Control and Error Recovery of Petri Net Models with Event ... - CiteSeerX

Control and Error Recovery of Petri Net Models with Event Observers Alessandra Fanni, Alessandro Giua, Nicola Sanna

Dip. di Ing. Elettrica ed Elettronica, Universita di Cagliari, Piazza d'Armi, 09123 Cagliari, Italy email:[email protected], tel: +39 (70) 675-5892, fax: +39 (70) 675-5900

Abstract This paper discusses the problem of controlling a Petri net whose marking cannot be measured. A special net structure, called \observer net" is used to estimate the actual marking of the plant based on event observations. This estimate is used to design a state feedback controller, to ensure that the controlled plant never enters a set of forbidden states. The use of marking estimates may cause the controlled plant to block. We show in a detailed example how suitable time-out mechanisms may be introduced to recover from a blocking. All simulations have been carried out with SmallPet, a software tool for Petri net simulation and analysis we have developed.

Keywords: Petri nets, observers, state feedback control, simulation tools.

1 Introduction This paper discusses the problem of controlling a Petri net whose marking cannot be measured. Observers are used to estimate the actual marking of the plant based on event observations. A software tool for simulation and analysis of controlled plants with observers is described. When the structure and the inital marking of a net is known, the knowledge of the transition rings is sucient to reconstruct the marking that each new ring yields. In this work we assume that only the net structure is known and consider the cases in which the initial marking is know to belong to a \macromarking", i.e., we know the token contents of subsets of places but not the exact token distribution. In [7] it was shown how it is possible to estimate the actual marking of the net based on the observation of a word of events (i.e., transition rings) and an algorithm was given for computing the marking estimate M^ w and error bound Bw . The estimate is always a lower bound of the actual marking. The system that computes the estimate is called an observer. In this paper we show that a special net structure, called observer net , can be used to describe the observer: such a net has a set of places corresponding to the places of the plant whose marking is at each step M^ w , plus a set of bounding places (one for each place subset in the partition induced by inital macromarking) whose marking is Bw . The special structure of Petri nets allows us to use a simple linear algebraic formalism for estimate and error computation. In particular, the set of markings consistent with an observed word, i.e., the set of marking in which the system may actually be given the observed word, can easily be characterized in terms of the observer marking. 1

Finally, we show how the estimate generated by the observer may be used to design a state feedback controller, that ensures that the controlled system never enters a set of forbidden states. We consider a special class of speci cations that limit the weighted sum of markings in subset of places. Clearly, the use of marking estimates (as opposed to the exact knowledge of the actual marking of the plant) leads to a worse performance of the closed-loop system in the sense that to rule out the possibility that the plant enter a forbidden marking, the controller may prevent the ring of transitions whose ring is perfectly legal given the actual marking of the plant. It may also be the case that, as a result of this, the controlled system is blocking. We show in a detailed example how suitable time-out mechanisms may be introduced to recover from a blocking. We also describe a software tool, that is an extention of [5], that we have developed using Smalltalk (a well known object-oriented language). The tool can be used for the simulation and the construction of the reachability graph of a Petri net controlled in a closed loop. The tool can make use of the actual marking of net (if it can be measured) or of the estimate computed by an observer (if the actual marking cannot be directly measured). The present work has several motivations. The assumption that only event occurences may be observed, while the plant state cannot, is common in discrete event control. The assumption that the marking of the plant is not known (or is only partially known) is natural during error recovery. Consider for instance the case of a plant remotely controlled: if the communication fails the state may evolve and when the communication is restablished the state will be at best partially known. In a manufacturing environment, one may consider the case in which resources (i.e., tokens) enter unobserved, or in which we know how many resources have entered the system but not their exact location. Control and state estimation under partial observation has been discussed in the discrete event control literature. The use of state-feedback control under partial (state) observation has been discussed by Li and Wonham [10, 11] and by Takai et al. [14]. In these works the partial observation is due to a static mask, that maps the plant state space into an observation space. The main focus was in nding necessary and sucient conditions for the existence of \optimal" state feedback control laws given a mask: in this context, optimal means that the resulting closed-loop behavior is the the same for the controller with mask and the controller with complete (state) observation. In this paper, on the contrary, the mask is induced by the computed estimate, and it changes as the plant evolves. Initially, when the estimate is crude, it is often the case that these restrictive conditions are not veri ed. We propose a control scheme that tries to make the best use of the estimate to ensure the correct behaviour of the plant under control. The idea of constructing estimates of the unknown plant state for systems represented as nite automata has also been discussed in literature. In particular Caines et al. [2] showed how it is possible to use the information contained in the past sequence of observations (given as a sequence of observation states and control inputs) to compute the set of consistent states. In [3] the observer output is used to steer the state of the plant to a desired terminal state. The approach of Caines is based on the construction of an observer tree to determine the set of markings consistent with the observed behaviour: the tree contains all consistent markings. A similar approach was also used by Kumar et al. [9] when de ning observer based dynamic controllers in the framework of supervisory predicate control problems. On the contrary, the procedure we present simply produces an estimate of the state and the special structure of Petri net permits to determine if a given marking is consistent without explicite enumeration of the (possibly in nite) consistent set. The notion of macromarking is similar to the notion of uncertain marking , as described by Cardoso et al. [4]. The authors considered high-level nets as models of manufacturing systems and they assumed as theoretical basis of uncertain markings possibilistic (i.e., fuzzy) logic. In our approach, we restrict 2

our attention to purely logical models (place/transition nets) and we assume that all possible markings have equal probability.

