Proceedings of the 5th IFAC Workshop on

Proceedings of the 5th

Dependable Control IFAC Workshop
of Discrete on
Systems
Proceedings
Dependable of the 5th
Control IFAC Workshop
of Discrete on
Systems
Available online at www.sciencedirect.com
May 27-29, 2015. Cancun, Mexico
Dependable Control
May 27-29, 2015. of Discrete
Cancun, MexicoSystems
May 27-29, 2015. Cancun, Mexico
ScienceDirect
IFAC-PapersOnLine 48-7 (2015) 085–090
Model repair of Time Petri Nets
Model
Model repair of
of Time Petri
Petri Nets
withrepair
temporal Time
anomalies Nets
with temporal
with temporal anomalies
anomalies
∗
F. Basile ∗ P. Chiacchio ∗ J. Coppola ∗
∗ ∗
F. Basile ∗∗ P. Chiacchio ∗∗ J. Coppola ∗∗
∗
F. Basile P. Chiacchio J. Coppola
∗
Dip. Ingegneria dell’Informazione, Ingegneria elettrica e Matematica
∗ Dip. Ingegneria dell’Informazione, Ingegneria elettrica e Matematica
∗ applicata, Univ. diIngegneria
Dip. Ingegneria dell’Informazione, Salerno, Italy.elettrica e Matematica
applicata, Univ.
(email: {fbasile,jcoppola}@unisa.it).
applicata, Univ. di
di Salerno,
Salerno, Italy.
Italy.
(email: {fbasile,jcoppola}@unisa.it).
(email: {fbasile,jcoppola}@unisa.it).
Abstract: In this paper the model repair of Time Petri net models with temporal anomalies is considered
Abstract:that
assuming In this
the paper
nominal themodel
model repair of and
Time Petri net models
timed with temporal anomalies is considered
Abstract: In this paper the modelisrepair known of TimeanPetriobserved
net models sequence
with temporal is given. The nominal
anomalies model
is considered
assuming
is updatedthat
assuming that the
online, nominal
if the durations
the nominal model is
model isofknownknown
systemand and an observed
activities change
an observed timed sequence
whilesequence
timed their initial is given.
instant
is given. The
The does nominal model
not, without
nominal model
is
is updated
updated online,
modifying if
if the
the structure
online, the of durations
the PN of
durations system
nominal
of systemmodel activities change
but just
activities while
while their
extending
change initial
the firing
their instant
initialinterval
instantof does not,
not, without
transitions. The
modifying
approach the structure
requires the of
solutionthe PN of anominal
Mixed-Integermodel but just
Linear extending
Programming. the firing interval ofdoes transitions. without
The
modifying the structure of the PN nominal model but just extending the firing interval of transitions. The
approach
approach requires
requires the solution
the solution of a Mixed-Integer
of a Mixed-Integer Linear
Linear Programming.
Programming.
© 2015, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved.
Keywords: Time Petri Nets, Discrete Event Systems, Identification, Process Mining
Keywords: Time Petri Nets, Discrete Event Systems, Identification, Process Mining
Keywords: Time Petri Nets, Discrete Event Systems, Identification, Process Mining
1. INTRODUCTION be due to different reasons: workers start handling activity dif-
1. be due
due to different reasons:
reasons: workers
degrade,start handling activity dif-
1. INTRODUCTION
INTRODUCTION ferently,
be
ferently, tosystem
different
system
components
components workers
degrade,
action
start
action
of external
handling activity
of external
agents,
dif-
agents,
etc. The occurrence of one of these
ferently, system components degrade, action of external agents, circumstances modifies
Automated modeling of discrete event processes/systems from etc. The
Automated modelingofoftheir discrete eventisprocesses/systems from the
the The occurrence
etc. system
system
dynamic asof
occurrence one
one asof
ofwell ofthe these
these circumstances
duration modifies
of the activities
circumstances modifies of
external observation behavior a challenging problem system
Automated modeling of discrete event processes/systems from the system dynamic as well as the duration of the activities dynamic
and as as well
consequence as the
the duration
nominal of the
model activities
needs of
to be
external observation of their behavior is a challenging problem of
that received a lot of attention in the last decade. This the system
modified.
external observation of their behavior is a challenging problem the system and as consequence the nominal model needs to be and as consequence the nominal model needs to be
that
has received
that been
received aa lot
addressedlot ofofbyattention
the Discrete
attention in
in the
theEventlast
last decade.
SystemsThis
decade. (DESs)
This problem
problemand modified.
has been addressed by the Discrete Event Systems (DESs) and modified.
The model repair technique has been introduced for the first
Workflow
has Management
been addressed by the Systems
Discrete communities,
Event Systems under(DESs)different
and The
Workflow
approaches Management
and names - Systems Systems communities,
DES Identification in Giuaunder Seatzu The model
different
anddifferent time in Fahland
model repair
repairand technique
and van derhas
technique Aalst been introduced
(2012). In such for
for aathe first
work,
Workflow Management
approaches and names - DES
communities,
Identification in
under
Giua and Seatzu timenew
the in Fahland
model (i.e. the derhas
van “repaired”
Aalst been(2012).
one)
introduced
is In such
obtained
thework,
first
adding
(2005), and Process mining in IEEE
approaches and names - DES Identification in Giua and Seatzu the Task Force on Process time in Fahland and van der Aalst (2012). In such a work,
one) is obtained adding
(2005),
Mining and
and Process
(2005), (2012) and van
Process mining in
in IEEE
der Aalst
mining IEEE (2014).Task Force
Force on
TaskAlthough Process
onthere
Processare new the new
new model
model (i.e.
subprocesses to the
(i.e. the “repaired”
thenominal
“repaired” model
model one) in the manner that
is obtained addingthe
Mining
several (2012)
proposed and van
approaches der Aalst
in each (2014).
community, Although much there
remainsare new
new subprocesses
resulting model
subprocesses to
fits
to the
the
the nominal
observed
nominal behavior
model in
in the
and
the manner
it is
manner as that
that the
similar
the
Mining
several (2012) and
proposed van der in
approaches Aalst
each (2014).
community, Although much there
remainsare resulting
as possible model
to thefits the
original observed
one. When behaviorthe and
nominalit is as
model similar
