The document discusses model-based diagnosis of discrete event systems via automatic planning. It begins with an introduction to model-based diagnosis and the hypothesis space approach. The talk then describes representing diagnosis as a planning problem by defining the diagnosis problem in a hypothesis space with a mapping function. Algorithms are presented that use AI planners to compute the diagnosis as the preferred hypotheses. Experimental results applying these algorithms to challenging diagnosis problems are also discussed.

1. Model-Based Diagnosis of Discrete Event Systems
via Automatic Planning
PhD. candidate Luca Ceriani
Department of Information Engineering, University of Brescia
Brescia, Italy. March 16th, 2015.
1 / 54

2. Outline
Introduction & Background;
Hypothesis Space Approach to DES Diagnosis;
Diagnosis as Planning;
Regular Hypothesis Spaces;
Physically-Possible Hypotheses;
Experimental Results;
Conclusions and Future Work.
2 / 54
Notes:
At first, the model-based approach to diagnosis of discrete-event
systems (DESs) is introduced, along with an overview of the
well-known ”classical approach” (AKA Diagnoser Approach)
described in the literature. This talk is about the hypothesis-based
approach , i.e. the most recent approach to DES diagnosis: several
algorithms are presented. All such algorithms use AI Planning
technologies to compute the diagnosis. To improve the scalability of
the proposed algorithms, a property of regularity of hypothesis
spaces defined as partially-ordered sets will be presented along with
the concept of physically possible hypothesis. The last part presents
and discuss the experimental results obtained running the algorithms
over a suite of challenging diagnosis problems.

3. Model-Based Diagnosis (MBD)
It is the leading approach to Artificial Intelligence (AI) diagnosis;
A system is described through a model that represents the
system behavior (MBD);
An observation represents the observed behavior of the system
over a finite period of time;
Diagnosis reasoning consists in explaining the observation of the
system by exploiting the model.
3 / 54
Intuitively, a doctor determines the disease affecting a patient
according to a model-base reasoning approach:
• The doctor learns a model of the system to diagnose (the human body)
through his/her studies: to simplify, the doctor knows the behaviour of
a healthy human body as well as the behaviour in the presence of a
known disease.
• The doctor examines the patient and collects the observation: he/she
listens to the patient, sees the visible symptoms, the results of a blood
tests, etc.
• The doctor explains the collected observation according to the model.

4. Some Application Domains
Power-grids;
Unmanned vehicles;
Digital circuits;
Air-crafts and space-crafts.
4 / 54
These are some application domains where MBD has successfully
been applied. In general, the context is the following: we are dealing
with complex systems (for example, highly engineered system).
When dealing with such systems, sooner or later, something goes
wrong. When a problem occurs, a manual intervention is infeasible
and an automated diagnostic support is needed to understand the
problem and schedule a suitable action (for example, a repair action).

5. Discrete Event System
DES
Discrete-state, event-driven, dynamic system whose evolution
depends entirely on the occurrence of discrete events over time.
C. Cassandras & S. Lafortune, Introduction to Discrete Events Systems.
Springer, 2nd ed., 2008.
5 / 54
The models I use are the Discrete Event Systems (DES) and here we
have a the typical textbook definition.

6. Research Goal & Activity
Research Goal
Exploiting existing planning technologies to perform MBD of DESs.
Research Activity
Design of algorithms to exploit planners as DES diagnosis solvers;
Definition of a meta-model to represent a DES diagnosis problem as a
planning problem.
6 / 54
AI Planning has made huge progress in the last two decades thanks
to the effort of the scientific community. The idea behind my work is to
exploit existing planning technologies for the benefit of DES
diagnosis. The research activity was divided in two parts as
described.

7. DES Model
A DES M is typically defined as a finite automaton (FA) that
represents the complete behavior of the considered system.
Definition
M=(X, Σo, Σu, Σf , T, xo), where:
X is the set of discrete states;
T ⊆ X × (Σo ∪ Σu) × X is the state transition relation;
Σo is the set of observable events;
Σu is the set of unobservable events: Σu ∩ Σo=∅;
Σf ⊆ Σu is the set of faulty events;
x0 ∈ X is the initial state.
7 / 54
A DES is typically represented as a finite automata that represents at
least the normal behaviour of the system and possibly the behaviour
in the presence of specific faults. Intuitively, a fault can be a broken
component as well as an undesired situation (for example, the system
should never be operating in a specific configuration). The slide
shows the formal definition. Let’s see the example in the next slide for
a more intuitive understanding.

8. Example
Observable events: Σo = {o1, o2}
Unobservable events: Σu = {u, a, b, c}
Σu ∪ Σo = ∅
Partially observable DES
Faulty events Σf = {a, b, c}
Σf ⊆ Σu
8 / 54
Here we can see a graphical representation of the automaton
associated with a simple DES:
• The discrete states are represented as numbered circles with state
zero as initial state;
• The directed edges represent the allowed state transitions. Each edge
is associated with an event (label): a state transition takes place
when the associated event occurs while the system is in a suitable
state.
• The events can be either observable or unobservable. An event is
observable if it can be detected by an external observer of the system
(a sensor). An event can be unobservable either for physical or cost
constraints (sensors are expensive). The transitions associated with
the observable events are depicted as full edges while, the transitions
associated with unobservable events are depicted as dashed edges.
Unobservable transitions take place unnoticed: in order to reconstruct
the evolution of the system, only the observable transitions are
available.
• For this reason, the diagnosis task is hard: it is intrinsically
characterized by uncertainty. Moreover, to make the scenario even
harder, we typically assume the faulty events as unobservable.

9. Regular Language
L = { , o2 , o2, c , o2, u , o2, c, u , . . .};
each σ ∈ L is a trace (or word);
obs(σ) is the projection of σ on Σo.
Example: if σ = o2, u, o1 then obs(σ) = o2, o1 .
9 / 54
An automaton generates a regular language (L) which is the (possibly
infinite) set of all traces. A trace, denoted as σ, is obtained by
following a directed path of the automaton and concatenating the
events associated with the transitions met along the path.

