Extending Decentralized Discrete-Event Modelling to Diagnose Reconfigurable Systems

(1)

HAL Id: inria-00000524

https://hal.inria.fr/inria-00000524

Submitted on 27 Oct 2005

HAL is a multi-disciplinary open access

archive for the deposit and dissemination of

sci-entific research documents, whether they are

pub-lished or not. The documents may come from

teaching and research institutions in France or

abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est

destinée au dépôt et à la diffusion de documents

scientifiques de niveau recherche, publiés ou non,

émanant des établissements d’enseignement et de

recherche français ou étrangers, des laboratoires

publics ou privés.

Extending Decentralized Discrete-Event Modelling to

Diagnose Reconfigurable Systems

Alban Grastien, Marie-Odile Cordier, Christine Largouët

To cite this version:

Alban Grastien, Marie-Odile Cordier, Christine Largouët. Extending Decentralized Discrete-Event

Modelling to Diagnose Reconfigurable Systems. 15 international workshop on principles of diagnosis,

Jun 2004, Carcasonne / France. �inria-00000524�

(2)

Diagnose Re ongurable Systems

AlbanGrastien

1

and Marie-Odile Cordier

1

and Christine Largouët

2

Abstra t.

On-linere ongurationistheabilitytorearrange

dynami- allytheelementsofasystemtoa ommodatefailureevents

ornewrequirements.Duetothemodularrepresentation,

de- entralizeddis rete-eventapproa h,re entlyproposedforthe

diagnosis of systems,is parti ularly wellsuited to the

diag-nosisofre ongurablesystems.The ontributionofthis

arti- leisto extendourde entralizedapproa htore ongurable

dis rete-eventsystems.Arststepinthisdire tionis to

ex-tend the way a de entralized system is modelled. The idea

onsists inmodellingseparately the behavior of the

ompo-nentsand thesystemtopology.A se ondstepisto formally

dene what is a re onguration. A property of

re ongura-tion,thatwe allsafety,isidentiedtobeimportant.When

satised, we showthat ourde entralized diagnosis approa h

aneasilybeextendedtore ongurablesystems.

1 INTRODUCTION

Real-world de entralized systemsare designed to enable

re- onguration, i.e., the modi ation of the onne tions

be-tweenthe omponentsand/ortheadditionorremovalof

om-ponents.Thisisparti ularlythe asewhenthosesystemsare

networksof omponentssu hastele ommuni ationorpower

transportationnetworks.Thereasonofare onguration an

betheupdateofthesystem(substitution/additionof

ompo-nents)oranemergen ypro eduretoprote tthesystemfrom

a failure ina subsystem (removalof onne tions). Another

benet of on-linere ongurationarises fromits possible

in-tegration withdiagnosis [5 ℄. Thus arelevant re onguration

anbe hosentorenethedis riminationbetweendiagnoses

andthentogainamountoftimeande ien yinndingthe

rightfault.

Inthose examples,it is lear that re onguring a system

should not stop the diagnosis task, even if it is done

on-line.However,mostofthediagnosisapproa hesare

topology-dependent,asfor exampleexpertsystemsor hroni le-based

systems [3℄. Model-based diagnosers [11 , 10℄ are also

gener-allyunabletodealwiththistasksin etheyrelyonaglobal

system modelwhi h eitheris too large if ita ounts for all

possible topologies, or too ostly to ompute on-line if the

modelhas to be hanged during thediagnosis task.Due to

the greatnumberoftopologiesof highly re ongurable

sys-1

Irisa,UniversitédeRennes1,CampusdeBeaulieu,35042Rennes

Cedex,Fran e,{agrastie, ordier}irisa.fr

2

UniversityofNew Caledonia,BP.4477,98847 NouméaCedex,

NewCaledonia,largouetuniv-n .n

tems, it is thusnot reasonable to rely onanexpli it global

modelespe iallywhenthemodeloffuture omponentsisnot

ne essarilyknownatthetimeofits onstru tion.

De entralizedapproa hes, aspresentedin[7 ,9℄,are

inter-estingsin etheydonotrequireto omputeanexpli itglobal

modeland onsider a system as a set of onne ted

ompo-nents.Su essfullyusedfor diagnosis, theyappear thuswell

suitedforon-linere ongurationbe auseoftheirmodular

ar- hite ture:onthey omputationoflo aldiagnosesisexible

enoughtoaddorremove omponentsinthesystem.However,

untilnowitisgenerallyassumedthatthetopologyofthe

sys-temdoesnot hangeon-line.

Inthis paper, we extendthede entralizedapproa hin[9 ℄

tore ongurabledis rete-eventsystems.There onguration

a tionsarede idedbyanoperatorthatinformsthe

diagnos-ingsystemwhi hthereforeknowsexa tlythetopologyofthe

supervizedsystem.Arststepinthisdire tionis toextend

thewayade entralizedsystemismodelled.Theideaisto

mo-delseparatelythebehaviorofthe omponentsandthesystem

topology.Thenotionoftopologyisformallyintrodu ed and

denesthe onne tionsbetweenthe omponents.Itbe omes

possibleto hangeitinamodularway.Evenifnotexpli ited,

thesystemmodelisthenwell-denedasthesyn hronization

ofmodelsof onne ted omponents.A se ondstepisto

for-mallydeneare onguration

3

.Apropertyofre onguration,

thatwe allsafety,isidentiedtobeimportant.When

satis-ed,weshowthatthe de entralizeddiagnosis approa h

pro-posedin[9 ℄ aneasilybeextendedtore ongurablesystems.

