A Petri net approach for performance modelling of polymer electrolyte membrane fuel cell systems

Fuel cells are promising technologies for zero-emission energy conversion and power generation. However, durability and reliability are among the main barriers to their commercialisation. Clearly the system performance depends on the reliability of the overall system including both the stack and the balance of plant. This paper seeks to introduce a modelling approach based on the Petri net method for the performance analysis of fuel cell systems. The proposed Petri net model intends to simulate the operation of the fuel cell stack and its supporting system to predict the system performance based on the system structure, along with the components deterioration process. The model considers the causal relationship between the operation of the balance of plant and the fuel cell stack performance. Purging is performed periodically in order to restore some of the voltage loss due to water accumulation or impurities within the cell. Failures of single components of the supporting systems are considered, which will have an immediate effect on the output voltage as well as long term effects on the stack performance.


Introduction
Reducing carbon emission by developing innovative, high quality and highly reliable low emission power generation sources is a main aim of the UK energy sector in order to meet the UKs Climate Change Act (2008) target to reduce emissions by 80% by 2050. In this context hydrogen and fuel cells are promising technologies for zero-emission energy conversion and power generation. Fuel cells are electrochemical devices that convert the chemical energy of a fuel into electrical energy by reaction with oxygen or other oxidising agents. As a result of the chemical reactions taking place within the cell, electrical energy is produced along with heat and water. Fuel cell technologies are suited to a wide range of applications, from portable to transport and stationary systems. In order to meet the power demand of a given application, single cells are connected in series to form a stack. The stack is only the core of a wider system supporting the stack operation, including equipment for storage and supply of reactants, cooling and water management system, power conditioning and a control unit. High costs, short lifetime, durability and reliability are the main barriers to their commercialisation. Quantifying the long-term performance and durability of fuel cell is difficult because of the lack of a deep understanding of the deterioration processes occurring within the cell. Lifetime, durability and performance requirement of fuel cells stacks vary with the application. The required lifetime of fuel cells stacks range from 3000/5000 operating hours for automotive applications, up to 40,000 h for stationary applications [1,2]. However, the lifetime of a fuel cells stack is difficult to estimate; standard engineering measures of lifetime such as mean time to failure (MTTF) are difficult to specify since fuel cell's performance degrades gradually due to the ageing of its components and degradation rates strongly depend on the cell operating conditions. The gradual decline of voltage is usually given in units of millivolts per 1000 h and an average degradation rate range of 1e10 mV h À1 over the entire lifetime is commonly accepted for most applications [1]. The fuel cells stack is considered to fail whenever it is not able to provide the required power output, either temporarily and permanently, in which case the stack needs to be replaced. The purging of the stack is performed periodically in order to eliminate impurities and water accumulated inside the stack and therefore to restore the reversible voltage losses.
Very little information on polymer electrolyte membrane (PEM) fuel cell systems reliability is available in the literature. In Ref. [3] Feitelberg discusses the field reliability of a fleet of PEM fuel cell systems developed over a period of three years and shows its improvement by means of a combination of hardware and software changes to the original product. The authors provide the most frequent causes of failure observed and specify that the stack contributes to failure more than any other component. Literature on modelling of fuel cell reliability is still at its infancy and is mainly focused on the application of fault tree analysis. A fault tree is a top-down representation of the state of the system given in terms of the state of its components. Placca [4] performs a fault tree quantitative analysis for modelling degradation mechanisms affecting a single PEM fuel cell. The authors construct quantitative fault trees listing the basic events leading to degradation of the membrane, the catalyst layers and the gas diffusion layers. Degradation rates are collected from the literature and specified for each basic event, along with the test conditions in which those degradation rates were obtained. However, the data used refer to different materials, operating conditions and test methodologies and therefore are subjected to uncertainty. Yousfi-Steiner [5] uses fault tree analysis to gain a better understanding of PEM degradation associated with water management. Water management has a determining impact on fuel cell performance, compromising cell stability, reliability and durability. The authors classify the failures related to improper water management into two groups: flooding and drying out. The authors review in detail the influence of operating conditions and parameters, concluding that gas flow rate, relative humidity, temperature and current density have a major effect on water balance. Then they build simplified fault trees where variations of the aforementioned parameters are given as basic event for flooding and membrane dry-out issues. Rama [6] provides a structured review of the degradation processes occurring within PEM fuel cells and leading to performance losses and cell failures. Causes and effects of degradation mechanisms and failures are systematically organized in terms of irreversible increase of activation losses, ohmic losses, mass transportation and efficiency losses. For each loss mechanism the authors provide a table detailing the components involved, the fault as well as the cause. In Ref. [7] the authors translate the failure mode and effect analysis performed in their previous work into fault tree diagrams. The degradation mechanisms that induce performance losses are organized into five fault trees. Each diagram depicts how basic events involving the different fuel cell components can develop into each of the five losses mechanisms (activation, ohmic, mass transportation, efficiency losses and catastrophic cell failures). Although fault tree diagrams can provide a list of causes leading to cell degradation, this analysis technique is not capable to reproduce the complexity of the degradation mechanisms leading to performance loss. Fuel cells loss of performance and failures are the result of continuous degradation processes. Degradation rates can vary drastically depending on the concurrency and combination of different operating conditions, and fault tree diagrams do not catch those dependencies between events and influencing factors. In order to account for data unavailability and uncertainty, Mangoni [8] suggests a probabilistic approach to evaluate the reliability of a single PEM fuel cell. The reduction of power output is modelled as a random variable described via a beta distribution. Tanrioven [9] presents a state-space method for modelling reliability of PEM Fuel cell power plants. In particular the authors use the Markov state-space equation to calculate system reliability. The Weibull distribution is used to generate transition rates, while fuzzy logic is applied in order to estimate the state of health of the auxiliary components during operational lifetime. Mathematical models based on mechanistic and empirical approaches have been used in the literature to predict both the steady-state and the dynamic performance of a single fuel cell or a stack. In order to compute the stack (or single cell) voltage, most of these models make use of empirical equations providing the voltage variation vs the current based on observation and data fitting of polarization curves. The most used empirical equation for the description of the voltage as a function of current density over the entire current density region was first introduced by Kim [10]. However, the coefficients appearing in those formulations depend on the operating conditions and therefore need to be re-evaluated for every change of the operational parameters.
This paper seeks at introducing an initial modelling method for the performance analysis of fuel cell systems including the stack and the supporting system. The model intends to simulate the operation of the fuel cell stack and its supporting system over the prescribed lifetime to predict the system performance based on the system structure and the components deterioration processes. The model takes into account the causal relationships between the operation of the balance of plant (BOP) and the fuel cell stack performance. Malfunctioning  shape parameter of the Weibull distribution g location parameter of the Weibull distribution i n t e r n a t i o n a l j o u r n a l o f h y d r o g e n e n e r g y 4 1 ( 2 0 1 6 ) 1 2 2 4 2 e1 2 2 6 0 inadequate operating conditions, with both immediate and long term effects on stack performance. The model describes  the influence of those faulty operating conditions on stack  voltage losses. The model uses stochastic distributions to  generate times when failures occur or threshold values for  performance indicators such as fuel cells voltage are reached given the mean time to failure of components and degradation rates. The stochastic approach also accounts for the variability of degradation rates with operating conditions. In this paper, the Petri Net method has been considered as a modelling framework for the description of the fuel cell and its supporting system. To the best of the authors' knowledge there is only one example in the literature featuring the application of Petri net for computing the reliability of polymer electrolyte membrane fuel cell stacks [11]. However, while the model in Ref. [11] includes the stack only, in the paper presented here the boundaries of the model are extended to include the balance of plant. Numerical applications are performed using data collected from the literature. However, voltage decay rates collected from the literature are subject to uncertainty because they refer to different tests methodologies and conditions as well as different materials and stack structure. The use of a stochastic approach allows taking into account data uncertainty and variability but clearly the accuracy of results depends on the amount of available data.

