Failure diagnosis of discrete-event systems with linear-time temporal logic specifications

The paper studies failure diagnosis of discrete-event systems (DESs) with linear-time temporal logic (LTL) specifications. The LTL formulas are used for specifying failures in the system. The LTL-based specifications make the specification specifying process easier and more user-friendly than the formal language/automata-based specifications; and they can capture the failures representing the violation of both liveness and safety properties, whereas the prior formal language/automaton-based specifications can capture the failures representing the violation of only the safety properties (such as the occurrence of a faulty event or the arrival at a failed state). Prediagnosability and diagnosability of DESs in the temporal logic setting are defined. The problem of testing prediagnosability and diagnosability is reduced to the problem of model checking. An algorithm for the test of prediagnosability and diagnosability, and the synthesis of a diagnoser is obtained. The complexity of the algorithm is exponential in the length of each specification LTL formula, and polynomial in the number of system states and the number of specifications. The requirement of nonexistence of unobservable cycles in the system, which is needed for the diagnosis algorithms in prior methods to work, is relaxed. Finally, a simple example is given for illustration.     

Safe reasoning with Logic LTS

Previous work has introduced the setting of Logic Labelled Transition Systems, called Logic LTS or LLTS for short, together with a variant of ready simulation as its fully-abstract refinement preorder, which allows one to compose operational specifications using a CSP-style parallel operator and the propositional connectives conjunction and disjunction.In this article, we show how a temporal logic for specifying safety properties may be embedded into LLTS so that (a) the temporal operators are compositional for ready simulation; (b) ready simulation, when restricted to pairs of processes and formulas, coincides with the logic’s satisfaction relation; (c) ready simulation, when restricted to formulas, is entailment.The utility of this setting as a semantic foundation for mixed operational and temporal-logic specification languages is demonstrated by means of a simple example. We also adopt the concept of may- and must-transitions from modal transition systems for notational convenience, and investigate the relation between modal refinement on modal transition systems and ready simulation on LLTS.     

Temporal logic query checking: a tool for model exploration

Temporal logic query checking was first introduced by W. Chan in order to speed up design understanding by discovering properties not known a priori. A query is a temporal logic formula containing a special symbol ?/sub 1/, known as a placeholder. Given a Kripke structure and a propositional formula /spl phi/, we say that /spl phi/ satisfies the query if replacing the placeholder by /spl phi/ results in a temporal logic formula satisfied by the Kripke structure. A solution to a temporal logic query on a Kripke structure is the set of all propositional formulas that satisfy the query. Query checking helps discover temporal properties of a system and, as such, is a useful tool for model exploration. In this paper, we show that query checking is applicable to a variety of model exploration tasks, ranging from invariant computation to test case generation. We illustrate these using a Cruise Control System. Additionally, we show that query checking is an instance of a multi-valued model checking of Chechik et al. This approach enables us to build an implementation of a temporal logic query checker, TLQSolver, on top of our existing multi-valued model checker /sub /spl chi//Chek. It also allows us to decide a large class of queries and introduce witnesses for temporal logic queries-an essential notion for effective model exploration.     

Model Checking Downward Simulations

This paper shows how downward simulation can be checked using existing temporal logic model checkers. In particular, we show how the branching time temporal logic CTL can be used to encode the standard downward simulation conditions. We do this for both a blocking, or guarded, interpretation of operations (often used when specifying reactive systems) as well as the more common non-blocking interpretation of operations used in many state-based specification languages (for modelling sequential systems). The approach is general enough to use with any state-based specification language, and any CTL model checker in which the language can be encoded.     

