Verification of Prognosability for Labeled Petri Nets

Transcription

1 738 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 63, NO. 6, JUNE 8 Verification of Prognosability for Labeled Petri Nets Xiang Yin, Member, IEEE Abstract This technical note is concerned with the fault prognosis problem for partially observed discrete-event systems modeled by unbounded labeled Petri nets. The goal of this problem is to predict the occurrence of each fault before its occurrence. The condition of prognosability provides the necessary and sufficient condition under which any fault can be predicted with no missed detection and no false alarm. In this technical note, we investigate the verification of prognosability for unbounded labeled Petri nets. First, we show that checking prognosability is decidable for Petri net languages. Our approach is based on a reduction from this verification problem to an existing Petri nets model checking problem. Then, we show that the complexity of this problem is EXPSPACEcomplete. Our results extend previous works on the verification of language-based prognosability from regular languages to Petri net languages. Index Terms Computational complexity, discrete-event systems (DES, fault prognosis, Petri nets. I. INTRODUCTION Fault prognosis is an important task in many safety-critical cyberphysical systems. In this problem, we want to predict the occurrences of faults and to generate corresponding fault alarms in order to protect the system. In this technical note, we are concerned with the problem of fault prognosis of discrete-event systems (DES [9]. In the context of DES, model-based fault prognosis was initially studied in [5] and [6], where a language-based condition called prognosability (or predictability was proposed. Specifically, prognosability is proposed to determine aprioriwhether or not a fault prognoser can be designed such that no false alarm, i.e., a fault is guaranteed to occur within a finite number of steps whenever a fault alarm is generated; and no missed detection, i.e., any fault will be alarmed before its occurrence. Since then, fault prognosis of DES has drawn consideration attention in the DES literature (see, e.g., [6], [], [8], [9], [4], [8], [9], [3], [3], [34], [36], [37]. For example, the notion of prognosability has been extended to decentralized systems, where the notion of coprognosability was proposed [8], [9], [36], [37]. The fault prognosis problem has also been studied in the distributed setting [9], [3], [3]. In [34], the authors investigated the enforcement of prognosability by sensor activation. The robust fault prognosis problem was studied in [8]. Finally, prognosability analysis has also been studied in timed systems [] and stochastic systems [6], [], [4]. Most of the existing works on fault prognosis of DES are based on finite-state automata models. In many concurrent systems, however, Petri nets provide a more compact and natural way for modeling DES without explicitly enumerating the entire state space. Moreover, it is well known that Petri net languages are strictly more expressive than Manuscript received July 9, 7; accepted September 3, 7. Date of publication September 6, 7; date of current version May 3, 8. Recommended by Associate Editor S. Takai. The author is with the Department of Automation, Shanghai Jiao Tong University, Shanghai 4, China ( xiangyin@umich.edu. Color versions of one or more of the figures in this paper are available online at Digital Object Identifier.9/TAC regular languages, languages generated by finite-state automata. Therefore, Petri nets can model some infinite-state systems that cannot be represented by finite-state automata, e.g, manufacturing systems with infinite buffers. Due to these advantages, in the context of Petri nets, many works have been done on the fault diagnosis problem, a problem related to the fault prognosis problem (see, e.g., [3] [5], [7], [8], [4], [7], [], [3], [6], [7]. Recently, there have been works on fault prognosis based on Petri nets [], [], where procedures for online prognosis were provided. In this technical note, we investigate the verification of prognosability in unbounded labeled Petri nets. Specifically, we follow the language-based definition of prognosability in [5] and [9] to determine aprioriwhether or not a fault can be predicted with no missed detection and with no false alarm. The main contributions of this technical note are as follows. First, we show that prognosability is decidable for labeled Petri nets by effectively reducing the prognosability verification to a model checking problem for Petri nets. In the context of unbounded Petri nets, several (undecidability results have been established for related notions. For example, it has been shown that the verification of diagnosability is decidable [35], while the verification of opacity is shown to be undecidable [3]. To the best of our knowledge, the decidability status of prognosability is still open and our result provides positive answer to this question. Second, we establish the precise computational complexity for the prognosability verification problem. Specifically, we show that checking prognosability for unbounded Petri nets is EXPSPACE-complete, i.e., exponential memory is required for this verification problem. II. PRELIMINARIES A. Petri Nets A place/transition net is defined as a 4-tuple N =(P, T, A, w, where P = {p,p,...,p n } is the set of n places, T = {t,t,..., t m } is the set of m transitions, A (P T (T P is the set of arcs, and w : A N is the weight function that assigns to each arc a nonnegative integer. For any place p P,wedenoteby p its preset, i.e., p = {t T :(t, p A}; we denote by p its postset, i.e., p = {t T :(p, t A}. For a transition t T, its preset t and its postset t are defined analogously, which are sets of places. Given a net N, a marking M is a vector M =[M (p M (p M (p n ] N n, where M (p is the number of tokens in place p P.APetri net is a -tuple N,M,whereN is a net and M N n is the initial marking. We say that transition t T is enabled at marking M if p t : M (p w(p, t. Ift is enabled, then it may fire and yield a new marking determined by M = M w(,t+w(t,. Weuse M t N to denote that transition t T is enabled at M in net N and M t N M means that firing t yields M in net N. Hereafter, we will also omit the subscript N when it is clear from the context. Let T be the set of all finite sequences of transitions including the empty transition λ, which means that no transition is fired, and, for any T,wehaveλ = λ =. We say that a sequence of transitions (or, for simplicity, a sequence = t t t k T is enabled at M IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See standards/publications/rights/index.html for more information.