is a
to be done regarding the modeling of
several proposed approaches in each community, much remains logical timed discrete event resulting model fits the observed behavior and it is as similar
to be done regarding the modeling of timed discrete event as possible
PN to the the
model, original
adding one.of When
new the nominalresults
subprocesses modelinisthea
processes/systems.
to be done regarding the modeling of timed discrete event logical as possible to the original one. When the nominal model is a
processes/systems.
processes/systems. logical PN
adding PN model,
of new
model, the
the adding
transitions.
adding of
of new
Hence, newthe subprocesses
structure ofresults
subprocesses in
in the
the original
results the
The explicit consideration of time is crucial for the specification adding net is of new
changed. transitions. Hence, the structure of the original
The explicit consideration of time is crucial for the specification adding
net is of new transitions. Hence, the structure of the original
changed.
and
The the verification
explicit considerationof some ofDESs
time issuch crucialas communication
for the specification pro-
and the verification of some DESs such net ispaper
This changed.focuses on temporal anomalies for Time Petri Nets
tocols,
and the circuits,
verificationor real-time
of some systems.
DESs suchTwoas as communication
main techniques were
communication pro-
pro- This
tocols,
developed circuits,
from or real-time
Petri Nets systems.
(PNs): Two
timed main
PNs techniques
(Ramchandani, were (TPNs)
This paper
paper focuses
models.
focuses Goalon
on temporal
of this paper
temporal anomalies
anomalies is thefor Time
Time Petri
model
formodel repairNets
Petri for
Nets
tocols,
developed circuits,
from orPetri
real-time
Nets systems.
(PNs): Two main
timed PNs techniques
(Ramchandani, were timed (TPNs)DESs models.that Goal
can of this temporal
exhibit paper is the
anomalies. repair
Temporal for
1974)
developed and time
from PNs Petri(Merlin,
Nets (PNs): 1974).timed In thePNs first, a fixed firing (TPNs) models. Goal of this paper is the model repair for
(Ramchandani, timed DESs
anomalies that the
regard can exhibit temporal anomalies. Temporal
1974)
1974) and time PNs (Merlin, 1974). In the first, aa the
duration and is time PNs
associated (Merlin,
with each 1974).
transition In the first,
while, in fixed
fixed firing
second, timed DESs
firing anomalies that can duration of activities:
exhibit temporal they occur
anomalies. Temporalwhen
duration
the firing is associated
duration of with
a each
transition transition
t can while,
assume in
any the second,
value of a an execution regard
of an the duration
operation hasof a activities:
duration
anomalies regard the duration of activities: they occur when they
different occur from when
the
duration
the firing isduration
associated of with each transition
a transition t can assume while,any in the second,
value of a an execution
nominal one. Inof an
Cook operation has
et al. (2001) aaand
duration
Rogge-Soltidifferentandfrom Kasneci the
given
the interval
firing I(t).
duration an execution of an operation has duration different from the
given interval I(t). of a transition t can assume any value of a (2014) nominalmethodologies
nominal
one. In Cook ettoal.detect
one. In Cook et al.
(2001)
(2001)
and Rogge-Solti
temporal
and anomalies
Rogge-Solti
and
and haveKasneci
been
Kasneci
given interval
Process mining I(t).
aims to discover, monitor and improve real presented; (2014) methodologies
instead, in this to detect
papertemporal
a methodology anomalies have been
to modify the
Process mining aims toknowledge
discover, monitor andlogs.improve (2014) methodologies
real presented; to detect temporal anomalies have been
processes by extracting from
Process mining aims to discover, monitor and improve real nominal event An event instead,
model on thein this paper
basispaper a methodology
of theaobserved to
anomalies modify
is given.the
processes by extracting knowledge from event logs. An event presented; instead, in this methodology to modify the
log is a collection of sequential events
processes by extracting knowledge from event logs. An event The and information about nominal model on the basis of the observed anomalies is given.
log nominal model on the basis of the observed
problem of modifying the nominal model as consequence anomalies is given.
log is
the is aa collection
system; event of
collection logs
of sequential
can be events
sequential used toand
events and information
conduct
information three about
types
about The problem
the
of
the system;
process event
mining:
system;mining:event logs logs
i) can
discovery be
can be -used -usedthe to
model conduct
to conduct of the three
system
three types
types is of
The probleminof
changes ofthemodifying
system behavior
modifying the
the nominal
nominal model
has been as
as consequence
modelinvestigate
consequence in the
of process
obtained starting from i) discovery the model of the system is of
fieldchanges
of DES in the system
identification behavior
too, and has
in been investigate
particular it has in the
been
of process mining: i) event
discoverylogs,-withoutthe model any ofothertheknowledge
system is treated of changes
field of inDES in identification
the system behavior
Cabasino et al. too, and
(2014).
hasin been
In such
investigate
particular
a work, hasinbeen
itanomalies the
obtained
of the starting
system; ii)from event
conformance logs, without
checking
obtained starting from event logs, without any other knowledge treated-any
an other
existing knowledge
process field of DES identification too, and in particular it has been
of to are in
in Cabasino
called faults andet al.
al. (2014).
et the model In such
suchisaa presented
repair work,
work, anomalies as the
of the
the system;
model is compared
system; ii)
ii) conformance
with an event
conformance log of --the
checking
checking an existing
an same
existing process
process
process treated
are called
identification
Cabasino
faults
of and
the the
faulty
(2014).
model
model of
In
repair
a is
logical presented
anomalies
PN system: as the
the
model
check
model is
if compared
reality,
isreality,
compared as with
recorded an
with an in event
in
eventthe log
log,
log of of the
conforms same
the same to process
the model
process to are
to occurrence called faults and the model repair is presented as the