10. Observation
An observation O is a temporally (un)certain record of observable
events e ∈ Σo generated by a DES M while running over a finite period
of time.
10 / 54
In the context of DES diagnosis, the observation O is represented as
a directed acyclic graph (DAG) where the states represent the
observed events while the directed edges reflect the temporal
precedence relation of emission of the events. Since the channel
between the system and the observer may be affected by delay, the
actual order of emission of the observed events may be unknown, i.e.
the observation can be temporally uncertain. A DAG allows to
represent such uncertainty: the first of the two DAG on the left of the
slide represents a totally-ordered observation (no uncertainty) while
the other reflects an observation where the relative order of emission
of the second and the third observed events is unknown: we only
know that they both occurred after the first event and before the fourth
one. Such uncertainty makes the diagnosis task hard. An
observation, either uncertain or not, is always consistent with the
considered DES model (the automaton).

11. Classical Definitions
Diagnosis Problem
D = (L, O)
Solution
∆id = {σ ∈ L|obs(σ) ∈ ||O||}
∆id is the diagnosis;
σ ∈ ∆id is a candidate;
||O|| is the set of all the topological orderings of O.
11 / 54
A classical diagnosis problem is defined as a tuple composed of the
language L generated by the DES and an observation O. The
diagnosis ∆id is the solution of the diagnosis problem D and is the
set of all traces σ whose projection over the alphabet of observable
events is consistent with the observation. Each trace in the diagnosis
is a candidate. Let’s see an example.

12. Example
Given O = o2, o3, o1 ,
σ = o2, c, u, u, u, o3, u, o1 ,
σ ∈ ∆id : it may be the actual system behavior.
12 / 54
Here we have a simple diagnosis problem. The given observation is a
totally-ordered sequence of events. The red path of the automaton,
starting in the initial state zero, is a possible evolution of the system
consistent with O. The path corresponds to the shown trace sigma:
the projection of the observable events in σ (highlighted in green)
corresponds to O, indeed σ is a candidate. Since a DES is usually
partially observable, there may be several paths consistent with a
given observation O, thus the diagnosis is a set: we generally don’t
know which of the candidates in the set is the actual evolution of the
system.
This example reflects the so called ”classical approach” to DES
diagnosis. The main issue of such an approach is the scalability of
the diagnosis algorithms: for complex systems, the correspondent
automaton is huge and the algorithms described in the literature
cannot compute the diagnosis within a reasonable time limit.
Moreover, the candidates are defined (and computed) at the
minimum abstraction level possible, i.e. a trace consistent with O. A
user is typically interested in more abstract definitions of candidates.
For example, a candidate may be defined as the set of faulty events
included in at least a trace σ consistent with the given observation.

13. Hypothesis Space Approach to DES Diagnosis
A. Grastien, P. Haslum, and S. Thiebaux (DX11, KR12).
The authors propose a general diagnosis algorithm that can
exploit any type of solver as a hypothesis tester;
The algorithms proposed in my work of thesis are specifically
designed to exploit:
A planner as both a hypothesis generator and tester.
The regularity of the hypothesis space.
13 / 54
To overcome the limitations of the classical approach, the Hypothesis
Space Approach to DES Diagnosis has been proposed.

14. Map Function
Hid = L;
Hset = 2Σf (finite space);
Hseq = Σ∗
f (infinite space).
14 / 54
The new approach is based on the concept of hypothesis space. The
(implicit) hypothesis space of the classical approach is the regular
language L generated by the system (left oval in the picture). Given
an observation O, the diagnosis is the set of all the traces σ
consistent with O, i.e. a non-empty subset of the left oval. Unlike the
classical approach, the new approach starts explicitly defining the
space H of all hypothesis h at the desired abstraction level (the right
oval): given the alphabet of faulty events Σf , each hypothesis h may
be defined as a subset of the alphabet. In such a case, H is the
power-set of Σf , denoted as Hset. Then, mapping function map()
associates each trace in L with a hypothesis h ∈ H according to a
specified semantic (see the next slide for examples). The space H
can be defined in several ways: for example, a hypothesis h can be
defined as a sequence of faulty events. In such a case, space
H = Σ∗
f is the Kleene-closure of the alphabet of faulty events,
denoted as Hseq.
Note that, depending on the chosen level of abstraction, the
hypothesis space can either be finite, such as Hset, or infinite such as
Hseq.

15. Example in Hset
Given Σf ={a, b, c} and σ = o2, c, u, a, o1 ;
map1(σ) = {ei ∈ σ | ei ∈ Σf };
map1(σ) = {a, c};
map2(σ) = {ei ∈ σ | ei ∈ Σf {a}};
map2(σ) = {c}.
15 / 54
Given Σf a trace σ and Hset as hypothesis space, the first mapping
function associates to σ a hypothesis h ∈ Hset composed of the faulty
events included in σ. Since the semantics of the second mapping
function is different, the same trace σ is associated with a different
hypothesis.

16. Definitions
Abstract Diagnosis Problem
D = (L, O, H, map)
Abstract Diagnosis
∆ = {h ∈ H | ∃σ ∈ L, obs(σ) ∈ ||O||, h = map(σ)}
16 / 54
Formally, the diagnosis problem in the hypothesis space is a
quadruple composed of L and O (like in the classical approach
definition), the hypothesis space H at the desired abstraction level
and, a mapping function map(). The solution of the problem is the
diagnosis ∆, defined as the set of hypotheses h ∈ H associated
through function map with at least a trace σ consistent with O. Note
that the diagnosis is sub-set of H, i.e. the right oval. Both definitions
are abstract since they hold for whatever definition of H and map.
Unlike the classical approach, the hypothesis space approach
computes the diagnosis at the level of abstraction defined by the user
(through H and map). This, as well as meeting a user requirement,
simplifies the computational burden of the diagnosis algorithms:
despite a hypothesis h may be associated with several traces σ, we
just need to compute only one trace to determine whether h is a
candidate hypothesis.

17. Preference
Hypotheses are not all equally preferable, hence a preference relation,
denoted as , can be defined over H.
If h h , then h is at least as preferable as h ;
if is a partial order relation, then H is a poset;
incomparable hypotheses.
17 / 54
Not all hypotheses of the space H are equally interesting. Indeed,
some hypotheses can be preferred to others according to a given
preference criterion: intuitively, a fault may be more likely than
another, or, a faulty may be more safety-critical then another. A
preference criterion suggests which hypotheses should be verified
first by the diagnosis algorithms.