2 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 63, NO. 6, JUNE t if i {,...,k} : M i t i, wherem = M and M i i Mi+, i. Similarly, we denote by M that T is enabled at M and by M M that firing yields M. Given a Petri net N,M, L(N,M denotes the set of finite sequences that can be fired from M, i.e., L(N,M ={ T : M }. For any sequence T, we denote by the set of prefixes of, i.e., = { T : T s.t. = }.Finally,wedenoteby the length of sequence. Let Σ be a finite set of alphabets (or events. A string is a finite sequence of events and we denote by Σ the set of all strings including the empty string ɛ. Alabeled Petri net is a triple N,M, L, where N,M is a Petri net and L : T Σ {ɛ} is a labeling function. That is, for any t T, L(t specifies the event that can be observed when t fires. For any transition t T,ifL(t Σ, then we say that transition t is observable; otherwise, t is unobservable. Therefore, T is partitioned as T = T o T uo,wheret o and T uo are the set of observable transitions and the set of unobservable transitions, respectively. Function L is also extended from T to T recursively by (i L(λ =ɛ ;and (ii T,t T : L(t =L(L(t. Then, the language generated by labeled Petri net N,M, L is a set of strings L(L(N,M := {L( : L(N,M }. B. Yen s Problem In this paper, we will leverage an existing path logic model checking problem for unbounded Petri nets in the literature originally studied by Yen [33]. For any sequence T and transition t T, we denote by # (t the number of times t occurs in. Then, Yen s problem is formulated as follows. Definition II. (Yen s Problem: Given a Petri net N,M, decide whether or not there exists a sequence M M k...mk Mk ( such that a predicate F (M,...,M k,,..., k holds, where F (M,...,M k,,..., k is a predicate obtained from the following syntax. The following are predicates: M i (p c, M i (p M j (p, # i (t c, # i (t c, and# i (t # j (t,wherec is an arbitrary constant. For any predicates F and F, F F and F F are also predicates. In general, Yen s problem is decidable and it is as hard as the reachability problem. Furthermore, it has been shown in [] that, when the predicate satisfies the constraint that F (M,...,M k,,..., k M M k, this problem can be solved in EXPSPACE. Hereafter, we will only use the fact that this problem is decidable and the restricted case can be solved with exponential space in the size of N and the size of the predicate. Details on how to solve this problem can be found in [] and [33]. III. PROGNOSABILITY OF LABELED PETRI NETS In the fault prognosis problem, we assume that the set of transitions is partitioned into two disjoint sets T = T F T N,whereT F denotes the set of fault transitions and T N denotes the set of nonfault transitions. For any sequence = t t t k T, with a slight abuse of notation, we write that T F if a fault transition occurs in, i.e., i {,...,k} : t i T F. As we mentioned earlier, the main purpose of the fault prognosis problem is to predict any fault correctly before its occurrence, where correctly means that In the original paper [33], it is claimed that the general case is in EXPSPACE, which is not correct as pointed out by []. Fig.. Examples of prognosability, where for each system, t f is the unique fault transition. Bold lines are used to denote observable transitions and the event associated with each observable transition denotes its observation label. (a Prognosable system. (b Nonprognosable system. any fault should be alarmed before it occurs, i.e., no missed detection; and once a fault alarm is generated, a fault is guaranteed to occur within a finite number of steps, i.e., no false alarm. In [5] and [9], the notion of prognosability (or predictability was proposed as the necessary and sufficient condition under which there exists a prognosis mechanism such that the above two requirements can be achieved. Although [5], [9] only study the verification of prognosability for regular languages, the definition of prognosability itself is applicable to any class of languages. Here, we present the definition of prognosability for Petri net languages. Definition III. (Prognosability: Let N,M, L be a labeled Petri net. We say that N,M, L is prognosable w.r.t. T F if ( α L(N,M :T F α( α : T F / ( θ L(N,M :L(θ =L( T F / θ ( K N( θγ L(N,M [ γ K T F γ]. Intuitively, prognosability can be used to determine aprioriif any fault occurrence in the system can be correctly predicted. More specifically, it requires that, for any fault sequence, it must has a