Estimation and Verification of Partially-Observed Discrete-Event Systems
Xiang Yin

TL;DR
This paper addresses state estimation and verification challenges in Discrete-Event Systems, a key class of cyber-physical systems, focusing on methods to improve their reliability and safety.
Contribution
It introduces novel approaches for estimation and verification specifically tailored for partially-observed Discrete-Event Systems.
Findings
Enhanced estimation accuracy in partially-observed DES
Improved verification methods for system safety
Framework applicable to complex cyber-physical systems
Abstract
This article considers state estimation and veri cation problems for an important class of man-made cyber-physical systems called Discrete-Event Systems (DES).
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsPetri Nets in System Modeling · Formal Methods in Verification · Radiation Effects in Electronics
∎
11institutetext: X. Yin 22institutetext: Department of Automation, Shanghai Jiao Tong University, Shanghai 200240, China.
22email: [email protected]
Estimation and Verification of Partially-Observed Discrete-Event Systems
Xiang Yin
Keywords:
Discrete-Event Systems Partial Observation State Estimation Verification Detectability Diagnosability Opacity
††journal: Encyclopedia of Electrical and Electronics Engineering
1 Introduction
State estimation is one of the most fundamental problems in the systems and control theory. In many real-world systems, it is not always possible to access the full information of the system due to measurement noises/uncertainties and the existence of adversaries. Therefore, how to estimate the state of the system is crucial when one wants to make decisions based on the limited and incomplete information.
Given a system, one of the most important questions is to prove/disprove the correctness of the system with respect to some desired requirement (or specification). In particular, we would like to check the correctness of the system in a formal manner in the sense that the checking procedures are algorithmic and results have provable correctness guarantees. Such a formal satisfaction checking problem is referred to as the verification problem. Performing formal property verification is very important for many complicated but safety-critical infrastructures.
This article considers state estimation and verification problems for an important class of man-made cyber-physical systems called Discrete-Event Systems (DES). Roughly speaking, DES are dynamic systems with discrete state-spaces and event-triggered dynamics. DES models are widely used in the study of complex automated systems where the behavior is inherently event-driven, as well as in the study of discrete abstractions of continuous, hybrid, and/or cyber-physical systems. Over the past decades, the theory of DES has been successfully applied to many real-world problems, e.g., the control of automated systems, fault diagnosis/prognosis and information-flow security analysis.
The main purpose of this article is to provide a tutorial and an overview of state estimation techniques and their related property verification problems for partially-observed DES. Specifically, we focus on the verification of observational properties, i.e., information-flow properties whose satisfactions are based on the observation of the system. The outline of this article is as follows:
- •
In Section 2, we briefly introduce some necessary terminologies and the partially-observed DES model considered in this article.
- •
In Section 3, we introduce three types of state estimation problems, namely, current state estimation, initial state estimation and delayed state estimation. Then we provide state estimation techniques for different state estimation problems.
- •
In Section 4, we introduce several important observational properties that arise in the analysis of partially-observed DES. In particular, we consider detectability, diagnosability, prognosability, distinguishability and opacity, which cover most of the important properties in partially-observed DES. One feature of this section is that we study all these properties in a uniform manner by defining them in terms of state estimates introduced in Section 3.
- •
In Section 5, we provide verification procedures for all properties introduced in Section 4. All verification procedures are summarized as detailed algorithms using state estimation techniques provided in Section 3.
- •
In Section 6, some related problems and further readings on estimation and verification of partially-observed DES are provided.
The entire article is self-contained. Related references are provided in each section.
2 Partially-Observed Discrete-Event Systems
This section provides the basic model of partially-observed DES and some related terminologies. The reader is referred to the textbook Lbook for more details on DES.
Let be a finite set of events. A string is a finite sequence of events. We denote by the set of all strings over including the empty string . For any string , we denote by its length with . A language is a set of strings. For any string in language , we denote by the post-language of in , i.e., . The prefix-closure of language is defined by ; is said to be prefix-closed if .