Thispaperisorganizedasfollows.InSe tion2,wepresent

anillustrativeexamplethatweusethroughoutthewhole

pa-per.Se tion3introdu esthemodellingofre ongurable

sys-temsbystatingsomesimplifyinghypotheses.Se tion4denes

re ongurationandpresentsthesafetyproperty.Se tion5

il-lustratesour ontributionbyexaminingsu essive

re ongu-rations ona runningexample. Finally, the methodused for

takingintoa ount re ongurablesystemsby the

de entral-izeddiagnosisapproa hissket hedinSe tion6.

2 AN ILLUSTRATIVEEXAMPLE

Inthisse tionwepresentanexampleofasystemthatsupport

dierent ongurations.Thedevi eis omposedofapumpP

andtwopipesPI1andPI2.Thepumpdeliversthewaterwhile

the pipes arry it to other omponents (out of the studied

system).

3

Thewaythisre ongurationis hosenisoutofthes ope. Su h designproblemsaredis ussedin[12℄forexample.

(3)

and two faulty behaviors (leaking and blo ked).Firstly the

pump anleak(fault

f1

) andthentheoutputowbe omes

low.Se ondly,thepump anblo k(

f2

)andtheoutputowis

null.Inea hmode,thepump anbestopped(a tiono)and

startedagain(a tionon)byanoperator.Duringana tionon

oro,themodeofthepumpisnot hanged.

Thepipesexhibittwomodesofbehavior,theOKbehavior

(allthere eivedwaterisdeliveredtotheoutput)andafaulty

behavior(fault

F

)whenthepipeis leaking :inthis ase, all

orpartoftheinputowislost.

Theoutputowof ea h omponent anbehigh (denoted

by

h

),low(denotedby

l

)orzero(denotedby

z

).

As will be seen later inthe models (subse tion3.1), two

non-deterministi ases are onsidered for a pipe when it is

leaking and whenit re eivesa low ow (from the pumpor

fromthe otherpipe). Itsoutputowis lowerthanitsinput

ow.We onsiderthatit anbemeasuredeitheras alowor

zeroow,a ordingtotheimportan e oftheleaking.

P

PI1

PI2

components

of the device

P

PI1

P

PI1

PI2

P

PI2

Top1

Top2

Top3

Top4

P

PI2

PI1

Figure1. Possibletopologiesofthesystem

Oursystemdeliverswatertoanexternal omponent.The

modularity of the system enables us to use it for dierent

tasks.Forexample,thepump anbeusedwithauniquepipe

(PI1)asdepi tedinthetopology

T op1

ofFigure1.Ifaleak

o ursonPI1,PI1 anberepla edbythepipePI2asdepi ted

inthetopology

T op2

.If anewfun tionalityis required, the

se ondpipeis onne ted,asdepi tedbythetopologies

T op3

or

T op4

,attheendoftherstone.Thoseevolutionsof

topol-ogyare alledre ongurations.

Somere ongurationa tionsarenotallowedinsomestates

of thesystem. For example,the a tionof onne ting apipe

tothepump annotberealizedwhileitisdeliveringwater.It

isrstne essarytostopthepump.

Consideringanon-linediagnosistaskasmonitoringtheow

outofapipe,theon-linere ongurationshouldnotstopthe

diagnosis taskand itshould take intoa ount theevolution

ofthetopologyinthemodel.

3 MODELLINGRECONFIGURABLE

SYSTEMS

Thisse tion on ernsthemodellingofre ongurablesystems.

It must rst be noted that, sin e physi al omponents (or

onne tions between them) an bemodied on-line, the

de- entralizedwayofmodellingasystemaspresentedin[7 ,9℄is

adequateforre ongurablesystems.Thede entralizedmodel

proposedin[9 ℄is onsequentlyextended inorderto allowa

morepre isedes riptionoftheway omponentsarephysi ally

onne tedby onne tion points (orports). Inthe following,

wesu essivelyexaminethe omponent model,thetopology

modeland the system model. To simplifythe presentation,

wemakesomehypotheseswhi haregivenalongthetext.

3.1 Component model

A omponentisa(physi alorabstra t)element.Ea h

om-ponentmayhave onne tionpoints(sometimes alledpoints).

Ea hpoint maybe linkedbya onne tion to apoint of

an-other omponent(theformerpointis alledinternalpoint)or

tothesystemenvironment(externalpoint).

