fault diagnosis

1. Decentralized Fault Free Model Approach for Fault Detection and Isolation of
Discrete Event Systems
Moamar Sayed-Mouchaweh
Univ Lille Nord de France, F-59000 Lille, France
EMDouai, IA, F-59500 Douai, France
moamar.sayed-mouchaweh@mines-douai.fr
Abstract: This paper presents a Boolean discrete event model based approach for Fault Detection and
Isolation (FDI) of manufacturing systems. This approach considers a system as a set of independent
components composed of discrete actuators and their associated discrete sensors. Each component model
is only aware of its local desired fault free behavior. The occurrence of a fault entailing the violation of
the desired behavior is detected and the potential responsible candidates are isolated using event
sequences, time delays between correlated events and state conditions, characterized by sensor readings
and control signals issued by the controller. The proposed approach is applied to a flexible manufacturing
system.
Keywords: Discrete Event Systems, Decentralized Approaches, Diagnosis, Manufacturing Systems.

1 Introduction
The complexity of man-made systems, such as communication networks, manufacturing systems, electric
power systems, etc., increases rapidly with the course of time. It results from the large number of subcomponents
of these systems and the large volume of information flow. This increasing complexity enhances the probability
of occurrence of faults.
The basic idea of Fault Detection and Isolation (FDI) is to collect sequences of observations (or symptoms), in
order to decide whether or not a system is working normally (fault detection). Then, if a fault is detected, FDI
reports (fault isolation) which fault has occurred (deterministic diagnosis) or the most likely to have occurred
(probabilistic diagnosis). Each fault that can result in a certain symptom, or sequence of observations, is
considered as a possible fault candidate.
Generally, FDI approaches are divided into model reasoning and model based approaches. Model reasoning
approaches [7, 11] construct a model about the system behavior based on an initial human experience, e.g. expert
systems, on a set of historical data, e.g. pattern recognition and signal processing methods, etc. Model based
approaches [4, 5, 10, 15, 20, 21, 25] establish a mathematical or analytical model about the behavior of a system.
The model can contain the normal or nominal behavior (fault free behavior) or the normal behavior as well as the
system behavior for a predefined set of faults. The model may be quantitative, e.g. expressed in
1

2. differential/difference equations, transfer functions, etc., or qualitative, e.g. a finite-state automaton, a set of
logic expressions, a combination of both, a Petri net, etc.
The principal advantage of approaches using both normal and fault behaviors, is the precision of the fault
isolation. However, integrating the system behavior in response to a predefined set of faults increases
significantly the model size. In addition, only predefined faults can be diagnosed. These disadvantages can be
avoided using a fault free model. However, the fault isolation cannot be as precise as the one using normal and
fault behaviors.
Performing the diagnosis of a large scale Discrete Event System (DES) by using a global model is unrealistic.
In addition, this type of systems is naturally decentralized, i.e. they are composed of several subsystems or
components possessing their own local information. An alternative to achieve the diagnosis of systems of this
type is the decentralized or distributed approaches. In decentralized approaches [6, 8, 19, 25], the diagnosis is
performed based on a set of local diagnosers. Each local diagnoser is responsible for a restricted area of the
system. Since no communication is allowed among the local diagnosers, a global model of the system is required
to take into account the links between the interrelated components. In distributed approaches [4, 9, 12, 24], there
is no need for a global model. The latter is described by a set of local models. Each local model is only aware of
its own behavior. The links, or dependencies, among components are considered via exchange among local
diagnosers using communication protocols [9, 24] or via a merging strategy [1, 4]. The merging is performed by
successive synchronous operations of component local diagnoses [4] or by propagating hypotheses from a local
diagnoser to its neighbors [1].
In this paper, we propose a decentralized fault free model based approach to diagnose plant faults of DESs.
The independence property between system components is exploited in order to describe the global model by the
fault free models of its components. Each component is composed of an actuator and its associated sensors.
These models are represented as Boolean DES models. Each behavior which does not correspond to a normal
one is considered as a fault behavior. Component elements (actuators/sensors), responsible for this fault
behavior, are considered as fault candidates.
The paper is structured as follows. In section 2, the proposed approach is presented. In section 3, the approach
is applied to a flexible manufacturing system. The last section concludes the paper and presents future research
directions.
2 Proposed approach for fault detection and isolation
2.1 Boolean models of system components
We use Boolean DES (BDES) modeling, presented in [2], to model the equipment (sensors/actuators) behavior
of a system. The system model G consists of n local models: G1,…, Gn, each one owns its local observable
events responsible for a particular component ci, i  1,..., n . The model G   Σ , Q, Y , δ, h, q0  is represented as
a Moore automaton and L = L(G) denotes its corresponding prefixed closed language. Σ is a finite set of events
and it includes the observable and unobservable events. Q is the set of states, Y is the output space, δ : Σ * x Q 
Q is the partial transition function, and Σ * is the set of all event sequences of the language L(G). The partial
transition function δ (σ , q) provides the next state if σ occurs at q. h: Q  Y is the output function. h(q) is the
2