18. Some Preference Relations
subset-minimality ( set) for Hset;
h1 set h2 ⇒ h1 ⊆ h2;
∀h ∈ Hset, h ⊂ Σf ;
subsequence-minimality ( seq) for Hseq;
h1 seq h2 ⇒ h1is a subsequence of h2;
∀h ∈ Hseq, h ∈ Σ∗
f .
18 / 54
Several preference criteria can be adopted. Such criteria can be
either domain dependent as the examples given in the previous slide
or, domain independent such as the examples described here below
or, a mixture of both.
Assuming Hset as hypothesis space, a hypothesis h1 is preferred to a
hypothesis h2 according to the subset-minimality preference criterion
if h1 is a subset of h2. Otherwise, assuming Hseq as hypothesis
space, a hypothesis h1 is preferred to a hypothesis a h2 according to
the subsequence-minimality preference criterion if h1 is a
subsequence of h2.

19. Preferred Diagnosis
Definition
∆ = {h ∈ ∆|∀h ∈ ∆, h h ⇒ h = h}.
Remark
∆ is the solution of the diagnosis problem in the hypothesis space.
Note that ∆ ⊆ ∆.
Theorem
In any hypothesis space H that is a poset under relation , the
preferred diagnosis ∆ is finite and not empty.
19 / 54
Set ∆ indicates the preferred-diagnosis, i.e. the set of all candidate
hypotheses h for which no other candidate hypothesis h is preferable
to, according to the given preference criterion . The preferred
diagnosis is the solution of the diagnosis problem in the hypothesis
space, it is a subset of the diagnosis ∆: we are not looking for all the
candidate hypotheses but only for the preferred ones. The preferred
diagnosis is also called the minimal diagnosis and the preferred
candidates are consequently called minimal candidates.
We always consider partial-order relations as preference criterion ,
thus the associated hypothesis space H is always a
partially-ordered set. In such a scenario, the minimal diagnosis ∆ is
a finite and not empty set, as stated by the proposed theorem
(borrowed from set theory).

20. Poset Representation
Upside-down Hasse Diagram (regular structure);
Most preferred hypothesis h0 (root).
20 / 54
Any partially-ordered set can be graphically represented by a Hasse
diagram. The figure shows a representation of Hset: each node of the
graph represents a hypothesis of the space. The empty hypothesis
h0, denoting the absence of faults, is the most preferred hypothesis of
the space. The edges are implicitly directed downward and reflect the
subset-minimality preference relation. Each hypothesis is preferred to
any of its descendants. The set of successors of a hypothesis h,
denoted as succ(h), includes h itself and all the hypotheses that can
be reached starting from h and following a downwardly directed path.

21. Proposed Algorithms
Basic Algorithm (BA)
Full look-ahead algorithm (FLA)
Full look-ahead algorithm with conflicts (FLAC)
Regular look-ahead algorithm (RLA)
Suffix look-ahead algorithm (SLA)
Generation algorithm (GEN+D)
21 / 54
All the diagnosis algorithms presented in my thesis explore the
hypothesis space, implicitly represented as a Hasse diagram, in an
increasing preference order (top-down order): starting from h0, the
hypotheses are generated in a breadth-first order. Each hypothesis h
generated is subsequently tested to verify if it is candidate. If h is a
candidate, then h is also a minimal candidate since the algorithms
explore the space in a breadth-first order. No child h of h is
generated since h cannot be minimal respect to h. If h is not a
candidate, the children of h may be generated, depending on the
diagnosis algorithm considered.
Here we have the list of all the algorithms presented in the thesis
document: this talk introduces only the algorithms highlighted in
green. All the algorithms listed perform an explore the hypothesis
space to compute the preferred diagnosis. When the algorithm stops,
either all the hypotheses have already been generated and tested or,
no hypothesis yet to be tested can be a minimal candidate.

22. Full Look-Ahead Algorithm with Conflicts (FLAC)
FLA(h) : succ(h) ∩ ∆
?
= ∅
FLA(h) outcomes:
pass: h ∈ ∆ ;
OK: succ(h) ∩ ∆ = ∅;
KO: succ(h) ∩ ∆ = ∅ (h is a conflict).
22 / 54
The first algorithm presented is FLAC: starting from h0, the
hypotheses are generated according to the given preference criterion.
Each hypothesis generated h is subjected to a full look-ahead test,
denoted as FLA(h). The test checks for the presence of at least a
candidate in the space succ(h) of successors of h. The three possible
outcomes are shown. If the outcome is pass then, h is a minimal
candidate. Otherwise, if the outcome is OK, then h is not a candidate
but there exists at least a candidate in succ(h). Finally, if the result is
KO then, neither h is a candidate nor there exists a candidate in
succ(h).
The implementation details of a FLA test are introduced in later
slides. The next slide only shows an intuitive example where a run of
the algorithm is simulated for a simple diagnosis problem.

23. FLA Example
Hset=2Σf
23 / 54
Let suppose that, for a given DES L and observation O, the
associated hypothesis space Hset is shown. Moreover, let suppose
the hypothesis highlighted in green as the only candidate of such a
problem. The algorithm is unaware of this information: it starts the
space exploration testing hypothesis h0. Since h0 is not a candidate
and, there exists a candidate (the green one) in succ(h0) then, the
test result is OK. As a consequence, the three children of h0, i.e. the
singleton hypotheses at level one, are generated and inserted in a
FIFO queue. The next hypothesis in the queue is considered, namely
ha = {a}. The test of such a hypothesis results in KO: indeed, the
hypothesis is not a candidate and there is no candidate among its
successors. Such a hypothesis is marked as a conflict (C) and none
of its children is generated: they cannot be candidates, otherwise the
test of h = {a} could not result in KO. The test of hb = {b} results in
OK and its right child is generated while the left one is not since it is
also a descendant of hypothesis ha marked as a conflict. The
subsequent test of hc = {c} results in OK, however none of the
children are generated: the left children is a descendant of a conflict
while, . . . (continues in the next slide)

24. Diagnosis as Planning
Related Work
S. Sohrabi, J. Baier, S. McIlraith (KR10)
The authors define the classical DES Diagnosis problem as a
Planning problem;
I define the DES Diagnosis problem in the hypothesis space (that
is not adopted in the quoted work) as a Planning problem;
I proposed a general PDDL encoding for a diagnosis problem,
while the quoted work just encoded observations.
24 / 54
. . . (from the previous slide) the right one has already been
generated. When FLAC starts exploring level two, the only generated
hypothesis is the candidate hypothesis thus, the test succeeds
resulting in pass. The children of such a candidate cannot be minimal
thus, they are not generated. At this point, the queue is empty and
the space is exhaustively explored.
A full look-ahead test of a hypothesis h, FLA(h), is encoded as a
planning problem and can be solved using a planning system.

