DX14 Tue PM S1 Paper3

Model-based Diagnosis and Generation of Hypothesis Space via AI Planning

Luca Ceriani and Marina Zanella
Department of Information Engineering, University of Brescia, Brescia, Italy
e-mail: luca.ceriani@ing.unibs.it, marina.zanella@unibs.it

Abstract
The hypothesis space approach to model-based diagnosis (MBD) of discrete-event systems (DESs) finds candidates by checking each hypothesis, a hypothesis being a subset of all the possible faults of the system. A hypothesis is a candidate if, assuming that all, and only, the faults it contains are affecting the system, it is consistent with the system description and the observation. In this paper we first address DES diagnosis by taking advantage of the regular structure of partially ordered hypothesis spaces. Second, we consider the problem of generating (only) physically possible hypotheses, given the DES model and independently of the specific observation. The hypothesis generation problem is encoded as a planning problem.

1 Introduction

A general definition of a DES [Cassandras and Lafortune, 2008] reads: a discrete-state, event-driven system, that is, a system whose state evolution depends entirely on the occurrence of asynchronous discrete events over time. A DES is usually partially observable: the diagnosis task aims at finding out whether something went wrong with the DES at hand (and what), given the observable events gathered from it during a time interval of interest. Diagnosis of DESs is an important task in the real world, as several systems, such as digital circuits, are most naturally modeled as DESs, and many others can be modeled as DESs at some abstraction level. In the literature, MBD of DESs is typically applied to intelligent alarm processing in a remote control room, where the received alarms are the observable events taken as input by the diagnosis process. For instance, in [Lamperti and Zanella, 2011] the protection devices of power transmission lines are the case study for diagnosis and monitoring of DESs. Analogously, experimental diagnosis results on the real alarm log from the operations center of a company that owns and operates an electricity transmission network in Australia are presented in [Grastien and Haslum, 2011; Grastien et al., 2012]. In addition, [Grastien and Haslum, 2011] addresses the event logs recorded on the ground during test flights of an autonomous unmanned helicopter (UAV), while in [Pencolé and Cordier, 2005] the alarms received by the supervision center of a telecommunication network are taken into account.

Despite the efforts of the research community, MBD of DESs is still a challenging task. DES diagnosis approaches exploit both normal and faulty behavior modes of a system to determine the possible faults that explain a given observation of the events that occurred while the system was running. A solution of a diagnosis problem is called a candidate. The same diagnosis problem may have several alternative solutions: either all or only some of them are computed, depending on the approach. In the last decades, the above coarse definition of the task has been refined by proposing formal methods to compute several kinds of diagnosis results [Grastien et al., 2007; Lamperti and Zanella, 2003]. In [Grastien et al., 2012] a general framework to diagnose both DESs and static systems is proposed. The approach is based on the exploration of a hypothesis space H, which is the universe of all solutions relevant to a given DES, according to a given notion of diagnosis and independently of the specific observation. Since not all solutions are equally interesting, the approach aims at singling out only the ones that satisfy a specific preference criterion. For example, if according to the considered notion of diagnosis a candidate (and, hence, each hypothesis) is a set of faults, then the hypothesis space H_set is the power set of the alphabet of faulty events, and a preference criterion is subset minimality. Each hypothesis has to be checked against the given observation in order to find out whether it is a candidate. However, if the hypothesis space is a poset under the preference criterion, such a space can be explored in a best-first order, as done by the algorithm we propose.
While the algorithms in the literature, including the one we propose, are designed to efficiently explore H and compute the set of preferred candidates, the generation of H is blind, in that it does not take into account that only a subset of the hypothesis space is consistent with the model of the system, where such a consistency is a necessary condition for a hypothesis to be physically possible (PP). If a hypothesis is not PP, it can never be true, so it is useless to check it. Physical impossibility of hypotheses can be considered at two different levels, that is, without taking into account any specific observation, or based on a specific observation of the DES at hand. Asserting that a hypothesis is PP without taking into account any specific observation means that there are one or several evolutions of the system that are consistent with such a hypothesis. Asserting that a hypothesis is PP based on a given observation means that there are one or several evolutions of the system that are consistent with such a hypothesis and that produce such an observation. In this paper we address the problem of generating only PP hypotheses given a DES model and without taking into account any specific observation. This allows for off-line reasoning and possibly knowledge compilation, that is, such PP hypotheses can be generated off-line once and exploited at run time every time it is necessary. Alternatively, such PP hypotheses can be generated on-line and then saved, so as to be reused in the next diagnosis sessions. We show how to generate PP hypotheses by encoding the problem as a planning problem.
The hypothesis space approach is a general method to perform MBD of DESs, and thus an alternative to previous approaches in the literature. An asset of the hypothesis space approach is that, instead of relying on ad hoc diagnosis engines, it solves DES MBD problems by invoking existing efficient solvers, such as SAT solvers or planners. The modeling in Section 2, which is based on synchronous composition, is general enough to represent also distributed DESs whose components communicate asynchronously, as explained in [Lamperti and Zanella, 2013], to which the reader can refer also for the complexity of the considered task. Thus, altogether, the method dealt with in this paper does not constrain the class of DESs to be diagnosed.

2 Context

This section presents the notion of a DES diagnosis problem and the foundation of the hypothesis space approach. Sections 2.1 to 2.4 basically survey (with some minor additions) previous contributions in the literature. Section 2.5 is instead new, as is Definition 2 in Section 2.6.
A diagnosis problem consists of a DES D and a finite, partially temporally ordered observation O, the latter representing what has been observed while D was running during a time interval of interest.

2.1 System

Following [Grastien et al., 2011], a (partially observable) DES D is a triple made of a finite set of events that can take place in the system, a behavior space L, that is, a language that models all (and only) the possible sequences of events, or traces, that can take place in the system, and a function obs that associates each trace u with an observation obs(u), defined as the projection of u on the subset of observable events, i.e. obs(u) is a copy of u where all non-observable events have been removed. The set of fault events, or faults, is a subset of the set of events. Such events usually represent abnormal system behaviors, that is, behaviors the system may exhibit but that are undesired; typically, when a fault event takes place in an artifact, that artifact is not behaving as expected according to its specification. In a broader sense, a fault is an event whose occurrence we want to track in the system under diagnosis, an event we are specifically interested in.
Model L is assumed to be complete, i.e. it contains all the possible sequences of events of the system, normal and/or faulty. No assumption is made about the number of occurrences of a fault in a trace (i.e. faults may be permanent, transient or intermittent), or about their diagnosability. Language L can be represented by a finite automaton (FA).

A DES is distributed if it consists of several interacting components, each of which is a DES itself, with its own event set (a subset of the event set of the whole system), its own language L_i and its own observation function obs_i. If an event belongs to the event sets of several components, then it occurs only if and when it can occur simultaneously in all the components that share it, that is, if it triggers a transition starting from the current state of the FA of each component that shares it. Therefore, the FA relevant to the whole system is the one (implicitly) resulting from the parallel composition (often called synchronous composition [Cassandras and Lafortune, 2008]) of all the component FAs, where the synchronization is based on shared transitions, which are in fact called synchronous transitions.

2.2 Observation

Formally, O is a (possibly disconnected) directed acyclic graph (N, T), where N is the set of nodes and T the set of arcs. The value of each node is an observable event, namely the event that was observed, while each arc represents a strict temporal precedence relationship (say ≺) according to the order in which the observed events took place in the DES. Note that, given a pair of nodes n, n′ in N, there is an arc (n → n′) in T iff n ≺ n′ and there is no n″ in N such that n ≺ n″ ≺ n′, that is, T is the transitive reduction of ≺. Each pair of nodes that are not connected by any path in the graph represents a temporal uncertainty [Lamperti and Zanella, 2002], that is, we do not know whether the observed event relevant to one node took place before or after the event relevant to the other. Thus, O cumulatively represents all the sequences of observable events that comply with the constraints imposed by the observation graph: the set containing all such sequences is called the observation extension, denoted as ||O||.

2.3 Hypothesis Space

By definition [Grastien et al., 2011], a hypothesis space H is the set of all behavior types of the considered DES at a certain abstraction level. Each trace u in L, which is a behavior type in L, is associated by a mapping function with a single hypothesis in H. The hypothesis space may equal the behavior space, that is, the mapping associates each trace u with u itself: this is the least abstract hypothesis space, here denoted as H_id because its mapping is the identity function. Space H_id may be infinite, since a trace may include any number of iterations of any (cyclic) sequence of events. At the other end of the spectrum, the most abstract (and the smallest) hypothesis space may simply have two elements, nominal and faulty, that is, we are only interested in fault detection: we call it the detection space and denote it as H_norm. More common are the so-called set space, H_set, which considers each set of fault events that may have occurred as a distinct hypothesis, the multiset space, H_ms, where each hypothesis records the exact number of occurrences of each fault, and the sequence space, H_seq, whose mapping associates a trace with the sequence of fault events included in it, thus preserving the order of faults in addition to their type and number. Note that, while H_norm and H_set are finite, H_ms and H_seq are not.

2.4 Preferred Hypotheses

In most cases, not every hypothesis in a space H is equally interesting: therefore, H is assumed to be ordered by a reflexive preference relation, where "h is preferred to h′" means that hypothesis h is either more preferable than, or as preferable as, h′. The set of preferred hypotheses in a generic subset S of H, denoted as min(S), is the set of the h in S such that, for every h′ in S, if h′ is preferred to h then h′ = h. In particular, the set min(H) includes all and only the so-called most preferred hypotheses in H.
In [Grastien et al., 2011], some relations are introduced:
- in H_set, subset minimality, under which h is preferred to h′ iff h is a subset of h′;
- in H_ms, multiset minimality, which prefers the hypothesis that has fewer occurrences of every type of fault. Formally, denoting as h(f) the number of occurrences of fault f in hypothesis h, h is preferred to h′ iff h(f) is at most h′(f) for every fault f;
- in H_seq, subsequence minimality, according to which h is preferred to h′ iff h is a subsequence of h′.
If the preference relation over a set (a hypothesis space is a set), besides being reflexive, is also transitive and antisymmetric (that is, for all h, h′ in H, if h is preferred to h′ and h′ is preferred to h, then h = h′), then H is a partially ordered set (or poset) under that relation. A poset is not totally ordered if some pair of its elements is incomparable (that is, there are h, h′ in H such that neither is preferred to the other). Note that min(H_set), min(H_ms) and min(H_seq) are singletons[1], the most preferred hypothesis in H_set being the empty set, in H_ms the empty multiset, and in H_seq the empty sequence.

2.5 Regularity in Hypothesis Spaces

We conveniently represent a poset as a graph, where each element of the poset is a node. Since we are dealing with a partial order, we implicitly know that the relation must be reflexive and transitive. Thus we can simplify the graph as follows: remove all self-loops, remove all transitive edges, and remove arrowheads in the pictorial representation, that is, we assume that the orientations are implicitly downward. Note that, once self-loops have been removed, such a graph is necessarily acyclic, as the order relation is antisymmetric. In other words, instead of representing the poset under the (reflexive) preference relation, the graph represents it under the associated strict order. The strict order associated with a partial order is transitive and irreflexive, which means that no h in H is strictly preferred to itself. If h is strictly preferred to h′, h is a predecessor of h′ and, dually, h′ is a successor of h. In particular, if h is strictly preferred to h′ and there is no h″ such that h is strictly preferred to h″ and h″ is strictly preferred to h′, then h is an immediate predecessor of h′ and, dually, h′ is an immediate successor of h. An element may have more than one immediate predecessor and/or more than one immediate successor.
Figure 1 displays H_set under subset minimality when the fault alphabet is {a, b, c}. The graph in Figure 1 is actually the (upside down) Hasse diagram[2] [Enderton, 1977] of the power set of the fault alphabet. This pictorial representation highlights the regular structure of H_set as ordered by subset minimality, a regularity that holds also for H_ms and H_seq. Let us call depth of a hypothesis h, and denote it as |h|, the length of every path from the most preferred hypothesis to it. The meaning of |h| depends on the considered hypothesis space H: for instance, in H_set it is the number of faulty events in h, while in H_seq it is the length of the sequence h of faulty events. The graph consists of several layers: layer 0 contains the most preferred hypothesis, and each layer i contains all the hypotheses whose depth is i. Note that, for every layer i, layer i + 1 contains all and only the immediate successors of the hypotheses in layer i; thus edges connect only nodes belonging to adjacent layers, namely a hypothesis h in layer i to its immediate successors in layer i + 1.

Figure 1: Space H_set as ordered by subset minimality: the Hasse diagram of the power set of {a, b, c}, with layers, top to bottom, {}; {a}, {b}, {c}; {a, b}, {a, c}, {b, c}; {a, b, c}.

[1] This is a general property: given a poset X, if there is some element m in X such that m is preferred to every x in X, then m is unique. In the general case, min(X) includes all and only the nodes that have no predecessor in X, and all such nodes are necessarily incomparable with each other.
[2] A Hasse diagram is a pictorial representation of a finite poset; however, it can be adopted also for portions of infinite posets, such as H_ms and H_seq.
In the figure relevant to H_set, the set of all the immediate successors in layer i + 1 of a hypothesis h in layer i is partitioned into succ_g(h) and succ_ng(h). The edges from h to any hypothesis in succ_g(h) are plain lines, while the edges toward hypotheses in succ_ng(h) are dashed lines. This partition is used in the diagnosis algorithm (see Section 3), which generates the immediate successors of h in succ_g(h) by manipulating h, while the immediate successors of h in succ_ng(h) are not generated by manipulating h: each of them is generated by manipulating another immediate predecessor, which belongs to the same layer as h but precedes h if we scan the hypotheses in each layer from left to right.
Note that, for every h in H_set, the hypotheses in succ_g(h) are displayed in Figure 1 in a specific order, which is based on an order assigned to the faults (the alphabetical order in this example). In other words, succ_g(h) is actually a sequence of hypotheses. This entails an order among hypotheses that belong to the same layer of the space, thus providing an additional regularity to the space, besides that enforced by the preference relation. The overall regularity of the space is exploited by the diagnosis algorithm.

2.6 Diagnosis and Preferred Diagnosis

A hypothesis in a space H is a candidate if it may be the actual system behavior type that explains the observation. Formally:
Definition 1. Given a diagnosis problem (D, O), let the set of consistent traces be the subset of L containing all the traces u that are consistent with the observation, that is, the traces u in L such that obs(u) belongs to ||O||. Given a hypothesis space H with its mapping, a hypothesis h is a candidate if there is some consistent trace u whose image under the mapping is h. Given this definition of a candidate, the set of consistent traces is the set of all candidates in H_id.
Let the set of all candidates in a generic hypothesis space H be called a diagnosis, and let its subset min of the candidates that are preferred according to the preference relation be called a preferred diagnosis.

A diagnosis depends on the adopted hypothesis space, that is, it is a function of D, O and H (or, equivalently, of D, O and the mapping from L to H). Note that the set of consistent traces is actually the diagnosis relevant to H_id. The preferred diagnosis depends on the mapping, which univocally identifies the chosen H, and on the preference relation adopted on H.
Different approaches to MBD of DESs may adopt different notions of explanation of the observation as provided by a candidate. Definition 1 adopts the broadest meaning; however, another approach can aim at finding out only candidates corresponding to traces ending with an observable event. The rationale behind this constraint is an interest in what has occurred to the DES up to the time the last observed event took place, not in what may (silently) have occurred or will occur after it. Let us now define the set of traces ending with an observable event and the refined notion of candidate relevant to it.
Definition 2. Given a diagnosis problem (D, O), let the set of refined consistent traces be the subset of the consistent traces that includes all and only the traces u that end with an observable event, that is, u = p o, where p is any (possibly empty) sequence of events and o is an observable event.
Given a hypothesis space H with its mapping, a hypothesis h is a refined candidate if there is some refined consistent trace u whose image under the mapping is h. Let the set of all refined candidates (a subset of the diagnosis) be cumulatively called a refined diagnosis, and let its subset of the refined candidates that are preferred according to the preference relation be cumulatively called a preferred refined diagnosis.

3 Computing Preferred Diagnosis

We want to compute the preferred diagnosis at a certain abstraction level, represented by a hypothesis space H that is a poset under the preference relation; that is, given the diagnosis problem (D, O), we want to compute the preferred subset of the diagnosis relevant to H without computing the set of consistent traces.
Several methods to compute the preferred diagnosis are proposed in [Grastien et al., 2011; 2012], among which pfs and pfs+e. Since such methods apply to whichever H, be it a poset or not, they cannot rely on a layered structure of H; thus they use just one open list of hypotheses, instead of the two queues (corresponding to two adjacent layers) used by our algorithm, and, although the first hypothesis to be processed is the same as in our algorithm, the following ones are different, since the insertion of the successors of a hypothesis in the open list is not guided by any specific order. The method we propose here, instead, exploits the regular structure of hypothesis spaces that are posets and generates hypotheses layer by layer, where the hypotheses in each layer are ordered according to an implicit total order over the faults, which makes it easier to discard irrelevant hypotheses. The algorithm can be regarded as a generalization of the generation and testing of candidates in best-first order proposed in [de Kleer and Williams, 1989]; however, here we deal with DESs instead of static systems, and our notion of preference relation is broader, as we consider all partial orders. Moreover, we can further prune space H based on a kind of look-ahead within such a space every time a hypothesis is checked, provided that a solver capable of performing such a look-ahead is available. This resembles the speed-up of the search performed in [Williams and Ragno, 2007].
Our method to compute the preferred diagnosis consists in setting up an empty set of preferred candidates and iteratively generating a hypothesis h according to a non-increasing preference order, starting from the most preferred hypothesis. This generation order guarantees that any newly generated hypothesis is not more preferable than any candidate in the set of candidates found so far, so candidates never need to be removed from it. Note that generating H layer by layer, starting from layer 0, provides this guarantee. Once a candidate h has been found, we do not generate any of its successors, since they are all less preferable than it. The pseudo-code of the algorithm relevant to H_set under subset minimality is provided here below. The algorithms for the other poset spaces are analogous.
 1. algorithm preferred_diagnosis(D, O)
 2.   h ← most preferred hypothesis
 3.   current ← ⟨h⟩
 4.   preferred_candidates ← empty set
 5.   repeat
 6.     next ← empty queue
 7.     repeat
 8.       h ← dequeue(current)
 9.       result ← check(h, D, O)
10.       if result = pass
11.         then preferred_candidates ← preferred_candidates ∪ {h}
12.       if result = pass or result = fail_all
13.         then remove any hypothesis in succ_ng(h) from next
14.       else if result = fail
15.         then for each h′ in succ_g(h) do
16.           if all immediate predecessors (distinct from h) of h′ are in current
17.             then enqueue(next, h′)
18.     until current is empty
19.     current ← next
20.   until current is empty
21.   return preferred_candidates
At any moment there are two queues, current and next, meant to contain the hypotheses belonging to the current and the next layer of the graph, respectively. Initially, current includes the most preferred hypothesis only (line 3), while next is empty (line 6). Then two nested loops are run: at each iteration of the outer loop, a layer of the graph is considered as the current one (in top-down order) until an empty layer is found; at each iteration of the inner loop, a new hypothesis in the current layer is considered (according to the order from left to right in Figure 1). The call check(h, D, O) (line 9) invokes a solver that checks whether h is a candidate, returning pass if it is and fail otherwise.
Optionally, a more powerful solver can be adopted at line 9 in order to perform a look-ahead. Such a solver returns pass if h is a candidate, fail if h is not a candidate but some of its (immediate or non-immediate) successors is a candidate, and fail_all if neither h nor any of its (immediate or non-immediate) successors is a candidate. If this powerful solver is adopted, the only difference in the pseudo-code is in line 12, which in that case continues with the operator or and the condition that follows it. This small pseudo-code change may translate into a substantial reduction of the execution time since, when fail_all is returned, it prunes all the (immediate or non-immediate) successors of h in H. Some experimental results showing cases when this happens can be found at link [Ceriani, 2014].
If h is a candidate, then it is added to the (initially empty) set of preferred candidates. In case h is a candidate, the same as in case neither h nor any of its successors is a candidate, the immediate successors of h must not be put in queue next. Since (either all or some of) the immediate successors of h in succ_ng(h) may have already been generated (as they are also immediate successors of other hypotheses that are on the left of h in the current layer), they are removed from next (line 13). If h is not a candidate, then its immediate successors in succ_g(h) have to be appended to next, in the left-to-right order of the next layer. However, not all of them have to be appended, but only those that are successors of h and are not successors of any pruned hypothesis. A hypothesis has been pruned if it is a successor either of a preferred candidate or of a hypothesis none of whose successors is a candidate. Since queue current does not include any pruned hypothesis, in order to decide whether a hypothesis h′ in succ_g(h) has to be appended to next or not (that is, whether it has to be pruned), we check whether all the immediate predecessors of h′ are in current (line 16). In fact, all the immediate predecessors of h′ distinct from h belong to the same layer as h and are on its right; therefore, if they have not been pruned, they are still in current. Only the hypotheses h′ in succ_g(h) whose immediate predecessors are all in current are appended to next (line 17).
When all the hypotheses in current have been processed, queue current is assigned the content of next. If this is empty, we have finished; otherwise next is emptied and a new iteration of the loop at lines 5 to 20 is performed.
The algorithm is anytime, in that, at whichever time the running process is halted, the set of preferred candidates computed so far includes indeed only preferred candidates. If the algorithm is not halted, at the end it returns the set of all preferred candidates, that is, it returns the preferred diagnosis. Termination is guaranteed for finite hypothesis spaces, such as H_set.
The role of the solver invoked at line 9 can be played by a classical AI planner, and that of the powerful solver by a complete planner. This confirms that a DES diagnosis problem (D, O) can be formulated as an AI planning problem [Sohrabi et al., 2010; Grastien and Haslum, 2011] where, roughly speaking, the FA representing the behavior of a system (or component) is encoded as a set of invariant facts asserted in the initial state of the planning problem and never falsified. The (partially temporally ordered) observation O is a temporally extended goal (TEG)[3] that has to be satisfied by any solution plan, while an action represents the occurrence of an event which triggers a transition, thus causing a state change that complies both with the model description and with the current state of the system.
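As an added example (not the paper's code), the following Python implements algorithm preferred_diagnosis for H_set under subset minimality, with both the plain solver (pass/fail) and the look-ahead solver (fail_all). The role of the planner is played here by an explicit breadth-first search over configurations (automaton state, consumed observation nodes, faults seen so far): a pass requires a trace that uses only the faults in h and whose observable projection is a linear extension of the observation graph, while fail_all is returned when no trace at all contains every fault of h. The DES, the observation and the fault order are constructed for illustration and are not the paper's case study. One assumption is spelled out in code: succ_g(h) is taken to be h extended with each fault that follows, in the fault order, all the faults already in h, which is the choice consistent with the text's remark that the other immediate predecessors of a generated hypothesis lie to the right of its generator in the same layer.

```python
"""Layered best-first exploration of H_set (algorithm preferred_diagnosis) with a search-based solver.

Added example; the DES, observation and fault order are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class DES:
    initial: int
    transitions: tuple          # (source_state, event, destination_state)
    observable: frozenset       # observable events
    faults: frozenset           # fault events (all unobservable in the sample)


def consistent_trace_exists(des, obs, allowed, required):
    """True iff some trace u in L has obs(u) in ||O||, faults(u) within `allowed` and
    faults(u) containing `required`.  obs = (nodes, arcs): nodes maps node id (0..k-1) to
    its observable event, arcs holds (earlier, later) pairs; a trace must consume every
    node in an order compatible with the arcs, i.e. obs(u) is one sequence of ||O||."""
    nodes, arcs = obs
    full = (1 << len(nodes)) - 1
    preds = {n: {p for (p, q) in arcs if q == n} for n in nodes}
    by_state = {}
    for src, e, dst in des.transitions:
        by_state.setdefault(src, []).append((e, dst))
    start = (des.initial, 0, frozenset())
    seen, queue = {start}, deque([start])
    while queue:
        state, mask, faults = queue.popleft()
        if mask == full and required <= faults:
            return True
        for e, dst in by_state.get(state, ()):
            if e in des.faults and e not in allowed:
                continue                      # the hypothesis forbids this fault
            new_faults = faults | {e} if e in des.faults else faults
            if e in des.observable:           # must consume a ready, unconsumed node carrying e
                masks = [mask | (1 << n) for n in nodes
                         if not mask & (1 << n) and nodes[n] == e
                         and all(mask & (1 << p) for p in preds[n])]
            else:
                masks = [mask]                # silent event: the observation is untouched
            for m in masks:
                cfg = (dst, m, new_faults)
                if cfg not in seen:
                    seen.add(cfg)
                    queue.append(cfg)
    return False


def check(des, obs, h, lookahead):
    """The solver of line 9: pass / fail, plus fail_all when the look-ahead solver is used."""
    if consistent_trace_exists(des, obs, allowed=h, required=h):
        return "pass"
    if lookahead and not consistent_trace_exists(des, obs, allowed=des.faults, required=h):
        return "fail_all"                     # no superset of h is a candidate either
    return "fail"


def succ_g(h, order):
    """Immediate successors generated from h (plain edges): h plus one fault that follows every fault of h."""
    idx = {f: i for i, f in enumerate(order)}
    start = max((idx[f] for f in h), default=-1) + 1
    return [h | {f} for f in order[start:]]


def succ_ng(h, order):
    """The other immediate successors (dashed edges): generated by a hypothesis to the left of h."""
    if not h:
        return []
    idx = {f: i for i, f in enumerate(order)}
    top = max(idx[f] for f in h)
    return [h | {f} for f in order[:top] if f not in h]


def preferred_diagnosis(des, obs, order, lookahead=False):
    """Returns (preferred candidates, list of hypotheses actually checked, in order)."""
    preferred, checked = set(), []
    current = deque([frozenset()])            # layer 0: the no-fault hypothesis
    while current:
        nxt = deque()                         # layer i + 1, filled left to right
        while current:
            h = current.popleft()
            result = check(des, obs, h, lookahead)
            checked.append(h)
            if result == "pass":
                preferred.add(h)
            if result in ("pass", "fail_all"):
                for s in succ_ng(h, order):   # already generated by a left neighbour: prune it
                    if s in nxt:
                        nxt.remove(s)
            else:
                for s in succ_g(h, order):
                    others = [s - {f} for f in h]          # predecessors of s distinct from h
                    if all(p in current for p in others):  # none of them was pruned
                        nxt.append(s)
        current = nxt
    return preferred, checked


def exhaustive_min_diagnosis(des, obs, order):
    """Baseline: check every hypothesis of H_set, then keep the subset-minimal candidates."""
    cands = {frozenset(c) for k in range(len(order) + 1) for c in combinations(order, k)
             if check(des, obs, frozenset(c), False) == "pass"}
    return {h for h in cands if not any(o < h for o in cands)}


# Constructed DES: <o1, o2> is only producible with a fault, so the no-fault hypothesis fails.
FAULTS = ("a", "b", "c", "d")
SAMPLE = DES(
    initial=0,
    transitions=(
        (0, "o1", 1), (1, "a", 2), (2, "o2", 4),      # {a} explains <o1, o2>
        (1, "b", 3), (3, "c", 5), (5, "o2", 4),       # so does {b, c}; {b} or {c} alone does not
        (0, "d", 8), (8, "u", 8),                     # d leads to a dead end: no candidate contains d
        (4, "u", 4),                                  # silent self-loop after the run
    ),
    observable=frozenset({"o1", "o2"}),
    faults=frozenset(FAULTS),
)
SAMPLE_OBS = ({0: "o1", 1: "o2"}, {(0, 1)})           # constructed observation: o1 strictly before o2

if __name__ == "__main__":
    for la in (False, True):
        diag, checked = preferred_diagnosis(SAMPLE, SAMPLE_OBS, FAULTS, lookahead=la)
        print("look-ahead" if la else "plain", sorted(sorted(h) for h in diag), len(checked), "checks")
```

On the sample, both variants return {{a}, {b, c}}, which matches the exhaustive baseline over all 16 hypotheses. The plain solver checks 8 hypotheses; with look-ahead, {d} returns fail_all, its dashed-edge successors {b, d} and {c, d} are removed from next by line 13, and only 6 hypotheses are checked.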

4 Physically Possible Hypotheses

The generation of the hypotheses in H, as done by previous approaches in the literature as well as by algorithm preferred_diagnosis, does not take into account that some hypotheses in H may be inconsistent with the system model D regardless of any possible observation O. In particular, if the solver called at line 9 of the algorithm returns fail, the reason may be twofold: either hypothesis h is not PP, or it is PP but it is inconsistent with the observation. Analogously, if at line 9 the powerful solver is called instead of the simple one and its returned value is fail_all, the reason may be twofold: either hypothesis h is not PP, or it is PP but neither h nor any of its successors is consistent with the observation. Formally:
Definition 3. Given a DES D and a hypothesis space H relevant to it, a hypothesis h in H is physically possible if there is a trace u in L whose image under the mapping of H is h.

[3] As shown in [Sohrabi et al., 2010], a partially ordered observation O expressed as a TEG can be compiled into a classical planning "final state" goal G.

Figure 2: DES model
Figure 2 shows the behavioral model of a DES such that only a subset of the hypotheses in H_set are PP, given {a, b, c} as the alphabet of faulty events. Each transition is marked by the relevant event. Dashed transitions are those not triggered by observable events. Figure 3 shows the subset of H_set containing (only) PP hypotheses. Hypotheses {b, c} and {a, b, c} are not PP, as checking their consistency against the model of the system results in a failure regardless of the observation.
Avoiding the check of hypotheses that are not PP during on-line diagnostic processing can reduce the execution time of a diagnostic algorithm. Unfortunately, the PP subset of H is typically unknown, since it depends on the specific DES model. Furthermore, producing the whole PP subset off-line is usually impractical, because such a space may be huge or even infinite.
Note that, in any poset hypothesis space (such as H_set, H_seq and H_ms), the most preferred hypothesis is a no-fault hypothesis, which is PP by assumption (as all DESs should be endowed with a normal behavior). In addition, in the three hypothesis spaces we are considering, any PP hypothesis is the immediate successor of at least one PP hypothesis. This means that a PP hypothesis may have some immediate predecessors that are not PP, but it necessarily has at least one immediate predecessor that is PP. This implies that PP hypotheses can be produced by checking the consistency against model D of the immediate successors of PP hypotheses only.
Integrating the generation of PP hypotheses with the computation of the preferred diagnosis, so as to exploit the regular structure of a poset hypothesis space, that is, generating PP hypotheses layer by layer as algorithm preferred_diagnosis does, is difficult. In particular, the check at line 16 is incorrect in case current includes PP hypotheses only, as the successors of a failed hypothesis have to be generated even though not all the predecessors of a generated hypothesis are included in current, provided that all the missing predecessors are not PP. However, it is difficult to single out whether a predecessor is missing because it is not PP or because it has been pruned.
A digression may be worthwhile at this point. In order to facilitate the check at line 16, we could keep in current also all the hypotheses belonging to the current layer that are not PP and are successors neither of any candidate nor of any fail_all hypothesis, assigning to every such hypothesis a special status, say not PP, so as to distinguish them from the others. This way, also the not-PP hypotheses in current that are immediate predecessors of a hypothesis h′ are taken into account at line 16. However, doing so requires dealing with a larger number of nodes in any layer. Every time a not-PP hypothesis is dequeued from current at line 8, it should not be checked at line 9, and all the not-PP hypotheses in its succ_g should be appended to next. We conclude this digression here, and will never refer to it later in this paper, as delving into the matter is work for the future.

Figure 3: Space of physically possible hypotheses in H_set for the DES of Figure 2 (nodes: {}, {a}, {b}, {c}, {a, b}, {a, c}).

In case we are looking for refined preferred candidates, we do not have to generate all the PP hypotheses; instead we have to generate only those that are the image of some refined consistent trace, that is, of a trace ending with an observable event.
Definition 4. Given a DES D and a hypothesis space H relevant to it, a hypothesis h in H is refined physically possible if there is a trace u in L whose image under the mapping of H is h and u ends with an observable event, that is, u = p o, where p is any (possibly empty) sequence of events and o is an observable event.
Note that a refined PP hypothesis necessarily has a PP predecessor which, however, is not bound to be a refined one. This makes the integration of the generation of refined PP hypotheses with the computation of the preferred refined diagnosis still more difficult.

Generating Physically Possible Hypotheses

In this section we describe an AI planning implementation aimed at solving the problem of generating hypotheses that are PP, first according to Definition 3, then according to Definition 4. We show how to encode such a problem in PDDL. A complete PDDL encoding example, relevant to a case study DES, can be found at the link [Ceriani, 2014].

Encoding
We assume that DES D and the hypothesis space H we are
considering are implicitly known from the context.
Each automaton transition is represented as an invariant fact asserted in the problem initial state and never falsified: predicate (edge ?s ?d ?e ?m) relates a source state ?s to a destination state ?d by a label ?e representing the event that triggers the transition in automaton ?m. To reduce the model description in terms of number of predicates, each edge is bound to a specific automaton m_i. A full system description typically requires encoding a number x of different models m_i, where x ≤ nc, nc being the number of components in the system. If x < nc, then several components share the same behavioral model. For each component c_i, two additional predicates (is ?ci ?m) and (current ?ci ?s) represent the model and the current state, respectively. The component model never changes, while the component state may change as a consequence of an action. Interactions among components are represented as synchronous events. A synchronous event e_j labeling a transition relevant to component c_i is represented by the invariant fact (synch c_i e_j): all the transitions associated with the same event e_j across different components c_i must occur simultaneously, thus constraining the possible evolutions of the system. The planner is forced to find solutions where, for each synchronous transition triggered by an event e_j, a corresponding atomic sequence of actions appears in the plan: an action for each component c_i such that (synch c_i e_j) holds. Predicate (faulty ?e) marks an event ?e as faulty; no additional predicate is needed to mark observable and unobservable events.
The following part of the encoding depends on the selected hypothesis space. In case H_set is considered, we symbolically encode an unknown hypothesis h' ∈ H_set as the goal G of the planning problem. Such a hypothesis is the composition of a known hypothesis h ∈ H_set and an unknown faulty event e ∈ Σ_f, i.e. h' = he (in H_set, h' = h ∪ {e}). The goal G is a conjunction of facts (occurred f_k), k ∈ [1..|h|], each representing a fault f_k ∈ h, and an additional predicate (extra-fault) representing the existence of h' as a PP successor of h. If the goal G is reached, then a PP hypothesis h' is drawn from the solution plan, otherwise there is no other PP hypothesis descending from h. In the planning phase, faults f_k in h are turned to (occurred f_k) by the domain operator hyp-fault-transition, partially described below:
(:action hyp-fault-transition
  ; first occurrence of a fault ?f of the current hypothesis h (listed by (hyp ?e ?f ?c))
  :parameters (?c - comp ... ?e - event ?f - fault)
  :precondition (and (not (occurred ?f)) (hyp ?e ?f ?c) (faulty ?e) ...)
  :effect (and (occurred ?f) (consumed ?c ?e) ...)
)

The above operator has the purpose of asserting all the single faults f_k composing the current hypothesis h, which is a part of the goal G of the problem. The operator is not applicable if a fault has already occurred. In such a case, the possible subsequent occurrences of a fault f_k are accounted for by operator consumed-faulty-transition (described below), which is enabled only for consumed faults. In other words, once a faulty event e ∈ h has taken place, it becomes both occurred and consumed. Occurred means that, since e has already taken place, if it takes place again, this does not change the set of already occurred faults. Consumed means that e cannot be the extra fault to be combined with h in order to obtain the successor hypothesis h'.
The set of predicates (hyp ?e ?f ?c) lists all the faulty events ?e composing h, explicitly representing the hypothesis. These predicates are asserted for each f_k in the problem initial state and never falsified. Their presence in the precondition ensures that all such faults are turned into an occurred state, since the operator is the only one in the domain that can change their state.
The additional unknown faulty event ?e can be discovered
only by the domain operator extra-fault-transition:
(:action extra-fault-transition
  ; the single extra faulty event e (not in h) that yields the successor h' = he
  :parameters (?c - comp ... ?e - event)
  :precondition (and (not (consumed ?c ?e)) (allowed ?e)
                     (not (extra-fault)) (faulty ?e) ...)
  :effect (and (consumed ?c ?e) (extra-fault) ...)
)

The action can only occur once in any solution plan, as the effect sets predicate (extra-fault) to true and no other action can falsify it. Even if it is not explicitly shown, this operator is encoded in such a way that its precondition is enabled only if (occurred f_k) is true for every f_k ∈ h, i.e. the additional faulty event e can be found only as an extension of hypothesis h. In other words, h is a PP prefix, enforced by the model, of the PP hypothesis he eventually produced. Notice that, since hypothesis space H_set is being considered, no order is assumed among the faults of h, the precondition only requiring that they have all occurred to enable the operator. The literal (not (consumed ?c ?e)) assures that event e is not one of the faulty events in h. Since a PP hypothesis h can have several (different) PP successors h', predicate (allowed ?e) assures that a different hypothesis h' is (possibly) generated at each run of the problem: once a run has produced h' = he, omitting the fact (allowed e) from the problem initial state of the following runs prevents the planner from generating the same PP successor of h more than once.
According to the definition of H_set, a hypothesis only discriminates between the occurrence (or non-occurrence) of faulty events. However, this does not mean that a fault cannot occur several times: a different operator, consumed-faulty-transition, is needed to keep enabled all the transitions labeled by a faulty event contained in h that has already taken place.
(:action consumed-faulty-transition
  ; repeated occurrence of an already consumed faulty event: moves the component only
  :parameters (?s1 ?s2 - state ?c - comp ... ?e - event ?m - mod)
  :precondition (and (faulty ?e) (is ?c ?m) (consumed ?c ?e)
                     (current ?c ?s1) (edge ?s1 ?s2 ?e ?m))
  :effect (and (not (current ?c ?s1)) (current ?c ?s2))
)

Note that the details of the operators above are not fully reported and other operators are not shown at all. In general, the precondition of an operator assures that each state transition of a component occurs in the proper model by checking that (is ?c ?m) holds for the actual action parameters c_i and m_j, representing the component where the transition takes place and the model of the component, respectively. Furthermore, the existence of a state transition (edge ?s ?d ?e ?m) from a source state parameter ?s to a destination state parameter ?d is also ascertained. The effect changes the current state of component ?c from ?s to ?d.
The encoding described so far is an implementation of Definition 3. The implementation of Definition 4 can be obtained by extending such an encoding as follows: the additional predicate (last-observable) is joined to the goal G of the planning problem, while a fact (observable o_i) is added to the problem initial state for each observable event o_i ∈ Σ_o. The following (mutually exclusive) conditional effects are added to each domain operator:

:effect
(and ...
(when (observable ?e) (last-observable))
(when (not (observable ?e))
(not (last-observable)))
)

If the event ?e that triggers the transition is observable, then the predicate (last-observable) is asserted, otherwise such a predicate is falsified. Finally, an additional la-faulty-transition operator is defined as follows:
(:action la-faulty-transition
  ; after the extra fault has been found, a faulty event that is NOT consumed
  ; (i.e. outside h' = he) may still move the component
  :parameters (?s1 ?s2 - state ?c - comp ... ?e - event ?m - mod)
  :precondition (and (faulty ?e) (extra-fault) (is ?c ?m)
                     (not (consumed ?c ?e)) (current ?c ?s1)
                     (edge ?s1 ?s2 ?e ?m))
  :effect (and (not (current ?c ?s1)) (current ?c ?s2))
)

This operator keeps enabled, once the extra-fault-transition has been applied, all the faulty transitions labeled by an event that is not consumed (consumed events are already covered by consumed-faulty-transition), thus allowing the planner to (possibly) find an observable transition according to Definition 4. Without such an operator, hypothesis h' = he would be refined PP only if there exists a continuation of the trace ending with extra fault e that does not contain other faults and ends with an observable event. This definition would be too restrictive.
Finally, given a PP hypothesis h such that n = |h|, both encodings described above are relevant to computing a PP hypothesis h', which is an immediate successor of h, that is, such that |h'| = |h| + 1. Moreover, given algorithm preferred_diagnosis, the goal is to generate a PP hypothesis h' ∈ H as an immediate successor of a given hypothesis h such that h' ∈ succ_g(h). In H_set, this is achieved by adding to h a single fault event out of an implicitly known set Σ'_f ⊆ Σ_f.
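The two parts of this section, the initial-state and goal encoding and the successor semantics fixed by hyp-fault-transition, extra-fault-transition, consumed-faulty-transition and la-faulty-transition, can be exercised on a small system. The following Python program is an added example, not the paper's code nor the encoding published at [Ceriani, 2014]: it defines a constructed two-component DES (a relay and a breaker, with invented events and faults), emits the PDDL facts and goal the encoding requires for a given h, and replaces the planner with an explicit breadth-first search over the synchronized product that applies the same rules (all faults of h before the extra fault, allowed faults only, the refined variant, and the relaxation that la-faulty-transition introduces), so that one can see which successors a run would return and why a hypothesis such as {f_fuse} is not PP while {f_rel, f_fuse} is. The fault names, events and models are assumptions of the example.

```python
"""Added example (not the paper's code): a constructed two-component DES, the PDDL facts
and goal the H_set encoding needs for a hypothesis h, and an explicit search for successors."""
from collections import deque
from itertools import product

# Constructed toy DES (assumed, not from the paper): a protection relay and a breaker.
MODELS = {
    "m_relay": {"R0": [("detect", "R1")],
                "R1": [("trip", "R2"), ("relay_stuck", "Rdead")],
                "R2": [("reset", "R0")],
                "Rdead": [("fuse_blown", "Rburn")],
                "Rburn": [("alarm", "Rburn")]},
    "m_breaker": {"B0": [("trip", "B1"), ("brk_stuck", "B3")],
                  "B1": [("opened", "B2")],
                  "B2": [("reset", "B0")],
                  "B3": [("trip", "B3")]},
}
DES = {
    "models": MODELS,
    "components": {"rel": ("m_relay", "R0"), "brk": ("m_breaker", "B0")},
    "sync": {"trip", "reset"},                  # shared events, taken jointly by their owners
    "observable": {"detect", "opened", "alarm"},
    "faults": {"relay_stuck": "f_rel", "fuse_blown": "f_fuse", "brk_stuck": "f_brk"},
}


def owners(des, ev):
    """Components whose model contains event ev (they get the (synch c ev) facts)."""
    return [c for c, (m, _) in des["components"].items()
            if any(e == ev for outs in des["models"][m].values() for e, _ in outs)]


def encode_init_and_goal(des, h, allowed, refined=False):
    """PDDL initial facts and goal, in the paper's vocabulary, for hypothesis h (a set of
    fault names) when the faults in 'allowed' may still be picked as the extra one."""
    init = []
    for m, auto in des["models"].items():
        for s, outs in auto.items():
            init += [f"(edge {s} {d} {e} {m})" for e, d in outs]
    for c, (m, s0) in des["components"].items():
        init += [f"(is {c} {m})", f"(current {c} {s0})"]
    init += [f"(synch {c} {ev})" for ev in sorted(des["sync"]) for c in owners(des, ev)]
    init += [f"(faulty {ev})" for ev in sorted(des["faults"])]
    init += [f"(hyp {ev} {f} {c})" for ev, f in sorted(des["faults"].items())
             if f in h for c in owners(des, ev)]
    init += [f"(allowed {ev})" for ev, f in sorted(des["faults"].items()) if f in allowed]
    goal = [f"(occurred {f})" for f in sorted(h)] + ["(extra-fault)"]
    if refined:                                  # Definition 4 extension
        init += [f"(observable {o})" for o in sorted(des["observable"])]
        goal.append("(last-observable)")
    return init, "(and " + " ".join(goal) + ")"


def global_moves(des, gs):
    """Enabled global transitions from gs: local events move one component, sync events all owners."""
    comps = list(des["components"])
    autos = [des["models"][des["components"][c][0]] for c in comps]
    for i, auto in enumerate(autos):
        for ev, nxt in auto[gs[i]]:
            if ev not in des["sync"]:
                yield ev, gs[:i] + (nxt,) + gs[i + 1:]
    for ev in des["sync"]:
        idx = [comps.index(c) for c in owners(des, ev)]
        targets = [[d for e, d in autos[i][gs[i]] if e == ev] for i in idx]
        if idx and all(targets):                 # every owner must be able to take ev
            for combo in product(*targets):
                new = list(gs)
                for i, d in zip(idx, combo):
                    new[i] = d
                yield ev, tuple(new)


def pp_successors(des, h, allowed=None, refined=False, strict=True):
    """Immediate PP successors h' = h ∪ {e} of h in H_set under the encoding's rules: all
    faults of h occur before the extra fault e, faults of h and e may recur afterwards, only
    'allowed' faults are tried as e, refined=True requires the trace to end with an observable
    event (Definition 4), strict=False also admits faults outside h' after e (la-faulty-transition)."""
    faults, h = des["faults"], frozenset(h)
    allowed = (set(faults.values()) if allowed is None else set(allowed)) - h
    start = (tuple(s0 for _, s0 in des["components"].values()), frozenset(), None)
    seen, queue, found = {start}, deque([start]), set()
    while queue:                                 # BFS over (global state, occurred ⊆ h, e)
        gs, occurred, extra = queue.popleft()
        for ev, nxt in global_moves(des, gs):
            f, occ, ex = faults.get(ev), occurred, extra
            if f is not None:
                if f in h:
                    occ = occurred | {f}         # fault of h: occurred and consumed
                elif f == extra:
                    pass                         # e recurring: consumed, nothing new
                elif extra is None and occurred == h and f in allowed:
                    ex = f                       # extra-fault-transition
                elif extra is None or strict:
                    continue                     # a fault outside h' is not admitted here
            if ex is not None and (not refined or ev in des["observable"]):
                found.add(ex)
            node = (nxt, occ, ex)
            if node not in seen:
                seen.add(node)
                queue.append(node)
    return sorted(tuple(sorted(h | {e})) for e in found)
```

pp_successors(DES, set()) returns [('f_brk',), ('f_rel',)]: fuse_blown is reachable only after relay_stuck, so {f_fuse} is not PP although it becomes a successor of {f_rel}, which is exactly the pruning difficulty discussed for H_set. With refined=True the successor f_rel disappears, because after relay_stuck no observable event is reachable without a further fault, and strict=False brings it back, mirroring what la-faulty-transition admits. Removing a fault from allowed reproduces the omission of (allowed e) between consecutive planner runs.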

Conclusions

The purpose of this paper is twofold: to propose a method to apply the hypothesis space approach [Grastien et al., 2011; 2012] to MBD of DESs in such a way as to exploit the regularity of poset hypothesis spaces, and to introduce a preliminary investigation on the topic of physical impossibility so as to rule out from such a space all the hypotheses that are not PP. This topic can be faced regardless of any observation, so as to answer the question "is this hypothesis consistent with the DES model?": if it is not, then the hypothesis can permanently be removed from the hypothesis space whenever a diagnosis problem inherent to such a DES is considered. The topic can also be faced when a diagnosis problem, and hence a specific observation, is given, so as to answer the question "is this hypothesis consistent with an evolution of the DES model that, in turn, is consistent with the given observation?". While the first question, which is the one we have focused on in this paper, can be tackled both off-line and on-line, the second one can be tackled just on-line, that is, when a diagnosis problem has to be solved. Tackling the first question off-line opens the way to knowledge compilation. Tackling it at all opens the way to knowledge reuse.

As shown in the paper, the generation of the PP hypotheses of a hypothesis space can easily be encoded as an AI planning problem. A critical point in such an encoding is represented by synchronous transitions in distributed DESs.
In this paper we have considered just three hypothesis spaces and basically focused on one of them, H_set, which is relevant to the abstraction according to which a candidate is a set of faults. Facing the first question on-line, by integrating the generation of PP hypotheses in H_set with the production of diagnosis results, while at the same time exploiting the regularity of H_set, is not simple. In fact, if a hypothesis is not PP, its successors may be PP. Therefore the hypothesis that is not PP is removed from the space, but we cannot remove its successors without further processing. Instead, if a hypothesis is a candidate, then all its successors have to be removed. Since the hypothesis space is implicit, and we can just generate new hypotheses and check whether they are candidates or not, these two different kinds of pruning make the generation of new hypotheses more complex, as such hypotheses must not be the successors of any candidate but they can be the successors of non-PP hypotheses.
Actually, the integrated generation of PP hypotheses and diagnosis results is much more promising in H_seq, the space where a candidate is a sequence of faults, since, if a sequence is not PP, then all the sequences that include it as a prefix are not PP themselves, which means that if we prune a hypothesis h that is not PP, then all the hypotheses in succ_g(h) have to be pruned as well. We think that a gain in efficiency can be achieved in this space, as we will ascertain through future experiments. A closer investigation will be performed also for space H_ms, given not only the preference relations encompassed in this paper but also further ones.
Finally, we are going to investigate the second question too, that is, we aim at exploiting on-line the given observation so as to rule out every hypothesis that cannot be consistent with it, possibly without performing any check of the hypothesis against the observation itself.

References
[Cassandras and Lafortune, 2008] C.G. Cassandras and S. Lafortune. Introduction to Discrete Event Systems. Springer Science+Business Media, LLC, New York, NY, second edition, 2008.
[Ceriani, 2014] L. Ceriani. https://github.com/lucacerio84/DX14, 2014.
[de Kleer and Williams, 1989] J. de Kleer and B.C. Williams. Diagnosis with behavioral modes. In 11th International Joint Conference on Artificial Intelligence (IJCAI-89), pages 1324–1330, Detroit, MI, 1989.
[Enderton, 1977] H.B. Enderton. Elements of Set Theory. Academic Press, first edition, 1977.
[Grastien and Haslum, 2011] A. Grastien and P. Haslum. Diagnosis as planning: two case studies. In Scheduling and Planning Applications Workshop (SPARK-11), pages 37–44, Freiburg, D, 2011.
[Grastien et al., 2007] A. Grastien, Anbulagan, J. Rintanen, and E. Kelareva. Diagnosis of discrete-event systems using satisfiability algorithms. In 22nd National Conference on Artificial Intelligence (AAAI-07), pages 305–310, Vancouver, BC, 2007.
[Grastien et al., 2011] A. Grastien, P. Haslum, and S. Thiébaux. Exhaustive diagnosis of discrete event systems through exploration of the hypothesis space. In 22nd International Workshop on Principles of Diagnosis (DX-11), pages 60–67, Murnau, D, 2011.
[Grastien et al., 2012] A. Grastien, P. Haslum, and S. Thiébaux. Conflict-based diagnosis of discrete event systems: Theory and practice. In 13th International Conference on Principles of Knowledge Representation and Reasoning (KR 2012), pages 4989–4996, Rome, I, 2012.
[Lamperti and Zanella, 2002] G. Lamperti and M. Zanella. Diagnosis of discrete-event systems from uncertain temporal observations. Artificial Intelligence, 137(1-2):91–163, 2002.
[Lamperti and Zanella, 2003] G. Lamperti and M. Zanella. Diagnosis of Active Systems: Principles and Techniques, volume 741 of The Kluwer International Series in Engineering and Computer Science. Kluwer Academic Publishers, Dordrecht, NL, 2003.
[Lamperti and Zanella, 2011] G. Lamperti and M. Zanella. Monitoring of active systems with stratified uncertain observations. IEEE Transactions on Systems, Man, and Cybernetics, Part A: Systems and Humans, 41(2):356–369, 2011.
[Lamperti and Zanella, 2013] G. Lamperti and M. Zanella. Preliminaries on complexity of diagnosis of discrete-event systems. In 24th International Workshop on Principles of Diagnosis (DX-13), pages 192–197, Jerusalem, IL, 2013.
[Pencolé and Cordier, 2005] Y. Pencolé and M.O. Cordier. A formal framework for the decentralized diagnosis of large scale discrete event systems and its application to telecommunication networks. Artificial Intelligence, 164:121–170, 2005.
[Sohrabi et al., 2010] S. Sohrabi, J.A. Baier, and S. McIlraith. Diagnosis as planning revisited. In 12th International Conference on Knowledge Representation and Reasoning (KR 2010), pages 26–36, Toronto, Canada, 2010.
[Williams and Ragno, 2007] B.C. Williams and R.J. Ragno. Conflict-directed A* and its role in model-based embedded systems. Journal of Discrete Applied Mathematics, 155(12):1562–1595, 2007.