Fuel cell performance degradation
Fuel cells performance gradually degrades due to chemical, thermal and mechanical deterioration. Ageing of materials and contamination are irreversible and unavoidable processes leading to long term degradation and culminating in the loss of performance below a given threshold value. Ageing mechanisms within PEM and DMFC are reviewed by Knights [1]. Ageing mechanisms include catalyst migration and agglomeration leading to a gradual loss of the electrochemically active surface. The catalyst can dissolve into the electrolyte and reduce its proton conductivity. Contamination is due to air pollutants and fuel impurities, as well as ions resulting from corrosion of different parts of the cell such as sealing materials. Impurities can also be deposited on the catalyst compromising the active surface. The membrane can be subjected to cracks formation due to congenital defects and/or improper membrane assembly fabrication; cracks, perforations and pinholes usually lead to early life failures. A general review of PEM fuel cells durability issues is given in Ref. [12] where degradation mechanisms and corresponding mitigation strategies for the membrane, gas diffusion layers (GDL), catalyst and bipolar plates (BPP) are considered. Those deterioration processes can be exacerbated by detrimental operating conditions. For instance one or more cells in the stack may undergo phenomena such as reactants starvations and flooding or membrane dryness due to inadequate water management. A review of the main parameters affecting longterm performance and durability of PEM fuel cells is provided by Schmittinger [13]. In this paper the authors analyse flooding and membrane dehydration, as well as corrosion of electrodes, fuel cell contamination and reactant gases starvation.
Heat management impact on fuel cell performance and durability is considered as well. Disadvantageous operating conditions involve inadequate reactant flow rate, high stack temperature, and low or high relative humidity. The degradation of fuel cell components results in reduction of the output voltage. In the next section the effect of the variation of such operating parameters and water management on fuel cell deterioration and output voltage degradation are summarized.

Relative humidity
Water management has a great impact on cell performance and it is a key factor for cell reliability and durability. Water management is aimed at balancing two conflicting needs: to maintain adequate membrane hydration and avoid electrodes flooding. For PEM fuel cells the voltage degradation mechanisms associated with water management are reviewed by Yousfi-Steiner [5], where the factors influencing flooding and membrane dry-out issues are analysed. Water is formed at the cathode as a result of the oxygen reduction. Back diffusion transport drives part of the water through the membrane towards the anode due to the concentration gradient of water between the two electrodes. The excess water at the cathode must be eliminated from the catalyst layers in order to avoid water accumulation which eventually leads to cathode flooding and blockage of the GDL pores and the flow channels in the bipolar plates. Water flooding issues are investigated by Li [14] where the effects of the gas diffusion layer, flow field design and operating conditions on flooding are considered. Flooding at the cathode is more common than anode flooding but the latter has hazardous effects on cell functionality since it results in fuel starvation and carbon support corrosion, with disastrous consequences on cell performance. Water is eliminated by evaporation in the reaction air and then exhausted through the GDL and the flow channels at the outlet. Operating conditions such as high current densities, low reactants flow and low temperature create the conditions for flooding phenomena. Flooding leads to immediate voltage drops due to the water blocking the pores of the GDL and the flow channels of the BPP thus preventing the reactant gases from reaching the catalyst layers and leading to starvation. Persistent flooding conditions promote electrodes and BPP corrosion and aggravate contamination phenomena by increasing diffusion of contaminants leaking from corroded components or other impurities. The relationship between water management, contamination and fuel cell lifetime degradation is considered by St. Pierre [15]. Flooding is particularly harmful at sub-zero temperature conditions as water in the flow channels may freeze leading to complete reactant gases starvation. In order to remove excess water a periodic purging of both cathode and anode needs to be performed. Purging is also necessary to remove impurities and accumulated inert gases from the cell. Air is used to purge the cathode while hydrogen is usually used at the anode. In addition high temperature and low current densities lead to insufficient water content resulting in membrane dryness. This causes a reduced proton conductivity of the membrane and slows down the kinetics of the chemical reactions, increasing activation and ohmic losses and resulting in voltage drops. Dry membranes are prone to cracks and gas crossover leading to mass transportation losses and consequential voltage losses. In order to maintain a desirable humidification level within the cells, reactant gases are often humidified before entering the stack.