25. Change of Perspective
Planning is the construction of a future story (a priori);
DESs diagnosis is the reconstruction of a past story (a posteriori);
Construction of stories is the task that subsumes the previous two.
25 / 54
Why using a planner to solve a diagnosis problem? DESs diagnosis
and AI planning have a common denominator, namely construction of
stories.

26. Diagnosis as Planning: encoding
PFLA(h) is the reduction of FLA(h) to a planning problem;
PFLA(h) = (FFLA(h), IFLA(h), AFLA(h), GFLA(h))
26 / 54
The slide introduces the formal definition of a diagnosis test as a
planning problem. Since a detailed description of the planning
encoding would take too long, an intuitive description is proposed:
PF LA(h) denotes the planning problem equivalent to a FLA(h) test of
a hypothesis h. Intuitively, the automaton representing the system
model, the given observation O and the hypothesis under test h are
encoded through a set of invariant predicates asserted in the
planning problem initial state IF LA(h) and never falsified. Other
predicates included in the initial states are required to correctly
update the current states of the automaton, the observation and the
hypothesis, respectively. Goal GF LA(h) is a conjunction of two
formulas: any valid plan (if any) must include all the events of in O
and all the faulty events in h. The planning operators in AF LA(h) are
defined in such a way that, if a plan exists, it represents an evolution
σ of the system, consistent with the system model, the observation O
and, the hypothesish: roughly speaking, the actions included in the
plan correspond to system transitions.

27. Hypothesis Encoding
PDDL encoding of PF LA(h), where h={a, b} ∈ Hset
Initial state IF LA(h):
{(as a f1),(as b f2)}
Goal formula GF LA(h):
(forall (fi - fault) (occurred fi))
27 / 54
The slide shows the encoding of hypothesis h = {a, b} in Hset: in the
initial state the faults composing h are listed. Objects fi are required
to decouple a faulty event from its occurrences. The goal condition
requires all the faulty event occurrences to be accounted in any valid
plan.

28. Faulty Transitions (1/2)
The operator below accounts for the faulty events included in h;
(:action faulty-trans
:parameters(s s - state e - event f - flt)
:precondition(and
(faulty e)(as e f)
(current s) (edge s e s ))
:effect(and
(when (not (= s s ))
(and (not(current s))(current s )))
(occurred f)))
28 / 54
How is the qualitative behaviour of a FLA test implemented? By
mean two distinct planning operators presented in the current and
next slide, respectively. Operator faulty-trans is need to account for
the faulty events included in the hypothesis under test h. Any valid
plan includes a number of actions instances of such an operator
equal to the number of faults included in h. Like any other operator
representing system transitions, the precondition enforces only state
transitions in accordance with the encoded system model. Moreover,
it checks if the faulty events considered e is included in hypothesis h.
The effect updates the current state of the automaton and marks the
faulty event f associated with e as occurred.

29. Faulty Transitions (2/2)
The operator below accounts for faulty events not included in h;
(:action faulty-trans-fla
:parameters(s s - state e - event)
:precondition(and
(faulty e)
(current s) (edge s e s ))
:effect(and
(when (not (= s s ))
(and (not(current s))(current s )))))
29 / 54
Operator faulty-trans-fla is the so called ”look-ahead operator”. It is
required to keep enabled all the system transitions labelled with a
faulty event not included in the current hypothesis under test h. Such
transitions may be required by the planner to produce a plan. Since
this operator may seem counter-intuitive, let’s see an example.

30. Example
Hset and Σf = {a, b, c}
O = o2, o3, o1, o3
h = {b}, h ∈ ∆
An OK plan:
1. observable-trans s0 s2 o2 obs1
2. observable-trans s2 s5 o3 obs2
3. faulty-trans s5 s6 b f1
4. silent-trans s6 s1 u
5. observable-trans s1 s7 o1 obs3
6. faulty-trans-fla s7 s4 a
7. observable-trans s4 s6 o3 obs4
30 / 54
At first, let suppose to have encoded problem PF LA(h) without the
look-ahead operator. The system model, the observation O and the
current hypothesis under test h are given. Assuming state zero as the
initial state, the red path is the only path consistent with O that
includes the fault b in h. However, such a problem has no solution
since the red path also includes a transition labelled with faulty event
a not included in h. The transition from state 7 to state 4 is not
enabled and the logical value of such a test is KO. If the look-ahead
operator is included, the problem has a solution and the plan
generated is reported on the right of the slide: actions 1, 3, 5 and 7
represent O, action 3 represent the fault included in h while, action 6
is an instance of the look-ahead operator representing the mentioned
faulty transition. The logical value of such a plan is KO. If a generated
plan does not include any action instance of the look-ahead operator,
then, the hypothesis under test h is a candidate and the logical value
of the plan is pass.
The look-ahead operator may be needed by a planner to satisfy either
the given observation O or, the considered hypothesis h or, both.

