diagnosis of discrete event systems using satisfiability algorithms: a theoretical and empirical...

3070 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 58, NO. 12, DECEMBER 2013

Diagnosis of Discrete Event Systems UsingSatisfiability Algorithms: A Theoretical

and Empirical StudyAlban Grastien and Anbu Anbulagan

Abstract—We propose a novel algorithm for the diagnosis of sys-tems modelled as discrete event systems. Instead of computing allpaths of the model that are consistent with the observations, weuse a two-level approach: at the first level diagnostic questions aregenerated in the form does there exist a path from a given subsetthat is consistent with the observations?, whilst at the second level asatisfiability (SAT) solver is used to answer the questions. Our ex-periments show that this approach, implemented in SAT, can solveproblems that we could not solve with other techniques.

Index Terms—Diagnosis, discrete event systems, propositionalsatisfiability.

I. INTRODUCTION

B ECAUSE of imperfect design, bad conception, improperuse or simply natural aging, or uncontrollability of the en-

vironment, any system is prone to malfunction. These malfunc-tions or faults may reduce the quality of service of the systemand be harmful for the system (through the cascading effect) orto the users. Monitoring the observations generated by sensorson the system or by the system itself is necessary to determinethe occurrence of faults (detection), to determine which faultstook place (identification), and to determine where faults tookplace (isolation). This is the task of diagnosis [1].We are interested here in model-based diagnosis (MBD)

where the diagnostic task is performed using only a descriptionof the system’s behavior (the model); furthermore, we assumethe model is a finite-state discrete event system (DES) [2],i.e., a model for dynamic systems where the state evolutionis discrete and its domain is finite. The traditional approachto diagnosis of DES is to compute all model paths consistentwith the observations, and to extract the diagnosis information(such as, which faulty events occurred) from these paths. Thisapproach is very expensive for large systems as the size ofthe model is exponential in the number of components; mosttechniques developed in the last 15 years aim at reducing this

Manuscript received June 09, 2011; revised March 20, 2012, December 02,2012, May 30, 2013; accepted May 30, 2013. Date of publication July 31, 2013;date of current version November 18, 2013. This work was supported by theNICTA, which is funded by the Australian Government as represented by theDepartment of Broadband, Communications and the Digital Economy and theAustralian Research Council through the ICT Centre of Excellence program.Recommended by Associate Editor H. Marchand.A. Grastien is with the Optimisation Research Group of NICTA, Canberra

ACT 2601, Australia and also with the AI Group, Australian National Univer-sity, Canberra ACT 2600, Australia (e-mail: [email protected]).A. Anbulagan is with the Australian National University, Canberra ACT

2600, Australia (e-mail: [email protected]).Digital Object Identifier 10.1109/TAC.2013.2275892

complexity but the class of systems they can diagnose is stillvery limited. In general however, we are not interested in allpossible system behaviors but in more specific information.Diagnosis of DES can be seen as finding specific paths on the

system model. Similar path-finding problems include classicalAI planning, model-checking, and diagnosability. A successfulapproach that has been developed for these three problems isthe use of propositional satisfiability (SAT) algorithms [3]–[5].Given a propositional formula defined on a set of Boolean vari-ables, SAT is the problem of finding an assignment to the vari-ables that makes the formula logically true, or determining thatno such assignment exists. The path-finding problem is trans-formed into a propositional formula that is satisfiable if and onlyif a path exists; a SAT solver is then run to find a solution to thisproblem, if any; finally the path is trivially reconstructed fromthe satisfying assignment.We propose a similar approach for the diagnosis of DES. Our

approach does not search for all the paths consistent with theobservations; instead we use a two-level approach that looks forspecific paths:1) At the first level the diagnostic problem is transformed intosimple problems that we call diagnostic questions. Eachquestion is a decision problem of the following form:Doesthe DES allow for a path generating the observations andsatisfying a certain property?

2) Each diagnostic question is answered at the second level.If the answer is yes, a path is returned that supports thepositive answer. We implemented this level with SAT.

To illustrate the feasability of this method, we solve a simpli-fied diagnostic problem whose purpose is to find an explanationthat minimizes the number of fault occurrences; the relevanceof such a problem is discussed in the next section, and the moregeneral case is discussed in the Extension section. This allowsus to concentrate on the second level of this approach, i.e., thetranslation of the diagnostic question into a SAT problem andits resolution.This two-level approach allows us to use efficient SAT algo-

rithms to solve hard diagnostic problems. Using this approachwe can generate the miniminal-cardinality diagnosis and de-tect the occurrence of specific events. We make the followingcontributions.1) We define a formal framework for a two-level approach todiagnosis of DES based on diagnostic questions.

2) We show how diagnostic questions can be translated intoSAT problems (illustrated for the class of questions re-quired for our simplified diagnostic problems).

0018-9286 © 2013 IEEE

GRASTIEN AND ANBULAGAN: DIAGNOSIS OF DISCRETE EVENT SYSTEMS 3071

3) We provide experimental results showing that this ap-proach is able to compute the preferred diagnosis for aclass of hard diagnostic problems.

4) We discuss the resolution of more general diagnostic prob-lems and SAT-related improvements.

A. Related Work

DES diagnosis has been very well-studied since the seminalwork from Sampath et al. [6]. The main issue addressed in thelast 15 years is the complexity of the task, which is in generalexponential in the number of components. The general approachis to compute a representation of all the system behaviors com-patible with the observations, from which the diagnostic infor-mation can be extracted. Sampath et al. proposed to compile themodel in a diagnoser that returns diagnosis in linear time; how-ever, the compiled structure is double exponential in the numberof components [7]. Decentralized [8], distributed [9]–[11], andsymbolic [12] methods have been used to contain the exponen-tial blow-up, with real yet unsufficient impact.Petri net modelling was proposed to address the complexity

issue [13]–[15]. Petri nets are often more compact than au-tomata and represent concurrency more elegantly. The class ofsystems they can represent is different from that of automata:unbounded Petri nets can have an infinite state space; on theother hand, work on Petri nets often assumes no unobserv-able cycles. However the unfolding of Petri nets is subject tobranching explosion which makes their use difficult. Recentlya new approach was proposed [16], [17] that reduces the gener-ation of diagnosis explanations to a sequence of Mixed-IntegerProgramming problems; while this reduction is very similar toour reduction to SAT, the existing approaches generate all ex-planations which seems inapplicable in practice. Furthermore,how to diagnose fault patterns [18] in this framework is stillopen.More similar to our paper Pencolé et al. proposed to diagnose

each fault separately [19]. Grastien and Torta [20] studied howdifferent diagnostic questions can be reformulated in a series ofquestions.Outline: The next section presents the diagnosis of DES. Our

two-level approach is discussed in Section III. The use of SATfor solving diagnostic questions is discussed in Section IV.We present a translation from a diagnostic question to SAT inSection V. An experimental validation is given in Section VI.Possible extensions are discussed in Section VII.

II. DIAGNOSIS OF DISCRETE EVENT SYSTEMS

Different approaches can be used for diagnosis, but the mostrobust are model-based techniques [1]. Model-based diagnosis(MDB) uses a description of the system—themodel—and com-pares the possible system evolutions predicted by the model tothe actual observations on the system to determine which evo-lutions may have taken place.

A. Discrete Event Systems

In this paper, we are interested in DES, a class of models fordynamic systems. The state of a DES is usually the compositionof states from each of its components. Because the componentsbehave independently (to some extent), the state space is usu-ally exponential in the number of components in the system. It

is therefore inefficient or even impossible to build a DES withexplicit enumeration of all system states. Two methods can beused to alleviate this problem:• The decentralized approach: The DES can be implicitlydefined as the composition of component (local) models.All components being relatively simple, their models canbe constructed easily and reused for different instances ofthe same component type. The synchronization betweenthe local models must also be defined.

