Generating on-board diagnostics of dynamic automotive systems basedon qualitative models*

Fulvio Cascio t , Luca Console', Marcella Guagliumi3, Massimo Osellal,

Corso

Andrea Panati2 , Sara Sottanol , Daniele Theseider Dupre2

(1) Centro Ricerche Fiat, Strada Torino 50;10043 Orbassano (Torino) . Italy, email : {f.cascio,in .osella,s .sottano} Lcrf.i t

(2) Dip. Informatica, University di Torino,Svizzera 185, 10149 Torino, Italy, email : {lconsole, panati, dtd}~Vdi .unito .i t

(3) Magneti Marelli Electronic Systems Division,Viale Carlo Emanuele 11 118, 10078 Venaria R,eale (Torino), Italy,

e-mail : Ma,rcella.Guagliumi(CA)venaria .marelli .i t

Abstract

On-board diagnostic systems play an important role inthe current generation of cars and will play an increas-ingly important role in the next future . The design ofon-board diagnostic systems is a challenging problemunder several points of view . In this paper we dis-cuss the experience we made on such a problem withinthe VMBD project . In particular, we discuss an ap-proach which tries to reconcile two goals : satisfyingall the requirements and constraints imposed by theon-board application, and exploiting the advantages ofthe model-based approach as much as possible . Theapproach is based on qualitative deviation models forthe automatic derivation of on-board diagnostics basedon decision trees . In the paper we use a specific ap-plication, the Common Rail fuel defivery system, as aconcrete example, briefly discussing the on-board diag-nostics we designed for such a system and its prototypeimplementation and demonstration .

IntroductionThe aim of this paper is to discuss the experience wemade, within the VMBD project, on the design of on-board diagnostic systems for automotive applications .VMBD aims at demonstrating the utility of model-based diagnosis in the automotive domain for bothon-board and off-board diagnosis . This goal has beenachieved through the definition of a general formalism

This work was partially supported by the Euro-pean Commission, DG XII (project BE 95/2128, "VMB-D") . VMBD (Vehicle Model-Based Diagnosis) is a Brite-Euram project involving the following partners : DaimlerBenz . Centro Ricerche Fiat, Volvo, Bosch, Magneti Marelli,Genrad, Dassault Electronique, University di Torino, Uni-versite Paris XIII (Paris Nord), University of Wales atAberystwyth .

QR99 Loch Awe, Scotland

for building a library of (qualitative) models of com-ponents, the definition of an architecture for off-boardand on-board diagnostic problem solving, and the ex-perimentation on three guiding applications . Withinthe VMBD project, our group mainly focused on on-board diagnostic problem solving, which is interestingunder several points of view . First of all, there is afixed set of sensors, and tests can hardly be performed .Further, the on-board context imposes specific hard-ware requirements (memory and computing power) onthe design of the diagnostic system . However, the re-sponse time should be short, especially for safety criticalsystems, and should concentrate on taking the appro-priate action, without necessarily identifying the fault .Finally, systems to be diagnosed on-board are in al-most all cases dynamic feedback systems with an ac-tive control which is in most cases performed by theECU (Electronic Control Unit) software, which can of-ten compensate for faults .

Thus, these systems are a. challenging applicationfor testing state-of-the-art model-based diagnostic tech-niques . In the paper we analyse how the requirementssketched above can be taken into consideration in thedesign of a diagnostic architecture for on-board systemswith the following goals :1 . producing a diagnostic system that can be conceiv-

ably used on-board, given the technologies that willbe feasible on cars in the next few years ;

2 . exploiting the advantages of the model-based ap-proach as much as possible .As a running example we use one of the guiding ap-

plications in the VMBD project : the Common Rail fueldelivery system . It has all the features discussed above(safety critical, real time recovery, dynamic feedbackwith active control) and is interesting for both on-board

265

diagnosis (performing recovery actions in the presenceof malfunctions) and off-board diagnosis . Moreover, theCommon Rail involves hydraulic, electric and electroniccomponents, which are, at least in part, similar to thoseused in other systems . Thus, generic models of thesecomponents can be reused in different systems (as re-gards VMBD, the Common Rail has a number of com-mon components with another application, the Distrib-utor Type Injection) . In the paper :1 . We first introduce the Common Rail system used as

a guiding application, and the models based on qual-itative deviations we adopted for it, motivating thesuitability of this kind of models for our goals .