3. observed output at q. q0 is the initial state. Let Σ f be the set of fault events. Σ f is partitioned into different fault
types. Each fault type requires the identification not of the fault event itself, but of the type of fault, when such
an event occurs in the system. This fault type corresponds to some kinds of faults in an equipment element
(sensor/actuator). Let Σ f Σ F1  ...  Σ Fr where Σ Fj , j  1,..., r denote disjoint sets of fault events
corresponding to different fault types. It consists of the set of faults which have the same effect according to
either the configuration or maintaining procedure. When a fault of type Fj has occurred, this means that some
event from the set Σ Fj , j  1,..., r has occurred.
In [3], controllable events Σc  Σ are defined as controller outputs sent to actuators and uncontrollable events
Σu  Σ as controller inputs coming from sensors. Σo  ( Σc  Σu )  Σ is the set of observable events.
Typically, observable events in a system are either enabled/disabled commands issued by the controller or
changes of sensor readings. Unobservable events are failure events or other events which cause changes in the
system state not recorded by sensors.
Let Gi and its corresponding prefixed closed language, Li = L(Gi), be the local model of the restricted area of

the system observed by this model. Gi  Σ i , Qi , Y i , δ i , hi , qi0  is represented as a Moore automaton.
Σo  Σci  Σu is the set of local observable events by Gi, and Σo  Σo . The other notations have the usual
i i i
definition but for the restricted area observed by Gi. The model G is the synchronous composition of all the local
models: G = G1 ║G2║...║Gn. G observes the system by one global projection function or mask,
PL : Σ *  ε  Σo , where ε denotes the empty sequence. Thus, PL erases the unobservable events in an event
*
sequence. The inverse projection function is defined as: PL1 (u)  s  L: PL (s)  u . It establishes all the event
sequences producing the same observable event sequence u. Similarly, a local projection function can be defined
for each local model Gi as: PLii : Σ i*  ε  Σo* . A state qj of G is represented by an output vector hj considered
i
as a Boolean vector whose components are Boolean variables. Let d denote the number of state variables of G,
the output vector hj of each state qj can be defined
as: q j  Q, h(q j )  h j  (h j1 ,..., h jp ,..., h jd ), h jp  0,1 , h j  Y  0,1 . A transition from one state to another is
d
defined as a change of a state variable from 0 to 1, or from 1 to 0. Thus, each transition produces an event α
characterized by either rising, α  h jp , or falling, α  h jp , edges where p   ,2,...,d  .
1
In order to describe the effect of the occurrence of an event α  Σo , a displacement vector E is used. It is
defined as a Boolean vector E  (e1 ,...,ep ,...,ed ) in 0,1 . If ep = 1, then the value of pth state variable
d
hjp will be complemented when α occurs. While if ep = 0, the value of pth state variable hjp will remain
unchanged when α occurs. Thus, the output vector can be calculated by:
qi , q j  Q, α  Σo , q j  δ(α, qi )  hj  hi  Eα . (1)
The symbol “  ” denotes the logical operator Exclusive-OR.
3

4. Similarly, we can define the displacement vectors for the other observable events. The set of all the
displacement vectors of all the events provides the displacement matrix E. For each event α  Σo , an enablement
condition, en (qi )  0,1 , is defined in order to indicate if event α can occur at state qi, en (qi )  1 , or not,
en (qi )  0 . Consequently, (1) can be re-written as:
 hi  Eα if enα (qi )  1
qi , q j  Q, α  Σo , q j  δ (α, qi )  h j   . (2)
 hi if enα (qi )  0
2.2 Constrained Boolean models of system components
Let S   Σ , QS , Y , δS , h, q0  denote the constrained system model, characterized as a Moore automaton. It
defines the global desired behaviour of the system and it is represented by the prefixed closed specification
language K = L(S)  L(G) . S can be obtained using different algorithms from the literature as the ones
developed in [17, 26] and the references therein. To obtain the transition function δS , the enablement conditions
for all system events, α  Σo , at each state must satisfy all the specifications K, representing the desired
behavior:
 hi  Eα if enα (qi )  1
α  Σo , qi , q j  QS , q j  δS (α, qi )  enα (qi )  1, h j   . (3)
 hi if enα (qi )  0
Thus, the constrained system model contains only the authorized events at each state. When the enablement
condition of an event is not satisfied, this indicates the occurrence of a fault.
Each local model Gi has a local constrained model Si, which is a part of the global constrained model S. Si is
represented by the specification language Ki = L(Si), which is included in K. Si is a Moore automaton:

S i  Σ i ,QS ,Y i ,δS ,hi ,qi0
i i
 and QS  Q i . All these notations have the usual definition but for the local
i
constrained system model Si.
2.3 Modeling timing delays of events
Most sensors and actuators in manufacturing systems produce correlated events since state changes are usually
affected by a predictable flow of materials [14]. Therefore, a temporal model centred on the notion of expected
event sequencing and timing relationships can be used.
In this paper, we define a set of expected consequences EC  for each controllable event β  Σc , in order to
predict uncontrollable but observable consequent events within predefined time intervals. EC  is constructed
for observable events and it describes the next events that should occur and the relative time intervals in which
they are expected. The predefined time intervals are determined by experts or by learning according to the
system dynamics and to the desired behavior. Let β u be an observable event sequence starting by controllable
event β , and ending by observable but non controllable event sequence u = α1α2 ...αk  Σo . Then, the set of
*
4

