Multi-decision diagnosis: decentralized architectures cooperating for diagnosing the presence of faults in discrete event systems

Abstract

This article deals with decentralized diagnosis, where a set of diagnosers cooperate for detecting faults in a discrete event system. We propose a new framework, called multi-decision diagnosis, whose basic principle consists in using several decentralized diagnosis architectures working in parallel. We first present a generic form of multi-decision diagnosis, where several decentralized diagnosis architectures work in parallel and combine their global decisions disjunctively or conjunctively. We then study in more detail the inference-based multi-decision diagnosis, that is, in the case where each of the decentralized architectures in parallel is based on the inference-based framework. We develop a method that checks if a given specification is diagnosable under the inference-based multi-decision architecture. We also show that with our method, the worst-case computational complexity for checking codiagnosability for our inference-based multi-decision architecture is in the same order of complexity as checking codiagnosability for the inference-based architecture designed by Kumar and Takai. In fact, multi-decision diagnosis is fundamentally undecidable and we have formulated a decidable variant of it. Multi-decision diagnosis is formally based on language decomposition, but it is worth noting that our objective is not to answer the existential question of language decomposition in the general case. Our objective is rather to propose a decentralized diagnosis architecture that generalizes the decidable existing ones.

Appendices

Appendix A: Proofs of Section 4

1.1 Proof of Proposition 1

“Only If”: Consider \(\mathit{p}\) \(\mathcal{D}^{j}\)-diagnosers \((\mathit{Diag}^{j})_{j\in J}\), whose global diagnoses are fused conjunctively. Assume that the ∧-\((\mathcal{D}^{1},\cdots,\mathcal{D}^{\mathit{p}})\)-diagnoser \(\mathit{Diag}=((\mathit{Diag}^{j})_{j\in J},\wedge)\) satisfies Eqs. 1–3 w.r.t. \((\mathcal{F},\mathcal{H})\). Let us consider a set \(\{\mathcal{H}^{1},\cdots,\mathcal{H}^{\mathit{p}}\}\) of subsets of \(\mathcal{H}\) defined as follows:

$$ \forall j\in J, \mathcal{H}^{j}=\mathcal{H}\cap\{s|\,\mathit{Diag}^{j}(s)\neq1\}. $$

(24)

Equation 25 implies that \(s\not\in\mathcal{H}^{j}\) if \(s\not\in\mathcal{H}\) or \(\mathit{Diag}^{j}(s)=1\), ∀ j ∈ J. Let us now show that \(\{\mathcal{H}^{1},\cdots,\mathcal{H}^{\mathit{p}}\}\) is a decomposition of \(\mathcal{H}\), i.e., \(\bigcup_{j\in J}\mathcal{H}^{j}=\mathcal{H}\). Equation 25 implies that \(\mathcal{H}^{j}\subseteq \mathcal{H}\), ∀ j ∈ J. Therefore, \(\bigcup_{j\in J}\mathcal{H}^{j}\subseteq \mathcal{H}\). It remains to show that \(\mathcal{H}\subseteq \bigcup_{j\in J}\mathcal{H}^{j}\), as follows:

$$ \begin{array}{rll} s\in\mathcal{H}&&\Rightarrow \mathit{Diag}(s)\neq1 \qquad\qquad(\mbox{from} \mathit{Diag} \mbox{satisfies Eq}.~3 w.r.t. \mathcal{H})\\ &&\Rightarrow \exists j\in J \mbox{ s.t. } \mathit{Diag}^{j}(s)\neq1\qquad\qquad\mbox{(\mbox{from Eq}.~7)}\\ &&\Rightarrow \exists j\in J \mbox{ s.t. } s\in\mathcal{H}^{j}\qquad\qquad(\mbox{from Eq}.~24 \mbox{and} s\in\mathcal{H})\\ &&\Leftrightarrow s\in \bigcup\limits_{j\in J}\mathcal{H}^{j}, \end{array} $$

which means that \(\mathcal{H}\subseteq \bigcup_{j\in J}\mathcal{H}^{j}\).

• Equation  3 : Let us show that, ∀ j ∈ J, \(\mathit{Diag}^{j}\) satisfies Eq. 3 w.r.t. \(\mathcal{H}^{j}\). By the construction of the decomposition \(\{\mathcal{H}^{1},\cdots,\mathcal{H}^{\mathit{p}}\}\) of \(\mathcal{H}\) defined by Eq. 24, we have, ∀ j ∈ J, \(\mathit{Diag}^{j}\) satisfies Eq. 3 w.r.t. \(\mathcal{H}^{j}\).

• Equation  2 : Assume that \(\mathit{Diag}\) satisfies Eq. 2 w.r.t \(\mathcal{F}\), thus we have,

  $$ \begin{array}{rll} \forall s\in\mathcal{F}: \mathit{Diag}(s)\neq0&\Rightarrow\forall j\in J,\forall s\in\mathcal{F}: \mathit{Diag}^{j}(s)\neq0,&\mbox{(from Eq.~7)}\\ &&\Leftrightarrow\forall j\in J,\mathit{Diag}^{j} \mbox{ satisfies Eq.~2 w.r.t. } \mathcal{F}. \end{array} $$

• Equation  1 : Assume that \(\mathit{Diag}\) satisfies Eq. 1 w.r.t \(\mathcal{F}\), thus we have,

  $$ \begin{array}{rll} &&\exists\,l\in\mathbb{Z}^{+},\forall s\in\mathcal{F}_l:\mathit{Diag}(s)=1\\ &&\Rightarrow \exists\,l\in\mathbb{Z}^{+},\forall s\in\mathcal{F}_l, \forall j\in J:\mathit{Diag}^{j}(s)=1, \mbox{(from Eq.~7)} \\ &&\Leftrightarrow \forall j\in J,\exists\,l\in\mathbb{Z}^{+},\forall s\in\mathcal{F}_l:\mathit{Diag}^{j}(s)=1,\\ &&\Leftrightarrow \forall j\in J, \mathit{Diag}^{j} \mbox{ satisfies Eq.~1 w.r.t. }\mathcal{F}. \end{array} $$

“If”: Consider languages \(\mathcal{F}\) and \(\mathcal{H}\), and \(\mathcal{D}^{j}\)-diagnosers \((\mathit{Diag}^{j})_{j\in J}\). Assume that there exists a decomposition \(\{\mathcal{H}^{1},\cdots,\mathcal{H}^{\mathit{p}}\}\) of \(\mathcal{H}\) such that, ∀ j ∈ J, the \(\mathcal{D}^{j}\)-diagnoser \(\mathit{Diag}^{j}\) satisfies Eqs. 1–3 w.r.t. \((\mathcal{F},\mathcal{H}^{j})\).

• Equation  1 : Since \(\mathit{Diag}^{j}\) satisfies Eq. 1 w.r.t. \(\mathcal{F}\), we have,

  $$ \forall j\in J, \exists l_j \in \mathbb{Z}^{+}, \forall s \in \mathcal{F}_{l_j}:\mathit{Diag}^{j}(s)=1. $$

  (25)

  Consider \(l_1,\cdots,l_\mathit{p}\) corresponding to Eq. 25, and let l =  max _j ∈ J l _j . Then, ∀ j ∈ J, if \(s\in\mathcal{F}_l\) then \(s\in \mathcal{F}_{l_j}\) (because l _j  ≤ l, and thus, \(\mathcal{F}_l\subseteq \mathcal{F}_{l_j}\)). Hence, from Eq. 25, \(\forall s\in\mathcal{F}_l\), ∀ j ∈ J, \(\mathit{Diag}^{j}(s)=1\). It follows from Eq. 7 that \(\mathit{Diag}(s)=1\). Therefore, \(\mathit{Diag}\) satisfies Eq. 1 w.r.t. \(\mathcal{F}\).

• Equation  2 : Since, ∀ j ∈ J, the \(\mathcal{D}^{j}\)-diagnoser \(\mathit{Diag}^{j}\) satisfies Eq. 2 w.r.t. \(\mathcal{F}\), we have,

  $$ \forall j\in J,\forall s\in\mathcal{F}: \mathit{Diag}^{j}(s) \neq 0. $$

  (26)

  Consider \(s\in\mathcal{F}\), and thus, ∀ j ∈ J, \(\mathit{Diag}^{j}(s)\neq0\) (from Eq. 26). Hence, from Eq. 7, \(\mathit{Diag}(s)\neq0\). Therefore, \(\mathit{Diag}\) satisfies Eq. 2 w.r.t. \(\mathcal{F}\).

• Equation  3 : Since, ∀ j ∈ J, the \(\mathcal{D}^{j}\)-diagnoser \(\mathit{Diag}^{j}\) satisfies Eq. 3 w.r.t. \(\mathcal{H}^{j}\), we have,

  $$ \forall j\in J,\forall s\in\mathcal{H}^{j}: \mathit{Diag}^{j}(s) \neq 1. $$

  (27)

  Consider \(s\in\mathcal{H}\), and thus, there exists j ∈ J s.t. \(s\in\mathcal{H}^{j}\) (because \(\mathcal{H}=\bigcup_{j\in J}\mathcal{H}^{j}\)), and then from Eq. 27, \(\mathit{Diag}^{j}(s)\neq 1\). Hence, from Eq. 7, \(\mathit{Diag}(s)\neq 1\). Therefore, \(\mathit{Diag}\) satisfies Eq. 3 w.r.t. \(\mathcal{H}\).