2 . We then discuss the diagnostic approach we adopted .In particular, we briefly recall a sirnuIation-based ap-proach to deal with dynamic behavior ; we then anal-yse the problem of on-board diagnosis, motivatingand discussing an approach which uses the model-based system for automatically synthesizing efficienton-board diagnostics in the form of decision trees .

3 . We finally provide an example of model-based diabnosis results used in the generation of on-board di-agnostics for the Common Rail and we sketch theprototype demonstration on board of a Lancia car .

The Common Rail systemThe Common Rail fuel injection system (Stumpp &Ricco 1996) for direct injection diesel engines is de-signed in order to be able to control the injection pres-sure, as well as injection timing, which allows betterengine performance and lower noise and emissions . Tothis end, pressurised fuel is stored in the rail and itspressure is controlled by the Electronic Control Unit(ECU) through a pressure regulator .In more detail, the purpose of the main components

(see figure 1) is as follows . The high pressure pumpdelivers fuel to the rail, which, together with the highpressure pipes between the high pressure pump and theinjectors, behaves as an accumulator . The pressure reg-ulator, an overflow valve controlled by the ECU, variespressure in the rail . When the driving current is in-creased, the regulator closes an orifice . This determinesa decrease of the overflowing fuel amount and a conse-quent increase of the pressure in the rail . The overflow-ing fuel is returned to the tank .The ECU controls the fuel injection system . The tar-

get pressure value for the fuel pressure is determinedgiven the engine operating conditions . If the rail pres-sure, measured by the pressure sensor, deviates fromthe target value, the command to the pressure regulatoris varied in order to reduce the difference between themeasured pressure and the target value . Injectors alsoreceive commands from the Electronic Control Unit,which computes both the amount of fuel to be injectedand injection timing . In case of faults, possible actionsto be taken by the ECU are :" limiting performances, i .e . lowering the maximum

value for the rail pressure (which also limits theachievable acceleration) ;" switching to a "limp home" mode where the sys tem

variables are forced to be in idle mode . In this waythe rail pressure is low, and the engine speed is keptconstant, while still allowing the driver to reach e .g .a service bay ;" stopping the engine when some dangerous fault issuspected .The fuel delivery subsystem has been modified in thetest car in the following ways :

" A sensor in the low pressure subsystem (between thefilter and the high pressure pump) has been intro-duced ; it detects whether the pressure is sufficient todeliver fuel to the high pressure pump.

" The effect of introducing a "virtual" (i .e ., software)sensor based on engine speed has been considered .Such a type of sensor has been developed by Cen-tro Ricerche FIAT for torque measurement (to de-tect anomalous injection amount and timing), i .e . forcomputing whether a cylinder provides a significantlydifferent torque with respect to other cylinders . Thisis a "virtual" sensor since it provides an indirect mea-sure based on actual measures . In principle, therewould be no need for such a concept of virtual sen-sor in a model-based diagnostic system ; this one, inparticular, could be substituted with just the enginespeed sensor and models of combustion and of theengine dynamics . But since such models would bemuch more complex than the rest, the virtual sensorabstraction has been preferred as a more viable solu-tion . Admittedly, this is an ad-hoc abstraction ; gen-eral and principled ways of abstracting models havenot been the purpose of this work .

" Hardware has been included for introducing in thesystem some of the faults considered in the models ; inparticular, for switching off the electric pump in thelow pressure subsystem, for switching pff the P`VM(pulse width modulation) command to the pressureregulator (so that it rernains open), or for supplyingor not supplying one injector with current, so that itremains always open, or always closed, regardless ofthe opening commands from the ECU.

