Integrated Fault Diagnosis Based on Petri Net Models

Transcription

1 16th IEEE International Conference on Control Applications Part of IEEE Multi-conference on Systems and Control Singapore, 1-3 October 2007 TuC05.3 Integrated Fault Diagnosis Based on Petri Net Models Manuel Manyari-Rivera, João Carlos Basilio, Amit Bhaya Abstract This paper extends an existing sensor mapping procedure, defines compatibility of models and proposes an integrated methodology based on existing methodologies for the construction of diagnosers for discrete ent systems modeled by Petri Nets. An industrial application is used as a case study to illustrate the theoretical results of the paper. I. INTRODUCTION Modern industrial production systems and process control possess significant complexity in modeling analysis, reliability and planning, so that it is important to take appropriate decisions in order to maintain them in safe operation. Online fault diagnosis and isolation systems aim at determining the fault type, size, location and time of occurrence. Recent research in this area includes the study of quantitative and qualitative methods using analytical redundancy, fault tree methods, expert systems, methods based on statistical hypothesis testing and signature analysis, and discrete ent systems (DES) approaches (see [1] and the references therein). This last approach makes possible to represent a wide variety of industrial applications, since, to some lel of abstraction, any continuous-variable dynamical system can be viewed as a DES. In [2], [3], Sampath et. al. introduce the definition of language diagnosability and present a necessary and sufficient condition for diagnosability, namely that, a language L is diagnosable if and only if its diagnoser has no indeterminate cycles (cycles with states labeled with both faulty and nonfaulty ents). It is assumed in [2], [3] that the DES is modeled as a finite state automaton. Another approach is to model DES using Petri nets. A Petri net is a tool that can be used both to describe and study systems modeled as concurrent, asynchronous, distributed, parallel and stochastic [5], [6]. Ushio et. al. [7] consider some extensions of Sampath s work for systems modeled by Petri nets with an infinite number of reachable markings. Wen and Jeng [8] continue the study presented in [7] and consider an approach to verify diagnosability based on the structural properties of the diagnoser; in [7], [8] it was assumed that some places were observable and that all transitions were unobservable. More recently [11], an algebraic approach has been deloped to build an automaton to be used as a diagnoser of Petri nets, without considering the construction of models, and, in [10], a distributed algorithm The authors gratefully acknowledge the support of the Brazilian Research Councils (CNPq, CAPES and FAPERJ) M. Manyari-Rivera, J. C. Basilio and A. Bhaya are with the Dept. of Electrical Engineering, Federal University of Rio de Janeiro, PEE/COPPE/UFRJ. PO Box 68504, Rio de Janeiro, , Brazil. manuel@vishnu.coep.ufrj.br, basilio@dee.ufrj.br, amit@nacad.ufrj.br was presented for fault detection of DES modeled by Petri nets, without studying its diagnosability properties. The focus of this paper is to extend the theory of sensor mapping given in [2], [3], to systems modeled by Petri nets, by extracting qualitative characteristics from quantitative measures, and to define the notion of compatibility of models, with the view to integrating the diagnosability study and techniques given in [2], [3], [7] for the construction of diagnosers, as well as to propose a systematic procedure for the design of automatic fault diagnosis systems for real DES, using Petri net models. It is important to remark that, in contrast to the assumptions of [7] and [8], in this paper, places and transitions can be either observable or unobservable. This assumption is more realistic, since ents are associated with transitions, and it is the latest that change the place markings (states) of the Petri net. II. MODELING OF SYSTEMS WITH PETRI NETS In this section, a few concepts on Petri nets, essential to the delopment of the paper, are riewed. A. Basic definitions and notation A Petri net N is defined by the