Verifying data refinements using a model checker

In this paper, we consider how refinements between state-based specifications (e.g., written in Z) can be checked by use of a model checker. Specifically, we are interested in the verification of downward and upward simulations which are the standard approach to verifying refinements in state-based notations. We show how downward and upward simulations can be checked using existing temporal logic model checkers.In particular, we show how the branching time temporal logic CTL can be used to encode the standard simulation conditions. We do this for both a blocking, or guarded, interpretation of operations (often used when specifying reactive systems) as well as the more common non-blocking interpretation of operations used in many state-based specification languages (for modelling sequential systems). The approach is general enough to use with any state-based specification language, and we illustrate how refinements between Z specifications can be checked using the SAL CTL model checker using a small example.     

具有多项式时间复杂性的离散事件系统安全诊断

离散事件系统的故障诊断能将已发生的不可观故障事件及时诊断出来,但往往容易忽略故障诊断期间系统的安全性.为解决这一问题,提出了一种具有多项式时间复杂性的安全故障诊断方法.先对离散事件系统的安全可诊断性进行了形式化,再通过构造一个非法语言识别器对系统被禁止操作序列进行识别,并在此基础上构建了一个对系统实施安全诊断的安全验证器,得到了一个关于离散事件系统安全可诊断性的充分必要条件,实现了对系统的安全故障诊断.同时,通过对安全验证器的构建与安全可诊断性的判定的复杂性分析,得到了该安全故障诊断方法可在多项式时间内实现等结论.     

基于时态逻辑的工作流分析

工作流的属性规约语言需要具有高表达力以及基于状态和事件的推理能力。本文提出了一种时态逻辑规约语言E-CTL^＊，该语言集成了状态和事件，能够精确和直觉地表示验证的属性。工作流的畅通性验证无论在时间上还是空间上代价都是非常高的，状态空间爆炸是验证的主要困难所在。利用E-CTL^＊描述畅通性，可以使用存在的符号化模型检测工具验证畅通性，在一定程度上克服了状态爆炸问题。同时模型检测技术给出失效路径的优点可以引导我们纠正工作流的错误。工作流的变动需要具有正确性。从时态逻辑的角度讨论了变动正确性问题，得出了保持变动正确性的一般特征。     

Active diagnosis of discrete-event systems

The need for accurate and timely diagnosis of system failures and the advantages of automated diagnostic systems are well appreciated. However, diagnosability considerations are often not explicitly taken into account in the system design. In particular, design of the controller and that of the diagnostic subsystem are decoupled, and this may significantly affect the diagnosability properties of a system. The authors present an integrated approach to control and diagnosis. More specifically, they present an approach for the design of diagnosable systems by appropriate design of the system controller. This problem, which they refer to as the active diagnosis problem, is studied in the framework of discrete-event systems (DESs); it is based on prior and new results on the theory of diagnosis for DESs and on existing results in supervisory control under partial observations. They formulate the active diagnosis problem as a supervisory control problem where the legal language is an “appropriate” regular sublanguage of the regular language generated by the system. They present an iterative procedure for determining the supremal controllable, observable, and diagnosable sublanguage of the legal language and for obtaining the supervisor that synthesizes this language. This procedure provides both a controller that ensures diagnosability of the closed-loop system and a diagnoser for online failure diagnosis. The procedure can be implemented using finite-state machines and is guaranteed to converge in a finite number of iterations. The authors illustrate their approach using a simple pump-valve system     

Temporal-logic property preservation under Z refinement

Formal specification languages such as Z, B and VDM are used in the incremental development of abstract specifications (suitable for establishing required properties) to more concrete specifications (resembling the final implementation). This incremental development process, known as refinement, preserves all observable properties of the original abstract specification. Recent research has looked at applying temporal-logic model checking to such specification languages. While this assists in the establishment of properties of the abstract specification, temporal-logic properties typically refer to state variables which are regarded as non-observable. Hence, such properties are not guaranteed to be preserved by refinement. This paper investigates the classes of temporal-logic properties which are preserved by refinement, and for some of those properties that are not preserved in general, the restrictions on the refinement process under which they are preserved. Results are presented for the temporal logics LTL, CTL and the μ-calculus and the formal specification language Z. They apply equally, however, to related formal specification languages such as B and VDM.     

