Vietnam Journal of Computer Science (2018) 5:143–155

https://doi.org/10.1007/s40595-018-0110-3

REGULAR PAPER

Failures in discrete-event systems and dealing with them by means of

Petri nets
František Čapkovič1

Received: 13 July 2017 / Accepted: 10 May 2018 / Published online: 19 May 2018
© The Author(s) 2018

Abstract
An approach based on Petri nets pointing to the manner how to deal with failures in discrete-event systems is presented. It
uses the reachability tree and/or reachability graph of the Petri net-based model of the real system as well as the synthesis of
a supervisor to remove the possible deadlock(s). To illustrate the applicability of the approach to the detection and recovery
of failures in DES modelled by Petri nets the case study on a railroad crossing is introduced.

Keywords Detection · Discrete-event systems · Failure · Modelling · Petri nets · Reachability · Recovery

1 Introduction Error recovery is [12,19,25] the set of actions that must be

A failure can be defined [2,3,10] as a deviation of a sys-
tem from its intended (normal) behaviour. The process of
detecting a potential failure in the system behaviour fol-
lowed by isolating the cause or the source of the failure,
is called the system diagnosis. In the discrete-event systems
(DES) diagnosis, faults may correspond to any discrete event.
Unfortunately, the predisposition of systems to fail increases
with their complexity. The research effort has been spent in
the development of diagnostic systems. It is necessary to dis-
tinguish (according to the manner in which faults are reset
after they occur) [2,14] between permanent and intermit-
tent faults. In case of the permanent fault the recovery event
occurs only due to repairing the controllable and observ-
able fault. In case of the intermittent fault the recovery event
occurs either spontaneously or due to repairing, and such
event has a tendency to be uncontrollable and unobservable.
The fault diagnosability [27] is interested in whether the sys-
tem is diagnosable or not—i.e., in the fact whether the system
can detect the occurrence of the fault in a finite number of
steps or not.
This paper is an expanded version of the paper [5] presented at the
conference ACIIDS 2017, Kanazawa, Japan, April 3–5, 2017.
B František Čapkovič
performed in order to return the system to its normal state.
At least one sequence of actions should exist in order to
bring the system into its normal operation. When there exist
more sequences, the best one is chosen with respect to a
prescribed criterion. Usually it is the sequence of actions
which minimally disorganizes the system.
For systems without failures usage of Petri nets (PN) is
very useful for modelling, analysing and control synthesis.
However, practically any system is not failure-free. Failures
can emerge in any device or software. It is gratifying that PN
can be used [3,7,10,11,15–17,19,21–23,26] also for systems
where failures occur. There failures can be categorized into
hardware failures and software ones. To minimize the hard-
ware failures of devices, it is necessary to timely execute
maintenance of devices, test and/or check as well as timely
replace their components.
To decrease occurrence of software failures, fault-tolerant
software techniques are necessary. Error recovery is possible
only for the so called soft failures [6]. Hard (catastrophic)
failures in systems are classified as functional and/or struc-
tural failures.
Strategies and forms for detection and recovery of system
soft failures are based on the so called error treatment and fail-
ure treatment. The error treatment contains error detection,
damage assessment and error recovery. The failure treatment
includes localization, identification, system repair and con-

[email protected] tinued service. However, the hard failures can be overcome
in most systems by means of redundancy [1].
1 Institute of Informatics, Slovak Academy of Sciences,
Dúbravská cesta 9, 845 07 Bratislava, Slovakia

