A Survey on Dynamic Corrective Control of Asynchronous Sequential Machines

Abstract

As a feedback control methodology exclusively targeting asynchronous sequential machines (ASMs), corrective control has been rapidly developing for the past two decades. This paper presents a comprehensive survey on the theory and application of dynamic corrective control in which the controller also has the form of an ASM. First, basic notions and principles of dynamic corrective control, including models of ASMs and configurations of closed-loop systems, are reviewed. Next, assorted dynamic corrective control schemes are presented aiming at solving specific control problems of ASMs, such as model matching and fault-tolerant control. Variations of control aspects are classified according to modeling formalisms of controlled ASMs—input/state, input/output, and composite ASMs—and involved fault characteristics, such as transient, permanent, and intermittent faults and intelligent attacks. Representative results on the application of fault-tolerant corrective control to real-world engineering systems are also provided with an emphasis on space-borne digital systems. Finally, some challenging topics for future studies on corrective control are discussed.

1. Introduction

Asynchronous sequential machines (ASMs) are referred to as event-driven dynamic systems whose operations are governed by no global synchronizing clock. Since being pioneered by Huffman [1] in the mid 1950s, the design and implementation of ASMs has been an active area of research in a variety of fields, especially in digital systems; see [2,3,4,5,6,7] and the references cited therein for the relevant results accumulated so far. As pointed out in [4], the lack of a synchronizing clock gives ASMs several benefits such as no clock skew in the design process, low power consumption, average case performance rather than worst case, mitigation of global timing issues, greater technology migration potential, etc. On the other hand, the problem of asynchronous design needs delicate consideration since inherent drawbacks such as races and infinite cycles underlying ASMs should be avoided to ensure design integrity [8,9,10,11].

Corrective control is a unique automatic control theory aiming at compensating for the stable-state behavior of ASMs. At first glance, the goal of corrective control sounds odd as the inner logic of an ASM is regarded as unchangeable once implemented in a physical system. But the key aspect of corrective control is not to re-design the existent functionality of the controlled ASM, but to make the ASM interact with the controller so that the closed-loop system can exhibit the desired behavior from the viewpoint of external users. The latter feature is made possible by virtue of the inherent property of ASMs that their transient transitions are very fast—zero time, ideally.

The origin of corrective control dates back to a series of studies by Hammer [12,13,14,15] among which [12] first used the terminology “corrective control”. Though not employing the ASM formulation, these publications address the design of feedback controllers that correct the faulty behaviors of general sequential machines caused by corrupted inputs [12], incomplete knowledge of models [13], and external disturbances [14]. These studies can be said to serve as the foundation for initiating the study of corrective control for ASMs.

Beginning from a preliminary study [16], the research on corrective control has greatly progressed over the past two decades in both theoretical development and application to real-world systems. As will be shown later, the subject of corrective control encompasses a wide range of control problems including model matching (or model following control), robust control with respect to model uncertainty and design flaws, fault diagnosis and fault-tolerant control against attacks of random faults or intelligent adversaries, etc.

The objective of this paper is to provide a comprehensive survey of the present state of the art for dynamic corrective control and to consider the direction of future research. Dynamic corrective controllers represent a class of corrective controllers, the structure of which is also an ASM having inner states and asynchronous transitions in response only to changes in the input. This survey will not consider static controllers [17,18,19], another class of corrective controllers which consist of purely logic components with no inner states. Hereafter, “corrective controllers” implies only dynamic ones. For research on static corrective control, readers are referred to related studies (e.g., [20]).

Before proceeding with our discussion, it is worthwhile to compare corrective control with the supervisory control of discrete-event systems (DESs) [21,22,23,24,25,26], a representative control theory for event-driven systems based on formal languages.

(i)

Supervisors for DESs receive traces of inputs (or events) so as to generate commands specifying whether the current (controllable) input be enabled or disabled. Hence a supervisor cannot enlarge the controlled behavior of a DES; the supervisor can only curtail it to meet a given specification. On the other hand, since a corrective controller generates its own control input sequences while suppressing the current external input, it can provide the controlled ASM with new stable-state behaviors that otherwise could not be displayed.

(ii)

Rather than using the method of formal languages, corrective control theory exploits transition equivalence in evaluating the success of control goals. In the case of model matching, for example, the stable-state behavior of the closed-loop system is deemed to be matched with that of the reference model if, staying at the same state, they move to the same next stable state in response to a common input. In this sense, the control specification of corrective control is stricter than supervisory control.

(iii)

Although having a conceptual similarity to corrective control, supervisory control cannot be applied to controlling ASMs since it does not consider intrinsic characteristics of ASMs such as discrimination between stable and transient states and abiding by the principle of fundamental mode operations.

The remainder of this article is organized as follows. Section 2 reviews the mathematical formulation of ASMs utilized in corrective control and the basic configuration of corrective control systems. Section 3 examines preliminary results on describing the reachability and detectability of ASMs. Section 4 addresses important accomplishments of corrective control for the model matching problem with respect to the class of controlled ASMs. In Section 5, corrective control schemes are presented that are associated with fault diagnosis and fault-tolerant control. Representative publications are reviewed depending on the fault type, and application studies of fault-tolerant corrective control are summarized with an emphasis on space-borne digital systems. Finally, in Section 6, conclusions are drawn and prospects for future research topics of dynamic corrective control are considered.

This paper intends to provide a state-of-the-art review on the theory and application of dynamic corrective control. It is anticipated that this paper can be utilized as a quick reference to corrective control theory by providing both primary knowledge about corrective control and a detailed literature survey. Furthermore, theoretical and practical challenges in corrective control are discussed to encourage participatory research.

2. Mathematical Formulation of Corrective Control

$\mathbb{N}$ denotes the set of natural numbers. For a finite set A, $P\left(A\right)$ is the power set of A, $\left|A\right|\in \mathbb{N}$ is the cardinality of A, and $A^{+}$ is the set of non-empty strings made of characters in A. For a string $p\in A^{+}$, $\left|p\right|\in \mathbb{N}$ is the length of p.

