Diagnosis in Infinite-State Probabilistic Systems

In a recent work, we introduced four variants of diagnosability (FA, IA, FF, IF) in (finite) probabilistic systems (pLTS) depending on whether one considers (1) finite or infinite runs and (2) faulty or all runs. We studied their relationship and established that the corresponding decision problems are PSPACE-complete. A key ingredient of the decision procedures was a characterisation of diagnosability by the fact that a random run almost surely lies in an open set whose specification only depends on the qualitative behaviour of the pLTS. Here we investigate similar issues for infinite pLTS. We first show that this characterisation still holds for FF-diagnosability but with a G_δ set instead of an open set, and also for IF- and IA-diagnosability when pLTS are finitely branching. We also prove that, surprisingly, FA-diagnosability cannot be characterised in this way even in the finitely branching case. Then we apply our characterisations to a partially observable probabilistic extension of visibly pushdown automata (POpVPA), yielding EXPSPACE procedures for solving diagnosability problems. In addition, we establish some computational lower bounds and show that slight extensions of POpVPA lead to undecidability.


Introduction
Diagnosis. Monitoring (hardware and/or software) systems prone to faults involves several critical tasks: controlling the system to prevent faults as much as possible, deducing the cause of the faults, etc. Most of these tasks assume that an observer has the capability to assess the status of the current run based on the outputs of the system, providing information about the possible occurrence of faults. Such an observer is called a diagnoser and its associated task is called diagnosis. This framework leads to interesting decision and synthesis problems: "Does there exist a diagnoser?" and in the positive case "How to build such a diagnoser?", "Which kind of diagnoser is sufficient?", etc. The decision problem, on which we focus here, is called diagnosability [15].

Diagnosis of discrete event systems. In order to formally reason about diagnosability, the systems were first modelled by finite labelled transition systems (LTS). Then the specification of a diagnoser is defined by two requirements: correctness, meaning that the information provided by the diagnoser is accurate, and reactivity, ensuring that a fault will eventually be detected. Within the framework of finite LTS, the decision problem was shown to be solvable in PTIME [10] and it is in fact NLOGSPACE-complete.

Diagnosis of probabilistic systems. A natural way of modelling partially observable systems consists in introducing probabilities (e.g. when the design is not fully known or the effects of the interaction with the environment are not predictable). Thus the notion of diagnosability was later extended to Markov chains with labels on transitions, also called probabilistic labelled transition systems (pLTS) [16]. In this context, the reactivity requirement now asks that faults will almost surely eventually be detected. Regarding correctness, two specifications have been proposed: either one sticks to the original definition and requires that the provided information is accurate, defining A-diagnosability; or one weakens the correctness by admitting errors in the provided information that should, however, have an arbitrarily small probability, defining AA-diagnosability. From a computational viewpoint, we recently proved that A-diagnosability is PSPACE-complete [3] and that AA-diagnosability can be solved in PTIME [4].

In case a system is not diagnosable, one may be able to control it, by forbidding some controllable actions, so that it becomes diagnosable. This property of active diagnosability has been studied for discrete-event systems [14,9], and for probabilistic systems [2]. Interestingly, the diagnosability notion in the latter work slightly differs from the original one in [16].

Building on this variation, in [3] semantical issues have been investigated and four relevant notions of diagnosability (FA, IA, FF, IF) have been defined depending on (1) whether one considers finite or infinite runs and (2) faulty or all runs. In finite pLTS, it was shown that all these notions can be characterised by the fact that a random run almost surely lies in an open set, whose specification only depends on the qualitative behaviour of the pLTS.

Diagnosis of infinite-state systems. Diagnosability in infinite-state systems has been studied, on the one hand for restricted Petri nets [6], for which an accurate diagnoser can be designed, and on the other hand for visibly pushdown automata (VPA) [12], for which diagnosability can be decided via the determinisation procedure of [1]. However, to the best of our knowledge, diagnosis of probabilistic infinite-state systems has not yet been studied.

Contributions.
The characterisations of diagnosability established in [3] strongly relied on the finiteness of the models. Our first aim is thus to establish characterisations in the infinite-state case. FF-diagnosability (the original notion of diagnosability) states that almost surely a faulty run will be detected in finite time. We establish that FF-diagnosability can be characterised by the fact that a random run almost surely lies in a G_δ set, only depending on the qualitative behaviour of the system. This characterisation also applies to IF-diagnosability for finitely-branching systems, since then the two notions coincide. An ambiguous infinite correct (resp. faulty) run is a run indistinguishable from a faulty (resp. correct) run. IA-diagnosability states that almost surely a run is unambiguous. The set of ambiguous runs is an analytic set (so a priori not known to be a Borel set). However, in the finitely-branching case, we establish that the set of unambiguous runs is a G_δ set, yielding a characterisation of IA-diagnosability. FA-diagnosability states that the probability that a finite run is unambiguous goes to 1 when its length goes to infinity. Surprisingly, despite the fact that IA-diagnosability and FA-diagnosability are very close, we prove that FA-diagnosability cannot be characterised by the fact that a random run almost surely lies in a G_δ set. Furthermore we strengthen this result by another inexpressiveness result also related to FA-diagnosability.

We then introduce partially observable probabilistic visibly pushdown automata (POpVPA), a model generating infinite-state probabilistic systems. We show how to exploit the above characterisations to design a decision procedure for diagnosability in POpVPA. More precisely, we show that we can "encode" our characterisations in an enlarged probabilistic VPA and then exploit the decision procedures of [8], leading to an EXPSPACE algorithm. Since our characterisations are not regular, this requires some tricky machinery. Finally we complete this work by exhibiting an EXPTIME lower bound and showing that slight extensions of POpVPA lead to undecidability of the diagnosability problem.

Organisation. In Section 2, we introduce probabilistic infinite-state systems, equip them with partial observation and faults, and define diagnosability notions. In Section 3, we establish characterisations of the diagnosability notions and inexpressiveness results. We exploit the characterisations to design decision procedures for POpVPA in Section 4, also proving hardness and undecidability results. We conclude and give some perspectives in Section 5. More details and all the proofs can be found in the associated research report [5].

2 Diagnosis specifications for infinite-state probabilistic systems

Probabilistic labelled transition systems
Probabilistic labelled transition systems (pLTS) are labelled transition systems equipped with probability distributions on transitions outgoing from a state.

▸ Definition 1.
A pLTS is a tuple M = ⟨Q, q_0, Σ, T, P⟩ where: Q is a finite or countable set of states with q_0 ∈ Q the initial state; Σ is a finite set of events;

Given a pLTS M, the transition relation of the underlying LTS L is defined by $q \xrightarrow{a} q'$ for (q, a, q′) ∈ T; this transition is then said to be enabled in q. In order to emphasise the relation between the pLTS and the LTS, we sometimes write M = (L, P). Note that since we assume the state space to be at most countable, a pLTS is by definition at most countably branching: from every state q, there are at most countably many transitions enabled in q.
▸ Example 2. The pLTS of Figure 1 represents a server that accepts jobs (event in) until it randomly decides to serve the jobs (event serve). When a job is done the result is delivered (event out). When all jobs are done, the server waits for a new batch of jobs. However, randomly, the server may trigger a fault (event f) and then abort all remaining jobs (event abort). Afterwards, the server is reset (event reset). In the figure, the label of a transition (q, a, q′) is depicted as P[q, a, q′] ⋅ a.

CONCUR 2016

Let us now introduce some important notions and notations that will be used throughout the paper. A run ρ of a pLTS M is a (finite or infinite) sequence ρ = q_0 a_0 q_1 ... such that for all i, q_i ∈ Q, a_i ∈ Σ and, when q_{i+1} is defined, $q_i \xrightarrow{a_i} q_{i+1}$. The notion of run can be generalised, starting from an arbitrary state q. We write Ω for the set of all infinite runs of M starting from q_0, assuming the pLTS is clear from context. When it is finite, ρ ends in a state q and its length, denoted |ρ|, is the number of events occurring in it. Given a finite run ρ = q_0 a_0 q_1 ... q_n and a (finite or infinite) run ρ′ = q_n a_n q_{n+1} ..., the concatenation of ρ and ρ′, written ρρ′, is the run q_0 a_0 q_1 ... q_n a_n q_{n+1} ...; the run ρ is then a prefix of ρρ′, which we denote ρ ⪯ ρρ′. The cylinder defined by a finite run ρ is the set of all infinite runs that extend ρ: C(ρ) = {ρ′ ∈ Ω | ρ ⪯ ρ′}. Cylinders form a basis of open sets for the standard topology on the set of runs (which can be viewed as an infinite tree). One equips a pLTS with a probability measure on Ω with σ-algebra being B, the set of Borel sets, and which is uniquely defined by Caratheodory's extension theorem from the probabilities of the cylinders: We will sometimes omit the C and write P(ρ) for P(C(ρ)). It is well-known that once the measure is fixed, one can enlarge the set of measurable sets by considering the smallest σ-algebra containing B and the "null" sets: {A | ∃B ∈ B, A ⊆ B ∧ P(B) = 0} and then extend the original measure to a (complete) measure on this enlarged σ-algebra. We consider this measure in the sequel.
The sequence associated with ρ = q_0 a_0 q_1 ... is the word σ_ρ = a_0 a_1 ..., and we write either ) for an infinite (resp. finite) run ρ. A state q is reachable (from q_0) if there exists a run ρ such that $q_0 \xrightarrow{\rho}{}^{*} q$, which we alternatively write $q_0 \to^{*} q$. The (infinite) language of pLTS M consists of all infinite words that label runs of M and is formally defined as

Partial observation and faults
The observation of a pLTS is given by a mask function. This function projects every event to its observation. This observation is partial, as an event can have no observation or can share its observation with another event, but it is deterministic.

▸ Definition 3.
A partially observable pLTS (POpLTS) is a tuple N = ⟨M, Σ_o, P⟩ consisting of a pLTS M equipped with a mapping P : Σ → Σ_o ∪ {ε} where Σ_o is the set of observations. Note that our setting generalises most existing frameworks of fault diagnosis by considering a mask function P onto a possibly different alphabet rather than a partition of the event alphabet into observable and unobservable events. An event a ∈ Σ is said unobservable if P(a) = ε; otherwise, it is observable, and we distinguish a being fully observable if P(a) ≠ ε and P^{-1}({P(a)}) = {a}, or partially observable if P(a) ≠ ε and |P^{-1}({P(a)})| > 1. The set of unobservable events is denoted Σ_u.

Let σ ∈ Σ* be a finite word; its length is denoted |σ|. The mapping P is extended to finite words inductively: P(ε) = ε and P(σa) = P(σ)P(a). We say that P(σ) is the mask of σ. Write |σ|_o for |P(σ)|. When σ is an infinite word, its mask is the limit of the masks of its finite prefixes. This mask function is applicable to runs via their associated sequence; it can be either finite or infinite. As usual the mask function is extended to languages. With respect to P, a POpLTS N is convergent if there is no infinite sequence of unobservable events from any reachable state: In the rest of the paper we assume that POpLTS are convergent. P can also be viewed as a mapping from runs to Σ_o^ω by defining P(q_0 a_0 q_1 a_1 ...) = P(a_0 a_1 ...). Remark that this mapping is continuous. We will refer to a sequence for a finite or infinite word over Σ, and an observed sequence for a finite or infinite sequence over Σ_o. Clearly, the application of the mask function onto Σ_o of a sequence yields an observed sequence.

The observable length of a run ρ, denoted |ρ|_o ∈ N ∪ {∞}, is the number of observable events that occur in it: |ρ|_o = |σ_ρ|_o. A signalling run is a finite run whose last event is observable. Signalling runs are precisely the relevant runs w.r.t. partial observation issues since each observable event provides additional information about the execution to an external observer. Given states q, q′ and an observed sequence σ ∈ Σ_o^+, we write $q \overset{\sigma}{\Rightarrow} q'$ if there is a signalling run from q to q′ with observed sequence σ.

In the sequel, starting from the initial state q_0, SR denotes the set of signalling runs, and SR_n the set of signalling runs of observable length n. Since we assume that the POpLTS are convergent, for all n > 0, SR_n is equipped with a probability distribution defined by assigning measure P(ρ) to each ρ ∈ SR_n. Given ρ a finite or infinite run, and n ≤ |ρ|_o, ρ↓n denotes the signalling subrun of ρ of observable length n. For convenience, we consider the empty run q_0 to be the single signalling run of null length.

Fault diagnosis for POpLTS
To model the problem of fault diagnosis in POpLTS, we assume the event alphabet Σ contains a special event f ∈ Σ called the fault. A run ρ is then said to be faulty if its associated sequence of events contains a fault, i.e. σ_ρ ∈ Σ* f Σ^ω; otherwise it is correct. The set of faulty (resp. correct) runs is denoted F (resp. C). For n ∈ N, we write F_n for the set of infinite runs ρ such that ρ↓n is faulty and C_n for the set of infinite runs ρ such that ρ↓n is correct. By definition, for all n, In order to reason about faults we partition sequences of observations into three subsets: otherwise, it is ambiguous. For finite sequences, we need to rely on signalling runs: a finite observed sequence σ ∈ Σ_o^* is surely faulty (resp. surely correct) if for every signalling run ρ with P(σ_ρ) = σ, ρ is faulty (resp. correct); otherwise it is ambiguous. A (finite signalling or infinite) run ρ is surely faulty (resp. surely correct, ambiguous) if P(ρ) is surely faulty (resp. surely correct, ambiguous).

In order to specify various requirements for diagnosability we need to refine the notion of ambiguity. Let N be a POpLTS and n ∈ N with n ≥ 1. Then: FAmb_∞ (resp. CAmb_∞) is the set of infinite faulty (resp. correct) ambiguous runs of N; FAmb_n (resp. CAmb_n) is the set of infinite runs of N whose signalling subrun of observable length n is faulty (resp. correct) and ambiguous;

At this point it is interesting to look at the status of the different subsets of runs we have introduced with respect to the Borel hierarchy. F_n and C_n are unions of cylinders; so they are open (and, by complementation, closed) sets. The set of faulty (resp. correct) runs F (resp. C) is an open (resp. closed) set as a union (resp. intersection) of open (resp. closed) sets. The sets FAmb_n and CAmb_n are unions of cylinders; so they are open. The sets FAmb_∞ and CAmb_∞ may be defined as follows. Consider (Σ_o^2)^ω and Ω^2, both equipped with the product topology. SameObs = {(ρ, ρ′) | P(ρ) = P(ρ′)} is the inverse image by a continuous mapping of the closed set { The complementary sets The first and second projections are exactly CAmb_∞ and FAmb_∞, which establishes that these sets are analytic sets (i.e. continuous images of Borel sets). The set of analytic sets is a strict superset of Borel sets, but every analytic set is still measurable w.r.t. the complete measure [13, 2H8 p.83].
In the context of finite POpLTS, we introduced four possible specifications of diagnosability [3]. There are two discriminating criteria: whether the non-ambiguity requirement holds for faulty runs only or for all runs, and whether ambiguity is defined at the infinite run level or for longer and longer finite signalling subruns.

We recall in the next theorem all the implications that hold between these definitions. Missing implications do not hold, already for finite-state POpLTS.

▸ Theorem 5 ([3]). Let N be a POpLTS. Then N FA-diagnosable ⇒ N IA-diagnosable and FF-diagnosable;

In order to illustrate the different kinds of diagnosability, we describe below some discriminating examples, already presented in [3].
Consider the POpLTS N on the left of Figure 2 where {u, f} is the set of unobservable events (represented by dashed arrows) and P is the identity over the other events. A faulty run will almost surely produce a b-event that cannot be mimicked by the single correct run. Thus this POpLTS is IF-diagnosable. The unique correct run ρ = q_0 u q_1 a q_1 ... has probability 1/2 and its corresponding observed sequence a^ω is ambiguous. Thus the POpLTS is not IA-diagnosable. This simple example shows that, already for finite-state POpLTS, IF-diagnosability does not imply IA-diagnosability.

Similarly, let us look at the POpLTS on the right of Figure 2 where {u, f} is the set of unobservable events and P is the identity over the other events. Any infinite faulty run will contain a b-event, and cannot be mimicked by a correct run, therefore FAmb_∞ = ∅. The two infinite correct runs have a^ω as observed sequence, and cannot be mimicked by a faulty run, thus CAmb_∞ = ∅. As a consequence, this POpLTS is IA-diagnosable. Consider now the infinite correct run ρ = q_0 u q_1 a q_1 .... It has probability 1/2, and all its finite signalling subruns are ambiguous since their observed sequence is a^n, for some n ∈ N. Thus for all n ≥ 1, P(CAmb_n) ≥ 1/2, so that this POpLTS is not FA-diagnosable.
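As an added illustration (not part of the original paper), the following Python program enumerates the signalling runs SR_n of a small POpLTS, classifies each observed sequence as surely faulty, surely correct or ambiguous, and computes P(FAmb_n) and P(CAmb_n). The system is a constructed version of the left-hand POpLTS of Figure 2 as described above; since the figure itself is not reproduced here, the transition probabilities, the shape of the faulty part and the convergence guard are assumptions.

```python
from fractions import Fraction

# Constructed POpLTS matching the description of the left-hand system of
# Figure 2 (assumed probabilities): from q0, u (1/2) leads to the single
# correct loop q1 -a-> q1, while f (1/2) leads to a faulty part where each
# a may be followed by a b that no correct run can mimic.
TRANSITIONS = {
    "q0": [("u", Fraction(1, 2), "q1"), ("f", Fraction(1, 2), "q2")],
    "q1": [("a", Fraction(1, 1), "q1")],
    "q2": [("a", Fraction(1, 2), "q2"), ("b", Fraction(1, 2), "q3")],
    "q3": [("b", Fraction(1, 1), "q3")],
}
INITIAL = "q0"
FAULT = "f"
UNOBSERVABLE = {"u", "f"}       # the mask P sends these to epsilon
MAX_UNOBSERVABLE_STREAK = 16    # assumed guard: the POpLTS must be convergent


def mask(event):
    """Mask function P: identity on observable events, None (epsilon) otherwise."""
    return None if event in UNOBSERVABLE else event


def signalling_runs(n):
    """Enumerate SR_n, the signalling runs of observable length n.

    Each run is returned as (observed_sequence, faulty, probability), where
    probability is P(rho), the product of the transition probabilities.
    The recursion only stops right after an observable event, so every
    returned run is signalling; n = 0 yields the empty run q0.
    """
    runs = []

    def extend(state, observed, faulty, prob, remaining, streak):
        if remaining == 0:
            runs.append((observed, faulty, prob))
            return
        for event, p, target in TRANSITIONS[state]:
            now_faulty = faulty or event == FAULT
            if mask(event) is None:
                if streak >= MAX_UNOBSERVABLE_STREAK:
                    raise ValueError("unobservable loop: POpLTS is not convergent")
                extend(target, observed, now_faulty, prob * p, remaining, streak + 1)
            else:
                extend(target, observed + (mask(event),), now_faulty,
                       prob * p, remaining - 1, 0)

    extend(INITIAL, (), False, Fraction(1), n, 0)
    return runs


def classify_observations(n):
    """Status of each observed sequence of length n.

    A sequence is surely faulty (resp. surely correct) if every signalling
    run producing it is faulty (resp. correct), and ambiguous otherwise.
    """
    kinds_by_obs = {}
    for observed, faulty, _ in signalling_runs(n):
        kinds_by_obs.setdefault(observed, set()).add(faulty)
    status = {}
    for observed, kinds in kinds_by_obs.items():
        if kinds == {True}:
            status[observed] = "surely faulty"
        elif kinds == {False}:
            status[observed] = "surely correct"
        else:
            status[observed] = "ambiguous"
    return status


def ambiguity_probabilities(n):
    """Return (P(FAmb_n), P(CAmb_n)) as exact fractions.

    P(FAmb_n) is the mass of the faulty signalling runs of observable length n
    whose observed sequence is ambiguous; P(CAmb_n) likewise for correct runs.
    """
    status = classify_observations(n)
    p_famb = p_camb = Fraction(0)
    for observed, faulty, prob in signalling_runs(n):
        if status[observed] == "ambiguous":
            if faulty:
                p_famb += prob
            else:
                p_camb += prob
    return p_famb, p_camb


if __name__ == "__main__":
    for n in range(1, 6):
        famb, camb = ambiguity_probabilities(n)
        print(f"n={n}: P(FAmb_n)={famb}  P(CAmb_n)={camb}")
    # P(FAmb_n) halves at each step (a faulty run is eventually revealed by a
    # b), which is the FF-diagnosability behaviour; P(CAmb_n) stays at 1/2
    # because the single correct run is never disambiguated, so the system is
    # not FA-diagnosable.
```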

Characterisation of diagnosability
The aim of this section is to establish "simple" characterisations of the diagnosability notions for a POpLTS N = ((L, P), Σ_o, P) and, more precisely, to study whether one can express it as a Borel set B ∈ B only depending on the underlying LTS L and the mask function P, such that almost surely a random run belongs to B if and only if N is diagnosable. Furthermore, if possible, one looks for a set B belonging to a low level of the Borel hierarchy. Observe that for all notions this requires some machinery, since the finite runs-based notions FF and FA are expressed by a family of Borel sets and the infinite runs-based notions IF and IA are expressed by a set which is not a priori a Borel set.

Pursuing this goal, we introduce a language pathL for specifying Borel sets of runs. It is based on path formulae. A path formula α is a predicate over finite prefixes of runs. The (pseudo-)syntax of a formula of pathL is: φ ::= α | ¬φ | φ_1 ∧ φ_2 | ◇φ where α is a path formula. In the sequel we use the standard shortcut ◻φ ≡ ¬◇¬φ.

A formula is evaluated at some position k of a run ρ = q_0 a_0 q_1 .... The prefix ρ[0, k] of ρ is defined by ρ[0, k] = q_0 a_0 q_1 ... q_k. The semantics of pathL is inductively defined by: ρ, k ⊧ ◇φ if and only if there exists k′ ≥ k such that ρ, k′ ⊧ φ. Finally ρ ⊧ φ if and only if ρ, 0 ⊧ φ. Due to the presence of path formulae (with no restriction) this language subsumes LTL and more generally any ω-regular specification language. In order to reason about the probabilistic behaviour of a POpLTS, we introduce qualitative probabilistic formulae P_{⋈p}(φ) with ⋈ ∈ {<, >, =}, p ∈ {0, 1} and φ ∈ pathL. The semantics is obvious: N ⊧ P_{⋈p}(φ) if and only if P_N({ρ ∈ Ω | ρ ⊧ φ}) ⋈ p. Since pathL is closed by complementation, the probabilistic formulae can be restricted to P_{=0}(φ) and P_{>0}(φ).

Let us give some examples of path formulae. Given a finite run ρ = q_0 a_0 q_1 ... q_k, let f be defined by f(ρ) = true if a_i = f for some index i. This path formula characterises the faulty finite runs. Let U be defined by U(ρ) = true if there exists a correct signalling run ρ′ with P(ρ) = P(ρ′). Using the path formulae f and U, we exhibit a formula of pathL that characterises FF-diagnosability.
The POpLTS of Figure 3 illustrates the need for the finitely-branching assumption in Proposition 7. The set of unobservable events is {u, f} and P is the identity over the other events. Observation b occurs in every infinite correct run, while the observed sequence of the single infinite faulty run is a^ω. This POpLTS is thus IA-diagnosable. However, it does not satisfy P_{=0}(◇◻(U ∧ W)) since the unique infinite faulty run has probability 1/2 and satisfies at the same time ◻W, by uniqueness, and ◻U. Indeed, for every n ∈ N, there is a correct signalling run with observed sequence a^n.

Observe that the sets of runs specified by the characterisations of FF-diagnosability (◇◻(f ∧ U)) and IA-diagnosability (◇◻(U ∧ W)) are F_σ sets, i.e. countable unions of closed sets. Surprisingly, we show that such a characterisation is impossible for FA-diagnosability: there is no F_σ set E such that a POpLTS N is FA-diagnosable if and only if N ⊧ P_{=0}(E).

▸ Proposition 8. There exists a finitely-branching LTS L and a mask function P such that for every F_σ set E of runs, there exists a POpLTS N = ((L, P), Σ_o, P) such that: either N is FA-diagnosable and P_N(E) > 0; or N is not FA-diagnosable and P_N(E) = 0.

We conjecture that the previous impossibility result also holds for all Borel sets. The next proposition shows that a positive probability condition (instead of a null condition) may not exist whatever the Borel set.

▸ Proposition 9. There exists a finitely-branching LTS L and a mask function P such that for every Borel set E of runs, there exists a POpLTS N = ((L, P), Σ_o, P) such that: either N is FA-diagnosable and P_N(E) = 0; or N is not FA-diagnosable and P_N(E) > 0.

Given these impossibility results for FA-diagnosability, we concentrate in the sequel on the other notions.

Diagnosis for probabilistic pushdown automata
We now turn to a concrete model for infinite-state POpLTS, namely the ones generated by probabilistic pushdown automata, and more specifically by probabilistic visibly pushdown automata. Our goal is to use the characterisations from the previous section to decide the diagnosability of POpLTS generated by partially observable probabilistic visibly pushdown automata (POpVPA). To do so, we face the difficulty that the Borel sets that characterise FF-, IA- and IF-diagnosability are not a priori regular, even in the finitely branching case. Yet, for POpVPA, we circumvent this problem, and manage to specify these sets by pLTL formulae on a determinisation of the model, tagged with the needed atomic propositions.
The decidability of the qualitative model checking for recursive probabilistic systems [8] then yields the decidability of the above three diagnosability notions for POpVPA.

Probabilistic visibly pushdown automata
Among probabilistic infinite-state systems, the ones generated by probabilistic pushdown automata [11,8] support relevant decision procedures. Already in the non-probabilistic case, the subclass of visibly pushdown automata (VPA) [1] is more tractable than the general model. In VPA, the type of events determines whether the operation on the stack is a push, a pop, or possibly changes the top stack symbol, so that the languages defined by VPA enjoy most of the desirable properties regular languages have.

The semantics of a pVPA is an infinite-state pLTS whose states are pairs (q, z) consisting of a control state and a stack contents.

▸ Example 12. Figure 4 gives an example of a pVPA. The event alphabet is composed of local events {serve, empty, reset}, a push event in and pop events {out, f, abort}. A transition t = (q, γ, a, q′, w) is represented by an edge from state q to state q′ and labelled by P[t] ⋅ γ, a, w. The semantics of this pVPA is precisely the pLTS from Figure 1. Indeed, the stack alphabet consists of two letters Γ = {γ, ⊥_0} where the set of bottom stack symbols is {⊥_0}. Thus one can encode the stack using a counter that gives the number of γ in the stack. For instance, in the pLTS from Figure 1 the configuration (q_1, ⊥_0 γ^n) of the pVPA corresponds to the state q_{1n}.

Figure 4 A pVPA generating the pLTS from Figure 1 with two finite runs.

To define partially observable pVPA, we equip a pVPA with a mask function and require that only local events may be unobservable, and that pushes and pops can still be distinguished. This restriction is crucial since it ensures that the observed sequence of a signalling run of a POpVPA still provides the information about the height of the stack, since it is equal to the difference of pushes and pops, plus one.

▸ Definition 13. A partially observable pVPA (POpVPA) is a tuple ⟨V, Σ_o, P⟩ consisting of a pVPA V equipped with a mapping P : Σ → Σ_o ∪ {ε} such that:

In the sequel, we may identify a POpVPA with the POpLTS it generates. In particular, the various concepts of diagnosability are lifted from POpLTS to POpVPA.

Diagnosability for POpVPA
To obtain an algorithm for the diagnosability of POpVPA, we follow the finite-state case approach [3]. First, we determinise the POpVPA V into A(V), with the diagnosis objective in mind, building on the deterministic automaton recognising unambiguous sequences from [9]. We therefore introduce tags that reflect the category of runs (faulty or correct) given an observed sequence, with a distinction between "old" and "young" faulty runs. It then suffices to check whether the characterisations hold on the synchronised product $\bar{V} \times A(V)$ where $\bar{V}$ enlarges V by keeping track of a fault occurrence. To reduce to a decidable model checking question, we specify the Borel sets from Section 3 by LTL formulae.

Diagnosis-oriented determinisation
The determinisation of V (where probabilities are irrelevant for this transformation) into A(V) exploits some ideas of the original determinisation by Alur and Madhusudan [1], yet it is customised to diagnosis. In particular, it uses tags that were first defined to construct a deterministic Büchi automaton recognising the unambiguous sequences of a finite LTS [9]. The complete definition of the estimate VPA A(V) associated with a POpVPA V is technical and detailed in [5]. We emphasise here some aspects of the construction and illustrate them on an example. Figure 5 represents the deterministic VPA associated with our example POpVPA. For readability, we use shortcuts on the transitions in this figure, namely symbols aX_0, aX_1, etc. denote stack symbols of A(V).

Figure 5 The VPA A(V) associated with the POpVPA V of Figure 4.

States and stack symbols. The VPA A(V) tracks all runs with the same observation in parallel, memorising their status w.r.t. faults. More precisely, to the current set of runs corresponds the symbol on the top of the stack, which is a set of tuples where each tuple is written as a fraction $\frac{\gamma,X,q}{\gamma^-,X^-,q^-}$. Let us describe the meaning of this tuple: q is the current state of the run and γ is the symbol on the top of its stack; X ∈ Tg = {U, V, W} is the status of the run: U for a correct run, V for a young faulty run and W for an old faulty run; the denominator (γ⁻, X⁻, q⁻) is related to the configuration just after the last push event of the run: γ⁻ is the stack symbol under the top symbol, while X⁻ is the status of the run reaching this configuration and q⁻ the state of this configuration. A priori, a single state run would be enough. However, the simulation of a pop event in the original VPA is performed in two steps requiring some additional states that we explain later.

Illustration. The initial configuration of the VPA A(V) of Figure 5, (run, {⊥_0,U,q_0 / ⊥_0,U,q_0}), corresponds to the empty run represented by a singleton. The denominator of bottom stack symbols is by convention (⊥_0, U, q_0) and is irrelevant for specifying the transitions of A(V).

Tag updates. Let us explain how the tag X of an item (γ,X,q)/(γ⁻,X⁻,q⁻) of the current stack symbol is determined. If this item corresponds to a correct run then X = U. When, in a current state, after a transition of A(V) a (tracked) correct run becomes faulty in the next state, there are two cases. Either there was no tag W in (the numerators of items of) the top stack symbol of the current state, then the run is tagged by W. Otherwise it is tagged by V, meaning that it is a young faulty run. The tag V (young) becomes W (old) when, in the previous state, there was no tag W in the top stack symbol. A tag W is unchanged along the run.

Push transitions. Given an observed push event o ∈ Σ_{o,♯}, from the control state run with top stack symbol bel, there is a looping push transition (run, bel, o, run, bel′ bel″) in A(V) that encodes the possible signalling runs with observation o in V. More precisely, for every transition sequence (q, α) ⇒^o (r, β⁻β) in V (i.e. a sequence of unobservable local events ending by an event e with P(e) = o) and (α,X,q)/(α⁻,X⁻,q⁻) ∈ bel, one inserts (β⁻,Y,r)/(α⁻,X⁻,q⁻) in bel′ and (β,Y,r)/(β⁻,Y,r) in bel″. The value of Y follows the rules of tag updates.

Illustration. In Figure 5 several transitions correspond to the transition (q_0, ⊥_0, in, q_0, ⊥_0γ) of V, including (run, {⊥_0,U,q_0 / ⊥_0,U,q_0}, in, run, {⊥_0,U,q_0 / ⊥_0,U,q_0}{γ,U,q_0 / ⊥_0,U,q_0}), and several transitions correspond to the transition (q_0, γ, in, q_0, γγ) of V, including (run, {γ,U,q_0 / ⊥_0,U,q_0}, in, run, {γ,U,q_0 / ⊥_0,U,q_0}{γ,U,q_0 / γ,U,q_0}). Here, the specification of the tag updates is straightforward since it does not involve faulty runs. The runs represented in Figure 6 use these two transitions from the initial state.

Local transitions. Given an observed local event o ∈ Σ_{o,♮}, from the control state run with top stack symbol bel, there is a looping local transition (run, bel, o, run, bel′) in A(V) that encodes the possible signalling runs with observation o in V. More precisely, for every transition sequence (q, α) ⇒^o (r, β) in V (i.e. a sequence of unobservable local events ended by an event e with P(e) = o) and (α,X,q)/(α⁻,X⁻,q⁻) ∈ bel, one inserts (β,Y,r)/(α⁻,X⁻,q⁻) in bel′. The value of Y follows the rules of tag updates.

Illustration. In the VPA A(V) of Figure 5 there are several transitions corresponding to transition (q_0, γ, serve, q_1, γ) of V, including (run, {γ,U,q_0 / γ,U,q_0}, serve, run, {γ,U,q_1 / γ,U,q_0}). The runs represented in Figure 6 use this transition.

Pop transitions. Given an observed pop event o ∈ Σ_{o,♭}, from the control state run with top stack symbol bel, the "pop operation" is performed by a sequence of two transitions: a pop transition labelled by o that keeps in the next state all the information needed by the next (local) transition labelled by ε to move back to state run with a consistent stack symbol. Given an intermediate stack symbol, there is exactly one possible such transition. Thus, despite these transitions, A(V) is still deterministic. The first transition (run, bel, o, , ε) in A(V) is specified as follows. The next state is a set of items of the following shape (X,q)/(α⁻,X⁻,q⁻). More precisely, for every transition sequence (q, α) ⇒^o (r, ε) in V (i.e. a sequence of unobservable local events ended by an event e with P(e) = o) and (α,X,q)/(α⁻,X⁻,q⁻) ∈ bel, one inserts (Y,r)/(α⁻,X⁻,q⁻) in the intermediate state. The value of Y follows the rules of tag updates. A transition ( , bel, ε, run, bel′) is specified as follows. For every (X′,q′)/(γ,X,q) in the intermediate state and (γ,X,q)/(γ⁻,X⁻,q⁻) in bel (i.e. the denominator of the first fraction and the numerator of the second fraction match), one inserts (γ,X′,q′)/(γ⁻,X⁻,q⁻) in bel′.

Illustration. Let us describe how the pop event is performed by two transitions in the runs of the VPA of Figure 6 from the state reached after event serve. From q_1 with γ as top of the stack there are two transitions whose observation is pop: (q_1, γ, out, q_1, ε) and (q_1, γ, f, f_1, ε). Thus, starting from run with top stack symbol {γ,U,q_1 / γ,U,q_0}, one reaches the intermediate state {U,q_1 / γ,U,q_0, W,f_1 / γ,U,q_0}. The faulty run is tagged with W as there was no tag W in the former top stack symbol. In the next configuration, the top stack symbol is {γ,U,q_0 / ⊥_0,U,q_0}. So the transition labelled by ε moves back to state run with updated top stack symbol {γ,U,q_1 / ⊥_0,U,q_0, γ,W,f_1 / ⊥_0,U,q_0}.

Product VPA
To recover the probabilistic behaviour of V, we need to construct a synchronised product of V and the deterministic VPA A(V). In order to track the presence of a fault in a run of this product, we first enrich V to track occurrences of f. We thus define the POpVPA $\bar{V}$ whose set of states $\bar{Q}$ is a duplication of Q in correct states Q_c and faulty states Q_f. Given a transition of V starting from q leading to q′, there is in $\bar{V}$ a transition starting from q_f leading to q′_f and a transition starting from q_c leading either to q′_c if the event is not f or to q′_f otherwise. We then construct $V_{A(V)} = \bar{V} \times A(V)$, the product automaton of $\bar{V}$ and A(V) synchronised on the alphabet of observed events Σ_o. The transitions of $\bar{V}$ labelled by unobservable events do not change the second component of the state and the transitions of A(V) labelled by ε do not change the first component of the state. Due to the determinism of A(V), $V_{A(V)}$ has the same probabilistic behaviour as V, except that it memorises additional information along the run. More precisely, let ρ be a run of V; then $\bar{\rho}$, a run of $V_{A(V)}$, is obtained from ρ by following the same transitions and adding the single ε transition firable after any pop transition. One immediately gets $P_{V_{A(V)}}(\bar{\rho}) = P_V(\rho)$.

Let us explain how to transform the path formulae f, U and W into atomic propositions on the pairs ((q, run), (γ, bel)) consisting of a control state of $V_{A(V)}$ together with a top stack contents. For path formula f, we define the corresponding atomic proposition ν_f by

Figure 6 Two runs of the VPA from Figure 5. Figure 6 displays two finite runs of the deterministic VPA A(V) from Figure 5 sharing most transitions, with the exception of the last one.