four-tuple N = (P, T, Pre, Post), where P is the set of places, T is the set of transitions, T = T o T u, with T o and T u denoting, respectively, the set of observable and unobservable transitions, P = m, T = n, with. denoting cardinality, Pre : P T N is the input weighting function, and Post : T P N is the output weighting function. Throughout this paper I(t j ) and O(t j ) denote, respectively, the sets of input and output places of transition t j, and M(p), the number of markings in the place p (tokens in p). Therefore the marking vector M (state vector) is of the following form: M = [M(p 1 ) M(p 2 )... M(p m )] T, M N m. A Petri net N with initial marking (state) M 0 will be denoted by N, M 0. A place p s in a Petri net N, M 0 with no input transition (I(p s ) = ) and such that the initial state M 0 has one token in p s and no tokens elsewhere is called a starting place; the corresponding Petri net N, M 0 will be referred to as a Petri net with starting place [5]. A transition t j T is said to be enabled if and only if M(p) Pre(p), p I(t j ). Assume that t j is enabled in M and let M be the marking defined as: M (p) = M(p) Pre(p, t j ) + Post(t j, p). (1) Therefore, according to equation (1), the firing of t j takes M to M, being denoted as M[t j > M. Let T denote the Kleene closure of T /07/$ IEEE. 958

2 A marking M is reachable in N, M 0 if and only if there exists a sequence t T such that M 0 [t > M, and the reachable set is: R(N, M 0 ) := {M N m t T : M 0 [t > M}. B. Labeled Petri nets A labeled Petri net is a sen-tuple, N = (P, T, Pre, Post, Σ, l, M 0 ), (2) where (P, T, Pre, Post) is the Petri net graph, Σ is the set of ents, M 0 is the initial marking, and l : T Σ {ε} is the labeling function, i.e., a function that associates transitions to ents of Σ or to the empty trace ε, where ε corresponds to unobservable transitions. A transition can only be associated with a unique ent, whereas an ent may correspond to different transitions. A language generated by a labeled Petri net N, is L(N) := {l(s) Σ : s T and M 0 [s > M}, i.e. the language L(N) represents the sequences of transition labels that are obtained by all possible sequences of transition firings in N starting in M 0. M[σ > M denotes that the firing of t j, with σ = l(t j ), takes M to M. Let L(N) = L and s Σ be any given sequence. Then, the post-language of L after s, denoted by L/s, is defined as L/s = {t Σ : st L}. Note that, if s / L, then L/s =. Let Σ be given as the union of the disjoint sets Σ o and Σ uo of observable and unobservable ents, respectively, and assume that l maps T o and T uo (the sets of observable and unobservable transitions) into Σ o and Σ uo, respectively. Then, the mapping P : Σ Σ o, where (i) P(σ) = σ if σ Σ o, (ii) P(σ) = ε if σ / Σ o, and (iii) P(sσ) = P(s)P(σ), s Σ, σ Σ, is defined as the projection of the traces of Σ er Σ o. As a consequence, the inverse projection P 1 : Σ o 2Σ is defined as P 1 L (y) = {s L : P(s) = y}, where 2 Σ denotes the power set of Σ. Consider a marking M R(N, M 0 ), a transition σ that labels an ent in Σ o, a sequence of transitions u that label ents in Σ uo. Then L σ (N, M) = {s = uσ : M R(N, M 0 ), M[s > M }. The set of all markings M L σ (N, M) is called the reach of M with respect to σ and is denoted as S(M, σ). An important operation for Petri Nets is parallel composition which represents the synchronous composition of the system component models 1. III. SENSOR MAPPING IN PETRI NETS The present section gives a systematic procedure for mapping the information coming from sensors of the process into the general Petri net model of the system. The model complexity will be determined by the number of sensors used to obtain information on the system behavior. It is 1 Details of the parallel composition procedure for Petri nets are available at amit/tr_cca07.pdf therefore important to compare Petri nets, not only for the generated language, but also for the olution of its internal dynamics and the physical interpretation of these olutions. This observation leads to the definition of compatibility of Petri nets. A. Compatibility of Petri nets Definition 1: Two Petri nets N = (P, T, Pre, Post, Σ, l, M 0 ) and Ñ = ( P, T, Pre, Post, Σ, l, M 0 ) are said to be compatible