• The symbolic approach: The state of the system can be de-fined as the assignment of state variables to finite (small)domains. As opposed to the decentralized approach, thetransition rules from one state to the other potentially in-volve not only the local state but any state variable.

The symbolic approach is very appealing for the SAT imple-mentation we provide in this paper because it makes the trans-lation natural. The decentralized model, however, is generallythe easiest to construct. Therefore in this paper we define a newmodel that combines both types of model and take advantage ofboth approaches; the expressiveness of this model is howeversimilar to most DES formalisms.1

In our framework a DES is defined as a set of interconnectedcomponent models and each component is modelled in a sym-bolic fashion.1) Component:Definition 1 (Component Model): A component is mod-

elled by a tuple where• is a set of state variables; each variable is definedon a finite domain ;

• is a set of events partitionned in exogeneous events, input events , observable events , and

output events ;• is a set of rules (see after);• is the initial assignment of .

A rule is a tuple where• is the precondition of the rule defined as a proposi-tional formula over ,

• is the triggering event of rule ,• is the (possibly empty) set of eventsgenerated by the rule trigger,

• is the (possibly null) effects of the rule defined as apartial assignment of .

A state (or simply ) of component is defined as thetotal assignment of each state variable on its domain

: . The value of variable in state isdenoted . Exogeneous events correspond to spontaneousevents; input events to events triggered by other components;output events to events generated as a reaction of a rule trigger(some of which might trigger an input event on another compo-nent); observable events are similar to output events except thatan external observer will notice the occurrence of such events.In this framework, a triggering event cannot be observable, al-though it is possible to define two events to circumvent this lim-itation. For instance, later in Example 1, a component may re-

1As opposed to finite-state DES, Petri nets (PN) for instance allow for infinitestate spaces, but most works on PN are restricted to the so-called safe sub-classof PN where the expressiveness is the same [13]; similarly, process algebra (PA)are potentially more powerful but, again, all existing works restrict themselvesto a class of PA with finite state space [21].


Fig. 1. Model of a single component. (a) Automaton representing how the com-ponent state may change; (b) transitions label for Automaton (a); (c) symbolicencoding of the component states.

boot and this reboot is observable; this behavior is captured bytwo separate events: is an event that models the triggeringaspect of the reboot while is an event that models the alarmemitted. The evolution of component is modelled through thetrigger of a sequence of rules, each of which has to satisfy thecurrent state and may affect this state.Definition 2 (Path on a Component): A path on com-

ponent modelled by is a sequence

s.t. there exists a se-quence of rules where• , we define as ,• , ,• , and ,• and

if is defined,otherwise.

The component model hence implicitly represents an au-tomaton where each node is a state of the component modeland each transition links state to state if there exists a path

of length one between the two states. When onlythe paths from the initial state are requested, the initial state ofthe automaton is the initial state .Example 1: There is no benchmark in diagnosis of DES and

this paper formally presents a model we used in previous work.2

Figs. 1(a) and 1(b) show one instance of the components inthe model. This component models a fictional server in a net-work. The nominal state is . When a fault takes place (event, transition from to ), the component emits the mes-

sage to each of its neighbors (there is therefore asingle transition with as many output events as this compo-nent has neighbors), asking them to reboot. The eventmodels the asynchronous effect of an event. The two observ-able events are represented with uppercase letters: corre-sponds to the alarm saying the component is rebooting;

2The model is available at www.grastien.net/ban/data/tac11/.

corresponds to the alarm saying the component has finishedrebooting. Finally the event corresponds to the recep-tion of a rebooting message for a neighboring component ;there are hence as many transitions between and as there areneighbors to .Each component has exactly four neighbors. The compo-

nent state is modelled by four Boolean variables: indicateswhether a fault just took place on the component; indicateswhether a neighbor forced this component to reboot; modelsthe asynchronous behavior before and after the componentreboots; indicates the component finished rebooting. Allstates assignments are given in Fig. 1(c). To illustrate, thetransitions leading to state are modelled by the followingrule: .2) System: A system is a set of interconnected components.

All components evolve separately but the connections restricttheir evolutions and force them to synchronize.Definition 3 (System Model): A system model is a tuple

where• is a set of components ,• is a mapping that associates each component

with its model s.t.,

• is a set ofpairs where is an output event of componentand is an input event of component s.t.

.We define , ,

, and . A synchronizationmeans that the output event must take place at the sametime as the input event . These two events model the samephysical reality, from the point of view of component ,from the point of view of component .The system state is defined as a tuple of states for each

component: where ,. The system behavior is modelled by a path that corre-

sponds to the synchronized execution of paths on eachcomponent. The component path definition needs to be ex-tended to allow empty transitions where nothing happens onthe component.Definition 4 (Extended Component Path): The extended set

of rules of component modelled by is definedby where .An extended path of component modelled by

is a path on the fictional component modelledby .Definition 5 (Synchronized Transitions): Let

be a system and letbe a set of component transitions s.t. ,

is an extended path of component . The setof transitions is synchronized if there existss.t.:1) ,2)

,3)

.


The synchronization of is the path defined by:• ,• ,• ,

• .

In Definition 5 the first property ensures an exogeneous eventtriggers the transition (on component ); the second propertyensures that if a transition takes place on another component ,then it is triggered by the occurrence of an input event synchro-nized with an output event of another component ; finally thethird property ensures any output event that is part of a synchro-nization is indeed synchronized. In the following, the subset ofnonempty transitions of (i.e., those transitions s.t. )is called a macrotransition.The definition of a transition label and, consequently, the defi-

nition of synchronization are generally simpler in the literature.A transition is usually associated with a single event and thesynchronization simply makes sure that events that are sharedby different components occur at the same time on each of thesecomponents. The expressiveness of our model is very similarto the traditional models. One advantage is that the model ofa single component is less dependant from the other compo-nents in our approach. For instance, in an electrical circuit, aswitch being closed may lead to a circuit-breaker to trip, de-pending on the current state of the circuit; this can be modeledby complex events such as, e.g., switch_closed_trip-ping_breaker but an approach based on sets of events ismore appealing.Observe also that a transition label can be used to symbol-

ically represent the set of transitions where this label appears;this is particularly useful if the label has real semantics and doesnot correspond to an arbitrary set of transitions. By associatingseveral labels with each transition, we increase the number ofsets of transitions that can be represented easily, which is veryuseful for SAT solvers as they naturally manipulate transitionssymbolically.Definition 6 (System Path): A path on the DES

is a sequence s.t.

, is an extended

path of component and each path is the

synchronization of the set of paths .Example 2: The system in the benchmark we introduce here

contains 20 components. The synchronizations are defined asfollows: for all pair of neigh-boring components.The system topology is represented in Fig. 2 where compo-

nents are represented by rectangles and connections by linesbetween the rectangles. To fully illustrate the connectivity onecomponent (in coordinate ) and its four neighbors are filledin gray. Formally the topology forms a torus: the position ofeach component is defined by two integersand ; two components and areneighbors if their values and vary in total by one unit:

Fig. 2. System topology. Each box corresponds to a component whosemodel isgiven in Fig. 1. The gray boxes represent one component and its four neighbors.

B. Diagnostic Problem

The system dynamically evolves from external and internalstimuli. We assume that each possible evolution of the systemis represented by a path on the DES. When an evolution takesplace, the system generates a sequence of observations which isexactly the sequence of observable events that takes place in thecorresponding path.Definition 7 (Observations): The observations of path

are defined as the sequence.

