Transcript Document

CS 367: Model-Based Reasoning
Lecture 7 (02/05/2002)
Gautam Biswas
Today’s Lecture
Last Lecture:
* Diagnoser Automata
* Notion of Diagnosability (Sampath paper)
* Supervisory Control
* Feedback control with supervisors: Complete and Partial Observation
* Specifications on Controlled Systems
Today’s Lecture:
* Discussion of HW problems
* Diagnosability and I-Diagnosability
* Specifications on Controlled Systems
* Controllability Theorem
Diagnoser Automata
[Figure: construction chain G -> Gobs -> Gdiag]
Diagnosability
G = (X, E, f, x0)
E = E_o ∪ E_uo
Failure events: E_f ⊆ E
Goal: identify elements of E_f by observing traces from E_o
Partition failures: E_f = E_f1 ∪ ... ∪ E_fm
Partitions represent: (i) inadequate sensors, (ii) it may not be required to isolate every fault event uniquely
Failure = some event of E_fi has occurred
G models normal and failed operation of the system
L(G) is live; G does not have a cycle of unobservable events
Diagnosability
Definition (informal):
Let s be any trace generated by the system that ends in a failure event from the set E_fi, and let t be a sufficiently long continuation of s.
Diagnosability means that every trace in the language that produces the same record of observable events as st must itself contain a failure event from E_fi.
Along every continuation t of s one can detect the failure of type F_i with finite delay, specifically in at most n_i transitions of the system after s.
Alternately, diagnosability requires that every failure event leads to observations distinct enough to enable unique identification of the failure type with a finite delay.
Diagnosability must hold for all traces in L(G) that contain a failure event.
Relaxed definition: I-diagnosability – the diagnosability condition is required to hold only for those traces in which a failure is followed by certain indicator events associated with every failure type.
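As an added example (not part of the lecture), the following Python code runs a diagnoser-style state estimate over a small constructed automaton G: each estimate is a set of (state, label) pairs with label N or F for the single failure type F1, closed under unobservable events, and the estimate is F-certain once every pair carries F. The states, events and transitions of G are constructed for the illustration.

```python
# Added example: diagnoser-style state estimation with failure labels.
# The automaton G below is constructed for illustration (not from the lecture).
# Observable E_o = {a, b, c}; unobservable E_uo = {f, u}; failure set E_f1 = {f}.
OBS = {"a", "b", "c"}
FAIL = {"f"}                      # E_f1: the single failure type
DELTA = {                         # partial transition function f(x, e) -> x'
    (0, "a"): 1,
    (1, "f"): 2,                  # unobservable failure
    (1, "u"): 3,                  # unobservable, non-failure
    (2, "b"): 4, (4, "c"): 4,     # behaviour after the failure
    (3, "b"): 5, (5, "a"): 5,     # normal behaviour that looks identical for one step
}

def unobservable_reach(estimate):
    """Close a set of (state, label) pairs under unobservable events.
    A pair switches to label F when a failure event is taken; G has no
    cycle of unobservable events, and the 'seen' set guards termination anyway."""
    stack, seen = list(estimate), set(estimate)
    while stack:
        x, lab = stack.pop()
        for (src, e), dst in DELTA.items():
            if src == x and e not in OBS:
                pair = (dst, "F" if lab == "F" or e in FAIL else "N")
                if pair not in seen:
                    seen.add(pair)
                    stack.append(pair)
    return frozenset(seen)

def step(estimate, obs_event):
    """Diagnoser transition on one observable event, then unobservable closure."""
    moved = {(DELTA[(x, obs_event)], lab)
             for x, lab in estimate if (x, obs_event) in DELTA}
    return unobservable_reach(moved)

def diagnose(observed):
    """Run the diagnoser on an observed record P(st) and classify the estimate."""
    est = unobservable_reach({(0, "N")})
    for e in observed:
        est = step(est, e)
    labels = frozenset(lab for _, lab in est)
    verdict = {frozenset("F"): "F-certain", frozenset("N"): "N-certain"}
    return est, verdict.get(labels, "F-uncertain")

if __name__ == "__main__":
    for rec in ("a", "ab", "abc", "aba"):
        print(rec, *diagnose(rec))
```

The record ab leaves the estimate F-uncertain, but the next observable event (c or a) resolves it, so in this constructed system the failure f is identified with delay n_1 = 1.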
Feedback Loop for Supervisory Control
[Figure: closed loop in which the DES G generates the string s, and the supervisor S observes s and returns the control action S(s); L(G) = L, Lm(G) = Lm]
G  ( X , E , f , , x 0 , X m )
E  E c  E uc
E c : controllable events
E uc : uncontrollable events
Assume all events are observable: s all events executed by G so far
and S has seen them all
How is control achieved? Controllable events of G can be
dynamically enabled or disabled by S
Formally, a supervisor is a function S : L(G)  2E
For each s  L(G )generated by G (supervised by S) S ( s)  ( f ( x0 , s))
is the set of enabled events that G can execute at it current state f ( x0 , s)
G cannot execute event unless it belons to S(s)
Control under Partial Observation
E = E_c ∪ E_uc = E_o ∪ E_uo
[Figure: G generates s; the projection P maps it to P(s); the P-supervisor S_P returns the control action S_P[P(s)]]
E_c: controllable events
E_uo: unobservable events
P: E* → E_o*: natural projection
Because of P the supervisor cannot distinguish between s1 and s2 when P(s1) = P(s2); for such s1, s2 ∈ L(G) the supervisor will generate the same control action.
Control action under partial observation: S_P: P[L(G)] → 2^E
S_P: P-supervisor
The control action can change only after the occurrence of an observable event; but this action takes effect before the next unobservable event occurs.
Specifications of Controlled System
A feedback supervisor S (or S_P) is introduced to eliminate “illegal” traces in G.
The legal behavior of L(G) is L_a, where a stands for admissible:
L(S/G) = L_a ⊆ L(G)
Lm(S/G) = L_am ⊆ Lm(G)
Under partial observation, replace S by S_P.
Specifications of Controlled System
L_a (or L_am) is obtained after accounting for all specifications on the system; L_am is used when L(G) has blocking states.
These specifications are themselves described by one or more (possibly marked) languages K_s,i, i = 1, ..., m.
If the specification language K_s,i is not given as a subset of L(G) (or Lm(G)), then we take either
L_a,i = L(G) ∩ K_s,i
or L_am,i = Lm(G) ∩ K_s,i: events absent from K_s,i are illegal;
or we take
L_a,i = L(G) || K_s,i
or L_am,i = Lm(G) || K_s,i: (L(G) \ K_s,i) is irrelevant to K_s,i.
The L_a,i's (or L_am,i's) are combined to form L_a (or L_am) by intersection or parallel composition.
Example: Plain Old Telephone System (POTS)
Specification: no one can call user 0 successfully if user 0 has picked up the handset.
[Figure: specification automaton K_s for user 0 with states INIT and OFFHOOK; offho moves INIT to OFFHOOK and onho returns to INIT; the connection events con10 and con20 appear at INIT only; L_a is formed from L(G) and K_s]
Events that define call processing features:
* phone i off hook
* phone i on hook
* request connection from user i to user j
* establish connection between users i and j
* forwarding calls from user i to j to k
* connection cannot be established because of
screening list of user j
Consider a 3-user telephone system.
The complete system model G is the shuffle of the individual models.
Livelock occurs when user 1 forwards his calls to user 2, user 2 to user 3, and user 3 to user 1.
Modifying Automata to Account for Illegal Behavior
Illegal States in G: delete these states from G (remove the state and its transitions, then take the accessible part with the Ac operation).
State Splitting: if the spec requires remembering how a state in G was reached in order to determine what future behavior is legal, then split the state.
Event Alternation: if the spec requires alternation of two events, build a two-state automaton to capture this and take its parallel composition with G.
Illegal Substring: remove all strings of L(G) that contain s_f = σ1 σ2 ... σn ∈ E*.
H_spec = (X, E, f, x0, X)
1. X = {ε, σ1, σ1σ2, ..., σ1...σ(n-1)}: associate a state with every proper prefix of s_f.
2. Transition function in two steps:
2.1 f(σ1...σi, σ(i+1)) = σ1...σ(i+1), i = 0, ..., n-2
2.2 Complete f to E at all states of X, except for the state σ1...σ(n-1), which is completed to E \ {σn}:
    f(σ1...σi, σ) = the state in X corresponding to the longest suffix of σ1...σiσ that is a proper prefix of s_f
3. Take x0 = ε.
L(H_spec) = Lm(H_spec) = E* \ E*{s_f}E*
H_a = H_spec || G
Controllability
Nonblocking Controllability Theorem (NCT)
Consider a DES G where E_uc ⊆ E is the set of uncontrollable events. Consider also the language K ⊆ Lm(G), where K ≠ ∅.
There exists a nonblocking supervisor S for G such that Lm(S/G) = K (and L(S/G) = K̄)
iff the following two conditions hold:
1. [controllability] K̄ E_uc ∩ L(G) ⊆ K̄
2. [Lm(G)-closure] K is Lm(G)-closed, i.e., K = K̄ ∩ Lm(G)
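As an added example (not from the lecture), the two NCT conditions can be checked mechanically for finite automata by exploring the product of the specification automaton H with G: condition 1 fails exactly where H disables an uncontrollable event that G can execute, and condition 2 fails where G is in a marked state but H is not. The plant G and the spec automata H1, H2 below are constructed for the illustration, and K = Lm(H) is assumed to satisfy the theorem's hypothesis K ⊆ Lm(G).

```python
# Added example: mechanically checking the two NCT conditions for finite
# automata.  G, H1 and H2 are constructed for illustration (not from the lecture).
# An automaton is (x0, f, Xm): initial state, transition dict f[(x, e)] = x',
# marked states.  With K = Lm(H) ⊆ Lm(G) assumed, the reachable part of the
# product H x G explored below generates exactly K̄.

def reachable_product(G, H):
    """Reachable pairs (h, g) of H x G and the G-transitions that H blocks."""
    g0, gf, _ = G
    h0, hf, _ = H
    seen, stack, blocked = {(h0, g0)}, [(h0, g0)], []
    while stack:
        h, g = stack.pop()
        for (src, e), dst in gf.items():
            if src != g:
                continue
            if (h, e) in hf:
                nxt = (hf[(h, e)], dst)
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
            else:
                blocked.append((h, g, e))        # H disables e at (h, g)
    return seen, blocked

def controllability_violations(G, H, E_uc):
    """Condition 1: K̄ E_uc ∩ L(G) ⊆ K̄ fails exactly where H blocks an
    uncontrollable event that G can execute."""
    _, blocked = reachable_product(G, H)
    return [(h, g, e) for h, g, e in blocked if e in E_uc]

def closure_violations(G, H):
    """Condition 2: K̄ ∩ Lm(G) ⊆ K fails where G is marked but H is not."""
    pairs, _ = reachable_product(G, H)
    return [(h, g) for h, g in pairs if g in G[2] and h not in H[2]]

def nonblocking_supervisor_exists(G, H, E_uc):
    return not controllability_violations(G, H, E_uc) and not closure_violations(G, H)

# Constructed plant: a = start (controllable), b = finish (uncontrollable),
# c = break down (uncontrollable), r = repair (controllable)
G = (0, {(0, "a"): 1, (1, "b"): 0, (1, "c"): 2, (2, "r"): 0}, {0})
E_UC = {"b", "c"}
# H1: "never break down" -- not achievable, since c is uncontrollable
H1 = (0, {(0, "a"): 1, (1, "b"): 0}, {0})
# H2: "stop after the first repair" -- only disables the controllable event a
H2 = (0, {(0, "a"): 1, (1, "b"): 0, (1, "c"): 2, (2, "r"): 3}, {0, 3})

if __name__ == "__main__":
    for name, H in (("H1", H1), ("H2", H2)):
        print(name, controllability_violations(G, H, E_UC), closure_violations(G, H))
```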