State estimation is one of the central problems in systems and control theory. It plays a key role in many problems where one needs to estimate the state of the system based on imperfect observations. We investigate an important property of the state estimation problem called detectability for discrete event systems (DESs) modeled by labeled Petri nets (LPNs).
In the context of DESs, the problem of state estimation has been extensively investigated due to its applications in many different problems OzverenW1990; Ramadge1986; ShuLinYing2007. In particular, Shu and Lin ShuLinYing2007 proposed the concept of detectability for DES modeled by finite-state automata, which characterizes a priori whether or not the current and subsequent states can be determined based on observations. The property of detectability has drawn considerable attention in the literature keroglou2017verification; ShuLin2011; shu2013delayed; yin2017initial, including complexity studies on the verification of different notions of detectability Masopust2017d; YinLafortune17; Zhang17 and the generalization of the notion to, e.g., stochastic discrete-event systems keroglou2015detectability; keroglou2017verification; yin2017initial.
In this paper, we study the existence of algorithms for the verification of strong and weak detectability in the sense of Shu and Lin ShuLinYing2007, generalized from finite-state automata to unbounded LPNs. Specifically, we assume that both the Petri net structure and the initial marking are known, and that the system is partially observed via a labeling function.
Strong detectability requires that we can always determine, after a finite number of observations, the current and subsequent markings of the system, and weak detectability requires that we can determine, after a finite number of observations, the current and subsequent markings for some trajectories of the system.
For systems modeled by finite-state automata, strong detectability can be checked in polynomial time ShuLin2011 (in fact, by an efficient parallel algorithm Masopust2017d). On the other hand, any algorithm checking weak detectability requires at least polynomial space, since this problem is PSPACE-complete YinLafortune17; Zhang17. It is open whether PSPACE-complete problems admit polynomial-time algorithms, but it is known that they admit no efficient parallel algorithms. The results for weak detectability hold even for a very restricted type of automata Masopust2017d.
For systems modeled by bounded LPNs, the results for automata imply that both properties are decidable, since we can explicitly enumerate the reachable markings and apply the verification techniques for automata.
However, whether the properties are also decidable for unbounded LPNs is no longer straightforward, because the reachability set of such a system is infinite in general. Very recently, Zhang and Giua ZhangGiua2018 showed undecidability of weak detectability for LPNs with inhibitor arcs, which are computationally universal models, and stated the decidability questions of strong and weak detectability for LPNs, which are not computationally universal, as open problems. We resolve these questions.
First, we show that verifying strong detectability for LPNs is decidable by expressing the property as a path formula in Yen’s logic, for which satisfiability was shown decidable by reduction to reachability yen1992unified; AtigH11. Hence strong detectability is reducible to reachability as well. We further show that deciding strong detectability is EXPSPACE-hard, and hence any algorithm verifying strong detectability requires at least exponential space, and is thus infeasible. If the conjecture that reachability is in EXPSPACE is true, then deciding strong detectability is EXPSPACE-complete.
Then, we show that checking weak detectability for LPNs is undecidable, thus solving the second open problem and improving the recent result of Zhang and Giua ZhangGiua2018. We prove the result by reducing the language inclusion problem of two LPNs to the weak detectability verification problem. Our proof is similar to, but more involved than, the construction of Tong et al. TongLSG17 showing that the current-state opacity problem is undecidable. The secret set in the construction of Tong et al. is as large as the reachable set of one of the Petri nets under consideration (Tong et al. write the secret set as the set of all markings with a token in a designated place), and hence infinite in general. It is a natural question whether undecidability of current-state opacity follows from the infinity of the secret set; in other words, whether current-state opacity is decidable if the secret set is finite. As a consequence of our result, we show that current-state opacity is undecidable even if the secret set consists of a single marking. This result strengthens and completes the study of Tong et al. TongLSG17.
Our work is related to several works on state estimation of Petri nets basile2015state; GiuaSeatzu2002; ramirez2003observability; ru2010sensor; tong2016equivalence; ZhangGiua2018. In particular, it is closely related to the work of Giua and Seatzu GiuaSeatzu2002, who proposed several observability properties for (unlabeled) place/transition nets. Specifically, they proposed two observability properties, marking observability and strong marking observability; the former requires that there exists a word under which the marking of the system can be precisely determined, while the latter requires that the marking of the system can be precisely determined after a pre-specified finite delay.
Marking observability and strong marking observability are similar (but not identical) notions to weak and strong detectability, respectively. The main difference between our results and the results of Giua and Seatzu is that LPNs are more general than the unlabeled models used by Giua and Seatzu, which is also reflected in the results: we show that weak detectability for LPNs is undecidable, whereas Giua and Seatzu show that marking observability for their unlabeled models is decidable. Moreover, in the case of strong marking observability, there is a given pre-specified detection bound. Therefore, this property is trivially decidable by explicitly enumerating the reachable markings of the system within the given number of steps. Notice that we do not pre-specify any such detection bound for checking strong detectability, which makes the verification of strong detectability for unbounded LPNs non-trivial because the search space is infinite in general.
Our work is also related to the work of Ramírez-Treviño et al. ramirez2003observability, who proposed marking detectability, a property closely related to strong detectability. However, Ramírez-Treviño et al. only provide sufficient conditions for checking marking detectability and, to the best of our knowledge, (un)decidability of checking strong and weak detectability in the sense of Shu and Lin ShuLinYing2007 for LPNs has not been established in the literature so far.
Finally, we would like to point out that detectability is a property that determines a priori whether the marking of the system can be detected. On the other hand, there is a large body of literature on online marking estimation for Petri nets. This topic is, however, beyond the scope of this paper; the interested reader is referred to the literature basile2015state; cabasino2017marking; dotoli2009line for more details.
2 Preliminaries and Definitions
We assume that the reader is familiar with the basic notions of Petri nets Peterson1981. For a set , denotes the cardinality of . An alphabet is a finite nonempty set (of events). A word over is a sequence of events of . Let denote the set of all finite words over , where the empty word is denoted by , and let denote the set of all infinite words over . For a word , denotes its length. Let denote the set of all non-negative integers.
A Petri net is a structure , where is a finite set of places, is a finite set of transitions, and , and and are the pre- and post-incidence functions specifying the arcs directed from places to transitions and vice versa, respectively. A marking is a function that assigns to each place a number of tokens. A Petri net system is the Petri net with the initial marking . A transition is enabled in a marking if for every place . An enabled transition can fire and the resulting marking is defined as for every . We write to denote that the sequence of transitions is enabled in the marking of , and to denote that the firing of the sequence of transitions results in a marking . For simplicity, we omit the subscript if the net is clear from the context. We write to denote the set of all transition sequences enabled in the marking . A marking is reachable in the Petri net system if there is a sequence of transitions such that . The set of all markings reachable from the marking defines the reachability set of the Petri net system , denoted by .
A labeled Petri net system is a quadruple , where is a Petri net system, is an alphabet (a set of labels), and is a labeling function that assigns to each transition a symbol from . The labeling function can be extended to defining for and ; we define for the empty transition sequence . We say that a transition is observable if ; unobservable otherwise. The language of is defined as the set . Similarly, denotes the set of all infinite words generated by . Finally, for a word , denotes the set of all reachable markings consistent with the observation .
As usual when detectability is discussed ShuLin2011, we make the following two assumptions on the system : (i) is deadlock free, that is, in every reachable marking of the system, there is at least one transition that can fire, and (ii) cannot generate an infinite unobservable sequence. Notice that for finite-state systems, this assumption is equivalent to avoiding cycles of unobservable transitions.
Concerning the checking of these assumptions: deadlock-freedom is reducible to reachability, and hence it is decidable and EXPSPACE-hard; the existing algorithms use non-primitive recursive space esparza. Checking the second assumption is EXPSPACE-complete (see Appendix A).
3 Strong Detectability
Strong detectability is a property requiring that we can determine, after a finite number of observations, the current and subsequent states for all trajectories of the system. This property is formally defined as follows.
An LPN system is strongly detectable if there exists an integer such that for every infinite word and every finite prefix of , if is longer than , then .
To check strong detectability, it suffices to verify whether or not there are two arbitrarily long sequences with the same observation and leading to two different markings. To formalize this idea, we use the twin-plant construction for Petri nets used in the literature to test diagnosability cabasino2012new; yin2017decidability and prognosability yin2018prognosis.
Let be an LPN, and let be a place-disjoint copy of , that is, where is a disjoint copy of and the functions and are adjusted in the natural way. The copy has the same initial marking as , that is, for every . We define a Petri net that is essentially the (label-based) synchronization of and , where the set of places is , the initial marking is the concatenation of the initial markings of and , the transitions are pairs of transitions of and without the empty pair, and the functions and are defined as follows:
for every and every with , we define and ;
for every and every with , we define and ;
for every and every with , we define and ;
for every and every with , we define and ;
otherwise, no arc is defined ().
Essentially, is constructed to track all pairs of sequences that have the same observation. More specifically, for any , we have . On the other hand, for any such that , there exists a sequence in whose first and second components are and , respectively (possibly by inserting the empty transition sequence ). For an example illustrating the construction, we refer the reader to the literature cabasino2012new; yin2018prognosis.
The following result shows how to use the structure to verify strong detectability.
An LPN is not strongly detectable if and only if, in , there exists a sequence
(⇐) Suppose that there is such a sequence. Let and , for , denote the first and the second components of , respectively, that is, where the lengths of and coincide and are equal to the number of places in . Let , , and . By the construction of , , , and . Since , either or is not the empty transition; without loss of generality, let .
Let be an arbitrary natural number. We consider an infinite sequence where is an arbitrary infinite continuation of the sequence such that ; such a continuation exists by the assumptions that the system is deadlock free and there is no infinite unobservable sequence. The sequence is well defined in because , and hence the sequence is also well defined in . Let and . Then
Let be a place such that . Then we can always find an integer such that . Since is a prefix of , we have that , and hence . Moreover, implies the existence of in , and hence , because would give , which contradicts the assumption that no such sequence exists. Therefore, . Since was chosen arbitrarily, the system is not strongly detectable.
(⇒) Suppose that the system is not strongly detectable, that is, for every there exist and a finite prefix of such that and . Then, for any , there are sequences such that (i) and , and (ii) and with . By (i) and the construction of , there exists a sequence in such that is in the form of . Let for some and , and let be the markings induced by the transitions, i.e., where .
Consider a computation tree consisting of the computations described above. There is such a computation of length at least for every , and hence the tree is infinite. Therefore, by König's lemma koenig, stating that every finitely branching infinite tree contains an infinite path, there is an infinite path in the tree, where is the initial marking. Then, since vectors of natural numbers with the product order form a well-quasi-ordering, Dickson's lemma dickson1913finiteness implies that there are such that . Since the tree consists only of computations of the above form, is a prefix of such a computation, and hence there is a sequence such that is a computation of the above form, that is, is of the form for some and satisfying (i) and (ii) above. Consider the sequence
Since and , there is a place such that . Finally, , because , and hence the sequence satisfies the statement of the theorem. ∎
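As an added illustration (editor-supplied example code, not part of the paper or of any cited work), the following Python program implements the definitions of Section 2 (firing rule, labeling function, and the consistent-marking set C(w), with unobservable transitions handled by a silent closure), the twin-plant construction of this section, and a direct search for the witness of Theorem 2 as it is read from the proof above: a twin-plant marking M2 whose two halves differ, reached by a nonempty path from some earlier marking M1 with M1 ≤ M2. The search enumerates the reachability graph explicitly and is therefore only sound for bounded nets; the `bound` parameter that cuts off exploration is an assumption of this example and is not part of the paper's decision procedure, which goes through Yen's logic and reachability for the unbounded case. The two constructed nets `AMBIG` and `CLEAR` satisfy the standing assumptions (deadlock free, no infinite unobservable sequence) and differ only in the label of one self-loop, which is enough to flip strong detectability.

```python
"""Added example (not the paper's code): a labeled Petri net (LPN) with the firing
rule, the consistent-marking set C(w), the twin-plant construction and the witness
search of Theorem 2, all restricted to bounded nets. Places are indexed 0..n-1,
a marking is a tuple of token counts and the label None means unobservable."""
from collections import deque


class LPN:
    def __init__(self, n_places, transitions, m0):
        # transitions: list of (pre, post, label); pre/post map place -> weight
        self.n, self.trans, self.m0 = n_places, transitions, tuple(m0)

    def enabled(self, m, t):
        return all(m[p] >= w for p, w in self.trans[t][0].items())

    def fire(self, m, t):
        pre, post, _ = self.trans[t]
        return tuple(m[p] - pre.get(p, 0) + post.get(p, 0) for p in range(self.n))

    def successors(self, m, bound, labels=None):
        """One-step successors of m (optionally only via `labels`); a marking
        with more than `bound` tokens in a place is dropped (net assumed bounded)."""
        for t, (_, _, lab) in enumerate(self.trans):
            if (labels is None or lab in labels) and self.enabled(m, t):
                m2 = self.fire(m, t)
                if max(m2) <= bound:
                    yield m2

    def reach_graph(self, bound=10):
        # reachable markings and the edges between them
        seen, edges, queue = {self.m0}, {}, deque([self.m0])
        while queue:
            m = queue.popleft()
            for m2 in self.successors(m, bound):
                edges.setdefault(m, set()).add(m2)
                if m2 not in seen:
                    seen.add(m2)
                    queue.append(m2)
        return seen, edges

    def consistent(self, word, bound=10):
        """C(word): reachable markings whose observation is exactly `word`."""
        def silent_closure(ms):
            out, queue = set(ms), deque(ms)
            while queue:
                for m2 in self.successors(queue.popleft(), bound, {None}):
                    if m2 not in out:
                        out.add(m2)
                        queue.append(m2)
            return frozenset(out)
        cur = silent_closure({self.m0})
        for e in word:
            cur = silent_closure({m2 for m in cur
                                  for m2 in self.successors(m, bound, {e})})
        return cur


def twin_plant(net):
    """Label-based synchronisation of `net` with a place-disjoint copy on places
    n..2n-1: observable transitions fire in pairs with equal labels, unobservable
    ones fire alone in either copy; the empty pair is excluded."""
    sh = lambda d: {p + net.n: w for p, w in d.items()}
    pairs = []
    for pre, post, lab in net.trans:
        if lab is None:
            pairs += [(pre, post, None), (sh(pre), sh(post), None)]
        else:
            pairs += [({**pre, **sh(pre2)}, {**post, **sh(post2)}, lab)
                      for pre2, post2, lab2 in net.trans if lab2 == lab]
    return LPN(2 * net.n, pairs, net.m0 + net.m0)


def strongly_detectable(net, bound=10):
    """Witness of Theorem 2: a twin-plant marking M2 whose two halves differ,
    reached by a nonempty path from some earlier marking M1 <= M2."""
    tp, n = twin_plant(net), net.n
    seen, edges = tp.reach_graph(bound)
    preds = {}
    for m, succs in edges.items():
        for m2 in succs:
            preds.setdefault(m2, set()).add(m)
    for m2 in seen:
        if m2[:n] == m2[n:]:
            continue
        anc, queue = set(), deque(preds.get(m2, ()))  # reached via >= 1 step
        while queue:
            m = queue.popleft()
            if m not in anc:
                anc.add(m)
                queue.extend(preds.get(m, ()))
        if any(all(a <= b for a, b in zip(m1, m2)) for m1 in anc):
            return False
    return True


# Constructed nets: p0 -t0(unobservable)-> p1; 'a' moves the token to p2 or p3;
# p2 loops under 'b', p3 loops under 'b' (AMBIG) or under 'c' (CLEAR).
def branch_net(p3_loop_label):
    return LPN(4, [({0: 1}, {1: 1}, None), ({1: 1}, {2: 1}, 'a'),
                   ({1: 1}, {3: 1}, 'a'), ({2: 1}, {2: 1}, 'b'),
                   ({3: 1}, {3: 1}, p3_loop_label)], (1, 0, 0, 0))


AMBIG, CLEAR = branch_net('b'), branch_net('c')
```

For `AMBIG`, `consistent('ab')` returns two markings that no further observation separates, and `strongly_detectable(AMBIG)` is `False`; `CLEAR` resolves the ambiguity with its second observation and is reported strongly detectable. In a bounded net the covering condition M1 ≤ M2 along a nonempty path can only hold with M1 = M2 (a strict increase would be repeatable and contradict boundedness), so the search degenerates to the automata-style check for a cycle through a marking with distinct components; the code keeps the general form so that the correspondence to the theorem stays visible.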
To state our first result, we briefly recall a fragment of Yen’s path logic, the satisfiability of which is decidable yen1992unified; AtigH11. Let be variables representing markings and be variables representing finite sequences of transitions. Every mapping is a term. For all , if and are marking variables, then is a term, and if and are terms, then and are terms. If and , then and are transition predicates, where denotes the number of occurrences of in . If and are terms and are places, then , , and are marking predicates. A predicate is a positive boolean combination of transition and marking predicates. A path formula is a formula of the form where is a predicate.
Strong detectability is decidable for LPNs.
The formula of Theorem 2 can be expressed as the following path formula:
where is equivalent to and is equivalent to . Note that can be written as term , where and are terms ( and are marking variables but is a constant). Therefore, the last term is equivalent to
which is a valid predicate of Yen’s path logic. ∎
Although the satisfiability of path formulae of Yen's logic is decidable, its complexity is open. There is a so-called increasing fragment of Yen's logic that requires that the path formula uses only marking predicates and implies that . Deciding satisfiability of this fragment is EXPSPACE-complete AtigH11. However, the reader can see that our formula is not an increasing path formula, and hence the existing results do not yield any complexity upper bound.
To discuss the lower bound, we show that checking strong detectability requires at least exponential space. Our approach is to reduce the coverability problem, which is known to be EXPSPACE-complete esparza, to the verification of strong detectability.
Checking strong detectability is EXPSPACE-hard.
Given a Petri net system , the coverability problem asks whether there is a reachable marking that covers a given marking .
Let and be the instance of the coverability problem. We construct a new Petri net as follows (see Fig. 1 for an illustration).
We add two new unobservable transitions and , and two new places and initialized with zero tokens to , and we define for , and for ; unspecified mappings are defined as zero. We add a new isolated place initialized with one token, and define a new self-loop transition in to guarantee that the system is deadlock free. Finally, we define the labeling function by for , and .
By the construction, the unobservable transitions and can fire if and only if can be covered. If these two unobservable transitions are firable, then the modified system is not strongly detectable, because we cannot distinguish between the tokens in and . On the other hand, if they are not firable, then all firable transitions are observable, which directly implies that the system is strongly detectable. Overall, the original system covers if and only if the modified system is not strongly detectable. Hence, deciding strong detectability is EXPSPACE-hard. ∎
4 Weak Detectability
In some applications, we only need to determine, after a finite number of observations, the current and subsequent states for some trajectories of the system. This property is referred to as weak detectability and is defined as follows.
An LPN system is weakly detectable if there exists an integer and a word such that for any prefix of of length at least .
Deciding weak detectability for DES modeled by finite-state automata is a PSPACE-complete problem. We now show that it is undecidable for DES modeled by unbounded LPNs.
Weak detectability is undecidable for LPNs.
Let and be two LPNs with no unobservable transitions, i.e., is not the empty word for any transition . It is well known that the inclusion problem, which asks whether , is undecidable Hack76 for LPNs even when all transitions are observable. Next, we reduce the inclusion problem to the weak detectability verification problem.
From and , we construct an LPN as follows.
We create 10 new places up to , and we use new labels , , and as depicted in Fig. 2. Place (resp. , ) is connected by a self-loop to every transition of (resp. ). Intuitively, (resp. , ) allows to simulate (resp. ). For every place of , we create a new transition labeled by to which the place is connected, and through which there is a self-loop from place back to place . The intuition is that allows to remove tokens from the part under a word from . The rest of the Petri net is as depicted in Fig. 2.
The initial marking of consists of a single token in place . At the beginning, only the transitions connected to place are enabled. Then, after the first transition (which is labeled by ), the net simulates either or from their corresponding initial markings, and hence the -language of is
where is finite and depends on the number of tokens in the net after generating the word .
We show that if and only if is not weakly detectable.
If , then there exists a word . We now consider all markings of after generating the word . There can be several, but a finite number of such markings, because the length of is finite and there are no transitions labeled by in . We sum the tokens in every such marking and let denote its maximum. This means that after generating , the marking of is such that a single token is in place , no tokens are in the part of , because is the maximum number of tokens in after generating , so we had to use all of them to generate , and the part of contains no tokens. If the net now keeps generating , we stay in this marking for ever. This is the only marking reachable by the -word , because . Thus, the net is weakly detectable; the from the definition is , which is a constant for such a fixed word .
If , then any word generated using the part with , that is, and is bounded by the number of tokens in any marking of reachable after generating in , can be simulated using the part of . Moreover, any word from generated by the part using always leads to at least two different markings because of the two identical parts in simulating , cf. the places and , and hence is not weakly detectable. ∎
4.1 Application to Opacity
Opacity is a property arising in privacy and security analysis. The system has a secret modeled as a set of markings, and an intruder is modeled as a passive observer with limited observation capabilities. The system is opaque if the intruder can never know for sure that the system is in a secret marking. We first recall the definition of opacity for LPNs BryansKR05; TongLSG17.
Let be an LPN system and . System is current-state opaque with respect to if for every and such that , there exists such that and with .
Informally, an LPN system is current-state opaque if for every transition sequence leading to a marking in the secret set, there is another transition sequence whose firing leads to a non-secret marking, and the sequences produce the same observation .
Tong et al. TongLSG17 showed that deciding current-state opacity of an LPN system is undecidable. In their proof, they reduce the inclusion problem for LPNs (is ?) and construct a secret set as large as the reachability set of , which is infinite in general. It is a natural question whether undecidability of current-state opacity follows from the infinity of the secret set. Equivalently stated, the question is whether current-state opacity becomes decidable if the secret set is finite. As a consequence of our result, we show that it is not the case, since current-state opacity is undecidable even if the secret set consists of a single marking. This result strengthens and completes the study of Tong et al. TongLSG17.
Let be an LPN system, and let be a secret marking. System is single-marking current-state opaque with respect to if it is current-state opaque with respect to the set .
The following is a consequence of the proof of Theorem 6.
Single-marking current-state opacity for LPNs is undecidable.
Consider the net constructed in the proof of Theorem 6, and let the secret set consist of the marking having a single token in place and no tokens in other places. Then, is current-state opaque with respect to the secret set if and only if is not weakly detectable. ∎
We investigated the existence of algorithms deciding strong and weak detectability for LPNs. We showed that there is an algorithm checking strong detectability, although it is infeasible because it requires at least exponential space, whereas there is no algorithm checking weak detectability at all. We also discussed whether the undecidability of current-state opacity follows from the possibly infinite secret set and, as a consequence of our results, showed that it does not: current-state opacity remains undecidable even if the secret set is a singleton.
Besides strong and weak detectability, there are other notions of detectability proposed in the literature, such as initial-state detectability shu2013detectability, generalized detectability ShuLin2011 or delayed detectability shu2013delayed. Investigating the verification of these variants for LPNs is an interesting future direction.
Appendix A Complexity of the Assumption
Here we discuss the complexity of checking that the system does not generate an infinite unobservable sequence and show that it is EXPSPACE-complete. Given a net, the property can be expressed in Yen’s path logic as a sequence such that . Eliminating the transition predicate according to Yen’s Lemma 3.2 of yen1992unified results in an increasing path formula AtigH11, and hence the satisfiability of this formula is in EXPSPACE. To show EXPSPACE-hardness, we reduce the coverability problem. Let be an LPN and be a marking. We modify by adding an unobservable transition that is a self-loop requiring all and exactly the tokens of to fire, returning the tokens back to . Then is coverable in if and only if the modified net has an infinite sequence of unobservable transitions (the added unobservable self-loop).