Available online at www.sciencedirect.

com

Procedia Technology 7 (2013) 257 – 264

The 2013 Iberoamerican Conference on Electronics Engineering and Computer Science

Synthesis of fault recovery sequences in a class of controlled discrete

event systems modelled with Petri nets
Alberto Lutz-Leya, Ernesto López Melladoa*
a
CINVESTAV Unidad Guadalajara Av. Del Bosque 1145, Col El Bajío 45019 Zapopan, Mexico

Abstract

In this paper a fault recovery method for controlled discrete event systems is presented. It focuses on systems that are modeled by a class
on Interpreted Petri nets which describes modularly the controller, the plant components, and the closed loop relationship. First, the notion
of fault recovery is introduced, which is based on the state stability property. Then, a class of output tracking closed-loop model is
described. Afterwards, a method for the synthesis of fault tolerant controllers based on the augmenting of the existing specification is
proposed and illustrated with a case study from the manufacturing area.
© 2013 The Authors. Published by Elsevier Ltd.
© 2013 Published by Elsevier Ltd.
Selection and peer-review under responsibility of CIIECC 2013
Keywords: Discrete event systems; Stability analysis; Petri nets; Fault Tolerance; Fault Recovery; Closed-loop controller.

1 Introduction

On very recent years, the size and complexity of man-made systems namely computer networking protocols and automated
manufacturing processes has been increasing at a very fast pace. Also, the importance of a robust implementation of those
systems has become crucial for many aspects of our current lives. As technology advances, we are being increasingly
surrounded by autonomous systems whose correct operation has a great influence on fundamental aspects like our own
safety, or the huge losses related to manufacturing downtimes.
In particular, the issue of developing systems that behave predictably and correctly under the occurrence of undesired and
unavoidable events is of high importance. However, the size and complexity of current information systems has made this
objective difficult and costly to reach, both in time and resources. For these reasons, we are interested in providing the
systems the ability to recover from faults.
This ability has been studied first by E.W. Dijkstra [1], who introduced the concept of self-stabilization, which has been
proved to be a formal and unifying approach to fault tolerance analysis. This work motivated research on fault tolerance on
computer sciences [2][3][4] and automatic control [5][6] communities.
Among these papers, a method for stabilization of discrete event systems was presented in [5]. The objective was to find a
control law to guarantee convergence to a so-called legal state in a finite number of steps on a finite automata (FA) model.
However, it neither considers that the control should enforce some plant behaviour in addition to stabilization, nor takes into

* Corresponding author. Tel.: +52-33-3777-3600; fax: +52-33-3777-3609.

E-mail address: [email protected].

2212-0173 © 2013 The Authors. Published by Elsevier Ltd.

Selection and peer-review under responsibility of CIIECC 2013
doi:10.1016/j.protcy.2013.04.032
258 Alberto Lutz-Ley and Ernesto López Mellado / Procedia Technology 7 (2013) 257 – 264

account the type of events (normal or abnormal).

Recently, a similar approach was presented in [7][8][9]. While being also for FA, this work considered that the plant must
comply with a specification in addition to state stability. Also, this work does not consider the uncertainty of event
occurrence.
In [10] the recoverability property was presented as a notion based on state stability. In order to look at event uncertainty it
considers a distinction between normal and exceptional events like in [11]. Proposals in [12][13] tackle the issue of fault
diagnosis on a class of Petri nets.
In [14][15][16] and [17]-[19] the recovery problem is addressed through a controller reconfiguration approach for FA.
Two operating modes (normal and degraded) are considered in [14][15][16]. Particularly, in [15][16] the authors proposed
an integrated diagnostic/recovery architecture. The work presented in [17]-[19] approaches the problem relying on system
redundancy. All of those proposals consider permanent faults that effectively limit system behaviour.
In this paper, we are interested in faults that do not hinder the plant behaviour; in other words, the plant is still capable of
complying with the nominal specification after fault occurrence. Our proposal is to augment the specification of an already
controlled system in order to handle unavoidable events. Particularly, we consider closed loop systems modelled with a
class of Petri nets (PN). PN have an advantage over FA in terms of system representation, in the sense that they can
represent the same behaviour with a more compact and clear model, especially when concurrent tasks are dealt. Our
proposal is based on concepts of [10], thus it also takes into account event uncertainty.
The remaining of this paper is now outlined. Section II presents basic PN concepts. In section III the notion of fault
recovery is presented. A class of closed loop systems modeled as Petri nets is described at section IV. Then, a method for
synthesizing recovery sequences is presented at section V. Finally, concluding remarks are given and future work is stated.

