Link Failure Detection in Multi-hop Control Networks

Link Failu re Detection in Multi-hop C ontrol Networks Alessand ro D’Innocenzo , Maria Dome nica Di Benede tto and Emma nuele Se rra Abstract — A Multi-hop Contr ol Network (MCN) consists of a plant where the communication between sensors, actuators and computational unit is su pported by a wireless multi-hop communication netw ork, and data flow is p erf ormed using scheduling and routing of sensing an d actuation data. W e characterize the problem of d etecting the f ailure of links of th e radio connectivity graph and provide necessary and sufficient conditions on the plant dynamics and on the communication protocol. W e also prov ide a methodology to explicitly d esign the network topology , sched uling and routing of a communication protocol in order to satisfy the above conditions. I . I N T RO D U C T I O N W ir eless networked control systems are spatially dis- tributed c ontrol systems where the communication betwee n sensors, actuato rs, and computational un its is supported by a shared wireless commun ication network . Control with wire- less technolog ies typically inv o lves multiple commun ication hops for con ve ying informa tion from sensors to the controller and from the controller to actuators. The use of wireless networked c ontrol systems in ind ustrial autom ation results in flexible ar chitectures an d generally r educes installation, debugging, diagnostic and maintenanc e costs with respect to wired networks. The main m otiv a tion for studying such systems is the emerging use of wireless techn ologies in control systems (see e.g., [1], [2], a nd [3]). Although Multi-hop Control Networks (MCNs) offer many advantages, their use for con trol is a challenge when one has to take in to account the jo int dynamics of the p lant and o f the co mmunica tion p rotocol. W ide dep loyment of wireless ind ustrial autom ation require s substantial p rogre ss in wirele ss tran smission, networking an d co ntrol, in order to provide formal mod els and verification/d esign method ologies for wireless networked c ontrol system. The de sign of th e control system has to c onsider th e presence of the network, as it represents the inter connection b etween th e plant an d the contr oller , and th us affects the d ynamical beh avior of the system. The analysis of stability , p erforman ce, a nd relia- bility of real implementations of wireless networked con trol systems require s addr essing issues such a s schedu ling and routing usin g real co mmunicatio n protocols. Recently , a huge effort has been made in scientific research on Networked Con trol System s ( NCSs), see [4], [5], [6], [7], and [8], and ref erences therein f or a g eneral overvie w . The authors are with the Department of El ectric al a nd Informa- tion Engineering, Univ ersity of L ’Aquila. Address: V ia G. Gronchi, 18 Nucleo Industriale di Pile, L ’Aquila, 67100 Italy . T el: +39 328 941 5922 . Email: { mari adomenic a.dibene detto, alessandro.dinnoc enzo, em- manuele.serr a } @uni vaq.it. The research leading to these results has re- cei ved funding from the European Union Se venth Frame work Programme [FP7/2007-201 3] under grant agreemen t n257462 HYCON2 Netw ork of exc ellen ce. Howe ver, the li terature on NCSs usu ally d oes not take into acc ount the no n–idealities introdu ced b y sche duling and routing co mmunica tion p rotocols o f Multi-hop Contr ol Networks. In [9], a simulative environment of co mputer nodes a nd co mmunicatio n network s interacting with the continuo us-time dynam ics of the real w orld is presented. T o the b est of o ur kn owledge, the only fo rmal model o f a Multi- hop Con trol Network h as been pr esented in [ 10], [ 11], where the m odeling and stability verification pro blem has b een addressed f or a MIM O L TI plant em bedded in a MCN, wh en the controller is already designed. A mathem atical fr ame- work has be en prop osed, that allows mo deling the MAC layer (commu nication sche duling) an d the Network layer (routing ) of the recen tly dev eloped wireless industrial control protoco ls, such as WirelessHAR T ( www. hartcomm2.org ) and ISA-1 00 ( www.isa .org ). Consider the networked contr ol architectu re illu strated in Figure 1, that consists o f a plant P interconnected to a con- troller C v ia two multi-hop wireless commu nication network s G R and G O . W e proved in [12] that f or any time-invariant topolog y i of G R and G O , ch aracterized b y at le ast o ne p ath between the con troller an d the plan t, it is always po ssible to d esign a con troller C i , a r outing and a sched uling to arbitrarily assign the eig en values of the closed lo op system. Consider the following two a pplication scen arios. In the fir st scenario (e. g. th e min e application in vestigated in [13]), an industrial plan t is con nected to a contr oller via a mu lti-hop wireless com munication network: the grap h topolog y of the wireless network is time-varying be cause o f link failures an d battery d ischarge of the com munication no des. I n th e secon d scenario, a plan t is conn ected to a co ntroller v ia a swarm of mobile agents ( e.g. robots [14] or UA Vs [15]) equipped with wireless communication nodes: the gr aph to pology of the wireless network is time-varying because of m otion of the ag ents. In both scenario s, the time-varying topolog y perturb s the dyn amics of the interconnected system N , and the co ntroller is required to detec t the curr ent topo logy i of G R and G O to ap ply the correspo nding control law C i . In th is paper we supp ose th at the to pology o f G R and G O is time-varying because of lin k failures, and provide a methodo logy to detect the set o f faulty links using Fault Detection an d Id entification (FDI) m ethods. I n the taxo nomy of fault diagno sis tech niques, we leverage on the model- based appro ach introduced by the pione ering works in [16], [17] o n obser ver-based