# Input/Output Switched Asynchronous Sequential Machines with Transient Faults

Jung-Min Yang and Seong Woo Kwak

Abstract—Robust model matching control of input/output switched asynchronous sequential machines is addressed in this paper. The control objective is to determine the existence condition and design algorithm for a corrective controller that can match the stable-state behavior of the closed-loop system to that of a reference model, while invalidating any transient faults that cause unauthorized state transitions. Switching operations and correction procedures are incorporated using output feedback so that the controlled switched machine can show the desired input/output behavior and fault tolerance. A matrix expression is presented to address reachability of switched asynchronous sequential machines with output equivalence with respect to a model. The proposed reachability condition for the existence of a controller and its design procedure are outlined in a simple example.

Index Terms—asynchronous sequential machines, switched systems, corrective control, fault tolerance.

# I. INTRODUCTION

Asynchronous sequential machines, or clockless logic circuits as they are often called, are hardware/software systems that operate sequentially with no global synchronizing clock [1]. Since first invented in mid 1950's [2], asynchronous sequential machines have been used in various areas as an important building block of the system, e.g., digital systems [3], communication networks [4], parallel computation [5], etc. Corrective control is a novel automatic control theory developed exclusively for asynchronous machines. It utilizes the unique feature of asynchronous machines that the speed of their transient transitions is very fast (in zero time, ideally). As long as the stable reachability is guaranteed from a given state to a desired state, a corrective controller can generate a control input sequence that drives the considered machine towards the desired state. With the aforementioned capability, corrective control has been successfully applied to compensating the stable-state behavior of a given asynchronous machine with various faulty behavior [6]-[9].

In this paper, we address the robust model matching problem of switched asynchronous sequential machines. The switched systems are a kind of hybrid systems that consist of several submachines and a rule that coordinates switching operations between them. Due to their importance in both

J.-M. Yang is with the School of Electronics Engineering, Kyungpook National University, Daegu, 41566, Republic of Korea. E-mail: jmyang@ee.knu.ac.kr.

S. W. Kwak is with the Department of Electronic Engineering, Keimyung University, Daegu, 42601, Republic of Korea. E-mail: ksw@kmu.ac.kr (corresponding author).

theoretical and practical applicability, the study of switched systems has drawn a great attention, especially in the field of linear systems [10]. In event-driven dynamics, however, few studies on switched systems have been reported so far. Notable among them are switched Boolean networks for gene regulatory networks [11] and control of switched asynchronous sequential machines by the author [12].

In the prior work [12], the problem of model matching for switched asynchronous sequential machines is investigated in the framework of corrective control wherein submachines have the characteristics of input/state machines, namely the present state is given as the output. Compared with the prior work [12], the contribution of the present study is summarized as follows.

- (i) In this study, we focus our concern on the case that submachines have the form of input/output machines whose output value is different from the present state [7]. In contrast to the case of switched machines with input/state submachines, the closed-loop system does not have to match the behavior of the model in terms of the input/state specification. Instead, model matching is regarded as complete if the controlled machine provides the same output as that of the reference model in response to a given external input. The necessary and sufficient reachability condition for the existence of an appropriate corrective controller will be addressed based on corrective control theory and asynchronous mechanism.
- (ii) We also consider the problem of fault tolerance for switched asynchronous machines. In particular, we assume that each submachine may suffer from a transient fault that causes an unauthorized state transitions to the submachine. In the case of controlling a single asynchronous sequential machine, the condition for tolerating this fault is that the machine must have potential reachability from the deviated state to the original state at which the fault occurs [13]. On the other hand, this condition is relaxed in the case of switched machines since there are other submachines that have the same state space as the faulty submachine. Hence fault tolerance is regarded as complete if the machine can return to an equivalent state of the original state in another submachine. A detailed analysis on fault tolerance capability is addressed in this paper.

The rest of this work is organized as follows. Section II provides a modeling formalism of input/output switched asynchronous machines with transient faults and the problem statement for model matching and robust corrective control. In Section III, we address stable reachability of input/output switched asynchronous machines in terms of Boolean matrices and the condition for corrective controllability that

The research of J.–M. Yang was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (No. 2015R1D1A1A01056764) and by the Ministry of Science, ICT and future Planning (No. 2015R1A2A1A15054026). The research of S. W. Kwak was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (No. 2016R1D1A1B02012959).

achieves both model matching and fault tolerance. A simple example is provided in Section IV to demonstrate the proposed methodology. Finally, Section V summarizes the paper.