A DES is modeled as a non-deterministic finite-state automaton (NFA)
[TABLE]
where is a finite set of states, is a finite set of events, is the (partial) non-deterministic transition function, where for any , means that there exists a transition from state to state with event label , and is the set of initial states. The transition function is also extended to recursively by: (i) ; and (ii) for any , we have . For the sake of simplicity, we write . We define as the set of strings that can be generated by from state , where “” means “is defined”. We define the language generated by system . System is a deterministic finite-state automaton (DFA) if (i) ; and (ii) . We say that a sequence of state forms a cycle in if (i) ; and (ii) .
Let and be two automata. The product of and , denoted by , is defined as the accessible part of a new NFA
[TABLE]
where the transition function is defined by: for any , for any , we have
[TABLE]
In the partial observation setting, not all events generated by the system can be observed. Formally, we assume that the event set is partitioned as follows
[TABLE]
where is the set of observable events and is the set of unobservable events. The natural projection from to is a mapping defined recursively as follows:
[TABLE]
That is, for any string , is obtained by erasing all unobservable events in it. We denote by the inverse projection, i.e., for any , we have . Note that the codomain of is as the inverse projection of a string is not unique in general. We also extend the natural projection to by: for any , . The inverse mapping is also extended to analogously.
Hereafter, we make the following standard assumptions in the analysis of partially-observed DES:
- A1
System is live, i.e., ; and 2. A2
System does not contain an unobservable cycle, i.e., .
3 State Estimation under Partial Observation
3.1 State Estimation Problems
Since the system is partially-observed, one important question is what do we know about the system’s state when a (projected) string is observed. This is referred to as the state estimation problem in the system’s theory.
One of the most fundamental state estimation problems is the current state estimation problem, i.e., we want to estimate all possible states the system can be in currently based on the observation.
Definition 1
(Current-State-Estimate) Let be a DES with observable events and be an observed string. The current-state-estimate upon the occurrence of , denoted by , is the set of states the system could be in currently based on observation , i.e.,
[TABLE]
Instead of knowing the current state of the system, in some applications, one may also be interested in knowing which initial states the system may start from. This is referred to as the initial state estimation problem defined as follows.
Definition 2
(Initial-State-Estimate) Let be a DES with observable events and be an observed string. The initial-state-estimate upon the occurrence of , denoted by , is the set of initial states the system could start from initially based on observation , i.e.,
[TABLE]
Note that, in the current-state-estimate, we use the observation up to the current instant to estimate the set of all possible states the system can be in at this instant. If we keep observing more events in the future, our knowledge of the system’s state at that instant may be further improved as some states in the current-state-estimate may not be consistent with the future observation. In other words, we can use future information to further improve our knowledge about the system’s state for some previous instant. This is also referred to as the “smoothing” process; such a smoothed state estimate is also called the delayed-state-estimated defined as follows.
Definition 3
(Delayed-State-Estimate) Let be a DES with observable events and be an observed string. The delayed-state-estimate for the instant of upon the occurrence of , denoted by , is the set of states the system could be in steps ago when is observed, i.e.,
[TABLE]
Example 1
Let us consider system shown in Figure 1(a), where and . Let us consider observable string . We have . Then we know that the system may start from states [math] or , i.e, . Also, the system may be currently in states or , i.e., . From string , if we further observe event in the next instant, then we know that , since event cannot occur from state .
3.2 State Estimation Techniques
In this subsection, we provide techniques for computing different notions of state-estimates.
3.2.1 Computation of Current-State-Estimate
The general idea for computing the current-state-estimate is to construct a structure that tracks all possible states consistent with the current observation. This construction is well-known as the subset construction technique that can be used to convert a NFA to a DFA. In the DES literature, this structure is usually referred to as the observer automaton.
Definition 4
(Observer) Given system with observable events , the observer is a new DFA
[TABLE]
where is the set of states, is the unique initial state and is the deterministic transition function defined by: for any , we have
[TABLE]
For the sake of simplicity, we will only consider the accessible part of .
Intuitively, the observer state tracks all possible states the system can be in currently based on the observation. Formally, we have the following result.
Proposition 1
For any system with , its observer has the following properties:
; and 2. 2.
For any , we have .
Therefore, given an observation , its current-state-estimate can simply be computed by Algorithm 1. Note that the complexity of building is , which is exponential in the size of . However, we can update the current-state-estimate recursively online and each update step only requires a polynomial complexity.
3.2.2 Computation of Initial-State-Estimate
We provide two approaches for the computation of initial-state-estimate.