1.2 Proof of Proposition 2

“Only If”: Consider \(\mathit{p}\) \(\mathcal{D}^{j}\)-diagnosers \((\mathit{Diag}^{j})_{j\in J}\), whose global diagnoses are fused disjunctively. Assume that the ∨-\((\mathcal{D}^{1},\cdots,\mathcal{D}^{\mathit{p}})\)-diagnoser \(\mathit{Diag}=((\mathit{Diag}^{j})_{j\in J},\vee)\) satisfies Eqs. 1–3 w.r.t. \((\mathcal{F},\mathcal{H})\). We consider an integer l such that \(\mathit{Diag}(s)=1\) for every \(s\in\mathcal{F}_l\). Such l exists from the satisfaction of Eq. 1. Let us consider a set \(\{\mathcal{F}^{1},\cdots,\mathcal{F}^{\mathit{p}}\}\) of subsets of \(\mathcal{F}\) defined as follows:

$$ \forall j\in J, \mathcal{F}^{j}=\{s\in\mathcal{F}_l|\,\mathit{Diag}^{j}(s)=1\}\cup\{s\in\mathcal{F}\backslash\mathcal{F}_l|\,\mathit{Diag}^{j}(s)\neq0\}. $$

(28)

Let us now show that \(\{\mathcal{F}^{1},\cdots,\mathcal{F}^{\mathit{p}}\}\) is a decomposition of \(\mathcal{F}\), i.e., \(\bigcup_{j\in J}\mathcal{F}^{j}=\mathcal{F}\). Equation 29 implies that \(\mathcal{F}^{j}\subseteq \mathcal{F}\), ∀ j ∈ J. Therefore, \(\bigcup_{j\in J}\mathcal{F}^{j}\subseteq \mathcal{F}\). It remains to show that \(\mathcal{F}\subseteq \bigcup_{j\in J}\mathcal{F}^{j}\), as follows:

$$ \begin{array}{rll} s\in\mathcal{F}&\Rightarrow \mathit{Diag}(s)\neq0, \qquad\mbox{($\mathit{Diag}$ satisfies Eq.~2 w.r.t. $\mathcal{F}$)}\\ &&\Leftrightarrow [s\in\mathcal{F}_l\wedge\mathit{Diag}(s)\neq0]\vee[s\in\mathcal{F}\backslash\mathcal{F}_l \wedge \mathit{Diag}(s)\neq0],\\ &&\Leftrightarrow [s \in \mathcal{F}_l\wedge\mathit{Diag}(s)=1] \vee[s \in \mathcal{F}\backslash\mathcal{F}_l \wedge \mathit{Diag}(s)\neq 0],{\kern4pt} \mbox{($\mathit{Diag}$ satisfies Eq.~1 w.r.t. $\mathcal{F}$)}\\ &&\Rightarrow [\exists j\in J: s\in\mathcal{F}_l\wedge \mathit{Diag}^{j}(s) = 1] \vee [\exists j \in J : s \in \mathcal{F}\backslash\mathcal{F}_l \wedge \mathit{Diag}^{j}(s) \neq 0],{\kern4pt} \mbox{(from Eq.~8)}\\ &&\Rightarrow \exists j\in J: s\in\mathcal{F}^{j},\qquad\mbox{(from Eq.~28)}\\ &&\Leftrightarrow s\in \bigcup\limits_{j\in J}\mathcal{F}^{j}, \end{array} $$

which means that \(\mathcal{F}\subseteq \bigcup_{j\in J}\mathcal{F}^{j}\).

• Equation  3 : Since \(\mathit{Diag}\) satisfies Eq. 3 w.r.t. \(\mathcal{H}\), thus we have,

  $$ \begin{array}{rll} \forall s\in\mathcal{H}: \mathit{Diag}(s)\neq1&\Rightarrow\forall j\in J,\forall s\in\mathcal{H}: \mathit{Diag}^{j}(s)\neq1,&\mbox{(from Eq.~8)}\\ &&\Leftrightarrow\forall j\in J,\mathit{Diag}^{j} \mbox{ satisfies Eq.~3 w.r.t. } \mathcal{H}. \end{array} $$

• Equation  2 : Let us show that, ∀ j ∈ J, \(\mathit{Diag}^{j}\) satisfies Eq. 2 w.r.t. \(\mathcal{F}^{j}\). By the construction of the decomposition \(\{\mathcal{F}^{1},\cdots,\mathcal{F}^{\mathit{p}}\}\) of \(\mathcal{F}\) defined by Eq. 28, we have, ∀ j ∈ J, \(\mathit{Diag}^{j}\) satisfies Eq. 2 w.r.t. \(\mathcal{F}^{j}\).

• Equation  1 : Consider the l from which the decomposition \((\mathcal{F}^{j})_{j\in J}\) has been constructed using Eq. 28. Consider \(s\in \mathcal{F}^{j}_l\) for some j ∈ J.

  $$ \begin{array}{rll} s\in\mathcal{F}^{j}_l&\Rightarrow s\in\mathcal{F}_l\wedge s\in\mathcal{F}^{j},\\ &&\Rightarrow\mathit{Diag}^{j}(s)=1\qquad\mbox{(from Eq.~28)}. \end{array} $$

“If”: Consider languages \(\mathcal{F}\) and \(\mathcal{H}\), and \(\mathcal{D}^{j}\)-diagnosers \((\mathit{Diag}^{j})_{j\in J}\). Assume that there exists a decomposition \(\{\mathcal{F}^{1},\cdots,\mathcal{F}^{\mathit{p}}\}\) of \(\mathcal{F}\) such that, ∀ j ∈ J, the \(\mathcal{D}^{j}\)-diagnoser \(\mathit{Diag}^{j}\) satisfies Eqs. 1–3 w.r.t. \((\mathcal{F}^{j},\mathcal{H})\).

• Equation  1 : Since, ∀ j ∈ J, the \(\mathcal{D}^{j}\)-diagnoser \(\mathit{Diag}^{j}\) satisfies Eq. 1 w.r.t. \(\mathcal{F}^{j}\), we have,

  $$ \forall j\in J,\exists l_j \in \mathbb{Z}^{+}, \forall s \in \mathcal{F}^{j}_{l_j} :\mathit{Diag}^{j}(s)=1. $$

  (29)

  Consider \(l_1,\cdots,l_\mathit{p}\) corresponding to Eq. 29, and let l =  max _j ∈ J l _j . Consider \(s\in\mathcal{F}_l\), and thus, \(\exists j\in J\) such that \(s \in\mathcal{F}^{j}_{l}\) (because \(\mathcal{F}_l=\bigcup_{j\in J}\mathcal{F}^{j}_l\)). Then, since \(\mathcal{F}^{j}_{l}\subseteq \mathcal{F}^{j}_{l_j}\) (because l _j  ≤ l), \(s\in\mathcal{F}^{j}_{l_j}\). It follows from Eq. 29 that \(\mathit{Diag}^{j}(s)=1\). Hence, from Eq. 8, \(\mathit{Diag}(s)=1\). Therefore, \(\mathit{Diag}\) satisfies Eq. 1 w.r.t. \(\mathcal{F}\).

• Equation  2 : Since, ∀ j ∈ J, the \(\mathcal{D}^{j}\)-diagnoser \(\mathit{Diag}^{j}\) satisfies Eq. 2 w.r.t. \(\mathcal{F}^{j}\), we have,

  $$ \forall j\in J,\forall s\in\mathcal{F}^{j}: \mathit{Diag}^{j}(s) \neq 0. $$

  (30)

  Consider \(s\in\mathcal{F}\), and thus, \(\exists j\in J\) s.t. \(s\in\mathcal{F}^{j}\) (because \(\mathcal{F}=\bigcup_{j\in J}\mathcal{F}^{j}\)). Hence, from Eq. 30, \(\mathit{Diag}^{j}(s)\neq 0\). It follows from Eq. 8 that \(\mathit{Diag}(s) \neq 0\). Therefore, \(\mathit{Diag}\) satisfies Eq. 2 w.r.t. \(\mathcal{F}\).

• Equation  3 : Since, ∀ j ∈ J, the \(\mathcal{D}^{j}\)-diagnoser \(\mathit{Diag}^{j}\) satisfies Eq. 3 w.r.t. \(\mathcal{F}^{j}\), we have,

  $$ \forall j\in J,\forall s \in \mathcal{H} : \mathit{Diag}^{j}(s) \neq 1. $$

  (31)

  Consider \(s\in\mathcal{H}\), and thus, ∀ j ∈ J, \(\mathit{Diag}^{j}(s)\neq 1\) (from Eq. 31). It follows from Eq. 8 that \(\mathit{Diag}(s)\neq1\). Therefore, \(\mathit{Diag}\) satisfies Eq. 3 w.r.t. \(\mathcal{H}\).

Appendix B: Proofs of Section 6

2.1 Proof of Proposition 4

Consider a decomposition \(\{\mathcal{H}^{1},\cdots,\mathcal{H}^{\mathit{p}}\}\) of \(\mathcal{H}\), and the ∧-\((\mathit{Inf}_{N_1},\cdots,\mathit{Inf}_{N_{\mathit{p}}})\)-diagnoser \(\mathit{Diag}=((\mathit{Diag}^{j})_{j\in J},\wedge)\) defined by Eqs. 9–15 and 7 w.r.t. \(\{\mathcal{H}^{1},\cdots,\mathcal{H}^{\mathit{p}}\}\). I.e., every \(\mathit{Diag}^{j}\) is an \(\mathit{Inf}_{N_{j}}\)-diagnoser given by Eqs. 9–15 w.r.t. \((\mathcal{F},\mathcal{H}^{j})\). Hence, from Lemma 2, ∀ j ∈ J, \(\mathit{Diag}^{j}\) satisfies Eqs. 2 and 3 w.r.t. \((\mathcal{F},\mathcal{H}^{j})\). It follows, from Proposition 1, that \(\mathit{Diag}\) satisfies Eqs. 2 and 3 w.r.t. \((\mathcal{F},\mathcal{H})\).