nonfault prefix for which we know for sure that a fault is guaranteed to occur within a finite number of steps, i.e., a fault alarm can be correctly issued. In other words, if the system is not prognosable, then it implies that there must exist a fault sequence for which we cannot claim that the fault will occur unambiguously along its nonfault prefixes. Therefore, any fault prognosis mechanism cannot correctly predict this fault before it occurs. Remark III.: Note that here we do not assume that T F T uo, which is the (nontrivial case for the fault diagnosis problem. This is because that, in the fault prognosis problem, we are mainly interested in the behavior of the system before the occurrences of faults. Therefore, even if a fault transition is observable and can be distinguished from other nonfault transitions, it is still possible that a fault alarm cannot be issued unambiguously before it occurs. We illustrate the notion of prognosability in Petri nets by the following examples. Example III.: Let us consider labeled Petri net N,M, L shown in Fig. (a, where T o = {t,t } and T F = {f }. Also, let Σ= {a, b}, L(t =b and L(t =a. This system is prognosable, since transition t has to occur before the occurrence of fault transition f, and once t occurs, the token in place p will be consumed, i.e., the only transition can occur next is the fault transition f. Therefore, once we observe event L(t =a, which can only be generated by transition t in this example, we can claim unambiguously that the fault will occur within one step. Example III.: Let us consider labeled Petri net N,M, L shown in Fig. (b, where we have T o = {t,t },T F = {f },andσ={a}. We consider a labeling function defined by L(t =L(t =a. This system is not prognosable. To see this, let us consider fault sequence t f L(N,M. Then, for t t f : T F / t, we can find

3 74 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 63, NO. 6, JUNE 8 t L(N,M such that L(t =L(t =a and for any K N, a nonfault sequence t (t K is defined in N,M. Intuitively, the nonprognosability here can also be explained as follows. To avoid missed detection, we have to issue a fault alarm upon the occurrence of t, i.e., by observing event a. However, sequences t and t are indistinguishable and an arbitrarily long nonfault behavior can still occur after t. Therefore, this fault alarm cannot guarantee a fault to occur within a finite number of steps, i.e., it may be a false alarm. Next, we will provide a characterization of prognosability for labeled Petri nets. First, motivated by relevant notions in [9] for finite-state automata, we introduce the notions of boundary marking and nonindicator marking. Definition III.: A marking M N n is said to be a Boundary Marking if ( t f T F [M t f ]; and a NonIndicator Marking if ( K N( TN [M K]. Intuitively, a boundary marking is a marking from which a fault transition can occur immediately and a nonindicator marking is a marking from which an arbitrarily long nonfault sequence can occur. Note that, since vectors of integers form a well quasi-ordering [3], for any M, there does not exists an infinite sequence of vectors M,M,M 3,... such that M i M j for any i<j. Therefore, M is a nonindicator marking if and only if (, TN [M M M M M ]. The following result provides a characterization of prognosability in terms of boundary markings and nonindicator markings. Lemma III.: Labeled Petri net N,M, L is not prognosable w.r.t. T F, if and only if, there exist two nonfault sequences, TN such that M is a nonindicator marking, where M M ; M is a boundary marking, where M M ;and 3 L( =L(. Proof: ( Suppose that there exist two nonfault sequences, TN such that the above-mentioned conditions hold. Since M M and M is a boundary marking, we know that there exists t f t f T F such that M. Then, for any nonfault prefix of t f, say,sincel( =L(, we know that there exists a prefix of,sayθ such that L(θ =L(. SinceM M θ ( /θ and M is a nonindicator marking, where ( /θ is the sequence such that θ( /θ =, we know that ( K N( TN [M θ ( /θ K]. Overall,wehave ( t f L(N,M :T F t f ( : T F / ( θ L(N,M :L(θ =L( T F / θ ( K N( θ( /θ L(N,M [ γ K T F / γ] ( where γ =( /θ. That is, the system is not prognosable. ( Suppose that the system is not prognosable, i.e., ( α L(N,M :T F α( α : T F / ( θ L(N,M :L(θ =L( T F / θ ( K N( θγ L(N,M [ γ K T F / γ]. (3 Let α be a string satisfying (3. We take as the longest prefix of α such that T F /, i.e., t f α for some t f T F. We know that M is a boundary