Stack temperature
PEM fuel cells are designed to operate at relatively low temperatures, between 60 and 80 C. In order to prevent cell overheating, the heat produced at the cathode side during operation must be dissipated. High temperatures mainly promote membrane and catalyst degradation while low temperatures are not favourable for the reactions kinetics and produce flooding. Although part of the heat is removed by the reactant gases and product stream, an external cooling system is needed in order to maintain the desired stack temperature. The system at hand includes an air cooling system with separate air flow. A fan blows the cooling air that will circulate inside the stack through separate channels of the BPP. Any reduction in the cooling system performance will increase stack operating temperature leading to a reduction of output voltage. The temperature of the inlet reactants is controlled and regulated by means of intercoolers. Temperature reduction is needed particularly for the reactant air coming from the compressor.

Low reactants flow and reactants starvation
Reactant starvation occurs when the fuel cell operates at substoichiometric conditions, namely when the quantity of the reactants is not sufficient to complete the chemical reactions. Improper gas supply may be due either to failures in the reactants supply system or flooding conditions which cause uneven gases distribution among cells in the stack, or even complete starvation of single cells. Fuel and oxidant starvation causes sudden voltage drops and accelerate cell performance degradation. Starvation issues are analysed in terms of causes, consequences and diagnosis by Yousfi-Steiner [16]. A main issue of gas starvation is the cell reversal phenomenon related to the presence of hydrogen at the cathode and oxygen at the anode, which leads to a reversal of the cell potential.
Complete fuel starvation of one or more cells in a working stack can occur. In such a case, the hydrogen is not available for the oxidant reaction at the anode and the cell is driven in the so called "reversal" state, with the anode potential being higher than the cathode. The anode potential will rise to a level that triggers water hydrolysis with consequent formation of oxygen at the anode, and carbon corrosion in order to provide the protons and electrons in order to sustain the required load during operation. Consequently, carbon corrosion releases CO and CO 2 contributing to cell contamination, and causes loss of catalyst. Fuel cell reversal increases corrosion of cell components leading rapidly to unrecoverable damage. Partial fuel starvation of the active anode area of the cell can be caused by a local undersupply of hydrogen and hydrogen/air front passing over the anode active area during start-up and shut-down of the stack. During shut down, air may diffuse into the anode creating an air/fuel front. After shut-down and during restart the presence of air at the anode may cause local fuel starvation; the cathode potential may rise above the open circuit voltage (OCV) value (z1 V) leading to cathode carbon corrosion [17]. Therefore, complete or local fuel starvation causes abnormal electrodes potential leading to quick and irreversible corrosion of the carbon support layers. Eventually, carbon corrosion leads to accelerated loss of the active surface area and change in GDL porosity, thus contributing to irreversible voltage losses. Inadequate reactants flow rate also lead to low partial pressure of reactants gases. As the air flows through the cell, the oxygen is used, therefore the oxygen concentration decreases and its partial pressure will reduce. Similarly, the hydrogen partial pressure decreases as the chemical reactions proceed. The concentration of reaction products decreases along with the corresponding partial pressure, resulting in a further decrease of output voltage. This effect is worst near the outlet channels as the reactants are used. A drop in gases partial pressure means a drop in their chemical activity and therefore results in reversible voltage.

The fuel cell system model
This research seeks to introduce a modelling approach based on the Petri net method for the simulation of fuel cell systems performance during operation over the prescribed lifetime. The model will support availability and reliability analysis of the fuel cell system. Petri net is a modelling tool very well suited to model dependencies and concurrencies within complex systems. Stack voltage decay is related to the value of the important operating parameters by means of empirical relationships. Failures of single components of the supporting systems are considered, which affect the value of the operating parameters and, in turn, the stack performance in terms of output voltage. Purging of the anode is modelled by specifying the intervals and duration of the purging cycles. The Petri net model of the fuel cells stack and its supporting system is organised in modules, each one dealing with a particular aspect of the system. The BOP module describes possible operating modes of the different parts of the supporting system which may cause the stack unit to either shut down or operate in a derated mode. The stack voltage module accounts for the voltage decay induced by stack ageing and non-ideal operating conditions. The modules are linked so that a failure in any components of the supporting system will affect the value of the operating parameters and, in turn, the voltage decay in the stack.