The first approach is based on the augmented automaton that augments the state-space of the original system by tracking where each state starts from. This approach sometimes is also referred to as the trellis-based approach in the literature.
Formally, given a system , its augmented automaton is a new NFA
[TABLE]
where is the set of states, is the transition function defined by: for any , we have , and is the initial state.
We can see easily that and for each state in , its first component contains its initial state information and its second component contains its current state information. Let be the observer of . We can easily show that
[TABLE]
where for any , denotes the projection to its first component, i.e., . This observation suggests Algorithm 2 for computing the initial-state-estimate.
The idea of the augmented-automaton-based approach is also very useful for many other purposes, e.g., control synthesis for initial state estimation, as it only uses the dynamic of the system up to the current point. However, the complexity of Algorithm 2 is as the size of is quadratic in the size of . Here we provide the second approach for computing the initial-state-estimate with a lower complexity based on the reversed automaton of .
For any NFA , its reversed automaton is a new NFA
[TABLE]
where the transition function is defined by: . Note that the initial state of is the entire state space. For any string , we denote by its reversed string, i.e., . Then the following result shows that the initial-state-estimate of a string in can be computed based on the current-state-estimate of its reversed string in the reversed automaton .
Proposition 2
wu2013comparative * For any , we have .*
Based on the above result, Algorithm 3 is proposed to compute the initial-state-estimate and its complexity is only .
3.2.3 Computation of Delayed-State-Estimate
For any , the delayed-state-estimate involves two parts of information: the current information and the future information . Recall that we are interested in estimating states for the instant of . The following result shows that the delayed-state-estimate can simply be separated as two parts that do not depend on each other.
Proposition 3
yin2017new * For any , we have*
[TABLE]
Based on Proposition 3, Algorithm 4 can be used to compute the delayed-state-estimate and its complexity is also .
Example 2
We still consider system shown in Figure 1(a), where and . Its observer is shown in Figure 1(b). For example, string reaches state from the initial state in . Therefore, we have . To preform initial state estimation and delayed state estimation, we need to build the reversed automaton and its observer shown in Figures 2(a) and 2(b), respectively. For example, string reaches state from the initial state in . Therefore, we have , i.e., we know for sure that the system was initially from state [math]. To computed the delayed-state-estimate , we have .
4 Properties of Partially-Observed DES
In this section, we discuss several important properties in partially-observed DES. As we mentioned before, we will only focus on observational properties.
4.1 Detectability
In the previous section, we have provided algorithms for computing state estimates. Then the natural question arises as to can the state estimation algorithm (eventually) provides precise state information. This is referred to as the detectability verification problem. Here, we consider three most fundamental types of detectability.
Definition 5
(Detectability shu2007detectability ; shu2013detectability ; shu2013delayed ) Let be a DES with . Then is said to be
- •
current-state detectable if ;
- •
initial-state detectable if ;
- •
delayed detectable (w.r.t. parameters ) if .
Intuitively, current-state detectability (respectively, initial-state detectability) requires that the current state (initial state) of the system can always be detected unambiguously within a finite delay. Note that, for initial-state-estimate, once the initial state is detected, we know it for sure forever, which is not the case for current-state-estimation. Delayed detectability requires that, for any specific instant after steps, we can always unambiguously determine the precise state of the system at that instant with at most steps of information delay. That is, one is allowed to use future information to “smooth” the state estimate of a previous instant.
The concept of detectability was initially proposed by Shu and Lin in shu2007detectability , which generalizes the concept of observability studied in ozveren1990observability . There are also other notions of detectability proposed in the literature. For example, weak detectability shu2007detectability requires that the state of the system can be detected for some path generated by the system. Also, shu2007detectability proposed the notion of periodic detectability, which requires that the state of the system can be detected periodically. In hadjicostis2016k , the authors proposed the notion of -detectability by replacing the detection condition as , where is a positive integer specifying the detection precision. A generalized version of detectability was proposed in shu2011generalized . The reader is referred to sasi2018detectability ; keroglou2017verification ; masopust2019complexity ; masopust2018complexity ; shu2008state ; yin2017verification ; zhang2017problem for more references on detectability.