# II. NOTATION AND BASIC

# A. Modeling

Let us consider a switched asynchronous sequential machine  $\Sigma$  with *m* submachines. Assume that each submachine is a single input/output asynchronous sequential machine, namely the present output of the machine is different from the state value.  $\Sigma$  is represented as

$$\Sigma = \{\Sigma_i | i \in M\}$$
  
 $\Sigma_i = (A, Y, X, x^0, f_i, h_i)$ 

where  $M := \{1, ..., m\}$ ,  $\Sigma_i$  is the *i*th submachine, A is the input set, Y is the output set, X is the state set with n states,  $x^0 \in X$  is the initial state,  $f_i : X \times A \to X$  is the state transition function partially defined on  $X \times A$ , and  $h_i : X \to Y$  is the output function. Since every submachine is assumed to have an equal operational domain, the input, state, and output sets of  $\Sigma_i$  are the same for every  $i \in M$ ; only  $f_i$  and  $h_i$  differ from one another. A is divided into

$$A = A_n \dot{\cup} A_d$$

where  $A_n$  is the set of normal inputs and  $A_d$  the set of adversarial inputs causing unauthorized state transitions.

Each submachine  $\Sigma_i$  is operated according to the characteristics of a single asynchronous sequential machine, that is, it is not governed by any synchronizing clock and the state transition is executed only in response to changes of external inputs. A state–input pair  $(x, v') \in X \times A$  is a stable pair of  $\Sigma_i$  if  $f_i(x, v') = x$  and x is a stable state. If  $f_i(x, v') \neq x$ , on the other hand, x is a transient state and (x, v') is a transient pair. Note that x may be stable or transient depending on the value of the present input. Denote by

$$U_i(x) := \{ v \in A | f_i(x, v) = x \}$$

the set of external inputs that make a stable pair with x in  $\Sigma_i$ . Owing to the absence of a synchronizing clock,  $\Sigma_i$  stays at a stable pair (x, v') indefinitely. If the input v' changes to another value v for which (x, v) is a transient pair,  $\Sigma_i$  engages in a series of transient transitions

$$f_i(x, v) = x_1$$
  
$$f_i(x_1, v) = x_2$$
  
:

where v remains fixed. Assuming no infinite cycles,  $\Sigma_i$  reaches the *next stable state*  $x_k$  such that  $x_k = f_i(x_k, v)$  at the end of the chain with k transient transitions. Since the transition speed of asynchronous sequential machines is very fast, the meaningful behavior of asynchronous sequential machines may be described merely in terms of stable states. To this end, we introduce the stable recursion function s as follows [6]:

$$s_i : X \times A \to X$$
  
 $s_i(x, v) = x'$ 

where x' is the next stable state of a valid state-input pair (x, v). A chain of transient transitions from a stable state to its next stable state, as represented by  $s_i$ , is termed a stable transition. The domain of  $s_i$  can be expanded to  $X \times A_n^+$  in a natural way as follows, where  $A_n^+$  is the set of all nonempty strings of characters in  $A_n$ .

$$s_i(x, v_1v_2 \cdots v_k) = s_i(s_i(x, v_1), v_2 \cdots v_k),$$
  
$$v_1v_2 \cdots v_k \in A_n^+.$$

# B. Closed-Loop System

Fig. 1 shows the architecture of the corrective control system for the switched asynchronous sequential machine  $\Sigma$ . Here, *C* is the corrective controller, *D* is the demultiplexer, *P* is the multiplexer,  $v \in A$  is the external input,  $u \in A$  is the control signal,  $\sigma \in M$  is the switching signal,  $y_i \in Y$ ,  $i \in M$ , is the output of  $\Sigma_i$ , and  $w_i \in A_d$ ,  $i \in M$ , is the adversarial input occurring to  $\Sigma_i$ . Let  $\Sigma_c$  denote the closed-loop system consisting of *C*, *D*, *P*, and  $\Sigma$ .



Fig. 1. Corrective control system for the switched asynchronous sequential machine  $\Sigma$ .

Since *C* is also designed in the form of an asynchronous sequential machine,  $\Sigma_c$  has the asynchronous mechanism. *C* provides  $\Sigma$  with *u* or  $\sigma$ , either of which is generated at a time, but not simultaneously. *D* plays the role of determining the *active submachine* whose dynamics is manifested by  $\Sigma$ . Upon receiving  $\sigma$ , *D* selects  $\Sigma_{\sigma}$  as the active submachine and delivers the present control signal *u* to  $\Sigma_{\sigma}$ . Hence changing  $\sigma$  equals the activation of switching operation. *P* receives *m* output feedback values from all submachines  $\Sigma_1, \ldots, \Sigma_m$  and selects *y*, the feedback value generated by  $\Sigma_{\sigma}$ . *P* forwards *y* and  $i \in M$ , the index of the active submachine, to *C*.