Fuel cell stack and balance of plant
The fuel cells stack is only the core of a bigger engineering system called the balance of plant. The BOP includes all the subsystems necessary to store and supply the reactants at the required pressure, flow rate, temperature and humidity. Those subsystems consist of pumps, control valves, blowers, pressure regulators, compressors, electric motors, intercoolers and power conditioning to regulate or convert the output voltage, and a system control. However, the overall structure of the BOP depends on the type of fuel cell, the fuel used and the application. The reliability of the entire fuel cell system depends on both the reliability of the stack and the i n t e r n a t i o n a l j o u r n a l o f h y d r o g e n e n e r g y 4 1 ( 2 0 1 6 ) 1 2 2 4 2 e1 2 2 6 0 auxiliary components of the BOP. The system analysed in this paper ( Fig. 1) consists of a four PEM fuel cell stack fuelled with pure hydrogen. The oxidant reactant is oxygen and is provided by blowing the stack with pressurised air. The desired air flow rate and pressure are assured by a compressor driven by an electric motor (air reaction supply system). The hydrogen is stored in a high pressure tank and is provided to the stack at the required flow rate by means of a reduction valve (hydrogen supply system). PEM fuel cells are designed to operate at a temperature range of 60e80 C, therefore a cooling system is needed to dissipate the heat produced during operation and keep the stack temperature within this range. The system at hand is cooled by air blown by a fan through the proper channels inside the bipolar plates. A purge valve is located at the anode exhaust to perform periodic purge of the anode.
During operation, failure of BOP components contributes to reduce the power output and may lead to system breakdown. The correct operation of the different parts of the engineering system directly affects the main operating parameters such as reactants flow rate and gases partial pressure, stack temperature, total pressure and water content thus influencing the stack performance. Variations in the value of the aforementioned parameters may hasten the deterioration processes occurring within the stack, thus accelerating physical degradation of components and reducing stack durability. Therefore the lifetime achievable is a trade-off between cells physical characteristics, depending on the materials used, the design and assembly of the cells and the stack, the operating conditions and the reliability of the BOP components.

Petri nets
A Petri net is a directed, weighted bi-partite graph where nodes are places and transitions connected by arcs [18]. Places may represent physical resources, conditions or the state of a components/system. Tokens are held in places and the number of tokens in each place, referred to as marking of the petri net, represents the state of the system at a certain time. The flow of tokens through the network represents the dynamic of the system and is governed by transitions.
Transitions represent events that make the status of the system change. Arcs only connect places with transitions (input arcs) and vice versa (output arcs). A particular type of arc called inhibitor edge can be used to inhibit the firing of a transition under certain circumstances. Arcs are characterised by a multiplicity. The distribution of the tokens over the places of the net is called marking. The marking of the net along with the multiplicity of the arcs determine the enabling conditions for each transition. Petri nets in which a firing time is associated to transitions are called Timed Petri net. Firing of transitions is ruled as follow.
, The transition must be enabled, namely the number of tokens contained in the input places must be at least equal to the multiplicity of the associated input arcs, and the number of tokens in the places connected by inhibitor arcs must be lower than the arcs multiplicity. , Once the transition is enabled, the transition will fire after a period of time t whose value depends on the type of transition. Deterministic transitions have an associated fixed firing time which is 0 for immediate transitions. For stochastic transitions the firing time is sampled from a probabilistic distribution. , When the firing time is reached and the transition fires, a number of tokens is removed from the input places, which is equal to the associated arc multiplicity. Analogously, a multiplicity of tokens is added to the output places.
Petri nets can be further extended for a better description of complex systems into Timed Coloured Petri nets [19,20], in which tokens carry information called "colours". Token colours may contribute to define enabling conditions for the transitions. Furthermore, different "firing modes" can be defined for the same transition depending on the colour of the tokens involved. In a Petri net representation, places are represented by circles and transitions by rectangular boxes; input and output arcs are represented by arrows while inhibitor edges have circular head instead of arrow head.
The Petri net is clearly a modelling methodology featuring great potential for extension in order to account for more complex systems' behaviours. In this paper the authors have  introduced new features for a more efficient description of the fuel cell system. A description of the extended Petr net is provided in the next section.

New definitions for Petri nets
The extended Petri net presented in this paper is a tuple ðP; T; A; E; S; FÞ where P is the finite set of places P ¼ fp 1 ; p 2 ; …; p m g, T is the finite set of transitions T ¼ ft 1 ; t 2 ; …; t n g, A is the finite set of arcs A4ðP Â TÞ∪ðT Â PÞ; E is the finite set of expressions defined for the arcs that contribute to the enabling conditions for the transitions, S is the set of tokens type S ¼ f,; x; y; …g, G is the set of functions associated to the transitions G ¼ fg 1 ; g 2 ; …; g k g.
Along with the standard tokens which simply represent a mark in a place and are therefore comparable to Boolean variables, the model contains tokens which represent the value taken by the variables of the fuel cell system such as the hydrogen flow, the stack temperature and the stack voltage. All the variables used to describe the system dynamic will be defined in the following sections. Standard tokens are represented by black marks <> and are used to mark places that represent the state of a component, for example working or failed. Coloured tokens are indicated by the corresponding variable between brackets, for example <x> and are used to mark places representing system variables. A number of functions can be defined for transitions, each function representing a specific firing mode. Such functions involve the variables defined for the input places. The arcs are labelled with expressions that contribute to define the enabling conditions for transitions. A transition may be enabled with respect to one or more of its functions. When the transition fires, the enabled functions are evaluated and the resulting values are then transferred to the output places according to the arcs multiplicity. Unlike standard Petri net, where a multiplicity of tokens is always removed from the input places when transitions fire, in this extended Petri net transitions not always remove tokens from their input places but simply "read"the token value. In such cases the input arc is represented as a dotted arrow. Fig. 2 shows the symbols used in this paper to represent the conventional and non-conventional places and transitions.
The example in Fig. 3 shows a non-conventional Petri net before (a) and after (b) the transition fires.
Place p1 is a conventional place containing a standard token; places p2 and p3 contain non-standard tokens. As indicated in the label, transition t1 is stochastic with firing time exponentially distributed with rate m. Transition t1 when firing, read the values of the variables <x> and <y> in p2 and p3 respectively, and add a non-standard token <z> to place p4 with value given by <x þ y>.