Qualitative deviation modelsApplying model-based diagnosis to dynamic controlledsystems is one of the main focuses ofresearch in the field(e.g . (Chantler et al . 1996 ; Loiez & Taillibert 1996 ;Mosterman & Biswas 1996 ; 1997 ; Malik & Struss 1996 ;Struss 1997)) . In (Malik k Struss 1996), in particu-lar, an approach based on qualitative deviations hasbeen used . The system is modeled in terms of differen-tial equations that include appropriate parameters forcomponents, whose values correspond to different (cor-rect or faulty) behavior modes of the component . Fromthese equations, corresponding equations for qualitativedeviations are derived :

" for each variable x, its deviation Ax(l) is defined asAx(t) = x(t) - x, ef(t), where x,ef(l) is a referencebehavior ;

" from any equation A = B, the corresponding equa-tion AA = AB is derived ;

" finally, the corresponding qualitative equation [AA]= [.AB] is derived ; it equates the signs of the two de-viations . There are rules for expressing this equationin terms of signs of deviations of individual variablesrather than expressions .Similar ways for deriving qualitative models from

quantitative equations have been proposed in (Gallantiet al . 1989 ; Biswas, Kapadia, & Yu 1997) . This formof qualitative modeling has been chosen for this sys-tem, especially because the fuel pressure in the rail israpidly varying, according to the position of the accel-erator pedal and a number of other inputs, thereforea normal range of values cannot be given . This meansthat reasoning in terms of absolute values would be verydifficult . A main problem in applying this approachis however the choice of the reference behavior . Thechoice in (Malik & Struss 1996), which is shown to beuseful at least in some cases, is to have a. steady stateas the reference behavior . We regarded the referencebehavior as the evolution of the system when all com-ponents are not faulty. As we will discuss later, thischoice has strong influences on the way diagnosis is ac-tivated, i .e . how it is detected that there is a fault in thesystem . The model used for our experiments is shown

Figure l : The Common Rail fuel injection system for the 5-cylinder car used for demonstration, with an additionalpressure sensor in the low pressure part . One of the 5 injectors is enlarged for better readability .

in the block diagram in figure 2 ; some simplificationshave been done with respect to a model that would bederived from models of individual components :" the low pressure part of the system has been ab-

stracted to a single component ; similarly for the railand the high pressure pipes ;the "torque measurement" virtual sensor has been at-tached directly as an output to the injector compo-nent, rather than introducing the engine component .Variable names on the arcs correspond to pairs of

interface variables of components, which are imposedto be equal by the connection . The meaning of suchvariables is the following :" flowp: flow from the low pressure subsystem (into

the high pressure pump)" plowp: pressure in the low pressure subsystem" lowp-obs : sensor reading for the low pressure subsys-

tem" f-pump: outflow of the high pressure pump" p-rail : pressure in the rail" p-obs : reading of the pressure sensor in the rail

" PIVM : actuation command to the pressure regulator" f-pr : flow through the pressure regulator" f-inj : flow through the injectors" lrn : torque measurement (virtual sensor)

As an example of qualitative deviation modeling,the following qualitative deviation equation is includedin the model of the high pressure pipes and rail :aAp-rail = [ofpump] - [ofpr] - [Af-inj] - [Afleak]where :. fleak is the flow through possible leaks ; it is a pa-

rameter of the component and its reference value is 0 ;the "ok" mode for the component imposes [0f-leak]= 0, that is, there are no leaks, while the only faultmode considered for the component, "leaking", im-poses [A fleak] = -1- ;

. aAp-rail is the derivative of the deviation (or, equiv-alently, the deviation of the derivative) of the railpressure . The equation implies that if the balanceof flows becomes different (e .g . smaller) from theexpected one (e.g ., due to a smaller- than-expectedinflow from the pump, or a higher-than-expected out-flow through the regulator, or the injectors, or a leak),then the derivative of the rail pressure deviates (e.g .becomes smaller) . This will make the rail pressureitself deviate (e.g . become smaller) with respect tothe expected trend .The list of fault modes considered for the components

comes from the system FMEA and is the following .The high pressure pump (hp-pump) has fault modes

blocked, with obvious meaning, and insuff whichmeans it has a reduced efficiency. The high pres-sure pipes and rail (hp-pipes-rail) have leak as theonly fault mode . The pressure regulator (p-regulator)has the fault modes blocked closed and blocked open .The injectors have fault modes blocked open andblocked closed, as well as recycle low and recycle highwhich correspond to an abnormal amount of fuel re-turned to the tank (part of the fuel flowing through

ECU pressurecontrol

p

r ail

PWM

Rail & highiressme pipe

f-Prp

r ailf ir>j

p obs

High pressureP'MP

Figure 2 : Diagram of the model of the Common Rail .

the injectors is in fact going back to the tank) . Thelow pressure subsystem (lp-system) has the only faultmode insuff which means it does not deliver enoughfuel ; this includes a fault of the electric fuel pump . Forthe sensor in the low pressure system no fault modesare considered, for the sensor in the high pressure part,the faults low, high and blocked are considered . Usu-ally, sensor faults can be identified by an implausiblesensor reading, i .e . through a range check . This couldbe modeled introducing additional qualitative values fordeviations, but in the running example it has not beendone for the sake of simplicity (as a consequence, inthe diagnostic results discriminating sensor faults fromsome other faults will not be possible) .