from M 0 and M 0, denoted as N, M 0 = Ñ, M 0, if they satisfy the following conditions: (i) P = {p 1, p 2,..., p n } and P = P {p n+1 }; (ii) T = {t 1, t 2,..., t m } and T = T {t m+1 }; (iii) l(t) = l(t) for all t T ; (iv) M0 = [M0 T 0 k] T ; (v) there exists a transition t p T such that I(t p ) P and O(t p ) = I(t m+1 ) = {p n+1 }; and (vi) O(t m+1 ) = O(t p ) = {p i } for some p i P. The following are immediate from definition 1. Fact 1: Let L(N) = L and L(Ñ) = L and let t T denote a sequence of transitions whose last transition is t p and is such that l(t) = s L. There exists a sequence t = tt m+1 L satisfying l( t) = l(t) l(t m+1 ) = ss m+1 such that, when M 0 [t > M and M 0 [ t > M, then M = [M T 0 k ] T. Fact 2: We have that L = P Σ ( L). A physical interpretation of the compatibility of models given by Petri nets is that N represents an intermediate step in the modeling of Ñ that does not modify the state with respect to N; therefore Ñ accounts for an additional degree of abstraction, including more information in the complete model; this, in practice, allows sensors to be added to observe the system behavior, as shown in the following section. B. Sensors Mapping in Petri nets Consider the Petri net N in (2). Given a sensor set in the system, define the associated mapping as h j : M Y j, j = 1,..., S where S denotes the number of sensors and Y j denotes the set of possible outputs of the j-th sensor. In addition, define Y = S j=1 Y j, as all the possible outputs of the sensor set, and let h : M Y be the mapping of sensors in each marking, such that: h(m) = (h 1 (M), h 2 (M),, h S (M)), M R(M 0 ) We assume that two distinct transitions associated to the same ent cannot fire simultaneously. Thus, from this point onwards, either transitions or ents will be used to indicate changes of marking in Petri nets. A net Ñ = { P, T, B, w, Σ, l, M 0 } can be constructed from N according to the following procedure, which is an extension to Petri nets of the procedure proposed in [3]. Procedure 1: Let σ Σ ( σ Σ) and assume that M[σ > M ( M[ σ > M ) and M R(M 0 ). For each ent σ of Σ, a marking M R( M 0 ) and a new ent are obtained as follows: (i) if σ is observable, then define σ = σ, h(m ), and M[ σ, h(m ) > M ; the new ent σ is observable in Σ; 959

3 (ii) if σ is unobservable and h(m) = h(m ), then σ = σ and M[σ > M ; the ent σ is unobservable in Σ; (iii) If σ is unobservable and if h(m) h(m ), then create a new place p n+1 in Ñ, and replace σ with the following two ents: (a) σ, such that p n+1 O(σ), M[σ > M and (b) h(m) h(m ), such that p n+1 I( h(m) h(m ) ), M [ h(m) h(m ) > M. Note that the new net Ñ contains a composition of ents (transitions), which are observable ( σ, h(m ) and h(m) h(m ) ) and unobservable ( σ ). Furthermore, the following result can be established. Fact 3: The Petri nets Ñ, formed according to procedure 1, and N are compatible 2. IV. FAULT DIAGNOSIS The heart of a fault diagnosis system is the diagnoser. The diagnoser is an automaton which prides an estimate of the current state of the system after the occurrence of an observable ent [2]. Furthermore, the diagnoser is also used to establish a necessary and sufficient condition of language diagnosability of a system modeled by Petri nets. In this section, a basic diagnoser for a DES modeled by Petri net is proposed. This diagnoser complements the methods given by [2] and [7], and differs from that proposed in [7] since it does not make use of a cerability tree. A. Diagnosability of language generated by Petri nets Let the DES to be diagnosed be modeled by the Petri net N of (2), where L(N) = L Σ, Σ = Σ o Σ uo, with Σ o and Σ uo denoting, respectively, the set of observable and unobservable ents. In addition, let Σ f Σ uo denote the set of fault ents and partition Σ f into disjoint subset Σ fi, i = 1, 2,...,n, i.e. Σ fi Σ fj =, i j and Σ f = Σ f1 Σ f2... Σ fm, corresponding to failures of different types [3]. In order to reduce the complexity and diversity of possible models, the following assumptions are made: A.1 N is live, i.e., always exists some path such that any transition can fire from a state reached. A.2 There does not exist any infinite cycle of only unobservable ents in L. A DES modeled by a Petri