31. Comments on FLA
Sound & complete (if |∆| = ∞);
It may not terminate (for instance, it may not terminate in Hseq if L
includes faulty silent cycles);
if FLA(h)=KO the space succ(h) rooted in h is pruned;
Scalability issue: full look ahead test failures are computationally
expensive.
31 / 54
The algorithm terminates if the cardinality of the diagnosis is finite.
This may not happen if the cardinality of the hypothesis space is
infinite and, the system model includes faulty silent cycles, i.e. cycles
of silent transitions, at least one of which is a faulty transition.
Each look-ahead test resulting in KO determines a pruning of the
hypothesis space since the children of the considered hypothesis are
not generated (nor tested) and the hypothesis is marked as a conflict
for possible future pruning of the space. Despite this, such a test is
computationally expensive to compute as it is a planning problem with
no solutions: the classical planners exploited are heuristic planners.
A heuristic planner can efficiently compute a solution, if a solution
exists: in such a case, the heuristic function drives the planning
search towards the goal. However, if the problem has no solution, as
in the case of a FLA resulting in KO, the heuristic guidance is useless
and the planner have to explore the whole planning search space
before determining the test failure. Since such a kind of test is
repeated very frequently, a scalability problem arises: the algorithm is
not able to exhaustively explore the hypothesis space within a
reasonable time limit.

32. Regularity of Poset Hypothesis Spaces
Different space exploration strategy;
Reduced number of hypotheses tested;
Reduced computational burden of look-ahead tests.
32 / 54
The regular look-ahead algorithm (shortly RLA) has been designed to
overcome the limits of FLAC. Such an algorithm exploit the property
of regularity of hypothesis spaces defined as partially-ordered sets.
The property allows for a different exploration strategy of the space to
reduce the number of hypotheses tested and, to reduce the
computational burden of the tests resulting in KO.
Such a property consists in partitioning the set of children of a
hypothesis h in two parts: the set childreng(h) of children of h
generated by h and, the set childrenng(h) of children of h not
generated by h.
Recursive definition of sets succg(h) and succng(h) denoting the set
of successors generated starting from h and not generated starting
from h, respectively, are also possible.

33. Regularity in Hset
33 / 54
Let introduce the property of regularity with an intuitive example. Note
that, although the example focuses on space Hset, the property can
be defined in whatever hypothesis space. The figure shows a space
where two different type of edges are depicted: given a hypothesis h
set childreng(h) includes all the hypothesis directly connected to h
through a full edge. Vice versa, set childrenng(h) includes all the
hypothesis directly connected to h through a dashed edge. For
example, if h = {a}, then childreng(h) = {{a, b}{a, c}} while,
childrenng(h) = ∅. If h = {b} then childreng(h) = {{b, c}} while,
childrenng(h) = {{a, b}}
Set succg(h) (succng(h)) includes all the hypothesis that can be
reached following a full (dashed) path starting from h.
It is important to note that, if the dashed edges are virtually removed
from the graph, all the hypotheses of the space are reachable starting
from h0, through a single path. No hypothesis of the space is
lost/pruned. This is important to preserve the completeness of the
algorithm.

34. Regularity in Hseq
34 / 54
The slide shows space Hseq where only the full edges are drawn for
clarity. Intuitively, each hypothesis h ∈ Hseq is a prefix of each
hypothesis in succg(h).

35. Regular Look-Ahead Algorithm (RLA)
Regular Look-ahead
A regular look-ahead test RLA(h) looks for candidates in the sub-space
succg(h).
35 / 54
The algorithm explores the hypothesis space in a breadth-first order.
Likewise FLA, each hypothesis generated is tested to verify if it is a
candidate. Unlike FLAC, RLA executes regular look-ahead tests: a
regular look-ahead test of a hypothesis h, denoted as RLA(h), looks
for candidates only in set succg(h) of successors generated starting
from h.

36. RLA Example
36 / 54
The slide shows a simulation of RLA over the same example
proposed for FLA. When the test of a hypothesis h results in OK, only
the hypotheses in childreng(h) are generated. The test of hypothesis
hc = {c} results in KO since hc is not a candidate and succg(hc) = ∅:
the regular look-ahead search space is restricted and, the number of
tests resulting in OK decreases. In large hypothesis spaces, this idea
improves the overall performance of the algorithm: FLA generates
and tests more hypotheses than RLA since the presence of a
candidate δ in a deep level of the space determines a test resulting in
OK, for each hypothesis ha ancestor of δ. In other words, FLA may
unnecessarily reach δ via multiple paths of hypotheses all starting in
h0: along these paths, all the look-ahead tests resulting in OK drag
the space exploration towards the deeper levels of the space. As a
consequence, the children of each ancestor hypothesis ha may all be
unnecessarily generated and tested. RLA prevents this issue by
exploiting the property of regularity of the space and allowing the
generation of each hypothesis through a unique path of ancestors,
starting in h0.

37. Comments on RLA
Tests resulting in a failure are computationally easy since the
look-ahead search space is properly constrained;
Efficient hypothesis generation and pruning;
Tests resulting in a failure do not generate conflicts.
37 / 54
Here a summary of the benefits of using RLA over FLA. Note that, if
the regular look-ahead test of a hypothesis h results in KO, then h
cannot be marked as conflict. Indeed a hypothesis h is a conflict iff
succ(h) ∩ ∆ = ∅. However, RLA performs look-ahead tests looking for
candidates only in succg(h) ⊆ succ(h). This represents a trade-off
between the more effective pruning ability of FLA and a the
computationally easier type of look-ahead test of RLA.

38. Physically Possible (PP) Hypotheses
38 / 54
The algorithms presented so far adopted a blind space generation
strategy, i.e. they do not account for the given system model. As a
result, many of the hypotheses generated are inconsistent with such
a model and they cannot be candidates whatever observation is
considered. This is inefficient and we aim to design an algorithm able
to generated and test only hypotheses consistent with the model,
namely the physically-possible (PP) hypotheses.
The slide shows a graphical example: on the left we have a simple
DES model while on the right is reported the hypothesis space Hset
associated with such a model: the two hypotheses marked with a red
cross are not PP given such a model. Denoted as H∗
set the space of
PP hypotheses, typically |H∗
set| << |Hset|, i.e. H∗
set is a small fraction
of Hset.

39. Generating and Testing PP Hypotheses
h0 is PP;
A PP hypothesis h is generated as a child of a PP hypothesis h
under test;
h is the generator of h ;
only a PP hypothesis is checked to verify if it is a candidate.
39 / 54
The following are the basic assumption made: h0 is always a PP
hypothesis since it represents the normal behaviour of a system
(absence of faults). Each PP hypothesis h is generated a child of
another PP hypothesis h.