2 Background

In this section basic notions and notation on PN and interpreted PN are overviewed.
Definition 1: An ordinary PN structure G is a bipartite digraph represented by the 4-tuple G = (P, T, I, O) where: P = {p1,
p2, ..., p|P|} and T = {t1, t2, ..., t|T|} are finite sets of vertices named places and transitions respectively; I(O) : P × T {0,1}
is a function representing the arcs going from places to transitions (from transitions to places).
The incidence matrix of G is C = C+ C , where C = [cij ]; cij = I(pi, tj); and C+ = [cij+]; cij+ = O(pi, tj) are the pre-
incidence and post-incidence matrices respectively.
A marking function M : P Z+ represents the number of tokens residing inside each place; it is usually expressed as an
|P|-entry vector. Z+ is the set of nonnegative integers.
Definition 2: A Petri Net system or Petri Net (PN) is the pair N = (G,M0), where G is a PN structure and M0 is an initial
marking.
In a PN system, a transition tj is enabled at marking Mk if pi P, Mk(pi ) I(pi, tj); an enabled transition tj can be fired
reaching a new marking Mk+1 which can be computed as Mk+1 = Mk + Cvk, where vk(i) = 0, i vk(j) = 1, this equation is
called the PN state equation. The reachability set of a PN is the set of all possible reachable markings from M0 firing only
enabled transitions; this set is denoted by R(G,M0). A PN is called safe if Mk R(G, M0), pi P, Mk(pi) 1.
Now IPN is defined, an extension to PN that allows associating input and output signals to PN models.
Definition 3: An Interpreted Petri Net (IPN) (Q, M0) is a net structure Q = (G, , , , ) with an initial marking M0, where
G is a PN structure, = { 1, 2, ..., r} is the alphabet of input symbols i , = { 1, 2,..., q} is the alphabet of output
symbols i, : T { } is a labeling function of transitions with the following constraint: tj,tk T, j pi I(pi,tj) =
I(pi,tk) (tj) , (tk) , then (tj) (tk); represents a system internal event externally uncontrollable. :
R(Q,M0) {0,1}q is an output function, that associates to each marking in R(Q,M0) a q-entry output vector; q is the number
of outputs. is represented by a q×n matrix (where n =|P|), in which if the output symbol i is present (turned on) every
time that M(pj) (i,j)=1, otherwise (i,j)=0.
If a transition tj T of an IPN is enabled at marking Mk, there are two possibilities: a) If (tj) = i is provided to the
system then tj can be fired. b) If (tj) = and tj is enabled then tj must be fired. When an enabled transition tj is fired in a
marking Mk, then a new marking Mk+1 is reached. This behavior is represented as ; Mk+1 can be computed using
the state equation given above and complemented with the output function: yk = Mk, where yk (Z +)q is the k-th output
vector (or marking projection) of the IPN.
According to functions and , transitions and places of an IPN (Q,M0) can be classified as follows.
Definition 4: If (ti) the transition ti is said to be controllable. Otherwise it is uncontrollable. A place pi P is said to be
measurable if the i-th column vector of is not null, i.e. ( ,i) n-measurable. P = Pm Pu where Pm is
u
the set of measurable places and P is the set of non-measurable places.
 Alberto Lutz-Ley and Ernesto López Mellado / Procedia Technology 7 (2013) 257 – 264 259

3 Recoverability analysis of Petri net models

In the occurrence of non-prevented events that detour the operation out of a given subset E of system states representing an
expected behaviour, it is important to know if it is guaranteed that the system would eventually return to the expected
behaviour.