2 Background 2.1 Generalities We recall the Petri net formalism used in this paper. For a more comprehensive introduction to Petri nets see [13]. A Place/Transition net (P/T net) is a structure N = (P; T; Pre; Post), where P is a set of m places ; T is a set of n transitions ; Pre : P  T ! N and Post : P  T ! N are the pre- and post-incidence functions that specify the arcs. The incidence matrix of the net is de ned as C (p; t) = Post(p; t) ? Pre(p; t). A marking is a vector M : P ! N that assigns to each place of a P/T net a non-negative integer number of tokens, represented by black dots. A P/T system or net system hN; M0 i is a net N with an initial marking M0 . A transition t is enabled at M if M  Pre(
; t) and may re yielding the marking M 0 = M + C (
; t). We write M [wi M 0 to denote that the enabled sequence of transitions w may re at M yielding M 0 . A marking M is reachable in hN; M0 i i there exists a ring sequence w such that M0 [i M .

2.2 Observers and macromarkings In [7] an algorithm was given for estimating the marking of a net system hN; M0 i whose marking cannot be directly measured when partial information about its initial marking is given in the form of a macromarking . De nition 1. Let us assume that the set of places P be partitioned in r + 1 subsets: P = P0 [ P1 [


[ Pr , with P0 \ Pj = ; for all j > 0. The number of tokens contained in Pj (j > 0) is known to be bj , while the number of tokens in P0 is unknown. For each Pj , let ~vj be its characteristic vector (i.e., ~vj (p) = 1 if p 2 Pj , else ~vj (p) = 0). Let V = [~v1 ~v2


~vr ] and ~b = [b1 b2


br ]T . Then the macromarking (V; ~b) is de ned as the set fM 2 NjP j j V T
M = ~bg. We make the following assumptions. A1) The structure of the net N = (P; T; Pre; Post) is known, while the initial marking M0 is not. A2) The event occurences (i.e., the transition rings) can be observed.

A3) The initial marking M0 is known to belong to the macromarking (V; ~b), i.e., it is known to satisfy the equation V T
M0 = ~b.

The use of macromarkings comes out quite naturally when describing systems containing a known set of resources (e.g., parts, machines) whose actual conditions (e.g., exact location of parts within the plant, state of a machine) is unknown [4]. After the word w has been observed we de ne the set M(w j V; ~b) of w consistent markings as the set of all markings in which the system may be given the observed behaviour and the inital macromarking. 3

De nition 2. Given an observed word w and an initial macromarking (V; ~b), the set of w consistent markings is

M(w j V; ~b) = fM j 9M 0 2 NjP j ; V T
M 0 = ~b; M 0 [wiM g:

Given an evolution of the net M0 [t1 iM1 [t2 iM2 [t3 i


, we use the following algorithm to compute the estimate M^ w of each actual marking Mi based on the observation of the word of events wi = t1 ; t2 ;


; ti , and of the knowledge of the initial macromarking (V; ~b). We denote the empty word as w0 , and the estimate of the initial marking as M^ w0 . Algorithm 3 ([7]). Marking Estimation with Event Observation and Initial Macromarking i

1. Let the initial estimate be M^ w0 , with M^ w0 (p) = min M (p) such that V T
M = ~b. 2. Let the initial bound be Bw0 = ~b ? V T
M^ w0 . 3. Let i = 1. 4. Wait until ti res. 5. Update the estimate M^ w ?1 to M^ w0 ?1 with M^ w0 ?1 (p) = maxfM^ w ?1 (p); Pre(p; ti )g. 6. Let M^ w = M^ w0 ?1 + C (
; ti ). i

i

i

i

i

i

7. Let Bw = Bw ?1 ? V T
(M^ w0 ?1 ? M^ w ?1 ). 8. Let i = i + 1. 9. Goto 4. i

i

i

i

In [7] a meaningful measure of the estimation error was de ned as the token dierence between a marking and its estimate and was studied under which conditions an observed word leads to a null estimation error. If place p belongs to a subset Pj (j > 0) of the partition induced by the initial macromarking, it is possible to prove that the place estimation error between a marking M and its estimate M^ w is such that M (p) ? M^ w (p)  Bw (j ), where Bw (j ) is the j ?th component of Bw . Furthermore, the set of consistent markings can be characterized in terms of a set of linear inequalities as a function of M^ w and Bw . Theorem 4 ([7]). Given an observed word w 2 L(N; M0 ) with initial macromarking (V; ~b), the corresponding estimated marking M^ w and bound Bw computed by Algorithm 3, the set of w consistent markings is M(w j V; ~b) = fM 2 NjP j j V T
M = V T
M^ w + Bw ; M  M^ w g: A note about the computation of the initial estimate in step 1 of Algorithm 3. This computation requires to solve an integer problem of the form: max ~cT
M s.t. M 2 M(w j V; ~b) A similar integer problem needs also be solved at each step by the controller to compute m, as described in Algorithm 7. Given the linear algebraic representation of the set of w consistent markings, one may assume that nding a solution requires integer programming methods, that are notoriously computationally hard. Let us consider, however, the following assumption (to be added to A1 - A3). 4

A4) The partition P = P0 [ P1 [


[ Pr induced by the initial macromarking is disjoint, i.e., Pj \ Pj0 = ; for all j 6= j 0 . Under assumption A4, it is easy to prove that V is unimodular, thus an integer solution of the integer problem above can also be found by the computationally ecient simplex method [1]. Furthermore, the columns of V are orthogonal, and a closed form solution of this problem can be given. Proposition 5 ([7]). Consider the integer problem max ~cT
M s.t. V T
M = V T
M^ w + Bw M  M^ w Here V , Bw , and M^ w are given as in Algorithm 3 (thus we assume the problem is feasible); P = P0 [ P1 [