FDI, later pursu ed in [18] for lin ear systems and in [19] fo r non- linear systems. As c an b e inferred fr om th e rece nt sur vey [ 20], fault tolerant co ntrol and fault d iagnosis is one of the main issues addressed in the re search on NCSs. Howe ver , mo st of the P y(t) T y(kT) v y G O G O v c y(kT) N ZOH u(t) P T u(kT) v u G R u(kT) v c G R C Ø C C 1 FDI C |F| Switch Fig. 1. Proposed control scheme of a MCN. existing literature on NCSs fault diagnosis (e .g. [21], [15]) usually ad dresses com munication delay s, and does not co n- sider the effect of the comm unication pro tocol introduced by a Mu lti-hop Contro l N etwork. In [22], a pro cedure to minimize the nu mber and cost of ad ditional sensors, req uired to solve the FDI problem for structured syst ems , is presented . In [23], th e d esign of an intrusion detection system is presented f or a MCN, where the n etwork itself acts as the con troller . Our mo deling framework differs f rom that developed in [23], sinc e we mode l the MCN as an inpu t- output system where the wir eless networks transfer sensing and actua tion d ata between a plant an d a controller (they are r e lay networks), while in [23] the MCN is an autonomo us system wh ere th e wireless network itself acts as a contro ller . Moreover , in our model we explicitly take into account the effect of the sched uling or dering of the n ode transmissions in th e sensing an d actuation data re lay . Our work differs from the existing literature since we characterize the c ommun ication link failures detection prob- lem in a MCN as a FDI problem, and state nece ssary and sufficient con ditions on the plant dynamics and on the com- munication pr oto col . Moreover , we p rovide a methodolog y to explicitly design the network topo logy , scheduling and routing of a commu nication protocol in order to satisfy link failure detection cond itions o f a MCN f or any failure of commun ication links. The explicit design of schedu ling and routing is a funda mental aspect of our contrib ution. In fact, as evidenced in [13], when applying a wireless ind ustrial con trol protoco l to the real scenario the top ology of the wir eless network intro duces har d limitations in the choice of the scheduling . This is du e to the fact th at most of the wireless industrial co ntrol pro tocols sugg est that the commu nication scheduling satisfies a specific or dering (see [13], [ 24] for more d etails). Th e results in [12] an d in this paper mitigate these constraints, by proving that it is not required to perform scheduling according to a specific ordering . Th is allo ws to strongly red uce the sch eduling leng th, as illustrated in [ 12]. I I . M O D E L I N G O F M C N S The challenges in mo deling M CNs ar e best explain ed by considerin g the re cently developed wireless indu strial con- trol pro tocols, such as W irelessHAR T and ISA- 100. These standards requir e that d esigners of wireless co ntrol network s define a co mmunicatio n schedu ling for all co mmunica tion nodes of a wireless network . For each workin g freq uency , time is divided in to slots o f fixed d uration ∆ , and grou ps of Π time slo ts are called f rames of duratio n T = Π∆ (see Figu re 2) . For each frame, a commun ication sched uling allows each node to tra nsmit data only in a specified tim e slot and f requency , i.e. a m ixed TDMA and FDMA MAC protoco l is used. Th e comm unication scheduling is p eriodic with perio d Π , i.e. it is repeated in all fr ames. The standard T = D P Cyclen Cyclen−1 Cyclen+1 D 3 ... P -1 P 1 2 3 ... P 1 2 3 ... P -1 Fig. 2. Time -slotte d structure of frames. specifies a sy ntax for definin g scheduling and rou ting and a mechanism to apply th em, b ut the issue of designing them remains a challeng e for engineer s and is cu rrently done using heuristic rules. T o allow systema tic methods for designing the comm unication protocol configura tion, a mathematical model of th e ef fect o f scheduling and routing on the con trol system is needed . Definition 1: A SISO Multi-h op Control Network is a tuple N = ( P , G R , η R , G O , η O , ∆) where : • P = ( A c P , B c P , C c P ) m odels a plant dyn amics in ter ms of matric es of a co ntinuou s-time SISO L TI system. • G R = ( V R , E R , W R ) is the co ntrollability radio c on- nectivity acyclic graph, where the vertice s correspon d to the nodes of the network, and an edge from v to v ′ means that v ′ can receive message s transmitted by v through the wireless comm unication link ( v , v ′ ) . W e denote v c the sp ecial node of V R that corr esponds to the co ntroller, an d v u ∈ V R the special nod e that correspo nds to the actuator of the in put u of P . T he weight fu nction W R : E R → R + associates to each link a positiv e c onstant. Th e role of W R will b e clear in the following definition of η R . • η R : N → 2 E R is the con trollability commu nication scheduling functio n, th at associates to each time slot of eac h fra me a set o f edg es of the co ntrollability radio co nnectivity graph. Sin ce in this p aper we only consider a per iodic scheduling that is rep eated in all frames, we defin e the con trollability commu nication scheduling function b y η R : { 1 , . . . , Π } → 2 E R . The integer co nstant Π is the period o f the controllability commun ication schedulin g. T he seman tics of η R is th at ( v , v ′ ) ∈ η ( h ) if and only if at time slot h of each frame the da ta c ontent of th e node v is transmitted to the nod e v ′ , multiplied by the weight W R ( v , v ′ ) . W e assume th at each link can be scheduled only o ne time for each frame. Th is does not lea d to loss of generality , since it is always possible to o btain an equ iv alen t model that satisfies this constra int by appro priately splitting the nodes of the graph , as already illustrated in the memor y slot gr aph definition of [1 1]. • G O = ( V O , E O , W O ) is the o bservability radio co nnec- ti vity acyclic g