marking, where M M.Letθ be a nonfaulty sequence such that L(θ =L( and ( K N( θγ L(N,M [ γ K T F / γ]. By definition, we know that M is a nonindicator marking, where M θ M. Therefore, by taking = θ and =, all conditions in the lemma hold. Fig.. Petri nets N N,M and Ñ, M, L for the Petri net shown in Fig. (b. (a Petri net N N,M, L. (b Petri net Ñ, M. Finally, we denote by N N,M, L the labeled Petri net obtained by removing transitions in T F from N,M, L. Specifically, N N = (P N,T N,A N,w N,whereP N = P, A N is obtained by restricting A to domain (P T N (T N P and w N is obtained by restricting w to domain A N. This net is also referred to as the normal net hereafter. For example, for labeled Petri net N,M, L shown in Fig. (b, its normal net N N,M, L is shown in Fig. (a. For the sake of clarity, we add superscript N for each transition and each place in the normal net in order to distinguish them from transitions and places in the original net. IV. VERIFICATION OF PROGNOSABILITY In this section, we first provide a necessary and sufficient condition for prognosability in terms of a formula satisfying the syntax in Yen s problem. Then, we show that the verification of prognosability is decidable and it is in EXPSPACE. By Lemma III., to verify prognosability, it suffices to verify the existence of two observationally equivalent sequences such that one goes to a boundary marking and the other goes to a nonindicator marking. Similarly result can also be found in the fault diagnosis problem (see, e.g., [7], []. The basic idea to verify this is to use a twin-plantlike approach in order to track all pairs of sequences that look the same. However, to implement this idea, the following difficulty arises. For boundary markings, it is straightforward to obtain a closed-form representation; however, obtaining such a closed-form representation for nonindicator markings seems to be difficult. To resolve this technique challenge, we first define a new net Ñ,M, L and then use this net together with the normal net for the twin-plant construction. Let N,M, L be the labeled Petri net under consideration. We define a new labeled Petri net Ñ, M, L, whereñ =( P, T,Ã, w, as follows: P = P {pfault },wherep fault is a new place; T = T {t e : e Σ}, where each t e is a new transition; 3 Ã and w are defined by the following. a For any t T N, t and t are the same in N and p P : w(p, t =w(p, t, w(t, p =w(t, p. b For any t T F, t is the same in N and p P : w(p, t = w(p, t, while t = {p fault } with w(t, p fault =. c For any t e,e Σ, wehave t e = t e = {p fault } and w(t e, p fault = w(p fault,t e =. The initial marking is M =[M ] (we assume that the last place is p fault. The labeling function L : T Σ {ɛ} is defined by L(t if t T N L(t = ɛ if t T f. (4 e if t = t e Intuitively, for any nonfault transition, the dynamic of Ñ is consistent with N. However, for any fault transition, Ñ will send a token to a new place p fault, which denotes the occurrence of fault. For each event e Σ, a self-loop transition t e labeled with e is defined at p fault.for example, let us still consider labeled Petri net N,M, L shown in Fig. (b. Then, its corresponding net Ñ, M, L is shown in Fig. (b.

4 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 63, NO. 6, JUNE 8 74 Next, we define a new (unlabeled Petri net N,M, that synchronizes N N,M, L and Ñ, M, L based on their labeling functions. Specifically, N,M,,whereN =(P,T,A,w,isdefinedas follows: P = P N P ; T (T N {λ} ( T {λ} \{(λ, λ}; 3 A and w are defined by the following. a For any t T N and t T such that L(t = L(t Σ, we have that (t,t T with (t,t = t t and (t,t = t t.also, { wn (t,p if p P N w ((t,t,p= w(t,p if p P (5 { wn (p, t if p P N w (p, (t,t =. (6 w(p, t if p P b For any t T N such that L(t =ɛ, wehave(t, λ T with (t, λ = t and (t, λ = t. Then, for any p P N, w ((t, λ,p=w N (t,p, andw (p, (t, λ = w N (p, t. c For any t T such that L(t =ɛ, wehave(λ,t T with (λ,t = t and (λ,t = t. Then, for any p P, w ((λ,t,p= w(t,p,andw (p, (λ,t = w(p, t. 4 M, = [ ]. M M Remark IV.: The construction of N,M, follows the idea of twin-plant (or verifier net that is used in the literature for the verification of diagnosability (see, e.g., [7], [3], [35]. However, the difference here is that we need to modified one net before the construction in order capture the feature of the fault prognosis problem. Intuitively, N,M, tracks and only tracks all pairs of two sequences, one in N N and the other one in Ñ, that have the same observation. For