SIST EN 62551:2013
Analysis techniques for dependability - Petri net techniques
IEC 62551:2012 provides guidance on a Petri net based methodology for dependability purposes. It supports modelling a system, analysing the model and presenting the analysis results. This methodology is oriented to dependability-related measures with all the related features, such as reliability, availability, production availability, maintainability and safety (e.g. safety integrity level (SIL) [2] related measures). Key words: Petri net based methodology for dependability purposes
This standard deals with the following topics in relation to Petri nets: a) defining the essential terms and symbols and describing their usage and methods of graphical representation; b) outlining the terminology and its relation to dependability; c) presenting a step-by-step approach for 1) dependability modelling with Petri nets, 2) guiding the usage of Petri net based techniques for qualitative and quantitative dependability analyses, 3) representing and interpreting the analysis results; d) outlining the relationship of Petri nets to other modelling techniques; e) providing practical examples. This standard does not give guidance on how to solve mathematical problems that arise when analysing a Petri net; such guidance can be found in [3] and [4]. This standard is applicable to all industries where qualitative and quantitative dependability analyses are performed.
Standards Content (Sample)
SLOVENIAN STANDARD
1 March 2013
Analysis techniques for dependability - Petri net techniques
This Slovenian standard is identical to: EN 62551:2012
ICS: 21.020 Characteristics and design of machines, apparatus, equipment
Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.
EUROPEAN STANDARD
EN 62551
November 2012
ICS 21.020
English version
Analysis techniques for dependability - Petri net techniques
(IEC 62551:2012)
This European Standard was approved by CENELEC on 2012-11-06. CENELEC members are bound to comply
with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard
the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on
application to the CEN-CENELEC Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other
language made by translation under the responsibility of a CENELEC member into its own language and notified
to the CEN-CENELEC Management Centre has the same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus,
the Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany,
Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland,
Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.
CENELEC
European Committee for Electrotechnical Standardization
Management Centre: Avenue Marnix 17, B - 1000 Brussels
© 2012 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. EN 62551:2012 E
Foreword
The text of document 56/1476/FDIS, future edition 1 of IEC 62551, prepared by IEC/TC 56
"Dependability" was submitted to the IEC-CENELEC parallel vote and approved by CENELEC as
The following dates are fixed:
• latest date by which the document has to be implemented at national level by publication of an identical national standard or by endorsement (dop): 2013-08-06
• latest date by which the national standards conflicting with the document have to be withdrawn (dow): 2015-11-06
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC [and/or CEN] shall not be held responsible for identifying any or all such
patent rights.
Endorsement notice
The text of the International Standard IEC 62551:2012 was approved by CENELEC as a European
Standard without any modification.
In the official version, for Bibliography, the following notes have to be added for the standards indicated:
IEC 61508 Series NOTE Harmonised as EN 61508 Series (not modified).
IEC 61508-4:2010 NOTE Harmonised as EN 61508-4:2010 (not modified).
IEC 61508-1:2010 NOTE Harmonised as EN 61508-1:2010 (not modified).
IEC 61165:2006 NOTE Harmonised as EN 61165:2006 (not modified).
IEC 60812:2006 NOTE Harmonised as EN 60812:2006 (not modified).
IEC 61025:2006 NOTE Harmonised as EN 61025:2007 (not modified).
IEC 61078:2006 NOTE Harmonised as EN 61078:2006 (not modified).
IEC 61511-3:2003 NOTE Harmonised as EN 61511-3:2004 (not modified).
IEC 61703:2001 NOTE Harmonised as EN 61703:2002 (not modified).
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
NOTE When an international publication has been modified by common modifications, indicated by (mod), the relevant EN/HD
applies.
Publication     Year   Title                                                                    EN/HD   Year
IEC 60050-191   1990   International Electrotechnical Vocabulary (IEV) - Chapter 191:           -       -
                       Dependability and quality of service
IEC 62551
Edition 1.0 2012-10
INTERNATIONAL STANDARD
colour inside
Analysis techniques for dependability – Petri net techniques
INTERNATIONAL ELECTROTECHNICAL COMMISSION
PRICE CODE XB
ICS 21.020 ISBN 978-2-83220-370-5
– 2 – 62551 © IEC:2012
CONTENTS
FOREWORD . 5
INTRODUCTION . 7
1 Scope . 8
2 Normative references . 8
3 Terms, definitions, symbols and abbreviations . 8
3.1 Terms and definitions . 8
3.2 Symbols and abbreviations . 10
4 General description of Petri nets . 12
4.1 Untimed low-level Petri nets . 12
4.2 Timed low-level Petri nets . 12
4.3 High-level Petri nets . 13
4.4 Extensions of Petri nets and modelling with Petri nets . 13
4.4.1 Further representations of Petri net elements . 13
4.4.2 Relationship to the concepts of dependability . 14
5 Petri net dependability modelling and analysis. 15
5.1 The steps to be performed in general . 15
5.2 Steps to be performed in detail . 16
5.2.1 General . 16
5.2.2 Description of main parts and functions of the system (Step 1) . 16
5.2.3 Modelling the structure of the system on the basis of Petri net submodels and their relations (Step 2) . 16
5.2.4 Refining the models of Step 2 until the required level of detail is achieved (Step 3) . 18
5.2.5 Analysing the model to achieve the results of interest (Step 4) . 18
5.2.6 Representation and interpretation of results of analyses (Step 5) . 19
5.2.7 Summary of documentation (Step 6) . 20
6 Relationship to other dependability models . 20
Annex A (informative) Structure and dynamics of Petri nets . 22
Annex B (informative) Availability with redundancy m-out-of-n . 33
Annex C (informative) Abstract example . 39
Annex D (informative) Modelling typical dependability concepts . 43
Annex E (informative) Level-crossing example . 45
Bibliography . 62
Figure 1 – Weighted inhibitor arc . 13
Figure 2 – Place p is a multiple place . 14
Figure 3 – Marking on p after firing of transition t . 14
Figure 4 – The activation of t depends on the value of V . 14
Figure 5 – Methodology consisting mainly of ‘modelling’, ‘analysing’ and ‘representing’
steps. 15
Figure 6 – Process for dependability modelling and analysing with Petri nets . 15
Figure 7 – Modelling structure concerning the two main parts 'plant' and 'control' with
models for their functions and dependability . 17
Figure 8 – Indication of the analysis method as a function of the PN model . 19
Figure A.1 – Availability state-transition circle of a component . 22
Figure A.2 – Transition ‘failure’ is enabled . 23
Figure A.3 – ‘Faulty’ place marked due to firing of ‘failure' . 23
Figure A.4 – Transition ‘comp repair’ is enabled . 24
Figure A.5 – The token at the ‘maintenance crew available’ location is not used . 24
Figure A.6 – Transition is not enabled . 25
Figure A.7 – Marking before firing . 25
Figure A.8 – Marking after firing . 25
Figure A.9 – PN with initial marking . 25
Figure A.10 – Corresponding RG . 25
Figure A.11 – Transitions ‘comp_lp repair’ and ‘comp_hp failure’ are enabled . 26
Figure A.12 – Marking after firing of transition ‘comp_lp repair’ . 27
Figure A.13 – A timed PN with two exponentially distributed timed transitions . 28
Figure A.14 – The corresponding stochastic reachability graph . 28
Figure A.15 – Petri net with timed transitions . 29
Figure B.1 – Two individual item availability nets with specific failure- and repair-rates . 33
Figure B.2 – Stochastic reachability graph corresponding to Figure B.1 with global
states (as an abbreviation c_1 is used for “comp_1 faulty”) . 33
Figure B.3 – Three individual item availability nets with specific failure rates and repair
rates . 33
Figure B.4 – Stochastic reachability graph corresponding to Figure B.3 with global
states (as an abbreviation c is used for ‘comp faulty’) . 34
Figure B.5 – Specifically connected 1-out-of-3 availability net . 35
Figure B.6 – Specifically connected 2-out-of-3 availability net . 35
Figure B.7 – Specifically connected 3-out-of-3 availability net . 36
Figure B.8 – Stochastic reachability graph with system specific operating states . 36
Figure B.9 – Specifically connected 1-out-of-3 reliability net . 37
Figure B.10 – Reachability graph for the net in Figure B.9 . 37
Figure B.11 – Specifically connected 2-out-of-3 reliability net . 37
Figure B.12 – Reachability graph for the net in Figure B.11 . 37
Figure B.13 – Specifically connected 3-out-of-3 reliability net . 38
Figure B.14 – Reachability graph for the net in Figure B.13 . 38
Figure C.1 – Individual availability net . 39
Figure C.2 – Stochastic availability graph of the net in Figure C.1 with its global states
and aggregated global states according to availability and safety . 39
Figure C.3 – Basic reliability and function modelling concept . 40
Figure C.4 – General hierarchical net with supertransitions to model reliability . 41
Figure C.5 – General hierarchical net with supertransitions and superplaces . 41
Figure C.6 – General hierarchical net with supertransitions to model availability . 41
Figure C.7 – General hierarchical net with supertransitions and superplaces . 42
Figure E.1 – Applied example of a level crossing and its protection system . 45
Figure E.2 – Main parts of the level crossing example model . 46
Figure E.3 – Submodels of the level crossing example model . 47
Figure E.4 – PN model of car and train traffic processes . 48
Figure E.5 – PN model of the traffic processes and traffic dependability . 49
Figure E.6 – PN model of the traffic process with an ideal control function . 50
Figure E.7 – PN model of the level crossing example model . 51
Figure E.8 – Collected measures of the road traffic flow of a particular level crossing:
Time intervals between two cars coming to the level crossing . 52
Figure E.9 – Approximated probability distribution function based on the measures
depicted in Figure E.5 . 53
Figure E.10 – Collected measurements of time spent by road vehicle in the danger
zone of the level crossing . 53
Figure E.11 – Approximated probability distribution function based on measurements
depicted in Figure E.10 . 54
Figure E.12 – Aggregated RG and information about the corresponding states . 59
Figure E.13 – Results of the quantitative analysis showing the level crossing average
availability for road traffic users as a function of the protection equipment hazard rate
for different used activation and approaching times T_AC . 60
Figure E.14 – Results of the quantitative analysis showing the individual risk of the
level crossing users as a function of the protection equipment hazard rate for different
used activation and approaching times T_AC . 60
Figure E.15 – Availability safety diagram based on the quantitative results of the model
analysis shown in Figure E.13 and Figure E.14 . 61
Table 1 – Symbols in untimed Petri nets . 10
Table 2 – Additional symbols in timed Petri nets . 11
Table 3 – Symbols for hierarchical modelling . 11
Table 4 – Corresponding concepts in systems, Petri nets and dependability . 15
Table 5 – Mandatory and recommended parts of documentation . 20
Table A.1 – Corresponding concepts in systems, Petri nets, reachability graphs and
dependability . 26
Table A.2 – Place and transition with rewards . 32
Table D.1 – Dependability concepts modelled with PN structures . 43
Table D.2 – Modelling costs of states and events. 44
Table E.1 – Car-related places in the submodel ‘Traffic process’ (see Figure E.4) . 52
Table E.2 – Car-traffic related transitions in the submodel ‘Traffic process’ and Traffic
dependability (see Figure E.7) . 55
Table E.3 – Train-traffic related places in the submodel ‘Traffic process’ (see
Figure E.7) . 55
Table E.4 – Train-traffic related transitions in the submodel ‘Traffic process’ (see
Figure E.7) . 56
Table E.5 – Places in the submodel ‘Traffic dependability’ (see Figure E.7) . 56
Table E.6 – Transitions in the submodel ‘Traffic dependability’ (see Figure E.7) . 56
Table E.7 – Places in the submodel ‘Control function’ (see Figure E.7) . 57
Table E.8 – Transitions in the submodel ‘Control function’ (see Figure E.7) . 57
Table E.9 – Places in the submodel ‘Control equipment dependability’ (see Figure E.7) . 57
Table E.10 – Transitions in the submodel ‘Control equipment dependability’ (see
Figure E.7) . 58
Table E.11 – Specification of boolean conditions for states to be subsumed in an
aggregated state . 59
INTERNATIONAL ELECTROTECHNICAL COMMISSION
ANALYSIS TECHNIQUES FOR DEPENDABILITY –
PETRI NET TECHNIQUES
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 62551 has been prepared by committee 56: Dependability.
The text of this standard is based on the following documents:
FDIS: 56/1476/FDIS; Report on voting: 56/1484/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated above.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
The committee has decided that the contents of this publication will remain unchanged until
the stability date indicated on the IEC web site under "http://webstore.iec.ch" in the data
related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct
understanding of its contents. Users should therefore print this document using a
colour printer.
INTRODUCTION
This International Standard provides a basic methodology for the representation of the basic
elements of Petri nets (PNs) [1] and provides guidance for application of the techniques in
the dependability field.
The inherent power of Petri net modelling is its ability to describe the behaviour of a system
by modelling the relationship between local states and local events. Against this background,
Petri nets have gained widespread acceptance in many industrial fields of application (e.g.
information, communication, transportation, production, processing and manufacturing and
power engineering).
Conventional methods are very limited when dealing with actual industrial systems: some of
them (e.g. fault trees or reliability block diagrams) can handle neither multi-state systems
nor dynamic system behaviour, and others (e.g. Markov processes) are subject to the
combinatorial explosion of the states to be handled. Therefore, alternative modelling and
calculating methods are needed.
Dependability calculations of an industrial system intend to model the various states of the
system and how it evolves from one state to another when events (failures, repairs, periodic
tests, night, day, etc.) occur.
Reliability engineers need user-friendly graphical support to build their models. Due to
their graphical presentation, Petri nets are a very promising modelling technique for
dependability modelling and calculations.
Analytical calculations are limited to small systems and/or require strong hypotheses (e.g.
exponential laws, low probabilities) to be fulfilled. A qualitative step is needed to deal with
industrial-size systems. This may be done by going from analytical calculation to Monte Carlo
simulation.
This standard aims at defining the consolidated basic principles of PNs in the context of
dependability and the current usage of PN modelling and analysing as a means for
qualitatively and quantitatively assessing the dependability and risk-related measures of a
system.
Figures in square brackets refer to the bibliography.
ANALYSIS TECHNIQUES FOR DEPENDABILITY –
PETRI NET TECHNIQUES
1 Scope
This International Standard provides guidance on a Petri net based methodology for
dependability purposes. It supports modelling a system, analysing the model and presenting
the analysis results. This methodology is oriented to dependability-related measures with all
the related features, such as reliability, availability, production availability, maintainability and
safety (e.g. safety integrity level (SIL) [2] related measures).
This standard deals with the following topics in relation to Petri nets:
a) defining the essential terms and symbols and describing their usage and methods of
graphical representation;
b) outlining the terminology and its relation to dependability;
c) presenting a step-by-step approach for
1) dependability modelling with Petri nets,
2) guiding the usage of Petri net based techniques for qualitative and quantitative
dependability analyses,
3) representing and interpreting the analysis results;
d) outlining the relationship of Petri nets to other modelling techniques;
e) providing practical examples.
This standard does not give guidance on how to solve mathematical problems that arise when
analysing a PN; such guidance can be found in [3] and [4].
This standard is applicable to all industries where qualitative and quantitative dependability
analyses are performed.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and
are indispensable for its application. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any
amendments) applies.
IEC 60050-191:1990, International Electrotechnical Vocabulary – Chapter 191: Dependability
and quality of service
3 Terms, definitions, symbols and abbreviations
For the purposes of this document, the terms and definitions given in IEC 60050-191, as well
as the following terms and definitions, apply.
3.1 Terms and definitions
3.1.1
component
constituent part of a device which cannot be physically divided into smaller parts without
losing its particular function
[SOURCE: IEC 60050-151:2001, 151-11-21] [5]
3.1.2
event
something that happens in time
Note 1 to entry: In pure physics, an event is considered as a point in space-time.
[SOURCE: IEC 60050-111, Amendment 1:2005, 111-16-04] [6]
3.1.3
system
set of interrelated elements considered in a defined context as a whole and separated from
their environment
Note 1 to entry: A system is generally defined with the view of achieving a given objective, e.g. by performing a
definite function.
Note 2 to entry: Elements of a system may be natural or man-made material objects, as well as modes of thinking
and the results thereof (e.g. forms of organization, mathematical methods, programming languages).
Note 3 to entry: The system is considered to be separated from the environment and the other external systems
by an imaginary surface, which cuts the links between them and the system.
Note 4 to entry: The term ‘system’ should be qualified when it is not clear from the context to what it refers, e.g.
control system, colorimetric system, system of units, transmission system.
[SOURCE: IEC 60050-351:2006, 351-21-20] [7]
3.1.4
safety integrity level
SIL
discrete level (one out of a possible four) corresponding to a range of safety integrity values,
where safety integrity level 4 has the highest level of safety integrity and safety integrity
level 1 has the lowest
Note 1 to entry: The target failure measures (see 3.5.17 of IEC 61508-4:2010) [8] for the four safety integrity
levels are specified in Tables 2 and 3 of IEC 61508-1:2010 [9].
[SOURCE: IEC 61508-4:1998, 3.5.8, modified]
3.1.5
Petri net
PN
bipartite graph with two kinds of nodes, places and transitions, connected by directed arcs,
to model local states and local events, respectively
Note 1 to entry: Petri nets are often used to model the behaviour of distributed systems.
3.1.6
directed arc
oriented connection of a pair of nodes depicted by a line with an arrow
Note 1 to entry: In general, the arcs in Petri nets are directed. They can only connect two different types of
nodes.
Note 2 to entry: In addition to directed arcs, alternative representations exist.
3.1.7
place
type of node in a Petri net to model local states or conditions
3.1.8
transition
type of node in a Petri net to model local events, i.e. state changes
3.1.9
transition type
type of transition modelling a particular event or a group of events belonging to a given class
Note 1 to entry: In general, there exist various types of transitions in a Petri net, e.g. to model causal events, to
model events taking place after a certain time delay, etc.
3.1.10
supernode
type of node in a Petri net to hide subnets, especially used in models with hierarchies
3.1.11
superarc
type of arc in a Petri net that hides the various connections of two supernodes
Note 1 to entry: These two supernodes hide two subnets that may be connected with various kinds of arcs.
3.1.12
reachability graph
RG
state transition diagram representing the behaviour of a system
Note 1 to entry: The reachability graph may be generated on the basis of a Petri net with an initial marking.
3.1.13
marking
graphical representation of the state of the system that is modelled by a Petri net
3.2 Symbols and abbreviations
NOTE The graphical representation of a Petri net requires symbols, identifiers and labels which should be used in
a consistent manner. A collection of commonly used graphical representations is given in Table 1, Table 2 and
Table 3.
The following symbols in Table 1 are recommended in untimed Petri nets. The label ‘n’ of the
normal arc specifies an integer value.
Table 1 – Symbols in untimed Petri nets (graphical symbols not reproduced in this text version)
• place symbol, also used for multiple places
• transition symbol
• transition symbol with a transition weight
• relation symbols – normal arcs (optionally labelled ‘n’)
• relation symbols – test arcs
• relation symbols – inhibitor arcs
• token symbol
There are various possibilities to draw test and inhibitor arcs. The token symbol is not a symbol of the static structure
of the net but is used to symbolize the flow of information.
Table 2 – Additional symbols in timed Petri nets (graphical symbols not reproduced in this text version)
• deterministic transition, delay is zero: parameter ∅
• deterministic transition, delay is d: parameter d
• stochastic transition, exponentially or geometrically distributed delay: parameter λ
• stochastic transition, arbitrarily distributed delay: parameter is the arbitrary distribution
NOTE In the case of deterministic transitions, a Dirac distribution is often used. Furthermore, the parameters of timed
transitions may be state- or time-dependent.
Table 3 – Symbols for hierarchical modelling (graphical symbols not reproduced in this text version)
• superplace symbol, supertransition symbol, supernode symbol and superarc symbol, each labelled with an identifier
Note that the symbol of a ‘superarc’ does not have a direction, because it may substitute more
than one arc with different directions.
Abbreviation Meaning
CDF Cumulative distribution function
ETA Event tree analysis
DZ Danger zone
FME(C)A Failure mode, effects (and criticality) analysis
FTA Fault tree analysis
HR Hazard rate
LC Level crossing
MTBF Mean time between failures
MTTF Mean time to failure
PN Petri net
RBD Reliability block diagram
RG Reachability graph
SIL Safety integrity level
ir Impulse reward
rr Rate reward
4 General description of Petri nets
4.1 Untimed low-level Petri nets
Petri nets (PNs) are graphs in which active and passive nodes are differentiated. The passive
elements are called places; they model local states or conditions for example, and are marked
with tokens if the local state is fulfilled. The active elements are called transitions. They model
the possible changes from one state to another (e.g. the potential events that may occur).
Places and transitions may be called nodes. The causal relations between the phenomena
represented by places and transitions are explicitly described through various kinds of
directed arcs that connect these nodes (see the basic symbols of a Petri net in Table 1 and
Clause A.1 for an introduction to PNs). Inhibitor arcs can only connect preset places with
transitions in their postset (see A.1.2).
A transition is enabled, if all its preset places that are connected with it by normal arcs or test
arcs are marked with a sufficient number of tokens and if all its preset places that are
connected with it by inhibitor arcs are unmarked. The number of tokens that are sufficient for
the enabling of a transition is annotated to the arc. In general, this annotation can be marking
dependent (see [3]). See 4.4 for commonly used generalizations of these concepts.
If a transition is enabled, it may fire, i.e. it may change the marking of the model. The firing of
a transition only changes the marking of places that are connected with it by normal arcs:
firing leads to absorbing tokens from corresponding places in its preset and to the production
of tokens in its postset. The number of tokens that is absorbed and produced is specified by
the arc label. If no arc label is given, the number is one.
That means that the places, transitions and arcs form the static elements and relations of a
system, whereas the tokens may be produced or may vanish according to the states of the
modelled system.
The reachability graph of a PN consists of all the global markings that can be reached from an
initial marking through an arbitrary sequence of transition firings. In this graph, a node
represents an individual global marking and each arc represents the firing of a transition that
transforms one global marking to another.
PNs may be represented non-graphically by incidence matrices. If T is the set of transitions
and P is the set of places, then the incidence matrix is of dimension |P|×|T|. For every
transition, the change of the global marking due to its firing is specified in the corresponding
column.
4.2 Timed low-level Petri nets
In timed PNs, both untimed and timed transitions may be used. In order to fire, a timed
transition shall be enabled for a specific time duration. This duration may be deterministic or
stochastic, depending on the transition-specific distribution function (cumulative distribution
function – CDF) and the corresponding parameters. After this duration has elapsed, the
transition is allowed to fire. If two or more transitions are enabled at the same time, then the
firing of transitions is determined by a further specification of the transition, i.e. the
‘preselection policy’ or the ‘race policy’. In addition, choices about execution policy and
memory policy, aside from the firing time distributions, shall be specified ([3]). Table 2 shows
the commonly used transitions in timed PNs.
Corresponding to the specific type of a timed transition, it may be attributed with a time
parameter that specifies the fixed firing duration (transitions with deterministic firing time), the
constant firing rate (transitions with exponentially or geometrically distributed firing times) or
the probability distribution with its parameters (transitions with arbitrarily distributed firing
times). Note that untimed transitions are a particular case of fixed firing duration transitions
with a deterministic delay of zero.
62551 © IEC:2012 – 13 –
As in the untimed case, the reachability graph (RG) of a timed PN consists of nodes
representing global markings and of arrows representing the firing of transitions. In addition
to the untimed RG, the RG of a timed net shall take the specific parameters of the transitions
into account.
4.3 High-level Petri nets
In high-level Petri nets, a marking consists of individual, distinguishable tuples instead of
anonymous, black tokens. Thus, the tuples not only model the fulfillment of conditions or the
existence of states, but also the information itself. Against this background, the arc labels can
be formulated as a function of the existing information. Such a modelling support leads to
compact and intuitive models, even for complex systems. As the methodology presented in
this standard does not depend on these possibilities, for high-level PNs see ISO/IEC 15909-1
[10].
4.4 Extensions of Petri nets and modelling with Petri nets
NOTE When modelling with PNs, some commonly used notations, extensions and denotations are introduced in
this subclause.
4.4.1 Further representations of Petri net elements
4.4.1.1 General
In addition to the symbols that have been introduced in Table 1, the following symbols and
concepts for weighted inhibitor arcs, multiple places and global variables are also commonly
used.
4.4.1.2 Weighted inhibitor arcs
As for normal arcs, inhibitor arcs can be weighted, see Figure 1.
[Figure 1 – Weighted inhibitor arc (IEC 1724/12): place p connected with transition t by an
inhibitor arc of weight n]
Transition t in Figure 1 is enabled only if the number of tokens on place p is lower than n.
Note that the marking shall actually be lower: if there are exactly n tokens on place p,
transition t is not enabled.
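The enabling and firing rules of 4.1, the weighted inhibitor arc of Figure 1, the reachability graph and the incidence matrix, worked through on a small dependability-interpreted net in the sense of 4.4.2 (places as states, transitions as events). This is an added example and not code from IEC 62551; the cold-standby net, the place and transition names and the dict-based arc notation are constructed for illustration.

```python
from collections import deque
# Added example (not from IEC 62551): a minimal low-level Petri net engine with the
# arc kinds of 4.1 and the weighted inhibitor arcs of 4.4.1.2. A transition is a dict:
# "pre"/"post" = normal arcs (place -> weight), "test" = test arcs (place -> tokens
# required, not consumed), "inh" = inhibitor arcs (place -> n, enabled only if < n).

def enabled(m, t):
    # enabling rule of 4.1: normal/test preset places sufficiently marked,
    # inhibitor preset places holding fewer than n tokens (Figure 1)
    return (all(m[p] >= w for p, w in t.get("pre", {}).items())
            and all(m[p] >= w for p, w in t.get("test", {}).items())
            and all(m[p] < n for p, n in t.get("inh", {}).items()))

def fire(m, t):
    # firing rule of 4.1: only normal arcs absorb and produce tokens
    m2 = dict(m)
    for p, w in t.get("pre", {}).items():
        m2[p] -= w
    for p, w in t.get("post", {}).items():
        m2[p] += w
    return m2

def reachability_graph(places, transitions, m0):
    # breadth-first enumeration of all global markings reachable from m0;
    # nodes are marking tuples in place order, arcs are (marking, transition, marking)
    key = lambda m: tuple(m[p] for p in places)
    nodes, arcs, todo = {key(m0)}, set(), deque([m0])
    while todo:
        m = todo.popleft()
        for name, t in transitions.items():
            if enabled(m, t):
                m2 = fire(m, t)
                arcs.add((key(m), name, key(m2)))
                if key(m2) not in nodes:
                    nodes.add(key(m2))
                    todo.append(m2)
    return nodes, arcs

def incidence_matrix(places, transitions):
    # |P| x |T| matrix: column t holds the marking change caused by firing t
    return [[t.get("post", {}).get(p, 0) - t.get("pre", {}).get(p, 0)
             for t in transitions.values()] for p in places]

# Constructed dependability-interpreted net: a main unit with a cold standby that is
# switched on only while the main unit is faulty (inhibitor arc) and off again once
# the main unit operates (test arc, which does not consume the token).
PLACES = ["main_up", "main_down", "sb_off", "sb_on"]
TRANSITIONS = {
    "main_fail":   {"pre": {"main_up": 1}, "post": {"main_down": 1}},
    "main_repair": {"pre": {"main_down": 1}, "post": {"main_up": 1}},
    "switch_on":   {"pre": {"sb_off": 1}, "post": {"sb_on": 1}, "inh": {"main_up": 1}},
    "switch_off":  {"pre": {"sb_on": 1}, "post": {"sb_off": 1}, "test": {"main_up": 1}},
}
M0 = {"main_up": 1, "main_down": 0, "sb_off": 1, "sb_on": 0}
```

For this net the reachability graph has four global markings and six firings, and the test and inhibitor arcs contribute zero entries to the incidence matrix, since they never change the marking.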
To improve the readability of complex nets, especially when modelling industrial sized
systems, various additional concepts are commonly used.
4.4.1.3 Multiple places
If the same place appears multiple times in a net, these places are called ‘multiple places’,
‘repeated places’ or ‘fusion places’. In doing so, the modular structure of a model can be
revealed. As multiple places are just identical copies of each other, their marking is the same
in every marking of the net.
[Figure 2 – Place p is a multiple place (IEC 1725/12): place p is drawn twice, one copy being
connected with transition t]
[Figure 3 – Marking on p after firing of transition t (IEC 1726/12): both copies of place p show
the same marking]
4.4.1.4 Global variables
The use of global variables is similar to that of multiple places. The activation of a transition
can be conditioned on the value of global variables or predicates. In addition, firing such a
transition may change the value of global variables through the use of assertions and
predicates.
[Figure 4 – The activation of t depends on the value of V (IEC 1727/12): transition t between
places p and q, annotated with the guard ?V and the write action !¬V]
In the net in Figure 4, transition t in the depicted state is only enabled if the global variable V
is true (? is a ‘reading’ operator, i.e. ?V serves as a guard, reading the value of the global
variable V). Firing t will mark place q, unmark place p and set V to false (! is a ‘writing’
operator, i.e. !¬V sets the value of the global variable V to false; ¬V means ‘not V’). In this
context, one often speaks of ‘read’ and ‘write’ actions or of assertions.
4.4.2 Relationship to the concepts of dependability
Petri nets of industrial size are often modularized in various communicating sub-Petri nets,
see e.g. [11] and [12].
In the context of dependability, local events, such as failures or repairs, can be modelled by
transitions, and local states, such as faults, can be modelled by places. Therefore, the name
associated with every node primarily represents the corresponding dependability feature and
indicates the related device, if required. If the concepts of PNs are interpreted in this way, one
can speak of ‘dependability interpreted PNs’.
Table 4 gives an overview of corresponding concepts between systems in general, Petri nets
and concepts of dependability. It does not include all possible interpretations of failures or
faulty states.
Table 4 – Corresponding concepts in systems, Petri nets and dependability
Aspect     System        Petri net     Dependability
Dynamic    Event         Transition    Failure, Repair
Static     Local state   Place         Faulty, Operating
NOTE Failure and repair are only examples of events relating to dependability; faulty and operating are only
examples of states relating to dependability. Further examples are first failures or degraded failures and states.
These concepts may be used as a ba
...