2.2 Proof of Proposition 5

Consider a decomposition \(\{\mathcal{H}^{1},\cdots,\mathcal{H}^{\mathit{p}}\}\) of \(\mathcal{H}\), and the ∧-\((\mathit{Inf}_{N_1},\cdots,\mathit{Inf}_{N_{\mathit{p}}})\)-diagnoser \(\mathit{Diag}=((\mathit{Diag}^{j})_{j\in J},\wedge)\) defined by Eqs. 9–15 and 7 w.r.t. \(\{\mathcal{H}^{1},\cdots,\mathcal{H}^{\mathit{p}}\}\). Hence, every \(\mathit{Diag}^{j}\) is an \(\mathit{Inf}_{N_{j}}\)-diagnoser given by Eqs. 9–15 w.r.t. \((\mathcal{F},\mathcal{H}^{j})\). It follows, from Lemma 3, ∀ j ∈ J, \(\mathit{Diag}^{j}\) satisfies Eq. 1 w.r.t. \(\mathcal{F}\). Therefore, from Proposition 1, \(\mathit{Diag}\) satisfies Eq. 1 w.r.t. \(\mathcal{F}\).

2.3 Proof of Theorem 2

“Only If”: Assume that \((\mathcal{F},\mathcal{H})\) is ∧-\((\mathit{Inf}_{N_1},\cdots,\mathit{Inf}_{N_\mathit{p}})\)-F-CODIAG. Hence, from Definition 5, there exists a decomposition \(\{\mathcal{H}^{1},\cdots,\mathcal{H}^{\mathit{p}}\}\) of \(\mathcal{H}\) such that, ∀ j ∈ J, \((\mathcal{F},\mathcal{H}^{j})\) is \(\mathit{Inf}_{N_j}\)-F-CODIAG. Consider the multi-decision decentralized diagnoser \(\mathit{Diag}=((\mathit{Diag}^{j})_{j\in J},\wedge)\) defined by Eqs. 9–15 w.r.t. \(\{\mathcal{H}^{1},\cdots,\mathcal{H}^{\mathit{p}}\}\). By Propositions 3, 4 and 5, \(\mathit{Diag}\) is a ∧-\((\mathit{Inf}_{N_1},\cdots,\mathit{Inf}_{N_\mathit{p}})\)-diagnoser satisfying Eqs. 1–3 w.r.t. \((\mathcal{F},\mathcal{H})\).

“If”: We consider a ∧-\((\mathit{Inf}_{N_1},\cdots,\mathit{Inf}_{N_{\mathit{p}}})\)-diagnoser \(\mathit{Diag}=((\mathit{Diag}^{j})_{j\in J},\wedge)\), thus, ∀ j ∈ J, Diag ^j is a \(\mathit{Inf}_{N_j}\)-diagnoser. We assume that \(\mathit{Diag}\) satisfies Eqs. 1–3 w.r.t. \((\mathcal{F},\mathcal{H})\). We consider the decomposition \(\{\mathcal{H}^{1},\cdots,\mathcal{H}^{\mathit{p}}\}\) of \(\mathcal{H}\) defined by Eq. 24. We have shown in the proof of Proposition 1 that, ∀ j ∈ J, \(\mathit{Diag}^{j}\) satisfies Eqs. 1–3 w.r.t. \((\mathcal{F},\mathcal{H}^{j})\). Hence, from Theorem 1, \((\mathcal{F},\mathcal{H}^{j})\) is \(\mathit{Inf}_{N_j}\)-F-CODIAG for every j ∈ J. From Definition 5, we deduce that \((\mathcal{F},\mathcal{H})\) is ∧-\((\mathit{Inf}_{N_1},\cdots,\mathit{Inf}_{N_{\mathit{p}}})\)-F-CODIAG.

Appendix C: Proofs of Section 7

3.1 Proof of Lemma 4

Let us first show by induction on k that, ∀ k ≥ 0, \(\mathcal{H}^{\nu_1}[k]\subseteq \mathcal{H}^{\nu_2}[k]\) and \(\mathcal{F}^{\nu_1}[k]\subseteq \mathcal{F}^{\nu_2}[k]\). In the basis case k = 0, we have \(\mathcal{H}^{\nu_1}[0]=\mathcal{H}^{\nu_1}\subseteq \mathcal{H}^{\nu_2}=\mathcal{H}^{\nu_2}[0]\) and \(\mathcal{F}^{\nu_1}[0]=\mathcal{F}\subseteq \mathcal{F}=\mathcal{F}^{\nu_2}[0]\). Assume that for a given integer k ≥ 0, \(\mathcal{F}^{\nu_1}[k]\subseteq \mathcal{F}^{\nu_2}[k]\) and \(\mathcal{H}^{\nu_1}[k]\subseteq \mathcal{H}^{\nu_2}[k]\) and let us show that \(\mathcal{H}^{\nu_1}[k+1]\subseteq \mathcal{H}^{\nu_2}[k + 1]\) and \(\mathcal{F}^{\nu_1}[k+1]\subseteq \mathcal{F}^{\nu_2}[k + 1]\). Since P _i and \(P^{-1}_{i}\) are maps and \(\mathcal{H}^{\nu_1}[k]\subseteq \mathcal{H}^{\nu_2}[k]\), we have, ∀ i ∈ I, \(P^{-1}_{i}P_{i}(\mathcal{H}^{\nu_1}[k])\subseteq P^{-1}_{i}P_{i}(\mathcal{H}^{\nu_2}[k])\) and then \(\bigcap_{i\in I}P^{-1}_{i}P_{i}(\mathcal{H}^{\nu_1}[k])\subseteq \bigcap_{i\in I}P^{-1}_{i}P_{i}(\mathcal{H}^{\nu_2}[k])\). From the latter inclusion and the fact that \(\mathcal{F}^{\nu_1}[k]\subseteq \mathcal{F}^{\nu_2}[k]\), we deduce

$$\mathcal{F}^{\nu_1}[k+1]=\mathcal{F}^{\nu_1}[k]\cap\bigcap\limits_{i\in I}P^{-1}_{i}P_{i}(\mathcal{H}^{\nu_1}[k])\subseteq \mathcal{F}^{\nu_2}[k]\cap\bigcap\limits_{i\in I}P^{-1}_{i}P_{i}(\mathcal{H}^{\nu_2}[k])=\mathcal{F}^{\nu_2}[k+1].$$

By the same approach, we can show that \(\mathcal{H}^{\nu_1}[k+1]\subseteq \mathcal{H}^{\nu_2}[k+1]\).

Now we assume that \((\mathcal{F},\mathcal{H}^{\nu_2})\) is \(\mathit{Inf}_{N}\)-F-CODIAG, i.e., there exists l ∈ \(\mathcal{N}\) such that \(\mathcal{F}^{\nu_2}[N+1]\cap\mathcal{F}_l=\emptyset\). From the latter and the fact that \(\mathcal{F}^{\nu_1}[N+1]\subseteq \mathcal{F}^{\nu_2}[N+1]\), we deduce that \(\mathcal{F}^{\nu_1}[N+1]\cap\mathcal{F}_l=\emptyset\), i.e., \((\mathcal{F},\mathcal{H}^{\nu_1})\) is \(\mathit{Inf}_{N}\)-F-CODIAG.

3.2 Proof of Proposition 6

“Only If”: Assume that there exists a state x of \(\mathcal{A}_{\mathcal{H}}\) such that \((\mathcal{F},\mathcal{L}(\mathcal{A}_{\mathcal{H}},x))\) is not \(\mathit{Inf}_{N_x}\)-F-CODIAG for any N _x  ≤ N. For any decomposition \(\{\mathcal{H}^{1},\cdots,\mathcal{H}^{\mathit{p}}\}\) of \(\mathcal{H}\) satisfying Assumption A3 (w.r.t. \(\mathcal{A}_{\mathcal{H}}\)), \(\exists j\in J\), such that \(\mathcal{L}(\mathcal{A}_{\mathcal{H}},x)\subseteq \mathcal{H}^{j}\). Since \((\mathcal{F},\mathcal{L}(\mathcal{A}_{\mathcal{H}},x))\) is not \(\mathit{Inf}_{N_x}\)-F-CODIAG for any N _x  ≤ N, then from Lemma 4 we have that \((\mathcal{F},\mathcal{H}^{j})\) is not \(\mathit{Inf}_{N_x}\)-F-CODIAG for any N _x  ≤ N. We have shown that for any decomposition \(\{\mathcal{H}^{1},\cdots,\mathcal{H}^{\mathit{p}}\}\) of \(\mathcal{H}\) satisfying Assumption A3 (w.r.t. \(\mathcal{A}_{\mathcal{H}}\)), we can find a \(\mathcal{H}^{j}\) such that \((\mathcal{F},\mathcal{H}^{j})\) is not \(\mathit{Inf}_{N_x}\)-F-CODIAG for any N _x  ≤ N. Hence, from Definition 8, \((\mathcal{F},\mathcal{H})\) is not ∧-\(\mathit{Inf}_{{\leq N}}^{{\geq1}}\)-F-CODIAG w.r.t. \(\mathcal{A}_{\mathcal{H}}\).

“If”: Assume that for every marked state x _j of \(\mathcal{A}_{\mathcal{H}}\), \((\mathcal{F}, \mathcal{L}(\mathcal{A}_{\mathcal{H}},x_j))\) is \(\mathit{Inf}_{N_j}\)-F-CODIAG for some N _j  ≤ N. This means that every \((\mathcal{F},\mathcal{H}^{j})\) is \(\mathit{Inf}_{N_j}\)-F-CODIAG for some N _j  ≤ N, for the special partition \((\mathcal{H}^{j})_{j\in J}\) defined as follows. Every \(\mathcal{H}^{j}=\mathcal{L}(\mathcal{A}_{\mathcal{H}},x_j)\) for some marked state x _j of \(\mathcal{A}_{\mathcal{H}}\), and conversely, for every marked state x _j of \(\mathcal{A}_{\mathcal{H}}\) there exists a unique \(\mathcal{H}^{j}\) such that \(\mathcal{H}^{j}=\mathcal{L}(\mathcal{A}_{\mathcal{H}},x_j)\). Note that this special partition satisfies Assumption A3, and its corresponding \(\mathit{p}\) is the number of states of \(\mathcal{A}_{\mathcal{H}}\). Therefore, from Definition 7, \((\mathcal{F},\mathcal{H})\) is ∧-\((\mathit{Inf}_{N_1},\cdots,\mathit{Inf}_{N_{\mathit{p}}})\)-F-CODIAG w.r.t. \(\mathcal{A}_{\mathcal{H}}\) for some \(N_1,\cdots,N_\mathit{p} \leq N\). From Definition 8, \((\mathcal{F},\mathcal{H})\) is ∧-\(\mathit{Inf}_{{\leq N}}^{{\geq1}}\)-F-CODIAG w.r.t. \(\mathcal{A}_{\mathcal{H}}\).