any transition (t,t T,ift i = λ for some i, thenitmeans that its corresponding net stays silently when the other net fires an unobservable transition; if t,t λ, then it means that two nets are moved simultaneously by firing observable transitions with a same label. Then, for any sequence L(N,M,, we denote by and its first and second components, respectively. Then, we know that L( = L(. Similarly, for any two sequences L(N N,M and L(Ñ, M, such that L( = L(, then there exists a sequence L(N,M, such that its first and second components are and, respectively. Based on net N,M,,wearenowreadytopresentanecessary and sufficient condition for prognosability. Theorem IV.: Labeled Petri net N,M, L is not prognosable w.r.t. T F, if and only if, there exists a sequence M, α N M N M (7 in N =(P,T,A,w,M,, such that (M M # α (t # (t. t {λ} T F t T N ( T {λ} (8 Remark IV.: Before we formally prove the above theorem, let us first explain intuitively how it works. For a sequence in (7, since t {λ} T F # α (t, we know that a boundary marking can be reached by a prefix of the second component of α. Moreover, the last condition guarantees that is non-λ for its first component. This condition together with M M ensures that any marking reached by a prefix of the first component of α is a nonindicator marking. Therefore, the conditions in (8 essentially guarantee that there are two observationally equivalent sequences that can reach a nonindicator marking and a boundary marking, respectively, which disproves prognosability. On the other hand, suppose that the system is not prognosable, i.e., there exist a nonindicator marking M, and a boundary marking M, that can be reached by α and α, respectively, such that α and α look the same. Then, we know that M α, N M = [ ] M, M, for some α whose first and second components are α and α, respectively. Since M, is a boundary marking and any fault transition is unobservable in L, we know that M (λ,t f [ ] N M, M, for some t f T F.SinceM, = M, is a nonindicator marking, we know that can be extended from M, to obtain a covering for places in P N. Moreover, M, contains a token in p fault. Therefore, the self-loops in the form of t e can track the sequence, which contributes to the covering in N N, without changing markings in P. This yields a covering for all places in P that satisfies (8. This is also the reason why we add such self-loop transitions at place p fault in Ñ. With the above-explained intuition, we are now ready to formally prove Theorem IV.. Proof: ( Let M, α N M N M be a sequence satisfying the conditions in (8. We denote by α and α the first and the second components of α, respectively. The same for notations and. Let us consider the longest nonfault prefix of α,sayα α, i.e., α TN and α t f L(N,M for some t f T F. This means that M, α is a boundary marking, where M N M,. By the construction of N,M,, we know that L(α = L(α. Moreover, since α TN, we know that L(α =L(α. Therefore, L(α =L(α. Then, for α, there exists a nonfault sequence α α such that L(α =L(α. Moreover, since M M, we know that M, α M,,whereM NN M, (α/α NN M, NN M,.Therefore, M, is a nonindicator marking. By Lemma III., we know that the system is not prognosable. ( Suppose that system is not prognosable. By Lemma III., we know that there exist two nonfault sequences, T N such that (i M M, M is a nonindicator marking; and (ii M M, M is a boundary marking; and (iii L( =L(. First, since only contains nonfault transitions, by the definition of Ñ, we know that L(Ñ, M. Moreover, by the definition of L,we know that L( = L(. Therefore, by the property of N,M,, we know that there exists a sequence α L(N,M, such that its first component is and its second component is. Moreover, since M is a boundary marking, we know that t f L(N,M for some t f T F. By the definition of L, we know that L(t f =ɛ. Therefore, by the definition of N, we know that α(ɛ, t f L(N,M,. Also, recall that M is a nonindicator marking. Therefore, there exists a nonfault sequence v TN,wherev = v v v v,andan integer k< v, such that M v...v k NN M v k +...v v NN M and M M. Then, we define a sequence in N := (v,v (v,v... ( v v,v v where for each i v,wehave { te if L(v v i i =e Σ =. ( λ if L(v i =ɛ Next, we show that α(ɛ, t f is a well-defined sequence in N,M,. Note that, since we have shown that α(ɛ, t f L(N,M,,itsuf- (9

