Transcript Document

CS 367: Model-Based Reasoning
Lecture 6 (01/31/2002)
Gautam Biswas
Today’s Lecture
Last Lecture:





Parallel Composition
Observer Automata
State Space Refinement
Automata with Input and Output
Analysis of Discrete Event Systems: Safety, Blocking, State
Estimation, Diagnostics
Today’s Lecture:



Diagnoser Automata
Notion of Diagnosability (Sampath paper)
Supervisory Control


Feedback control with supervisors
Specifications on Controlled Systems
Analysis of Discrete Event Systems
Safety and Blocking Properties
Safety: avoiding undesirable states, or undesirable
sequence of events for a composed automaton – “legal”
or “admissible” language
 Determine if state y is reached from state x : perform
accessible operation on automaton with x as initial
state, look for y in result
 Determine if substring possible in automaton:
“execute” substring for all accessible states
Parallel composition complexity: O ( n1 n 2 )
Accessible, Coaccessible algorithms are linear in size of
automaton
 Blocking Properties: L m ( G )  L ( G ) or
Lm (G )  L (G )

State Estimation
Unobserved events:


 events can be attributed to: (i) absence of sensors, (ii) event
occurred remotely, not communicated, (iii) fault events
Genuine unobservable events: E uo  {e d , u , v}
Daignostics
Determine whether certain events with
certainty: fault events
Build new automata like observer, but
attach “labels” to the states of Gdiag
Building Gdiag
To build

Step 1: Label the unobservable reach from x0




Attach N label to states that can be reached from x0 by
unobservable strings in [ E uo \ {e d }] *
Attach Y label to states that can be reached from x0 by unobservable
strings that contain at least one occurrence of ed
If state z can be reached both with and without executing ed then
create two entries in the initial state set of Gdiag: zN and zY.
Step 2: Build the subsequent states of Gdiag by following
the rules for building Gobs (following Step 1 to maintain
the unobservable reaches) and by propagating the label Y
(i.e., any state reachable from zY should get the label Y)
Diagnoser Automata
G
Gobs
Gdiag
Diagnosability
G  ( X , E , , x0 )
E  E o  E uo ;
Failure events : E
Goal : Identify elements of E
Partition Failures : E f  E
Partitions represent
f1
f
f
 E
by observing
 .......  E
: ( i ) inadequate
traces from E o
fm
sensors , ( ii ) may not be required
to isolate every fault event uniquely
Failure  some event E
fi
has occurred
G : mod els normal and failed operation of system
L ( G ) is live ; G does not have cycle of unobservab le events
Diagnosability
Definition: (informal)
Let s be any trace generated by the system that ends in a failure event from set
Efi and t is a sufficiently long continuation of s
Diagnosability implies that every trace that belongs to the language that
produces the same record of observable events as st should contain in it a
failure event from Efi
Along every continuation t of s one can detect the failure of type Fi with finite
delay, specifically in atmost ni transitions of the system after s
Alternately, diagnosability requires that every failure event leads to
observations distinct enough to enable unique identification of failure type with
a finite delay
Diagnosability must hold for all traces in L(G) that contain a failure event
Relaxed definition: I-diagnosability – diagnosability condition holds only for
those in which a failure is followed by certain indicator events associated with
every failure type
Supervisory Control
Feedback Control
Automaton G with event set E – G models uncontrolled behavior of DES -- plant
Not satisfactory – restrict behavior to subset of L(G)
Done by supervisor denoted by S
Issues:
(1) How do we define restricted behaviors? -- specifications
L(G) contains strings that violate conditions that we want to impose on plant,
e.g., strings that lead us to blocking states, physically inadmissible
substrings of strings that violate a norm
L r  L a  L (G ) ; Lr: minimal required behavior, La: maximal admissible behavior
(2) How do we get S to modify the behavior of G ?
S observes (some or all) events that G executes. S has the capability of disabling
some but not all feasible events of G. It tells G to disable some of its feasible events.
equivalent to dynamic feedback control.
Supervisory Control: Issues
S limited by which events it can observe in G –
observable events in E
S limited by which events it can disable in G –
controllable events in E
First answer Ques. 2: How to build feedback
loop?
Then Ques. 1: How to define admissible behavior?
Supervisory Control Theory: attributed to W.M.
Wonham and P.J. Ramadge (note Wonham is
Sherif’s thesis advisor).
Feedback Loop for Supervisory Control
DES
G
S(s)
L (G )  L ; L m (G )  L m
ss
S
G  ( X , E , f , , x0 , X m )
E  E c  E uc
E c : controllab le events
E uc : uncontroll able events
Assume all events are observable: s all events executed by G so far
and S has seen them all
How is control achieved? Controllable events of G can be
dynamically enabled or disabled by S
Formally, a supervisor is a function S : L (G )  2 E
For each s  L (G )generated by G (supervised by S) S ( s )   ( f ( x 0 , s ))
is the set of enabled events that G can execute at it current state f ( x
G cannot execute event unless it belons to S(s)
0
, s)
Supervisory Controller: Terminology
Supervisory controller is admissible if
 s  L (G ),
E uc   ( f ( x 0 , s ))  S ( s )
S(s) : control action at s
S is the control policy
For dynamic feedback domain of function S is
L(G) and not X; so control action is not function of
state, but function of event sequence s
Closed loop system is denoted by S/G
Language generated by S/G
  L( S / G )
[ s  L ( S / G )  ( s   L ( G ))  (  S ( s ))]  [ s   L ( S / G )
L ( S / G )  L ( G ), and it is prefix  closed , by defn .
Language marked by S/G: Lm ( S / G )  L ( S / G )  Lm (G )
Overall:
  L m ( S / G )  L m ( S / G )  L ( S / G )  L (G )
Therefore, the controlled DES S/G is an automaton
that generates L(S/G) and marks Lm(S/G)
Marking implies completion of task or particular operation
In this context, S is nonblocking if S/G is nonblocking
L ( S / G )  Lm ( S / G )
Control under Partial Observation
E  E c  E uo
G
SP[P(s)]
E c : controllab le events
P
E uo : unobservab le events
P : E  E 0 : natural projection
*
S
*
Because of P supervisor cannot distinguish between s1 and s2, i.e.,
P ( s1 )  P ( s 2 )
For such s1 , s 2  L ( G ) supervisor
will generate same control action
Control action under partial supervision S P : P [ L (G )]  2 E
SP: P-supervisor
Control Action can change only after occurrence of an
observable event; but this action happens before an unobservable
event occurs
Projections
Event Set E  E o  E uo
P natural projection P : E  E o
*
*
P ( )  
e
P (e )  