The same kind of proof can be made for ∧-\(\mathit{Inf}_{{\geq 0}}^{{\geq 1}}\)-F-CODIAG.

3.3 Proof of Proposition 7

Consider FSAs \(\mathcal{A}_{\mathcal{H},1}\) and \(\mathcal{A}_{\mathcal{H},2}\) accepting \(\mathcal{H}\) such that, for every marked state x of \(\mathcal{A}_{\mathcal{H},1}\), there exists a state y of \(\mathcal{A}_{\mathcal{H},2}\) such that \(\mathcal{L}(\mathcal{A}_{\mathcal{H},1},x)\subseteq \mathcal{L}(\mathcal{A}_{\mathcal{H},2},y)\). Assume that \((\mathcal{F},\mathcal{H})\) is ∧-\(\mathit{Inf}_{{\leq N}}^{{\geq1}}\)-F-CODIAG w.r.t. \(\mathcal{A}_{\mathcal{H},2}\). Hence, from Proposition 6, for every marked state y of \(\mathcal{A}_{\mathcal{H},2}\), \((\mathcal{F},\mathcal{L}(\mathcal{A}_{\mathcal{H},2},y))\) is \(\mathit{Inf}_{N_y}\)-F-CODIAG for some N _y  ≤ N. From \(\mathcal{L}(\mathcal{A}_{\mathcal{H},1},x)\subseteq \mathcal{L}(\mathcal{A}_{\mathcal{H},2},y)\) and \((\mathcal{F},\mathcal{L}(\mathcal{A}_{\mathcal{H},2},y))\) is \(\mathit{Inf}_{N_y}\)-F-CODIAG, we deduce from Lemma 4 that \((\mathcal{F},\mathcal{L}(\mathcal{A}_{\mathcal{H},1},x))\) is \(\mathit{Inf}_{N_y}\)-F-CODIAG. To recapitulate, for every marked state x of \(\mathcal{A}_{\mathcal{H},1}\), \((\mathcal{F},\mathcal{L}(\mathcal{A}_{\mathcal{H},1},x))\) is \(\mathit{Inf}_{N_x}\)-F-CODIAG for some N _x  ≤ N. It follows, from Proposition 6, that \((\mathcal{F},\mathcal{H})\) is ∧-\(\mathit{Inf}_{{\leq N}}^{{\geq1}}\)-F-CODIAG w.r.t. \(\mathcal{A}_{\mathcal{H},1}\).

3.4 Proof of Proposition 10

Assume that \((\mathcal{F},\mathcal{H})\) is not diagnosable. Hence, ∀ l ∈ \(\mathcal{N}\), there exist \(s\in\mathcal{F}_l\) and \(u\in\mathcal{H}\) such that P(s) = P(u). For any decomposition \(\{\mathcal{H}^{1},\cdots,\mathcal{H}^{\mathit{p}}\}\) of \(\mathcal{H}\), there exists j ∈ J such that \(u\in\mathcal{H}^{j}\). Since P(s) = P(u) we have P _i (s) = P _i (u) for any i ∈ I. Let us prove by induction that, ∀ k ≥ 0, \(s\in\mathcal{F}^{j}[k]\neq\emptyset\) and \(u\in\mathcal{H}^{j}[k]\neq\emptyset\).

Basis:

We have \(s\in\mathcal{F}=\mathcal{F}^{j}[0]\) and \(u\in\mathcal{H}^{j}=\mathcal{H}^{j}[0]\).

Induction step:

Assume that \(s\in\mathcal{F}^{j}[k]\) and \(u\in\mathcal{H}^{j}[k]\) for some k ≥ 0. Let us prove that \(s\in\mathcal{F}^{j}[k+1]\) and \(u\in\mathcal{H}^{j}[k+1]\). Since P _i (s) = P _i (u) for any i ∈ I, we have \(s\in\bigcap_{i\in I}P^{-1}_{i}P_{i}(\mathcal{H}^{j}[k])\) and \(u\in\bigcap_{i\in I}P^{-1}_{i}P_{i}(\mathcal{F}^{j}[k])\). Since \(s\in\mathcal{F}^{j}[k]\) and \(u\in\mathcal{H}^{j}[k]\), we obtain \(s\in\mathcal{F}^{j}[k]\cap\bigcap_{i\in I}P^{-1}_{i}P_{i}(\mathcal{H}^{j}[k])=\mathcal{F}^{j}[k+1]\) and \(u\in\mathcal{H}^{j}[k]\cap\bigcap_{i\in I}P^{-1}_{i}P_{i}(\mathcal{F}^{j}[k])=\mathcal{H}^{j}[k+1]\).

We have proved by induction that \(s\in\mathcal{F}^{j}[k]\) and \(u\in\mathcal{H}^{j}[k]\), ∀ k ≥ 0. Since \(s\in\mathcal{F}_l\), it follows that, ∀ N _j  ≥ 0, \(s\in\mathcal{F}_l\cap\mathcal{F}^{j}[N_j+1]\neq\emptyset\), i.e., \((\mathcal{F},\mathcal{H}^{j})\) is not \(\mathit{Inf}_{N_j}\)-F-CODIAG, and then \((\mathcal{F},\mathcal{H})\) is not ∧-\(\mathit{Inf}_{{\geq0}}^{{\geq1}}\)-F-CODIAG.

Appendix D: Proofs of Section 8

4.1 Proof of Lemma 5

Lemma 5 can be deduced from the following known result:

Result 1:

Consider n nondeterministic FSA A ₁, ⋯ ,A _n over an alphabet of cardinality e. Let q _i be the number of states of A _i , for i = 1 ⋯ n, and q = q ₁× ⋯ ×q _n . Let A be the synchronized product of all the A _i , i = 1 ⋯ n. The number of states of A is in O(q) and its number of transitions is in O(q.(q.e)) = O(q ².e).

Let us apply Result 1 to \(\mathcal{A}_{\mathcal{H}[k+1]}\) which is the synchronized product of \(\mathcal{A}_{\mathcal{H}[k]}\) with \(P^{-1}_{i}P_{i}(\mathcal{A}_{\mathcal{F}[k]})\), i = 1 ⋯ n. Each \(P^{-1}_{i}P_{i}(\mathcal{A}_{\mathcal{F}[k]})\) is computed by a projection P _i of \(\mathcal{A}_{\mathcal{F}[k]}\) without determinization and then by adding self-loops. Therefore the number of states of each \(P^{-1}_{i}P_{i}(\mathcal{A}_{\mathcal{F}[k]})\) is in O(|Y[k]|). Using Result 1, we obtain:

• the number of states |X[k + 1]| of \(\mathcal{A}_{\mathcal{H}[k+1]}\) is in O(|X[k]|.|Y[k]|ⁿ),

• the number of transitions |α[k + 1]| of \(\mathcal{A}_{\mathcal{H}[k+1]}\) is in

  $$O(|X[k+1]^2|.|\Sigma|)=O(|X[k]|^2.|Y[k]|^{2n}.|\Sigma|).$$

With the same approach, if we apply Result 1 to \(A_{\mathcal{F}[k+1]}\) which is the synchronized product of \(\mathcal{A}_{\mathcal{F}[k]}\) with \(P^{-1}_{i}P_{i}(\mathcal{A}_{\mathcal{H}[k]})\), i = 1 ⋯ n, we obtain:

• the number of states |Y[k + 1]| of \(\mathcal{A}_{\mathcal{F}[k+1]}\) is in O(|Y[k]|.|X[k]|ⁿ),

• the number of transitions |β[k + 1]| of \(\mathcal{A}_{\mathcal{F}[k+1]}\) is in

  $$O(|Y[k+1]|^2.|\Sigma|)=O(|Y[k]|^2.|X[k]|^{2n}.|\Sigma|).$$

4.2 Proof of Lemma 6

Lemma 6 can be deduced from the following known result:

Result 2:

The computational complexity for constructing an automaton is in the order of its number of transitions.

By applying Result 2 to \(\mathcal{A}_{\mathcal{H}[k+1]}\), we obtain that the computational complexity for constructing \(\mathcal{A}_{\mathcal{H}[k+1]}\) is in O(|α[k + 1]|) = O(|X[k]|².|Y[k]|²ⁿ.|Σ|) (from Lemma 5). Let us apply Result 2 to \(\mathcal{A}_{\mathcal{F}[k+1]}\) whose number of transitions is |β[k + 1]| = O(|Y[k]|².|X[k]|²ⁿ.|Σ|) (from Lemma 5). We obtain that the computational complexity for constructing \(\mathcal{A}_{\mathcal{F}[k+1]}\) is in O(|β[k + 1]|) = O(|Y[k]|².|X[k]|²ⁿ.|Σ|).

4.3 Proof of Lemma 7

Consider a decomposition \(D=\{X_{m}^{1},\cdots,X_{m}^{\mathit{p}}\}\) of X _m s.t. D satisfies Eq. 19. Let us prove Lemma 7 by induction on the inference steps k ≥ 1.