123
144
Here, in this paper, failures in DES and their recovery
will be examined by means of utilizing Petri nets (PN). DES
are systems discrete by nature. They persist in a steady state
until the occurrence of a discrete event which will cause their
transition into another state. Typical representatives of DES
are discrete manufacturing systems, transport systems, com-
munication systems, etc. PN are frequently used for DES
modelling, analysing and control synthesizing.
1.1 Preliminaries about Petri nets
Petri nets (PN) [8,18,20] are (as to their structure) bipar-
tite directed graphs—i.e., graphs with two kinds of nodes
(places and transitions) and two kinds of edges (arcs directed
from places to transitions and arcs directed contrary)—
P, T , F, G with P ∩ T = ∅ and P ∪ T = ∅ (∅ is the
empty set), where P, |P| = n, is a finite set of places and T ,
|T | = m, is a finite set of transitions; F ⊆ P ×T , G ⊆ T × P
are subsets of the directed arcs. The set B = F ∪ G con-
tains all directed arcs. The so called preset (a set of input
places) of a transition t is defined as ( p) t = { p|( p, t) ∈ B},
while the so called postset (a set of output places) of t is
defined as t ( p) = { p|(t, p) ∈ B}. On the contrary, the pre-
set of a place p (a set of input transitions) is defined as
(t) p = {t|(t, p) ∈ B} while the postset (a set of output
transitions) of p is defined as p (t) = {t|( p, t) ∈ B}. P/T
PN is said to be pure if no self-loops occur in it, i.e., if for
p ∈ P, t ∈ T , {( p, t) ∈ B) ⇒ (t, p) ∈ / B}.
Places model some particular activities or operations of a
modelled DES being a real object (plant). This is expressed
by putting tokens inside the places. Such a marking m is a vec-
tor m : P → Z≥0 (Z≥0 represents positive integers including
0). The marking enables a set of transitions τ ⊆ T . Namely,
∀ p ∈ P, m( p) ≥ | p (t) ∩ τ | (i.e., m( p) is greater than the
number of transitions in τ for which p is the input place
or equal to this number). The enabled transitions may be
(but need not be) fired. After their firing the PN marking is
changed.
As to the marking development (marking propagation can
be understood to be PN dynamics), the PN can be formally
defined as X , U , δ, x0 , where X is a set of PN states, U is
a set of discrete events; δ : X × U → X symbolizes the fact
that the new state of marking depends on existing state and an
occurred discrete event; x0 ∈ X is the initial state of marking.
The state equation (PN model of DES) is as follows:
xk+1 = xk + B · uk , k = 0, 1, . . . , N , (1)
F · uk ≤ xk , (2)
where B = GT − F. It expresses the PN dynamics. Here,
xk = (σ pk1 , . . . , σ pkn )T with entries σ pki ∈ {0, 1, . . . , ∞},
representing the states of particular places, is the PN state
vector in the k-th step of the dynamics development; uk =
123
Vietnam Journal of Computer Science (2018) 5:143–155
(γtk1 , . . . , γtkm )T with entries γ pki ∈ {0, 1}, representing the
states of particular transitions (either enable—when 1, or
disable—when 0) is the control vector; F, GT are incidence
matrices of arcs corresponding, respectively, to the sets F, G
mentioned above.
A firing sequence from the initial state x0 (i.e., from the
initial marking m 0 ) is a sequence of transition sets T =
{τ1 τ2 . . . τk } such that x0 [ τ1 > x1 [ τ2 > x2 > · · · τk >
xk−1 [ τk > xk . The set may be also empty, of course. The
notation x0 [ T denotes that the sequence T can be fired at
x0 and the notation x0 [ T > xk denotes that the firing of T
yields xk .
More than one transition can be fired at any instant. Thus
there are two possibilities (i) to fire more than one transition
at any instant (concurrency assumption); (ii) to fire only one
of them at any instant [no concurrency (NC) assumption].
Under the NC assumption, each τi is a singleton set, and
T is a sequence of transitions. It can also be written that
x0 [ T > xk to denote that firing of T the state xk can be
reached from x0 . In general, the state xk is reachable from x0
if there exists a firing sequence T such that x0 [ T > xk . For
PN the set of reachable state vectors is R(PN, x0 ). All these
vectors create columns of the matrix Xreach .
The PN reachability tree (RT) expresses all states reach-
able from x0 as well as how (by means of firing which
transitions) they can be reached. Thus, the nodes of the RT
are labelled with the actual PN marking (state vectors) and
the arcs are labelled with the transitions between the states.
The RT root is represented by the initial state x0 and the RT
leafs are expressed by the states reachable from x0 . Connect-
ing the leafs with the same name the reachability graph (RG)
arises.
The PN T-invariants and P-invariants [9,13,18] are impor-
tant too, respectively, at diagnosability [16] and supervision
[4] (and subsequently for deadlocks elimination). While T-
invariants restore an initial state, P-invariants ensure the
token preservation. A T-invariant v is a solution of the equa-
tion Bv = 0. A P-invariant y is a solution of the equation
BT y = 0. For any state x reachable from x0 the relation
yT · x = yT · x0 is valid. This fact was utilized at the super-
visor synthesis [4] based on P-invariants.
To express time, we can use timed Petri nets (TPN), where
time is assigned to the transitions as their duration function
D : T → Q≥0 , where Q≥0 symbolizes non-negative rational
numbers.
To illustrate the PN-based approach to the detection and
recovery of failures in DES modelled by PN let us introduce
the following case study.
This paper is an expanded version of the paper [5] pre-
sented at the conference ACIIDS 2017. In comparison with
the conference paper, the part concerning the safety of tech-
nical systems in general was added. Because the introduced
Case Study concerns the accident on a railroad crossing, cer-
Vietnam Journal of Computer Science (2018) 5:143–155
Fig. 1 The illustrative examples of such accidents
tain illustrations of formidable effects of such accidents were
introduced. Also the passage concerning the supervisor syn-
thesis was modified, to be more comprehensible to readers.
2 Safety of technical systems
The safety of different kind of technical systems is very
important. Especially, in case of the systems where the human
life is endangered. From this point of view the transport sys-
tems belong to the systems where the human life is often
endangered. At present, man is directly endangered at the
contact with the transport systems during whole day. The
mass transport is dangerous not only for the road user(s) who
are crossing a road as pedestrian(s) but also for car drivers and
their travel companion. For example the car collisions occur
very frequently. Likewise, collisions on railroad crossings are
not unusual. Only in such small country like Slovakia, tragic
collisions between cars and/or trucks with trains occur prac-
tically every month—see e.g., Fig. 1. The train having a many
times bigger mass, speed and consequently, also dynamics,
destroys not only human lives (being inside of the road vehi-
cles and the train) but also the vehicles and some times also
the train itself ends completely destroyed.
145
During last several years such collisions caused many
casualties—130 human lives and huge material damages.
Consequently, it is necessary to be concerned with such prob-
lems and to find possibilities how to improve security in
that area. Also PN can help along this line. Of course, it
is impossible to anticipate failures caused by people them-
selves. The failures due to the human behaviour like the
absent-mindedness, willful and wanton acts of law breaking,
infringement of traffic regulations, etc., cannot be removed
simply. To prevent the bad habits the education or training, in
extreme cases a punishment, are necessary. Only right way
to the improvement of the safety of systems is to increase
the reliability of the software and equipment. The following
simple case study on railroad crossing offers the approach
how to do this in such a case.
2.1 Case study on simple railroad crossing
Consider the simple railroad crossing where the railroad
crossing gate prevents a direct contact of vehicles on the
road with trains. The PN model of such system consists of
three cooperating sub-models expressing in Fig. 2(left) the
behaviour of the train, crossing gate and control system. Here,
the sense of the places in the failure-free case is the following:
(i) the train has the states: p1 = approaching to the cross-
123
146 Vietnam Journal of Computer Science (2018) 5:143–155