5. expected consequences ECβ (u ) is created when controllable event β occurs. α1α2 ...αk is the longest non
controllable but observable event sequence in response to controllable event β .
EC  (u ) has the following form: EC  (u ) = C α1
β
α1
α
α2 α αi α
, C β , Cβ 2 , C β ,..., Cβ i , C β ,..., Cβ k , C β
αk
. C αi
β is a positive
αi
expected consequence which should be satisfied in the case of a normal behavior. C β is a negative expected
αi
α
consequence which should not be satisfied in the case of a normal behaviour. C β i and C β are expected after the
occurrence of controllable event β and are defined, respectively, as follows:
 
αi
 αi

Cβi  αi ,(qαi , tmin  tαi  tmax , l αi ) , C β  αi , (qαi , tmax  tαi  tmax  Δαi , l β ) . Δαi is the maximal time period
α αi αi
β
αi αi
within which event αi is expected to occur. When i is equal to one, this indicates the occurrence of the first
observable but non controllable event in response to the occurrence of controllable event β . The positive
i 
expected consequence means that event αi should happen at state q i and within the time interval [ t min , t max ].
i
If it is the case, then the positive expected consequence is satisfied. Otherwise, the positive expected
α
consequence is not satisfied and it provides the set of fault labels l β i as the cause of this non satisfaction. The
i
negative expected consequence means that if event αi occurred after t max , then this satisfaction indicates a fault
αi
behavior and it provides the set of fault labels l β as the cause of this satisfaction. Positive consequences are used
to infer the fault candidates in the case of non occurrence of an event. While negative consequences are used to
infer the fault candidates in the case of too late event occurrences. The late occurrence of an event characterizes
a degraded behavior of a system. Fault behavior causes the production halt while a degraded one reduces the
optimal production performance. The set of fault labels can include one or several fault labels. Each one of them
indicates a fault candidate as the responsible for the fault occurrence.
Each expected positive/negative consequence C αi
β ,C β
αi
 is evaluated by an expected function EFβ (αi ) .
α
EFβ (αi ) is equal to 1 if the positive consequence C β i related to event αi is not satisfied or its associated
αi
negative consequence C β is satisfied. While it is equal to zero if the positive expected consequence is satisfied.
If a positive consequence is satisfied, then its associated negative one is not satisfied.
2.4 Fault detection and isolation
We adopt the hypothesis that each behavior which does not correspond to a normal one is considered as a fault
behavior. Thus, a fault can occur starting from any state of the desired behavior. This fault occurrence is
unobservable and it leads the system to a fault state. Each fault state must be reached within a finite time delay
for all the event sequences that can lead to this state starting from any other one of the desired behavior states.
Let ΨF j define the set of all event sequences ending by a fault belonging to fault partition Σ F j . Thus,
ΨF  r
j 1 (ΨFj ) denotes the set of all event sequences ending by a fault belonging to a fault partition of Σ f .
5

6. Consequently, ΨF  (L – K), i.e. all the fault sequences ending by a fault belonging to one of fault partitions of
Σ f are considered as violation of the specification language K.
The FDI of a global model G is defined as follows. Let βρθ be an event sequence starting by controllable
event β. ρ is an event sequence that ends by a failure event and θ is a continuation of ρ. In order to ensure the
fault detection, the following condition must hold:
(βρθ  L : ρ  ψF ) ( PL (θ )  α1...αk , θ  k  ) (q  Q)  enαk (q)  0 or EFβ (αk )  1. (4)
The satisfaction of (4) ensures that any event sequence violating the global desired behavior, due to the
occurrence of a fault, must be detected by:
- the non satisfaction of the positive expected consequence related to event αk ,
- the satisfaction of the negative consequence related to event αk ,
- the non satisfaction of the enablement condition of the latest observable but non controllable event αk in
the event sequence.
This detection is performed in a finite time delay ; specifically at k event transitions after ρ.
In this paper, we assume that at most one fault may occur at a time. The set of fault candidates can be
determined as follows. Let hjp denote the state variable describing the discrete status (on/off) of sensor p. Let
 h jp ,  h jp  be the events produced by this state variable at state qj. The non occurrence of  h jp in the
α
expected time interval generates the following three fault candidates: l β = {“sensor p blocked at 1”, “associated
actuator with sensor p stuck-off”, “associated actuator with sensor p acting too slowly according to its normal
α
behavior”}. The too late occurrence of  h jp generates the fault candidate: l β = {“associated actuator with
sensor p acting too slowly according to its normal behavior”}. If the enablement condition enα (q j )  0 because
α
hjp = 1, then the fault candidate lq j is {“sensor p blocked at 1”}. In the contrary case, i.e. hjp = 0, the fault
α
candidate lq j is {“sensor p blocked at 0”}.
2.5 Progressive monitoring
Progressive monitoring aims at reducing the number of fault candidates thanks to the occurrence of new
events. The fault candidates which are no more consistent with the occurrence of a new event will be removed
from the set of fault candidates. In addition, only the common fault candidates explaining together the non
satisfaction of positive consequences and enablement conditions or the satisfaction of negative consequences are
kept. This is justified since one fault may occur at a time. Let FCAN β be the set of fault candidates in the case of
the occurrence of controllable event β . If enαi (q j )  0 , then FCAN β  lq ji . If αi  h jp (respectively
α
αi  h jp ) and its enablement condition is satisfied: enαi (q j )  1 , then sensor p is not blocked at 0 (respectively
6