Diagnostic strategiesAs we noticed before, we are interested in both off-board and on-board diagnosis . While offboard diagno-sis can take full advantage of the model-based approach,on-board diagnosis requires some further considerationsand taking into account some important practical con-straints . First of all, in the on-board case the diag-nostic system must react promptly to anomalies andmust run fast in order to interpret the anomalies and,which is most important, in order to take an appropri-ate recovery action . This means also that the on-boarddiagnostics should be focused only on performing re-covery actions, rather than on the actual isolation ofthe fault(s) . However, keeping track of more detailedinformation about the fault(s) that occurred can be ex-tremely important, as it is a valuable information tobe passed to the diagnostic system that will be used inthe workshop to actually locate and identify the fault .Moreover, only a few measurements can be available on-board and the possibility of performing tests/probes is

f lowp Low pressuresubsystem lowp obs

p lowpf-purnp Low pressure

sensor

very limited . Finally, even though integrating the diag-nostic system within the ECU is not one of the goals ofVMBD, we must build a diagnostic system that takesinto account the kind of hardware that is available onboard (or that will be presumably available in the nextyears) . For example, the total amount of memory avail-able on the ECU (for both control and diagnosis) of thetest car is 64K . Therefore, we must, reconcile two goalsthat are, at. least partially, conflicting :1 . the aim of showing that the model-based technology

provides interesting advantages and can be exploitedand have an impact also for on-board applications ;

2 . the constraint of not requiring a major revolution inthe hardware (and software) technologies currentlyused on-board .Such requirements show that, the direct adoption of

model-based diagnosis on board can be problematic .Moreover, using the full power of the model-based ap-proach on board could be unnecessary, especially asregards selecting measurements and tests, since littlespace for performing additional measurements and testsis available .The on-board diagnostic task can be better per-

formed using simpler technologies, such as "pattern-action" rules or decision trees . Such technologies in factcan be easily implemented on current ECUs and couldthus be practically used immediately . However, we be-lieve that the model-based approach can neverthelessplay a fundamental role in automatically synthesizingthe simpler knowledge base and diagnostic strategy tobe implemented on-board .In the two following sections we discuss the defini-

tion of diagnosis for dynamic systems we adopted andhow such a definition can be exploited for compilingautomatically the on-board diagnostic system .

Diagnosis of dynamic systemsIn (Theseider Dupre & Panati 1998) several alternativesare considered for defining diagnosis of dynamic sys-tems, including state-based diagnosis (Malik & Struss1996 ; Struss 1997) and some simulation-based defini-tions which take into account the discontinuity in thebehavior associated with abrupt faults, i .e . the suddentransition of a component from the correct mode of be-havior to a faulty behavior . It is shown that, given ad-ditional knowledge on causality in the system, reason-ing on such transitions and using simulation can leadto reducing the set of state-based diagnoses, under in-creasingly restrictive assumptions on the observabilit.yof the system, i .e . on fault detection .The assumptions on fault detection are important .

Differently from (Malik & Struss 1996), we assumed asa reference behavior the correct behavior of the sys-tem ; that is, a deviation should be detected (and thendiagnosis activated) when the system deviates from itsexpected behavior . But, given noise in measurementsand imprecise knowledge about the quantitative behav-ior of the system under correct behavior, it cannot be

QR99 Loch Awe, Scotland

assumed that. arbitrarily small deviations can be de-tected . Moreover, some assumptions must be done,based on observation on the real system, on the rel-ative speed on which deviations of different variablescan be detected .As we shall briefly describe in the final section, in

the Common Rail application different. approaches havebeen applied for detecting deviations for the differentvariables .The simulation-based approach in (Theseider Dupre

& Panati 1998) has been used as a definition of diagno-sis, and it has been assumed that all deviations can bedetected "at. the same time", in the sense that no qual-itative state is missed by fault detection (this is similarto the "gapless observations" in (Malik & Struss 1996)) .

