
  • 7/30/2019 Design, Analysis and Verification of Real-Time Systems Based on Time


Design, Analysis and Verification of Real-Time Systems Based on Time Petri Net Refinement

ZHIJUN DING and CHANGJUN JIANG, Key Laboratory of Embedded System and Service Computing, Ministry of Education, Tongji University, China

    MENGCHU ZHOU, New Jersey Institute of Technology

A type of refinement operation of time Petri nets is presented for the design, analysis and verification of complex real-time systems. First, behavior preservation is studied under time constraints in a refinement operation, and a sufficient condition for behavior preservation is obtained. Then, property preservation is considered, and the results indicate that if the refinement operation of time Petri nets satisfies behavior preservation, it also preserves properties such as boundedness and liveness. Finally, based on behavior preservation, a reachability decidability algorithm for a refined time Petri net is designed using the reachability trees of its original net and subnet. The research results are illustrated by an example of designing, analyzing and verifying a real-time manufacturing system.

Categories and Subject Descriptors: D.2.2 [Software Engineering]: Design Tools and Techniques: Petri nets, top-down programming; D.4.1 [Operating Systems]: Process Management: Concurrency, multitasking; D.4.7 [Operating Systems]: Organization and Design: Real-time systems and embedded systems

    General Terms: Design, Verification, Theory

    Additional Key Words and Phrases: Real-time, refinement, reachability, automated manufacturing system

    ACM Reference Format:

Ding, Z., Jiang, C., and Zhou, M. 2013. Design, analysis and verification of real-time systems based on time Petri net refinement. ACM Trans. Embed. Comput. Syst. 12, 1, Article 4 (January 2013), 18 pages. DOI: http://dx.doi.org/10.1145/2406336.2406340

    1. INTRODUCTION

Along with the development of its theory and applications, the Petri net has gradually been applied to real-time systems, which are an important research branch in the realm of computer applications and have been widely used in embedded systems, computer communication, process control, factory automation, and robotics. All tasks in a real-time system are time-constrained. Its correctness depends not only on logical correctness, but also on the time constraints of system outputs. Therefore, it is necessary to build a Petri net model involving time factors for analyzing a real-time system [Murata 1989]. When timing issues are introduced in Petri nets, several extended models are proposed, including timed Petri nets [Hu and Li 2009a; Zuberek 1991], time Petri nets

This research was partially supported by the National Basic Research Program of China (973 Program) (2010CB328100), the National High-Tech Research and Development Plan of China under Grant No. 62009AA01Z141, the National Natural Science Funds (60803032, 90818023), the Program for New Century Excellent Talents in University, and the Shanghai Rising-Star Program.

Authors' addresses: Z. Ding, Department of Computer Science & Technology, Tongji University, Shanghai 201804; email: zhijun [email protected]; C. Jiang, Department of Computer Science & Technology, Tongji University, Shanghai 201804; M. Zhou, Department of Electrical and Computer Engineering, New Jersey Institute of Technology, Newark, NJ.

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies show this notice on the first page or initial screen of a display along with the full citation. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, to redistribute to lists, or to use any component of this work in other works requires prior specific permission and/or a fee. Permissions may be requested from Publications Dept., ACM, Inc., 2 Penn Plaza, Suite 701, New York, NY 10121-0701 USA, fax +1 (212) 869-0481, or [email protected]. © 2013 ACM 1539-9087/2013/01-ART4 $15.00. DOI: http://dx.doi.org/10.1145/2406336.2406340

    ACM Transactions on Embedded Computing Systems, Vol. 12, No. 1, Article 4, Publication date: January 2013.


[Berthomieu et al. 2007; Merlin and Farber 1976], and stochastic timed Petri nets [Molloy 1982]. Among these models, time Petri nets (TPN), proposed by Merlin and Farber [1976], are the most widely used formal models for real-time system design, simulation, and verification. However, modeling and analysis of a complex real-time system via a TPN remains a great challenge, since, first, building a TPN model is hard in itself, and second, the model often faces a state explosion problem. To solve these problems, Wang et al. [2000b] define compositional time Petri net models for a command and control system, and propose a set of component-level reduction rules for TPN to implement the reduction of a complex model under the condition of preserving behavior properties with time constraints. Using basic routing structures, Tang and Liu [2006] transform a TPN workflow model into a hierarchical TPN workflow model to implement model abstraction and simplification. Liu et al. [2002] introduce linear-time reasoning rules for TPN workflow models based on the basic routing structures of workflows, which can be used to stepwise simplify a complex workflow model. These studies mainly focus on the equivalent reduction or transformation of a complex Petri net with time constraints to decrease the analysis complexity, but complex real-time system modeling and property analysis remain unaddressed. Since the refinement operation of Petri nets supports hierarchical modeling and decreases analysis complexity, it has been used as an effective method for designing, analyzing and verifying complex systems [Suzuki and Murata 1983; Valette 1979; Zhou et al. 1993].

Gurovic et al. [2000] introduce a refinement technique into TPN, define a type of refinement operation of TPN, and apply these operations to the hierarchical modeling and analysis of traffic control systems. Felder et al. [1998] mainly study the temporal semantic preservation of refinement operations. They establish TRIO formulas for the temporal semantic representation of TPN, and define a set of refinement rules that satisfy temporal semantic preservation. Huang et al. [2004] provide a method for the refinement of a transition or place in Petri nets, in which both behavioral and structural property preservation are studied. Furthermore, Ding et al. [2008] generalize the refinement model of Huang et al. [2004] to obtain a more general net refinement model and present three types of refined Petri nets according to the different composition of subsystems. Then, the language and property relationships among a subnet, an original net and a refined net are studied to demonstrate behavior characteristics and property preservation in a system synthesis process. But their work does not consider time constraints in the model. This article extends the model of Huang et al. [2004] to TPN, defines the refinement operations of TPN, and studies their behavior and property preservation. Furthermore, we provide an algorithm to decide if a state can be reached in a refined TPN given the reachability trees of its original net and subnet.

Compared with the work in Wang et al. [2000a, 2000b] and Liu et al. [2002], this article not only addresses behavior preservation of refinement operations with time constraints, but also studies their property preservation, which provides an effective way for complex system analysis and verification. Gurovic et al. [2000] consider property preservation of refinement operations based on the refinement model of Suzuki and Murata [1983], while our work is based on the refinement model of Huang et al. [2004]. Different models lead to different applications and verification methods. Due to the introduction of a time factor, it is more difficult to analyze the reachability of a TPN than that of a Petri net without time constraints. In this article, a reachability decidability method for TPN is for the first time presented based on refinement operations, which can effectively alleviate the state explosion problem when analyzing a complex system.

The rest of the article is arranged as follows. Section 2 introduces the basic concepts and related terms of TPN, and defines a refinement operation of TPN based on a standard subnet model. Section 3 defines the behavior preservation of the refinement operation, and introduces a sufficient condition for a refinement operation to preserve


behavior and properties. Section 4 presents a reachability decidability algorithm for a refined TPN using the reachability trees of its original net and subnet. Section 5 illustrates the method by designing and analyzing a real-time manufacturing system. Section 6 makes concluding remarks.

2. PRELIMINARIES

We assume that readers have some knowledge of the terminology of Petri nets. Readers who are unfamiliar with Petri nets may refer to [Girault and Valk 2003; Hruz and Zhou 2007; Li and Zhou 2009; Murata 1989; Zhou and Venkatesh 1998] for the basic definitions and terms.

    2.1. Time Petri Nets (TPN)

In a TPN, for each transition $t \in T$, two time values are defined, $SEFT(t)$ and $SLFT(t)$, where $SEFT(t)$ is the minimum time that the transition must wait after it is enabled and before it fires, i.e., its static earliest firing time, and $SLFT(t)$ is the maximum time that the transition can wait before firing if it is still enabled, i.e., its static latest firing time. Formally, a TPN is defined as follows:

Definition 1. Let $Z = (P, T, F, W, M_0, SI)$ be a TPN, where $PN = (P, T, F, W, M_0)$ is a Petri net, $P$ is a finite set of places, $T$ is a finite set of transitions, $F \subseteq (P \times T) \cup (T \times P)$ is a flow relation, $W: F \to \{1, 2, 3, \ldots\}$ is a weight function, and $SI: T \to \mathbb{Q}^+ \times \mathbb{Q}^+$ is a time interval function defined on the transition set, that is, for $t \in T$, $SI(t) = [SEFT(t), SLFT(t)]$, in which $\mathbb{Q}^+$ is the set of positive rational numbers.

The state of a TPN is represented as a pair $S = (M, I)$, where $M$ is a marking and $I$ is the firing interval set of the transitions enabled at state $S$, which depends on the arrival time of state $S$. Because every state in a TPN is closely related to its arrival time, a reachable marking, reached from the initial marking, may have different arrival times corresponding to the same firing sequence. That is, the state space may be infinite. To solve this problem, Berthomieu and Diaz [1991] present a state class method, in which a state class of a TPN is defined as $C = (M, D)$, where $M$ is a marking, and all states in a class have the same marking; $D$ is the firing time interval set of all transitions enabled at the state class $C$, which is not related to the arrival time of a specific state but to the relative firing time intervals of state class $C$. It has been proven that for a bounded TPN the number of reachable state classes is finite. Therefore, the state class method effectively solves the problem of the infinite number of states. However, a state class is only associated with relative time intervals, and the time span between reachable states cannot be obtained, which makes timeliness analysis or verification of modeled systems inconvenient. Consequently, based on the state class, Wang et al. [2000a] define a clock-stamped state class, introducing a global time to represent the global arrival time interval of the state class. In addition, the following interval arithmetic will be used later. Let $I_1 = [a_1, b_1]$ and $I_2 = [a_2, b_2]$, with $0 \le a_i \le b_i \le +\infty$, $i = 1, 2$. Then we define $I_1 + I_2$ to be the interval $[a_1 + a_2, b_1 + b_2]$ and $I_1 - I_2$ to be $[a_1 - a_2, b_1 - b_2]$ [Wang et al. 2000a].

Definition 2. A clock-stamped state class (CS-class) of a TPN is defined as a 3-tuple $C = (M, D, ST)$, where $M$ is a marking; $D$ is a firing domain, i.e., a set of constraints on the values of the time to fire for the transitions enabled by the current marking $M$; in detail, for $t_i$ with $M[t_i\rangle$, its firing interval is $D(t_i) = [EFT(t_i), LFT(t_i)]$, where $EFT(t_i)$ is the earliest firing time of $t_i$ and $LFT(t_i)$ is the latest firing time of $t_i$; $ST$ is a global clock stamp giving the arrival time interval of the state class.


    Fig. 1. TPN model Z1.

In the following definition, the firing rules of a TPN and a method for computing CS-classes are given.

Definition 3. A transition $t_j \in T$ is said to be firable at a CS-class $C_k = (M_k, D_k, ST_k)$ if the following transition firing rules are met:

(1) $t_j$ is enabled at $M_k$, i.e., $M_k[t_j\rangle$. The set of transitions enabled at $M_k$ is denoted as $E(C_k)$;

(2) $EFT_k(t_j) \le \min\{LFT_k(t_i) \mid t_i \in E(C_k)\}$;

(3) Let $NE(C_k)$ be the set of transitions that begin to be enabled at $M_k$. If $t_j \in NE(C_k)$, then $SEFT(t_j) \le \min\{SLFT(t) \mid t \in NE(C_k)\}$ holds.

If $t_j$ is firable at CS-class $C_k$, then its firing results in a new CS-class $C_{k+1} = (M_{k+1}, D_{k+1}, ST_{k+1})$, where:

$\forall p \in P$, $M_{k+1}(p) = M_k(p) - W(p, t_j) + W(t_j, p)$;

$\forall t_f \in E(C_{k+1})$,
$D_{k+1}(t_f) = SI(t_f) + ST_{k+1}$ if $t_f \in NE(C_{k+1})$, and
$D_{k+1}(t_f) = [\max(EFT_k(t_j), EFT_k(t_f)),\ LFT_k(t_f)]$ if $t_f \notin NE(C_{k+1})$;

$ST_{k+1} = [EFT_k(t_j),\ \min\{LFT_k(t_i) \mid t_i \in E(C_k)\}]$.

Given a TPN model $Z$, its initial CS-class is $C_0 = (M_0, D_0, ST_0)$, where $M_0$ is the initial marking, $D_0$ contains the firing time intervals of all transitions enabled at $C_0$, and $ST_0 = [0, 0]$. According to the transition firing rules, firing $t_0$ at $C_0$ leads to a new CS-class $C_1$. Similarly, firing $t_1$ leads to CS-class $C_2$. Continuing in this way, at $C_i$, firing $t_i$ leads to $C_{i+1}$. Finally, we generate a firing sequence $\sigma = t_0 t_1 \cdots t_i$ of $Z$.

With the above firing rules and computing method, we can generate a reachability tree of $Z$, $RT(Z, C_0)$, with root node $C_0$. Every node of the tree corresponds to a reachable state class. If firing $t$ at CS-class $C_i$ results in $C_j$, then $C_i$ and $C_j$ are connected with a directed arc labelled $t$.

It is noted that the third condition of Definition 3 does not exist in Wang et al. [2000a]. Let us consider the TPN model $Z_1$ shown in Figure 1. In $Z_1$, transitions $t_2$ and $t_3$ must be enabled simultaneously. However, $t_2$ is always firable but $t_3$ is not, because the static earliest firing time of $t_3$ is greater than that of $t_2$. According to Wang et al. [2000a], $t_3$ is firable at the CS-class $C = (M, D, ST)$, where $M = p_2$, $D = \{D(t_2) = [1, 6], D(t_3) = [4, 10]\}$ and $ST = [1, 4]$, which satisfies the firing


rules as defined in Wang et al. [2000a]. Clearly, the third condition in Definition 3 is needed to avoid this problem.
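The following is an added example, not code from the paper, that implements the CS-class computation of Definitions 2 and 3 and the reachability tree $RT(Z, C_0)$, and then reproduces the point made about $Z_1$ above. Figure 1 itself is not on the page, so the shape of $Z_1$ is assumed here: $p_1 \xrightarrow{t_1} p_2$, with $t_2$ and $t_3$ both consuming $p_2$, and static intervals chosen so that the class reached after $t_1$ is exactly the one quoted in the text ($D(t_2) = [1,6]$, $D(t_3) = [4,10]$, $ST = [1,4]$). The rule for which transitions count as newly enabled is also an assumption (the usual TPN convention), since the paper does not spell it out.

```python
# Added example (not code from the paper): clock-stamped state classes of a
# TPN per Definitions 2 and 3, and the reachability tree RT(Z, C0).
# A net is a dict: "pre"[t] = {p: W(p,t)}, "post"[t] = {p: W(t,p)},
# "si"[t] = SI(t).  Intervals are pairs of exact rationals.
from collections import deque
from fractions import Fraction as Q


def I(a, b):
    """Closed interval [a, b] with exact rational endpoints."""
    return (Q(a), Q(b))


def add(i1, i2):
    """Interval sum I1 + I2 = [a1 + a2, b1 + b2], used for D = SI + ST."""
    return (i1[0] + i2[0], i1[1] + i2[1])


def enabled(net, M):
    """E(C): transitions whose input places carry at least W(p, t) tokens."""
    return [t for t in net["si"]
            if all(M.get(p, 0) >= w for p, w in net["pre"][t].items())]


def initial_class(net, M0):
    """C0 = (M0, D0, ST0) with ST0 = [0,0]; everything enabled is newly enabled."""
    ST0, E0 = I(0, 0), enabled(net, M0)
    return {"M": dict(M0), "ST": ST0, "NE": set(E0),
            "D": {t: add(net["si"][t], ST0) for t in E0}}


def firable(net, C, tj, third_rule=True):
    """Firing rules (1)-(3) of Definition 3.
    third_rule=False applies only rules (1)-(2), i.e. the Wang et al. rules."""
    E = enabled(net, C["M"])
    if tj not in E:                                          # rule (1)
        return False
    if C["D"][tj][0] > min(C["D"][t][1] for t in E):         # rule (2)
        return False
    if third_rule and tj in C["NE"]:                         # rule (3)
        if net["si"][tj][0] > min(net["si"][t][1] for t in C["NE"]):
            return False
    return True


def fire(net, C, tj):
    """C_k --tj--> C_{k+1} as computed in Definition 3 (tj must be firable)."""
    Mk, Dk = C["M"], C["D"]
    Ek = enabled(net, Mk)
    mid = dict(Mk)                      # M_k - W(., tj): tokens consumed
    for p, w in net["pre"][tj].items():
        mid[p] -= w
    M1 = dict(mid)                      # ... + W(tj, .): tokens produced
    for p, w in net["post"][tj].items():
        M1[p] = M1.get(p, 0) + w
    # ST_{k+1} = [EFT_k(tj), min{LFT_k(ti) | ti in E(C_k)}]
    ST1 = (Dk[tj][0], min(Dk[t][1] for t in Ek))
    # NE(C_{k+1}): enabled at M_{k+1} but not at the intermediate marking,
    # or tj itself re-enabled (assumed convention, see lead-in).
    E1, mid_enabled = enabled(net, M1), set(enabled(net, mid))
    NE1 = {t for t in E1 if t == tj or t not in mid_enabled}
    D1 = {t: add(net["si"][t], ST1) if t in NE1
          else (max(Dk[tj][0], Dk[t][0]), Dk[t][1]) for t in E1}
    return {"M": {p: n for p, n in M1.items() if n > 0},
            "D": D1, "ST": ST1, "NE": NE1}


def reachability_tree(net, M0, max_nodes=1000):
    """Breadth-first RT(Z, C0).  Returns (nodes, arcs); an arc (i, t, j) means
    firing t at node i yields node j.  Identical classes are merged and
    max_nodes guards against an unbounded net."""
    key = lambda C: (tuple(sorted(C["M"].items())),
                     tuple(sorted(C["D"].items())), C["ST"])
    root = initial_class(net, M0)
    nodes, index, arcs, todo = [root], {key(root): 0}, [], deque([0])
    while todo and len(nodes) < max_nodes:
        i = todo.popleft()
        for t in net["si"]:
            if firable(net, nodes[i], t):
                C = fire(net, nodes[i], t)
                if key(C) not in index:
                    index[key(C)] = len(nodes)
                    nodes.append(C)
                    todo.append(index[key(C)])
                arcs.append((i, t, index[key(C)]))
    return nodes, arcs


# Net Z1 (assumed shape of Figure 1, which is not on the page): p1 -t1-> p2,
# then t2 and t3 both consume p2.  SI chosen so that the class after t1 is
# the one the text quotes: D(t2) = [1,6], D(t3) = [4,10], ST = [1,4].
Z1 = {"pre":  {"t1": {"p1": 1}, "t2": {"p2": 1}, "t3": {"p2": 1}},
      "post": {"t1": {"p2": 1}, "t2": {"p3": 1}, "t3": {"p4": 1}},
      "si":   {"t1": I(1, 4), "t2": I(0, 2), "t3": I(3, 6)}}


def z1_check():
    """t3 passes the Wang et al. rules at C1 but fails rule (3): SEFT(t3) = 3
    exceeds SLFT(t2) = 2, so only t2 can ever fire there."""
    C1 = fire(Z1, initial_class(Z1, {"p1": 1}), "t1")
    return {"C1": C1,
            "t3_wang_rules": firable(Z1, C1, "t3", third_rule=False),
            "t3_def3": firable(Z1, C1, "t3"),
            "t2_def3": firable(Z1, C1, "t2")}


if __name__ == "__main__":
    r = z1_check()
    print("C1:", r["C1"]["M"], r["C1"]["D"], r["C1"]["ST"])
    print("t3 firable by rules (1)-(2):", r["t3_wang_rules"],
          " by Definition 3:", r["t3_def3"])
    nodes, arcs = reachability_tree(Z1, {"p1": 1})
    print(len(nodes), "classes, arcs:", arcs)
```

Running the block builds the tree for $Z_1$: three classes joined by the arcs $t_1$ and $t_2$, and no arc labelled $t_3$, which is the behaviour the third condition enforces. Dropping `third_rule` makes `firable` report $t_3$ as firable at the quoted class, the wrong answer the text attributes to the original rules.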

Wang et al. [2000a] analyzed the soundness and completeness of the global time interval $ST$, and proved that a CS-class can be uniquely mapped to a traditional state class as presented in Berthomieu and Diaz [1991]. Here the added third condition only rules out wrong transition firings and does not change the definition of a CS-class, so the results of Wang et al. [2000a] carry over essentially unchanged and are omitted.

In this work, we introduce some related notation to be used later. $(Z, \sigma)$ denotes the CS-class generated by firing the sequence $\sigma$ from the initial CS-class $C_0$ of a TPN $Z$; the global time at which $(Z, \sigma)$ arrives is its clock stamp. $R(Z, \sigma)$ is the marking set composed of all markings reached in the execution of sequence $\sigma$. $R(Z)$ is the set of all reachable markings of $Z$. $L(Z)$ is the set of all firing sequences of $Z$.

$Z$ is live iff $\forall t \in T$, $\forall M \in R(Z)$, there exists $M'$ reachable from $M$ such that $M'[t\rangle$. A place $p \in P$ is said to be bounded or $K$-bounded iff $M(p) \le K$ for all $M \in R(Z)$, where $K$ is a positive integer. $Z$ is said to be bounded iff every place in it is bounded. A place is said to be safe iff it is 1-bounded. $Z$ is said to be safe iff every place is 1-bounded. It is noted that the liveness and boundedness of a TPN are not equivalent to those of its untimed counterpart [Berthomieu and Diaz 1991].

Let $X \subseteq P \cup T$ be a node subset of $Z$. $Z|_X$ denotes the new time Petri net that consists only of the elements in $X$ and the related arcs, which is a subgraph of $Z$. $Z - X$ is defined as $Z|_{\bar{X}}$, where $\bar{X} = P \cup T - X$. All the above notation is applicable to markings and firing sequences. $L(Z)|_X$ indicates that for every firing sequence of $Z$, only the elements from $X$ are preserved. Similarly, $L(Z) - X = L(Z)|_{T - X}$.

    2.2. Refinement Operation of TPN

Huang et al. [2004] define a type of refinement operation of Petri nets. Here we extend it to TPN.

Definition 4. A TPN $Z = (P, T, F, W, M_0, SI)$ is a time Petri net module (module) iff the following conditions hold:

(1) $Z$ has two special places, $i$ and $o$, where $i$ is an initial (import) place, i.e., $^\bullet i = \emptyset$, and $o$ is a terminal (export) place, i.e., $o^\bullet = \emptyset$;

(2) $M_0(i) = 1$, $M_0(o) = 0$, and $\forall t \notin i^\bullet$, $\neg M_0[t\rangle$ holds;

(3) $\exists \sigma \in L(Z)$, where $(Z, \sigma) = C_f = (M_f, D_f, ST_f)$, satisfying $M_f(o) = 1$, $M_f(i) = 0$, $M_f(p) = M_0(p)$ for $p \in P - \{i, o\}$, and $\forall t \in T$, $\neg M_f[t\rangle$. $M_f$ is called a terminal marking. Moreover, $\forall \sigma' \in L(Z)$ with $\sigma' \ne \sigma$, where $(Z, \sigma') = C' = (M', D', ST')$, if $M'(o) \ge 1$, then $M' = M_f$;

(4) There are no dead transitions in $Z$, i.e., $\forall t \in T$, there exists a CS-class $C_i$ reached from the initial CS-class $C_0$ of $Z$ such that $t$ fires at $C_i$.

Condition (1) states that a module $Z$ is a kind of time Petri net with a special structure, i.e., it has one initial place $i$ and one terminal place $o$. If a new transition $t$ is added into $Z$ and connected with $o$ and $i$, namely $^\bullet t = \{o\}$ and $t^\bullet = \{i\}$, then an extended net $\bar{Z}$ is generated. Condition (2) constrains the initial marking of a module, requiring one token in the initial place and no token in the terminal place, and also requiring that the module execution must begin with the firing of a post-set transition of the initial place, and that other transitions cannot be enabled at $M_0$. Condition (3) indicates that the module can be executed and terminated, and that its terminal marking is reached when the terminal place receives a token. In other words, the execution of a module stops


    Fig. 2. Refinement operation of TPN.

as soon as a token enters the terminal place. Condition (4) states that every transition can fire in $Z$.

By replacing a transition of a TPN with a module, we obtain a new time Petri net. This process corresponds to a refinement operation, whose formal definition is given next:

Definition 5. Let TPN $Z = (P, T, F, W, M_0, SI)$, where for $t_r \in T$, $r_i^\bullet = \{t_r\} = {}^\bullet r_o$, $|{}^\bullet t_r| = |t_r^\bullet| = 1$, and place $r_i$ is safe. Let $B = (P_B, T_B; F_B, W_B, M_{B0}, SI_B)$ be a module. The refinement operation of net $Z$ and module $B$, $Z[B/t_r] \Rightarrow Z'$, is implemented by replacing $t_r$ in $Z$ with $B$, generating a new TPN $Z' = (P', T'; F', M_0', SI')$, where:

(1) $P' = P \cup P_B \cup \{p_i, p_o\} - \{r_i, r_o, i, o\}$;

(2) $T' = T \cup T_B - \{t_r\}$;

(3) $F' = F \cup F_B \cup \{(p_i, x) \mid x \in i^\bullet\} \cup \{(x, p_o) \mid x \in {}^\bullet o\} \cup \{(x, p_i) \mid x \in {}^\bullet r_i\} \cup \{(p_o, x) \mid x \in r_o^\bullet\} - \{(r_i, t_r), (t_r, r_o)\} - \{(x, r_i) \mid x \in {}^\bullet r_i\} - \{(r_o, x) \mid x \in r_o^\bullet\} - \{(i, x) \mid x \in i^\bullet\} - \{(x, o) \mid x \in {}^\bullet o\}$;

(4) $M_0'(p) = M_0(r_i)$ if $p = p_i$; $M_0'(p) = M_0(r_o)$ if $p = p_o$; $M_0'(p) = M_0(p)$ if $p \in P - \{r_i, r_o\}$; $M_0'(p) = M_{B0}(p)$ if $p \in P_B - \{i, o\}$;

(5) $SI' = SI \cup SI_B - \{SI(t_r)\}$.

Net $Z'$ is called a refined TPN, $t_r$ a refinement transition, and $Z$ an original net system. Figure 2 shows the refinement process of a TPN.

    3. BEHAVIOR AND PROPERTY PRESERVATION OF TPN REFINEMENT OPERATION

This section discusses the behavior and property preservation of TPN under the refinement operation. First a sufficient condition for behavior preservation is given, and then property preservation is discussed.

    3.1. Behavior Preservation

Definition 6. Let TPN $Z = (P, T; F, M_0, SI)$ be an original net system and $Z' = (P', T'; F', M_0', SI')$ the refined TPN obtained by replacing transition $t_r$ in $Z$ with module $B$. Let $U = T - \{t_r\}$. If $L(Z')|_U = L(Z)|_U$, then the refinement operation $Z[B/t_r] \Rightarrow Z'$ satisfies behavior preservation.

Table I. The Description of State Classes of $Z_2$

1: $C_{20} = (M_{20}, D_{20}, ST_{20})$: $M_{20} = p_1$, $D_{20} = \{D_{20}(t_1) = [3, 3]\}$, $ST_{20} = [0, 0]$
2: $C_{21} = (M_{21}, D_{21}, ST_{21})$: $M_{21} = p_2 + p_4$, $D_{21} = \{D_{21}(t_r) = [4, 9], D_{21}(t_3) = [6, 7]\}$, $ST_{21} = [3, 3]$
3: $C_{22} = (M_{22}, D_{22}, ST_{22})$: $M_{22} = p_3 + p_4$, $D_{22} = \{D_{22}(t_2) = [5, 8], D_{22}(t_3) = [6, 7]\}$, $ST_{22} = [4, 7]$
4: $C_{23} = (M_{23}, D_{23}, ST_{23})$: $M_{23} = p_2 + p_5$, $D_{23} = \emptyset$, $ST_{23} = [6, 7]$
5: $C_{24} = (M_{24}, D_{24}, ST_{24})$: $M_{24} = p_6$, $D_{24} = \emptyset$, $ST_{24} = [5, 7]$
6: $C_{25} = (M_{25}, D_{25}, ST_{25})$: $M_{25} = p_3 + p_5$, $D_{25} = \emptyset$, $ST_{25} = [6, 7]$

THEOREM 1. For any transition firing sequence $\sigma_B \in L(B)$ such that $M_B = M_f$, where $(B, \sigma_B) = C_B = (M_B, D_B, ST_B)$, if $ST_B = SI(t_r)$, then the refinement operation satisfies behavior preservation.

    PROOF. See Appendix A.

Theorem 1 says that if, for every transition firing sequence that leads to the terminal marking of module $B$, the global execution time of the sequence equals the firing time interval of the refinement transition $t_r$ in the original net $Z$, then the refined TPN $Z'$ generated by replacing $t_r$ with $B$ keeps the same behavioral characteristics as the original net. This characteristic is very important for real-time system synthesis, modeling, and analysis, because a system synthesis process must first meet system behavior consistency with time constraints, and only then is its property preservation required [Ding et al. 2008; Jiang et al. 2002]. We discuss property preservation in the next section.
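The following is an added example, not code from the paper, that carries out the refinement operation of Definition 5 on a constructed net and module, checks the structural conditions (1) and (2) of Definition 4, and applies the sufficient condition of Theorem 1 in the special case where the module is a single sequential chain. In that case every class of the module has exactly one enabled transition, so by the rules of Definition 3 the terminal class's stamp is just the interval sum of the static intervals along the chain; a module with choice or concurrency needs its full CS-class tree instead. The nets `Z` and `B` and the names `pi`, `po` are assumptions of the example (Figure 2 is not on the page).

```python
# Added example (not code from the paper): the refinement operation
# Z[B/tr] => Z' of Definition 5, the structural conditions (1)-(2) of
# Definition 4, and the Theorem 1 check for a sequential module.
# Nets use the dict encoding "pre"/"post"/"si" plus "m0" for the initial
# marking.  Z and B below are constructed for this example.
from fractions import Fraction as Q


def I(a, b):
    return (Q(a), Q(b))


def places(net):
    return {p for t in net["si"] for p in (*net["pre"][t], *net["post"][t])}


def preset_places(net, t):
    return set(net["pre"][t])


def postset_places(net, t):
    return set(net["post"][t])


def pre_transitions(net, p):
    """Preset of place p: transitions t with p in t•."""
    return {t for t in net["si"] if p in net["post"][t]}


def post_transitions(net, p):
    """Postset of place p: transitions t with p in •t."""
    return {t for t in net["si"] if p in net["pre"][t]}


def is_module(B, i="i", o="o"):
    """Conditions (1) and (2) of Definition 4.  Conditions (3) and (4) speak
    about reachable CS-classes and need the state-class tree, so they are
    not checked here."""
    if pre_transitions(B, i) or post_transitions(B, o):        # (1) •i = ∅, o• = ∅
        return False
    m0 = B["m0"]
    if m0.get(i, 0) != 1 or m0.get(o, 0) != 0:                 # (2) M0(i)=1, M0(o)=0
        return False
    for t in B["si"]:                                          # (2) only i• enabled at M0
        if i not in B["pre"][t] and all(m0.get(p, 0) >= w
                                        for p, w in B["pre"][t].items()):
            return False
    return True


def refine(Z, B, tr, i="i", o="o", pi="pi", po="po"):
    """Z' = Z[B/tr] per Definition 5: drop tr, merge r_i with i into p_i and
    r_o with o into p_o, keep every other arc, marking and interval."""
    (ri,), (ro,) = preset_places(Z, tr), postset_places(Z, tr)  # |•tr| = |tr•| = 1
    assert post_transitions(Z, ri) == {tr} and pre_transitions(Z, ro) == {tr}
    assert not set(Z["si"]) & set(B["si"]), "transition names must be disjoint"
    ren_Z, ren_B = {ri: pi, ro: po}, {i: pi, o: po}
    rename = lambda arcs, ren: {ren.get(p, p): w for p, w in arcs.items()}
    pre, post, si = {}, {}, {}
    for t in Z["si"]:
        if t != tr:                                            # T' = T ∪ T_B − {tr}
            pre[t], post[t] = rename(Z["pre"][t], ren_Z), rename(Z["post"][t], ren_Z)
            si[t] = Z["si"][t]
    for t in B["si"]:
        pre[t], post[t] = rename(B["pre"][t], ren_B), rename(B["post"][t], ren_B)
        si[t] = B["si"][t]
    # M0'(p_i) = M0(r_i), M0'(p_o) = M0(r_o); other places keep M0 resp. M_B0
    m0 = {ren_Z.get(p, p): n for p, n in Z["m0"].items() if n > 0}
    m0.update({p: n for p, n in B["m0"].items() if p not in (i, o) and n > 0})
    return {"pre": pre, "post": post, "si": si, "m0": m0}


def chain_global_time(B, i="i", o="o"):
    """Global time interval ST of the terminal class for a module that is a
    single chain i -> t -> p -> t -> ... -> o: one enabled transition per
    class, so ST accumulates as the sum of the SI along the chain.
    Raises ValueError if the module branches (use the CS-class tree then)."""
    total, p = I(0, 0), i
    while p != o:
        (t,) = post_transitions(B, p)
        (p,) = postset_places(B, t)
        total = (total[0] + B["si"][t][0], total[1] + B["si"][t][1])
    return total


# Original net Z (constructed): p1 -t1-> ri -tr-> ro -t2-> p4, ri safe.
Z = {"pre":  {"t1": {"p1": 1}, "tr": {"ri": 1}, "t2": {"ro": 1}},
     "post": {"t1": {"ri": 1}, "tr": {"ro": 1}, "t2": {"p4": 1}},
     "si":   {"t1": I(1, 2), "tr": I(2, 5), "t2": I(0, 1)},
     "m0":   {"p1": 1}}

# Module B (constructed): i -b1-> q -b2-> o.  SI(b1) + SI(b2) = [2,5] = SI(tr),
# so the sufficient condition of Theorem 1 holds for Z[B/tr].
B = {"pre":  {"b1": {"i": 1}, "b2": {"q": 1}},
     "post": {"b1": {"q": 1}, "b2": {"o": 1}},
     "si":   {"b1": I(1, 2), "b2": I(1, 3)},
     "m0":   {"i": 1}}

if __name__ == "__main__":
    Zr = refine(Z, B, "tr")
    print("P' =", sorted(places(Zr)), " T' =", sorted(Zr["si"]), " M0' =", Zr["m0"])
    print("B is a module (cond. 1-2):", is_module(B))
    print("Theorem 1 condition ST_B = SI(tr):", chain_global_time(B) == Z["si"]["tr"])
```

The refined net has $P' = \{p_1, p_i, q, p_o, p_4\}$ and $T' = \{t_1, b_1, b_2, t_2\}$, with $t_1$ now feeding $p_i$ and $t_2$ now consuming $p_o$, exactly as item (3) of Definition 5 prescribes. Changing `B["si"]["b2"]` to, say, $[1, 4]$ makes `chain_global_time` return $[2, 6] \ne SI(t_r)$, so Theorem 1 no longer applies, which is the situation of module $B_1$ in Example 1 below.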

Example 1. $Z_2$ is the original net system shown in Figure 3(a), $t_r$ is a refinement transition, and modules $B_1$ and $B_2$ are given in Figure 3(b) and Figure 3(c), respectively. For $B_1$ and $B_2$, their global time intervals are easily computed and equal [0, 2] and [1, 6], respectively. Let $Z_2^{B_1}$ ($Z_2^{B_2}$) be the refined TPN obtained by replacing $t_r$ in $Z_2$ with $B_1$ ($B_2$); the refinement operation $Z_2[B_1/t_r] \Rightarrow Z_2^{B_1}$ ($Z_2[B_2/t_r] \Rightarrow Z_2^{B_2}$) cannot (can) satisfy the conditions of Theorem 1. The three state class reachability trees of $Z_2$, $Z_2^{B_1}$ and $Z_2^{B_2}$ are shown in Figures 4(a) to 4(c), and their state classes are listed in Tables I to III. Clearly, $\sigma_{21} = t_1 t_3$ is a transition firing sequence of $Z_2$, i.e., $\sigma_{21} \in L(Z_2)$. However, no transition firing sequence $\sigma_2^{B_1}$ of $Z_2^{B_1}$ satisfies $\sigma_2^{B_1}|_{T_2 - \{t_r\}} = \sigma_{21}$, because $t_3$ is never firable. Moreover, it is easily proved that $L(Z_2^{B_2})|_{T_2 - \{t_r\}} = L(Z_2)|_{T_2 - \{t_r\}}$.

3.2. Property Preservation

For a refinement operation, if the above criterion of behavior preservation is met, then the following theorems also hold.

THEOREM 2. If $Z'$ is $K$-bounded, so is $Z$.

PROOF. For $\forall \sigma \in L(Z)$, according to behavior preservation there exists $\sigma' \in L(Z')$ such that $\sigma'|_U = \sigma|_U$. Obviously, for $p \in P - \{r_i, r_o\}$, $M(p) = M'(p) \le K$ holds, where $(Z, \sigma) = (M, D, ST)$ and $(Z', \sigma') = (M', D', ST')$. Furthermore, according to Definition 5, we know $M(r_i) \le 1$ and $M(r_o) \le 1$. Therefore, $\forall p \in P$, $M(p) \le K$ holds, that is, $Z$ is $K$-bounded.


    Fig. 3. TPN model.

Fig. 4. State class reachability trees of TPNs $Z_2$, $Z_2^{B_1}$ and $Z_2^{B_2}$.

THEOREM 3. If $Z$ and $B$ are bounded, so is $Z'$.

PROO F. Let the original net $Z$ and module $B$ be $K$-bounded and $K_B$-bounded, respectively; then the extended net $\bar{B}$ of module $B$ is also $K_B$-bounded. For $\forall \sigma' \in L(Z')$, according to behavior preservation, we know $\sigma'|_U \in L(Z)|_U$, namely $\exists \sigma \in L(Z)$ such that $\sigma|_U = \sigma'|_U$. Suppose that $(Z', \sigma') = (M', D', ST')$ and $(Z, \sigma) = (M, D, ST)$. Then $\forall p \in P - \{r_i, r_o\}$, $M'(p) = M(p) \le K$ holds. Following Theorem 1, there exists $\sigma_B \in L(\bar{B})$, where $(\bar{B}, \sigma_B) = (M_B, D_B, ST_B)$, such that $M'(p) = M_B(p)$ for $p \in P_B - \{i, o\}$. It is obvious that $M'(p_i) \le M_B(i) \le K_B$ and $M'(p_o) \le M_B(o) \le K_B$. Therefore, $\forall p \in P'$, $M'(p) \le \max(K, K_B)$ holds, and thus $Z'$ is bounded.

Fig. 5. TPN models of a real-time manufacturing process.

Fig. 6. Refined TPN model $Z'$ of a real-time manufacturing process.

THEOREM 4. If $Z'$ is live, so is $Z$.

PROOF. Let $\sigma \in L(Z)$. By behavior preservation, $\sigma|_U \in L(Z')|_U$ holds, i.e., $\exists \sigma' \in L(Z')$ such that $\sigma'|_U = \sigma|_U$. Since $Z'$ is live, $\forall t \in T$, there is a sequence $\sigma_1'$ composed of elements in $T'$ such that $\sigma' \sigma_1' t \in L(Z')$ holds. Moreover, from behavior preservation, we know that $(\sigma' \sigma_1' t)|_U \in L(Z)|_U$ holds. According to the proof of Theorem 1, there exists a sequence $\sigma_1$ composed of elements in $T$ satisfying $\sigma_1|_U = \sigma_1'|_U$ and $\sigma \sigma_1 t \in L(Z)$. Therefore, $Z$ is live.


Table II. The Description of State Classes of $Z_2^{B_1}$

1: $C_{20}^{B_1} = (M_{20}^{B_1}, D_{20}^{B_1}, ST_{20}^{B_1})$: $M_{20}^{B_1} = p_1$, $D_{20}^{B_1} = \{D_{20}^{B_1}(t_1) = [3, 3]\}$, $ST_{20}^{B_1} = [0, 0]$
2: $C_{21}^{B_1} = (M_{21}^{B_1}, D_{21}^{B_1}, ST_{21}^{B_1})$: $M_{21}^{B_1} = p_{11} + p_4$, $D_{21}^{B_1} = \{D_{21}^{B_1}(t_{11}) = [3, 4], D_{21}^{B_1}(t_3) = [6, 7]\}$, $ST_{21}^{B_1} = [3, 3]$
3: $C_{22}^{B_1} = (M_{22}^{B_1}, D_{22}^{B_1}, ST_{22}^{B_1})$: $M_{22}^{B_1} = p_{12} + p_4$, $D_{22}^{B_1} = \{D_{22}^{B_1}(t_{12}) = [3, 4], D_{22}^{B_1}(t_3) = [6, 7]\}$, $ST_{22}^{B_1} = [3, 4]$
4: $C_{23}^{B_1} = (M_{23}^{B_1}, D_{23}^{B_1}, ST_{23}^{B_1})$: $M_{23}^{B_1} = p_{13} + p_4$, $D_{23}^{B_1} = \{D_{23}^{B_1}(t_2) = [4, 5], D_{23}^{B_1}(t_3) = [6, 7]\}$, $ST_{23}^{B_1} = [3, 4]$
5: $C_{24}^{B_1} = (M_{24}^{B_1}, D_{24}^{B_1}, ST_{24}^{B_1})$: $M_{24}^{B_1} = p_6$, $D_{24}^{B_1} = \emptyset$, $ST_{24}^{B_1} = [4, 5]$

Table III. The Description of State Classes of $Z_2^{B_2}$

1: $C_{20}^{B_2} = (M_{20}^{B_2}, D_{20}^{B_2}, ST_{20}^{B_2})$: $M_{20}^{B_2} = p_1$, $D_{20}^{B_2} = \{D_{20}^{B_2}(t_1) = [3, 3]\}$, $ST_{20}^{B_2} = [0, 0]$
2: $C_{21}^{B_2} = (M_{21}^{B_2}, D_{21}^{B_2}, ST_{21}^{B_2})$: $M_{21}^{B_2} = p_{11} + p_4$, $D_{21}^{B_2} = \{D_{21}^{B_2}(t_{11}) = [3, 4], D_{21}^{B_2}(t_3) = [6, 7]\}$, $ST_{21}^{B_2} = [3, 3]$
3: $C_{22}^{B_2} = (M_{22}^{B_2}, D_{22}^{B_2}, ST_{22}^{B_2})$: $M_{22}^{B_2} = p_{12} + p_4$, $D_{22}^{B_2} = \{D_{22}^{B_2}(t_{12}) = [4, 9], D_{22}^{B_2}(t_3) = [6, 7]\}$, $ST_{22}^{B_2} = [3, 4]$
4: $C_{23}^{B_2} = (M_{23}^{B_2}, D_{23}^{B_2}, ST_{23}^{B_2})$: $M_{23}^{B_2} = p_{13} + p_4$, $D_{23}^{B_2} = \{D_{23}^{B_2}(t_2) = [5, 8], D_{23}^{B_2}(t_3) = [6, 7]\}$, $ST_{23}^{B_2} = [4, 7]$
5: $C_{24}^{B_2} = (M_{24}^{B_2}, D_{24}^{B_2}, ST_{24}^{B_2})$: $M_{24}^{B_2} = p_{12} + p_5$, $D_{24}^{B_2} = \emptyset$, $ST_{24}^{B_2} = [6, 7]$
6: $C_{25}^{B_2} = (M_{25}^{B_2}, D_{25}^{B_2}, ST_{25}^{B_2})$: $M_{25}^{B_2} = p_6$, $D_{25}^{B_2} = \emptyset$, $ST_{25}^{B_2} = [5, 7]$
7: $C_{26}^{B_2} = (M_{26}^{B_2}, D_{26}^{B_2}, ST_{26}^{B_2})$: $M_{26}^{B_2} = p_{13} + p_5$, $D_{26}^{B_2} = \emptyset$, $ST_{26}^{B_2} = [6, 7]$

THEOREM 5. If $Z$ and $B$ are live, so is $Z'$.

PROOF. Let $\sigma' \in L(Z')$ and $(Z', \sigma') = (M', D', ST')$. According to behavior preservation, $\sigma'|_U \in L(Z)|_U$ holds, i.e., $\exists \sigma \in L(Z)$ such that $\sigma|_U = \sigma'|_U$. For $\forall t \in T'$, two cases, $t \in T - \{t_r\}$ and $t \in T_B$, are considered.

Case 1. If $t \in T - \{t_r\}$, since $Z$ is live, there exists a sequence $\sigma_1$ composed of elements in $T$ such that $\sigma \sigma_1 t \in L(Z)$. If $\sigma_1$ does not include $t_r$, then $\sigma' \sigma_1 t \in L(Z')$ holds. Otherwise, suppose that $\sigma_1 = \delta_1 t_r \delta_2 t_r \cdots \delta_{n-1} t_r \delta_n$, where each sequence $\delta_i$ is composed of elements in $T - \{t_r\}$. Following the proof of Theorem 1, the $i$-th occurrence of $t_r$ can be simulated by a sequence $\sigma_{Bi}$, where $\sigma_{B1} t_{B0} \sigma_{B2} t_{B0} \cdots t_{B0} \sigma_{Bn} \in L(\bar{B})$ and $t_{B0}$ is the additional transition in $\bar{B}$. Thus we can construct a corresponding sequence $\sigma_1'$ composed of elements in $T'$ such that $\sigma_1'|_U = \sigma_1|_U$ and $\sigma' \sigma_1' t \in L(Z')$. Therefore, $t$ is live in $Z'$.

Case 2. If $t \in T_B$, according to the proof of Theorem 1, we know that $\exists \sigma_B \in L(\bar{B})$, $(\bar{B}, \sigma_B) = (M_B, D_B, ST_B)$, such that $\forall p \in P_B - \{i, o\}$, $M'(p) = M_B(p)$ holds. (1) If $M_B = M_{B0}$, i.e., $B$ is in the state of its initial marking, then from the liveness of $Z$ we know that there exists a sequence $\sigma_1'$ composed of elements in $T'$ such that $\sigma' \sigma_1' \in L(Z')$ and $M_1'(p) = M_B(p)$ for $p \in P_B$, where $(Z', \sigma' \sigma_1') = (M_1', D_1', ST_1')$, i.e., $M_1'(p_i) = 1$. Since $B$ is live, there exists a sequence $\sigma_{B1}$ composed of transitions in $\bar{B}$ such that $\sigma_B \sigma_{B1} t \in L(\bar{B})$. Suppose that there is no additional transition $t_{B0}$ in $\sigma_{B1}$; then we directly get the result $\sigma' \sigma_1' \sigma_{B1} t \in L(Z')$. If there is an additional transition $t_{B0}$ in $\sigma_{B1}$, then obviously firing $t_{B0}$ transfers the tokens in place $o$ into place $i$. Since $Z$ is live, for every occurrence of $t_{B0}$ in $\sigma_{B1}$ there always exists a sequence $\delta_i$ composed of elements in $T$ that transfers the token in $p_o$ into $p_i$. In this way a new sequence $\sigma_2'$ is generated such that $\sigma' \sigma_1' \sigma_2' \in L(Z')$ and $t$ can fire at $(Z', \sigma' \sigma_1' \sigma_2')$. (2) If $M_B \ne M_{B0}$, that is, $B$ is not in the state of its initial marking, then according to the liveness of $B$ there exists a sequence $\sigma_{B1}$ such that $\sigma_B \sigma_{B1} t \in L(\bar{B})$. In the same way as in (1), after considering the different cases of $\sigma_{B1}$, we conclude that there exists $\sigma_2'$ such that $\sigma' \sigma_2' t \in L(Z')$. Therefore, $t$ is live in $Z'$.

On the ground of behavior preservation, the refinement operation of TPN also preserves boundedness and liveness. These results are useful for analyzing and verifying large complex systems: by analyzing and verifying the relatively smaller models, we can derive the properties of a complex one, thereby alleviating the state space explosion problem and reducing the analysis complexity.

Algorithm 1: A reachability decidability algorithm for a refined TPN

Input: reachability trees $RT(Z, C_0)$ and $RT(B, C_{B0})$, marking $M_d$, time $\tau_d$
Output: a Boolean variable $Exist$

$Exist \leftarrow$ False; $ZS \leftarrow \emptyset$; $BS \leftarrow \emptyset$;
$M_d^Z \leftarrow M_d|_{P - \{r_i, r_o\}}$; $M_d^B \leftarrow M_d|_{P_B - \{i, o\}}$;
Traverse tree $RT(Z, C_0)$, find all states $C = (M, D, ST)$ satisfying $M|_{P - \{r_i, r_o\}} = M_d^Z$ and $LB \le \tau_d \le RB$, where $ST = [LB, RB]$, and record them in a set $ZS$.
IF $ZS \ne \emptyset$ THEN {
  Traverse tree $RT(B, C_{B0})$, find all states $C_B = (M_B, D_B, ST_B)$ satisfying $M_B|_{P_B - \{i, o\}} = M_d^B$, and record them in order in a set $BS$.
  IF $BS \ne \emptyset$ THEN {
    FOR every element $C = (M, D, ST)$ in the set $ZS$ DO {
      Compute the sequence $\sigma$ satisfying $(Z, \sigma) = C$;
      IF there is no marking in $\sigma$ enabling $t_r$ THEN {
        IF $\exists C_B \in BS$ such that $M_B = M_{B0}$ THEN $Exist \leftarrow$ True }
      ELSE IF $t_r$ cannot be enabled any more after the post-set element of $r_o$ fires for the last time during $\sigma$ THEN {
        IF $\exists C_B \in BS$ such that $M_B = M_{B0}$ THEN $Exist \leftarrow$ True }
      ELSE {
        Take the state at which $t_r$ becomes enabled for the last time during $\sigma$, $C_i = (M_i, D_i, ST_i)$, where $ST_i = [LB_i, RB_i]$;
        IF $\exists C_B \in BS$ such that $LB_i + LB_B \le \tau_d \le RB_i + RB_B$ THEN $Exist \leftarrow$ True }
    }
  }
}

    4. REACHABILITY OF REFINED TPN

    Based on behavior preservation, the reachability problem of a refined TPN can besolved by the reachability tree of its original net and module, i.e., given marking

    ACM Transactions on E mbedded Computing Systems, Vol. 12, No. 1, Article 4, Publication date: January 2013.

  • 7/30/2019 Design, Analysis and Verification of Real-Time Systems Based on Time

    12/18

    4:12 Z. Ding et al.

    Md

    and time d

    , the problem is whether there exists a reachable state of Z, C =M,D,ST

    , such that M = M

    dand LB

    d RB. To solve this problem, we

    introduce two sets ZS and BS to store useful information respectively. In detail,ZS is a set composed of some states C = M,D,ST of Z such that MP {ri, ro} =Md

    P {ri, ro}

    and LB d RB, and BS a set composed of some states C

    B

    =MB,DB,STB

    of B such that MB

    PB {i, o} = MBd . The reachability decidabilityalgorithm is given as follows:

    This algorithm is based on the behavior preservation of a refinement operation,which ensures that there is a corresponding relationship between the original andrefined nets, and also the relationship meets the same time constraint. Consequently,for the decided marking, according to a given marking arrival time, find its matchingstates in the reachability tree of Z, record them in the set ZS, in a similar way, find itsmatching states in the reachability tree ofB, record them in the set BS. Because thereis a corresponding relationship between a firing sequence of the original net and thatof refined net, the firing sequence of every state in ZS is found and discussed withthe following two cases.

    (1) Iftr cannot be enabled at all reachability states in , similar to Case 1 in Theorem1s proof, it is suggested that t TB, t cannot fire in Z. Therefore, if the initialmarking of B is in BS, then it can be ensured that marking M

    dcan be reachable

    with a given time d

    in Z.(2) If there exists a reachability state in sequence that can enable tr, then two dif-

    ferent subcases are as follows.(2.1) After post-set elements of place ro fire at the last time, tr cannot be enabled

    any more at any possible reachability state, which is similar to the third casein Theorem 1s proof, and, hence, all the firing oftr has been finished. At thistime, B is executed in Z, then enters a terminal state, and is waiting for thenext execution, that is, it corresponds to the first case;

    (2.2) Otherwise, the case is similar to Cases 2 and 4 in Theorem 1s proof. Deter-mine the beginning state oftr enabled at the last time during. According toits global arriving time interval, for its corresponding state in BS, calculate

    the global arriving time interval in Z. If the given time condition is met, thenthe decided marking is reachable at the given time.

    In the way similar to that proving Theorem 1, the correctness of the algorithm canbe proved.

    Suppose that the number of CS-classes in reachability trees of Z and B is m and nrespectively, where m, n > 1. First, at most m + n comparisons are needed to deter-mine the elements of sets ZS and BS by traversing the reachability trees of Z and Brespectively. Second, a firing sequence that leads to a CS-class C is only determined bya path from root node to node C. Clearly, it needs at most m2 iterations that finding allpaths from a root node to other nodes in the reachability tree of Z. Finally, for everyelement in ZS, we need to check all elements in BS to determine whether there existsa solution. Thus there are at most m n iterations for all checking work. Therefore,

    the worst case computational complexity of this algorithm is Omaxm2, m n.5. A CASE STUDY

    In this section, the above refinement operation method of TPN is applied to the design, modeling and analysis of a real-time manufacturing process. A component is assembled from two parts, A and B, which are required to be processed, respectively. The assembly process is carried out after both are completed. Part A must visit machine 1, then machine 2, and both machines 1 and 2 need tool 1. Part B is processed by a processing subsystem. It is first processed on machine 3. Then it has alternative routes, that is, either on machine 5 and then on machine 6, or on machine 4. Machines 3, 4, and 5 need tool 2. Moreover, parts are transferred via a conveyor.

    Fig. 7. State class reachability trees of TPNs.

    According to the above system description, we design a TPN model Z given in Figure 5(a) and a module B for Part B's processing subsystem shown in Figure 5(b). The meanings of their places and transitions are described in Table IV. Every transition is associated with a time interval as shown in Figure 2, which stands for the execution time of its corresponding process as shown in Figure 5.

    Module B conforms to the definition of a TPN module, and it is easy to verify that place ri is safe in model Z. With the refinement operation of TPN presented, tr in Z is replaced with module B, resulting in a final TPN Z as shown in Figure 6. The two state class reachability trees of TPN Z and B are respectively shown in Figure 7(a) and Figure 7(b), and the specific description of the state classes is in Table V. The markings of state classes C23 and C26 stand for terminal markings of module B, and their corresponding global time intervals meet ST23 = ST26 = SI(tr). Thus the conditions in Theorem 1 are met. Therefore, we have the result that the refinement operation Z B/tr Z satisfies behavior preservation.

    According to the reachability trees in Figure 7, we know that both Z and B are bounded. Hence, following Theorem 3, we know that Z is also bounded. Model Z represents one process in the whole system; if places p6 and p1 are connected with a transition with firing time interval [0,0], then we generate an extended net Z of net Z that represents continuous execution of the manufacturing process. It is easy to verify that Z is live, and also that the extended net B is live. Hence, following Theorem 5, the extended refined net Z is also live.

    Furthermore, based on the behavior preservation, we can decide the reachability of the refined Petri net Z. Suppose that the problem is whether there exists marking M = p4 + p8 + p14 + p16 at time 42, that is, at the time of 42, has part A been transferred to machine 2 by the conveyor and, at the same time, has part B been finished by machine 5 and is waiting for its transfer to machine 6?


    Table IV. Meanings of Places and Transitions in Figure 5

    Element  Meaning
    p1       start a process
    p2       part A on machine 1
    p3       finish processing on machine 1, and wait for transfer
    p4       part A on machine 2
    p5       finish processing on machine 2, and wait for assembly
    p6       finish a process
    p7       tool 1 available for machine 1
    p8       tool 1 available for machine 2
    p11      part B on machine 3 (Figure 3)
    p12      finish processing on machine 3, and wait for transfer
    p13      part B on machine 4 or machine 5
    p14      finish processing on machine 5, and wait for transfer
    p15      part B on machine 6
    p16      tool 2 available for machine 3
    p17      tool 2 available for machines 4 and 5
    p18      finish processing of part B, and wait for assembly (Figure 3)
    ri       part B entering the processing subsystem
    ro       finish processing subsystem, and wait for assembly
    i        start processing of part B
    o        finish processing of part B
    t1       transfer a part
    t2       process on machine 1
    t3       transfer part A by conveyor
    t4       process on machine 2
    t5       assemble part A and part B
    t11      process on machine 3
    t12      transfer part B by conveyor
    t13      process on machine 4
    t14      process on machine 5
    t15      transfer part B by conveyor
    t16      process on machine 6
    tr       process subsystem

    To solve this problem, the above reachability decidability algorithm is applied. First, Md = M|P {ri, ro} = p4 + p8, and MBd = M|PB {i, o} = p14 + p16. There are C9, C12, and C13 in the reachability tree RT(Z, C0) satisfying M9|P {ri, ro} = Md with 42 in ST9, M12|P {ri, ro} = Md with 42 in ST12, and M13|P {ri, ro} = Md with 42 in ST13. Then there is C24 in the reachability tree RT(B, C20) satisfying M24|PB {i, o} = MBd.

    For C9, = t1 t2 tr t3 is a corresponding firing sequence such that (E, ) = C9. Then it is determined that tr begins to be enabled at C1, with global time interval ST1 = [3, 5], before its firing in this sequence. Hence, the arriving time interval of C24 in Z is ST1 + ST24 = [33, 43]. It is obvious that 42 lies in ST1 + ST24. Thus there exists a firing sequence in Z that can arrive at M at time 42.
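Algorithm 1 run over the case study above, as an added example that is not code from the paper. The state classes and their ST intervals are copied from Table V; the reachability-tree edges (which transition leads from which class to which), the preset {ri} of tr and the postset {t5} of ro are not printed on this page and are reconstructed from the markings and Table IV, so they are assumptions. The query of Section 5 (M = p4 + p8 + p14 + p16 at time 42) is reproduced, together with a target that the algorithm rejects on the time check rather than on empty ZS or BS.

```python
"""Algorithm 1 (reachability of a refined TPN) over the case-study tables.

Added example, not code from the paper. State classes and their global time
intervals ST come from Table V. The tree edges, the preset {ri} of tr and the
postset {t5} of ro are not on the page and are reconstructed from the markings
and Table IV (an assumption). Every place in Table V holds at most one token,
so a marking is represented as a set of place names.
"""
from typing import Dict, FrozenSet, List, Tuple

Class = Tuple[FrozenSet[str], Tuple[int, int]]   # (marking, ST = [LB, RB])
Edges = Dict[str, Tuple[str, str]]               # child -> (parent, fired transition)


def _sc(places: str, lb: int, rb: int) -> Class:
    return frozenset(places.split()), (lb, rb)


# Table V: state classes of the original net Z (C0..C18) and of module B (C20..C26).
Z_CLASSES: Dict[str, Class] = {
    "C0": _sc("p1 p7", 0, 0),       "C1": _sc("p2 p7 ri", 3, 5),
    "C2": _sc("p2 p7 ro", 40, 45),  "C3": _sc("p3 p8 ro", 40, 45),
    "C4": _sc("p4 p8 ro", 43, 48),  "C5": _sc("p5 p7 ro", 55, 68),
    "C6": _sc("p6 p7", 67, 83),     "C7": _sc("p3 p8 ri", 33, 45),
    "C8": _sc("p3 p8 ro", 40, 45),  "C9": _sc("p4 p8 ro", 40, 48),
    "C10": _sc("p5 p7 ro", 52, 68), "C11": _sc("p6 p7", 64, 83),
    "C12": _sc("p4 p8 ri", 36, 48), "C13": _sc("p4 p8 ro", 40, 51),
    "C14": _sc("p5 p7 ro", 48, 68), "C15": _sc("p6 p7", 60, 83),
    "C16": _sc("p5 p7 ri", 48, 51), "C17": _sc("p5 p7 ro", 48, 51),
    "C18": _sc("p6 p7", 60, 71),
}
B_CLASSES: Dict[str, Class] = {
    "C20": _sc("i p16", 0, 0),      "C21": _sc("p12 p17", 16, 17),
    "C22": _sc("p13 p17", 19, 20),  "C23": _sc("o p16", 37, 46),
    "C24": _sc("p14 p16", 30, 38),  "C25": _sc("p15 p16", 33, 41),
    "C26": _sc("o p16", 37, 46),
}
# Reconstructed edges of RT(Z, C0) (assumption, see docstring).
Z_EDGES: Edges = {
    "C1": ("C0", "t1"), "C2": ("C1", "tr"), "C7": ("C1", "t2"), "C3": ("C2", "t2"),
    "C4": ("C3", "t3"), "C5": ("C4", "t4"), "C6": ("C5", "t5"), "C8": ("C7", "tr"),
    "C12": ("C7", "t3"), "C9": ("C8", "t3"), "C10": ("C9", "t4"), "C11": ("C10", "t5"),
    "C13": ("C12", "tr"), "C16": ("C12", "t4"), "C14": ("C13", "t4"),
    "C15": ("C14", "t5"), "C17": ("C16", "tr"), "C18": ("C17", "t5"),
}
Z_PLACES = frozenset(f"p{k}" for k in range(1, 9))    # P minus {ri, ro}
B_PLACES = frozenset(f"p{k}" for k in range(11, 19))  # PB minus {i, o}
TR_PRESET, RO_POSTSET = "ri", {"t5"}                    # assumed structure of Z
B_INITIAL = B_CLASSES["C20"][0]                         # MB0


def path_to(edges: Edges, node: str) -> Tuple[List[str], List[str]]:
    """Classes and fired transitions along the unique tree path root -> node."""
    classes, seq = [node], []
    while node in edges:
        node, t = edges[node]
        classes.append(node)
        seq.append(t)
    return classes[::-1], seq[::-1]


def candidate_sets(target: str, d: int) -> Tuple[List[str], List[str]]:
    """ZS and BS of Algorithm 1; target is the refined-net marking as place names."""
    md = frozenset(target.split())
    zs = [c for c, (m, (lb, rb)) in Z_CLASSES.items()
          if m & Z_PLACES == md & Z_PLACES and lb <= d <= rb]
    bs = [c for c, (m, _) in B_CLASSES.items() if m & B_PLACES == md & B_PLACES]
    return zs, bs


def reachable(target: str, d: int) -> bool:
    """Decide whether the refined net can reach target at global time d (Algorithm 1)."""
    zs, bs = candidate_sets(target, d)
    b_idle_in_bs = any(B_CLASSES[c][0] == B_INITIAL for c in bs)
    for c in zs:
        classes, seq = path_to(Z_EDGES, c)
        enabled = [TR_PRESET in Z_CLASSES[k][0] for k in classes]  # tr enabled here?
        last_out = max((k for k, t in enumerate(seq) if t in RO_POSTSET), default=-1)
        if not any(enabled) or (last_out >= 0 and not any(enabled[last_out + 1:])):
            if b_idle_in_bs:        # tr never ran or has fully completed: B sits in MB0
                return True
            continue
        # Class where tr became enabled for the last time; its ST plus the ST of a
        # module class gives the global arrival interval in the refined net.
        start = max(k for k in range(len(classes)) if enabled[k] and not (k and enabled[k - 1]))
        lb_i, rb_i = Z_CLASSES[classes[start]][1]
        if any(lb_i + lb <= d <= rb_i + rb for _, (lb, rb) in map(B_CLASSES.get, bs)):
            return True
    return False
```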

    6. CONCLUSIONS

    By replacing a transition or place in an original net with a subnet, the refinement operation of Petri nets implements the process of stepwise refinement of a Petri net model, which well supports a top-down design method. Based on the idea of divide and conquer, the property preservation of a refinement operation is helpful for decreasing analysis complexity and alleviating the state explosion problem. This article mainly presents the following work.

    (1) It defines a type of refinement operation for time Petri nets. This simply structured model can well support refinement design and modeling of real-time systems, such as workflow [Li et al. 2003, 2004; van der Aalst 2000], command and control systems [Wang et al. 2000], embedded systems [Cho et al. 2010; Hu et al. 2009] and manufacturing systems [Fanti and Zhou 2004; Hu and Li 2009b; Jeng et al. 2004; Lee et al. 2007; Zhou et al. 1992, 1993].


    Table V. The Description of State Classes

    C0 = M0, D0, ST0: M0 = p1 + p7, D0 = {D0(t1) = [3, 5]}, ST0 = [0, 0]
    C1 = M1, D1, ST1: M1 = p2 + p7 + ri, D1 = {D1(t2) = [33, 45], D1(tr) = [40, 51]}, ST1 = [3, 5]
    C2 = M2, D2, ST2: M2 = p2 + p7 + ro, D2 = {D2(t2) = [40, 45]}, ST2 = [40, 45]
    C3 = M3, D3, ST3: M3 = p3 + p8 + ro, D3 = {D3(t3) = [43, 48]}, ST3 = [40, 45]
    C4 = M4, D4, ST4: M4 = p4 + p8 + ro, D4 = {D4(t4) = [55, 68]}, ST4 = [43, 48]
    C5 = M5, D5, ST5: M5 = p5 + p7 + ro, D5 = {D5(t5) = [67, 83]}, ST5 = [55, 68]
    C6 = M6, D6, ST6: M6 = p6 + p7, D6 = { }, ST6 = [67, 83]
    C7 = M7, D7, ST7: M7 = p3 + p8 + ri, D7 = {D7(t3) = [36, 48], D7(tr) = [40, 51]}, ST7 = [33, 45]
    C8 = M8, D8, ST8: M8 = p3 + p8 + ro, D8 = {D8(t3) = [40, 48]}, ST8 = [40, 45]
    C9 = M9, D9, ST9: M9 = p4 + p8 + ro, D9 = {D9(t3) = [52, 68]}, ST9 = [40, 48]
    C10 = M10, D10, ST10: M10 = p5 + p7 + ro, D10 = {D10(t5) = [64, 83]}, ST10 = [52, 68]
    C11 = M11, D11, ST11: M11 = p6 + p7, D11 = { }, ST11 = [64, 83]
    C12 = M12, D12, ST12: M12 = p4 + p8 + ri, D12 = {D12(t4) = [48, 68], D12(tr) = [40, 51]}, ST12 = [36, 48]
    C13 = M13, D13, ST13: M13 = p4 + p8 + ro, D13 = {D13(t4) = [48, 68]}, ST13 = [40, 51]
    C14 = M14, D14, ST14: M14 = p5 + p7 + ro, D14 = {D14(t5) = [60, 83]}, ST14 = [48, 68]
    C15 = M15, D15, ST15: M15 = p6 + p7, D15 = { }, ST15 = [60, 83]
    C16 = M16, D16, ST16: M16 = p5 + p7 + ri, D16 = {D16(tr) = [48, 51]}, ST16 = [48, 51]
    C17 = M17, D17, ST17: M17 = p5 + p7 + ro, D17 = {D17(t5) = [60, 71]}, ST17 = [48, 51]
    C18 = M18, D18, ST18: M18 = p6 + p7, D18 = { }, ST18 = [60, 71]
    C20 = M20, D20, ST20: M20 = i + p16, D20 = {D20(t11) = [16, 17]}, ST20 = [0, 0]
    C21 = M21, D21, ST21: M21 = p12 + p17, D21 = {D21(t12) = [19, 20]}, ST21 = [16, 17]
    C22 = M22, D22, ST22: M22 = p13 + p17, D22 = {D22(t13) = [37, 46], D22(t14) = [30, 38]}, ST22 = [19, 20]
    C23 = M23, D23, ST23: M23 = o + p16, D23 = { }, ST23 = [37, 46]
    C24 = M24, D24, ST24: M24 = p14 + p16, D24 = {D24(t15) = [33, 41]}, ST24 = [30, 38]
    C25 = M25, D25, ST25: M25 = p15 + p16, D25 = {D25(t16) = [37, 46]}, ST25 = [33, 41]
    C26 = M26, D26, ST26: M26 = o + p16, D26 = { }, ST26 = [37, 46]

    (2) It investigates behavior and property preservation of the refinement operation, and establishes the corresponding preservation conditions, which provide theoretical support for system behavior analysis and property verification.

    (3) It develops a reachability decidability algorithm. By this algorithm, the reachability of a refined TPN can be decided according to the reachability trees of the original net and modules. It is unnecessary to generate the whole reachability tree of the refined TPN. Therefore, by this method, the burden of the state space explosion problem can be effectively reduced. This is very helpful for state identification and model checking of complex systems.

    Additional properties, such as reversibility and fairness, to support the qualitative analysis of complex systems need to be discussed. Moreover, based on the refinement operation, quantitative analysis of complex systems, such as turnaround time and throughput, is another research direction. The safeness of the input place of the refined transition can be a major limitation in some real-time systems. The extension to more general cases requires additional work.


    APPENDIX A

    PROOF OF THEOREM 1. To prove L(Z)|U = L(Z)|U, we need to prove that L(Z)|U L(Z)|U and L(Z)|U L(Z)|U.

    We first prove that L(Z)|U L(Z)|U. For 1 L(Z)|U, let L(Z), where |U = 1. We break our proof into four cases.

    Case 1. For M R(Z, ), M(pi) = 0 holds, that is, place pi receives no token during the execution of sequence . According to the definition of module B, it is obvious that for every t in TB, t cannot be enabled at the reachability states during sequence . Therefore, 1 = holds, and according to the definition of the refinement operation, L(Z) holds. Similarly, transition tr cannot fire during sequence because it cannot be enabled, so |U = holds, that is, L(Z)|U; consequently, 1 L(Z)|U holds.

    Case 2. There exists only one marking M1 R(Z, ) such that M1(pi) = 1, and for M R(Z, ), M(po) = 0 holds, namely, during sequence place pi received a token, but place po receives no token. Let = 11 12, where 11 is the shortest prefix of satisfying (Z, 11) = C11 = M11, D11, ST11, and M11(pi) = 1. According to Case 1, 11 L(Z)|U holds. Obviously, 12 is composed of transitions in B and Z, and according to the definition of the refinement operation, we know that transitions in B and transitions in Z execute concurrently during 12; therefore 11 12|U L(Z) holds, that is, 1 = 11 12|U L(Z)|U holds. So 1 L(Z)|U holds.

    Case 3. There exist only markings M1 R(Z, ) and M2 R(Z, ) such that M1(pi) = 1 (M2(po) = 1), that is, both places pi and po received tokens during the execution of sequence . Let = 11 12 13, where 11 is the shortest prefix of satisfying (Z, 11) = C11 = M11, D11, ST11, and M11(pi) = 1; 11 12 is also the shortest prefix of satisfying (Z, 12) = C12 = M12, D12, ST12, and M12(po) = 1. Similarly to Case 2, 11 12|U L(Z) holds. Suppose that 11 = (Z, 11), 12 = (Z, 12), and (B, 12|TB) = CB = Mf, DB, STB; then LBB 12 11 RBB holds, where STB = LBB, RBB. According to the condition given in Theorem 1, we have LBB = SEFT(tr). Therefore tr can fire at time 12 in the original net Z, namely, 11 12|U tr L(Z) holds. Moreover, in the same way, 13 also can fire at state (E, 11 12|U tr). Consequently, 11 12|U tr 13 L(Z) holds, that is, 11 12|U 13 = 1 L(Z)|U holds.

    Case 4. General case. Suppose that during sequence , pi received k1 tokens, while place po received k2 tokens. From the definition of module, we know that k1 = k2 or k1 = k2 + 1. For the above three cases, k1 = k2 = 0; k1 = 1, k2 = 0; and k1 = k2 = 1 hold respectively. Since the firing of TPN transitions is only related to a local time, by repeating the proofs of Case 2 and Case 3 we reach the conclusion that for 1 L(Z)|U, 1 L(Z)|U holds.

    Next, we prove L(Z)|U L(Z)|U. For 1 L(Z)|U, let L(Z), where |U = 1. We break our proof into four cases.

    Case 1. For M R(Z, ), M(ri) = 0 holds, that is, place ri receives no token during the execution of sequence . Obviously, there is no transition tr in , thus = 1.


    And according to the definition of the refinement operation, we know that L(Z). Therefore, 1 L(Z)|U holds.

    Case 2. There exists only one marking M1 R(Z, ) such that M1(ri) = 1, and for M R(Z, ), M(ro) = 0 holds, that is, during sequence place ri received a token, but place ro receives no token. It is obvious that there is no transition tr in sequence ; otherwise, firing tr would necessarily result in a token in ro. In the same way as Case 1, 1 L(Z)|U holds.

    Case 3. There exist only markings M1 R(Z, ) and M2 R(Z, ) such that M1(ri) = 1 and M2(ro) = 1 respectively, that is, both place ri and place ro received tokens during the execution of sequence . Let = 11 12 13, where 11 is the shortest prefix of satisfying (Z, 11) = C11 = M11, D11, ST11, M11(ri) = 1, and 11 12 is also the shortest prefix of satisfying (Z, 12) = C12 = M12, D12, ST12, M12(ro) = 1. Similarly to Case 2, 11 L(Z) holds. Moreover, we know that there exists a sequence 11 1 L(Z) satisfying 1|U = 121 and 1|TB = B, where (B, B) = CB = Mf, DB, STB. Suppose that 12 = 121 tr, (Z, 11) = 11 and (Z, 12) = 12. Since place pi received a token at time 11 during sequence 11 in net Z, according to the definition of the module, there must be a transition ti in the post-set of pi that can fire, due to SEFT(ti) SEFT(tr). Because the firing of sequence 121 has no effect on the execution of the module in Z, after firing ti there must exist tj TB that can fire. Following this way, we can generate the execution sequence B of the module. According to the condition in Theorem 1, STB = SI(tr), we can suppose that (Z, 11 1) = 12. Therefore, 13 also can fire at state (Z, 11 1), and 11 1 13 L(Z) holds, that is, 11 1 13|U = 1 L(Z)|U holds.

    Case 4. General case. Suppose that during sequence , place ri received k1 tokens and ro received k2 tokens. Then, by repeating the proofs of Case 2 and Case 3, Case 4 can be proved.

    To sum up, L(Z)|U = L(Z)|U holds.

    REFERENCES

    Berthomieu, B. and Diaz, M. 1991. Modeling and verification of time dependent systems using time Petri nets. IEEE Trans. Softw. Engin. 17, 259–273.

    Berthomieu, B., Lime, D., Roux, O. H., and Vernadat, F. 2007. Reachability problems and abstract state spaces for time Petri nets with stopwatches. J. Discrete Event Dyn. Syst. Theory Appl. 17, 133–158.

    Cho, H., Ravindran, B., and Jensen, E. D. 2010. Lock-free synchronization for dynamic embedded real-time systems. ACM Trans. Embed. Comput. Syst. 9, 1–28.

    Ding, Z. J., Jiang, C. J., Zhou, M. C., and Zhang, Y. Y. 2008. Preserving languages and properties in stepwise refinement-based synthesis of Petri nets. IEEE Trans. Syst. Man Cybern. Part A 38, 791–801.

    Ding, Z. J., Zhang, Y. Y., Jiang, C. J., and Zhang, Z. H. 2007. Refinement of Petri nets in workflow integration. In Proceedings of the 10th International Conference on Computer Supported Cooperative Work in Design, Lecture Notes in Computer Science, vol. 4402, 667–678.

    Fanti, M. P. and Zhou, M. C. 2004. Deadlock control methods in automated manufacturing systems. IEEE Trans. Syst. Man Cybern. Part A 34, 5–22.

    Felder, M., Gargantini, A., and Morzenti, A. 1998. A theory of implementation and refinement in timed Petri nets. Theor. Comput. Sci. 202, 127–161.

    Girault, C. and Valk, R. 2003. Petri Nets for Systems Engineering: A Guide to Modeling, Verification, and Applications. Springer.

    Gurovic, D., Fengler, W., and Nutzel, J. 2000. Development of real-time system specifications through the refinement of duration interval Petri nets. In Proceedings of the IEEE International Conference on Systems, Man, and Cybernetics. 3093–3098.


    Hruz, B. and Zhou, M. C. 2007. Modeling and Control of Discrete Event Dynamic Systems. Springer.

    Hu, H. S. and Li, Z. W. 2009a. Modeling and scheduling for manufacturing grid workflows using timed Petri nets. Int. J. Adv. Manuf. Technol. 42, 553–568.

    Hu, H. S. and Li, Z. W. 2009b. Clarification on the computation of liveness-enforcing supervisor for resource allocation systems with uncontrollable behavior and forbidden states. IEEE Trans. Autom. Sci. Eng. 6, 557–558.

    Hu, H. S., Zhou, M. C., and Li, Z. W. 2009. Liveness enforcing supervision of video streaming systems using non-sequential Petri nets. IEEE Trans. Multimedia 11, 1457–1465.

    Huang, H. J., Cheung, T. Y., and Mak, W. M. 2004. Structure and behavior preservation by Petri-net-based refinements in system design. Theor. Comput. Sci. 328, 245–269.

    Jeng, M. D., Xie, X. L., and Chung, S. L. 2004. ERCN* merged nets for modeling degraded behavior and parallel processes in semiconductor manufacturing systems. IEEE Trans. Syst. Man Cybern. Part A 34, 102–112.

    Jiang, C. J., Wang, H. Q., and Liao, S. Y. 2002. Behavior relativity of Petri nets. J. Comput. Sci. Techn. 17, 770–780.

    Lee, J. S., Zhou, M. C., and Hsu, P. L. 2007. A Petri-net approach to modular supervision with conflict resolution for semiconductor manufacturing systems. IEEE Trans. Autom. Sci. Eng. 4, 584–588.

    Li, J., Fan, Y. S., and Zhou, M. C. 2003. Timing constraint workflow nets for workflow analysis. IEEE Trans. Syst. Man Cybern. Part A 33, 179–193.

    Li, J., Fan, Y. S., and Zhou, M. C. 2004. Performance modeling and analysis of workflow. IEEE Trans. Syst. Man Cybern. Part A 34, 229–242.

    Li, Z. W. and Zhou, M. C. 2009. Deadlock Resolution in Automated Manufacturing Systems: A Novel Petri Net Approach. Springer.

    Liu, T., Lin, C., and Liu, W. D. 2002. Linear temporal inference of workflow management system based on timed Petri net models. Acta Electronica Sinica 30, 245–248. (in Chinese)

    Merlin, P. and Farber, D. 1976. Recoverability of communication protocols: Implication of a theoretical study. IEEE Trans. Commun. 24, 1036–1043.

    Molloy, M. K. 1982. Performance analysis using stochastic Petri nets. IEEE Trans. Comput. 31, 913–917.

    Murata, T. 1989. Petri nets: Properties, analysis and applications. Proc. IEEE, 541–580.

    Suzuki, I. and Murata, T. 1983. A method for stepwise refinement and abstraction of Petri nets. J. Comput. Syst. Sci. 27, 51–76.

    Tang, D. and Liu, D. N. 2006. Method of reachability analysis in HTPN based workflow model. Comput. Integr. Manuf. Syst. 12, 487–493. (in Chinese)

    Valette, R. 1979. Analysis of Petri nets by stepwise refinements. J. Comput. Syst. Sci. 18, 35–46.

    van der Aalst, W. M. P. 2000. Workflow verification: Finding control-flow errors using Petri-net-based techniques. In Proceedings of the International Workshop on Types for Proofs and Programs. Lecture Notes in Computer Science 806, 161–183.

    Wang, J. C., Deng, Y., and Xu, G. 2000a. Reachability analysis of real-time systems using time Petri nets. IEEE Trans. Syst. Man Cybern. Part B 30, 725–736.

    Wang, J. C., Deng, Y., and Zhou, M. C. 2000b. Compositional time Petri nets and reduction rules. IEEE Trans. Syst. Man Cybern. Part B 30, 562–572.

    Zhou, M. C. and Venkatesh, K. 1998. Modeling, Simulation and Control of Flexible Manufacturing Systems: A Petri Net Approach. World Scientific, Singapore.

    Zhou, M. C., DiCesare, F., and Desrochers, A. 1992. A hybrid methodology for synthesis of Petri nets for manufacturing systems. IEEE Trans. Rob. Autom. 8, 350–361.

    Zhou, M. C., McDermott, K., and Patel, P. A. 1993. Petri net synthesis and analysis of a flexible manufacturing system cell. IEEE Trans. Syst. Man Cybern. 23, 523–531.

    Zuberek, W. M. 1991. Timed Petri nets: Definitions, properties, and applications. Microelectron. Reliab. 31, 627–644.

    Received March 2010; accepted July 2010