7. sensor p is not blocked at 1). Thus, the fault candidate: “sensor p blocked at 0” (respectively “sensor p blocked at
1”) will be removed from the set of fault candidates. The same reasoning is applied for the satisfaction of the
positive expected consequence or the non satisfaction of the negative expected consequence related to the
occurrence of an event αi . Therefore, the set of fault candidates is reduced by both eliminating the fault
candidates which are no more consistent with the occurrence of an event and by keeping the candidates
explaining together the non satisfaction of positive consequences and enablement conditions and the satisfaction
of negative consequences. Let NFCAN β be the set of fault candidates to be removed from FCAN β . The set of
fault candidates is reduced as it is depicted in Fig 1.
Activation of a command β  Σc
FCAN β  {}; NFCAN β  {}
For each αi  Σo , i  1,..., k
No α
C β i is satisfied
Yes
FCAN β  {}  FCAN β  ( FCAN β  l ) NFCAN β
αi
β NFCAN β  NFCAN β  l βi
α
FCAN β  {}  FCAN β  l β i NFCAN β
α
FCAN β  FCAN β NFCAN β
αi
Yes
C β is satisfied FCAN β  ( FCAN β  lβαi ) NFCAN β
No
αi
NFCAN β  NFCAN β  l β
FCANDβ  FCANDβ NFCANDβ
No
enαi (q)  1
Yes
FCAN β  {}  FCAN β  ( FCAN β  lq i ) NFCAN β
α NFCAN β  NFCAN β  lq i
α
FCAN β  FCAN β NFCAN β
FCAN β  {}  FCAN β  lq i NFCAN β
α
No
i=k
Yes
Fig. 1. Progressive monitoring flowchart. “  ” is the union set operation, “  ” is the intersection set operation,
and “” is the difference set operation.
A preference order among candidates, when the set of fault candidates contains more than one candidate, can
be established by learning. In this case, historic records of past fault occurrences and their associated real fault
candidates are constructed. Then, for each fault occurrence, the probability of its potential fault candidates is
7

8. established as the number of times that these candidates were the real responsible divided by the total number of
fault occurrences. The preference order can also be established based on the expert knowledge.
2.6 Independent fault detection and isolation property
The system considered in this paper is composed of a set of independent components: ci, i  1,..., n . Two
components ci and cj, respectively, their local models Gi and Gj, are considered as independent if they verify the
following two proprieties: the state-independent and the transition-independent ones. The first property [4] states
that if Gi and Gj are a decomposition of their global model Gij  Gi G j , then each one of them has a unique
initial state. In other words, it expresses that when decomposing a model Gij into two local models Gi and Gj, no
constraints on their initial states have been lost. In this case, the synchronization of the two local models Gi and
Gj ensures that we get exactly the model Gij. Indeed, when the two local models interact (the state-independence
property is not satisfied), the decomposition of the model Gij into two local models Gi and Gj leads to lose the
information about the constraints existing between the local models initial states to represent the model initial
state. Thus, composing Gi and Gj does not ensure to get exactly Gij ; it may lead to get an automaton including
Gij. The transition-independence property is satisfied between two local models Gi and Gj if their automata do
not have any common synchronisation event.
We adapt the notions of independent diagnosis [22], jointly diagnosis [23] and local diagnosis [16], defined in
the case of models integrating both normal and fault behaviors, for the case of models containing only the
normal behavior. The FDI of a system can be achieved independently if its components are independent. The
system is independently FDI if the occurrence of a fault can be detected and the fault candidates can be
generated without any need for inter-local models communication and within a finite number of event
occurrences. The system can be independently FDI if it is jointly and locally FDI. The system is jointly FDI if
the occurrence of a fault can be detected and the fault candidates can be generated at at least one local model and
within a finite number of event occurrences. The system is locally FDI if all the faults occurring at a component
can be detected and their candidates can be generated at the local model of this component.
2.7 Decentralized fault detection and isolation
We adapt the notion of decentralized diagnosis [23], defined for models containing both normal and fault
behaviors, for the case of normal behavior models. A system is decentrally FDI iff each fault occurrence can be
detected and its associated set of responsible candidates can be generated based on a set of local models and a set
of inter-local models message events. In order to ensure the decentralized FDI, the following conditions must
hold:
(βθ  L) (θ  K : PLii (θ )  α1...αk )(i  1, 2,..., n)(q  Q)  enαk (q)  1.
i
(5)
(βρθ  L)( ρ  L  K )( PLii (θ )  α1...αk )(i  1, 2,..., n)(q  Q)  enαk (q)  0 or EFβ (αk )  1.
i
(6)
8

9. Condition (5) means that all the enablement conditions of all the local desired models must be satisfied for any
event of a sequence belonging to the global desired behavior. Thus, this condition ensures that no conflict can
occur between local desired models for the enablement of events at any state of the desired behavior. The
satisfaction of (6) ensures that any event sequence violating the global desired behavior, due to the occurrence of
a fault, must be detected by reaching at least one state q. At this state, the detection is based on the non
satisfaction of the enablement condition of the latest event αk in the event sequence, of its positive expected
consequence or on the satisfaction of its negative expected consequence.
If the system is composed of independent components, there is no need for inter-models messages to ensure a
decentralized FDI equivalent to the centralized FDI. Fig 2 illustrates the decentralized FDI for the case of two
independent components.
Global system
c1 c2
G
G1 G2
S S1 S2
FDI
FDI1 FDI2
FDI of faults FDI of faults
related to c1 related to c2
Fig. 2. Decentralized FDI for the case of two independent components.
3. Manufacturing system example
To illustrate the proposed approach, we use the example of Fig. 3 which presents a flexible manufacturing
system platform called cellflex (http://meserp.free.fr/).
9