4.2 Diagnosability and Prognosability of Fault
Another important application of partially-observed DES is the fault diagnosis/prognosis problem. In this setting, we assume that system may have some fault modeled as fault events . For any string , we write if contains a fault event in . We define as the set of strings that end up with fault events. In the fault diagnosis problem, we assume that all fault events are unobervable; otherwise, it can be diagnosed trivially. Without loss of generality, we can further assume that the state space of is partitioned as fault states and non-fault states
[TABLE]
such that
- •
; and
- •
.
This assumption can be fulfilled by taking the product between and a new automaton with two states capturing the occurrence of fault; see, e.g., Lbook .
To diagnose the occurrence of fault, the current state estimation technique can be applied. Specifically, for any observation , we know that
- •
the fault has occurred for sure if ;
- •
the fault has not occurred for sure if ;
- •
the fault may have occurred but it is uncertain if and .
Then the natural question arises as to can we always determine the occurrence of fault within a finite number of delays. This is captured by the notion of diagnosability as follows.
Definition 6
(Diagnosability) System is said to be diagnosable w.r.t. and if .
Remark 1
For the sake of simplicity, our definition of diagnosability is based on the current-state-estimate and the pre-specified fault states. Diagnosability was originally defined by sampath1995diagnosability purely based on languages as follows
[TABLE]
One can easily check that the language-based definition and the current-state-estimate-based definition are equivalent. Also, in general, the non-fault behavior can be described as a specification language rather than fault events; this formulation can also be transformed to our event-based fault setting by refining the state-space of the system; see, e.g., yoo2008diagnosis .
The concept of diagnosability of DES was first introduced in lin1994diagnosability , where state-based faults are considered. In sampath1995diagnosability , the authors introduced the language-based formulation of diagnosability. Since then many variations of diagnosability have been studied in the literature. For example, model reduction for diagnosability was studied in zad2003fault . Diagnosability of repeated/intermittent faults was studied in jiang2003diagnosis ; contant2004diagnosis ; fabre2018diagnosability . The reader is referred to the recent survey zaytoon2013overview for more references on diagnosability analysis.
In some applications, we may want to predict the occurrence of fault before it actually occurs. This problem is referred to as the fault prognosis problem. Still, we assume that is the set of fault events and is the set of non-fault states. However, in the fault prognosis problem, a fault event needs not be unobservable. To formulate the problem, we define the following two sets of states:
- •
boundary states, ; and
- •
indicator states, .
Intuitively, a boundary state is a non-fault state from which a fault event may occur in the next step, and an indicator state is a state from which a fault event will occur for sure within a finite number of steps. With the help indicator states, we can also use current-state-estimation algorithm to perform online fault progsnosis. Specifically, for any observation , we know that
- •
the fault will occur for sure in a finite number of steps if ;
- •
the fault is not guaranteed to occur within any finite number of steps if .
Similarly, the natural question arises as to can we successfully predict the occurrence of fault in the sense that: (i) there is no missed fault; and (ii) there is no false alarm. This is captured by the notion of prognosability as follows.
Definition 7
(Prognosability) System is said to be prognosable w.r.t. and if .
Prognosability is also referred to as predictability in the literature. Intuitively, prognosability requires that, for any string that reaches a boundary state, it has a prefix for which we can claim unambiguously that fault will occur for sure in the future, i.e., we can issue a fault alarm. Still, for the sake of simplicity, here we characterize prognosability using current-state-estimate, boundary states and indicator states. Our definition is also equivalent to the language-based definition in jeron2008predictability ; genc2009predictability , where predictability was originally introduced. Prognosability also has several variations in the literature. For example, in yin2016decentralized , two performance bounds were proposed to characterize how early a fault alarm can be issued and when a fault is guaranteed to occur once an alarm is issued.
4.3 State Disambiguation and Observability
In some applications, the purpose of state estimation is to distinguish some states. This problem is referred to as the state disambiguation problem wang2007algorithm ; sears2014computing ; yin2018minimization . Formally, the specification of this problem is defined as a set of state pairs and we want to make sure that we can always distinguish between a pair of states in .
Definition 8
(Distinguishability) System is said to be distinguishable w.r.t. and if .