Basis:

Let v = (v ₁, ⋯ ,v _n ,v _n + 1) ∈ Y _m [k] be an \(X_{m}^{j}\)-marked state such that \(\mathcal{C}_f(v)\neq\emptyset\), for some \(X_{m}^{j}\in D\). Then, since \(X_{m}^{j}\) satisfies Eq. 19, we have, \(\forall (a_1,\cdots,a_{n}) \in(v_1\cap X_{m}^{j})\times\cdots\times (v_{n}\cap X_{m}^{j})\), \(|\bigcup_{i\in\mathbb{I}}{\{a_i\}}|=1\), i.e., ∀ i ∈ I, \(v_i\cap X_{m}^{j}=\{x\}\), for some \(x\in X_{m}^{j}\). This means that v is {x}-marked and not \(\mathcal{X}\)-marked, \(\forall\mathcal{X}\subseteq X_{m}^{j}\) s.t. \(\mathcal{X}\neq\{x\}\).

Induction Step:

For some k ≥ 1, assume that for every marked state \(u\in{Y_{m}}[k]|_{X_{m}^{j}}\), for which \(\mathcal{C}_f(u)\neq\emptyset\), there exists \(x\in X_{m}^{j}\) such that u is {x}-marked and not \(\mathcal{X}\)-marked, \(\forall\mathcal{X}\subseteq X_{m}^{j}\) s.t. \(\mathcal{X}\neq\{x\}\). Let us show that for every marked state \(v\in{Y_{m}}[k+1]|_{X_{m}^{j}}\), for which \(\mathcal{C}_f(v)\neq\emptyset\), there exists \(z\in X_{m}^{j}\) such that v is {z}-marked and not \(\mathcal{X}\)-marked, \(\forall\mathcal{X}\subseteq X_{m}^{j}\) s.t. \(\mathcal{X}\neq\{z\}\). For that, let \(v^{k+1}=(v^{k+1}_1,\cdots,v^{k+1}_n,v^{k+1}_{n+1})\) be a \(X_{m}^{j}\)-marked state in Y _m [k + 1] (the superscript “k + 1” stands for the inference step), such that \(\mathcal{C}_f(v^{k+1})\neq\emptyset\), which implies that \(v^k=v^{k+1}_{n+1}\in{Y_{m}}[k]\) is \(X_{m}^{j}\)-marked (i.e., \(v^k=v^{k+1}_{n+1}\in Y_{m}[{k}]|_{X_{m}^{j}}\)). Let us show that \(\mathcal{C}_f(v^k)\neq\emptyset\). Since \(\mathcal{C}_f(v^{k+1})\neq\emptyset\), there exists traces λ,μ,ν ∈ Σ ^*, such that μ is faulty and \(\lambda\mu^*\nu\subseteq \mathcal{L}(\mathcal{A}_{\mathcal{F}[k+1]},v^{k+1})\), where \({\mathcal{L}}(\mathcal{A}_{\mathcal{F}[k+1]},v^{k+1})\) is the set of traces reaching v ^k + 1 in \(\mathcal{A}_{\mathcal{F}[k+1]}\). Since for every trace s reaching v ^k + 1 in \(\mathcal{A}_{\mathcal{F}[k+1]}\), i.e., \(s\in\mathcal{L}(\mathcal{A}_{\mathcal{F}[k+1]},v^{k+1})\), we have s reaches \(v^{k+1}_{n+1}=v^k\) in \(\mathcal{A}_{\mathcal{F}[k]}\), i.e. \(s\in\mathcal{L}(\mathcal{A}_{\mathcal{F}[k]},v^k)\). Hence, \(\mathcal{L}(\mathcal{A}_{\mathcal{F}[k+1]},v^{k+1})\subseteq \mathcal{L}(\mathcal{A}_{\mathcal{F}[k]},v^k)\). Thus, \(\lambda\mu^*\nu\subseteq \mathcal{L}(\mathcal{A}_{\mathcal{F}[k]},v^k)\), i.e., \(\mathcal{C}_f(v^k)\neq\emptyset\). Hence, from the induction hypothesis, there exists \(y\in X_{m}^{j}\) such that \(v^k=(v^{k}_{1},\cdots,v^{k}_{n},v^{k}_{n+1})\in{Y_{m}}[k]\) is {y}-marked and not \(\mathcal{X}\)-marked in Y _m [k], \(\forall\mathcal{X}\subseteq X_{m}^{j}\) s.t. \(\mathcal{X}\neq\{y\}\).

Assume for contradiction that v ^k + 1 is \(\mathcal{Y}\)-marked for some subset \(\mathcal{Y}\subseteq X_{m}^{j}\) such that \(y\in\mathcal{Y}\) (otherwise, \(y\not\in\mathcal{Y}\), v ^k + 1 is not \(\mathcal{Y}\)-marked). Hence, \(\exists l\in I\) such that \(v^{k+1}_l\) contains a state \(w^k=(w^{k}_{1},\cdots,w^{k}_{n},w^{k}_{n+1})\in X_{m}[k]\) which is \(\mathcal{Y}\)-marked, hence \(w^{k-1}=w^{k}_{n+1}\) is \(\mathcal{Y}\)-marked in X _m [k − 1] (see the definition of multi-marking in Section 8.2).

Since \(w^k\in v^{k+1}_l\), and from the definition of the natural projection of FSA (Hopcroft and Ullman 1979), there exits \(s\in\mathcal{F}[k]\) reaching the state \(v^k=v^{k+1}_{n+1}\in{Y_{m}}[k]\) and \(t\in\mathcal{H}[k]\) reaching the state \(w^k\in X_{m}[k]\) such that P _l (s) = P _l (t). Since s reaches \(v^k=(v^k_1,\cdots,v^k_n,v^k_{n+1})\) in \(\mathcal{A}_{\mathcal{F}[k]}\), then s reaches \(v^{k-1}=v^k_{n+1}\in{Y_{m}}[k-1]\) in \(\mathcal{A}_{\mathcal{F}[k-1]}\). Since t reaches \(w^k=(w^{k}_{1},\cdots,w^{k}_{n},w^{k}_{n+1})\in X_{m}[k]\) in \(\mathcal{A}_{\mathcal{F}[k]}\), then t reaches \(w^{k-1}=w^{k}_{n+1}\in X_{m}[k-1]\) in \(\mathcal{A}_{\mathcal{H}[k-1]}\). Since P _l (s) = P _l (t) and from \(\mathcal{F}[k]=\mathcal{F}[k-1]\cap\bigcap_{i\in I}P^{-1}_{i}P_{i}(\mathcal{H}[k-1])\), we have \(w^{k-1}\in v^{k}_{l}\) (recall that \(v^k=(v^k_1,\cdots,v^k_n,v^k_{n+1})\)). Since w ^k − 1 is \(\mathcal{Y}\)-marked and v ^k is {y}-marked, we have v ^k is \((\mathcal{Y}\cup\{y\})\)-marked. This contradicts the fact that v ^k is {y}-marked and not \(\mathcal{X}\)-marked in Y _m [k], \(\forall\mathcal{X}\subseteq X_{m}^{j}\) s.t. \(\mathcal{X}\neq\{y\}\). Thus, \(\mathcal{Y}=\{y\}\), and then w ^k is {y}-marked. Therefore, v ^k + 1 is {y}-marked and not \(\mathcal{X}\)-marked in Y _m [k + 1], \(\forall\mathcal{X}\subseteq X_{m}^{j}\) s.t. \(\mathcal{X}\neq\{y\}\).

4.4 Proof of Theorem 5

Consider a FSA \(\mathcal{A}_{\mathcal{H}}\) accepting \(\mathcal{H}\) and a decomposition \(\{X_{m}^{1},\cdots,X_{m}^{\mathit{p}}\}\) of X _m satisfying Eq. 19.

“If”: Assume that \((\mathcal{F},\mathcal{H})\) is ∧-\(\mathit{Inf}_{{\leq N}}^{{\geq1}}\)-F-CODIAG w.r.t. \(\{\mathcal{H}^{1},\cdots,\mathcal{H}^{\mathit{p}}\}\), where, ∀ j ∈ J, \(\mathcal{H}^{j}=\{s\in\Sigma^{*}|\,\alpha(x_0,s)\in X_{m}^{j}\}\). Since, each \(\mathcal{H}^{j}\) contains only the traces leading to marked states of \(X_{m}^{j}\), the decomposition \(\{\mathcal{H}^{1},\cdots,\mathcal{H}^{\mathit{p}}\}\) satisfies Assumption A3. Therefore, from Definitions 7 and 8, \((\mathcal{F},\mathcal{H})\) is ∧-\(\mathit{Inf}_{{\leq N}}^{{\geq1}}\)-F-CODIAG w.r.t. \(\mathcal{A}_{\mathcal{H}}\).

“Only If”: Assume that \((\mathcal{F},\mathcal{H})\) is not ∧-\(\mathit{Inf}_{{\leq N}}^{{\geq1}}\)-F-CODIAG w.r.t. \(\{\mathcal{H}^{1},\cdots,\mathcal{H}^{\mathit{p}}\}\), where \(\mathcal{H}^{j}=\{s\in\Sigma^{*}|\,\alpha(x_0,s)\in X_{m}^{j}\}\). Then, \(\exists j\in J\) such that \((\mathcal{F},\mathcal{H}^{j})\) is not \(\mathit{Inf}_{N}\)-F-CODIAG, i.e., there exists v ∈ Y _m [N + 1] that is \(X_{m}^{j}\)-marked and reached by traces through a cycle of faulty states in \(\mathcal{A}_{\mathcal{F}[N+1]}\). Since \(\mathcal{H}^{j}\) satisfies Eq. 19, this implies, from Lemma 7, that there exists \(x\in X_{m}^{j}\) for which v is {x}-marked and not \(\mathcal{X}\)-marked, \(\forall\mathcal{X}\subseteq X_{m}^{j}\) s.t. \(\mathcal{X}\neq\{x\}\).