Fig. 2 The PN model of the failure-free case together with its RT (left) and the PN model with three potential failures (right)

ing, p2 = being before the crossing, p3 = being within the gate is mechanically damaged), and t f5 represents a control
crossing, p4 = being after the crossing; (ii) the barrier of the system failure (when an illegitimate signal occurs).
crossing gate has the states: p11 = it is up, p12 = it is down. It is practically impossible to recover the human fail-
The transitions t6 and t7 model, respectively, the events of ure of the engine-driver. Likewise, the technical problem in
raising and lowering the barrier; (iii) the control system has the crossing gate caused by a wrong function of the bar-
the states: p5 , p6 , p7 , p8 , p9 , p10 ; (iv) the place p13 repre- rier raising/lowering can be hardly recovered. However, the
sents the interlock giving the warning signal for the train that erroneous function of the control system can be detected and
the barrier is still up. The reachable states xi , i = 0, . . . , 7 recovered. Consequently, let us consider in Fig. 2(right) only
(RT/RG nodes Ni+1 ), of the failure-free system are expressed the failure represented by t f5 and neglect the failures repre-
as the rows of the following matrix sented by the transitions t f2 and t f6 . Then the coverability
tree and graph are given in Fig. 3. The reachable states of
1 0 0 0 0 1 0 00 0 1 0 0
 
this model (nodes of the RT/RG) are given as the columns of
0 1 0 0 1 1 0 00 0 1 0 0 the following matrix, where
 
0 1 0 0 0 0 1 01 0 1 0 0
 
T
0 1 0 0 0 0 1 00 0 0 1 1
Xreach =
0
 (3) 
1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

0 1 0 0 0 1 00 0 0 1 0

0
 0 1 0 1 1 1 1 0 1 1 0 0 0 1 0 0 0 0 0 0 0 0
0 0 1 0 0 1 10 0 0 1 0 
0


0
 0 0 0 0 0 0 1 0 0 0 1 1 0 0 0 0 1 0 0 0 0
0 0 1 0 1 0 00 1 0 1 0 
0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 1 1 0 1 1 1 1

0 0 0 1 0 1 0 00 0 1 0 0 
0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

 
1 1 1 0 1 0 0 0 0 0 0 0 0 0 1 0 0 0 1 1 0 1
The RT is displayed just by the failure-free PN model in
 