Therefore, diagnosis is activated for the first. qual-itative state where non-zero deviations are detected .Given the set of observations OBS for such a state, theconsistency of a mode assigmnent F with OBS (i .e . itsbeing a state-based diagnosis for the observations) isnot sufficient, to consider F a diagnosis . In fact, it isalso imposed that this state (S� in figure 3) must bereachable from an initial state (So) where all compo-nents are "ok" and all deviations are zero, through asequence of states satisfying the following conditions :" The first. state (S1 ) derives from causal knowledge

about the system that gives the result of "inject-ing" the fault F into the initial state . For exam-ple, consider the sample equation given above for therail component : 8Ap-rail = [Af-pump] - [Af-pr] -[A f-inj] - [Afleak] If the rail starts leaking, i .e . thevalue of [A fleak] changes from 0 (in So) to positive(in Sl), some other change must occur in order forthe equation to hold in St ; but due to the causalityin the system, the only change that can occur in thefirst state is 8,,p-rail becoming negative, which willmake [Ap-rail] negative (i .e . the rail pressure smallerthan expected) in S2 .Changes to the other variables will occur later due tofeedback in the system : in fact, flows depend on pres-sure, and therefore they will actually change (or, bet-ter, deviate from their expected value), but only afterthe pressure itself deviates . Note that flows dependon pressure both "naturally" and due to the pressurecontrol system : the ECU will command the pressureregulator to close more than it should (and then re-duce the outflow) when the pressure (read throughthe pressure sensor) deviates negatively .

" The subsequent states, up to the final state (Sn ) con-sistent with the observations, are each one a succes-sor state of the previous one according to qualitativesimulation .

" The sequence Si, . . ., S,,-, cannot contain qualitativestates with deviations that would have been detectedbefore the one (or ones) that actually activated di-agnosis . What this actually means depends on theassumptions on fault detection . In principle, it couldmean that no deviation of observable variables should

269

state with no deviationsand all components

in OK mode

S 0

W'00'

S 1

causal constraintson injecting fault F

occur in S1, . . . , S,,-,, .

In practice, this strong con-dition should be relaxed, at least to allow in the se-quence qualitative states with observable deviationsif they are states that only hold for a time point andnot for an interval . An example of such a state isthe one mentioned above where OAp-rail is negativebut [Op-rail] is zero . Moreover, since detecting de-viations requires elaboration of actual data, the timenecessary for detecting deviations of different vari-ables may be different .

For a formal description the reader is referred to(Theseider Dupre & Panati 1998) .

Compiling on-board diagnostics

We already discussed the problems that have to be facedin the design of on-board diagnostic systems and wemotivated the choice of precompiling knowledge for theon-board system .

In this section we discuss in more detail how thecompilation can be performed taking advantage of themodel-based diagnostic approach discussed in the pre-vious section . Examples will be provided in the nextsection . As we noticed before, the basic : type of knowl-edge needed in the on-board system is a set of associ-ations between patterns of values of observable param-eters and recovery actions . We decided to implementsuch associations and the classification process to beused for selecting the best action in a given situation asdecision trees . In fact, a decision tree interpreter can beimplemented very efficiently and easily on any hardwaresupport, using little memory : therefore, these method-ologies could be easily used on current ECUs . More-over, there are well known and established algorithmsfor building trees from examples (see e.g . algorithmssuch as ID3 (Quinlan 1986)) . In our case an exampleis an association between a pattern of values of the ob-servable parameters and the corresponding action (anddiagnoses) . What is most interesting is that the setof examples can be produced automatically using a di-agnostic engine that is directly based on models, andcould be the same one used for of board diagnosis . We

Figure 3 : Simulation-based diagnosis .

state consistentwith fault F

and observations

1

Sn

qualitative simulation

thus have the following scheme for the generation oftheon-board diagnostic system :1 . Determine a set of significant cases that must be faced

on-board . In case the number of parameters and theset of qualitative values of the parameters are small,one may even consider an exhaustive set of cases .