Distinguishability is very useful as many important properties in the literature can be formulated as distinguishability. For example, one can check that prognosability can actually be re-written as ditinguishability with specification . Observability is another important property in partially-observed DES, which together with controllability provide the necessary and sufficient conditions for the existence of a supervisor achieving a desired language. The reader is referred to lin1988observability ; cieslak1988 for formal definition of observability. This property is also a special case of distinguishability (possibly after state-space refinement) as it essentially requires that we can distinguish two states at which different control actions are needed; see, e.g., wang2007algorithm .
4.4 Opacity
Finally, state estimation is also useful in information-flow security analysis, which is an important topic in cyber-physical systems. In this setting, we assume that the system is also monitored by a passive intruder (eavesdropper) that can observe the occurrences of events in . Furthermore, we assume that the system has a “secret” that does not want to be revealed to the intruder. In general, what is a secret is problem dependent. Here, we consider a simple scenario where the secret is modeled as a set of secret states . Then we use the notion of opacity to characterize whether or not the secret can be revealed to the intruder.
Definition 9
(Opacity saboori2012verification ; saboori2013verification ; wu2013comparative ; yin2017new ) Let be a DES with and secret states . Then is said to be
- •
current-state opaque if, for any , we have ;
- •
initial-state opaque if, for any , we have ;
- •
infinite-step opaque if, for any , we have .
Essentially, opacity is a confidentiality property capturing the plausible deniability of the system’s “secret” in the presence of an outside observer that is potentially malicious. More specifically, current-state opacity (respectively, initial-state opacity) requires that the intruder should never know for sure that the system is currently at (respectively, initially from) a secret state. The system is said to be infinite-step opaque if the intruder can never determine for sure that the system was at a secret state for any specific instant even based on the future information.
Opacity was originally introduced in the computer science literature mazare2004using . Then it was introduced to the framework of DES by badouel2007concurrent ; bryans2008opacity ; saboori2007notions . There are also many variations of opacity studied in the literature. For example, in lin2011opacity , Lin formulated opacity using a language-based framework, where the notions of strong opacity and weak opacity are proposed. In wu2013comparative , a concept called initial-and-final-state opacity was provided; the authors also studied the transformations among several notions of opacity. When one is only allowed to used a bounded delayed information to improve the state estimate for a previous instant (or we do not care about the secret anymore after some delays), infinite-step opacity becomes to -step opacity saboori2011verification , where is a non-negative integer capturing the delay bound. Opacity is also closely related to another two information-flow security properties called anonymity sweeney2002k and non-interference hadj2005verification ; hadj2005characterizing . The reader is referred to the survey jacob2016overview for more references on opacity.
5 Verification Techniques
In this section, we provide techniques for verifying observational properties introduced in the previous section. First, we show that most of the properties in partially-observed DES can be verified using the observer structure and some important properties can be more efficienty verified using the twin-plant technique in polynomial-time.
5.1 Observer-Based Verification
5.1.1 Verification of Detectability
First, we study the verification of current-state detectability. Recall that, current-state detectability requires that . In other words, a system is not current-state detectable if there is an arbitrarily long observation string such that the current-state-estimate is not always a singleton starting from any instant. Since is a regular language, due to the Pumping lemma, the existence of such an arbitrarily long string is equivalent to the existence of a cycle in in which a state is not a singleton. This immediately suggests Algorithm 5 for the verification of current-state detectability. Initial-state detectability can also be checked in the same manner using . The only differences from Algorithm 5 are (i) we need to consider rather than in line 1; and (ii) in line 2, we need to check the existence of a cycle in such that for some .
To check delayed detectability (for parameters ), first we recall that the delayed-state-estimate can be computed by . Therefore, delayed detectability can be checked by the following steps:
- •
First, we compute all possible current-state-estimate reachable via some string whose length is greater than or equal to ;
- •
Then, we compute all possible current-state-estimate of in reachable via some string whose length is greater than or equal to ;
- •
Finally, we test whether or not there exist such and such that . If so, then it means that some instant after steps cannot be determined within steps of delay, i.e, the system is not delayed detectable.
This procedure is formalized by Algorithm 6, where states in lines 3 and 4 can be computed by a simple depth-first search or a breath-first search.