10. Stock station
Bottles conveyer
Pick and place station
Processing
station
Bottles
supply
Station of
manipulation of
caressed bottles
Corks supply station Filling and screwing
station
Fig. 3. Flexible manufacturing system.
We focus on the pick and place station; the other stations can be treated by the same reasoning. Pick and place
station performs import and export of pieces by a gripper using a pneumatic system of 3 axes (Fig. 4). Symbol 
refers to Z axis displacement,  to X axis displacement,  to Y axis displacement, and  to the pneumatic
system gripper. This station is composed of 4 actuators piloted by 6 pre-actuators. The information about the
behavior of the station is provided by 9 sensors (Fig. 5).
Fig. 4. Pick and place station.
10

11. PLANT
Gripper
X axis cylinder
Y axis cylinder
CONTROLLER
Z axis cylinder
Actuators
Z axis in upper end position
Z axis in lower end position
Y axis in retracted position (station side)
Y axis in extended position
(conveyor side)
X axis at feeding belt
X axis at slide 2
X axis at middle position (slide 1)
Gripper opened
Gripper closed
Sensors Effector
Fig. 5. Actuators and sensors of pick and place station.
3.1 Fault free models of Y axis plant elements
We illustrate the construction of the Y axis model; the same reasoning can be followed for the construction of
the other axis models. The Y axis actuator is a Double Acting Cylinder (DAC) where retracted and extended
positions are indicated respectively by two sensors yR and yE (Fig. 6).
yR yE
VIn V<- V-> VOut
Out In
Fig. 6. Elements of the Y axis.
Fig. 7 and Fig. 8 illustrate the fault free models of Y axis plant elements. The model GDAC (Fig. 8) evolves from
its initial state q0/VIn after the occurrence of ↑Out. State q0/VIn indicates that the piston rod is in home position.
The occurrence of ↑Out leads the piston rod to move forward. This piston rod movement is represented by
dynamic state q*1/V->. The output V-> indicates that the piston rod is in movement towards its fully extended
position. The time Ts required to reach this position is assigned to the time variable Δ . In the same time, a local
clock t is initiated to calculate the spent time during the forward movement. At this dynamic state, when the
value of t becomes equal to the one allocated to Δ , this means that the actuator has reached its fully extended
position. Therefore, GDAC reaches state q2 with the output VOut. The deactivation of Out leads the system to be in
state q3 with the output VOut. At this state, control signal ↑In can occur. This activation leads the piston rod to
return to its home position. Thus, GDAC evolves to dynamic state q*4 with the output V<- indicating that the piston
rod is in inverse movement. The time Ts is assigned to Δ . Then, the local clock is initiated again to calculate the
elapsed time in the inverse movement. When this time becomes equal to the one allocated to Δ , the piston
11

12. arrives to its home position when reaching state q5/VIn. The deactivation of In transits the system to its initial
state.
↓ yR ↓ yE
q1 q0 q1 q0
yR /yR yE /yE
↑ yR ↑ yE
a) Sensor yR fault-free model b) Sensor yE fault-free model
Fig. 7. Fault free models of sensors yR and yE.
q0  Out, Ts->∆ q*1 Out . t := ∆ q2
VIn V-> VOut
 In  Out
q5 In . t := ∆ q*4  In, Ts->∆ q3
VIn V<- VOut
Fig. 8. DAC fault free model.
For each plant element, we can enumerate, with the help of an expert, the potential fault or degraded behaviors
and their responsible candidates. Table 1 shows the labels indicating the fault candidates of the fault and
degraded behaviors of Y axis plant elements.
Table 1. Fault and degraded behaviors and their responsible candidates for Y axis plant elements.
Type Label Description
ByR sensor yR blocked at 1
Fault behaviors
B/yR sensor yR blocked at 0
ByE sensor yE blocked at 1
B/yE sensor yE blocked at 0
BVin DAC blocked in retracted direction
BVout DAC blocked in extended direction
Degraded
DV-> DAC acting too slowly in extended direction compared to its normal behavior
behaviors
DAC acting too slowly in retracted direction compared to its normal behavior
DV<-
3.2 Desired behavior model of the Y axis
Y axis plant elements can be represented as a block for which the inputs are control signals of the controller, In
and Out, and the outputs are sensor readings yR and yE (Fig. 9). The controller is supposed to be safe and
12

