Georg Frey ANALYSIS OF PETRI NET BASED CONTROL ALGORITHMS


Proceedings SDPS, Fifth World Conference on Integrated Design and Process Technologies, IEEE International Conference on Systems Integration, Dallas, June 2000

ABSTRACT

Petri nets (PN) have shown good properties in modeling control algorithms. However, they provide no means for modeling the connection between the algorithm and its environment. To overcome this problem, different extensions of the basic PN model have been introduced. The synchronized PN and its further extension to the interpreted PN are the most common ones. In these models, the transitions are associated with a firing condition that depends on external events. However, the notion of external events is not necessary in the description of control algorithms. Hence, in this contribution a model is used that associates transitions with firing conditions depending on external signals instead. Furthermore, the model sets output signals depending on its marking. This model is called Signal Interpreted Petri Net (SIPN).

However, the impact of such extensions on the formal analysis of the PN has to be considered. The problems arising from applying results of standard PN analysis methods to SIPN are illustrated and the source of these problems, dynamic synchronization (DS), is identified. Based on DS, necessary and sufficient conditions for the validity of PN analysis results are given. The described problems caused by DS show that an SIPN analysis based on the underlying PN is not sufficient to determine the SIPN's properties. Therefore, an algorithm for the calculation of the SIPN's reachability graph is presented and it is shown how the SIPN's properties can be determined using this reachability graph.

NOMENCLATURE

PN = Petri Net
IPN = Interpreted Petri Net
SIPN = Signal Interpreted Petri Net
DS = Dynamic Synchronization
RS = Reachability Set
RG = Reachability Graph

INTRODUCTION

Petri nets are able to express the causality as well as the concurrency of a control algorithm in a transparent way. To model non-autonomous behavior, Interpreted Petri Nets (IPN) were introduced by Moalla and König independently in the early 80s, see (König and Quäck, 1988; David and Alla, 1992). IPN are an extension of the basic Petri net framework. They are ordinary Petri nets with binary markings. Moreover, in addition to the potential of graphical representation and mathematical treatment of ordinary Petri nets, IPN allow explicit description of input/output facilities in a transparent way. Hence, IPN have been applied to logic control systems by many authors, e.g. Logic Control Interpreted Petri Nets (LCIPN) in (David and Alla, 1992; König and Quäck, 1988). In contrast to the use in (David and Alla, 1992), IPN are used very restrictively by most authors.

The dynamic behavior of the IPN used in this contribution differs in some aspects from the Logic Control IPN presented in (David and Alla, 1992). Therefore, the name SIPN is used. Originally, S stands for Steuerung, a German word which means logic control. However, it also refers to the S-identifier (from switch) used in P&ID (piping and instrumentation diagram) according to ISA S5.1 (ISA, 1984) to indicate a connection to a logic controller. In this contribution, as in (Frey and Schettler, 1998), the SIPN is referred to as Signal IPN to stress the fact that the influence of the environment on the system is based on signals instead of events as in most other models.

The paper is structured as follows. The first section presents the SIPN model in some detail. In the second section the specific dynamic behavior and the reachability problem of SIPN are described. The third section defines the properties of SIPN which are the aim of the analysis methods presented in the fourth and fifth section. The paper concludes with a summary and an outlook on open questions.

SIGNAL INTERPRETED PETRI NETS

The SIPN is presented as follows: first a formal definition is given, then the graphical representation is described. With the definition of the dynamic behavior the model is complete. To give a guideline on how to specify control algorithms with this model, the chapter closes with the introduction of logic control semantics for the SIPN.

Formal Definition

A Signal Interpreted Petri Net (SIPN) is described by a 9-tuple $SIPN = (P, T, F, m_0, I, O, \varphi, \varpi, \Omega)$ with:

- $(P, T, F, m_0)$ an ordinary PN with places $P$, transitions $T$, arcs $F$ and binary initial marking $m_0$
- $I$ a set of logical input signals
- $O$ a set of logical output signals with $I \cap O = \emptyset$
- $\varphi$ a mapping associating every transition $t_i \in T$ with a firing condition $\varphi(t_i)$ = Boolean function in $I$
- $\varpi$ a mapping associating every place $p_i \in P$ with an output $\varpi(p_i) \in \{0, 1, -\}^{|O|}$
- $\Omega$ the output function of the net, $\Omega: m \to \{-, 1, 0, c, r_0, r_1, c_0, c_1, c_{01}\}^{|O|}$

$\Omega$ is defined component-wise as m( p) 1 Ω m = = ϖ p, i = 1, ( ) ( ) O i i, p P where ($\{-, 1, 0, c, r_0, r_1, c_0, c_1, c_{01}\}$, ) is a commutative semi-group as defined in Table 1.

Graphical Representation

In a similar way to PN, places of SIPN are represented by circles, transitions by bars, the flow relation by arcs and the tokens by dots in the circle of the corresponding place. In addition to this basic representation, the transitions of SIPN are labeled with the corresponding firing condition and the places are labeled with their output. Given larger numbers of output signals it is convenient to represent the output not in the vectorial form but by explicitly specifying the influence on variables, e.g. if $I = \{e_1, \dots, e_{100}\}$ then $\varpi(p_i)$: $e_1 := 1$; $e_3 := 0$ is better than $\varpi(p_i) = \{1, -, 0, -, \dots, -\}$.

Dynamic behavior

The dynamic behavior of an SIPN is given by the movement or flow of tokens through the net, i.e. the change of its marking. This flow is realized by the firing of transitions.
The firing of a transition $t_i$ removes a token from each of its pre-places (places $p_j$ with $(p_j, t_i) \in F$) and puts a token on each of its post-places (places $p_j$ with $(t_i, p_j) \in F$). For the firing process there are several rules.

1. A transition is enabled if all its pre-places are marked and the firing doesn't result in more than one token in any of its post-places. This is the safe enabling rule, whereas the general enabling rule used in PN theory doesn't check the post-places.
2. A transition fires immediately if it is enabled and its firing condition is fulfilled.
3. All fireable transitions that are not in conflict fire simultaneously.
4. The firing process is iterated until a stable marking is reached (i.e. until no transition can fire anymore). Since firing of a transition is supposed to take no time, iterated firing is interpreted as simultaneous.
5. After a new stable marking is reached, the output signals are recalculated by applying $\Omega$ to the marking.

Based on these rules the transitions that can fire in a given situation are detected and the next marking is calculated.

Logic Control Semantics

Some demands in SIPN analysis get more intuitive if the semantics of the model is clear. Hence, in the following, places and transitions get a meaning:

Places in an SIPN mean situations. A situation is a local state of the controller. A situation can be active or non-active. While a situation is active it can influence the controller's environment, i.e. setting actuator signals in the process or input signals in other control algorithms via a corresponding output function.

Transitions specify under what circumstances a situation ends and a new situation gets active. The firing condition of the transition specifies when the change of situations is allowed to happen.

With this semantics it is clear that the firing of transitions can take no time. If the switch from one set of situations to another one would take time, then there would be an intermediate situation.
The correspondence of places to situations leaves a binary marking as the single meaningful marking concept for SIPN.

Relation to other models

As already indicated in the introduction, there are several other models to specify control algorithms by PN proposed in the literature. The models most closely related to the proposed SIPN are Synchronized PN introduced by Moalla et al. (1978) and LCIPN studied by König and Quäck (1988).

In Synchronized PN the firing condition depends on external events, in contrast to external signals in SIPN. The dynamic behavior differs considerably from the SIPN since the occurrence of an event cannot trigger the sequential firing of several transitions receptive to that event, and the events cannot occur simultaneously.

The presented SIPN differs only slightly from König and Quäck's model in two aspects: firstly, König and Quäck allow the direct dependence of output functions on the input signals. Secondly, they have a different definition of the output function. Moreover, the problem of DS is not addressed in their model.

REACHABILITY AND DYNAMIC SYNCHRONIZATION

Reachability

A marking $m'$ is said to be reachable from a state $m$ if there exists a combination of input signals such that a firing sequence starting from $m$ has $m'$ as stable final marking.

Reachability set (RS): The reachability set of an SIPN is the set of all markings reachable from $m_0$.
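
The firing rules and the reachability definition above can be exercised directly by enumerating all input combinations. The following is an added example, not code from the paper: it applies rules 1 to 4 to a small constructed net and compares the stable markings with the reachability set of the underlying PN. The net, the signal name i1 and all function names are assumptions made for illustration.

```python
from itertools import combinations, product

# Constructed net, not one of the paper's figures: p1 -t1-> p2 -t2-> p3 -t3-> p1.
# Markings are tuples ordered (p1, p2, p3); places are referred to by index.
INPUTS = ("i1",)
M0 = (1, 0, 0)
TRANSITIONS = {
    # name: (pre-places, post-places, firing condition over the input signals)
    "t1": ({0}, {1}, lambda s: s["i1"]),
    "t2": ({1}, {2}, lambda s: s["i1"]),
    "t3": ({2}, {0}, lambda s: not s["i1"]),
}


def safe_enabled(marking, name):
    """Rule 1: all pre-places marked and no post-place would exceed one token."""
    pre, post, _ = TRANSITIONS[name]
    return (all(marking[p] == 1 for p in pre)
            and all(marking[p] == 0 or p in pre for p in post))


def fire(marking, names):
    """Move the tokens for a group of transitions that fire simultaneously."""
    m = list(marking)
    for name in names:
        pre, post, _ = TRANSITIONS[name]
        for p in pre:
            m[p] -= 1
        for p in post:
            m[p] += 1
    return tuple(m)


def next_stable(marking, signals):
    """Rules 2 to 4: fire under constant input signals until nothing can fire."""
    fired, seen = [], {marking}
    while True:
        ready = sorted(n for n in TRANSITIONS
                       if safe_enabled(marking, n) and TRANSITIONS[n][2](signals))
        if not ready:
            return marking, tuple(fired)
        for a, b in combinations(ready, 2):
            pre_a, post_a, _ = TRANSITIONS[a]
            pre_b, post_b, _ = TRANSITIONS[b]
            if pre_a & pre_b or post_a & post_b:
                raise ValueError(f"conflict between {a} and {b} at {marking}")
        marking = fire(marking, ready)
        if marking in seen:  # markings repeat, so firing would never stop
            raise RuntimeError(f"no stable marking under {signals}")
        seen.add(marking)
        fired.extend(ready)


def sipn_reachability():
    """Stable markings reachable from M0 and the edges (m, m', fired) between them."""
    assignments = [dict(zip(INPUTS, bits))
                   for bits in product((False, True), repeat=len(INPUTS))]
    vertices, edges, todo = {M0}, set(), [M0]
    while todo:
        m = todo.pop()
        for signals in assignments:
            nxt, fired = next_stable(m, signals)
            if fired:
                edges.add((m, nxt, fired))
                if nxt not in vertices:
                    vertices.add(nxt)
                    todo.append(nxt)
    return vertices, edges


def pn_reachability_set():
    """Underlying PN: one transition at a time, firing conditions ignored."""
    seen, todo = {M0}, [M0]
    while todo:
        m = todo.pop()
        for name, (pre, _, _) in TRANSITIONS.items():
            if all(m[p] >= 1 for p in pre):  # general enabling rule
                nxt = tuple(min(x, 2) for x in fire(m, [name]))  # cap keeps the set finite
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return seen


if __name__ == "__main__":
    stable, edges = sipn_reachability()
    print("stable markings of the SIPN:", sorted(stable))
    print("edges:", sorted(edges))
    print("only in the underlying PN:", sorted(pn_reachability_set() - stable))
```

The marking (0, 1, 0) is reachable in the underlying PN but is never a stable marking of the SIPN, because t1 and t2 carry the same firing condition and fire in one step.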

Reachability graph (RG): The reachability graph is a graph $G = (V, E)$ with the reachable markings as vertices ($V = RS$ and $E \subseteq RS \times RS$). An edge $e = (v_i, v_j)$ indicates that there exists a combination of input signals such that the marking $m_j$ corresponding to $v_j$ is the next stable marking reached from $m_i$ (corresponding to $v_i$). The edges are labeled with the corresponding firing conditions and the vertices are labeled with the marking and the output of the net (cf. Figure 2).

The example in Figure 2 shows that there is an effect in SIPN not known in ordinary PN: several transitions fire simultaneously. This effect is defined in (Frey and Schettler, 1998) as dynamic synchronization.

Dynamic Synchronization

Two transitions $t_1$ and $t_2$ form a (weak) dynamic synchronization if a reachable marking exists such that the firing of $t_1$ implies the simultaneous firing of $t_2$ for (at least one of) all combinations of input signals.

With DS, the algorithm jumps from a state to another state without passing through the intermediate states. Hence, states reachable in the underlying PN are not part of the reachability set (RS) of the SIPN. With weak DS the algorithm jumps for some combinations of input signals and proceeds normally for others. This introduces shortcuts (additional arcs) in the reachability graph of the SIPN that are not part of the underlying PN's RG.

From this definition the following conclusions for $RS_{SIPN}$ and $RG_{SIPN}$ can be drawn:

- (strong) DS: $RS_{SIPN} \subset RS_{PN}$
- weak DS: $RS_{SIPN} = RS_{PN}$ and $RG_{SIPN} \supset RG_{PN}$
- no DS: $RS_{SIPN} = RS_{PN}$ and $RG_{SIPN} = RG_{PN}$

SIPN ANALYSIS

Frey and Litz (1998) describe a method to analyze SIPN based on coupling the control algorithm to a model of the process under control. However, there are two arguments against this model-based analysis:

1. In industrial applications a process model is seldom at hand. Moreover, in many cases the building of a model is too time-consuming and hence too expensive.
2. Some of the analyzed criteria are essential for the correct functioning of the controller. By analysis in combination with a process model, the correct behavior can only be guaranteed for the behavior specified in the process model. Unexpected process behavior, e.g. caused by some mechanical defect or failure, leads to an undetected malfunction of the controller.

For these reasons Frey and Schettler (1998) proposed that basic properties of an SIPN should hold for arbitrary sequences of input signals. With this approach no process model is needed, and an algorithm that fulfils the criteria exhibits robustness in case of unexpected process behavior.

In general there are four different types of properties that can be checked by SIPN analysis. They are related to the reachability set or the reachability graph of the net:

- $\exists m$: con. There exists a reachable marking $m \in RS_{SIPN}$ such that con holds.
- $\forall m$: con. con holds for all markings $m \in RS_{SIPN}$.
- $\exists p$: con. There is a path $p \in RG_{SIPN}$ such that con holds.
- $\forall p$: con. con holds for every path $p \in RG_{SIPN}$.

Methods to check these criteria for PN are well known. The question is whether the results derived by checking a property in the underlying PN are valid for the SIPN. The answer for the basic properties can directly be derived from the definition of DS in the previous chapter and is summed up in Table 2, where n (s) means that the validity of a property in the underlying PN is necessary (sufficient) for its validity in the SIPN.

Basic PN Properties adapted to SIPN

Some basic properties of a PN defined in PN theory are of special interest in SIPN. In the following these properties are redefined in the SIPN framework and their relevance for controller analysis is described.

Safety: Safety means that the number of tokens in a place does not exceed one. In this sense an SIPN is a priori safe due to its firing rule. However, it is worthwhile to check the behavior of the net neglecting the safe enabling rule (i.e. checking only the pre-places of a transition). Taking into account the given semantics, if an SIPN is not safe, non-causal behavior is implied: the transition from an actual situation to the next situation depends not only on the actual situation and the actual values of the input signals but also on the next (future) situation. In addition to this somewhat philosophical demand for safety in the PN sense there is also a very practical reason: the implementation of SIPN on a PLC using standard PLC programming languages results in considerably more compact and faster code if the SIPN is safe, since the marking of a transition's post-places need not be checked in order to derive if it can fire. Note that safety is no condition for correctness. An algorithm may be unsafe but correct. However, safety is a criterion for transparency, see Frey and Litz (1999).

A place $p_i$ in an SIPN is said to be safe w.r.t. an initial marking $m_0$ iff the number of tokens on $p_i$ does not exceed one in all markings reachable from $m_0$ and in all intermediate unstable markings. An SIPN is said to be safe iff all its places are safe.

Liveness: Liveness means that a transition can always fire again. When a transition or a set of transitions is no longer fireable, then part of the control algorithm doesn't work anymore. In this case there is an error in the design of the control algorithm that has to be corrected.

A transition $t_i$ in an SIPN is said to be live w.r.t. an initial marking $m_0$ if for every marking $m_i$ reachable from $m_0$ a firing sequence from $m_i$ exists which contains transition $t_i$. An SIPN is said to be live iff all its transitions are live.

Reversibility: Reversibility means that the initial marking can always be reached again. Reversibility of an SIPN guarantees that the described controller reaches its initial state again. One problem in the design of logic controllers is the handling of erroneous process behavior. In most industrial controllers routines for error recovery are considerably more extensive than the control routine as such. Following Desrochers and Al-Jaar (1994), reversibility of a Petri net that is used to model an (assembly) operation along with feasible recovery schemes implies that automatic error recovery is possible.

An SIPN is said to be reversible w.r.t. an initial marking $m_0$ iff from every reachable marking $m$ a firing sequence exists which reaches $m_0$ as a final stable marking.

Specific properties of SIPN

The analysis of SIPN covers four additional criteria, which are defined in the following.

Determinism: There must be no conflicts during control operation. If the control algorithm was not deterministic, implementational aspects would determine the behavior of the controller. This could not be the aim of a correct design.

Termination: In a cyclic logic control algorithm, at least one marking must be stable. A cycle without a stable marking would lead to an algorithm that does not terminate.

Output-Correctness: The output signals have to be formally correct, i.e. 0 or 1 at every stage of the algorithm. In an SIPN, there could be several tokens activating different actions. This could lead to contradictory outputs. Another possible error is the lack of a specification for the value of an output at a marking. In this case the behaviour of the controller depends on its implementation. In an implemented controller there is no don't care. No malfunction but a lack in transparency is caused by redundant output information. A trivial output, i.e. an output that is set to the same value at every reachable marking, implies a possible design error. Therefore, the absence of trivial outputs is no criterion for correctness but for transparency.

Input-Dependence: Every input signal should have an influence on the behavior of the control algorithm.
It is a possible design error if the controller's behavior is independent of an input signal (trivial input). Hence, input-dependence is no criterion for correctness but for transparency.

GRAPH-BASED ANALYSIS

As already indicated, in most cases the reachability graph of an SIPN ($RG_{SIPN}$) differs from the reachability graph of the underlying PN ($RG_{PN}$). Hence, to perform graph-based analysis an algorithm that finds $RG_{SIPN}$ has to be developed. Basically there are two approaches to find $RG_{SIPN}$:

1. Direct approach: Starting from the SIPN's initial marking, the following markings are generated by evaluating the SIPN's firing rules for all possible combinations of input signals.
2. Two-steps approach: In a first step $RG_{PN}$ is generated. In this step an upper bound of two for all markings can be applied, since SIPN analysis is interested in safety but not in k-boundedness with k greater than one. The second step generates $RG_{SIPN}$ based on $RG_{PN}$ and the firing conditions of the SIPN.

The two-steps approach has two main advantages:

1. The intermediately generated $RG_{PN}$ can be used for some analysis problems.
2. The method shows whether the two reachability graphs differ in a given case. This allows one to determine if the net exhibits DS, which in turn allows one to draw important conclusions for the following analysis.

The algorithm to build $RG_{SIPN}$ based on $RG_{PN}$ compares the firing conditions of all combinations of two edges $e_i$ and $e_k$ that share a common vertex, $e_i = (v_a, v_b)$ and $e_k = (v_b, v_c)$. If the two conditions are not disjoint, a dynamic synchronization is found. To account for the DS a new edge is added to the graph. This edge $e_i e_k = (v_a, v_c)$ is the merger of the two original edges and its firing condition is the Boolean conjunction of the two original firing conditions, $\varphi(e_i e_k) = \varphi(e_i) \wedge \varphi(e_k)$. If there is already an edge $e_n = (v_a, v_c)$ in the graph then both edges are combined to $e_i e_k e_n$ with ϕ(e_i e_k e_n) = ϕ(e_i) ϕ(e_k) ϕ(e_n).
The firing condition of the first edge in the comparison is replaced by a conjunction of itself and the negation of the second firing condition, $\varphi(e_i) := \varphi(e_i) \wedge \neg\varphi(e_k)$. If the new $\varphi(e_i)$ is a contradiction ($\varphi(e_i) = 0$), the dynamic synchronization is strong and the edge is removed from the graph. This removal can result in a vertex without edges directed to it. This vertex corresponds to a state that is not reachable in the SIPN and can be removed together with all its outgoing edges and, of course, all vertices that can only be reached from the removed one together with their outgoing edges, in a recursive manner. The new edges have to be included in this process in an iterative manner, until no new edges are produced anymore.

Some extensions to this algorithm have to be made to account for special cases:

1. The vertex corresponding to the initial marking is not removed even if there are no edges directed to it, because the initial marking is always reachable.
2. Edges that are self-loops are not used in the process.
3. Two edges that share a common vertex corresponding to an unsafe marking are excluded from the process.
4. The removal of vertices includes those that are only reachable by themselves.

Analysis of the underlying PN's RG

The basic properties are also defined for ordinary PN. With the results on DS presented above, it is shown how these properties are related to the SIPN.

For SIPN without strong DS (weak DS is allowed), safety, liveness and reversibility of the underlying PN are necessary and sufficient for the corresponding properties in the SIPN.

1. Safety is clear since $RS_{SIPN} = RS_{PN}$.
2. Liveness is clear because $RG_{SIPN} \supseteq RG_{PN}$.
3. Reversibility is clear because $RG_{SIPN} \supseteq RG_{PN}$.

For SIPN with strong DS the analysis of the underlying PN gives weaker results:

1. Safety of the underlying PN is sufficient for the safety of the SIPN but not necessary. The sufficiency is clear because $RS_{SIPN} \subset RS_{PN}$. Given the safety definition for SIPN, which also demands the safeness of all transient markings, it seems that necessity also holds; this is not the case, as the counterexample in Figure 2 shows.
2. Liveness of the underlying PN is necessary but not sufficient for the liveness of the SIPN. It is necessary since DS may induce additional arcs in the RG, but these arcs are always combinations of existing ones. Therefore a transition which is not part of a cycle in the PN cannot be part of an SIPN cycle. It is not sufficient because arcs originating in an unstable marking in a DS are deleted in $RG_{SIPN}$, resulting in the death of the corresponding transition. In the example depicted in Figure 3, transitions $t_3$ and $t_4$ are dead in the SIPN whereas the underlying PN is live.
3. Reversibility is neither necessary nor sufficient. It is not necessary since a marking $m \in RS_{PN}$ with no path back to $m_0$ may not be part of $RS_{SIPN}$. It is not sufficient in the special case that $m_0$ is not stable in the SIPN (cf. Figure 3 for an example). Hence, if $m_0$ is a stable marking of the SIPN, the reversibility of the underlying PN is sufficient for the SIPN to be reversible.

Analysis based on RG SIPN

Using the reachability graph, all the above mentioned questions arising in SIPN analysis can be answered. Graph-based analysis methods for behavioral properties known in PN such as liveness, safety and reversibility can be applied to SIPN if $RG_{SIPN}$ is used instead of $RG_{PN}$:

Safety: An SIPN is safe w.r.t. its initial marking $m_0$ if there is no node in $RG_{SIPN}$ with a component greater than one.

Liveness: An SIPN is live w.r.t. its initial marking $m_0$ iff from every node in $RG_{SIPN}$ there is a sequence of edges containing all transitions as labels.

Reversibility: An SIPN is reversible w.r.t. its initial marking $m_0$ iff every node in $RG_{SIPN}$ lies in a directed circuit containing $m_0$. A necessary and sufficient condition for reversibility is that $RG_{SIPN}$ is strongly connected.

The additional questions arising in SIPN analysis can also be decided using $RG_{SIPN}$.

Output-Correctness: To check output-correctness the calculation of the output function for all markings in $RG_{SIPN}$ is required.

Termination: Cyclic behavior without a stable marking results in a self-loop in $RG_{SIPN}$.

Determinism: Deterministic behavior is guaranteed if the firing conditions are disjoint at conjunctions of $RG_{SIPN}$.

Input-Dependence: The SIPN is independent of an input signal iff the signal is not part of any edge-label in $RG_{SIPN}$.

ALGEBRAIC ANALYSIS

In addition to graph-based analysis there are also algebraic methods for PN analysis. The algebraic analysis of PN combines structural analysis (Transition and Place-Invariants) with information about the initial marking of the net. The main advantage of algebraic analysis over graph-based methods is that the problem of state space explosion is avoided. Hence, algebraic conditions are, in most cases, easier to check for large systems.

Frey and Schettler (1998) give an algebraic criterion for the correctness of SIPN output signals. However, with DS the validity of the condition, which is based on the underlying PN, is neither necessary nor sufficient for the SIPN.

CONCLUSION

In this paper the Signal Interpreted Petri Net (SIPN) is presented. It is shown that the adaptation of results from standard PN analysis to SIPN is only possible in some restricted cases. The reason for this problem, dynamic synchronization (DS), is identified and its impact on general analysis questions is studied. The described problems lead to the description of graph-based analysis methods using the newly defined reachability graph of an SIPN instead of the reachability graph of the underlying PN.
The presentation of an example from algebraic analysis shows where the open questions with SIPN lie. Like graph-based methods, the algebraic methods highly depend on DS. However, at the moment the only method to find DS is the construction of the reachability graph. Future work will concentrate on algorithms that find DS on a structural basis, without constructing the reachability graph.

REFERENCES

David, R. and Alla, H., 1992, Petri Nets and Grafcet - Tools for Modelling Discrete Event Systems, Prentice Hall, New York, London.

Desrochers, A. A. and Al-Jaar, R. Y., 1994, Application of Petri Nets in Manufacturing systems, IEEE Press, Piscataway, USA.

Frey, G. and Litz, L., 1998, Verification and Validation of Control Algorithms by Coupling of Interpreted Petri Nets, Proceedings of the IEEE conference on Systems Man and Cybernetics, SMC 98, Vol. 1, pp. 7-12.

Frey, G. and Litz, L., 1999, A measure for transparency in net based control algorithms, To appear in: Proc. of the IEEE Conf. on Systems Man and Cybernetics, 1999.

Frey, G. and Schettler, H.-G., 1998, Algebraic Analysis of Petri Net based Control Algorithms, Proc. of the IEE 4th Workshop on Discrete Event Systems, pp. 94-96.

Instrument Society of America (ISA), 1984, ANSI/ISA-Standard S5.1: Instrumentation Symbols and Identification, (Reaffirmed 1992).

König, R., Quäck, L., 1988, Petri-Netze in der Steuerungs- und Digitaltechnik, R. Oldenbourg Verlag, München, Wien. (in German).

Moalla, M., Pulou, P. and Sifakis, J., 1978, Synchronized Petri Nets: A Model for the Description of nonautonomous Systems, LNCS 64, pp. 374-384, Springer, Berlin, New York.

FIGURES

Figure 1 (panels: a) SIPN, b) RG PN, c) RG SIPN): Example for output correctness. RG PN implies that o1 is contradictory and o3 is incomplete whereas o2 is correct. However, RG SIPN shows that instead o1 and o3 are correct and o2 is trivial.

Figure 2 (panels: a) SIPN, b) RG PN, c) RG SIPN): Counter example for safety condition. The PN is not safe and not reversible whereas the SIPN is safe and reversible (both are not live).

Figure 3 (panels: a) SIPN, b) RG PN, c) RG SIPN): Example for liveness and reversibility. The PN is live and reversible whereas the SIPN is neither live nor reversible (both are safe). The behavior of the SIPN is independent of the input signal i3.

TABLES

Table 1: Definition of

        -     0     1     c     r0    r1    c0    c1    c01
-       -     0     1     c     r0    r1    c0    c1    c01
0             r0    c     c0    r0    c1    c0    c01   c01
1                   r1    c1    c0    r1    c01   c1    c01
c                         c01   c0    c1    c01   c01   c01
r0                              r0    c01   c0    c01   c01
r1                                    r1    c01   c1    c01
c0                                          c01   c01   c01
c1                                                c01   c01
c01                                                     c01

c = contradiction; r0 = redundant 0; r1 = redundant 1; c0 = contradiction and r0; c1 = contradiction and r1; c01 = contradiction, r0, r1.

Table 2: Impact of DS on analysis results

           ∃m: con    ∀m: con    ∃p: con    ∀p: con
weak DS    n & s      n & s      s          n
DS         n          s          -          -
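
The checks listed under "Analysis based on RG SIPN" can be run mechanically once the reachability graph is available. The following is an added example, not code from the paper: the graph is constructed for illustration (the markings, the transition names t1 to t6 and the signals i1 to i3 are assumptions), and every edge carries the transitions fired on it and its firing condition.

```python
from itertools import product

INPUTS = ("i1", "i2", "i3")
TRANSITIONS = {"t1", "t2", "t3", "t4", "t5", "t6"}
M0, M2 = (1, 0, 0, 0, 0), (0, 0, 1, 0, 0)
M3, M4 = (0, 0, 0, 1, 0), (0, 0, 0, 0, 1)

# Constructed reachability graph of an SIPN (not taken from the paper's figures).
# Edge layout: (source marking, target marking, transitions fired, firing condition).
EDGES = [
    (M0, M2, ("t1", "t2"), lambda s: s["i1"]),  # merged edge, as produced by a DS
    (M2, M3, ("t4",), lambda s: not s["i1"] and not s["i2"]),
    (M2, M4, ("t3",), lambda s: not s["i1"]),  # overlaps with the t4 condition
    (M3, M2, ("t5",), lambda s: s["i1"]),
    (M4, M2, ("t6",), lambda s: s["i1"]),
]
ASSIGNMENTS = [dict(zip(INPUTS, bits))
               for bits in product((False, True), repeat=len(INPUTS))]


def reachable_from(node):
    """All nodes reachable from node along directed edges, node included."""
    seen, todo = {node}, [node]
    while todo:
        cur = todo.pop()
        for src, dst, _, _ in EDGES:
            if src == cur and dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return seen


def is_safe():
    """Safety: no node has a marking component greater than one."""
    return all(max(m) <= 1 for m in reachable_from(M0))


def is_reversible():
    """Reversibility: the initial marking can be reached again from every node."""
    return all(M0 in reachable_from(m) for m in reachable_from(M0))


def non_live_transitions():
    """Transitions that can never fire again from at least one node."""
    dead = set()
    for m in reachable_from(M0):
        region = reachable_from(m)
        can_fire = {t for src, _, fired, _ in EDGES if src in region for t in fired}
        dead |= TRANSITIONS - can_fire
    return dead


def nondeterministic_nodes():
    """Nodes where two outgoing firing conditions hold for the same inputs."""
    bad = set()
    for m in reachable_from(M0):
        conditions = [cond for src, _, _, cond in EDGES if src == m]
        if any(sum(bool(c(s)) for c in conditions) > 1 for s in ASSIGNMENTS):
            bad.add(m)
    return bad


def trivial_inputs():
    """Input signals whose value never changes the result of any edge condition."""
    trivial = []
    for name in INPUTS:
        matters = any(cond(s) != cond({**s, name: not s[name]})
                      for _, _, _, cond in EDGES for s in ASSIGNMENTS)
        if not matters:
            trivial.append(name)
    return trivial


if __name__ == "__main__":
    print("safe:", is_safe())
    print("reversible:", is_reversible())
    print("not live:", sorted(non_live_transitions()))
    print("non-deterministic at:", sorted(nondeterministic_nodes()))
    print("trivial inputs:", trivial_inputs())
```

Input-dependence is tested here on the truth table of each condition rather than on the text of the edge label, so a signal that is written in a label but cancels out would also be reported as trivial.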