design, analysis and verification of real-time systems based on time
Post on 14-Apr-2018
Design, Analysis and Verification of Real-Time Systems Based on Time Petri Net Refinement
ZHIJUN DING and CHANGJUN JIANG, Key Laboratory of Embedded System and Service Computing, Ministry of Education, Tongji University, China
MENGCHU ZHOU, New Jersey Institute of Technology
A type of refinement operations of time Petri nets is presented for design, analysis and verification of complex real-time systems. First, the behavior preservation is studied under time constraints in a refinement operation, and a sufficient condition for behavior preservation is obtained. Then, the property preservation is considered, and the results indicate that if the refinement operation of time Petri nets satisfies behavior preservation, it can also preserve properties such as boundedness and liveness. Finally, based on the behavior preservation, a reachability decidability algorithm of a refined time Petri net is designed using the reachability trees of its original net and subnet. The research results are illustrated by an example of designing, analyzing and verifying a real-time manufacturing system.
Categories and Subject Descriptors: D.2.2 [Software Engineering]: Design Tools and Techniques - Petri nets, top-down programming; D.4.1 [Operating Systems]: Process Management - Concurrency, multitasking; D.4.7 [Operating Systems]: Organization and Design - Real-time systems and embedded systems
General Terms: Design, Verification, Theory
Additional Key Words and Phrases: Real-time, refinement, reachability, automated manufacturing system
ACM Reference Format:
Ding, Z., Jiang, C., and Zhou, M. 2013. Design, analysis and verification of real-time systems based on time Petri net refinement. ACM Trans. Embed. Comput. Syst. 12, 1, Article 4 (January 2013), 18 pages. DOI: http://dx.doi.org/10.1145/2406336.2406340
1. INTRODUCTION
Along with the development of its theory and application, Petri net has been gradually applied to real-time systems that are an important research branch in the realms of computer applications and have been widely used in embedded system, computer communication, process control, factory automation, and robotics. All tasks in a real-time system are time-constrained. Its correctness not only depends on the logic correctness, but also time constraints of system outputs. Therefore, it is necessary to build a Petri net model involving time factors for analyzing a real-time system [Murata 1989].
When timing issues are introduced in Petri nets, several extended models are proposed including timed Petri nets [Hu and Li 2009a; Zuberek 1991], time Petri nets
This research was partially supported by National Basic Research Program of China (973 Program) (2010CB328100), National High-Tech Research and Development Plan of China under Grant No. (62009AA01Z141), National Natural Science Funds (60803032, 90818023), Program for New Century Excellent Talents in University, and Shanghai Rising-Star Program.
Authors' addresses: Z. Ding, Department of Computer Science & Technology, Tongji University, Shanghai 201804; email: zhijun ding@hotmail.com; C. Jiang, Department of Computer Science & Technology, Tongji University, Shanghai 201804; M. Zhou, Department of Electrical and Computer Engineering, New Jersey Institute of Technology, Newark, NJ.
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies show this notice on the first page or initial screen of a display along with the full citation. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, to redistribute to lists, or to use any component of this work in other works requires prior specific permission and/or a fee. Permissions may be requested from Publications Dept., ACM, Inc., 2 Penn Plaza, Suite 701, New York, NY 10121-0701 USA, fax +1 (212) 869-0481, or permissions@acm.org.
© 2013 ACM 1539-9087/2013/01-ART4 $15.00
DOI: http://dx.doi.org/10.1145/2406336.2406340
ACM Transactions on Embedded Computing Systems, Vol. 12, No. 1, Article 4, Publication date: January 2013.
[Berthomieu et al. 2007; Merlin and Farber 1976], and stochastic timed Petri nets [Molloy 1982]. Among these models, time Petri nets (TPN) proposed by Merlin and Farber [1976] are the most widely used formal models for real-time system design, simulation, and verification. However, it is still a great challenge for modeling and analysis of a complex real-time system via a TPN, since, first, building a TPN model is hard itself, and second, the model often faces a state explosion problem. To solve these problems, Wang et al. [2000b] define compositional time Petri net models for a command and control system, and propose a set of component-level reduction rules for TPN to implement the reduction of a complex model under the condition of preserving behavior properties with time constraints. Using basic routing structures, Tang and Liu [2006] transform TPN workflow model into hierarchical TPN workflow model to implement model abstraction and simplification. Liu et al. [2002] introduce linear-time reasoning rules of TPN workflow models based on basic routing structures of workflow, which can be used to stepwisely simplify a complex workflow model. These studies mainly focus on the aspect of equivalent reduction or transformation of a complex Petri net with time constraints to decrease the analysis complexity, but complex real-time system modeling and property analysis remain unaddressed. Since the refinement operation of Petri nets supports hierarchical modeling and decreases analysis complexity, it has been used as an effective method for designing, analyzing and verifying complex systems [Suzuki and Murata 1983; Valette 1979; Zhou et al. 1993]. Gurovic et al. [2000] introduce a refinement technique into TPN, define a type of refinement operations of TPN, and apply these operations to hierarchical modeling and analysis of traffic control systems. Felder et al. [1998] mainly study the temporal semantic preservation of refinement operations. They establish TRIO formulas for the temporal semantic representation of TPN, and define a set of refinement rules that satisfy temporal semantic preservation. Huang et al. [2004] provide a method for the refinement of a transition or place in Petri nets. Both behavioral and structural property preservations are studied. Furthermore, Ding et al. [2008] generalize the refinement model [Huang et al. 2004] to obtain a more general net refinement model and present three types of refined Petri nets according to the different composition of subsystems. Then, the language and property relationships among a subnet, an original net and a refined net are studied to demonstrate behavior characteristics and property preservation in a system synthesis process. But their work does not consider time constraints in the model. This article extends the model [Huang et al. 2004] into TPN, defines the refinement operations of TPN, and studies their behavior and property preservation. Furthermore, we provide an algorithm to decide if a state can be reached in a refined TPN given the reachability trees of its original net and subnet.
Compared with the work in Wang et al. [2000a, 2000b] and Liu et al. [2002], this article not only addresses behavior preservation of refinement operations with time constraints, but also studies their property preservation, which provides an effective way for complex system analysis and verification. Gurovic et al. [2000] consider property preservation of refinement operations based on a refinement model in Suzuki and Murata [1983], while our work is based on a refinement model in Huang et al. [2004]. Different models lead to different applications and verification methods. Due to the introduction of a time factor, it is more difficult to analyze the reachability of a TPN than that of a Petri net without time constraints. In this article, a reachability decidability method of TPN is for the first time presented based on refinement operations, which can effectively alleviate state explosion problem to analyze a complex system.
The rest of the article is arranged as follows: Section 2 introduces the basic concepts and related terms of TPN, and defines a refinement operation of TPN based on a standard subnet model. Section 3 defines the behavior preservation of the refinement operation, introduces a sufficient condition of a refinement operation to preserve
behavior and properties. Section 4 presents a reachability decidability algorithm of a refined TPN using the reachability trees of its original net and subnet. Section 5 illustrates the method by designing and analyzing a real-time manufacturing system. Section 6 makes concluding remarks.
2. PRELIMINARIES
We assume that readers have some knowledge of various terminologies of Petri nets. Readers who are unfamiliar with Petri nets, please refer to [Girault and Valk 2003; Hruz and Zhou 2007; Li and Zhou 2009; Murata 1989; Zhou and Venkatesh 1998] for the basic definitions and terms.
2.1. Time Petri Nets (TPN)
In a TPN, for each transition t T, two time values are defined SEFT(t) and SLFT(t), where SEFT(t) is the minimum time that the transition must wait after it is enabled and before it fires, i.e., its static earliest firing time, and SLFT(t) is the maximum time that the transition can wait before firing if it is still enabled, i.e., its static latest firing time. Formally, a TPN is defined as follows:
Definition 1. Let Z = P, T, F, W, M0, SI be a TPN, where PN = P, T, F, W, M0 is a Petri net, P is a finite set of places, T is a finite set of transitions, F (P T) (T P) is a flow relation, W : F {1, 2, 3, } is a weight function, and SI : T Q+ Q+ is a time interval function defined on transition sets, that is, for t T, SI(t) = [SEFT(t), SLFT(t)], in which Q+ is a set of positive rational numbers.
The state of a TPN is represented as a pair S = (M, I), where M is a marking, and I is a firing interval set of enabled transitions at state S, which is related with the arriving time value of state S. Because every state in a TPN is closely related with its arrival time, a reachable marking, reached from the initial marking, may have different arrival times corresponding to the same firing sequence. That is, the state space may be infinite. To solve this problem, Berthomieu and Diaz [1991] present a state class method, in which a state class of TPN is defined as C = (M, D), where M is a marking, and all states in a class have the same marking; D is a firing time interval set of all enabled transitions at the state class C, which is not related with the arriving time of a specific state, but related with relative firing time interval of state class C. It has been proven that for a bounded TPN the number of reachability state classes is finite. Therefore, a state class method can effectively solve the problem of the infinite number of states. However, state class is only associated with relative time interval, and time span between reachability states cannot be obtained, which results in the inconvenience of timeliness analysis or verification of modeled systems. Consequently, based on a state class, Wang et al. [2000a] define a clock-stamped state class introducing a global time to represent global arriving time interval of the state class. In addition, the following interval arithmetic will be used later: Let I1 = [a1, b1] and I2 = [a2, b2], with 0 ai bi +, i = 1, 2. Then we define I1 + I2 to be the interval [a1 + a2, b1 + b2] and I1 +I2 to be [a1 a2, b1 b2] [Wang et al. 2000a].
Definition 2. A clock-stamped state class (CS-class) of a TPN is defined as a 3-tuple C = M, D, ST, where M is a marking; D is a firing domain, i.e., a set of constraints on the values of the time to fire for transitions enabled by current marking M, in details, for ti : M [ti > , its firing interval is D(ti) = [EFT(ti), LFT(ti)], where EFT(ti) is the earliest firing time of ti, and LFT(ti) is the latest firing time of ti; ST is a global clock stamp providing arriving time interval of the state class.
Fig. 1. TPN model Z1.
In the following definition, a set of firing rules of TPN and a method for computing CS-class are given.
Definition 3. A transition tj T is said to be firable at a CS-class Ck = Mk, Dk, STk if the following transition firing rules are met:
(1) tj is enabled at Mk, i.e., Mk [tj > . The set of transitions enabled at Mk is denoted as E(Ck);
(2) EFTk(tj) min{LFTk(ti), ti E(Ck)};
(3) Let NE(Ck) be a set of transitions that begin to be enabled at Mk. If tj NE(Ck), then SEFT(tj) min{SLFT(t), t NE(Ck)} holds.
If tj is firable at CS-class Ck, then its firing results in a new CS-class Ck+1 = Mk+1, Dk+1, STk+1, where:
p P, Mk+1(p) = Mk(p) W(p, tj) + W(tj, p);
tf E(Ck+1), Dk+1(tf) =
    SI(tf) + STk+1, tf NE(Ck+1)
    [max{EFTk(tj), EFTk(tf)}, LFTk(tf)], tf / NE(Ck+1)
STk+1 = [EFTk(tj), min{LFTk(ti), ti E(Ck)}]
Given a TPN model Z, its initial CS-class is C0 = M0, D0, ST0, where M0 is an initial marking, D0 contains all the firing time intervals of transitions at C0, ST0 = [0, 0]. According to the transition firing rules, firing t0 at C0 leads to a new CS-class C1. Similarly, firing t1 leads to CS-class C2. Following this way, at Ci, firing ti leads to Ci+1. Finally, we can generate a firing sequence = t0 t1 ti of Z.
With the above firing rules and computing method, we can generate a reachability tree of Z, RT(Z, C0) with root node C0. Every node of the tree corresponds to a reachability state class. If firing t at CS-class Ci results in Cj, then connect Ci and Cj with a directed arc, and label the arc with t.
It is noted that the third condition of Definition 3 does not exist in Wang et al. [2000].
Let us consider a TPN model Z1 shown in Figure 1. In TPN model Z1, transitions t2 and t3 must be enabled simultaneously. However, t2 is always firable but t3 is not because static earliest firing time of t3 is more than that of t2. According to Wang et al. [2000], t3 is firable at CS-class C = M, D, ST, where M = p2, D = {D(t2) = [1, 6], D(t3) = [4, 10]} and ST = [1, 4], which satisfy the firing
rules as defined in Wang et al. [2000a]. Clearly, we have to add the third condition in Definition 3 to avoid the above problem.
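The effect of the third firing rule can be checked mechanically. The following Python code is an added example, not code from the article: it implements the firing rules and the CS-class computation of Definition 3, reading the comparison operators lost in this transcript as "less than or equal" and "not in". The net `Z1` built here is an assumption (Figure 1 is not reproduced on this page); its structure and static intervals were chosen so that firing t1 yields exactly the class C quoted above.

```python
from collections import namedtuple

# CS-class (M, D, ST) plus NE, the set of transitions newly enabled at M.
CSClass = namedtuple("CSClass", "M D ST NE")


class TPN:
    """Time Petri net: pre/post arc weights, static intervals SI, marking M0."""

    def __init__(self, pre, post, si, m0):
        self.pre, self.post, self.si, self.m0 = pre, post, si, m0

    def enabled(self, m):
        return {t for t, need in self.pre.items()
                if all(m.get(p, 0) >= w for p, w in need.items())}

    def initial(self):
        # C0: every enabled transition is newly enabled and ST0 = [0, 0].
        en = self.enabled(self.m0)
        return CSClass(dict(self.m0), {t: self.si[t] for t in en},
                       (0, 0), frozenset(en))


def firable(net, c, tj, third_condition=True):
    """Firing rules (1)-(3) of Definition 3; rule (3) can be switched off
    to reproduce the rules without the third condition."""
    if tj not in c.D:                                      # rule (1)
        return False
    if c.D[tj][0] > min(lft for _, lft in c.D.values()):   # rule (2)
        return False
    if third_condition and tj in c.NE:                     # rule (3)
        if net.si[tj][0] > min(net.si[t][1] for t in c.NE):
            return False
    return True


def fire(net, c, tj):
    """Successor CS-class C(k+1) obtained by firing tj at Ck."""
    if not firable(net, c, tj):
        raise ValueError(f"{tj} is not firable")
    # Marking after removing input tokens, then after adding output tokens.
    inter = {p: n - net.pre[tj].get(p, 0) for p, n in c.M.items()}
    m2 = dict(inter)
    for p, w in net.post[tj].items():
        m2[p] = m2.get(p, 0) + w
    m2 = {p: n for p, n in m2.items() if n > 0}
    # ST(k+1) = [EFTk(tj), min LFTk(ti) over transitions enabled at Ck].
    st2 = (c.D[tj][0], min(lft for _, lft in c.D.values()))
    en2 = net.enabled(m2)
    # A transition persists if it stayed enabled while tj fired.
    persistent = {t for t in en2
                  if t != tj and t in c.D and t in net.enabled(inter)}
    d2 = {}
    for t in en2:
        if t in persistent:
            d2[t] = (max(c.D[tj][0], c.D[t][0]), c.D[t][1])
        else:                                  # newly enabled: SI + ST(k+1)
            d2[t] = (net.si[t][0] + st2[0], net.si[t][1] + st2[1])
    return CSClass(m2, d2, st2, frozenset(en2 - persistent))


def build_z1():
    # Constructed net (assumption): p1 -t1-> p2, then t2 and t3 compete for p2.
    return TPN(
        pre={"t1": {"p1": 1}, "t2": {"p2": 1}, "t3": {"p2": 1}},
        post={"t1": {"p2": 1}, "t2": {"p3": 1}, "t3": {"p4": 1}},
        si={"t1": (1, 4), "t2": (0, 2), "t3": (3, 6)},
        m0={"p1": 1},
    )


if __name__ == "__main__":
    z1 = build_z1()
    c = fire(z1, z1.initial(), "t1")
    print("class after t1:", c.M, c.D, c.ST)
    print("t3 firable without rule (3):", firable(z1, c, "t3", False))
    print("t3 firable with rule (3):   ", firable(z1, c, "t3"))
    print("t2 firable with rule (3):   ", firable(z1, c, "t2"))
```

Without rule (3) the check accepts t3 because its shifted interval [4, 10] overlaps the window that ends at 6, although t2 must already have fired within 2 time units of becoming enabled.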
Wang et al. [2000a] analyzed the soundness and completeness of the global time interval ST, and proved that a CS-class can be uniquely mapped into a traditional state class presented in Berthomieu and Diaz [1991]. Here the addition of the third condition only avoids wrong transition firing, and cannot change the definition of CS-class. Then we still obtain essentially the same results as those in Wang et al. [2000a], and thus omitted.
In this work, we introduce some related notations to be used later. (Z,) denotes a CS-class that is generated by firing the sequence from the initial CS-class C0 of a TPN Z. (Z,) the global time at which CS-class (Z,) arrives. R (Z,) is a marking set composed of all markings reached in the execution process of sequence . R (Z) is a set of all reachable markings of Z. L (Z) is a sequence set composed of all fired sequences in Z.
Z is live iff t T, M R (Z), there exists M reached from M such that M [t > . A place p P is said to be bounded or K-bounded iff M(p) K for all M R (Z), where K is a positive integer. Z is said to be bounded iff every place in it is bounded. A place is said to be safe iff it is 1-bounded. Z is said to be safe iff every place is 1-bounded. It is noted that the liveness and boundedness of a TPN cannot be equivalent to its untimed counterpart [Berthomieu and Diaz 1991].
Let X P T be a node subset of Z, Z |X denotes a new time Petri net that consists of only elements in X and related arcs, which is a subgraph of Z. Z X is defined as ZX, where X = P T X. All the above notation is applicable to markings and firing sequences. L (Z) |X indicates for every firing sequence of Z, only elements from X are preserved. Similarly, L (Z) X = L (Z) |(TX) .
2.2. Refinement Operation of TPN
Huang et al. [2004] define a type of refinement operations of Petri nets. Here we extend it to TPN.
Definition 4. TPN Z = P, T, F, W, M0, SI is a time Petri net module (module) iff the following conditions hold:
(1) Z has two special places: i and o, where i is an initial (import) place, i.e., i = , o is a terminal (export) place, i.e., o = ;
(2) M0 (i) = 1, M0 (o) = 0, and t / i , M0 [t > holds;
(3) L (Z), where (Z,) = Cf = Mf, Df, STf, satisfying that Mf (o) = 1, Mf (i) = 0, and Mf (p) = M0 (p) for p P {i, o}, and t T, Mf [t > . Mf is called a terminal marking. Moreover, L (Z) and = , where (Z,) = C = M, D, ST, if M (o) 1, then M = Mf.
(4) There are no dead transitions in Z, i.e., t T, there exists a CS-class Ci reached from initial CS-class C0 of Z such that t fires at Ci.
Condition (1) states that a module Z is a kind of time Petri nets with a special structure, i.e., it has one initial place i and terminal one o. If a new transition t is added into Z, and connects with o and i, namely, t = {o}, and t = {i}, then an extended net Z is generated. Condition (2) constrains the initial marking of a module, requiring one token in the initial place and no token in the terminal place, and also requiring that the module execution must begin with the firing of post-set transitions of the initial place, and that other transitions cannot be enabled at M0. Condition (3) indicates that the module can be executed, and terminated, and its terminal marking is marked when the terminal place includes a token. In other words, the execution of a module stops
Fig. 2. Refinement operation of TPN.
as long as a token enters the terminal place. Condition (4) states that any transition can fire in Z.
By replacing a transition of a TPN with a module, we can obtain a new time Petri net. This process is just corresponding to a refinement operation, and its formal definition is given:
Definition 5. Let TPN Z = P, T, F, W, M0, SI, where for tr T, ri = {tr} = ro, |tr| = |tr| = 1, and place ri is safe. Let B = PB, TB; FB, WB, MB0, SIB be a module, the refinement operation of net Z and module B, Z B/tr Z, is implemented by replacing tr in Z with B, and generating a new TPN Z = P, T; F, M0, SI, where:
(1) P = P PB {pi, po} {ri, ro, i, o};
(2) T = T TB {tr};
(3) F = F FB {(pi, x) | x i } {(x, po) | x o } {(x, pi) | x ri } {(po, x) | x ro } (ri, tr), (tr, ro) {(x, ri) | x ri } {(ro, x) | x ro } {(i, x) | x i } {(x, o) | x o };
(4) M0 (p) =
    M0 (ri), p = pi
    M0 (ro), p = po
    M0 (p), p P {ri, ro}
    MB0 (p), p PB {i, o};
(5) SI = SI SIB {SI(tr)}.
Net Z is called a refined TPN, tr a refinement transition, and Z an original net system. Figure 2 shows the refinement process of TPN.
3. BEHAVIOR AND PROPERTY PRESERVATION OF TPN REFINEMENT OPERATION
This section discusses the behavior and property preservation of TPN in the refinement operation. First a sufficient condition of behavior preservation is given, and then property preservation is discussed.
3.1. Behavior Preservation
Definition 6. Let TPN Z = P, T; F, M0, SI be an original net system, Z = P, T; F, M0, SI is a refined TPN by replacing transition tr in Z with module B. Let
Table I. The Description of State Class of Z2
1: $C_{20} = M_{20}, D_{20}, ST_{20}$: $M_{20} = p_1$, $D_{20} = \{D_{20}(t_1) = [3, 3]\}$, $ST_{20} = [0, 0]$
2: $C_{21} = M_{21}, D_{21}, ST_{21}$: $M_{21} = p_2 + p_4$, $D_{21} = \{D_{21}(t_r) = [4, 9], D_{21}(t_3) = [6, 7]\}$, $ST_{21} = [3, 3]$
3: $C_{22} = M_{22}, D_{22}, ST_{22}$: $M_{22} = p_3 + p_4$, $D_{22} = \{D_{22}(t_2) = [5, 8], D_{22}(t_3) = [6, 7]\}$, $ST_{22} = [4, 7]$
4: $C_{23} = M_{23}, D_{23}, ST_{23}$: $M_{23} = p_2 + p_5$, $D_{23} =$ , $ST_{23} = [6, 7]$
5: $C_{24} = M_{24}, D_{24}, ST_{24}$: $M_{24} = p_6$, $D_{24} =$ , $ST_{24} = [5, 7]$
6: $C_{25} = M_{25}, D_{25}, ST_{25}$: $M_{25} = p_3 + p_5$, $D_{25} =$ , $ST_{25} = [6, 7]$
U = T {tr}, if L (Z) |U = L (Z) |U, then the refinement operation EB/tr E satisfies behavior preservation.
THEOREM 1. For any transition firing sequence B L (B) such that MB = Mf, where (B, B) = CB = MB, DB, STB, if STB = SI(tr), then the refinement operation satisfies behavior preservation.
PROOF. See Appendix A.
It is suggested in Theorem 1 that for any transition firing sequence that leads to a terminal marking in module B, if its global execution time is equal to the firing time interval of refined transition tr in the original net Z, then the refined TPN Z generated by replacing tr with B keeps the same behavioral characteristic as that of the original net. This characteristic is very important for real-time system synthesis, modeling, and analysis, because a system synthesis process first should meet system behavior consistency with time constraints, then its property preservation is required [Ding et al. 2008; Jiang et al. 2002]. We will discuss the property preservation in next section.
Example 1. Z2 is an original net system shown in Figure 3(a), tr is a refinement transition, modules B1 and B2 are given in Figure 3(b) and Figure 3(c), respectively. For B1 and B2, their global time intervals are easily computed and equal to [0,2] and [1,6], respectively. Let $Z_2^{B_1}$ ($Z_2^{B_2}$) be a refined TPN by replacing tr in Z2 with B1 (B2), the refinement operation of Z2 B1/tr $Z_2^{B_1}$ (Z2 B2/tr $Z_2^{B_2}$) cannot (can) satisfy the conditions of Theorem 1.
Three state class reachability trees of TPN Z2, $Z_2^{B_1}$, and $Z_2^{B_2}$ are shown in Figure 4(a)-(c), and the description of their state classes is listed in Tables 1-3. Clearly, 21 = t1 t3 is a transition firing sequence of Z2, i.e., 21 L (Z2). However, any transition firing sequences B12 in $Z_2^{B_1}$ cannot satisfy B12 T2 {tr} = 21 because t3 is never firable. Moreover, it is proved easily that L ($Z_2^{B_2}$) T2 {tr} = L (Z2) T2 {tr} .
3.2. Property Preservation
For a refinement operation, if the above criterion of behavior preservation is met, then the following theorem should also hold.
THEOREM 2. If Z is K-bounded, so is Z.
PROOF. For L (Z), according to behavior preservation, there exists U L Z |U, that is L Z, |U = |U holds. Obviously, for p P {ri, ro}, M(p) = M (p) K holds, where (Z,) = M, D, ST, and (Z,) = M, D, ST. Furthermore, according to Definition 5, we know M(ri) 1 and M(ro) 1. Therefore, p P, M(p) K holds, that is, Z is K-bounded.
Fig. 3. TPN model.
Fig. 4. State class reachability trees of TPNs Z2, $Z_2^{B_1}$ and $Z_2^{B_2}$.
THEOREM 3. If Z and B are bounded, so is Z.
PROOF. Let original net Z and module B be K-bounded and KB-bounded respectively, and then the extended net B of module B is also KB-bounded. L Z, according to behavior preservation, we know |U L (Z) |U, namely, L (Z), |U = |U holds. Suppose that (Z,) = M, D, ST, and (Z,) = M, D, ST. Then p P {ri, ro}, M (p) = M(p) K holds. Following Theorem 1, there exists
Fig. 5. TPN models of a real-time manufacture process.
Fig. 6. Refined TPN model Z of a real-time manufacture process.
B L B, where (B, B) = MB, DB, STB, such that M (p) = MB (p), where p PB {i, o}. It is obvious that M(pi) MB (i) KB, and M (po) MB (o) KB. Therefore, p P, M (p) max{K, KB} holds, and thus Z is bounded.
THEOREM 4. If Z is live, so is Z.
PROOF. Let L (Z), follow the behavior preservation, U L Z |U holds, i.e., L Z, such that |U = |U. Since Z is live, t T, there is a sequence 1 composed of elements in T, 1 t L Z holds. Moreover, from behavior preservation, we know that 1 t |U L (Z) |U holds. According to the proof of Theorem 1, we know that there exists a sequence 1 composed of elements in T, satisfying 1 |U = 1 |U, and 1 t L (Z). Therefore, Z is live.
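Table II. The Description of State Class of $Z_2^{B_1}$
1: $C^{B_1}_{20} = M^{B_1}_{20}, D^{B_1}_{20}, ST^{B_1}_{20}$: $M^{B_1}_{20} = p_1$, $D^{B_1}_{20} = \{D^{B_1}_{20}(t_1) = [3, 3]\}$, $ST^{B_1}_{20} = [0, 0]$
2: $C^{B_1}_{21} = M^{B_1}_{21}, D^{B_1}_{21}, ST^{B_1}_{21}$: $M^{B_1}_{21} = p_{11} + p_4$, $D^{B_1}_{21} = \{D^{B_1}_{21}(t_{11}) = [3, 4], D^{B_1}_{21}(t_3) = [6, 7]\}$, $ST^{B_1}_{21} = [3, 3]$
3: $C^{B_1}_{22} = M^{B_1}_{22}, D^{B_1}_{22}, ST^{B_1}_{22}$: $M^{B_1}_{22} = p_{12} + p_4$, $D^{B_1}_{22} = \{D^{B_1}_{22}(t_{12}) = [3, 4], D^{B_1}_{22}(t_3) = [6, 7]\}$, $ST^{B_1}_{22} = [3, 4]$
4: $C^{B_1}_{23} = M^{B_1}_{23}, D^{B_1}_{23}, ST^{B_1}_{23}$: $M^{B_1}_{23} = p_{13} + p_4$, $D^{B_1}_{23} = \{D^{B_1}_{23}(t_2) = [4, 5], D^{B_1}_{23}(t_3) = [6, 7]\}$, $ST^{B_1}_{23} = [3, 4]$
5: $C^{B_1}_{24} = M^{B_1}_{24}, D^{B_1}_{24}, ST^{B_1}_{24}$: $M^{B_1}_{24} = p_6$, $D^{B_1}_{24} =$ , $ST^{B_1}_{24} = [4, 5]$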
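Table III. The Description of State Class of $Z_2^{B_2}$
1: $C^{B_2}_{20} = M^{B_2}_{20}, D^{B_2}_{20}, ST^{B_2}_{20}$: $M^{B_2}_{20} = p_1$, $D^{B_1}_{20} = \{D^{B_1}_{20}(t_1) = [3, 3]\}$, $ST^{B_2}_{20} = [0, 0]$
2: $C^{B_2}_{21} = M^{B_2}_{21}, D^{B_2}_{21}, ST^{B_2}_{21}$: $M^{B_2}_{21} = p_{11} + p_4$, $D^{B_2}_{21} = \{D^{B_2}_{21}(t_{11}) = [3, 4], D^{B_2}_{21}(t_3) = [6, 7]\}$, $ST^{B_1}_{21} = [3, 3]$
3: $C^{B_2}_{22} = M^{B_2}_{22}, D^{B_2}_{22}, ST^{B_2}_{22}$: $M^{B_2}_{22} = p_{12} + p_4$, $D^{B_2}_{22} = \{D^{B_2}_{22}(t_{12}) = [4, 9], D^{B_2}_{22}(t_3) = [6, 7]\}$, $ST^{B_2}_{22} = [3, 4]$
4: $C^{B_2}_{23} = M^{B_2}_{23}, D^{B_2}_{23}, ST^{B_2}_{23}$: $M^{B_2}_{23} = p_{13} + p_4$, $D^{B_2}_{23} = \{D^{B_2}_{23}(t_2) = [5, 8], D^{B_2}_{23}(t_3) = [6, 7]\}$, $ST^{B_2}_{23} = [4, 7]$
5: $C^{B_2}_{24} = M^{B_2}_{24}, D^{B_2}_{24}, ST^{B_2}_{24}$: $M^{B_2}_{24} = p_{12} + p_5$, $D^{B_2}_{24} =$ , $ST^{B_2}_{24} = [6, 7]$
6: $C^{B_2}_{25} = M^{B_2}_{25}, D^{B_2}_{25}, ST^{B_2}_{25}$: $M^{B_2}_{25} = p_6$, $D^{B_2}_{25} =$ , $ST^{B_2}_{23} = [5, 7]$
7: $C^{B_2}_{26} = M^{B_2}_{26}, D^{B_2}_{26}, ST^{B_2}_{26}$: $M^{B_2}_{26} = p_{13} + p_5$, $D^{B_2}_{26} =$ , $ST^{B_2}_{26} = [6, 7]$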
THEOREM 5. If Z and B are live, so is Z.
PROOF. Let L Z, and (Z,) = M, D, ST. According to behavior preservation, |U L (Z) |U holds, i.e., L (Z), such that |U = |U. t T, two cases t T {tr}, and t TB are considered.
Case 1. If t T {tr}, since Z is live, there exists a sequence 1 composed of elements in T, such that 1 t L (Z). If 1 does not include tr, then 1 t L Z holds. Otherwise, suppose that 1 = 1tr2tr trn1trn, where sequence i is composed of elements in T {tr}. Following the proof of Theorem 1, the ith occurrence of tr can be simulated by sequence Bi, where B1 tB0 B2 tB0 tB0 Bn L B and tB0 is an additional transition in B. Thus we can construct a corresponding sequence 1 composed of elements in T, such that 1 |U = 1 |U and 1 t L Z. Therefore, t is live in Z.
Case 2. If t TB, according to the proof of Theorem 1, we know that B L B, (B, B) = MB, DB, STB, such that p PB {i, o}, M (p) = MB (p) holds. (1) if MB = MB0, i.e., B is in the state of the initial marking, then from the liveness of Z, we know that there exists a sequence 1 composed of elements in T, such that 1 L Z and M1 (p) = MB (p) for p PB, where (Z, 1) = M1, D1, ST1, i.e., M1(pi) = 1. Since B is live, there exists a sequence B1 composed of transitions in B, such that B B1 t L B. Suppose that there is no additional transition tB0 in B1, then we can
Algorithm 1: A reachability decidability algorithm of refined TPN
Input: reachability tree RT(Z, C0) and RT(B, CB0), marking Md, time d
Output: a Boolean variable Exist
Exist False; ZS ; BS ;
Md Md P {ri, ro}; MBd Md PB {i, o};
Traverse tree RT(Z, C0), find all possible states C = M, D, ST satisfying M P {ri, ro} = Md and LB d RB, and then record them into a set ZS.
IF ZS = THEN{
  Traverse tree R(B, CB0), find all possible states CB = MB, DB, STB satisfying MB PB {i, o} = MBd, then orderly record them into a set BS.
  IF BS = THEN{
    FOR every element C = M, D, ST in the set ZS DO{
      Compute sequence satisfying (Z,) = C;
      IF there is no marking in enabling tr, THEN{
        IF CB BS, such that MB = MB0 THEN Exist True;
      ELSEIF tr cannot be enabled any more after post-set element of ro during fires for the last time, THEN
        IF CB BS, such that MB = MB0 THEN Exist True;
      ELSE{
        Take the beginning state of tr enabled at the last time during, Ci = Mi, Di, STi, where STi = [LBi, RBi];
        IF CB BS, such that LBi + LBB d RBi + RBB THEN Exist True}}}}
directly get the result: 1 B1 t L Z. If there is an additional transition tB0 in B1, obviously, firing of tB0 will result in that tokens in place o transfer into place i. Since Z is live, for every time of transition tB0 appearing in B1, there always exists a sequence i composed of elements in T to transfer token in po into pi. In this way, a new sequence 2 is generated, such that 1 2 L Z, and t can fire at (Z, 1 2). (2) if MB = MB0, that is, at this time B is not in the state of the initial marking, then according to liveness of B, there exists a sequence B1, such that B B1 t L B. In the same way as (1), after considering different cases of B1, we conclude that there exists 2, such that 2 t L Z. Therefore, t is live in Z.
On the ground of behavior preservation, the refinement operation of TPN can also preserve boundedness and liveness. These results are useful for analyzing and verifying large complex systems. By analyzing and verifying the relatively smaller models, we can derive the properties of a complex one, thereby alleviating the state space explosion problem and reducing the analysis complexity.
4. REACHABILITY OF REFINED TPN
Based on behavior preservation, the reachability problem of a refined TPN can be solved by the reachability tree of its original net and module, i.e., given marking
Md and time d, the problem is whether there exists a reachable state of Z, C = M, D, ST, such that M = Md and LB d RB. To solve this problem, we introduce two sets ZS and BS to store useful information respectively. In detail, ZS is a set composed of some states C = M, D, ST of Z such that M P {ri, ro} = Md P {ri, ro} and LB d RB, and BS a set composed of some states CB = MB, DB, STB of B such that MB PB {i, o} = MBd. The reachability decidability algorithm is given as follows:
This algorithm is based on the behavior preservation of a refinement operation,which ensures that there is a corresponding relationship between the original andrefined nets, and also the relationship meets the same time constraint. Consequently,for the decided marking, according to a given marking arrival time, find its matchingstates in the reachability tree of Z, record them in the set ZS, in a similar way, find itsmatching states in the reachability tree ofB, record them in the set BS. Because thereis a corresponding relationship between a firing sequence of the original net and thatof refined net, the firing sequence of every state in ZS is found and discussed withthe following two cases.
(1) If tr cannot be enabled at all reachability states in , similar to Case 1 in Theorem 1's proof, it is suggested that t TB, t cannot fire in Z. Therefore, if the initial marking of B is in BS, then it can be ensured that marking Md can be reachable with a given time d in Z.
(2) If there exists a reachability state in sequence that can enable tr, then two different subcases are as follows.
(2.1) After post-set elements of place ro fire at the last time, tr cannot be enabled any more at any possible reachability state, which is similar to the third case in Theorem 1's proof, and, hence, all the firing of tr has been finished. At this time, B is executed in Z, then enters a terminal state, and is waiting for the next execution, that is, it corresponds to the first case;
(2.2) Otherwise, the case is similar to Cases 2 and 4 in Theorem 1's proof. Determine the beginning state of tr enabled at the last time during . According to its global arriving time interval, for its corresponding state in BS, calculate the global arriving time interval in Z. If the given time condition is met, then the decided marking is reachable at the given time.
In a way similar to the proof of Theorem 1, the correctness of the algorithm can be proved.
Suppose that the number of CS-classes in reachability trees of Z and B is m and n respectively, where m, n > 1. First, at most m + n comparisons are needed to determine the elements of sets ZS and BS by traversing the reachability trees of Z and B respectively. Second, a firing sequence that leads to a CS-class C is only determined by a path from root node to node C. Clearly, finding all paths from a root node to other nodes in the reachability tree of Z needs at most m^2 iterations. Finally, for every element in ZS, we need to check all elements in BS to determine whether there exists a solution. Thus there are at most m n iterations for all checking work. Therefore, the worst case computational complexity of this algorithm is O(max(m^2, m n)).
5. A CASE STUDY
In this section, the above refinement operation method of TPN is applied to the design, modeling and analysis of a real-time manufacturing process. A component is assembled from two parts, A and B, each of which must be processed. The assembly process is carried out after both are completed. Part A must visit machine 1, then machine 2, and both machines 1 and 2 need tool 1. Part B is processed by a processing subsystem. It is first processed on machine 3. Then it has alternative routes, that is, either on machine 5, and then on machine 6, or on machine 4. Machines 3, 4, and 5 need tool 2. Moreover, parts are transferred via a conveyor.
Fig. 7. State class reachability trees of TPNs.
According to the above system description, we design a TPN model Z given in Figure 5(a) and a module B for Part B's processing subsystem shown in Figure 5(b). The meanings of their places and transitions are described in Table 4. Every transition is associated with a time interval as shown in Figure 2, which stands for execution time of its corresponding process as shown in Figure 5.
Module B conforms to the definition of a TPN module, and it is easy to verify that place ri is safe in model Z. With the refinement operation of TPN presented, tr in Z is replaced with module B, resulting in a final TPN Z as shown in Figure 6.
Two state class reachability trees of TPN Z and B are respectively shown in Figure 7(a) and Figure 7(b), and the specific description of state classes is in Table V. The markings of state classes C23 and C26 stand for terminal markings of module B, and their corresponding global time intervals meet ST23 = ST26 = SI(tr). Thus the conditions in Theorem 1 are met. Therefore, we have the result that refinement operation of ZB/tr Z satisfies behavior preservation.
According to reachability trees in Figure 7, we know that both Z and B are bounded. Hence, following Theorem 3, we know that Z is also bounded. Model Z represents one process in the whole system. If places p6 and p1 are connected by a transition with firing time interval [0,0], we obtain an extended net Z of net Z that represents continuous execution of the manufacturing process. It is easy to verify that Z is live, and also extended net B is live. Hence, following Theorem 5, extended refined net Z is also live.
Furthermore, based on the behavior preservation, we can decide the reachability of refined Petri net Z. Suppose that the problem is whether there exists marking M = p4 + p8 + p14 + p16 at the time = 42, that is, at the time of 42, has part A been transferred to machine 2 by the conveyor? At the same time, has part B been finished by machine 5, and is it waiting for its transfer to machine 6?
Table IV. Meanings of Places and Transitions in Figure 5
Element | Meaning | Element | Meaning
p1 | start a process | ri | part B entering the processing subsystem
p2 | part A on machine 1 | ro | finish processing subsystem, and wait for assembly
p3 | finish processing on machine 1, and wait for transfer | i | Start processing of part B
p4 | part A on machine 2 | o | finish processing of part B
p5 | finish processing on machine 2, and wait for assembly | t1 | transfer a part
p6 | finish a process | t2 | process on machine 1
p7 | tool 1 available for machine 1 | t3 | transfer part A by conveyor
p8 | tool 1 available for machine 2 | t4 | process on machine 2
p11 | part B on machine 3 (Figure 3) | t5 | assemble part A and part B
p12 | finish processing on machine 3, and wait for transfer | t11 | process on machine 3
p13 | part B on machine 4 or machine 5 | t12 | transfer part B by conveyor
p14 | finish processing on machine 5, and wait for transfer | t13 | process on machine 4
p15 | part B on machine 6 | t14 | process on machine 5
p16 | tool 2 available for machine 3 | t15 | transfer part B by conveyor
p17 | tool 2 available for machines 4 and 5 | t16 | process on machine 6
p18 | finish processing of part B, and wait for assembly (Figure 3) | tr | process subsystem
To solve this problem, the above reachability decidability algorithm is applied. First, M = MP {ri, ro} = p4 + p8, and MB = M PB {i, o} = p14 + p16. There are C9, C12, and C13 in the reachability tree RTZ, C0 satisfying M9 P {ri, ro} = M, ST9, M12 P {ri, ro} = M, ST12, and M13 P {ri, ro} = M, ST13. Then there is C24 in the reachability tree RTB, C20 satisfying M24 PB {i, o} = MB.
For C9, = t1t2trt3 is a corresponding firing sequence such that (E,) = C9. Then it is determined that tr begins to be enabled at C1 with global time interval ST1 = [3, 5] before its firing in . Hence, arriving time interval of C24 in Z is ST1 + ST24 = [33, 43]. It is obvious that ST1 + ST24. Thus there exists a firing sequence in Z that can arrive at M at time .
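The interval test used in this case study and described in subcase (2.2) can be scripted from Table V. The following Python sketch is an added example, not code from the paper: the function names are hypothetical, markings are treated as sets of places, the time condition on a state class is read as LB <= time <= RB, and the path C0, C1, C7, C8, C9 for the firing sequence t1 t2 tr t3 is an assumption inferred from the markings in Table V because Figure 7 is not reproduced here.

```python
from typing import NamedTuple

class StateClass(NamedTuple):
    name: str
    marking: frozenset  # marked places (at most one token per place in Table V)
    enabled: frozenset  # transitions that have a firing interval in D
    st: tuple           # global time interval ST = (LB, RB)

def sc(name, marking, enabled, st):
    return StateClass(name, frozenset(marking.split("+")),
                      frozenset(enabled.split()), st)

# Subset of Table V for Z: the classes on the queried path plus every class
# whose marking contains p4 + p8. Values are copied as printed in the table.
Z_TREE = {c.name: c for c in (
    sc("C0", "p1+p7", "t1", (0, 0)),
    sc("C1", "p2+p7+ri", "t2 tr", (3, 5)),
    sc("C4", "p4+p8+ro", "t4", (43, 48)),
    sc("C7", "p3+p8+ri", "t3 tr", (33, 45)),
    sc("C8", "p3+p8+ro", "t3", (40, 45)),
    sc("C9", "p4+p8+ro", "t3", (40, 48)),
    sc("C12", "p4+p8+ri", "t4 tr", (36, 48)),
    sc("C13", "p4+p8+ro", "t4", (40, 51)),
)}
# Subset of Table V for module B.
B_TREE = {c.name: c for c in (
    sc("C20", "i+p16", "t11", (0, 0)),
    sc("C22", "p13+p17", "t13 t14", (19, 20)),
    sc("C24", "p14+p16", "t15", (30, 38)),
    sc("C26", "o+p16", "", (37, 46)),
)}
Z_INTERFACE = frozenset({"ri", "ro"})
B_INTERFACE = frozenset({"i", "o"})

def matching(tree, target, interface, time=None):
    """Names of classes whose marking without the interface places equals
    target; if time is given it must also lie inside the class's ST."""
    return [c.name for c in tree.values()
            if c.marking - interface == target
            and (time is None or c.st[0] <= time <= c.st[1])]

def last_enabling(path, t):
    """Class on path at which t most recently went from disabled to enabled."""
    start, was_enabled = None, False
    for name in path:
        now_enabled = t in Z_TREE[name].enabled
        if now_enabled and not was_enabled:
            start = name
        was_enabled = now_enabled
    return start

def arrival_interval(path, b_name, t="tr"):
    """ST of the class where t became enabled, shifted by the module class's ST."""
    start = last_enabling(path, t)
    if start is None:
        return None  # t never enabled on this path: subcase (2.2) does not apply
    (lo_z, hi_z), (lo_b, hi_b) = Z_TREE[start].st, B_TREE[b_name].st
    return (lo_z + lo_b, hi_z + hi_b)

def reachable_at(path, b_name, time):
    interval = arrival_interval(path, b_name)
    return interval is not None and interval[0] <= time <= interval[1]

# Assumed path for the firing sequence t1 t2 tr t3 (inferred from Table V).
PATH_C9 = ["C0", "C1", "C7", "C8", "C9"]

if __name__ == "__main__":
    print("ZS:", matching(Z_TREE, frozenset({"p4", "p8"}), Z_INTERFACE, time=42))
    print("BS:", matching(B_TREE, frozenset({"p14", "p16"}), B_INTERFACE))
    print("interval:", arrival_interval(PATH_C9, "C24"),
          "reachable at 42:", reachable_at(PATH_C9, "C24", 42))
```

Class C4 also carries p4 + p8 but is dropped from ZS by the time filter, since 42 lies outside ST4 = [43, 48].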
6. CONCLUSIONS
By replacing a transition or place in an original net with a subnet, the refinement operation of Petri nets implements the process of stepwise refinement of a Petri net model, which well supports a top-down design method. Based on the idea of divide and conquer, the property preservation of a refinement operation is helpful for decreasing analysis complexity and alleviating a state explosion problem. This article mainly presents the following work.
(1) It defines a type of refinement operations for time Petri nets. This simple structured model can well support refinement design and modeling of real-time systems, such as workflow [Li et al. 2003, 2004; Van der Aalst 2000], command and control systems [Wang et al. 2000], embedded systems [Cho et al. 2010; Hu et al. 2009] and manufacturing systems [Fanti and Zhou et al. 2004; Hu and Li 2009b; Jeng et al. 2004; Lee et al. 2007; Zhou et al. 1992, 1993].
Table V. The Description of State Class
C0 = M0,D0,ST0: M0 = p1 + p7, D0 = {D0(t1) = [3, 5]}, ST0 = [0, 0]
C1 = M1,D1,ST1: M1 = p2 + p7 + ri, D1 = {D1(t2) = [33, 45], D1(tr) = [40, 51]}, ST1 = [3, 5]
C2 = M2,D2,ST2: M2 = p2 + p7 + ro, D2 = {D2(t2) = [40, 45]}, ST2 = [40, 45]
C3 = M3,D3,ST3: M3 = p3 + p8 + ro, D3 = {D3(t3) = [43, 48]}, ST3 = [40, 45]
C4 = M4,D4,ST4: M4 = p4 + p8 + ro, D4 = {D4(t4) = [55, 68]}, ST4 = [43, 48]
C5 = M5,D5,ST5: M5 = p5 + p7 + ro, D5 = {D5(t5) = [67, 83]}, ST5 = [55, 68]
C6 = M6,D6,ST6: M6 = p6 + p7, D5 = , ST6 = [67, 83]
C7 = M7,D7,ST7: M7 = p3 + p8 + ri, D7 = {D7(t3) = [36, 48], D7(tr) = [40, 51]}, ST7 = [33, 45]
C8 = M8,D8,ST8: M8 = p3 + p8 + ro, D8 = {D8(t3) = [40, 48]}, ST8 = [40, 45]
C9 = M9,D9,ST9: M9 = p4 + p8 + ro, D9 = {D9(t3) = [52, 68]}, ST9 = [40, 48]
C10 = M10,D10,ST10: M10 = p5 + p7 + ro, D10 = {D10(t5) = [64, 83]}, ST10 = [52, 68]
C11 = M11,D11,ST11: M11 = p6 + p7, D11 = , ST10 = [64, 83]
C12 = M12,D12,ST12: M12 = p4 + p8 + ri, D12 = {D12(t4) = [48, 68], D12(tr) = [40, 51]}, ST12 = [36, 48]
C13 = M13,D13,ST13: M13 = p4 + p8 + ro, D13 = {D13(t4) = [48, 68]}, ST13 = [40, 51]
C14 = M14,D14,ST14: M14 = p5 + p7 + ro, D14 = {D14(t5) = [60, 83]}, ST14 = [48, 68]
C15 = M15,D15,ST15: M15 = p6 + p7, D15 = , ST14 = [60, 83]
C16 = M16,D16,ST16: M16 = p5 + p7 + ri, D16 = {D16(tr) = [48, 51]}, ST16 = [48, 51]
C17 = M17,D17,ST17: M17 = p5 + p7 + ro, D17 = {D17(t5) = [60, 71]}, ST17 = [48, 51]
C18 = M18,D18,ST18: M18 = p6 + p7, D18 = , ST18 = [60, 71]
C20 = M20,D20,ST20: M20 = i + p16, D20 = {D20(t11) = [16, 17]}, ST20 = [0, 0]
C21 = M21,D21,ST21: M21 = p12 + p17, D21 = {D21(t12) = [19, 20]}, ST21 = [16, 17]
C22 = M22,D22,ST22: M22 = p13 + p17, D22 = {D22(t13) = [37, 46], D22(t14) = [30, 38]}, ST22 = [19, 20]
C23 = M23,D23,ST23: M23 = o + p16, D22 = , ST23 = [37, 46]
C24 = M24,D24,ST24: M24 = p14 + p16, D24 = {D24(t15) = [33, 41]}, ST24 = [30, 38]
C25 = M25,D25,ST25: M25 = p15 + p16, D25 = {D25(t16) = [37, 46]}, ST24 = [33, 41]
C26 = M26,D26,ST26: M26 = o + p16, D26 = , ST26 = [37, 46]
(2) It investigates behavior and property preservation of the refinement operation, and establishes the corresponding preservation conditions, which provide theoretical support for system behavior analysis and property verification.
(3) It develops a reachability decidability algorithm. With this algorithm, the reachability of a refined TPN can be decided according to the reachability trees of the original net and modules. It is unnecessary to generate the whole reachability tree of the refined TPN. Therefore, by this method, the burden to solve the state space explosion problem can be effectively reduced. This is very helpful for state identification and model checking of complex systems.
Additional properties, such as reversibility and fairness, that support the qualitative analysis of complex systems need to be discussed. Moreover, based on the refinement operation, quantitative analysis of complex systems such as turnaround time and throughput is another research direction. The safeness of the input place of the refined transition can be a major limitation in some real-time systems. The extension to more general cases requires additional work.
APPENDIX A
PROOF OF THEOREM 1. To prove LZ |U = L (Z) |U, we need to prove that LZ |U L (Z) |U and L (Z) |U LZ |U.
We first prove that LZ |U L (Z) |U. For 1 LZ |U, let LZ, where |U = 1. We break our proof into four cases.
Case 1. For M RZ, , M pi = 0 holds, that is, place pi receives no token during the execution of sequence . According to the definition of module B, it is obvious that t TB, it cannot be enabled at reachability states during sequence . Therefore, 1 = holds, and according to the definition of refinement operation, L (Z) holds. Similarly, transition tr cannot fire during sequence because it cannot be enabled, so |U = holds, that is L (Z) |U, consequently, 1 L (Z) |U holds.
Case 2. There exists only marking M1 RZ, such that M1 pi = 1, and M RZ, , M (po) = 0 holds, namely, during sequence place pi received tokens, but place po receives no token. Let = 11 12, where 11 is the shortest prefix of , satisfying Z, 11 = C11 = M11,D11,ST11, and M11 pi = 1. According to Case 1, 11 L (Z) |U holds. Obviously, 12 is composed of transitions in B and Z, and according to the definition of the refinement operation, we know that transitions in B and transitions in Z execute concurrently during 12, therefore 11 12 |U L (Z) holds, that is, 1 = 11 12 |U L (Z) |U holds. So 1 L (Z) |U holds.
Case 3. There exists only markings M1 RZ, M2 RZ, such that M1 pi = 1 (M2 (po) = 1), that is, both places pi and po received tokens during the execution of sequence . Let = 11 12 13, where 11 is the shortest prefix of , satisfying Z,11 = C11 = M11,D11,ST11, and M11 pi = 1. 11 12 is also the shortest prefix of , satisfying Z,12 = C12 = M12,D12,ST12, and M12 (po) = 1. Similarly with Case 2, 11 12 |U L (Z) holds. Suppose that 11 = Z,11, 12 = Z,12, and B,12 TB = CB = Mf,DB,STB, then LBB 12 11 RBB holds, where STB = LBB,RBB. According to the condition given in Theorem 1, we have LBB = SEFT(tr). Therefore tr can fire at time 12 in the original net Z, namely, 11 12 |U tr L (Z) holds. Moreover, in the same way, 13 also can fire at state E,11 12 |U tr. Consequently, 11 12 |U tr 13 L (Z) holds, that is, 11 12 |U 13 = 1 L (Z) |U holds.
Case 4. General case. Suppose that during sequence , pi received k1 tokens, while place po received k2 tokens. From the definition of module, we know that k1 = k2, or k1 = k2 + 1. And for the above three cases, k1 = k2 = 0, k1 = 1 k2 = 0, and k1 = k2 = 1 hold respectively. Since the firing of TPN transitions is only related with a local time, repeat the proofs of Case 2 and Case 3, we have the conclusion that for 1 L Z |U, 1 L (Z) |U holds.
Next, we prove L (Z) |U LZ |U. For 1 L (Z) |U, let L (Z), where |U = 1. We break our proof into four cases.
Case 1. For M R (Z,), M ri = 0 holds, that is, place ri receives no token during the execution of sequence . Obviously, there is no transition tr in , thus = 1. And according to the definition of the refinement operation, we know that LZ. Therefore, 1 LZ |U holds.
Case 2. There exists only marking M1 R (Z,), such that M1 ri = 1, and M R (Z,), M(ro) = 0 holds, that is, during sequence place ri received tokens, but place ro receives no token. It is obvious that there is no transition tr in sequence ; otherwise, firing tr would consequentially result in a token in ro. In the same way with Case 1, 1 LZ |U holds.
Case 3. There exists only markings M1 R (Z,) and M2 R (Z,) such that M1 ri = 1 and M2 (ro) = 1 respectively, that is, both place ri and place ro received tokens during the execution of sequence . Let = 11 12 13, where 11 is the shortest prefix of , satisfying (Z,11) = C11 = M11,D11,ST11, M11 ri = 1, and 11 12 also the shortest prefix of , satisfying (Z,12) = C12 = M12,D12,ST12, M12 (ro) = 1. Similarly with Case 2, 11 LZ holds. Moreover, we know that there exists a sequence 11 1 LZ, satisfying 1 |U = 121, and 1 TB = B, where B,B = CB = Mf,DB,STB. Suppose that 12 = 121 tr, (Z,11) = 11 and (Z,12) = 12. Since place pi received a token at time 11 during sequence 11 in net Z, according to the definition of the module, there must be a transition ti pi that can fire due to SEFT ti SEFT(tr). Because the firing of sequence 121 has no effect on the execution of the module in Z, after firing ti, there must exist tj TB that can fire. Following this way, we can generate the execution sequence B of the module. According to the condition in Theorem 1, STB = SI(tr), we can suppose that Z,11 1 = 12. Therefore, 13 also can fire at state Z,11 1, and 11 1 13 LZ holds, that is, 11 1 13 |U = 1 LZ |U holds.
Case 4. General case. Suppose that during sequence , place ri received k1 tokens and ro received k2 tokens. Then repeat the proofs of Case 2 and Case 3, Case 4 can be proved.
To sum up, LZ |U = L (Z) |U holds.
REFERENCES
Berthomieu, B. and Diaz, M. 1991. Modeling and verification of time dependent systems using time Petri nets. IEEE Trans. Softw. Engin. 17, 259-273.
Berthomieu, B., Lime, D., Roux, O. H., and Vernadat, F. 2007. Reachability problems and abstract state spaces for time Petri Nets with stopwatches. J. Discrete Event Dyn. Syst. Theory Appl. 17, 133-158.
Cho, H., Ravindran, B., and Jensen, E. D. 2010. Lock-free synchronization for dynamic embedded real-time systems. ACM Trans. Embed. Comput. Syst. 9, 1-28.
Ding, Z. J., Jiang, C. J., Zhou, M. C., and Zhang, Y. Y. 2008. Preserving languages and properties in stepwise refinement-based synthesis of Petri nets. IEEE Trans. Syst. Man Cybern. Part A 38, 791-801.
Ding, Z. J., Zhang, Y. Y., Jiang, C. J., and Zhang, Z. H. 2007. Refinement of Petri nets in workflow integration. In Proceedings of the 10th International Conference Computer Supported Cooperative Work in Design, Lecture Notes in Computer Science, vol. 4402, 667-678.
Fanti, M. P. and Zhou, M. C. 2004. Deadlock control methods in automated manufacturing systems. IEEE Trans. Syst. Man Cybern. Part A 34, 5-22.
Felder, M., Gargantini, A., and Morzenti, A. 1998. A Theory of implementation and refinement in timed Petri nets. Theor. Comput. Sci. 202, 127-161.
Girault, C. and Valk, R. 2003. Petri Nets for Systems Engineering: A Guide to Modeling, Verification, and Applications. Springer.
Gurovic, D., Fengler, W., and Nutzel, J. 2000. Development of real-time system specifications through the refinement of duration interval Petri nets. In Proceedings of IEEE International Conference on Systems, Man, and Cybernetics. 3093-3098.
Hruz, B. and Zhou, M. C. 2007. Modeling and Control of Discrete Event Dynamic Systems. Springer.
Hu, H. S. and Li, Z. W. 2009a. Modeling and scheduling for manufacturing grid workflows using timed Petri nets. Int. J. Adv. Manuf. Technol. 42, 553-568.
Hu, H. S. and Li, Z. W. 2009b. Clarification on the computation of liveness-enforcing supervisor for resource allocation systems with uncontrollable behavior and forbidden states. IEEE Trans. Autom. Sci. Eng. 6, 557-558.
Hu, H. S., Zhou, M. C., and Li, Z. W. 2009. Liveness enforcing supervision of video streaming systems using non-sequential Petri nets. IEEE Trans. Multimedia 11, 1457-1465.
Huang, H. J., Cheung, T. Y., and Mak, W. M. 2004. Structure and behavior preservation by Petri-net-based refinements in system design. Theor. Comput. Sci. 328, 245-269.
Jeng, M. D., Xie, X. L., and Chung, S. L. 2004. ERCN* merged nets for modeling degraded behavior and parallel processes in semiconductor manufacturing systems. IEEE Trans. Syst. Man Cybern. Part A 34, 102-112.
Jiang, C. J., Wang, H. Q., and Liao, S. Y. 2002. Behavior relativity of Petri nets. J. Comput. Sci. Techn. 17, 770-780.
Lee, J. S., Zhou, M. C., and Hsu, P. L. 2007. A Petri-net approach to modular supervision with conflict resolution for semiconductor manufacturing systems. IEEE Trans. Autom. Sci. Eng. 4, 584-588.
Li, J., Fan, Y. S., and Zhou, M. C. 2003. Timing constraint workflow nets for workflow analysis. IEEE Trans. Syst. Man Cybern. Part A 33, 179-193.
Li, J., Fan, Y. S., and Zhou, M. C. 2004. Performance modeling and analysis of workflow. IEEE Trans. Syst. Man Cybern. Part A 34, 229-242.
Li, Z. W. and Zhou, M. C. 2009. Deadlock Resolution in Automated Manufacturing Systems: A Novel Petri Net Approach. Springer.
Liu, T., Lin, C., and Liu, W. D. 2002. Linear temporal inference of workflow management system based on timed Petri net models. Acta Electronica Sinica 30, 245-248. (in Chinese)
Merlin, P. and Farber, D. 1976. Recoverability of communication protocols - Implication of a theoretical study. IEEE Trans. Commun. 24, 1036-1043.
Molloy, M. K. 1982. Performance analysis using stochastic Petri nets. IEEE Trans. Comput. 31, 913-917.
Murata, T. 1989. Petri nets: Properties, analysis and applications. Proc. IEEE, 541-580.
Suzuki, I. and Murata, T. 1983. A method for stepwise refinement and abstraction of Petri nets. J. Comput. Syst. Sci. 27, 51-76.
Tang, D. and Liu, D. N. 2006. Method of reachability analysis in HTPN based workflow model. Comput. Integr. Manuf. Syst. 12, 487-493. (in Chinese)
Valette, R. 1979. Analysis of Petri nets by stepwise refinements. J. Comput. Syst. Sci. 18, 35-46.
van der Aalst, W. M. P. 2000. Workflow verification: Finding control-flow errors using Petri-net-based techniques. In Proceedings of the International Workshop on Types for Proofs and Programs. Lecture Notes in Computer Science 806, 161-183.
Wang, J. C., Deng, Y., and Xu, G. 2000a. Reachability analysis of real-time systems using time Petri nets. IEEE Trans. Syst. Man Cybern. Part B 30, 725-736.
Wang, J. C., Deng, Y., and Zhou, M. C. 2000b. Compositional time Petri nets and reduction rules. IEEE Trans. Syst. Man Cybern. Part B 30, 562-572.
Zhou, M. C. and Venkatesh, K. 1998. Modeling, Simulation and Control of Flexible Manufacturing Systems: A Petri Net Approach. World Scientific, Singapore.
Zhou, M. C., Dicesare, F., and Desrochers, A. 1992. A hybrid methodology for synthesis of Petri nets for manufacturing systems. IEEE Trans. Rob. Autom. 8, 350-361.
Zhou, M. C., McDermott, K., and Patel, P. A. 1993. Petri net synthesis and analysis of a flexible manufacturing system cell. IEEE Trans. Syst. Man Cybern. 23, 523-531.
Zuberek, W. M. 1991. Timed Petri nets: Definitions, properties, and applications. Microelectron. Reliab. 31, 627-644.
Received March 2010; accepted July 2010