13. dependable. For example, it is impossible to have the activation of In and Out at the same time. When control
signal Out is activated, the normal response is ↓ yR followed by ↑ yE.
Y axis Plant Elements
In
CONTROLLER
Y axis cylinder
Out
yR
Y axis retracted (station side)
yE
Y axis extended (conveyor side)
Fig. 9. Observable events of Y axis plant elements.
Local constrained system model SY for submodel GY of the Y axis is depicted in Fig. 10. Since any DAC with 2
positions has always the same desired behavior, the constrained model can be obtained from a library. While in
the case of DAC with n positions, several constrained models can be obtained according to the global desired
behavior. This is due to the existence of several intermediate positions for the cylinder. In [17] an algorithm is
defined to extract the local desired behavior based on the global one. Thus, it can be used to obtain local desired
behaviors in the case of a DAC of n positions.
SY h : yR yE Out In
1000 1010 0010 0110
Out *  yR  yE
1 2 3 4
In Out
 yR  yE In
8 7 6* 5
1001 0001 0101 0100
Fig. 10. Local constrained-system model SY for submodel GY.
In BDES modelling, the desired behavior can be described using two tables; the first one explains the
enablement conditions for the occurrence of each event and the second one is the displacement matrix for the
estimation of the state output vector of each next state. These tables are shown respectively in Table 2 and Table
3 for SY. As an example we can notice that the only event allowed to take place in the initial state of SY,
characterized by output vector h1 = (yR yE Out In)=(1000), is controllable event ↑Out since its enablement
condition Y
enOut (q1 ) is satisfied and enablement conditions for all other events are false (See Table 2). The
displacement vector of this event is EOut  (0010) . The output vector of the next estimated state of SY is
Y
calculated using (2): en1Out (q1 )  1  h2  h1  EOut  (1000)  (0010)  (1010) . Similarly, we calculate the next

Y
output vector according to the occurrence of each authorized observable event.
13

14. Table 2. Enablement conditions for SY.
Event: σ of SY Y
Enable condition: en
↑ yR /yR . /yE . /Out . In
↓ yR yR . /yE . Out . /In
↑ yE /yR . /yE . Out . /In
↓ yE /yR . yE . /Out . In
↑Out yR . /yE . /Out . /In
↓Out /yR . yE . Out . /In
↑In /yR . yE . /Out . /In
↓In yR . /yE . /Out . In
Table 3. Displacement matrix EY for SY
State variable ↑ yR ↓ yR ↑ yE ↓ yE ↑Out ↓Out ↑In ↓In
yR 1 1 0 0 0 0 0 0
yE 0 0 1 1 0 0 0 0
Out 0 0 0 0 1 1 0 0
In 0 0 0 0 0 0 1 1
3.3 Definition of expected consequences
We use expected consequences to model cylinder response times which can be obtained by learning and/or by
technical documentation. For SY, we define 2 expected consequences: ECOut and EC In , one for each command
enablement: ↑Out and ↑In. The occurrence of ↑ Out entails events ↓ yR and ↑ yE to occur respectively at states q2
*
and q3. After the occurrence of ↑ Out, ↓ yR is expected to occur within the time interval [t1, t2] and ↑ yE within
the time interval [t3, t4]. These time intervals depend on system dynamics. We define the maximum time
Δ yR accepted for the cylinder response, in the case of degraded behavior, entailing the occurrence of event ↓ yR.
max
If ↓ yR does not occur at q2 within the time interval [t1, t2], then either: -) the cylinder has not responded, -) the
*
cylinder is acting too slowly, or -) sensor yR is blocked at 1. Thus, the non satisfaction of the corresponding
positive expected consequence at this state provides three fault candidates: “DAC blocked in retracted direction”
indicated by the label BVin, “DAC acting too slowly in extended direction” indicated by the label DV->, and
“sensor yR blocked at 1” indicated by the label ByR. If ↓ yR occurs but too lately, then the provided fault is “DAC
acting too slowly in extended direction” indicated by the label DV->. The same reasoning can be followed for
event ↑ yE. Consequently ECOut can be written as follows:

  yR  yR
   yR

 COut , C Out  { yR ,(q 2 , t1  t  t 2,{ByR ,BVin , DV  })},{ yR ,(q 2 , t 2  t  t 2  Δmax ,{DV  })} , 


* * 

.
 
ECOut
 
 yE
 C  yE , C Out  { yE ,(q3 , t 3  t  t 4,{B/ yE , BVin , DV  })},{ yE ,(q3 , t 4  t  t 4  Δ yE ,{DV  })} 
 Out

max


Similarly, the expected consequences for the enablement of command In is written as follows:
14

15. 
  yE  yE
   yE 
 C In , C  In  { yE , (q 6 , t1  t  t 2,{ByE ,BVout , DV  })},{ yE , (q 6 , t 2  t  t 2  Δmax ,{DV  })} , 


* *

.

 
EC In
 
 yR
 C , C  In  { yR , (q7 , t 3  t  t 4,{B/ yR , BVout ,DV  })},{ yR , (q7 , t 4  t  t 4  Δmax ,{DV  })} 
 yR  yE
  In
 