Notice that we consider every transition of the path is ob-servable; a transition that corresponds to no observable eventis still observed and generates an empty observation. This as-sumption is relaxed in Section V. Some frameworks considerstate-based observations; such a framework can be easily recastin our framework.Observations on the system allow us to monitor its behavior,

although it may not be sufficient to determine precisely thesystem behavior. The system takes an unknown evolutionmodelled by an unknown path on DES ; what we do knowabout path is the sequence of observations which isexactly the sequence generated by the system. The diagnoser’stask is to reason on the model to determine what happened onthe system. In general, there may be many explanations forthe system observations; a diagnosis is therefore generally acollection of diagnosis candidates, each diagnosis candidatebeing associated with one or more explanations (or even zero ifthe diagnoser is imprecise). The expected output of diagnosis isoften which faults occurred, i.e., particular unexpected events.In the seminal work from Sampath et al. [6], a diagnosiscandidate is the set of faults that occurred on the system, i.e.,a diagnosis is a collection of sets of faults. For intermittentfaults [22], the number of occurrences becomes relevant [23].Of interest is also the order in which the failure took place, ascertain sequences can be more harmful than others; we startedinvestigating such problems, including using methods devel-opped in this paper [24], [25]. Several approaches prefer tocompute a structure (for instance an automaton) that representsall system behaviors consistent with the observations, fromwhich structure it is assumed any relevant information can beeasily retrieved [8], [9].


For this paper however, we consider a simplified diagnosticproblem, which allows us to concentrate on the SAT part of thediagnostic algorithm. Notice however that all these definitionsof diagnosis can be handled by this approach.We propose to do adiagnosis-based alarm clustering. In a large system where manyincidents can take place roughly at the same time, alarm clus-tering is the problem of grouping the observations (alarms) thatpertain to the same incident to simplify the presentation of thesealarms. To this end, we proposed [26] to compute a single expla-nation of the observations from which the relations between theobservations can be retrieved. Using several explanations wouldnot help here as the inferences from each explanation would becontradictory. In order to provide the best clustering possible,the single explanation returned by the diagnosis should be themost probable. Therefore, we compute the explanation that min-imizes the number of (rare) “unexpected events” (to make iteasier to relate to existing works, these events are later referredto as “faults” although they may not correspond to faults). Con-centrating on the preferred explanation is by no means new, andhas been used, e.g., for Livingstone [27], a model-based diag-noser developed by the U.S. National Aeronautics and SpaceAdministration for self-reconfiguring autonomous spacecrafts,although Livingstone considered a probabilitic model to decidewhich explanation is most likely.Definition 8 (Diagnostic Problem and Diagnosis): A diag-

nostic problem is a pair where is a systemmodel, represents the observations of some path on themodel, and is a subset of system events.The diagnosis of diagnostic problem is a path

on that generates and that minimizes the number ofoccurrences of events from set .

III. PROPOSED APPROACH

This approach generalizes the work presented in [28]; it canbe used to solve more general problems than the simplified di-agnostic problem considered in this paper [24], [25], althoughthis line of research is still on-going work.Diagnosis aims at explaining what is going on in the system.

As we have shown previously existing algorithms usually com-pute all possible evolutions that can lead to the observations, andthen extract the relevant information. We propose an oppositeapproach where we check the existence of evolutions that sup-port certain diagnostic results. To this end, we introduce the con-cept of diagnostic question and recast the diagnostic problem ina sequence of such problems.Definition 9 (Diagnostic Question): A diagnostic questionis a tuple where is a

system model, is a sequence of observations, and is a setof paths.The answer to the diagnostic question is

yes if there exists a path on s.t. and, together with path ,

no otherwise.

For a given diagnostic problem, a diagnostic question is de-fined solely by the set of paths .

We solve the diagnostic problem by translating it into a se-quence of diagnostic questions. Hence the two levels of thealgorithm.

1) In the first level, the algorithm chooses the diagnosticquestions. This choice can be made statically or based onthe result of the previous diagnostic questions.

2) In the second level, the algorithm solves the diagnosticquestions. In this paper, the solver is based on a SATprocedure.

In our particular definition of diagnosis, the first level is im-plemented as follows. For the first diagnostic question, the setis defined as the set of paths that contains no fault (nom-

inal behavior). If the answer to this question is positive, thenwe just found a path that minimizes the number of faults; oth-erwise, a new question is generated with the set of paths thatallow one fault occurrence. New questions with sets allowingan increasing number of faults are generated until a positive an-swer is obtained, at which stage a preferred diagnosis is found.More general diagnostic problems can be solved using a moresophisticated first level; however, this paper concentrates on thesecond level.

IV. SAT AND DIAGNOSTIC QUESTIONS

In this section we present SAT and discuss how diagnosticquestions can be solved using SAT. The precise translation toSAT is given in the next section.

A. SAT Problem: Definition and Algorithms

Let be a set of propositional variables and let be a propo-sitional formula over . The Boolean satisfiability problem(SAT) is the problem of determining whether there existsan assignment that makes the formulalogically true. SAT solvers usually return such an assignment.The formula is often expressed in conjunctive normal form(CNF), but this is not a strong restriction as any formula canbe transformed to an equivalent CNF formula by introducingonly a linear number of variables. A CNF is a conjunction ofclauses, each clause being a disjunction of literals, each literalbeing a variable or its negation. An example of a clause is

(1)

which specifies that either should be set to , to , or toto satisfy the clause. Each clause can be seen as a constraint

on the assignment .SAT was the first problem shown to be NP-Complete [29],

which makes it a hard problem in general. However the lasttwo decades have seen massive energy deployed by the SATcommunity to develop fast and efficient algorithms based onsystematic methods and on stochastic local search (SLS). SLSalgorithms are unable in general to demonstrate a formula isunsatisfiable; we therefore ignore them in the following.Current systematic algorithms are based on the DPLL pro-

cedure [30]. The algorithm picks a branching variable, assignsit arbitrarily to or , propagates the information, and recur-sively picks another variable until all variables are assigned. Theinformation propagation serves two purposes. First it allows to


infer certain assignments; for instance, if and are both as-signed to and the clause (1) belongs to the SAT problem,then has to be assigned to ; this is known as unit propaga-tion (UP). Second, it allows to detect inconsistencies when allliterals of a clause are negated; in this case, the SAT algorithmbacktracks to the last relevant branching decision to assign thevariable differently.An improvement that is intensively used is the conflict-di-

rected clause learning (CDCL) mechanism. When an inconsis-tency (a conflict) is detected, the graph of UP is studied to ex-tract a set of assignments that, together with the UP mechanism,led to the conflict. This set can be rewritten into a clause that isadded to the SAT problem. This clause allows to avoid similarconflicts in the future: thanks to UP, this clause will allow to de-rive the nonconflicting assignment. Of importance is the choiceof the branching variable; existing procedures favour the vari-ables involved in the last conflicts [31]. Another improvementis the one-step lookahead [32] used as a heuristic for the nextbranching variable.The results published by the SAT competition3 show that

solvers based on clause learning (such as zChaff [33], MINISAT[34], RSat [35], or glucose [36]) are very good on industrialproblems; lookahead algorithms (such as Dew_Satz [37], Kcnfs(an improvement of cnfs [38]), and March_dl [39]) performbetter on random problems. All these solvers can be accessedfrom the SAT competition website.

B. How to Express Diagnostic Questions in SAT

A diagnostic question is the problem of determining whetherthere exists a path on the DES that satisfies specific properties: itshould be consistent with the observations and it should belongto a set of paths . Similar path-finding problems have alreadybeen successfully reduced to SAT, e.g., in planning [3], model-checking [4], and diagnosability [5].

Consider a path of fixedlength .4 The transitions define timesteps: the initial stateis in timestep 0, the first transition takes place at timestep 1,etc. We now propose a set of variables such that the pathcan be modelled by an assignment , i.e.,such that all paths are associated with a different assignment.Constraints will be defined to ensure that the paths which aresolutions to the diagnostic question are exactly those associatedwith an assignment that satisfies these constraints. Solving theSAT problem will therefore exhibit a solution to the diagnosticquestion. The set must represent all possible paths and istherefore defined as follows:• For all component , for all state variable

of component , for all value in the domainof variable , for all timestep ,

. Assignment assigns to iff

. These variables are used to record the systemstate at each timestep of the path.