 $w_i$  represents a transient fault occurring to  $\Sigma_i$ .  $w_i$  forces  $\Sigma_i$  to undergo an unauthorized state transition. Unless corrected immediately, the next behavior of  $\Sigma$  would show unpredictable and violating behavior. Assume that  $w_i$  is defined at a state x of  $\Sigma_i$ . Then, the transient fault caused by  $w_i$  is described as follows.

$$s_i(x, w_i) = x$$

where x' is the deviated state reached from x as the result of the fault occurrence.

The control objective is to present the existence condition and design algorithm for a corrective controller *C* that not only invalidates all the transient faults, but also matches the stable-state behavior of  $\Sigma_c$  to that of a reference model

$$\Sigma' = (A, Y, Z, z^0, f', h').$$

Proceedings of the International MultiConference of Engineers and Computer Scientists 2017 Vol I, IMECS 2017, March 15 - 17, 2017, Hong Kong

Note that  $\Sigma'$  has the same input and output set as those of  $\Sigma$  whose (p,q) entry is defined as whereas its state set

$$Z = \{z_1, \ldots, z_r\}$$

differs from X. Accordingly, f' and h' have mapping relations  $f': Z \times A \rightarrow Z$  and  $h': Z \rightarrow Y$ . We also assume that h'is an injective function, namely each  $z \in Z$  corresponds to a distinctive output value.

We regard that model matching between  $\Sigma_c$  and  $\Sigma'$  is accomplished if two machines show the same input/output behavior, i.e., for an external input, they provide an identical output value. Moreover, each submachine  $\Sigma_i$  can serve as structural redundancy of  $\Sigma$  in model matching control. In the case of input/output control for single asynchronous machines [7], model matching is infeasible if the considered machine does not have enough reachability to realize the matched behavior with  $\Sigma'$ . However, the switched machine  $\Sigma$  can change its mode to another submachine whenever the active submachine does not have the required reachability, and can active the correction procedure to take the new active submachine toward the desired state. The foregoing property will be similarly applied to constructing fault-tolerant control mechanism.

To avoid unpredictable behaviors caused by the absence of a synchronizing clock, we assume that  $\Sigma_c$  always preserves the principle of fundamental mode operations [14] whereby a variable must change its value when both C and  $\Sigma$  are in stable states, and no two or more variables can be altered simultaneously.

# III. MAIN RESULT

#### A. Skeleton Matrices

We first introduce several skeleton matrices that are needed to describe stable reachability of switched machines for model matching control.

**Definition 1.** Given  $\Sigma' = (A, Y, Z, z^0, f', h')$  with the stable recursion function s', the one-step skeleton matrix  $S^{1}(\Sigma')$  is an  $r \times r$  matrix whose (p,q) entry is defined as

$$S_{p,q}^{1}(\Sigma') = \begin{cases} 1 & \exists v \in A_n \text{ such that } s'(x_p, v) = x_q \\ 0 & otherwise \end{cases}$$

 $S^{1}(\Sigma')$  epitomizes stable reachability of the model  $\Sigma'$  via unit input characters. Note that we have to consider only onestep stable reachability of  $\Sigma'$  since model matching control will be activated upon the transmission of an input character to  $\Sigma$  and  $\Sigma'$ .

**Definition 2.** Given  $\Sigma_i = (A, Y, X, x^0, f_i, h_i)$  and  $\Sigma' =$  $(A, Y, Z, z^0, f', h')$ , the output equivalence list of  $\Sigma_i$  with respect to  $\Sigma'$  is  $E(\Sigma_i, \Sigma') := \{E_1^i, \ldots, E_r^i\}$  where

$$E_p^i := \{x \in X | h_i(x) = h'(z_p)\}, \ p = 1, \dots, r.$$

 $E_p^i \in X$  represents the subset of X every element of which has the same output as  $z_p \in Z$ . If  $\Sigma_i$  and  $\Sigma'$  stay at  $x \in E_p^i$ and  $z_i$ , respectively, they are said to have output equivalence.

**Definition 3.** Given the output equivalence list  $E(\Sigma_i, \Sigma') =$  $\{E_1^i, \ldots, E_r^i\}$ , the fused skeleton matrix  $\Delta(i)$  is an  $r \times r$  matrix

$$\Delta_{p,q}(i) = \begin{cases} 1 & \forall x \in E_p^i, \exists x' \in E_q^i \text{ and } t \in A_n^+ \\ \text{ such that } s_i(x,t) = x' \\ 0 & \text{otherwise} \end{cases}$$

 $\Delta(i)$  depicts stable reachability of  $\Sigma_i$  in terms of elements of  $E(\Sigma_i, \Sigma')$ .  $\Delta_{p,q}(i) = 1$  if every state of  $E_p^i$  can reach at least a state of  $E_q^i$  via a chain of stable transitions  $(s_i(x_p, t) = x_q)$ . Note that the final state of  $E_q^i$  is unspecified since stable reachability between elements of  $E(\Sigma_i, \Sigma')$  is measured with respect to outputs, that is, any state of  $E_q^i$  shows identical output characteristic.

