Fault Modeling in Discrete Event Systems Using Petri Nets

12

Fault Modeling in Discrete Event Systems Using Petri Nets

PAYAM NAZEMZADEH, ABBAS DIDEBAN, and MEISAM ZAREIEE, Semnan University, Iran

In this article a model-based controller reconfiguration method for fault-tolerant control of discrete eventsystems has been introduced. In this method, we model the fault conditions for each specified fault as a newmodel called fault model. The system then consists of three different models called process, specificationand fault. The faulty parts of the system are not permitted to do any job and the controller tries to enforcethe specifications by other parts of the system. With this method, the controller reconfiguration problem forfault- tolerant control of discrete event systems converts to the problem of synchronizing the process, spec-ification and fault model. We must synthesize a supervisor that can enforce both specifications and faultsstatus. If this supervisor can be determined, we can achieve a fault-tolerant controller. Implementing bothspecification and fault models in the system, may lead to a large number of forbidden states and constraintsand so on a more complicated forbidden states problem must be solved. The application of constraints sim-plification methods is shown. By the existing methods for offline simplifying of constraints, we can arrive ata simplified fault tolerant controller.

Categories and Subject Descriptors: B.1.2 [Control Structures and Microprogramming]: Control Struc-ture Performance Analysis and Design Aids—Formal models; C.4 [Performance of Systems]: Fault tol-erance; D.2.2 [Software Engineering]: Design Tools and Techniques—Petri nets; I.6.4 [Simulation andModeling]: Model Validation and Analysis

General Terms: Design, Performance, Reliability

Additional Key Words and Phrases: Discrete event systems, fault-tolerant, Petri nets, supervisory control,forbidden states

ACM Reference Format:Nazemzadeh, P., Dideban, A., and Zareiee, M. 2013. Fault modeling in discrete event systems using Petrinets. ACM Trans. Embed. Comput. Syst. 12, 1, Article 12 (January 2013), 19 pages.DOI:http://dx.doi.org/10.1145/2406336.2406348

1. INTRODUCTION

Today discrete event systems have many applications in the synthesis and controlof industrial processes, networks and transportation. The theory of supervisory con-trol of discrete event systems was first introduced by Ramadge and Wonham [1989].They used formal languages and finite automata to model the system. The goal of thesupervisory control is to enforce the desired properties of the process, called specifi-cation. Modeling the supervisory control of discrete event systems by Petri nets wasintroduced for resolving some of the problems of automata, such as the state explosionproblem [Giua et al. 1991; Holloway and Krogh 1990]. Now Petri net is a very appro-priate and useful tool for the study of discrete event systems because of its modelingpower and mathematical properties.

Authors’ address: P. Nazemzadeh, A. Dideban, and M. Zareiee, Electrical and Computer Engineering De-partment, Semnan University, Semnan, Iran; emails: p [email protected], [email protected],[email protected] to make digital or hard copies of part or all of this work for personal or classroom use is grantedwithout fee provided that copies are not made or distributed for profit or commercial advantage and thatcopies show this notice on the first page or initial screen of a display along with the full citation. Copyrightsfor components of this work owned by others than ACM must be honored. Abstracting with credit is per-mitted. To copy otherwise, to republish, to post on servers, to redistribute to lists, or to use any componentof this work in other works requires prior specific permission and/or a fee. Permissions may be requestedfrom Publications Dept., ACM, Inc., 2 Penn Plaza, Suite 701, New York, NY 10121-0701 USA, fax +1 (212)869-0481, or [email protected]© 2013 ACM 1539-9087/2013/01-ART12 $15.00DOI:http://dx.doi.org/10.1145/2406336.2406348

ACM Transactions on Embedded Computing Systems, Vol. 12, No. 1, Article 12, Publication date: January 2013.

12:2 P. Nazemzadeh et al.

Fault is anything that changes the behavior of a system such that the system doesno longer satisfy its purpose. Fault may occur due to different reasons such as internalevents in the system, Change in the environmental conditions, wrong control actiongiven by the operator and error in the design of the system [Blanke et al. 2006]. Todayfault tolerance is an important issue considered in many industrial processes becausethe automated systems cannot protect themselves against the faults [Blanke et al.2000]. In the presence of a fault-tolerant controller, the goal is to diagnose faults whenthey occur and implement a method to keep the system accomplishing its specificationseven in a degraded performance, and if the specifications cannot be accomplished anymore, keep the system away from failure and danger states.

Much research has been conducted on detecting and diagnosing faults in discreteevent systems [Supavatanakul et al. 2005; Paoli and Lafortune 2005; Liu and Qiu2008; Hashtrudi Zad et al. 2005]. There are several methods for fault diagnosis ofdiscrete event systems modeled by Petri nets. Tabakow [2005] used p-invariants todiagnose faults. Li et al. [2004] determined a redundant Petri net model to detectfaults. Diagnosing faults based on timed Petri nets introduced by Jiroveanu and Boel[2006]. Using knowledge-based models via neural networks was introduced [Miyagiand Riascos 2006].

After a fault is detected, usually the controller is redesigned or reconfigured to keepthe performance of the system. Wen et al. [2008] introduced a framework for fault-tolerant supervisory control of discrete event systems and defined two different spec-ifications for nonfaulty and overall process. Then a supervisor is designed to enforcea certain specification for the nonfaulty plant and another specification for the over-all plant. But in this method we must be sure that the plant recovers from any faultwithin a bounded delay.

Darabi et al. [2003] suggested a method for switching the control policy when theobservation channels fail or are repaired. A method for model reconfiguration wasintroduced by Iordache and Antsaklis [2004]. They used the supervision based on placeinvariants for the reconfiguration for faults that are modeled by token loss, token gain,certain changes in constraints and certain changes in controllability or observabilityof the system.

Miyagi and Riascos [2006] used knowledge-based model and neural networks to de-fine the necessary treatment for each fault. Although this method can obtain goodtreatments after fault occurs, but it changes some rules of Petri nets and we may needsome different treatment models for any different systems.