• For all component , for all event ofcomponent , for all timestep , .

3Cf. www.satcompetition.org/.4Choosing the appropriate value for is a problem on its own; as this value

depends on how many and what type of observations were received, this issueis discussed in the Section V-B dedicated to translating the observations.

Assignment assigns to iff . Thesevariables are used to record which events took place at eachtimestep.

Additional variables, which are not strictly necessary, mayalso be introduced. Such auxilliary variables can make theSAT problem more compact and easier to solve; this will beillustrated in Section V.By definition each path is associated with exactly one as-

signment . Given an assignment , it is trivial to retrievethe corresponding path .Answering a diagnostic question consists

in finding a path on generating observations . Thecorresponding SAT problem is a collection of constraintsthat ensures that is a satisfying assignment to iffis a positive path of . These constraints are partitioned in thefollowing three sets:• should be a path on the model: constraints .• should generate : constraints .• should be a path of : constraints .The SAT-based solving of a diagnostic question is imple-

mented as follows: the SAT problem is generated andpassed to a SAT solver. If the problem is not satisfiable, thenthe answer to the diagnostic question is negative; otherwise, asatisfying assignment is produced from which a positivepath can be extracted. It should be clear that the SAT solverneeds to be complete, i.e., it should be able to determine that aSAT problem is unsatisfiable.

C. Expected Performance of SAT-Based Diagnosis Algorithm

We now provide the intuitions that explain how SAT-baseddiagnosers can be expected to perform compared to more tradi-tional approaches.SAT has already been proposed to solve similar problems

such as classical AI planning, model-checking, or diagnos-ability with some success. Let us turn to the latter problemwhich the readers may be more familiar with. A system isdiagnosable if a fault can always be detected and identifiedby a diagnoser a bounded number of steps after it occurred.A system is not diagnosable if it exhibits a pair of paths thati) cycle and ii) produce the same observations, one of whichbeing faulty and the other not [40]. Similarly to diagnosis,assuming an upper bound on the length of these paths, we lookfor a so-called critical path on the twin plant (the product of thesystem with itself) that satisfies certain properties, which canbe recast as a SAT problem [5]. This approach allowed to provenondiagnosability of systems with states in seconds.(Diagnosability however cannot be proved with SAT as thelength of the smallest critical path is quadratic in the numberof states in the worst-case, which leads to an untractable SATproblem.)By definition, each diagnostic question aims at finding a

single path. The existing approaches explore all paths, andmuch of the effort is targetted at representing these paths effi-ciently and compactly (hence, the Sampath diagnoser states, theuse of BDDs or Petri nets, etc.). Even if the diagnostic problemrequires little search (i.e., not many paths are dead-ends), theeffort of keeping all those paths is often prohibitive.Considering more specifically SAT now, one very powerful

aspect of the SAT algorithms is that they are very flexible in


Fig. 3. Illustration of the unit propagation. and are observable, is not. Iffollowed by are observed, a SAT solver will trivially (i.e., without search

effort) determine the system took transitions .

which variable they should instantiate first. On the contrary, ex-isting algorithms generally develop a forward search startingfrom the initial state and trying to explain each observation in-crementally. This aspect is clearly illustrated in the unit propa-gation, which accounts for most variable instantiations in SATand which is illustrated on Fig. 3. In this example, and startingfrom state 0, if observable event is observed, a classical algo-rithm will have to consider both transitions and .If the observation is later made, the diagnoser will determinethat the only first transition that allows the second observationis the one to state 2. On the other hand, a SAT-based diagnoserusing a DPLL procedure, will be able to immediately infer that

the second observation was generated from the transition(because this is the only transition generating ); hence, thefirst transition can be inferred without any search. Thisheuristic is very powerful, and it has been proved that SAT al-gorithms are stronger than the existing heuristics in classical AIplanning [41].SAT solvers have sophisticated procedures to find the best

(nonunit propagation) variable to assign [31]. Furthermore, theproblem can be more or less difficult depending which variableyou start the search from; therefore, the SAT solver can stop thesearch if it considers it has been running for too long, and restartwith a different set of variables [42].These benefits are furthermore enhanced by the clause

learning capability. If a partial assignment of the SAT vari-ables, i.e., a partially defined path on the model, is consistentwith the observations, then the variables involved in the in-consistency are identified and a clause is generated that willprevent a similar incorrect assignment in the future. Assumea diagnostic problem where the first observations can be ex-plained by a very large number of paths involving a sensorbeing faulty; assume that the next observations prove that thesensor is not faulty. In the classical approach, all these pathswill be explored and then discarded. SAT, on the other hand,will explore one such path, determine that the sensor is notfaulty, and will ignore any other path that involves this fault.Finally, the diagnosis question allows to focus on a small part

of the state space. For instance, if we look for a path withfaults, then as soon as the path being built involves this numberof faults, we can disregard any other faulty transition. We haveshown [43] that a careful implementation of the set of pathsconsidered in the question can lead to powerful inferences thatcan dramatically affect the runtime.We would like to stress a weakness of the SAT-based ap-

proach. In the traditional approach, all paths of the DES con-sistent with the observations are computed, from where the di-agnosis is extracted. In our approach however, each diagnosticquestion is solved independently, the resolution of each question

may lead to discovering over and over again the same (sub)re-sults. We think two possible approaches can be used to alle-viate this issue: i) as diagnostic questions on the same diagnosticproblem share many clauses, it is possible to use incrementalSAT solvers [44] which are specifically designed to reuse learntinformation; ii) reasonably expensive preprocessing can be per-formed on the diagnostic problem before calling the SAT solverin order to include additional knowledge of the problem at hand(e.g., the assignment of state variable at timestep couldbe determined by local reasoning); the cost of preprocessingmight pay off if used to accelerate the resolution of many SATproblems.

V. TRANSLATING DIAGNOSTIC QUESTIONS INTO SAT

The previous section gave the intuition how SAT can be usedto solve diagnostic questions. In this section we present pre-cisely the translation of each set , , .

A. Translating the Model

This subsection introduces , which is the set of con-straints ensuring the returned path is indeed a path from themodel . To simplify and reduce the CNF, we define the fol-lowing set of variables:• For all component , for all rule ,for all timestep , . Assignment

assigns to iff the rule is triggered in the thmacrotransition of .

With these additional variables, the translation is given inFig. 4. Each constraint has the following meaning:

(2) At each timestep, each state variable must be associatedwith at least one value.

(3) At each timestep, each state variable can be associatedwith at most one value (equivalent to a cardinalityconstraint [45]).

(4) A rule can be triggered only if its precondition issatisfied.

(5) If the rule is triggered, its effects apply.

(6) A state variable changes value only as an effect of arule. (The set of rules assigning value to state variableis represented by .)

(7) A rule triggers only if its input event takes place.

(8) A rule triggering implies its output events taking place.

(9) An event occurring implies one of the rules it isassociated with being triggered. (The set of rulesassociated with is represented by .)

(10) Synchronization events have to take place together.

(11) At most one rule can trigger at a time on a component.

(12) The path should start in the initial state.Notice that the encoding presented above does not enforce

the occurrence of a single exogeneous event per timestep. Thisis intentional and due to the number of transitions in the pathbeing unknown in general. The estimate of depends on the


Fig. 4. Clauses enforcing to be a path on the model.

type of observations on the system and is therefore discussed inSection V-B.Several improvements can be introduced in the modelling:1) Removing redundant variables: The goal is to reduce thenumber of variables in the SAT problem. This simplifiesthe work for the solver while maintaining correctness.When an input event is associated with only one rule,or when two events always take place together (e.g.,synchronization events), their variables may be merged.

