Decentralized Critical Observers of Networks of Finite State Machines and Model Reduction
Davide Pezzuti, Giordano Pola, Elena De Santis, Maria D. Di Benedetto
Abstract.
Motivated by safety-critical applications in cyber-physical systems, in this paper we study the notion of critical observability and the design of observers for networks of Finite State Machines (FSMs). Critical observability is a property of FSMs that corresponds to the possibility of detecting whether the current state of an FSM belongs to a set of critical states, modeling operations that may be unsafe or, in general, operations of specific interest in a particular application. A critical observer is an observer that detects on-line the occurrence of critical states. When a large-scale network of FSMs is considered, the construction of such an observer is prohibitive because of the large computational effort needed. In this paper we propose a decentralized architecture for critical observers of networks of FSMs, where on-line detection of critical states is performed by local critical observers, each associated with an FSM of the network. For the efficient design of decentralized critical observers we first extend on-the-fly algorithms traditionally used in the formal methods community for the formal verification and control design of FSMs. We then extend to networks of FSMs the bisimulation theory traditionally given in the formal methods community for single FSMs. The proposed techniques provide a remarkable computational complexity reduction, as discussed throughout the paper and also demonstrated by means of illustrative examples. Finally, we propose an example in the context of biological networks, which illustrates the applicability of our results and also the interest arising from concrete application domains.

1. Introduction
In recent years, Cyber-Physical Systems have been intensively investigated by both academic and industrial communities because they offer a solid paradigm for the modeling, analysis and control of many next generation large-scale, complex, distributed and networked engineered systems. Among them, safety-critical applications, as for example Air Traffic Management (ATM) systems, play a prominent role, see e.g. [14, 18]. Ensuring safety in large-scale and networked safety-critical applications is a hard problem. In particular, complexity is one of the most difficult issues that must be overcome to make theoretical methodologies applicable to real industrial applications.

In this paper we address the analysis of critical observability and the design of observers for networks of Finite State Machines (FSMs). A network of FSMs is a collection of FSMs whose interaction is captured by the notion of parallel composition. Critical observability is a property that corresponds to the possibility of detecting whether the current state of an FSM belongs to a set of critical states, modeling operations that may be unsafe or, in general, operations of specific interest in a particular application. This notion has been introduced in [8] for linear switching systems and is relevant in safety-critical applications where the timely recovery of human errors and device failures is of primary importance in ensuring safety. Current approaches available in the literature to check critical observability are based on regular language theory as in [10] or on the design of the so-called critical observers [4, 8]. The computational complexity of the first approach is polynomial in the number of states of the FSM, while that of the second is exponential. Although disadvantageous from the computational complexity point of view, the construction of critical observers cannot be avoided at the implementation layer, since it is necessary for the automatic on-line detection of critical situations.
Motivated by this issue we elaborated on some results which can reduce, in some cases drastically, the computational effort in designing critical observers for large-scale networks of FSMs. We first propose a decentralized architecture for critical observers of the network, which is composed of a collection of local critical observers, each associated with an FSM of the network. Efficient algorithms for the synthesis of critical observers are proposed, which extend on-the-fly techniques traditionally used by the formal methods community for verification and control of FSMs (see e.g. [7, 27]). We then propose results on model reduction which extend to networks of FSMs the bisimulation theory [15, 17] traditionally given by the formal methods community for single FSMs. We define a bisimulation equivalence that takes into account criticalities. We then reduce the original network of FSMs to a smaller one, obtained as the quotient of the original network induced by the bisimulation equivalence. In the reduction process, the FSMs composing the network are never composed, a key factor in complexity reduction. We first show that critical observability of the original network implies and is implied by critical observability of the quotient network. We then show that a decentralized critical observer for the original network can be easily derived from the one designed for the quotient network. Finally, we propose an example in the context of biological networks, which illustrates the applicability of our results and also the interest arising from concrete application domains (see also [18] for ATM applications). While our approach, which extends some techniques from formal methods (see e.g. [5]), is important per se at a theoretical level, it also provides a set of new methodologies for computational complexity reduction in designing observers. Critical observability belongs to the set of observability concepts extensively studied in the literature of discrete event systems.

Footnote: The research leading to these results has been partially supported by the Center of Excellence DEWS.
To the best of our knowledge, the formal methods techniques proposed in this paper have not yet been explored in the community of discrete event systems, neither for the analysis of critical observability nor for the analysis of any other observability notion, with the only exception of [32]. We defer to the last section a discussion of connections with the existing literature.

This paper is organized as follows. Section 2 introduces notation, networks of FSMs and the critical observability property. Section 3 presents decentralized critical observers and Section 4 model reduction via bisimulation equivalence. An example on the analysis of a biological network is reported in Section 5. In Section 6 we provide a discussion of connections with existing literature and an outlook.

2. Networks of Finite State Machines and critical observability
In this section, we start by introducing our notation in Subsection 2.1. We then recall the notions of networks of finite state machines in Subsection 2.2 and of critical observability in Subsection 2.3.

2.1. Notation and preliminary definitions.
The symbols ∧ and ∨ denote the And and Or logical operators, respectively. The symbol ℕ denotes the set of nonnegative integers. Given n, m ∈ ℕ with n < m, let [n; m] = [n, m] ∩ ℕ. The symbol |X| denotes the cardinality of a finite set X. The symbol 2^X denotes the power set of a set X. Given a function f : X → Y, we denote by f(Z) the image of a set Z ⊆ X through f, i.e. f(Z) = {y ∈ Y | ∃ z ∈ Z s.t. y = f(z)}; if X' ⊂ X and Y' ⊂ Y then f|_{X'→Y'} is the restriction of f to domain X' and co-domain Y', i.e. f|_{X'→Y'}(x) = f(x) for any x ∈ X' with f(x) ∈ Y'. We now recall from [4] some basic notions of language theory. Given a set Σ, a finite sequence w = σ_1 σ_2 σ_3 ... with symbols σ_i ∈ Σ is called a word in Σ; the empty word is denoted by ε. The Kleene closure w^* of a word w is the collection of words ε, w, ww, www, .... The symbol Σ^* denotes the set of all words in Σ, including the empty word ε. The concatenation of two words u, v ∈ Σ^* is denoted by uv ∈ Σ^*. Any subset of Σ^* is called a language. The projection of a language L ⊆ Σ^* onto a subset Σ̂ of Σ is the language P_Σ̂(L) = {t ∈ Σ̂^* | ∃ w ∈ L s.t. P_Σ̂(w) = t}, where P_Σ̂(w) is inductively defined for any w ∈ L and σ ∈ Σ by P_Σ̂(ε) = ε and P_Σ̂(wσ) = P_Σ̂(w)σ if σ ∈ Σ̂, and P_Σ̂(wσ) = P_Σ̂(w) otherwise.

2.2. Networks of Finite State Machines.
In this paper we consider the class of nondeterministic FSMs with observable labels:

Definition 2.1. A Finite State Machine (FSM) M is a tuple (X, X_0, Σ, δ), where X is the set of states, X_0 ⊆ X is the set of initial states, Σ is the set of input labels and δ : X × Σ → 2^X is the transition map.

Footnote: Here, the term "observability" is used in a broader sense.
A state run r of an FSM M is a sequence x_0 -σ_1-> x_1 -σ_2-> x_2 -σ_3-> x_3 ... such that x_0 ∈ X_0, x_i ∈ X, σ_i ∈ Σ and x_{i+1} ∈ δ(x_i, σ_{i+1}) for any x_i and σ_i in the sequence; the sequence σ_1 σ_2 σ_3 ... is called the trace associated with r. For X' ⊆ X and σ ∈ Σ, we abuse notation by writing δ(X', σ) instead of ⋃_{x ∈ X'} δ(x, σ). The extended transition map δ̂ associated with δ is inductively defined for any w ∈ Σ^*, σ ∈ Σ and x ∈ X by δ̂(x, ε) = {x} and δ̂(x, wσ) = ⋃_{y ∈ δ̂(x, w)} δ(y, σ). The language generated by M, denoted L(M), is composed of all traces generated by M, or equivalently, L(M) = {w ∈ Σ^* | ∃ x_0 ∈ X_0 s.t. δ̂(x_0, w) ≠ ∅}. An FSM M is deterministic if |X_0| = 1 and |δ(x, σ)| ≤ 1 for any x ∈ X and σ ∈ Σ. In this paper we are interested in studying whether it is possible to detect if the current state of an FSM M is or is not in a set of critical states C ⊂ X, modeling operations that may be unsafe or, in general, operations of specific interest in a particular application. We refer to an FSM (X, X_0, Σ, δ) equipped with a set of critical states C by the tuple (X, X_0, Σ, δ, C). We also refer to an FSM with outputs by a tuple (X, X_0, Σ, δ, Y, H), where Y is the set of output labels and H : X → Y is the output function. For simplicity we call an FSM equipped with critical states or with outputs simply an FSM. The operator Ac(·) extracts the accessible part of an FSM M = (X, X_0, Σ, δ, C) (resp. M = (X, X_0, Σ, δ, Y, H)), i.e. Ac(M) = (X', X_0, Σ, δ', C') (resp. Ac(M) = (X', X_0, Σ, δ', Y, H')) where X' = {x ∈ X | ∃ x_0 ∈ X_0 ∧ w ∈ Σ^* s.t. x ∈ δ̂(x_0, w)}, δ' = δ|_{X'×Σ → 2^{X'}}, C' = C ∩ X' and H' = H|_{X'→Y}. Interaction among FSMs is captured by the following notion of composition.

Definition 2.2. The parallel composition M_1 || M_2 = (X_{1,2}, X_{0,1,2}, Σ_{1,2}, δ_{1,2}, C_{1,2}) between two FSMs M_1 = (X_1, X_{0,1}, Σ_1, δ_1, C_1) and M_2 = (X_2, X_{0,2}, Σ_2, δ_2, C_2) is the FSM Ac(X'_{1,2}, X'_{0,1,2}, Σ'_{1,2}, δ'_{1,2}, C'_{1,2}) where X'_{1,2} = X_1 × X_2, X'_{0,1,2} = X_{0,1} × X_{0,2}, Σ'_{1,2} = Σ_1 ∪ Σ_2, C'_{1,2} = (C_1 × X_2) ∪ (X_1 × C_2) and δ'_{1,2} : X'_{1,2} × Σ'_{1,2} → 2^{X'_{1,2}} is defined for any x_1 ∈ X_1, x_2 ∈ X_2 and σ ∈ Σ'_{1,2} by

δ'_{1,2}((x_1, x_2), σ) =
  δ_1(x_1, σ) × δ_2(x_2, σ),   if δ_1(x_1, σ) ≠ ∅ ∧ δ_2(x_2, σ) ≠ ∅ ∧ σ ∈ Σ_1 ∩ Σ_2,
  δ_1(x_1, σ) × {x_2},          if δ_1(x_1, σ) ≠ ∅ ∧ σ ∈ Σ_1 \ Σ_2,
  {x_1} × δ_2(x_2, σ),          if δ_2(x_2, σ) ≠ ∅ ∧ σ ∈ Σ_2 \ Σ_1,
  ∅,                            otherwise.

By definition, a state (x_1, x_2) ∈ C_{1,2}, i.e. (x_1, x_2) is considered as critical for M_1 || M_2, if and only if x_1 ∈ C_1 or x_2 ∈ C_2. Vice versa, (x_1, x_2) ∉ C_{1,2} if and only if x_1 ∉ C_1 and x_2 ∉ C_2. It is well known that

Proposition 2.3. [4]
The parallel composition operation is commutative up to isomorphisms and associative.
By the above property of parallel composition, we may write in the sequel M_1 || M_2 || M_3, X_{1,2,3} and C_{1,2,3} instead of M_1 || (M_2 || M_3), X_{1,(2,3)} and C_{1,(2,3)} or, instead of (M_1 || M_2) || M_3, X_{(1,2),3} and C_{(1,2),3}. In this paper we consider a network N = {M_1, M_2, ..., M_N} of N FSMs M_i whose interaction is captured by the notion of parallel composition; the corresponding FSM is given by M(N) = M_1 || M_2 || ... || M_N. The FSM M(N) is well defined because the composition operator || is associative. The definition of parallel composition among an arbitrary number of FSMs is reported in e.g. [4] and coincides with the recursive application of the binary operator ||, as in Definition 2.2. For the computational complexity analysis, we will use in the sequel the number n_max = max_{i ∈ [1;N]} |X_i| as indicator of the sizes of the FSMs composing the network N. An upper bound to the space and time computational complexity in constructing M(N) is O(2^{N log(n_max)}).

2.3. Critical observability and observers.
Critical observability corresponds to the possibility of detecting whether the current state x of a run of an FSM is or is not critical on the basis of the information given by the corresponding trace at state x:

Definition 2.4. An FSM M = (X, X_0, Σ, δ, C) is critically observable if

[δ̂(X_0, w) ⊆ C] ∨ [δ̂(X_0, w) ⊆ X \ C]

for any trace w ∈ L(M), where δ̂(X_0, w) = ⋃_{x_0 ∈ X_0} δ̂(x_0, w) is the set of states of M compatible with the trace w.
[Figure 1: state diagrams of M_1 (states 1 to 4, labels a, b, c, d) and M_2 (states 5 to 8, labels a, b, e); the drawing is not reproduced.]
Figure 1. FSM M_1 on the left and FSM M_2 on the right.

Any FSM M having an initial state that is critical and another initial state that is not critical is never critically observable. Moreover, if X = C then FSM M is critically observable and no further analysis for the detection of critical states is needed. For these reasons, in the sequel we assume that [X_0 ⊆ C] ∨ [X_0 ⊆ X \ C] for any FSM M. An illustrative example follows.

Example 2.5.
Consider FSMs M_i = (X_i, X_{0,i}, Σ_i, δ_i, C_i), i = 1, 2, depicted in Fig. 1, where X_1 = {1, 2, 3, 4}, X_{0,1} = {1}, Σ_1 = {a, b, c, d}, C_1 = {4}, X_2 = {5, 6, 7, 8}, X_{0,2} = {5}, Σ_2 = {a, b, e}, C_2 ⊂ X_2 with |C_2| = 2, and the transition maps δ_1 and δ_2 are represented by labeled arrows in Fig. 1; labels on the arrows represent the input label associated with the corresponding transition. FSM M_1 is not critically observable because it is possible to reach both noncritical state 3 and critical state 4 starting from the initial state 1, by applying the same input label a. FSM M_2 is critically observable because by applying traces b(ab)^* and b(ab)^*a to the initial state 5 the state reached is always in X_2 \ C_2, while by applying any trace other than the previous ones the states reached are always critical.

Remark 2.6. The notion of critical observability has been inspired by the notion of current location observability, e.g. [3]. We recall that an FSM M is current location observable if there exists an integer K such that for any run x_0 -σ_1-> x_1 -σ_2-> x_2 -σ_3-> x_3 -σ_4-> ... -σ_k-> x_k of M with length k ≥ K, the current state x_k of M can be reconstructed on the basis of the sequence σ_1 σ_2 ... σ_k. Current state observability is also termed strong detectability in e.g. [25]. While in current state observability the issue is to detect the current state from some step on, in critical observability the issue is to detect if the current state is or is not in a set of critical states. Moreover, we now show that critical observability does not imply and is not implied by current state observability. Consider the FSM M_3 = (X_3, X_{0,3}, Σ_3, δ_3, C_3) where X_3 = {0, 1, 2}, X_{0,3} = {0}, Σ_3 = {a}, δ_3(0, a) = {1, 2}, δ_3(1, a) = {1}, δ_3(2, a) = {2} and C_3 = {1, 2}: FSM M_3 is critically observable (starting from state 0 with label a only the critical states 1 and 2 are reached) and is not current state observable (from the sequence aa^* it is not possible to detect if the current state is 1 or 2).
Conversely, consider the FSM M_4 = (X_4, X_{0,4}, Σ_4, δ_4, C_4) where X_4 = {0, 1, 2, 3}, X_{0,4} = {0}, Σ_4 = {a}, δ_4(0, a) = {1, 2}, δ_4(1, a) = δ_4(2, a) = {3}, δ_4(3, a) = {3} and C_4 = {1}: FSM M_4 is not critically observable (starting from state 0 with label a both the critical state 1 and the noncritical state 2 are reached) and is current state observable with K = 2 (after the second transition the current state will be 3 for ever).

On-line detection of critical states of critically observable FSMs can be obtained by means of critical observers, as defined hereafter.

Definition 2.7. A deterministic FSM Obs = (X_Obs, X_{0,Obs}, Σ_Obs, δ_Obs, Y_Obs, H_Obs) with output set Y_Obs = {0, 1} is a critical observer for an FSM M = (X, X_0, Σ, δ, C) if Σ_Obs = Σ and, for any state run r : x_0 -σ_1-> x_1 -σ_2-> x_2 -σ_3-> x_3 ... of M, the corresponding (unique) state run r_Obs : z_0 -σ_1-> z_1 -σ_2-> z_2 -σ_3-> z_3 ... of Obs is such that H_Obs(z_i) = 1 if x_i ∈ C and H_Obs(z_i) = 0 otherwise, for any state z_i in r_Obs.

For later use, we report from e.g. [4] the following construction of observers.
Definition 2.8. Given an FSM M = (X, X_0, Σ, δ, C), define the deterministic FSM Obs(M) as the accessible part Ac(Obs') of Obs' = (X_Obs', X_{0,Obs'}, Σ_Obs', δ_Obs', Y_Obs', H_Obs'), where X_Obs' = 2^X, X_{0,Obs'} = {X_0}, Σ_Obs' = Σ, δ_Obs' : X_Obs' × Σ_Obs' → 2^{X_Obs'} is defined by δ_Obs'(z, σ) = {⋃_{x ∈ z} δ(x, σ)}, Y_Obs' = {0, 1}, and H_Obs'(z) = 1 if z ∩ C ≠ ∅ and H_Obs'(z) = 0 otherwise.

An upper bound to the space and time computational complexity in constructing Obs(M) for an FSM M with n = |X| states is O(2^n), from which an upper bound to the space and time computational complexity in constructing Obs(M(N)) is O(2^{2^{N log(n_max)}}). A direct consequence of Definitions 2.4, 2.7 and 2.8 is the following:

Proposition 2.9. The following statements are equivalent:
(i) M is critically observable;
(ii) Obs(M) = (X_Obs, X_{0,Obs}, Σ_Obs, δ_Obs, Y_Obs, H_Obs) is a critical observer for M;
(iii) For any z ∈ X_Obs, if H_Obs(z) = 1 then z ⊆ C.

3. Design of decentralized critical observers
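The constructions of Section 2 in executable form (Definition 2.2, Definition 2.8 and the test of Proposition 2.9 (iii)), as an added example that is not part of the paper. It uses the FSMs M_3 and M_4 of Remark 2.6, checks that M_3 is critically observable and M_4 is not, and shows that M_3 || M_4 is nevertheless critically observable (every state reached after the first a has an M_3 component in C_3), which is the phenomenon of Example 3.2 below; finally it checks the map φ((z_1, z_2)) = z_1 × z_2 between Obs(M_3) || Obs(M_4) and Obs(M_3 || M_4) against Definition 3.3, as Theorem 3.5 below states. One convention is an assumption of this code: an observer move whose successor set would be empty is treated as undefined, as Algorithm 2 does, rather than as a transition to the state ∅.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class FSM:
    """(X, X0, Σ, δ, C) of Section 2.2; delta maps (x, σ) to the frozenset δ(x, σ),
    a missing key meaning "undefined". An observer (Definition 2.8) reuses the
    record, storing the states z with output H(z) = 1 in `critical`."""
    states: frozenset
    init: frozenset
    sigma: frozenset
    delta: dict
    critical: frozenset


def step(m, xs, s):
    """δ(X', σ) = ⋃_{x ∈ X'} δ(x, σ); empty means no transition."""
    out = set()
    for x in xs:
        out |= m.delta.get((x, s), frozenset())
    return frozenset(out)


def accessible(m):
    """Ac(·): keep the states reachable from X0 and the transitions among them."""
    seen, frontier, delta = set(m.init), list(m.init), {}
    while frontier:
        x = frontier.pop()
        for s in m.sigma:
            succ = m.delta.get((x, s), frozenset())
            if succ:
                delta[(x, s)] = succ
                frontier.extend(y for y in succ if y not in seen)
                seen |= succ
    return FSM(frozenset(seen), m.init, m.sigma, delta, m.critical & frozenset(seen))


def parallel(m1, m2):
    """Definition 2.2: shared labels synchronise, private labels interleave;
    (x1, x2) is critical iff x1 ∈ C1 or x2 ∈ C2."""
    sigma, delta = m1.sigma | m2.sigma, {}
    for (x1, x2), s in product(product(m1.states, m2.states), sigma):
        d1, d2 = m1.delta.get((x1, s), frozenset()), m2.delta.get((x2, s), frozenset())
        if s in m1.sigma and s in m2.sigma and d1 and d2:
            succ = product(d1, d2)
        elif s in m1.sigma and s not in m2.sigma and d1:
            succ = product(d1, [x2])
        elif s in m2.sigma and s not in m1.sigma and d2:
            succ = product([x1], d2)
        else:
            continue                      # δ'((x1, x2), σ) = ∅
        delta[((x1, x2), s)] = frozenset(succ)
    states = frozenset(product(m1.states, m2.states))
    crit = frozenset(p for p in states if p[0] in m1.critical or p[1] in m2.critical)
    return accessible(FSM(states, frozenset(product(m1.init, m2.init)), sigma, delta, crit))


def observer(m):
    """Definition 2.8 restricted to its accessible part: the states are the sets
    z = δ̂(X0, w) compatible with a trace w and H(z) = 1 iff z ∩ C ≠ ∅. An empty
    successor set is treated as an undefined move (assumption of this code)."""
    z0 = m.init
    states, delta, frontier = {z0}, {}, [z0]
    while frontier:
        z = frontier.pop()
        for s in m.sigma:
            zp = step(m, z, s)
            if zp:
                delta[(z, s)] = frozenset([zp])
                if zp not in states:
                    states.add(zp)
                    frontier.append(zp)
    return FSM(frozenset(states), frozenset([z0]), m.sigma, delta,
               frozenset(z for z in states if z & m.critical))


def critically_observable(m):
    """Proposition 2.9 (iii): every observer state with output 1 lies inside C."""
    return all(z <= m.critical for z in observer(m).critical)


def obs_d_is_obs_of_composition(m1, m2):
    """Theorem 3.5 for N = {m1, m2}: φ((z1, z2)) = z1 × z2 is an isomorphism
    (Definition 3.3) between Obs(m1) || Obs(m2) and Obs(m1 || m2)."""
    left, right = parallel(observer(m1), observer(m2)), observer(parallel(m1, m2))
    phi = {z: frozenset(product(*z)) for z in left.states}
    return (set(phi.values()) == set(right.states) and len(phi) == len(right.states)
            and {phi[z] for z in left.init} == set(right.init)
            and {phi[z] for z in left.critical} == set(right.critical)
            and len(left.delta) == len(right.delta)
            and all({phi[zp] for zp in succ} == set(right.delta.get((phi[z], s), ()))
                    for (z, s), succ in left.delta.items()))


# M3 and M4 of Remark 2.6 (single label a; M4's a-move from 0 mixes 1 ∈ C4 and 2 ∉ C4).
M3 = FSM(frozenset({0, 1, 2}), frozenset({0}), frozenset({"a"}),
         {(0, "a"): frozenset({1, 2}), (1, "a"): frozenset({1}), (2, "a"): frozenset({2})},
         frozenset({1, 2}))
M4 = FSM(frozenset({0, 1, 2, 3}), frozenset({0}), frozenset({"a"}),
         {(0, "a"): frozenset({1, 2}), (1, "a"): frozenset({3}),
          (2, "a"): frozenset({3}), (3, "a"): frozenset({3})},
         frozenset({1}))

if __name__ == "__main__":
    print("M3:", critically_observable(M3), " M4:", critically_observable(M4))
    print("M3 || M4:", critically_observable(parallel(M3, M4)),
          "with", len(parallel(M3, M4).states), "states")
    print("Obs(M3) || Obs(M4) =iso Obs(M3 || M4):", obs_d_is_obs_of_composition(M3, M4))
```

The composition M_3 || M_4 has 7 accessible states, while Obs(M_3 || M_4) and Obs(M_3) || Obs(M_4) both have 3; the isomorphism check compares initial states, transitions and outputs under φ, which is exactly what the proof of Theorem 3.5 verifies by hand.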
In this section, we first show that critical observability of all the FSMs composing a network ensures the critical observability of their parallel composition, i.e. of the network itself. However, a network of FSMs can be critically observable even though not all the FSMs composing the network are critically observable. This means that for checking the critical observability of a network we need to compose the FSMs, and this may be problematic especially when dealing with large-scale networks where a large number of FSMs has to be composed.
Proposition 3.1. If FSMs M_1 and M_2 are critically observable then FSM M_1 || M_2 is critically observable.

Proof. Set M_i = (X_i, X_{0,i}, Σ_i, δ_i, C_i), i = 1, 2. By contradiction, assume that M_1 || M_2 is not critically observable. Thus, there exists a pair of state runs r' and r'' with initial states (x'_{0,1}, x'_{0,2}), (x''_{0,1}, x''_{0,2}) ∈ X_{0,1,2} and common trace w such that [(x'_1, x'_2) ∈ δ̂_{1,2}((x'_{0,1}, x'_{0,2}), w)] ∧ [(x''_1, x''_2) ∈ δ̂_{1,2}((x''_{0,1}, x''_{0,2}), w)] and [(x'_1, x'_2) ∈ X_{1,2} \ C_{1,2}] ∧ [(x''_1, x''_2) ∈ C_{1,2}]. By definition of the projection operator P_{Σ_i}(·) we then get [x'_1 ∈ δ̂_1(x'_{0,1}, P_{Σ_1}(w))] ∧ [x'_2 ∈ δ̂_2(x'_{0,2}, P_{Σ_2}(w))] ∧ [x''_1 ∈ δ̂_1(x''_{0,1}, P_{Σ_1}(w))] ∧ [x''_2 ∈ δ̂_2(x''_{0,2}, P_{Σ_2}(w))]. Moreover, by definition of C_{1,2} we then get [[x'_1 ∈ X_1 \ C_1] ∧ [x'_2 ∈ X_2 \ C_2]] ∧ [[x''_1 ∈ C_1] ∨ [x''_2 ∈ C_2]]. Hence, either M_1 or M_2 is not critically observable and a contradiction holds. □

The converse implication is not true in general, as shown in the following example.
Example 3.2. Consider FSMs M_1 and M_2 in Example 2.5 and depicted in Fig. 1. As discussed in Example 2.5, FSM M_2 is critically observable while FSM M_1 is not. It is readily seen that FSM M_1 || M_2, depicted in Fig. 2, is critically observable because by applying traces b((cd)^*ab)^* and b(cd)^*a(b(cd)^*a)^* to the initial state (1, 5) the state reached is always in X_{1,2} \ C_{1,2}, and by applying any trace other than the previous ones the states reached are always in C_{1,2}.

As a consequence, critical observability of each FSM composing N is not necessary for M(N) to be critically observable. We now show how decentralized observers can be used for detecting critical states of the network of FSMs M(N). The notion of isomorphism will be used:

Definition 3.3. Two FSMs M_i = (X_i, X_{0,i}, Σ_i, δ_i, Y_i, H_i), i = 1, 2, are isomorphic, denoted M_1 =_iso M_2, if Σ_1 = Σ_2, Y_1 = Y_2 and there exists a bijective function φ : X_1 → X_2 such that:
(i) φ(X_{0,1}) = X_{0,2};
(ii) φ(X_1) = X_2;
(iii) φ(δ_1(x_1, σ)) = δ_2(φ(x_1), σ), for any accessible state x_1 ∈ X_1 of M_1 and σ ∈ Σ_1;
(iv) H_1(x_1) = H_2(φ(x_1)), for any x_1 ∈ X_1.

[Figure 2: state diagram of M_1 || M_2 with states (1,5), (1,7), (1,8), (2,6), (2,7), (2,8), (4,6), (4,7), (4,8) and transitions labeled a, b, c, d, e; the drawing is not reproduced.]
Figure 2. Parallel composition M_1 || M_2 of FSMs M_1 and M_2.

Proposition 3.4.
Given FSMs M_i (i ∈ [1; 4]), if M_1 =_iso M_3 and M_2 =_iso M_4 then M_1 || M_2 =_iso M_3 || M_4.

Given N, consider the collection of deterministic FSMs

(3.1) Obs(M_i) = (X_{Obs,i}, X_{0,Obs,i}, Σ_i, δ_{Obs,i}, Y_{Obs,i}, H_{Obs,i}),

each associated with the FSM M_i, and define the decentralized observer Obs_d(N) as the FSM

Obs(M_1) || Obs(M_2) || ... || Obs(M_N)

with output set Y_{Obs_d} = {0, 1} and output function H_{Obs_d}(z_1, z_2, ..., z_N) = ⋁_{i ∈ [1;N]} H_{Obs,i}(z_i). The following result shows that the decentralized observer Obs_d(N) can be used for detecting on-line the critical states of the FSM M(N).

Theorem 3.5.
Obs_d(N) =_iso Obs(M(N)).

Proof. We start by showing the result for the network N' = {M_1, M_2} where M_i = (X_i, X_{0,i}, Σ_i, δ_i, C_i), i.e.

(3.2) Obs(M_1) || Obs(M_2) =_iso Obs(M_1 || M_2).

Let Obs_d(N') = (X_{Obs_d}, X_{0,Obs_d}, Σ_{Obs_d}, δ_{Obs_d}, Y_{Obs_d}, H_{Obs_d}) and Obs(M(N')) = (X_Obs, X_{0,Obs}, Σ_Obs, δ_Obs, Y_Obs, H_Obs). Define φ : X_{Obs_d} → X_Obs such that φ((z_1, z_2)) = z_1 × z_2, for any (z_1, z_2) ∈ X_{Obs_d} with z_i ∈ X_{Obs,i}. First of all note that Σ_{Obs_d} = Σ_Obs = Σ_1 ∪ Σ_2 and Y_{Obs_d} = Y_Obs = {0, 1}. Moreover, with reference to Definition 3.3, we get:

Condition (i). By Definitions 2.2 and 2.8 we get φ(X_{0,Obs_d}) = φ(X_{0,Obs,1} × X_{0,Obs,2}) = φ({X_{0,1}} × {X_{0,2}}) = φ({(X_{0,1}, X_{0,2})}) = {φ((X_{0,1}, X_{0,2}))} = {X_{0,1} × X_{0,2}} = X_{0,Obs}.

Conditions (ii) and (iii). We proceed by induction and show that if φ((z_1, z_2)) = z_1 × z_2 for a pair of accessible states (z_1, z_2) ∈ X_{Obs_d} and z_1 × z_2 ∈ X_Obs, then φ(δ_{Obs_d}((z_1, z_2), σ)) = δ_Obs(φ((z_1, z_2)), σ) for any σ ∈ Σ_1 ∪ Σ_2. With reference to Definition 2.2, we have three cases: (case 1) σ ∈ Σ_1 ∩ Σ_2, (case 2) σ ∈ Σ_1 \ Σ_2, and (case 3) σ ∈ Σ_2 \ Σ_1. We start with case 1. By Definitions 2.2 and 2.8 we get

δ_Obs(φ((z_1, z_2)), σ) = δ_Obs(z_1 × z_2, σ)
  = {⋃_{(x_1,x_2) ∈ z_1 × z_2} δ_{1,2}((x_1, x_2), σ)}
  = {⋃_{(x_1,x_2) ∈ z_1 × z_2} δ_1(x_1, σ) × δ_2(x_2, σ)}
  = {⋃_{x_1 ∈ z_1} δ_1(x_1, σ) × ⋃_{x_2 ∈ z_2} δ_2(x_2, σ)}
  = {φ((⋃_{x_1 ∈ z_1} δ_1(x_1, σ), ⋃_{x_2 ∈ z_2} δ_2(x_2, σ)))}
  = φ({(⋃_{x_1 ∈ z_1} δ_1(x_1, σ), ⋃_{x_2 ∈ z_2} δ_2(x_2, σ))})
  = φ({⋃_{x_1 ∈ z_1} δ_1(x_1, σ)} × {⋃_{x_2 ∈ z_2} δ_2(x_2, σ)})
  = φ(δ_{Obs,1}(z_1, σ) × δ_{Obs,2}(z_2, σ))
  = φ(δ_{Obs_d}((z_1, z_2), σ)).

Cases 2 and 3 can be shown by using similar arguments.

Condition (iv). Suppose H_{Obs_d}(z_1, z_2) = 1. By definition of H_{Obs_d}(·) we get that [H_{Obs,1}(z_1) = 1] ∨ [H_{Obs,2}(z_2) = 1], or by Definition 2.8 equivalently that [z_1 ∩ C_1 ≠ ∅] ∨ [z_2 ∩ C_2 ≠ ∅]. By definition of the set C_{1,2}, the last conditions imply that (z_1 × z_2) ∩ C_{1,2} ≠ ∅ which, by Definition 2.8, implies H_Obs(z_1 × z_2) = 1. Suppose now H_{Obs_d}(z_1, z_2) = 0. By definition of H_{Obs_d}(·) we get that [H_{Obs,1}(z_1) = 0] ∧ [H_{Obs,2}(z_2) = 0], or by Definition 2.8 equivalently that [z_1 ∩ C_1 = ∅] ∧ [z_2 ∩ C_2 = ∅]. The last conditions imply that (z_1 × z_2) ∩ C_{1,2} = ∅ which, by Definition 2.8, implies H_Obs(z_1 × z_2) = 0.

Hence, the isomorphic equivalence in (3.2) is proven. We now generalize (3.2) to the case of a generic network N = {M_1, M_2, ..., M_N}. By applying recursively the equivalence in (3.2) and by Proposition 3.4, we get Obs(M(N)) = Obs(M_1 || (M_2 || M_3 || ... || M_N)) =_iso Obs(M_1) || Obs(M_2 || (M_3 || ... || M_N)) =_iso Obs(M_1) || Obs(M_2) || Obs(M_3 || ... || M_N) =_iso ... =_iso Obs(M_1) || Obs(M_2) || ... || Obs(M_N) = Obs_d(N). □

[Figure 3: block diagram in which each M_i of M(N) receives the input word w and generates the trace w_i, each local observer Obs(M_i) produces the output y_i, and an OR block combines y_1, ..., y_N into the output y of Obs_d(N); the drawing is not reproduced.]
Figure 3. A possible architecture for the decentralized observer Obs_d(N).

In the sequel, we will refer to the FSM Obs_d(N) satisfying condition (iii) of Proposition 2.9 as a decentralized critical observer for N. Fig. 3 shows a possible implementation architecture for Obs_d(N). Observer Obs_d(N) can be obtained as a bank of N local observers Obs(M_i) that act asynchronously. Each local observer Obs(M_i) takes as input the trace w_i ∈ L(M_i) generated by M_i in response to the input word w, and sends the output boolean value y_i to the OR (static) block. The OR block acts as a coordinator and whenever it receives one or more boolean values y_i as inputs, it outputs the boolean value y given by the logical Or of the y_i. Note that this architecture does not require the explicit construction of the parallel composition of the local observers Obs(M_i). Since the space and time computational complexity in constructing Obs_d(N) is O(2^{n_max N}), a direct consequence of Theorem 3.5 is:

Corollary 3.6.
An upper bound to the space and time computational complexity in constructing Obs(M(N)) is O(2^{n_max N}).

Note that the above upper bound is lower than O(2^{2^{N log(n_max)}}). From Proposition 2.9 and Theorem 3.5, one way to check critical observability and to design decentralized observers of M(N) is illustrated in Algorithm 1.

Algorithm 1
Check of critical observability of M(N).
1: Construct the N local observers Obs(M_i);
2: Compose the N local observers Obs(M_i) to get Obs_d(N);
3: Apply Proposition 2.9 to Obs_d(N).

Algorithm 1 has space and time computational complexity O(2^{n_max N}). It can be improved from the computational point of view, because:
(D1) It constructs the whole local observer Obs(M_i) for each M_i. A more efficient algorithm would construct, for each M_i, only the sub-FSM of Obs(M_i) that is interconnected with the other local observers in Obs_d(N).
(D2) It constructs the whole observer Obs_d(N), which is not required at the implementation layer (see Fig. 3). A more efficient algorithm would check critical observability on the basis of the local observers.
(D3) It first constructs Obs_d(N) before checking whether the states z of Obs_d(N) satisfy condition (iii) of Proposition 2.9. A more efficient algorithm would conclude that N is not critically observable as soon as the first state z not satisfying condition (iii) of Proposition 2.9 shows up.

In order to cope with the aforementioned drawbacks, we now present a procedure that integrates each step of Algorithm 1 in one algorithm. This procedure extends on-the-fly algorithms for verification and control of FSMs (see e.g. [7, 27]) to the design of decentralized critical observers and is reported in Algorithm 2. Algorithm 2 makes use of the notion of projected local observers. The projection π|_{Obs(M_i)}(Obs_d(M(N))) of Obs_d(M(N)) onto Obs(M_i), as in (3.1), is defined as the FSM Ac(X'_{Obs,i}, X_{0,Obs,i}, Σ_i, δ_{Obs,i}, Y_{Obs,i}, H_{Obs,i}) where X'_{Obs,i} contains the states z_i ∈ X_{Obs,i} for which there exist states z_j ∈ X_{Obs,j}, j ∈ [1;N], j ≠ i, such that (z_1, z_2, ..., z_N) is a state of Obs_d(M(N)).

Algorithm 2 Integrated design of decentralized observers
1: Input: FSMs M_i = (X_i, X_{0,i}, Σ_i, δ_i, C_i), with i ∈ [1;N];
2: Init: X_{Obs,i} := {X_{0,i}}, X_{0,Obs,i} := {X_{0,i}}, Y_{Obs,i} := {0, 1} for any i ∈ [1;N];
3: X_Obs := {(X_{0,1}, X_{0,2}, ..., X_{0,N})}; X_Obs^temp := X_Obs;
4: while X_Obs^temp ≠ ∅ do
5:   Z_Obs^temp := ∅;
6:   for all (z_1, z_2, ..., z_N) ∈ X_Obs^temp do
7:     for all σ ∈ Σ_1 ∪ Σ_2 ∪ ... ∪ Σ_N do
8:       for all i ∈ [1;N] do
9:         if δ_i(z_i, σ) is defined then
10:          z_i^+ := δ_i(z_i, σ);
11:        else
12:          z_i^+ := z_i;
13:        end if
14:      end for
15:      if δ_{Obs_d}((z_1, z_2, ..., z_N), σ) = {(z_1^+, z_2^+, ..., z_N^+)} then
16:        if (z_1^+, z_2^+, ..., z_N^+) ∉ X_Obs then
17:          if [z_1^+ × z_2^+ × ... × z_N^+ ⊄ C_{1,2,...,N}] ∧ [z_1^+ × z_2^+ × ... × z_N^+ ⊄ X_{1,2,...,N} \ C_{1,2,...,N}] then
18:            BREAK: M(N) is not critically observable;
19:          end if
20:          Z_Obs^temp := Z_Obs^temp ∪ {(z_1^+, z_2^+, ..., z_N^+)};
21:          for all i ∈ [1;N] do
22:            if [z_i^+ ≠ ∅] ∧ [z_i^+ ∉ X_{Obs,i}] then
23:              X_{Obs,i} := X_{Obs,i} ∪ {z_i^+};
24:              δ_{Obs,i}(z_i, σ) := {z_i^+};
25:              if z_i^+ ⊆ C_i then
26:                H_{Obs,i}(z_i^+) := 1;
27:              else
28:                H_{Obs,i}(z_i^+) := 0;
29:              end if
30:            end if
31:          end for
32:        end if
33:      end if
34:    end for
35:  end for
36:  X_Obs := X_Obs ∪ Z_Obs^temp; X_Obs^temp := Z_Obs^temp;
37: end while
Output: M(N) is critically observable; projected local observers π|_{Obs(M_i)}(Obs_d(N)) = (X_{Obs,i}, X_{0,Obs,i}, Σ_i, δ_{Obs,i}, Y_{Obs,i}, H_{Obs,i}), i ∈ [1;N].

The input of Algorithm 2 is the collection of FSMs M_i of N. The output is the collection of projected local observers π|_{Obs(M_i)}(Obs_d(N)) if M(N) is critically observable. In line 2, the initial state and the output set of the projected local observers are defined and their sets of states X_{Obs,i} are initialized to contain only the initial states. At each iteration, the algorithm processes candidate new states of π|_{Obs(M_i)}(Obs_d(N)) and adds them to X_{Obs,i} whenever they are compatible with the parallel composition of the π|_{Obs(M_j)}(Obs_d(N)) with j ≠ i. For each aggregate (z_1, z_2, ..., z_N) in the temporary set X_Obs^temp and for each σ ∈ Σ_1 ∪ Σ_2 ∪ ... ∪ Σ_N (lines 6 and 7), first the successors z_i^+ of the states z_i in M_i are computed (lines 8 to 14); in particular, if δ_i(z_i, σ) is defined (note that the maps δ_i are in general partial) then z_i^+ is set in line 10 to δ_i(z_i, σ); otherwise it is set in line 12 to z_i. If in line 15, according to the definition of the transition map of Obs_d(N), there is a transition in Obs_d(N) from the aggregate (z_1, z_2, ..., z_N) to the aggregate (z_1^+, z_2^+, ..., z_N^+) with input label σ, then (z_1^+, z_2^+, ..., z_N^+) is further processed. Note that we are not storing the information computed in line 15 on the transition map of Obs_d(N), but only the states of Obs_d(N), which cannot be avoided for computing the projections π|_{Obs(M_i)}(Obs_d(N)). By this fact, Algorithm 2 overcomes drawback (D2) of Algorithm 1. Algorithm 2 then checks in line 16 whether the aggregate (z_1^+, z_2^+, ..., z_N^+) has been processed before. If not, line 17 is executed. By definition of the output function H_{Obs_d}, the condition z_1^+ × z_2^+ × ... × z_N^+ ⊄ X_{1,2,...,N} \ C_{1,2,...,N} implies H_{Obs_d}(z_1^+, z_2^+, ..., z_N^+) = 1 which, combined with the condition z_1^+ × z_2^+ × ... × z_N^+ ⊄ C_{1,2,...,N}, implies that condition (iii) of Proposition 2.9 is not satisfied. Hence, by applying Proposition 2.9, if (z_1^+, z_2^+, ..., z_N^+) satisfies the condition in line 17, the algorithm immediately terminates in line 18, concluding that N is not critically observable. By this fact, Algorithm 2 overcomes drawback (D3) of Algorithm 1. If (z_1^+, z_2^+, ..., z_N^+) does not satisfy the condition in line 17, it is added to Z_Obs^temp in line 20; the set of states X_{Obs,i} and the transition map δ_{Obs,i} of π|_{Obs(M_i)}(Obs_d(N)) are updated in lines 23 and 24. Note that since δ_{Obs,i} is updated only if the condition in line 15 holds, Algorithm 2 constructs step by step π|_{Obs(M_i)}(Obs_d(N)) and not Obs(M_i). By this fact, Algorithm 2 overcomes drawback (D1) of Algorithm 1. The outputs of the states z_i^+ are set in lines 25 to 28. In line 36, the set X_Obs is updated to X_Obs ∪ Z_Obs^temp and the set X_Obs^temp to Z_Obs^temp; the next iteration then starts. Algorithm 2 terminates when there are no more states in X_Obs^temp to be processed (see line 4) or when the condition in line 17 is satisfied. From the above explanation, it is clear that Algorithm 2 terminates in a finite number of steps. Moreover, it is also clear that in the worst case the computational complexity of Algorithm 2 is the same as that of Algorithm 1, i.e. O(2^{n_max N}). This is typical for on-the-fly algorithms. However, there are practical cases in which Algorithm 2 performs better than Algorithm 1; a pair of examples is included at the end of the next section.

4. Model reduction via bisimulation
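Before turning to model reduction, Algorithm 2 of the previous section in executable form, as an added example that is not part of the paper. The network {A, B} and the variant B' are constructed here: A alone is not critically observable (its a-move from 0 reaches both the noncritical state 1 and the critical state 3), but B never enables the shared label a in its initial state, so that move is blocked in the network and the algorithm returns the projected local observers; with B', which does enable a initially, the same move is taken and the algorithm stops at the first aggregate violating condition (iii) of Proposition 2.9. One deviation from the listing is deliberate and is an assumption of this code: a local transition δ_{Obs,i}(z_i, σ) is recorded whenever the network takes the move, not only when the successor aggregate is new, so that the returned projections also contain the transitions leading back to already visited states.

```python
# Each FSM M_i = (X_i, X_{0,i}, Σ_i, δ_i, C_i) is a dict; "delta" maps (x, σ) to
# the set δ_i(x, σ) and a missing key means the transition is undefined.


def step(m, z, s):
    """δ_i(z, σ) = ⋃_{x ∈ z} δ_i(x, σ) as a frozenset (empty = undefined)."""
    out = set()
    for x in z:
        out |= m["delta"].get((x, s), set())
    return frozenset(out)


def aggregate_successor(net, agg, s):
    """Lines 8-15: the successor aggregate (z_1^+, ..., z_N^+) on σ, or None when
    δ_{Obs_d}((z_1, ..., z_N), σ) is undefined, i.e. some component whose alphabet
    contains σ cannot move (Definition 2.2 lifted to observer states)."""
    succ = []
    for m, z in zip(net, agg):
        if s in m["sigma"]:
            zp = step(m, z, s)
            if not zp:
                return None
            succ.append(zp)
        else:
            succ.append(z)          # σ is private to other components: z_i^+ = z_i
    return tuple(succ)


def mixes_criticality(net, agg):
    """Line 17: z_1 × ... × z_N ⊄ C_{1..N} and ⊄ X_{1..N} minus C_{1..N}.
    A product state is critical iff some component is critical, so the product
    holds a critical state iff some z_i meets C_i, and a noncritical state iff
    no z_i lies entirely inside C_i."""
    some_critical = any(z & m["critical"] for m, z in zip(net, agg))
    some_noncritical = not any(z <= m["critical"] for m, z in zip(net, agg))
    return some_critical and some_noncritical


def design_decentralized_observer(net):
    """Algorithm 2: breadth-first exploration of aggregates that never builds
    M(N) or Obs_d(N) explicitly. Returns (False, aggregate) at the first
    aggregate violating Proposition 2.9 (iii), otherwise (True, local) where
    local[i] is the projected local observer of M_i."""
    alphabet = set().union(*(m["sigma"] for m in net))
    start = tuple(frozenset(m["init"]) for m in net)
    local = [{"init": z0, "states": {z0}, "delta": {},
              "H": {z0: int(z0 <= m["critical"])}} for m, z0 in zip(net, start)]
    if mixes_criticality(net, start):
        return False, start
    seen, frontier = {start}, [start]
    while frontier:
        fresh = []
        for agg in frontier:
            for s in sorted(alphabet):
                succ = aggregate_successor(net, agg, s)
                if succ is None:
                    continue
                # Record the move in every local observer that took part in it.
                for i, (m, z, zp) in enumerate(zip(net, agg, succ)):
                    if s in m["sigma"]:
                        local[i]["delta"][(z, s)] = zp
                        local[i]["states"].add(zp)
                        local[i]["H"][zp] = int(zp <= m["critical"])   # lines 25-28
                if succ in seen:
                    continue
                if mixes_criticality(net, succ):
                    return False, succ                              # line 18
                seen.add(succ)
                fresh.append(succ)
        frontier = fresh                                            # line 36
    return True, local


# Constructed network. A alone is NOT critically observable: 0 -a-> {1, 3} mixes
# noncritical 1 with critical 3. B never enables a in its initial state p, so in
# the network that move is blocked and M({A, B}) is critically observable
# (the same mechanism as in Example 3.2).
A = {"init": {0}, "sigma": {"a", "b", "c"}, "critical": {3},
     "delta": {(0, "a"): {1, 3}, (0, "b"): {2}, (2, "c"): {3}, (3, "c"): {3}}}
B = {"init": {"p"}, "sigma": {"a", "b", "d"}, "critical": set(),
     "delta": {("p", "b"): {"q"}, ("q", "d"): {"p"}, ("q", "a"): {"q"}}}
# B' is B with a enabled initially: the mixing move of A is no longer blocked.
B_PERMISSIVE = {**B, "delta": {**B["delta"], ("p", "a"): {"q"}}}

if __name__ == "__main__":
    ok, local = design_decentralized_observer([A, B])
    print("M({A, B}) critically observable:", ok)
    for i, obs in enumerate(local):
        print(f"projected local observer {i}: {len(obs['states'])} states, "
              f"{len(obs['delta'])} transitions")
    ok, culprit = design_decentralized_observer([A, B_PERMISSIVE])
    print("M({A, B'}) critically observable:", ok, "first bad aggregate:", culprit)
```

For {A, B} the projected observer of A has only the three states {0}, {2}, {3} although Obs(A) would also contain {1, 3}, which is drawback (D1) avoided; the local outputs follow the listing (H = 1 iff z_i ⊆ C_i), which differs from Definition 2.8 on individual components but, on a critically observable network, gives the same Or output y.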
In this section we propose the use of bisimulation equivalence [15, 17] to reduce the computational complexity in checking critical observability and designing observers. We start by recalling the notion of bisimulation equivalence.
Definition 4.1. Two FSMs M_1 = (X_1, X_1^0, Σ_1, δ_1, C_1) and M_2 = (X_2, X_2^0, Σ_2, δ_2, C_2) are bisimilar, denoted by M_1 ≅ M_2, if Σ_1 = Σ_2 and there exists a relation R ⊆ X_1 × X_2, called bisimulation relation, such that for any (x_1, x_2) ∈ R the following conditions are satisfied:
(i) x_1 ∈ X_1^0 if and only if x_2 ∈ X_2^0;
(ii) for any σ ∈ Σ_1 such that δ_1(x_1, σ) ≠ ∅ and for any x_1^+ ∈ δ_1(x_1, σ) there exists x_2^+ ∈ δ_2(x_2, σ) such that (x_1^+, x_2^+) ∈ R;
(iii) for any σ ∈ Σ_2 such that δ_2(x_2, σ) ≠ ∅ and for any x_2^+ ∈ δ_2(x_2, σ) there exists x_1^+ ∈ δ_1(x_1, σ) such that (x_1^+, x_2^+) ∈ R;
(iv) x_1 ∈ C_1 if and only if x_2 ∈ C_2.
The above notion of bisimulation equivalence differs from the classical one [15, 17] because of the additional condition (iv). This condition is needed because for two states x_1 and x_2 to be considered equivalent, they have to be either both critical or both non-critical. Using this notion of bisimulation equivalence, we get the following result:
Proposition 4.2.
If FSMs M_1 and M_2 are bisimilar then:
(i) M_1 is critically observable if and only if M_2 is critically observable;
(ii) an FSM Obs is a critical observer for M_1 if and only if it is a critical observer for M_2.
Proof. Set M_i = (X_i, X_i^0, Σ_i, δ_i, C_i), i = 1, 2, and let R be a bisimulation relation between M_1 and M_2.
Proof of (i). By contradiction assume that M_1 is critically observable and M_2 is not critically observable. Hence, there exist a pair of state runs of M_2 with initial states x_2^0, x'^0_2 ∈ X_2^0, common trace w ∈ L(M_2), and states x_2 ∈ δ̂_2(x_2^0, w), x'_2 ∈ δ̂_2(x'^0_2, w) such that
(4.1) x_2 ∈ C_2 ∧ x'_2 ∈ X_2 \ C_2.
Since M_1 ≅ M_2, there exist a pair of state runs of M_1 with initial states x_1^0, x'^0_1 ∈ X_1^0, common trace w ∈ L(M_1) and states x_1 ∈ δ̂_1(x_1^0, w), x'_1 ∈ δ̂_1(x'^0_1, w) such that (x_1, x_2), (x'_1, x'_2) ∈ R which, by (4.1) and condition (iv) in Definition 4.1, implies x_1 ∈ C_1 and x'_1 ∈ X_1 \ C_1. Thus, M_1 is not critically observable and a contradiction holds.
Proof of (ii). By contradiction assume that Obs is a critical observer for M_1 but not for M_2. By Definition 2.7, there exist a state run r_2: x_2^0 -σ_1-> x_2^1 -σ_2-> x_2^2 -σ_3-> x_2^3 ... of M_2 and the corresponding (unique) state run r_Obs: z^0 -σ_1-> z^1 -σ_2-> z^2 -σ_3-> z^3 ... of Obs such that
(4.2) [H_Obs(z^i) = 1 ∧ x_2^i ∉ C_2] ∨ [H_Obs(z^i) = 0 ∧ x_2^i ∈ C_2], for some i.
Suppose first H_Obs(z^i) = 1 ∧ x_2^i ∉ C_2. By Definition 4.1, there exists a state run r_1: x_1^0 -σ_1-> x_1^1 -σ_2-> x_1^2 -σ_3-> x_1^3 ... of M_1 such that (x_1^j, x_2^j) ∈ R for all j. In particular for j = i we get by condition (iv) of Definition 4.1 that x_1^i ∉ C_1, from which Obs is not a critical observer for M_1 and a contradiction holds. The second case in (4.2) can be proven by using the same arguments. □
Space and time computational complexities in checking bisimulation equivalence between M_1 and M_2 with |X_1| = n_1 and |X_2| = n_2 states are O(n_1 + n_2) and O((n_1 + n_2) log(n_1 + n_2)), respectively, see e.g.
[16, 11]. Bisimulation equivalence is an equivalence relation on the class of FSMs. We now define the network of FSMs N_min as the quotient of the original network N induced by the bisimulation equivalence. More precisely, given N, define the following equivalence classes induced by the bisimulation equivalence:
E_1 = {M_{i(1,1)}, M_{i(1,2)}, ..., M_{i(1,n_1)}}, E_2 = {M_{i(2,1)}, M_{i(2,2)}, ..., M_{i(2,n_2)}}, ..., E_{N_min} = {M_{i(N_min,1)}, M_{i(N_min,2)}, ..., M_{i(N_min,n_{N_min})}},
such that N = {M_{i(k,j)}}_{j ∈ [1; n_k], k ∈ [1; N_min]} and M_{i(k,j)}, M_{i(k,j')} ∈ E_k if and only if M_{i(k,j)} ≅ M_{i(k,j')}. Denote by M_{i_min_k} ∈ E_k a representative of the equivalence class E_k and define the network of FSMs N_min = {M_{i_min_1}, M_{i_min_2}, ..., M_{i_min_{N_min}}} with M(N_min) = M_{i_min_1} || M_{i_min_2} || ... || M_{i_min_{N_min}}. The following result holds.
Theorem 4.3. If C_i = ∅ for all i ∈ [1; N] or C_i = X_i for all i ∈ [1; N] then M(N) ≅ M(N_min).
Proof. From Proposition 3.1.5 in [18],
(4.3) [[M_1 ≅ M_2] ∧ [M_3 ≅ M_4]] ⇒ [M_1 || M_3 ≅ M_2 || M_4].
If we show that
(4.4) [M_1 ≅ M_2] ⇒ [M_1 || M_2 ≅ M_1],
then the result holds as a straightforward application of (4.3) and (4.4) and by the definition of M(N) and M(N_min). Let M_i = (X_i, X_i^0, Σ_i, δ_i, C_i) for i = 1, 2, and M_1 || M_2 = (X, X^0, Σ, δ, C). Define R ⊆ X × X_1 such that ((x_1, x_2), x'_1) ∈ R if and only if x_1 = x'_1. Consider any ((x_1, x_2), x'_1) ∈ R. Condition (i) of Definition 4.1 holds by definition of R and of the initial states in Definition 2.2. As for condition (ii), first note that since M_1 ≅ M_2 then Σ_1 = Σ_2 = Σ and the parallel composition M_1 || M_2 boils down to the product composition M_1 × M_2 (see e.g. [4]), i.e. only synchronized transitions are allowed; consider now any σ ∈ Σ such that δ((x_1, x_2), σ) is defined and any (x_1^+, x_2^+) ∈ δ((x_1, x_2), σ). By Definition 2.2 and since M_1 ≅ M_2, then x_1^+ ∈ δ_1(x_1, σ) from which, by setting x'^+_1 = x_1^+, we get ((x_1^+, x_2^+), x'^+_1) ∈ R. We now show condition (iii) of Definition 4.1. Consider any σ ∈ Σ such that δ_1(x'_1, σ) is defined and any x'^+_1 ∈ δ_1(x'_1, σ). Select x_1^+ = x'^+_1. Since M_1 ≅ M_2 there exists x_2^+ ∈ δ_2(x_2, σ) such that the pair (x_1^+, x_2^+) is in a bisimulation relation between M_1 and M_2; this in turn implies, by Definition 2.2, that (x_1^+, x_2^+) is a state in δ((x_1, x_2), σ);
Figure 4. FSM M_1 in Example 4.4.
Figure 5. FSM M_1 || M_2 in Example 4.4.
since by construction ((x_1^+, x_2^+), x'^+_1) ∈ R, condition (iii) holds. Condition (iv) is trivially satisfied by the assumptions placed on the sets of critical states C_i. □
The above result extends bisimulation theory based model reduction, traditionally given in the community of formal methods for single FSMs, see e.g. [5] and the references therein, to networks of FSMs. It establishes connections between the networks of FSMs M(N) and M(N_min) under the assumption that each set C_i is either empty or coincides with the set of states X_i. This assumption corresponds in fact to dropping condition (iv) from Definition 4.1, thus obtaining the standard definition of bisimulation as in e.g. [15, 17]. If this assumption is removed, the following example shows that the statement of Theorem 4.3 is not true in general.
Example 4.4. Consider the FSM M_1 depicted in Fig. 4 and M_2 = M_1. Of course, M_1 ≅ M_2. FSM M_1 || M_2 is depicted in Fig. 5. While in M_1 || M_2 there are two transitions from the critical states (2, 3) and (3, 2) to the critical states (4, 5) and (5, 4), there is no transition in M_1 from a critical state to a critical state. Hence, this is enough to conclude that FSMs M_1 || M_2 and M_1 are not bisimilar.
However, we now show that the proposed reduced network M(N_min) preserves the critical observability properties of the original network M(N). The forthcoming results rely upon the following technical results.
Lemma 4.5.
Consider FSMs M_i = (X_i, X_i^0, Σ_i, δ_i, C_i) with i ∈ [1; 3] and suppose that M_2 and M_3 are bisimilar. Then an FSM Obs is a critical observer for M_1 || M_2 if and only if it is a critical observer for M_1 || M_2 || M_3.
Proof. Let Obs = (X_Obs, X_Obs^0, Σ_Obs, δ_Obs, Y_Obs, H_Obs) and let R be a bisimulation relation between M_2 and M_3.
(Sufficiency.) By contradiction assume that Obs is not a critical observer for M_1 || M_2 || M_3. By Definition 2.7, there exist a state run r: (x_1^0, x_2^0, x_3^0) -σ_1-> (x_1^1, x_2^1, x_3^1) -σ_2-> ... -σ_n-> (x_1^n, x_2^n, x_3^n) of M_1 || M_2 || M_3 and the corresponding state run r_Obs: z^0 -σ_1-> z^1 -σ_2-> ... -σ_n-> z^n of Obs such that (case 1) [(x_1^n, x_2^n, x_3^n) ∉ C_{1,2,3} ∧ H_Obs(z^n) = 1] or (case 2) [(x_1^n, x_2^n, x_3^n) ∈ C_{1,2,3} ∧ H_Obs(z^n) = 0]. Construct the sequence r_{1,2}: (x_1^0, x_2^0) -σ_1-> (x_1^1, x_2^1) -σ_2-> ... -σ_n-> (x_1^n, x_2^n), where r_{1,2} has been obtained by removing the third component in the states of run r. It is readily seen that r_{1,2} is a state run of M_1 || M_2. Construct the sequence r̂_{1,2}: (x_1^0, x̂_2^0) -σ_1-> (x_1^1, x̂_2^1) -σ_2-> ... -σ_n-> (x_1^n, x̂_2^n) such that (x̂_2^i, x_3^i) ∈ R for any i ∈ [0; n]. By construction, r̂_{1,2} is a state run of M_1 || M_2. We start by considering case 1. Since (x_1^n, x_2^n, x_3^n) ∉ C_{1,2,3} then x_1^n ∉ C_1 and x_2^n ∉ C_2, from which the last state (x_1^n, x_2^n) of run r_{1,2} is such that (x_1^n, x_2^n) ∉ C_{1,2}. Since H_Obs(z^n) = 1, FSM Obs is not a critical observer for M_1 || M_2 and a contradiction holds. We now consider case 2. Since (x_1^n, x_2^n, x_3^n) ∈ C_{1,2,3} then (case 2.1) [x_1^n ∈ C_1 ∨ x_2^n ∈ C_2] or (case 2.2) x_3^n ∈ C_3. We start by considering case 2.1. Since [x_1^n ∈ C_1 ∨ x_2^n ∈ C_2] or, equivalently, the last state (x_1^n, x_2^n) of run r_{1,2} is such that (x_1^n, x_2^n) ∈ C_{1,2}, and by assumption H_Obs(z^n) = 0, a contradiction holds. We conclude with case 2.2. Since x_3^n ∈ C_3, by definition of run r̂_{1,2} and condition (iv) of Definition 4.1, state x̂_2^n ∈ C_2, which implies that the last state (x_1^n, x̂_2^n) of run r̂_{1,2} is such that (x_1^n, x̂_2^n) ∈ C_{1,2}. This last condition combined with the assumed condition H_Obs(z^n) = 0 leads to a contradiction as well.
(Necessity.) By contradiction assume that Obs is not a critical observer for M_1 || M_2. By Definition 2.7, there exist a state run r: (x_1^0, x_2^0) -σ_1-> (x_1^1, x_2^1) -σ_2-> ... -σ_n-> (x_1^n, x_2^n) of M_1 || M_2 and the corresponding state run r_Obs: z^0 -σ_1-> z^1 -σ_2-> ... -σ_n-> z^n of Obs such that (case 1) [(x_1^n, x_2^n) ∉ C_{1,2} ∧ H_Obs(z^n) = 1] or (case 2) [(x_1^n, x_2^n) ∈ C_{1,2} ∧ H_Obs(z^n) = 0]. Construct the sequence r': (x_1^0, x_2^0, x_3^0) -σ_1-> (x_1^1, x_2^1, x_3^1) -σ_2-> ... -σ_n-> (x_1^n, x_2^n, x_3^n), where (x_2^i, x_3^i) ∈ R for any i ∈ [0; n]. By construction r' is a state run of M_1 || M_2 || M_3. We start by considering case 1. By condition (iv) of Definition 4.1, we get [(x_1^n, x_2^n) ∉ C_{1,2}] iff [x_1^n ∉ C_1 ∧ x_2^n ∉ C_2] iff [x_1^n ∉ C_1 ∧ x_2^n ∉ C_2 ∧ x_3^n ∉ C_3] iff [(x_1^n, x_2^n, x_3^n) ∉ C_{1,2,3}]. Since H_Obs(z^n) = 1, FSM Obs is not a critical observer for M_1 || M_2 || M_3 and a contradiction holds. We now consider case 2. By condition (iv) of Definition 4.1, we get [(x_1^n, x_2^n) ∈ C_{1,2}] iff [x_1^n ∈ C_1 ∨ x_2^n ∈ C_2] iff [x_1^n ∈ C_1 ∨ x_2^n ∈ C_2 ∨ x_3^n ∈ C_3] iff [(x_1^n, x_2^n, x_3^n) ∈ C_{1,2,3}]. Since H_Obs(z^n) = 0, FSM Obs is not a critical observer for M_1 || M_2 || M_3 and a contradiction holds. □
Corollary 4.6.
Consider FSMs M_i = (X_i, X_i^0, Σ_i, δ_i, C_i) with i ∈ [1; 3] and suppose that M_2 and M_3 are bisimilar. Then M_1 || M_2 is critically observable if and only if M_1 || M_2 || M_3 is critically observable.
Proof. The result follows by combining Proposition 2.9 and Lemma 4.5. □
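As an added worked example (code written for this page, not an implementation by the authors), the following Python decides bisimilarity in the sense of Definition 4.1 by partition refinement on the disjoint union of two FSMs, and replays the point of Theorem 4.3 and Example 4.4. The tuple encoding of FSMs, the semantics chosen for the parallel composition (shared labels synchronize, private labels interleave, a product state is critical iff some component is) and the sample machine M1, whose structure follows the description of M_1 in Example 4.4 since Fig. 4 is not reproduced here, are all assumptions of this example.

```python
from itertools import product
from typing import Dict, Hashable, Set, Tuple

# Constructed encoding of M = (X, X0, Sigma, delta, C); delta maps
# (state, label) to a set of successors and may be partial.
FSM = Tuple[Set[Hashable], Set[Hashable], Set[str],
            Dict[Tuple[Hashable, str], Set[Hashable]], Set[Hashable]]


def parallel(m1: FSM, m2: FSM) -> FSM:
    """Parallel composition M1 || M2 as assumed here: shared labels move both
    components together, private labels move one of them, and a product state
    is critical iff at least one component is critical (the convention used in
    the proof of Lemma 4.5). With Sigma1 == Sigma2 this is the product M1 x M2."""
    x1, x01, s1, d1, c1 = m1
    x2, x02, s2, d2, c2 = m2
    delta: Dict = {}
    for (a, b), sigma in product(product(x1, x2), s1 | s2):
        if sigma in s1 and sigma in s2:
            succ = {(a2, b2) for a2 in d1.get((a, sigma), ()) for b2 in d2.get((b, sigma), ())}
        elif sigma in s1:
            succ = {(a2, b) for a2 in d1.get((a, sigma), ())}
        else:
            succ = {(a, b2) for b2 in d2.get((b, sigma), ())}
        if succ:
            delta[((a, b), sigma)] = succ
    states = set(product(x1, x2))
    crit = {s for s in states if s[0] in c1 or s[1] in c2}
    return states, set(product(x01, x02)), s1 | s2, delta, crit


def bisimilar(m1: FSM, m2: FSM) -> bool:
    """Decides Definition 4.1 by naive partition refinement (not the
    O(m log n) algorithm of [16]) on the disjoint union of M1 and M2.
    The initial partition separates states by (initial?, critical?), which
    enforces conditions (i) and (iv); blocks are then split until every label
    sends all states of a block to the same set of blocks, which yields (ii)
    and (iii). The machines are bisimilar iff each initial state of one shares
    a block with an initial state of the other."""
    if m1[2] != m2[2]:
        return False
    ms, labels = (m1, m2), sorted(m1[2])
    union = [(k, x) for k, m in enumerate(ms) for x in m[0]]
    ids: Dict = {}
    block = {s: ids.setdefault((s[1] in ms[s[0]][1], s[1] in ms[s[0]][4]), len(ids))
             for s in union}
    while True:
        def signature(s):
            k, x = s
            return (block[s],) + tuple(
                frozenset(block[(k, y)] for y in ms[k][3].get((x, a), ())) for a in labels)
        ids = {}
        refined = {s: ids.setdefault(signature(s), len(ids)) for s in union}
        if len(ids) == len(set(block.values())):      # partition is stable
            return {block[(0, x)] for x in m1[1]} == {block[(1, x)] for x in m2[1]}
        block = refined


# Constructed FSM with the structure described for M_1 in Example 4.4 (an
# assumption of this example): from the initial state 1 label a leads
# nondeterministically to 2 or 3, then b leads 2 -> 4 and 3 -> 5; critical
# states are 3 and 4, so no transition of M1 goes from a critical state to a
# critical state, while in M1 || M1 the critical (2, 3) moves to the critical (4, 5).
M1: FSM = ({1, 2, 3, 4, 5}, {1}, {"a", "b"},
           {(1, "a"): {2, 3}, (2, "b"): {4}, (3, "b"): {5}}, {3, 4})
M1_NOCRIT: FSM = (M1[0], M1[1], M1[2], M1[3], set())   # C = {} as in Theorem 4.3


def example_4_4() -> Tuple[bool, bool, bool]:
    """Returns (M1 ~ M1, M1||M1 ~ M1 with criticality, M1||M1 ~ M1 with C = {})."""
    return (bisimilar(M1, M1),
            bisimilar(parallel(M1, M1), M1),
            bisimilar(parallel(M1_NOCRIT, M1_NOCRIT), M1_NOCRIT))


if __name__ == "__main__":
    print(example_4_4())
```

The middle result is the failure of (4.4) once condition (iv) is in force: the block containing (2, 3) has no counterpart among the states of M1, so the initial states end up in different blocks. Emptying the critical sets, i.e. the hypothesis of Theorem 4.3, makes the composition collapse back onto M1.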
We now have all the ingredients to present the main results of this section.
Theorem 4.7. M(N) is critically observable if and only if M(N_min) is critically observable.
Proof. By applying Corollary 4.6, for any M_{i(N_min,j)} ∈ N \ N_min, FSM M(N_min) = (M_{i_min_1} || M_{i_min_2} || ... || M_{i_min_{N_min-1}}) || M_{i_min_{N_min}} is critically observable if and only if FSM (M_{i_min_1} || M_{i_min_2} || ... || M_{i_min_{N_min-1}}) || M_{i_min_{N_min}} || M_{i(N_min,j)} is critically observable (recall that M_{i(N_min,j)} ≅ M_{i_min_{N_min}} for any j ∈ [1; n_{N_min}]). Hence, by applying recursively Corollary 4.6 to all other FSMs M_{i(k,j)} ∈ N \ N_min and by making use of Proposition 2.3 to properly rearrange terms in the composed FSM, the result follows. □
Theorem 4.8. Obs(M(N_min)) is a critical observer for M(N_min) if and only if it is a critical observer for M(N).
Proof. By applying Lemma 4.5, Obs(M(N_min)) is a critical observer for M(N_min) = (M_{i_min_1} || M_{i_min_2} || ... || M_{i_min_{N_min-1}}) || M_{i_min_{N_min}} if and only if it is a critical observer for (M_{i_min_1} || M_{i_min_2} || ... || M_{i_min_{N_min-1}}) || M_{i_min_{N_min}} || M_{i(N_min,j)} for any FSM M_{i(N_min,j)} ∈ N \ N_min (recall that M_{i(N_min,j)} ≅ M_{i_min_{N_min}} for any j ∈ [1; n_{N_min}]). Hence, by applying recursively Lemma 4.5 to all other FSMs M ∈ N \ N_min and by making use of Proposition 2.3 to properly rearrange terms in the composed FSM, the result follows. □
The above results reduce the computational effort since they show that it is possible to consider the reduced network N_min to check critical observability and to design critical observers for the original network N. We stress that the model reduction via bisimulation equivalence that we propose here is performed on the collection of FSMs M_i and not on the FSM M(N), as done for example in [32]; this may allow a drastic computational complexity reduction when several bisimilar FSMs are present in the network.
The results above and in Section 3 can be combined together as illustrated in Algorithm 3.
Algorithm 3
Integrated design of decentralized observers with model reduction
1: Compute the network N_min;
2: Apply Algorithm 2 to N_min;
3: if M(N_min) is not critically observable then
4:   BREAK: M(N) is not critically observable;
5: else
6:   M(N) is critically observable;
7: end if
8: Define projected local observers π|Obs(M_{i(k,j)})(Obs_d(N)) = π|Obs(M_{i_min_k})(Obs_d(N_min)) for any j ∈ [1; n_k], k ∈ [1; N_min].
As a consequence of Proposition 4.2 (ii), the composition of the local observers computed in line 8 of Algorithm 3 is a decentralized critical observer for N.
We now provide a computational complexity analysis. We focus on computational complexity with respect to the parameters n_max, N and N_min. A traditional approach to check critical observability of the network N = {M_1, M_2, ..., M_N} consists in computing Obs(M(N)), whose space and time computational complexity by Corollary 3.6 is O(2^{n_max N}), as reported in the second column of Table 1. The computational complexity analysis of Algorithm 3 follows. In line 1, one needs to check bisimulation equivalence between any pair of FSMs M_i, M_j in N, whose space computational complexity is O(n_max N^2) and time computational complexity is O(n_max N^2 log(n_max)). Space and time computational complexities associated with line 2 are O(2^{n_max N_min}) and those with line 8 are zero. The resulting computational complexity bounds are reported in the third column of Table 1. For example, for N = 10, N_min = 7 and n_max = 10, space and time computational complexities in constructing Obs(M(N)) are of the order of 2^{100} and those in constructing Obs_d(N_min) of the order of 2^{70}.
We conclude this section with two illustrative examples. In both examples, the goal is to check if a network N is critically observable and, if so, to design a decentralized critical observer for N. For this purpose we apply Algorithm 3.
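Before the two examples, the following is an added executable sketch (example code written for this page, not the authors' implementation) of what line 2 of Algorithm 3 runs, i.e. lines 5–27 of Algorithm 2: aggregates (z_1, ..., z_N) are explored on the fly, the line-16 test is applied to every new aggregate so that a violation of critical observability stops the exploration at once, and only the per-component transitions (z_i, σ) -> z_i^+ are recorded, which is exactly what the projected local observers π|Obs(M_i)(Obs_d(N)) consist of. The tuple encoding of FSMs, the monitor that ORs the local outputs, and both sample networks are constructed for this example; the second network reuses the GalP pattern described in Section 5 to show the early termination surviving composition.

```python
from collections import deque
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed encoding of M_i = (X_i, X0_i, Sigma_i, delta_i, C_i); delta_i
# maps (state, label) to a set of successors and may be partial.
State = int
FSM = Tuple[Set[State], Set[State], Set[str],
            Dict[Tuple[State, str], Set[State]], Set[State]]
Aggregate = Tuple[FrozenSet[State], ...]


def step(m: FSM, z: FrozenSet[State], sigma: str) -> Optional[FrozenSet[State]]:
    """Successor z_i^+ of the component state-set z_i under sigma (lines 7-12):
    a label outside Sigma_i leaves z_i unchanged; a label in Sigma_i with no
    transition from any state of z_i blocks the aggregate transition (None)."""
    _, _, sigma_i, delta, _ = m
    if sigma not in sigma_i:
        return z
    succ = frozenset(y for x in z for y in delta.get((x, sigma), ()))
    return succ if succ else None


def classify(net: List[FSM], z: Aggregate) -> Optional[int]:
    """Output of an aggregate: 1 if every product state it stands for is
    critical, 0 if none is, None if it mixes both (the line-16 condition,
    which by Proposition 2.9 means N is not critically observable).
    A product state is critical iff some component is, so the aggregate is
    entirely critical iff some z_i lies inside C_i and entirely non-critical
    iff every z_i is disjoint from C_i."""
    if any(z[i] <= net[i][4] for i in range(len(net))):
        return 1
    if all(z[i].isdisjoint(net[i][4]) for i in range(len(net))):
        return 0
    return None


def decentralized_observer(net: List[FSM]):
    """On-the-fly construction of the projected local observers. Aggregates are
    explored breadth-first; only the aggregates are stored, never the transition
    map of Obs_d(N), and each component's transitions go into its own local
    observer (X_Obs,i, delta_Obs,i). Returns (True, locals) or (False, aggregate)."""
    n = len(net)
    alphabet = sorted(set().union(*(m[2] for m in net)))
    z0: Aggregate = tuple(frozenset(m[1]) for m in net)
    if classify(net, z0) is None:
        return False, z0
    local = [({z0[i]}, {}) for i in range(n)]
    seen, frontier = {z0}, deque([z0])
    while frontier:
        z = frontier.popleft()
        for sigma in alphabet:
            succ = [step(net[i], z[i], sigma) for i in range(n)]
            if any(s is None for s in succ):
                continue                          # no transition in Obs_d(N) (line 14)
            zp: Aggregate = tuple(succ)
            if classify(net, zp) is None:
                return False, zp                  # early termination (line 17)
            for i in range(n):
                if sigma in net[i][2]:
                    local[i][0].add(zp[i])
                    local[i][1][(z[i], sigma)] = zp[i]
            if zp not in seen:
                seen.add(zp)
                frontier.append(zp)
    return True, local


def monitor(net: List[FSM], local, trace: List[str]) -> List[int]:
    """Run the local observers in parallel on a trace: each outputs 1 iff its
    z_i lies inside C_i, and the decentralized verdict is the OR of them."""
    z = [frozenset(m[1]) for m in net]
    verdicts = []
    for sigma in trace:
        for i, m in enumerate(net):
            if sigma in m[2]:
                if (z[i], sigma) not in local[i][1]:
                    raise ValueError("trace not in the language of the network")
                z[i] = local[i][1][(z[i], sigma)]
        verdicts.append(int(any(z[i] <= net[i][4] for i in range(len(net)))))
    return verdicts


# Constructed sample network: M1 is nondeterministic but both a-successors are
# critical, so the network is critically observable; M1, M2 synchronize on b.
M1: FSM = ({0, 1, 2}, {0}, {"a", "b"},
           {(0, "a"): {1, 2}, (1, "b"): {0}, (2, "b"): {0}}, {1, 2})
M2: FSM = ({0, 1}, {0}, {"b", "e"}, {(0, "b"): {1}, (1, "e"): {0}}, {1})
NET_OK = [M1, M2]

# Constructed component with the GalP pattern of Section 5: two initial states,
# and stimulus g leads from one to a critical and from the other to a
# non-critical state.
GALP_LIKE: FSM = ({0, 1, 2, 3}, {0, 1}, {"g"}, {(0, "g"): {2}, (1, "g"): {3}}, {0, 1, 2})
NET_BAD = [GALP_LIKE, M2]

if __name__ == "__main__":
    ok, local = decentralized_observer(NET_OK)
    print(ok, monitor(NET_OK, local, ["a", "b", "e"]))
    print(decentralized_observer(NET_BAD))
```

On NET_OK the exploration visits four aggregates and leaves M1 with a two-state local observer ({0} and {1, 2}) and M2 with another two-state one; the verdicts on the trace a b e are 1, 1, 0, matching the criticality of the product state at each step. On NET_BAD the first g-transition produces the aggregate ({2, 3}, {0}), which is neither inside nor outside the critical set, so the algorithm stops before any transition map is built.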
In the sequel, the space complexity of an FSM is computed as S_1 + S_2, where S_1 is the sum of the data needed to be stored for each transition and S_2 is the number of output data associated with states. Data stored for a transition from a state (z_1, z_2, ..., z_m) to a state (z_1^+, z_2^+, ..., z_{m^+}^+) with a given input label are counted as Σ_{i ∈ [1; m]} |z_i| + Σ_{i ∈ [1; m^+]} |z_i^+| + 1. Time complexity is computed as the number of transitions generated in composed FSMs and observers, which represent macro iterations in the algorithms.
Example 4.9.
Consider N = {M_1, M_2, M_3, M_4} where FSMs M_1 and M_2 are depicted in Fig. 1 and FSMs M_3 and M_4 in Fig. 8, and apply Algorithm 3. (Line 1) It is easy to see that FSMs M_1 and M_3 are bisimilar, with bisimulation relation R_{1,3} ⊆ X_1 × X_3, and that FSMs M_2 and M_4 are bisimilar, with bisimulation relation R_{2,4} ⊆ X_2 × X_4. The equivalence classes induced by the bisimulation equivalence on N are E_1 = {M_1, M_3} and E_2 = {M_2, M_4}. The resulting network N_min can be chosen as {M_1, M_2}. (Line 2) By applying Algorithm 2 we get that N_min is critically observable. The resulting projected local observers π|Obs(M_1)(Obs_d(N_min)) and π|Obs(M_2)(Obs_d(N_min)) are depicted in Fig. 6. (Line 8) Define π|Obs(M_i)(Obs_d(N)) as π|Obs(M_1)(Obs_d(N_min)) for i = 1, 3 and as π|Obs(M_2)(Obs_d(N_min)) for i = 2, 4. Space and time complexities in constructing the projected local observers are 54 and 8. A traditional approach would first construct explicitly M(N) and then construct Obs(M(N)). The number of states of M(N) is 21 and that of Obs(M(N)) is 6. The resulting space and time complexities are 633 and 39.
Example 4.10.
Consider N = {M_1, M_2, M_3, M_4, M_5} where FSMs M_i, i ∈ [1; 4] are as in Example 4.9 and M_5 is depicted in Fig. 7 with C_5 = { }, and apply Algorithm 3. (Line 1) It is easy to see that for any i ∈ [1; 4], FSMs M_5 and M_i are not bisimilar, from which N_min can be chosen as {M_1, M_2, M_5}. (Line 2) In the first iteration of Algorithm 2, starting from the initial state z^0 = ({ }, { }, { }) with label b, state z^+ = ({ }, { }, { , }) is reached. Since state z^+ does not satisfy the condition in line 12 of Algorithm 2, Algorithm 2 terminates, from which Algorithm 3 terminates as well, giving as output that N is not critically observable. Data stored in line 1 of Algorithm 2 are 72 while those in lines 2–9 are 19, from which the space complexity at line 12 is 91. Since Algorithm 2 terminates at the first iteration and no transitions are generated, the time complexity is evaluated as 0. A traditional approach would first construct explicitly M(N) and then construct Obs(M(N)). The number of states of M(N) is 24 and that of Obs(M(N)) is 6. The resulting space and time complexities are 895 and 39.
Figure 6. Projected local observers π|Obs(M_1)(Obs_d(N_min)) (states {1}, {2}, {4}) on the left and π|Obs(M_2)(Obs_d(N_min)) (states {5}, {6}, {7, 8}) on the right.
Figure 7. FSM M_5.
Figure 8. FSM M_3 on the left and FSM M_4 on the right.
Table 1. Computational complexity analysis.
Complexity   Obs(M(N))        Obs_d(N_min)
Space        O(2^{n_max N})   O(n_max N^2 + 2^{n_max N_min})
Time         O(2^{n_max N})   O(n_max N^2 log(n_max) + 2^{n_max N_min})
5. An application to the analysis of a biological network
The advantages of our approach to model reduction and critical observability analysis have been illustrated in [18] for Air Traffic Management systems. To show the applicability of our method in a different context we now consider a biological system. Systems biology studies the mechanisms by which macromolecules produce the functional properties of living cells through dynamic interactions [1]. The understanding of such complex biological systems requires the integration of experimental and computational research [12].
Here we propose a network of FSMs to build up a simplified model underlying the transcription network involved in the bacterium Escherichia coli sensing different nutrient conditions. In particular, we consider the system for the transport of the secondary sugar galactose. We model the system by following [24] and the supplementary material therein. We start by defining an FSM for each gene product involved in the galactose network. According to a widespread simplifying assumption [2], we do not distinguish between transcripts (i.e. mRNA) and proteins: hence, we consider only the proteins and their interactions. The first FSM, depicted in Figure 9(a), models the cAMP Receptor Protein (CRP). Starting from the initial state 0 of inactivity, the presence of the chemical signal cAMP, representing the absence of glucose 6-phosphate (the preferred sugar for E. coli), forces the CRP protein to jump to a state of full activity, represented as state 1 in the FSM. When in state 1, the cAMP-CRP complex influences the transcription of other proteins; label c in the FSM serves this purpose. The presence of glucose 6-phosphate (represented as the logical negation ¬cAMP of label cAMP) decreases the cAMP-CRP level, bringing the protein back to state 0 of inactivity. The FSM associated with GalR is depicted in Figure 9(b) and works in a similar way; the difference is that this protein represents the intracellular presence of the D-galactose sugar. Thus it jumps to a state of full activity in the presence of label D-gal. Figure 10 depicts the FSMs modeling the two proteins GalP and MglB involved in the permease and transport of the galactose sugar. We start by describing the FSM modeling GalP. The full expression of GalP (state 3) requires the full activity of both proteins in Figure 9. Hence, from a modeling viewpoint, state 3 is reached after both events c and g, in any order, occur. (Events ¬c and ¬g are interpreted as the logical negations of events c and g, respectively.) The internal concentration of glucose 6-phosphate is assumed to be unknown, which implies that the set of initial states is given by {0, 1}. Since we are interested in the full activity of the proteins involved in the transport of galactose sugar (state 3 in Figure 10(a)), we consider as critical the states representing low or partial activity, i.e. states 0, 1 and 2. The FSM modeling the MglB system works similarly.
Figure 9. Regulation of galactose: (a) FSM CRP; (b) FSM GalR.
Figure 10. Permease and transport of galactose: (a) FSM GalP; (b) FSM MglB.
Detection of full activity of the proteins involved on the basis of the available information can be rephrased as a critical observability problem. Consider the whole network of FSMs N := {CRP, GalR, GalP, MglB}. The first step of Algorithm 3 consists in computing the quotient network N_min. Since GalP and MglB are isomorphic (hence, bisimilar), the equivalence classes induced by the bisimulation equivalence on N are E_1 := {CRP}, E_2 := {GalR}, E_3 := {GalP, MglB}. The resulting network N_min can be chosen as {CRP, GalR, GalP}. By applying Algorithm 2 we get that N_min is not critically observable. This is also evident from the fact that FSM GalP is not critically observable (with stimulus g there is a transition from the initial state 0 to the critical state 2 and a transition from the initial state 1 to the non-critical state 3) and this situation persists after the composition of the whole network. From the systems biology perspective, this means that we cannot know the activity level of the proteins needed for the transport of galactose inside the bacterium without further information, which could instead be obtained by additional measurements at the expense of a higher cost of the experimental set-up. The model proposed in this section is simplified and hence it does not capture the complexity of the whole network, which is in fact out of the scope of the present paper. In future work we plan to extend the proposed model along two directions: (i) the proposed network of FSMs provides a description of the proteins at steady state (in fact the work in [24], inspiring our model, makes use of boolean networks); we plan to extend the description to the transient regime, which is of great interest in the systems biology community and which is also possible with the FSM formalism (and not with the boolean networks used in [24]); (ii) a second future research direction consists in considering a larger and possibly more realistic transcription network. The outcome of the analysis would assist scientists in better understanding interaction mechanisms in large-scale complex transcription networks.
6. Discussion
In this paper, we proposed decentralized critical observers for networks of FSMs. On-line detection of critical states is performed by local critical observers, each one associated with an FSM of the network. For the design of local observers, efficient algorithms based on on-the-fly techniques were provided. Model reduction of networks of FSMs via a notion of bisimulation equivalence that takes criticalities into account was shown to facilitate the design of decentralized observers for the original network.
A discussion on connections with observability notions available in the current literature follows. (Here, the term "observability" is used in a broader sense.) These notions can be roughly categorized along the following directions: language (L) vs. state space (S) based notions; centralized (C) vs. decentralized (D) architectures; notions employed for purely analysis purposes (A) vs. notions instrumental to address control design (CD). An exhaustive review of the existing literature in this regard is out of the scope of the present paper. We only recall here: within (L)–(C)–(A) the notions of language observability [13] and of diagnosability [22]; within (L)–(C)–(CD) optimal sensor activation in [31, 29]; within (L)–(D)–(A) the notion of co-diagnosability in e.g. [33, 6, 9, 23, 26], extending the one of diagnosability to a decentralized setting; within (L)–(D)–(CD) the notion of co-observability [20], extending the one of language observability to a decentralized setting, and the work [28] proposing an extension of the notion of co-observability to dynamic observations in controlled DESs and results for translating co-observability problems into co-diagnosability problems; within (S)–(C)–(A) the notions of diagnosability with a state space approach in [32], current state observability [3], opacity [21], detectability e.g. [25] and efficient algorithms for the computation of indistinguishable states in e.g. [30]; within (S)–(D)–(A) the concept of state disambiguation in e.g. [19] and the notion of critical observability in [10] and in the present paper.
Many papers mentioned above consider deterministic FSMs with partially observable transitions, while in our paper we consider nondeterministic FSMs with observable transitions; however, it is well known how to translate the first class of FSMs into the latter and vice versa. Moreover, the discussion in [30] shows that the problems of guaranteeing observability in the sense of [13, 20] can be transformed into problems of state disambiguation.
Connections with the concept of state disambiguation in e.g. [19], which is in (S)–(D)–(A) as our paper, follow. The work [19] deals with state disambiguation of DESs communicating with each other: given a pair of DESs, the problem addressed consists in finding the minimal information that needs to be shared between two agents so that each agent is able to distinguish between the states of its DES. State disambiguation deals with studying conditions under which any pair of states of a DES can be distinguished on the basis of the traces associated with state runs of the DES ending in the two states. It is readily seen that an FSM where all states are disambiguated is also critically observable. The converse implication is not true in general: for example, the FSM M in Remark 2.6 is critically observable but states 1 and 2 are not disambiguated. In fact, the notion of critical observability can be viewed as an extension of the concept of state disambiguation to set disambiguation, where states in the set of critical states C of an FSM M = (X, X^0, Σ, δ, C) need to be disambiguated from states in the set X \ C obtained as the complement of C in X.
Apart from technical differences between the concepts of state disambiguation of e.g. [19] and critical observability, the present paper approaches the efficient design of decentralized critical observers by extending techniques based on formal methods. To the best of our knowledge, the proposed approach was not explored before in the literature on discrete event systems, with the only exception of [32].
A discussion on connections with [32] follows. While our work is within (S)–(D)–(A), the work [32] is within (S)–(C)–(A): it proposes a state space approach to the study of diagnosability of single FSMs and model reduction via bisimulation, as a tool to facilitate the check of the fault diagnosability property. Regarding the notions employed, while critical observability requires the immediate detection of a critical state, diagnosability notions, including the one considered in [32], allow for a finite delay before fault detection; moreover, while critical states need to be detected whenever they are reached, faults are detected only the first time they are reached. Regarding the model reduction schemes employed, while [32] performs bisimulation-based reduction of single FSMs, our approach proposes a bisimulation-based reduction of networks of FSMs such that the FSMs composing the network are never composed; this approach allows model reduction at a higher level of abstraction, and therefore is more effective, as also substantiated by the computational complexity analysis performed and by Example 4.9.
In future work we plan to extend the formal methods techniques proposed in this paper from decentralized critical observability to co-diagnosability.
Useful insights in this regard are reported in [32].
Acknowledgements:
We wish to thank Sina Lessanibahri for participating in fruitful discussions at the beginning of this project. We also thank Pasquale Palumbo for fruitful discussions on the systems biology example in Section 5.
References
[1] L. Alberghina and H.V. Westerhoff. Systems Biology. Definitions and Perspectives. Topics in Current Genetics, Springer, 2005.
[2] U. Alon. An Introduction to Systems Biology: Design Principles of Biological Circuits. Chapman and Hall/CRC Press, 2007.
[3] A. Balluchi, L. Benvenuti, M.D. Di Benedetto, and A.L. Sangiovanni-Vincentelli. Design of observers for hybrid systems. In C.J. Tomlin and M.R. Greenstreet, editors, Hybrid Systems: Computation and Control, volume 2289 of Lecture Notes in Computer Science, pages 76–89. Springer Verlag, Berlin, 2002.
[4] C.G. Cassandras and S. Lafortune. Introduction to Discrete Event Systems. Kluwer Academic Publishers, 1999.
[5] E.M. Clarke, O. Grumberg, and D. Peled. Model Checking. MIT Press, 1999.
[6] O. Contant, S. Lafortune, and D. Teneketzis. Diagnosability of discrete event systems with modular structure. Discrete Event Dynamic Systems, 16:9–37, 2006.
[7] C. Courcoubetis, M. Vardi, P. Wolper, and M. Yannakakis. Memory-efficient algorithms for the verification of temporal properties. Formal Methods in System Design, 1(2-3):275–288, 1992.
[8] E. De Santis, M.D. Di Benedetto, S. Di Gennaro, A. D'Innocenzo, and G. Pola. Critical observability of a class of hybrid systems and application to air traffic management. Book chapter, Lecture Notes on Control and Information Sciences, Springer Verlag, 2005.
[9] R. Debouk, R. Malik, and B. Brandin. A modular architecture for diagnosis of discrete event systems. In Proceedings of the Conference on Decision and Control, Las Vegas, Nevada, USA, pages 417–422, December 2002.
[10] M.D. Di Benedetto, S. Di Gennaro, and A. D'Innocenzo. Discrete state observability of hybrid systems. International Journal of Robust and Nonlinear Control, Special Issue on Observability and Observer Design for Hybrid Systems, 19(14):1564–1580, 2008.
[11] A. Dovier, C. Piazza, and A. Policriti. An efficient algorithm for computing bisimulation. Theoretical Computer Science, 311(1–3):221–256, 2004.
[12] H. Kitano. Computational systems biology. Nature, 420:206–210, 2002.
[13] F. Lin and W. Wonham. On observability of discrete-event systems. Information Sciences, 44:173–198, 1988.
[14] MAREA. Mathematical Approach Towards Resilience Engineering in ATM. Technical Tender, public version, March 2011. http://complexworld.eu/wiki/MAREA.
[15] R. Milner. Communication and Concurrency. Prentice Hall, 1989.
[16] R. Paige and R.E. Tarjan. Three partition refinement algorithms. SIAM Journal on Computing, 16(6):973–989, 1987.
[17] D.M.R. Park. Concurrency and automata on infinite sequences. Volume 104 of Lecture Notes in Computer Science, pages 167–183, 1981.
[18] D. Pezzuti. Formal methods for complexity reduction in the analysis of safety critical systems. PhD Thesis, University of L'Aquila (Italy), 2015.
[19] K. Rudie, S. Lafortune, and F. Lin. Minimal communication in a distributed discrete-event system. IEEE Transactions on Automatic Control, 48:957–975, 2003.
[20] K. Rudie and W. Wonham. Think globally, act locally: decentralized supervisory control. IEEE Transactions on Automatic Control, 37(11):1692–1708, 1992.
[21] A. Saboori and C.N. Hadjicostis. Notions of security and opacity in discrete event systems. Pages 5056–5061, New Orleans, LA, USA, December 12–14, 2007.
[22] M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen, and D. Teneketzis. Diagnosability of discrete-event systems. IEEE Transactions on Automatic Control, 40(9):1555–1575, 1995.
[23] K.W. Schmidt. Verification of modular diagnosability with local specifications for discrete-event systems. IEEE Transactions on Systems, Man and Cybernetics, 43(5):1130–1140, 2013.
[24] S. Semsey, S. Krishna, K. Sneppen, and S. Adhya. Signal integration in the galactose network of Escherichia coli. Molecular Biology, 65(2), 2007.
[25] S. Shu, F. Lin, and H. Ying. Detectability of discrete event systems. IEEE Transactions on Automatic Control, 52(12):2356–2359, December 2007.
[26] R. Su and W.M. Wonham. Global and local consistencies in distributed fault diagnosis for discrete-event systems. IEEE Transactions on Automatic Control, 50(12):1923–1935, 2005.
[27] S. Tripakis and K. Altisen. On-the-fly controller synthesis for discrete and dense-time systems. In World Congress on Formal Methods in the Development of Computing Systems, volume 1708 of Lecture Notes in Computer Science, pages 233–252. Springer Verlag, Berlin, September 1999.
[28] W. Wang, A.R. Girard, S. Lafortune, and F. Lin. On codiagnosability and coobservability with dynamic observations.
IEEETransactions on Automatic Control , 56(7):1551–1566, 2011.[29] W. Wang, S. Lafortune, A. R. Girard, and F. Lin. Optimal sensor activation for diagnosing discrete event systems.
Automatica ,46:1165–1175, 2010.[30] W. Wang, S. Lafortune, and F. Lin. An algorithm for calculating indistinguishable states and clusters in finite-state automatawith partially observable transitions.
Systems and Control Letters , 56:656–661, 2007.[31] W. Wang, S. Lafortune, F. Lin, and A. R. Girard. Minimization of dynamic sensor activation in discrete event systems forthe purpose of control.
IEEE Transactions on Automatic Control , 55:2447–2461, 2010.[32] S.H. Zad, R.H. Kwong, and W.M. Wonham. Fault diagnosis in discrete-event systems: Framework and model reduction.
IEEE Transactions on Automatic Control , 48(7):51–65, July 2003.[33] C. Zhou, R. Kumar, and R. S. Sreenivas. Decentralized modular diagnosis of concurrent discrete event systems. In
Proceedingsof the th International Workshop on Discrete Event Systems Gteborg, Sweden , pages 28–30, May 2008. Department of Information Engineering, Computer Science and Mathematics, Center of Excellence DEWS, Uni-versity of L’Aquila, 67100 L’Aquila, Italy
E-mail address: {giordano.pola, davide.pezzuti, elena.desantis, mariadomenica.dibenedetto}