Sampath et al. [2008] presented a reconfiguration method for a class of discreteevent systems whose control specifications can be changed at runtime. Although themethod is great and applicable, it can be used in discrete event systems where all thespecifications can be introduced by linear constraints. Furthermore, on the subject offault tolerance, if we want to change the constraints after the occurrence of faults inlarge systems, a large number of new constraints may result and applying the integerprogramming problem on-line may face difficulties.

Xue et al. [2005] demonstrated that each fault leads to some new forbidden statesin a fault-tolerant controller. They introduced a method to estimate the occurrence ofa fault transition and used a state-avoidance method to prevent the system from acti-vating the forbidden states produced by the fault. Because a new controller is designedon-line after the detection of each fault, the speed of estimation stage is important andmay pose problems in large systems.

The purpose of this article is to determine a model which ensures safety of the sys-tem for specified faults by forbidding the working of the faulty parts of the system aswell as raising the level of dependability by synthesizing the controller with supervi-sory control methods. When a fault occurs, certain elements or devices should not be


Fault Modeling in Discrete Event Systems Using Petri Nets 12:3

allowed to operate to keep the safety of the system. In many applications, it is commonto model faults as uncontrollable transitions of the main model. In this article, a Petrinet model is defined to obtain the faulty and nonfaulty states of elements whose faultsneed to be considered. This model is referred to as the fault model. The fault model issynchronized with the main model (The main model is the model that contains bothspecifications and process) and disables the transitions that can transfer the state ofthe system to a state which is not safe and should be forbidden after occurrence of afault. Thus, the system remains safe even if a fault occurs. Using supervisory controltheory in designing the process model and applying the specifications, the supervisorcan accomplish the duties of the faulty part, which has been stopped and forbidden, bythe other parts of the system where possible.

The additional fault model makes the synchronizing stage more complicated and ifthe system has uncontrollable transitions, it may cause a larger number of forbiddenstates. Synthesizing the supervisor for this large number of forbidden states, makesthe model so large and unusable. However, by the offline simplification methods wecan arrive at a simple controller.

This article is organized as follows. Section 2 presents the basic preliminaries. Sec-tion 3 gives a motivation to clarify the proposed method of this article. Section 4 givesthe model for one fault of a system and then expands it to all of the specified faults.Section 5 gives a method for synthesizing the final controller. In Section 6 a summaryof the method for reduction of constraints to achieve a simplified supervisor is intro-duced. Section 7 gives an example of the introduced method for fault-tolerant controlof discrete event systems. The conclusion of this article is given in Section 8.

2. PRELIMINARY PRESENTATION

In this section we will define some basics of Petri nets and its properties that are usefulin this article. We suppose that the reader is familiar with the basics of Petri nets.

A Petri net is a 5-tuple R = {P,T,W–, W+, Mo} where P is the set of places with nmembers, T ={TC

⋃TU} is the set of transitions. TC is the set of controllable transi-

tions and TU is the set of uncontrollable transitions. W– : (P × T) → N is the inputfunction, W+ : (T × P) → N is the output function and M0 is the initial marking. Theincidence matrix W is a n ×τ matrix calculated by W = W+ – W– (τ is the number oftransitions) [David and Alla 2005].

Definition 1. •Pi is the set of input transitions of place pi and can be determinedeasily using the output function (W+) by scanning the row of W+ which is related to pi.If the column representing transition tj is nonzero, tj is a member of •Pi [David andAlla 2005].

Definition 2. The function M : P → N is called marking. M is an n-member vectorrepresenting the number of tokens in each place (n is the number of places) [David andAlla 2005].

In a binary Petri net, a marking is an n-member vector of the set {0,1}n

Markings present the states of the system. For example, in a Petri net with 5 places,the marking MT

1 ={1 0 0 1 0} shows that in that state, places 1,4 are marked.

Definition 3. The function support(X) is the set of marked places in marking X.

In the example of definition 2, support(M1) = {p1, p4} (or support(M1) = p1p4)In an autonomous process, there are some desired properties that limit the system

performance, called specifications. The goal of supervisory control is to enforce thesepredefined specifications. This may lead to some authorized states and some forbiddenstates. MR is the set of markings that can be reached after occurrence of a finite set of



transitions. MA is a subset of MR that denotes authorized states and Mf is a subset ofMR that shows forbidden states. The set of forbidden states corresponds to two groups[Dideban and Alla 2008].

(1) The states which violate the specifications or are deadlock states. These states areshown by M′

F.(2) The states where occurrence of uncontrollable events lead to the states in M′

F.

After eliminating the set of forbidden states from the set of reachable states, theresidual set is the set of authorized states and is shown by MA.

In the set of forbidden states, there is a very important subset which called the setof border forbidden states and is denoted as MB. This subset is defined by Definition 4.

Definition 4. MB is the set of border forbidden states and is defined as follows:

MB = {Mi ∈ Mf |∃t ∈ TC and ∃Mj ∈ MA, Mj [t>Mi}

where Tc is the set of controllable transitions and “Mj [t>Mi” means that firing of tleads from markings Mj to Mi.

By disabling the controllable transitions when their firings lead to a border forbid-den state, prevention of the reachability of the forbidden states is possible. Moreover,to avoid all the forbidden states, it is sufficient to avoid the border forbidden states.

Property 1. Forbidden states can be converted to linear constraints [Giua et al.1992]. Consider that Mi(MT

i =[m1, m2, . . . , mn]) is a forbidden state, where Sup-port(Mi) = {pi1, pi2, . . . , piN}. a linear constraint is derived from this forbidden stateas follows [Dideban and Alla, 2008]:

n∑k–1

mik ≤ N – 1, (1)

where N = Card [Support(Mi)] is the number of marked places of Mi, and mik is themarking of place Pik of the state Mi. applying this relation will make Mi forbidden.For instance, consider that the state MT

1 = {1 0 0 1 0}must be forbidden. Whilesupport(M1) = {p1, p4}, Card [Support (M1)] = 2 and consequently we can forbid thisstate by applying the below linear constraint in the system.

m1 + m4 ≤ 1

Constraints can be introduced in the form of L.M ≤ b; where M is a general marking(MT = [m1, m2, . . . , mN], n is the number of places), b is a constant and L is a c ×n matrix comprise the coefficient of places in each constraint. For example, in theexample discussed in Property 1, the constraints can be formulated as:

[10010].[m1 m2 m3 m4 m5]T ≤ 1

Property 2. [Yamalidou et al. 1996]. The Petri net controller for implementing con-straints of the form L.M ≤ b:

Wc = –L.W (2)Mc0 = b – L.M0,

where W is the incidence matrix of the plant model. In this method, one place is addedto the model for applying one constraint.