5 74 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 63, NO. 6, JUNE 8 Let us consider the following sequence in N,M, : =:α =: {}}{ ( t N,t (λ,f {}}{ ( t N,t a }{{} =:M }{{} =:M ( Fig. 3. Petri net N,M,. fices to show that M αtf N,whereM αtf =[M M ], M Ñ t f M Ñ M. We proceed by induction on the length of. Induction Basis: Since v L(N N,M, it suffices to show that v L(Ñ, M and L(v = L(v. We consider the following two cases: v T o ; and v T uo. For Case, we have v = t e, where e = L(v. Therefore, by the definition of L, wehave L(t e = L(v =. Moreover, since M is reached after firing a fault transition t f, we know that p fault contains a token, which implies that t e L(Ñ, M. For Case, we have v = λ. Therefore, L(v = L(v =ɛ and λ L(Ñ, M. Overall, we have α(ɛ, t f (v,v L(N,M,, i.e., the induction basis holds. (v,v Induction Step: We assume that M (v i,v i αtf N and we (v,v want to show that M (v i,v i (v i +,v i + αtf N Since v v i v i+ L(N N,M, it suffices to show that v v iv i+ L(Ñ, M and L(v i+ = L(v i+. Note that in marking M αtf, place p fault contains a token and v v i does not consume token in p fault.therefore, following the same reason in the induction basis, we have α(ɛ, t f (v,v (v i,v i(v i+,v i+ L(N,M,. Let M =[M M ] and M =[M M ] be markings such that ( ( (v,v...(v k,v k M αtf N M v k +,v... v k + v,v v N M. Since v i is either a self-loop transition in the form of t e or a λ-transition, we know that M = M = M. This together with the fact that M M imply that M M. Also, we know that t T N ( T {λ} # ( ( v k +,v k +... v v,v (t = v k. v Overall, we have the following sequence in N,M, : α(λ,t f (v,v...(v k,v k M, N M ( v k +,v k +... ( v v,v v N M ( satisfying the condition in the theorem. Let us show how to use Theorem IV. to verify prognosability by the following example. Example IV.: Again, let us consider labeled Petri net N,M, L shown in Fig. (b, wheret o = {t,t } and T F = {f }.Itscorresponding net N,M, is shown in Fig. 3. As we discussed in Example III., this system is not prognosable; hereafter, we show this using Theorem IV.. where the places in each marking are ordered by {p N,p N,p,p, p fault }. Now, let us check that the above-mentioned sequence satisfies (8. Clearly, we have M 4 = M 3. Also, we know that (λ,f {λ} T F and # α ((λ,f =.For, we know that (t N,t a T N ( T {λ} and # ((t N,t a =. Therefore, we know that the sequence in ( satisfies the conditions in (8, i.e., the system is not prognosable. Note that the conditions in (8 is a valid formula in Definition II.. Moreover, it satisfies the constraint that F M M k. Since the length of the formula in (8 is a constant, by Theorem IV. and [] we have the following result immediately. Theorem IV.: Checking prognosability for labeled Petri nets is decidable. Moreover, it is in EXPSPACE. V. EXPSPACE-COMPLETENESS OF PROGNOSABILITY In the previous section, we have shown that the verification of prognosability for unbounded Petri nets can be done in EXPSPACE. However, this is still an extremely high complexity and one may ask whether or not this complexity can be further improved. In this section, we show that this complexity is actually tight, i.e., the verification of prognosability is EXPSPACE-complete. For unbounded Petri nets, it is well known that the coverability problem, stated as follows, is EXPSPACE-complete [], [5]. GIVEN: APetrinet N,M and a marking M. TO DECIDE: Whether or not there exists M M such that M M. Next, we show that checking prognosability is EXPSPACE-hard by reducing the coverability problem to the prognosability verification problem. Theorem V.: Checking prognosability for unbounded labeled Petri nets is EXPSPACE-complete. Proof: In Theorem IV., we have shown that this problem is in EXPSPACE. Therefore, it remains to show that it is also EXPSPACEhard. To this end, we use the coverability problem for the purpose of reduction. Let N =(P, T, A, w,m and M be the instance of the coverability problem. We construct a new labeled Petri net ˆN = ( ˆP, ˆT,Â, ŵ, ˆM, ˆL as follows. First, ˆP is obtained by adding two new places, p new, and p new,,top ; ˆT is obtained by adding four new transitions, ɛ,ɛ,t f,andt loop,tot.foranyt T and p P, Â and ŵ are the same as A and w. However, for the newly added transitions and places, we have the following: for each i =,, ɛ i = {p P : M (p } with p P : ŵ(p, ɛ i =M (p; andɛ i = {p new,i } with ŵ(ɛ i,p new,i =; t f = {p new, } and t f = {p new, } with ŵ(p new,,t f =ŵ(t f, p new, =; 3 t loop = t loop = {p new, } with ŵ(p new,,t loop =ŵ(t loop,p new, =. The initial marking ˆM =[M ] (we assume newly added places p new, and p new, are the last two places in the marking. Finally, the labeling function ˆL is defined by the following: the only two unobservable transitions are ɛ and ɛ; all other transitions are observable