However, these abnormal behaviors require the determination of the intervals defining the acceptable time of
displacement of the DAC in the case of normal and degraded behaviors. To determine these intervals, we have
established a learning phase about the system normal behavior. The goal of this learning is to obtain realistic
time response intervals related to the system dynamics and to the actuators technology. These intervals are
obtained by a learning extrapolation of the probability, chance, of the occurrence of an event in this interval. Fig.
11 presents the learning extrapolation when command Out is activated. This activation expects as normal
response events ↓ yR then ↑ yE within respectively the time intervals [t1, t2] and [t3, t4]. Fig 12 shows the time
interval between the activation of command Out and the cylinder response. This interval is calculated for 100
different activations of command Out. Fig. 13 presents the learning of time interval [t3, t4] of the occurrence of
event ↑yE after the activation of Out. This learning is obtained by exploiting the historic records of past required
time by the cylinder to reach its full extended position for different responses, 100 for the example of Fig. 13.
Out =1 ↓ yR ↑ yE
t
 yR  yE
t1 t2 Δ max t3 t4 Δ max
Fig. 11. Learning extrapolation for time intervals of sensor event occurrences in response to the activation of
command Out.
25
Number of occurrences of ↓ yR
20
15
10
5
0
45 48 51 54 57 60 63 66 69 72 75 78
Time (ms)
Fig. 12. Learning of the time interval and the number of the occurrence of event ↓ yR after the activation of Out.
50
↑ yEer
45
40
Number of occurrences of
35
30
25
20
15
10
5
0
120
123
126
129
132
135
138
141
144
147
150
Time (ms)
Fig. 13. Learning of the time interval and the number of the occurrence of event ↑ yE after the activation of Out.
15

16. 3.4 Generation of fault candidates for the Y axis
The candidates responsible for the occurrence of a fault in a plant element (sensor/actuator) can be determined
based on its normal models as well as on its temporal constraints represented by a set of positive/negative
expected consequences. The following hypotheses are considered:
 all components fail independently with equal likelihood,
 one fault may occur at a time,
 the controller is supposed to be dependable and safe. Consequently, the controller cannot be responsible
for any fault as the one of sending two conflicting control signals,
 the cylinder does not fail during operation, i.e. if it does fail, the fault occurs at the start of operation.
This means that a fault cannot occur during the cylinder movement.
The fault candidates are generated as follows. A fault is detected in one of the following cases: an unexpected
event occurs, an expected event does not occur, or it occurs too lately. In the first case, the enablement condition
of the event occurrence is not satisfied. The possible fault candidate is determined by identifying the state
variable responsible for this non satisfaction. As an example, when the cylinder of the Y axis is in the initial state
(Fig 10) and when command Out is activated, the system transits to the next desired state characterized by the
outputs Out = 1, In = 0, yR = 1, yE = 0. The output vector for this state is calculated using (1):
h2  (h1  1000)  ( EOut  0010)  (1010) . If the cylinder responds, then sensor event ↓yR will be observed
Y
within the time interval [t1, t2] indicating that the cylinder motor is not faulty. Since enYOut (q1 )  1 , see Table 2,

then this state corresponds to a state of the desired behaviour SY. If event ↑ yE occurs at the state q2 instead of
*
expected event ↓ yR, then en yE ( q2 ) = / yR . / yE .Out. / In = 0. The only reason for this non enablement, based on
Y *
 
the conditions of q2 , is the state variable of sensor yR. Thus, the fault candidate is FCANOut  ByR . If there is
*
 yR
no sensor event within the time interval [t1, t2], then positive expected consequence COut is not satisfied and the
 yR

fault candidates will be generated as follows: FCANOut  lOut  BVin , D V  , ByR . 
3.5 Progressive monitoring
The number of candidates can be reduced using a progressive monitoring (Fig 1). The occurrence of new
sensor events can lead to eliminate the inconsistent candidates with this new observation. As an example, if  yR
 yR
is observed within the time interval [t1, t2], then positive expected consequence COut as well as the enablement
 yR
condition of  yR are satisfied; while negative expected consequence C Out is not satisfied. Thus, we can
obtain: NFCANOut  {ByR , BVin , DV  } and FCANOut = {}. If  yE did not occur, then the non satisfaction of
 yE
COut generates the fault candidates:
 yE
FCANOut  (lOut  {B/ yE , BVin , DV  }) {ByR , BVin , DV  }  {B/ yE } .
If events  yR and  yE both did not occur, then the fault candidates are generated and then are reduced as it is
depicted in Fig 14.
16

17. Activation of a command Out  Σc
FCANOut  {}; NFCANOut  {}
Non occurrence of  yR in the expected normal time interval
command
 yR  yR

COut is not satisfied : FCANOut  lOut  ByR , BVin , D V  
Non occurrence of  yR in the expected degraded time interval
command
 yR
C Out is not satisfied :
NFCANOut  D V   , FCANOut  {ByR , BVin , D V }{D V }  {ByR , BVin }
Non occurrence of  yE in the expected normal time interval
command
 yE
COut is not satisfied :
     
FCANOut  ( BVin , ByR  (lOut  BVin , D V  , B/ yE )) D V    BVin
 yE
Fig 14. Progressive monitoring in the case of non occurrence of both  yR and  yE .
4. Conclusion and future works
This paper presents a fault free model based approach for the Fault Detection and Isolation of discrete
manufacturing system. This approach considers the plant as a set of plant elements composed of actuators and
their associated sensors. The goal is to take benefit of the composite structure of manufacturing systems. The use
of fault free models reduces the model construction complexity since the fault behaviors in response to a
predefined set of faults are not integrated in the system models.
A fault is detected by one of the following cases: the occurrence of an unexpected event, the non occurrence of
an expected event within predefined time intervals, or its too late occurrence. The occurrence of an unexpected
event is detected when the enablement condition of this event is not satisfied. The state variable, representing
sensor output, responsible for this non satisfaction, are considered as a fault candidate. The non occurrence of an
expected event, or its too late occurrence, within predefined time intervals, is detected using a template. The
latter is created for each control signal and it represents temporal constraints between events occurrences.
In this paper, the components are considered independent. Thus, a future work is to develop the proposed
approach for the case of a system of interrelated components. In this case, a communication protocol must be
defined in order to take into account the links among components. This protocol must be scalable with the
system size.
Acknowledgment
This work is supported by the Scientific Interest Group surveillance, safety and security of the big systems
(GIS3SGS).
17