raph, and is defined similarly to G R . W e denote with v c the special node of V O that corresponds to the con troller, and v y ∈ V O the special node that correspo nds to the senso r of the ou tput y of P . • η O : { 1 , . . . , Π } → 2 E O is the o bservability com mu- nication scheduling functio n, and is define d similarly to η R . W e r emark tha t Π is the same period as the controllab ility scheduling period. • ∆ is the time slot du ration. As a conseq uence, T = Π∆ is the frame du ration. Definition 1 allows modelin g comm unication pr otocols that specify TDMA, FDMA and /or CDMA access to a shared commun ication resourc e, fo r a set of commun ication nod es interconn ected by an arbitrar y radio conn ectivity g raph. In particular, it allows modeling wireless multi-hop comm u- nication networks tha t im plement p rotocols such as Wire- lessHAR T and ISA-100. Our MCN mo del d iffers fro m the framework dev eloped in [11], s ince it allows modelin g redun - dancy in d ata communica tion sending contr ol da ta through multiple paths in the same frame and then merging these compon ents ac cording to the weight function. This kind of redund ancy is called mu lti-path r outing (or flo oding , in the communica tion scientific community), and aims at rendering the MCN robust with respect to link failures and to mitigatin g the effect of packet losses. For any given radio connectivity graph that models the commun ication range of eac h node, de signing a schedu ling function ind uces a communicatio n scheduling (na mely the time slot wh en each no de is allowed to transmit) a nd a mu lti- path ro uting (name ly the set o f paths tha t conve y d ata fro m the inp ut to the outpu t of the conn ectivity graph ) of the commun ication proto col. Since the schedu ling f unction is periodic the in duced commun ication scheduling is p eriodic, and the induced m ulti-path rou ting is static. W e defin e a conn ectivity pr operty of the co ntrollability and ob servability g raphs with respe ct to th e corre sponding scheduling . Definition 2: Given a con trollability graph G R and scheduling η R , we define G R ( η R ( h )) the sub-g raph of G R induced by keepin g th e edges sched uled in the time slot h . W e define G R ( η R ) = Π S h =1 G R ( η R ( h )) the sub -graph of G R induced by keeping th e un ion of edges sched uled du ring the whole fr ame. Definition 3: W e say that a con trollability graph G R is jointly connected by a con trollability sched uling η R if and only if there exists a path from the controller n ode v c to the actuator nod e v u in G R ( η R ) . The above definition s can be gi ven similarly fo r observability graph G O and sched uling η O . The d ynamics of a MCN N can be mod eled b y the interconn ection of block s as in Figure 1. The b lock P T is characterized by the discrete-tim e state spac e represen tation ( A P , B P , C P ) obtain ed by discretizing ( A c P , B c P , C c P ) with sampling time T = Π∆ . W e assume that the plant P is stabilizable and detectable, and that P = ( A c P , B c P , C c P ) is th e contro llable and ob servable min imal represen tation. If th is assumptio n does not h old, then e ven with an id eal interconn ection between th e controller and the plan t it is clearly no t possible to stabilize the closed loo p system, a nd the co ntrol scheme in Figure 1 lo oses any interest. The bloc k G R models the dynamics introd uced by the data flow of the actuation data throug h the commu nication network represented by G R accordin g to the applied con - trollability sched uling η R . In or der to d efine the dy namical behavior of G R , we need to define the dy namics of the d ata flow through the n etwork, accordin g to the scheduling η R . W e associate to the controller no de v c a real value µ c ( k T ) at time k , a nd we assume that v c is periodically upda ted with a n ew co ntrol comman d at the b eginning o f each fr ame and holds th is value for the whole d uration o f the fr ame. Formally , µ c ( k T ) = u ( k T ) . The dynam ics o f the other node s n eeds to be defined at the le vel of time slots. W e associate to ea ch other n ode v j ∈ V R \ { v c } a real value µ i,j ( h ) a t tim e slot h for each node v i belongin g to the set inc ( v j ) = { v ∈ V R : ( v , v j ) ∈ E R } of edge s incoming in v j . When the link fro m v i to v j is not sched uled at time slot h , the v ariable µ i,j ( h ) is not updated. When the link from v i to v j is scheduled at time slot h , the variable µ i,j ( h ) is updated with the sum o f the variables associated to node v i in the time slot h multiplied by the link weight W R ( v i , v j ) . Formally , for e ach v j ∈ V R \ { v c } an d for each time slot h ∈ { 1 , . . . , Π } : µ i,j ( h + 1 ) =        µ i,j ( h ) if ( v i , v j ) / ∈ η R ( h ) , W R ( v i , v j ) · P v k ∈ inc ( v i ) µ k,i ( h ) if ( v i , v j ) ∈ η R ( h ) . Finally , the actuator node v u periodically actua tes a new actuation c ommand at the b eginning of each fram e on th e basis of its variables µ i,u , and h olds this value for the whole duration o f the fr ame. Formally , ˜ u ( k T ) = X v i ∈ inc ( v u ) µ i,u ( k T ) . The fo llowing proposition proved in [12] characterize s the dynamics of G R at the lev el of frames, induced by the data flow through the n etwork at the level of time slots. Pr op osition 1: [12] Given G R and η R , the controllability graph can be mo deled as a discrete time SISO L TI system with samp ling time equ al to the fram e duratio n T = Π∆ , and ch aracterized by the following transfer function : G R ( z ) = D R X d =1 γ R ( d ) z d , where D R ∈ N is the max imum delay introdu ced by G R , and ∀ d ∈ { 1 , . . . , D R − 1 } , γ R ( d ) ∈ R + 0 , γ R ( D R ) 6 = 0 . ZOH u(t) P(s) y(t) P (z) T T y(kT) G (z) R u(kT) u(kT) N(z) G (z) O y(kT) Fig. 3. Tra nsfer function of the MCN interconne cted system. G O ( z ) can be compu ted similar ly . Th e dynam ics o f a MCN N can b e mo deled