net that generates a language L satisfying assumptions A.1 and A.2 is said to be diagnosable iff it is possible to infer the occurrence of a fault f i, i Σ f after a finite delay, namely, in a finite number of transition firings after the occurrence of fault f i [2]. The formal definition of language diagnosability is presented below. Definition 2: A language L is said to be diagnosable with respect to the projection P : Σ Σ o iff ( i Σ f )( n i N)[ s Σ fi ]( t L/s)[ t n i D], where the diagnosability condition D is given by w P 1 L [P(st)] Σ fi w. 2 The proofs of these facts and more details are available at amit/tr_cca07.pdf B. The diagnoser The diagnoser proposed in this paper is modeled by the following automaton: G d = (Q d, Σ o, δ d, Γ, q 0 ), where Q d is the set of reachable states, Σ o is the set of observable ents, δ d is the transition function of the diagnoser, Γ is the set of active ents for a given state, and q 0 is the initial state of the diagnoser. Let F = {F 1, F 2,...F mf } denote the fault label set, where F i denotes the occurrence of a failure belonging to set Σ fi and define the diagnoser label set as follows : = {N b } 2 F, where N b means normal behavior and F i means that a fault of type F i has occurred [7]. The initial state of a diagnoser for a DES modeled by the Petri net N, M 0 is q 0 = {(M 0, N b )} and the set of reachable states is Q d (Q d 2 R(M0) ) and is formed by elements of the following form: q d = {(M 1, l 1 ),...,(M n, l n )}, where M i R(M 0 ) and l i may be l i = {N b } or l i = {F 1, F 2,, F m }. In order to characterize the transition function δ d, it is necessary to introduce two functions: the fault label propagation function and the range function. Definition 3: Let s L σ (N, M 0 ). 1. The Fault Label Propagation function (LP) propagates the label l er s after a marking M R(N, M 0 ). LP : R(M 0 ) T {N b } if l = {N b } Σ fi s, i LP(M, l, s) = {F i } if F i l Σ fi s {F i, F j } if F i l Σ fj s 2. The Range function calculates all possible pairs (M i, l i ) of markings and labels that appear in a diagnoser state. RA : Q o Σ o Q d RA(q, σ) = (M,l) q s L σ(n,m 0) {(M[s >, LP(M, l, s)}. where M[s > denotes all transitions M R(N, M 0 ) such that M[s > M From definition 3, the transition function δ d can be defined as: δ d : Q d Σ o Q d q 2 = δ d (q 1, σ) q 2 = RA(q 1, σ). (3) Using the definitions of diagnoser state and transition function (Eq. 3), it is possible to delop a procedure for the construction of the automaton diagnoser. The procedure proposed in this paper is an extension of the algorithm presented in [2] to systems modeled by Petri nets, impring the procedure given in [7]. Procedure 2: Let q be the current state of G d, and let s = uσ, where u Σ uo and σ Σ o. The next state q of the diagnoser is calculated as follows: STEP 1 For all (M, l) q, obtain S(M, σ), the reach of M with respect to σ: STEP 2 Let (M, l ) S(M, σ). Propagate the label l in l, as follows:. 960

4 a) if l = {N b } and s contains no fault ent, then l = {N b }; c) if l = {F i } and s contains no fault ent, then l = {F i }; d) if l = {N b } and s contains fault ents from Σ fi, Σ fj, then l = {F i, F j }; e) if l = {F i, F j } and s contains fault ents from Σ fk, then l = {F i, F j, F k } STEP 3 Let q be the set of all (M, l ). Replace all (M, l i ), (M, l j ) q with (M, F i, F j ) for which F i and F j are components of l i e l j. The following properties are immediate from procedure 2: P.1 There may exist q Q d for which (M, l), (M, l ) q with l l. P.2 Let q 1, q 2 Q d and s Σ, such that (M 1, l 1 ) q 1, (M 2, l 2 ) q 2, M 1 [s > M 2, and δ d (q 1, P(s)) = q 2. If F i l 2 then F i l 1, and if N b l 2 then N b l 1. C. Necessary and sufficient condition for diagnosability In view of properties P.1 and P.2 abe, the diagnoser states can be defined as F i -certain or F i -uncertain, depending on the occurrence or not of different fault labels. Definition 4: A diagnoser state q of a diagnoser is said to be F i -certain if (M, l) q F i l, and F i -uncertain if (M, l), (M, l ) q such that F i l but F i l. Note that, according to definition 4, when the diagnoser is in a F i -certain state, it is certain about the occurrence of fault F i, i.e., if for some ent sequence s