2 . Run the off board model-based diagnostic system oneach one of the cases, computing the set of candi-date diagnoses for each case and the correspondingrecovery action .

3 . Use a learning algorithm to derive the decision treesfrom the examples produced in the previous items .Let us analyse in more detail the last step above . The

input to the learning algorithm is a table with one rowfor each one of the significant cases selected in step (1) .The columns correspond to the observable parametersthat will constitute the nodes of the decision tree ; twospecial columns store the decision (recovery action) andthe set of candidate diagnoses for each one of the cases,computed in step (2) . The decision tree is built by se-lecting, at each step, the observable whose values bestdiscriminate between the possible decisions (a measureof the discrimination power is computed dsing entropy) .At the initial step the selection is made on the whole ta-ble and this leads to selecting the observable A which isthe root of the tree . Such a node has one descendant foreach possible value of A . The descendant correspond-ing to the value ai of A is a decision in case all theexamples in the table for which A = ai correspond tothe same decision . Otherwise, a subtree is built usingas examples those for which A = ai .The decision tree representation has some advantages

with respect to other forms of associational knowledge .In case all the values for the observations are knownto the ECU, the decision tree is anyway more compactthan a lookup table . Pattern-matching rules could alsobe used . However, the decision tree is better generalizedto the case (which is conceivable, even if not widelyused in ECUs in the automotive domain) where somedecision requires an active test to be performed . Infact, the decision tree can provide an order on data to

Table 1 : Combinations of observations with corresponding single fault diagnoses and recovery actions . The selectedaction is shown in boldface font .

be used and, more importantly, the tests are performedonly when actually necessary, i .e . when values of otherdata are not sufficient for discriminating between therecovery actions . Cost of tests could be used, togetherwith entropy, to select the best observation at each stepin the tree generation .

An exampleIn this section we provide an example of the processfor compiling decision trees according to the strategydefined in the previous section . -We consider the threefollowing observables in the common rail model : therail pressure, the pressure in the low pressure subsystemand the torque measurement . In particular, we considerthe qualitative values for the deviations of these mea-surements, i .e ., respectively, [Op_obs], [Alowp-obs] and[Atm].We then consider (see table 1) the combination of

qualitative values for these variables with the corre-sponding single fault diagnoses computed with the dy-namic diagnosis approach described before, and the re-covery action corresponding to each one of the cases .Cases not listed have no single fault diagnosis . Whenthere is more than one candidate diagnosis associatedwith a set of observations (which means that the can-didates cannot be discriminated with the available ob-servables), the recovery action associated with the set ofcandidates (the one in boldface) is the most critical one,that is the one associated with the most critical fault .The cases considered include the 4 fault's that can be ar-tificially introduced in the demonstrator car, which are :lp-system insuff ; pressure-regulator blocked open ;injectors blocked open ; injectors blocked closed . No-tice that in three cases the actual fault can be identifiedas the only single fault diagnosis ; in other cases, thereare multiple diagnoses but all of them are sensible di-agnoses for the given observations .

It is important to notice that the use of the dynamic

diagnosis approach outlined in a previous section is es-sential to the results in table 1 .

In fact, applying state-based diagnosis (in the samecontext, i .e . with the same interpretation of deviations)provides some unexpected solutions : e.g . for the sec-ond case in table 1, i .e . Alowp-obs = 0, Ap_obs =[-], Atin = 0 : Pressure-regulator blocked-closed,Sensor high, Injectors recycle-low, and the emptydiagnosis (all the components ok) .The presence of spurious diagnoses could lead

to selecting an unnecessary restrictive action : inthe example, Stop would be selected instead ofLimp home, because of the spurious diagnosisPressure-regulator blocked-closed .

Moreover, the fact that the "all ok" mode is consis-tent would contradict fault detection : some "abnormal"observation is detected, but the system can anyway andit would be assumed to be ok by any sensible preferencecriterion for diagnoses ; e .g . we have used cardinality,preferring single fault diagnoses, and this would makethe "all ok" candidate the preferred diagnosis .Given this table, the process for compiling the deci-

sion tree can be started . The result is the decision treeshown in figure 4, which indeed captures the intendedbehavior for the on-board diagnostic system .