When forbidden states and constraints are obtained, we must prevent the systemfrom entering forbidden states to achieve the final controller. In large systems witha large number of forbidden states, this prevention may cause a large, complicatedand useless model. In this case, we can use offline methods for simplifying constraintsto achieve a simplified and useful Petri net model. In this article we use the methodintroduced in Dideban and Alla [2008] and Dideban et al. [2009] for constraints sim-plification. A summary of this method will be introduced in Section 6.

3. MOTIVATION

The main goal of fault tolerance is to allow the system to continue working after theoccurrence of certain specified faults even with a degraded performance or at leastkeep the system in a safe state. For this, it is necessary to add the ability of hazardousstates avoidance to the system and try to use other parts of the system to do the duty ofthe faulty parts. Thus, in a fault-tolerant controller, certain states should be forbiddenafter the occurrence of a fault. They are the ones which are hazardous or the ones thatmay lead to a hazardous state. Then, the controller should try to use other parts ofthe system to do the duty of the faulty part. If this is not possible, the system may belocked; however, it will remain in a safe mode. This is clarified by the following threeexamples.

Example 1. Consider an industrial device such as a robot. If a fault occurs in thisdevice, it will not be safe to use it before fixing the problem, because of the possibility offailure or damage to the system. Therefore, the states in which the device is operating,should be avoided. In this condition, if there is any other device that can do the dutyof the faulty device, the supervisor should summon it in place of the faulty device.

Example 2. Consider a tank in which chemical materials are mixed. If the tankcracks, the controller should prevent entry to it. Otherwise, the tank may be broken.Thus, the new forbidden states comprise all the states in which at least one of theinputs of the tank is operated. In this situation, if there is no other tank which can beused in place of the faulty tanks, this part of the system may not be able to continueto work. However, by disallowing any inputs to the tank, the tank and the system willremain in a safe state.

Example 3. Consider an AGV system. If a fault occurs in one of the paths, no vehicleshould be permitted to go through the path and the states that show the possibilityof the faulty path should be forbidden until the fault is repaired. Then, the controllershould guide the vehicles to go through other available paths.

As seen in the examples, a fault produces new forbidden states in the system. Thus,in a fault-tolerant system, forbidden states change depending on the faults that occur.

In this article, the controller has been designed by considering all of the specifiedfaults of the system as well as the performance of the system after occurrence of eachfault. Using a new model, called “fault model”, and synchronizing it with the mainmodel, we prevent the system from entering new forbidden states resulting from faultsin the presence of their respective faults. For example, if a robot becomes faulty, thenew model can avoid all of the states where the robot is operating, by preventing theactivation of the places which show the operating condition of the robot.

In the presence of uncontrollable events in the process model, the problem will bemore complicated. This will be addressed in Section 5.

4. FAULT MODEL

Fault is any change in the behavior of the system that make the process unable toenforce its desired specifications. The goal of this article is to make the system enforce



its specifications after occurrence of fault, and if this is not possible, keep the systemin a safe state, even if the system needs to be locked.

Each fault may produce new forbidden states which are different from the forbiddenstates resulting from another fault. For example, if the designer has been asked toprevent materials from entering a tank while it is cracked or broken, the fault is thecrack of the tank and the new forbidden states are all of the states in which at leastone of the inputs of the tank is activated.

Let us have a look at the new forbidden states caused by the fault in some examples.In the example of the mixing tank, the new forbidden states are all of the states thatconsist of the conditions of filling the tank. In an industrial device, the new forbiddenstates are the states which show the operating conditions of the device. As can be seen,for each fault, a specific operation condition of one or more elements of the system iscommon to all of the new forbidden states, e.g., for the fault of the robot, the motor isin a working position in all of the new forbidden states.

On the other hand, in Petri nets, the different operation conditions of each elementof the system are shown by places. Therefore, the activation of one or more places inthe presence of a fault leads to some new forbidden states that are not desired. Hence,if these places are prevented from being activated after the fault occurrence, the newforbidden states of the system can be avoided. In this article, these places are called“faulty places” and the first goal is to design a controller that can avoid the activationof the faulty places.

The simplest way to forbid the activation of a place and prevent the system fromentering forbidden states is to disable the input transitions of the forbidden place.Therefore, a supervisor is needed to disallow the firing of the input transitions of faultyplaces. For this purpose, a new model is designed for the position of each fault. Thismodel must be able to enable or disable some transitions, depending on the faults,after it is synchronized with the main model. The model which is achieved for differentpositions of each specified fault is called fault model.

4.1. Fault Model of One Place

A model is needed to indicate the conditions of each fault. While this model shouldavoid the activation of certain “faulty places,” we can describe it as the fault model ofthe faulty places which are related to that fault.

In this section, the fault model of one place has been defined. Then, this model willbe expanded to all of the specified faults and faulty places. If the fault respective toplace pi occurs, its future activations must be avoided.

Definition 5. The fault model of place pi is a 5-tuple Rfi = {Pfi, Tfi, Wfaulti, Mfi0

}.

Pfi is a set of two places, Pfi ={pfi1, pfi2}. pfi1 shows the absence of the respectivefault, while pfi2 shows the existence of that fault.

Tfi is a triple set of transitions, Tfi = {tfi, tri , •Pi }where tfi is a transition showingthe occurrence of the fault and is labeled by event fi, while tri is a transition that occurswhen the fault is repaired and is labeled by ri. also, •Pi = {ti1, ti2,. . . , til} is the set ofinput transitions of pi.