Switching capability of  $\Sigma$  implies the ability of  $\Sigma$  to change its mode from a submachine to another submachine at a specific stable state. In the prior work [12], a constraint is imposed on the switching operation that as the result of switching, the active submachine always takes the same state possessed by the previous submachine. In this study, we generalize the switching operation by relaxing the foregoing constraint. In other words, the new active submachine does not necessarily transfer to the same state at which the old one has stayed before switching. To address the switching relation between two submachines, we define the following matrix.

**Definition 4.** W(i, j), the switching incidence matrix of two submachines  $\Sigma_i$  and  $\Sigma_i$ , is an  $n \times n$  matrix whose (p,q) entry is

$$W_{p,q}(i,j) = \begin{cases} 1 & \Sigma \text{ switches the mode from } \Sigma_i \text{ at } x_p \\ & to \ \Sigma_j \text{ at } x_q \\ 0 & otherwise \end{cases}$$

W(i, j) represents switching capability of  $\Sigma$  in the most general way, that is, the state of the present submachine may differ from the previous one after switching. The motivation for introducing W(i, j) stems from the fact that some switched machines have multiple submachines that share the same system module to compose the state space. As the switching operation depends on this implementation restraint, the next state may be different from the previous one.

Note that for switching from  $\Sigma_i$  at  $x_p$  to  $\Sigma_j$  at  $x_q$ , there must exist an external input  $a \in A$  that makes a stable pair with both  $x_p$  of  $\Sigma_i$  and  $x_q$  of  $\Sigma_j$ , i.e.,

$$W_{p,q}(i,j) = 1 \Rightarrow U_i(x_p) \cap U_j(x_q) \neq \emptyset.$$
 (1)

Under the principle of fundamental mode operations,  $\Sigma_i$ should stay at the stable state  $x_p$  at the moment that the switching signal  $\sigma$  changes. Hence the present control signal is  $u \in U_i(x_p)$ . Moreover, u must also make a stable pair with  $x_a$  in  $\Sigma_i$ , namely  $u \in U_i(x_a)$ ; otherwise  $\Sigma_i$  could not maintain  $x_a$  upon completion of the switching operation. However, the condition  $u \in U_i(x_q)$  may not be always valid since u is determined only by the past state trajectory of  $\Sigma_i$ . Still, as long as  $U_i(x_p) \cap U_i(x_q) \neq \emptyset$  is held true, C can achieve the switching operation by changing the control signal to  $u' \in U_i(x_p) \cap U_i(x_q)$  right before transmitting the switching signal  $\sigma = j$ . In this sense, (1) is a requisite for guaranteeing consistent switching.

While the switching incidence matrix W(i, j) is defined based on states, it can be transformed into a matrix based on the entries of the output equivalence list as follows.

Proceedings of the International MultiConference of Engineers and Computer Scientists 2017 Vol I, IMECS 2017, March 15 - 17, 2017, Hong Kong

**Definition 5.** Let  $E(\Sigma_i, \Sigma')$  and  $E(\Sigma_j, \Sigma')$  be the output equivalence ist of  $\Sigma_i$  and  $\Sigma_j$  with respect to  $\Sigma'$ , and let W(i, j) be as defined in Definition 4. G(i, j), the switching incidence matrix of  $\Sigma_i$  and  $\Sigma_j$  with output equivalence with respect to  $\Sigma'$ , is an  $r \times r$  matrix whose (p, q) entry is

$$G_{p,q}(i,j) = \begin{cases} 1 & \forall x_{p'} \in E_p^i, \exists x_{q'} \in E_q^i \text{ s.t. } W_{p',q'}(i,j) = 1\\ 0 & otherwise \end{cases}$$

In short,  $\Delta(i)$  shows stable reachability of single submachines and G(i, j) provides switching capability of  $\Sigma$  between different submachines, both represented in terms of output equivalence with respect to  $\Sigma'$ . The following definition combines stable reachability and switching capability of  $\Sigma$  in one matrix expression.

