DX workshop

TRANSCRIPT

Model-based Diagnosis and Generation of Hypothesis Space via AI Planning

Luca Ceriani and Marina Zanella
Department of Information Engineering, University of Brescia, Brescia, Italy
e-mail: [email protected], [email protected]

Abstract

The hypothesis space approach to model-based diagnosis (MBD) of discrete-event systems (DESs) finds candidates by checking each hypothesis, a hypothesis being a subset of all the possible faults of the system. A hypothesis is a candidate if, assuming that all (and only) the faults in the hypothesis are affecting the system, it is consistent with the system description and the observation. In this paper we first address DES diagnosis by taking advantage of the regular structure of partially ordered hypothesis spaces. Second, we consider the problem of generating (only) physically possible hypotheses, given the DES model and independently of the specific observation. The hypothesis generation problem is encoded as a planning problem.

1 Introduction

A general definition of a DES [Cassandras and Lafortune, 2008] reads 'a discrete-state, event-driven system, that is, its state evolution depends entirely on the occurrence of asynchronous discrete events over time'. A DES is usually partially observable: the diagnosis task is aimed at finding out whether something went wrong with the DES at hand (and what), given the observable events gathered from it during a time interval of interest. Diagnosis of DESs is an important task in the real world, as several systems, such as digital circuits, can most naturally be modeled as DESs, and many others can be modeled as DESs at some abstraction level. In the literature, MBD of DESs is typically applied to intelligent alarm processing in a remote control room, where the received alarms are the observable events taken as input by the diagnosis process. For instance, in [Lamperti and Zanella, 2011] the protection devices of power transmission lines are considered as a case study for diagnosis and monitoring of DESs. Analogously, experimental diagnosis results inherent to the real alarm log from the operations center of a company that owns and operates an electricity transmission network in Australia are presented in [Grastien and Haslum, 2011; Grastien et al., 2012]. In addition, [Grastien and Haslum, 2011] address the set of event logs recorded on the ground during test flights of an autonomous unmanned helicopter (UAV), while in [Pencolé and Cordier, 2005] the alarms received by the supervision center of a telecommunication network are taken into account.

Despite the efforts of the research community, MBD of DESs is still a challenging task. DES diagnosis approaches exploit both normal and faulty behavior modes of a system to determine the possible faults that explain a given observation of the events that have occurred while the system was running. A solution of a diagnosis problem is called a candidate. The same diagnosis problem may have several alternative solutions: either all or only some of them can be computed, depending on the approach. In the last decades, the above coarse definition of the task has been refined by proposing formal methods to compute several kinds of diagnosis results [Grastien et al., 2007; Lamperti and Zanella, 2003]. In [Grastien et al., 2012] a general framework to diagnose both DESs and static systems is proposed. The approach is based on the exploration of a hypothesis space H, which is the universe of all solutions relevant to a given DES, according to a given notion of diagnosis and independently of the specific observation. Since not all solutions are equally interesting, the approach aims at singling out only the ones that satisfy a specific preference criterion. For example, if according to the considered notion of diagnosis a candidate (and, hence, each hypothesis) is a set of faults, then the hypothesis space Hset = 2^Σf is the power set of the alphabet of faulty events Σf, and a preference criterion ≤set is subset minimality. Each hypothesis has to be checked against the given observation in order to find out whether it is a candidate. However, if the hypothesis space is a poset under the preference criterion, such a space can be explored in a best-first order, as suggested by the algorithm we propose.

While the algorithms in the literature, including the one we propose, are designed to efficiently explore H and compute the set of preferred candidates, the generation of H is blind in that it does not take into account that only a subset H* ⊆ H of the hypothesis space is consistent with the model of the system, where such a consistency is a necessary condition for a hypothesis to be physically possible (PP). If a hypothesis is not PP, it can never be true, so it is useless to check it. Physical impossibility of hypotheses can be considered at two different levels, that is, without taking into account any specific observation or based on a specific observation of the DES at hand. Asserting that a hypothesis is PP without taking into account any specific observation means that there are one or several evolutions of the system that are consistent with such a hypothesis. Asserting that a hypothesis is PP based on a given observation means that there are one or several evolutions of the system that are consistent with such a hypothesis and that produce such an observation.

In this paper we address the problem of generating only PP hypotheses given a DES model and without taking into account any specific observation. This allows for off-line reasoning and possible knowledge compilation, that is, such PP hypotheses can be generated off-line once and exploited at run time every time it is necessary. Or, alternatively, such PP hypotheses can be generated on-line and then saved, so as to be reused in the next diagnosis sessions. We show how to generate new PP hypotheses by encoding the problem as a planning problem.

The hypothesis space approach is a general method to perform MBD of DESs, thus being an alternative to previous approaches in the literature. An asset of the hypothesis space approach is that, instead of exploiting ad hoc diagnosis engines, it makes it possible to solve DES MBD problems by invoking existing efficient solvers, such as SAT solvers or planners. The modeling encompassed in Section 2, which is based on synchronous composition, is general enough to represent also distributed DESs whose components communicate asynchronously, as explained in [Lamperti and Zanella, 2013], to which the reader can refer also for complexity issues inherent to the considered task. Thus, altogether, the method dealt with in this paper does not constrain the class of DESs to be diagnosed.

2 Context

This section presents the notion of a DES diagnosis problem and the foundations of the hypothesis space approach. Subsections 2.1 to 2.4 basically survey (with some minor additions) previous contributions in the literature. Section 2.5 is instead a novelty, the same as Definition 2 in Section 2.6.

A diagnosis problem consists of a DES D and a finite, partially temporally ordered observation O, the latter representing what has been observed while D was running during a time interval of interest.

2.1 System

Following [Grastien et al., 2011], a (partially observable) DES D is a triple (Σ, L, obs) where Σ is the finite set of events that can take place in the system, L is the behavior space, that is, a language that models all (and only) the possible sequences of events, or traces, that can take place in the system, and obs is a function that associates each trace u with an observation obs(u) ∈ Σo*, defined as the projection of u on the subset Σo ⊆ Σ of observable events, i.e. obs(u) is a copy of u where all non-observable events have been removed. The set of fault events, or faults, is denoted as Σf, where Σf ⊆ Σ. Such events usually represent abnormal system behaviors, that is, behaviors the system may exhibit but that are undesired; typically, when a fault event takes place in an artifact, such an artifact is not behaving as expected according to its specifications. In a broader sense, a fault is an event whose occurrence we want to track in the system under diagnosis, an event we are specifically interested in.

Model L is assumed to be complete, i.e. it contains all the possible sequences of events of the system, normal and/or faulty. No assumption is made about the number of occurrences of a fault in a trace (i.e. faults may be permanent, transient or intermittent), or about their diagnosability. Language L can be represented by a finite automaton (FA).

A DES is distributed if it consists of several interacting components, each of which is a DES (Σi, Li, obsi) itself, where Σi ⊆ Σ. If an event belongs to the event sets Σi of several components, then it occurs only if and when it can occur simultaneously in all the components that share it, that is, if it triggers a transition starting from each of the current states of the FAs of all the components that share it. Therefore, the FA relevant to the whole system is the one (implicitly) resulting from the parallel composition (often called synchronous composition [Cassandras and Lafortune, 2008]) of all the component FAs, where such a synchronization is based on shared transitions, which are in fact called synchronous transitions.

2.2 Observation

Formally, O is a (possibly disconnected) directed acyclic graph (N, T), where N is the set of nodes and T the set of arcs. The value of each node belongs to Σo and it represents an observed event, while each arc represents a strict temporal precedence relationship (say ≺) according to the order in which the observed events took place in the DES. Note that, given a pair of nodes n, n' ∈ N, there is an arc (n → n') ∈ T iff n ≺ n' and there is no n'' ∈ N such that n ≺ n'' ≺ n'. Each pair of nodes that are not connected by any path in the graph represents a temporal uncertainty [Lamperti and Zanella, 2002], that is, we do not know whether the observed event relevant to one node took place before or after the event relevant to the other. Thus, O cumulatively represents all the sequences of observable events that are compliant with the constraints imposed by the observation graph: the set containing all such sequences is called the observation extension, denoted as ||O||.

2.3 Hypothesis Space

By definition [Grastien et al., 2011], a hypothesis space H is the set of all behavior types of the considered DES at a certain abstraction level. Each trace u ∈ L, which is a behavior type in L, is associated by a mapping function μ with a single hypothesis μ(u) in H. The hypothesis space may equal the behavior space, that is, μ(u) = u: this is the least abstract hypothesis space, here denoted as Hid since its mapping is the identity function. Space Hid may be infinite, since a trace may include any number of iterations of any (cyclic) sequence of events. On the other end of the spectrum, the most abstract (and the smallest) hypothesis space may simply have two elements, nominal and faulty, that is, we are only interested in fault detection: we call it the detection space and denote it as Hnorm. More common is the so-called set space, Hset, which considers each set of fault events that may have occurred as a distinct hypothesis, or the multiset space, Hms, where each hypothesis records the exact number of occurrences of each fault, or the sequence space, Hseq, whose mapping associates a trace with the sequence of fault events included in it, thus preserving the order of faults in addition to their type and number. Note that, while Hnorm and Hset are finite, both Hms and Hseq are not.

2.4 Preferred Hypotheses

In most cases, not every hypothesis in a space H is equally interesting: therefore, it is assumed that H is ordered by a reflexive preference relation, denoted by ≤, with h ≤ h' meaning that hypothesis h is either more preferable than or as preferable as h'. The set of preferred hypotheses in a generic set S ⊆ H, denoted as min(S), is defined as follows: {h ∈ S | ∀h' ∈ S, h' ≤ h ⇒ h' = h}. In particular, the set min(H) includes all and only the so-called most preferred hypotheses in H.

    In [Grastien et al., 2011], some relations are introduced:

- in Hset, subset minimality, denoted as ≤set, which is defined as follows: h ≤set h' iff h ⊆ h';

- in Hms, multiset minimality, denoted as ≤ms, which prefers the hypothesis that has fewer occurrences of every type of fault. Formally, denoting as h(f) the number of occurrences of fault f in hypothesis h, h ≤ms h' iff ∀f ∈ Σf, h(f) ≤ h'(f);

- in Hseq, subsequence minimality, ≤seq, according to which h ≤seq h' iff h is a subsequence of h'.

If the preference relation over a set (a hypothesis space is a set), besides being reflexive, is also transitive and antisymmetric (that is, ∀h, h' ∈ H, if h ≤ h' and h' ≤ h, then h = h'), then H is a partially ordered set (or poset) under relation ≤. A poset is not totally ordered if there exists some pair of incomparable elements of the set (that is, h, h' ∈ H such that neither h ≤ h' nor h' ≤ h). Note that min≤set(Hset), min≤ms(Hms), and min≤seq(Hseq) are singletons¹, the most preferred hypothesis in Hset being the empty set, in Hms the empty multiset, in Hseq the empty sequence.

2.5 Regularity in Hypothesis Spaces

We conveniently represent a poset as a graph, where each element of the poset is a node. Since we are dealing with a partial order, we implicitly know that the relation must be reflexive and transitive. Thus we can simplify the graph as follows: remove all self-loops, remove all transitive edges, remove arrowheads in the pictorial representation, that is, we assume that the orientations are implicitly downward. Note that, once self-loops have been removed, such a graph is necessarily acyclic as the order relation is antisymmetric. In other words, the graph, instead of representing the poset under relation ≤, represents it under relation <. The strict order < associated with a partial order ≤ is transitive and antireflexive, which means that ∀h ∈ H, h ≮ h. If h < h', h is a predecessor of h' and, dually, h' is a successor of h. In particular, if there is some h' ∈ H, h < h', and there is no h'' such that h < h'' < h', h is an immediate predecessor of h', and, dually, h' is an immediate successor of h. An element may have more than one immediate predecessor and/or more than one immediate successor.

Figure 1 displays Hset under ≤set when Σf = {a, b, c}. The graph in Figure 1 is actually the (upside down) Hasse diagram² [Enderton, 1977] of the powerset of Σf. This pictorial representation highlights the regular structure of Hset, as ordered by relation ≤set, a regularity that holds also for Hms and Hseq. Let us call depth of a hypothesis h, and denote it as |h|, the length of every path from the most preferred hypothesis to it. The meaning of |h| depends on the considered hypothesis space H, for instance in Hset it represents the number of faulty events in h, while in Hseq it represents the length of the sequence h of faulty events. The graph consists of several layers: layer 0 contains the most preferred hypothesis, and each layer i contains all the hypotheses whose depth is i. Note that, ∀i ≥ 0, layer i + 1 contains all and only the immediate successors of the hypotheses in layer i, thus edges connect just nodes belonging to adjacent layers. The edges connect a hypothesis h in layer i to its immediate successors in layer i + 1.

Figure 1: Space Hset as ordered by ≤set (Hasse diagram of the power set of {a, b, c}, drawn upside down: layer 0 holds the empty set; layer 1 holds {a}, {b}, {c}; layer 2 holds {a, b}, {a, c}, {b, c}; layer 3 holds {a, b, c})

¹ This is a general property: given a poset X, if there is some element m ∈ X such that, ∀x ∈ X, m ≤ x, then m is unique. In the general case, min(X) includes all and only the nodes that have no predecessor in X, where all such nodes are necessarily incomparable with each other.

² A Hasse diagram is a pictorial representation of a finite poset; however, it can be adopted also for portions of infinite posets, such as Hms and Hseq.

In the figure relevant to Hset, the set of all the immediate successors in layer i + 1 of a hypothesis h in layer i is partitioned into succg(h) and succng(h). The edges from h to any hypothesis in succg(h) are plain lines, while the edges toward hypotheses in succng(h) are dashed lines. This partition is used in the diagnosis algorithm (see Section 3), which generates the immediate successors of h in succg(h) by manipulating h, while the immediate successors of h in succng(h) are not generated by manipulating h; instead, each of them is generated by manipulating another immediate predecessor, which belongs to the same layer as h but precedes h if we scan the hypotheses in each layer from left to right.

Note that, ∀h ∈ Hset, the hypotheses in succg(h) are displayed in Figure 1 in a specific order, which is based on an order assigned to the faults in Σf (the alphabetical order in this example). In other words, succg(h) is actually a sequence of hypotheses. This entails an order among hypotheses that belong to the same layer of the space, thus providing an additional regularity to the space, besides that enforced by the preference relation. The overall regularity of the space is exploited by the diagnosis algorithm.

2.6 Diagnosis and Preferred Diagnosis

A hypothesis in a space H is a candidate if it may be the actual system behavior type that explains the observation. Formally:

Definition 1. Given a diagnosis problem (D, O), let Δid ⊆ L be the set of all the traces u that are consistent with the observation, that is Δid = {u ∈ L | obs(u) ∈ ||O||}.

Given a hypothesis space H whose mapping is μ, a hypothesis h is a candidate if ∃u ∈ Δid s.t. μ(u) = h. Given this definition of a candidate, Δid is the set of all candidates in Hid.

Let Δ ⊆ H be the set of all candidates in a generic hypothesis space H, and min(Δ) ⊆ Δ be the subset of it including preferred candidates only, according to relation ≤. Set Δ is called a diagnosis and min(Δ) a preferred diagnosis.

A diagnosis depends on the adopted hypothesis space, that is Δ = Δ(D, O, H) (or, equivalently, Δ = Δ(D, O, μ), where μ is the mapping from L to H). Note that Δid is actually Δ(D, O, Hid). The preferred diagnosis, min(Δ), depends on μ, which univocally identifies the chosen H, and on the preference relation ≤ adopted on H.

Different approaches to MBD of DESs may adopt different notions of explanation of the observation as provided by a candidate. Definition 1 adopts the broadest meaning; however, another approach can be aimed at finding out only candidates corresponding to traces ending with an observable event. The rationale behind this constraint is an interest in what has occurred to the DES up to the moment the last observed event has taken place, not in what may (silently) have occurred or will occur after. Let us now define the set of traces ending with an observable event and the refined notion of candidate relevant to it.

Definition 2. Given a diagnosis problem (D, O), let Δ+id ⊆ L be the subset of Δid that includes all the traces u that end with an observable event, that is Δ+id = {u ∈ Δid | u = po, p ∈ Σ*, o ∈ Σo}.

Given a hypothesis space H whose mapping is μ, a hypothesis h is a refined candidate if ∃u ∈ Δ+id s.t. μ(u) = h. Let Δ+ ⊆ H, where Δ+ ⊆ Δ, be the set of all refined candidates, cumulatively called refined diagnosis, and min(Δ+) ⊆ Δ+ be the subset of it including preferred refined candidates only, cumulatively called preferred refined diagnosis.

3 Computing Preferred Diagnosis

We want to compute the preferred diagnosis at a certain abstraction level, represented by a hypothesis space H that is a poset under relation ≤, that is, given the diagnosis problem (D, O), we want to compute min(Δ(D, O, H)) without computing Δid.

Several methods to compute min(Δ) are proposed in [Grastien et al., 2011; 2012], among which pfs and pfs+e. Since such methods are relevant to whichever H, be it a poset or not, they cannot rely on a layered structure of H, thus they use just one open list of hypotheses, instead of the two queues (corresponding to two adjacent layers) used by our algorithm, and, although the first hypothesis to be processed is the same as in our algorithm, the following ones are different since the insertion of the successors of a hypothesis in the open list is not guided by any specific order. The method we propose here, instead, exploits the regular structure of hypothesis spaces that are posets, and generates hypotheses layer by layer, where the hypotheses in each layer are ordered according to an implicit total order over the faults in Σf, which makes it easier to discard irrelevant hypotheses. The algorithm can be regarded as a generalization of the generation and testing of candidates in best-first order proposed in [de Kleer and Williams, 1989]; however, here we deal with DESs instead of static systems and our notion of preference relation is broader as we consider all the partial orders. Moreover, we can further prune space H based on a kind of look-ahead within such a space every time a hypothesis is checked, provided that a solver that is capable of performing such a look-ahead is available. This resembles the speed-up of the search performed in [Williams and Ragno, 2007].

Our method to compute min(Δ) consists of initializing an empty set of preferred candidates and iteratively generating a hypothesis h according to a non-increasing preference order, starting from the most preferred hypothesis. This generation order guarantees that any newly generated hypothesis is not more preferable than any candidate in the set of candidates found so far, thus candidates never need to be removed from it. Note that generating H layer by layer, starting from layer 0, provides this guarantee. Once a candidate h has been found, we do not generate any of its successors, since they are all less preferable than it. The pseudo-code of the algorithm relevant to Hset under ≤set is provided here below. The algorithms for the other poset spaces are analogous.

     1. algorithm preferred_diagnosis(D, O)
     2.   h ← most preferred hypothesis
     3.   current ← ⟨h⟩
     4.   min(Δ) ← ∅
     5.   repeat
     6.     next ← empty queue
     7.     repeat
     8.       h ← dequeue(current)
     9.       result ← check(h, D, O)
    10.       if result = pass
    11.         then min(Δ) ← min(Δ) ∪ {h}
    12.       if result = pass or result = fail_all
    13.         then remove any hypothesis in succng(h) from next
    14.       else if result = fail
    15.         then ∀h' ∈ succg(h) do
    16.           if all immediate predecessors (distinct from h) of h' are in current
    17.             then enqueue(next, h')
    18.     until current is empty
    19.     current ← next
    20.   until current is empty
    21.   return min(Δ)

At any moment there are two queues, current and next, which are meant to include hypotheses belonging to the current and next layer of the graph, respectively. Initially, current includes the most preferred hypothesis only (line 3), while next is empty (line 6). Then two nested loops are run: at each iteration of the outer loop, a layer of the graph is considered as the current one (in a top-down order) until an empty layer is found; at each iteration of the inner loop, a new hypothesis in the current layer is considered (according to the order from left to right in Figure 1). The call check(h, D, O) (line 9) invokes a solver that checks whether h is a candidate, returning pass if it is, fail otherwise.

Optionally, a more powerful solver can be adopted at line 9 in order to perform a look-ahead. Such a solver returns pass if h is a candidate, fail if h is not a candidate but some of its (immediate or non-immediate) successors is a candidate, and fail_all in case neither h nor any of its (immediate or non-immediate) successors is a candidate. If this powerful solver is adopted, the only difference in the pseudo-code is in line 12, which, in such a case, continues with operator or and the condition that follows it. This small pseudo-code change may translate into a substantial reduction of the execution time since, in case fail_all is returned, it determines the pruning of all the (immediate or non-immediate) successors of h in H. Some experimental results showing cases when this happens can be found at link [Ceriani, 2014].

If h is a candidate, then it is added to the (initially empty) set of preferred candidates. In case h is a candidate, the same as in case neither h nor any of its successors is a candidate, the immediate successors of h do not have to be put in queue next. Since (either all or some of) the immediate successors of h in succng(h) may have already been generated (as they are also immediate successors of other hypotheses that are on the left of h in the current layer), they are removed from next (line 13). If h is not a candidate, then its immediate successors in succg(h) have to be appended to next, in the order from left to right of the next layer. However, not all of them have to be appended but only those that are successors of h and are not successors of any pruned hypothesis. A hypothesis has been pruned if it is a successor either of a preferred candidate or of a hypothesis none of whose successors is a candidate. Since queue current does not include any pruned hypothesis, in order to check whether a hypothesis h' in succg(h) has to be appended to next or not (that is, whether it has to be pruned), we have to check whether all the immediate predecessors of h' are in current or not (line 16). In fact, all the immediate predecessors of h' that are distinct from h belong to the same layer as h and are on its right, therefore, if they have not been pruned, they are still in current. Only the hypotheses h' in succg(h) whose immediate predecessors are all in current are appended to next (line 17).

When all the hypotheses in current have been processed, queue current is assigned the content of next. If this is empty, we have finished, otherwise next is emptied and a new iteration of the loop at lines 5-20 is performed.

The algorithm is anytime in that, at whichever time the running process is halted, the set of preferred candidates as computed so far indeed includes only preferred candidates. If the algorithm is not halted, at the end it returns the set of all preferred candidates, that is, it returns the preferred diagnosis. Termination is guaranteed for finite hypothesis spaces, such as Hset.

The role of the solver invoked at line 9 can be played by a classical AI planner, and that of a powerful solver by a complete planner. This confirms that a DES diagnosis problem (D, O) can be formulated as an AI planning problem [Sohrabi et al., 2010; Grastien and Haslum, 2011] where, roughly speaking, the FA representing the behavior of a system (or component) is encoded as a set of invariant facts asserted in the planning problem initial state and never falsified. The (partially temporally ordered) observation O is a temporally extended goal (TEG)³ that has to be satisfied by any solution plan, while an action represents the occurrence of an event which triggers a transition, thus causing a state change that complies both with the model description and the current state of the system.

4 Physically Possible Hypotheses

The generation of the hypotheses in H, as done by previous approaches in the literature as well as by algorithm preferred_diagnosis, does not take into account that some hypotheses in H may be inconsistent with the system model D, regardless of any possible observation O. In particular, if the solver that is called at line 9 of the algorithm returns fail, the reason for it may be twofold: either hypothesis h is not PP, or it is PP but it is inconsistent with the observation.

[3] As shown in [Sohrabi et al., 2010], a partially ordered observation O expressed as a TEG can be compiled into a classical planning "final state" goal G.

    Figure 2: DES model

Analogously, if at line 9 a powerful solver is called instead of a simple solver, and its returned value is fail_all, then the reason for it may be twofold: either hypothesis h is not PP, or it is PP but neither h nor any of its successors is consistent with the observation. Formally:

Definition 3. Given a DES D = (, L, obs), and a hypothesis space H relevant to it, a hypothesis h in H is physically possible if there exists a trace u in L such that (u) = h.

Figure 2 shows the behavioral model of a DES which is such that only a subset of the hypotheses in Hset are PP, given f = {a, b, c} as the alphabet of faulty events. Each transition is marked by the relevant event. Dashed-line transitions are those that are not triggered by observable events. Figure 3 shows the subset of Hset containing (only) PP hypotheses, denoted Hset. Hypotheses {b, c} and {a, b, c} are not PP, as checking their consistency against the model of the system results in a failure, regardless of the observation. Avoiding checking hypotheses that are not PP during on-line diagnostic processing can reduce the execution time of a diagnostic algorithm. Unfortunately, H is typically unknown, since it depends on the specific DES model. Furthermore, producing the whole H off-line is usually impractical because such a space may be huge or even infinite.

Note that, in any poset hypothesis space (as in Hset, Hseq and Hms), the most preferred hypothesis is a no-fault hypothesis, which is PP by assumption (as all DESs should be endowed with a normal behavior). In addition, in the three hypothesis spaces we are considering, any PP hypothesis is the immediate successor of at least one PP hypothesis. This means that a PP hypothesis may have some immediate predecessor(s) that are not PP, but it necessarily has at least one immediate predecessor that is a PP hypothesis. This implies that PP hypotheses can be produced by checking the consistency against model D of the immediate successors of PP hypotheses only.

Integrating the generation of PP hypotheses with the computation of the preferred diagnosis, so as to exploit the regular structure of a poset hypothesis space (that is, generating PP hypotheses layer by layer, as done by algorithm preferred_diagnosis), is difficult. In particular, the check at line 16 is incorrect in case current includes PP hypotheses only, as the successors of a failed hypothesis have to be generated even though not all predecessors of any generated hypothesis are included in current, provided that all the missing predecessors are not PP. However, it is difficult to single out whether a predecessor is missing because it is not PP or because it has been pruned.

A digression may be worthwhile at this point. In order to facilitate the check at line 16, we could keep in current also all the hypotheses belonging to the current layer that are not PP and are the successors neither of any candidate nor of any failed_all hypothesis, assigning to every such hypothesis a special status, say not PP, so as to distinguish them from the others. This way, also the not PP hypotheses in current that are immediate predecessors of a hypothesis h′ are considered at line 16. However, doing so requires dealing with a larger number of nodes in any layer. Every time a not PP hypothesis hPP is dequeued from current at line 8, it should not be checked at line 9, and all the not PP hypotheses in succg(hPP) should be appended to next. We conclude this digression here, and will never refer to it later in this paper, as delving into the matter is work for the future.

Figure 3: Space Hset of physically possible hypotheses (nodes recoverable from the extracted layout: a, b, c in one layer; {a, b}, {a, c} in the next).

In case we are looking for refined preferred candidates, we do not have to generate all the hypotheses in H; instead we have to generate only those belonging to subset H+ of H, where H+ = {h H | (h) = u, u +id}.

Definition 4. Given a DES D = (, L, obs), and a hypothesis space H relevant to it, a hypothesis h in H is refined physically possible if there exists a trace u in L such that (u) = h and u ends with an observable event, that is, u = po, where p is a trace and o is an observable event.

Note that a refined PP hypothesis necessarily has a PP predecessor which, however, is not bound to be a refined one. This makes the integration of the generation of refined PP hypotheses with the computation of the set + of refined preferred candidates still more difficult.
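As an added illustration of Definitions 3 and 4 and of the layer-by-layer generation argument above (this is not code from the paper or from [Ceriani, 2014]), the following Python replaces the planner call with an explicit reachability search over a constructed single-component DES; the automaton, its event names and the function names are assumptions, not the paper's Figure 2.

```python
from collections import deque

# Constructed example DES (an assumption, not the paper's Figure 2): one
# component, states s0..s3, faulty events a, b, c, observable event o and an
# unobservable non-faulty event u. It is built so that, as in the paper's
# example, {b, c} and {a, b, c} are not physically possible.
FAULTS = {"a", "b", "c"}
OBSERVABLE = {"o"}
INITIAL = "s0"
EDGES = {  # (source state, event) -> destination state
    ("s0", "o"): "s0", ("s0", "a"): "s1", ("s0", "b"): "s2", ("s0", "c"): "s3",
    ("s1", "o"): "s1", ("s1", "b"): "s2", ("s1", "c"): "s3",
    ("s2", "o"): "s2",
    ("s3", "u"): "s3",
}


def is_pp(hyp, refined=False):
    """Definition 3: is there a trace u in L whose set of faults is exactly hyp?
    With refined=True (Definition 4) u must also end with an observable event.
    This stands in for the planner call: a BFS over the finite product of
    automaton state x faults occurred so far x 'last event was observable'."""
    hyp = frozenset(hyp)
    start = (INITIAL, frozenset(), False)
    seen, queue = {start}, deque([start])
    while queue:
        state, occurred, last_obs = queue.popleft()
        if occurred == hyp and (last_obs or not refined):
            return True
        for (src, ev), dst in EDGES.items():
            if src != state:
                continue
            if ev in FAULTS and ev not in hyp:
                continue  # a trace containing a fault outside hyp cannot yield hyp
            new_occurred = (occurred | {ev}) if ev in FAULTS else occurred
            nxt = (dst, new_occurred, ev in OBSERVABLE)
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def generate_pp_layers(refined=False):
    """Layer-by-layer generation of the PP subset of Hset: only immediate
    successors (one extra fault) of PP hypotheses are ever checked, which is
    sound because every PP hypothesis has at least one PP immediate predecessor.
    For refined PP hypotheses the expansion still follows PP predecessors (a
    refined PP hypothesis need not have a refined predecessor); Definition 4 is
    then applied as a filter on each layer."""
    layers = [[frozenset()]]  # the no-fault hypothesis is PP by assumption
    pp = {frozenset()}
    while True:
        nxt = set()
        for h in layers[-1]:
            for f in sorted(FAULTS - h):
                succ = h | {f}
                if succ not in pp and is_pp(succ):
                    pp.add(succ)
                    nxt.add(succ)
        if not nxt:
            break
        layers.append(sorted(nxt, key=sorted))
    if refined:
        layers = [[h for h in layer if is_pp(h, refined=True)] for layer in layers]
    return layers


if __name__ == "__main__":
    for tag, ref in (("PP", False), ("refined PP", True)):
        for depth, layer in enumerate(generate_pp_layers(ref)):
            print(tag, "layer", depth, [sorted(h) for h in layer])
```

On this automaton {c} and {a, c} are PP but not refined PP, since after c only the unobservable u can occur, so the refined layers lose them.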

5 Generating Physically Possible Hypotheses

In this section we describe an AI planning implementation aimed at solving the problem of generating hypotheses that are PP, first according to Definition 3, then according to Definition 4. We show how to encode such a problem in PDDL. A complete PDDL encoding example, relevant to a case study DES, can be found at the link [Ceriani, 2014].

Encoding

We assume that DES D and the hypothesis space H we are considering are implicitly known from the context. Each automaton transition is represented as an invariant fact asserted in the problem initial state and never falsified: predicate (edge ?s ?d ?e ?m) relates a source state ?s to a destination state ?d by a label ?e representing the event that triggers the transition in automaton ?m. To reduce the model description in terms of number of predicates, each edge is bound to a specific automaton mi. A full system description typically requires encoding a number x of different models mi, where x is at most nc, nc being the number of components in the system. If x < nc, then several components share the same behavioral model. For each component ci, two additional predicates (is ?ci ?m) and (current ?ci ?s) represent the model and the current state, respectively. The component model never changes, while the component state may change as a consequence of an action. Interactions among components are represented as synchronous events. A synchronous event ej labeling a transition relevant to component ci is represented by the invariant fact (synch ci ej): all the transitions associated with the same event ej across different components ci must occur simultaneously, thus constraining the possible evolutions of the system. A planner is forced to find solutions where, for each synchronous transition triggered by an event ej, a corresponding atomic sequence of actions appears in the plan: an action for each component ci such that (synch ci ej) holds. Predicate (faulty ?e) marks an event ?e as faulty, and no additional predicate is needed to mark observable and unobservable events.

The following part of the encoding depends on the selected hypothesis space. In case Hset is considered, we symbolically encode an unknown hypothesis h′ in Hset as the goal G of the planning problem. Such a hypothesis is the composition of a known hypothesis h in Hset and an unknown faulty event e in f, i.e. h′ = he (h extended with the extra fault e). The goal G is a conjunction of facts (occurred fk), k in [1 . . . |h|], each representing a fault fk in h, and an additional predicate (extra-fault) representing the existence of h′ as a PP successor of h. If the goal G is reached, then a PP hypothesis h′ is drawn from the solution plan; otherwise there is no other PP hypothesis descending from h. In the planning phase, faults fk in h are turned to (occurred fk) by the domain operator hyp-fault-transition, partially described below:

(:action hyp-fault-transition
  :parameters (?c - comp ... ?e - event ?f - fault)
  :precondition (and (not (occurred ?f))
                     (hyp ?e ?f ?c)
                     (faulty ?e)
                     ...)
  :effect (and (occurred ?f)
               (consumed ?c ?e)
               ...))

The above operator has the purpose of asserting all the single faults fk composing the current hypothesis h, which is a part of the goal G of the problem. The operator is not applicable if a fault has already occurred. In such a case, the possible subsequent occurrences of a fault fk are accounted for by operator consumed-faulty-transition (described below), which is enabled only for consumed faults. In other words, once a faulty event e in h has taken place, it becomes both occurred and consumed. Occurred means that, since e has already taken place, if it takes place again, this does not change the set of already occurred faults. Consumed means that e cannot be the extra fault to be combined with h in order to obtain the successor hypothesis h′.

The set of predicates (hyp ?e ?f ?c) lists all the faulty events ?e composing h, explicitly representing the hypothesis. These predicates are asserted for each fk in the problem initial state and never falsified. Their presence in the precondition ensures that all such faults are turned into an occurred state, since the operator is the only one in the domain that can change their state.

The additional unknown faulty event ?e can be discovered only by the domain operator extra-fault-transition:

(:action extra-fault-transition
  :parameters (?c - comp ... ?e - event)
  :precondition (and (not (consumed ?c ?e))
                     (allowed ?e)
                     (not (extra-fault))
                     (faulty ?e)
                     ...)
  :effect (and (consumed ?c ?e)
               (extra-fault)
               ...))

The action can only occur once in any solution plan, as the effect sets predicate (extra-fault) to true and no other action can falsify it. Even if it is not explicitly shown, this operator is encoded in such a way that its precondition is enabled only if (occurred ?fk) is true for every fk, i.e. the additional faulty event e can be found only as an extension of hypothesis h. In other words, h is a PP prefix, enforced by the model, of the eventual PP hypothesis h′ = he. Notice that, since hypothesis space Hset is being considered, no order is assumed among the faults of h, the precondition only requiring that they have all occurred to enable the operator. Predicate (not (consumed ?c ?e)) assures that event e is not one of the faulty events in h. Since a PP hypothesis h can have several (different) PP successors h′, predicate (allowed ?e) assures that a different hypothesis h′ is (possibly) generated at each run of the problem: omitting the predicate (allowed ?e) from the problem initial state prevents the planner from generating the same PP successor of h more than once.

According to the definition of Hset, a hypothesis only discriminates between the occurrence (or non-occurrence) of faulty events. However, this does not mean that a fault cannot occur several times: a different operator, consumed-faulty-transition, is needed to keep enabled all the transitions labeled by a faulty event contained in h that has already taken place.

(:action consumed-faulty-transition
  :parameters (?s1 ?s2 - state ?c - comp ... ?e - event ?m - mod)
  :precondition (and (faulty ?e)
                     (is ?c ?m)
                     (consumed ?c ?e)
                     (current ?c ?s1)
                     (edge ?s1 ?s2 ?e ?m))
  ; argument order of current follows its declaration (current ?ci ?s)
  :effect (and (not (current ?c ?s1))
               (current ?c ?s2)))

Note that the details of the operators above are not reported, and other operators are not shown at all. In general, the precondition of an operator assures that each state transition of a component occurs in the proper model by checking that (isinstance ?c ?m) holds for the actual action parameters ci and mj, representing the component where the transition takes place and the model of the component, respectively. Furthermore, the existence of a state transition (edge ?s ?d ?e ?m) from a source state parameter ?s to a destination state parameter ?d is also ascertained. The effect changes the current state of component ?c from ?s to ?d.

The encoding described so far is an implementation of Definition 3. The implementation of Definition 4 can be obtained by extending such an encoding as follows: the additional predicate (last-observable) is joined to the goal G of the planning problem, while a fact (observable oi) is added to the problem initial state for each observable event oi in o. The following (mutually exclusive) conditional effects are added to each domain operator:

  :effect (and ...
               (when (observable ?e) (last-observable))
               (when (not (observable ?e)) (not (last-observable))))

If the event ?e that triggers the transition is observable, then the predicate (last-observable) is asserted; otherwise such a predicate is falsified. Finally, an additional la-faulty-transition operator is defined as follows:

(:action la-faulty-transition
  :parameters (?s1 ?s2 - state ?c - comp ... ?e - event ?m - mod)
  ; unlike consumed-faulty-transition, this operator applies to faulty
  ; events that have not been consumed, once the extra fault has occurred
  :precondition (and (faulty ?e)
                     (extra-fault)
                     (is ?c ?m)
                     (not (consumed ?c ?e))
                     (current ?c ?s1)
                     (edge ?s1 ?s2 ?e ?m))
  :effect (and (not (current ?c ?s1))
               (current ?c ?s2)))

This operator keeps enabled all the faulty transitions labeled by an event that is not consumed after the extra-fault-transition has finished, thus allowing the planner to (possibly) find an observable transition according to Definition 4. Without such an operator, hypothesis h′ = he would be refined PP only if there existed a continuation of the trace ending with extra fault e that contains no other faults and ends with an observable event. This definition would be too restrictive.

Finally, given a PP hypothesis h such that n = |h|, both encodings described above are relevant to computing a PP hypothesis h′ which is an immediate successor of h, that is, such that |h′| = |h| + 1. Moreover, given algorithm preferred_diagnosis, the goal is to generate a PP hypothesis h′ in H as an immediate successor of a given hypothesis h such that h′ is in succg(h). In Hset, this is achieved by adding to h a single fault event out of an implicitly known subset of f.

6 Conclusions

The purpose of this paper is twofold: to propose a method to apply the hypothesis space approach [Grastien et al., 2011; 2012] to MBD of DESs in such a way as to exploit the regularity of poset hypothesis spaces, and to introduce a preliminary investigation on the topic of physical impossibility, so as to rule out from such a space all the hypotheses that are not PP. This topic can be faced regardless of any observation, so as to answer the question "is this hypothesis consistent with the DES model?": if it is not, then the hypothesis can permanently be removed from the hypothesis space whenever a diagnosis problem inherent to such a DES is considered. The topic can be faced also when a diagnosis problem, and hence a specific observation, is given, so as to answer the question "is this hypothesis consistent with an evolution of the DES model that, in turn, is consistent with the given observation?". While the first question, which is the one we have focused on in this paper, can be tackled both off-line and on-line, the second one can be tackled just on-line, that is, when a diagnosis problem has to be solved. Tackling the first question off-line opens the way to knowledge compilation. Tackling it anyway opens the way to knowledge reuse.

As shown in the paper, the generation of the PP hypotheses of a hypothesis space can easily be encoded as an AI planning problem. A critical point in such an encoding is represented by synchronous transitions in distributed DESs.

In this paper we have considered just three hypothesis spaces and basically focused on one of them, Hset, which is relevant to the abstraction according to which a candidate is a set of faults. Facing the first question on-line, by integrating the generation of PP hypotheses in Hset with the production of diagnosis results, while at the same time exploiting the regularity of Hset, is not simple. In fact, if a hypothesis is not PP, its successors may be PP. Therefore the hypothesis that is not PP is removed from the space, but we cannot remove its successors without further processing. Instead, if a hypothesis is a candidate, then all its successors have to be removed. Since the hypothesis space is implicit, and we can just generate new hypotheses and check whether they are candidates or not, these two different kinds of pruning make the generation of new hypotheses more complex, as such hypotheses must not be the successors of any candidate but they can be the successors of non-PP hypotheses.

Actually, the integrated generation of PP hypotheses and diagnosis results is much more promising in Hseq, the space where a candidate is a sequence of faults, since, if a sequence is not PP, then all the sequences that include it as a prefix are not PP themselves, which means that if we prune a hypothesis h that is not PP, then all the hypotheses in succg(h) have to be pruned as well. We think that a gain in efficiency can be achieved in this space, as we will ascertain through future experiments. A closer investigation will be performed also for space Hms, given not only the preference relations encompassed in this paper but also further ones.

Finally, we are going to investigate the second question too, that is, we aim at exploiting on-line the given observation so as to rule out every hypothesis that cannot be consistent with it, possibly without performing any check of the hypothesis against the observation itself.

References

[Cassandras and Lafortune, 2008] C.G. Cassandras and S. Lafortune. Introduction to Discrete Event Systems. Springer Science+Business Media, LLC, New York, NY, second edition, 2008.

[Ceriani, 2014] L. Ceriani. https://github.com/lucacerio84/DX14, 2014.

[de Kleer and Williams, 1989] J. de Kleer and B.C. Williams. Diagnosis with behavioral modes. In 11th International Joint Conference on Artificial Intelligence IJCAI89, pages 1324–1330, Detroit, MI, 1989.

[Enderton, 1977] H.B. Enderton. Elements of Set Theory. Academic Press, first edition, 1977.

[Grastien and Haslum, 2011] A. Grastien and P. Haslum. Diagnosis as planning: two case studies. In Scheduling and Planning Applications Workshop SPARK11, pages 37–44, Freiburg, D, 2011.

[Grastien et al., 2007] A. Grastien, Anbulagan, J. Rintanen, and E. Kelareva. Diagnosis of discrete-event systems using satisfiability algorithms. In 22nd National Conference on Artificial Intelligence AAAI07, pages 305–310, Vancouver, BC, 2007.

[Grastien et al., 2011] A. Grastien, P. Haslum, and S. Thiébaux. Exhaustive diagnosis of discrete event systems through exploration of the hypothesis space. In 22nd International Workshop on Principles of Diagnosis DX11, pages 60–67, Murnau, D, 2011.

[Grastien et al., 2012] A. Grastien, P. Haslum, and S. Thiébaux. Conflict-based diagnosis of discrete event systems: Theory and practice. In 13th International Conference on Principles of Knowledge Representation and Reasoning KR 2012, pages 4989–4996, Rome, I, 2012.

[Lamperti and Zanella, 2002] G. Lamperti and M. Zanella. Diagnosis of discrete-event systems from uncertain temporal observations. Artificial Intelligence, 137(1–2):91–163, 2002.

[Lamperti and Zanella, 2003] G. Lamperti and M. Zanella. Diagnosis of Active Systems: Principles and Techniques, volume 741 of The Kluwer International Series in Engineering and Computer Science. Kluwer Academic Publishers, Dordrecht, NL, 2003.

[Lamperti and Zanella, 2011] G. Lamperti and M. Zanella. Monitoring of active systems with stratified uncertain observations. IEEE Transactions on Systems, Man, and Cybernetics Part A: Systems and Humans, 41(2):356–369, 2011.

[Lamperti and Zanella, 2013] G. Lamperti and M. Zanella. Preliminaries on complexity of diagnosis of discrete-event systems. In 24th International Workshop on Principles of Diagnosis DX13, pages 192–197, Jerusalem, IL, 2013.

[Pencolé and Cordier, 2005] Y. Pencolé and M.O. Cordier. A formal framework for the decentralized diagnosis of large scale discrete event systems and its application to telecommunication networks. Artificial Intelligence, 164:121–170, 2005.

[Sohrabi et al., 2010] S. Sohrabi, J.A. Baier, and S. McIlraith. Diagnosis as planning revisited. In 12th International Conference on Knowledge Representation and Reasoning KR 2010, pages 26–36, Toronto, Canada, 2010.

[Williams and Ragno, 2007] B.C. Williams and R.J. Ragno. Conflict-directed A* and its role in model-based embedded systems. Journal of Discrete Applied Mathematics, 155(12):1562–1595, 2007.