Communi ations (ow, messages, et .) between

ompo-nents are made through onne tions. By abuse of language

the ontent ofa ommuni ationis alled amessage. A

mes-sageissaidto beinternalwhenitissentbyanother

ompo-nent.Itissaidtobeexogeneouswhenitissentbythesystem

environment.It anbesupposed, withoutloss ofgenerality,

that nomorethan oneexogeneous message anbe re eived

bya omponentatthesametime.Consequently,wehavethe

followinghypothesis:

Hypothesis1 Ea h omponenthasaunique onne tionpoint

with the environment. This only external point is denoted

p

ext

.

A omponentismodelledasadis rete-eventsystem,whi h

means that its state is only hanged on the re eption of a

message.Asusual,wemakethefollowing assumption:

Hypothesis2 A omponent anre eiveonlyone(internalor

exogeneous)messageatthesametime.

The omponentbehaviorisdes ribedbyanitestate

ma- hine

Σ

.

Denition1(ComponentModel) The model of the

om-ponent is des ribed by the nite state ma hine

Σ =

hQ, E, P, T, Q

o

_i

where:

• Q

isthesetof omponentstates,

• E

isthesetofmessages,

• P

isthesetof( onne tion)points,

p

ext

∈ P

istheexternal

point,

• T ⊆ (Q × (P × E) × (P × E)

⋆

_{× Q)}

isthesetoftransitions,

• Q

o

isthesetofinitialstates.

A transition

t

= (q, (p, e),

{(p1

, e

1), . . . , (pk, ek)}, q

′

)

an

bereadasfollows:inthestate

q

,the omponentre eivesthe

message

e

onthe point

p

. Then,it goes inthe state

q

′

and

emitsthemessages

ei

onthepoints

pi

(

i

∈ {1, . . . , k}

).

Inordertoallowreusability,twoormore omponentsmay

havethesame omponentmodel.A omponent

ck

is

asso i-atedwithitsmodelbythefun tion

M od

,where

M od(ck) =

Σk

,aninstan eofa omponent model

Σ

.Thedieren e

be-tweentwodierentinstan esof

Σ

,

Σi

and

Σj

,is thatlabels

aredistin tandindi edbyrespe tively

i

and

j

.

Toillustratethedenitionof omponentmodel,themodels

ofapumpandof apipearegiveninFigure 2and Figure3.

Thetransition label

p: e|{(pi

: ei)}

meansthatthe transition

istriggeredbythere eptionofamessage

e

atthe onne tion

point

p

and that ea h message

ei

is sent to the onne tion

(4)

5 ext:f1|

{out:l}

1

2

4

6 ext:off|

{}

ext:on|

{out:l}

ext:on|

{}

{out:z}

ext:off|

3 ext:f2|{out:z}

ext:f2|{out:z}

ext:off|{out:z}

ext:on|{out:h}

Figure2. Modelofa pump

1

2

3 ext:F|

{out:l}

ext:F|

{out:l}

ext:F|

{out:z}

in:l|{out:l}

in:h|{out:l}

in:l|{out:l}

in:h|{out:l}

4 in:l|{out:l}

in:z|{out:z}

in:l|{out:l}

in:h|{out:h}

5

6 in:l|{out:z}

in:l|{out:l}

in:z|{out:z}

in:h|{out:h}

in:z|{out:z}

in:l|{out:z}

ext:F|

{}

in:l|{}

in:z|{}

Figure3. Modelofapipe

3.2 Topology model

Asseen before, a omponentis modelledas adis rete-event

system,whi hmeansthatitsstate hangesonthere eption

ofamessageandthatthe omponentrea tsbysending

mes-sages. It is then lear that the behavior of onne ted

om-ponents is onstrained by the way they ommuni ate. This

onstraintis alledsyn hronizationandisdes ribedbya

syn- hronizationset.

Denition2(Syn hronizationset) Asyn hronizationset,

de-noted

|

, between two models of omponents

Σ1

=

hQ1, E1, P1, T1, Q

o

1i

and

Σ2

=

hQ2, E2

, P2

, T2, Q

o

2i

is a

sub-setofthe pairsofmessagesofthetwonitestatema hines:

| ⊆ E1

× E2

.

Inour example,thesyn hronizationsetindi atesthat the

ow emitted by thepumpis onne ted tothe input ow of

thepipe(forexample,alowowinoutputofthepump

orre-spondstoalowowininputofthepipe).Thesyn hronization

setisthentheidentityfun tion,i.e.,

{(h, h), (l, l), (z, z)}

.

A onne tionisdes ribedbythe onne tedpointsandthe

syn hronizationsetwhi hhastobesatised.

Denition3(Conne tion) A onne tion

co

isdenedasa

n-uplet

((c1, p1), (c2, p2),

|)

su hthat:

• c1

6= c2

,

• ∀k ∈ {1, 2}, Σk

=

hQk, Ek, Pk, Tk, Q

o

_{ki = M od(ck), pk}

_∈

Pk

,

• |

isasyn hronizationsetbetween

M od(c1)

and

M od(c2)

.

Bydenition,a omponent annotbe onne tedtoanother

omponentbyitsexternalpoint:

∀k ∈ {1, 2}, pk

6= p

ext

k

.

Thesetof onne tionsinthesystemis alledthetopology

(orthe onguration).