as in Figur e 3, wher e each blo ck is a discrete time SI SO L TI system with sampling time equal to the frame dur ation, char acterized b y the transfer fun ctions G R ( z ) , P T ( z ) and G O ( z ) . Let x O ∈ R n O , x P ∈ R n P and x R ∈ R n R be respectively the states of th e observability grap h, o f the plant, and of the controllability gr aph. W e will denote b y x =  x ⊤ O x ⊤ P x ⊤ R  ⊤ the extended state of N , with x ∈ R n , and n = n O + n P + n R . Th e dy namics of N can also be descr ibed by the following state space rep resentation: x (( k + 1) T ) = Ax ( kT ) + B u ( k T ) , y ( k T ) = C x ( k T ) , u ( k T ) , y ( k T ) ∈ R , (1) with: A =   A O B O C P 0 n O × n R 0 n P × n O A P B P C R 0 n R × n O 0 n R × n P A R   , B =   0 n O × 1 0 n P × 1 B R   , C =   C ⊤ O 0 n P × 1 0 n R × 1   ⊤ , and A R =   0 γ R ( D R ) γ R ( D R − 1) · · · γ R (2) 0 ( D R − 2) × 1 0 ( D R − 2) × 1 I D R − 2 0 0 0 1 × ( D R − 2)   , B R =   γ R (1) 0 1 × ( D R − 2) 1   , C R =  1 0 ( D R − 1) × 1  ⊤ . The matr ices ( A O , B O , C O ) are defined similar ly . I I I . F AU LT D E T E C T I O N O N M C N S In th is section we pr ovide a method ology to detect the current dy namics of a MCN subje ct to link failures using Fault Detection and Identificatio n (FDI) methods. The failure of a set of links f ⊆ E R ∪ E O on the dyn amics (1) can be modeled as follows: x (( k + 1) T ) = Ax ( k T ) + B u ( k T ) + L f m f ( k T ) y ( k T ) = C x ( k T ) (2) where m f ( k T ) : N → R n +1 is an arbitrary function o f time and L f : R n +1 → R n is called th e failure signature map associated to the configura tion o f failures f . W e define the failure signatur e maps as in Figure 4: where the d -th c ompon ents δ R ,f ( d ) an d δ O ,f ( d ) o f the row vectors δ R ,f =  δ R ,f ( D R ) · · · δ R ,f (1)  and δ O ,f =  δ O ,f ( D O ) · · · δ O ,f (1)  are the p ertur- bations in troduce d by the configu ration of failure s f in the paths of G R and G O characterized b y delay d . Since γ R ( d ) ≥ 0 and γ O ( d ) ≥ 0 , and a failure of each path redu ces the value of the co rrespon ding compon ent, then δ R ,f ( d ) ≥ 0 and δ O ,f ( d ) ≥ 0 for each f ⊆ E R ∪ E O . In the absen ce of failures L ∅ = 0 n × ( n +1) . The signal m f ( k T ) depends on the protocol applied by th e co mmunicatio n no des when the con figuration of failures f occurs. By an appro priate ch oice of m f ( k T ) , it is possible to mod el by ( 2) the dynam ics of N when a failure occu rs in the set of links f , for any protoco l applied by the commu nication nodes in case of failure. As a n examp le, if a node sets to 0 the d ata con tribution incoming from a faulty link, then we can m odel this be - havior by defining m f ( k T ) =  x ( k T ) ⊤ u ( k T ) ⊤  ⊤ . If a node uses the latest data received fr om a faulty link, then we can mo del this beh avior by defining m f ( k T ) =  x ( k T ) ⊤ u ( k T ) ⊤  ⊤ + ν , with ν ∈ R n +1 a co nstant vector of r eal nu mbers. T o perf orm failure detection of a MCN with the aim of a pplying an app ropriate con trol law for each dynamics induced by all failure configur ations, we first need to define the s et Φ ⊆ 2 E R ∪ E O of failures we are interested in distinguishing . In fact, we need to d istinguish two failures induced by sets of links f , f ′ only when they intr oduce different pertur bations of the dynam ics (1), namely when L f m f ( k T ) 6 = L f ′ m f ′ ( k T ) . F or this reason, we define Φ Ω the set o f equiv alence classes [ f ] , each consisting of sets of lin ks that a ffect the dyn amics (1) b y me ans of the same representative failure signal L f m f ( k T ) : [ f ] = { f ′ ⊆ E R ∪ E O : ∀ k ≥ 0 , L f ′ m f ′ ( k T ) = L f m f ( k T ) } . For simp licity of notation, we will den ote in the following the eq uiv alence class [ f ] by a represen tati ve set o f link s ϕ ∈ [ f ] . In order to take into account simultaneo us failures, we define the subset Φ Σ ⊂ Φ Ω of equ iv alen ce classes such that the p erturbatio n introduced can be obtain ed as the sum o f L f =     0 − δ O ,f 0 1 × n P 0 1 × n R 0 ( n O + n P − 1) × 1 0 ( n O + n P − 1) × n O 0 ( n O + n P − 1) × n P 0 ( n O + n P − 1) × n R 0 0 1 × n O 0 1 × n P − δ R ,f 0 ( n R − 1) × 1 0 ( n R − 1) × n O 0 ( n R − 1) × n P 0 ( n R − 1) × n R     , Fig. 4. Matrix L f . perturb ations introduced by eq uiv a lence classes of Φ Ω : Φ Σ = ( f ∈ Φ Ω :  ∃ p ∈ N , ∃ f 1 , . . . , f p ∈ Φ Ω \ f : L f m f ( k T ) = m X i =1 L f i m f i ( k T )  ) . Define the set of failures as Φ = Φ Ω \ Φ Σ . Φ always contains the equivalence class ∅ , th at correspon ds to the absence of failures. It is easy to prove that the set Φ always exists and is un ique. For this reason, we can associate to any giv en MCN N the co rrespond ing unique set of failures Φ we are interested in distinguishing, and mod el their si multaneou s occurre nce as follows: x (( k + 1) T ) = Ax ( kT ) + B u ( k T ) + X ϕ ∈ Φ L ϕ m ϕ ( k T ) , y ( k T ) = C x ( k T ) . (3) Giv en a MCN N an d the correspon ding faulty set Φ modeled by (3), we address t he problem of detecting a failure ϕ ∈ Φ tha t is per turbing the dy namics of N b y using the measures of the signals u ( · ) , y ( · ) . T o this aim we leverage on the model-based appr oach developed in [18], which exploits a ban k of L TI observer-like systems ( called the residual generato rs) that take as inp ut the signals u ( · ) , y ( · ) , and provides asymp totic estima tes o f m ϕ ( k T ) f or any failure ϕ ∈ Φ . This allo ws to identify which failur es a re af fecting the dynamics o f N . Th e problem of designing such residual generato rs with ar bitrary asy mptotic convergence rate on the model (3) is we ll k nown as the Extended Fun damenta l Pr ob lem in R esidual Generation (EFPRG). Necessary and sufficient conditio ns for solv ing the E FPRG have been stated in [ 18]: Theor em 2: Given the failure mod el (3), th e EFPRG has a solu tion for the failure ϕ ∈ Φ if and o nly if: S ∗ ( ¯ L