that L and L_pro are prefix closed, and partially ordered by ⊑. For κ ∈ L let M(κ) be the marking obtained after κ, and κ_O the labeled partial order induced by κ on κ ∩ E_O, and write κ ∼_O κ′ iff κ_O and κ′_O are isomorphic; ∼_O is an equivalence. Further, let ∼_M, ∼_mo and ∼_Φ be the equivalences on L given by

$$\kappa \sim_M \kappa' \;\text{ iff }\; M(\kappa) = M(\kappa'),$$
$$\kappa \sim_{mo} \kappa' \;\text{ iff }\; [\kappa \sim_M \kappa' \wedge \kappa \sim_O \kappa'],$$
$$\kappa \sim_\Phi \kappa' \;\text{ iff }\; [\kappa \cap E_\Phi = \emptyset \Longleftrightarrow \kappa' \cap E_\Phi = \emptyset].$$

[Figure 4. Weakly but not strongly diagnosable]
Definition 1 (Diagnosability). N is called (strongly) diagnosable w.r.t. O and Φ iff there exists n ∈ ℕ such that for all κ_Φ ∈ L such that κ_Φ has a maximal event e ∈ E_Φ, every κ ∈ L such that κ_Φ ⊑ κ and H(κ) ≥ H(κ_Φ) + n satisfies:

$$\forall \kappa' \in L : \kappa' \sim_O \kappa \;\Rightarrow\; E_\Phi \cap \kappa' \ne \emptyset; \quad (2)$$

N is weakly diagnosable w.r.t. O and Φ if there exists n ∈ ℕ such that (2) holds for all κ ∈ L_pro. Strong diagnosability trivially implies weak diagnosability. Figure 4 illustrates that the converse is not true: suppose β is a fault event to be detected, O = {α}, and for n ∈ ℕ, let κ_n be the smallest configuration such that (i) β never occurs on κ_n, and (ii) δ occurs exactly n times on κ_n. Then the height of κ_n is H(κ_n) = 2n + 1, yet κ_n ∼_O κ_1, so the system is not strongly diagnosable. On the other hand, the κ_n are not progressive; since all progressive configurations of height at least 2k + 1 contain at least k instances of α ∈ O, the system is weakly diagnosable.
4 Characterization of Diagnosability

Diagnosability is violated iff the system is able to perform two indiscernible, non-fault-equivalent cycles. That is, if there are O-equivalent configurations κ_1 and κ_2 having O-equivalent extensions κ′_1 and κ′_2 such that κ′_i leads to the same marking M_i, and such that κ′_1 and κ′_2 are not Φ-equivalent; then the system may repeat that cyclic behavior indefinitely, without a decision about occurrence of faults.

Theorem 1. N is strongly diagnosable w.r.t. O and Φ iff, for all κ_1, κ_2, κ′_1, κ′_2 ∈ L, it holds that:

$$\left.\begin{array}{l} \kappa_1 \sim_O \kappa_2 \;\wedge\; \kappa_1' \sim_O \kappa_2' \\ \kappa_1 \ne \kappa_1' \\ \forall i \in \{1,2\} : \kappa_i \sim_M \kappa_i',\; \kappa_i \sqsubseteq \kappa_i' \end{array}\right\} \;\Rightarrow\; \kappa_1' \sim_\Phi \kappa_2'. \quad (3)$$

N is weakly diagnosable w.r.t. O and Φ iff (3) holds restricted to configurations from L_pro.

Proof: We show the strong diagnosability case; the characterization of weak diagnosability is obtained replacing L by L_pro. Let κ_i ⊑ κ′_i and κ_i ∼_M κ′_i, i ∈ {1, 2}, such that (3) is violated; without loss of generality, κ′_1 ∩ E_Φ ≠ ∅ and κ′_2 ∩ E_Φ = κ_2 ∩ E_Φ = ∅. Then (i) κ′_i is the concatenation κ′_i = κ_i ∘ µ_i of κ_i with a configuration µ_i of N restarted with M0 replaced by M(κ_i), and such that µ_i contains at least one event, (ii) µ_2 ∩ E_Φ = ∅, and (iii) M(κ′_i) = M(κ_i). From this, it follows that a copy of µ_i can be appended to κ′_i as well, and so forth; let κ_i^k be the configuration obtained after appending k copies of µ_i to κ_i. Observe that

$$H(\kappa_i^k) \;\ge\; \max\big(k \cdot H(\mu_i),\; H(\kappa_i)\big). \quad (4)$$