3.1 Stability analysis

We understand fault recovery as a notion largely based on state stability, which has been studied in [5] for Discrete Event
systems (DES) modelled with finite state automata. It is assumed that there is a predefined set of “good” system states E,
such that, starting from these states and in the absence of errors or anomalous events, only desired event sequences are
possible. A given state X is said to be stable if it does not exist a cycle of states, reachable from X, that does not have at
least one state in E. A system is stable if every state in the system is stable. In this way, if errors or anomalous events are not
very common, the system would exhibit legal behaviour most of the time. For that reason, state stability has been used to
characterize fault tolerance/recovery.
On the issue of verifying fault tolerance of a system, we proposed a further condition in addition to the stability property
[10] related to the nature of the events required to occur in a recovery sequence. That is, if we consider that certain events
do not occur as a part of the normal system behaviour (exceptions or faults), and one of those events is required to occur in a
recovery sequence, even if a given state is stable it is not guaranteed that the system can go back to the nominal behaviour.
In the next subsections, notions of state-stability and fault recovery are presented for PN-modelled systems.

3.2 Stability and fault recovery of PN models.

The state stability notion for DES modelled as PN is now presented. The expected behaviour is represented then by a set of
markings, which can be leaved when an unexpected event occurs.
Definition 5. Let (Q, M0) be an IPN system, and let E R(Q, M0) be the set of expected markings. A marking M R(Q,
M0) is stable w.r.t. E if M is guaranteed to eventually reach at least one Me E by the firing of a finite length transition
sequence. The system (Q, M0 ) is stable w.r.t. E iff Mk R(Q, M0), Mk is stable w.r.t. E.
The stability notion, as it was stated, is clearly not enough to guarantee that the states in E can be reached. Thus, a more
detailed analysis must be done regarding the nature of events. For this purpose, it is useful to distinguish between events that
are expected to occur normally during the system operation (normal events: n) and events appearing rarely, e.g. faults
(abnormal events: an ) in the behaviour of the system; then an= \ n. All the controllable events are normal; thus in
general, an u where u includes the uncontrollable events. In [12] a distinction of the events is similarly considered in
the study of fault-tolerant controllers.
Now, based in the new classification of events, the notion of recoverability is introduced.

Fig. 1. Recoverability on PN reachability graph.

Definition 6: Let (Q, M0) be an IPN, and E R(Q, M0 ) be the desired marking set. A stable marking M* is recoverable
w.r.t. E if there exists a firing sequence wk n* such that , where M’ E.
In other words, the sequences that lead to E from recoverable markings must not contain abnormal events; that is, recovery
must not rely on events whose occurrence is rare or uncertain. A characterization of recoverability and an algorithm to
decide the property are presented in [10].
The difference between the notions of state stability and recoverability are shown in Fig. 1. Markings M8 and M9 are not
stable. Marking M5 is stable, but it is not recoverable because it requires the occurrence of an abnormal event to recover.
260 Alberto Lutz-Ley and Ernesto López Mellado / Procedia Technology 7 (2013) 257 – 264

4 A class of Petri net systems

IPN have been widely used for modelling concurrent discrete manufacturing systems. In this work, we focus our study on
controlled DES whose closed-loop behavior is expressed by a class of IPN. In this class, the plant and the specification sub-
models are clearly distinguishable; also their interaction is clearly stated.
More specifically, the control in this class of systems is dedicated to restrict the plant behavior to reach a sequence of
outputs stated by the specification sub-model. This is achieved by enabling at each specification state those controllable
sequences that allow the plant to reach the output expressed by the specification itself. When the plant output matches that
of the specification, the latter is then enabled to proceed to the next output. The mechanism used to enable and disable
events between the sub-models are the so-called self-loop arcs. A self-loop arc exists between place and transition if
, = , = 1; a more explicit description is provided in Fig. 2. The DES class described before is called Output
Tracking Closed-Loop Model (OTCLM), and is formally defined below.

Fig. 2. General scheme for OTCLM

Definition 7: Let ( , ) be an IPN. ( , ) is an Output Tracking Closed-Loop Model (OTCLM) if:

a) It includes two clearly distinguishable sub-models ( , ) and ( , ), representing the specification and
plant respectively. ( , ) is a safe strongly connected state machine.
b) There exist self-loop arcs between ( , ) and ( , ) such that
1. If there is a self-loop arc between and , then .
2. If there is a self-loop arc between and , is measurable.
3. Let and with I( , )=1 ( is an input place for ). Then, has self-loop arcs with a
set of measurable places on that represents the same output of .

Notice that, whilst the desired sequence of outputs is given as a strongly connected state machine, concurrency is allowed
on the plant, so, the complete closed-loop behaviour is more complex.