2) Factorizing: The purpose of this operation is to expressa set of constraints as compactly as possible to reducethe SAT solver memory requirements [46]. A typical ex-ample is Constraint (11) which states that only one rulecan take place at a time; for all pair of rules, these tworules cannot take place together. It is possible to factorizethe constraints for the rules associated with different inputevents by forbidding the simultaneous occurrence of twodifferent input events on any component; for each com-ponent, a set of rules is defined that forbids the simulta-neous occurrence of different input events, and a set ofrules is defined that forbids the simultaneous occurrenceof different rules associated with the same input event.Consider input events associated with rules each; thefirst encoding requiresbinary clauses while the second encoding requires only

binaryclauses.

Fig. 5. Hyperresolution inference technique: the bottom clause can be deducedfrom the top clauses; contrary to the top clauses, the bottom clause allows to easydetermine that is true if is true.

Fig. 6. Constraints representing timestamped observations.

3) Information: The purpose here is to include redundant in-formation in the SAT problem in order to allow the solverto infer more information during the search. Consider theclauses Fig. 5. The last clause can be inferred from theformer ones; it is therefore unnecessary. Consider now thatis set to ; the last clause allows to infer immediately

that should be set to as well. This additional clausemakes the problem simpler to solve. In our instance it isoften the case that a single event is associated with sev-eral rules , all of which share an assignment .The following clause can be added to the SAT problem:

.More techniques could be used to include addition infor-mation, such as if event takes place at timestep , eventcannot take place at timestep , etc. We did not imple-ment these additional enhancements. There is a trade-offbetween adding useful information and increasing the sizeof the CNF and the SAT solver memory requirements.

Notice that the improvements introduced by these techniquesapply to all timesteps and are therefore worth investing someenergy as they will be intensively used.

B. Translating the Observations

This subsection introduces , which is the set of con-straints ensuring the returned path generates the observationson the system. Depending on the system considered, varioustypes of observations may be received which lead to differenttranslations. We consider here three types of observations:timestamped observations, totally ordered observations andpartially ordered observations. All these cases make thecommon assumption that no observation is lost.1) TimestampedObservations: The simplest case is when the

observations are timestamped, i.e., they are defined exactlyas presented in Section II. The translation is given in Fig. 6. Eachconstraint has the following meaning:

(13) If observable event is observed at timestep , thisevent is enforced at timestep .

(14) If observable event is not observed at timestep ,this event is disabled at timestep .

One benefit of timestamped observations is that the numberof transitions is known exactly. This also implies that exactly

one macrotransition takes place at each time step. This is en-forced by the constraints Fig. 7:


Fig. 7. Constraints restricting paths with one transition per timestep.

(15) No two exogeneous events take place at the sametimestep. Note that using a cardinality constraintencoding as in [45] would probably be more efficient.

(16) At least one exogeneous event takes place at eachtimestep.

2) Totally Ordered Observations: The most common hy-pothesis assumes a total order of observations. In this case, theobservations emitted by the system is a sequence of nonemptysets of observations. Compared to the timestamped observa-tions, the empty sets of observations are removed from .Each set of simultaneous observations is called a salve. For in-stance, if the observations are ( was emitted atthe same time as , and was emitted later again), then the firstsalve is and the second salve is .An immediate consequence is that the number of transitions

is unknown and the exact timestep when the observations wereemitted is also unknown. For instance the timestamped observa-tions , , and are in-distinguishable when translated as totally ordered: .What value should be chosen for to make sure that all pathson the DES are considered and that the SAT-based solving ofa diagnostic question is sound? Before answering this question,we start with the following two remarks:Remark one: We mentioned in Section V-A that our trans-

lation of the model in SAT does not enforce a transitionto take place at each timestep (the corresponding constraint isthe Constraint 15 defined for the timestamped observations).Thanks to this omission the standard translation of Section V-Anot only represents paths of length but also any path of smallerlength. If any path generating salves includes at mosttransitions, then the value can be safely used.Some DESs contain silent cycles defined as paths

s.t.:• ,• , ,• .

In other words is a nonempty cycling path that generates noobservations. The system may take an unbounded number ofsuch cycles without generating observations, which means that

does not exist. Some approaches such as [47] forbid silentcycles. However, silent cycles are usually not a problem for di-agnosis. Indeed silent cycles represent sequences of events thatcannot be diagnosed since they generate no observation; fur-thermore shorter paths are usually more likely explanations thanlonger paths and they are considered as preferred explanation.Therefore, we may compute as the maximal number oftransitions that the system can take without taking silent cyclewhile generating salves of observations.

Fig. 8. DES illustrating the difference between the two strategies for finding. and being the only observable events, any two observable events areseparated by at most two events, which means we can assume timestepsand the observations were generated every three timesteps. On the other hand,the upper-bound could be tighten to but the timestep when eachobservation was emitted is uncertain.

Remark two: The translation does not enforce a maximumnumber of transitions per timestep (the corresponding constraintis Constraint (15) defined for the timestamped observations).Large systems exhibit many independent (concurrent) behav-iors where some components interact for a moment without in-terfering with the rest of the network. Consider two eventsand associated with different components and . Con-

sider two paths and

. These two pathsare generally similar from the point of view of diagnosis. Fur-thermore the two transitions could be merged as follows:

. This is formally not a path but the twopaths and may be retrieved from . In this example, thepaths of length two will be considered by the SAT solver al-though . This technique allows to reduce considerably thevalue of .With these remarks in mind, several possible strategies can

be used to determine :1) can be computed globally, i.e., the maximum number oftransitions for salves is computed.

2) The maximum number of unobservable transitions be-tween two consecutive observations is computed and isdetermined by (as usual, we do not con-sider the events after the last observation).

Notice that in both cases the second remark above applies, i.e.,independent macrotransitions may be reordered and may applyat the same timestep. The benefit of the first strategy over thesecond one is that it generates a smaller value for . This is il-lustrated by Fig. 8: we can easily show that salves correspondto at most ; however since up to two invisibletransitions may occur between two salves, the second strategywill lead to . Although the second strategy requires moretimesteps, it allows to fix the timestep where the observationsare generated. Therefore, the observations will be representedby variable assignments (unit clauses) fromwhich the unit prop-agation technique (the principal deduction technique used bySAT solvers) will be able to automatically deduce useful knowl-edge.Having defined , it is possible to recast totally

ordered observations in timestamped observations where• the th salve was produced at timestep ,• no observation was produced at timestep

,• any number of macrotransitions may take place at the sametime, i.e., the sets of constraints 14 and 15 do not apply.

3) Partially Ordered Observations: A difficulty that ariseswith large systems that are naturally decentralized is that the


Fig. 9. Constraints enforcing the values of and .

order in which the salves of observations were emitted is notobvious. A typical example is when the observations are alarmsthat warn of the existence of a fault somewhere in the system;because the fault and its side effects affect many componentsat the same time, all these components generate observations atroughly the same time. Many works in diagnosis of DES dealwith partially ordered observations, e.g., [8], [9], [13], [48].The observations are now defined as a set of salves

equipped with a partial order relation . To model the obser-vations in the SAT problem, we define a number of auxiliaryvariables that represent when each salve took place.• For all timestep (as previously noobservation is emitted at timestep ),for all salve , . Assignment assigns

to iff the salve is emitted at timestep .• For all timestep , for all salve ,

. Assignment assigns to iff the salveis emitted at timestep .

Many of those variables can actually be removed as their valueis trivial. For instance consider two salves such that ; thencannot be emitted at time because has to be

emitted before. The constraints on Fig. 9 enforce the semanticsof the new variables:

(17) A salve is emitted before or at timestep iff it isemitted at timestep or at the previous timestep

.

(18) A salve is emitted only once

(19) but all salves are emitted.

(20) When a salve is emitted, the corresponding observableevents take place.

(21) Observable events take place only when acorresponding salve is emitted.

Finally the partial order between the salves must be enforced.This is done by the constraints in Fig. 10:

(22) The order between salves and is enforced.

(23) Two salves cannot be emitted at the same time.