**Definition 6.**  $\mathscr{C}^k(\Sigma)$ , the one-step switching skeleton matrix of  $\Sigma$  with output equivalence with  $\Sigma'$  (k = 1, 2, ...), is an  $rm \times rm$  matrix recursively defined as

$$\mathscr{C}^{1}(\Sigma) := \begin{pmatrix} \Delta(1) & G(1,2) & \cdots & G(1,m) \\ G(2,1) & \Delta(2) & \cdots & G(2,m) \\ \vdots & \vdots & \vdots & \vdots \\ G(m,1) & \cdots & \cdots & \Delta(m) \end{pmatrix}$$
$$\mathscr{C}^{k}(\Sigma) := \mathscr{C}^{k-1}(\Sigma) \times_{\mathscr{B}} \mathscr{C}^{1}(\Sigma)$$

where ' $\times_{\mathscr{B}}$ ' denotes the Boolean product of two Boolean matrices where logic AND and OR are used instead of multiplication and plus operations in the matrix product.

**Definition 7.**  $\Pi(\Sigma)$ , the switching skeleton matrix of  $\Sigma$  with output equivalence with  $\Sigma'$ , is an  $rm \times rm$  matrix defined as

$$\Pi(\Sigma) := \sum_{k=1}^{nm-1} {}_{+\mathscr{B}} \mathscr{C}^k(\Sigma)$$

where  $'+_{\mathscr{B}}'$  denotes the Boolean addition of two matrices.

 $\mathscr{C}^k(\Sigma)$  shows whether an element of the output equivalence list of a submachine can be reachable from another element of the output equivalence list of another submachine in exactly k steps. Here, "one-step" implies that  $\Sigma$  takes either one switching operation or a chain of stable transitions.  $\Pi(\Sigma)$  is a generalized description of stable reachability for the switched asynchronous sequential machine  $\Sigma$  interpreted in term of output equivalence with respect to the given model  $\Sigma'$ . Not only does  $\Pi(\Sigma)$  represent stable reachability within each submachine, it also elucidates whether a state of a submachine can be reached from another state of a different submachine by a combination of stable transitions and switching operations wherein both start and final state are represented as entries of the corresponding output equivalence list. Since  $\Sigma$  has *nm* states in total, any state in  $\Sigma$  can be reached within nm - 1 steps of switching and correction procedures. Hence  $\mathscr{C}^1(\Sigma), \ldots, \mathscr{C}^{nm-1}(\Sigma)$  are sufficient to express the entire reachability of  $\Sigma$ .

Note that  $E_j^i \in E(\Sigma_i, \Sigma')$ , or the *j*th entry of the output equivalence list of  $\Sigma_i$ , has the *j*th position of the *i*th block of  $\mathscr{C}^k(\Sigma)$  and  $\Pi(\Sigma)$ . Denoting by  $\theta_j^i \in \{1, \ldots, rm\}$  the index of  $E_i^i$ , we have

$$\theta_j^i = (i-1)r + j. \tag{2}$$

# B. Model Matching

Remind that for  $\Sigma'$  with its state set  $Z = \{z_r, \ldots, z_r\}$ , the output equivalence list of submachine  $\Sigma_i$  is denoted by  $E(\Sigma_i, \Sigma') = \{E_1^i, \ldots, E_r^i\}, i = 1, \ldots, m$ . Hence for each  $z_j \in Z$ , we have *m* equivalent subsets of states, namely  $E_1^i, \ldots, E_j^m$ .

**Definition 8.** Given  $\Sigma$  and  $\Sigma'$ ,  $\Phi$ , a subordinate state list with output equivalence with respect to  $\Sigma'$ , is

$$\Phi := \{ x_j \in E_j^{\iota_j} | i_j \in M, j = 1, \dots, r \}.$$

 $K(\Phi)$ , the skeleton matrix of  $\Phi$ , is an  $r \times r$  matrix whose (p,q) entry is defined as  $(p,q \in \{1,...,r\})$ 

$$K_{p,q}(\Phi) := \prod_{p',q'}(\Sigma)$$

where  $\Pi(\Sigma)$  is the switching skeleton matrix of  $\Sigma$  with output equivalence with  $\Sigma'$  introduced in Definition 7, and  $p' = \theta_p^{i_p}$  and  $q' = \theta_q^{i_q}$  (see (2)).

 $\Phi$  consists of *r* states, each state  $x_j$  taken from an entry  $E_j^{i_j}$  of the output equivalence list of  $\Sigma_{i_j}$ .  $i_j$  implies that submachine  $\Sigma_{i_j}$  having the entry  $E_j^{i_j}$  may differ from each  $z_j$ . In other words,  $\Phi$  represents a collection of *r* states that are output equivalent with *Z*, while elements of  $\Phi$  may belong to different submachines.

Using  $\Phi$  and the skeleton matrices defined in the previous discussion, we now present the existence condition for a corrective controller that solves the model matching problem between  $\Sigma_c$  and  $\Sigma'$ .