Xreach 0
= 0 0 1 0 1 1 1 1 1 1 1 1 1 0 1 1 1 0 0 1 0
Fig. 2. It is simple, without any branching. 0
 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 1 0 0 0 1 0
However, there can occur three potential failures, one in 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 
1 1 ω 1 ω 1 ω 1 0 ω 1 0 ω ω 2 0 ω ω 1 ω ω ω
each subsystem. They are expressed by means of the failure  
1 1 1 1 1 0 1 0 1 0 0 1 0 1 0 1 0 1 1 0 1 1
transitions t f2 , t f5 , t f6 given in Fig. 2 (right). The transition 
0

0 0 0 0 1 0 1 0 1 1 0 1 0 1 0 1 0 0 1 0 0
t f2 takes a token from p2 and puts a token into p3 out of
0 0 0 0 0 1 0 0 1 1 0 0 0 1 0 0 0 0 0 0 0 0
the correct sequence, t f6 does the same for p12 and p11 ,
(4)
and t f5 involves an erroneous generation of a token in pl0
which directly influences the position of the barrier. Thus,
t f2 represents a human failure (when the engine-driver omits It can be seen that at the infinity number of t f5 occurrences,
or ignores the warning signal), t f6 expresses the failure of the one half of the 22 states have the self-loops (see Fig. 3 right)
crossing gate (when a premature gate raising occurs or the which are expressed by the symbol ω.

123
Vietnam Journal of Computer Science (2018) 5:143–155 147

Fig. 3 The coverability tree (left) and coverability graph (right) of the PN model with t f5 at the infinite number of possible occurrences of the
failure

In order to generate only the finite number of the failure

t f5 occurrences, the place p14 was added to the previous 13
places—see Fig. 4. In general, the failure can occur more
times. The more times the failure occurs, the more compli-
cated will be the structure and dimensionality of RT (RG).
Therefore, here we will suppose its occurrence only once as
displayed in Fig. 4 in order to demonstrate how to deal with
the failure. In case of more failures such process will be more
complicated. The model parameters are

 
1 0 0 0 0 0 0 0 00
0 1 0 0 0 0 0 0 0 0
 
0 0 1 0 0 0 0 0 0 0
 
0 0 0 0 0 0 0 0 0 0
 
0 0 0 1 0 0 0 0 0 0
 
0 0 0 1 0 0 0 0 0 0
 
0 0 0 0 1 0 0 0 0 1
 
F= ;
0 0 0 0 1 0 0 0 0 0
0 0 0 0 0 0 1 0 0 0
 
 
0 0 0 0 0 1 0 0 1 0
  Fig. 4 The PN model of the system with the failure represented by t f5
0 0 0 0 0 0 1 0 1 1
 
0 0 0 0 0 1 0 0 0 0
 
0 1 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 1 00

123
148 Vietnam Journal of Computer Science (2018) 5:143–155

Fig. 5 The RT of the system

with the finite number (namely
only once in this case) of
possible occurrences of the
failure represented by t f5 (left)
and the corresponding RG
(right)

   
0 0 0 0 0 0 0 0 00 1  
1 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0000
0 0 0 0 0 0 0 0 0 0
0

0
   1 0 1 1 1 1 0 1 0 0 1 0 0 0 0 0 0 0
1 0 0 0 0 0 0 0 0 0 
0


0
   0 0 0 0 0 0 1 0 0 1 0 0 0 1 0 0 0 0
0 1 0 0 0 0 0 0 0
 0 
0


1
  0 0 0 0 0 0 0 0 1 0 0 1 1 0 1 1 1 1
0 0 0 0 0 0 0 0 0 0
  
   0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 1 0 0 0 0 0
 1  
   1 1 1 0 1 0 0 0 0 0 0 0 1 0 0 1 1 0 1
0 0 0 1 0 0 0 0 0 1 0
     