C. Translating the Type of Paths

This subsection introduces which is the set of constraintsenforcing the path to be part of certain set . There is no generic

Fig. 10. Partial order on the salves.

translation to SAT as such a translation is not an explicit enu-meration of all elements in set but an implicit (symbolic) rep-resentation. We recently briefly presented some encodings [24].As mentionned in Section III the sets used for our diag-

nostic problem are defined as the set of paths with occur-rences of faults. Let be the set of SAT variables that registerthe occurrence of faults:

Then the set can be encoded as the cardinality constraint thatexactly variables in are set to . We studied in [43]how carefully choosing the encoding can lead to dramatic per-formance improvement.Traditionally, the diagnosis is the collection of sets of faults

that label at least one path that explains the observations. Givena subset of faults , the class represents the set ofpaths that include an occurrence of iff . The setbelongs to the diagnosis iff the answer to diagnostic problem

is positive.For all , let be an auxiliary SAT variable that is

true iff occurs in the path:

Let also be an auxiliary variable that is true iff is the set offaults that occur in the path:

The set corresponding to can be encoded by the singleunit clause .The number of subsets of is , which can make the enu-

meration of all subsets of impractical. If we assume that thenumber of diagnoses is small compared to , a more cleverapproach can be adopted. Starting with the set of all paths,we search for any path consistent with the observation. When apath is found, we extract the set of faults that appear in thispath and iteratively ask another question that forbid this set offaults: . This is enforced by the set of constraints

.When the system is diagnosable [6], each fault can be diag-

nosed separately [20]. In this case, we can ask the diagnosticquestion with (respectively, ) that are defined as the setsof paths containing one or more (respectively, zero) occurrenceof . The corresponding set of constraints can be defined by aunit clause over variable .

VI. VALIDATION

The following experiments were performed to evaluate thefeasability of this paper’s approach.


Fig. 11. Runtime for different parameters: , , . a) Runtime for different observa-tions; b) runtime for different difficulties; c) runtime for different number of faults.

A. Experimental Set-Up

We use the benchmark presented in Section II; it is of interestto us because it shares many similarities with the type of systemwe want to diagnose [26]. The state of the system is modelledwith only 80 Boolean variables (4 variables per component 20components); the DES is therefore quite compact. However it isstill very hard to use for diagnosis purposes. Indeed the modelincludes many concurrent behaviors together with synchronousbehaviors. Furthermore the faults are not diagnosable in gen-eral [5], which means any model simplification or incompletealgorithm may introduce a loss of precision. All faults affectthe output of the other faults and they share many symptoms.We simulated a number of scenarios in the system, i.e., we

generated paths on the DES that we then proposed to diag-nose. We noticed that some parameters have a big influenceon how hard the problem is to solve. In particular a question iswhether the component should return quickly to its initial stateor whether additional faults may take place while some of thecomponents are rebooting. As it turns out, the latter case is easierto solve, possibly because it is easy to determine that a com-ponent is currently rebooting and to exonerate it from the fol-lowing faults. We therefore defined ten levels of difficulty basedon this property; level 1 for easy problems, level 10 for hardproblems. We also introduced different number of faults, from 1to 20. Finally we considered three types of observations: times-tamped observations, totally ordered observations, and partiallyordered observations; in the latter case the order between salveand salve is unknown if . Hence we generated

scenarios.5

The diagnostic problem is defined as finding a path on themodel consistent with the observations and that minimizes thenumber of faults (corresponding to the transition between stateand state ). We gave the solver 30 minutes (1 800 seconds).

The translation to SAT is very fast compare to solving theproblem and most of it can be done off-line; hence we onlygive the runtime for the SAT solver. We chose to use MINISAT

5Experimental data is available at: www.grastien.net/ban/data/tac11/.

2.0 core version.6 This solver was chosen as its source codeis free and very simple; this allows for further experimentsand diagnostic specific implementations in the future. Noticealso that all best CSDL-DPLL SAT solvers have very similarperformances. The experiments were performed on an IntelXeon CPU E5405 2.00 GHz with 4 GB memory running Linux.

B. Results

The runtime are presented in Fig. 11. The problems are sortedby category and ordered by increasing runtime. The mean andmedium runtime is given with respect to the problems solved in1800 s.• Fig. 11(a) shows that the type of observations has a clearimpact on the runtime. Diagnostic problems using partiallyordered observations are about 10 times harder to solvethan other diagnostic problems.

• Fig. 11(b) illustrates the effect of the difficulty mentionnedat the beginning of this section. In this case hard instancesare also 10 times harder that the easy instances.

• Fig. 11(c) shows that the number of faults is also an impor-tant factor for solving the diagnostic problem. The com-plexity is more than linear with respect to this parameter.

C. Analysis

The SAT-based approach is able to compute a diagnosis formost problems. It fails to return a diagnosis only when all hardconditions are met: imprecise observations, a hard scenario anda big number of faults. These results show that our approach issuitable for solving diagnostic problems.We now discuss performance and answer why certain param-

eters affect running time. We mentioned that the main power ofSAT is its ability to propagate efficiently inferences. Consideragain the DES in Fig. 3 where is unobservable and considerthe sequence of ordered observations . A diagnosis algo-rithm based on unfolding will first try to explain observationand next ; therefore the algorithm will branch before findingthat there is only one explanation. A SAT-based algorithm will

6Available at www.minizat.se.


immediately determine that observation came from transition

; therefore the solver will determine that the state beforeis state 2 and that observation was emitted by transition. More generally, the SAT solver may instantiate the vari-

ables of the paths in any order.If the timestep when an observable event occurred is known,

then many inferences can be made. If the observable eventdid not take place at timestep , then no rule associated totook place at time . If the observable event did take place attimestep , then one of these rules (and no other) was triggered.If the precondition or the effects of the possible rules share simi-larities (or if there is only one rule possible), then inferences canbe made on the state before the transition or after the transition.However if the timestep when the observable event occurred isunknown, inferences are more difficult. For instance in Fig. 3 ifthe occurrence date of is 1 and the occurrence date of is in{2,3}, then the SAT solver cannot automatically infer the tran-sition associated to .This is typically the case with partially ordered observations:

the solver cannot easily propagate the information. It is alsoillustrated with the difficulty of the scenario. When the scenariois easy the fact that a given component is not in state is easyto determine and the list of components responsible for a givenfault is much reduced.Finally the last parameter is the number of faults . This

number affects the runtime in several ways:• Because alarms are generated only when faults take place,the length of the scenario is linear in the number of faults(about ) which means the SAT instances have size atleast linear in . This feature holds only for this benchmark.

• The number of diagnostic questions to answer is linear in .Admittedly however, the diagnostic question foris usually trivially false and solved with little or no search.

• The complexity of solving cardinality constraints in-creases quickly with . The encoding we use [49] hassize where is linear in (first point above).We studied the impact of cardinality constraints, and inparticular how they should be encoded, in [43].

VII. EXTENSIONS

The work presented in this paper is the first approach to solvediagnosis of DES problems using SAT. The approach describedhere is somewhat simplistic, addressing a simplistic diagnosticproblem and using SAT in a very trivial manner. This section isdedicated to showing possible improvements in both directions.

A. Expressiveness

In this paper, we proposed to solve the problem of findinga preferred explanation to the observations. However, our ap-proach is much more ambitious and aims at solving more gen-eral problems such as returning all possible sets of faults. We al-ready took some steps in this direction [24], [25]. The diagnosticproblem then translates as finding solution in a space of diag-nostic hypotheses (each hypothesis being a potential diagnosticcandidate), and the diagnostic questions must be wisely chosento enable an efficient exploration of this space. Dealing withmore complex definitions of a fault [18] defined as pattern ofevents, although not illustrated in this paper, is also feasable.