5 A method for fault recovery

Given an OTCLM system with a specification that does not include the handling of faults, the objective in this problem is to
augment the closed-loop behaviour model to take into account unexpected occurrences of events, and consequently
providing to the controller the ability to recover from faults.

5.1 Problem statement

Initially, two OTCLM are considered: ( , ) which represents the system faultless closed-loop operation, and
( , ) which represents the system behaviour including the possibility of fault occurrence. specifies the abnormal
events in the system . For every fault, there exists a measurable diagnostic place that is marked after the
eventual occurrence of the fault. This is because fault diagnosis is required for recovery although it is not part of our study.
Additionally, we can unmark this place using a controllable event. The Set of expected markings is given by: =
( , ).
The following assumptions are held for this study:
 Alberto Lutz-Ley and Ernesto López Mellado / Procedia Technology 7 (2013) 257 – 264 261

a) The plant sub-model ( , ) is safe when it evolves in closed loop behaviour.

b) The occurrence of a fault eventually leads the system to deadlock state, by preventing the plant reaching an output
required by the specification.
c) One-fault at a time scenario is considered.

5.2 Synthesis of the recovery sequence

In order to present the technique for computing the recovery sequences, let us first introduce several useful notions.
Definition 8: The set of markings susceptible to is ={ ( , )| } ; they are the
markings in which the occurrence of is possible. The set of post- markings is = ,
, }.

Definition 9: The set of fixed-value places of is ={ | ( )= ( ) , }; they are the

places that invariantly have the same value on every marking susceptible to the fault .

As an additional assumption, we consider the case where every place on the specification is fixed-value for every fault. This
means that a potential fault may occur at only one state of the specification. The place of the specification where fault can
occur is represented by .

Definition 10: Let ( , ) be a Petri net and ( , ) its generated language. A firing sequence is called normal
controllable if ( , ) , such that ( ) = and every event in is a normal event; denotes the
prefix language of .

Definition 11: A fault is said to be recoverable if every marking, that is reachable after the occurrence of and until
returning to E, is recoverable.

Now, we have the necessary concepts for developing a method for the synthesis of a fault recovery mechanism on
( , ). In order to recover from fault , our approach consists of two steps: 1) first, we find a firing sequence that
stabilizes the system from any post- marking to an expected marking; then, 2) the specification is augmented to enable
such firing sequence only after the occurrence of . The recovery sequence synthesis method for one fault is presented next.

Step 1:Find a recovery sequence

0
1.a) Define the partial markings: ( )= = + , where is any marking in , is an
( )
unitary vector with entry corresponding to equal to 1, and is the incidence matrix of the faulty plant submodel.
1.b) Solve the following linear programming problem.
min v
subject to:
1) ( ) + = ( ), . . ( ) ( )
,
2) = 0, . . ( )= ( )
,

where is the , -entry of the faulty plant incidence matrix and = .

,
1.c) Using the resulting firing vector , perform a partial reachability analysis to find a transition firing sequence , such
that = . The obtained sequence w should be normal controllable; this condition can be checked at the
moment of carrying out the reachability analysis.

It is possible that, starting from , we are unable to fire the entire sequence. A clear example of this situation is when an
unmarked place should be marked to enable a transition. A quick glance to step 1.a) reveals that those places which are not
fixed-value ( ) remain unmarked ( ( ) = 0). This means that there are preconditions needed for recovery which are
not guaranteed to hold in every marking susceptible to the fault.

Step 2:Augment the specification model to handle a fault.

2.a) In the closed loop model, every controllable transition already needs permission from some place of the specification.
For this reason we need to duplicate those controllable transitions required to fire in . This will allow the firing of the
262 Alberto Lutz-Ley and Ernesto López Mellado / Procedia Technology 7 (2013) 257 – 264

transitions on other places of the specification

2.b) Add new transitions , and a new place to the specification submodel; then add corresponding arcs such that
, = 1, , = 1, , = 1. After that, add self-loop arcs between and ’s diagnostic place
and between and the controllable transition used to clear ’s diagnostic place. Finally, add an inhibitor arc between
and ’s diagnostic place.
2.c) Add a place-transition sequence to the specification that enables the recovery sequence starting with a place and ending
with a transition. If is the first place and the last transition, we add arcs such that , = 1 and , =
1. Transition should be enabled when the system marking is inside E, considering that the specification should be in
. After the firing of , system should have recovered.

