H-Systems: Observability, Diagnosability, and Predictability of Hybrid Dynamical Systems 3031204468, 9783031204463

This book focuses on the observability of hybrid systems. It enables the reader to determine whether and how a hybrid sy


English Pages 304 [305] Year 2023


Table of contents:
Preface
Intended Audience and Organization of the Book
Possible Reading Paths
Acknowledgements
Contents
Main Symbols and Notation
Main Symbols
Notation
1 Introduction
References
2 H-Systems
2.1 Definition of an H-System
2.2 H-Systems and Impulsive Systems
2.3 H-Systems and PWA Systems
2.4 More on H-Systems Modeling and Properties
2.5 Illustrative Examples
2.6 Notes and Further Reading
References
3 Discrete Structure of H-Systems and Background on Finite State Machines
3.1 Analysis of the Discrete State Space
3.2 Transformations on FSMs
3.2.1 From Mealy to Moore
3.2.2 From Partially Visible to Fully Visible Output
3.3 Notes and Further Reading
References
4 Observability, Diagnosability, and Predictability of Finite State Machines
4.1 Observability of M
4.1.1 Definitions
4.1.2 Indistinguishability Notions. The Sets S∗ and B∗(Σ)
4.1.3 Characterization of Current and Critical Location Observability of M
4.2 Diagnosability of M
4.2.1 Definition
4.2.2 The Sets F∗ and Λ∗
4.2.3 Diagnosability Characterization
4.3 Predictability of M
4.3.1 Definition
4.3.2 Predictability Characterization
4.4 Notes and Further Reading
References
5 Extending Diagnosability Properties for Finite State Machines
5.1 A Parametric Definition of Diagnosability
5.1.1 The Set Γ∗
5.1.2 Characterization of Parametric Ω-Diagnosability
5.1.3 Characterization of Eventual and Critical Ω-Diagnosability
5.1.4 Examples
5.2 Notes and Further Reading
References
6 Observability of H-Systems
6.1 Observability Definition
6.2 Illustrative Examples
6.3 Notes and Further Reading
References
7 Continuous Dynamics Distinguishability
7.1 Mode Distinguishability
7.2 Transition and Switching Time Detection
7.3 The Case of Discrete-Time Systems
7.4 Identifying the Evolving Dynamical System
7.4.1 Input-Generic Distinguishability Approach
7.4.2 Residual Generation Approach
7.5 Mode Distinguishability for Systems Under Attack
7.5.1 Secure Mode Distinguishability
7.5.2 Attack Detection
7.6 Identifying the Evolving Dynamical System with Unknown Input
7.7 Comparing Distinguishability Notions
7.8 Notes and Further Reading
References
8 Enriching Discrete Information in H-Systems
8.1 Preliminary Remarks and Definitions
8.2 Enriching Procedure
8.3 An Example for Systems Under Attack
8.4 Notes and Further Reading
References
9 Observability Characterization for H-Systems
9.1 Preliminary Remarks and Assumptions
9.2 Current and Critical Location Observable H-Systems
9.2.1 Checking Current Location Observability: Purely Discrete Information
9.2.2 Checking Current Location Observability: Mixed Continuous and Discrete Information
9.2.3 Leveraging Information on Elapsed Time
9.3 Checking Observability of an LH-System
9.4 Simplifying Verification of Observability Conditions
9.4.1 Checking Observability by Traps Decomposition
9.4.2 Checking Observability by Removing Observable Components
9.4.3 Checking Observability by Removing Persistent Components
9.5 Notes and Further Reading
References
10 Relaxing the Observability Notion
10.1 Almost Always Observability
10.2 Characterizing Almost Always Observability: The Cyclic Case
10.3 Characterizing Almost Always Observability: The Case of General Topology
10.4 State Estimation
10.5 Sensors Location Design
10.6 Hybrid Systems with Known Switching Times
10.7 Examples
10.8 Notes and Further Reading
References
11 Diagnosability and Predictability for H-Systems
11.1 Definitions
11.2 Diagnosability and Predictability Analysis
11.3 Symbolic Systems Approach
11.3.1 Notation
11.3.2 Pseudo-metric Systems and Approximate Simulations
11.3.3 Approximate Diagnosability and Predictability for Pseudo-metric Systems
11.3.4 Relations Between Approximate Properties and Approximate Simulation
11.3.5 Approximate Diagnosability of Nonlinear Systems
11.3.6 Approximate Predictability of Piecewise-Affine Systems
11.3.7 Checking Approximate Diagnosability and Predictability for FSMs
11.3.8 Illustrative Examples
11.4 Notes and Further Reading
References
12 Observer Design for LH-Systems
12.1 Hybrid Observer Design
12.2 Location Observability with Purely Discrete Output Information
12.2.1 Location Observer
12.2.2 Continuous Observer
12.2.3 Observer Convergence
12.3 Location Observability with Mixed Information
12.3.1 Enriched Output Generator
12.3.2 Location Observer
12.3.3 Continuous Observer
12.3.4 Observer Convergence
12.4 Notes and Further Reading
References
13 Some Applications to Automotive Control
13.1 On-Line Identification of Engaged Gear
13.1.1 Design of the Hybrid Observer
13.1.2 Experimental Results
13.2 Driveline Elastic Behavior Control
13.3 Notes and Further Reading
References
Index


Communications and Control Engineering

Elena De Santis · Maria Domenica Di Benedetto

H-Systems Observability, Diagnosability, and Predictability of Hybrid Dynamical Systems

Communications and Control Engineering

Series Editors: Alberto Isidori, Roma, Italy; Jan H. van Schuppen, Amsterdam, The Netherlands; Eduardo D. Sontag, Boston, USA; Miroslav Krstic, La Jolla, USA

Communications and Control Engineering is a high-level academic monograph series publishing research in control and systems theory, control engineering and communications. It has worldwide distribution to engineers, researchers, educators (several of the titles in this series find use as advanced textbooks although that is not their primary purpose), and libraries. The series reflects the major technological and mathematical advances that have a great impact in the fields of communication and control. The range of areas to which control and systems theory is applied is broadening rapidly with particular growth being noticeable in the fields of finance and biologically inspired control. Books in this series generally pull together many related research threads in more mature areas of the subject than the highly specialised volumes of Lecture Notes in Control and Information Sciences. This series’s mathematical and control-theoretic emphasis is complemented by Advances in Industrial Control which provides a much more applied, engineering-oriented outlook.

Indexed by SCOPUS and Engineering Index.

Publishing Ethics: Researchers should conduct their research from research proposal to publication in line with best practices and codes of conduct of relevant professional bodies and/or national and international regulatory bodies. For more details on individual ethics matters please see: https://www.springer.com/gp/authors-editors/journal-author/journal-author-helpdesk/publishing-ethics/14214


Elena De Santis Department of Information Engineering, Computer Science and Mathematics (DISIM) University of L’Aquila Center of Excellence for Research DEWS L’Aquila, Italy

Maria Domenica Di Benedetto Department of Information Engineering, Computer Science and Mathematics (DISIM) University of L’Aquila Center of Excellence for Research DEWS L’Aquila, Italy

ISSN 0178-5354, ISSN 2197-7119 (electronic)
Communications and Control Engineering
ISBN 978-3-031-20446-3, ISBN 978-3-031-20447-0 (eBook)
https://doi.org/10.1007/978-3-031-20447-0

© Springer Nature Switzerland AG 2023

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG. The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

To Bernardino and Lucia with love, and to Vado Lucoli, the smallest village I know, where it all began

To Maria and Marco, my deeply loved

Preface

Observation is the most enduring of the pleasures of life —George Meredith

Our interest in Hybrid Systems goes back more than 20 years, when we started working on engine control design. Engine control had traditionally been carried out using a mix of heuristic techniques validated by approximate average-value models, simulation, and prototyping. However, to meet increasingly stringent specifications of comfort, safety, emissions, and fuel consumption, it was necessary to think of more complex models than mean-value ones. This need led to a hybrid representation of the engine, with a behavior determined by the combination of a discrete event subsystem modeling the torque generation process and a continuous-time subsystem modeling the powertrain. This difficulty has turned out to hold in general for safety-critical embedded control systems, such as aircraft, trains, or industrial plants, where hybrid characteristics arise not only from the possible hybrid nature of the plant itself, but also from the combination of the plant with other parts, such as computational systems whose behavior is event-driven. The term Cyber-Physical System (CPS) arose precisely from the need to represent the integration and mutual influence of parts of the system that are described by continuous-time behavior (often the physical system or part of it) and parts of the system that include computational elements whose behavior is event-driven. Hybrid systems have proven to be a powerful representation of heterogeneous systems, such as CPS, composed of interacting discrete event and continuous-time dynamics. Theoretical properties of hybrid systems have been the subject of intense research in the last decades. In this book, we focus on the possibility of reconstructing the hybrid system’s internal behavior, i.e. its state, on the basis of available measurements. This observability question has been a central problem in control theory for many reasons, the first being that the availability of the system’s state is often essential for control.

But no less important is the property by itself, which is related to the possibility of solving problems such as fault diagnosis or malicious attack detection. In fact, diagnosability and predictability can be seen as extensions of observability, where for the one we must deduce from available measurements the system’s past behavior, and for the other its future behavior. Last but not least, an additional motivation for investigating hybrid systems’ observability is that solving observability problems for linear systems subject to data losses, a phenomenon rather common in networked control and CPS, is equivalent to solving observability problems for a particular class of hybrid systems. Recently, the concept of observability has gained importance not only for control engineering applications, but also, for example, in the area of cloud computing, where it is analyzed for computational systems and corresponds to the ability of a software architecture to make itself trackable and controllable in all aspects by addressing the distributed and dynamic nature of cloud-native applications. Hybrid systems’ observability involves both the discrete structure and the continuous dynamics of the system, and their interaction gives rise to particular properties that do not simply generalize the ones that are well known for traditional dynamical systems. It is this aspect that makes the analysis complex and on which we therefore focus attention in this book, where we extend our preliminary work on this topic published in the series Foundations and Trends in Systems and Control in 2016. We do not cover more specific research topics that are concerned with, for example, the use of the observer in output feedback control or distributed observability. However, the notes at the end of every chapter present the most relevant literature on that chapter’s topic. Because of the continuously growing number of papers in the field of hybrid systems and hybrid observability, the literature review is by no means exhaustive, but it is also intended to offer readers potential avenues of further study of the material presented.

Intended Audience and Organization of the Book

This book provides concepts, theories, and algorithms for hybrid state estimation, prediction, and diagnosis. It is aimed at graduate students, post-doctoral students, and researchers interested in learning about observability properties of hybrid systems, their analysis, and verification. It contains mainly research topics, but it can also be useful for a course on hybrid systems focused on observability, diagnosability, and predictability. It could also be used as part of a general course on hybrid systems, with the addition of stability concepts and analysis tools. The prerequisites are a graduate course in linear systems and an introduction to finite state systems. Note that Chap. 3 provides the background on finite state systems that is needed in the following treatment. Because of the multiplicity of different notions of observability existing in the literature, our exposition needs rigor and precision in the definitions and derivations in order to avoid confusion. As a consequence, notation is at times complex. However, when necessary, we sacrifice mathematical precision to provide intuition about the topics. Hence, the way we address the audience of the book is a compromise between mathematical rigor and informal descriptions.

Fig. 1 Chapters’ flow (a graph over Chaps. 1 to 13)

The book is essentially structured into three parts. We refer to the graph in Fig. 1 to show how to proceed in reading this text, depending on the topics of interest and on the desired level of depth. After the definition of the hybrid system’s general model in Chap. 2, the first part (light blue color in Fig. 1), containing Chaps. 3 to 5, is dedicated to analyzing the discrete structure associated with the hybrid system. Readers who are familiar with Finite State Machines (FSM) should find their content easy to read and could also skip this part, except for the notation that is used subsequently. However, since the FSM we deal with corresponds to the discrete structure of a hybrid system, a time is associated with each discrete state and represents how long the continuous dynamics dwells in that particular state. This gives rise to definitions that deviate from the purely discrete case, as shown in Chaps. 3 and 4. Chapter 5 presents some extensions of the diagnosability concept for FSM, which can be skipped because they are independent of the subsequent chapters.

The second part, consisting of Chaps. 6–11 (violet color in Fig. 1), deals with hybrid systems. While Chap. 6 defines hybrid observability and illustrates the peculiarities that arise precisely from the interaction between continuous and discrete dynamics, Chaps. 7 and 8 introduce the tools that are needed in later chapters. In particular, Chap. 7 shows how to derive information about the discrete state of the hybrid system by focusing only on the continuous dynamics (this is why its color in Fig. 1 is pink). Chapter 10 relaxes the observability concept introduced in Chap. 6. Chapter 11 introduces the properties of predictability and diagnosability for hybrid systems and illustrates methods for checking them. The content of both Chaps. 10 and 11 can be skipped without prejudice to the reading of subsequent chapters.

Finally, in the last part of the book (yellow color in Fig. 1), Chaps. 12 and 13 move on to the design of a hybrid observer under different observability conditions and illustrate some applications. These two chapters are aimed at readers who are interested not only in state estimation but also in its use for controller design.

Going into more detail, the parts that follow constitute a more in-depth analysis of the main content, so they can be bypassed depending on what one wants to get out of the reading:

• Chapter 2: Sects. 2.3 and 2.4 contain a comparison of the model we use in the book with other hybrid models used in the literature.
• Chapter 5: Extends Chap. 4.
• Chapter 7: Sect. 7.3 deals with discrete-time systems, Sect. 7.5 deals with systems under attack, Sect. 7.6 deals with the particular case of unknown input, and Sect. 7.7 compares different notions of observability.
• Chapter 8: Sect. 8.3 deals with systems under attack.
• Chapter 9: Sect. 9.4 contains some methods for simplifying observability verification.
• Chapter 10: Relaxes the definitions of Chap. 6 and the conditions of Chap. 9.
• Chapter 11: Observability is extended, leading to the diagnosability and predictability properties. For checking those properties, a method based on symbolic models is introduced in Sect. 11.3, where the notation and techniques are self-contained and may be of interest in their own right.

Fig. 2 Observability and observer design. Upper branch: hybrid observer design in the case of purely discrete information. Lower branch: hybrid observer design in the case of mixed discrete–continuous information. (Nodes shown in the graph: 1, 2, 3, 4.1, 9.1–9.2.1, 12.1–12.2, 6, 7, 8, 9, 12.1–12.3, 13.)

Fig. 3 Diagnosis/Prediction. Upper branch: design of a diagnoser/predictor of the discrete states of a hybrid system. Lower branch: design of a diagnoser/predictor of hybrid states of a hybrid system. (Nodes shown in the graph: 1, 2, 3, 7, 8, 11.1–11.2, 4, 11.1–11.3.)

Possible Reading Paths

Depending on the reader’s specific goal or desired level of insight, Figs. 2 and 3 show different possible reading paths. For example, if the focus is on observer design,

• the upper branch in Fig. 2 shows the most basic path for understanding how a hybrid observer can be constructed when the discrete state is known or when it is possible to identify it without any delay with respect to the commutation occurrence. This is the case in which no knowledge about the continuous dynamics is exploited to reconstruct the discrete state (called “purely discrete information”). In the simplest case where the discrete state is known, Sects. 3.2.2 and 4.1 can be skipped.
• In the lower branch, the observer design is extended to the case where the continuous information is necessary to identify the current discrete state (called “mixed discrete–continuous information”).

On the other hand, if one is interested in diagnosis and prediction, in Fig. 3,

• the upper branch shows how to proceed with the design of a diagnoser/predictor of the discrete states of a hybrid system. In the simpler case of purely discrete information, Chaps. 7 and 8 can be skipped. If the discrete state is known, diagnosis is trivially obtained and Sect. 3.2.2 can be skipped;
• the lower branch shows how to proceed with the design of a diagnoser/predictor of the hybrid states of a hybrid system by means of the so-called symbolic approach.

L’Aquila, Italy

Elena De Santis Maria Domenica Di Benedetto

Acknowledgements

We would like to thank the many people who helped make the writing of this book possible. We are indebted to our colleagues and friends Andrea Balluchi, Luca Benvenuti, Claudio Pinello, and Alberto Sangiovanni-Vincentelli. Our first results on the topic of this book and the interest that later led us to explore it further over the years arose through a strong and fruitful collaboration on automotive control problems and hybrid observers. We are grateful to Giordano Pola, Stefano Di Gennaro, Alessandro D’Innocenzo, Gabriella Fiore, and Claudio Arbib, for intense research collaboration over many years on the topics addressed in this book. We would like to acknowledge the many stimulating exchanges with Alfredo Germani, Costanzo Manes, and Pierdomenico Pepe. We also fondly remember the lively and inspiring discussions with our friend Paolo Caravani, who sadly passed away some years ago. We wish to thank Françoise Lamnabhi-Lagarrigue, Henk Blom, John Lygeros, Karl Henrik Johansson, Maria-Gabriella Di Benedetto, Frank Marzano, Mauro Feliziani, Fortunato Santucci, Gilberto Burgio, Richard M. Murray, Arjan van der Schaft, George Pappas, Maria Prandini, Tiziano Villa, Antonella Ferrara, Mireille Broucke, Raphaël Jungers, Carlo Fischione, and Gilney Damm, for the rich scientific exchanges that broadened our research perspective in the many collaborative opportunities that DEWS Center of Excellence activities and projects have provided. Special thanks go to all our current and former students who have contributed with their ideas to enrich our research environment, in particular Alessandro Borri, Domenico Bianchi, Giovanni Girasole, Alessio Iovine, Mario Di Ferdinando, Nicola Epicoco, Vittorio De Iuliis, Ubaldo Tiberi, Yurij Zacchia Lun, Mohammed Fakhroleslam, Naeimeh Fakhr Shamloo, Emmanuele Serra, Francesco Smarra, Luca Berardi, Giovanni Domenico Di Girolamo, Alessandro Petriccone, Davide Pezzuti, and Annalisa Scacchioli. We are especially grateful to Ilaria Di Loreto, Tommaso Masciulli, and Marco Mirabilio, for their help in the drafting of the figures.

We thankfully acknowledge Giordano Pola for important contributions to Chap. 11, Andreu Llabres for the software development used in Chap. 11, Pierdomenico Pepe for his revision of Chap. 2, and Corrado Possieri for useful comments on Chaps. 2, 9, and 10. The research presented in this book would not have been possible without the support of the Center of Excellence DEWS of the University of L’Aquila, of Magneti Marelli, of the European Networks of Excellence HYCON and HYCON2, of the European projects HYBRIDGE and MAREA, and of the project ASSIOMI of the Italian Ministry of Economic Development. We thank our Publishing Editor, Oliver Jackson, and our Production Administrator, Balaganesh Sukumar, for their valuable help and support.

(EDS) My thoughts are with all those who introduced me to the exciting world of scientific research and accompanied me along the way. Special thanks to Paolo d’Alessandro, an inspiring mentor and friend. My loving gratitude to my parents, Adolfina and Antonio, for being always present in my life.

(MDDB) I wish to express my gratitude to Alberto Isidori for his inspiring example and guidance. I am grateful to Gabriel Ruget for his total openness and trust. I cannot forget the time I spent with Jessy Grizzle, Shankar Sastry, and Claude Moog. I thank them for sharing a part of their research path with me, and for their infectious enthusiasm and unforgettable friendship. Finally, I wish to heartfully thank my family for their continuous support: Alberto, Maria, Marco, Matteo, Valerio, and the little ones, Cesare and Pietro, an irrepressible and contagious source of joy. I wholeheartedly thank my late parents, Pupa and Felice, irreplaceable models of life, who always and with total generosity supported me in my journey, and my sister Gabry for the Etoile Vénitienne, the star continues to shine.

University of L’Aquila, Italy, 2023

Elena De Santis Maria Domenica Di Benedetto

Contents

1 Introduction ... 1
References ... 4
2 H-Systems ... 7
2.1 Definition of an H-System ... 7
2.2 H-Systems and Impulsive Systems ... 14
2.3 H-Systems and PWA Systems ... 19
2.4 More on H-Systems Modeling and Properties ... 25
2.5 Illustrative Examples ... 30
2.6 Notes and Further Reading ... 39
References ... 42
3 Discrete Structure of H-Systems and Background on Finite State Machines ... 45
3.1 Analysis of the Discrete State Space ... 45
3.2 Transformations on FSMs ... 53
3.2.1 From Mealy to Moore ... 54
3.2.2 From Partially Visible to Fully Visible Output ... 57
3.3 Notes and Further Reading ... 66
References ... 68
4 Observability, Diagnosability, and Predictability of Finite State Machines ... 69
4.1 Observability of M ... 69
4.1.1 Definitions ... 69
4.1.2 Indistinguishability Notions. The Sets S∗ and B∗(Σ) ... 71
4.1.3 Characterization of Current and Critical Location Observability of M ... 75
4.2 Diagnosability of M ... 78
4.2.1 Definition ... 78
4.2.2 The Sets F∗ and Λ∗ ... 79
4.2.3 Diagnosability Characterization ... 82
4.3 Predictability of M ... 86
4.3.1 Definition ... 87
4.3.2 Predictability Characterization ... 87
4.4 Notes and Further Reading ... 92
References ... 95
5 Extending Diagnosability Properties for Finite State Machines ... 97
5.1 A Parametric Definition of Diagnosability ... 97
5.1.1 The Set Γ∗ ... 103
5.1.2 Characterization of Parametric Ω-Diagnosability ... 104
5.1.3 Characterization of Eventual and Critical Ω-Diagnosability ... 105
5.1.4 Examples ... 108
5.2 Notes and Further Reading ... 112
References ... 113
6 Observability of H-Systems ... 115
6.1 Observability Definition ... 115
6.2 Illustrative Examples ... 118
6.3 Notes and Further Reading ... 123
References ... 125
7 Continuous Dynamics Distinguishability ... 127
7.1 Mode Distinguishability ... 127
7.2 Transition and Switching Time Detection ... 131
7.3 The Case of Discrete-Time Systems ... 133
7.4 Identifying the Evolving Dynamical System ... 135
7.4.1 Input-Generic Distinguishability Approach ... 136
7.4.2 Residual Generation Approach ... 138
7.5 Mode Distinguishability for Systems Under Attack ... 140
7.5.1 Secure Mode Distinguishability ... 140
7.5.2 Attack Detection ... 145
7.6 Identifying the Evolving Dynamical System with Unknown Input ... 148
7.7 Comparing Distinguishability Notions ... 151
7.8 Notes and Further Reading ... 154
References ... 158
8 Enriching Discrete Information in H-Systems ... 161
8.1 Preliminary Remarks and Definitions ... 161
8.2 Enriching Procedure ... 163
8.3 An Example for Systems Under Attack ... 170
8.4 Notes and Further Reading ... 173
References ... 173
9 Observability Characterization for H-Systems ... 175
9.1 Preliminary Remarks and Assumptions ... 175
9.2 Current and Critical Location Observable H-Systems ... 176
9.2.1 Checking Current Location Observability: Purely Discrete Information
9.2.2 Checking Current Location Observability: Mixed Continuous and Discrete Information
9.2.3 Leveraging Information on Elapsed Time
9.3 Checking Observability of an LH-System
9.4 Simplifying Verification of Observability Conditions
9.4.1 Checking Observability by Traps Decomposition
9.4.2 Checking Observability by Removing Observable Components
9.4.3 Checking Observability by Removing Persistent Components
9.5 Notes and Further Reading
References
10 Relaxing the Observability Notion
10.1 Almost Always Observability
10.2 Characterizing Almost Always Observability: The Cyclic Case
10.3 Characterizing Almost Always Observability: The Case of General Topology
10.4 State Estimation
10.5 Sensors Location Design
10.6 Hybrid Systems with Known Switching Times
10.7 Examples
10.8 Notes and Further Reading
References
11 Diagnosability and Predictability for H-Systems
11.1 Definitions
11.2 Diagnosability and Predictability Analysis
11.3 Symbolic Systems Approach
11.3.1 Notation
11.3.2 Pseudo-metric Systems and Approximate Simulations
11.3.3 Approximate Diagnosability and Predictability for Pseudo-metric Systems
11.3.4 Relations Between Approximate Properties and Approximate Simulation
11.3.5 Approximate Diagnosability of Nonlinear Systems
11.3.6 Approximate Predictability of Piecewise-Affine Systems

177 178 180 181 186 187 189 191 193 194 195 195 197 200 203 203 206 208 209 210 213 213 216 219 220 221 223 224 228 231

xviii

Contents

11.3.7 Checking Approximate Diagnosability and Predictability for FSMs . . . . . . . . . . . . . . . . . . . . . . . . 11.3.8 Illustrative Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.4 Notes and Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

235 236 240 241

12 Observer Design for L H-Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.1 Hybrid Observer Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.2 Location Observability with Purely Discrete Output Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.2.1 Location Observer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.2.2 Continuous Observer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.2.3 Observer Convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.3 Location Observability with Mixed Information . . . . . . . . . . . . . . 12.3.1 Enriched Output Generator . . . . . . . . . . . . . . . . . . . . . . . . . 12.3.2 Location Observer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.3.3 Continuous Observer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.3.4 Observer Convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.4 Notes and Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

243 243 247 248 253 254 257 258 262 262 263 269 270

13 Some Applications to Automotive Control . . . . . . . . . . . . . . . . . . . . . . . 13.1 On-Line Identification of Engaged Gear . . . . . . . . . . . . . . . . . . . . . 13.1.1 Design of the Hybrid Observer . . . . . . . . . . . . . . . . . . . . . . 13.1.2 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13.2 Driveline Elastic Behavior Control . . . . . . . . . . . . . . . . . . . . . . . . . . 13.3 Notes and Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

273 273 276 280 283 288 289

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

Main Symbols and Notation

Main Symbols

$H = (\Xi, \Xi_0, \Upsilon, h, S, E, R)$   $H$-system
$M = (Q, Q_0, Y, h, E)$   Finite State Machine associated with $H$
$\tau$   Hybrid time basis
$t_k$   Switching time
$\chi$   Hybrid state execution of $H$
$(\Gamma, G, \mathrm{dwell})$   Constraints on the state execution of $H$
$Q^+$   Set of all state executions of $M$
$Q \subset Q^+$   Set of all executions in $Q^+$ starting from $Q_0$
$\mathrm{reach}(Q') \subset Q$   Set reached from $Q' \subset Q$
$\mathrm{reach}^{-1}(Q') \subset Q$   Set from which $Q' \subset Q$ can be reached
$Q^\infty \subset Q$   Set of states with infinite maximum dwell
$Q^p \subset Q$   Set of persistent states
$Q = Q^p \cup \mathrm{reach}(Q^\infty)$   Set of persistent in time states
$Q$   Silent states
$V(M)$   Visible FSM associated to $M$
$\Pi \subset Q \times Q$   Pairs of states with the same output
$\Theta \subset Q \times Q$   Pairs of states $(i, j)$ with $i \neq j$
$S^* \subset \Pi$   Pairs reached by indistinguishable executions
$B^*(\Sigma)$   Backward indistinguishable pairs in $\Sigma$
$F^* \subset \Pi$   Forward indistinguishable pairs of states
$UR(\Omega) \subset Q$   States reached from $\Omega$ with a silent execution
$C_\sigma$   Set of finite continuations of the string $\sigma$
$P_\sigma$   Set of prefixes of the string $\sigma$
$F(\Omega) \subset Q$   Precursor of the set $\Omega \subset Q$
$O_h$   Observability matrix of the linear system $S_h$
$O_h$   Luenberger observer for the linear system $S_h$
$S^n_s$   Set of all the $s$-sparse vectors in $\mathbb{R}^n$
$CS^{pT}_s$   Set of all the cyclic $s$-sparse vectors in $\mathbb{R}^{pT}$
$H_e$   Enriched $H$-system associated to $H$
$H_0$   Unobservable $H$-system associated to $H$
$D$   Diagnoser for $H$
$P$   Predictor for $H$
$S = (X, X_0, U, E, Y, H)$   Pseudo-metric, metric, symbolic system
$B_\rho(x)$   Closed ball centered at $x \in X$ with radius $\rho$
$F$   Set of faulty states of $S$
$O_H$   Hybrid observer of $H$
$H$   Composition of $H$ with $O_H$
$O_M$   Observer of the FSM $M$
$EOG$   Enriched Output Generator for $H$

Notation

$\mathbb{R}$   Real numbers
$\mathbb{R}^+$   Real positive numbers
$\mathbb{R}^+_0$   Real nonnegative numbers
$\mathbb{Z}$   Integer numbers
$\mathbb{N}$   Nonnegative integer numbers
$[a, b]$   $\{x \in \mathbb{R} : a \le x \le b\}$, for $a, b \in \mathbb{R}$
$(a, b)$   $\{x \in \mathbb{R} : a < x < b\}$
$(a, b]$ ($[a, b)$)   $\{x \in \mathbb{R} : a < x \le b\}$ ($\{x \in \mathbb{R} : a \le x < b\}$, respectively)
$[a; b]$   $\{x \in \mathbb{Z} : a \le x \le b\}$, for $a, b \in \mathbb{Z}$
$0$   Matrix with all zero components, with suitable dimensions
$\|x\|$   Euclidean norm of $x \in \mathbb{R}^n$
$\mathrm{Im}(M)$   Range space of $M \in \mathbb{R}^{n \times m}$
$\ker(M)$   Null space of $M \in \mathbb{R}^{n \times m}$
$x(t_k^-)$   $\lim_{t \to t_k,\ t \ldots}$
$|X|$, $\mathrm{card}(X)$, $\mathrm{int}(X)$, $\subset$, $\partial X$, $Y$, $W^s$, $f(X')$, $f^{-1}(y)$, $\varepsilon$, $|\sigma|$, $\sigma(i)$, $\sigma_1 \circ \sigma_2$, $|\sigma|_{[a,b]}$, $\mathrm{succ}(i)$

… $t_{k-1}$, for $t \in (t_{k-1}, t_k]$, denotes the (unique) solution of the dynamical system $S(q(t_{k-1}, k))$, with initial time $t_{k-1}$, initial state $x(t_{k-1}, k)$ and control law $u(\cdot)|_{[t_{k-1}, t)} = \gamma(\cdot, k)|_{[t_{k-1}, t)}$. Otherwise, if $t_k = t_{k-1}$, $x(t_k, k) = x(t_{k-1}, k)$. Finally, $x(t_k, k+1) = R(e, x(t_k, k), \gamma(t_k, k))$ and $e = (q(t_k, k), q(t_k, k+1)) \in E$. Note that, in the definition above, in order to simplify notation, we use the symbol $x$ that is also used in Definition 2.3 to denote the continuous state of the continuous dynamical system (2.2). Given a hybrid state execution, the triple
$$(q_0, \tau, q) \tag{2.7}$$
describes the evolution in time of the discrete state, whereas
$$(x_0, \tau, \gamma, x) \tag{2.8}$$
describes the evolution in time of the continuous state. Given a state execution $\chi$, let $\upsilon : \mathbb{R} \times \mathbb{N} \to \Upsilon$ be the output function, which for $(t, k) \in \bigcup_{k \in \{1, \ldots, L\}} (I_k \times \{k\})$ is defined as
$$\upsilon(t, k) = (y_d(t, k), y(t, k)) \tag{2.9}$$
where $y_d(t, k)$ is the discrete component of the output
$$y_d(t_{k-1}, k) = h(q(t_{k-1}, k)),\ k = 1, \ldots, L-1, \qquad y_d(t, k) = \epsilon,\ \forall t \neq t_k \tag{2.10}$$
and, recalling Eq. (2.2), $y(t, k)$ is the continuous component of the output
$$y(t, k) = c_{q(t,k)}(x(t, k)). \tag{2.11}$$
The set of all output evolutions of $H$ is denoted by $Y$. The $H$-system model can be enriched by defining constraints on the state, the input and the executions, as follows. Given the sets $\Gamma_i \subset \mathbb{R}^n \times \mathbb{R}^m$, $i \in Q$, let us define the set $\Gamma \subset Q \times (\mathbb{R}^n \times \mathbb{R}^m)$ as
$$\Gamma = \bigcup_{i \in Q} \{i\} \times \Gamma_i. \tag{2.12}$$

Let $\Gamma_\Xi \subset Q \times \mathbb{R}^n$ be the projection of $\Gamma$ on $\Xi$, i.e.
$$\Gamma_\Xi = \bigcup_{i \in Q} \{i\} \times \Gamma_{\Xi,i} \tag{2.13}$$
where
$$\Gamma_{\Xi,i} = \left\{ x \in \mathbb{R}^n : \begin{bmatrix} x \\ u \end{bmatrix} \in \Gamma_i \right\}.$$
Then, state and input constraints can be modeled as
$$\xi(t_k, k) \in \Gamma_\Xi,\quad k = 1, \ldots, L-1 \tag{2.14}$$
$$\Xi_0 \subset \Gamma_\Xi \tag{2.15}$$
and, if $t_k > t_{k-1}$,
$$\begin{bmatrix} \xi(t, k) \\ \gamma(t, k) \end{bmatrix} \in \Gamma,\quad t \in [t_{k-1}, t_k),\ k = 1, \ldots, L. \tag{2.16}$$

In general, $E$ is strictly contained in $Q \times Q$, so that not all discrete transitions are admissible. Moreover, a restriction that determines when a discrete transition can take place can be introduced by defining
$$G : E \to 2^{\mathbb{R}^n \times \mathbb{R}^m}. \tag{2.17}$$
Then, for a transition $e = (q(t_k, k), q(t_k, k+1)) \in E$, the so-called guard condition
$$(x(t_k, k), \gamma(t_k, k)) \in G(e) \tag{2.18}$$
indicates if the execution may take the transition $e$.

Finally, a constraint can be imposed on the switching times in the execution by writing
$$t_k - t_{k-1} \in \mathrm{dwell}(q(t_{k-1}, k)) \tag{2.19}$$
where
$$\mathrm{dwell} : Q \to 2^{\mathbb{R}^+_0}. \tag{2.20}$$
At a given switching time $t_{k-1}$, the set $\{t_{k-1} + \mathrm{dwell}(q(t_{k-1}, k))\} \subset [t_{k-1}, \infty)$, if bounded, defines the time interval in which a transition must occur, when the discrete state at the switching time $t_{k-1}$ is $q(t_{k-1}, k)$. When it is unbounded, either the discrete state remains equal to $q(t_{k-1}, k)$ for all $t \ge t_{k-1}$, i.e. no commutation takes place after $t_{k-1}$, or a commutation occurs but there is no upper bound for the switching time $t_k$. We do not consider the two cases separately, because for the properties we will deal with in the following chapters the two possible behaviours are equivalent. The constraints on the evolution of the $H$-system (2.4) can be summarized by the triple
$$(\Gamma, G, \mathrm{dwell}). \tag{2.21}$$
The $H$-system with the associated triple (2.21) will be called a constrained $H$-system. An execution of a constrained $H$-system is an execution such that all the constraints are satisfied. In particular, a transition from a state $i \in Q$ to a state $j \in Q$ may occur at time $t$ if $e = (i, j) \in E$ and if the continuous state $x(t, k)$ belongs to the guard set $G(e) \subset \mathbb{R}^n$. The role of the guard set is to enable a transition, not to enforce it. Whenever a transition $e = (i, j)$ occurs at time $t$, $t_k = t$, the continuous state $x(t_k, k)$ is instantly reset to the new value $R(e, x(t_k, k), \gamma(t_k, k))$ and $k$ is reset to $k+1$. Moreover, the switching times must satisfy the constraints defined in (2.19) by the function dwell.

Remark 2.1 Constraints on the switching times can also be represented by defining an additional continuous state variable, denoted e.g. $w$, for each system $S(i)$, which satisfies the equation $\dot w(t) = 1$ with initial condition $w(0) = 0$, and is reset to zero after each transition. For example, if the function dwell defines the constraint $\delta_i < t_k - t_{k-1} \le \Delta_i$ with $i = q(t_{k-1}, k)$, the same constraints can be equivalently written by adding the condition $w \le \Delta_i$ in the definition of each set $\Gamma_i$, $i \in Q$, and the condition $w > \delta_i$ in the definition of any set $G(e)$, with $e = (i, j) \in E$. □

In characterizing the observability properties, linearity may in some cases play an important role. Therefore, we end this section by giving the definition of linearity for an $H$-system.

Definition 2.4 An $H$-system $H$ is linear if the continuous output functions $c_i$ in (2.11) are linear for all $i \in Q$ and if, for any two state executions $\chi_1 = \{(q_0, x_{0,1}), \tau, \gamma_1, (q, x_1)\}$ and $\chi_2 = \{(q_0, x_{0,2}), \tau, \gamma_2, (q, x_2)\}$ with the same discrete state evolution, $\{(q_0, \alpha x_{0,1} + \beta x_{0,2}), \tau, \alpha\gamma_1 + \beta\gamma_2, (q, \alpha x_1 + \beta x_2)\}$ is a state execution of $H$, for all $\alpha, \beta \in \mathbb{R}$.

2.2 H-Systems and Impulsive Systems

Impulsive systems have been extensively investigated in the literature (see Sect. 2.6 for references). They combine continuous evolution, modeled by ordinary differential equations, with instantaneous state jumps or resets, also called impulses, from which the name of this class of systems derives. The aim of this section is to compare the formalism used to define the class of $H$-systems with the one used to define the class of impulsive systems as in [20]. For simplicity, differently from what was done in the first part of the chapter, we do not associate an output to the system. We start by recalling the definition of hybrid time domain, as given in [20]:

Definition 2.5 (Hybrid time domain) A set $F \subset \mathbb{R}^+ \times \mathbb{N}$ is a hybrid time domain if, for each $(T, K) \in F$, $K \ge 1$, the set $F \cap ([0, T] \times \{1, \ldots, K\})$ can be written in the form
$$\bigcup_{k \in \{1, \ldots, K\}} [t_{k-1}, t_k] \times \{k\}$$
for some finite sequence of times $0 = t_0 \le t_1 \le t_2 \le \cdots \le t_K$.

An impulsive system is described by two possible "modes", flow mode and jump mode, as follows:

Definition 2.6 ([20]) Let $I_c$ and $I_d$ be two sets of indices, with finite cardinality. Let the sets $C \subset \mathbb{R}^n$ and $D \subset \mathbb{R}^n$ be given. The state evolution of the impulsive system $S$ is described by
$$\dot\phi(t, k) \in f_{c,i}(\phi(t, k), \gamma(t, k)),\quad i \in I_c \wedge (\phi(t, k), \gamma(t, k)) \in C \tag{2.22}$$
$$\phi(t, k+1) \in f_{d,i}(\phi(t, k), \gamma(t, k)),\quad i \in I_d \wedge (\phi(t, k), \gamma(t, k)) \in D \tag{2.23}$$
respectively, where $(t, k)$ belongs to a hybrid time domain and $\phi(0, 1)$ is the initial hybrid state.

In the definition above, Eq. (2.22) represents the flow mode and Eq. (2.23) represents the jump mode. The function $\phi$ is a hybrid arc and the function $\gamma$ is a hybrid input. A hybrid arc $\phi$ is a function with hybrid time domain $\mathrm{dom}(\phi)$ such that, for each fixed $k$, the function $t \mapsto \phi(t, k)$ has a derivative, at least for almost every point in $I_k = \{t : (t, k) \in \mathrm{dom}(\phi)\} = [t_{k-1}, t_k]$. More specifically, a hybrid arc $\phi$ is such that, for each $k \in \mathbb{N}$, $k \ge 1$, $t \mapsto \phi(t, k)$ is absolutely continuous on intervals of flow $I_k$ with non-zero Lebesgue measure. Similarly, a hybrid input $\gamma$ is a function on a hybrid time domain such that, for each $k \in \mathbb{N}$, the function $t \mapsto \gamma(t, k)$ is Lebesgue measurable and locally essentially bounded on $I_k$. A simple relationship exists between the hybrid time basis as in Definition 2.2 and the hybrid time domain as defined in [20] and recalled in Definition 2.5. In fact, by construction, the functions $\xi$, $q$, $x$ and $\gamma$ in Definition 2.3 are defined over the set
$$\bigcup_{k \in \{1, \ldots, L\}} I_k \times \{k\} \tag{2.24}$$
which is a hybrid time domain and, for $f \in \{\xi, q, x, \gamma\}$, will be called $\mathrm{dom}(f)$. We will now compare state evolutions of the impulsive system of Definition 2.6 and an $H$-system represented by the tuple in Eq. (2.4), where the symbols $\Upsilon$ and $h$ will be omitted since they have no role in this comparison. Given an impulsive system $S$, consider the $H$-system
$$H_S = (\Xi, \Xi_0, S, E, R) \tag{2.25}$$
with constraints
$$(\Gamma, G, \mathrm{dwell}) \tag{2.26}$$
where

1. $\Xi$, $\Xi_0$ and $S$ are defined as follows: associate to each $i \in I_c$ the discrete state $i$, with $S(i)$ described by the equation
$$\dot\phi(t, k) = f_{c,i}(\phi(t, k), \gamma(t, k))$$
and associate to each $i \in I_d$ the discrete state $i$, with $S(i)$ described by the equation
$$\dot\phi(t, k) = 0.$$
Let $Q = I_c \cup I_d$, $Q_0 = Q$ and $\Xi_0 = \Xi = Q \times \mathbb{R}^n$.
2. $E = E' \cup E''$, where
$$E' = \{(i, j) : i \neq j,\ i \in I_c,\ j \in I_c \cup I_d\}, \qquad E'' = \{(i, j) : i \in I_d,\ j \in I_c \cup I_d\}.$$
3. The reset function is defined as
$$R(e, x, v) = x,\ e \in E', \qquad R(e, x, v) = f_{d,i}(x, v),\ e = (i, j) \in E''.$$
4. The tuple $(\Gamma, G, \mathrm{dwell})$ is defined as
$$\Gamma = \Big( \bigcup_{i \in I_c} \{i\} \times C \Big) \cup \Big( \bigcup_{i \in I_d} \{i\} \times \mathbb{R}^n \times \mathbb{R}^m \Big)$$
$$G(e) = \mathbb{R}^n \times \mathbb{R}^m,\ \forall e \in E', \qquad G(e) = D,\ \forall e \in E''$$
$$\mathrm{dwell}(i) = \mathbb{R}^+,\ i \in I_c, \qquad \mathrm{dwell}(i) = \{0\},\ i \in I_d.$$

We now analyze the relationship between $S$ and $H_S$.

Proposition 2.1 (i) For any state evolution $\phi$ of $S$, there exists a continuous state execution $x$ of $H_S$ such that $\forall (t, k) \in \mathrm{dom}(\phi)$
$$\phi(t, k) = x(t, k') \ \wedge \ (t, k') \in \mathrm{dom}(x).$$
(ii) For any state execution $\xi$ of $H_S$, there exists a state evolution $\phi$ of $S$ such that $\forall (t, k) \in \mathrm{dom}(x)$
$$x(t, k) = \phi(t, k') \ \wedge \ (t, k') \in \mathrm{dom}(\phi).$$

Proof (i) Let us consider a continuous state execution of $S$, with given input function $\gamma$. Given a flow interval $[t_k, t_{k+1}]$, suppose that $\phi(t_k, k+1) = x(t_{k'}, k'+1)$ for some $k' \ge k$ and $t_{k'} = t_k$. In flow mode, in the formalism of $S$, commutations between dynamics are allowed in the same time interval $I_k$. In the $H$ formalism, even if the reset function is the identity, to each commutation corresponds an update of the discrete argument of the function $x$. Therefore, by construction, by applying the same input function $\gamma$ to $S$ and to $H_S$, there exists an integer $\rho \ge 1$ and a discrete state execution of the $H$-system such that $t_{k'+\rho} = t_{k+1}$ and
$$\phi(t, k+1) = x(t, \hat k + 1),\quad \forall t \in [t_{\hat k}, t_{\hat k + 1}],\ \forall \hat k : k' \le \hat k \le k' + \rho.$$
In jump mode, Eq. (2.23) holds. Again, by construction, this part of the execution of $S$ corresponds to an execution of $H_S$, with the same input function $\gamma$ and with discrete state in $I_d$. The commutation between flow mode and jump mode corresponds to transitions in the set $\{(i, j) : i \in I_c, j \in I_d\} \subset E' \subset E$. Conversely, the commutation between jump mode and flow mode corresponds to transitions in the set $\{(i, j) : i \in I_d, j \in I_c\} \subset E'' \subset E$. Therefore, at the beginning of the first flow interval after the jumps, the state of $S$ and the continuous state of $H_S$ coincide and, by induction, starting from $\phi(0, 1) = x(0, 1)$, the entire executions of the two systems coincide.
(ii) By definition of the constraints (2.26), if $q(t, k) \in I_c$ then $(\gamma(t, k), x(t, k)) \in C$, the continuous state evolution is determined by the functions $f_{c,i}$, and therefore Eq. (2.22) holds. If $q(t, k) \in I_d$, then $(\gamma(t, k), x(t, k)) \in D$. Since $\mathrm{dwell}(i) = \{0\}$, the continuous state evolution is determined by the functions $f_{d,i}$, and therefore Eq. (2.23) holds. □

The proposition above shows that, given $S$, it is possible to define an $H$-system that is equivalent to $S$ from the point of view of state evolutions. We now show the reverse property, i.e. given $H$, it is possible to define an equivalent impulsive system $S_H$. Let us consider the $H$-system as in (2.4)
$$H = (\Xi, \Xi_0, S, E, R)$$
where $\Xi = Q \times \mathbb{R}^n$, $\Xi_0 = \bigcup_{i \in Q_0} \{i\} \times X_{0i}$, with constraints defined by the pair $(\Gamma, G)$.

Although the constraints for $H$ are in general described by the triple (2.21), here we assume that there are no constraints on the dwell time. Notice that this assumption can be made without any loss of generality (see Remark 2.1). In order to define $S_H$, here we represent $Q$ as a subset of $\mathbb{R}$. Given the input function $\gamma$ as in Definition 2.3, let us define the function
$$\tilde\gamma(t, k) = \begin{bmatrix} \gamma(t, k) \\ \sigma(t, k) \end{bmatrix} \in \mathbb{R}^m \times (E \cup \{\epsilon\}) \tag{2.27}$$
where with $\epsilon$ we represent the absence of a discrete transition. We can now define the system $S_H$ as follows:
1. $\phi = \begin{bmatrix} q \\ x \end{bmatrix} \in \mathbb{R}^{1+n}$ is the state of $S_H$, where the first component is $q \in Q$.
2. Given $\Xi_0 = \bigcup_{i \in Q_0 \subset Q} \{i\} \times X_{0i}$, the initial state of $S_H$ is $\phi_0 \in \Xi_0 \subset \mathbb{R}^{1+n}$.
3. Define the flow mode by the equation
$$\dot\phi(t, k) = \begin{bmatrix} \dot q(t, k) \\ \dot x(t, k) \end{bmatrix} = \tilde f_c(\phi(t, k), \tilde\gamma(t, k)) \ \wedge \ (q(t, k), x(t, k), \tilde\gamma(t, k)) \in C$$
where
$$\tilde f_c(\phi(t, k), \tilde\gamma(t, k)) = \begin{bmatrix} 0 \\ f_{q(t,k)}(x(t, k), \gamma(t, k)) \end{bmatrix}$$
and $C = \Gamma \times \{\epsilon\}$.
4. Define the jump mode by the equation
$$\phi(t, k+1) = \begin{bmatrix} q(t, k+1) \\ x(t, k+1) \end{bmatrix} = \tilde f_d(\phi(t, k), \tilde\gamma(t, k)) \ \wedge \ (\phi(t, k), \tilde\gamma(t, k)) \in D$$
where
$$\tilde f_d(\phi(t, k), \tilde\gamma(t, k)) = \begin{bmatrix} \delta(q(t, k), \sigma(t, k)) \\ R(e, x(t, k), \gamma(t, k)) \end{bmatrix}$$
$$\delta(q(t, k), \sigma(t, k)) = q' : (q(t, k), q') = \sigma(t, k)$$
and
$$D = \bigcup_{e \in E} \{q : (q, q') = e\} \times G(e) \times \{e\}.$$
Then,

Proposition 2.2 (i) For any state execution $\xi$ of $H$, there exists a continuous state evolution $x$ of $S_H$ such that $\forall (t, k) \in \mathrm{dom}(x)$
$$x(t, k) = \phi(t, k') \ \wedge \ (t, k') \in \mathrm{dom}(\phi).$$
(ii) For any state evolution $\phi$ of $S_H$, there exists a continuous state execution $x$ of $H$ such that $\forall (t, k) \in \mathrm{dom}(\phi)$
$$\phi(t, k) = x(t, k') \ \wedge \ (t, k') \in \mathrm{dom}(x).$$

Proof (i) Let us consider a hybrid execution $\xi$ of $H$ with input function $\gamma$. By construction, there exists a state execution $\phi$ of $S_H$, with $\mathrm{dom}(\phi) = \mathrm{dom}(\xi)$. Let $\phi(0, 1) = \xi(0, 1)$. Suppose that $\phi(t_{k-1}, k) = \xi(t_{k-1}, k)$. Then $\phi(t, k) = \xi(t, k)$, $\forall t \in [t_{k-1}, t_k)$, with the input function $\tilde\gamma$ of $S_H$ defined as in (2.27). Suppose that at $t_k$ the transition $e = (q(t_k, k), q(t_k, k+1)) \in E$ occurs. This implies that there exists an input $\tilde\gamma(t_k, k)$ such that $\phi(t_k, k+1) = \xi(t_k, k+1)$. Since $\phi(0, 1) = \xi(0, 1)$, then, by induction, $\phi(t, k) = \xi(t, k)$, $\forall (t, k) \in \mathrm{dom}(\xi) = \mathrm{dom}(\phi)$.
(ii) Let us consider a state execution $\phi$ of $S_H$ with input function $\tilde\gamma$. Suppose that $[t_{k-1}, t_k)$ is a flow interval, and $\phi(t_{k-1}, k) = \xi(t_{k-1}, k)$. Then $\phi(t, k) = \xi(t, k)$, $\forall t \in [t_{k-1}, t_k)$, with $\gamma(t, k)$ equal to the first $m$ components of $\tilde\gamma(t, k)$. At $t_k$ the mode is jump. Hence $(\phi(t_k, k), \tilde\gamma(t_k, k)) \in D$. Let the last component of $\tilde\gamma(t_k, k)$ be $e = (q(t_k, k), q(t_k, k+1)) \in E$. Then $x(t_k, k) \in G(e)$, the transition $e$ is possible for $H$, and $\phi(t_k, k+1) = \xi(t_k, k+1)$. Since $\phi(0, 1) = \xi(0, 1)$, then, by induction, $\phi(t, k) = \xi(t, k)$, $\forall (t, k) \in \mathrm{dom}(\xi) = \mathrm{dom}(\phi)$, and the proof is complete. □

Propositions 2.1 and 2.2 show that the classes of systems $H$ and $S$ are equivalent from the expressive power point of view.

2.3 H-Systems and PWA Systems

In this section, we show how a Piecewise-Affine system (PWA system) can be represented as an $H$-system. Consider an index set $Q$ and sets $P_i$ such that
$$\bigcup_{i \in Q} P_i = \mathbb{R}^n$$
and $P_i \cap P_j = \emptyset$. An affine discrete-time system $S(i)$ is associated with each set $P_i$ and is defined by the equation
$$x(t+1) = A_i x(t) + B_i u(t) + v_i \tag{2.28}$$

where $t \in \mathbb{Z}$, $A_i \in \mathbb{R}^{n \times n}$, $B_i \in \mathbb{R}^{n \times m}$ and $v_i \in \mathbb{R}^n$, with the evolution in time of the PWA system described by $S(i)$ whenever $x(t) \in P_i$. Since the dynamical system (2.28) evolves in the discrete-time domain, the PWA system is well defined, as in e.g. [2]. If each dynamical system $S(i)$ were a continuous-time one, the PWA system would in general not be well defined. In fact, consider as an example the case of a one-dimensional state space, partitioned into two subsets, $P_1 = \{x \in \mathbb{R} : x \le \bar x\}$ and $P_2 = \{x \in \mathbb{R} : x > \bar x\}$, where $\bar x \in \mathbb{R}^+$; the system $S(1)$ is described by the equation
$$\dot x(t) = u \tag{2.29}$$
with $u$ constant and positive, and $S(2)$ by the equation
$$\dot x(t) = -\alpha x(t) \tag{2.30}$$
with $\alpha \in \mathbb{R}^+$. Then, starting from any initial state $x_0$ in the set $(-\infty, \bar x)$, the evolution is determined by $S(1)$, for $t \in [0, t_1]$, with $t_1 = \frac{\bar x - x_0}{u}$, and $x(t_1) = \bar x$. However, starting from $x(t_1)$, there is a blocking phenomenon. In fact, for $x(t_1) = \bar x$ the evolution is still determined by $S(1)$, but, just after $t_1$, the evolution is determined by $S(2)$, and hence the system cannot evolve. Similarly, if $x_0 > \bar x$, the value $x(t) = \bar x$ is reached at time $t = t_2 = \frac{\ln x_0 - \ln \bar x}{\alpha}$ and, for the same reason as above, the evolution cannot be defined for $t > t_2$. A mathematical solution to this problem is provided by considering the so-called Filippov solutions. In the example above, this approach leads to defining for $x_0 = \bar x$ the solution $x(t) = \bar x$, $\forall t \ge 0$. However, as noticed e.g. in [14], from the switched system viewpoint, a solution of this sort can be interpreted as infinitely fast switching, also called chattering. A mathematical model that exhibits this phenomenon is not in general a good representation of a real-life system. For example, Eqs. (2.29) and (2.30) could represent the model of a temperature regulation system, where the desired temperature is $\bar x$ and the control action is actuated by switching a heater on/off. Then, the commutation between $S(1)$ and $S(2)$ corresponds to the heater switching off, while the commutation between $S(2)$ and $S(1)$ corresponds to the heater switching on. This model would show a chattering behavior, and the Filippov solution does not correspond to any behaviour of the physical system. To avoid blocking phenomena, the authors in [5, 10] suggest introducing some guard conditions. Here, starting from the polyhedra $P_i$, $i \in Q$, we construct overlapping polyhedra that approximate the given ones. Then, a PWA system in the continuous-time domain can be redefined as a particular instance of a constrained $H$-system (see (2.4)) by the following tuple
$$H = (\Xi, \Xi_0, \Upsilon, h, S, E, R) \tag{2.31}$$
where
– $\Xi = Q \times \mathbb{R}^n$ is the hybrid state space and $\Xi_0 = \bigcup_{i \in Q_0} \{i\} \times X_{0i} \subset \Xi$ is the set of initial hybrid states.

– $\Upsilon = Y \times \mathbb{R}^p$ is the hybrid output space. Usually, for this class of systems, $h(i)$ is set to $\epsilon$, $\forall i \in Q$, i.e. no discrete output is defined, but the more general case of hybrid output space can be considered in a similar way.
– $S(i)$ is described by the equations
$$\dot x(t) = A_i x(t) + B_i u(t) + v_i, \qquad y(t) = C_i x(t) + c_i \tag{2.32}$$
where $t \in \mathbb{R}$, $x(t) \in \mathbb{R}^n$, $u(t) \in \mathbb{R}^m$, $v_i \in \mathbb{R}^n$, $y(t) \in \mathbb{R}^p$ and $c_i \in \mathbb{R}^p$.
– $E \subset Q \times Q = \{(i, j) : P_{i,\varepsilon} \cap P_j \neq \emptyset\}$.
– $R : E \times \mathbb{R}^n \times \mathbb{R}^m \to \mathbb{R}^n$ is the identity reset function, i.e. $R((i, j), x, \gamma) = x$, $\forall (i, j) \in E$, $\forall x \in \mathbb{R}^n$ and $\forall \gamma \in \mathbb{R}^m$.

Let us consider closed polyhedral sets $P_i$, with interior, and index set $Q = \{1, 2, \ldots, N\}$, such that
$$\bigcup_{i \in Q} P_i = \mathbb{R}^n \tag{2.33}$$
and
$$\mathrm{int}(P_i) \cap \mathrm{int}(P_j) = \emptyset. \tag{2.34}$$
Let each $P_i$ be described as
$$P_i = \{x \in \mathbb{R}^n : F^{(i)} x \le g^{(i)}\} \tag{2.35}$$
with $F^{(i)} \in \mathbb{R}^{p_i \times n}$ and $g^{(i)} \in \mathbb{R}^{p_i}$, and define the sets
$$P_{i,\varepsilon} = \{x \in \mathbb{R}^n : F^{(i)} x \le g^{(i)} + \varepsilon \mathbf{1}\} \tag{2.36}$$
where the symbol $\mathbf{1}$ denotes the vector of all ones in the space $\mathbb{R}^{p_i}$ and $\varepsilon$ is a positive real. Then input-state constraints are defined by the set (see (2.12))
$$\Gamma = \bigcup_{i \in Q} \{i\} \times \Gamma_i \subset Q \times (\mathbb{R}^n \times \mathbb{R}^m) \tag{2.37}$$
where $\Gamma_i = P_{i,\varepsilon} \times \mathbb{R}^m$. Since the constraints above must be satisfied during the whole state execution (see (2.16)), we suppose without any loss of generality that $X_{0i} \subset P_i$. Given the polyhedron $P_{i,\varepsilon}$ described in (2.36), the symbol $F^{(i)}_j$ denotes the $j$th row of the matrix $F^{(i)} \in \mathbb{R}^{p_i \times n}$. For $x \in P_{i,\varepsilon}$,
$$I_{i,x} = \{j \in [1; p_i] : F^{(i)}_j x = g^{(i)}_j + \varepsilon\}$$

[Fig. 2.3 Tangent cones: the set $P_{i,\varepsilon}$ with two points $x_1$, $x_2$ and their tangent cones]

with $g^{(i)}_j$ the $j$th component of the vector $g^{(i)}$. Let $T_{i,\varepsilon}(x)$ be the tangent cone to $P_{i,\varepsilon}$ in $x$, i.e. if $I_{i,x} \neq \emptyset$,
$$T_{i,\varepsilon}(x) = \{z \in \mathbb{R}^n : F^{(i)}_j z \le 0,\ j \in I_{i,x}\}$$
otherwise, if $I_{i,x} = \emptyset$,
$$T_{i,\varepsilon}(x) = \mathbb{R}^n.$$
The following proposition is a straightforward consequence of the so-called subtangentiality condition or Nagumo condition (see [18]). It simply means that, starting from some $x \in P_{i,\varepsilon}$, it is possible to remain in the set if and only if the vector $\dot x$ belongs to the tangent cone at that point $x$, i.e. roughly speaking, at $x$ the vector $\dot x$ points inside the set $P_{i,\varepsilon}$. In Fig. 2.3 the tangent cones at $x_1$ and $x_2$ are represented. The arrows in $x_1$ and $x_2$ represent some of the directions of $\dot x$ such that the state trajectory originating from $x_1$ and $x_2$, respectively, remains in the set $P_{i,\varepsilon}$.

Proposition 2.3 Suppose the current state is $x(t') = x' \in P_{i,\varepsilon}$. There exists $\delta > 0$ such that $x(t) \in P_{i,\varepsilon}$, $\forall t \in [t', t' + \delta]$, if and only if there exists $u \in \mathbb{R}^m$ such that $A_i x' + B_i u + v_i \in T_{i,\varepsilon}(x')$.

The constraints on the transitions can be defined as in (2.17), i.e. for $e = (q(t_k, k), q(t_k, k+1)) \in E$
$$(x(t_k, k), \gamma(t_k, k)) \in G(e) \tag{2.38}$$

where for $e = (i, j) \in E$, $G$ is the map
$$G(e) = \{(x, u) \in P_{i,\varepsilon} \times \mathbb{R}^m : A_i x + B_i u + v_i \notin T_{i,\varepsilon}(x) \ \wedge \ j = \varsigma(J_x)\} \tag{2.39}$$
where $J_x = \{j \in Q : x \in P_j\}$ and $\varsigma$ is a selection function
$$\varsigma : 2^Q \to Q \tag{2.40}$$
that defines a rule for the selection of a state in a subset of $Q$. For example, if $J_x = \{3, 1, 7\}$ and the rule we want to define is to select the index with minimum value, then $\varsigma(J_x) = 1$. In Eq. (2.39) we are implicitly assuming that
$$\gamma(t_k, k) = \gamma(t_k, k+1) \tag{2.41}$$
in order to be consistent with the formalism introduced previously. In other words, when the current continuous state is $x \in P_{i,\varepsilon}$ and the current continuous input is such that it is not possible to remain in the set $P_{i,\varepsilon}$, then a transition may take place and the continuous state after the transition belongs to the set $P_j \subset P_{j,\varepsilon}$, uniquely determined by the function $\varsigma$, while the continuous input after the transition is the one that determined the transition. We now illustrate some properties of the evolution of the PWA system defined by (2.31), with constraints (2.37) and (2.39). The first proposition establishes that the switching times are well defined:

Proposition 2.4 For all $\varepsilon > 0$, given the current switching time $t_k$, the value $\xi(t_k, k+1) = (i, \bar x)$ and the input function $u(\cdot)$,
$$t_{k+1} = \inf \{ t \text{ such that } x(t) \in P_{i,\varepsilon} \text{ and } A_i x(t) + B_i u(t) + v_i \notin T_{i,\varepsilon}(x(t)) \} \tag{2.42}$$
where $x(t)$ is the solution of system $S(i)$, starting from initial state $\bar x$, under control input $u(t)$, $t \in [t_k, t)$. Moreover, $t_{k+1} > t_k$.

Proof (Sketch) Given $x(t) \in P_{i,\varepsilon}$ and given some input function $u(\cdot)$, a transition occurs if and only if there exists some real $\delta > 0$ such that $x(t + \tau)$ does not bel ong to $P_{i,\varepsilon}$, $\forall \tau \in (0, \delta)$. Therefore, from Proposition 2.3, Eq. (2.42) follows. Then, by construction, $t_{k+1} > t_k$ since at $t_k$ the continuous state $\bar x$ belongs to $P_i$, and at $t_{k+1}$ the continuous state belongs to the boundary of $P_{i,\varepsilon}$. Notice that this is true also for $k = 0$, because we have supposed $X_{0i} \subset P_i$. □

The second proposition is about the existence and uniqueness of infinite evolutions.

Proposition 2.5 For any $\varepsilon > 0$, for any input function $u(\cdot) \in \mathcal{U}$ defined over $[0, \infty)$, and for any initial hybrid state, there exists a unique state execution of infinite time duration.¹

Proof (Sketch) The existence of an execution with infinite time duration for any initial state depends on condition (2.33). Its uniqueness depends on the fact that the dynamical systems are affine and on the definition of the selection function (2.40). □

Finally, let $\mathcal{U}_U$ be the set of piecewise-continuous input functions that take values in a compact set $U \subset \mathbb{R}^m$. Given $i \in Q$, let $\tau_i : \mathbb{R}^n \times \mathbb{R}^n \times \mathcal{U}_U \to \mathbb{R}^+_0$ be the function that associates to $x', x'' \in \mathbb{R}^n$ and $u(\cdot) \in \mathcal{U}_U$ the time $\bar t = \tau_i(x', x'', u(\cdot))$ such that the evolution of the dynamical system $S(i)$ with input function $u|_{[0, \bar t)}$ satisfies the conditions
$$x(0) = x', \qquad x(\bar t) = x''.$$
If for some $x', x''$ and $u(\cdot)$ the two conditions above are not satisfied for any finite $t \in \mathbb{R}^+$, then $\tau_i(x', x'', u(\cdot)) = \infty$. If $\tau_i(x', x'', u(\cdot)) = \infty$ for all $x' \in P_i$ and for all $x'' \in \partial P_{i,\varepsilon}$, then, starting from any initial state in $P_i$, the state evolution of the system $S(i)$ remains in the interior of the set $P_{i,\varepsilon}$ for any input function $u(\cdot) \in \mathcal{U}_U$. Then, when the current continuous state at some time $\tilde t$ belongs to $P_i$, no transition occurs for $t \ge \tilde t$. In our framework, this situation can be represented in the FSM associated with the $H$-system by a discrete state $i$ with no successors.² Otherwise, the dwell time in the mode $i \in Q$ is greater than or equal to the time $\tilde\tau_i$, solution of the following problem
$$\tilde\tau_i = \inf_{x' \in P_i,\ x'' \in \partial P_{i,\varepsilon}} \ \inf_{u(\cdot) \in \mathcal{U}_U} \tau_i(x', x'', u(\cdot)) \tag{2.43}$$
where $\partial P_{i,\varepsilon}$ denotes the boundary of the set $P_{i,\varepsilon}$. Since $\tilde\tau_i > 0$ for all $\varepsilon > 0$, the $H$-system is non-Zeno, as defined in Sect. 2.4.

Remark 2.2 The optimization problem in (2.43) is not convex, in general. However, by leveraging the polyhedral structure of the involved sets, described in (2.35) and (2.36), the problem (2.43) can be replaced by the following simpler problem, which, if the set $U$ is a convex, bounded polyhedron, can be solved by using standard algorithms:
$$\min_{j \in \{1, \ldots, p_i\}} \ \inf_{x' \in P_i,\ x'' \in P^j_{i,\varepsilon}} \ \inf_{u(\cdot) \in \mathcal{U}_U} \tau_i(x', x'', u(\cdot)) \tag{2.44}$$
where $P^j_{i,\varepsilon}$ is the half-space obtained by considering the parameters of the $j$th inequality which defines the set $P_{i,\varepsilon}$, i.e.
$$P^j_{i,\varepsilon} = \{x \in \mathbb{R}^n : F^{(i)}_j x \ge g^{(i)}_j + \varepsilon\}. \tag{2.45}$$
Notice that the time computed by (2.44) is non-zero and is less than or equal to the time computed by (2.43). □

¹ An $H$-system with this property is non-blocking, as defined in Sect. 2.4. Moreover, since the state execution of infinite time duration is unique, the system is deterministic in the sense of [16].
² A discrete state with no successor will be named sink in the next chapter.
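The temperature-regulation model of Eqs. (2.29)-(2.30), executed as the constrained $H$-system of this section, as an added worked example (not the book's own code): it builds the $\varepsilon$-enlarged polyhedra (2.36), applies the tangent-cone test of Proposition 2.3 and the guard (2.39) with the minimum-index selection rule, computes switching times by the rule (2.42), and evaluates $\tilde\tau_i$ of (2.43) for this one-dimensional case. All numerical values ($\bar x$, $\varepsilon$, $u$, $\alpha$, $x_0$) are constructed, and the closed-form flows and exit times are specific to these two affine modes.

```python
import math

# Constructed example (added here; not the book's own code). The temperature
# model of Eqs. (2.29)-(2.30) as a constrained H-system of Sect. 2.3:
#   mode 1 (heater on):  xdot = u,          P_1 = {x <= xbar}
#   mode 2 (heater off): xdot = -alpha * x, P_2 = {x >= xbar}
# Both polyhedra are written as F x <= g (Eq. (2.35)); P_{i,eps} is the
# eps-enlarged version of Eq. (2.36). Transitions follow the guard (2.39)
# with the "smallest index" selection rule of Eq. (2.40).

def polyhedron(i, xbar):
    """Rows (F_j, g_j) of F^(i) x <= g^(i) for P_i, one-dimensional case."""
    return {1: [(1.0, xbar)], 2: [(-1.0, -xbar)]}[i]

def active_set(rows, x, eps, tol=1e-9):
    """I_{i,x}: indices of the constraints of P_{i,eps} that are tight at x."""
    return [j for j, (F, g) in enumerate(rows) if abs(F * x - (g + eps)) <= tol]

def in_tangent_cone(rows, x, xdot, eps):
    """Nagumo test of Proposition 2.3: xdot in T_{i,eps}(x) iff F_j xdot <= 0
    for every active j (trivially true when no constraint is active)."""
    return all(rows[j][0] * xdot <= 0 for j in active_set(rows, x, eps))

def membership(x, xbar, tol=1e-9):
    """J_x = {j in Q : x in P_j}, using the original (non-enlarged) P_j."""
    return [j for j in (1, 2)
            if all(F * x <= g + tol for F, g in polyhedron(j, xbar))]

def select(J):
    """Selection function of Eq. (2.40): the smallest index of J_x."""
    return min(J)

def vector_field(i, x, u, alpha):
    return u if i == 1 else -alpha * x

def guard_target(i, x, u, alpha, xbar, eps):
    """Guard of Eq. (2.39): if the field at x leaves T_{i,eps}(x), return the
    target mode sigma(J_x); otherwise None (staying in P_{i,eps} is possible)."""
    if in_tangent_cone(polyhedron(i, xbar), x, vector_field(i, x, u, alpha), eps):
        return None
    return select(membership(x, xbar))

def exit_time(i, x, u, alpha, xbar, eps):
    """Time for S(i), started at x in P_{i,eps}, to reach the boundary of
    P_{i,eps} (closed forms for the two 1-D affine modes); inf if never."""
    if i == 1:                                  # x(t) = x + u t  ->  xbar + eps
        return (xbar + eps - x) / u if u > 0 else math.inf
    if xbar - eps <= 0:                         # decay to 0 never reaches xbar - eps
        return math.inf
    return math.log(x / (xbar - eps)) / alpha   # x(t) = x e^{-alpha t} -> xbar - eps

def flow(i, x, dt, u, alpha):
    return x + u * dt if i == 1 else x * math.exp(-alpha * dt)

def simulate(x0, i0, u, alpha, xbar, eps, n_switches):
    """Execute the constrained H-system for n_switches transitions.

    Each switching time is the inf of Eq. (2.42): the first instant at which
    the state is on the boundary of P_{i,eps} with the field pointing outward.
    Returns (switching times, discrete state sequence, status); status is
    'blocking' when the guard selects the current mode again, which is what
    happens with eps = 0 (the chattering case discussed in the text)."""
    t, x, i = 0.0, x0, i0
    times, modes = [0.0], [i0]
    for _ in range(n_switches):
        dt = exit_time(i, x, u, alpha, xbar, eps)
        if dt == math.inf:
            return times, modes, 'no further transition'
        t, x = t + dt, flow(i, x, dt, u, alpha)
        j = guard_target(i, x, u, alpha, xbar, eps)
        if j is None:
            return times, modes, 'no further transition'
        if j == i:
            return times, modes, 'blocking'
        i = j                                   # identity reset: x unchanged
        times.append(t)
        modes.append(i)
    return times, modes, 'ok'

def dwell_times(times):
    return [b - a for a, b in zip(times, times[1:])]

def minimal_dwell(i, u_max, alpha, xbar, eps):
    """tau~_i of Eq. (2.43) for this model: the infimum over x' in P_i and
    u in [0, u_max] is attained at x' = xbar (the point of P_i on the shared
    boundary) with the fastest input, so it equals exit_time from xbar.
    It is 0 for eps = 0, i.e. the Zeno case of Sect. 2.4."""
    return exit_time(i, xbar, u_max, alpha, xbar, eps)

if __name__ == '__main__':
    times, modes, status = simulate(15.0, 1, 2.0, 0.1, 20.0, 1.0, 4)
    print(status, modes, [round(d, 4) for d in dwell_times(times)])
    print(simulate(15.0, 1, 2.0, 0.1, 20.0, 0.0, 4)[2])
```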

2.4 More on H-Systems Modeling and Properties

In the following chapters, for notational simplicity, we will assume that the dwell time is greater than zero:

Assumption 2.1 For all i ∈ Q, dwell(i) ⊂ R⁺.

Remark 2.3 Assumption 2.1 is equivalent to the constraint t_k > t_{k−1}, k = 1, ..., L. A very useful simplification in the notation is obtained under this hypothesis, without any conceptual loss, because the expressive power of the model is not limited. In fact, if the time elapsed between two consecutive commutations plays no role (for example, when commutations represent logical events that determine the transitions and the continuous dynamics plays no role), we can model this situation by defining modes in which there is no continuous evolution. Example 2.2 will illustrate this modeling possibility. □

Under Assumption 2.1, Definition 2.2 of time basis boils down to the following simplified version:

Definition 2.7 The hybrid time basis τ is an infinite or finite sequence of time intervals I_k = [t_{k−1}, t_k), k = 1, ..., L, with t_k > t_{k−1} and t_0 = 0, where L = card(τ), and with time duration

$$\sum_{k=1}^{L} (t_k - t_{k-1}).$$

Note that in Definition 2.7, setting t_0 = 0 is without loss of generality. A time basis is said to be
– finite, if L is finite and t_L < ∞;
– infinite, if L = ∞ or $\sum_{k=1}^{L} (t_k - t_{k-1}) = \infty$.

Moreover, it is said to be
– Zeno, if L = ∞ and $\sum_{k=1}^{L} (t_k - t_{k-1}) < \infty$.

A non-Zeno time basis is a time basis that is not Zeno. The conditions defined above are summarized in the following table:

|        | Σ_{k=1}^{L} (t_k − t_{k−1}) < ∞ | Σ_{k=1}^{L} (t_k − t_{k−1}) = ∞ |
| L < ∞  | finite and non-Zeno              | infinite and non-Zeno            |
| L = ∞  | infinite and Zeno                | infinite and non-Zeno            |

For notational simplicity, we assume the following:

Assumption 2.2 The reset is not controlled, i.e. R : E × R^n → R^n.

Although with Assumption 2.2 we lose some generality, when deriving observability conditions the absence of the control γ in the reset function makes the detection of a commutation more difficult, because knowledge of the control γ could help in understanding that a discrete transition occurred. Under the assumptions above, state and output executions (see Definition 2.3, Eqs. (2.9), (2.10) and (2.11)) may be redefined as follows, where for a function x : R → R^n and t̄ ∈ R, x(t̄⁻) denotes lim_{t→t̄, t<t̄} x(t).

... > 0), only the right-hand side (resp. left-hand side) of the inequality constraint in Eq. (2.54) must be considered. In what follows, we will sometimes abuse terminology by using the expression infinite maximum dwell time with the meaning just explained.

A constrained H-system may exhibit a blocking behaviour. For example, if in a discrete state the function Δ imposes a finite maximum dwell time and this maximum has been reached by the continuous evolution, the evolution freezes whenever the continuous state does not belong to the guard set, which may be a proper subset of R^n. Also, the solution of the continuous dynamical system may fail to exist on the entire semi-axis [0, ∞) (finite-escape time phenomenon). We therefore use the following definitions:

Definition 2.9 A hybrid state ξ ∈ Ξ is reachable if there exists a finite execution of H ending in ξ.

Definition 2.10 A hybrid state ξ ∈ Ξ is non-blocking if there exists an infinite execution of H having initial state ξ. The H-system H is non-blocking if each state reachable from Ξ0 is non-blocking.

In principle, H-systems where the executions have bounded time duration could be meaningful. However, to simplify formalism and definitions, we assume that

Assumption 2.5 H is non-blocking.

The above assumption is obviously satisfied if the systems S(i) are linear, the continuous state is not constrained and, for any i ∈ Q for which Δ(i) is finite, there exists e = (i, σ, j) ∈ E which is not constrained, i.e. with G(e) = R^n. Without loss of generality we make the following assumption:

Assumption 2.6 For each discrete state q ∈ Q there exists a finite execution of H ending in (q, x) for some x ∈ R^n.

Under Assumption 2.6, H is non-blocking only if for any discrete state with no successors the maximum dwell time is infinite. This property is formalized in the following assumption:

Assumption 2.7 If succ(i) = ∅ then Δ(i) = ∞.

In summary, we consider H-systems as in (2.4), under Assumptions 2.1 to 2.7, with state executions as in Definition 2.8, output executions defined in (2.47), and constraints represented by the tuple

(Γ, G, δ, Δ)   (2.55)

where the set Γ and its role are defined in Eq. (2.50). The functions G, δ and Δ are defined in Eqs. (2.51), (2.52) and (2.53), respectively.

Finally, we introduce a subclass of H-systems:

Definition 2.11 An LH-system is an H-system where
– each dynamical system S(i) is described by the equations

$$\dot{x}(t) = A_i x(t) + B_i u(t), \qquad y(t) = C_i x(t), \qquad (2.56)$$

where A_i ∈ R^{n×n}, B_i ∈ R^{n×m}, C_i ∈ R^{p×n};
– R : E × R^n → R^n is a linear reset function, R(e, x) = R_e x, where R_e ∈ R^{n×n}.

Proposition 2.6 An LH-system is a linear H-system, as in Definition 2.4. In general, a constrained LH-system is not linear. It is linear if Γ is a hybrid subspace of Q × (R^n × R^m), i.e. Γ_i is a linear subspace of R^n × R^m for all i ∈ Q, and G(e) is a linear subspace of R^n for all e ∈ E.


The definitions we will introduce in the following chapters are valid for general hybrid systems, not only for linear ones. However, most of the results do depend on linearity. For this reason, we will make explicit reference either to the class of H -systems or to the class of L H -systems, to make sure that the validity of the results is understood clearly.

2.5 Illustrative Examples

In this section, some simple examples provide an intuition for the meaning of the elements of the tuple H = (Ξ, Ξ0, Υ, h, S, E, R) that defines an H-system as in Eq. (2.4) and for their role in defining the time evolution of H. More realistic examples taken from everyday life, which show the richness and power of the modeling framework, can be found e.g. in [9, 15, 17, 24].

Example 2.1 An autonomous H-system with guard conditions and constrained switching times
The hybrid state space is Ξ = Q × R² with discrete state space Q = {1, 2}. The set of initial hybrid states is Ξ0 = Q0 × {(10, 0)ᵀ} with Q0 = {1}. The hybrid output space is Υ = Y × R with Y = {a, b}. The discrete output function h : Q → Y is given by h(1) = a, h(2) = b. The set of admissible transitions is E = {(1, 2), (2, 1), (1, 1)}. The FSM M = (Q, Q0, Y, h, E) associated with H (see Eq. (2.5)) is represented in Fig. 2.6. The continuous-time dynamical systems S(1) and S(2) associated with the discrete states 1 and 2 are described by the following equations for i = 1, 2, respectively:

[Figure] Fig. 2.4 The hybrid state space Ξ = {1, 2} × R² (one copy of the (x1, x2) plane for each discrete state)

$$\dot{x}(t) = A_i x(t), \qquad y(t) = C_i x(t),$$

where

$$A_1 = \begin{bmatrix} 0 & -1 \\ 1 & 0 \end{bmatrix}, \quad A_2 = \begin{bmatrix} 0 & 0 \\ 0 & -\alpha \end{bmatrix}, \quad \alpha > 0, \quad C_1 = C_2 = \begin{bmatrix} 1 & 0 \end{bmatrix}.$$

The constraints are defined by the tuple (Γ, G, δ, Δ). Suppose that the input and state are not constrained, so that Γ = Q × R^n × R^m. Moreover, suppose that the transitions between states 1 and 2 are not restricted by guard conditions, while the transition (1, 1) is allowed only if the components of the current continuous state have the same value. Then the function G is defined as

[Figure] Fig. 2.5 The hybrid output space Υ = {a, b} × R
[Figure] Fig. 2.6 FSM associated with H (states 1 and 2 with outputs a and b; transitions (1, 2), (2, 1) and the self-loop (1, 1))

G(e) = R², e ∈ {(1, 2), (2, 1)},
G(e) = {x ∈ R² : [1 −1] x = 0}, e = (1, 1).

When a transition between states 1 and 2 occurs, the continuous states before and after the transition have the same value, while there is a reset of the state when the transition (1, 1) takes place:

$$R(e, x) = x, \quad e \in \{(1, 2), (2, 1)\}, \qquad R(e, x) = \begin{bmatrix} 1 & 0 \\ 0 & 0 \end{bmatrix} x, \quad e = (1, 1).$$

Finally, the minimum and maximum dwell times are

δ(i) = 0, i ∈ {1, 2},  Δ(1) = ∞,  Δ(2) = Δ > 0.

We suppose that Assumption 2.3 holds (note that the conditions above on dwell times do not imply that H is non-Zeno). The maximum dwell time in mode 2 is finite. However, since the transition (2, 1) is unconstrained and no state-input constraints are imposed, it is seen by inspection that the system is non-blocking. Hence, Assumption 2.5 holds. We give some examples of executions of H. Let us consider the evolution in time of the discrete state illustrated in Fig. 2.7.

[Figure] Fig. 2.7 A discrete state evolution (discrete state 1 or 2 against t; switching times t0, t1, t2, t3, t4)
[Figure] Fig. 2.8 The discrete output evolution corresponding to the discrete state evolution of Fig. 2.7 (output a or b against t; switching times t0, t1, t2, t3, t4)

The evolution in time of the discrete component of the output is represented in Fig. 2.8. The evolution of the continuous component of the state is shown in Fig. 2.9. The dashed line in the picture represents the guard set, which has no role in this execution. Finally, the evolution in time of the continuous component of the output is represented in Fig. 2.10. Note that the execution where the evolution in time of the discrete state is the one depicted in Fig. 2.11 is also possible, so the H-system H is non-deterministic, in the sense that for the same initial hybrid state and for the same time basis, different infinite executions are possible. In this second case, the discrete output evolution and the continuous state trajectory are represented in Figs. 2.12 and 2.13, respectively. The discontinuities in the trajectory are due to the state reset associated with the transition (1, 1). Finally, the continuous output evolution is depicted in Fig. 2.14. □

[Figure] Fig. 2.9 Continuous state trajectory (axes x1, x2; initial state (10, 0); switching times t0, t1, t2, t3, t4)
[Figure] Fig. 2.10 Continuous output evolution in time (output against t; switching times t0, t1, t2, t3, t4)
[Figure] Fig. 2.11 The discrete state evolution (discrete state 1 or 2 against t; switching times t0, t1, t2, t3, t4)
[Figure] Fig. 2.12 The discrete output evolution (output a or b against t; switching times t0, t1, t2, t3, t4)

Example 2.2 An autonomous H-system with recursive update of the continuous state
Suppose we want to model a system where the state evolves according to some known differential equations until an external event occurs. This event causes the recursive update of the state until the state assumes some desired value. Then, the system evolves again according to the given differential equations. We define an H-system representing this kind of behavior as follows: H = (Ξ, Ξ0, Υ, h, S, E, R) with Q = {1, 2}, Ξ = Q × R, Ξ0 = {1} × R, Υ = Ξ, h(i) = i, i ∈ Q. The FSM associated with H is represented in Fig. 2.15. Let S(1) be a dynamical system described by the equations

$$\dot{x}(t) = \alpha x(t), \qquad y(t) = x(t) \qquad (2.57)$$

with α > 0, and let S(2) be described by the equations

$$\dot{x}(t) = 0, \qquad y(t) = x(t). \qquad (2.58)$$

The set of admissible transitions is E = {(1, 2), (2, 1), (2, 2)}. Suppose that the reset function is linear and

R((1, 2), x) = R((2, 2), x) = βx, β ∈ (0, 1),  R((2, 1), x) = x.

[Figure] Fig. 2.13 Continuous state trajectory (axes x1, x2; jumps from t1⁻ to t1 and from t2⁻ to t2 due to the reset; switching times t0, t1, t2, t3, t4)
[Figure] Fig. 2.14 Continuous output evolution in time (output against t; switching times t0, t1, t2, t3, t4)
[Figure] Fig. 2.15 FSM associated with H (Example 2.2) (states 1 and 2; transitions (1, 2), (2, 1) and the self-loop (2, 2))

Assume also that each update requires T units of time. The evolution is described by S(1) while the state remains below a given threshold s, and the updates are required until the state is below a threshold z. More precisely, given s̲, s̄, z̲, z̄ ∈ R⁺ with

s̲ = s̄ > z̄ > z̲,  z̲ = βz̄,

we define the following constraints (Γ, G, δ, Δ), where

ξ(t) ∈ Γ = ∪_{i∈Q} ({i} × Γ_i), ∀t ≥ 0,

with

Γ_1 = {x ∈ R : |x| < s̄},
Γ_2 = {x ∈ R : |x| > z̲},

and the guard sets are

G((1, 2)) = {x ∈ R : |x| ≥ s̲},
G((2, 2)) = {x ∈ R : β|x| > z̲},
G((2, 1)) = {x ∈ R : |x| ≤ z̄}.

Finally,

δ(1) = 0, Δ(1) = ∞, δ(2) = T, Δ(2) = T.

From the definition of δ the system is non-Zeno. We now show that if x0 ∈ Γ_1 the hybrid system is non-blocking. Consider Fig. 2.16. Suppose that the initial continuous state is x0 ≠ 0, with x0 ∈ Γ_1. The continuous state at time t ∈ [0, t1), t1 = (1/α) ln(s̲/|x0|), is x(t) = e^{αt} x0. At t = t1 > 0, the transition (1, 2) occurs, and x(t1) = βe^{αt1} x0 ∈ Γ_2 (since β s̲ > βz̄ = z̲). Then, x(t) = x(t1) ∈ Γ_2 for t ∈ [t1, t1 + T). At time t2 = t1 + T a transition must take place, because of the definition of δ(2) and Δ(2). If |x(t2⁻)| ≤ z̄, the transition (2, 1) occurs, x(t2) = x(t2⁻) with |x(t2)| ∈ (z̲, z̄], and hence, since s̄ > z̄, x(t2) ∈ Γ_1 and the execution can continue.

[Figure] Fig. 2.16 Continuous state evolution in time. The deterministic case (x against t; thresholds s, z̄, z̲ and initial state x0 marked; switching times t0, t1, ..., t8)

If |x(t2⁻)| > z̄, as is the case depicted in Fig. 2.16, the transition (2, 2) is enabled, and x(t2) = βx(t2⁻) ∈ Γ_2. At time t3 = t2 + T, either |x(t3⁻)| ∈ (z̲, z̄] or |x(t3⁻)| > z̄, and therefore the execution can continue, as described above. Therefore, the constrained H-system is non-blocking, and the continuous state trajectory is eventually bounded between z̲ and s̄. What we have described is an application of the non-blocking condition established in [16] (Lemma III.1): roughly speaking, for each hybrid state reached by an execution, when it is not possible to remain in the same discrete state, a discrete transition is enabled. The description above shows also that the system is deterministic (see [16], Lemma III.2). If s̄ > s̲, then a commutation from state 1 to state 2 is possible at any time in the interval [t', t̄] such that x(t') = s̲ and x(t̄⁻) = s̄. Hence the system in this case is not deterministic. If z̲ < βz̄ then G((2, 2)) ∩ G((2, 1)) ≠ ∅, and both transitions (2, 2) and (2, 1) can occur at t if x(t) ∈ G((2, 2)) ∩ G((2, 1)). Hence the system also in this case is not deterministic. Figure 2.17 depicts one of the possible continuous state evolutions compatible with s̄ > s̲ and z̲ < βz̄. The evolution in Fig. 2.16 is also compatible with these thresholds: in Fig. 2.16 and in Fig. 2.17 the initial states are the same, but the evolutions are different, as expected. □
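To make the claims of Example 2.2 checkable on an actual run, here is an added simulation in Python; it is not code from the book. It encodes the constraint tuple (Γ, G, δ, Δ) of the example (the names s_lo, s_hi, z_lo, z_hi stand for s̲, s̄, z̲, z̄), resolves the two sources of non-determinism explicitly (the switching instant inside the window in which (1, 2) is enabled, and the choice between (2, 2) and (2, 1) when both guards hold), and goes one step beyond the text by reporting a blocked run when the maximum dwell time in mode 2 is reached with no guard satisfied, the blocking behaviour of Sect. 2.4 that the thresholds of the example are chosen to exclude. The three parameter sets at the bottom are constructed for illustration.

```python
"""Simulation of the constrained H-system of Example 2.2 (added example, not the book's code).

Mode 1: x' = alpha x; guard of (1,2): |x| >= s_lo; state constraint Gamma_1: |x| < s_hi.
Mode 2: x' = 0, dwell time exactly T; guards G((2,2)): beta |x| > z_lo and
G((2,1)): |x| <= z_hi; state constraint Gamma_2: |x| > z_lo.
Resets: (1,2) and (2,2) multiply x by beta, (2,1) is the identity.
s_lo, s_hi, z_lo, z_hi are the thresholds written s, s-bar, z, z-bar in the text (s_lo <= s_hi assumed).
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    alpha: float   # growth rate of S(1), alpha > 0
    beta: float    # reset gain, beta in (0, 1)
    T: float       # delta(2) = Delta(2) = T
    s_lo: float    # guard threshold of (1,2)
    s_hi: float    # state constraint of mode 1
    z_lo: float    # state constraint of mode 2
    z_hi: float    # guard threshold of (2,1)


@dataclass
class Run:
    status: str            # "ok", "blocked", "stationary" or "infeasible"
    times: list            # hybrid time basis t_0 = 0 < t_1 < t_2 < ...
    modes: list            # discrete state on [t_{k-1}, t_k)
    states: list           # continuous state at t_{k-1}, after the reset
    enabled_sizes: list    # number of enabled transitions at each switching instant
    windows: list          # length of the admissible switching window of each stay in mode 1


def in_gamma(q, x, p):
    """State constraint Gamma_q of Example 2.2."""
    return abs(x) < p.s_hi if q == 1 else abs(x) > p.z_lo


def enabled_transitions(q, x, p):
    """Transitions e = (q, j) in E whose guard G(e) contains x."""
    if q == 1:
        return [(1, 2)] if abs(x) >= p.s_lo else []
    enabled = []
    if p.beta * abs(x) > p.z_lo:    # G((2,2))
        enabled.append((2, 2))
    if abs(x) <= p.z_hi:            # G((2,1))
        enabled.append((2, 1))
    return enabled


def reset(e, x, p):
    """R(e, x): contraction by beta on (1,2) and (2,2), identity on (2,1)."""
    return p.beta * x if e in ((1, 2), (2, 2)) else x


def simulate(x0, p, n_switches, choose=lambda en: en[0], t_frac=0.0):
    """Execute H from (1, x0) for up to n_switches transitions.

    In mode 1 the state is exp(alpha (t - t_k)) x_k; the switch (1,2) is admissible
    from the instant |x| reaches s_lo until |x| reaches s_hi, and t_frac in [0, 1]
    selects the instant inside that window (the window has length 0 when s_lo = s_hi).
    In mode 2 the state is frozen for exactly T and then a transition must fire;
    `choose` resolves the choice when both (2,2) and (2,1) are enabled.
    """
    run = Run("ok", [0.0], [1], [x0], [], [])
    t, q, x = 0.0, 1, x0
    if not in_gamma(q, x, p):
        run.status = "infeasible"
        return run
    for _ in range(n_switches):
        if q == 1:
            if x == 0.0:
                run.status = "stationary"   # x stays at 0 forever: no guard holds and Delta(1) = inf
                return run
            lo = max(abs(x), p.s_lo)                      # |x| when (1,2) first becomes enabled
            target = lo + t_frac * (p.s_hi - lo)          # |x(t_k^-)| at the chosen switching instant
            run.windows.append(math.log(p.s_hi / lo) / p.alpha)
            t += math.log(target / abs(x)) / p.alpha
            x_minus = math.copysign(target, x)
        else:
            t += p.T
            x_minus = x
        enabled = enabled_transitions(q, x_minus, p)
        run.enabled_sizes.append(len(enabled))
        if not enabled:                                   # maximum dwell time reached, no guard holds
            run.status = "blocked"
            return run
        e = choose(enabled)
        q, x = e[1], reset(e, x_minus, p)
        if not in_gamma(q, x, p):                         # reset state violates Gamma of the new mode
            run.status = "blocked"
            return run
        run.times.append(t)
        run.modes.append(q)
        run.states.append(x)
    return run


def is_deterministic(run):
    """True when no choice was left open along the run (the sense of Lemma III.2 of [16])."""
    return all(n <= 1 for n in run.enabled_sizes) and all(w == 0.0 for w in run.windows)


# Constructed parameter sets: the deterministic thresholds of the text (s_lo = s_hi,
# z_lo = beta z_hi), the non-deterministic ones (s_hi > s_lo, z_lo < beta z_hi) and,
# for contrast, a blocking choice (z_lo > beta z_hi) not considered in the text.
DETERMINISTIC = Params(alpha=1.0, beta=0.5, T=1.0, s_lo=8.0, s_hi=8.0, z_lo=1.0, z_hi=2.0)
NON_DETERMINISTIC = Params(alpha=1.0, beta=0.5, T=1.0, s_lo=6.0, s_hi=8.0, z_lo=0.5, z_hi=2.0)
BLOCKING = Params(alpha=1.0, beta=0.5, T=1.0, s_lo=6.0, s_hi=6.0, z_lo=1.5, z_hi=2.0)

if __name__ == "__main__":
    for name, p in (("deterministic", DETERMINISTIC), ("non-deterministic", NON_DETERMINISTIC),
                    ("blocking", BLOCKING)):
        r = simulate(1.0, p, 9)
        print(name, r.status, r.modes, [round(v, 3) for v in r.states],
              "deterministic:", is_deterministic(r))
```

With the deterministic thresholds the run from x0 = 1 cycles through the modes 1, 2, 2 with states 8 (before the reset), 4, 2, 2, and every enabled set has exactly one element; with the non-deterministic thresholds two different executions from the same initial state are obtained by changing only `choose`; with the blocking thresholds the execution freezes at t2 because neither guard of mode 2 holds.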

[Figure] Fig. 2.17 Continuous state evolution in time. The non-deterministic case (x against t; thresholds s̲, s̄, z̲, z̄ and initial state x0 marked; switching times t0, t1, ..., t10)

2.6 Notes and Further Reading

Hybrid systems can be classified on the basis of different keys, such as:
• switching mechanism: event-based, time-dependent, state-dependent, or any combination of them;
• structure of the controlled input space and of the disturbance space: the input and the disturbance can determine the evolution of the continuous component of the hybrid state or of the discrete state;
• hybrid state space structure: e.g. the discrete state space can be finite, infinite, countably infinite;
• constrained or unconstrained commutations;
• reset mechanism of the continuous state after switching: linear or nonlinear, point-to-point or point-to-set mapping, autonomous or controlled;
• structure of the output space.

Within any instance of the above, the dynamics can be linear or nonlinear, continuous-time or discrete-time. The literature is therefore quite vast and varied. In defining H-systems we kept the description of the system separate from the information structure (i.e. the output available for measurement) and from the definition of the restrictions imposed on its behaviour, so that this framework encompasses a very large set of models and makes their analysis easier. The information structure is in general related to the specific problem under consideration, e.g. stabilizability, observability, etc. Obviously, there are classes of systems that do not fit this description. For example, in systems as in [12] the knowledge of the average dwell time cannot be expressed as a constraint on the time separation between two consecutive switching times, but has to be considered as a priori information about the system behaviour.

As far as the discrete input is concerned, as mentioned in Definition 2.1, the set W can be partitioned as W = U ∪ V, where U is the finite set of discrete controls, V is the finite set of discrete disturbances and U ∩ V = ∅. H-systems with U = ∅, V ≠ ∅ and unbounded maximum dwell time are sometimes called in the literature "switching systems" (see e.g. [7]), while H-systems with V = ∅, U ≠ ∅, identity reset, guard set equal to R^n for each transition, and no constraints on the switching times are called "switched systems" (see [21, 22] and references therein). However, this is not a general practice: for example, in [14] systems with controlled or uncontrolled switchings are both called switched systems.

If we compare the class of H-systems with the model described in [15, 16], the main differences are the following:
• In [15, 16] the dynamical systems S(i) are autonomous, and the reset is defined by the point-to-set mapping R : E × R^n → 2^X.
• In [15], a set is associated with each discrete state, and hence with each dynamical system S(i), by means of a function Inv : Q → 2^X that assigns to each discrete state i ∈ Q a set Inv(i) ⊂ X, called invariant set (called domain in [16]). A switching event from a discrete state i to a different discrete state must be enforced as soon as the current continuous state no longer belongs to the invariant set associated with i. This definition of invariant sets is a special case of a constraint defined as in (2.50). In fact, if each Γ_i is the product of a set of continuous states (a subset of R^n) and a set of inputs (a subset of R^m), then Γ is the union over i ∈ Q of {i} times that product: the state factors play the role of Inv(i), and the input factors describe input constraints, which are independent of the continuous state. From the terminology point of view, an invariant set for a classical dynamical system is defined as a set starting from which the state evolution of the system remains in it forever (in free evolution, under suitable control, robustly with respect to disturbances, etc.), see e.g. [3]. In the hybrid systems framework, under the assumption of non-Zeno executions, the sets Inv(i) are invariant (or, more precisely, the set ∪_{i∈Q} {i} × Inv(i) is invariant) if and only if the system with Ξ0 = ∪_{i∈Q} {i} × Inv(i) is non-blocking, as defined in Definition 2.10. If the set Ξ0 is strictly contained in ∪_{i∈Q} {i} × Inv(i), then not all the states in ∪_{i∈Q} {i} × Inv(i) may be reachable, and the set ∪_{i∈Q} {i} × Inv(i) would not be invariant in the usual sense (on these aspects, see also [16]).
• In defining the constraints, we have introduced the minimum and maximum dwell times as a priori information that is assumed to be available. Time constraints can equivalently be represented by defining time as an additional state variable, as explained in Sect. 2.1, but we prefer to consider time constraints explicitly described by the functions δ(.) and Δ(.). Under the assumption of non-Zeno executions, the class of H-systems with suitably defined maximum and minimum dwell times can be viewed as an abstraction of the class of systems with state-input constraints. The interested reader is referred to the paper [8] for an example of how to derive such an abstraction to address the idle speed control problem in an automotive application.
• We cannot compare the information structure of the two models, since the observability problem was not addressed in [15] and hence the output function was not defined.

Following the definition in [17], an H-system H is non-blocking if for any ξ0 ∈ Ξ0 there exists a state execution χ = (ξ0, τ, u, ξ) with τ ∈ T_∞. This notion is weaker than the one we consider in Definition 2.10, following [19].

For the class of piecewise-affine hybrid systems, besides the already cited papers [2, 5, 10] and references therein, we cite also conewise linear systems (see e.g. [4] and references therein), an interesting subclass of piecewise-affine hybrid systems where the invariant sets are polyhedral cones.

The class of systems analyzed in [23] is characterized in general by a countably infinite set of discrete states. Therefore it is not a particular case of H-systems, although the two classes have a non-trivial intersection. In fact, in the model of [23], a linear controlled system is associated with each discrete state and, after a discrete transition, the continuous state is reset to a new continuous state according to a reset function R that is linear both in the state and in a control vector: R : E × R^n × R^s → R^n with R(e, x, v) = R_e x + D_e v, where R_e ∈ R^{n×n}, D_e ∈ R^{n×s} and v is a control input. A reset function of this form was analyzed in [6], to establish duality results between hybrid systems. In what follows, we do not consider controlled resets in the definition of H-systems (see Assumption 2.2), because this generalization only very marginally affects the results we will present. In fact, the controlled reset may have an impact only on the detection of the transition occurrence based on the continuous output information (see Sect. 7.2). As for the information structure, in [23] the discrete state sequence and the dwell time in each mode are assumed to be known a priori, while they are unknown in our setting.

Results about impulsive differential equations have long been established (see e.g. [11, 13]). In this framework, the hybrid model description proposed in [9] is elegant and concise, and it is general enough to include the class of H-systems, as also shown in [9]. Section 2.2 proves that the converse is also true, that is, the class of H-systems includes that of impulsive systems. The full set of elements in the tuple (2.1) yields a more explicit description of the hybrid system. The properties of the associated FSM, of the dynamical systems and of the reset map, as well as the geometry of the involved sets, play a role in assessing the observability properties of the H-system. This is why our analysis is based on the H-system model where those elements appear explicitly.


Fundamental questions such as the existence and uniqueness of solutions for hybrid systems have been extensively investigated in the literature. In our setting, we have introduced two assumptions: non-Zeno and non-blocking executions. We refer to [16, 25] for necessary and sufficient conditions for the existence of Zeno executions, and for a general analysis of non-blocking conditions, respectively. The case of H -systems with constraints as in Eq. (2.50) is presented in [7], where a procedure for the approximation of the maximal safe set for H -systems, (i.e. of the maximal subset of the given constraining set such that non-blocking executions are possible) is illustrated. Further results in this framework can be found in [1].

References
1. Athanasopoulos N, Smpoukis K, Jungers RM (2017) Invariant sets analysis for constrained switching systems. IEEE Control Syst Lett 1(2):256–261
2. Bemporad A, Ferrari-Trecate G, Morari M (2000) Observability and controllability of piecewise affine and hybrid systems. IEEE Trans Autom Control 45(10):1864–1876
3. Blanchini F, Miani S (2008) Set-theoretic methods in control. Birkhäuser, Basel
4. Camlibel MK, Pang JS, Shen J (2006) Conewise linear systems: non-Zenoness and observability. SIAM J Control Optim 45(5):1769–1800
5. Collins P, van Schuppen JH (2007) Observability of piecewise-affine hybrid systems. In: Alur R, Pappas GJ (eds) Hybrid systems: computation and control (HSCC'04). Lecture notes in computer science, vol 2993. Springer, Berlin, pp 265–279
6. De Santis E (2008) Invariant dual cones for hybrid systems. Syst Control Lett 57:971–977
7. De Santis E, Di Benedetto MD, Berardi L (2004) Computation of maximal safe sets for switching systems. IEEE Trans Autom Control 49(2):184–195
8. De Santis E, Di Benedetto MD, Pola G (2006) Digital idle speed control of automotive engines: a safety problem for hybrid systems. Nonlinear Anal 65:1705–1724
9. Goebel R, Sanfelice RG, Teel AR (2012) Hybrid dynamical systems: modeling, stability, and robustness. Princeton University Press, New Jersey
10. Habets LCGJM, Collins PJ, van Schuppen JH (2006) Reachability and control synthesis for piecewise-affine hybrid systems on simplices. IEEE Trans Autom Control 51:938–948
11. Hespanha J, Liberzon D, Teel AR (2008) Lyapunov conditions for input-to-state stability of impulsive systems. Automatica 44(11):2735–2744
12. Hespanha JP, Morse AS (1999) Stability of switched systems with average dwell-time. In: Proceedings of the 38th IEEE conference on decision and control, Phoenix, AZ, USA, pp 2654–2660
13. Lakshmikantham V, Bainov DD, Simeonov PS (1989) Theory of impulsive differential equations. World Scientific, Singapore
14. Liberzon D (2003) Switching in systems and control. Springer, Berlin
15. Lin H, Antsaklis PJ (2014) Hybrid dynamical systems: an introduction to control and verification. Foundations and trends in systems and control, vol 1(1). NOW
16. Lygeros J, Johansson KH, Simic SN, Zhang J, Sastry S (2003) Dynamical properties of hybrid automata. IEEE Trans Autom Control 48(1):2–17
17. Lygeros J, Sastry S, Tomlin C (2020) Hybrid systems: foundations, advanced topics and applications. https://inst.eecs.berkeley.edu/~ee291e/sp21/
18. Nagumo M (1942) Über die Lage der Integralkurven gewöhnlicher Differentialgleichungen. Proc Phys-Math Soc Jpn 24(3):551–559
19. Rashidinejad A, van der Graaf P, Reniers M, Fabian M (2020) Timed automata using forcible events. IFAC-PapersOnLine 53(4):356–362
20. Sanfelice RG (2015) Analysis and design of cyber-physical systems: a hybrid control systems approach. In: Rawat DB, Rodrigues JJPC, Stojmenovic I (eds) Cyber-physical systems from theory to practice. CRC Press, Boca Raton, pp 1–30
21. Sun Z, Ge SS (2005) Analysis and synthesis of switched linear control systems. Automatica 41:181–195
22. Sun Z, Ge SS (2005) Switched linear systems, control and design. Springer, London
23. Tanwani A, Shim H, Liberzon D (2015) Observer design for switched linear systems with state jumps. In: Djemai M, Defoort M (eds) Hybrid dynamical systems. Lecture notes in control and information sciences, vol 457. Springer, Berlin, pp 179–204
24. van der Schaft AJ, Schumacher JM (2000) An introduction to hybrid dynamical systems. Springer, Berlin
25. Zhang J, Johansson KH, Lygeros J, Sastry S (2001) Zeno hybrid systems. Int J Robust Nonlinear Control 11:435–451

Chapter 3

Discrete Structure of H-Systems and Background on Finite State Machines

In this chapter, some properties of the Finite State Machine M = (Q, Q 0 , Y, h, E) defined in Eq. (2.5), which abstracts the dependence of the discrete dynamics of H from its continuous evolution, are analyzed. In particular, we introduce the notions of Strongly connected components, Persistent states, and Traps. Then, several transformations of the FSM are illustrated, which preserve the relevant information needed to check observability properties of the H -system.

3.1 Analysis of the Discrete State Space

Consider the H-system H = (Ξ, Ξ0, Υ, h, S, E, R), as in (2.4), and the associated Finite State Machine (FSM) M = (Q, Q0, Y, h, E), as in (2.5). Given a time basis τ with card(τ) = L and the evolution in time (q0, τ, q) of the discrete state of H, as defined in (2.7), the event-based state evolution of M is described by a string σ where

σ(k) = q(t_{k−1}), k = 1, 2, ..., L.   (3.1)

For i ∈ Q, define

succ(i) = {j ∈ Q : (i, j) ∈ E}   (3.2)

and

pre(i) = {j ∈ Q : (j, i) ∈ E}.   (3.3)

For the sake of notational simplicity and clarity of exposition, in some cases we will assume M to be alive:

© Springer Nature Switzerland AG 2023 E. De Santis and M. D. Di Benedetto, H-Systems, Communications and Control Engineering, https://doi.org/10.1007/978-3-031-20447-0_3


Definition 3.1 (Liveness) An FSM is alive if succ(i) ≠ ∅, ∀i ∈ Q. A state i ∈ Q such that succ(i) = ∅ is called a sink.

A state execution (or state trajectory, or state evolution) of the FSM M is any finite or infinite string σ with symbols in Q that satisfies the conditions

σ(1) ∈ Q,  σ(k + 1) ∈ succ(σ(k)), k = 1, 2, ..., |σ| − 1.   (3.4)

The singleton {i}, i ∈ Q, is an execution. We denote by

Q⁺   (3.5)

the set of all finite and infinite state executions of M, and by

Q ⊂ Q⁺   (3.6)

the set of all finite and infinite state executions of M with σ(1) ∈ Q0. If σ' and σ'' are two strings, with σ' finite, σ' ∘ σ'' denotes their concatenation; concatenation with the empty string leaves a string unchanged. Let Y* be the set of strings with symbols in Y. The function that associates to a state execution of M the corresponding output string is

h : Q⁺ → Y*   (3.7)

where, for σ ∈ Q⁺,

h(σ) = h(σ(1)) ∘ ··· ∘ h(σ(|σ|))

if σ is finite. Otherwise h(σ) = s_∞, where s_∞ is recursively defined as s_1 = h(σ(1)), s_{k+1} = s_k ∘ h(σ(k + 1)).

Given Q' ⊂ Q, reach(Q') is the set of states that can be reached starting from Q':

reach(Q') = {i ∈ Q : (σ(1) ∈ Q') ∧ (σ(k) = i) ∧ (σ ∈ Q⁺)}.   (3.8)

Conversely, reach⁻¹(Q') is the set of states starting from which the set Q' can be reached, i.e.

reach⁻¹(Q') = {i ∈ Q : (σ(1) = i) ∧ (σ(k) ∈ Q') ∧ (σ ∈ Q⁺)}.   (3.9)

Obviously, Q' ⊂ reach(Q') and Q' ⊂ reach⁻¹(Q').

Given an FSM M, Ac(M) denotes the accessible part of M, as defined e.g. in [2], i.e. the FSM obtained from M by removing from Q all the states that do not belong to reach(Q0) and from E all the transitions from or to a state that is not in reach(Q0). An FSM M is called accessible if

reach(Q0) = Q   (3.10)

and hence in this case Ac(M) = M. We denote by Q_∞ the set of states for which the maximum dwell time is infinite:

Q_∞ = {i ∈ Q : Δ(i) = ∞}.   (3.11)

We now review some background definitions and results.

Definition 3.2 An FSM (Q, Q0, Y, h, E) is strongly connected if Q is a set of mutually reachable states.

Given M = (Q, Q0, Y, h, E), we define M̄ as the set of all strongly connected FSMs associated with M,

M^(i) = (Q^(i), Q0^(i), Y, h, E|_{Q^(i) × Q^(i)}), i = 1, 2, ..., |M̄|,   (3.12)

where Q^(i) ⊂ Q and Q0^(i) ⊂ Q^(i) is the set of initial states defined as

Q0^(i) = (Q0 ∪ ∪_{q ∈ Q \ Q^(i)} succ(q)) ∩ Q^(i),   (3.13)

i.e. the states in Q^(i) that either are initial states for M or can be reached "from the outside" of M^(i). Figure 3.1 shows an example of a strongly connected FSM ({1, 2, 3}, {1, 3}, Y, h, {(1, 2), (2, 3), (3, 1)}) belonging to M̄.

[Figure] Fig. 3.1 An example of strongly connected FSM associated with M (states 1, ..., 6 of M, with the strongly connected FSM on states 1, 2, 3 highlighted)
[Figure] Fig. 3.2 An example of strongly connected FSM associated with M and the resulting DAG (on the right) (states 1, ..., 6 of M, the components M' and M'', and the DAG between them)

Definition 3.3 (Strongly connected component) Given M, the finite state machine M̃ = (Q̃, Q̃0, Y, h, E|_{Q̃ × Q̃}) ∈ M̄ is a strongly connected component of M if Q̃ is a maximal set of mutually reachable states.

A connected FSM can be decomposed into its strongly connected components and there is a partial ordering among such components [6]. Moreover, the strongly connected components of the FSM determine a directed acyclic graph (DAG). By Definition 3.3, an FSM ({i}, {i}, Y, h, ∅) where the state i ∈ Q does not belong to any cycle is a strongly connected component of (Q, Q0, Y, h, E). Figure 3.2 shows an example of decomposition of an FSM into its strongly connected components M' and M'' and the associated DAG.


In order to introduce the notion of trap, we now refer not only to the FSM associated with the H-system but also to the H-system itself. Recall that in Chap. 2 we assumed that all the transitions are uncontrolled, i.e. W = V in the tuple (2.1). Moreover, hereafter in this chapter, unless otherwise explicitly said, we consider constraints defined by the tuple

$$(\mathbb{R}^n \times \mathbb{R}^m, G, \delta, \Delta) \tag{3.14}$$

with $G(e) = \mathbb{R}^n$, $\forall e \in E$, i.e. only the interval of time between two consecutive commutations can be constrained, as defined by the functions $\delta$ and $\Delta$. Roughly speaking, a trap corresponds to a set of mutually reachable discrete states starting from which it is not possible to guarantee that, by means of a control action, the future state evolution will leave the set; in other words, it is a set of mutually reachable discrete states starting from which, for any control action, there exists a disturbance such that the evolution remains "entrapped" in the set. This concept was introduced in [17] and adapted to the framework of H-systems in [3]. Obviously, the concept can be generalized by considering a trap as a subset of the hybrid state space, rather than of the discrete state space. In our current setting, by definition of the constraints given in (3.14), any transition occurrence is independent of the value of the continuous state, and hence of the value of the continuous input function u. Therefore, we consider the following:

Definition 3.4 (Trap) Given an H-system H, let M be its associated FSM. $\tilde{M} = (\tilde{Q}, \tilde{Q}, Y, h, E|_{\tilde{Q} \times \tilde{Q}}) \in \mathcal{M}$ is a trap of H if for any $i \in \tilde{Q}$ there exists an execution of H with $q(0) = i$ and $q(t) \in \tilde{Q}$, $\forall t \ge 0$.

We can define a maximal trap $M^{(i)}$ as a trap such that $Q^{(i)} \cap Q^{(j)} = \emptyset$ for any other trap $M^{(j)}$, $j \ne i$, thanks to the following proposition:

Proposition 3.1 Given any two traps $M^{(i)}$ and $M^{(j)}$, if $Q^{(i)} \cap Q^{(j)} \ne \emptyset$, then the FSM

$$M^{(i,j)} = \left(Q^{(i,j)}, Q^{(i,j)}, Y, h, E|_{Q^{(i,j)} \times Q^{(i,j)}}\right) \quad \text{with} \quad Q^{(i,j)} = Q_0^{(i,j)} = Q^{(i)} \cup Q^{(j)}$$

is a trap.

In the sequel, for simplicity, the term "trap" will stand for "maximal trap". Let $\widehat{\mathcal{M}}$ and $\widetilde{\mathcal{M}}$ denote the set of strongly connected components of M and the set of traps of M, respectively. In our current setting, the notions of strongly connected component and of trap are very akin, as established in the next proposition:

Proposition 3.2 Given an H-system H, let M be its associated FSM. Then

$$\widetilde{\mathcal{M}} \subset \widehat{\mathcal{M}} \subset \mathcal{M}$$


3 Discrete Structure of H -Systems and Background on Finite State Machines

and $\widehat{\mathcal{M}} \setminus \widetilde{\mathcal{M}}$ is the set of all strongly connected components $(\{j\}, \{j\}, Y, h, \emptyset)$ such that $j \notin Q_\infty$.

Proof For any hybrid initial state, the input has no effect on the switching times. Hence $\widetilde{\mathcal{M}} \subset \widehat{\mathcal{M}}$. The fact that a strongly connected component $(\{j\}, \{j\}, Y, h, \emptyset)$ such that $j \notin Q_\infty$ is not a maximal trap is a consequence of the definition of maximal trap. □

However, if some guard set is a proper subset of $\mathbb{R}^n$ or if $\Gamma$ is a proper subset of $Q \times \mathbb{R}^n \times \mathbb{R}^m$, the relationship between the two notions becomes more subtle. The next example shows that, in general, a strongly connected component may or may not be a trap, and a trap may or may not be a strongly connected component.

Example 3.1 (Strongly connected components and traps) Consider the system in Fig. 3.3, where

$$Q = \{1, 2, 3, 4, 5, 6\}, \quad \delta(i) = \delta_m \ne \infty, \quad \Delta(i) = \Delta_M \ne \infty, \ \forall i \in Q, \quad \delta_m < \Delta_M,$$

$$G((i, j)) = \mathbb{R}^n, \ \forall (i, j) \in E \setminus \{(2, 4)\}, \qquad G((2, 4)) = \{0\}.$$

Suppose that S(2) is a dynamical system with continuous input. Then the strongly connected components are defined by the sets of states {1}, {2, 3, 4}, {5, 6}, and the traps are defined by the sets of states {3, 4}, {5, 6}. The singleton {1} is not a trap, because the maximum dwell time is finite. The strongly connected component {2, 3, 4} is not a trap: in fact, if the current discrete state at time $t = t_1$ (i.e. after the first switching occurred) is 2, since $\Delta_M - \delta_m > 0$, there exists a control input function $\tilde{u}$ such that the continuous state is not equal to 0 for all times $t \in [t_1, t_1 + \Delta_M]$. Hence the transition (2, 4) is never enabled with such a control $\tilde{u}$. Since the maximum dwell time is finite and since the H-system is non-blocking, the only enabled transition is (2, 5). The set {3, 4} defines a trap: in fact, whenever the transition (2, 4) occurs, since $G((i, j)) = \mathbb{R}^n$, $\forall (i, j) \in E \setminus \{(2, 4)\}$, there is no continuous input that allows escaping from the cycle {3, 4}. However, the set {3, 4} does not correspond to a strongly connected component: in fact, it defines a strongly connected FSM, which is not maximal. The set {5, 6} is both a trap and a strongly connected component. □

We now define a state to be a persistent state if it may be visited after an arbitrarily long sequence of events:

Definition 3.5 (Persistent state) Given the FSM $(Q, Q_0, Y, h, E)$, a state $i \in Q$ is persistent if $\forall \hat{k} \in \mathbb{Z}$, $\exists \sigma \in \mathcal{Q} : \sigma(k) = i \wedge k \ge \hat{k}$. Let $Q_p$ denote the set of persistent states.

Remark 3.1 By recalling that $Q_\infty =\{i \in Q : \Delta(i) = \infty\}$ (see Eq. (3.11)), the set of states that are persistent or that can be reached starting from some $q \in Q_\infty$,

$$\overline{Q} = Q_p \cup reach(Q_\infty), \tag{3.15}$$

can be interpreted as the set of persistent in time states. In fact, for any $\hat{t} \in \mathbb{R}$ there exists an execution of H such that $q(t) \in Q_p \cup reach(Q_\infty)$ for some $t \ge \hat{t}$. The following property holds:

Lemma 3.1 There exists a finite time $t'$ such that $q(t) \in \overline{Q}$, $\forall t \ge t'$, for all infinite executions of H.

Proof By definition of $\overline{Q}$, if for some nonnegative $t \in \mathbb{R}$, $q(t) \in \overline{Q}$, then $q(\bar{t}) \in \overline{Q}$ for all $\bar{t} \ge t$. Given H, let us consider the set of all discrete state trajectories for which the ending state is in $\overline{Q}$ and no other discrete state of the trajectory belongs to $\overline{Q}$. Then no trajectory in this set has cycles. Therefore, the cardinality of this set of trajectories is finite. By definition of $\overline{Q}$, the time duration of each of those state trajectories is bounded. Let D be the set of such bounds. Obviously, D has finite cardinality. Therefore, $t'$ is the maximum over D. □

The next example compares the different notions introduced in this section.

Fig. 3.3 A strongly connected component is not in general a trap, because of guard sets


Fig. 3.4 The H-system. $Q_\infty = \{4, 6, 7\}$

Fig. 3.5 The states $reach(Q_\infty)$ (inside dashed line) and the persistent states (inside solid line)

Example 3.2 (Strongly connected components, persistent states, and traps) Figure 3.4 represents an H-system, where the initial discrete state is the state 0, the gray states have infinite maximum dwell time, and the other ones have finite maximum dwell time. Therefore, $Q_\infty = \{4, 6, 7\}$. As depicted in Fig. 3.5, $reach(Q_\infty) = \{4, 5, 6, 7, 8, 9\}$, the persistent states are $Q_p = \{1, 2, 3, 4, 5, 6, 9\}$, and the set of persistent in time states is $\overline{Q} = Q_p \cup reach(Q_\infty) = Q \setminus \{0\}$. In Fig. 3.6, the FSMs inside the dashed circles are the strongly connected components. Under the assumptions of Proposition 3.2, the FSMs inside the rectangles are the traps. □

Notice that in general the traps do not determine a DAG (see Fig. 3.6).

Fig. 3.6 The strongly connected components (inside ellipses). The traps (inside rectangles)
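As an added example (not code from the book), the following Python computes, for a constructed FSM, the strongly connected components, the traps under the hypotheses of Proposition 3.2, the persistent states $Q_p$ of Definition 3.5 and the persistent in time set (3.15). The graph, $Q_0$ and $Q_\infty$ are constructed for illustration and are not those of Fig. 3.4.

```python
# Added example, not the book's code: SCCs, traps (Proposition 3.2), persistent
# states and persistent in time states of a constructed FSM.
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

State = int
Edge = Tuple[State, State]


def reach(sources: Iterable[State], edges: Iterable[Edge]) -> FrozenSet[State]:
    """reach(X): every state reachable from X, X itself included."""
    succ: Dict[State, List[State]] = {}
    for i, j in edges:
        succ.setdefault(i, []).append(j)
    seen: Set[State] = set(sources)
    frontier = list(seen)
    while frontier:
        for nxt in succ.get(frontier.pop(), []):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return frozenset(seen)


def strongly_connected_components(states: Iterable[State],
                                  edges: Iterable[Edge]) -> List[FrozenSet[State]]:
    """Tarjan's algorithm on the subgraph induced by `states`; returns the maximal SCCs."""
    succ: Dict[State, List[State]] = {q: [] for q in states}
    for i, j in edges:
        if i in succ and j in succ:
            succ[i].append(j)
    index: Dict[State, int] = {}
    low: Dict[State, int] = {}
    stack: List[State] = []
    on_stack: Set[State] = set()
    comps: List[FrozenSet[State]] = []

    def visit(v: State) -> None:
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in succ[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:            # v is the root of a component: pop it
            comp: Set[State] = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            comps.append(frozenset(comp))

    for q in succ:
        if q not in index:
            visit(q)
    return comps


def is_cyclic(comp: FrozenSet[State], edge_set: Set[Edge]) -> bool:
    """An SCC contains a cycle iff it has several states or a self-loop."""
    return len(comp) > 1 or (next(iter(comp)), next(iter(comp))) in edge_set


def traps(states, edges, q_inf: Set[State]) -> List[FrozenSet[State]]:
    """Proposition 3.2: every SCC is a trap, except a singleton {j} without
    self-loop whose state j is not in Q_inf (its finite dwell time forces a switch)."""
    edge_set = set(edges)
    return [c for c in strongly_connected_components(states, edges)
            if is_cyclic(c, edge_set) or next(iter(c)) in q_inf]


def persistent_states(states, edges, q0: Set[State]) -> FrozenSet[State]:
    """Q_p of Definition 3.5. Q is finite, so an arbitrarily long initialized
    execution must go round a cycle: Q_p is what is reachable from a cyclic SCC
    of the part of M reachable from Q_0."""
    reachable = reach(q0, edges)
    edge_set = set(edges)
    on_cycle: Set[State] = set()
    for comp in strongly_connected_components(reachable, edges):
        if is_cyclic(comp, edge_set):
            on_cycle |= comp
    return reach(on_cycle, edges)


def persistent_in_time(states, edges, q0, q_inf) -> FrozenSet[State]:
    """Eq. (3.15): Q_p together with reach(Q_inf)."""
    return persistent_states(states, edges, q0) | reach(q_inf, edges)


# Constructed FSM (not the book's Fig. 3.4): 0 initial, cycles {1,2} and {4,5},
# 6 a sink with infinite dwell time, 7 a dead end with finite dwell time.
STATES = list(range(8))
EDGES = [(0, 1), (1, 2), (2, 1), (2, 3), (3, 4), (4, 5), (5, 4), (5, 6), (0, 7)]
Q0 = {0}
Q_INF = {3, 6}

if __name__ == "__main__":
    print("SCCs:", sorted(sorted(c) for c in strongly_connected_components(STATES, EDGES)))
    print("traps:", sorted(sorted(c) for c in traps(STATES, EDGES, Q_INF)))
    print("Q_p:", sorted(persistent_states(STATES, EDGES, Q0)))
    print("persistent in time:", sorted(persistent_in_time(STATES, EDGES, Q0, Q_INF)))
```

State 7 is reachable but neither persistent nor reachable from $Q_\infty$, so the persistent in time set is $Q \setminus \{0, 7\}$, mirroring the $Q \setminus \{0\}$ of Example 3.2.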

3.2 Transformations on FSMs

In this section, we describe two procedures which will be instrumental in analyzing observability properties for H-systems. The first procedure transforms an FSM with possible information about the discrete inputs (as the one associated with an H-system defined in Eq. (2.1)) into an FSM with no output associated with the transitions (as the one associated with an H-system defined in Eq. (2.4)). The second procedure transforms an FSM where the output symbol associated with some states may be $\epsilon$ into an FSM where the output is always different from $\epsilon$, i.e. all states have visible output.


3.2.1 From Mealy to Moore

Consider the H-system $H = (\Xi, \Xi_0, W, \Upsilon, h, S, E, R)$ as in (2.1) and suppose that $W = V$, i.e. all transitions are uncontrolled. Moreover suppose that there is at least a transition $e = (i, v, j) \in E$ with $h(e) \ne \epsilon$. The FSM associated with H is

$$M = (Q, Q_0, V, Y, h, E). \tag{3.16}$$

In this subsection, we assume for simplicity and without any loss of generality that $(i, v, j) \in E$ only if $i \ne j$. The first step consists in transforming M into an FSM $M^{(0)}$ with $pre(i) = \emptyset$ for each initial state i. Given the set $P = \{i \in Q_0 : pre(i) \ne \emptyset\}$, we split any state $i \in P$ into the pair of states i and g(i) by defining the injection $g : Q \to \mathbb{Z}$ where $g(i) = i$, $i \in Q \setminus P$, and $g(i) \in \mathbb{Z} \setminus Q$, $i \in P$. Hence, g(i) can assume an arbitrary value in $\mathbb{Z} \setminus Q$.

Algorithm 3.1
  procedure P0(M, M^(0))      Transforming M into an FSM M^(0) with pre(i) = ∅, for each i ∈ Q_0
    Q^(0) = Q ∪ {g(i), i ∈ P}
    Q_0^(0) = (Q_0 \ P) ∪ {g(i), i ∈ P}
    E^(0) = E ∪ {(g(i), v, j) : i ∈ P, (i, v, j) ∈ E}
    h^(0)(i) = h(i), i ∈ Q
    h^(0)(g(i)) = h(i), i ∈ P
    h^(0)(e) = h(e), e ∈ E
    h^(0)(e') = h(e), e' = (g(i), v, j), e = (i, v, j) ∈ E, i ∈ P
    return M^(0) = (Q^(0), Q_0^(0), V, Y, h^(0), E^(0))
  end procedure

We can suppose now without loss of generality that the FSM M defined in (3.16) is such that $pre(i) = \emptyset$ for all $i \in Q_0$. Following the procedure described, e.g. in [8], the FSM M can be transformed into a purely Moore FSM

$$M' = (Q', Q'_0, Y', h', E') \tag{3.17}$$

where all the available information is described by the function $h' : Q' \to Y'$ and $E' \subset Q' \times Q'$. Roughly speaking, such a procedure splits a state of the given FSM M into a number of states such that all the transitions ending in each of these new states share the same output symbol in V. The following algorithm precisely describes the procedure, taking as input the FSM M and giving as output the FSM (3.17). For a state $i \in Q \setminus Q_0$, we define the set of outputs $Y_i \subset Y$ where $a \in Y_i$ if and only if there exists $e = (j, \sigma, i) \in E$ with $h(e) = a$. The set $Y_i$ is such that $a \ne b$ for any two distinct elements $a, b \in Y_i$, and the symbol $\mu_i$ denotes $card(Y_i)$. Let $f : Q \to 2^{\tilde{Q}}$ be a point to set mapping, where

$$\tilde{Q} = \{i_k : i \in Q, \ k = 1, 2, \ldots, \bar{k}\}, \qquad \bar{k} = \max_{i \in Q} \mu_i$$

and

$$f(i) = \{i_k, \ k = 1, \ldots, \mu_i\}, \ i \in Q \setminus Q_0, \qquad f(i) = \{i\}, \ i \in Q_0.$$

For $s \in \tilde{Q}$, the symbol $f^{-1}(s)$ denotes the state i such that $s \in f(i)$. We include the symbol $\epsilon$ in Y by setting $Y = Y \cup \{\epsilon\}$ and define $Y' = \{a \circ b : a, b \in Y\}$. Then, the FSM $M'$ as in (3.17) will be returned by the following algorithm.

Algorithm 3.2
  procedure Mealy-to-Moore(M, M')
    initialize Q' = Q, Q'_0 = Q_0, E' = ∅, E'' = E
    for i ∈ Q \ Q_0 do
      Q' = (Q' \ {i}) ∪ f(i);
      E'' = E'' \ {e ∈ E'' : (e = (j, v, i)) ∨ (e = (i, v, j))};
      E'' = E'' ∪ {(j, v, i_k) : (j, v, i) ∈ E, k = 1, ..., μ_i};
      E'' = E'' ∪ {(i_k, v, j) : (i, v, j) ∈ E, k = 1, ..., μ_i};
    end for
    for i ∈ Q' \ Q'_0 do
      h'(i) = h(e) ∘ h(f^{-1}(i)), e = (j, v, i) ∈ E''
    end for
    for i ∈ Q'_0 do
      h'(i) = ε ∘ h(i)
    end for
    for e ∈ E'' do
      E' = E' ∪ {(i, j) : e = (i, v, j)}
    end for
    return M' = (Q', Q'_0, Y', h', E')
  end procedure

Figure 3.7 illustrates the first step of Algorithm 3.2. The resulting Moore FSM is depicted in Fig. 3.8.

Fig. 3.7 The Mealy FSM (left) is transformed into another Mealy FSM (right), by splitting the state 1

Fig. 3.8 The resulting Moore FSM
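As an added example (not the book's code), the following Python carries out the state splitting of Algorithm 3.2 on a constructed Mealy FSM: each non-initial state i gets one copy per symbol of $Y_i$, each incoming transition is routed to the copy of its output symbol (which is what the text says the split achieves), outgoing transitions are duplicated from every copy, and a Mealy execution is compared with its Moore counterpart. The FSM, the symbol names and the helper names are constructed for illustration; initial states are assumed to have no predecessors (Algorithm 3.1 already applied).

```python
# Added example, not the book's code: the state splitting of Algorithm 3.2.
from typing import Dict, List, Set, Tuple

EPS = "eps"                          # stands for the null event ε added to Y
MealyEdge = Tuple[str, str, str]     # (source, transition output v, target)
MooreOutput = Tuple[str, str]        # a ∘ b: transition output a, state output b


def mealy_to_moore(states: Set[str], initial: Set[str], h_state: Dict[str, str],
                   edges: List[MealyEdge]):
    """Return (Q', Q'_0, h', E') of the Moore FSM (3.17).
    Assumes initial states have no predecessors (Algorithm 3.1 already applied)."""
    y_in: Dict[str, Set[str]] = {i: set() for i in states}          # the sets Y_i
    for j, a, i in edges:
        if i in initial:
            raise ValueError(f"initial state {i} has a predecessor; apply Algorithm 3.1 first")
        y_in[i].add(a)
    # f(i): the copies of i, keyed by the incoming output symbol each copy collects
    f: Dict[str, Dict[str, str]] = {}
    for i in states:
        f[i] = {EPS: i} if i in initial else {a: f"{i}_{a}" for a in sorted(y_in[i])}
    q_prime = {copy for copies in f.values() for copy in copies.values()}
    q0_prime = set(initial)
    h_prime: Dict[str, MooreOutput] = {copy: (a, h_state[i])
                                       for i, copies in f.items() for a, copy in copies.items()}
    e_prime: Set[Tuple[str, str]] = set()
    for j, a, i in edges:
        for src in f[j].values():        # every copy of j keeps the outgoing transition
            e_prime.add((src, f[i][a]))  # ... and it enters the copy of i matching symbol a
    return q_prime, q0_prime, h_prime, e_prime


def mealy_observation(h_state: Dict[str, str], edges: List[MealyEdge],
                      path: List[str]) -> List[MooreOutput]:
    """Pairs observed along a Mealy execution: (ε, h(q0)), then (v, h(q)) per transition.
    Assumes at most one transition between any two states."""
    lookup = {(j, i): a for j, a, i in edges}
    out = [(EPS, h_state[path[0]])]
    for j, i in zip(path, path[1:]):
        out.append((lookup[(j, i)], h_state[i]))
    return out


def moore_observation(h_prime: Dict[str, MooreOutput], path: List[str]) -> List[MooreOutput]:
    """Output string of a Moore execution: the state outputs h'(q) in order."""
    return [h_prime[q] for q in path]


# Constructed Mealy FSM: state 1 is entered with both 'a' and 'b', so it is split.
STATES = {"0", "1", "2", "3"}
INITIAL = {"0"}
H_STATE = {"0": "p", "1": "q", "2": "r", "3": "s"}
EDGES: List[MealyEdge] = [("0", "a", "1"), ("0", "b", "2"), ("2", "b", "1"),
                          ("1", "a", "3"), ("3", "a", "1")]

if __name__ == "__main__":
    qp, q0p, hp, ep = mealy_to_moore(STATES, INITIAL, H_STATE, EDGES)
    print(sorted(qp))
    print(sorted(ep))
    print(mealy_observation(H_STATE, EDGES, ["0", "1", "3", "1"]))
    print(moore_observation(hp, ["0", "1_a", "3_a", "1_a"]))
```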


3.2.2 From Partially Visible to Fully Visible Output

In this section, we consider a Moore FSM

$$M = (Q, Q_0, Y, h, E), \tag{3.18}$$

where the initial state has no predecessors (if M does not satisfy this condition, Algorithm 3.1 can be applied). Let $Q_\epsilon$ be the set of silent states, i.e.

$$Q_\epsilon = \{q \in Q : h(q) = \epsilon\} \tag{3.19}$$

and suppose that any cycle has at least a state q with $h(q) \ne \epsilon$. In this section, we describe an algorithm for deriving an FSM $\hat{M}$ having no silent state and having the same set of output strings as the FSM M. We start by illustrating a simple procedure that, given M, returns an FSM $M' = (Q', Q'_0, Y, h, E')$ where $h(q) \ne \epsilon$, $\forall q \in Q'_0$. Thanks to Algorithm 3.1, we can assume without loss of generality that the initial states in $Q_0$ have no predecessors. In the procedure, when a state is removed from the state space, the transitions from that state are also removed, and for the sake of simplicity, this is not explicitly stated.

Algorithm 3.3
  procedure nosilentInitial(M, M')
    initialize M' = M
    while Q'_0 ∩ Q_ε ≠ ∅ do
      for i ∈ Q'_0 ∩ Q_ε do
        Q'_0 = (Q'_0 ∪ {j : (i, j) ∈ E'}) \ {i}
        Q' = Q' \ {i}
      end for
    end while
  end procedure

Therefore, we can assume without any loss of generality that there is no silent state in $Q_0$. Moreover, we assume that any sink state is not silent. By following the notation used, e.g. in [4], let

$$UR(w) \subset Q_\epsilon \tag{3.20}$$

be the unobservable reach of $w \in Q$, i.e. the set of states reached from $w \in Q$ with a silent execution. More precisely, $q \in UR(w)$ if there exists a finite state execution $\sigma \in \mathcal{Q}^+$ such that $\sigma(1) = w$, $\sigma(|\sigma|) = q$ and $h(\sigma) = h(w)$.

The FSM $\hat{M} = (\hat{Q}, \hat{Q}_0, Y, \hat{h}, \hat{E})$ is constructed as described in the following algorithm that, given M with $h(q) \ne \epsilon$ for all initial q, returns $\hat{M}$ with $\hat{h}(q) \ne \epsilon$, $\forall q \in \hat{Q}$. The details of Algorithm 3.4 are illustrated step by step by referring to the example depicted in Figs. 3.9, 3.10, 3.11, 3.12, and 3.13. In the description of the algorithm, when a state is removed from the state space, the transitions to and from that state are also removed, but this will not be explicitly said for the sake of simplicity.

Algorithm 3.4
  procedure nosilent(M, M̂)
    STEP 0        Returns an FSM where each state has either all silent or all nonsilent successors
    INITIALIZE
    STEP 1
    STEP 2
    STEP 3
    STEP 4
    return M̂
  end procedure

STEP 0 Split any $q \in Q_\epsilon$ into two states, $q'$ and $q''$, the former with only nonsilent successors and the latter with only silent successors. If q has only nonsilent successors, rename it as $q'$. The predecessors of $q'$, $q''$, and q are the same. Update M accordingly.

The given FSM M is shown in Fig. 3.9. The set of initial states is equal to {0, 1} and $Q_\epsilon = \{2, 8\}$. The cyan state 7 belongs to $Q_\infty$. The set $Q_0 \cup Q_p \cup reach(Q_\infty)$ is the one inside the dashed line. Figure 3.10 shows the updated FSM. The state $2 \in Q_\epsilon$ has been replaced by the pair of states $2'$, with nonsilent successor 3, and $2''$, with the silent successor 8. The state 8 has only nonsilent successors, and therefore it has been renamed $8'$; $pre(2') = pre(2'') = \{1\}$.

INITIALIZE Let $\hat{M} = M$. Let $Q_F \subset Q \setminus Q_\epsilon$ be the set of nonsilent states with at least a silent successor and let $Q_L \subset Q_\epsilon$ be the set of silent states with no silent successor. In Fig. 3.10, which represents also the FSM $\hat{M}$, the set $Q_F$ is equal to {1, 9} and $Q_L = \{2', 8'\}$.

STEP 1 Split any $q \in Q_L$ into $|Q_F|$ states: i.e. in $\hat{Q}$ the set $Q_L$ is removed and replaced by the set $\{q_w, \ q \in Q_L, \ w \in Q_F\}$. If $w \in Q_0$, then $q_w \in \hat{Q}_0$. Therefore,

$$\hat{Q} = (Q \setminus Q_L) \cup \{q_w, \ q \in Q_L, \ w \in Q_F\}, \qquad \hat{Q}_0 = Q_0 \cup \{q_w, \ q \in Q_L, \ w \in Q_0\}.$$

Moreover, $\hat{h}(q_w) = h(w)$, $\forall q \in Q_L$, $\forall w \in Q_F$. Figure 3.11 shows the FSM $\hat{M}$ obtained after STEP 1. The states $2'$ and $8'$ have been removed and substituted by the sets of states $\{2_1, 2_9\}$ and $\{8_1, 8_9\}$, respectively. The set of initial states $\hat{Q}_0$ is equal to $\{0, 1, 2_1, 8_1\}$, and this is represented in Fig. 3.11 with an input arrow to states $2_1$ and $8_1$.

STEP 2
  for q ∈ Q_L do
    for w ∈ Q_F do
      if q is reached from w with a silent execution of M then q_w ∈ Q̂
      otherwise remove q_w from the state space Q̂.
    end for
  end for

The given FSM M has been updated in STEP 0, and this updated M is the one to be considered in the current STEP 2. In our running example, the state $2_9$ (see Fig. 3.11) can be removed, because in M (see Fig. 3.10) there is no silent execution starting from 9 and ending in $2'$, i.e. $2' \notin UR(9)$.

STEP 3 For $q_w \in \hat{Q}$, $\hat{E}$ is updated in such a way that

$$succ_{\hat{M}}(q_w) = succ(q) \cup \{z_j \in \hat{Q} : j \in succ(q)\} \tag{3.21}$$

and

$$pre_{\hat{M}}(q_w) = (pre(w) \cap (Q \setminus Q_\epsilon)) \cup \{z_j \in \hat{Q} : z \in pre(w) \cap Q_\epsilon\} \tag{3.22}$$

where, to avoid ambiguities, the operators succ and pre, without subscript, are related to the FSM M and $succ_{\hat{M}}$ and $pre_{\hat{M}}$ denote the same operators succ

and pre related to the FSM $\hat{M}$. Given $q_w$, if $w \in succ(q)$, then $(q_w, q_w) \in \hat{E}$. Figure 3.12 depicts $\hat{M}$ after STEP 3. In the running example

$$succ_{\hat{M}}(q_w) = succ(q) \tag{3.23}$$

because for all the states $q \in Q_L$, $succ(q) \cap Q_F = \emptyset$. Therefore, in Eq. (3.21)

$$\{z_j \in \hat{Q} : j \in succ(q)\} = \emptyset.$$

In fact, for a given q, the set $\{z_j \in \hat{Q} : j \in succ(q)\}$ takes into account the case of $succ(q) \cap Q_F \ne \emptyset$, and hence the states $z_j$ that can be reached with a silent execution of M starting from a successor of q must be considered in the definition of $succ_{\hat{M}}(q_w)$. Similarly, in the running example

$$pre_{\hat{M}}(q_w) = pre(w) \tag{3.24}$$

because, for all the states $q_w \in \{2_1, 8_1, 8_9\}$, $pre(w)$ is a subset of $Q \setminus Q_\epsilon$ and hence $pre(w) \cap Q_L = \emptyset$. In fact, for a given $w \in Q_F$, the set $\{z_j \in \hat{Q} : z \in pre(w) \cap Q_\epsilon\}$ takes into account the case of silent predecessors of w in the FSM M. Therefore, the states $z_j$ (see STEP 1) must be considered in the definition of $pre_{\hat{M}}(q_w)$.

STEP 4 Remove all sink states belonging to $Q_F$ and all silent states from the state space $\hat{Q}$. Figure 3.13 shows the resulting FSM with no silent states, after STEP 4.

The example described in Figs. 3.14, 3.15, 3.16, and 3.17 shows the application of formulas (3.21) and (3.22).

Fig. 3.14 The given FSM M. $Q_F = \{2, 4\}$ and $Q_L = \{3, 5\}$ (1/4)

We now analyze the relationship between the FSM M and the FSM $\hat{M}$. Given the FSM M, any state execution $\sigma \in \mathcal{Q}$ can be written as the composition of executions with the following structure:

Fig. 3.15 The FSM $\hat{M}$ after STEP 1 (2/4)

Fig. 3.16 The FSM $\hat{M}$ after STEP 3. The red dashed arrows represent the transitions defined by formulas (3.21) and (3.22) (3/4)

Fig. 3.17 The FSM $\hat{M}$ after STEP 4. The sink state $2 \in Q_F$ has been removed (4/4)

$$\sigma \circ \sigma' \in \mathcal{Q}^+ \tag{3.25}$$

where $\sigma' \in \mathcal{Q}^+$, with $|\sigma'| \ge 0$, is a silent execution and $\sigma \in \mathcal{Q}^+$, with $|\sigma| \ge 1$, is an execution with all nonsilent states. Suppose $|\sigma'| > 0$. Let $\sigma = \sigma(1) \ldots \sigma(p)$ and $\sigma' = \sigma'(1) \ldots \sigma'(s)$. Then, if $p > 1$, to each execution of M

$$\sigma \circ \sigma' = \sigma(1) \ldots \sigma(p-1)\,\sigma(p)\,\sigma'(1) \ldots \sigma'(p) \tag{3.26}$$

corresponds in $\hat{M}$ an execution

$$\sigma(1) \ldots \sigma(p-1)\,(\sigma'(p))_{\sigma(p)} \tag{3.27}$$

where the symbol $(\sigma'(p))_{\sigma(p)}$ encodes the fact that in the given execution $\sigma$, the state $\sigma'(p)$ has a nonsilent successor, and there is a silent execution of M which starts from the state $\sigma(p)$ and reaches the state $\sigma'(p)$. If $p = 1$, to the execution

$$\sigma \circ \sigma' = \sigma(p)\,\sigma'(1) \ldots \sigma'(p) \tag{3.28}$$

corresponds in $\hat{M}$ the state execution

$$(\sigma'(p))_{\sigma(p)}. \tag{3.29}$$

The output symbols associated with $\sigma(1) \ldots \sigma(p-1)$ remain the same in (3.26) and (3.27), and the output associated with $(\sigma'(p))_{\sigma(p)}$ is equal to the output associated with $\sigma(p)$. The case $|\sigma'| = 0$ can be easily understood by considering our running example. In fact, given M represented in Fig. 3.9, the state execution $\sigma$ = 1-9-8-7-(6-5) can be partitioned as follows:

$\sigma$ = (1-9-8) ∘ (7-(6-5))

where each of the two executions corresponds to an execution as in (3.25), the former with $|\sigma'| > 0$, the latter with $|\sigma'| = 0$. The corresponding state execution of $\hat{M}$ is

$\hat{\sigma}$ = 1-$8_9$-7-(6-5)

where $8_9$ is the same as $8'_9$, because the state 8 in M has all nonsilent successors. Notice that the partition of $\sigma$ is not unique: in fact, we can also write $\sigma$ = (1-9-8) ∘ (7) ∘ (6-5). However, $\sigma$ = (1-9) ∘ (8-7-(6-5)) is not allowed, because in (3.25) we require $|\sigma| \ge 1$, and this condition is not satisfied by the execution 8-7-(6-5). In the running example, let us now consider the state execution $\sigma$ = 1-2-8-7-(6-5) $\in \mathcal{Q}$, written as

$\sigma$ = ((1) ∘ (2-8)) ∘ (7-(6-5))

where (2-8) is a silent execution. This is the case of $p = 1$. In fact, the state execution corresponding to $\sigma$ in $\hat{M}$ is

$\hat{\sigma}$ = $8_1$-7-(6-5)

where $8_1$ is the same as $8'_1$, because the state 8 in M has all nonsilent successors, and $8_1$ has been labeled "initial state". Obviously, any execution of M with all nonsilent states is mapped into an identical execution of $\hat{M}$. This situation is represented by the condition $|\sigma'| = 0$ in (3.25).

Algorithm 3.4 associates to a given FSM M a unique $\hat{M}$. Hence, we can introduce the function $\mathcal{V}$ such that

$$\mathcal{V}(M) = \hat{M} = (\hat{Q}, \hat{Q}_0, Y, \hat{h}, \hat{E}). \tag{3.30}$$

Moreover, Algorithm 3.4 defines a point to set mapping

$$\zeta : Q \to 2^{\hat{Q}} \tag{3.31}$$

which establishes the relationship between states of M and states of $\hat{M}$. In the running example described in Fig. 3.9, $Q = \{0, 1, \ldots, 9\}$,

$$\hat{Q} = \{0, 1, 2_1, 3, 4, 5, 6, 7, 8_1, 8_9\}$$

and the mapping $\zeta$ is defined as follows:

$$\zeta(i) = \{i\}, \ i = 0, 3, 4, 5, 6, 7, \qquad \zeta(1) = \{1, 2_1, 8_1\}, \qquad \zeta(2) = \zeta(8) = \emptyset, \qquad \zeta(9) = \{8_9\}.$$

Let $\mathbf{h}$ be the function defined in (3.7). Similarly, let $\hat{\mathbf{h}}$ be the corresponding function that associates the output string to the string representing a state execution of $\hat{M} = \mathcal{V}(M)$. The symbol $\hat{\mathcal{Q}}$ denotes the set of state executions of $\mathcal{V}(M)$ starting in the initial set $\hat{Q}_0$. The discussion above leads to the following relationship between the FSM M and the FSM $\mathcal{V}(M)$:

Proposition 3.3 (i) For any state execution $\sigma \in \mathcal{Q}$ of M, there exists a state execution $\hat{\sigma} \in \hat{\mathcal{Q}}$ of $\mathcal{V}(M)$ such that $\mathbf{h}(\sigma) = \hat{\mathbf{h}}(\hat{\sigma})$. Conversely, for any state execution $\hat{\sigma} \in \hat{\mathcal{Q}}$, there exists a set $\mathcal{Q}' \subset \mathcal{Q}$ such that $\mathbf{h}(\sigma) = \hat{\mathbf{h}}(\hat{\sigma})$, $\forall \sigma \in \mathcal{Q}'$.
(ii) There exists a point to set mapping $\zeta : Q \to 2^{\hat{Q}}$ such that
– $\zeta(q) = \{q\}$, if $h(q) \ne \epsilon$ and $h(q') \ne \epsilon$, $\forall q' \in succ(q)$;
– $\zeta(q) = \emptyset$, if $h(q) = \epsilon$ and $h(q') \ne \epsilon$, $\forall q' \in succ(q)$;
– $\zeta(q) \subset \hat{Q}$ in all the other cases.

Proof The statements are true by construction of $\hat{M}$. In particular, the silent states removed at the last step of Algorithm 3.4 correspond to states of M which are reached from a silent state and have only silent successors. A sink state removed at the same step corresponds to a nonsilent state of M with only silent states as successors. □

In the next Chap. 4, the relation between the observability properties of M and $\mathcal{V}(M)$ will be established. Finally, we analyze the complexity of Algorithm 3.4.

Proposition 3.4 The space and time complexity of Algorithm 3.4 is $o(N^3)$.

Proof (Sketch) After the execution of STEP 0, the number of states in Q is less than 2N, where N is the original number of states of Q. After STEP 1, the cardinality of $\hat{Q}$ is bounded by $4N^2$. The effort in checking the condition at STEP 2, i.e. whether q is reached from w with a silent execution of M, is linear in the maximal length of a silent string (recall that by assumption there are no silent cycles in M, and hence such maximal length is less than N), and the statement follows. □
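As an added example (not code from the book), the following Python computes the unobservable reach $UR(w)$ of (3.20), the sets $Q_F$ and $Q_L$ of INITIALIZE, the membership test of STEP 2 of Algorithm 3.4, and checks the standing assumption that no cycle of M is entirely silent. The Moore FSM is constructed for illustration and is not the one of Fig. 3.9; the helper names are the example's own.

```python
# Added example, not the book's code: UR(w) of (3.20), the sets Q_F and Q_L, the
# STEP 2 test of Algorithm 3.4, and a check that no cycle is entirely silent.
from typing import Dict, FrozenSet, Hashable, List, Set, Tuple

EPS = "eps"   # the null event ε: state q is silent iff h[q] == EPS


def successors(edges) -> Dict[Hashable, List[Hashable]]:
    succ: Dict[Hashable, List[Hashable]] = {}
    for i, j in edges:
        succ.setdefault(i, []).append(j)
    return succ


def unobservable_reach(w, h: Dict, edges) -> FrozenSet:
    """UR(w): silent states q reached from w by an execution whose states after w
    are all silent (w itself belongs to UR(w) only when w is silent)."""
    succ = successors(edges)
    seen: Set = set()
    frontier: List = [w]
    while frontier:
        for nxt in succ.get(frontier.pop(), []):
            if h[nxt] == EPS and nxt not in seen:    # never expand past a nonsilent state
                seen.add(nxt)
                frontier.append(nxt)
    if h[w] == EPS:
        seen.add(w)
    return frozenset(seen)


def step2_keep(q, w, h: Dict, edges) -> bool:
    """STEP 2 of Algorithm 3.4: the split state q_w survives iff q ∈ UR(w)."""
    return q in unobservable_reach(w, h, edges)


def initialize_sets(h: Dict, edges) -> Tuple[Set, Set]:
    """INITIALIZE: Q_F = nonsilent states with at least a silent successor,
    Q_L = silent states with no silent successor."""
    succ = successors(edges)
    silent_next = {q: any(h[s] == EPS for s in succ.get(q, [])) for q in h}
    q_f = {q for q in h if h[q] != EPS and silent_next[q]}
    q_l = {q for q in h if h[q] == EPS and not silent_next[q]}
    return q_f, q_l


def has_silent_cycle(h: Dict, edges) -> bool:
    """True iff some cycle of M consists only of silent states; such an FSM
    violates the assumption of this section (a silent execution could loop forever)."""
    silent_succ = successors([(i, j) for i, j in edges if h[i] == EPS and h[j] == EPS])
    WHITE, GREY, BLACK = 0, 1, 2
    color = {q: WHITE for q in h if h[q] == EPS}

    def dfs(q) -> bool:          # a GREY successor closes a cycle inside Q_ε
        color[q] = GREY
        for nxt in silent_succ.get(q, []):
            if color[nxt] == GREY or (color[nxt] == WHITE and dfs(nxt)):
                return True
        color[q] = BLACK
        return False

    return any(color[q] == WHITE and dfs(q) for q in list(color))


# Constructed Moore FSM (not the book's Fig. 3.9): 2 and 3 are the silent states.
H = {0: "a", 1: "b", 2: EPS, 3: EPS, 4: "a", 5: "b", 6: "a"}
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (1, 6)]

if __name__ == "__main__":
    print("UR(1) =", sorted(unobservable_reach(1, H, EDGES)))
    print("Q_F, Q_L =", initialize_sets(H, EDGES))
    print("silent cycle:", has_silent_cycle(H, EDGES))
```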

3.3 Notes and Further Reading

In this chapter, traps were defined for a hybrid system with uncontrolled discrete transitions. In the case where some transitions may be due to a control action, the definition of trap must be modified accordingly. For example, in Fig. 3.18 let the dwell time be finite for any state and the dashed line represent a controlled transition. Then it is easy to see that the strongly connected component with discrete states {2, 3} is not a trap, the strongly connected component with discrete state {4} is a trap, and the FSM associated with the singleton {3} is a trap. If all the transitions were uncontrolled, the traps would be {4} and {2, 3}.

Fig. 3.18 A strongly connected component is not in general a trap, because of controlled transitions

In verifying the properties of a hybrid system, complexity reduction can be obtained by finding a system that is "equivalent" to the original one with respect to those properties, but that is "simpler" to analyze. A powerful tool for complexity reduction is bisimulation equivalence, introduced in [12, 15]. Extensions of the notion of bisimulation to continuous and hybrid systems were explored in a number of papers (e.g. [1, 5, 7, 9, 10, 13, 14, 16]). If two systems are bisimilar, then the so-called sequence properties [11], such as reachability and safety, are preserved. Using the concept of traps, it is possible to reduce the complexity of verification problems that involve checking whether a property, which may be more general than a sequence property, e.g. stabilizability, observability, or detectability, holds for a hybrid system. For an in-depth analysis of the use of traps for general hybrid systems, the reader is referred to [3], where the structure of the FSM associated with the hybrid system and the characteristics of the subsystems corresponding to the nodes of the FSM are exploited to simplify verification of asymptotic properties such as stabilizability. The interested reader can find a vast literature on the transformation from a Mealy to a Moore FSM. We cited [8] as one of the most recent papers on this topic.

As for the transformation of the given FSM into an "output equivalent" FSM with no silent states, a similar transformation can be obtained by constructing a state observer of the given FSM [2], but the number of states of the observer can grow exponentially. Following our procedure, the maximal number of states of the transformed FSM is bounded by $N^3$, where N is the number of states of the original FSM.


References

1. Alur R, Henzinger T, Lafferriere G, Pappas G (2000) Discrete abstractions of hybrid systems. Proc IEEE 88(2):971–984
2. Cassandras CG, Lafortune S (1999) Introduction to discrete event systems. Kluwer Academic Publishers, Dordrecht
3. De Santis E, Di Benedetto MD (2013) Theory and computation of discrete state space decompositions for hybrid systems. Eur J Control 19:1–10
4. Hadjicostis CN (2020) Estimation and inference in discrete event systems. A model-based approach with finite automata. Communications and control engineering. Springer International Publishing, Berlin
5. Haghverdi E, Tabuada P, Pappas GJ (2005) Bisimulation relations for dynamical, control and hybrid systems. Theor Comput Sci 342(2–3):229–261
6. Harary F (1969) Graph theory. Addison-Wesley, Boston
7. Henzinger TA (1995) Hybrid automata with finite bisimulations. Lecture notes in computer science, vol 944, pp 324–335
8. Klimovich AS, Solovev VV (2010) Transformation of a Mealy finite-state machine into a Moore finite-state machine by splitting internal states. J Comput Syst Sci Int 49:900–908
9. Lafferriere G, Pappas GJ, Sastry S (1999) Hybrid systems with finite bisimulations. Lecture notes in computer science, vol 1567, pp 186–203
10. Lafferriere G, Pappas GJ, Sastry S (2000) O-minimal hybrid systems. Math Control Signals Syst 13:1–21
11. Manna Z, Pnueli A (1992) The temporal logic of reactive and concurrent systems: specification. Springer, Berlin
12. Milner R (1989) Communication and concurrency. Prentice Hall
13. Pappas GJ (2003) Bisimilar linear systems. Automatica 39(12):2035–2047
14. Pappas GJ (2004) Bisimilar control affine systems. Syst & Control Lett 52:49–58
15. Park DMR (1981) Concurrency and automata on infinite sequences. Lecture notes in computer science, vol 104, pp 167–183
16. Tabuada P, Pappas GJ, Lima P (2002) Composing abstractions of hybrid systems. Lecture notes in computer science, vol 2289, pp 436–450
17. Zielonka W (1998) Infinite games on finitely coloured graphs with applications to automata on infinite trees. Theor Comput Sci 200:135–183

Chapter 4

Observability, Diagnosability, and Predictability of Finite State Machines

In this chapter, we refer to the discrete structure of the H-system to define and characterize observability, diagnosability, and predictability of a Finite State Machine (FSM). Observability corresponds to the reconstruction of the system's discrete state, while diagnosability and predictability correspond to the possibility of determining the past and the future occurrence, respectively, of some particular states, on the basis of the observations. Observability, diagnosability, and predictability are defined with respect to a critical set, i.e. a set of discrete states representing a set of interest, for example a set of faults, or an unsafe set. Those properties are characterized in terms of set membership. In addition, the diagnosability conditions provide an estimation of the delay required for the detection of a critical state, while the predictability conditions provide an upper bound for the prediction horizon.

4.1 Observability of M

In this section, current location observability and critical observability are defined and characterized for an FSM.

4.1.1 Definitions

Given the H-system H, consider the associated FSM introduced in Chap. 2, Eq. (2.5), $M = (Q, Q_0, Y, h, E)$. Equation (3.1) establishes a relation between the state evolution in time of the H-system H and the event-based evolution of M, Eqs. (3.5) and (3.6) define the set of all state executions $\mathcal{Q}^+$ and the set of initialized state executions $\mathcal{Q}$, and Eq. (2.48) defines the discrete component of the output. Then, by using the notation introduced in those equations, we can write

$$h(\sigma(k)) = h(q(t_{k-1})) = y_d(t_{k-1}). \tag{4.1}$$

© Springer Nature Switzerland AG 2023 E. De Santis and M. D. Di Benedetto, H-Systems, Communications and Control Engineering, https://doi.org/10.1007/978-3-031-20447-0_4

We first define the property of current location observability by which, after a finite number of steps, the discrete state of the FSM can be identified from the knowledge of the output sequence.

Definition 4.1 An alive FSM M is current location observable if there exists $k \in \mathbb{N}$ such that, for any infinite string $\sigma \in \mathcal{Q}$,

$$\sigma|_{[k, k+p]} = \hat{\sigma}|_{[|\hat{\sigma}| - p, |\hat{\sigma}|]}$$

for any $p \in \mathbb{N}$ and for any string $\hat{\sigma} \in \mathbf{h}^{-1}\left(\mathbf{h}\left(\sigma|_{[k, k+p]}\right)\right) \cap \mathcal{Q}$.

In the more general case where liveness is not required, the previous definition becomes as follows:

Definition 4.2 Given an FSM M, let $\widetilde{\mathcal{Q}}$ be the set of strings $\sigma \in \mathcal{Q}$ that are infinite or end in a sink state. M is current location observable if there exists $k \in \mathbb{N}$ such that, for any string $\sigma \in \widetilde{\mathcal{Q}}$,

$$\sigma|_{[k_\sigma, k_\sigma + p]} = \hat{\sigma}|_{[|\hat{\sigma}| - p, |\hat{\sigma}|]}$$

for some $k_\sigma \le k$, for any $p \in \mathbb{N}$ with $0 \le p < |\sigma| + 1 - k_\sigma$, and for any string $\hat{\sigma} \in \mathbf{h}^{-1}\left(\mathbf{h}\left(\sigma|_{[k_\sigma, k_\sigma + p]}\right)\right) \cap \mathcal{Q}$.

A different notion arises when we require to identify the location only if it belongs to a specific set of states, but we ask for this identification to happen in zero time. Location observability is in this case called critical, to comply with the terminology introduced in [10] where, in the framework of Air Traffic Management, the specific states to be detected represent unsafe or dangerous behaviors of the system.

Definition 4.3 An FSM M is critically {i}-observable, with $i \in Q$, if for any string $\sigma \in \mathcal{Q}$ and for any $k \in \mathbb{N}$, with $1 \le k < |\sigma| + 1$, whenever $\sigma(k) = i$,

$$\hat{\sigma}(|\hat{\sigma}|) = i$$

for any string $\hat{\sigma} \in \mathbf{h}^{-1}\left(\mathbf{h}\left(\sigma|_{[1, k]}\right)\right) \cap \mathcal{Q}$. If M is critically {i}-observable $\forall i \in Q$, then it is called critically location observable.

Figure 4.1 shows an example of a current location observable FSM, which is critically {i}-observable for i = 3, 5, 6, but which is not critically location observable. Figure 4.2 shows an example of a critically location observable FSM.


4.1.2 Indistinguishability Notions. The Sets $S^*$ and $B^*(\Sigma)$

In this subsection, we assume that the set of outputs does not contain the null event $\epsilon$:

Assumption 4.1 $\epsilon \notin Y$.

Given the FSM $M = (Q, Q_0, Y, h, E)$, define the sets

$$\Pi = \{(i, j) \in Q \times Q : h(i) = h(j)\} \tag{4.2}$$

and

$$\Theta = \{(i, j) \in Q \times Q : i = j\} \subset \Pi. \tag{4.3}$$

By definition, the set $\Pi$ and all its subsets are symmetric, i.e.

$$(i, j) \in \Pi \iff (j, i) \in \Pi. \tag{4.4}$$

Fig. 4.1 A current location observable FSM, which is critically {i}-observable for i = 3, 5, 6

Fig. 4.2 A critically location observable FSM


For a set $\Gamma \subset Q \times Q$, the symbol $\Gamma^s$ denotes the symmetric closure of $\Gamma$. For $i \in Q$, we denote by

$$\mathcal{Q}_{\{i\}} \subset \mathcal{Q}^+ \tag{4.5}$$

the subset of finite executions with last state equal to i (i.e. ending in state i), and by

$$\mathcal{Q}^{\{i\}} \subset \mathcal{Q}^+ \tag{4.6}$$

the subset of trajectories with initial state equal to i. Moreover, for a given $\Psi \subset Q$, $\mathcal{Q}^{\Psi}$ denotes the subset of trajectories of $\mathcal{Q}^+$ with $\sigma(1) \in \Psi$. We will refer to the following indistinguishability notions.

Definition 4.4 Two state trajectories $\sigma_1$ and $\sigma_2$ in $\mathcal{Q}^+$ are called indistinguishable if $\mathbf{h}(\sigma_1) = \mathbf{h}(\sigma_2)$. The pair $(i, j) \in \Sigma \subset \Pi$ is k-backward indistinguishable in $\Sigma$ if there exist $\sigma_1 \in \mathcal{Q}_{\{i\}}$ and $\sigma_2 \in \mathcal{Q}_{\{j\}}$ such that $|\sigma_1| = |\sigma_2| = k$, $(\sigma_1(h), \sigma_2(h)) \in \Sigma$, $\forall h \in [1, k]$, and $\mathbf{h}(\sigma_1) = \mathbf{h}(\sigma_2)$. The pair $(i, j) \in \Pi$ is called backward indistinguishable if it is k-backward indistinguishable $\forall k \in \mathbb{N}$, $k \ge 1$.

Note that in Definition 4.4, $k \ge 1$ because no pair belonging to $\Pi$ may be 0-distinguishable. The following subsets of $\Pi$ will be instrumental in characterizing the observability properties described in Definitions 4.1 and 4.3.

• $S^* \subset \Pi$: set of pairs of states reachable from $Q_0$ with two indistinguishable state trajectories;
• $B^*(\Sigma) \subset \Sigma \subset \Pi$: set of backward indistinguishable pairs in $\Sigma$, for a given set $\Sigma \subset \Pi$.

In the following subsections, we will formally define the above sets and give algorithms for their computation. We will prove that the computation of these sets has polynomial complexity in the state cardinality |Q|. In fact the sets $S^*$, $B^*(\Sigma)$ are computed as fixed points of appropriate recursions, whose convergence is assured after a number of steps denoted by $s^*$ and $b^*$, both upper bounded by $|Q|^2$. For the sake of clarity, we first give a simple example where the sets defined above can be determined by inspection.

Example 4.1 Consider the FSM depicted in Fig. 4.3, with $Q_0 = \{1, 6\}$. It is easily seen that

$$S^* = \{(1, 6), (2, 5)\}^s \cup \Theta$$

$$B^*(\Pi) = \{(2, 5), (3, 4), (3, 9), (4, 9)\}^s \cup \left(\Theta \setminus \{(1, 1), (6, 6), (7, 7), (8, 8)\}\right). \ □$$

4.1 Observability of M

Fig. 4.3 FSM M (Example 4.1) [figure: state diagram of states 1–9 with output labels a, b, c]

4.1.2.1 The Set S∗

The set S∗ can be formally defined as follows:

Definition 4.5 The set S∗ is the maximal set of pairs (i, j) ∈ Π such that there exist two indistinguishable state executions $\sigma_1 \in Q_{\{i\}} \cap Q^{Q_0}$ and $\sigma_2 \in Q_{\{j\}} \cap Q^{Q_0}$.

The set S∗ can be computed as follows. Define the recursion, with k = 1, 2, ...

$$S_{k+1} = \{(i,j) \in \Pi : (\mathrm{pre}(i) \times \mathrm{pre}(j)) \cap S_k \neq \emptyset\} \cup S_k \qquad (4.7)$$

where S1 = (Q0 × Q0) ∩ Π.

Proposition 4.1 Consider Eq. (4.7). Then, (i) Sk is the set of pairs (i, j) in Π such that there exist two indistinguishable state executions $\sigma_1 \in Q_{\{i\}} \cap Q^{Q_0}$ and $\sigma_2 \in Q_{\{j\}} \cap Q^{Q_0}$, with |σ1| = |σ2| ≤ k; (ii) the least fixed point of the recursion, containing (Q0 ×  Q0) ∩ Π, exists, is unique, and is equal to S∗; (iii) the recursion reaches the fixed point S∗ in at most s∗ < |Q|² steps.

Proof Statement (i) is true by definition. The set Π is a fixed point of the recursion and the intersection of fixed points is a fixed point. Therefore, the least fixed point containing (Q0 × Q0) ∩ Π exists and is unique. Let Ŝ denote such a fixed point. Then

$$\hat S = \{(i,j) \in \Pi : (\mathrm{pre}(i) \times \mathrm{pre}(j)) \cap \hat S \neq \emptyset\} \cup \hat S$$

and hence {(i, j) ∈ Π : (pre(i) × pre(j)) ∩ Ŝ ≠ ∅} ⊂ Ŝ. Suppose that Sk ⊂ Ŝ. Then, Sk+1 is a subset of {(i, j) ∈ Π : (pre(i) × pre(j)) ∩ Ŝ ≠ ∅} ∪ Sk ⊂ Ŝ. Since S1 ⊂ Ŝ, then, by induction, Sk ⊂ Ŝ, ∀k = 1, 2, .... If Sk+1 = Sk for some k then Sk+i = Sk, ∀i ≥ 0, and hence Sk is a fixed point. But a finite k such that Sk+1 = Sk exists because of the finite cardinality of Π. Let k̂ be the minimum value of k such that Sk+1 = Sk. It is clear that k̂ is bounded by the number of unordered pairs in Π. Hence, k̂ ≤ |Q|(|Q| − 1)/2. Therefore, $S_{\hat k} = \hat S$. The fact that $S^* = S_{\hat k}$ comes from the maximality of S∗ (see Definition 4.5), and the statements (ii) and (iii) are proved. □

Let nk = |Sk|, p = |Π|, and ν = max_{i∈Q} |pre(i)|. Then, at step k + 1, the algorithm involves at most ν²(p − nk) nk elementary computations, where an elementary computation is: given (i, j) ∈ Π \ Sk and the pair (i′, j′) ∈ pre(i) × pre(j), check whether (i′, j′) ∈ Sk. Since ν²(p − nk) nk ≤ ν²|Q|⁴, the algorithm will stop after at most 2ν²|Q|⁴ ln|Q| elementary computations. Hence, the spatial complexity is o(|Q|²) and the time complexity is o(|Q|⁵). Similar considerations on complexity hold for all the algorithms that will be described in the following sections.

4.1.2.2 The Set B∗(Σ)

Given Σ ⊂ Π, the set B∗(Σ) can be formally defined as follows:

Definition 4.6 The set B∗(Σ) is the maximal set of pairs (i, j) ∈ Σ which are k-backward indistinguishable in Σ, ∀k ∈ N, k ≥ 1.

For the sake of simplicity, if Σ = Π the set B∗(Σ) is denoted by B∗. Define the recursion, with k = 1, 2, ...,

$$B_{k+1}(\Sigma) = \{(i,j) \in B_k(\Sigma) : (\mathrm{pre}(i) \times \mathrm{pre}(j)) \cap B_k(\Sigma) \neq \emptyset\} \qquad (4.8)$$

where

$$B_1(\Sigma) = \Sigma. \qquad (4.9)$$

Proposition 4.2 Consider Eq. (4.8). Then, (i) Bk(Σ) is the set of all k-backward indistinguishable pairs in Σ;

(ii) if B∗(Σ) ≠ ∅, then the maximal fixed point of the recursion (4.8), contained in Σ, is unique, nonempty, and is equal to B∗(Σ). Otherwise ∃k < |Q|² such that Bk(Σ) = ∅; (iii) if B∗(Σ) ≠ ∅, the recursion reaches its maximal fixed point in b∗ < |Q|² steps.

Proof Statement (i) is true by definition of k-backward indistinguishable pairs, since Σ ⊂ Π. Suppose that B∗(Σ) ≠ ∅. Then, B∗(Σ) ⊂ Bk(Σ), ∀k = 1, 2, ..., and it is a fixed point of the recursion (4.8). The union of fixed points in Σ is a fixed point and hence the maximal fixed point of the recursion is contained in Σ, is nonempty, and is unique. Let B̂ be such fixed point. Then ∀(i, j) ∈ B̂, (pre(i) × pre(j)) ∩ B̂ ≠ ∅. Suppose that B̂ ⊂ Bk(Σ). Then B̂ ⊂ Bk+1(Σ). Since B̂ ⊂ B1(Σ), then, by induction, B̂ ⊂ Bk(Σ), ∀k = 1, 2, .... Moreover, Bk+1(Σ) ⊂ Bk(Σ), ∀k = 1, 2, .... If Bk+1(Σ) = Bk(Σ) for some k then Bk+i(Σ) = Bk(Σ), ∀i ≥ 0, and hence Bk(Σ) is a fixed point. But a finite k such that Bk+1(Σ) = Bk(Σ) exists because of the finite cardinality of Π. Let k̂ be the minimum value of k such that Bk+1(Σ) = Bk(Σ). Since $\hat B \subset B_{\hat k}(\Sigma) \subset \hat B$, then $B_{\hat k}(\Sigma) = \hat B$. It is clear that k̂ is bounded by the number of unordered pairs in Π. Hence k̂ ≤ |Q|(|Q| − 1)/2. The fact that $B^*(\Sigma) = B_{\hat k}(\Sigma)$ comes from the definition of the set B∗(Σ). If B∗(Σ) = ∅, then by definition of recursion (4.8) there exists k such that Bk(Σ) = ∅. The statements (ii) and (iii) are therefore proved. □

In what follows, we set

$$b^* = \min\{b : B^*(S^*) = B_b(S^*)\} \qquad (4.10)$$

which is a well-defined finite nonnegative value. The set of persistent states Qp, as in Definition 3.5, is related to the set of backward indistinguishable pairs in B∗(Θ) as follows:

Proposition 4.3 Qp = {i ∈ Q : (i, i) ∈ B∗(Θ)}.

4.1.3 Characterization of Current and Critical Location Observability of M

In this subsection, we characterize current location observability and critical location observability of the FSM M in terms of set membership. This characterization has the advantage of being very simple and of paving the way to the solution of related problems, such as, for example, complexity reduction in observer design. A necessary condition for current location observability of M is given in the following:

Proposition 4.4 M is current location observable only if h(i) is not the null event, for all persistent states i ∈ Qp.

In a similar way, by recalling Eq. (3.20), a necessary condition for critical observability is given in the following:

Proposition 4.5 M is critically {i}-observable, i ∈ Q, only if h(i) is not the null event and UR(i) = {i}.

The statements of Propositions 4.4 and 4.5 recast the properties established in [1] in the current framework. Their proofs are straightforward and are therefore omitted. As shown in Chap. 3, by using Algorithm 3.4 of Sect. 3.2.2, the FSM M = (Q, Q0, Y, h, E) can be transformed into an FSM V(M) = M̃ = (Q̃, Q̃0, Y, h̃, Ẽ) such that h̃(i) is not the null event for all states i ∈ Q̃. Then, under the necessary condition stated in Proposition 4.4 for M, the following result can be established:

Proposition 4.6 Suppose that M is such that h(i) is not the null event for all states i ∈ Qp. Then M is current location observable if and only if the FSM V(M) derived from M by Algorithm 3.4 is current location observable.

Proof By Proposition 3.3 and the discussion in Sect. 3.2.2, after Algorithm 3.4, the result follows. □

Similarly, under the necessary condition stated in Proposition 4.5 for M, the following holds:

Proposition 4.7 Suppose that M is such that h(i) is not the null event and UR(i) = {i} for some i ∈ Q. Then M is critically {i}-observable if and only if the FSM V(M) derived from M by Algorithm 3.4 is critically {i}-observable.

Proof From Proposition 3.3, if h(i) is not the null event and UR(i) = {i}, then ζ(i) = {i}. Therefore, by construction of the FSM V(M), the result follows. □

As a consequence of the propositions above, we can assume without loss of generality that M satisfies Assumption 4.1, i.e. the null event does not belong to Y, so that the sets introduced in Sect. 4.1.2 under this hypothesis can be used to characterize current location observability and critical location observability of M.

Theorem 4.1 Suppose that M is alive. If Assumption 4.1 holds, then M is current location observable if and only if

$$B^*(S^*) \subset \Theta. \qquad (4.11)$$

Proof If Assumption 4.1 holds, B∗(S∗) is by definition the set of all pairs of states which can be reached by two indistinguishable state trajectories of unbounded length. Therefore, M is current location observable if and only if all pairs (i, j) ∈ B∗(S∗) are such that i = j. □

In the more general case, the FSM M may have some sink states, and an additional condition is needed for current location observability to hold:

Fig. 4.4 FSM M (Example 4.2) [figure: state diagram of states 1–8 with output labels a, b, c]

Theorem 4.2 If Assumption 4.1 holds, then M is current location observable if and only if the following two conditions hold: (i) M is critically {j}-observable, for any sink state j; (ii) B∗(S∗) ⊂ Θ.

Proof Sufficiency: Condition (i) implies the possibility of distinguishing the current sink state, after a bounded number of steps, from the initial step. Then, by Theorem 4.1, sufficiency follows. Necessity: By definition of current location observability, for each execution ending in a sink state, that state has to be identified. Therefore, condition (i) is necessary. Suppose that condition (ii) is false. Then, by definition of B∗(S∗), there exists a pair of states (i, j) with i ≠ j, which cannot be distinguished for any arbitrarily long pair of executions that end in i and j. Hence, condition (ii) is necessary. □

Theorem 4.3 If Assumption 4.1 holds, then M is critically {i}-observable if and only if

$$\forall (j,h) \in S^*, \quad j = i \iff h = i. \qquad (4.12)$$

Proof The result follows by definition of the set S∗. □

The inclusion B∗(S∗) ⊂ B∗(Π) is obvious by definition of B∗(S∗) and because S∗ ⊂ Π. If the initial state may be any state in Q, we have the following:

Proposition 4.8 If Q0 = Q, then B∗(S∗) = B∗(Π).

Proof If Q0 = Q, then by definition of S∗, S∗ = Π and the result follows. □

Example 4.2 Consider the FSM depicted in Fig. 4.4, with Q0 = {1, 8} and Q∞ = {1, 4}.

It is easily seen that

$$S^* = \{(1,8),(2,5),(4,6)\}^s \cup \Theta \qquad (4.13)$$

and

$$B^*(S^*) = \{(2,5),(4,6)\}^s \cup \big(\Theta \setminus \{(1,1)\}\big). \qquad (4.14)$$

Therefore, the FSM is not current location observable. Note that the pair (1, 1) does not belong to B∗(S∗) because the state 1 has no predecessors and hence the pair (1, 1) is not k-backward indistinguishable for any k, as required by Definition 4.4. By testing the condition in Theorem 4.3 on the set S∗, one can see that the FSM is critically {i}-observable for i = 3, 7. □

4.2 Diagnosability of M

In this section, diagnosability is defined with respect to a subset of the state space Ω ⊂ Q called critical set. The set Ω may represent unsafe states, faulty states, or more generally any set of states of interest. Diagnosability, a property that is closely related to observability but is more general, corresponds to the possibility of detecting the occurrence of states belonging to Ω on the basis of the observations, after a finite number of transitions since the fault occurred. The complement of Ω is denoted by Ω̄. For simplicity of notation and exposition, in this section, we assume (as in [26]) that the FSM M is alive, as defined in Definition 3.1, i.e.

Assumption 4.2 For each i ∈ Q, succ(i) ≠ ∅.

4.2.1 Definition

For an infinite state execution σ, two cases are possible: (i) σ(k) ∈ Ω, for some k ∈ N; (ii) σ(k) ∉ Ω, ∀k ∈ N. In case (i), let kσ be the minimum value of k such that σ(k) ∈ Ω, i.e. such that the following two conditions hold:

$$k_\sigma \in \{k \in \mathbb{N} : \sigma(k) \in \Omega\}, \qquad k_\sigma = 1 \;\lor\; \sigma(h) \notin \Omega,\ \forall h \in [1, k_\sigma - 1]. \qquad (4.15)$$

Otherwise, in case (ii), set kσ = ∞.

Whenever σ(k) ∈ Ω for some k ∈ N, the condition σ(k) ∈ Ω is called crossing event, and k is the step at which the crossing event occurs. The FSM M is diagnosable if for any execution it is possible to detect the occurrence of a crossing event, possibly with some delay represented by a parameter denoted δ.

Definition 4.7 The FSM M is diagnosable with respect to a set Ω ⊂ Q (Ω-diag) if there exists δ ∈ N such that, for any infinite execution σ for which kσ ≠ ∞, it follows that for any string σ̃ ∈ h⁻¹(h(σ|[1, kσ+δ])) that is an execution of M, σ̃(k) ∈ Ω for some k ∈ [1, kσ + δ]. If the property holds with δ = 0, M is said to be observable with respect to a set Ω ⊂ Q (Ω-obs). If Ω ⊂ Q0, M is said to be Ω-initial state observable.

Roughly speaking, when Ω = {i}, Ω-observability corresponds to the ability of detecting that the state is equal to i the first time this happens. On the other hand, critical {i}-observability is a stronger notion, since it corresponds to the ability of detecting that the state is equal to i every time this happens.

4.2.2 The Sets F∗ and Λ∗

In this subsection, Assumption 4.1 holds, i.e. we assume that the set of outputs does not contain the null event. Definition 4.4 introduces the notion of backward indistinguishability for a pair of states. In characterizing Ω-diagnosability, the notion of forward indistinguishability is necessary, because of the delay allowed in the detection of the crossing event:

Definition 4.8 The pair (i, j) ∈ Π is k-forward indistinguishable if there exist $\sigma_1 \in Q^{\{i\}}$ and $\sigma_2 \in Q^{\{j\}}$, such that |σ1| = |σ2| = k and h(σ1) = h(σ2). The pair (i, j) ∈ Π is called forward indistinguishable if it is k-forward indistinguishable ∀k ∈ N, k ≥ 1.

In addition to the sets already defined in Sect. 4.1.2, we need the following two additional sets:

– F∗ ⊂ Π: Set of forward indistinguishable pairs of states;
– Λ∗ ⊂ (F∗ ∩ S∗): Set of pairs (i, j) ∈ Π, with i ∈ Ω and j ∈ Ω̄ (or vice versa i ∈ Ω̄ and j ∈ Ω) for which there exist two indistinguishable infinite state trajectories starting from {i} and {j}, respectively, such that the latter is contained in Ω̄ (or vice versa the former is contained in Ω̄).

In the following subsections, we will formally define the above sets and present some algorithms for their computation. We will prove that the computation of these sets has polynomial complexity in the state cardinality |Q|. In fact, the sets S∗, B∗(Σ), F∗, and Λ∗ are computed as fixed points of appropriate recursions, whose convergence is assured after a number of steps denoted by s∗, b∗, f∗, and l∗, all upper bounded by |Q|². Those sets will be instrumental not only in characterizing diagnosability but also in determining, in the case M is Ω-diag, the maximum delay in detecting the crossing event.

4.2.2.1 The Set F∗

The set F∗ can be formally defined as follows:

Definition 4.9 The set F∗ is the maximal set of pairs (i, j) ∈ Π which are k-forward indistinguishable, ∀k ∈ N, k ≥ 1.

Define the recursion, with k = 1, 2, ...,

$$F_{k+1} = \{(i,j) \in F_k : (\mathrm{succ}(i) \times \mathrm{succ}(j)) \cap F_k \neq \emptyset\} \qquad (4.16)$$

where

$$F_1 = \Pi. \qquad (4.17)$$

Proposition 4.9 Consider Eq. (4.16). Then, (i) Fk is the set of all k-forward indistinguishable pairs; (ii) the maximal fixed point of the recursion, contained in Π, is unique, nonempty, and is equal to F∗; (iii) the recursion reaches its maximal fixed point F∗ in f∗ < |Q|² steps.

Proof Statement (i) is true by definition of k-forward indistinguishable pairs. Because of the liveness assumption, the set Θ is a fixed point of the recursion (4.16), contained in Π. The union of fixed points in Π is a fixed point in Π and therefore the maximal fixed point of the recursion, contained in Π, is unique and nonempty. Let F̂ be such fixed point. Then ∀(i, j) ∈ F̂, (succ(i) × succ(j)) ∩ F̂ ≠ ∅. Let us suppose that F̂ ⊂ Fk. Then F̂ ⊂ Fk+1. Since F̂ ⊂ F1, then, by induction, F̂ ⊂ Fk, ∀k = 1, 2, .... Moreover, Fk+1 ⊂ Fk, ∀k = 1, 2, .... If Fk+1 = Fk for some k, then Fk+i = Fk, ∀i ≥ 0, and hence Fk is a fixed point. But a finite k such that Fk+1 = Fk exists because of the finite cardinality of Π. Let k̂ be the minimum value of k such that Fk+1 = Fk. Then $\hat F \subset F_{\hat k} \subset \hat F$ and hence $F_{\hat k} = \hat F$. It is clear that k̂ is bounded by the number of unordered pairs in Π. Hence, k̂ ≤ |Q|(|Q| − 1)/2. The fact that $F^* = F_{\hat k}$ comes from the definition of the set F∗ and the statements (ii) and (iii) are proved. □

In what follows, we set

$$f^* = \min\{f : F^* = F_f\} \qquad (4.18)$$

which is a well-defined finite nonnegative value.

4.2.2.2 The Set Λ∗

Given S∗ and Ω ⊂ Q, we now define the sets Λk and Λ∗ that are subsets of Fk and F∗, respectively.

Definition 4.10 Λk is the set of pairs (i, j) ∈ S∗, with i ∈ Ω and j ∈ Ω̄ (or vice versa i ∈ Ω̄ and j ∈ Ω) for which there exist two indistinguishable executions $\sigma_1 \in Q^{\{i\}}$ and $\sigma_2 \in Q^{\{j\}}$, |σ1| = |σ2| = k, such that σ2(h) ∈ Ω̄, ∀h ∈ [1, k] (σ1(h) ∈ Ω̄, ∀h ∈ [1, k], respectively). Λ∗ is the set of pairs (i, j) ∈ S∗ such that ∀k ∈ N, ∃k′ ≥ k : (i, j) ∈ Λk′.

The sets Λk and Λ∗ can be computed by defining the recursion, k = 1, 2, ...

$$\Psi_{k+1} = \{(i,j) \in \Psi_k : (\mathrm{succ}(i) \times \mathrm{succ}(j)) \cap \Psi_k \neq \emptyset\} \qquad (4.19)$$

where

$$\Psi_1 = (Q \times \bar\Omega) \cap S^* \qquad (4.20)$$

as the following result shows:

Proposition 4.10 Consider Eq. (4.19). Then, (i) Λk = Ψk ∩ (Ω × Ω̄)ˢ; (ii) if Ψk ≠ ∅, ∀k = 1, 2, ..., the maximal fixed point Ψ∗ of the recursion defined in (4.19), contained in Q × Ω̄, is nonempty and unique. Otherwise ∃k < |Q|² such that Ψk = ∅ and Ψ∗ = ∅; (iii) if Ψ∗ ≠ ∅ the recursion defined in (4.19) reaches this maximal fixed point in l∗ < |Q|² steps; (iv) Λ∗ = Ψ∗ ∩ (Ω × Ω̄)ˢ.

Proof The recursion defined in (4.19) is identical to the one in (4.16), except for the initialization. Therefore, Ψk is the set of k-forward indistinguishable pairs (i, j) for which there exist two indistinguishable state trajectories $\sigma_1 \in Q^{\{i\}}$ and $\sigma_2 \in Q^{\{j\}}$, with |σ1| = |σ2| = k, such that σ2(h) ∈ Ω̄, ∀h = 1...k. Hence, statement (i) is true by definition of Λk. By using the same arguments as in the proof of Proposition 4.9, the maximal fixed point Ψ∗ of the recursion (4.19), contained in Q × Ω̄, is unique. If Ψ∗ ≠ ∅, then again by using the same arguments as in the proof of Proposition 4.9, there exists k̂ < |Q|² such that $\Psi_{\hat k + 1} = \Psi_{\hat k}$ and hence statements (ii) and (iii) hold. If Ψ∗ = ∅, then $\Psi_{\hat k} = \emptyset$, for some k̂ < |Q|², and again statements (ii) and (iii) hold. The last statement comes from the definition of Λ∗. □

In what follows, we set

$$l^* = \min\{l : \Lambda^* = \Lambda_l\} \qquad (4.21)$$

which is a well-defined finite nonnegative value. It can be easily seen that

$$\Lambda_1 = \big((\Omega \times \bar\Omega) \cup (\bar\Omega \times \Omega)\big) \cap S^* \qquad (4.22)$$

$$\Lambda_{k+1} \subset \Lambda_k \subset F_k \cap S^* \qquad (4.23)$$

Fig. 4.5 The FSM M with Ω = {3, 4, 5} [figure: state diagram of states 1–7 with output labels a, b, c]

$$\Lambda^* = \bigcap_{k \in \mathbb{N}} \Lambda_k \subset F^* \cap S^*. \qquad (4.24)$$

4.2.3 Diagnosability Characterization

Given the FSM M = (Q, Q0, Y, h, E), suppose that Assumption 4.1 holds. In the last part of this section, we will show how this assumption can be removed. Define the FSM

$$\tilde M = (Q, Q_0, Y, h, \tilde E) \qquad (4.25)$$

where

$$(i,j) \in \tilde E \iff \big((i,j) \in E \,\land\, i \notin \Omega\big). \qquad (4.26)$$

Let

$$\tilde S^* \qquad (4.27)$$

be the set of pairs reachable from Q0 with two indistinguishable state evolutions, computed for M̃. Obviously S̃∗ ⊂ S∗. We set

$$\tilde b^* = \min\{b : B^*(\tilde S^*) = B_b(\tilde S^*)\} \qquad (4.28)$$

which is a well-defined finite nonnegative value. As an example, consider the FSM represented in Fig. 4.5, where Ω = {3, 4, 5}. The FSM M̃ is represented in Fig. 4.6. The set S̃∗ ∩ Λ∗ is the set of pairs (i, j), which are the ending states of a pair of indistinguishable state executions of the system M̃, with initial state in Q0, where

Fig. 4.6 The FSM M̃ corresponding to FSM M in Fig. 4.5 [figure: state diagram of states 1–7 with output labels a, b, c]

only one of the two states i or j belongs to Ω. Suppose that i belongs to Ω. Then the execution ending in j never crosses Ω. Moreover, i and j are the initial states of a pair of arbitrarily long indistinguishable state executions of the system M, such that the one starting in j never crosses Ω. Therefore, we can prove the following:

Theorem 4.4 The FSM M is Ω-diag if and only if

$$\tilde S^* \cap \Lambda^* = \emptyset. \qquad (4.29)$$

Proof Sufficiency: The set S̃∗, by definition of M̃, is the set of pairs that can be reached with two indistinguishable state executions, such that only the last state may belong to Ω. Suppose that (i, j) ∈ S̃∗, with only i ∈ Ω. If condition (4.29) holds, then by definition of Λ∗, there exists a finite δ such that for any pair of executions of M of length δ starting from (i, j) it is possible to detect which one crossed the set Ω at some step between 1 and δ. For (i, j) ∈ S̃∗, with i and j both in Ω or both outside Ω, such detection is not required.

Necessity: If S̃∗ ∩ Λ∗ ≠ ∅, since Λ∗ ⊂ F∗, for any l ∈ N, there exists (i, j) ∈ S̃∗ ∩ F∗, such that (i, j) ∈ Λl. Then, there exists an execution σ such that σ(k) = i (or j), and the pair (i, j) cannot be distinguished at step k + f, given the output string h(σ|[1, k+f]), ∀f ∈ N. Since (i, j) ∈ Λ∗, there exists a pair (σ1, σ2) of infinite indistinguishable evolutions starting from (i, j), with the property that only one of them crosses the set Ω. Therefore, there does not exist δ such that at step k + δ there is evidence that a crossing event occurred in the interval [1, k + δ]. Hence, the given condition is necessary. □

An equivalent condition expressed in terms of the parameters for which Ω-diagnosability holds is the following:

Corollary 4.1 The FSM M is Ω-diag if and only if there exist positive integer parameters f ≤ f∗ and l ≤ l∗ such that

$$\tilde S^* \cap F_f \subset \overline{\Lambda_l}. \qquad (4.30)$$

Proof By recalling Propositions 4.9 and 4.10, the result is a straightforward consequence of the proof of Theorem 4.4. □

Condition (4.30) explains how the on-line detection can be achieved and gives the tools for the computation of the delay between the occurrence of the critical event and its detection. In fact, suppose (4.30) holds for some f and l. If f = l = 1 then ∀(i, j) ∈ S̃∗, either (i, j) ∈ Ω × Ω or (i, j) ∈ Ω̄ × Ω̄, and hence the crossing event is immediately detected. Therefore, suppose that max{f, l} > 1. Given an infinite execution σ and the output string up to current step k, let

$$\hat\sigma(k) \in 2^Q \qquad (4.31)$$

be the set of discrete states at step k − (max{f, l} − 1) that are compatible with the observations up to step k, where σ̂(k) ∩ Ω = ∅ for k < max{f, l}. Let k̂ be the first k ≥ max{f, l} such that σ̂(k) ∩ Ω ≠ ∅. If σ̂(k̂) ⊂ Ω, then we can deduce that the set Ω was crossed for the first time at step k̂ − (max{f, l} − 1). Otherwise, suppose for simplicity that σ̂(k̂) = {i, j, h}. Then, by definition of σ̂(k̂), each pair (i, j), (i, h), and (j, h) belongs to S̃∗ ∩ F_f. Since the inclusion (4.30) holds, then any pair of indistinguishable state evolutions of M starting from S̃∗ ∩ F_f crosses the set Ω within at most l steps. Therefore, at step k̂, we are sure that the actual evolution of M is such that σ(h) ∈ Ω, for some h ∈ [h′, h″], where h′ = k̂ − (max{f, l} − 1) and h″ = k̂ − max{f, l} + l. Hence, whenever σ̂(k) ∩ Ω ≠ ∅, detection occurs at step k with a delay δ = max{f, l} − 1. The value γ = h″ − h′ = l − 1 gives a bound, called uncertainty radius, for the uncertainty in the reconstruction of the step at which the crossing event occurred. Then, the next result follows:

Proposition 4.11 If condition (4.30) holds, then M is Ω-diag with delay δ = max{f, l} − 1 and uncertainty radius γ = l − 1.

The next result characterizes Ω-initial state observability (see Definition 4.7), a special case of Ω-diagnosability:

Corollary 4.2 M is Ω-initial state observable if and only if

$$(Q_0 \times Q_0) \cap F^* \subset (\Omega \times \Omega) \cup (\bar\Omega \times \bar\Omega). \qquad (4.32)$$

Proof The necessity is obvious. For sufficiency, since Ω ⊂ Q0, then S̃∗ = (Q0 × Q0) ∩ Π. If (4.32) holds, since F∗ = F_{f∗} ⊂ Π and Λ1 = ((Ω × Ω̄) ∪ (Ω̄ × Ω)) ∩ S∗, then condition (4.30) holds, with l = 1 and f = f∗, and the result follows. □

Propositions 4.6 and 4.7 extend the results on current and critical location observability to the case of an FSM where some states are silent. We will show how the same generalization can be obtained for the diagnosability property as well. Given M and the critical set Ω ⊂ Q, let UR(Ω) be the set of silent states reached from Ω with a silent execution, i.e. by recalling (3.20):

Fig. 4.7 Part of an FSM M with Ω = {1} and UR(Ω) = {1, 3, 4, 6}. The output symbol c is not equal to the null event [figure: partial state diagram with states 1–6 and output labels a, b, c]

Fig. 4.8 The only predecessor of the noncritical state 3 in UR(Ω) is a critical state (see Fig. 4.7). Hence, state 3 becomes critical. State 4 in UR(Ω) is split into 4′ and 4″, the former with critical predecessors, the latter with noncritical predecessors. State 4′ is critical. At this point, the critical set is {1, 3, 4′} [figure: state diagram after the first split]

$$UR(\Omega) = \bigcup_{w \in \Omega} UR(w). \qquad (4.33)$$

If for a state q ∈ Ω there exists a state execution σ such that, at some step k̄, σ(k̄) = q ∧ σ(k) ≠ q, ∀k ∈ [1, k̄ − 1], and the collected information up to step k̄ is not sufficient to establish that q ∈ Ω, then Ω-diag is possible only if there are no cycles in the set UR(q). Hence, the following assumption can be made without loss of generality:

Assumption 4.3 The set UR(Ω) does not contain any cycle.

Since diagnosis is based on the output trajectory, a noncritical state q in UR(Ω) “inherits” from Ω the criticality. But q may be reached from a noncritical state. Therefore, in this case, we have to split q into two states, one that is critical and the other that is not. By applying recursively this splitting procedure, we obtain an FSM, denoted M′, such that each silent critical state is reached either from states that are all critical or from states that are all not critical. The set of critical states for M′ is denoted Ω′. Figures 4.7, 4.8, and 4.9 illustrate the steps of this splitting procedure that leads to M′ from M.

Proposition 4.12 An FSM M is Ω-diag if and only if the FSM M′ is Ω′-diag.

Fig. 4.9 State 6 is split into 6′ and 6″ and state 6′ is critical. The critical set is now {1, 3, 4′, 6′} and the procedure stops, since for any critical state q, all the states in UR(q) are critical, and each of them has either all critical predecessors or all noncritical predecessors. Then, at this point, we have obtained the FSM M′ [figure: state diagram after the second split]

Proof Obvious, by construction of M′ and Ω′. □

Procedure NOSILENT(M, V(M)), described by Algorithm 3.4, associates to the given FSM M a fully visible FSM V(M) and defines the point-to-set mapping ζ that associates to each state of M a subset of states of V(M) (see (3.31) and Proposition 3.3). Procedure NOSILENT(M, V(M)) is now updated in order to map the critical set Ω into a set Ω̂ for V(M) such that Ω̂-diag for V(M) implies Ω-diag for M. Let the set Ω be the additional input argument of Procedure NOSILENT(M, V(M)). The set Ω̂ is obtained as follows:

– if ζ(q) = {q}, then the state q in the new state space keeps its property of being critical or not;
– at all steps, when a state q of M is split into two or more states, those states inherit from q the property of being critical or not.

The updated procedure, called Procedure NOSILENT+, has input arguments M′ and Ω′ and produces as outputs the fully visible FSM V(M′) and the critical set Ω̂′. Then,

Proposition 4.13 An FSM M is Ω-diag if and only if the FSM V(M′) is Ω̂′-diag.

Proof By Proposition 4.12 and definition of Procedure NOSILENT+. □

As a consequence of Proposition 4.13, Theorem 4.4, Corollaries 4.1 and 4.2 can be applied to the FSM V(M′), and the property for the given FSM M is thereby characterized even if Assumption 4.1 does not hold.
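The fixed-point recursions of Sects. 4.1.2 and 4.2.2 and the membership tests of Theorem 4.1 (current location observability of an alive FSM), Proposition 4.3 (persistent states) and Theorem 4.4 (Ω-diagnosability), as an added Python example; this is not code from the book. The FSM below is constructed for illustration and is not one of the book's figures, and Π is taken, as an assumption, to be the set of state pairs with equal output, which is what remains once Assumption 4.1 excludes silent outputs.

```python
from itertools import product

# Constructed toy FSM M = (Q, Q0, Y, h, E); not one of the book's figures.
# Branches 1-2-4-6 and 1-3-5-7 emit a, b, c, ... with 2/3 and 4/5 output-equal;
# from 5 the machine may also move to 8, which emits d like 6 does.
Q = {1, 2, 3, 4, 5, 6, 7, 8}
Q0 = {1}
h = {1: "a", 2: "b", 3: "b", 4: "c", 5: "c", 6: "d", 7: "e", 8: "d"}
E = {(1, 2), (1, 3), (2, 4), (3, 5), (4, 6), (5, 7), (5, 8), (6, 6), (7, 7), (8, 8)}

# Assumption: with no silent output (Assumption 4.1), Pi is the set of state pairs
# with equal output and Theta the diagonal; both are symmetric.
PI = {(i, j) for i in Q for j in Q if h[i] == h[j]}
THETA = {(i, i) for i in Q}


def pre(E, i):
    return {p for (p, q) in E if q == i}


def succ(E, i):
    return {q for (p, q) in E if p == i}


def meets(pairs, sub):
    """True iff the iterable of pairs intersects sub (the '... ∩ X ≠ ∅' tests)."""
    return any(pq in sub for pq in pairs)


def s_star(E, Q0):
    """Least fixed point of (4.7): S1 = (Q0 x Q0) ∩ Pi,
    S_{k+1} = {(i,j) in Pi : (pre(i) x pre(j)) ∩ S_k ≠ ∅} ∪ S_k."""
    S = {(i, j) for i in Q0 for j in Q0} & PI
    while True:
        nxt = {(i, j) for (i, j) in PI if meets(product(pre(E, i), pre(E, j)), S)} | S
        if nxt == S:
            return S
        S = nxt


def b_star(E, Sigma):
    """Greatest fixed point of (4.8): backward indistinguishable pairs in Sigma."""
    B = set(Sigma)
    while True:
        nxt = {(i, j) for (i, j) in B if meets(product(pre(E, i), pre(E, j)), B)}
        if nxt == B:
            return B
        B = nxt


def forward_fixpoint(E, init):
    """Recursions (4.16) and (4.19): keep pairs having a successor pair still in the set."""
    F = set(init)
    while True:
        nxt = {(i, j) for (i, j) in F if meets(product(succ(E, i), succ(E, j)), F)}
        if nxt == F:
            return F
        F = nxt


def f_star(E):
    return forward_fixpoint(E, PI)          # F1 = Pi, Eq. (4.17)


def persistent_states(E):
    """Proposition 4.3: Q_p = {i : (i,i) in B*(Theta)}."""
    return {i for (i, j) in b_star(E, THETA)}


def lambda_star(E, Q0, Omega):
    """Proposition 4.10: Psi1 = (Q x Omega-bar) ∩ S*, Lambda* = Psi* ∩ (Omega x Omega-bar)^s."""
    psi1 = {(i, j) for (i, j) in s_star(E, Q0) if j not in Omega}
    psi = forward_fixpoint(E, psi1)
    return {(i, j) for (i, j) in psi if (i in Omega) != (j in Omega)}


def current_location_observable(E, Q0):
    """Theorem 4.1 (M alive, Assumption 4.1): B*(S*) ⊂ Theta."""
    return b_star(E, s_star(E, Q0)) <= THETA


def omega_diagnosable(E, Q0, Omega):
    """Theorem 4.4: M is Omega-diag iff S~* ∩ Lambda* = ∅, where S~* is S* of the
    FSM M~ of (4.25)-(4.26), obtained by deleting every transition leaving Omega."""
    E_tilde = {(i, j) for (i, j) in E if i not in Omega}
    return not (s_star(E_tilde, Q0) & lambda_star(E, Q0, Omega))


if __name__ == "__main__":
    S = s_star(E, Q0)
    print("S* minus Theta :", sorted(S - THETA))
    print("B*(S*)         :", sorted(b_star(E, S)))
    print("persistent Q_p :", sorted(persistent_states(E)))
    print("current location observable:", current_location_observable(E, Q0))
    for Omega in ({4}, {7}):
        print(f"Omega={Omega}: Lambda*={sorted(lambda_star(E, Q0, Omega))}, "
              f"diagnosable={omega_diagnosable(E, Q0, Omega)}")
```

On this machine B∗(S∗) contains (6, 8), the two looping states that both emit d, so the FSM is not current location observable; with Ω = {4} the pair (4, 5) survives in Λ∗ and in S̃∗, so reaching 4 cannot be diagnosed (the run through 5 and 8 produces the same output string forever), while Ω = {7} is diagnosable because 7 is the only state emitting e.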

4.3 Predictability of M

In this section, we investigate predictability, a complementary property to diagnosability, which corresponds to the possibility of predicting in a deterministic way the future occurrence of specific discrete states on the basis of the observations. As done for diagnosability, predictability is defined with respect to the critical set Ω, representing faulty states or, more generally, any subset of states which is of particular interest from the system’s behavior point of view. For predictability to be meaningful, we assume that

$$\Omega \cap Q_0 = \emptyset. \qquad (4.34)$$

4.3.1 Definition

For a finite σ ∈ Q∗, Cσ denotes the set of all its finite “continuations”, i.e.

$$C_\sigma = \{\eta \in Q^+ : \sigma\eta \in Q^+\}. \qquad (4.35)$$

For σ ∈ Q⁺, the set of its prefixes is

$$P_\sigma = \{z_n \in Q^+ : \sigma|_{[1,n]} = z_n,\ n = 1, \dots, |\sigma|\}. \qquad (4.36)$$

A prefix z ∈ Pσ is proper if z ≠ σ. The next definition rephrases in our framework Definition 1 of [14]:

Definition 4.11 The FSM M is predictable with respect to a set Ω ⊂ Q (shortly, Ω-pred) if for any finite state trajectory σ of M ending in Ω, with σ(k) ∉ Ω, ∀k ∈ [1, |σ| − 1], there exists a proper prefix z ∈ Pσ such that, for any execution v ∈ h⁻¹(h(z)) of M, v(k) ∉ Ω, ∀k ∈ [1, |z|], and for any sufficiently long s ∈ Cv there exists k′ such that s(k′) ∈ Ω.

In the definition above |σ| − |z| ≥ 1, and the value |σ| − |z| is called prediction horizon. If the prediction horizon is greater than or equal to some p ≥ 1 for all σ, then M is called Ω-pred with prediction horizon p. Definition 4.11 requires being able to predict a critical situation before its first occurrence. Hence, we can replace the FSM M with the accessible part of the FSM M̃ obtained from the given one by removing all the transitions (i, j) with i ∈ Ω, as in (4.25). This means that all states in Ω become sinks, and the following holds:

Proposition 4.14 The FSM M is predictable if and only if Ac(M̃) is predictable.

4.3.2 Predictability Characterization

By Proposition 4.14, we assume without loss of generality that M = Ac(M̃).

We first introduce the notion of n-precursor of a given set Ω ⊂ Q, where n is a positive integer:

Definition 4.12 A set Fn(Ω) ⊂ Q is the n-precursor of the set Ω if the following two conditions hold: (i) Fn(Ω) is the set of all states not belonging to Ω starting from which the set Ω can be reached after at least n steps; (ii) there exists a bound n′ ≥ n such that all trajectories starting from any state of Fn(Ω) reach Ω in a number of steps less than or equal to n′.

Hence, states in the n-precursor Fn(Ω) reach Ω in at least n steps and at most n′ steps, where n′ is taken as the minimum value in the set of integers that satisfy condition (ii) above. It is easy to verify that ∀n ≥ 1

$$F_n(\Omega) \cap F_{n+1}(\Omega) = \emptyset. \qquad (4.37)$$

Moreover, for n > 1,

$$F_n(\Omega) \neq \emptyset \implies F_i(\Omega) \neq \emptyset,\ \forall i = 1, \dots, n-1 \qquad (4.38)$$

and conversely

$$F_n(\Omega) = \emptyset \implies F_i(\Omega) = \emptyset,\ \forall i \geq n. \qquad (4.39)$$

Definition 4.13 Suppose that F1(Ω) ≠ ∅ and let n̄ be the largest value of n for which there exists an n-precursor of Ω. The set

$$F(\Omega) = \bigcup_{n=1}^{\bar n} F_n(\Omega) \qquad (4.40)$$

is called the precursor of Ω. If F1(Ω) = ∅, then we set

$$F(\Omega) = \emptyset. \qquad (4.41)$$

Roughly speaking, if at some step it is possible to deduce from the collected output information that the current state belongs to the set F(Ω), then the crossing event can be predicted. Knowing that the current state belongs to Fn(Ω) not only implies predictability but also ensures that the critical situation will not occur before the next n steps. Therefore, the value n̄ is the upper bound of the prediction horizon for the given FSM. In what follows, we will assume that F(Ω) ≠ ∅, since this condition is necessary for predictability even in the case of full knowledge of the state. Given the FSM M = (Q, Q0, Y, h, E), define the FSM

$$M_{-1} = (Q, Q_0, Y, h, E_{-1})$$

Fig. 4.10 FSM M (Example 4.3) [figure: state diagram of states 1–6 with output labels a, b, c]

where (i, j) ∈ E−1 if and only if (i, j) ∈ E and i ∉ F1(Ω). Let $S^*_{-1}$ be the set of pairs of states reachable from Q0 with two indistinguishable state executions of M−1. Then, we can state the following:

Theorem 4.5 Suppose that Assumption 4.1 holds. Then, the FSM M is Ω-predictable if and only if   ∗ S−1 ∩ F1 (Ω) × F (Ω) = ∅. (4.42) Proof Sufficiency: Consider a finite state evolution σ of M, with initial state in Q 0 ∗ and having only the last state in F1 (Ω). By definition of S−1 and by condition (4.42), all the state evolutions of M which are indistinguishable from σ have the last state    . Therefore, M is Ω-predictable. in F (Ω) and never crossed Ω since M = Ac M Necessity: Suppose that condition (4.42) is false. Then there exist two indistinguishable state evolutions of M, σ  and σ  , such that the last state of σ  is in F1 (Ω) and the last state of σ  is in F (Ω). By definition of M−1 , this last state does not belong to Ω, and by definition of F (Ω), there is no state in σ  belonging to F (Ω). Therefore, M is not Ω-predictable.  Example 4.3 In this example, we what happens if the precursors are computed  show   . Figure 4.10 represents the FSM M where the with respect to M, if M = Ac M set Ω is the singleton {3}. This F S M is Ω-predictable, because at the occurrence of symbol b in the output string we can predict that the set Ω will be reached at the next step. Let us now compute the precursors. By Definition 4.12, the set of all states starting from which the set Ω can be reached after at least 1 step is {2, 5}, which is not a precursor since there is no bound in the length of the executions that start from the state 5 and end in the set Ω. Therefore, by (4.39), F (Ω) = ∅, and thenec  , essary condition for predictability is not verified. By considering the FSM Ac M represented in Fig. 4.11, F1 (Ω) = {2}, n = 1, because the precursor F2 (Ω) does ∗ not exist, and  F (Ω) = F1 (Ω).  Since S1 = {(1, 1), (2, 2), (4, 4)}, F (Ω) = {1, 3, 4}, ∗ then S−1 ∩ F1 (Ω) × F (Ω) = ∅, and hence by Theorem 4.5, the FSM M is Ωpredictable.  Let us now characterize predictability with a given prediction horizon. 
Fig. 4.11 FSM $\mathrm{Ac}(\tilde M)$

Given the FSM $M=(Q,Q_0,Y,h,E)$ and the set $\Omega\subset Q$, and given the integer $p\in[1,n]$, define the FSM
$$M_{-p}=(Q,Q_0,Y,h,E_{-p})$$
where $(i,j)\in E_{-p}$ if and only if $(i,j)\in E$ and $i\notin F_p(\Omega)$. Let $S^*_{-p}$ be the set of pairs of states reachable from $Q_0$ with two indistinguishable state executions of $M_{-p}$. The following generalization of Theorem 4.5 holds:

Theorem 4.6 Suppose that Assumption 4.1 holds. Then the FSM $M$ is $\Omega$-predictable with prediction horizon $p\in[1,n]$ if and only if
$$S^*_{-p}\cap\Big(F_p(\Omega)\times\overline{\bigcup_{k=p}^{n}F_k(\Omega)}\Big)=\emptyset. \tag{4.43}$$

The proof is omitted since it follows the same arguments as the one of Theorem 4.5. Obviously, condition (4.43) boils down to condition (4.42) for $p=1$.

Example 4.4 In this example, we illustrate the application of Theorems 4.5 and 4.6. In the FSM $M$ depicted in Fig. 4.12, the states in $\Omega=\{4,7\}$ are sinks. Hence, we can compute the precursors of $\Omega$ on the given FSM $M$. We have $F_1(\Omega)=\{3,6\}$ and $F_2(\Omega)=\{2,9\}$. The $n$-precursor with $n=3$ does not exist, hence $n=2$ and $F(\Omega)=\{2,3,6,9\}$. The FSM $M_{-1}$, which is the FSM obtained from $M$ by removing the transitions $(i,j)$ with $i\in F_1(\Omega)$, is depicted in Fig. 4.13. With respect to $M_{-1}$, the set $S^*_{-1}$ is
$$S^*_{-1}=\{(8,9),(2,6)\}^s\cup\Theta$$
and therefore the FSM $M$ is $\Omega$-predictable, as established in Theorem 4.5.

Fig. 4.12 FSM $M$

Fig. 4.13 The FSM $M_{-1}$

Notice that even if in this case $n=2$, we can predict the critical situation at most one step in advance. In fact, we are in general not able to distinguish between two states, namely 2 and 6, belonging to $F_2(\Omega)$ and $F_1(\Omega)$, respectively. Moreover, we are not able to distinguish between 8 and 9, where only the latter belongs to the precursor $F(\Omega)$. □

We now show that the results in Theorems 4.5 and 4.6 can be generalized without Assumption 4.1. Given $M$ and $\Omega\subset Q$, let $UR^{-1}(\Omega)$ be the set of states from which the critical set is reached with a silent execution, i.e.
$$UR^{-1}(\Omega)=\{q\in Q : UR(q)\cap\Omega\neq\emptyset\}. \tag{4.44}$$

By definition of $UR^{-1}(\Omega)$ and of $F(\Omega)$, the following proposition holds:

Proposition 4.15 An FSM $M$ is $\Omega$-predictable if and only if $UR^{-1}(\Omega)\setminus\Omega\subset F(\Omega)$ and $M$ is $UR^{-1}(\Omega)$-predictable.
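The checks of Theorems 4.5 and 4.6 can be run mechanically. The Python below is an added example, not code from the book, and it works on a small FSM constructed for the purpose: $Q_0=\{1\}$, $\Omega=\{4\}$, a chain $1\to2\to3\to4$ with 4 a sink, and a loop $1\to5\to6\to5$ that never reaches $\Omega$. Assumption 4.1 holds because every state has a visible output, and since the states in $\Omega$ are sinks the precursors can be read off $M$ directly, as in Example 4.4; they are supplied by hand ($F_1(\Omega)=\{3\}$, $F_2(\Omega)=\{2\}$, $n=2$), so the precursor computation of Definition 4.12 is not reimplemented here. $S^*_{-p}$ is obtained as the reachable part of the product automaton restricted to equal-output pairs, which is one standard way of computing the pairs reachable by two indistinguishable executions. Two output maps are compared: one in which 2 and 5, and 3 and 6, share outputs, and one in which state 5 gets its own output. All names in the code are ours.

```python
"""Conditions (4.42) and (4.43) on a constructed FSM: predictability via M_{-p} and S*_{-p}."""
from collections import deque

# Constructed FSM (not from the book). Q0 = {1}, Omega = {4}; 1 -> 2 -> 3 -> 4 with 4 a
# sink, and a loop 1 -> 5 -> 6 -> 5 that never reaches Omega.
Q0 = {1}
E = {(1, 2), (2, 3), (3, 4), (4, 4), (1, 5), (5, 6), (6, 5)}
OMEGA = {4}
# Precursors supplied by hand (states in Omega are sinks, as in Example 4.4): every
# execution from 3 enters Omega after exactly one step, from 2 after exactly two; state 1
# may move into the loop, so no 3-precursor exists and n = 2.
F = {1: {3}, 2: {2}}
# Two output maps: in H_WEAK the pairs (2, 5) and (3, 6) share outputs; H_STRONG gives 5 its own.
H_WEAK = {1: "a", 2: "b", 3: "a", 4: "c", 5: "b", 6: "a"}
H_STRONG = {**H_WEAK, 5: "c"}


def restricted_edges(E, removed_sources):
    """E_{-p}: the transitions (i, j) of E whose source i is not in F_p(Omega)."""
    return {(i, j) for (i, j) in E if i not in removed_sources}


def indistinguishable_pairs(Q0, h, E):
    """S*: pairs (i, j) reachable from Q0 by two executions of equal length with the
    same output string. Breadth-first search over the product automaton, keeping only
    equal-output pairs, so cycles need no unrolling of executions."""
    succ = {}
    for i, j in E:
        succ.setdefault(i, set()).add(j)
    start = {(i, j) for i in Q0 for j in Q0 if h[i] == h[j]}
    seen, todo = set(start), deque(start)
    while todo:
        i, j = todo.popleft()
        for i2 in succ.get(i, ()):
            for j2 in succ.get(j, ()):
                if h[i2] == h[j2] and (i2, j2) not in seen:
                    seen.add((i2, j2))
                    todo.append((i2, j2))
    return seen


def predictable_with_horizon(Q0, h, E, F, p):
    """Theorem 4.6: Omega-predictable with horizon p iff
    S*_{-p} ∩ (F_p(Omega) x complement(F_p ∪ ... ∪ F_n)) is empty; p = 1 is (4.42).
    Returns (verdict, offending pairs)."""
    n = max(F)
    near = set().union(*(F[k] for k in range(p, n + 1)))   # F_p ∪ ... ∪ F_n
    s_minus_p = indistinguishable_pairs(Q0, h, restricted_edges(E, F[p]))
    bad = {(i, j) for (i, j) in s_minus_p if i in F[p] and j not in near}
    return not bad, bad


if __name__ == "__main__":
    for name, h in (("weak", H_WEAK), ("strong", H_STRONG)):
        for p in (1, 2):
            print(name, "p =", p, predictable_with_horizon(Q0, h, E, F, p))
```

Under the first output map the pair $(3,6)$ lies in $S^*_{-1}$ with $3\in F_1(\Omega)$ and $6\notin F(\Omega)$: after observing $a\,b\,a$ an observer cannot tell whether $\Omega$ is entered at the next step, so condition (4.42) fails, and the pair $(2,5)$ makes (4.43) fail for $p=2$ as well. Under the second map both conditions hold, i.e. the FSM is $\Omega$-predictable with prediction horizon $n=2$.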

Fig. 4.14 $\Omega=\{6,7\}$, $UR^{-1}(\Omega)=\{1,2,3,6,7\}$, $F(\Omega)=\{1,2,3,4,5\}$

Fig. 4.15 Prediction must be made with respect to the set $\{1,6\}$

For a set $\Psi$, given the point-to-set mapping $\zeta$ in (3.31), the symbol $\zeta(\Psi)$ denotes the set of all $j\in\tilde Q$ such that $j\in\zeta(i)$, with $i\in\Psi$. Therefore, by Procedure NOSILENT, defined in Algorithm 3.4, and by definition of the set $UR^{-1}(\Omega)$, the following property holds:

Proposition 4.16 If $UR^{-1}(\Omega)\setminus\Omega\subset F(\Omega)$, then $M$ is $\Omega$-predictable if and only if $V(M)$ is $\zeta\big(UR^{-1}(\Omega)\big)$-predictable, where $\zeta\big(UR^{-1}(\Omega)\big)$ is the image of $UR^{-1}(\Omega)$ under the map $\zeta$.

Figure 4.14 shows part of an FSM where $UR^{-1}(\Omega)\setminus\Omega\subset F(\Omega)$. From Proposition 4.15, the prediction must be made with respect to the set $UR^{-1}(\Omega)$, i.e. with respect to the set $\{1,6\}$ (see Fig. 4.15) obtained by removing all the transitions $(i,j)$ with $i\in UR^{-1}(\Omega)$. Finally, let us consider the FSM depicted in Fig. 4.16. The FSM is $UR^{-1}(\Omega)$-predictable, but the condition $UR^{-1}(\Omega)\setminus\Omega\subset F(\Omega)$ is not verified. In fact, the FSM is not $\Omega$-predictable.

Fig. 4.16 $\Omega=\{6,7\}$, $UR^{-1}(\Omega)=\{1,2,3,6,7\}$, $F(\Omega)=\{3,5\}$

4.4 Notes and Further Reading

In this chapter, the definitions of diagnosability and predictability are inspired by those given in [14, 26]. For a discrete state system, we use the term observability in the traditional meaning of [39], which corresponds to the reconstruction of the current discrete state of the system. However, the term observability is also used with a different meaning in the discrete systems literature. For example, in the classical textbook [4], it is said that "Intuitively, observability means the following: If you cannot differentiate between two strings, then these strings should require the same control action". Hence, in that case, observability is related to the controllability of the system in the presence of partial information, which is a completely different notion, related to a desired language. Readers interested in observability properties for FSMs have a huge literature to explore. The papers [9, 39] may offer a good overview of this topic. The paper [2] embeds observability and diagnosability of FSMs in the framework of Resilience and Cyber Security. The notion of critical location observability was introduced in [11, 12] with respect to a set of critical states, rather than with respect to a singleton $\{i\}$ as done in this chapter. A state belonging to the critical set is called a critical state. This idea comes from safety-critical applications, e.g. Air Traffic Management [10, 12], where the critical set of discrete states represents dangerous situations that must be detected to avoid unsafe or even catastrophic behavior of the system. However, the critical set can represent a set of faults, or more generally any set of interest. Critical location observability has recently been characterized in [17] for the class of Max-Plus Automata and in [7, 20] for Petri nets. For discrete event systems, the diagnosability verification problem was investigated in several papers, e.g. [13, 22, 26, 38]. For timed automata it was addressed in [32]. An excellent survey of advances in diagnosis methods for discrete systems can be found in [39]. Some effort was also made in the direction of a decentralized approach to observability and diagnosability, e.g. in [6, 25], where observability with respect to a language [19] was generalized to the case of decentralized systems by introducing the notion of coobservability. In [34, 36], it was proved that coobservability and codiagnosability can be mapped to each other. To consider more recent developments, but without any attempt at completeness, we cite [33], where the new notion of the "at least one can tell" condition was introduced in the decentralized framework.


Predicting the future occurrence of specific discrete states allows one to proactively perform operations on the system to enhance its reliability, optimize performance, or ensure safety by avoiding abnormal behaviors. This is of paramount importance especially in safety-critical applications, such as, for example, Air Traffic Management (ATM) systems where, due to an ever-increasing air traffic volume, capacity needs to be augmented while preserving safety. For example, in ATM procedures, non-nominal modes of operation need to be properly and promptly predicted to avoid malfunctioning or disruption of technical devices or potentially hazardous situations caused by human operator errors [8, 23]. For discrete event systems, fault prediction has received considerable attention in the last two decades; see [39] and references therein for a concise overview of existing results dealing with discrete event systems. Predictability with respect to a specific subset of the state space was introduced in [14], where the predictability property was defined with respect to the occurrence of events in systems modeled by regular languages, also providing a necessary and sufficient condition for events to be predictable. Recent works on predictability focus on stochastic [5, 21] and fuzzy [3] discrete event systems. Decentralized and distributed architectures have also been proposed in [16, 28–30, 37]. While in the literature on discrete event systems a transition-based model is used, here we adopted a state-based approach, similar to what was done in [18], where an on-line diagnosability problem for a deterministic Moore automaton with partial state observation was solved, in [15], where the focus was on the complexity reduction in the diagnoser design, and in [31], where verification of codiagnosability is performed. We have characterized observability, diagnosability, and predictability in the set-membership-based formalism introduced in [9].

This formalism and the derived algorithms are very simple and intuitive and allow checking the properties without constructing an observer. Using the proposed conditions, we can check diagnosability of a critical event, such as a faulty event, and at the same time compute the delay of the diagnosis with respect to the occurrence of the event (see Corollary 4.1 and subsequent discussion). Similarly, we can check predictability of a critical event and at the same time compute the safe horizon before the event occurrence (see Theorem 4.6). These evaluations are useful to better understand the characteristics of the system and can be used in the implementation of the diagnoser and of the predictor. An analysis that does not require the construction of an observer was also offered in other papers (see, e.g. [27, 35] and references therein). In particular, the pairs of states in $S^*$ are indistinguishable in the sense of [27, 35]. The difference is that, in this chapter, the set $S^*$ is defined and computed under the assumption that the set of outputs does not contain the null event (see Assumption 4.1). On the contrary, in [35] partially observable transitions are allowed. However, Algorithm 3.4 transforms the given FSM into an FSM satisfying Assumption 4.1, and we have established the relationship between the two FSMs with respect to the properties addressed in this chapter. Therefore, there is no loss of generality in the approach described in this chapter. Indistinguishability was defined in [24] with a different meaning with respect to the one we adopted to define $S^*$. From the definitions of [24] recast in our framework, two states $i$ and $j$ are said to be indistinguishable if any pair of state trajectories, one starting from $i$ and the other from $j$, are indistinguishable. In the same paper, two forward indistinguishable states as in Definition 4.4 were called possibly indistinguishable, while two backward indistinguishable states were called possibly indistinguishable with respect to an FSM associated with the given FSM $M$, called the reverse FSM.

References

1. Balluchi A, Benvenuti L, Di Benedetto MD, Sangiovanni-Vincentelli AL (2002) Design of observers for hybrid systems. In: Tomlin CJ, Greenstreet MR (eds) Hybrid systems: computation and control. Lecture notes in computer science, vol 2289. Springer, Berlin, pp 76–89
2. Basilio JC, Hadjicostis CN, Su R (2021) Analysis and control for resilience of discrete event systems. Fault diagnosis, opacity and cyber security. Foundations and Trends in Systems and Control 8(4):285–443
3. Benmessahel B, Touahria M, Nouioua F (2017) Predictability of fuzzy discrete event systems. Discrete Event Dyn Syst 27(4):641–673
4. Cassandras CG, Lafortune S (1999) Introduction to discrete event systems. Kluwer Academic Publishers, Dordrecht
5. Chang M, Dong W, Ji Y, Tong L (2013) On fault predictability in stochastic discrete event systems. Asian J Control 15(5):1458–1467
6. Cieslak R, Desclaux C, Fawaz AS, Varaiya P (1988) Supervisory control of discrete-event processes with partial observations. IEEE Trans Autom Control 33(3):249–260
7. Cong X, Fanti MP, Mangini AM, Li Z (2022) Critical observability of discrete-event systems in a Petri net framework. IEEE Trans Syst Man Cybern 52(5):2789–2799
8. De Santis E, Di Benedetto MD, Petriccone A, Pola G (2009) A compositional hybrid system approach to the analysis of air traffic management systems. In: Proceedings of the 8th Innovative Research Workshop & Exhibition, EUROCONTROL, Paris, France
9. De Santis E, Di Benedetto MD (2017) Observability and diagnosability of finite state systems: a unifying framework. Automatica 81:115–122
10. De Santis E, Di Benedetto MD, Di Gennaro S, D'Innocenzo A, Pola G (2006) Critical observability of a class of hybrid systems and application to air traffic management. Lecture notes in control and information sciences, vol 337. Springer, Berlin, pp 141–170
11. Di Benedetto MD, Di Gennaro S, D'Innocenzo A (2005) Critical observability and hybrid observers for error detection in air traffic management. In: Proceedings of the 13th Mediterranean Conference on Control and Automation, Limassol, Cyprus
12. Di Benedetto MD, Di Gennaro S, D'Innocenzo A (2005) Error detection within a specific time horizon and application to air traffic management. In: Proceedings of the joint 44th IEEE Conference on Decision and Control and European Control Conference (CDC–ECC'05), Seville, Spain, pp 7472–7477
13. Frank PM (1990) Fault diagnosis in dynamic systems using analytical and knowledge-based redundancy: a survey and some new results. Automatica 26(3):459–474
14. Genc S, Lafortune S (2009) Predictability of event occurrences in partially-observed discrete-event systems. Automatica 45(2):301–311
15. Hashtrudi Zad S, Kwong RH, Wonham WM (2003) Fault diagnosis in discrete-event systems: framework and model reduction. IEEE Trans Autom Control 48(7):1199–1212
16. Kumar R, Takai S (2010) Decentralized prognosis of failures in discrete event systems. IEEE Trans Autom Control 55(1):48–59
17. Lai A, Lahaye S, Komenda J (2022) Observer construction for polynomially ambiguous max-plus automata. IEEE Trans Autom Control 67(3):1582–1588
18. Lin F (1994) Diagnosability of discrete event systems and its applications. Discrete Event Dyn Syst 4(1):197–212
19. Lin F, Wonham WM (1988) On observability of discrete-event systems. Inf Sci 44:173–198
20. Masopust T (2020) Critical observability for automata and Petri nets. IEEE Trans Autom Control 65(1):341–346
21. Nouioua F, Dague P, Ye L (2017) Predictability in probabilistic discrete event systems. In: Soft methods for data science. Springer, Berlin, pp 381–389
22. Paoli A, Lafortune S (2005) Safe diagnosability for fault tolerant supervision of discrete event systems. Automatica 41(8)
23. Petriccone A, Pola G, Di Benedetto MD, De Santis E (2012) Safety criticality analysis of complex air traffic management systems via compositional bisimulation. IFAC Proc Vol 45(9):370–375. 4th IFAC Conference on Analysis and Design of Hybrid Systems
24. Ramadge PJ (1986) Observability of discrete event systems. In: Proceedings of the 25th IEEE Conference on Decision and Control, Athens, Greece, pp 1108–1112
25. Rudie K, Wonham WM (1992) Think globally, act locally: decentralized supervisory control. IEEE Trans Autom Control 37(11):1692–1708
26. Sampath M, Sengupta R, Lafortune S, Sinnamohideen K, Teneketzis D (1995) Diagnosability of discrete-event systems. IEEE Trans Autom Control 40(9):1555–1575
27. Sears D, Rudie K (2014) On computing indistinguishable states of nondeterministic finite automata with partially observable transitions. In: Proceedings of the 53rd IEEE Conference on Decision and Control, Los Angeles, California, USA, pp 6731–6736
28. Takai S, Kumar R (2011) Inference-based decentralized prognosis in discrete event systems. IEEE Trans Autom Control 56(1):165–171
29. Takai S, Kumar R (2012) Distributed failure prognosis of discrete event systems with bounded-delay communications. IEEE Trans Autom Control 57(5):1259–1265
30. Takai S, Kumar R (2017) A generalized inference-based prognosis framework for discrete event systems. IFAC-PapersOnLine 50(1):6819–6824. 20th IFAC World Congress
31. Takai S, Ushio T (2012) Verification of codiagnosability for discrete event systems modeled by Mealy automata with nondeterministic output functions. IEEE Trans Autom Control 57(3):798–804
32. Tripakis S (2002) Fault diagnosis for timed automata. In: Damm W, Olderog ER (eds) Lecture notes in computer science, vol 2469. Springer, Berlin, pp 205–221
33. Tripakis S, Rudie K (2022) Decentralized observation of discrete-event systems: at least one can tell. IEEE Control Syst Lett 6:1652–1657
34. Wang W, Girard AR, Lafortune S, Lin F (2011) On codiagnosability and coobservability with dynamic observations. IEEE Trans Autom Control 56(7):1551–1566
35. Wang W, Lafortune S, Lin F (2007) An algorithm for calculating indistinguishable states and clusters in finite-state automata with partially observed transitions. Syst Control Lett 656–661
36. Yin X, Lafortune S (2015) Codiagnosability and coobservability under dynamic observations: transformations and verifications. Automatica 61:241–252
37. Yin X, Li Z (2016) Decentralized fault prognosis of discrete event systems with guaranteed performance bound. Automatica 69:375–379
38. Yoo T, Lafortune S (2002) Polynomial-time verification of diagnosability of partially-observed discrete-event systems. IEEE Trans Autom Control 47(9):1491–1495
39. Zaytoon J, Lafortune S (2013) Overview of fault diagnosis methods for discrete event systems. Ann Rev Control 37(2):308–320

Chapter 5

Extending Diagnosability Properties for Finite State Machines

In this chapter, we refer to the discrete structure of the H-system to extend the diagnosability properties illustrated in Chap. 4. In particular, in addition to the delay required for the detection of a critical state, some additional parameters are introduced, which represent the precision of the delay estimation and the duration of a possible initial transient where the properties are not satisfied or are not required to hold. This general framework allows a precise comparison with the observability and diagnosability definitions existing in the literature.

5.1 A Parametric Definition of Diagnosability

In this section, we extend the definitions of diagnosability given in the previous chapter. We introduce some additional parameters that describe the capability of inferring that the state belongs to the critical set $\Omega$ at some step during the execution, after a finite transient or after a finite delay, with the possibility of an uncertainty in the determination of that step. Recall that for a state execution $\sigma$ of a given FSM, $k_\sigma$ is the minimum value of $k$ such that $\sigma(k)\in\Omega$, or is set to $\infty$ if the string $\sigma$ never crosses $\Omega$ (see (4.15)).

Definition 5.1 The FSM $M$ is parametrically diagnosable with respect to a set $\Omega\subset Q$ (shortly parametrically $\Omega$-diag) if there exist $\tau\in\mathbb N$, $\gamma\in\mathbb N$, $\delta\in\mathbb N$, $\delta\ge\gamma$, and $T\in\mathbb N$ such that for any string $\sigma\in\mathcal Q$ for which $k_\sigma\neq\infty$, whenever $\sigma(k)\in\Omega$ with $\max\{k_\sigma,(\tau+1)\}\le k<k_\sigma+T+1$, it follows that for any string $\tilde\sigma\in h^{-1}h\big(\sigma|_{[1,k+\delta]}\big)$, $\tilde\sigma(h)\in\Omega$ for some $h\in[\max\{1,(k-\gamma)\},k+\gamma]$.

The parameter $\delta$ corresponds, as in Definition 4.7, to the maximum delay of the crossing event detection, while $\tau$ corresponds to an initial interval where the crossing event is not required to be detected. The value $\gamma$ is the uncertainty radius in the reconstruction of the step at which the crossing event occurred. The detection of the crossing event is required when it occurs in the window defined by the horizon $T$ after the first crossing event. To better understand the role of these parameters, consider the examples in Fig. 5.1. For fixed values $\tau$, $T$, $\delta$ and $\gamma$, three possible cases are represented, corresponding to three different executions with different values of $k_\sigma$. In the first case $\max\{k_\sigma,(\tau+1)\}=\tau+1$. Hence, any crossing event occurring at $k$, $\tau+1\le k<k_\sigma+T+1$, must be detected, with maximum delay $\delta$ and with maximum uncertainty $\gamma$. Detection of crossing events occurring in $[1,\tau]$ is not required. In the second case, $\max\{k_\sigma,(\tau+1)\}=k_\sigma$, and therefore any crossing event up to step $k_\sigma+T$ must be detected, with maximum delay $\delta$ and with maximum uncertainty $\gamma$. Finally, in the last case, no detection is required. Obviously, $T=0$ and $\tau=0$ mean that only the first crossing event must be detected. Moreover, $\delta=0$ implies $\gamma=0$, but $\gamma=0$ does not in general imply $\delta=0$. As an example, the FSM in Fig. 5.2, where $\Omega=\{3\}$, is not parametrically $\Omega$-diag: for any $\tau$, there exists a state execution that crosses the set $\Omega$ for the first time at some $k>\tau$, and it is not possible to detect the crossing event either immediately or with delay, either exactly or with uncertainty.

© Springer Nature Switzerland AG 2023 E. De Santis and M. D. Di Benedetto, H-Systems, Communications and Control Engineering, https://doi.org/10.1007/978-3-031-20447-0_5

Fig. 5.1 Illustration of parameters $k_\sigma$, $\tau$ and $T$. The blue interval represents the "observation window" after the first occurrence of the crossing event. The crossing events occurring in the gray interval do not need to be detected. Any crossing event occurring in the magenta interval has to be detected (Reprinted from Automatica, Vol. 81, E. De Santis, M. D. Di Benedetto, Observability and Diagnosability of Finite State Systems: a Unifying Framework, pp. 115–122, Copyright (2017), with permission from Elsevier)

Fig. 5.2 The FSM $M$ with $\Omega=\{3\}$ is not parametrically $\Omega$-diagnosable

By definition of parametric diagnosability, the following monotonicity property holds:

Proposition 5.1 If $M$ is parametrically $\Omega$-diag with parameters $\tau$, $\delta$, $T$ and $\gamma$, then it is parametrically $\Omega$-diag with parameters $\tau'$, $\delta'$, $T'$ and $\gamma'$, where $\tau'\ge\tau$, $\delta'\ge\delta$, $T'\le T$ and $\gamma\le\gamma'\le\delta'$.

Depending on the values taken by $\tau$, $\delta$ and $T$, special instances of Definition 5.1 are obtained. Consider the following table to better explain the role of these parameters when the diagnosability property of Definition 5.1 holds:

Case (o):  $T=0$,       $\tau>0$,  $\delta\ge0$
Case (a):  $T=0$,       $\tau=0$,  $\delta\ge0$
Case (b):  $T=\infty$,  $\tau>0$,  $\delta>0$
Case (c):  $T=\infty$,  $\tau>0$,  $\delta=0$
Case (d):  $T=\infty$,  $\tau=0$,  $\delta>0$
Case (e):  $T=\infty$,  $\tau=0$,  $\delta=0$
(5.1)

Case (a) Since $T=0$, the crossing event can be detected the first time it occurs, immediately or with some delay. If $\Omega\subset Q_0$, Case (a) corresponds to $\Omega$-initial state observability, defined in Chap. 4.

Case (b) In this case, the crossing event can be detected with a maximum delay of $\delta$ steps whenever it occurs for $k\ge\tau+1$. However, since $\tau\ge1$, the event $\sigma(k)\in\Omega$, $k\in[1,\tau]$, may not be detected. In this case, parametric diagnosability is an "eventual" property.

Case (c) With respect to Case (b), in this case the crossing event can be detected without any delay, and the FSM $M$ is said to be current $\Omega$-observable. It is again an eventual property.

Case (d) The meaning is the same as in Case (b), but with $\tau=0$. In this case, the FSM $M$ is said to be critically diagnosable with respect to $\Omega$. Critical diagnosability is an "always" property.

Fig. 5.3 The FSM $M$ with $\Omega=\{2,3\}$ is parametrically $\Omega$-diag, with $T=0$, $\tau=1$, and $\delta=0$

Case (e) The meaning is the same as in Case (c), but with $\tau=0$. In this case, the FSM $M$ is said to be critically observable with respect to $\Omega$. It is again an always property.

Case (o) is the same as Case (a), but the crossing event detection is not required in a transient of finite duration $\tau$. As an example, the FSM represented in Fig. 5.3, where the critical set $\Omega$ is $\{2,3\}$, is diagnosable in the sense of Case (o): by setting $T=0$ and $\tau=2$, for all state trajectories with prefix $1-2$ the detection is not required, because $k_\sigma=2<\tau+1$. For all the trajectories with prefix $1-5$, since $k_\sigma>\tau+1$, the detection of the first crossing is required, which corresponds to the state 3 in the picture. In this example, the FSM is parametrically $\Omega$-diag with $T=0$, $\tau=2$, $\gamma=0$ and $\delta=0$.

The property corresponding to Case (o) is the least demanding compared with the other properties defined in the table, as established in the following result, which will be instrumental in the sequel.

Lemma 5.1 An FSM $M$ is parametrically $\Omega$-diag if and only if there exists $\tilde\tau>0$ such that $M$ is parametrically $\Omega$-diag with $T=0$ and $\tau=\tilde\tau$.

Proof The sufficiency is obvious. Suppose that, for any $\tilde\tau>0$, $M$ is not parametrically $\Omega$-diag with $T=0$. This means that there is in $\Omega$ a state $q$ that can be reached after an arbitrarily long execution that does not cross the critical set before reaching that state, and $q$ belonging to $\Omega$ cannot be detected with any arbitrarily long delay. The necessity follows. □

Finally, for an exhaustive analysis, in addition to the cases above, let us also consider $T$ finite and non-zero. In this last case, if $\delta$ is strictly positive, we obtain special cases of (o) or (a). The property when $T$ is finite and non-zero and $\delta=0$ corresponds to Case (c) or (e) on a finite window after the first crossing. Since Case (a) corresponds to the $\Omega$-diagnosability property already addressed in Definition 4.7, we no longer dwell on this case. We now formally define two eventual and critical properties, which correspond to Cases (b) and (c) and to Cases (d) and (e), respectively.

Definition 5.2 (Cases (b) and (c)) The FSM $M$ is eventually diagnosable with respect to a set $\Omega\subset Q$ (eventually $\Omega$-diag) if there exist $\tau$, $\gamma$ and $\delta\in\mathbb N$, with $\delta\ge\gamma$, such that for any infinite string $\sigma\in\mathcal Q$ with finite $k_\sigma$, whenever $\sigma(k)\in\Omega$ and $k\ge\max\{k_\sigma,(\tau+1)\}$, it follows that for any string $\tilde\sigma\in h^{-1}h\big(\sigma|_{[1,k+\delta]}\big)$, $\tilde\sigma(h)\in\Omega$ for some $h\in[\max\{1,k-\gamma\},k+\gamma]$. If the condition holds with $\delta=0$, $M$ is called eventually observable with respect to the set $\Omega\subset Q$ (eventually $\Omega$-obs).

Definition 5.3 (Cases (d) and (e)) The FSM $M$ is critically diagnosable with respect to a set $\Omega\subset Q$ (critically $\Omega$-diag) if there exist $\gamma$ and $\delta\in\mathbb N$, with $\delta\ge\gamma$, such that for any infinite string $\sigma\in\mathcal Q$ with finite $k_\sigma$, whenever $\sigma(k)\in\Omega$, it follows that for any string $\tilde\sigma\in h^{-1}h\big(\sigma|_{[1,k+\delta]}\big)$, $\tilde\sigma(h)\in\Omega$ for some $h\in[\max\{1,k-\gamma\},k+\gamma]$. If the condition holds with $\delta=0$, the FSM $M$ is called critically observable with respect to $\Omega\subset Q$ (critically $\Omega$-obs).

The following relationship can be established between the diagnosability properties introduced above.

Proposition 5.2 $M$ is critically $\Omega$-diag if and only if it is $\Omega$-diag and eventually $\Omega$-diag.

Proof The necessity is obvious. Sufficiency: suppose that $M$ is eventually $\Omega$-diag with parameters $\gamma'$, $\tau'$ and $\delta'$, and that it is $\Omega$-diag with parameter $\delta''$. Then $M$ is eventually $\Omega$-diag with parameters $\tau=0$, $\delta=\max\{\tau',\delta',\delta''\}$, $\gamma=\delta$, and hence it is critically $\Omega$-diag. □

We now characterize the properties in Definitions 5.1 and 5.2. The characterization of the property in Definition 5.3 will follow from Proposition 5.2 as a simple corollary.

Remark 5.1 If $Q_0=Q$ and $\tau=\delta=0$, Definition 5.2 becomes trivial since, in that case, it corresponds to an instantaneous detection of the crossing event, i.e. $h(i)\neq h(j)$ for all $i,j$ such that $i\in\Omega$ and $j\notin\Omega$. □

We end this section with two examples. The first is an FSM $M$ which is eventually $\Omega$-diag with $\tau=1$, $\delta=1$, but not with $\tau=0$ or $\delta=0$. The second shows an FSM which is eventually $\Omega$-diag with $\tau=1$, $\delta=2$, $\gamma=1$, but not with $\tau=1$, $\delta=2$ and $\gamma=0$.
Example 5.1 Let $M=(Q,Q_0,Y,h,E)$, $Q=Q_0=\{1,2,3,4,5,6\}$, $Y=\{a,b,c\}$, $h(1)=h(3)=h(5)=a$, $h(2)=h(4)=b$, $h(6)=c$, $E=\{(1,6),(2,1),(2,3),(6,2),(3,4),(4,6),(5,4),(6,5)\}$, represented in Fig. 5.4. Let $\Omega=\{3\}$. $M$ is not eventually $\Omega$-diag with $\delta=0$: in fact, for any state execution ending in state 3 there is a state execution ending in state 1 with the same output string. $M$ is not eventually $\Omega$-diag with $\tau=0$: in fact, for any state execution starting from 3 there is a state execution starting from 5 with the same output string. $M$ is eventually $\Omega$-diag with $\tau=1$, $\delta=1$ and $\gamma=0$: in fact, any finite output string ending with the string "bab" allows the detection of the crossing event and of the step at which the crossing occurred. □

Fig. 5.4 (Example 5.1) $M$ is eventually $\Omega$-diag, with $\tau=1$, $\delta=1$ and $\gamma=0$

Fig. 5.5 (Example 5.2) $M$ is eventually $\Omega$-diag, with $\tau=1$, $\delta=2$, $\gamma=1$

Example 5.2 Let $M=(Q,Q_0,Y,h,E)$, $Q=Q_0=\{1,2,3,4,5,6,7\}$, $Y=\{a,c\}$, $h(i)=a$ for $i=1,\dots,5$, $h(i)=c$ for $i=6,7$, and $E$ equal to the set $\{(1,2),(2,3),(3,6),(1,4),(4,5),(5,6),(6,6),(6,7),(7,1)\}$, represented in Fig. 5.5. Let $\Omega=\{3,4\}$. By inspection, we see that $M$ is eventually $\Omega$-diag with $\tau=1$, $\delta=2$, $\gamma=1$. $M$ is not eventually $\Omega$-diag with $\gamma=0$: in fact, it is possible to detect the crossing event, but not the step at which the crossing occurred. Note that if $Q_0\subset\{1,2,4,6,7\}$, then $M$ is eventually $\Omega$-diag with $\tau=0$, $\delta=2$, $\gamma=1$, and hence it is critically $\Omega$-diag. If $Q_0=\{3,5\}$, $M$ is not critically $\Omega$-diag, because it is not possible to establish whether the initial state was critical or not, for any $\gamma$ and for any delay. □

In the next sections, we characterize the properties introduced in Definitions 5.1, 5.2 and 5.3. We first derive necessary and sufficient conditions for each of those properties to hold. Then, some equivalent conditions are given in terms of simple set inclusions depending on the existence of some suitable parameters. The values of these parameters allow the computation of an upper bound for the delay of the diagnosis, and of a lower bound for the uncertainty radius of the diagnosis.
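The claims of Examples 5.1 and 5.2 can be checked mechanically. The Python below is an added example, not code from the book: it enumerates the state executions of an FSM up to a chosen number of steps, groups them by output string (that group is $h^{-1}h(\sigma|_{[1,k+\delta]})$ restricted to executions of that length), and tests the condition of Definition 5.2 for given $\tau$, $\delta$, $\gamma$; Definition 5.3 is the case $\tau=0$. Because the requirement for a crossing at step $k$ only involves the prefix up to $k+\delta$, checking all prefixes of length $k+\delta$ is exact for every $k$ up to the horizon, but it remains a bounded sanity check rather than the observer-free characterization derived in the following sections. The FSM data are those of Examples 5.1 and 5.2; the function and variable names are ours.

```python
"""Bounded brute-force check of Definitions 5.2 and 5.3 on the FSMs of Examples 5.1 and 5.2."""


def executions(Q0, E, length):
    """All state executions of exactly `length` states that start in Q0."""
    succ = {}
    for i, j in E:
        succ.setdefault(i, []).append(j)
    paths = [(q,) for q in sorted(Q0)]
    for _ in range(length - 1):
        paths = [p + (j,) for p in paths for j in succ.get(p[-1], ())]
    return paths


def crossing_step(sigma, Omega):
    """k_sigma: the first step (1-based) at which sigma is in Omega, or None if it never is."""
    return next((k for k, q in enumerate(sigma, 1) if q in Omega), None)


def eventually_diag(Q0, h, E, Omega, tau, delta, gamma, horizon):
    """Definition 5.2 with parameters (tau, delta, gamma), checked on every execution
    prefix of at most `horizon` states; tau = 0 is Definition 5.3.

    The requirement for a crossing at step k depends only on sigma|[1, k+delta], so it
    is enough to enumerate the prefixes of length L = k + delta and compare each one
    with the other executions that carry the same output string. Returns (True, None)
    or (False, witness), where the witness (sigma, k, sigma_tilde) has sigma(k) in Omega
    while sigma_tilde, with the same outputs, is never in Omega during
    [max(1, k-gamma), k+gamma]."""
    if delta < gamma:
        raise ValueError("Definitions 5.2 and 5.3 require delta >= gamma")
    for L in range(delta + 1, horizon + 1):
        k = L - delta
        lo, hi = max(1, k - gamma), k + gamma          # hi <= L because gamma <= delta
        by_output = {}
        for s in executions(Q0, E, L):
            by_output.setdefault("".join(h[q] for q in s), []).append(s)
        for candidates in by_output.values():
            for sigma in candidates:
                if sigma[k - 1] not in Omega or k < max(crossing_step(sigma, Omega), tau + 1):
                    continue  # no crossing at step k, or k lies in the transient [1, tau]
                for other in candidates:
                    if not any(other[i - 1] in Omega for i in range(lo, hi + 1)):
                        return False, (sigma, k, other)
    return True, None


# Example 5.1 (data from the page): Omega = {3}
Q0_1 = {1, 2, 3, 4, 5, 6}
H_1 = {1: "a", 2: "b", 3: "a", 4: "b", 5: "a", 6: "c"}
E_1 = {(1, 6), (2, 1), (2, 3), (6, 2), (3, 4), (4, 6), (5, 4), (6, 5)}
OMEGA_1 = {3}

# Example 5.2 (data from the page): Omega = {3, 4}
Q0_2 = {1, 2, 3, 4, 5, 6, 7}
H_2 = {1: "a", 2: "a", 3: "a", 4: "a", 5: "a", 6: "c", 7: "c"}
E_2 = {(1, 2), (2, 3), (3, 6), (1, 4), (4, 5), (5, 6), (6, 6), (6, 7), (7, 1)}
OMEGA_2 = {3, 4}

if __name__ == "__main__":
    cases = ((Q0_1, H_1, E_1, OMEGA_1, 1, 1, 0), (Q0_1, H_1, E_1, OMEGA_1, 1, 0, 0),
             (Q0_1, H_1, E_1, OMEGA_1, 0, 5, 5), (Q0_2, H_2, E_2, OMEGA_2, 1, 2, 1),
             (Q0_2, H_2, E_2, OMEGA_2, 1, 2, 0), ({1, 2, 4, 6, 7}, H_2, E_2, OMEGA_2, 0, 2, 1),
             ({3, 5}, H_2, E_2, OMEGA_2, 0, 5, 5))
    for args in cases:
        print("Q0 =", sorted(args[0]), "(tau, delta, gamma) =", args[4:], eventually_diag(*args, horizon=8))
```

Run as a script it reproduces the two examples: for Example 5.1, $(\tau,\delta,\gamma)=(1,1,0)$ passes, $\delta=0$ fails with the witness $(2,3)$ against $(2,1)$, and $\tau=0$ fails with an execution from 3 shadowed by one from 5; for Example 5.2, $(1,2,1)$ passes, $\gamma=0$ fails, restricting $Q_0$ to $\{1,2,4,6,7\}$ makes $(0,2,1)$ pass, and $Q_0=\{3,5\}$ fails because $3,6,6,6,\dots$ and $5,6,6,6,\dots$ share every output.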

5.1.1 The Set $\Gamma^*$

Let us introduce the set $\Gamma^*\subset B^*(S^*)\subset S^*$, which is the set of pairs $(i,j)\in\Pi$, with $i\in\Omega$ and $j\in\overline\Omega$ (or vice versa $i\in\overline\Omega$ and $j\in\Omega$), for which there exist two indistinguishable finite state trajectories of arbitrary length ending in $\{i\}$ and in $\{j\}$, respectively, both contained in $S^*$, such that the latter is contained in $\overline\Omega$ (or vice versa the former is contained in $\overline\Omega$). The formal definition is the following:

Definition 5.4 $\Gamma_k$ is the set of pairs $(i,j)\in S^*$, with $i\in\Omega$ and $j\in\overline\Omega$ (or vice versa $i\in\overline\Omega$ and $j\in\Omega$), for which there exist two indistinguishable executions $\sigma_1\in\mathcal Q^{\{i\}}$ and $\sigma_2\in\mathcal Q^{\{j\}}$, $|\sigma_1|=|\sigma_2|=k$, such that $(\sigma_1(h),\sigma_2(h))\in S^*\cap(Q\times\overline\Omega)$, $\forall h\in[1,k]$ (vice versa $(\sigma_1(h),\sigma_2(h))\in S^*\cap(\overline\Omega\times Q)$, $\forall h\in[1,k]$, respectively). $\Gamma^*$ is the set of pairs $(i,j)\in S^*$ such that $\forall k\in\mathbb N$, $\exists k'\ge k : (i,j)\in\Gamma_{k'}$.

The sets $\Gamma_k$ and $\Gamma^*$ take into account the "backward executions" of the FSM. In fact, they are subsets of $B_k(S^*)$ and of $B^*(S^*)$, respectively. Define the recursion, for $k=1,2,\dots$,
$$\Xi_{k+1}=\{(i,j)\in\Xi_k : (pre(i)\times pre(j))\cap\Xi_k\neq\emptyset\} \tag{5.2}$$
where
$$\Xi_1=(Q\times\overline\Omega)\cap S^*. \tag{5.3}$$

Proposition 5.3 Consider Eqs. (5.2) and (5.3). Then,
(i) $\Gamma_k=\big(\Xi_k\cap(\Omega\times\overline\Omega)\big)^s$;
(ii) if $\Xi_k\neq\emptyset$ $\forall k$, then the maximal fixed point $\Xi^*$ of the recursion, contained in $(Q\times\overline\Omega)\cap S^*$, is unique and non-empty. Otherwise $\exists k<|Q|^2$ such that $\Xi_k=\emptyset$ and $\Xi^*=\emptyset$;
(iii) if $\Xi^*\neq\emptyset$, the recursion reaches this maximal fixed point in $g^*<|Q|^2$ steps;
(iv) $\Gamma^*=\big(\Xi^*\cap(\Omega\times\overline\Omega)\big)^s$.

Proof The recursion defined in Eq. (5.2), except for the initialization, is identical to the recursion defined in (4.8). Therefore, $\Xi_k$ is the set of $k$-backward indistinguishable pairs $(i,j)$ for which there exist two indistinguishable state trajectories $\sigma_1\in\mathcal Q^{(i)}$ and $\sigma_2\in\mathcal Q^{(j)}$, with $|\sigma_1|=|\sigma_2|=k$, such that $\sigma_2(h)\notin\Omega$, $\forall h=1,\dots,k$. Hence, statement (i) is true by definition of $\Gamma_k$. By using the same arguments as in the proof of Proposition 4.2, the maximal fixed point $\Xi^*$ of the recursion (5.2), contained in $(Q\times\overline\Omega)\cap S^*$, is unique. However, it could be equal to the empty set. If $\Xi^*\neq\emptyset$, then again by using the same arguments as in the proof of Proposition 4.2, there exists $k<|Q|^2$ such that $\Xi_{k+1}=\Xi_k$, and hence statements (ii) and (iii) hold. If $\Xi^*=\emptyset$, then $\Xi_k=\emptyset$ for some $k<|Q|^2$, and therefore statements (ii) and (iii) hold. By definition of $\Gamma^*$, (iv) holds. □

In what follows, the parameter $g^*$ is defined as
$$g^*=\min\{g : \Gamma^*=\Gamma_g\}. \tag{5.4}$$
It is easily checked that:
$$\Gamma_1=\big((\Omega\times\overline\Omega)\cup(\overline\Omega\times\Omega)\big)\cap S^* \tag{5.5}$$
$$\Gamma_{k+1}\subset\Gamma_k\subset B_k(S^*) \tag{5.6}$$
$$\Gamma^*=\bigcap_{k\in\mathbb N}\Gamma_k\subset B^*(S^*)\subset S^*. \tag{5.7}$$

5.1.2 Characterization of Parametric Ω-Diagnosability

Consider $\tilde{S}^*$ defined as in (4.27) and the set $B^*(\tilde{S}^*) \cap \Lambda^*$. By definition of those sets, a pair of states $(i,j)$ in the set $B^*(\tilde{S}^*) \cap \Lambda^*$ is such that only one of the two states $i$ or $j$ belongs to Ω. Such $i$ and $j$ are the ending states of a pair of arbitrarily long indistinguishable state executions of the system $\tilde{M}$ (which are also executions of $M$) with initial states in $Q_0$, with one of these executions never crossing the set Ω. Moreover, $i$ and $j$ are the initial states of a pair of arbitrarily long indistinguishable state executions of the system $M$, with one of these executions never crossing the set Ω. Therefore, given these executions, however long the transient and the delay are, and however loose the required accuracy is, it will not be possible to decide whether the critical set Ω has been crossed or not. As a consequence, bearing in mind the definition of $\tilde{M}$ and the equivalence between parametric Ω-diag and parametric Ω-diag with $T = 0$ and $\tau > 0$, established in Lemma 5.1, the following necessary and sufficient condition for an FSM to be parametrically Ω-diag is obtained:

Theorem 5.1 $M$ is parametrically Ω-diag if and only if

$$B^*(\tilde{S}^*) \cap \Lambda^* = \emptyset. \qquad (5.8)$$

5.1 A Parametric Definition of Diagnosability

Proof Sufficiency: by definition of $\tilde{M}$ and of $\tilde{S}^*$, the set

$$\{ i \in \Omega : (i,j) \in B^*(\tilde{S}^*),\ i \neq j \}$$

describes the set of all states $i$ in Ω such that for any $k \geq \tilde{b}^*$ there exists a state execution $\sigma \in Q$, with finite $k_\sigma \geq k$, $\sigma(k_\sigma) = i$, but the value of the state $\sigma(k_\sigma)$ cannot be reconstructed on the basis of the output evolution up to step $k_\sigma$. If $B^*(\tilde{S}^*) = \emptyset$, then there exists $\bar{k} \geq \tilde{b}^*$ such that any execution in $Q$ is such that either $k_\sigma = \infty$ or $k_\sigma < \bar{k}$. But $B^*(\tilde{S}^*) = B_{\tilde{b}^*}(\tilde{S}^*)$, and therefore $\bar{k} = \tilde{b}^*$. Hence the condition in Definition 5.1 is satisfied with $T = 0$, $\tau = \tilde{b}^*$ and $\delta = 0$. By definition of $\Lambda^*$, if $\Lambda^* = \emptyset$ then, given a pair $(i,j) \in \Omega \times \bar{\Omega}$, any infinite state execution $\sigma \in Q^{\{j\}}$ is such that $\sigma(h) \in \Omega$ for some $h \in [1, l^*]$. Therefore, if $\Lambda^* = \emptyset$ the condition in Definition 5.1 is satisfied with $T = 0$, $\tau = 0$, $\delta = l^* - 1$, $\gamma = l^* - 1$. Finally, if $B^*(\tilde{S}^*) \cap \Lambda^* = \emptyset$, then the condition in Definition 5.1 is satisfied with $T = 0$, $\tau = \tilde{b}^*$, $\delta = l^* - 1$, $\gamma = l^* - 1$, and the proof of sufficiency is complete.
Necessity: by Definition 5.1, $M$ is parametrically Ω-diag only if it is so with $T = 0$. Suppose that $B^*(\tilde{S}^*) \cap \Lambda^* \neq \emptyset$. Then, since $\Lambda^* \subset F^*$, $B^*(\tilde{S}^*) \cap F^*$ is not a subset of $\bar{\Lambda}^*$. Hence, there exists a pair $(i,j) \in B^*(\tilde{S}^*) \cap F^*$ belonging to $\Lambda^*$. Then, by definition of $B^*(\tilde{S}^*)$ and of $\Lambda^*$, it is not possible to detect the crossing of the set Ω however long the delay is. Hence $M$ is not parametrically Ω-diag with $T = 0$. Therefore, it is not parametrically Ω-diag. □

Condition (5.8) is obviously necessary for Ω-diagnosability, eventual and critical Ω-diagnosability to hold.

5.1.3 Characterization of Eventual and Critical Ω-Diagnosability

Consider the eventual Ω-diagnosability property as defined in Definition 5.2. For simplicity, in this sub-section the sets $B^*(S^*)$ and $B_k(S^*)$ will be denoted by $B^*$ and $B_k$. A pair $(i,j)$ in the set $\Gamma^* \cap \Lambda^*$ is such that only one state of the pair belongs to Ω. The states $i$ and $j$ are the ending states of a pair of arbitrarily long indistinguishable state executions of the system $M$, with initial state in $Q_0$, such that one of these executions never crosses the set Ω, and are the initial states of a pair of arbitrarily long indistinguishable state executions of $M$, such that one of these executions never crosses the set Ω. Therefore, we can prove the following:

Theorem 5.2 The FSM $M$ is eventually Ω-diag if and only if

$$\Gamma^* \cap \Lambda^* = \emptyset. \qquad (5.9)$$


Proof Sufficiency: let $\tau = g^*$. By definition of $\Gamma^*$, if $\Gamma^* = \emptyset$ then, if for some $k \geq \tau + 1$ the execution $\sigma \in Q$ is such that $\sigma(k) \in \Omega$, any $\sigma' \in h^{-1}(h(\sigma|_{[1,k]}))$ is such that $\sigma'(h) \in \Omega$ for some $h \in [k - (g^* - 1), k]$. Hence, Definition 5.2 is satisfied with parameters $\tau = g^*$, $\gamma = g^*$ and $\delta = g^*$. By definition of $\Lambda^*$, if $\Lambda^* = \emptyset$ then, given a pair $(i,j) \in \Omega \times \bar{\Omega}$, any pair of indistinguishable state executions $\sigma'$ and $\sigma''$ starting from $i$ and $j$, respectively, are such that $\sigma''(h) \in \Omega$ for some $h \in [1, l^*]$. Therefore, $\Lambda^* = \emptyset$ implies that, if for some $k \geq \tau + 1$ the execution $\sigma \in Q$ is such that $\sigma(k) \in \Omega$, then any $\sigma' \in h^{-1}(h(\sigma|_{[1, k + \max\{f^*, l^*\} - 1]}))$ is such that $\sigma'(h) \in \Omega$ for some $h \in [k, k + (l^* - 1)]$. Hence, Definition 5.2 is satisfied with parameters $\tau = g^*$, $\gamma = l^*$ and $\delta = l^* - 1$. Finally, it is straightforward to check that if $\Gamma^* \cap \Lambda^* = \emptyset$ then, if for some $k \geq \tau + 1$, $\sigma \in Q$ is such that $\sigma(k) \in \Omega$, any $\sigma' \in h^{-1}(h(\sigma|_{[1, k + \max\{f^*, l^*\} - 1]}))$ is such that $\sigma'(h) \in \Omega$ for some $h \in [k - (g^* - 1), k + (l^* - 1)]$. Therefore, Definition 5.2 is satisfied with parameters $\tau = g^*$, $\gamma = \max\{g^*, l^*\} - 1$ and $\delta = l^* - 1$.
Necessity: suppose that $\Gamma^* \cap \Lambda^* \neq \emptyset$. Then, there exists $(i,j) \in B^* \cap F^*$ such that $(i,j) \in \Gamma^* \cap \Lambda^*$. Therefore, $(i,j) \in (\Omega \times \bar{\Omega}) \cup (\bar{\Omega} \times \Omega)$. Hence, $(i,j)$ cannot in general be distinguished, and there exist two indistinguishable infinite and left unbounded trajectories crossing $i$ and $j$, but only one of them crosses the set Ω. As a consequence, $M$ is not eventually Ω-diag and condition (5.10) is necessary. □

The following equivalent characterization of eventual Ω-diagnosability is obtained:

Corollary 5.1 $M$ is eventually Ω-diag if and only if there exist integers $b \in [1, b^*]$, $f \in [1, f^*]$, $g \in [1, g^*]$ and $l \in [1, l^*]$ such that

$$(B_b \cap F_f) \subset \overline{(\Gamma_g \cap \Lambda_l)}. \qquad (5.10)$$

Proof Necessity: if $M$ is eventually Ω-diag then $\Gamma^* \cap \Lambda^* = \emptyset$. Since $\Gamma^* = \Gamma_{g^*}$ and $\Lambda^* = \Lambda_{l^*}$, $\Gamma^* \cap \Lambda^* = \emptyset$ can be rewritten as $B_{b^*} \cap F_{f^*} \cap \Gamma_{g^*} \cap \Lambda_{l^*} = \emptyset$. This last condition is equivalent to $(B_{b^*} \cap F_{f^*}) \subset \overline{(\Gamma_{g^*} \cap \Lambda_{l^*})}$, and hence condition (5.10) holds.
Sufficiency: suppose that condition (5.10) holds. For $b \in [1, b^*]$, $f \in [1, f^*]$, $g \in [1, g^*]$ and $l \in [1, l^*]$, if $(B_b \cap F_f) \subset \overline{(\Gamma_g \cap \Lambda_l)}$ we can write

$$(B_{b^*} \cap F_{f^*}) \subset (B_b \cap F_f) \subset \overline{(\Gamma_g \cap \Lambda_l)} \subset \overline{(\Gamma_{g^*} \cap \Lambda_{l^*})}.$$

Since $\Gamma^* = \Gamma_{g^*} \subset B^* = B_{b^*}$ and $\Lambda_{l^*} = \Lambda^* \subset F^* = F_{f^*}$, then $(\Gamma^* \cap \Lambda^*) \subset \overline{(\Gamma^* \cap \Lambda^*)}$. Hence $\Gamma^* \cap \Lambda^* = \emptyset$ and the sufficiency follows from Theorem 5.2. □
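The backward recursion (5.2) and (5.3), Proposition 5.3 and Theorem 5.2 worked through in Python, as an added example that is not part of the book: the FSM, its set $S^*$ of indistinguishable pairs and its set $\Lambda^*$ are constructed sample data supplied as inputs (the book computes $S^*$ and $\Lambda^*$ in Chapter 4, which is not reproduced here), and the parameter formulas of Proposition 5.4 are included for the same data.

```python
"""Backward recursion (5.2)-(5.3), Proposition 5.3, Theorem 5.2 and
Proposition 5.4 run on a small constructed FSM (not from the book)."""


def sym(pairs):
    """Symmetric closure, the book's superscript s: add (j, i) for every (i, j)."""
    return set(pairs) | {(j, i) for (i, j) in pairs}


# Constructed sample FSM. Q is the state set, OMEGA the critical set and
# TRANSITIONS the edges i -> j. S_STAR plays the role of the book's S* (the
# indistinguishable pairs, computed in Chapter 4); here it is assumed as given
# input data, with THETA the diagonal.
Q = {1, 2, 3, 4, 5, 6, 7}
OMEGA = {3, 6}
TRANSITIONS = {(1, 2), (2, 3), (3, 3), (1, 4), (4, 5), (5, 5), (6, 7), (7, 1)}
THETA = {(i, i) for i in Q}
S_STAR = THETA | sym({(2, 4), (3, 5), (3, 7)})
# Lambda* is likewise assumed as given (forward analysis of Chapter 4):
# state 5 is a sink outside OMEGA, so (3, 5) stays indistinguishable forward.
LAMBDA_STAR = sym({(3, 5)})


def predecessors(transitions):
    """pre(i) for every state reached by some edge: the states with an edge into i."""
    pre = {}
    for i, j in transitions:
        pre.setdefault(j, set()).add(i)
    return pre


def xi_recursion(states, omega, transitions, s_star):
    """Run (5.3) and then (5.2) until Xi_{k+1} = Xi_k.

    Returns [Xi_1, ..., Xi_k, Xi_{k+1}] with the last two entries equal, so the
    last entry is the maximal fixed point Xi* of Proposition 5.3. The sets shrink
    monotonically inside a finite set, so the loop stops within |Q|^2 steps
    (Proposition 5.3 (ii)-(iii)); an empty Xi_k is a fixed point as well.
    """
    omega_bar = states - omega
    pre = predecessors(transitions)
    xi = {(i, j) for (i, j) in s_star if j in omega_bar}          # (5.3)
    seq = [xi]
    while True:
        nxt = {(i, j) for (i, j) in xi                               # (5.2)
               if any((p, r) in xi
                      for p in pre.get(i, ()) for r in pre.get(j, ()))}
        seq.append(nxt)
        if nxt == xi:
            return seq
        xi = nxt


def gamma_sets(states, omega, xi_seq):
    """Proposition 5.3 (i): Gamma_k = (Xi_k ∩ (Omega x Omega_bar))^s."""
    omega_bar = states - omega
    return [sym({(i, j) for (i, j) in xi if i in omega and j in omega_bar})
            for xi in xi_seq]


def gamma_star_and_g_star(states, omega, transitions, s_star):
    """Gamma* by Proposition 5.3 (iv) and g* by (5.4); also returns all Gamma_k."""
    xi_seq = xi_recursion(states, omega, transitions, s_star)
    gammas = gamma_sets(states, omega, xi_seq)
    gamma_star = gammas[-1]
    g_star = min(k for k, g in enumerate(gammas, start=1) if g == gamma_star)
    return gamma_star, g_star, gammas


def eventually_omega_diag(gamma_star, lambda_star):
    """Theorem 5.2: M is eventually Omega-diag iff Gamma* ∩ Lambda* is empty."""
    return not (gamma_star & lambda_star)


def diagnosis_parameters(b, f, g, l):
    """Proposition 5.4: (tau, delta, gamma) once (5.10) holds for b, f, g, l."""
    return max(b, g) - 1, max(f, l) - 1, max(g, l) - 1


if __name__ == "__main__":
    gamma_star, g_star, gammas = gamma_star_and_g_star(Q, OMEGA, TRANSITIONS, S_STAR)
    for k, g in enumerate(gammas, start=1):
        print(f"Gamma_{k} = {sorted(g)}")
    print(f"Gamma* = {sorted(gamma_star)}, g* = {g_star}")
    print("eventually Omega-diag:", eventually_omega_diag(gamma_star, LAMBDA_STAR))
```

On the sample data the pair (3, 7) drops out at $\Gamma_2$ because the only predecessor of 7 lies in Ω, while (3, 5) survives every step and also lies in the assumed $\Lambda^*$, so Theorem 5.2 reports the FSM as not eventually Ω-diag.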



We now show how condition (5.10) allows the determination of the delay in diagnosing the crossing event, of the uncertainty about the step at which the event occurred and of the duration of the transient where the diagnosis is not possible or not required. Let $\hat{\sigma}(k) \in 2^Q$ be the set already defined in (4.31), i.e. the set of discrete states at step $k - (\max\{f,l\} - 1)$ that are compatible with the observations up to step $k$, where $\hat{\sigma}(k) = \emptyset$ for $k < \max\{f,l\}$. Suppose (5.10) holds for some $b$, $f$, $g$ and $l$. Let $k$ be any $k \geq \max\{b,g\} + \max\{f,l\} - 1$ such that $\hat{\sigma}(k) \cap \Omega \neq \emptyset$. If $\hat{\sigma}(k) \subset \Omega$, then we can deduce that the set Ω was crossed at step $k' = k - (\max\{f,l\} - 1)$. Otherwise, suppose that $\hat{\sigma}(k) = \{i, j, h\}$, with only the state $i$ belonging to Ω. Then each pair $(i,j)$, $(i,h)$ and $(j,h)$ belongs to $B_b \cap F_f$. Since the inclusion (5.10) holds, each pair of state evolutions $\sigma_1$ and $\sigma_2$, compatible with the observations up to step $k$ and such that $\sigma_1(k') = i$ and $\sigma_2(k') = j$, has the property that both evolutions crossed Ω in the interval $[k' - g + 1, k']$, if $(i,j) \in \bar{\Gamma}_g$, or in the interval $[k', k' + l - 1]$, if $(i,j) \in \bar{\Lambda}_l$. Therefore at step $k'$ the actual evolution of $M$ is such that $\sigma(h) \in \Omega$ for some $h \in [k' - (g - 1), k' + l - 1]$. Hence detection occurs with a maximum delay $\delta = \max\{f,l\} - 1$, with uncertainty $\gamma = \max\{g,l\} - 1$ and with $\tau = \max\{b,g\} - 1$. Since $B_1 = S^*$, $F_1 = \Pi$ and $\Gamma_1 = \Lambda_1 = (\Omega \times \bar{\Omega}) \cup (\bar{\Omega} \times \Omega)$, if (5.10) holds in the very special case of $b = g = f = l = 1$, then $S^* \subset (\Omega \times \Omega) \cup (\bar{\Omega} \times \bar{\Omega})$, and detection occurs with a maximum delay $\delta = 0$, with uncertainty $\gamma = 0$ and with $\tau = 0$. The discussion above proves the following statement:

Proposition 5.4 If condition (5.10) holds for some integers $b$, $g$, $f$ and $l$, then $M$ is eventually Ω-diag with $\tau = \max\{b,g\} - 1$, $\delta = \max\{f,l\} - 1$, $\gamma = \max\{g,l\} - 1$.

As a consequence of Theorem 5.2, we also obtain the following characterizations of diagnosability in two interesting special cases. The first one requires no delay in the detection (Case $\delta = 0$).

Corollary 5.2 (Case $\delta = 0$) $M$ is eventually Ω-diag with $\delta = 0$ if and only if

$$B^* \subset (\Omega \times \Omega) \cup (\bar{\Omega} \times \bar{\Omega}). \qquad (5.11)$$

Proof Sufficiency: if we set $f = 1$ and $l = 1$, then $\delta = 0$. Since $F_1 = \Pi$, $B^* \subset S^* \subset \Pi$ and $\Gamma_1 = \Lambda_1 = (\Omega \times \bar{\Omega}) \cup (\bar{\Omega} \times \Omega)$, condition (5.10) with $b = b^*$ and $g = 1$ becomes $B^* \subset (\Omega \times \Omega) \cup (\bar{\Omega} \times \bar{\Omega})$, and hence $M$ is eventually Ω-diag with $\delta = 0$.
Necessity: suppose that there exists $(i,j) \in B^*$ such that $(i,j) \in \overline{(\Omega \times \Omega) \cup (\bar{\Omega} \times \bar{\Omega})} = (\Omega \times \bar{\Omega}) \cup (\bar{\Omega} \times \Omega)$. Hence for any $k$ such that $\sigma(k) = i \in \Omega$, it is not possible to decide at step $k$ whether $\sigma(k) \in \Omega$ or not. Hence $M$ is not eventually Ω-diag with $\delta = 0$. □


The second special case requires the exact detection of the step at which the crossing event occurred (Case $\gamma = 0$).

Corollary 5.3 (Case $\gamma = 0$) $M$ is eventually Ω-diag with $\gamma = 0$ if and only if condition (5.10) holds with $g = 1$ and $l = 1$, i.e. there exist $b$ and $f$ such that

$$B_b \cap F_f \subset (\Omega \times \Omega) \cup (\bar{\Omega} \times \bar{\Omega}). \qquad (5.12)$$

Proof Sufficiency: straightforward from Corollary 5.1.
Necessity: if $B^* = \emptyset$ then $M$ is eventually Ω-diag with $\gamma = 0$ and condition (5.12) holds with $b = b^*$. Otherwise, suppose that for any $b$ and $f$ there exists $(i,j) \in B_b \cap F_f$ with $(i,j) \notin (\Omega \times \Omega) \cup (\bar{\Omega} \times \bar{\Omega})$. Since $\overline{(\Omega \times \Omega) \cup (\bar{\Omega} \times \bar{\Omega})} = (\Omega \times \bar{\Omega}) \cup (\bar{\Omega} \times \Omega)$, there exists $(i,j) \in B^* \cap F^*$ such that $(i,j) \in (\Omega \times \bar{\Omega}) \cup (\bar{\Omega} \times \Omega)$. Hence, for any $\tau$ and for any $\delta$ there exists an execution such that whenever $\sigma(k) = i$, $k \geq \tau + 1$, it is not possible to deduce from the output whether $\sigma(k) \in \Omega$. Hence $M$ is not eventually Ω-diag with $\gamma = 0$. □

Finally, we characterize the properties of Definition 5.3. By Proposition 5.2 and from Eqs. (4.29) and (5.9), the following characterization of critical Ω-diagnosability is obtained:

Corollary 5.4 $M$ is critically Ω-diag if and only if

$$(\tilde{S}^* \cap \Lambda^*) \cup (\Gamma^* \cap \Lambda^*) = \emptyset. \qquad (5.13)$$

The next proposition characterizes critical Ω-observability.

Proposition 5.5 (Case $\delta = 0$ and $\tau = 0$) $M$ is critically Ω-obs if and only if

$$S^* \subset (\Omega \times \Omega) \cup (\bar{\Omega} \times \bar{\Omega}). \qquad (5.14)$$

Proof Sufficiency: since $B^* \subset S^*$, by Corollary 5.2 $M$ is eventually Ω-diag with $\delta = 0$. Since $F_f \subset S^*$, by Corollary 5.4 $M$ is eventually Ω-diag with $\tau = 0$.
Necessity: by Corollary 5.2, it is necessary that $B^* \subset (\Omega \times \Omega) \cup (\bar{\Omega} \times \bar{\Omega})$. Suppose there exists $(i,j) \in S^*$ such that $(i,j) \notin B^*$ and $(i,j) \in \overline{(\Omega \times \Omega) \cup (\bar{\Omega} \times \bar{\Omega})} = (\Omega \times \bar{\Omega}) \cup (\bar{\Omega} \times \Omega)$. Then there exist an integer $k$ and an execution $\sigma$ such that $\sigma(k) = i \in \Omega$, and it is not possible to decide at step $k$ whether $\sigma(k) \in \Omega$ or not. Hence, $M$ is not eventually Ω-diag with $\tau = 0$. □

5.1.4 Examples

The first example of this section shows a very simple case where the FSM is not parametrically Ω-diag. The property was already established before by inspection (see Fig. 5.2). Here we check the property by applying Theorem 5.1.


Example 5.3 ($M$ is not parametrically Ω-diag) Consider the FSM represented in Fig. 5.2. Let $Q_0 = \{1\}$ and $\Omega = \{3\}$. Since $B^*(\tilde{S}^*) = \{(3,4)\}^s \cup \Theta$ and $\Lambda^* = \{(3,4)\}^s$, then $B^*(\tilde{S}^*) \cap \Lambda^* = \{(3,4)\}^s$, and hence by Theorem 5.1 $M$ is not parametrically Ω-diag. □

In the second example, we consider the FSM already described in Example 5.1 and we show the effectiveness of Theorem 5.2 in checking eventual Ω-diag. By applying Theorem 4.4, we also check that $M$ is not Ω-diag. In this case, by evaluating the parameters as established in Corollary 5.1, detection can be obtained after a one-step transient, with a delay of one step and with no uncertainty on the crossing step.

Example 5.4 ($M$ is eventually Ω-diag but not Ω-diag) Consider the FSM defined in Example 5.1 and depicted in Fig. 5.4, where $Q_0 = Q$.

$$\Pi = \{(1,3), (1,5), (3,5), (2,4)\}^s \cup \Theta$$
$$S^* = \Pi$$
$$B^* = \{(1,3)\}^s \cup \Theta, \quad b^* = 2$$
$$F^* = \{(3,5)\}^s \cup \Theta, \quad f^* = 2$$
$$\Gamma^* = \{(1,3)\}^s, \quad g^* = 2$$
$$\Lambda^* = \{(3,5)\}^s, \quad l^* = 2.$$

Since $\Gamma^* \cap \Lambda^* = \emptyset$, $M$ is eventually Ω-diag with $\delta = 1$, $\tau = 1$, $\gamma = 1$. Moreover, $\tilde{S}^* = \Pi$, $\tilde{S}^* \cap \Lambda^* \neq \emptyset$, and hence $M$ is not Ω-diag. Corollary 5.1 allows a better estimation of the parameters. In fact $B^* \cap F^* = \Theta$, which is not a subset of $\Gamma_1 \cap \Lambda_1$. Therefore $M$ is eventually Ω-diag with $\delta = 1$, $\tau = 1$, $\gamma = 0$. □

The third example shows a situation similar to the one already addressed in Example 5.4, but now it is not possible to detect exactly the crossing step.

Example 5.5 ($M$ is eventually Ω-diag but not Ω-diag) Consider the FSM represented in Fig. 5.5. If $Q_0 = Q$ then

$$\Pi = \big((\{1\} \times \{2,3,4,5\}) \cup (\{2\} \times \{3,4,5\}) \cup \{(3,4), (3,5), (4,5), (6,7)\}\big)^s \cup \Theta$$
$$S^* = \Pi$$
$$B^* = F^* = \{(2,4), (3,5)\}^s \cup \Theta$$
$$\Gamma^* = \{(2,4)\}^s$$
$$\Lambda^* = \{(3,5)\}^s.$$

Therefore $\Gamma^* \cap \Lambda^* = \emptyset$ and by Theorem 5.2 $M$ is eventually Ω-diag. Moreover $f^* = b^* = 3$ and $g^* = l^* = 2$. Hence $M$ is eventually Ω-diag with $\delta = \max\{f^*, l^*\} - 1 = 2$, $\tau = \max\{b^*, g^*\} - 1 = 2$, $\gamma = \max\{g^*, l^*\} - 1 = 1$. Since $\tilde{S}^* = S^* = \Pi$ and $\tilde{S}^* \cap F^*$ is not a subset of $\bar{\Lambda}^*$, $M$ is not Ω-diag, and hence it is not critically Ω-diag. □


Fig. 5.6 (Example 5.6) M is critically Ω-diag


In the next example we consider the same FSM as in Example 5.5, but with a different set of initial states.

Example 5.6 ($M$ is critically Ω-diag) Consider the FSM represented in Fig. 5.6, where $Q_0 = \{1\}$. Then

$$S^* = \{(2,4), (3,5)\}^s \cup \Theta$$
$$\Gamma^* = \{(2,4)\}^s$$
$$\Lambda^* = \{(3,5)\}^s$$
$$\tilde{S}^* = \{(2,4)\}^s.$$

We can show that $M$ is critically Ω-diag. In fact, $\Gamma^* \cap \Lambda^* = \emptyset$, and hence by Theorem 5.2 $M$ is eventually Ω-diag. Moreover, $\tilde{S}^* \cap \Lambda^* = \emptyset$, and hence by Theorem 4.4 $M$ is Ω-diag. Then, by Proposition 5.2 it is critically Ω-diag, and therefore it is also eventually Ω-diag with $\tau = 0$. □

In the last example, the FSM $M$ is Ω-diag but not eventually Ω-diag. In this case we also show that we can decide either to have a prompt detection of the crossing event, but with some uncertainty, or to accept some delay, with the advantage of a more precise detection.

Example 5.7 ($M$ is Ω-diag but not eventually Ω-diag) Consider the FSM $M$ depicted in Fig. 5.7. Let $Q_0 = \{1\}$ and $\Omega = \{3, 6, 10\}$.


$$S^* = \{(2,6), (3,7), (4,8), (10,5)\}^s \cup \Theta$$
$$\tilde{S}^* = \{(2,6)\}^s \cup \{(1,1), (2,2), (3,3), (6,6)\}$$
$$B^* = \{(10,5)\}^s$$
$$F_1 = \Pi$$
$$F_2 = \{(2,6), (2,3), (6,7), (10,5)\}^s \cup \Theta$$
$$F_3 = \{(2,6), (10,5)\}^s \cup \Theta$$
$$F^* = F_4 = \{(10,5)\}^s \cup \Theta, \quad f^* = 4$$
$$\Lambda_1 = \{(2,6), (3,7), (10,5)\}^s$$
$$\Lambda^* = \Lambda_2 = \{(10,5)\}^s, \quad l^* = 2$$
$$\Gamma^* = \{(10,5)\}^s.$$

Since $\Gamma^* \cap \Lambda^* \neq \emptyset$, by Theorem 5.2 $M$ is not eventually Ω-diag, but, since $\tilde{S}^* \cap \Lambda^* = \emptyset$, by Theorem 4.4 it is Ω-diag. Corollary 4.1 allows the estimation of the parameters $\delta$ and $\gamma$, and hence the estimation of the delay $\delta$ and of the uncertainty radius $\gamma$, by applying the formulas $\delta = \max\{f, l\} - 1$ and $\gamma = l - 1$. The condition $\tilde{S}^* \cap F_f \subset \bar{\Lambda}_l$ in Corollary 4.1 is satisfied with different pairs of parameters $f \leq f^* = 4$ and $l \leq l^* = 2$, as illustrated in the following table, where also the corresponding values of $\delta$ and $\gamma$ are shown:

$$\begin{array}{llcll}
f = 4 & l = 2 & \rightarrow & \delta = 3 & \gamma = 1 \\
f = 4 & l = 1 & \rightarrow & \delta = 3 & \gamma = 0 \\
f = 3 & l = 2 & \rightarrow & \delta = 2 & \gamma = 1 \\
f = 2 & l = 2 & \rightarrow & \delta = 1 & \gamma = 1
\end{array} \qquad (5.15)$$

Selecting a value of $\delta$ for which the FSM is Ω-diag determines the design of the "diagnoser", i.e. of the algorithm to be used for the diagnosis. Therefore the table above offers two alternatives: either a longer delay ($\delta = 3$) with the advantage of a precise identification of the step in which the crossing occurred ($\gamma = 0$), or a quicker diagnosis ($\delta = 1$), but with uncertainty radius $\gamma = 1$. □


Fig. 5.7 FSM M (Example 5.7)


5.2 Notes and Further Reading

The formal definition and analysis of observability and diagnosability depend on the model, on the available output information, and on the objective for which state reconstruction is needed, e.g. for control purposes, for detection of critical situations, and for diagnosis of past system evolutions. In this chapter, based on [1], the definitions of observability and diagnosability are given in a general form that is parametric with respect to the delay required for the detection of a critical state, and the precision of the delay estimation. Using the proposed conditions that characterize those properties, we can check diagnosability of a critical event, such as a faulty event, and at the same time compute the delay of the diagnosis with respect to the occurrence of the event, the uncertainty about the step at which that event occurred, and the duration of a possible initial transient where the diagnosis is not possible or not required. These evaluations are useful to better understand the characteristics of the system and can be used in the implementation of the diagnoser. While in the literature on discrete event systems a transition-based model is used, we adopt a state-based approach, similarly to what was done in [7], where an online diagnosability problem for a deterministic Moore automaton with partial state observation was solved, in [6], where the focus was on the complexity reduction in the diagnoser design, and in [12], where verification of codiagnosability is performed. Because of the different formalisms used in the transition-based and state-based approaches, a comparison between the definitions given using different models is very hard to achieve without a unifying framework where the different notions can all be formulated and compared. Using the formalism illustrated in this chapter, precise relationships between some of the many diagnosability concepts that exist in the literature can be established.
For example, Case (a) analyzed in this chapter corresponds to the property given in [10], where only the detection of the condition σ (h) ∈ Ω, for some h ∈ [1, kσ + δ], is required but not the estimation of the step at which the crossing event occurs. The notion of (k1 , k2 )-detectability, as introduced in [11], can be retrieved as a special case of parametric {i}-diagnosability, ∀i ∈ Q, with parameters T = ∞, τ = k1 , δ = k2 and γ = 0. If M is current {i}-observable then the state i is always observable, as defined in [8]. If M is current {i}-observable for all i ∈ Q, then it is current location observable as in Definition 4.2. The notion of critical observability for an FSM was introduced in [3, 4], and extended in [2] to linear switching systems with minimum and maximum dwell time. Finally, in [9] the analysis of critical observability was extended to the case of networks of Finite State Machines. In [5] the predictability property discussed in Chap. 4 has been extended by defining and characterizing eventual and critical predictability properties, by means of the set-membership-based formalism already used for diagnosability properties.

References


1. De Santis E, Di Benedetto MD (2017) Observability and diagnosability of finite state systems: a unifying framework. Automatica 81:115–122
2. De Santis E, Di Benedetto MD, Di Gennaro S, D'Innocenzo A, Pola G (2006) Critical observability of a class of hybrid systems and application to air traffic management. Lecture notes in control and information sciences, vol 337. Springer, Berlin, pp 141–170
3. Di Benedetto MD, Di Gennaro S, D'Innocenzo A (2005) Critical observability and hybrid observers for error detection in air traffic management. In: Proceedings of 13th Mediterranean conference on control and automation, Limassol, Cyprus
4. Di Benedetto MD, Di Gennaro S, D'Innocenzo A (2005) Error detection within a specific time horizon and application to air traffic management. In: Proceedings of the joint 44th IEEE conference on decision and control and European control conference (CDC–ECC'05), Seville, Spain, pp 7472–7477
5. Fiore G, De Santis E, Di Benedetto MD (2018) Predictability for finite state machines: a set-membership approach. In: 2018 14th international workshop on discrete event systems (WODES), IFAC-PapersOnLine, vol 51, no 7, pp 355–360
6. Hashtrudi Zad S, Kwong RH, Wonham WM (2003) Fault diagnosis in discrete-event systems: framework and model reduction. IEEE Trans Autom Control 48(7):1199–1212
7. Lin F (1994) Diagnosability of discrete event systems and its applications. Discrete Event Dyn Syst 4(1):197–212
8. Ozveren CM, Willsky AS (1990) Observability of discrete event dynamic systems. IEEE Trans Autom Control 35(7):797–806
9. Pola G, Pezzuti D, De Santis E, Di Benedetto MD (2017) Design of decentralized critical observers for networks of finite state machines: a formal method approach. Automatica 86:174–182
10. Sampath M, Sengupta R, Lafortune S, Sinnamohideen K, Teneketzis D (1995) Diagnosability of discrete-event systems. IEEE Trans Autom Control 40(9):1555–1575
11. Shu S, Lin F (2013) Delayed detectability of discrete event systems. IEEE Trans Autom Control 58(4):862–875
12. Takai S, Ushio T (2012) Verification of codiagnosability for discrete event systems modeled by Mealy automata with nondeterministic output functions. IEEE Trans Autom Control 57(3):798–804

Chapter 6

Observability of H-Systems

Hybrid systems’ observability involves both the discrete structure and the continuous dynamics of the system, but it is not a simple extension of the same concept established for discrete state systems and for standard dynamic systems, because of the interaction between discrete and continuous components. In this chapter, we define observability for an H -system as the property of exactly reconstructing the discrete as well as the continuous current state of the system from the observed input and output information. Some examples then illustrate the given definitions and in particular how the hybrid nature of the system affects the observability properties.

6.1 Observability Definition

Before formally defining observability, we need to specify what is meant by generic subset of $\mathbb{R}^n$ and generic input $u \in U$. A set $\Psi \subset \mathbb{R}^n$ is a generic subset of $\mathbb{R}^n$ if it is dense in $\mathbb{R}^n$, i.e. if the interior of its complement is a set of measure zero in $\mathbb{R}^n$. Consider the set of piecewise-continuous functions $U$. For an input $u \in U$, we define the norm of $u$ as

$$\|u\| = \sup_{t \in \mathbb{R}} \|u(t)\| \qquad (6.1)$$

where $\|u(t)\|$ is the standard Euclidean norm¹ of the vector $u(t)$ in the space $\mathbb{R}^m$. A generic input $\tilde{u} \in U$ is any input function that belongs to a dense subset of the set $U$ equipped with the norm (6.1). Given an H-system as in Definition 2.4, under the assumptions of Sect. 2.4, we define observability as follows:

Definition 6.1 An H-system $H$ is observable if there exists a function $\hat{\xi} : Y \times U \to \Xi$ and a real $\hat{t} > 0$ such that, by setting

$$\hat{\xi}(\upsilon|_{[0,t]}, u|_{[0,t)}) = (\hat{q}(t), \hat{x}(t)),$$

for any infinite execution $\chi = (\xi_0, \tau, u, (q, x))$, with generic $u \in U$, the conditions

$$\hat{q}(t) = q(t) \qquad (6.2)$$

and

$$\hat{x}(t) = x(t) \qquad (6.3)$$

are satisfied for almost all $t \in [\hat{t}, \infty)$.

¹ Or any other norm, because of the equivalence of the norms in a finite dimensional space.

© Springer Nature Switzerland AG 2023 E. De Santis and M. D. Di Benedetto, H-Systems, Communications and Control Engineering, https://doi.org/10.1007/978-3-031-20447-0_6

The definition above applies to both unconstrained and constrained H-systems. As shown in Example 6.4, knowing the constraints can be of help in reconstructing the state of the system. Moreover, thanks to Assumptions 2.3 and 2.5, the system $H$ is non-Zeno and non-blocking, i.e. for any $\xi_0 \in \Xi_0$ there exists a state execution $\chi = (\xi_0, \tau, u, \xi)$ with infinite time duration. We now analyze Definition 6.1 in some detail. We assume here that the initial state of $H$ is not known. However, in the framework of H-systems, the problem of characterizing observability in the case of known initial hybrid state is not trivial. In fact, while for a dynamical system described by

$$\dot{x}(t) = f(x(t), u(t)), \quad y(t) = c(x(t)) \qquad (6.4)$$

the knowledge of the initial state and of the input function allows the exact computation of the current state, provided that the solution of the differential Eq. (6.4) exists and is unique, this is not the case for H-systems, where the discrete evolution is not uniquely determined given the initial discrete state. The second question that deserves some discussion is the role of the input function in Definition 6.1. Starting from any initial hybrid state with continuous component equal to zero, the control input $u(t) = 0$ for all $t \geq 0$ will always produce zero output. Hence, no LH-system is observable for any initial state and any input function. In general, some "bad input functions", related to the so-called zero dynamics of some appropriate extended system (see e.g. [2]), always make the LH-system $H$ not observable. The simple Example 6.5 in Sect. 6.2 will illustrate this fact. For a classical linear dynamical system defined by matrices $A$, $B$ and $C$, i.e.

$$\dot{x}(t) = Ax(t) + Bu(t), \quad y = Cx(t),$$

observability is independent of the input, since the input is assumed to be known, and hence the forced response of the system is known too. Therefore, observability only depends on the pair $(A, C)$, and the system is observable if and only if

$$\operatorname{rank}\begin{bmatrix} \lambda I - A \\ C \end{bmatrix} = n \qquad (6.5)$$

for any eigenvalue $\lambda$ of $A$. For a nonlinear system described by the equations

$$\dot{x}(t) = f(x(t), u(t)), \quad y = c(x(t))$$

different observability notions can be defined, depending on the role of the input (see e.g. [15]). Consider now the class of LH-systems, which are linear systems in the sense of Definition 2.4. In this case, if the input function is known, then the forced state evolution is also known when the discrete state $q(t)$ is known. For example, if the discrete output function $h$ is an isomorphism, the discrete state $q(t)$ is known for all $t \geq 0$. However, in general, the value of the current discrete state $q(t)$ cannot be deduced from the discrete output information only, but needs the knowledge of the continuous component of the output function. Hence the input function plays a role in reconstructing the current mode of the system. As a consequence, the value $q(t_k)$ is not instantaneously known at the switching time $t_k$, but $q(t)$ may be reconstructed, at least theoretically, at any $t \in (t_k, t_{k+1})$, as illustrated in the following Chap. 7. Those are the reasons why observability in Definition 6.1 is defined with respect to time belonging to a generic subset of $\mathbb{R}$, and with respect to a generic input function. Let us now focus on the minimum dwell time. For linear continuous-time systems, Definition 6.1 boils down to the classical definition of observability by setting $Q = \{q\}$, $h(q) = q$, $E = \emptyset$ and $\Delta(q) = \infty$. In this case, since the input function plays no role, we can assume that it is identically zero. If the system is observable, then it is theoretically possible to exactly reconstruct the current state at any arbitrarily small instant of time $\hat{t}$, and obviously there is no role for the minimum dwell time $\delta(q)$.
In fact, knowing the values of the time derivatives up to order $n - 1$ (where $n$ is the state-space dimension) of the output function $y$ at the initial time $t = 0$, at each $t > 0$ we can compute the exact value of the initial state, and hence also of the current state. From a practical point of view, given $\bar{t} > 0$, it is possible to determine exactly the current state at time $\bar{t}$ from the output information $y|_{[0,\bar{t})}$ using e.g. the algorithm in [6]. Consider now the case of an LH-system $H$ with unbounded maximum dwell time in each discrete state and full discrete state information, i.e. $\Delta(i) = \infty$ and $h(i) = i$, $\forall i \in Q$. Suppose that the system is not constrained to dwell in any discrete state for a finite amount of time, i.e. $\delta(i) = 0$, $\forall i \in Q$. Let $\Xi_0 = \Xi$. Then $y_d(t) = q(t)$, $\forall t \geq 0$. Suppose that the systems $S(i)$ are autonomous and described by the matrices $A_i$ and $C_i$. Since $\Delta(i) = \infty$, $\forall i \in Q$, the observability of each pair $(A_i, C_i)$ is necessary for the observability of $H$. Since full discrete state information is available, and since by Definition 2.8 any two consecutive switching times $t_k$ and $t_{k+1}$ are such that $t_{k+1} - t_k > 0$, the observability of $(A_i, C_i)$ for all $i$ in $Q$ is also sufficient for the observability of $H$. In fact, if no switching occurs, i.e. $q(t) = q(0)$, $\forall t \geq 0$, then the same reasoning as before for a single linear system applies. On the other hand, if a switching occurs at time $t_1 > 0$, then since at each $t \in (0, t_1)$ we are able to exactly


reconstruct the continuous state, and since the discrete state is known at each $t \geq 0$, the current continuous state can be determined for all $t > 0$. Even in the case of full discrete state information, in the general case of observable H-systems, the value $\hat{t}$ appearing in Definition 6.1 is finite but cannot in general be chosen arbitrarily small. As a simple example, consider the case of $Q = \{1, 2\}$, $Q_0 = Q$, $E = \{(1, 2)\}$ and $h(i) = i$, $i = 1, 2$. Suppose that the continuous output of $S(1)$ is identically zero, that $S(2)$ is observable, and that $\delta(i) = d > 0$. Then $\hat{t} = d$. In summary, it is seen from Definition 6.1 that observability requires the exact identification of the discrete state of the H-system in finite time. In Chap. 4 we analyzed the problem of determining the discrete state for a Finite State Machine, by introducing the notions of current location and critical observability. In the following Chap. 9, after having introduced the appropriate instrumental tools in Chap. 7 and in Chap. 8, we will extend the notions and results illustrated in Chap. 4 to solve the problem of reconstructing the discrete state and the continuous component of the state of an LH-system.

6.2 Illustrative Examples

Observability can be viewed as the possibility of exactly reconstructing the hybrid state for all initial hybrid states in $\Xi_0$, for almost all instants of time $t$ greater than a finite $\hat{t}$, and for almost all input functions $\tilde{u} \in U$, given that the output hybrid evolution in the interval $[0, t]$ is known. In this section, we illustrate some examples that show the relationship between observability of the H-system and observability of the systems $S(i)$, and highlight the complexity of a hybrid system observability analysis because of the role played by some of its characteristics, such as the dwell time, the graph topology or the reset.

Fig. 6.1 The system of Examples 6.1 and 6.5

Fig. 6.2 The system of Examples 6.2 and 6.3

Example 6.1 (Case of finite maximum dwell time. The observability of each system is not necessary for the observability of the LH-system) Consider an autonomous LH-system $H = (\Xi, \Xi_0, S, \Upsilon, h, E, R)$ (see Fig. 6.1) with $\Xi = \{1, 2\} \times \mathbb{R}^2$, $\Xi_0 = \Xi$. Each system $S(i)$, $i = 1, 2$, is described by the matrices $A_i$, $C_i$

$$A_1 = \begin{bmatrix} 1 & 0 \\ 0 & 1 \end{bmatrix}, \quad C_1 = \begin{bmatrix} 1 & 0 \end{bmatrix}$$
$$A_2 = \begin{bmatrix} 1 & 0 \\ 0 & 1 \end{bmatrix}, \quad C_2 = \begin{bmatrix} 0 & 1 \end{bmatrix}.$$

The only constraints are those on the switching times. Let $\delta(i) = 0$ and $\Delta(i) = \Delta \neq \infty$, $\forall i \in Q$. Suppose there is full discrete state information, i.e. $h(i) = i$; $E = \{(1, 2), (2, 1)\}$, $R_e = I$, $\forall e \in E$. The pairs $(A_i, C_i)$ are not observable. However, $H$ is observable: starting from any discrete state, at most after $\Delta$ time units a switching occurs, and both the first and the second component of the state are then observed. □

Example 6.2 (The role of the graph topology in observability) Let $H$ be an autonomous LH-system (see Fig. 6.2) with $\Xi = \{1, 2, 3\} \times \mathbb{R}^2$, $\Xi_0 = \Xi$. The systems $S(i)$, $i = 1, 2, 3$, are described by the matrices

$$A_1 = \begin{bmatrix} 1 & 0 \\ 0 & 1 \end{bmatrix}, \quad C_1 = \begin{bmatrix} 0 & 0 \end{bmatrix}$$
$$A_2 = \begin{bmatrix} 1 & 0 \\ 0 & 1 \end{bmatrix}, \quad C_2 = \begin{bmatrix} 1 & 0 \end{bmatrix}$$
$$A_3 = \begin{bmatrix} 1 & 0 \\ 0 & 1 \end{bmatrix}, \quad C_3 = \begin{bmatrix} 0 & 1 \end{bmatrix}$$

$\Upsilon = Q \times \mathbb{R}$, $h(i) = i$, $\forall i \in Q$, $E = \{(1, 2), (2, 3), (3, 2)\}$, $R_e = I$, $\forall e \in E$. Let $\delta(i) = 0$ and $\Delta(i) = \Delta$, $\forall i \in Q$. Starting from the discrete states 2 or 3, the discrete evolution remains in a cycle, and hence the continuous state is reconstructed at most after $\Delta$ time units (see Example 6.1). If the initial discrete state is 1, at most after $\Delta$ time units the state 2 is reached. Therefore, for any initial state in $Q$, at most after $2\Delta$ time units the continuous state is reconstructed, and $H$ is observable. With a different graph, for example if $E$ were $\{(1, 1), (2, 1), (2, 3), (3, 2)\}$, $H$ would not be observable, because starting from 1 the discrete state remains 1 forever, and hence, whatever the value of the reset matrix $R_{(1,1)}$ is, the continuous state cannot be reconstructed. □

6 Observability of H-Systems

[Fig. 6.3 The system of Example 6.4 (discrete states 1, 2 and 3)]

Example 6.3 (The role of the reset function in observability. Only discrete output information is available) Let H be an autonomous LH-system (see Fig. 6.2), with Ξ = {1, 2, 3} × R², Ξ0 = Ξ. The systems S(i), i = 1, 2, 3, are described by the matrices

$$A_1 = \begin{pmatrix} 1 & 2 \\ 0 & 1 \end{pmatrix}, \quad A_2 = \begin{pmatrix} 1 & 1 \\ -1 & 1 \end{pmatrix}, \quad A_3 = \begin{pmatrix} 1 & 0 \\ 0 & 3 \end{pmatrix}, \qquad C_1 = C_2 = C_3 = \begin{pmatrix} 0 & 0 \end{pmatrix},$$

Υ = Q × R, h(i) = i, i ∈ Q, E = {(1, 2), (2, 3), (3, 2)}, R_e = I for e ∈ {(1, 2), (2, 3)}, R_e = 0 for e = (3, 2), δ(i) = 0 and Δ(i) = Δ, ∀i ∈ Q. Because of the reset function, the state is equal to 0 at most after 3Δ units of time. Hence, H is observable. □

Example 6.4 (The role of the guard conditions in observability) Let H be an autonomous LH-system (see Fig. 6.3), with Ξ = {1, 2, 3} × R², Ξ0 = {1} × R². S(i) is described by the matrices Ai, Bi, Ci:

$$A_1 = \begin{pmatrix} 0 & -1 \\ 1 & 0 \end{pmatrix}, \quad A_2 = \begin{pmatrix} 1 & 0 \\ 0 & 2 \end{pmatrix}, \quad A_3 = \begin{pmatrix} 1 & 0 \\ 0 & 3 \end{pmatrix}, \qquad C_1 = \begin{pmatrix} 0 & 0 \end{pmatrix}, \quad C_2 = \begin{pmatrix} 0 & 1 \end{pmatrix}, \quad C_3 = \begin{pmatrix} 1 & 1 \end{pmatrix},$$

Υ = Q × R, h(i) = i, i ∈ Q, E = {(1, 2), (2, 3), (3, 2)}, R_e = I, ∀e ∈ E. The following guard conditions are defined:

$$G(e) = \{x \in \mathbb{R}^2 : x_1 = 0\} \ \text{ for } e = (1, 2), \qquad G(e) = \mathbb{R}^2 \ \text{ for } e \in \{(2, 3), (3, 2)\}.$$

Starting from state 1, if a switching occurs at time t1 ≤ Δ, we know that x1(t1) = 0. The value of x2(t1) is known from the output, and hence the continuous state is reconstructed for all t ≥ t1. However, H is not observable, because the guard condition G((1, 2)) only enables a transition, and hence there is no upper bound for the switching time t1. Consider now the same example, but suppose there is the following state constraint: Ξ(t) ∈ Γ, ∀t ≥ 0, where

$$\Gamma = \bigcup_{i \in Q} \{i\} \times \Gamma_i \subset Q \times \mathbb{R}^2$$

with Γ1 = {x ∈ R² : x1 = 0} and Γ2 = Γ3 = R². Given an initial continuous state x0 ∈ Γ1, a transition must occur at time t such that the vector e^{A1 t} x0 has the first component equal to 0. Therefore, since by definition of the matrix A1 there exists a finite time T such that, for any x0 ∈ Γ1, e^{A1 t} x0 has the first component equal to 0 at some time t ≤ T, H is observable. □

Example 6.5 (Observability with no discrete output information) Consider the system H (see Fig. 6.1) with Ξ = {1, 2} × R, Ξ0 = Ξ, where S(i), i = 1, 2, is described by the matrices Ai, Bi, Ci

$$A_1 = 1, \quad B_1 = 1, \quad C_1 = 1, \qquad A_2 = -1, \quad B_2 = -3, \quad C_2 = -1,$$

Υ = {ε} × R, h(i) = ε, ∀i ∈ Q, E = {(1, 2), (2, 1)}, R_e = 1, ∀e ∈ E, δ(i) = 0 and Δ(i) = ∞, ∀i = 1, 2. Suppose that no discrete output signal is available, i.e. yd(t) = ε, ∀t ≥ 0, while the continuous component of the output y(t) is available. Consider the linear system S12 defined by the equations

$$\dot z(t) = A_{12} z(t) + B_{12} u(t), \qquad y_{12}(t) = C_{12} z(t)$$

with

$$A_{12} = \begin{pmatrix} A_1 & 0 \\ 0 & A_2 \end{pmatrix} = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}, \quad B_{12} = \begin{pmatrix} B_1 \\ B_2 \end{pmatrix} = \begin{pmatrix} 1 \\ -3 \end{pmatrix}, \quad C_{12} = \begin{pmatrix} C_1 \,|\, -C_2 \end{pmatrix} = \begin{pmatrix} 1 & 1 \end{pmatrix}. \tag{6.6}$$

Given an input function u and initial hybrid states (1, x01) and (2, x02), the output of S(1) starting from (1, x01) and the output of S(2) starting from (2, x02) coincide if and only if (x01, x02)ᵀ ∈ V12, where V12 is the maximal controlled invariant subspace of R² (see [1]) for system S12 contained in ker(C12). The set V12 is the maximal subspace F ⊂ R² satisfying the following set inclusions:

$$A_{12} F \subset F + \mathrm{Im}(B_{12}), \qquad F \subset \ker C_{12}, \tag{6.7}$$

i.e.

$$\begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix} F \subset F + \mathrm{Im}\begin{pmatrix} 1 \\ -3 \end{pmatrix}, \qquad F \subset \ker \begin{pmatrix} 1 & 1 \end{pmatrix}. \tag{6.8}$$

Therefore

$$V_{12} = \ker \begin{pmatrix} 1 & 1 \end{pmatrix}.$$

Let U12 be the set of all control laws that make the subspace V12 invariant, i.e. the set of functions u such that

$$\begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix} z(t) + \begin{pmatrix} 1 \\ -3 \end{pmatrix} u(t) \in V_{12}, \qquad z(t) \in V_{12}.$$

By setting z(t) = α(t) (1, −1)ᵀ ∈ V12, u ∈ U12 if and only if ∀α(t) ∈ R there exists β(t) ∈ R such that

$$\alpha(t) \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix} \begin{pmatrix} 1 \\ -1 \end{pmatrix} + \begin{pmatrix} 1 \\ -3 \end{pmatrix} u(t) = \beta(t) \begin{pmatrix} 1 \\ -1 \end{pmatrix}.$$

Therefore

$$\begin{pmatrix} 1 \\ -3 \end{pmatrix} u(t) = \beta(t) \begin{pmatrix} 1 \\ -1 \end{pmatrix} - \alpha(t) \begin{pmatrix} 1 \\ 1 \end{pmatrix}$$

and hence u(t) = α(t), i.e. equivalently

$$u(t) = \begin{pmatrix} 1 & 0 \end{pmatrix} z(t).$$

Therefore, if x01 = −x02 and u(t) = (1 0) z(t), where z(t) is the state of the closed-loop system

$$\dot z(t) = \begin{pmatrix} 2 & 0 \\ -3 & -1 \end{pmatrix} z(t)$$

we obtain

$$y_{12}(t) = C_{12} z(t) = 0.$$

Therefore, if the initial hybrid state is (1, x01) and

$$u(t) = \begin{pmatrix} 1 & 0 \end{pmatrix} \exp\!\left(\begin{pmatrix} 2 & 0 \\ -3 & -1 \end{pmatrix} t\right) \begin{pmatrix} 1 \\ -1 \end{pmatrix} x_{01} = e^{2t} x_{01} \tag{6.9}$$

we are not able to understand whether the initial discrete state is 1 or 2. For any other control law, the two systems produce different outputs. Hence, for a generic control law, the two systems produce different outputs. Suppose now that the switching (1, 2) occurs at some time t1. Since we were able to reconstruct the value of q(t0), we know the value x(t1). Therefore, the occurrence of the switching (1, 2) at t1 can be reconstructed at any t > t1. The same is true for the transition (2, 1). Then we can conclude that the current hybrid state of H can be exactly reconstructed for almost all control laws, and hence that H is observable. □

Example 6.6 (Observability of the system in Example 2.1) In this last example, we consider the LH-system described in Example 2.1, Sect. 2.5, where now we assume that the initial state is unknown, i.e. Ξ0 = Ξ. We also assume that some information about the switching mechanism is available, in particular δ(1) = δ̂, where δ̂ > 0 is a finite known minimum dwell time. The discrete output function is invertible, and hence the discrete state is known at each time. Let t0 be the initial time instant. The linear system S(1) is observable. Therefore, if the initial discrete state is 1, at each time in the interval (t0, t0 + δ̂), i.e. before the first switching may occur, the continuous component of the state can be exactly reconstructed. Recall that the role of the guard set is to enable (and not to enforce) a transition, and hence an execution with no switchings at all is also possible, because the maximum dwell time in state 1 is unbounded. Since the discrete evolution of the state is known from the output, the continuous component of the state can be computed at each time. Suppose now that the initial state is 2. The system S(2) is not observable. Let t1 be the first switching time. Since the maximum dwell time in state 2 is bounded (i.e. Δ(2) = Δ < ∞), then t0 < t1 < t0 + Δ. At each instant t ∈ (t1, t1 + δ̂), the continuous current state can be exactly reconstructed, since S(1) is observable, and for t > t1 + δ̂ the continuous current state can be computed. Therefore, the continuous component of the state can eventually be reconstructed and the LH-system is observable. □

6.3 Notes and Further Reading

For an overview of different observability properties for particular classes of hybrid systems, the papers [3] and the survey in [12] can be of interest. We refer here only to some references on this general topic, which are more closely related to what was illustrated in this chapter.


By assuming a priori full discrete state information, the observability notion introduced in Definition 6.1 is akin to forward observability (as in [19]), determinability (as in [17, 18]) and final-state observability (as in [16]). The results on observability in [17] are stated in the framework of switched systems, i.e. systems where the discrete state evolution (q0, τ, q) can be controlled by means of a discrete input that determines the switching time and the commutation from the current discrete state to the next discrete state, or to a set of possible next states in the non-deterministic case. In this framework, the observability of a continuous state x means that starting from x there exists a discrete state evolution such that, for any continuous input function, the actual output evolution of the switched system can be distinguished from the output evolution associated with the same discrete state evolution and continuous input but with 0 initial continuous state. This notion of observability is similar to controlled observability, which, loosely speaking, is the possibility of reconstructing the state based on the output by using a suitable input (see e.g. [7, 9, 12]). In [19] forward observability is defined with respect to a given discrete state evolution (q0, τ, q). However, in the same paper the dependence on τ is relaxed. In fact, if the system is forward observable for some (q0, τ, q), then it is forward observable for (q0, τ′, q), for almost all τ′. In our setting, only the model of the system is known a priori, but the observability definition requires the exact reconstruction of both the discrete and the continuous components of the hybrid state. For the class of switched systems, the notion of generic state observability (which coincides with the determinability notion of [18]) was analyzed and characterized in [11] following a graph-theoretic approach. Observability for the class of conewise linear systems was defined and analyzed in [3, 14].

The class of linear hybrid systems with periodic jumps is considered in [13]. In this model, there is one linear dynamic system whose state is periodically reset, with known period. Therefore, it is an LH-system. The notion of observability addressed in that paper is a generalization of standard observability for linear systems. In fact, it is based on the indistinguishability between the initial state and the origin, and it can be retrieved from our Definition 6.1 when the reset matrix has full rank. Obviously, for this class of systems there is no problem in reconstructing the discrete mode nor the switching time. Also in [13], the definition of strong observability (i.e. the property of exactly reconstructing the initial state, despite the action of a disturbance) originally given in [20] is adapted to the class of linear hybrid systems with periodic jumps. In the next chapters, our analysis will mainly focus on the case of hybrid systems with linear continuous dynamics. Quite recent results for nonlinear hybrid systems can be found in the Lecture Notes [5, 10]. An interesting application to power systems control is presented in [4]. The paper [8] establishes very precise relationships between different observability notions that can be formulated for nonlinear switched systems.

References

1. Basile G, Marro G (1992) Controlled and conditioned invariants in linear system theory. Prentice Hall, Englewood Cliffs, New Jersey
2. Callier FM, Desoer CA (1991) Linear system theory. Springer, Berlin
3. Camlibel MK, Pang JS, Shen J (2006) Conewise linear systems: non-zenoness and observability. SIAM J Control Optim 45(5):1769–1800
4. Defoort M, Van Gorp J, Djemai M (2015) Multicellular converter: a benchmark for control and observation for hybrid dynamical systems. In: Djemai M, Defoort M (eds) Hybrid dynamical systems. Lecture notes in control and information sciences, vol 457. Springer, Berlin, pp 293–314
5. Djemai M, Manamanni N, Barbot JP (2015) Nonlinear observer for autonomous switching systems with jumps. In: Djemai M, Defoort M (eds) Hybrid dynamical systems. Lecture notes in control and information sciences, vol 457. Springer, Berlin, pp 103–128
6. Engel R, Kreisselmeier G (2002) A continuous-time observer which converges in finite time. IEEE Trans Autom Control 47(7):1202–1204
7. Guo Y (2018) Observability of boolean control networks using parallel extension and set reachability. IEEE Trans Neural Netw Learn Syst 29(12):6402–6408
8. Hespanha J, Liberzon D, Angeli D, Sontag ED (2005) Nonlinear norm-observability notions and stability of switched systems. IEEE Trans Autom Control 50(2):154–168
9. Liu B, Marquez H (2008) Controllability and observability for a class of controlled switching impulsive systems. IEEE Trans Autom Control 53(10):2360–2366
10. Manamanni N, Djemai M, Barbot JP (2014) On the observation analysis and observer design for a class of hybrid continuous-discrete dynamic system. In: Lecture notes in control and information sciences, vol 457. Springer, Berlin, pp 129–149
11. Martinez-Martinez S, Messai N, Hamelin F, Manamanni N, Boukhobza T (2014) Graphic approach for the determination of the existence of sequences guaranteeing observability of switched linear systems. Automatica 50:584–590
12. Petreczky M, Tanwani A, Trenn S (2015) Observability of switched linear systems. In: Djemai M, Defoort M (eds) Hybrid dynamical systems observation and control. Lecture notes in control and information sciences, vol 457. Springer, Berlin, pp 205–240
13. Ríos H, Davila J, Teel AR (2020) Linear hybrid systems with periodic jumps: a notion of strong observability and strong detectability. IEEE Trans Autom Control 65(6):2640–2646
14. Shen J (2010) Observability analysis of conewise linear systems via directional derivative and positive invariance techniques. Automatica 46:843–851
15. Sontag ED (1979) On the observability of polynomial systems, I: finite-time problems. SIAM J Control Optim 17(1):139–151
16. Sontag ED (1998) Mathematical control theory: deterministic finite dimensional systems, 2nd edn. Springer, New York
17. Sun Z, Ge SS (2005) Switched linear systems, control and design. Springer, London
18. Sun Z, Ge SS, Lee TH (2002) Controllability and reachability criteria for switched linear systems. Automatica 38(5):775–786
19. Tanwani A, Shim H, Liberzon D (2015) Observer design for switched linear systems with state jumps. In: Djemai M, Defoort M (eds) Hybrid dynamical systems. Lecture notes in control and information sciences, vol 457. Springer, Berlin, pp 179–204
20. Trentelman HL, Stoorvogel AA, Hautus M (2001) Control theory for linear systems. Springer, Berlin

Chapter 7

Continuous Dynamics Distinguishability

In this chapter, we analyze the possibility of determining the current discrete state of an LH-system by using only the continuous output information. The identification of the discrete mode of a hybrid system corresponds to understanding which continuous dynamical system is evolving. The main role in the solution to this problem is played by the notion of distinguishability of a pair of dynamical systems, i.e. the possibility of inferring, on the basis of the continuous output information, which of the two systems is indeed active. This property is characterized in terms of input-output behavior. Still using only the continuous information, we investigate the possibility of determining only the switching times, without the complete information about which discrete mode is active. Algorithmic tools are provided for the reconstruction of the current evolving system, in the continuous and discrete time domain. The analysis is extended to the case of discrete-time systems with output corrupted by external malicious attacks on sensors.

7.1 Mode Distinguishability

The identification of the discrete mode of a hybrid system corresponds to understanding which is the continuous dynamical system that is evolving. In solving this problem, the possibility of distinguishing the evolutions of dynamical systems on the basis of the measurements plays a crucial role. Many different distinguishability notions are possible, as illustrated in Sects. 7.7 and 7.8 at the end of this chapter. The most appropriate one for our purposes is the following, where distinguishability of the modes is asked for generic inputs and for all initial states. As defined in Chap. 6, a generic input u ∈ U is any input function that belongs to a dense subset of the set U equipped with the norm ‖u‖ = sup_{t∈R} ‖u(t)‖, where U is the class of piecewise-continuous functions.

© Springer Nature Switzerland AG 2023 E. De Santis and M. D. Di Benedetto, H-Systems, Communications and Control Engineering, https://doi.org/10.1007/978-3-031-20447-0_7


7 Continuous Dynamics Distinguishability

Definition 7.1 Two linear systems Si and Sj with output functions denoted by yi and yj, respectively, are input-generic distinguishable if, given an arbitrarily small t > 0, for any pair of initial states x0i and x0j, and for a generic input u ∈ U, yi|[0,t) ≠ yj|[0,t). The systems Si and Sj are called indistinguishable if they are not input-generic distinguishable.

If two systems Si and Sj are distinguishable or indistinguishable, we will also say in an equivalent way that the pair (Si, Sj) is distinguishable or indistinguishable, respectively. In this chapter, for simplicity, the term input-generic distinguishability will be shortened to distinguishability when there is no ambiguity.

Consider two systems Si and Sj described respectively by the matrices¹ Ai ∈ R^{n×n}, Bi ∈ R^{n×m}, Ci ∈ R^{p×n} and Aj ∈ R^{n×n}, Bj ∈ R^{n×m}, Cj ∈ R^{p×n}. Given the matrices Ai, Bi and Ci, let Oi(t) be defined as

$$O_i(t) = \begin{pmatrix} C_i \\ C_i A_i \\ C_i (A_i)^2 \\ \vdots \\ C_i (A_i)^{t-1} \end{pmatrix} \tag{7.1}$$

and

$$M_i(t) = \begin{pmatrix} C_i B_i & 0 & \cdots & 0 \\ C_i A_i B_i & C_i B_i & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ C_i (A_i)^{t-1} B_i & C_i (A_i)^{t-2} B_i & \cdots & C_i B_i \end{pmatrix}. \tag{7.2}$$

For t equal to the dimension of the square matrix Ai, Oi(t) is the observability matrix of system Si, denoted by Oi for simplicity. In order to characterize the input-generic distinguishability property, we consider the linear system Sij represented in Fig. 7.1 and described by the matrices

$$A_{ij} = \begin{pmatrix} A_i & 0 \\ 0 & A_j \end{pmatrix}, \qquad B_{ij} = \begin{pmatrix} B_i \\ B_j \end{pmatrix}, \qquad C_{ij} = \begin{pmatrix} C_i \,\vdots\, -C_j \end{pmatrix}. \tag{7.3}$$

¹ In our setting, the state dimension is the same for all the involved linear systems. The results on distinguishability also hold if the state dimensions of the given systems are not the same, since, as it will be seen, the necessary and sufficient conditions for distinguishability are based on the systems' input-output responses.


The observability matrix for system Sij is

$$O_{ij} = \begin{pmatrix} C_{ij} \\ C_{ij} A_{ij} \\ C_{ij} A_{ij}^2 \\ \vdots \\ C_{ij} A_{ij}^{2n-1} \end{pmatrix} \tag{7.4}$$

which is related to the corresponding matrices of systems Si and Sj by

$$O_{ij} = \begin{pmatrix} O_i(2n) \,|\, -O_j(2n) \end{pmatrix}. \tag{7.5}$$

Finally, consider the matrix associated with system Sij

$$M_{ij} = \begin{pmatrix} C_{ij} B_{ij} & 0 & \cdots & 0 \\ C_{ij} A_{ij} B_{ij} & C_{ij} B_{ij} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ C_{ij} A_{ij}^{2n-1} B_{ij} & C_{ij} A_{ij}^{2n-2} B_{ij} & \cdots & C_{ij} B_{ij} \end{pmatrix} \tag{7.6}$$

where

$$M_{ij} = M_i(2n) - M_j(2n). \tag{7.7}$$

Si and Sj have different input-output behaviors, i.e.

$$\exists k \in \{0, 1, \ldots, 2n-1\} : C_i (A_i)^k B_i \neq C_j (A_j)^k B_j, \tag{7.8}$$

if and only if

$$M_{ij} \neq 0. \tag{7.9}$$

The next theorem establishes the relation between distinguishability of Si and Sj and their input-output behaviours:

Theorem 7.1 Two linear systems Si and Sj are input-generic distinguishable if and only if

$$M_{ij} \neq 0. \tag{7.10}$$

[Fig. 7.1 System Sij: the input u(t) drives both Si and Sj, and the output is y(t) = yi(t) − yj(t)]

Proof Consider the linear system Sij, described by the matrices Aij, Bij and Cij, and let x(t) denote its state at time t.

Necessity: Mij = 0 implies that Im(Bij) ⊂ ker(Oij). Therefore, if the initial state is in ker(Oij), the output of Sij is equal to 0, ∀t ≥ 0, for all input functions. Then Si and Sj are not input-generic distinguishable.

Sufficiency: suppose that Mij ≠ 0 but there exist a pair of initial states x0i and x0j, a function ũ ∈ U and a positive real ε for which the following condition holds:

$$y_i = y_j, \quad \forall u \in U : \|u - \tilde u\| \le \varepsilon. \tag{7.11}$$

Recall that if yi = yj then x0 = (x0i, x0j)ᵀ belongs to Fij, the maximal (Aij, Bij) controlled invariant subset of ker Cij. Since Mij ≠ 0, then ker Cij is a proper subspace of R^{2n} and therefore Fij is a proper subspace of R^{2n}. Hence, starting from x0 ∈ Fij, x(t) ∈ Fij ∀t ≥ 0 if and only if ẋ(t) ∈ Fij ∀t ≥ 0. Therefore condition (7.11) implies that

$$A_{ij} x_0 + B_{ij} u(0) \in F_{ij} \quad \forall u(0) : \|u(0) - \tilde u(0)\| \le \varepsilon,$$

or equivalently

$$A_{ij} x_0 + B_{ij}\left(\tilde u(0) + \Omega\right) \subset F_{ij}$$

where Ω = {z ∈ R^m : ‖z‖ ≤ ε}. Since Fij is a subspace, then

$$\mathcal{L}\left(w + B_{ij}\,\Omega\right) \subset F_{ij}$$

where L(·) denotes the linear hull and w = Aij x0 + Bij ũ(0). Since

$$\mathrm{Im}\, B_{ij} \subset \mathcal{L}\left(w + B_{ij}\,\Omega\right)$$

then

$$\mathrm{Im}\, B_{ij} \subset F_{ij}$$

and therefore, by definition of Fij,

$$A_{ij} F_{ij} \subset F_{ij} + \mathrm{Im}\, B_{ij} = F_{ij}$$

and hence Fij is the maximal Aij-invariant subset of ker Cij, i.e. Fij = ker Oij.


This last condition implies that Mij = 0, which is a contradiction. Hence, Mij ≠ 0 implies that yi ≠ yj, for any pair of initial states x0i and x0j and for any generic input function in U. The result follows. □

As a consequence of Definition 7.1 and Theorem 7.1,

Corollary 7.1 Indistinguishability is a transitive property.

The following result derives directly from Theorem 7.1:

Proposition 7.1 Two linear systems Si and Sj are indistinguishable if and only if Im Bij ⊂ ker Oij.

A different and more intuitive characterization of indistinguishability can be obtained from Proposition 7.1:

Proposition 7.2 Two linear systems Si and Sj with output functions denoted by yi and yj, respectively, are indistinguishable if and only if there exist a pair of initial states x0i and x0j and a time t > 0 such that yi|[0,t) = yj|[0,t), for any input u ∈ U.

Proof Sufficiency is obvious. Necessity: if Mij = 0 and x0i = x0j = 0, then yi = yj for any input u ∈ U, and the result follows. □

7.2 Transition and Switching Time Detection

In this section, we investigate a weaker property than continuous dynamics distinguishability. Given an LH-system H, we suppose as in the previous section that the continuous output is available, and we want to investigate under which conditions it is possible to detect, by using only the output information, if a transition occurs between two modes of the hybrid system, i.e. if the active dynamical system switches for example from S(i) to S(j). Let us assume that the active system is S(i) = Si and a transition to system S(j) = Sj occurs. We formally state the property we want to analyze as follows:

Definition 7.2 Consider the LH-system H. A discrete transition e = (i, j) ∈ E is said to be x̄-observable, x̄ ∈ Rⁿ, if for any arbitrarily small d > 0, for any generic input function u and for any switching time tk, whenever x(tk⁻) = x̄,

$$y_i|_{[t_k, t_k + d]} \neq y_j|_{[t_k, t_k + d]} \tag{7.12}$$

where yi and yj denote the outputs of Si and Sj with initial states xi(tk) = x(tk⁻) and xj(tk) = Rij x(tk⁻), and input u. The transition (i, j) is called observable if it is x̄-observable ∀x̄ ∈ Rⁿ.

Input-generic distinguishability of two systems is necessary and sufficient for the transition between those two systems to be observable:


Proposition 7.3 Consider the LH-system H. A transition e = (i, j) ∈ E is observable if and only if the pair (Si, Sj) is input-generic distinguishable.

Proof The sufficiency is a straightforward consequence of the definition of input-generic distinguishability, which requires condition (7.12) to hold for arbitrary states xi(tk) and xj(tk). Vice versa, if Mij = 0, then Im(Bij) ⊂ ker(Oij). Then, if x(tk⁻) = 0 it is not possible to detect the transition, which is therefore not observable. □

A weaker condition holds for x̄-observability:

Proposition 7.4 Consider the LH-system H. Given a transition e = (i, j) ∈ E, suppose that the pair (Si, Sj) is indistinguishable. The transition (i, j) is x̄-observable if and only if

$$\bar x \notin \ker\left(O_i - O_j R_{ij}\right). \tag{7.13}$$

Proof If the pair (Si, Sj) is indistinguishable, then Si and Sj have the same input-output behaviour. Then, without loss of generality, we can set u(t) = 0, ∀t ∈ [tk − d, tk + d] for some d > 0. Hence, for a given d > 0, the outputs of Si and Sj starting at time tk from x̄ and Rij x̄ coincide ∀t ∈ [tk, tk + d] if and only if x̄ ∈ ker(Oi − Oj Rij). □

The next example shows that, by using the condition in Proposition 7.4, the transition can be detected even though the condition in Proposition 7.3 does not hold.

Example 7.1 Consider two autonomous linear systems Si and Sj described by the matrices

$$A_i = \begin{pmatrix} 1 & -1 \\ 0 & 1 \end{pmatrix}, \quad C_i = \begin{pmatrix} 1 & 1 \end{pmatrix}, \qquad A_j = \begin{pmatrix} 1 & 0 \\ 0 & 2 \end{pmatrix}, \quad C_j = \begin{pmatrix} 0 & -1 \end{pmatrix}.$$

Suppose there is a switching with identity reset from system Si to system Sj. It is easy to see that the pair (Si, Sj) is not input-generic distinguishable, nor distinguishable in the sense of Theorem 7.5. In fact

$$O_{ij} = \begin{pmatrix} 1 & 1 & 0 & -1 \\ 1 & 0 & 0 & -2 \\ 1 & -1 & 0 & -4 \\ 1 & -2 & 0 & -8 \end{pmatrix}$$

and rank(Oij) = 3 < 2n. A trivial computation shows that ker(Oi − Oj Rij) = {0}, and hence, by Proposition 7.4, the transition can be detected if at the switching time the continuous state is not equal to zero. □

The next proposition establishes that if the transition (i, j) is observable, then the switching time associated with the transition (i, j) can be detected even if the mode i is not known.


Proposition 7.5 Consider the LH-system H. Given a time interval (t′, t″), suppose that only one transition e = (i, j) ∈ E occurs in that interval. Let tk ∈ (t′, t″) be the associated switching time. For any generic input function, the switching time tk can be determined from the knowledge of the output function y|(t′,t″] if and only if the pair (Si, Sj) is distinguishable.

Proof Necessity follows from Proposition 7.3. Sufficiency: if the mode i has been identified from the information y|[t0,tk), then the statement is true because Proposition 7.3 holds, i.e. any continuous output evolution after the commutation cannot correspond to a state evolution of the system S(i). Otherwise, suppose that mode i has not been identified. Then there exists h such that the pair (Si, Sh) is indistinguishable. Distinguishability of the pair (Si, Sj) implies distinguishability of the pair (Sh, Sj), and the result follows. □

As a consequence of the proposition above, if the pair (Si, Sj) is not input-generic distinguishable, the possibility of detecting the switching time tk depends on the value of the continuous state at tk⁻. Moreover, from Proposition 7.4, if Oi = Oj Rij the detection of the switching time is never possible.

Remark 7.1 In the case of an LH-system with constraints, the conditions in Propositions 7.3, 7.4 and 7.5 are sufficient but in general not necessary if the guard set G(e) is a proper subset of Rⁿ (see (2.51)), since G(e) represents a restriction for the transition e to occur. □

7.3 The Case of Discrete-Time Systems

In the previous sections of this chapter, distinguishability conditions for continuous-time systems were given. The same conditions characterize distinguishability for discrete-time systems Sh, h ∈ {i, j}, described by the recursive equations

$$x(t+1) = A_h x(t) + B_h u(t), \qquad y(t) = C_h x(t). \tag{7.14}$$

In fact, we can adapt the notion of input-generic distinguishability to the discrete-time setting as in the following definition, where an input sequence u|[0;t−1] ∈ R^{mt}, t ∈ Z, is called generic if it belongs to a dense subset of the finite-dimensional space R^{mt} equipped with any norm.

Definition 7.3 Two discrete-time linear systems Si and Sj with output functions denoted by yi and yj, respectively, are input-generic distinguishable (shortly distinguishable) if there exists t ∈ Z such that, for any pair of initial states x0i and x0j and for a generic input sequence u|[0;t−1] ∈ R^{mt}, yi|[0;t] ≠ yj|[0;t]. The systems Si and Sj are called indistinguishable if they are not input-generic distinguishable.


As proved in [18], two discrete-time systems Si and Sj described by the pairs of matrices (Ai, Ci) and (Aj, Cj) are input-generic distinguishable if and only if condition (7.10) holds. Moreover, the same conditions established in Propositions 7.3 and 7.4 for continuous-time systems ensure the possibility of detecting a commutation in the case of discrete-time systems. The difference is that, while in the case of two distinguishable continuous-time systems any arbitrarily small interval of time is theoretically sufficient to discriminate which of the two systems is evolving, for discrete-time systems a finite number of steps is required to make this decision. The following proposition gives an estimate of this finite number.

Proposition 7.6 Let Si and Sj be distinguishable. Then

$$t \le \dim \ker C_{ij} - 1 \le 2n - 2.$$

Proof If Si and Sj are distinguishable, then dim ker Cij ≤ 2n − 1, and hence the inequality on the right-hand side holds. Condition (7.10) implies that Si and Sj are distinguishable if and only if there exist an input function and a finite t ∈ Z such that, for any pair of initial states x0i and x0j, yi|[0;t] ≠ yj|[0;t]. Suppose that for any input function yi|[0;t] = yj|[0;t], with t ≥ dim ker Cij. This implies that for any input function the output sequences yi|[0;t] and yj|[0;t] are the same for any t ∈ Z, and hence Si and Sj are not distinguishable. Therefore t ≤ dim ker Cij − 1. □

A discrete-time system can either follow from the discretization of a continuous-time system, or be a discrete system by its own nature. In the case of discretization, the input-generic distinguishability property is preserved. Let us first recall that if the continuous-time dynamical system Si is defined by the triple (Ai, Bi, Ci), then the corresponding discretization is defined by the triple

$$A_{i,T} = \exp(A_i T), \qquad B_{i,T} = \int_0^T \exp\left(A_i (T - \tau)\right) B_i \, d\tau, \qquad C_{i,T} = C_i$$

where T is the sampling period.

Given a pair of systems (Si, Sj), let (Si,T, Sj,T) be the corresponding discretized pair, with sampling period T. By Theorem 7.1, we have

Proposition 7.7 Given any T ∈ R⁺, the pair (Si, Sj) is input-generic distinguishable if and only if the pair (Si,T, Sj,T) is input-generic distinguishable.


Example 7.2 There are cases in which the process to be described evolves in discrete time, by its own nature. Consider for example a dynamical network made up of n nodes, where each node updates its state xi ∈ R, i = 1, ..., n, on the basis of the states of its neighbors and of other m external nodes providing an external input. We also assume to measure the state of p nodes. The network topological structure can be represented by an undirected graph G = (V, E), where V = {1, ..., n} is the set of nodes, and E is the set of edges. The collective dynamics of the network can be written as a discrete-time system, where the discrete "time" has the meaning of logical step. The recursive equations describing the system are:

$$x(t+1) = -L\, x(t) + B u(t), \qquad y(t) = C x(t) \tag{7.15}$$

where L is the Laplacian induced by the graph G = (V, E) (see [42] for more information on graphs), x ∈ Rⁿ, u ∈ R^m, y ∈ R^p. Given the nominal dynamics of the network, a node or link disconnection changes the network's topology, thus modifying the network collective dynamics. We can represent this scenario by means of an LH-system where each discrete state q ∈ Q is associated with a particular network topology. A linear dynamical system S(q) is associated with each discrete state q ∈ Q, where S(q) is described by the equations:

$$x(t+1) = -L_q\, x(t) + B_q u(t), \qquad y(t) = C x(t) \tag{7.16}$$

where the matrix C is not affected by changes in the network topology if we are able to measure the output of the same p nodes during the evolution of the system. In the case of an intermittent availability of measurements, the commutations of the discrete states depend both on changes in the network topology and on changes of the output matrix, so that in general the system S(q) would be described by the equations

$$x(t+1) = -L_q\, x(t) + B_q u(t), \qquad y(t) = C_q x(t). \tag{7.17}$$

A discrete label belonging to the discrete output set Yd may be associated with each discrete state, depending on the available information about the actual network topology. □

7.4 Identifying the Evolving Dynamical System

In this section, we focus on identifying which is the dynamical system that is actually evolving. The input function has no role in the definition of the input-generic distinguishability property. However, if we want to identify which system is evolving, the knowledge of the input is in general needed, as the following example shows.


Example 7.3 Let Si and Sj be two continuous-time linear systems described by the matrices Ai = α, Bi = 1, Ci = 1 and Aj = β, Bj = 1, Cj = 1, where α and β are some constants belonging to R. If α ≠ β, the two systems are input-generic distinguishable. In fact, a generic input function produces different output evolutions in the two systems, for any pair of initial states. Suppose that the actual system is Si and the input function u is not known. Since Ci = 1, the output evolution y coincides with the state evolution x. Therefore, for any t > 0, x|[0,t] is known. It is easy to see that for any u|[0,t) there exists v|[0,t) such that x|[0,t] is a state evolution of system Sj, with input function v. In fact, if v(t) = (α − β) x(t) + u(t), then the system Si with input u and the system Sj with input v are described by the same equations. Hence the knowledge of the input u|[0,t) is necessary to identify which of them is evolving. □

The discussion above can be formalized as follows:

Proposition 7.8 Let y|[0,t] with t > 0 be the measured output function of one of the two systems Si or Sj. If Si and Sj are input-generic distinguishable, the current evolving system can be identified on the basis of y|[0,t] if the input function u|[0,t) is known.

Proof By definition of input-generic distinguishability, given the input function u|[0,t), there exists an initial state x0 starting from which the computed evolution of the system S ∈ {Si, Sj} is equal to the measured output function y|[0,t] only if S is the actual evolving system. □

In the next subsection, we show how to determine the actual evolving dynamics by exploiting input-generic distinguishability. The current mode is identified correctly if and only if distinguishability holds, and this requires the online solution of an optimization problem. In the second subsection, only a sufficient condition is given for the identification of the current dynamics, but the procedure illustrated there, based on the so-called residual generator, is computationally less expensive.

7.4.1 Input-Generic Distinguishability Approach

Given two discrete-time systems Si and Sj, a straightforward consequence of input-generic distinguishability is the following:


Proposition 7.9 Given the pair of discrete-time systems Si, Sj, let y|[0;t] and u|[0;t−1] be the measured output sequence up to time t and the known input sequence up to time t − 1, respectively. If Si, Sj are input-generic distinguishable, then the equation

y|[0;t] = Oi(t) x0 + Mi(t) u|[0;t−1]    (7.18)

with t = 2n has a solution x0 for a generic input sequence u|[0;t−1] ∈ R^{mt} if and only if the current evolving system is Si.

Consider now the case of continuous-time systems. Let

$$ y|_{[1;2n]} = \begin{pmatrix} y(0) \\ \dot y(0) \\ \vdots \\ y^{(2n)}(0) \end{pmatrix} \qquad (7.19) $$

denote the vector of the time derivatives of the output, up to order 2n, and let

$$ u|_{[1;2n-1]} = \begin{pmatrix} u(0) \\ \dot u(0) \\ \vdots \\ u^{(2n-1)}(0) \end{pmatrix} \qquad (7.20) $$

denote the vector of the time derivatives of the input, up to order 2n − 1.

Proposition 7.10 Given the pair of input-generic distinguishable continuous-time systems Si, Sj, the equation

y|[1;2n] = Oi(2n) x0 + Mi(2n) u|[1;2n−1]    (7.21)

has a solution x0 for a generic input function u if and only if the current evolving system is Si.

Consider now the index set Q = {1, ..., N}. On the basis of the previous proposition, the following procedure determines the dynamical system that is evolving:

Proposition 7.11 Suppose that ∀(i, j) ∈ Q × Q the discrete-time systems Si and Sj are input-generic distinguishable. Let the input sequence u|[0;2n−1] and the output sequence y|[0;2n] of the current evolving system be known and let

vh = y|[0;2n] − Mh(2n) u|[0;2n−1].    (7.22)

Then

$$ \arg\min_{h \in Q}\ \min_{z \in \mathbb{R}^n} \| O_h(2n-1)\, z - v_h \| = \bar h \qquad (7.23) $$

if and only if the current evolving system in the set {Si, i ∈ Q} is Sh̄.


Proof Suppose that the current evolving system is Sh̄, h̄ ∈ Q. From Proposition 7.9, since ∀(i, j) ∈ Q × Q the discrete-time systems Si and Sj are distinguishable, ‖Oh(2n − 1) z − vh‖ = 0 if and only if h = h̄, and the result follows. □

A similar result holds for continuous-time input-generic distinguishable systems.

Proposition 7.12 Suppose that ∀(i, j) ∈ Q × Q the continuous-time systems Si and Sj are input-generic distinguishable. Let the vectors y|[1;2n] and u|[1;2n] of the current evolving system be known and let

vh = y|[0;2n] − Mh(2n) u|[0;2n−1].    (7.24)

Then

$$ \arg\min_{h \in Q}\ \min_{z \in \mathbb{R}^n} \| O_h(2n-1)\, z - v_h \| = \bar h \qquad (7.25) $$

if and only if the current evolving system in the set {Si, i ∈ Q} is Sh̄.

Proof From the proof of Proposition 7.11 above, and recalling that, for a given dynamical system Sh, y|[0;2n] = Mh(2n) u|[0;2n−1], the result follows. □

The proposition above requires the knowledge of the vector vh and hence of the time derivatives of the input and of the output functions. If this information is not available, by Proposition 7.7 we can discretize the systems and, by Proposition 7.11, identify the current evolving discretized system with a piecewise constant input function.

7.4.2 Residual Generation Approach

The approach described in the previous subsection allows the identification of the current mode in a guaranteed finite time interval, but, as Eqs. (7.23) and (7.25) show, it requires the online solution of an optimization problem. In this subsection we describe a different, more easily implementable technique, based on residual generation. When the conditions for its applicability hold, the computational effort is strongly mitigated. For this reason, the residual generation approach is preferred in industrial applications, as illustrated in Chap. 13.

For a linear system Sh, the Luenberger observer Oh (see [39]) is defined by the equation

żh(t) = (Ah − Lh Ch) zh(t) + Bh u(t) + Lh yh(t)    (7.26)

where the gain matrix Lh is a design parameter. Let us consider two systems, Si and Sj, with Ci = Cj = C, and suppose we want to identify the unknown evolving system. If we connect Si with Oh, h ∈ {i, j}, then, given the input u(t) and the output yi(t) of Si, we can define the error

eih(t) = zh(t) − xi(t)    (7.27)

and the residual

r̂ih(t) = C zh(t) − yi(t) = C eih(t).    (7.28)

Therefore

ėih(t) = (Ah − Lh C) zh(t) + Bh u(t) + Lh yi(t) − Ai xi(t) − Bi u(t).    (7.29)

Since zh(t) = eih(t) + xi(t), then

ėih(t) = (Ah − Lh C)(eih(t) + xi(t)) + (Bh − Bi) u(t) + Lh yi(t) − Ai xi(t)    (7.30)

and finally

ėih(t) = Âh eih(t) + B̂ih vi(t)    (7.31)

where

$$ \hat A_h = A_h - L_h C \in \mathbb{R}^{n \times n}, \qquad \hat B_{ih} = \bigl( (B_h - B_i) \;\vdots\; (A_h - A_i) \bigr) \in \mathbb{R}^{n \times (m+n)} $$

and

$$ v_i(t) = \begin{pmatrix} u(t) \\ x_i(t) \end{pmatrix} \in \mathbb{R}^{m+n}. $$

The following result holds:

Proposition 7.13 Let us consider two systems, Si and Sj, with Ci = Cj = C. Suppose that the current evolving system is Si and that:
– Si and Sj are observable and input-generic distinguishable;
– the matrix Âh is Hurwitz, ∀h ∈ {i, j};
– the pair (Âh, B̂ih) is controllable and the pair (Âh, C) is observable, for h = j.
Then the residual r̂ih(t) in (7.28) goes asymptotically to zero, for any initial state of the system Si and of the observer Oh and for any generic input function, if and only if h = i.

Proof Let us consider (7.31) and (7.28). The sufficiency is obvious. Suppose h ≠ i, but the residual asymptotically goes to zero. Then, because of the hypothesis of controllability and observability, if the residual goes asymptotically to zero for any initial states of Si and Oh and for generic input functions, then x(.) and u(.) go asymptotically to zero, for any initial states of Si and Oh and for generic input functions, which is obviously false. Then the result follows. □

The assumption on distinguishability is without loss of generality. In fact, if Si and Sj were not distinguishable, there would exist a pair of initial states such that, for all input functions, the output functions of the two systems would coincide. Hence, there would exist a pair of initial states of Si and of Oj such that the residual would converge to zero, for all input functions.

Given a set of dynamical systems, the result of Proposition 7.13 allows the identification of each system in the set, in the case of all pairwise input-generic distinguishable systems. Otherwise, the possibility of a correct identification depends on the initial state of the system and of the observer. The convergence of the residual is asymptotic. Hence, in order to achieve the identification in finite time, an appropriate threshold has to be defined, which could depend on the system parameters (e.g. minimum dwell time), on the gains of the Luenberger observers, on the presence of possible disturbances, etc. In the next Chap. 13, implementations of the residual generation approach are described for some applications in the automotive domain.
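The observer bank of this subsection for the scalar systems of Example 7.3, as an added example that is not part of the book: the constructed assumptions are α = −1, β = −0.5, the input signal, the observer gains L_h = A_h + 2 (so that Â_h = −2 is Hurwitz) and the detection threshold.

```python
import math

# Added example, not code from the book: forward-Euler simulation of the residual
# generation scheme of Sect. 7.4.2 for scalar systems as in Example 7.3, i.e.
# S_h: x' = a_h x + u, y = x (B_h = 1, C = 1). The a_h values are constructed.

def generic_input(t):
    """Constructed persistent input; any signal that is not identically zero would do."""
    return math.sin(t) + 0.5 * math.cos(3.0 * t)

def simulate_residuals(candidates, true_mode, x0, z0, u=generic_input, T=10.0, dt=1e-3):
    """Run the true plant S_true_mode and one Luenberger observer O_h (7.26) per candidate
    mode h, all fed with the same known input u and measured output y. The gains L_h are
    chosen so that A_h - L_h C = -2 is Hurwitz. Returns, for each h, the largest |r_h(t)|
    of the residual (7.28) over the final second of the run."""
    a_true = candidates[true_mode]
    gains = {h: a_h + 2.0 for h, a_h in candidates.items()}
    x, z = x0, {h: z0 for h in candidates}
    peaks = {h: 0.0 for h in candidates}
    for k in range(int(T / dt)):
        t = k * dt
        y, uk = x, u(t)  # C = 1: the measured output is the state itself
        for h, a_h in candidates.items():
            r = z[h] - y  # residual (7.28): C z_h(t) - y_i(t)
            if t >= T - 1.0:
                peaks[h] = max(peaks[h], abs(r))
            # observer (7.26): z_h' = (A_h - L_h C) z_h + B_h u + L_h y
            z[h] += dt * ((a_h - gains[h]) * z[h] + uk + gains[h] * y)
        x += dt * (a_true * x + uk)  # plant, advanced with the same Euler step
    return peaks

def identify_mode(candidates, true_mode, x0, z0, threshold=1e-2):
    """Proposition 7.13 in practice: the mode whose residual has settled below the
    threshold; None if no candidate or more than one candidate qualifies."""
    peaks = simulate_residuals(candidates, true_mode, x0, z0)
    settled = [h for h, v in peaks.items() if v < threshold]
    return settled[0] if len(settled) == 1 else None

if __name__ == "__main__":
    modes = {"i": -1.0, "j": -0.5}  # constructed alpha and beta of Example 7.3
    print(simulate_residuals(modes, "i", x0=2.0, z0=0.0))
    print(identify_mode(modes, "i", 2.0, 0.0), identify_mode(modes, "j", 2.0, 0.0))
```

The matched observer's error obeys e(k+1) = (1 − 2·dt) e(k) exactly under the Euler step, while the mismatched one is driven by (A_j − A_i) x(t) and stays above the threshold as long as the input keeps the state away from zero.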

7.5 Mode Distinguishability for Systems Under Attack

In this section, the case of systems subject to malicious attacks is investigated. We first define secure distinguishability. Then we solve the problem of attack detection.

7.5.1 Secure Mode Distinguishability

Given a physical process, we consider the scenario illustrated in Fig. 7.2, where sensor measurements are sent to the controller through a wireless communication network. The controller estimates the state of the system and, based on this estimate, sends the control signal to the actuators. We assume that sensor measurements may be compromised by an external malicious attacker. Since information through the communication network is available at sampling instants of time, it is appropriate to formalize the problem in a discrete-time setting. In general, the attacker may compromise the sensor nodes and affect the communication links between sensors and controller, for example by spoofing sensor measurements or launching deception attacks [57]. In this section, we consider only the case of attacks on the sensor nodes. The complete analysis can be found in [24, 26].

We suppose that the attack is not represented by a specific model, but is unbounded and affects only a small subset of sensors, i.e. the attack intensity may be unbounded but it is sparse. More precisely, an attack is said to be s-sparse when it has the ability to compromise s nodes on a set of p devices. We assume that the actual number of nodes under attack is unknown, but an upper bound is known, i.e. s ≤ s̄ < p. It is in fact reasonable to think that the attacker cannot reach the whole set of monitoring devices in a real system. We also assume that the set of attacked nodes is unknown, but fixed over time. This is compatible with the assumption that the attacker does not have arbitrary access to the whole set of devices.

Within this framework, we now formally describe the corrupted discrete-time linear dynamical system. We first introduce some notation. Given a vector x ∈ R^n, supp(x) is its support, that is the set of indexes of the non-zero elements of x; ‖x‖₀ is the cardinality of supp(x), that is the number of non-zero elements of x. The vector x ∈ R^n is said to be s-sparse if ‖x‖₀ ≤ s. The symbol S^n_s indicates the set containing all the s-sparse vectors x ∈ R^n, i.e. those with ‖x‖₀ ≤ s. The corrupted discrete-time linear dynamical system can be described as follows:

x(t + 1) = A x(t) + B u(t)    (7.32)
y(t) = C x(t) + w(t)    (7.33)

where t ∈ N, x(t) ∈ R^n is the system's state, y(t) ∈ R^p is the output signal, u(t) ∈ R^m is the input signal, and w(t) ∈ S^p_s is the s-sparse attack vector on sensor measurements. Let Kw ⊂ {1, ..., p} be the unknown set of attacked nodes, with card(Kw) ≤ s. A function f : Z → R^p is said to be cyclic s-sparse if, for a given set Γ ⊂ {1, ..., p} with |Γ| = s, f(t) ∈ S^p_s and supp(f(t)) ⊂ Γ for all t ∈ N.

Assumption 7.1 The attack function w is cyclic s-sparse (for brevity, s-sparse).

Assumption 7.1 means that we know that the set of attacked sensors has bounded cardinality (that is, |Kw| ≤ s < p), but we do not know which nodes are actually compromised. In the example of the dynamical network described by Eq. (7.16), an s-sparse attack models the situation in which the information about the state of at most s nodes could be wrong.

[Fig. 7.2: block diagram with the blocks Controller (containing Estimator and State Feedback), Plant and Communication Network; signals u(t), y(t) and x̂]

Fig. 7.2 Conceptual block diagram of the control system. Sensor measurements y(t) are exchanged by means of a communication network; x̂ indicates the estimate of the state.

[Fig. 7.3: block diagram of the augmented system; the input u drives both Si: x(t + 1) = Ai x(t) + Bi u(t), y(t) = Ci x(t), with the attack wi added to its output, and Sj: x(t + 1) = Aj x(t) + Bj u(t), y(t) = Cj x(t), with the attack wj added to its output; the output y is the difference of the two corrupted outputs]

Fig. 7.3 Attack on sensors and secure actuators: the augmented controlled linear system Sij

Let wk(t) denote the kth component of w(t) ∈ R^p, k ∈ {1, ..., p} (i.e. the component of w(t) corresponding to the kth sensor), at time t ∈ N. If k ∉ Kw, then wk(t) = 0 for all t ∈ N and the kth sensor is said to be secure (i.e. not attacked). If k ∈ Kw, then wk(t) can assume any value and this corresponds to the case where the attacker has access to the kth sensor. Obviously the attacker may choose not to compromise the actual information coming from the kth sensor, even if it has access to that sensor. Let CS^{pT}_s be the set containing all the cyclic s-sparse vectors y ∈ R^{pT}.

Definition 7.4 Two discrete-time linear systems Si and Sj are securely input-generic distinguishable for all s-sparse attacks on sensors (shortly, s-securely distinguishable) if there exists t ∈ N such that for any pair of initial states x0i and x0j and for a generic input sequence u|[0,t−1] ∈ R^{mt}, yi|[0,t] ≠ yj|[0,t], for any pair of unknown s-sparse attack vectors wi|[0,t] ∈ CS^{p(t+1)}_s and wj|[0,t] ∈ CS^{p(t+1)}_s.

Given a matrix V ∈ R^{n×m} and a set Γ ⊂ {1, ..., n}, we denote by V_Γ ∈ R^{(n−|Γ|)×m} the matrix obtained from V by removing the rows whose indexes are contained in Γ. For simplicity, for an indexed matrix Vi the matrix obtained from Vi by removing the rows whose indexes are contained in Γ is denoted V_{i,Γ}. In order to characterize the s-secure distinguishability property, we consider the augmented linear system Sij depicted in Fig. 7.3, which is described by the equations

x̂(t + 1) = Aij x̂(t) + Bij u(t)    (7.34)
y(t) = Cij x̂(t) + w(t)    (7.35)

with w(t) = wi(t) − wj(t) and where the triple (Aij, Bij, Cij) has already been defined in Eq. (7.3). Given a set Γ ⊂ {1, ..., p}, let M_{ij,Γ} ∈ R^{2n(p−|Γ|)×(2n−1)m} be the matrix as in Eq. (7.6), but obtained from the triples (Ai, Bi, C_{i,Γ}) and (Aj, Bj, C_{j,Γ}).


Theorem 7.2 Two discrete-time linear systems Si and Sj are s-securely distinguishable if and only if

2s ≤ p − 1    (7.36)

and

M_{ij,Γ} ≠ 0    (7.37)

for any set Γ, with Γ ⊂ {1, ..., p}, |Γ| ≤ 2s.

Proof Necessity: suppose that 2s ≥ p. Then there exists a pair of attacks wi and wj with supp(wi(t) − wj(t)) = {1, ..., p}. Therefore, if x0i = x0j = 0, for all input functions there exist wi|[0;t] and wj|[0;t] such that y|[0;t] = 0, for any nonnegative integer t. Hence the systems are not s-securely distinguishable. Suppose that condition (7.36) holds, but M_{ij,Γ} = 0, for some Γ ⊂ {1, ..., p}, |Γ| ≤ 2s. Let Γi ⊂ {1, ..., p} and Γj ⊂ {1, ..., p} with |Γi| ≤ s and |Γj| ≤ s be such that Γ = Γi ∪ Γj. Then there exist wi and wj with supp(wi(t)) = Γi and supp(wj(t)) = Γj. Thus wi(t) − wj(t) has support Γ. If M_{ij,Γ} = 0, then also M_{ij,Γ}(t) = 0, ∀t > n. Therefore, if x0i = x0j = 0, for all input functions there exist wi|[0;t] and wj|[0;t] such that y|[0;t] = 0, for any nonnegative integer t. Hence the systems are not s-securely distinguishable.
Sufficiency: suppose that conditions (7.36) and (7.37) hold but yi|[0;t] − yj|[0;t] = 0, for all t ∈ N, for almost all input functions, for some pair of initial states, and for a pair of attacks wi and wj, with supp(wi(t)) = Γi and supp(wj(t)) = Γj, |Γi| ≤ s and |Γj| ≤ s. Then the components of y(t) not belonging to Γ = Γi ∪ Γj are equal to zero, for all t ∈ N, for some pair of initial states and for almost all input functions. This implies that the systems described by the matrices (Ai, Bi, C_{i,Γ}) and (Aj, Bj, C_{j,Γ}) are not input-generic distinguishable. But since the condition (7.37) implies input-generic distinguishability of the above two systems, for all |Γ| ≤ 2s, by contradiction the result follows. □

The statement of the previous theorem can be simplified as follows:

Theorem 7.3 Two discrete-time linear systems Si and Sj are s-securely distinguishable if and only if 2s ≤ p − 1 and there exists k ∈ [0; n − 1] such that the matrix Cij Aij^k Bij has at most p − 2s − 1 identically zero rows.

In the following, we extend Definition 7.2 and Propositions 7.3 and 7.4 to the case of a system under attack. We thereby provide conditions to detect the occurrence of a transition between two systems by using only the (corrupted) continuous output information (the control signals are assumed to be secure). The proofs are similar to the ones illustrated in the case of no attacks on the sensors and are therefore omitted.

Definition 7.5 A discrete transition e = (i, j) ∈ E is said to be x-observable, x ∈ R^n, if there exists d ∈ N such that yi|[tk;tk+d] ≠ yj|[tk;tk+d], for any switching time tk ∈ N, for any pair of s-sparse attack vectors wi|[tk;tk+d] ∈ CS^{dp}_s and wj|[tk;tk+d] ∈ CS^{dp}_s, and for any generic input sequence u|[tk;tk+d). The transition is said to be observable if it is x-observable for any x ∈ R^n.


When considering the transition between mode i and mode j, yi|[tk,tk+d] represents the continuous output of the linear system Si with initial state xi(tk) = x(tk−), whereas yj|[tk,tk+d] represents the continuous output of the linear system Sj with initial state xj(tk) = Rij x(tk−), where x(tk−) is the continuous state before the transition takes place and Rij is the reset map.

Proposition 7.14 A discrete transition e = (i, j) ∈ E is observable if and only if the pair (Si, Sj) is s-securely distinguishable.

A weaker condition holds for a transition to be x-observable, where the pair of linear systems (Si, Sj) is not required to be distinguishable.

Proposition 7.15 A discrete transition e = (i, j) ∈ E is x-observable if and only if the following holds:

x ∉ ker(O_{i,Γ} − O_{j,Γ} Rij)    (7.38)

for any set Γ such that |Γ| ≤ 2s.

Finally, we reformulate Proposition 7.9 for systems under attacks as follows:

Proposition 7.16 Suppose that Si and Sj are s-securely distinguishable. Suppose that the actual system is Si. Then, given y|[0;t], u|[0;t−1] and Γ ⊂ {1, ..., p}, |Γ| ≤ s, either the equation

Oh(t) x0 + w|[0,t] = y|[0,t] − Mh(t) u|[0,t−1]    (7.39)

with t = 2n has no solution (x0, w|[0,t], h) ∈ R^n × CS^{2np}_s × {i, j} with supp(w(k)) ⊂ Γ, ∀k ∈ [0, t], or, if a solution exists, h = i. For t = 2n, there always exists Γ ⊂ {1, ..., p}, |Γ| ≤ s, for which Eq. (7.39) has a solution.

Proof Similarly to Proposition 7.9, the statement is a straightforward consequence of the definition of s-secure distinguishability. □

The solution of Eq. (7.39) is in general not unique. The following example shows a case in which the pair Si, Sj is s-securely distinguishable, with s = 1, but the detection of the attacked sensors is not possible.

Example 7.4 Let the discrete-time systems Si and Sj be described by the triples

$$ A_i = \begin{pmatrix} \alpha & 0 & 0 \\ 0 & \beta & 0 \\ 0 & 0 & \gamma \end{pmatrix}, \quad B_i = \begin{pmatrix} 1 \\ 1 \\ 1 \end{pmatrix}, \quad C_i = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix} $$

and

$$ A_j = \begin{pmatrix} \alpha' & 0 & 0 \\ 0 & \beta' & 0 \\ 0 & 0 & \gamma' \end{pmatrix}, \quad B_j = \begin{pmatrix} 1 \\ 1 \\ 1 \end{pmatrix}, \quad C_j = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix}. $$

Then

$$ C_{ij} = \begin{pmatrix} I & -I \end{pmatrix}, \quad A_{ij} = \begin{pmatrix} A_i & 0 \\ 0 & A_j \end{pmatrix}, \quad B_{ij} = \mathbf{1} $$

where 1 is a vector in R^6 with all the components equal to 1. Then

$$ C_{ij} A_{ij}^k B_{ij} = \bigl( A_i^k - A_j^k \bigr)\, \mathbf{1} = \begin{pmatrix} \alpha^k - \alpha'^k \\ \beta^k - \beta'^k \\ \gamma^k - \gamma'^k \end{pmatrix} $$

and, by assuming α ≠ α', β ≠ β' and γ ≠ γ', since 2s = p − 1 = 2, the conditions of Theorem 7.2 are satisfied. Therefore, the pair Si, Sj is s-securely distinguishable, with s = 1. Suppose that the current system is Si. Since the input function is known, we have to solve the following equation with unknowns x0 ∈ R^3 and wi|[0;5] ∈ CS^{18}_1:

L x0 + wi|[0;5] = yi|[0;5] − Mi u|[0;4]    (7.40)

where

$$ L = \begin{pmatrix} I_3 \\ \mathrm{diag}(\alpha, \beta, \gamma) \\ \mathrm{diag}(\alpha^2, \beta^2, \gamma^2) \\ \vdots \\ \mathrm{diag}(\alpha^5, \beta^5, \gamma^5) \end{pmatrix}. $$

In our example Γ ∈ {{1}, {2}, {3}}, and it is easy to verify that for any initial state x0 and for any Γ, there exist values of the actual attack wi, with support Γ, such that an initial state x0', x0' ≠ x0, is a solution of Eq. (7.40) with an attack wi'|[0,5] having all zero components. □

7.5.2 Attack Detection

In this section, we suppose that the problem of secure mode estimation has been solved, and we face the problem of detecting the attack, i.e. determining which sensors have an output that is compromised by an external action. In Example 7.4, the pairs (Ai, Ci) and (Aj, Cj) are both observable, but this property is not sufficient for attack detection. In fact, we will prove that the attacked sensors can be detected if and only if the actual system is s-securely observable, according to the following definition:

Definition 7.6 A system is s-securely observable if there exists t ∈ N such that for any w|[0;t] ∈ CS^{tp}_s the initial state x0 can be uniquely reconstructed from y|[0;t].


By the definition above, a system can be s-securely observable only if it is observable, because 0 ∈ CS^{tp}_s. Let the system S be described by the triple (A, B, C). Let O be the observability matrix obtained from the pair (A, C).

Proposition 7.17 An observable system S is s-securely observable if and only if rank O_Γ = n, ∀Γ ⊂ {1, ..., p}, |Γ| = 2s.

Proof Necessity: if rank O_Γ < n for some Γ ⊂ {1, ..., p} with |Γ| = 2s, then there exist z ∈ R^n, z ≠ 0, and w ∈ CS^{np}_{2s} such that O z = w, where w ≠ 0 because S is observable. Therefore there exist w'|[0,n], w''|[0,n] ∈ CS^{np}_s such that O z = w'|[0;n] − w''|[0;n], because w'|[0;n−1] − w''|[0;n−1] ∈ CS^{np}_{2s}. This implies that ∃x', x'' ∈ R^n, x' ≠ x'', such that z = x'' − x'. Hence O x' + w'|[0;n] = O x'' + w''|[0;n] = y|[0;n]. By the Cayley–Hamilton Theorem, the above equation holds also for a number of observations greater than n. Therefore, the system is not s-securely observable.
Sufficiency: let us consider the equation O x0 + w|[0;n] = y|[0;n]. Given Γ, let G_Γ be the matrix such that G_Γ O = O_Γ. If rank O_Γ = n, ∀Γ ⊂ {1, ..., p} with |Γ| = 2s, then, since rank O_Γ = n, either the equation

G_Γ O x0 = G_Γ y|[0;n]    (7.41)

has a unique solution x0, or has no solutions. Since there exists Γ ⊂ {1, ..., p}, with |Γ| = 2s, such that G_Γ w|[0;n] = 0, then for that Γ Eq. (7.41) has a solution, and the result follows. □

The next corollary evaluates the parameter t in Definition 7.6.

Corollary 7.2 If S is s-securely observable, then t = n.

Proof See the necessity part of the proof of Proposition 7.17. □

The next statement shows that s-secure observability is a necessary and sufficient condition for the detection of attacked sensors, if any.

Corollary 7.3 Let w|[0;t] ∈ CS^{tp}_s, t ≥ n, be an unknown nonzero attack. Then w|[0;t] can be univocally computed, given y|[0;t], if and only if the system is s-securely observable.


Proof Sufficiency: if a system is s-securely observable, then the attack can be reconstructed at any t ≥ n because, if the initial state and input function are known, the vector w|[0;t] can be easily computed. Necessity: straightforward from the proof of necessity of Proposition 7.17 above. □

Finally, we can state the following:

Proposition 7.18 Suppose that S is s-securely observable. Then, given y|[0,t], u|[0,t−1] and Γ ⊂ {1, ..., p}, |Γ| ≤ s, either the equation

O(t) x0 + w|[0,t] = y|[0,t] − M(t) u|[0,t−1]    (7.42)

with t ≥ n has no solution (x0, w|[0,t]) ∈ R^n × CS^{(t+1)p}_s with supp(w(k)) ⊂ Γ, ∀k ∈ [0; t], or, if a solution exists, it is unique. For t ≥ n, there exists Γ ⊂ {1, ..., p}, |Γ| ≤ s, for which Eq. (7.42) has a solution.

The statement of the proposition above means that the solution of Eq. (7.42) allows discovering the attacked sensors and the value of the attack vector, after having collected input and output information up to step n − 1 and n, respectively. Moreover, it says that for all t ≥ n the solution of the equation exists for some support Γ. Even when there is no attack, the solution of (7.42) returns the null vector w|[0,t], which is an element of CS^{(t+1)p}_s.

In monitoring the system, rather than solving Eq. (7.42), whose dimension increases step by step, we can equivalently solve at each step the equation

O x(t − n) + w|[t−n,t] = y|[t−n,t] − M u|[t−n,t−1]    (7.43)

with (x(t − n), w|[t−n,t]) ∈ R^n × CS^{(t+1)p}_s. Finally, solving Eq. (7.43) is equivalent to solving the optimization problem

$$ \arg\min_{z \in \mathbb{R}^n \times CS^{(n+1)p}_s} \bigl\| \begin{pmatrix} O & I \end{pmatrix} z - v \bigr\| \qquad (7.44) $$

where v = y|[0;n] − M u|[0;n−1] and I is the identity matrix of suitable dimension. The symbol ‖.‖ denotes any norm in the finite-dimensional space R^{np}. The set R^n × CS^{(n+1)p}_s is nonconvex, and the combinatorial nature of the problem is evident. However, some sufficient conditions allow mitigating the computational effort by applying results derived from compressed sensing techniques. References are provided in the last section of this chapter. Similarly, determining an index in {i, j} such that Eq. (7.39) has a solution is equivalent to solving the optimization problem

$$ \arg\min_{h \in \{i, j\}}\ \min_{z \in \mathbb{R}^n \times CS^{2np}_s} \bigl\| \begin{pmatrix} O_h & I \end{pmatrix} z - v_h \bigr\| \qquad (7.45) $$

where vh = y|[0;2n] − Mh(2n) u|[0;2n−1].
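The exhaustive search behind Eq. (7.45) (with Γ = ∅ it reduces to Proposition 7.11), together with the rank test of Proposition 7.17, as an added example that is not code from the book: it uses the structure of Example 7.4 with constructed numerical values, 0-based sensor indices, and an assumed redundant single-state system as a contrast case.

```python
from fractions import Fraction as F
from itertools import combinations

# Added example, not code from the book. Exact rational arithmetic keeps the rank and
# consistency tests free of floating-point round-off. Sensor indices are 0-based here.

def rank(rows):
    """Rank of a matrix given as a list of rows of Fractions (Gaussian elimination)."""
    m, rk = [r[:] for r in rows], 0
    for c in range(len(m[0]) if m else 0):
        piv = next((r for r in range(rk, len(m)) if m[r][c] != 0), None)
        if piv is None:
            continue
        m[rk], m[piv] = m[piv], m[rk]
        for r in range(len(m)):
            if r != rk and m[r][c] != 0:
                f = m[r][c] / m[rk][c]
                m[r] = [a - f * b for a, b in zip(m[r], m[rk])]
        rk += 1
    return rk

def matvec(M, v):
    return [sum(a * b for a, b in zip(row, v)) for row in M]

def matmul(M, N):
    return [[sum(M[r][k] * N[k][c] for k in range(len(N))) for c in range(len(N[0]))]
            for r in range(len(M))]

def simulate(A, B, C, x0, u_seq):
    """Attack-free outputs y(0), ..., y(t) of x(k+1) = A x(k) + B u(k), y(k) = C x(k)
    (single input, B a column) driven by the t inputs in u_seq."""
    x, ys = x0[:], []
    for u in u_seq:
        ys.append(matvec(C, x))
        x = [a + b * u for a, b in zip(matvec(A, x), B)]
    return ys + [matvec(C, x)]

def stacked_observability(A, C, t):
    """O(t) = [C; CA; ...; CA^t] as a flat list of rows: with p sensors, row r is the
    reading of sensor r % p at time r // p."""
    rows, CAk = [], [r[:] for r in C]
    for _ in range(t + 1):
        rows.extend(CAk)
        CAk = matmul(CAk, A)
    return rows

def consistent_supports(systems, y_meas, u_seq, s):
    """Exhaustive form of Eq. (7.45): every (mode h, support Γ), |Γ| <= s, for which
    O_h(t) x0 + w = y - M_h(t) u has a solution with supp(w(k)) ⊂ Γ for all k, i.e. for
    which the rows of the stacked equation outside Γ are consistent (Γ = ∅ is Prop. 7.11)."""
    t, p, found = len(u_seq), len(y_meas[0]), []
    for h, (A, B, C) in systems.items():
        # v_h = y - M_h(t) u: subtract the forced response of S_h started from x0 = 0
        forced = simulate(A, B, C, [F(0)] * len(A), u_seq)
        v = [yk - fk for yt, ft in zip(y_meas, forced) for yk, fk in zip(yt, ft)]
        O = stacked_observability(A, C, t)
        for size in range(s + 1):
            for gamma in combinations(range(p), size):
                keep = [r for r in range(len(O)) if r % p not in gamma]
                if rank([O[r] for r in keep]) == rank([O[r] + [v[r]] for r in keep]):
                    found.append((h, set(gamma)))
    return found

def s_securely_observable(A, C, s):
    """Proposition 7.17: rank O_Γ = n for every Γ with |Γ| = 2s, O built from (A, C)."""
    n, p = len(A), len(C)
    O = stacked_observability(A, C, n - 1)
    return all(rank([O[r] for r in range(len(O)) if r % p not in gamma]) == n
               for gamma in combinations(range(p), 2 * s))

def diag(*d):
    return [[F(d[r]) if r == c else F(0) for c in range(len(d))] for r in range(len(d))]

# Example 7.4 with constructed values: A_i = diag(2,3,5), A_j = diag(-2,-3,7), B = 1, C = I,
# so n = p = 3 and, for s = 1, 2s = p - 1; Theorem 7.3 holds at k = 1 since A_i - A_j has
# no zero row.
I3 = diag(1, 1, 1)
SYSTEMS = {"i": (diag(2, 3, 5), [F(1)] * 3, I3), "j": (diag(-2, -3, 7), [F(1)] * 3, I3)}
U = [1, -1, 2, 0, 1, 3]  # constructed generic input, t = 2n = 6
X0 = [1, 2, 3]
# Constructed contrast case (not from the text): one state read by three redundant sensors.
REDUNDANT = ([[F(2)]], [F(1)], [[F(1)], [F(1)], [F(1)]])

def run_scenario(attack, true_mode="i", systems=SYSTEMS, x0=X0, u_seq=U, s=1):
    """Measured output = output of S_true_mode plus attack(k), a list of p values."""
    clean = simulate(*systems[true_mode], [F(v) for v in x0], [F(v) for v in u_seq])
    y = [[yk + F(wk) for yk, wk in zip(yt, attack(k))] for k, yt in enumerate(clean)]
    return consistent_supports(systems, y, u_seq, s)

if __name__ == "__main__":
    print(run_scenario(lambda k: [0, 10, 0]))          # constant spoof of sensor 1
    print(run_scenario(lambda k: [0, 4 * 3 ** k, 0]))  # spoof mimicking another x0
    print(s_securely_observable(SYSTEMS["i"][0], I3, 1),
          s_securely_observable(REDUNDANT[0], REDUNDANT[2], 1))
```

For the constant spoof the search returns a single (mode, support) pair, whereas for the spoof that mimics a different initial state every support with |Γ| ≤ 1 is consistent, which is the non-uniqueness of Example 7.4; the redundant system is 1-securely observable and its attacked sensor is found uniquely.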

7.6 Identifying the Evolving Dynamical System with Unknown Input

To identify which of the two systems of a pair of input-generic distinguishable systems is the current evolving one, Proposition 7.8 makes use of the knowledge of the input function. If the input is not known, input-generic distinguishability is not sufficient for identifying the active system, as the following example shows.

Example 7.5 Let Si and Sj be two continuous-time systems described by the matrices Ai = α, Bi = 1, Ci = 1 and Aj = β, Bj = 0, Cj = 1, respectively. The two systems are input-generic distinguishable. Suppose that the current evolving system is Si and the input function u is not known. Then, given y|[0,t], the system Si can be correctly identified, for any generic unknown input u and for any values of α and β. However, if the actual system is Sj, given y|[0,t], we are not able to decide whether this output has been generated by system Sj or by system Si with input u(t) = (β − α) x(t). □

The example above shows that even if the pair of systems is input-generic distinguishable, Si could be identifiable while Sj cannot be, or vice versa. We therefore introduce the following stronger definition:

Definition 7.7 Two linear systems Si and Sj with input functions denoted by ui and uj, respectively, and with output functions denoted by yi and yj, respectively, are strongly input-generic distinguishable (shortly, strongly distinguishable) if, given an arbitrarily small t > 0, for any pair of initial states x0i and x0j the following conditions hold:
(i) for any generic input ui ∈ U, yi|[0,t) ≠ yj|[0,t) for any input uj ∈ U;
(ii) for any generic input uj ∈ U, yi|[0,t) ≠ yj|[0,t) for any input ui ∈ U.

The next example shows a case of strongly input-generic distinguishable systems.


Example 7.6 Let Si and Sj be two continuous-time systems described by the matrices

$$ A_i = \begin{pmatrix} \alpha & 0 \\ 0 & 0 \end{pmatrix}, \quad B_i = \begin{pmatrix} 1 \\ 0 \end{pmatrix}, \quad C_i = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} $$

and

$$ A_j = \begin{pmatrix} 0 & 0 \\ 0 & \alpha \end{pmatrix}, \quad B_j = \begin{pmatrix} 0 \\ 1 \end{pmatrix}, \quad C_j = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} $$

respectively. Suppose that the evolving system is Si. The second component of the state is constant over time, while the first component is constant only with u(t) = −α x1(t). Therefore for a generic input the system Si can be identified. Similarly, for a generic input the system Sj can be identified, and hence Si and Sj are strongly input-generic distinguishable. □

If the input is not known, then we have to consider the system S̃ij described by the matrices

$$ \tilde A_{ij} = \begin{pmatrix} A_i & 0 \\ 0 & A_j \end{pmatrix}, \quad \tilde B_{ij} = \begin{pmatrix} B_i & 0 \\ 0 & B_j \end{pmatrix}, \quad \tilde C_{ij} = \begin{pmatrix} C_i & \vdots & -C_j \end{pmatrix} \qquad (7.46) $$

i.e. Ãij = Aij and C̃ij = Cij, with Aij and Cij as in Eq. (7.3). Let F̃^i_ij and F̃^j_ij be the maximal subsets of ker C̃ij such that

Ãij F̃^i_ij + Im B̃i ⊂ F̃^i_ij + Im B̃j

and

Ãij F̃^j_ij + Im B̃j ⊂ F̃^j_ij + Im B̃i

where

$$ \tilde B_i = \begin{pmatrix} B_i \\ 0 \end{pmatrix}, \quad \tilde B_j = \begin{pmatrix} 0 \\ B_j \end{pmatrix}. $$

Then the following result holds:

Theorem 7.4 Si and Sj are strongly input-generic distinguishable if and only if F̃^i_ij = F̃^j_ij = ∅.

Proof The necessity is obvious. Let us prove the sufficiency. Let us prove that F̃^i_ij = ∅ implies condition (i) in Definition 7.7. Suppose that F̃^i_ij = ∅, and by contradiction that condition (i) in Definition 7.7 is not satisfied, i.e. there exists an initial state x̃(0) = x̃0 of S̃ij, an input function ui ∈ U and two reals t > 0 and ε > 0 such that

∀u : ‖u − ui‖ ≤ ε, ∃uj ∈ U : yi|[0,t] = yj|[0,t].    (7.47)

Let F be the set of all initial states x̃0 for which the condition above holds. Since this condition has to hold also at the initial time, then F ⊂ ker C̃ij.


By recalling (6.1), condition (7.47) implies that ∀x̃ ∈ F there exists ũ ∈ R^m such that

Ãij x̃ + B̃i ũ + ε B̃i B ⊂ F + Im B̃j    (7.48)

where B is the set of u ∈ R^m for which ‖u‖ ≤ 1. Condition (7.48) implies that

Ãij x̃ + B̃i ũ + ε B̃i B ⊂ L(F) + Im B̃j    (7.49)

where L(.) denotes the linear hull. Since 0 ∈ B, condition (7.49) implies that

Ãij x̃ + B̃i ũ ∈ L(F) + Im B̃j

and hence also

ε B̃i B ⊂ L(F) + Im B̃j

which implies

Im(B̃i) ⊂ L(F) + Im B̃j.

Therefore ∀x̃ ∈ F there exists ũ ∈ R^m such that

Ãij x̃ + B̃i ũ + Im(B̃i) ⊂ L(F) + Im B̃j

i.e.

Ãij F + Im(B̃i) ⊂ L(F) + Im B̃j

and hence Ãij F ⊂ L(F) + Im B̃j and

Ãij L(F) + Im(B̃i) ⊂ L(F) + Im B̃j.

Therefore, F̃^i_ij is non-empty. Similarly, we can prove that F̃^j_ij = ∅ implies condition (ii) in Definition 7.7, and the proof is complete. □

For a linear system described by the equations

ẋ(t) = A x(t) + B1 u1(t) + B2 u2(t)
y(t) = C x(t)    (7.50)

with dimension n of the state space, let us define the matrices

$$ M_k = \begin{pmatrix} C B_k & 0 & \cdots & 0 \\ C A B_k & C B_k & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ C A^{n-1} B_k & C A^{n-2} B_k & \cdots & C B_k \end{pmatrix}, \quad k \in \{1, 2\}. \qquad (7.51) $$


We can state the following result:

Proposition 7.19 There exists a linear subspace F ⊂ ker(C) for which AF + Im(B1) ⊂ F + Im(B2) if and only if Im(M1) ⊂ Im(M2).

Proof For each initial state x0 ∈ F, and for each input function u1(.), there exists an input function u2(.) such that x(t) ∈ F, ∀t ≥ 0. Therefore, given x ∈ F, for any h1 ∈ R^{mn} there exists h2 ∈ R^{mn} such that

L x + M1 h1 + M2 h2 = 0    (7.52)

where

$$ L = \begin{pmatrix} C A \\ C A^2 \\ \vdots \\ C A^n \end{pmatrix} $$

and hi is the vector of the time derivatives of ui(.) up to order n − 1, computed at t = 0. Since x is given, the equation above can be satisfied only if Im(M1) ⊂ Im(M2). Conversely, if Im(M1) ⊂ Im(M2), then the equation is satisfied at least for x = 0, and hence F is nonempty. Therefore the result follows. □

By applying Proposition 7.19 to the linear system S̃ij, an algebraic condition for strong input-generic distinguishability can be established, which is equivalent to the condition of Theorem 7.4. Let M̃i and M̃j be the matrices corresponding to M1 and M2 in (7.51), respectively, obtained by substituting A with Ãij, C with C̃ij, B1 with B̃i and B2 with B̃j.

Corollary 7.4 Si and Sj are strongly input-generic distinguishable if and only if Im M̃i ⊄ Im M̃j and Im M̃j ⊄ Im M̃i.

Proof The result follows by combining Theorem 7.4 and Proposition 7.19. □

Let us consider Example 7.5. It is easy to verify that Im M̃i ⊄ Im M̃j, but Im M̃j ⊂ Im M̃i. In fact the two systems are input-generic distinguishable, but not strongly input-generic distinguishable. On the other side, for Example 7.6, since

$$ \tilde C_{ij} \tilde B_i = \begin{pmatrix} 1 \\ 0 \end{pmatrix} \quad \text{and} \quad \tilde C_{ij} \tilde B_j = \begin{pmatrix} 0 \\ -1 \end{pmatrix}, $$

we can conclude that the two systems are strongly input-generic distinguishable.

7.7 Comparing Distinguishability Notions In this section, we introduce the notions of strict distinguishability and, for a controlled system, the notion of 0-input distinguishability by rephrasing the analogous

152

7 Continuous Dynamics Distinguishability

property already known in the literature for autonomous systems. We then discuss the relationships between the different distinguishability notions introduced in this chapter. In the case of two autonomous linear systems, if both have the origin as initial state, the output evolution is identically zero. Hence, two autonomous linear systems cannot be input-generic distinguishable for any initial state. If the origin is excluded from the possible initial state set, we can give the following: Definition 7.8 Two autonomous linear systems Si and S j with output functions denoted by yi and yj , respectively, are distinguishable if, given an arbitrarily small t > 0, yi |[0,t) = y j [0,t) for any pair of initial states x0i and x0 j with x0i = 0 or x0 j = 0. The following result has been established in [59]: Theorem 7.5 Two autonomous linear systems Si and S j are distinguishable if and only if (7.53) rank Oi j = 2n. Proof By Definition 7.8, considering the linear system Si j defined by the matrices in (7.3), two autonomous linear systems Si and S j are distinguishable if and only if for any nonzero x0 ∈ R2n , the output function y of Si j is identically zero. This is true if and only if y(0) = 0 and all derivatives of y with respect to time at t = 0 are equal to zero. Hence by standard arguments the result follows.  For non-autonomous systems, it is useful to introduce the following definition : Definition 7.9 Two linear systems Si and S j for which condition (7.53) holds are called 0-input distinguishable. Proposition 7.20 If Si and S j are 0-input distinguishable, then they are inputgeneric distinguishable. Proof The result follows by Theorem 7.1 and Proposition 7.1.



Suppose that at least one of the two systems is not autonomous, so that B_ij ≠ 0. Then, if condition (7.53) holds, condition (7.10) also holds and the two systems are input-generic distinguishable by Proposition 7.20. However, if the two systems are input-generic distinguishable, condition (7.10) may hold even if condition (7.53) does not. This confirms that input-generic distinguishability is the most appropriate notion to be adopted when controlled systems are considered, since it is weaker than the distinguishability notion of Definition 7.8, characterized by condition (7.53). If we have to compare two autonomous linear systems, condition (7.10) is certainly not satisfied. Hence, either we can reasonably assume that the initial state is not zero, as required in Theorem 7.5, or we cannot ensure distinguishability. Let us consider the notion introduced in [37], and called strict distinguishability in [45].


Definition 7.10 Two linear systems S_i and S_j with output functions denoted by y_i and y_j, respectively, are strictly distinguishable if y_i ≠ y_j for any pair of nonzero initial states and for any nonzero input function u ∈ U.

Denoting with F_ij the maximal (A_ij, B_ij)-controlled invariant subset of ker(C_ij) (see the proof of Theorem 7.1), with matrices as in (7.3), the property above can be easily characterized as follows:

Proposition 7.21 Two linear systems S_i and S_j are strictly distinguishable if and only if F_ij = {0}.

In Definition 7.10 it is assumed that the same input, if applied to two different systems, produces different outputs. As for input-generic distinguishability, this property requires the knowledge of the input function to reconstruct the currently evolving system. The following definition takes into account the case of unknown input.

Definition 7.11 Two linear systems S_i and S_j with output functions denoted by y_i and y_j, respectively, are strictly distinguishable with unknown input if y_i ≠ y_j for any pair of nonzero initial states and for any nonzero pair of input functions u_1, u_2 ∈ U.

The characterization of this property is provided in the following statement, where $\tilde{F}_{ij}$ denotes the maximal $(\tilde{A}_{ij}, \tilde{B}_{ij})$-controlled invariant subset of $\ker(\tilde{C}_{ij})$, with matrices as in (7.46).

Proposition 7.22 Two linear systems S_i and S_j are strictly distinguishable with unknown input if and only if $\tilde{F}_{ij} = \{0\}$.

The condition in the proposition above is a particular case of the results published in [28], where the case of partially unknown input was addressed. It is easy to verify that

$F_{ij} \subset \tilde{F}_{ij}$   (7.54)

and hence strict distinguishability with unknown input obviously implies strict distinguishability. Moreover,

$\tilde{F}_{ij} = \{0\} \;\Rightarrow\; F_i^{ij} = F_j^{ij} = \emptyset$   (7.55)

and therefore strict distinguishability with unknown input implies strong input-generic distinguishability.

The following propositions establish relationships between the properties described above.

Proposition 7.23 If S_i and S_j are strictly distinguishable then they are strongly input-generic distinguishable.

Proposition 7.24 If S_i and S_j are strictly distinguishable then they are 0-input distinguishable.

Proof If F_ij = {0} then 0 is the only solution of the equation O_ij x + ∑_{h=0} M_ij … = 0, with O_ij as in (7.4) and M_ij as in (7.6). Therefore necessarily ker(O_ij) = {0}, and the result follows. □

Fig. 7.4 Relationship between different distinguishability notions (Strict Distinguishability with unknown input; Strict Distinguishability; 0-input Distinguishability; Strong Distinguishability; Input-Generic Distinguishability)

Figure 7.4 depicts the relationship between the distinguishability notions discussed in this section.

7.8 Notes and Further Reading Many authors have addressed the problem of distinguishing continuous dynamics from different perspectives. This problem is also known as discernibility or modes observability, and results have been established for systems with or without input, in continuous time as well as in discrete time, with or without disturbances, mostly for linear systems and sometimes for nonlinear systems: see e.g. [1–7, 12–14, 18–21, 27, 28, 33, 36–38, 47, 49, 54, 55, 58, 59, 62] and references therein. The approach illustrated in this chapter is based on [18] where, inspired by [53], an exhaustive analysis of distinguishability notions was presented in a discrete-time setting with techniques relying upon geometrical tools (see e.g. [8]). Those notions differ because of the roles of the input function and continuous initial state. The condition of Theorem 7.1 was first established in [20] as a characterization of distinguishability of two linear systems for any initial state and for an appropriate input function. Then in [18], in a discrete-time setting, it was proved that distinguishability with respect to a particular control input (single experiment framework, as defined in [53]) is equivalent to distinguishability with respect to a generic control law. A similar analysis can be carried out for continuous-time systems, leading to the same geometrical characterization of the distinguishability properties (see e.g. [28]). Single experiment distinguishability is in turn equivalent to the property called controlled-discernibility


in [2]. Controlled distinguishability for continuous-time bilinear systems has been addressed in [46]. Input-generic distinguishability, as in Definition 7.1, is weaker than distinguishability as in [37], where a pair of linear systems S_1 and S_2 is said to be distinguishable if for any nonzero (x_10, x_20, u(·)) ∈ R^n × R^n × L^1(0, T; R^m), where x_10 and x_20 are initial states for S_1 and S_2, and L^1(0, T; R^m) is the class of L^1 functions on the interval [0, T] taking values in R^m, the outputs y_1(·) and y_2(·) are not identical on the interval [0, T]. The notion of input-generic distinguishability has been instrumental in the observer design in [29], where no knowledge of the switching signal is assumed. Example 7.2 is inspired by the paper [11]. Still in the framework of networks of systems, see also [10, 48] for the case of differential-algebraic equation networks. For the class of controlled continuous-time linear systems with disturbances, the paper [28] introduced the property called Observability for Almost Every Control Input. This property corresponds to the possibility of distinguishing two dynamics, for a generic input, for all pairs of initial states and for all pairs of disturbance functions. Hence, when no disturbance is present, it boils down to input-generic distinguishability. For the same class of systems with disturbances, the notion of distinguishability for “almost any” initial state, input and disturbance sequences was investigated in [61]. The framework of [28] is similar to the one in [60], where the invertibility problem for switched systems (i.e. the problem of uniquely recovering the switching signal and the input, given an output and an initial state) is addressed. Robustness of a discerning control for linear systems subject to bounded unknown inputs is addressed in [44], where a discerning control is an input that generates different output signals for each mode, regardless of the initial state and the unknown inputs.

The notion of T-detectability introduced in [31] has connections to mode observability and is analyzed for the class of switched affine models. This property measures how long it takes for a fault to lead to an abnormal trajectory. For linear autonomous switched systems, under the conditions that ensure detectability of the switching times (as explained in Sect. 7.2), the paper [58] proposes a method for their on-line finite-time estimation. Switching time estimates are given by explicit algebraic formulae that can be implemented using standard tools from computational mathematics. In [9], mode observability for a feedback linear switching system is introduced. This property corresponds to distinguishability of any two autonomous linear systems resulting from the interconnection of a plant with a linear dynamic controller. More precisely, at a given time t_0, supposing that a certain controller C_j is inserted in the feedback loop, the active plant mode can be any S_i. The aim is therefore to address the problem of discerning which plant modes could have produced the collected input/output data.

In [7], the quantity $\pi_j(O_i x) = \min_{v \in \mathbb{R}^n} \| O_j v - O_i x \|$ is taken as a measure of a “distinguishability degree” of mode i with respect to mode j at state x. Evaluating the distinguishability degree is crucial whenever mode identification is addressed


in the presence of measurement noise, in order to quantify how noise-corrupted measurements may affect mode identification in practice. As can be easily checked, there exists some x ≠ 0 such that π_j(O_i x) = 0 if and only if the two autonomous linear systems S_i and S_j are not distinguishable in the sense of [59] (see Theorem 7.5). The paper [33] analyzes a relaxation of the mode distinguishability problem, under the name of set transition observability problem for switched linear systems. This problem considers a partition of the set of modes into two classes, which correspond for example to safe modes of operation and failure modes of operation. The observability problem consists in identifying mode sequence transitions that move from safe to failure on the basis of the output information, given that the system is initialized in a safe operating mode. The papers [15] and [41] focus on the problem of mode reconstructability of piecewise linear systems when a partition of the state space characterizes the switching modes. In [13] an algorithm is presented for identifying switching sequences and switching times of switched linear systems, in a discrete-time setting. The proposed methodology is based on the Discrete Particle Swarm Optimization technique. The paper [30] illustrates in a tutorial form and in a unified way model-based mode detection methods for switched linear (and by extension affine) discrete-time systems. The notion of strict distinguishability, i.e. the property of two systems to generate identical output signals only for the zero control input and the zero initial state vector, is introduced in [45] for linear systems, and extended to a class of nonlinear systems in [43]. Some effort has also been dedicated to a distributed framework, as for example in the work [14], where conditions are established for distributed mode identification.
The distinguishability problem is of course related to the identification problem for hybrid systems (see e.g. [32]), but the approaches for solving these two problems are quite different, so we do not discuss here the literature related to identification. The “secure state estimation” problem, described in Sect. 7.5.2 to solve the attack detection problem, was introduced in [22], and corresponds to the estimation of the internal state of a system when sensors are corrupted by a malicious attacker. Recent results on security for dynamical systems focus on this case. Definition 7.6 is taken from [52] where secure state estimation can be expressed using the notion of strong observability for linear systems [34, 56]. The analysis of the secure state estimation problem offered in this chapter is inspired by the results in [23], where the authors propose a method to estimate the state of a linear time invariant system when a fixed set of sensors and actuators is corrupted by deception attacks. In [23] it is proved that, if the number of corrupted nodes is smaller than a certain threshold, it is possible to exactly recover the internal state of the system by means of an algorithm derived from compressed sensing and error correction over the reals. A computationally efficient recursive version of the algorithm is presented in [52]. In order to overcome the limitations imposed by the combinatorial nature of the problem, in [50] the authors formulate the problem


as a satisfiability one, and propose a sound and complete algorithm based on the Satisfiability Modulo Theory paradigm. This approach is extended to nonlinear differentially flat systems in [51]. The sparsity assumption on the attack signal is also made in [16, 25], where the more general case of a time-varying set of attacked nodes is considered. A similar approach is used in [17] for a continuous-time linear system. All of the above-mentioned works are concerned with state estimation for linear or nonlinear systems and cannot be directly applied to hybrid systems. To the best of our knowledge, [26] is the first contribution to the secure state estimation problem for hybrid systems.

In Sect. 7.4 we gave the tools for the reconstruction of the current mode. The first technique is a straightforward consequence of the definition of input-generic distinguishability. The second technique is based on the design of Luenberger observers, which under suitable hypotheses allow the identification of the current dynamics or, in the worst case, of the set of dynamics that are not input-generic distinguishable with respect to the current system. This identification is based on the convergence to zero of the residual, namely the difference between the measured output of the system and the one estimated by the observer. Another possibility for discrete state identification, still based on residual generation, can be derived from a classical result in the failure detection and identification framework. Here we give some hints of how the results of [40] can be adapted to the mode identification problem. Consider a system described by the equations

ẋ(t) = A x(t) + B u(t) + L_1 m_1(t) + L_2 m_2(t)   (7.56)

y(t) = C x(t)   (7.57)

where u(t) is the control input and m_i(t), i = 1, 2, represents an unknown, unbounded external input which, if not zero, models a failure of the system. For simplicity, we consider the case of only two possible failures, but the results can be extended to multiple ones. A residual generator is a system that takes as inputs at time t the values u(t) and y(t) and returns as output the signal r(t) (the residual), as described in the following equations:

ẇ(t) = F w(t) − E y(t) + G u(t)   (7.58)

r(t) = M w(t) − H y(t) + K u(t)   (7.59)

Suppose we want to detect and identify fault 1, i.e. the fault represented by the input m_1(t). Then we have to compute matrices F, E, G, M, H and K such that the residual r(t) converges to zero if fault 1 is not present, i.e. m_1(t) = 0, t ∈ R, and is not zero for almost all m_1, regardless of the value of m_2(t). The same holds if we want to detect and identify fault 2. The problem above is addressed for linear systems by following a geometric approach (see the already cited book [8]). In a hybrid systems framework, consider the systems S, S_1 and S_2, described respectively by the triples (A, B, C), (A_1, B, C) and (A_2, B, C). Let S be the current mode, assumed to be known, and suppose that at any time the system can switch either to mode S_1 or to mode S_2. Then, the conditions under which the problem of residual generation for the system (7.56) with L_i = A_i − A, i = 1, 2, is solvable are sufficient conditions for the identification of S_1 or S_2 after switching. Another approach for discrete state identification can be based on the so-called higher-order sliding modes (HOSM) differentiator [35], which, under appropriate conditions, returns in finite time the i-th time derivative of a given function at the initial time. This technique allows the use of Proposition 7.12 for mode reconstruction without discretizing the given system.

References

1. Babaali M, Egerstedt M (2004) Observability of switched linear systems. In: Alur R, Pappas GJ (eds) Hybrid systems: computation and control 2004. Lecture notes in computer science. Springer, Berlin, pp 48–63
2. Babaali M, Pappas GJ (2005) Observability of switched linear systems in continuous time. In: Morari LTM, Rossi F (eds) Hybrid systems: computation and control 2005. Lecture notes in computer science, vol 3414. Springer, Berlin, pp 103–117
3. Baglietto M, Battistelli G, Scardovi L (2007) Active mode observability of switching linear systems. Automatica 43:1442–1449
4. Baglietto M, Battistelli G, Scardovi L (2009) Active mode observation of switching systems based on set-valued estimation of the continuous state. Int J Robust Nonlinear Control 19(14):1521–1540
5. Baglietto M, Battistelli G, Tesi P (2014) Discerning controllers for switching linear systems: existence and genericity. Automatica 50:2358–2365
6. Baglietto M, Battistelli G, Tesi P (2014) Distinguishability of discrete-time nonlinear systems. IEEE Trans Autom Control 59(4):1014–1020
7. Baglietto M, Battistelli G, Tesi P (2014) Mode-observability degree in discrete-time switching linear systems. Syst & Control Lett 70:69–76
8. Basile G, Marro G (1992) Controlled and conditioned invariants in linear system theory. Prentice-Hall, Hoboken
9. Battistelli G (2013) On stabilization of switching linear systems. Automatica 49:1162–1173
10. Battistelli G, Tesi P (2016) Detecting topology variations in networks of linear systems with static coupling. In: Proceedings of the 55th conference on decision and control (CDC). ARIA Resort & Casino, Las Vegas, USA
11. Battistelli G, Tesi P (2018) Detecting topology variations in networks of linear dynamical systems. IEEE Trans Control Netw Syst 5(3):1287–1299
12. Bejarano FJ, Mera M (2020) Continuous state observability and mode reconstructability of switched nonlinear systems with unknown switching function. Int J Robust Nonlinear Control 31(3)
13. Boubaker S, Djemai M, Manamanni N, M’Sahlii F (2014) Active modes and switching instants identification for linear switched systems based on discrete particle swarm optimization. Appl Soft Comput 14:482–488
14. Caravani P, De Santis E (2012) On distributed mode-observability of multimodal systems. In: Proceedings of the 51st IEEE conference on decision and control, Maui, HI, USA, pp 2226–2231
15. Chaib S, Boutat D, Benali A, Barbot JP (2005) Observability of the discrete state for dynamical piecewise hybrid systems. Nonlinear Anal Theory Methods Appl 63(3):423–438
16. Chang YH, Hu Q, Tomlin CJ (2016) Secure estimation based Kalman filter for cyber-physical systems against adversarial attacks. arXiv:1512.03853v2
17. Chong MS, Wakaiki M, Hespanha JP (2015) Observability of linear systems under adversarial attacks. In: American control conference (ACC), pp 2439–2444
18. De Santis E (2011) On location observability notions for switching systems. Syst & Control Lett 60:807–814
19. De Santis E, Di Benedetto MD, Di Gennaro S, D’Innocenzo A, Pola G (2006) Critical observability of a class of hybrid systems and application to air traffic management. Lecture notes in control and information sciences, vol 337. Springer, Berlin, pp 141–170
20. De Santis E, Di Benedetto MD, Pola G (2003) On observability and detectability of continuous-time linear switching systems. In: Proceedings of the 42nd IEEE conference on decision and control, CDC 03, Maui, Hawaii, USA, pp 5777–5782
21. Debus TJ, Dupont PE, Howe RD (2005) Distinguishability and identifiability testing of contact state systems. Adv Robot 19(5):545–566
22. Fawzi H, Tabuada P, Diggavi S (2011) Secure state-estimation for dynamical systems under active adversaries. In: 2011 49th annual Allerton conference on communication, control, and computing (Allerton), pp 337–344
23. Fawzi H, Tabuada P, Diggavi S (2014) Secure estimation and control for cyber-physical systems under adversarial attacks. IEEE Trans Autom Control 59(6):1454–1467
24. Fiore G (2017) Secure state estimation for cyber-physical systems. PhD thesis, University of L’Aquila, Department of Information Engineering, Computer Science and Mathematics
25. Fiore G, Chang YH, Hu Q, Di Benedetto MD, Tomlin CJ (2017) Secure state estimation for cyber physical systems with sparse malicious packet drops. In: 2017 American control conference (ACC), pp 1898–1903
26. Fiore G, De Santis E, Di Benedetto MD (2017) Secure mode distinguishability for switching systems subject to sparse attacks. IFAC-PapersOnLine 50(1):9361–9366. 20th IFAC World Congress
27. Fliess M, Join C, Perruquetti W (2008) Real-time estimation for switched linear systems. In: Proceedings of the 47th IEEE conference on decision and control, Cancun, Mexico, pp 941–946
28. Gómez-Gutiérrez D, Ramírez-Treviño A, Ruiz-León J, Di Gennaro S (2012) On the observability of continuous-time switched linear systems under partially unknown inputs. IEEE Trans Autom Control 57(3):732–738
29. Gómez-Gutiérrez D, Čelikovský S, Ramírez-Treviño A, Castillo-Toledo B (2015) On the observer design problem for continuous-time switched linear systems with unknown switchings. J Frankl Inst 352:1595–1612
30. Halimi M, Millérioux G, Daafouz J (2015) Model-based modes detection and discernibility for switched affine discrete-time systems. IEEE Trans Autom Control 60:1501–1514
31. Harirchi F, Ozay N (2018) Guaranteed model-based fault detection in cyber-physical systems: a model invalidation approach. Automatica 93:476–488
32. Huang K, Wagner A, Ma Y (2004) Identification of hybrid linear time invariant systems via subspace embedding and segmentation. In: Proceedings of the 43rd IEEE conference on decision and control, Atlantis, Paradise Island, Bahamas, pp 3227–3234
33. Johnson SC, DeCarlo RA, Zefran M (2014) Set-transition observability of switched linear systems. In: Proceedings of the 2014 American control conference, pp 3267–3272
34. Kratz W (1995) Characterization of strong observability and construction of an observer. Linear Algebra Appl 221:31–40
35. Levant A (2003) Higher-order sliding modes: differentiation and output-feedback control. Int J Control 76(9–10):924–941
36. Lomov AA (2003) Distinguishability conditions for stationary linear systems. Diff Equ 39(2):283–288
37. Lou H, Si P (2009) The distinguishability of linear control systems. Nonlinear Anal: Hybrid Syst 3:21–38
38. Lou H, Yang R (2011) Conditions for distinguishability and observability of switched linear systems. Nonlinear Anal: Hybrid Syst 5:427–445
39. Luenberger DG (1971) An introduction to observers. IEEE Trans Autom Control 16(6):596–602
40. Massoumnia MA, Verghese GC, Willsky AS (1989) Failure detection and identification. IEEE Trans Autom Control 34(3):316–321
41. Mera M, Bejarano FJ (2020) On mode reconstructability and reconstructability sets of piecewise linear systems. Int J Control 0(0):1–9
42. Mesbahi M, Egerstedt M (2010) Graph theoretic methods in multiagent networks. Princeton University Press, Princeton
43. Motchon KMD, Pekpe KM, Cassar JP (2017) Conditions for strict distinguishability of single-output nonlinear control-affine systems. Syst & Control Lett 105:20–26
44. Motchon KMD, Pekpe KM, Cassar JP (2018) Robust discerning controls for the operating modes of linear switched systems subject to bounded unknown inputs. Automatica 96:159–165
45. Motchon KMD, Pekpe KM, Cassar JP, De Bièvre S (2016) On the input-output distinguishability of single output continuous linear time-invariant systems. IEEE Trans Autom Control 61(7):1906–1911
46. Motchon MD, Pekpe KM (2019) Necessary and sufficient condition for controlled distinguishability of continuous-time bilinear systems. IEEE Trans Autom Control 64(7):3013–3018
47. Niu R, Hassaan SM, Yang L, Jin Z, Yong SZ (2022) Model discrimination of switched nonlinear systems with temporal logic-constrained switching. IEEE Control Syst Lett 6:151–156
48. Patil D, Tesi P, Trenn S (2019) Indiscernible topological variations in DAE networks. Automatica 101:280–289
49. Ramdani N, Travé-Massuyes L, Jauberthie C (2018) Mode discernibility and bounded-error state estimation for nonlinear hybrid systems. Automatica 31:118–125
50. Shoukry Y, Chong M, Wakaiki M, Nuzzo P, Sangiovanni-Vincentelli AL, Seshia SA, Hespanha JP, Tabuada P (2016) SMT-based observer design for cyber-physical systems under sensor attacks. In: 2016 ACM/IEEE 7th international conference on cyber-physical systems (ICCPS), pp 1–10
51. Shoukry Y, Nuzzo P, Bezzo N, Sangiovanni-Vincentelli AL, Seshia SA, Tabuada P (2015) Secure state reconstruction in differentially flat systems under sensor attacks using satisfiability modulo theory solving. In: 2015 54th IEEE conference on decision and control (CDC), pp 3804–3809
52. Shoukry Y, Tabuada P (2016) Event-triggered state observers for sparse sensor noise/attacks. IEEE Trans Autom Control 61(8):2079–2091
53. Sontag ED (1979) On the observability of polynomial systems, I: finite-time problems. SIAM J Control Optim 17(1):139–151
54. Sun D, Hwang I (2022) On controlled mode discernibility for nonlinear hybrid systems with unknown exogenous input. Automatica 142
55. Sun D, Hwang I, Corless M (2022) Controlled mode distinguishability for cybersecurity. IEEE Control Syst Lett 6:998–1003
56. Sundaram S, Hadjicostis C (2011) Distributed function calculation via linear iterative strategies in the presence of malicious agents. IEEE Trans Autom Control 56(7):1495–1508
57. Teixeira A, Shames I, Sandberg H, Johansson KH (2015) A secure control framework for resource-limited adversaries. Automatica 51:135–148
58. Tian Y, Floquet T, Belkoura L, Perruquetti W (2011) Algebraic switching time identification for a class of linear hybrid systems. Nonlinear Anal: Hybrid Syst 5:233–241
59. Vidal R, Chiuso A, Soatto S (2002) Observability and identifiability of jump linear systems. In: Proceedings of the 41st IEEE conference on decision and control, Las Vegas, Nevada, pp 3614–3619
60. Vu L, Liberzon D (2008) Invertibility of switched linear systems. Automatica 44:949–958
61. Vázquez CR, Gómez-Gutiérrez D, Ramírez-Treviño A (2020) Observer design for linear hybrid systems with unknown inputs and Petri-net discrete dynamics. Nonlinear Anal: Hybrid Syst 36
62. Walter E, Pronzato L (1996) On the identifiability and distinguishability of non-linear parametric systems. Math Comput Simul 42(42):125–134

Chapter 8

Enriching Discrete Information in H-Systems

In an H-system, both continuous outputs and discrete outputs are in general available. In this chapter, we focus on how continuous and discrete information can be combined to obtain an H-system having only purely discrete outputs. Such a system will be shown to be useful in giving conditions for the observability of the given H-system, and likewise for its diagnosability and predictability. The case where only continuous information is available follows as a special case.

8.1 Preliminary Remarks and Definitions

For an H-system defined as in Chap. 2, we defined observability in Chap. 6. In Chap. 11, we will introduce the notions of diagnosability and predictability with respect to a specific set of states, called critical. Our objective is to give conditions under which the H-system is observable, diagnosable, or predictable on the basis of the information provided by its continuous and discrete outputs. In addressing those properties, it is of fundamental importance to establish a systematic procedure to combine heterogeneous information such as the one provided by continuous and discrete outputs. The cases where only continuous information is available, i.e. an H-system such that h(i) = ε, ∀i ∈ Q, or where only discrete information is available, follow as particular cases. In solving this problem, we will use the tools established in Chap. 7, where we introduced the notions of distinguishability for pairs of dynamical systems and of detectability of the switching events on the basis of the continuous output information. Since in Chap. 7 we analyzed the case of linear dynamical systems, in this chapter we consider an LH-system defined as in Eq. (2.4) by the tuple¹

¹ The procedure we will introduce can be adapted to other subclasses of H-systems, provided that an appropriate notion of distinguishability is defined and characterized for that subclass.

© Springer Nature Switzerland AG 2023 E. De Santis and M. D. Di Benedetto, H-Systems, Communications and Control Engineering, https://doi.org/10.1007/978-3-031-20447-0_8

H = (Ξ, Ξ_0, Υ, h, S, E, R)   (8.1)

with constraints defined as in (2.55) by the tuple

(Γ, G, δ, Δ).   (8.2)

Fig. 8.1 Switching from S(i) to S(j)

Fig. 8.2 Distinguishability of (S(i), S(j)) allows the identification of the mode i and of the mode j

We first offer a preliminary insight into our problem by commenting on some examples. Consider Fig. 8.1, where the detection of the transition cannot be ensured by using the discrete information only. If the pair of systems (S(i), S(j)) is input-generic distinguishable (shortly distinguishable, in what follows), then the switching (i, j) can always be detected (see Proposition 7.3), but in general distinguishability of the pair (S(i), S(j)) does not allow the identification of the modes i and j. For example, consider an LH-system where, in addition to the transition depicted in Fig. 8.1, a transition between two discrete states i′ and j′ is defined, such that i′ ≠ i, j′ ≠ j, S(i′) = S(i), S(j′) = S(j), h(i′) = h(i), h(j′) = h(j). Then, the detection of a switching occurrence does not allow in general the reconstruction of the current state after the transition. However, the reconstruction may be possible by leveraging the information collected up to the occurrence of the transition. Under the same distinguishability condition for the pair (S(i), S(j)), the identification of i and j for the system in Fig. 8.2 is possible by combining the information about the continuous output and about the discrete structure. In fact, if the current output symbol is b, we can deduce that the current mode is either i or j. Since (S(i), S(j)) is a distinguishable pair, we can identify, using the continuous information, which of the two locations i or j is indeed the current one. Note that, although no state is silent, the modes i and j cannot be distinguished only on the basis of the discrete output information. In Fig. 8.3, the persistent state i is silent since its output is ε. But, if the pairs (S(i), S(j)), (S(h), S(i)), and (S(h), S(j)) are all input-generic distinguishable,

then also in this case the current location can be reconstructed by combining discrete and continuous information.

Fig. 8.3 Distinguishability of the pairs (S(i), S(j)), (S(h), S(i)), and (S(h), S(j)) ensures identification of the current discrete state

We start by formalizing the notion of an H-system where only the discrete information is available, by adapting the definition of output function for an H-system given by (2.47).

Definition 8.1 An H-system is called with purely discrete output information if Υ = Y, the output function υ : R → Υ is defined as

υ(t) = y_d(t)   (8.3)

and there is no information on the continuous input function u.

In this chapter, given an LH-system, we analyze how to encode the information represented by the continuous outputs in additional discrete outputs, in order to obtain an LH-system with enriched output and purely discrete information. This LH-system can be viewed as a discrete abstraction of the original system. In the next chapters, we will show that if such a discrete abstraction enjoys some observability properties, then the same properties hold for the original LH-system.

8.2 Enriching Procedure As stated in Corollary 7.1, indistinguishability as in Definition 7.1 is a transitive property. Since indistinguishability is also reflexive and symmetric, we can group the discrete states of Q into equivalence classes on the basis of the indistinguishability of the dynamical systems associated with each discrete state. Let ∼ indicate the indistinguishability relation on the set of discrete modes Q, as defined in Chap. 7. We define the equivalence class of a state i ∈ Q as the set { j ∈ Q : S j ∼ Si }. The set of equivalence classes induces a partition of Q, which is called the quotient space of Q by the relation ∼ and is denoted by Q/ ∼. To each equivalence class, we associate a label in a set of labels Y∼ , where a different label is associated with each equivalence class.


8 Enriching Discrete Information in H -Systems

The Enriching Procedure consists of the following main steps.

STEP 0: Given the system H, define the quotient space Q/∼ and associate a label (in the set Y∼) to each equivalence class.
STEP 1: H → H(1), where H(1) is an LH-system in which the initial states have no predecessors.
STEP 2: H(1) → H(2), where H(2) has additional outputs associated with discrete transitions.
STEP 3: H(2) → H(3), in which H(3) is an LH-system, as in Eq. (2.4).

We now describe in detail the steps of the Enriching Procedure.

STEP 0. Given the system H, we derive the quotient space induced by the indistinguishability relation. This step can be represented by the following algorithm, which returns the matrix Class. Each nonzero row of Class is associated with an equivalence class whose elements are the nonzero components of the same row. Recall that Q = {1, 2, ..., N}.

Algorithm 8.1
  procedure QuotientSpace(Q)
    Initialize Nclass = 0, Class = zeros(N, N)
    while Q ≠ ∅ do
      Nclass = Nclass + 1, col = 1
      pick i ∈ Q
      Class[Nclass, 1] = i
      Q = Q \ {i}
      for j ∈ Q do                     ▷ check the distinguishability property
        if M_ij = 0 then
          col = col + 1
          Class[Nclass, col] = j
          Q = Q \ {j}
        end if
      end for
    end while
    return Class
  end procedure

Then, we associate a label in the set Y∼ to each equivalence class. Finally, define the function

c : Q → Y∼ (8.4)

which indicates the label associated with the equivalence class to which the discrete state i ∈ Q belongs.

STEP 1. Given the LH-system (8.1), consider the associated FSM

M = (Q, Q0, Y, h, E)

and apply the procedure described in Algorithm 3.1 to obtain the FSM

M(1) = (Q(1), Q0(1), Y, h(1), E(1))

in which the set of initial states has no predecessors, and the injection map g : Q → Z is defined in Sect. 3.2.1. Based on the FSM M(1), the following LH-system is defined:

H(1) = (Ξ(1), Ξ0(1), Υ, h(1), S(1), E(1), R(1)) (8.5)

in which

– Ξ(1) = Q(1) × R^n;
– Ξ0(1) = Q0(1) × R^n;
– S(1)(i) = S(i), S(1)(g(i)) = S(i), i ∈ Q;
– R(1)((i, j)) = R((i, j)), R(1)((g(i), j)) = R((i, j)), (i, j) ∈ E.

Given the tuple (8.2), the constraints for H(1) are defined by the tuple

(Γ, G(1), δ(1), Δ(1)) (8.6)

where, recalling the injection map g defined in Sect. 3.2.1, the function G(1) is such that G(1)((g(i), j)) = G(i, j), if (g(i), j) ∈ E(1), and G(1)((i, g(j))) = G(i, j), if (i, g(j)) ∈ E(1). Moreover, for j ∈ Q(1), δ(1)(j) = δ(i) and Δ(1)(j) = Δ(i), where j = i or j = g(i), and i ∈ Q.

STEP 2. In the rest of this chapter, we can now assume without loss of generality that the LH-system H has initial states with no predecessors, i.e. pre(i) = ∅, ∀i ∈ Q0. Hence, for notational simplicity, we write H(1) = H. We now describe how to obtain the LH-system H(2), in which an additional binary output is associated with each discrete transition. In particular, a binary signal with logical value 1 (or 0) is associated with a transition that can (resp. cannot) be detected from the continuous or discrete output information. This additional signal associated with each transition can be modeled as a discrete input, and therefore, following the formalism of Eq. (2.1), H(2) can be described as

H(2) = (Ξ, Ξ0, W, Υ(2), h(2), S, E(2), R)

(8.7)

where

– W = {1, 0} is the finite discrete input space (with input symbols being associated with discrete transitions);
– Υ(2) = Y(2) × R^p, Y(2) = {a ◦ b : a ∈ Y∼ ∧ b ∈ Y} ∪ W;
– h(2) : (Q ∪ E(2)) → Y(2);
– E(2) ⊂ Q × W × Q is the set of admissible discrete transitions (a transition from i ∈ Q to j ∈ Q determined by an input event σ ∈ W is indicated by the triple (i, σ, j)).

The set E(2) is constructed with the following procedure:

  procedure SetE2(H)
    Initialize E(2) = ∅
    for (i, j) ∈ E do
      if h(j) ≠ ε then
        E(2) = E(2) ∪ {(i, 1, j)}
      else
        Case 1: The pair (S(i), S(j)) is distinguishable. According to Proposition 7.3, (i, j) ∈ E is observable, then
          E(2) = E(2) ∪ {(i, 1, j)}
        Case 2: The pair (S(i), S(j)) is not distinguishable and, for any value of the state at the switching time, (i, j) ∈ E is not observable, then
          E(2) = E(2) ∪ {(i, 0, j)}
        Case 3: The pair (S(i), S(j)) is not distinguishable but, for some value of the state at the switching time, (i, j) ∈ E is observable (see Proposition 7.4), then
          E(2) = E(2) ∪ {(i, 0, j), (i, 1, j)}
      end if
    end for
  end procedure

As for the discrete output function,

h(2)((i, σ, j)) = σ (8.8)

and, for i ∈ Q,

h(2)(i) = c(i) ◦ h(i) (8.9)

where c(i) ∈ Y∼ identifies the equivalence class to which the discrete state i ∈ Q belongs (see (8.4)), and the symbol ◦ represents the concatenation between two strings. The set E(2) contains more transitions than the set E, since in Case 3 the transition (i, j) ∈ E corresponds to a pair of transitions in E(2) of the form (i, 0, j) and (i, 1, j).


The constraining tuple for H(2) is

(Γ, G(2), δ, Δ) (8.10)

and G(2)((i, σ, j)) = G((i, j)).

Remark 8.1 H(2) and H share the same hybrid state executions and the same continuous output evolutions. The discrete output information in H(2) is richer than the one in H. In fact, the continuous output information that allows distinguishability between the continuous dynamics is represented by a discrete output associated with the discrete transitions (therefore H(2) is modeled by a Mealy Machine). At this stage, a symbol is associated with each transition, and hence the transition occurrence could be detected even when in the system H this detection is not possible or cannot be guaranteed in general. Therefore, a further step is required to obtain a system that preserves the same properties as H related to transition detection.

STEP 3. The discrete behavior of H(2) is described by the Mealy Machine M(2), which can be transformed into a Moore Machine

M̃(3) = (Q(3), Q0(3), Ỹ(3), h̃(3), E(3))

in which no information is associated with discrete transitions. The transformation procedure is described in Sect. 3.2.1, Algorithm 3.2, where, given a Mealy FSM with discrete state space Q, we have also defined the set Q' of discrete states of the corresponding Moore FSM and the point-to-set mapping f : Q → 2^{Q'} that associates to each discrete state of the Mealy FSM a set of discrete states of the corresponding Moore FSM. In our case,

Q(3) = Q' = ⋃_{i ∈ Q} f(i). (8.11)

The discrete output space of the Mealy Machine M(2) is Y(2) = W ∪ {a ◦ b : a ∈ Y∼ ∧ b ∈ Y}. Therefore,

Ỹ(3) = {σ ◦ a ◦ b : σ ∈ W ∧ a ∈ Y∼ ∧ b ∈ Y}.

In summary, the meaning of the output strings in Ỹ(3) is the following. The first symbol is either 0 or 1, the second symbol is in the set Y∼ and denotes the class, and the third symbol is the given discrete output associated with the state. For example, suppose that for some i ∈ Q(3) the discrete output is h̃(3)(i) = 0 ◦ a ◦ ε. This means that the current state is in the same class as all its predecessors, the transition from each predecessor is not detected, and the given discrete output associated with i is not observable. This analysis motivates the introduction of a new Moore FSM

M(3) = (Q(3), Q0(3), Y(3), h(3), E(3))

which differs from M̃(3) only for its outputs, according to the following table:

h̃(3)(i)      →   h(3)(i)
0 ◦ a ◦ ε     →   ε
0 ◦ a ◦ b     →   a ◦ b
1 ◦ a ◦ ε     →   a
1 ◦ a ◦ b     →   a ◦ b        (8.12)

where a ≠ ε and b ≠ ε. From the FSM M(3), the LH-system

H(3) = (Ξ(3), Ξ0(3), Υ(3), h(3), S(3), E(3), R(3))

(8.13)

is derived, with

– Ξ(3) = Q(3) × R^n;
– Ξ0(3) = Q0(3) × R^n;
– Υ(3) = Y(3) × R^p;
– S(3)(i) = S(f^{-1}(i));
– R(3)(i, j) = R(f^{-1}(i), f^{-1}(j)).

The tuple defining the constraints is

(Γ, G(3), δ(3), Δ(3)) (8.14)

where G(3)((i, j)) = G(2)((f^{-1}(i), f^{-1}(j))), δ(3)(i) = δ(2)(f^{-1}(i)), and Δ(3)(i) = Δ(2)(f^{-1}(i)).

Remark 8.2 By construction, the FSM associated to H(3) is a Moore FSM. Moreover, H(3) and H share the same continuous output and state evolutions. A unique discrete state evolution of H(3) is associated with each discrete state evolution of H. In fact, given a discrete state evolution q(t) of system H, q(3)(t) ∈ f(q(t)), ∀t ≥ 0, is the discrete state evolution of system H(3). However, if f(q(t)) is not a singleton, then card(f(q(t))) = 2, with the same dynamical system associated with both discrete states in f(q(t)). For one of the two states, none of the incoming transitions can be detected on the basis of only the continuous output information, while for the other all the incoming transitions can.

In what follows, for a given H, the system H(3) will be renamed

He = (Ξe, Ξe,0, Υe, he, Se, Ee, Re) (8.15)

where the subscript e stands for “enriched”, because He is enriched with additional discrete output information derived from the continuous output information. The symbols in the tuple are renamed for notational coherence.


In Chap. 12, the design of the hybrid observer will be based on the system He. The design of the module able to generate the enriched discrete output function of system He will be described, taking into account the realistic situation where some processing time is needed for switching time detection and for on-line identification of the equivalence class to which the current mode belongs.

The function f defined at STEP 3 associates to a discrete state of H(2) a set of discrete states of He. Since Q(2) = Q, we abuse notation by using the same symbol f to denote the function that associates to discrete states of H a set of discrete states of He. Given the LH-system H, the Enriching Procedure gives as output the system He and defines the point-to-set mapping f : Q → 2^{Qe}. For each discrete state i ∈ Qe, the set f^{-1}(i) is a singleton, and the dynamical system and state constraints associated with i are the same as those associated with f^{-1}(i). In defining He, the information deriving from the continuous evolution of H is represented as additional information in the discrete component of the output function. Moreover, some discrete states of H have been duplicated in He, because the associated enriched discrete output depends also on the transition ending in those states of H. In the next chapters, we will establish a precise relation between the properties of H and He.

Finally, we associate to He the system with purely discrete output information denoted He,d, defined as

He,d = (Ξe, Ξe,0, Υe,d, he, Se, Ee, Re) (8.16)

where Υe,d = Y(3) and the subscript d means “discrete”. A very simple example is provided in the following Figs. 8.4 and 8.5, which represent the FSMs associated with the systems H and He.

[Figure: discrete states 1 (output a), 2 (output b), 3 (output a), 4 (output ε), 5 (output b)]

Fig. 8.4 LH-system H: the dynamical systems are linear and the reset is the identity function. Suppose that S(1) and S(2) are described by the same equations ẋ(t) = −x(t) + u(t), y(t) = 2x(t), and the discrete state is 1 until x(t) < x̄, for some real x̄. Let S(3) and S(4) be described by the same equations ẋ(t) = x(t) + u(t), y(t) = x(t), and the commutation occurs when the dwell time in mode 3 is greater than or equal to some Δ. Finally, let S(5) be described by the equations ẋ(t) = u(t), y(t) = 0. The continuous input function is available at each t. No discrete output is available when the current discrete state is 4.

[Figure: discrete states 1 (output αa), 2 (output αb), 3 (output βa), 4 (output β), 5 (output γb)]

Fig. 8.5 LH-system He: the discrete output has been enriched with the label of the equivalence class. The systems S(1) and S(2) are in the class labeled α. The systems S(3) and S(4) are in the class labeled β, and S(5) is the singleton of the class labeled γ.

The Enriching Procedure can be applied also for different indistinguishability properties that are transitive, reflexive, and symmetric. In the next section, this will be shown for s-secure indistinguishability, defined in Sect. 7.5.

8.3 An Example for Systems Under Attack

The procedure described in Sect. 8.2 can be easily rewritten for the case of systems under attack, by replacing the notion of distinguishability with the s-secure distinguishability notion. Here we propose an example to better understand the abstracting technique in this case. Consider the dynamical network already described in Example 7.2, composed of n nodes, where each node updates its state xi ∈ R, i = 1, ..., n, on the basis of the states of its neighbors and of other m external nodes providing an external input. We assume that the states of p of the nodes are available for measurement. The network topological structure can be represented by an undirected graph G = (V, E), where V = {1, ..., n} is the set of nodes and E is the set of edges. The discrete-time collective dynamics of the network can be written as

x(t + 1) = −L x(t) + B u(t)
y(t) = C x(t) (8.17)

where L is the Laplacian induced by the graph G = (V, E), x ∈ R^n, u ∈ R^m, y ∈ R^p. Given the nominal dynamics of the network, a node or link disconnection changes the network’s topology, thus modifying also the network collective dynamics. We assume that some disconnections can be directly measured (this can be modeled by means of discrete labels corresponding to the active or inactive state of a link/node), and some of them cannot be measured (the null event ε is associated with them).

[Figure: discrete states 1 (output a), 2 (output b), 3, 4 and 5 (output ε)]

Fig. 8.6 Example: LH-system representing all the network’s topologies. Topologies associated with S1 and S2 are measured by means of discrete labels {a, b} ∈ Y, whereas topologies associated with S3, S4, and S5 cannot be measured.

We can represent this scenario by means of an LH-system, in which each discrete state q ∈ Q corresponds to a particular network topology. A discrete label belonging to the discrete output set Y is associated with each discrete state, as described above. Moreover, a linear dynamical system Sq is associated with each discrete state q ∈ Q, as described in Eq. (7.16) for the nominal case. Under attack, the description of Sq becomes

x(t + 1) = −Lq x(t) + Bq u(t)
y(t) = C x(t) + w(t) (8.18)

where w(t) ∈ S_s^p represents an s-sparse attack vector on the continuous output measurements. Because of s-sparsity, only s of the p nodes may be under attack, and the information about their state can assume any value, but we do not know which are the attacked nodes. From the analysis in Sect. 7.5, we know that a necessary condition for two different modes (i.e. network topologies, in this example) to be distinguishable from the continuous output is 2s ≤ p − 1 (see condition (7.36) in Theorem 7.2).

As an example, let us assume that all the network’s topologies can be represented by the LH-system in Fig. 8.6. Let ∼ indicate the s-secure indistinguishability relation on the set of discrete modes Q, as defined in Sect. 7.5. We define the equivalence class of a state i ∈ Q as the set {j ∈ Q | Sj ∼ Si}. The set of equivalence classes induces a partition of Q, i.e. the quotient space of Q by the relation ∼, denoted by Q/∼. In this case, we assume that Q/∼ = {(1, 2, 3), (4, 5)}. To each equivalence class, we associate a label in the set Y∼ = {α, β}. The LH-system obtained as a result of the first step of the proposed Enriching Procedure is represented in Fig. 8.7. The second step of the procedure associates an additional binary output to each discrete transition e = (i, j) ∈ E, based on the s-secure distinguishability of Si and Sj and on the detectability of the transition e = (i, j) ∈ E, as described in Sect. 8.2. At the end of Step 2, the LH-system in Fig. 8.8 is obtained. In Fig. 8.8, there are two links between states 2 and 3, labeled with 0 and with 1, respectively. This representation encodes the case where the detectability of the transition depends on the value of the continuous state at the switching time (see Proposition 7.14).

[Figure: discrete states 1 (output αa), 2 (output αb), 3 (output α), 4 (output β), 5 (output β)]

Fig. 8.7 Example: LH-system obtained as a result of Step 1

[Figure: the transitions of Fig. 8.7 carry the binary labels 0/1 assigned at Step 2; the link from 2 to 3 is duplicated, with labels 0 and 1]

Fig. 8.8 Example: LH-system obtained as a result of Step 2

The third step of the procedure transforms the Mealy Machine obtained at the end of the second step into a Moore Machine, and further manipulates the output labels, as shown in Fig. 8.9.

[Figure: discrete states 1 (output αa), 2 (output αb), 31, 32, 41, 42, and 5; states 3 and 4 of Fig. 8.8 have each been split into two states]

Fig. 8.9 Example: LH-system obtained as a result of Step 3
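The steps walked through above, as an added example in Python (not the book's own code): Steps 0, 2 and 3 of Sect. 8.2 are run on a constructed FSM modelled on this Sect. 8.3 example, so that states 3 and 4 split as in Fig. 8.9. The edge set, the indistinguishability relation, the Case 2/Case 3 classification of the transitions and the convention for initial states are assumptions, since the page does not give them.

```python
"""Enriching Procedure, Steps 0, 2 and 3 (Sect. 8.2), run on a constructed FSM.

Added example, not the book's own code. The edge set, the indistinguishability
relation, the Case 2/Case 3 classification of transitions that are not detected
by the discrete output, and the treatment of initial states are assumptions
chosen to mirror the Sect. 8.3 example (Q = {1..5}, Q/~ = {(1,2,3),(4,5)}).
"""
from collections import defaultdict

EPS = ""  # the null discrete output epsilon

# --- constructed data, modelled on Fig. 8.6 (its arrows are not on the page) ---
Q = [1, 2, 3, 4, 5]
Q0 = [1]                                        # Step 1 done: 1 has no predecessors
h = {1: "a", 2: "b", 3: EPS, 4: EPS, 5: EPS}
E = [(1, 2), (2, 3), (3, 4), (3, 5), (5, 4)]    # assumed edge set
INDIST = {(1, 2), (1, 3), (2, 3), (4, 5)}       # assumed: M_ij = 0 for these pairs
# Assumed outcome of Propositions 7.4/7.14 for the indistinguishable pairs in E:
# "never" = Case 2 (transition never observable), "some" = Case 3 (depends on x).
SWITCH_DETECTABLE = {(2, 3): "some", (5, 4): "never"}
LABELS = ["α", "β"]                             # Y~, one label per class


def indistinguishable(i, j):
    """Reflexive, symmetric stand-in for the relation ~ of Chap. 7."""
    return i == j or (i, j) in INDIST or (j, i) in INDIST


def quotient_space(states, rel):
    """Step 0 (Algorithm 8.1): partition the states into equivalence classes of rel."""
    remaining = list(states)
    classes = []
    while remaining:
        i = remaining.pop(0)            # open a new class with the first unassigned state
        same = [j for j in remaining if rel(i, j)]
        classes.append(tuple([i] + same))
        remaining = [j for j in remaining if j not in same]
    return classes


def class_labels(classes, labels):
    """The function c : Q -> Y~ of (8.4)."""
    return {i: lab for cls, lab in zip(classes, labels) for i in cls}


def transition_labels(i, j):
    """Binary input symbols of W attached to (i, j) by the Set E(2) procedure."""
    if h[j] != EPS:                             # detected from the discrete output of j
        return {1}
    if not indistinguishable(i, j):             # Case 1: distinguishable pair (Prop. 7.3)
        return {1}
    if SWITCH_DETECTABLE[(i, j)] == "never":    # Case 2
        return {0}
    return {0, 1}                               # Case 3: (i,0,j) and (i,1,j) both in E(2)


def step2():
    """E(2) of (8.7): triples (i, sigma, j); h(2)((i, sigma, j)) = sigma by (8.8)."""
    return {(i, s, j) for (i, j) in E for s in transition_labels(i, j)}


def relabel(sigma, a, b):
    """Table (8.12): from the Moore output sigma◦a◦b to the output of M(3)."""
    if b != EPS:
        return a + b                    # 0◦a◦b -> a◦b and 1◦a◦b -> a◦b
    return a if sigma == 1 else EPS     # 1◦a◦eps -> a, 0◦a◦eps -> eps


def step3(E2, c):
    """Mealy -> Moore (Step 3). State i is split into one copy (i, sigma) per input
    symbol found on its incoming transitions; f(i) is the set of copies, cf. (8.11)."""
    incoming = defaultdict(set)
    for i, s, j in E2:
        incoming[j].add(s)
    for i in Q0:
        incoming[i].add(1)      # assumed: the initial time is known, so the class of an
                                # initial state is announced as if by a detected transition
    f = {i: {(i, s) for s in incoming[i]} for i in Q}
    Qe = sorted(set().union(*f.values()))
    Ee = {(w, (j, s)) for (i, s, j) in E2 for w in f[i]}
    he = {(i, s): relabel(s, c[i], h[i]) for (i, s) in Qe}
    return Qe, Ee, he, f


def enrich():
    """Run Steps 0, 2 and 3 and return the enriched discrete structure of H_e."""
    classes = quotient_space(Q, indistinguishable)
    c = class_labels(classes, LABELS)
    E2 = step2()
    Qe, Ee, he, f = step3(E2, c)
    return {"classes": classes, "c": c, "E2": E2, "Qe": Qe, "Ee": Ee, "he": he, "f": f}


if __name__ == "__main__":
    r = enrich()
    print("Q/~ =", r["classes"])
    print("E(2) =", sorted(r["E2"]))
    for w in r["Qe"]:
        print(f"state {w[0]}{w[1]}: h_e = {r['he'][w] or 'ε'}")
```

With these assumptions, 3 splits into 31 (entered by an undetected transition, output ε) and 32 (output α), and 4 into 41 (output ε) and 42 (output β), while 1, 2 and 5 keep a single copy.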

8.4 Notes and Further Reading

The approach described in this chapter was inspired by the work [1], which was pioneering in exploiting the continuous output evolution information to generate some discrete signals that provide additional information useful in discriminating the discrete states. By combining continuous and discrete information, we have transformed the given system H into a system He, with enriched discrete output information, which will be shown in the next Chap. 9 to be “equivalent” to the given one from the observability properties point of view. By neglecting the continuous information of He, sufficient conditions can be derived to check observability of the discrete component of the state of the given system H. Equivalence notions for dynamical and hybrid systems can be found, e.g. in [6] and references therein. In [6], a general notion of hybrid bisimulation was proposed for the class of switching linear systems, and connections between the notions of bisimulation-based equivalence, state-space equivalence, algebraic, and input–output equivalence were investigated. The Enriching Procedure described in this chapter was first introduced in [2] for the nominal case. The case under attack was analyzed in [3–5]. The procedure can be applied to the case under attack by simply replacing the notion of distinguishability by s-secure distinguishability.

References

1. Balluchi A, Benvenuti L, Di Benedetto MD, Sangiovanni-Vincentelli AL (2002) Design of observers for hybrid systems. In: Tomlin CJ, Greenstreet MR (eds) Hybrid systems: computation and control. Lecture notes in computer science, vol 2289. Springer, Berlin, pp 76–89
2. De Santis E, Di Benedetto MD (2016) Observability of hybrid dynamical systems. Found Trends Syst Control 3(4):363–540
3. Fiore G (2017) Secure state estimation for cyber-physical systems. PhD thesis, University of L’Aquila, Department of Information Engineering, Computer Science and Mathematics
4. Fiore G, De Santis E, Di Benedetto MD (2017) Secure mode distinguishability for switching systems subject to sparse attacks. IFAC-PapersOnLine 50(1):9361–9366. 20th IFAC World Congress
5. Fiore G, De Santis E, Di Benedetto MD (2018) Secure diagnosability of hybrid dynamical systems. In: Sayed-Mouchaweh M (ed) Diagnosability, security and safety of hybrid dynamic and cyber-physical systems. Springer, Berlin
6. Pola G, van der Schaft AJ, Di Benedetto MD (2006) Equivalence of switching linear systems by bisimulation. Int J Control 79:74–92

Chapter 9

Observability Characterization for H-Systems

The observability property as defined in Chap. 6 requires the exact discrete state reconstruction in finite time. In the first part of this chapter, we focus specifically on this particular aspect and define the class of current location observable H -systems, that is H -systems for which the current location, i.e. the current discrete state, can be identified after a finite number of steps, either independently from the continuous evolution, or by using also the continuous evolution. The characterization of current location observability for H -systems requires the notion of critical observability, already introduced for FSMs. Then conditions such that an H -system is observable are given, with some results depending on the linearity of the involved dynamics, and hence specific for the class of L H -systems. Finally, we present an approach for reducing the complexity of the verification process, consisting in finding a system that is “equivalent” to the original one with respect to the property that we want to verify but that is “simpler” to analyze.

9.1 Preliminary Remarks and Assumptions

Consider an H-system as in Eq. (2.4). Definition 6.1 of the observability property requires the exact reconstruction of the hybrid state in finite time. To characterize this property, we split the problem into two subproblems. The first one consists in the reconstruction only of the discrete component using the hybrid output information, and assuming that the continuous input is known. This analysis is carried out in Sect. 9.2. Then, in Sect. 9.3, we assume that the discrete component has been identified and address the reconstruction of the continuous state. In Sect. 9.4, we illustrate some techniques that simplify the verification of observability. Some of the results that will be illustrated are valid for general H-systems, while others hold for LH-systems only, since they are based on the linearity of the dynamical systems. In this chapter, unless otherwise explicitly said, we consider an H-system with constraints defined by the tuple

(R^n × R^m, G, δ, Δ) (9.1)

with G(e) = R^n, ∀e ∈ E, i.e. an H-system where only the interval of time between two consecutive commutations can be constrained by means of the functions δ and Δ. We suppose that no information is available on the elapsed time in each mode, i.e.

Assumption 9.1 Time elapsed from the initial time and time elapsed from the last switching time are unknown.

© Springer Nature Switzerland AG 2023 E. De Santis and M. D. Di Benedetto, H-Systems, Communications and Control Engineering, https://doi.org/10.1007/978-3-031-20447-0_9

9.2 Current and Critical Location Observable H-Systems

Current location observability and critical observability for H-systems go in parallel with Definitions 4.1 and 4.3 given for FSMs. Recalling the definition of output function υ : R → Υ in (2.47), we have:

Definition 9.1 An H-system H is current location observable if there exist a function q̂ : Y × U → Q and a real t̂ > 0 such that for any infinite execution χ = (ξ0, τ, u, (q, x)), with generic u ∈ U, the condition

q̂(υ|[0,t], u|[0,t)) = q(t) (9.2)

is satisfied for almost all t ∈ (t̂, ∞).

Definition 9.2 Given i ∈ Q, an H-system H is critically {i}-observable if there exists a function q̂ : Y × U → Q such that for any infinite execution χ = (ξ0, τ, u, (q, x)), with generic u ∈ U, whenever q(tk) = i

q̂(υ|[0,t], u|[0,t)) = i, ∀t ∈ (tk, tk+1). (9.3)

H is critically location observable if it is critically {i}-observable, ∀i ∈ Q.

If conditions (9.2) and (9.3) hold with the function q̂ depending only on the discrete component yd of the output υ, the system H is said to be current location observable with purely discrete output information and critically {i}-observable with purely discrete output information, respectively. Obviously, an H-system that is current location observable with purely discrete output information is current location observable, and for a system with purely discrete output, i.e. with no available continuous information, the two notions coincide. The same holds for critical {i}-observability. In general, current location observability (Definition 9.1) and critical {i}-observability (Definition 9.2) are independent properties. However, the following obvious equivalence holds:

Proposition 9.1 H is critically location observable if and only if it is current location observable with t̂ = 0.

Moreover, by recalling the definition of the set reach(Q∞) (see (3.8) and (3.11)), a necessary condition for current location observability can be established:

Lemma 9.1 H is current location observable only if it is critically {i}-observable for all i ∈ reach(Q∞).

Proof The condition is necessary because, by Assumption 2.6, for each discrete state i ∈ reach(Q∞), there exists an execution of H which remains forever in that discrete state i, i.e. an execution with card(τ) = L such that q(t) = i ∈ Q∞, ∀t ≥ tL−1.

9.2.1 Checking Current Location Observability: Purely Discrete Information

In this subsection, we consider the case where the current location is identified without using any information about the continuous evolution. The next results establish a link between critical observability and current location observability of the H-system H and of the associated FSM M.

Theorem 9.1 The system H is critically {i}-observable with purely discrete output information if and only if M is critically {i}-observable.

Proof By Assumption 9.1, no information about the time elapsed from the initial time or from the last switching is available. Therefore, the discrete output of H is the same as the output of M and the result follows.

Theorem 9.2 The system H is current location observable with purely discrete output information if and only if the following two conditions hold:
(i) M is current location observable;
(ii) M is critically {i}-observable ∀i ∈ reach(Q∞).

Proof Recall that, by Assumption 2.7, Δ(i) = ∞ if i is a sink state, and hence i ∈ reach(Q∞). Sufficiency: if M is current location observable, there exists k̄ such that, for any state execution σ, given the output execution, the current location is reconstructed for each k in the interval [min{|σ|, k̄}, |σ| + 1). Let μ = max_{i ∈ Q \ reach(Q∞)} Δ(i). Let us consider any infinite state execution ξ of H. If it is such that all its discrete states belong to Q \ reach(Q∞), then card(τ) = ∞, tk+1 − tk ≤ μ, ∀k ∈ N, and hence the current location can be reconstructed for all t greater than t̂ = μk̄. Otherwise, let t̃ be the first instant of time at which the discrete component of ξ belongs to reach(Q∞). If t̃ ∈ [tk, tk+1), k ≥ k̄, current location observability of M ensures current location observability of H, with t̂ = μk̄. Otherwise, if t̃ ∈ [tk, tk+1), k < k̄, then condition (ii) ensures the reconstruction of the current location ∀t ≥ t̃, and t̃ ≤ μk̄. Therefore H is current location observable. Necessity: the necessity of the first condition is obvious. The necessity of the second condition follows from Lemma 9.1 and Theorem 9.1.

As a consequence of Propositions 4.4 and 4.5, Theorem 9.2 implies the following necessary condition, concerning the persistent in time discrete states Q̄ = Qp ∪ reach(Q∞) (see (3.15)):

Proposition 9.2 The H-system H is current location observable with purely discrete output information only if h(i) ≠ ε, ∀i ∈ Q̄.

Recalling the sets introduced in Chap. 4, Theorem 9.2 can be equivalently rewritten as:

Theorem 9.3 Suppose that h(i) ≠ ε, ∀i ∈ Q. The system H is current location observable with purely discrete output information if and only if the following two conditions hold:
(i) B*(S*) ⊂ Θ;
(ii) ∀i ∈ reach(Q∞), (i, j) ∈ S* if and only if j = i.

Proof The first statement is equivalent to the first statement of Theorem 9.2, by Theorem 4.1. The second statement is equivalent to the second statement of Theorem 9.2, by Theorem 4.3. Therefore, the result follows.

In the theorem above, the assumption h(i) ≠ ε, ∀i ∈ Q, is made for the sake of simplicity and without any loss of generality. In fact, by applying Algorithm 3.4, we can associate to the FSM M the FSM V(M) with all visible states, and Propositions 4.6 and 4.7 establish the equivalence between current and critical observability of the two systems.

Recalling Propositions 4.1 and 4.2 concerning the computation of the sets S* and B*(S*), respectively, by Theorem 9.3 and Proposition 3.4 it follows that the space (time) complexity of the algorithm to check current location observability of H is polynomial in card(Q).

9.2.2 Checking Current Location Observability: Mixed Continuous and Discrete Information

In this section, we make use of the Enriching Procedure described in Chap. 8. Since that procedure is based on the distinguishability properties established in Chap. 7, which require linearity of the involved dynamical systems, this section applies to the class of LH-systems. The generalization to H-systems requires the characterization of distinguishability for nonlinear dynamics. Given H, let He be the system (8.15) returned by the Enriching Procedure described in Sect. 8.2.


In defining the system He, we have implicitly assumed that the initial time of the execution is known, since we associated with the initial state the information about its class, and this information is deduced from the elaboration of the continuous input and output of H starting from the initial time. We can represent this implicit assumption by writing the condition h(i) ≠ ε, ∀i ∈ Q0, if the initial states have no predecessors. This is why in this section we assume the following:

Assumption 9.2 pre(i) = ∅ and h(i) ≠ ε, ∀i ∈ Q0.

We can establish the following result:

Theorem 9.4 The LH-system H is current location observable if and only if He is current location observable.

Proof Consider the Enriching Procedure described in Chap. 8. The LH-system H is current location observable if and only if H(1) is current location observable, as a straightforward consequence of Algorithm 3.1. Therefore, we can continue our proof by assuming H = H(1), without loss of generality. If He is current location observable, then there exists t̂ ≥ 0 such that for almost all û ∈ U, the output information allows reconstructing the current discrete state, for any execution χ with u = û, and for almost all t > t̂. The discrete states of H(2) and of He are related by the point-to-set mapping f (see Algorithm 3.2), and if the current discrete state q' of He has been reconstructed at some t, then the same holds for the current discrete state q of H(2), where by construction q' ∈ f(q). But since the state executions of H coincide with the state executions of H(2), then H is current location observable. Conversely, suppose that H is current location observable. By construction, as said in Remark 8.2, each discrete state evolution of H corresponds to a unique discrete state evolution of He, with qe(t) = q(3)(t) ∈ f(q(t)), for all t. Moreover, H and He have the same continuous state and continuous output evolution, and the discrete output function he is such that for any w ∈ f(q) the output string he(w) is “richer” than the output h(q), ∀q ∈ Q, since the symbol h(q) is an element of the string he(w). Therefore, He is current location observable.

In the construction of He, we used the notion of distinguishability between continuous dynamics to generate additional discrete outputs. Since we do not use all the information that can be extracted from the continuous dynamics, e.g. the reachability properties, sufficient conditions will be obtained when using He with purely discrete output information. Hence, from Theorem 9.4, we have:

Corollary 9.1 H is current location observable if He is current location observable with purely discrete output information.

As a consequence, the condition in Theorem 9.3 applied to He is sufficient to check current location observability of H. The next result states explicitly the necessary conditions required for He to be current location observable with purely discrete output information, as required in Corollary 9.1:


Proposition 9.3 He is current location observable with purely discrete output information only if H is such that:
(i) ∀i ∈ Qp with h(i) = ε, (S(j), S(i)) is distinguishable, ∀(j, i) ∈ E such that j ∈ Qp;
(ii) ∀i ∈ reach(Q∞) with h(i) = ε, (S(j), S(i)) is distinguishable, ∀(j, i) ∈ E.

Proof By construction of He, a persistent state for H corresponds to persistent states for He, and a state with infinite dwell time corresponds to states with the same property in He. Therefore, conditions (i) and (ii) are necessary for He to satisfy the conditions of Proposition 9.2.

9.2.3 Leveraging Information on Elapsed Time

In the case of purely discrete information, coherently with the event-based setting, we explicitly assumed that there is no information about the time elapsed from one event to another (see Assumption 9.1). In fact, Theorem 9.2 establishes necessary and sufficient conditions for current location observability of an H-system when only discrete information is available. The same assumption has been implicitly made in analyzing the mixed continuous–discrete information case where, however, we could have some information about time. In fact, the functions υ|[0,t], u|[0,t) were assumed to be known, although the information about the time elapsed from the last detected transition was not used. In that case, the conditions for current location observability could be weaker. In this regard, consider the following example.

Example 9.1 (The elapsed time is known) In this example, we show that the information about the dwell time can be used for assessing current location observability. Consider the L_H-system in Fig. 9.1. State 3 has infinite maximum dwell time; all other states have finite maximum dwell time equal to Δ. The initial discrete state is the state 1. For all i = 1, 2, 3, 4, 5 the dynamical system S(i) is represented by the equation:

Fig. 9.1 The system of Example 9.1. State 3 has infinite maximum dwell time



ẋ = βu(t), with β > 0, and the reset matrix R_e is equal to 0 for all e ∈ E. Clearly, the dynamical systems are not distinguishable. Let us assume that the continuous output coincides with the continuous state, and the discrete output information is represented by the symbols a, b, c, d as in the picture. This L_H-system is not current location observable with purely discrete output information because the states 2 and 3 have the same output b and the maximum dwell time in state 3 is infinite. Thus we are in the mixed information case. Since all the S(i) are the same, the additional discrete output associated with the equivalence class of the systems S(i) does not give additional information. Therefore He can be represented by the same system H without loss of generality. Under Assumption 9.1, Lemma 9.1 implies that the L_H-system H is not current location observable, because state 3 is not critically observable. Suppose now that Assumption 9.1 does not hold. The switching times are immediately detected because of the discrete outputs. Since Δ(1) = Δ, for each hybrid state execution the first interval of the time basis is [t0, t1) with t1 ≤ Δ. Then, when receiving the discrete output b at time t1, we are either in state 2 or 3. If after time t1 + Δ no discrete output is received, this means we are in state 3 and the current discrete state can be reconstructed for all t greater than t1 + Δ. Otherwise we can deduce that the current discrete state is either 4 or 5, and the discrete output resolves the ambiguity. Hence, for any execution, after at most 2Δ units of time, the current discrete state is definitively reconstructed and the L_H-system is current location observable.

The example above suggests that it is possible to state less conservative conditions if some information about dwell times is available. The model information may be poor, for example the maximum dwell time is set to infinite for all states, or it may be inaccurate, so that for example only an upper bound for the maximum dwell time is defined. The more precise the information, the less conservative the observability conditions would be.

9.3 Checking Observability of an L_H-System

In this section, we characterize observability for an L_H-system H. By Definition 6.1, current location observability is necessary for observability to hold. Therefore, in this section we can make the following assumption without any loss of generality:

Assumption 9.3 The L_H-system H is current location observable.

The first simple result can be stated as follows:

Proposition 9.4 Let H be an L_H-system. (i) If the pair (Ai, Ci) is observable, ∀i ∈ Q, then H is observable.


(ii) If Q0 ⊂ Q∞ then H is observable if and only if the pair (Ai, Ci) is observable, ∀i ∈ Q0.

Proof (i) Since H is current location observable and by definition of persistent in time states (see Remark 3.1), there exists a finite time t̃ > 0 such that the hybrid state can be reconstructed for almost all t ≥ t̃. Hence, H is observable. (ii) The necessity is obvious. By Theorem 9.3, current location observability implies critical {i}-observability for all i ∈ reach(Q∞), and the sufficiency follows. ∎

The case of Q∞ = Q is a special case of the proposition above. Notice that in this case the two notions of current location observability and critical location observability of H coincide. The sufficient condition in the first statement of Proposition 9.4 is easily checked. However, the observability of each dynamical system in Q may be too restrictive or not feasible in practice. Therefore, we now characterize completely the observability property. Consider an L_H-system H = (Ξ, Ξ0, Υ, h, S, E, R) with S(i) described by the equations

$$\dot x(t) = A_i x(t) + B_i u(t), \qquad y(t) = C_i x(t) \tag{9.4}$$

and with constraints on the dwell time, as defined in the tuple (9.1). Let us define the autonomous L_H-system H0 as

$$H_0 = \left(\Xi, \Xi_0', \Upsilon, h, S', E, R\right) \tag{9.5}$$

where each system S'(i) is described by the equations

$$\dot x(t) = A_i x(t), \qquad y(t) = C_i x(t) \tag{9.6}$$

and the set of initial hybrid states is

$$\Xi_0' = \bigcup_{i \in Q_0} \{i\} \times I_i \tag{9.7}$$

where I_i denotes the linear subspace of states which are indistinguishable from the origin, i.e.

$$I_i = \ker(O_i), \qquad O_i = \begin{pmatrix} C_i \\ C_i A_i \\ \vdots \\ C_i A_i^{n-1} \end{pmatrix}.$$


The constraints for H0 are defined by the tuple

$$\left(\mathbb{R}^n \times \mathbb{R}^m, G', \delta, \Delta\right) \tag{9.8}$$

where, for e = (i, j) ∈ E, we define the guard condition in such a way that the continuous state after the reset belongs to the set I_j, i.e.

$$G'(e) = R((e, \cdot))^{-1}(I_j) \tag{9.9}$$

where R((e, ·))^{-1}(I_j) = {x ∈ R^n : R((e, x)) ∈ I_j}. For simplicity, in what follows we call H0 the system (9.5) with constraints (9.8). The system H0 has the property that starting from any initial state in Ξ0' the continuous output evolution is identically zero. Moreover, by definition of H0, we can establish the following relationship with H:

Lemma 9.2 Any state execution of H0 is a state execution of H. Conversely, any state execution of H with identically zero input and identically zero continuous output evolution is a state execution of H0.

The lemma above suggests to call the system H0 the unobservable system associated with H. The following theorem characterizes observability for an L_H-system, by requiring that any infinite execution of H0 is such that its continuous component is eventually zero.

Theorem 9.5 Consider an L_H-system H. Suppose that Q0 = Q. Then H is observable if and only if there exists t̃ ∈ R⁺₀ such that, for any infinite execution of H0,

$$x(t) = 0, \quad \forall t \ge \tilde t \tag{9.10}$$

where x(t) is the continuous component of the hybrid state of H0 at time t.

Proof Since H is current location observable by Assumption 9.3, there exists a finite time t̄ starting from which the discrete state evolution can be reconstructed for almost all t ≥ t̄.

Sufficiency: for any two state executions χ1|[t̄,∞) and χ2|[t̄,∞) which are both compatible with the same output evolution, the discrete component of the state is known, for almost all t ≥ t̄. Then, since H is a linear H-system (see Definition 2.4), the execution obtained by combining χ1|[t̄,∞) and χ2|[t̄,∞) with coefficients α = 1 and β = −1 is an execution of H, with identically zero continuous output. Therefore from Lemma 9.2 it is an infinite execution of H0. Let x_i(t) be the continuous component of the hybrid state of H_i at time t, i = 1, 2. Since condition (9.10) holds for any initial hybrid state in Ξ0' = ⋃_{i∈Q} {i} × I_i, then x1(t̄ + t̃) = x2(t̄ + t̃) and therefore the continuous state can be computed for almost all t ≥ t̄ + t̃. Therefore the proof of the sufficiency follows.

Fig. 9.2 The system of Example 9.2: condition (9.10) is not sufficient to ensure observability of H if Q0 ≠ Q

Necessity: suppose that for any t̃ ∈ R⁺₀ there exists t ≥ t̃ and an execution χ̄ of H0 such that x(t) ≠ 0. Since by definition of execution of an L_H-system x(t) belongs to a trajectory which is the solution of a linear differential equation, there exists a finite time interval [t − τ, t + τ] in which the value of the state is non-zero. Hence, from Lemma 9.2, there exist at least two executions of H having the same output, where the difference between the continuous evolutions is equal to the continuous evolution of χ̄. Therefore, the system H is not observable. ∎

If Q0 ≠ Q, the condition (9.10) is not sufficient to ensure observability of a current location observable H-system H, as the following example shows:

Example 9.2 Consider an autonomous L_H-system H, with associated FSM represented in Fig. 9.2. The discrete state set is Q = {1, 2, 3, 4}, the initial discrete state is 1 and E = {(1, 2), (1, 3), (2, 4), (3, 4), (4, 4)}. Suppose that h(1) = h(2) = h(3) = a and h(4) = b. Let a finite maximum dwell time be defined for each mode. Then H is current location observable. Suppose that the dynamical system S(1) is observable, all the reset functions are the identity, but no continuous output is available for the systems S(i), i ∈ {2, 3, 4}. Suppose that the systems S(2) and S(3) are not described by the same differential equations. Then H0 satisfies condition (9.10), but H is not observable.

The H-system in the example above is not observable because current location observability implies the possibility of reconstructing the current discrete state 4, for all times greater than some finite time t̄, but not of reconstructing the past discrete state trajectory, with initial state 1 and with ending state 4. Hence the knowledge of the continuous state in the interval (t0, t1), where t1 is the first switching time, is not sufficient for the reconstruction of the continuous state, for all times greater than some finite time t̃.

To give a sufficient condition of observability without the assumption Q0 = Q, in the following corollary to Theorem 9.5 we require a property stronger than current location observability.

Corollary 9.2 If an L_H-system H is observable, then there exists t̃ ∈ R⁺₀ such that, for any infinite execution of H0


Fig. 9.3 The FSM associated with a linear system with periodic jump

$$x(t) = 0, \quad \forall t \ge \tilde t. \tag{9.11}$$

Conversely, if the condition above holds and H is critically location observable then H is observable.

Proof The proof of the first statement follows the same lines as the proof of necessity of Theorem 9.5. In the second statement, since the discrete component of the state can be reconstructed for almost all t ≥ 0, the arguments used in the sufficiency part of the proof of Theorem 9.5 can be used by replacing t̄ with 0. ∎

Finally, again as a corollary to Theorem 9.5, we can give a sufficient condition for the observability of an L_H-system without assuming Q0 = Q, by requiring finite time convergence to zero for all infinite executions of H0, starting from any persistent in time discrete state. Let Q̄ be the set of persistent in time discrete states of H, as defined in (3.15).

Corollary 9.3 H is observable if there exists t̃ ∈ R⁺₀ such that x(t) = 0, ∀t ≥ t̃ for any infinite execution of H0, with initial hybrid state in the set

$$\bar\Xi_0 = \bigcup_{i \in \bar Q} \{i\} \times I_i. \tag{9.12}$$

Proof The proof follows from the proof of sufficiency of Theorem 9.2, because the set Q̄ is reached by any state execution of H in finite time (see Lemma 3.1), and starting from any hybrid state in Ξ̄0 the evolution of H0 reaches the origin in finite time. ∎

Testing the condition of Theorem 9.5, as well as those of its corollaries, is in general not easy. However, it may be simple in some particular cases, as shown in the following example.

Example 9.3 (Linear system with periodic jumps) Consider the H-system

$$H = \left(\Xi = \{1\} \times \mathbb{R}^n,\ \Xi_0 = \Xi,\ \Upsilon = \{a\} \times \mathbb{R}^p,\ h,\ S,\ E = \{(1, 1)\},\ R\right) \tag{9.13}$$

with the unique dynamical system assumed autonomous and described by the matrices A ∈ R^{n×n} and C ∈ R^{p×n} (see Fig. 9.3). The linear reset function is described by the matrix R ∈ R^{n×n}. The constraints are described by the condition:

$$\delta(1) = \Delta(1) = \tau_d. \tag{9.14}$$


The system H represents a linear system with periodic jumps. By denoting with I the unobservable subspace related to the pair (A, C), the system H0 is described by the tuple

$$\left(\Xi = \{1\} \times \mathbb{R}^n,\ \Xi_0 = \{1\} \times I,\ \Upsilon = \{a\} \times \mathbb{R}^p,\ h,\ S,\ E = \{(1, 1)\},\ R\right) \tag{9.15}$$

with guard condition

$$G((1, 1)) = \{x \in \mathbb{R}^n : Rx \in I\}. \tag{9.16}$$

In this case the set of all infinite state executions of H0 can be characterized as the executions with initial continuous state in the maximal subspace F ⊂ ker(C) with the following properties:

$$R \exp(A\tau_d) F \subset F, \qquad A F \subset F. \tag{9.17}$$

Since I is the largest A-invariant subspace of ker(C), then F ⊂ I. For the system H, the set Γ ⊂ R^n starting from which the continuous state reaches the origin is

$$\Gamma = \ker\left((R \exp(A\tau_d))^n\right). \tag{9.18}$$

Therefore, from Theorem 9.5, the system (9.13) with constraints (9.14) is observable if and only if

$$F \subset \Gamma \tag{9.19}$$

which is exactly the condition that characterizes the so-called constructability property in [10], which corresponds to the observability notion of Definition 6.1.

9.4 Simplifying Verification of Observability Conditions

For a general L_H-system, Theorem 9.5 fully characterizes the observability property, which is shown to be equivalent to current location observability of the given L_H-system and finite-time reachability of the origin of an autonomous L_H-system associated with the given one. In this section, we show how to simplify the verification process, by constructing a system that is equivalent to the original one with respect to the property we want to verify but that is simpler to analyze. We illustrate some techniques based on the decomposition of the discrete state space, while the continuous state description remains unchanged.


9.4.1 Checking Observability by Traps Decomposition

The first technique we describe is based on the identification of particular structures in the discrete state space. Given the FSM M associated with H, consider the set of traps M(i), i = 1, 2, ..., |M|, as introduced in Definition 3.4.¹ Given a trap

$$M^{(i)} = \left(Q^{(i)}, Q_0^{(i)}, Y, h, E|_{Q^{(i)} \times Q^{(i)}}\right)$$

let H(i) be the associated L_H-system, i.e.

$$H^{(i)} = \left(\Xi^{(i)}, \Xi_0^{(i)}, \Upsilon, h, S, E|_{Q^{(i)} \times Q^{(i)}}, R\right) \tag{9.20}$$

where Ξ0(i) = Q0(i) × R^n. For notational simplicity, the symbol R in H(i) denotes the function R in H, restricted to the appropriate domain, according to the definitions of Ξ(i), Ξ0(i) and E|Q(i)×Q(i) in Eq. (9.20). Given H(i), let

$$H_0^{(i)} \tag{9.21}$$

be the associated unobservable system. We can prove the following:

Theorem 9.6 Assume that Ξ0 = Ξ and that H is critically location observable. Then H is observable if and only if, ∀i = 1, 2, ..., |M|, H(i) is observable.

Proof From the results in [5], under the assumption of full discrete state information, observability of H is equivalent to observability of all the systems H(i). Since critical location observability implies the possibility of reconstructing each discrete state within an arbitrarily small time interval after the switching time, the result follows. ∎

Critical location observability with Q0 = Q is equivalent to the possibility of identifying every discrete location univocally and "immediately", on the basis either of the discrete output or of the continuous output. By relaxing this hypothesis, a sufficient condition is obtained:

Theorem 9.7 Suppose that H is current location observable. If for any i = 1, 2, ..., |M|, H(i), with Ξ0(i) = Ξ(i), is observable, then H is observable.

Proof Since H is current location observable, there exists a finite t̃ such that the current discrete state can be exactly determined for any t > t̃. Therefore, for t > t̃ we are in the hypothesis of [5] as far as the discrete state information is concerned. Moreover, the result in [5] holds for any hybrid initial state. Hence, the result follows. ∎

¹ With the term "trap" we mean "maximal trap" (see Proposition 3.1 and subsequent remark).


Fig. 9.4 The system of Example 9.4: H is critically location observable, but observability of H does not imply observability of the trap H(1) (inside the dashed rectangle)


In general, if in Theorem 9.6 we remove the condition Ξ0 = Ξ, observability of H does not imply observability of H(i), as the following example shows.

Example 9.4 Consider the critically location observable autonomous L_H-system H represented in Fig. 9.4. Suppose that the maximum dwell time is Δ = ∞ for all locations and that the reset is the identity map. Then there is just one trap, which corresponds to the discrete states 4 and 5. Let H(1) be the L_H-system associated with such trap. Suppose that the systems S(4) and S(5) are described by the matrices

$$A_4 = \begin{pmatrix} 1 & 0 \\ 1 & -1 \end{pmatrix}, \quad C_4 = \begin{pmatrix} 1 & 0 \end{pmatrix}, \qquad A_5 = \begin{pmatrix} 1 & 0 \\ -2 & -3 \end{pmatrix}, \quad C_5 = \begin{pmatrix} 1 & 0 \end{pmatrix}.$$

Then H(1) is not observable, because it is not possible to determine the current discrete state either on the basis of the discrete information or on the basis of the continuous one. The continuous state cannot be reconstructed, even if the discrete state were known. However, suppose that the systems S(2) and S(3) are such that

$$C_2 = C_3 = \begin{pmatrix} 0 & 1 \end{pmatrix};$$

then it is easy to verify that the system H is observable, whatever the matrices A2 and A3 are.

In the next example, we show that observability of all traps, with Ξ0(i) = Ξ(i), does not imply observability of the given system H. This is because current location observability of the traps does not imply current location observability of H, as required by Theorem 9.7.

Example 9.5 Consider the autonomous L_H-system H represented in Fig. 9.5. Suppose that the maximum dwell time is equal to Δ = ∞ for all locations and that the


Fig. 9.5 The system of Example 9.5


reset is the identity map for all transitions. Suppose also that the systems S(1) and S(2) are observable, while the systems S(3), S(4) and S(5) are represented by the matrices:

$$A_3 = \begin{pmatrix} 1 & 0 \\ 1 & -1 \end{pmatrix}, \ C_3 = \begin{pmatrix} 1 & 0 \end{pmatrix}, \qquad A_4 = \begin{pmatrix} 1 & 0 \\ -2 & -3 \end{pmatrix}, \ C_4 = \begin{pmatrix} 1 & 0 \end{pmatrix}, \qquad A_5 = \begin{pmatrix} 1 & -2 \\ 2 & 1 \end{pmatrix}, \ C_5 = \begin{pmatrix} 1 & 1 \end{pmatrix}.$$

In this case, we have two traps, one associated with states 1 and 2 and the other with states 3, 4 and 5. Let H(1) and H(2) be the corresponding L_H-systems. H(1) and H(2) are both observable, but the system H is not observable because, even after an arbitrarily long execution, it is not possible to distinguish between discrete state 3 and discrete state 4, neither on the basis of the discrete evolution nor on the basis of the continuous evolution.
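As an added illustration (not code from the book), the following Python builds the observability matrix O_i of Sect. 9.3, tests its rank and returns a basis of the unobservable subspace I_i = ker(O_i) for the matrices of Examples 9.4 and 9.5, using exact rational arithmetic so that rank decisions do not depend on rounding. It also checks the mechanism behind Example 9.4: with an identity reset, the output maps C_2 = [0 1] before the switch and C_4 = [1 0] after it, stacked, determine the continuous state at the switching time. All function names are this example's own choices.

```python
"""Observability-matrix checks for the matrices of Examples 9.4 and 9.5.

Added illustration, not the book's own code. Exact arithmetic with
fractions.Fraction, so rank decisions are not affected by rounding.
"""
from fractions import Fraction


def _frac(M):
    """Copy a matrix (list of rows) converting every entry to Fraction."""
    return [[Fraction(v) for v in row] for row in M]


def matmul(A, B):
    """Plain matrix product of two lists-of-rows."""
    return [[sum(A[i][p] * B[p][j] for p in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]


def rref(M):
    """Reduced row echelon form of M; returns (rows, pivot columns)."""
    R = _frac(M)
    pivots, r = [], 0
    for c in range(len(R[0])):
        p = next((i for i in range(r, len(R)) if R[i][c] != 0), None)
        if p is None:
            continue                      # no pivot in this column below row r
        R[r], R[p] = R[p], R[r]
        piv = R[r][c]
        R[r] = [v / piv for v in R[r]]
        for i in range(len(R)):           # clear the column above and below
            if i != r and R[i][c] != 0:
                f = R[i][c]
                R[i] = [a - f * b for a, b in zip(R[i], R[r])]
        pivots.append(c)
        r += 1
        if r == len(R):
            break
    return R, pivots


def rank(M):
    return len(rref(M)[1])


def nullspace(M):
    """Basis of ker(M): one vector per free column of the RREF."""
    R, pivots = rref(M)
    ncols = len(M[0])
    basis = []
    for f in (c for c in range(ncols) if c not in pivots):
        v = [Fraction(0)] * ncols
        v[f] = Fraction(1)
        for i, pc in enumerate(pivots):
            v[pc] = -R[i][f]
        basis.append(v)
    return basis


def observability_matrix(A, C):
    """O_i = [C_i; C_i A_i; ...; C_i A_i^(n-1)] as defined in Sect. 9.3."""
    A, rows, Ck = _frac(A), [], _frac(C)
    for _ in range(len(A)):
        rows.extend(Ck)
        Ck = matmul(Ck, A)
    return rows


def unobservable_subspace(A, C):
    """I_i = ker(O_i): the states indistinguishable from the origin."""
    return nullspace(observability_matrix(A, C))


def is_observable(A, C):
    """Kalman rank test: (A_i, C_i) is observable iff rank(O_i) = n."""
    return rank(observability_matrix(A, C)) == len(A)


def state_fixed_at_switch(C_before, C_after):
    """With an identity reset the continuous state is the same just before
    and just after a switch, so it is determined at the switching time iff
    the stacked output maps [C_before; C_after] have full column rank."""
    stacked = _frac(C_before) + _frac(C_after)
    return rank(stacked) == len(stacked[0])


# Matrices copied from Example 9.4 (trap {4, 5}) and Example 9.5 (trap {3, 4, 5}).
EXAMPLE_9_4 = {4: ([[1, 0], [1, -1]], [[1, 0]]),
               5: ([[1, 0], [-2, -3]], [[1, 0]])}
EXAMPLE_9_5 = {3: ([[1, 0], [1, -1]], [[1, 0]]),
               4: ([[1, 0], [-2, -3]], [[1, 0]]),
               5: ([[1, -2], [2, 1]], [[1, 1]])}

if __name__ == "__main__":
    for name, modes in (("Example 9.4", EXAMPLE_9_4), ("Example 9.5", EXAMPLE_9_5)):
        for i, (A, C) in modes.items():
            print(name, "S(%d): observable=%s, dim I_%d=%d" %
                  (i, is_observable(A, C), i, len(unobservable_subspace(A, C))))
    # Example 9.4: C_2 = C_3 = [0 1] before entering the trap, C_4 = [1 0] inside it.
    print("state known at the 2 -> 4 switch:", state_fixed_at_switch([[0, 1]], [[1, 0]]))
```

For S(3) and S(4) of Example 9.5 both unobservable subspaces are spanned by (0, 1), which is the direction the output never sees and the reason the two modes cannot be told apart from the continuous evolution.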

9.4.2 Checking Observability by Removing Observable Components

We now illustrate another technique that allows simplifying the verification of observability, based on the following remark. If starting at a given location all the evolutions reach a location corresponding to an observable system after a bounded interval of time, then those evolutions certainly allow the reconstruction of the state. Hence, those evolutions can be skipped in checking the observability property. Consider H = (Ξ, Ξ0, S, Υ, h, E, R) and i ∈ Q such that S(i) is observable. We define a new system H̃ by removing from the discrete state space of H all the states starting from which the mode i is eventually reached, for any execution.


Fig. 9.6 The state-space reduction of Example 9.6 (1/3). The figure depicts the FSM associated with H. S(1) is observable. Starting from 6 the discrete state 1 is reached at most after Δ units of time


By denoting with Q̂ ⊂ reach^{-1}(i) the set of discrete states j ∈ Q such that any execution starting from j reaches the state i in finite time, let us define the sets

$$\tilde\Xi = \tilde Q \times \mathbb{R}^n \subset \Xi, \qquad \tilde\Xi_0 = \tilde Q_0 \times \mathbb{R}^n \subset \Xi_0 \cap \tilde\Xi$$

where

$$\tilde Q = Q \setminus \hat Q, \qquad \tilde Q_0 = Q_0 \setminus \hat Q.$$

The system H̃ is defined as follows:

$$\tilde H = \left(\tilde\Xi, \tilde\Xi_0, S, \Upsilon, h, E|_{\tilde\Xi \times \tilde\Xi}, R\right). \tag{9.22}$$

We obtain the following necessary and sufficient condition for observability:

Theorem 9.8 Assume that H is critically location observable. Then H is observable if and only if H̃ is observable.

By recursively applying the procedure above, we can obtain a system H̃ as in (9.22), where all the dynamical systems are not observable, and for which Theorem 9.8 holds.

Example 9.6 Consider the system H depicted in Fig. 9.6. A cyan discrete state means infinite maximum dwell time associated with that discrete state. The maximum dwell time is finite and equal to Δ for all the other states. The set of initial states is Ξ. We assume that H is critically location observable. The linear system S(1) is

Fig. 9.7 The state-space reduction of Example 9.6 (2/3). By removing the states 1 and 6, the figure depicts the FSM associated with H̃


observable. Since Q̃ = Q \ {1, 6}, by applying Theorem 9.8 we have to check observability of the system H̃ depicted in Fig. 9.7. Finally, since Theorem 9.6 holds, we further decompose the system into two traps, and hence checking observability of H is equivalent to checking observability of the two L_H-systems in Fig. 9.8.

9.4.3 Checking Observability by Removing Persistent Components

We finally present a technique for simplifying verification of the observability property, based on the following remark. When the maximum dwell time in the current discrete state is equal to infinity, the evolution may remain in that state forever, without any further discrete transition. Hence, in that case, the system is observable only if the current continuous state has been exactly reconstructed. Moreover, if the current continuous state is known and we can ensure the reconstruction of the discrete state in the future, then we can also ensure the reconstruction of the continuous state. Given H = (Ξ, Ξ0, S, Υ, h, E, R), define the system H̃ such that there is no discrete transition starting from a mode with unbounded maximum dwell time:

$$\tilde H = \left(\Xi, \Xi_0, S, \Upsilon, h, \tilde E, R\right) \tag{9.23}$$

where Ẽ ⊂ E and Ẽ = {(i, j) ∈ E : Δ(i) ≠ ∞}.

Theorem 9.9 Let H be current location observable. H is observable if and only if H̃ is observable.


Fig. 9.8 The state-space reduction of Example 9.6 (3/3). The two traps of the system H̃ are represented. H is observable if and only if the H-systems associated with these two traps are observable


Fig. 9.9 The structural simplification of Theorem 9.9. System H (on the left) and system H̃ (on the right). The state 3 belongs to Q∞. A finite maximum dwell time is associated with the other states. H̃ is obtained by removing transitions from states with infinite maximum dwell time. Since state 5 cannot be reached by any execution of H̃, an additional simplification is obtained by removing state 5 and the transition from 5 to 4 from H̃

Proof Necessity: suppose H̃ is not observable. Then either there is an infinite execution χ1 with Δ(q(t)) ≠ ∞ ∀t, such that y(t) = 0, ∀t > 0, or there exists an infinite execution χ2 with card(τ) = L < ∞, with Δ(q(t_L)) = ∞, such that y(t) = 0, ∀t > 0. Since χ1 and χ2 are both executions of H, then H is not observable.

Sufficiency: if (i, x) ∈ Ξ0 is such that Δ(i) = ∞, H̃ observable implies that the linear system S(i) is observable, and hence at any time t > 0 the state x(t) can be reconstructed from the information y|[0,t]. By definition of current location observability for H, if x(t̄) is known at t̄ > t̃, then the value x(t) can be computed at t, for any t > t̄ such that q is known at t. If q(t̄) is not known at some t̄ > t̃, the value x(t̄) can be computed at time t > t̄ as lim_{t→t̄⁺} x(t). If the state (i, x) ∉ Ξ0 is such that Δ(i) = ∞, by definition of Ẽ, any finite execution with last discrete state equal to i, i.e. with q(t_L) = i, is such that Δ(q(t)) ≠ ∞, ∀t < t_L. Therefore either t̃ < t_L, and hence x(t) is known for almost all t > t̃ (see the discussion above), or the observability of H̃ implies the observability of S(i), and t̃ = t_L. The observability of H̃ implies the observability of H. ∎

An example of the structural simplification that can be obtained by Theorem 9.9 is illustrated in Fig. 9.9.


9.5 Notes and Further Reading

In Sect. 9.2, we extended to H-systems the notion of critical and current location observability, previously introduced in Chap. 4 for Finite-State Machines. In describing the mixed continuous–discrete information in Sect. 9.2.2, we considered the class of L_H-systems to leverage the Enriching Procedure described in Chap. 8, which associates to the given L_H-system another L_H-system which encompasses the continuous output information by encoding it with suitable discrete outputs. The two systems are equivalent with respect to the observability property. For a systematic analysis of equivalence notions for hybrid systems, the reader is referred to the paper [9]. The approach presented in this chapter is inspired by the work [2] where the technique of exploiting the continuous output evolution to generate discrete signals used to discriminate discrete states was introduced (see also Chap. 8). In Sect. 9.3, we characterized observability for a current location observable L_H-system. The condition is based on the unobservable system associated with the given one, i.e. a system with continuous output function identically equal to zero, if the input is identically equal to zero. This condition was introduced in [7] and further discussed in [6]. In the same section, we considered as an example the class of linear systems with periodic jumps. This class has been widely studied in the literature, see e.g. [4, 10, 11] and references therein. In Sect. 9.4, we described some techniques to mitigate the difficulty of verifying the observability of a general L_H-system, based on appropriate decompositions of the discrete state space, without modifying the dynamical systems evolving in the continuous state space. This approach is based on the paper [5]. In [6], following [8], a parallel analysis was performed, where only the continuous state space is acted upon while the discrete structure is left unchanged.
Following Definition 6.1, current location observability of an H -system is necessary for observability to hold. However, some authors address the issue of estimating the continuous state for a switching system without estimating the discrete state. In general, sufficient conditions are provided such as in [1], where an algorithm for estimating the continuous state is proposed. In the compressed sensing literature, the idea is to minimize a weighted cost functional, resulting in “forcing” the sparsity of a vector that accounts for the error due to the mismatch between the estimated current mode and the actual mode, making the exact knowledge of the sequence of discrete modes unnecessary. Taking a different approach, a structural condition is offered in [3] such that, given a set of linear systems, it is possible to recover the continuous state without knowledge of the current active mode. In this chapter, we considered an H -system where the only constraints concern the dwell time (see (9.1)). Therefore, in the general case of a constrained H -system, the sufficient condition in Corollary 9.1 still holds. However, if available, information about reset functions and guard sets can be leveraged. As an example, suppose that the continuous output coincides with the continuous state, the current mode i is known


and the transitions (i, j) and (i, s) are defined with j ≠ s, S(j) = S(s). Let the pair (S(i), S(j)) be distinguishable. Then the pair (S(i), S(s)) is also distinguishable. Suppose that R_(i,j) x = x, R_(i,s) x = −x and G((i, j)) = G((i, s)). By applying the Enriching Procedure, the two transitions (i, j) and (i, s) are encoded exactly in the same way. However, for any generic input function, from the continuous evolution it is possible to distinguish between the two transitions, because of the reset function. Similarly, for the same pair of transitions (i, j) and (i, s), suppose that R_(i,j) = R_(i,s) and G((i, j)) ∩ G((i, s)) = {0}. Then, knowing the continuous state before switching, if it is non-zero, allows one to distinguish between the two transitions.

References

1. Bako L, Lecoeuchei S (2013) A sparse optimization approach to state observer design for switched linear systems. Syst & Control Lett 62:143–151
2. Balluchi A, Benvenuti L, Di Benedetto MD, Sangiovanni-Vincentelli AL (2002) Design of observers for hybrid systems. In: Tomlin CJ, Greenstreet MR (eds) Hybrid systems: computation and control. Lecture notes in computer science, vol 2289. Springer, Berlin, pp 76–89
3. Bejarano FJ, Mera M (2021) Continuous state observability and mode reconstructability of switched nonlinear systems with unknown switching function. Int J Robust Nonlinear Control 31:3827–3840
4. Carnevale D, Galeani S, Menini L, Sassano M (2015) Hybrid output regulation for linear systems with periodic jumps: Solvability conditions, structural implications and semi-classical solutions. IEEE Trans Autom Control 61(9):2416–2431
5. De Santis E, Di Benedetto MD (2013) Theory and computation of discrete state space decompositions for hybrid systems. Eur J Control 19:1–10
6. De Santis E, Di Benedetto MD (2016) Observability of hybrid dynamical systems. Found Trends Syst Control 3(4):363–540
7. De Santis E, Di Benedetto MD, Pola G (2009) A structural approach to detectability for a class of hybrid systems. Automatica 45:1202–1206
8. De Santis E, Di Benedetto MD, Pola G (2010) A complexity reduction approach to detectability of switching systems. Int J Control 83:1930–1938
9. Pola G, van der Schaft AJ, Di Benedetto MD (2006) Equivalence of switching linear systems by bisimulation. Int J Control 79:74–92
10. Possieri C, Teel A (2016) Structural properties of a class of linear hybrid systems and output feedback stabilization. IEEE Trans Autom Control 62(6):2704–2719
11. Ríos H, Davila J, Teel AR (2019) Linear hybrid systems with periodic jumps: a notion of strong observability and strong detectability. IEEE Trans Autom Control 65(6):2640–2646

Chapter 10

Relaxing the Observability Notion

In this chapter, L H -systems with full discrete state information are considered. We have shown in Chap. 9 that observability as defined in Chap. 6 can be characterized in terms of finite time convergence to zero of all the trajectories with infinite time duration of an appropriate L H -system associated with the given one. However, verifying this condition may be difficult in general. More easily checkable conditions can be obtained with a relaxation of the observability definition, by requiring the continuous state reconstruction not for all possible switching times but for almost all switching times.

10.1 Almost Always Observability

In this chapter, we consider the case of L_H-systems with full discrete state information. Hence, we don't lose generality in considering autonomous L_H-systems. In Chap. 6, the important role played by the input in reconstructing the discrete state of an L_H-system from the continuous output information was highlighted. Since here we are assuming that the discrete state is known,¹ the case of non-autonomous linear systems is a simple generalization if the input is known at each t. Systems with unknown input are not addressed in this chapter. Consider the autonomous L_H-system

$$H = (\Xi, \Xi_0, \Upsilon, h, S, E, R). \tag{10.1}$$

1

For the sake of simplicity, we address here the case of full discrete state information. However, the analysis can be easily extended to current location observable hybrid systems, where the current state is known after a transient. © Springer Nature Switzerland AG 2023 E. De Santis and M. D. Di Benedetto, H-Systems, Communications and Control Engineering, https://doi.org/10.1007/978-3-031-20447-0_10

195

196

10 Relaxing the Observability Notion

Since the discrete component of the state is assumed to be known, and by recalling that $\upsilon : \mathbb{R} \to \Upsilon$ is the output function of $H$ (see (2.47)), the observability definition introduced in Chap. 6 specializes as follows:

Definition 10.1 An LH-system $H$ is observable if there exist a function $\hat{x} : Y \to \mathbb{R}^n$ and a finite time $\hat{t} > 0$ such that

$$\hat{x}\big(\upsilon|_{[0,t]}\big) = x(t), \quad \forall t > \hat{t} \qquad (10.2)$$

for any infinite execution of $H$.

Observability as in Definition 10.1 is characterized by Theorem 9.5 in terms of finite time convergence to zero of all the trajectories with infinite time duration of an appropriate LH-system associated with $H$. However, this condition is in general not easily checkable. For this reason, in Chap. 9 we illustrated some techniques that mitigate this difficulty by decomposing the original problem into smaller subproblems, each associated with a subsystem of the given system. We will show that more easily checkable conditions can be obtained by relaxing the observability definition.

To this aim, we need a metric on the set of time bases of the LH-system. Let $\mathcal{T}_L$ be the set of time bases with cardinality equal to $L$. Given $\tau, \tau' \in \mathcal{T}_L$, let $\lambda \in \mathbb{R}^L$ and $\lambda' \in \mathbb{R}^L$ be the vectors with $k$-th components $\lambda_k = t_k - t_{k-1}$ and $\lambda'_k = t'_k - t'_{k-1}$, where $t_k$ and $t'_k$ are the $k$-th switching times of $\tau$ and $\tau'$, respectively. Then the distance between $\tau$ and $\tau'$ is the function $d : \mathcal{T}_L \times \mathcal{T}_L \to \mathbb{R}^+_0$ defined as

$$d(\tau, \tau') = \|\lambda - \lambda'\| \qquad (10.3)$$

where $\|\cdot\|$ is any standard norm in the finite dimensional space $\mathbb{R}^L$. A property will be said to hold for almost all time bases in $\mathcal{T}_L$ if it holds for time bases with $\lambda$ generic in $\mathbb{R}^L$, i.e. $\lambda$ belonging to a dense subset of $\mathbb{R}^L$.

Throughout this chapter, we make the following assumption:

Assumption 10.1 $\Xi_0 = \Xi$, i.e. there are no restrictions on the initial hybrid state.

As a consequence, it is possible to reconstruct the current continuous state only if the pair $(A_i, C_i)$ is observable for all $i \in Q_\infty$. Moreover, we assumed that the dwell time in any sink state is infinite (see Assumption 2.7). Then, recalling Theorem 9.8 and Assumption 2.5, we can suppose without loss of generality that:

Assumption 10.2 The FSM associated with the LH-system is alive and the maximum dwell time in each discrete state is finite.

We introduce now the notion of almost always observability.

Definition 10.2 An LH-system $H$ is almost always observable if there exist a function $\hat{x} : Y \to \mathbb{R}^n$ and a finite integer $\hat{k} > 0$ such that

$$\hat{x}\big(\upsilon|_{[0,t]}\big) = x(t), \quad t \in [t_{\hat{k}-1}, t_{\hat{k}}) \qquad (10.4)$$

for almost all time bases $\tau$ in $\mathcal{T}_{\hat{k}}$ and for all executions $\chi = (\xi_0, \tau, \xi)$.

Since in this chapter we are assuming full discrete state information, condition (10.4) implies that the continuous state can be computed for all $t \ge t_{\hat{k}}$. For LH-systems with a bounded maximum dwell time in each location, Definition 10.2 is a relaxation of Definition 10.1, i.e. an observable LH-system is almost always observable, but the converse implication is not true in general. Nevertheless, an almost always observable LH-system may also be observable, depending on the value of the bounds for the maximum dwell times, as we will show in Example 10.1. In the next sections, we will characterize almost always observability for the cyclic case with non-identity reset, and for the case of a general graph topology with identity reset.

Recall that the hybrid state space $\Xi$ is equal to $Q \times \mathbb{R}^n$, with $\mathrm{card}(Q) = N$. A cycle of length $\mu$ in the graph $G = (Q, E)$ associated with an LH-system $H$ is an ordered set $q_1 q_2 \ldots q_\mu$ such that $q_i \in Q$ for all $i = 1, \ldots, \mu$, $q_i \ne q_j$ for all $i, j = 1, \ldots, \mu$ with $i \ne j$, $(q_i, q_{i+1}) \in E$ for all $i = 1, \ldots, \mu - 1$, and $(q_\mu, q_1) \in E$. The symbol $\mathcal{C}$ denotes the set of all cycles in $G$.

10.2 Characterizing Almost Always Observability: The Cyclic Case

Suppose that the graph associated with $H$ is itself a cycle $c = q_1 q_2 \ldots q_N$. Then $\mathcal{C} = \{c\}$. Because of the cyclic graph topology, given the initial discrete state, the discrete trajectory is known even if the switching times are unknown a priori.

For a given $i \in Q$, let $F_i$ be a linear subspace of $\mathbb{R}^n$. Given the system described by the equation $\dot{x}(t) = A_i x(t)$, the symbol $\mathcal{I}_i(F_i)$ denotes the maximal $A_i$-invariant subspace contained in $F_i$, i.e. the maximal set $G_i$ such that $A_i G_i \subset G_i$ and $G_i \subset F_i$. An invariant subspace for an autonomous LH-system can be defined as follows [5]:

Definition 10.3 Given an autonomous LH-system, the hybrid subspace $\bigcup_{i \in Q} \{i\} \times F_i \subset \Xi$ is said to be invariant if $A_i F_i \subset F_i$, $\forall i \in Q$, and $R_{(i,j)} F_i \subset F_j$, $\forall (i, j) \in E$.

Since $\bigcup_{i \in Q} \{i\} \times \{0\}$ is an invariant hybrid subspace contained in $\bigcup_{i \in Q} \{i\} \times \ker(C_i)$, and the set of invariant hybrid subspaces is closed with respect to the union, the maximal invariant hybrid subspace contained in $\bigcup_{i \in Q} \{i\} \times \ker(C_i)$ exists, is unique and is denoted by

$$I^* = \bigcup_{i \in Q} \{i\} \times \Lambda_i^* \qquad (10.5)$$

where the sets $\Lambda_i^*$, $i \in Q$, can be computed as follows:

Lemma 10.1 Consider the recursions

$$\Lambda_i^{k+1} = \mathcal{I}_i\Big(\ker(C_i) \cap R_{(i,j)}^{-1} \Lambda_j^k\Big), \quad i \in Q,\ (i, j) \in E. \qquad (10.6)$$

The sets $\Lambda_i^*$, $i \in Q$, are the fixed points of the recursions over $k = 0, 1, \ldots$, by setting $\Lambda_i^0 = \ker(C_i)$. Such fixed points are obtained at most after $K \le nN$ steps.

Proof By definition of invariant hybrid subspace, the sets $\Lambda_i^*$ are fixed points of the recursions (10.6). Since $I^* \subset \bigcup_{i \in Q} \{i\} \times \Lambda_i^k$, $\forall k = 0, 1, \ldots$, and $\Lambda_i^{k+1} \subset \Lambda_i^k$, $\forall k = 0, 1, \ldots$, the result follows. □

Let $\Gamma \subset \Xi$ be a set of hybrid states such that, starting from $\Gamma$ and for any execution of $H$, the continuous component reaches the origin in a finite number of steps. In other words, $\Gamma$ is characterized by the following property:

$$\exists \tilde{k} > 0 : \; x(t) = 0 \quad \forall (q_0, x_0) \in \Gamma,\ \forall t \ge t_{\tilde{k}},\ \forall \chi : \xi_0 = (q_0, x_0). \qquad (10.7)$$

Since the family of sets with the property (10.7) is closed with respect to set union, the maximal set $\Gamma^*$ having this property is well defined. Moreover, note that starting from an initial nonzero continuous state, the continuous trajectory will reach the origin in finite time only if there are singular reset maps. The set $\Gamma^*$ can be computed as established in the following:

Lemma 10.2 The maximal set $\Gamma^*$ with property (10.7) is

$$\Gamma^* = \bigcup_{i \in Q} \{i\} \times \Gamma_i^*$$

where $\Gamma_i^*$, $i \in Q$, is the fixed point of the recursion over $k = 0, 1, \ldots$

$$\Gamma_i^{k+1} = \mathcal{I}_i\Big(\ker\big(R_{(i,j)}\big) + R_{(i,j)}^{-1} \Gamma_j^k\Big), \quad i \in Q,\ (i, j) \in E \qquad (10.8)$$

where $\Gamma_i^0 = \mathcal{I}_i\big(\ker(R_{(i,j)})\big)$. The set $\Gamma^*$ is a hybrid subspace and is obtained after $K \le nN$ steps at most.

Proof The set $\bigcup_{i \in Q} \{i\} \times \{0\}$ has property (10.7). The class of sets with property (10.7) is therefore nonempty, and by definition it is closed with respect to set union. Hence there exists a maximal set in the class. As for the recursion, suppose that $\Gamma_i^k$ is the set of all continuous states such that, starting from $\{i\} \times \Gamma_i^k$, the origin of $\mathbb{R}^n$ is reached after $k+1$ switches. Then, from Eq. (10.8), since we are considering the cyclic case, $\Gamma_i^{k+1}$ is the set of all continuous states such that, starting from $\{i\} \times \Gamma_i^{k+1}$, the origin of $\mathbb{R}^n$ is reached after $k+2$ switches. Now, $\Gamma_i^0$ is the set of all continuous states such that, starting from $\{i\} \times \Gamma_i^0$, the origin of $\mathbb{R}^n$ is reached after the first switch: thus by induction we can conclude that $\Gamma_i^k$ is the set of all continuous states such that, starting from $\{i\} \times \Gamma_i^k$, the origin of $\mathbb{R}^n$ is reached after $k+1$ switches. Hence, because of the linearity assumptions, we have $\Gamma_i^k \subset \Gamma_i^{k+1}$, $\forall i \in Q$, $\forall k = 0, 1, 2, \ldots$. Suppose that $\Gamma_i^{\tilde{k}+1} = \Gamma_i^{\tilde{k}}$, $\forall i \in Q$, for some $\tilde{k}$. Then $\Gamma_i^k = \Gamma_i^{\tilde{k}}$, $\forall i \in Q$, $\forall k \ge \tilde{k}$, the fixed point is reached and $\Gamma_i^{\tilde{k}}$ is a linear subspace of $\mathbb{R}^n$, $\forall i \in Q$. Therefore, at step $k$ either $\Gamma_i^k \subset \Gamma_i^{k+1}$ strictly for some $i$, or the fixed point has been reached. Since we are considering a cycle with $N$ discrete states, and because, $\forall i \in Q$, $\Gamma_i^k$ is a linear subspace of $\mathbb{R}^n$, it follows that the inclusion $\Gamma_i^k \subset \Gamma_i^{k+1}$ holds strictly only if the dimension of $\Gamma_i^{k+1}$ is strictly greater than the dimension of $\Gamma_i^k$. Hence there exists $\tilde{k} \le nN$ such that $\Gamma_i^{\tilde{k}+1} = \Gamma_i^{\tilde{k}}$, $\forall i \in Q$. □

We can now state the main result of this section. Its proof is based on the fact that $H$ is almost always observable if and only if, for some $\hat{k}$, any two state executions that produce the same output for almost all time bases in $\mathcal{T}_{\hat{k}}$ have the same value of the continuous state at time $t_{\hat{k}}$. This is equivalent to saying that there exists $\hat{k}$ such that a state execution gives zero output for almost all time bases in $\mathcal{T}_{\hat{k}}$ only if the initial state is in $\Gamma^*$.

Theorem 10.1 $H$ is almost always observable if and only if $I^* \subset \Gamma^*$.

Proof The necessity is obvious, because the set of initial hybrid states is the entire state space.
Let us prove the sufficiency. Suppose that $I^* \subset \Gamma^*$, but the system is not almost always observable. Then for any $K > 0$ there exist an execution $\chi = (\xi_0, \tau, \xi)$, with $\mathrm{card}(\tau) = K$, and a real $\gamma > 0$ such that

$$x'(t) \in \ker\big(C_{q(t_k)}\big) \;\wedge\; x'(t) \ne 0, \quad \forall t \in [t_k, t_{k+1}),\ 0 \le k \le K - 1$$

for any execution $\chi' = (\xi'_0, \tau', \xi')$ where

– $\xi'(t) = (q'(t), x'(t))$
– $\mathrm{card}(\tau') = K$
– $d(\tau, \tau') \le \gamma$
– $\chi$ and $\chi'$ share the same initial discrete state and the same discrete evolution (i.e. $q(t_k) = q'(t_k)$, $0 \le k \le K - 1$).

This implies

$$x'(t) \in \mathcal{I}_{q(t_k)}\Big(\ker\big(C_{q(t_k)}\big) \cap R_{(q(t_k),\, q(t_{k+1}))}^{-1} \ker\big(C_{q(t_{k+1})}\big)\Big), \quad \forall t \in [t_k, t_{k+1}),\ \forall k = 1 \ldots K$$

and

$$x'(t) \ne 0, \quad \forall t \in [0, t_{K+1}).$$

Recalling Lemma 10.1, with arguments similar to those used in the proof of Lemma 10.2, if $K > nN$, then $(i, x_0) \in I^*$. But since $I^* \subset \Gamma^*$, then $x'(t) = 0$, $\forall t > t_K$. The result then follows by contradiction. □

The following result comes from the proof of Theorem 10.1:

Corollary 10.1 If $I^* \subset \Gamma^*$ then $H$ is almost always observable with $\hat{k} = n(N + 1)$.

As a special case, if $R_e$ is nonsingular $\forall e \in E$, then $\Gamma^* = Q \times \{0\}$, and hence we can establish the following:

Corollary 10.2 If $R_e$ is nonsingular $\forall e \in E$, $H$ is almost always observable if and only if $I^* = Q \times \{0\}$.

Remark 10.1 In the case that all the reset functions are the identity, $I^* = Q \times F$ where $F$ is the maximal subspace which is $A_i$-invariant $\forall i \in Q$ and contained in $\bigcap_{i \in Q} \ker(C_i)$.

10.3 Characterizing Almost Always Observability: The Case of General Topology

Consider an arbitrary graph structure. For a cycle $c \in \mathcal{C}$, let $Q_c$ be the set of discrete states in the cycle and let $I^{*c}$ and $\Gamma^{*c}$ be the sets corresponding to $I^*$ and $\Gamma^*$, respectively, defined in the previous section and computed with respect to the restriction of $H$ to cycle $c$. Since there are no restrictions on the initial hybrid states, the following necessary condition can be easily established:

Theorem 10.2 $H$ is almost always observable only if $I^{*c} \subset \Gamma^{*c}$, $\forall c \in \mathcal{C}$.

In the case of an identity reset, the necessary condition above is also sufficient:

Theorem 10.3 Suppose that $R_e = I$, $\forall e \in E$. Then $H$ is almost always observable if and only if $I^{*c} = Q_c \times \{0\}$, $\forall c \in \mathcal{C}$.

Proof The necessity being obvious, we only prove sufficiency. Suppose that $I^{*c} = Q_c \times \{0\}$, $\forall c \in \mathcal{C}$, but the system is not almost always observable. Then for any $K > 0$ there exist an execution $\chi = (\xi_0, \tau, \xi)$, $\mathrm{card}(\tau) = K$, and a real $\gamma > 0$ such that, for any execution $\chi' = (\xi'_0, \tau', \xi')$, with $\mathrm{card}(\tau') = K$, $d(\tau, \tau') \le \gamma$, and with $\chi, \chi'$ sharing the same initial discrete state and the same discrete evolution, it follows that

$$x'(t) \in \ker\big(O_{q(t_k)}\big) \;\wedge\; x'(t) \ne 0, \quad \forall t \in [t_k, t_{k+1}),\ 0 \le k \le K - 1$$

where

$$O_i = \begin{pmatrix} C_i \\ C_i A_i \\ C_i (A_i)^2 \\ \vdots \\ C_i (A_i)^{n-1} \end{pmatrix}. \qquad (10.9)$$

The above condition implies that $\forall t \in [t_k, t_{k+1})$, $0 \le k \le K - 1$,

$$x'(t) \in \Omega_k \qquad (10.10)$$

where

$$\Omega_k = \mathcal{I}_{q(t_k)}\Big(\ker\big(O_{q(t_k)}\big) \cap \Omega_{k+1}\Big) \ne \{0\} \qquad (10.11)$$

and

$$\Omega_K = \ker\big(O_{q(t_K)}\big). \qquad (10.12)$$

It is easy to see that $\Omega_k \subset \Omega_{k+1}$, $0 \le k \le K - 1$, and obviously the sets $\Omega_k$ are linear subspaces of $\mathbb{R}^n$. Let $K = n(N + 1)$ and consider the last $N + 1$ switches. Since $Q$ has $N$ states, there is at least one cycle $c'$ in the sequence $q(t_{K-N})\, q(t_{K-N+1}) \ldots q(t_K)$. Therefore, there exists a subsequence $q(t_{k'-\mu})\, q(t_{k'-\mu+1}) \ldots q(t_{k'})$ with $q(t_{k'-\mu}) = q(t_{k'})$. If $\Omega_{k'-\mu} = \Omega_{k'}$, then $\Omega_{k'}$ is invariant for all the systems in the cycle $c'$, and hence $I^{*c'} \ne Q_{c'} \times \{0\}$. Hence, the inclusion $\Omega_{k'-\mu} \subset \Omega_{k'}$ must hold strictly. So we can conclude that, after any $N + 1$ backward switches, the dimension of $\Omega_k$ strictly decreases. Being $\Omega_k$ a linear subspace of $\mathbb{R}^n$, it follows that $\Omega_0 = \{0\}$ after $n(N + 1)$ backward switches, and the result follows by contradiction. □

From the proof above, we can establish the following corollary:

Corollary 10.3 If $I^{*c} = Q_c \times \{0\}$, $\forall c \in \mathcal{C}$, then $H$ is almost always observable with $\hat{k} = n(N + 1)$.

Testing the condition $I^{*c} = Q_c \times \{0\}$ for a given $c \in \mathcal{C}$ is easy, but computational problems arise due to the cardinality of the set $\mathcal{C}$. However, the next result shows that, under the hypothesis of Theorem 10.3, the computational effort to test the almost always observability condition can in most cases be mitigated. In fact, we will prove that the condition $I^{*c} = Q_c \times \{0\}$ does not need to be checked for all cycles $c \in \mathcal{C}$, but only for those in a subset of $\mathcal{C}$. Recall the following definitions:

Fig. 10.1 Example of graph with $N = 2\nu$ vertices and $2^\nu$ holes (one is indicated in blue) (Reprinted from Nonlinear Analysis: Hybrid Systems, Vol. 36, C. Arbib, E. De Santis, Almost always observable hybrid systems, Copyright (2020), with permission from Elsevier)

Definition 10.4 An induced subgraph $G' = (Q', E')$ of $G = (Q, E)$ is a graph where $Q' \subset Q$ and $E' = \{(u, v) \in E : u, v \in Q'\}$.

Definition 10.5 A hole is an induced subgraph of $G$ isomorphic to a cycle. We let $\tilde{\mathcal{C}}$ denote the set of all holes in $G$.

Theorem 10.4 Suppose that $R_e = I$, $\forall e \in E$. Then $H$ is almost always observable if and only if $I^{*c} = Q_c \times \{0\}$, $\forall c \in \tilde{\mathcal{C}}$.

Proof The necessity is obvious. As for the sufficiency, for any given $c \in \mathcal{C}$, either $c \in \tilde{\mathcal{C}}$ or there is a subsequence $c'$ of $c$ which is a cycle belonging to $\tilde{\mathcal{C}}$. Since $I^{*c'} = Q_{c'} \times \{0\}$, for some $c'$, implies $I^{*c} = Q_c \times \{0\}$ for all $c$ such that $c' \subset c$ (see Remark 10.1), the result follows. □

Unfortunately, in the worst case $\mathrm{card}(\tilde{\mathcal{C}}) = o(2^N)$, as shown by the example in Fig. 10.1. Note that this worst case occurs in a special subclass of $G$: the symmetric support of the graph in Fig. 10.1 (i.e. the undirected graph obtained by neglecting edge directions) is in fact bipartite. However, there are non-trivial cases in which Theorem 10.4 allows for a significant reduction in computational effort. For example, if the symmetric support of $G$ is chordal (that is, every cycle of $G$ has a chord), then its holes coincide with its triangles and therefore they are at most

$$\frac{N(N-1)(N-2)}{6}$$

whereas the cycles of $G$ can grow exponentially with $N$. A particularly interesting case is when all transitions between two different discrete states are allowed.

Corollary 10.4 Suppose that $E = \{(i, j) \in Q \times Q : i \ne j\}$ and $R_e = I$, $\forall e \in E$. Then $H$ is almost always observable if and only if $I^{*c} = \{0\}$, $\forall c = q_i q_j \in \tilde{\mathcal{C}}$.


10.4 State Estimation

Suppose that $H$ is almost always observable. The symbol $P_i$ denotes the orthogonal projector on the subspace $(\ker(O_i))^\perp$, with $O_i$ defined in (10.9), and where $(\cdot)^\perp$ denotes the orthogonal subspace. For simplicity, here we abuse notation and write $q(k)$ instead of $q(t_k)$. It is well known that, for any execution of $H$, given $q(k)$, the value $z_k = P_{q(k)} x(t_k)$ can be computed from the knowledge of the continuous output function in the time interval $[t_k, t_k + \varepsilon)$, for any arbitrarily small real $\varepsilon > 0$. We can establish the following result:

Theorem 10.5 If $H$ is almost always observable, then there exists an integer $m$ such that, for any nonnegative integer $h$, any generic time basis and any execution of $H$, the system of equations

$$P_{q(h+k)}\, x(t_{h+k}) = z_{h+k}, \quad k = 0, 1, \ldots, m \qquad (10.13)$$

with given $z_{h+k}$, and where, for $k = 0, 1, \ldots, m - 1$,

$$R_{(q(h+k),\, q(h+k+1))} \exp\big(A_{q(h+k)} \lambda_{h+k}\big)\, x(t_{h+k}) = x(t_{h+k+1}),$$

has a unique solution $x(t_{h+m})$.

Proof By definition of almost always observability, and since $P_{q(k)} x(t_k)$ is the information about $x(t_k)$ that we can gather from the knowledge of $q(k)$ and from the continuous output function in the time interval $[t_k, t_k + \varepsilon)$, the result follows. □

Once the almost always observability property has been checked (e.g. by Theorem 10.1 or 10.4), Theorem 10.5 above allows for the design of a deadbeat observer that returns the exact value of the current continuous state after a finite number of switches. In practice, some finite time after $t_{h+k}$ is required for the computation of $z_{h+k}$. Moreover, in general, we have to take into account unavoidable precision bounds in the computation. Hence an estimate of $x(t_{h+m})$ may be available with some delay after $t_{h+m}$, by solving an optimization problem after each switching time. The estimation error of the current continuous state remains bounded at each time $t$, and the value of the bound depends on the accuracy of computations. The drawback is related to the online computational effort required, and hence the applicability of this approach is very much problem-dependent.

10.5 Sensors Location Design

Suppose that $H$ is not almost always observable. Then an interesting question is the optimal location of additional sensors that make the system almost always observable. In this perspective, the problem of minimizing a cost function over all possible finite options can be formulated. Note that, by Theorem 10.4, one can limit the introduction of additional sensors to systems belonging to induced cycles $\tilde{\mathcal{C}}$, as stated in the following simple proposition:

Proposition 10.1 If $\forall c \in \tilde{\mathcal{C}}$ there exists a discrete state $i \in c$ such that the linear system $S(i)$ is observable, then $H$ is observable.

Proof (Sketch) Starting from any initial discrete state, any execution will eventually visit a cycle $c \in \tilde{\mathcal{C}}$. Since the observability of $(A_i, C_i)$ for some $i \in c$ implies the exact reconstruction of the current continuous state whenever the current discrete state is $i$, the continuous state will be exactly known forever. □

One can define a simpler optimization problem by trying to minimize the number of linear systems that, if observable, imply observability of the overall system as stated in Proposition 10.1. Since the observability of a hybrid system implies that the system is almost always observable, an optimal solution for this new problem is also a solution to the former problem (although in general suboptimal). A set of observable linear systems that implies the observability of the overall system corresponds to a set of nodes of $Q$ whose removal leaves $G$ with no directed cycles. Such a set is known as a feedback vertex set (see [8] for a survey). Finding a feedback vertex set of minimum size is NP-hard even if the graph is undirected and its vertices have maximum degree 4 (but it can be solved in polynomial time for maximum degree 3). Note that by the Erdös–Pósa Theorem [7], for any integer $k$ an undirected graph either contains $k$ vertex-disjoint cycles, or all its cycles can be covered by at most $k \log(k)$ vertices. This means that maximizing the size $k$ of a cycle-packing of $G$ is equivalent to finding both a lower and an upper bound to a cover of $\mathcal{C}$ (and hence of $\tilde{\mathcal{C}}$) with vertices in $Q$.

More generally, let $w(i)$ be the cost of observing the linear system $S(i)$, and for $Q' \subset Q$ define the cost of observing the set $Q'$:

$$w(Q') = \sum_{i \in Q'} w(i).$$

We can then introduce the following:

Problem 10.1 Compute a minimum cost feedback vertex set of $G$, i.e. a set $Q^* \subset Q$ such that $Q^* \cap c \ne \emptyset$, $\forall c \in \mathcal{C}$, and $w(Q^*) \le w(Q')$ for each feedback vertex set $Q' \subset Q$.

For example, consider the graph $G$ of Fig. 10.2, where vertices are labeled with the observation costs of the relevant systems. The set $\mathcal{C}$ of $G$ contains the cycles $c_1 = \{1, 5, 4\}$, $c_2 = \{2, 1, 5\}$, $c_3 = \{2, 1, 5, 4, 7, 8, 9, 3\}$, $c_4 = \{3, 4, 7, 8, 9\}$, $c_5 = \{4, 6, 5\}$, $c_6 = \{2, 1, 5, 4, 6, 7, 8, 9, 3\}$, $c_7 = \{3, 4, 6, 7, 8, 9\}$, which can all be eliminated by removing, e.g., the vertex sets $\{1, 4\}$, $\{5, 8\}$ or $\{4, 5\}$ from $Q$. The set $Q^* = \{5, 8\}$ costs less than the others, and in fact is optimal. The set $\tilde{\mathcal{C}}$ contains $c_i$, $i = 1, 2, 4, 5$. Figure 10.3 shows the graph obtained by removing the states in $Q^*$.

Fig. 10.2 Minimum cost of observation: feedback vertex set $Q^* = \{5, 8\}$ costs 6 (Reprinted from Nonlinear Analysis: Hybrid Systems, Vol. 36, C. Arbib, E. De Santis, Almost always observable hybrid systems, Copyright (2020), with permission from Elsevier)

Fig. 10.3 The cycle-less graph $G \setminus Q^*$

Problem 10.1 can be solved in polynomial time in several graph classes [8], but for directed graphs no exact algorithms with running time $o(\gamma^n n^{o(1)})$, where $\gamma < 2$, and no polynomial time approximation algorithms with constant ratio have been found so far. The problem is generally formulated by the following 0-1 linear program:

$$\min_{x \in \{0,1\}^N} \sum_{i \in Q} w(i)\, x_i \qquad (10.14)$$

subject to

$$\sum_{i \in c} x_i \ge 1 \quad \forall c \in \mathcal{C}. \qquad (10.15)$$


In the example of Fig. 10.2, the inequalities of problem (10.14) read

$$\begin{aligned}
x_1 + x_4 + x_5 &\ge 1 \\
x_1 + x_2 + x_5 &\ge 1 \\
x_1 + x_2 + x_3 + x_4 + x_5 + x_7 + x_8 + x_9 &\ge 1 \\
x_3 + x_4 + x_7 + x_8 + x_9 &\ge 1 \\
x_4 + x_5 + x_6 &\ge 1 \\
x_1 + x_2 + x_3 + x_4 + x_5 + x_6 + x_7 + x_8 + x_9 &\ge 1 \\
x_3 + x_4 + x_6 + x_7 + x_8 + x_9 &\ge 1.
\end{aligned}$$

Note that the first inequality dominates the ones associated with cycles $c_3$ and $c_6$. The fifth inequality dominates the one associated with cycle $c_7$. Therefore, the dominated inequalities can be eliminated. Equivalently, by substituting $\tilde{\mathcal{C}}$ for $\mathcal{C}$ in (10.15), the set of inequalities is:

$$\begin{aligned}
x_1 + x_4 + x_5 &\ge 1 \\
x_1 + x_2 + x_5 &\ge 1 \\
x_3 + x_4 + x_7 + x_8 + x_9 &\ge 1 \\
x_4 + x_5 + x_6 &\ge 1.
\end{aligned}$$

Both $x' = (0\ 0\ 0\ 1\ 1\ 0\ 0\ 0\ 0)$ and $x'' = (1\ 0\ 0\ 1\ 0\ 0\ 0\ 0\ 0)$ are feasible solutions; the former costs 16 and the latter 13. The solution $x^* = (0\ 0\ 0\ 0\ 1\ 0\ 0\ 1\ 0)$ is optimal. Unlike the simple case illustrated, in Problem (10.14) the number of inequalities can increase exponentially with the cardinality of $Q$. These inequalities can however be separated in polynomial time. Let in fact $\tilde{x}$ be a fractional solution of the LP relaxation of (10.14). Then an inequality which is maximally violated by $\tilde{x}$ can be found by solving, for each pair $u, v \in Q$, a shortest $(v, u)$-path problem in $G$ under node weights $\tilde{x}_q$, $q \in Q$. For a polyhedral approach to the solution of (10.14) see [9].
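As an added illustration (not code from the book or its authors), the 0-1 program (10.14)-(10.15) for the cycle family of Fig. 10.2: dominated rows are removed by keeping only inclusion-minimal cycles (which yields exactly the holes $c_1, c_2, c_4, c_5$), and the minimum is then found by exhaustive search. The observation costs are constructed values, chosen only to reproduce the three totals stated in the text (16, 13 and 6), since the figure's labels are not in the text.

```python
"""Minimum-cost feedback vertex set (Problem 10.1, program (10.14)-(10.15)) for the
cycles of Fig. 10.2: reduce the cycle constraints to the inclusion-minimal ones and
solve the small 0-1 program by brute force over all vertex subsets."""
from itertools import combinations

# Cycles c1..c7 of Fig. 10.2 as vertex sets, copied from the text.
CYCLES = {
    "c1": {1, 5, 4},
    "c2": {2, 1, 5},
    "c3": {2, 1, 5, 4, 7, 8, 9, 3},
    "c4": {3, 4, 7, 8, 9},
    "c5": {4, 6, 5},
    "c6": {2, 1, 5, 4, 6, 7, 8, 9, 3},
    "c7": {3, 4, 6, 7, 8, 9},
}

# CONSTRUCTED observation costs w(i): the figure's labels are not recoverable from
# the text, so these are chosen only so that w({4,5}) = 16, w({1,4}) = 13 and
# w({5,8}) = 6, the three totals the text states.
COSTS = {1: 1, 2: 6, 3: 3, 4: 12, 5: 4, 6: 7, 7: 5, 8: 2, 9: 9}


def minimal_cycles(cycles):
    """Keep only inclusion-minimal vertex sets. The row of (10.15) for a cycle c
    dominates the row of every cycle c' with c a strict subset of c', so the
    dominated rows can be dropped without changing the feasible set."""
    return {
        name: verts
        for name, verts in cycles.items()
        if not any(other < verts for other in cycles.values())
    }


def is_feedback_vertex_set(candidate, cycles):
    """Constraint (10.15): every cycle must contain at least one chosen vertex."""
    return all(candidate & verts for verts in cycles.values())


def cost(candidate, costs):
    """Objective (10.14): total observation cost of the chosen vertices."""
    return sum(costs[i] for i in candidate)


def min_cost_fvs(cycles, costs):
    """Exact solution of (10.14)-(10.15) by exhaustive search (2^9 - 1 subsets here).
    Returns (optimal vertex set, its cost)."""
    vertices = sorted(set().union(*cycles.values()))
    best_set, best_cost = None, float("inf")
    for r in range(1, len(vertices) + 1):
        for combo in combinations(vertices, r):
            cand = set(combo)
            if is_feedback_vertex_set(cand, cycles):
                c = cost(cand, costs)
                if c < best_cost:
                    best_set, best_cost = cand, c
    return best_set, best_cost


if __name__ == "__main__":
    print(sorted(minimal_cycles(CYCLES)))           # ['c1', 'c2', 'c4', 'c5']
    print(cost({4, 5}, COSTS), cost({1, 4}, COSTS))  # 16 13
    print(min_cost_fvs(CYCLES, COSTS))              # ({5, 8}, 6)
```

Solving over the reduced family `minimal_cycles(CYCLES)` gives the same optimum as solving over all seven cycles, which is the point of replacing $\mathcal{C}$ by $\tilde{\mathcal{C}}$ in (10.15).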

10.6 Hybrid Systems with Known Switching Times

In this section, we analyze autonomous linear hybrid systems where the switching times are known a priori. This situation can be represented by adding to the LH-system $H$ the constraint

$$\delta(i) = \Delta(i) = \Delta_i, \quad \forall i \in Q \qquad (10.16)$$

where $\Delta_i$ is a given positive real. Let $H_c$ denote the system $H$ with constraints (10.16). Then, Theorem 10.1 implies the following:

Theorem 10.6 Suppose that the graph associated with $H$ is cyclic. The constrained system $H_c$ is observable only if $H$ is almost always observable. Conversely, if $H$ is almost always observable, then $H_c$ is observable for almost all $\Delta_i \in \mathbb{R}^+$, $i \in Q$.

Proof Suppose that $H_c$ is observable but that $H$ is not almost always observable. Theorem 10.1 implies that the set of unobservable states is not contained in the set of states that reach the origin in finite time. Therefore, there exists an initial state such that the state evolution produces identically zero output, for all switching times. Hence, $H_c$ is not observable. The converse statement of the theorem follows by definition of almost always observability. □

By Theorem 10.3, the same result established in Theorem 10.6 can be proved also in the case of a general topology, under the assumption of identity reset.

A linear system with periodic jumps (see e.g. [2]) falls in the class of LH-systems we are considering in this section. In fact, it can be represented as

$$H = \big(\Xi = \{1\} \times \mathbb{R}^n,\ \Xi_0 = \Xi,\ \Upsilon = \{\ \} \times \mathbb{R}^p,\ h,\ S,\ E = \{(1, 1)\},\ R\big) \qquad (10.17)$$

where $S(1)$ is the linear autonomous dynamical system defined by the matrices $A$ and $C$, and the reset map $R$ is linear, represented by a matrix in $\mathbb{R}^{n \times n}$, which for notational simplicity is denoted here by $R$ instead of $R_{(1,1)}$. Moreover, the constraints are defined by the conditions

$$\delta(1) = \Delta(1) = \Delta \qquad (10.18)$$

with $\Delta \in \mathbb{R}^+$ a given time period. In Chap. 2, we defined the output function with a discrete and a continuous component (see (2.9)). Here, the discrete component has no role because there is a unique discrete state. The continuous component associates to $x(t)$ a value $y(t) \in \mathbb{R}^m$ at each time $t \in [t_k, t_{k+1})$. Let $O$ be the observability matrix of $S(1)$ and let $F$ be the largest $R e^{A\Delta}$-invariant subspace contained in $\ker(O)$, the unobservable subspace of system $S(1)$. Then, $F$ is the unobservable subspace of the hybrid system, i.e. the set of all initial states starting from which the output evolution is identically zero. Therefore, the following result holds:

Proposition 10.2 The LH-system (10.17) with constraints (10.18) is observable if and only if

$$F \subset \ker\big((R e^{A\Delta})^n\big). \qquad (10.19)$$

Proof The set $\ker\big((R e^{A\Delta})^n\big)$ is the set of states starting from which the state evolution reaches the origin in finite time. Since $F$ is the unobservable subspace of the constrained hybrid system, the result follows. □

Fig. 10.4 The FSM associated with the H-system of Example 10.1

10.7 Examples

Example 10.1 (The cyclic case) Let us consider the LH-system having the discrete structure depicted in Fig. 10.4, where $\Xi = \Xi_0 = \{1, 2\} \times \mathbb{R}^2$, $\Upsilon = \{1, 2\} \times \mathbb{R}$, $h(i) = i$, $i \in \{1, 2\}$, and $S(1)$ and $S(2)$ are the autonomous dynamical systems with

$$A_1 = \begin{pmatrix} 0 & -1 \\ 1 & 0 \end{pmatrix}, \quad C_1 = \begin{pmatrix} 0 & 0 \end{pmatrix}, \qquad A_2 = \begin{pmatrix} 0 & 0 \\ 0 & 0 \end{pmatrix}, \quad C_2 = \begin{pmatrix} 0 & 1 \end{pmatrix}.$$

Suppose that the reset functions are the identity and that a finite maximum dwell time is associated with each mode. Then

$$I_1 = \ker(O_1) = \mathbb{R}^2, \qquad I_2 = \ker(O_2) = \{x \in \mathbb{R}^2 : x_2 = 0\}$$

and $I^* = \{1, 2\} \times \{0\}$. Therefore, from Corollary 10.2, the system is almost always observable. In fact, it is easy to verify by inspection that the state trajectories of $S(1)$ are circles around the origin, anticlockwise starting from the initial state, with time period $2T$, $T = \pi$. Suppose that the initial discrete state is 1. Then for any value of $t_1$ the output is identically zero in $[t_0, t_1)$. The state evolution of the LH-system gives zero output on the whole time interval $[t_1, t_2)$ only if $t_1$ coincides with the time instant in which the circle intersects the line $I_2$. After that, for any value of $t_2$ the output remains equal to zero for the interval $[t_2, t_3)$, but will still be zero in $[t_3, t_4)$ only if $t_3$ coincides with the instant at which the current trajectory of $S(1)$ intersects the line $I_2$, and so on. A similar evolution occurs when the initial state equals 2, hence the LH-system is almost always observable.

If the maximum dwell time is the same for the two modes and is equal to $\Delta \ge T$, then the LH-system in our example is not observable according to Definition 10.1. In fact, recalling (9.5),

$$H'_0 = \big(\Xi, \Xi'_0, \Upsilon, h, S, E, R\big) \qquad (10.20)$$

with $\Xi'_0 = \bigcup_{i \in \{1,2\}} \{i\} \times I_i$ and with guard conditions:

$$G'(e) = I_2,\ e = (1, 2); \qquad G'(e) = \mathbb{R}^2,\ e = (2, 1).$$

Following the same reasoning as above, and since $\Delta \ge T$, for any initial state in $\Xi'_0$ there exists a state trajectory of $H'_0$, with infinite time duration, which does not reach the origin in finite time. Therefore, by Theorem 9.5, the system is not observable. It is straightforward to verify that the system is observable if $0 < \Delta < T$.

Example 10.2 (The case of general topology) Let us consider an LH-system with the discrete structure depicted in Fig. 10.2, where $Q = \{1, \ldots, 9\}$, $\Xi = Q \times \mathbb{R}^2$, $\Upsilon = Q \times \mathbb{R}$. Systems $S(1)$ and $S(2)$ are the same as the dynamical systems $S(1)$ and $S(2)$ in Example 10.1, system $S(4)$ is described by the matrices

$$A_4 = \begin{pmatrix} 1 & 2 \\ 0 & -1 \end{pmatrix}, \quad C_4 = \begin{pmatrix} 1 & 0 \end{pmatrix},$$

system $S(5)$ is described by the matrices

$$A_5 = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}, \quad C_5 = \begin{pmatrix} 1 & 0 \end{pmatrix}.$$

Moreover,

$$C_6 = C_7 = C_8 = C_9 = \begin{pmatrix} 0 & 0 \end{pmatrix}$$

and the values of the matrices $A_i$, $i = 6, \ldots, 9$, do not matter. Suppose also that the reset functions are the identity. By Theorem 10.4, we must check that $I^{*c} = Q_c \times \{0\}$, $\forall c \in \{c_1, c_2, c_4, c_5\}$, where $c_1 = \{1, 4, 5\}$, $c_2 = \{2, 1, 5\}$, $c_4 = \{3, 4, 7, 8, 9\}$, $c_5 = \{4, 5, 6\}$. Since the pair $(A_4, C_4)$ is observable, $I^{*c} =  Q_c \times \{0\}$, $\forall c \in \{c_1, c_4, c_5\}$. Therefore, we just have to check cycle $c_2$. Since $\ker(O_5) = \{x \in \mathbb{R}^2 : x_1 = 0\}$, then $\ker(O_1) \cap \ker(O_2) \cap \ker(O_5) = \{0\}$, and it is straightforward to see that $I^{*c_2} = \{2, 1, 5\} \times \{0\}$. Hence, the LH-system is almost always observable.
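As an added example (not code from the book or its authors), the recursion (10.6) of Lemma 10.1 implemented with numpy over orthonormal bases and run on the systems of Examples 10.1 and 10.2; the helper names (`null_space`, `max_invariant_in`, `lambda_star`) and the subspace representation are my own choices. With identity resets the fixed point is $I^{*c} = Q_c \times \{0\}$ on the cycle $1 \to 2$ of Example 10.1 and on the cycle $c_2 = 2 \to 1 \to 5$ of Example 10.2, as the text concludes; a self-loop on $S(2)$ alone is included to show a nonzero fixed point.

```python
"""Fixed point of the recursion (10.6) of Lemma 10.1 along a cycle, applied to
Example 10.1 (cycle 1 -> 2 -> 1) and to cycle c2 = 2 -> 1 -> 5 of Example 10.2.
Subspaces are represented by orthonormal column bases (an n x 0 array is {0})."""
import numpy as np

TOL = 1e-9


def null_space(M):
    """Orthonormal basis of ker(M) via SVD (columns of the returned array)."""
    M = np.atleast_2d(np.asarray(M, dtype=float))
    _, s, vt = np.linalg.svd(M)
    rank = int(np.sum(s > TOL))
    return vt[rank:].T.copy()


def complement(B, n):
    """Orthonormal basis of span(B)^perp in R^n."""
    return np.eye(n) if B.shape[1] == 0 else null_space(B.T)


def intersect(B1, B2, n):
    """span(B1) ∩ span(B2) = (span(B1)^perp + span(B2)^perp)^perp."""
    return complement(np.hstack([complement(B1, n), complement(B2, n)]), n)


def preimage(M, B, n):
    """M^{-1} span(B) = {x : M x ∈ span(B)} = ker(N^T M), N a basis of span(B)^perp."""
    N = complement(B, n)
    return np.eye(n) if N.shape[1] == 0 else null_space(N.T @ M)


def max_invariant_in(A, F):
    """I_A(F): maximal A-invariant subspace contained in span(F), by the standard
    recursion V_0 = F, V_{k+1} = F ∩ A^{-1} V_k (decreasing, stops within n steps)."""
    n = A.shape[0]
    V = F
    for _ in range(n + 1):
        V_next = intersect(F, preimage(A, V, n), n)
        if V_next.shape[1] == V.shape[1]:   # V_next ⊂ V, so equal dimension means equal
            return V_next
        V = V_next
    return V


def lambda_star(systems, cycle, resets=None):
    """Recursion (10.6) along the cycle q_1 ... q_mu: for each i with successor j,
    Λ_i^{k+1} = I_i(ker C_i ∩ R_(i,j)^{-1} Λ_j^k), starting from Λ_i^0 = ker C_i.
    systems: {i: (A_i, C_i)}; resets: {(i, j): R_(i,j)} (identity when None).
    Returns {i: basis of Λ_i^*}; Λ_i^* = {0} exactly when the basis has no columns."""
    n = systems[cycle[0]][0].shape[0]
    succ = {cycle[k]: cycle[(k + 1) % len(cycle)] for k in range(len(cycle))}
    ker_C = {i: null_space(systems[i][1]) for i in cycle}
    lam = dict(ker_C)                                    # Λ_i^0 = ker(C_i)
    for _ in range(n * len(cycle) + 1):                  # Lemma 10.1: at most nN steps
        new = {}
        for i in cycle:
            j = succ[i]
            R = resets[(i, j)] if resets is not None else np.eye(n)
            new[i] = max_invariant_in(systems[i][0],
                                      intersect(ker_C[i], preimage(R, lam[j], n), n))
        if all(new[i].shape[1] == lam[i].shape[1] for i in cycle):
            return new                                   # Λ^{k+1} ⊂ Λ^k: fixed point
        lam = new
    return lam


def dims(lam):
    """Dimension of each Λ_i^*; all zero means I^{*c} = Q_c x {0}."""
    return {i: int(B.shape[1]) for i, B in lam.items()}


# Systems of Examples 10.1 and 10.2, matrices as given in the text.
A1, C1 = np.array([[0., -1.], [1., 0.]]), np.array([[0., 0.]])
A2, C2 = np.zeros((2, 2)), np.array([[0., 1.]])
A5, C5 = np.array([[1., 0.], [0., -1.]]), np.array([[1., 0.]])
SYSTEMS = {1: (A1, C1), 2: (A2, C2), 5: (A5, C5)}


def example_10_1():
    """Cycle 1 -> 2 -> 1 with identity resets; expect {1: 0, 2: 0} (Corollary 10.2)."""
    return dims(lambda_star(SYSTEMS, [1, 2]))


def example_10_2_cycle_c2():
    """Cycle c2 = 2 -> 1 -> 5 of Fig. 10.2; expect all zero, i.e. I^{*c2} = {2,1,5} x {0}."""
    return dims(lambda_star(SYSTEMS, [2, 1, 5]))


def single_mode_loop():
    """Contrast case: the self-loop on S(2) alone keeps ker(O_2) = span{e_1}, dimension 1."""
    return dims(lambda_star({2: (A2, C2)}, [2]))


if __name__ == "__main__":
    print(example_10_1(), example_10_2_cycle_c2(), single_mode_loop())
```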

10.8 Notes and Further Reading

This chapter is mainly based on the paper [1].

The results discussed in this chapter are related to the papers [14, 15], which study observability in the sense of reconstruction of the current continuous state (a property called determinability in those papers). In [14, 15] the focus was on a subclass of LH-systems, with full discrete state information, with given initial discrete state, and with mode sequence and switching times known a priori. Hence, the cyclic case analyzed in Sect. 10.2 falls in the framework of [15]. One of the results in [15] is that if the system is observable for given switching times, then it is also observable in a neighborhood of those switching times, which is the same property established in Theorem 10.6. The case of fixed and a priori known switching times addressed in Sect. 10.6 generalizes the discrete topology of the model in [12]. However, for simplicity, in Sect. 10.6 we did not consider additional output information associated with the state during the "jump mode", i.e. with the value $x(t_k^-)$, as done in [12].

Another possible relaxation of the observability notion is the detectability property [4], which corresponds to the possibility of reconstructing the current hybrid state asymptotically. A linear continuous-time dynamical system is detectable if all free evolutions with initial states belonging to the unobservable subspace $\ker(O)$ asymptotically converge to zero. If the system is described by the matrices $A, B, C$, a well known necessary and sufficient condition for detectability is

$$\mathrm{rank}\big[(\lambda I - A)^\top \;\big|\; C^\top\big] = n$$

for all eigenvalues $\lambda$ of $A$ with nonnegative real part. A limited number of papers deal with detectability for hybrid systems. In [3, 6], detectability was characterized for LH-systems. In [11] the focus is on detectability and stabilizability of switched linear systems (i.e. LH-systems where the switchings can be controlled) in the discrete-time domain, under the assumption of full discrete state information. In [13] detectability was defined for nonlinear impulsive systems in a very broad framework and connected to the Invariance Principles for Hybrid Systems. Under the assumption that switching times are available as an output signal, in [10] detectability was addressed and characterized for a class of linear impulsive systems, such as those in Sect. 2.2 but with switching times independent of the state.

References

1. Arbib C, De Santis E (2020) Almost always observable hybrid systems. Nonlinear Anal: Hybrid Syst 36
2. Carnevale D, Galeani S, Menini L, Sassano M (2015) Hybrid output regulation for linear systems with periodic jumps: solvability conditions, structural implications and semi-classical solutions. IEEE Trans Autom Control 61(9):2416–2431
3. De Santis E, Di Benedetto MD (2016) Observability of hybrid dynamical systems. Found Trends Syst Control 3(4):363–540
4. De Santis E, Di Benedetto MD, Pola G (2003) On observability and detectability of continuous-time linear switching systems. In: Proceedings of the 42nd IEEE conference on decision and control, CDC 03, Maui, Hawaii, USA, pp 5777–5782
5. De Santis E, Di Benedetto MD, Pola G (2008) Stabilizability of linear switching systems. Nonlinear Anal: Hybrid Syst 2:750–764
6. De Santis E, Di Benedetto MD, Pola G (2009) A structural approach to detectability for a class of hybrid systems. Automatica 45:1202–1206
7. Erdös P, Pósa L (1965) On independent circuits contained in a graph. Canad J Math 17:347–352
8. Festa P, Pardalos PM, Resende MGC (1999) Feedback set problems. In: Du D-Z, Pardalos PM (eds) Handbook of combinatorial optimization, supplement, vol A. Kluwer Academic Publishers, Dordrecht, pp 209–258
9. Funke M, Reinelt G (1996) A polyhedral approach to the feedback vertex set problem. Integer programming and combinatorial optimization. Lecture notes in computer science, vol 1084. Springer, Berlin, pp 445–459
10. Lawrence DA (2012) Detectability of linear impulsive systems. Dyn Contin Discrete Impuls Syst A: Math Anal 19(4):431–452
11. Lee JW, Khargonekar PP (2009) Detectability and stabilizability of discrete-time switched linear systems. IEEE Trans Autom Control 54(3):424–437
12. Possieri C, Teel A (2016) Structural properties of a class of linear hybrid systems and output feedback stabilization. IEEE Trans Autom Control 62(6):2704–2719
13. Sanfelice RG, Goebel R, Teel AR (2007) Invariance principles for hybrid systems with connections to detectability and asymptotic stability. IEEE Trans Autom Control 52(12):2282–2297
14. Tanwani A, Shim H, Liberzon D (2013) Observability for switched linear systems: characterization and observer design. IEEE Trans Autom Control 58(4):891–904
15. Tanwani A, Shim H, Liberzon D (2015) Comments on "observability for switched linear systems: characterization and observer design". IEEE Trans Autom Control 60(12):3396–3400

Chapter 11

Diagnosability and Predictability for H-Systems

In this chapter, after extending to H-systems the diagnosability and predictability definitions already given for FSMs in Chap. 4, we propose two different approaches to check those properties. The first one applies to the subclass of LH-systems and is based on the Enriching Procedure described in Sect. 8.2. This procedure encodes in the discrete output of a modified system the information coming from the continuous output evolution of the given system. This approach leads to sufficient conditions to predict that the discrete component of the hybrid state belongs to some critical set, independently of the continuous component. A similar approach is presented for diagnosis. The second approach is based on the approximation of the H-system with a symbolic model, i.e. a system with a finite number of states, for which the tools developed in Chap. 4 can be used. Numerical examples illustrate the theory.

11.1 Definitions

The following definitions extend to H-systems the Definitions 4.7 and 4.11 given for FSMs. Recall that, for notational simplicity, we have assumed that $t_0 = 0$ and, regarding observability properties, we suppose that at each $t > 0$ the input in the interval $[0, t)$ is available. Given the set $\mathcal{U}$ of piecewise-continuous input functions, let $\epsilon$ denote the null element with respect to concatenation, i.e. if $\circ$ denotes the concatenation operator, for $u \in \mathcal{U}$ and $t_1, t_2 \in \mathbb{R}$, $t_1 < t_2$, $u|_{[t_1, t_2)} \circ \epsilon = u|_{[t_1, t_2)}$.¹ For simplicity, in what follows we abuse notation by writing $u|_{[0,0)}$ with the meaning $u|_{[0,0)} = \epsilon$. Diagnosability can be defined on the basis of the existence of a diagnoser, as specified hereafter:

¹ The symbol $\epsilon$ has already been used to denote the null event or, equivalently, the empty string (see e.g. Chap. 2). For simplicity we use here the same symbol with a different meaning.

© Springer Nature Switzerland AG 2023 E. De Santis and M. D. Di Benedetto, H-Systems, Communications and Control Engineering, https://doi.org/10.1007/978-3-031-20447-0_11


Definition 11.1 The H-system H is diagnosable with respect to $\hat\Xi \subset \Xi$ (shortly, $\hat\Xi$-diagnosable) if there exist $T \in \mathbb{R}^+$ and a function $D : (\mathcal{U} \times \mathcal{Y}) \to \{0, 1\}$, called diagnoser, such that for any infinite execution $\chi = (\xi_0, \tau, u, (q, x))$, with generic $u \in \mathcal{U}$, the following two conditions hold:

1. If for some real $\hat t \ge 0$
$$\xi(\hat t) \in \hat\Xi \ \wedge\ \Big(\hat t = 0 \ \vee\ \xi(t) \notin \hat\Xi,\ \forall t \in [0, \hat t)\Big)$$
then there exists $d \in [0, T]$ such that for $t = \hat t + d$
$$D\big(u|_{[0,t)}, \upsilon|_{[0,t]}\big) = 1.$$

2. Conversely, if for some real $t \ge 0$
$$D\big(u|_{[0,t)}, \upsilon|_{[0,t]}\big) = 1 \ \wedge\ \Big(t = 0 \ \vee\ D\big(u|_{[0,t')}, \upsilon|_{[0,t']}\big) = 0,\ \forall t' \in [0, t)\Big)$$
then
$$\xi(\hat t) \in \hat\Xi \quad \text{for some } \hat t \in [\max\{0, t - T\}, t].$$

In the definition above, the first condition means that if at some time $\hat t$ the state belongs to the critical set for the first time, then the diagnoser outputs 1 with a maximum delay of $T$ with respect to that instant. The second condition ensures that if the diagnoser gives output 1, then the state belonged to the critical set at a previous instant, at most $T$ before the diagnoser gave output 1. We therefore ensure the absence of false positives and false negatives. Similarly, predictability corresponds to the existence of a predictor as specified hereafter:

Definition 11.2 The H-system H is predictable with respect to $\hat\Xi \subset \Xi$ (shortly, $\hat\Xi$-predictable) if there exist $T, T' \in \mathbb{R}^+$, with $T > T'$, and a function $P : (\mathcal{U} \times \mathcal{Y}) \to \{0, 1\}$, called predictor, such that the following conditions hold for any infinite execution $\chi = (\xi_0, \tau, u, (q, x))$, with generic $u \in \mathcal{U}$:

1. If for some real $\hat t \ge T$
$$\xi(\hat t) \in \hat\Xi \ \wedge\ \xi(t) \notin \hat\Xi,\ \forall t \in [0, \hat t)$$
then for $t = \hat t - T$
$$P\big(u|_{[0,t)}, \upsilon|_{[0,t]}\big) = 1.$$

2. Conversely, if for some real $t \ge 0$
$$P\big(u|_{[0,t)}, \upsilon|_{[0,t]}\big) = 1 \ \wedge\ \Big(t = 0 \ \vee\ P\big(u|_{[0,t')}, \upsilon|_{[0,t']}\big) = 0,\ \forall t' \in [0, t)\Big)$$
then
$$\xi(\hat t) \in \hat\Xi \quad \text{for some } \hat t \in (t + T', t + T].$$

In the definition above, the first condition indicates that if at a certain instant $\hat t$ the state belongs to the critical set, then the predictor outputs 1, $T$ instants of time before the critical event. The second condition ensures that if the predictor outputs 1 at the instant $t$, then the state will certainly belong to the critical set at a later instant between $t + T'$ and $t + T$. We therefore guarantee, as for diagnosability, the absence of false positives and false negatives.

For a linear dynamical system, observability implies diagnosability with respect to any subset of the state space. In fact, if a system is observable, its state can be exactly reconstructed in an arbitrarily small amount of time after the initial time. Hence, it is possible to immediately detect whether the state belongs to a given set by computing the state trajectory. This is not true for H-systems, where observability is neither sufficient nor necessary for diagnosability. In fact, eventually reconstructing the current hybrid state, as required by Definition 6.1, does not lead to the possibility of computing the hybrid state trajectory backwards in time, not even in the case of LH-systems with invertible reset functions. For example, consider an LH-system with the associated FSM depicted in Fig. 11.1. Suppose that all the reset matrices are the identity. The systems $S(i)$, $i = 1, \ldots, 4$ are autonomous and described by the pairs of matrices, respectively:
$$A_1 = \begin{bmatrix} 0 & 0 \\ 0 & 0 \end{bmatrix},\ C_1 = \begin{bmatrix} 0 & 1 \end{bmatrix}, \qquad A_2 = \begin{bmatrix} 1 & 0 \\ 0 & 0 \end{bmatrix},\ C_2 = \begin{bmatrix} 0 & 1 \end{bmatrix},$$
$$A_3 = \begin{bmatrix} 2 & 0 \\ 0 & 0 \end{bmatrix},\ C_3 = \begin{bmatrix} 0 & 1 \end{bmatrix}, \qquad A_4 = \begin{bmatrix} 1 & 0 \\ 1 & 1 \end{bmatrix},\ C_4 = \begin{bmatrix} 0 & 1 \end{bmatrix}.$$

Fig. 11.1 The H-system is not $\{3\} \times \mathbb{R}^n$-diagnosable (figure: FSM with locations 1, 2, 3, 4 and transitions labelled a and b)


Let the maximum dwell time in modes 1, 2, 3 be bounded by a finite positive value $\Delta$. No bound on the dwell time in mode 4 is imposed. The LH-system is observable, because it is current location observable and the system $S(4)$ is observable. However, the available information does not allow one to distinguish between the two discrete state trajectories 1 − 2 − 4 and 1 − 3 − 4. Hence the system is not $\{3\} \times \mathbb{R}^n$-diagnosable.

The next example shows that, even if the initial hybrid state is known, the nondeterminism of the hybrid automaton implies that in general neither observability, as in Definition 6.1, nor diagnosability, as in Definition 11.1, holds. Consider again the same LH-system associated with the FSM depicted in Fig. 11.1, but let the system $S(4)$ be unobservable, for example by setting $A_4 = I$. Even if we suppose that the initial hybrid state is given, the LH-system is neither observable nor $\{3\} \times \mathbb{R}^n$-diagnosable.

In the particular case where H is critically $\{i\}$-observable and $S(i)$ is observable for all $i$ such that $(i, x) \in \hat\Xi$, H is $\hat\Xi$-diagnosable for any $T > 0$. In fact, it is critically $\hat\Xi$-observable. Conversely, it is obvious that diagnosability with respect to a given set does not imply the possibility of reconstructing the current hybrid state.

As for predictability, for an observable linear dynamical system, predictability is equivalent to a reachability problem, provided that the initial state does not belong to the set with respect to which prediction is required. In the case of an H-system, eventual reconstruction of the current hybrid state does not allow reformulating the predictability problem as a reachability problem, since the set $\hat\Xi$ could be reached before reconstructing the current state. In the following sections, we propose two different approaches for deriving conditions that ensure diagnosability or predictability for an H-system.

The first approach applies to the subclass of LH-systems and is based on the Enriching Procedure described in Sect. 8.2, which encodes in the discrete output the information coming from the continuous input and output evolutions. Sufficient conditions are thereby obtained for the diagnosis and prediction of the discrete component of the hybrid state. The second approach is based on the approximation of the H-system by a symbolic system, i.e. a system with a finite number of states that simulates the evolution of the given system. Such a symbolic system exists under some stability conditions for the given H-system. Then, diagnosability and predictability of the symbolic system, which can be checked as described in Chap. 4, imply diagnosability and predictability of the H-system in an approximate sense.

11.2 Diagnosability and Predictability Analysis

In this section, we derive sufficient conditions for diagnosability and predictability for the discrete component of the hybrid state belonging to some critical set. An unbounded dwell time plays a role in the analysis of diagnosability and predictability, as in observability. In fact, if for some $q \in Q$ the dwell time is unbounded, diagnosability of M in general does not imply diagnosability of the H-system. For example, Fig. 11.2 represents an FSM where the critical set is the singleton {4}. The FSM is {4}-diagnosable: in fact, whenever an output string has abb as suffix, we can deduce that the state 4 has been crossed. However, if the FSM is associated with an H-system with infinite dwell time in locations 5 and 3, after the acquisition of the string abab there is no bound on the time to wait before having the next discrete signal. Hence, it is not possible to detect the crossing of the critical set {4} within a finite interval of time, as required by Definition 11.1. A similar reasoning shows that predictability for M does not imply predictability for H.

Fig. 11.2 The FSM is {4}-diagnosable, but the associated H-system is not, in general, $\{4\} \times \mathbb{R}^n$-diagnosable (figure: FSM with locations 1 to 6 and transitions labelled a and b)

Under the hypothesis of finite dwell time in some particular modes, we can establish the following two propositions about diagnosability and predictability.

Proposition 11.1 Consider an H-system H with purely discrete output information, as in Definition 8.1, and with hybrid critical set $\hat\Xi = \hat Q \times \mathbb{R}^n$. If a maximum dwell time is associated with all modes of the set $\mathrm{reach}(\hat Q)$, then H is $\hat\Xi$-diagnosable if and only if M is $\hat Q$-diagnosable.

Proof By Definition 11.1, diagnosis must be achieved within a finite time interval after the hybrid state evolution has touched the critical set $\hat\Xi$ for the first time. Therefore, if the dwell time is bounded in each mode of the set $\mathrm{reach}(\hat Q)$, checking the property for H is equivalent to checking the property for M. □

Let $\hat Q$ be a proper subset of the state space $Q$ of M. Following the notation introduced in Chap. 4 (Eq. (4.40)), let $F(\hat Q)$ denote the subset of $Q \setminus \hat Q$ such that any state trajectory starting from it reaches the set $\hat Q$ in a finite number of steps. Then,

Proposition 11.2 Consider an H-system H with purely discrete output information and hybrid critical set $\hat\Xi = \hat Q \times \mathbb{R}^n$. Suppose that a maximum dwell time is associated with all modes of the set $F(\hat Q)$. Then H is $\hat\Xi$-predictable if and only if M is $\hat Q$-predictable.

Proof By Definition 11.2, prediction must be achieved within a bounded interval of time before a critical occurrence, i.e. before the hybrid state evolution eventually touches the critical set $\hat\Xi$ for the first time. Therefore, if the dwell time is bounded in each mode of the set $F(\hat Q)$, since all the precursors of $\hat Q$ for M are contained in $F(\hat Q)$ by definition of precursor (see Eq. (4.40)), checking the property for H is equivalent to checking the property for M. □

Propositions 11.1 and 11.2 hold for an H-system with purely discrete output information. For an LH-system H with discrete and continuous information, the Enriching Procedure returns the enriched system $H_e$ associated with H, where the continuous information is encoded in the discrete output. Thus, we can reformulate for the system $H_e$ the diagnosability/predictability problem defined for H. Then we can associate to $H_e$ the system with purely discrete output information $H_{e,d}$, by simply neglecting the continuous information, and finally we can apply the results of Propositions 11.1 and 11.2 to $H_{e,d}$. Therefore, first we have to establish the relations between H and $H_e$. Let $f$ be the point-to-set mapping defined in the Enriching Procedure. For a given set $\hat\Xi = \bigcup_{i \in \hat Q} \{i\} \times \Omega_i \subset \Xi$, let $\hat\Xi_e$ be the corresponding set in $H_e$, i.e.
$$\hat\Xi_e = \bigcup_{j \in \hat Q_e} \{j\} \times \Omega_{f^{-1}(j)} \subset \Xi_e$$
where
$$\hat Q_e = \{ j \in f(i) : i \in \hat Q \}.$$
Then the following proposition holds.

Proposition 11.3 Let an LH-system H and a hybrid critical set $\hat\Xi \subset \Xi$ be given. Then H is $\hat\Xi$-diagnosable (resp. predictable) if and only if $H_e$ is $\hat\Xi_e$-diagnosable (resp. predictable).

The proof follows the same lines as the proof of Theorem 9.4.

Proposition 11.4 Let an LH-system H and a hybrid critical set $\hat\Xi = \hat Q \times \mathbb{R}^n$ be given. If $H_{e,d}$ is $\hat\Xi_e$-diagnosable (resp. predictable) then H is $\hat\Xi$-diagnosable (resp. predictable).

Remark 11.1 Propositions 11.1, 11.2 and 11.4 give the tools for diagnosis and prediction of the discrete component of the hybrid state. In the case of an H-system with constraints, it is possible to reformulate the diagnosability/predictability problem with respect to a hybrid set as a diagnosability/predictability problem of the discrete components of the states. For example, suppose that we need to predict a situation where the mode of the H-system is $q$ and the continuous state belongs to some set $\hat X$. Then the mode $q$ can be split into two different modes $q'$ and $q''$, the former with state constraint $\hat X$, the latter with state constraint given by the complement of $\hat X$ in $\mathbb{R}^n$. Then $q'$ is the critical discrete state to diagnose/predict, and it is enough to ensure diagnosability/predictability with respect to that discrete component of the hybrid state. Propositions 11.1, 11.2 and 11.4 can be applied for this purpose. However, this would require distinguishing between $q'$ and $q''$ from the output information, which is not an easy task, especially when only the continuous information is available. Less conservative conditions than those stated in Propositions 11.1, 11.2 and 11.4 can be obtained by taking into account the available information on the system and on the constraints, for example the information about the dwell time.


11.3 Symbolic Systems Approach

In this section, because of the complexity of checking diagnosability and predictability for a hybrid set, we approach this problem in an approximate setting, with no assumption of linearity. The price to pay is in the computational complexity of the procedures involved, which grows as the required precision increases. We give conditions for approximate diagnosability and predictability of an H-system on the basis of a system with a finite number of states that approximates the given H-system with a given degree of accuracy. An H-system belongs to the general class of pseudo-metric systems, which will be defined in Sect. 11.3.2 and will be used as a unifying mathematical paradigm to properly describe heterogeneous dynamics. Given an accuracy $\rho \ge 0$ and a set of faulty states $F$, approximate diagnosability in Sect. 11.3.3 corresponds to the possibility of distinguishing, within a finite delay $\Delta$, state runs that have reached the set of faulty states $F$ from state runs that have not reached the set $B_\rho(F)$, obtained by "enlarging" $F$ by the factor $\rho$. The ambiguity around the set $F$ may reflect uncertainties introduced by measurement errors. When the accuracy $\rho$ is equal to zero, approximate diagnosability translates to pseudo-metric systems the notion of diagnosability as in Definition 4.7 for FSMs and as in Definition 11.1 for H-systems. In Sect. 11.3.3, we also introduce approximate predictability, which extends to pseudo-metric systems the notion of (exact) predictability given in Definition 4.11 for FSMs and in Definition 11.2 for H-systems. Similarly to approximate diagnosability, approximate predictability corresponds to the possibility of distinguishing state runs that will reach the set of faulty states $F$ from state runs that will not reach the set $F$ enlarged by $\rho$, before the occurrence of the fault. When the accuracy $\rho$ is equal to zero, approximate predictability translates to pseudo-metric systems the notion of predictability as in Definition 4.11 for FSMs and in Definition 11.2 for H-systems. A key notion we will use is that of approximate simulation: a pseudo-metric system is approximately simulated by another pseudo-metric system when for any output trajectory of the former there exists an output trajectory of the latter which is close to the former with the desired accuracy. As illustrated in the previous section, checking diagnosability and predictability for an H-system is a hard task. However, the relations that we will establish between approximate diagnosability (resp. predictability) of a given pseudo-metric system and approximate diagnosability (resp. predictability) of a pseudo-metric system that approximately simulates the given one will allow for checking approximate diagnosability or predictability of a system $\Sigma$ having an infinite number of states, for example an H-system. This can be done provided that it is possible to construct a metric system that is symbolic (i.e. with a finite number of states and inputs), which approximates $\Sigma$ in the sense of approximate simulation. For the construction of symbolic models for continuous and hybrid control systems, numerous results can be found in the literature, as discussed in Sect. 11.4.


To present this method, we will show how to solve the approximate diagnosability problem for an incrementally stable discrete-time nonlinear system, which can be viewed as an H-system with one discrete state. We will also show how to apply this method to approximate predictability of Piecewise-Affine (PWA) systems.

11.3.1 Notation

The notation we will use is specific to this section. We therefore list here some symbols and preliminary definitions. Given a pair of sets $X$ and $Y$ and a relation $R \subset X \times Y$, the symbol $R^{-1}$ denotes the inverse relation of $R$, i.e. $R^{-1} = \{(y, x) \in Y \times X : (x, y) \in R\}$. Given $X' \subset X$ and $Y' \subset Y$, we denote $R(X') = \{y \in Y \mid \exists x \in X' \text{ s.t. } (x, y) \in R\}$ and $R^{-1}(Y') = \{x \in X \mid \exists y \in Y' \text{ s.t. } (x, y) \in R\}$. A continuous function $\gamma : \mathbb{R}^+_0 \to \mathbb{R}^+_0$ is said to belong to class $\mathcal{K}$ if it is strictly increasing and $\gamma(0) = 0$; $\gamma$ is said to belong to class $\mathcal{K}_\infty$ if $\gamma \in \mathcal{K}$ and $\gamma(r) \to \infty$ as $r \to \infty$. Given a vector $x \in \mathbb{R}^n$ we denote by $\|x\|_\infty$ the infinity norm of $x$. Given $\vartheta \in \mathbb{R}^+$ and $x \in \mathbb{R}^n$, we define $B^n_{[-\vartheta, \vartheta)}(x) = \{y \in \mathbb{R}^n \mid y_i \in [-\vartheta + x_i, \vartheta + x_i),\ i \in [1; n]\}$, where $x_i$ and $y_i$ denote the $i$th component of vectors $x$ and $y$, respectively. Note that for any $\vartheta \in \mathbb{R}^+$, the collection of sets $B^n_{[-\vartheta, \vartheta)}(x)$, with $x$ ranging in $2\vartheta\mathbb{Z}^n$, is a partition of $\mathbb{R}^n$. We now define the quantization function. Given a quantization parameter $\vartheta \in \mathbb{R}^+$, the quantizer in $\mathbb{R}^n$ with accuracy $\vartheta$ is a function $[\cdot]_\vartheta : \mathbb{R}^n \to 2\vartheta\mathbb{Z}^n$, associating to any $x \in \mathbb{R}^n$ the unique vector $[x]_\vartheta \in 2\vartheta\mathbb{Z}^n$ such that $x \in B^n_{[-\vartheta, \vartheta)}([x]_\vartheta)$. The definition of $[\cdot]_\vartheta$ naturally extends to sets $X \subset \mathbb{R}^n$ when $[X]_\vartheta$ is interpreted as the image of $X$ through the function $[\cdot]_\vartheta$. A polyhedron $P \subset \mathbb{R}^n$ is a set obtained by the intersection of a finite number of (open or closed) half-spaces. A polytope is a bounded polyhedron. Finally, given a set $X$ and a function $d : X \times X \to \mathbb{R}^+_0 \cup \{\infty\}$, let us consider the following properties:

(i) for any $x, y \in X$, if $x = y$ then $d(x, y) = 0$;
(ii) for any $x, y \in X$, if $d(x, y) = 0$ then $x = y$;
(iii) for any $x, y \in X$, $d(x, y) = d(y, x)$;
(iv) for any $x, y, z \in X$, $d(x, y) \le d(x, z) + d(z, y)$.

Then the function $d$ is said to be:

– a metric for $X$ if conditions (i), (ii), (iii) and (iv) hold;
– a quasi-metric for $X$ if conditions (i), (ii) and (iv) hold;
– a pseudo-metric for $X$ if conditions (i), (iii) and (iv) hold;
– a quasi-pseudo-metric for $X$ if conditions (i) and (iv) hold.

Figure 11.3 depicts the relationships between the different notions of metrics described above. From [27], given a quasi-pseudo-metric space $(X, d)$, a sequence $\{x_i\}_{i \in \mathbb{N}}$ over $X$ is left (resp. right) $d$-convergent to $x^* \in X$, denoted $\lim_{\to} x_i = x^*$ (resp. $\lim_{\leftarrow} x_i = x^*$), if for any $\varepsilon \in \mathbb{R}^+$ there exists $N \in \mathbb{N}$ such that $d(x_i, x^*) \le \varepsilon$ (resp. $d(x^*, x_i) \le \varepsilon$) for any $i \ge N$.

Fig. 11.3 Relationship among metrics (figure: inclusion diagram of metrics M, quasi-metrics QM, pseudo-metrics PM and quasi-pseudo-metrics QPM)

Given $X \subset \mathbb{R}^n$ we denote by $d_h$ the Hausdorff pseudo-metric induced by the infinity norm $\|\cdot\|_\infty$ on $2^X$; we recall that for any $X_1, X_2 \subset X$,
$$d_h(X_1, X_2) := \max\{\bar d_h(X_1, X_2), \bar d_h(X_2, X_1)\}$$
where
$$\bar d_h(X_1, X_2) = \sup_{x_1 \in X_1} \inf_{x_2 \in X_2} \|x_1 - x_2\|_\infty$$
is the Hausdorff quasi-pseudo-metric.

11.3.2 Pseudo-metric Systems and Approximate Simulations

We start with the definition of system. For the reader's convenience, the notation we use is specific to this section.

Definition 11.3 A system is a tuple
$$S = (X, X_0, U, E, Y, H) \tag{11.1}$$
consisting of a set of states $X$, a set of initial states $X_0 \subset X$, a set of inputs $U$, a transition relation $E \subset X \times U \times X$, a set of outputs $Y$ and an output function $H : X \to Y$. We follow standard practice and denote a transition $(x, u, x')$ in the set $E$ of $S$ by $x \xrightarrow{u} x'$. Given a sequence of transitions of $S$
$$x(0) \xrightarrow{u(0)} x(1) \xrightarrow{u(1)} \cdots \xrightarrow{u(l-1)} x(l) \tag{11.2}$$
with $x(0) \in X_0$ and $l \in \mathbb{N}$, the sequences
$$x(\cdot) : x(0)\ x(1) \ldots x(l), \tag{11.3}$$
$$y(\cdot) : H(x(0))\ H(x(1)) \ldots H(x(l)), \tag{11.4}$$


are called a state run and an output run of $S$, respectively. State $x(l)$ is called the ending state of the state run in (11.3). The accessible part of a system $S$, denoted $\mathrm{Ac}(S)$, is the set of all ending states of state runs of $S$. System $S$ in (11.1) is said to be symbolic if $\mathrm{Ac}(S)$ and $U$ are finite sets, and is said to be pseudo-metric (metric) if $X$ is equipped with a pseudo-metric (metric, respectively). For the sake of simplicity, we assume that the inputs $u$ of $S$ are not available; this assumption corresponds to the point of view of an external observer who cannot have access to the inputs of the system $S$. Definitions 11.1 and 11.2 can be easily adapted to this case by requiring that the diagnoser and the predictor do not make use of the input function.

Remark 11.2 The evolution of a system may be described by state and output runs. The concept of time is not part of Definition 11.3. An FSM is a particular system, as in Definition 11.3, and in this case the notion of state run parallels that of event-based evolution (or execution) we recalled in Chap. 3. A continuous-time system can also be represented as a system (see e.g. [21]). Hence, the same mathematical framework can represent different heterogeneous systems. However, a state run can also be viewed as an evolution in discrete time, and this corresponds to the setting adopted in the symbolic systems approach illustrated in this section. □

Consider a pair of pseudo-metric systems
$$S_i = (X_i, X_{0,i}, U_i, E_i, Y_i, H_i), \quad i \in \{1, 2\} \tag{11.5}$$
with $X_1$ and $X_2$ subsets of some set $X$ equipped with pseudo-metric $d$.

Definition 11.4 Let $\varepsilon \in \mathbb{R}^+_0$ be a given accuracy. A relation $R \subset X_1 \times X_2$ is an $\varepsilon$-approximate simulation relation from $S_1$ to $S_2$ if it satisfies the following conditions:

(i) $\forall x_1 \in X_{0,1}\ \exists x_2 \in X_{0,2}$ such that $(x_1, x_2) \in R$;
(ii) $d(x_1, x_2) \le \varepsilon$, $\forall (x_1, x_2) \in R$;
(iii) $H_1(x_1) = H_2(x_2)$, $\forall (x_1, x_2) \in R$;
(iv) $\forall (x_1, x_2) \in R$, if $x_1 \xrightarrow{u_1}_1 x_1'$ then there exists $x_2 \xrightarrow{u_2}_2 x_2'$ with $(x_1', x_2') \in R$.

System $S_1$ is $\varepsilon$-simulated by $S_2$, denoted $S_1 \preceq_\varepsilon S_2$, if there exists an $\varepsilon$-approximate simulation relation from $S_1$ to $S_2$. Relation $R$ is an $\varepsilon$-approximate bisimulation relation between $S_1$ and $S_2$ if $R$ is an $\varepsilon$-approximate simulation relation from $S_1$ to $S_2$, and $R^{-1}$ is an $\varepsilon$-approximate simulation relation from $S_2$ to $S_1$. Systems $S_1$ and $S_2$ are $\varepsilon$-bisimilar if there exists an $\varepsilon$-approximate bisimulation relation between $S_1$ and $S_2$.
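The greatest ε-approximate simulation relation of Definition 11.4 computed as a fixed point, as an added example that is not part of the book: the two symbolic systems (a counter on 0..9 and its quantized version on the grid 2ϑZ with ϑ = 1), the infinity norm used as metric and the output function are all constructed here.

```python
"""Greatest epsilon-approximate simulation relation between two symbolic systems
(Definition 11.4). Added example: the systems below are constructed here, not
taken from the book."""
from dataclasses import dataclass


@dataclass
class System:
    states: set      # X
    init: set        # X_0
    trans: set       # E subset of X x U x X, stored as triples (x, u, x')
    output: dict     # H : X -> Y

    def post(self, x):
        """All moves x -u-> x' leaving state x."""
        return {(u, x2) for (x1, u, x2) in self.trans if x1 == x}


def max_eps_simulation(s1, s2, d, eps):
    """Largest relation R subset of X1 x X2 satisfying (ii), (iii), (iv) of
    Definition 11.4, as a greatest fixed point: start from every pair that is
    eps-close with equal outputs, then repeatedly drop pairs in which some move
    of S1 cannot be matched by a move of S2 that stays inside R."""
    R = {(x1, x2) for x1 in s1.states for x2 in s2.states
         if d(x1, x2) <= eps and s1.output[x1] == s2.output[x2]}
    changed = True
    while changed:
        changed = False
        for (x1, x2) in list(R):
            for (_, n1) in s1.post(x1):
                if not any((n1, n2) in R for (_, n2) in s2.post(x2)):
                    R.discard((x1, x2))   # condition (iv) violated
                    changed = True
                    break
    return R


def is_eps_simulated(s1, s2, d, eps):
    """S1 is eps-simulated by S2 iff condition (i) holds for the greatest
    relation: every initial state of S1 is related to an initial state of S2."""
    R = max_eps_simulation(s1, s2, d, eps)
    return all(any((x1, x2) in R for x2 in s2.init) for x1 in s1.init), R


# --- constructed example ----------------------------------------------------
def zone(x):
    return "low" if x < 5 else "high"


# S1: a counter on 0..9 moving by +1 (input a) or -1 (input b).
S1 = System(states=set(range(10)), init={0},
            trans={(x, "a", x + 1) for x in range(9)}
            | {(x, "b", x - 1) for x in range(1, 10)},
            output={x: zone(x) for x in range(10)})

# S2: the same counter seen through the quantizer [.]_theta with theta = 1, i.e.
# on the grid 2*theta*Z = {0, 2, 4, 6, 8}; one step may stay or move one cell.
GRID = {0, 2, 4, 6, 8}
S2_STAY = System(states=GRID, init={0},
                 trans={(x, "s", y) for x in GRID for y in GRID if abs(x - y) <= 2},
                 output={x: zone(x) for x in GRID})

# Same grid, but the coarse model is forced to change cell at every step.
S2_MOVE = System(states=GRID, init={0},
                 trans={(x, "s", y) for x in GRID for y in GRID if abs(x - y) == 2},
                 output={x: zone(x) for x in GRID})


def d(x1, x2):
    """Pseudo-metric on the common state space Z: the infinity norm on R."""
    return abs(x1 - x2)


if __name__ == "__main__":
    ok, R = is_eps_simulated(S1, S2_STAY, d, eps=1)
    print("S1 <=_1 S2_STAY:", ok, "relation size:", len(R))
    print("S1 <=_0 S2_STAY:", is_eps_simulated(S1, S2_STAY, d, eps=0)[0])
    print("S1 <=_1 S2_MOVE:", is_eps_simulated(S1, S2_MOVE, d, eps=1)[0])
```

With ε = 1 the quantized model simulates the counter, with ε = 0 no odd state has a partner at distance 0, and without the "stay" moves condition (iv) empties the relation.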


11.3.3 Approximate Diagnosability and Predictability for Pseudo-metric Systems

We now introduce the notions of approximate diagnosability and approximate predictability. For a set $X$ equipped with pseudo-metric $d$, let $B_\rho(x)$ denote the closed ball induced by metric $d$ centered at $x \in X$ and with radius $\rho \in \mathbb{R}^+_0$, i.e. $B_\rho(x) = \{x' \in X \mid d(x, x') \le \rho\}$. Given $X' \subset X$, define $B_\rho(X') = \bigcup_{x' \in X'} B_\rho(x')$.

Definition 11.5 Given a system $S = (X, X_0, U, E, Y, H)$ with pseudo-metric $d$, consider a set $F \subset X$ of faulty states of $S$. Given a desired accuracy $\rho \in \mathbb{R}^+_0$, system $S$ is $(\rho, F)$-diagnosable if there exists a finite delay $\Delta \in \mathbb{N}$ such that for any pair of state runs $x^f(\cdot)$, $x^s(\cdot)$ of $S$ for which there exists $t \in \mathbb{N}$ such that
$$\big(x^f(t) \in F\big) \ \wedge\ \Big(t = 0 \ \vee\ x^f(t') \notin F,\ \forall t' \in [0; t-1]\Big)$$
and
$$x^s(t') \notin B_\rho(F),\ \forall t' \in [0; t + \Delta],$$
the corresponding output runs $y^f(\cdot)$, $y^s(\cdot)$ satisfy $y^f(t') \ne y^s(t')$ for some $t' \in [0; t + \Delta]$.

Approximate diagnosability corresponds to the possibility of distinguishing, within a finite delay $\Delta$, state runs that have reached the set of faulty states $F$ from state runs that have not reached the set $B_\rho(F)$. This ambiguity around the set $F$ reflects uncertainties introduced by measurement errors.

Definition 11.6 Given a system $S = (X, X_0, U, E, Y, H)$ with pseudo-metric $d$, consider a set $F \subset X$ of faulty states of $S$ with $F \cap X_0 = \emptyset$. Given a desired accuracy $\rho \in \mathbb{R}^+_0$, system $S$ is $(\rho, F)$-predictable if there exists $\Delta \in \mathbb{N}$ such that for any finite state run $x^f(\cdot)$ of $S$ for which the ending state $x^f(t_f) \in F$ and $x^f(t) \notin F$ for any $t \in [0; t_f)$, there exists $T \in [t_0, t_f)$ such that for any state run $x^s(\cdot)$ with $y^s|_{[t_0, T]} = y^f|_{[t_0, T]}$ the following properties hold:

(i) $x^s|_{[t_0, T]}$ does not contain states in $F$;
(ii) $x^s(T + \delta) \in B_\rho(F)$, for some $\delta \le \Delta$.

Approximate predictability corresponds to the possibility of distinguishing, on the basis of the observations collected in a certain time interval $[t_0; T]$, state runs that will reach for the first time the set of faulty states $F$ in at most $\Delta > 0$ time steps (i.e. within $T + \Delta$), from both state runs that will not reach the set $B_\rho(F)$ and state runs that already reached $F$ at a previous time instant $t < T$. Figure 11.4 is a graphical representation of a state trajectory $x^f(\cdot)$ that has to be distinguished from both trajectories $x^s_2(\cdot)$ and $x^s_1(\cdot)$ on the basis of the output information collected in the time interval $[0; T]$. A symbolic pseudo-metric system is nothing but an FSM with state space equipped with a pseudo-metric. Therefore, checking approximate diagnosability (resp. predictability) of symbolic pseudo-metric systems is a decidable problem with


Fig. 11.4 Approximate predictability holds only if the state trajectory $x^f(\cdot)$ can be distinguished from both trajectories $x^s_2(\cdot)$ and $x^s_1(\cdot)$ on the basis of the output information collected in the time interval $[0; T]$

polynomial computational complexity. This is discussed in Sect. 11.3.7, where we provide an extension of the algorithms proposed in Chap. 4 from exact to approximate diagnosability (resp. predictability) of FSMs.
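A decision procedure for $(\rho, F)$-diagnosability of a symbolic pseudo-metric system (Definition 11.5), as an added example that is not part of the book and not the algorithm of Sect. 11.3.7: pairs of output-equivalent runs are explored in a twin plant, which is this example's own choice of method. The plant, its outputs, the level function inducing the pseudo-metric and the faulty set are all constructed.

```python
"""Deciding (rho, F)-diagnosability (Definition 11.5) of a symbolic
pseudo-metric system by a twin-plant search. Added example; the plant,
its outputs, the pseudo-metric and the faulty set are constructed."""
from dataclasses import dataclass


@dataclass
class System:
    states: set      # X
    init: set        # X_0
    trans: set       # E, stored as triples (x, u, x')
    output: dict     # H : X -> Y

    def post(self, x):
        """Successor states of x (inputs are not observed, cf. Sect. 11.3.2)."""
        return {x2 for (x1, _, x2) in self.trans if x1 == x}


def approx_diagnosable(s, fault, rho, d):
    """Return (True, Delta) with the smallest delay Delta that works, or
    (False, None) if S is not (rho, F)-diagnosable.

    Twin plant: a node (a, b, flagged) pairs the state a of a run x^f with the
    state b of a run x^s at the same time instant, keeping only pairs with equal
    outputs and b outside B_rho(F); `flagged` records that x^f has already
    entered F.  S is not (rho, F)-diagnosable iff some flagged node can be
    continued forever (a cycle is reachable from it): the two runs then stay
    output-equivalent for every Delta."""
    near = {x for x in s.states if any(d(x, f) <= rho for f in fault)}  # B_rho(F)

    def succ(node):
        a, b, fl = node
        for a2 in s.post(a):
            for b2 in s.post(b):
                if s.output[a2] == s.output[b2] and b2 not in near:
                    yield (a2, b2, fl or a2 in fault)

    start = {(a, b, a in fault) for a in s.init for b in s.init
             if s.output[a] == s.output[b] and b not in near}
    seen, stack = set(start), list(start)
    while stack:                        # reachable part of the twin plant
        for m in succ(stack.pop()):
            if m not in seen:
                seen.add(m)
                stack.append(m)
    flagged = [n for n in seen if n[2]]
    if not flagged:
        return True, 0                  # x^f never reaches F while x^s avoids B_rho(F)

    longest = {}                        # longest output-equivalent continuation

    def continuation(n, path):
        if n in longest:
            return longest[n]
        if n in path:
            return None                 # cycle: unbounded continuation
        best = 0
        for m in succ(n):
            r = continuation(m, path | {n})
            if r is None:
                return None
            best = max(best, r + 1)
        longest[n] = best
        return best

    worst = 0
    for n in flagged:
        r = continuation(n, frozenset())
        if r is None:
            return False, None
        worst = max(worst, r)
    # The runs can agree up to time t + worst, so Delta = worst + 1 separates them.
    return True, worst + 1


# --- constructed plant --------------------------------------------------------
# 0 -> 1 -> 2 -> 3 -> 4 is the faulty evolution (4 in F, 4 loops on itself);
# 0 -> 5 -> 6 -> 7 -> {8, 9} is a nominal evolution emitting the same outputs.
EDGES = {(0, 1), (0, 5), (1, 2), (2, 3), (3, 4), (4, 4),
         (5, 6), (6, 7), (7, 8), (8, 8), (7, 9), (9, 10), (10, 10)}
OUT = {0: "init", 1: "ok", 2: "ok", 3: "warn", 4: "warn",
       5: "ok", 6: "ok", 7: "warn", 8: "warn", 9: "warn", 10: "ok"}
# A scalar "temperature" per state; d below is the pseudo-metric it induces
# (states 1 and 5 are at distance 0, so condition (ii) of a metric fails).
LEVEL = {0: 0.0, 1: 1.0, 2: 2.0, 3: 3.0, 4: 4.0,
         5: 1.0, 6: 2.0, 7: 3.0, 8: 3.8, 9: 2.5, 10: 2.0}
PLANT = System(states=set(OUT), init={0},
               trans={(x, "s", y) for (x, y) in EDGES}, output=OUT)
FAULT = {4}


def d(x, y):
    return abs(LEVEL[x] - LEVEL[y])


if __name__ == "__main__":
    for rho in (0.0, 0.5, 1.5):
        print("rho =", rho, "->", approx_diagnosable(PLANT, FAULT, rho, d))
```

With ρ = 0 the nominal run through state 8 mimics the faulty run forever, with ρ = 0.5 state 8 falls inside $B_\rho(F)$ and only the branch through 9 remains, which is told apart one step later, and with ρ = 1.5 no nominal run stays outside $B_\rho(F)$ long enough to be confused with a faulty one.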

11.3.4 Relations Between Approximate Properties and Approximate Simulation In this section we establish the relations between approximate diagnosability/ predictability and approximate simulation. For the pair of pseudo-metric systems in (11.5), suppose that S1 ε S2 and let R denote the ε-approximate simulation relation from S1 to S2 , The ε-approximate simulation relation from S1 to S2 induces the following assumption, where the faulty states for S2 are uniquely determined given the faulty states for S1 : Assumption 11.1 Consider a set F1 ⊂ X 1 of faulty states for S1 . Then F2 = Bε (F1 ) ∩ X 2 is the set of faulty states for system S2 . If S1 ε S2 , in view of conditions (i) and (iv) of Definition 11.4, we have R(F1 ) = ∅. Then, since R(F1 ) ⊂ Bε (F1 ) by condition (ii) of Definition 11.4, implying R(F1 ) ∩ X 2 ⊂ Bε (F1 ) ∩ X 2 , the set F2 is non-empty. Theorem 11.1 If S2 is (ρ2 , F2 )-diagnosable ((ρ2 , F2 )-predictable) for some accuracy ρ2 ∈ R+ 0 , then S1 is (ρ1 , F1 )-diagnosable (resp. (ρ1 , F1 )-predictable) for all ρ1 ≥ ρ2 + 2ε. Proof Let R be an ε-approximate simulation from S1 to S2 , which exists because S1 ε S2 . Diagnosability. By contradiction, suppose that S1 is not (ρ1 , F1 )-diagnosable, with some ρ1 ≥ ρ2 + 2ε. Then, for any Δ ∈ N there exists a state run

11.3 Symbolic Systems Approach

225

x f (0) x f (1) . . .

(11.6)

y f (0) y f (1) . . .

(11.7)

   / F1 , ∀t ∈ [0; t − 1]) , x f (t) ∈ F1 ∧ t = 0 ∨ (x f (t) ∈

(11.8)

of S1 with output run such that for some t ≥ 0 

and a state run

of S1 with output run

x s (0) x s (1) . . .

(11.9)

y s (0) y s (1) . . .

(11.10)

/ Bρ1 (F1 ), ∀t ∈ [0; t + Δ], x s (t) ∈

(11.11)

y f (t) = y s (t), ∀t ∈ [0; t].

(11.12)

such that

and Since S1 ε S2 , by (11.8) there exist a state run ξ f (0) ξ f (1) . . .

(11.13)

of S2 and some t ∈ [0; t] such that  f

 ξ (t ) ∈ R(F1 ) ∧   (t = 0) ∨ (ξ f (t) ∈ / R(F1 ), ∀t ∈ [0; t − 1])

(11.14)

with output run υ f (0) υ f (1) . . . coinciding with the corresponding output run (11.7) of S1 , i.e. (11.15) υ f (t) = y f (t), ∀t ∈ [0; t]. Since by definition of R (see condition (ii) of Definition 11.4) R(F1 ) ⊂ (Bε (F1 ) ∩ X 2 ) and, since Bε (F1 ) ∩ X 2 = F2 by definition of F2 , condition (11.14) implies that for some t

∈ [0; t ]     f

/ F2 , ∀t ∈ [0; t

− 1]) . ξ (t ) ∈ F2 ∧ (t = 0) ∨ (ξ f (t) ∈ Since S1 ε S2 , by (11.11) there exists a state run

(11.16)

226

11 Diagnosability and Predictability for H-Systems

$$\xi^s(0)\,\xi^s(1)\,\ldots \tag{11.17}$$
of $S_2$ with output run
$$\upsilon^s(0)\,\upsilon^s(1)\,\ldots \tag{11.18}$$
coinciding with the corresponding output run (11.10) of $S_1$, i.e.
$$\upsilon^s(t) = y^s(t),\quad \forall t \in [0;t], \tag{11.19}$$
and such that $\xi^s(t) \notin R(B_{\rho_1}(F_1))$, $\forall t \in [0;t+\Delta]$, implying
$$\xi^s(t) \notin B_{\rho_1-\varepsilon}(F_1),\quad \forall t \in [0;t+\Delta]. \tag{11.20}$$
Since by assumption $\rho_1 - 2\varepsilon \ge \rho_2$, we have $B_{\rho_1-\varepsilon}(F_1) = B_{\rho_1-2\varepsilon}(B_\varepsilon(F_1)) \supset B_{\rho_2}(B_\varepsilon(F_1))$ and hence condition (11.20) implies $\xi^s(t) \notin B_{\rho_2}(B_\varepsilon(F_1))$, $\forall t \in [0;t+\Delta]$, from which
$$\xi^s(t) \notin B_{\rho_2}(B_\varepsilon(F_1) \cap X_2) = B_{\rho_2}(F_2),\quad \forall t \in [0;t+\Delta]. \tag{11.21}$$
Conditions (11.12), (11.15) and (11.19) imply
$$\upsilon^f(t) = \upsilon^s(t),\quad \forall t \in [0;t'']. \tag{11.22}$$
Hence, for any $\Delta \in \mathbb{N}$ there exists a pair of state runs (11.13) and (11.17) of $S_2$ such that conditions (11.16), (11.21) and (11.22) hold, i.e. the output runs corresponding to the state runs (11.13) and (11.17) coincide, $\xi^f$ terminates in $F_2$ and $\xi^s$ stays in the complement of $B_{\rho_2}(F_2)$. We then conclude that $S_2$ is not $(\rho_2, F_2)$-diagnosable, a contradiction.

Predictability. By contradiction, suppose that $S_2$ is $(\rho_2, F_2)$-predictable but $S_1$ is not $(\rho_1, F_1)$-predictable, for some $\rho_1 \ge \rho_2 + 2\varepsilon$. Then, for any $\Delta \in \mathbb{N}$ there exists a state run of $S_1$ as in (11.6), with output run as in (11.7), such that for some $t^f > 0$
$$\big(x^f(t^f) \in F_1\big) \wedge \big(x^f(t) \notin F_1,\ \forall t \in [0;t^f-1]\big), \tag{11.23}$$
and a state run (11.9) of $S_1$ with output run (11.10) such that
$$y^f(t) = y^s(t),\quad \forall t \in [0;t^f], \tag{11.24}$$
and
$$\big(x^s(t) \notin B_{\rho_1}(F_1),\ \forall t \in [0;t^f+\Delta]\big) \vee \big(x^s(t) \in F_1,\ t \in [0;t^f-1]\big). \tag{11.25}$$

11.3 Symbolic Systems Approach

227

Since $S_1$ is $\varepsilon$-simulated by $S_2$, by (11.23) there exists a state run (11.17) of $S_2$ with output run (11.18) that coincides with the corresponding output run (11.7) of $S_1$, i.e.
$$\upsilon^f(t) = y^f(t),\quad \forall t \in [0;t^f], \tag{11.26}$$
and some $T \in [0;t^f]$ such that
$$\big(\xi^f(T) \in R(F_1)\big) \wedge \big((t^f=0) \vee (\xi^f(t) \notin R(F_1),\ \forall t \in [0;T-1])\big). \tag{11.27}$$
Since by definition of $R$ (see condition (ii) of Definition 11.4) $R(F_1) \subset B_\varepsilon(F_1) \cap X_2$ and, since $B_\varepsilon(F_1) \cap X_2 = F_2$ by definition of $F_2$, condition (11.27) implies that for some $T' \in [0;T]$
$$\big(\xi^f(T') \in F_2\big) \wedge \big((T'=0) \vee (\xi^f(t) \notin F_2,\ \forall t \in [0;T'-1])\big). \tag{11.28}$$
Since $S_1$ is $\varepsilon$-simulated by $S_2$, by (11.25) there exists a state run (11.17) of $S_2$ with output run (11.18) coinciding with the corresponding output run (11.19) of $S_1$, i.e.
$$\upsilon^s(t) = y^s(t),\quad \forall t \in [0;t^f], \tag{11.29}$$
and such that
$$\big(\xi^s(t) \notin R(B_{\rho_1}(F_1)),\ \forall t \in [0;t^f+\Delta]\big) \vee \big(\exists T'' \in [0,t^f) : \xi^s(T'') \in R(F_1)\big), \tag{11.30}$$
implying
$$\big(\xi^s(t) \notin B_{\rho_1-\varepsilon}(F_1),\ \forall t \in [t_0;t^f+\Delta]\big) \vee \big(\exists t^* \in [0,T'') : \xi^s(t^*) \in F_2\big). \tag{11.31}$$
Since by assumption $\rho_1 - 2\varepsilon \ge \rho_2$, we have $B_{\rho_1-\varepsilon}(F_1) = B_{\rho_1-2\varepsilon}(B_\varepsilon(F_1)) \supset B_{\rho_2}(B_\varepsilon(F_1))$ and hence condition (11.31) implies
$$\big(\xi^s(t) \notin B_{\rho_2}(B_\varepsilon(F_1)),\ \forall t \in [0;t^f+\Delta]\big) \vee \big(\exists t^* \in [t_0,T'') : \xi^s(t^*) \in F_2\big), \tag{11.32}$$
from which
$$\big(\xi^s(t) \notin B_{\rho_2}(B_\varepsilon(F_1) \cap X_2) = B_{\rho_2}(F_2),\ \forall t \in [0;t^f+\Delta]\big) \vee \big(\exists t^* \in [0;T''-1] : \xi^s(t^*) \in F_2\big). \tag{11.33}$$
Conditions (11.24), (11.26) and (11.29) imply
$$\upsilon^f(t) = \upsilon^s(t),\quad \forall t \in [t_0;T]. \tag{11.34}$$
Hence, for any $\Delta \in \mathbb{N}$ there exists a pair of state runs (11.13) and (11.17) of $S_2$ such that conditions (11.28), (11.33) and (11.34) hold, i.e. the output runs corresponding to the state runs (11.13) and (11.17) coincide, and $\xi^f$ terminates in $F_2$ at a certain time instant, whereas $\xi^s$ either stays in the complement of $B_{\rho_2}(F_2)$ or has already reached $F_2$ at an earlier time instant than $\xi^f$. We then conclude that $S_2$ is not $(\rho_2, F_2)$-predictable, a contradiction. $\square$

The result above allows checking approximate diagnosability and predictability of a pseudo-metric system $S_1$ on the basis of approximate diagnosability and predictability, respectively, of a pseudo-metric system $S_2$ by which $S_1$ is $\varepsilon$-simulated. When $S_1$ and $S_2$ are symbolic and $S_2$ has fewer states than $S_1$, Theorem 11.1 can be used to reduce the computational complexity of checking approximate diagnosability and predictability of $S_1$ by working on $S_2$. In particular, provided that one is able to construct a symbolic pseudo-metric system approximating a continuous or hybrid control system $\Sigma$ in the sense of approximate simulation, Theorem 11.1 allows leveraging the results reported in Sect. 11.3.7 to check approximate diagnosability and predictability of $\Sigma$.

11.3.5 Approximate Diagnosability of Nonlinear Systems

Consider the discrete-time nonlinear system described by²:
$$\Sigma : \begin{cases} x(t+1) = f(x(t), u(t)), \\ y(t) = [z(t)]_\eta, \ \text{with } z(t) = \begin{bmatrix} I_p & 0 \end{bmatrix} x(t), \\ x(0) \in X_0,\ x(t) \in X,\ u(t) \in U,\ y(t) \in Y,\ t \in \mathbb{N}, \end{cases} \tag{11.35}$$
where $x(t)$, $u(t)$ and $y(t)$ denote, respectively, the state, the input and the (quantized) output at time $t \in \mathbb{N}$; $X = \mathbb{R}^n$ is the state space; $X_0 \subset \mathbb{R}^n$ is the set of initial states; $U \subset \mathbb{R}^m$ is the input set; $Y = [\mathbb{R}^p]_\eta = \eta\mathbb{Z}^p$ is the output space with $p < n$; $f : \mathbb{R}^n \times \mathbb{R}^m \to \mathbb{R}^n$ is the vector field; $I_p$ is the identity matrix in $\mathbb{R}^p$; $\eta \in \mathbb{R}^+$ is the accuracy of the quantizer. We assume that $X_0$ is compact, $U$ is compact and contains the origin, $f$ is continuous in its arguments and satisfies $f(0,0) = 0$. In this section, $\mathcal{U}$ denotes the collection of input functions from $\mathbb{N}$ to $U$. In (11.35), we are assuming that the output variables of $\Sigma$ are the quantization of a selection of state variables, as happens in many concrete applications. The general case of nonlinear output functions can be considered at the expense of a heavier notation, as done in [23]. Moreover, we make the following

Assumption 11.2 Given the nonlinear system $\Sigma$, there exists a locally Lipschitz function $V : \mathbb{R}^n \times \mathbb{R}^n \to \mathbb{R}^+_0$ which satisfies the following inequalities for some $\mathcal{K}_\infty$-functions $\underline{\alpha}$, $\overline{\alpha}$, $\lambda$ and $\mathcal{K}$-function $\sigma$:
(i) $\underline{\alpha}(\|x - x'\|) \le V(x, x') \le \overline{\alpha}(\|x - x'\|)$, for any $x, x' \in \mathbb{R}^n$;
(ii) $V(f(x,u), f(x',u')) - V(x, x') \le -\lambda(V(x, x')) + \sigma(\|u - u'\|)$, for any $x, x' \in \mathbb{R}^n$ and any $u, u' \in U$.

The function $V$ is called an incremental input-to-state stable ($\delta$-ISS) Lyapunov function [1, 2] for $\Sigma$. Assumption 11.2 has been shown in [2] to be a sufficient condition for $\Sigma$ to fulfill the so-called $\delta$-ISS property [1, 2]. We now use the results established in the previous section to derive sufficient conditions for checking approximate diagnosability of the nonlinear system $\Sigma$. To this purpose, we start by providing an equivalent representation of $\Sigma$ in terms of a pseudo-metric system.

Definition 11.7 Given $\Sigma$, define the system $S(\Sigma) = (X, X_0, U, E, Y, H)$, where
– $(x, u, x^+) \in E$ if and only if $x^+ = f(x, u)$;
– $H(x) = [z]_\eta$ where $z = \begin{bmatrix} I_p & 0 \end{bmatrix} x$, for all $x \in X$.

² In this section we abuse notation by using for $\Sigma$ the same symbols $x$, $u$, $U$ and $y$ used for pseudo-metric systems to denote states, inputs, input set and outputs.

We equip $X = \mathbb{R}^n$ with the metric
$$d(x, x') = \|x - x'\|_\infty,\quad x, x' \in \mathbb{R}^n, \tag{11.36}$$
so that $S(\Sigma)$ is metric, and hence pseudo-metric. Since $\Sigma$ and $S(\Sigma)$ are different mathematical representations of the same entity, $\Sigma$ is $(\rho, F)$-diagnosable if and only if $S(\Sigma)$ is $(\rho, F)$-diagnosable as in Definition 11.5. In order to check approximate diagnosability of $S(\Sigma)$, we now construct a symbolic approximation of $S(\Sigma)$. We start by giving the following

Definition 11.8 ([24]) Given $\Sigma$, a state and output quantization parameter $\eta \in \mathbb{R}^+$ and an input quantization parameter $\mu \in \mathbb{R}^+$, define the system $S_\eta(\Sigma) = (X_{\eta,\mu}, X_{\eta,0}, U_\mu, E_{\eta,\mu}, Y_\eta, H_\eta)$ where
– $X_\eta = [\mathbb{R}^n]_\eta$;
– $X_{\eta,0} = [X_0]_\eta \subset X_\eta$;
– $U_\mu = [U]_\mu$;
– $E_{\eta,\mu} \subset X_\eta \times U_\mu \times X_\eta$ and $(\xi, v, \xi^+) \in E_{\eta,\mu}$ if $\xi^+ = [f(\xi, v)]_\eta$;
– $Y_\eta = Y$;
– $H_\eta(\xi) = \begin{bmatrix} I_p & 0 \end{bmatrix} \xi$, for all $\xi \in X_\eta$.

The basic idea in the construction above is to replace each state $x$ of $\Sigma$ by its quantized value $\xi = [x]_\eta$ and each input $u \in U$ by its quantized value $v = [u]_\mu$ in $S_{\eta,\mu}(\Sigma)$. Accordingly, the evolution of $\Sigma$ with initial state $x$ and input $v$ to state


Fig. 11.5 State evolution of a quantized system (Reprinted from Journal of Process Control, Vol. 81, M. Fakhroleslam, G. Pola, E. De Santis, M. D. Di Benedetto, Time-optimal symbolic control of a changeover process based on an approximately bisimilar symbolic model, pp. 126–135, Copyright (2019), with permission from Elsevier)

$x^+ = f(\xi, v)$ is captured by the transition $\xi \xrightarrow{\;v\;}_{\eta} \xi^+$ in $S_{\eta,\mu}(\Sigma)$, where $\xi$ and $\xi^+$ are the quantized values of $x$ and $x^+$, respectively, i.e. $\xi = [x]_\eta$ and $\xi^+ = [x^+]_\eta$. Figure 11.5 offers a graphical representation. The parameter $\eta$ describes the state space quantization. The quantization of the input space, parameterized by $\mu$, is not represented. Starting from any state $\xi$ in the left-hand coloured square cell at time $t$, the states in the right-hand coloured square cell are reached at time $t+1$, depending on the quantized input values. All the states in each square cell are represented by their quantized value, i.e. the dots $\xi_1$ or $\xi_2$ inside the cell. System $S_{\eta,\mu}(\Sigma)$ is metric; in the sequel we use the same metric $d$ in (11.36) as for $S(\Sigma)$, and this choice is allowed because $X_\eta \subset X$. The following result follows from Theorem 11.1:

Corollary 11.1 Suppose that Assumption 11.2 holds and let $L$ be a Lipschitz constant of function $V$ in $\mathbb{R}^n \times \mathbb{R}^n$. Given a set $F \subset \mathbb{R}^n$ of faulty states for $\Sigma$ and a desired accuracy $\varepsilon \in \mathbb{R}^+$, consider the sets $F_\varepsilon = B_\varepsilon(F) \cap [\mathbb{R}^n]_\eta$ and $\underline{F}_\varepsilon = \{x \in F : B_\varepsilon(x) \subset F\} \cap [\mathbb{R}^n]_\eta$. Consider a pair of quantization parameters $\eta, \mu \in \mathbb{R}^+$ satisfying the following inequalities
$$L\eta + \sigma(\mu) \le (\lambda \circ \underline{\alpha})(\varepsilon),\qquad \overline{\alpha}(\eta) \le \underline{\alpha}(\varepsilon). \tag{11.37}$$
The following statements hold:
(i) If $S_{\eta,\mu}(\Sigma)$ is $(k\eta, F_\varepsilon)$-diagnosable, for some $k \in \mathbb{N}$, then $\Sigma$ is $(\rho, F)$-diagnosable, for any $\rho > 2\varepsilon + k\eta$.
(ii) Suppose that the set $F$ is with interior and the parameter $\varepsilon \in \mathbb{R}^+$ is such that $\underline{F}_\varepsilon \neq \emptyset$.³ If $\Sigma$ is $(\rho, F)$-diagnosable, for some $\rho \in \mathbb{R}^+_0$, then $S_{\eta,\mu}(\Sigma)$ is $(k'\eta, \underline{F}_\varepsilon)$-diagnosable, for any integer $k' > \min\{h \in \mathbb{N} : (\rho + 2\varepsilon) \le h\eta\}$.

Proof By Proposition 1 of [24], systems $S(\Sigma)$ and $S_{\eta,\mu}(\Sigma)$ are $\varepsilon$-bisimilar and hence $S(\Sigma)$ is $\varepsilon$-simulated by $S_{\eta,\mu}(\Sigma)$. Therefore, the result follows as a direct application of Theorem 11.1. $\square$

If the state space is bounded, the following holds:

Proposition 11.5 Suppose that $X$ is a bounded subset of $\mathbb{R}^n$. Under Assumption 11.2, systems $S(\Sigma)$ and $S_{\eta,\mu}(\Sigma)$ are $\varepsilon$-bisimilar, and system $S_{\eta,\mu}(\Sigma)$ is symbolic.

Proof See the proof of Proposition 2 in [7]. $\square$

The result above allows checking approximate diagnosability of Σ through the pseudo-metric system Sη,μ (Σ). Since Sη,μ (Σ) is symbolic (see Proposition 11.5), the algorithms illustrated in Sect. 11.3.7 can be applied. In particular, while statement (i) of Corollary 11.1 is useful to check if Σ is (ρ, F)-diagnosable, statement (ii) can be used in its logical negation form as a tool to check if Σ is not (ρ, F)-diagnosable. Since no assumptions are placed on the set of faulty states F, the proposed results are applicable to different domains of interest.

11.3.6 Approximate Predictability of Piecewise-Affine Systems

In Sect. 2.3, Piecewise-Affine (PWA) Systems were cast in the $H$-systems formalism. In the continuous time domain, to avoid blocking phenomena, we introduced overlapping polyhedra as state constraints associated with each discrete state. In this section, in order to illustrate our method, we consider discrete-time PWA systems with quantized output and bounded state space. Hence an ad hoc formalism can be adopted and a PWA system is now described by the tuple:
$$\Sigma = (X, U, Y, \{\Sigma_1, \Sigma_2, \ldots, \Sigma_N\}) \tag{11.38}$$
where
– $X \subset \mathbb{R}^n$ is the state space and $X$ is a polytope with interior,
– $U \subset \mathbb{R}^m$ is the set of control inputs. We suppose that the set $U$ is a polytope,
– $Y = [\mathbb{R}^p]_\eta = \eta\mathbb{Z}^p$ is the output space, where $\eta \in \mathbb{R}^+$ is the quantization parameter for the output variable,
– $\Sigma_i$, $i = 1, \ldots, N$, is an affine control system defined by:
$$\begin{cases} x_i(t+1) = A_i x_i(t) + B_i u_i(t) + f_i,\quad x_i(t) \in X_i,\ u_i(t) \in U, \\ y_i(t) = \big[\begin{bmatrix} I_p & 0 \end{bmatrix} x_i(t)\big]_\eta,\quad y_i(t) \in Y, \end{cases} \tag{11.39}$$
where $f_i \in \mathbb{R}^n$, $i = 1, \ldots, N$, is a constant vector, the sets $X_i \subset \mathbb{R}^n$ are polytopes with interior, and their collection is a partition of $X$.

We denote by $x(t, x_0, u)$ the state reached by $\Sigma$ at time $t \in \mathbb{N}$ starting from an initial state $x_0 \in \mathbb{R}^n$ with control input $u : \mathbb{N} \to U$. The output function of $\Sigma$ is given as the quantization with accuracy $\eta$ of the first $p$ components of the state variable. As already noted for the discrete-time nonlinear system (11.35), the quantization of the output variable allows considering sensor measurements with accuracy $\eta$. The general case of nonlinear output functions can be considered at the expense of a heavier notation, as done in [23]. Denote by $\mathcal{P}(X)$ the set of polytopic subsets of $X$, where $X \in \mathcal{P}(X)$ and, for any $x \in X$, $\{x\} \in \mathcal{P}(X)$. Let $\mathcal{S}(\mathcal{P}(X), d_h)$ be the set of pseudo-metric systems with pseudo-metric space $(\mathcal{P}(X), d_h)$, where we recall that $d_h$ is the Hausdorff pseudo-metric induced by the infinity norm $\|\cdot\|_\infty$ on $\mathcal{P}(X)$. The notion of approximate simulation relation induces a pseudo-metric on $\mathcal{S}(\mathcal{P}(X), d_h)$:

Definition 11.9 Consider two systems $S_1, S_2 \in \mathcal{S}(\mathcal{P}(X), d_h)$. The simulation pseudo-metric $d^s$ from $S_1$ to $S_2$ is defined by:
$$d^s(S_1, S_2) = \inf\{\varepsilon \in \mathbb{R}^+_0 : S_1 \text{ is } \varepsilon\text{-simulated by } S_2\}. \tag{11.40}$$

The pair $(\mathcal{S}(\mathcal{P}(X), d_h), d^s)$ is a quasi-pseudo-metric space, as proved in [14], where quasi-pseudo-metric spaces are termed directed pseudo-metric spaces. The notion of system as in Definition 11.3 is general enough to describe the evolution of the PWA system (11.38), as formally stated in the following:

Definition 11.10 Given the PWA system $\Sigma$, define the system $S(\Sigma) \in \mathcal{S}(\mathcal{P}(X), d_h)$:
$$S(\Sigma) = (\mathbf{X}, \mathbf{X}_0, \mathbf{U}, \mathbf{E}, \mathbf{Y}, \mathbf{H}) \tag{11.41}$$
where:
– $\mathbf{X} = \mathbf{X}_0 = X$, equipped with $d_h$,
– $\mathbf{E} \subset \mathbf{X} \times \mathbf{U} \times \mathbf{X}$: $x \xrightarrow{\;u\;} x'$ if $x \in X_i$ and $x' = A_i x + B_i u + f_i$,
– $\mathbf{H}(x) = [z]_\eta$, with $z = \begin{bmatrix} I_p & 0 \end{bmatrix} x$, for all $x \in \mathbf{X}$.

System $S(\Sigma)$ preserves important properties of $\Sigma$, such as reachability and determinism. Also, since $d_h(\{x\}, \{y\}) = \|x - y\|$, metric properties of $\Sigma$ are naturally

³ Since $F$ is with interior there always exists $\varepsilon \in \mathbb{R}^+$ satisfying $\underline{F}_\varepsilon \neq \emptyset$.


transferred to $S(\Sigma)$ and vice versa. System $S(\Sigma)$ correctly describes $\Sigma$ within the bounded set $X$, but it is not symbolic since $X$ and $U$ are not finite sets. For this reason, in the sequel we introduce a sequence of symbolic models $A_M(\Sigma)$ that approximate the PWA system $\Sigma$. To this purpose, we need to introduce three operators.

Definition 11.11 Given the PWA system $\Sigma$, the bisimulation operator is the map
$$\mathrm{Bisim} : 2^X \to 2^X \tag{11.42}$$
that associates to any finite collection of sets $Z_1, Z_2, \ldots, Z_L \subset X$ the collection $\mathrm{Bisim}(\{Z_1, Z_2, \ldots, Z_L\})$ of sets
$$\{x \in Z_j : \exists u \in U \text{ s.t. } A_i x + B_i u + f_i \in Z_{j'},\ x \in X_i\}$$
with $i \in [1;N]$ and $j, j' \in [1;L]$.

To introduce the second operator, we recall that the diameter $\mathrm{Diam}(\Omega)$ of a set $\Omega \subset \mathbb{R}^n$ is defined by
$$\mathrm{Diam}(\Omega) = \sup_{x, y \in \Omega} \|x - y\|. \tag{11.43}$$

Definition 11.12 Consider a finite collection of polytopes $\mathcal{P} = \{P_1, P_2, \ldots, P_N\} \subset \mathcal{P}(X)$. A splitting policy with contraction rate $\lambda \in (0,1)$ for $\mathcal{P}$ is a map
$$\Phi_\lambda : \mathcal{P} \to 2^{\mathcal{P}(X)} \tag{11.44}$$
enjoying the following properties: (i) the cardinality of $\Phi_\lambda(P_i)$ is finite; (ii) $\Phi_\lambda(P_i)$ is a partition of $P_i$; (iii) $\mathrm{Diam}(P_i^j) \le \lambda\,\mathrm{Diam}(P_i)$ for all $P_i^j \in \Phi_\lambda(P_i)$.

To introduce the third operator, let $\mathrm{Split}_\lambda$ denote a splitting policy with contraction rate $\lambda$; we abuse notation by writing $\mathrm{Split}_\lambda(\{P_1, P_2, \ldots, P_N\})$ instead of $\bigcup_{i \in [1;N]} \mathrm{Split}_\lambda(P_i)$. Given $k = (k_1\ k_2\ \ldots\ k_p) \in \mathbb{Z}^p$, let
$$\mathrm{Strip}(k) = \prod_{i \in [1;p]} [-k_i\eta/2,\ k_i\eta/2) \times \mathbb{R}^{n-p} \subset \mathbb{R}^n \tag{11.45}$$
where
$$\bigcup_{k \in \mathbb{Z}^p} \mathrm{Strip}(k) = \mathbb{R}^n.$$
Consider a finite collection of polytopes $\mathcal{P} = \{P_1, P_2, \ldots, P_N\} \subset \mathcal{P}(X)$. The output splitting policy $\mathrm{Split}Y_\eta(\mathcal{P})$ with quantization parameter $\eta$ is defined by:

$$\mathrm{Split}Y_\eta(\mathcal{P}) = \{\mathrm{Strip}(k) \cap P_i,\ k \in \mathbb{Z}^p,\ i \in [1;N]\}. \tag{11.46}$$

We now introduce a sequence of abstractions $A_M(\Sigma)$ approximating the PWA system $\Sigma$. Consider the following recursive equations:
$$\begin{cases} \mathcal{X}_0 = \{X_1, X_2, \ldots, X_N\}, \\ \mathcal{X}_{M+1} = \mathrm{Split}Y_\eta(\mathrm{Split}_\lambda(\mathrm{Bisim}(\mathcal{X}_M))),\quad M \in \mathbb{N}. \end{cases} \tag{11.47}$$
At each order $M \ge 1$, the set $\mathcal{X}_M$ naturally induces a system that is formalized as follows.

Definition 11.13 Given the set $\mathcal{X}_M$, define the system $A_M(\Sigma) \in \mathcal{S}(\mathcal{P}(X), d_h)$
$$A_M(\Sigma) = (\mathbf{X}_M, \mathbf{U}_M, \mathbf{E}_M, Y, \mathbf{H}_M) \tag{11.48}$$
where:
– $\mathbf{X}_M = \mathcal{X}_M \cup \{X \setminus \bigcup_{W \in \mathcal{X}_M} W\}$; a state in $\mathbf{X}_M$ is denoted by $X_M^j$. By definition of the operator $\mathrm{Split}Y_\eta$ in (11.46), there exists $k \in \mathbb{Z}^p$ such that
$$X_M^j \subset \mathrm{Strip}(k), \tag{11.49}$$
– $\mathbf{U}_M \subset 2^U$,
– $\mathbf{E}_M \subset \mathbf{X}_M \times \mathbf{U}_M \times \mathbf{X}_M$ and, for $X_M^j \subset X_i$, $(X_M^j, V, X_M^{j'}) \in \mathbf{E}_M$ if $V \neq \emptyset$, where $V$ is the set of all $u \in U$ such that $A_i x + B_i u + f_i \in X_M^{j'}$ for some $x \in X_M^j$,
– $\mathbf{H}_M(X_M^j) = [z]_\eta$, with $z = \begin{bmatrix} I_p & 0 \end{bmatrix} x$, $x \in X_M^j$. Notice that by (11.49), $[z]_\eta$ is the same for all $x \in X_M^j$.

By construction, system $A_M(\Sigma)$ is symbolic. Symbolic system $A_{M+1}(\Sigma)$ can be viewed as a refinement of $A_M(\Sigma)$. We now proceed a step further by providing our approximation scheme and a quantification of its accuracy. By construction of $\mathcal{X}_M$,
$$\max_{X_{M+1}^j \in \mathcal{X}_{M+1}} \mathrm{Diam}(X_{M+1}^j) < \max_{X_M^j \in \mathcal{X}_M} \mathrm{Diam}(X_M^j),$$
hence, by defining
$$\mathrm{Gran}(A_M(\Sigma)) = \max_{X_M^j \in \mathcal{X}_M} \mathrm{Diam}(X_M^j), \tag{11.50}$$
we obtain that $\mathrm{Gran}(A_M(\Sigma))$ strictly decreases with $M$. The function $\mathrm{Gran}$ provides a measure of the "granularity" of the symbolic system $A_M(\Sigma)$ (i.e. how fine the covering of the set $X$ is). The following result provides an upper bound for the distance between the PWA system $\Sigma$ and the abstraction $A_M(\Sigma)$.

Theorem 11.2 $d^s(S(\Sigma), A_M(\Sigma)) \le \mathrm{Gran}(A_M(\Sigma))$.


Convergence of the sequence $\{A_M(\Sigma)\}_{M \in \mathbb{N}}$ to the system representation $S(\Sigma)$ of the PWA system $\Sigma$ is stated in the following:

Theorem 11.3 $S(\Sigma) = \lim_{\rightarrow} A_M(\Sigma)$.

Theorems 11.2 and 11.3 are straightforward generalizations of Theorem 2, Lemma 1 and Theorem 3 in [20], respectively, to PWA systems with outputs, and their proofs are therefore omitted. A direct application of Theorems 11.1 and 11.2 gives the following:

Corollary 11.2 Consider a set $F_1 \subset \mathbb{R}^n$ of faulty states for $\Sigma$. If there exists $M \in \mathbb{N}$ such that $A_M(\Sigma)$ is $(\rho_2, F_2)$-predictable with $F_2 = B_\varepsilon(F_1) \cap \mathbf{X}_M$, with $\varepsilon = \mathrm{Gran}(A_M(\Sigma))$ and for some $\rho_2 \in \mathbb{R}^+_0$, then $\Sigma$ is $(\rho_1, F_1)$-predictable, for all $\rho_1 \ge \rho_2 + 2\varepsilon$.

Remark 11.3 It is well known that predictability is in general an undecidable problem for systems with an infinite number of states. However, it was shown in [32] that this property is decidable for unbounded (infinite) Petri nets. The corollary above shows that PWA systems are another class of systems with an infinite number of states for which predictability is decidable, though in an approximate sense.

11.3.7 Checking Approximate Diagnosability and Predictability for FSMs

In Chap. 4 we characterized exact diagnosability and predictability for FSMs. If the state space of an FSM is equipped with a pseudo-metric, the FSM can be viewed as a symbolic model. Hence it is possible to extend the algorithms proposed in Chap. 4 for an FSM to check approximate diagnosability (resp. predictability) of an FSM equipped with a metric. By using the same notation as in Chap. 4, consider an FSM
$$M = (Q, Q_0, Y, h, E) \tag{11.51}$$
with the state space $Q$ equipped with a metric $d$, obtaining what will be called a metric FSM. Given a set $\Omega \subset Q$, the set $B_\rho(\Omega)$ is well defined. In addition to the sets $S^*$ and $\widetilde{S}^*$ defined in Chap. 4, consider now the set
$$\Lambda^*_\rho \tag{11.52}$$
which is the set of all pairs $(i, j)$ with $i \in \Omega$ and $j \in B_\rho(\Omega)$ (or vice versa $i \in B_\rho(\Omega)$ and $j \in \Omega$) for which there exist two indistinguishable infinite state runs starting from $i$ and $j$, respectively, such that the latter is contained in $B_\rho(\Omega)$ (or vice versa the former is contained in $B_\rho(\Omega)$). Obviously, for $\rho = 0$, $\Lambda^*_\rho = \Lambda^*$.


If the output is always different from , the metric FSM $M$ in Eq. (11.51) is a pseudo-metric system and Definitions 11.5 and 11.6 can be applied to $M$. Under this hypothesis, the next two theorems characterize $(\rho, \Omega)$-diagnosability and $(\rho, \Omega)$-predictability for $M$.

Theorem 11.4 The metric FSM $M$ is $(\rho, \Omega)$-diagnosable if and only if $\widetilde{S}^* \cap \Lambda^*_\rho = \emptyset$.

Proof Straightforward from Theorem 4.4. $\square$

Theorem 11.5 Given $\rho \ge 0$, the metric FSM $M$ is $(\rho, \Omega)$-predictable if and only if
$$S^*_{-1} \cap \big(F_1(\Omega) \times F(B_\rho(\Omega))\big) = \emptyset. \tag{11.53}$$

Proof Straightforward from Theorem 4.5. $\square$

11.3.8 Illustrative Examples

Example 11.1 (Approximate diagnosability) Consider the nonlinear system:
$$\Sigma : \begin{cases} x_1(t+1) = \gamma(\cos(x_1(t)) - 1) + \delta(\mathrm{sech}(x_2(t)) - 1) + u, \\ x_2(t+1) = \alpha \sin(x_2(t)) + \beta \tanh(x_1(t)), \\ y(t) = [x_1(t)]_\eta, \\ x(0) \in X_0, \\ x(t) \in [-10, 10] \times [-10, 10], \\ u(t) \in U = [-2.5, 2.5],\quad t \in \mathbb{N}, \end{cases}$$
where $\alpha = 0.22$, $\beta = 0.25$, $\gamma = 0.15$ and $\delta = 0.18$, and where the set $X_0$ is specified later on. It is possible to show that the function $V(x, x') = \|x - x'\|$, $x, x' \in \mathbb{R}^2$, satisfies Assumption 11.2 with $\underline{\alpha}(s) = \overline{\alpha}(s) = \sigma(s) = s$, $\lambda(s) = 0.1 s$, $s \in \mathbb{R}^+_0$, and $L = 2$ is a Lipschitz constant for $V$. For $\varepsilon = 1$ we pick $\mu = 0.01$ and $\eta = 0.045$, satisfying the inequalities in (11.37). We consider two scenarios:
– For $X_0 = [-1.25, 1.25] \times [6.75, 8.55]$, a symbolic system $S_{\eta,\mu}(\Sigma)$ with 1,145 (accessible) states and 64,782 transitions is obtained. Consider the faulty set $F = [-2.8, 2.6] \times [-0.1, 0.1]$. By using the algorithms in Sect. 11.3.7, we derive that $S_{\eta,\mu}(\Sigma)$ is $(2\eta, F_\varepsilon)$-diagnosable. By applying Corollary 11.1, $\Sigma$ is then $(\rho, F)$-diagnosable for any $\rho > 2(\varepsilon + \eta) = 2.09$.
– For $X_0 = [6.75, 8.55] \times [-1.25, 1.25]$, a symbolic system $S_{\eta,\mu}(\Sigma)$ with 1,141 (accessible) states and 64,662 transitions is obtained. Consider $\underline{F}_\varepsilon = [-0.1, 0.1] \times [-0.1, 0.1]$. By using the algorithms in Sect. 11.3.7, we derive that $S_{\eta,\mu}(\Sigma)$ is not $(46\eta, \underline{F}_\varepsilon)$-diagnosable. By applying Corollary 11.1, $\Sigma$ is then not $(\rho, F)$-diagnosable for any $\rho < 0.07$.
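As an added example (not code from the book or its authors), the following Python builds the accessible part of $S_{\eta,\mu}(\Sigma)$ from Definition 11.8 for the system of Example 11.1, checks inequality (ii) of Assumption 11.2 on a sample grid for the stated $V$, $\underline{\alpha}$, $\overline{\alpha}$, $\sigma$, $\lambda$, and evaluates the inequalities (11.37). The quantizer convention (nearest grid point, ties rounded half to even) and the breadth-first exploration are assumptions, so the accessible-state counts may differ from the ones the book reports.

```python
"""Added example: symbolic abstraction S_{eta,mu}(Sigma) of Definition 11.8
for the nonlinear system of Example 11.1 (constructed here, not the book's code)."""
import math
from collections import deque

ALPHA, BETA, GAMMA, DELTA = 0.22, 0.25, 0.15, 0.18   # constants of Example 11.1
U_MIN, U_MAX = -2.5, 2.5                             # input set U = [-2.5, 2.5]
LAMBDA_RATE = 0.1                                    # lambda(s) = 0.1 s
L_LIPSCHITZ = 2.0                                    # Lipschitz constant L of V


def f(x, u):
    """Vector field of Example 11.1; satisfies f((0, 0), 0) == (0, 0)."""
    x1, x2 = x
    sech = 1.0 / math.cosh(x2)
    return (GAMMA * (math.cos(x1) - 1.0) + DELTA * (sech - 1.0) + u,
            ALPHA * math.sin(x2) + BETA * math.tanh(x1))


def inf_norm(a, b):
    """V(x, x') = ||x - x'||_inf, the delta-ISS Lyapunov function of the example."""
    return max(abs(p - q) for p, q in zip(a, b))


def quantize_index(v, step):
    """Grid index k with [v]_step = k * step (nearest point of step*Z; assumption)."""
    return int(round(v / step))


def grid_points(lo, hi, step):
    """Indices k with k*step in [lo, hi], i.e. the quantization [[lo, hi]]_step."""
    return range(math.ceil(lo / step - 1e-9), math.floor(hi / step + 1e-9) + 1)


def check_inequalities_11_37(eta, mu, eps):
    """Condition (11.37) with alpha_low(s) = alpha_up(s) = sigma(s) = s:
    L*eta + mu <= 0.1*eps  and  eta <= eps."""
    return (L_LIPSCHITZ * eta + mu <= LAMBDA_RATE * eps + 1e-12) and (eta <= eps)


def check_delta_iss(samples=9, box=10.0):
    """Sampled check of Assumption 11.2(ii) over the state box [-box, box]^2:
    V(f(x,u), f(x',u')) -  V(x,x') <= -lambda(V(x,x')) + sigma(|u - u'|)."""
    grid = [-box + 2.0 * box * i / (samples - 1) for i in range(samples)]
    inputs = [U_MIN, 0.0, U_MAX]
    for x1 in grid:
        for x2 in grid:
            for y1 in grid:
                for y2 in grid:
                    x, y = (x1, x2), (y1, y2)
                    v = inf_norm(x, y)
                    for u in inputs:
                        for w in inputs:
                            lhs = inf_norm(f(x, u), f(y, w)) - v
                            if lhs > -LAMBDA_RATE * v + abs(u - w) + 1e-12:
                                return False
    return True


def build_abstraction(x0_box, eta, mu):
    """Accessible part of S_{eta,mu}(Sigma). States are grid indices (k1, k2),
    standing for xi = (k1*eta, k2*eta); for every quantized input v in
    U_mu = [U]_mu the transition xi --v--> [f(xi, v)]_eta is added.
    Returns (states, edges) with edges a set of (xi, v, xi_plus) triples."""
    (a1, b1), (a2, b2) = x0_box
    inputs = [k * mu for k in grid_points(U_MIN, U_MAX, mu)]
    initial = {(k1, k2) for k1 in grid_points(a1, b1, eta)
               for k2 in grid_points(a2, b2, eta)}          # X_{eta,0} = [X_0]_eta
    states, edges, queue = set(initial), set(), deque(initial)
    while queue:
        xi = queue.popleft()
        x = (xi[0] * eta, xi[1] * eta)
        for v in inputs:
            nxt = f(x, v)
            xi_plus = (quantize_index(nxt[0], eta), quantize_index(nxt[1], eta))
            edges.add((xi, v, xi_plus))
            if xi_plus not in states:
                states.add(xi_plus)
                queue.append(xi_plus)
    return states, edges


if __name__ == "__main__":
    # Parameters of the first scenario of Example 11.1 (eps = 1, mu = 0.01, eta = 0.045).
    print("(11.37) holds:", check_inequalities_11_37(0.045, 0.01, 1.0))
    print("Assumption 11.2(ii) holds on the sample grid:", check_delta_iss())
    states, edges = build_abstraction(((-1.25, 1.25), (6.75, 8.55)), 0.045, 0.01)
    print("accessible states:", len(states), "transitions:", len(edges))
```

Running the script reproduces the structure of the first scenario (the printed counts depend on the quantizer convention, so they need not equal the 1,145 states and 64,782 transitions quoted above).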


Example 11.2 (Approximate predictability) Consider the PWA system $\Sigma$ as in (11.38), described by the following matrices:
$$A_1 = \begin{bmatrix} 0.5 & 0.0 \\ 0.0 & -0.5 \end{bmatrix},\quad B_1 = \begin{bmatrix} 0.0 & 0.0 \\ 0.0 & 0.0 \end{bmatrix},\quad f_1 = \begin{bmatrix} 3.0 \\ 0.7 \end{bmatrix},$$
$$A_2 = \begin{bmatrix} 0.3 & 0.1 \\ 0.0 & 0.2 \end{bmatrix},\quad B_2 = \begin{bmatrix} 0.1 & 0.0 \\ 0.0 & 0.2 \end{bmatrix},\quad f_2 = \begin{bmatrix} 0.0 \\ 0.4 \end{bmatrix},$$
$$A_3 = \begin{bmatrix} 0.8 & 0.0 \\ 0.2 & 0.2 \end{bmatrix},\quad B_3 = \begin{bmatrix} 0.1 & 0.0 \\ 0.0 & 0.2 \end{bmatrix},\quad f_3 = \begin{bmatrix} -2.5 \\ 0.0 \end{bmatrix},$$
$$A_4 = \begin{bmatrix} 0.2 & 0.0 \\ 0.0 & 0.2 \end{bmatrix},\quad B_4 = \begin{bmatrix} 0.5 & 0.0 \\ 0.0 & 0.5 \end{bmatrix},\quad f_4 = \begin{bmatrix} 1.7 \\ 1.0 \end{bmatrix}, \tag{11.54}$$
with output function $y_i(t) = \big[\begin{bmatrix} 1 & 0 \end{bmatrix} x_i(t)\big]_\eta \in Y = \eta\mathbb{Z}$, $\eta = 0.5$, $i = 1, 2, 3, 4$, and with
$$X_1 = [-3, -1) \times [0, 3),\quad X_2 = [-1, 1) \times [0, 3),\quad X_3 = [1, 3) \times [0, 3),\quad X_4 = [-3, 3) \times [-3, 0). \tag{11.55}$$
Therefore
$$X = \bigcup_{i \in [1;4]} X_i = [-3, 3) \times [-3, 3). \tag{11.56}$$
Finally, $U = [-0.25, 0.25] \times [-0.25, 0.25]$. Consider the set of faulty states described by
$$F_1 = \mathrm{conv}\left\{ \begin{bmatrix} 1.8 \\ 0.0 \end{bmatrix}, \begin{bmatrix} 1.0 \\ 0.7 \end{bmatrix}, \begin{bmatrix} 1.0 \\ -0.7 \end{bmatrix}, \begin{bmatrix} 1.5 \\ -0.5 \end{bmatrix}, \begin{bmatrix} 0.5 \\ 0.5 \end{bmatrix}, \begin{bmatrix} 1.5 \\ 0.5 \end{bmatrix} \right\}$$
and the set of initial states $X_0 = X_1$.


Fig. 11.6 Abstractions A M of the PWA system Σ for M = 1 (Reprinted from Nonlinear Analysis: Hybrid Systems, Vol. 36, E. De Santis, M. D. Di Benedetto, G. Fiore, G. Pola, Approximate predictability of pseudo-metric systems, Copyright (2020), with permission from Elsevier)

It is possible to construct abstractions $A_M(\Sigma)$ for $M = 1, 2, 3$, with contraction rate $\lambda = 0.95$. The abstractions obtained for $M = 1$ and $M = 2$ are illustrated in Figs. 11.6 and 11.7, respectively. The abstraction for $M = 3$ is not illustrated because of its large size. The initial states of $A_1(\Sigma)$ are the integers of the interval $[1;8]$ and the set of faulty states is $\{11, 13, 15, 17, 19, 21, 23, 34, 35, 36, 37, 38, 39\}$ (see Fig. 11.6). For simplicity, no details are given on $A_2(\Sigma)$ and $A_3(\Sigma)$, since the cardinality of their sets of initial states is 18 and 52, respectively, and the cardinality of their sets of faulty states is 32 and 88, respectively. Some additional data related to the abstractions are reported in the following table:

M   card(X_M)   card(E_M)   Gran(A_M)
1        40          70        3.00
2       124         455        1.50
3       499        2547        0.75

For $\rho_2 = 0.6$, we obtain that the abstractions $A_M(\Sigma)$ with $M = 1, 2, 3$ are $(\rho_2, F_2)$-predictable, with $\varepsilon = \mathrm{Gran}(A_M(\Sigma))$ and $F_2 = B_\varepsilon(F) \cap \mathbf{X}_M$. For example, it is possible to show that $A_1(\Sigma)$ is $(\rho_2, F_2)$-predictable with $\varepsilon = 3$, because any state run starting from the initial state, which is known by definition of $\Sigma$, will reach the faulty set after a finite number of steps. As a consequence, by Corollary 11.2, in view of the approximate predictability of the abstraction $A_M(\Sigma)$, we have that $\Sigma$ is $(\rho_1, F_1)$-predictable with $\rho_1$ depending on the order of abstraction $M$, i.e. $\rho_1 = \rho_2 + 2\varepsilon$ with $\varepsilon = \mathrm{Gran}(A_M)$.

Fig. 11.7 Abstractions A M of the PWA system Σ for M = 2 (Reprinted from Nonlinear Analysis: Hybrid Systems, Vol. 36, E. De Santis, M. D. Di Benedetto, G. Fiore, G. Pola, Approximate predictability of pseudo-metric systems, Copyright (2020), with permission from Elsevier)


Since $\varepsilon$ is a strictly decreasing function of the order $M$, Theorem 11.2 ensures that the parameter $\rho_1^* = \rho_2 + 2\varepsilon$ is also a strictly decreasing function of the order $M$. This means that prediction for $\Sigma$ becomes more and more accurate as $M$ increases. Obviously, because of the output quantization, we in general expect a bound on such accuracy.

11.4 Notes and Further Reading

In the hybrid domain, checking diagnosability and determining its decidability and computational complexity are difficult issues and several problems remain open [6]. Some efforts in this direction can be found in [3, 8–12, 16, 18]. The approach to diagnosis presented in Sect. 11.2 is based on the procedure illustrated in Chap. 8, which generates additional discrete signals on the basis of the distinguishability of continuous dynamics. The continuous dynamics distinguishability is characterized by the conditions in Chap. 7. A similar approach to diagnosis is proposed in [3, 10–12]. In [16, 18], the authors formulate the hybrid diagnosis problem as a model selection problem, to detect and isolate a component fault causing a deviation from the nominal system operation. In [9] an abstraction procedure is presented, which allows diagnosability verification of a hybrid automaton by means of an equivalent durational graph (a special subclass of timed automata [31]). In [8] a trajectory-based abstraction is proposed to take into account also the presence of measurement uncertainty. For a more extensive literature review, the interested reader is referred to the volume [29] and the references therein. In this chapter and the references cited above the diagnosability problem is faced by following a model-based approach. Other techniques have been proposed in the literature, based on machine learning algorithms (as described e.g. in [28]). The comparison between data-based and model-based approaches is out of the scope of this chapter. Predictability in a hybrid systems framework has received some attention in the literature (e.g. [4, 26, 33] and references therein). If the hybrid state is known at some current time, predicting that it will belong to some given set is equivalent to solving a reachability problem. In our setting, there is partial information on the state, and this is why a different problem arises.
In the first part of this chapter, we extended the notions of diagnosability and predictability given for FSMs in Definitions 4.7 and 4.11 to the class of $H$-systems. The characterization of those properties was explored following two different approaches. First, some sufficient conditions for an $L_H$-system to be diagnosable or predictable were derived. The basic ideas for achieving these conditions are from the paper [13], where the notion of Secure Diagnosability of a hybrid system was introduced. Secure diagnosability is more general than the notion in Definition 11.1 since it


addresses security issues in the presence of attacks, represented by compromised sensor measurements exchanged by means of a wireless communication network. Secondly, a more general framework was considered, developed on approximate notions. Section 11.3 is mainly based on the papers [5, 25], and also provides a slight extension from metric systems to pseudo-metric systems. The notions of system, as defined in [30], and of approximate simulation relation between systems (see [14, 23]) are exploited. In this second approach, the key idea is the possibility of approximating the behaviour of a given system by means of a symbolic system for which techniques and algorithms previously studied for FSMs can be leveraged because of the finiteness of its state space. Definition 11.3 follows the paradigm introduced in [30]. Definition 11.4 extends the classical definition of bisimulation equivalence of [17, 19] for concurrent processes to pseudo-metric systems, in the sense of Definition 11.3. When condition (ii) is removed, Definition 11.4 becomes an adaptation to systems of the definition given in [17, 19] for concurrent processes. Definition 11.4 slightly differs from the one given in [14], where it is assumed that the sets $Y_1 = Y_2$ are metric spaces with metric $d$, and conditions (ii) and (iii) are replaced by $d(H_1(x_1), H_2(x_2)) \le \varepsilon$, $\forall (x_1, x_2) \in R$. The part of Sect. 11.3.6 corresponding to the construction of approximate abstractions of PWA systems is a slight extension of the results reported in [20], from PWA systems without outputs to PWA systems with outputs. We recall that the literature on symbolic models approximating continuous or hybrid control systems is very broad, see e.g. [30] and the references therein.
Works that fit precisely the framework of this chapter and illustrate how to construct symbolic models are [22, 24] for incrementally stable nonlinear systems, [34] for possibly unstable nonlinear systems, [15] for incrementally stable switched systems and [20] for piecewise-affine systems.

References

1. Angeli D (2002) A Lyapunov approach to incremental stability properties. IEEE Trans Autom Control 47(3):410–421
2. Bayer B, Burger M, Allgower F (2013) Discrete-time incremental ISS: a framework for robust NMPS. In: European control conference, Zurich, Switzerland, pp 2068–2073
3. Bayoudh M, Travé-Massuyès L (2014) Diagnosability analysis of hybrid systems cast in a discrete-event framework. Discrete Event Dyn Syst 24(3):309–338
4. Daigle M, Roychoudhury I, Bregon A (2015) Model-based prognostics of hybrid systems. In: Annual conference of the PHM society, vol 7
5. De Santis E, Di Benedetto MD, Fiore G, Pola G (2020) Approximate predictability of pseudo-metric systems. Nonlinear Anal: Hybrid Syst 36
6. De Santis E, Di Benedetto MD (2016) Observability of hybrid dynamical systems. Found Trends Syst Control 3(4):363–540
7. De Santis E, Pola G, Di Benedetto MD (2017) On approximate diagnosability of nonlinear systems. Technical report. arXiv:1704.02138 [math.OC]
8. Deng Y, D'Innocenzo A, Di Benedetto MD, Di Gennaro S, Julius AA (2016) Verification of hybrid automata diagnosability with measurement uncertainty. IEEE Trans Autom Control 61(4):982–993


9. Di Benedetto MD, Di Gennaro S, D'Innocenzo A (2011) Verification of hybrid automata diagnosability by abstraction. IEEE Trans Autom Control 56(9):2050–2061
10. Diene O, Moreira MV, Alvarez VR, Silva EA (2015) Computational methods for diagnosability verification of hybrid systems. In: 2015 IEEE conference on control applications (CCA), pp 382–387
11. Diene O, Moreira MV, Silva EA, Alvarez VR, Nascimento CF (2019) Diagnosability of hybrid systems. IEEE Trans Control Syst Technol 27(1):386–393
12. Diene O, Silva ER, Moreira MV (2014) Analysis and verification of the diagnosability of hybrid systems. In: 53rd IEEE conference on decision and control, pp 1–6
13. Fiore G, De Santis E, Di Benedetto MD (2018) Secure diagnosability of hybrid dynamical systems. In: Diagnosability, security and safety of hybrid dynamic and cyber-physical systems. Springer International Publishing, Berlin, pp 175–200
14. Girard A, Pappas GJ (2007) Approximation metrics for discrete and continuous systems. IEEE Trans Autom Control 52(5):782–798
15. Girard A, Pola G, Tabuada P (2010) Approximately bisimilar symbolic models for incrementally stable switched systems. IEEE Trans Autom Control 55(1):116–126
16. McIlraith S, Biswas G, Clancy D, Gupta V (2000) Hybrid systems diagnosis. Springer, Berlin, pp 282–295
17. Milner R (1989) Communication and concurrency. Prentice Hall, Englewood Cliffs, New Jersey
18. Narasimhan S, Biswas G (2007) Model-based diagnosis of hybrid systems. IEEE Trans Syst Man Cybern - Part A: Syst Hum 37(3):348–361
19. Park DMR (1981) Concurrency and automata on infinite sequences. Lecture notes in computer science, vol 104, pp 167–183
20. Pola G, Di Benedetto MD (2014) Symbolic models and control of discrete-time piecewise affine systems: an approximate simulation approach. IEEE Trans Autom Control 59(1):175–180
21. Pola G, Di Benedetto MD (2019) Control of cyber-physical-systems with logic specifications: a formal methods approach. Ann Rev Control 89(47)
22. Pola G, Girard A, Tabuada P (2008) Approximately bisimilar symbolic models for nonlinear control systems. Automatica 44:2508–2516
23. Pola G, Di Benedetto MD (2017) Approximate supervisory control of nonlinear systems with outputs. In: 2017 56th conference on decision and control, pp 2991–2996
24. Pola G, Pepe P, Di Benedetto MD (2016) Symbolic models for networks of control systems. IEEE Trans Autom Control 61(11):3663–3668
25. Pola G, De Santis E, Di Benedetto MD (2018) Approximate diagnosis of metric systems. IEEE Control Syst Lett 2
26. Prakash O, Samantaray K, Bhattacharyy R (2018) Model-based multi-component adaptive prognosis for hybrid dynamical systems. Control Eng Pract 72:1–18
27. Reilly IL, Subrahmanyam PV, Vamanamurthy MK (1982) Cauchy sequences in quasi-pseudometric spaces. Monatshefte für Mathematik 93(2):127–140
28. Sayed-Mouchaweh M, Lughofer E (2012) Learning in non-stationary environments: methods and applications. Springer Science & Business Media, Berlin
29. Sayed-Mouchaweh M (ed) (2018) Diagnosability, security and safety of hybrid dynamic and cyber-physical systems. Springer International Publishing, Berlin
30. Tabuada P (2009) Verification and control of hybrid systems: a symbolic approach. Springer, Berlin
31. Tripakis S (2002) Fault diagnosis for timed automata. In: Formal techniques in real-time and fault-tolerant systems. Lecture notes in computer science. Springer, Berlin, pp 205–221
32. Yin X (2018) Verification of prognosability for labeled Petri nets. IEEE Trans Autom Control 63(6):1828–1834
33. Yu M, Wang D, Luo M (2014) Model-based prognosis for hybrid systems with mode-dependent degradation behaviors. IEEE Trans Ind Electron 61(1):546–554
34. Zamani M, Mazo M, Pola G, Tabuada P (2012) Symbolic models for nonlinear control systems without stability assumptions. IEEE Trans Autom Control 57(7):1804–1809

Chapter 12

Observer Design for LH-Systems

The previous chapters were centered on the analysis of observability, diagnosability and predictability properties of a hybrid system, without explicitly addressing the observer design problem. In this chapter, we illustrate a methodology for the design of hybrid observers for current location observable LH-systems, and we show the role played by the rate of convergence of the observer and by the minimum dwell time in each mode of the hybrid system in the design of the observer gains. Moreover, in the case of mixed continuous–discrete information, the estimated time required for mode identification will explicitly appear in the design procedure.

12.1 Hybrid Observer Design

In this chapter, we consider an LH-system $H$ as in Definition 2.11 where only the switching times are constrained:

Assumption 12.1 For any discrete state of $H$, the minimum dwell-time is non-zero.

Since the number of discrete states of $H$ is finite, Assumption 12.1 implies that there exists $D \in \mathbb{R}^+$ such that
$$\delta(i) \ge D > 0, \quad \forall i \in Q. \qquad (12.1)$$

Since a different dwell time could be associated with the different discrete states, an improvement in the hybrid observer performance could be achieved. However, for simplicity, our results will be given with respect to the lower bound $D$ since this has no implication on the existence of the hybrid observer and on its stability properties. We assume that the given system is an observable LH-system $H$, as in Definition 6.1. Hence $H$ is current location observable, as in Definition 9.1. We denote by $O_H$ the hybrid observer of $H$. We introduce the hybrid observer by first giving its high level functional description. The structure of $O_H$ will be described in Sect. 12.2 in the case of location observability with purely discrete output information. The case where mixed continuous and discrete information is used for obtaining current location observability will be described in Sect. 12.3. In both cases, the task of the hybrid observer is to provide at each time $t$ an estimation $\hat{q}(t) \in 2^Q$ of the current discrete state $q(t)$ of $H$ and an estimation $\hat{x}(t)$ of the current continuous state $x(t)$ of $H$. In fact, as represented in Fig. 12.1, at each $t \ge t_0$, $O_H$

• receives, as discrete input, the discrete output $y_d(t)$ of $H$ and, as continuous inputs, the continuous input $u(t)$ and the continuous output $y(t)$ of $H$;
• provides estimates $\hat{q}(t) \in 2^Q$ and $\hat{x}(t) \in \mathbb{R}^n$ of the current location $q(t)$ and continuous state $x(t)$ of the hybrid system $H$, respectively.

Fig. 12.1 General scheme of the hybrid observer (figure not reproduced; blocks: Hybrid System $H$, Hybrid Observer $O_H$; signals $u(t)$, $y_d(t)$, $y(t)$, $\hat{q}(t)$, $\hat{x}(t)$)

Recall from (2.48) and (2.49) that the output function $\upsilon : \mathbb{R} \to \Upsilon$ of an $H$-system is defined as
$$\upsilon(t) = (y_d(t), y(t))$$
where $y_d(t)$ is the discrete component of the output,
$$y_d(t_k) = h(q(t_k)), \; k = 0, 1, \ldots, L-1, \qquad y_d(t) = \varepsilon, \; \forall t \ne t_k,$$
and $y(t)$ is the continuous component of the output,
$$y(t) = c_{q(t)}(x(t)), \quad \forall t \in [0, t_f).$$
In order to synchronize the executions of $H$ and of $O_H$, we will use the following assumption.

© Springer Nature Switzerland AG 2023 E. De Santis and M. D. Di Benedetto, H-Systems, Communications and Control Engineering, https://doi.org/10.1007/978-3-031-20447-0_12


Assumption 12.2 For any execution of $H$, $y_d(t_0) \ne \varepsilon$, where $t_0$ can be set to $0$ as in previous chapters, with no loss of generality.

In fact, since the set of initial states is known, the knowledge of the initial time can be represented in the model as a discrete output associated with the initial discrete states of the system, whenever the initial states have no predecessors. If the initial states have predecessors, by Algorithm 3.1 the FSM can be transformed into an equivalent one where the initial states have no predecessors. If the initial time is unknown, and some of the initial states are silent, then by Algorithm 3.3 the FSM can be transformed into an equivalent one with no silent initial state, and the initial time of the observer can be set equal to the first instant of time in which $y_d(t) \ne \varepsilon$. Let
$$\tilde{H} \qquad (12.2)$$
denote the system obtained by composing the system $H$ with its hybrid observer. We present here a slightly modified version of the methodology proposed in [7] for the design of a hybrid observer that satisfies the following stability property:

Definition 12.1 Given an LH-system $H$, the hybrid observer $O_H$ is said to be exponentially ultimately bounded if there exist real numbers $\bar{t} \ge 0$, $c \ge 1$, $\mu > 0$ and $b \ge 0$ such that for every infinite execution of $H$, by setting $K = \max\{k \in \mathbb{N} : t_k \le \bar{t}\}$, the system $\tilde{H}$ is such that the following two conditions hold:
$$\exists\, \hat{t}_k \in [t_k, t_{k+1}) : \hat{q}(t) = \{q(t_k)\} \quad \forall t \in [\hat{t}_k, t_{k+1}), \quad \forall k : K \le k < L \qquad (12.3)$$
$$\|\hat{x}(t) - x(t)\| \le c\,\|\hat{x}(t_K) - x(t_K)\|\, e^{-\mu t} + b \quad \forall t \ge t_K. \qquad (12.4)$$

If the property above holds with $b = 0$, the hybrid observer $O_H$ is said to be exponentially convergent. In Definition 12.1, $\mu$ is the rate of convergence of the observer and $b$ is the ultimate bound. In condition (12.4), time $t_K$ is overbounded by $\bar{t}$, instead of the initial time $t_0$, as is usual in defining stability properties.

Remark 12.1 By Lemma 3.1, there exists a finite time $t'$ such that $q(t) \in \bar{Q}$, $\forall t \ge t'$, for all infinite executions of $H$, where $\bar{Q}$ is the set of states that are persistent in time for $H$ (see (3.15)). Moreover, if $H$ is current location observable, there exists a finite time $\hat{t}$ such that the current discrete state at $t$ is identified $\forall t \ge \hat{t}$. Given an execution of $H$, let $\bar{t} = \max\{t', \hat{t}\}$, and let
$$K = \max\{k \in \mathbb{N} : t_k \le \bar{t}\}. \qquad (12.5)$$
The discrete state is identified for all $t \ge t_K$. Therefore, current location observability implies condition (12.3). $\square$

For a matrix $A \in \mathbb{R}^{n \times n}$, the symbol $\kappa(A) = \|T\|\,\|T^{-1}\|$ denotes the condition number, with respect to inversion, of the matrix $T$ such that $T^{-1}AT$ is the Jordan canonical form of $A$, and $\alpha(A)$ denotes the spectral abscissa of the matrix $A$.


We will use the following lemma, which is part of a more general result published in [44].

Lemma 12.1 Let $A \in \mathbb{R}^{n \times n}$ be a matrix with real and distinct eigenvalues. Then
$$\|e^{At}\| \le \kappa(A)\, e^{\alpha(A)t}, \quad \forall t \ge 0. \qquad (12.6)$$

Proof Since the eigenvalues are real and distinct, $T^{-1}AT = \Lambda$ where $\Lambda = \mathrm{diag}(\lambda_i, i = 1 \ldots n)$. Therefore
$$\|e^{At}\| = \|T e^{\Lambda t} T^{-1}\| \le \|T\|\,\|e^{\Lambda t}\|\,\|T^{-1}\| = \kappa(A)\,\|\mathrm{diag}(e^{\lambda_i t}, i = 1 \ldots n)\| \le \kappa(A)\, e^{\alpha(A)t}. \quad \square$$

Finally, we recall the so called Squashing Lemma published in [36], which we reformulate here in a slightly modified version:

Lemma 12.2 Let $(A, C)$ be a fixed and observable matrix pair, with $A \in \mathbb{R}^{n \times n}$ and $C \in \mathbb{R}^{p \times n}$. For all positive reals $\delta$, $\tau$ and $\bar{\lambda}$ there exists a constant output-injection matrix $G \in \mathbb{R}^{n \times p}$ for which
$$\|e^{(A+GC)t}\| \le \delta\, e^{-\lambda(t-\tau)}, \quad \forall t \ge 0 \qquad (12.7)$$
with $\lambda \ge \bar{\lambda}$.

Proof We follow the proof given in [36]. Let $\lambda_1, \lambda_2, \ldots, \lambda_n$ be any set of $n$ distinct positive real numbers. Then
$$\pi(s, \lambda) = \prod_{i=1}^{n} \left(s + \lambda(1 + \lambda_i)\right)$$
is a monic polynomial of degree $n$ in $s$, whose coefficients are polynomials in $\lambda$. Since the pair $(A, C)$ is observable, there exists a polynomial matrix $H(\lambda)$ which assigns to $A + H(\lambda)C$ the characteristic polynomial $\pi(s, \lambda)$. Hence, for $\lambda > 0$, the eigenvalues of $A + H(\lambda)C$ are real, distinct, and bounded above by $-\lambda$. Because of this, the matrix $T(\lambda)$ of eigenvectors which diagonalizes $A + H(\lambda)C$ is rational and continuous on $(0, \infty)$, as is its inverse $(T(\lambda))^{-1}$. Since for $\lambda > 0$, $e^{(A+H(\lambda)C)t} = (T(\lambda))^{-1} e^{\Lambda t}\, T(\lambda)$, where $\Lambda$ is the diagonal matrix of the eigenvalues of $A + H(\lambda)C$, and $\|e^{\Lambda t}\| \le e^{-\lambda t}$, it must be that
$$\|e^{(A+H(\lambda)C)t}\| \le \rho(\lambda)\, e^{-\lambda t}, \quad t \ge 0$$
where $\rho(\lambda) = \|(T(\lambda))^{-1}\|\,\|T(\lambda)\|$. In view of the properties of $T(\lambda)$ and its inverse, $\rho(\lambda)$ must be rational and continuous on $(0, \infty)$. Since $e^{\lambda\tau}$ eventually increases faster than any continuous rational function in $\lambda$, we can pick $\lambda' \ge \bar{\lambda}$ so large that $\rho(\lambda')\, e^{-\lambda'\tau} \le \delta$. Therefore, for $t \ge 0$
$$\|e^{(A+H(\lambda')C)t}\| \le \rho(\lambda')\, e^{-\lambda' t} = \rho(\lambda')\, e^{-\lambda'\tau}\, e^{\lambda'\tau}\, e^{-\lambda' t} \le \delta\, e^{-\lambda'(t-\tau)}$$
and hence the result follows by setting $G = H(\lambda')$. $\square$

12.2 Location Observability with Purely Discrete Output Information

We start by considering the case where current location observability is obtained by using only discrete output information. In particular, we refer to the setting and results of Sect. 9.2.1. In this case, the discrete state of the hybrid system can be identified independently of the system's continuous evolution. We will design a hybrid observer $O_H$ which is an $H$-system as in Definition 2.1.¹ It is also an LH-system, where the discrete state space is $2^Q$, the finite set of discrete inputs $W$ is equal to the discrete output space $Y$ of $H$ and the discrete input function is $y_d(t)$. By referring to the formalism of an LH-system, let $\hat{y}_d : \mathbb{R} \to 2^Q$ be the discrete output of $O_H$ and $\hat{y} : \mathbb{R} \to \mathbb{R}^n$ its continuous output, which coincides with its continuous state. Then, recalling from (2.48) that, by definition, the discrete output of an $H$-system is equal to $\varepsilon$ for all $t \ne t_k$, we obtain the following relationships between the hybrid state estimation of $H$ and the output of $O_H$:
$$\hat{q}(t) = \hat{y}_d(t_k), \quad \forall t \in [t_k, t_{k+1}),\; k = 0, 1, \ldots, L-1 \qquad (12.8)$$
and
$$\hat{x}(t) = \hat{y}(t), \quad \forall t \ge t_0. \qquad (12.9)$$

¹ Here we need the formalism of Definition 2.1 because the hybrid observer must be defined with the discrete input associated with transitions. However, with respect to Definition 2.1, we may use only the time argument $t$ for all the functions depending on the argument $(t, k)$ because of the assumption on the minimum dwell-time.

The scheme of the proposed hybrid observer is shown in Fig. 12.2, inside the dashed box. As established in Theorem 9.2, the FSM $M$ associated with $H$ is current location observable and critically $\{i\}$-observable $\forall i \in reach(Q_\infty)$. Then, the observer's design may consist of two parts:

Fig. 12.2 Scheme of the hybrid observer (inside the red dashed box) for a hybrid system which is current location observable with purely discrete output information (figure not reproduced; blocks: Hybrid System, Location Observer, Continuous Observer; signals $u(t)$, $y_d(t)$, $y(t)$, $\hat{q}(t)$, $\hat{x}(t)$)

• the location observer design, which gives an FSM that identifies, after a finite number of steps, the current location of the hybrid system using the discrete output information only;
• the continuous observer design, which associates to each state of the location observer a continuous dynamics and to each transition of the location observer a reset map, in such a way that the continuous evolution of the resulting LH-system $O_H$ converges exponentially to that of the given hybrid system $H$.

The location observer determines the discrete structure of the LH-system $O_H$. The continuous observer completes the description of $O_H$. The evolution in time of $O_H$ when connected to $H$ will be explained in the next subsections.

12.2.1 Location Observer

In the case of purely discrete information, at each time $t$ the location observer receives as input the discrete output $y_d(t)$ of $H$ and gives as output $\hat{y}_d(t)$, from which the estimation of the current mode of $H$ is derived (see (12.8)). By assuming that the location observer is able to complete its task immediately, the signals $y_d$ and $\hat{y}_d$ are synchronized, i.e. $y_d(t) = \varepsilon$ if and only if $\hat{y}_d(t) = \varepsilon$. Therefore, the time elapsed between two consecutive signals that are not equal to $\varepsilon$ has no role. Then, by abstracting time, the location observer coincides with the state observer of the FSM $M$, denoted as $O_M$. This state observer is a deterministic FSM whose states are subsets of $Q$. At each step, the observer produces the subset of states that are compatible with the discrete output of $H$ up to that step. The state observer $O_M$ can be constructed by following, for example, the algorithm in [15]. In what follows, we adapt this algorithm to our framework (see also the algorithm for the computation of the current-state observation tree in [13]). Given an FSM $M = (Q, Q_0, Y, h, E)$ the observer is the FSM
$$O_M = (\hat{Q}, \hat{Q}_0, W, \hat{Y}, \hat{h}, \hat{E}) \qquad (12.10)$$
where $\hat{Q} \subset 2^Q$, $\hat{Q}_0 \subset \hat{Q}$, $W = Y$, $\hat{Y} = \hat{Q}$, $\hat{h} : \hat{Q} \to \hat{Y}$ is the identity function and $\hat{E} \subset \hat{Q} \times W \times \hat{Q}$. The state space $\hat{Q}$, the set of initial states $\hat{Q}_0$ and the set of transitions $\hat{E}$ are returned by the following algorithm, where, by using the notation of [15], given a non-silent state $i \in Q$, the symbol $UR(i)$ denotes the set of all silent states reached from $i$ with a silent execution (see Sect. 3.2.2 for the formal definition of silent state reached with a silent execution). In what follows, we abuse notation by denoting with $\hat{q}$ an element of $\hat{Q}$, and with $\hat{q}(t)$ the estimation of the current discrete state at time $t$ of $H$, which is of course an element of $\hat{Q}$.

Algorithm 12.1
procedure FSM Observer($M$, ($\hat{Q}$, $\hat{Q}_0$, $\hat{E}$))
  Initialize: $\hat{Q}_0 = \hat{Q} = \{\hat{q}_0\} = \{\emptyset\}$, $\hat{E} = \emptyset$
  for $\gamma \in Y$ do
    $q_\gamma = \bigcup_{i \in Q_0 : h(i) = \gamma} UR(i)$
    if $q_\gamma \ne \emptyset$ then $\hat{Q} = \hat{Q} \cup \{q_\gamma\}$, $\hat{E} = \hat{E} \cup \{(\hat{q}_0, \gamma, q_\gamma)\}$
    end if
  end for
  repeat
    $\hat{Q}' = \hat{Q}$
    for $\hat{q} \in \hat{Q}$ do
      for $\gamma \in Y$ do
        for $i \in \hat{q}$ do
          $\Omega_i = \bigcup_{j : (i,j) \in E \wedge h(j) = \gamma} UR(j)$
        end for
        $q_\gamma = \bigcup_{i \in \hat{q}} \Omega_i$
        $\hat{E} = \hat{E} \cup \{(\hat{q}, \gamma, q_\gamma)\}$
        $\hat{Q} = \hat{Q} \cup \{q_\gamma\}$
      end for
    end for
  until $\hat{Q}' = \hat{Q}$
  RETURN $\hat{Q}$, $\hat{Q}_0$, $\hat{E}$
end procedure


As shown in Proposition 9.2, a necessary condition for $H$ to be current location observable is that $h(i) \ne \varepsilon$ for all persistent in time states $i \in \bar{Q} = Q_p \cup reach(Q_\infty)$. If this necessary condition holds, given the FSM $M$ associated with $H$, we can construct (following the procedure illustrated in Algorithm 3.4, Sect. 3.2.2) the FSM $V(M)$ having as outputs the observable outputs of $M$ and generating the same output language as $M$. Theorem 9.2 states the conditions for $H$ to be current location observable, which can be checked on $V(M)$. Current location observability of $H$ may also be checked using the observer $O_M$. As illustrated in Chap. 9, current location observability of $H$ corresponds to the possibility of identifying all states of $M$, except for a finite number of steps at the beginning of the execution. Moreover, all discrete states in the set $reach(Q_\infty)$ have to be identified immediately. Therefore, Theorem 9.2 is equivalent to the following:

Theorem 12.1 The LH-system $H$ is current location observable with purely discrete output information if and only if the following conditions hold:
(C1) each persistent state of $O_M$ is a singleton;
(C2) for any $i \in reach(Q_\infty)$, there exists a singleton state $\{i\}$ in the observer $O_M$ and it is the only state of $O_M$ containing $i$.

Proof By construction of the observer and by definition of $Q_p$, each persistent state of $O_M$ is a subset of the persistent states of $M$. Therefore, condition (C1) is necessary for current location observability of $H$. The necessity of condition (C2) is obvious. As for sufficiency, condition (C2) implies condition (ii) of Theorem 9.2. Condition (C1) implies condition (i) of Theorem 9.2. In fact, by definition of $Q_p$, there exists a finite $\bar{k}$ such that, for all infinite state trajectories of $M$, the state belongs to $Q_p$ for all steps $k \ge \bar{k}$. Since each persistent state of $M$ belongs to a persistent state of the observer, and recalling that by Assumption 2.7, $\Delta(i) = \infty$ for each sink state $i$, the result follows. $\square$

Note that conditions (C1) and (C2) correspond to conditions (i) and (ii) of Theorem 9.2, respectively. Also, as expected, they imply the necessary condition for current location observability of $H$ already established in Proposition 9.2, i.e. $h(i) \ne \varepsilon$, $\forall i \in \bar{Q}$.

As an example, let the FSM $M$ associated with $H$ be as in Fig. 12.3, and suppose that $reach(Q_\infty) = \emptyset$. The system $H$ is not current location observable. In fact, the observer $O_M$ depicted in Fig. 12.4 does not meet condition (C1). The same result can be obtained by applying Theorem 4.1 to the system $V(M)$, depicted in Fig. 12.5. In fact, $S^* = \{(2,3), (5, 6_5)\}_s \cup \Theta$ and $B^*(S^*) = \{(4,4), (5,5), (5,6_5)\}_s$. Hence, $B^*(S^*) \setminus \Theta = \{(5, 6_5)\}_s$, so $B^*(S^*)$ is not a subset of $\Theta$. Then, by Proposition 4.6, $V(M)$ is not current location observable, and hence $M$ is not current location observable (see also the observer of $V(M)$ shown in Fig. 12.6). Finally, the same conclusion can be drawn by noticing that the necessary condition of Proposition 9.2 is not met.

The discrete behavior of the hybrid observer $O_H$ is defined by the observer $O_M$. Let
$$\hat{t}_h, \; h = 0, 1, \ldots, \qquad \hat{t}_0 = t_0 = 0 \qquad (12.11)$$

Fig. 12.3 The FSM $M$ (figure not reproduced; states 1–6 with outputs $s$, $a$, $b$ and $\varepsilon$)

Fig. 12.4 The observer $O_M$ (figure not reproduced; its states include $\emptyset$, $\{1\}$, $\{2, 3\}$, $\{5, 6\}$ and $\{4\}$)

be the instants of time at which the hybrid system $H$ sends to the location observer an observable output, i.e. $y_d(\hat{t}_h) \ne \varepsilon$, $0 \le h < \hat{L}$. Then, for each execution of $H$, $\{\hat{t}_h\}$ is the set of the hybrid observer switching times, which is a subset of the switching times $\{t_k, 0 \le k < L\}$ of $H$, and therefore $\hat{L} \le L$. For current location observable hybrid systems with purely discrete information, given $\hat{t}$ of Definition 9.1, for each execution
$$\exists K \in \mathbb{N} : \left(\hat{q}(t) = \{q(t)\}, \; \forall t \ge t_K\right) \wedge t_K \le \hat{t}. \qquad (12.12)$$
Therefore, for $t \ge t_K$ the transitions of the FSM $O_M$ are synchronous with all the hybrid system transitions, while for $t \in [t_0, t_K)$ a transition of $H$ may not correspond to a transition of $O_M$. Given $O_M$, and bearing in mind Eq. (12.8), for each execution of $H$ the estimation of the current discrete state is defined as follows, for $0 \le h < \hat{L}$:

Fig. 12.5 The FSM $V(M)$ (figure not reproduced; states 1, 2, 3, 4, 5 and $6_5$ with outputs $s$, $a$, $b$)

Fig. 12.6 The observer of $V(M)$ (figure not reproduced; its states include $\emptyset$, $\{1\}$, $\{2, 3\}$, $\{5, 6_5\}$ and $\{4\}$)

$$\hat{q}(t) = \hat{q} \in \hat{Q} : \left(\hat{q}(\hat{t}_{h-1}), y_d(\hat{t}_h), \hat{q}\right) \in \hat{E}, \quad t \in [\hat{t}_h, \hat{t}_{h+1}) \qquad (12.13)$$
with $\hat{q}(\hat{t}_{-1}) = \hat{q}_0$.

Remark 12.2 In general, current location observability (see Definition 9.1) implies property (12.3) of Definition 12.1. Eq. (12.13) shows that in the case of a current location observable LH-system with purely discrete output information, condition (12.3) holds with $\hat{t}_k = t_k$. Hence, exponential ultimate boundedness of the hybrid observer as in Definition 12.1 implies current location observability. $\square$


Remark 12.3 The observer $O_M$ takes into account all possible evolutions of the FSM $M$. Therefore, if the observer is stored in memory, given the discrete output $y_d(t)$ of $H$, the estimation of the current state can be immediately computed on the basis of (12.13), with the additional advantage of formally describing the hybrid observer as an LH-system. However, the number of states of the observer can grow exponentially with respect to the cardinality of the set $Q$. To overcome this problem, an alternative approach consists in storing in the memory the model of the plant $M$ itself, rather than $O_M$. Then, the space complexity of the algorithm which returns the estimation of the current discrete state is of the order of $N = card(Q)$, and the time complexity is polynomial in $N$. In fact, once current location observability has been checked offline, the current states that are compatible with the current output information can be computed online on the basis of the computation carried out at the previous step. More precisely, for each execution of $H$, the function which returns $\hat{q}(t)$ can be defined "on the fly"² as follows for $t \in [\hat{t}_h, \hat{t}_{h+1})$:
$$\hat{q}(t) = \hat{q}(\hat{t}_0) = \bigcup_{j \in I^0} UR(j), \quad h = 0 \qquad (12.14)$$
$$\hat{q}(t) = \hat{q}(\hat{t}_h) = \bigcup_{i \in \hat{q}(\hat{t}_{h-1})} \; \bigcup_{j \in I^i} UR(j), \quad 1 \le h < \hat{L} \qquad (12.15)$$
where
$$I^0 = \{j \in Q_0 : h(j) = y_d(\hat{t}_0)\}, \qquad I^i = \{j \in Q : (i,j) \in E \wedge h(j) = y_d(\hat{t}_h)\}.$$
By construction, at each time $t$, $\hat{q}(t)$ takes exactly the same value as the one computed with Eq. (12.13). $\square$
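As an added example (not the book's code), Algorithm 12.1 and the on-the-fly estimate (12.14)-(12.15) run on a constructed six-state FSM with one silent state, checking that the two estimates agree and testing condition (C2) of Theorem 12.1 on the resulting $O_M$. It assumes that $UR(i)$ contains $i$ itself (the initial step of Algorithm 12.1 needs this to yield $\{i\}$) and it does not record transitions of $O_M$ into the empty subset.

```python
"""Algorithm 12.1 (observer O_M of an FSM) and the on-the-fly estimate (12.14)-(12.15)."""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

EPS = "eps"                      # the silent output epsilon (constructed label)
Obs = FrozenSet[int]             # an observer state is a subset of Q


class FSM:
    """M = (Q, Q0, Y, h, E): states, initial states, outputs, output map, edges."""

    def __init__(self, Q: Iterable[int], Q0: Iterable[int], Y: Iterable[str],
                 h: Dict[int, str], E: Iterable[Tuple[int, int]]):
        self.Q, self.Q0, self.Y = set(Q), set(Q0), set(Y)
        self.h, self.E = dict(h), set(E)

    def succ(self, i: int) -> Set[int]:
        return {j for (a, j) in self.E if a == i}


def unobservable_reach(M: FSM, i: int) -> Obs:
    """UR(i): i itself plus every silent state reached from i through silent states only."""
    seen, stack = {i}, [i]
    while stack:
        for j in M.succ(stack.pop()):
            if M.h[j] == EPS and j not in seen:
                seen.add(j)
                stack.append(j)
    return frozenset(seen)


def step(M: FSM, q: Obs, gamma: str) -> Obs:
    """q_gamma = union over i in q of Omega_i, with Omega_i = union of UR(j) over (i, j) in E, h(j) = gamma."""
    out: Set[int] = set()
    for i in q:
        for j in M.succ(i):
            if M.h[j] == gamma:
                out |= unobservable_reach(M, j)
    return frozenset(out)


def fsm_observer(M: FSM) -> Tuple[Set[Obs], Set[Obs], Set[Tuple[Obs, str, Obs]]]:
    """Algorithm 12.1: state space, initial state set and transitions of O_M (12.10)."""
    q0: Obs = frozenset()                        # q^_0 is the empty subset
    Qh, Eh = {q0}, set()
    observable = [g for g in M.Y if g != EPS]
    for g in observable:                         # first observable output from Q0
        qg = frozenset().union(*(unobservable_reach(M, i) for i in M.Q0 if M.h[i] == g))
        if qg:
            Qh.add(qg)
            Eh.add((q0, g, qg))
    while True:
        prev = set(Qh)                           # Q^' = Q^
        for q in prev:
            for g in observable:
                qg = step(M, q, g)
                if qg:                           # empty successors (impossible outputs) are not recorded
                    Eh.add((q, g, qg))
                    Qh.add(qg)
        if Qh == prev:                           # until Q^' = Q^
            break
    return Qh, {q0}, Eh


def estimate_with_observer(Eh, y_d: List[str]) -> List[Obs]:
    """(12.13): replay the observable outputs y_d(t^_h) on the stored transitions of O_M."""
    cur: Obs = frozenset()
    est = []
    for g in y_d:
        nxt = [q for (p, a, q) in Eh if p == cur and a == g]
        cur = nxt[0] if nxt else frozenset()
        est.append(cur)
    return est


def estimate_on_the_fly(M: FSM, y_d: List[str]) -> List[Obs]:
    """(12.14)-(12.15): the same estimate computed from M itself, without storing O_M."""
    I0 = [j for j in M.Q0 if M.h[j] == y_d[0]]
    cur = frozenset().union(*(unobservable_reach(M, j) for j in I0))   # (12.14), h = 0
    est = [cur]
    for g in y_d[1:]:
        cur = step(M, cur, g)                    # (12.15): union over i in q^(t^_{h-1}), j in I^i
        est.append(cur)
    return est


def condition_c2(Qh: Set[Obs], reach_Qinf: Iterable[int]) -> bool:
    """(C2) of Theorem 12.1: {i} is a state of O_M and the only state containing i."""
    return all(frozenset({i}) in Qh and sum(1 for q in Qh if i in q) == 1 for i in reach_Qinf)


# Constructed FSM (not the book's Fig. 12.3): state 6 is silent, state 4 is a sink.
M = FSM(Q=range(1, 7), Q0=[1], Y=["s", "a", "b", EPS],
        h={1: "s", 2: "a", 3: "a", 4: "b", 5: "a", 6: EPS},
        E=[(1, 2), (1, 3), (2, 4), (3, 6), (6, 5), (5, 4), (4, 4)])
Y_D = ["s", "a", "a", "b", "b"]               # constructed sequence of observable outputs

if __name__ == "__main__":
    Qh, Qh0, Eh = fsm_observer(M)
    print(sorted(sorted(q) for q in Qh))
    print(estimate_with_observer(Eh, Y_D))
    print(estimate_on_the_fly(M, Y_D))
    print(condition_c2(Qh, {4, 5}), condition_c2(Qh, {3}))
```

With the constructed output sequence the observer passes through $\{1\}$, $\{2,3,6\}$, $\{5\}$, $\{4\}$; state 3 never becomes a singleton, so (C2) would fail for any $reach(Q_\infty)$ containing it.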

12.2.2 Continuous Observer

Recall that for each $i \in Q$, the linear system $S(i)$ is described by the equations
$$\dot{x}(t) = A_i x(t) + B_i u(t), \qquad y(t) = C_i x(t) \qquad (12.16)$$
where $A_i \in \mathbb{R}^{n \times n}$, $B_i \in \mathbb{R}^{n \times m}$, $C_i \in \mathbb{R}^{p \times n}$. The continuous dynamics of the hybrid observer, which determines the evolution of the estimate $\hat{x}(t)$ of the continuous state $x(t)$ of $H$, is defined as follows.

² The term "on the fly" is inspired by research on on-the-fly verification and control of finite state machines (see e.g. [19, 42]).


1. Let $Q_{obs} \subset Q$ be the set of discrete states $i$ such that the associated pair $(A_i, C_i)$ is observable. The continuous dynamics
$$\dot{\hat{x}}(t) = \hat{f}_{\hat{q}}(\hat{x}(t), u(t), y(t)) \qquad (12.17)$$
is associated with each observer location $\hat{q}$, where the function $\hat{f}_{\hat{q}}$ is defined as follows:
$$\hat{f}_{\hat{q}} = \begin{cases} (A_i - G_i C_i)\,\hat{x}(t) + B_i u(t) + G_i y(t) & \text{if } \hat{q} = \{i\} \wedge i \in Q_{obs} \\ 0 & \text{otherwise.} \end{cases} \qquad (12.18)$$
The observer gain-matrix $G_i \in \mathbb{R}^{n \times p}$ is the design parameter used to set the convergence rate in each location $i \in Q$ and ensure the hybrid observer's convergence. As in the definition of the location observer, let $\hat{t}_h$, $h = 0, 1, \ldots$ be the time instants at which $y_d(t) \ne \varepsilon$. If in some time interval $[\hat{t}_h, \hat{t}_{h+1})$ the current discrete state has not been identified, i.e. $\hat{q}(t)$ is not a singleton in that interval, or if the current dynamical system is not observable, the function $\hat{f}_{\hat{q}}$ is such that the continuous observer state $\hat{x}$ is locked at its value $\hat{x}(\hat{t}_h)$. Then, for $t \ge \hat{t}$, if $\hat{q} = \{i\} \wedge i \in Q_{obs}$, the function $\hat{f}_{\hat{q}}$ implements a Luenberger observer [29] and the hybrid observer's transitions and the hybrid system's transitions are synchronous.

2. The reset
$$\hat{x}(\hat{t}_h) = R\left((i,j), \hat{x}(\hat{t}_h^-)\right) \qquad (12.19)$$
is associated with each location observer transition from singleton state $\{i\}$ to singleton state $\{j\}$, with $i, j \in Q_{obs}$, where $R : E \times \mathbb{R}^n \to \mathbb{R}^n$ is the linear reset function and $R(e, x) = R_e x$. The identity reset is associated with all the other location observer transitions, which involve at least a discrete state which is not a singleton, i.e.
$$\hat{x}(\hat{t}_h) = \hat{x}(\hat{t}_h^-). \qquad (12.20)$$
Due to the synchronization between the location observer and the hybrid system's transitions, for $t \ge \hat{t}$ the hybrid observer applies the same reset as the hybrid system at the same time.

12.2.3 Observer Convergence

In Sects. 12.2.1 and 12.2.2 we described the components of the hybrid observer $O_H$. Both $H$ and $O_H$ are LH-systems. It is possible to see, from the way it is constructed, that their composition $\tilde{H}$ is also an LH-system:

Proposition 12.1 The system $\tilde{H}$ is an LH-system.

We will now show how to select the gain matrices $G_i$ of the continuous observer so that the hybrid observer is exponentially convergent.


By Eqs. (12.16) and (12.18), for $t \ge \hat{t}$ the observation error $\zeta = \hat{x} - x$ is described by
$$\dot{\zeta}(t) = (A_i - G_i C_i)\,\zeta(t) \qquad (12.21)$$
with, by (12.19), resets at system switching times $t_k$ equal to
$$\zeta(t_k) = R_{ij}\,\zeta(t_k^-). \qquad (12.22)$$
In what follows, we will give bounds on the evolution $\zeta(\cdot)$ of the error system defined by (12.21) and (12.22) such that exponential convergence of the hybrid observer is ensured. In Proposition 9.4 we gave two sufficient conditions for a current location observable hybrid system to be observable. Under the first of those two conditions, the next theorem states that exponential convergence of the hybrid observer dynamics can always be achieved. The theorem is an extension of a well-known result on switching systems stability [24] to the case of hybrid systems with continuous state resets. It was first established in [6, 7] in a more general setting where bounded disturbances are taken into account. Here we consider the nominal case.

Theorem 12.2 Given an LH-system $H$ which is current location observable with purely discrete output information, suppose that for every state $i \in Q$ the pair $(A_i, C_i)$ is observable. Then for any rate of convergence $\bar{\mu} > 0$ and for any value of $D$ there exist gains $G_i$, $i \in Q$, such that the hybrid observer $O_H$ is exponentially convergent with rate of convergence $\mu \ge \bar{\mu}$. Each gain $G_i$ is such that
$$\mu \ge -\alpha(F_i) - \frac{\max\{0, \log(r_i\,\kappa(F_i))\}}{D} \ge \bar{\mu} \qquad (12.23)$$
where $F_i = A_i - G_i C_i$ and
$$r_i = 0 \;\text{ if } succ(i) = \emptyset, \qquad r_i = \max_{j \in succ(i)} \|R_{ij}\| \;\text{ if } succ(i) \ne \emptyset.$$

Proof Since $H$ is current location observable, for an infinite execution let $K$ and $t_K$ be as in Remark 12.1. The discrete state is identified for all $t \ge t_K$. The switching times of $H$ and those of $O_H$ are synchronous for $t \ge t_K$. Hence in what follows we may refer only to the switching times of $H$. If $L - K = 1$, the result obviously follows. Let $L - K > 1$ and consider $t_k$ and $t_{k+1}$ with $k \ge K$ and $k + 1 < L$. Let $\hat{q}(t_k) = \{i\}$. For $t \in [t_k, t_{k+1})$ we have
$$\zeta(t) = e^{F_i (t - t_k)}\,\zeta(t_k) \qquad (12.24)$$
and for $j \in succ(i)$
$$\zeta(t_{k+1}) = R_{ij}\,\zeta(t_{k+1}^-). \qquad (12.25)$$
Since each pair $(A_i, C_i)$ with $i \in Q$ is observable, there exists a matrix $G_i$ such that $F_i$ has real and distinct eigenvalues. Then, from Lemma 12.1, we have
$$\|\zeta(t_{k+1}^-)\| \le \kappa(F_i)\, e^{\alpha(F_i)(t_{k+1} - t_k)}\,\|\zeta(t_k)\| \qquad (12.26)$$
which implies that
$$\|\zeta(t_{k+1})\| \le r_i\,\kappa(F_i)\, e^{\alpha(F_i)(t_{k+1} - t_k)}\,\|\zeta(t_k)\| \qquad (12.27)$$
and hence Eqs. (12.26) and (12.27) hold for any $j \in succ(i)$. By following the same arguments used in the proof of Lemma 12.2, let $\lambda_1, \lambda_2, \ldots, \lambda_n$ be $n$ distinct nonnegative real numbers and consider the polynomial
$$p(s, \lambda) = \prod_{i=1}^{n} \left(s + \lambda(\lambda_i + 1)\right).$$
Since the pair $(A_i, C_i)$ is observable, there exists a polynomial matrix $H_i(\lambda)$ which assigns to $F_i(\lambda) = A_i + H_i(\lambda) C_i$ the characteristic polynomial $p(s, \lambda)$ and therefore the eigenvalues of $F_i(\lambda)$ are real, distinct and bounded above by $-\lambda$. Then the matrix $T(\lambda)$ which diagonalizes $F_i(\lambda)$ and its inverse $T^{-1}(\lambda)$ are both rational and continuous on $(0, \infty)$. Then also $\kappa(F_i(\lambda))$ is rational and continuous on $(0, \infty)$. If we pick $\lambda_1 = 0$ then $-\lambda$ coincides with $\alpha(F_i)$. Therefore, for any arbitrarily small real $\varepsilon > 0$ there exists $G_i \in \mathbb{R}^{n \times p}$, and hence there exists $F_i \in \mathbb{R}^{n \times n}$, such that $\alpha(F_i) < 0$ and
$$\frac{\max\{0, \ln(r_i\,\kappa(F_i))\}}{-\alpha(F_i)} \le \varepsilon.$$
Therefore for any $D > 0$ and for any $\varepsilon' > 0$ there exists $G_i \in \mathbb{R}^{n \times p}$, and hence there exists $F_i \in \mathbb{R}^{n \times n}$, such that
$$-\alpha(F_i)\left(1 - \frac{\max\{0, \ln(r_i\,\kappa(F_i))\}}{-D\,\alpha(F_i)}\right) \ge -\alpha(F_i)\,(1 - \varepsilon')$$
and therefore for any $D > 0$ and for any $\mu > 0$ there exists a sufficiently large $-\alpha(F_i) \ge \frac{\mu}{1 - \varepsilon'}$ such that
$$-\alpha(F_i) - \frac{\max\{0, \ln(r_i\,\kappa(F_i))\}}{D} \ge \mu. \qquad (12.28)$$
By the dwell time hypothesis, $t_{k+1} - t_k \ge D$. Then, since
$$\ln(r_i\,\kappa(F_i)) + \alpha(F_i)(t_{k+1} - t_k) \le \left[\frac{\max\{0, \ln(r_i\,\kappa(F_i))\}}{D} + \alpha(F_i)\right](t_{k+1} - t_k)$$
and
$$r_i\,\kappa(F_i)\, e^{\alpha(F_i)(t_{k+1} - t_k)} = e^{\ln(r_i\,\kappa(F_i)) + \alpha(F_i)(t_{k+1} - t_k)},$$
from (12.28)
$$r_i\,\kappa(F_i)\, e^{\alpha(F_i)(t_{k+1} - t_k)} \le e^{-\mu(t_{k+1} - t_k)}. \qquad (12.29)$$
Hence, from (12.27) and (12.29), for all integers $k$ with $K \le k < L - 1$
$$\|\zeta(t_{k+1})\| \le e^{-\mu(t_{k+1} - t_k)}\,\|\zeta(t_k)\|. \qquad (12.30)$$
Finally, since $\alpha(F_i) < -\mu$ for all $i \in Q$, from Lemma 12.1 it follows that $\forall t \in [t_k, t_{k+1})$ with $K \le k < L$
$$\|\zeta(t)\| \le \kappa(F_i)\, e^{\alpha(F_i)(t - t_k)}\,\|\zeta(t_k)\| \le \bar{\kappa}\, e^{-\mu(t - t_k)}\,\|\zeta(t_k)\| \qquad (12.31)$$
where $\bar{\kappa} = \max_{i \in Q} \kappa(F_i)$. By (12.31) the norm of the observation error is upper bounded by an exponential with rate $\mu$. Therefore, the hybrid observer is exponentially convergent with rate $\mu \ge \bar{\mu}$. $\square$
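As an added example (not the book's code), the quantities of Lemma 12.1 and of the bound (12.23) computed for one constructed $2 \times 2$ mode with a scalar output: a double-integrator observed through $x_1$, with a gain $G_i$ that places the eigenvalues of $F_i = A_i - G_iC_i$ at $-2$ and $-3$, and a constructed reset norm $r_i = 1.5$. It assumes $F_i$ is diagonalizable with real distinct eigenvalues, so that $e^{F_i t}$ is built from the eigenvector matrix $T$ and $\kappa(F_i) = \|T\|\,\|T^{-1}\|$ with the spectral norm; it shows the same gain yielding a guaranteed rate for $D = 4$ and no guarantee for $D = 1$.

```python
"""Quantities of Theorem 12.2 for one mode: kappa(F_i), alpha(F_i) and the bound (12.23)."""
import math


def matmul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(2)) for j in range(2)] for i in range(2)]

def det2(X):
    return X[0][0] * X[1][1] - X[0][1] * X[1][0]

def inv2(X):
    d = det2(X)
    return [[X[1][1] / d, -X[0][1] / d], [-X[1][0] / d, X[0][0] / d]]

def norm2(X):
    """Spectral norm of a 2x2 matrix (largest singular value, closed form)."""
    s = sum(X[i][j] ** 2 for i in range(2) for j in range(2))
    d = det2(X)
    return math.sqrt((s + math.sqrt(max(s * s - 4 * d * d, 0.0))) / 2)

def eig2(F):
    """Eigenvalues of F, which must be real and distinct (hypothesis of Lemma 12.1)."""
    tr, d = F[0][0] + F[1][1], det2(F)
    disc = tr * tr - 4 * d
    if disc <= 0:
        raise ValueError("F needs real, distinct eigenvalues")
    return (tr - math.sqrt(disc)) / 2, (tr + math.sqrt(disc)) / 2

def eigvec(F, lam):
    """A (non-normalized) eigenvector of F for the eigenvalue lam."""
    a, b, c, d = F[0][0], F[0][1], F[1][0], F[1][1]
    if b != 0:
        return [b, lam - a]
    if c != 0:
        return [lam - d, c]
    return [1.0, 0.0] if lam == a else [0.0, 1.0]

def jordan_basis(F):
    """T whose columns are eigenvectors, so T^{-1} F T is diagonal, plus the eigenvalues."""
    l1, l2 = eig2(F)
    v1, v2 = eigvec(F, l1), eigvec(F, l2)
    return [[v1[0], v2[0]], [v1[1], v2[1]]], (l1, l2)

def kappa(F):
    """kappa(F) = ||T|| ||T^{-1}||, the condition number used in Lemma 12.1."""
    T, _ = jordan_basis(F)
    return norm2(T) * norm2(inv2(T))

def alpha(F):
    """Spectral abscissa of F (largest eigenvalue; all eigenvalues are real here)."""
    return max(eig2(F))

def expm(F, t):
    """e^{Ft} = T diag(e^{l1 t}, e^{l2 t}) T^{-1}, valid because F is diagonalizable."""
    T, (l1, l2) = jordan_basis(F)
    D = [[math.exp(l1 * t), 0.0], [0.0, math.exp(l2 * t)]]
    return matmul(matmul(T, D), inv2(T))

def rate_bound(F, r, D):
    """Middle term of (12.23): -alpha(F) - max{0, log(r kappa(F))} / D."""
    return -alpha(F) - max(0.0, math.log(r * kappa(F))) / D

def lemma_12_1_slack(F, t):
    """kappa(F) e^{alpha(F) t} - ||e^{Ft}||, which Lemma 12.1 says is >= 0."""
    return kappa(F) * math.exp(alpha(F) * t) - norm2(expm(F, t))

def dwell_contraction(F, r, D):
    """(r ||e^{FD}||, e^{-mu D}): worst-case error growth over one dwell interval plus
    reset, against the bound (12.29) with mu = rate_bound(F, r, D)."""
    return r * norm2(expm(F, D)), math.exp(-rate_bound(F, r, D) * D)

def observer_matrix(A, C, G):
    """F_i = A_i - G_i C_i for a scalar output (C is 1x2, G is 2x1)."""
    return [[A[i][j] - G[i] * C[j] for j in range(2)] for i in range(2)]


# Constructed mode (not from the book): double integrator observed through x_1;
# the gain G places the eigenvalues of F at -2 and -3.
A = [[0.0, 1.0], [0.0, 0.0]]
C = [1.0, 0.0]
G = [5.0, 6.0]
F = observer_matrix(A, C, G)
R_NORM = 1.5            # r_i = max_j ||R_ij|| over the successors of the mode (constructed)

if __name__ == "__main__":
    print(f"alpha(F) = {alpha(F):.3f}, kappa(F) = {kappa(F):.3f}")
    for D in (1.0, 4.0):
        print(f"D = {D}: guaranteed rate {rate_bound(F, R_NORM, D):+.3f}")
```

With $\kappa(F_i) \approx 14.9$ the reset term $\ln(r_i\kappa(F_i))$ exceeds $2 = -\alpha(F_i)$, so a dwell time of $D = 1$ gives a negative bound, while $D = 4$ guarantees a rate of about $1.22$.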

12.3 Location Observability with Mixed Information

As illustrated in Chap. 9, the discrete state of a hybrid system $H$ may be correctly identified even when the associated FSM $M$ is not current location observable. In fact, current location observability of $H$ may be achieved not only by using the discrete outputs but also by processing the continuous inputs and outputs of $H$ to obtain some additional information for discrete state identification, as explained in Sect. 9.2.2. More precisely, by Proposition 9.4 and Corollary 9.1, if the system $H_e$ is current location observable with purely discrete output information, we can apply the technique described in Sect. 12.2 to design a hybrid observer for the system $H_e$ to estimate its state $\hat{q}_e(t)$. Then, the estimation of the discrete state $\hat{q}(t)$ of $H$ follows from the relation between $\hat{q}(t)$ and $\hat{q}_e(t)$ given by the function $f$ (see Algorithm 3.2 and the Enriching Procedure in Sect. 8.2). From a theoretical point of view, the additional discrete output corresponding to the equivalence class of the current mode can be obtained from the continuous evolution in an arbitrarily small amount of time. Therefore, the systems $H$ and $H_e$ are not exactly synchronized, but the delay between the switching times of the former and of the latter may be arbitrarily small. However, from a practical point of view, the design of the observer has to take into account the time necessary for the generation of the additional output. Hence, a system called Enriched Output Generator (EOG) is designed, which elaborates the continuous input and output functions of $H$, generates the additional discrete output in the realistic situation where some processing time is needed to detect the switching time and identify the equivalence class of the current mode, combines the result of this computation with the discrete output of $H$, and provides an enriched output function denoted $\hat{y}_{e,d}(t)$. The details of the EOG will be described in the next section.


Current location observability requires the identification of the discrete state for almost all instants of time. In the case of mixed information, this is not possible because of the elaboration time necessary for the EOG to complete its task after the switching time of $H$. In that finite interval, because of the mismatch between the actual current evolving system and the identified one, the gain of the observer causes a persistent error in the continuous state estimation. As a consequence, the observer cannot be exponentially convergent, as in the case described in Sect. 12.2, and we will refer to the weaker property of exponential ultimate boundedness. Figure 12.7 shows the structure of the hybrid observer $O_H$ (inside the red dashed box) and the connections of the EOG with the other components. The location observer and the continuous observer are designed for the system $H_e$. This is why the estimation of the discrete state made by the location observer and used by the continuous observer is denoted by $\hat{q}_e(t)$ in the picture. Thanks to the function $f$ described in Chap. 8, which relates the states of $H_e$ and those of $H$, we can derive the estimation $\hat{q}(t)$ of the discrete state of $H$ from $\hat{q}_e(t)$. The observer $O_H$ is the composition of the hybrid observer $O_{H_e}$ of $H_e$ with the EOG. The composition of $H$ and $O_H$ is the system $\tilde{H}$ defined in (12.2). The design procedure is the same as the one already described in Sect. 12.2, with an appropriate sizing of the gains of the continuous observer, so that the hybrid observer $O_H$ is exponentially ultimately bounded. In the next subsection, we will describe the design of the EOG. Then, we will illustrate how the location observer and the continuous observer can be constructed. As already noted, the hybrid observer is not synchronized with the given system $H$, and the switchings are triggered by the function $\hat{y}_{e,d}(t)$.

12.3.1 Enriched Output Generator

The Enriched Output Generator (EOG) is composed of a Class Detector and an Output Generator, as depicted in Fig. 12.8. In Sect. 8.2, the discrete states in $Q$ were grouped into equivalence classes on the basis of the indistinguishability of the dynamical systems associated with each discrete state. A different label in the set $Y_\sim$ was associated with each equivalence class. The Class Detector is an algorithm that processes the continuous input $u(t)$ and the continuous component $y(t)$ of the hybrid output $\upsilon(t)$ of $H$, and generates the signal $\hat{c}(t)$, where $\hat{c} : \mathbb{R} \to Y_\sim \cup \{\nu\}$ is defined as
$$\hat{c}(t) = \alpha \in Y_\sim$$
if at time $t$, $u|_{[\max\{0, t-D\}, t)}$ and $y|_{[\max\{0, t-D\}, t]}$ are compatible with the equivalence class labeled with $\alpha$, i.e. a system in the class $\alpha$ may have output $y|_{[\max\{0, t-D\}, t]}$ if the input is $u|_{[\max\{0, t-D\}, t)}$. Otherwise
$$\hat{c}(t) = \nu$$

Fig. 12.7 Scheme of the hybrid observer for a current location observable LH-system $H$. The hybrid observer $O_H$ is represented inside the red dashed box. The hybrid observer $O_{H_e}$ is represented inside the blue dashed box (figure not reproduced; blocks: Hybrid System $H$, EOG, Location Observer, Continuous Observer; signals $u(t)$, $y_d(t)$, $y(t)$, $\hat{q}_e(t)$, $\hat{q}(t)$, $\hat{x}(t)$)

where ν is a symbol that indicates that no equivalence class is compatible with $u|_{[\max\{0,t-D\},t)}$ and $y|_{[\max\{0,t-D\},t]}$. Then, whenever $\hat c(t) \ne \nu$ and $\hat c(t^-) = \nu$, we can deduce that a switching has occurred. In the following assumption, we introduce the real parameter $\hat\delta \in (0, D)$, which is an upper bound for the elaboration time needed for the identification of the equivalence class.

Assumption 12.3 Let $t_k$ be a switching time of H. Then at some $\hat t_k \in (t_k, t_k + \hat\delta]$, $\hat\delta \in (0, D)$, the Class Detector identifies the equivalence class of the system evolving in the interval $[t_k, \hat t_k)$.

12 Observer Design for LH-Systems

Fig. 12.8 Scheme of the EOG (inside the magenta dashed box). (Blocks in the figure: Hybrid System, Class Detector, Output Generator, Location Observer, Continuous Observer; signals: u(t), y(t), yd(t), ĉ(t), ŷe,d(t), q̂(t), q̂e(t), x̂(t).)

The assumption above implies that whenever $\hat c(t) \ne \nu$ and $\hat c(t^-) = \nu$, we can deduce that a switching occurred at a switching time belonging to the interval $[t - \hat\delta, t]$. Given H, the enriched system He is defined in (8.15). The Output Generator is a logical unit that receives as input the discrete output $y_d(t)$ of H and the signal $\hat c(t)$, and generates the output $\hat y_{e,d} : \mathbb{R} \to Y_e$, where $Y_e$ is the discrete output set for the system He. If $\hat t_h$, $h = 1, 2, \ldots$, denote the switching times of the observer, then $\hat y_{e,d}(t)$ is the null output for all $t \in (\hat t_h, \hat t_{h+1})$. Set $\hat t_0 = t_0 = 0$. The switching times $\hat t_h$ are recursively defined as follows. Let $\bar t$ be the minimum $t > \hat t_h$ such that the next switching is detected either through the discrete output $y_d$ of the system or through the signal $\hat c$. More precisely, a switching is detected at some t through the discrete output if $y_d(t)$ is non-null and $y_d(t^-)$ is null, and it is detected through the signal $\hat c$ if $\hat c(t) \ne \nu \wedge \hat c(t^-) = \nu$. The two conditions above cannot hold at the same time because in Assumption 12.3, by setting $\hat t_k \in (t_k, t_k + \hat\delta]$, a non-zero elaboration time has been assumed. If $y_d(t)$ is non-null and $y_d(t^-)$ is null for $t = \bar t$, then either the class is determined by the Class Detector within the time interval $[\bar t, \bar t + \hat\delta]$ and therefore

$$\hat t_{h+1} = \min\left\{ t \in [\bar t, \bar t + \hat\delta] : \hat c(t) \ne \nu \wedge \hat c(t^-) = \nu \right\} \qquad (12.32)$$

$$\hat y_{e,d}(\hat t_{h+1}) = \hat c(\hat t_{h+1}) \circ y_d(\bar t) \qquad (12.33)$$

or the class of the current mode cannot be determined. In this last case it follows that

$$\hat t_{h+1} = \bar t + \hat\delta \qquad (12.34)$$

$$\hat y_{e,d}(\hat t_{h+1}) = y_d(\bar t). \qquad (12.35)$$

If $\hat c(t) \ne \nu \wedge \hat c(t^-) = \nu$ for $t = \bar t$, then a transition occurred but we will certainly not receive a discrete output from the system before the next commutation. Therefore,

$$\hat t_{h+1} = \bar t \qquad (12.36)$$

and

$$\hat y_{e,d}(\hat t_{h+1}) = \hat c(\bar t). \qquad (12.37)$$

In the case of (12.32) and (12.33), the function ŷe,d returns at most at time tk + δ̂ the discrete output of H enriched with the information obtained from the elaboration of the continuous output and continuous input. However, if the information yd(t) were sufficient to obtain current location observability, the delay δ̂ could cause a degradation of the observer's performance. A similar phenomenon occurs also in the other cases described above. However, the redundant information encoded in ĉ(t) can be useful in monitoring the behaviour of H, allowing for example a warning to be generated whenever there is a mismatch between the signals coming from the actual system and those predicted by the model. Using a terminology introduced recently in the context of the Smart Factory [23], the hybrid observer has the role of a digital twin of H. Moreover, note that measurements of the continuous input and output are necessary anyway for the identification of the current continuous component of the state, so the additional cost of achieving this redundancy is only due to the processing of the continuous signals.
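The recursion (12.32)–(12.37) can be run as a discrete-event procedure over sampled signals. The following Python script is an added example, not code from the book or from its authors: it assumes signals sampled at integer time steps, represents both the null discrete output of H and the Class Detector symbol ν by None, and represents the composition ĉ ∘ yd of (12.33) as a pair (discrete output label, class label). The sample signals are constructed for the example and cover the three cases of the text: a switching announced by the discrete output and classified within δ̂, a silent switching detected through ĉ only, and an announced switching whose class is never determined, which falls under (12.34)–(12.35).

```python
"""Output Generator of the EOG, (12.32)-(12.37), over sampled signals.
Added example; the signals below are constructed, not taken from the book."""

# None plays the role of both the null discrete output of H and the Class
# Detector symbol ν ("no equivalence class is compatible").


def rises(signal, k):
    """True at sample k if the signal is null at k-1 and non-null at k, i.e. the
    event "s(t) non-null and s(t^-) null" of the text, in sampled form."""
    return k > 0 and signal[k] is not None and signal[k - 1] is None


def output_generator(yd, c, delta_hat):
    """yd[k]: discrete output of H at sample k (None when no output);
    c[k]: Class Detector output at sample k (None for ν, else a class label);
    delta_hat: the elaboration-time bound δ̂, in samples.
    Returns the observer switching times t̂_h (h >= 1) and, for each, the
    enriched output ŷ_{e,d}(t̂_h) as a pair (yd label, class label)."""
    assert len(yd) == len(c)
    n = len(yd)
    t_hat = 0                      # t̂_0 = t_0 = 0
    switches, outputs = [], []
    while True:
        # t̄: first sample after t̂_h at which a switching is detected by either signal
        t_bar = next((k for k in range(t_hat + 1, n) if rises(yd, k) or rises(c, k)), None)
        if t_bar is None:
            return switches, outputs
        if rises(yd, t_bar):
            # Detected through the discrete output: wait at most δ̂ for the class.
            window = range(t_bar, min(t_bar + delta_hat, n - 1) + 1)
            found = next((k for k in window if rises(c, k)), None)
            if found is not None:
                t_hat = found                           # (12.32)
                outputs.append((yd[t_bar], c[found]))   # (12.33): ĉ(t̂_{h+1}) ∘ y_d(t̄)
            else:
                t_hat = t_bar + delta_hat               # (12.34)
                outputs.append((yd[t_bar], None))       # (12.35): y_d(t̄) alone
        else:
            # Detected through ĉ only: no discrete output is coming for this switch.
            t_hat = t_bar                               # (12.36)
            outputs.append((None, c[t_bar]))            # (12.37): ĉ(t̄)
        switches.append(t_hat)
        if t_hat >= n - 1:
            return switches, outputs


# Constructed sample run (27 samples, δ̂ = 3 samples):
#   k = 5  switching announced by y_d = "s", class "b" identified at k = 7
#   k = 12 silent switching, class "c" identified at k = 14
#   k = 20 switching announced by y_d = "r", class never identified
SAMPLE_YD = [None] * 27
SAMPLE_YD[5], SAMPLE_YD[20] = "s", "r"
SAMPLE_C = (["a"] * 5 + [None] * 2 + ["b"] * 5 + [None] * 2
            + ["c"] * 6 + [None] * 7)
SAMPLE_DELTA_HAT = 3


def demo():
    return output_generator(SAMPLE_YD, SAMPLE_C, SAMPLE_DELTA_HAT)


if __name__ == "__main__":
    print(demo())   # ([7, 14, 23], [('s', 'b'), (None, 'c'), ('r', None)])
```

The third event shows the degradation discussed above: the observer switching time is pushed to t̄ + δ̂ = 23 even though yd announced the switching at 20, and the enriched output carries no class label.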

12.3.2 Location Observer

By construction, under the hypothesis of current location observability for $H_{e,d}$, the discrete output function $\hat y_{e,d}$ allows for the identification of the current discrete state of He, and hence of H, since the point-to-set mapping $f : Q \to 2^{Q_e}$ defined in Chap. 8 is known. The discrete output $\hat y_{e,d}(t)$ is generated by the EOG, and the instants of time at which $\hat y_{e,d}(t)$ is non-null are the switching times of the observer. For the reasons explained in Sect. 12.2.1, the location observer coincides with the state observer $O_{M_e}$ of the FSM $M_e$ associated with He. Let $\hat q_e(t)$ be the state estimated by $O_{M_e}$ at time t. The estimate $\hat q(t)$ of the discrete state of H follows from the equation

$$\hat q(t) = \left\{ i \in Q : f(i) \cap \hat q_e(t) \ne \emptyset \right\}. \qquad (12.38)$$

12.3.3 Continuous Observer

The continuous observer is designed with respect to He. In fact, in the following description we consider the location $\hat q$ of the location observer described in the previous section. The behavior of the hybrid observer, which determines the evolution of the estimate $\hat x(t)$ of the continuous state x(t) of H, is defined as follows:

1. Each observer location $\hat q$ is associated with the continuous dynamics

$$\dot{\hat x}(t) = \hat f_{\hat q}\left(\hat x(t), u(t), y(t)\right) \qquad (12.39)$$

where, by denoting with $Q_{obs} \subset Q_e$ the set of discrete states i of He such that the associated pair $(A_i, C_i)$ is observable, the function $\hat f_{\hat q}$ is defined as follows:

$$\hat f_{\hat q} = \begin{cases} (A_i - G_i C_i)\,\hat x(t) + B_i u(t) + G_i y(t) & \text{if } \hat q = \{i\} \wedge i \in Q_{obs} \\ 0 & \text{otherwise} \end{cases} \qquad (12.40)$$

and the observer gain matrix $G_i \in \mathbb{R}^{n \times p}$ is the design parameter used to set the velocity of convergence in each location $i \in Q_e$ and to ensure the hybrid observer's convergence. If in some time interval $[\hat t_k, \hat t_{k+1})$ the state $\hat q(t)$ is not a singleton, i.e. the current discrete state has not been identified or the dynamical system is not observable, the function $\hat f_{\hat q}$ is such that the continuous observer state $\hat x$ is locked at its value $\hat x(\hat t_k)$.

2. The identity reset is associated with all the location observer transitions, i.e.

$$\hat x(\hat t_k) = \hat x(\hat t_k^-). \qquad (12.41)$$

Differently from the case of current location observability with purely output information, here for each transition of the observer we define an identity reset since there is a delay in the mode identification. The effect of the reset in the system is part of the error due to the mismatch between the modes of the system and of the observer just after the discrete transition.
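The continuous observer (12.39)–(12.41), as an added example that is not code from the book: a constructed two-mode system with hand-chosen gains $G_i$ (constructed so that $A_i - G_iC_i$ is Hurwitz), integrated with explicit Euler. The location estimate $\hat q$ is supplied as a constructed schedule that learns the switching $t_k$ only after a delay $\hat\delta$, so the run shows the regimes discussed in this section: the error decays while the mode is known, the mismatch on $[t_k, \hat t_k)$ re-injects a bounded error, and the error decays again once the observer has switched. The observability test, the locking rule and the identity reset follow (12.40)–(12.41); the mode matrices, gains, switching times and input are all assumptions of the example.

```python
"""Continuous observer (12.39)-(12.41) on a constructed two-mode L_H-system.
Added example; plant, gains and switching schedule are constructed here."""
import math

# Constructed plant: two modes with 2-dimensional state, scalar input and output.
MODES = {
    1: {"A": [[0.0, 1.0], [-2.0, -3.0]], "B": [0.0, 1.0], "C": [1.0, 0.0]},
    2: {"A": [[0.0, 1.0], [-1.0, -1.0]], "B": [0.0, 1.0], "C": [1.0, 0.0]},
}
# Observer gains G_i, chosen by hand so that A_i - G_i C_i is Hurwitz
# (characteristic polynomials s^2 + 10 s + 33 and s^2 + 8 s + 18).
GAINS = {1: [7.0, 10.0], 2: [7.0, 10.0]}


def is_observable(A, C):
    """Membership test for Q_obs: the 2x2 observability matrix [C; CA] is nonsingular."""
    CA = [C[0] * A[0][0] + C[1] * A[1][0], C[0] * A[0][1] + C[1] * A[1][1]]
    return abs(C[0] * CA[1] - C[1] * CA[0]) > 1e-12


def f_hat(qhat, xhat, u, y):
    """The function of (12.40): (A_i - G_i C_i) x̂ + B_i u + G_i y when q̂ = {i}
    with (A_i, C_i) observable; the zero vector otherwise, which locks x̂."""
    if len(qhat) != 1:
        return [0.0, 0.0]
    i = next(iter(qhat))
    A, B, C = MODES[i]["A"], MODES[i]["B"], MODES[i]["C"]
    if not is_observable(A, C):
        return [0.0, 0.0]
    G = GAINS[i]
    innovation = y - (C[0] * xhat[0] + C[1] * xhat[1])
    return [A[r][0] * xhat[0] + A[r][1] * xhat[1] + B[r] * u + G[r] * innovation
            for r in range(2)]


def plant_rhs(q, x, u):
    """Continuous dynamics of H in mode q: dx/dt = A_q x + B_q u."""
    A, B = MODES[q]["A"], MODES[q]["B"]
    return [A[r][0] * x[0] + A[r][1] * x[1] + B[r] * u for r in range(2)]


def error_norm(x, xhat):
    return math.hypot(xhat[0] - x[0], xhat[1] - x[1])


def simulate(t_switch=2.0, delay=0.1, t_end=4.0, dt=1e-3, u=0.5):
    """Plant switches 1 -> 2 at t_switch with identity reset; the location observer
    only learns it at t_hat = t_switch + delay (the elaboration time).  Returns the
    estimation error norm just before t_switch, at t_hat, and at t_end."""
    x, xhat = [1.0, 0.0], [0.0, 0.0]
    t_hat = t_switch + delay
    steps = int(round(t_end / dt))
    errors = []
    for k in range(steps + 1):
        t = k * dt
        q = 1 if t < t_switch - 1e-12 else 2
        qhat = {1} if t < t_hat - 1e-12 else {2}
        errors.append(error_norm(x, xhat))
        if k == steps:
            break
        # Identity reset (12.41): at the observer switch x̂ is carried over unchanged,
        # so no action is needed on xhat; the plant reset here is also the identity.
        C = MODES[q]["C"]
        y = C[0] * x[0] + C[1] * x[1]
        dx = plant_rhs(q, x, u)
        dxh = f_hat(qhat, xhat, u, y)
        x = [x[0] + dt * dx[0], x[1] + dt * dx[1]]
        xhat = [xhat[0] + dt * dxh[0], xhat[1] + dt * dxh[1]]
    k_switch = int(round(t_switch / dt))
    k_hat = int(round(t_hat / dt))
    return {
        "before_switch": errors[k_switch - 1],
        "at_observer_switch": errors[k_hat],
        "end": errors[steps],
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value:.2e}")
```

The error at the observer's switching time is orders of magnitude above the error just before the plant switched, which is the mismatch term the convergence analysis below has to absorb; it decays again afterwards because the gains keep $A_i - G_iC_i$ Hurwitz in every identified mode.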

12.3.4 Observer Convergence

By construction, the composition of the location observer and of the continuous observer forms the hybrid observer OHe of the LH-system He. As in the case of current location observability with purely discrete output information, OHe is an LH-system. As in the case addressed in Sect. 12.2.3, even in the case of mixed information we have that:

Proposition 12.2 Ĥ is an LH-system.

Let us now analyze the convergence properties of the observer OH, which is the composition of the EOG with OHe. The connection of OHe to the given LH-system H through the EOG introduces a delay in the exchange of information, and hence, as already noted, the transitions of H and those of its hybrid observer are not synchronized. The first result shows that exponential convergence of OH is not possible, but OH can be proved to be exponentially ultimately bounded. Exponential convergence can be obtained when closing the loop with a suitable hybrid controller, as shown in the last theorem of this section. Recall that in the analysis we have performed so far, the input u(t) at time t is available at t, but it is an arbitrary value that we cannot control. Hence, u(t) has the role of a measurable disturbance. For k ≥ K, to each switching time $t_k$ of the system corresponds a switching time of the observer, denoted for simplicity with the symbol $\hat t_k$, with $t_k < \hat t_k$. At each $t_k$, with commutation from mode j to mode i, the estimation error is such that

$$\zeta(t_k) = \zeta(t_k^-) + \left(I - R_{(j,i)}\right) x(t_k^-).$$

In general the term $(I - R_{(j,i)})\, x(t_k^-)$ causes an unbounded estimation error at time $\hat t_k$. If the continuous state x(t) is bounded, the term $(I - R_{(j,i)})\, x(t_k^-)$ causes an estimation error that is bounded in norm, but the bound is independent of all the other parameters, such as $\hat\delta$ or D, and it is also independent of the structure and of the parameters of the continuous observer. Moreover, the mismatch between the dynamical systems associated with q(t) = i and $\hat q(t) = j$ during the time interval $[t_k, \hat t_k)$ causes an additional estimation error, which becomes smaller and smaller as $\hat\delta$ tends to zero, if both the continuous state and the continuous input are bounded. In the following theorem, we prove that the above estimation errors are persistent, so that exponential ultimate boundedness of the hybrid observer OH can be obtained but not exponential convergence.

Theorem 12.3 Given an LH-system H, suppose that He is current location observable with purely discrete output information. Suppose that the pair $(A_i, C_i)$ is observable for all i ∈ Q. Moreover, suppose that $\|x(t)\| \le \beta_x$, $\|u(t)\| \le \beta_u$, ∀t ≥ 0, for some $\beta_x$ and $\beta_u$ in $\mathbb{R}$. Then, for any $\hat\delta \in (0, D)$ and for any rate of convergence μ ≥ 0 there exist matrices $G_i$, i ∈ Q, such that the hybrid observer OH is exponentially ultimately bounded with rate of convergence $\bar\mu \ge \mu$.

Proof Since He is current location observable, for an infinite execution let K and $t_K$ be as in Remark 12.1. The discrete state is identified for all $t \ge t_K$. For an execution with L − K = 1 the result obviously follows. Let L − K > 1 and consider the switching times $t_k$ and $t_{k+1}$ with k − 1 ≥ K and k < L.
Suppose that $\hat q(t) = \{j\}$, $\forall t \in [\hat t_{k-1}, \hat t_k)$ and $\hat q(t) = \{i\}$, $\forall t \in [\hat t_k, \hat t_{k+1})$. For simplicity, we will start with identity reset. For $t \in [\hat t_{k-1}, \hat t_k)$ the continuous observer is described by the equation

$$\dot{\hat x}(t) = A_j \hat x(t) - G_j\left(C_j \hat x(t) - y(t)\right) + B_j u(t).$$

Since q(t) = j, $\forall t \in [t_{k-1}, t_k)$ and q(t) = i, $\forall t \in [t_k, t_{k+1})$, by denoting the estimation error with $\zeta(t) = \hat x(t) - x(t)$, the error dynamics is described by

$$\dot\zeta(t) = \left(A_j - G_j C_j\right)\zeta(t), \qquad t \in [\hat t_{k-1}, t_k)$$

$$\dot\zeta(t) = \left(A_j - G_j C_j\right)\zeta(t) + v_{ji}(t), \qquad t \in [t_k, \hat t_k)$$

where

$$v_{ji}(t) = \left[\left(A_j - A_i\right) - G_j\left(C_j - C_i\right)\right] x(t) + \left(B_j - B_i\right) u(t)$$

and

$$\zeta(\hat t_k) = \zeta(\hat t_k^-).$$

By Lemma 12.2, for all δ > 0 there exist a gain $G_j$ and a sufficiently large $\mu_j \ge \mu$ such that

$$\left\| e^{(A_j - G_j C_j)(t - \hat t_{k-1})} \right\| \le \delta\, e^{-\mu_j\left((t - \hat t_{k-1}) - \tau\right)}, \qquad \forall t \ge \hat t_{k-1} \qquad (12.42)$$

with $\tau = D - \hat\delta$. Let $\bar\mu$ be such that (12.42) holds for all j ∈ Q. Therefore in the interval $[\hat t_{k-1}, t_k)$ we will have

$$\|\zeta(t)\| \le \delta\, e^{-\bar\mu\left((t - \hat t_{k-1}) - \tau\right)} \|\zeta(\hat t_{k-1})\| \qquad (12.43)$$

and in the interval $[t_k, \hat t_k)$

$$\|\zeta(t)\| \le \delta\, e^{-\bar\mu\left((t - \hat t_{k-1}) - \tau\right)} \|\zeta(\hat t_{k-1})\| + \gamma_{ji} \qquad (12.44)$$

where $\gamma_{ji}$ represents the effect of the mismatch disturbance $v_{ji}(t)$, which is bounded because of the boundedness assumption on x and u. Since Q is finite, there exists a bound γ not depending on the modes. By selecting $\delta = e^{-\mu(D - \hat\delta)}$, since $\bar\mu \ge \mu$, $(t - \hat t_{k-1}) - \tau \le 0$ for $t \in [\hat t_{k-1}, \hat t_{k-1} + (D - \hat\delta))$ and $(t - \hat t_{k-1}) - \tau \ge 0$ for $t \in [\hat t_{k-1} + (D - \hat\delta), \hat t_k)$, by substituting for τ we have

$$\|\zeta(t)\| \le e^{(\bar\mu - \mu)(D - \hat\delta)} \|\zeta(\hat t_{k-1})\|, \qquad t \in [\hat t_{k-1}, \hat t_{k-1} + (D - \hat\delta)) \qquad (12.45)$$

and

$$\|\zeta(t)\| \le e^{-\mu(t - \hat t_{k-1})} \|\zeta(\hat t_{k-1})\| + \gamma, \qquad t \in [\hat t_{k-1} + (D - \hat\delta), \hat t_k). \qquad (12.46)$$

Then, by recursion, from (12.46)

$$\|\zeta(\hat t_{k+1})\| \le e^{-\mu(\hat t_{k+1} - \hat t_k)} \|\zeta(\hat t_k)\| + e^{-\mu(\hat t_{k+1} - \hat t_k)}\gamma + \gamma$$

and since $\hat t_{k+1} - \hat t_k \ge D$ then

$$\|\zeta(\hat t_{k+1})\| \le e^{-\mu(\hat t_{k+1} - \hat t_k)} \|\zeta(\hat t_k)\| + e^{-\mu D}\gamma + \gamma. \qquad (12.47)$$

Therefore

$$\|\zeta(t)\| \le e^{(\bar\mu - \mu)(D - \hat\delta)} \left( e^{-\mu(t - t_K)} \|\zeta(t_K)\| + \frac{\gamma}{1 - e^{-\mu D}} \right) \qquad (12.48)$$

and the proof is complete for the case of identity reset. The case of nonidentity reset can be easily addressed by considering the effect of the free evolution of the system S(i) in the interval $[t_k, \hat t_k)$, starting from the state $(I - R_{(j,i)})\, x(t_k)$ at time $t_k$. This effect can be represented by a value $\gamma_R$ which, as γ, is independent of the current mode. Therefore the ultimate bound in the general case is

$$b = e^{(\bar\mu - \mu)(D - \hat\delta)}\, \frac{\gamma + \gamma_R}{1 - e^{-\mu D}}. \qquad (12.49)$$

□

As expected from the discussion at the beginning of this section, the ultimate bound (12.49) is the sum of two terms. The first one requires the computation of γ (see (12.44)). The value of γ depends on the bounds $\beta_x$ and $\beta_u$ and on $\hat\delta$. If $\hat\delta$ tends to zero, then γ tends to zero. The second term of the sum in (12.49) can be computed, given $\beta_x$. It is equal to zero in the case of identity reset matrices. For both terms, if there is no bound on the continuous state of the system, the estimation error is unbounded for any design of the continuous observer. However, we now show that a separation principle holds for hybrid systems, i.e. that the observer may be used to asymptotically stabilize a hybrid system by means of a dynamic feedback controller from the estimated hybrid state. This will also prove the exponential convergence of the hybrid observer when considered in the feedback loop, without the need for a boundedness assumption on the state.

Given the parameters D and $\hat\delta$, let $\bar D > 0$ be such that $\hat\delta + \bar D < D$. Given OH and its switching times $\hat t_k$, let us define the continuous input as

$$u(t) = \bar K_{\hat q(t)}\, \hat x(t), \qquad t \in [\hat t_k, \hat t_k + \bar D)$$

$$u(t) = K_{\hat q(t)}\, \hat x(t), \qquad t \in [\hat t_k + \bar D, \hat t_{k+1}) \qquad (12.50)$$

where we set $\bar K_{\hat q(t)} = K_{\hat q(t)} = 0$ if $\hat q(t)$ is not a singleton. In defining u(t), the time interval $[\hat t_k, \hat t_{k+1})$ is split into two sub-intervals. We define the continuous state observer accordingly:

$$\dot{\hat x}(t) = A_i \hat x(t) - \bar G_i\left(C_i \hat x(t) - y(t)\right) + B_i u(t), \qquad t \in [\hat t_k, \hat t_k + \bar D)$$

$$\dot{\hat x}(t) = A_i \hat x(t) - G_i\left(C_i \hat x(t) - y(t)\right) + B_i u(t), \qquad t \in [\hat t_k + \bar D, \hat t_{k+1}). \qquad (12.51)$$

As we will show in the proof of the next theorem, in the first sub-interval the gains are designed to compensate the error due to the mode mismatch between H and OH in the interval $[t_k, \hat t_k)$. In the second one, the gains are designed to obtain exponential convergence to the origin both of the continuous state of H and of the estimation error. Let us denote with Hc the closed loop system obtained by composing H and OH (with continuous state observer as in (12.51)) controlled with u(t) as in (12.50). It can be easily verified that the system Hc is an autonomous LH-system where the continuous state at time t is

$$\begin{bmatrix} x(t) \\ \hat x(t) \end{bmatrix}. \qquad (12.52)$$

We prove the following result:

Theorem 12.4 Given an LH-system H, suppose that He is current location observable with purely output information and suppose that the pair $(A_i, C_i)$ is observable and the pair $(A_i, B_i)$ is controllable for all i ∈ Q. Moreover, suppose that δ(i) > D for all i ∈ Q. Then for all reals $\hat\delta \in (0, D)$, $\bar D \in (0, D - \hat\delta)$ and μ > 0 there exist matrices $G_i$, $\bar G_i$, $K_i$, $\bar K_i$, i ∈ Q, such that, for all initial hybrid states, the continuous state of Hc satisfies the following two conditions, for some real c ≥ 0, $\forall t \ge t_K$:

$$\|\hat x(t) - x(t)\| \le c\, \|\hat x(t_K) - x(t_K)\|\, e^{-\bar\mu t} \qquad (12.53)$$

and

$$\|x(t)\| \le c\, \|x(t_K)\|\, e^{-\bar\mu t} \qquad (12.54)$$

with rate of convergence $\bar\mu \ge \mu$.

Proof Since He is current location observable, for an infinite execution let K and $t_K$ be as in Remark 12.1. The discrete state is identified for all $t \ge t_K$. Let us consider the time intervals $[t_{k-1}, t_k)$ and $[t_k, t_{k+1})$, k − 1 ≥ K and k < L, where switching (j, i) occurs at $t_k$, i.e. at $t_k^-$ the mode of He is j and for $t \in [t_k, t_{k+1})$ the mode is i. At $\hat t_k$ the current mode i is estimated by the EOG. Therefore in the interval $[\hat t_{k-1}, \hat t_k)$ the state of the location observer is the singleton {j} and in the interval $[\hat t_k, \hat t_{k+1})$ it is {i}, where $\hat t_{k+1} - t_{k+1} \le \hat\delta$. The time evolution of the continuous state of Hc for $t \ge t_K$ is described as follows:

• $t \in [t_k, \hat t_k)$

$$\begin{bmatrix} \dot x(t) \\ \dot z(t) \end{bmatrix} = \begin{bmatrix} A_i & B_i K_j \\ G_j C_i & A_j + B_j K_j - G_j C_j \end{bmatrix} \begin{bmatrix} x(t) \\ z(t) \end{bmatrix} \qquad (12.55)$$

with $x(t_k) = R_{(j,i)}\, x(t_k^-)$, $z(t_k) = z(t_k^-)$.

• $t \in [\hat t_k, \hat t_k + \bar D)$

$$\begin{bmatrix} \dot x(t) \\ \dot z(t) \end{bmatrix} = \begin{bmatrix} A_i & B_i \bar K_i \\ \bar G_i C_i & A_i + B_i \bar K_i - \bar G_i C_i \end{bmatrix} \begin{bmatrix} x(t) \\ z(t) \end{bmatrix}$$

with $x(\hat t_k) = x(\hat t_k^-)$, $z(\hat t_k) = z(\hat t_k^-)$ and, by setting $\zeta(t) = z(t) - x(t)$,

$$\begin{bmatrix} \dot x(t) \\ \dot\zeta(t) \end{bmatrix} = \begin{bmatrix} A_i + B_i \bar K_i & B_i \bar K_i \\ 0 & A_i - \bar G_i C_i \end{bmatrix} \begin{bmatrix} x(t) \\ \zeta(t) \end{bmatrix} \qquad (12.56)$$

with $x(\hat t_k) = x(\hat t_k^-)$, $\zeta(\hat t_k) = z(\hat t_k^-) - x(\hat t_k^-)$.

• $t \in [\hat t_k + \bar D, t_{k+1})$

$$\begin{bmatrix} \dot x(t) \\ \dot\zeta(t) \end{bmatrix} = \begin{bmatrix} A_i + B_i K_i & B_i K_i \\ 0 & A_i - G_i C_i \end{bmatrix} \begin{bmatrix} x(t) \\ \zeta(t) \end{bmatrix} \qquad (12.57)$$

with $x(\hat t_k + \bar D) = x\left((\hat t_k + \bar D)^-\right)$, $\zeta(\hat t_k + \bar D) = \zeta\left((\hat t_k + \bar D)^-\right)$.

Let us consider Eq. (12.57). Given $\bar D$ and μ, let $\gamma = e^{-\mu \bar D}$. Given any $\bar D \in (0, D - \hat\delta)$ and $(A_i, B_i, C_i)$, i ∈ Q, from Lemma 12.2 there exist gains $G_i$ and $K_i$ such that ∀i ∈ Q

$$\left\| \begin{bmatrix} x(t) \\ \zeta(t) \end{bmatrix} \right\| \le \gamma\, e^{-\mu\left((t - (\hat t_k + \bar D)) - \tau\right)} \left\| \begin{bmatrix} x(\hat t_k + \bar D) \\ \zeta(\hat t_k + \bar D) \end{bmatrix} \right\|$$

with $\tau = D - (\hat\delta + \bar D)$ and $t \in [\hat t_k + \bar D, t_{k+1})$. Then,

$$\left\| \begin{bmatrix} x(t_k^-) \\ z(t_k^-) \end{bmatrix} \right\| \le 2 \left\| \begin{bmatrix} x(t_k^-) \\ \zeta(t_k^-) \end{bmatrix} \right\|$$

and there exists α > 0 such that

$$\left\| \begin{bmatrix} x(\hat t_k^-) \\ z(\hat t_k^-) \end{bmatrix} \right\| \le \alpha \left\| \begin{bmatrix} x(t_k^-) \\ z(t_k^-) \end{bmatrix} \right\| \le 2\alpha \left\| \begin{bmatrix} x(t_k^-) \\ \zeta(t_k^-) \end{bmatrix} \right\|$$

∀(j, i) ∈ E. Hence,

$$\left\| \begin{bmatrix} x(\hat t_k^-) \\ \zeta(\hat t_k^-) \end{bmatrix} \right\| \le 4\alpha \left\| \begin{bmatrix} x(t_k^-) \\ \zeta(t_k^-) \end{bmatrix} \right\|. \qquad (12.58)$$

By Lemma 12.2, ∀i ∈ Q there exist $\bar G_i$ and $\bar K_i$ such that

$$\left\| \begin{bmatrix} x\left((\hat t_k + \bar D)^-\right) \\ \zeta\left((\hat t_k + \bar D)^-\right) \end{bmatrix} \right\| \le \left\| \begin{bmatrix} x(\hat t_k^-) \\ \zeta(\hat t_k^-) \end{bmatrix} \right\|.$$

Therefore, from (12.58),

$$\left\| \begin{bmatrix} x(t_{k+1}^-) \\ \zeta(t_{k+1}^-) \end{bmatrix} \right\| \le \left\| \begin{bmatrix} x(\hat t_k^-) \\ \zeta(\hat t_k^-) \end{bmatrix} \right\| \gamma\, e^{-\mu(t_{k+1} - \hat t_k)}$$

and, recalling that $\hat t_k - t_k \le \hat\delta$,

$$\left\| \begin{bmatrix} x(t_{k+1}^-) \\ \zeta(t_{k+1}^-) \end{bmatrix} \right\| \le \left\| \begin{bmatrix} x(t_k^-) \\ \zeta(t_k^-) \end{bmatrix} \right\| e^{-\mu(t_{k+1} - t_k - \hat\delta)}$$

and hence the result follows. □

The case of a current location observable LH-system with purely discrete output information and with output feedback controller can be retrieved by setting $t_k = \hat t_k$, k ≥ K and $\hat\delta = \bar D = 0$ in the result above, obtaining also in this case exponential convergence to the origin of the system and of the observer state trajectories.

12.4 Notes and Further Reading

In this chapter, we presented a design methodology based on [7, 8] for dynamical observers of hybrid systems with linear continuous-time dynamics. The interested reader may find in [7] an extension of the results presented here to the case where bounded disturbances are present. The proposed method allows addressing observer synthesis for hybrid systems with partial discrete information on the current location, spanning the gap between the case of complete knowledge of the current location (i.e. the hybrid plant produces as discrete output its current location), treated for instance in [4], and the case of absence of any discrete output information (i.e. the hybrid plant produces no discrete output), considered in [10, 22]. When the discrete output information is not sufficient to identify the hybrid system location, the processing of the continuous plant input/output signals in the EOG (Enriched Output Generator) is independent of the continuous state observation process. This is different from previous approaches (see e.g. [25, 33]) where the estimated values of the plant continuous state were used to supply the missing information for the identification of the plant location. The approach presented in this chapter allows for separate tuning of the EOG and the continuous observer. This aspect is quite appealing since the EOG has in general to provide discrete information with fast transients regardless of possible overshoots, while the continuous observer has to produce a smooth estimate of the continuous state with low sensitivity to noise. The proofs of Theorems 12.2, 12.3 and 12.4 are based on the so-called Squashing Lemma, published in [36]. The results of [36] were refined in [16, 17, 26] with tighter bound evaluations that could be useful in obtaining a better estimation error for the continuous observer, without affecting the results offered in this chapter. Exponential stabilization of the continuous observation error dynamics is obtained by extending the results of [24, 32] to the class of LH-systems with dwell-time and resets. In order to overcome the boundedness assumptions of Theorem 12.3, output feedback control of LH-systems is used in Theorem 12.4. A limited number of contributions is available on output-feedback control in the hybrid systems framework. The interested reader is referred e.g. to [2, 3, 5, 9, 12, 14, 18, 28, 43]. The state observer design problem has been the subject of intensive study for many years by both the computer science and the control community in the discrete domain (see [13, 35, 38]), by the control community in the continuous domain (see the pioneering work of [1, 27, 29]), and in the hybrid system domain (e.g. see [11, 21, 25, 30, 33, 34, 37, 39, 41, 45–47]). In particular, in [37], switching linear systems without reset are considered. Conditions are given for the existence of an observer based on the existence of a Lyapunov function that is common to the components of the system. In [41], observability for switching systems with reset is geometrically characterized (see also [40], where this approach was used first). By assuming that the current discrete state is known, an observer is designed which generates a state estimate that converges to the actual state under persistent switching and under some hypotheses on the discrete state evolution. The problem of designing an observer that reconstructs the continuous and discrete states for a particular class of switched linear systems is also addressed in [31]. In [20] conditions are given for the convergence of a switching Luenberger-like observer for detectable switching systems. A design methodology for observers for mixed logical dynamical (MLD) systems was presented in [10] (see also [22]). This approach may be applicable to any hybrid system that can be approximated by an MLD system. However, even if a hybrid system could be well approximated by an MLD system, when "the observability horizon becomes large, solving the optimization problem can become computationally intractable" [10].

References

1. Ackerson GA, Fu KS (1970) On state estimation in switching environments. IEEE Trans Autom Control 15(1):10–17
2. Alessandri A, Bedouhene F, Bouhadjra D, Zemouche A, Bagnerini P (2021) Observer-based control for a class of hybrid linear and nonlinear systems. Discrete Contin Dyn Syst Ser S 14(4):1213–1231
3. Alessandri A, Bedouhene F, Khelouf H, Zemouche A (2013) Output feedback control for discrete-time linear systems by using Luenberger observers under unknown switching. In: Proceedings of the 52nd IEEE conference on decision and control, Florence, Italy, pp 5321–5326
4. Alessandri A, Coletta P (2001) Switching observers for continuous-time and discrete-time linear systems. In: Proceedings of the American control conference, Arlington, VA, USA, pp 2516–2521
5. Baglietto M, Battistelli G, Tesi P (2013) Stabilization and tracking for switching linear systems under unknown switching sequences. Syst & Control Lett 62:11–21
6. Balluchi A, Benvenuti L, Di Benedetto MD, Sangiovanni-Vincentelli A (2012) The design of dynamical observers for hybrid systems: theory and application to an automotive control problem. Technical Report, Dipartimento di Informatica e Sistemistica Antonio Ruberti, pp 1–34
7. Balluchi A, Benvenuti L, Di Benedetto MD, Sangiovanni-Vincentelli A (2013) The design of dynamical observers for hybrid systems: theory and application to an automotive control problem. Automatica 49:915–925
8. Balluchi A, Benvenuti L, Di Benedetto MD, Sangiovanni-Vincentelli AL (2002) Design of observers for hybrid systems. In: Tomlin CJ, Greenstreet MR (eds) Hybrid systems: computation and control. Lecture notes in computer science, vol 2289. Springer, Berlin, pp 76–89
9. Bejarano FJ, Mera M (2020) Robust Luenberger-like observer for control of linear switched systems under arbitrary unknown switched function. Asian J Control 1–10
10. Bemporad A, Ferrari-Trecate G, Morari M (2000) Observability and controllability of piecewise affine and hybrid systems. IEEE Trans Autom Control 45(10):1864–1876
11. Bernard P, Sanfelice RG (2020) On notions of detectability and observers for hybrid systems. In: Proceedings of the 59th conference on decision and control (CDC), pp 5767–5772
12. Blanchini F, Miani S, Mesquine F (2009) A separation principle for linear switching systems and parametrization of all stabilizing controllers. IEEE Trans Autom Control 54(2):279–292
13. Caines PE, Greiner R, Wang S (1988) Dynamical logic observers for finite automata. In: Proceedings of the 27th conference on decision and control, Austin, TX, pp 226–233
14. Caravani P, De Santis E (2009) Observer-based stabilization of linear switching systems. Int J Robust Nonlinear Control 19(14):1541–1563
15. Cassandras CG, Lafortune S (1999) Introduction to discrete event systems. Kluwer Academic Publishers, Dordrecht
16. Cheng D, Guo L, Lin Y, Wang Y (2004) A note on overshoot estimation in pole placement. J Control Theory Appl 2(2):161–164
17. Cheng D, Guo L, Lin Y, Wang Y (2005) Erratum to: a note on overshoot estimation in pole placement. J Control Theory Appl 3(3):258
18. Cheng D, Guo L, Lin Y, Wang Y (2005) Stabilization of switched linear systems. IEEE Trans Autom Control 50(5):661–666
19. Courcoubetis C, Vardi M, Wolper P, Yannakakis M (1992) Memory-efficient algorithms for the verification of temporal properties. Formal Methods Syst Design 1(2–3):275–288
20. De Santis E, Di Benedetto MD (2005) Design of Luenberger-like observers for detectable switching systems. In: Proceedings of the 2005 IEEE international symposium on intelligent control, Limassol, Cyprus, pp 30–35
21. De Santis E, Di Benedetto MD, Pola G (2009) A structural approach to detectability for a class of hybrid systems. Automatica 45:1202–1206
22. Ferrari-Trecate G, Mignone D, Morari M (2002) Moving horizon estimation for hybrid systems. IEEE Trans Autom Control 47(10):1663–1676
23. Grieves M (2014) Digital twin: manufacturing excellence through virtual factory replication. Digital Twin White Paper
24. Hespanha JP, Morse AS (1999) Stability of switched systems with average dwell-time. In: Proceedings of the 38th IEEE conference on decision and control, Phoenix, AZ, USA, pp 2654–2660
25. Hofbaur MW, Williams BC (2002) Mode estimation of probabilistic hybrid systems. In: Tomlin CJ, Greenstreet MR (eds) Hybrid systems: computation and control 2002. Lecture notes in computer science, vol 2289. Springer, Berlin, pp 253–266
26. Ji Z, Guo X, Chandra V, Xu S (2007) A further note on overshoot estimation in pole placements. J Control Theory Appl 5:57–59
27. Kalman RE (1960) A new approach to linear filtering and prediction problems. Trans ASME – J Basic Eng 35–45
28. Li ZG, Wen CY, Soh YC (2003) Observer-based stabilization of switching linear systems. Automatica 39(3):517–524
29. Luenberger DG (1971) An introduction to observers. IEEE Trans Autom Control 16(6):596–602
30. McIlraith S, Biswas G, Clancy D, Gupta V (2000) Hybrid systems diagnosis. In: Lynch N, Krogh BH (eds) Hybrid systems: computation and control. Lecture notes in computer science, vol 1790. Springer, Berlin, pp 282–295
31. Mincarelli D, Pisano A, Floquet T, Usai E (2016) Uniformly convergent sliding mode-based observation for switched linear systems. Int J Robust Nonlinear Control 26(7):1549–1564
32. Morse AS (1996) Supervisory control of families of linear set-point controllers – part 1: exact matching. IEEE Trans Autom Control 41(10):1413–1431
33. Mosterman PJ, Biswas G (1999) Building hybrid observers for complex dynamic systems using model abstractions. In: Vaandrager F, van Schuppen J (eds) Hybrid systems: computation and control. Lecture notes in computer science, vol 1569. Springer, Berlin, pp 178–192
34. Narasimhan S, Biswas G, Karsai G, Pasternak T, Zhao F (2000) Building observers to address fault isolation and control problems in hybrid dynamic systems. In: Proceedings of the IEEE international conference on systems, man, and cybernetics, Nashville, TN, USA, pp 2393–2398
35. Ozveren CM, Willsky AS (1990) Observability of discrete event dynamic systems. IEEE Trans Autom Control 35(7):797–806
36. Pait FM, Morse AS (1994) A cyclic switching strategy for parameter-adaptive control. IEEE Trans Autom Control 39(6):1172–1183
37. Pettersson S (2006) Designing switched observers for switched systems using multiple Lyapunov functions and dwell-time switching. In: Proceedings of the 2nd IFAC conference on analysis and design of hybrid systems, pp 18–23
38. Ramadge PJ (1986) Observability of discrete event systems. In: Proceedings of the 25th IEEE conference on decision and control, Athens, Greece, pp 1108–1112
39. Ríos H, Dávila J, Teel AR (2020) State estimation for linear hybrid systems with periodic jumps and unknown inputs. Int J Robust Nonlinear Control 30:5966–5988
40. Tanwani A, Shim H, Liberzon D (2011) Observability implies observer design for switched linear systems. In: Proceedings of the ACM conference hybrid systems: computation and control, pp 3–12
41. Tanwani A, Shim H, Liberzon D (2015) Observer design for switched linear systems with state jumps. In: Djemai M, Defoort M (eds) Hybrid dynamical systems. Lecture notes in control and information sciences, vol 457. Springer, Berlin, pp 179–204
42. Tripakis S, Altisen K (1999) On-the-fly controller synthesis for discrete and dense-time systems. In: Proceedings of the world congress on formal methods development. Lecture notes in computer science, vol 1708, pp 233–252
43. Vale J, Miller D (2010) Step tracking in the presence of persistent plant changes. IEEE Trans Autom Control 56(1):43–58
44. Van Loan C (1977) The sensitivity of the matrix exponential. SIAM J Numer Anal 14(6):971–981
45. Vázquez CR, Gómez-Gutiérrez D, Ramírez-Teviño A (2017) Observer synthesis for linear hybrid systems with constrained discrete dynamics. Nonlinear Anal: Hybrid Syst 26:254–273
46. Vázquez CR, Gómez-Gutiérrez D, Ramírez-Teviño A (2020) Observer design for linear hybrid systems with unknown inputs and Petri-net discrete dynamics. Nonlinear Anal: Hybrid Syst 36
47. Zhang J, Johansson KH, Lygeros J, Sastry S (2001) Zeno hybrid systems. Int J Robust Nonlinear Control 11:435–451

Chapter 13

Some Applications to Automotive Control

In this chapter, we describe two automotive control applications of the hybrid-observer design methodology illustrated in the previous chapter. We first consider the problem of on-line identification of the actual engaged gear for a car. The relevance of this problem is related to engine control strategies achieving high performance and efficient emissions control, which depend critically on the knowledge of the engaged gear. The problem is solved by designing a hybrid observer for the driveline, which is modeled as a hybrid system where the engaged gear and connection clutch state are represented as discrete states. As a second example of application, we consider the task of controlling the elastic behavior of the driveline during fast engine-torque transients to minimize driveline oscillations. Efficient control can be achieved by full state feedback. However, among the driveline state variables, only the crankshaft speed is available. The driveline torsion angle and the wheel revolution speed are estimated by means of a hybrid observer.

13.1 On-Line Identification of Engaged Gear

This section is based on [3, 5, 6]. We consider the problem of on-line identification of the actual engaged gear for a car. The relevance of this problem is related to engine control strategies achieving high performance and efficient emissions control, which depend critically on the knowledge of the engaged gear. In fact, this information is necessary in engine torque control to compensate the equivalent inertia of the vehicle on the crankshaft. The actual engaged gear is usually identified by comparing the revolution speed of the wheels with the revolution speed of the crankshaft. However, since both speeds are affected by oscillations due to the elasticity of the transmission shafts and the tires, this approach implies large time delays and may produce significant errors. Here, we present a solution based on a hybrid model of the driveline in which the engaged gear and connection clutch state are represented as discrete states (see [6] for details).

© Springer Nature Switzerland AG 2023 E. De Santis and M. D. Di Benedetto, H-Systems, Communications and Control Engineering, https://doi.org/10.1007/978-3-031-20447-0_13

Fig. 13.1 Scheme of the driveline model: crankshaft, clutch plates, gear, driveline equivalent elasticity, vehicle inertia and road, with the speeds ωe(t), ωc(t) and ωw(t) (Reprinted from Automatica, Vol. 49, A. Balluchi, L. Benvenuti, M. D. Di Benedetto, and A. Sangiovanni Vincentelli, The design of dynamical observers for hybrid systems: Theory and application to an automotive control problem, pp. 915–925, Copyright (2013), with permission from Elsevier)

The model of the driveline is represented as two main inertias (the crankshaft and the vehicle chassis) connected by an elasticity, a gear and a clutch, as depicted in Fig. 13.1. Since the gear engages different gear ratios and the clutch can be in different operating modes (locked, open or slipping), the behavior of the driveline is described by a hybrid model H where the engaged gear and connection clutch state are represented as discrete states. In more detail, the model H has 7 locations, i.e. Q = {q1, q2, q3, q4, q5, qR, qN}, where the locations qi, for i = 1, ..., 5, correspond to the ith gear engaged and clutch locked, location qR models reverse gear engaged and clutch locked, and location qN represents either driveline open (idle gear and/or clutch open) or clutch slipping. The connection pressure of the clutch plates Pc(t) and the torque generated by the engine Te(t) are the continuous inputs. The position of the gear lever, denoted lever ∈ {1, 2, 3, 4, 5, R, N}, produces the discrete transitions. Moreover, the torque acting on the wheels Tw(t) is unknown and must be considered as a continuous-time input disturbance. The continuous state variables are the driveline torsion angle α(t), the crankshaft revolution speed ωe(t), the clutch revolution speed ωc(t) and the wheel revolution speed ωw(t). When the clutch is locked, ωe(t) = ωc(t) and the crankshaft transmits to the driveline the torque

$$T_c(t) = k_i\,\alpha(t) + b_i\left(\omega_e(t) - \frac{\omega_w(t)}{\tau_i}\right) \qquad (13.1)$$

where τi is the transmission ratio, while ki and bi are the driveline equivalent elasticity and damping coefficients, respectively, for the ith engaged gear. The clutch remains locked until the transmitted torque Tc(t) exceeds the static friction capacity μs Pc(t), where μs is the static friction coefficient. The continuous dynamics in location qi, with i = 1, ..., 5, and in qR is described by the third-order linear system

$$\dot{x}(t) = A_i\, x(t) + B\, u(t) + F\, d(t), \qquad y(t) = C\, x(t) \qquad (13.2)$$

where u(t) = Te(t), d(t) = Tw(t),

$$x(t) = \begin{pmatrix} \alpha(t) \\ \omega_e(t) \\ \omega_w(t) \end{pmatrix}, \qquad y(t) = \begin{pmatrix} \omega_e(t) \\ \omega_w(t) \end{pmatrix}.$$

The matrices are defined as follows

$$A_i = \begin{pmatrix} 0 & 1 & -\dfrac{1}{\tau_i} \\[6pt] -\dfrac{k_i}{j_e} & -\dfrac{b_e + b_i}{j_e} & \dfrac{b_i}{\tau_i j_e} \\[6pt] \dfrac{k_i}{\tau_i j_w} & \dfrac{b_i}{\tau_i j_w} & -\dfrac{\tau_i b_w + b_i}{\tau_i j_w} \end{pmatrix}, \qquad B = \begin{pmatrix} 0 \\[4pt] \dfrac{1}{j_e} \\[4pt] 0 \end{pmatrix} \qquad (13.3)$$

$$F = \begin{pmatrix} 0 \\ 0 \\ -\dfrac{1}{j_w} \end{pmatrix}, \qquad C = \begin{pmatrix} 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix} \qquad (13.4)$$

where je is the crankshaft inertia, jw the vehicle equivalent inertia, bw the driveline equivalent viscous coefficient, and be the crankshaft viscous coefficient. The continuous dynamics in location qN depends on the clutch state (open or slipping) and, when the clutch is slipping, also on the engaged gear. The FSM M describing the discrete dynamics of H is depicted in Fig. 13.2. The transitions are caused by the internal discrete inputs ai, with i ∈ {1, ..., 5, R}, and by the exogenous input event b. In particular, the event b is generated when the following condition holds:

$$P_c(t) = 0 \;\vee\; |T_c(t)| > \mu_s P_c(t) \;\vee\; \text{lever} = N \qquad (13.5)$$

and the events ai when the following condition is verified:

$$\omega_e(t) = \omega_c(t) \;\wedge\; |T_c(t)| \le \mu_s P_c(t) \;\wedge\; \text{lever} = i. \qquad (13.6)$$

Since the engaged gear and connection clutch state are represented as discrete states, the on-line identification of the actual engaged gear corresponds to the identification of the current location of the driveline hybrid model H, while we are not interested here in the estimation of the continuous state of H. Moreover, the events causing discrete transitions are not measurable and no discrete output is associated with the discrete states. Therefore, the hybrid model H does not provide any discrete output signal and, as a consequence, it is not current location observable using only discrete output information. Hence, the hybrid observer design consists in the construction of the Extended Output Generator (EOG) (as defined in Chap. 12) and of the location observer for the composition of the driveline hybrid model H and the EOG, i.e. for the hybrid system He. The simplified structure of the hybrid observer to be considered for this case is shown in Fig. 13.3. As will be clear in the sequel, our focus will be on the EOG design, since if He turns out to be current location observable by purely discrete information, the location observer design becomes a trivial task.

Fig. 13.2 The FSM M associated with the driveline hybrid model H (the events causing the transitions are not measurable): locations 1, ..., 5, R and N, with transitions labelled by the events a1, ..., a5, aR and b (Reprinted from Automatica, Vol. 49, A. Balluchi, L. Benvenuti, M. D. Di Benedetto, and A. Sangiovanni Vincentelli, The design of dynamical observers for hybrid systems: Theory and application to an automotive control problem, pp. 915–925, Copyright (2013), with permission from Elsevier)

13.1.1 Design of the Hybrid Observer

A Class Detector must be designed to produce the signals c(t) described in Chap. 12, by processing the available inputs and outputs of H, i.e. the measure of the crankshaft revolution speed ωe(t), the measure of the wheel revolution speed ωw(t) and an estimate T̄e(t) of the mean value of the engine torque Te(t). These signals, processed as described in Sect. 12.3.1 of Chap. 12, result in the outputs ye,d(t) in Fig. 13.3, generated by the Output Generator. These functions take a value different from  only at switching times. Therefore, for the sake of simplicity, we represent them by abstracting time as discrete outputs, denoted by s1, s2, ..., s5, sR and sN, which are the inputs to the location observer.

Fig. 13.3 Simplified hybrid observer for engaged gear identification: the Hybrid System, with input u(t) and output y(t), feeds the Class Detector (output c(t)), the Output Generator (output ye,d(t)) and the Location Observer (output q(t)). The EOG is represented inside the magenta dashed box

By applying condition (7.10) of Theorem 7.1, it is easy to check that the dynamics (13.2) are input-generic distinguishable. Therefore, by Proposition 7.13, the EOG will indeed generate the signals that allow the identification of the discrete state, i.e. the engaged gear. The compound FSM Me associated with the composition of the hybrid model H and the EOG is shown in Fig. 13.4. If the EOG generates the discrete outputs s1, ..., s5, sR, sN when it detects the transitions to locations q1, ..., q5, qR, qN, respectively, then the introduction of the outputs generated by the EOG makes the FSM Me current location observable. The observer OMe for the FSM Me is depicted in Fig. 13.5. We now illustrate how the EOG is implemented. The proposed scheme is depicted in Fig. 13.6. Each discrete output s1, s2, ..., s5, sR is generated independently from the others by using three cascaded blocks: a Residual Generator, a Decision Function and an Event Generator.

The ith residual generator produces a residual signal r̂i(t) converging to zero when the hybrid system is in location i. A simple and reliable approach for this purpose is to use a Luenberger observer, tuned on the continuous-time dynamics associated with location i:

$$\dot{z}_i(t) = (A_i - L_i C)\, z_i(t) + B\, u(t) + L_i\, y(t), \qquad \hat{r}_i(t) = C\, z_i(t) - y(t)$$

where the Li are design parameters. If the hybrid system is in location i, then the residual r̂i(t) converges to zero with a rate adjustable by Li (see Sect. 7.4.2). Such a residual r̂i(t) is affected by several unknown disturbances:

– the quantization error and the delay on the measurements of ωe(t) and ωw(t);
– the mismatch between the actual continuous-time and pulsating engine torque u(t) = Te(t) and its estimate T̄e(t) used as input to the Luenberger observers;
– the non-measurable wheel torque Tw(t), which acts as a continuous-time disturbance.

The effects of the disturbances on the residual signals are minimized by appropriately tuning the residual generators. The ith Decision Function outputs a binary signal ri(t), called signature, at the rising edge of r̂i(t). A very simple implementation is:

$$r_i(t) = \begin{cases} 1 & \text{if } \|\hat{r}_i(t)\| \le \varepsilon \\ 0 & \text{if } \|\hat{r}_i(t)\| > \varepsilon \end{cases}$$

where the threshold ε is a design parameter. In order to reduce chattering of the signatures ri(t), a more sophisticated decision function was used in [6], which consists of the cascade of a passive-hysteresis relay and a debouncing algorithm. The aim of the debouncing algorithm is to reduce false detections when the residuals cross zero. The Event Generators output the events si at the rising edges of the signatures ri(t). Finally, location qN, representing either driveline open or clutch slipping, cannot be detected using the residual approach. This is because the continuous dynamics associated with this location is more sensitive to torque disturbances, especially during clutch slipping, when the clutch plate torque Tc(t) is non-zero. Furthermore, perturbations acting on the continuous dynamics cannot be satisfactorily compensated by the residual, since only one output is available for feedback, namely the engine speed. Hence, an additional signature rN(t) detecting location qN is produced by negation of the others in the complementary output logic, i.e.

$$r_N(t) = \neg\big(r_1(t) \vee r_2(t) \vee r_3(t) \vee r_4(t) \vee r_5(t) \vee r_R(t)\big) \qquad (13.7)$$

where ¬ denotes the logic negation symbol.

Fig. 13.4 The FSM Me associated with the composition of the driveline hybrid model H and the EOG: locations 1, ..., 5, R and N, with the outputs s1, ..., s5, sR and sN generated on the transitions (Reprinted from Automatica, Vol. 49, A. Balluchi, L. Benvenuti, M. D. Di Benedetto, and A. Sangiovanni Vincentelli, The design of dynamical observers for hybrid systems: Theory and application to an automotive control problem, pp. 915–925, Copyright (2013), with permission from Elsevier)

Fig. 13.5 The observer OMe of the FSM Me: states {1}, ..., {5}, {R} and {N}, with transitions driven by the outputs s1, ..., s5, sR and sN (Reprinted from Automatica, Vol. 49, A. Balluchi, L. Benvenuti, M. D. Di Benedetto, and A. Sangiovanni Vincentelli, The design of dynamical observers for hybrid systems: Theory and application to an automotive control problem, pp. 915–925, Copyright (2013), with permission from Elsevier)
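The residual generator, decision function and event generator cascade described above, as an added example that is not the book's code nor the implementation of [6]: a toy three-gear driveline (constructed parameters, not those of the test vehicle) is simulated in second gear while a bank of Luenberger residual generators, one per modelled gear, feeds a hysteresis relay plus debouncer each, the NOR logic of (13.7) produces rN, and the trivial location observer follows the latest event. The observer gain structure Li = l·[[0,0],[1,0],[0,1]], the relay thresholds, the debounce length, the Euler integration step and all numeric values are assumptions of the example. From a monitoring standpoint this is the same model-based residual logic that flags a plant not behaving like any expected mode, which is why the debouncer matters: a residual that crosses zero during a transient would otherwise raise a spurious event.

```python
"""Residual-bank engaged-gear identifier (added example, pure Python).

All numbers below are constructed for illustration: they are not the parameters
of the book's driveline, and the observer gains, thresholds, debounce length and
integration step are design assumptions of this example.
"""
import math

JE, JW = 0.2, 50.0              # crankshaft inertia j_e, vehicle equivalent inertia j_w
BE, BW = 0.1, 5.0               # crankshaft / driveline viscous coefficients b_e, b_w
K, B = 5000.0, 40.0             # elasticity k_i and damping b_i, taken equal for all gears
TAU = {1: 3.5, 2: 2.0, 3: 1.4}  # transmission ratios tau_i of the three modelled gears
DT = 2e-4                       # forward-Euler step (s)
L_GAIN = 200.0                  # Luenberger gain l on both measured speeds


def a_matrix(i):
    """A_i of (13.3) for the state x = (alpha, omega_e, omega_w)."""
    t = TAU[i]
    return [[0.0,          1.0,             -1.0 / t],
            [-K / JE,      -(BE + B) / JE,   B / (t * JE)],
            [K / (t * JW), B / (t * JW),    -(t * BW + B) / (t * JW)]]


def matvec(m, v):
    return [sum(a * b for a, b in zip(row, v)) for row in m]


def euler(x, dx):
    return [xi + DT * di for xi, di in zip(x, dx)]


def measure(x):
    """C of (13.4): both omega_e and omega_w are measured."""
    return [x[1], x[2]]


def observer_step(i, z, u, y):
    """Residual generator i: z' = (A_i - L_i C) z + B u + L_i y, written in innovation form."""
    dz = matvec(a_matrix(i), z)
    dz[1] += u / JE + L_GAIN * (y[0] - z[1])
    dz[2] += L_GAIN * (y[1] - z[2])
    return euler(z, dz)


def residual_norm(z, y):
    """||r_hat_i|| with r_hat_i = C z_i - y."""
    return math.hypot(z[1] - y[0], z[2] - y[1])


class DecisionFunction:
    """Passive-hysteresis relay followed by a debouncer (the structure used in [6])."""

    def __init__(self, low=0.5, high=1.5, debounce_steps=250):
        self.low, self.high, self.need = low, high, debounce_steps
        self.relay, self.count = 0, 0

    def update(self, rnorm):
        if self.relay == 0 and rnorm <= self.low:     # residual became small
            self.relay = 1
        elif self.relay == 1 and rnorm > self.high:   # residual grew large again
            self.relay = 0
        self.count = self.count + 1 if self.relay else 0
        # the signature r_i rises only after the relay has stayed at 1 for `need` steps
        return 1 if self.count >= self.need else 0


def identify(true_gear, x0, te=100.0, tw=0.0, t_end=0.6):
    """Simulate the plant in `true_gear` and run the EOG plus the location observer.
    Returns the sequence of identified locations and the final residual norms."""
    gears = sorted(TAU)
    x = list(x0)
    z = {i: [0.0, 0.0, 0.0] for i in gears}
    dec = {i: DecisionFunction() for i in gears}
    prev = {loc: 0 for loc in gears + ["N"]}
    visited, norms = [], {}
    for _ in range(int(t_end / DT)):
        y = measure(x)
        sig = {}
        for i in gears:
            z[i] = observer_step(i, z[i], te, y)   # te doubles as the estimate of T_e
            norms[i] = residual_norm(z[i], y)
            sig[i] = dec[i].update(norms[i])
        sig["N"] = 0 if any(sig[i] for i in gears) else 1   # r_N = NOR of the others, (13.7)
        for loc in prev:
            if sig[loc] and not prev[loc]:   # event generator: s_loc on a rising edge
                visited.append(loc)          # location observer: the latest event wins
        prev = sig
        dx = matvec(a_matrix(true_gear), x)  # plant (13.2) with u = T_e and d = T_w
        dx[1] += te / JE
        dx[2] -= tw / JW
        x = euler(x, dx)
    return visited, norms


if __name__ == "__main__":
    # constructed initial state: second gear locked, about 40 rad/s at the wheels
    seq, final = identify(2, [0.0196, 20.0, 40.0])
    print("identified locations:", seq)
    print("final residual norms:", {k: round(v, 3) for k, v in final.items()})
```

Run stand-alone it reports the location sequence ['N', 2]: all signatures start at 0, so the NOR fires sN first, and about 70 ms later the gear-2 signature rises once its residual has stayed below the low threshold for the debounce period. The wrong-gear residuals do not vanish: with the observer forcing its wheel-speed state onto the measurement, each settles near |ωw|·|1/τj − 1/τ2|, which for these values stays far above the high threshold, so no spurious event is produced.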

Fig. 13.6 Implementation of the EOG: the measurements ωw(t), ωe(t) and the estimate T̄e(t) feed a bank of Residual generators (outputs r̂1(t), r̂2(t), ..., r̂R(t)), each followed by a Decision function (outputs r1(t), r2(t), ..., rR(t)) and an Event generator (outputs s1, s2, ..., sR); a NOR block over the signatures feeds a further Event generator that outputs sN (Reprinted from Automatica, Vol. 49, A. Balluchi, L. Benvenuti, M. D. Di Benedetto, and A. Sangiovanni Vincentelli, The design of dynamical observers for hybrid systems: Theory and application to an automotive control problem, pp. 915–925, Copyright (2013), with permission from Elsevier)

13.1.2 Experimental Results

The performance of the proposed observer for actual engaged gear identification was tested with experimental data obtained in Magneti Marelli Powertrain using an Opel Astra equipped with a Diesel engine and a SeleSpeed AMT. The experimental data collected the measurements of the estimated engine torque T̄e(t), the crankshaft speed ωe(t), and the wheel speed ωw(t) obtained by the engine control unit installed on the vehicle. The specification given by Magneti Marelli Powertrain was to achieve correct identification on a set of maneuvers within a delay of 250 ms, using an implementation of the algorithm in discrete time with a sampling period of 12 ms. The measurements of ωe(t) and ωw(t) were affected by delays, but the algorithm proved to be robust with respect to this non-ideal situation. For the validation of the identification algorithm, the estimated engaged gear was compared to the signal on the actual engaged gear provided by the AMT control unit. The algorithm was tested on several maneuvers for a total of 250 gear engagements. The actual engaged gear was successfully identified within a delay lower than 250 ms in 90% of cases. The unsuccessful cases occurred in very critical maneuvers, such as gear engagements during sharp braking or abrupt clutch releases. In these cases, the residuals exhibit large oscillations that cause a delay of up to 500 ms in the identification. This delay could be reduced by using more sophisticated decision functions. The plots of Fig. 13.7 report the results on actual engaged gear identification for the following maneuver: initially the car is at rest, clutch open and first gear engaged. After a clutch slipping phase, the clutch is locked. Later, second gear and then third gear are engaged, passing through idle and clutch slipping. The first plot of the figure shows the norm of the residual r̂N(t) of the idle gear, obtained by using a dynamic residual, while the second plot shows the residual norms ‖r̂i(t)‖ associated with the engaged-gear locations. As the figure makes clear, the residual r̂N(t) is more affected by noise than the residuals r̂i(t), and this is due to a larger degree of uncertainty for the friction and loads during idle. This is the reason why the signature rN(t) detecting location qN has been obtained by negation of the other signatures. The last three plots of the figure show the comparison of the estimated engaged gear to the actual engaged gear as provided by the AMT.

Fig. 13.7 Gear identification experimental data (time axis 0–20 s). From the top: residual norm ‖r̂N(t)‖; residual norms ‖r̂1(t)‖, ‖r̂2(t)‖, ‖r̂3(t)‖; estimated engaged gear; actual engaged gear; estimated gear identification error (Reprinted from Automatica, Vol. 49, A. Balluchi, L. Benvenuti, M. D. Di Benedetto, and A. Sangiovanni Vincentelli, The design of dynamical observers for hybrid systems: Theory and application to an automotive control problem, pp. 915–925, Copyright (2013), with permission from Elsevier)

Figure 13.8 illustrates in more detail the transition from second to third gear. The figure clearly shows that there is a delay in detecting the idle and slipping location. In fact, since the signature rN(t) is obtained by negation of the others, the location qN is identified only when the residual norm ‖r̂2(t)‖ increases over the high threshold of the relay. The figure also shows that location q3 is identified in advance with respect to the actual transition. To understand this situation, notice that during the slipping phase that precedes each clutch engagement, since the new gear has already been engaged, the continuous dynamics in location qN tends, as the slipping decreases, to that of the entering location qi. Due to this behavior, transitions from qN to qi never cause abrupt changes in the continuous dynamics of the residual generators. Consequently, the residual norm ‖r̂i(t)‖ gradually decreases during slipping and approaches the low value of the relay threshold before the driveline enters location qi. Hence, occasionally the observer is able to identify the new location qi in advance with respect to the completion of the actual transition. Finally, the second plot of Fig. 13.8 shows the signal at the input of the debouncing algorithm in the Decision Function. Notice that, when the residual norm ‖r̂3(t)‖ decreases below the low threshold of the relay, the debouncing algorithm sets the signature r3(t) to 1 only if the residual norm ‖r̂3(t)‖ is still below the threshold after some delay.

Fig. 13.8 Detail of the transition from second to third gear (time axis 12–16 s; the plots mark the detection delay of location N and the advance in detecting gear 3) (Reprinted from Automatica, Vol. 49, A. Balluchi, L. Benvenuti, M. D. Di Benedetto, and A. Sangiovanni Vincentelli, The design of dynamical observers for hybrid systems: Theory and application to an automotive control problem, pp. 915–925, Copyright (2013), with permission from Elsevier)

13.2 Driveline Elastic Behavior Control

In this section, based on [4], we present the application of the proposed hybrid-observer design methodology to a power-train control problem. In power-train control, a critical task is controlling the elastic behavior of the driveline during fast engine-torque transients to minimize driveline oscillations. Efficient solutions can be obtained using full-state feedback (see e.g. [2, 7]). However, among the driveline state variables, only the crankshaft speed is available, while the others need to be estimated. Due to driveline discontinuities, the evolution of the plant is best represented by a hybrid system. We consider the dynamics of an automotive power-train with closed clutch and fixed gear. In particular, we concentrate our attention on the case of a low gear selection and small vehicle velocities, where the undesired oscillating behavior of the driveline is more apparent. For bounded excursions of vehicle velocity, the most important nonlinearity affecting the behavior of the driveline is due to the variations of the elasticity of the driveline, represented by discrete changes of the elastic coefficient between two values k1 and k2, with k2 ≫ k1. The components of the driveline state x ∈ ℝ³ are the driveline torsion angle αe, the crankshaft revolution speed ωc, and the wheel revolution speed ωp. Switchings of the driveline elastic coefficient are located at some values α1 and α2 of the torsion angle, as described in Fig. 13.9.

The driveline input u ∈ ℝ² collects the torque Te generated by the engine and the wheel torque Tv. The measurable output y ∈ ℝ is the crankshaft speed ωc, from which the non-measurable components αe and ωp must be estimated. The nonlinear driveline dynamics can be viewed as a PWA system, which can be modelled as an H-system by using the formalism introduced in Sect. 2.3. The discrete structure of the H-system is depicted in Fig. 13.10. The locations q1 and q2 correspond to the two possible values of the driveline elastic coefficient (k1 and k2, respectively). The sets

$$P_{1,\varepsilon} = \{x \in \mathbb{R}^3 : -\alpha_2 \le x_1 \le \alpha_2\}, \qquad P_{2,\varepsilon} = \{x \in \mathbb{R}^3 : -\alpha_m \le x_1 \le -\alpha_1 \;\vee\; \alpha_1 \le x_1 \le \alpha_M\}$$

where ε = 0.5(α2 − α1), and αm and αM are the minimum and maximum values of αe, are associated with q1 and q2, respectively. The system matrices are

$$A_1 = \begin{pmatrix} 0 & \tau & -1 \\[4pt] -\dfrac{k_1 \tau}{J_e} & -\dfrac{\tau^2 b_{sm}}{J_e} & \dfrac{\tau b_{sm}}{J_e} \\[6pt] \dfrac{k_1}{J_v} & \dfrac{\tau b_{sm}}{J_v} & -\dfrac{b_{sm}}{J_v} \end{pmatrix}, \qquad A_2 = \begin{pmatrix} 0 & \tau & -1 \\[4pt] -\dfrac{k_2 \tau}{J_e} & -\dfrac{\tau^2 b_{sm}}{J_e} & \dfrac{\tau b_{sm}}{J_e} \\[6pt] \dfrac{k_2}{J_v} & \dfrac{\tau b_{sm}}{J_v} & -\dfrac{b_{sm}}{J_v} \end{pmatrix},$$

$$B_1 = B_2 = B = \begin{pmatrix} 0 & 0 \\[4pt] \dfrac{1}{J_e} & 0 \\[6pt] 0 & -\dfrac{1}{J_v} \end{pmatrix}, \qquad C_1 = C_2 = C = \begin{pmatrix} 0 & 1 & 0 \end{pmatrix}.$$

Model parameters are summarized in Table 13.1.

Table 13.1 Hybrid model parameters
τ    Transmission ratio             bsm  Driveline viscous coef.
Je   Primary driveline inertia      Jv   Secondary driveline inertia
α1   First discontinuity point      α2   Second discontinuity point
k1   Low driveline elasticity       k2   High driveline elasticity

Fig. 13.9 Driveline elastic coefficient discontinuity: the coefficient k as a function of the torsion angle αe, equal to k1 between the discontinuity points and to k2 outside them, with the switching points at −α2, −α1, α1 and α2

Fig. 13.10 Hybrid model of the driveline, with the two locations q1 and q2

Fig. 13.11 Evolution of the torsion angle αe and switching in the hybrid driveline model
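The PWA-to-H-system construction of this section, as an added example that is neither the book's nor the original paper's code: the two-location driveline with the matrices A1, A2 and B above, guards read off the sets P1,ε and P2,ε (the system stays in q1 while |x1| ≤ α2 and in q2 while |x1| ≥ α1), driven from rest by a constructed engine-torque step. Every parameter value, the torque step and the forward-Euler step are assumptions of the example. The block logs each switching and checks the dwell-time argument numerically: between two consecutive switchings the torsion angle must travel at least α2 − α1, so every dwell time is at least (α2 − α1)/max|α̇e|, which is what makes the residual-based location identification of the next paragraphs feasible.

```python
"""PWA driveline of Sect. 13.2 as a two-location H-system with hysteresis guards.

Added example with constructed values: the parameters, the torque step and the
integration step are assumptions, not the book's or the paper's data.
"""
TAU = 1.0 / 12.0       # transmission ratio of a low gear (constructed)
JE, JV = 0.2, 100.0    # primary / secondary driveline inertias
BSM = 100.0            # driveline viscous coefficient
K1, K2 = 8000.0, 20000.0        # low / high driveline elasticity (k2 >> k1)
ALPHA1, ALPHA2 = 0.02, 0.03     # discontinuity points; alpha2 - alpha1 = 2 eps
TE, TV = 120.0, 10.0            # engine torque step and wheel torque, u = (T_e, T_v)
DT = 1e-4                       # forward-Euler step (s)


def a_matrix(k):
    """A_q of Sect. 13.2 for state x = (alpha_e, omega_c, omega_p) and elasticity k."""
    return [[0.0,           TAU,                    -1.0],
            [-k * TAU / JE, -TAU * TAU * BSM / JE,   TAU * BSM / JE],
            [k / JV,         TAU * BSM / JV,        -BSM / JV]]


def next_location(q, x1):
    """Guards derived from P_{1,eps} and P_{2,eps}: leave P_1 -> q2, leave P_2 -> q1."""
    if q == 1 and abs(x1) > ALPHA2:
        return 2
    if q == 2 and abs(x1) < ALPHA1:
        return 1
    return q


def simulate(t_end=5.0, x0=(0.0, 0.0, 0.0)):
    """Integrate the switched dynamics from `x0` in q1 under a constant torque step.
    Returns the final location and torsion angle, the switching log, the minimum
    dwell time and the bound (alpha2 - alpha1) / max|alpha_dot| it must respect."""
    x, q = list(x0), 1
    switches, max_rate = [], 0.0
    k_of = {1: K1, 2: K2}
    for step in range(int(t_end / DT)):
        q_new = next_location(q, x[0])
        if q_new != q:
            switches.append((step * DT, q_new))
            q = q_new
        dx = [sum(aij * xj for aij, xj in zip(row, x)) for row in a_matrix(k_of[q])]
        dx[1] += TE / JE            # B u: engine torque on the primary inertia
        dx[2] -= TV / JV            #      wheel torque on the secondary inertia
        max_rate = max(max_rate, abs(dx[0]))   # |alpha_dot| = |tau*omega_c - omega_p|
        x = [xi + DT * di for xi, di in zip(x, dx)]
    dwell = [t2 - t1 for (t1, _), (t2, _) in zip(switches, switches[1:])]
    return {"q": q, "alpha": x[0], "switches": switches,
            "min_dwell": min(dwell) if dwell else None,
            "dwell_bound": (ALPHA2 - ALPHA1) / max_rate}


if __name__ == "__main__":
    r = simulate()
    print("final location q%d, torsion angle %.4f rad" % (r["q"], r["alpha"]))
    print("switchings (t, q):", [(round(t, 4), q) for t, q in r["switches"]])
    print("min dwell %s s, bound %.5f s" % (r["min_dwell"], r["dwell_bound"]))
```

The torsion angle settles at (τTe/Je + Tv/Jv)/((τ²/Je + 1/Jv)·k2), which lies above α2 for these values, so the run ends in q2 after the transient; the printed switching log shows where the hysteresis between α1 and α2 kept the two locations apart in time.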


Fig. 13.12 Profile of the plant location q, the identified location q̃ and the identification error q(t) XOR q̃(t)

In Fig. 13.11 a typical evolution of the torsion angle αe during a torque transient is reported. The simulation starts from a steady state with torsion angle αe(0) < α1 and approaches a new steady state with torsion angle greater than α2. During this transient, the elasticity of the driveline is excited and large oscillations are exhibited. Before the new steady state is reached, the hybrid automaton undergoes a number of location switchings and, correspondingly, significant changes in the continuous dynamics of the driveline take place. A minimum separation time between location switchings (which depends on α2 − α1) is guaranteed, so that the condition on the existence of a minimum dwell time for the proposed observer design approach is satisfied. In Fig. 13.12, the results on plant location identification are reported. Since the plant has no discrete outputs, the given hybrid model is not current-location observable by purely discrete information. Hence, residual generators must be introduced to identify the current dynamics. Residual generators are tuned so as to obtain correct location identification in a time δ smaller than the dwell time. Just after each plant location switching, both residuals exhibit a very large transient due to the high gains used in the Luenberger-based residual generators. Hence, as soon as the residuals become greater than a suitable threshold, the Decision Function filters out all the residual transients for a time equal to δ, after which a stable value of the residual is available. Then, the location observer identifies the plant location with a constant delay equal to δ with respect to the plant switching.

Fig. 13.13 Estimation of the continuous plant state: components of the continuous observation error x̃(t) − x(t) and its modulus

The evolution of the continuous state estimation error x̃(t) − x(t) is reported in Fig. 13.13. Vertical lines denote plant and observer location changes. Despite switchings and location identification delays, exponential ultimate boundedness is achieved. The observer gains Gi are tuned in order to satisfy the conditions of Theorem 12.3 and to reduce as much as possible the observation error overshoots at plant location switchings. In Fig. 13.14, the simulation is zoomed for t ∈ [0.86, 1.06]: the continuous observation error has approached low values but, due to the mismatch between the plant dynamics and the continuous observer dynamics introduced by the residual delay, only ultimate boundedness can be ensured. This portion of the evolution shows the effect of location mismatch on the error evolution and how convergence is recovered after the correct identification of the plant dynamics.


Fig. 13.14 Ultimate boundedness of the continuous state estimation: zoom on the components of the continuous observation error x̃(t) − x(t) and its modulus

13.3 Notes and Further Reading

In the applications presented in this chapter, only the discrete location had to be identified on the basis of the continuous inputs and outputs. The complexity of the observer design methodology that we illustrated in Chap. 12 is mitigated by decoupling the identification of the discrete location and the estimation of the continuous state. We exploited this characteristic in the illustrated case studies, where the designed observers were implemented on real vehicles. Many applications described in the literature take advantage of the design of a hybrid observer, for example, autonomous driving and vehicle safety [10]; design of semiautonomous multivehicle systems that are guaranteed to be safe [15]; development of a robust friction coefficient estimation algorithm for vehicle active safety systems [1]; fault detection and isolation of faults in the fuel supply system and the nozzle actuator of a single-spool turbojet engine [13]; multi-phase batch processes control [16]; interacting autonomous robots [12]; safety problems in Air Traffic Management [9]; general cooperating manipulation systems [8]; DC/DC converters [11, 17]; mobile robots [14].


References

1. Ahn CS (2011) Robust estimation of road friction coefficient for vehicle active safety systems. PhD thesis, The University of Michigan
2. Balluchi A, Benvenuti L, Di Benedetto MD, Ferrari A, Pinello C, Sangiovanni-Vincentelli AL (1998) Hybrid systems and the design of embedded controllers for automotive engine management. In: Proceedings of the 37th IEEE conference on decision and control, pp 2656–2661
3. Balluchi A, Benvenuti L, Di Benedetto MD, Sangiovanni-Vincentelli A (2013) The design of dynamical observers for hybrid systems: Theory and application to an automotive control problem. Automatica 49:915–925
4. Balluchi A, Benvenuti L, Di Benedetto MD, Sangiovanni-Vincentelli AL (2001) A hybrid observer for the driveline dynamics. In: Proceedings of the 2001 European control conference, Porto, PT, pp 618–623
5. Balluchi A, Benvenuti L, Di Benedetto MD, Sangiovanni-Vincentelli AL (2002) Design of observers for hybrid systems. In: Tomlin CJ, Greenstreet MR (eds) Hybrid systems: computation and control. Lecture notes in computer science, vol 2289. Springer, Berlin, pp 76–89
6. Balluchi A, Benvenuti L, Lemma C, Sangiovanni-Vincentelli A, Serra G (2005) Actual engaged gear identification: a hybrid observer approach. In: Proceedings of the 16th IFAC world congress, Prague, CZ
7. Balluchi A, Di Benedetto MD, Pinello C, Rossi C, Sangiovanni-Vincentelli AL (1999) Hybrid control in automotive applications: the cut-off control. Automatica 35:519–535
8. Chaib S, Boutat D, Benali A (2006) Sensors optimization-based control of two planar robots in lifting. In: 2006 IEEE conference on computer aided control system design, 2006 IEEE international conference on control applications, 2006 IEEE international symposium on intelligent control, pp 2866–2871
9. Colageo M, Di Francesco A (2008) Hybrid system framework for the safety modelling of the in trail procedure. In: ICRAT 2008–3rd international conference on research in air transportation, pp 207–214
10. Gadepally V, Krishnamurthy A, Ozguner U (2014) A framework for estimating driver decisions near intersections. IEEE Trans Intell Transp Syst 15(2):637–646
11. Kamri D (2015) Observer-based practical control technique for multicell converters. In: 3rd international conference on control, engineering and information technology (CEIT), pp 1–7
12. Martini S, Fagiolini A, Zichittella G, Egerstedt M, Bicchi A (2001) Decentralized classification in societies of autonomous and heterogenous robots. In: IEEE international conference on robotics and automation, pp 32–39
13. Mohammadi R (2009) Fault diagnosis of hybrid systems with applications to gas turbine engines. PhD thesis, Concordia University
14. Serra E (2015) Complexity of monitors for cyber-physical systems and their implementation on a mobile robot. PhD thesis, University of Illinois at Chicago
15. Verma R, Del Vecchio D (2011) Semiautonomous multivehicle safety. IEEE Robot Autom Mag 18(3):44–54
16. Wang Y, Yang Y, Gao F, Zhou D (2007) Control of multi-phase batch processes: formulation and challenge. In: IFAC proceedings volumes, pp 339–344
17. Yoshimura VL, Assunçao E, da Silva ERP, Teixeira MCM, Barros E (2013) Observer-based control design for switched affine systems and applications to dc–dc converters. J Control Autom Electr Syst 24:535–543

Index

A
Accessible part, 47
Almost always observability, 196
Approximate bisimulation relation, 222
Approximate diagnosability, 219
Approximate predictability, 219
Approximate simulation relation, 222
Attack detection, 145
Attack, s-sparse, 140
Autonomous H-system, 9

B
Backward indistinguishability, k-backward indistinguishable pair, 72

C
Chattering, 20
Class Detector, 258, 260, 276
Constrained H-system, 13, 20, 38, 175, 206
Constraints, 12
Critical diagnosability, 99, 101
Critical location observability, 70
Critically location observable H-system, 176
Critical observability, 100
Critical -observability, 101
Critical set, 78
Current location observable FSM, 70
Current location observable H-system, 176
Current -observability, 99
Cyclic s-sparse function, 141

D
Decision function, 277
Diagnosable FSM, 79
Diagnoser for an H-system, 214
Digital twin, 262
Discrete abstraction, 163
Driveline hybrid model, 276
Dwell, 13
Dwell time (minimum, maximum), 28, 29

E
Ending state, 222
Enriched output, 163
Enriched Output Generator (EOG), 257–260
Enriched system He, 168, 178
Enriching procedure, 164, 171, 178, 218, 257
Event generator, 277
Eventual diagnosability, 100

F
Finite-escape time, 28
Finite State Machine (FSM), 8, 9, 54
Finite time basis, 25
Flow mode, 15

G
Guard condition, 12, 30, 183, 186, 209
Guard set, 13, 27, 37, 51

H
Hole, 202
Hybrid state execution (or evolution), 10
Hybrid subspace, 29
Hybrid system (H-system), 7
Hybrid time basis, 9
Hybrid time domain, 14

I
Impulsive systems, 14
Incremental Input-to-State Stable (δ-ISS) Lyapunov function, 229
Indistinguishable state trajectories, 72
Induced subgraph, 202
Initial state observability, 79, 99
Input-generic distinguishability, 128
Invariant hybrid subspace, 197

J
Jump mode, 15

L
Linear H-system (LH-system), 29
Linear system with periodic jumps, 186
Liveness, 46
Luenberger observer, 138, 254, 278

M
Mealy FSM, Moore FSM, 9, 54, 167
Metric system, 222

N
Nagumo condition, 22
Non-blocking H-system, 29, 37, 41
Non-Zeno H-system, 27

O
Observable FSM, 79
Observable H-system, 115
Observable transition, 131
Output function (hybrid), 11
Output generator, 258, 260, 277
Output run, 222

P
Parametric diagnosability, 97
Persistent in time state, 51, 52, 178, 181
Persistent state, 51, 52, 75, 180, 250
Piecewise-Affine systems (PWA systems), 19, 231
Power-train control, 283
Precursor, 88
Predictable FSM, 87
Predictor for an H-system, 214
Pseudo-metric system, 222
Purely discrete output information, 163, 247, 276, 286

Q
Quantizer, 220

R
Reachable hybrid state, 28
Residual generation, 138
Residual generator, 277

S
Secure distinguishability, 142
Secure observability, 145
Silent state, 57
Sink, 46
Squashing Lemma, 246
State run, 222
Strongly connected component, 48, 52
Strongly connected FSM, 47
Strongly input-generic distinguishability, 148
Subtangentiality condition, 22
Support, 141
Switching time, 10
Symbolic system, 222

T
Tangent cone, 22
Trap, 49
Traps decomposition, 187

U
Uncertainty radius, 84, 97, 109, 111
Unobservable reach, 57, 76, 84, 85, 249
Unobservable system, 183, 186

W
Wireless communication network, 140

Z
Zeno time basis, 26
Zero dynamics, 116