A SAT-based approach also allows to consider notions suchas conflicts [50]. A conflict is a diagnostic information about thesystem behavior, such as “a fault must have occurred in compo-nent or in component .” Being a different type of informa-tion about the system, a conflict can be useful to help a humanoperator understand the current situation.We also want to extend our approach to a larger class of sys-

tems. Hybrid systems, i.e., systems with a compound of discreteand continuous behaviors, and in particular nonlinear systems,are particularly difficult to diagnose. We want to use similartechniques based on SAT modulo Theories (SMT) [51]. SMTis an extension of SAT including additional constraints not ex-pressed in terms of propositional logic but possibly as contin-uous contraints.

B. Complexity

The approach proposed in this paper allows to use powerfultools to solve diagnostic problems that are computationally toohard to solve with traditional techniques. There are many direc-tions that can be used to improve the results.We already mentioned that the encoding of cardinality

constraints has a huge impact on the SAT solver performance[43]. Using dedicated solvers specifically designed to solveSAT problems with cardinality constraints could also be analternative.On-line diagnosis consists in diagnosing the system while it

is running. One of the issues associated with online diagnosisis updating the diagnosis when new observations are available.Such incremental diagnosis must be efficient (length indepen-dent [52]) lest the number of observations be too large to handle.One approach is to consider that the diagnosis related to old ob-servations is now correct and only update the diagnosis on thelast observations. Related issues include correctness and wereinvestigated in [53].The SAT translations of the diagnostic questions associated

with a given problem share many clauses. Techniques from in-cremental SAT [44], the problem of solving a SAT problem thatshare many clauses with an already solved SAT problem, shouldbe used to improve performance.Because we generated the SAT problem, we know the prop-

erties exhibited by these types of problems and we can designSAT solvers particularly efficient at solving them. A similar ap-proach has been proposed for SAT planning [54].We already mentionned that preprocessing can provide very

useful clauses to insert in the SAT problem. A possible prepro-cess is inexpensive local diagnosis [9] that can be used to restrictthe set of states and events at given timesteps.

VIII. CONCLUSION

The approach for diagnosing DES in this paper is quite noveland quite exciting. Instead of computing all paths consistentwith the observations, we propose to ask questions about the ex-istence of certain paths explaining the observations. We provedthat this approach can be quite efficient, and we believe it canalso be used for more general classes of systems, such as hybridsystems.The use of SAT techniques is novel in diagnosis of DES. The

strength of such algorithms is that the decomposition in Boolean


variablesmakes it easier to infer informations through unit prop-agation and clause learning.Application of such techniques for diagnosing the Smart

Grid is investigated. Smart Grids involve thousands of com-ponents and nonlinear continuous behaviors where SAT- andSMT-based approaches will be necessary to handle suchconstraints.

REFERENCES

[1] W. Hamscher, L. Console, and J. de Kleer, Readings in Model-BasedDiagnosis. San Mateo, CA, USA: Morgan Kaufmann, 1992.

[2] C. Cassandras and S. Lafortune, Introduction to Discrete Event Sys-tems. Dordrecht, The Netherlands: Kluwer Academic, 1999.

[3] H. Kautz and B. Selman, “Pushing the envelope: Planning, proposi-tional logic, and stochastic search,” in Proc. 13th Conf. Artificial Intel-ligence (AAAI-96), 1996, pp. 1194–1201.

[4] A. Biere, A. Cimatti, E. Clarke, and Y. Zhu, “Symbolic model-checking without BDDs,” in Proc. 5th Int. Conf. Tools and Algorithmsfor the Construction and Analysis of Systems (TACAS-99), 1999, pp.193–207.

[5] J. Rintanen and A. Grastien, “Diagnosability testing with satisfiabilityalgorithms,” in Proc. 20th Int. Joint Conf. Artificial Intelligence(IJCAI-07), 2007, pp. 532–537.

[6] M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen, and D.Teneketzis, “Diagnosability of discrete-event systems,” IEEE Trans.Autom. Control, vol. 40, no. 9, pp. 1555–1575, Sep. 1995.

[7] J. Rintanen, “Diagnosers and diagnosability of succinct transition sys-tems,” in Proc. 20th Int. Joint Conf. Artificial Intelligence (IJCAI-07),M. Veloso, Ed., 2007, pp. 538–544.

[8] Y. Pencolé and M.-O. Cordier, “A formal framework for the de-centralised diagnosis of large scale discrete event systems and itsapplication to telecommunication networks,” Artif. Intell., vol. 164,pp. 121–170, 2005.

[9] R. Su and W. Wonham, “Global and local consistencies in distributedfault diagnosis for discrete-event systems,” IEEE Trans. Autom. Con-trol, vol. 50, no. 12, pp. 1923–1935, 2005.

[10] M.-O. Cordier and A. Grastien, “Exploiting independence in a decen-tralised and incremental approach of diagnosis,” inProc. 20th Int. JointConf. Artificial Intelligence (IJCAI-07), 2007.

[11] P. Kan John and A. Grastien, “Local consistency and junction tree fordiagnosis of discrete-event systems,” in Proc. 18th Eur. Conf. ArtificialIntelligence (ECAI’08), 2008, pp. 209–213.

[12] A. Schumann, Y. Pencolé, and S. Thiébaux, “A spectrum of symbolicon-line diagnosis approaches,” in Proc. 19th National Conf. ArtificialIntelligence (AAAI-07), R. Holte, Ed., 2007.

[13] A. Benveniste, É. Fabre, S. Haar, and C. Jard, “Diagnosis of asyn-chronous discrete event systems, a net unfolding approach,” IEEETrans. Autom. Control, vol. 48, no. 5, pp. 714–727, May 2003.

[14] G. Jiroveanu, R. Boël, and B. Bordbar, “On-line monitoring of largePetri net models under partial observation,” J. Discrete Event Dynam.Syst., vol. 18, no. 3, pp. 323–354, 2008.

[15] M. P. Cabasino, A. Giua, and C. Seatzu, “Fault detection for discreteevent systems using Petri nets with unobservable transitions,” Auto-matica, vol. 46, no. 9, pp. 1531–1539, 2010.

[16] F. Basile, P. Chiacchio, and G. De Tommasi, “An efficient approachfor online diagnosis of discrete event systems,” IEEE Trans. Autom.Control, vol. 54, no. 4, pp. 748–759, Apr. 2009.

[17] M. Dotoli, M. P. Fanti, A. M. Mangini, and W. Ukovich, “On-line de-tection in discrete event systems by Petri nets and integer linear pro-gramming,” Automatica, vol. 45, pp. 2665–2672, 2009.

[18] T. Jéron, H. Marchand, S. Pinchinat, and M.-O. Cordier, “Supervisionpatterns in discrete-event systems diagnosis,” in Proc. 17th Int. Work-shop on Principles of Diagnosis (DX-06), 2006, pp. 117–124.

[19] Y. Pencolé, D. Kamenetsky, and A. Schumann, “Towards low-cost di-agnosis of component-based systems,” in IFAC Symposium on FaultDetection, Supervision and Safety of Technical Processes (SafePro-cess-06), 2006.

[20] A. Grastien and G. Torta, “Reformulation for the diagnosis of dis-crete-event systems,” presented at the 21st Int. Workshop Principlesof Diagnosis (DX-10), 2010.

[21] L. Console, C. Picardi, and M. Ribaudo, “Diagnosis and diagnosabilityanalysis using PEPA,” in Proc. 14th Eur. Conf. Artificial Intelligence(ECAI-00), 2000, pp. 131–135.

[22] L. Rozé and M.-O. Cordier, “Diagnosing discrete-event systems: Ex-tending the “diagnoser approach” to deal with telecommunication net-works,” J. Discrete Event Dynam. Syst., vol. 12, no. 1, pp. 43–81, 2002.

[23] S. Jiang, R. Kumar, and H. Garcia, “Diagnosis of repeated/intermittentfailures in discrete event systems,” IEEE Trans. Rob. Autom., vol. 19,no. 2, pp. 310–323, Feb. 2003.