5.1.2 Verification of Diagnosability
The verification of diagnosability is very similar to the case of current-state detectability. Specifically, a system is not diagnosable if there is an arbitrarily long string after the occurrence of fault such that the current-state-estimate is not a subset of starting from any instant. Therefore, the general idea is to replaced condition in Algorithm 5 by . However, we need to do a little bit more here since we are only interested in arbitrarily long uncertain strings after the occurrence of fault; this is also referred to as an indeterminate cycles in the literature sampath1995diagnosability . In other words, the existence of an arbitrarily long uncertain but non-fault string does not necessarily violate diagnosability.
To this end, we need to compose with the dynamic of the original system . Specifically, let be the observer of . We define
[TABLE]
as the DFA by adding self-loops of all unobservable events at each state in . One can easily check that . Then, by looking at the first component of each state in , we know whether a fault event has occurred or not. Therefore, we can check diagnosability based on by Algorithm 7.
5.1.3 Verification of Distinguishability and Opacity
The verification of distinguishability is straightforward using the observer. Specifically, we just need to check whether or not there exists a state in such that . If so, the system is not distinguishable; otherwise, it is distinguishable. Since we have discussed that prognosability is a special case of distinguishability, it can also be checked in the same manner.
Similarly, current-state opacity can be verified by checking whether or not there exists a state in such that . If so, the system is not opaque; otherwise, it is opaque. To check initial-state opacity, we need to construct and to check whether or not there exists a state in such that .
The verification of infinite-step opacity is similar to the case of delayed detectability; both involve delayed-state-estimate that can be computed according to Proposition 3. The verification procedure for infinite-step opacity is provided in Algorithm 8 with complexity .
5.2 Twin-Plant-Based Verification
In the previous section, we have shown that the observer can be used for the verification of all properties introduced. However, the size of the observer is exponential in the size of the system. Then the natural question arises as to can we find polynomial-time algorithms for verifying these properties. Unfortunately, it has been shown in cassez2012synthesis that deciding opacity is PSPACE-complete; hence, no polynomial-time algorithm exists. However, it is indeed possible to check diagnosability, detectability and distinguishability in polynomial-time by using the twin-plant structure. This structure was originally proposed in tsitsiklis1989control for the verification of observability; later on it has been used for verifying diagnosability (under the name of “verifier”) by jiang2001polynomial ; yoo2002polynomial and for verifying detectability (under the name of “detector”) by shu2010detectability .
Definition 10
(Twin-Plant) Given system with observable events , the twin-plant is a new NFA , where
- •
* is the set of states;*
- •
* is the set of events;*
- •
* is the set of initial states;*
- •
* is the partial transition function defined by: for any state and event *
(a) If , then the following transition is defined
[TABLE]
(a) If , then the following transitions are defined
[TABLE]
Hereafter, we only consider the accessible part of .
Intuitively, the twin-plant tracks all pairs of observation equivalent strings in . Specifically, if are two strings in such that , then there exists a string in such that its first and second components are and , respectively. On the other hand, for any string in , we have that .
The twin-plant can be applied directly for the verification of distinguishability. Specifically, we need to check if contains a pair of states in the specification. This procedure is presented in Algorithm 9.
According to the definition of detectability, we know that the system is not detectable if and only if there exist two arbitrarily long strings having the same observation, such that these two strings lead to two different states. As we discussed above, all such string pairs can be captured by the twin-plant. This suggests Algorithm 10 for the verification of current-state detectability.
The case of diagnosability is similar. Specifically, a system is not diagnosable if there exist an arbitrarily long fault string and a non-fault string such that they have the same observation. This condition can be checked by Algorithm 11. Note that, we have already assumed that there is no unobservable cycle in . Otherwise, we need to add the following condition to the “if condition” in line 2 of Algorithm 11 to obtain an arbitrarily long fault string:
[TABLE]
Since the size of the twin-plant is only quadratic in the size of , distinguishability, detectability and diagnosability can all be checked in polynomial-time, which is better than the observer-based approach.