For every decomposition \(D=(\mathcal{X}^{1},\cdots,\mathcal{X}^{q})\) of X _m , \(\exists \mathcal{X}^{l}\in D\) such that \(x \in\mathcal{X}^{l}\), and thus v is \(\mathcal{X}^{l}\)-marked. Since, v is reached by traces through a cycle of faulty states in \(\mathcal{A}_{\mathcal{F}[N+1]}\), this implies from Theorem 4, that \((\mathcal{F},\mathcal{H})\) is not ∧-\(\mathit{Inf}_{{\leq N}}^{{\geq1}}\)-F-CODIAG w.r.t. \(\mathcal{A}_{\mathcal{H}}\), as required.

4.5 Proof of Proposition 11

From Lemma 6, the complexity of computing \(\mathcal{A}_{\mathcal{F}[k+1]}\) from \(\mathcal{A}_{\mathcal{H}}[k]\) and \(\mathcal{A}_{\mathcal{F}}[k]\) is in O(|β[k + 1]|) = O(|Y[k]|².|X[k]|²ⁿ.|Σ|). The complexity of computing \(\mathcal{A}_{\mathcal{F}^{j}[k+1]}\) from \(\mathcal{A}_{\mathcal{H}^{j}[k]}\) and \(\mathcal{A}_{\mathcal{F}^{j}[k]}\) is in the same order because \(\mathcal{A}_{\mathcal{F}^{j}[k+1]}\) is obtained from \(\mathcal{A}_{\mathcal{F}[k+1]}\) by: (1) keeping marked only the states of \(\mathcal{A}_{\mathcal{F}[k+1]}\) that are \(X_{m}^{j}\)-marked, and (2) removing every state from which no \(X_{m}^{j}\)-marked state is reachable. This procedure is in the worst case in O(|β[k + 1]|). Detecting cycles of faulty states in \(\mathcal{A}_{\mathcal{F}[k+1]}\) is linear in the size of \(\mathcal{A}_{\mathcal{F}[k+1]}\), i.e., O(|β[k + 1]|). Therefore, the complexity of computing \(\mathcal{A}_{\mathcal{F}[k+1]}\) from \(\mathcal{A}_{\mathcal{H}}[k]\) and \(\mathcal{A}_{\mathcal{F}}[k]\) and detecting cycles of faulty states in \(\mathcal{A}_{\mathcal{F}[k+1]}\) is in O(|β[k + 1]|) = O(|Y[k]|².|X[k]|²ⁿ. |Σ|).

4.6 Proof of Lemma 8

Given two subsets \(\mathcal{W},\mathcal{Z}\subseteq X_{m}\), we have:

$$ \begin{array}{rll} \mathrm{ID}_{v}(\mathcal{W}\cup\mathcal{Z})&=\{i\in I|\,v_i\cap(\mathcal{W}\cup\mathcal{Z})=\emptyset\} =\{i\in I|\,(v_i\cap\mathcal{W}=\emptyset)\wedge(v_i\cap\mathcal{Z}=\emptyset)\}\\ &&=\{i\in I|\, v_i\cap\mathcal{W}=\emptyset\}\cap\{i\in I |\, v_i\cap\mathcal{Z}=\emptyset\}=\mathrm{ID}_{v}(\mathcal{W})\cap\mathrm{ID}_{v}(\mathcal{Z}). \end{array} $$

4.7 Proof of Lemma 9

\(\mathcal{X}\subseteq X_{m}\) satisfies Eq. 19 means:

1. 1.

   ∀ v = (v ₁, ⋯ ,v _n + 1) ∈ Y _m [1] s.t. v is \(\mathcal{X}\)-marked and \(\mathcal{C}_f(v)\neq\emptyset\),

2. 2.

   \(\forall (a_1,\cdots,a_{n})\in(v_1\cap\mathcal{X})\times\cdots\times(v_{n}\cap\mathcal{X})\), we have | ∪  _i ∈ I {a _i }| = 1.

The above Item 1 can be rewritten: ∀ v ∈ Y _m [1] s.t. \(\mathcal{C}_f(v)\neq\emptyset\) and \(\mathrm{ID}_{v}(\mathcal{X})=\emptyset\). The above item 2 is equivalent to: \(|\bigcup_{i\in I}(\mathcal{X}\cap v_i)|=1\), which can be rewritten: \(|\mathcal{X}\cap(\bigcup_{i\in I}v_i)|=1\).

To recapitulate, \(\mathcal{X}\) satisfies Eq. 19 is equivalent to: ∀ v ∈ Y _m [1] s.t. \(\mathcal{C}_f(v)\neq\emptyset\): if \(\mathrm{ID}_{v}(\mathcal{X})=\emptyset\) then \(|\mathcal{X}\cap\bigcup_{i\in I}v_i|=1\).

4.8 Proof of Proposition 12

Consider x,y ∈ X _m . Let us prove that y ∈ Elig(x) iff \(y\in X_{m}\setminus[\{x\}\cup\bigcup_{\substack{v\in Y_{m}[{1}]\\\mathcal{C}_f(v)\neq\emptyset\\\mathrm{ID}_{v}(x)=\emptyset}} \bigcup_{i\in I}v_i\,\cup\,\bigcup_{\substack{v\in Y_{m}[{1}]\\\mathcal{C}_f(v)\neq\emptyset\\\mathrm{ID}_{v}(x)\neq I}} \bigcap_{i\in\mathrm{ID}_{v}(x)}v_i]\). By definition, we have,

$$ y\in\mathrm{Elig}({x})\Leftrightarrow [\{x,y\} \mbox{ satisfies Eq.~19}]\wedge[y\in X_{m}\setminus\{x\}] $$

The set of states \(A\subseteq X_{m}\) s.t., ∀ y ∈ A, {x,y} satisfies Eq. 19, can be obtained by computing the set of states \(B\subseteq X_{m}\) s.t. ∀ z ∈ B, {x,z} does not satisfy Eq. 19. Then we have A = B ^c, where B ^c is the complementary of B. For every z ∈ B, we have,

$$ \{x,z\} \mbox{ does not satisfy Eq.~19} $$

(32)

$$ \begin{array}{rll} \text{(32)}&&\Leftrightarrow \exists v\in Y_{m}[{1}] \mbox{ s.t. } \mathcal{C}_f(v)\neq\emptyset, \mathrm{ID}_{v}(\{x,z\})=\emptyset \mbox{ and } |\{x,z\}\cap\bigcup\limits_{i\in I}v_i|>1\\ \text{(32)}&&\Leftrightarrow \exists v\in Y_{m}[{1}] \mbox{ s.t. } \mathcal{C}_f(v)\neq\emptyset, \mathrm{ID}_{v}(\{x,z\})=\emptyset \mbox{ and } \{x,z\}\cap\bigcup\limits_{i\in I}v_i=\{x,z\} \end{array} $$

{x,z} ∩ ∪  _i ∈ I v _i  = {x,z} is equivalent to \(\{x,z\}\subseteq \bigcup_{i\in I}v_i\) which is equivalent to say that ID _v (x) ≠ I and ID _v (z) ≠ I. So, we have

$$ \text{(32)}\Leftrightarrow \exists v\in Y_{m}[{1}] \mbox{ s.t. } \mathcal{C}_f(v)\neq\emptyset, \mathrm{ID}_{v}(\{x,z\})=\emptyset, \mathrm{ID}_{v}(x)\neq I \mbox{ and } \mathrm{ID}_{v}(z)\neq I. $$

For every v ∈ Y _m [1] s.t. \(\mathcal{C}_f(v)\neq\emptyset\), ID _v ({x,z}) = ∅, ID _v (x) ≠ I and ID _v (z) ≠ I, two cases can be presented:

1. 1.

   ID _v (x) = ∅: in this case for every z ∈ ∪  _i ∈ I v _i , {x,z} does not satisfy Eq. 19.

2. 2.

   ID _v (x) ≠ ∅: since ID _v ({x,z}) = ∅, ∀ i ∈ I, {x,z} ∩ v _i  ≠ ∅. Hence, ∀ l ∈ I s.t. \(x\not\in v_l\), i.e., ∀ l ∈ ID _v (x), we have z ∈ v _l . It follows that \(z\in\bigcap_{l\in\mathrm{ID}_{v}(x)}v_l\). Therefore, for every \(z\in\bigcap_{l\in\mathrm{ID}_{v}(x)}v_l\), {x,z} does not satisfy Eq. 19

Since, either z ∈ ∪  _i ∈ I v _i (in the case ID _v (x) = ∅) or \(z\in\bigcap_{l\in\mathrm{ID}_{v}(x)}v_l\) (in the case ID _v (x) ≠ ∅) implies that ID _v (z) ≠ I, we have,

$$ \begin{array}{rll} \text{(32)}&\Leftrightarrow \exists v\in Y_{m}[{1}] \mbox{ s.t. } \mathcal{C}_f(v)\neq\emptyset:\\ &&\left[ \mathrm{ID}_{v}(x) \neq I \wedge \mathrm{ID}_{v}(x) = \emptyset\wedge z\in\bigcup\limits_{i\in I}v_i \right] \vee \left[ \mathrm{ID}_{v}(x) \neq I\wedge \mathrm{ID}_{v}(x)\neq\emptyset\wedge z\in\bigcap\limits_{l\in D_{v}({x})}v_l \right] \end{array} $$

Since \(\mathrm{ID}_{v}(x)=\emptyset \mbox{ implies }\mathrm{ID}_{v}(x)\neq I,\) and ID _v (x) = ∅ implies \(\bigcap_{l\in {\rm ID}_{v}({x})}v_l=\emptyset\), we have,

$$ \begin{array}{rll} \text{(32)}&&\Leftrightarrow \exists v\in Y_{m}[{1}] \mbox{ s.t. } \mathcal{C}_f(v)\neq\emptyset:\\ &&\left[\mathrm{ID}_{v}(x)=\emptyset\wedge z\in\bigcup\limits_{i\in I_{}}v_i\right]\vee\left[\mathrm{ID}_{v}(x)\neq I_{} \wedge z\in\bigcap\limits_{l\in {\rm ID}_{v}({x})}v_l\right]\\ &&\Leftrightarrow z\in\bigcup\limits_{\substack{v\in Y_{m}[{]1}\\\mathcal{C}_f(v)\neq\emptyset\\ \mathrm{ID}_{v}(x)=\emptyset}} \bigcup\limits_{i\in I}v_i\,\cup\,\bigcup\limits_{\substack{v\in Y_{m}[{1}]\\\mathcal{C}_f(v)\neq\emptyset\\\mathrm{ID}_{v}(x)\neq I}} \bigcap\limits_{i\in\mathrm{ID}_{v}(x)}v_i \end{array} $$

