
38 IEEE TRANSACTIONS ON RELIABILITY, VOL. 41, NO. 1, 1992 MARCH

Systems Formulation of a Theory of Diagnosis from First Principles

Bernard P. Zeigler, Senior Member IEEE, University of Arizona, Tucson

Key Words - Diagnosis, Troubleshooting, Artificial intelligence, Systems theory, Logic-based diagnosis, Theory of diagnosis, Expert systems

Reader Aids -
Purpose: Widen the state of the art
Special math needed for explanations: Set theory & notation
Special math needed to use results: Same
Results useful to: System theorists, artificial-intelligence researchers

Abstract - This article reformulates the Reiter logic-based, “A theory of diagnosis from first principles”, in a systems theory framework and extends it to explicitly cover admissible fault models. The reformulation allows us to use straightforward set theoretic and algebraic concepts to characterize the main theorem relating diagnoses and conflict sets. We distinguish between weak and strong diagnoses and show that non-minimal strong diagnoses (multiple faults) may arise where the class of admissible fault models of components is restricted. We argue that the effectiveness of troubleshooting may be greatly enhanced by taking such diagnoses into account. This is true since the nature of the admissible fault model classes can dramatically affect the diagnoses generated. In particular, diagnoses that are not based on models of potential fault behaviors may be quite deceptive in relation to actual failed system behavior. The full family of strong diagnoses, although potentially much more computationally demanding than the minimal diagnoses, should be taken as the basis for troubleshooting.

1. INTRODUCTION

This article reformulates the Reiter logic-based, “A theory of diagnosis from first principles” [7], in a systems theory framework. The Reiter theory, which requires that the fault-prone system be described in a suitable logic, provides an elegant characterization of the diagnosis search problem and a rigorous basis for further developments. However, its very power also tends to obscure the underlying factors that interplay in more prosaic, albeit less general, settings. Our reformulation, in the context of memoryless nets, allows us to use straightforward set-theoretic and algebraic concepts to characterize the main theorem relating diagnoses and conflict sets. Our intent is not to improve upon the Reiter general algorithm for generating diagnoses (see also [5]) but to help readers with realistic reliability background to gain insight into the strengths and limitations of the current theory. Our approach also facilitates studying how incorporating knowledge of abnormal behavior, through admissible fault models, can improve the effectiveness of troubleshooting.

In our reformulation, we characterize diagnoses directly in terms of consistency of the constraint sets they impose on a network. We introduce a concept of weak diagnosis as a convenient mathematical and computational construct. A subset of the weak diagnoses, the minimal weak diagnoses, turn out to be the ones of interest in troubleshooting. Our concept of strong diagnosis is the equivalent of Reiter’s concept of diagnosis. Although used in the same way in his theory, Reiter does not explicitly label weak diagnoses as such. Our rephrasing of the Reiter main theorem states the equivalence of minimal weak and minimal strong diagnoses. Reiter takes for granted that, by the principle of parsimony, only the minimal strong diagnoses are of interest. This is appropriate in the absence of specification for abnormal behavior where weak and strong concepts coincide. Reiter’s examples are of this nature. However, we show that non-minimal strong diagnoses may exist where information is available to restrict the class of admissible versions of components. Hence, minimal diagnoses should be seen as merely the smallest elements in an ordering of all diagnoses by cardinality (size of set). Investigation might well begin with minimal diagnoses but might have to proceed to larger sized diagnoses as well. Also, we shall show that the nature of the admissible fault model classes can dramatically affect the diagnoses generated. In particular, the family of minimal diagnoses obtained under the unrestricted fault scenario (where no information on faulty behavior is employed) may bear little resemblance to the family obtained when some fault behavior assumptions are included in the problem formulation. We conclude that the full family of strong diagnoses, although potentially much more computationally demanding than that required for generating minimal diagnoses, should be taken as the basis for troubleshooting. In the conclusions we suggest this to be a fruitful area for extension of the theory.

Standard notation is given in “Information for Readers & Authors” at the rear of each issue.

2. BACKGROUND

A commonly held notion of a diagnosis is the identification of components that, when replaced in a real system by correctly working counterparts, will restore the system to its proper behavior. Such a diagnosis may be founded on an explanation of a slightly different nature: that the faulty components are causing the network to produce the observed anomalous behavior. In troubleshooting, such explanations may be taken as hypotheses to be tested by actual replacement of faulty components or treatment to restore their functions, or indeed, to guide further observations to narrow down the set of candidates. Research in model based diagnosis [2-4] employs models of systems to generate such explanatory diagnoses. It contrasts with so-called shallow reasoning approaches common in first generation expert systems. The latter employ rules or other knowledge derived from first hand experience with actual systems and devices [1,9] rather than the more basic knowledge of structure and behavior provided by suitable models of the system. Early work in the model based approach focussed on the diagnosis of single faults, ie, where only one component was assumed to fail at a time. Recent work has attempted to deal with the multiple-fault case, where several components may fail at once [3,4]. In networks of interacting components the latter is clearly much more conceptually, and computationally, complex.

0018-9529/92$03.00 © 1992 IEEE

Based on results of earlier unformalized approaches, Raymond Reiter presented a general theory of diagnosis from first principles [7]. The theory requires that a system model be cast in a suitable logic and that a suitable theorem prover be available to determine consistency of sets of sentences in the logical formalism. Reiter defines a diagnosis to be a minimal set, $\Delta \subseteq \mathrm{COMPONENTS}$, such that:

$\mathrm{SD} \cup \mathrm{OBS} \cup \{AB(c) \mid c \in \Delta\} \cup \{\neg AB(c) \mid c \in \mathrm{COMPONENTS} - \Delta\}$

is consistent.

Notation

AB: abnormal
SD: a set of sentences expressing the system model
OBS: a set of sentences expressing the observations made on the system, expressing apparently anomalous behavior
$AB(c)$, ($\neg AB(c)$): terms asserting the abnormality (normality) of any component, $c$ □

Intuitively, a diagnosis is a conjecture that a set $\Delta$ of components of a system are faulty (ABnormal) and the rest normal. Such a set is justified by the fact that the system description becomes consistent with the observation when components in $\Delta$ are assumed to be abnormal with the rest being normal. The system description, SD, plays a major role in this formulation. To characterize normal operation, it contains sentences of the form:

$\neg AB(c) \Rightarrow \ldots$

Notation

$\ldots$ expresses the normal behavior of component $c$ □

A complete system description would contain one such sentence for each component.

Similarly, to characterize abnormal behavior, the SD may contain sentences of the form:

$AB(c) \Rightarrow \ldots$

Notation

$\ldots$ expresses possible abnormal behaviors of component $c$, as well as possible effects of such abnormality on other components. □

Reiter requires diagnoses to be minimal, based on appeal to a principle of parsimony. This means that we should not bother with a larger (in the sense of number of faulty components specified) diagnosis when a smaller subset will do the same job. However, as indicated, we shall have reason to question this assumption.

The Reiter main theorem characterizes such diagnoses, which we shall distinguish as strong, in terms of subsets of the following kind, we shall call weak diagnoses:

$\mathrm{SD} \cup \mathrm{OBS} \cup \{\neg AB(c) \mid c \in \mathrm{COMPONENTS} - \Delta\}$.

There are no assertions that components in $\Delta$ are abnormal in such a weak diagnosis. It apparently requires only their removal from the system (or better, suspension of their constraints [2]) to restore consistency with the observation. This interpretation is only partly true since Reiter shows that when such weak diagnoses are minimal they must necessarily include the effects of the faulty components. Roughly, this occurs due to the appearance of the “$AB(c) \Rightarrow \ldots$” sentences in the system description which are brought into play when their l.h.s.’s are violated.

We note the following:

1. Minimal weak diagnoses are identical to minimal strong diagnoses (Reiter Proposition 3.4).

2. Minimal weak diagnoses are amenable to computationally efficient generation given by the Reiter hitting-set algorithm and its subsequent improvement [5].

3. The weak diagnoses are nicely ordered in the sense that all supersets of a weak diagnosis are also weak diagnoses. This justifies considering only the minimal weak diagnoses as important, independently of a principle of parsimony.

4. When specification of abnormal behavior is totally absent from the system description, the weak and strong concepts are again identical. □

These facts may account for Reiter’s and other researchers’ [3] focus on minimality of strong diagnoses. Their intent seems to have been to glean the most out of a system model without requiring assumptions about the faulty behaviors of its components. When knowledge of faulty behaviors is absent, restricting attention to the minimal diagnoses is fully justified. Although Reiter’s framework opens the way for inclusion of such knowledge, his examples, based on previous informal approaches, do not explore this possibility.

In the balance of this paper we reformulate the Reiter theory, based on system theory concepts [6,10,11]. Our reformulation, while much less general, preserves the important features of the Reiter theory and serves to elucidate what is hidden, hence perhaps, obscured by the power of the logical calculi abstractions. After review of basic system modeling concepts, we reformulate the Reiter theory in more basic form using standard set theory. Then we reprove the Reiter fundamental theorems in the new formulation. A side benefit is that the proofs are also briefer and more straightforward than the originals. We then go on to consider examples of system descriptions in which fault behavior knowledge is, and is not, incorporated. Finally, we draw conclusions concerning the necessity for employing the full family of strong diagnoses in troubleshooting and discuss some issues relating to this use.

3. SYSTEMS MODELING CONCEPTS

Loosely speaking, a system (network) is an interconnection of components; such components may themselves be systems, thus leading to hierarchical construction [12]. Thus there are two kinds of systems: basic and coupled. Various modeling formalisms provide means to specify basic systems. Examples of such formalisms are those based on differential equations, difference equations, and discrete event concepts [12]. Basic systems have input and output ports; coupled systems are specified by a set of components (which may be basic systems or previously defined coupled systems) and a coupling scheme. Such a scheme has three parts:

1. external-input coupling, which dictates how input ports of the coupled system are linked to input ports of its components,

2. internal coupling, which connects output ports of components to input ports of other components,

3. external-output coupling, which dictates how output ports of components are linked to output ports of the coupled system. □

A formalism is closed under coupling if any coupled system can be described as (behaviorally equivalent to) a basic system in the formalism, provided each of its components can be so described. Various formalisms require certain restrictions on the coupling scheme in order to be closed under coupling. Hierarchical model construction is supported in formalisms which are closed under coupling. This is so since coupled models have equivalent basic model representations and thus can be coupled with other coupled or basic models to create yet more complex coupled models. Readers who are not familiar with these concepts can refer to [12] for a more complete discussion and for a simulation environment that supports them.

For expository purposes we restrict attention to memoryless systems, in which the Reiter and previous authors’ [2-4,7] examples are expressed. A memoryless system maps current values on its input ports to current values on its outputs (without effect of previous inputs as represented in an internal state). A coupling scheme for a coupled memoryless system is a set of pairs of ports satisfying the external-input, external-output, and internal formats, and in addition, the requirement that the internal coupling does not contain any cycles in its directed graph representation.

3.1 Representation of Behavior by Constraints

Figure 1. The Multiplier-Adder Network [Represented in 2 Ways As a Coupled Model]

Figure 1 shows examples of a coupled model that corresponds to the network in [7, figure 8]. Figure 1a is a version in which individual ports of the multiplier components M1, M2, M3 appear as external-input ports for the resulting coupled model. Figure 1b shows a different external-input coupling in which there are two input ports for the coupled model that broadcast to respective ports of the component multipliers. To represent the behavior of such systems for the purposes of diagnosis we associate a variable with each port of the coupled model. The components and coupling scheme place constraints on the assignments of values to the variables such that (under normal operation) if legal values are assigned to the input ports of the coupled model, then legal values are uniquely specified at the output ports (a value is legal for a port if it belongs to the range set prespecified for that port).

Notation

$x$: an assignment of values to the ports: $x = (x_1, x_2, \ldots, x_n)$
$x_i$: the value assigned to port $i$ in a fixed listing of the ports. □

A (normal) component imposes constraints on the values of its input and output ports. Such a constraint may be expressed as a proposition $Cx$. For example, M1 in figure 1a imposes the constraint:

$M1x \Leftrightarrow x_{13} = x_7 \times x_8$,

while A1 imposes the constraint:

$A1x \Leftrightarrow x_{20} = x_{16} + x_{17}$.

The coupling scheme imposes constraints corresponding to each pair of ports. For example the external-input couple Net.in1 - M1.in1 requires that:

$NM1x \Leftrightarrow x_1 = x_7$.

The internal couple M1.out1 - A1.in1 requires that:

$MA1x \Leftrightarrow x_{13} = x_{16}$,

etc. A third set of constraints derives from observations of inputs and outputs. These constraints represent actual value assignments to input and output ports. For example, the value 2 imposed on Net.in1 is represented by:

$NI1x \Leftrightarrow x_1 = 2$.

The output observed on port Net.out1 is represented by:

$NO1x \Leftrightarrow x_{22} = 3$.

Definition 1. An assignment $x$ is a solution to a set of constraints, CON, if it satisfies each one, ie,

$x \text{ satisfies } \mathrm{CON} \Leftrightarrow (\forall C \in \mathrm{CON})(Cx)$. □

Definition 2. CON is consistent if it has a solution, ie,

$\mathrm{CON} \text{ is consistent} \Leftrightarrow (\exists x)(x \text{ satisfies } \mathrm{CON})$. □

We can select subsets of constraints associated with a coupled model in many ways. The output computed for a given input is obtained by letting

$\mathrm{CON} = \mathrm{Comp} \cup \mathrm{Coup} \cup I$.

Notation

Comp: set of component constraints
Coup: set of coupling constraints
$I$: set of assignment constraints assumed by imposing a value on each input port □

The restrictions imposed on the coupling scheme ensure that exactly one solution satisfies these constraints. The projection of this solution on the coupled model output ports is the response of the system to the solution’s projection on the input ports (the imposed input).

More generally, only some of the input ports need be stimulated and some of the output ports measured.

Notation

Obs: corresponding constraints □

The coupled model exhibits normal behavior with respect to this observation if

$\mathrm{CON} = \mathrm{Comp} \cup \mathrm{Coup} \cup \mathrm{Obs}$

is consistent. For example, the observation,

$x_1 = 3,\ x_2 = 2,\ x_3 = 3,\ x_4 = 2,\ x_{22} = 12$

indicates normal behavior for the system in figure la.

Definition 3. A coupled model exhibits abnormal behavior with respect to an observation Obs if

$\mathrm{CON} = \mathrm{Comp} \cup \mathrm{Coup} \cup \mathrm{Obs}$,

is inconsistent. □

Thus, the observation,

$x_1 = 3,\ x_2 = 2,\ x_3 = 3,\ x_4 = 2,\ x_{22} = 10$,

indicates abnormal behavior for the system in figure la.

4. BASIC DEFINITIONS & DERIVATIONS

Given an inconsistent set of constraints, we can remove member constraints until a smaller consistent set is found. However, we may wish to restrict the kinds of constraints to be removed. For example, following Reiter [7] we may hold inviolable the coupling and observation constraint classes, leaving only the component constraint class as fair game (inviolability of the coupling constraints is implicit in Reiter’s network examples). However, allowing suspension of coupling constraints might be interpreted as allowing faults to occur in interconnections. In the following we restrict the removable constraints to the Comp set. However, our basic theorem does not intrinsically depend on which set of constraints can be removed.

Notation

$C$: a component
$C^F$: the set of faulty versions under consideration for $C$: a set of constraints $\{C^f_1, C^f_2, \ldots, C^f_k\}$, exactly one of which may replace the constraint imposed by the component in its normal state.
$C^f \Leftrightarrow C^f_1 \vee C^f_2 \vee \ldots \vee C^f_k$: a fault constraint □

We may roll the fault model set of constraints for each component into one constraint, $C^f$, which is their disjunction. From here on, we use this one so-called fault constraint to represent the fault family for a component.

For example, in the multiplier-adder network in figure 1, suppose that the multipliers can become inaccurate by at most 1 unit. Thus, for M1 we have:

Uniting these into an overall fault constraint yields:

$M1^f x \Leftrightarrow |x_{13} - (x_7 \times x_8)| = 1$.

Definition 4. A strong diagnosis (relative to a fault model family) is a set $D \subseteq \mathrm{Comp}$, such that,

$D^f \cup [\mathrm{Comp} - D] \cup \mathrm{Coup} \cup \mathrm{Obs}$,

is consistent.

Notation

$D^f$: set $\{C^f\}$ of fault constraints, one for each component, $C \in D$ □

In other words, a strong diagnosis specifies a set of faulty components, which together with the remaining normal components, is capable of explaining how the observed anomalous behavior could arise. Clearly the underlying family of faulty models plays a major role in the diagnosis produced. With a small family, there may be no diagnosis possible; with a large family, there may be many alternative diagnoses, few of which represent real world possibilities. Fault modeling is therefore a critical methodological component of such an approach.

For brevity, we omit reference to the underlying fault model classes when these are understood.

Definition 5. A minimal strong diagnosis is a strong diagnosis that has no proper subset which is also a strong diagnosis. □

Note: Reiter calls a minimal strong diagnosis simply a diagnosis. For reasons given above, we find a more refined terminology useful.

It is convenient to combine the normal constraint and the fault constraint for each component into one.

Notation

$C^{both} \Leftrightarrow C \vee C^f$: combined constraint for $C$ □

For example,

Definition 6. A subset $D \subseteq \mathrm{Comp}$ is a weak diagnosis if

$D^{both} \cup [\mathrm{Comp} - D] \cup \mathrm{Coup} \cup \mathrm{Obs}$

is consistent.

Notation

$D^{both}$: set $\{C^{both}\}$ of combined constraints, one for each component in $D$ □

In a weak diagnosis we restore consistency with the observation by assigning to each component (in the diagnosis set) its combined constraint. This is the same as saying that either the normal or the fault constraint can be used for each component in the diagnosis to bring about consistency. (In a strong diagnosis, only the fault constraint can be used for this purpose.) This seems to be - and is - a rather artificial construct. However, it turns out to correspond to the Reiter working characterization of diagnosis and has the right properties to establish the main theorem.

Definition 7. A minimal weak diagnosis is a weak diagnosis that has no proper subset which is also a weak diagnosis. □

Reiter proposition 3.4 can be interpreted as saying that a minimal weak diagnosis is a minimal strong diagnosis, and conversely. His main theorem goes on to characterize minimal weak diagnoses in terms of conflict sets. We now proceed along similar lines.

Proposition 1. $D$ is a minimal weak diagnosis $\Leftrightarrow$ $D$ is a minimal strong diagnosis. □

Proof: See appendix.

The proposition justifies our use, in the sequel, of the term minimal diagnosis to refer to both minimal strong and weak diagnosis. It is convenient to rephrase weak diagnoses in terms of the following conflict sets.

Definition 8. $S \subseteq \mathrm{Comp}$ is a conflict set if

$[\mathrm{Comp} - S]^{both} \cup S \cup \mathrm{Coup} \cup \mathrm{Obs}$

is inconsistent. A minimal conflict set (MCS) is a conflict set for which no proper subset is also a conflict set. □

Proposition 2. $D$ is a weak diagnosis $\Leftrightarrow$ $\mathrm{Comp} - D$ is not a conflict set. □

Proof: Follows immediately from the definitions.

A conflict set specifies the set of normal components, with the complement specifying the abnormal components. The exact opposite holds for diagnoses - these specify the abnormal components, the complement, the normal ones.

Phrased this way, conflict sets turn out to have the following property which is evident for subsets of constraints:

Property. Let $A$ and $B$ be sets of constraints, with $A \subseteq B$. If $B$ is consistent so is $A$ (and contrapositively, if $A$ is inconsistent so is $B$). □

(“$B$ is consistent” means that it has a solution. Removing some constraints to arrive at $A$ preserves such a solution. Looked at from the contrapositive view, “$A$ is inconsistent” means it has no solutions. This will not change if we add the additional constraints in $B$, thus placing yet stronger restriction on feasible assignments.)

Analogously, we have:

Lemma 1. Every superset of a weak diagnosis is a weak diagnosis; every superset of a conflict set is a conflict set. □

Proof: See appendix.

It is not true that every superset of a strong diagnosis is a strong diagnosis, as an example in section 5.2 reveals.

The main theorem shows that a minimal diagnosis intersects each MCS.

Theorem 1. $D$ is a weak diagnosis $\Leftrightarrow$ $D \cap C \neq \emptyset$ for each minimal conflict set $C$. □

Proof: See appendix.

Theorem 1 can be interpreted to say that weak diagnoses can be represented as hitting sets over the minimal conflict sets.

Definition 9. A hitting set over the MCSs contains at least one element from each MCS. A minimal hitting set contains exactly one element from each MCS. (If it contained more than one, we could eliminate an element and still have a hitting set). □

Corollary 1. $D$ is a minimal weak diagnosis $\Leftrightarrow$ $D$ is a minimal hitting set over the MCSs. □

Proof: See appendix.

5. INCORPORATING KNOWLEDGE OF ABNORMAL BEHAVIOR: FAULT MODELS

Reiter [7] proceeds to develop a general purpose algorithm to find minimal hitting sets, hence minimal diagnoses (see also [5]). It calls on a theorem prover capable of deciding inconsistency of expressions in a particular formalism. Our purpose here is not to explicate or improve on this algorithm but rather to throw some light on the theoretical constructs just introduced.

5.1 Unrestricted Fault Classes

First we consider the case where no information is available concerning the faulty versions of components. This is assumed to be the case in the circuit and multiplier-adder examples of [2,3,7]. This lack of information can be formally represented by taking the fault constraint associated with a component to be the always true constraint or, what is the same, an unrestricted class of faults. Physically, this corresponds to assuming that the outputs of failed components are free floating, rather than being forced to certain values by the particular fault that has occurred [3]. Naturally, this is a questionable basis for proceeding when components are known to fail in only certain ways. Weak diagnoses take on a particularly simple form for such unrestricted fault classes:

Proposition 3. A subset $D \subseteq \mathrm{Comp}$ is a weak diagnosis for the unrestricted fault case if $[\mathrm{Comp} - D] \cup \mathrm{Coup} \cup \mathrm{Obs}$ is consistent. □

Proof: See appendix.

Figure 2. A Model Demonstrating That Observations Can Be Inconsistent With Respect To Coupling

In the unrestricted fault case, it follows directly that if Comp is not a diagnosis then no subset of Comp is a diagnosis either. This means that any inconsistency lies in the observation/coupling interaction as in figure 2; it cannot be in the coupling constraints alone since these are all equality statements whose transitive closure always exists. We therefore require that the diagnosis problem be well posed in the sense of assumptions 1 & 2.

Assumption 1. Coup ∪ Obs is consistent (ie, Comp is a weak diagnosis). □

Assumption 2. Comp ∪ Coup ∪ Obs is inconsistent (thus giving rise to the diagnosis search problem). □

These assumptions hold in the balance of this paper.


Figure 3. A Series Coupling Of Components Whose Normal Behavior Is The Identity Mapping With Anomalous I/O

Let us consider figure 3 as an example to aid intuition. Let each component compute the identity function. Thus the constraints imposed by the coupled model are:


Comp: x3 = x2, x5 = x4, x7 = x6;

Adding the observation,

creates the inconsistent set, Comp ∪ Coup ∪ Obs. Removing any of the component constraints, however,

results in two equivalence classes without conflict. For example, removing x3 = x2 (due to component A) results in:

x1 = x2 = 1,

Thus Comp = {A,B,C} is a minimal conflict set and indeed the only one. There are three hitting sets, or minimal diagnoses, viz, {A}, {B}, {C}. These could explain the anomalous behavior iff we assume that components fault to inverter elements. However, we return, below, to this example to show that in this case other viable explanations of faulty behavior are not generated as minimal hitting sets.

Figure 4. A Series-Parallel Coupling of Identity Components With Anomalous I/O (x1 = 1, x8 = 0, x9 = 1) and Its Lattice of Conflict Sets [a) the coupled model b) the lattice of subsets, inconsistent sets marked *]

Figure 4 shows that the approach does home in on portions of a network that are related to an inconsistent measurement. Rather than use the Reiter algorithm, we explore the lattice of subsets in a straightforward manner. The root {A,B,C} is a conflict set. The next-level sets {B,C} and {A,C} are consistent, but {A,B} is inconsistent; thus {A,B,C} is not a MCS. Expanding {A,B}, we find that both {A} and {B} are consistent, thus establishing that {A,B} is a MCS. The minimal diagnoses are thus {A} and {B}. This agrees with the intuition that only the path through {A} and {B} is implicated by the erroneous output.

Figure 5. The Effect Of An Additional Probe Reading For The Model in Figure 3 [lattice of subsets of {A,B,C}, inconsistent sets marked *; MCS = {A}]

Figure 5 shows how additional sensor data help to pin down the possible fault. Reiter [7] shows however, that such monotonic behavior (where additional measurements always tend to refine the family of diagnoses) is not necessarily the case in general. The virtue of this approach is also apparent: missing observations do not unnecessarily hamper the diagnostic process; it does the best it can with the data available [8].

Figure 6c shows the derivation of the two minimal conflict sets {M1,M3,A1,A2} and {M1,M2,A1} for the well known example of figure 1. Since M1 belongs to both sets, {M1} is a minimal hitting set. Similarly, A1 belongs to both MCSs, so {A1} is a minimal hitting set. Removing M1 and A1 from each MCS leaves {M3,A2} and {M2}. These give rise to hitting sets {M3,M2} and {A2,M2} which represent multiple fault diagnoses.
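The hitting set computation just carried out by hand, as an added example (not code from the paper): it is written as the general procedure of which the text shows one instance, taking any family of MCSs, enumerating candidate component subsets by increasing size, and keeping those that intersect every MCS and contain no smaller hitting set. The input is the pair of MCSs derived in figure 6c.

```python
from itertools import combinations

# The two minimal conflict sets the paper derives for figure 6c (multiplier-adder
# network of figure 1, unrestricted fault classes).
FIGURE_6_MCSS = [{"M1", "M3", "A1", "A2"}, {"M1", "M2", "A1"}]


def hits_all(candidate, mcss):
    """A hitting set intersects every MCS (the condition of theorem 1)."""
    return all(candidate & mcs for mcs in mcss)


def minimal_hitting_sets(mcss):
    """Minimal hitting sets over a family of MCSs, i.e. the minimal weak
    diagnoses by corollary 1.  Candidates are drawn from the components that
    occur in some MCS, by increasing size; since any superset of a hitting set
    is again a hitting set, a candidate is minimal iff no smaller hitting set
    already found is a proper subset of it."""
    universe = sorted(set().union(*mcss))
    found = []
    for k in range(1, len(universe) + 1):
        for combo in combinations(universe, k):
            cand = frozenset(combo)
            if hits_all(cand, mcss) and not any(h < cand for h in found):
                found.append(cand)
    return found


def main():
    # Expected for figure 6c: {A1}, {M1}, {M2,A2}, {M2,M3}
    for hs in minimal_hitting_sets(FIGURE_6_MCSS):
        print("{" + ",".join(sorted(hs)) + "}")


if __name__ == "__main__":
    main()
```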

Figure 6. The Minimal Conflict Sets For Figure 1a With Unrestricted Fault Classes [Suspended constraints are shown shaded. a) set {M1,M2,A1} b) set {M1,M3,A1,A2} c) the conflict set lattice, inconsistent sets marked *; MCS1 = {M1,M3,A1,A2}, MCS2 = {M1,M2,A1}]

It is instructive to examine the two minimal conflict sets. Figure 6a shows the primary source of conflict. The MCS {M1,M2,A1} results from removing the normal behavior path from M3 to A2. Removing M1 or A1 individually does remove the conflict, thus accounting for their occurrence in singleton (set with one member) diagnoses. Removing M2 however, is different since it is involved also in generating the second MCS. Figure 6b shows the MCS, {M1,M3,A1,A2}, which results from removing M2. There is still a conflict in this set due to the coupling from M2 to both A1 and A2. This induces a constraint propagation path from an input port of A2 to an input port of A1: [x18 = x14 and x17 = x14] implies x17 = x18. From figure 6b it is clear that removing any of the components does remove the conflict. However, since M1 and A1 are already diagnoses, we would not get minimal diagnoses by combining them with M2. However, we can combine M2 with M3 or with A2 to get the minimal diagnoses {M2,M3} and {M2,A2}. This provides some insight into the mechanics behind theorem 1.

The induced coupling between A1 and A2 exists only because we did not remove the coupling constraints associated with M2 when we removed its functional constraint. Had we removed this coupling, there would have been only the one MCS, {M1,M2,A1}, and three corresponding singleton diagnoses. This shows the importance of explicitly stating whether or not the coupling constraints are removable.

5.2 Restricted Fault Classes

We now consider examples where information is available on the faulty behaviors of components, ie, where the fault classes are restricted. We show that the resulting diagnoses can differ dramatically from those where no non-trivial fault constraints are specified. Consider the coupled model in figure 3 and suppose that each component becomes an inverter when it becomes faulty. In other words, C^F = {c^f}.

Notation

c^f: x_i = 1 − x_j

x_i, x_j: variables associated with the input, output ports of component C. □

It is easy to see that the only possible strong diagnoses that are consistent with the anomalous observation {x1 = 1, x8 = 0} are the singleton sets, {A}, {B}, {C} and the full set, {A,B,C} itself. The fact that pairs such as {A,B} are not strong diagnoses provides a counter-example to show that lemma 1 (concerning supersets of diagnoses) holds only for weak, not strong, diagnoses.

To illustrate how conflict sets are used to compute minimal diagnoses, we form the combined constraints for each component:

A^{b*}: x2 = x3 ∨ x2 = 1 − x3,

We begin with the largest conflict set {A,B,C} representing the set of constraints:

{A,B,C} ∪ Coup ∪ Obs.

Since this set of constraints is inconsistent, we investigate each of the constraint sets corresponding to the next level subsets, such as the one associated with {B,C}:

{A^{b*},B,C} ∪ Coup ∪ Obs

This turns out to be consistent. Similarly, {A,B} and {A,C} are consistent. Thus, {A,B,C} is the minimal conflict set. The minimal diagnoses are its singleton subsets.

Thus far, speaking of minimal diagnoses, the restricted fault case has produced identical results to the unrestricted case.


However, consider the multiple fault in which all of the components convert to an inverter. This is the strong diagnosis {A,B,C} representing the constraints:

{A^f,B^f,C^f} ∪ Coup ∪ Obs.

This non-minimal strong diagnosis, {A,B,C}, is not included in the family of minimal diagnoses.

The above result suggests that restricting attention to minimal diagnoses is of limited value in troubleshooting. This is so since the family of single diagnoses suggests that we look for a fault in each component individually. Were the anomalous behavior actually caused by the three components simultaneously becoming inverters, we would find such a fault, say, in component A. Restoring A to normalcy we would anticipate restoring the circuit to normal behavior. When this does not happen we are left without a means to proceed, since we have been assured that only single faults need be considered. Thus it is too restrictive to extract only minimal diagnoses from the family of strong diagnoses.

Having to consider all subsets of components as potential diagnoses raises the issue of computational feasibility. A basic algorithm generates the lattice of all subsets and tests whether each subset is a strong diagnosis according to the definition:

Algorithm: For each subset, D ⊆ Comp, if D^f ∪ [Comp−D] ∪ Coup ∪ Obs is consistent then add D to the set of strong diagnoses. □
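The lattice algorithm above, run on the series model of figure 3 with the inverter fault class of this section, as an added worked example (not code from the paper). It tests every subset D of {A,B,C} for consistency by brute force over the boolean port values, and reproduces both the weak diagnoses of the unrestricted case and the strong diagnoses {A}, {B}, {C}, {A,B,C}; the port numbering x1..x8 and the coupling equations are my reconstruction of the figure, since the paper lists only the component constraints and the anomalous I/O.

```python
from itertools import combinations, product

# Figure 3 of the paper: components A, B, C in series, each normally computing
# the identity function.  Port numbering x1..x8 and the coupling equations are
# my reconstruction of the figure (the paper lists only the component
# constraints x3 = x2, x5 = x4, x7 = x6 and the anomalous I/O x1 = 1, x8 = 0).
COMPONENTS = {"A": (2, 3), "B": (4, 5), "C": (6, 7)}  # (input port, output port)
COUPLING = [(1, 2), (3, 4), (5, 6), (7, 8)]           # Coup: x_j = x_i (equalities only)
OBS = {1: 1, 8: 0}                                    # Obs: anomalous I/O, x1 = 1, x8 = 0
PORTS = list(range(1, 9))
COMP = frozenset(COMPONENTS)

def normal(i, o):
    """Normal constraint of every component: the identity mapping."""
    return o == i

def inverter(i, o):
    """Restricted fault class C^F = {c^f}: a faulty component inverts its input."""
    return o == 1 - i

def unrestricted(i, o):
    """Unrestricted fault class: the always-true constraint (output free floating)."""
    return True

def combined(fault):
    """Combined constraint c^{b*} = normal OR fault; used to test weak diagnoses."""
    return lambda i, o: normal(i, o) or fault(i, o)

def consistent(faulty, fault_model):
    """Does D^f U [Comp-D] U Coup U Obs have a solution? Brute force over the 2^8
    boolean port assignments (the port domain is {0, 1} in this example)."""
    for bits in product((0, 1), repeat=len(PORTS)):
        x = dict(zip(PORTS, bits))
        if any(x[p] != v for p, v in OBS.items()):
            continue
        if any(x[j] != x[i] for i, j in COUPLING):
            continue
        if all((fault_model if c in faulty else normal)(x[i], x[o])
               for c, (i, o) in COMPONENTS.items()):
            return True
    return False

def subsets(universe):
    """Every subset of the component set, i.e. the whole lattice."""
    names = sorted(universe)
    for k in range(len(names) + 1):
        for combo in combinations(names, k):
            yield frozenset(combo)

def diagnoses(fault_model):
    """The lattice algorithm of section 5: keep every D whose constraint set is
    consistent. A fault model gives the strong diagnoses; combined(fault) or
    unrestricted gives the weak diagnoses."""
    return {D for D in subsets(COMP) if consistent(D, fault_model)}

def minimal(family):
    """Members of a family that contain no proper subset from the family."""
    return {D for D in family if not any(E < D for E in family)}

def minimal_conflict_sets(fault_model):
    """Proposition 2: S is a conflict set iff Comp-S is not a weak diagnosis."""
    return minimal({COMP - D for D in subsets(COMP) if not consistent(D, fault_model)})

def show(label, family):
    print(f"{label:<24}", sorted("{" + ",".join(sorted(D)) + "}" for D in family))

if __name__ == "__main__":
    show("weak (unrestricted)", diagnoses(unrestricted))
    show("MCSs (unrestricted)", minimal_conflict_sets(unrestricted))
    show("weak (inverter class)", diagnoses(combined(inverter)))
    show("strong (inverter class)", diagnoses(inverter))
    show("minimal strong", minimal(diagnoses(inverter)))
```

Because identity-or-inverter covers every boolean input/output pair, the weak diagnoses of the inverter class coincide with the unrestricted ones, which is why the minimal diagnoses agree while the strong family does not.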

Since this algorithm is obviously of exponential complexity, the challenge is to develop more efficient approaches, perhaps by adapting the Reiter general algorithm for weak diagnoses [5,7]. We return to this question in the Conclusions.

Now let us see how the class of faults associated with components can fundamentally affect the diagnoses proposed for the same anomalous behavior. For the multiplier-adder network in figure 1, as suggested earlier, suppose that the multipliers can become inaccurate by at most 1 unit, eg,

The fault class associated with the adders is unrestricted as before.

The strong diagnosis {M1,M2,M3} is an explanation of the anomalous behavior if faulty versions of M1,M2,M3 generate the outputs 5,5,7 respectively. This diagnosis is also minimal since if any one of M1,M2,M3 outputs 6 (normal) then consistency would force at least one other outside its allowable faulty range. This minimal diagnosis is not one of the four diagnoses {M1}, {A1}, {M3,M2}, {M2,A2} obtained when the fault class is unrestricted. Indeed, {M1} and {M3,M2} are clearly no longer diagnoses. Neither is {M2,A2} since M2 is restricted in its faulty output (being forced to output 4 with normal M1 and A1). Thus only the diagnosis {A1} survives of the original family for the unrestricted fault case. Indeed, by generating the lattice of conflict sets, it can be verified that the family of minimal diagnoses is now {A1}, {M1,M2,M3}, {M1,M2,A2} stemming from the family of minimal conflict sets {M1,A1}, {M2,A1}, {M3,A1,A2}.

We conclude that the nature of the fault family can dramatically affect the sets of minimal diagnoses produced.

6. HIERARCHICAL MODELS AND DIAGNOSIS

As indicated, model formalisms that are closed-under-coupling support hierarchical, modular construction. This hierarchical structure can be exploited in the diagnostic process. Recall that closure under coupling means that a coupled model can be represented by an equivalent basic model. By computing the basic equivalents of the top level components, a hierarchical model can always be put in the form of a coupled model of basic equivalents. Let us consider alternative top-down and bottom-up diagnosis strategies. In a top-down strategy the top-level normal and abnormal component models can be represented by their basic model equivalents and diagnoses can be generated as just discussed for the resulting coupled model. This ultimately results in identification of faulty components at the top level. However, since each such component has been represented by its basic model equivalent, this sets up a new diagnosis problem to identify next-level subcomponents that may be the causes of the faulty behavior identified at the higher level. The recursion can be continued until faulty components at the basic level have been identified.

Alternatively, a bottom-up strategy begins at the lowest-level basic components and attempts to identify the faulty component in the next-level coupled model closest to the detected site of the anomaly. If this process fails, then it is repeated within the scope of the next higher-level coupled model, and so on if necessary, until the overall hierarchical model is considered. The bottom-up strategy has the advantage that pre-compiling of coupled models into basic model equivalents is not necessary. The top-down strategy has on-line computational advantages that exploit the potentially reduced complexity of the basic model equivalents.

7. CONCLUSIONS

Reformulating the Reiter logic-based theory, we have characterized weak and strong diagnoses directly in terms of consistency of the constraint sets they impose on a coupled model (network). The weak diagnosis concept is an artifact introduced for mathematical and computational convenience. Only the minimal weak diagnoses are important for troubleshooting because they correspond to the minimal strong diagnoses. However, we showed that non-minimal strong diagnoses may exist where information is available to restrict the class of models that represent faulty versions of components. Also, we have demonstrated how the nature of the fault model classes assumed for components can dramatically affect the diagnoses generated. In particular, the family of minimal diagnoses obtained under the unrestricted fault scenario (where no information on faulty behavior is included) may bear little resemblance to the family obtained when some fault behavior assumptions are included in the problem formulation. Thus the minimal weak diagnoses obtained in the absence of fault behavior knowledge may prove rather deceptive when applied to the real device under diagnosis.

The full family of strong diagnoses should be taken as the basis for troubleshooting. There are two major impediments to such an approach.

1. The prohibitive computational complexity of managing the complete family of strong diagnoses. However it is unclear that the latter complexity is necessarily greater than that of managing the minimal element subset. While combinatorially explosive in the unrestricted fault case, the constraints embodied in fault-model classes can severely reduce the space of candidates. As in other contexts, knowledge (here, of admissible faulty behaviors) can greatly reduce search. Moreover, it should be possible to develop weaker criteria for removing redundant diagnoses and to generate diagnoses in order of increasing cardinality, terminating as soon as one has been verified. Means such as these for handling the complete family of strong diagnoses are a fruitful area of research.

2. The need to develop models of faulty components. Davis [2] claims that “traditional fault models are not needed when the task is diagnosis and when a fault is defined as anything different from the correct behavior.” Yet he later backs off from this claim and acknowledges the utility of systematic generation of categories of failure. As indicated, the Reiter theory offers a flexible and powerful framework for expressing knowledge about fault behavior and propagation, although the means for developing such knowledge is left open.

Ref [13] deals with a hierarchical, modular methodology that develops and incorporates fault models. Discrete-event symbolic simulation is used to automatically generate full families of strong diagnoses for autonomous robotic systems.

ACKNOWLEDGMENT

This research was supported by NASA-Ames Co-operative Agreement No. NCC 2-525, “A Simulation Environment for Laboratory Management by Robot Organization”.

APPENDIX

Proof of Proposition 1

(⇒) Let D ⊆ Comp be a minimal weak diagnosis. Thus from Definition 6, D^{b*} ∪ [Comp−D] ∪ Coup ∪ Obs has a solution. If to achieve this solution, any of the combined constraints in D^{b*} could be normal constraints, we could remove them from D, and add them to Comp−D while still retaining the same solution. This would produce a proper subset of D as a diagnosis and therefore, violate the minimality of D. Thus in a minimal weak diagnosis, D, all elements in D^{b*} have to be fault constraints, ie, D^{b*} = D^f. Indeed, D is then patently a strong diagnosis.

(⇐) By inspection, a strong diagnosis is also a weak diagnosis in which D^{b*} = D^f. If D were not minimal as a weak diagnosis it would ipso facto not be minimal as a strong diagnosis. Q. E. D.

Proof of Proposition 3

The D^{b*} set of constraints is reduced to the always true constraint. Being redundant we can drop it from consideration.

In the unrestricted fault case, a diagnosis is a subset of components, such that suspending their constraints from the network removes the conflict between its observed behavior and its normal behavior. Diagnostic subsets are, in this special sense, responsible for the observed anomalous behavior. It is tempting to assert that for the unrestricted fault case, Comp itself is always a weak diagnosis but figure 2 shows that this need not be the case. Here the simultaneous observation of both output ports is inconsistent with the coupling (the set {x4 = 1, x5 = 0, x3 = x4, x3 = x5} has no solution). Q. E. D.

Proof of Lemma 1

Let S be a weak diagnosis. This means there is a solution satisfying the normal constraints of Comp−S and the combined constraints of S. Let T be a non-empty set disjoint from S. Now remove the constraints of T from Comp−S, these being normal constraints, and add them to the combined constraints of S. Then the same solution just mentioned satisfies the combined constraints of S ∪ T together with the normal constraints in Comp−S−T. Thus S ∪ T is also a weak diagnosis.

Part 2 of the lemma is basically a restatement of part 1 using proposition 2. Let S be a conflict set. Suppose that a superset S′ is not a conflict set. By proposition 2, Comp−S′ is a weak diagnosis. Now from set theory, Comp−S is a superset of Comp−S′. Therefore from what we have just shown, Comp−S is also a weak diagnosis. By proposition 2 again, S is not a conflict set, a contradiction. Q. E. D.

Proof of Theorem 1

(⇒) Let D ⊆ Comp be a weak diagnosis. Then by proposition 2, Comp−D is not a conflict set. Suppose that D ∩ C_i = ∅ for some MCS, C_i. Then C_i ⊆ Comp−D. By lemma 1, since C_i is a conflict set, so is its superset, Comp−D, a contradiction.

(⇐) Let D ∩ C_i ≠ ∅ for each MCS, C_i. Suppose that D is not a diagnosis. Then Comp−D is a conflict set and it includes some MCS, C_j. This C_j has the property that C_j ⊆ Comp−D which contradicts the premise that D ∩ C_j ≠ ∅. Q. E. D.

Proof of Corollary 1

(⇒) Let D ⊆ Comp be a minimal weak diagnosis. Then by theorem 1, it is a hitting set over the MCSs. Suppose D is not a minimal hitting set. Then D includes a proper subset, D′, which is also a hitting set, ie, D′ intersects all the MCSs. By theorem 1, applied in the reverse direction, D′ is a weak diagnosis, contradicting the fact that D is minimal.

(⇐) This direction follows in like fashion.

REFERENCES

[1] B. G. Buchanan, E. H. Shortliffe, Rule-Based Expert Systems, 1984; Addison-Wesley.

[2] R. Davis, “Diagnostic reasoning based on structure and behavior”, Artificial Intelligence, vol 24, 1984, pp 347-410.

[3] J. de Kleer, B. C. Williams, “Diagnosing multiple faults”, Artificial Intelligence, vol 23, 1987, pp 97-140.

[4] M. R. Genesereth, “The use of design descriptions in automated diagnosis”, Artificial Intelligence, vol 23, 1984, pp 411-436.

[5] R. Greiner, B. A. Smith, R. W. Wilkerson, “A correction to the algorithm in Reiter’s theory of diagnosis”, Artificial Intelligence, vol 41, 1989, pp 79-88.

[6] M. D. Mesarovic, Y. Takahara, General Systems Theory: Mathematical Foundations, 1975; Academic Press.

[7] R. Reiter, “A theory of diagnosis from first principles”, Artificial Intelligence, vol 32, 1987, pp 57-95.

[8] E. Scarl, “Diagnostic tolerance for missing sensor data”, Telematics & Informatics, 1989 Nov/Dec.

[9] D. A. Waterman, A Guide to Expert Systems, 1985; Addison-Wesley.

[10] A. W. Wymore, A Mathematical Theory of Systems Engineering: The Elements, 1967; John Wiley & Sons.

[11] L. A. Zadeh, C. A. Desoer, Linear System Theory, The State Space Approach, 1963; McGraw Hill.

[12] B. P. Zeigler, Object-Oriented Simulation with Hierarchical, Modular Models: Intelligent Agents and Endomorphic Systems, 1990; Academic Press.

[13] B. P. Zeigler, S. Chi, “Symbolic discrete event system specification”, Proc. 2nd Conf. AI, Simulation, Planning for High Autonomy, 1991 Apr, pp 13-141; Cocoa Beach; IEEE Computer Soc. Press.

AUTHOR

Dr. Bernard P. Zeigler; ECE Dept; University of Arizona; Tucson, Arizona 85721 USA.

Bernard P. Zeigler (M’87, SM’87) is Professor of Electrical and Computer Engineering at The University of Arizona, Tucson. He received his BEng Phys from McGill University, 1962; MSEE from MIT, 1964; and PhD from the University of Michigan in 1969. He has published over 100 journal and conference articles in modeling and simulation, knowledge-based systems, and high autonomy systems. His first book Theory of Modelling and Simulation (1976) is regarded as one of the foundations in the field. A second book Multifaceted Modelling and Discrete Event Simulation (1984) was given the outstanding simulation publication award by TIMS College on Simulation in 1988. Zeigler’s current research on simulation methodology is described in a new book, Object-oriented Simulation with Hierarchical, Modular Models: Intelligent Agents and Endomorphic Systems (1990). His research has been supported by US Federal Agencies including NSF, NASA, and the Army, as well as industrial sponsors including Siemens, McDonnell Douglas, and Motorola. He is founder of a university spin-off company for technology transfer of his simulation environment concepts, and is the recipient of an SBIR (Small Business Innovative Research) grant from the US Army.

Manuscript TR91-093 received 1991 February 12; revised 1991 May 21.

IEEE Log Number 02286