40. Algorithm
Algorithm GEN+D(L,O,H,map, )
1. S ←
2. C ← ∅
3. ∆ ← ∅
4. h ← h0
5. while h = null
6. h ← GT(L, h, S, C ∪ ∆ )
7. if h = null
8. h ← pop(S)
9. continue
10. else
11. result ← DT(L, O, h )
12. if result = pass
13. ∆ ← ∆ ∪ {h }
14. else if result = conflict
15. C ← C ∪ {h }
16. else
17. append(S,h )
18. return ∆
40 / 54
Algorithm GEN+D integrates both the generation of PP hypotheses
and the subsequent diagnostic test. A PP hypothesis h may be
generated (line 6) as a child of a PP hypothesis h generated in a
previous iteration of the algorithm (initialized to h0). If no hypothesis
h is generated (line 7), then h is discarded and another generator
hypothesis is selected (line 8). If no other generator is found, the
algorithm stops (line 5). Otherwise, if h is generated, h is
subsequently tested by one of the diagnosis algorithms proposed
(see slide 21) to verify if it is a candidate (line 11). The result of such
a diagnosis test depends on the diagnosis algorithm: for example, if
RLA is the selected algorithm, it can never return conflict (line 14) as
a test result. Regardless of the selected algorithm, the outcome of
each diagnosis test is stored to optimize the generation of the PP
hypotheses in the next iterations of the algorithm. Indeed, no PP
hypothesis descending from either a conflict or, a minimal candidate
can be generated (despite being a PP hypothesis!). This represents a
pruning of the (implicit and unknown) space of physically possible
hypotheses.

41. Generation Test
GT(L, h, S, C ∪ ∆ ) (GT(h) for short) generates a PP hypothesis h
such that:
h ∈ children(h)
h ∈ S
∀h ∈ C ∪ ∆ ⇒ h ∈ succ(h )
PGT (h) is the planning problem corresponding to GT(h):
PGT (h) = (FGT (h), IGT (h), AGT (h), GGT (h))
Observation O is irrelevant.
41 / 54
GT(h) denotes the generation test of a PP hypothesis h from a
generator hypothesis h such that: h is a children of h, h has not yet
generated in a previous iteration of the algorithm and, h is neither a
descendant of a candidate nor a descendant of a conflict.
Problem PGT (h) is the planning problem corresponding to GT(h): note
that no observation is needed since the PP hypotheses are
determined evaluated considering only the system model.

42. Encoding
Initial state IGT (h) includes:
The encoding of the generator hypothesis h;
The encoding of the forbidden faulty transitions in sets S and ∆ ∪ C.
Goal condition GGT (h) is the conjunction of the following facts:
All the faults in h must occur;
Fact (extra-fault) must hold.
42 / 54
The encoding of PGT (h) is similar to the proposed encoding of
PF LA(h). The main difference is the inclusion in the planning problem
initial state IGT (h) of the invariant predicates required to force the
generation of a PP hypothesis h compliant with the three constraints
discussed in the previous slide. Goal GGT (h) requires all the fi
objects associated with faulty events included in the generator
hypothesis h to occur and, predicate (extra-fault) to be asserted (see
next slide).

43. Extra Fault
(:action faulty-trans-gen
:parameters(s s - state e - event)
:precondition(and
(not (observable e))(faulty e)
(current s) (edge s e s ))
(not (extra-fault)) (not (forbidden e))
(forall (f - fault) (occurred f)))
:effect(and
(when (not (= s s ))
(and (not(current s))(current s )))
(extra-fault))
43 / 54
Operator faulty-trans-gen is the ”generator-operator” responsible to
assert predicate (extra-fault) included in the goal formula: the
operator is enabled only when all the faults included in the generator
hypothesis h have already occurred. The faults in h are still accounted
by the actions of operator faulty-trans (see slide 28). Any valid plan
must include exactly one action instance of such an operator.

44. Solution Plan
If a solution plan πGT (h) exists, the generated PP hypothesis h is the
combination of the faults of the generator hypothesis h and an arbitrary
additional fault;
Otherwise, the generator hypothesis h is exhausted, and another
generator is selected.
44 / 54
The generated hypothesis h associated with a plan (if any) is
obtained through a linear scan of the plan itself.

45. Comments on GEN+D
The number of test failures is highly reduced;
The approach is independent of the selected diagnosis algorithm;
The outcomes of the diagnosis tests are used to prune the PP
hypothesis space.
45 / 54
The number of test failures is drastically reduced since the
physically-impossible (PI) hypotheses are not generated nor tested.
The overhead introduced by the generation tests is minimal since
each generation test is computationally easy regardless of its
outcome. The overall time complexity of the approach is lower than
the time complexity of the diagnosis algorithms adopting a blind
generation strategy.

46. Test Cases
Distributed DES models (communicating automata);
Different degree of temporal uncertainty of the observation;
Space Hset and Hseq (implicit mapping).
A test case is considered as solved if the hypothesis space is
exhaustively explored within a timeout of 30 .
The reported experimental results are have been produced
exploiting the MFF planning system (robustness);
Several other planning systems have been used and the data
produced generally shows the same trend of MFF.
46 / 54
The last part of the talk is relative to the experimental results. The
DESs models used to run the experiments are more complex than the
examples shown in this presentation: a distributed DES is a network
of communicating automata where each automaton represents a
component (or sub-system) of a system. The communication among
the automata is represented through synchronous events shared by
the components. The distributed DESs used are defined at different
levels of complexity, where the complexity of a system is determined
by the number of its component, the topology, and the size of the
automaton representing each component. For each system, three
different degrees of uncertainty for the observation are considered
along with two more common hypothesis spaces, namely Hset and
Hseq. A test case is considered solved if the algorithm can
exhaustively explore the hypothesis space within a time limit of 30
minutes. If the algorithm stops without accomplishing an exhaustive
exploration of the space, than the minimal diagnosis may be
incomplete: there may exists minimal candidates not computed.
Note: the sizes of the hypothesis spaces considered are considerable
and ranges from a minimum of 210
up to 250
hypotheses, in the case
of Hset. Space Hseq is infinite.