check
and viceif versa; as
iii) recorded
enhancement the - log,
an conforms
existing to
process the model
model identification
identification of of
of a the
faulty
the faulty
faulty model
firing sequence
model of
of a
a logical
(i.e.,
logical aPN
PN system:
sequence
system: the
that
the
check if reality, as recorded in the log, conforms to the model model cannot occurrence of a faulty
be generated by firing sequence
the nominal model(i.e.,ofa the
sequence
system)that is
and
is vice
vice versa;
andextended versa; iii)
iii) enhancement
or improved enhancement -- an
using information an existing
existingabout process
process the model
actual occurrence of a faulty firing sequence (i.e.,ofa the
sequence that
is extended or improved using information about the actual cannot
associated be generated
to the by
unobservablethe nominal
firings model
of fault system)
transitions, is
that
process recorded in some event log.
is extended or improved using information about the actual associated cannot be generated by the nominal model of the system) is
process recorded in some event log. must
associated to
to the
the unobservable
be opportunely added and firings
unobservable linked to
firings of fault
of the
fault transitions,
nominal modelthat
transitions, of
that
process recorded in some event log.
Model repair is a particular case of enhancement; it consists in must the be
system,opportunely
to obtain added
the and
faulty linked
model. to the
Hence, nominal
also in model
this case,of
must be opportunely added andmodel.
linked to the nominal model of
Model
modifying repairtheis aa particular
isnominal modelcase
caseof of
ofaa enhancement;
system as consequence it
it consists
consists of in
in the the structure
system, to obtain the faulty Hence, also in this case,
Model
modifying repairthe particular
nominal model of enhancement;
system as consequence of the system, toofobtain the nominal
the faulty model
model. is changed.
Hence, also in this case,
the occurrence of the observation
model of of discrepancies between the of the
modifying
the occurrence the nominal
ofbehavior
the observation a system
of as consequence
discrepancies between the the structure
structure from
Differently
of
of the nominal
nominal model
the Fahland model
and van
is
is changed.
changed.
der Aalst (2012) and
system nominal and the system observed
the occurrence of the observation of discrepancies between the Cabasino behavior, in
system nominal behavior and the system observed behavior, in Differentlyet al. from Fahland
(2014), this and focuses
paper van deron Aalst TPNs and (2012) and
presents
the manner
system nominalthat behavior
the modified and the model system completely
observeddescribes
behavior,the Differently from
in Cabasino Fahland and focusesvan deron Aalst (2012) and
aCabasino et al.
method etofal.model (2014), this
repair paper
that does not on TPNs
change and presents
the
the manner
observed
manner that
behavior.
that the
the modified
These
modified model
discrepancies,
model completely describes
named anomalies,
completely describes the
can
the (2014), this paper focuses TPNs the andstructure
presents
observed behavior. These discrepancies, named anomalies, can aa method method of of model
model repair repair thatthat does
does not not change
change the the structure
structure
observed behavior. These discrepancies, named anomalies, can
Copyright
2405-8963 © © 2015,
2015 IFAC
IFAC (International Federation of Automatic Control)85 Hosting by Elsevier Ltd. All rights reserved.
Copyright
Peer review©under
2015 responsibility
IFAC 85 Control.
of International Federation of Automatic
Copyright © 2015 IFAC 85
10.1016/j.ifacol.2015.06.477
DCDS 2015
86
May 27-29, 2015. Cancun, Mexico F. Basile et al. / IFAC-PapersOnLine 48-7 (2015) 085–090
of the nominal model but modifies the firing interval of the
nominal transitions. This is possible since temporal anomalies
modify the durations of system activities but do not affect their
initial instant.
Contribution of this paper is the formulation of a Mixed-
Integer Linear Programming Problem (MIPP) to repair the
given nominal TPN model of a system on the basis of an
observed timed sequence, in which temporal anomalies are
detected. Such temporal anomalies are modeled by an extension
of the firing interval of the nominal transitions, i.e. an extension
of the lower and/or upper bound of the firing time of each
nominal transition.
2. NOTIONS AND ASSUMPTIONS
2.1 Background on Petri nets
For a complete review on Petri nets the reader can refer to Mu-
rata (1989). A Place/Transition net (P/T net) is a 4-tuple N =
(P, T, Pre, Post), where P is a set of m places (represented
by circles), T is a set of n transitions (represented by boxes),
Pre : P × T → N (Post : P × T → N) is the pre (post)
incidence matrix. Pre(p, t) = w (Post(p, t) = w) means
that there is an arc with weight w from p to t (from t to p);
C = Post − Pre is the incidence matrix. A marking is a
function m : P → N that assigns to each place of a net a
nonnegative integer number of tokens, drawn as black dots. It is
useful to represent the marking of a net with a vector m ∈ Nm .
A net system S = N, m0  is a net N with an initial marking
m0 . A transition t is enabled at m iff m ≥ Pre(·, t) and this is
denoted as m[t. An enabled transition t may fire yielding the
marking m = m + C(·, t) and this is denoted as m[tm .
A firing sequence from m is a sequence of transitions
σ = t1 . . . tk such that m t1 m1 t2 m2 . . . tk mk , and
this isdenoted as m[σmk . An enabled sequence σ is denoted
as m σ, while tj ∈ σ denotes that transition tj belongs
to the sequence σ. A marking m is said to be reachable
from m0 iff there exists a sequence σ such that m0 [σm .
R(N, m0 ) denotes the set of reachable markings of the net
system N, m0 . Given a sequence σ it is denoted with |σ| its
length. The function σ : T → N, where σ(t) represents the
number of occurrences of t in σ, is called firing count vector of
the firing sequence σ. As it has been done for the marking of a
net, the firing count vector is often denoted as a vector σ ∈ Nn .
Note that, if a sequence is made up of a single transition, i.e.,
σ = tj , then the corresponding firing count vector is the j-th
canonical basis vector denoted as ej .
If m0 [σm, then it is possible to write in vector form
 