[ Pr is given as De nition 1 and satis es assumption A4. Let I (j ) = fp j ~vj (p) = 1; (8p0 3 ~vj (p0 ) = 1) c(p)  c(p0 )g. The optimal solution M  is: 1. Unbounded, if P0 6= ;. However, if for all p 2 P0 c(p) = 0, a nite optimal solution may be found by imposing the additional constraints M (p) = M^ w (p) for all p 2 P0 . 2. Finite and unique if: P0 = ; and for all j , either I (j ) is a singleton, or Bw (j ) = 0. In this case the solution is:  ^ w (p) + Bw (j ) if p 2 I (j )  M (p) = M ^ Mw (p) otherwise 3. Finite and not unique if: P0 = ; and there exists j , such that I (j ) is not a singleton and Bw (j ) > 0. In this case, for all j let J (j ) be an arbitrarily chosen singleton subset of I (j ). Then an optimal solution is:  ^ w (p) + Bw (j ) if p 2 J (j )  M (p) = M M^ w (p) otherwise

3 Net structure of observers Given a net N = (P; T; Pre; Post) and an initial macromarking (V; ~b), (that induces a partition P = P0 [ P1 [


[ Pr ) the corresponding observer net can be constructed as follows. The observer net Nob = (P; T; Pre; Post; B; L) will have the same net structure of N with in addition:

 A set of r bounding places B. Each bounding place j in B is associated to a subset Pj (j > 0) of the partition induced by the initial macromarking.  A set of links L = Sr (P f g). A link (p; ) connects each place p 2 P to the corresponding bounding place j .

j =1

j

j

j

j

The initial marking of the set of places P is M^ w0 , while the initial marking of the set of bounding places B is Bw0 (as computed by Algorithm 3). Note that, in general a place p may be linked to more than one bounding place. Under assumption A4, however, it is clear that each place is linked to one bounding place at most. Let the observer be in a marking [M^ wT = Bw ]T . As the plant evolves ring a transition t the correT = B T ]T is computed sponding transition is red on the observer and the new observer marking [M^ wt wt as described in Algorithm 3. That is: 5

p1

t2

t1

p2

p1

t3

t1

p2

t2

β1

p3

p3

(a)

(b)

t3

Figure 1: Net system (a) and corresponding observer (b) in Example 5.

 max fM^ w (p); Pre(
; t)(p)g tokens are taken from each place p 2 P .  If M^ w (p) < Pre(
; t)(p) then Pre(
; t)(p) ? M^ w (p) tokens are taken from each bounding place

linked to p. T = B T ]T .  Post(
; t)(p) tokens are added to each place p 2 P to obtain [M^ wt wt Example 6. Consider the net system in Figure 1. It represents a communication (sender) process with three servers. Each token represents a server that may be in any of three states: sending (token in place p1 ), idle (token in place p2 ), preprocessing (token in place p3 ). The initial macromarking M (p1 ) + M (p2 ) + M (p3 ) = 3 captures our knowledge that there are three servers in the process. Their initial state is, however, unknown. Here the partition induced by the macromarking is P = P0 [ P1 , with P0 = ; and P1 = P . The bounding place 1 is shown as a thick circle. The links from 1 to the places in P1 are shown as thick dotted arcs. The initial estimate computed by Algorithm 3 is M^ w0 = [0 0 0]T , Bw0 = [3], thus the initial marking of the observer net (shown in Figure 1.b) is [M^ wT0 = BwT 0 ]T = [0 0 0 = 3]T . The set of w0 consistent markings is M(w0 j V; ~b) = fM j M (p1 ) + M (p2 ) + M (p3 ) = 3g. If t1 res from M0 , the observed word is w1 = t1 and the system reaches the marking M = [2 1 0]T , while the observer net reaches the new marking [M^ wT1 = BwT 1 ]T = [1 0 0 = 2]T . The set of w1 consistent markings is M(w1 j V; ~b) = fM j M (p1 ) + M (p2 ) + M (p3 ) = 3; M (p1 )  1g.

4 Control using observers In this section, we show how the marking estimate computed by an observer can be used by a control agent to enforce a given speci cation on the plant behaviour. In general, a speci cation is given as a set of forbidden markings F that should never be reached by the system under control, or, equivalently, by set of legal markings L = NjP j ? F . We make several assumptions that are brie y discussed here. 6

PLANT

γ L

w

CONTROLLER

^ B M w w

OBSERVER

Figure 2: State feedback control loop with observer.

 The set of legal markings is given in the format of linear constraints, i.e., L = fM 2 NjP j j S T
M  ~kg where S = [~s1


~su ] with ~sj 2 ZjP j and ~k = [k1


ku ]T with kj 2 Z. This kind

of speci cations, that we call generalized mutual exclusion constraints , have been considered by various authors [8, 12, 15].  The controller may disable transitions to prevent the plant from entering a forbidden marking. From the knowledge of M^ w and Bw , the controller computes a control pattern : T ! f0; 1g. If (t) = 0 then t is disabled by the controller.  All transitions are controllable, i.e., can be disabled by the controller.