T
G =  ; x0 =   . (5) 0 0 0 1 0 1 1 1 1 1 1 1 0 1 1 0 0 1 0
 
0 0 1 0 0 0 0 0 0 0 0 Xr each = (6)
0 0 0 0 0 0 0 0 0 1 0 0 0 1 0 0 0 1 0

0 0 0 1 0 0 0 0 0 0 0
   
0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0
 
   
0 0 0 0 1 0 0 1 0 0 0  
    0 0 1 0 1 0 1 0 1 0 1 0 1 1 0 0 2 0 1
0 0 0 0 0 1 0 0 1 0 1  
    1 1 1 1 1 0 1 0 0 0 0 1 0 0 1 1 0 1 1
0 0 0 0 0 0 1 0 0 1 0  
    0 0 0 0 0 1 0 1 1 1 1 0 1 1 0 0 1 0 0
0 0 0 0 0 0 1 0 00  0  
0 0 0 0 0 1 0 0 1 0 0 1 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 00 1
1 1 0 1 0 1 0 1 0 1 0 0 1 0 0 1000
Then, RT and RG of the failed system are given in Fig. 5.
The RT has 19 nodes. However, with the accruing number
It can be seen that the number of states as well as the RT/RG
of occurrences of the failure, the RT/RG dimensionality and
structure are completely different in comparison with RT
complexity escalate. When σ p14 = 2 RT has 30 nodes, when
of the failure-free system in Fig. 2. Namely, the branching
σ p14 = 5 RT has 63 nodes, when σ p14 = 10 RT has 118
occurs here. The states (nodes of the RT/RG) are the columns
nodes, etc. Although the procedure of RT computation is the
of the matrix Xreach .
same, computational time correspondingly increases.
To detect and recover the failure(s) we have to distinguish
whether the barrier is down or up. When the train is approach-
ing, in the standard situation (without any failure) the barrier
is down. However, in the non-standard situation (when the
failure t f5 occurs) the barrier is going up. This is very dan-

123
Vietnam Journal of Computer Science (2018) 5:143–155 149

 
1 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 1 0 1 1 0 1 1 1 1 0 1 1 1 0 0 1 1 1 0 0 0 0 0 0 0 0 0 0 0
 
0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 0 0 0 1 1 0 0 0 0 0 0 0
 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 1 0 0 1 1 1 1 1 1 1
 
0 1 0 0 1 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 
1 1 1 0 1 1 0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 0 0 1 1 0 0 1 1 1
 
0 0 0 1 0 0 1 1 1 0 1 1 1 1 1 1 1 1 1 0 1 1 1 0 0 1 1 0 0 0
 
Xreach =
0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 0 1 1 0 0 0

 
0 0 0 1 0 0 0 1 1 0 0 0 1 1 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0
 
0 0 1 0 1 0 0 1 0 0 0 1 1 0 0 1 0 0 0 1 1 0 0 0 2 0 0 1 1 0
 
1 1 1 1 1 1 0 1 0 1 0 0 0 1 0 0 1 0 0 0 0 1 0 1 0 1 0 1 0 1
 
0 0 0 0 0 0 1 0 1 0 1 1 1 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0
 
0 0 0 0 0 0 1 0 0 0 0 1 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0
1 1 0 1 0 0 1 0 1 0 1 0 0 0 1 0 0 0 0 1 0 0 0 1 0 0 0 0 0 0
(7)

The RT and RG of the recovered system are given in Fig. 7.

But the deadlock N19 (x18 ) occurs there.

2.2 Supervisor synthesis for deadlock(s) elimination

A general approach to the supervisor synthesis based on

P-invariants of PN was presented in [4]. Suitable linear
combinations of entries of the state vector x (i.e., L.x) are
restricted by means of entries of the constant vector b, i.e.,
n s ×n
L.x ≤ b, L ∈ Z≥0 , b ∈ Zn≥0
s ×1
. Then, in a nutshell, the
supervisor synthesis is as follows. Remove the inequality by
Fig. 6 The PN model of the final recovered system
adding the vector xs of the so called slacks, i.e.,

gerous situation, critical as to safety. To detect the failure it L.x ≤ b, (8)

is necessary to have redundant information. It must be con- L.x + Is .xs = b, (9)
tained in the control system itself. Because p6 and p7 in the
control system correspond to p11 and p12 in the real cross- where Is is the (s × s)-dimensional identity matrix. Now
ing gate, the failure is detected by checking if p7 and p11 suppose that Y is a matrix of invariants of the extended PN
are active simultaneously. If yes, there exists a contradiction model (the model of the plant and the supervisor together).
between the real (i.e., fault) situation and standard one. After Then
detecting the failure a kind of recovery can be applied. It
depends on which case is accepted as the true state. When it YT .(BT BsT )T = 0. (10)
is supposed that the barrier is up and drops down the recovery
is realized by means of tr1 . The PN model of the recovered Let us define
system is given in Fig. 6.
More detailed analysis is possible by means of the RT YT  (L Is ). (11)
and/or RG in Fig. 7 using information about the nodes given
in the matrix given by the relation (7). When the barrier is up After multiplying the matrices in (10), we obtain
and none train is approaching, the situation is considerably
simpler. Namely, by virtue of tr2 the fail signal p10 from the L.B + Is · Bs = 0, (12)
control system and the activity of p11 guarantee that the fail Bs = − L · B = GsT − Fs . (13)
signal can be practically ignored.
It has 30 states being the columns of the following matrix: The initial state vector of the supervisor follows from (9) in
the form

x0s = b − L.x0 . (14)

Bs is the supervisor structure and x0s is its initial state, Fs , Gs

are the incidence matrices of the supervisor. Consequently,
s B = (BT BT )T is the structure of the supervised system
s

123
150 Vietnam Journal of Computer Science (2018) 5:143–155

Fig. 7 The RT of the recovered system (left) and the corresponding RG (right)