L(N) such that δ d (q 0, s) = q, then ω P 1 L (s), Σ F i ω. Hower, when the diagnoser is in an F i -uncertain state, it is no longer certain if fault F i has occurred; in this case s 1, s 2 L such that Σ fi s 1 and Σ fi s 2 satisfying P(s 1 ) = P(s 2 ) and δ d [q 0, P(s 1 )] = q. When F i -uncertain states form a closed path, they may form an F i -indeterminate cycle. An F i -indeterminate cycle is a cycle formed only by F i -uncertain states, in which there exist at least two sequences s 1, s 2 Σ for M k l and M k l with the same projection, hower, fault F i is not present in s 1 but is present in s 2. A formal definition of an F i -indeterminate cycle is given below. Definition 5: The set of F i -uncertain states q 1, q 2,..., q nl Q d is said to form an F i -indeterminate cycle [2], [3] if: 1) q 1, q 2,...,q nl form a cycle in G d i.e., δ d (q l, σ l ) = q l+1, l = 1, 2,...n l 1 and δ d (q nl, σ nl ) = q 1, where σ l Σ o, l = 1, 2,...n l ; 2) There exist (Ml k, lk l ), ( M l r, l r l ) q l, l = 1, 2,...n l, k = 1, 2,..., n k and r = 1, 2,...,n r, such that: a) F i ll k, F i l l r ; l, k, r b) The marking sequences Ml k and M l k satisfy : Ml k[σ l > Ml+1 k, l = 1, 2,...n l and k = 1, 2,..., n k, Mn k l [σ nl > M1 k, k = 1, 2,...,n k 1, and M n k n l [σ nl > M1 1. M l r[σ l > M l+1 r, l = 1, 2,...n l and r = 1, 2,..., n r, Mr nl [σ nl > M 1 r, r = 1, 2,...,n r 1, and M n nr l [σ nl > M 1 1. Virtual Sensors Fig. 1. System Real Sensors Event Generator Diagnoser Fault System Controller Basic architecture of a diagnosis system Based on the abe definition, a necessary and sufficient condition for language diagnosability can be stated. Theorem 1: [2], [7] A language L generated by the Petri net N is diagnosable if and only if the diagnoser G d of N, does not contain any F i -indeterminate cycle, F i, i Σ f. Proof: The proof is the same as that given in [2]. V. DESIGN OF FAULT DIAGNOSIS SYSTEMS In real industrial systems, it is often necessary to make use of the so-called virtual sensors, due to limitations on the number of real sensors and to delop a hybrid diagnosis approach [4]. Fig. 1 shows the basic architecture of the diagnosis scheme. The variables measured by the real sensors and those generated by the virtual sensor module together with the information prided by the system controller are sent to the ent generator, which converts this signal into recognizable ents for the diagnoser module. The diagnoser, based on an estimate of the most likely current states of the system, determines if a fault has occurred. Therefore, the design of a fault diagnosis system can be carried out in a five-stage procedure, as follows: 1. Model each system component, actuators and controllers using Petri nets with initial places. If any of these Petri net models does not have an initial place, apply the procedure given in [5] to convert the net into an equivalent one with initial place. 2. Make the parallel composition of all the individual component models obtained in the step 1 to generate the complete model (synchronous behavior) of the system. 3. Make the mapping of all the sensors present in the complete model, according to procedure 1. This implies a prious analysis of the available sensors and possible implementation of virtual sensors. 4. Construct the diagnoser according to procedure Analyze the diagnosability of the system using Theorem 1. In case the preliminary analysis concludes that the system is not diagnosable for some fault F i, return to step 1 and modify, if possible, the system component models, or return to step 2 and modify or introduce new virtual sensors. Otherwise, conclude that the system is not diagnosable with this set of installed real sensors. VI. CASE STUDY In order to illustrate the diagnosis procedure proposed in the paper, the design of a diagnoser for a prototype of part of 961