**Theorem 1.** Given the switched asynchronous sequential machine  $\Sigma$  and the model  $\Sigma'$ , a corrective controller C in Fig. 1 exists that matches the stable-state behavior of  $\Sigma_c$  to that of  $\Sigma'$  if and only if a subordinate state list  $\Phi = \{x_j \in E_i^i | i_j \in M, j = 1, ..., r\}$  exists for which

$$K(\Sigma') \leqslant K(\Phi). \tag{3}$$

Condition (3) means that  $\Sigma$  possesses a subordinate state list  $\Phi = \{x_1, \ldots, x_r\}$  whose stable reachability is greater than the model  $\Sigma'$ . Provided that (3) is valid, assume  $K_{p,q}(\Sigma') = 1$ for some  $p, q \in \{1, \ldots, r\}$ , which implies that  $\Sigma'$  has a stable transition from  $z_p$  to  $z_q$ . But since  $K(\Sigma') \leq K(\Phi)$ ,  $K_{p,q}(\Phi) =$ 1. According to Definition 8, the latter leads to  $\Pi_{p',q'}(\Sigma)$  with  $p' = (i_p - 1)r + p$  and  $q' = (i_q - 1)r + q$ , which means that  $x_p \in \Phi$  of  $\Sigma_{i_p}$  can be reached to  $x_q \in \Phi$  of  $\Sigma_{i_q}$  through a sequence of switching operations and correction procedures. Hence we can design a controller module that realizes the corresponding feedback path.

### C. Fault Tolerance

Provided that a subordinate state list exists that satisfies condition (3) of Theorem 1, we now consider the problem of fault tolerance against transient faults. In a similar way to  $\Delta(i)$ , we can interpret the characteristics of all unauthorized state transitions from the input/output viewpoint and express them by an  $r \times r$  matrix  $K^d(\Sigma_i)$  whose (p, q) entry is defined as

$$K_{p,q}^{d}(\Sigma_{i}) = \begin{cases} 1 & \exists w_{i} \in A_{d}, \exists x \in E_{p}^{i}, \exists x' \in E_{q}^{i} \\ & \text{such that } s_{i}(x, w_{i}) = x' \\ 0 & \text{otherwise} \end{cases}$$

Proceedings of the International MultiConference of Engineers and Computer Scientists 2017 Vol I, IMECS 2017, March 15 - 17, 2017, Hong Kong

If  $K_{p,q}^d(\Sigma_i) = 1$ ,  $\Sigma_i$  may experience an unauthorized state transition such that the output value is changed from  $h'(z_q)$  to from  $h'(z_q)$ . Fault recovery against this unauthorized transition implies that  $\Sigma_i$  should be controlled to a state that provides the original output value  $h'(z_p)$ .

Meanwhile, recall that  $\Sigma$  must have a subordinate state list  $\Phi = \{x_j \in E_j^{i_j} | i_j \in M, j = 1, ..., r\}$  satisfying condition (3) of Theorem 1 to solve the model matching problem. This means that during the entire operation,  $\Sigma$  will have only an element of  $\Phi$  as its stable state. Hence we do not have to consider adversarial inputs that are not defined at the states of  $\Phi$ . Further, even though fault tolerance may be regarded as complete if the machine returns to a state that is output equivalent to the original state, in our problem setting the machine must return to the exact state at which it has stayed at the moment of fault tolerance to maintain model matching with  $\Sigma'$ .

To describe the fault situation for  $\Phi$ , we define the following fault indicator set:

**Definition 9.** For  $x_j \in \Phi$  with  $x_j \in E_j^{i_j}$  (i.e.,  $x_j$  is a state of submachine  $\Sigma_{i_j}$  having the output  $h'(z_j)$ ),  $D(x_j) \subset X$  is a subset of X such that

$$\forall x_k \in D(x_j), \exists w \in A_d \text{ s.t. } s_{i_j}(x_j, w) = x_k.$$

According to the above definition, if  $D(x_j) \neq \emptyset$ ,  $\Sigma_{i_j}$  can undergo an unauthorized state transition from  $x_j$  to  $x_k$ . To overcome this fault in the framework of corrective control,  $x_j$  must be stably reachable from  $x_k$  through a chain of stable transitions by a normal input string [6]. The former is addressed as follows.

$$\forall x_k \in D(x_j), \ \exists t \in A_n^+ \text{ s.t. } s_{i_j}(x_k, t) = x_j.$$
(4)

We combine condition (4) and Theorem 1 to induce the existence condition for a corrective controller that solves both model matching and fault tolerance. The following theorem is the main discussion of this paper.

**Theorem 2.** Given the switched asynchronous sequential machine  $\Sigma$  and the model  $\Sigma'$ , a corrective controller C in Fig. 1 exists that matches the stable-state behavior of  $\Sigma_c$  to that of  $\Sigma'$  while invalidating all the transient faults if and only if a subordinate state list  $\Phi = \{x_j \in E_j^{i_j} | i_j \in M, j = 1, ..., r\}$  exists for which the following two conditions are valid.