Since H(κ_i^k) → ∞ as k → ∞, and since we have, by construction, κ_2^k ∩ E_Φ = ∅ and κ_2^k ∼_O κ_2, it follows from (4) that (2) is violated. For the "if" part, suppose (2) does not hold in L, i.e. for every n ∈ ℕ, there exists a configuration κ(n) ∈ L such that (i) some e ∈ E_Φ is ≼-maximal in E ∩ κ(n), and (ii) there exist κ_1(n), κ_2(n) ∈ L such that

$$\kappa(n) \sqsubseteq \kappa_1(n), \quad (5)$$
$$H(\kappa_1(n)) \ge H(\kappa(n)) + n, \quad (6)$$
$$\kappa_2(n) \sim_O \kappa_1(n) \;\text{ and }\; \kappa_2 \cap E_\Phi = \emptyset. \quad (7)$$

Suppose first that one can choose κ_1 ⊑ κ′_1 ⊑ κ_1(n) such that κ_1 ∼_mo κ′_1 and κ_1 ≠ κ′_1; then we are done, taking κ′_2 := κ_2. So suppose that

$$[\kappa_1 \sqsubseteq \kappa_1' \sqsubseteq \kappa_1(n) \;\wedge\; \kappa_1 \sim_{mo} \kappa_1'] \;\Rightarrow\; \kappa_1 = \kappa_1'. \quad (8)$$

For any κ_1 ⊑ κ_1(n), let U(κ_1, n) be the set of configurations κ_2 ⊑ κ_2(n) such that κ_2 ∼_O κ_1. For any reachable marking M of N, let S_1(M, n) be the set of configurations κ_1 such that (i) κ_1 ⊑ κ_1(n) and (ii) M(κ_1) = M. Let K ∈ ℕ be the number of reachable states of N. Then for all n > K, there is at least one marking M such that |S_1(M, n)| ≥ 2; repeating the argument, one finds using (8) that for all n > K² there exists a marking M such that |S_1(M, n)| > K. With

$$U_2(M, n) := \{\kappa_2 \in L,\; \kappa_2 \sqsubseteq \kappa_2(n) \;\mid\; \exists \kappa_1 \in S_1(M, n) : \kappa_1 \sim_O \kappa_2\},$$

we thus have |U_2(M, n)| > K. This in turn implies that there exist κ_2, κ′_2 ∈ U_2(M, n) such that κ_2 ≠ κ′_2 and κ_2 ∼_M κ′_2. Then, by construction, there must be κ_1, κ′_1 ∈ L such that (i) κ_1 ∼_O κ_2, (ii) κ′_1 ∼_O κ′_2, (iii) κ_1 ⊑ κ′_1 ⊑ κ_1(n) and (iv) M(κ_1) = M(κ′_1) = M; hence (3) is violated, q.e.d.

Complete prefix. A 1-safe net has only finitely many reachable markings (in fact, its reachability graph can be seen as a finite automaton). As a consequence, all infinite runs of the unfolding will repeatedly pass through states that have already been visited before; conversely, there exist finite prefixes of the unfolding that contain already all information about the possible behaviours of the net. This is what allows using branching processes in Model Checking [6, 7, 8, 22]; the different ways of obtaining and optimizing the complete prefix have received considerable attention in the literature, see [18] for a comprehensive treatment. Call a prefix B UO-cycle complete (or complete
for short) iff for all finite configurations κ of N, there exist κ_1, κ_2 ∈ Conf(B) such that (i) κ_1 ≠ κ_2, (ii) κ ∼_M κ_1 ∼_M κ_2, (iii) κ_1 ⊑ κ_2 and (iv) κ_1 ∼_O κ_2. Such a prefix is sufficient to verify the diagnosability criterion of Theorem 1, see Fig. 5.

[Figure 5. A UO-cycle-complete prefix for Fig. 3]
Example. Consider again Figure 3, with the extension in Figure 5. Let Φ := {β, η}; hence O ⊆ {α, γ, δ, ζ}. We ask which choices of O make N strongly diagnosable. First, assume a configuration κ contains an event labeled η. Then no extension of κ can contain more occurrences of δ than κ, and at most one further occurrence of α. In this way, one finds that N is weakly diagnosable, whatever the choice of O; moreover, making α observable seems to be a good start for obtaining strong diagnosability as well. However, although α appears central to the system, choosing O = {α} does not ensure diagnosability: the cycle with transitions β and γ can perform any number of turns without waiting for progress in other parts of the net. To detect η, one therefore has to include γ in O; obviously, γ is also sufficient to detect β. In Figure 5, the γ-labeled events are highlighted. Inspection of all cases shows: N from Figure 3 is diagnosable iff γ ∈ O.

