Provably Correct Design of Observations for Fault Detection with
Privacy Preservation
Zhe Xu, Sayan Saha and Agung Julius
Abstract— During the operation of complex cyber-physical
systems, detection of faults needs to be performed using limited
state information for practicality and privacy concerns. While
a well-designed observation can distinguish a faulty behavior
from the normal behavior, it can also represent the action of
hiding some of the state information or discrete mode transitions.
In this paper, we present a framework for constructing
the observation maps in the form of metric temporal logic
(MTL) formulae that can be formally proven to detect fault in
a switched system while preserving certain privacy conditions.
We simulate finitely many nominal trajectories and use the
robustness tubes around the simulated trajectories to cover the
infinite trajectories that constitute the system behavior. Thus the
inferred MTL formulae from the simulated trajectories can be
used for classifying the system behaviors in a provably correct
fashion. We implement our approach on the simulation model
of a smart building testbed to detect the open window fault
while preserving the privacy of the room occupancy.
I. INTRODUCTION
Consider the task of designing a monitoring system that
can detect faults during the operation of a safety critical
cyber-physical system. To do so, the monitor needs to collect
enough information from the cyber-physical system that can
distinguish potential faulty operation from normal operation.
On the other hand, practicality and privacy limit the amount
of information that can be collected. For example, the number
of sensors that can be deployed may be limited, or certain
information is withheld by the system owner for privacy
concerns. It is imperative to determine how information can
be extracted from the operation of a cyber-physical system
to enable fault detection, while respecting limitations such
as privacy.
Presently, there are mainly two categories of approaches
for fault detection (identifying whether a fault has occurred).
The first category relies on the pattern recognition of sensor
readings using reasoning or learning based techniques, such
as neural networks [1], support vector machine [2], etc. The
second category relies on the mathematical model of systems
as they compare available measurements with information
analytically derived from the system model. As modeled,
whenever the difference between the actual system’s output
and the estimated output (the residual) [3] is above a certain
threshold value, one can assume that a fault has occurred. For
hybrid systems and switched systems, the main challenge of
the model-based fault detection is due to the difficulty in
capturing the combined continuous and discrete measurements.
Zhe Xu, Sayan Saha and Agung Julius are with the Department of
Electrical, Computer, and Systems Engineering, Rensselaer Polytechnic
Institute, Troy, NY 12180, USA (e-mail: {xuz8, sahas3, juliua2}@rpi.edu).
In this paper, we propose an approach that utilizes both the
pattern recognition techniques and the model-based methods
for switched system fault detection and privacy preservation.
We first approximate the switched system behavior using
finitely many simulated execution trajectories of the systems.
With the notion of trajectory robustness, we provide a
guarantee on how far the system’s state trajectories can
deviate as a result of initial state variations [4]. Then we
design an observation map that projects the different behaviors
(normal, faulty, presence and absence of the privacy
conditions) into an observation space where the images of
the normal behavior and the faulty behavior are separate
(fault detection) while the images of the behavior with the
presence and absence of the privacy conditions are close
(privacy preservation). As the fault detection is essentially
a classification between the normal behavior and the faulty
behavior, we modify the methods in [5], [6], [7], [8], [9]
to automatically infer metric temporal logic (MTL) formulae
directly from the simulated trajectories to classify the
faulty and normal trajectories while considering the initial
state variations and preserving the privacy conditions. We
extend the previous works above in the following aspects: (i)
instead of classifying trajectories in different sets, we classify
robustness tubes of trajectories with initial state variations
and disturbances; (ii) in performing the classification for
fault detection (such as detecting the open window fault in a
smart building), we also consider the preservation of privacy
conditions (such as the room occupancy).
II. PRELIMINARIES
A. Switched Systems
Definition 1 (Switched System): A switched system is a
5-tuple $S = (Q, \mathcal{X}, \mathcal{X}_0, F, E)$ where
• $Q = \{1, 2, \ldots, M\}$ is the set of indices for the modes
(or subsystems).
• $\mathcal{X}$ is the domain of the continuous state, $x \in \mathcal{X}$ is the
continuous state of the system, $\mathcal{X}_0 \subset \mathcal{X}$ is the initial
set of states.
• $F = \{f_q \mid q \in Q\}$ where $f_q$ describes the continuous
time-invariant dynamics for the mode, $\dot{x} = f_q(x)$,
which is assumed to admit a unique global solution
$\xi_q(t, x_q^0)$, where $\xi_q$ satisfies
$$\frac{\partial \xi_q(t, x_q^0)}{\partial t} = f_q\big(\xi_q(t, x_q^0)\big),$$
and $\xi_q(0, x_q^0) = x_q^0$ is an initial condition in mode $q$.
• $E$ is a subset of $Q \times Q$ which contains the valid
transitions. If a transition $e = (q, q') \in E$ takes place,
the system switches from mode $q$ to $q'$.
2017 IEEE 56th Annual Conference on Decision and Control (CDC)
December 12-15, 2017, Melbourne, Australia
978-1-5090-2873-3/17/$31.00 ©2017 IEEE 5620