[24] A. Grastien, P. Haslum, and S. Thiébaux, “Exhaustive diagnosis ofdiscrete event systems through exploration of the hypothesis space,”in 22nd Int. Workshop on Principles of Diagnosis (DX-11), 2011, pp.60–67.

[25] A. Grastien, P. Haslum, and S. Thiébaux, “Conflict-based diagnosisof discrete event systems: Theory and practice,” in Proc. Int. Conf.Knowledge Representation (KR-12), 2012, to appear.

[26] A. Bauer, A. Botea, A. Grastien, P. Haslum, and J. Rintanen, “Alarmprocessing with model-based diagnosis of discrete event systems,” inProc. 22nd Int. Workshop on Principles of Diagnosis (DX-11), 2011,pp. 52–59.

[27] B. Williams and P. Nayak, “A model-based approach to reactiveself-configuring systems,” in Proc. 13th Confe. Artificial Intelligence(AAAI-96), 1996, pp. 971–978.

[28] A. Grastien, Anbulagan, J. Rintanen, and E. Kelareva, “Diagnosis ofdiscrete-event systems using satisfiability algorithms,” in Proc. 22ndConf. Artificial Intelligence (AAAI-07), 2007.

[29] S. A. Cook, “The complexity of theorem proving procedures,” in Proc.3rd ACM Symp. Theory of Computing, OH, USA, 1971, pp. 151–158.

[30] M. Davis, G. Logemann, and D. Loveland, “A machine program fortheorem proving,” Commun. ACM, vol. 5, pp. 394–397, 1962.

[31] M. W. Moskewicz, C. F. Madigan, Y. Zhao, L. Zhang, and S. Malik,“Chaff: Engineering an efficient SAT solver,” in Proc. 38th Design Au-tomation Conf. (DAC-01), 2001, pp. 530–535.

[32] C. M. Li and Anbulagan, “Heuristics based on unit propagation forsatisfiability problems,” in Proc. 15th Int. Joint Conf. Artificial Intelli-gence (IJCAI-97), 1997, pp. 366–371.

[33] L. Zhang, C. F. Madigan, M. W. Moskewicz, and S. Malik, “Efficientconflict driven learning in a Boolean satisfiability solver,” in Proc. Int.Conf. Computer Aided Design (ICCAD-01), 2001.

[34] N. Eén and N. Sorensson, “An extensible SAT-solver,” in RevisedSelected Papers of 6th Conf. Theory and Applications of SatisfiabilityTesting, 2004, vol. 2919, Lecture Notes in Computer Science, pp.502–518.

[35] K. Pipatsrisawat and A. Darwiche, Rsat 2.0: SAT Solver DescriptionAutomated Reasoning Group, Comput. Sci. Dept., UCLA, Tech. Rep.D-153, 2007.

[36] G. Audemard and L. Simon, “Predicting learnt clauses quality inmodern SAT solvers,” in Proc. 21st Int. Joint Conf. Artificial Intelli-gence (IJCAI-09), Pasadena, CA, USA, 2009, pp. 399–404.

[37] Anbulagan and J. Slaney, “Lookahead saturation with restriction forSAT,” in Proc. 11th Int. Conf. Principles and Practice of ConstraintProgramming (CP-05), 2005, pp. 727–731.

[38] O. Dubois and G. Dequen, “A backbone-search heuristic for efficientsolving of hard 3-SAT formulae,” in Proc. 17tth Int. Joint Conf. Artifi-cial Intelligence (IJCAI-01), Seattle, WA, USA, 2001, pp. 248–253.

[39] M. Heule and H. van Maaren, “March_dl: Adding adaptive heuristicsand a new branching strategy,” J. Satisf., Boolean Modeling Comput.,vol. 2, pp. 47–59, 2006.

[40] S. Jiang, Z. Huang, V. Chandra, and R. Kumar, “A polynomialalgorithm for diagnosability of discrete-event systems,” IEEE Trans.Autom. Control, vol. 46, no. 8, pp. 1318–1321, 2001.

[41] J. Rintanen, “Planning with SAT, admissible heuristics and A*,” inProc. 22nd Int. Joint Conf. Artificial Intelligence (IJCAI-11), 2011, pp.2015–2020.

[42] J. Huang, “The effect of restarts on the efficiency of clause learning,”in Proc. 20th Int. Joint Conf. Artificial Intelligence (IJCAI-07), 2070,pp. 2318–2323.

[43] Anbulagan and A. Grastien, “Importance of variables semantic in CNFencoding of cardinality constraints,” in Proc. 8th Symp. Abstraction,Reformulation and Approximation (SARA-09), 2009.

[44] J. Hooker, “Solving the incremental satisfiability problem,” J. LogicProgram., vol. 15, no. 1–2, pp. 177–186, 1993.

[45] J. Marques Silva and I. Lynce, “Towards robust CNF encodings of car-dinality constraints,” in Proc. 13th Int. Conf. Principles and Practiceof Constraint Programming (CP-07), 2007, pp. 483–497.

[46] J. Rintanen, “Compact representation of sets of binary constraints,”in Proc. 17th Eur. Conf. Artificial Intelligence (ECAI-06), 2006, pp.143–147.

[47] G. Jiroveanu and R. Boël, “Petri net model-based distributed diagnosisfor large interacting systems,” in Proc. 16th Int. Workshop on Princi-ples of Diagnosis (DX-05), 2005, pp. 25–30.


[48] Y. Wang, T.-S. Yoo, and S. Lafortune, “New results on decentralizeddiagnosis of discrete event systems,” in Proc. 42nd Annu. AllertonConf. Communication, Control, and Computing, Illinois, USA, 2004.

[49] O. Bailleux and Y. Boufkhad, “Efficient CNF encoding of Booleancardinality constraints,” in Proc. 9th Int. Conf. Principles and Practiceof Constraint Programming (CP-03), 2003, pp. 108–122.

[50] R. Reiter, “A theory of diagnosis from first principles,” Artif.l Intell.,vol. 32, no. 1, pp. 57–95, 1987.

[51] L. de Moura, B. Dutertre, and N. Shankar, “A tutorial on satisfiabilitymodulo theories,” in Proc. 19th Int. Conf. Computer Aided Verification(CAV), 2007, pp. 20–36.

[52] A. Bauer and P. Haslum, “Ltl goal specifications revisited,” inProc. 19th Eur. Conf. Artificial Intelligence (ECAI-10), 2010, pp.881–886.

[53] A. Grastien and Anbulagan, “Incremental diagnosis of DES with anon-exhaustive diagnosis engine,” in Proc. 20th Int. Workshop on Prin-ciples of Diagnosis (DX-09), 2009, pp. 345–352.

[54] J. Rintanen, “Heuristics for planningwith SAT,” inProc. 16th Int. Conf.Principles and Practice of Constraint Programming (CP-10), 2010, pp.414–428.

Alban Grastien received the Ph.D degree in 2005from the Université de Rennes 1, Rennes, France.He moved to the Canberra Research Laboratory

of NICTA, Canberra, Australia, in 2006 where heis now a Senior Researcher in the OptimisationResearch Group. He also holds an adjunct position inthe AI Group at the Australian National University.His main topic of research is the use of artificialintelligence paradigms and tools for diagnosis anddiagnosability of large-scale discrete event and hy-brid systems. His work is applied in the supervision

of future energy systems.

Anbu Anbulagan received the Ph.D degree in com-puter science from the Université de Technologie deCompiègne (UTC), Compiègne, France, in 1998.He was a Research Scientist at NICTA from 2003

to 2009. He was the Founding Director of Green In-telligence Software Solutions (Gissio) in Australia.He is currently an Information Analyst at the Aus-tralian National University, Canberra, Australia. Hisresearch interests include satisfiability modeling andsolving, optimization, search in artificial intelligence,big data analysis, and social network analysis.

diagnosis of discrete event systems using satisfiability algorithms: a theoretical and empirical...

Documents