ϕ ) ∩ L ϕ = 0 , (4) where ¯ L ϕ := P ϕ ′ ∈ Φ \ ϕ L ϕ ′ . Giv en any L ⊆ R n , the c omputation o f S ∗ ( L ) can be perfor med by applyin g th e (C,A)-In v ariant Subspa ce Algo - rithm (CAISA) and the UnObservability Subspace Algorithm (UOSA), recursive algorithms pr ovided in [25]. W e define W ∗ ( L ) the fixed poin t of the following recursion (CAISA): W k +1 ( L ) = L + A  W k ( L ) ∩ N ( C )  , W 0 ( L ) = 0 . W e defin e S ∗ ( L ) the fix ed p oint of the f ollowing recursion (UOSA): S k +1 ( L ) = W ∗ ( L ) + A − 1  S k ( L )  ∩ N ( C ) , S 0 ( L ) = R n . The following lemma provides a useful proper ty of the CAISA and UOSA Alg orithms. Lemma 3: Le t L ⊆ N ⊥ ( C ) , then W ∗ ( L ) = L , and S ∗ ( L ) = L + K with K ⊆ N ( C ) . Moreover , if L =  N ( C )  ⊥ , the n S ∗ ( L ) = R n . Pr oo f: Let L ⊆  N ( C )  ⊥ , the n W 1 ( L ) = L + A  0 ∩ N ( C )  = L + A ( 0 ) = L , W 2 ( L ) = L + A  L ∩ N ( C )  = L + A ( 0 ) = L = W ∗ ( L ) . For each k > 0 , S k +1 ( L ) = L + A − 1  S k ( L )  ∩ N ( C ) = L + K k , with K k ⊆ N ( C ) . Moreover , if L =  N ( C )  ⊥ , the n: S 1 ( L ) = L + A − 1 ( R n ) ∩ N ( C ) = L + R n ∩ N ( C ) = L + N ( C ) =  N ( C )  ⊥ + N ( C ) = R n = S ∗ ( L ) . For t he sake of clarity , we addr ess the link failure detection problem starting by two special cases. In the first case, we consider a mu lti-hop interco nnection between the c ontroller and the actuator and a single-h op intercon nection between the sensor an d the controller , namely the controllability graph G O consists of two n odes connected by one link. In th e sec- ond case, we consider a single-hop interconne ction between the contro ller an d the actuator, namely the controllab ility graph G R consists o f two nodes con nected by one link , and a multi-hop intercon nection b etween th e sensor a nd the con troller . In the third case, we con sider the genera l case when b oth G R and G O are m ulti-hop com munication networks. A. G R multi-hop an d G O single-hop If G O consists of a single-hop, th en n O = 1 , A O = 0 , B O = C O = 1 . As illustrated in [18], each L ϕ can be a s- sumed monic with no loss of generality , since when failures are not present the correspo nding comp onents of m ϕ ( k T ) are identically zer o. For this reason, by an approp riate ch oice of m ϕ ( k T ) , we d efine the L ϕ in (3) as fo llows: L ϕ =   0 ( n O + n P ) × n R − δ ϕ 0 ( n R − 1) × n R   , where δ ϕ ∈ ( R + 0 ) n R is a row vector and L ϕ : R n R → R n . The fo llowing theorem states a negative result. Theor em 4: Let a MCN N an d th e cor respond ing faulty set Φ be given, where G R is multi-hop and G O is single- hop. Then the EFPRG can be solved for each ϕ ∈ Φ if a nd only if | Φ | ≤ 2 . Pr oo f: ( sufficiency ) If | Φ | = 1 then Φ = { ∅ } , and failures are no t defined. I f | Φ | = 2 th en Φ = { ∅ , ϕ } . Therefo re, ¯ L ϕ = L ∅ and ¯ L ∅ = L ϕ . Since L ∅ = 0 , it is easy to deri ve tha t S ∗ ( L ϕ ) ∩ L ∅ = 0 and that S ∗ ( L ∅ ) ∩ L ϕ = 0 . ( necessity ) Assume that | Φ | > 2 . Note that all the ele- ments of the matrix L ϕ are zeros, except the ( n O + n P + 1) -th row . For th is reason : ∀ ϕ ∈ Φ , L ϕ = span [ e n O + n P +1 ] := L R . Thus, for eac h ϕ ∈ Φ , ¯ L ϕ = L R . Since ¯ L ϕ ⊆ S ∗ ( ¯ L ϕ ) , for each ϕ ∈ Φ the following holds: S ∗  ¯ L ϕ  ∩ L ϕ = S ∗ ( L R ) ∩ L R = L R 6 = 0 . The above theorem states that if the contr ollability graph is multi-h op and the o bservability graph is single-hop, then it is no t possible to distingu ish failures in a set Φ , unless Φ is tri vial. In the following section, we will show tha t m ore can be d one if the con trollability g raph is single- hop an d the observability graph is multi-hop . B. G R single-hop a nd G O multi-hop If G R consists of a single-h op, then n R = 1 , A R = 0 , B R = C R = 1 . Using th e same reasoning as in the above section, we c an d efine a set Φ of equivalence classes of link failures tha t equ ally pertu rb the dyn amics (3). Since in this case the failures occur in the o bservability graph, by an ap propr iate choice o f m ϕ ( k T ) we define L ϕ : R n O → R n the failure signature map associated to the equivalence classes ϕ ∈ Φ : L ϕ =  − δ ϕ 0 ( n − 1) × n O  , (5) where δ ϕ ∈ ( R + 0 ) n O is a row vector and ea ch co mpone nt δ ϕ ( d ) is the per turbation intr oduced by a failure ϕ in th e paths of G O characterized by delay d . The following theo rem motiv ates an extension of th e mo del (3). Theor em 5: Let a MCN N an d th e cor respond ing faulty set Φ be given, where G R is single-hop and G O is multi- hop. Then the EFPRG can be solved for each ϕ ∈ Φ only if the f ollowing co ndition ho lds: d   N ( C )  ⊥  ≥ X ϕ ∈ Φ d ( L ϕ ) := n Φ . Pr oo f: E quation ( 5) implies th at L ϕ ⊆  N ( C )  ⊥ for each ϕ ∈ Φ . Theref ore P ϕ ∈ Φ L ϕ ⊆  N ( C )  ⊥ , wh ich imp lies that: d   X ϕ ∈ Φ L ϕ   ≤ d   N ( C )  ⊥  . (6) Condition (4) implies that ∀ ϕ, ϕ ′ ∈ Φ , L ϕ ∩ L ϕ ′ = 0 . Therefo re: d   X ϕ ∈ Φ L ϕ   = X ϕ ∈ Φ d ( L ϕ ) . (7) Applying (7 ) to (6 ) comp letes the pr oof. The above theorem shows that it is n ot possible to design a residu al generato r fo r each ϕ ∈ Φ if the rank o f the matrix C is smaller than n Φ . In par ticular, in system (1) th e rank of C is 1, an d n Φ is equal to 1 only if th e set Φ is tri vial, namely it contains th e equiv alence class ∅ and just one equiv alence c lass ϕ . For this reason , we need to con sider a mo re gener al m odel fo r the observability gr aph. More precisely , we consider observability graphs characterized by n S terminating nodes v 1 , . . . , v n S , with n S ≥ n Φ . This can be m odeled with out loss of generality by red efining m atrices A O , B O and C O as in Figure 5: where n O = D O + n S − 1 is the n ew dimension of the state space. The failure sign ature map s L ϕ : R D O → R n are: L ϕ =      − δ ϕ, 1 . . . − δ ϕ,n S 0 ( n − n S ) × D O      , (8) where δ ϕ,i ∈ ( R + 0 ) D O and each co mponen t δ ϕ,i ( d ) is the perturb ation