2.1. Modeling of ASMs

ASMs in corrective control have one of two types of dynamics: input/state machines in which the current state is given as the output, and input/output machines in which the output different from the state is provided. The modeling formalism for input/state ASMs is addressed in [16,27,28], and that for input/output ASMs in [29,30,31]; see also [32,33] for general theory on switching and finite automata.

An input/state ASM $\Sigma$ is described by a quadruple

$$\begin{array}{c}\hfill \Sigma =(A,X,\overline{x},f),\end{array}$$

where A is the input set, X is the state set with $\left|X\right|=n$, $\overline{x}\in X$ is the initial state, and $f:X\times A\to X$ is the state transition function partially defined on $X\times A$. The behavior of $\Sigma$ is characterized by the distinction between stable and transient states. If $f(x,v)=x$, $(x,v)\in X\times A$ is a stable pair; if $f(x,v)\ne x$, $(x,v)$ is a transient one. In the absence of a synchronizing clock, $\Sigma$ stays at a stable state $x^0\in X$ indefinitely as long as the current input remains unchanged. If the input changes to another value $a\in A$ such that $(x^0,a)$ is transient, $\Sigma$ engages in a chain of transient transitions

$$\begin{array}{c}\hfill x^1:=f(x^0,a),x^2:=f(x^1,a),\dots ,\end{array}$$

(1)

where a remains fixed. If $\Sigma$ does not possess infinite cycles, $\Sigma$ reaches the next stable state $x^k$ such that

$$\begin{array}{c}\hfill x^k:=f(x^{k-1},a)=f(x^k,a),1\le k\le n-1.\end{array}$$

(2)

As transient transitions of ASMs are very fast, intermediate transient states $x^1,\dots ,x^{k-1}$ are almost imperceptible. Thus one often omits them and describes the chain of transient transitions only in terms of stable states. The stable recursion function $s:X\times A\to X$ [28] plays the role of the latter compression. For a valid pair $(x,v)\in X\times A$,

$$\begin{array}{c}\hfill s(x,v):=x^{\prime }\end{array}$$

where $x^{\prime }$ is the next stable state of $(x,v)$. The chain of transient transitions represented by s is termed a stable transition. The domain of s is often extended to $X\times A^{+}$ as

$$\begin{array}{c}\hfill s(x,v_1{v}_2\cdots v_k):=s(s(x,v_1),v_2\cdots v_k),v_1{v}_2\cdots v_k\in A^{+}.\end{array}$$

When $\Sigma$ has the form of an input/output ASM, it is represented by a six-tuple

$$\begin{array}{c}\hfill \Sigma =(A,Y,X,\overline{x},f,h),\end{array}$$

where Y is the output set and $h:X\to Y$ is the output function.

When $\Sigma$ undertakes a stable transition, it generates a burst, or fast outburst of output characters. If $\Sigma$ is an input/state ASM, it gives a state burst. If $\Sigma$ is an input/output ASM, an output burst is generated instead. Since repeating characters are not noticeable in the dynamics of ASMs, they must be interpreted as a single one in the burst. Let $\beta (x,v)\in X^{+}\cup Y^{+}$ be the burst $\Sigma$ generates when it engages in a stable transition from $(x,v)$. In view of (1) and (2), $\beta (x^0,a)$ is written as

$$\begin{array}{c}\hfill \beta (x^0,a):=\left\{\begin{array}{cc}{x}^0{x}^1\cdots x^k\hfill & \mathrm{input}/\mathrm{state}\mathrm{ASM}\hfill \\ \gamma (h\left(x^0\right)h\left(x^1\right)\cdots h\left(x^k\right))\hfill & \mathrm{input}/\mathrm{output}\mathrm{ASM}\hfill \end{array}\right.\end{array}$$

where $\gamma :Y^{+}\to Y^{+}$ is the mapping that replaces repeating characters by one. Note that the burst formulation of input/state ASMs needs not involve $\gamma$ since no repeating states appear in them.

2.2. Closed-Loop System

Figure 1 illustrates the basal structure of the corrective control system for input/state ASMs (Figure 1a) and input/output ASMs (Figure 1b). C is the corrective controller, B is the state observer that is used when $\Sigma$ is an input/output ASM, $v\in A$ is the external input, $u\in A$ is the control input provided by C, $x\in X$ is the state feedback, and $b\in Y^{+}$ is the output burst. The closed-loop system consisting of C and $\Sigma$ (and B) is denoted by ${\Sigma }_c$.

C is represented by an input/output ASM

$$\begin{array}{c}\hfill C=(A\times X,A,\Xi ,{\xi }_0,\varphi ,\eta ),\end{array}$$

where $A\times X$ and A are the input and output set, respectively, $\Xi$ is the state set, ${\xi }_0\in \Xi$ is the initial state, $\varphi :\Xi \times A\times X\to \Xi$ is the recursion function, and $\eta :\Xi \to A$ is the output function.

The necessity of B in Figure 1b stems from the constraint that direct access to the state is impossible when dealing with input/output ASMs. B is endowed with the form of a stable-state input/state ASM as follows.

$$\begin{array}{c}\hfill B=(A\times Y^{+},X,\overline{x},\sigma ),\end{array}$$

where $A\times Y^{+}$ is the input set corresponding to u and b and $\sigma :X\times A\times Y^{+}\to X$ is the stable recursion function. Since the main task of B is to deduce the current stable state of $\Sigma$ with reference to u and b, it has the same state set and initial state as those of $\Sigma$.

To prohibit unpredictable behaviors attributed to asynchronous operations, ASMs must comply with the principle of fundamental mode operations [33,34,35] under which no two variables can alter their values simultaneously. In view of Figure 1, the conditions for guaranteeing that ${\Sigma }_c$ operates in fundamental mode are reduced as follows [28,31].