6 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 63, NO. 6, JUNE REFERENCES Fig. 4. Suppose that, in N, we are interested in whether or not a marking M, in which each place in the red cycle contains the depicted number of tokens, can be covered. Then, a conceptual illustration of ˆN,M, ˆL is shown in the figure. with the same label a. A conceptual illustration showing the construction of ˆN is provided in Fig. 4. Intuitively, transitions ɛ and ɛ can be fired iff marking M is covered in N,M. For the above-constructed ˆN, ˆM, ˆL, now, let us assume that t f is the only fault transition we want to predict. Next, we show that M can be covered in N,M if and only if ˆN, ˆM, ˆL is not prognosable w.r.t. T F = {t f }. The if part is straightforward. Suppose that M cannot be covered in N,M. Then, by the construction of ˆN, ˆM, ˆL, we know that the only fault transition t f can never fire in ˆN, ˆM, ˆL. Therefore, ˆN, ˆM, ˆL is prognosable immediately. To see the only if part, we assume that M can be covered in N,M.Let L(N,M be a sequence such that M N M,whereM M. By the construction of ˆN, ˆM, ˆL, we know that ˆM ˆN [M ] ɛ. Therefore, we know that ˆM ˆN M ɛ and ˆM ˆN M, where M (p new, = and M (p new, =. t f Since M ˆN, we know that M is a boundary marking. Since (t loop M K ˆN for any K N, we know that M is a nonindicator marking. Moreover, ˆL(ɛ = ˆL(ɛ =a. By Lemma III., we know that ˆN, ˆM, ˆL is not prognosable w.r.t. {t f }. VI. CONCLUSION In this technical note, we presented new results for prognosability analysis of partially observed DES. A necessary and sufficient condition of prognosability for unbounded Petri nets was presented. In particular, this condition is stated in terms of a special class of formulas that can be effectively checked by existing model checking techniques. Moreover, we showed that the complexity of verifying prognosability for Petri nets is EXPSPACE-complete. This result reveals that extremely high computation complexity seems to be unavoidable in this verification problem. To mitigate the computational challenges, one possible direction is to find simple but sufficient conditions for prognosability using structural analysis. Another potential direction is to identify subclasses of Petri nets for which the necessary and sufficient condition for prognosability can be verified more efficiently. Note that the main purpose of verifying prognosability is to determine aprioriif fault can be correctly predicted. When prognosability holds, how to design an efficient online prognosis mechanism is also an interesting and important problem. In fact, some works have been done on this direction (see, e.g., [], []. Another future direction is to extend our results to the decentralized setting by considering the verification of coprognosability (see., e.g., [8], [9], [36] for the case of finite-state automata. ACKNOWLEDGMENT The author would like to thank an anonymous reviewer for bringing [] to our attention. [] R. Ammour, E. Leclercq, E. Sanlaville, and D. Lefebvre, Faults prognosis using partially observed stochastic Petri nets, in Proc. 3th Int. Workshop Discr. Event Syst., 6, pp [] M. Atig and P. Habermehl, On Yen s path logic for Petri nets, Reachability Problems. Berlin, Germany: Springer-Verlag, 9, pp [3] F. Basile, M. P. Cabasino, and C. Seatzu, State estimation and fault diagnosis of labeled time Petri net systems with unobservable transitions, IEEE Trans. Autom. Control, vol. 6, no. 4, pp , Apr. 5. [4] F. Basile, P. Chiacchio, and G. De Tommasi, On K-diagnosability of Petri nets via integer linear programming, Automatica, vol. 48, no. 9, pp ,. [5] A. Benveniste, E. Fabre, S. Haar, and C. Jard, Diagnosis of asynchronous discrete-event systems: A net unfolding approach, IEEE Trans. Autom. Control, vol. 48, no. 5, pp , May 3. [6] N. Bertrand, S. Haddad, and E. Lefaucheux, Foundation of diagnosis and predictability in probabilistic systems, in Proc. 34th IARCS Annu. Conf. Found. Softw. Technol. Theor. Comput. Sci., 4, pp [7] M. P. Cabasino, A. Giua, S. Lafortune, and C. Seatzu, A new approach for diagnosability analysis of Petri nets using verifier nets, IEEE Trans. Autom. Control, vol. 57, no., pp , Dec.. [8] M. P. Cabasino, A. Giua, and C. Seatzu, Fault detection for discrete event systems using Petri nets with unobservable