The input function W–faulti

is a 2× (2+l) matrix and is defined as follows:

W–faulti

=f1 r1 ti1 ti2 . . . til

pfi1 1 0 1 1 . . . 1pfi2 0 1 0 0 . . . 0.



Fig. 1. The fault model for place pi.

The output function W+faulti

is a 2× (2+l) matrix and is defined as follows:

W+faulti

=f1 r1 ti1 ti2 . . . til

pfi1 0 1 1 1 . . . 1pfi2 1 0 0 0 . . . 0.

Mfi0 is the vector {1 0}The fault model for place pi is shown in Figure 1.

4.1.1. Fault Model for Faults That Produce More than One Faulty Place. The fault model ofone place was described in the last section. Sometimes, a fault leads to more thanone faulty place. In this situation, the future activations of all of these faulty placesshould be avoided after occurrence of fault. For instance, in example 3, if more thanone material entrance to the tank be available, more than one place show the entryconditions of the tank.

One fault model can be determined for all of these places. The model is acquired thesame as the model described in the last section. The only difference is in the set ofinput transitions (•Pi). This set is calculated by collecting the set of input transitionsof all respective faulty places.

Definition 6. The fault model of places “pi and pj”, which are respected to a samefault, is a 5-tuple Rfi,j = {Pfi,j, Tfi,j, W–

faulti,j, W+

faulti,j, Mfi,j0}

Pfi,j is a set of two places, Pfi,j ={pfi,j1, pfi,j2}= Pfi and is determined absolutely thesame as Pfi in the last section.

Tfi,j is a triple set of transitions, Tfi,j = {tfi,j, tri,j , •Pi,j} where tfi,j, tri,j are similarto the ones introduced in Section 4.1 and •Pi,j = {ti1, ti2,. . . , til, tj1, tj2, . . . , tjk} =•Pi

⋃ •Pj is the collection of the set of input transitions of pi and pj.

4.2. Synchronizing Fault and Main Models

The fault model for a specific forbidden place was defined in Section 4.1. Now, thismodel must be synchronized with the main model. The synchronization process isa simple synchronized composition commonly used in Petri nets [Giua and Dicesare1990]. Adding the fault model to the main model in the synchronization process, thesystem will have two additional places and two additional transitions for each fault,i.e., two rows and two columns are added to the input and output matrices.



Thus, after synchronizing one fault model, the new input and output matrices,W–

fi, W+fi are as follows.

Algorithm 1 can be used to determine the input and output matrices mentionedabove.

ALGORITHM 1:step 1. Create two 2 × (τ+2) matrices called W–

fi, W+fi

step 2. Set j = 1.step 3. Check if transition jis a member of the set •Pi as difined in definition 1.

� If no, set both rows of the column i to zero in both matrices.� If yes, set row one of that column to one and the second row to zero.

step 4. i=i+1.

Repeat step 3 and 4 until i = τ .

step 5. in matrix W–fi set column n+1 to

[10

]and column n+2 to

[01

]

step 6. in matrix W+fi set column n+1 to

[01

]and column n+2 to

[10

]

step 7. END.

For faults that lead to more than one faulty place only •Pi changes in Algorithm 1.It can easily be seen that the input transitions of place pi (•Pi) can be enabled so

long as the event of fault fi has not occurred. However, as soon as fi occurs, the tokenof place pfi1 is transferred to pfi2 and pfi1 is deactivated. Therefore, all of the inputtransitions of pi will remain disabled and consequently, the faulty place (pi) will not beactive before the occurrence of the repair event.

Now the determined model must be extended to all of the faulty places caused byevery specified fault. With the new input and output functions (W–

fi, W+fi) the new Petri

net model with the whole process, specifications and faults can be defined.

4.3. Petri Net with the Fault Models of All Specified Faults

In the previous sections, one fault was modeled and synchronized with the main model.Now this idea must be developed for more than one fault. For each fault, a modelsimilar to the one introduced in Section 4.1, should be determined and synchronizedwith the main model. Thus, after synchronization, two places and two transitions are



added to the model and as a result two rows and two columns are supplemented to theinput and output matrices for each fault.

Definition 7. A fault-tolerant Petri net is a 5-tuple RFT = {PFT, TFT, W–FT, W+

FT,MFT0

} where:

PFT = P⋃⎛

⎝ ⋃pi∈PF

Pfi

⎞⎠ (3)

TFT = T⋃⎛

⎝ ⋃pi∈PF

Tfi

⎞⎠ . (4)

PF is the set of all faulty places which must be prevented from activating after theoccurrence of at least one of the specified fault of the system. Pfi and Tfi are the setof places and transitions of the fault model of place pi (or places pi, pj, . . . which arebecome faulty places due to a same fault) introduced in Section 4.

W–FT, W+

FT are fault-tolerant input and output matrices and are determined by syn-chronizing all fault models (Rfi) with the main model and MFT0

is the initial marking.In other words, the fault-tolerant model is the collection of all fault models synchro-

nizing with the main model. PFT is the collection of the places of the main model (P)and the fault models (Pfi) and TFT is the collection of the transitions of the main model(T) and the transitions of the fault models (Tfi).

4.4. Example

Example 4. Consider a system with one tank, a valve for chemical materials, a motorwhich pumps the input liquid, a mixing motor and an output valve. The tank has twolevel detectors for high and low levels. When the low level switch is activated, the inputpump Min turns on to transfer the liquid to the tank so long as the high level is notactivated. After the action of high level switch, the valve of chemical materials Vc mustbe turned on for 10 seconds. Then, the motor turns on for 2 minutes to merge the liquidwith chemical materials. After that, the output valve turns on and transfers producedmaterials of the tank to the output valve so long as the low level switch is activated.Two mixing motors are used, but one of them is used as redundancy. Figure 2 showsthe main model of the system and the places description and events action of the modelare introduced in Table I. In this example the aim is to consider two different faults inthe system; (a) failure of the main mixing motor and (b) a leakage in the tank. Supposethat the designer is asked to synthesis a controller that can perform the following.