Rule 1.

The closed-loop system ${\Sigma }_c$ in the configuration of Figure 1 shows fundamental mode operations if and only if the following two requirements are satisfied:

(a) 

When one of B, C, and Σ changes its output or undertakes state transitions, the others must maintain their stable states.

(b) 

The external input v must remain unchanged when either of B, C, or Σ is under transient transitions.

B and C should be designed so as to satisfy Rule 1(a). To ensure Rule 1(b), on the other hand, one must expect that v changes only when all of B, C, or $\Sigma$ rest in stable states, even though v is an exogenous entity independent of ${\Sigma }_c$. However, this expectation is not overwhelming since all of B, C, and $\Sigma$ operate in an asynchronous mechanism so that their interactions are executed instantaneously. Hence the possibility that v is altered when any of B, C, or $\Sigma$ goes through transient transitions is very low.

3. Stable Reachability and Detectability

The mathematical representation of stable reachability of $\Sigma$ is indispensable to deriving the corrective controller. Stable reachability implies that $\Sigma$ can reach a goal state from a beginning state through a chain of stable transitions. In the case of input/output ASMs, another condition, termed detectability, should be considered to evaluate this property. Stable reachability of input/state ASMs was first established in [27,28], and the counterpart of input/output ASMs was in [29,30,31].

3.1. Stable Reachability of Input/State ASMs

To address the stable reachability of $\Sigma$, denote the state set by $X:=\{x_1,\dots ,x_n\}$ whenever necessary hereafter.

Definition 1.

Given $\Sigma =(A,X,\overline{x},f)$, $R(\Sigma )\in {\left(P\left(A^{+}\right)\right)}^{n\times n}$ is the matrix of stable transitions of which $(i,j)$ entry is defined as ($i,j\in \{1,\dots ,n\}$)

$$\begin{array}{c}\hfill R_{i,j}(\Sigma ):=\{t\in A^{+}|s(x_i,t)=x_j,1\le \left|t\right|\le n-1\}.\end{array}$$

$K(\Sigma )\in {\{0,1\}}^{n\times n}$ is the skeleton matrix of Σ of which $(i,j)$ entry is defined as

$$\begin{array}{c}\hfill K_{i,j}(\Sigma ):=\left\{\begin{array}{cc}1\hfill & R_{i,j}(\Sigma )\ne \varnothing \hfill \\ 0\hfill & R_{i,j}(\Sigma )=\varnothing \hfill \end{array}\right.\end{array}$$

where ‘∅’ denotes the empty set.

$R_{i,j}(\Sigma )$ contains all the input strings in response to which $\Sigma$ moves from $x_i$ to $x_j$ via a sequence of stable transitions. Since every state of $\Sigma$ is reachable in at most $n-1$ steps of stable transitions (in the absence of infinite cycles), the length of $t\in A^{+}$ in $R_{i,j}(\Sigma )$ does not exceed $n-1$. On the other hand, $K_{i,j}(\Sigma )$ serves a compact representation of the stable reachability from $x_i$ to $x_j$.

Polynomial algorithms for computing $R(\Sigma )$ and $K(\Sigma )$ are presented in the previous work [27,28]. Recently, an interesting and promising branch of corrective control has been developed based on the semi-tensor product (STP) of matrices [36,37,38,39,40,41,42]. Among relevant results, [43,44] propose numerical methods of deriving $R(\Sigma )$ and $K(\Sigma )$ in which tedious symbolic computations used in [27,28] are avoided by presenting a numerical approach in the framework of STP.

3.2. Detectability and Stable Reachability of Input/Output ASMs

In contrast to input/state ASMs, direct access to the state is impossible in input/output ASMs and the output feedback has the form of a burst. Thus one must take into account an additional condition for representing stable reachability, termed detectability. As shown below, detectability specifies whether one can determine the end of a stable transition only by referring to the output burst [29,30,31].

To describe detectability of an input/output ASM $\Sigma$, define the following notation associated with $\beta (x^0,a)$ (see (1) and (2)).

$$\begin{array}{c}\hfill {\beta }_{-1}(x^0,a):=\left\{\begin{array}{cc}\gamma (h\left(x^0\right)h\left(x^1\right)\cdots h\left(x^{k-1}\right))\hfill & k\ge 1\hfill \\ \varnothing \hfill & k=0\hfill \end{array}\right.\end{array}$$

$\Sigma$ is said to be detectable at $(x^0,a)$ if

$$\begin{array}{c}\hfill {\beta }_{-1}(x^0,a)\ne \beta (x^0,a).\end{array}$$

To interpret the meaning of the above relation, assume on the contrary that ${\beta }_{-1}(x^0,a)=\beta (x^0,a)$. Then, at the moment C in Figure 1b receives the output feedback ${\beta }_{-1}(x^0,a)$, it is faced with ambiguity, namely, $\Sigma$ may reach the next stable state $s(x^0,a)=x^k$, or it may be in the middle of the current stable transition, passing through the last transient state $x^{k-1}$. Note that one must consider only detectable transitions in depicting stable reachability since otherwise ${\Sigma }_c$ could not preserve fundamental mode operations. Clearly, all input/state ASMs are detectable trivially. Including detectability into the chain of stable transitions, one can describe the stable reachability of input/output ASMs in a similar way to Definition 1.

Definition 2.