The considered control scheme is shown in Figure 2. Assume that the initial marking M0 of the plant does not necessarily belong to L (this is a natural assumption when considering error recovery problems). Then, given a marking M we may want to prevent the ring of transition t such that M [tiM 0 when both these two conditions are veri ed: (a) There exists ~sj with ~sj
M 0 > kj , i.e., M 0 2 F ; (b) ~sj
M 0 > ~sj
M , i.e., the ring of t either leads to a violation of the constraint (if M 2 L) or to a "worse" violation of the constraint (if M 2 F ). In this case the following algorithm taken from [7] may be used to compute the control pattern at each step. Algorithm 7. Let w be the observed word and M(w j V; ~b) the set of w consistent markings. Let the speci cation be L = fM 2 NjP j j S T
M  ~kg with S = [~s1


~su ] and ~k = [k1


ku ]T . for all t 2 T

begin

(t) := 1; j := 1; while j  u and (t) = 1 do

begin


:= ~sTj
C (
; t); if
> 0 then

begin

m := max f~sTj
M j M 2 M(wt j V; ~b)g; if m > kj then (t) := 0; 7

end;

j := j + 1;

end.

end;

Thus a transition is disabled at M only if its ring leads to a marking M 0 such that for at least one constraint j : ~sTj
M 0 > ~sTj
M (i.e.,
> 0) and there exists a consistent marking M 00 in M(wt j V; ~b) that violates the constraint (i.e., ~sTj
M 00 > kj ). Note that to compute m we need to solve an integer problem as discussed in Section 2. If assumption A4 holds, however, the result of Proposition 5 may be used to eciently compute m. Example 8. Consider again the net system in Figure 1. Assume that the speci cation on the system behavior requires that at most two servers may be simultaneously sending, i.e., the set of legal markings is L = fM 2 N3 j M (p1 )  2g. From the initial marking of the plant, shown in Figure 1.a, all transitions may re without violating the constraint. However, when Algorithm 7 is used to compute the control pattern, given the initial marking estimate [M^ wT0 = BwT 0 ]T = [0 0 0 = 3]T (corresponding to the observer net marking in Figure 1.b), the control pattern is = ft2 ; t3 g, i.e., transition t1 is not enabled. This is because the ring of t1 increases the number of tokens in p1 (
> 0) and there exists a marking (M 00 = [3 0 0]T ) that is consistent with the observer marking [M^ wT1 = BwT 1 ]T and that violates the constraint. The condition under which a controller that uses partial state observations is optimal (i.e., it prevents only transition rings that lead from L to F ) has been discussed in [10, 11, 14]. Furthermore, we also note that there exist initial states of the plant from which the use of the observer net in the control loop leads to blocking. In the case of the net in Figure 1, consider as initial marking M0 = [0 0 3]T . We have seen that the initial marking of the observer net, as computed by Algorithm 7, is that shown in Figure 1.b and from this estimate the control pattern is = ft2 ; t3 g. Thus the net is blocked. In Section 6, we will discuss a more complex example, and will show how time-out transitions may be set up to recover from blocking.

5 Simulation tool We have developed a software tool for simulation and analysis of place/transition and timed nets, called SmallPet. The tool is based on the software described in [5] with several extensions. SmallPet was developed very quickly using Smalltalk, an object-oriented language famous for its productivity. The complete control over the code and the powerful programming environment allow one to very easily make even deep upgrades and modi cations to the program. The base classes are: Place, Transition, Arc, Net and Simulator as in Figure 3. While the classes Net,Place and Arc are mainly used for structuring the Petri net and for holding some basic information (like the arc weights and the number of tokens in the places), the class Transition has the responsibility of performing the actual computations. In the framework of the present paper we need not consider timed nets. However, to cope with controllers and observer nets, it was necessary to upgrade the previouous version of SmallPet adding a new set of classes and methods. The upgraded version is capable of performing simulations of open8

SmallPet

Place

BoundingPlace

Arc

Link

Inhibitor

Transition

Immediate

Net

Timed

Simulator

ObserverNet

Deterministic

Stochastic

Marking dependent

Marking dependent

Figure 3: Classes hierarchy of the tool SmallPet. loop or controlled plants, with or without observers. The reachability graph of the plant-observer system under control can also be automatically constructed.

 A new class

ObserverNet is used to represent an observer net. This required creating the new classes BoundingPlace and Link. The evolution of an observer net is simulated following Algorithm 3.  For reasons of code eciency, rather than implementing the controller as a new class, we chose to implement it as a new method of the class Simulator. The only kind of speci cation considered in this version is that given by generalized mutual exclusion constraints as described in Section 4. Given a net whose marking is measurable , the controller computes all markings reachable in one step from the current (legal) marking and disables those transitions whose ring will lead to a forbidden marking. If the initial marking is not legal, the controller will enable only transitions whose ring leads to a lesser violation of the constraints. Given a net whose marking is not measurable , an observer net is used to estimate the marking. Thus, the computation of all markings reachable in one step from the current marking is performed on the observer net (using Algorithm 3), while the computation of the control pattern follows Algorithm 7. The computation of m is done using the result of Proposition 5, thus in this case assumption A4 must hold, i.e., each place p may be linked to one bounding place at most.

6 A manufacturing example In this section we consider a manufacturing example composed of two machines, m1 and m2 connected through a buer of limited capacity. The net associated to each machine is composed of two places: idle (p1 for m1, p3 for m2) and working (p2 for m1, p4 for m2). The parts within this ow-shop are processed rst by m1 and then by m2. The net associated to the routing of the parts is composed of three places: p5 (parts to be processed), p6 (parts in the buer between the machines), p7 (parts processed and ready to be removed). There are 5 pallets in the 9

system, and the ring of transition t5 corresponds to the removal of a processed part from a pallet and the positioning of a new part to be processed on this pallet. The net corresponding to this system is shown in Figure 4.a (ignore places p8 and p9 , transitions t6 and t7 , and the dashed arcs). The controller must enforce two speci cations. A rst speci cation requires that at most a machine may be working at any time: this can be represented by the constraint M (p2 ) + M( p4 )  1. A second speci cation requires that at most 3 parts may be simultaneously in the buer: this can be represented by the constraint M (p6 )  3. The observer net for this plant is shown in Figure 4.b. Since each machine can be either idle or working and there are 5 pallets in the system, our knowledge of the initial marking can be expressed by the macromarking: M (p1 ) + M (p2 ) = 1; M (p3 ) + M (p4 ) = 1; M (p5 ) + M (p6 ) + M (p7 ) = 5. Thus there are three bounding places: 1 , 2 , 3 . The initial marking of the observer net (computed by Algorithm 3) is that shown in Figure 4.b.