(I) when a leakage is detected in the tank, avoid any entrance to the tank.(II) When the main mixing motor becomes faulty, prevent it from being operated and

use the redundant motor where needed.

There are two specified faults in the system. Thus, the set of faults can be introducedas F = {f 1, f2}, where f1 is the notation showing the leakage of the tank and f2 is usedfor the fault of the main motor.

When f1 occurs, no tank inputs should be allowed to enter the tank. As defined inthe example, two entrance conditions are possible: the liquid which is entered by theinput pump and chemical materials entered by the chemical valve. Thus, the new for-bidden states are all of states in which at least one of the filling conditions of the tankis activated. From Figure 2, it is clear that places p2 and p4 represent the conditionsin which the tank is filling. Thus, the faulty places for this fault are p2 and p4.



Fig. 2. The main model of the example.

On the other hand, if f2 occurs, the mixing motor should not be allowed to work anylonger. Therefore, the new forbidden states are the states in which the mixing motoris working. Because the place p7 depicts the working mode of the motor, it is the onlyfaulty place for this fault.

Due to the specified faults discussed above, the set of faulty places is as follows:

PF = {p2, p4, p7}.

For each fault, a fault model is needed. Hence, 4 places and 4 transitions are addedto the overall model of the system. As p2 and p4 become faulty places depending on asame fault, the set of input transitions in Tf2 is the collection of •P2 and •P4.

Pf2 = Pf4 = fpf21, pf22g = fp18, p19g, Tf2 = ftf2, tr2,• P2,• P4g = ft11, t12, t1, t3g

Pf7 = fpf71, pf72g = fp20, p21g, Tf7 = ftf7 , tr7,• P7g = ft13, t14, t5g

PFT = P⋃

Pf2⋃

Pf7, TFT = T⋃

Tf2⋃

Tf7

After obtaining the three fault models, they must be synchronized with the mainmodel. The final model is shown in Figure 3.

As can be seen in Figure 3, if the mixing motor fails, its input transition (t5) is dis-abled by removing the token of place p20. Thus, when a mixing process is required, thesupervisor fires t7 and causes the redundant motor to do the mixing process. In thissituation, the system continues working even if the mixing motor becomes faulty. How-ever, if a leakage appears in the tank, the supervisor stops the process by forbiddingthe activation of the tank inputs. In this situation, although the system will finally bedisabled to work, it will remain in a safe state. Because all of the transitions of this



Table I. Place Description and Event Action of Example 4

Place description Transition actionp1 Tank is empty t1 Start command of the input tankp2 Tank is filling by t2

Activation of the high level switchthe input liquid

p3 Tank is filled by t3Start command of the chemical material entrance

the input liquidp4 Tank is filling by t4

10 secondschemical materials

p5 The filling process hast5

Start command of the mixing motorfinished and the system

is ready for mixingp6 main mixing motor off t6 120 secondsp7 main mixing motor on t7 Start command of the mixing motor +1 secondsp8 redundant mixing motor off t8 120 secondsp9 redundant mixing motor on t9 Start command of the output valvep10 The mixing process

t10

Activation of the low level switchhas finished and

the system is readyto make the tank empty

p11 Tank is emptyingp12 Input pump offp13 Input pump onp14 Chemical valve offp15 Chemical valve onp16 output valve offp17 output valve on

system are controllable, no additional forbidden states are produced and the modelshown in Figure 3 is the model of the final controller.

To achieve the final controller where some of the events are uncontrollable, we mustobtain the additional forbidden states that may be generated by the uncontrollabletransitions of the system and prevent the system from entering those states. Synthesisof the final controller is presented in the next section.

5. THE FINAL CONTROLLER SYNTHESIS

When the whole Petri net model is obtained, the final controller can be determined.If all of the transitions of •Pi are controllable the fault model can easily synchronize

with the process model without any problem and there will be no additional forbiddenstate. In this case, the obtained model in Section 4 is the final controller.

If there are some uncontrollable transitions in the set •Pi, some new forbidden stateswill be generated after the synchronized composition. By the algorithm presented inKumar and Holloway [1996], we can calculate all of the forbidden states and by themethod introduced in Dideban and Alla [2008] and Dideban et al. [2009] we can syn-thesize a controller that can enforce all the previous and new specifications. If thiscontroller could be synthesized, the fault-tolerant controller is achieved. This situa-tion will be shown by the example in Section 7.

Note that if we consider the uncontrollability of tfi, the system may be locked inthe initial marking after the synthesizing of the final controller. So, for calculatingforbidden states by Kumar algorithm we will not consider the uncontrollability ofthese transitions. This situation may cause some weakly forbidden states in the finalcontroller.

In such states, the controller may not tolerate some faults of the system. If so, a su-pervisor must detect these states and alarm the operator before the safety of systemis violated. In these states, occurrence of an uncontrollable event causes a forbiddenstate and we cannot prevent the system from going to the forbidden state. As explained



Fig. 3. The final model of example 4 after synchronizing the main model with the fault models.

earlier, we have synthesized the controller to prevent the system from going to forbid-den states. Thus, achieving a weakly forbidden state violates the Petri nets rules, be-cause a fault transition fires, while it is not enabled. In these situations, the supervisormust alarm the operator before the occurrence of that uncontrollable event. the super-visor can detect the alarm states when Petri nets rules violation occurs. This problemwill be clarified by the example in Section 7.

So for fault-tolerant control of discrete event dynamic systems, we can take thesesteps.

Step 1. Denote the places whose activation must be forbidden after occurrence of spec-ified faults. The set PF with k elements will be obtained.

Step 2. Determine the fault model (Rfi) for each specified fault using the method in-troduced in Section 4.

Step 3. Synchronize all of the fault models with the main model.Step 4. If all of the input transitions of the members of PF are controllable, the fault

models will not lead to any additional forbidden state and the final controlleris achieved. Go to step 7. If not, continue.

Step 5. Calculate the additional forbidden states of the system and synthesize a con-troller that can prevent the forbidden states. Do not consider the uncontrolla-bility of the fault transitions (tfi).