Denition4(Topologymodel) Thetopologymodelofa

sys-tem

T op

is a set of onne tions between the omponents

of the system su h that no point is onne ted more than

on e:

∀co, co

′

∈ T op, co = ((c1, p1), (c2, p2),

|), co

′

=

((c

′

1 , p

′

1 ), (c

′

2 , p

′

2 ),

|

′

), co

6= co

′

,

∀i ∈ {1, 2}, j ∈ {1, 2}, ci

=

c

′

j

⇒ pi

6= p

′

j

. 3.3 Systemmodel

The modelof the system depends on the modelof ea h of

its omponentsand ofthe topology model. Werst present

simplifyinghypotheses.Then,thede entralizedmodelofthe

systemand the expli it behavior it des ribes are dened.It

anbe noti edthatthesedenitionsare dire textensionsof

thedenitionswhi hare givenin[9 ℄. Themaindieren eis

theadditionoftheexpli ittopologyofthesystemwhi hwas

onlyimpli itin[9℄. The expli itdes ription ofthe topology

isne essarywhendealingwithre ongurablesystems.It an

alsobenotedthatthistopologymodelisasimpliedformof

thelinkmodelsproposedin[7 ℄.

3.3.1 Simplifyinghypotheses

The system is modelled as a dis rete-event system whi h

meansthat it evolveson the o uren e of exogeneous

mes-sages.Wemakethefollowinghypothesis:

Hypothesis3 The system an re eive only one exogeneous

messageatthesametime.

Thenexthypothesisstatesthat we fo us onsyn hronous

systems. To onsider ommuni ations with delays and/or

lossesduringthetransmissionofmessagesinoursystem,the

ommuni ation hannelshouldbe modelledas a omponent

onne tedtothe omponentsit onne ts.

Hypothesis4 Communi ations between omponents are

in-stantaneous.

Assaid previously, omponents are modelled as

dis rete-eventsystems,whi hmeansthat,whena omponentre eives

anexogeneousmessage,itmayrea tbysendingmessagesto

other omponents,whi hmaythemselvesrea t.This

propa-gation ofmessages has tosatisfy someniteness properties,

whi hexplainsthefollowinghypothesis:

Hypothesis5 Thepropagationofamessagethroughthe

om-ponents anbedes ribedbyatreeofvisited omponents.In

thistree,a omponent anonlybevisitedon e.

3.3.2 De entralizedmodelofthesystem

Denition5(De entralizedModeloftheSystem)

A de entrali-zed model of the system is a n-uplet

(Comp, M od, T op)

where:

• Comp

isthesetof omponentsofthesystem,

• M od

mapsea h omponenttoitsmodel,

• T op

isthetopologyofthesystem.

3.3.3 Expli it behaviorofthesystem

Thede entralizedmodelofthesystem ompletelydenesthe

behaviorofthesystem.Thisbehaviorisimpli it,but anbe

expli itly omputedasfollows.

Weintrodu ethenotionof

ε

-transition,whi h orresponds

tothefa tthatnomessage isre eivedbya omponent.The

(5)

Denition6(Freeprodu t) Let

Σi

=

hQi, Ei, Pi, Ti, Q

o

i

be

the models of the

n

omponents

ci

, the free produ t of

n

nite state ma hines

Σi

is a nite state ma hine

Σ =

hQ, E, P, T, Q

o

i

where:

• Q = Q1

× · · · × Qn

,

• E = E1

∪ · · · ∪ En

,

• P = P1

∪ · · · ∪ Pn

,

• T

=

(T1

∪ {ε}) × . . . × (Tn

∪ {ε})

is the set of transitions

(q1

, . . . , qn)

(m

₁

,...,m

n

)

−→

(q

′

1 , . . . , q

′

n)

=

(q1

_{−→ q}

m

1 ′

1 , . . . qn

m

n

−→ q

′

n)

, where

qi

m

i

−→ q

′

i

is a transi-tionof

Ti

oran

ε

-transition,

• Q

o

_{= Q}

o

1 × . . . × Q

o

n

.

Thefreeprodu t omputesthebehaviorofthesystemwithout

any onstraintonthe onne tions.

Let

t

be a transition

(t1, . . . , tn)

, with

ti

=

(qi,

(pi, ei),

{((pi,1

, ei,1), . . . , (pi,k

, ei,k))}, q

′

i)

or

ti

=

ε

.

We denote

t

= (q, eed, eeg, q

′

)

, where

q

= (q1, . . . , qn)

,

q

′

= (q

′

i

, . . . q

′

n)

,

eed

is the set of the messages re eived

by the omponents and

eeg

the set of the messages sent

by the omponents. They are omputed by these formulæ:

eed

=

S

_i

{(pi, ei)}

and

eeg

=

S

i,j

{(pi,j, ei,j

)}

(

∀i

su h that

ti

isnotan

ε

-transition).