introduced by a failure ϕ in the path s of G O terminating with no de v i and ch aracterized by delay d . The following theorem states necessary and suf ficient conditions to solve the EFPRG when G O is multi-hop and G R is single- hop. Theor em 6: Let a MCN N an d th e cor respond ing faulty set Φ be g iv en, where G R is single-h op and G O is multi-h op with n S ≥ n Φ terminating no des. Then the EFPRG can be solved for eac h ϕ ∈ Φ if and on ly if th e fo llowing con dition holds: d ( L Φ ) = n Φ , (9) where the matrix L Φ :=  L ϕ 1 L ϕ 2 · · · L ϕ | Φ |  is th e juxtaposition of all failure signatu re maps in Φ and h as dimensions n S × n Φ . Pr oo f: W e need to s tate the equivalence b etween (9) and (4). For any ϕ ∈ Φ , L ϕ ⊆  N ( C )  ⊥ and ¯ L ϕ ⊆  N ( C )  ⊥ . Thus, Lem ma 3 im plies that: S ∗  ¯ L ϕ  = ¯ L ϕ + K ϕ , K ϕ ⊆ N ( C ) . Moreover , for any ϕ ∈ Φ , L ϕ ∩ K ϕ = 0 , thus: S ∗  ¯ L ϕ  ∩ L ϕ =  ¯ L ϕ + K ϕ  ∩ L ϕ = ¯ L ϕ ∩ L ϕ . It fo llows that (4) is equivalent to the following: ¯ L ϕ ∩ L ϕ = 0 . (10) Since n S ≥ n Φ by ass umption , then d ( L Φ ) ≤ n Φ . Since L ϕ are monic, Condition (10) implies that (4) holds if and only if d ( L Φ ) = n Φ . The following theorem character izes the relatio n b etween Condition (9) and th e top ology of G O ( η O ) . Theor em 7: Let a MCN N an d th e cor respond ing faulty set Φ be g iv en, where G R is single-h op and G O is multi-h op with n S terminating no des. Then , d ( L Φ ) = n Φ if an d on ly if G O ( η O ) is a tr ee, where v y is the ro ot n ode and v 1 , . . . , v n S are the leaves. A O =        0 1 × n S γ 1 ( D O ) γ 1 ( D O − 1) · · · γ 1 (2) . . . . . . . . . . . . . . . 0 1 × n S γ n S ( D O ) γ n S ( D O − 1) · · · γ n S (2) 0 ( D O − 2) × n S 0 ( D O − 2) × 1 I D O − 2 0 1 × n S 0 0 1 × ( D O − 2)        , B O =  γ 1 (1) · · · γ n S (1) 0 1 × ( D O − 2) 1  ⊤ , C O =  I n S 0 n S × ( D O − 1)  . Fig. 5. Matrice s A O , B O and C O . Pr oo f: ( sufficiency ) Let G O ( η O ) be a tree, where v y is the root node and th e terminating nodes v 1 , . . . , v n S are the leaves. Theref ore, fo r each termin ating no de v i , i ∈ { 1 , . . . , n S } the re exist a unique a link e i = ( v ′ i , v i ) ∈ E O , with v ′ i ∈ V O \ { v 1 , . . . , v n S } . De fine the con figuration s of failures f i = { e i } , i ∈ { 1 , . . . , n S } an d th e co rrespond ing failure sign ature maps { L f 1 , . . . , L f n S } , ea ch ch aracterized by n S rows and 1 column. Since G O ( η O ) is a tree, for each set f ∈ 2 E O \  f 1 , . . . , f n S  , there exist p ≤ n S and e 1 , . . . , e p such that L f m f ( k T ) = P p i =1 L f i m f i ( k T ) , ∀ k ≥ 0 . Since L f i ∩ L f j 6 = 0 for e ach i , j = 1 , . . . , n S , i 6 = j , then Φ = { f 1 , . . . , f n S } an d n Φ = n S . Since L f 1 , . . . , L f n S are monic, then d ( L Φ ) = n Φ . ( necessity ) Assume that G O ( η O ) is not a tree. Then there exist nodes v , v ′ , a nd v ′′ such tha t e ′ = ( v ′ , v ) , e ′′ = ( v ′′ , v ) ∈ E O . Define f ′ = { e ′ } an d f ′′ = { e ′′ } I n this case, L f ′ assumes the following form: L f ′ = −      δ ′ v y ,v 1 ( D O ) · · · δ ′ v y ,v 1 (1) . . . . . . . . . δ ′ v y ,v n S ( D O ) · · · δ ′ v y ,v n S (1) 0 ( n − n S ) × 1 · · · 0 ( n − n S ) × 1      , where δ ′ v y ,v i ( d ) is th e contribution on the dy namics (3) of all paths starting from v y , terminatin g in node v i , passing throug h e ′ , an d charac terized by a delay d . I t follows that: L f ′ ⊇ span             P D O d =1 δ ′ v y ,v 1 ( d ) . . . P D O d =1 δ ′ v y ,v n S ( d ) 0 ( n − n S ) × 1             If a failure occurs in link e ′ , then the co ntribution P D O d =1 δ ′ v y ,v i ( d ) on the dynam ics (3 ) can be decomposed as the pro duct of the con tributions of all p aths starting in v y and terminating in v passing through e ′ , and o f the contributions of all paths starting in v and termina ting in v i . Th us, L f ′ ⊇ span                P D O d =1 δ ′ v y ,v ( d )   P D O d =1 δ v, v 1 ( d )  . . .  P D O d =1 δ ′ v y ,v ( d )   P D O d =1 δ v, v n S ( d )  0 ( n − n S ) × 1               . Since L f ′′ can be defined similar ly , then : L f ′′ ⊇ sp an                P D O d =1 δ ′′ v y ,v ( d )   P D O d =1 δ v, v 1 ( d )  . . .  P D O d =1 δ ′′ v y ,v ( d )   P D O d =1 δ v, v n S ( d )  0 ( n − n S ) × 1               . It is clear that L f ′ ∩ L f ′′ 6 = 0 . If ∃ k ≥ 0 : L f ′ m f ′ ( k T ) 6 = L f ′′ m f ′′ ( k T ) , then the co nfiguratio ns o f failures f ′ and f ′′ belong to different equ i valence classes of Φ and thus d ( L Φ ) < n Φ . If L f ′ m f ′ ( k T ) = L f ′′ m f ′′ ( k T ) , ∀ k ≥ 0 , then the configura tions of failures of f ′ and f ′′ belong to the same equiv alence class [ L f ′ m f ′ ] of Φ , and we c an not conc lude that d ( L Φ ) < n Φ . Howev er , the simu ltaneous failure o f lin ks e ′ and e ′′ belongs to the equiv alence class [ L f ′ ∪ f ′′ m f ′ ∪ f ′′ ] , with L f ′ ∪ f ′′ 6 = L f ′ and L f ′ ∪ f ′′ ∩ L f ′ 6 = 0 , and thus d ( L Φ ) < n Φ . Cor ollary 8: Let a MCN N an d the correspondin g faulty set Φ be g iv en, where G R is single-h op and G O is multi-h op with n S terminating nodes. If the EFPRG can be solved f or each ϕ ∈ Φ , the n n S = n Φ and L Φ =  N ( C )  ⊥ . Pr oo f: Straightfo rward since G O ( η O ) is a tree, and thus to each ter minating node v i , i ∈ { 1 , . . . , n S } corr esponds only o ne path from v y to v i . The n ecessary an d sufficient con dition given in T heorem 7 p rovides a hard co nstraint on the to pology of G O ( η O ) induced by the schedulin g η O . Th is is no t surprising , since we require to solve the EFPRG for the set Φ of all con- figuration s of failures that pertu rb the dy namics (3). From an imp lementation p oint o f view , this con straint can be both inter preted as hard ware or software redu ndancy . In the form er ca se, the tree structur e of G O ( η O ) provides a hardware separation for a ll paths from v y to the terminating nodes. Ho we ver , a tree communication graph m ight be n ot always implemen table in real cases: therefo re, the constraint on G O ( η O ) can be implemented b y using, fo r those c om- munication no des th at receive d ata fro m multiple incoming links, separate mem ory slots for each of the incom ing data. These n odes will tran smit d istinct data for each m emory slot, thu s providing a software sep aration for all paths from v y to the terminating nod es. I n general, a combin ation of the above app roaches is reasonably implementab le in a real co mmunic ation network. An interesting future research direction is relating the properties of G O ( η O ) with Conditio n (9) when the numb er o f simu ltaneous failures that can occu r is bounded, or when failur es can not occur in some secure paths of the c ommun ication network.                                