Step 6. Denote the states where the system cannot tolerate the faults. In these states,the supervisor must alarm the operator after occurrence of fault. These statesare the ones that a fault transition is fired, while it is not enabled. In thissituation, a Petri nets rule is violated.

Step 7. End.



Fig. 4. Petri net model of the example without attention to faults and forbidden states.

The most complicated step in this method is the prevention of the additional forbid-den states. In large systems with a large number of forbidden states, this step maycause a large and unusable model. Thus, we must reduce the number of forbiddenstates as much as possible. The next section introduces a method for preventing for-bidden states.

6. FINAL CONTROLLER SIMPLIFICATION

As introduced in Section 5, after the synchronized composition of fault models withthe main model, we must prevent the system from going to the forbidden states thatare produced due to uncontrollable transitions. In this section, we will introduce asummary of the method for reducing the number of forbidden states and prevent thesystem from going to these states. In this method, the forbidden states are reducedand changed to linear constraints. For more details, refer to Dideban and Alla [2008]and Dideban et al. [2009].

This method consists of five steps.

Step 1. Determine the set of border forbidden states (MB) using Kumar and Hollowayalgorithm [Kumar and Holloway 1996].

Step 2. Simplify the set of forbidden states using over-states concept [Dideban andAlla 2008].

Step 3. Reduce the number of forbidden states achieved from Step 3 using partial p-invariant method [Dideban et al. 2009].

Step 4. Convert the remained forbidden states to linear constraints using property 1.Step 5. Calculate control places using the method introduced in property 2.

7. EXAMPLE

Example 5. Consider a system with three machines and two robots [Dideban et al.2009]. Each machine is doing a certain job if transitions c1, c2, c3 occur respectively. Af-ter finishing each machining, the uncontrollable event of the end of machining process(e1,e2,e3) occurs and a robot must take the produced part and transfer it to the output.A machining process can be finished, when at least one robot is ready to respond tothat machine. The specifications of the system are the ready and working statuses ofboth robots. The finishing event of a machine leads a robot state to go from the readystate to the busy state and finishing event of a robot, makes it go from busy state tothe ready state.

After the synchronized composition of specifications and process models, themain model is achieved. This model is shown in Figure 4. Table II gives the places



Table II. Place Description and Event Action of the Example

Place description Transition Event actionp1 Machine 1 is ready t1 c1 Do the machining of the device in machine1p2 Machine 1 is working t2 e1 End of machining process in machine1p3 Machine 2 is ready t3 e1 End of machining process in machine1p4 Machine 2 is working t4 c2 Do the machining of the device in machine2p5 Machine 3 is ready t5 e2 End of machining process in machine2p6 Machine 3 is working t6 e2 End of machining process in machine2p7 Robot 1 is ready t7 c3 Do the machining of the device in machine3p8 Robot 1 is busy t8 e3 End of machining process in machine3p9 Robot 2 is ready t9 e3 End of machining process in machine3p10 Robot 2 is busy t10 Re1 End of holding a device by robot 1

t11 Re2 End of holding a device by robot 1

Table III. The Place Description and Transition Action of the Fault Statusof Robots

Place description Transition Event actionp11 Robot 1 is ok t12 f8 Robot 1 is failedp12 Robot 1 is faulty t13 r8 Robot 1 is repairedp13 Robot 2 is ok t14 f10 Robot 1 is failedp14 Robot 2 is faulty t15 r10 Robot 1 is repaired

description and transitions action of Figure 4. For more details refer to Dideban andAlla [2008] and Dideban et al. [2009].

The input and output functions of the model shown in Figure 4 are as follows:

W– =

⎡⎢⎢⎢⎢⎢⎢⎢⎢⎢⎢⎢⎢⎣

1 0 0 0 0 0 0 0 0 0 00 1 1 0 0 0 0 0 0 0 00 0 0 1 0 0 0 0 0 0 00 0 0 0 1 1 0 0 0 0 00 0 0 0 0 0 1 0 0 0 00 0 0 0 0 0 0 1 1 0 00 1 0 0 1 0 0 1 0 0 00 0 0 0 0 0 0 0 0 1 00 0 1 0 0 1 0 0 1 0 00 0 0 0 0 0 0 0 0 0 1

⎤⎥⎥⎥⎥⎥⎥⎥⎥⎥⎥⎥⎥⎦

, W+ =

⎡⎢⎢⎢⎢⎢⎢⎢⎢⎢⎢⎢⎢⎣

0 1 1 0 0 0 0 0 0 0 01 0 0 0 0 0 0 0 0 0 00 0 0 0 1 1 0 0 0 0 00 0 0 1 0 0 0 0 0 0 00 0 0 0 0 0 0 1 1 0 00 0 0 0 0 0 1 0 0 0 00 0 0 0 0 0 0 0 0 1 00 1 0 0 1 0 0 1 0 0 00 0 0 0 0 0 0 0 0 0 10 0 1 0 0 1 0 0 1 0 0

⎤⎥⎥⎥⎥⎥⎥⎥⎥⎥⎥⎥⎥⎦

.

Now suppose that we want to make the system tolerable to the fault of each robot. Ifa robot fails, any further operation of it must be forbidden and all of the machine mustorder the moving of their machined device to the other robot. It can be seen that, thesystem can still enforce all of the specifications but it works slower, i.e., with degradedperformance. So, we need to forbid the states that represent the operating condition ofrobots. As introduced earlier, places p8 and p10 show the operating condition of robots1 and 2 respectively. Thus, two fault models must be added to the model and we willhave:

PF = {p8, p10}

Pf8 = {pf81, pf82} = {p11, p12} and Tf8 = {f8, r•8, P8} = {(t2, t5, t8), t12, t13}

PF10 = {pf101, pf102} = {p13, p14} and TF10 = {f10, r10,• P10} = {(t3, t6, t9), t14, t15}

Table III shows the places description and transitions action of the faultstatus models.



Fig. 5. Petri Net model of the example in the existence of robots fault models.