6 Related Problems and Further Readings
6.1 State Estimation under General Observation Models
Throughout this article, we assume that the observation of the system is modeled as a natural projection. The natural projection mapping is essentially static in the sense that an event is always either observable or unobservable. One related topic is the sensor selection problem for static observations haji1996minimizing ; yoo2002np ; jiang2003optimal ; ru2010sensor ; cabasino2013optimal , i.e., we want to decide which events should be observable by placing with sensors such that a given observational property is fulfilled. Another related topic in the static observation setting is the robust state estimation problem when the observation is unreliable. This problem has been investigated in the context of detectability analysis yin2017initial , diagnosability anlaysis thorsley2008diagnosability ; takai2012verification ; carvalho2012robust ; carvalho2013robust and supervisory control rohloff2005sensor ; sanchez2006safe ; lin2014control ; alves2014robust ; ushio2016nonblocking ; yin2017supervisor for partially-observed DES.
In many situations, due to information communications and acquisitions, the observation mapping may be dynamic, i.e., whether or not an event is observable depends the trajectory of the system. One example is the dynamic sensor activation problem, where we can decide to turn sensors on/off dynamically online based on the observation history. In thorsley2007active ; cassez2008fault ; wang2010optimal ; dallal2014most , the fault diagnosis problem is studied under the dynamic observation setting. In huang2008decentralized ; wang2010minimization , observability is studied under the dynamic observation setting. In shu2010detectability ; shu2013online , the authors investigated the verification and synthesis of detectability under dynamic observations. Opacity under dynamic observations is also studied in cassez2012synthesis ; zhang2015max . A general approach for dynamic sensor activation for property enforcement is proposed by yin2019general . In wang2011codiagnosability ; yin2015codiagnosability , it has been shown that (co)diagnosability and (co)observability can be mapped from one to the other in the general dynamic observation setting. The reader is referred to the recent survey sears2016minimal for more references on state estimation problem under dynamic observations.
6.2 State Estimation in Coordinated, Distributed and Modular Systems
In the setting of this article, we only consider the scenario where the system is monitored by a single observer, which is referred to as the centralized state estimation. In many large-scale systems, sensors can be physically distributed and the system can be monitored by multiple local observers that have incomparable information. Each local observer can perform local state estimation and send it to a coordinator. Then the coordinator will fuses all local information according to some pre-specified protocol in order to obtain a global estimation decision. This is referred to as the decentralized estimation and decision making problem under coordinated architecture.
In the context of DES, the decentralized estimation and decision making problem was first studied by cieslak1988 ; rudie1992think ; rudie1995computational in the context of decentralized supervisory control, where the notion of coobservability is proposed. In debouk2000coordinated ; wang2007diagnosis , the problem of decentralized fault diagnosis problem was studied and a corresponding property called codiagnosability was proposed; the verification codiagnosability has also been studied in the literature moreira2011polynomial ; qiu2006decentralized . The decentralized fault prognosis has also been studied in the literature; see, e.g., kumar2010decentralized ; khoumsi2012conjunctive ; yin2016decentralized2 . Note that, in decentralized decision making problems, one important issue is the underlying coordinated architecture. For example, rudie1992think and qiu2006decentralized only consider simple binary architectures for control and diagnosis, respectively; more complicated architectures can be found in yoo2002general ; yoo2004decentralized ; kumar2009inference ; kumar2007inference ; takai2011inference ; chakib2011multi ; ricker2007knowledge ; yin2016decentralized ; khoumsi2018decentralized .
When each local observer is allow to communicate and exchange information with each other, the state estimation problem is referred to as the distributed estimation problem. Works on distributed state estimation and property verification can be founded in benveniste2003diagnosis ; su2005global ; genc2007distributed ; takai2012distributed . Finally, state estimation and verification of partially-observed modular DES have also been considered in the literature rohloff2005pspace ; contant2006diagnosability ; saboori2010reduced ; schmidt2013verification ; yin2017verification ; masopust2019complexity , where a modular system is composed by a set of local modules in the form of .
6.3 Estimation and Verification of Petri Nets and Stochastic DES
In this article, we focus on DES modeled as finite state automata. Petri nets, another important class of DES models, are widely used to model many classes of concurrent systems. In particular, Petri nets provide a compact model without enumerating the entire state space and it is well-known that Petri net languages are more expressive than regular languages. The problems of state estimation and property verification have also drawn many attentions in the context of Petri nets. For example, state (marking) estimation algorithms for Petri nets have been proposed in giua2007marking ; li2013minimum ; bonhomme2015marking ; basile2015state . Decidability and verification procedures for diagnosability berard2018complexity ; ran2018codiagnosability ; basile2012k ; cabasino2012new ; yin2017decidability , detectability masopust2018deciding ; giua2002observability , prognosability yin2018verification and opacity tong2017verification ; tong2017decidability are also studied in the literature for Petri nets.
