Generic characterization of diagnosis and prognosis for complex heterogeneous systems

Maintenance efficiency of complex industrial systems is an important economic and business issue. The main difficulties come from the choice of maintenance actions. A wrong choice can lead to unacceptable maintenance costs. In this paper, we propose a generic health monitoring system that integrates diagnostic and prognostic capabilities to determine the current and future state of a large and complex system such as an aircraft. The diagnostic function aims at identifying faulty components that may cause global system failures. The prognostic function estimates the remaining time until the next global system failure. We present a formal and generic modeling framework for a complex system that encapsulates the knowledge required for the consistent coordination of the diagnostic and prognostic functions. In this framework we take into account component redundancies, which are common in systems like aircraft. Moreover, an original coupling of diagnosis and prognosis is established, based on the characterization of the system operational modes and on a decentralized architecture of the monitoring system.


INTRODUCTION
Maintenance efficiency of industrial systems, like aircraft or cars, is an economic and business issue. It is a way to improve reliability, security and safety and to reduce the final cost of systems. The main difficulties come from the choice of maintenance actions. A maintenance action consists in replacing a component of the system which is no longer able to perform its set of functions. A wrong choice of maintenance action can lead to system unavailability and implies unacceptable costs. That is the reason why automated diagnostic capabilities are required to efficiently detect and isolate the faults throughout the system. Moreover, in order to reduce the system unavailability, it is necessary to perform preventive maintenance, that is, to replace components before they become faulty and propagate failures in the system, and thus to reduce the number of replacements after the occurrence of a fault. Generally, preventive maintenance only relies on reliability analyses and does not take the real solicitations of the system into account.
Pauline Ribot et al. This is an open-access article distributed under the terms of the Creative Commons Attribution 3.0 United States License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Nowadays, with the help of new technologies and sensors, it is still possible to improve the maintenance capabilities of a complex system by deploying a complete on-board health monitoring system with two capabilities: on-line diagnosis and on-line prognosis. By analyzing the flow of observations (measurements), diagnosis aims at precisely determining on-line the present set of faulty components that cause the system failures and which have to be replaced (Hamscher, Console, & De Kleer, 1992; Isermann, 2005). As opposed to reliability analyses, prognosis aims at evaluating/updating the system remaining useful life (RUL for short) (Kirkland, Pombo, Nelson, & Berghout, 2004; Wilkinson, Humphrey, Vermeire, & Houston, 2004) by taking into account the real solicitations (temperature, humidity, vibrations, voltage, or any other stress factor) of the system at operating time. Indeed, solicitations at operating time may accelerate or slow down the system degradation, and the on-line analysis of these solicitations can optimize the cost of preventive maintenance by a more accurate RUL estimation (Engel, Gilmartin, Bongort, & Hess, 2000). In particular, faulty components may induce abnormal solicitations on the other components of the system and could modify the overall system RUL (Kacprzynski, Sarlashkar, Roemer, Hess, & Hardman, 2004).
The main contribution of this paper is a formal characterization of a generic on-line health monitoring system (HMS for short) for the maintenance of a complex system like an aircraft that embeds diagnosis and prognosis capabilities.
International Journal of Prognostics and Health Management, ISSN 2153-2648, 2013 023
This contribution relies on a detailed analysis of a real industrial HMS that is developed by our aeronautical partner AIRBUS. This analysis has been done thanks to a strong collaboration with the AIRBUS maintenance department.¹ Our characterization is formal and modular and defines the requirements that local diagnosis/prognosis methods should implement to guarantee the global health monitoring function. This characterization is motivated by a set of challenges and difficulties that any realistic HMS should deal with (see Section 2 for details). The second contribution of this paper is the formal characterization of an original coupling between diagnosis and prognosis that shows how diagnosis can assist prognosis. The introduced concepts are finally illustrated on a complete example and a scenario.
The paper is organized as follows. We first present the motivations and the challenges of this work in Section 2. The generic modeling framework of a complex system is presented in Section 3. The characterization of the diagnostic and prognostic functions is then described in Section 4, as well as their coupling. Section 5 illustrates this framework on an example inspired from the PHM literature. Related work is presented in Section 6.

MOTIVATIONS AND CHALLENGES
Optimising the maintenance cost of a system is a very difficult problem, as the maintenance process can fail or be delayed for many reasons and its global cost can explode. To ensure a successful maintenance process, one crucial part is the use of an HMS that maintainers can trust.
An HMS that can be trusted must be able to always provide a complete and consistent understanding of the current health of the system (for emergency repair) and an estimate of the remaining time before the system globally fails (for preventive maintenance). Completeness is obviously necessary as any replaceable part of the system can fail. Consistency is also necessary to avoid wrong maintenance actions: if the health monitoring system only suspects healthy components instead of the faulty ones, maintenance actions derived from this wrong statement are obviously unnecessary, and the global cost for troubleshooting and maintenance can dramatically increase due to the use of off-line testing methods to really isolate the problem and fix it. To develop and deploy an HMS that is complete and consistent, the first step is thus its formal characterization. With a formal characterization, it is then possible:
1. to define how the different parts of the HMS will communicate to provide a consistent, accurate and complete estimate of the system health state,
2. to select the modeling and engineering tools and/or the formal language to develop one part of the HMS in particular; as long as any developed part of the HMS fulfills the formal characterization, it is then easier to guarantee the global consistency of the HMS.
¹ This work is partly supported by the ARCHISTIC project in collaboration with Airbus France and National Engineering School of Tarbes, France.
The second challenge before developing an HMS is to deal with the fact that a real system (like an aircraft) is a large assembly of components whose nature can be very different (mechanical, hydraulic, electrical, software, etc.). This reality has two consequences. The first and most obvious one is that the HMS must be modular: it requires the development of different diagnosis/prognosis techniques (a technique depending on the type of component) that are able to communicate together. The second consequence is that components may be designed by different companies, so confidentiality issues arise. The developer of the system may not have the right to know how a component really works internally: the HMS must then be decentralized, some sub-parts are designed by the owners of the components, and the system owner is in charge of developing the communication between these parts to reach global consistency.
The third challenge we are dealing with when developing a modern HMS is about the redundancy in the system. In critical systems, there exist several sets of resources/components that can perform the same set of functions, so that if a failure occurs on one set, the system functions are not lost because the system can switch to the redundant components to operate (this is typical in an aircraft). From a maintenance point of view, redundancy implies that a system can work properly even if it contains faulty components; maintenance actions may not be immediately required, and the diagnosis of the current health of the system should be able to take redundancy into account.
Last but not least, modern HMSes must provide two types of information, one for normal maintenance (what is the current health of the system?) and another one for preventive maintenance (what is the prediction for the time of the next fault occurrence?). It implies that an HMS must implement diagnosis processes and prognosis processes. Prognosis methods can now benefit from aging sensors and health indicators to estimate the current aging of a component and then predict its RUL. Moreover, prognosis and diagnosis are not independent, in the sense that the result of the diagnosis can be useful to improve the performance of the prognosis by providing other estimates of the current aging of a component.

MODELING FRAMEWORK FOR MONITORING A COMPLEX SYSTEM
To characterize an HMS on a complex system, it is required to find an abstracted but common formal framework based on which the different maintenance functions (monitoring, diagnosis, prognosis, troubleshooting, ...) can be defined and then implemented. This section is about such a formal framework.

Preliminaries
Definition 1 (Parameter). A parameter is a variable that represents a quantity or a property in a model.
A parameter may have a continuous domain (for instance a temperature, a pressure, a speed, ...) or a discrete domain (for instance a boolean signal, a counter). In this framework, for the sake of generality, any time-variant quantity is a parameter. Any subset of the domain of a parameter $p$ is called a range and is denoted $r(p)$, the domain of $p$ being the biggest range $r_{max}(p)$. Let $P = \{p_1, \ldots, p_n\}$ denote the set of parameters of the system and $r_{max}$ a trajectory $\tau$ from time $t_0$ to time $t_1$ is thus a subset of the space $r_{max}(P) \times [t_0, t_1]$ such that for any $t \in [t_0, t_1]$, there exists one and only one $(v_1, \ldots, v_n) \in r_{max}(P)$, $v_i$ is called the value of $p_i$ at time $t$ in this trajectory $\tau$. The set of possible trajectories of the system between $t_0$ and $t_1$ is denoted $T(t_0, t_1)$. The principle of modeling a system that evolves from time $t_0$ to $t_1$ is thus to design a set of relations $R$ over
Depending on the type of system, there are many ways to define $R$. For continuous systems, $R$ is usually written as a set of differential equations; for instance, a linear time-invariant system is modelled by $\dot{x} = Ax + Bu$, $y = Cx + Du$, where $x$ is called the state of the system, $u$ the inputs, $y$ the outputs and $A$, $B$, $C$, $D$ are constant matrices. In our framework, $x$, $u$ and $y$ gather the set of parameters $P$. Similarly, for discrete systems, $R$ comes usually from equations like
where $k$ is the number of samples over time that can be equivalently represented by automata, Petri nets, etc. For hybrid systems, it is a mix of both representations. And finally, for logical systems, behaviour models are represented with logics, especially first-order logic with statements like $\neg abnormal(x) \wedge adder(x) \wedge input(x, u_1) \wedge input(x, u_2) \wedge sum(u_1, u_2, y) \Rightarrow woutput(x, y)$, which represents the nominal behaviour of a digital adder (Reiter, 1987); here also $P = \{abnormal(x) \in \{true, false\}, u_1 \in \mathbb{N}, u_2 \in \mathbb{N}, y \in \mathbb{N}\}$.

System and components
Following the preliminaries and for the sake of generality, a system is defined as follows.
Definition 2 (System). A complex system $\Sigma$ is defined by a pair $\Sigma = \langle P, R \rangle$ where:
• $P$ is the set of system parameters,
• $R$ is the set of relations over $r_{max}(P) \times \mathbb{R}^+$ such that Equation (1) holds.
Modeling a system usually requires a compositional approach that models a set of $N$ interacting components $Comps = \{C_1, \ldots, C_N\}$. A component $C_i$ is modeled as a part of the system, contains a subset of parameters and a subset of relations (Ribot, Pencolé, & Combacau, 2009a), and is a system on its own.
Definition 3 (Component). A component $C_i \in Comps$ is defined by a pair $C_i = \langle P_i, R_i \rangle$ where:
• $P_i \subseteq P$ is the set of component parameters,
• $R_i \subseteq R$ is a set of relations between parameters of $P_i$ modeling the set of trajectories of $C_i$.
In the compositional modeling approach, the model of the system is obtained by composing the component models with the help of a structural model (Chittaro, Guida, Tasso, & Toppano, 1993).

Structural model
Structural models describe the possible set of interactions between components. Usually, interactions are modeled with ports (also called terminals) (Pencolé & Cordier, 2005) which can exchange data, a data flow corresponding to a physical flow (like voltage, intensity, pressure, etc.) in the system. Here, ports are parameters.
Definition 4 (Structural model). The structural model of the system is the partial function $St : P \longrightarrow 2^{P}$ that represents a flow of information coming from the parameter $op$ and going to the set of parameters $St(op)$.
As $St$ represents a flow of information, it is assumed that $\{op\} \cap St(op) = \emptyset$. From the structural model follow the underlying relations $H_{Struct}$ about the structural interactions:
Intuitively speaking, if $op$ is structurally linked with $ip$, it means that for any trajectory of the system and at any time, $op$ and $ip$ share the same value. The structural model induces some new notions.
Definition 5 (Output/Input system parameters). The output parameters $OP$ is the subset of $P$ where $St$ is defined. The input parameters $IP$ is $IP = \{ip \in P, \exists op \in OP, St(op) \ni ip\}$.
Any input parameter of $IP$ is involved in only one connection, which means that $\forall op, op' \in OP, op \neq op' \Rightarrow St(op) \cap St(op') = \emptyset$.
Definition 6 (Output/Input/Private component parameters). Let $C_i \in Comps$ denote a component:
Intuitively, the value of an input parameter in $IP_i$ is determined by $H_{Struct}$ conditions. Mechanisms and internal resources of component $C_i$ cannot modify the value of an input parameter. The value of an output parameter in $OP_i$ results from the internal resources and the mechanisms implemented by $C_i$ and its input parameters. A private parameter represents an internal characteristic, specific to a component, like a physical property, an internal state and, more importantly, as described in Section 3.5, a fault in a diagnosis/prognosis problem.

[Figure: Component and parameters]
Finally, the compositional modeling is obtained as follows: for any subsystem $\Sigma' = \langle P', R' \rangle$ composed of the family of components $\{C_i\}_{i \in I \subset \{1,\ldots,N\}, I \neq \emptyset}$: (3)
The compositional modeling of the whole system is the one of the subsystem defined by $I = \{1, \ldots, N\}$.
Figure 2 shows such a sub-system of 4 components } represented by the four oriented connectors.
[Figure: Components and structure]

Functional modeling
A system is usually designed in order to provide a set of functions $FU$. Among these functions are the goal functions $FU_g$ (Chittaro et al., 1993). To perform the goal functions, the components have to implement a set of basic functions $FU_b \subset FU$. The set of basic functions implemented by a component $C_i$ is denoted $FU_i$, thus $FU_b = \bigcup_{i=1}^{N} FU_i$. These basic functions rely on the component behavior and are modeled as functional conditions that fully determine an output parameter $op^i_j$ of $C_i$ with respect to its input parameters and its private parameters.
Definition 7 (Functional condition). The functional condition associated to a basic function of $FU_i$ is a relation $rel \in R_i$ such that there exists at least an output parameter $op^i_j \in OP_i$ so that for any time $t$, if
A basic function is said to be available on a component if its associated functional condition is satisfied. The relations $ar_{1,1}$, $ar_{1,2}$ in Figure 1 model conditions of two basic functions implemented by $C_1$; they respectively determine $op_{1,1}$ and $op_{1,2}$ (see also Section 5.1.2). Depending on the nature of the system, functional conditions can be written in different forms. For instance, for continuous systems, a functional condition is a relation like $y = Cx + Du$. For logical systems, a functional condition is a logical property that determines the output with respect to its input. The logical formula presented in Section 3.1 is typically a functional condition as it determines the output $y$ as the sum of $u_1$ and $u_2$ and represents the adding function.
The functional model of a complex system defines the set of basic functions implemented by components and describes how they are combined in order to perform the goal functions. The composition of basic functions relies on functional dependencies that can be described as follows. The mapping $Pred$ defines the predecessors of functions in $FU$: (4)
If $Fu_k \in Pred(Fu_j)$, the function $Fu_k$ is called a predecessor of $Fu_j$, and the function $Fu_j$ is available if $Fu_k$ is available. $Pred$ can be used to formalize the concepts of basic and goal function.
The mapping $Pred$ can be graphically represented as a tree structure, called a function tree in Rausand and Hoyland (2004). The definition of the mapping $Pred$ is not accurate enough in the case where a function $Fu_j$ has several predecessors, i.e. $\|Pred(Fu_j)\| \geq 2$. Indeed, in case of functional redundancies, the availability of $Fu_j$ may only require the availability of a subset of $Pred(Fu_j)$. The mapping $n/m$ is used for this purpose: (5)
Each $Y \in n/m[Pred(Fu_j)]$ is a subset of $n$ predecessors of $Fu_j$ whose availability is a sufficient condition for the availability of $Fu_j$. It must be noticed that the mapping $n/m$ is a generalization of the classical AND and OR logical operators:
These mappings can be used to express redundancies in a functional tree.
, $Fu_{1,2}$, $Fu_{2,1}$, $Fu_{3,1}$ and $Fu_{4,1}$ that are composed in order to perform some intermediate functions and then to realize the system goal function $Fu_g$. The intermediate functions $Fu_1$ and $Fu_2$ rely on the implementation of $Fu_{1,2}$, $Fu_{3,1}$ and $Fu_{4,1}$ and are modeled by:
The intermediate function $Fu_3$ is correctly performed if at least one of the intermediate functions $Fu_1$ or $Fu_2$ is correctly performed:
This expression describes a functional redundancy. To realize the goal function $Fu_g$, all function predecessors in $Pred(Fu_g)$ must be available:
The sets $Comps$, $FU$ and the mapping $Pred$ derive from the knowledge available at the design stage.
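The following added example (not code from the paper) evaluates function availability with the n/m mapping, where AND is the case n = m and OR the case n = 1, and lists the smallest sets of lost basic functions that make the goal function unavailable. The tree and the names `b1`..`b4`, `f1`..`f3` and `goal` are constructed for illustration and are not the tree of the paper's Figure 3.

```python
from itertools import combinations

# Constructed function tree (hypothetical names, not the paper's Figure 3).
# PRED maps a function to (n, predecessors): the function is available when
# every function of at least one n-element subset of its predecessors is.
PRED = {
    "f1":   (2, ("b1", "b2")),   # AND (2/2)
    "f2":   (2, ("b1", "b3")),   # AND (2/2)
    "f3":   (1, ("f1", "f2")),   # OR (1/2): functional redundancy
    "goal": (2, ("f3", "b4")),   # AND (2/2)
}
BASIC = ("b1", "b2", "b3", "b4")  # basic functions: no predecessors


def n_of_m(fu):
    """Return n/m[Pred(fu)]: every n-element subset Y of the predecessors."""
    n, preds = PRED[fu]
    return [frozenset(y) for y in combinations(preds, n)]


def available(fu, basic_ok):
    """A basic function is available iff it is in basic_ok; any other function
    is available iff some Y in n/m[Pred(fu)] is entirely available."""
    if fu not in PRED:
        return fu in basic_ok
    return any(all(available(p, basic_ok) for p in y) for y in n_of_m(fu))


def minimal_loss_sets(goal):
    """Smallest sets of lost basic functions that make `goal` unavailable."""
    found = []
    for size in range(1, len(BASIC) + 1):
        for lost in combinations(BASIC, size):
            lost = frozenset(lost)
            if any(prev <= lost for prev in found):
                continue  # a smaller loss set already disables the goal
            if not available(goal, set(BASIC) - lost):
                found.append(lost)
    return found


if __name__ == "__main__":
    # Losing b2 alone is tolerated thanks to the redundancy on f3.
    print(available("goal", {"b1", "b3", "b4"}))
    print([sorted(s) for s in minimal_loss_sets("goal")])
```

A loss set of size one marks a basic function whose fault requires immediate maintenance; a larger one shows where redundancy lets the replacement be deferred.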

Modes
As written in Section 3.1, any trajectory $\tau \in T(t_0, t_1)$ of the system is a time-continuous subset of elements from $r_{max}(P) \times [t_0, t_1]$ from time $t_0$ till time $t_1$. All along this trajectory, the system is going through a set of modes. Generally speaking, a mode is a subset of $r_{max}(P)$. The interest of defining a mode is that it always characterizes a property that the supervisor wants to detect/isolate by observing the system. Typical properties are failures, faults, degradations...
Definition 8 (Mode). A mode $m$ of the system $\Sigma = \langle P, R \rangle$ is a subset of $r_{max}(P)$.

Component modes
Straightforwardly from the definition of functional conditions, one can characterize a set of functional modes on a component: considering a functional condition with its relation $rel$, the functional mode associated to this functional condition is the projection on $r_{max}(P)$ of the set $rel \cap (r_{max}(P) \times \mathbb{R}^+)$. We can then say that the component is in such a functional mode iff the associated basic functions are available at this time. The problem is that the definition of functional modes is not sufficient. Detecting that a component is failing (i.e. it is out of at least one of the functional modes) is not sufficient to know whether the component must be replaced, as the failure may be due to a fault in another component, which is the one that must be replaced (failure propagation due to a fault). That is the reason why, in the context of maintenance, the purpose is to detect/isolate/predict fault modes that can explain the loss of functional modes.
A fault $f$ in a component $C$ is an internal property of the component, usually representing a physical problem in the component. In Automatic Control, a fault is usually represented as an input (exogenous) perturbation from the environment.
In our framework, it is represented as a private parameter $p_f \in PP$. The fault $f$ is said to be present at time $t$ iff
The fact that the fault $f$ is represented as a private (endogenous) parameter is crucial: as written before, a fault represents a physical problem, and physical problems may be due to degradation or aging. By representing a fault by a private parameter, we make it possible to model the degradation that causes the fault and thus to introduce degradation models for prognosis (see Section 4.3). It is now time to define the classes of operational modes. Operational modes describe fault propagation in the system that induces failures (loss of functions).
Definition 9 (Nominal mode). The nominal mode $m^i_n$ of the component
The nominal mode is unique by definition. No fault is present and all the basic functions are available. From the nominal mode, we can derive the nominal range of each parameter $p \in r_n(p)$ as the projection of the nominal mode to $r_{max}(p)$.
The knowledge about the nominal mode $m^i_n$ usually comes from the specification/design stage of the component $C_i$.
Definition 10 (Fault mode). The fault mode $m^i_f$ of the component $C_i = \langle P_i, R_i \rangle$ is characterized by:
• the value of the fault parameter $p^i_f \in PP_i$ is in $r_f(p^i_f)$.
A fault mode always induces a loss of function (at least one of the functional conditions does not hold in a fault mode). A failure will occur as soon as the lost function is utilized. A fault mode of a component $C_i$ is an operational mode with an explicit model (i.e. the relations that rule the mode are known). This means that the fault is perfectly known at the design stage (Hamscher et al., 1992). It is also possible to define multiple fault modes as long as knowledge about how the component behaves under several faults is available (Pencolé & Cordier, 2005).
Definition 11 (Abnormal mode). An abnormal mode $m^i_a$ of the component $C_i = \langle P_i, R_i \rangle$ is characterized by:
An abnormal mode always induces a loss of function (at least one of the functional conditions does not hold in an abnormal mode). This loss is due to the fact that an input is out of range and violates at least one functional condition. An abnormal mode may not be represented with explicit relations like fault modes but just characterized by an input parameter out of its range. Finally, for the sake of completeness, we can also cite the so-called unknown mode, defined as the complement of the set of known modes in $r_{max}(P)$.²

Mode of components and system
According to the previous definitions, a set of operational modes is associated to a component $C_i$; let $M_i$ be this set³. At a given time $t$, a component $C_i$ is in one mode only, which is either the nominal mode ($m^i_n$) or a mode that can be faulty, abnormal or both.
Definition 12 (Component mode).
For a complex system $\Sigma$ with $N$ components $C_1 \ldots C_N$, a system mode can also be defined from the knowledge of each component mode. A system mode $x$ is noted $m^\Sigma_x$ and is formalized by the mapping $Mode_\Sigma$.
Definition 13 (System mode).
The definitions of nominal, fault and abnormal mode can be extended to the system mode as follows:
• nominal mode $m^\Sigma_n$: all components are in nominal mode;
• fault mode $m^\Sigma_f$: at least one component is in a fault mode;
• abnormal mode $m^\Sigma_a$: at least one component is in an abnormal mode.
Fault propagation is fully represented by an operational system mode. In Figure 2, if $C_1$ is in a fault mode, $C_2$, $C_3$ are in the nominal mode and $C_4$ is in an abnormal but non-faulty mode, it means that a fault has occurred in $C_1$ that propagates through $op_{1,2}$ (but not through $op_{1,1}$) and implies failures on $C_4$. Note that here it also implies that the goal function is failing (see Figure 3) and, from a maintenance viewpoint, $C_1$ must be replaced. If in the tree of Figure 3, $Fu_{4,1}$ and $Fu_{3,1}$ were interchanged, the goal function would still be available because of the redundancy, and $C_1$ could be replaced later.

Sequence of modes
During the system operation, from $t_0$ till $t$, the mode of the component $C_i$ changes each time a fault or an abnormal solicitation occurs on it. So, along the operation time of the system, the component $C_i$ follows a sequence of modes $(m^i_0\, m^i_1 \ldots m^i_j)$. This sequence, named the component mode trajectory, is defined at time $t$ by $T_C(C_i, t)$ with
At time $t$, a sequence of system modes $m^\Sigma_x$ is named a system mode trajectory, is noted $T_\Sigma$ and is defined by the mapping
This definition implicitly defines that the system mode $m^\Sigma_j$ holds between time $t_j$ and time $t_{j+1}$, as shown in Figure 4. This convention will be used in the sequel of the paper.
Very often, at time $t_0$, the system is in its nominal mode $m^\Sigma_n$. A complete trajectory always ends with a failure mode $m$ in which a goal function is not available any more and thus the system is considered to be non-operational; maintenance is then required (see the example described above).
[Figure: Mode trajectory of the system]

Aging modeling
As stated in Section 3.5, a fault is represented by a private parameter that has deviated and is out of its nominal range; this deviation represents a degradation of the component. Knowledge about degradation comes from security analyses of the system components and is contained in aging models (also called degradation models or life consumption models in Wilkinson et al. (2004)). An aging model can be a statistical model established by reliability analyses (Kaufman, Grouchko, & Cruon, 1975) or a physical model involving parameters that represent the solicitations on the component (humidity, pressure, vibrations, normal and abnormal inputs, etc.).
Still for the sake of generality in this framework, an aging model is characterized as follows:
Definition 14 (Aging model). An aging model $ag_{i,k}$ is a relation in $R_i$ associated to a private parameter $pp_{i,k}$ of the component $C_i$.
Aging model $ag_{i,k}$ is the means for predicting the value $pp_{i,k}(t)$ of the parameter $pp_{i,k}$ over the time $t$. An aging model relies on health indicators describing environmental conditions and faults that are represented as input and private parameters of the component (Ribot, Pencolé, & Combacau, 2009b).

FROM DIAGNOSIS TO PROGNOSIS
Section 3 describes the formal characterization of the models that are necessary to perform health monitoring of a complex system. With the notion of mode, the evolution of the system can be abstracted as a trajectory (sequence of modes) that is the sufficient piece of information to provide to the maintenance agent. From a maintenance point of view, two questions must now be answered.
1. What is the current global mode? In other words, are there faulty components that must be replaced immediately?
2. When does a global mode implying a system failure occur in the future? In other words, what is the maximal time before replacing a component that will avoid the next system failure?
The aim of diagnosis and prognosis is to respectively answer questions 1 and 2.

Observations and mode compatibility
Within this framework, the goal of diagnosis is to determine, at time t, the current mode of the system from which it is possible to determine which components have to be replaced.
Definition 15 typically characterizes consistency-based diagnosis. In the logical framework (Reiter, 1987), this notion of compatibility is implemented as checking satisfiability of the diagnosis problem $(SD(C_i), \{Obs(p_{i,k}, t)\}, m^i_x)$ where $SD(C_i)$ is a first-order logic representation of the relations $R_i$: in other words, is the theory $SD(C_i) \wedge Obs(p_{i,k}, t) \wedge m^i_x$ satisfiable or not? In the FDI community, compatibility is usually expressed as a set of residuals resulting from the observations $\{Obs(p_{i,k}, t)\}$ that are below a threshold (Isermann, 2005).
Definition 16 (Compatibility between a system mode and a set of observations). At time $t$, a system mode $m^\Sigma_x = \langle m^1_{x_1}, \ldots, m^N_{x_N} \rangle$ is said to be compatible with the set of observations $\bigcup_i \{Obs(p_{i,k}, t)\}$ iff:
Definition 16 characterizes the decentralized diagnosis problem (Pencolé & Cordier, 2005). Indeed, a mode $m_i$ of a component $C_i$ may not be consistent with a mode $m_j$, $j \neq i$, of a component $C_j$, as $m_i$ and $m_j$ imply inconsistent constraints on a set of parameters (it is the case when $m_i$ asserts that a given parameter $p$ is in a range $R_i$ whereas $m_j$ asserts $p$ is in a range $R_j$ but the structural model $H_{Struct}$ asserts that $R_i \cap R_j = \emptyset$). Definition 16 ensures the global consistency checking of component modes.
Using Reiter (1987) again, the global consistency checking consists in checking whether the theory $\wedge\, H_{Struct}$ is satisfiable or not. In the context of discrete event systems (Pencolé & Cordier, 2005), this is implemented by the synchronization of shared events defined by $H_{Struct}$. In continuous systems, finally, a way to implement this checking between component modes that rely on shared parameters can be found in Indra, Travé-Massuyès, and Chanthery (2011).
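The following added example (not code from the paper) illustrates the two compatibility checks discussed in this section: component modes filtered against observations, then system modes filtered by the structural model. It assumes that a mode is given as closed ranges over parameters; the components, parameter names, ranges and observations are constructed.

```python
from itertools import product

# Constructed two-component system (hypothetical names and ranges).
# A mode is described by one closed range per parameter it constrains.
MODES = {
    "C1": {
        "nominal": {"pf1": (0, 0), "op1": (9, 11)},
        "fault":   {"pf1": (1, 10), "op1": (0, 5)},
    },
    "C2": {
        "nominal":  {"ip2": (9, 11), "pf2": (0, 0), "op2": (18, 22)},
        "fault":    {"ip2": (9, 11), "pf2": (1, 10), "op2": (0, 8)},
        "abnormal": {"ip2": (0, 8), "pf2": (0, 0), "op2": (0, 8)},
    },
}
# Structural model St: output parameter -> set of connected input parameters.
ST = {"op1": {"ip2"}}


def propagate(obs):
    """Copy each observed output value to the inputs it is connected to."""
    full = dict(obs)
    for op, ips in ST.items():
        if op in obs:
            for ip in ips:
                full.setdefault(ip, obs[op])
    return full


def compatible_modes(comp, obs):
    """Modes of `comp` whose ranges contain every observed value they constrain."""
    return [name for name, ranges in MODES[comp].items()
            if all(lo <= obs[p] <= hi
                   for p, (lo, hi) in ranges.items() if p in obs)]


def structurally_consistent(system_mode):
    """Connected op and ip share one value, so their ranges must intersect."""
    ranges = {}
    for comp, mode in system_mode.items():
        ranges.update(MODES[comp][mode])
    for op, ips in ST.items():
        for ip in ips:
            lo = max(ranges[op][0], ranges[ip][0])
            hi = min(ranges[op][1], ranges[ip][1])
            if lo > hi:
                return False
    return True


def compatible_system_modes(obs):
    """One mode per component, compatible locally and through the structure."""
    obs = propagate(obs)
    comps = sorted(MODES)
    local = [compatible_modes(c, obs) for c in comps]
    candidates = (dict(zip(comps, combo)) for combo in product(*local))
    return [sm for sm in candidates if structurally_consistent(sm)]


if __name__ == "__main__":
    # Only the output of C2 is measured: two explanations remain, a fault in C2
    # or a fault in C1 that puts C2 in an abnormal, non-faulty mode.
    print(compatible_system_modes({"op2": 4}))
```

With only `op2` observed, four combinations of local modes are possible and the structural check keeps two of them; adding a sensor on `op1` removes the remaining ambiguity.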

Diagnosis characterization
For complex systems, it is very difficult to think globally in order to directly obtain a diagnosis of the whole system. That is why a set of diagnostic modules is deployed in order to compute local diagnoses at the component level and then provide a global diagnosis for the whole system (Pencolé & Cordier, 2005).
Note that the presented definition is the consistency-based diagnosis (see Definition 15): this is the most generic one. Depending on the type of knowledge available in the $R_i$, it is obviously possible to implement diagnosis methods that can be more accurate/less ambiguous (that is, they compute only a subset of modes of $\Delta_i(t)$ using abductive reasoning as defined in the spectrum of diagnosis definitions in Console and Torasso (1991)). The use of abductive reasoning on a component is typical if an FMEA is available as a model of the given component. Finally, a system diagnosis at time $t$ is built from the knowledge of local diagnoses at time $t$. Any system mode of the global diagnosis is the assignment of a component mode for any component of the system so that the result is compatible with the whole set of observations (see Definition 16).
Definition 18 (System diagnosis). A system diagnosis, at time $t$, $\Delta_\Sigma(t)$ is the subset of system modes formally defined as follows:

Prognosis characterization
As the diagnosis of the system at time $t$ consists in determining the trajectory of past modes of the system from $t_0$, the prognosis consists in calculating at time $t$ the trajectory of future fault modes of the system until $t_p$, the time of the system failure (failure mode). This coupling is illustrated by Figure 5.
[Figure: Diagnosis and prognosis of a system $\Sigma$]
It will never be possible to determine the real trajectory of future modes because the prognosed trajectory has not happened yet. The prognosis at time $t$ consists in estimating the next mode changes based on an evaluation of the system health status.

What can diagnosis offer to prognosis?
Diagnostics and Prognostics are different problems. On one hand, Diagnostics relies on structural, functional and behavioural models to explain the observations by a set of faults that occurred in the system and generate failures throughout the system (see Section 4.2). On the other hand, Prognostics mainly relies on structural and aging models to predict when the next faults will occur and generate the same system failures, as will be formally defined later in Section 4.3.2 and Section 4.3.3. The success of Prognostics requires solving two sub-problems: the acquisition of the aging models (M. Roemer, Byington, Kacprzynski, & Vachtsevanos, 2005; Ferreiro & Arnaiz, 2008) and the acquisition of on-line health indicators. Diagnostics can help to solve the latter problem. As stated in Section 3.6, the prognosis function bases its computation on the aging model $ag_{i,k}$ available for the component $C_i$ and associated to the parameter $pp_{i,k}$ to predict the value $pp_{i,k}(t')$ for a given time $t' > t$. This computation relies on values of health indicators about $C_i$ that can be directly observed (measured by sensors). However, such health indicators can also be estimated by the current diagnosis $\Delta_i(t)$ issued from the system diagnosis $\Delta_\Sigma(t)$ (in other words, we only retain in $\Delta_i(t)$ the set of modes of $C_i$ that appear at least once in $\Delta_\Sigma(t)$). Formally, the prognosis function of $C_i$ will base its computation on the following values of health indicators $\{p_{i,j}\}$:
• direct observation: if $p_{i,j} \in P^i_{Obs}(t)$, then $p_{i,j}(t) = Obs(p_{i,j}, t)$;
, it is possible to assign at least one value $v_{i,j} \in r_x(p_{i,j})$.

Local prognosis
The local prognostic function aims at predicting at time $t$ the next mode changes for each component $C_i$. For this purpose, the date $t_d$ of each possible fault occurrence on the components must be computed. At time $t$, the remaining time until a private parameter $pp_{i,k}$ becomes faulty is denoted $rtf(pp_{i,k}, t)$ (rtf for remaining time to fault):

The estimated date $t^i_{j+1}$ of the next fault mode of the component $C_i$ is then computed with

The next fault occurrence corresponds to the private parameter $pp_f$ with the shortest $rtf$; the next fault mode can thus be evaluated as follows: let $m^i_j$ be the current mode of component $C_i$ at time $t$,

Definition 19 (Next fault mode for a component). The set of possible next fault modes $NFM(m^i_j, t)$ of a component

Informally, the mode $m$ is possible if the faulty parameter $pp_f$ is estimated to be in the range of $m$ at time $t^i_{j+1}$ and the estimates of the other private parameters belong to the ranges of both $m^i_j$ and $m$. In the case where the same $rtf$ is computed for several private parameters of the component, there are several hypotheses about the next fault mode of the component.

Definition 20 (Local prognosis). A local prognosis $\Pi_i(t)$ for a component $C_i$ at time $t$ is the set of next fault modes which match a local diagnostic candidate of $\Delta_i(t)$:

If the local diagnosis contains more than one local diagnostic candidate $\Delta_i(t) = \{m^i_j\}$, the date $t^i_{j+1}$ of the next mode change is determined from each local diagnostic candidate. As opposed to classical definitions of prognosis, this one does not rely on the component RUL but is more detailed. As soon as a private parameter is faulty, the component can no longer implement its whole set of basic functions; it follows that the RUL of a component $C_i$ is:

Global prognosis
A next system mode $m^\Sigma_{j+1}$ is obtained by first determining the date $t_{j+1}$ of the next mode change through the system, that is: $t_{j+1} = \min_{i \in \{1,\dots,n\}} (t^i_{j+1})$. Let $min$ denote the index of the component $C_{min}$ where the next fault should occur (i.e. $t_{j+1} = t^{min}_{j+1}$); the next system mode is then composed of a mode $m_{min}$ from the local prognosis $\Pi_{min}(t)$. Obviously this local prediction has global consequences. Firstly, the system mode $m^\Sigma_{j+1}$ predicted to change at time $t_{j+1}$ must respect the structural condition $H_{Struct}$. Secondly, the predicted mode $m_{min}$ may change the conditions on some output parameter $op_{min}$ of $C_{min}$ and generate abnormal solicitations on a parameter $ip_i$ of a component $C_i$ such that $ip_i \in St(op_{min})$. In this case, it is possible that at time $t_{j+1}$ the component $C_i$ also switches to an abnormal mode $m_i$, but it is not a new fault mode (as the local prediction states that only $C_{min}$ switches to a new fault mode at time $t_{j+1}$).
The following definition formally summarizes how a next system mode is built. Using an abuse of language, let $St : Comps \to 2^{Comps}$ denote the function such that $St(C)$ is the set of components $C'$ which have an input parameter $ip$ such that $St(op) \ni ip$, where $op$ is an output parameter of $C$. Let also $St^* : Comps \to 2^{Comps}$ be the transitive closure:

denotes then the set of components that may have a mode change at time $t_{j+1}$.

Definition 21 (Next system mode). The set of possible next system modes $NSM(m^\Sigma_j, t)$ is:

Once a date $t_{j+1}$ and its corresponding system mode $m^\Sigma_{j+1}$ are estimated, it is then possible to reiterate the procedure in order to estimate a date $t_{j+2}$ and a mode $m^\Sigma_{j+2}$, and so on. For each component $C_i$ switching to an abnormal mode at time $t_{j+1}$ because of an abnormal solicitation on an input parameter $ip_i$, a new value $v_i \in r_a(ip_i)$ has to be assigned to the parameter $ip_i$ at time $t_{j+1}$. If this parameter is involved in the aging model $ag_{i,k}$ of the component $C_i$, that modifies the estimation of the private parameter $pp_{i,k}$ that is required to compute the date $t_{j+2}$. These predictions of future values of input parameters represent fault propagation in components of the system. A global prognostic candidate for a complex system $\Sigma$ at $t$ is then a system mode trajectory $m^\Sigma_{j+1} \dots m^\Sigma_p$ such that $m^\Sigma_p$ is a failure mode.

Definition 22 (Global prognosis). The global prognosis $\Pi^\Sigma_s(t)$ for a system $\Sigma$ at time $t$ is the set of next system mode trajectories $\{m^\Sigma_{j+1} \dots m^\Sigma_p\}$ that match the current diagnosis $\Delta_\Sigma(t)$:

As stated above, the global prognostic procedure is recursive and stops when a failure mode $m^\Sigma_p$ is estimated at time $t_p$, which means that at every step of the mode estimation it is necessary to determine whether the estimated mode is a failure mode. In the following, we suppose that the procedure is at step $h$ and we try to figure out whether $m^\Sigma_{h+1}$ is a failure mode or not, that is $p = h + 1$. When a failure mode occurs at the date $t_p$, the system cannot correctly ensure the whole set of goal functions $FU_g$. Goal functions are obtained by the composition of basic functions described by the functional model of the system (see Section 3.4). A basic function $Fu_{i,j}$ fails only if one of the private parameters $PP(Fu_{i,j})$ of $C_i$ involved in the functional condition $Fu_{i,j}$ is faulty. The estimated time to failure (ettf for short) of a basic function $Fu_{i,j}$ is then evaluated at time $t_h$ as follows:

In complex systems, basic functions are often implemented by redundant components. When a redundant component is faulty, the function may still be available on the second one. For this reason, the global prognosis must take the system functional aspect into account, as in Voisin, Levrat, Cocheteux, and Iung (2010) or Dragomir, Gouriveau, Zerhouni, and Dragomir (2007), to estimate the ettf of any non-basic function $Fu_i$. The ettf of a non-basic function $Fu_i$ derives from the ettf of the functions that belong to $Pred(Fu_i)$, which can be either basic functions or non-basic functions. From the functional dependencies defined in Section 3.4, it follows that:

where $Y = n$ and $Pred(Fu_i) = m$. We can then check whether $m^\Sigma_{h+1}$ is a failure mode or not if there exists a goal function $Fu^g_i$ such that:

Finally, the global RUL of a complex system $\Sigma$ corresponds to the remaining time until the system cannot perform one of the goal functions (Goebel & Eklund, 2007). At time $t$, the RUL is:

Discussion
Section 4 proposes a complete characterization of what is required to develop a decentralized architecture for an HMS that embeds diagnosis and prognosis functions. The proposed framework is deliberately deterministic, in the sense that the diagnosis result is the complete set of system modes that are compatible with the observations. One could argue that this is unrealistic and that this set can be very large, so stochastic methods could be used to compute only a subset of candidates (the most likely ones, for example). Such stochastic approaches come with a price in a decentralized architecture: the loss of consistency due to the difficulty of mixing local/global probability distributions if the hypothesis of event independence does not hold. It may happen that the most likely local diagnoses are globally inconsistent, so that the HMS is unable to return any global candidate. We claim that the use of probability is interesting to rank or prefer diagnoses, and then to rank and prefer prognoses, and not for filtering and/or pruning candidates, which would affect the correctness of the whole HMS. Using probability or any ranking system on our framework simply consists in adding a weight function of the local/global diagnosis to rank/prefer the component/system modes. Another way to minimize the ambiguity relies on diagnosability analysis, which consists in determining the source of ambiguity at design time and adding new sensors to the system for a better observation of it by the HMS and therefore a better discrimination of the ambiguity.

ILLUSTRATIVE EXAMPLE
In this section, we show how the presented generic formalism can be used to model a fuel distribution system. The studied application is composed of common heterogeneous elements (pumps and valve) that can be found in (Roychoudhury & Daigle, 2011). This example points out how the system heterogeneity and the functional redundancies are taken into account.

Modeling
The studied Distribution System (DS) receives liquid delivered by two pumps $P_1$ and $P_2$. The liquid is stored in a tank $T$ before being distributed to user systems through a valve $V_3$. The components of the system are illustrated in Figure 6. An intelligent sensor $I_3$ is added to build an indicator in order to monitor the valve $V_3$. The distribution system is then composed of five components that interact with each other: $Comps = \{P_1, P_2, T, V_3, I_3\}$.

Figure 6. Distribution System

Structural modeling
Figure 7 depicts the interactions between the DS components. For both pumps $P_1$ and $P_2$, input parameters are control signals equivalent to a flow reference and output parameters are the actual delivered outflow: (20) The private parameters $A_1$ and $A_2$ are introduced for diagnosis and prognosis purposes. They are wear parameters used to represent the component degradation leading to the pump failure.
For the valve $V_3$, input parameters are the liquid level $h$ in the tank and a control signal $u_3$ to open or close the valve: The private parameter $w_{V_3}$ is a wear parameter used to represent the valve fault modes, stuck open or stuck closed. The valve output parameter is the outflow, and $i_{w_{V_3}}$ represents an image of the valve private parameter to interact with the sensor component $I_3$.
The intelligent sensor $I_3$ provides a fault indicator value $a_{V_3}$ that is built from the following input parameters: Here the sensor is supposed to be reliable and non faulty.
Fluid delivered by pumps is then stored in a tank $T$. The input parameters of this component are the flows delivered by pumps and the output parameter is the fluid level $h$ in the tank: For the sake of simplicity, the tank is assumed to be perfect with no degradation.

Functional modeling
The DS components implement some basic functions in order to realize the system goal function $Fu_g$, that is, to store and distribute fuel to consumer systems. The pump function is to deliver pressurized fuel consistently with the control signal: For more detail about the equations describing the pump behavior, see (Roychoudhury & Daigle, 2011). The pump $P_1$ is used by default to fill the tank. The flow control $q_{e1}$ describes a square signal: it is equal to 600 for 5 hours and is null for the next 5 hours. The pump $P_2$ is started only if a problem is detected with $P_1$. At start, $P_1$ is assumed to be nominal, so the control signal $q_{e2}$ is null.
The basic function of the tank $T$ is to store fluid provided by the pumps $P_1$ and $P_2$. The water level $h$ in the tank is computed through the following mass balance equation: where $S$ is the tank sectional area. The relation $ar_T$ is represented by a differential equation. The output parameter value $h$ is obtained by integrating it. The tank is assumed to be perfect without leak faults, so its function is always available in the system.
The basic function of the valve $V_3$ is to distribute liquid contained in the tank to consumer systems consistently with the control signal $u_3$. The flow through the valve is computed from Torricelli's law: where $A_3$ is the valve cross-sectional area and $g$ is the gravity constant. The command signal $u_3$ is equal to zero to close the valve or equal to one to open it. This basic function is correctly performed when the wear parameter $w_{V_3}$ is null.
The basic function of the intelligent sensor $I_3$ is to build a fault indicator $a_{V_3}$ for the valve $V_3$ from its control signal $u_3$ and its outflow $q_{V_3}$: This sensor verifies the inputs $u_3$ and $q_{V_3}$ to assign a value to $a_{V_3}$. For example, $a_{V_3} = 1$ indicates a fault ($w_{V_3} = 1$) for the valve when the following conditions on input parameters hold: As said before, the component is assumed to be non faulty, so this function is always available.
The basic functions are composed in order to realize a set of intermediate functions on which the realization of the DS goal function relies: where,
• $Fu_1$ is to provide fuel (this intermediate function is built from the pump functional redundancy $Fu_{P_1}$ and $Fu_{P_2}$),
• $Fu_T$ is to store fuel delivered by pumps,
• $Fu_{V_3}$ is to distribute fuel through a controlled valve.
This composition can be represented as a functional tree, shown in Figure 8. The sensor function does not participate in the realization of the system goal function, which is why it is not represented in the functional tree.
with $\lambda_3 = 2.25 \cdot 10^{-5}$ and $p_{max}$ is a non accepted probability threshold fixed a priori. $w_{V_3} \neq 0$ means a fault has occurred on the valve $V_3$ and the component is either stuck open or stuck closed. Reliability data-based models do not consider the real solicitations of components, so they do not depend on component input parameters.
A stress-based model can be used for pumps. A physical analytical law is identified from series of real experiments (like accelerated life testing) and determines a degradation level to evaluate the wear parameter value, as in Gorjian, Ma, Mittinty, Yarlagadda, and Sun (2009). In Roychoudhury and Daigle (2011), two degradations are studied for the pump: the bearing wear and the impeller wear. The bearing wear provokes an increase in the pump friction coefficient, and the impeller wear appears as a decrease of the impeller area due to erosion of the rotating element in contact with fluid. Here, we choose to represent only the impeller wear with the following equation that depends on the control signal $q_{ei}$ of the pump $P_i$: where $w_A = 3 \cdot 10^{-8}$ for both pumps and the initial value of the impeller area is $A_i(t_0) = 60$. The value of $A_i$ is then computed by integrating the differential equation explained for relation $ar_{P_i}$. When the pump is degraded, the impeller area $A_i$ decreases and, as a consequence, $q_{di}$ also decreases. The minimal value $A_i = 55$ was identified from tests for a non faulty pump.

Operational modes
Some fault modes have been identified for the components $P_1$, $P_2$ and $V_3$ by defining private parameters. The following tables express, for each component, the parameter ranges according to the component operational mode. There exist as many abnormal modes as combinations of input parameters for each component, but for the sake of simplicity they are not described here. We recall that the components $T$ and $I_3$ are assumed to be always nominal.

Table 1. $P_1$ operational modes

Table 1 represents operational modes for the pump $P_1$. In nominal mode, the control signal $q_{e1}$ is either equal to 600 or null and the delivered flow is then also equal to 600 or null.
The private parameter that represents the impeller area is initially equal to 60. In fault mode, while the input parameter $q_{e1}$ remains in the same range, the delivered flow is inferior to 600 and the impeller area is inferior to 55, the minimal accepted value. The basic function of $P_1$ is not available. The component fails to provide liquid consistently with the command signal $q_{e1}$. Table 2 represents operational modes for the pump $P_2$, which are similar to the ones explained for $P_1$. Table 3

Table 3. $V_3$ operational modes

Scenarios
The proposed characterization is illustrated with a scenario in two steps. At the operating start $t_0$ = 0, the health monitoring system identifies the current system mode and predicts the RUL. Then, a fault for the pump $P_1$ is injected at time $t_1$ = 30 000.
5.2.1. Scenario at time $t_0$ = 0

Diagnosis

Diagnosis aims at determining the current mode of components at time $t_0$ which is consistent with the component models and the available observations. Sensors measure the flow delivered by pumps $P_1$ and $P_2$, another sensor measures the liquid level $h$ in the tank, and the intelligent sensor provides the indicator $a_{V_3}$. The acquired measures and the pump and valve controls are observable. Then, we assume that the set of observed parameters is invariant: At $t_0$, the values of observed parameters are: {600, 600, 0, 0, 10, 0, 0}. Every local observation is in nominal range. The system is in nominal mode at the operating start, so all functions are available on the components.

Prognosis

The prognostic function aims at determining the future mode for the system which is consistent with the diagnosis and the aging models of component parameters. The aging models $\{ag_{i,k}\}$ are used to estimate the value of private parameters $\{pp_{i,k}\}$ and compute the fault date $t_d$ at which the private parameters are out of the nominal ranges defined in Section 5.1.4. explained in Section 5.1.3. For the pump $P_1$, this evolution takes future inputs for $q_{ei}$ into account from the definition of the square control signal. We recall that the components $T$ and $I_3$ are supposed to be perfect and not degrading, and thus no prognosis is performed on them.
The rtf of components, which define the remaining time until a fault occurrence, are computed from these aging models (see As only one private parameter is defined in this illustration for each component, the RUL of components is equivalent to the rtf. These numerical values show that $P_1$ is predicted to be the next faulty component. Its RUL is shorter than the one for $P_2$ because $P_1$ is the default pump. Then the second component predicted to be faulty is $V_3$. As stated by Definition 21 in Section 4.3.3, the next system mode $m^\Sigma_{+1}$ is determined from $m_{min} \in \Pi_{min}(t_0)$, the next mode of the component $C_i$ with a minimal $t^i_{+1}$. As $t^{min}_{+1} = t^{P_1}_{+1}$, the next fault mode for the system is

In order to compute the system RUL, the date $t_p$ of the system failure mode $m^\Sigma_p$ must be computed. For this purpose, the availability of basic and intermediate functions implemented by components has to be evaluated at time $t^{min}_{+1}$ = 35 250. As the components have only one private parameter, the ettf of basic functions can be directly evaluated as the rtf of their private parameters (see Equation 16).
As described by the functional model in Figure 8, the intermediate function $Fu_1$ is available as long as $Fu_{P_1}$ or $Fu_{P_2}$ is available. It expresses the redundancy of pumps. The ettf of $Fu_1$ is then computed using Equation 17 as follows:

$$ettf(Fu_1, t_0) = \max(ettf(Fu_{P_1}, t_0), ettf(Fu_{P_2}, t_0)) = \max(35\,250, 166\,650) = 166\,650. \quad (38)$$

The RUL of the system corresponds to the remaining time until it cannot correctly perform its goal function $Fu_g$, so $RUL(\Sigma, t_0) = t_p - t_0$ = 102 040.
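The ettf propagation through the functional tree, used above for $Fu_1$ and described in Section 4.3.3 for non-basic functions, can be carried through to the goal function with the numbers of this scenario. The following is an added example, not code from the paper: the names `Function`, `ettf`, `fault_trajectory` and `distribution_system` are hypothetical, the n-out-of-m rule is an assumption that generalizes the max shown for the pump redundancy, and the rtf values are held fixed (no fault propagation).

```python
import math
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ALWAYS_AVAILABLE = math.inf  # ettf of a function assumed never to fail (tank T)


@dataclass
class Function:
    """Node of a functional tree: basic (ettf given) or composed (n-out-of-m)."""
    name: str
    ettf: Optional[float] = None       # set for basic functions only
    required: int = 1                  # n: predecessors that must stay available
    preds: List["Function"] = field(default_factory=list)  # Pred(Fu), size m


def ettf(fu: Function) -> float:
    """Estimated time to failure of a function, evaluated recursively."""
    if not fu.preds:
        if fu.ettf is None:
            raise ValueError(f"basic function {fu.name} has no ettf")
        return fu.ettf
    if not 1 <= fu.required <= len(fu.preds):
        raise ValueError(f"{fu.name}: need 1 <= n <= m")
    # Assumption: the function is lost when fewer than n predecessors remain,
    # i.e. at the n-th largest predecessor ettf (n = 1 -> max, n = m -> min).
    ranked = sorted((ettf(p) for p in fu.preds), reverse=True)
    return ranked[fu.required - 1]


def fault_trajectory(goal: Function) -> List[Tuple[float, str]]:
    """Ordered (date, basic function) losses up to and including system failure."""
    t_p = ettf(goal)
    events = []
    stack = [goal]
    while stack:
        node = stack.pop()
        if node.preds:
            stack.extend(node.preds)
        elif node.ettf != math.inf and node.ettf <= t_p:
            events.append((node.ettf, node.name))
    return sorted(events)


def distribution_system(rtf_p1: float, rtf_p2: float, rtf_v3: float) -> Function:
    """Functional tree of the DS: Fu_g needs Fu_1 (P1 or P2), Fu_T and Fu_V3."""
    fu_1 = Function("Fu_1", required=1,
                    preds=[Function("Fu_P1", rtf_p1), Function("Fu_P2", rtf_p2)])
    return Function("Fu_g", required=3,
                    preds=[fu_1,
                           Function("Fu_T", ALWAYS_AVAILABLE),
                           Function("Fu_V3", rtf_v3)])


if __name__ == "__main__":
    # rtf values of the scenario at t0 = 0, taken from the text above.
    fu_g = distribution_system(35250, 166650, 102040)
    print("ettf(Fu_1) =", ettf(fu_g.preds[0]))
    print("RUL(system, t0) =", ettf(fu_g))
    print("predicted losses:", fault_trajectory(fu_g))
```

The trajectory lists the predicted loss of $Fu_{P_1}$ first, which the pump redundancy absorbs, and then the loss of $Fu_{V_3}$, which is the one that ends the goal function.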

Scenario at time $t_1$ = 30 000
In this scenario, all the components are in nominal mode between $t_0$ and $t_1$ and degrade normally according to the aging model. At time $t_1$, a fault is injected in the component $P_1$. Between these two dates, the diagnosis result is the same as the one at $t_0$, and prognosis is currently updated by evaluating the rtf of private parameters, the ettf of functions and the system RUL according to the current operating time, in particular at $t_1$:

$$RUL(\Sigma, t_1) = t_p - t_1 = 72\,040. \quad (39)$$

Diagnosis

At $t_1$ = 30 000, the values of observed parameters are:

$$\{q_{e1}, q_{d1}, q_{e2}, q_{d2}, h, u_3, a_{V_3}\} = \{600, 550, 0, 0, 5, 0, 0\} \quad (40)$$

For each component, the local diagnosis is computed by checking the compatibility between local observations and the modes (see Definition 15 in Section 4.1): $Obs(q_{e1}, t_1) = 600$ and $Obs(q_{d1}, t_1) = 550$ are compatible with one mode of $P_1$: $Obs(q_{e2}, t_1) = 0$ and $Obs(q_{d2}, t_1) = 0$ are compatible with two modes of $P_2$, but as the component is supposed to be nominal at operating start and $P_2$ has not started yet, only the nominal mode is considered: $Obs(q_{V_3}, t_1) = 0$ and $Obs(u_3, t_1) = 0$ are compatible with two modes of $V_3$: The local diagnosis of $V_3$ is ambiguous. From local observations, it cannot be disambiguated.
The system mode at $t_1$ = 30 000 is obtained by merging local diagnostic candidates and excluding the system modes that do not satisfy the $H_{struct}$ hypothesis (see Definition 16 in Section 4.1). By merging local diagnoses, we obtain two global system modes (44) These system modes need to be compatible with all observations. The fault indicator $Obs(a_{V_3}, t_1) = 0$ means that $V_3$ cannot be faulty, so the second system mode is not compatible with observations and is removed from the global diagnosis:

Prognosis

At $t_1$ = 30 000, the component $P_1$ is diagnosed faulty; the component $P_2$ is then started with the same square control signal as $P_1$ previously. This naturally modifies the degradation of the component $P_2$ according to the new solicitations, as illustrated in Figure 12.
As for the scenario at time $t_0$, the fault date $t_d$ associated with each private parameter of components is computed from aging models and nominal ranges defined in operational modes.
(49) We recall that the rtf and the ettf values represent durations from time $t_1$ = 30 000 and not a fault or a failure date. The RUL of the system at time $t_1$ is now $RUL(\Sigma, t_1) = t_p - t_1$ = 28 850. If the pump $P_1$ had correctly worked until the predicted rtf, $P_2$ would have been solicited much later and the system RUL would have been longer. This example illustrates each part of our generic modeling framework for the diagnosis and the prognosis of a heterogeneous complex system. It also points out the need for diagnosis to update predictions for prognosis.

RELATED WORK
Fault diagnosis has become a mature problem and a lot of research works are now considered as references in this field (Hamscher et al., 1992; Isermann, 2005; Lamperti & Zanella, 2003). It aims at identifying faults occurring on components that may cause a system failure. In the diagnosis community, a fault represents a deviation of one component characteristic or property. Diagnostic methods rely on the monitoring capabilities and a knowledge of the system behavior. This knowledge can be represented as an experience (Buchanan & Shortliffe, 1984; Jackson, 1998), a known qualitative or quantitative model in DX/FDI communities (Gertler, 1998; Hamscher et al., 1992) or an estimated model obtained by learning and classification methods (Fouladirad & Nikiforov, 2005; Takagi & Sugeno, 1985).
As opposed to diagnosis, prognosis is quite a new field of interest. In the more recent literature, a lot of definitions can be found for prognosis (Goh, Tjahjono, Baines, & Subramaniam, 2006). In Brotherton et al. (2002), prognosis is defined as the ability to assess the current health of a component or to predict the next time to failure. For Engel et al. (2000), it is the capability to provide early detection of an incipient fault condition and to have the means to manage and predict the progression of this fault condition to the component failure. For both definitions, prognosis consists in predicting the remaining time until the system cannot successfully perform its function anymore and must be replaced, i.e. the time to failure. Whereas this prediction can be done all over the system operation in the first definition, it is performed only after a fault occurrence in the second definition. In our case, the preventive maintenance objective is ultimately to replace the component before a fault occurs on it, which means that the prognosis process starts as soon as the system starts operating, and it continuously updates the prediction of the remaining time before the system failure. Moreover, faults may result in changes in the solicitations of the neighboring subsystems (Abbas & Vachtsevanos, 2009) even if failures have not happened yet (latent faults for instance). These subsystems could deteriorate quickly. This temporal prediction relies on a knowledge about the health state of the system (Dasgupta & Pecht, 1991; Gorjian et al., 2009). In the literature, there already exist several prognostic approaches which rely on different models (Ghelam et al., 2006; Heng, Zhang, Tan, & Mathew, 2009; M. Roemer et al., 2005; Schwabacher & Goebel, 2007). In M. J. Roemer and Byington (2007), a spall initiation model is used to evaluate the current health of bearings and a progression model of crack length is used to obtain the RUL. Abbas and Vachtsevanos (2009) define the fault progression as the evolution of a fault in a subsystem under a given operational condition and the fault propagation as the effect of a fault on another fault, both in the same system. In our framework, the fault progression is represented as an aging model and the fault propagation relies on a structural function that defines component interactions.
Finally, prognosis requires some health indicators of the system that can obviously be delivered by diagnosis techniques.
Very few works exist on this topic. Lebold and Thurston (2001) and Sheppard, Kaufman, and Wilmering (2008) define standard architectures for PHM. They combine diagnostics and prognostics modules, but no formalization of both problems is given and the link between the diagnostics and prognostics modules is not really explicit. In Daigle and Goebel (2011), the authors proposed a Model-Based Prognostics Approach to predict the end of life and the RUL of a pneumatic valve. This approach proposes an architecture with a fault detection, isolation and identification module that injects information into the prognostic module (damage estimation and prediction). This work presents a diagnostic/prognostic methodology by choosing specific models and methods and does not aim at being generic. The prognostic method proposed in Daigle and Goebel (2011) could be a potential candidate to implement the local diagnosis and the local prognosis for a component like the proposed pneumatic valve. In Roychoudhury and Daigle (2011), a more detailed version of the diagnosis part of the previous architecture is introduced and is implemented by a classical observer technique based on residuals (Isermann, 2005) and qualitative reasoning (Mosterman & Biswas, 1999).
To the best of our knowledge, no research paper addresses the formal characterization of an embedded and decentralized diagnosis/prognosis HMS in charge of the monitoring of a complex system such as an aircraft.

CONCLUSION
A formal characterization of a modern on-line HMS has been presented in this paper. The objective of this characterization was to be as generic as possible in order to provide formal but consistent requirements for the development and the deployment of any HMS on a complex system like an aircraft. The characterization is modular; it introduces a decentralized architecture for diagnosis and prognosis (local/global) that is consistent. Within this framework, we also introduce the notion of mode trajectory, which is an abstraction of the underlying evolution of the system that is sufficient for the maintenance decision. Both diagnosis and prognosis rely on this abstraction to provide results: diagnosis is in charge of determining the current mode of the system, whereas prognosis is in charge of predicting the date of the next mode changes until the prediction of the occurrence of system failure. Consistency of the diagnosis, which is critical in an HMS, is based on the structural model. Moreover, our framework proposes that diagnosis takes into account the redundancy in the system by the use of a functional model that represents the minimal requirements for a global function to work properly even if some components are faulty. The prognosis process takes into account direct measurements or parameter estimates from the diagnosis part to tune the available aging models and performs the prognosis. Here also, prognosis takes into account redundancy to estimate when a system failure will occur. This characterization extends the framework that was initiated to model an HMS on a sub-part of the aeronautical system called the Engine Bleed Air System within the ARCHISTIC project in collaboration with the AIRBUS maintenance department. Recent works on more specific problems started with the help of this characterization. Vinson, Ribot, Prado, and Combacau (2013) use the functional and aging modeling framework to model the functional behavior and health evolution through time of permanent magnet synchronous machines. In Chanthery and Ribot (2013), the integration of diagnosis and prognosis is investigated to develop a monolithic HMS on hybrid systems based on the characterization presented here.
One of our main perspectives is to fully deploy and integrate a set of specific techniques for the diagnosis/prognosis, such as the ones cited above, to implement an HMS on a large assembly of components whose nature is different (continuous, discrete, hybrid systems). This HMS would have the guarantee that the global result is consistent. Another perspective is to provide generic algorithmic tools for the developed HMS to scale up; in particular, we would like to investigate different ranking/preference methods (see Section 4.4) to sort the diagnoses/prognoses provided by the HMS for better maintenance decisions. Finally, we would also like to investigate whether the prognostic outputs provided by the HMS could be relevant for improving the accuracy of the diagnosis part; in other words, can the diagnosability of a system be improved by prognosis?

Figure 9. $P_1$ aging model: evolution of wear parameter $A_1$

The diagnosis process involves the measured values of a subset of parameters called the observations. Some parameter values are recorded by available sensors within the system; these measurements are called observations. So the set of observations is directly linked to the system monitoring capability. Sensors record values of physical quantities that are represented as input, output or private parameters. A local observation, on a component $C_i$, at time $t$ is then a measure of the value of a parameter. Such a local observation is denoted $Obs(p_{i,k}, t)$ for the parameter $p_{i,k}$. For a component $C_i$, the set of parameters is partitioned at time $t$ into the subset of observed parameters $P^i_{Obs}(t)$ (i.e. the set of parameters whose value can be measured at time $t$) and the subset of non observed parameters $P^i_{\neg Obs}(t)$. Let us note $\{Obs(p_{i,k}, t)\}$ the set of values of the observed parameters at time $t$.

Definition 15 (Compatibility between a component mode and a set of observations). At time $t$, a mode $m^i_x$ of component $C_i$ is said to be compatible with the set of local observations $\{Obs(p_{i,k}, t)\}$ iff:

represents operational modes for valve $V_3$. The range of control signal $u_3$ is either closed or open and represented by the value set {0, 1}.

Table 2. $P_2$ operational modes

Figure 12. $P_2$ aging model: evolution of wear parameter $A_f$ according to diagnosis result

$P_1$ is already faulty and $T$ and $I_3$ always assumed to be nominal. New local prognoses at time $t_1$ = 30 000 are then computed for non faulty components: Then the rtf of components are updated: $rtf(P_2, t_1)$ = 58 850, $rtf(V_3, t_1)$ = 102 040.