Now the fault tolerant Petri net input and output functions can be determined asfollows:

]

By having W–FT and W+

FT, we can determine the fault-tolerant Petri net model. Thismodel is shown in Figure 5.

In this situation, a machine can order a robot to transfer the part it has produced, ifthe ready status and the nonfaulty status of the robot are marked synchronously.

As written in previous sections, after synchronizing the process and specifica-tion models, the final controller needs to be designed. Because of the uncontrollable



transitions in set •Pi of both robots, we have some new forbidden states in the model.Thus, we have a more complicated forbidden state problem. But we have changed thefault-tolerant problem to a forbidden states problem that has good methods to solve.The forbidden states of this system are states where:

(a) three machines work synchronously,(b) both robots are in the working status and a machining process may be finished,(c) both robots are in faulty status and a machining process may be finished,(d) one of the robots is working and the other is in a faulty status and a machining

process may be finished.

The levels (c) and (d) above generate the additional forbidden states because of apply-ing fault tolerance in the system.

If we determine reachable markings and calculate the forbidden states, 88 forbiddenstates and 46 border forbidden states will be obtained. As can be seen, a big problemof forbidden states must solve for designing the final controller. By the idea presentedby Giua et al. [1992], we can use one constraint for each forbidden state. It makes thesystem too large and complicated. So we must simplify these constraints to achieve asimpler supervisor.

After converting these 46 forbidden states to 46 constraints by the Guia et al. [1992]method, we can simplify these constraints by the method that uses the over-state con-cept. The over-states of a marking are all of the markings that are subnets of thatmarking. forbidding an over-state of a state, guarantees the forbidding of that state.But we must be sure that forbidding that over-state does not forbid any authorizedstate of the system. The reduction of constraints by over-states consists of three stepsas follows.

Step 1. Construct the set of all the over-states of border forbidden states, B1, and theset of all over-states of authorized states, A1.

Step 2. Remove all of the members in B1 existing in A1 and call the new set B2.Step 3. Remove the members of B2 whose over-states are also in B2. Call the new set

B3. The states in B3 are the simplified constraints.

By using this method in this example, we achieve 25 simplified over-states. The setof simplified over-states is as below.

B3 = {p2p4p6, p2p4p12, p2p4p14, p2p6p12, p2p6p14, p2p12p14, p4p6p12, p4p6p14,p4p12p14, p6p12p14, p2p4p8, p2p6p8, p2p8p14, p4p6p8, p4p8p14, p6p8p14, p2p4p10,p2p6p10, p2p10p12, p4p6p10, p4p10p12, p6p10p1, p2p8p10, p4p8p10, p6p8p10}

From this number of over-states we can achieve 25 constraints that are still large.Usually we can do more simplification on the constraints that are achieved from stagec by the partial p-invariant method [Dideban et al. 2009]. With this method we cancombine some of the constraints to reach one constraint. Using this method, a simpli-fied model with only 4 constraints is achieved.

The set of simplified constraints is as follows.Sc = {(p2p4p6p12p14,2), (p2p4p6p8p14,2), (p2p4p6p8p10,2), (p2p4p6p10p12,2)}(p2p4p6p12p14,2) specifies the constraint ( m2+m4+m6+m12+m14 ≤ 2 )Sc is the simplest set of constraints that can be reached. Now we can obtain the final

controller by implementing these constraints in the model using property 2.

L =

⎡⎢⎣

0 1 0 1 0 1 0 0 0 00 1 0 1 0 1 0 1 0 00 1 0 1 0 1 0 1 0 10 1 0 1 0 1 0 0 0 1

0 1 0 10 0 0 10 0 0 00 1 0 0

⎤⎥⎦



Wc = –L*W =

⎡⎢⎣

–1 1 1 –1 1 1 –1 1 1 0–1 0 1 –1 0 1 –1 0 1 1–1 0 0 –1 0 0 –1 0 0 1–1 1 0 –1 1 0 –1 1 0 0

0 –1 1 –1 10 0 0 –1 11 0 0 0 01 –1 1 0 0

⎤⎥⎦

Mc0 = b – L.M0 =

⎡⎢⎣

2222

⎤⎥⎦ .

The final controller is reached by adding Wc to the last incidence functions,w–

FT, W+FT.

W–Total =

[W–

FTW–

c

]

W–Total =

[W+

FTW+

c

].

W–Total and W+

Total show the input and output functions of the fault tolerant controllerfor this example. Figure 6 shows the model of fault tolerant controller for the example.

As defined in Section 5, in some states the uncontrollable transition of fault, fi, couldbe fired, while its firing is forbidden by the supervisor. These states are the stateswhere a fault event leads to a weakly-forbidden state. In this situation, the systemmust alarm its inability to tolerate fault. In this example, the controller cannot toleratefaults if:

(a) one of the robots goes faulty, while the other is in a working state and one machineis working.

(b) both of the robots go to a faulty state, while at least one machine is working.

For example, one of the authorized states of the final model is the marking M ={p2p3p5p7p10p11p13p15p16}. In this state, machine 1 and robot 2 are working and nofault exists. When the machining process of machine 1 is finished, robot 1 can respondto the request of machine 1 and hold the machined device to the output. Now considerthat robot 1 fails before the finishing of the machine 1 operation. Hence, the state of thesystem changes to state M′ = {p2p3p5p7p10p12p13p15p16}. In this situation, becauserobot 2 is busy and robot 1 is faulty, there will be no robot to respond to the request ofmachine 1, after its machining process is finished. However, due to the uncontrollabil-ity of the finishing event of the machine, it may be occurred and lead the system to aforbidden state. So, this state is a weakly-forbidden state. As can be seen in Figure 6,because place p18 is not marked, the fault transition of robot 1 is not enabled in stateM. So, if it is fired, it violates the Petri nets rules and the supervisor can detect thisviolation and alarm the operator.