Petri net analysis
The Petri net model of the considered system is solved via Monte Carlo simulation [20,21]. For each simulation, the firing times of stochastic transitions are randomly sampled from the appropriate statistical distributions and tokens are moved accordingly through the network until the prescribed lifetime of the system is reached. Each simulation run represents a statistical experiment. For each run, data of interest to evaluate the performance of the system are collected. An adequate number of experiments must be run, each of them by sampling data from probabilistic distributions, in order to achieve convergence of the results. During simulations, information such as the number of times a specific place is marked or the time duration that a token resides in a particular place can be recorded. This provides knowledge of the number of times the stack voltage is below a given thresholds and for how long.

The balance of plant module
The balance of plant of the system at hand accounts for six main subsystems: the hydrogen supply system, the air reaction supply system, the cooling system, the reactants humidification system, the control unit and the power demand system. The latter only models electrical load variations. The control unit is responsible for controlling and regulating the operating parameters based on the measurements revealed by sensors. A basic assumption is that in normal operating conditions and steady-state operation the controllable operating parameters are kept constant. Therefore the gas flow rate is kept constant and such to provide a stoichiometric ratio for hydrogen and reaction air of 1.2 and 2 respectively. Equally, the humidification system operates in order to humidify the gases to 100% relative humidity at 60 C. In the following sections the Petri net models for each subsystem are described; details of all places and transitions are also detailed in Table A.1 and A.2 in Appendix A.

The hydrogen supply system
The stack unit must be provided with a continuous flow of fuel in order to sustain the power demand. Insufficient fuel supply leads to fuel starvation with consequences on both the stack output and the stack health. Hydrogen is supplied from a pressurised tank by means of a pressure valve which regulates the flow and pressure of the inlet fuel (Fig. 4).
A sensor located after the valve, measures the flow and sends the measurement to the control unit. Based on the measured and the desired flow, the control unit sends a signal to the actuator that will set the valve to the position required in order to provide the desired hydrogen flow.
Inadequate hydrogen flow supply may depend either upon a failure of the valve or a failure of the sensor. In fact, incorrect measurements prevent the control unit from setting the valve to the proper position, while a failure of the valve will prevent the actuator from changing the valve position when requested. The PN in Fig. 5 represents the hydrogen supply module including both the sensor and the valve failures.
The required hydrogen flow rate is indicated here by the non-standard token <H r > held in place p1. On the other hand, the actual flow rate provided by the system is indicated by the non-standard token <H a > held in place p2. Two possible states are defined for the valve: a working state represented by place p10 and a failed state represented by place p11. Places p10 and p11 are marked with standard Boolean tokens. When the valve is working correctly, the control unit can set the position of the valve in order to provide the required flow. During operation the valve may fail. The valve may remain stuck in the current position so that no control can be applied on it in order to regulate the flow (none of transitions t5 to t7 are enabled). This event is represented by the firing of transition t14 that will remove a token from place p10 and add a token in place p11 meaning that the valve is now in the failed state. In this situation the actual flow cannot be adjusted according to the new demand and therefore starvation occurs, or alternatively loss of fuel may arise if the flow is below or above the required flow respectively. However the control action also depends on the measurement provided by the sensor. The working state for sensor is represented by place p7. When p7 is marked, transition t3 is enabled and fires. Firing of t3 involves (1) resetting to null any previous measurement (this function is indicated by the symbol R placed next to the transition), (2) reading the value <H a > in place p2, and (3) adding a token <H m > with the same value as <H a > to place p4 which indicates the correct measurement. Upon failure, two possible failed states can be reached. A failed state where the sensor detects lower measurements is represented by place p6, while place p8 indicates a failed state causing higher measurements. Firing of stochastic transitions t8 or t9 represents the occurrence of such failure events. If the sensor is in state p6 (lower measurement), transition t2 is enabled. Firing of t2 implies (1) resetting any previous measurement, (2) reading the current value <H a >, and (3) adding to place p3 a token <H m > with a value lower than <H a >. The control action set the position of the valve based on the measurements provided by the sensor. Therefore, depending on which place among p3, p4, and p5 is marked, one of transitions t5 to t7 will fire. This involves reading the value of the required flow <H r > in p1, changing the flow currently provided in p2 by the difference between the measurement and the required flow. The loop p13-t17-p14-t18 represents the inspection process. When the system is inspected place p13 is marked and failures of the sensor and the valve, if occurred, are revealed (transitions t12, t13 and t15 may fire adding a token in places p9 or p11). Once a failure is revealed, it is assumed that a maintenance action takes place, represented by firing of transitions t10 or t11 for the sensor, and t16 for the valve. The transition time is randomly selected from a stochastic distribution and depends on the mean time to repair of the component involved. When repair is performed on the failed component, the marking indicating the working state is restored. At this stage it is assumed that after repair, components are restored to the normal working state.