Efficiency. In many situations, exhibiting a very high degree of parallelism combined with a moderate degree of branching behavior, B can be considerably smaller than the reachability graph of N, that is, the automaton representation of N; in particular, the more parallelism there is in the application, the more is gained from the partial order representation. The computational complexity of the unfolding approach will thus compare favorably to the polynomial complexity of diagnosability verification shown in [31].
5 References

[1] A. Benveniste, E. Fabre, and S. Haar. Markov nets: probabilistic models for distributed and concurrent systems. INRIA Report 4235, 2002; http://www.inria.fr/rrrt/rr-4253.html
[2] A.T. Bouloutas, S. Calo, and A. Finkel. Alarm correlation and fault identification in communication networks. IEEE Trans. on Communication 42(2-4), 1994.
[3] C. Cassandras and S. Lafortune. Introduction to discrete event systems. Kluwer Academic Publishers, 1999.
[4] J. Desel and J. Esparza. Free Choice Petri Nets. Cambridge University Press, 1995.
[5] J. Engelfriet. Branching Processes of Petri Nets. Acta Informatica 28:575–591, 1991.
[6] J. Esparza. Model Checking Using Net Unfoldings. Science of Computer Programming 23:151–195, 1994.
[7] J. Esparza, S. Römer, and W. Vogler. An improvement of McMillan's unfolding algorithm. Formal Methods in System Design 20(3):285–310, 2002.
[8] J. Esparza and S. Römer. An unfolding algorithm for synchronous products of transition systems. Proc. CONCUR'99, LNCS 1664, Springer Verlag, 1999.
[9] E. Fabre, A. Benveniste, C. Jard, L. Ricker, and M. Smith. Distributed state reconstruction for discrete event systems. Proceedings CDC'2000.
[10] E. Fabre, A. Benveniste, C. Jard, and S. Haar. Diagnosis of Asynchronous Discrete Event Systems, a Net Unfolding Approach. IEEE Trans. Aut. Control 48(5):714–727.
[11] E. Fabre, A. Benveniste, and C. Jard. Distributed diagnosis for large discrete event dynamic systems. IFAC Cong. 2002.
[12] R.G. Gardner and D. Harle. Methods and systems for alarm correlation. GlobeCom 1996.
[13] A. Giua. Petri net state estimators based on event observation. Proc. CDC 1997.
[14] A. Giua and C. Seatzu. Observability of Place/Transition Nets. IEEE Trans. Aut. Control 47(9):1424–1437, 2002.
[15] S. Haar. Probabilistic Cluster Unfoldings. Fundamenta Informaticae 53(3-4):281–314, 2002.
[16] C.N. Hadjicostis and G.C. Verghese. Monitoring discrete event systems using Petri net embeddings. Proc. 20th ICATPN, LNCS 1639:188–208, Springer Verlag, 1999.
[17] I. Katsela, A.T. Bouloutas, and S. Calo. Centralized vs distributed fault localisation. Integrated Network Management IV, A.S. Sethi, Y. Raynaud, F. Faure-Vincent (eds.), 251–261. Chapman and Hall, 1995.
[18] V. Khomenko, M. Koutny, and W. Vogler. Canonical Prefixes of Petri Net Unfoldings. Proc. CAV 2002, LNCS 2404:582–595, Springer Verlag, 2002.
[19] K.X. He and M.D. Lemmon. Liveness verification of discrete-event systems modeled by n-safe Petri nets. Proc. 21st ICATPN 2000, LNCS 1825:227–243, Springer Verlag.
[20] K.X. He and M.D. Lemmon. On the existence of liveness-enforcing supervisory policies of discrete-event systems modeled by n-safe Petri nets. Proc. IFAC'2000 Conf. on Cont. Syst. Design, special session on Petri nets.
[21] MAGDA project. See URL: http://magda.elibel.tm.fr
[22] K. McMillan. Using Unfoldings to avoid the state explosion problem in the verification of asynchronous circuits. 4th Workshop on Computer Aided Verification, 164–174, 1992.
[23] M. Nielsen, G. Plotkin, and G. Winskel. Petri nets, event structures, and domains, Part I. Theor. CS 13:85–108, 1981.
[24] W. Reisig. Petri nets. Springer Verlag, 1985.
[25] W. Reisig. Elements of Distributed Algorithms. Modelling and Analysis with Petri Nets. Springer Verlag, 1998.
[26] A. Sahraoui, H. Atabakhche, M. Courvoisier, and R. Valette. Joining Petri nets and knowledge-based systems for monitoring purposes. Proc. IEEE Int. Conf. on Robotics Automation, 1160–1165, 1987.
[27] M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen, and D. Teneketzis. Diagnosability of discrete-event systems. IEEE Trans. Aut. Control 40(9):1555–1575, 1995.
[28] R. Sengupta. Diagnosis and communications in distributed systems. Proceedings WODES 1998, 144–151.
[29] S. Tripakis. Undecidable problems of decentralized observation and control. Proceedings CDC 2001.
[30] G. Winskel. Event structures. Advances in Petri nets, LNCS 255:325–392, Springer Verlag, 1987.
[31] T. Yoo and S. Lafortune. Polynomial-Time Verification of Diagnosability of Partially-Observed Discrete-Event Systems. IEEE Trans. Aut. Control 47(9):1491–1495, 2002.
[32] T. Yoo and S. Lafortune. NP-completeness of Sensor Selection Problems Arising in Partially-Observed Discrete-Event Systems. IEEE Trans. Aut. Control 47(9):1495–1499, 2002.