Given $\Sigma =(A,Y,X,\overline{x},f,h)$, $R(\Sigma )\in {\left(P\left(A^{+}\right)\right)}^{n\times n}$ is the matrix of stable transitions of which $(i,j)$ entry is defined as ($i,j\in \{1,\dots ,n\}$)

$$\begin{array}{cc}\hfill R_{i,j}(\Sigma ):=& \{t\in A^{+}|s(x_i,t)=x_j,1\le \left|t\right|\le n-1\mathit{and}\hfill \\ & \Sigma \mathit{is}\mathit{detectable}\mathit{at}\mathit{all}\mathit{the}\mathit{intermediate}\mathit{stable}\mathit{pairs}\}.\hfill \end{array}$$

$K(\Sigma )\in {\{0,1\}}^{n\times n}$ is the skeleton matrix of Σ of which $(i,j)$ entry is defined as

$$\begin{array}{c}\hfill K_{i,j}(\Sigma ):=\left\{\begin{array}{cc}1\hfill & R_{i,j}(\Sigma )\ne \varnothing \hfill \\ 0\hfill & R_{i,j}(\Sigma )=\varnothing \hfill \end{array}\right.\end{array}$$

The studies of [29,30,31] lay a theoretical foundation on detectability and stable reachability of input/output ASMs. Polynomial algorithms for deriving the matrices in Definition 2 are also found in [29,30,31]. As in the case of input/state ASMs, there exist STP-based approaches [44,45] in which the stable reachability of input/output ASMs is described in terms of Boolean matrices called the transition structure matrix (TSM) and the stable transition structure matrix (STSM).

4. Model Matching Control

4.1. Model Matching for Input/State ASMs

As a comprehensive control goal in corrective control, model matching ensures that a proper corrective controller C is designed so that it matches the stable-state behavior of the closed-loop system ${\Sigma }_c$ to that of a prescribed reference model. A key aspect of model matching is that it is sufficient for the closed-loop system to be stably equivalent with the model, namely, model matching is evaluated only in terms of stable behaviors. Thus even if the machine does not have desirable transitions, one can solve the model matching problem by applying the corrective controller which compensates for the stable-state transition characteristics of the controlled machine. An analogous notion of model matching for general finite state machines (FSMs) is established in [46].

The necessary and sufficient condition for the existence of a proper corrective controller achieving model matching for an input/state ASM $\Sigma$ is that the machine has stable reachability larger than or equal to that of the model. Assume that the reference model

$$\begin{array}{c}\hfill {\Sigma }^{\prime }=(A,X,\overline{x},s^{\prime })\end{array}$$

is given, where $s^{\prime }:X\times A\to X$ is the stable recursion function of ${\Sigma }^{\prime }$. Then the corrective controller C in Figure 1a achieving model matching between ${\Sigma }_c$ and ${\Sigma }^{\prime }$ exists if and only if

$$\begin{array}{c}\hfill K\left({\Sigma }^{\prime }\right)\le K(\Sigma ),\end{array}$$

where matrix inequality is valid entry by entry.

To sketch the operation of the corrective controller for model matching, suppose that the foregoing condition holds true with respect to two input/state ASMs $\Sigma$ and ${\Sigma }^{\prime }$. In particular, assume that ${\Sigma }^{\prime }$ has a stable transition $s^{\prime }(x_i,a)=x_j$ whereas $s(x_i,a)\ne x_j$ in $\Sigma$. In the beginning, C stays at its initial state ${\xi }_0$. When $\Sigma$ reaches the stable state $x_i$, C moves to the transition state ${\xi }_t$ to deal with a possible entrance of an input causing model mismatch. If the external input changes to another character causing no model mismatch, C relays it to the control input channel u (see Figure 1a) without modification and returns to ${\xi }_0$.

On the other hand, if the external input v changes to a, C commences the correction procedure since otherwise the subsequent transition of $\Sigma$ in response to a would violate the matched behavior. By Definition 1, $s^{\prime }(x_i,a)=x_j$ leads to $K_{i,j}\left({\Sigma }^{\prime }\right)=1$. But since $K\left({\Sigma }^{\prime }\right)\le K(\Sigma )$, $K_{i,j}\left({\Sigma }^{\prime }\right)=1$ implies $K_{i,j}(\Sigma )=1$ and again by Definition 1, there exists an input string $v_1\cdots v_k\in R_{i,j}(\Sigma )$ that takes $\Sigma$ from $x_i$ to $x_j$ via a chain of stable transitions, i.e., $s(x_i,v_1\cdots v_k)=x_j$. We design C utilizing $v_1\cdots v_k$. To this end, define k auxiliary states of C${\xi }_1,\dots ,{\xi }_k\in \Xi$. Upon receiving a, C first transfers to ${\xi }_1$ and generates $v_1$. In response to $v_1$, $\Sigma$ transfers to the first intermediate stable state $s(x_i,v_1):=z^1$. Receiving the changed state feedback $z^1$, C further moves to ${\xi }_2$ while generating $v_2$, which takes $\Sigma$ from $z^1$ to the second intermediate stable state $s(z^1,v_2):=z^2$, and so forth. At ${\xi }_k$, finally, the correction procedure is completed when $\Sigma$ reaches the desired state $x_j$.

Figure 2 illustrates the aforementioned interaction between C and $\Sigma$ in the process of model matching control. Although $\Sigma$ traverses a number of stable states $z^1,\dots ,z^{k-1}$ in the process, the asynchronous mechanism makes these stable states transient, namely, ${\Sigma }_c$ would seem to transfer from $x_i$ directly to $x_j$ in response to the external input a, thus realizing the matched behavior.

In [27,28], the model matching problem is first discussed for input/state ASMs with critical races where the controlled ASM shows nondeterministic transition features due to design flaws. In [47,48,49], model matching corrective control is considered for input/state ASMs with infinite cycles, which cause the ASM to circulate through a finite state sequence indefinitely. The authors of [48,49] introduce the notion of generalized states by designating an infinite cycle as a generalized state, and induce the existence condition and design procedure for the corrective controller with respect to generalized states. In [50], model matching corrective control is studied for the case that the reference model has the nondeterministic transition feature. Later the problem setting is extended by including the constraint that a number of external inputs are uncontrollable, meaning that they can never be disabled for the purpose of generating alternative control inputs.