It is worth noting that in this case the diagnostic sys-tem is better than the diagnostic procedures currentlyused in the Common Rail system, which, however, can-not use the measurements of the pressure in the lowpressure system and the torque (but uses other piecesof information and plausibility checks concerning thevalues of internal variables in the ECU) . This is an in-teresting result of the adoption of our approach sincethe experimentation with the model allowed us to studythe effect of adding additional sensors . The exampleshows a compromise in which better on-board discrim-ination on the recovery action to be performed can beobtained with additional sensors .

Observations Diagnoses Actionsowp-o s -Ap-obs trn

- - 0 Lp-system insuff Performance limitation0 - 0 Pressure-regulator blocked-open Performance limitation.

Hp-pipes-and-rail leak Limp homeHp-pump blocked Performance imitation.

p-purn.p insu, Performance imitationSensor low Open loop

Sensor blocked Open loopInjectors recycle-high Performance limitation-

0 - + Injectors blocked-open Stop0 0 - Injectors blocked-closed Go0 + 0 Pressure-regulator blocked-closed Stop

Sensor loin Open To-opSensor blocked o pen loop

Injectors recycle-low o

Prototype implementation anddemonstration

In this section we briefly discuss the implementationof the diagnostic system described in the previous sec-tions . In order to have a first prototype at an earlystage and make experiments as regards both model-ing and the diagnostic strategy, we implemented a firstversion of the diagnostic system using ECLiPSe, a con-straint logic programming language . These kinds oflanguages are in fact well suited for rapid prototyping,and constraint propagation for simulating models canbe implemented very easily . One strategy has also beenimplemented in C++ . As regards the generation of theon-board decision trees we used an implementation ofthe standard ID3 algorithm (Quinlan 1986) .

For the demonstration, a prototype Lancia car witha pre-series 2 .4 Litres Common Rail engine has beenequipped with appropriate hardware and software fordata acquisition (see figure 5) . ETI{ is a hardware in-terface attached to the ECU, providing access to thecontroller data bus ; MAC is a protocol conversion box ;INCA- PC (by ETAS) is the software for acquisition anddisplay of data, running on a portable PC together withthe on-board diagnostic system developed for VMBD .We regard this system as "on-board" even if it does

not run on the ECU itself ; this solution was out of thescope of the project, but it is already feasible, even giventhe current ECU hardware limitations . Such a systemincludes :" A module for the conversion of signals (acquired byINCA) into qualitative deviations ; this is easily donefor the sensor in the low pressure part of the system,where the pressure has a nominal range of values .while for the pressure sensor in the high pressure parta comparison is made on the desired pressure com-puted by the ECU, relying on an approximation onthe expected behavior of the actual pressure .

" The decision tree interpreter .Experiments on the demonstrator system were suc-

cessful in checking that, when one of the faults wasintroduced in the system, the appropriate values for

Figure 4 : Compiled decision tree .

qualitative deviations were acquired . Therefore, sincetable 1 contains sensible diagnoses for each case, thesystem can suggest the most appropriate action .

ConclusionsIn this paper we discussed our experience in the designof on-board diagnostic, systems for automotive domains .We analysed the peculiarities of on-board applications,discussing their requirements and the consequences thatthe requirements have on the design of the diagnosticsystem . In doing that we took into account a furthermain goal : trying to exploit as much as possible theadvantages of the model-based approach also for on-board applications . The results discussed in the pa-per is a compilation-based approach : the model-basedapproach is used for simulating diagnostic situations ;the results of simulations (diagnoses and actions corre-sponding to a set of observations) are used by a learningalgorithm to derive the decision trees that will form theon-board diagnostic system .We claim that this approach has significant advan-

tages on other ones . With respect to the adoption ofon-board model-based systems, our approach has theadvantage of being close to be implemented with cur-rent ECU technology, even for a dynamic, controlledsystem . With respect to a manual generation of thedecision tree (as it is currently done in many diagnosticsystems), on the other hand, we have all the advantagescoming from relying on reusable models, which can sig-nificantly reduce the effort in generating the tree for anew system . Moreover, the experimentation with themodel-based approach can lead to studying how to im-prove the diagnosability of the system, e .g . by addingextra sensors (as it is indeed shown by our example) .The idea of compiling diagnostic rules from examples

has been used in other approaches, even if with somedifferences . In (Price et at. 1996), which shares sev-eral characteristics of our approach, models are usedfor generating FMEA, which is in turn used for gen-erating diagnostic trees for offboard diagnosis . Pre-vious approaches used qualitative models for runninga set of simulations and induce diagnostic rules from