Air reaction supply system
The oxygen used by the cells to complete the reaction at the cathode side is derived from air. Air is supplied to the stack by means of a blower (Fig. 6).   Failures causing the blower to stop or working at a lower speed than required result in a reduced air flow. It is assumed that in normal operating conditions the blower speed can be regulated in order to provide the required air reaction flow rate. The Petri net for the air supply system is given in Fig. 7.
The desired air reaction flow is indicated by non-standard token <A r >, held in place p15, while the actual air flow currently provided is indicated by <A a > held in place p16. Transitions t23, t24 and t25 simulate the control on the fan speed that depends on the measurement provided by the sensor according to the same principles as for the hydrogen supply system. The failure and repair processes of the sensor, as well as the sensor measurement process, are the same as for the hydrogen supply. Place p24 represents the fan in its working state. During operation the blower can either stop or spin at a lower speed. These possible failed states that the blower can experience are represented by places p25 and p26 respectively. If the fan stops, transition t33 will fire removing the token from place p24 and adding a token in place p25. If the fan spins at a lower speed transition t34 will remove the token from p24 and add a token in p26. In both the situations i n t e r n a t i o n a l j o u r n a l o f h y d r o g e n e n e r g y 4 1 ( 2 0 1 6 ) 1 2 2 4 2 e1 2 2 6 0 described above, no control can be applied on the fan in order to change the speed. This means that none of the three transitions t23, t24 and t25, representing the control action, will be enabled. When the fan is not working and therefore place p 24 is empty, transition t32 is enabled and by firing it changes the provided air flow <A a > in p16 to a lower value. Components' failures are revealed upon inspection and repair will bring the components back to their working state.

Cooling system
The cooling system is responsible for maintaining the stack temperature within the operating range. If the fan either slow down or stop working, the stack temperature will increase. Higher temperatures magnify the drying effect of the reaction air leading to low levels of cell relative humidity. On the contrary, if the system is overcooled, the stack temperature will decrease thus slowing down reaction kinetics and contributing to flooding. Flooding will exacerbate catalyst losses and therefore contributing to activation losses, while the membrane dryness will reduce membrane proton conductivity and increase ohmic losses. Furthermore, the membrane will be prone to cracks if subject to prolonged times in dry conditions, thus leading to fuel cross over. The recommended operating temperature is assumed to be within the range 60e70 C. When the current drawn increases to sustain a higher power demand, the heat production rate also increases. In such circumstances the cooling fan must be set to a higher speed in order to improve the heat dissipation rate and therefore maintaining the stack temperature within the desired range. The cooling air is provided by a blower as for the reaction air (Fig. 8).
The corresponding PN depicted in Fig. 9 is almost identical in structure to the one representing the air reaction fan, with just a few differences.
The current stack temperature is represented by the nonstandard token <T a > in place p29 while the desired stack   temperature is indicated by the non-standard token <T r > held in place p28. Failure and repair processes of the fan are the same as for the air reaction supply system. The same stands for the sensor failure and repair process, the measurement process, the control action and the inspection process. When the fan fails, and place p37 is therefore empty, transition t50 fires and changes the current stack temperature <T a > in p29 to a higher value.

Humidification system
In order to maintain the humidification of the membrane, reactant gases are humidified before entering the stack. Here it is assumed that the relative humidity of the system at 60 C must be 100%. Higher levels are not desirable because they contribute to flooding issues, while values below 100% lead to membrane dryness with consequent reduction of proton conductivity and mechanical deterioration of the membrane. The humidification system considered in this work accounts for two main components: a pump to provide water from a water tank, and a valve to regulate the water flow to be injected into the reactant gases (Fig. 10).
The sensor as well as the control action, works similarly to the other subsystems of the BOP. In the PN in Fig. 11 place p50 represents the humidification system in its working state. The humidification system may fail due to either a pump failure or a valve failure. The valve failure process is the same as for the hydrogen supply system. When the pump fails no water is provided at all. The failed state for the valve is indicated by place p52 while the failed state for the pump is represented by place p51. The occurrence of the failure events leading to the above mentioned failed states are represented by firing of stochastic transitions t69 and t70 respectively. If the humidification system fails, it is assumed that the relative humidity falls below the threshold value. This is indicated by firing of Fig. 9 e Petri net of the cooling system. Fig. 10 e Schematic representation of the humidification system. i n t e r n a t i o n a l j o u r n a l o f h y d r o g e n e n e r g y 4 1 ( 2 0 1 6 ) 1 2 2 4 2 e1 2 2 6 0 transition t68 as soon as the system fails (place p50 unmarked); this will change the current relative humidity <RH a > in p42 below threshold. However, the relative humidity of the stack is strongly influenced by the stack temperature and the air reaction flow as well. If the stack temperature and the air reaction flow are below and above the required values respectively, then transition t74 fires and changes the current relative humidity <RH a > in place p42 below 100% (dry conditions). On the other hand, if the stack temperature and the air reaction flow are above and below the required values respectively, then transition t74 fires and changes the current relative humidity <RH a > in place p42 above 100% (flooding).