m = m0 + Post − Pre · σ = m0 + C · σ , (1)
which is called the state equation of the net system.
Definition 1. (Time Petri net system,(Seatzu et al., 2013)). Let I
be the set of closedintervals with a lower bound in Q and an
upper bound in Q ∞. A Time Petri net (TPN) system is the
triple S = N, m0 , I, where N is a standard P/T net, m0 is
the initial marking, and I : T → I is the statical firing time
interval function which assigns a firing interval [lj , uj ] to each
transition tj ∈ T .
It is assumed that there is a start-up transition that fires only
once at time zero producing tokens considered by the initial
marking. A transition tj can be fired at time τ if the time elapsed
86
from the enabling belongs to the interval I(tj ); moreover, an
enabled transition must fire if the upper bound of I(tj ) is
reached, thus enforcing urgency. 
Given a set S, |S| denotes the cardinality of S.
2.2 Assumptions
Assumption 1. (Observed system properties). The observed sys-
tem is modeled by a TPN system with the following assump-
tions
(1) Free labeled nets, i.e., there is an isomorphism between
the label set E and the transition set T . Observing the
evolution of a net, it is common to assume that to each
transition t is assigned a label, and the firing of t is an
event that generates the label as observable output. This
assumption restricts to free labeled nets the net subclass
considered in the proposed approach, but it allows to
speak of event observation as well as of firing of transi-
tions without any difference. As more it implies that the
firing of each transition can be directly observed.
(2) Single-server firing semantic (more details in Seatzu et al.
(2013)), i.e., no concurrent firings of the same transition
are possible.
(3) Enabling memory policy of timed transitions, i.e., when
a new marking is reached and a timed transition is not
enabled, the elapsed time is reset. 
For a better presentation of the approach proposed in this paper
the definition of timed firing sequence σ is needed. At this aim,
it is useful to formally represent all those transitions that fire at
the same time τq .
Definition 2. (Timed firing sequence). A sequence
σ = (T1 , τ1 ) . . . (Tq , τq ) . . . (TL , τL ) ,
where Tq is the set of transitions fired at time τq and τ1 <
τ2 · · · < τL denote firing time instants is called timed firing
sequence. The position q the couple (Tq , τq ) occupies in the
sequence is called time step, so (T1 , τ1 ) is associated with step
1, (T2 , τ2 ) is associated with step 2 and so on; the number of
triples (Tq , τq ) in σ is called length L = |σ| of the timed firing
sequence.
The notation m[σm is used to denote that m is reached from
m by firing σ. 
Definition 3. (Timed Language). Given a TPN system S =
N, m0 , I, its timed language, named L(S), is defined as the
set of timed firing sequences generated by S from the initial
marking m0 . 
The marking the system reaches after the firing of all the
transitions in Tq is called mq .
This paper focuses on the context of automated manufacturing
systems, where a control architecture interacts with a plant
according to a scan time faster than the time evolution of the
system. In this context the multiple firing of a transition at the
same time has no sense. This motivates the next assumption.
Assumption 2. A transition can fire once in the same time
instant.
The set Tq is made up of nq = |Tq | transitions whose firing is
observed at the same instant τq . The firings of these transitions
are enabled either by a marking mk reached at a time τk < τq
 DCDS 2015
May 27-29, 2015. Cancun, Mexico F. Basile et al. / IFAC-PapersOnLine 48-7 (2015) 085–090 87