Denition7(Syn hronizationona onne tion) A transition

t

= (q, eed, eeg, q

′

)

is syn hronized on a onne tion

((cj, pj), (ck, pk),

|)

if:

• (∃ej,

(pj, ej)

∈ eeg) ⇒ (∃ek,

(pk, ek)

∈ eed ∧ (ej, ek)

∈ |)

,

• (∃ek,

(pk, ek)

∈ eed) ⇒ (∃ej,

(pj, ej)

∈ eeg ∧ (ej, ek)

∈ |)

.

Thesyn hronizationona onne tion he ksthatanyemitted

messageisre eivedand onversely.

Denition8(Syn hronizationonatopology) A transition

t

= (q, eed, eeg, q

′

)

is syn hronized onthe topology

T op

of

thesystemif:

•

itissyn hronizedonea h onne tionofthetopology,

• ∀(p, e), (p, e) ∈ eed ⇒ (∃c1

, p1, c2,

|, ((c1, p1), (c2, p),

|) ∈

T op)

∨(∃i, p = p

ext

i

)

,

• ∃!p, (∃i, p

ext

i

= p)

∧ (∃e, (p, e) ∈ eed)

TherstpropositionofDenition8ensuresthatthemessages

aresyn hronizedonthe onne tions.These ondproposition

ensuresthat everyre eivedmessage belongstoa onne tion

oris re eivedonanexternalpoint.Notethatamessage an

besentevenifno omponentre eiveditwhenthe onne tion

point is de onne ted. The third proposition ensures that a

transition ontainsexa tlyoneexogeneousmessage.

Denition9 The expli it behavior of the system

(Comp, M od, T op)

is the nite state ma hine

Σ

′

=

hQ

′

, E, P, T

′

, Q

o

i

fromthe freeprodu t

Σ =

hQ, E, P, T, Q

o

i

su hthat

Q

′

⊆ Q

isthesetofstatesand

T

′

⊆ T

isthesetof

syn hronizedtransitionsof

E

.

4 RECONFIGURINGDISCRETEEVENT

REACTIVESYSTEMS

Asystemisanetworkof onne ted omponentsandthesetof

urrent onne tionsis alledthe topology(orthe

ongura-tion).Themodi ationofatopologyis alled a

re ongura-a tion while the removalof a onne tion is alled a

de on-ne tiona tion.Asystemissaidtobere ongurablewhenits

topologymaybere ongured.

Denition10(De onne tiona tion) A de onne tion a tion

ad

removes a onne tion from the system. The

de onne -tion a tion is denoted by the onne tion that is removed:

ad

= ((c1

, p

1), (c2

, p

2),

|)

.

Denition11(Conne tiona tion) A onne tion a tion

ac

addsa onne tiontothesystem.The onne tiona tionis

de-notedbythe onne tionthatisadded:

ac

= ((c1

, p

1 ), (c2

, p

2),

|

)

.

Are ongurationis aset of onne tion and de onne tion

a tions.We onsiderthatthesea tionsare instantaneous.It

meansthatnoevent ano urbetweentwoa tions.

Denition12(Re onguration) A re onguration

R

in a

topology

T op

isapair

(DA

R, CAR

)

where

DAR

isa

de onne -tiona tionset(

DA

R

⊆ T op

)and

CA

R

isa onne tiona tion

set,su hthat:

R(T op)

=

(T op

\ DA

R)

∪ CA

R

isatopology.

R(T op)

isthetopologyofthesystemafterthe re ongura-tion.

We onsiderthat are onguration annotbeexe utedin

anystateofthesystem omponents.Forexample,itis learly

notsafe to dis onne t the outputof apump while it is

de-liveringwater.Morepre isely,thesafetyofare onguration

depends on the onne tion points on erned by the

re on-guration. For instan e, we an imagine a pump with two

onne tion points,one onne tedwith apipeand the other

witha ontainer;thepumphastobestoppedwhen onne ted

toanewpipebuthas nottobestoppedwhen onne tedto

anew ontainer.

Itiswhy,beforeformallydeningthere ongurationsafety,

weextendthe omponentmodelandasso iatewithea h

on-ne tionpoint the set of statesinwhi ha re ongurationis

allowed.

The omponentmodelisextendedbytheadditionof

G

as

follows:

Denition13(Extendedmodelofa omponent) The model

ofthe omponent

c

is des ribed by the nitestate ma hine

Σ =

hQ, E, P, T, G, Q

o

_i

where:

• Q

isthesetof omponentstates,

• E

isthesetofmessages,

• P

isthesetof( onne tion)points,

p

ext

∈ P

istheexternal

point,

• T ⊆ (Q × (P × E) × (P × E)

⋆

× Q)

isthesetoftransitions,

• G ∈ (P − {p

ext

} → 2

Q

₎

isafun tionthatasso iateswith

ea hinternal onne tionpointthesetofstatesthatsupport

are onguration,

• Q

o

isthesetofinitialstates.

Inourexample,thesetofstatesinwhi hthepump(see

Fig-ure2)maybere ongured,isgivenby

GP

(out) =

{1, 4, 5, 6}

(

out

is the only internal onne tion point). These states

are those where there is nooutow.For the pipe (see

(6)

GP I

(in) =

{1, 4}

, and

GP I(out) =

{1, 4, 5}

,

1

and

4

being

states wherethere is noinow,and

1

,

4

and

5

being states

wherethereisnooutow.