References

the results of the simulations (see, e.g ., (Mozetic 1991 ;Pearce 1988)) . Thus there are two main differences withrespect to the approach presented in this paper : theyrun simulations of combinations of faults, while our ex-amples are sets of observables corresponding to the di-agnostic problems to be solved (which is more focused) ;they perform induction from examples while we synthe-size decision trees . A different approach based on ex-planation based learning has been adopted in (Steels kVan de Velde 1985) : they start from a single exampleand trv to induce rules from the solution to the exam-ple . This, however, is a critical step in the inductionof diagnostic rules, as discussed in detail in (Console,Portinale, k Theseider Dupre 1996) .

AcknowledgementsWe wish to thank all partners in the VMBD project,and especially Bosch for cooperation on the CommonRail demonstrator . We also thank Peter Bidian, PeterStruss, Reinhard Weber and the anonymous reviewersfor useful comments on earlier versions of this paper.

Biswas, G . ; Kapadia, R. ; and Yu, X. 1997 . Com-bined qualitative-quantitative steady-state diagnosisof continuous-valued systems . IEEE Trans . on Sys-tems, Man and Cybernetics 27(2) :167-185 .Chantler, M. ; Daus, S . ; Vikatos, T . ; and Coghill, G .1996 . The use of quantitative dynamic models anddependency recording for diagnosis . In Proc . 7th Int.Work . on Principles of Diagnosis, 59-68 .Console, L . ; Portinale, L . ; and Theseider Dupre, D .1996 . Using compiled knowledge to guide and focusabductive diagnosis . IEEE Transactions on Knowl-edge and Data Engineering 8(5) :690-706 .Gallanti, M . ; Roncato, M . ; Stefamm, A . ; and Tornielli,G. 1989 . A diagnostic algorithm based on models atdifferent levels of abstraction . In Proc . 11th IJCAI,1350-1355 .

QR99 Loch Awe, Scotland

Figure 5 : Equipment for the demonstrator .

Loiez, E., and Taillibert, P . 1996 . Polynomial temporalband sequences for analog diagnosis . In Proc . 7th Int.Work . on Principles of Diagnosis, 139--146 .Malik, A ., and Struss, P . 1996 . Diagnosis of dynamicsystems does not necessarily require simulation . InProc . 7th Int. Work. on Principles of Diagnosis, 147-156 .Mosterman, P., and Biswas, G . 1996 . An integratedarchitecture for model-based diagnosis of dynainicalphysical systems . In Proc . 7th Int. l4%ork . on Principlesof Diagnosis, 167-174 .Mosterman, P., and Biswas, G . 1997 . Monitoring,prediction and fault isolation in dynamic physical sys-tems . In Proc . AAAI 97, 100-105 .Mozetic, I . 1991 . Hierarchical model-based diagnosis .Int. J. of Man-Machine Studies 35(3) :329-362 .Pearce, D .

1988 . The induction of fault diagnosissystems from qualitative models . In Proc AAA] 88,353-357 .Price, C . ; Wilson, M . ; Timmis, J . ; and Cain, C. 1996 .Generating fault trees from FMEA. In Proc . 7th Int.IVork. on Principles of Diagnosis, 183-19Q .Quinlan, J . R. . 1986 . Induction of decision trees . Ala-chine Learning 1 :81-106 .Steels, L., and Van de Velde, W . 1985 . Learning insecond generation expert systems . In Kowalik, R ., ed .,Knowledge-based Problem Solving. Prentice Hall .Struss, P . 1997 . Fundamentals of model-based diagno-sis of dynamic systems . In Proc . IJCAI 97, 480-485 .Stumpp, G ., and Ricco, M . 1996 . Common rail - anattractive fuel injection system for passenger cars . J.Society of Autom.itive Engineers.Theseider Dupre, D ., and Panati, A . 1998 . State-basedvs simulation-based diagnosis of dynamic systems . InProc. DX 98, 9th Int. VI'orkshop on Principles of Di-agnosis.

273