6.1 First test case In a rst test case, we assume that the plant is initially in the state represented by the marking in Figure 4.a. We ignore places p8 and p9 , transitions t6 and t7 , and the dashed arcs. If the marking of the net is measurable, the reachability graph of the net under control constructed by SmallPet is that shown in Figure 5. There are 45 reachable markings, and by inspection it is possible to see that the net is live. If the marking of the plant is not measurable, an observer must be used in the control loop. The resulting closed loop behaviour is represented in the reachability graph in Figure 6. Here each node Mi is labeled as: (M j Mw =Bw ), where M is a marking of the plant, and [Mw =Bw ] the corresponding marking of the observer. This graph contains 147 nodes but in the gure we have only represented part of it. We observe that:

 The closed loop behavior with observer is not optimal. As an example in Figure 6 from node

M 1, that corresponds to the plant marking M0 = [1 0 1 0 2 2 1]T , only transitions t3 and t5 may re, while in Figure 5 from node M 1 (that corresponds to the same plant marking) t1 may re as well.  There exist repetitive sequences that may be red without ever reconstructing the plant marking (when the plant marking is reconstructed by the observer the bounding places are empty). As an example, in Figure 6 consider from M 11 the sequence t3 ; t4 ; t5 ; t1 ; t2 .  The closed loop net is live and from any reachable marking it is possible to reach a marking in which the plant marking is reconstructed by the observer.

6.2 Second test case In a second case we considered a dierent initial marking for the plant: M0 = [1 0 0 1 2 2 1]T . Since the initial macromarking is the same of the previous case, the initial marking of the observer, computed by Algorithm 3, clearly does not change. 10

p

p

1

t

t

2

p p

5

5

1

2

8

p

p 3

6

t

t6 t

t

4

p

p

9

t

5

7

3

p

4

7

(a)

p

p

1

t

β

1

2

p p

t

5

5

1

2

8

p

p

3

5

6

β

t6

3

t p

9

β 4

2

p

4

t

t

5

3

p

7

(b)

Figure 4: Plant (a) and observer net (b) for a manufacturing example with time-outs. 11

t7

M0 : M1 : M2 : M3 : M4 : M5 : M6 : M7 : M8 : M9 : M10: M11: M12: M13: M14: M15: M16: M17: M18: M19: M20: M21: M22: M23: M24: M25: M26: M27: M28: M29: M30: M31: M32: M33: M34: M35: M36: M37: M38: M39: M40: M41: M42: M43: M44:

(0 (1 (0 (1 (1 (1 (0 (1 (1 (1 (1 (1 (1 (1 (1 (0 (0 (1 (0 (0 (1 (1 (1 (1 (0 (1 (1 (1 (1 (1 (0 (0 (1 (0 (1 (0 (1 (1 (1 (1 (1 (1 (1 (1 (1

1 0 1 0 0 0 1 0 0 0 0 0 0 0 0 1 1 0 1 1 0 0 0 0 1 0 0 0 0 0 1 1 0 1 0 1 0 0 0 0 0 0 0 0 0

1 1 1 1 0 1 1 1 0 1 0 1 0 1 1 1 1 1 1 1 0 0 1 1 1 1 1 0 0 1 1 1 1 1 1 1 1 0 0 0 0 1 0 0 0

0 0 0 0 1 0 0 0 1 0 1 0 1 0 0 0 0 0 0 0 1 1 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 1 1 1 1 0 1 1 1

2 2 1 1 1 1 0 0 0 0 0 0 0 0 1 0 1 1 0 1 1 2 2 3 2 2 3 3 4 4 3 4 4 3 3 2 2 2 3 3 4 5 5 1 2

2 2 3 3 2 2 3 3 2 2 1 1 0 0 0 1 1 1 2 2 0 0 0 0 1 1 1 0 0 0 1 1 1 2 2 3 3 2 2 1 1 0 0 1 1

1) 1) 1) 1) 2) 2) 2) 2) 3) 3) 4) 4) 5) 5) 4) 4) 3) 3) 3) 2) 4) 3) 3) 2) 2) 2) 1) 2) 1) 1) 1) 0) 0) 0) 0) 0) 0) 1) 0) 1) 0) 0) 0) 3) 2)

t2-->M1 t1-->M2 t2-->M3 t3-->M4 t4-->M5 t1-->M6 t2-->M7 t3-->M8 t4-->M9 t3-->M10 t4-->M11 t3-->M12 t4-->M13 t5-->M14 t1-->M15 t2-->M11 t2-->M17 t1-->M18 t2-->M9 t2-->M5 t4-->M14 t4-->M22 t1-->M16 t1-->M24 t2-->M25 t1-->M19 t1-->M0 t4-->M23 t4-->M29 t1-->M30 t2-->M26 t2-->M32 t1-->M33 t2-->M34 t1-->M35 t2-->M36 t3-->M37 t4-->M1 t4-->M34 t4-->M26 t4-->M32 t1-->M31 t4-->M41 t4-->M17 t4-->M25

t5-->M33 t3-->M44 t5-->M35 t5-->M36 t5-->M37 t3-->M43 t5-->M2 t5-->M3 t5-->M4 t5-->M5 t5-->M43 t5-->M17 t5-->M20 t5-->M22 t5-->M16 t5-->M24 t3-->M20 t5-->M19 t5-->M0 t5-->M21 t5-->M27 t5-->M23 t5-->M29 t5-->M30 t3-->M21 t3-->M27 t5-->M28 t5-->M42 t5-->M41 t5-->M31

t5-->M34

t5-->M1

t5-->M25

t5-->M26 t5-->M32

t3-->M28 t3-->M39 t5-->M38 t5-->M40

t5-->M44 t5-->M39

Figure 5: Reachability graph of the net in Figure 4.a under control without time-outs.