(i.e., original system plus supervisor) and s x0 = (x0T (x0s )T )T

is its initial state.
Let us deal with the deadlock state x18 by means of syn-
thesizing a suitable supervisor. Because the deadlock state is
N19 , i.e., x18 = (0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0)T ,
we have to avoid its activation.
Consider L = (0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0)
and b = 3, i.e., at most three of p2 , p7 , p9 , p12 can be
active together. Then, the supervisor structure is given as
Bs = (− 1, 1, 0, − 2, 1, 1, 0, 0, 0, − 1). After the break-
up of Bs the incidence matrices of arcs are acquired. Fs =
(1, 0, 0, 2, 0, 0, 0, 0, 0, 1) and GsT = (0, 1, 0, 0, 1, 1,
0, 0, 0, 0). The initial state of the supervisor is s x0 = 3−0 =
3. The supervisor is incorporated into the PN model of the
recovered system given in Fig. 6. Consequently, the form of
the PN model is changed into the form given in Fig. 8. Its RT
and RG are in Fig. 9. The reachable states of the deadlock-
free recovered system are given as the columns of the matrix:

Fig. 8 The PN model of the system with the recovered failure and the
deadlock removed by means of the supervisor

123
Vietnam Journal of Computer Science (2018) 5:143–155 151

Fig. 9 The RT of the recovered system with removed deadlock by means of the supervisor (left) and the corresponding RG (right)


1 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 th parameter concerns tr1 . Simulation in Matlab by means of
0
 1 0 1 1 0 1 1 1 0 1 1 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 the tool HYPENS [24] brings the results given in Figs. 10,
0 0 0 0 0 0 0 0 0 1 0 0 0 1 0 0 0 0 1 1 0 0 0 0 0 0 0
  11 and 12. Till now the deterministic timing of all transitions
0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 1 0 0 1 1 1 1 1 1 1

0
 was used, including t f5 . To make sure that non-deterministic
1 0 0 1 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
timing of t f5 does not affect the results, consider for t f5 the
 
1 1 1 0 1 1 0 0 1 0 0 0 0 0 0 0 1 0 0 0 1 1 0 0 1 1 1
discrete uniform probability distribution of timing: u f x =
 
0 0 0 1 0 0 1 1 0 1 1 1 1 1 1 1 0 1 1 1 0 0 1 1 0 0 0
 
s
Xreach = 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 0 0 1 1 0 0 0 1/(b − a) if x ∈ (a, b), otherwise x = 0. Test two cases: (i)
 
0 0 0 1 0 0 0 1 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 
  a = 0.1, b = 1.2; (ii) a = 0.3, b = 0.7. The results are
0 0 1 0 1 0 0 1 0 0 1 0 0 1 0 0 1 1 0 0 0 2 0 0 1 1 0

1 1 1 1 1 1 0 1 1 0 0 1 0 0 1 0 0 0 1 0 1 0 1 0 1 0 1
 introduced in Fig.13.

0 0 0 0 0 0 1 0 0 1 1 0 1 1 0 1 1 1 0 1 0 1 0 1 0 1 0

As it can be seen, only the time instant of the failure
 
0
 0 0 0 0 0 1 0 0 0 1 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 incidence represented by t f5 manifests itself in marking of
1 1 0 1 0 0 1 0 0 1 0 0 1 0 0 0 1 0 0 0 1 0 0 0 0 0 0 p10 —compare both pictures in Fig.13 each other and both
3 2 3 0 2 3 0 0 2 1 0 0 1 1 1 0 2 1 2 1 3 2 2 1 3 2 3
of them with the corresponding part Fig.11 containing p10 .
(15) Courses of marking of all other places stay unchanged.

2.3 Time views on results

To give an image about time relations let us use TPN with time 3 Conclusion
parameters of the transitions (delays in a time unit) defined
by D = 0.2 × (1, 1, 1, 1, 1, 2, 2, 0.1, 0.05, 0.05), where The PN-based approach to dealing with failures in DES was
first 7 parameters concerns transitions t1 − t7 , 8-th parameter presented. It is based on utilizing RT/RG of the PN-based
is assigned to t f5 , 9-th parameter concerns tr2 and finally 10- model of DES. Moreover, the elimination of deadlock(s) by