8. CONCLUSION

A model-based control reconfiguration method for fault-tolerant control of discreteevent systems was presented. We introduced a method for modeling faults as a newmodel of the system and tried to synthesize a supervisor that can enforce both spec-ifications and faults in the process and avoid the danger or nonsafe states. With thismethod, we can reconstruct the system by offline methods of supervisory controllerdesign. This method usually arrives at a complicated forbidden state problem. Thus,this article presents a good application for methods of constraints reduction. By usingthese methods, a simplified fault-tolerant controller is achieved.



Fig. 6. The model of a fault-tolerant controller for the example of 3 machines and 2 robots.

Our future works will include extending this method to nonbinary Petri nets and de-termining an algorithmic and systematic method for detecting the states in which thesystem cannot tolerate to faults and the operator should be warned by the controller.

REFERENCES

Blanke, M., Frei, C. W., Kraus, F., Patton, R. J., and Staroswiecki, M. 2000. What is fault-tolerant control?In Proceedings of the 4th IFAC Symposium on Fault Detection, Supervision and Safety for TechnicalProcesses.

Blanke, M., Kinnaert, M., Lunze, J., and Staroswiecki, M. 2006. Diagnosis and Fault-Tolerant Control.Springer.

Darabi, H., Jafari, M. A., and Buczak, A. L. 2003. A control switching theory for supervisory control ofdiscrete event systems. IEEE Trans. Rob. Autom. 19, 1, 131–137.

David, R. and Alla, H. 2005. Discrete, Continuous, and Hybrid Petri Nets. Springer.Dideban, A. and Alla, H. 2008. Reduction of constraints for controller synthesis based on safe Petri nets.

Automatica 44, 7, 1697–1706.Dideban, A., Zareiee, M., and Alla, H. 2009. Controller synthesis with very simplified linear constraints in

PN model. In Proceedings of the 2nd IFAC Workshop on Dependable Control of Discrete Systems.



Giua, A. and Dicesare, F. 1990. Easy synchronized Petri nets as discrete event models. In Proceedings of the29th IEEE International Conference on Decision and Control. 2839–2844.

Giua, A. and Dicesare, F. 1991. Supervisory design using Petri Nets. In Proceedings of the 30th IEEEInternational Conference on Decision and Control. 92–97.

Giua, A., Dicesare, F., and Silva, M. 1992. Generalized mutual exclusion constraints on nets with uncontrol-lable transitions. In Proceedings of the IEEE International Conference on Systems, Man and Cybernetics.974–979.

Hashtrudi Zad, S., Kwong, R. H., and Wonham, W. M. 2005. Fault diagnosis in discrete-event systems:Incorporating timing information. IEEE Trans. Autom. Control 50, 7, 1010–1015.

Holloway, L. E. and Krogh, B. H. 1990. Synthesis of feedback control logic for a class of controlled Petri nets.IEEE Trans. Autom. Control 35, 8, 514–523.

Iordache, M. V. and Antsaklis, P. J. 2004. Resilience to failure and reconfigurations in the supervision basedon place invariants. In Proceedings of the American Control Conference. 4477–4482.

Jiroveanu, G. and Boel, R. K. 2006. A distributed approach for fault detection and diagnosis based on TimePetri Nets. Math. Comput. Simul. 70, 287–313.

Krogh, B. H. and Holloway, L. E. 1991. Synthesis of feedback control logic for discrete manufacturing sys-tems. Automatica 27, 4, 641–651.

Kumar, R. and Holloway, L. E. 1996. Supervisory control of deterministic Petri Nets with regular specifica-tion languages. IEEE Trans. Autom. Control 41, 2, 245–249.

Li, L., Hadjicostis, C. N., and Sreenivas, R. S. 2004. Fault detection and identification in Petri net controllers.In Proceedings of the 43rd IEEE Conference on Decision and Control. 5248–5253.

Liu, F. and Qiu, D. 2008. Safe Diagnosability of Stochastic Discrete Event Systems. IEEE Trans. Autom.Control 53, 5, 1291–1296.

Miyagi, P. E. and Riascos, L. A. M. 2006. Modeling and analysis of fault-tolerant systems for machiningoperations based on Petri Nets. Control Eng. Pract. 14, 397–408.

Paoli, A. and Lafortune, S. 2005. Safe diagnosability for fault-tolerant supervision of discrete-event Systems.Automatica 41, 1335–1347.

Ramadge, P. J. and Wonham, W. M. 1989. The control of discrete event systems. Proc. IEEE 77, 1, 81–98.Sampath, R., Darabi, H., Buy, U., and Liu, J. 2008. Control reconfiguration of discrete event systems with

dynamic control specifications. IEEE Trans. Autom. Sci. Eng. 5, 1, 84–100.Supavatanakul, P., Lunze, J., Puig, V., and Quevedo, J. 2005. Diagnosis of timed automata: Theory and

application to the DAMADICS actuator benchmark problem. Control Engin. Pract. 14, 609–619.Tabakow, I. G., 2005. Fault diagnosis of discrete event systems using place invariants. In Proceedings of

the 9th International Conference on Knowledge-Based Intelligent Information and Engineering Systems,Lecture Notes in Computer Science, vol. 3682, 541–547.

Wen, Q., Kumar, R., Huang, J., and Liu, H. 2008. A framework for fault-tolerant control of discrete eventsystems. IEEE Trans. Autom. Control 53, 8, 1839–1849.

Xue, F. and Zheng, D. Z. 2005. Fault tolerant supervisory for discrete event systems based on event observer.In Proceedings of the International Conference on Intelligent Computing. Lecture Notes in ComputerScience, vol. 3645, 655–664.

Yamalidou, C., Moody, J., Lemmon, M., and Antsaklis, P. 1996. Feedback control of Petri nets based on placeinvariants. Automatica 32, 1, 15–28.

Yang, X. and Chen, L. J. 2009. Design and fault diagnosis of Petri Net controllers for Petri Nets with uncon-trollable and unobservable transitions. J. Manuf. Syst. 28, 17–22.

Received March 2010; revised July 2011; accepted August 2011


Fault Modeling in Discrete Event Systems Using Petri Nets

Documents

Transcript of Fault Modeling in Discrete Event Systems Using Petri Nets