12

M0 : (0 M1 : (1 M2 : (1 M3 : (1 M4 : (1 M5 : (1 M6 : (0 M7 : (1 M8 : (0 M9 : (1 M10: (1 M11: (1 M12: (1 M13: (1 M14: (1 M15: (0 M16: (0 M17: (1 M18: (1 M19: (1 M20: (1 M21: (1 M22: (0 M23: (1 M24: (0 M25: (1 M26: (1 M27: (1 M28: (1 M29: (1 M30: (0 M31: (1 M32: (1 M33: (0 M34: (1 M35: (1 M36: (1 M37: (0 M38: (1 M39: (1 M40: (1 M41: (0 M42: (1 M43: (1 M44: (1 M45: (1 M46: (1 M47: (1 M48: (1 . . . .

1 0 0 0 0 0 1 0 1 0 0 0 0 0 0 1 1 0 0 0 0 0 1 0 1 0 0 0 0 0 1 0 0 1 0 0 0 1 0 0 0 1 0 0 0 0 0 0 0 .

1 1 0 1 0 1 1 1 1 1 0 1 0 1 1 1 1 1 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 1 1 1 0 1 1 1 0 1 0 1 0 1 .

0 0 1 0 1 0 0 0 0 0 1 0 1 0 0 0 0 0 1 1 0 0 0 0 0 0 1 1 1 0 0 0 0 0 0 1 0 0 0 1 0 0 0 1 0 1 0 1 0

2 2 2 2 2 2 1 1 0 0 0 0 0 0 1 0 1 1 1 2 2 3 2 2 1 1 1 2 3 3 2 2 3 2 2 2 2 1 1 1 1 0 0 0 0 0 0 0 0

2 2 1 1 0 0 1 1 2 2 1 1 0 0 0 1 1 1 0 0 0 0 1 1 2 2 1 1 1 1 2 2 2 3 3 2 2 3 3 2 2 3 3 2 2 1 1 0 0

1 1 2 2 3 3 3 3 3 3 4 4 5 5 4 4 3 3 4 3 3 2 2 2 2 2 3 2 1 1 1 1 0 0 0 1 1 1 1 2 2 2 2 3 3 4 4 5 5

| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |

0 1 1 1 1 1 0 1 0 1 1 1 1 1 1 0 0 1 1 1 1 1 0 1 0 1 1 1 1 1 0 1 1 0 1 1 1 0 1 1 1 0 1 1 1 1 1 1 1

0 0 0 0 0 0 1 0 1 0 0 0 0 0 0 1 1 0 0 0 0 0 1 0 1 0 0 0 0 0 1 0 0 1 0 0 0 1 0 0 0 1 0 0 0 0 0 0 0

0 0 0 1 0 1 1 1 1 1 0 1 0 1 1 1 1 1 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 1 1 1 0 1 1 1 0 1 0 1 0 1

0 0 1 0 1 0 0 0 0 0 1 0 1 0 0 0 0 0 1 1 0 0 0 0 0 0 1 1 1 0 0 0 0 0 0 1 0 0 0 1 0 0 0 1 0 1 0 1 0

0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 1 2 2 3 2 2 1 1 1 2 3 3 2 2 3 2 2 2 2 1 1 1 1 0 0 0 0 0 0 0 0

0 0 0 0 0 0 1 1 2 2 1 1 0 0 0 1 1 1 0 0 0 0 1 1 2 2 1 1 1 1 2 2 2 3 3 2 2 3 3 2 2 3 3 2 2 1 1 0 0

0 0 1 1 2 2 2 2 2 2 3 3 4 4 3 3 2 2 3 2 2 1 1 1 1 1 2 1 0 0 0 0 0 0 0 1 1 1 1 2 2 2 2 3 3 4 4 5 5

/ / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /

1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

5) 5) 4) 4) 3) 3) 2) 2) 1) 1) 1) 1) 1) 1) 1) 1) 1) 1) 1) 1) 1) 1) 1) 1) 1) 1) 1) 1) 1) 1) 1) 1) 0) 0) 0) 0) 0) 0) 0) 0) 0) 0) 0) 0) 0) 0) 0) 0) 0)

t2-->M1 t3-->M2 t4-->M3 t3-->M4 t4-->M5 t1-->M6 t2-->M7 t1-->M8 t2-->M9 t3-->M10 t4-->M11 t3-->M12 t4-->M13 t5-->M14 t1-->M15 t2-->M11 t2-->M17 t1-->M8 t4-->M14 t4-->M20 t1-->M16 t1-->M22 t2-->M23 t1-->M24 t2-->M25 t3-->M26 t4-->M17 t4-->M23 t4-->M29 t1-->M30 t2-->M31 t3-->M27 t1-->M33 t2-->M34 t3-->M35 t4-->M36 t1-->M37 t2-->M38 t3-->M39 t4-->M40 t1-->M41 t2-->M42 t3-->M43 t4-->M44 t3-->M45 t4-->M46 t3-->M47 t4-->M48 t5-->M49

t5-->M146 t5-->M143 t5-->M141 t5-->M139 t5-->M137 t5-->M121 t5-->M85 t3-->M81 t5-->M24 t5-->M25 t5-->M26 t5-->M17 t5-->M18 t5-->M20 t5-->M16 t5-->M22 t3-->M18 t5-->M19 t5-->M77 t5-->M21 t5-->M79 t5-->M80 t3-->M19 t5-->M30 t5-->M31 t5-->M27 t5-->M28 t5-->M75 t3-->M77 t5-->M56 t5-->M32 t3-->M74 t5-->M76 t3-->M73 t5-->M33 t5-->M34 t5-->M35 t3-->M72 t5-->M37 t5-->M38 t5-->M39 t5-->M40 t5-->M72 t5-->M52 t5-->M57

t5-->M86

t5-->M23

t5-->M29

t5-->M69

t5-->M32

t5-->M36

Figure 6: Reachability graph (partial) of the net/observer in Figure 4 under control without time-outs. M0 M1 M2 M3