Asafere ongurationisdenedasfollows:

Denition14(Safere onguration) A re onguration

R

is

safeif

∀((c1

, p

1 ), (c2

, p

2),

|) ∈ DA

R

∪ CA

R

,the urrent state ofthe omponent

ci

isin

Gi(pi)

,

∀i ∈ {1, 2}

.

The safety property of are onguration ensures that the

stateofany omponentisnot hangedbythere onguration.

Forinstan e,itseemsnormaltorequirethatthepipeisempty

and the pumpis stopped when de onne ting a pipe from a

pump.Otherwise, it is di ult to predi t what happens to

thepumpandtothepipe(whereisthewaterowing?).Ifwe

a eptonlysafere ongurations,wehave:

Property1 The state of any omponent of a system is not

hangedbyare onguration.

Thissafetypropertyofare ongurationisimportantsin e

oneknowsexa tlywhathappenstoasystemwhenitis

re on-gured. Itallows onsequentlytoextendthe(de entralized)

on-linediagnosisinordertotakeintoa ountre onguration

a tionsinaneasywayassket hedinSe tion6.

5 ILLUSTRATION

In this se tion, we illustrate the way our model rea t to

theo urren eofre ongurationa tionsandexternalevents

in a simulation way. Starting from the very beginning (a

set of un onne ted omponents), a sequen e of interleaved

(re) ongurationa tionsandexternaleventsissimulatedand

thewaytheseeventsare takenintoa ount by themodelis

ommented.Wealsoshowthemodi ationoftheglobal

mo-delindierenttopologiesduetothere ongurations.

5.1 One pipedeliveringwater

Let ussuppose thatwestart froms rat h.The omponents

arestillnot onne tedandareintheirinitialstates:thepump

is

OK

ando (state

1

)andthetwopipesare

OK

and

empty

(state

1

).Themodelsystemisthen

(Comp, M od, T op)

,where

Comp

=

{

P

,

PI

1,

PI

2}

,

M od

is su hthat the models of the

pumpandthetwopipesareinstan esofthemodelsgivenin

Figure2andFigure3and

T op

=

∅

.

Let us suppose now that we want to deliver water to a

ontainerthatis losetothepump.Theoperatorhasrstto

onne tthepumptoapipe(we hoosePI

1

)andtostartthe

pump.

A rst re onguration onsists in onne ting

the pump and the pipe.

R1

=

(DA

R

1 =

{},

CAR

₁

=

{((

P

, p::out), (

PI

1, pi1::in),

|)})

. (

|

is the

syn- hronisationsetpresentedinsubse tion3.2,i.e., theidentity

fun tion.) No onne tion is removed and a onne tion

between the output of the pump (P) and the input of

the rst pipe (PI

1

) is added. It an be he ked that this

re onguration is safe with respe t to the urrent (initial)

states of the omponents.After re onguration, the model

of the system is des ribed by

(Comp, M od, T op

′

)

, where

T op

′

= (T op

∪ CA

R

1 ) = CA

R

1

.

Thebehaviorofthesystemdependsonlyonthebehaviors

ofthepumpandofthepipe.Thesyn hronizationisrealized

onthe onne tionsregardingtheowthroughthesetwo

om-ponents.Theglobalmodelofthesystem,whi hdependsonly

onthe pumpand the onne ted pipe, is given onFigure 4

(theinternalmessagesareremovedforsimpli ation).

Thestate ofthe pumpis

1

and the state ofthe pipe PI

1

is

1

.Inorderto startthepump,arsta tionis exe utedto

putonthe pumpwhi h orrespondsto sendingthe message

on

onthe

p

ext

point ofthepump.Thepumpgoesintostate

2

sendingthemessage

h

onitspoint alled

out

.Thetopology

indi ates that this message is re eived by the input of the

pipe as

h

.Thepipe then hangesitsstate into

3

and sends

themessage

h

to itsoutput.Sin etheoutputofthe pipeis

not onne ted, the message is lost. Inthe expli it modelof

the onne tedsystem,this hange orrespondstogoingfrom

thestate

(1, 1)

into thestate

(2, 3)

bythetransition labeled

{(

P

::ext, on), (

PI

1::in, h)} | {(

P

::out, h), (

PI

1::out, h)}

.

p:ext:off|

{pi:out:z}

{pi:out:l}

p:ext:on|

{pi:out:h}

p:ext:off|

{pi:out:z}

p:ext:off|

{}

p:ext:on|

{}

3,2

5,1

p:ext:f1|{pi:out:l}

p:ext:f2|{pi:out:z}

1,1

4,1

6,1

2,3

{pi:out:l}

p:ext:on|

3,5

3,6

1,4

4,4

{pi:out:l}

5,4

p:ext:f2|{}

p:ext:on|

p:ext:off|

{pi:out:z}

p:ext:on|

p:ext:off|

{}

p:ext:off|

{pi:out:z}

p:ext:off |

{}

p:ext:f1|{pi:out:z}

p:ext:f1|{pi:out:l}

p:ext:on|

{}

p:ext:f2|{pi:out:z}

2,6

6,4

pi:ext:F |

{}

{pi:out:z}

{pi:out:l}

pi:ext:F |

Figure4. ModeloftheSystem

Letus now onsider the o uren e ofa faultonthe pipe,

whi hstartsleaking.Thestateofthepipeisthen hangedto

6

.Itsoutowbe omes low.If we onsiderthe globalmodel,

thesystemevolvesto thestate(2,6)sin etheleaking ofthe

pipedoesnotinuen ethestateofthepump.