Next, some results are presented to establish the correctness of the procedure presented here.

Proposition 1: Let be a fault. If a normal controllable recovery sequence is found in step 1, then can fire from every
post- marking.
Proof: By construction, sequence can definitely fire from marking (step 1.c ensures this). Marking has a token
only on those places which have a fixed-value equal to 1, with the notable exception of preconditions (which had 1 in ,
but became 0 after occurrence in step 1.a. Now, every post- marking has the same fixed-values than (including
preconditions because they are post- ). So, sequence can be fired from any post- marking.

Proposition 2: Let be a fault. The plant ends in a marking after firing sequence found in step 1, starting from
any post- marking.
Proof: Marking (defined in 1.a) has the same values than any marking on with the exception of the non-fixed
value places. Now, the firing sequence , found on step 1, leads the plant to . Thus, we only have to prove that non-fixed
values are preserved. In the case where occurrence does not affect the non-fixed values, these will be zero both in and
, and after firing , these values will not change. Otherwise, if occurrence of changes non-fixed values, they will be
zero in but not in . Anyway, the sequence is found in such a way that starts in and ends in ; so, the non-zero
values will be made zero after the firing of . This means that the non-fixed places will have the same value they started
with, regardless if it was 0 or 1, because the recovery sequence removes a mark from a non-fixed place only if it had an
extra mark by the effect of fault . Now, by Proposition 1, starting from any post- marking the plant ends in a
marking .
Theorem 1: Let ( , ) be a faulty system and one of the possible faults. After applying the method described
before, is recoverable.
Proof: By Propositions 1 and 2, we know that if a sequence is found at step 1, starting from any post- marking, the
system can reach an expected marking ( are Expected markings by definition) by the firing of sequence . Let
be a post- marking, and be an expected marking such that . We make = such
that . We know that is normal controllable, then should enable controllable events
and uncontrollable events which are normal and are included in . Because controllable events which are not in can be
disabled, enables only normal events that are in , for any possible. Thus, every reachable marking,
starting from any post- marking until returning to E is recoverable. Hence, is recoverable.

5.3 Example
Consider the system depicted in figure 3. It is composed of three conveyor belts, a robotic arm, and an assembly machine.
The desired behaviour of the system is the following: first, the robotic arm takes part A and part B from input conveyors and
places them at machine 1. When both parts are placed, machine 1 assembles them into a finished product, which is
withdrawn from the machine by the robotic arm to be placed on conveyor 3.
The Petri net model of the system is shown in Fig. 4. The desired output sequence is enforced by the specification;
output A (B) represents that part A (B) is present at the input conveyor, outputs R1 and R2 are active when the parts are at
the assembly machine and output R3 is active when the finished part is placed at the output conveyor. There is a transition
labelled as f1, which represents the abnormal event of dropping part A before placing it at the assembly machine. The fault
free model can be obtained by removing transition f1. We have that: = { [0 0 1 1 0 0 0 1 0 0 0 0 1 0 0 1 0 0], [0 0 0 1
0 0 0 1 1 0 0 0 1 1 0 1 0 0] } where the shaded entries are the fixed places. The place of occurrence of f1 is R1R2 according
to the previous markings. After applying step 1 of the method, we find that there exists a plant recovery sequence PA, GA
which is normal controllable. After executing step 2, the resulting model is shown in figure 5.
 Alberto Lutz-Ley and Ernesto López Mellado / Procedia Technology 7 (2013) 257 – 264 263

Fig. 3. Assembly cell system

Fig. 4. Model of the assembly cell system

Conclusions

A method for providing fault recovery capabilities to controlled discrete event systems has been presented. The synthesised
recovery sequences are added to the specification without modifying the original controller design; this feature is due thanks
to the modularity of the models built using the PN class OTCLM, which additionally facilitates the syntheses of such
sequences. Although the proposed method overcomes the previously published works on the matter given that it uses PN for
a more compact representation and considers event uncertainty, further research can be done by exploring other PN classes,
and for improving the efficiency of the method.