In [51], on the other hand, the problem of model matching inclusion is presented. When the existence condition for perfect model matching is not valid, one can still build a corrective controller that achieves the desired stable transitions for a subset of state pairs between which the controlled machine has the required stable reachability. The result of [51] is extended so as to address model matching inclusion under the setting that the length of control input sequences has a prescribed limit due to exogenous restraint. Finally, delayed model matching of input/state ASMs is also found in which, owing to the disparity in the initial state between the machine and model, the closed-loop system is controlled to exhibit the matched behavior after elapse of a number of stable transitions. Moreover, as mentioned, refs. [43,44] achieve the primary control objective of model matching by transforming the dynamics of input/state ASMs into the matrix formulation and applying numerical calculations based on the STP of matrices.

4.2. Model Matching for Input/Output ASMs

The procedure of model matching corrective control for input/output ASMs is conducted in a similar way to the case of input/state ASMs with the following two additional points to be considered. First, stable reachability of the controlled ASM must be described in terms of the input/output behavior with respect to the reference model. Next, the state feedback to the controller is delivered not by the controlled machine, but by the state observer.

Suppose that the reference model is given by

$$\begin{array}{c}\hfill {\Sigma }^{\prime }=(A,Y,\widehat{X},{\widehat{x}}_0,s^{\prime },h^{\prime }),\end{array}$$

where $\widehat{X}$ is the state set with $|\widehat{X}|=q$, ${\widehat{x}}_0\in \widehat{X}$ is the initial state, and $s^{\prime }:\widehat{X}\times A\to \widehat{X}$ and $h^{\prime }:\widehat{X}\to Y$ are the stable recursion and output function, respectively. Note that ${\Sigma }^{\prime }$ has the same input and output set as those of $\Sigma$, while its state set differs from X. In particular, let $\widehat{X}:=\{{\widehat{x}}_1,\dots ,{\widehat{x}}_q\}$.

Definition 3.

Given $\Sigma =(A,Y,X,\overline{x},f,h)$ and ${\Sigma }^{\prime }=(A,Y,\widehat{X},{\widehat{x}}_0,s^{\prime },h^{\prime })$, the output equivalence list of Σ with respect to ${\Sigma }^{\prime }$ is

$$\begin{array}{cc}\hfill E(\Sigma ,{\Sigma }^{\prime })& :=\{E_1,\dots ,E_q\}\hfill \\ \hfill E_i& :=\{x\in X|h\left(x\right)=h^{\prime }\left({\widehat{x}}_i\right)\},i=1,\dots ,q.\hfill \end{array}$$

$E_i\subset X$ contains all the states of $\Sigma$ whose outputs are equal to that of ${\widehat{x}}_i$. As we only have to investigate stable equivalence between $\Sigma$ and ${\Sigma }^{\prime }$ in terms of the input/output behavior, it is sufficient to quantify the stable reachability of $\Sigma$ between different output equivalent states.

Definition 4.

A non-deficient subordinate list Λ of $E(\Sigma ,{\Sigma }^{\prime })$, termed $\Lambda \prec E(\Sigma ,{\Sigma }^{\prime })$, is a collection of states $\Lambda :=\{x_{{\lambda }_1},\dots ,x_{{\lambda }_q}\}$ such that ${\lambda }_i\in \{1,\dots ,n\}$ and $x_{{\lambda }_i}\in E_i$, $i=1,\dots ,q$. The fused skeleton matrix $\Delta (\Sigma ,\Lambda )$ of Λ is a $q\times q$ Boolean matrix of which $(i,j)$ entry is defined as

$$\begin{array}{c}\hfill {\Delta }_{i,j}(\Sigma ,\Lambda ):=K_{{\lambda }_i,{\lambda }_j}(\Sigma ),i,j\in \{1,\dots ,q\}.\end{array}$$

Drawing on the prior result of input/state ASMs and referring to Definition 4, one can derive the existence condition on a model matching corrective controller for the input/output ASM $\Sigma$ as follows.

$$\begin{array}{c}\hfill \exists \Lambda \prec E(\Sigma ,{\Sigma }^{\prime }):K\left({\Sigma }^{\prime }\right)\le \Delta (\Sigma ,\Lambda ).\end{array}$$

The design algorithm for the state observer B and corrective controller C in Figure 1b is well established in [29,30,31]. Compared with the case of input/state ASMs, the study of model matching for input/output ASMs is relatively rare. In [52,53], the model matching problem is concerned with input/output ASMs with nondeterministic transition features caused by critical races. The approaches of [52,53] differ from [29,30,31] in that, instead of output bursts, unit output characters are delivered as output feedback to the controller. The authors of [54,55] also tackle model matching for input/output ASMs with nondeterministic behaviors, but fully utilizing output bursts in the operation of the state observer.

4.3. Model Matching for Composite ASMs

All of the controlled ASMs in the cited publications so far are unit ASMs whether they are of input/state or input/output type. Depending on the assigned operation, however, more than one ASM can be combined into forming a composite ASM. Recently, research concerning model matching corrective control for composite ASMs has been receiving much attention. Composite ASMs are further classified into switched ASMs, serially connected ASMs, and parallel connected ASMs.

Figure 3 illustrates the corrective control system for the switched ASM $\Sigma$, which is represented by

$$\begin{array}{c}\hfill \Sigma :=\left\{{\Sigma }_i\right|i\in \{1,\dots ,m\}\},{\Sigma }_i=(A,X,\overline{x},f_i),\end{array}$$

where $m\in \mathbb{N}$ is the number of submachines and ${\Sigma }_i$ denotes the ith submachine. Among m submachines, the active one ${\Sigma }_{\sigma }$ serves as the current dynamics of $\Sigma$ in accordance with the value of the switching signal $\sigma \in \{1,\dots ,m\}$. The demultiplexer in Figure 3 relays the control input u to the active submachine ${\Sigma }_{\sigma }$. Similarly, the multiplexer extracts the state feedback of ${\Sigma }_{\sigma }$ among m values and delivers it to C along with the index $i\in \{1,\dots ,m\}$ of the active submachine. In short, the switched ASM is an assembly of multiple ASMs that share the same state set but have different (while analogous) transition characteristics. Since C can change the mode of $\Sigma$ by manipulating the value of $\sigma$, a switched ASM has larger stable reachability than each submachine, hence facilitating the existence of a model matching corrective controller.

