Diagnosability, Security and Safety of Hybrid Dynamic and Cyber-Physical Systems, 1st edition, by Moamar Sayed-Mouchaweh, ISBN 3319749617, 978-3319749617
Editor
Moamar Sayed-Mouchaweh
Diagnosability, Security and Safety of
Hybrid Dynamic and Cyber-Physical
Systems
Editor
Moamar Sayed-Mouchaweh
Institute Mines-Telecom Lille Douai, Douai, France
ISBN 978-3-319-74961-7 e-ISBN 978-3-319-74962-4
https://doi.org/10.1007/978-3-319-74962-4
Library of Congress Control Number: 2018934979
© Springer International Publishing AG, part of Springer Nature 2018
This work is subject to copyright. All rights are reserved by the
Publisher, whether the whole or part of the material is concerned,
specifically the rights of translation, reprinting, reuse of illustrations,
recitation, broadcasting, reproduction on microfilms or in any other
physical way, and transmission or information storage and retrieval,
electronic adaptation, computer software, or by similar or dissimilar
methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks,
service marks, etc. in this publication does not imply, even in the
absence of a specific statement, that such names are exempt from the
relevant protective laws and regulations and therefore free for general
use.
The publisher, the authors and the editors are safe to assume that the
advice and information in this book are believed to be true and accurate
at the date of publication. Neither the publisher nor the authors or the
editors give a warranty, express or implied, with respect to the material
contained herein or for any errors or omissions that may have been
made. The publisher remains neutral with regard to jurisdictional
claims in published maps and institutional affiliations.
Printed on acid-free paper
This Springer imprint is published by the registered company Springer
International Publishing AG part of Springer Nature.
The registered company address is: Gewerbestrasse 11, 6330 Cham,
Switzerland
Preface
Cyber-physical systems (CPS) are characterized as a combination of
physical (physical plant, process, network) and cyber (software,
algorithm, computation) components whose operations are monitored,
controlled, coordinated, and integrated by a computing and
communicating core. The interaction between physical and
computational components in CPS is intensive. CPS cover an
increasing number of real-life applications such as autonomous
vehicles, aircraft, smart manufacturing processes, surgical robots and
human-robot collaboration, smart electric grids, home appliances, air
traffic control, automated farming, and implanted medical devices. The
interaction between physical and cyber components requires tools
for analyzing and modeling both the discrete (discrete event
control, communication protocols, discrete sensors/actuators,
scheduling algorithms, etc.) and continuous (continuous dynamics,
physics, continuous sensors/actuators, etc.) dynamics. Therefore, many
CPS can be modeled as hybrid dynamic systems in order to take into
account both discrete and continuous behaviors as well as the
interactions between them.
Many critical infrastructures, such as power generation and
distribution networks, water networks and mass transportation
systems, autonomous vehicles and traffic monitoring, are CPS. Such
systems, including critical infrastructures, are becoming widely used
and covering many aspects of our daily life. Therefore, the security,
safety, and reliability of CPS are essential for the success of their
implementation and operation. However, these systems are prone to
major incidents resulting from cyberattacks and system failures. These
incidents significantly affect their security and safety. Attacks can be
represented either as interference in the communication channel between
the supervisor and the system, intentionally generated by intruders in
order to damage the system, or as the enabling (respectively
disabling) of actuator events that are disabled (respectively enabled)
by the supervisor. In general, intruders intentionally hide, create, or
even change events that transit from one device (actuator, sensor) to
another in a control communication channel. In a supervisory control
system, these attacks can lead the plant to execute event sequences
that drive the system into unsafe or dangerous states that can damage
it.
Therefore, reliable, scalable, and timely fault diagnosis is crucial in
order to improve the robustness of CPS to failures. In addition, it is
essential to detect intrusions that exploit the vulnerabilities of
industrial control systems in order to intentionally alter the integrity,
confidentiality, and availability of CPS. These cyberattacks affect the
control commands of the controller [Programmable Logic Controller
(PLC)], the reports (sensors readings) coming from the plant as well as
the communication between them. Moreover, a thorough
understanding of the vulnerability of CPS’ components against such
incidents can be incorporated in future design processes in order to
better design such systems. Finally, the timely fault diagnosis can help
operators to have better situation awareness and give them ample time
to implement correction (maintenance) actions.
However, guaranteeing the security and safety of CPS requires
verifying their behavioral or safety properties either at design stage
such as state reachability, diagnosability, and predictability or online
such as fault detection and isolation. This is a challenging task because
of the inherent interconnected and heterogeneous combination of
behaviors (cyber/physical, discrete/continuous) in these systems.
Indeed, fault propagation in CPS is governed not only by the behaviors
of components in the physical and cyber subsystems but also by their
interactions. This makes the identification of the root cause of observed
anomalies and predicting the failure events a hard problem. Moreover,
the increasing complexity of CPS and the security and safety
requirements of their operation as well as their decentralized resource
management entail a significant increase in the likelihood of failures in
these systems. Finally, it is worth mentioning that computing the
reachable set of states of hybrid dynamic systems (HDS) is an
undecidable problem due to the infinite state space of continuous systems.
This edited Springer book presents recent and advanced
approaches and techniques that address the complex problem of
analyzing the diagnosability property of CPS and ensuring their
security and safety against faults and attacks. The CPS are modeled as
hybrid dynamic systems using different model-based and data-driven
approaches in different application domains (electric transmission
networks, wireless communication networks, intrusions in industrial
control systems, intrusions in production systems, wind farms, etc.).
These approaches handle the problem of ensuring the security of CPS
in presence of attacks and verifying their diagnosability in presence of
different kinds of uncertainty (uncertainty related to the event
occurrences, to their order of occurrence, to their value etc.).
Finally, the editor is very grateful to all authors and reviewers for
their very valuable contributions, which set another cornerstone
in the research and publication history of studying the diagnosability,
security, and safety of CPS modeled as hybrid dynamic systems. I would
also like to acknowledge Mrs. Mary E. James for establishing the
contract with Springer and supporting the editor in all organizational
aspects. I hope that this volume will be a useful basis for further fruitful
investigations and fresh ideas for researchers and engineers as well as a
motivation and inspiration for newcomers to address the problems
related to this very important and promising field of research.
Moamar Sayed-Mouchaweh
Douai, France
Contents
1 Prologue
Moamar Sayed-Mouchaweh
2 Wind Turbine Fault Localization: A Practical Application of
Model-Based Diagnosis
Roxane Koitz, Franz Wotawa, Johannes Lüftenegger,
Christopher S. Gray and Franz Langmayr
3 Fault Detection and Localization Using Modelica and Abductive
Reasoning
Ingo Pill and Franz Wotawa
4 Robust Data-Driven Fault Detection in Dynamic Process
Environments Using Discrete Event Systems
Edwin Lughofer
5 Critical States Distance Filter Based Approach for Detection and
Blockage of Cyberattacks in Industrial Control Systems
Franck Sicard, Éric Zamai and Jean-Marie Flaus
6 Active Diagnosis for Switched Systems Using Mealy Machine
Modeling
Jeremy Van Gorp, Alessandro Giua, Michael Defoort and
Mohamed Djemaï
7 Secure Diagnosability of Hybrid Dynamical Systems
Gabriella Fiore, Elena De Santis and Maria Domenica Di Benedetto
8 Diagnosis in Cyber-Physical Systems with Fault Protection
Assemblies
Ajay Chhokra, Abhishek Dubey, Nagabhushan Mahadevan,
Saqib Hasan and Gabor Karsai
9 Passive Diagnosis of Hidden-Mode Switched Affine Models with
Detection Guarantees via Model Invalidation
Farshad Harirchi, Sze Zheng Yong and Necmiye Ozay
10 Diagnosability of Discrete Faults with Uncertain Observations
Alban Grastien and Marina Zanella
11 Abstractions Refinement for Hybrid Systems Diagnosability
Analysis
Hadi Zaatiti, Lina Ye, Philippe Dague, Jean-Pierre Gallois and
Louise Travé-Massuyès
Index
© Springer International Publishing AG 2018
Moamar Sayed-Mouchaweh (ed.), Diagnosability, Security and Safety of Hybrid
Dynamic and Cyber-Physical Systems
https://doi.org/10.1007/978-3-319-74962-4_1
1. Prologue
Moamar Sayed-Mouchaweh (1)
(1) Institute Mines-Telecom Lille Douai, Douai, France
1.1 Cyber-Physical Systems as Hybrid Dynamic
Systems
Cyber-physical systems (CPS) [1] are characterized as a combination of
physical (physical plant, process, network) and cyber (software,
algorithm, computation) components whose operations are monitored,
controlled, coordinated, and integrated by a computing and
communicating core. The interaction between physical and
computational components in CPS is intensive. CPS cover an increasing
number of real-life applications such as autonomous vehicles, aircraft,
smart manufacturing processes, surgical robots and human-robot
collaboration, smart electric grids, home appliances, air traffic control,
automated farming and implanted medical devices.
Hybrid dynamic systems (HDS) [2] are systems in which the
discrete and continuous dynamics cohabit. The discrete dynamics is
described by discrete state variables while the continuous dynamics is
described by continuous state variables. HDS exhibit different
continuous dynamic behavior depending on the current operation
mode q as follows:
where $X$ is the state vector and $u$ is the input vector. In the case of linear
systems, $A(q)$ and $B(q)$ are constant matrices of appropriate
dimensions.
The interaction between physical and cyber components
requires tools for analyzing and modeling both the discrete
(discrete event control, communication protocols, discrete
sensors/actuators, scheduling algorithms, etc.) and continuous
(continuous dynamics, physics, continuous sensors/actuators, etc.)
dynamics. Therefore, many CPS can be modeled as hybrid dynamic
systems [3, 4] in order to take into account both discrete and
continuous behaviors as well as the interactions between them.
There are different classes of HDS, e.g., autonomous switching
systems [5], discretely controlled switching systems [2], piecewise
affine systems [6], discretely controlled jumping systems [7]. Many
complex systems are embedded in the sense that they consist of a
physical plant with a discrete controller. Therefore, the system has
several discrete changes between different configuration modes
through the actions of the controller exercised on the system plant (e.g.,
actuators). This kind of HDS is called discretely controlled continuous
or switching systems (DCCS) [7]. Piecewise affine systems [6] are
another important class of HDS where complex nonlinearities are
substituted by a sequence of simpler piecewise linear behaviors.
The three-cellular power converter [8], depicted in Fig. 1.1, presents
an example of DCCS. The continuous dynamics of the system is
described by the state vector $X = [V_{c1}\ V_{c2}\ I]^T$, where $V_{c1}$ and $V_{c2}$
represent, respectively, the floating voltage of capacitors $C_1$ and $C_2$, and
$I$ represents the load current flowing from source $E$ towards the load $(R, L)$
through three elementary switching cells $S_j$, $j \in \{1, 2, 3\}$. The latter
represent the system's discrete dynamics. Each discrete switch $S_j$ has
two discrete states: $S_j$ opened or $S_j$ closed. The control of this system
has two main tasks: (1) balancing the voltages between the switches
and (2) regulating the load current to a desired value. To accomplish
that, the controller changes the switches' states from opened to closed
or from closed to opened by applying discrete commands "$CS_j$" or "$OS_j$"
to each discrete switch $S_j$, $j \in \{1, 2, 3\}$ (see Fig. 1.1), where $CS_j$ refers to
"close switch $S_j$" and $OS_j$ to "open switch $S_j$." Thus, the considered
example is a DCCS.
Fig. 1.1 Three-cell power converter as discretely controlled continuous system
(DCCS) where capacitors $C_1$ and $C_2$ represent the continuous components (Cc) and
switches $S_1$, $S_2$ and $S_3$ the discrete components (Dc)
There are three major modeling tools widely used in the literature
to model HDS. These tools are hybrid Petri nets [9], hybrid bond graphs
[10], and hybrid automata [11].
Hybrid Petri nets (HPN) model HDS by combining discrete and
continuous parts. HPN is formally defined by the tuple:
where $P = P_d \cup P_c$ is a finite, non-empty set of places partitioned into a
set of discrete places $P_d$, represented as circles, and a set of continuous
places $P_c$, represented as double circles. $T = T_d \cup T_c$ is a finite,
non-empty set of transitions made up of a set of discrete transitions $T_d$ and
a set of continuous transitions $T_c$, represented as double boxes.
$h : P \cap T \to \{D, C\}$, called the "hybrid function," indicates for every
node whether it is a discrete node (D) or a continuous node (C).
$Pre : P_c \times T \to \mathbb{R}^+$ or $Pre : P_d \times T \to \mathbb{N}$ is a function
that defines an arc from a place to a transition. $Post : P_i \times T_j \to \mathbb{R}^+$ or
$Post : P_d \times T \to \mathbb{N}$ is a function that defines an arc from a transition to a
place.
Hybrid bond graph is a graphical description of a physical dynamic
system with discontinuities. The latter represent the transitions
between discrete modes. Similar to a regular bond graph, it is an
energy-based technique. It is a directed graph defined by a set of
vertices and a set of edges. Vertices represent components. The latter
are: (1) passive components, which transform energy into potential
energy (C-components), inertia energy (L-components), and dissipated
energy (T-components), and (2) active components, which can be sources of
effort or sources of flow. The edges, called bonds (drawn as half arrows),
represent ideal energy connections between the components. The
components interconnected by the edges construct the model of the
global system. This model is represented by 1 junction for components
having a common flow, 0 junction for common effort and transformers
and gyrators to connect different kinds of energy. In order to take into
account the information during the transitions between discrete
modes, hybrid bond graph is extended by adding controlled junctions
(CJs). The latter allow considering the local changes in individual
component modes due to discrete transitions. The CJs may be switched
ON (activated) or OFF (deactivated). An activated CJ behaves like a
conventional bond graph junction. A deactivated CJ renders the
entire incident junction inactive and hence does not influence any part of the
system.
Hybrid automata are a mathematical model for HDS, which
combines, in a single formalism, transitions for capturing discrete
change with differential equations for capturing continuous dynamics.
A hybrid automaton is a finite state machine with a finite set of
continuous variables whose values are described by a set of ordinary
differential equations. A hybrid automaton is defined by the tuple:
where $Q$ is the set of states, $\Sigma$ is the set of discrete events, $X$ is a finite set
of continuous variables describing the continuous dynamics of the
system, $flux : Q \times X \to \mathbb{R}^n$ is a function characterizing the continuous
dynamics of $X$ in each state $q$ of $Q$, $Init = (q \in Q, X(q), flux(q))$ is the set of
initial conditions, and $\delta : Q \times \Sigma \to Q$ is the state transition function. A
transition $\delta(q, e) = q^+$ corresponds to a change from state $q$ to state $q^+$
after the occurrence of discrete event $e \in \Sigma$.
1.2 Diagnosability, Security, and Safety in Cyber-
Physical Systems: Problem Formulation, Methods,
and Challenges
A fault can be defined as a non-permitted deviation of at least one
characteristic property of a system or one of its components from its
normal or intended behavior. Fault diagnosis is the operation of
detecting faults and determining possible candidates that explain their
occurrence. Online fault diagnosis is crucial to ensure safe operation of
complex dynamic systems in spite of faults affecting the system
behaviors. Consequences of the occurrence of faults can be severe and
result in human casualties, environmentally harmful emissions, high
repair costs, and economical losses caused by unexpected stops in
production lines. Therefore, early detection and isolation of faults is the
key to maintaining system performance, ensuring system safety, and
increasing system life.
Faults may manifest in different parts of the system, namely, the
actuators (loss of engine power, leakage in a cylinder, etc.), the system
(e.g., leakage in the tank), the sensors (e.g., reduction of the displayed
value relative to the true value, or the presence of a skew or increased
noise preventing proper reading), and the controller (i.e., the controller
does not respond properly to its input sensor readings). Faults can be
abrupt (e.g., a pump failed on or failed off, or a valve stuck
open or stuck closed), intermittent, or gradual
(degradation of a component). Faults may also occur in single-fault or
multiple-fault scenarios. In the former, one fault candidate explains the
observations (is responsible for the faulty behavior). In the latter, several
fault candidates are responsible for the faulty behavior.
In HDS, faults can occur as a change in the nominal values of
parameters characterizing the continuous dynamics, and are called
parametric faults. Faults can also occur in the form of abnormal or
unpredicted mode-changing behavior and are called discrete faults.
Therefore, two types of faults should be considered for HDS depending
on the dynamics that is affected by faults (parametric or discrete).
Discrete faults are related to faults in actuators and usually exhibit
great discontinuities in system behavior, whilst parametric faults are
related to wear and tear and introduce faults with much slower
dynamics. For parametric faults, after the fault detection and isolation
(determining the fault candidate), a fault identification phase is
required in order to estimate the amplitude (e.g., the section of leakage
of a tank) of the fault, its time of occurrence, its importance, etc.
For the example of three-cellular converters, eight faults can be
considered for the diagnosis [7], as depicted in Fig. 1.2. Parametric
faults (abnormal deviation of the nominal value of capacitors) are
principally due to the effect of aging or pollution. The discrete faults
(switch stuck-on or stuck-off) are more frequent and their
consequences are more destructive. For instance, in open-circuit
(stuck-off) failure, the system operates in degraded performance.
However, unstable load may lead to further damage on the system.
Therefore, the diagnosis of these faults is necessary to ensure the
system safety and quality.
Fig. 1.2 Faults for the diagnosis of three-cell converters
The fault diagnosis task [12, 13] is generally performed by
reasoning over differences between desired or expected behavior,
defined by a model, and observed behavior provided by sensors. This
task can be performed offline or online. Offline diagnosis assumes that
the system is not operating in normal conditions but is in a test bed,
i.e., ready to be tested for possible prior failures. The test is based on
inputs, e.g., commands, and outputs, e.g., sensor readings, in order to
observe a difference between the resulting signals and the ones
obtained in normal conditions. In online diagnosis, the system is
assumed to be operational and the diagnostic module is designed in
order to continuously monitor the system behavior, isolate and identify
failures. Within these methods, we can distinguish between active
diagnosis that uses both inputs and outputs, and passive diagnosis that
uses only system outputs. The diagnosis can also be non-incremental
(i.e., the diagnosis inference engine is built offline) or incremental (the
diagnosis inference engine is built online in response to the
observation).
The notion of diagnosability [13] aims at verifying whether the system model is
rich enough in information to allow the diagnosis inference
engine, generally called the diagnoser, to infer the occurrence of parametric
and discrete faults within a bounded delay after their occurrence. The
diagnosability notion was initially defined for discrete event systems
(discrete faults) but it can be extended to HDS (parametric and
discrete faults). In general, there are two categories of methods for building
a fault diagnosis inference engine that takes into account both the
discrete and continuous dynamics in HDS as well as the interactions
between them. In the first category [14], the system's model is an
extension of the continuous model obtained by adding the system's discrete
modes. The fault-free continuous behavior is defined in each discrete
mode by relations over observable variables. These relations are used
in order to generate residuals sensitive to a certain subset of faults. A
fault is diagnosed when the value of the residuals sensitive to this fault
is different from zero. In the second category, the discrete model is
extended or enriched by adding events generated by the abstraction of
the system's continuous dynamics.
There are numerous methods in the literature that are used to build
the fault diagnosis inference engine in HDS. They can be divided into
internal, or model-based, and external, or data-driven, methods. The
internal methods (see Fig. 1.3) use a mathematical and/or structural
model to represent the relationships between measurable variables by
exploiting the physical knowledge and/or experimental data about the
system dynamics. They can be categorized into residual-based and set-
membership [15] approaches. In residual-based approaches, the
response of the mathematical model is compared to the observed
values of variables in order to generate indicators used as a basis for
the fault diagnosis. Generally, the model is used to estimate the system
state, its output or its parameters. The difference between the system
and the model responses is monitored on the basis of residual
generation. Then, the trend analysis of this difference can be used to
detect changing characteristics of the system resulting from a fault
occurrence. Set-membership based fault diagnosis techniques are used
for the detection of some specific faults. Generally, they discard models
that are not compatible with observed data, in contrast to the residual-
based approaches which identify the most likely model.
Fig. 1.3 Internal methods for fault diagnosis
The external methods [6, 16–19] (see Fig. 1.4) consider the system
as a black box, in other words, they do not need any mathematical
model to describe the system dynamical behaviors. They use
exclusively a set of measurements and/or heuristic knowledge about
system dynamics to build a mapping from the measurement space into
a decision space. They include expert systems and machine learning
and data mining techniques.
Fig. 1.4 External methods for fault diagnosis
Many critical infrastructures, such as power generation and
distribution networks, water networks and mass transportation
systems, autonomous vehicles and traffic monitoring, etc., are CPS. Such
systems, including critical infrastructures, are becoming widely used
and covering many aspects of our daily life. Therefore, the security,
safety, and reliability of CPS are essential for the success of their
implementation and operation. However, these systems are prone to
major incidents resulting from cyberattacks and system failures. These
incidents significantly affect their security and safety. Attacks can be
represented either as interference [20, 21] in the communication channel
between the supervisor and the system, intentionally generated by
intruders in order to damage the system, or as the enabling
(respectively disabling) of actuator events that are disabled
(respectively enabled) by the supervisor. In general, intruders
intentionally hide, create, or even change events that transit from one device
(actuator, sensor) to another in a control communication channel.
In a supervisory control system, these attacks can lead the plant to
execute event sequences that drive the system into unsafe or
dangerous states that can damage it. Therefore, reliable,
scalable, and timely fault and attack diagnosis is crucial in order to
improve the robustness of CPS to failures and adversarial attacks.
Moreover, a thorough understanding of the vulnerability of CPS’
components against such incidents can be incorporated in future
design processes in order to better design such systems. Finally, the
timely fault diagnosis can help operators to have better situation
awareness and give them ample time to implement correction
(maintenance) actions.
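Added example (not from the book): the three-cell converter of Fig. 1.1 written as a hybrid automaton (`flux`, `delta`), with a residual-based diagnoser that also discards every hypothesis incompatible with the measured load current, including one channel-interference hypothesis of the kind described above. The continuous equations are the usual three-cell converter model from the literature, assumed here because the page does not give them; all parameter values, the command schedule, the noise and the hypothesis names are constructed.

```python
import random

# Constructed values (assumptions, not from the page): source, load, capacitors, Euler step.
E, R, L, C1, C2, DT = 30.0, 10.0, 0.5e-3, 40e-6, 40e-6, 1e-6
X0 = (E / 3, 2 * E / 3, 0.0)   # balanced start: Vc1, Vc2, I
THRESHOLD = 0.05               # residual alarm level on I (A)
NOISE = 0.01                   # bound on the constructed sensor noise (A)
N_STEPS = 1200
# Constructed command schedule: step -> events sent by the controller.
COMMANDS = {0: ["CS3"], 200: ["CS2"], 400: ["CS1"],
            600: ["OS3"], 800: ["OS2"], 1000: ["OS1"]}


def flux(q, x):
    """dX/dt in mode q = (S1, S2, S3), 1 = closed (assumed converter model)."""
    s1, s2, s3 = q
    vc1, vc2, i = x
    return ((s2 - s1) * i / C1,
            (s3 - s2) * i / C2,
            (E * s3 - R * i - vc2 * (s3 - s2) - vc1 * (s2 - s1)) / L)


def delta(q, event):
    """Discrete transition: 'CSj' closes switch j, 'OSj' opens it."""
    j = int(event[2]) - 1
    return q[:j] + (1 if event.startswith("C") else 0,) + q[j + 1:]


def simulate(stuck=None, dropped=()):
    """Load-current trace of the automaton.

    stuck=(j, state) pins switch index j (discrete fault); dropped holds
    (step, event) pairs that never reach the plant (channel interference).
    """
    q, x, trace = (0, 0, 0), X0, []
    for k in range(N_STEPS):
        for event in COMMANDS.get(k, ()):
            if (k, event) not in dropped:
                q = delta(q, event)
        if stuck is not None:
            j, state = stuck
            q = q[:j] + (state,) + q[j + 1:]
        x = tuple(xi + DT * dxi for xi, dxi in zip(x, flux(q, x)))
        trace.append(x[2])
    return trace


# Candidate explanations: nominal, six stuck-switch faults, one dropped command.
HYPOTHESES = {"nominal": {}, "CS2 dropped in channel": {"dropped": ((200, "CS2"),)}}
for j in range(3):
    HYPOTHESES[f"S{j + 1} stuck open"] = {"stuck": (j, 0)}
    HYPOTHESES[f"S{j + 1} stuck closed"] = {"stuck": (j, 1)}


def observe(seed=0, **plant):
    """Measured current of a plant with the given fault, plus bounded noise."""
    rng = random.Random(seed)
    return [i + rng.uniform(-NOISE, NOISE) for i in simulate(**plant)]


def first_alarm(observed, predicted):
    """First step where the residual |I_obs - I_model| exceeds THRESHOLD, else None."""
    for k, (obs, pred) in enumerate(zip(observed, predicted)):
        if abs(obs - pred) > THRESHOLD:
            return k
    return None


def diagnose(observed):
    """Return (detection step against the nominal model, hypotheses never invalidated)."""
    alarms = {name: first_alarm(observed, simulate(**kw))
              for name, kw in HYPOTHESES.items()}
    return alarms["nominal"], sorted(n for n, a in alarms.items() if a is None)


if __name__ == "__main__":
    print(diagnose(observe()))               # healthy plant
    print(diagnose(observe(stuck=(1, 0))))   # S2 stuck open
```

On the stuck-open run the alarm is raised only after CS2 is issued at step 200, and both "S2 stuck open" and "CS2 dropped in channel" survive: with current measurements alone, this command sequence does not separate the discrete fault from interference in the control channel.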
However, guaranteeing the security and safety of CPS requires
verifying their behavioral or safety properties either at design stage
such as state reachability, diagnosability, and predictability or online
such as fault detection and isolation. This is a challenging task because
of the inherent interconnected and heterogeneous combination of
behaviors (cyber/physical, discrete/continuous) in these systems.
Indeed, fault propagation in CPS is not only governed by the behaviors
of components in the physical and cyber sub-systems but also by their
interactions. This makes the identification of the root cause of observed
anomalies and predicting the failure events a hard problem. Moreover,
the increasing complexity of CPS and the security and safety
requirements of their operation as well as their decentralized resource
management entail a significant increase in the likelihood of failures in
these systems. Finally, it is worth mentioning that computing the
reachable set of states of HDS is an undecidable problem due to the
infinite state space of continuous systems.
1.3 Contents of the Book
This edited Springer book presents recent and advanced approaches
and techniques that address the complex problem of analyzing the
diagnosability property of cyber-physical systems and ensuring their
security and safety against faults and attacks. The CPS are modeled as
hybrid dynamic systems using different model-based and data-driven
approaches in different application domains (electric transmission
networks, wireless communication networks, intrusions in industrial
control systems, intrusions in production systems, wind farms, etc.).
These approaches handle the problem of ensuring the security of CPS
in presence of attacks and verifying their diagnosability in presence of
different kinds of uncertainty (uncertainty related to the event
occurrences, to their order of occurrence, to their value, etc.).
1.3.1 Chapter 2
This chapter treats the problem of fault diagnosis of complex dynamic
systems and its application to the aid of conditional maintenance of
wind turbines. The proposed approach is an abductive model-based
diagnosis where the system behavior is described logically by a set of
propositions as premises (hypotheses) that entail conclusions
(diagnoses). The set of propositions, describing how failures affect the
system variables (i.e., components), represents the knowledge base
that the diagnosis engine uses to provide an explanation for an
observation. The proposed approach is based on three main phases:
offline/online model development, online fault detection, and fault
identification. The offline portion of the model is automatically built by
exploiting failure assessments (e.g., Failure Mode Effect Analysis
(FMEA) allowing failure modes characterizations and their
manifestations or symptoms). The online portion of the model is built
based on the fault detection phase. When the latter detects a new,
unrecorded, abnormal behavior, the knowledge base of the model is
updated in order to integrate this new abnormal behavior. The fault
identification engine is triggered when an incorrect behavior is
detected. It uses both the observed symptoms and the offline
constructed model to compute the abductive diagnoses or explanations.
The latter are continuously refined over time thanks to the discovered
new symptoms and to the interactions with the maintenance
technicians. The interactions with the latter are achieved through an
interface that supports the service technicians in preparing all
spare parts and tools necessary before traveling to a wind turbine to
ensure minimal downtime. In addition, on site, this interface provides
contextual information as well as interactive questions in order to
facilitate the diagnosis refinement or/and the discovering of new
failures/abnormal behaviors. The advantage of the proposed approach
is mainly related to its capacity to explain the occurrence of a failure
using taxonomy adapted to the mode reasoning of technicians,
operators, and supervisors. It is also related to its capacity to interact
with technicians in order to facilitate the refinement of diagnosis
candidates and the discovering of new failures/abnormal behaviors.
The latter continuously enrich the model/knowledge base over
time. However, the computational complexity of the model/fault
identification computation remains an issue to be solved in particular
for large scale systems.
1.3.2 Chapter 3
This chapter presents a solution for performing abductive fault
diagnosis using the popular modeling language Modelica. The latter is
an object-oriented, open, and multi-domain language used for
representing hybrid cyber-physical systems. It allows generating
intuitively models that are used to simulate the system normal
behavior. The presented solution enriches Modelica models by creating
a knowledge base (i.e., rules) used for abductive diagnosis. The
knowledge base is built by extracting cause-effect rules from Modelica
models. These rules are intuitive to designers familiar with failure
mode and effect analysis (FMEA). When the difference is significant
between a simulation of the normal (fault-free) model and the one
where individual fault’s effects are integrated, a rule is extracted
automatically. This rule is used for the identification of this individual
fault. Therefore, the set of these extracted rules represents the behavior
deviations of a system in response to a set of pre-defined individual
faults. To compute the difference (deviation) between the signals
representing normal (fault-free) and faulty behaviors, three different
approaches are used: the average values (reference signal) and pre-
defined tolerances, temporal band sequences, and the Pearson
correlation coefficient. The time when a significant deviation is
detected represents the fault detection time. The chapter uses two
examples (voltage divider circuit and a switch circuit with a bulb and
capacitor) in order to illustrate the proposed solution. The switch
circuit is an example of a hybrid dynamic system where the continuous
dynamics is represented by the current and voltage of the capacitor and
resistor and the discrete dynamics is represented by the switch state
(on/off). The presented solution is flexible in the sense that the
augmented Modelica models can be reused for other components. The
adaptation of these Modelica models to perform the abductive
diagnosis allows them to be used in decision support tools that help
human operators make decisions such as conditional/predictive
maintenance. However, the robustness of the proposed solution against
outliers, noises, environment, and load variations as well as other types
of uncertainties needs to be improved.
1.3.3 Chapter 4
This chapter presents a data-driven modeling approach in order to
perform the fault diagnosis of a production system represented as a
multi-sensor network. The sensors are spatially distributed and
measuring one or more channels. The different data streams, generated
by the sensors, are gathered in a central data sink together with the
discrete control events coming from the process control system. The
fault diagnosis is performed by investigating the causal relations and
dependencies between the system variables (channels). These causal
relations and dependencies characterize the system states
(normal/faulty) and are represented as a causal relation network where
nodes and vertices denote the channels and input/output variables,
respectively. The use of such a causal relation network may help
operators and experts to gain insights into the interpretation and
understanding of a failure mode development and causes. The
reference models, representing the causal relations and dependencies,
in fault-free conditions are used to compare the measurements issued
from current conditions with the normal ones. This comparison
generates residuals that are used to form a feature space. In the latter,
the data measurements corresponding to normal operation conditions
occupy restricted zones. When a fault occurs, the measurements occupy
spaces far from these “normal” zones. The reference models are
regularly updated in order to include the novelties of the system (new
normal operation conditions, fault operation conditions) and thus to
avoid high false alarm rates and missed fault detections due to wrong
predictions and quantifications on new samples. This update leads to
more reliable fault detection and more stable model updates. A drift
detection mechanism is used in order to detect, at an early stage, a fault
before it becomes more severe or downtrends in the quality of
components or products. The main advantages of the proposed
approach are its capacity to update the generated models in response
to the novelties and changes in the system environment and internal
state and the use of drift detection mechanism to detect a fault in its
early stage. However, updating the causal relation network (vertices
and nodes) is a time-consuming task in particular for a hybrid dynamic
system with multiple discrete modes.
1.3.4 Chapter 5
This chapter presents an approach for detecting intrusions in industrial
control systems (ICS). These intrusions exploit the vulnerabilities of ICS
in order to alter intentionally the integrity, confidentiality, and
availability of the production system. These cyberattacks affect the
control commands of the controller (Programmable Logic Controller,
PLC), the reports (sensor readings) coming from the plant as well as
the communication between them. The proposed approach is based on
the use of two filters: control and report filters. The control filter aims
at verifying the consistency of control commands according to the
current state and the sensor outputs while the report filter checks the
integrity of the measurements (reports) according to the current state
and the predicted (sent) control commands. Both filters are integrated
outside the production system and communicate through an independent
and secured network in order to limit the cyberattack surface. They are
based on three steps. The first and second steps aim at identifying
offline the critical and prohibited states as well as the sequences
(actions/sensor outputs) required to reach the prohibited states from
any other normal (initial) state. The third step aims at detecting the
cyberattacks online by observing a deviation from the normal behavior.
The latter is described by the sequences of the pairs (state/action). This
deviation is computed as a distance between the current state and the
prohibited one. This distance is characterized by the minimal number
of actions that can be applied on the process in order to reach a
prohibited state. The main advantages of this approach are: (1) it is a
non-intrusive approach since it does not need to install new probes in
the production system and (2) it limits the cyberattack surface since
the control and report filters are installed outside the PLC and the plant and
they communicate through an independent and secure network.
However, the proposed approach cannot adapt to new cyberattacks
(new prohibited and dangerous states) and its computation complexity
grows exponentially for large scale systems with multiple discrete
states.
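The distance-based control and report filters summarized above can be sketched as follows. This is an added example, not code from the book: the heated-tank process, its actions, its prohibited states, and the `critical` threshold are constructed assumptions.

```python
from collections import deque

# Constructed toy process (an assumption, not from the book): a heated tank.
# State = (level, heater); level 0..4 where 4 means overflow; heater is 0 or 1.
LEVELS = range(5)
ACTIONS = ("fill", "drain", "heater_on", "heater_off")


def step(state, action):
    """Return the successor state, or None if the action is not enabled."""
    level, heater = state
    if action == "fill" and level < 4:
        return (level + 1, heater)
    if action == "drain" and level > 0:
        return (level - 1, heater)
    if action == "heater_on" and heater == 0:
        return (level, 1)
    if action == "heater_off" and heater == 1:
        return (level, 0)
    return None


def is_prohibited(state):
    """Overflow, or heating an empty tank."""
    level, heater = state
    return level == 4 or (level == 0 and heater == 1)


def distances_to_prohibited():
    """Offline step: minimal number of actions from each state to any
    prohibited state, by breadth-first search over reversed transitions."""
    states = [(lvl, h) for lvl in LEVELS for h in (0, 1)]
    preds = {s: set() for s in states}
    for s in states:
        for a in ACTIONS:
            nxt = step(s, a)
            if nxt is not None:
                preds[nxt].add(s)
    dist = {s: 0 for s in states if is_prohibited(s)}
    queue = deque(dist)
    while queue:
        s = queue.popleft()
        for p in preds[s]:
            if p not in dist:
                dist[p] = dist[s] + 1
                queue.append(p)
    return dist


def control_filter(state, action, dist, critical=1):
    """Online check of one command against the current state."""
    nxt = step(state, action)
    if nxt is None:
        return "inconsistent"          # command not possible in this state
    d = dist.get(nxt, float("inf"))
    if d == 0:
        return "block"                 # command leads into a prohibited state
    return "alert" if d <= critical else "ok"


def report_filter(expected, reported):
    """Online check of one sensor report against the predicted state."""
    return expected == reported


def monitor(trace, initial, critical=1):
    """Replay (command, reported_state) pairs through both filters."""
    dist = distances_to_prohibited()
    state, results = initial, []
    for action, reported in trace:
        verdict = control_filter(state, action, dist, critical)
        # Assumption: a blocked or inconsistent command never reaches the plant.
        expected = step(state, action) if verdict in ("ok", "alert") else state
        results.append((verdict, report_filter(expected, reported)))
        state = expected
    return results


# Constructed trace: the fourth report repeats a stale reading.
TRACE = [
    ("heater_on", (2, 1)),
    ("drain", (1, 1)),
    ("drain", (1, 1)),
    ("fill", (1, 1)),
    ("heater_on", (2, 1)),
]

if __name__ == "__main__":
    for (action, _), result in zip(TRACE, monitor(TRACE, (2, 0))):
        print(action, result)
```

The offline search visits every discrete state, which is where the exponential growth noted in the summary comes from once several state variables are combined.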
1.3.5 Chapter 6
This chapter presents an approach to fault diagnosis of switched
systems modeled by a Mealy machine (an automaton with inputs and
outputs). Some transitions of this automaton, including those
corresponding to faults, may occur in the absence of a control input and
therefore are unobservable. Consequently, several states of the
diagnoser (the model performing the fault diagnosis) are uncertain in
the sense that they contain several fault labels (indicating several faulty
components) and therefore they cannot isolate the responsible
component of the fault occurrence. The diagnosis, performed by the
proposed approach, is active in the sense that it ensures simultaneously
the control and the diagnosability of the system. In order to remove the
diagnosis uncertainty, the proposed approach computes the fault
isolating sequence that leads to reach a certain diagnosis state with one
fault label indicating the fault component. The proposed approach
assumes that the initial conditions of the system are known and that the
initial mode is fault-free. It also assumes that the only control input
driving the evolution of the system is represented by the switching
function. This function specifies the active mode. Furthermore, discrete
outputs are also available, as a result of each mode transition, in order
to detect and isolate the fault. When a fault is detected, the nominal
control is suspended for safety reasons. The proposed approach requires
building the system model with all its nominal and fault discrete states.
This model, called the diagnoser, is then associated with the minimal fault
isolating sequences for all uncertain states in the diagnoser. The
proposed approach is illustrated and tested using a multicellular power
converter in order to diagnose the discrete faults (switch blocked-
on/blocked-off). The discrete dynamics of the power converter is
represented by the on/off switches, while the continuous dynamics are
related to the charging/discharging of the capacitors. The advantage of
the proposed approach is related to its improvement of the system
diagnosability by applying the fault isolating sequences. However, the
proposed approach does not scale well according to the system size in
particular with multiple discrete modes.
1.3.6 Chapter 7
This chapter studies and investigates the security issues for hybrid
dynamic systems in presence of attacks. The latter are represented by
compromised sensor measurements exchanged by the means of a
wireless communication network. The challenge to ensure the system
security and safety is to correctly estimate or reconstruct
instantaneously or within a finite time interval the system internal state
despite the presence of corrupted sensor measurements by external
hackers. This chapter formalizes the required conditions in order to
perform a secure state estimation despite the malicious attacks. To this
end, the continuous dynamics is abstracted in order to generate
discrete events that are used to enrich the system model. Only a subset
of sensors of fixed size is considered to be corrupted. However, the
sensors of this subset are unknown. Then, the link between
diagnosability notion, developed for discrete event systems, and the
secure state estimation is explored. The goal is to determine the
conditions that allow distinguishing normal states from corrupted ones.
The main advantage of the proposed approach is its capacity to
estimate the secure state in the context of hybrid dynamic states where
problems of decidability and computational complexity arise because
of the cohabitation of both discrete and continuous dynamics. However,
the proposed approach is restricted to linear non-Zeno systems with
fixed size of corrupted sensors.
1.3.7 Chapter 8
This chapter proposes a hierarchical component-based approach for
fault diagnosis and prognosis as well as failure mitigation in critical
cyber-physical systems (CPS). The latter is composed of the physical
system (plant), the actuators, the protection devices, and the discrete
controllers. The latter try to arrest the failure effect if detected. The
proposed approach uses temporal causal diagrams in order to describe
the consequences of fault occurrence and propagation in physical and
cyber components. The built model accounts for normal and fault
behaviors. Each behavior is represented by a sequence of states and
events. A state is characterized as safe or harmful. When a primary fault
occurs, its propagation enforces the protection devices to be activated.
This leads the system to a blackout state. The fault prognosis is based
on the determination whether the system at its current state satisfies
the constraints to reach a blackout state. If the answer is yes, then the
trajectory (set of states and transitions) reachable from the current
state is computed. The proposed approach is used for fault diagnosis
and prognosis as well as failure mitigation of power systems, in
particular electric transmission networks. The physical system consists
of generators, buses, transmission lines and loads, while actuators are
the circuit breakers and the protection devices are the relays. The latter
cause system reconfiguration by instructing actuators to change their
state. Two types of faults are considered: phase-to-phase faults and
phase-to-ground faults. The faults of the breakers (breaker stuck-closed
and breaker stuck-opened) and distance relays (missed detection faults
and false alarms) are considered. The observable events in the case of
power transmission system are commands sent by relays to breakers,
messages sent by relays to each other, state change of breakers,
physical fault detection alarms, etc. The faults are the unobservable
events. The proposed approach is modular in the sense that each
component has its proper model and its proper local diagnoser and a
reasoner is used to compute the global diagnosis decision. However, a
global model is needed to build the diagnosers and the reasoner.
1.3.8 Chapter 9
This chapter presents a model-based and data-driven approach to
perform the fault diagnosis of cyber-physical systems that are safety
critical, yet prone to system failures. Fault refers to any fault, attack, or
anomaly. The nominal behaviors and the fault modes are represented
by hidden-mode switched affine models with time-varying parametric
uncertainty subject to process and measurement noise. The proposed
approach is based on three steps: model invalidation, fault detection,
and fault isolation. Model invalidation aims at determining whether an
input–output sequence over a horizon T is compatible with a switched
affine model. If the data is not compatible with the nominal model, then
the model is invalidated and a fault is detected. When a fault is detected,
the fault isolation step aims at uniquely determining which specific
fault model is validated or rather, not invalidated, based on the
measured input–output data. The proposed approach is evaluated for
the simple and multiple fault diagnosis of the Heating, Ventilating, and
Air Conditioning (HVAC) system. The considered faults are: faulty fan
(the fan rotates at half of its nominal speed), faulty chiller water pump
(the pump is stuck and spins at half of its nominal speed), and faulty
humidity sensor (the humidity measurements are biased by an amount
of +0.005). The advantage of this approach is its ability to diagnose
simple and multiple faults either discrete or continuous (parametric)
by taking into account the noises and parameter uncertainties.
However, it requires significant effort and in-depth knowledge to build
offline the nominal and fault models. Moreover, it needs to determine
the horizon T (time delay) required to distinguish between normal and
fault behaviors (T-detectability) and between two different fault models
(I-isolability).
1.3.9 Chapter 10
This chapter proposes an extension of the diagnosability notion
proposed for discrete event systems (DES) for hybrid dynamic systems
(HDS) with uncertain observation. This chapter provides the answer to
the question: can diagnosability be achieved even if the observation is
uncertain, that is, when the order of the observed events and/or their
(discrete) values are partially unknown? Indeed, in many applications,
the temporal order of the observable events that have occurred within
the DES is not always known, in particular when they occur in a short
time span. In addition, the occurrence of some events is not certain in
the sense that they may have occurred or not. Therefore, the developed
diagnosability notion in this chapter considers the combination of these
two types of uncertainties. However, the time delay required to verify
the diagnosability for HDS is not proved to be bounded.
1.3.10 Chapter 11
This chapter proposes a diagnosability notion adapted to hybrid
dynamic systems (HDS). It proposes an algorithm able to verify at
design stage if a fault that would occur at runtime could be
unambiguously detected within a given finite time using only the
allowed observations. The proposed algorithm is based on the
abstractions that discretize the infinite state space of the continuous
variables into finite sets. It starts by generating the most abstract
discrete event system (DES) model of the HDS and checking
diagnosability of this DES model. A counterexample that negates
diagnosability is provided based on the twin plant. This
counterexample is obtained when there is a path in the twin model
with at least one ambiguous state (state with two different diagnosis
labels) cycle. The model is then refined in order to try to invalidate the
counterexample and the procedure repeats as long as diagnosability is
not proved. If the counterexample is validated, then the system is not
diagnosable. If there is no validated counterexample, then the system is
diagnosable. The refinement is based on the understanding of the
causes that entailed the refusal of the counterexample. Then, this
spurious counterexample or any close spurious counterexamples will
be eliminated next time. This will make the best out of computation.
The proposed algorithm was illustrated using two examples. The first
example is a server with 4 buffers. Each buffer is assigned a workflow
and the switching between buffers is controlled by a user input. The
second example is a classical thermostat with two different faults. The
first fault is a discrete fault due to a bad calibration of the temperature
sensor, while the second fault is parametric due to a problem in the
heater. The proposed algorithm has the advantage of accounting explicitly
for the hybrid dynamic nature of the system and of verifying the
diagnosability in cost-effectiveness analysis. However, the time delay
required to verify the diagnosability is not proved to be bounded.
References
1. R. Rajkumar, I. Lee, L. Sha, J. Stankovic, Cyber-physical systems: the next
computing revolution, in Proceedings of the 47th Design Automation Conference
(ACM, 2010), pp. 731–736
2. A.J. Van Der Schaft, J.M. Schumacher, An Introduction to Hybrid Dynamical Systems,
vol 251 (Springer, London, 2000)
3. A. Benveniste, T. Bourke, B. Caillaud, M. Pouzet, in Hybrid systems modeling
challenges caused by cyber-physical systems, cyber-physical systems (CPS)
foundations and challenges, ed. by J. Baras, V. Srinivasan. Lecture Notes in Control
and Information Sciences (2013)
4. Y. Yalei, X. Zhou, Cyber-physical systems modeling based on extended hybrid
automata, in 5th IEEE International Conference on Computational and Information
Sciences (ICCIS) (2013)
5. M.S. Branicky, V.S. Borkar, S.K. Mitter, A unified framework for hybrid control:
model and optimal control theory. IEEE Trans. Autom. Control 43(1), 31–45
(1998)
6. L. Rodrigues, S. Boyd, Piecewise-affine state feedback for piecewise-affine slab
systems using convex optimization. Syst. Control Lett. 54(9), 835–853 (2005)
7. H. Louajri, M. Sayed-Mouchaweh, Decentralized diagnosis and diagnosability of a
class of hybrid dynamic systems, in Informatics in Control, Automation and
Robotics (ICINCO), 2014 11th International Conference on, vol. 2 (2014)
8. M. Shahbazi, E. Jamshidpour, P. Poure, S. Saadate, M.R. Zolghadri, Open- and
short-circuit switch fault diagnosis for nonisolated dc–dc converters using field
programmable gate array. IEEE Trans. Ind. Electron. 60(9), 4136–4146 (2013)
9. R. David, H. Alla, Discrete, Continuous, and Hybrid Petri Nets (Springer, Berlin,
2010)
10. D. Wang, S. Arogeti, J.B. Zhang, C.B. Low, Monitoring ability analysis and
qualitative fault diagnosis using hybrid bond graph. IFAC Proc. 41(2),
10516–10521 (2008)
11. T.A. Henzinger, The theory of hybrid automata, in Verification of Digital and
Hybrid Systems (Springer, Berlin, 2000), pp. 265–292
12. M. Sayed-Mouchaweh, E. Lughofer, Decentralized fault diagnosis approach
without a global model for fault diagnosis of discrete event systems. Int. J.
Control. 88(11), 2228–2241 (2015)
13. M. Sayed-Mouchaweh, Discrete Event Systems: Diagnosis and Diagnosability
(Springer, New York, 2014)
14. T. Kamel, C. Diduch, Y. Bilestkiy, L. Chang, Fault diagnoses for the Dc filters of
power electronic converters, in Energy Conversion Congress and Exposition
(ECCE) (IEEE, 2012), pp. 2135–2141
15. M. Tabatabaeipour, P.F. Odgaard, T. Bak, J. Stoustrup, Fault detection of wind
turbines with uncertain parameters: a set-membership approach. Energies 5(7),
2424–2448 (2012)
16. L. Hartert, M. Sayed-Mouchaweh, Dynamic supervised classification method for
online monitoring in non-stationary environments. Neurocomputing 126,
118–131 (2014)
17. M. Sayed-Mouchaweh, N. Messai, A clustering-based approach for the
identification of a class of temporally switched linear systems. Pattern Recogn.
Lett. 33(2), 144–151 (2012)
18. H. Toubakh, M. Sayed-Mouchaweh, Hybrid dynamic data-driven approach for
drift-like fault detection in wind turbines. Evol. Syst. 6(2), 115–129 (2015)
19. M. Sayed-Mouchaweh, Diagnosis in real time for evolutionary processes in using
pattern recognition and possibility theory. Int. J. Comput. Cognit. 2(1), 79–112
(2004)
20. L.K. Carvalho, Y.C. Wu, R. Kwong, S. Lafortune, Detection and prevention of
actuator enablement attacks in supervisory control systems, in 13th
International Workshop on Discrete Event Systems (2016), pp. 298–305
21. D. Thorsley, D. Teneketzis, Intrusion detection in controlled discrete event
systems, in 45th IEEE Conference on Decision and Control (2006), pp. 6047–6054
© Springer International Publishing AG 2018
Moamar Sayed-Mouchaweh (ed.), Diagnosability, Security and Safety of Hybrid
Dynamic and Cyber-Physical Systems
https://doi.org/10.1007/978-3-319-74962-4_2
2. Wind Turbine Fault Localization: A
Practical Application of Model-Based
Diagnosis
Roxane Koitz (1), Franz Wotawa (1), Johannes Lüftenegger (1),
Christopher S. Gray (2) and Franz Langmayr (2)
(1) Graz University of Technology, Graz, Austria
(2) Uptime Engineering GmbH, Graz, Austria
Roxane Koitz (Corresponding author)
2.1 Introduction
The increasing complexity and magnitude of technical systems is
leading to a demand for effective and efficient automatic diagnosis
procedures to identify failure-inducing components in practice. This is
especially true in application areas experiencing excessive service costs
and idle time revenue loss. In the industrial wind turbine domain
operation and maintenance constitute significant factors in terms of
turbine life expenditure. Given the remote locations onshore and
offshore of wind turbine installations, accurate fault identification is
essential for reducing costs and risks of component failures as well as
turbine downtime [14]. Wind turbine diagnosis is complicated,
however, since their overall reliability is affected by a multitude of
failure modes concerning all major sub-systems and environments and
furthermore the load conditions change regularly [36]. While electrical
and control systems account for most wind turbine failures, other sub-
systems, such as gearboxes, cause extensive downtimes due to the
complexity of maintenance and thus pose a higher cost risk [35].
Unfortunately, currently implemented standard alarm systems deliver a
large number of false alarms and thus are not suitable for standalone
fault detection and identification [14].
Wind turbine operators often rely on time-based maintenance,
where turbines are inspected periodically to assess their condition.
This practice may lead to unnecessary turbine downtime for healthy
systems, while failure-inducing conditions between services remain
unnoticed. Due to these disadvantages, predictive and condition-based
maintenance have become increasingly popular. Both rely on condition
monitoring software and diagnosis methods [23]. Condition monitoring
software utilizes the signals transmitted from the sensors integrated
within the turbine and further processes the information to derive
health information of critical components, e.g., gearboxes and main
bearings. Some specification indicators of the subsequent failure are
observable prior to around 99% of equipment fault occurrences [35].
Unnecessary maintenance activities can be avoided by scheduling
repair or replacement of components based on their present or
impending failure risks [1].
Numerous approaches exist for wind turbine diagnosis. Signal
processing techniques analyze the multidimensional turbine data
without considering an a priori developed mathematical model to
extract faults based on spectral analysis or trend checking techniques,
while machine learning methods, such as neural networks, can rely on
historic data for failure identifications [16]. Zaher and McArthur [41]
introduce a fault and degradation detection system for entire wind
turbine installations based on supervised learning of the nominal
behavior. By collecting data from various downtimes their system
computes an overall turbine operational behavior model. Schlechtingen
et al. [29] also adopt machine learning by creating neural networks
based on the normal wind turbine behavior in combination with fuzzy
rules representing expert knowledge on faults. Their approach requires
the availability of Supervisory Control And Data Acquisition (SCADA)
operation logs, which provide 10-min values of various measurements,
such as power output, rotor speed, or gearbox oil temperature [40].
Anomalies can be detected by comparing the normal-behavior model
with the actual performance. The fuzzy inference system then
automatically identifies the faulty components. Gray et al. [14, 15]
describe a combination of diagnostic and prognostic techniques
exploiting the relations between operational and environmental loads
and damage accumulation rates. Based on an analysis of potential
component-based failure modes and their damage driving physics, a
mathematical model is computed that can be used to calculate the rate
at which damage accumulates in response to the operating
environment. This method offers a means for determining current and
projected failure probabilities based on the derived damage model and
statistical failure model. Statements about absolute remaining useful
life cannot be made, since the load capacity would have to be known in
advance to a high degree of accuracy. This is very rarely the case, and
considerable variation occurs due to, e.g., variations in material quality,
tolerances in component manufacture, influence of transport,
installation and configuration. Therefore the prognostic method
focuses on quantification of the applied loads instead, and uses
probabilistic methods to relate the said loads to damage accumulation.
Model-based diagnosis (MBD) techniques have been developed in
the Fault Detection and Isolation (FDI) and the Artificial Intelligence
(AI) community. Approaches stemming from the FDI field usually
depend on quantitative models, while the AI methods utilize
qualitative/symbolic representations of the underlying system to draw
conclusions regarding the state of the system and its components [1, 6,
9, 28]. For instance, Echavarria et al. [10] utilize qualitative physics to
formalize the behavior of wind turbines. Combined with a solver, their
model-based system is capable of detecting and identifying faults.
In this chapter, we focus on the AI variation of MBD. MBD relies on a
description of the system, which together with abnormal observations
of the current system state is exploited to derive root causes [9, 28].
Multiple applications have been developed for diverse fields, e.g., the
automotive industry [32] or environmental decision support systems
[39]. Even though MBD can look back on decades of research, a
widespread dissemination in practice is still lacking. The reasons for
this include the effort associated with the development of diagnosis
models [4] and the difficulties of adequately integrating MBD into
current industrial work processes [12, 24, 31].
In cooperation between Graz University of Technology and Uptime
Engineering1 a project was initiated with the aim of providing a
methodology and framework for MBD in the industrial domain. Due to
Uptime Engineering’s many years of experience and expertise in the
field of wind power plant maintenance, industrial wind turbines
constitute an ideal test bed and application area for MBD. In this
chapter, we present some of the results of the collaboration as well as
the ongoing realization of MBD in practice. With this work we aim to
bridge the gap between the theory of MBD and its practical application.
We first discuss the foundations of MBD and present a general process
for integration of this approach in real-world fault identification.
Subsequently, we introduce an application designed to facilitate
diagnosis in the industrial wind turbine domain. In particular, the
application’s graphical user interface (GUI) is presented, which has
been created taking the needs, work processes, and environments of
the maintenance personnel into consideration. Subsequently, we
discuss the current status of the integration of an MBD engine in the
industrial wind turbine domain and provide some concluding remarks.
2.2 Model-Based Diagnosis
Model-based reasoning fosters the idea of reusing knowledge by relying
on a formalization of the system under consideration. The model
together with a set of observed symptoms can be exploited to obtain
diagnostic hypotheses for the observations. Two variations have
emerged in the literature: consistency-based and abductive MBD.
Consistency-based diagnosis utilizes a description of the correct system
behavior and identifies root causes through inconsistencies arising
from the model in combination with the given symptoms. A diagnosis is
then a set of abnormality assumptions about the system such that the
observations and assumptions are consistent [9, 28]. In contrast,
abductive diagnosis is based on the notion of logical entailment [26]. A
set of premises ψ logically entails a conclusion ϕ if and only if for any
interpretation in which ψ holds ϕ is also true. We write this relation as
ψ⊧ϕ and call ϕ a logical consequence of ψ. A set of abnormality
assumptions entailing the observations constitutes an abductive
diagnosis or explanation. To derive causes for observed anomalies by
utilizing this type of inference, the abductive MBD approach depends
on a model representing the links between faults and their
manifestations. Even though both variations are based on different
reasoning techniques, Console et al. [5] showed the close relation
between consistency-based and abductive diagnosis. In the upcoming
portion of the chapter, we focus on abductive MBD. First, we describe
an abductive diagnosis problem and its solution based on a subset of
propositional logic, namely Horn clauses. Subsequently, we discuss a
process facilitating the incorporation of abductive MBD in real-world
applications.
2.2.1 Propositional Horn Clause Abduction
A Horn clause is defined as a disjunction of literals featuring at most
one positive literal and can be described by a rule, e.g., {¬a₁, …, ¬aₙ,
aₙ₊₁} can be written as a₁ ∧ … ∧ aₙ → aₙ₊₁. Similar to Friedrich et al. [13],
we define a knowledge base (KB) representing the abductive diagnosis
model in the context of propositional Horn clause abduction.
Definition 1 A knowledge base (KB) is a tuple (A,Hyp,Th) where A
denotes the set of propositional variables, Hyp ⊆ A the set of
hypotheses, and Th the set of Horn clause sentences over A.
A hypothesis, also referred to as an assumption, is a propositional
variable for which we can presume a certain truth value. Hypotheses
are the propositions which can be part of a diagnosis, while the Horn
theory depicts the relationships between the variables.
Example 1 Gearbox lubrication is an essential aspect of industrial
wind turbine reliability as it protects the contact surfaces of gears
and bearings from excessive wear and prevents overheating.
Considering a simplified scenario, insufficient lubrication can be
caused by a damaged oil pump, which leads to loss of oil pressure
and therefore a reduction in the flow rate of oil through the system.
Furthermore, a blockage of the filter in the oil cooling system may
cause overheating of the oil, which also negatively affects the
lubrication due to a reduction in the film thickness at the bearing
and gear contacts.
Starting from this description, we can identify two root causes of
insufficient lubrication: a blocked filter or a damaged oil pump.
These causes constitute the faults we want to identify during
diagnosis and thus their corresponding variables form the set of
hypotheses:
The set of propositional variables A comprises all hypotheses as well as
the propositions representing effects:
Given the set of propositional variables, the circumstances leading to
an insufficient greasing of the gearbox can be represented by a Horn
theory:
Definition 2 Given a knowledge base (A,Hyp,Th) and a set of
observations Obs ⊆ A then the tuple (A,Hyp,Th,Obs) forms a
propositional Horn clause abduction problem (PHCAP).
A diagnosis problem involves a KB plus a set of observations for which
the explanations are to be computed. In our context, these observables
may only be a conjunction of propositions and not an arbitrary logical
sentence. The solution to a PHCAP or diagnosis Δ is a set of hypotheses
explaining the propositions in Obs, i.e., entailing them together with the
theory Th. In other words, the observations are a logical consequence
of the failure relations described in the theory and the determined
explanation. An additional requirement is that only consistent
diagnoses are permitted, thus solutions leading to a contradiction are
disregarded. Imposing a parsimonious criterion on the solutions is a
principle commonly used in diagnosis. From our practical point of view
only subset minimal explanations are of interest.
Definition 3 Given a PHCAP (A,Hyp,Th,Obs). A set Δ ⊆ Hyp is a
solution if and only if Δ ∪ Th ⊧ Obs and Δ ∪ Th ⊭ ⊥. A solution Δ is
parsimonious or minimal if and only if no set Δ′ ⊂ Δ is a solution. Δ-Set
contains all solutions obtained from a PHCAP.
Example 1 (continued) Considering the PHCAP and assuming we
detect an insufficient lubrication of the gearbox, i.e., Obs =
{poor_lubrication}, we can derive two minimal explanations; either
the oil pump is faulty inducing a reduction of the oil flow ( Δ1 =
{damaged_pump}) or a blocked filter causes poor cooling which
leads to insufficient greasing of the bearing and gear contacts ( Δ2 =
{blocked_filter}), i.e., Δ-Set = {{damaged_pump}, {blocked_filter}}.
While abductive reasoning provides an intuitive approach for fault
localization, its computational complexity for general propositional
theories is located within the second level of the polynomial hierarchy
[11]. Focusing on a less expressive modeling language, such as in our
case Horn clause models, reduces the complexity. Yet, Friedrich et al.
[13] showed that computing the solution to a PHCAP is still NP-
complete. Thus, for practical applications efficient solvers are essential
to compute diagnoses in a reasonable time frame.
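Definition 3 applied to Example 1, as an added example that is not code from the chapter: a brute-force PHCAP solver using forward chaining over Horn clauses. The intermediate proposition names (reduced_pressure, reduced_flow, poor_cooling) and the encoding of ⊥ as a clause with head None are assumptions, since the chapter's listings of Hyp, A and Th are not reproduced on this page.

```python
from itertools import combinations

# Constructed encoding of Example 1. Only damaged_pump, blocked_filter and
# poor_lubrication are named on the page; the intermediate effect names are
# assumptions made for this example.
HYP = {"damaged_pump", "blocked_filter"}
TH = [  # Horn clauses as (body, head); head None stands for the contradiction
    ({"damaged_pump"}, "reduced_pressure"),
    ({"reduced_pressure"}, "reduced_flow"),
    ({"reduced_flow"}, "poor_lubrication"),
    ({"blocked_filter"}, "poor_cooling"),
    ({"poor_cooling"}, "poor_lubrication"),
]


def closure(assumed, theory):
    """Forward chaining: every atom entailed by assumed ∪ theory.

    Returns (atoms, consistent); consistent is False when a clause with
    head None (the contradiction) fires.
    """
    derived = set(assumed)
    consistent = True
    changed = True
    while changed:
        changed = False
        for body, head in theory:
            if body <= derived:
                if head is None:
                    consistent = False
                elif head not in derived:
                    derived.add(head)
                    changed = True
    return derived, consistent


def is_solution(delta, theory, obs):
    """Definition 3: delta ∪ Th entails Obs and does not entail ⊥."""
    atoms, consistent = closure(delta, theory)
    return consistent and set(obs) <= atoms


def minimal_diagnoses(hyp, theory, obs):
    """Return the subset-minimal solutions of the PHCAP.

    Candidates are enumerated by increasing size, so any candidate that
    contains an already found solution cannot be minimal and is skipped.
    The search is exponential in |Hyp|, in line with the NP-completeness
    result cited in the text.
    """
    found = []
    for size in range(len(hyp) + 1):
        for cand in combinations(sorted(hyp), size):
            delta = frozenset(cand)
            if any(sol <= delta for sol in found):
                continue
            if is_solution(delta, theory, obs):
                found.append(delta)
    return found


if __name__ == "__main__":
    # Obs = {poor_lubrication} yields the two single-fault explanations.
    for delta in minimal_diagnoses(HYP, TH, {"poor_lubrication"}):
        print(sorted(delta))
```

Adding a clause such as `({"damaged_pump", "blocked_filter"}, None)` makes any diagnosis containing both faults inconsistent, which is how the solver discards solutions that lead to a contradiction.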
2.2.2 Incorporating Diagnosis into Practice
While MBD offers several attractive features, such as allowing the reuse
of already created system models and a clean separation between the
problem description and its solving mechanism, the dissemination of
implementations in practice is limited [31]. The integration of MBD in
industrial applications is impeded by two main drawbacks associated
with this type of reasoning. First, the computational complexity as
mentioned in the previous section discourages the practical use in
cases where diagnoses are to be computed within short periods of time.
Second, model-based reasoning techniques always demand the
existence of a system description, whether it is of the correct behavior
in consistency-based diagnosis or how failures affect system variables
in the context of the abductive variation. Developing a model is
associated with an initial effort and acquiring a technical description of
a system suitable for diagnostic purposes can be challenging and is
often hindered by organizational issues. Further, a lack of tools
facilitating the model generation and integrating it into existing work
processes complicates the modeling phase [2].
To counteract these factors Koitz and Wotawa [18] have defined a
process based on discussion with Uptime Engineering for applying
abductive MBD to real-world applications. The method relies on an
automated model creation on the one hand and on the other hand
ensures an efficient diagnosis computation by limiting the models to
Horn logic. A graphical representation of the activities is depicted in
Fig. 2.1. The process is divided into three phases: model development,
fault detection, and fault identification. In order to lower the entrance
barrier for implementing the MBD approach, models are automatically
built by exploiting failure assessments frequently used in practice. Such
analyses must characterize failures and their manifestations to be
mapped to a KB required for abductive reasoning. A widespread tool
which can be used for this purpose is Failure Mode Effect Analysis
(FMEA) incorporating expert knowledge on component failures [38].
Constructing the model from a fault assessment only needs to be
performed once—given that there are no updates to the analysis—and
can be accomplished offline. The online portion of the MBD process is
prompted once the presence of a fault has been detected by a
mechanism discovering the existence of an incorrect system behavior
such as a condition monitoring system. Based on the observed
symptoms and the offline constructed model, the fault can be identified
by deriving the abductive diagnoses. Various approaches are capable of
computing abductive explanations [17] and further additional
refinements to the initial diagnoses can be made via additional
observations and prioritization of the results in regard to certain
objectives, e.g., diagnosis likelihood or maintenance cost.
Fig. 2.1 Abductive MBD process (adapted from [18])
2.2.2.1 Model Development
Automatic generation of a suitable knowledge base using information
available a priori is an essential feature of the proposed diagnosis
process as it reduces additional modeling efforts. While different
assessments can be utilized, we show here an example of a conversion
based on FMEA [38]. FMEA is an established standardized reliability
approach, in which an expert group analyzes a system and determines
potential component-based single faults. Each failure mode is examined
in regard to its causes, consequences, and various other characteristics
[3]. Table 2.1 depicts an excerpt of an FMEA for the yaw drive of a wind
turbine presenting two failure modes.
Table 2.1 Example 2: FMEA excerpt (adapted from [27])
| Component | Failure mode | Failure effect | Likelihood | Severity |
|---|---|---|---|---|
| Yaw drive | Fails to rotate | No yaw, safety system failure, decrease of efficiency | 2.2E−5 | V |
| Yaw drive | Drive shaft blocked | No yaw, decrease of efficiency | 1.3E−5 | IV |
While in general an FMEA can feature more columns than the ones
shown in Table 2.1 depending on the standard followed, the modeling
methodology as proposed by Wotawa [38] focuses on three aspects
which have to be considered within the analysis: the components
(COMP), the failure modes (MODES), and moreover, the existence of
propositions PROPS corresponding to observable failure effects.
Definition 4 An FMEA is a set of tuples (C, M, E) where C ∈ COMP is a
component, M ∈ MODES is a failure mode, and E ⊆ PROPS is a set of
effects.
As the FMEA typically contains a description of how each fault affects a
set of system variables, we can convert this information in a
straightforward manner to a logical KB, where the hypotheses comprise
the component-based failures and the theory consists of propositional
Horn clause sentences describing the cause-effect relation depicted in
the FMEA. A variable mode(C,M) is constructed for each component-
failure mode pair in the analysis, where C is the component and M is the
failure mode. These propositions compose the set of hypotheses:
(2.1)
To form the set of all variables A, the union over all hypotheses as well
as propositions representing effects is constructed:
(2.2)
Each record in the FMEA describes the effects of a single fault, thus, the
relations between defects and their manifestations can be transformed
into a Horn model in a straightforward way. Let HC be the set of Horn
clause sentences, then the mapping function
generates a set of Horn clauses which are a subset of HC for each record
in the FMEA.
Definition 5 Given an FMEA, the function is defined as follows:
(2.3)
where
(2.4)
Example 2 (continued) The FMEA in Table 2.1 features the two component-fault
mode pairs (Yaw Drive, Fails to rotate) and (Yaw Drive, Drive shaft
blocked). Their corresponding propositional variables are added to
Hyp.
The set of all propositions then contains the hypotheses as well as all
variables corresponding to effects.
For each manifestation contained in a record, a rule is built such that
the single hypothesis representing the component-fault mode pair
implies the effect. The theory is then simply a union over all these
Horn clauses.
Due to the structure of an FMEA, the resulting logical system
description is acyclic and consists of bijunctive Horn clauses, i.e.,
implications always lead from one hypothesis to a single effect variable.
This results in an efficient diagnosis computation and a system
considering the single fault assumption [19].
A shortcoming of FMEA is that it does not take into account the
potential interdependencies between various manifestations, which
might be essential from a practical point of view to describe how a fault
affects the system. Thus, other failure assessments, such as fault trees,
can be used as the basis of the automatic modeling [20]. Depending on
the underlying failure analysis type, the resulting diagnosis system
description may feature different characteristics, such as being a non-
bijunctive Horn model.
Independent of the assessment type, the accuracy and composition
of the failure analysis largely impact the quality of the automatically
generated diagnosis model. It is apparent that failures and
manifestations disregarded in the failure review are missing from the
system description and thus cannot be considered during fault
identification. Hence, to achieve precise diagnoses, model completeness
is an essential premise [24]. Furthermore, manifestations must be
detectable in order to be useful in a diagnostic context and effects as
well as failures have to be coherently reported throughout the
assessment to allow automatic processing.
2.2.2.2 Fault Identification
Abductive diagnosis, even in the case where the system description is
restricted in expressiveness to Horn sentences, is at least NP-complete
[13]. Hence, efficient methods for deriving diagnoses are required in
practice. There are various techniques capable of computing abductive
diagnoses such as SAT-based approaches [17], consequence finding
procedures [30], or the well-known Assumption-based Truth
Maintenance System (ATMS) [8]. Internally the ATMS operates on a
directed graph representing the logical relations contained in the
theory, where propositions and the contradiction are nodes and
implications determine the edges. Each node is equipped with a label
recording for the corresponding variable the sets of assumptions, i.e.,
hypotheses, it can be derived from. Thus, the ATMS documents the
entailment relations characterized within the theory [22] and ensures
that labels are consistent and minimal with respect to subsumption. To
compute the abductive diagnoses an additional implication is added to
the ATMS such that o₁ ∧ … ∧ oₙ → ex, where {o₁, …, oₙ} = Obs and ex
represents a new propositional variable not yet contained within A. The
label of ex then comprises all solutions to the PHCAP.
MBD may yield an exponential number of explanations in the worst
case. Thus, techniques assisting in distinguishing diagnoses are
required to allow for an effective decision making in regard to repair
and replacement activities. Subsequently, we present two methods
aiming at supporting fault identification: observation discrimination
and diagnosis ranking.
Observation Discrimination
Probing has been proposed as a means
to decrease the solution space by supplying additional facts to the
diagnostic reasoner. While Friedrich et al. [13] propose an interleaved
process between diagnosis, probing and repair, Wotawa [37] suggests
computing all explanations and subsequently adding new symptoms,
which allows either the removing or confirming of diagnoses.
Definition 6 Given a PHCAP (A,Hyp,Th,Obs) and two diagnoses Δ1 and Δ2. A new
observation o ∈ A ∖ Obs discriminates two diagnoses if and only if Δ1 is a
diagnosis for (A,Hyp,Th,Obs ) but Δ2 is not.
Once discriminating observations have been selected, probes are
taken and the fault identification process is restarted with the
additional measurement information. Determining an ideal probing
point is essential in order to converge to a plausible solution efficiently.
The best new observation o is the probing point with the highest
entropy H(o). Entropy represents the information gain; thus, a higher
entropy value indicates a measurement with a greater discrimination
capability [9].
(2.5)
Equation (2.5) defines the entropy value for an observation o, where
p(o) is the probability of o defined as the ratio between the diagnoses
entailing the symptom together with the theory and the total number of
explanations:
(2.6)
Diagnosis Ranking
Depending on the underlying logical theory and set of observations,
there might not be a single solution available. Thus, in these cases a
prioritization of the diagnosis results can be useful to initiate
appropriate maintenance activities. A common strategy is to exploit
probabilities. Considering Bayes rule for conditional probability, we can
define the probability of an explanation Δ given an observation o as
(2.7)
Under the presumption that there is no uncertainty in the
measurement, i.e., the data has not been subjected to errors or noise,
we can state for any o ∈ Obs that p(o) = 1. As we know from the
entailment relation required by abductive diagnosis that the
explanation logically implies the observation, we can assign p(o∣ Δ) = 1.
Consequently from these two assignments and Eq. (2.7) it follows that
p( Δ∣o) = p( Δ). Assuming independence amongst faults, the probability
of each diagnosis Δ can be computed based on the a priori probabilities
p(h) of the hypotheses:
(2.8)
Given a PHCAP’s solutions we compute p(Δ) for all diagnoses in Δ-Set
and subsequently assign ranks accordingly. FMEA, for instance, holds
additional information such as failure likelihoods, which can be utilized
for prioritization. Other criteria, such as repair and replacement costs
or fault and diagnosis severity, i.e., seriousness of consequences in
regard to safety or monetary considerations, could also be considered
instead [34].
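The FMEA conversion of Definitions 4 and 5, followed by probe selection and diagnosis ranking on the records of Table 2.1, as an added example rather than the authors' engine. Equations (2.5) and (2.8) are not reproduced on this page, so the code assumes binary entropy for H(o) and, for p(Δ), the product of p(h) over h ∈ Δ times 1 − p(h) over h ∉ Δ; the snake_case proposition names are this example's own spelling of the table entries.

```python
import math
from itertools import combinations

# Records (C, M, E, likelihood) transcribed from Table 2.1. The snake_case
# names are this example's spelling; the likelihoods are used as p(h).
FMEA = [
    ("yaw_drive", "fails_to_rotate",
     {"no_yaw", "safety_system_failure", "decrease_of_efficiency"}, 2.2e-5),
    ("yaw_drive", "drive_shaft_blocked",
     {"no_yaw", "decrease_of_efficiency"}, 1.3e-5),
]


def fmea_to_kb(fmea):
    """Build (A, Hyp, Th, prior): one hypothesis mode(C,M) per record and
    one bijunctive clause mode(C,M) -> e for every listed effect e."""
    hyp, theory, prior = set(), set(), {}
    for comp, mode, effects, likelihood in fmea:
        h = f"mode({comp},{mode})"
        hyp.add(h)
        prior[h] = likelihood
        theory |= {(h, e) for e in effects}
    atoms = hyp | {e for _, e in theory}
    return atoms, hyp, theory, prior


def entailed(delta, theory):
    """Effects derivable from delta; one step suffices for bijunctive clauses."""
    return {e for h, e in theory if h in delta}


def diagnoses(hyp, theory, obs):
    """Subset-minimal hypothesis sets whose effects cover every observation."""
    found = []
    for size in range(len(hyp) + 1):
        for cand in map(frozenset, combinations(sorted(hyp), size)):
            if any(sol <= cand for sol in found):
                continue
            if set(obs) <= entailed(cand, theory):
                found.append(cand)
    return found


def entropy(o, delta_set, theory):
    """Binary entropy of probe o (assumed form of Eq. 2.5), where p(o) is the
    share of diagnoses that entail o together with the theory."""
    if not delta_set:
        return 0.0
    p = sum(o in entailed(d, theory) for d in delta_set) / len(delta_set)
    if p in (0.0, 1.0):
        return 0.0  # every diagnosis agrees on o, so probing it separates nothing
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def best_probe(atoms, hyp, theory, obs, delta_set):
    """Unobserved effect with the highest entropy, or None if none is left."""
    candidates = sorted(atoms - hyp - set(obs))
    return max(candidates, key=lambda o: entropy(o, delta_set, theory),
               default=None)


def rank(delta_set, hyp, prior):
    """Order diagnoses by p(delta), assuming independent faults (assumed
    form of Eq. 2.8)."""
    def p(delta):
        return math.prod(prior[h] if h in delta else 1 - prior[h] for h in hyp)
    return sorted(delta_set, key=p, reverse=True)


if __name__ == "__main__":
    A, Hyp, Th, prior = fmea_to_kb(FMEA)
    obs = {"no_yaw"}
    ds = diagnoses(Hyp, Th, obs)
    print("diagnoses:", [sorted(d) for d in ds])
    print("ranked:   ", [sorted(d) for d in rank(ds, Hyp, prior)])
    print("probe:    ", best_probe(A, Hyp, Th, obs, ds))
```

With Obs = {no_yaw} both failure modes remain as explanations; decrease_of_efficiency is entailed by both and so has zero entropy, while safety_system_failure splits them evenly and is selected as the probe.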
2.3 Industrial Wind Turbine Diagnosis
Wind turbine reliability presents a very interesting use-case for the
application of diagnostic methods. The cost of electrical energy
produced depends strongly on the operational efficiency of the
machines as well as on their availability. Component faults leading to
unplanned downtime have been shown to impact the overall energy
production significantly; the financial motivation for optimization in
this respect is thus high. The use of remote detection and diagnostic
technology is an area which is receiving an increasing level of focus, in
particular in the offshore wind energy industry, where turbine failures
are even more critical due to the difficulties related to accessing and
repairing the machines in potentially harsh environmental conditions.
All modern wind turbines use sensors, data acquisition, and on-
board processing as part of the closed-loop control system.
Furthermore, a range of diagnostic functions is typically included
within the system controller, so that at least basic status information
can be provided in case of faulty operation. However, such on-board
diagnostics are limited by the computing resources of the turbine
controller and the absence of instant access to a long-term historical
database.
The turbine continuously stores operational data logs (SCADA logs),
which can be retrieved and transferred to a central data store. The use
of such data stores for detailed performance analysis and diagnostic
work is becoming standard in the wind industry, since the data is
readily available and provides information about a number of systems
and components within the turbine.
Today most medium to large scale operators of wind turbine fleets
have installed centralized data management systems to collect and
store such SCADA logs. Uptime Engineering has developed a software
application that is capable of performing automated and continuous
analysis of such data, typically with the aim of detecting anomalies in
the behavior of individual turbines. Continuous advances have been
made in the capabilities of the analytic models, and it is now possible to
detect outlying behavior with a high degree of sensitivity. The results of
such analysis are combined with the above-mentioned on-board
diagnostic results together with general information concerning the
turbine age, type and build status, in order to support the turbine
operator in efficiently reacting to detected anomalies.
However, such analysis activities often produce a high volume of
information (multiple turbines monitored, multiple alarms originating
from many systems and accompanied by a range of heterogeneous
supporting information). The main challenge facing the user of such a
system is efficient interpretation of the results and the derivation of an
effective response strategy. Therefore a strong need has been identified
to provide the software user with “decision support”; i.e., an additional
layer of intelligence built in to the software, which combines all
generated observations and produces clear recommendations for
action. MBD is a highly relevant solution, due to the strong capability of
the approach in combining state information from a multitude of
sources and identifying the root cause with the highest likelihood.
The project between Uptime Engineering and Graz University of
Technology aims at integrating an abductive MBD engine, created by
the university, taking into account the process shown in Sect. 2.2.2 into
Uptime Engineering’s wind turbine condition monitoring software.
Uptime Engineering continuously extends and updates a
comprehensive failure assessment of industrial wind turbines,
providing a structured evaluation of faults and their manifestations.
This analysis can be exploited by the MBD engine as the basis of the
model development phase to construct a suitable diagnostic system
description. Once an anomaly has been detected by Uptime
Engineering’s condition monitoring software, an MBD computation is
triggered taking into account the abductive KB created and the
symptom discovered. Given the results of the diagnosis, the MBD engine
then provides additional information on the next best measurement
based on entropy values. To ensure a suitable integration into the actual
wind turbine maintenance workflow, we collaborate with an energy
provider employing Uptime Engineering’s condition monitoring. In this
section, we first describe the interface and interaction design of the
diagnosis engine and how it will be incorporated into the work
processes of the maintenance personnel of the energy provider. We
then describe the phases of the integration and its current status.
2.3.1 Abductive Model-Based Diagnosis Prototype
To enable MBD in industrial practice as proposed in Sect. 2.2.2, the
necessary failure information must be available to automatically extract
a suitable diagnostic model and an anomaly detection method is
needed to initiate the fault identification phase. Furthermore, in order
to yield benefits from deploying such a system, solutions need to be
computed efficiently and effectively reflecting defects present in the
system. We argue, however, that these technical features are not the
only deciding factors determining the success of a newly integrated
diagnosis software. While current research frequently focuses on
developing and improving reasoning techniques, the suitable
integration of MBD in operational processes is rarely addressed [24,
33]. In addition, it is well known that the acceptance of new technology
is tightly linked to the perceived usefulness of the product as well as its
perceived ease of use [7]. The former refers to the benefits for the users
and other stakeholders in regard to the performance of work tasks,
whereas the latter is on par with the usability of a product.
Hence, in developing an MBD application for use in the field within
our project, we focus not only on the technical aspects of feasibility but
further account for the human factor. An interface and interaction
design was incrementally developed for an abductive MBD engine,
which should function as a template for the actual implementation of
the tools which will be integrated into Uptime Engineering’s software.
Various prototypes were created iteratively, starting from a low-fidelity
paper mock-up to a clickable prototype depicting a usual fault
identification scenario. These prototypes reflect the above-described
general process of abductive MBD in the context of wind power plants.
Particular attention was paid to respecting current work processes and
accounting for a usable design.
The design process started with eliciting the requirements of the
diagnosis application in consideration of the stakeholders involved in
the project, who were:
- the service technicians, who are the users, will operate the diagnosis
  software for troubleshooting from the service center as well as in the
  field, and are responsible for performing the turbines’ planned
  maintenance, repair as well as replacement activities
- the management of a wind energy provider, planning on extending
  their self-maintenance activities for their wind turbine plants in the
  future
- Uptime Engineering, who currently develops condition monitoring
  software for wind turbines and will extend their portfolio with
  usable and extendable diagnosis software
2.3.1.1 Requirements
A list of requirements in regard to the final diagnosis application was
established during the course of the various design iterations. The
three distinct stakeholder groups have differing requests, which were
analyzed in order to resolve conflicts and prioritize the resulting
requirements. Since the success of the application depends to a great
extent on being used by the service technicians, special attention was
given to their suggestions and needs.
An important observation is that current fault detection activities
performed by the service personnel typically rely on visual inspection.
Hence, in order to support diagnosis, images should be used for easier
recognition. Once a fault has been identified, the repair or replacement
task is executed according to the wind turbine manufacturer’s
instruction manuals. Therefore, such documents need to be easily
accessible via the software. After the maintenance activities have been
completed, the service technicians are required to create a report of the
task and the actions performed. The software should thus support
automation of the reporting step to reduce the overall effort. The
working environment inside a wind turbine is often uncomfortable and
limited in space, and work is performed under time pressure in
potentially difficult weather conditions. The user interface therefore
needs to be intuitive in use and must guide the user through a strictly
defined sequence with minimal user interactions. Considering the
overall work process, the software should feature a desktop software
part operated in the service center as well as a mobile application,
which should be used within the turbine itself.
The management of the energy provider is interested in promoting
digitalization as well as increasing the productivity and safety of their
wind operations in use. On the one hand, the software should support
the service technicians in preparing all spare parts and tools necessary
before traveling to a wind turbine to ensure minimal downtime, while
on the other hand given the hazardous environment in the field it
should support the safety processes already in place, e.g., the service
technicians’ personal safety equipment. In addition to the user and
management requirements, the specifications of Uptime Engineering
needed to be satisfied. To extend and update the knowledge base, i.e.,
abductive model, the users should be able to report new fault modes,
which have not been previously contemplated. Further, the user
interface should be extendable and adaptable to satisfy other
customers as well as other domains for future projects.
2.3.1.2 Design Process
look pretty good to me. But if this family was running a popularity
contest with peanuts for ballots, you wouldn't get one shuck. Lord-
ee! I wish Cary Scott was here for just one minute! I need moral
support."
CHAPTER XXIII
Spring was turbulent in the sap of young trees and the blood of
young humans when Mary Delia James rolled along Fifth Avenue in
the quietly elegant limousine provided for her special use by a
correctly generous husband. Nothing about her suggested
participation in the turbulence of the season. Rather, life with that
most unvernal young man, T. Jameson James, would have served to
allay any tendencies toward ebullience which she might otherwise
have exhibited. She gave the impression of a cool impassivity.
The car had just turned into a side street when her languid
expression livened. She signalled to her chauffeur, leaned out of the
window and called:
"Cary! Cary Scott!"
The object of the summons turned in mid-crossing and came back,
his eyes shining with pleasure.
"Dee! It is good to see you again. How's James?"
"All right, thank you. What do you mean by turning up and not
letting us know?"
"Unexpected," he explained. "I hardly had time to find it out before I
was here."
"The telegraph, that useful invention, is still operating. Get in; we're
blocking traffic. You're dining and spending the night with us, of
course."
"If I stay over," he answered dubiously. "I don't know yet. Tell me
about the family."
"As usual. We're all flourishing in true Fentriss style."
"Pat? And Mr. Fentriss? And the Brownings?"
"Separated. No; I don't mean Fred and Con," she amended, laughing
at the dismay in his face. "Dad and the Brownings. Fred's sticking to
business and to Con; they've got a cottage over beyond the Club;
addition in June, not to the cottage, to the family. Pat's running
Holiday Knoll like a veteran, though just now she's in Boston. She'll
be sunk in desolation when she finds you've been here and she's
missed you."
"Perhaps I'll be back again when she returns," he said carelessly, but
his words belied his inward resolution so to arrange his schedule that
he would run no risk of the peace-destroying encounter. As a minor
determination, he decided to accept Dee's invitation for the night,
since it involved no danger of seeing Pat.
"Yes; Pat's quite doing her job," continued Dee. "It's good for her to
have the responsibility. But she's still a queer, restless, morbid kid.
You saw a lot of her at one time, Cary. I always thought you had a
steadying influence on her. What's the matter with Pat, do you
think?"
"The fever of the age, perhaps."
"Oh, we've all got that. But Pat's temperature is particularly high.
She rushes from one whirl to another, playing Billy-old-hell with Mark
Denby one week, and Emslie Selfridge another, and Selden Thorpe,
a third, and what does she get out of it? Not even excitement, or
else she's a little liar. She's beaten it now because she says she's
bored to suicide with this place."
"And you yourself, Dee? How is it with you?"
"Oh, I've everything I want," she said restlessly.
"Everything should include happiness; I'm glad."
"What's that? Don't know—yeh." Her voice was hard. "Please stop
looking at me like a solemn owl, as if you were probing for
symptoms. Bobs does all that I need in that line."
"Osterhout? How is he?"
"Go and see him. He needs stirring up. You are coming to us to-
night, aren't you?"
"Only too charmed. What's this place?" he asked, as the car drew to
the curb.
"My tailor's. Will you wait for me?"
"Heavens, no!" he laughed. "I'm nearly forty now. Can't spare the
time."
"Then account for yourself before you go. What brings you here so
suddenly and without any announcement?"
"A peculiar mission."
"Private, for a guess. Not hooked, are you, Cary?"
"Nothing of that nature. It's private, but not secret, from you. In
fact, you may be able to help me."
"I? In what possible way?"
"I want to find Stanley Wollaston."
At the name a slow colour rose in Dee's cheeks until it tinged even
the broadly and beautifully modelled forehead. "He's gone away. To
Richmond. I can give you his address."
"Good! I've some important news for him. There's no reason why
you shouldn't know it. His aunt in England has died and left him the
estate. Stan's lean days are over."
The rich hue ebbed out of Dee's face. "He'll go back, then," she
mused. At once she recovered herself. "I am glad," she said.
"I knew you would be," he answered. But he thought with pity: "She
still loves him"; and, with uneasiness, "and still sees him." He
continued: "He'll be going back within a month at the latest. I'll go
on to-morrow to find him."
He got out, bared his head, and helped her to alight.
"At seven o'clock then," she said. "Shall I get some people in? Who
do you want to see?"
"No one else in the world," he answered with such conviction that
she smiled up at him.
"You are a dear, Cary. I can't tell you how much we've missed you.
Pat almost went into mourning."
She did not see his expression change, ever so slightly, as he turned
away. Business of his own kept Scott busy most of the afternoon.
When he reached the club he found Jameson James waiting to
motor him out. James was amiable in his stiff and carefully
measured way.
Scott went to his room immediately upon their arrival, bathed,
dressed, drank the preliminary cocktail which Dee had mixed with
her own hands and sent up to him, and had started to go downstairs
when he stopped, his breath piling up, as it were, in his throat from
an emotion half dismay, half rapture. The unforgettable, luscious
huskiness of a voice floated up from below.
"Dee; where are you? Do come and hook this last hook for me. I
can't get the dam' thing to stay."
He took a step forward. Pat looked up. "Oh, Mist-er Scott!" she
crowed. "It's too flawless to see you again. I thought you were
never coming back."
CHAPTER XXIV
He walked back with her to Holiday Knoll after dinner. Pat's face was
thoughtful, moody. As they paced in silence he studied it intently,
with passionate longings, with passionate misgivings. Out of a
reverie she spoke.
"I've never missed anyone in my life as I've missed you. You were
right."
"About what, Pat?"
"That day you took me to Philadelphia. You said I'd miss you more
than I thought. D'you remember, I told you then what I thought
about it. 'Oh, well, I'll miss him for a few days and then—pouf!'"
There followed the impatient, boyish wriggle and hunch of the lithe
shoulders. "'It'll be all over.' It wasn't all over."
"For me it has never been over. Not for a single minute."
"Have you wanted me so much?" Beneath the conscious coquetry
there was a more wistful note.
"Oh, God, Pat!" His voice sounded thick and rough. "There has been
no colour or savour, no music or fragrance in life without you."
"Why did you go away?" she demanded accusingly.
"You know, I had to go."
"Why did you come back?"
"Not to see you. I didn't want to see you. Dee told me that you were
away."
"She told me you were here. I'd phoned over about some clothes.
So I just thought I'd like to see you again. Don't scowl at me. You
look as if you think I ought not to have come."
"No; you oughtn't."
"Are you sorry I did?"
He looked away from her into the wind-swept night.
"Are you angry because I did?"
"I love you," he burst out. "God, how I love you!"
She laughed softly. Her hand slid down his arm, clasped for a
moment the wrist in which his pulses leapt madly to her touch,
wreathed itself, cool and strong and smooth, around his palm. "And I
love you," she half-whispered gaily. "I'm terribly in love with you"—a
pause of deliberate intent—"to-night. Because you've been away
from me so long."
"Ah, yes, to-night!" He made no effort to keep the bitterness out of
his voice. "But, to-morrow——"
"To-night's to-night," she broke in happily. "We've got lots of it to
ourselves. It's only nine o'clock. I broke away early on purpose."
Arrested by the look on his face, she added with exasperation and
protest: "Cary! You're not going to play propriety to-night? When we
haven't seen each other for so long?"
She shook the gleamy mist of her hair about her face, gave a
gnomish bend and twist to body and neck and peered sidelong at
him from out the tangle.
Suddenly her face darted upward. Her mouth met his in a grotesque
parody of a passion-laden kiss.
"Oh, bad bunny!" she admonished herself in mock reproach. He
stopped, gazing at her from beneath bent brows.
"You hated that, didn't you?" she said.
"Yes."
"Because it wasn't real?"
"Because it was mockery."
"Petite gamine stuff. But I'm not petite gamine to-night; I'm
something else. I don't know what I am. Do you?"
"No."
"Don't be cross with me. Whatever it is that I am, it's sorry that it
kissed you that way. I didn't mean to make a josh of it."
He smiled. "One might as well try to be cross with a moonbeam."
They had come around by the side street, and now he held the
garden gate back for her. The house was dim. Pat kissed her hand to
the clematis arbour.
"D'you remember?" she murmured.
"Is there one moment ever spent with you that I've forgotten?"
"Would you like to forget?"
"There are times when I would give anything in the world to forget."
"But I don't want you to forget."
"You want me to have to bear this always?"
"No. I don't want you to be unhappy about it. I want—I don't know
what I do want. Except now. Now I want to have this evening just to
ourselves." She opened a side door, spoke to a servant, moving
about in the kitchen. "It's all right, Katie." Then to Scott: "Aren't you
coming in?"
He hesitated, but when she added impatiently, "Oh, don't be such a
crab!" he followed her.
"Go into the small conservatory," she bade him. "That's my work.
I've fussed it up into a sort of den."
She bounded upstairs and ran into her room, shook out her hair,
gathered it, studied herself in the glass. Her eyes were brilliant,
heavy-lidded, dreamy. She shook herself impatiently; her strong,
supervitalised young body felt cramped and pent in the close-fitting
tailor-made which she had on. She plucked at the buttons with
hurried fingers, wriggled out of the garment which she kicked from
her feet and left lying on the floor, tossed her corsets after it, and
exhaled a long, luxurious "Ooo-oo-oofff!" of satisfaction and
voluptuous relief.
Opening the door of her clothes-press, she rummaged for a moment
and pulled out a long, sweeping robe, which she drew about her,
moulding it to the boyish set of her shoulders and the woman's
depth and contour of her bosom. She caught up a cigarette, lighted
a match, then, lapsing into thought, let it droop from her fingers
until the scorching brought an angry "Damn!" of pain. She threw the
cigarette after the expiring match. No; she wouldn't smoke, much as
her tense nerves demanded it. She would keep her mouth fresh and
sweet for Cary's first kiss.
She ran down to him, putting on the far light in the hallway, so that
only a dim glow invaded the conservatory-den. Scott stood at the
window in an attitude of attention.
"What are you doing?" she asked.
"Listening."
"Music! A violin. Oh, I know. It's a visitor at the Eastmans', next
door. He's good. And how flawless of him to be playing just now.
Open the window. Let's hear it all."
He obeyed. She drew in to him. Her ready fingers sought his palm.
"Want me to mix you a drink?"
"No, dear."
"That's better," she approved. "Though," she added, with her old air
of gaminerie, "it might go further and not get a call-down. What is it
he's playing?"
"'The Élégie.'"
The violin was sobbing, panting, pleading like a woman in sweet
distress. The wind swept the notes to them until the whole room
was surcharged with the passion and grief of it.
Pat lifted Scott's hand, cuddled it to her cheek, flipped it away
carelessly, turned from him, drifted out of the den into the hallway,
back again, and to the divan in the far corner, where she threw
herself, snuggling amidst the pillows. Her eyes grew heavy,
languorous; in their depths played a shadowed gleam like the far
reflection of flame in the heart of sombre waters. The long, thrilling,
haunted, wind-borne prayer of the violin penetrated to the
innermost fibre of her, mingling there with the passionate sense of
his nearness, swaying her to undefined and flashing languors, to
unthinkable urgencies.
"Oh, Cary!" she breathed, in the breaking seduction of her voice, a
voice that blended and was one with the resistless pleading of the
music. And again: "Oh, Cary!"
Her arms yearned out to him, drawing him through the dimness.
With a cry he leapt to her, clasped her, felt her young strength and
lissome grace yield to his enfoldment. Through her sundered lips he
drew the wine of her breath deep, deep into his veins, until all his
self was merged and lost in her passion.
Outside the great wind possessed the world, full of the turbulence,
the fever, the unassuaged desire of Spring, the allegro furioso of the
elements, and through it pierced the unbearable sweetness of the
stringed melody.
The strain died. Was it after a minute, or an hour, or a night that
was an age in their intertwined lives? He was back at the window,
leaning against the casement, drawing the rushing wind into his
lungs, his heart bursting, his soul a whirl of fire.
Behind him, in the gloom, sounded the shaken softness of her
breathing. He bent his head upon his arms.
"Oh, God!" he said. "Pat. Little Pat!"
She came to him then, spread her gracious arms wide, flung the
gleaming fog of her hair to the wind, enclasped him, claimed his soul
with her lips.
"I'm not sorry," she panted. "I'm not! I'm not! I'm glad!"
CHAPTER XXV
Nothing irked Pat more than being awakened too early.
Consequently Katie's knock upon her door, at the third discreet
repetition, elicited a plaintive growl of protest.
"Oh, go away!"
"Special delivery letter for you, Miss Pat."
"Shove it under the door and don't bother me." She flumped over in
bed, burrowing her face among the pillows like an annoyed baby.
Very much did Pat wish to sleep. Until long after midnight she had
lain awake, thinking excitedly. To be roused out of the profound
oblivion which she had finally achieved, thus untimely, was a little
too much. But that letter got between her and her rest. From Cary
Scott, of course. She visualised the oblong blue stamp, insistent,
intrusive, "immediate." Oh, well! Up she jumped, caught the
envelope from the floor, and dived back into bed to read it.
It was mainly repetition of what he had said last night when they
parted: nothing but the absolute necessity of going would have
taken him away from her at such a time; he would be back in a few
days at the latest; she must wait until then; must not let herself
worry, must not make herself unhappy, must trust in him. It ended,
"I love you, Pat." Through the quiet directness of the wording Pat
felt the stress of an overwhelming emotion. It was not so much
worry or unhappiness that filled Pat's thoughts as a confused and
colourful bewilderment, a sense of unreality. There intervened a
reflection from her mis-education through the media of flash fiction
and the conventional false moralizings of the screen. In a variety of
presentations they all taught the same lesson, that when girls "went
wrong" they invariably "got into trouble." She passed her hands
down along her slender, boyish body and experienced a sharp qualm
of fear and disgust and anger, a visualisation of gross and sodden
changes in those slim contours. It couldn't happen to her. In spite of
the movies, other girls "took a chance" and "got away with it." Ada
Clare, for instance, according to common gossip; nothing had
happened to her. Cissie Parmenter had lightly hinted at
"experiences." Pat thought it would be exciting to tell Cissie. But
would it be safe? She would like to have Cissie's reassurance that
everything would be all right. But why should she need reassurance?
She steadied herself with the thought, entertained wholly without
idea of blasphemy or irreverence, that God wouldn't let anything like
that come about, the God to whom she had paid such assiduous
homage by going regularly to church and asking every night for
what she specially wanted on the morrow or in the further future. It
was her naïve idea of an unwritten pact with the Deity that the
performance of her little ritual, be it never so self-seeking, entitled
her, of right, to definite rewards and exemptions, claimable as
required. This was one of them. Surely He would keep to His part of
the bargain. Otherwise, what good would religion be to anyone?
It occurred to her uncomfortably that He had somewhere said, "The
wages of sin is death," which she secretly deemed bad grammar
even if it was in the Bible. But Pat did not really feel that this was
sin; rather it was accident. Technically it might be sin; she admitted
so much. But if it were really sin she would, as a sound Christian,
feel remorse. And she did not feel remorse. Therefore it could not in
any serious sense be sin. Irrefutable logic! What did she feel? She
asked herself. A sense of the fullness of life, of adventure boldly
dared. She had met one of the great crises of a woman's life, the
crisis, indeed. It must be so, since all the stories and movies and
plays agreed on the point. The singular aspect of it was that she was
conscious of no inner change. She was the same Pat Fentriss, only a
day older than yesterday. Being a "woman," if this was it, was not so
different from being a "girl."
And Mr. Scott. According to the conventions, as she had absorbed
them through the sensationalised and distorted lens to which her
intellectual vision had become habituated, the lover should lose all
"respect" for the unfortunate girl, this being the first symptom of the
waning of his love. Well, it wasn't working that way with her lover.
The few, broken words of parting last night, the still passion of his
letter, told a different story. Possibly, reflected Pat, the people who
set forth what purported to be life, on screen, stage, and the printed
page, didn't know so much about it after all. Or possibly she and
Cary Scott were different from other people. She felt convinced that
she was.
From this she fell to speculating upon Scott's probable attitude
toward the ingenious and comforting theory of conduct and
responsibility which she just had formulated specially to fit the
present crisis. Somehow it did not seem quite satisfactory in the
illumination of his imagined view. She had thought of him always
and rather mournfully as a non-religious if not actually irreligious
man; but it was disturbingly cast up from the depths of her mind
that if Cary Scott had a God, he would never try either to make
cheap excuses to nor shift responsibility upon Him. And suddenly in
that light her exculpatory arguments seemed shallow and paltering.
This uncomfortable consideration she thrust determinedly into the
background, and concentrated her thought upon her next meeting
with Scott.
All things considered, she was not, on the whole, sorry that he had
gone away, assuming, of course, that he came back very soon. It
gave her time to think, to figure things out free from the immediate
glamour of his presence and the disturbing gladness of his return
after the long disseverance. Did she really love him? She supposed
she must; otherwise—— Yet there was still strong within her the
impulse toward the companionship of youth which had inspired her
petulant remonstrance to Dr. Bobs over his opinion as to the
desirable age for her husband: "I don't want to marry my
grandfather!" Would she marry Cary Scott if he were free? Even now
she doubted it. Not at once, anyway. She wanted her own freedom
for a time yet, freedom to enjoy life, to range, to pick and choose.
But she had made her choice. Tradition would hold that she had
taken an irrevocable step, committed herself. Tradition be damned!
She didn't believe it. Would Cary take that view? If, on his return, he
should assume the proprietary attitude, evince a sense of
possessiveness—Pat clenched her fists but at once softened with the
recollection of his sure comprehension, his unerring tact, his
instinctive sense of her deeper emotions and reactions.
So far as the immediate future went, he was not free to marry her,
nor likely to be. That problem need not be faced now. Suppose later
she fell in love and wanted to marry someone else; what would be
her course then? Oh, well! Let that take care of itself when it came.
Meantime she had something more immediate to look forward to in
Cary's return. She anticipated it with a mingling of trepidation,
eagerness, warmth, and excited curiosity, the latter element being
predominant.
On the following morning she had another letter, and still a third on
the day after. She quite gloried in his devotion. But she did not
answer the letters. She rather wanted to but found a difficulty in
beginning. She preferred to plan out what she should say to him
when they met again, and was in the act of building up a quite
thrilling and eloquent statement of her feelings when the phone
summoned her.
"Pat?" It was Dee's voice, queer and strained. "Can you come over
at once?"
"Yes. What's happened?"
"Jim has been hurt."
"Jim? How?"
"Hit by a car."
"Oh, Dee! Is it bad?"
"Yes. I think so. They're bringing him here."
"I'll be right over."
Pat made a dash for her runabout. When she reached the James
house there were two cars in the driveway, Dr. Osterhout's and a
large touring car strange to her. There was blood on the steps which
Pat mounted.
"Is he killed?" she asked, chokingly, of a maid who was hurrying
through the hall.
"No'm," said the girl. "I don't think so." Then added in awe-stricken
tones: "He was swearin' somethin' awful when they brung him in.
The poo-er man!"
Pat followed her to the front room. Dr. Osterhout's head was thrust
out, at her knock.
"What can I do, Bobs?" she asked.
He nodded, approving the steadiness of her voice and control.
"Locate a trained nurse and bring her here."
"I'll have one in half an hour. How is he?"
"Bad."
Within the time prescribed Pat was back with the nurse. She found
Dee in the library waiting. The young wife's face was sallow, her
eyes wide and shining and fixed.
"Oh, Dee! don't!" begged Pat. "You look so afraid."
"I am afraid," was the monotoned reply.
"Is he going to die?"
"I don't know. That's what I'm afraid of. I'm afraid he isn't."
"Dee!"
"I know, I know how it sounds. I don't care. When the word first
came they said he was killed. I was glad."
Pat stared at her aghast.
"Why should I lie and pretend?" whispered the wife fiercely. "Why
shouldn't I want to be free of him? You know how it is between us.
I'm a marriage-slave to a man who has no thought of anything but
himself." She gulped and writhed in an access of strong physical
nausea.
Pat's strong hands fell upon her wrists. "Stop, Dee! You mustn't let
yourself go that way. Tell me how it happened."
"I don't know anything about it. The Marburys' car struck him, down
near the station."
"Poor Jimmie!"
"Poor Jimmie? Poor me! Shall I tell you what happened last week?"
"No. Not now, Dee. You're——"
"I'm all right, I tell you. And I'm going to tell you. We fought it out to
a finish. He wants to have children. Children, after the agreement he
broke! Well, I couldn't tell him the whole reason why I wouldn't; but
I told him this, and it's true, too, as far as it goes. I said to him:
'Jim, if you'd ever had one single thought for anybody in your life but
yourself I might feel different. But if there's anything in heredity I'd
as soon hand down idiocy to a child as your strain. Now, if you want
a separation, get it.' What do you think he said? 'Oh, no, my dear.
That's heroics. I'm just about the same as other men. You don't get
off so easily. As for selfishness, you didn't marry me in any spirit of
altruism.'"
"He had you there, Dee."
"Yes; he had me there. Then he said, 'I'm going to hold you until
you make good or break away yourself.'"
"'Then I'll break,' I said. 'I'll leave you.' He only smiled. 'You won't
find it too easy,' he said. I could have killed him."
"Are you really going to leave him?" asked Pat, wide-eyed.
"I was. Now"—she jerked her hand upward—"how can I? What kind
of a brute would I look?"
"Perhaps he will die. Poor Jimmie!"
"If you say 'Poor Jimmie' once again I'll scream at the top of my
voice."
A man in chauffeur's livery came down the stairs. He looked
beseechingly at Dee. "I couldn't help it, Mrs. James," he gulped. "I
never seen him until he grabbed the kid an' then I couldn't turn."
"What kid?" asked Pat.
"Didn't you hear how it happened?"
"No. Tell us."
"I was comin' down the road by the turn above the bridge when a
little girl run out from the curb. Mr. James must have been right
behind her. I honked and the kid stopped dead. I give the wheel a
twist and the kid jumped right under the fender. I knew there wasn't
no chance, but I jerked her again and felt her hit somethin' hard,
and the kid yelled once, and there was Mr. James under the wheels.
He'd seen the little girl and he made a dive for her and shoved her
out from under just as I—I got him. It was the nerviest thing"—the
man's rough voice broke. "He must-a knowed he didn't have a
chance. A—a—man's thinkin' little of himself to do that for a Dago
kid he never seen before."
Dee was leaning forward with fixed stare and twitching lips which
barely formed the words: "Did Jim do that?"
"Yes'm. He sure did. He'd oughta get the Carnegie medal for it."