5.2 Two pipesdeliveringwater

Letusnowsupposethatwewanttoprovidewatertoanother

ontainer,whi hisfartherfromthepumpthantheprevious

one.So,wede ideto onne tthese ondpipetotherstone.

Sin e the urrent state of the rst pipe is

6

, its output

onne tion annotbere ongured(thesetofstatesinwhi h

thepipe ansupportre ongurationonitsoutput onne tion

(7)

theexternalpoint ofthepump,whi hrea ts bysending the

message

z

to the pipe. Thenew state of the pipe is then

4

andfromthatstatethere ongurationisnowpossible.

The re onguration is

R2

=

(DA

R

2 =

{},

CAR

₂

=

{((

PI

1, pi1::out), (

PI

2, pi2::in),

|)})

. The resulting topologyis:

T op

′′

=

R2

(T op

′

) =

{((

P

, p::out) (

PI

1, pi1::in),

|)

,

((

PI

1, pi1::out), (

PI

2, pi2::in),

|)})

. Theexpli itmodelof the

systemistoolargetobegiven.

Thepumpmaynowbestartedagain.Amessage

on

issent

onits externalpoint. Thepump delivers ahigh ow to the

rst pipe,whi honlydelivers alow owto the se ondpipe

sin eitisleaking.

Let usnow onsider that a failureo urs over thepump.

Themessage

f1

isre eivedbytheexternalpointofthepump.

Thepumpsendsalowowtotherstpipe.Asthemodelof

aleaking pipeisnotdeterministi asexplainedinSe tion2,

(twotransitionsexitfromstate

5

inthe modelofFigure 3),

twooutputows anbepredi tedattheoutputofthepipe.

Thisse tion illustrates howthe system modeltakesinto

a ount the re ongurationa tions. Due to Property 1, the

statesofthesystem omponentsarewell-identiedevenwhen

re ongurationa tionshappenon-line. Itisthenpossibleto

rely on it in a diagnosis perspe tive: observable events are

now olle tedanddiagnosis andidatesarelookedforby

on-frontingthemto thosepredi tedbythemodel.Letus re all

thatallre ongurationa tionsaresupposedtobe ontrolled

bytheoperatorandthusobservable.Inthenextse tion,we

explainhowourde entralizeddiagnosis approa h,developed

fortopology-stablesystems[9 ℄is urrentlyextendedto

re on-gurablesystems.Thisdiagnosis stepisnowunder

develop-mentandwillbethesubje tofanextpaper.

6 FUTUREWORK:DIAGNOSING

RECONFIGURABLESYSTEMS

Several frameworks have been proposed for a de entralized

approa h to diagnosis of dis rete-event systems [7, 6 ,1, 9 ℄.

Inourdiagnosisde entralizedapproa h[9℄,asinrelatedones

[7 ,6℄, ea h omponent is observed by sensors that send

ob-servationsto asinglesupervisor. The ontributionproposed

by [9 ℄ onsists in omputing lo al diagnoses for subsystems

and thentoe ientlymergetheselo aldiagnosestoobtain

aglobaldiagnosisforthewholesystem.Themainroleofthe

mergeoperationistolterthediagnoseswhi hdonotsatisfy

thesyn hronization onstraintsbetween omponents.To

ex-tend thisapproa hto re ongurable systems,it issu ient

(thankstothehypotheseswetakeandtotheProperty1)to

orre tlyupdatethesyn hronization onstraintswhen

re on-guration a tions o ur. These syn hronization onstraints

are then used as before by the merge operation when

om-putingtheglobaldiagnosis fromthelo aldiagnoses.

Whenin rementally omputingthediagnosisasin[9 ℄, the

observationsare onsideredonsu essivetemporalwindows.

The urrentdiagnosis is updatedby takingintoa ount the

owofobservationsofthenexttemporalwindow.Inthe ase

of re ongurable systems, the denition of these temporal

windows,andespe iallythepropertyofsafety,hastobe

ex-thee ien yof thealgorithm is amajor problem.The

rea-sonisthatmostofde entralizeddiagnosisapproa hesrelyon

expli itrepresentation ofmodels(oftenautomata), whi his

prohibitive, even with partially ompiled representations as

diagnosers. As inour re ent works, we intend to use

te h-niques su h as Partial Order Redu tion [8 ℄ or Inversibility

[4℄toimprovethe omputationofdiagnosisbyexploitingthe

stru tureofthemodel.Inthesamevein,symboli

representa-tionor model- he kingte hniques[2 ℄,knowntosigni antly

improvesear honautomata, ouldbeusedfor thediagnosis

ofpotentiallylargere ongurationsystems.