47. Experimental Results in Hset (1/4)
M U%
BASIC FLAC RLA
NH time min/max CD NH LAT CF time min/max CD NH LAT time min/max CD
A
0 769 12 2/2 1 12 3 8 0 2/2 1 19 2 2 2/2 1
25 769 6 2/2 1 12 3 8 0 2/2 1 19 2 24 2/2 1
50 769 5 2/2 1 12 3 8 0 2/2 1 19 2 0 2/2 1
B
0 68 1 1/1 4 17 5 8 0 1/1 4 11 1 6 1/1 4
25 68 3 1/1 4 19 7 9 1 1/1 4 13 3 2 1/1 4
50 72 2 1/2 6 20 8 9 2 1/2 6 14 4 2 1/2 6
C
0 134044 OT 1/3 8 197 43 146 17 1/3 8 145 10 2 1/3 8
25 132454 OT 1/3 9 198 44 145 32 1/3 9 170 12 3 1/3 9
50 80115 OT 1/3 9 198 44 145 61 1/3 9 170 12 4 1/3 9
D
0 72684 OT 3/3 1 38 21 16 5 3/3 1 53 3 2 3/3 1
25 86268 OT 3/3 1 38 21 16 10 3/3 1 53 3 2 3/3 1
50 66659 OT 3/3 1 38 21 16 40 3/3 1 53 3 9 3/3 1
E
0 70454 OT 2/4 27 267 141 124 OT 2/2 1 1756 127 142 2/4 27
25 69997 OT 2/4 27 281 149 130 OT 2/2 1 1756 127 138 2/4 27
50 70358 OT 2/4 27 207 108 97 OT 2/2 1 1791 129 187 2/4 27
47 / 54
The table is relative to space Hset and, it is divided in two parts (2nd
half in the next slide). Here we can see the five more simple systems
considered (labelled with letters from A to E). The second column
reports the level of temporal uncertainty of the observation: 0%
correspond to a totally-ordered observation, 25% (50%) corresponds
to an observation where a fourth (half) of the temporal precedence
constraints among the observed events are removed. The three
macro columns represent the algorithms considered. BASIC
corresponds to the brute force approach, i.e. it tests of each
hypothesis in the space without any look-ahead capabilities
(infeasible). Column NH reports the number of hypotheses tested.
Column time reports the seconds spent to exhaustively explore the
space, where OT indicates that the algorithm was not able to
exhaustively explore the space in 30 . Column min/man reports the
minimum/maximum depth of the minimal candidates found. Column
CD indicates the number of minimal candidates found: the numbers
in bold indicate that the problem is exhaustively solved.

48. Experimental Results in Hset (2/4)
M U%
BASIC FLAC RLA
NH time min/max CD NH LAT CF time min/max CD NH LAT time min/max CD
F
0 53972 OT 3/3 1 307 201 105 578 3/3 1 85 3 31 3/3 1
25 77780 OT 3/3 1 307 201 105 1527 3/3 1 85 3 55 3/3 1
50 57485 OT 3/3 1 30 14 15 OT ?/? 0 85 3 223 3/3 1
G
0 39667 OT 1/3 12 62 47 13 OT 1/1 1 1919 73 907 1/4 13
25 52148 OT 1/3 12 46 41 3 OT 1/1 1 1919 73 1172 1/4 13
50 51711 OT 1/3 13 46 41 3 OT 1/1 1 3487 166 1764 1/4 14
H
0 51041 OT ?/? 0 5 2 2 OT ?/? 0 231 8 1209 4/5 3
25 39566 OT ?/? 0 2 1 0 OT ?/? 0 76 2 OT ?/? 0
50 53903 OT ?/? 0 2 1 0 OT ?/? 0 35 1 OT ?/? 0
I
0 31081 OT 1/3 13 7 6 0 OT ?/? 0 277 43 OT 1/2 3
25 29874 OT 1/3 14 7 6 0 OT ?/? 0 298 22 OT 1/1 1
50 37226 OT 1/3 14 7 6 0 OT ?/? 0 253 17 OT 1/1 1
J
0 36585 OT 3/3 1 2 1 0 OT ?/? 0 45 1 OT ?/? 0
25 36344 OT 3/3 1 2 1 0 OT ?/? 0 46 1 OT ?/? 0
50 29448 OT 3/3 1 2 1 0 OT ?/? 0 47 1 OT ?/? 0
48 / 54
Algorithm BASIC does not scale when the size of the considered
system grows. FLA performs slightly better by solving more than half
of the test cases. However, the test cases that are not solved are the
most complex ones. The reason of such poor performance is the high
computational complexity of the full look-ahead test: such a type of
test is an unbounded search in the sub-space of hypotheses rooted in
the current hypothesis under test h. This sub-space is typically huge:
if the sub-space does not include any candidate, a planner have to
completely explore the planning search space before determining a
failure. The performance of the algorithm degrades since the number
of hypotheses whose test result is KO is typically large and grows
with the size of the considered hypothesis space. RLA performs
slightly better than FLA but still a scalability problem persists.