18. References
[1] Ardissono L, Console L, Goy A, Petrone G, Picardi C, Segnan M, Theseider Dupré D. Enhancing Web
Services with diagnostic capabilities. In: 3rd IEEE European Conference on Web Services. 2005, pp 143-
159.
[2] Aveyard RL. A boolean mode1 for a class of discrete event systems. IEEE Transactions Systems, Man, and
Cybernetics 1973; SMC4-3: pp 249-258.
[3] Balemi S, Hoffmann GJ, Gyugyi P, Wong Toi H, Franklin GF. Supervisory control of a rapid thermal
multiprocessor. IEEE Transactions on Automatic Control 1993; 38(7): 1040-1059.
[4] Cordier MO, Grastien A. Exploiting independence in a decentralised and incremental approach of diagnosis.
In: 20th International Joint Conference on Artificial Intelligence. 2007, pp 292-297.
[5] Darkhovski B, Staroswiecki M. Theoretic approach to decision in FDI. IEEE Transactions on Automatic
Control 2003; 48(5): pp 853-858.
[6] Debouk R, Lafortune S, Teneketzis D. Coordinated decentralized protocols for failure diagnosis of discrete
event systems. Discrete Event Dynamic Systems: Theory and Applications 2000; 10(1-2): pp 33-86.
[7] Devillez A, Sayed Mouchaweh M, Billaudel P. A process monitoring module based on fuzzy logic and
Pattern Recognition. International Journal of Approximate Reasoning 2004; 37(1): pp 43-70.
[8] Garcia HE, Yoo TS. Model-based detection of routing events in discrete flow networks. Automatica 2005;
41(4): pp 583-594.
[9] Genc S, Lafortune S. Distributed diagnosis of discrete-event systems using Petri nets. In: International
Conference on Application and Theory of Petri Nets. 2003, pp 316–336.
[10] Hadjicostis CN. Probabilistic Fault Detection in Finite-State Machines Based on State Occupancy
Measurements. IEEE Transactions on Automatic Control 2005; 50(12): pp 2078-2083.
[11] Isermann R. Supervision, Fault Detection and Fault-Diagnosis Methods-an Introduction. Control
Engineering Practice 1997; 5(5): pp 639-652.
[12] Jiroveanu G, Boel RK. A distributed approach for fault detection and diagnosis based on time Petri nets.
Mathematics and Computers in Simulation 2006; 70(5): pp 287-313.
[13] Lamperti G, Zanella M. On Processing Temporal Observations in Monitoring of Discrete-Event Systems.
Enterprise Information Systems 2008; 3(3): pp 135-146.
[14] Pandalai D, Holloway LE. Template Languages for Fault Monitoring of Timed Discrete Event Processes.
IEEE Transactions On Automatic Control 2000; 45(5): pp 868-882.
[15] Patton R, Clark RR, Frank M. Issues of Fault Diagnosis for Dynamic Systems. Springer, Berlin Heidelberg
New York 2000.
[16] Pencolé Y. Diagnosability analysis of distributed discrete event systems. In: European Conference on
Artificial Intelligence. 2004, pp 43-47.
[17] Philippot A, Sayed Mouchaweh M, Carré Ménétrier V. Unconditional decentralized structure for the fault
diagnosis of discrete event systems. In: 1st IFAC Workshop on Dependable Control of Discrete event
Systems. 2007, pp 255-260.
[18] Qiu W. Decentralized/distributed failure diagnosis and supervisory control of discrete event systems. Ph.D.
thesis of the Iowa State University 2005.
18

19. [19] Qiu W, Kumar R. Decentralized failure diagnosis of discrete event systems. IEEE Transactions on systems,
man and cybernetics-Part A: Systems and Humans 2006; 36(2): pp 628-643.
[20] Rozé L, Cordier MO. Diagnosing Discrete-Event Systems: Extending the “Diagnoser Approach” to Deal
with Telecommunication Networks. Discrete Event Dynamic Systems 2002; 12(1): pp 43-81.
[21] Sampath M. A Discrete Event Systems Approach to Failure Diagnosis. Ph.D. thesis of the University of
Michigan 1995.
[22] Sengupta R. Diagnosis and communications in distributed systems. In: International Workshop on Discrete
Event Systems. 1998, pp 144-151.
[23] Sengupta R, Tripakis S. Decentralized diagnosability of regular languages is undecidable. In: 40th IEEE
Conference on Decision and Control 2002, pp 423-428.
[24] Su R, Wonham WM. Global and local consistencies in distributed fault diagnosis for discrete event systems.
Transactions on Automatic Control 2005; 50(12): pp 1923-1935.
[25] Wang Y, Yoo TS, Lafortune S. Diagnosis of discrete event systems using decentralized architectures.
Discrete Event Dynamic Systems 2007; 17(2): pp 233-263.
[26] Wonham WM, Ramadge PJ. On the supremal controllable sublanguage of a given language. SIAM Journal
on Control and Optimization 1987; 25(3): pp 637-659.
19