The modeling of switched ASMs and their model matching problem are first introduced in [56]. Based on the result, [56,57] present an alternative design procedure for the controller using the STP approach.

Figure 4 shows the corrective control system for the other kinds of composite ASMs—serially connected ASMs (Figure 4a) and parallel connected ones (Figure 4b). In Figure 4a, m input/state ASMs ${\Sigma }_1,\dots ,{\Sigma }_m$ are combined into one in a serial connection in which the state of a rear machine is transmitted to its front machine as the input. $w_1,\dots ,w_m$ denote adversarial inputs causing faults in each submachine; they will be discussed in the next section. The composite ASM in a serial connection has inherent uncertainty about the state since the current state of each submachine is unavailable to the controller except for the last submachine. Thus unlike unit input/state ASMs, the state estimation must be included in the design and operation of an appropriate corrective controller. The study on model matching for serially connected ASMs is first discussed in [58]. The author of [59] addresses a matrix approach to the same control problem. Not only does [59] present the design procedure of a model matching controller, it also elucidates a matrix scheme to derive the shortest control input for a given state pair.

The controlled machine in Figure 4b consists of two input/state ASMs ${\Sigma }_1$ and ${\Sigma }_2$ that have parallel connections with each other. When the control input u is transmitted to both ${\Sigma }_1$ and ${\Sigma }_2$ simultaneously, the two ASMs undertake their own state transitions, generating the next stable states x and y, respectively. The feedback value z is derived from x and y via an output function $h(x,y):=z$. As in the foregoing case of composite ASMs in serial connection, the controller C in Figure 4b is faced with uncertainty about the inner states of submachines. The notion of parallel interconnected ASMs is first introduced in a comment in [56]. Later, it becomes enriched so that it presents an efficient algorithm for controller synthesis while accommodating the inherent uncertainty about the state.

5. Fault-Tolerant Control

Fault diagnosis and fault-tolerant control [60,61,62] is one of most successful areas of corrective control, mainly due to the property that the corrective controller can allow the closed-loop system to exhibit immediate recovery to the original behavior. Figure 5 shows the general configuration of the fault-tolerant corrective control system for input/state ASMs; the counterpart of input/output ASMs has a similar structure. In Figure 5, three adversarial inputs $w_a$, $w_f$, and $w_c$ exist, causing faults to $\Sigma$. $w_a$ occurs to the control input channel or actuator module of ${\Sigma }_c$. When $w_a$ happens, it overrides the current control input u and causes $\Sigma$ to either undergo unauthorized state transitions or fall into faulty states. $w_f$ is the adversarial input occurring to the feedback channel. Since it corrupts the feedback value, its occurrence results in the delivery of false feedback to the controller. Hence the subsequent operation of C would invoke ${\Sigma }_c$ to violate the desired behavior. Finally, $w_c$ occurs to the external input channel to C. When this adversarial input enters, the controller itself experiences unauthorized state transitions or is stuck at faulty states. This fault is more serious than the other two because unauthorized state transitions of C may, in turn, take influences on $\Sigma$, i.e., the adverse effect of the fault may be propagated toward $\Sigma$.

5.1. Transient Faults

Let us first review the study on fault-tolerant corrective control against transient faults. In general, transient faults are defined as temporary violations of the system’s normal behaviour while having no correlation with each another [63,64,65]. In the dynamics of ASMs, transient faults usually mean the situation where ASMs undergo unauthorized state transitions, namely, they are forced to transfer to faulty next stable states by external adversarial entities charging the control input channel or internal malfunctions. Note that fault tolerance against transient faults is frequently studied in corrective control. The main reason for this popularity is that transient faults are the most common event happening to asynchronous digital systems working in hazardous environments such as space and nuclear power plants [66,67,68,69].

To describe fault-tolerant corrective control overcoming transient faults, suppose that $\Sigma$ has been staying at a stable state $x_i$ and C at the transition state ${\xi }_t$ (see also Figure 2). Suppose further that an adversarial input $w_a$ enters $\Sigma$ such that $s(x_i,w_a)=x_j$. Then $\Sigma$ undergoes the unauthorized transition from $x_i$ to $x_j$. C can identify an occurrence of the transient fault by observing that the state feedback changes to $x_j$ while both the external input v and the control input u remain unchanged. To represent the outcome of each transient fault, define the adversarial skeleton matrix as follows.

Definition 5.

Given $\Sigma =(A,X,\overline{x},f)$, $K^a(\Sigma )\in {\{0,1\}}^{n\times n}$ is the adversarial skeleton matrix of which $(i,j)$ entry is defined as

$$\begin{array}{c}\hfill K_{i,j}^a(\Sigma ):=\left\{\begin{array}{cc}1\hfill & \exists w_a\in A_d:s(x_i,w_a)=x_j\hfill \\ 0\hfill & \mathit{otherwise}\hfill \end{array}\right.\end{array}$$

where $A_d$ denotes the set of adversarial inputs.