T
t6
t5 t5
t4
t3 T3 t4
t1, [1,3] t5, [2,2] t1, [1,3] t5, [2,2] t1, [1,3] t5, [2,2]
t2 t6
… … … … … …
t1 t3
 
t2, [1,4] t3, [1,3] t4, [0,0] t6, [0,2] t2, [1,4] t3, [1,3] t4, [0,0] t6, [0,2] t2, [1,4] t3, [1,3] t4, [0,0] t6, [0,2] τ0 τ1 τ2 τ3 τ   ≡ 
… … … m0 m1 m2 m3 m q
3 3 3

(a) (b) (c) (d) (e)

Fig. 1. (a)-(c) Evolution of the net system; (d) enabling and firing time of each transition of the net: for timed firings of transitions,
dots represent the enabling instant, the arrow points individuate the firing instant and the length of the arrows coincides with
the firing duration value; diamonds individuate enabling and firing instants for immediate firings of transitions; (e) firing
sequence for T3 .

or by the firing of another transition fired at τq with null firing of concurrent transition firings. Hence, firing of transitions in
duration. Tqim can be considered occurred in nimq substeps; each substep
Definition 4. (Firing Duration). Given a timed transition tj is denoted qs , with s ∈ [2, nim q + 1]. Finally, it holds that
fired at q-th step, enabled at k-th step, so that mk [tj , let mk  nim
+1
Tqim = s=2 q
Tqim .
be the first marking that enables tj since its previous firing, s

the function δ(tj , k, q) : T × N × N → Q returns the time As shown in Fig. 1(e), the marking reached after the firing of
elapsed from the enabling of tj at τk until its firing at τq , i.e. transitions in the last of these subsets corresponds to mq ; as
δ(tj , k, q) = τq − τk .  more the firing sequence associated to T3 = {t3 , t4 , t5 , t6 } is
shown. In detail, T3t = {t3 , t5 }, T2im = {t4 , t6 }; as more,
From now on, δ(tj , k, q) is referred as the firing duration of the
 im
T32 = t4 , T33 = t6 . In figure, triangles indicate the
im
transition tj ∈ Tq from the marking mk . When δ(tj , k, q) = 0 firing of timed transitions that leads to the reaching of the first
the firing of tj at τq is called immediate, otherwise, when marking m31 , while diamonds indicate the immediate firings
δ(tj , k, q) > 0 the firing of tj is called timed. of transitions in T3im .
Let m0 be the initial marking of the system, the set of candidate
markings for the enabling of a transition tj ∈ Tq can be 3. PROBLEM FORMULATION
    
formally defined as M(tj , q) = mk | ∃σT , σT , σ = σT σT ,
   Temporal anomalies can be modeled as an extension of the
 k [σT mq , with tj ∈ σT , k < q : τk + lj ≤ τq ≤
m0 [σT m
firing interval of the transitions. As far as the observed behavior
τk + uj , having cardinality |M(tj , q)|. of a system where temporal anomalies occur, the firing of
The set Tq can be partitioned into the couple of sets (Tqt , Tqim ): transitions at an unexpected time with respect to the model
is observed. The firing of a transition tj occurred at time τq
Tqt = {tj ∈ Tq | ∃k, mk ∈ M(tj , q)} is the set of transitions
is enabled by a marking mks reached at a time τk ≤ τq : a
fired at τq with timed firing, with cardinality ntq = |Tqt |; temporal anomaly occurs when τq is such that τq − τk ∈ / I(tj ).
q , is the set of transitions
Tqim = Tq \ Tqt , with cardinality nim In particular if τq is lower than τk + lj an early firing of tj is
fired at τq with immediate firing. observed while if it is grater than τk + uj a delayed firing of tj
The firing of transitions in the set Tqt is concurrent, however occurs.
each firing can have been enabled at a different marking. As In practice a large set of malfunctionings can be modeled as
example consider the system of Fig. 1(a)  and assume  that temporal anomalies (a slowing down of a conveyor belt speed
the sequence σ=({t1 }, τ1 ) ( t2 , τ2 ) ( t3 , t4 , t5 , t6 , τ3 ) is due to the wear, a shorter duration of a work phase due to an
observed. At step 3, on the basis of the nominal model of the incorrect handling of the operator, a casual change in a timer
system, the set T3 can be decomposed in the couple (T3t = duration, etc.) while there are some other malfunctionings, as
{t3 , t5 }, T3im = {t4 , t6 }). for example breakdowns or changes in work phase sequence,
As shown in Fig. 1(d), the firing of t5 and t3 have been enabled that cannot be modeled just extending the transition firing
at m1 (Fig. 1(b)) and m2 (Fig. 1(c)), respectively but, since the interval. To model this kind of faults, the net structure must be
firing duration of t5 from m1 is equal to 2 while δ(t3 , 2, 3) = 1, changed. However, in this paper only temporal anomalies are
their firings are observed at the same time τ3 . considered.

Denote by mq1 , the marking reached by firing of transitions
belonging to Tqt , i.e., with reference to the example of Fig. 1,
after the firing of transitions {t3 , t5 } ∈ T3t marking m31 is
reached.
On the other hand, the firing of transitions in Tqim may be
sequential as well as concurrent. Given the set of transitions
Tqim , these transitions can fire in any order, that, anyway, can
include concurrent transition firings. Denote mqs , with s ≥ 2
the marking reached after the immediate firings of transitions.
Given the firing sequence associated to the set Tqim , it can
be considered made up of the union of nimq disjoint subsets
Goal of this work is to opportunely modify the transition firing
intervals, every time that the occurrence of a temporal anomaly
is detected during the system observation, in the manner that
the obtained system is able to generate the observed language.
The approach is based on the formulation of a MIPP.
4. TEMPORAL ANOMALIES MODELING ALGORITHM
The algorithm shown in Fig. 2 describes the steps to execute to
repair the system model on the basis of the current observation.
Let N, m0 , I nom  be the nominal model of the system. Ini-
tially it is assumed that the current model of the system,