0 1 × n S − 1 0 0 γ 1 (1) C P B P 2 P i =1 γ 1 ( i ) C P A 2 − i P B P · · · D O − 1 P i =1 γ 1 ( i ) C P A ( D O − 1 − i ) P B P D O P i =1 γ 1 ( i ) C P A ( D O − i ) P B P D O P i =1 γ 1 ( i ) C P A ( D O +1 − i ) P B P · · · 0 0 γ 2 (1) C P B P 2 P i =1 γ 2 ( i ) C P A 2 − i P B P · · · D O − 1 P i =1 γ 2 ( i ) C P A ( D O − 1 − i ) P B P D O P i =1 γ 2 ( i ) C P A ( D O − i ) P B P D O P i =1 γ 2 ( i ) C P A ( D O +1 − i ) P B P · · · I n s − 1 . . . . . . . . . . . . . . . . . . . . . . . . · · · 0 0 γ n S (1) C P B P 2 P i =1 γ n S ( i ) C P A 2 − i P B P · · · D O − 1 P i =1 γ n S ( i ) C P A ( D O − 1 − i ) P B P D O P i =1 γ n S ( i ) C P A ( D O − i ) P B P D O P i =1 γ n S ( i ) C P A ( D O +1 − i ) P B P · · · 0 1 × n S − 1 0 0 0 0 · · · C P B P C P A P B P C P A 2 P B P · · · 0 1 × n S − 1 0 0 0 0 · · · C P A P B P C P A 2 P B P C P A 3 P B P · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 1 × n S − 1 0 0 0 0 · · · C P A D O − 4 P B P C P A D O − 3 P B P C P A D O − 2 P B P · · · 0 1 × n S − 1 0 0 0 C P B P · · · C P A D O − 3 P B P C P A D O − 2 P B P C P A D O − 1 P B P · · · 0 1 × n S − 1 0 0 C P B P C P A P B P · · · C P A D O − 2 P B P C P A D O − 1 P B P C P A D O P B P · · · 0 1 × n S − 1 0 B P A P B P A 2 P B P · · · A D O − 1 P B P A D O P B P A D O +1 P B P · · · 0 1 × n S − 1 1 0 0 0 · · · 0 0 0 · · · 0 n R − 1 × n S − 1 0 n R − 1 × 1 0 n R − 1 × 1 0 n R − 1 × 1 0 n R − 1 × 1 · · · 0 n R − 1 × 1 0 n R − 1 × 1 0 n R − 1 × 1 · · ·                                Fig. 6. Inducti ve defini tion of matrix Ψ ∞ . C. G R and G O multi-hop When both G R and G O are multi-hop , we need to define the set Φ = Φ R ∪ Φ O of equ iv alen ce classes tha t equally perturb the d ynamics (3 ). I n th is case, failures occur in both th e controllab ility and observability graphs. Therefo re, by an appro priate choice of m ϕ ( k T ) , we define the failure signature maps assoc iated to the equ iv alen ce classes ϕ R ∈ Φ R and ϕ O ∈ Φ O by: L ϕ R =   0 ( n O + n P ) × n R − δ ϕ R 0 ( n R − 1) × n R   , L ϕ O =  − δ ϕ O 0 ( n − n S ) × n O  , with δ ϕ R ∈ ( R + 0 ) D R a row vector, and δ ϕ O ∈ ( R + 0 ) n S × D O as defin ed in (8 ). W e r ecall that, for ea ch ϕ R ∈ Φ R non-em pty , L ϕ R = span ( e n O + n P +1 ) . Ther efore, we will consider w .l.o.g. on ly one failure in the reachability graph , namely Φ R = { ∅ , ϕ R } with L ϕ R = span ( e n O + n P +1 ) . Moreover , by Theorem 7, a necessary con dition to solve the EFPRG fo r any ϕ O ∈ Φ O is th at G O is a tree. The refore, we will consider w .l.o. g. a failure in the observability gra ph for each path, namely Φ O = { ϕ 1 , . . . , ϕ n S } with L ϕ i = span ( e i ) . The f ollowing theor em states that it is no t possible to detect failures in the co ntrollability a nd o bservability graph s using the measureme nts of the observability graph. Theor em 9: Let a MCN N an d th e cor respond ing faulty set Φ be g iv en, wh ere G R is multi-h op and G O is m ulti-hop with n S terminating no des. Then the EFPRG is not so lvable for any ϕ R ∈ Φ R and any ϕ O ∈ Φ O . Pr oo f: W e first show that S ∗  ¯ L ϕ R  ∩ L ϕ R 6 = 0 . By Corollary 8, P ϕ O ∈ Φ O L ϕ O =  N ( C )  ⊥ , and S ∗ ( P ϕ O ∈ Φ O L ϕ O ) = R n by Lemm a 3. Since ¯ L ϕ R = P ϕ O ∈ Φ O L ϕ O , the n S ∗  ¯ L ϕ R  ∩ L ϕ R 6 = 0 . T o complete the p roof, we need to show that for each i ∈ { 1 , . . . , n S } , S ∗  ¯ L ϕ i  ∩ L ϕ i 6 = 0 , with ϕ i ∈ Φ O . W e will on ly provide the pr oof for i = 1 : the same reasoning can be used for i ∈ { 2 , . . . , n S } . The space W ∗  ¯ L ϕ 1  is generated by the sub matrix Ψ h , which con sists of the first h colu mns o f the matrix Ψ ∞ with infinite colum ns induc ti vely defined in Figure 6, an d wh ere the value o f h depen ds on the termin ating con dition of the CAISA Algorithm . More p recisely , h is the smallest integer such that r ank  span (Ψ h ) ∩ N ( C )  = r ank  span (Ψ h +1 ) ∩ N ( C )  . The above terminatin g cond ition o ccurs at colum n h if an d only if one of the f ollowing two cond itions h olds: (i) the 1 - st r ow of c olumn h (whic h is a scalar) is eq ual to zero and colum n h is linearly depen dent on all the previous columns 1 , . . . , h − 1 ; (ii) the 1 - st row of colu mn h is dif ferent from zero. W e show in the following that con dition (ii) will always stop the CAISA alg orithm bef ore condition (i) can occur . Let m ∈ N ∪ { 0 } be the smallest value such that C P A m P B P 6 = 0 . Since ( A P , B P ) is contr ollable and ( C P , A P ) is o bservable, then m ≤ n P − 1 . Note that the first n s + 1 column s of Ψ ∞ are alr eady pr esent, since they belon g to ¯ L ϕ 1 . Th e subsequen t m colu mns are linearly indepen dent from th e p revious columns since ( A P , B P ) is c ontrollable and m ≤ n P − 1 . Since the scalar C P A m P B P 6 = 0 appears at row n S + D O − 1 and at column n S + 2 + m , th e subseque nt D O − 2 column s a re linearly independent from the previous columns. Therefo re, c olumn h can be linearly dependen t on all the previous columns fo r h ≥ h 1 = n S + m + D O + 1 . Let 1 ≤ d 1 ≤ D O be the smallest value such that γ 1 ( d 1 ) 6 = 0 . T herefor e, the 1 -st row of Ψ ∞ will have a non-zer o value for the first time at r ow column h 2 = n S + m + d 1 + 1 . Since h 2 ≤ h 1 , then cond ition (ii) will always stop the CAISA algorithm be fore cond ition (i) can o ccur . Therefo re: W ∗  ¯ L ϕ 1  = span   I n S − 1 0 ψ 1 0 0 ψ 2 0 I l ψ 3   , where l ≤ n − n S , ψ 1 is a n S − 1 column vector, ψ 2 6 = 0 is a scalar , an d ψ 3 is a l column vecto r . Apply ing the UOSA algorithm , we obtain : S 1  ¯ L ϕ 1  = W ∗  ¯ L ϕ 1  + N ( C ) = R n = S ∗  ¯ L ϕ 1  , which clear ly implies that S ∗  ¯ L ϕ 1  ∩ L ϕ 1 6 = 0 . Theorem 9 states that, in order to detect failures in the observability grap h, th e controllab ility graph mu st n ot be subject to failures. By a p ractical point o f view , th e com- munication protoco l in the controllability graph is re quired to imp lement failure detection using handshak ing messages between nod es an d inform the controller abou t th e set of faulty links. R E F E R E N C E S [1] I.F . Akyildiz and I.H. Kasimoglu, “W irel ess Sensor and Actor Net- works: Research Ch allen ges, ” Ad Hoc Net works , vol. 2, no. 4, pp. 351–367, 2004. [2] J. Song, S. Han, A.K. Mok, D. Chen, M. L ucas, M. Nixon, and W . Pratt, “W irele ssHAR T: Applyin g Wi reless T echnology in Real- Time Industrial Process Control, ” in RT AS , 2008. [3] J. Song, S. Han, X. Zhu, A.K. Mok, D. Chen, and M. Nixon, “A Complete Wirel essHAR T Network, ” in ACME , 2008, pp. 381–382. [4] W . Z hang, M.S. Branick y, and S.M. Phillips, “Stabil ity of Network ed Control Systems, ” IEEE Contr ol Systems Magazine , vol. 21, no. 1, pp. 84–99, February 2001. [5] G.C. W alsh and H. Y e, “Scheduling of Network ed Control Systems, ” IEEE Contr ol Systems Magazine , pp. 57–65, February 2001. [6] P . Antsaklis and J. Bail lieul , “Guest Editorial Special Issue on Net- work ed Contro l Syste ms, ” IEEE T ransac tions on Automatic Contr ol , vol. 49, no. 9, pp. 1421–1423, September 2004. [7] J.P . Hespanha, P . Naghshta brizi , and Y . Xu, “A Surv ey of Recent Results in Network ed Control Systems, ” Proce edings of the IEEE , vol. 95, no. 1, pp. 138–162, January 2007. [8] W .P .M.H. Heemels, A. R. T eel , N. van de W ouw, and D. Ne ˇ si ´ c, “Net- work ed Control Systems Wit h Communication Constraints: Trad eof fs Betwee n Tra nsmission Interv als, Delays and Performance, ” IEEE T ransactions on Automat ic Contr ol , vol. 55, no. 8, pp. 1781 –1796, August 2010. [9] M. A ndersson, D. H enriksson, A. Cervin, and K. Arzen, “Simulation of Wirel ess Network ed Control Systems, ” in Proce edings of the 44th IEEE Confer ence on Decision and Contr ol and Europe an Contr ol Confer ence , 2005, pp. 476–481. [10] R. Alur , A. D’Innocenzo, K. H. Johansson, G. J. Pappas, and G. W eiss, “Modeling and Analysis of Multi-Hop Contro l Netw orks, ” in Pr oceed ings of the 15th IEEE R eal-T ime and Embedded T echnolo gy and Applications Symposium (RTAS) , 2009. [11] R. Alur, A. D’Innocenzo, K.H. Johansson, G.J. Pappas, and G. W eiss, “Compositional Modeling and Analysis of Multi-Hop Control Networ ks, ” IEEE T ransactions on Automatic Contr ol , 2011, accepted for publication as regular paper . [12] M.D. Di Benedett o, A. D’Innocenzo, and E. Serr a, “Fault T olerant Stabili zabil ity of Multi-Hop Control Networks, ” in Proc eedin gs of the 18th IF AC W orld Congre ss, Milan, Italy , 2011, preprint av ail able at arXi v:110 3.4340v1. [13] A. D’Innocenz o, G. W eiss, R. Al ur , A.J. Isaksson, K.H. Johansson, and G.J. Pappas, “Scala ble Scheduli ng Algorith ms for W irel ess N etw orked Control Systems, ” in Proce edings of the 5th IEEE Confer ence on Automat ion Science and Engineering (CASE) , 2009. [14] M.M. Zavlanos and G.J. Pappas, “Distribut ed Connecti vity Control of Mobile Networks, ” in Pro ceedi ngs of the 46th IEEE Confer ence on Decision and Contr ol , Dece mber 2007, pp. 3591 –3596. [15] N. Meskin and K. Khorasani, “ Actuator Fault Detection and Isolation for a Network of Unmann ed V ehi cles, ” IEEE T ransact ions on Auto- matic Contr ol , vol. 54, no. 4, pp. 835 –840, April 2009. [16] R. Be ard, “F ailur e Accomondat ion in Linea r Systems Through Self- Reor ganiza tion, ” Ph.D. dissertatio n, MIT, 1971. [17] H. Jones, “Fai lure Detection in Linear Systems, ” Ph.D. dissertatio n, MIT, 1973. [18] M.-A. Massoumnia, G.C. V erghe se, and A.S . Will sky , “F ail ure De- tecti on and Identification , ” IEE E T ransact ions on Aut omatic Contr ol , vol. 34, no. 3, pp. 316 –321, Mar . 19 89. [19] C. De Persis and A. Isidor i, “ A Geometric Approach to Nonlinear Faul t Detectio n and Isolation, ” IEEE Tr ansact ions on Automati c Con- tr ol , vol. 46, no. 6, pp. 853 –865, June 2001. [20] R. Gupta an d M. -Y . Chow , “Netw ork ed Control System: Overvie w and Research Trend s, ” IEEE T ransac tions on Industrial Electr onics , vol. 57, no. 7, pp. 2527 –2535, July 2010. [21] Y . W ang, S.X. Ding, H. Y e, a nd G. W ang, “A New Fault Dete ction Scheme for Network ed Control Syste ms Subjec t to Unc ertain T ime- V arying Dela y, ” IEEE T ransactions on Signal Pr ocessing , vol. 56, no. 10, pp. 5258 –5268, October 2008. [22] C. Commault and J.-M. Dion, “Sensor Location for Diagnosis in Lin- ear Systems: A Structural Analysis, ” IEEE T ra nsaction s on Automatic Contr ol , v ol. 52, no. 2, pp. 155 –169, February 2007. [23] S. Sundaram, M. Pajic, C.N. Hadjic ostis, R. Mangharam, and G .J. Pappa s, “The Wir eless Contro l Netw ork: Monito ring for Malicious Beha vior, ” in P r ocee dings of th e 49th IEEE Confer ence on Decision and Contr ol (CDC) , D ecember 2010, pp. 5979 –5984. [24] M.D. Di Benedett o, A. D’Innocenzo, and E. Serra, “Dynamical Powe r Optimiza tion by Decentr alize d Routing Control in Multi-Hop Wirel ess Control Networks, ” in Proce edings of the 18th IF AC W orld Congr ess, Milan, Italy , 2011. [25] W . M. W onham, Linear Multivariab le Contr ol: a Geometric A ppr oach , 2nd ed., ser . Appl icat ions of Mathematics. Springer-V er lag, 1979.