To overcome the transient fault, C must initiate the correction procedure immediately after $\Sigma$ reaches $x_j$ so that $\Sigma$ can be controlled back to $x_i$. The existence condition for such a corrective controller is derived in a similar way to model matching as follows.

$$\begin{array}{c}\hfill K^a(\Sigma )\le {\left(K(\Sigma )\right)}^T,\end{array}$$

where ${\left(K(\Sigma )\right)}^T$ indicates the transpose of $K(\Sigma )$. According to Definition 5, the unauthorized transition from $x_i$ to $x_j$ is quantified by $K_{i,j}^a(\Sigma )=1$. If the above existence condition is valid, $K_{i,j}^a(\Sigma )=1$ leads to $K_{j,i}(\Sigma )=1$ and thus an input string, say $t^{\prime }\in A^{+}$, exists such that $s(x_j,t^{\prime })=x_i$. A fault-tolerant corrective controller can be designed utilizing $t^{\prime }$ in the identical framework of model matching control depicted in Figure 2.

Fault-tolerant corrective control against transient faults was first studied in [70]. It considers the problem with respect to input/state ASMs, while it differs from other related results in the accessibility of the adversarial input. Some publications assume that the controller can identify the value of the adversarial input, whereas [70] stipulates that the controller does not receive any information about the adversarial input, which is a more general and practical problem setting.

Following [70], a wide variety of approaches has been presented in the literature on fault-tolerant corrective control against transient faults. A study exists which applies the corrective controller of [70] to an asynchronous triple modular redundancy (TMR) memory embedded in space-borne digital systems. On the other hand, another report proposes fault-tolerant corrective control with bounded delays wherein if complete fault recovery is impossible, the controller is designed so that the control goal is achieved after elapse of a number of input changes. There also exists a novel approach to fault-tolerant corrective control which supposes that transient faults may occur in both fundamental and non-fundamental modes. In this case, a stricter existence condition is needed to ensure a proper corrective controller.

Fault tolerance against transient faults has been much investigated not only in input/state ASMs but also in input/output ASMs. Unlike input/state ASMs, transient faults occurring to input/output ASMs raise the necessity of indirect fault diagnosis, since the exact faulty state reached by the machine cannot be observed by the controller. A study exists that presents a synthesis procedure for a state observer serving as a diagnoser. The prior work also addresses a corrective controller which eliminates any adverse effect of transient faults to input/output ASMs, while solving the problem of model matching. The authors of [71] apply the previous result to controlling an asynchronous 5-clock divider. On the other hand, another report proposes a so-called simple fault-tolerant control system for input/output ASMs in which feedback paths for recovering the normal input/output behavior can be built without using the state observer, provided that some reachability condition on the machine is satisfied. Based on the controller addressed in [71], some approaches conduct experimental studies by applying the proposed scheme to acquiring a robust configuration controller for field programmable gate arrays (FPGAs). Since they do not employ the state observer, fault tolerance in their results implies that the controlled machine reaches a state that is output equivalent with the original state at which the fault occurs. On the other hand, a refined result exists that improves the previous result by elucidating the existence condition for a corrective controller that drives the input/output ASM toward the exact original state without using the state observer.

The problem of tolerating transient faults is also tackled in the framework of composite ASMs. First, a diagnosis scheme is presented for identifying transient faults happening to submachines of a composite ASM in serial connection. Another approach further proposes the fault diagnosis and fault-tolerant control configuration for composite ASMs in serial connection subject to transient faults. As with parallel interconnected ASMs and switched ASMs, some interesting reports are found in which a single corrective controller achieves fault tolerance for every submachine in a composite ASM vulnerable to transient faults, and in which model matching and fault-tolerant control are simultaneously realized for switched ASMs.

5.2. Permanent Faults and Intermittent Faults

Fault tolerance against permanent faults is more difficult than the case of transient faults since their adverse effect lasts indefinitely unless repaired by external operators [72,73]. Fault-tolerant corrective control against permanent faults has been studied pertaining to two fault aspects: permanent state faults and permanent state transition faults. The former represents a class of faults that degenerate a subset of states, namely, the ASM cannot reach failed states any more after fault occurrences. The latter class indicates that part of the state transitions in the considered ASM is permanently lost by fault. It is clear that both fault types severely reduce the reachability of the machine.

In [74], the author first addresses a strategy of fault diagnosis and fault-tolerant corrective control against permanent state faults happening to input/output ASMs. Figure 6a shows the notion of permanent state faults introduced in [74]. Here, the state X is divided into $p+1$ mutually exclusive subsets

$$\begin{array}{c}\hfill X:=X_N\dot{\cup }{X}_{f_1}\dot{\cup }\cdots \dot{\cup }{X}_{f_p},\end{array}$$

where $X_N$ is the nominal state set and $X_{f_i}$ is the ith failure mode with the ith permanent fault input $f_i$, $i=1,\dots ,p$. With no fault input, $\Sigma$ undertakes state transitions between states of $X_N$. When $f_i$ happens, $\Sigma$ irreversibly falls into the ith failure mode $X_{f_i}$ and its subsequent behavior is confined within $X_{f_i}$. The author of [74] presents the necessary and sufficient condition and synthesis procedure for a fault-tolerant controller which makes the closed-loop system retain the normal input/output behavior. Another study applies the controller of [74] to materializing a robust Johnson counter employed as the scrub controller in the satellite solid-state data recorder (SSDR) system. The result of [74] is further extended later so that the corrective controller achieves fault tolerance as well as model matching under the occurrence of a maximally allowable number of permanent state faults.

Figure 6b illustrates the fault-tolerant corrective control system for an input/state ASM $\Sigma$ subject to permanent state transition faults. In the framework of this configuration, a state feedback fault-tolerant controller is proposed to achieve both model matching and tolerance against permanent state transition faults.

Intermittent faults [75,76] lie between transient faults and permanent ones. In general, intermittent faults indicate a kind of faults in which influence on the machine lasts for a finite time after the initial occurrence. Intermittent faults are more general than transient faults since one can regard transient faults as intermittent ones having zero duration of their adverse effects. Compared with transient and permanent faults, studies examining the toleration of intermittent faults are rare in the field of corrective control. A study was reported that provides a preliminary result on the diagnosis and tolerance of intermittent faults in input/state ASMs. On the other hand, [77] analyzes the degraded reachability of switched ASMs caused by intermittent faults and proposes a state-feedback corrective controller that tolerates the influence of any intermittent fault under the single-fault scenario.

