Automated Verification of Switched Systems Using Hybrid Identification
Abstract
Verification of switched systems has to include the continuous trajectories as well as the discrete states of the system. For strongly interconnected systems with mutual dependencies it is not sufficient to verify the two system parts individually. It is necessary to examine the combined behaviour in such a setting. The approach presented in this paper is based on the well-known concept of using system identification methods for verification, which is extended to switched systems. The authors introduce the idea of tackling the verification of complex mechatronic systems as a hybrid identification problem. For this purpose the specification is given by the user in terms of the parameters of linear dynamic systems and a superimposed state machine. The implemented system under test can be transformed into the same representation using input/output measurement data and a recently developed hybrid identification procedure. Finally it is possible to compare the two representations automatically and calculate a formal statement about the consistency between specification and implementation.
Keywords
Test automation, Hybrid identification, Switched systems
1 Introduction
Testing is still a time- and resource-consuming activity based on the expert knowledge of the responsible engineer [22, 32]. While this was a feasible solution in the past, the growing complexity of current and future systems renders the manual approach impossible. Especially the combination of discrete and continuous system parts to systems showing hybrid behaviour leads to verification questions that are not solved today [28, 32]. Even though there is no satisfying solution available, the problem is present in the everyday engineering practice.
The unsolved verification^{1} question is given as follows: Is the behaviour of a given System under Test (SUT) - composed of a time continuous plant and its controller - consistent with the given specification? Does this consistency hold for all possible excitation signals and during all discrete states of the resulting hybrid system?
One possible solution is to tackle the controller and the plant individually. Focusing on the discrete verification problem of the embedded controller, there are several automatic verification methods available [10, 30]. Those methods are concerned with properties of the controller code (e.g. semantic correctness or determination of loops) [7, 12, 13] or runtime errors (e.g. overflow, divide by zero, out of bounds array access and others) [18, 27]. Some of these properties can be determined automatically using theorem provers or model checkers [32].
As the behaviour of the overall system is given by the controller and the plant, focusing on the discrete part is not enough. There are systematic approaches for the verification of hybrid systems based on the so-called “state space exploration” principle or “reachability analysis” [3, 4, 9, 12, 13]. A sound review of current state-of-the-art reachability analysis tools is given in [28]. The basic idea is to discretize the regarded space and run simulations using different combinations of the values until a given coverage criterion is fulfilled [12]. To constrain the number of necessary simulations, equivalence classes can be formed [2, 8, 12, 31]. Equivalence classes combine input values that lead to the same result. The correct behaviour of one representative is then used to reason about the correct behaviour of the whole equivalence class. Another possibility is to use additional knowledge about the system or the user of the system to extract excitation signals that are very likely to occur during operation (statistical testing, scenario testing) [13, 19].
When regarding continuous subsystems the discretization has to be very fine over the whole signal range thus prohibiting the use of equivalence classes and increasing the necessary computation time [6, 12]. This is due to the fact that it is not sufficient to check one specific, time constant value of an equivalence class any more. The whole continuous dynamic trajectory has to be taken into account to allow a profound verification [6]. Signal based features like maximum values or static tolerances can be verified using temporal logics as shown in [22].
Other hybrid verification approaches use Simulink models to verify the combined behaviour of controllers and their respective plants [23, 24, 25]. The excitation signals are thereby derived using meta-heuristic search algorithms based on random search, adaptive random search, hill climbing or simulated annealing. The resulting output signals are then analysed with respect to specified signal properties.
A wide range of different methods and theories for hybrid verification was developed in [1]. This paper’s approach to solve the problem is based on the well known concept of using system identification methods for verification as given in [21] which is extended to hybrid systems using the idea presented in [14].
In the engineering society diagnosis methods are used to monitor the correctness of running applications [11, 17]. This is often done using “analytical redundancy” meaning that the real values of a process are compared to the expected values of the process [29]. The needed expected values are calculated using a model of the process and the measured input data.
The concept of analytical redundancy is transferred from monitoring to verification in this paper. The redundancy is thereby achieved by the identification of the dynamical system parameters from input/output data. This is possible because the generating system parameters describe the system behaviour exhaustively. The idea presented in this paper is to use the control engineering notation of hybrid systems and a recently developed hybrid identification procedure to verify complex hybrid systems. The continuous part of the hybrid system is thereby used to describe the system dynamics of the controlled plant. Note that the dynamics of the controlled plant are different from the genuine dynamics of the plant. This is due to the fact that the goal of the controller is to influence - and thus change - the genuine plant dynamics in a desired way. Furthermore note that it is hence not necessary to know or model the genuine dynamics of the plant. The discrete part of the hybrid system is predominantly used to describe the behaviour of the controller. Nevertheless the plant might contain switches in its continuous dynamics that are also modelled in the discrete part.
The necessary specification parameters have to be given directly by the user. The resulting parametrized system description can be used to reason about the consistency between specification and implementation. One advantage of this identification based method is the independence from specific input signals. This is due to the fact that different input/output pairs lead to the same parameters if they were generated using the same system dynamics.
The proposed method is introduced as follows: In Sect. 2 a formal specification consisting of a state machine and respective dynamical systems for each state is defined. Afterwards a method for the identification of data - measured using the SUT - is presented in Sect. 3. The identification can be interpreted as a transformation of the SUT into a formal description. After the identification, the specification and the SUT are given in the same form. The automatic comparison is outlined in Sect. 4.
2 Formal Specification
Industrial specifications are often given in natural language or as a table containing a collection of more or less formal requirements [20]. Such a form is not suitable as basis for an automated verification algorithm. To allow the usage of automated methods a formal and strict notation has to be used for the specification. We focus on embedded systems consisting of a time, value and event discrete controller and a time and value continuous plant. We propose to model the resulting system as a hybrid system \(\mathcal {H}\) according to Fig. 1. Thereby the embedded controller as well as the switching part of the physical plant are modelled using the state machine \(\mathcal {Z}\). The controlled dynamics of the continuous plant are represented by a set of linear dynamic systems \(\mathbb {S}\). The input u is applied to the state machine. Based on the resulting state, a switch signal is determined that activates the respective subsystem \(s^{(i)}\in \mathbb {S}\). The continuous input is also applied to this continuous subsystem. The output of the active subsystem is fed to the output of the hybrid system and also used as feedback signal for the generating subsystem.
The state machine \(\mathcal {Z}\) is used to describe the switching behaviour between distinctive states representing operation modes of the specification. Possible operation modes that are available in nearly all systems are for example “start up mode”, “normal mode”, “exception mode” or “shut down mode”. Specific examples will provide even more, task specific operation modes.
The structure of the transitions \(\mathbb {T}\) between the states \(\mathbb {Q}\) of state machine \(\mathcal {Z}\) is given by the adjacency matrix \(\mathbf {A}\), with \(a_{i,j}=1\) if there exists a transition from state i to state j and \(a_{i,j}=0\) otherwise.
Note that the specification parameters in \(\mathbb {S}\) are parameters of the overall system (controller and plant) that describe the combined dynamics. Those parameters are different from the needed controller parameters and can thus not be used to parametrize the controller directly. The used controller structure as well as the controller parameters are an important part of the system design which is assumed to be done manually here. Please note that there are several controller structures and respective parametrizations that are suitable to meet the specification [26].
During the measurement time of \(T=\varDelta T K\) seconds the hybrid system shows the behaviour of the different active subsystems. Switches between the subsystems and thus the states of \(\mathcal {Z}\) are often tightly coupled with conditions on the process. These conditions can be used to refine the state machine by the introduction of switching thresholds. The switching thresholds need to be fulfilled to allow the change of the active subsystem. Without switching thresholds, the state machine can switch between states at arbitrary values or after infinitely short dwell times, thus leading to undesired behaviour.
The switching thresholds are user-defined restrictions on a threshold signal \(\varOmega =[\omega _k]_{k=0}^{K}\) that can also be chosen by the user. The specified switching thresholds are given as interval entries of a matrix \(\mathbf {B}\) with \(b_{i,j}=[\underline{l} \ \bar{l}]\) if \(a_{i,j}\ne 0\) and \(b_{i,j}=[-\infty \ \infty ]\) otherwise. Here \(\underline{l}\) and \(\bar{l}\) are the lower and upper limits of the value of \(\omega _k\). As long as \(\omega _k\ \in \ [\underline{l} \ \bar{l}]\) the state machine is allowed to change the state, i.e. to perform a switch, but does not necessarily have to.
When setting up the formal specification the physical signals that are interpreted as input and output of the linear dynamic subsystem have to be chosen. The choice of the signals depends on the objective of the test and the investigated hierarchical level. It is possible to define specifications on different levels and thus map a variety of different goals. Nevertheless, the choice of the input signal \(\mathbf {U}=[u_k]_{k=0}^{K}\) and the output signal \(\mathbf {Y}=[y_k]_{k=0}^{K}\) of all subsystems and levels has to fulfil controllability constraints. The choice of the input and output signal has to be the same for all systems of \(\mathbb {S}\).
To allow precise notation for the remainder of the paper, all variables of the formalized specification \(\mathcal {H}^* = \left[ \mathcal {Z}^*,\mathbb {S}^*\right] \) are marked with an asterisk. All variables belonging to the identified SUT \(\mathcal {H}' = \left[ \mathcal {Z}',\mathbb {S}'\right] \) are marked with a dash. The complete setting is shown in Fig. 2. The specification \(\mathcal {H}^*\), consisting of the state machine \(\mathcal {Z}^*\) and the linear dynamic behaviour \(\mathbb {S}^*\) has to be given by the user. Based on this information an SUT that fulfils the specification is developed. Nevertheless, it is likely that failures are made during the implementation process.
2.1 Example
Exemplary parameters for the system \(\mathbb {S}^*\) consisting of 3 subsystems with \(n_a^{(i)}=n_c^{(i)}=1 \forall i\)
Subsystem | \(a_1^*\) | \(c_1^*\) |
---|---|---|
1 | 1,000 | 0,003 |
2 | 0,975 | 0,040 |
3 | 1,020 | −0,040 |
The implementation of the System under Test \(\mathcal {H}'\) is done based on the given formal specification \(\mathcal {H}^*\). As the implementation is done by one or more human developers, it is likely that there exist inconsistencies in the resulting system \(\mathcal {H}'\). Note that the implemented system \(\mathcal {H}'\) consists of real hard- and software and includes a given plant that can not be changed. Therefore the implemented state machine \(\mathcal {Z}'\) and its dynamical subsystems \(\mathbb {S}'\) are not directly known. Nevertheless it is possible to excite the system and measure its output signal.
3 Identification of the SUT
Now assume the output signal of the system \(\mathbf {Y}'=[y'_k]_{k=0}^{K}\) was measured using a known, suitable and persistent excitation signal \(\mathbf {U}'=[u'_k]_{k=0}^{K}\) lasting for \(T=\varDelta T K\) seconds. It is now possible to calculate the actual generating subsystems \(\mathbb {S}'\) based on the measured data \(\left[ \mathbf {U}',\mathbf {Y}'\right] \) using the identification and segmentation algorithm from [14, 15] which is given as follows:
The algorithm uses an alternating iterative procedure to identify the system parameters as well as the unknown switching times. Thereby the system parameters are calculated using the first \(\max ({n_a^{(i)},n_c^{(i)}})+n_a^{(i)}+n_c^{(i)}\) measurement values as estimation interval \(k_{est}\) and a Least-Squares-Estimator.
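The estimation step described above can be tried on constructed data. The following Python sketch is an added example, not the algorithm of [14, 15]: it assumes the ARX form \(y_k=\sum_i a_i y_{k-i}+\sum_i c_i u_{k-i}\) (the model equation is not shown on this page), and it replaces the alternating procedure with a simple greedy segmentation based on the one-step prediction error. The function names, the input signal and the tolerance are assumptions; the subsystem parameters are those of the example table in Sect. 2.1.

```python
# Added example: ARX least squares on the estimation interval, plus a
# simplified greedy segmentation (NOT the alternating algorithm of [14, 15]).
# Assumed model: y[k] = sum_i a_i*y[k-i] + sum_i c_i*u[k-i].


def solve(m, b):
    """Solve the square system m x = b (Gauss-Jordan with partial pivoting)."""
    n = len(b)
    aug = [row[:] + [rhs] for row, rhs in zip(m, b)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[piv][col]) < 1e-12:
            raise ValueError("singular regressors: excitation is not persistent")
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(n):
            if r != col:
                f = aug[r][col] / aug[col][col]
                aug[r] = [x - f * p for x, p in zip(aug[r], aug[col])]
    return [aug[i][n] / aug[i][i] for i in range(n)]


def regressor(u, y, k, na, nc):
    """Row [y[k-1..k-na], u[k-1..k-nc]] of the assumed ARX model."""
    return [y[k - i] for i in range(1, na + 1)] + [u[k - i] for i in range(1, nc + 1)]


def estimate(u, y, start, na=1, nc=1):
    """Estimate [a_1..a_na, c_1..c_nc] from the k_est = max(na, nc) + na + nc
    samples beginning at `start`. That interval yields exactly na + nc
    equations, so the least-squares solution solves a square system."""
    first = start + max(na, nc)
    ks = range(first, first + na + nc)
    return solve([regressor(u, y, k, na, nc) for k in ks], [y[k] for k in ks])


def segment(u, y, na=1, nc=1, tol=1e-9):
    """Greedy segmentation: estimate on k_est samples, extend the segment while
    the one-step prediction error stays within tol, then start a new segment.
    Returns a list of (first_index, end_index_exclusive, parameters)."""
    k_est = max(na, nc) + na + nc
    segments, start = [], 0
    while start + k_est <= len(y):
        theta = estimate(u, y, start, na, nc)
        k = start + k_est
        while k < len(y):
            pred = sum(t * r for t, r in zip(theta, regressor(u, y, k, na, nc)))
            if abs(y[k] - pred) > tol:
                break
            k += 1
        segments.append((start, k, theta))
        start = k
    return segments


# Parameters (a_1, c_1) of the three subsystems from the page's example table.
SPEC = {1: (1.000, 0.003), 2: (0.975, 0.040), 3: (1.020, -0.040)}


def simulate(modes, dwell, params=SPEC, y0=2.0):
    """Constructed, noise-free data: each mode in `modes` is active for `dwell`
    steps; the input cycles through 0.5, 1.0, 1.5."""
    n = len(modes) * dwell + 1
    u = [0.5 + 0.5 * (k % 3) for k in range(n)]
    y = [y0]
    for k in range(n - 1):
        a1, c1 = params[modes[k // dwell]]
        y.append(a1 * y[k] + c1 * u[k])
    return u, y


if __name__ == "__main__":
    u, y = simulate([1, 2, 3, 2, 1], dwell=10)
    for first, end, theta in segment(u, y):
        print(f"samples {first:2d}..{end - 1:2d}: a1={theta[0]:.3f} c1={theta[1]:.3f}")
```

A constant input together with a constant output makes the regressor rows linearly dependent; `estimate` then raises instead of returning arbitrary parameters, which is the practical meaning of the persistent-excitation requirement.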
4 Comparison of SUT and Specification
The results can now be compared with the given specification \(\mathcal {H}^*\). Matching parameters mean that the dynamic behaviour of \(\mathbb {S}'\) is consistent with the specified behaviour \(\mathbb {S}^*\). Manual inspection shows that the identified parameters in Table 2 match the specified parameters in Table 1. The identified state sequence of the signal in Fig. 4 is 1\(\rightarrow \)2\(\rightarrow \)3\(\rightarrow \)2\(\rightarrow \)1 which is consistent with the state machine in Fig. 3. Therefore it can be concluded that the system that produced the signal in Fig. 4 is consistent with the given specification \(\mathcal {H}^*\).
4.1 Automatic Comparison
The comparison of the specification \(\mathcal {H}^*\) and the SUT \(\mathcal {H}'\) can also be done automatically. Therefore it is necessary to check the consistency of the parameters, the consistency of the transitions and the consistency of the switching thresholds. There are three possible results: full consistency, partial consistency and inconsistency for each part.
The consistency of the parameters is determined by setting up the identified set of states \(\mathbb {Q}'\). This is done by comparing the identified parameters to the specified parameters. An identified subsystem \({s^{(i)}}'\) can be assigned to a specified state \(q_j\in \mathbb {Q}^*\) if the parameters of \({s^{(i)}}'\) and \({s^{(j)}}^*\) are the same. The matching state \(q_j\) is added to the identified set of states \(\mathbb {Q}'\). An identified subsystem \({s^{(i)}}'\) without a matching specification is considered to represent an additional dynamic belonging to a state \(q_m\notin \mathbb {Q}^*\). Nevertheless \(q_m\) is added to \(\mathbb {Q}'\).
The consistency can be determined by comparing \(\mathbb {Q}^*\) and \(\mathbb {Q}'\). The set of states is only fully consistent if \(\mathbb {Q}'=\mathbb {Q}^*\). If there are states missing and hence \(\mathbb {Q}'\subset \mathbb {Q}^*\) the states are partially consistent. Otherwise they are inconsistent as \(\mathbb {Q}'\not \subset \mathbb {Q}^*\) indicates that there are unspecified dynamics present in the SUT.
The consistency of the transitions is determined by comparing the adjacency matrices of the specification \(\mathbf {A}^*\in \mathbb {R}^{e\times e}\) and the SUT \(\mathbf {A}'\in \mathbb {R}^{f\times f}\). Therefore it is necessary to reorder the identified states such that they match the order of the specified states. Each specified system dynamic without an identified match leads to zero entries in \(\mathbf {A}'\), each unspecified system dynamic leads to an additional row and an additional column in \(\mathbf {A}'\).
Consistency of \(\mathcal {H}'\)
\(\mathbb {Q}'\) | \(\mathbf {A}'\) | \(\mathbb {T}'\) | \(\mathcal {H}'\) |
---|---|---|---|
fully | fully | fully | fully |
partially | fully/partially | fully/partially | partially |
fully/partially | partially | fully/partially | partially |
fully/partially | fully/partially | partially | partially |
inconsistent | any | any | inconsistent |
any | inconsistent | any | inconsistent |
any | any | inconsistent | inconsistent |
Thereby \(\mathcal {H}'\) is only fully consistent if all results were fully consistent. If there are fully and partially consistent results, \(\mathcal {H}'\) is partially consistent. Finally \(\mathcal {H}'\) becomes inconsistent with \(\mathcal {H}^*\) if there is at least one part evaluated as inconsistent.
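The comparison steps of this section can be written down compactly. The following Python sketch is an added example, not the authors' implementation: the state rule and the combination rule follow the text above, while the verdict rule for the adjacency matrices, the parameter tolerance `tol` (used only to compare noise-free floating-point values) and the adjacency matrix `A_SPEC` are assumptions, since the page does not show them. The threshold verdict is passed in as an argument rather than computed.

```python
# Added example: automatic comparison of specification H* and identified SUT H'.
FULL, PARTIAL, INCONSISTENT = "fully", "partially", "inconsistent"


def same(p, q, tol):
    return len(p) == len(q) and all(abs(a - b) <= tol for a, b in zip(p, q))


def match_states(spec_params, segment_params, tol=1e-6):
    """Label each identified segment with the matching specified state, or with
    a new label 'x<n>' for a dynamic that has no specification."""
    extra, labels = {}, []
    for theta in segment_params:
        known = {**spec_params, **extra}
        hit = next((q for q, ref in known.items() if same(theta, ref, tol)), None)
        if hit is None:
            hit = f"x{len(extra) + 1}"
            extra[hit] = theta
        labels.append(hit)
    return labels


def states_verdict(q_spec, q_ident):
    """Q' = Q*: fully; Q' a proper subset of Q*: partially; else inconsistent."""
    if q_ident == q_spec:
        return FULL
    return PARTIAL if q_ident < q_spec else INCONSISTENT


def adjacency(sequence, order):
    """A' from the identified state sequence, rows/columns in `order`."""
    idx = {q: n for n, q in enumerate(order)}
    a = [[0] * len(order) for _ in order]
    for i, j in zip(sequence, sequence[1:]):
        if i != j:  # consecutive segments with the same dynamics are no switch
            a[idx[i]][idx[j]] = 1
    return a


def transitions_verdict(a_spec, a_ident):
    """Assumed rule (by analogy with the states): equal matrices are fully
    consistent, an observed but unspecified transition is inconsistent, and
    specified transitions that were never observed give 'partially'."""
    e, f = len(a_spec), len(a_ident)
    # Pad A* with zeros for the additional rows/columns of unspecified states.
    spec = [[a_spec[i][j] if i < e and j < e else 0 for j in range(f)]
            for i in range(f)]
    if e == f and a_ident == spec:
        return FULL
    extra = any(a_ident[i][j] and not spec[i][j]
                for i in range(f) for j in range(f))
    return INCONSISTENT if extra else PARTIAL


def combine(*verdicts):
    """Overall verdict for H' according to the consistency table."""
    if INCONSISTENT in verdicts:
        return INCONSISTENT
    return FULL if all(v == FULL for v in verdicts) else PARTIAL


def compare(spec_params, a_spec, segment_params, thresholds=FULL, tol=1e-6):
    """Return the (states, transitions, overall) verdicts. `segment_params` are
    the identified parameters per segment in time order; `thresholds` is the
    verdict of the switching-threshold check, supplied by the caller."""
    seq = match_states(spec_params, segment_params, tol)
    order = list(spec_params) + [q for q in dict.fromkeys(seq)
                                 if q not in spec_params]
    v_q = states_verdict(set(spec_params), set(seq))
    v_a = transitions_verdict(a_spec, adjacency(seq, order))
    return v_q, v_a, combine(v_q, v_a, thresholds)


# Specified parameters (a_1, c_1) from the example table in Sect. 2.1.
SPEC = {1: (1.000, 0.003), 2: (0.975, 0.040), 3: (1.020, -0.040)}
# Constructed adjacency matrix A* (1<->2, 2<->3); an assumption for this example.
A_SPEC = [[0, 1, 0], [1, 0, 1], [0, 1, 0]]

if __name__ == "__main__":
    identified = [SPEC[1], SPEC[2], SPEC[3], SPEC[2], SPEC[1]]
    print(compare(SPEC, A_SPEC, identified))
```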
4.2 Example
5 Conclusions and Future Work
5.1 Conclusions
This paper presented the idea of interpreting the automated verification of complex systems as a hybrid system identification problem. To this end, the use of a formal hybrid model as specification for the complex system was presented. Each operation mode of the specification is interpreted as a state of a state machine. The continuous linear system dynamics that govern the behaviour in every state are modelled as ARX systems and assigned to the respective state. Representing system behaviour as dynamic parameters leads to the advantage of being independent from specific input/output signals.
Knowledge about the implemented SUT is generated by exciting the SUT with a suitable input signal and measuring the resulting output signal. This signal can be generated by the responsible engineer and thus provides the possibility to include expert knowledge in the verification process. The measurement data is analysed by a hybrid identification algorithm that segments and identifies a hybrid system from its input/output behaviour. The resulting system parameters are then compared with the specified parameters. Based on the result, the state machine of the SUT can be set up. If the identified parameters and the identified state machine are consistent with the specification it can be concluded that the SUT itself is consistent with its specification.
5.2 Future Work
The requirement that the user has to define all elements of the 3-tuple and all necessary parameters of the ARX system when setting up the formalized specification is rather restricting. This should be improved in future work by providing a more intuitive way of setting up the specification. For this purpose a graphical user interface (GUI) can be implemented, providing the user with the ability to define feasible input regions that are linked to their respective feasible output region. The specification parameters could hence be determined by the improved algorithm, based on these user-specified input/output trajectories, leading to a “specification by example” setting.
The restrictions on the choice of the input and output signal given in Sect. 2 are rather rigorous. Future work will focus on softening these restrictions to allow a wider scope of application.
Furthermore the impact of noise has to be investigated. It is clear that the identified parameters will not perfectly match the specified parameters any more if there is noise present. The general procedure is assumed to be still applicable as [14] already provides the handling of noisy signals. Nevertheless it is not enough to simply introduce tolerances for the parameters, as even minor changes in the parameters might lead to tremendous changes of the system behaviour in some scenarios. On the other hand system identification can provide two distinct sets of parameters even though the input/output behaviour is very similar. Both cases have to be tackled by the introduction of a similarity measure based on the parameters.
Footnotes
- 1. The term “verification” is used in the control engineering sense throughout this paper which is denoted as “conformance testing” in computer science.
References
- 1. Transregional collaborative research center “automatic verification and analysis of complex systems (avacs)”. http://www.avacs.org
- 2. Abel, A., Reineke, J.: Memin: sat-based exact minimization of incompletely specified mealy machines. In: Proceedings of the IEEE/ACM International Conference on Computer-Aided Design, ICCAD 2015, Austin, TX, USA, 2–6 November 2015, pp. 94–101 (2015)
- 3. Alur, R., Dang, T., Ivančić, F.: Reachability analysis of hybrid systems via predicate abstraction. In: Tomlin, C.J., Greenstreet, M.R. (eds.) HSCC 2002. LNCS, vol. 2289, pp. 35–48. Springer, Heidelberg (2002). doi:10.1007/3-540-45873-5_6
- 4. Alur, R., Dang, T., Ivančić, F.: Predicate abstraction for reachability analysis of hybrid systems. ACM Trans. Embed. Comput. Syst. 5(1), 152–199 (2006)
- 5. Anta, A., Majumdar, R., Saha, I., Tabuada, P.: Automatic verification of control system implementations. In: Proceedings of the Tenth ACM International Conference on Embedded Software, pp. 9–18 (2010)
- 6. Araiza-Illan, D., Eder, K., Richards, A.: Verification of control systems implemented in simulink with assertion checks and theorem proving: a case study. In: 2015 European Control Conference (ECC), pp. 2670–2675, July 2015
- 7. Badban, B., Fränzle, M., Peleska, J., Teige, T.: Test automation for hybrid systems. In: Proceedings of the 3rd International Workshop on Software Quality Assurance, SOQUA 2006, pp. 14–21. ACM, New York (2006)
- 8. Balluchi, A., Benvenuti, L., di Benedetto, M.D., Pinello, C., Sangiovanni-Vincentelli, A.L.: Automotive engine control and hybrid systems: challenges and opportunities. Proc. IEEE 88(7), 888–912 (2000)
- 9. Bhatia, A., Frazzoli, E.: Incremental search methods for reachability analysis of continuous and hybrid systems. In: Alur, R., Pappas, G. (eds.) HSCC 2004. LNCS, vol. 2993, pp. 142–156. Springer, Berlin Heidelberg (2004)
- 10. Broy, M., Jonsson, B., Katoen, J.-P., Leucker, M., Pretschner, A. (eds.): Model-Based Testing of Reactive Systems: Advanced Lectures. LNCS, vol. 3472. Springer, Heidelberg (2005)
- 11. Chen, W., Chen, W.-T., Saif, M., Li, M.-F., Wu, H.: Simultaneous fault isolation and estimation of lithium-ion batteries via synthesized design of luenberger and learning observers. IEEE Trans. Control Syst. Technol. 22(1), 290–298 (2014)
- 12. Dang, T.: Model-based testing of hybrid systems. In: Model-Based Testing for Embedded Systems, chap. 14, pp. 383–424
- 13. Denise, A., Gaudel, M.-C., Gouraud, S.-D.: A generic method for statistical testing. In: 15th International Symposium on Software Reliability Engineering, ISSRE 2004, pp. 25–34 (2004)
- 14. Diehm, G., Maier, S., Flad, M., Hohmann, S.: An identification method for individual driver steering behaviour modelled by switched affine systems. In: Proceedings of the 52nd IEEE Conference on Decision and Control, pp. 3547–3553 (2013)
- 15. Diehm, G., Maier, S., Flad, M., Hohmann, S.: Online identification of individual driver steering behaviour and experimental results. In: Proceedings of the IEEE International Conference on Systems, Man and Cybernetics, pp. 221–227 (2013)
- 16. Föllinger, O., Konigorski, U.: Regelungstechnik: Einführung die Methoden und ihre Anwendung, 11, völlig neu bearb. aufl. edn. VDE-Verl., Berlin (2013)
- 17. Frank, P.M.: Diagnoseverfahren in der Automatisierungstechnik. at - Automatisierungstechnik, 47–64 (1994)
- 18. Holling, D., Pretschner, A., Gemmar, M.: 8cage: lightweight fault-based test generation for simulink. In: Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering, ASE 2014, pp. 859–862. ACM, New York (2014)
- 19. Kaner, C.: An introduction to scenario testing (2003)
- 20. Lin, L., Poore, J.H., Eschbach, R., Hierons, R.M., Robinson-Mallett, C.: Augmenting sequence enumeration with string-rewriting for requirements analysis and behavioral specification. In: Cortellessa, V., Varró, D. (eds.) FASE 2013. LNCS, vol. 7793, pp. 179–193. Springer, Heidelberg (2013). doi:10.1007/978-3-642-37057-1_13
- 21. Liu, D., Guo, X., Tang, G., Huang, Z.: Model Validation via System Identification and Hypothesis Test. Springer, Heidelberg (2012)
- 22. Maler, O., Nickovic, D.: Monitoring temporal properties of continuous signals. In: Lakhnech, Y., Yovine, S. (eds.) FORMATS/FTRTFT-2004. LNCS, vol. 3253, pp. 152–166. Springer, Heidelberg (2004). doi:10.1007/978-3-540-30206-3_12
- 23. Matinnejad, R., Nejati, S., Briand, L., Bruckmann, T., Poull, C.: Proceedings of the 5th International Symposium on Search based software engineering, SSBSE 2013, St. Petersburg, Russia, 24–26 August 2013, pp. 141–157 (2013)
- 24. Matinnejad, R., Nejati, S., Briand, L., Bruckmann, T., Poull, C.: Search-based automated testing of continuous controllers: framework, tool support, and case studies. Inf. Softw. Technol. 57, 705–722 (2015)
- 25. Matinnejad, R., Nejati, S., Briand, L.C., Bruckmann, T.: Automated test suite generation for time-continuous simulink models, pp. 595–606 (2016)
- 26. Pajic, M., Park, J., Lee, I., Pappas, G.J., Sokolsky, O.: Automatic verification of linear controller software. In: Proceedings of the 12th International Conference on Embedded Software, EMSOFT 2015, pp. 217–226. IEEE Press, Piscataway (2015)
- 27. Schneider, J.: Tracking down root causes of defects in simulink models. In: Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering, ASE 2014, pp. 599–604. ACM, New York (2014)
- 28. Schupp, S., Ábrahám, E., Chen, X., Makhlouf, I., Frehse, G., Sankaranarayanan, S., Kowalewski, S.: Current challenges in the verification of hybrid systems. In: Berger, C., Mousavi, M.R. (eds.) CyPhy 2015. LNCS, vol. 9361, pp. 8–24. Springer, Heidelberg (2015). doi:10.1007/978-3-319-25141-7_2
- 29. Simon, S.: Objektorientierte Methoden zum automatisierten Entwurf von modell-basierten Diagnosesystemen. PhD thesis, Berlin, 2015. Zugl.: Kaiserslautern, Techn. Univ., Diss. (2015)
- 30. Utting, M., Pretschner, A., Legeard, B.: A taxonomy of model-based testing (2006)
- 31. Yordanov, B., Belta, C.: Formal analysis of discrete-time piecewise affine systems. IEEE Trans. Autom. Control 55(12), 2834–2840 (2010)
- 32. Zander-Nowicka, J.: Model-based testing of real-time embedded systems in the automotive domain (2009)
- 33. Zhao, F., Koutsoukos, X., Haussecker, H., Reich, J., Cheung, P.: Monitoring and fault diagnosis of hybrid systems. IEEE Trans. Syst. Man Cybern. Part B (Cybern.) 35(6), 1225–1240 (2005)