Therefore, \(B=\bigcup_{\substack{v\in Y_{m}[{1}]\\\mathcal{C}_f(v)\neq\emptyset\\\mathrm{ID}_{v}(x)=\emptyset}} \bigcup_{i\in I}v_i\,\cup\,\bigcup_{\substack{v\in Y_{m}[{1}]\\\mathcal{C}_f(v)\neq\emptyset\\\mathrm{ID}_{v}(x)\neq I}} \bigcap_{i\in\mathrm{ID}_{v}(x)}v_i\). Thus, we have,

$$ \begin{array}{rll} y\in\mathrm{Elig}({x})&\Leftrightarrow& [y\not\in B]\wedge[y\in X_{m}\setminus\{x\}]\\ &\Leftrightarrow& y\in X_{m}\setminus[\{x\}\cup\bigcup\limits_{\substack{v\in Y_{m}[{1}]\\\mathcal{C}_f(v)\neq\emptyset\\\mathrm{ID}_{v}(x)=\emptyset}} \bigcup\limits_{i\in I}v_i\,\cup\,\bigcup\limits_{\substack{v\in Y_{m}[{1}]\\\mathcal{C}_f(v)\neq\emptyset\\\mathrm{ID}_{v}(x)\neq I}} \bigcap\limits_{i\in\mathrm{ID}_{v}(x)}v_i] \end{array} $$

4.9 Proof of Proposition 13

Consider \(\mathcal{X} \subseteq X_{m}\), \(x \in \mathrm{Elig}({\mathcal{X}})\). We have to prove the equality S = T, where \(S=\mathrm{Elig}({\mathcal{X}\cup\{x\}})\) and \(T=(\mathrm{Elig}({\mathcal{X}})\cap\mathrm{Elig}({x}))\setminus[\bigcup_{\substack{v\in Y_{m}[{1}]:\\\mathrm{ID}_{v}(\mathcal{X}\cup\{x\})\neq I\\\mathcal{C}_f(v)\neq\emptyset}} \bigcap_{i\in\mathrm{ID}_{v}(\mathcal{X}\cup\{x\})}v_i]\). Let us prove “\(S\subseteq T\)” and “\(T \subseteq S\)”. Hereafter, we consider only the states v ∈ Y _m [1] satisfying \(\mathcal{C}_f(v)\neq\emptyset\).

Proof \(S\subseteq T\)

Consider \(y\in\mathrm{Elig}({\mathcal{X}\cup\{x\}})\), which means that \(y \in X_{m} \setminus (\mathcal{X}\cup\{x\})\) and \(\mathcal{X}\cup\{y,x\}\) satisfies Eq. 19. Hence, \(y \in X_{m} \setminus \mathcal{X}\), y ∈ X _m  ∖ {x}, \(\mathcal{X}\cup\{y\}\) satisfies Eq. 19 and {y,x} satisfies Eq. 19. Therefore, \(y \in \mathrm{Elig}({\mathcal{X}}) \cap \mathrm{Elig}({x})\).

We now prove ad adsurbum \(y\not\in\bigcup_{\substack{v\in Y_{m}[{1}]:\\\mathrm{ID}_{v}(\mathcal{X}\cup\{x\})\neq I\\\mathcal{C}_f(v)\neq\emptyset}} \bigcap_{i\in\mathrm{ID}_{v}(\mathcal{X}\cup\{x\})}v_i\). Assume that \(y\in\bigcup_{\substack{v\in Y_{m}[{1}]:\\\mathrm{ID}_{v}(\mathcal{X}\cup\{x\})\neq I\\\mathcal{C}_f(v)\neq\emptyset}} \bigcap_{i\in\mathrm{ID}_{v}(\mathcal{X}\cup\{x\})}v_i\). Hence, \(\exists v=(v_1,\cdots,v_{n+1})\in Y_{m}[{1}]\) s.t. \(\mathcal{C}_f(v)\neq\emptyset\), \(\mathrm{ID}_{v}(\mathcal{X}\cup\{x\})\neq I\) and, \(\forall i\in\mathrm{ID}_{v}(\mathcal{X}\cup\{x\})\), y ∈ v _i . From the latter, we deduce that \(\mathrm{ID}_{v}(\mathcal{X}\cup\{x,y\})=\emptyset\).

From \(\mathrm{ID}_{v}(\mathcal{X}\cup\{x\})\neq I\), we deduce \((\bigcup_{i\in I}v_i)\cap ({\mathcal{X}}\cup\{x\})\neq \emptyset\). The latter expression and the facts that \(y\not\in\mathcal{X}\cup\{x\}\) and y ∈ ∪  _i ∈ I v _i imply that \(|(\mathcal{X}\cup\{x,y\})\cap\bigcup_{i\in I}v_i| > 1\).

\(\mathrm{ID}_{v}(\mathcal{X}\cup\{x,y\})=\emptyset\) and \(|({\mathcal{X}}\cup\{x,y\})\cap \bigcup_{i\in I}v_i| > 1\) imply that \(\mathcal{X}\cup\{x,y\}\) does not satisfy Eq. 19 (Lemma 9), which contradicts the hypothesis that \(\mathcal{X}\cup\{x,y\}\) satisfies Eq. 19.□

Proof \(T \subseteq S\)

Consider \(y\in(\mathrm{Elig}({\mathcal{X}})\cap\mathrm{Elig}({x}))\setminus[\bigcup_{\substack{v\in Y_{m}[{1}]:\\\mathrm{ID}_{v}(\mathcal{X}\cup\{x\})\neq I\\\mathcal{C}_f(v)\neq\emptyset}} \bigcap_{i\in\mathrm{ID}_{v}(\mathcal{X}\cup\{x\})}v_i]\). Hence, since \(y\in\mathrm{Elig}({\mathcal{X}})\), we have \(y \in X_{m} \setminus \mathcal{X}\) and \(\mathcal{X}\cup\{y\}\) satisfies Eq. 19. Since y ∈ Elig(x), we have y ∈ X _m  ∖ {x} and {x,y} satisfies Eq. 19. From \(y\in X_{m}\backslash\mathcal{X}\) and \(y\in X_{m}\backslash\{x\}\), we deduce \(y\in X_{m}\setminus(\mathcal{X}\cup\{x\})\).

In the following we will show that \(\mathcal{X}\cup\{x,y\}\) satisfies Eq. 19. For that, ∀ v ∈ Y _m [1] s.t. \(\mathcal{C}_f(v)\neq\emptyset\), we have to show that: if \(\mathrm{ID}_{v}(\mathcal{X}\cup\{x,y\})=\emptyset\) then \(|(\mathcal{X}\cup\{x,y\})\cap\bigcup_{i\in I}v_i|=1\). Two cases can be considered:

• \(\mathrm{ID}_{v}(\mathcal{X}\cup\{x\})=\emptyset\): this implies that \(\mathrm{ID}_{v}(\mathcal{X}\cup\{x,y\})=\emptyset\). \(x\in\mathrm{Elig}({\mathcal{X}})\) implies \(\mathcal{X}\cup\{x\}\) satisfies Eq. 19. The latter and \(\mathrm{ID}_{v}(\mathcal{X}\cup\{x\})=\emptyset\) implies \(|({\mathcal{X}}\cup\{x\})\cap(\bigcup_{i\in I}{v_i})|=1\) (Lemma 9). This means that either a unique \(z\in\mathcal{X}\) is contained in all v _i or x is contained in all v _i . This is equivalent to considering the two following:

  • \(\mathrm{ID}_{v}(\mathcal{X})=\emptyset\) and ID _v (x) = I: since \(\mathrm{ID}_{v}(\mathcal{X})=\emptyset\), we have \(\mathrm{ID}_{v}(\mathcal{X}\cup\{y\})=\emptyset\). Since \(y\in\mathrm{Elig}({\mathcal{X}})\), \(|(\mathcal{X}\cup\{y\})\cap(\bigcup_{i\in I}v_i)|=1\). Thus, since, ∀ i ∈ I, z ∈ v _i , it follows that \(y\not\in\bigcup_{i\in I}v_i\). Since ID _v (x) = I (i.e., \(x\not\in\bigcup_{i\in I}v_i\)), we deduce that \(|(\mathcal{X}\cup\{x,y\})\cap\bigcup_{i\in I}v_i|=1\).

  • ID _v (x) = ∅ and \(\mathrm{ID}_{v}(\mathcal{X})=I\): since ID _v (x) = ∅, we have ID _v ({x,y}) = ∅. Since y ∈ Elig(x), |({x,y}) ∩ ( ∪  _i ∈ I v _i )| = 1. Thus, since, ∀ i ∈ I, x ∈ v _i , it follows that \(y\not\in\bigcup_{i\in I}v_i\). Since \(\mathrm{ID}_{v}(\mathcal{X})=I\) (i.e., \(\mathcal{X}\cap\bigcup_{i\in I}v_i=\emptyset\)), we conclude that \(|(\mathcal{X}\cup\{x,y\})\cap\bigcup_{i\in I}v_i|=1\).

• \(\mathrm{ID}_{v}(\mathcal{X}\cup\{x\})\neq\emptyset\): two cases can be considered:

  • \(\mathrm{ID}_{v}(\mathcal{X}\cup\{x\})=I\): ∀ i ∈ I, \(v_i\cap(\mathcal{X}\cup\{x\})=\emptyset\). If \(\mathrm{ID}_{v}(\mathcal{X}\cup\{x,y\})=\emptyset\), we have ∀ i ∈ I, y ∈ v _i . It follows that \(|(\mathcal{X}\cup\{x,y\})\cap\bigcup_{i\in I}v_i|=|\{y\}|=1\).

