IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 56, NO. 7, JULY 2011

1551

On Codiagnosability and Coobservability With Dynamic Observations Weilin Wang, Senior Member, IEEE, Anouck R. Girard, Stéphane Lafortune, Fellow, IEEE, and Feng Lin, Fellow, IEEE

Abstract—Codiagnosability and coobservability in discrete event systems where observations are dynamic are considered. Instead of having a fixed set of observable events, the observation of an event is dynamic (trace-dependent) in this paper. A procedure is developed to transform the problem of coobservability to the problem of codiagnosability in the context of dynamic observations. This proves that problems of coobservability are transformable to problems of codiagnosability and enables us to leverage the large literature available for codiagnosability to solve problems of coobservability. Furthermore, in the case of dynamic observations, the known polynomial-complexity tests for the property of codiagnosability based on verifier automata with fixed observable event set(s) are no longer directly applicable. A new testing procedure is developed that can handle transition-based dynamic observations and remains of polynomial complexity in the state space of the system. This new testing procedure employs a covering of the state space of the system based on cluster automata, which enhances its computational efficiency. Based on cluster automata, a new type of verifier automaton is built, called the C-VERIFIER, for verification of codiagnosability. As an application of the above mentioned transformation, the C-VERIFIER becomes a unified method for verifying both codiagnosability and coobservability.

Index Terms—Discrete event systems (DES), diagnosability, observability.

I. INTRODUCTION

In many applications of discrete event systems (DES), the agents’ observations of the system are not only dependent on particular events but also on system dynamics. We consider the properties of codiagnosability and coobservability in DES in the case of dynamic observations in this paper. Codiagnosability arises where agents are trying to infer the past occurrence of a significant unobservable event (e.g., a fault event), based on their own observations of the system behavior and based on the system model. Coobservability determines whether or not agents are able to make enough observations such that control conflicts can be resolved.

Manuscript received May 01, 2009; revised October 28, 2009; accepted January 14, 2011. Date of publication January 28, 2011; date of current version July 07, 2011. This work was supported in part by the U.S. Air Force Research Laboratory (AFRL) under Grant FA 8650-07-2-3744 and by the National Science Foundation (NSF) under Grant ECCS-0624821, Grant CNS-0930081, and Grant ECCS-0624828. Recommended by Associate Editor S. Haar. W. Wang and A. R. Girard are with the Department of Aerospace Engineering, University of Michigan, Ann Arbor, MI 48109 USA (e-mail: weilinw@umich.edu; [email protected]). S. Lafortune is with the Department of Electrical Engineering and Computer Science, University of Michigan, Ann Arbor, MI 48109 USA (e-mail: [email protected]). F. Lin is with the Department of Electrical and Computer Engineering, Wayne State University, Detroit, MI 48202 USA (e-mail: [email protected]). Digital Object Identifier 10.1109/TAC.2011.2108410

The properties of codiagnosability and coobservability are addressed separately in the literature. The study of event diagnosis started with the work in [1], [2] for the centralized case and in [3] for the decentralized case. This problem has received considerable attention since then; see, e.g., [4]–[7]. In the centralized case, the property of diagnosability was defined and investigated. Its corresponding version in the case of decentralized-information systems is now termed codiagnosability and was first presented as “diagnosability under Protocol 3” in [3]. In parallel, several works have addressed control problems under partial observation; see, e.g., [8]–[14]. The DES-theoretic properties of observation that we consider in this paper are termed observability [8] for centralized systems and coobservability [9], [11] for decentralized systems. Almost all of the published literature on both (co)diagnosability and (co)observability is concerned with the case where the sets of observable events for the agents are fixed a priori. In this case, an efficient methodology for testing the properties of diagnosability and codiagnosability off-line based on verifier automata has been developed for centralized systems with a single diagnosing agent [15], [16] and for decentralized systems with several diagnosing agents that do not communicate among each other [17], [18]. Diagnosability and codiagnosability can also be tested using diagnoser automata, as shown in [2], [3]. Verifier automata have the advantage that their state space is in worst-case polynomial in the state space of the system model. Such an efficient test is required in design problems where one wishes to optimize the sets of events observable for each agent off-line for instance. Note that diagnoser automata must still be constructed for performing event diagnosis on-line during the operation of the system. 
For observability, an efficient off-line testing method is developed in [19] and it is extended to testing coobservability based on M-Machines in [20]. Recently, there has been interest in studying observation problems in situations where the sets of observable events at each agent are not fixed a priori, but rather the observation of an event is trace-dependent: the same event could be observable along one path of the system, but unobservable along another path. This situation is termed “dynamic observation.” It occurs in sensor activation problems where each agent can turn its sensors on/off dynamically during the evolution of the system, as considered in [21]–[23] for diagnosability and codiagnosability and in [24] for observability and coobservability, for instance. It also occurs in distributed systems where agents can communicate with one another to exchange information about event occurrences [25]–[31]; an event occurrence is observable to an agent when the agent can either directly observe the event or will learn about the occurrence from another agent who has observed it.

0018-9286/$26.00 © 2011 IEEE


The research on dynamic observations, either in the context of event diagnosis or in the context of control problems, has been motivated by many considerations, including sensors with limited energy, limited bandwidth for communication from sensors to agents or among agents, or security issues about communication. Essentially, while an event is deemed “observable”, it may not be desirable to enforce that every occurrence of it be observable. Our first original contribution is to show that a given problem of coobservability may always be transformed to a problem of codiagnosability in language-based dynamic observations. In the DES community, it is generally believed that the problems of observability and coobservability are more complicated than the problems of diagnosability and codiagnosability [28]. This intuition comes from the fact that diagnosability and codiagnosability are usually considered as properties of open loop systems and, thus, do not consider interdependencies of observation and control actions. However, we show that the problems of observability and coobservability are transformable to the problems of diagnosability and codiagnosability. This unifies existing DES frameworks and means that results developed for the problems of diagnosability and codiagnosability are also applicable to the problems of observability and coobservability. For example, the verification method of codiagnosability presented in Section VI of this paper can be extended to the verification of coobservability for a system of multiple agents. Also, the sensor activation methods for preserving diagnosability presented in [22], [23] can be used for solving similar problems for observability. The analogy between coobservability and codiagnosability can also be appreciated by the use of similar inference-based architectures in [32], [33]. 
In transition-based dynamic observations, the observability of event occurrences is defined over the transition structure of the automaton model. Our second original contribution is to solve the problem of testing codiagnosability under transition-based dynamic observations in polynomial time for a fixed number of agents. The corresponding test for diagnosability follows as a special case. A verifier for diagnosability under dynamic observations is presented in [22], where the method is based on the fact that the dynamic observations are given by a deterministic observer. However, the deterministic observer in [22] is different from the transition-based dynamic observation model used in this paper. The dynamic versions of the properties of observability and coobservability also have been considered in [24] in the context of sensor activation. Polynomial testing methods for transition-based dynamic observations are developed in [34] for observability and in [35] for coobservability of two-agent systems. Because the observations for different occurrences of the same event can be different for an agent, testing properties such as codiagnosability and coobservability in the case of dynamic observations is more intricate than may appear at first glance. In the case of coobservability, recent work in [35] shows that while the methodology of the so-called M-machine in [20] for fixed observable event sets can be extended to handle dynamic observations (referred to as transition-based coobservability in that paper), the required modified M-machine is considerably more complex and “a non-trivial extension of the work in [20]” [35]. The same comment applies to the property of codiagnosability and to the contributions of this paper vis-à-vis the algorithms in [17], [18]. The verification approach adopted in this paper is different from the one chosen by [35] for extending the results of [20], in the case of the property of coobservability, to transition-based dynamic observations. It is also different from the work in [34], where a method is presented for transforming the verification of “transition-based observability” to a state disambiguation problem. Specifically, inspired by the notion of state clusters introduced in [34], we employ cluster automata as the basic element for computation, instead of the original states of the automaton model. A cluster automaton is a subautomaton of the system model whose initial state is a state of the system that is entered by an observed event occurrence, and whose states and transitions correspond to the reach of unobserved event occurrences from its initial state. The number of cluster automata is no larger, and usually smaller, than the number of states of the system. We then proceed to build the so-called C-VERIFIER, which is a nondeterministic automaton of polynomial complexity in the set of cluster automata of the system; we show how to use the C-VERIFIER for testing the property of codiagnosability under dynamic observations.

This paper is organized as follows. We present the system model and the concept of observation mapping and information mapping for capturing dynamic observation situations in Section II. Then, we present the definitions of diagnosability and codiagnosability to accommodate information mappings in Section III. After that, procedures are presented to transform the problems of coobservability to the problems of codiagnosability in Section IV. It is followed by their application in solving problems that are related to coobservability in Section V.
After introducing the notion of cluster automata, the C-VERIFIER for testing codiagnosability under dynamic observations is presented in Section VI. Then, the examples that illustrate the C-VERIFIER algorithm are presented in Section VII. A brief conclusion follows in Section VIII.

II. SYSTEM MODEL AND INFORMATION MAPPING

A. System Model

A deterministic finite-state automaton model is used to describe untimed DES. It is defined as , where is the finite set of states; is the finite set of events; is the transition function and means that there is a transition labelled by event from state to state ; and is the initial state. The transition function is extended to and in the usual way as, for , . We assume that is accessible. The language generated by is denoted by . The set of transitions of is defined by . The prefix-closure of a string , denoted by , is the set . is the set of all natural numbers including 0. In a string with , superscript at the event means that consecutively occurs times.


Diagnosis is implemented by a set of local diagnosing agents. We assume that there is a set of local diagnosing agents . Each agent can observe a subset of events . is used to denote the set of events that are potentially observable by at least one diagnosing agent. is the set of always unobservable events in .

B. Language-Based Dynamic Observations

We present a language-based model of dynamic observation, in which the agents’ observations of the system depend on both the event which is observed and the trajectory which is followed. Whether or not an event occurrence is observable by agent , , is described by the following observation mapping . Specifically, for a trajectory , is the subset of corresponding to the events that are observable after . Using the observation mapping , we define the corresponding information mapping (or projection) recursively as follows. For the empty string , , and for all with , if , otherwise. In words, after the occurrence of , the next event is seen or observed by agent when it occurs after if and only if it is . Therefore, if a string occurs in , diagnosing agent in will see . The range of is instead of because agent may know some occurrences of when other agents communicate such information to it. For a centralized system which has only one agent, and are the observation mapping and information mapping corresponding to that agent, respectively. A communication policy is a function that determines whether or not agent communicates the occurrence of events after to agent for all events , , and nonempty traces , [30], [31]. Agent is able to communicate the occurrence of after to other agents only if it directly observes the occurrence of after or if some other agent who observes after communicates such information to . Different communications for the same event after different traces cause dynamic observations.

A sensor activation policy is a function that determines whether or not agent activates a sensor for observing event after trace , for all nonempty traces and [23], [24]. Agent is able to activate a sensor to observe only if is potentially observable to agent , i.e., . Turning on/off sensors for the same event after different traces causes dynamic observations. Besides communication and sensor activation, some observations are naturally dynamic, as shown in the following example.

Example 1: We consider a military operation scenario, whose simplified discrete event system model is given in Fig. 1. Suppose that we know there is a hidden hostile missile launcher, which has a radar for guiding the missile, in a region , but we do not know the precise position of the launcher. In addition, suppose we have a reconnaissance unmanned aerial vehicle (UAV), an attacker, and a jammer. The reconnaissance UAV is able to enter or leave region . The goal of the hostile side is to launch a

Fig. 1. System G for Example 1.

missile to attack, whereas our goal is to disable the hostile missile launcher. In this scenario, the corresponding event set is , where : reconnaissance UAV enters region , : reconnaissance UAV leaves region , : hostile side starts to set missile launcher, : hostile side turns on launcher radar, : jammer jams hostile radar, : jammer unjams hostile radar, : attacker disables hostile radar, : hostile side launcher becomes ready, : a time threshold has passed since hostile side turned on radar, : hostile side radar becomes ready, and : hostile side launches a missile. Suppose that the set of controllable events is and the set of uncontrollable events is . For the hostile side to successfully launch a missile, it needs to complete all events (tasks) , , , , and . Events need not necessarily occur in this order, but must occur before all other events, must occur before , and must occur after all other events. Consequently, to prevent the system from ending up at state 22, at which the hostile side has launched a missile, we either disable the launcher (enabling ) or jam the radar (enabling event ) before occurs. We want to prevent event from occurring at states 11 and 18. However, since and are uncontrollable, we need to disable at states 8 and 20 at the latest, and we also need to disable at states 10 and 15; this is achieved by enabling at these states (this explains why and are included in ). Since the missile launcher is hidden, we are only able to disable it after the hostile side has started to set the launcher (after an occurrence of ). The hostile side needs to turn on again its radar after the radar is jammed and then unjammed. Our goal is achieved if the system ends up at state 9, which is marked by double circles in Fig. 1. In this scenario, observations of events are dynamic. Since the reconnaissance UAV is not in the region when the system is at state 0, we cannot observe the occurrence of at state 0. Therefore, we are not able to evaluate how long the hostile side has prepared its launcher and are not able to observe the occurrence of event at states 15 and 16. On the other hand, since the reconnaissance UAV is in the region when the system is at state 1, we are able to observe the occurrence of at state 1. Thus, we are able to evaluate how long the hostile side has prepared its launcher and able to observe the event at states 4, 5, and 10. The observations for events and are also dynamic. An occurrence of event is only observed when the corresponding sensor for detecting the radar signal is activated, and whether or not an occurrence of event is observed depends on the observation of the most recent occurrence of event .

C. Transition-Based Dynamic Observations

Given a cyclic automaton , the cardinality of language is infinite. For efficiently solving problems that relate to sensor activation or communication of event occurrences, it is convenient to consider sensor activation policies or communication policies defined over a finite domain. Setting dynamic observations to be a subset of the transitions of is a commonly used approach for such a purpose [24], [30], [31]. Moreover, as shown in Example 1, some observations are naturally transition dependent. In transition-based dynamic observations, event strings that end up at the same state of the modeling automaton need to have the same observation mapping. In this context, for a given system and set of agents , we consider the observation mappings that satisfy . The observation mapping of agent with such restrictions can be described by the set . And . For the convenience of presentation, transition-based dynamic observation can also be specified by an index function [30], [31]. The subset of transitions that can be observed by is specified by . Here means that the transition is observable to diagnosing agent , i.e., . This is to say, for all strings , and implies that the occurrence of event right after string is observable to agent . And means that it is not or, equivalently, . Using the index function, what can be seen by each diagnosing agent can be described by the following information mapping (or projection) : where denotes the empty string, if , if .

III. DIAGNOSABILITY AND CODIAGNOSABILITY UNDER INFORMATION MAPPINGS

Whenever a sensor activation or communication policy is given, the agents’ observations of the system are captured by the corresponding information mappings, defined in Section II. The set of fault events which should be diagnosed is denoted by . The objective is to identify the occurrence of events, if any, in the set of fault events by tracking the observed traces generated by the system. The set of fault events is partitioned into disjoint sets corresponding to different fault types: . This partition is denoted by . Hereafter, the meaning of “a fault of type has occurred” is that some event in the set has occurred.

We recall some notations from [2]. is used to denote that the last event of a trace is a fault event of type . That is, . denotes the postlanguage of after , i.e., . With a slight abuse of notation, we write to denote that . For an event string , is the number of event occurrences in . For a set , is the cardinality of . A language is live if, for all and , there exists a string with , such that . We assume that is live when diagnosability and codiagnosability are considered. The definition of diagnosability in [2] for a fixed set of observable events is extended to the case of dynamic observations in [23] (i.e., information mappings) as follows:

Definition 1: A prefix-closed and live language is said to be diagnosable with respect to and on if the following holds:

where the diagnosability condition is

The definition of diagnosability says that, for any string in which contains any type of fault events, the diagnosing agent can distinguish that string from strings that do not contain that type of fault events within finite delay. Codiagnosability [3], [17], [18] is an extension of diagnosability to a decentralized system of distributed diagnosing agents. It says that for any string in the system that contains any type of fault event, at least one local diagnosing agent can distinguish that string from strings without that type of fault events, within finite delay. The definition of codiagnosability in the context of information mappings is recalled from [23].

Definition 2: A prefix-closed and live language is said to be codiagnosable with respect to , , and on if the following holds:

(1)

where the codiagnosability condition is

We say that a prefix-closed and live language is codiagnosable for fault type with respect to , , if (1) holds for a fixed in . Clearly, diagnosability is a specific case of codiagnosability with only one diagnosing agent. Therefore, from now on, we consider only the property of codiagnosability.

Remark 1: Definitions 1 and 2 presented above are based on the information mapping (or in the decentralized case). While we defined from observation mapping in Section II-B and restricted to transition-dependent index functions in Section II-C, we note that Definitions 1 and 2 can still be used when and are not subject to such a transition-dependent restriction, since these definitions are language-based.


IV. TRANSFORMATION ALGORITHMS

In this section, we present methods to transform the problem of coobservability to the problem of codiagnosability. Thus, as shown in Sections V and VII-B, results related to diagnosability and codiagnosability are applicable for solving observability and coobservability problems. The goal of decentralized supervisory control is to find local supervisors such that the supervised system, denoted by , generates the legal language , that is, . For a partially observable system, the notion of coobservability is used to classify whether or not local controllers are able to make sufficient observations of the system such that the correct control decisions can be made. As shown in [11], the two necessary and sufficient conditions for the existence of local supervisors are controllability and coobservability. The controllability condition for decentralized systems is the same as its centralized counterpart and is simple to check. What makes the problem of decentralized control more intricate than its centralized counterpart is that local agents can have different observations of the system. Because of such differences, different control decisions have to be made by different controllers for common controllable events after the same trajectory. This is captured by the notion of coobservability. In [11], the natural projection (see [8]) is used to describe the controller’s observation of the system. The natural projection is extended to the general mapping in [35]. Let , , be the set of events that are controllable to agent and be the set of controllable events, and let , , be the observation mappings defined on language . For an event , is the set of agents that are able to control , i.e., . Suppose is the automaton that generates language . Formally, for a system under dynamic observation that is described by observation mappings , , the definition of coobservability is as follows.

Definition 3: A prefix-closed language is coobservable with respect to , , and , , if, for all and with , the existence of with for all implies that , where is the information mapping for supervisor corresponding to .

Remark 2: The observation mappings are defined only on language instead of because, if the system is coobservable and controllable, all traces in are eliminated by control.

Without loss of generality, we assume that is a subautomaton of , denoted by . We can always change the automaton representation of and to achieve this goal. For given automata and with , and a controllable event , suppose and , , , . Let and . We construct the automaton by Algorithm COOBS-TO-CODIAG-I as follows.

Algorithm COOBS-TO-CODIAG-I

Step 0: Set . Add state to state space of .

Step 1: Then, add self-loop into , i.e., .


Step 2: For all , if , add transition to with ; if , add transition to with .

Step 3: Add an observable self-loop with event label at each state that is a deadlock state in .

Step 4: For all , specify observation mapping for as follows. For all but , set . For all , set . For all , and , set and .

Remark 3: We note that, for all , holds, namely, the specification of is free from any structural restrictions. Hence, the transformation algorithm works for language-based dynamic observations. The purpose of Step 3 is to make the language generated by live. The information mapping corresponding to is denoted by .

Remark 4: In Algorithm COOBS-TO-CODIAG-I, the transformation is done individually for each of the controllable events in the original system. We added state and an observable self-loop with event label at state . Since , an occurrence of controllable event needs to be disabled at state iff transition but . For each state where needs to be disabled, we connect that state to state using unobservable fault event . For each state where should not be disabled, we connect that state to state using unobservable event . In this way, for two arbitrary traces and , if the controller needs to disable after but should not disable after , we have implies for all . Consequently, if two traces and cannot be distinguished by any agent and cause a control conflict in the original system, they cause a violation of codiagnosability in the transformed system, and vice-versa. With the above construction, we have the following theorem about the transformation.

Theorem 1: Language is coobservable with respect to language , controllable event sets , , and dynamic observations given by observation mappings , , iff, for all , is codiagnosable for the set of diagnosing agents with respect to the dynamic observation given by , , and the set of fault events .
Proof: Suppose that, for some , is not codiagnosable for the set of diagnosing agents with respect to the dynamic observation that is specified by , , and fault event . We have, by definition

Since, by Step 4 of the construction of , the occurrences of event are always observable, we have . For the same reason, we write and, then, have . Therefore, we have


. Furthermore, by Step 2 of the construction, we have , with but and, for all , , with , . Therefore, is not coobservable. Suppose that is not coobservable with respect to , , and , . We have

By Step 2 and Step 4 of the construction of and , we have , and . Then, we have , for all . Hence, is not codiagnosable for the set of agents with respect to the dynamic observation that is specified by , , and the set of fault events .

We have the following theorem for the worst-case complexity of Algorithm COOBS-TO-CODIAG-I.

Theorem 2: If is a subautomaton of , the worst-case computational complexity for the transformation of the coobservability problem to the codiagnosability problem using Algorithm COOBS-TO-CODIAG-I is .

Proof: The computational effort at Steps 0 and 1 is a constant. At Step 2, for each state , we examine whether or not and is defined at and, if necessary, add transition or at state . Therefore, the worst-case computational effort for this step is in the order of . At Step 3, the number of deadlock states cannot exceed . At Step 4, we set events and to be always unobservable and the events and to be always observable. Other than this, we copy the observation mappings of and then paste them to . Therefore, the worst case computational complexity of Algorithm COOBS-TO-CODIAG-I is . We need to run Algorithm COOBS-TO-CODIAG-I for times. Consequently, the worst-case complexity of the transformation using Algorithm COOBS-TO-CODIAG-I is .

However, to show that the problem of coobservability is transformable to the problem of codiagnosability, we need to transform the problem of coobservability to the problem of codiagnosability of a single automaton. This can be done by Algorithm COOBS-TO-CODIAG-II as follows. Suppose automata and are given with , and, for all , suppose and , , , . Let . Let and . We construct the automaton by Algorithm COOBS-TO-CODIAG-II as follows.

Algorithm COOBS-TO-CODIAG-II

Step 0: Set . For all , add states to state space of .

Step 1: Then, add self-loop into , i.e., .

Step 2: For all and , if , add transitions and to with and ; if , add transition to with .

Step 3: We add an observable self-loop with event label at each state that is a deadlock state in .

Step 4: For all , we specify observation mapping for as follows. For all such that and, for all , , set . For all , set . For all , such that , set , . if , if . For all , and , , , set and . For all , let be the information mapping corresponding to from Step 4 of Algorithm COOBS-TO-CODIAG-II.

Remark 5: Algorithm COOBS-TO-CODIAG-II basically merges all automata , , constructed by Algorithm COOBS-TO-CODIAG-I into single automaton . The transitions in Step 2 are used to prevent agents , i.e., agents that cannot control event , from diagnosing event in the following way. By construction, any occurrence of and is unobservable to . Consequently, for all , such that and and , for all . But for , any occurrence of is observable and, thus, we have and . We have . Hence, for an arbitrary , any occurrence of can only be diagnosed by an agent . By the above construction, we have the following theorem about coobservability.

Theorem 3: Language is coobservable with respect to language , sets of controllable events , , and the dynamic observation given by the observation mappings , , iff is codiagnosable for the set of diagnosing agents with respect to the dynamic observation given by , , and the sets of fault events , , which are all the singleton subsets of .

Proof: Suppose that is not codiagnosable for the set of diagnosing agents with respect to the dynamic observation that is specified by , , and set of fault events . We have, by definition

Since, by Step 4 of the construction of , the occurare always observable, we have rences of event . Hence, we have and, . Moreover, for all , then, is always observable for agent and, the occurrence of cannot occur in by consince can be followed by , struction. Thus, for all , we conclude that the

WANG et al.: ON CODIAGNOSABILITY AND COOBSERVABILITY WITH DYNAMIC OBSERVATIONS

last event of trace we write we have

1557

cannot be . Thus, for all , for some trace . Therefore,

. Thus, we have . Furthermore, by Step 2 of the conwith but and, struction, we have , , , with , . Therefore, for all language is not coobservable with respect to and the dynamic observation that is specified language . by the observation mappings , Suppose that language is not coobservable with respect to language and the dynamic observa. We tion that is specified by observation mappings , have . By construction, for all and , we have , , and . Then, we have . Furthermore, also by construction, we have . Hence, by definition, is not codiagnosable for the set of diagnosing agents with respect to the dynamic observation that is spec, , and the sets of fault events , ified by . Similar to the worst-case complexity of Algorithm COOBS-TO-CODIAG-I, the worst-case complexity of Algorithm COOBS-TO-CODIAG-II is determined by Step 2 of . the algorithm, which is

Fig. 2. System G and the legal automaton H with its observations for agents 1 and 2 for Example 2. (a) The system G. (b) Observations for 1. (c) Observations for 2.

Fig. 3. H̃_a with its observations for agent 1 and H̃_b with its observations for agent 2, respectively. (a) H̃_a. (b) H̃_b.

V. APPLICATIONS OF THE TRANSFORMATION

In this section, we show how to leverage the research on diagnosability and codiagnosability to solve the problems related to observability and coobservability by applying the transformation algorithms in Section IV.

A. Transformation Examples for Transition-Based Dynamic Observations

In the figures in this paper, a square bracket at event after state is used to show that transition is unobservable to the corresponding agent.

Example 2: We consider the system in Fig. 2(a) with two control agents and the event set . Let and . The legal behavior and its observations that correspond to agent 1 and agent 2 are given in Fig. 2(b) and (c), respectively. We construct automata and in Fig. 3(a) and (b), respectively. Fig. 3(a) and (b) also show the observations of for agent 1 and for agent 2, respectively. In , transitions , , , , and are unobservable to agent 1. By Theorem 1, the language is coobservable with respect to language and the dynamic observation that is specified by Fig. 2(b) and (c) iff is diagnosable for agent 1 and is codiagnosable for agents 1 and 2.

Example 3: Continue with Example 2. Using Algorithm COOBS-TO-CODIAG-II, we construct automaton in Fig. 4. The dynamic observations of for agents 1 and 2 are specified at Step 4 of Algorithm COOBS-TO-CODIAG-II. The corresponding observation mappings for agents , 2, are and . Then, by Theorem 3, the language is coobservable with respect to language and the dynamic observation that is specified by Fig. 2(b) and (c) iff is codiagnosable for agents 1 and 2.

Fig. 4. Automaton H̃ in Example 3.

Example 4: Continue with Example 1. Let the legal behavior be given by automaton H.¹ Using Algorithm COOBS-TO-CODIAG-I, the corresponding can be constructed by adding a state and transitions in set into such that, for all , . The corresponding can be constructed by adding a state and transitions in set into such that, for all , . After that, we specify the observation mappings of and according to Step 4 of Algorithm COOBS-TO-CODIAG-I. Then, the original system is coobservable iff both and are codiagnosable. Using Algorithm COOBS-TO-CODIAG-II, the corresponding can be constructed by adding states and and transitions in set , where

such that, for all , and, for all , . The observation mapping of is specified at Step 4 of Algorithm COOBS-TO-CODIAG-II; then, the original system is coobservable iff is codiagnosable.

¹After crossed transitions in Fig. 1 are deleted, H is the accessible part of the graph.

B. Applications in Event-Based Observations

Most of the literature on partial observations in DES concerns event-based observations. Unlike the notion of dynamic observations in Section II, in event-based observations, the observation mapping for agent is completely specified by . Therefore, given the system , the set of agents , , for all and and the set of observable events , the observation mapping of agent is described by iff .

It is easy to verify that the specifications of the observation mappings for the transformed system at Step 4 of Algorithm COOBS-TO-CODIAG-I or in Step 2 of Algorithm COOBS-TO-CODIAG-II are consistent with the above definition of . Thus, we are able to leverage the large volume of literature on diagnosability and codiagnosability under event-based observations to solve the corresponding problems of observability and coobservability. For example, the verifiers in [16], [17] are applicable to the verification of observability and coobservability under event-based observations. Furthermore, the optimization methods of sensor selection for diagnosability and codiagnosability in [36], [37] are also applicable to the corresponding problems for observability and coobservability, but Algorithm COOBS-TO-CODIAG-II should be used for doing the transformation.

C. Application in Optimizing Sensor Activation Policy

The transformation algorithms in Section IV are for language-based dynamic observations. Due to the generality of language-based dynamic observations, we are able to use solutions for the problems concerning codiagnosability to solve the corresponding problems concerning coobservability. For example, algorithms are developed in [22], [23] for calculating optimal sensor activation policies under the constraint of preserving diagnosability. If we want to solve similar problems but under the constraint of preserving observability, we can transform the system for ensuring diagnosability first using Algorithm COOBS-TO-CODIAG-II. Then, use the algorithms in [22], [23] to solve them.

Sensor activation policies are a specific class of observation mappings that satisfy the so-called feasibility condition [23], [24]. This condition requires that the on/off decisions of a sensor for the same event following two indistinguishable strings must be the same. Formally, in a distributed system , an observation mapping is a feasible sensor activation policy iff

and (2)

The following theorem is for the feasibility relationship between and its transformation .

Theorem 4: Suppose the observation mapping for all events is fixed by Step 4 of Algorithm COOBS-TO-CODIAG-II. Then, an observation mapping , , is a feasible sensor activation policy for iff the corresponding observation mapping is a feasible sensor activation policy for .

Proof: By Step 4 of Algorithm COOBS-TO-CODIAG-II, for all and for all , , . Then, by definition of and , . Consequently, for all and , , , and for all , (2) is true for and iff it is true for and . Furthermore, for all and an arbitrary , by Step 4 of Algorithm COOBS-TO-CODIAG-II, given , occurrences of are either all observable or all unobservable for and, thus, (2) is also true. Therefore, , is a feasible sensor activation policy for the original system iff , is a feasible sensor activation policy for the transformed system .

Therefore, for all , if we fix the observations of events and optimize sensor activation under the constraint of preserving codiagnosability for the transformed system, then we can simply use the optimized feasible sensor activation policy for the original system by setting for all . In this way, an optimum sensor activation policy for coobservability can be calculated.

VI. CLUSTER-BASED VERIFIER FOR CODIAGNOSABILITY

In Sections IV and V, we illustrated how to transform the problem of coobservability to the problem of codiagnosability. In this section, we present an efficient algorithm for verifying codiagnosability in the case of transition-based dynamic observations. A preliminary and partial version of the results in this section appeared in [38]. Since the problem of coobservability can be transformed to the problem of codiagnosability, this verifier can also be used for verifying coobservability. By definition, codiagnosability can be verified for each , one by one. Under , , , the system is codiagnosable iff it is codiagnosable for every . Therefore, without loss of generality, we only present the verification for one fault type, denoted by for simplicity (upper case is used to avoid confusion with fault event ).

Fig. 5. System G and its corresponding observations for diagnostic agents 1 and 2, respectively. (a) Observations for agent 1. (b) Observations for agent 2.

Fig. 6. F-free automaton of G.

A. Cluster Automata

For the purpose of building an algorithmic verifier for codiagnosability, we need specific definitions and notations as follows.

Definition 4: Under the observation of diagnosing agent , cluster is a subautomaton of whose initial state (cluster head) is the initial state or is entered by some observable transition in and whose set of transitions is the maximum set of unobservable and reachable transitions from state . is the set of all clusters of with respect to index function for diagnosing agent .

Remark 6: The idea of cluster automaton is an important concept in this paper that is useful for capturing the system observation of agent . Let be a given system trajectory. Suppose that right after an occurrence of event is observed by agent , the system goes to state . After that, if continues with , agent cannot see anything about such . In other words, an agent cannot see anything when the system evolves within one of its clusters. After that, assume event observed by agent occurs. Suppose there is another trace with and the occurrence of after is observed by agent . Then, agent is not able to tell whether the system is at state or at state and, consequently, whether the system is in cluster or . In fact, if we build the observer for agent , any state in the observer can be viewed as the union of the state sets of some clusters for agent .

We will use the following running example for the cluster-based verifier for codiagnosability.

Example 5: We consider the system and its observations to diagnosing agents 1 and 2 in Fig. 5(a) and (b), respectively, where the unobservable transitions to the corresponding diagnosing agent are in square brackets. We assume that is the only event of fault type , i.e., .

Let be a subautomaton of denoted by . Then, is the state space of . In the verifier in Section VI-C later on, to diagnose the fault of type , each diagnostic agent compares traces with traces such that . We define automaton to model the set of all traces with .

Definition 5: The -free automaton is the accessible part of after deleting transitions whose event labels are in , i.e., .

Example 6: Continuing with Example 5, the corresponding -free automaton is shown in Fig. 6.

Fig. 7. Set of clusters C based on the observations of agent 1 and the set of clusters C based on the observations of agent 2. (a) C. (b) C.

Let be the set of states of , and let be the index function obtained by limiting the domain of to . For diagnosing agent , is the cluster with initial state , which is defined iff state is the initial state of or is entered by some transition observable to . And is the set of clusters for diagnosing agent with respect to the -free automaton .

For an arbitrary trajectory , diagnostic agent needs to keep track of traces that look the same as . For doing so, it updates its estimation of the possible set of clusters along with system evolution. We define with respect to for this purpose as follows.

Definition 6: For the -free automaton and the observation of diagnosing agent , collects all clusters whose initial state follows some transition , which is observable to agent , from some state . Formally, for such that

Example 7: Recall the system whose observations are given by Fig. 5(a) and (b) for agents 1 and 2, respectively. and are given in Fig. 6. The two sets of clusters, and , are shown in Fig. 7(a) and (b), respectively. There, each cluster consists of the states and event occurrences that are labeled by solid line arrows. The initial state of each cluster follows the labeled broken line arrows as the incoming observable event occurrences. For and , each follows the broken line arrow with observable event occurrence going out of cluster . For instance, in Fig. 7(b), .


Fig. 8. Observations corresponding to pseudo index function I and its corresponding set of clusters. (a) The observations based on I . (b) The clusters based on I .

To compare type fault-free traces with traces , diagnostic agents also keep track of whether or not and , for all . For this purpose, we need the following definitions.

Definition 7: For given and , the pseudo index function , is given by

Fig. 9. Clusters of pseudo index function I containing cycles. (a) c(x) with a cycle preceded by a string containing a fault event (Definition 9). (b) c(x) containing a cycle (Definition 10).

otherwise. The pseudo index function is useful for building the cluster-based verifier. As we will see later, the verifier updates its system estimation for an occurrence of event when the . Correspondingly, we define corresponding to be the cluster of state with respect to index function ; denotes the set of all .

Example 8: The function for the system is shown in Fig. 8(a), where the transitions in square brackets are unobservable to both of the diagnosing agents. The set of clusters that correspond to index function is given in Fig. 8(b). Similarly to Example 7, each cluster consists of the states and events that are labeled by solid line arrows. The labeled broken line arrows correspond to event occurrences that are observable to at least one diagnosing agent and, thus, are not part of those clusters; they are used to indicate the initial state of each cluster, the observable event occurrences that follow each cluster, and the clusters that follow those observable event occurrences.

For codiagnosability analysis, we need to define a special subset of cluster state sets.

Definition 8: For a given cluster and fault type , collects all states in that are reachable from state by some string that contains one or more fault events of type . Formally, . Similarly, collects all states in that are reachable from state by some string that does not contain any fault events of type . Formally, .

In the definition of codiagnosability, we allow the existence of cycles that are unobservable to every diagnostic agent. Although the existence of such unobservable cycles does not automatically make the system not codiagnosable, it does affect the criteria for determining whether or not the system is codiagnosable. The definitions of and are used to describe those criteria in the verifier in Section VI-C.

Definition 9: Under index function , is the set of all clusters whose elements contain a cycle that is preceded by a string with [Fig. 9(a)]. Formally

Definition 10: Under index function , is the set of all clusters that contain cycles [Fig. 9(b)]. Formally, . will be used to mark whether or not a fault event of type has occurred for a state in the verifier.

B. Transition Function

The following important function will serve as the core for the cluster-based verification of diagnosability.

Definition 11: For and such that , , and , is specified by the equation shown at the bottom of the next page.

If is a state in the verifier, it means that there is at least one trace ending up at such that, for each , there exists a type fault-free trace ending up at state that looks the same as to agent ; moreover, the last event of is observable to agent . Let be a trace whose subtrace is unobservable to any agent and whose last event is observable to some agents. As shown in Fig. 10, for all such , if we take transitions within clusters into account, the transition function captures a vector of fault-free traces such that looks the same as to agent . This is done by using a corresponding vector of clusters whose first elements correspond to agents and whose last element contains a fault event. The last element includes the label that keeps track of whether or not . The update of each cluster in the state vector is based on the previous cluster and whether or not the occurrence of the last event is observed by agent . The label at changes to label at when , i.e., does not contain any fault event, but . Finally, we note that
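Definitions 4 to 10 fix everything needed to compute clusters mechanically, which is worth seeing in code because the "what can this monitor not distinguish" question is the same one a detection engineer asks when a sensor is only switched on in some system states. The following Python is an added example, not code from the paper: it stores an automaton as (state, event, next_state) triples and each agent's index function as the set of (state, event) pairs that agent observes, builds the F-free automaton of Definition 5, the clusters of Definition 4 for a given index function, the pseudo index function of Definition 7 (observable under I_0 iff observable to at least one agent, as Example 8 describes it), and the F-part/N-part split and the two cycle tests of Definitions 8 to 10. The toy system, its event names and the two index functions are constructed for this example and are not the system of Fig. 5.

```python
from collections import defaultdict

# Added example (not code from the paper): cluster automata and the F-free
# automaton of Section VI-A over a constructed toy system.  A transition is a
# (state, event, next_state) triple; an agent's index function is the set of
# (state, event) pairs it observes, so observability is transition-based.

def adjacency(trans):
    adj = defaultdict(list)
    for x, e, y in trans:
        adj[x].append((e, y))
    return adj

def accessible(trans, init):
    """Transitions reachable from init (the accessible part of an automaton)."""
    adj = adjacency(trans)
    seen, stack, kept = {init}, [init], []
    while stack:
        x = stack.pop()
        for e, y in adj[x]:
            kept.append((x, e, y))
            if y not in seen:
                seen.add(y)
                stack.append(y)
    return kept

def f_free(trans, init, faults):
    """Definition 5: delete fault-labelled transitions, then keep the accessible part."""
    return accessible([t for t in trans if t[1] not in faults], init)

def cluster(trans, head, observable):
    """Definition 4: all transitions unobservable to the agent that are reachable from
    `head` through unobservable transitions only.  Returns (states, transitions)."""
    adj = adjacency(trans)
    states, stack, ctrans = {head}, [head], []
    while stack:
        x = stack.pop()
        for e, y in adj[x]:
            if (x, e) in observable:   # an observable transition leaves the cluster
                continue
            ctrans.append((x, e, y))
            if y not in states:
                states.add(y)
                stack.append(y)
    return states, ctrans

def clusters(trans, init, observable):
    """One cluster per head: the initial state and every state entered by an observable transition."""
    heads = {init} | {y for x, e, y in trans if (x, e) in observable}
    return {h: cluster(trans, h, observable) for h in heads}

def pseudo_index(obs):
    """Definition 7 as described in the text: observable under I_0 iff observable to some agent."""
    return set().union(*obs)

def fault_split(ctrans, head, faults):
    """Definition 8: cluster states reachable from the head by a string containing a fault
    (F-part) and by a fault-free string (N-part).  A state may lie in both."""
    adj = adjacency(ctrans)
    seen, stack = {(head, False)}, [(head, False)]
    while stack:
        x, faulty = stack.pop()
        for e, y in adj[x]:
            nxt = (y, faulty or e in faults)
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return {x for x, f in seen if f}, {x for x, f in seen if not f}

def on_cycle(ctrans, candidates):
    """True iff some state in `candidates` lies on a cycle of the cluster.  With all cluster
    states this is Definition 10; with the F-part it is Definition 9."""
    adj = adjacency(ctrans)
    for w in candidates:
        seen, stack = set(), [y for _, y in adj[w]]
        while stack:
            z = stack.pop()
            if z == w:
                return True
            if z not in seen:
                seen.add(z)
                stack.extend(y for _, y in adj[z])
    return False

# Constructed toy system (not one of the paper's figures).  State 0 is initial, f is
# the only fault event, u is unobservable to everyone, and 1 -u-> 5 -u-> 1 is a
# cycle that can only be entered after the fault.
G_TRANS = [(0, 'f', 1), (0, 'u', 2), (1, 'a', 3), (2, 'a', 4),
           (3, 'b', 3), (4, 'b', 4), (1, 'u', 5), (5, 'u', 1)]
G_INIT, FAULTS = 0, {'f'}
# Index functions of agents 1 and 2.  Agent 2 sees a only when it fires from state 1.
OBS = [{(1, 'a'), (2, 'a'), (3, 'b'), (4, 'b')}, {(1, 'a')}]

def analyze():
    """Cluster structure of the toy system under I_0 and, on the F-free automaton, per agent."""
    c0_states, c0_trans = clusters(G_TRANS, G_INIT, pseudo_index(OBS))[G_INIT]
    f_part, n_part = fault_split(c0_trans, G_INIT, FAULTS)
    gf = f_free(G_TRANS, G_INIT, FAULTS)
    return {"f_free": set(gf), "c0_states": c0_states,
            "c0_F_part": f_part, "c0_N_part": n_part,
            "c0_in_Fcycle": on_cycle(c0_trans, f_part),     # Definition 9
            "c0_in_cycle": on_cycle(c0_trans, c0_states),   # Definition 10
            "agent_heads": [sorted(clusters(gf, G_INIT, o)) for o in OBS]}

if __name__ == "__main__":
    for key, value in analyze().items():
        print(key, value)
```

In the toy system the cluster headed by the initial state under I_0 contains the cycle 1 -u-> 5 -u-> 1, and that cycle is only reachable through the fault transition, so the cluster is in the set of Definition 9 (and hence of Definition 10): no agent observes anything while the system loops there. On the F-free automaton agent 2 keeps a single cluster covering all of its states because its only observable transition was deleted with the fault, which is the situation the complexity remark in Section VII relies on.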

Fig. 10. Transition function is used to capture the possible traces that go through cluster c(x) for each agent i ∈ A and look the same as some traces that go through c(x), with e being the last observable event occurrence to some agents.

Fig. 11. F-labeled cycle in the C-VERIFIER.

equals the empty set when no such exist for any agent .

Example 9: For the system whose observations are given by Fig. 5(a) and (b) for agents 1 and 2, respectively, suppose event is the only fault event of type . We have

and

C. Algorithmic Verifier of Codiagnosability

For a given system modeled by automaton , local diagnosing agents , the set of fault events , and the corresponding index functions , , the C-VERIFIER for verifying codiagnosability for faults of type can be constructed by the following algorithm.

Algorithm C-VERIFIER
Step 0: Set as initial state and mark it with 0. Let .
Step 1: Find a state with mark 0. Then, for each transition with state and , calculate . Add new states to the C-VERIFIER if and mark with 0. Construct an arrow that starts at and ends at each of and label it with event . After all that, change the mark of from 0 to 1.
Step 2: Iterate Step 1 until every state in is marked with 1. Then proceed to Step 3.
Step 3: Verification. If
1) a state is found with corresponding [Fig. 9(a)];
2) with labeled [Fig. 9(b)];
3) an -labeled cycle exists in the C-VERIFIER (Fig. 11);
we conclude that the system is not codiagnosable with respect to , , and fault type . Otherwise, we conclude that the system is codiagnosable with respect to , , and fault type .

Intuitively, let us start with the initial state of the verifier . If we take the transitions within clusters into account, the C-VERIFIER exhaustively captures all vectors of event traces of the form from of such that looks the same as to agent . The C-VERIFIER also keeps track of whether or not by labeling with or , respectively. In this way, by the definition of codiagnosability, a system is codiagnosable (i.e., an occurrence of a fault event can be distinguished unambiguously within finite delay) iff none of the three conditions at Step 3 of Algorithm C-VERIFIER is true. A formal proof of correctness is given next.

D. Proof of Correctness

We prove the correctness of Algorithm C-VERIFIER in this section. Lemma 1 below says that if two strings have the same information mapping, then for each prefix of one string, there exists at least one prefix of the other string having the same information mapping.
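The three conditions of Step 3 can be cross-checked on a much simpler, if less efficient, structure than the C-VERIFIER. The following Python is an added example, not the paper's algorithm and not a cluster-based construction: it builds the explicit (n+1)-track verifier whose states are (x_0, label, x_1, ..., x_n), where track 0 follows an arbitrary trace of G, the label becomes F once a fault event has occurred on track 0, and track i follows a fault-free trace that agent i cannot distinguish from track 0's trace under its transition-based index function. When track 0 fires a transition, every agent that observes it must fire an observable transition on the same event, the other agents must not move, and a fault-free track may also advance on its own through transitions its agent does not observe. The system is then not codiagnosable iff the F-labelled part of this verifier contains a cycle on which track 0 moves; because clusters are expanded into individual states here, the three conditions of Step 3 collapse into that single test. The toy system, its event names and the index functions are constructed for this example; the two runs differ only in whether agent 2's sensor for a is on only in state 1 (transition-based) or always on (event-based).

```python
import itertools
from collections import defaultdict

# Added example (not the paper's C-VERIFIER): an explicit (n+1)-track verifier
# for codiagnosability under transition-based dynamic observations.  Transitions
# are (state, event, next_state); obs[i] is the set of (state, event) pairs that
# agent i observes.

def adjacency(trans):
    adj = defaultdict(list)
    for x, e, y in trans:
        adj[x].append((e, y))
    return adj

def build_verifier(trans, init, faults, obs):
    """Return (states, edges).  A state is (x0, label, x1, ..., xn); an edge is
    (u, v, track0_moved).  Tracks 1..n stay inside the F-free automaton because
    they never fire a fault-labelled transition."""
    adj, n = adjacency(trans), len(obs)
    start = (init, 'N') + (init,) * n
    seen, stack, edges = {start}, [start], []
    while stack:
        u = stack.pop()
        x0, label, xs = u[0], u[1], u[2:]
        succ = []
        # Track 0 fires (x0, e).  Each agent that observes it must match with an
        # observable, fault-free e-transition of its own; the others stay put.
        for e, y in adj[x0]:
            new_label = 'F' if (label == 'F' or e in faults) else 'N'
            choices = []
            for i in range(n):
                if (x0, e) in obs[i]:
                    choices.append([yi for ei, yi in adj[xs[i]]
                                    if ei == e and ei not in faults and (xs[i], ei) in obs[i]])
                else:
                    choices.append([xs[i]])
            for combo in itertools.product(*choices):
                succ.append(((y, new_label) + combo, True))
        # A fault-free track may fire a transition its own agent does not observe.
        for i in range(n):
            for e, y in adj[xs[i]]:
                if e in faults or (xs[i], e) in obs[i]:
                    continue
                succ.append(((x0, label) + xs[:i] + (y,) + xs[i + 1:], False))
        for v, moved in succ:
            edges.append((u, v, moved))
            if v not in seen:
                seen.add(v)
                stack.append(v)
    return seen, edges

def is_codiagnosable(trans, init, faults, obs):
    """Not codiagnosable iff some F-labelled cycle of the verifier contains a track-0
    move: the faulty trace then has an arbitrarily long continuation that every agent
    confuses with a fault-free trace (silent moves of a fault-free track alone do not
    extend the faulty trace, so cycles made only of them do not count)."""
    _, edges = build_verifier(trans, init, faults, obs)
    f_succ = defaultdict(list)
    for u, v, _ in edges:
        if u[1] == 'F' and v[1] == 'F':
            f_succ[u].append(v)
    for u, v, moved in edges:
        if not (moved and u[1] == 'F'):
            continue
        seen, stack = set(), [v]          # can u be reached again from v?
        while stack:
            z = stack.pop()
            if z == u:
                return False
            if z not in seen:
                seen.add(z)
                stack.extend(f_succ[z])
    return True

# Constructed toy system (not a figure from the paper).  f is the fault, u is
# unobservable to everyone; after f the system loops on b in state 3, and the
# fault-free trace u a b b ... looks exactly like f a b b ... to agent 1.
G_TRANS = [(0, 'f', 1), (0, 'u', 2), (1, 'a', 3), (2, 'a', 4), (3, 'b', 3), (4, 'b', 4)]
G_INIT, FAULTS = 0, {'f'}
OBS_AGENT1 = {(1, 'a'), (2, 'a'), (3, 'b'), (4, 'b')}
OBS_AGENT2_DYNAMIC = {(1, 'a')}              # sensor for a is on only in state 1
OBS_AGENT2_STATIC = {(1, 'a'), (2, 'a')}     # same sensor always on

def demo():
    """(dynamic agent 2, static agent 2) -> (True, False)."""
    return (is_codiagnosable(G_TRANS, G_INIT, FAULTS, [OBS_AGENT1, OBS_AGENT2_DYNAMIC]),
            is_codiagnosable(G_TRANS, G_INIT, FAULTS, [OBS_AGENT1, OBS_AGENT2_STATIC]))

if __name__ == "__main__":
    print(demo())
```

With the dynamic index function agent 2 sees a only on the faulty branch, so no fault-free track can ever match its observation and the F-labelled part of the verifier has no track-0 move; with the event-based one both a occurrences look alike, the state (3, F, 4, 4) gets a self-loop on b, and codiagnosability fails. The explicit verifier enumerates tuples of states, so it grows with the product of the state spaces that the cluster covering of the C-VERIFIER is designed to avoid; it is a cross-check for small models, not a replacement.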



Lemma 1: Let , , and be corresponding information mappings. Then iff .

Proof: The proof follows directly from the recursive application of the definition of information mapping.

Theorem 5: Algorithm C-VERIFIER is correct.

Proof: Suppose that, by Definition 2, system is not codiagnosable under index functions , . Then, since there is only one fault type, we have that, for all , there exists with and with such that, for all , there exists with and . We note that is a redundant constraint since, in case of , we can always replace by being the shortest trace in ending with an event . Since the above statement is true for all , it must be true for . Since , we have for all . By Lemma 1, we can write with , such that, for all with , we have .

By definition of the pseudo index function and its corresponding information mapping, for string , we write for some , , where the superscript is the nonempty set used to denote that the corresponding occurrence of event is observable by all of the diagnosing agents in . We can write and for some , . Then, we write with some , for . To detail the first occurrence of within , we write with . Then, also by the definitions of pseudo index function and its corresponding information mapping, for a given , by letting whenever , for with we have, for , if , otherwise. In this way, we can write with , where for and is the smallest integer larger than . Then, we can write for some , with , for . Since the number of all possible is finite, Algorithm C-VERIFIER will end within finite iterations. Since , for all , and , we have . Write , for , and , for . From Step 0 of Algorithm C-VERIFIER, we have . Recursively, by Step 1 of the algorithm, we have

, where, for , is the largest integer less that with . Then, we have , where , is the largest integer less than or equal with for . is the set of all clusters that have Note that . If, in Step 2 of the algocycles preceded by some with corresponding rithm, we do not find and also do not find labeled with corresponding , we have , , , and . Since and

, we have . Therefore, starting at , we have that the visits at least one of the states in more trace than once. Hence, a cycle in the C-VERIFIER must be formed. Thus, as at Step 3, Algorithm C-VERIFIER concludes that the system is not codiagnosable for fault type . Suppose, as Step 3, Algorithm C-VERIFIER concludes is not codiagnosthat system under index function , able for fault type . Then, there exists some state with corresponding , or with labeled , or a cycle with label was found. Let . In the first two cases, by Step 1 of the algorithm, there exists a , that starts trace in the resulting C-VERIFIER, say and ends at state . Let whenever . Then, at also by Step 1 of the algorithm, for all , there exist and with and traces , such that and . where is the smallest number less than with , is the largest number less than with , , is the smallest number larger than and, for with . In this way, suppose there exists such that and or with . corresponding Then, by the definitions of and , there exists with and with such that . Since , by the definitions of codiagnos, we have that is not codiagnosable with reability and and index function , . spect to the set of fault events Next, for the third case, suppose that there exists a cycle with label . Let be a state of the C-VERIFIER within that cycle. Then, for some , with , there exists a trace, with trace that say and ends at and trace that starts at and also ends at . Let whenstarts at ever . By Step 1 of the algorithm, there exist traces and , with , , , and such and that where, for , is the smallest number larger than with , is the smallest number with ,


is the largest number less than with , and is the largest number less than with . Since and , for arbitrary and for all , we have , and , where and are strings that repeat traces and times, respectively. Since the information mapping is defined on a transition-based index function, we have . Since has label , we have . Furthermore, since , we have . Since is arbitrary, by the definition of codiagnosability under the index function , , we have that the system is not codiagnosable with respect to .

From Algorithm C-VERIFIER, we have the following theorem about its complexity.

Theorem 6: For a system modeled by automaton with diagnostic agents, where is a fixed number, the verification of codiagnosability can be done in worst-case polynomial complexity in the size of the state space of .

Proof: The verification can be done for one fault type at a time. For each fault type , the number of iterations of Step 1 of Algorithm C-VERIFIER is upper bounded by , where is the number of diagnosing agents. Within each iteration, we call transition function once, which at most produces a set of size . Since for all , is upper bounded by the size of the state space of the system , the whole amount of calculations for constructing a C-VERIFIER is further upper bounded by . Since each fault type can be verified independently, the worst-case complexity of verifying codiagnosability in terms of the state space of the modeling automaton is , where is the number of fault types.

VII. ILLUSTRATIVE EXAMPLES FOR ALGORITHM C-VERIFIER

In this section, we show how Algorithm C-VERIFIER works for verifying both codiagnosability and coobservability using examples.

A. Verification of Codiagnosability

The following example deals with the verification of codiagnosability.

Example 10: We continue with our running example. The entire C-VERIFIER automaton is shown in Fig. 12. By Step 0, we have and mark it with 0. Then, by Step 1, for transitions , , and , we have

and

We add these four new states and transitions to the C-VERIFIER. The new states are marked with 0, and we change the mark of from 0 to 1. We iterate Step 1 as above. Suppose we are now examining state . We have . In this case, we only need to change the mark for state from 0 to 1. Suppose we finish the iterations of Step 1 and go to Step 2. By examining the C-VERIFIER, and no cycle with label is found. We conclude that the system is codiagnosable.

Fig. 12. C-VERIFIER corresponding to Example 10.

Fig. 13. New observations for agent 1 and pseudo index function I of Example 11, respectively. (a) New observations for agent 1. (b) Updated observations for I.

Example 11: Suppose we change the observations of agent 1 in Example 10 to Fig. 13(a) by making transition unobservable. Then, the corresponding pseudo index function is shown in Fig. 13(b). The sets of clusters corresponding to the new and are shown in Fig. 14(a) and (b), respectively. A part of the C-VERIFIER is shown in Fig. 15, where the states with outgoing events are marked by 1, otherwise they are marked by 0. An -labeled cycle is found, from which we conclude that the system is not codiagnosable.

B. Verification of Coobservability

Since the problem of coobservability can be transformed to the problem of codiagnosability using the algorithms in Section IV, Algorithm C-VERIFIER becomes a unified method for verifying both codiagnosability and coobservability, which is shown by the next example.

Example 12: Continuing with Example 2, by Algorithm C-VERIFIER (the verifier is not shown), is diagnosable


Fig. 14. Sets of clusters C and C based on new observations of agent 1 in Fig. 13(a), respectively. (a) The updated set of clusters C . (b) The updated set of Clusters C .

Fig. 15. Part of the C-VERIFIER in Example 11.

for agent 1 and is codiagnosable for agents 1 and 2. Therefore, by Theorem 1, the language is coobservable with respect to language and the dynamic observation that is specified by Fig. 2(b) and (c). Or, equivalently, continuing with Example 3, by Algorithm C-VERIFIER (the verifier is not shown), is codiagnosable with respect to , , and , , 2. Therefore, by Theorem 3, is coobservable with respect to , , and , , 2.

Example 13: Continue with Example 4. Suppose the system is centralized with transition-based dynamic observations specified by . Then the system is diagnosable with respect to the sets of fault events and . Thus, is observable with respect to and . It means that, if we keep our radar detector on such that all occurrences of are observable and jam the hostile radar promptly, we are able to prevent the hostile side from launching a missile and eventually disable the hostile missile launcher even though our reconnaissance UAV cannot always stay in region .

The worst-case computational complexity of the above methods for the verification of coobservability is as follows. For a system with a fixed number of diagnostic agents, Algorithm C-VERIFIER is of polynomial complexity in the cardinalities of both the state space and the event set of the system. By building for each , we transform the problem of the verification of coobservability to the problem of the verification of codiagnosability in a computational effort of . Then, for each , we verify codiagnosability. Therefore, the overall worst-case computational complexity is upper bounded by times the amount of computational effort for verifying codiagnosability for the system. Hence, for a system with a fixed number of agents, the worst-case computational complexity of the method of verifying coobservability proposed in this section is polynomial with respect to both the state space and the event set. More precisely, the computational complexity for the verification of coobservability by our method is upper bounded in terms of the cardinality of the set of clusters of each local agent, which can be much smaller than the cardinality of the state space of the system. For example, if we add an agent whose set of observable transitions is empty, the computational effort remains the same for the method in this section (since there is only one cluster for the added agent). There is another verifier in [35] for testing coobservability in the case of transition-based dynamic observations; this verifier is only presented for a system of two agents. The verifier for codiagnosability and the transformation algorithms presented in this paper work for any number of agents. Another merit of our method is the fact that, if Algorithm COOBS-TO-CODIAG-I is used for the transformation, we are able to verify coobservability by verifying codiagnosability for each of , , separately. In most practical problems, the number of agents that control a single event is much less than the total number of the agents in the system, which reduces the computational complexity of verifying coobservability.

VIII. CONCLUSION We have extended the notions of codiagnosability and coobservability to fit the general scenario of dynamic observations. Then, we have presented polynomial algorithms to transform the problem of coobservability to the problem of codiagnosability. This enables us to leverage the large literature available for diagnosability and codiagnosability to solve problems of observability and coobservability. We also have proposed a new procedure for the verification of the property of codiagnosability in DES for transition-based dynamic observations. We defined cluster automata and used them to build the C-VERIFIER automaton. For a system with fixed number of agents, the complexity of building the C-VERIFIER automaton is of worst-case

WANG et al.: ON CODIAGNOSABILITY AND COOBSERVABILITY WITH DYNAMIC OBSERVATIONS

polynomial time in the state space of the system. Testing diagnosability or codiagnosability in the case of dynamic observations using the C-VERIFIER is straightforward and reduces to simple tests on states or cycles of states of the C-VERIFIER. As an application, our verification method for codiagnosability can be extended to the verification of coobservability for multiple-agent systems. The new testing procedure that we have developed will be useful in solving sensor activation problems or distributed diagnosis and control with communication problems, where efficient tests for diagnosability, codiagnosability, observability, and coobservability under dynamic observations are required.

Weilin Wang (SM’10) received the M.S. degree in electrical engineering systems, the M.S.E. degree in industrial engineering, and the Ph.D. degree in electrical engineering: systems from the University of Michigan, Ann Arbor, in 2003, 2006, and 2007, respectively. He is currently a Research Fellow in the Department of Aerospace Engineering, University of Michigan. Prior to enrolling at the University of Michigan, he worked for the Zhejiang Department of Transportation, Hangzhou, China. His research interests are in networked autonomous systems; control theory and applications; unmanned systems; cooperative vehicle control; and human-in-the-loop systems.

Anouck R. Girard received the Ph.D. degree in mechanical/ocean engineering from the University of California, Berkeley, in 2002. She was a Post-Doctoral Researcher and Lecturer at the University of California, Berkeley, from 2002 to 2004, an Assistant Professor of Mechanical Engineering at Columbia University, New York, NY, from 2004 to 2006, and is currently an Assistant Professor of Aerospace Engineering at the University of Michigan, Ann Arbor. She is the Director and Principal Investigator of the Michigan/AFRL Collaborative Center in Control Science. She is the author of over 50 archival and conference publications. She was a Summer Faculty Fellow at the Control Science Center for Excellence, Air Force Research Laboratory, Air Vehicles Directorate, in 2005, 2006, and 2007. Dr. Girard is a member of AIAA and ASME. She serves on the AIAA Guidance, Navigation and Control Technical Committee and was selected to be a part of the National Academy of Engineering’s Frontiers of Engineering Program in 2007. She has organized invited sessions at the CDC (2001, 2004) and ECC (2001), as well as a tutorial (CDC 2001).

Stéphane Lafortune (F’99) received the B.Eng. degree from the Ecole Polytechnique de Montréal, Montreal, QC, Canada, in 1980, the M.Eng. degree from McGill University, Montreal, QC, Canada, in 1982, and the Ph.D. degree from the University of California, Berkeley, in 1986, all in electrical engineering. Since September 1986, he has been with the University of Michigan, Ann Arbor, where he is a Professor of Electrical Engineering and Computer Science. He is a member of the editorial boards of the Journal of Discrete Event Dynamic Systems: Theory and Applications and of the International Journal of Control. He is co-Developer of the software packages DESUMA and UMDES. He coauthored the textbook Introduction to Discrete Event Systems—Second Edition (Springer, 2008). His research interests are in discrete event systems and include multiple problem domains: modeling, diagnosis, control, optimization, and applications to computer systems. Dr. Lafortune received the Presidential Young Investigator Award from the National Science Foundation in 1990 and the George S. Axelby Outstanding Paper Award from the Control Systems Society of the IEEE in 1994 and 2001.

Feng Lin (F’09) received the B.Eng. degree in electrical engineering from Shanghai Jiao-Tong University, Shanghai, China, in 1982, and the M.A.Sc. and Ph.D. degrees in electrical engineering from the University of Toronto, Toronto, ON, Canada, in 1984 and 1988, respectively. From 1987 to 1988, he was a Postdoctoral Fellow at Harvard University, Cambridge, MA. Since 1988, he has been with the Department of Electrical and Computer Engineering, Wayne State University, Detroit, MI, where he is currently a Professor. He was a consultant for GM, Ford, Hitachi and other auto companies. He authored the book Robust Control Design: An Optimal Control Approach. His research interests include discrete-event systems, hybrid systems, robust control, and image processing. Dr. Lin received the George Axelby Outstanding Paper Award from the IEEE Control Systems Society, a Research Initiation Award from the National Science Foundation, an Outstanding Teaching Award from Wayne State University, a Faculty Research Award from ANR Pipeline Company, and a Research Award from Ford. He was an Associate Editor of the IEEE TRANSACTIONS ON AUTOMATIC CONTROL.