87
DCDS 2015
88
May 27-29, 2015. Cancun, Mexico F. Basile et al. / IFAC-PapersOnLine 48-7 (2015) 085–090
Start
Assume the nominal model as
the current one: S:=<N,m0,Inom>
σ:=ε
Observe a new couple (Tq,τq)
σ:= σ (Tq,τq)
Is an anomaly no
occurred?
yes
Determine the interval extension
Assume =<N,m0,Iext> as
the current model: S:=
Fig. 2. Temporal Anomalies Modeling Algorithm.
(S in Fig. 2), coincides with the nominal one (thus S =
N, m0 , I nom ). Then, the observation starts: any time a new
couple (Tq , τq ) is observed, the current timed firing sequence
σ is extended, queueing (Tq , τq ) to the previous observations σ
(initially σ = ε, i.e., it is the empty sequence).
Successively it is tested if any anomaly has occurred or not,
thus it is verified if the current model S of the system is
able to generate the observed sequence σ. If not, a temporal
anomaly has occurred for sure, so the procedure to determine
the extended firing interval starts, otherwise a new observation
starts.
The current model of the system S is repaired on the basis
of σ and the repaired model S̃ = N, m0 , I ext  is assumed
as the current model of the system: it will be used to test the
occurrence of a new anomaly.
In Subsection 4.1, it is shown how to determine if an anomalous
behavior has occurred. Logical conditions to determine the
extension of the firing time interval when an anomaly has
been detected at time τq are presented in Subsection 4.2, then
in Subsection 4.3 it is shown how these conditions can be
transformed into sets of linear constraints. Finally the MIPP
to obtain the repaired model S̃ of the system is presented in
Section 4.4.
4.1 Testing of anomalous behavior
Let S = N, m0 , I be the current model of the system, with
N = (P, T, Pre, Post), that generates the nominal language
L(S).
For each timed firing sequence σ = σprev (Tq , τq ) such that:
• σprev ∈ L(S);
• σprev is a subsequence of σ, of length q − 1;
an anomaly has occurred if σ ∈
/ L(S).
The current model of the system generates the observed behav-
ior until the step (q − 1), i.e., until the time τq−1 , and it must be
tested if an anomalous behavior has occurred at the step q, i.e.,
at time τq .
88
t1, [3,3] t2, [0,1] t1, [3,3] t2, [0,1]
(a) (b)
Fig. 3. Evolution of the net system of Example 1.
A system exhibits an anomalous behavior at time τq if some
unexpected (early as well as delayed) firings occurs at τq .
Given the observed couple (Tq , τq ), the set of fired transitions
Tq can be partitioned in 2 subsets: Tqu - the set of transitions for
which an unexpected firing occurred at time τq ; Tqn = Tq \ Tqu
- the set of transitions for which the firing at time τq is coherent
with the current model.
The set Tqu characterizes the anomalous behavior of the system
at time τq .
The firings of each transition tj ∈ Tq is enabled by a marking
mks reached at a time τk ≤ τq : if a temporal anomaly has
occurred then τq is such that τq − τk ∈
/ I(tj ). Consequently, a
transition tj belong to Tqu iif
mks = m0 + (Post − Pre) · σ ks ≥ Pre(·, tj )
  
 2.1
(2)
τ q − τk ∈/ I(tj )
2.2
where σks is the the timed firing sequence obtained terminating
σ at the substep ks and σ ks : T → N is its firing count vector,
with σ ks (tj ) the number of occurrence of tj in σks .
Hence, to test if an anomaly has occurred it is needed to
compute an enabling instant, named τk , for the firing of tj at
τq . Since σprev ∈ L(S), it is possible to compute τk , selecting
the marking mks from the set of markings candidate for the
enabling of tj by means of the Algorithm 1. When, more than
one candidate marking is obtained, Algorithm 1 will choose the
oldest one: this is coherent with the concept of urgency, stated
in Definition 1, i.e. a transition tj must fire if a time equal to its
firing interval upper bound uj is elapsed from its enabling.
Algorithm 1: Selection of mks .
Step 1: Let τprevj be the time of the last firing of tj before τq :
if it does not exist, i.e. tj fires for the first time at τq ,
then τprevj := 0;
Step 2: Collect in the set, named Men (tj , q), each marking
mks reached at a time τk such that τk ≥ τprevj and
τk : τq −τk ≤ lj , for which condition (2.1) holds. The
markings in the set Men (tj , q) are candidate markings
for the enabling of tj ∈ Tq .
Step 3: Choose mks as the oldest marking of Men (tj , q) thus
mks ∈ Men (tj , q) and ks = min∀ks s.t. mk ∈Men (tj ,q) ks .
s
The following example better clarifies as the occurrence of an
anomalous behavior is tested.
Example 1. Consider the system of Fig. 3(a) and the observed
timed firing sequence σ = σprev (Tq , τq ) such that σprev =
({t1 , t2 }, 3) and (Tq , τq ) = (T2 , τ2 ) = ({t1 }, 7). The initial
marking of the system, m0 , is the one shown in Fig. 3(a).
 DCDS 2015
May 27-29, 2015. Cancun, Mexico F. Basile et al. / IFAC-PapersOnLine 48-7 (2015) 085–090 89