123
152
Fig. 10 The courses of marking the places p1 − p4 wrt. (with respect to) time
means of supervision (synthesizing of the suitable super-
visor) based on P-invariants of PN, introduced in [4], was
utilized.
The presented approach consists of the following steps: (i)
creating the PN model of the investigated kind of DES; (ii)
finding its behaviour in the standard (failure-free) situation;
(iii) analysing the model with respect to possible failures
(in general, each system has its specificity and it is practi-
cally impossible to find a unified approach for all systems);
(iv) selecting the failures which can be successfully recov-
ered (because there are different kinds of failures and some
of them cannot be recovered—e.g., human failures of the
engine-driver or a mechanical problem in the crossing gate);
(v) finding the structure of the recovered PN model; (vi) test-
ing its behaviour with respect to deadlocks; (vii) removing
deadlocks and finding the deadlock-free PN model.
PN were used in all of the steps. They make possible to
create the uniform model of a system and compute its RT/RG.
However, in different systems different states can fail. Hence,
123
Vietnam Journal of Computer Science (2018) 5:143–155
the model recovering process is individual. As to the compu-
tational complexity of the approach, it corresponds especially
to that of computing RT, that depends on the structure of the
PN model in question.
To illustrate the soundness of the procedure, the case study
on the simple railroad crossing was introduced. Finally, the
deadlock-free recovery model was found. It is necessary to
emphasize that there are also the failures in DES which can-
not be recovered by means of the procedure. They depend on
human failures, bad properties and mistakes and/or on bad
technical state of devices. They must be precluded either by
means of the better preparation of human operators and/or
by means of better executing maintenance of devices, their
routine testing and/or checking, early replacing their compo-
nents, etc.
In future a possibility of generalization of the recovery
process by means of PN will be investigated.
Vietnam Journal of Computer Science (2018) 5:143–155 153

Fig. 11 The courses of marking the places p5 − p12 wrt. time. The marking of p10 is directly influenced by t f5 (i.e., by a failure)

123
154 Vietnam Journal of Computer Science (2018) 5:143–155

Fig. 12 The courses of marking the places p13 − p15 wrt. time. The place p15 expresses the state (marking) of the supervisor

Fig. 13 The courses of marking the place p10 in the case (i) the left picture, and in the case (ii) the right picture

Acknowledgements The research was partially supported by the Slo- to the original author(s) and the source, provide a link to the Creative
vak Grant Agency for Science VEGA under Grant # 2/0029/17. The Commons license, and indicate if changes were made.
author thanks VEGA for the support.

Open Access This article is distributed under the terms of the Creative
Commons Attribution 4.0 International License (http://creativecomm
ons.org/licenses/by/4.0/), which permits unrestricted use, distribution,
and reproduction in any medium, provided you give appropriate credit