  • \(\mathrm{ID}_{v}(\mathcal{X}\cup\{x\})\neq I\): since \(y\not\in\bigcup_{\substack{v\in Y_{m}[{1}]:\\\mathrm{ID}_{v}(\mathcal{X}\cup\{x\})\neq I\\\mathcal{C}_f(v)\neq\emptyset}} \bigcap_{i\in\mathrm{ID}_{v}(\mathcal{X}\cup\{x\})}v_i\), then there exists i ∈ I s.t. \(y \not\in v_i\) and \(v_i\cap(\mathcal{X}\cup\{x\})=\emptyset\), thus, \(v_i\cap(\mathcal{X}\cup\{x,y\})=\emptyset\). Therefore, \(\mathrm{ID}_{v}(\mathcal{X}\cup\{x,y\})\neq\emptyset\), and thus from Lemma 9, we deduce \(\mathcal{X}\cup\{x,y\}\) satisfies Eq. 19 w.r.t. v.

From \(y\in(\mathrm{Elig}({\mathcal{X}})\cap\mathrm{Elig}({x}))\setminus[\bigcup_{\substack{v\in Y_{m}[{1}]:\\\mathrm{ID}_{v}(\mathcal{X}\cup\{x\})\neq I\\\mathcal{C}_f(v)\neq\emptyset}} \bigcap_{i\in\mathrm{ID}_{v}(\mathcal{X}\cup\{x\})}v_i]\), we have deduced \(y \in X_{m}\setminus(\mathcal{X}\cup\{x\})\) and \(\mathcal{X}\cup\{x,y\}\) satisfies Eq. 19, which means \(y \in \mathrm{Elig}({\mathcal{X}\cup\{x\}})\).□

4.10 Proof of Lemma 10

Consider that Elig(x) is computed by Eq. 22 of Proposition 12. Given v ∈ Y _m [1] s.t. \(\mathcal{C}_f(v)\neq\emptyset\), and x ∈ X _m , the most costly operation for computing ID _v (x) is checking whether v _i  ∩ {x} = ∅, ∀ i ∈ I. Checking whether v _i  ∩ {x} = ∅ is in O(|X|) because \(v_i\subseteq X\). The complexity of checking for all v _i of v is obtained by multiplying the above complexity by n, that is, O(n.|X|).

4.11 Proof of Lemma 11

Consider that \(\mathrm{Elig}({\mathcal{X} \cup \{x\}})\) is computed from \(\mathrm{Elig}({\mathcal{X}})\) and Elig(x) by Eq. 23 of Proposition 13. Given x ∈ X _m and v ∈ Y _m [1] such that \(\mathcal{C}_f(v)\neq\emptyset\), the complexity for computing v _i  ∪ v _i + 1 and v _i  ∩ v _i + 1 is in O(|X|²), and the complexity of computing \(\bigcup_{i\in I}v_i\) and \(\bigcap_{i\in\mathrm{ID}_{v}(x)}v_i\) is bounded by multiplying the above complexity by n, that is, O(n.|X|²).

The complexity of computing \(\bigcup_{\substack{v\in Y_{m}[{1}]\\\mathrm{ID}_{v}(x)=\emptyset\\\mathcal{C}_f(v)\neq\emptyset}}\bigcup_{i\in I}v_i\) and \(\bigcup_{\substack{v\in Y_{m}[{1}]\\\mathrm{ID}_{v}(x)\neq I\\\mathcal{C}_f(v)\neq\emptyset}} \bigcap_{i\in\mathrm{ID}_{v}(x)}v_i\) is bounded by multiplying the above complexity by |Y _m [1]| that is, O(n.|Y _m [1]|.|X|²). The union with {x} is in O(|X|). The subtraction X _m  ∖ ⋯ is in \(O(|X|.|X_{m}|) \leq O(|X|^2)\). Therefore the complexity of computing Elig(x) is in O(n.|Y _m [1]|.|X|²).

4.12 Proof of Lemma 12

The complexity for computing \(\bigcup_{\substack{v\in Y_{m}[{1}]\\\mathrm{ID}_{v}(x)\neq I\\\mathcal{C}_f(v)\neq\emptyset}} \bigcap_{i\in\mathrm{ID}_{v}(x)}v_i\) is O(n.|Y _m [1]|.|X|²) (from Lemma 11). The complexity of the intersection Elig(X) ∩ Elig(x) is in \(O(|X_{m}|^2)\leq O(|X|^2)\). The complexity of the subtraction [Elig(X) ∩ Elig(x)] ∖ ⋯ is in \(O(|X_{m}|.|X|) \leq O(|X|^2)\). Therefore, the total complexity of computing Elig(X) is O(n.|Y _m [1]|.|X|²).

4.13 Proof of Proposition 14

Let us consider the two steps of the procedure.

1. 1.

   Initializations: Z _m ←X _m is in O(|X _m |), \(X_{m}^{1} \leftarrow \emptyset\) is in O(1). Therefore Step 1 is in O(|X _m |),

2. 2.

   Compute \(\mathrm{Elig}({X_{m}^{1}})\) knowing Elig(x) and \(\mathrm{Elig}({X_{m}^{1}\setminus\{x\}})\):

   • Compute Elig(x) is in O(n.|Y _m [1]|.|X|²) (Lemma 11).

   • Compute \(\mathrm{Elig}({X_{m}^{1}})\) from Elig(x) and \(\mathrm{Elig}({X_{m}^{1}\setminus\{x\}})\) is in O(n.|Y _m [1]|.|X|²) (Lemma 12).

Then from \(\mathrm{Elig}({X_{m}^{1}}))\) and Z _m : computing \(\mathrm{Elig}({X_{m}^{1}}))\cap Z_m\) is in \(O(|X_{m}|^2) = O(|X|^2)\); checking if \(\mathrm{Elig}({X_{m}^{1}}))\cap Z_m\) is empty is in \(O(|X_{m}|^2) \leq O(|X|^2)\); selecting randomly x in \(\mathrm{Elig}({X_{m}^{1}})\cap Z_m\) is in O(1); and moving the selected x from Z _m to \(X_{m}^{1}\) is in O(1). To construct the whole partition, the while-loop is repeated at most |X _m | times. Therefore, the total complexity is in \(O(n.|{Y_{m}}[1]|.|X|^2.|X_{m}|)\leq O(n.|{Y_{m}}[1]|.|X|^3)\).

Appendix E: Proofs of Section 9

5.1 Proof of Theorem 6

The algorithm computes \(\mathcal{A}_{\mathcal{H}}\), \(\mathcal{A}_{\mathcal{F}}\), \(\mathcal{A}_{\mathcal{H}[1]}\) and \(\mathcal{A}_{\mathcal{F}[1]}\) as indicated in Section 8.1. If there is no cycle of faulty states in Y _m [1], then from Def. 4, \((\mathcal{F},\mathcal{H})\) is \(\mathit{Inf}_{0}\)-F-CODIAG. This is the only situation where the algorithm generates the output “\((\mathcal{F},\mathcal{H})\) is \(\mathit{Inf}_{0}\)-F-CODIAG”. Therefore, the latter output is generated if and only if it is true.

The algorithm computes every ID _v (x), using its definition given by Eq. 20, and Elig(x), using Eq. 22 of Proposition 12. Then the algorithm constructs iteratively sets \(X_{m}^{1},\cdots,X_{m}^{\mathit{p}}\) that constitute a partition of X _m , such that each \(X_{m}^{j}\) satisfies Eq. 19. The construction of each \(X_{m}^{j}\) is based on: \(\mathrm{ID}_{v}(X_{m}^{j})\), which is computed using Lemma 8; and \(\mathrm{Elig}({X_{m}^{j}})\), which is computed using Eq. 23 of Proposition 13.

Then, the algorithm searches the smallest \(N_1,\cdots,N_\mathit{p} \leq N\) such that there is no cycle of faulty states in \(\mathcal{A}_{\mathcal{F}[N_j+1]}\), for every \(j=1,\cdots,\mathit{p}\). For that purpose, the algorithm computes \(\mathcal{A}_{\mathcal{H}[k]}\) and \(\mathcal{A}_{\mathcal{F}[k]}\) for \(k=1,\cdots,\max(N_1,\cdots,N_\mathit{p})\) as indicated in Section 8.1.

If such \((N_j)_{j=1,\cdots,\mathit{p}}\) exists (and thus, is found by the algorithm), then from Def. 4, every \((\mathcal{F},\mathcal{H}^{j})\) is \(\mathit{Inf}_{N_j}\)-F-CODIAG. From Def. 5, \((\mathcal{F},\mathcal{H})\) is ∧-\((\mathit{Inf}_{N_1},\cdots,\mathit{Inf}_{N_{\mathit{p}}})\)-F-CODIAG. This is the only situation where the algorithm generates the output “\((\mathcal{F},\mathcal{H})\) is ∧-\((\mathit{Inf}_{N_1},\cdots,\mathit{Inf}_{N_{\mathit{p}}})\)-F-CODIAG”. Therefore, the latter output is generated if and only if it is true.

If such \((N_j)_{j=1,\cdots,\mathit{p}}\) does not exist (and thus, is not found by the algorithm), then from Theorem 5, \((\mathcal{F},\mathcal{H})\) is not ∧-\(\mathit{Inf}_{{\leq N}}^{{\geq1}}\)-F-CODIAG. This is the only situation where the algorithm generates the output “\((\mathcal{F},\mathcal{H})\) is not ∧-\(\mathit{Inf}_{{\leq N}}^{{\geq1}}\)-F-CODIAG”. Therefore, the latter output is generated if and only if it is true.