To test if an anomaly has occurred at time τ2 = 7, it is necessary C1

to verify if t1 belongs to T2u , i.e., if condition 2 holds. a h1B c
Algorithm 1 is executed to compute the enabling instant of the h1A
C2 t1,[1,1.3] t3,[2,2]
firing of t1 at time τ2 : the last firing of t1 before τ2 occurs b h2B d t7,[0,0] t6,[1.7,2]
at time τ1 = 3, consequently τprev1 = 3; the set Men (t1 , 2) 1 h2A 2
is composed by the markings m11 , shown in Fig. 3(b), and 1.3 1.7 t5,[0,0]
2 3 t2,[1,1.3] t4,[3,3]
m12 , equal to m0 , since both markings satisfy condition (2.1)
and are reached at the time τ1 such that τ1 = τprev1 and, (a) (b)
τ1 < τ2 − l1 = 4, since l1 = 3; marking m0 ∈ / Men (t1 , 2)
since τ0 = 0 < τprev1 . Since step 11 precedes step 12 (see Fig. 4. (a) System of the case study: two cars going towards
Section 2.2), m11 is selected as the enabling marking of the right and returning; (b) TPN modeling the nominal behav-
firing of t1 at time τ2 , consequently τk = τ1 = 3. ior of the system.
Since τq − τk = 7 − 3 = 4 ∈ / I(t1 ), also condition (2.2) holds Proof. Proof follows from the results presented in Proposition
and hence t1 ∈ T2u , thus an unexpected firing of t1 has occurred 1. 
at time τ2 . 
4.3 Transformation of logical conditions into linear constraints
4.2 Determining of the extended firing interval
Applying the rules presented in Basile et al. (2013) the logical
conditions used in this paper are transformed into a set of
Let S = N, m0 , I be the current model of the system, with linear constraints. As for example, the logical condition (3) is
N = (P, T, Pre, Post), that generates the nominal language transformed in the following set of linear constraints
L(S).

For each timed firing sequence σ = σprev (Tq , τq ) such that:  τq − τk − uj + K1 rd > 0

 τq − τk − lj − K1 re < 0


• σ∈/ L(S); ∆uj − (τq − τk − uj ) + K1 rd ≥ 0
• σprev ∈ L(S); (5)
 ∆lj − (τk − τq + lj ) + K1 re ≥ 0
• σprev is a subsequence of σ, of length q − 1; 
 r d + re = 1


rd , re = {0, 1}
the problem is to determine the extended firing interval I ext
such that I ext (tj ) = [lj − ∆lj , uj + ∆uj ], with ∆lj ≥ 0 where K1 is a real number such that K1 > max((τq − τk −
and ∆uj ≥ 0, in the way that the resulting system S̃ = uj ), (τk − τq + lj )), and rd (re ) is a boolean dummy variable
N, m0 , I ext  generates the language L(S̃) that includes σ. such that when rd = 1 (re = 1) the first and third (second
and fourth) equations of (5) are redundant. As more, the fifth
Notice that L(S̃) ⊇ L(S), since the net structure is the same equation of (5) imposes that when rd = 1, re = 0 and vice
and transition firing intervals have been extended. versa.
Proposition 1. (Unexpected firing of tj at τq ). Let tj be a tran-
The same rules can be applied to condition GA (Tqu ) to obtain
sition belonging to the set Tqu , i.e. an early or a delayed firing
the corresponding set of linear constraints: from now on, with
of tj occurs at τq , enabled at time τk by the marking mks . The
an abuse of notation GA (Tqu ) is used to indicate both the logical
unexpected firing of tj at τq is modeled by an extension of the
condition (4) and its corresponded algebraical linear system.
firing interval of tj if there exists a value ∆lj ∈ Q or a value
∆uj ∈ Q for which the logical condition named Gun (tj , q, k)
4.4 Determining of the repaired model
holds, with
Gun (tj , q, k) : The repaired model of the system is obtained solving the
following algebraical linear system.
IF τq − τk > uj THEN ∆uj ≥ τq − τk − uj ,
(3) |σ|
ELSEIF τq − τk < lj THEN ∆lj ≥ τk − τq + lj . 
G(σ) = GA (Tqu ) (6)
Proof. Since an enabled timed transition must fire in a time q=1
belonging to I(tj ) from its enabling, condition (3) imposes that Since in general the solution of G(σ) is not unique, to select
1) in the case of a delayed firing (i.e. τq −τk > uj ) an extension one among these solutions a performance index is given and,
∆uj has occurred to explain the firing of tj in a time greater solving an appropriate MIPP, a TPN system that minimizes the
than uj while 2) in the case of an early firing (i.e. τq − τk < lj ) considered performance index is determined.
an extension ∆lj has occurred to explain the firing of tj in a  
time minor than lj .  In particular if f ∆l, ∆u is the considered performance in-
dex, where ∆l, ∆u ∈ Qn are, respectively the vectors of the
Proposition 2. (Anomalous behavior of the system at τq ). The
extension of the lower and upper bounds firing times of the
firing time extension I ext justifies the anomalous behavior of
nominal transitions, then the MIPP can be formally stated as
the system at time τq if the following logical condition named
follows
GA (Tqu ) holds with 
min f ∆l, ∆u

(7)
s.t. G(σ)
GA (Tqu ) :
 Different choices can be made for the cost function, in particu-
Gun (tj , q, k) lar if the cost function is chosen as
(4)  
∀tj ∈Tqu
f ∆l, ∆u = 1Tn · ∆l + 1Tn · ∆u , (8)