123
Vietnam Journal of Computer Science (2018) 5:143–155
References
1. Bernardi, S. et al.: Model-driven availability evaluation of railway
control systems. In: Proceedings of 30th International Conference
on Computer Safety, Reliability and Security—SAFECOMP 2011,
Naples, Italy. LNCS vol. 6894, pp. 15–28, Springer (2011)
2. Cabasino, M.P., Giua, A., Pocci, M., Seatzu, C.: Discrete event
diagnosis using labeled Petri nets. An application to manufacturing
systems. Control Eng. Pract. 19(9), 989–1001 (2011)
3. Cabasino, M.P., Giua, A., Lafortune, S., Seatzu, C.: New approach
for diagnosability analysis of Petri nets using verifier nets. IEEE
Trans. Autom. Control 57(12), 3104–3117 (2012)
4. Čapkovič, F.: Petri net-based synthesis of agent cooperation by
means of modularity and supervision principles. In: Dimirovski,
G.M. (ed.) Complex Systems. Relationships Between Control,
Communications and Computing, Chapter 20, Springer Series:
Studies in Systems, Decision and Control, pp. 429–450. Springer,
Cham (2016)
5. Čapkovič, F.: Failures in discrete event systems and dealing with
them by means of Petri nets. In: Nguyen, N.T., et al. (eds.) ACIIDS
2017, Part I, LNAI 10191, pp. 379–391. Springer, Cham (2017)
6. Chang, S.J., DiCesare, F., Goldbogen, G.: Failure propagation trees
for diagnosis in manufacturing systems. IEEE Trans. SMC 21(4),
767–776 (1991)
7. Chung, S., Wu, C., Jeng, M.: Failure diagnosis: a case study on
modeling and analysis by Petri nets. In: Proceedings of IEEE Inter-
national Conference on Systems, Man & Cybernetics, Washington,
DC, 5–8 October 2003, pp. 2727–2732 (2003)
8. Desel, J., Reisig, W.: Place/transition Petri nets. In: Reisig, W.,
Rozenberg, G. (eds.) Lectures on Petri Nets I: Basic Models.
Advances in Petri Nets, LNCS, vol. 1491, pp. 122–173. Springer,
Heidelberg (1998)
9. Desel, J., Esparza, J.: Free Choice Petri Nets. Cambridge Tracts
in Theoretical Computer Science, vol. 40. Cambridge University
Press, Cambridge (1995)
10. Fanni, A., Giua, A., Sanna, N.: Control and error recovery of Petri
net models with event observers. In: Proceeding of Second Inter-
national Workshop on Manufacturing and Petri Nets, Toulouse,
France, pp. 53–68 (1997)
11. Giua, A.: State estimation and fault detection using Petri nets.
In: Kristensen, L.M. and Petrucci, L. (Eds.): Proceedings of 32nd
International Conference on Applications and Theory of Petri Nets
2011, Newcastle, UK, June 20–24, 2011. Lecture Notes in Com-
puter Science, vol. 6709, pp. 419–428, Springer, New York (2011)
12. Guo, Z. et al: Failure recovery: when the cure is worse than the dis-
ease. In: Proceedings of 14th Workshop on Hot Topics in Operating
Systems, Santa Ana Pueblo, New Mexico, USA, May 13–15 2013,
USENIX, Berkeley. https://www.usenix.org/conference/hotos13/
failure-recovery-when-cure-worse-disease (2013)
13. Haar, S.: Types of Asynchronous Diagnosability and the Reveals-
Relation in Occurrence Nets. Research Report RR-6902. INRIA,
Rennes (2009)
14. Huang, Z., Chandra, V., Jiang, S., Kumar, R.: Modeling discrete
event systems with faults using a rules based modeling formalism.
Math. Comput. Model. Dyn. Syst. 9(3), 233–254 (2003)
155
15. Leveson, N.G., Stolzy, J.L.: Safety analysis using Petri nets. IEEE
Trans. Softw. Eng. SE–13(3), 386–397 (1987)
16. Li, B., Khlif-Bouassida, M., Toguyéni, A.: On-the-Fly Diag-
nosability Analysis of Labeled Petri Nets Using T-invariants.
IFAC-Papers OnLine 48-7, pp. 064–070. Elsevier, Amsterdam
(2015)
17. Liu, B.: An Efficient Approach for Diagnosability and Diagnosis of
DES Based on Labeled Petri Nets—Untimed and Timed Contexts.
Ph.D. Thesis, Laboratoire d’ Automatique, Génie Informatique et
Signal, École Centrale de Lille, Lille (2014)
18. Murata, T.: Petri nets: properties, analysis and applications. Proc.
IEEE 77, 541–580 (1989)
19. Odrey, N.G.: Error recovery in production systems: a Petri net based
intelligent system approach. In: Kordic, V. (ed.) Petri Net,Theory
and Applications, pp. 302–336. I-Tech Education and Publishing,
Vienna (2008)
20. Peterson, J.L.: Petri Net Theory and the Modeling of Systems.
Prentice-Hall Inc., Englewood Cliffs (1981)
21. Ramaswamy, S., Valavanis, K.P.: Modeling, analysis and simula-
tion of failures in a materials handling system with extended Petri
nets. IEEE Trans. Syst. Man Cybern. 24(9), 1358–1373 (1994)
22. Ramírez-Treviño, A., Ruiz-Beltrán, A.E., Rivera-Rangel, I.,
López-Mellado, E.: Online fault diagnosis of discrete event sys-
tems. A Petri net-based approach. IEEE Trans. Autom. Sci. Eng.
4(1), 31–39 (2007)
23. Ramírez-Treviño, A., Ruiz-Beltrán, A.E., Arámburo-Lizárraga, J.,
López-Mellado, E.: Structural diagnosability of DES and design
of reduced Petri net diagnosers. IEEE Trans. Syst. Man Cybern. A
42(2), 416–429 (2012)
24. Sessego, F., Giua, A., Seatzu, C.: HYPENS: a matlab tool for timed
discrete, continuous and hybrid petri nets. In: van Hee, K.M., Valk,
R. (eds.) Applications and Theory of Petri Nets, LNCS, vol. 5062,
pp. 419–428. Springer, New York (2008)
25. Urban, S.D. et al.: The assurance point model for consistency and
recovery in service composition. In: Innovations, Standards and
Practices of Web Services: Emerging Research Topics, Chapter
12, pp. 250–287, IGI Global (2012)
26. Wen, Y., Jeng, M.: Diagnosability analysis based on T-invariants of
Petri nets. In: Proceedings of 2005 IEEE International Conference
on Networking, Sensing and Control, March 2005, pp. 371–376
(2005)
27. Zaytoon, J., Lafortune, S.: Overview of fault diagnosis methods for
discrete event systems. Annu. Rev. Control 37, 308–320 (2013)
Publisher’s Note Springer Nature remains neutral with regard to juris-
dictional claims in published maps and institutional affiliations.
123