Automatica

Volume 125, March 2021, 109430
Liveness enforcing supervisory policies tolerant to controllability failures for discrete-event systems modeled by Petri Nets

https://doi.org/10.1016/j.automatica.2020.109430

Abstract

A Discrete Event System (DES) modeled by a Petri Net (PN) is live if it is possible to fire any transition, although not necessarily immediately, from any marking that is reachable from the initial marking. A Liveness Enforcing Supervisory Policy (LESP) for a PN enforces liveness by preventing the firing of a subset of transitions called the controllable transitions, which correspond to the preventable events in a DES.

In this paper, we consider the existence and synthesis of LESPs for arbitrary PNs in the presence of faults, where a subset of controllable transitions become temporarily uncontrollable, for a finite number of event occurrences. Following the formal specification of the fault model, we present a necessary and sufficient condition for the existence of Fault-Tolerant LESPs (FT-LESPs) for arbitrary PNs. We show that, even when an LESP is given, the existence of an FT-LESP for an arbitrary PN is undecidable. We then identify a class of PNs for which the existence of FT-LESPs is decidable. We conclude with some suggestions for future research.

Introduction

A Discrete Event System (DES) is a discrete-state system in which the state changes at discrete time instants due to the occurrence of events. We consider DES modeled by Petri nets (PNs) (Peterson, 1981). PNs are directed bipartite graphs in which the two sets of nodes are referred to as places and transitions. Places contain tokens, which can be interpreted as resources. Tokens move from one set of places to the other due to the firing of transitions. The firing of a transition is equivalent to the occurrence of an event in the DES context. The arcs connecting a transition to its input places, along with their weights, encode the conditions that must be satisfied for that transition (event) to be state-enabled. Specifically, every input place of a transition must hold at least as many tokens as the weight of the respective arc for the transition to be state-enabled. The weights of the arcs connecting a transition to its output places encode the consequences of firing the transition. Firing a transition removes (resp. adds) the respective arc-weight-many tokens from (resp. to) its input (resp. output) places. Thus, the firing of a transition creates a new token distribution at which a different set of transitions can become state-enabled. This process continues as often as necessary. The (non-negative) integer-valued vector denoting the token distribution in the places of a PN is the marking (state) of the system. PN models are useful for modeling concurrent and asynchronous systems (Peterson, 1981). The execution of a PN is non-deterministic in nature: if at any point more than one transition is enabled, then any of the enabled transitions can be the next to fire. These features make PNs useful for modeling situations where several events occur in parallel and the order of occurrence of events is not unique.

A PN is said to be live if it is possible to fire any transition, although not necessarily immediately, from any marking that is reachable from the initial marking. If a PN model of a DES is not live, it is of interest to investigate the existence of a supervisory policy that can make the supervised-PN live. The supervisory policy enforces liveness by preventing the firing of a subset of controllable transitions, which correspond to controllable activities (or events) of the DES. The set of uncontrollable transitions represent activities (or events) which cannot be prevented from occurring by the supervisory policy.
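The firing semantics of the previous paragraph and the liveness and supervision notions of this one, as an added Python example that is not part of the paper: it implements state-enabling, firing, a bounded reachability graph and the liveness test, and runs them on a small constructed net in which the controllable transition t3 leads to a deadlock unless a supervisory policy disables it. A net is represented here as a pair of dicts (pre, post) mapping transition -> {place: arc weight}; that representation and the net itself are assumptions of this example, not the paper's.

```python
from collections import deque

def enabled(net, m, t):
    # State-enabled: every input place holds at least arc-weight-many tokens.
    return all(m[p] >= w for p, w in net[0][t].items())

def fire(net, m, t):
    # Firing removes the input arc weights and adds the output arc weights.
    pre, post = net
    return {p: m[p] - pre[t].get(p, 0) + post[t].get(p, 0) for p in m}

def reachability_graph(net, m0, policy=None, limit=10000):
    # BFS over markings; policy(m, t) is the supervisor and may veto firing t.
    key = lambda m: tuple(sorted(m.items()))
    graph, queue = {key(m0): {}}, deque([m0])
    while queue:
        m = queue.popleft()
        for t in net[0]:
            if enabled(net, m, t) and (policy is None or policy(m, t)):
                n = fire(net, m, t)
                graph[key(m)][t] = key(n)
                if key(n) not in graph:
                    graph[key(n)] = {}
                    queue.append(n)
        if len(graph) > limit:
            raise RuntimeError("too many markings; the net may be unbounded")
    return graph

def is_live(net, m0, policy=None):
    # Live: from every reachable marking, every transition can eventually fire.
    for m in reachability_graph(net, m0, policy):
        sub = reachability_graph(net, dict(m), policy)
        fired = {t for succ in sub.values() for t in succ}
        if fired != set(net[0]):
            return False
    return True

# Constructed net (not from the paper): t3 can drain p1 into p3 until no
# transition is enabled, i.e. the marking (p1, p2, p3) = (0, 0, 2) deadlocks.
PRE = {"t1": {"p1": 1}, "t2": {"p2": 1}, "t3": {"p1": 1}, "t4": {"p2": 1, "p3": 1}}
POST = {"t1": {"p2": 1}, "t2": {"p1": 1}, "t3": {"p3": 1}, "t4": {"p1": 2}}
NET, M0 = (PRE, POST), {"p1": 2, "p2": 0, "p3": 0}

def lesp(m, t):
    # Supervisory policy: forbid the controllable t3 once p3 holds a token.
    return not (t == "t3" and m["p3"] >= 1)
```

Running `is_live(NET, M0)` without a policy reports the deadlock, while `is_live(NET, M0, lesp)` reports liveness; a fault that leaves t3 uncontrollable at the marking (1, 0, 1) is exactly the situation in which this policy can no longer prevent the deadlock.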

Liveness analysis of PN models has gained considerable attention in the literature. Giua (1992) introduced monitors to the supervisory control of PNs. Iordache and Antsaklis (2007) and Moody and Antsaklis (2012) used monitors to enforce liveness in certain classes of PNs. Cordone et al. (2013), Ghaffari et al. (2003) and Reveliotis, Roszkowska, and Choi (2007) study the problems of liveness and deadlock avoidance in resource allocation systems (RASs). Chen and Li (2011) proposed a minimally restrictive control policy for flexible manufacturing systems using the vector covering approach. Basile, Recalde, Chiacchio, and Silva (2009) and Marchetti and Munier-Kordon (2009) presented a sufficient condition for liveness for a class of PNs. Basile, Cordone, and Piroddi (2015) address the design of maximally permissive decentralized supervisors for Petri nets based on generalized mutual exclusion constraints and treat the problem of liveness together with the problem of forbidden states in a very general context.

Although undecidable for arbitrary PNs (Sreenivas, 1997), the existence of an LESP is decidable for PN structures that belong to certain classes (collectively identified as H-class) of PNs (Somnath and Sreenivas, 2013, Sreenivas, 2012, Sreenivas, 2013). Additional observations on the existence of LESPs for arbitrary PNs can be found in Chen, Raman, Hu, and Sreenivas (2020).

In this paper, we consider the existence and synthesis of LESPs for arbitrary PNs in the presence of faults, where a subset of controllable transitions become temporarily uncontrollable, at an arbitrary discrete-time instant, for a finite number of event occurrences. This could be due to a device- or line-fault, where communication between supervisor and plant is temporarily unavailable; or due to the activity of a malicious-user. We assume that the only information the supervisor has about the system is its PN model, and its current marking.

Fault-tolerance in DES modeled by PNs has largely been explored in the context of unreliable resources. Informally stated, resources are modeled as tokens, and a resource (token) that was previously available can become unavailable due to faults. The unreliable availability of tokens in a PN model can take a PN from a live state to a deadlocked state. Hsieh (2000, 2003, 2004), Lawley and Sulistyono (2002) and Wang, Chew, and Lawley (2008) present fault-tolerant deadlock avoidance algorithms with unreliable resources for assembly and several other manufacturing processes. Reveliotis and Fei (2017) present a supervisory control framework for deadlock avoidance in sequential RASs with resource outages. Feng, Xing, Gao, and Wu (2017) and Liu, Li, Li, and Wu (2018) discuss the deadlock avoidance problem in automated manufacturing systems modeled by PNs with unreliable resources. Li, Hadjicostis, and Sreenivas (2008) consider faults in controllers that are modeled by PNs. The concept of controllability failures was first studied in Raman and Sreenivas (2020), where the authors presented a necessary and sufficient condition for the existence of a supervisor that enforces a desired language specification for a finite-automaton model of the DES.

The rest of the paper is organized as follows. In Section 2, we motivate the fault semantics using an example and formally specify the fault model; we also discuss the relevant notation and definitions. In Section 3, we present the necessary and sufficient conditions for the existence of a fault-tolerant LESP (FT-LESP), which essentially depend on the membership of the initial marking in an appropriately defined set. In Section 4, we prove that the existence of FT-LESPs is undecidable for arbitrary PNs even if an LESP for that initial marking is known. This result is significant as it shows that the complexity of synthesizing an FT-LESP is not solely inherited from the complexity of synthesizing an LESP. In Section 5, we prove that the existence of an FT-LESP is decidable for fully controllable ordinary Free Choice PNs. The decidability comes from the fact that the set of initial markings for which an FT-LESP exists is right-closed for fully controllable ordinary Free Choice PNs. We conclude the paper with some directions for future work in Section 6.

Section snippets

Notations, definitions, and fault-semantics

We use $\mathbb{N}$ ($\mathbb{N}^+$) to denote the set of non-negative (positive) integers. Given two integer-valued vectors $x, y \in \mathbb{N}^k$, we use the notation $x \le y$ if $x_i \le y_i$, and $\max\{x, y\}$ to denote the vector whose $i$th entry is $\max\{x_i, y_i\}$, for all $i \in \{1, 2, \ldots, k\}$. $T^*$ denotes the set of all possible strings that can be constructed from an alphabet $T$.

A Petri net structure $N = (\Pi, T, \Phi, \Gamma)$ is an ordered 4-tuple, where $\Pi = \{p_1, \ldots, p_n\}$ is a set of $n$ places, $T = \{t_1, \ldots, t_m\}$ is a collection of $m$ transitions, $\Phi \subseteq (\Pi \times T) \cup (T \times \Pi)$ is a set of arcs, and $\Gamma : \Phi \to \mathbb{N}$

Preliminary results

Recall that $\Delta(N)$ is the set of initial markings for which a fault-free LESP exists for a PN structure $N$. In the discussion following Definition 1 we noted that an FT-LESP acts like a fault-free LESP before and after every detection of the firing of transitions affected by the fault-event. Therefore, the marking before and after every detection of the firing of affected transitions should belong to a set which satisfies the properties of $\Delta(N)$. Additionally, while discussing the example in Fig. 1, we saw

FT-LESP for arbitrary partially controlled PNs

Theorems 3.1 and 3.2 in Sreenivas (2012) prove that neither the existence nor the nonexistence of an LESP for an arbitrary PN is semidecidable. In light of these theorems, we expect that the existence of an FT-LESP for an arbitrary PN is also undecidable. We prove a stronger result in this section. We work our way through a construction and some related observations to establish that, despite being given an LESP for $N(m^0)$, the existence of an FT-LESP for $N(m^0)$ is undecidable for an arbitrary PN.

FT-LESP for fully controllable ordinary free choice PNs

The main result of this section is that $\Delta^r_k(N)$ is right-closed for a fully controllable ordinary FCPN (O-FCPN). We first prove an intermediate result that the minimally restrictive FT-LESP for a fully controlled O-FCPN will not disable any non-choice transitions. Recall that for an FCPN $N = (\Pi, T, \Phi, \Gamma)$, a transition $t \in T$ is said to be a non-choice (resp. choice) transition if $\{t\} = ({}^{\bullet}t)^{\bullet}$ (resp. if $\{t\} \subsetneq ({}^{\bullet}t)^{\bullet}$).

Let the initial marking $m^0 \in \Delta^r_k(N)$ and consider a marking $m \in \Delta_k(N)$ reached under the

Conclusion

We considered the existence and synthesis of LESPs for arbitrary PNs in the presence of a single fault which renders a subset of controllable transitions temporarily uncontrollable for finite but possibly arbitrarily large number of transition firings. We proved necessary and sufficient conditions for the existence of a Fault-Tolerant LESP (FT-LESP) for an arbitrary PN. We also proved that the existence of an FT-LESP for an arbitrary PN is undecidable and that the undecidability is not

Arun Raman obtained his Ph.D. degree in Systems and Entrepreneurial Engineering at University of Illinois at Urbana–Champaign in August 2020. He is currently a C.V. Raman postdoctoral fellow at the Department of Computer Science and Automation in the Indian Institute of Science, Bengaluru. His research interests lie in the area of classical control, applied mathematics and control of discrete-event systems.

References (29)

  • Giua, A. (1992). Petri nets as discrete event models for supervisory control.
  • Hack, M. H. T. (1976). Decidability questions for Petri nets.
  • Hsieh, F.-S. Reconfigurable fault tolerant deadlock avoidance controller synthesis for assembly production processes.
  • Hsieh, F.-S. (2004). Fault-tolerant deadlock avoidance algorithm for assembly processes. IEEE Transactions on Systems, Man & Cybernetics, Part A (Systems & Humans).
Ramavarapu S. Sreenivas (S’83-M’93-SM’02) received the B.Tech. degree in electrical engineering from the Indian Institute of Technology, Madras, India, in 1985, and the M.S. and Ph.D. degrees in electrical and computer engineering from Carnegie Mellon University, Pittsburgh in 1987 and 1990, respectively. He was a Postdoctoral Fellow in Decision and Control at the Division of Applied Sciences, Harvard University, Cambridge before he joined the University of Illinois at Urbana–Champaign in 1992. He is currently a Professor of Industrial and Enterprise Systems Engineering, Research Professor with the Coordinated Science Laboratory, Information and Trust Institute, and the Center for Autonomy at the University of Illinois. His research interests include modeling, analysis, control and performance evaluation of discrete-event systems.

This work was supported in part by the Office of Naval Research, United States of America under Grant N00014-20-1-2249. The material in this paper was not presented at any conference. This paper was recommended for publication in revised form by Associate Editor Christoforos Hadjicostis under the direction of Editor Christos G. Cassandras.

1 Formerly with Coordinated Science Laboratory, and Industrial and Enterprise Systems Engineering, University of Illinois at Urbana-Champaign.