(i) 
$$K(\Sigma') \leq K(\Phi)$$
; and

(ii) 
$$\forall j = 1, \ldots, r, \ \forall x_k \in D(x_j), \ \exists t \in A_n^+ \ s.t. \ s_{i_j}(x_k, t) = x_j.$$

After constructing each controller module for all stable transitions of  $\Sigma'$  and all unauthorized state transitions characterized by  $D(x_j)$ 's, the overall controller *C* is completed by assembling each controller module using *join* operation [8] that combines two corrective controller modules. A detailed algorithm for constructing *C* is omitted in this study.

#### IV. Illustrative Example

Consider a simple switched asynchronous sequential machine  $\Sigma = {\Sigma_1, \Sigma_2}$  ( $M = {1, 2}$ ) shown in Fig. 2, where  $X = {x_1, x_2, x_3}$  with  $x^0 := x_1$ ,  $A_n = {a, b, c}$ ,  $A_d = {w_1, w_2}$ , and  $Y = {1, 2, 3}$ . The output of each state is marked after dash '/' in the figure. For simplicity, we set  $f_i(x, v) = s_i(x, v)$  for all i = 1, 2 and  $(x, v) \in X \times A$ . Solid arrows represent state transitions in submachines and dashed arrows switching

ISBN: 978-988-14047-3-2 ISSN: 2078-0958 (Print); ISSN: 2078-0966 (Online)



Fig. 2. State flow diagram of  $\Sigma = {\Sigma_1, \Sigma_2}$ .



Fig. 3. State flow diagram of  $\Sigma'$ .

capability between  $\Sigma_1$  and  $\Sigma_2$ . Fig. 3 shows the state flow diagram of the model  $\Sigma$ , where the state set is  $Z = \{z_1, z_2, z_3\}$ .

First, we derive the output equivalence list of  $\Sigma_1$  and  $\Sigma_2$  with respect to  $\Sigma'$ .

$$E(\Sigma_1, \Sigma') = (E_1^1, E_2^1, E_3^1) = (\{x_1, x_2\}, \{x_3\}, \emptyset)$$
  

$$E(\Sigma_2, \Sigma') = (E_1^2, E_2^2, E_2^2) = (\{x_1, x_2\}, \emptyset, \{x_3\}).$$

Next, referring to Figs. 2 and 3, we compute the fused skeleton matrix and switching incidence matrix as follows.

$$\Delta(1) = \begin{pmatrix} 1 & 1 & 0 \\ 1 & 1 & 0 \\ 0 & 0 & 0 \end{pmatrix}$$
$$\Delta(2) = \begin{pmatrix} 1 & 0 & 1 \\ 0 & 0 & 0 \\ 1 & 0 & 1 \end{pmatrix}$$
$$G(1,2) = \begin{pmatrix} 0 & 0 & 1 \\ 0 & 0 & 0 \\ 0 & 0 & 0 \end{pmatrix}$$
$$G(2,1) = \begin{pmatrix} 0 & 0 & 0 \\ 0 & 0 & 0 \\ 0 & 1 & 0 \end{pmatrix}$$

The one-step switching skeleton matrix  $\mathscr{C}^1(\Sigma)$  is derived as

Proceedings of the International MultiConference of Engineers and Computer Scientists 2017 Vol I, IMECS 2017, March 15 - 17, 2017, Hong Kong

The one-step skeleton matrix  $S^{1}(\Sigma')$  of the model  $\Sigma'$  is computed as

$$S^{1}(\Sigma') = \begin{pmatrix} 1 & 1 & 1 \\ 1 & 1 & 1 \\ 1 & 1 & 1 \end{pmatrix}$$

To determine the existence of a corrective controller for model matching between  $\Sigma$  and  $\Sigma'$ , we compute  $\mathscr{C}^k(\Sigma)$ ,  $k = 2, \ldots, 5$ , so as to derive the switching skeleton matrix  $\Pi(\Sigma)$ according to Definitions 6 and 7.

$$\Pi(\Sigma) = \begin{pmatrix} 1 & 1 & 0 & 1 & 0 & 1 \\ 1 & 1 & 0 & 1 & 0 & 1 \\ 0 & 0 & 0 & 0 & 0 & 0 \\ 1 & 1 & 0 & 1 & 0 & 1 \\ 0 & 0 & 0 & 0 & 0 & 0 \\ 1 & 1 & 0 & 1 & 0 & 1 \end{pmatrix}$$

Referring to the above result, take a subordinate state list  $\Phi$  as follows.