5.3. Intelligent and Cyber Attacks

Recently, research into fault-tolerant corrective control has started a new phase with interesting research reports being published on fault-tolerant corrective control for ASMs vulnerable to intelligent and cyber attacks [78,79,80]. For example, refs. [81,82] first address fault-tolerant corrective control against an intelligent attacker, termed defensive control. In [81,82], consideration is given to how to fulfill automated protection against programmed attackers which attempt to subvert the normal operation of an input/state ASM under the assumption that the attacker and defender (or corrective controller) take turns providing the input signal to the machine. A state-feedback corrective control scheme is presented to defend against an intelligent attacker that yields false signals via both the control input and feedback channel, i.e., by generating $w_a$ and $w_f$, as shown in Figure 5.

On the other hand, ref. [83] presents a unique problem setting, termed the controller’s self-repair, in which not only the controlled input/state ASM, but also the corrective controller suffers from cyber attack. In view of Figure 5, an intelligent attacker provides an attack signal $w_c$ so that it deceives the value of the external input to the controller. In particular, ref. [83] investigates how to overcome the aggravated outcome of an attack in which after the controller experiences unauthorized transitions, it is forced to falsely change the control input so that the machine must also experience its own unauthorized transition.

5.4. Applications to Space-Borne Digital Systems

Among various engineering systems, it turns out that space-borne digital systems [84] are the most suitable for corrective control theory to be applied to, mainly because of the feature that they can be modeled by ASMs and the adverse effects of the faults frequently occurring to them can be formulated in the schema of corrective control. Transient faults in space-borne digital systems mostly occur as the result of single event upsets (SEUs) wherein the logic value of a memory cell is upset from 0 to 1 or vice versa caused by radiation or ionized particles abundant in space [85,86,87,88,89]. Permanent faults in space-borne digital systems manifest themselves if a memory bit comprising the state or input signal is stuck at a certain value owing to internal failures or external disturbances including SEUs [90,91]. Finally, intermittent faults happen for various reasons including temporary loss of actuator outputs (or buffers), temporary disconnections of wires in the input channel, abrupt change of voltage, etc. [92].

Motivated by the aforementioned features of space-borne digital systems, researchers have successfully applied various existent corrective control schemes to building robust space-borne digital systems subject to faults. In broad terms, the case study systems with which fault-tolerant corrective controllers yield convincing experimental results are classified into six types: asynchronous error counters including error detection and correction (EDAC) counters for on-board computers (OBCs) of satellite systems and asynchronous clock dividers [93,94,95,96]; scrubbing schedulers for memory including Johnson counters in satellite SSDR systems [97,98,99]; payload data and operation managers [100,101]; ROM controllers for OBC [102]; configuration controllers for FPGA [103,104,105]; and asynchronous TMR memory [90,106]. The utilized modeling formalisms of ASMs, considered fault types, and relevant publications regarding these case study systems are summarized in

Table 1. Application study of fault-tolerant corrective control on space-borne digital systems.

System	ASM Type	Fault Type	Result
Error counter [93,94,95,96]	Input/output	Transient fault	[71]
	Input/state	Input constraint
Scrubbing scheduler	Input/output	Permanent fault	[83]
for memory [97,98,99]	Input/state	Attack to controller
ROM controller [102]	Switched	Intermittent fault	[77]
		Transient fault
TMR memory [90,106]	Input/state	Transient fault	[107]

.

To sketch the experimental environments in the above results, let us review, in particular, the implementation setting of [71] as illustrated in Figure 7. The closed-loop system of the controlled ASM (asynchronous 5-clock divider) is coded in VHSIC Hardware Description Language (VHDL), a common design-entry language for FPGA. QUARTUS^® II (ver. 9.1) is employed for the compilation and synthesis of the VHDL code to the target EP1C6Q240C8 FPGA. The hardware net-list is relayed from the experimental PC into the target FPGA board via a byte blaster cable. Further, a synthetic fault injector is inserted to produce adversarial inputs into the controlled ASM. The major signals of the control system and the fault injector, e.g., the control input, adversarial input, and output, are extracted from the FPGA board and are displayed on a digital oscilloscope.

6. Conclusions and Future Studies

An overview of recent advances in dynamic corrective control for ASMs has been presented in this paper. In the first place, the modeling formalisms of ASMs and closed-loop systems have been reviewed according to the type of ASMs. We then reviewed the matrix formulation for the stable reachability and detectability of ASMs. The main research results of corrective control were summarized according to the control objectives, i.e., model matching and fault-tolerant control.

Although many notable studies on dynamic corrective control have been reported in the literature, there still exist promising avenues and challenging problems which can provide topics for future research:

(i)

It is anticipated that fault-tolerant corrective control schemes can be further developed by presenting dominant cyber attacks, e.g., false data injection attacks [108,109,110] and denial of service (DoS) attacks [111,112,113], to the configuration of the corrective control system in a more practical way. To this end, previous research on network attacks in cyber-physical systems (CPSs) [114,115,116] must be incorporated into corrective control theory.

(ii)

Though many convincing experimental evaluations of corrective controllers exist, there is still a lack of application studies which validate that asynchronous digital systems embedded with the corrective controller show fault-hardening ability [117,118,119] against real radiation-related faults. For this purpose, radiation exposure experiments [120] on the implemented corrective control systems must be conducted.

(iii)

All previous researches on dynamic corrective control aim at controlling ASMs only. However, synchronous sequential machines comprise the majority of existing digital systems. Hence, it would represent trailblazing work if a novel corrective control methodology is developed that can improve the behavior of synchronous sequential machines, possibly under the globally asynchronous locally synchronous (GALS) architecture [121,122,123].