Future work will onsider whether some of the

assump-tions we made an be relaxed. A rst ase ould introdu e

re ongurations a tions o urring at any time (for example

anobservationsent by asensor beforea re onguration

a -tionandre eivedbythe supervisoron ethe re onguration

isperformed).Another ase ouldbeto onsidermore

om-plex re ongurations as re onguration a tions taking time

or onne tionswithdelaysorlossofobservations.

7 CONCLUSIONS

On-linere ongurationreferstothemodi ationofthe

ar hi-te tureofasysteminvolvingthe reation,removalor

repla e-mentofelementswhilepreservingthe ontinuityofservi e.

Inthis paper we presented the foundations of a new

ap-proa h to re ongurable dis rete-event systems modelling

witha further diagnosis obje tive. We rstproposed to

ex-tendthede entralizedapproa htore ongurablesystemsin

ordertodes ribemorepre iselythe onne tionsbetweenthe

omponents.Thesystem model relieson the modelof ea h

omponentandonthetopologymodelthatdes ribesthe

on-ne tionsbetween omponentsthrough onne tionpoints.We

thenintrodu edthere ongurationformalismdenedasaset

of onne tionandde onne tiona tions.Sin ea ru ialissue

is to integrate on-line re onguration during the

de entral-izeddiagnosis task,westatedvehypothesesand an

impor-tant propertyof re onguration alled safety.Based onthis

property,the newstate of the system anbe inferred

with-outambiguityon eare ongurationhasbeenrealized.Then,

theproposedmodellingofre ongurablesystems anbeused

withafewadjustmentsforon-linediagnosisofdis rete-event

systems.

Our urrentwork onsistsinadaptingthede entralized

al-gorithmproposedby[9℄totreatre ongurationa tions.The

mostimportantforfutureworkhasbeengivenattheendof

Se tion6.Therstitemproposesto ontinueimprovingthe

e ien yofthealgorithm byusingsymboli representations

andredu tionte hniques.These onditem onsistsin

relax-ingourassumptionstodiagnosemoregeneralre ongurable

sytemswheresomeobservationsaredelayedorlostandwhen

re ongurationa tions take time.Finally,as a prioritytask

we plan to experiment this approa h ontele ommuni ation

networksaswedidin[9℄.

Referen es

[1℄ A. Aghasaryan, E. Fabre, A. Benveniste, R. Boubour, and

C.Jard,`Faultdete tionanddiagnosisindistributedsystems: anapproa hbypartiallysto hasti Petrinets',Dis reteEvent

(8)

L. Petru i, and Ph. S hnoebelen, Systems and Software

Veri ation.Model- he kingTe hniquesandTools,Springer,

2001.

[3℄ M.-O. Cordier and C. Dousson, `Alarm driven monitoring

based on hroni les', in 4th Symposium on Fault

Dete -tionSupervisionandSafetyforTe hni alPro esses (Safepro- ess'00),pp.286291,(2000).

[4℄ M.-O. Cordier, A. Grastien, C. Largouët, and Y. Pen olé,

`E ienttraje tories omputingexploitinginversibility prop-erties',in14thInternationalWorkshoponPrin iplesof

Diag-nosis(DX-03),pp.9398,Washington,USA,(2003).

[5℄ J.CrowandJ.Rushby,`Model-basedre onguration:Toward

anintegrationwithdiagnosis',inNationalConferen eon Ar-ti ialIntelligen e,pp.836841,(1991).

[6℄ R. Debouk, S. Lafortune, and D. Teneketzis, `Coordinated

de entralizedproto olsforfailurediagnosisofdis rete event

systems', Dis reteEvent Dynami Systems,10(12),3386,

(2000).

[7℄ G. Lamperti and M. Zanella, Diagnosisof A tiveSystems,

KluwerA ademi Publishers,2003.

[8℄ D. Peled, `On model he king using representatives', in

5thInternationalConferen eonComputer-AidedVeri ation

(CAV-1993),pp.409423,(1993).

[9℄ Y.Pen olé,M.-O.Cordier,andL.Rozé,`In remental

de en-tralized diagnosisapproa hforthe supervisionofa

tele om-muni ation network', in IEEE Conferen e on De ision and

Control,pp.435440,LasVegas,USA,(2002).

[10℄ L. Rozéand M.-O.Cordier, `Diagnosingdis rete-event

sys-tems : extending the diagnoser approa h to deal with

tele ommuni ationnetworks',JournalonDis rete-Event

Dy-nami Systems:TheoryandAppli ations(JDEDS),(2002).

[11℄ M.Sampath,R.Sengupta,S.Lafortune,K.Sinnamohideen,

andD.Teneketzis,`Diagnosabilityofdis reteeventsystems',

IEEETransa tionsonAutomati Control,15551575,(1995).

[12℄ M.StumptnerandF.Wotawa,`Re ongurationusing

model-baseddiagnosis',inTenthInternationalWorkshopon Prin i-plesofDiagnosis(DX-99),pp.266271,(1999).