The stack output voltage module
Stack voltage output gradually decreases as a result of ageing and deterioration processes. The voltage decay rate can increase severely as an effect of adverse operating conditions. In particular, high stack temperature, low humidity levels, inadequate gases flow rates, presence of contaminants agents, load cycles and OCV can be classified as non-ideal operating conditions that negatively affect stack lifetime. Purging is performed periodically in order to recover part of the voltage lost. Fig. 12 shows the Petri net for the stack voltage module.
The stack voltage is represented here by the non-standard token <V> that moves between places p58 and p59 depending on its value being above or below the required threshold respectively. Transition t74 represents the degradation of stack voltage. Transition t75 fires when changes of the operating conditions cause an increase of the degradation rate. Firing of this transition will remove the token <V> from p58 (or p59), update its value according to the new decay rate, and finally adding the new value <V> to either p58 or p59 depending on the update value being above or below threshold. Clearly the voltage decay rate according to which the stack output voltage decreases over time depends on the particular operating conditions. The values of the operating Fig. 11 e Petri net of the humidification system. i n t e r n a t i o n a l j o u r n a l o f h y d r o g e n e n e r g y 4 1 ( 2 0 1 6 ) 1 2 2 4 2 e1 2 2 6 0 parameters indicated by the marking of places p2, p16, p29, p42, p54, p55, p56, p57, contribute to define the operating conditions. For instance if <T a > in place p29, falls above the prescribed stack temperature, the corresponding operating condition defined in the model is "high temperature", to which correspond a given range of voltage decay rate (see Table 2, Section 4.2). The voltage decay rate is then considered as uniformly distributed within such range. The different operating conditions considered in the model analysis, along with the corresponding ranges of voltage decay rates, are defined in Section 4.2. Purging is periodically performed in order to recover part of the voltage lost. The purging cycle is represented in the Petri net by the loop p60-t76-p61-t77. When place p60 is marked, transition t76 is enabled and by firing it removes the token <V> from either p58 or p59, increases its value by a given percentage and then adds the new <V> to either p58 or p59. Transition t77 is deterministic and its firing time depends on the frequency of purging D p . The voltage variation over time due to changes of the decay rate, is approximated with a sequence of linear functions with slope depending on the particular operating conditions.

Model analysis
The Petri net presented in this paper contains nonconventional features that require the development of purpose-built software rather than exploiting commercially available programs for the model execution. The Petri net is simulated using the Monte Carlo method [21,22], widely used for the evaluation and optimisation of stochastic systems. Simulation aims at duplicating the system behaviour and can be considered a statistical experiment with each run of the model being an observation. The outcome of each simulation is recorded and the probability of a particular outcome can be evaluated. The goal is to estimate the expected system performance with respect to pre-defined performance criteria.   i n t e r n a t i o n a l j o u r n a l o f h y d r o g e n e n e r g y 4 1 ( 2 0 1 6 ) 1 2 2 4 2 e1 2 2 6 0 Sampling from a distribution is required for all stochastic transitions in the Petri net which represent events whose times of occurrence is not deterministic but follows a statistical distribution. Any distribution can be associated to the stochastic transition in order to sample the firing time. If it is assumed that the components of the BoP degrade over time, the time to failure follow a 2-parameter Weibull distribution [20] with cumulative distribution given by: where b is the shape parameter and h is the scale parameter.
Values of b > 1 indicate that the failure rate is increasing with time; this is representative of components that undergo ageing and wear out during their lifetime. A value of b ¼ 1 is representative of components with a constant failure rate. In this last case, the Weibull distribution becomes an exponential distribution and the scale parameter h is known as the mean time to failure (MTTF). The firing times of all stochastic transitions representing a component's failure event, are sampled from the associated Weibull distribution. For calculation of firing times, a random number X uniformly distributed in the range [0, 1] is generated and equated to the cumulative probability (1) This gives the sample time In the special case of b ¼ 1 the cumulative function is given by: and the sample time is Firing of transitions will then move the tokens around the network determining the dynamic evolution of the system state over time. When a transition fires, meaning that a particular event such as a component failure has occurred, the marking of the net changes indicating the new state that the system resides in. Each simulation represents one life cycle of the system and during the simulation statistics are collected in order to provide an indication of the system performance. N independent simulation runs of the system are performed from the specified initial conditions (initial marking of the Petri net), with N big enough to reach convergence of the results. The value of the variable of interest, which for the problem at hand is the system lifetime, is obtained and recorded in each run, and the estimate is evaluated as the average over the number of simulations.

System specification
In order to demonstrate the capability of the proposed methodology, the model has been simulated with the following assumptions and corresponding input data. A constant failure rate has been assumed for the components of the BoP and the corresponding values of MTTF and MTTR used in the simulations are detailed in Table 1.
In this paper, the observed voltage degradation rates obtained from long-term experimental tests have been collected from the literature [12,23e26], along with the corresponding test conditions whenever specified. Data from the literature and expert knowledge can provide only a qualitative assessment of the relationship between operating conditions and voltage decay rate because they refer to different materials and stack characteristics. However, based on the data collected, a ranking of the voltage decay rates with the variation of the operating parameters has been attempted ( Table  2) and implemented within the model.
It should be noted that the combination of undesirable values of the individual operating parameters can lead to even more severe degradation. These values have been used to demonstrate the capability of the model presented. Clearly, for real applications, the characteristics of the particular fuel cell system need to be used.
For normal operating conditions (steady-state operation, T stack ¼ 60e70 C, RH ¼ 100%) the voltage decay is assumed to vary in the range 1e10 mVh À1 . It is difficult to isolate and quantify the effect of individual operating parameters in terms of the voltage degradation rate because very often additional detrimental conditions were encountered during the tests reported in the literature. For instance in Ref. [23] the lifetime behaviour of a PEM fuel cell was studied for low humidification of the feed stream. Test results showed an initial voltage degradation rate of about 14 mVh À1 ; the degradation rate increased to 54 mVh À1 when fuel starvation occurred, and i n t e r n a t i o n a l j o u r n a l o f h y d r o g e n e n e r g y 4 1 ( 2 0 1 6 ) 1 2 2 4 2 e1 2 2 6 0 then decreased to 26 mVh À1 after adequate hydrogen flow rate was restored.
The voltage decay rate is considered here as a random variable uniformly distributed within each of the ranges detailed in Table 2. The system operation has been simulated under steady state conditions. Simulations are stopped when the voltage drops below the established threshold and is not recovered to an acceptable value (above threshold) after purging. The occurrence time of this event is considered to be the system lifetime and is recorded for each simulation along with the voltage variation over time. Fig. 13 shows the voltage variation over time resulting from a single experiment when