5 an Oil Production Plant in an Offshore platform will now be considered [14]. For simplicity, only the oil heating stage, of the oil-gas separation system, carried out by a heat exchanger will be considered. This stage is composed of the following elements: an actuator (valve) and a temperature controller. In addition, temperature changes caused by external disturbances, such as variations in the input oil temperature, steam flows, etc., will be considered in the model. The first step for the diagnoser design of section V is to obtain models for each element. The Petri nets for the three elements, valve, temperature disturbances and controller, are shown in Fig. 2, and are characterized as follows: 1. Valve: N v = (P v, T v, Pre v, Post v, Σ v, l, M v0 ), where P v = {V I, V C, V O, V S, V SO}, T v = {t v1, t v2,..., t v14 }, Σ v = {,, fas, sv}, l : T v Σ v = {,,,,,,,, fas, fas,,, sv, sv}, and M v0 = [ ] T. The elements of P v denote, respectively, valve in initial state, valve closed, valve open, valve stuck partially open, valve stuck completely open. The ent labels are: close valve (), open valve (), fault in air supply (fas) and stuck valve (sv). There are two possible faults that may occur: the first one, modeled by ent fas is due to lack of incoming air from the pneumatic converter and causes the valve to either stick open or closed, depending on the spring configuration (we consider the case when the valve sticks open); the second fault, modeled by ent sv, occurs when the valve sticks in an intermediate position, and is due to mechanical failure. 2. Temperature disturbances: N d = (P d, T d, Pre d, Post d, Σ d, l, M d0 ), where P d = {TI, TL, TH}, T d = {t d1, t d2,..., t d6 }, Σ v = {, }, l : T d Σ d = {,,,,, }, M d0 = [1 0 0] T. The elements of P d denote respectively, initial temperature, low temperature and high temperature, and the ent labels are temperature below set point () and temperature abe set point (). 3. Controller: N c = (P p, T p, Pre p, Post p, Σ p, l, M p0 ), where P p = {c0, c1, c2, c3}, T p = {t p1, t p2, t p3, t p4 }, Σ v = {,,, }, l : T c Σ c = {,,, }, and M c0 = [ ] T. The second step in the diagnoser design is to carry out the parallel composition of all individual components. The model that represents the complete operation of the heat exchanger is given by N = N v N d N p and is shown in Fig. 3. For the purpose of defining markings, the place set of N will be written as P = {V I, V C, V O, TI, TL, TH, c0, c1, c2, c3, VS, V SO}. Finally define the partition Σ f1 = {fas} and Σ f2 = {sv} for the fault set Σ = {fas, sv} The next step is to perform a sensor mapping. In this work, only virtual sensors will be introduced. This is motivated by the fact that en the ents and require virtual sensors to calculate the difference between the temperature values acquired by the sensors and the set point. The following information will be obtained from virtual sensors: (i) the sign of temperature change; (ii) the sign of the error between the current value of the temperature and the set-point; (iii) the absolute value of the steady-state error. The following sets of possible outputs are defined: Y 1 = {T oa, T od }, Y 2 = N v N p c2 VC TH fsa VE Fig. 2. Petri net models of valve, disturbance and controller N v,n d and N p, respectively. Fig. 3. c3 VC TH fas sv c1 TI VSC VI TI c1 c0 VO fsa VSO fas VS VI c0 sv Petri net N for the heat exchanger without sensor mapping. {Err+, Err } and Y 3 = {Err > 0, Err 0, Err 0}, where T oa and T od denote respectively, temperature increasing and decreasing, Err+ and Err denote positive and negative errors, respectively, and Err > 0, Err 0, Err 0 denote, respectively, steady-state greater than zero, much greater than zero and approximately zero. The position where the virtual sensors are to be added in the Petri net N are defined by the so-called generic markings. Generic markings are basic marking vectors which represent the reachable markings in N, the numbers represent the place markings that have to be considered for the mapping, whereas denotes the unimportant markings. It can be checked that the generic markings for N are: M a = [ ] T, M a = [ ] T, TL VO TL c3 c2 N c 962