if e  E o
e  Eo
P ( se )  P ( s ) P ( e ) for s  E , e  E
*
Properties of P-supervisor
Supervisor is admissible if it does not
disable a feasible uncontrollable event
S P is admissible
E uc
 t  t'   P[L(G)]


    ( f ( x 0 , s ))   S P ( t ) ; L t : all strings in L ( G ) subject to control action
 s L t

All feasible continuations in L(G)
of all strings that SP(t) applies to
Language generated by SP/G
1 .  L ( S P / G )
2 .[( s  L ( S P / G )  ( s   L ( G ))  (  S P ( P ( s )])]  [ s   L ( S P / G )]
Language
marked
by S P / G : L m ( S P / G )  L ( S P / G )  L m ( G )
Specifications of Controlled System
Feedback supervisor S (SP) introduced to
eliminate “illegal” traces in G.
Legal behavior of L(G) is La, where a –
admissible
L ( S / G )  La  L (G )
L m ( S / G )  Lam  L m (G )
Partially observable, replace S by SP
Specifications of Controlled System
La (or Lam) obtained after accounting for all
specifications of system
These specifications are themselves
described by one or more (possible marked)
languages, Ks,i, i=1,…..,m
If specification language Ks,i is not given as
subset of L(G) (or Lm(G)), then we take
L a , i  L (G )  K s , i
or L am , i  L m ( G )  K s , i : events absent
from K s , i are illegal
or we take
L a , i  L (G ) K s , i
or L am , i  L m ( G ) K s , i : ( L ( G ) \ K s , i ) is irrelevant
to K s , i