49. Experimental Results in Hset (3/4)
M U%
GBASIC GFLAC GSLA
NH GT time min/max CD NH LAT CF GT time min/max CD NH LAT GT time min/max CD
A
0 23 44 1 2/2 1 11 3 7 13 2 2/2 1 14 3 16 1 2/2 1
25 23 44 1 2/2 1 11 3 7 13 2 2/2 1 14 3 16 1 2/2 1
50 23 44 1 2/2 1 11 3 7 13 4 2/2 1 14 3 16 1 2/2 1
B
0 11 17 0 1/1 4 7 1 2 7 3 1/1 4 9 1 9 4 1/1 4
25 13 19 2 1/1 4 90 31 51 120 3 1/1 4 10 2 12 4 1/1 4
50 13 19 3 1/2 6 91 32 50 122 5 1/2 6 10 2 12 7 1/2 6
C
0 131 253 9 1/3 8 91 32 50 122 6 1/3 8 154 36 189 9 1/3 8
25 131 252 8 1/3 9 37 17 19 53 7 1/3 9 154 37 190 9 1/3 9
50 131 252 9 1/3 9 37 17 19 53 10 1/3 9 143 32 174 8 1/3 9
D
0 174 346 17 3/3 1 37 17 19 53 4 3/3 1 78 17 94 5 3/3 1
25 174 346 13 3/3 1 785 512 246 1296 6 3/3 1 78 17 94 6 3/3 1
50 174 346 14 3/3 1 785 512 246 1296 26 3/3 1 78 20 97 11 3/3 1
E
0 1986 3944 1044 2/4 27 793 519 247 1311 319 2/4 27 2798 703 3500 290 2/4 27
25 1986 3944 1031 2/4 27 258 204 53 461 357 2/4 27 2795 689 3483 232 2/4 27
50 1986 3944 1031 2/4 27 258 204 53 461 386 2/4 27 2762 679 3440 238 2/4 27
49 / 54
This table also is divided in two parts and reports the experimental
results relative to the combined algorithms (PP generation +
diagnosis) in space Hset. GSLA combines the generation approach
with SLA, an enhanced variant of RLA. Thanks to the combined
approach, the scalability of the proposed algorithms improves,
although not dramatically.

50. Experimental Results in Hset (4/4)
M U%
GBASIC GFLAC GSLA
NH GT time min/max CD NH LAT CF GT time min/max CD NH LAT GT time min/max CD
F
0 2437 4643 OT 3/3 1 258 204 53 461 115 3/3 1 1001 178 1178 122 3/3 1
25 2437 4648 OT 3/3 1 287 224 61 296 206 3/3 1 1083 216 1298 171 3/3 1
50 2436 4631 OT 3/3 1 217 174 41 223 732 3/3 1 1146 256 1401 399 3/3 1
G
0 5930 7232 OT 1/4 13 215 176 37 221 OT 1/1 1 10300 2928 11462 OT 1/4 13
25 5960 7273 OT 1/4 13 31 12 18 30 OT 1/1 1 10908 2691 12133 OT 1/4 12
50 6172 7550 OT 1/4 14 9 4 4 8 OT 1/1 1 9821 2513 10887 OT 1/4 14
H
0 6235 7465 OT ?/? 0 2 1 0 2 OT ?/? 0 3678 427 4104 1650 4/5 3
25 6325 7589 OT ?/? 0 58 53 3 58 OT ?/? 0 323 83 334 OT 4/5 3
50 5899 7043 OT ?/? 0 49 47 0 49 OT ?/? 0 157 76 180 OT 4/5 3
I
0 6373 6838 OT 1/3 13 60 54 4 60 OT 1/1 1 3282 1925 3442 OT 1/3 14
25 6208 6661 OT 1/3 14 2 1 0 2 OT 1/1 1 2459 1416 2576 OT 1/3 15
50 6142 6591 OT 1/3 14 2 1 0 2 OT 1/1 1 2595 1429 2722 OT 1/3 14
J
0 6342 6778 OT 3/3 1 2 1 0 2 OT ?/? 0 908 1134 2036 OT 3/3 2
25 6426 6869 OT 3/3 1 11 3 7 13 OT ?/? 0 889 1513 1987 OT 3/3 1
50 6270 6703 OT 3/3 1 11 3 7 13 OT ?/? 0 845 1467 1505 OT 3/3 1
50 / 54
Although the proposed algorithms can solve diagnosis problems that
cannot be solved through the classical DES diagnosis approaches,
further work is needed to achieve more substantial improvements.

51. Conclusions
Definition of a meta-model to represent a large class of DES diagnosis
problems;
Proposal of several algorithms to compute the preferred diagnosis in
hypothesis spaces;
Solved test cases that cannot be solved by traditional DES
diagnosis approaches;
Definition of the problem of generating PP hypotheses as a planning
problem;
Proposal of an integrated procedure to generate and test PP
hypotheses.
51 / 54

52. Future Work
Meta-model extensions to represents logical uncertainty and loss of
events in the observation;
Classical planning heuristics to detect unsolvability more efficiently;
Hoffman et al. (ECAI 2014);
Distributed approach to DES diagnosis in the hypothesis space;
Diagnosability;
Planning & Diagnosis from different perspectives.
52 / 54
Hoffman et al. raise an interesting question: the planning community
put a lot of effort in developing increasingly efficient heuristics to
compute solution plans faster and faster. No attention has been
devoted the the study of heuristics function able to easily determine
when the problem has no solutions. The proposed diagnosis
algorithms may benefit from the future developments of this new line
of research. Another possibility is the definition of a distributed DES
diagnosis problem in the hypothesis space: the system is
decomposed in several sub-systems. Each sub-system has its own
local hypothesis space and carries out the diagnosis task locally. A
coordination phase is required to determine if a locally computed
candidate is globally consistent. This approach sounds promising to
tackle the scalability issues of the centralized approach.
Diagonalisability is an important property of a system that allows to
determine to what extent an occurred fault can be detected. A
diagonalisability test could be formalized as a planning problem.
Active diagnosis consists in obtaining the most informative
observation of the system, to best discriminate among a set of
candidates. Determining such an observation is a non-trivial task that
can be carried out exploiting a planner.

53. Thank you!
53 / 54

54. References
Xiangfu Zhao and Luca Ceriani, Minimal Sequential Diagnosis of
Discrete-Event Systems, in Proc. of the 24th International Workshop on
Principles of Diagnosis (DX), 2013.
Luca Ceriani and Alfonso Emilio Gerevini, Planning with Preferences by
Compiling Soft Always Goals into STRIPS with Action Costs, Proc. of
the 5th Workshop on Knowledge Engineering for Planning and
Scheduling (KEPS), 2014.
Eric Huang and Andres Quiroz and Luca Ceriani, Automating Data
Integration with HiperFuse, Proc. of the 2014 IEEE International
Conference on Big Data, 2014.
Luca Ceriani and Marina Zanella, Model-based Diagnosis and
Generation of Hypothesis Space via AI Planning, Proc. of the 25th
International Workshop on Principles of Diagnosis (DX), 2014.
54 / 54