Probability -Weibull
Time, (t) Unreliability, F(t) 10  the threshold for the stack voltage is set to 3.6 V. The saw tooth shape is due to the purging which is assumed to be performed every hour and recovers part of the voltage lost.
Results 5000 simulations have been executed to ensure convergence of results is achieved. At the end of each simulation, the system lifetime, as defined in the previous section, is recorded and the expected value is evaluated providing the system average lifetime. It is assumed that the stack voltage reduction is required not to exceed 0.05%. Therefore, for the 4-cells stack with initial voltage 4 V, the stack voltage threshold is set to V lim ¼ 3.8 V. A plot of the average lifetime of the system against the number of simulations when the voltage threshold is set to V lim ¼ 3.8 V, is shown in Fig. 14  can be observed that the lifetime value stabilises at just over 6720 h. Fitting a distribution to the lifetime values generated by the model, it was found that they follow a 3-parameter Weibull distribution as shown in Fig. 15, where a histogram of the lifetime data for V lim ¼ 3.8 is plotted along with the estimated Weibull probability density function.
The cumulative distribution and density function for the Weibull distribution are given below: where h, b and g are the scale, shape and location parameters respectively. The scale parameter h is also called the characteristic life and indicates the life time at which approximately two-thirds of the population will have reached the prescribed threshold. The shape parameter b gives an indication of the rate of wear-out of the system. The location parameter, also known as minimum lifetime, indicates the minimum lifetime value in the population. The Weibull distribution plotted in Fig. 15 has a characteristic life h ¼ 5768.84, a shape parameter b ¼ 2.641 and a minimum life g ¼ 1605.7. The lifetime data resulting from the simulations can be analysed to extrapolate information on the unreliability of the system. In Fig. 16 the lifetime data is plotted in a linear form. If the data fit a 2-parameter Weibull distribution, the plot of the cumulative distribution values will form a straight line.
The curvature, as indicated here (plot on the right in Fig. 16), shows the existence of a failure free period of 1605.7. When this is accounted for, the resulting plot (plot on the left in Fig. 16) closely follows a straight line and therefore the 3parameter Weibull can be used to accurately represent the fuel cell system life. Fig. 17 shows the Weibull cumulative distribution function of the lifetime data, which represents the unreliability function giving the chance of experiencing a failure over any specified lifetime. For instance, the probability that the system will fail within 8000 h is approximately 0.76. Fig. 18 represents the system failure rate, also known as hazard rate, as a function of time. Since the shape parameter is greater than 1, the fuel cell system experiences an increasing failure rate. This is due to the wearing-out of the stack as a consequence of ageing and degradation mechanisms.
The behaviour of the system when different voltage threshold values are considered has been also simulated. In particular, five sets of simulations have been run, each for a different value of the stack voltage threshold, each set consisting of 5000 simulations. The corresponding average lifetime values and the parameters of the Weibull distributions are detailed in Table 3. The confidence intervals for the parameters of the Weibull distributions are provided as well in Table 4.
The model can be used to test different purging strategies. Fig. 19 shows the average lifetime plotted against the voltage threshold for two different purging intervals of 90 and 60 min. The plots show a non-linear relationship between the average lifetime and the voltage threshold. The average lifetime  i n t e r n a t i o n a l j o u r n a l o f h y d r o g e n e n e r g y 4 1 ( 2 0 1 6 ) 1 2 2 4 2 e1 2 2 6 0 decreases with increasing values of the voltage threshold. It also can be observed that the system performance in terms of average lifetime increases with the frequency of purging.

Conclusions
This paper introduces a model for the performance evaluation of fuel cell systems during operation. The model simulates the operation of the fuel cell stack and its supporting systems taking into account the causal relationships between the operation of the balance of plant and the fuel cell stack performance. The voltage degradation is related to the important operating parameters by means of empirical relationships.
Failures of single components of the supporting systems are considered, which affect the operating conditions and, in turn, the stack performance in terms of output voltage. Voltage degradation rates are needed in order to evaluate time to failure of the system. Numerical simulations are performed using data for voltage degradation rates collected from the literature. These data have been used here in order to demonstrate the capability of the model presented. The use of a stochastic approach allows taking into account data uncertainty and variability. The modelling process produces distributions of the output parameters as an alternative to the point estimates delivered by alternative methods. This enables an appreciation of the best and worst possible output lifetime as well as the expected system performance. The model can be used to support the design, operation and maintenance of fuel cell systems.  Sensor failed state revealed <> p50 Humidification system working <> p51 Pump failed <> p52 Valve failed <> p53 Failure revealed <> p54 Current drawn <I> p55 Number of start-up cycles <N> i n t e r n a t i o n a l j o u r n a l o f h y d r o g e n e n e r g y 4 1 ( 2 0 1 6 ) 1 2 2 4 2 e1 2 2 6 0  i n t e r n a t i o n a l j o u r n a l o f h y d r o g e n e n e r g y 4 1 ( 2 0 1 6 ) 1 2 2 4 2 e1 2 2 6 0 Non-conventional; 0 Partial recover of voltage due to purging t77 Conventional; 60 min and 90 min Start of purging process i n t e r n a t i o n a l j o u r n a l o f h y d r o g e n e n e r g y 4 1 ( 2 0 1 6 ) 1 2 2 4 2 e1 2 2 6 0