: : : :

(1 (1 (1 (1

0 0 0 0

0 1 1 0

1 0 0 1

2 2 3 3

2 2 2 2

1 1 0 0

| | | |

0 0 0 0

0 0 0 0

0 1 1 0

0 0 0 0

0 0 1 1

0 0 0 0

0 0 0 0

/ / / /

1 1 1 1

1 0 0 1

5) 5) 4) 4)

t4-->M1 t5-->M3 t5-->M2 (no transition is enabled) t4-->M2

Figure 7: Reachability graph from initial marking M0 = [1 0 0 1 2 2 1]T of the net/observer in Figure 4 under control without time-outs. 13

M0 M1 M2 M3

: : : :

(1 (1 (1 (1

0 0 0 0

0 1 1 0

1 0 0 1

3 3 4 4

1 1 1 1

1 1 0 0

| | | |

0 0 0 0

0 0 0 0

0 1 1 0

0 0 0 0

0 0 1 1

0 0 0 0

0 0 0 0

/ / / /

1 1 1 1

1 0 0 1

5) 5) 4) 4)

t4-->M1 t5-->M3 t5-->M2 (no transition is enabled) t4-->M2

Figure 8: Reachability graph from initial marking M0 = [1 0 0 1 3 1 1]T of the net/observer in Figure 4 under control without time-outs. If the marking of the net is measurable, the reachability graph of the net under control is similar to that obtained in the previous case and shown in Figure 5. There are 45 reachable markings, and the net is live. If the marking of the plant is not measurable, the use of an observer in the control loop results in a blocking closed loop behaviour, as shown in the reachability graph in Figure 7. The blocking is due to the following fact. Node M 2 is reached after ring t4 and t5 . After this observation, the observer has not yet reconstructed the marking of machine m1 and that of the net associated to the routing of parts. Since there may be three parts already in the buer, transition t1 is disabled by the controller. Since m1 may be working, transition t4 is disabled as well, an thus the block. In real applications, however, after a suciently long time has elapsed without observing any event occurrence, the plant operator would realize that a block has occurred and start an error recovery procedure. In this case, if the controlled system is blocked, necessarily both machines must be idle, since if M (p2 ) = 1 or if M (p4 ) = 1 then either transition t2 or transition t4 will eventually re. This means that if a long enought time has elapsed without observing any event occurrence, we may assume that M (p1 ) = M (p3 ) = 1. This inference is logically equivalent to the addition of a place p8 and of a time-out transition t6 as in Figure 4 (ignore place p9 , transition t7 , and the arcs connected to them). The arcs with a double arrow between t6 and p1 ; p3 represent a loop, i.e., Pre(p1 ; t6 ) = Post(p1 ; t6 ) = Pre(p3 ; t6 ) = Post(p3 ; t6 ) = 1. Place p8 contains initially one token. We assume that transition t6 is a timed transition with a very long delay and resampling enabling policy, thus it will re only if no other transition is enabled. If t6 res, then the observer, regardless of its previous marking, reconstructs the marking of the machine subnet, because Pre(p1 ; t6 ) = Pre(p3 ; t6 ) = 1. The reachability graph of the closed loop plant/observer with time-out t6 is not blocking and is similar to the graph of Figure 6 for the rst case.

6.3 Third test case In a third case we considered as initial marking for the plant: M0 = [1 0 0 1 3 1 1]T . If the marking of the net is measurable, the reachability graph of the net under control is similar to that obtained in the rst case and shown in Figure 5. There are 45 reachable markings, and the net is live. If the marking of the plant is not measurable, the use of an observer in the control loop results in a blocking closed loop behaviour, as shown in the reachability graph in Figure 8. The addition of the time-out t6 improves the situation, but a second blocking occurs, as shown in the reachability graph in Figure 9. Here the blocking is due to the fact that the observer has not yet reconstructed the marking of th net associated to the routing of parts. Since there may be three parts already in the buer, transition t1 is disabled by the controller. 14

M0 M1 M2 M3 M4 M5 M6 M7 M8

: : : : : : : : :

(1 (1 (1 (1 (1 (1 (1 (1 (1

0 0 0 0 0 0 0 0 0

0 1 1 1 0 1 1 0 0

1 0 0 0 1 0 0 1 1

3 3 4 4 4 4 5 5 4

1 1 1 1 0 0 0 0 1

1 1 0 0 1 1 0 0 0

1 1 1 0 0 0 0 0 1

| | | | | | | | |

0 0 0 1 1 1 1 1 0

0 0 0 0 0 0 0 0 0

0 1 1 1 0 1 1 0 0

0 0 0 0 1 0 0 1 0

0 0 1 1 1 1 2 2 1

0 0 0 0 0 0 0 0 0

0 0 0 0 1 1 0 0 0

0 0 0 0 0 0 0 0 0

/ / / / / / / / /

1 1 1 0 0 0 0 0 1

1 0 0 0 0 0 0 0 1

5) 5) 4) 4) 3) 3) 3) 3) 4)

t4-->M1 t5-->M8 t5-->M2 t6-->M3 t3-->M4 t4-->M5 t5-->M7 t5-->M6 (no transition is enabled) t4-->M6 t4-->M2

Figure 9: Reachability graph from initial marking M0 = [1 0 0 1 3 1 1]T of the net/observer in Figure 4 under control with time-out t6 . This blocking may be recovered noting that when the the state of the machines is reconstructed, a block can occur only if M (p6 ) = M (p7 ) = 0, hence all tokens in the routing subnet must be in place p5 . This is represented by the time-out transition t7 . The reachability graph of the closed loop plant/observer with time-outs t6 ; t7 is not blocking and is similar to the graph of Figure 6 for the rst case.