Another important generalization of the finite state automata model is the stochastic DES (or labelled Markov chains). Stochastic DES can not only characterize whether or not a system can reach a state, it can also capture the possibility of reaching a state. Hence it provides a model for the quantitative analysis and verification of DES. State estimation and verification of many important properties have also been extended to the stochastic DES setting; this includes, e.g., diagnosability yin2019robust ; liu2008decentralized ; thorsley2005diagnosability , detectability shu2008state ; keroglou2017verification ; yin2017initial ; zhao2019detectability , prognosability chen2015stochastic and opacity saboori2014current ; berard2015probabilistic ; yin2019infinite .
6.4 Control Synthesis of Partially-Observed DES
So far, we have only discussed property verification problems in partially-observed DES. In many applications, when the answer to the verification problem is negative, it is important to synthesize a supervisor or controller that provably enforces the property by restricting the system behavior but as permissive as possible. This control synthesis problem has been studied in the literature in the framework of the supervisory control theory initiated by Ramadge and Wonham ramadge1987supervisory . The reader is referred to the textbooks Lbook ; Cbook for more details on supervisory control of DES. Supervisory control under partial observation was originally investigated by cieslak1988 ; lin1988observability . Since then, many control synthesis algorithms for partial-observation supervisors have been proposed cho1989supremal ; kumar1991controllability ; takai2003effective ; yoo2006solvability ; cai2015relative . In particular, yin2016synthesis solves the synthesis problem for maximally-permissive non-blocking supervisors in the partial observation setting.
In the context of enforcement of observational properties, in sampath1998active , an approach was proposed for designing a supervisor that enforces diagnosability. Control synthesis algorithms have also been proposed in the literature for enforcing opacity; see, e.g. dubreil2010supervisory ; tong2018current ; saboori2012opacity . In shu2013enforcing , the authors studied the problem of synthesizing supervisors that enforce detectability. A uniform approach for control synthesis for enforcing a wide class of properties was recently proposed by Yin and Lafortune in a series of papers yin2018synthesis ; yin2017synthesis ; yin2016synthesis ; yin2016uniform .
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] M.V.S. Alves, J.C. Basilio, A.E. Carrilho da Cunha, L.K. Carvalho, and M.V. Moreira. Robust supervisory control against intermittent loss of observations. In 12th International Workshop on Discrete Event Systems , volume 12, pages 294–299, 2014.
- 2[2] E. Badouel, M. Bednarczyk, A. Borzyszkowski, B. Caillaud, and P. Darondeau. Concurrent secrets. Discrete Event Dynamic Systems: Theory & Applications , 17(4):425–446, 2007.
- 3[3] F. Basile, M.P. Cabasino, and C. Seatzu. State estimation and fault diagnosis of labeled time petri net systems with unobservable transitions. IEEE Transactions on Automatic Control , 60(4):997–1009, 2015.
- 4[4] F. Basile, P. Chiacchio, and G. De Tommasi. On K 𝐾 {K} -diagnosability of Petri nets via integer linear programming. Automatica , 48(9):2047–2058, 2012.
- 5[5] N. Ben Hadj-Alouane, S. Lafrance, F. Lin, J. Mullins, and M. Yeddes. Characterizing intransitive noninterference for 3-domain security policies with observability. IEEE Transactions on Automatic Control , 50(6):920–925, 2005.
- 6[6] N. Ben Hadj-Alouane, S. Lafrance, F. Lin, J. Mullins, and M. Yeddes. On the verification of intransitive noninterference in mulitlevel security. IEEE Transactions on Systems, Man, and Cybernetics, Part B (Cybernetics) , 35(5):948–958, 2005.
- 7[7] A. Benveniste, E. Fabre, S. Haar, and C. Jard. Diagnosis of asynchronous discrete-event systems: a net unfolding approach. IEEE Transactions on Automatic Control , 48(5):714–727, 2003.
- 8[8] B. Bérard, K. Chatterjee, and N. Sznajder. Probabilistic opacity for markov decision processes. Information Processing Letters , 115(1):52–59, 2015.