89
DCDS 2015
90
May 27-29, 2015. Cancun, Mexico F. Basile et al. / IFAC-PapersOnLine 48-7 (2015) 085–090
Table 1. Meaning of transitions of the case study.
Transition Event
t1 (t2 ) C1 (C2) has arrived at a (b).
t3 (t4 ) C1 (C2) has arrived at c (d).
t5 Both cars have arrived at destination.
t6 Both cars have returned in their home position.
t7 Cycle starts again.
the solution minimizes the extension of the firing interval I(tj )
for each nominal transition.
The computational complexity of (7) can be characterized in
terms of the number of constraints and unknowns that com-
posed it, i.e., the number of constraints and unknowns of G(σ).
Let Nanq be the number of temporal anomalies detected at time
τq , then the number of constraints of G(σ) is 5 · Nanq while
the number of unknowns is 4 · Nanq (precisely, 2 · Nanq real
unknowns representing the lower and upper extension of the
firing interval and 2 · Nanq boolean dummy variables).
5. CASE STUDY
The considered example is an adapted version of the system
used in Ould El Mehdi et al. (2012): it is made up of two cars
C1 and C2 (Fig. 4(a)), that starting from an arbitrary position in
the home space (delimited by points h1A and h1B for C1 and
h2A and h2B for C2, in the figure) move independently to reach
points a and b respectively. When C1 (C2) arrives at a (b), the
car starts to move along right direction until c (d) is reached (the
time units (t.u.) a car takes to arrive in the designed points are
shown in the figure). Then, C1 (C2) stops and remains in this
state until both cars are in their right positions. It takes from
1.7 to 2 t.u. to return cars in home position, then a new cycle is
immediately started.
The net modeling the nominal behavior of such a system is
shown in Fig. 4(b); in Table 1 the meaning of each transition
is reported.
c
Cplex has been used as optimization tool.
Consider the timed sequence σ = ({t7 }, 0) ({t2 }, 1) ({t4 , t1 },
3.5): it is an anomalous sequence since 1) an early firing of t4
and 2) the delayed firing of t1 are observed at time τ3 = 3.5.
The solution of the problem G(σ) when the objective function
is the one in (8), leads to the the following firing interval
 Institute of Technology, Cambridge, MA, USA.
[l1 , u1 + 2.2] if j = 1
I ext (tj ) = [l4 − 0.5, u4 ] if j = 4

I(tj ) ∀j ∈/ {1, 4}
The occurrence of σ can have been caused by the following
temporal anomalies: 1) an early arrive of C2 to the point c, that
can be due to an increase of C2 speed or to an accidental change
of position of the corresponding sensor and 2) the delayed
starting of C1. As consequence 1) the lower bound of t4 has
been reduced of the amount ∆l4 = 0.5 and 2) the upper bound
of t1 have been increased of the amount ∆u1 = 2.2.
6. CONCLUSION
A mixed-integer linear programming approach for the auto-
mated modeling of temporal anomalies in timed discrete event
systems modeled by PNs has been proposed. The nominal
model of the system, assumed to be known, can be updated
90
online, if the durations of system activities change while their
initial instant does not, without modifying the structure of the
PN nominal model but just acting on the firing interval of nom-
inal transitions. Such an approach can be used in the context of
model repair as a first repairing step, as example for systems
where the observed temporal anomalies under a fixed threshold
must not be considered as a fault, but only as an effect of system
degradation.
REFERENCES
Basile, F., Chiacchio, P., and Coppola, J. (2013). An ap-
proach for the identification of time Petri net systems. IEEE
18th Conf. on Emerging Technologies Factory Automation
(ETFA13), Cagliari, Italy, 1–8.
Cabasino, M.P., Giua, A., Hadjicostis, C.N., and Seatzu, C.
(2014). Fault model identification and synthesis in Petri nets.
Discrete Event Dynamic Systems, 1–22.
Cook, J.E., He, C., and Ma, C. (2001). Measuring behavioral
correspondence to a timed concurrent model. IEEE Int. Conf.
on Software Maintenance, 332–341.
Fahland, D. and van der Aalst, W.M. (2012). Repairing process
models to reflect reality. In A. Barros, A. Gal, and E. Kindler
(eds.), Business Process Management, volume 7481 of Lec-
ture Notes in Computer Science, 229–245. Springer Berlin
Heidelberg.
Giua, A. and Seatzu, C. (2005). Identification of free-labeled
Petri nets via integer programming. 44th IEEE Conf. on
Decision and Control (CDC05), Seville, Spain, 7639–7644.
IEEE Task Force on Process Mining (2012). Process mining
manifesto. In F. Daniel, K. Barkaoui, and S. Dustdar (eds.),
Business Process Management Workshops, volume 99 of
Lecture Notes in Business Information Processing, 169–194.
Springer Berlin Heidelberg.
Merlin, P.M. (1974). A study of the recoverability of computing
systems. Ph.D. thesis, University of California, Irvine.
Murata, T. (1989). Petri nets: Properties, analysis and applica-
tions. Proceedings of IEEE, 77(4), 541–580.
Ould El Mehdi, S., Bekrar, R., Messai, N., Leclercq, E., Lefeb-
vre, D., and Riera, B. (2012). Design and identification
of stochastic and deterministic stochastic Petri nets. IEEE
Trans. on Systems, Man and Cybernetics, Part A: Systems
and Humans, 42(4), 931–946.
Ramchandani, C. (1974). Analysis of asynchronous concurrent
systems by timed Petri nets. Technical report, Massachusetts
Rogge-Solti, A. and Kasneci, G. (2014). Temporal anomaly
detection in business processes. In S. Sadiq, P. Soffer,
and H. Völzer (eds.), Business Process Management, vol-
ume 8659 of Lecture Notes in Computer Science, 234–249.
Springer International Publishing.
Seatzu, C., Silva, M., and van Schuppen, J.H. (eds.) (2013).
Control of Discrete-Event Systems, volume 433 of Lecture
Notes in Control and Information Sciences. Springer.
van der Aalst, W.M. (2014). Process mining in the large: A
tutorial. In E. Zimányi (ed.), Business Intelligence, volume
172 of Lecture Notes in Business Information Processing,
33–76. Springer International Publishing.