transitions, Automatica, vol. 46, no. 9, pp ,. [9] C. G. Cassandras and S. Lafortune, Introduction to Discrete Event Systems, nd ed. Berlin, Germany: Springer-Verlag, 8. [] F. Cassez, A note on fault diagnosis algorithms, in Proc. 48th IEEE Conf. Decis. Control, 9, pp [] F. Cassez and A. Grastien, Predictability of event occurrences in timed systems, in Proc. th Int. Conf. Formal Model. Anal. Timed Syst.,3, pp [] J. Chen and R. Kumar, Stochastic failure prognosability of discrete event systems, IEEE Trans. Autom. Control,vol.6,no.6,pp.57 58,Jun. 5. [3] L. Dickson, Finiteness of the odd perfect and primitive abundant numbers with n distinct prime factors, Amer. J. Math.,vol. 35,no.4,pp.43 4, 93. [4] M. Dotoli, M. P. Fanti, A. M. Mangini, and W. Ukovich, On-line fault detection in discrete event systems by Petri nets and integer linear programming, Automatica, vol. 45, no., pp , 9. [5] S. Genc and S. Lafortune, Predictability of event occurrences in partiallyobserved discrete-event systems, Automatica,vol.45,no.,pp.3 3, 9. [6] T. Jéron, H. Marchand, S. Genc, and S. Lafortune, Predictability of sequence patterns in discrete event systems, in Proc. 7th IFAC World Congr., 8, pp [7] G. Jiroveanu and R. K. Boel, The diagnosability of Petri net models using minimal explanations, IEEE Trans. Autom. Control, vol. 55, no. 7, pp , Jul.. [8] A. Khoumsi and H. Chakib, Conjunctive and disjunctive architectures for decentralized prognosis of failures in discrete-event systems, IEEE Trans. Autom. Sci. Eng., vol. 9, no., pp. 4 47, Apr.. [9] R. Kumar and S. Takai, Decentralized prognosis of failures in discrete event systems, IEEE Trans. Autom. Control, vol. 55, no., pp , Jan.. [] D. Lefebvre, Fault diagnosis and prognosis with partially observed Petri nets, IEEE Trans. Syst., Man, Cybern., Syst., vol. 44, no., pp , Oct. 4. [] D. Lefebvre, On-line fault diagnosis with partially observed Petri nets, IEEE Trans. Autom. Control, vol. 59, no. 7, pp , Jul. 4. [] R. Lipton, The reachability problem requires exponential space, Dept. Comput. Sci.,, Yale Univ., New Haven, CT, Res. Rep. 6, 976. [3] A. Madalinski, F. Nouioua, and P. Dague, Diagnosability verification with Petri net unfoldings, Int. J. Knowl.-Based Intell. Eng. Syst., vol. 4, no., pp ,. [4] F. Nouioua, P. Dague, and L. Ye, Predictability in probabilistic discrete event systems, in Soft Methods for Data Science. Berlin, Germany: Springer, 7, pp [5] C. Rackoff, The covering and boundedness problems for vector addition systems, Theor. Comput. Sci., vol. 6, no., pp. 3 3, 978. [6] A. Ramírez-Treviño, E. Ruiz-Beltrán, I. Rivera-Rangel, and E. López- Mellado, Online fault diagnosis of discrete event systems: A Petri netbased approach, IEEE Trans. Autom. Sci. Eng., vol. 4, no., pp. 3 39, Jan. 7.

7 744 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 63, NO. 6, JUNE 8 [7] Y. Ru and C. N. Hadjicostis, Fault diagnosis in discrete event systems modeled by partially observed Petri nets, Discr. Event Dyn. Syst., Theor. Appl., vol. 9, no. 4, pp , 9. [8] S. Takai, Robust prognosability for a set of partially observed discrete event systems, Automatica, vol. 5, pp. 3 3, 5. [9] S. Takai and R. Kumar, Distributed failure prognosis of discrete event systems with bounded-delay communications, IEEE Trans. Autom. Control, vol. 57, no. 5, pp , May. [3] Y. Tong, Z. Li, C. Seatzu, and A. Giua, Decidability of opacity verification problems in labeled Petri net systems, Automatica, vol. 8, pp , 7. [3] L. Ye, P. Dague, and F. Nouioua, Predictability analysis of distributed discrete event systems, in Proc. 5nd IEEE Conf. Decis. Control, 3, pp [3] L. Ye, P. Dague, and F. Nouioua, A predictability algorithm for distributed discrete event systems, in Proc. Int. Conf. Formal Eng. Methods, 5, pp. 6. [33] H.-C. Yen, A unified approach for deciding the existence of certain Petri net paths, Inf. Comput., vol. 96, no., pp. 9 37, 99. [34] X. Yin and S. Lafortune, A general approach for solving dynamic sensor activation problems for a class of properties, in Proc. 54th IEEE Conf. Decis. Control, 5, pp [35] X. Yin and S. Lafortune, On the decidability and complexity of diagnosability for labeled Petri nets, IEEE Trans. Autom. Control, 7. [36] X. Yin and Z.-J. Li, Decentralized fault prognosis of discrete event systems with guaranteed performance bound, Automatica, vol. 69, pp , 6. [37] X. Yin and Z.-J. Li, Reliable decentralized fault prognosis of discreteevent systems, IEEE Trans. Syst., Man, Cybern., Syst., vol. 49, no., pp , Nov. 6.