State-Burst Feedback Control for Fault Recovery of Input/State Asynchronous Sequential Machines

Abstract: Static corrective controllers are more efficient than dynamic ones since they consist of only logic elements, whereas their existence conditions are more restrictive. In this paper, we present a static corrective control scheme for fault diagnosis and fault tolerant control of input/state asynchronous sequential machines (ASMs) vulnerable to transient faults. The design flexibility of static controllers is enlarged by using a diagnoser and state bursts. Necessary and sufficient conditions for the existence of a diagnoser and a static fault tolerant controller are presented, and the controller synthesis procedure is addressed based on the derived condition. Illustrative examples on practical ASMs, a home security system and an asynchronous error counter, validate the applicability of the proposed control scheme.


Introduction
Aiming at compensating for the stable-state behavior of asynchronous sequential machines (ASMs), corrective control theory has been extensively studied in both theoretical [1–5] and experimental [6–8] work. While the performance of corrective control is remarkable, especially in fault tolerant control against various kinds of faults [9–11], most of the developed controllers are dynamic, having the form of ASMs with states, which require significant resource usage [7,8].
Static corrective controllers [12,13] are a promising alternative to dynamic ones. Consisting of only combinational logic with no states, static controllers are superior to dynamic ones not only in resource usage but also in robustness against exogenous disturbances, as the memory elements representing system states are frequently affected by faults [14,15]. On the other hand, they have the drawback that their existence conditions are more restrictive than those of dynamic ones, due to the absence of controller states. In this paper, a novel methodology of static fault tolerant control is proposed for ASMs subject to transient faults causing unauthorized state transitions. We address the existence condition and synthesis procedure for a static controller that realizes immediate fault recovery.
Compared with the prior work [12,13], this study makes the following contributions. First, we show that static corrective control can be adopted to solve various control problems for ASMs. The objective in [12,13] was model matching, namely, refining the stable-state behavior of the closed-loop system to that of a reference model. The present work extends [12,13] so as to achieve fault diagnosis and fault tolerance. Next, the condition for designing a static controller is much improved. In [12,13], the flexibility of the static controller is limited since the control input is determined only by the external input and state feedback. To relax this restriction, we use a diagnoser that detects and isolates every fault occurrence and provides the fault information by switching an indicator signal.
With this additional argument, the static controller is given greater freedom in generating the control input. The reachability condition required for the proposed controller is the same as that for dynamic ones. To facilitate the design of the diagnoser and controller, we utilize the state burst, i.e., the fast sequence of transient states traversed by the machine during a transition.
As a subject similar to the present study, the diagnosability of discrete event systems (DESs) has been extensively investigated in supervisory control of DESs [16–20]. The proposed diagnoser differs from these results in that, while the diagnosers in supervisory control receive traces of inputs (events), the proposed diagnoser utilizes the state bursts traversed by the ASM. Moreover, the diagnosers in supervisory control cannot be applied to corrective control since they do not discriminate between stable and transient states, nor do they comply with fundamental mode operation.
Here, transient faults are short-lived violations of the system's normal behavior, with individual faults showing no correlation with one another. Typical causes of transient faults include radiation particles, voltage surges, etc. Though not considered in this paper, there are other types of faults: permanent faults and intermittent ones. If the adverse effect of a fault persists indefinitely, it is classified as a permanent fault. Occurrences of permanent faults are mainly attributed to a physical defect or an inadequacy in the design of the system. On the other hand, an intermittent fault is a malfunction of a device or system that occurs at intervals. It may be caused by unstable or marginally stable hardware or by an inadequacy in the design, for example, loose wires [21].
The outcome of transient faults caused by the adversarial input bears a strong resemblance to intelligent attacks in cyber-physical systems, where attackers may change the enablement of actuators commanded by a supervisor or the sensor readings of the controlled system [22–24]. However, the adversarial input addressed in this study does not come from an intelligent entity; it is regarded as a randomly generated external disturbance, e.g., single event upset (SEU) faults in radiation environments [14,15], or intrinsic faults occurring in the actuator [25–27]. Still, the considered fault situation is severe since a transient fault may occur at arbitrary moments.
Fault diagnosis and fault tolerant control is an area of active research not only in event-driven systems, but also in continuous-time dynamic systems. Notable among the recent results is [28], which addresses the adverse effects of the time delay between fault occurrence and fault accommodation in T-S fuzzy systems. Further, references [29,30] present active fault tolerant control for overcoming un-modeled actuator faults while considering the time delay attributed to fault diagnosis. Transient faults in our study are conceptually similar to actuator faults, although the results of [25–27,29,30] are not applicable to controlling ASMs.
The remainder of this paper is organized as follows. In Section 2, we first address the mathematical formulation of input/state ASMs with transient faults and the overall structure of static fault tolerant control with a diagnoser. In Section 3, we present the operation of a diagnoser that can detect and isolate unauthorized transitions. Based on the fault indicator signal generated by the diagnoser, we elucidate in Section 4 the necessary and sufficient condition and synthesis procedure for a static corrective controller that realizes immediate fault recovery against every transient fault. Two illustrative examples are provided in Section 5 to demonstrate the design procedure of the proposed static controller. Finally, some conclusions are drawn in Section 6.

Preliminaries
For a finite set $D$, $|D|$ is the cardinality of $D$, and $D^+$ is the set of non-empty strings made of characters in $D$. For $p, q \in D^+$, $|p| \in \mathbb{N}$ is the length of $p$, and $p$ is a strict prefix of $q$ if $q = pr$ with $r \in D^+$. $sp(q) \subset D^+$ denotes the set of all strict prefixes of $q$. We also denote $N_0 := \{0, 1, \ldots, n\}$ for some $n \in \mathbb{N}$. Table 1 summarizes the notations used in this paper.

Table 1. Notations (partial).
  $s$ : Stable recursion function of $\Sigma$
  $\alpha(x, u) \in X^+$ : State burst with respect to $x \in X$ and $u \in A$
  $z^f, z^l \in X$ : First and last element of the state burst $z \in X^+$
  $W(x) \subset A_d$ : Set of adversarial inputs that occur at $x \in X$
  $\Gamma(x) \subset X$ : Set of states reached as a result of $W(x)$

ASMs are classified into input/state machines, in which the current state is given as the output, and input/output machines, which generate an output different from the state. In this study, we focus on input/state ASMs. An input/state ASM $\Sigma$ is modeled by the quadruple
$$\Sigma = (A, X, \hat{x}, f),$$
where $A$ is the input set, $X = \{x_1, \ldots, x_n\}$ with $|X| = n$ is the state set, $\hat{x} \in X$ is the initial state, and $f : X \times A \to X$ is the state transition function, partially defined on $X \times A$. $A$ is divided into $A = A_n \,\dot\cup\, A_d$, where $A_n$ and $A_d$ are the sets of normal and adversarial inputs, respectively. $(x, v) \in X \times A$ is valid if $f(x, v)$ is defined. A valid pair $(x, v)$ is stable if $f(x, v) = x$, and transient if $f(x, v) \neq x$. Let $U(x) := \{v \in A \mid f(x, v) = x\}$ and $T(x) := \{v \in A \mid f(x, v) \neq x\}$ denote the sets of inputs that make stable and transient pairs with $x$, respectively.
Owing to the absence of a synchronizing clock, $\Sigma$ responds only to changes of the input. It rests in a stable pair $(x_0, a_1)$ with $a_1 \in U(x_0)$ indefinitely as long as $a_1$ remains fixed. If $a_1$ changes to another value $a \in T(x_0)$, $\Sigma$ engages in a chain of transient transitions, denoted (1), while $a$ remains fixed. Provided that $\Sigma$ possesses no infinite cycles, $\Sigma$ reaches the next stable state $x_k$ after $k$ steps, denoted (2), where $1 \le k \le n - 1$. As transient states are traversed instantaneously, it is convenient to describe this chain of transitions only in terms of stable states, omitting the instantaneous transient transitions. To this end, the stable recursion function $s$ [1,9] is defined on every valid pair as
$$s : X \times A \to X, \qquad s(x, v) := x',$$
where $x'$ is the next stable state of $(x, v)$. If $(x, v)$ is a stable pair, $s(x, v) := x$. The chain of transient transitions characterized by $s$ is termed a stable transition. In this study, $s(x, v) = x'$ is alternatively written as $x \xrightarrow{v} x'$ or $(x, v, x') \in s$. The domain of $s$ is often extended to $X \times A_n^+$ [1,9]; $x'$ is said to be stably reachable from $x$ if $s(x, t) = x'$ for some $t \in A_n^+$. With $|X| = n$, every state of $\Sigma$ is stably reachable in at most $n - 1$ steps of stable transitions. Thus the length of $t$ is bounded by $1 \le |t| \le n - 1$.
When $\Sigma$ goes through a stable transition, it generates a state burst [31], a fast state sequence consisting of the underlying transient states and the next stable state. If each generated state is separately delivered to the controller, the resulting configuration is the state feedback control mechanism. If, on the other hand, the controller has access to the state burst, the closed-loop system is endowed with burst-feedback control. In this study, we utilize the burst feedback control scheme, as it gives more flexibility in controller synthesis, albeit at the cost of an additional resource to record the state burst.
The state burst of a valid state-input pair is described by the mapping $\alpha : X \times A \to X^+$: $\alpha(x, u) \in X^+$ denotes the state burst with respect to a valid pair $(x, u) \in X \times A$, namely, the burst generated when $\Sigma$ takes the stable transition from $(x, u)$. For instance, $(x_0, a)$ addressed in (1) and (2) leads to the state burst $\alpha(x_0, a)$, which starts at $x_0$ and ends at $x_k$. For a state burst $z \in X^+$, let $z^f \in X$ and $z^l \in X$ be its first and last element, respectively. In terms of these notations, $\alpha^f(x_0, a) = x_0$ and $\alpha^l(x_0, a) = x_k$.

Figure 1 shows the proposed static fault tolerant corrective control system, where $C$ is the static corrective controller, $G$ is the diagnoser, $v \in A_n$ is the external input, $u \in A_n$ is the control input provided by $C$, $w \in A_d$ is the adversarial input, $z \in X^+$ is the state burst, and $x \in X$ and $m \in N_0$ are the state feedback and the fault indicator signal generated by $G$, respectively. $\Sigma_c$ denotes the closed-loop system consisting of $\Sigma$, $C$, and $G$. When $w$ enters $\Sigma_c$, it overrides $u$ and causes a transient fault, forcing $\Sigma$ to undergo an unauthorized state transition whenever $w$ is valid with respect to the current state. $w$ represents an external disturbance that infiltrates $\Sigma_c$ through the control input channel. As addressed before, a typical instance of $w$ is an SEU fault [14,15] that upsets the logic values of the memory bits expressing the control input. Inherent mechanical or electrical faults of the actuator can also be modeled by $w$. For $x \in X$, let $W(x) := T(x) \cap A_d$ be the set of adversarial inputs that cause unauthorized transitions when $\Sigma$ stays at the stable state $x$, and let $\Gamma(x) := \{s(x, w) \mid w \in W(x)\}$ be the set of states $\Sigma$ reaches as a result of a transient fault occurring at $x$. Note that $w$ is unobservable to both $C$ and $G$, which fits the characteristics of adversarial entities. $G$ provides $C$ with the next stable state $x \in X$ and the fault indicator signal $m \in N_0$ based on the state burst $z$ and the control input $u$.
Thus $G$ has the mapping $G : X^+ \times A_n \to X \times N_0$.
With the state notation $X = \{x_1, \ldots, x_n\}$, $m = 0$ indicates that $\Sigma$ has undergone a nominal stable transition. On the other hand, $m = i \neq 0$ implies that $\Sigma$ has undergone an unauthorized transition from $x_i$ caused by an unspecified adversarial input $w \in W(x_i)$.
Referring to Figure 1, $C$ receives the input triplet $(x, v, m)$ and generates the control input $u$ as its output. Being a static controller, $C$ is represented by the function
$$C : X \times A_n \times N_0 \to A_n. \tag{4}$$
During the normal behavior of $\Sigma$, $C$ just relays the external input to $\Sigma$ without modification. When a transient fault is diagnosed, $C$ provides appropriate control input sequences. The control objective is to achieve immediate fault recovery, namely, to take $\Sigma$ from the faulty state back to the original state at which the fault occurred before the external input changes again. Since neither $C$ nor $G$ is governed by a synchronizing clock, their operations are also conducted instantaneously under asynchrony. Hence the procedure of fault diagnosis and fault tolerant control can be completed before the external input changes to its next value, so that $\Sigma_c$ shows the normal input/state behavior as if no fault had happened. $\Sigma_c$ is assumed to preserve fundamental mode operation [32], wherein no two variables change simultaneously. Under the fundamental mode, $w$ is supposed to occur only when $\Sigma$ stays at a stable state. This is not a burdensome constraint, since transient transitions are so fast that the possibility of a fault occurring during them is negligible. Hence the stable state at which the fault occurs serves as the goal state for the corresponding fault tolerant control. In the same sense, it is also supposed that $v$ is not altered during the correction procedure.

Remark 1.
Whereas the present study focuses on transient faults, whose influence on the machine vanishes right after their occurrence, there exist other kinds of faults differing in the durability of their influence. If the adverse effect persists for a finite time after the initial occurrence, the fault is termed an intermittent fault [33]; if the effect remains indefinitely (or is irreversible), it is termed a permanent fault [34]. For input/state ASMs, fault recovery is impossible for either intermittent or permanent faults since an immediate return to the original state cannot be implemented. The latter problem can be tackled for input/output ASMs, where the output differs from the present state [35], or for switched ASMs that possess redundant states which may substitute for faulty states [8].

Remark 2.
In the field of DESs, the stability and stabilizability of a system under static feedback control mean that, starting from any arbitrary initial state, the system can (or can be controlled to) go to a "legal state" and stay there after a finite number of transitions [36]. In our problem setting, the original state at which a fault occurs can be regarded as a legal state. With no infinite cycles, furthermore, fault recovery implies that $\Sigma$ must be controlled to the original state in finitely many steps of stable transitions. In this sense, the fault tolerant controllability of $\Sigma$ is equivalent to the stabilizability of DESs in supervisory control. Note that a stable pair $(x, v) \in X \times A$ just means that $x$ is a fixed point of $f$, which is unrelated to the stability of $\Sigma$.

Diagnoser
For $G$ to determine whether or not a transient fault has occurred, $z^f$ and $z^l$ of the current state burst $z$ are examined with respect to $u \in A_n$. Assume first that $(z^f, u, z^l) \in s$. This implies that $\Sigma$ has undergone a nominal stable transition $z^f \xrightarrow{u} z^l$. To signify this, we assign the fault indicator signal $m := 0$. Accordingly, $G$ is set to $G(z, u) := (z^l, 0)$ if $(z^f, u, z^l) \in s$.
On the other hand, assume that $(z^f, u, z^l) \notin s$. This shows that the latest stable transition was caused not by $u$ but by some $w \in W(z^f)$ such that $s(z^f, w) = z^l$ and $z^l \in \Gamma(z^f)$. In this case, we assign $m := i \in N_0 \setminus \{0\}$, where $i$ is the index of the state at which the fault occurred, i.e., $z^f = x_i$. Hence $G(z, u) := (z^l, i)$ if $(z^f, u, z^l) \notin s$ and $z^f = x_i$.
Once a transient fault is diagnosed, $\Sigma$ is controlled to return to the original state $x_i$ via a chain of stable transitions. This means that after diagnosing a transient fault, $G$ receives a sequence of pairs of state bursts and control inputs characterizing nominal stable transitions. Since the procedure of fault recovery persists until $\Sigma$ reaches $x_i$, $G$ must continue to give the same fault indicator signal $m = i$ until the state feedback $x_i$ is received. Thus $m$ of $G(z, u)$ is left unchanged if $(z^f, u, z^l) \in s$, $m_o = i \neq 0$, and $z^l \neq x_i$, where $m_o$ is the previous value of $m$.
Finally, assume that fault recovery is accomplished as $\Sigma$ reaches $x_i$. Upon receiving the state feedback $x_i$, $G$ must signify the end of the recovery procedure. Hence $G$ is designed to generate $m = 0$ at this phase, i.e., $G(z, u) := (z^l, 0)$ if $(z^f, u, z^l) \in s$, $m_o = i$, and $z^l = x_i$.
Combining the above discussions, we encapsulate the algorithm of fault detection and isolation by $G$. A formal definition of $G$ is constructed from the above algorithm as follows:
$$
G(z, u) := \begin{cases}
(z^l, i) & \text{if } (z^f, u, z^l) \notin s,\ u \in U(z^f),\ \text{and } z^f = x_i, \\
(z^l, -) & \text{if } (z^f, u, z^l) \in s,\ m_o = i,\ \text{and } z^l \neq x_i, \\
(z^l, 0) & \text{otherwise,}
\end{cases} \tag{3}
$$
where '$-$' in the second line means 'unchanged'.
To comply with the fundamental mode, $G$ should provide $C$ with $(x, m)$ only when $\Sigma$ stays at a stable state. To this end, the end of every stable transition must be identified. In nominal transitions, this is easily done by referring to $z$ and $u$, since the current stable transition will end at $z^l = s(z^f, u)$. In the case of unauthorized transitions, however, the end must be determined by referring only to $z$, as $w$ is unobservable. The latter property is termed fault detectability [31]. The condition for fault detectability with respect to the state burst is that no state burst generated during an unauthorized transition is a strict prefix of another one (Theorem 3.7 of [31]). The underlying reason is straightforward, as shown in the following.
Proposition 2. For $x \in X$ with $W(x) \neq \emptyset$, $\Sigma$ is fault detectable at $x$ if and only if $\alpha(x, w) \notin sp(\alpha(x, w'))$ for all $w, w' \in W(x)$ with $\alpha(x, w) \neq \alpha(x, w')$.
Proof. (Only if) Assume that $\Sigma$ is fault detectable at $x$ but $\alpha(x, w_1) \in sp(\alpha(x, w_2))$ for some $\{w_1, w_2\} \subset W(x)$. Assume further that, while $u$ remains unchanged, $G$ receives the changed state burst $\alpha(x, w_1)$. Then one cannot determine whether $w_1$ has occurred so that $\Sigma$ reaches the faulty state $\alpha^l(x, w_1) \in \Gamma(x)$, or $w_2$ has occurred so that $\Sigma$ is on its way to the corresponding faulty state $\alpha^l(x, w_2) \in \Gamma(x)$, passing through the intermediate transient state $\alpha^l(x, w_1)$. This contradicts the assumption of fault detectability at $x$.
(If) Suppose that $G$ receives $z = \alpha(x, w)$ ($w$ unknown) such that $(z^f, u, z^l) \notin s$. Since $\alpha(x, w) \notin sp(\alpha(x, w'))$ for all $w' \in W(x)$ with $\alpha(x, w) \neq \alpha(x, w')$, one can identify the end of the unauthorized transition merely by referring to $z$. Hence $\Sigma$ is fault detectable at $x$. □

Controller Synthesis
A necessary condition for taking Σ from a beginning state to a goal state via corrective control is that the goal state is stably reachable from the beginning state, namely, an input string exists with which Σ stably reaches the goal state [9]. Such input strings are utilized by the controller in building feedback paths. For static controllers, another significant condition must be satisfied with respect to the set of utilized input sequences. Slightly relaxing the notion presented in [12,13], we define the implementability of static corrective controllers.

Definition 1. A static corrective controller is said to be implementable with respect to a set of control input sequences $S \subset A^+$ if, by utilizing $S$, the controller's output is uniquely determined by each input combination of the controller.
Implementability is necessary for the integrity of the static controller since having no states, the static controller must always generate a unique output with respect to each input combination.
The constraint of implementability makes it impossible to apply the previous static controller [12,13] to fault recovery. To validate this assertion, assume that $\Sigma$ undergoes an unauthorized transition from $x$ to $x'$ by $w \in W(x)$ ($s(x, w) = x'$), during which both the external and the control input remain $a \in A_n$. Assume further that $x$ is stably reachable from $x'$, e.g., $s(x', bcd) = x$ for $bcd \in A_n^+$. If we use the previous static controller, which has no indicator signal as its argument, we must assign the output $b$ to the input combination $(x', a)$ to start the correction procedure, that is, $C_p(x', a) = b$. However, $(x', a)$ may be a valid pair of $\Sigma$, e.g., $a \in T(x')$. Then, in the normal behavior of $\Sigma$, $C_p$ must provide $a$ as the control input without modification, i.e., one must design $C_p$ such that $C_p(x', a) = a$ to maintain the nominal stable transition from $(x', a)$. Since this conflicts with the foregoing assignment $C_p(x', a) = b$, the previous static corrective controller cannot be applied to the present problem. The use of $G$ and the addition of the related argument $m$ to $C$ resolve this predicament: $m$ is retained as $i$ throughout the recovery procedure for the unauthorized transition from $x_i$. Further, $G$ gives $C$ only the next stable state, discarding the underlying transient states. Hence the proposed static controller achieving fault recovery against $W(x_i)$ can be designed if and only if $x_i$ is stably reachable from every $x_j \in \Gamma(x_i)$, which equals the following condition for the existence of a corresponding dynamic controller.

Lemma 1 ([31]). Given $\Sigma$ with $W(x_i) \neq \emptyset$ for $x_i \in X$, a dynamic corrective controller exists that achieves fault recovery against $W(x_i)$ if and only if the following holds:
$$\forall x_j \in \Gamma(x_i),\ \exists t_{j,i} \in A_n^+ : s(x_j, t_{j,i}) = x_i. \tag{5}$$
Provided that the above condition holds, we design the proposed static controller $C : X \times A_n \times N_0 \to A_n$. First, if $m = 0$, $C$ just relays the external input to the control input channel, as no transient fault has occurred. For this purpose, we set
$$C(x, v, 0) := v, \quad \forall (x, v) \in X \times A_n. \tag{6}$$

To design the fault recovery operation, take an arbitrary faulty state $x_j \in \Gamma(x_i)$ and denote a proper input string by $t_{j,i} := t = u_1 \cdots u_{|t|}$ with $s(x_j, t) = x_i$. Denote further by $x_1, \ldots, x_{|t|} \in X$ the intermediate stable states $\Sigma$ traverses when it undertakes the chain of stable transitions in response to $t$, i.e.,
$$x_0 \xrightarrow{u_1} x_1 \xrightarrow{u_2} x_2 \xrightarrow{u_3} \cdots \xrightarrow{u_{|t|}} x_{|t|},$$
where $x_0 = x_j$ and $x_{|t|} = x_i$. Suppose that $\Sigma$ is staying at a stable pair $(x_i, a)$ when $w \in W(x_i)$ infiltrates $\Sigma$ such that $s(x_i, w) = x_j$. The input pair of $G$ changes to $(\alpha(x_i, w), a)$ at this time, where $\alpha^f(x_i, w) = x_i$ and $\alpha^l(x_i, w) = x_j$. Since $(x_i, a, x_j) \notin s$, $G$ generates $m = i$ according to (3). Receiving $(x_j, i)$ at the instant of the fault occurrence, $C$ commences the correction procedure by generating $u_1$ until $\Sigma$ reaches $s(x_j, u_1) = x_1$. Transient states lying between $x_j$ and $x_1$ need not be considered since they are discarded by $G$. Hence we set
$$C(x_j, a, i) := u_1. \tag{7}$$

As soon as the state feedback changes to $x_1$, $C$ provides $u_2$, which takes $\Sigma$ toward $s(x_j, u_1 u_2) = x_2$, and so on. The following assignment materializes these recursive operations of $C$:
$$C(x_p, a, i) := u_{p+1}, \quad p = 1, \ldots, |t| - 1. \tag{8}$$

Fault recovery is accomplished when $\Sigma$ reaches $x_i$ in response to $u_{|t|}$, and $m$ is reset to 0 at this time. Since $m = 0$, $C$ generates $a$ again as the control input according to (6).

By Definition 1, the control input sequences should be selected in such a way that $C$ is implementable. We assert that if the reachability condition for a dynamic corrective controller holds for every $x_i$ with $W(x_i) \neq \emptyset$, one can find a set of input sequences for which $C$ is implementable.

Proposition 3. If Lemma 1 holds for every $x_i$ with $W(x_i) \neq \emptyset$, a set of control input sequences exists such that $C$ designed according to (6)–(8) is implementable.

Proof. If $|W(x_i)| = 1$, the implementability of $C$ with respect to $x_i$ is ensured trivially, since only one input string is used as the control input sequence for the transient fault. Else if $|W(x_i)| > 1$, consider $w, w' \in W(x_i)$ with $s(x_i, w) := x_j \neq s(x_i, w') := x_k$. By assumption, $t := u_1 \cdots u_{|t|}$ and $r := u'_1 \cdots u'_{|r|}$ exist such that $s(x_j, t) = s(x_k, r) = x_i$. Let $X_{j,i}$ and $X_{k,i}$ be the sets of intermediate stable states $\Sigma$ traverses when it undertakes the chain of stable transitions from $x_j$ to $x_i$ and from $x_k$ to $x_i$, respectively. Then we have
$$X_{j,i} = \{\, s(x_j, u_1 \cdots u_p) \mid 0 \le p < |t| \,\}, \qquad X_{k,i} = \{\, s(x_k, u'_1 \cdots u'_q) \mid 0 \le q < |r| \,\}, \tag{9}$$
with the convention $s(x_j, u_0) := x_j$ and $s(x_k, u'_0) := x_k$. If $X_{j,i} \cap X_{k,i} = \emptyset$, the use of $t$ and $r$ satisfies the implementability of $C$, since the two feedback paths share no state. Otherwise, $\Sigma$ passes through a common state $x_l \in X_{j,i} \cap X_{k,i}$ when it is driven by $C$ along the two state trajectories $x_j \to x_i$ and $x_k \to x_i$. Specifically, assume
$$x_l = s(x_j, u_1 \cdots u_p) = s(x_k, u'_1 \cdots u'_q),$$
where $0 \le p < |t|$ and $0 \le q < |r|$. If $u_{p+1} = u'_{q+1}$, the implementability of $C$ still holds with respect to $x_l$, since $C$ will generate the same output $u_{p+1}$ ($= u'_{q+1}$) in response to $x_l$. Else if $u_{p+1} \neq u'_{q+1}$, we adjust one of $t$ and $r$ as follows to satisfy implementability. First, the suffix lengths $|t| - p$ and $|r| - q$ are compared. Suppose that $|t| - p > |r| - q$. Next, the suffix of $t$ is replaced by the corresponding part of $r$, i.e., we derive an alternative input string $t'$ from $t$ and $r$ as
$$t' := u_1 \cdots u_p \, u'_{q+1} \cdots u'_{|r|}.$$
Since $s(x_j, t') = x_i$ by the definition of $t$ and $r$, $t'$ can be used instead of $t$ for fault recovery from $x_j$ to $x_i$. It is clear that $C$ is implementable with respect to the derived input sequence. Since $m$ is distinctive with respect to $x_i$, the latter implies the implementability of $C$. □
In the above proof, the suffix of the input sequence with the longer remaining length ($|t| - p$) is replaced by the shorter one ($|r| - q$). This is intended to reduce the computational load of the controller by taking the shorter feedback path.

Theorem 1. Given the configuration of Figure 1, assume that $W(x_i) \neq \emptyset$ for all $x_i \in \bar{X} \subset X$ of $\Sigma$. Then $C$ achieving fault recovery against transient faults by $A_d$ exists if and only if every unauthorized transition is fault detectable and, $\forall x_i \in \bar{X}$, $\forall x_j \in \Gamma(x_i)$, $x_i$ is stably reachable from $x_j$.
Proof. (If) Since every unauthorized transition is fault detectable, we can design $G$ by applying (3). In addition, since $x_i$ is stably reachable from every state of $\Gamma(x_i)$, by Proposition 3 we can find a set of control input sequences with which $C$ is implementable, and can design $C$ by referring to (6)–(8). According to the foregoing discussion, $\Sigma_c$ is immune against any unauthorized transition by $A_d$.
(Only if) In view of Figure 1, the existence of $C$ implies that the next stable state of every stable transition is identified solely by observing $z$. Hence every unauthorized transition is fault detectable by Proposition 2. Since $C$ has access to $\Sigma$ only by changing $u$, fault recovery ensures that for all $x_i$ with $W(x_i) \neq \emptyset$ and for all $x_j \in \Gamma(x_i)$, a string $t_{j,i} \in A_n^+$ exists which takes $\Sigma$ from $x_j$ to $x_i$ via a chain of stable transitions. □

Figure 2 shows a flowchart of the execution of the proposed static corrective controller for achieving fault tolerance. Compared with dynamic controllers [31], the improvement in the computational load of controller synthesis is evident. The dynamic controller needs to define at most $n + 1$ states for the correction procedure of each unauthorized transition. Since there may be at most $n(n - 1)$ unauthorized transitions, the size (number of states) of the overall controller has complexity $O(n^3)$. On the other hand, the proposed static controller is much more efficient, as it needs no states. Of course, $G$ requires memory elements, as the state burst and the previous output $m_o$ must be recorded. Since the maximum length of a state burst is $n - 1$, the construction of $G$ is computed in $O(n)$, which is a mild degradation of resource usage. Note that a symbolic computation algorithm for deriving feasible control input sequences, as required in (5), is presented in the prior work [1,2]. Further, numerical algorithms avoiding tedious symbolic computations are found in the recent results [37,38].
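The suffix substitution from the proof of Proposition 3, worked through as an added example (this is not code from the paper): two feedback paths are given as constructed input strings together with the stable states they traverse, `controller_table` checks implementability in the sense of Definition 1 and (7)–(8), and `make_implementable` replaces the longer suffix at a conflicting common state $x_l$ by the shorter one, as the proof does.

```python
"""Suffix substitution (proof of Proposition 3): making two feedback paths implementable."""
from typing import Dict, List, Optional, Tuple

# A feedback path from a faulty state x_j to the original state x_i is an input
# string t = u_1 ... u_|t| together with the stable states x_0 = x_j, ..., x_|t| = x_i
# that Sigma traverses under it (len(states) == len(inputs) + 1).  The paper
# derives these states from s; here they are supplied as constructed data.
Path = Tuple[List[str], List[str]]


def controller_table(paths: List[Path]) -> Optional[Dict[str, str]]:
    """Assignment x_l -> u_{p+1} in the sense of (7)-(8) for one fault index i.

    Returns None when two paths demand different control inputs at a common
    stable state, i.e. when the static controller is not implementable (Def. 1).
    """
    table: Dict[str, str] = {}
    for inputs, states in paths:
        for p, u in enumerate(inputs):
            x_l = states[p]            # x_l = s(x_j, u_1 ... u_p), 0 <= p < |t|
            if table.get(x_l, u) != u:
                return None
            table[x_l] = u
    return table


def conflict(t: Path, r: Path) -> Optional[Tuple[int, int]]:
    """First (p, q) with s(x_j, u_1..u_p) = s(x_k, u'_1..u'_q) but u_{p+1} != u'_{q+1}."""
    t_in, t_st = t
    r_in, r_st = r
    for p in range(len(t_in)):
        for q in range(len(r_in)):
            if t_st[p] == r_st[q] and t_in[p] != r_in[q]:
                return p, q
    return None


def make_implementable(t: Path, r: Path) -> Tuple[Path, Path]:
    """At each conflict replace the longer suffix by the shorter one (Proposition 3).

    After a substitution both paths coincide from the common state x_l onward,
    so s(x_j, t') = x_i still holds.  Paths are assumed to visit each state at
    most once; the iteration guard only protects against pathological inputs.
    """
    limit = len(t[0]) + len(r[0])
    steps = 0
    while (pq := conflict(t, r)) is not None:
        steps += 1
        if steps > limit:
            raise RuntimeError("paths revisit states; substitution did not converge")
        p, q = pq
        t_in, t_st = t
        r_in, r_st = r
        if len(t_in) - p > len(r_in) - q:
            # t' = u_1 ... u_p u'_{q+1} ... u'_|r|, states follow r from x_l on
            t = (t_in[:p] + r_in[q:], t_st[:p] + r_st[q:])
        else:
            # symmetric case: r takes the suffix of t from x_l on
            r = (r_in[:q] + t_in[p:], r_st[:q] + t_st[p:])
    return t, r


if __name__ == "__main__":
    # Constructed paths: x2 -a-> x3 -b-> x4 -c-> x1 and x5 -d-> x3 -a-> x6 -e-> x7 -c-> x1
    # share x3 but demand different inputs there, so the raw assignment is not implementable.
    T = (["a", "b", "c"], ["x2", "x3", "x4", "x1"])
    R = (["d", "a", "e", "c"], ["x5", "x3", "x6", "x7", "x1"])
    print(controller_table([T, R]))            # None
    print(controller_table(list(make_implementable(T, R))))
```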

Home Security System
Consider $\Sigma_1 = (A, X, \hat{x}, f)$ whose state flow diagram is shown in Figure 3, where $A_n = \{a, b, c, d\}$, $A_d = \{w_1, w_2\}$, and $\hat{x} = x_1$. $\Sigma_1$ represents a home security system [12], where $x_1$ is the initial state and $x_2$, $x_3$, $x_4$ are three alarm states reached by the break-in events $d$, $a$, and $b$, respectively. $c$ is the reset signal, which is activated only at $x_3$. As an example instance, take the case of $x_1$ with $U(x_1) = \{c\}$ and $W(x_1) = \{w_1, w_2\}$. To check fault detectability, derive the state bursts caused by the elements of $W(x_1)$: $\alpha(x_1, w_1) = x_1 x_3 x_2$ and $\alpha(x_1, w_2) = x_1 x_4 x_3$. Since $\alpha(x_1, w_1) \notin sp(\alpha(x_1, w_2))$ and vice versa, $\Sigma_1$ is fault detectable at $x_1$ by Proposition 2.
If $G$ receives $x_1 x_3 x_2$ or $x_1 x_4 x_3$ while $u$ is equal to $c$, the unauthorized transition by $w_1$ or $w_2$ is diagnosed with certainty, since $(x_1, c, x_2) \notin s$ and $(x_1, c, x_3) \notin s$.
Referring to Figure 3, $x_1$ is stably reachable from every state of $\Gamma(x_1) = \{x_2, x_3\}$, e.g., $s(x_2, ac) = x_1$ and $s(x_3, c) = x_1$. By Theorem 1, $C$ exists which achieves fault recovery against $W(x_1)$. To check the implementability of $C$ associated with $ac$ and $c$, $X_{2,1}$ and $X_{3,1}$ defined in (9) are derived as $X_{2,1} = \{x_2, x_3\}$ and $X_{3,1} = \{x_3\}$. Although $X_{2,1} \cap X_{3,1} = \{x_3\}$ is non-empty, both $ac$ and $c$ apply the common input $c$ at $x_3$. Hence they can be used as the control input sequences while guaranteeing the implementability of $C$.
The design of $C$ is straightforward. Since $s(x_2, a) = x_3$ and $s(x_3, c) = x_1$, the control inputs with respect to $m = 1$ are assigned in line with (7) and (8) as
$$C(x_2, c, 1) = a, \qquad C(x_3, c, 1) = c. \tag{10}$$
When an unauthorized transition occurs so that $m$ changes to 1 and the state feedback to $x_2$ or $x_3$, $C$ activates the recovery procedure by performing the above operations. When $\Sigma_1$ reaches $x_1$, $m$ is reset to 0, and upon receiving $(x_1, 0)$ from $G$, $C$ terminates the recovery procedure. To this end, $C$ is set according to (6), i.e., $C(x_1, c, 0) = c$. Since the fault detectability condition of Proposition 2 and the reachability condition (5) hold for the other states as well, the design of $G$ and $C$ for the remaining states and inputs can be conducted similarly.
As a comparative study, let us try to achieve the above fault tolerant control by the previous static controller $C_p$, which receives no fault indicator signal (see (4)). Assume that $w_2$ occurs when $\Sigma_1$ has been staying at $(x_1, c)$, so that $\Sigma_1$ is forced to reach $x_2$. In the same way as (10), $C_p$ must generate $a$ to initiate the correction procedure, namely, $C_p(x_2, c) = a$. However, since $(x_2, c)$ is a valid pair of $\Sigma_1$ in Figure 3, $C_p$ already has the assignment $C_p(x_2, c) = c$ for ensuring the nominal transition. As this contradicts the foregoing operation, one cannot design a $C_p$ that accomplishes fault tolerant control for $\Sigma_1$.
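An added simulation of the home security example (not the paper's code): the partial transition function of $\Sigma_1$ is reconstructed from the facts stated above, with the one entry the page does not give marked as an assumption; `G` implements (3), `C` implements (6) and (10), `fault_detectable` is the check of Proposition 2, and `run_closed_loop` injects $w_1$ or $w_2$ at the stable pair $(x_1, c)$ and traces the recovery until $m$ returns to 0.

```python
"""Burst-feedback fault recovery for the home security ASM Sigma_1 of Section 5."""
from typing import Dict, List, Tuple

State = str
Inp = str
STATES = ["x1", "x2", "x3", "x4"]   # X = {x_1, ..., x_4}; m = i refers to STATES[i - 1]
A_D = {"w1", "w2"}                   # adversarial inputs of Sigma_1

# Transition function f of Sigma_1, partially reconstructed from what the paper
# states: U(x1) = {c}, s(x2, a) = x3, s(x3, c) = x1, alpha(x1, w1) = x1 x3 x2,
# alpha(x1, w2) = x1 x4 x3, and (x2, c) valid.  The entry marked ASSUMED is not
# on the page (Figure 3 is not reproduced) and was chosen to make the model runnable.
F: Dict[Tuple[State, Inp], State] = {
    ("x1", "c"): "x1",                                            # c in U(x1)
    ("x1", "w1"): "x3", ("x3", "w1"): "x2", ("x2", "w1"): "x2",  # burst x1 x3 x2
    ("x1", "w2"): "x4", ("x4", "w2"): "x3", ("x3", "w2"): "x3",  # burst x1 x4 x3
    ("x2", "a"): "x3", ("x3", "a"): "x3",                         # s(x2, a) = x3
    ("x3", "c"): "x1",                                            # s(x3, c) = x1
    ("x2", "c"): "x2",                                            # ASSUMED: (x2, c) is stable
}


def burst(x: State, u: Inp) -> List[State]:
    """alpha(x, u): the transient chain from x under the fixed input u up to the next stable state."""
    z = [x]
    while True:
        nxt = F[(z[-1], u)]          # KeyError: (x, u) is not a valid pair
        if nxt == z[-1]:
            return z                 # stable pair reached, so z[-1] = s(x, u)
        if nxt in z:
            raise ValueError("infinite cycle under input " + u)
        z.append(nxt)


def s(x: State, t: str) -> State:
    """Stable recursion function extended to strings of normal inputs (one letter each)."""
    for u in t:
        x = burst(x, u)[-1]
    return x


def fault_detectable(x: State) -> bool:
    """Proposition 2: no burst caused by W(x) is a strict prefix of another one."""
    bursts = [burst(x, w) for w in sorted(A_D) if (x, w) in F and F[(x, w)] != x]
    for z in bursts:
        for z2 in bursts:
            if z != z2 and len(z) < len(z2) and z2[:len(z)] == z:
                return False
    return True


def G(z: List[State], u: Inp, m_o: int) -> Tuple[State, int]:
    """Diagnoser (3): (z^l, i) on an unauthorized transition, (z^l, m_o) during recovery, else (z^l, 0)."""
    zf, zl = z[0], z[-1]
    nominal = (zf, u) in F and burst(zf, u)[-1] == zl   # (z^f, u, z^l) in s ?
    if not nominal:
        return zl, STATES.index(zf) + 1
    if m_o != 0 and zl != STATES[m_o - 1]:
        return zl, m_o
    return zl, 0


# Recovery assignments (10) for faults at x1 (m = 1): s(x2, ac) = x1 and s(x3, c) = x1,
# which share the input c at the common state x3, so C is implementable.
RECOVERY: Dict[Tuple[State, int], Inp] = {("x2", 1): "a", ("x3", 1): "c"}


def C(x: State, v: Inp, m: int) -> Inp:
    """Static controller: (6) relays v when m = 0, otherwise the recovery input."""
    return v if m == 0 else RECOVERY[(x, m)]


def run_closed_loop(x: State, v: Inp, w: Inp) -> List[Tuple[State, int, Inp]]:
    """Inject w at the stable pair (x, v); return the (x, m, u) trace until m is reset to 0."""
    m, u = 0, C(x, v, 0)
    z = burst(x, w)                  # w overrides u; C and G observe only the burst
    trace = []
    while True:
        x, m = G(z, u, m)
        u = C(x, v, m)               # v stays fixed during correction (fundamental mode)
        trace.append((x, m, u))
        if m == 0:
            return trace
        z = burst(x, u)


if __name__ == "__main__":
    print(fault_detectable("x1"))
    print(run_closed_loop("x1", "c", "w1"))
    print(run_closed_loop("x1", "c", "w2"))
```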

Asynchronous Error Counter
As the second example, we apply the proposed scheme to fault tolerant control of asynchronous error counters embedded in satellite computers [39]. Since SEU faults caused by cosmic rays in space corrupt the logic values of memory elements in the computers, periodic memory scrubbing is needed based on the amount of accumulated errors. Error counters detect and record error occurrences by moving to specific states that characterize the number of errors accumulated.
Consider an asynchronous 6-error counter Σ 2 " pA, X,x, f q whose state flow diagram is shown in Figure 4, where A n " ta i , b i |1 ď i ď 6u, A d " tn j , f j |0 ď j ď 2u, andx " x 1 . Σ 2 receives two kinds of error signals: a i with one-step resolution and b i with two-step resolution. Typical examples of a i and b i are 1-bit and 2-bit errors that frequently occur in space-born digital systems [14,15]. It is assumed that every character of A n can be generated for control purposes. In accordance with the meaning of each signal, Σ 2 advances one state in response to a i and two states in response to b i as depicted in Figure 4. A n x 1 x 5 x 4 x 3 x 2 x 6 n 0 ,f 1 n 1 ,f 2 n 2 ,n 0 n 1 ,f 0 Figure 4. State flow diagram of an asynchronous 6-error counter Σ 2 : state transitions with respect to A n are drawn on the left, and those with respect to A d are on the right. Σ 2 counts maximally six occurrences of a i 's and three occurrences of b i 's, after which Σ 2 is reset to x 1 . Supposing that Σ 2 is implemented as a digital circuit, we assign a three-bit binary number c 2 c 1 c 0 to each state as follows: x 1 " 000, x 2 " 001, x 3 " 011, x 4 " 111, x 5 " 110, and x 6 " 100.
Working in space, all the memory elements corresponding to $c_2 c_1 c_0$ are also exposed to SEU faults. In $A_d$, $n_j$ and $f_j$ represent an SEU fault that upsets the logic value of $c_j$ from 0 to 1 and from 1 to 0, respectively, $j = 0, 1, 2$. The control goal is to design $G$ and $C$, if any, that accomplish fault diagnosis and fault recovery against any adversarial input of $A_d$.
It is found that $W(x_i) \neq \emptyset$ for all $x_i \in X$. Let us investigate fault detectability for the existence of $G$. For instance, consider the case of $x_1$. The state bursts produced by $W(x_1)$ are $\alpha(x_1, n_0) = x_1 x_2$ and $\alpha(x_1, n_2) = x_1 x_6$. Since $\alpha(x_1, n_0) \notin \mathrm{sp}(\alpha(x_1, n_2))$ and vice versa, any unauthorized transition occurring at $x_1$ is fault detectable by Proposition 2. In fact, fault detectability is ensured for the rest of the states, and thus $G$ can be designed.
To construct $G$, we continue with the case of $x_1$. A fault occurrence at $x_1$ is diagnosed when the state burst is observed to change to either $x_1 x_2$ or $x_1 x_6$ while the control input remains unchanged. According to the first line of (3), $G$ is set as follows (note that $U(x_1) \cap A_n = \{a_6, b_5\}$):
$$G(x_1 x_2, u) = (x_2, 1), \quad \forall u \in \{a_6, b_5\}$$
$$G(x_1 x_6, u) = (x_6, 1), \quad \forall u \in \{a_6, b_5\}.$$
When $\Sigma_2$ is under the procedure of fault recovery, $G$ must not change $m$, as defined in the second line of (3). For the case of $x_1$, this operation is materialized by the following setting:
$$G(z, u) = (z_l, -), \quad (z_f, u, z_l) \in s,\ m_o = 1,\ z_l \neq x_1.$$
Finally, when $\Sigma_2$ reaches the original state $x_1$, $m$ is reset to 0, as defined in the third line of (3). The operation of $G$ at the other states is designed in a similar manner.
To determine the existence of $C$, we now investigate stable reachability between $x_i$ and $\Gamma(x_i)$. An examination of Figure 4 shows that for all $i = 1, \ldots, 6$, $x_i$ is stably reachable from every state of $\Gamma(x_i)$. For instance, $x_1$ is stably reachable from $x_2$ via the input string $b_2 b_4 a_6$ ($s(x_2, b_2 b_4 a_6) = x_1$), and from $x_6$ via the input string $a_6$ ($s(x_6, a_6) = x_1$). By Theorem 1, therefore, there exists a $C$ that achieves fault recovery against transient faults caused by $A_d$.
$C$ is constructed in line with (6)-(8). Let us keep focusing on fault recovery to $x_1$. As addressed above, we employ $b_2 b_4 a_6$ and $a_6$ in activating the correction procedure from $x_2$ and $x_6$, respectively. Upon receiving $b_2 b_4 a_6$, $\Sigma_2$ traverses two intermediate stable states $s(x_2, b_2) = x_4$ and $s(x_4, b_4) = x_6$. With $m$ fixed to 1, $C$ is designed with respect to $x_2$ and $b_2 b_4 a_6$ as follows:
$$C(x_2, u, 1) = b_2, \quad \forall u \in \{a_6, b_5\}$$
$$C(x_4, u, 1) = b_4, \quad \forall u \in \{a_6, b_5\} \qquad (11)$$
$$C(x_6, u, 1) = a_6, \quad \forall u \in \{a_6, b_5\}.$$
On the other hand, $\Sigma_2$ transfers from $x_6$ directly to $x_1$ in response to $a_6$, so $C$ is designed as $C(x_6, u, 1) = a_6$, $\forall u \in \{a_6, b_5\}$. As (11) already contains this operation, (11) serves as the correction procedure realizing fault recovery to $x_1$.
When $\Sigma_2$ reaches $x_1$, $m$ is reset to 0. Upon receiving $(x_1, 0)$ from $G$, $C$ terminates the recovery procedure. To this end, set $C$ as follows:
$$C(x_1, u, 0) = u, \quad \forall u \in \{a_6, b_5\}. \qquad (12)$$
It is clear from (11) and (12) that the selected control input sequences preserve implementability. The operation of $C$ for the other states is obtained by applying (11) and (12) in the same way. Since all the interactions between $C$, $G$, and $\Sigma_2$ are conducted asynchronously, the correction procedure can be accomplished instantaneously, before a further change of the external input.
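The error-counter case study above, as an added Python simulation that is not part of the paper. It reconstructs $\Sigma_2$ from the description of Figure 4 under stated assumptions ($a_i$ and $b_i$ act at $x_i$ and advance one or two states modulo six, so $b_6$ is assumed to wrap to $x_2$; every other input/state pair is assumed stable), models $n_j$ and $f_j$ as bit flips on the code $c_2 c_1 c_0$, builds the diagnoser $G$ from the three cases of (3), and synthesizes the recovery strings by a breadth-first search over nominal transitions. The search is this example's own choice, not the paper's (6)-(8); trying $b_i$ before $a_i$ happens to reproduce $b_2 b_4 a_6$ of (11). It goes beyond the text by synthesizing $C$ for every state, not only $x_1$, and by running the closed loop so the burst, the fault indicator and the applied control inputs can be inspected.

```python
from collections import deque

# Asynchronous 6-error counter Sigma_2, reconstructed from the text (assumptions noted below).
STATES = ["x1", "x2", "x3", "x4", "x5", "x6"]
CODE = {"x1": 0b000, "x2": 0b001, "x3": 0b011, "x4": 0b111, "x5": 0b110, "x6": 0b100}
STATE_OF_CODE = {code: x for x, code in CODE.items()}
A_N = [f"b{i}" for i in range(1, 7)] + [f"a{i}" for i in range(1, 7)]  # b_i first: BFS tie-break
A_D = ["n0", "n1", "n2", "f0", "f1", "f2"]


def next_state(x, u):
    """Nominal transition f(x, u). Assumption: a_i / b_i act at x_i and advance one / two
    states modulo 6 (b_6 wraps to x_2); any other (x, u) pair is treated as stable."""
    kind, i = u[0], int(u[1:])
    if STATES[i - 1] != x:
        return x
    return STATES[(i - 1 + (1 if kind == "a" else 2)) % 6]


def stable_state_under(u):
    """State x_o at which Sigma_2 rests while u is held: the recovery target for input u."""
    return next_state(STATES[int(u[1:]) - 1], u)


def apply_fault(x, d):
    """SEU input d in A_d: n_j sets bit c_j, f_j clears it. None if no legal state change."""
    kind, j = d[0], int(d[1:])
    code = (CODE[x] | (1 << j)) if kind == "n" else (CODE[x] & ~(1 << j))
    y = STATE_OF_CODE.get(code)
    return None if y == x else y


def W(x):
    """Adversarial inputs that cause an unauthorized transition at x."""
    return [d for d in A_D if apply_fault(x, d) is not None]


def fault_detectable(x):
    """Bursts alpha(x, d), d in W(x), must be pairwise distinct (one-step faults: no prefixes)."""
    bursts = [(x, apply_fault(x, d)) for d in W(x)]
    return len(set(bursts)) == len(bursts)


def recovery_string(x, target):
    """Shortest A_n string driving x to target by nominal transitions (BFS; b_i before a_i)."""
    parent = {x: None}
    queue = deque([x])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while parent[cur] is not None:
                cur, u = parent[cur]
                path.append(u)
            return path[::-1]
        for u in A_N:
            nxt = next_state(cur, u)
            if nxt != cur and nxt not in parent:
                parent[nxt] = (cur, u)
                queue.append(nxt)
    return None


def G(burst, u, m_o):
    """Diagnoser: observed state burst z under held input u, previous indicator m_o -> (z_l, m)."""
    z_f, z_l = burst[0], burst[-1]
    x_o = stable_state_under(u)
    if m_o == 0 and len(burst) > 1 and z_f == x_o:  # left x_o with u unchanged: fault
        return z_l, 1
    if m_o == 1 and z_l != x_o:                      # recovery in progress: keep m = 1
        return z_l, 1
    return z_l, 0                                     # nominal, or x_o regained


def C(x, u, m):
    """Static controller: a combinational map (x, u, m) -> control input, no internal state."""
    if m == 0:
        return u
    path = recovery_string(x, stable_state_under(u))
    return path[0] if path else u


def closed_loop(x, u, d):
    """Inject fault d while Sigma_2 rests at (x, u); run C/G until quiescent.
    Returns (final state, control inputs applied during recovery)."""
    y = apply_fault(x, d)
    if y is None:
        return x, []
    burst, m, applied = [x, y], 0, []
    for _ in range(10):               # every recovery path here has at most five steps
        z_l, m = G(burst, u, m)
        v = C(z_l, u, m)
        nxt = next_state(z_l, v)
        if m == 0 and nxt == z_l:     # fundamental mode: loop has settled
            return z_l, applied
        applied.append(v)
        burst = [z_l, nxt]
    raise RuntimeError("closed loop did not settle")


if __name__ == "__main__":
    for x in STATES:
        print(x, "W =", W(x), "detectable:", fault_detectable(x))
    print(closed_loop("x1", "a6", "n0"))  # ('x1', ['b2', 'b4', 'a6'])
```

Running the script lists $W(x_i)$ for every state (all non-empty, all detectable, matching the claim in the text) and replays the recovery of (11): with $a_6$ held at $x_1$, the fault $n_0$ yields the burst $x_1 x_2$, $G$ raises $m$, and $C$ emits $b_2$, $b_4$, $a_6$ before $G$ clears $m$ at $x_1$ and $C$ passes $a_6$ through as in (12). Because $C$ carries no state, the recovery target is recovered from the held external input alone, which is exactly why the diagnoser's $m$ bit is what makes the static design possible.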

Conclusions and Challenges
We have shown that static corrective controllers can solve the problem of fault diagnosis and fault tolerant control for input/state ASMs subject to transient faults. The state burst is used as feedback to design a diagnoser that detects and isolates any transient fault. Since the static controller receives only the stable state and fault indicator signal from the diagnoser, the reachability condition for designing the controller is greatly enhanced compared with the previous result. We have addressed the existence conditions for the diagnoser and static controller and formal algorithms for their synthesis in the framework of corrective control. The case studies on the home security system and the asynchronous error counter validate the applicability of the proposed control scheme.
Since the closed-loop system with the proposed static corrective controller preserves fundamental mode operation, we can code the system in very high speed integrated circuit hardware description language (VHDL) so as to implement it on configurable semiconductor devices such as field-programmable gate arrays (FPGAs); refer to [6][7][8] for the relevant prior work. We expect that the implementation of the closed-loop system will take significantly fewer resources than the case of dynamic corrective controllers, despite the addition of the diagnoser G. The design and implementation of the proposed static corrective control scheme on digital systems will be conducted as a further study.
While the ASM in this study has the form of an input/state machine, many practical ASMs are modeled by input/output machines. Hence, establishing a static corrective control scheme for input/output ASMs is an important future research topic. Further, although only transient faults were considered in this paper, fault tolerant control for other types of faults, e.g., permanent faults and intermittent ones, may be solved in input/output ASMs as addressed in Remark 1. Hence, applying the proposed static control methodology to overcoming such faults in input/output ASMs is also an interesting future research topic.