References

[1] Dijkstra, E. W. Self-stabilizing systems in spite of distributed control. Commun. ACM 17, 11 (Nov. 1974), 643-644.
[2] Merlin J.A., Farber D.J., “Recoverability of communication protocols - implications of a theoretical study”, IEEE Trans. Commun.
COM-24, 9 (Sept .1976).
[3] Schneider M. “Self-stabilization”, ACM Comput. Surv. 25, 1 (March 1993), 45-67.
[4] Arora A., Gouda M. , “Closure and Convergence: A foundation of Fault-Tolerant Computing”, IEEE Transactions on Software
Engineering, 1993, 1015-1027.
[5] C.M Özveren, A.S. Willsky, P.J. Antsaklis, “Stability and Stabilizability of Discrete Event Dynamic Systems”, Journal of the
Association for Computing Machinery, Vol.38, No.3, 1991.
264 Alberto Lutz-Ley and Ernesto López Mellado / Procedia Technology 7 (2013) 257 – 264

Fig. 5. System resulting from applying method

[6] Brave Y., Heymann M., “Stabilization of Discrete-event processes”, International Journal of Control, vol.51, 1101- 1117, 1990.
[7] Q.Wen, R. Kumar, J.Huang, H.Liu, “Weakly Fault-Tolerant Supervisory Control of Discrete Event Systems”, American Control
Conference, 2007.
[8] Q. Wen, R. Kumar, J.Huang, H.Liu, “A Framework for Fault-Tolerant Control of Discrete Event Systems”, IEEE Transactions on
Automatic Control, Vol.53, No.8, 2008.
[9] Q. Wen, “Fault-tolerant supervisory control of discrete-event systems”, Pd.D. Thesis, Iowa State University, 2009.
[10] Lutz-Ley, A., E. López-Mellado “Stability-based Characterization of Fault Tolerance in Petri Net Models of Discrete Event
Systems”. Proc. of IEEE Conf. on Computational Engineering in Systems Applications (CESA’2012). Santiago, Chile. April 2012.
[11] S. Park, J.Lim, “Fault-tolerant robust supervisor for discrete event systems with model uncertainty and its application to a workcell”,
IEEE Transactions on Robotics and Automation, Vol. 15 issue 2, 1999.
[12] L. Li, C. N. Hadjicostis, and R. S. Sreenivas, “Designs of bisimilar Petri net controllers with fault tolerance capabilities,” IEEE
Trans. Syst., Man, Cybern. A, Syst., Humans, vol. 38, no. 1, pp. 207–217, Jan. 2008.
[13] Qu, Y.; Li, L.; Chen, Y.; Dai, Y.; , "An Optimal Design Approach for Fault-Tolerant Petri Net Controllers Using Arc Weights
Minimization," Systems, Man and Cybernetics, Part A: Systems and Humans, IEEE Trans. on , vol.42, no.5, pp. 1301 - 1308, 2012
[14] A. Khatab, E.Niel, “State feedback stabilizing controller for the failure recovery of Timed Discrete Event Systems”, International
Workshop on Discrete Event Systems, 2002.
[15] A. Paoli, M. Sartini, and S. Lafortune, “A fault tolerant architecture for supervisory control of discrete event systems” in Proceedings
of the 17th IFAC World Congress, Seoul, Korea, 2008, pp. 6542–6547.
[16] A. Paoli, M. Sartini, S. Lafortune, “Active fault tolerant control of discrete event systems using online diagnostics”, Automatica,
Volume 47, Issue 4, April 2011, Pages 639-649, ISSN 0005-1098,
[17] Alcaraz-Mejia, M.; Lopez-Mellado, E.; Ramirez-Treviño, A.; ,"A redundancy based method for Petri net model reconfiguration,"
Systems, Man and Cybernetics, 2007. ISIC. IEEE International Conference on , vol., no., pp.1382-1387, 7-10 Oct. 2007
[18] Alcaraz-Mejia, M.; Lopez-Mellado, E.; Ramirez-Treviño, A.; , "Fault recovery of manufacturing systems based on controller
reconfiguration," System of Systems Engineering, 2006 IEEE/SMC International Conference on , vol., no., pp.6 pp., 24-26 April 2006
[19] Alcaraz-Mejia, M.; Lopez-Mellado, E.; Ramirez-Treviño, A.; , "Redundancy Based Controller Reconfiguration for Fault Recovery of
Manufacturing Systems," Automation Science and Engineering, 2007. CASE 2007. IEEE International Conference on , vol., no.,
pp.128-133, 22-25 Sept. 2007