On Robust Reachability of Input/State Switched Asynchronous Sequential Machines

Seong Woo Kwak$^1$ and Jung-Min Yang$^2$

$^1$Department of Electronic Engineering, Keimyung University, 1095 Dalgubeol-daero, Dalseogu, Daegu, 42601, Korea
$^2$School of Electronics Engineering, Kyungpook National University, 80 Daehakro, Bukgu, Daegu, 41566, Korea

Keywords: Asynchronous Sequential Machines, Switched Systems, Robust Reachability, Fault Tolerance.

Abstract: Switched asynchronous sequential machines are composite systems consisting of a number of single asynchronous machines, or submachines, and a rule that orchestrates switching operations between submachines. In this paper, we investigate robust reachability of switched asynchronous machines. If all submachines share the same state space, the switched machine can be used for fault recovery against any unauthorized state transition caused by a transient fault. The robust reachability of switched asynchronous machines is addressed in terms of simple matrix expressions. The use of robust reachability in fault-tolerant corrective control is also outlined.

1 INTRODUCTION

Asynchronous sequential machines are hardware/software systems that operate sequentially with no global synchronizing clock (Sparsø and Furber, 2001). Since their invention in the mid-1950s (Huffman, 1954), asynchronous sequential machines have been used in various areas as an important building block of larger systems, e.g., digital systems (Unger, 1995), communication networks (Schwartz, 1996), parallel computation, etc. It is also expected that the notion and control of asynchronous sequential machines can be applied to systems biology and bioinformatics (Hammer, 1995; Saadatpour, Albert, and Albert, 2010), as biological systems are inherently asynchronous and their state space can be expressed in discrete dynamics, which fits the mechanism of asynchronous machines.

In this paper, we address robust reachability of switched asynchronous sequential machines. Switched systems are a kind of hybrid system consisting of several submachines and a rule that coordinates switching operations between them. Owing to their theoretical and practical importance, switched systems have drawn a great deal of attention, especially in the field of linear systems (Sun and Ge, 2006). In event-driven dynamics, however, few studies on switched systems have been reported so far. Notable among them are switched Boolean networks for gene regulatory networks (Zhang and Feng, 2012) and control of switched asynchronous sequential machines by the authors (Yang, 2016).

In the prior work (Yang, 2016), the problem of model matching for switched asynchronous sequential machines is investigated in the framework of corrective control, a novel automatic control theory developed exclusively for asynchronous machines (Murphy, Geng, and Hammer, 2003). The control objective in Yang (2016) is to elucidate the existence condition and design algorithm for a corrective controller that matches the stable-state behavior of the closed-loop system to that of a prescribed reference model. In the present study, we are concerned with fault-tolerant controllability of switched asynchronous machines. We assume that the considered switched machine may suffer from transient faults (Krishna and Shin, 1997). Transient faults cause unauthorized state transitions in the machine, making its subsequent behavior unpredictable if not recovered. Note that our study can also be applied to intermittent faults. While the adverse effect of a transient fault vanishes immediately after the fault occurrence, that of an intermittent fault lasts for a finite time. Hence, once an asynchronous machine undergoes an unauthorized transition due to an intermittent fault, it cannot return to the original state immediately, and a more rigorous fault-tolerance procedure is needed.

In this paper, we derive and quantify the inherent reachability of switched asynchronous sequential machines necessary to overcome both transient and intermittent faults. We show that, compared with the case of transient faults, the switched machine must have more reachability to tolerate the effect of intermittent faults. Though this reachability analysis is a requisite for designing a fault-tolerant corrective controller, in this study we omit the controller construction and instead outline the correction procedure as a remark.

The rest of this work is organized as follows. Section 2 provides a modeling formalism of switched asynchronous sequential machines with transient faults. In Section 3, the reachability of switched asynchronous machines is described in terms of numerical matrices and the condition for fault-tolerant controllability is addressed. A simple example is provided in Section 4 to support the proposed methodology. Finally, Section 5 concludes the paper.

2 PRELIMINARIES

2.1 Switched Asynchronous Sequential Machines

Let us consider a switched asynchronous sequential machine $\Sigma$ with $m$ submachines. Assume that each submachine is a single input/state asynchronous sequential machine, namely a machine whose present state is given as its output. $\Sigma$ is represented as

$$\Sigma = \{\Sigma_i | i \in M\}$$

$$\Sigma_i = (A, X, f_i)$$

where $M = \{1, \ldots, m\}$, $\Sigma_i$ is the $i$th submachine, $A$ is the input set, $X$ is the state set with $n$ states, and $f_i : X \times A \rightarrow X$ is the state transition function of $\Sigma_i$, partially defined on $X \times A$. Since every submachine is assumed to have an equal operational domain, the input and state sets of $\Sigma_i$ are the same for every $i \in M$. $A$ is further divided into $A = A_n \sqcup A_d$, where $A_n$ and $A_d$ are the sets of normal and adversarial inputs, respectively.

Each submachine $\Sigma_i$ is operated according to the characteristics of a single asynchronous sequential machine, that is, it is not governed by any synchronizing clock and the state transition is executed only in response to changes of external inputs. A state–input pair $(x, x') \in X \times A$ is a stable pair of $\Sigma_i$ if $f_i(x, x') = x$ and $x$ is a stable state. If $f_i(x, x') \neq x$, on the other hand, $x$ is a transient state and $(x, x')$ is a transient pair. Note that $x$ may be stable or transient depending on the value of the present input. Denote by

$$U_i(x) = \{ v \in A_n | f_i(x, v) = x \}$$

the set of normal inputs that make a stable pair with $x$ in $\Sigma_i$. Owing to the absence of a synchronizing clock, $\Sigma_i$ stays at a stable pair $(x, x')$ indefinitely. If the input $x'$ changes to another value $v$ for which $(x, v)$ is a transient pair, $\Sigma_i$ engages in a series of transient transitions $f_i(x, v) = s_1, f_i(s_1, v) = s_2, \ldots$ where $v$ remains fixed. Assuming no infinite cycles, $\Sigma_i$ reaches the next stable state $x_k$ such that $x_k = f_i(x_k, v)$ at the end of the chain of $k$ transient transitions. Since the transition speed of asynchronous sequential machines is very fast, the meaningful behavior of asynchronous sequential machines may be described only in terms of stable states. To this end, we introduce the stable recursion function $s_i$ as follows (Murphy et al., 2003): $s_i : X \times A \rightarrow X$, and $s_i(x, v) = x'$ where $x'$ is the next stable state of a valid state–input pair $(x, v)$. A chain of transient transitions from a stable state to its next stable state, as represented by $s_i$, is termed a stable transition. The domain of $s_i$ can be expanded to $X \times A^+$ in a natural way as follows, where $A^+$ is the set of all nonempty strings of characters in $A$.

$$s_i(x, v_1v_2\cdots v_k) = s_i(s_i(x, v_1), v_2\cdots v_k), \quad v_1v_2\cdots v_k \in A^+$$

2.2 Control Configuration

A control configuration for the switched asynchronous sequential machine $\Sigma$ with transient faults is shown in Figure 1. $C$ is the corrective controller, also designed in the form of an asynchronous sequential machine. $C$ provides $\Sigma$ with the control signal $u \in A_n$ or the switching signal $\sigma \in M$, one at a time but never both simultaneously. The control input is delivered to $D$, the demultiplexer. $D$ plays the role of determining the active submachine whose dynamics is manifested by $\Sigma$; this is realized by changing the value of $\sigma$. Whenever $\sigma$ is changed to a new value in $M$, $D$ gives the new active submachine the control signal $u$, which can be interpreted as the switching operation. $P$, the multiplexer, receives $m$ state feedback values from all submachines $\Sigma_1, \ldots, \Sigma_m$ and selects $x$, the feedback value generated by the active submachine $\Sigma_i$. $P$ forwards $x$ and $i \in M$, the index of the active submachine, to $C$. Let $\Sigma_c$ denote the closed-loop system consisting of $C, D, P$, and $\Sigma$.

In Figure 1, $v \in A_n$ is the external input and $w_1, \ldots, w_m \in A_d$ are the adversarial inputs occurring in $\Sigma_1, \ldots, \Sigma_m$, respectively. When $w_i$ occurs, $\Sigma_i$ experiences an unauthorized state transition. For instance, if the active submachine of $\Sigma$ is $\Sigma_i$ staying at a stable state $x$ at which $w_i$ is defined, $\Sigma_i$ is forced to reach $s_i(x, w_i)$ as the result of the fault. If an immediate fault recovery to the original state is not conducted, the subsequent behavior of $\Sigma$ with respect to the new external input would show incorrect state/input behavior. Thus the objective of fault diagnosis and tolerance is that the corrective controller $C$ must be designed such that the closed-loop system $\Sigma_c$ achieves instantaneous fault recovery upon diagnosing an occurrence of a fault.

One point to bear in mind is that immediate fault recovery is impossible when the fault shows intermittent characteristics. When $w_i$ represents an intermittent fault, $\Sigma_i$ cannot return to $x$ upon diagnosing an occurrence of $w_i$. But since $\Sigma$ has $m$ submachines and each submachine has the same state space $X$, we can regard fault tolerance as achieved if $\Sigma$ returns to the state $x$ of another submachine. Whether $\Sigma$ has such robust reachability will be discussed in detail in the next section. To avoid unpredictable behaviors caused by the absence of a synchronizing clock, we assume that $\Sigma_i$ always preserves the principle of fundamental mode operations (Kohavi and Jha, 2010), whereby a variable may change its value only when both $C$ and $\Sigma$ are in stable states, and no two or more variables can be altered simultaneously.

3 ROBUST REACHABILITY

3.1 Skeleton Matrix

Assuming $|X| = n$, we denote the state set by $X = \{x_1, \ldots, x_n\}$. Reachability of switched asynchronous sequential machines is classified into two aspects: (i) stable reachability of each submachine, and (ii) switching capability between different submachines. In corrective control of single asynchronous machines, reachability of a machine is described by a Boolean matrix, termed the skeleton matrix (Murphy et al., 2003; Peng and Hammer, 2012), as follows.

**Definition 1.** $K(\Sigma_i)$, the skeleton matrix of $\Sigma_i = (A, X, f_i)$, is an $n \times n$ matrix whose $(p, q)$ entry is

$$K_{pq}(\Sigma_i) = \begin{cases} 1 & \exists t \in A^+_n \text{ s.t. } x_q = s_i(x_p, t) \\ 0 & \text{otherwise} \end{cases}$$

If $K_{pq}(\Sigma_i) = 1$, a corrective controller can be constructed that takes $\Sigma_i$ from $x_p$ toward $x_q$ in the asynchronous mechanism using an input string $t \in A^+_n$ such that $x_q = s_i(x_p, t)$. For a detailed procedure of controller construction, the readers are referred to Murphy et al. (2003); Peng and Hammer (2012).

Switching capability of $\Sigma$ implies the ability of $\Sigma$ to change its mode from a submachine to another submachine at a specific stable state. In the prior work (Yang, 2016), a constraint is imposed on the switching operation that as the result of switching, the active submachine always takes the same state possessed by the previous submachine. In this study, we generalize the switching operation by relaxing the foregoing constraint. In other words, the new active submachine does not necessarily transfer to the same state at which the old one has stayed before switching. To address the switching relation between two submachines, we define the following matrix.

**Definition 2.** $W(i, j)$, the switching incidence matrix of two submachines $\Sigma_i$ and $\Sigma_j$, is an $n \times n$ matrix whose $(p, q)$ entry is

$$W_{pq}(i, j) = \begin{cases} 1 & \Sigma \text{ switches the mode from } \Sigma_i \text{ at } x_p \text{ to } \Sigma_j \text{ at } x_q \\ 0 & \text{otherwise} \end{cases}$$

$W(i, j)$ represents switching capability of $\Sigma$ in the most general way, that is, the state of the present submachine may differ from the previous one after switching. The motivation for introducing $W(i, j)$ stems from the fact that some switched machines have multiple submachines that share the same system module to realize the state space. As the switching operation depends on this implementation restraint, the next state may be different from the previous one.

Note that for switching from $\Sigma_i$ at $x_p$ to $\Sigma_j$ at $x_q$, there must exist an input $a \in A_n$ that makes a stable pair with both $x_p$ of $\Sigma_i$ and $x_q$ of $\Sigma_j$, i.e.,

$$W_{pq}(i, j) = 1 \Rightarrow U_i(x_p) \cap U_j(x_q) \neq \emptyset \quad (1)$$

Under the principle of fundamental mode operations, $\Sigma_i$ should stay at the stable state $x_p$ at the moment that the switching signal $\sigma$ changes. Hence the present control signal is $u \in U_i(x_p)$. Moreover, $u$ must also make a stable pair with $x_q$ in $\Sigma_j$, namely $u \in U_j(x_q)$; otherwise $\Sigma_j$ could not maintain $x_q$ upon completion of the switching operation. However, the condition $u \in U_j(x_q)$ may not always hold, since $u$ is determined only by the past state trajectory of $\Sigma$. Still, as long as $U_i(x_p) \cap U_j(x_q) \neq \emptyset$ holds, $C$ can achieve the switching operation by changing the control signal to $u' \in U_i(x_p) \cap U_j(x_q)$ right before transmitting the switching signal $\sigma = j$. In this sense, (1) is a requisite for guaranteeing consistent switching.

The following definitions depict stable reachability and switching capability of \( \Sigma \) in a single matrix, respectively.

**Definition 3.** \( K(\Sigma) \), the skeleton matrix of \( \Sigma \) for submachines, is an \( nm \times nm \) matrix defined as

\[
K(\Sigma) = \begin{pmatrix}
K(\Sigma_1) & 0_{n\times n} & \cdots & 0_{n\times n} \\
0_{n\times n} & K(\Sigma_2) & \cdots & 0_{n\times n} \\
\vdots & \vdots & \ddots & \vdots \\
0_{n\times n} & 0_{n\times n} & \cdots & K(\Sigma_m)
\end{pmatrix}
\]

\( W(\Sigma) \), the switching incidence matrix of \( \Sigma \), is an \( nm \times nm \) matrix defined as

\[
W(\Sigma) = \begin{pmatrix}
0_{n\times n} & W(1,2) & \cdots & W(1,m) \\
W(2,1) & 0_{n\times n} & \cdots & W(2,m) \\
\vdots & \ddots & \ddots & \vdots \\
W(m,1) & \cdots & W(m,m-1) & 0_{n\times n}
\end{pmatrix}
\]

**Definition 4.** The one-step switching skeleton matrix \( S^1(\Sigma) \) is an \( nm \times nm \) Boolean matrix defined as

\[
S^1(\Sigma) = \begin{pmatrix}
K(\Sigma_1) & W(1,2) & \cdots & W(1,m) \\
W(2,1) & K(\Sigma_2) & \cdots & W(2,m) \\
\vdots & \ddots & \ddots & \vdots \\
W(m,1) & \cdots & W(m,m-1) & K(\Sigma_m)
\end{pmatrix}
\]

The \( k \)-step switching skeleton matrix \( S^k(\Sigma) \) \((k \geq 2)\) is recursively defined as

\[
S^k(\Sigma) = S^{k-1}(\Sigma) \otimes S^1(\Sigma)
\]

where \( \otimes \) denotes the Boolean product of two Boolean matrices, in which logical AND and OR replace multiplication and addition in the ordinary matrix product.

**Definition 5.** The combined switching skeleton matrix \( Z(\Sigma) \) of the switched asynchronous sequential machine \( \Sigma \) is an \( nm \times nm \) Boolean matrix defined as

\[
Z(\Sigma) = S^1(\Sigma) \oplus S^2(\Sigma) \oplus \cdots \oplus S^{nm-1}(\Sigma)
\]

where \( \oplus \) denotes the Boolean addition (entry-wise logical OR) of two matrices.

Note that in the above definitions, state \( x_p \) \((p \in \{1, \ldots, n\})\) of the \( i \)th submachine \( \Sigma_i \) is assigned the index \( p' \in \{1, \ldots, nm\} \) such that

\[
p' = (i-1)n + p
\]

\( K(\Sigma) \) just assembles the stable reachability of all the submachines. Referring to Definition 3, \( K(\Sigma) \) does not contain any reachability information between different submachines. If \( K_{p',q'}(\Sigma) = 1 \) for some \( p', q' \in \{1, \ldots, nm\} \) with \( p' = (i-1)n + p \) and \( q' = (j-1)n + q \), then the block-diagonal structure forces \( i = j \) and \( K_{p,q}(\Sigma_i) = 1 \), which means \( x_q \) is stably reachable from \( x_p \) in submachine \( \Sigma_i \).

\( W(\Sigma) \) epitomizes switching capability of \( \Sigma \). In contrast to \( K(\Sigma) \), \( W(\Sigma) \) does not contain any stable reachability measured within a single submachine. Having \( W(i, j) \) as sub-blocks, \( W(\Sigma) \) shows whether \( \Sigma \) can transfer from a state of a submachine to another state of another submachine through switching operations. If \( W_{p',q'}(\Sigma) = 1 \) for some \( p', q' \in \{1, \ldots, nn\}, p' = (i-1)n + p, \) and \( q' = (j-1)n + q \), we have \( W_{p,q}(i, j) = 1 \). Thus \( \Sigma \) can move from \( x_p \) of \( \Sigma_i \) to \( x_q \) of \( \Sigma_j \) via the switching operation.

\( S^1(\Sigma) \) in Definition 4 contains both the stable reachability and the switching capability of \( \Sigma \). Here, “one-step” means that \( \Sigma \) takes either one switching operation or one correction procedure. Indeed, a correction procedure by the controller involves more than one stable transition if the length of the input sequence used is greater than one (Murphy et al., 2003).

The combined switching skeleton matrix \( Z(\Sigma) \) is a generalized description of stable reachability for the switched asynchronous sequential machine \( \Sigma \). Not only does \( Z(\Sigma) \) represent stable reachability within each submachine, it also elucidates whether a state of a submachine can be reached from another state of a different submachine by a combination of stable transitions and switching operations. Since \( \Sigma \) has \( nm \) states in total, any reachable state in \( \Sigma \) can be reached within \( nm-1 \) steps of switching and correction procedures. Hence \( S^1(\Sigma), \ldots, S^{nm-1}(\Sigma) \) are sufficient to express the entire reachability of \( \Sigma \).

3.2 Robust Reachability Analysis

In order to address the robust reachability of \( \Sigma \), we must quantify the adverse effect of fault inputs. Define \( F^i(x) \subset A_d \) for \( x \in X \) and \( i \in M \) as

\[
F^i(x) = \{ w \in A_d | s_i(x, w)! \text{ and } s_i(x, w) \neq x \}
\]

where \( s_i(x, w)! \) means \( s_i(x, w) \) is defined in \( \Sigma_i \). \( F^i(x) \) is the set of adversarial inputs that cause unauthorized transitions at \( x \) of \( \Sigma_i \). In a similar way to \( K(\Sigma) \), we express the characteristics of all unauthorized state transitions by a simple matrix as follows:

**Definition 6.** \( K^d(\Sigma_i) \), the adversarial skeleton matrix of submachine \( \Sigma_i \), is an \( n \times n \) matrix whose \((p,q)\) entry is

\[
K^d_{p,q}(\Sigma_i) = \begin{cases} 1 & \exists w \in F^i(x_p) \text{ s.t. } s_i(x_p, w) = x_q \\ 0 & \text{otherwise} \end{cases}
\]

In particular, assume that there exists an adversarial input \( w_i \in F^i(x_p) \) such that \( s_i(x_p, w_i) = x_q \). According to the above definition, we have \( K_{p,q}^d(\Sigma_i) = 1 \). The fact that the unauthorized transition from \( x_p \) to \( x_q \) is manifested means that \( \Sigma_i \) is serving as the active submachine of \( \Sigma \). The condition for robust reachability varies depending on how many steps and submachines are used in realizing the fault-tolerant control process.

First, assume an extreme case that we would like to maintain the active submachine as the same despite an occurrence of the fault. In the foregoing case, this means that submachine \( \Sigma_i \) must have fault-tolerance capability against \( w_i \). Clearly, the condition for driving \( \Sigma_i \) back to the original state \( x_p \) is that \( \Sigma_i \) must have stable reachability from \( x_q \) to \( x_p \). Thus, we have

\[
K_{p,q}^d(\Sigma_i) = 1 \Rightarrow K_{q,p}(\Sigma_i) = 1
\]

Generalizing the above relation, we derive as follows the robust reachability for fault tolerance using a single submachine.

\[
(K^d(\Sigma_i))^T \leq K(\Sigma_i) \quad (2)
\]

where the inequality is taken entry by entry and \((K^d(\Sigma_i))^T\) denotes the transpose of \( K^d(\Sigma_i) \). Note that an intermittent fault cannot be tolerated using this robust reachability alone, since instantaneous recovery to \( x_p \) within \( \Sigma_i \) is infeasible while the fault persists.

Next, assume that we would like to involve one more submachine in realizing fault-tolerant control. This means that upon diagnosing a fault occurrence, the controller will provide a switching signal, with which \( \Sigma \) will change its mode to another submachine, say \( \Sigma_j \). Then fault tolerance is conducted in \( \Sigma_j \) by enforcing \( \Sigma_j \) to reach the desired state \( x_p \). With the skeleton matrices, the reachability condition for the latter case is described as

\[
W_{q,r}(i,j) = 1 \text{ and } K_{r,p}(\Sigma_j) = 1
\]

where we suppose that \( \Sigma \) reaches \( x_r \) of \( \Sigma_j \) as the result of the switching operation from \( \Sigma_i \) at \( x_q \). Submachine \( \Sigma_j \) can be arbitrarily chosen so long as the above condition is satisfied. We represent in formal terms this robust reachability condition as follows.

\[
\forall i \in M, \exists j \in M \text{ such that } (K^d(\Sigma_i))^T \leq W(i,j) \otimes K(\Sigma_j) \quad (3)
\]

Finally, assume that the fault-tolerant procedure can be implemented using either submachine \( \Sigma_i \) only, or \( \Sigma_j \) together with another submachine, and that different submachines can be used over the course of the entire fault-tolerant control procedure. To this end, we introduce another Boolean matrix as follows.

**Definition 7.** For \( \Sigma \), let

\[
\mathcal{K}(\Sigma) = W(\Sigma) \oplus W(\Sigma) \otimes K(\Sigma)
\]

\( \mathcal{Z}(\Sigma_i) \), the augmented skeleton matrix of submachine \( \Sigma_i \), is an \( n \times n \) matrix whose \((p,q)\) entry is

\[
\mathcal{Z}_{p,q}(\Sigma_i) = \max_{j \in M, j \neq i} \mathcal{K}_{p_i, q_j}(\Sigma)
\]

where \( p_i = (i-1)n + p \), \( q_j = (j-1)n + q \), and \( \otimes \), \( \oplus \) are the Boolean product and Boolean addition of Definitions 4 and 5.

Using \( \mathcal{Z}(\Sigma_i) \), we derive the following robust reachability condition for fault-tolerant controllability of \( \Sigma \).

\[
\forall i \in M, (K^d(\Sigma_i))^T \leq \mathcal{Z}(\Sigma_i) \quad (4)
\]

Whereas (2) cannot provide fault tolerance against intermittent faults, (3) and (4) ensure fault-tolerant controllability against them, since \( \Sigma \) does not return to the original state at which the fault occurs. Although not used in this paper, the combined skeleton matrix \( Z(\Sigma) \) in Definition 5 can be applied to represent the overall fault-tolerant controllability of \( \Sigma \), namely whether \( \Sigma \) can overcome any unauthorized state transition using an arbitrary number of submachines and correction procedures. Once the robust reachability conditions (2)–(4) are guaranteed, a fault-tolerant corrective controller can be easily designed based on the previous algorithm for the model matching problem (see, e.g., Murphy et al. (2003); Peng and Hammer (2012); Yang (2016)).

4 EXAMPLE

Consider a simple switched asynchronous machine \( \Sigma = \{\Sigma_1, \Sigma_2\} \) shown in Figure 2, where \( X = \{x_1, x_2, x_3\} \), \( A_n = \{a, b, c\} \), and \( A_d = \{w_1, w_2\} \). For simplicity, we set \( f_i(x, v) = s_i(x, v) \) for all \( i = 1, 2 \) and \((x,v) \in X \times A\). A brief examination of Figure 2 leads to

\[
K(\Sigma_1) = \begin{pmatrix} 1 & 1 & 1 \\ 1 & 1 & 1 \\ 1 & 1 & 1 \end{pmatrix} \quad K(\Sigma_2) = \begin{pmatrix} 1 & 1 & 1 \\ 1 & 1 & 1 \\ 0 & 0 & 1 \end{pmatrix}
\]

Figure 2: Switched asynchronous machine \( \Sigma = \{\Sigma_1, \Sigma_2\} \).

We assume that $\Sigma$ has switching capability expressed by the following switching incidence matrices:

$$W(1, 2) = W(2, 1) = \begin{pmatrix}
1 & 0 & 0 \\
0 & 1 & 0 \\
0 & 1 & 0
\end{pmatrix}$$

Following Definition 6 and referring to Figure 2, we quantify the adverse effect of $A_d$ by

$$K^d(\Sigma_1) = \begin{pmatrix}
0 & 0 & 0 \\
0 & 0 & 0 \\
1 & 0 & 0
\end{pmatrix}, \quad K^d(\Sigma_2) = \begin{pmatrix}
0 & 0 & 1 \\
0 & 0 & 0 \\
0 & 0 & 0
\end{pmatrix}$$

Consider first the adversarial input $w_1$. Clearly, we have $(K^d(\Sigma_1))^T \leq K(\Sigma_1)$. Hence the unauthorized transition $s_1(x_3, w_1) = x_1$ caused by $w_1$ can be invalidated (if $w_1$ has the transient feature) by employing only $\Sigma_1$, as $\Sigma_1$ has sufficient robust reachability ($K_{1,3}(\Sigma_1) = 1$ and $s_1(x_1, bc) = x_3$). Next, consider the case of $w_2$. We see that $K^d_{1,3}(\Sigma_2) = 1$ but $K_{3,1}(\Sigma_2) = 0$. This implies that fault tolerance cannot be achieved within $\Sigma_2$. However, since $W_{3,2}(2, 1) = 1$ and $K_{2,1}(\Sigma_1) = 1$, fault-tolerant control may be realized by a two-step procedure: switching to $\Sigma_1$ ($\sigma = 1$) upon diagnosing an occurrence of $w_2$, and then initiating the correction procedure from $x_2$ to $x_1$ in $\Sigma_1$. This argument can also be asserted by applying condition (4).
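The following Python script is an added example, not code from the paper: it encodes the matrices of this section, implements the Boolean operators of Definitions 4 and 5, and evaluates conditions (2), (3) and (4) for both submachines, reading the matrix of Definition 7 as $\mathcal{K}(\Sigma) = W(\Sigma) \oplus W(\Sigma) \otimes K(\Sigma)$; the function `recovery_routes` is an added helper that enumerates the switch-then-correct pairs $(j, r)$ behind condition (3).

```python
"""Robust-reachability checks on the Section 4 example (added example, not the paper's code).
Matrices are copied from Section 4 (n = 3 states, m = 2 submachines). The Boolean operators
and the augmented matrix follow Definitions 4, 5 and 7, reading the calligraphic
K(Σ) as W(Σ) ⊕ W(Σ) ⊗ K(Σ). Indices in results are 1-based, as in the paper."""
from typing import Dict, List, Tuple

Mat = List[List[int]]
n, M = 3, [1, 2]
# --- data copied from Section 4 ---
K_sub: Dict[int, Mat] = {1: [[1, 1, 1], [1, 1, 1], [1, 1, 1]],
                         2: [[1, 1, 1], [1, 1, 1], [0, 0, 1]]}
W_sub: Dict[Tuple[int, int], Mat] = {(1, 2): [[1, 0, 0], [0, 1, 0], [0, 1, 0]],
                                     (2, 1): [[1, 0, 0], [0, 1, 0], [0, 1, 0]]}
Kd_sub: Dict[int, Mat] = {1: [[0, 0, 0], [0, 0, 0], [1, 0, 0]],
                          2: [[0, 0, 1], [0, 0, 0], [0, 0, 0]]}
ZERO: Mat = [[0] * n for _ in range(n)]

def bool_mult(a: Mat, b: Mat) -> Mat:
    """Boolean product ⊗: AND replaces multiplication, OR replaces summation."""
    return [[int(any(a[i][k] and b[k][j] for k in range(len(b))))
             for j in range(len(b[0]))] for i in range(len(a))]

def bool_add(a: Mat, b: Mat) -> Mat:
    """Boolean addition ⊕: entry-wise OR."""
    return [[int(x or y) for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def transpose(a: Mat) -> Mat:
    return [list(col) for col in zip(*a)]

def leq(a: Mat, b: Mat) -> bool:
    """Entry-wise a <= b: every 1 of a is also a 1 of b."""
    return all(x <= y for ra, rb in zip(a, b) for x, y in zip(ra, rb))

def block(grid: List[List[Mat]]) -> Mat:
    """Assemble an nm x nm matrix from an m x m grid of n x n blocks."""
    return [sum(rows, []) for brow in grid for rows in zip(*brow)]

def S1() -> Mat:
    """One-step switching skeleton matrix S^1(Σ) of Definition 4."""
    return block([[K_sub[a] if a == b else W_sub[(a, b)] for b in M] for a in M])

def Z() -> Mat:
    """Combined switching skeleton matrix Z(Σ) = S^1 ⊕ ... ⊕ S^{nm-1} (Definition 5)."""
    s1 = S1()
    acc, sk = s1, s1
    for _ in range(2, n * len(M)):  # k = 2 .. nm-1
        sk = bool_mult(sk, s1)      # S^k = S^{k-1} ⊗ S^1
        acc = bool_add(acc, sk)
    return acc

def cond2(i: int) -> bool:
    """Condition (2): recovery inside Σ_i alone, (K^d(Σ_i))^T <= K(Σ_i)."""
    return leq(transpose(Kd_sub[i]), K_sub[i])

def cond3(i: int) -> List[int]:
    """Submachines j != i satisfying condition (3): (K^d(Σ_i))^T <= W(i,j) ⊗ K(Σ_j)."""
    return [j for j in M if j != i
            and leq(transpose(Kd_sub[i]), bool_mult(W_sub[(i, j)], K_sub[j]))]

def recovery_routes(i: int, p: int, q: int) -> List[Tuple[int, int]]:
    """Switch-then-correct recoveries for the fault x_p -> x_q in Σ_i: pairs (j, r) with
    W_{q,r}(i,j) = 1 (switch to x_r of Σ_j) and K_{r,p}(Σ_j) = 1 (correct back to x_p)."""
    return [(j, r) for j in M if j != i for r in range(1, n + 1)
            if W_sub[(i, j)][q - 1][r - 1] and K_sub[j][r - 1][p - 1]]

def augmented_Z(i: int) -> Mat:
    """Augmented skeleton matrix of Definition 7: entry (p,q) is the max over j != i of
    the calligraphic K entry at row (i-1)n+p and column (j-1)n+q."""
    big_K = block([[K_sub[a] if a == b else ZERO for b in M] for a in M])
    big_W = block([[ZERO if a == b else W_sub[(a, b)] for b in M] for a in M])
    cal_K = bool_add(big_W, bool_mult(big_W, big_K))
    return [[max(cal_K[(i - 1) * n + p][(j - 1) * n + q] for j in M if j != i)
             for q in range(n)] for p in range(n)]

def cond4(i: int) -> bool:
    """Condition (4): (K^d(Σ_i))^T <= calligraphic Z(Σ_i)."""
    return leq(transpose(Kd_sub[i]), augmented_Z(i))
```

Calling `cond2(2)`, `cond3(2)` and `recovery_routes(2, 1, 3)` reproduces the $w_2$ discussion above: recovery inside $\Sigma_2$ is impossible, but switching to $\Sigma_1$ at $x_2$ and correcting to $x_1$ works, and `Z()` shows that every state of $\Sigma$ is reachable from every other state.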

5 CONCLUSION

In this study, fault-tolerant controllability for a class of switched asynchronous sequential machines has been investigated. We have presented matrix expressions to describe robust reachability of switched asynchronous sequential machines in a quantitative manner. We have found that the condition for fault-tolerant controllability is determined by the number of submachines that are used in fault-tolerant control procedures. The examination of the controller existence has been demonstrated in a simple example.

ACKNOWLEDGEMENTS

The research of S. W. Kwak was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (No. 2016R1D1A1B02012959). The research of J.-M. Yang was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (No. 2015R1D1A1A01056764) and by the Ministry of Science, ICT and future Planning (No. 2015R1A2A1A15054026).