7 Conclusions and future work In this paper we have discusses the problem of controlling a Petri net whose marking cannot be measured. Assuming that only the net structure of the plant is known while the initial marking is know to belong to a macromarking, it is possible to estimate the actual marking of the net based on the observation of a word of events and a special net structure, called observer net , can be used to represent the observer. The estimate generated by the observer may be used to design a state feedback controller, that ensures that the controlled system never enters a set of forbidden states. We considered a special class of speci cations that limit the weighted sum of markings in subsets of places. The use of marking estimates (as opposed to the exact knowledge of the actual marking of the plant) may cause the controlled plant to block. We showed in a detailed example how suitable time-out mechanisms may be introduced to recover from a blocking. All simulations were carried out using SmallPet, a software tool that we have developed in Smalltalk. The tool can be used for the simulation and the construction of the reachability graph of a Petri net controlled in a closed loop. The tool can make use of the actual marking of net (if it can be measured) or of the estimate computed by an observer (if the actual marking cannot be directly measured). Several extensions of this work are envisionable. In this paper we have considered generalized mutual exclusion constraints as state speci cations of the desidered controlled behavior. This class of speci cations is rich enough. However, it may be interesting to apply this approach to other classes of speci cations considered in the literature such event sequencing constraints [6]. Time-outs have been introduced with an \ad hoc" reasoning. We plan to study a general approach to automatically construct the time-out structure to associate to a given control problem (de ned by a plant, observer, controller). 15

The observer theory may also be extended to timed net. In this case, informations on the plant marking may be gather not only from the order of event occurences, but from the timing of event occurences as well.

References [1] M.S. Bazaraa, J.J. Jarvis, Linear Programming and Network Flows, John Wiley & Sons, 1977. [2] P.E. Caines, R. Greiner, S. Wang, \Dynamical Logic Observers for Finite Automata," Proc. 27th Conf. on Decision and Control (Austin, Texas), pp. 226{233, December, 1988. [3] P.E. Caines, S. Wang, \Classical and Logic Based Regulator Design and its Complexity for Partially Observed Automata," Proc. 28th Conf. on Decision and Control (Tampa, Florida), pp. 132{137, December, 1989. [4] J. Cardoso, R. Valette, D. Dubois, \Petri Nets with Uncertain Markings," Advances in Petri Nets 1990 , G. Rozenberg (ed.), LNCS Vol. 483, pp. 64{78, Springer-Verlag, 1991. [5] A. Fanni, A. Giua, M. Marchesi, N. Sanna, \A Petri Net Simulator Based on Object-Oriented Programming," Proc. Annual Conf. Operational Research Society of Italy AIRO (Perugia, Italy), pp. 557{560, September, 1996. [6] A. Giua, \Petri Net Techniques for Supervisory Control of Discrete Event Systems," Proc. 1st Int. Work. on Manufacturing and Petri Nets. (Osaka, Japan), pp. 1{30, June, 1996. [7] A. Giua, \Petri Net State Estimators Based on Event Observations," submitted to 36th Conf. on Decision and Control (San Diego, California), December, 1997. [8] A. Giua, F. DiCesare. M. Silva, \Generalized Mutual Exclusion Constraints on Nets with Uncontrollable Transitions," Proc. 1992 IEEE Int. Conf. on Systems, Man, and Cybernetics (Chicago, Illinois), pp. 974{979, October, 1992. [9] R. Kumar, V. Garg, S.I. Markus, \Predicates and Predicate Transformers for Supervisory Control of Discrete Event Dynamical Systems," IEEE Trans. on Automatic Control , Vol. 38, No. 2, pp. 232{247, February, 1993. [10] Y. Li, W.M. Wonham, \Controllability and Observability in the State-Feedback Control of Discrete-Event Systems," Proc. 27th Conf. on Decision and Control (Austin, Texas), pp. 203{207, December, 1988. [11] Y. Li, W.M. Wonham, \Control of Vector Discrete-Event Systems | Part I: The Base Model," IEEE Trans. on Automatic Control , Vol. 38, No. 8, pp. 1215{1227, August, 1993. [12] Y. Li, W.M. Wonham, \Control of Vector Discrete-Event Systems | Part II: Controller Synthesis," IEEE Trans. on Automatic Control , Vol. 39, No. 3, pp. 512{531, March, 1994. [13] T. Murata, \Petri Nets: Properties, Analysis and Applications," Proceedings IEEE , Vol. PROC77, No. 4, pp. 541{580, April, 1989. [14] S. Takai, T. Ushio, S. Kodama, \Static-State Feedback Control of Discrete-Event Systems Under Partial Observation," IEEE Trans. Automatic Control , Vol. 40. No. 11, pp. 1950{1955, November, 1995. [15] K. Yamalidou, J.O. Moody, M.D. Lemmon, P.J. Antsaklis, \Feedback Control of Petri Nets Based on Place Invariants," Automatica, Vol. 32. No. 1, 1996. 16