On the automatic synthesis of functional dependency graphs from libraries of component models

The idea system developed by Centro Ricerche Fiat is one of the most successful practical applications of model-based diagnosis. However, idea is based on functional dependency models that have to be built ad hoc for each specific device to be diagnosed. Thus, the models are not easily reusable and this increases the cost of building new applications. In this paper we show how models of the sort used by idea can be derived automatically from a library of generic component models, given a description of the structure of the device to be diagnosed. In this way we can reconcile two goals: (i) exploiting libraries of component models that can be reused in many applications (both in diagnostic applications and for other tasks), cutting down the cost of developing a new application, and (ii) leaving the idea system unchanged. The latter is a major goal since idea is a fully engineered system, installed in more than 1500 car repair centers in Italy and integrated with on-board and off-board equipment.


Introduction
One of the major advantages of the component-oriented approach to model-based diagnosis [4] is the possibility of re-using models. Given a device, according to such an approach, a diagnostic system requires: a description of the structure of the device, i.e., a decomposition of the device into minimal diagnosable (replaceable or repairable) components and a description of the connections between them; and a description of the behavior of each type of component.
While the former is device-dependent, the latter can be device-independent. Thus, libraries of models for component types can be built and used to provide models of different systems that have components in common. For example, a generic description of the behavior of a pipe in the library can be re-used for diagnosing any device having a pipe as a component. Moreover, the description can be independent of the reasoning task (diagnosis), so that it can be used for other tasks; e.g., simulation can be applied to automate FMEA [6].
In order to achieve this goal the description of the component types in the library must be context-independent, fulfilling the "no-function-in-structure" principle [3]: a component's behavior must be described independently of the specific function that the component can have in different devices.
Reusing libraries of models can dramatically reduce the cost of developing a new diagnostic application. However, many diagnostic systems are based on models that are not easily reusable. This is the case, in particular, for all those systems whose models rely on the behavior of aggregates of components.
The diagnostic system idea [1] is an example of these systems. idea has been developed by Centro Ricerche Fiat to diagnose different car subsystems; currently the applications cover most of the electronic and electrical subsystems of all cars of the Fiat group.
idea is an advancement with respect to earlier systems developed by Centro Ricerche Fiat and based on fault trees. A specific knowledge representation and acquisition methodology has been devised, which allows for cheaper knowledge acquisition, as discussed in [1]. However, the types of models used by idea (which will be described in the next section) are still not directly reusable, and indeed there is a group of technicians in Fiat working on the development of idea models for new devices. On the other hand, idea is a fully engineered and broadly used system. Currently, more than 1500 installations have been made in car repair centers and the system is used frequently. Moreover, a significant engineering effort has been made to make the system easily usable: idea has a friendly interface, sophisticated explanation capabilities and, more importantly, is able to dialogue with all the electronic equipment used in modern cars and in repair centers. Thus modifying the implemented system would be very costly.

Figure 1: Architecture of the system.
In this paper we present an approach to reconcile the two following goals: changing the idea system as little as possible; and converting idea to exploit libraries of reusable component models, thus reducing the cost of knowledge acquisition.
The approach is based on the automatic synthesis of the models used by idea starting from: a library of generic component models; and a description of the structure of the device to be diagnosed.
Thus the final architecture of the system is the one reported in figure 1. In order to build a new application for a new device (or a new version of a device), only a description of the structure of the device must be given. The actual model used by idea is generated automatically by a compiler. If new components that are not modeled in the library are used in a specific device, such (presumably few) component types must be added to the library.
Additional advantages of the approach are the following: the models can be reused for other reasoning tasks, e.g. automated FMEA or simulation; diagnostic assumptions and strategies different from those of idea can be experimented with on the same models; in particular, some extensions of idea can be devised to exploit the same way of synthesizing models, but relaxing some of the restrictive assumptions in the system.

The paper is organised as follows. In the next section we briefly sketch the formalism and diagnostic algorithm used by idea. We then introduce the languages for defining generic component models and for describing the structure of a device. In the fourth section we discuss how the models used in idea can be automatically synthesized from a model library. We then sketch some extensions to idea that can be obtained using the compilation approach from a library of models.

The idea diagnostic system
In this section we shall briefly describe the core of idea [1], namely the formalism it uses for modeling the device to be diagnosed and the diagnostic strategies it exploits.

The formalism
The representation formalism distinguishes three types of entities that can occur in a model: 1. components, which are the minimal entities that can be replaced or repaired; each component is characterized by a set of modes of behavior including the correct mode and, possibly, a set of fault modes; 2. signals between such components, e.g. inputs and outputs of components; 3. functional dependencies between signals and components or between signals and signals.

The signals are the most important entities in the formalism; each signal corresponds to an interface between two or more components and can assume two values: a normal one and an abnormal one. Some signals may be observable; according to idea terminology these are

Dependencies between signals. If a signal s1 depends on s2, then s2 is regarded as a precondition for s1. For example, given a bulb, the signal "light from bulb" depends functionally on the signal "voltage to the bulb".

Dependencies between signals and components. A signal may depend on the correct or faulty behavior of a component. For example, the signal "light from bulb" depends functionally on the fact that the bulb is OK.

Given a device, the functional dependencies between the signals and the components in the device can be represented by means of a graph such that: nodes correspond to components (or to modes of behavior of the components) or to signals; arcs correspond to functional dependencies. Figure 2 reports the example electrical circuit in [8] and the corresponding dependency graph: a battery b is connected in parallel to three bulbs b1, b2, b3. For the sake of simplicity each wire wi corresponds to a pair of wires of the circuit (for example, w1 corresponds to the wires connecting b to b1). In the dependency graph, the nodes corresponding to the components are in square boxes; the other nodes correspond to signals.
As an example, the signal b2:light (corresponding to the fact that the bulb b2 is lit or not) depends on the component b2 (i.e., on the fact that b2 is correct or faulty) and on the signal on wire w2 (w2:voltage), which in turn depends on the component w2 and on the signal on wire w1.
An example of a dependency graph for a real application can be found in [1].
As we noticed, the signals considered in idea are binary, where one of the two values corresponds to the normal one and the other to the abnormal one. The development of idea knowledge bases is easy if the following inferences are correct: given a signal s and the component c having s as an output, then: 1. if s is abnormal, then either c is faulty or at least one of the inputs to c that are relevant for s is in turn abnormal; 2. if s is normal, then both c and all of its inputs that are relevant for s must be normal.
This is clearly a restrictive assumption since it imposes that there is a strict duality between normal and faulty behavior. The duality is reflected by the simple form of the dependency graphs. In fact, representing dependencies between signals and signals and between signals and components is sufficient, without considering the values of signals. The node labeled with a signal s corresponds to both the normal and the abnormal value of s. Thus, the dependencies starting from s can be read in two different ways: if we assume that s is abnormal, then each dependency points to a signal or component whose abnormality is a possible cause of s; if we assume that s is normal, then the dependencies point to all the signals and components that must be normal.
The assumption above does not hold, for example, in case signals are not binary, or when the signal s produced by c under faulty behavior depends also on the inputs to c. In these cases the construction of idea models requires coding the actual signals into binary signals and a hand-made transformation of actual dependencies into relations from symptoms to causes. This transformation can be automated if generic models of component types are available.
In the section entitled "Extended dependency graphs" we shall introduce an extended definition of functional dependency graphs that are not based on the assumptions above but are still similar to those used by idea and can be used adopting similar diagnostic strategies.

Diagnostic strategy
The diagnostic strategy adopted by idea can be regarded as a special form of abduction with corroboration and relies on the assumptions discussed in the previous section. Abduction [5, 2] is used to search for explanations of abnormal signals: if a signal s is abnormal, then at least one of the components or signals on which it depends must be abnormal. Corroboration (see the "alibi" principle in [7]) is used to exonerate components: if a signal s is normal, then all the signals and components on which it depends are assumed to be normal (notice that in this way idea cannot deal properly with masking faults, which, anyway, are not very common in the domain of application of the system). Corroboration can also be interpreted abductively, in the sense that it gives the minimal abnormality explanation for the normality of s.
The form of reasoning sketched above is obtained by means of constraint propagation on the functional dependency graph. Two forms of propagation are performed by idea: failure propagation, which starts from an abnormal signal (symptom) and labels as candidate explanations all the signals and component modes on which it depends, directly or indirectly (through chains of arcs); and functionality propagation, which starts from a signal which is observed to be normal and labels as exonerated (normal) all the signals and components on which it directly or indirectly depends.
Let us consider a simple example, referring again to figure 2. Let us suppose that b2:light is observed to be abnormal (i.e. b2 is not lit) and b1:light is observed to be normal (i.e. b1 is lit). Two candidate explanations for the abnormality of b2:light are: (i) b2 is abnormal (broken) and (ii) signal w2:voltage is abnormal. The latter can be explained either by a fault of w2 or by the fact that signal w1:voltage is abnormal. In summary, failure propagation leads to four candidate single faults: b2, w2, w1 and b. These are, in fact, the components on which the signal b2:light directly or indirectly depends, and thus at least one of them must be faulty when b2:light is abnormal. Functionality propagation starting from the observation that b1:light is normal leads to exonerating b1 and w1:voltage, which in turn exonerates w1 and (via b:voltage) the battery b. Thus two candidates remain: b2 and w2. These candidates could be discriminated by making further measurements (in the example, w2:voltage).
idea uses some focusing techniques in order to speed up search in the functional dependency graph; for example, fault probabilities can be used to investigate the most probable faults first.
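The figure 2 example worked in code, as an added illustration that is not part of the paper: the circuit is encoded as a dependency graph and idea's failure and functionality propagations are run over it. The graph entries for w3 and b3 are an assumption (the text only describes the wiring of b1 and b2), and the function names are ours.

```python
# Added example (not part of the paper): the figure 2 circuit encoded as an
# idea-style functional dependency graph, with the two propagations run on it.
from collections import deque

# Dependency graph of the battery/three-bulb circuit. Each signal maps to the
# components and signals it depends on; component nodes have no entry.
# Assumption: w3 is fed from w2 (the text only describes w1 and w2).
CIRCUIT = {
    "b:voltage": ["b"],
    "w1:voltage": ["w1", "b:voltage"],
    "w2:voltage": ["w2", "w1:voltage"],
    "w3:voltage": ["w3", "w2:voltage"],
    "b1:light": ["b1", "w1:voltage"],
    "b2:light": ["b2", "w2:voltage"],
    "b3:light": ["b3", "w3:voltage"],
}


def reachable(graph, start):
    """All nodes on which `start` depends, directly or through chains of arcs."""
    seen, todo = set(), deque([start])
    while todo:
        node = todo.popleft()
        for dep in graph.get(node, ()):
            if dep not in seen:
                seen.add(dep)
                todo.append(dep)
    return seen


def components(graph, nodes):
    """Component nodes are the ones without outgoing dependencies."""
    return {n for n in nodes if n not in graph}


def failure_propagation(graph, symptom):
    """Candidate single faults: every component the abnormal signal depends on."""
    return components(graph, reachable(graph, symptom))


def functionality_propagation(graph, normal_signal):
    """Exonerated components: every component a normal signal depends on."""
    return components(graph, reachable(graph, normal_signal))


def diagnose(graph, symptom, normal_signals):
    """Candidates for one symptom, minus those exonerated by normal signals."""
    exonerated = set()
    for s in normal_signals:
        exonerated |= functionality_propagation(graph, s)
    return failure_propagation(graph, symptom) - exonerated


def discriminating_measurements(graph, symptom, normal_signals):
    """Unobserved signals on the symptom's dependency chains that are not yet
    exonerated; measuring them discriminates among the remaining candidates."""
    exonerated = set()
    for s in normal_signals:
        exonerated |= reachable(graph, s)
    on_chain = {n for n in reachable(graph, symptom) if n in graph}
    return on_chain - exonerated - {symptom} - set(normal_signals)


if __name__ == "__main__":
    print(sorted(diagnose(CIRCUIT, "b2:light", ["b1:light"])))  # ['b2', 'w2']
    print(sorted(discriminating_measurements(CIRCUIT, "b2:light", ["b1:light"])))  # ['w2:voltage']
```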

Extending idea to exploit model libraries
The models used by idea are tailored for a diagnostic task and strategy and do not include a notion of component type to be reused for all components of the same type. In the rest of the paper we show how they can be derived from a library of task-independent models of component types. Such generic models can then be reused: to generate input to idea for different instances of the same component type in the same device and in different devices; for diagnostic strategies different from those of idea; and for reasoning tasks different from diagnosis, e.g. qualitative simulation for FMEA. In this section we describe the language we assumed for the library of models; the compilation algorithm will be discussed in the next section. The languages we shall use are fairly general and indeed several other languages could have been used for the purpose of the paper.
The library must contain a description of each type of component of the systems to be diagnosed. In particular, we assume that such a description contains at least the following set of items: A set of modes of behavior of the component. This must include the correct ("ok") mode and, possibly, a set of distinguished fault modes. A list of the interface variables for the component. In particular this includes the list of input and output ports of the component. The domain of each variable is also specified; this is the set of the qualitative values that the variable can assume. Such a relation provides constraints on the correct and faulty behavior of the component and can be defined extensionally (e.g., by means of tables) or by means of equations, logical formulae and similar.
Thus, the description of each type of component is very general and is independent of the role that the component can assume in different devices. For example, figure 3 reports the model of a generic bulb whose behavior is defined extensionally by means of a table.
The program for compiling dependency graphs uses the model library and takes as input a description of the structure of the specific device to be diagnosed. Also in this case we make very general assumptions on the language we use. The description must include at least: A declaration of the components of the device. For each component, its type must be defined. One simple way to specify inputs and outputs is by way of ordered pairs where the first element corresponds to an output port and the second one to an input port. Figure 4 reports the structural description of the circuit in figure 2. The first pair in the "Connections" item specifies that the output b:voltage is connected to w1:voltage.

Automatic synthesis of functional dependencies
In this section we describe the module for the automatic synthesis of dependency graphs (the "compiler" according to figure 1). The inputs to the module are the model library and the description of the structure of the device. The output is the graph of functional dependencies to be used by idea for performing diagnosis, according to the strategy discussed previously. This means that the output is abnormal if and only if the mode is abnormal (independently of the inputs) or one input is abnormal (independently of the mode and the other inputs).
Under these hypotheses, the inferences mentioned in the section introducing idea are correct.
The starting point of the compilation algorithm is the set of observable signals, which correspond to the outputs of the device to be diagnosed. The algorithm builds the dependency graph by moving backward from such signals; in this way it can determine the components and other signals on which they depend. Let S be a set of signals; S is initialised with the set of observable signals. In particular we consider only the abnormality values for such signals. The algorithm proceeds iteratively until S is empty, i.e., until
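The backward compilation described in this section and the library and structure languages of the previous one, as an added example that is not the paper's C++ compiler: a tabular library for the battery, wire and bulb types, a structural description of the figure 2 circuit, and a compiler that moves backward from the observable signals. The port names, mode names and the chained wiring b-w1-w2-w3 are our own assumptions; an input is taken to be relevant for an output when, in the ok mode, changing that input alone changes the output.

```python
# Added example (not the paper's C++ compiler): a small model library and a
# structural description for the figure 2 circuit, and the backward synthesis
# of the idea-style dependency graph from them. All names are constructed here.
from collections import deque

# Library: per component type, its ports and behaviour relation, given
# extensionally as (mode, inputs, outputs) rows; "*" stands for any value.
LIBRARY = {
    "battery": {"inputs": [], "outputs": ["voltage"], "table": [
        ("ok", {}, {"voltage": "normal"}),
        ("flat", {}, {"voltage": "abnormal"})]},
    "wire": {"inputs": ["in"], "outputs": ["voltage"], "table": [
        ("ok", {"in": "normal"}, {"voltage": "normal"}),
        ("ok", {"in": "abnormal"}, {"voltage": "abnormal"}),
        ("broken", {"in": "*"}, {"voltage": "abnormal"})]},
    "bulb": {"inputs": ["voltage"], "outputs": ["light"], "table": [
        ("ok", {"voltage": "normal"}, {"light": "normal"}),
        ("ok", {"voltage": "abnormal"}, {"light": "abnormal"}),
        ("burnt", {"voltage": "*"}, {"light": "abnormal"})]},
}

# Structure: component declarations, (output port, input port) connections and
# the observable signals. Assumption: the wires are chained b-w1-w2-w3.
STRUCTURE = {
    "components": {"b": "battery", "w1": "wire", "w2": "wire", "w3": "wire",
                   "b1": "bulb", "b2": "bulb", "b3": "bulb"},
    "connections": [("b:voltage", "w1:in"), ("w1:voltage", "b1:voltage"),
                    ("w1:voltage", "w2:in"), ("w2:voltage", "b2:voltage"),
                    ("w2:voltage", "w3:in"), ("w3:voltage", "b3:voltage")],
    "observables": ["b1:light", "b2:light", "b3:light"],
}


def relevant_inputs(library, ctype, out_port):
    """Inputs whose value changes `out_port` in the ok mode: two ok rows that
    differ only in that input must give different values for the output."""
    rows = [(ins, outs) for m, ins, outs in library[ctype]["table"] if m == "ok"]
    relevant = set()
    for port in library[ctype]["inputs"]:
        for ins_a, outs_a in rows:
            for ins_b, outs_b in rows:
                others_equal = all(ins_a[p] == ins_b[p] for p in ins_a if p != port)
                if (others_equal and ins_a[port] != ins_b[port]
                        and outs_a[out_port] != outs_b[out_port]):
                    relevant.add(port)
    return relevant


def compile_graph(library, structure):
    """Move backward from the observable signals (the set S of the text is
    `todo`): each output signal depends on its component and on the signals
    feeding its relevant inputs, which are in turn added to S."""
    feeds = {inp: out for out, inp in structure["connections"]}
    graph, todo = {}, deque(structure["observables"])
    while todo:
        signal = todo.popleft()
        if signal in graph:
            continue
        comp, port = signal.split(":")
        deps = [comp]
        for inp in sorted(relevant_inputs(library, structure["components"][comp], port)):
            src = feeds.get(f"{comp}:{inp}")
            if src is not None:       # unconnected inputs are ignored (assumption)
                deps.append(src)
                todo.append(src)
        graph[signal] = deps
    return graph


if __name__ == "__main__":
    for signal, deps in compile_graph(LIBRARY, STRUCTURE).items():
        print(signal, "->", deps)
```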

Extended dependency graphs
As we noticed in the previous sections, the assumptions that all signals are binary and that there is a strict duality between correct and faulty behavior can be restrictive in some domains.
Let us consider a hydraulic example in which we have a pump and a tank whose generic models are reported in figure 5. The pump can have two faults: it may either pump less than the normal value or more than the normal value. The tank may have a hole or it may leak¹. In the model we distinguish different qualitative values for the interface variables. In particular, the values low and high for the output of the pump and the input of the tank should be intended as deviations from the normal value. Therefore, the value low means any value lower than normal, including zero. This is the reason why, in the behavior of the tank, when the input is low, waterLevel may be either low or zero.
The specific device we consider is formed by a pump p1 and a tank t1, connected in such a way that the output of p1 is the input to t1 (see figure 6). The only observable signal is the level of water in t1 (waterLevel).
In this example the signals are not binary and the observable effects of correct and faulty behavior of the tank depend on the input to the tank and can coincide for some particular inputs to the tank. Moreover, we may have fault masking: if the pump is abHigh (i.e., it provides more water than it should) and the tank is leaking, then the

signal can assume. The dependency graph will still contain dependencies between signals and between signals and nodes corresponding to modes of behavior of components. However, arcs corresponding to dependencies between signals are labeled with the fact that a component is in a specified behavioral mode. In particular, given a signal sx which is the output of a component c, we can have the following types of dependencies: a dependency from sx to a mode mi of c, if c can produce the output sx, regardless of the input, when in mode mi; a dependency from sx to another signal s'y, with a label mj, if c can produce the output sx when in mode mj and with the input iy corresponding to the output s'y of some other component.
For example, the extended dependency graph for the device in figure 6 is reported in figure 7.
This slightly extended form of dependency graphs can describe more general forms of behavior than the simpler ones discussed in the previous section.
A modified reasoning strategy with respect to the one in idea should be used on extended dependency graphs. The diagnostic process starts from the nodes corresponding to the observed symptoms and moves along the dependency arcs looking for explanations of the symptoms.
The dependency arcs starting from a signal s correspond to candidate explanations of s. If an arc points to a node corresponding to a mode m of a component c, then this mode is a candidate explanation of s. If an arc points to another signal s' and is labeled with the mode m' of a component c, then the union of m' and of a candidate explanation of s' is a candidate explanation of s.
For example, starting from the observation t1:waterLevel=zero in figure 7, we have that t1:holed is a candidate explanation; other explanations can be obtained by assuming t1:leaking and looking for explanations of p1:out=low (in this case we get only one explanation, {t1:leaking, p1:low}); similarly, following the other arc with the label t1:ok, we exonerate the tank t1 and we obtain the candidate {p1:low}.
The extended dependency graphs discussed in this section can be easily compiled by the following variation of the algorithm introduced in the previous section: all possible values for observable signals have to be considered; this means that the set S of signals is formed by all possible instances of observable signals; in case a signal s can be produced by a component c in mode mi, regardless of the inputs, then we create a dependency from s to mi; in case a signal s can be produced by a component c in mode mi with input signals {i1, ..., ik}, which correspond to output signals {o1, ..., ok} of some other components, then we create a dependency from s to {o1, ..., ok} with the label mi(c). Then {o1, ..., ok} have to be added to S.
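The explanation search on extended dependency graphs, as an added example (not the paper's code) for the reasoning and the pump/tank walk-through above: the labeled graph is reconstructed from the text's description of figure 7 (an assumption, since the figure itself is not reproduced), each signal-to-signal arc carries the mode label that must be assumed to follow it, and ok modes are dropped from the resulting explanations because following an ok-labeled arc exonerates the component.

```python
# Added example (not from the paper): candidate explanations on an extended
# dependency graph with mode-labelled arcs, for the pump/tank device.

# Arcs leaving each signal node. A ("mode", m) arc says the component can
# produce the signal in mode m regardless of its input; a ("signal", s, m)
# arc says it produces the signal in mode m when its input is the signal s.
# Graph reconstructed from the text's description of figure 7 (assumption).
EXTENDED = {
    "t1:waterLevel=zero": [("mode", "t1:holed"),
                           ("signal", "p1:out=low", "t1:leaking"),
                           ("signal", "p1:out=low", "t1:ok")],
    "p1:out=low": [("mode", "p1:low")],
}


def is_ok(mode):
    """Mode names are 'component:mode'; the correct mode is named ok."""
    return mode.endswith(":ok")


def explanations(graph, signal, visited=frozenset()):
    """Sets of modes that explain `signal`, following the arcs backwards.
    A mode arc yields that mode alone; a labelled signal arc yields the label
    united with each explanation of the target signal."""
    if signal in visited:        # guard against cyclic dependencies
        return set()
    visited = visited | {signal}
    result = set()
    for arc in graph.get(signal, ()):
        if arc[0] == "mode":
            result.add(frozenset({arc[1]}))
        else:
            _, target, label = arc
            for expl in explanations(graph, target, visited):
                result.add(expl | {label})
    return result


def candidates(graph, observation):
    """Explanations with ok modes dropped: only faulty modes remain, so an
    ok label exonerates its component as in the text's t1:ok case."""
    return {frozenset(m for m in e if not is_ok(m))
            for e in explanations(graph, observation)}


def single_fault_candidates(graph, observation):
    """The candidates that survive under the single-fault assumption."""
    return {c for c in candidates(graph, observation) if len(c) <= 1}


if __name__ == "__main__":
    for c in candidates(EXTENDED, "t1:waterLevel=zero"):
        print(sorted(c))
```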

Simplifications under the single-fault assumption
The resulting dependency graph can be further postprocessed to be able to deal with non-binary observations, but restricting the diagnostic strategy to reason on single faults. In this way we achieve an intermediate result between dealing only with simple systems that satisfy the duality condition discussed above and dealing with systems with arbitrarily complex interactions between faults.
Interestingly enough, the simplified graphs that result from the postprocessing closely resemble the structure of dependency graphs in idea.
In order to define the postprocessing, notice that a path in the original graph identifies a mode assignment, i.e. an assignment of correct or faulty modes to components, such that hypothesizing such a mode assignment implies the values for the signals along the path. The goal is then to reconstruct a graph with a similar property, but without labels on the edges, and therefore with only paths corresponding to single faults. The postprocessing can then be defined as follows: initial nodes (i.e. nodes with no entering edge) with normal observations are ignored.
A label L with a mode for a component is moved to the node to which the edge points; if a label has already been put there, a copy of the node is created. From the node, the label L is moved along the edges, except in the case of an edge E labeled with a fault mode if L also contains a faulty mode²; in this case the edge entering the node where E comes out is removed. The label moving is continued until a final node is found with a mode of a component. If such a mode is an ok mode and L contains a faulty mode, the mode in L is put in place of the ok mode. If both modes are faulty modes, the last arc is removed³.
Finally, labels are removed from nodes.
The result of this postprocessing on the dependency graph in figure 7 is shown in figure 8. Such graphs more closely resemble a decision-tree-like structure and can therefore be used more efficiently than general dependency graphs.

Conclusions
In this paper we presented an approach to the automatic synthesis of functional dependency graphs from a library of reusable component models and a description of the structure of the device to be diagnosed. The graphs we generate can be given as input to the idea diagnostic system. In this way we showed that the process of generating the models used by idea can be significantly simplified.
In the paper we pointed out the assumptions that simplify the development of diagnostic applications in idea and we introduced an extended notion of functional dependency graph which can overcome such limitations. Moreover, we showed that these extended graphs can also be generated automatically starting from a library of reusable component models, and that they can be simplified under the single-fault assumption. The compiler has been implemented in C++; we plan to experiment with the approach to derive functional dependencies for electrical/electronic and hydraulic devices.