6 TABLE I <,Tod> <,Toa> h 1 h 2 h 3 M a T oa Err Err 0 M a T od Err+ Err 0 M b T od Err Err 0 M b T oa Err+ Err 0 M c T oa Err Err 0 M c T oa/t od Err /Err+ Err > 0 M b = [ ] T, M b = [ ] T, M c = [ 0 1 0] T, and M c = [ 0 0 1] T. The mapping of sensors versus the generic markings of N is given in Table I. Using procedure 1, a new Petri net N map is obtained from N (Fig. 4). Notice that, although N, M N0 = N map, M Nmap0, the markings of N map retain the behavior information of N, since, as shown by Fact 3, N and N map are compatible. The diagnoser G Diag for N map is shown in Fig. 5, where the loops A, B, C, D and E, characterize the behaviour of the system.. It is easy to see that G Diag does not have any indeterminate cycle, and therefore the language generated by N map is diagnosable for fas (F 1 ) and sv (F 2 ). We deloped the simulation of the oil heat stage in MATLAB using Simulink and its diagnoser module using Stateflow. The simulation allows the interaction of the continuous and discrete models. We analyzed the subsystem in both normal and faulty modes (faults F 1 and F 2 ), with the presence of disturbances. The diagnoser detected and recognized the generated faults with different observation times. In general, the diagnoser is able to diagnose the occurrence of faults. Fig. 4. c3 <,Tod> VC <,Tod> <,Toa,Err-> < * YErr>> <> TH Vn1 <,Tod> <,Toa,Err-> Vn3 c1 TI VSC <,Toa> <,Tod> Vn4 < * YErr> < * YErr> VI c0 VE <,Tod,Err+> <,Toa,Err-> < * YErr>> <,Toa> Vn2 <> TL VO <,Tod,Err+> <,Toa> <,Toa> c2 <,Tod,Err+> Petri net model (N map) after the introduction of sensor mappings. VII. CONCLUSIONS We conclude that is possible to design a fault diagnosis systems of DES modeled by Petri nets, based on sub-models and iterative procedures given in this paper, that can be automated in toolboxes. This methodology, the diagnosability theory and the use of simulation tools are important for analyzing and validating a fault diagnoser, before implementation in real processes. REFERENCES [1] S. Lafortune, D. Teneketzis, M. Sampath, R. Sengupta, and K. Sinnamohideen, Failure diagnosis of dynamic systems: an approach based on discrete ent systems. Proceedings of the American Control Conference, Arlington, USA, pp , 2001 [2] M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen and D. Teneketzis, Diagnosability of discrete-ent systems, IEEE Trans. on Automatic Control, vol. 40, no. 9, 1995, pp [3] M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen and D. Teneketzis, Failure diagnosis using discrete ent models, IEEE Trans. Control Systems Technology, vol. 4, no. 2, 1996, pp [4] M. Sampath, A Hybrid Approach to Failure Diagnosis of Industrial Systems, Proc. of the American Control Conf., 2001, pp [5] J. Peterson, Petri net theory and the modeling of systems, Prentice Hall, Englewood Cliffs, NJ, [6] R. Murata, Petri nets: Properties, analysis and applications, Proceedings of the IEEE, vol. 77, no. 4, 1989, pp [7] T. Ushio, I. Onishi and K. Okuda, Fault detection based on Petri net models with faulty behaviour, IEEE Proc. of the Int. Conference on Systems, Man and Cybernetics, 1998, pp [8] Y. Wen, and M. Jeng, Diagnosability of Petri nets, IEEE Proc. of the Int. Conf. on Systems, Man and Cybernetics, 2004, pp << Y >> <Err Err M=[ ],N b < a sp,t od,e > rr- < b sp,t oa,e > rr+ M=[ ],N b <,Tod> M=[ ],N b M=[ ],F1 M=[ ],F2 M=[ ], F1 D <,Tod> M=[ ],N b M=[ ],F1 <,Tod> A < b sp,t od,err+ > M=[ ],F1 M=[ ],Nb <o v,toa> <,Toa> <Err~0Y Err>> M=[ ],F1 B M=[ ],N b M=[ ],N b <,Toa> M=[ ],N b M=[ ],F1 M=[ ],F2 C < b sp,t od,err+ > <,Toa> M=[ ],Nb <Err~0Y Err> M=[ ],F2 M=[ ],F2 <,Tod> Fig. 5. Final Diagnoser G Diag. M=[ ],F2 < a sp,t oa,e < a sp,t oa,err- > < b sp,t od,e > rr- > rr+ <,Toa> M=[ ],F2 <,Tod> <Err<< YErr> b,t od,err+ < b sp,t od,e > rr+ M=[ ],F2 M=[ ],F2 E < sp > [9] C. Reutenauer, The Mathematics of Petri nets, Prentice Hall, Paris, [10] S. Genç and S. LafortuneDistributed Diagnosis of Place-Bordered Petri Nets, IEEE Transactions on Automation Science and Engineering, vol. 4, no. 2, April 2007, pp [11] A. Giua and C. Seatzu, Fault detection for discrete ent systems using Petri nets with unobservable transitions. IEEE Proc. 44th Int. Conf. on Decision and Control and European Control Conference, Silla, Spain, 2005, pp [12] R. Isermann, Supervision fault-detection and fault-diagnosis methodsan introduction, Control Eng. Practice, vol. 5, no. 5, 1997, pp [13] C. Cassandras, S. Lafortune, Introduction to discrete ent systems, Kluwer, Massachusetts, [14] E. Kaszkurewicz, A. Bhaya and N. F. F. Ebecken, A Fault Detection and Diagnosis Module for Oil Production Plants in Offshore Platforms, Expert System with applications, vol. 12, no. 2, 1997, pp