$$\Phi = \{ x_1 \in E_1^1, x_3 \in E_2^1, x_3 \in E_3^2 \}.$$

The corresponding index set of  $\Phi$  is  $\{1, 2, 6\}$ . Finally, by Definition 8, we derive the skeleton matrix  $K(\Phi)$  of  $\Phi$  as

$$K(\Phi) = \begin{pmatrix} 1 & 1 & 1 \\ 1 & 1 & 1 \\ 1 & 1 & 1 \end{pmatrix}$$

For instance,  $K_{1,3}(\Phi) = \Pi_{1,6}(\Sigma) = 1$  and  $K_{3,2}(\Phi) = \Pi_{6,2}(\Sigma) = 1$ . Clearly, since  $\Phi$  satisfies condition (3), by Theorem 1 a corrective controller *C* can be designed that solves the model matching problem between  $\Sigma$  and  $\Sigma'$ .

To consider fault tolerance, we derive the fault indicator set  $D(x_i)$  according to Definition 9 as follows.

$$\Sigma_1 :: D(x_1) = \{x_3\}$$
$$D(x_2) = D(x_3) = \emptyset$$
$$\Sigma_2 :: D(x_3) = \{x_1\}$$
$$D(x_1) = D(x_2) = \emptyset.$$

Referring to Fig. 2, it is clear that  $s_1(x_3, a) = x_1$  and  $s_2(x_1, c) = x_3$ . Therefore, condition (4) is held true and by Theorem 2 a corrective controller exists that solves model matching as well as fault tolerance, and the subordinate state list  $\Phi$  derived above can be still used to realize fault-tolerant control procedures.

# V. CONCLUSION

In this paper, we have presented a control theoretic strategy for model matching and fault tolerance of a class of switched asynchronous sequential machines. When switched asynchronous sequential machines are endowed with submachines having the form of input/output machines, their reachability are described in terms of output equivalence with respect to a given model. We have addressed that stable reachability and switching capability of switched asynchronous sequential machines can be represented by matrix expressions, which leads to the existence condition for a corrective controller solving the problem of model matching and fault tolerance against transient faults. The examination of the controller existence has been provided in the illustrative example.

#### References

- J. Sparsø and S. Furber, Principles of Asynchronous Circuit Design A Systems Perspective, Kluwer Academic Publishers, 2001.
- [2] D. A. Huffman, "The synthesis of sequential switching circuits," J. Franklin. Inst., vol. 257, pp. 161–190, 1954.
- [3] S. H. Unger, "Hazards, critical races, and metastability," *IEEE Trans. Computers*, vol. 44, no. 6, pp. 754–768, 1995.
- [4] M. Schwartz, *Broadband Integrated Networks*, New Jersey: Prentice Hall, 1996.
- [5] P. D. Hough, T. G. Kolda, and V. J. Torczon, "Asynchronous parallel pattern search for nonlinear optimization," *SIAM J. Sci. Comput.*, vol. 23, no. 1, pp. 134–156, 2001.
- [6] T. E. Murphy, X. Geng, and J. Hammer, "On the control of asynchronous machines with races," *IEEE Trans. Autom. Control*, vol. 48, no. 6, pp. 1073–1081, 2003.
- [7] X. Geng and J. Hammer, "Input/output control of asynchronous sequential machines," *IEEE Trans. Autom. Control*, vol. 50, no. 12, pp. 1956–1970, 2005.
- [8] N. Venkatraman and J. Hammer, "On the control of asynchronous sequential machines with infinite cycles," *Int. J. Control*, vol. 79, no. 7, pp. 764–785, 2006.
- [9] X. Xu and Y. Hong, "Matrix approach and model matching of asynchronous sequential machines," *IEEE Trans. Autom. Control*, vol. 58, no. 11, pp. 2974–2979, 2013.
- [10] Z. Sun and S. S. Ge, Switched Linear Systems: Control and Design, London: Springer-Verlag, 2006.
- [11] L. Zhang and J. Feng, "Controllability and observability of switched Boolean control networks," *IET Control Theory Appl.*, vol. 6, no. 16, pp. 2477–2484, 2012.
- [12] J.-M. Yang, "Modeling and control of switched asynchronous sequential machines," *IEEE Trans. Autom. Control*, vol. 61, no. 9, pp. 2714– 2719, 2016.
- [13] J.-M. Yang and S. W. Kwak, "Corrective control for transient faults with application to configuration controllers," *IET Control Theory Appl.*, vol. 9, no. 8, pp. 1213–1220, 2015.
- [14] Z. Kohavi and N. K. Jha, Switching and Finite Automata Theory, 3rd ed., Cambridge University Press: Cambridge, UK, 2010.