A unified concurrent-composition method to state/event inference and concealment in labeled finite-state automata as discrete-event systems

Discrete-event systems (DESs) usually consist of discrete states and transitions between them caused by spontaneous occurrences of labeled events. In this review article, we study DESs modeled by labeled (nondeterministic) finite-state automata (LFSAs). Due to the partially-observed feature of DESs, fundamental properties therein can be classified into two categories: state/event-inference-based properties (e.g., strong detectability, diagnosability, and predictability) and state-concealment-based properties (e.g., opacity). Intuitively, the former category describe whether one can use observed output sequences to infer the current and subsequent states, past occurrences of faulty events, or future certain occurrences of faulty events; while the latter describe whether one cannot use observed output sequences to infer whether secret states have been visited (that is, whether the DES can conceal the status that its secret states have been visited). Over the past two decades these properties were studied separately using different methods, and particularly, in most works inference-based properties were verified based on two fundamental assumptions of deadlock-freeness and divergence-freeness, where the former implies that an automaton will always run, the latter implies that an automaton has no reachable unobservable cycle, hence the running of such an automaton will always be eventually observed. In this article, for LFSAs, a unified concurrent-composition method is shown to verify all above inference-based and concealment-based properties, resulting in a unified mathematical framework for the two categories of properties. In addition, compared with the previous methods in the literature, the concurrent-composition method does not depend on assumptions and is currently the most efficient. Finally, based on concurrent composition, we represent the negations of the above inference-based properties as linear temporal logic (LTL) formulae; by combining the concurrent composition and an additional tool called observer (i.e., the classical powerset construction for LFSAs), we also represent the above concealment-based properties as LTL formulae. Although LTL formulae model checking algorithms do not provide more efficient verification for these inference-based and concealment-based properties, the obtained LTL formulae show common similarities among these properties.     

On controlling prioritized discrete event systems with real-time constraints

We study a class of prioritized Discrete Event Systems (DESs) that involve the control of resources allocated to tasks under real-time constraints. Our work is motivated by applications in communication systems, computing systems, and manufacturing systems where the objective is to minimize energy consumption while guaranteeing that task deadlines are always met. In the off-line setting, we discover several structural properties of the optimal sample path of such DESs. Using the structural properties, we also propose a greedy algorithm which is shown numerically near optimal. For on-line control, we design a Receding Horizon (RH) controller. Using worst-case estimation, the RH control is able to guarantee feasibility (when the off-line problem is feasible) and achieve good performance.     

Vacuity detection in temporal model checking

One of the advantages of temporal-logic model-checking tools is their ability to accompany a negative answer to the correctness query by a counterexample to the satisfaction of the specification in the system. On the other hand, when the answer to the correctness query is positive, most model-checking tools provide no witness for the satisfaction of the specification. In the last few years there has been growing awareness as to the importance of suspecting the system or the specification of containing an error also in the case model checking succeeds. The main justification of such suspects are possible errors in the modeling of the system or of the specification. Many such errors can be detected by further automatic reasoning about the system and the environment. In particular, Beer et al. described a method for the detection of vacuous satisfaction of temporal logic specifications and the generation of interesting witnesses for the satisfaction of specifications. For example, verifying a system with respect to the specification ϕ=AG(reqAFgrant) (“every request is eventually followed by a grant”), we say that ϕ is satisfied vacuously in systems in which requests are never sent. An interesting witness for the satisfaction of ϕ is then a computation that satisfies ϕ and contains a request. Beer et al. considered only specifications of a limited fragment of ACTL, and with a restricted interpretation of vacuity. In this paper we present a general method for detection of vacuity and generation of interesting witnesses for specifications in CTL^*. Our definition of vacuity is stronger, in the sense that we check whether all the subformulas of the specification affect its truth value in the system. In addition, we study the advantages and disadvantages of alternative definitions of vacuity, study the problem of generating linear witnesses and counterexamples for branching temporal logic specifications, and analyze the complexity of the problem. Published online: 22 January 2002     

