
IEEE TRANSACTIONS ON RELIABILITY

Reliability and Performance Measurement of Safety-Critical Systems Based on Petri Nets: A Case Study of Nuclear Power Plant

Nand Kumar Jyotish, Student Member, IEEE, Lalit Kumar Singh, Senior Member, IEEE, Chiranjeev Kumar, Senior Member, IEEE, and Pooja Singh, Senior Member, IEEE
Abstract—Safety-critical systems (SCSs) mitigate the risk of catastrophic loss of assets and hence have high dependability targets. Performance and reliability are the critical dependability attributes, particularly in control and safety systems, and hence are essential to measure to ensure dependability. Traditional methods either are not capable of capturing the system dynamics or encounter the state explosion problem. Also, the methods are not able to measure all critical performance attributes. This article proposes a novel approach to measure the performance and reliability of SCSs. Such systems contain multiple interconnected processing nodes, the functional requirements of which are modeled using a Petri net (PN). A set of ordinary differential equations (ODEs) is derived from the PN model that represents the state of the system. The ODE solution can be used to measure the critical performance attributes, such as latency time and throughput of the system. The proposed method avoids the state explosion problem and also introduces new metrics of performance, along with their measurement: deadlock, liveness, stability, boundedness, and steady state. The proposed technique is applied to a case study of a nuclear power plant. We obtained 99.887% and 99.939% accuracy of performance and reliability measurement, respectively, which demonstrates the effectiveness of our approach.

Index Terms—Latency time, Markov chain, ordinary differential equation (ODE), performance measurement, Petri nets (PN), reliability, safety-critical systems (SCSs), throughput.

Manuscript received 16 May 2022; revised 3 August 2022; accepted 8 February 2023. Associate Editor: R. Kuhn. (Corresponding author: Nand Kumar Jyotish.)
Nand Kumar Jyotish and Chiranjeev Kumar are with the Department of Computer Science & Engineering, Indian Institute of Technology, Dhanbad 826004, India (e-mail: [email protected]; [email protected]).
Lalit Kumar Singh is with the Department of Computer Science & Engineering, Indian Institute of Technology, Varanasi 221005, India (e-mail: [email protected]).
Pooja Singh is with the Department of Mathematics, SIES-Graduate School of Technology, Navi Mumbai 400706, India (e-mail: poojasingh1615@gmail.com).
Color versions of one or more figures in this article are available at https://doi.org/10.1109/TR.2023.3244365.
Digital Object Identifier 10.1109/TR.2023.3244365
0018-9529 © 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See https://www.ieee.org/publications/rights/index.html for more information.

I. INTRODUCTION

Safety-critical systems (SCSs) could result in loss of life, significant property damage, environmental damage, or loss of a goal-oriented mission if they fail. These are the computer-based systems (CBSs) on which we rely on a daily basis [1]. The most effective strategy to avoid these failures is to remove or minimize dangers early in the design and development phase, instead of later, when the system has become unmanageably complex. Such systems have grown in network connectivity and distribution, and have thus become more intricate. The growing complexity of a system may impact its overall performance. Therefore, it is necessary to model such systems for performance measurement before their actual implementation.

Instrumentation and control (I&C) systems are the nervous system of a nuclear power plant (NPP), and they are CBSs. These systems perform their functions in normal, abnormal, and emergency conditions [2]. I&C systems identify fundamental physical elements, monitor performance, combine data, and automatically change plant operations to keep process variables within the design limits. I&C systems, in conjunction with the human operator, are responsible for ensuring the plant's safety and its efficient power generation [3]. Therefore, this system should be carefully planned, designed, built, and maintained to allow the human operator to take appropriate action during abnormal operations. Various logic circuits maintain the NPP's protection and safety in an abnormal situation. Significant I&C logic circuits that provide protection and ensure the performance of the safety systems of NPPs include the emergency shutdown system (SDS), initiation of the auxiliary feedwater system, steamline isolation, and initiation of the safety injection system [4]. Even though I&C is only a small part of a typical plant's maintenance and capital upgrade budget, it considerably impacts system dependability [2], [4]. Reliability and performance are two important attributes of dependability and hence must be measured.

The results of performance measurement using a system model help to identify potential bottlenecks and to take design decisions. A model can be thought of as a conceptual abstraction of a particular system. In the past few decades, researchers have increasingly relied on analytical tools to measure various performance metrics. Many of these analytical methods use the Petri net (PN), which can explain the information flow of a system
in a more meaningful way and compute several dependability attributes [5].

Many CBSs are used to measure critical process parameters to take important decisions [6], [7], and hence measuring their performance and reliability is essential. In this article, a novel approach is devised to measure the performance and reliability of SCS that is based on the closed process net (a variant of PN). We have derived the ODE system from the PN model and evaluated the different performance parameters using MATLAB. Designing a system from merely an informal definition is difficult; under such scenarios, the proposed method can aid. The modeled system can be analyzed by checking various PN properties, such as liveness, reversibility, boundedness, deadlock absence, etc., which are performance indicators. Reliability and other performance indices, such as response time and throughput, are also measurable. The proposed approach is validated on multiple SCS of an NPP and exhibited on the SDS. The obtained measurement accuracies of performance and reliability are 99.887% and 99.939%, respectively, which demonstrates the effectiveness of our approach.

The rest of this article is organized as follows. Section II summarizes known techniques as well as their shortcomings. The preliminary concepts and definitions are covered in Section III. Section IV gives a brief idea of the proposed methodology for performance and reliability analysis. Section V discusses the case study of the SDS and its PN model. Performance and reliability analysis is described in Section VI. Section VII discusses the validation of our approach. Finally, Section VIII concludes the article.

II. RELATED WORK

Singh et al. [1], [8] used PN to present a framework for modeling and predicting the performability of SCS. An SCS of an NPP is used to demonstrate the technique. It deals with the dynamic simulation of a test facility for an SCS used in an NPP. However, because the methodology depends solely on the TimeNET tool for calculation, it cannot properly consider the component interfaces. The authors assume that the firing delays of the transitions can be approximated by their mean values. Additionally, the provided technique does not support more than one parallel transition and hence fails to model concurrency. Further, the article does not discuss any method to measure the response time of the systems.

Liu et al. [9] suggested a deterministic and stochastic PN (SPN) based methodology for evaluating the performance of a subsea blowout prevention system. The method breaks the system into two parts to determine the system's performability: 1) the mechanical system and 2) the CBS. Additionally, the effect of component failures, along with their maintenance periods, on total system performance is also examined. However, the authors assume a constant component failure rate, which is not true in practical scenarios for SCS. Existing models cannot efficiently assess SCS software's performance due to a lack of failure data and unrealistic assumptions.

Singh and Rajput [10] employed PN to analyze the dependability of an SCS's SDS-2. The suggested method takes advantage of the PN's modeling power by turning it into a Markov chain for quantification. The authors developed a linear-programming-based technique for state-space reduction. Only reliability is the main focus of that article, and the accuracy of the reliability estimate is not measured.

Jyotish et al. [11] surveyed various approaches for evaluating the performance of PN-based models of SCS, their limitations, the tools utilized, and the performance measures employed. This survey paper discusses the suitability analysis of SCS usage in an NPP. Based on our findings, some of the papers used a deterministic approach for performance evaluation and hence are not able to quantify the performance at run time. The approaches that are based on the state space of the system have made many unrealistic assumptions, such as a constant failure rate of the hardware and software components. Some approaches also lack validation.

Ding et al. [12] presented a Business Process Execution Language based technique for measuring the performance of service compositions. The method is described using a collection of fuzzy differential equations, each of which specifies a state change in the service composition. Each service state is quantified by a time-dependent fuzzy number indicating the degree to which the state is reachable during execution. However, fuzzy-logic-based approaches are based on unrealistic assumptions and hence contain several parametric, epistemic, and aleatoric uncertainties. Therefore, such approaches are not suitable for SCS. Furthermore, a single equation category can contain several equations, and MATLAB may not have the computing power to handle such calculations.

Singh and Singh [13] proposed a method to measure the dependent failures of the components in a system, known as common cause failures. The proposed framework performs qualitative and quantitative screening analysis and detailed analysis, in which a probability model is developed to estimate the common cause basic event probabilities. Although the authors consider these dependencies for risk and reliability measurement, such dependencies also need to be considered for performance measurement of the system.

Rodríguez et al. [14] transformed unified modeling language profiles into PN for analyzing software performance based on the maximum productive capacity. The authors employ the PeabraiN tool to determine the maximum throughput bounds using the iterative LPP algorithm. The proposed transformation improves the data analysis capability. However, no method is mentioned for measuring the performance. As a result, the model only ensures the performance in a subjective manner and does not provide a quantitative assessment.

Kumar et al. [15] measured SCS performance by using timed PNs (TPNs) and a Markov chain. System functional requirements are first modeled in PN, which is then transformed into a Markov chain. However, for a large-scale system, the number of states can grow exponentially and hence leads to the state-space explosion problem. The proposed method does not consider many important metrics, such as liveness, deadlock, steady-state analysis, and boundedness, which are important performance indicators.

Xia et al. [16] evaluated the performance of the Canada Deuterium Uranium (CANDU) reactor SDS-1 using MATLAB/Simulink, a signal processing system, and existing
power management. The proposed methodology significantly improves trip response time in comparison to the present system. Additionally, it enhances the safety margin and provides economic benefits to the NPP. However, the validity of considering all the functional requirements is not ensured, which may lead to conservative estimates.

Rhee et al. [17] developed a three-dimensional computational fluid dynamics (CFD) system for analyzing the performance of the SDS-2 CANDU reactor's liquid poison injection process. The authors conducted a series of studies to construct a restricted validation CFD model. However, the experiment does not provide a detailed dispersion profile of the liquid poison's distribution in the moderator of the CANDU reactor.

By leveraging observations of safety parameters in an NPP's SDS, Rankin and Jiang [18] suggested a Kalman-filter-based technique for developing a predictive SDS and predicting the attainment of trip set-points. When compared to traditional SDSs, the given prognostic SDS significantly brings down time-to-trip. As a result, a large power spike is less likely to harm the reactor core and other crucial components. However, the method is just a preliminary step toward developing a potentially beneficial plan to improve the performance of the conventional SDS.

Aslansefat et al. [19] suggested a method for evaluating the performance of a threshold alarm system using a semi-Markov process. The authors demonstrated three cases and analyzed their performance based on the Priority-AND gate and a semi-Markov process. It is difficult to identify the complete state space of a large-scale system, and hence the Markov model would not be complete. Therefore, the accuracy of the reliability and performance measures of the system is doubtful. Also, it is not possible to model event-driven systems.

Tripathi et al. [20] emphasized the importance of the dependability of safety-critical systems and studied the existing methodologies for reliability quantification of such systems. The authors give a comparative study of two methods used for reliability measurement: dynamic flowgraph and PN. An experimental study was carried out on a safety-critical system of an NPP. In conclusion, the PN model is able to measure many dependability attributes with higher accuracy.

Cheung et al. [21] enhanced Wang's [22] work by incorporating performance and reliability studies to support a variety of architectural types. However, they make performance predictions based on information from the operational profile and testing data, and on intuition about the software architecture, and hence the method is not fruitful for taking early design decisions.

Mamdikar et al. [23] employed a transformation process in which the UML model is converted into PNs for the nonfunctional requirement analysis of SCSs. The authors analyzed dynamic behaviors and state-transition probabilities of SCS to evaluate the performance and reliability accuracy. The suggested framework is tested with 32 SCS instances of an NPP on the reactor core isolation cooling system module. However, the methodology uses assumed probabilities, which can lead to erroneous results.

Chen and Li [24] used a sparse autoencoder and an artificial neural network for multisensor feature fusion to perform fault diagnosis of bearings and also to improve the reliability of fault diagnosis. In this method, time- and frequency-domain characteristics are gathered from diverse sensors and fed to neural networks, and the fused feature vectors are health indicators of the machine. However, performance is also an essential health indicator, which has not been considered in that article.

Singh and Singh [25], [26], [27] emphasized the dependability aspects of SCS. Practitioners from leading research organizations, e.g., aerospace, nuclear energy, petrochemical, defense, etc., were interviewed to discuss the current state of the art and the practices adopted by industry to ensure the dependability of SCS. The different methodologies used for quantitative assessment of dependability were also discussed, which are based on stochastic modeling techniques that include PNs and Markov chains.

For an autonomous vehicle system, Seo et al. [28] presented an SCS feedback control architecture. While building the framework, the authors considered the major challenges of autonomous vehicle systems, such as safety and trajectory tracking performance. The model was built using a differential flatness approach, and then the trajectory tracking performance was achieved using a dynamic inversion method. The safety constraint is fulfilled using a control barrier function. However, model predictive control, the most promising control tool for performance measurement, is not included in the proposed technique. As a result, the accuracy of the performance evaluation is questionable.

Ding et al. [29] proposed a flow-based multimodal safety-critical scenario generator for assessing decision-making algorithms. This technique provides efficient and diversified evaluations of decision-making algorithms by evaluating their robustness against worst-case scenarios that span all risk modes more comprehensively. To accelerate the training process, an adaptive sampler-based feedback mechanism is provided, which can adjust the sampling region based on the generator's learning process. However, combining the evaluation and training processes may give the existing algorithm a stronger boost for safety-related attacks and can jeopardize the performance.

Jiang et al. [30] took various levels of criticality into account for designing SCSs on a common hardware platform. These mixed-criticality systems (MCSs) have been extensively studied in academia, but they are challenging to implement in industrial circumstances. The authors found practical gaps between theory and reality and proposed a generic industrial architecture known as P-MCS. The P-MCS is then assessed for safety and for performance metrics, such as system schedulability, throughput, and overheads. The presented technique incurs additional costs to meet industrial safety requirements and for its hardware-based implementation. Also, the reliability analysis of the technique is not validated.

Weng et al. [31] provided a scenario-based evaluation framework to give the safety performance of a black-box system. Under a test subject, the proposed scenario sampling algorithm is asymptotically optimal for obtaining the safe invariant with high accuracy. However, the work does not address the nonscenario-based testing regime and system reliability.

Thota et al. [32] suggested a new safety broadcast system to meet the requirements of vehicle-to-vehicle (V2V) applications
for latency and reliability. The authors then tested the system's performance in rural and urban areas with a varying number of vehicles using various wireless technologies, such as cellular and IEEE 802.11p. Application-layer RaptorQ codes help to enhance the performance of the V2V system. However, due to the half-duplex nature of cellular V2V, this improvement is reduced in the urban situation. Also, IEEE 802.11p suffers from preamble channel estimation and excessive collisions, both of which can affect the system reliability.

Hammadi et al. [33] used human brainwaves and a new framework based on deep learning to find insider threats to safety-critical industrial infrastructure. The authors used electroencephalograms (EEGs) to record the brainwaves, which they then fed into a network of long short-term memories to build a detection network for detecting the threats. The EEG-based threat detection is more accurate and reliable than the previous method. But the technique does not consider system dynamics while evaluating the performance.

The authors in [34] used the dynamic fault tree (DFT) framework to conduct a reliability analysis of dynamic systems. The strategy reduces the state-space explosion problem to some extent by using input/output interactive Markov chains. The authors explained that the standard analysis for DFT is state based, and treating it as a continuous-time Markov chain is not applicable in all scenarios due to the possibility of multiple interpretations of a DFT. A semantic interpretation of DFT is introduced that makes it easy to understand the interactions among FT building blocks. This approach helps in addressing the state explosion problem by exploiting the DFT structure to build the smallest Markov chain. Aslansefat and Latif-Shabgahi [35] also try to address the state explosion problem using a semi-Markov process theorem for DFT solution. The approach considers nonexponential failure distributions through a hierarchical solution. Kabir et al. [36] proposed a framework by incorporating complicated fundamental events in hierarchically performed hazard origin and propagation studies, which may effectively ensure the modeling capabilities for complex failures and the effectiveness of model-based safety analysis. The approach combines PNs with other methods like algebraic solutions to reduce the state explosion and improve the calculation. Cai et al. [37] proposed a Markov model to perform reliability analysis of subsea blowout preventer control systems subjected to multiple error shocks. The authors addressed the state explosion problem by splitting the system into three independent modules, and the corresponding Markov models are proposed subsequently. However, the system analyst needs to design the interfaces very carefully, and the mechanism for analyzing the results of integration should be effective. Also, the validation of the approaches on safety-critical systems is an important concern.

III. PRELIMINARY CONCEPTS AND DEFINITIONS

A PN is a directed, weighted, bipartite graph containing two different types of nodes: places (shown by circles) and transitions (depicted by bars or boxes). Positive weight-labeled directed arcs connect these places and transitions. Places may contain zero or more tokens. The black dots inside the places denote tokens held by that respective place. Formally, a PN is described as a five-tuple $PN = \{P, T, \alpha, \beta, M_0\}$, where $P = \{p_1, p_2, p_3, \ldots, p_m\}$ is a nonempty finite set of places, which describe the state of a system; $T = \{t_1, t_2, \ldots, t_n\}$ is a nonempty finite set of transitions, which change the state of the system; $\alpha : (P \times T) \to \mathbb{N}$ is the preincidence function that defines directed arcs from places to transitions; and $\beta : (T \times P) \to \mathbb{N}$ is the postincidence function that defines directed arcs from transitions to places. Here, $\mathbb{N}$ refers to the set of natural numbers. $M_0 : P \to \{0, 1, 2, \ldots\}$ is the initial marking, i.e., an $m$-vector whose elements represent the tokens present in each of the $m$ places of the net. Also, $P \cap T = \varnothing$ and $P \cup T \neq \varnothing$ [5].

The token movement in a PN model delineates the dynamic behavior of the system, represented by a change in token distribution among the places. The necessary condition to change the token distribution is that at least one transition must be in the enabled state. When every input place $p$ of transition $t$ contains at least as many tokens as the weight of the arc $(p, t)$, the transition $t$ is said to be enabled. An enabled transition can fire. When transition $t$ fires, it removes tokens from each of its input places $p$ according to the weight of the arc $(p, t)$ and adds tokens to each of its output places according to the weight of the corresponding output arc.

Fig. 1. Petri net execution. (a) Initial marking. (b) Marking after T1 fires. (c) Marking after T2 fires.

Fig. 1 depicts the working of a PN-modeled system. Fig. 1(a) shows that each of the places X and Y holds one token, enabling the transition T1. After the firing of T1, the new configuration of the net is depicted in Fig. 1(b): the firing of T1 takes the tokens from X and Y and puts a token into Z. The place Z in Fig. 1(b) has one token, which enables transition T2. Fig. 1(c) is the final configuration of the net after the firing of T2.

The performance of a system depends on its reliability and safety [25], [26], [27], [38], [39]. Therefore, while assessing performance, we must analyze factors that might endanger the SCS's reliability and safety. Deadlock, boundedness, liveness, stability, reachability, and reversibility are the important metrics of safety and reliability.

The liveness or deadlock presence in a PN is determined by a set of places known as a siphon. A nonempty set $S \subseteq P$ is called a siphon iff ${}^{\circ}S \subseteq S^{\circ}$, and it is a trap iff $S^{\circ} \subseteq {}^{\circ}S$, where ${}^{\circ}S$ denotes the collection of input transitions of the place set $S$ and $S^{\circ}$ the collection of output transitions of the place set $S$. Once a siphon becomes token-free under some marking, it stays empty for all subsequent markings, whereas if a trap has any token in it, it remains marked for the rest of the time. As long as every siphon contains a marked trap, no siphon can ever become empty; the PN is therefore deadlock-free and, for free-choice nets, live [5].
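The following Python module is an added worked example and is not code from the paper or its authors. It implements the five-tuple and firing rule defined above on two constructed three-place nets (the Fig. 1 net closed by letting T2 return the tokens to X and Y, and a variant in which T2 refills only X), builds the reachability graph with a state cap so that state explosion fails loudly instead of looping, reports the bound, dead markings and reversibility, checks the siphon/trap condition just described by exhaustive subset search, and, going one step beyond this page, attaches exponential firing rates to the transitions and solves the steady-state system $\Pi Q = 0$, $\sum \pi_i = 1$ that Section III later introduces for the equivalent Markov chain. The place and transition names, the arc weights, the rates, and the nets themselves are assumptions made for illustration.

```python
"""Added example (not code from the paper): explicit-state analysis of small Petri nets.
Firing rule of Section III, reachability graph, boundedness/deadlock/reversibility,
siphon-trap check, and steady state pi*Q = 0, sum(pi) = 1 of the rate-labelled CTMC."""
from collections import deque
from fractions import Fraction
from itertools import combinations


class PetriNet:
    def __init__(self, places, transitions, pre, post, m0):
        # pre[(p, t)] = alpha(p, t), post[(t, p)] = beta(t, p); absent pairs mean weight 0
        self.P, self.T, self.pre, self.post = list(places), list(transitions), pre, post
        self.m0 = tuple(m0.get(p, 0) for p in self.P)

    def enabled(self, m, t):
        return all(m[i] >= self.pre.get((p, t), 0) for i, p in enumerate(self.P))

    def fire(self, m, t):  # caller must check enabled(); tokens are removed, then added
        return tuple(m[i] - self.pre.get((p, t), 0) + self.post.get((t, p), 0)
                     for i, p in enumerate(self.P))

    def reachability_graph(self, max_states=10_000):
        index, edges, queue = {self.m0: 0}, [], deque([self.m0])
        while queue:  # breadth-first enumeration of markings
            m = queue.popleft()
            for t in self.T:
                if self.enabled(m, t):
                    n = self.fire(m, t)
                    if n not in index:
                        if len(index) >= max_states:  # state explosion fails loudly
                            raise RuntimeError("state-space cap hit: unbounded or too large")
                        index[n] = len(index)
                        queue.append(n)
                    edges.append((index[m], t, index[n]))
        return list(index), edges

    def analyse(self):
        """Bound (1 means safe), dead markings, and reversibility (M0 reachable from all)."""
        states, edges = self.reachability_graph()
        pred = {i: set() for i in range(len(states))}
        for i, _, j in edges:
            pred[j].add(i)
        back, stack = {0}, [0]  # backward search from M0 over the reachability graph
        while stack:
            new = pred[stack.pop()] - back
            back |= new
            stack.extend(new)
        return {"states": len(states), "bound": max(max(m) for m in states),
                "deadlocks": [m for m in states if not any(self.enabled(m, t) for t in self.T)],
                "reversible": len(back) == len(states)}

    def is_siphon(self, S):  # every input transition of S is also an output transition of S
        return {t for (t, p) in self.post if p in S} <= {t for (p, t) in self.pre if p in S}

    def is_trap(self, S):  # every output transition of S is also an input transition of S
        return {t for (p, t) in self.pre if p in S} <= {t for (t, p) in self.post if p in S}

    def every_siphon_has_marked_trap(self):
        """Commoner's condition by exhaustive subset search (2^|P|; fine for small nets)."""
        marked = {p for i, p in enumerate(self.P) if self.m0[i] > 0}
        subsets = [set(c) for r in range(1, len(self.P) + 1) for c in combinations(self.P, r)]
        marked_traps = [S for S in subsets if self.is_trap(S) and S & marked]
        return all(any(tr <= S for tr in marked_traps) for S in subsets if self.is_siphon(S))

    def steady_state(self, rates):
        """Race semantics: enabled t leaves marking i at rate rates[t]; solves eq. (3)-(4)."""
        states, edges = self.reachability_graph()
        n = len(states)
        Q = [[Fraction(0)] * n for _ in range(n)]
        for i, t, j in edges:
            if i != j:
                Q[i][j] += Fraction(rates[t])
        for i in range(n):
            Q[i][i] = -sum(Q[i])  # q_ii = -sum_{j != i} q_ij
        A = [[Q[j][i] for j in range(n)] for i in range(n)]  # rows of Q^T, i.e. (pi Q)^T = 0
        A[-1], b = [Fraction(1)] * n, [Fraction(0)] * (n - 1) + [Fraction(1)]  # sum(pi) = 1
        return dict(zip(states, solve(A, b)))


def solve(A, b):
    """Gauss-Jordan elimination over Fractions: exact and dependency-free."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        piv = next(r for r in range(c, n) if M[r][c] != 0)
        M[c], M[piv] = M[piv], M[c]
        M[c] = [x / M[c][c] for x in M[c]]
        for r in range(n):
            if r != c and M[r][c] != 0:
                M[r] = [x - M[r][c] * y for x, y in zip(M[r], M[c])]
    return [M[i][n] for i in range(n)]


# Constructed nets (assumptions, not from the paper). LIVE_NET is the Fig. 1 net closed by
# letting T2 return tokens to X and Y; in BROKEN_NET T2 refills only X, so {Y} is a siphon
# containing no trap and the net deadlocks after one cycle.
PRE = {("X", "T1"): 1, ("Y", "T1"): 1, ("Z", "T2"): 1}
LIVE_NET = PetriNet("XYZ", ["T1", "T2"], PRE, {("T1", "Z"): 1, ("T2", "X"): 1, ("T2", "Y"): 1},
                    m0={"X": 1, "Y": 1})
BROKEN_NET = PetriNet("XYZ", ["T1", "T2"], PRE, {("T1", "Z"): 1, ("T2", "X"): 1}, m0={"X": 1, "Y": 1})

if __name__ == "__main__":
    print(LIVE_NET.analyse(), BROKEN_NET.analyse(), LIVE_NET.steady_state({"T1": 2, "T2": 1}))
```

With rates T1 = 2 and T2 = 1 the live net's steady state is 1/3 on the initial marking and 2/3 on the marking with the token in Z, so the throughput of T1 is 1/3 · 2 = 2/3 firings per unit time, which is the kind of quantity the paper's eq. (3)-(4) yield. The broken net reaches the marking (1, 0, 0) from which nothing is enabled, and the siphon {Y} contains no trap, so the structural check rejects it before the reachability graph is ever built. Two caveats a practitioner should keep in mind: the marked-trap condition guarantees absence of dead markings for arbitrary nets but full liveness only for free-choice nets, and both the subset search (2^|P|) and the explicit reachability graph are exactly the computations that explode on realistic models, which is the paper's motivation for the continuous relaxation in Section IV.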
The boundedness property assures the absence of overflow at any place of the PN. The token count at any place of a bounded PN never surpasses a finite integer $l$ for any marking reachable from the initial marking, and the PN is safe in all cases for $l = 1$. If the boundedness property is satisfied for every possible firing sequence, then the PN becomes stable, and it is called steady if the following condition is met [5], [11], [15]:

$$\frac{\Delta M(t)}{\Delta t} = 0, \quad \text{where } \Delta t = t - t_0. \qquad (1)$$

A PN can exist in a steady state, and hence steady-state analysis can be performed. The proof is given as follows.

Lemma: $PN(N, M_0)$ can stay in a steady-state condition.

Proof: We know that the change in markings of a PN model with time is given by the following equation:

$$M' = M + [N] \cdot \sigma(\Delta t)$$

where $M'$ and $M$ are the markings at time $t$ and $t_0$, respectively, $[N]$ is the incidence matrix of the PN, and $\sigma(\Delta t) = \sigma(t) - \sigma(t_0)$ denotes the firing count vector between $t$ and $t_0$. We have

$$M' - M = [N] \cdot \sigma(\Delta t)$$
$$\Rightarrow \Delta M = [N] \cdot \sigma(\Delta t)$$
$$\Rightarrow \frac{\Delta M}{\Delta t} = [N] \cdot \frac{\sigma(\Delta t)}{\Delta t} = [N] \cdot \frac{\sigma(t) - \sigma(t_0)}{t - t_0}.$$

Because the PN is consistent, there is a firing sequence that takes the system from $M$ back to $M$, i.e., $[N] \cdot \sigma = 0$:

$$\Rightarrow \exists\, \sigma(\Delta t) = \sigma(t) - \sigma(t_0) : [N] \cdot \sigma(\Delta t) = 0$$
$$\therefore \exists\, \Delta t : \frac{\Delta M}{\Delta t} = 0. \qquad (2)$$

This demonstrates that the PN can exist in a steady state.

Reachability is a key basis for studying the dynamic aspects of the system. A firing sequence in a PN leads to a marking sequence. If a sequence of firings transforms marking $M_1$ into another marking $M_n$, then $M_n$ is said to be reachable from $M_1$. In a reversible net, one can always go back to the initial marking $M_1$ or some home state [5].

The above structural properties must hold for the PN-based modeled system. The PN model's steady-state probability distribution is computed after creating an equivalent Markov chain from its reachability graph and solving the following linear system:

$$\Pi \times Q = 0, \qquad \sum_{i=0}^{n} \pi_i = 1 \qquad (3)$$

and

$$q_{ii} = -\sum_{j=0,\; j \neq i}^{n} q_{ij}. \qquad (4)$$

and $|p_e^{\circ}| = 0$; $F \subset (P \times T) \cup (T \times P)$ denotes the collection of arcs connecting places and transitions. Here, ${}^{\circ}p_s$ is the set of input transitions of $p_s$ and $p_s^{\circ}$ is the set of output transitions of $p_s$. Similarly, ${}^{\circ}p_e$ and $p_e^{\circ}$ can be defined. A process net becomes a closed process net if $p_s = p_e$. The term "strong connectedness" refers to the fact that when $p_s$ is removed, the resulting net becomes acyclic. It means that there is a directed path between any pair of nodes of the net. Consistency is described as the presence of a firing sequence from $M_0$ to $M_0$ such that each transition fires at least once. The closed process net has strong reversibility properties, which means we can always return to $M_0$ from any other marking $M \in R(M_0)$ upon firing of transitions [40], [41].

IV. PROPOSED METHODOLOGY FOR PERFORMANCE AND RELIABILITY ANALYSIS

The existing literature deals with mean latency time and system throughput for performance analysis. However, it is essential to consider deadlock, liveness, stability, boundedness, and steady-state metrics as well. Deadlock may lead to delay in process execution or even hold the state of the system for an infinite time. Liveness refers to a set of properties that require a system to make progress despite the fact that it is concurrently executing components. Stability is a property that ensures that the output of the system is under control. Boundedness ensures that all the entities in the system are restricted to some finite region of space. Steady-state analysis verifies the consistent behavior of the system. Therefore, these are good performance indicators and hence must be analyzed. In order to compute these metrics, the system requirements are modeled using PNs. The computation methodology of these metrics is demonstrated on a case study of an NPP system in Section VI. The framework for performance and reliability analysis is based on the concept of the continuous Petri net (CPN) and is generic in nature, so it can be applied to any type of SCS in any domain.

A CPN is a relaxation strategy for SPNs, which helps to prevent the exponentially growing set of reachable markings resulting from increased PN size. The CPN markings are assigned time-dependent nonnegative real numbers. Formally, it is defined as a three-tuple $CPN = \{PN_M, M_0, R\}$, where $\{PN_M, M_0\}$ is a marked message passing (MP) net [12], [40], [41]. An MP net is a subclass of PN in which places are categorized as idle, activity, and buffer, whereas transitions are characterized as activity, input communication, and output communication. A place is idle if it contains no token; it becomes an activity place if it processes the token, and it is called a buffer place if it holds token(s). A CPN consists of a set of closed process nets, along with various synchronous and asynchronous mechanisms; $R : T \to (0, +\infty)$,
j=1
R(ti ) = ri (i = 1,2, …, m) is a function which assigns a firing 492
437 where Π = (π1 , π2 , π3 , · · · , πn ) is the steady-state probability rate ri to ti . In the synchronous mechanism, one closed process 493
438 and πi denotes the probability of being in state Si . Q = [qij ] net sends a request to other and waits for acknowledgment. 494
439 is the transition rate matrix such that (i = j) and qij denotes Whereas, in asynchronous mechanism, other closed process can 495
440 the transition rate from state Si to Sj [10]. For no transition, continue further without sending the acknowledgment. If all the 496
441 qij = 0. input places of a CPN transition have nonzero markings, then 497
442 A process net PRN = (P ∪ {ps , pe }, T, F, M0 ) is a strongly the transition is said to be enabled. 498
443 connected, conservative, and live PN. Where, ps is a start place Let p1k and p2k are the input places of transition ti with their 499
444 with |◦ ps | = 0, and |p◦s | = 1; pe is an end place with |◦ pe | = 1, respective markings m1k and m2k . Suppose the transition ti fires 500
6 IEEE TRANSACTIONS ON RELIABILITY

Fig. 2. Framework for performance and reliability analysis.

Fig. 3. Two places to two places model.

Fig. 4. One place to two places model.

Fig. 5. Two places to one place model.

at time $\tau$ during a period $\Delta\tau$, then

$$\forall p_k \in {}^\circ t_i:\ m_k(\tau + \Delta\tau) = m_k(\tau) - v_i(\tau)\,\Delta\tau \tag{5}$$

$$\forall p_k \in t_i^\circ:\ m_k(\tau + \Delta\tau) = m_k(\tau) + v_i(\tau)\,\Delta\tau \tag{6}$$

where $v_i$ is the instantaneous firing speed of transition $t_i$ and equals the maximum firing speed (defined by David and Alla) given by $v_i = r_i \times \min\{m_{1k}, m_{2k}\}$ [41], [42].

The proposed framework for performance and reliability analysis consists of four steps, as shown in Fig. 2 and explained as follows.

A. Step 1: Formulation of ODE System

A collection of ODEs of a PN model is developed based on (5) and (6) and on the semantics discussed in Section III. These ODEs help in computing the marking. Let $m_i$ and $m$ be the markings of places $p_i$ and $p$, respectively, and let $r_i$ denote the firing rate of transition $t_i$. We consider the following cases in the formulation of the ordinary differential equation (ODE) system: 1) two places to two places model, 2) one place to two places model, and 3) two places to one place model.

Case A: Two places to two places model: As Fig. 3 shows, place $p$ gets markings from both place $p_1$ and place $p_2$, while it sends some marking along with place $p_3$. That is, $p_1$ and $p_2$ are the input places for $t_1$, while $p$ and $p_3$ are the input places for $t_2$. If each transition fires, then the marking $m$ for a time increment $\Delta\tau$ is written as

$$m(\tau + \Delta\tau) = m(\tau) + r_1 \cdot \min\{m_1(\tau), m_2(\tau)\}\,\Delta\tau - r_2 \cdot \min\{m(\tau), m_3(\tau)\}\,\Delta\tau$$

$$\Rightarrow\; \frac{m(\tau + \Delta\tau) - m(\tau)}{\Delta\tau} = r_1 \cdot \min\{m_1(\tau), m_2(\tau)\} - r_2 \cdot \min\{m(\tau), m_3(\tau)\}.$$

Let $\Delta\tau \to 0$; then we get the following ODE:

$$m'(\tau) = r_1 \cdot \min\{m_1(\tau), m_2(\tau)\} - r_2 \cdot \min\{m(\tau), m_3(\tau)\}. \tag{7}$$

Case B: One place to two places model: As Fig. 4 shows, place $p$ gets marking from $p_1$, and it produces some marking with the help of $p_2$. If every transition fires, then for a time interval $\Delta\tau$ the marking $m$ can be represented as

$$m(\tau + \Delta\tau) = m(\tau) + r_1 m_1(\tau)\,\Delta\tau - r_2 \cdot \min\{m(\tau), m_2(\tau)\}\,\Delta\tau$$

$$\Rightarrow\; \frac{m(\tau + \Delta\tau) - m(\tau)}{\Delta\tau} = r_1 m_1(\tau) - r_2 \cdot \min\{m(\tau), m_2(\tau)\}.$$

Let $\Delta\tau \to 0$; then we obtain the ODE as follows:

$$m'(\tau) = r_1 m_1(\tau) - r_2 \cdot \min\{m(\tau), m_2(\tau)\}. \tag{8}$$

Case C: Two places to one place model: As Fig. 5 shows, place $p$ obtains marking from $p_1$ and $p_2$, and it produces a marking for another place. Then, we can derive the differential equation as follows:

$$m'(\tau) = r_1 \cdot \min\{m_1(\tau), m_2(\tau)\} - r_2 \cdot m(\tau). \tag{9}$$

Readers can refer to [12] and [41] for more details on CPN, closed process nets, and the formulation of ODEs using CPN.
JYOTISH et al.: RELIABILITY AND PERFORMANCE MEASUREMENT OF SAFETY-CRITICAL SYSTEMS BASED ON PETRI NETS 7

B. Step 2: Solution of ODEs Using Runge–Kutta Method

The Runge–Kutta method can be used to solve a family of ODEs. It can be implemented using the MATLAB function "ode45." The ode45 function is a fourth/fifth-order Runge–Kutta method.

C. Step 3: Evaluation of Performance Measures Using ODE Solution

The ODE solution is used to find the various performance measures of a system. These performance metrics can be mean latency time, system throughput, etc. The mean latency time can be evaluated based on queueing theory and Little's law [43], whereas the system throughput can be measured by using the firing frequency of the transition.

D. Step 4: Reliability Measure

By using the system throughput value, we can measure the reliability of the system using the equation $R(t) = e^{-\lambda t}$, where $\lambda$ is the firing rate of the transition and $t$ is the target time.

V. CASE STUDY: SDS AND ITS PN MODEL

The SDS is a safety system that allows the reactor to shut down in any unfavorable plant condition to avoid potentially dangerous situations. Safety systems of an NPP are deployed to ensure the safety of the plant and public in all normal operating conditions, anticipated operational occurrences, and emergency conditions. The regulatory board of each country sets and imposes the guidelines/standards for robust design of these safety systems. The pressurized heavy water reactor has two independent, fast-acting, and diverse SDSs to ensure safe shutdown. Each of these SDSs, SDS1 and SDS2, operates on a distinct concept and can completely shut down the reactor in case of a design basis accident.

Both systems are fully automated; however, they can also be activated manually, for increased reliability. SDS1 stops the reactor operation and keeps it safe by dropping mechanical rods into the reactor core. SDS2 is intended to function at a greater "trip" set-point as compared to SDS1, to ensure the reactor shutdown in case of unavailability or failure of SDS1. It rapidly injects the poison into the NPP reactor, which absorbs neutrons and terminates the fission reaction. We have taken SDS2 as a case study to illustrate our approach to measuring reliability and performance.

A. SDS-2

To achieve the shutdown criteria, certain essential factors, known as trip parameters, must be monitored at all times. There are two types of trip parameters: absolute and conditional. The absolute trip parameters are applicable at any power level of the reactor, while the conditional parameters are applicable only when the power level of the reactor is equal to or higher than 2% of the full power of the reactor [44]. SDS-2 triggers in auto mode when any of the nine parameters listed in Table I [45] deviates from its normal range. Fig. 6 is the simplified schematic diagram of SDS-2.

TABLE I. TRIP PARAMETERS AND DETECTORS USED

Fig. 6. Simplified diagram of SDS-2 liquid poison injection system.

There is a poison tank, from which the poison is injected into the calandria, where the nuclear chain reaction is taking place, to terminate the nuclear reaction. The poison tanks are cylindrical in shape and are fixed to the exterior fence of the reactor vault [10]. The nozzle connects with all the poison tanks so that the poison can be pumped into the moderator. The poison tank contains a plastic ball that floats. The poison is injected when any of the trip parameters deviates from its normal range, for which instrumentation logics are implemented. This poison tank is connected with the helium supply tank through six quick opening valves (QOVs). These six QOVs are arranged in a series and parallel combination as shown in Fig. 6. There are three parallel lines, in each of which two QOVs are arranged. These QOVs normally remain in the closed state, i.e., when the reactor is in operating mode. Because they operate on the principle of an air closure and spring opening mechanism, the QOVs ensure that they open reliably on demand. There are three vent valves, one in each line, to vent the helium pressure, if any, during the operating mode of the reactor. These vent valves normally remain in the open state.

When any trip parameter deviates from the normal range, the vent valves get closed by energizing the relays, followed by opening of the QOVs, and helium pressurizes poison into the calandria; the poison ball is driven into the lower seat of the poison tank. The ball takes position at the poison tank exit
TABLE IIa. SDS-2 PROCESS TRANSITIONS

TABLE IIb. SDS-2 PROCESS PLACES

Fig. 7. Petri net model of poison injection system of SDS-2.

in the bottom, preventing helium gas from overpressurizing the calandria.

After shutting down the reactor, it is taken into maintenance, and to restart the reactor, the vent valves are opened followed by closing of the QOVs.

The functional requirements of SDS2 are implemented in a CBS that consists of various hardware and software components, such as sensors, actuators, digital I/O cards, relay output modules, software for data processing, graphical user interface, etc. The liquid poison is injected into the calandria via a two-out-of-three trip circuit employing control valves.

B. PN Model of SDS-2

The failure of SDS-2 will result in an exponential increase in the power, and the design parameters will exceed their range, which may jeopardize the integrity of mechanical components, by which the radioactivity may get exposed to the public. The SDS-2 is composed of many components, including sensors, logic, actuators, and a specific human–machine interface to achieve its intended function. Each QOV line has two vent valves: both are normally open (during normal conditions) to relieve pressure in that line, if any, and prevent an erroneous poison injection. Fig. 7 shows the PN model of SDS-2, which is explained as follows.

A token in place $m_1$ represents the deviation of any of the trip parameters from their design limits. A token in $m_2$ represents the creation of a logic condition (LC), and a token in $m_3$ represents the hold state of the LC. A relay is energized to close the vent valves, which is represented by a token in $m_5$. The poison is injected into the moderator when the QOV is opened, which is represented by a token in place $m_{10}$. For improved reliability, duplicate information about the QOV state, from a redundant sensor, is monitored, which is represented by a token in place $m_8$. The place $m_{13}$ is included to prioritize $t_6$ over $t_2$ when they are in a race condition. This will ensure the opening of the QOV in case any security threat leads to false information (closed state) about the QOV state. The descriptions of the transitions and places of Fig. 7 are shown in Tables II(a) and (b), respectively.

As shown in Fig. 7, our model consists of the following two closed process nets:

The first closed process net is $\{m_1, m_2, m_3, m_4\}$.

The second closed process net is made up of $\{m_5, m_6, m_{13}, m_3, m_{11}, m_7, m_8, m_{12}, m_9, m_{10}, m_{14}, m_1\}$.

These two closed process nets communicate with each other via the asynchronous MP mechanism.

VI. PERFORMANCE AND RELIABILITY ANALYSIS

1) Deadlock and Liveness Analysis: The modeling of SDS-2 was carried out using a TPN, as shown in Fig. 7. The deadlock and liveness analysis using siphons and traps is explained in Section III. We run the TimeNET tool [46] to calculate the number of siphons and traps present in the SDS-2 PN model. It has 12 minimal siphons and 12
marked traps. The siphons are as follows:

$S_1 = \{m_6, m_{13}, m_3, m_{11}, m_7\}$,
$S_2 = \{m_3, m_{11}, m_{12}, m_{14}, m_1, m_5, m_6, m_{13}\}$,
$S_3 = \{m_1, m_5, m_6, m_{13}, m_3, m_4\}$,
$S_4 = \{m_1, m_2, m_3, m_4\}$,
$S_5 = \{m_1, m_2, m_3, m_{11}, m_{12}, m_{14}\}$,
$S_6 = \{m_3, m_{11}, m_{12}, m_9, m_{13}\}$,
$S_7 = \{m_3, m_4, m_1, m_5, m_8, m_{12}, m_9, m_{13}\}$,
$S_8 = \{m_1, m_2, m_3, m_{11}, m_7, m_6, m_{10}, m_{14}\}$,
$S_9 = \{m_7, m_8\}$,
$S_{10} = \{m_5, m_8, m_{12}, m_{14}, m_1\}$,
$S_{11} = \{m_9, m_{10}\}$,
$S_{12} = \{m_5, m_6, m_{10}, m_{14}, m_1\}$.

The traps are as follows:

$T_1 = \{m_1, m_5, m_8, m_{12}, m_{14}\}$,
$T_2 = \{m_1, m_5, m_6, m_{13}, m_3, m_{11}, m_{12}, m_{14}\}$,
$T_3 = \{m_1, m_2, m_3, m_{11}, m_{12}, m_{14}\}$,
$T_4 = \{m_3, m_{11}, m_7, m_6, m_{13}\}$,
$T_5 = \{m_3, m_{11}, m_{12}, m_9, m_{13}\}$,
$T_6 = \{m_1, m_2, m_3, m_4\}$,
$T_7 = \{m_1, m_5, m_8, m_{12}, m_9, m_{13}, m_3, m_4\}$,
$T_8 = \{m_7, m_8\}$,
$T_9 = \{m_1, m_5, m_6, m_{10}, m_{14}\}$,
$T_{10} = \{m_9, m_{10}\}$,
$T_{11} = \{m_3, m_4, m_1, m_5, m_6, m_{13}\}$,
and $T_{12} = \{m_1, m_2, m_3, m_{11}, m_7, m_6, m_{10}, m_{14}\}$.

We can observe that $S_1, S_2, S_3, S_4, S_5, S_6, S_7, S_9, S_{10}, S_{11}$, and $S_{12}$ are also marked traps, but $S_8$ does not contain any trap. It means our PN model is deadlock-free. Also, the PN satisfies the liveness criteria mentioned in Section III because it has no potential deadlock.

1) Stability, Boundedness, and Steady-State Analysis: In the SDS-2 PN model shown in Fig. 7, each place contains either zero or one token for each marking that is reachable from the initial marking $M_0$, i.e., $M_0 \le 1$. It follows that the system is stable. Additionally, because the model is one-bounded, it is safe. We can also see that $\Delta M / \Delta t = 0$. As a result of (1), the system is steady as well. Thus, from the analysis of the PN model of SDS-2, the SDS satisfies all of the performance metrics.

2) Performance Analysis: To carry out the performance analysis, the PN model is transformed into a CPN that can be represented by a collection of ODEs. The CPN is explained in Section IV. The success criterion of SDS-2 is that it should be able to inject poison into the nuclear core within 1 s [10] to ensure the termination of the nuclear chain reaction in a safe manner. We use the proposed framework shown in Fig. 2 to perform the performance analysis described below.

Fig. 8. Solutions (state measures) of the Petri net model of SDS-2.

A. Step 3.1: Formulation of ODE System

As the structures of Figs. 3, 4, and 5 are part of our PN model of Fig. 7, we use (7), (8), and (9) to derive the ODE system from the PN model. Assume that it is possible to obtain the firing constants $r_i$ in advance for every activity modeled by a transition. Then, the ODE system of the PN model given in Fig. 7 can be formulated as follows:

$$\left.\begin{aligned}
m_1' &= r_4 \min\{m_4, m_{14}\} - r_1 m_1 \\
m_2' &= r_1 m_1 - r_2 \min\{m_2, m_{13}\} \\
m_3' &= r_2 \min\{m_2, m_{13}\} - r_3 m_3 \\
m_4' &= r_3 m_3 - r_4 \min\{m_4, m_{14}\} \\
m_5' &= r_1 m_1 - r_5 \min\{m_5, m_7\} \\
m_6' &= r_5 \min\{m_5, m_7\} - r_6 \min\{m_6, m_9\} \\
m_7' &= r_7 \min\{m_8, m_{11}\} - r_5 \min\{m_5, m_7\} \\
m_8' &= r_5 \min\{m_5, m_7\} - r_7 \min\{m_8, m_{11}\} \\
m_9' &= r_8 \min\{m_{10}, m_{12}\} - r_6 \min\{m_6, m_9\} \\
m_{10}' &= r_6 \min\{m_6, m_9\} - r_8 \min\{m_{10}, m_{12}\} \\
m_{11}' &= r_3 m_3 - r_7 \min\{m_8, m_{11}\} \\
m_{12}' &= r_7 \min\{m_8, m_{11}\} - r_8 \min\{m_{10}, m_{12}\} \\
m_{13}' &= r_6 \min\{m_6, m_9\} - r_2 \min\{m_2, m_{13}\} \\
m_{14}' &= r_8 \min\{m_{10}, m_{12}\} - r_4 \min\{m_4, m_{14}\}
\end{aligned}\right\} \tag{10}$$

The initial values for the ODE system are $m_1(0) = m_7(0) = m_9(0) = 1$, and all others are 0, where $m_i$ is the marking of the respective place and $r_i$ is the firing rate assigned to $t_i$.

B. Step 3.2: Solution of ODEs Using Runge–Kutta Method

We use Step 2 of the proposed framework, as explained in Section IV, to solve the above ODE system. For the ODE system (10) of the SDS-2 PN model, with the simulation data, we have $r_1 = 0.05$, $r_2 = 0.40$, $r_3 = 0.25$, $r_4 = 0.15$, $r_5 = 0.3$, $r_6 = 0.03$, $r_7 = 0.10$, and $r_8 = 0.20$. Using this method, we get the result illustrated in Fig. 8. When $t > 133.6481$ ms, every result approaches a unique fixed value: $m_1(t) \approx 0.2355$,
$m_2(t) \approx 0.4621$, $m_3(t) \approx 0.0472$, $m_4(t) \approx 0.2552$, $m_5(t) \approx 0.0393$, $m_6(t) \approx 0.3933$, $m_7(t) \approx 0.4321$, $m_8(t) \approx 0.5899$, $m_9(t) \approx 0.7488$, $m_{10}(t) \approx 0.2535$, $m_{11}(t) \approx 0.1179$, $m_{12}(t) \approx 0.0590$, $m_{13}(t) \approx 0.0295$, and $m_{14}(t) \approx 0.0784$. The ODE solution is used to find the system's delay.
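The deadlock check at the start of this section (a siphon is a place set $S$ with ${}^\circ S \subseteq S^\circ$, a trap one with $S^\circ \subseteq {}^\circ S$, and a net in which every siphon contains a marked trap cannot deadlock) and Steps 3.1 and 3.2 can be exercised on a single fluid model. The following Python code is an added example, not the authors' MATLAB/TimeNET implementation. It reads the arc structure of Fig. 7 off ODE system (10), which is an assumption since the figure itself is not reproduced on the page; checks the twelve listed siphons and traps against that structure; integrates (10) from $M_0$ with a fixed-step classical fourth-order Runge–Kutta scheme in place of ode45; and evaluates the Little's-law latency, the throughput of $t_5$, and the reliability $R(t) = e^{-\lambda t}$ of Steps 3 and 4 from the resulting steady state. The place names, rates, and initial marking are those of the page; the rate $\lambda_5 = 0.148$ used for the reliability figure is the Table III value quoted in this section's reliability computation.

```python
"""Added example (not the paper's code): fluid (CPN) model of the SDS-2 net,
built from the transition structure read off ODE system (10)."""
import math

# Transition -> (input places, output places), as implied by system (10).
# Assumption: this is the arc structure the ODEs encode; arcs of Fig. 7 that
# the fluid model does not carry are therefore absent here.
TRANSITIONS = {
    "t1": (("m1",), ("m2", "m5")),
    "t2": (("m2", "m13"), ("m3",)),
    "t3": (("m3",), ("m4", "m11")),
    "t4": (("m4", "m14"), ("m1",)),
    "t5": (("m5", "m7"), ("m6", "m8")),
    "t6": (("m6", "m9"), ("m13", "m10")),
    "t7": (("m8", "m11"), ("m7", "m12")),
    "t8": (("m10", "m12"), ("m9", "m14")),
}
PLACES = ["m%d" % i for i in range(1, 15)]
# Firing rates of Step 3.2 (per ms) and the initial marking M0 of Step 3.1.
RATES = {"t1": 0.05, "t2": 0.40, "t3": 0.25, "t4": 0.15,
         "t5": 0.30, "t6": 0.03, "t7": 0.10, "t8": 0.20}
M0 = {p: (1.0 if p in ("m1", "m7", "m9") else 0.0) for p in PLACES}
# Places of the second closed process net, over which L of (13) is summed.
SECOND_NET = ["m5", "m6", "m13", "m3", "m11", "m7", "m8", "m12",
              "m9", "m10", "m14", "m1"]


def preset(places):
    """Transitions that deposit a token into some place of the set (the set's input transitions)."""
    return {t for t, (_, outs) in TRANSITIONS.items() if set(outs) & set(places)}


def postset(places):
    """Transitions that remove a token from some place of the set (the set's output transitions)."""
    return {t for t, (ins, _) in TRANSITIONS.items() if set(ins) & set(places)}


def is_siphon(places):
    """S is a siphon if every transition feeding S also consumes from S."""
    return preset(places) <= postset(places)


def is_trap(places):
    """S is a trap if every transition consuming from S also feeds S."""
    return postset(places) <= preset(places)


def is_marked(places, marking=M0):
    """True if at least one place of the set carries a token under `marking`."""
    return any(marking[p] > 0 for p in places)


def derivatives(m):
    """Right-hand side of the ODE system: every transition fires at its maximum
    speed v_i = r_i * min over its input places ((5), (6), David and Alla), which
    reproduces cases A, B and C of Section IV and hence system (10)."""
    dm = {p: 0.0 for p in PLACES}
    for t, (ins, outs) in TRANSITIONS.items():
        v = RATES[t] * min(m[p] for p in ins)
        for p in ins:
            dm[p] -= v
        for p in outs:
            dm[p] += v
    return dm


def rk4_solve(m0=M0, t_end=2000.0, h=0.1):
    """Classical fourth-order Runge-Kutta with a fixed step (standing in for
    MATLAB's adaptive ode45); returns the marking at t_end (ms)."""
    m = dict(m0)
    for _ in range(int(round(t_end / h))):
        k1 = derivatives(m)
        k2 = derivatives({p: m[p] + 0.5 * h * k1[p] for p in PLACES})
        k3 = derivatives({p: m[p] + 0.5 * h * k2[p] for p in PLACES})
        k4 = derivatives({p: m[p] + h * k3[p] for p in PLACES})
        m = {p: m[p] + h / 6.0 * (k1[p] + 2 * k2[p] + 2 * k3[p] + k4[p])
             for p in PLACES}
    return m


def performance_measures(m, lambda_t5=0.148):
    """Steps 3 and 4 from a steady-state marking m: Little's-law latency
    W = L / lambda, throughput of t5 and reliability R = exp(-lambda_t5 * t).
    lambda_t5 is the Table III firing rate of t5 quoted on the page."""
    L = sum(m[p] for p in SECOND_NET)          # average token count in the net
    arrival = RATES["t1"] * m["m1"]           # mean token arrival rate at m1
    throughput = RATES["t5"] * m["m5"]        # firing frequency of t5
    return {"L": L, "lambda": arrival, "W_ms": L / arrival,
            "throughput": throughput,
            "R": math.exp(-lambda_t5 * throughput)}


if __name__ == "__main__":
    for name, s in {"S4": ["m1", "m2", "m3", "m4"], "S9": ["m7", "m8"]}.items():
        print(name, "siphon:", is_siphon(s), "trap:", is_trap(s), "marked:", is_marked(s))
    steady = rk4_solve()
    print({p: round(v, 4) for p, v in steady.items()})
    print(performance_measures(steady))
```

Because every transition fires at the speed of its scarcest input place, the one rule in `derivatives()` covers cases A, B, and C of Section IV at once, so the same code serves any CPN assembled from those building blocks; the linear invariants of the net (for instance $m_1 + m_2 + m_3 + m_4$, which the first closed process net conserves) are preserved exactly by the Runge–Kutta stages and make a cheap sanity check on an integration run. The siphon and trap check sees only the arcs the fluid model carries, so the priority arrangement around $m_{13}$ described for Fig. 7 is not reflected in it.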

Fig. 9. Mean latency time of the poison injection process of SDS-2.

TABLE III. TRANSITION'S FIRING RATE (IN PER MS)

C. Step 3.3: Evaluation of Performance Measures Using ODE Solution

Based on the ODE solution of Step 3.2, we can now evaluate the different performance measures of the SCS as follows:

1) Mean Latency Time: It is defined as the delay time to inject the poison into the calandria of the SDS-2, i.e., for the closed-process-net-based system, it is the delay time spent in a process, from the start of SDS-2 until the finish, when the poison is completely injected into the system. The mean latency of a subsystem is computed while the system is in the steady state. Based on queueing theory and Little's law, the mean latency time can be computed as

$$W = L/\lambda \tag{11}$$

where $L$ indicates the average token count present in the system, $\lambda$ is the mean token arrival rate in the system, and $W$ represents the mean latency time of the subsystem. Because the ODE solutions indicate the average marking of each place while the system is in steady state, $L$ can be calculated as

$$L = \sum_{l \in M} m_l \tag{12}$$

where $M$ represents the set of places that model other components of SDS-2 either waiting for the token so that they can perform their task or holding their token request in the process. Therefore, in the steady state, the mean delay time is defined as the task's queue length divided by the average number of markings entering the subsystem in unit time.

In our PN model shown in Fig. 7, after the initiation of the poison injection process at the place $m_1$, all the remaining places from the other closed process net $\{m_5, m_6, m_{13}, m_3, m_{11}, m_7, m_8, m_{12}, m_9, m_{10}, m_{14}, m_1\}$ are waiting for tokens so that they can perform their intended task. Therefore

$$L = m_5 + m_6 + m_{13} + m_3 + m_{11} + m_7 + m_8 + m_{12} + m_9 + m_{10} + m_{14} + m_1 = 3.0244. \tag{13}$$

The mean token arrival rate $\lambda$ is computed as

$$\lambda = r_1 m_1 = (0.05 \times 0.2355) = 0.011772. \tag{14}$$

Thus, the mean delay time using the ODE solution is

$$W_{ODE} = L/\lambda = \frac{3.0244}{0.011772} = 256.91\ \text{ms}. \tag{15}$$

From Fig. 9, we find that when $t > 133.6486$ ms, the mean latency time approaches a fixed value, i.e., 256.91 ms. Hence, the average delay of the SDS-2 system is computed as 0.25691 s.

2) System Throughput: The firing frequency is a metric for measuring throughput. In Fig. 7, place $m_5$ is the first place of the subsystem among the place set of the closed process net $\{m_5, m_6, m_{13}, m_3, m_{11}, m_7, m_8, m_{12}, m_9, m_{10}, m_{14}, m_1\}$, which can accept the token request from $m_1$. Therefore, the state measure of $m_5$ represents the token request, i.e., the token is accepted for the second closed process net $\{m_3, m_5, m_6, \ldots, m_{13}\}$ from the first closed process net $\{m_1, m_2, m_3, m_4\}$ via the transition $t_5$. Hence, the throughput $t$ of the system depends on the firing of the transition $t_5$. Thus, the throughput of the system, $t$ = marking rate of $t_5$ = $r_5 m_5$, is given by

$$t = (0.30 \times 0.0393) = 0.01179\ \text{ms}. \tag{16}$$

3) Reliability Analysis: The reliability criterion of SDS-2 is that it must be able to inject the poison within 1 s to ensure the safe shutdown of the reactor. Because of the criticality of the mission time, it is necessary to carry out reliability analysis. In Fig. 7, the transition $t_5$ is used as a trigger for proper closing of all the fast-acting valves, and it is the first transition by which the second closed process net gets a token. If the firing of $t_5$ does not happen in a proper way, then our system may lead to the unreliable condition. The reliability of the system is given by [47]

$$R(t) = e^{-\lambda t}. \tag{17}$$

Here, $\lambda$ is the firing rate of transition $t_5$, whose firing may cause the system to be in the unreliable condition, and $t$ is the system throughput as calculated in (16). The PN model of Fig. 7 was run using the TimeNET tool to measure the transition firing rates indicated in Table III. $\lambda_i$ denotes the firing rate of transition $t_i$ (where $i = 1, 2, \ldots, 8$). Therefore, the reliability of the system is

$$R_{ODE}(0.01179) = e^{-(0.148 \times 0.01179)} = 0.9982566$$
$$\text{Unreliability} = 1 - 0.9982566 = 0.0017434 \tag{18}$$

i.e., our model gives a reliability of 99.82%.

1) Algorithmic Complexity Analysis of Performance Measurement: The complexity analysis lies in the solution of the ODEs. In the framework of performance analysis, we employed the Runge–Kutta method to solve a family of ODEs. This method is better than Newton's method if the accuracy is less than 0.000001. We know that Newton's method has complexity $O(mn^3)$. Here, $m$ indicates the number of iterations, whereas $n$ is the number of variables. $m$ is generally $O(n)$ and never exceeds $O(n^2)$. As a result, the Runge–Kutta method's complexity is around $O(n^4)$ and never surpasses $O(n^5)$. Thus, computing the state measures of an ODE model requires a maximum of $O(n^5)$, where $n$ denotes the number of equations and $n \le |P|$. In our model, $n = 14$, i.e., the system has 14 places (as shown in Fig. 7) and 14 ODEs [as shown in (10)]. For a more complex system having a larger value of $n$, the proposed approach may give a higher latency time.

2) Reduction of State-Space Explosion Problem: One method to address the state explosion problem is proposed by Cai et al. [37], in which the functions of SDS-2 can be decomposed into smaller functions and each function can be implemented in a module, such as 1) a data acquisition module to acquire the state of process parameters, 2) a processing module to process the logic, and 3) a decision module to actuate the actuators according to the outcome of the processing logic. However, careful consideration is required to design the proper interfaces to integrate the results of reliability and performance analysis. Our proposed method is as follows. The polynomial time complexity $O(n^5)$ of the state measure of the ODE model demonstrates that the proposed strategy is capable of avoiding the state explosion problem, which is generally experienced by the traditional Markov-chain-based approaches. Since CPN is a relaxation strategy of SPN, if both are able to model the same system, then the following lemma holds for the system [41]:

Lemma: The mean token count at a place in the SPN and the state measure for that place in the CPN are nearly equal.

Fig. 10. Reachability graph of the Petri net model of SDS-2.

Fig. 11. Markov chain for the Petri net model of SDS-2.

TABLE IV. STEADY-STATE PROBABILITIES

Proof: We use the following notations and [48] to prove this lemma. The random variables $m(\tau)$ and $m_i(\tau)$ are used to express the marking of the places $p$ and $p_i$, respectively, at time $\tau$, which can take a value of either 0 or 1. The notation $(\ldots, b_i, b, \ldots)$ denotes an SPN's reachable state where $b_i$ and $b$ can take the value 0 or 1. $B_{(\ldots, b_i, b, \ldots)}(\tau)$ is the probability that the SPN stays in the state $(\ldots, b_i, b, \ldots)$ at time $\tau$. $S$ denotes every possible reachable state of the SPN.

It is sufficient to show that the expectation of the marking $m$ of the SPN also satisfies the state measure $m$ of the ODE, i.e., if the ODE for the place $m$ is $m'(\tau) = f(\tau, m(\tau))$, then it can be written as $(E[m(\tau)])' = f(\tau, E[m(\tau)])$. We consider Fig. 5 to prove the above lemma. As this structure is a part of the SPN, we can apply the Chapman–Kolmogorov equation to find the average token count for the associated SPN model, i.e.

$$B'_{(\ldots, b_1, b_2, b, \ldots)}(\tau) = r_1 \min(b_1 + 1, b_2 + 1)\, B_{(\ldots, b_1 + 1, b_2 + 1, b - 1, \ldots)}(\tau) - r_2\, b\, B_{(\ldots, b_1, b_2, b, \ldots)}(\tau) \tag{19}$$

where $r_1 \min(b_1 + 1, b_2 + 1)$ and $r_2 b$ are the firing rates of the transitions at time $\tau$. After summing over all the possible states, we get

$$\sum_{(\ldots, b_1, b_2, b, \ldots) \in S} B'_{(\ldots, b_1, b_2, b, \ldots)}(\tau) = \sum_{(\ldots, b_1, b_2, b, \ldots) \in S} r_1 \min(b_1 + 1, b_2 + 1)\, B_{(\ldots, b_1 + 1, b_2 + 1, b - 1, \ldots)}(\tau) - \sum_{(\ldots, b_1, b_2, b, \ldots) \in S} r_2\, b\, B_{(\ldots, b_1, b_2, b, \ldots)}(\tau). \tag{20}$$

Since the marking of each place is either 0 or 1, (20) can be written as

$$\sum_{(\ldots, 0, 0, 1, \ldots) \in S} B'_{(\ldots, 0, 0, 1, \ldots)}(\tau) = r_1 \sum_{(\ldots, 0, 0, 1, \ldots) \in S} B_{(\ldots, 1, 1, 0, \ldots)}(\tau) - r_2 \sum_{(\ldots, 0, 0, 1, \ldots) \in S} B_{(\ldots, 0, 0, 1, \ldots)}(\tau). \tag{21}$$
Since $S$ does not have states like $(\ldots, 1, 1, 1, \ldots)$, $(\ldots, 1, 0, 1, \ldots)$, $(\ldots, 0, 1, 1, \ldots)$, $(\ldots, 0, 1, 1, \ldots)$, $(\ldots, 1, 0, 1, \ldots)$ for the left-hand side of (21), the expectation can be written as

$$(E[m(\tau)])' = \sum_{(\ldots, 0, 0, 1, \ldots) \in S} B'_{(\ldots, 0, 0, 1, \ldots)}(\tau). \tag{22}$$

For the second term on the right-hand side of (21), we have

$$r_2 \sum_{(\ldots, 0, 0, 1, \ldots) \in S} B_{(\ldots, 0, 0, 1, \ldots)}(\tau) = r_2 \cdot E[m(\tau)]. \tag{23}$$

For the first term on the right-hand side of (21), we have

$$\begin{aligned}
E[\min(m_1(\tau), m_2(\tau))] &= \sum_{(\ldots, b_1, b_2, 0, \ldots) \in S} \min(b_1, b_2)\, B_{(\ldots, b_1, b_2, 0, \ldots)}(\tau) + \sum_{(\ldots, b_1, b_2, 1, \ldots) \in S} \min(b_1, b_2)\, B_{(\ldots, b_1, b_2, 1, \ldots)}(\tau) \\
&= \sum_{(\ldots, 1, 1, 0, \ldots) \in S} B_{(\ldots, 1, 1, 0, \ldots)}(\tau) + \sum_{(\ldots, 0, 0, 1, \ldots) \in S} B_{(\ldots, 1, 1, 0, \ldots)}(\tau).
\end{aligned}$$

Therefore, (21) can be written as

$$(E[m(\tau)])' = r_1 E[\min(m_1(\tau), m_2(\tau))] - r_2 \cdot E[m(\tau)]. \tag{24}$$

Now, using the following assumption [48] in (24), for two stochastic processes $m_1(\tau)$ and $m_2(\tau)$, we have

$$E[\min(m_1(\tau), m_2(\tau))] \approx \min(E[m_1(\tau)], E[m_2(\tau)]).$$

Hence, (24) becomes

$$(E[m(\tau)])' = r_1 \min(E[m_1(\tau)], E[m_2(\tau)]) - r_2 \cdot E[m(\tau)]. \tag{25}$$

Equation (25) can be written as $m'(\tau) = r_1 \cdot \min\{m_1(\tau), m_2(\tau)\} - r_2 \cdot m(\tau)$, which is the ODE measure of Fig. 5, as expressed in (9). We can give a similar explanation for Figs. 3 and 4, which have been used in our CPN modeling. It proves that the mean token count at a place in the SPN model is equal to the state measure of that place in the CPN model.

Also, our system can be modeled using an SPN. A typical SPN model requires the PN structure (as shown in Fig. 7), the reachability graph of the PN model (as shown in Fig. 10), and the Markov chain (as shown in Fig. 11). For the SPN model, we used the TimeNET tool for the performance measurement and for reachability graph creation. To check the performance, we have taken 17 different NPP systems. The numbers of places in our model and in the models of [15] and [23] are 14, 12, and 15, respectively, and the numbers of states present in the respective reachability graphs are 8, 13, and 14. TimeNET takes 25, 42, and 54 s to build the reachability graphs of our model, [15], and [23], respectively. When we used TimeNET to model various NPPs with 19, 24, 36, 58, and 62 places, the corresponding reachability graphs contained 32, 43, 68, 112, and 144 states, and the time needed to construct these reachability graphs was 114, 322, 1019, 2751, and 3769 s, respectively. For the CPN method, we used MATLAB R2022a to solve the ODEs. The experiment has been done using a personal computer with the Windows 10 operating system, an Intel Core i7-10750H CPU processor, CPU speed 2.60 GHz, and 16.0 GB RAM. Using the CPN approach, an ODE system with up to 3000 nodes can be computed within 18 s. It proves that our proposed strategy is capable of avoiding the state explosion problem. □

TABLE V. STEADY-STATE TOKEN PROBABILITY DENSITY VALUES

VII. PERFORMANCE AND RELIABILITY VALIDATION

An effective method for performance assessment was proposed recently by Kumar et al. [15]. The authors claim that the proposed method is very effective and gives performance estimates with an accuracy of more than 99%, and they demonstrated the approach on a case study of an NPP. To prove the effectiveness of our proposed approach, we carried out two steps: 1) we compute the performance of our case study using the recent method proposed in [15] and compare the results with the real data to find the accuracy of this method; and 2) we compute the performance using our proposed ODE method and compare the results with the real data to find the accuracy of our ODE method. Thereafter, both accuracies are compared to find the method that gives higher accuracy. In this section, we also compare our approach with the existing approaches as follows:

1) Performance validation with [15] and [23]: It involves the following seven steps:

a) PN model creation: We create the TPN model of SDS-2 using the TimeNET tool, as shown in Fig. 7.

b) Model parameter assignment: In this step, the delay of each transition is input into the model as per specification, expert elicitation, and experience from similar projects. The model was run using the TimeNET tool to measure the transition firing rates indicated in Table III. $\lambda_i$ denotes the firing rate of transition $t_i$ (where $i = 1, 2, \ldots, 8$).

c) Reachability graph creation: The reachability graph determines the system's boundary conditions, which may indicate the number of possible states during the system's operational life. The total number of possible markings shows the entire number of states that a system can go
JYOTISH et al.: RELIABILITY AND PERFORMANCE MEASUREMENT OF SAFETY-CRITICAL SYSTEMS BASED ON PETRI NETS 13

through. From the PN model depicted in Fig. 7, the corresponding reachability graph is constructed [5], [10] and presented in Fig. 10.

d) Markov chain creation: The reachability graph of the PN model is used to generate the Markov chain [5], [10]. Fig. 11 illustrates the Markov chain for the TPN model of Fig. 7.

e) Steady-state marking probability calculation: Equations (3) and (4) are used to calculate the steady-state marking probabilities. The transition rate matrix Q is shown in (26). Each marking S_i has exactly one successor, so the chain is a single cycle S_1 → S_2 → … → S_8 → S_1, and, as for any CTMC generator, each diagonal entry q_ii is the negative of the only off-diagonal rate in its row. The resulting balance equations (flow out of each marking equals flow into it) are given in (27). The steady-state marking probabilities are calculated from (27) and the transition firing rates of Table III; the values are listed in Table IV.

$$
Q = \begin{array}{c|cccccccc}
 & S_1 & S_2 & S_3 & S_4 & S_5 & S_6 & S_7 & S_8 \\ \hline
S_1 & q_{11} & \lambda_1 & 0 & 0 & 0 & 0 & 0 & 0 \\
S_2 & 0 & q_{22} & \lambda_5 & 0 & 0 & 0 & 0 & 0 \\
S_3 & 0 & 0 & q_{33} & \lambda_6 & 0 & 0 & 0 & 0 \\
S_4 & 0 & 0 & 0 & q_{44} & \lambda_2 & 0 & 0 & 0 \\
S_5 & 0 & 0 & 0 & 0 & q_{55} & \lambda_3 & 0 & 0 \\
S_6 & 0 & 0 & 0 & 0 & 0 & q_{66} & \lambda_7 & 0 \\
S_7 & 0 & 0 & 0 & 0 & 0 & 0 & q_{77} & \lambda_8 \\
S_8 & \lambda_4 & 0 & 0 & 0 & 0 & 0 & 0 & q_{88}
\end{array} \tag{26}
$$

$$
\begin{aligned}
\pi_1\lambda_1 &= \pi_8\lambda_4, & \pi_2\lambda_5 &= \pi_1\lambda_1, & \pi_3\lambda_6 &= \pi_2\lambda_5, & \pi_4\lambda_2 &= \pi_3\lambda_6,\\
\pi_5\lambda_3 &= \pi_4\lambda_2, & \pi_6\lambda_7 &= \pi_5\lambda_3, & \pi_7\lambda_8 &= \pi_6\lambda_7, & \pi_8\lambda_4 &= \pi_7\lambda_8.
\end{aligned} \tag{27}
$$

f) Steady-state token probability density calculation: This gives the probability that a given number of tokens is present in a particular place in the steady state. The values for the presence of a single token in each place are listed in Table V.

g) Delay measurement using queueing theory: The mean latency of a subsystem in the steady state is computed using Little's law. Let D be the mean token arrival rate into the system, S the mean latency of the subsystem, and V the system's average token count. Then, by Little's law,

$$ V = D\,S. \tag{28} $$

The value of V is obtained by summing all the steady-state probability density values of Table V:

$$ V = 3.9705. \tag{29} $$

Initially, one token is present in each of the places m_1, m_7, and m_9. Therefore, the mean token arrival rate is found by multiplying the steady-state probability density of each of these places by its respective transition firing rate and adding the products:

$$ D = P(m_1)\,\lambda_1 + P(m_7)\,\lambda_5 + P(m_9)\,\lambda_6 = 0.015592. \tag{30} $$

$$ \therefore\; S = \frac{V}{D} = \frac{3.9705}{0.015592} = 254.6498. \tag{31} $$

So the mean delay obtained with the other approach [15] is

$$ W_{[15]} = 254.65\ \text{ms}. \tag{32} $$

This means that, on average, a single token spends about 254.65 ms in the system, i.e., the modeled SDS-2 PN injects the poison to trip the reactor in 0.25465 s in an emergency event. This is the SDS-2 system's average delay.

TABLE VI
FIRING RATE IN COMMUNICATION NETWORK OF SDS-2

2) Performance Validation: An SDS-2 system is expected to inject poison into the calandria of the reactor if any of the trip parameters listed in Table I deviates from its intended value. As soon as a token is deposited in m_1, the poison injection procedure begins in accordance with the PN model of Fig. 7. Before the poison injection, however, the various components of the SDS-2 communicate with each other. The communication between transitions requires reading a message, sending a message, and sending/receiving an acknowledgment, each of which has an exponentially distributed execution time. If a sent message is lost in transit, or the sender does not receive an acknowledgment within the time limit, the message must be sent again. The retransmission takes place after a fixed timeout interval and does not follow an exponential distribution; the timeout is represented by a random variable with an Erlang probability density function. A cyclic redundancy check is also computed during communication. The trip values conveyed to the SDS-2 are denoted by tokens arriving in place m_1 as a Poisson process with rate μ. Thus, the SDS-2 system's actual throughput is μ(1 − ρ), where ρ denotes the probability that there is no token in place m_1, i.e., that the subsystem is too busy to accept new messages.

In our scenario, the SDS-2 communication network has a baud rate of 9600 with a 5% error rate and a packet size of 128 B. We then carry out a performance analysis of the system using the transition firing rates given in Table VI. The mean latency can be calculated when the system is congested, a packet acknowledgment is lost, or the system is on hold. In this situation we use Little's law, N = μT, to calculate the latency, where μ is the throughput rate. Using the values above and the throughput values of Table VI, the mean latency for the poison injection in the SDS-2 is 0.2572 s. So the mean delay obtained using Little's law is

$$ W_{LL} = 257.2\ \text{ms}. \tag{33} $$

Comparing (15) and (33), the accuracy of our proposed ODE-based approach for performance assessment can be computed

as

$$
\begin{aligned}
\text{error\%} &= \frac{|W_{LL} - W_{ODE}|}{W_{LL}} \times 100\% = \frac{|257.2 - 256.91|}{257.2} \times 100 = 0.11275\%,\\
\therefore\; \text{Accuracy} &= (100 - 0.11275)\% = 99.887\%.
\end{aligned} \tag{34}
$$

Now, comparing (32) and (33), the accuracy of the other approach [15] for performance assessment is

$$
\begin{aligned}
\text{error\%} &= \frac{|W_{LL} - W_{[15]}|}{W_{LL}} \times 100\% = \frac{|257.2 - 254.65|}{257.2} \times 100 = 0.99145\%,\\
\therefore\; \text{Accuracy} &= (100 - 0.99145)\% = 99.008\%.
\end{aligned} \tag{35}
$$

TABLE VII
OPERATIONAL PROFILE DATA OF 880 DAYS OF SDS-2

TABLE VIII
ALERT/RECOVERY MESSAGE
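The seven-step procedure of 1) ends with a hand evaluation of (28)–(31), and (34)–(35) compare the resulting delays. The following Python script is an added example, not part of the paper or of its TimeNET/MATLAB tooling: it implements steps e) and g) generically by building a generator matrix with the cyclic structure of (26), solving the steady-state equations by Gaussian elimination, checking the balance equations (27), and applying Little's law S = V/D together with the accuracy measure of (34)–(35). The firing rates in RATES are assumed placeholder values, because Table III is not reproduced on this page; V and D in the demonstration are the paper's own values from (29) and (30).

```python
"""Added example (not the paper's code): steady-state marking probabilities
for the cyclic CTMC of (26), a check of the balance equations (27), and
the Little's-law latency (28)-(31) with the accuracy measure of (34)-(35).
Pure Python, so it runs without numpy.

The firing rates in RATES are assumed placeholders; the paper's Table III
values are not reproduced on this page."""

from typing import Dict, List

# Row i of (26) has one off-diagonal entry: marking S_i goes to S_succ at
# the firing rate of transition t_k.  Entries are (succ, k), 1-based.
CYCLE = [(2, 1), (3, 5), (4, 6), (5, 2), (6, 3), (7, 7), (8, 8), (1, 4)]

# Assumed firing rates lambda_1 .. lambda_8 in 1/ms (NOT Table III).
RATES: Dict[int, float] = {1: 0.20, 2: 0.05, 3: 0.10, 4: 0.40,
                           5: 0.25, 6: 0.08, 7: 0.30, 8: 0.12}


def generator_matrix(rates: Dict[int, float]) -> List[List[float]]:
    """Q of (26): q_ii is minus the sum of the off-diagonal rates in row i."""
    n = len(CYCLE)
    q = [[0.0] * n for _ in range(n)]
    for i, (succ, k) in enumerate(CYCLE):
        q[i][succ - 1] = rates[k]
        q[i][i] = -rates[k]
    return q


def steady_state(q: List[List[float]]) -> List[float]:
    """Solve pi Q = 0, sum(pi) = 1 by Gaussian elimination.

    Q^T has rank n-1, so its last equation is replaced by the
    normalisation constraint, which makes the system nonsingular."""
    n = len(q)
    a = [[q[j][i] for j in range(n)] for i in range(n)]  # Q transposed
    b = [0.0] * n
    a[n - 1] = [1.0] * n
    b[n - 1] = 1.0
    for col in range(n):                      # elimination with partial pivoting
        piv = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[piv] = a[piv], a[col]
        b[col], b[piv] = b[piv], b[col]
        for r in range(col + 1, n):
            f = a[r][col] / a[col][col]
            for c in range(col, n):
                a[r][c] -= f * a[col][c]
            b[r] -= f * b[col]
    pi = [0.0] * n
    for r in range(n - 1, -1, -1):            # back substitution
        pi[r] = (b[r] - sum(a[r][c] * pi[c] for c in range(r + 1, n))) / a[r][r]
    return pi


def balance_residual(pi: List[float], rates: Dict[int, float]) -> float:
    """Largest violation of (27): probability flow out of S_i equals flow in."""
    worst = 0.0
    for i, (_, k_out) in enumerate(CYCLE):
        pred = next(j for j, (succ, _) in enumerate(CYCLE) if succ == i + 1)
        k_in = CYCLE[pred][1]
        worst = max(worst, abs(pi[i] * rates[k_out] - pi[pred] * rates[k_in]))
    return worst


def little_latency(v: float, d: float) -> float:
    """Little's law (28): mean latency S = V / D (ms when D is in tokens/ms)."""
    return v / d


def accuracy_percent(w_ref: float, w: float) -> float:
    """Accuracy as defined in (34)/(35): 100 - |w_ref - w| / w_ref * 100."""
    return 100.0 - abs(w_ref - w) / w_ref * 100.0


if __name__ == "__main__":
    pi = steady_state(generator_matrix(RATES))
    print("steady-state marking probabilities:", [round(p, 4) for p in pi])
    print("max balance residual of (27):", balance_residual(pi, RATES))
    # V and D are the paper's values (29)-(30); S reproduces (31).
    print("latency S = V/D (ms):", round(little_latency(3.9705, 0.015592), 2))
    print("ODE vs Little's-law accuracy (%):", round(accuracy_percent(257.2, 256.91), 3))
    print("[15] vs Little's-law accuracy (%):", round(accuracy_percent(257.2, 254.65), 3))
```

For a single cycle such as (26) the solution has the closed form π_i ∝ 1/(rate out of S_i), which is a useful sanity check on any tool output; the elimination routine is kept general so that the same code handles a reachability graph with branching, where no closed form exists.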

The comparison of (34) and (35) shows that the accuracy of the ODE-based performance assessment method is remarkable. The deviation of our approach is smaller than that of the other approach on real-time NPP data. The results were validated on 17 NPP systems, of which nine are control systems, six are SCSs, and two are monitoring systems. This validates the effectiveness of our approach.

3) Reliability Validation: To validate our technique, we used the operational profile data of 880 days of SDS-2. The hardware components are inspected and maintained on a regular basis and generally fail only because of manufacturing defects; these practices ensure the high-reliability requirements of the hardware components. Consequently, hardware failures can be neglected compared with software failures, and our validation considers only software failures. We employed the Ramamoorthy and Bastani model [49], which has been shown to be suitable for software-based safety-critical systems. The experimental validation of the reliability analysis includes three major steps: operational profile data collection, data analysis to find the number of failures, and reliability computation.

a) Operational profile data collection: The operational profile data are collected from six different running units of NPP. A test and monitoring system is run once a day to monitor the health of the system. While testing, the poison injection is disabled, and the logic circuitry and overall health of the equipment are examined by simulating the trip parameters. Hardware logic automatically bypasses the test mode on actual trip parameters, and all equipment then operates in accordance with the actual scenario. Every change in the process state, such as an LC closing or a QOV opening, is timestamped and recorded in the database of the test and monitoring system. Table VII shows the operational profile data collected for one unit in terms of the number of test days (d), the number of test runs (N_r), and the number of failures up to a given time (N_f).

b) Data analysis to find the number of failures: The data gathered in the previous stage are analyzed thoroughly to determine the number of failures. If the state changes from safe to unsafe, an alert message is displayed in red, and if the state returns to normal, a recovery message is displayed in green. Every alert and recovery message carries a timestamp in the format "dd/mm/yyyy hr:min:sec:msec", as shown in Table VIII. From Table VII it can be observed that no failure occurred during the first 59 days; the second failure occurred after 119 days, and so on.

c) Reliability computation: At this stage, we employ the Ramamoorthy and Bastani model to assess the reliability, according to which

$$ R_i(t) = E_{\lambda_i}\!\left[ e^{-\lambda_i \int_0^{t} f(T_i(s))\,ds} \right] \tag{36} $$

where λ_i ≥ 0 is the failure rate after the ith failure, T_i(s) is the testing process at time s after the ith failure, and f(T_i(s)) ≥ 0 is the severity of the testing process relative to the operational distribution. For operational profile data, let f(T_i(s)) = 1. Hence, (36) reduces to

$$ R_i(t) = E_{\lambda_i}\!\left[ e^{-\lambda_i \int_0^{t} ds} \right] = E_{\lambda_i}\!\left[ e^{-\lambda_i t} \right]. $$

Therefore, the reliability of the poison injection system of SDS-2 from the operational profile data (Table VII) is calculated as

$$
R_{opn} = \frac{59e^{0\cdot 1} + e^{-1\cdot 1} + 59e^{0\cdot 1} + e^{-1\cdot 1} + 119e^{0\cdot 1} + e^{-1\cdot 1} + 149e^{0\cdot 1} + e^{-1\cdot 1} + 109e^{0\cdot 1} + e^{-1\cdot 1} + 119e^{0\cdot 1} + e^{-1\cdot 1} + 139e^{0\cdot 1} + 120}{860},
$$

$$ \text{i.e., } R_{opn} = 0.9988636, \tag{37} $$

$$ \therefore\; \text{Unreliability} = 1 - R = 0.0011364. $$

Note that, with the terms as printed, the numerator sums to about 875.2, so the quotient over 860 would exceed 1 and the expression cannot be evaluated literally; the reported value 0.9988636 equals 879/880, which matches the 880-day observation period of Table VII.
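Steps a)–c) describe how the alert/recovery log is turned into a failure count and then into the reliability estimate. The following Python script is an added example, not the paper's own code: it parses log lines in the Table VIII timestamp format "dd/mm/yyyy hr:min:sec:msec", counts only genuine safe-to-unsafe transitions (a repeated alert while the system is already unsafe is not a new failure), derives the failure-free stretches that appear as the 59-, 119-, … day terms of (37), and evaluates the reduced form of (36) with f(T_i(s)) = 1. The log excerpt, the 200-day window starting 1 January 2021, and the reading of (37) as a per-day average of e^{−λt} with t = 1 day and λ = 1 on a day with a failure and 0 otherwise are all assumptions made for this example.

```python
"""Added example (not the paper's code): turn an SDS-2 alert/recovery log in
the Table VIII timestamp format into a failure count, the failure-free
stretches of (37), and the day-averaged reliability of the reduced (36).

Assumptions made for this example: the log lines below are constructed,
the observation window is 200 days from 1 Jan 2021, and (37) is read as
a per-day average of exp(-lambda * t) with t = 1 day and lambda = 1 on a
day with a failure, 0 otherwise."""

from datetime import datetime
from math import exp
from typing import Dict, List, Tuple

# "dd/mm/yyyy hr:min:sec:msec"; %f accepts the 3-digit msec field and
# right-pads it to microseconds.
TS_FORMAT = "%d/%m/%Y %H:%M:%S:%f"
START = datetime(2021, 1, 1)
WINDOW_DAYS = 200

# Constructed log excerpt, not real operational data.  Each line is
# "<date> <time> <ALERT|RECOVERY> <free text>".
LOG = """\
01/01/2021 06:00:00:000 RECOVERY initial state safe, daily test run 1
01/03/2021 06:00:12:480 ALERT LC-1 failed to close, state safe -> unsafe
01/03/2021 06:00:12:995 ALERT LC-1 still open (repeat, not a new failure)
01/03/2021 06:04:30:120 RECOVERY LC-1 closed, state unsafe -> safe
30/04/2021 06:00:08:301 ALERT QOV-2 spurious open, state safe -> unsafe
30/04/2021 06:00:09:870 RECOVERY QOV-2 closed, state unsafe -> safe
"""


def parse_events(text: str) -> List[Tuple[datetime, str]]:
    """Return (timestamp, kind) pairs in log order; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, kind, *_ = line.split()
        events.append((datetime.strptime(f"{date} {clock}", TS_FORMAT), kind))
    return events


def failure_days(events: List[Tuple[datetime, str]], start: datetime) -> List[int]:
    """0-based day index of every safe->unsafe transition.

    Only an ALERT seen while the state is safe counts as a new failure;
    repeated ALERTs before the RECOVERY belong to the same failure."""
    days, unsafe = [], False
    for ts, kind in events:
        if kind == "ALERT" and not unsafe:
            unsafe = True
            days.append((ts - start).days)
        elif kind == "RECOVERY":
            unsafe = False
    return days


def failure_free_stretches(fdays: List[int], total_days: int) -> List[int]:
    """Lengths of the failure-free runs of days between (and around) failures."""
    stretches, prev = [], -1
    for d in fdays:
        stretches.append(d - prev - 1)
        prev = d
    stretches.append(total_days - prev - 1)
    return stretches


def reliability(fdays: List[int], total_days: int) -> float:
    """Reduced (36) with f(T_i(s)) = 1, averaged over the observation days:
    each failure-free day contributes exp(0), each failure day exp(-1)."""
    n_fail = len(fdays)
    return ((total_days - n_fail) * exp(0.0) + n_fail * exp(-1.0)) / total_days


def analyse(text: str = LOG, start: datetime = START,
            total_days: int = WINDOW_DAYS) -> Dict[str, object]:
    """Run the whole pipeline of steps a)-c) on one log and return the results."""
    fdays = failure_days(parse_events(text), start)
    r = reliability(fdays, total_days)
    return {
        "failures": len(fdays),
        "failure_days": fdays,
        "stretches": failure_free_stretches(fdays, total_days),
        "reliability": r,
        "unreliability": 1.0 - r,
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

The first failure in the constructed log falls on day index 59 and the second on day 119, reproducing the "no failure during the first 59 days, second failure after 119 days" pattern of Table VII; the duplicate ALERT on 01/03/2021 is deliberately present to show that failure counting must be driven by state transitions, not by message counts.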

Comparing (37) and (18), the accuracy of our proposed ODE-based approach for reliability assessment is

$$
\begin{aligned}
\text{error\%} &= \frac{|R_{opn} - R_{ODE}|}{R_{opn}} \times 100\% = \frac{|0.9988636 - 0.9982566|}{0.9988636} \times 100 = 0.06077\%,\\
\therefore\; \text{Accuracy} &= (100 - 0.06077)\% = 99.939\%.
\end{aligned}
$$

This shows that the accuracy of the ODE-based reliability assessment method is higher. The results were validated on 17 NPP systems in the same way as for the performance assessment, which validates the effectiveness of our approach.

TABLE IX
COMPARATIVE ANALYSIS WITH OTHER EXISTING APPROACHES

4) Comparison of our proposed approach with other existing approaches: As shown in Table IX, to demonstrate the effectiveness of the proposed method we compare it with various existing PN and ODE approaches used to measure performance and reliability. Table IX summarizes the frameworks for measuring the performance and reliability of SCSs, their measurement accuracies, and whether or not they address the state-space explosion problem. Of the available frameworks, [15], [41], and [50] can only measure the performance of an SCS, while [1], [10], [20], and [51] can only assess its reliability. The method of [23] and our approach can measure both. Except for [41] and our solution, none of the approaches overcomes the state-space explosion problem of conventional PN-based methods. The measurement accuracies of performance and reliability obtained with the proposed method are also significantly higher than those of the other approaches. Further, no other method considers liveness, stability, boundedness, and steady-state analysis, which are critical performance metrics. Consequently, our method can measure both the performance and reliability of an SCS with respect to these metrics and addresses the state-space explosion problem, which shows that it outperforms the other methods.

VIII. CONCLUSION

This article measures the performance and reliability of SCSs using ODEs and TPNs. We introduced some important performance metrics that must be verified for an SCS, such as deadlock, stability, and steady state. The proposed approach is illustrated on an SCS of an NPP and addresses the constraints and limits of existing methods stated in Section II. The methodology models the SCS using a PN and then converts the model into a system of ODEs for performance evaluation. The approach is demonstrated on a case study of SDS-2, where it calculates the time required for the SDS-2 to inject the poison and trip the NPP successfully; the MATLAB simulation results support the evaluation of the outcome. The latency may be higher for more complex systems with a large number of places. A major issue in developing a PN model is the state explosion problem that arises when the number of system states is large, as in large-scale systems; the proposed ODE-based solution can deal with this limitation, and the state explosion of large-scale systems can additionally be handled by the decomposition technique given in [1]. The obtained average accuracies of our method for performance and reliability assessment are 99.887% and 99.939%, respectively. The proposed technique can be applied to the class of concurrent systems consisting of multiple processes that communicate via MP; such systems may also have other synchronization mechanisms, such as resource sharing. The technique has not been validated for nonexponential failures, which we will consider in future work. We intend to extend this work to other classes of concurrent systems, to validate the technique for nonexponential failures, and to integrate further dependability measures that influence the performance and reliability of SCSs.

REFERENCES

[1] L. K. Singh, G. Vinod, and A. K. Tripathi, "Design verification of instrumentation and control systems of NPP," IEEE Trans. Nucl. Sci., vol. 61, no. 2, pp. 921–930, Apr. 2014.
[2] Modern Instrumentation and Control for Nuclear Power Plants: A Guidebook, International Atomic Energy Agency, 1999.
[3] Nuclear Power Plant Simulators for Use in Operator Training, U.S. Nuclear Regulatory Commission, 1981.
[4] W. C. Lipinski, "Nuclear power plant instrumentation and control—A guidebook," International Atomic Energy Agency, 1984.
[5] T. Murata, "Petri nets: Properties, analysis and applications," Proc. IEEE, vol. 77, no. 4, pp. 541–580, Apr. 1989.
[6] J. Siebert, D. Petri, and M. Fedrizzi, "From measurement to decision: Sensitivity of decision outcome to input and model uncertainties," IEEE Trans. Instrum. Meas., vol. 68, no. 9, pp. 3100–3108, Sep. 2019.
[7] G. Xu, M. Liu, Z. Jiang, W. Shen, and C. Huang, "Online fault diagnosis method based on transfer convolutional neural networks," IEEE Trans. Instrum. Meas., vol. 69, no. 2, pp. 509–520, Feb. 2020.

[8] L. K. Singh, G. Vinod, and A. K. Tripathi, "Modeling and prediction of performability of safety critical computer based systems using Petri nets," in Proc. IEEE 23rd Int. Symp. Softw. Rel. Eng. Workshops, 2012, pp. 85–94.
[9] Z. Liu, Y. Liu, B. Cai, X. Li, and X. Tian, "Application of Petri nets to performance evaluation of subsea blowout preventer system," ISA Trans., vol. 54, pp. 240–249, Jan. 2015.
[10] L. K. Singh and H. Rajput, "Dependability analysis of safety critical real-time systems by using Petri nets," IEEE Trans. Control Syst. Technol., vol. 26, no. 2, pp. 415–426, Mar. 2018.
[11] N. K. Jyotish, L. K. Singh, and C. Kumar, "A state-of-the-art review on performance measurement Petri net models for safety critical systems of NPP," Ann. Nucl. Energy, vol. 165, Jan. 2022, Art. no. 108635.
[12] Z. Ding, H. Shen, and A. Kandel, "Performance analysis of service composition based on fuzzy differential equations," IEEE Trans. Fuzzy Syst., vol. 19, no. 1, pp. 164–178, Feb. 2011.
[13] P. Singh and L. K. Singh, "Modeling and measuring common cause failures in measurement of reliability of nuclear power plant systems," IEEE Trans. Instrum. Meas., vol. 70, 2021, Art. no. 3001608.
[14] R. J. Rodríguez, "A Petri net tool for software performance estimation based on upper throughput bounds," Automat. Softw. Eng., vol. 24, no. 1, pp. 73–99, Mar. 2017.
[15] P. Kumar, L. K. Singh, and C. Kumar, "Performance evaluation of safety-critical systems of nuclear power plant systems," Nucl. Eng. Technol., vol. 52, no. 3, pp. 560–567, Mar. 2020.
[16] L. Xia, H. A. Gabbar, M. U. Isham, and V. Ponomarev, "Performance evaluation of a new signal processing system design to improve CANDU SDS1 trip response during large break LOCA events," J. Nucl. Sci. Technol., vol. 53, no. 10, pp. 1513–1520, Oct. 2016.
[17] B. W. Rhee, H. Choi, J. H. Park, K. M. Chae, and H. J. Yun, "A three-dimensional CFD model for a performance verification of the liquid poison injection system of a CANDU-6 reactor," Nucl. Technol., vol. 159, no. 2, pp. 158–166, Aug. 2007.
[18] D. J. Rankin and J. Jiang, "Predictive trip detection for nuclear power plants," IEEE Trans. Nucl. Sci., vol. 63, no. 4, pp. 2352–2362, Aug. 2016.
[19] K. Aslansefat, M. Bahar Gogani, S. Kabir, M. A. Shoorehdeli, and M. Yari, "Performance evaluation and design for variable threshold alarm systems through semi-Markov process," ISA Trans., vol. 97, pp. 282–295, Feb. 2020.
[20] M. Tripathi, L. K. Singh, S. Singh, and P. Singh, "A comparative study on reliability analysis methods for safety critical systems using Petri-nets and dynamic flowgraph methodology: A case study of nuclear power plant," IEEE Trans. Rel., vol. 71, no. 2, pp. 564–578, Jun. 2022.
[21] L. Cheung, R. Roshandel, N. Medvidovic, and L. Golubchik, "Early prediction of software component reliability," in Proc. 30th Int. Conf. Softw. Eng., May 2008, pp. 111–120.
[22] W.-L. Wang, D. Pan, and M.-H. Chen, "Architecture-based software reliability modeling," J. Syst. Softw., vol. 79, no. 1, pp. 132–146, Jan. 2006.
[23] M. R. Mamdikar, V. Kumar, P. Singh, and L. Singh, "Reliability and performance analysis of safety-critical system using transformation of UML into state space models," Ann. Nucl. Energy, vol. 146, Oct. 2020, Art. no. 107628.
[24] Z. Chen and W. Li, "Multisensor feature fusion for bearing fault diagnosis using sparse autoencoder and deep belief network," IEEE Trans. Instrum. Meas., vol. 66, no. 7, pp. 1693–1702, Jul. 2017.
[25] P. Singh and L. K. Singh, "Reliability and safety engineering for safety critical systems: An interview study with industry practitioners," IEEE Trans. Rel., vol. 70, no. 2, pp. 643–653, Jun. 2021.
[26] P. Singh and L. K. Singh, "Engineering education for development of safety-critical systems," IEEE Trans. Educ., vol. 64, no. 4, pp. 398–405, Nov. 2021.
[27] P. Singh and L. K. Singh, "Reliability and safety engineering for safety-critical systems in computer science: A study into the mismatch between higher education and employment in Brazil and India," IEEE Trans. Educ., vol. 64, no. 4, pp. 353–360, Nov. 2021.
[28] J. Seo, J. Lee, E. Baek, R. Horowitz, and J. Choi, "Safety-critical control with nonaffine control inputs via a relaxed control barrier function for an autonomous vehicle," IEEE Robot. Automat. Lett., vol. 7, no. 2, pp. 1944–1951, Apr. 2022.
[29] W. Ding, B. Chen, B. Li, K. J. Eun, and D. Zhao, "Multimodal safety-critical scenarios generation for decision-making algorithms evaluation," IEEE Robot. Automat. Lett., vol. 6, no. 2, pp. 1551–1558, Apr. 2021.
[30] Z. Jiang et al., "Bridging the pragmatic gaps for mixed-criticality systems in the automotive industry," IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst., vol. 41, no. 4, pp. 1116–1129, Apr. 2022.
[31] B. Weng, L. Capito, U. Ozguner, and K. Redmill, "A formal characterization of black-box system safety performance with scenario sampling," IEEE Robot. Automat. Lett., vol. 7, no. 1, pp. 199–206, Jan. 2022.
[32] J. Thota, N. F. Abdullah, A. Doufexi, and S. Armour, "V2V for vehicular safety applications," IEEE Trans. Intell. Transp. Syst., vol. 21, no. 6, pp. 2571–2585, Jun. 2020.
[33] A. Y. Al Hammadi et al., "Novel EEG sensor-based risk framework for the detection of insider threats in safety critical industrial infrastructure," IEEE Access, vol. 8, pp. 206222–206234, 2020.
[34] H. Boudali, P. Crouzen, and M. Stoelinga, "A rigorous, compositional, and extensible framework for dynamic fault tree analysis," IEEE Trans. Dependable Secure Comput., vol. 7, no. 2, pp. 128–143, Apr.–Jun. 2010.
[35] K. Aslansefat and G.-R. Latif-Shabgahi, "A hierarchical approach for dynamic fault trees solution through semi-Markov process," IEEE Trans. Rel., vol. 69, no. 3, pp. 986–1003, Sep. 2020.
[36] S. Kabir, K. Aslansefat, I. Sorokos, Y. Papadopoulos, and Y. Gheraibia, "A conceptual framework to incorporate complex basic events in HiP-HOPS," in Proc. Int. Symp. Model Saf. Assessment, 2019, pp. 109–124.
[37] B. Cai, Y. Liu, Z. Liu, X. Tian, H. Li, and C. Ren, "Reliability analysis of subsea blowout preventer control systems subjected to multiple error shocks," J. Loss Prevention Process Ind., vol. 25, no. 6, pp. 1044–1054, 2012.
[38] R. A. Sahner, K. Trivedi, and A. Puliafito, Performance and Reliability Analysis of Computer Systems: An Example-Based Approach Using the SHARPE Software Package. Berlin, Germany: Springer, 2012.
[39] N. G. Leveson and J. L. Stolzy, "Safety analysis using Petri nets," IEEE Trans. Softw. Eng., vol. SE-13, no. 3, pp. 386–397, Mar. 1987.
[40] M. Jeng, X. Xie, and M. Peng, "Process nets with resources for manufacturing modeling and their analysis," IEEE Trans. Robot. Automat., vol. 18, no. 6, pp. 875–889, Dec. 2002.
[41] Z. Ding, Y. Zhou, and M. Zhou, "A polynomial algorithm to performance analysis of concurrent systems via Petri nets and ordinary differential equations," IEEE Trans. Automat. Sci. Eng., vol. 12, no. 1, pp. 295–308, Jan. 2015.
[42] R. David and H. Alla, Discrete, Continuous, and Hybrid Petri Nets, vol. 1. Berlin, Germany: Springer, 2010.
[43] S.-H. Kim and W. Whitt, "Statistical analysis with Little's law," Oper. Res., vol. 61, no. 4, pp. 1030–1045, Aug. 2013.
[44] CANDU 6 Program Team, CANDU 6 Tech. Summary, May 2005.
[45] T. L. Chu et al., "Workshop on philosophical basis for incorporating software failures into a probabilistic risk assessment," Brookhaven Nat. Lab., Upton, NY, USA, Tech. Rep. BNL-90571-2009-IR, Nov. 2009.
[46] A. Zimmermann and M. Knoke, TimeNET 4.0, 2007. [Online]. Available: depositonce.tu-berlin.de
[47] C. Lin and Y. Wei, "Stochastic process algebra and stochastic Petri nets," J. Softw., vol. 13, no. 2, pp. 203–213, 2002.
[48] R. A. Hayden and J. T. Bradley, "A fluid analysis framework for a Markovian process algebra," Theor. Comput. Sci., vol. 411, no. 22, pp. 2260–2297, May 2010.
[49] C. V. Ramamoorthy and F. B. Bastani, "Software reliability—Status and perspectives," IEEE Trans. Softw. Eng., vol. SE-8, no. 4, pp. 354–371, Jul. 1982.
[50] P. Singh and L. K. Singh, "Design of safety critical and control systems of nuclear power plants using Petri nets," Nucl. Eng. Technol., vol. 51, no. 5, pp. 1289–1296, Aug. 2019.
[51] L. Singh, H. Rajput, G. Vinod, and A. K. Tripathi, "Computing transition probability in Markov Chain for early prediction of software reliability," Qual. Rel. Eng. Int., vol. 32, no. 3, pp. 1253–1263, 2016.
[52] S. Hinz, K. Schmidt, and C. Stahl, "Transforming BPEL to Petri nets," in Business Process Management. Berlin, Germany: Springer, 2005, pp. 220–235.

Nand Kumar Jyotish (Student Member, IEEE) received the M.Tech. degree in computer science & engineering in 2015 from the Indian Institute of Technology (Indian School of Mines), Dhanbad, India, where he is currently working toward the Ph.D. degree in computer science & engineering.
His research interests include software reliability, mathematical modeling, safety-critical systems, fog/edge computing, machine learning, and software engineering.
Mr. Jyotish is a Reviewer of IEEE TRANSACTIONS ON RELIABILITY.

Lalit Kumar Singh (Senior Member, IEEE) received the Ph.D. degree in software reliability from the Indian Institute of Technology, Varanasi, India, in 2014.
He is currently a Scientist, level F, with the Nuclear Power Corporation of India, Mumbai, India.
Dr. Singh is the recipient of many prestigious awards and a member of the Indian Nuclear Society. He is a Reviewer of several prestigious high-impact journals and is supervising many Ph.D. students. He has completed several industrial projects and plays a vital role in various academic committees.

Pooja Singh (Senior Member, IEEE) received the Ph.D. degree in mathematical sciences from the Indian Institute of Technology, Varanasi, India, in 2014.
She is currently an Assistant Professor with the Department of Mathematics, SIES-Graduate School of Technology, Navi Mumbai, India.
Dr. Singh is the recipient of many prestigious awards and a member of the Indian Nuclear Society. She is a Reviewer of several prestigious high-impact journals and is supervising many Ph.D. students. She has completed several industrial projects.

Chiranjeev Kumar (Senior Member, IEEE) received the Ph.D. degree from the University of Allahabad, Allahabad, India, in 2006.
He is currently a Professor with the Department of Computer Science and Engineering, Indian Institute of Technology (Indian School of Mines) Dhanbad, Dhanbad, India. His research interests include software testing, wireless sensor networks, IoT, and software reliability.
Prof. Kumar is a Reviewer of several prestigious high-impact journals and is supervising many Ph.D. students. He has completed several projects of the Government of India, including projects for CSIR, DRDO, IIT(ISM), UGC, and Coal India Limited.
IEEE TRANSACTIONS ON RELIABILITY

Reliability and Performance Measurement of Safety-Critical Systems Based on Petri Nets: A Case Study of Nuclear Power Plant

Nand Kumar Jyotish, Student Member, IEEE, Lalit Kumar Singh, Senior Member, IEEE, Chiranjeev Kumar, Senior Member, IEEE, and Pooja Singh, Senior Member, IEEE

Abstract—Safety-critical systems (SCSs) mitigate the risk of catastrophic loss of assets and hence have high dependability targets. Performance and reliability are the critical dependability attributes, particularly of control and safety systems, and must therefore be measured to ensure dependability. Traditional methods either cannot capture the system dynamics or encounter the state explosion problem, and they cannot measure all critical performance attributes. This article proposes a novel approach to measuring the performance and reliability of SCSs. Such systems contain multiple interconnected processing nodes, whose functional requirements are modeled using a Petri net (PN). A set of ordinary differential equations (ODEs) that represents the state of the system is derived from the PN model. The ODE solution is used to measure the critical performance attributes, such as the latency time and throughput of the system. The proposed method avoids the state explosion problem and also introduces new performance metrics, along with their measurement: deadlock, liveness, stability, boundedness, and steady state. The technique is applied to a case study of a nuclear power plant. We obtained 99.887% and 99.939% accuracy of performance and reliability measurement, respectively, which demonstrates the effectiveness of our approach.

Index Terms—Latency time, Markov chain, ordinary differential equation (ODE), performance measurement, Petri nets (PN), reliability, safety-critical systems (SCSs), throughput.

I. INTRODUCTION

Safety-critical systems (SCSs) could result in loss of life, significant property damage, environmental damage, or loss of a goal-oriented mission if they fail. These are the computer-based systems (CBSs) on which we rely on a daily basis [1]. The most effective strategy to avoid such failures is to remove or minimize hazards early in the design and development phase, rather than later, when the system has become unmanageably complex. Such systems have grown in network connectivity and distribution and have thus become more perplexing, and their growing complexity may affect their overall performance. Therefore, it is necessary to model such systems for performance measurement before their actual implementation.

Instrumentation and control (I&C) systems are the nervous system of a nuclear power plant (NPP) and are CBSs. These systems perform their functions in normal, abnormal, and emergency conditions [2]. I&C systems identify fundamental physical elements, monitor performance, combine data, and automatically adjust plant operations to keep process variables within the design limits. I&C systems, in conjunction with the human operator, are responsible for ensuring the plant's safety and its efficient power generation [3]. Therefore, these systems should be carefully planned, designed, built, and maintained to allow the human operator to take appropriate action during abnormal operation. Various logic circuits maintain the NPP's protection and safety in an abnormal situation. Significant I&C logic circuits that provide protection and ensure the performance of the safety systems of NPPs include the emergency shutdown system (SDS), initiation of the auxiliary feedwater system, steam line isolation, and initiation of the safety injection system [4]. Even though I&C is only a small part of a typical plant's maintenance and capital upgrade budget, it considerably affects system dependability [2], [4]. Reliability and performance are two important attributes of dependability and hence must be measured.

The results of performance measurement using a system model help to identify potential bottlenecks and to take design decisions. A model can be thought of as a conceptual abstraction of a particular system. In the past few decades, researchers have

Manuscript received 16 May 2022; revised 3 August 2022; accepted 8 February 2023. Associate Editor: R. Kuhn. (Corresponding author: Nand Kumar Jyotish.)
Nand Kumar Jyotish and Chiranjeev Kumar are with the Department of Computer Science & Engineering, Indian Institute of Technology, Dhanbad 826004, India (e-mail: [email protected]; [email protected]).
Lalit Kumar Singh is with the Department of Computer Science & Engineering, Indian Institute of Technology, Varanasi 221005, India (e-mail: [email protected]).
Pooja Singh is with the Department of Mathematics, SIES-Graduate School of Technology, Navi Mumbai 400706, India (e-mail: poojasingh1615@
gmail.com). increasingly relied on analytical tools to measure various perfor- 72
Color versions of one or more figures in this article are available at
https://doi.org/10.1109/TR.2023.3244365. mance metrics. Many of these analytical methods use the Petri 73
Digital Object Identifier 10.1109/TR.2023.3244365 net (PN), which can explain the information flow of a system 74

0018-9529 © 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
2 IEEE TRANSACTIONS ON RELIABILITY

in a more meaningful way and compute several dependability attributes [5].

Many CBSs are used to measure critical process parameters and to take important decisions [6], [7], and hence measuring their performance and reliability is essential. In this article, a novel approach is devised to measure the performance and reliability of SCSs that is based on the closed process net (a variant of PN). We have derived the ODE system from the PN model and evaluated the different performance parameters using MATLAB. The design of a system with merely an informal definition is more difficult; in such scenarios, the proposed method can aid. The modeled system can be analyzed by checking various PN properties, such as liveness, reversibility, boundedness, deadlock absence, etc., that are performance indicators. Reliability and other performance indices, such as response time and throughput, are also measurable. The proposed approach is validated on multiple SCSs of an NPP and demonstrated on the SDS. The obtained measurement accuracies of performance and reliability are 99.887% and 99.939%, respectively, which proves the effectiveness of our approach.

The rest of this article is organized as follows. Section II summarizes known techniques as well as their shortcomings. The preliminary concepts and definitions are covered in Section III. Section IV gives a brief idea of the proposed methodology for performance and reliability analysis. Section V discusses the case study of the SDS and its PN model. Performance and reliability analysis is described in Section VI. Section VII discusses the validation of our approach. Finally, Section VIII concludes the article.

II. RELATED WORK

Singh et al. [1], [8] used PN to present a framework for modeling and prediction of the performability of SCSs. An SCS of an NPP is used to demonstrate the technique. It deals with the dynamic simulation of a test facility for an SCS used in an NPP. However, because the methodology depends solely on the TimeNET tool for calculation, it cannot properly consider the component interfaces. The authors assume that the firing delays of the transitions can be approximated by their mean values. Additionally, the provided technique does not support more than one parallel transition and hence fails to model concurrency. Further, the article does not discuss any method to measure the response time of the systems.

Liu et al. [9] suggested a deterministic and stochastic PN (SPN) based methodology for evaluating the performance of a subsea blowout prevention system. The method breaks the system into two parts to determine the system's performability: 1) the mechanical system and 2) the CBS. Additionally, the effect of component failures, along with their maintenance periods, on total system performance is also examined. However, the authors assume a constant component failure rate, which is not true in practical scenarios in the case of SCSs. Existing models cannot efficiently assess the performance of SCS software due to a lack of failure data and unrealistic assumptions.

Singh and Rajput [10] employed PN to analyze the dependability of an SCS's SDS-2. The suggested method takes advantage of the PN's modeling power by turning it into a Markov chain for quantification. The authors developed a linear-programming-based technique for state-space reduction. That work focuses only on reliability, and the accuracy of the reliability estimate is not measured.

Jyotish et al. [11] surveyed various approaches for evaluating the performance of PN-based models of SCSs, their limitations, the tools utilized, and the performance measures employed. This survey paper discusses the suitability analysis of SCS usage in an NPP. Based on our findings, some of the papers used a deterministic approach for performance evaluation and hence are not able to quantify the performance during run time. The approaches that are based on the state space of the system have made many unrealistic assumptions, such as a constant failure rate of the hardware and software components. Some approaches also lack validation.

Ding et al. [12] presented a Business Process Execution Language based technique for measuring the performance of service compositions. The method is described using a collection of fuzzy differential equations, each of which specifies a state change in the service composition. Each service state is quantified by a time-dependent fuzzy number indicating the degree to which the state is reachable during execution. However, fuzzy-logic-based approaches rest on unrealistic assumptions and hence contain several parametric, epistemic, and aleatoric uncertainties. Therefore, such approaches are not suitable for SCSs. Furthermore, a single equation category can contain several equations, and MATLAB may not have the computing power to handle such calculations.

Singh and Singh [13] proposed a method to measure the dependent failures of the components in a system, known as common cause failures. The proposed framework performs qualitative and quantitative screening analysis and detailed analysis, in which a probability model is developed to estimate the common cause basic event probabilities. Although the authors consider these dependencies for risk and reliability measurement, such dependencies also need to be considered for performance measurement of the system.

Rodríguez et al. [14] transformed unified modeling language profiles into PN for analyzing software performance based on the maximum productive capacity. The authors employ the PeabraiN tool to determine the maximum throughput bounds using the iterative LPP algorithm. The proposed transformation improves the data analysis capability. However, no method is mentioned for measuring the performance. As a result, the model only ensures the performance in a subjective manner and does not provide its quantitative assessment.

Kumar et al. [15] measured SCS performance by using timed PNs (TPNs) and a Markov chain. System functional requirements are first modeled in PN, which is then transformed into a Markov chain. However, for a large-scale system, the number of states can grow exponentially and hence leads to the state-space explosion problem. The proposed method does not consider many important metrics, such as liveness, deadlock, steady-state analysis, and boundedness, which are important performance indicators.

Xia et al. [16] evaluated the performance of the Canada Deuterium Uranium (CANDU) reactor SDS-1 using MATLAB/Simulink, a signal processing system, and existing
JYOTISH et al.: RELIABILITY AND PERFORMANCE MEASUREMENT OF SAFETY-CRITICAL SYSTEMS BASED ON PETRI NETS 3

power management. The proposed methodology significantly improves trip response time in comparison to the present system. Additionally, it enhances the safety margin and provides economic benefits to the NPP. However, the validity of considering all the functional requirements is not ensured, which may lead to conservative estimates.

Rhee et al. [17] developed a three-dimensional computational fluid dynamics (CFD) system for analyzing the performance of the SDS-2 CANDU reactor's liquid poison injection process. The authors conducted a series of studies to construct a restricted validation CFD model. However, the experiment does not provide a detailed dispersion profile of the liquid poison's distribution in the moderator of the CANDU reactor.

By leveraging observations of safety parameters in an NPP's SDS, Rankin and Jiang [18] suggested a Kalman-filter-based technique for developing a predictive SDS and predicting the attainment of trip set-points. When compared to traditional SDSs, the given prognostic SDS significantly brings down the time-to-trip. As a result, a large power spike is less likely to harm the reactor core and other crucial components. However, the method is just a preliminary step toward developing a potentially beneficial plan to improve the performance of conventional SDSs.

Aslansefat et al. [19] suggested a method for evaluating the performance of a threshold alarm system using a semi-Markov process. The authors demonstrated three cases and analyzed their performance based on the Priority-AND gate and a semi-Markov process. It is difficult to identify the complete state space of a large-scale system, and hence the Markov model would not be complete. Therefore, the accuracy of the reliability and performance measures of the system is doubtful. Also, it is not possible to model event-driven systems.

Tripathi et al. [20] emphasized the importance of the dependability of safety-critical systems and studied the existing methodologies for reliability quantification of such systems. The authors give a comparative study of two methods, dynamic flowgraph and PN, which are used for reliability measurement. An experimental study was carried out on a safety-critical system of an NPP. In conclusion, the PN model is able to measure many dependability attributes with higher accuracy.

Cheung et al. [21] enhanced Wang's [22] work by incorporating performance and reliability studies to support a variety of architectural types. However, they make performance predictions based on information from the operational profile and testing data, and on the intuition of the software architecture, and hence the method is not fruitful for taking early design decisions.

Mamdikar et al. [23] employed a transformation process in which the UML model is converted into PNs for the nonfunctional requirement analysis of SCSs. The authors analyzed dynamic behaviors and state-transition probabilities of SCSs to evaluate the performance and reliability accuracy. The suggested framework is tested with 32 SCS instances of an NPP on the reactor core isolation cooling system module. However, the methodology uses assumed probabilities, which can lead to an erroneous result.

Chen and Li [24] used a sparse autoencoder and an artificial neural network for multisensory feature fusion to perform fault diagnosis of bearings and also to improve the reliability of the fault diagnosis. In this method, time- and frequency-domain characteristics are gathered from diverse sensors and fed to neural networks, and these fused feature vectors are health indicators of the machine. However, performance is also an essential health indicator, which has not been considered in this article.

Singh and Singh [25], [26], [27] emphasized the dependability aspects of SCSs. Practitioners from leading research organizations, e.g., aerospace, nuclear energy, petrochemical, defense, etc., were interviewed to discuss the current state of the art and the practices adopted by the industries to ensure the dependability of SCSs. The different methodologies used for quantitative assessment of dependability were also discussed, which are based on stochastic modeling techniques that include PNs and Markov chains.

For an autonomous vehicle system, Seo et al. [28] presented an SCS feedback control architecture. While building the framework, the authors considered the major challenges of autonomous vehicle systems, such as safety and trajectory tracking performance. The model was built using a differential flatness approach, and then the trajectory tracking performance was achieved using a dynamic inversion method. The safety constraint is fulfilled using the control barrier function. However, model predictive control, the most promising control tool for performance measurement, is not included in the proposed technique. As a result, the accuracy of the performance evaluation is questionable.

Ding et al. [29] proposed a flow-based multimodal safety-critical scenario generator for assessing decision-making algorithms. This technique provides efficient and diversified evaluations of decision-making algorithms by evaluating their robustness against worst-case scenarios that span all risk modes more comprehensively. To accelerate the training process, an adaptive sampler-based feedback mechanism is provided, which can adjust the sampling region based on the generator's learning process. However, combining the evaluation and training processes may give the existing algorithm a stronger boost for safety-related attacks and can jeopardize the performance.

Jiang et al. [30] took various levels of criticality into account for designing SCSs on a common hardware platform. These mixed-criticality systems (MCSs) have been extensively studied in academia, but they are challenging to implement in industrial circumstances. The authors found practical gaps between theory and reality and proposed a generic industrial architecture known as P-MCS. The P-MCS is then assessed for safety and for performance metrics, such as system schedulability, throughput, and overheads. The presented technique incurs additional costs to meet industrial safety requirements and for its hardware-based implementation. Also, the reliability analysis of the technique is not validated.

Weng et al. [31] provided a scenario-based evaluation framework to give the safety performance of a black-box system. For a given test subject, the proposed scenario sampling algorithm is asymptotically optimal for obtaining the safe invariant with high accuracy. However, the work does not address the nonscenario-based testing regime and system reliability.

Thota et al. [32] suggested a new safety broadcast system to meet the requirements of vehicle-to-vehicle (V2V) applications
for latency and reliability. The authors then tested the system's performance in rural and urban areas with a varying number of vehicles using various wireless technologies, such as cellular and IEEE 802.11p. The application-layer RaptorQ codes help to enhance the performance of the V2V system. However, due to the half-duplex nature of cellular V2V, this improvement is reduced in the urban situation. Also, IEEE 802.11p suffers from preamble channel estimation and excessive collisions, both of which can affect system reliability.

Hammadi et al. [33] used human brainwaves and a new framework based on deep learning to find insider threats to safety-critical industrial infrastructure. The authors used electroencephalograms (EEGs) to record the brainwaves, which they then fed into a network of long short-term memories to make a detection network for detecting the threats. The EEG-based threat detection is more accurate and reliable than the previous method. But the technique does not consider system dynamics while evaluating the performance.

The authors in [34] used the dynamic fault tree (DFT) framework to conduct a reliability analysis of dynamic systems. The strategy reduces the state-space explosion problem to some extent by using input/output interactive Markov chains. The authors explained that the standard analysis for DFTs is state based, and treating a DFT as a continuous-time Markov chain is not applicable in all scenarios due to the possibility of multiple interpretations of the DFT. A semantic interpretation of DFTs is introduced that makes it easy to understand the interactions among fault tree building blocks. This approach helps in addressing the state explosion problem by exploiting the DFT structure to build the smallest Markov chain. Aslansefat and Latif-Shabgahi [35] also tried to address the state explosion problem using a semi-Markov process theorem for the DFT solution. The approach considers nonexponential failure distributions through a hierarchical solution. Kabir et al. [36] proposed a framework that incorporates complicated fundamental events in hierarchically performed hazard origin and propagation studies, which may effectively ensure the modeling capabilities for complex failures and the effectiveness of model-based safety analysis. The approach combines PNs with other methods, like algebraic solutions, to reduce the state explosion and improve the calculation. Cai et al. [37] proposed a Markov model to perform reliability analysis of subsea blowout preventer control systems subjected to multiple error shocks. The authors addressed the state explosion problem by splitting the system into three independent modules, and the corresponding Markov models are proposed subsequently. However, the system analyst needs to design the interfaces very carefully, and the mechanism for analyzing the results of integration should be effective. Also, the validation of the approaches on safety-critical systems is an important concern.

III. PRELIMINARY CONCEPTS AND DEFINITIONS

A PN is a directed, weighted, and bipartite graph containing two different types of nodes: places (shown by circles) and transitions (depicted by bars or boxes). Positive weight-labeled directed arcs connect these places and transitions. Places may contain zero or more tokens. The black dots inside the places denote tokens held by the respective place. Formally, a PN is described as a five-tuple PN = {P, T, α, β, M0}, where P = {p1, p2, p3, ..., pm} is a nonempty finite set of places, which describe the state of a system; T = {t1, t2, ..., tn} is a nonempty finite set of transitions, which change the state of the system; α : (P × T) → N is the preincidence function that defines the directed arcs from places to transitions; and β : (T × P) → N is the postincidence function that defines the directed arcs from transitions to places. Here, N denotes the set of natural numbers. M0 : P → {0, 1, 2, ...} is the initial marking, i.e., an m-vector whose elements represent the tokens present in each of the m places of the net. Also, P ∩ T = ∅ and P ∪ T ≠ ∅ [5].

The token movement in a PN model delineates the dynamic behavior of the system, represented by a change in the token distribution among the places. The necessary condition for a change in the token distribution is that at least one transition must be in the enabled state. When every input place p of transition t contains at least as many tokens as the weight of the arc (p, t), the transition t is said to be enabled. An enabled transition can fire. When transition t fires, it removes tokens from each of its input places p according to the weight of the arc (p, t) and adds tokens to each of its output places.

Fig. 1. Petri net execution. (a) Initial marking. (b) Marking after T1 fires. (c) Marking after T2 fires.

Fig. 1 depicts the working of a PN-modeled system. Fig. 1(a) shows that each of the places X and Y holds one token, enabling the transition T1. After the firing of T1, the new configuration of the net is depicted in Fig. 1(b): the firing of T1 takes the tokens from X and Y and puts a token into Z. The place Z in Fig. 1(b) has one token, which enables transition T2. Fig. 1(c) is the final configuration of the net after the firing of T2.

The performance of a system depends on its reliability and safety [25], [26], [27], [38], [39]. Therefore, while assessing performance, we must analyze factors that might endanger the SCS's reliability and safety. Deadlock, boundedness, liveness, stability, reachability, and reversibility are the important metrics of safety and reliability.

The liveness of a PN, or the presence of deadlock, is determined by a set of places known as a siphon. A nonempty set S ⊆ P is called a siphon iff °S ⊆ S°, and it is a trap iff S° ⊆ °S, where °S denotes the collection of input transitions of the place set S and S° the collection of output transitions of S. Once a siphon becomes token-free under some marking, it stays empty for all subsequent markings, whereas if a trap has any token in it, it remains marked for the rest of the time. As long as every siphon contains a marked trap, there is no danger of a potential deadlock in any siphon, and therefore the PN is deadlock-free and live [5].
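The firing rule and the siphon/trap test described above, as an added Python example that is not part of the paper: it assumes the Fig. 1 net has unit-weight arcs X, Y → T1 → Z → T2 with T2 as a sink transition (the figure itself is not reproduced here), and adds a constructed closed variant in which T2 returns the token to X and Y so that every minimal siphon holds a marked trap.

```python
"""Discrete Petri net semantics from Section III (enabling, firing, siphons and
traps) exercised on the net of Fig. 1.  Added example, not code from the paper;
the arc weights, the sink behaviour of T2 and the closed variant are
constructed assumptions."""
from itertools import combinations

# A net is described by its pre-incidence function alpha(p, t) and
# post-incidence function beta(t, p), both as {pair: arc weight}.
FIG1_PLACES = ["X", "Y", "Z"]
FIG1_ALPHA = {("X", "T1"): 1, ("Y", "T1"): 1, ("Z", "T2"): 1}
FIG1_BETA = {("T1", "Z"): 1}                      # assumption: T2 is a sink transition
FIG1_M0 = {"X": 1, "Y": 1, "Z": 0}

# Constructed closed variant: T2 returns the token to X and Y, giving a cycle.
CLOSED_BETA = {("T1", "Z"): 1, ("T2", "X"): 1, ("T2", "Y"): 1}


def enabled(alpha, marking, t):
    """t is enabled iff every input place p holds at least alpha(p, t) tokens."""
    return all(marking[p] >= w for (p, tt), w in alpha.items() if tt == t)


def fire(alpha, beta, marking, t):
    """Marking reached by firing t: remove alpha(p, t) tokens from each input
    place and add beta(t, p) tokens to each output place."""
    if not enabled(alpha, marking, t):
        raise ValueError(f"{t} is not enabled under {marking}")
    new = dict(marking)
    for (p, tt), w in alpha.items():
        if tt == t:
            new[p] -= w
    for (tt, p), w in beta.items():
        if tt == t:
            new[p] += w
    return new


def run(alpha, beta, m0, sequence):
    """Fire a transition sequence, returning every marking visited (Fig. 1a-c)."""
    trace = [dict(m0)]
    for t in sequence:
        trace.append(fire(alpha, beta, trace[-1], t))
    return trace


def pre_set(beta, S):
    """°S: transitions having an output arc into some place of S."""
    return {t for (t, p) in beta if p in S}


def post_set(alpha, S):
    """S°: transitions having an input arc from some place of S."""
    return {t for (p, t) in alpha if p in S}


def is_siphon(alpha, beta, S):   # °S ⊆ S°: once empty it stays empty
    return bool(S) and pre_set(beta, S) <= post_set(alpha, S)


def is_trap(alpha, beta, S):     # S° ⊆ °S: once marked it stays marked
    return bool(S) and post_set(alpha, S) <= pre_set(beta, S)


def subsets(places):
    for k in range(1, len(places) + 1):
        for c in combinations(places, k):
            yield frozenset(c)


def minimal_siphons(places, alpha, beta):
    siphons = [S for S in subsets(places) if is_siphon(alpha, beta, S)]
    return [S for S in siphons if not any(o < S for o in siphons)]


def deadlock_free(places, alpha, beta, m0):
    """Section III criterion: the net is deadlock-free and live when every
    minimal siphon contains a trap that is marked under M0.  Returns
    (True, None) or (False, offending siphon).  Exponential in |P|, which is
    fine for the small nets of this example."""
    for S in minimal_siphons(places, alpha, beta):
        if not any(is_trap(alpha, beta, T) and any(m0[p] > 0 for p in T)
                   for T in subsets(sorted(S))):
            return False, S
    return True, None


if __name__ == "__main__":
    for m in run(FIG1_ALPHA, FIG1_BETA, FIG1_M0, ["T1", "T2"]):
        print(m)
    print(deadlock_free(FIG1_PLACES, FIG1_ALPHA, FIG1_BETA, FIG1_M0))
    print(deadlock_free(FIG1_PLACES, FIG1_ALPHA, CLOSED_BETA, FIG1_M0))
```

The open Fig. 1 net fails the test on the siphon {X}, which empties after T1 fires and can never be refilled; the closed variant passes because its minimal siphons {X, Z} and {Y, Z} are also traps and are marked under M0.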
The boundedness property assures the absence of overflow at any place of the PN. The token count at any place of a bounded PN never surpasses a finite integer l for any marking reachable from the initial marking, and the PN is called safe when l = 1. If the boundedness property is satisfied for every possible firing sequence, then the PN is stable, and it is called steady if the following condition is met [5], [11], [15]:

$$\frac{\Delta M(t)}{\Delta t} = 0, \quad \text{where } \Delta t = t - t_0. \qquad (1)$$

A PN can exist in a steady state, and hence steady-state analysis can be performed. The proof is given as follows.

Lemma: PN(N, M0) can stay in a steady-state condition.

Proof: We know that the change in markings of a PN model with time is given by the following equation:

$$M' = M + [N] \cdot \sigma(\Delta t)$$

where M' and M are the markings of a place at time t and t0, respectively, [N] is the incidence matrix of the PN, and σ(Δt) = σ(t) − σ(t0) denotes the firing count vector between t and t0. We have

$$M' - M = [N] \cdot \sigma(\Delta t)$$

$$\Rightarrow \Delta M = [N] \cdot \sigma(\Delta t)$$

$$\Rightarrow \frac{\Delta M}{\Delta t} = [N] \cdot \frac{\sigma(\Delta t)}{\Delta t} = [N] \cdot \frac{\sigma(t) - \sigma(t_0)}{t - t_0}.$$

Because the PN is consistent, a firing sequence takes the system from M back to M, i.e., [N]·σ = 0:

$$\Rightarrow \frac{\sigma(t) - \sigma(t_0)}{\Delta t} = \exists\,\sigma : [N] \cdot \sigma(\Delta t) = 0$$

$$\therefore \exists\, \frac{\Delta M}{\Delta t} = 0. \qquad (2)$$

This demonstrates that the PN can exist in a steady state.

Reachability is a key basis for studying the dynamic aspects of the system. A firing sequence in a PN leads to a marking sequence. If a sequence of firings transforms marking M1 into another marking Mn, then Mn is said to be reachable from M1. In a reversible net, one can always go back to the initial marking M1 or to some home state [5].

The above structural properties must hold for the PN-modeled system. The PN model's steady-state probability distribution is computed after creating an equivalent Markov chain from its reachability graph and solving the following linear system:

$$\Pi \times Q = 0, \qquad \sum_{i=0}^{n} \pi_i = 1 \qquad (3)$$

and

$$q_{ii} = -\sum_{j=1,\ j \neq i}^{n} q_{ij} \qquad (4)$$

where Π = (π1, π2, π3, ···, πn) is the steady-state probability vector and πi denotes the probability of being in state Si. Q = [qij] is the transition rate matrix, where qij (i ≠ j) denotes the transition rate from state Si to Sj [10]. Where there is no transition, qij = 0.

A process net PRN = (P ∪ {ps, pe}, T, F, M0) is a strongly connected, conservative, and live PN, where ps is a start place with |°ps| = 0 and |ps°| = 1; pe is an end place with |°pe| = 1 and |pe°| = 0; and F ⊂ (P × T) ∪ (T × P) denotes the collection of arcs connecting places and transitions. Here, °ps is the set of input transitions of ps and ps° is the set of output transitions of ps; °pe and pe° are defined similarly. A process net becomes a closed process net if ps = pe. "Strong connectedness" refers to the fact that when ps is removed, the resulting net becomes acyclic; it means that there is a directed path between any pair of nodes of the net. Consistency is described as the presence of a firing sequence from M0 to M0 such that each transition fires at least once. The closed process net has a strong reversibility property, which means we can always return to M0 from any other marking M ∈ R(M0) upon the firing of transitions [40], [41].

IV. PROPOSED METHODOLOGY FOR PERFORMANCE AND RELIABILITY ANALYSIS

The existing literature deals with mean latency time and system throughput for performance analysis. However, it is essential to consider the deadlock, liveness, stability, boundedness, and steady-state metrics as well. A deadlock may delay process execution or even hold the state of the system for an infinite time. Liveness refers to a set of properties that require a system to make progress despite the fact that it is concurrently executing components. Stability is a property ensuring that the output of the system is under control. Boundedness ensures that all the entities in the system are restricted to some finite region of space. Steady-state analysis verifies the consistent behavior of the system. Therefore, these are good performance indicators and hence must be analyzed. In order to compute these metrics, the system requirements are modeled using PNs. The computation methodology of these metrics is demonstrated on a case study of an NPP system in Section VI. The framework for performance and reliability analysis is based on the concept of the continuous Petri net (CPN) and is generic in nature, so it can be applied to any type of SCS in any domain.

The CPN is a relaxation of the SPN, which helps to prevent the exponentially growing reachable markings that result from increased PN size. The CPN markings are assigned time-dependent nonnegative real numbers. Formally, it is defined as a three-tuple CPN = {PNM, M0, R}, where {PNM, M0} is a marked message passing (MP) net [12], [40], [41]. An MP net is a subclass of PN in which places are categorized as idle, activity, and buffer, whereas transitions are characterized as activity, input communication, and output communication. A place is idle if it contains no token, it becomes an activity place if it processes the token, and it is called a buffer place if it holds token(s). The CPN consists of a set of closed process nets, along with various synchronous and asynchronous mechanisms; R : T → (0, +∞), R(ti) = ri (i = 1, 2, ..., m) is a function which assigns a firing rate ri to ti. In the synchronous mechanism, one closed process net sends a request to another and waits for the acknowledgment, whereas in the asynchronous mechanism, the other closed process net can continue further without sending the acknowledgment. If all the input places of a CPN transition have nonzero markings, then the transition is said to be enabled.

Let p1k and p2k be the input places of transition ti with their respective markings m1k and m2k. Suppose the transition ti fires
at time τ during a period Δτ; then

$$\forall p_k \in {}^{\circ}t_i : m_k(\tau + \Delta\tau) = m_k(\tau) - v_i(\tau)\,\Delta\tau \qquad (5)$$

$$\forall p_k \in t_i^{\circ} : m_k(\tau + \Delta\tau) = m_k(\tau) + v_i(\tau)\,\Delta\tau \qquad (6)$$

where vi is the instantaneous firing speed of transition ti and equals the maximum firing speed (defined by David and Alla), given by vi = ri × min{m1k, m2k} [41], [42].

The proposed framework for performance and reliability analysis consists of four steps, as shown in Fig. 2 and explained as follows.

Fig. 2. Framework for performance and reliability analysis.

A. Step 1: Formulation of ODE System

A collection of ODEs of a PN model is developed based on (5) and (6) and the semantics discussed in Section III. These ODEs help in computing the marking. Let mi and m be the markings of places pi and p, respectively, and let ri denote the firing rate of transition ti. We consider the following cases in the formulation of the ordinary differential equation (ODE) system: 1) the two places to two places model, 2) the one place to two places model, and 3) the two places to one place model.

Case A: Two places to two places model: As Fig. 3 shows, place p gets markings from both place p1 and place p2, while it sends some marking along with place p3. That is, p1 and p2 are the input places for t1, while p and p3 are the input places for t2. If each transition fires, then the marking m for a time increment Δτ is written as

$$m(\tau + \Delta\tau) = m(\tau) + r_1 \cdot \min\{m_1(\tau), m_2(\tau)\}\,\Delta\tau - r_2 \cdot \min\{m(\tau), m_3(\tau)\}\,\Delta\tau$$

$$\Rightarrow \frac{m(\tau + \Delta\tau) - m(\tau)}{\Delta\tau} = r_1 \cdot \min\{m_1(\tau), m_2(\tau)\} - r_2 \cdot \min\{m(\tau), m_3(\tau)\}.$$

Let Δτ → 0; then we get the following ODE:

$$m'(\tau) = r_1 \cdot \min\{m_1(\tau), m_2(\tau)\} - r_2 \cdot \min\{m(\tau), m_3(\tau)\}. \qquad (7)$$

Fig. 3. Two places to two places model.

Case B: One place to two places model: As Fig. 4 shows, place p gets marking from p1, and it produces some marking with the help of p2. If every transition fires, then for a time interval Δτ the marking m can be represented as

$$m(\tau + \Delta\tau) = m(\tau) + r_1 m_1(\tau)\,\Delta\tau - r_2 \cdot \min\{m(\tau), m_2(\tau)\}\,\Delta\tau$$

$$\Rightarrow \frac{m(\tau + \Delta\tau) - m(\tau)}{\Delta\tau} = r_1 m_1(\tau) - r_2 \cdot \min\{m(\tau), m_2(\tau)\}.$$

Let Δτ → 0; then we obtain the ODE as follows:

$$m'(\tau) = r_1 m_1(\tau) - r_2 \cdot \min\{m(\tau), m_2(\tau)\}. \qquad (8)$$

Fig. 4. One place to two places model.

Case C: Two places to one place model: As Fig. 5 shows, place p obtains marking from p1 and p2, and it produces a marking for another place. Then, we can derive the differential equation as follows:

$$m'(\tau) = r_1 \cdot \min\{m_1(\tau), m_2(\tau)\} - r_2 \cdot m(\tau). \qquad (9)$$

Fig. 5. Two places to one place model.

Readers can refer to [12] and [41] for more details on the CPN, closed process nets, and the formulation of ODEs using the CPN.
JYOTISH et al.: RELIABILITY AND PERFORMANCE MEASUREMENT OF SAFETY-CRITICAL SYSTEMS BASED ON PETRI NETS 7

B. Step 2: Solution of ODEs Using Runge–Kutta Method

TABLE I
TRIP PARAMETERS AND DETECTORS USED

The Runge–Kutta method can be used to solve a family of ODEs. It can be implemented using the MATLAB function "ode45." The ode45 function implements a fourth/fifth-order Runge–Kutta method.

C. Step 3: Evaluation of Performance Measures Using ODE Solution

The ODE solution is used to find the various performance measures of a system. These performance metrics can be the mean latency time, the system throughput, etc. The mean latency time can be evaluated based on queueing theory and Little's law [43], whereas the system throughput can be measured by using the firing frequency of the transition.

D. Step 4: Reliability Measure

Using the system throughput value, we can measure the reliability of the system with the equation $R(t) = e^{-\lambda t}$, where $\lambda$ is the firing rate of the transition and $t$ is the target time.

V. CASE STUDY: SDS AND ITS PN MODEL

The SDS is a safety system that allows the reactor to shut down under any unfavorable plant conditions to avoid potentially dangerous situations. Safety systems of an NPP are deployed to ensure the safety of the plant and the public in all normal operating conditions, anticipated operational occurrences, and emergency conditions. The regulatory board of each country sets and imposes the guidelines/standards for the robust design of these safety systems. The pressurized heavy water reactor has two independent, fast-acting, and diverse SDSs to ensure safe shutdown. Each of these SDSs, SDS1 and SDS2, operates on a distinct concept and can completely shut down the reactor in case of a design basis accident. Both systems are fully automated; however, they can also be activated manually for increased reliability. SDS1 stops the reactor operation and keeps it safe by dropping mechanical rods into the reactor core. SDS2 is intended to function at a greater "trip" set-point than SDS1 to ensure the reactor shutdown in case of unavailability or failure of SDS1. It rapidly injects the poison into the NPP reactor, which absorbs neutrons and terminates the fission reaction. We have taken SDS2 as a case study to illustrate our approach to measuring reliability and performance.

Fig. 6. Simplified diagram of SDS-2 liquid poison injection system.

A. SDS-2

To achieve the shutdown criteria, certain essential factors, known as trip parameters, must be monitored at all times. There are two types of trip parameters: absolute and conditional. The absolute trip parameters are applicable at any power level of the reactor, while the conditional parameters are applicable only when the power level of the reactor is equal to or higher than 2% of the full power of the reactor [44]. SDS-2 triggers in auto mode when any of the nine parameters listed in Table I [45] deviates from its normal range. Fig. 6 is the simplified schematic diagram of SDS-2.

There is a poison tank, from which the poison is injected into the calandria, where the nuclear chain reaction is taking place, to terminate the nuclear reaction. The poison tanks are cylindrical in shape and are fixed to the exterior fence of the reactor vault [10]. The nozzle connects with all the poison tanks so that the poison can be pumped into the moderator. The poison tank contains a plastic ball that floats. The poison is injected when any of the trip parameters deviates from its normal range, for which instrumentation logics are implemented. This poison tank is connected with the helium supply tank through six quick opening valves (QOVs). These six QOVs are arranged in a series and parallel combination, as shown in Fig. 6. There are three parallel lines, in each of which two QOVs are arranged. These QOVs normally remain in the closed state, i.e., when the reactor is in operating mode. Because they operate on the principle of an air-closure and spring-opening mechanism, the QOVs ensure that they open reliably on demand. There are three vent valves, one in each line, to vent the helium pressure, if any, during the operating mode of the reactor. These vent valves normally remain in the open state.

When any trip parameter deviates from the normal range, the vent valves get closed by energizing the relays, followed by opening of the QOVs, and helium pressurizes the poison into the calandria; the poison ball is driven into the lower seat of the poison tank. The ball takes position at the poison tank exit
8 IEEE TRANSACTIONS ON RELIABILITY

in the bottom, preventing helium gas from overpressurizing the calandria. After shutting down the reactor, it is taken into maintenance, and to restart the reactor, the vent valves are opened followed by closing of the QOVs.

TABLE IIa
SDS-2 PROCESS TRANSITIONS

TABLE IIb
SDS-2 PROCESS PLACES

Fig. 7. Petri net model of poison injection system of SDS-2.

The functional requirements of SDS2 are implemented in a CBS that consists of various hardware and software components, such as sensors, actuators, digital I/O cards, relay output modules, software for data processing, graphical user interface, etc. The liquid poison is injected into the calandria via a two-out-of-three trip circuit employing control valves.

B. PN Model of SDS-2

The failure of SDS-2 will result in an exponential increase in the power, and the design parameters will exceed their range, which may jeopardize the integrity of mechanical components, by which the radioactivity may get exposed to the public. The SDS-2 is composed of many components, including sensors, logic, actuators, and a specific human–machine interface to achieve its intended function. Each QOV line has two vent valves: both are normally open (during normal conditions) to relieve pressure in that line, if any, and prevent an erroneous poison injection. Fig. 7 shows the PN model of SDS-2 and is explained as follows.

A token in place m1 represents the deviation of any of the trip parameters from their design limits. A token in m2 represents the creation of a logic condition (LC), and a token in m3 represents the hold state of the LC. A relay is energized to close the vent valves, which is represented by a token in m5. The poison is injected into the moderator when the QOV is opened, which is represented by a token in place m10. For improved reliability, duplicate information about the QOV state, from a redundant sensor, is monitored, which is represented by a token in place m8. The place m13 is included to prioritize t6 over t2 when they are in a race condition. This will ensure the opening of the QOV in case any security threat leads to false information (closed state) about the QOV state. The descriptions of the transitions and places of Fig. 7 are given in Tables II(a) and (b), respectively.

As shown in Fig. 7, our model consists of the following two closed process nets: the first closed process net is {m1, m2, m3, m4}, and the second closed process net is made up of {m5, m6, m13, m3, m11, m7, m8, m12, m9, m10, m14, m1}. These two closed process nets communicate with each other via an asynchronous MP mechanism.

VI. PERFORMANCE AND RELIABILITY ANALYSIS

1) Deadlock and Liveness Analysis: The modeling of SDS-2 was carried out using a TPN, as shown in Fig. 7. The deadlock and liveness analysis using siphons and traps is explained in Section III. We ran the TimeNET tool [46] to calculate the number of siphons and traps present in the SDS-2 PN model. It has 12 minimal siphons and 12
marked traps. The siphons are as follows:

S1 = {m6, m13, m3, m11, m7},
S2 = {m3, m11, m12, m14, m1, m5, m6, m13},
S3 = {m1, m5, m6, m13, m3, m4},
S4 = {m1, m2, m3, m4},
S5 = {m1, m2, m3, m11, m12, m14},
S6 = {m3, m11, m12, m9, m13},
S7 = {m3, m4, m1, m5, m8, m12, m9, m13},
S8 = {m1, m2, m3, m11, m7, m6, m10, m14},
S9 = {m7, m8},
S10 = {m5, m8, m12, m14, m1},
S11 = {m9, m10},
S12 = {m5, m6, m10, m14, m1}.

The traps are as follows:

T1 = {m1, m5, m8, m12, m14},
T2 = {m1, m5, m6, m13, m3, m11, m12, m14},
T3 = {m1, m2, m3, m11, m12, m14},
T4 = {m3, m11, m7, m6, m13},
T5 = {m3, m11, m12, m9, m13},
T6 = {m1, m2, m3, m4},
T7 = {m1, m5, m8, m12, m9, m13, m3, m4},
T8 = {m7, m8},
T9 = {m1, m5, m6, m10, m14},
T10 = {m9, m10},
T11 = {m3, m4, m1, m5, m6, m13},
and T12 = {m1, m2, m3, m11, m7, m6, m10, m14}.

We can observe that S1, S2, S3, S4, S5, S6, S7, S9, S10, S11, and S12 are also marked traps, but S8 does not contain any trap. It means that our PN model is deadlock-free. Also, the PN satisfies the liveness criteria mentioned in Section III because it has no potential deadlock.

1) Stability, Boundedness, and Steady-State Analysis: In the SDS-2 PN model shown in Fig. 7, each place contains either zero or one token in each marking that is reachable from the initial marking M0, i.e., M0 ≤ 1. It follows that the system is stable. Additionally, because the model is one-bounded, it is safe. We can also see that ΔM/Δt = 0. As a result of (1), the system is steady as well. Thus, from the analysis of the PN model of SDS-2, the SDS satisfies all of the performance metrics.

2) Performance Analysis: To carry out the performance analysis, the PN model is transformed into a CPN that can be represented by a collection of ODEs. The CPN is explained in Section IV. The success criterion of SDS-2 is that it should be able to inject poison into the nuclear core within 1 s [10] to ensure the termination of the nuclear chain reaction in a safe manner. We use the proposed framework shown in Fig. 2 to perform the performance analysis described below.

Fig. 8. Solutions (state measures) of the Petri net model of SDS-2.

A. Step 3.1: Formulation of ODE System

The structures of Figs. 3, 4, and 5 are part of our PN model of Fig. 7. Therefore, we use (7), (8), and (9) to derive the ODE system from the PN model. Assume that it is possible to obtain the firing constants ri in advance for every activity modeled by a transition. Then, the ODE system of the PN model given in Fig. 7 can be formulated as follows:

$$\left.\begin{aligned}
m_1' &= r_4 \min\{m_4, m_{14}\} - r_1 m_1 \\
m_2' &= r_1 m_1 - r_2 \min\{m_2, m_{13}\} \\
m_3' &= r_2 \min\{m_2, m_{13}\} - r_3 m_3 \\
m_4' &= r_3 m_3 - r_4 \min\{m_4, m_{14}\} \\
m_5' &= r_1 m_1 - r_5 \min\{m_5, m_7\} \\
m_6' &= r_5 \min\{m_5, m_7\} - r_6 \min\{m_6, m_9\} \\
m_7' &= r_7 \min\{m_8, m_{11}\} - r_5 \min\{m_5, m_7\} \\
m_8' &= r_5 \min\{m_5, m_7\} - r_7 \min\{m_8, m_{11}\} \\
m_9' &= r_8 \min\{m_{10}, m_{12}\} - r_6 \min\{m_6, m_9\} \\
m_{10}' &= r_6 \min\{m_6, m_9\} - r_8 \min\{m_{10}, m_{12}\} \\
m_{11}' &= r_3 m_3 - r_7 \min\{m_8, m_{11}\} \\
m_{12}' &= r_7 \min\{m_8, m_{11}\} - r_8 \min\{m_{10}, m_{12}\} \\
m_{13}' &= r_6 \min\{m_6, m_9\} - r_2 \min\{m_2, m_{13}\} \\
m_{14}' &= r_8 \min\{m_{10}, m_{12}\} - r_4 \min\{m_4, m_{14}\}
\end{aligned}\right\} \tag{10}$$

The initial values for the ODE system are m1(0) = m7(0) = m9(0) = 1, and all others are 0, where mi is the marking of the respective place and ri is the firing rate assigned to ti.

B. Step 3.2: Solution of ODEs Using Runge–Kutta Method

We use step 2 of the proposed framework, as explained in Section IV, to solve the above ODE system. For the ODE system (10) of the SDS-2 PN model, with the simulation data, we have r1 = 0.05, r2 = 0.40, r3 = 0.25, r4 = 0.15, r5 = 0.3, r6 = 0.03, r7 = 0.10, and r8 = 0.20. Using this method, we get the result illustrated in Fig. 8. When t > 133.6481 ms, every result approaches a unique fixed value: m1(t) ≈ 0.2355,
m2(t) ≈ 0.4621, m3(t) ≈ 0.0472, m4(t) ≈ 0.2552, m5(t) ≈ 0.0393, m6(t) ≈ 0.3933, m7(t) ≈ 0.4321, m8(t) ≈ 0.5899, m9(t) ≈ 0.7488, m10(t) ≈ 0.2535, m11(t) ≈ 0.1179, m12(t) ≈ 0.0590, m13(t) ≈ 0.0295, and m14(t) ≈ 0.0784. The ODE solution is used to find the system's delay.

C. Step 3.3: Evaluation of Performance Measures Using ODE Solution

Based on the ODE solution of step 3.2, we can now evaluate the different performance measures of the SCS as follows:

1) Mean Latency Time: It is defined as the delay time to inject the poison into the calandria of the SDS-2, i.e., for the closed process net based system, it is the delay time spent in a process, from the start of SDS-2 until the finish, when the poison is completely injected into the system. The mean latency of a subsystem is computed while the system is in the steady state. Based on queueing theory and Little's law, the mean latency time can be computed as

$$W = L/\lambda \tag{11}$$

where L indicates the average token count present in the system, λ is the mean token arrival rate in the system, and W represents the mean latency time of the subsystem. Because the ODE solutions indicate the average marking of each place while the system is in the steady state, L can be calculated as

$$L = \sum_{l \in M} m_l \tag{12}$$

where M represents the set of places that model either the other components of SDS-2 waiting for the token so that they can perform their task, or their token requests in the process. Therefore, in the steady state, the mean delay time is defined as the task's queue length divided by the average number of markings entering the subsystem in unit time.

Fig. 9. Mean latency time of the poison injection process of SDS-2.

TABLE III
TRANSITION'S FIRING RATE (IN PER MS)

In our PN model, as shown in Fig. 7, after the initiation of the poison injection process at the place m1, all the remaining places from the other closed process net {m5, m6, m13, m3, m11, m7, m8, m12, m9, m10, m14, m1} are waiting for tokens so that they can perform their intended task. Therefore

$$L = m_5 + m_6 + m_{13} + m_3 + m_{11} + m_7 + m_8 + m_{12} + m_9 + m_{10} + m_{14} + m_1 = 3.0244. \tag{13}$$

The mean token arrival rate λ is computed as

$$\lambda = r_1 m_1 = (0.05 \times 0.2355) = 0.011772. \tag{14}$$

Thus, the mean delay time using the ODE solution is

$$W_{ODE} = L/\lambda = \frac{3.0244}{0.011772} = 256.91 \text{ ms}. \tag{15}$$

From Fig. 9, we find that when t > 133.6486 ms, the mean latency time approaches a fixed value, i.e., 256.91 ms. Hence, the average delay of the SDS-2 system is computed as 0.25691 s.

2) System Throughput: The firing frequency is a metric for measuring throughput. In Fig. 7, place m5 is the first place of the subsystem among the place set of the closed process net {m5, m6, m13, m3, m11, m7, m8, m12, m9, m10, m14, m1} that can accept the token request from m1. Therefore, the state measure of m5 represents the token request, i.e., the token is accepted for the second closed process net {m3, m5, m6, …, m13} from the first closed process net {m1, m2, m3, m4} via the transition t5. Hence, the throughput t of the system depends on the firing of the transition t5. Thus, the throughput of the system is t = marking rate of t5 = r5 m5, i.e., it is given by

$$t = (0.30 \times 0.0393) = 0.01179 \text{ ms}. \tag{16}$$

3) Reliability Analysis: The reliability criterion of SDS-2 is that it must be able to inject the poison within 1 s to ensure the safe shutdown of the reactor. Because of the criticality of the mission time, it is necessary to carry out a reliability analysis. In Fig. 7, the transition t5 is used as a trigger for the proper closing of all the fast-acting valves, and it is the first transition by which the second closed process net gets a token. If the firing of t5 does not happen in a proper way, then our system may reach an unreliable condition. The reliability of the system is given by [47]

$$R(t) = e^{-\lambda t}. \tag{17}$$

Here, λ is the firing rate of transition t5, whose firing may cause the system to be in an unreliable condition, and t is the system throughput as calculated in (16). The PN model of Fig. 7 was run using the TimeNET tool to measure the transition firing rates indicated in Table III. λi denotes the firing rate of transition ti (where i = 1, 2, …, 8). Therefore, the reliability of the system is

$$R_{ODE}(0.01179) = e^{-(0.148 \times 0.01179)} = 0.9982566$$
$$\text{Unreliability} = 1 - 0.9982566 = 0.0017434 \tag{18}$$

i.e., our model gives a reliability of 99.82%.

1) Algorithmic Complexity Analysis of Performance Measurement: The complexity analysis lies in the solution of the ODEs. In the framework of performance analysis, we employed the Runge–Kutta method to solve a family of ODEs. This method is better than Newton's method if the accuracy is less than 0.000001. We know that Newton's method has complexity O(mn^3). Here, m indicates the number of iterations, whereas n is the number of variables. m is generally O(n) and never exceeds O(n^2). As a result, the Runge–Kutta method's complexity is around O(n^4) and never surpasses O(n^5). Thus, computing the state measures of an ODE model requires a maximum of O(n^5), where n denotes the number of equations and n ≤ |P|. In our model, n = 14, i.e., the system has 14 places (as shown in Fig. 7) and 14 ODEs [as shown in (10)]. For a more complex system having a larger value of n, the proposed approach may give a higher latency time.

2) Reduction of State-Space Explosion Problem: One method to address the state explosion problem is proposed by Cai et al. [37], in which the functions of SDS-2 can be decomposed into smaller functions and each function can be implemented in a module, such as 1) a data acquisition module to acquire the state of process parameters, 2) a processing module to process the logic, and 3) a decision module to actuate the actuators according to the outcome of the processing logic. However, careful consideration is required to design the proper interfaces to integrate the results of reliability and performance analysis. Our proposed method is as follows. The polynomial time complexity O(n^5) of the state measure of the ODE model demonstrates that the proposed strategy is capable of avoiding the state explosion problem, which is generally experienced by the traditional Markov-chain-based approaches. Since CPN is a relaxation strategy of SPN, if both are able to model the same system, then the following lemma holds for the system [41]:

Fig. 10. Reachability graph of the Petri net model of SDS-2.

Fig. 11. Markov chain for the Petri net model of SDS-2.

TABLE IV
STEADY-STATE PROBABILITIES

Lemma: The mean token count at a place in SPN and the state measure for that place in CPN are nearly equal.

Proof: We use the following notations and [48] to prove this lemma. The random variables m(τ) and mi(τ) are used to express the marking of the places p and pi, respectively, at time τ, which can take a value of either 0 or 1. The notation (…, bi, b, …) denotes an SPN's reachable state, where bi and b can take the value 0 or 1. B(…, bi, b, …)(τ) is the probability that the SPN stays in the state (…, bi, b, …) at time τ. S denotes every possible reachable state of the SPN. It is sufficient to show that the expectation of the marking m of the SPN also satisfies the state measure m of the ODE, i.e., if the ODE for the place m is $m'(\tau) = f(\tau, m(\tau))$, then it can be written as $(E[m(\tau)])' = f(\tau, E[m(\tau)])$. We consider Fig. 5 to prove the above lemma. As this structure is a part of the SPN, we can apply the Chapman–Kolmogorov equation to find the average token count for the associated SPN model, i.e.

$$B'(\ldots, b_1, b_2, b, \ldots)(\tau) = r_1 \min(b_1+1, b_2+1)\, B(\ldots, b_1+1, b_2+1, b-1, \ldots)(\tau) - r_2\, b\, B(\ldots, b_1, b_2, b, \ldots)(\tau) \tag{19}$$

where $r_1 \min(b_1+1, b_2+1)$ and $r_2 b$ are the firing rates of the transitions at time τ. After summing over all the possible states, we get

$$\sum_{(\ldots,b_1,b_2,b,\ldots)\in S} B'(\ldots, b_1, b_2, b, \ldots)(\tau) = \sum_{(\ldots,b_1,b_2,b,\ldots)\in S} r_1 \min(b_1+1, b_2+1)\, B(\ldots, b_1+1, b_2+1, b-1, \ldots)(\tau) - \sum_{(\ldots,b_1,b_2,b,\ldots)\in S} r_2\, b\, B(\ldots, b_1, b_2, b, \ldots)(\tau). \tag{20}$$

Since the marking of each place is either 0 or 1, (20) can be written as

$$\sum_{(\ldots,0,0,1,\ldots)\in S} B'(\ldots, 0, 0, 1, \ldots)(\tau) = \sum_{(\ldots,0,0,1,\ldots)\in S} r_1\, B(\ldots, 1, 1, 0, \ldots)(\tau) - \sum_{(\ldots,0,0,1,\ldots)\in S} r_2\, B(\ldots, 0, 0, 1, \ldots)(\tau). \tag{21}$$
TABLE V
STEADY-STATE TOKEN PROBABILITY DENSITY VALUES

Since S does not have states like (…,1,1,1,…), (…,1,0,1,…), (…,0,1,1,…), (…,0,1,1,…), (…,1,0,1,…), for the left-hand side of (21) the expectation can be written as

$$(E[m(\tau)])' = \sum_{(\ldots,0,0,1,\ldots)\in S} B'(\ldots, 0, 0, 1, \ldots)(\tau). \tag{22}$$

For the second term on the right-hand side of (21), we have

$$\sum_{(\ldots,0,0,1,\ldots)\in S} r_2\, B(\ldots, 0, 0, 1, \ldots)(\tau) = r_2 \cdot E[m(\tau)]. \tag{23}$$

For the first term on the right-hand side of (21), we have

$$\begin{aligned}
E[\min(m_1(\tau), m_2(\tau))] &= \sum_{(\ldots,b_1,b_2,0,\ldots)\in S} \min(b_1, b_2)\, B(\ldots, b_1, b_2, 0, \ldots)(\tau) + \sum_{(\ldots,b_1,b_2,1,\ldots)\in S} \min(b_1, b_2)\, B(\ldots, b_1, b_2, 1, \ldots)(\tau) \\
&= \sum_{(\ldots,1,1,0,\ldots)\in S} B(\ldots, 1, 1, 0, \ldots)(\tau) + \sum_{(\ldots,0,0,1,\ldots)\in S} B(\ldots, 1, 1, 0, \ldots)(\tau).
\end{aligned}$$

Therefore, (21) can be written as

$$(E[m(\tau)])' = r_1\, E[\min(m_1(\tau), m_2(\tau))] - r_2 \cdot E[m(\tau)]. \tag{24}$$

Now, using the following assumption [48] in (24), for two stochastic processes $m_1(\tau)$ and $m_2(\tau)$, we have

$$E[\min(m_1(\tau), m_2(\tau))] \approx \min(E[m_1(\tau)], E[m_2(\tau)]).$$

Hence, (24) becomes

$$(E[m(\tau)])' = r_1 \min(E[m_1(\tau)], E[m_2(\tau)]) - r_2 \cdot E[m(\tau)]. \tag{25}$$

Equation (25) can be written as $m'(\tau) = r_1 \cdot \min\{m_1(\tau), m_2(\tau)\} - r_2 \cdot m(\tau)$, which is the ODE measure of Fig. 5, as expressed in (9). We can give a similar explanation for Figs. 3 and 4, which have been used in our CPN modeling. It proves that the mean token count at a place in the SPN model is equal to the state measure of that place in the CPN model.

Also, our system can be modeled using SPN. A typical SPN model requires the PN structure (as shown in Fig. 7), the reachability graph of the PN model (as shown in Fig. 10), and the Markov chain (as shown in Fig. 11). For the SPN model, we used the TimeNET tool for the performance measurement and for reachability graph creation. To check the performance, we have taken 17 different NPP systems. The numbers of places in our model, [15], and [23] are 14, 12, and 15, respectively, and the numbers of states present in the respective reachability graphs are 8, 13, and 14. TimeNET takes 25, 42, and 54 s to build the reachability graphs of our model, [15], and [23], respectively. When we used TimeNET to model various NPPs with 19, 24, 36, 58, and 62 places, the corresponding reachability graphs contained 32, 43, 68, 112, and 144 states, and the time needed to construct these reachability graphs was 114, 322, 1019, 2751, and 3769 s, respectively. For the CPN method, we used MATLAB R2022a to solve the ODEs. The experiment was done using a personal computer with the Windows 10 operating system, an Intel Core i7-10750H CPU, CPU speed 2.60 GHz, and 16.0 GB RAM. Using the CPN approach, an ODE system with up to 3000 nodes can be computed within 18 s. It proves that our proposed strategy is capable of avoiding the state explosion problem. ∎

VII. PERFORMANCE AND RELIABILITY VALIDATION

An effective method for performance assessment was proposed recently by Kumar et al. [15]. The authors claim that the proposed method is very effective and gives performance estimates with an accuracy of more than 99%, and they demonstrated the approach on a case study of an NPP. To prove the effectiveness of our proposed approach, we carried out two steps: 1) we compute the performance of our case study using the recent method proposed in [15] and compare the results with the real data to find the accuracy of this method; and 2) we compute the performance using our proposed ODE method and compare the results with the real data to find the accuracy of our ODE method. Thereafter, both accuracies are compared to find the method that gives the higher accuracy. In this section, we also compare our approach with the existing approaches as follows:

1) Performance validation with [15] and [23]: It involves the following seven steps:

a) PN model creation: We create the TPN model of SDS-2 using the TimeNET tool, as shown in Fig. 7.

b) Model parameter assignment: In this step, the delay of each transition is input into the model as per the specification, expert elicitation, and experience from similar projects. The model was run using the TimeNET tool to measure the transition firing rates indicated in Table III. λi denotes the firing rate of transition ti (where i = 1, 2, …, 8).

c) Reachability graph creation: The reachability graph determines the system's boundary conditions, which may indicate the number of possible states during the system's operational life. The total number of possible markings shows the entire number of states that a system can go
JYOTISH et al.: RELIABILITY AND PERFORMANCE MEASUREMENT OF SAFETY-CRITICAL SYSTEMS BASED ON PETRI NETS 13

903 through. From the PN-model depicted in Fig. 7, the cor- TABLE VI
FIRING RATE IN COMMUNICATION NETWORK OF SDS-2
904 responding reachability graph is constructed [5], [10] and
905 presented in Fig. 10.
906 d) Markov chain creation: The reachability graph of the PN
907 model is used to generate the Markov chain [5], [10].
908 Fig. 11 illustrates the Markov chain for a TPN model of
909 Fig. 7.
910 e) Steady-state marking probability calculation: Equa- V 3.9705
tions (3) and (4) can be used to calculate the steady-state ∴ S= = = 254.6498. (31)
911
D 0.015592

f
912 marking probabilities. The transition rate matrix Q is
913 shown in (26). The resulting equation is shown in (27). The So mean delay time by comparing other’s approach is 937

oo
914 steady-state marking probabilities are calculated using W[15] = 254.65 ms. (32)
915 (27) and the transition’s firing rate values of the Table III.
916 These values are shown in Table IV It means that, on average, a single token is in use for about 938
254.65 ms of time in the system. Therefore, the modeled SDS- 939
⎡ ⎤ 2 PN injects the poison to trip the reactor in 0.25465 s in an 940
S1 S2 S3 S4 S5 S6 S7 S8
⎢S1 q11 λ1 0 ⎥ emergency event. It depicts the SDS-2 system’s average delay. 941
⎢ 0 0 0 0 0 ⎥
⎢S2 0 q22 λ5 0 ⎥ 2) Performance Validation: An SDS-2 system is expected to 942
⎢ 0 0 0 0 ⎥
⎢ S3 0 ⎥ inject poison into the calandria of the nuclear reactor if any 943
⎢ 0 q33 λ6 0 0 0 0 ⎥ of the trip parameters listed in the Table I deviates from
Q = ⎢ ⎥ 944
⎢ S 4 0 0 0 q 44 λ 2 0 0 0 Pr ⎥
⎢ S5 0 ⎥ their intended values. As soon as the token is deposited in 945
⎢ 0 0 0 q 55 λ 3 0 0 ⎥
⎢ S6 0 ⎥ m1 , the poison injection procedure begins in accordance 946
⎢ 0 0 0 0 q66 λ7 0 ⎥
⎣ S7 0 ⎦ with the PN model, as shown in Fig. 7. However, prior 947
0 0 0 0 0 q77 λ8
to the poison injection process, adequate communication 948
S8 λ4 0 0 0 0 0 0 q88
occurs between the various components of the SDS2. 949
(26) The communication between transitions requires reading 950

π1 • λ1 = π8 • λ4 ; π2 • λ5 = π1 • λ1 ; π3 • λ6 = π2 • λ5 ; a message, sending a message, and sending/receiving ac- 951

π4 • λ2 = π3 • λ6 ; π5 • λ3 = π4 • λ2 ; π6 • λ7 = π5 • λ3 ; knowledgment, each of which has an exponentially dis- 952

π7 • λ8 = π6 • λ7 ; π8 • λ4 = π7 • λ8 . tributed execution time. If a sent message is lost in transit, 953


or the sender does not receive an acknowledgment within
E
(27) 954
917 a time limit then there is a need to send the message again. 955
918 f) Steady-state token probability density calculation: It cal- The message retransmission is done after a fixed timeout 956
919 culates the likelihood of a specific amounts of token being interval, and it does not follow an exponential distribution. 957
920 present at a particular place in the steady state. These values It is important to note that the random variable time with 958
are shown in Table V for the presence of a single token at an Erlangian probability density function represents the 959
E

921
922 each place. timeout. The cyclic redundancy check computation is 960
923 g) Use queuing theory for the delay measurement: The mean also performed during communication. The trip values 961
924 latency of a subsystem while the system is present at the conveyed to the SDS-2 system are denoted by a token in 962
925 steady-state is computed using Little’s law. It is defined the place m1 having a poison rate of μ. Thus, the SDS-2 963
as D = mean tokens arrival rate in the system, S = mean system’s actual throughput is μ(1 − ρ). Here, ρ denotes 964
IE

926
927 latency of subsystem, and V = the system’s average token the probability that there is no token in place m1 implies 965
928 count. that the subsystem is too busy to take new messages. 966
929 Then, using Little’s law, In our scenario, the SDS-2 communication network’s baud 967
rate is 9600 with a 5% error rate and a packet size of 128 B. 968
V = DS. (28) Then, we conduct a performance analysis of our system using 969

930 The value of V is obtained after summing of all the steady-state the transition firing rates given in Table VI. The mean latency 970

931 probability density values obtained from Table V time can be calculated when the system is congested or there is 971
a loss of packet acknowledgment or is on-hold. In this situation, 972
∴ V = 3.9705. (29) we use Little’s law N = μT, to calculate the latency, where, μ 973

932 Initially, there is one token present in the positions m1 , m7 , is the throughput rate. Using the values mentioned above and 974

933 and m9 . Therefore, the mean token arrival rate can be found by throughput values of Table VI, the mean latency time for the 975

934 multiplying the values of these places’ steady-state probability poison injection in the SDS-2 is 0.2572 s. 976

935 density to their respective transition rates, and then they are So mean delay time using Little’s law is 977

936 added, i.e., WLL = 257.2 ms. (33)


D = (P (m1 ) • λ1 ) + (P (m7 ) • λ5 ) + (P (m9 ) • λ6 )
Comparing (15) and (33), the accuracy of our proposed ap- 978
∴ D = 0.015592 (30) proach for performance assessment using ODE can be computed 979
14 IEEE TRANSACTIONS ON RELIABILITY
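The arithmetic behind (28)-(30) and (33)-(35), as an added worked example that is not the paper's code: it sums the steady-state densities into V, forms D over the initially marked places m1, m7, m9, takes S = V/D from Little's law, and scores each latency estimate against W_LL with the relative-error accuracy metric. The per-place densities and rates (and the names `Place`, `PLACES`, `validate_performance`) are constructed stand-ins, since Tables V and VI are not reproduced here; only their totals match the paper's V and D.

```python
"""Little's-law latency and accuracy check for the SDS-2 performance validation.

Added example, not the paper's code. It implements (28)-(30) and (33)-(35):
V = sum of steady-state token densities, D = sum of P(m_i)*lambda_i over the
initially marked places {m1, m7, m9}, S = V/D from V = DS, and
error% = |W_LL - W| / W_LL * 100 for each latency estimate W. The per-place
densities and rates are CONSTRUCTED stand-ins for Tables V and VI (not
reproduced here); only their totals match the paper's V and D.
"""
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Place:
    name: str
    density: float  # steady-state probability density P(m_i), Table V
    rate: float     # firing rate of the transition this place feeds, Table VI

# Constructed stand-in for Tables V/VI: sums give V = 3.9705, D = 0.015592.
PLACES = (
    Place("m1", 0.8000, 0.010000),  # lambda1, initially marked
    Place("m2", 0.3000, 0.0),
    Place("m3", 0.3000, 0.0),
    Place("m4", 0.3000, 0.0),
    Place("m5", 0.3000, 0.0),
    Place("m6", 0.4705, 0.0),
    Place("m7", 0.6000, 0.008000),  # lambda5, initially marked
    Place("m8", 0.4000, 0.0),
    Place("m9", 0.5000, 0.005584),  # lambda6, initially marked
)
INITIALLY_MARKED = frozenset({"m1", "m7", "m9"})  # one token in each

W_LL_MS = 257.2      # mean delay measured via Little's law N = mu*T, (33)
W_ODE_MS = 256.91    # the paper's ODE-based estimate, (15)
W_REF15_MS = 254.65  # estimate of the approach in [15], (32)

def average_tokens(places) -> float:
    """V in (29): the sum of all steady-state probability densities."""
    return sum(p.density for p in places)

def arrival_rate(places, marked=INITIALLY_MARKED) -> float:
    """D in (30): sum of P(m_i) * lambda_i over the initially marked places."""
    return sum(p.density * p.rate for p in places if p.name in marked)

def littles_law_latency(v: float, d: float) -> float:
    """S = V / D, rearranging (28); rejects the degenerate no-arrival case."""
    if d <= 0.0:
        raise ValueError("mean arrival rate must be positive")
    return v / d

def accuracy_percent(reference: float, estimate: float) -> tuple[float, float]:
    """(error%, accuracy%) as in (34)/(35): error = |ref - est| / ref * 100."""
    if reference == 0.0:
        raise ValueError("reference value must be non-zero")
    error = abs(reference - estimate) / abs(reference) * 100.0
    return error, 100.0 - error

def validate_performance(places=PLACES) -> dict:
    """Run the whole chain and return the rounded figures the paper reports."""
    v = average_tokens(places)
    d = arrival_rate(places)
    s_ms = littles_law_latency(v, d)  # PN steady-state latency, ms
    err_ode, acc_ode = accuracy_percent(W_LL_MS, W_ODE_MS)
    err_15, acc_15 = accuracy_percent(W_LL_MS, W_REF15_MS)
    return {"V": round(v, 4), "D": round(d, 6), "S_ms": round(s_ms, 2),
            "ode": (round(err_ode, 5), round(acc_ode, 3)),
            "ref15": (round(err_15, 5), round(acc_15, 3))}

if __name__ == "__main__":
    for key, value in validate_performance().items():
        print(f"{key}: {value}")
```

Note that V/D with the paper's totals evaluates to 254.65 ms, which numerically coincides with the [15] latency the paper compares against in (35); the same `accuracy_percent` metric reproduces the 0.06077% reliability error of Section VII.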

$$\text{error}\% = \frac{|W_{LL} - W_{ODE}|}{W_{LL}} \times 100\% = \frac{|257.2 - 256.91|}{257.2} \times 100 = 0.11275\%$$
$$\therefore \text{Accuracy} = (100 - 0.11275)\% = 99.887\%. \tag{34}$$

Now, comparing (32) and (33), the accuracy of the other approach [15] for performance assessment can be computed as

$$\text{error}\% = \frac{|W_{LL} - W_{[15]}|}{W_{LL}} \times 100\% = \frac{|257.2 - 254.65|}{257.2} \times 100 = 0.99145\%$$
$$\therefore \text{Accuracy} = (100 - 0.99145)\% = 99.008\%. \tag{35}$$

The comparison of (34) and (35) proves that the accuracy of the performance assessment method using the ODE solution is remarkable. The deviation in the accuracy of our approach is smaller compared to the other approach on real-time data of an NPP. The results were validated on 17 NPP systems, of which nine are control systems, six are SCSs, and two are monitoring systems. This validates the effectiveness of our approach.

3) Reliability Validation: To validate our technique, we have used the operational profile data of 880 days of SDS-2. The hardware components are inspected and maintained on a regular basis and generally fail due to manufacturing defects. These practices ensure the high-reliability requirements of hardware components. Consequently, hardware failures can be neglected compared to software failures. Therefore, in our validation approach, we consider only the software failures. We employed the Ramamoorthy and Bastani [49] model, which has been shown to be a suitable model for software-based safety-critical systems. The experimental validation for the reliability analysis includes three major steps: operational profile data collection, data analysis to find the number of failures, and reliability computation.

a) Operational profile data collection: The operational profile data is collected from six different running units of an NPP. A test and monitoring system is run once a day to monitor the health of the system. While testing, the poison injection is disabled, and the logic circuitry and overall health of the equipment are examined by simulating the trip parameters. Hardware logic automatically bypasses the test mode on actual trip parameters, and all equipment operates in accordance with the actual scenario. Every change in the process state, such as an LC closing or the opening of a QOV, is timestamped and recorded in a database of the test and monitoring system. Table VII shows the collection of operational profile data for one unit in terms of number of test days (d), number of test runs (Nr), and number of failures up to a given time (Nf).

TABLE VII: OPERATIONAL PROFILE DATA OF 880 DAYS OF SDS-2

TABLE VIII: ALERT/RECOVERY MESSAGE

b) Data analysis to find the number of failures: The data gathered in the previous stage is thoroughly analyzed to determine the number of failures. If the state changes from safe to unsafe, then an alert message is displayed in red, and if the state returns to the normal state, then a recovery message is displayed in green. Every alert and recovery message has a timestamp in the format "dd/mm/yyyy hr:min:sec:msec", as shown in Table VIII. From Table VII, it can be observed that no failure occurs until day 59. The second failure was after 119 days, and so on.

c) Reliability computation: At this stage, we employed the Ramamoorthy and Bastani model to assess the reliability, according to which

$$R_i(t) = E_{\lambda_i}\!\left[e^{-\lambda_i \int_0^t f(T_i(s))\,ds}\right] \tag{36}$$

where λi is the failure rate after the ith failure, 0 ≤ λi ≤ ; Ti(s) is the testing process at time s after the ith failure; and f(Ti(s)) is the severity of the testing process relative to the operational distribution, 0 ≤ f(Ti(s)) ≤ .

For operational profile data, let f(Ti(s)) = 1. Hence, (36) reduces to $R_i(t) = E_{\lambda_i}\!\left[e^{-\lambda_i \int_0^t ds}\right]$.

Therefore, the reliability of the poison injection system of SDS-2 from the operational profile data (Table VII) can be calculated as

$$R_{\mathrm{opn}} = \frac{59e^{0\cdot1} + e^{-1\cdot1} + 59e^{0\cdot1} + e^{-1\cdot1} + 119e^{0\cdot1} + e^{-1\cdot1} + 149e^{0\cdot1} + e^{-1\cdot1} + 109e^{0\cdot1} + e^{-1\cdot1} + 119e^{0\cdot1} + e^{-1\cdot1} + 139e^{0\cdot1} + 120}{860}$$
JYOTISH et al.: RELIABILITY AND PERFORMANCE MEASUREMENT OF SAFETY-CRITICAL SYSTEMS BASED ON PETRI NETS 15

i.e., $R_{\mathrm{opn}} = 0.9988636$ (37)

∴ Unreliability = 1 − R = 0.0011364.

Comparing (37) and (18), the accuracy of our proposed approach for reliability assessment using ODE can be computed by

$$\text{error}\% = \frac{|R_{\mathrm{opn}} - R_{ODE}|}{R_{\mathrm{opn}}} \times 100\% = \frac{|0.9988636 - 0.9982566|}{0.9988636} \times 100 = 0.06077\%$$
$$\therefore \text{Accuracy} = (100 - 0.06077)\% = 99.939\%.$$

This proves that the accuracy of the reliability assessment method using the ODE solution is higher. The results were validated on 17 NPP systems, in the same way as for the performance assessment. This validates the effectiveness of our approach.

4) Comparison of our proposed approach with other existing approaches: As shown in Table IX, to prove the effectiveness of our proposed method, we compare it with various existing PN and ODE approaches that are used to measure performance and reliability. Table IX summarizes the details of various frameworks for measuring the performance and reliability of SCS along with their measurement accuracies and indicates whether or not these frameworks can address the issue of state space explosion. From the available frameworks, it was found that [15], [41], and [50] are only capable of measuring the performance of SCS, while [1], [10], [20], and [51] can only assess the reliability of SCS. The method described in [23] and our approach can measure both the performance and reliability of SCS. Except for [41] and our solution, none of the strategies overcome the state-space explosion problem caused by conventional PN-based methods. Also, the measurement accuracies of performance and reliability measurement using our proposed method are significantly higher compared with other approaches. Further, no other method considers liveness, stability, boundedness, and steady-state analysis, which are the critical metrics of performance. Consequently, our method can measure both the performance and reliability of SCS considering important metrics, and addresses the state space explosion problem. It proves that our method outperforms the other methods.

TABLE IX: COMPARATIVE ANALYSIS WITH OTHER EXISTING APPROACHES

VIII. CONCLUSION

This article aims to measure the performance and reliability of SCS using ODE and TPN. We introduced some important performance metrics that are essential to verify in the case of SCS, such as deadlock, stability, steady state, etc. The proposed approach is illustrated on an SCS of an NPP. The suggested technique can address the constraints and limits of existing methods, as stated in Section II. The presented methodology involves modeling the SCS using PN and then converting the model into a series of ODE systems for performance evaluation. The proposed approach is demonstrated on a case study of SDS-2. The mechanism explained here calculates the time required for the successful poison injection to trip the NPP by the SDS-2. The MATLAB simulation results help in the evaluation of the outcome. The system may give a higher latency time for a more complex system having a large number of places. It is to be noted that a major issue in developing a PN model is the state explosion problem when the number of states of a system is large, which may occur in large-scale systems. The proposed ODE-based solution is capable of dealing with this limitation. Furthermore, the state explosion problem can be dealt with in large-scale systems through the decomposition technique given in [1]. The obtained average accuracies of our method for performance and reliability assessment are 99.887% and 99.939%, respectively. The proposed technique can be applied to a class of concurrent systems that consist of multiple processes which communicate via MP. Such systems may also have other mechanisms for synchronization, such as resource sharing. The proposed technique has not been validated for nonexponential failures, which will be considered in our future article. We intend to expand this article in the future to improve the proposed technique for other classes of concurrent systems and to validate the technique for nonexponential failures. We shall also try to integrate several dependability measures that influence the performance and reliability of the SCS.

REFERENCES

[1] L. K. Singh, G. Vinod, and A. K. Tripathi, "Design verification of instrumentation and control systems of NPP," IEEE Trans. Nucl. Sci., vol. 61, no. 2, pp. 921–930, Apr. 2014.
[2] Modern Instrumentation and Control for Nuclear Power Plants: A Guidebook, International Atomic Energy Agency, 1999.
[3] Nuclear Power Plant Simulators for Use in Operator Training, U.S. Nuclear Regulatory Commission, 1981.
[4] W. C. Lipinski, "Nuclear power plant instrumentation and control—A guidebook," International Atomic Energy Agency, 1984.
[5] T. Murata, "Petri nets: Properties, analysis and applications," Proc. IEEE, vol. 77, no. 4, pp. 541–580, Apr. 1989.
[6] J. Siebert, D. Petri, and M. Fedrizzi, "From measurement to decision: Sensitivity of decision outcome to input and model uncertainties," IEEE Trans. Instrum. Meas., vol. 68, no. 9, pp. 3100–3108, Sep. 2019.
[7] G. Xu, M. Liu, Z. Jiang, W. Shen, and C. Huang, "Online fault diagnosis method based on transfer convolutional neural networks," IEEE Trans. Instrum. Meas., vol. 69, no. 2, pp. 509–520, Feb. 2020.

[8] L. K. Singh, G. Vinod, and A. K. Tripathi, "Modeling and prediction of performability of safety critical computer based systems using Petri nets," in Proc. IEEE 23rd Int. Symp. Softw. Rel. Eng. Workshops, 2012, pp. 85–94.
[9] Z. Liu, Y. Liu, B. Cai, X. Li, and X. Tian, "Application of Petri nets to performance evaluation of subsea blowout preventer system," ISA Trans., vol. 54, pp. 240–249, Jan. 2015.
[10] L. K. Singh and H. Rajput, "Dependability analysis of safety critical real-time systems by using Petri nets," IEEE Trans. Control Syst. Technol., vol. 26, no. 2, pp. 415–426, Mar. 2018.
[11] N. K. Jyotish, L. K. Singh, and C. Kumar, "A state-of-the-art review on performance measurement Petri net models for safety critical systems of NPP," Ann. Nucl. Energy, vol. 165, Jan. 2022, Art. no. 108635.
[12] Z. Ding, H. Shen, and A. Kandel, "Performance analysis of service composition based on fuzzy differential equations," IEEE Trans. Fuzzy Syst., vol. 19, no. 1, pp. 164–178, Feb. 2011.
[13] P. Singh and L. K. Singh, "Modeling and measuring common cause failures in measurement of reliability of nuclear power plant systems," IEEE Trans. Instrum. Meas., vol. 70, 2021, Art. no. 3001608.
[14] R. J. Rodríguez, "A Petri net tool for software performance estimation based on upper throughput bounds," Automat. Softw. Eng., vol. 24, no. 1, pp. 73–99, Mar. 2017.
[15] P. Kumar, L. K. Singh, and C. Kumar, "Performance evaluation of safety-critical systems of nuclear power plant systems," Nucl. Eng. Technol., vol. 52, no. 3, pp. 560–567, Mar. 2020.
[16] L. Xia, H. A. Gabbar, M. U. Isham, and V. Ponomarev, "Performance evaluation of a new signal processing system design to improve CANDU SDS1 trip response during large break LOCA events," J. Nucl. Sci. Technol., vol. 53, no. 10, pp. 1513–1520, Oct. 2016.
[17] B. W. Rhee, H. Choi, J. H. Park, K. M. Chae, and H. J. Yun, "A three-dimensional CFD model for a performance verification of the liquid poison injection system of a CANDU-6 reactor," Nucl. Technol., vol. 159, no. 2, pp. 158–166, Aug. 2007.
[18] D. J. Rankin and J. Jiang, "Predictive trip detection for nuclear power plants," IEEE Trans. Nucl. Sci., vol. 63, no. 4, pp. 2352–2362, Aug. 2016.
[19] K. Aslansefat, M. Bahar Gogani, S. Kabir, M. A. Shoorehdeli, and M. Yari, "Performance evaluation and design for variable threshold alarm systems through semi-Markov process," ISA Trans., vol. 97, pp. 282–295, Feb. 2020.
[20] M. Tripathi, L. K. Singh, S. Singh, and P. Singh, "A comparative study on reliability analysis methods for safety critical systems using Petri-nets and dynamic flowgraph methodology: A case study of nuclear power plant," IEEE Trans. Rel., vol. 71, no. 2, pp. 564–578, Jun. 2022.
[21] L. Cheung, R. Roshandel, N. Medvidovic, and L. Golubchik, "Early prediction of software component reliability," in Proc. 30th Int. Conf. Softw. Eng., May 2008, pp. 111–120.
[22] W.-L. Wang, D. Pan, and M.-H. Chen, "Architecture-based software reliability modeling," J. Syst. Softw., vol. 79, no. 1, pp. 132–146, Jan. 2006.
[23] M. R. Mamdikar, V. Kumar, P. Singh, and L. Singh, "Reliability and performance analysis of safety-critical system using transformation of UML into state space models," Ann. Nucl. Energy, vol. 146, Oct. 2020, Art. no. 107628.
[24] Z. Chen and W. Li, "Multisensor feature fusion for bearing fault diagnosis using sparse autoencoder and deep belief network," IEEE Trans. Instrum. Meas., vol. 66, no. 7, pp. 1693–1702, Jul. 2017.
[25] P. Singh and L. K. Singh, "Reliability and safety engineering for safety critical systems: An interview study with industry practitioners," IEEE Trans. Rel., vol. 70, no. 2, pp. 643–653, Jun. 2021.
[26] P. Singh and L. K. Singh, "Engineering education for development of safety-critical systems," IEEE Trans. Educ., vol. 64, no. 4, pp. 398–405, Nov. 2021.
[27] P. Singh and L. K. Singh, "Reliability and safety engineering for safety-critical systems in computer science: A study into the mismatch between higher education and employment in Brazil and India," IEEE Trans. Educ., vol. 64, no. 4, pp. 353–360, Nov. 2021.
[28] J. Seo, J. Lee, E. Baek, R. Horowitz, and J. Choi, "Safety-critical control with nonaffine control inputs via a relaxed control barrier function for an autonomous vehicle," IEEE Robot. Automat. Lett., vol. 7, no. 2, pp. 1944–1951, Apr. 2022.
[29] W. Ding, B. Chen, B. Li, K. J. Eun, and D. Zhao, "Multimodal safety-critical scenarios generation for decision-making algorithms evaluation," IEEE Robot. Automat. Lett., vol. 6, no. 2, pp. 1551–1558, Apr. 2021.
[30] Z. Jiang et al., "Bridging the pragmatic gaps for mixed-criticality systems in the automotive industry," IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst., vol. 41, no. 4, pp. 1116–1129, Apr. 2022.
[31] B. Weng, L. Capito, U. Ozguner, and K. Redmill, "A formal characterization of black-box system safety performance with scenario sampling," IEEE Robot. Automat. Lett., vol. 7, no. 1, pp. 199–206, Jan. 2022.
[32] J. Thota, N. F. Abdullah, A. Doufexi, and S. Armour, "V2V for vehicular safety applications," IEEE Trans. Intell. Transp. Syst., vol. 21, no. 6, pp. 2571–2585, Jun. 2020.
[33] A. Y. Al Hammadi et al., "Novel EEG sensor-based risk framework for the detection of insider threats in safety critical industrial infrastructure," IEEE Access, vol. 8, pp. 206222–206234, 2020.
[34] H. Boudali, P. Crouzen, and M. Stoelinga, "A rigorous, compositional, and extensible framework for dynamic fault tree analysis," IEEE Trans. Dependable Secure Comput., vol. 7, no. 2, pp. 128–143, Apr.–Jun. 2010.
[35] K. Aslansefat and G.-R. Latif-Shabgahi, "A hierarchical approach for dynamic fault trees solution through semi-Markov process," IEEE Trans. Rel., vol. 69, no. 3, pp. 986–1003, Sep. 2020.
[36] S. Kabir, K. Aslansefat, I. Sorokos, Y. Papadopoulos, and Y. Gheraibia, "A conceptual framework to incorporate complex basic events in HiP-HOPS," in Proc. Int. Symp. Model Saf. Assessment, 2019, pp. 109–124.
[37] B. Cai, Y. Liu, Z. Liu, X. Tian, H. Li, and C. Ren, "Reliability analysis of subsea blowout preventer control systems subjected to multiple error shocks," J. Loss Prevention Process Ind., vol. 25, no. 6, pp. 1044–1054, 2012.
[38] R. A. Sahner, K. Trivedi, and A. Puliafito, Performance and Reliability Analysis of Computer Systems: An Example-Based Approach Using the SHARPE Software Package. Berlin, Germany: Springer, 2012.
[39] N. G. Leveson and J. L. Stolzy, "Safety analysis using Petri nets," IEEE Trans. Softw. Eng., vol. SE-13, no. 3, pp. 386–397, Mar. 1987.
[40] M. Jeng, X. Xie, and M. Peng, "Process nets with resources for manufacturing modeling and their analysis," IEEE Trans. Robot. Automat., vol. 18, no. 6, pp. 875–889, Dec. 2002.
[41] Z. Ding, Y. Zhou, and M. Zhou, "A polynomial algorithm to performance analysis of concurrent systems via Petri nets and ordinary differential equations," IEEE Trans. Automat. Sci. Eng., vol. 12, no. 1, pp. 295–308, Jan. 2015.
[42] R. David and H. Alla, Discrete, Continuous, and Hybrid Petri Nets, vol. 1. Berlin, Germany: Springer, 2010.
[43] S.-H. Kim and W. Whitt, "Statistical analysis with Little's law," Oper. Res., vol. 61, no. 4, pp. 1030–1045, Aug. 2013.
[44] CANDU 6 Program Team, CANDU 6 Tech. Summary, May 2005.
[45] T. L. Chu et al., "Workshop on philosophical basis for incorporating software failures into a probabilistic risk assessment," Brookhaven Nat. Lab., Upton, NY, USA, Tech. Rep. BNL-90571-2009-IR, Nov. 2009.
[46] A. Zimmermann and M. Knoke, TimeNET 4.0, 2007. [Online]. Available: depositonce.tu-berlin.de
[47] C. Lin and Y. Wei, "Stochastic process algebra and stochastic Petri nets," J. Softw., vol. 13, no. 2, pp. 203–213, 2002.
[48] R. A. Hayden and J. T. Bradley, "A fluid analysis framework for a Markovian process algebra," Theor. Comput. Sci., vol. 411, no. 22, pp. 2260–2297, May 2010.
[49] C. V. Ramamoorthy and F. B. Bastani, "Software reliability—Status and perspectives," IEEE Trans. Softw. Eng., vol. SE-8, no. 4, pp. 354–371, Jul. 1982.
[50] P. Singh and L. K. Singh, "Design of safety critical and control systems of nuclear power plants using Petri nets," Nucl. Eng. Technol., vol. 51, no. 5, pp. 1289–1296, Aug. 2019.
[51] L. Singh, H. Rajput, G. Vinod, and A. K. Tripathi, "Computing transition probability in Markov chain for early prediction of software reliability," Qual. Rel. Eng. Int., vol. 32, no. 3, pp. 1253–1263, 2016.
[52] S. Hinz, K. Schmidt, and C. Stahl, "Transforming BPEL to Petri nets," in Business Process Management. Berlin, Germany, 2005, pp. 220–235.

Nand Kumar Jyotish (Student Member, IEEE) received the M.Tech. degree in computer science & engineering, in 2015, from the Indian Institute of Technology (Indian School of Mines), Dhanbad, India, where he is currently working toward the Ph.D. degree in computer science & engineering.
His research interests include software reliability, mathematical modeling, safety critical systems, fog/edge computing, machine learning, and software engineering.
Mr. Jyotish is a Reviewer of IEEE TRANSACTIONS ON RELIABILITY.

Lalit Kumar Singh (Senior Member, IEEE) received the Ph.D. degree in software reliability from the Indian Institute of Technology, Varanasi, India, in 2014.
He is currently a Scientist, level F, with the Nuclear Power Corporation of India, Mumbai, India.
Dr. Singh is the recipient of many prestigious awards and a member of the Indian Nuclear Society. He is a Reviewer of several prestigious journals of high impact factor and supervises many Ph.D. students. He has completed several industrial projects. He plays a vital role in various academic committees.

Pooja Singh (Senior Member, IEEE) received the Ph.D. degree in mathematical sciences from the Indian Institute of Technology, Varanasi, India, in 2014.
She is currently working as an Assistant Professor with the Department of Mathematics, SIES-Graduate School of Technology, Navi Mumbai, India.
Dr. Singh is the recipient of many prestigious awards and a member of the Indian Nuclear Society. She is a Reviewer of several prestigious journals of high impact factor and supervises many Ph.D. students. She has completed several industrial projects.

Chiranjeev Kumar (Senior Member, IEEE) received the Ph.D. degree from the University of Allahabad, Allahabad, India, in 2006.
He is currently working as a Professor with the Department of Computer Science and Engineering, Indian Institute of Technology (Indian School of Mines) Dhanbad, Dhanbad, India. His research interests include software testing, wireless sensor networks, IoT, and software reliability.
Prof. Kumar is a Reviewer of several prestigious journals of high impact factor and supervises many Ph.D. students. He has completed several projects of the Government of India, including with the organizations CSIR, DRDO, IIT(ISM), UGC, and Coal India Limited.