Robust Diagnosability Analysis of Discrete Event Systems Using Labeled Petri Nets

Over the past decades, fault diagnosis of discrete event systems has found many applications and attracted much attention from researchers and practitioners. With the increasingly high requirements on the reliability of cyber-physical systems such as automated manufacturing systems, fault detection technology has developed at an unprecedented pace. Traditional approaches to diagnosability analysis of discrete event systems assume that all the communications between sensors and diagnosers work normally and correctly. However, communication failures may occur anytime, which may cause the loss of observations. This observation loss makes the traditional diagnoser fail or report incorrect information. The problem of fault diagnosis against intermittent loss of observations is addressed, i.e., robust diagnosability. In this paper, an approach to robust diagnosability analysis based on labeled Petri nets is presented. A necessary and sufficient condition for robust diagnosability is proposed. We also introduce a verification procedure of robust diagnosability using robust reachability diagnosers.


I. INTRODUCTION
Discrete event systems (DESs) [1] serve as a technical alias of a class of man-made systems, where computers are extensively integrated. Their modeling, analysis and control have received much attention from researchers and practitioners. Many problems are addressed by using Petri nets and finite state automata [2]- [6].
Fault detection is a necessary guarantee for the healthy and stable operation of a system, which motivates extensive studies in recent years [7]- [9]. For instance, in a manufacturing system, a fault may cause incorrect statistics of the remaining amount of raw materials. Besides, in a warehouse management system, wrong records of storage information will make the product be shipped out unexpectedly, which is also a sort of fault.
In the field of fault detection, a primary focus is on the problem of fault diagnosis (on-line diagnosis) [10], [11] and diagnosability analysis (off-line diagnosis) [12]. Fault diagnosis aims at telling whether a fault event has happened by analyzing and processing an observed string generated by a system. As for diagnosability analysis, one should recognize if the occurrence of a fault is able to be detected within a finite time delay. In this work, we focus on diagnosability analysis.
In the framework of automata, a method of fault diagnosis [13]- [15] is first proposed, where systems are modeled with nondeterministic finite-state automata, and failures are assumed as unobservable events. In these studies [13]- [15], a diagnoser is introduced to detect fault events, which provides diagnostics based on on-line observations. As a graphical description of a DES, Petri nets have exact semantics and powerful expression capabilities [16], [17]. Due to their excellent modeling capability, especially their classification on different transitions [2], [18], labeled Petri nets (LPNs) are widely used to solve the problems such as unreliable observation [19]- [22], deadlock prevention [23]- [25], opacity verification [26], [27], etc.
Traditional diagnosis approaches rely on sensors to obtain information. Sensors may malfunction in practice, which cannot provide correct and accurate information for a diagnoser. Therefore, the notion of robust diagnosis [28]- [30] is proposed to cope with this situation.
To overcome the deficiency of potential sensor failures, a robust diagnoser that provides redundancy in the diagnosis bases is designed in [28], which ensures the fault diagnosis with the occurrence of permanent sensor failures, i.e., failed sensors never recover anymore. In [31], a polynomial time construction procedure of a diagnoser verifier automaton is given to test the existence of controllers under permanent sensor failures.
In [29] and [30], the authors successively define robust diagnosability subject to intermittent sensor failures and intermittent loss of observations. In [29], sensors are supposed to fail at any time when collecting information, but they may recover at any time as well. To deal with the problem of fault diagnosis in the presence of intermittent sensor failures, the authors define a language operation, namely language dilation. This newly proposed operation takes the influence caused by intermittent sensor failures into account. As an extension work, the authors consider a more complex situation in [30], i.e., not only sensors but also the communication channels between sensors and the controller may fail at any time.
The authors in [32] solve the problem of finding sets of observable events that ensure the language diagnosability of DESs in the framework of automata. An approach is proposed to obtain certain event bases by inspecting the structure of a diagnoser automaton.
Based on LPNs, the authors of [33]- [35] present fault diagnosis approaches for DESs. According to [33], some transitions and failures are unobservable in a net system. Notions of basis markings and justifications are proposed to describe the markings that are consistent with observations [34], which improve the efficiency of fault diagnosability analysis.
Different from the monolithic architecture, the robust diagnosability of decentralized DESs is called robust codiagnosability [36]- [38], which is first proposed in [39]. Due to the distributed property of some specific systems, their facilities may be scattered in different regions. Under this circumstance, centralized robust diagnosers cannot always be deployed. To solve this problem, a coordinator is designed. Each local diagnoser site is only allowed to communicate via the coordinator, which processes the information according to some set rules. Meanwhile, the authors in [30] and [46] also extend their conclusions to robust co-diagnosability.
In practice, traditional diagnosis models relying on sensors may fail due to the occurrences of an electronic component failure, communication failure, or atmospheric electromagnetic interference, etc. As a result, a system may experience intermittent loss of observations. Compared with [31] and [28], we investigate not only the permanent but also intermittent failure situations in this work, which expands the scope of the robustness. The work in [30] is based on the systems modeled with automata. In this paper, we also use LPNs, which highlights their advantages in exact semantics and powerful expression capabilities. Compared with the verifier net approach in [12], we construct a reachability diagnoser through a simple computation process with less computational cost.
This work is devoted to diagnosability analysis, especially the robust diagnosability problem in the framework of LPNs. To verify the language diagnosability of a specific bounded LPN, a diagnosis model namely a reachability diagnoser is designed based on reachability graphs. An algorithm is given to generate the reachability diagnoser of an LPN. Due to some external interference or internal malfunctions, observation information once transmitted normally may not reach the diagnoser. This observation loss may occur or disappear at any moment. Thus, traditional diagnosers may fail intermittently. In this case, we may never obtain accurate diagnosis information due to the lack of robustness of a diagnoser. Therefore, a new robust diagnosis model of LPN-modeled systems namely a robust reachability diagnoser is designed, which takes into account the intermittent loss of observations. We also derive a necessary and sufficient condition of language robust diagnosability by defining implicit indeterminate cycles in a robust reachability diagnoser. It can be summarized from the performance of a specific example in different situations. The proof is provided.
This paper is structured as follows. In Section II, we present the background and some notations of automata and Petri nets. Section III introduces the problem of diagnosability of DESs and the robust diagnosability problem. Section IV formulates the problem of language diagnosability in the framework of LPNs. The definition and condition of language diagnosability follow. Section V illustrates the robust diagnosability analysis based on LPNs. An example under several situations is used to explore the necessary and sufficient condition for language robust diagnosability. Besides, the proofs of relevant theorems are given. Finally, conclusions are drawn in Section VI.

A. AUTOMATA
Let $G = (Q, \Sigma, f, q_0, Q_m)$ denote an automaton model of a DES, where $Q$ is the set of states, $\Sigma$ is the finite alphabet of symbols denoting event labels, $f : Q \times \Sigma \to Q$ is the transition function, $q_0$ is the initial state, and $Q_m$ is the set of marked states. Assume that the event set $\Sigma$ can be partitioned as $\Sigma_o \cup \Sigma_{uo}$, where $\Sigma_o$ and $\Sigma_{uo}$ denote the sets of observable and unobservable events, respectively. The language generated by $G$, denoted by $L(G)$ or simply by $L$, is defined as $L = \{s \in \Sigma^* \mid (\exists q \in Q)\, f(q_0, s) = q\}$. Let $L/s = \{u \in \Sigma^* \mid su \in L\}$ denote the post-language of $L$ after string $s \in L$, where $\Sigma^*$ denotes the Kleene-closure of $\Sigma$. Let $\varepsilon$ be the empty string with its length being zero and $\varepsilon \in \Sigma^*$.
The projection operation P o is defined as The inverse projection operation P −1 o , for u ∈ σ o , is defined as Let G 1 = (Q 1 , Σ 1 , f 1 , q 0,1 , Q m,1 ) and G 2 = (Q 2 , Σ 2 , f 2 , q 0,2 , Q m,2 ) be two automata. The parallel (or synchronous) composition is defined as where Ac(·) denotes the accessible part of an automaton, which means all the states and transitions that are not reachable from the initial state are trimmed from the original automaton, and f 1 2 is the transition function of G sync .
Let Γ : Q → 2 Q denote the active event set at a state. The transition function f 1 2 satisfies:  A language L ⊆ Σ * is said to be live if for all s ∈ L, there exists an event σ ∈ Σ such that sσ ∈ L. Let Σ f ⊆ Σ uo . For the sake of simplicity, we assume that there is only one fault event throughout this work, i.e., Σ f = {σ f }. Let Ψ(Σ f ) denote the set of all finite strings ending with the event in Σ f , s denote the length of string s, ands = {u ∈ Σ * | (∃v ∈ Σ * )uv = s} denote the prefix-closure of string s.

B. PETRI NETS
A Petri net is a four-tuple $N = (P, T, Pre, Post)$, where $P$ is a set of $m$ places and $T$ is a set of $n$ transitions, depicted by circles and bars (or boxes), respectively. $Pre : P \times T \to \mathbb{N}$ and $Post : P \times T \to \mathbb{N}$ are the pre- and post-incidence functions that specify the arcs from places to transitions and transitions to places, respectively, where $\mathbb{N}$ is the set of nonnegative integers. $Pre$ and $Post$ can be represented by $m \times n$ integer matrices indexed by $P$ and $T$. The incidence matrix of Petri net $N$ is defined as $C = Post - Pre$.
Let $x \in P \cup T$ be a node in a Petri net. The preset of $x$ is defined as ${}^{\bullet}x = \{y \in P \cup T \mid Pre(y, x) > 0\}$. The postset of $x$ is defined as $x^{\bullet} = \{y \in P \cup T \mid Post(y, x) > 0\}$. A net is said to be pure (or self-loop free) if it contains no self-loop; it is said to be acyclic if it has no circuit.
A marking is a mapping M : P → N that assigns a nonnegative integer number of tokens (depicted by black dots) to a place. A marking can be tabulated and represented by an m-dimensional vector indexed by P . The marking of place p at M is denoted by M (p), which indicates the number of tokens in place p at marking M . For economy of space, a marking M can be compactly written as a multi-set, i.e., According to the definition of incidence matrix C, M can be calculated as where t j is an n-dimensional canonical basic vector with its j-th entry being one. A Petri net system N, M 0 is a structure with an initial The set of all the markings reachable from M 0 defines the reachability set of a Petri net, denoted as R(N, M 0 ). A firing sequence σ ∈ T * is said to be faulty (or normal) if there has (or has not) at least a faulty transition where N, M 0 is a Petri net system, E is an alphabet (a set of labels), and : T → E ∪ {ε} is the labeling function that assigns to each transition t ∈ T a symbol from E or the empty word ε. The transition set can be partitioned into two disjoint sets, i.e., T = T o ∪T u , where T o and T u denote the set of observable transitions and that of unobservable transitions, respectively. The reachability set of an LPN is denoted by The unobservable subnet N us = (P, T us , P re us , P ost us ) is the net generated by removing all transitions t ∈ T o from N , where P re us and P ost us are the restrictions of P re and P ost to T u , respectively. The incidence matrix of the unobservable subnet is denoted as C u = P ost us − P re us .
For a transition sequence σ ∈ T * and the labeling function , w = (σ) is called an "observed word" or simply an "observation". The set of observed words (observations) from a marking M is denoted as: which is also called the language generated from M ∈ R N . L(N, M ) is equivalently denoted as L N in this paper.
Given an observation w of an LPN N = (N, M 0 , E, ), we define as the set of firing sequences consistent with w ∈ E * and Note that all the contribution in the framework of LPNs in this work is based on bounded LPNs.

III. DIAGNOSABILITY ANALYSIS USING AUTOMATA

A. DIAGNOSABILITY
Simply speaking, a language L is diagnosable if a failure of any type can be detected by observing an existing event record within a finite delay. The formal definition of language diagnosability can be stated as follows [13]. Definition 1 (Language diagnosability using automata): A live language L G generated by an automaton G = (Q, Σ, f, q 0 , Q m ) is diagnosable with respect to projection where the diagnosability condition C D can be stated as: In plain words, a language is said to be diagnosable with respect to P o and Σ f if and only if for any string s ending with a fault event and an arbitrarily long bounded string u, there is no fault-free string w such that P o (su) = P o (w). One can easily verify the diagnosability of a specific language with the help of the diagnoser automaton. A diagnoser automaton G d is defined as where Obs(G, Σ o ) denotes the observer automaton of G with respect to Σ o . The label automaton denoted as G l is shown in Fig. 2.
Meanwhile, the definition of indeterminate observed cycles and a theorem about language diagnosability are also given in [13], which can be stated as follows. Definition 2 (Indeterminate cycles): A set of uncertain states q d1 , q d2 , . . . , q dn ∈ Q d is said to form an indeterminate cycle if: . . , n, k = 1, 2, . . . , m and r = 1, 2, . . . , m in such a way that the sequence of states {q k j | j = 1, 2, . . . , n, k = 1, 2, . . . , m} and {q r j | j = 1, 2, . . . , n, r = 1, 2, . . . , m } form their corresponding cycles in G , where A generator automaton G can be simply understood as an Theorem 1: Assume that L is live, i.e., Γ(q i ) = ∅ for all q i ∈ Q, and there is no cycle of unobservable events in G. The language L generated by automaton G is diagnosable with respect to P o and Σ f if and only if its diagnoser automaton G d has no indeterminate cycle.
The proof of Theorem 1 can be found in [13], therefore omitted here. With Theorem 1, one can efficiently determine the diagnosability of a specific language.

B. ROBUST DIAGNOSABILITY
A robust diagnosability problem has been proposed in [30], where it assumes that some sensors or communication channels between sensors and diagnosers may fail intermittently. Under this circumstance, Σ o is partitioned as Σ o = Σ ilo∪ Σ nilo , where Σ ilo denotes the set of events subject to intermittent loss of observations and Σ nilo denotes the set of events not subject to intermittent loss of observations. Observable events in Σ ilo may convert into unobservable ones with respect to the occurrence of observation losses, which makes the original diagnoser stall or provide wrong diagnosis information. To describe the intermittent loss of observations mathematically, Σ ilo = {σ : σ ∈ Σ ilo } is defined and σ representing that the unobservable fault event is assigned to each σ ∈ Σ ilo .
The dilation operation D can be executed to not only strings but also languages, i.e., Meanwhile, the modified automaton model, namely a dilated automaton G dil = (Q, Σ dil , f dil , q 0 , Q m ) and the projection operation P dil,o : Σ * dil → Σ * o can be defined in [30].
where the robust diagnosability condition C RD is there does not exist w ∈ L such that According to Definition 3, language L(G) is robustly diagnosable with respect to D, P dil,o , and Σ f if and only if for any string s ending with a fault event and an arbitrarily long bounded string u, there is no fault-free string w such that P dil,o (D(su)) = P dil,o (D(w)). In [30], two ways including robust diagnosers and verifiers are given to test the robust diagnosability.

IV. DIAGNOSABILITY ANALYSIS IN THE FRAMEWORK OF LPNS
Let T o , T u , and T f denote the sets of observable transitions, unobservable transitions, and faulty transitions, respectively.
Let Ω(T f ) denote the set of all finite firing sequences ending with a transition in T f . The definition of language diagnosability in the framework of LPNs can be stated as follows.
Obviously, σ 1 is the catenation of a faulty sequence s 1 = t 1 t 2 t 3 and a bounded arbitrarily long normal sequence u 1 = t 4 t 5 t 12 t n 10 whose corresponding words are zaε and aed n , respectively. It is not difficult to find that the system cannot reach the same marking with anyone in C(w f1 ) by firing any sequence that has no faulty transition in it. The firing of a sequence including faulty transitions such as σ 1 can be strictly distinguished from the firing of other normal transition sequences. By observing the word generated by N , we can always infer whether a faulty transition has been fired. Thus the language generated by the LPN system is diagnosable.
The language diagnosability of a system can readily be verified using diagnosers. Similar to the method using automata, we here propose a new concept, i.e., the reachability diagnoser of an LPN. Let N d denote the reachability diagnoser of N , which can be obtained from N with Algorithm 1 as follows. In plain words, to construct a reachability diagnoser, we first need to construct the reachability graph of N . Then we construct an automaton G having the same scale of space with the reachability graph of N . Markings and transitions in the reachability graph should be converted into states and transitions in the automaton. Obviously, these two models are isomorphic, which guarantees that the conversion can be finished successfully. Finally, N d can be obtained by generating the observer over G G l with respect to Σ o . It is not difficult to find that each node in either the reachability graph or the automaton is traversed once. For the consistent size of the two models, Algorithm 1 has an O(n) time complexity for the conversion process, where n represents the number of markings in the reachability graph of N . With the definition of indeterminate cycles of N d , a necessary and sufficient condition for LPN language diagnosability can be obtained, as presented below. Theorem 2: A live language L N generated by an LPN N = (N, M o , E, ) whose unobservable subnet is acyclic is diagnosable with respect to : T → E ∪ {ε} and T f = {t f : (t f ) = ε} if and only if its reachability diagnoser N d has no observable indeterminate cycles.
(Sufficiency) Assume that the reachability diagnoser N d has no indeterminate cycle. Select any s ∈ L such that s ∈ Ψ(Σ f ) and let f (q 0 , s) = q. Select any There are now two cases to be discussed: 1) State q d1 is certain. Since su 1 is faulty, for each w ∈ P −1 o [P o (su 1 )] as a longer sequence containing all the symbols in su 1 , there must be a faulty event σ f in it. In addition, the assumptions in Theorem 2 require no unobservable cycles in G. Thus, w without any faulty event does not exist and L is diagnosable. 2) State q d1 is uncertain. Recall Definition 4 and two subcases arise here: a) There are no cycles of uncertain states in G d .
Having no cycles of uncertain states implies that one can always acquire a definite Y or N about whether any faulty event happens, which intuitively satisfies the requirement of language diagnosability. b) There exists a cycle of uncertain states q d1 , q d2 , . . ., q dn ∈ Q d , but it is not an indeterminate one. Suppose that the system cannot loop in the cycle for an arbitrarily long time after the occurrence of a faulty event such that the fault can be detected eventually. In that case, it can be determined that the language is diagnosable. If there is a cycle in G formed with N -states from G d , there cannot simultaneously exist any cycle formed with Y -states in G . Thus, G d will reach a Y -state once a fault happens. On the contrary, the existence of a cycle in G formed with Y -states from G d will make it impossible for any cycle formed with N -states to exist. Select any N -state from q d l ∈ Q d . It is obvious that it cannot be a successor of any Y -state along the corresponding sequence in G . Hence, G d will stay in the cycle forever if a fault has happened, or leave the cycle eventually if everything works normally.
In summary, we have proved that the live language generated by an LPN whose unobservable subnet is acyclic is diagnosable if and only if its reachability diagnoser has no indeterminate cycle. The condition and conclusion of the result are mutually necessary and sufficient.

V. ROBUST DIAGNOSABILITY ANALYSIS IN THE FRAMEWORK OF LPNS
In the previous part of this paper, we have introduced robust diagnosability. We will explain how to analyse robust diagnosability in the framework of LPNs by a specific example. Example 3: Consider the sequence σ 1 = t 1 t 2 t 3 t 4 t 5 t 12 t n 10 again. Assume that at some specific moment, the transitions labeled with a cannot be recorded as usual, i.e., transitions t 2 , t 4 are subject to intermittent loss of observations. Suppose that the firing information of t 2 cannot reach the diagnoser for a while and, somehow, the communication restores before the firing of t 4 . For N d , the first event to be recognized is z produced by t 1 . The reachability diagnoser N d moves into (M 1 , N ). Since a produced by t 2 has been lost and the fault transition t 3 is unobservable, a produced by t 4 is the next letter N d receives, which makes N d move into (M 2 , N )(M 3 , Y ). Notice that the next letter N d should have dealt with is e, however, e is not a legal sequel event of That is to say, N d gets stuck due to the intermittent loss of a. Now consider another sequence σ 2 = t 1 t 2 t 3 t 6 t 7 t 12 t n 10 , w f2 = (σ 2 ) = zaεbcd n . Similarly, suppose that the transition labeled with a has been fired but failed to be recorded for some reason. After recognizing z, N d moves into (M 1 , N ) and the following sequence N d should have received is bcd n . N d individually recognizes all the letters successfully, and it stays in (M 8 , N ) finally, which indicates that the fault transition has never been fired. Under this circumstance, N d reports incorrect information about the occurrence of fault transitions.
It is not difficult to find that the traditional diagnoser model has certain limitations when dealing with a system containing intermittent loss of observations. With the help of dilation operation, language robust diagnosability using LPNs is defined as follows. Definition 6 (Language robust diagnosability in the framework of LPNs): Given an LPN N = (N, M o , E, ) with N, M 0 satisfying T = T o ∪ T u and T f ⊆ T u , the prefix-closed language L N generated by N is robustly diagnosable if (∀n ∈ N)(∀s ∈ Ω(T f ))(∀u ∈ T * /s) where the robust diagnosability condition C LPNRD is Let us check the LPN in Fig. 3 again. According to the analysis in the previous section, L N is diagnosable with respect to Σ f and P o . Suppose again that the transitions labeled with a are subject to intermittent loss of observations. With the help of dilation operation, N can be dilated as N dil , as shown in Fig. 6. Two unobservable transitions t 2 and t 4 labeled with a are added and assigned to t 2 and t 4 . Meanwhile, the reachability graph of N dil is shown in Fig. 7. Faulty sequence s 1 u 2 := σ 2 is from Ω(T f ), for (σ 2 ) = w f2 = zaεbcd n . We have D(w f2 ) = {zaεbcd n , za εbcd n }. Notice that there exists a normal sequence σ 2,n = t 1 t 8 t 9 t n 10 , for (σ 2,n ) = w 2,n = zbcd n such that C(w 2,n ) = {M 8 }. In plain words, the system N dil can reach M 8 by firing either a faulty sequence σ 2 or a normal sequence σ 2,n . Therefore, the diagnoser cannot accurately distinguish whether a fault transition has fired. That is to say, the language generated by N is not robustly diagnosable when the transitions labeled with a are subject to intermittent loss of observations. Similar to diagnosability, language robust diagnosability can also be verified using corresponding diagnosers named robust reachability diagnosers. Fig. 8 shows N dil,d , the robust reachability diagnoser of N dil . By inspecting Fig. 8, the existence of the observed cycle labeled with d on
Example 4: Now suppose that transitions t 10 and t 12 labeled with d are unsuccessfully observed intermittently. In Fig. 9, N dil shows the dilated net structure. The reachability graph and N dil,d are shown in Figs. 10 and 11, respectively.
Cycles depicted with dashed lines appear in N dil,d since t 10 forms a self-loop in the original net structure. When the firing of t 10 fails to be recognized by the reachability diagnoser, unobservable t 10 fires, which is denoted by dashed lines. It is not difficult to find that not only observable indeterminate cycles labeled with d but also unobservable cycles labeled with d can make L N no longer robustly diagnosable.
Consider Fig. 11. It seems that N dil,d will never know whether the faulty transition has happened if the transitions labeled with d never recover from malfunctions, which makes t 10 and t 12 keep firing silently. Now, it seems that not only observed indeterminate cycles but also unobservable cycles on uncertain states can influence language robust diagnosability. In order to improve relevant results, a subclass of indeterminate cycles has to be defined. Definition 7 (Implicit Cycles and Indeterminate Implicit Cycles of N dil,d ): A cycle formed with states q dil,d1 , q dil,d2 , . . ., q dil,dn ∈ N dil,d is defined as an implicit cycle if the following conditions hold: The implicit cycle is also indeterminate if it additionally satisfies the second condition: • q dil,d1 , q dil,d2 , . . . , q dil,dn form an indeterminate cycle in N dil,d .
In plain words, an implicit indeterminate cycle is an indeterminate cycle formed with unobservable events between uncertain states. Note that not all implicit cycles are indeterminate, i.e., the cycle on certain states cannot be counted, which brings no ambiguity to robust diagnosability. For instance, the cycle labeled with d on (M 8 Y ) is unobservable; however, it is not an indeterminate one. Meanwhile, indeterminate cycles satisfying only Definition 5 will be called explicit indeterminate cycles literally and their existence has been proven to make language not diagnosable. The word "explicit" is meant to contrast with "implicit", which emphasizes the observable property of an indeterminate cycle. An explicit indeterminate cycle here is exactly the indeterminate cycle defined in Definition 5.
Example 5: Consider N if transitions labeled with b, i.e., t 6 , t 8 are subject to intermittent loss of observations. By dilating t 6 and t 8 , N dil can be depicted as Fig. 12  It is not difficult to find that there exists a faulty sequence suv ∈ L N dil , for (suv) = w f . Sequence suv satisfies: 1) s is faulty, i.e., S(s) ∩ Ω(T f ) = ∅ such that f dil,d (q 0dil,d , P o (s)) = q dil,d holds, 2) u is unobservable, i.e., u ∈ (T ilo ∪ T u ) * such that f dil,d (q 0dil,d , P o (su)) = q dil,d holds, 3) v is also unobservable with a length of k, i.e., t ∈ (T ilo ∪ T u ) * such that f dil,d (q 0dil,d , P o (suv)) = q dil,d and M i1 [v M ij hold, where j = (k mod n) + 1. Notice that q dil,d is an uncertain state, implying that there also exists w ∈ L N dil such that S(s) ∩ Ω(T f ) = ∅ and P o (suv) = P o (w). In other words, the existence of an implicit indeterminate cycle indicates that the projection of a faulty sequence and a normal sequence are the same, which violates the condition of language robust diagnosability.
(Sufficiency) Assume that L N is not robustly diagnosable with respect to D and T f . According to Definition 6 of language robust diagnosability using LPNs, for some w f = (su), where s ∈ Ω(T f ), u ∈ T * /s, and u ≥ n for n ∈ N, there exists some w ∈ L N such that C(D(w f )) = C(D(w)) and S(w) ∩ Ω(T f ) = ∅ hold, where w could have bounded or unbounded length.
Since the sets of reachable markings consistent with D(w f ) and D(w) are the same and N dil,d is deterministic, there exists an uncertain state q dil,d ∈ Q dil,d satisfying Because of the arbitrary length of w stipulated in Definition 6, we assume that the number of states in Q dil,d is x with w > x. A cycle of states formed with corresponding transitions will exist in N dil,d . There are two cases that need to be discussed: 1) There exists at least one observable transition in the cycle. Under this circumstance, the cycle is an explicit indeterminate cycle. 2) All transitions in the cycle are unobservable. In this case, the cycle is an implicit indeterminate cycle. These two cases show us that the existence of an (explicit or implicit) indeterminate cycle is inevitable as long as a language is not robustly diagnosable.
Note that in the proof of necessity, we omit the situation of explicit indeterminate cycle since it has been proven in the proof of Theorem 1. In summary, we have explored three different situations: 1) The transitions labeled with a influenced by intermittent loss of observations: Explicit indeterminate cycles appear in N dil,d such that L N is not robustly diagnosable, as we have discussed in the previous section.
2) The transitions labeled with d influenced by intermittent loss of observations: We find that the existence of implicit indeterminate cycles in N dil,d also makes a language lose its robust diagnosability. Hence, we give a necessary and sufficient condition for language robust diagnosability and prove it.
3) The transitions labeled with b influenced by intermittent loss of observations: No more (explicit or implicit) indeterminate cycles exist in N dil,d this time. Language L N is robustly diagnosable. By analyzing these three situations, we have derived a necessary and sufficient condition for robust diagnosability. The situation in which any other transition is affected by the intermittent loss of observations always falls into one of the three above. Therefore, we do not spell them out anymore.
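The behaviour described in Example 3 and in the first situation above, as an added Python example that is not code from the paper: it builds a reachability diagnoser as the observer of the labelled reachability graph, dilates the transitions carrying a lossy label, and replays observed words. The net is constructed for illustration and is not the paper's Fig. 3; all place, transition and function names are assumptions.

```python
from collections import deque

# Constructed net (not the paper's Fig. 3): name -> (pre, post, label, is_fault).
# label None means the transition is unobservable (labelled with the empty word).
NET = {
    "t1":  ({"p0": 1}, {"p1": 1}, "z", False),
    "t2":  ({"p1": 1}, {"p2": 1}, "a", False),
    "t3":  ({"p2": 1}, {"p3": 1}, None, True),   # fault transition
    "t4":  ({"p3": 1}, {"p7": 1}, "a", False),
    "t5":  ({"p7": 1}, {"p6": 1}, "e", False),
    "t6":  ({"p3": 1}, {"p4": 1}, "b", False),
    "t7":  ({"p4": 1}, {"p6": 1}, "c", False),
    "t8":  ({"p1": 1}, {"p5": 1}, "b", False),
    "t9":  ({"p5": 1}, {"p6": 1}, "c", False),
    "t10": ({"p6": 1}, {"p6": 1}, "d", False),   # self-loop
}
M0 = {"p0": 1}

def dilate(net, lossy_labels):
    """Add an unobservable copy t' of every transition whose label may be lost."""
    out = dict(net)
    for name, (pre, post, label, fault) in net.items():
        if label in lossy_labels:
            out[name + "'"] = (pre, post, None, fault)
    return out

def fire(marking, pre, post):
    """Return the marking reached by firing, or None if the transition is not enabled."""
    m = dict(marking)
    for p, w in pre.items():
        if m.get(p, 0) < w:
            return None
        m[p] -= w
    for p, w in post.items():
        m[p] = m.get(p, 0) + w
    return frozenset((p, n) for p, n in m.items() if n > 0)

def reachability_graph(net, m0, limit=10_000):
    """Breadth-first reachability graph: marking -> [(label, is_fault, next_marking)]."""
    start = frozenset(m0.items())
    graph, queue = {start: []}, deque([start])
    while queue:
        m = queue.popleft()
        for pre, post, label, fault in net.values():
            nxt = fire(m, pre, post)
            if nxt is None:
                continue
            graph[m].append((label, fault, nxt))
            if nxt not in graph:
                if len(graph) >= limit:
                    raise ValueError("net looks unbounded; a bounded LPN is required")
                graph[nxt] = []
                queue.append(nxt)
    return start, graph

def closure(graph, states):
    """Unobservable reach of (marking, faulty) pairs; firing a fault sets the flag (Y)."""
    seen, stack = set(states), list(states)
    while stack:
        m, faulty = stack.pop()
        for label, fault, nxt in graph[m]:
            state = (nxt, faulty or fault)
            if label is None and state not in seen:
                seen.add(state)
                stack.append(state)
    return frozenset(seen)

def reachability_diagnoser(net, m0):
    """Observer of the labelled reachability graph: state -> {observed label: next state}."""
    start, graph = reachability_graph(net, m0)
    q0 = closure(graph, {(start, False)})
    diag, queue = {q0: {}}, deque([q0])
    while queue:
        q = queue.popleft()
        moves = {}
        for m, faulty in q:
            for label, fault, nxt in graph[m]:
                if label is not None:
                    moves.setdefault(label, set()).add((nxt, faulty or fault))
        for label, targets in moves.items():
            q2 = closure(graph, targets)
            diag[q][label] = q2
            if q2 not in diag:
                diag[q2] = {}
                queue.append(q2)
    return q0, diag

def verdict(net, m0, word):
    """Replay an observed word: 'N', 'Y', 'uncertain', or 'stuck' if a letter is not legal."""
    q, diag = reachability_diagnoser(net, m0)
    for label in word:
        if label not in diag[q]:
            return "stuck"
        q = diag[q][label]
    flags = {faulty for _m, faulty in q}
    return "uncertain" if len(flags) == 2 else ("Y" if True in flags else "N")
```

On this constructed net, `verdict(NET, M0, "zae")` and `verdict(NET, M0, "zbc")` replay faulty runs whose first a was lost against the undilated diagnoser; passing `dilate(NET, {"a"})` instead replays the same words against the robust one.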

VI. CONCLUSIONS
In this paper, we address the problem of robust diagnosability against intermittent loss of observations using LPNs. Communications between transitions (sensors) in a system and the diagnoser may sometimes fail, which makes the diagnoser get stuck or report incorrect information. With the help of a dilation operation, possible malfunctions between sensors and the diagnoser can be taken into account. We first summarize the definition of language diagnosability, indeterminate cycles, and robust diagnosability using automata. Then we extend the relevant definitions and theorems to the system modeled with LPNs. We introduce a dilation operation and a construction algorithm of robust reachability diagnoser using it. Two necessary and sufficient conditions C LPND and C LPNRD for language diagnosability and robust diagnosability generated by the system modeled with LPNs are derived. The proof of the relevant theorem is given. Thus, the robust diagnosability problem against intermittent loss of observations of language generated by LPNs can be solved.
The research is conducted under the framework of bounded LPNs. For unbounded LPNs, the construction complexity of their reachability graphs increases exponentially, which is difficult to cope with when using the reachability diagnosers introduced in this work. In fact, there is a more compact way of representing the reachable markings of an LPN and the relation between them, namely a basis reachability graph. Its applications to supervisory control and fault diagnosis under other settings [40]- [44] and performance in robust diagnosability analysis are worthy of further exploration [46].
This work is carried out based on a centralized diagnoser. In the future, the problem of robust co-diagnosability analysis with a decentralized architecture deserves to be explored further, i.e., whether or how the conclusion drawn in this work should be modified to apply to distributed systems. Meanwhile, fault events are assumed to be unobservable in this work. Suppose that some malicious attacks can change the behavior of a system, i.e., operations such as insertion, removal, and replacement of transition labels. In this case, deciding how to carry out the robust diagnosability analysis if a wrong symbol or label is observed from the fault event is worthy of consideration. It is of interest to consider the rumor propagation mechanism for fault diagnosis and propagation [45].