ITL semantics of composite Petri nets

interval temporal logic (itl) and Petri nets are two well developed formalisms for the specification and analysis of concurrent systems. itl allows one to specify both the system design and correctness requirements within the same logic based on intervals (sequences of states). As a result, verification of system properties can be carried out by checking that the formula describing a system implies the formula describing a requirement. Petri nets, on the other hand, have action and local state based semantics which allows for a direct expression of causality aspects in system behaviour. As a result, verification of system properties can be carried out using partial order reductions or invariant based techniques. In this paper, we investigate a basic semantical link between temporal logics and compositionally defined Petri nets. In particular, we aim at providing a support for the verification of behavioural properties of Petri nets using methods and techniques developed for itl.     

Design of multi-invariant data structures for robust sharedaccesses in multiprocessor systems

Multiprocessor systems are widely used in many application programs to enhance system reliability and performance. However, reliability does not come naturally with multiple processors. We develop a multi-invariant data structure approach to ensure efficient and robust access to shared data structures in multiprocessor systems. Essentially, the data structure is designed to satisfy two invariants, a strong invariant, and a weak invariant. The system operates at its peak performance when the strong invariant is true. The system will operate correctly even when only the weak invariant is true, though perhaps at a lower performance level. The design ensures that the weak invariant will always be true in spite of fail-stop processor failures during the execution. By allowing the system to converge to a state satisfying only the weak invariant, the overhead for incorporating fault tolerance can be reduced. We present the basic idea of multi-invariant data structures. We also develop design rules that systematically convert fault-intolerant data abstractions into corresponding fault-tolerant versions. In this transformation, we augment the data structure and access algorithms to ensure that the system always converges to the weak invariant, even in the presence of fail-stop processor failures. We also design methods for the detection of integrity violations and for restoring the strong invariant. Two data structures, namely binary search tree and double-linked list, are used to illustrate the concept of multi-invariant data structures     

An Equivalent CTL Formulation for Condition Sequences

A condition system is a form of Petri net that interacts with other condition systems and the environment via state-based signals called conditions. The condition language framework has been used in previous papers to characterize the input/output behavior of such interacting systems, as well as to specify desired control behavior among other things. In this paper, we show that condition sequences (the specification) and condition systems (the model of the system) have an equivalent structure in the computation tree logic (CTL) framework. The primary goals of this work are to be able to utilize existing tools for program verification for our systems, and to make our work more accessible to the temporal logic community.     

Failure diagnosis and recovery based on DES framework

As many industrial systems become more complex, it becomes extremely difficult to diagnose the cause of failures. This paper presents a new failure diagnosis approach based on discrete-event systems (DES) framework. In particular, the approach is a hybrid of event-based and state-based ones leading to a simpler failure diagnoser with supervisory control capability. In our approach, we include the failure recovery events for failures in the system model in order to derive a diagnoser we refer to as a recoverable diagnoser. Further, in order to reduce the state size of the recoverable diagnoser, a procedure to construct a high-level diagnoser is presented. The design procedure for diagnoser is presented along with a pump-valve system as a illustrative example.     

Towards a Hybrid Dynamic Logic for Hybrid Dynamic Systems

We introduce a hybrid variant of a dynamic logic with continuous state transitions along differential equations, and we present a sequent calculus for this extended hybrid dynamic logic. With the addition of satisfaction operators, this hybrid logic provides improved system introspection by referring to properties of states during system evolution. In addition to this, our calculus introduces state-based reasoning as a paradigm for delaying expansion of transitions using nominals as symbolic state labels. With these extensions, our hybrid dynamic logic advances the capabilities for compositional reasoning about (semialgebraic) hybrid dynamic systems. Moreover, the constructive reasoning support for goal-oriented analytic verification of hybrid dynamic systems carries over from the base calculus to our extended calculus.