_
Q
+
_
is a time interval function defined on transition sets, that is, for $t \in T$,
$SI(t) = [SEFT(t), SLFT(t)]$, in which $Q^+$ is a set of positive rational numbers.
The state of a TPN is represented as a pair S = (M, I), where M is a marking, and
I is a firing interval set of enabled transitions at state S, which is related with the
arriving time value of state S. Because every state in a TPN is closely related with
its arrival time, a reachable marking, reached from the initial marking, may have
different arrival times corresponding to the same firing sequence. That is, the state
space may be infinite. To solve this problem, Berthomieu and Diaz [1991] present a
state class method, in which a state class of TPN is defined as C = (M, D), where
M is a marking, and all states in a class have the same marking; D is a firing time
interval set of all enabled transitions at the state class C, which is not related with
the arriving time of a specific state, but related with relative firing time interval of
state class C. It has been proven that for a bounded TPN the number of reachability
state classes is finite. Therefore, a state class method can effectively solve the problem
of the infinite number of states. However, state class is only associated with relative
time interval, and time span between reachability states cannot be obtained, which
results in the inconvenience of timeliness analysis or verification of modeled systems.
Consequently, based on a state class, Wang et al. [2000a] define a clock-stamped state
class introducing a global time to represent global arriving time interval of the state
class. In addition, the following interval arithmetic will be used later: Let
$I_1 = [a_1, b_1]$ and $I_2 = [a_2, b_2]$, with $0 \le a_i \le b_i \le +\infty$, $i = 1, 2$.
Then we define $I_1 + I_2$ to be the interval $[a_1 + a_2, b_1 + b_2]$
and I
1
+ I
2
to be
_
a
1
a
2
, b
1
b
2
[t >. A
place $p \in P$ is said to be bounded or K-bounded iff $M(p) \le K$ for all $M \in R(Z)$, where K
is a positive integer. Z is said to be bounded iff every place in it is bounded. A place is
said to be safe iff it is 1-bounded. Z is said to be safe iff every place is 1-bounded. It is
noted that the liveness and boundedness of a TPN cannot be equivalent to its untimed
counterpart [Berthomieu and Diaz 1991].
Let $X \subseteq P \cup T$ be a node subset of Z; Z|X denotes a new time Petri net that consists
of only elements in X and related arcs, which is a subgraph of Z. Z X is defined as
Z
= ;
(2) M
0
(i) = 1, M
0
(o) = 0, and t / i
, M
0
[t > holds;
(3) L(Z), where (Z, ) = C
f
=
_
M
f
, D
f
, ST
f
_
, satisfying that M
f
(o) = 1, M
f
(i) = 0,
and M
f
(p) = M
0
(p) for p P {i, o}, and t T, M
f
[t >. M
f
is called a terminal
marking. Moreover,
L(Z) and
= , where
_
Z,
_
= C
=
_
M
, D
, ST
_
, if
M
(o) 1, then M
= M
f
.
(4) There are no dead transitions in Z, i.e., $\forall t \in T$, there exists a CS-class $C_i$ reached
from initial CS-class $C_0$ of Z such that t fires at $C_i$.
Condition (1) states that a module Z is a kind of time Petri net with a special structure,
i.e., it has one initial place i and one terminal place o. If a new transition t is added
into Z, and connects with o and i, namely,
t = {o}, and t
i
= {t
r
} =
r
o
,
|
t
r
| = |t
r
| = 1, and place r
i
is safe. Let B =
_
P
B
, T
B
; F
B
, W
B
, M
B
0
, SI
B
_
be a module, the
renement operation of net Z and module B, Z
B
/
tr
Z
, is implemented by replacing t
r
in Z with B, and generating a new TPN Z
=
_
P
, T
; F
, M
0
, SI
_
, where:
(1) P
= P P
B
{p
i
, p
o
} {r
i
, r
o
, i, o};
(2) T
= T T
B
{t
r
};
(3) F
= F F
B
_
{(p
i
, x) |x i
} {(x, p
o
) |x
o} {(x, p
i
) |x
r
i
}
{(p
o
, x) |x r
o
}
_
___
r
i
, t
r
_
, (t
r
, r
o)
_
{(x, r
i
) |x
r
i
} {(r
o
, x) |x r
o
}
{(i, x) |x i
} {(x, o) |x
o}
_
;
(4) M
0
(p) =
M
0
_
r
i
_
, p = p
i
M
0
(r
o) , p = p
o
M
0
(p) , p P {r
i
, r
o
}
M
B
0
(p) , p P
B
{i, o}
;
(5) (5) SI
= SI SI
B
{SI (t
r)}.
Net Z
=
_
P
, T
; F
, M
0
, SI
_
is a rened TPN by replacing transition t
r
in Z with module B. Let
ACM Transactions on Embedded Computing Systems, Vol. 12, No. 1, Article 4, Publication date: January 2013.
Design, Analysis and Verification of Real-Time Systems Based on Time Petri Net Refinement 4:7
Table I. The Description of State Class of $Z_2$
1: $C_{20} = (M_{20}, D_{20}, ST_{20})$: $M_{20} = p_1$, $D_{20} = \{D_{20}(t_1) = [3, 3]\}$, $ST_{20} = [0, 0]$
2: $C_{21} = (M_{21}, D_{21}, ST_{21})$: $M_{21} = p_2 + p_4$, $D_{21} = \{D_{21}(t_r) = [4, 9], D_{21}(t_3) = [6, 7]\}$, $ST_{21} = [3, 3]$
3: $C_{22} = (M_{22}, D_{22}, ST_{22})$: $M_{22} = p_3 + p_4$, $D_{22} = \{D_{22}(t_2) = [5, 8], D_{22}(t_3) = [6, 7]\}$, $ST_{22} = [4, 7]$
4: $C_{23} = (M_{23}, D_{23}, ST_{23})$: $M_{23} = p_2 + p_5$, $D_{23} =$ , $ST_{23} = [6, 7]$
5: $C_{24} = (M_{24}, D_{24}, ST_{24})$: $M_{24} = p_6$, $D_{24} =$ , $ST_{24} = [5, 7]$
6: $C_{25} = (M_{25}, D_{25}, ST_{25})$: $M_{25} = p_3 + p_5$, $D_{25} =$ , $ST_{25} = [6, 7]$
U = T {t
r
}, if L
_
Z
_
|U = L(Z) |U, then the renement operation E
B
/
tr
E
satises
behavior preservation.
THEOREM 1. For any transition ring sequence
B
L(B)such that M
B
= M
f
, where
_
B,
B
_
= C
B
=
_
M
B
, D
B
, ST
B
_
, if ST
B
= SI (t
r), then the renement operation satis-
es behavior preservation.
PROOF. See Appendix A.
It is suggested in Theorem 1 that for any transition firing sequence that leads to a
terminal marking in module B, if its global execution time is equal to the firing time
interval of refined transition $t_r$ in the original net Z, then the refined TPN Z generated
by replacing $t_r$ with B keeps the same behavioral characteristic as that of the original
net. This characteristic is very important for real-time system synthesis, modeling,
and analysis, because a system synthesis process first should meet system behavior
consistency with time constraints, then its property preservation is required [Ding
et al. 2008; Jiang et al. 2002]. We will discuss the property preservation in next section.
Example 1. $Z_2$ is an original net system shown in Figure 3(a), $t_r$ is a refinement
transition, modules $B_1$ and $B_2$ are given in Figure 3(b) and Figure 3(c), respectively.
For $B_1$ and $B_2$, their global time intervals are easily computed and equal to [0, 2]
and [1, 6], respectively. Let $Z_2^{B_1}$ ($Z_2^{B_2}$) be a refined TPN by replacing $t_r$ in $Z_2$
with $B_1$ ($B_2$), the refinement operation of $Z_2 \; B_1/t_r \; Z_2^{B_1}$ ($Z_2 \; B_2/t_r \; Z_2^{B_2}$)
cannot (can) satisfy the conditions of Theorem 1.
Three state class reachability trees of TPN $Z_2$, $Z_2^{B_1}$, and $Z_2^{B_2}$ are shown in Figure
4(a)-(c), and the description of their state classes is listed in Tables 1-3. Clearly,
21
=
t
1
t
3
is a transition ring sequence of Z
2
, i.e.,
21
L(Z
2
). However, any transition
ring sequences
B
1
2
in Z
B
1
2
cannot satisfy
B
1
2
_
T
2
{t
r
}
_
=
21
because t
3
is never
rable. Moreover, it is proved easily that L
_
Z
B
2
2
_
_
T
2
{t
r
}
_
= L(Z
2
)
_
T
2
{t
r
}
_
.
3.2. Property Preservation
For a refinement operation, if the above criterion of behavior preservation is met, then
the following theorem should also hold.
THEOREM 2. If Z
is K
-bounded, so is Z.
PROOF. For L(Z), according to behavior preservation, there exists
U L
_
Z
_
|U, that is
L
_
Z
_
,
(p) K
_
=
_
M
, D
, ST
_
.
Furthermore, according to Denition 5, we know M
_
r
i
_
1 and M(r
o) 1. Therefore,
p P, M(p) K
-bounded.
4:8 Z. Ding et al.
Fig. 3. TPN model.
Fig. 4. State class reachability trees of TPNs $Z_2$, $Z_2^{B_1}$ and $Z_2^{B_2}$.
THEOREM 3. If Z and B are bounded, so is Z
.
PROOF. Let original net Z and module B be K-bounded and K
B
-bounded respec-
tively, and then the extended net B of module B is also K
B
-bounded.
L
_
Z
_
,
according to behavior preservation, we know
_
=
_
M
, D
, ST
_
, and (Z, ) =
_
M, D, ST
_
.
Then p P {r
i
, r
o
}, M
B
L
_
B
_
, where
_
B,
B
_
=
_
M
B
, D
B
, ST
B
_
, such that M
(p) = M
B
(p), where
p P
B
{i, o}. It is obvious that M
_
p
i
_
M
B
(i) K
B
, and M
(p
o) M
B
(o) K
B
.
Therefore, p P
, M
(p) max
_
K, K
B
_
holds, and thus Z
is bounded.
THEOREM 4. If Z
is live, so is Z.
PROOF. Let L(Z), follow the behavior preservation,
U L
_
Z
_
|U holds, i.e.,
L
_
Z
_
, such that
|U = |U. Since Z
1
composed of elements in T
1
t L
_
Z
_
holds. Moreover, from behavior preserva-
tion, we know that
_
1
t
_
|U L(Z) |U holds. According to the proof of Theorem
1, we know that there exists a sequence
1
composed of elements in T, satisfying
1
|U =
1
|U, and
1
t L(Z). Therefore, Z is live.
Table II. The Description of State Class of $Z_2^{B_1}$
1: $C^{B_1}_{20} = (M^{B_1}_{20}, D^{B_1}_{20}, ST^{B_1}_{20})$: $M^{B_1}_{20} = p_1$, $D^{B_1}_{20} = \{D^{B_1}_{20}(t_1) = [3, 3]\}$, $ST^{B_1}_{20} = [0, 0]$
2: $C^{B_1}_{21} = (M^{B_1}_{21}, D^{B_1}_{21}, ST^{B_1}_{21})$: $M^{B_1}_{21} = p_{11} + p_4$, $D^{B_1}_{21} = \{D^{B_1}_{21}(t_{11}) = [3, 4], D^{B_1}_{21}(t_3) = [6, 7]\}$, $ST^{B_1}_{21} = [3, 3]$
3: $C^{B_1}_{22} = (M^{B_1}_{22}, D^{B_1}_{22}, ST^{B_1}_{22})$: $M^{B_1}_{22} = p_{12} + p_4$, $D^{B_1}_{22} = \{D^{B_1}_{22}(t_{12}) = [3, 4], D^{B_1}_{22}(t_3) = [6, 7]\}$, $ST^{B_1}_{22} = [3, 4]$
4: $C^{B_1}_{23} = (M^{B_1}_{23}, D^{B_1}_{23}, ST^{B_1}_{23})$: $M^{B_1}_{23} = p_{13} + p_4$, $D^{B_1}_{23} = \{D^{B_1}_{23}(t_2) = [4, 5], D^{B_1}_{23}(t_3) = [6, 7]\}$, $ST^{B_1}_{23} = [3, 4]$
5: $C^{B_1}_{24} = (M^{B_1}_{24}, D^{B_1}_{24}, ST^{B_1}_{24})$: $M^{B_1}_{24} = p_6$, $D^{B_1}_{24} =$ , $ST^{B_1}_{24} = [4, 5]$
Table III. The Description of State Class of $Z_2^{B_2}$
1: $C^{B_2}_{20} = (M^{B_2}_{20}, D^{B_2}_{20}, ST^{B_2}_{20})$: $M^{B_2}_{20} = p_1$, $D^{B_1}_{20} = \{D^{B_1}_{20}(t_1) = [3, 3]\}$, $ST^{B_2}_{20} = [0, 0]$
2: $C^{B_2}_{21} = (M^{B_2}_{21}, D^{B_2}_{21}, ST^{B_2}_{21})$: $M^{B_2}_{21} = p_{11} + p_4$, $D^{B_2}_{21} = \{D^{B_2}_{21}(t_{11}) = [3, 4], D^{B_2}_{21}(t_3) = [6, 7]\}$, $ST^{B_1}_{21} = [3, 3]$
3: $C^{B_2}_{22} = (M^{B_2}_{22}, D^{B_2}_{22}, ST^{B_2}_{22})$: $M^{B_2}_{22} = p_{12} + p_4$, $D^{B_2}_{22} = \{D^{B_2}_{22}(t_{12}) = [4, 9], D^{B_2}_{22}(t_3) = [6, 7]\}$, $ST^{B_2}_{22} = [3, 4]$
4: $C^{B_2}_{23} = (M^{B_2}_{23}, D^{B_2}_{23}, ST^{B_2}_{23})$: $M^{B_2}_{23} = p_{13} + p_4$, $D^{B_2}_{23} = \{D^{B_2}_{23}(t_2) = [5, 8], D^{B_2}_{23}(t_3) = [6, 7]\}$, $ST^{B_2}_{23} = [4, 7]$
5: $C^{B_2}_{24} = (M^{B_2}_{24}, D^{B_2}_{24}, ST^{B_2}_{24})$: $M^{B_2}_{24} = p_{12} + p_5$, $D^{B_2}_{24} =$ , $ST^{B_2}_{24} = [6, 7]$
6: $C^{B_2}_{25} = (M^{B_2}_{25}, D^{B_2}_{25}, ST^{B_2}_{25})$: $M^{B_2}_{25} = p_6$, $D^{B_2}_{25} =$ , $ST^{B_2}_{23} = [5, 7]$
7: $C^{B_2}_{26} = (M^{B_2}_{26}, D^{B_2}_{26}, ST^{B_2}_{26})$: $M^{B_2}_{26} = p_{13} + p_5$, $D^{B_2}_{26} =$ , $ST^{B_2}_{26} = [6, 7]$
THEOREM 5. If Z and B are live, so is Z
.
PROOF. Let
L
_
Z
_
, and
_
Z
_
=
_
M
, D
, ST
_
. According to behavior preser-
vation,
|U. t T
, two cases
t T {t
r
}, and t T
B
are considered.
Case 1. If t T {t
r
}, since Z is live, there exists a sequence
1
composed of ele-
ments in T, such that
1
t L(Z). If
1
does not include t
r
, then
1
t L
_
Z
_
holds. Otherwise, suppose that
1
=
1
t
r
2
t
r
t
r
n1
t
r
n
, where sequence
i
is com-
posed of elements in T {t
r
}. Following the proof of Theorem 1, the ith occurrence of
t
r
can be simulated by sequence
B
i
, where
B
1
t
B
0
B
2
t
B
0
t
B
0
B
n
L
_
B
_
and t
B
0
is an ad-
ditional transition in
B. Thus we can construct a corresponding sequence
1
composed
of elements in T
, such that
1
|U =
1
|U and
1
t L
_
Z
_
. Therefore, t is live
in Z
.
Case 2. If t T
B
, according to the proof of Theorem 1, we know that
B
L
_
B
_
,
_
B,
B
_
=
_
M
B
, D
B
, ST
B
_
, such that p P
B
{i, o}, M
(p) = M
B
(p) holds. (1) if M
B
=
M
B
0
, i.e., B is in the state of the initial marking, then from the liveness of Z, we know
that there exists a sequence
1
composed of elements in T, such that
1
L
_
Z
_
and M
1
(p) = M
B
(p) for p P
B
, where
_
Z
1
_
=
_
M
1
, D
1
, ST
1
_
, i.e., M
1
_
p
i
_
= 1.
Since B is live, there exists a sequence
B
1
composed of transitions in B, such that
B
B
1
t L
_
B
_
. Suppose that there is no additional transition t
B
0
in
B
1
, then we can
Algorithm 1: A reachability decidability algorithm of rened TPN
Input: reachability tree RT
_
Z, C
0
_
and RT
_
B, C
B
0
_
, marking M
d
, time
d
Output: a Boolean variable Exist
Exist False; ZS ; BS ;
M
d
M
_
P {r
i
, r
o
}
_
; M
B
d
M
_
P
B
{i, o}
_
;
Traverse tree RT
_
Z, C
0
_
, nd all possible states C =
_
M, D, ST
_
satisfying
M
_
P {r
i
, r
o
}
_
= M
d
and LB
d
RB, and then record them into a set ZS.
IF ZS = THEN{
Traverse tree R
_
B, C
B
0
_
, nd all possible states C
B
=
_
M
B
, D
B
, ST
B
_
satisfying
M
B
_
P
B
{i, o}
_
= M
B
d
, then orderly record them into a set BS.
IF BS = THEN{
FOR every element C =
_
M, D, ST
_
in the set ZS DO{
Compute sequence satisfying (Z, ) = C;
IF there is no marking in enabling t
r
, THEN{
IF C
B
BS, such that M
B
= M
B
0
THEN Exist True;
ELSEIF t
r
cannot be enabled any more after post-set element of r
o
during
res for the last time, THEN
IF C
B
BS, such that M
B
= M
B
0
THEN Exist True;
ELSE{
Take the beginning state of t
r
enabled at the last time during ,
C
i
=
_
M
i
, D
i
, ST
i
_
, where ST
i
=
_
LB
i
, RB
i
;
IF C
B
BS, such that LB
i
+ LB
B
d
RB
i
+ RB
B
THEN
Exist True}}}}
directly get the result:
B
1
t L
_
Z
_
. If there is an additional transition t
B
0
in
B
1
,
obviously, ring of t
B
0
will result in that tokens in place o transfer into place i. Since Z is
live, for every time of transition t
B
0
appearing in
B
1
, there always exists a sequence
i
composed of elements in T to transfer token in p
o
into p
i
. In this way, a new sequence
2
is generated, such that
2
L
_
Z
_
, and t can re at
_
Z
2
_
. (2)
if M
B
= M
B
0
, that is, at this time B is not in the state of the initial marking, then
according to liveness of B, there exists a sequence
B
1
, such that
B
B
1
t L
_
B
_
.
In the same way as (1), after considering different cases of
B
1
, we conclude that there
exists
2
, such that
2
t L
_
Z
_
. Therefore, t is live in Z
.
On the ground of behavior preservation, the refinement operation of TPN can also
preserve boundedness and liveness. These results are useful for analyzing and verifying
large complex systems. By analyzing and verifying the relatively smaller models,
we can derive the properties of a complex one, thereby alleviating the state space
explosion problem and reducing the analysis complexity.
4. REACHABILITY OF REFINED TPN
Based on behavior preservation, the reachability problem of a refined TPN can be
solved by the reachability tree of its original net and module, i.e., given marking
M
d
and time
d
, the problem is whether there exists a reachable state of Z
, C =
_
M
, D
, ST
_
, such that M
= M
d
and LB
d
RB
_
P {r
i
, r
o
}
_
=
M
_
P {r
i
, r
o
}
_
and LB
d
RB, and BS a set composed of some states C
B
=
_
M
B
, D
B
, ST
B
_
of B such that M
B
_
P
B
{i, o}
_
= M
B
d
. The reachability decidability
algorithm is given as follows:
This algorithm is based on the behavior preservation of a refinement operation,
which ensures that there is a corresponding relationship between the original and
refined nets, and also the relationship meets the same time constraint. Consequently,
for the decided marking, according to a given marking arrival time, find its matching
states in the reachability tree of Z, record them in the set ZS, in a similar way, find its
matching states in the reachability tree of B, record them in the set BS. Because there
is a corresponding relationship between a firing sequence of the original net and that
of refined net, the firing sequence of every state in ZS is found and discussed with
the following two cases.
(1) If t
r
cannot be enabled at all reachability states in , similar to Case 1 in Theorem
1s proof, it is suggested that t T
B
, t cannot re in Z
d
can be reachable
with a given time
d
in Z
.
(2) If there exists a reachability state in sequence that can enable $t_r$, then two
different subcases are as follows.
(2.1) After post-set elements of place $r_o$ fire at the last time, $t_r$ cannot be enabled
any more at any possible reachability state, which is similar to the third case
in Theorem 1's proof, and, hence, all the firing of $t_r$ has been finished. At this
time, B is executed in Z as shown in Figure 6.
Two state class reachability trees of TPN Z and B are respectively shown in
Figure 7(a) and Figure 7(b), and the specific description of state classes is in Table
V. The markings of state classes $C_{23}$ and $C_{26}$ stand for terminal markings of module
B, and their corresponding global time intervals meet $ST_{23} = ST_{26} = SI(t_r)$. Thus
the conditions in Theorem 1 are met. Therefore, we have the result that refinement
operation of $Z \; B/t_r \; Z$ is also live.
Furthermore, based on the behavior preservation, we can decide the reachability
of rened Petri net Z
= p
4
+ p
8
+ p
14
+ p
16
at the time
_
P {r
i
, r
o
}
_
= p
4
+ p
8
, and M
B
= M
_
P
B
{i, o}
_
= p
14
+ p
16
. There are C
9
,
C
12
, and C
13
in the reachability tree RT
_
Z, C
0
_
satisfying M
9
_
P {r
i
, r
o
}
_
= M,
ST
9
, M
12
_
P {r
i
, r
o
}
_
= M,
ST
12
, and M
13
_
P {r
i
, r
o
}
_
= M,
ST
13
. Then
there is C
24
in the reachability tree RT
_
B, C
20
_
satisfying M
24
_
P
B
{i, o}
_
= M
B
.
For C
9
, = t
1
t
2
t
r
t
3
is a corresponding ring sequence such that (E, ) = C
9
. Then it is determined that $t_r$ begins to be enabled at $C_1$ with global time interval
$ST_1 = [3, 5]$ before its firing in . Hence, arriving time interval of $C_{24}$ in Z is
$ST_1 + ST_{24} = [33, 43]$.
It is obvious that
ST
1
+ ST
24
. Thus there exists a ring sequence in Z
that can
arrive at M
at time
.
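The timing step of this worked example, together with the Theorem 1 precondition $ST_{23} = ST_{26} = SI(t_r)$, can be replayed from the Table V rows. The sketch below is an added example, not code from the article. It assumes a safe net (markings as sets of places), uses a constructed query time of 41, takes the class at which $t_r$ became enabled ($C_1$ on the page) as a caller-supplied input, and covers only the time-window branch of the decision procedure; all function names are hypothetical.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Interval:
    lo: Fraction
    hi: Fraction

    def __add__(self, other):
        # Interval sum used on the page: [a1, b1] + [a2, b2] = [a1 + a2, b1 + b2].
        return Interval(self.lo + other.lo, self.hi + other.hi)

    def __contains__(self, t):
        return self.lo <= t <= self.hi


def iv(lo, hi):
    return Interval(Fraction(lo), Fraction(hi))


def row(places, lo, hi):
    # One Table V row: marking as the set of marked places (assumes a safe net), and ST.
    return frozenset(places.split()), iv(lo, hi)


# Original net Z: class name -> (marking, ST), transcribed row by row from Table V.
Z_CLASSES = {
    "C0": row("p1 p7", 0, 0),       "C1": row("p2 p7 ri", 3, 5),
    "C2": row("p2 p7 ro", 40, 45),  "C3": row("p3 p8 ro", 40, 45),
    "C4": row("p4 p8 ro", 43, 48),  "C5": row("p5 p7 ro", 55, 68),
    "C6": row("p6 p7", 67, 83),     "C7": row("p3 p8 ri", 33, 45),
    "C8": row("p3 p8 ro", 40, 45),  "C9": row("p4 p8 ro", 40, 48),
    "C10": row("p5 p7 ro", 52, 68), "C11": row("p6 p7", 64, 83),
    "C12": row("p4 p8 ri", 36, 48), "C13": row("p4 p8 ro", 40, 51),
    "C14": row("p5 p7 ro", 48, 68), "C15": row("p6 p7", 60, 83),
    "C16": row("p5 p7 ri", 48, 51), "C17": row("p5 p7 ro", 48, 51),
    "C18": row("p6 p7", 60, 71),
}
# Module B: rows C20..C26 of Table V.
B_CLASSES = {
    "C20": row("i p16", 0, 0),      "C21": row("p12 p17", 16, 17),
    "C22": row("p13 p17", 19, 20),  "C23": row("o p16", 37, 46),
    "C24": row("p14 p16", 30, 38),  "C25": row("p15 p16", 33, 41),
    "C26": row("o p16", 37, 46),
}
SI_TR = iv(37, 46)                    # SI(t_r), as stated on the page
HIDDEN_Z = frozenset({"ri", "ro"})    # places dropped when projecting Z markings
HIDDEN_B = frozenset({"i", "o"})      # places dropped when projecting B markings


def theorem1_condition(b_classes, si_tr):
    """True iff every class of B whose marking holds terminal place o has ST == SI(t_r)."""
    terminal = [st for marking, st in b_classes.values() if "o" in marking]
    return bool(terminal) and all(st == si_tr for st in terminal)


def matching(classes, target, hidden, tau=None):
    """Classes whose projected marking equals target and, if tau is given, whose ST holds tau."""
    return [name for name, (marking, st) in classes.items()
            if marking - hidden == target and (tau is None or tau in st)]


def arrival_window(enabled_at, b_class):
    """ST_i + ST_B: global arrival interval of a module class inside the refined net."""
    return Z_CLASSES[enabled_at][1] + B_CLASSES[b_class][1]


def decide(m_z, m_b, tau, enabled_at):
    """Time-window branch only: ZS and BS must be non-empty and tau must lie in ST_i + ST_B."""
    zs = matching(Z_CLASSES, m_z, HIDDEN_Z, tau)
    bs = matching(B_CLASSES, m_b, HIDDEN_B)
    if not zs or not bs:
        return False
    return any(tau in arrival_window(enabled_at, b) for b in bs)


if __name__ == "__main__":
    m_z, m_b = frozenset({"p4", "p8"}), frozenset({"p14", "p16"})
    print("Theorem 1 condition holds:", theorem1_condition(B_CLASSES, SI_TR))
    print("ZS:", matching(Z_CLASSES, m_z, HIDDEN_Z, 41))
    print("BS:", matching(B_CLASSES, m_b, HIDDEN_B))
    print("window:", arrival_window("C1", "C24"))
    print("reachable at 41:", decide(m_z, m_b, 41, "C1"))
```
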
6. CONCLUSIONS
By replacing a transition or place in an original net with a subnet, the refinement
operation of Petri nets implements the process of stepwise refinement of a Petri net
model, which well supports a top-down design method. Based on the idea of divide and
conquer, the property preservation of a refinement operation is helpful for decreasing
analysis complexity and alleviating a state explosion problem. This article mainly
presents the following work.
(1) It defines a type of refinement operations for time Petri nets. This simple structured
model can well support refinement design and modeling of real-time systems, such
as workflow [Li et al. 2003, 2004; Van der Aalst 2000], command and control systems
[Wang et al. 2000], embedded system [Cho et al. 2010; Hu et al. 2009] and
manufacturing systems [Fanti and Zhou et al. 2004; Hu and Li 2009b; Jeng et al.
2004; Lee et al. 2007; Zhou et al. 1992, 1993].
Table V. The Description of State Class
$C_0 = (M_0, D_0, ST_0)$: $M_0 = p_1 + p_7$, $D_0 = \{D_0(t_1) = [3, 5]\}$, $ST_0 = [0, 0]$
$C_1 = (M_1, D_1, ST_1)$: $M_1 = p_2 + p_7 + r_i$, $D_1 = \{D_1(t_2) = [33, 45], D_1(t_r) = [40, 51]\}$, $ST_1 = [3, 5]$
$C_2 = (M_2, D_2, ST_2)$: $M_2 = p_2 + p_7 + r_o$, $D_2 = \{D_2(t_2) = [40, 45]\}$, $ST_2 = [40, 45]$
$C_3 = (M_3, D_3, ST_3)$: $M_3 = p_3 + p_8 + r_o$, $D_3 = \{D_3(t_3) = [43, 48]\}$, $ST_3 = [40, 45]$
$C_4 = (M_4, D_4, ST_4)$: $M_4 = p_4 + p_8 + r_o$, $D_4 = \{D_4(t_4) = [55, 68]\}$, $ST_4 = [43, 48]$
$C_5 = (M_5, D_5, ST_5)$: $M_5 = p_5 + p_7 + r_o$, $D_5 = \{D_5(t_5) = [67, 83]\}$, $ST_5 = [55, 68]$
$C_6 = (M_6, D_6, ST_6)$: $M_6 = p_6 + p_7$, $D_5 =$ , $ST_6 = [67, 83]$
$C_7 = (M_7, D_7, ST_7)$: $M_7 = p_3 + p_8 + r_i$, $D_7 = \{D_7(t_3) = [36, 48], D_7(t_r) = [40, 51]\}$, $ST_7 = [33, 45]$
$C_8 = (M_8, D_8, ST_8)$: $M_8 = p_3 + p_8 + r_o$, $D_8 = \{D_8(t_3) = [40, 48]\}$, $ST_8 = [40, 45]$
$C_9 = (M_9, D_9, ST_9)$: $M_9 = p_4 + p_8 + r_o$, $D_9 = \{D_9(t_3) = [52, 68]\}$, $ST_9 = [40, 48]$
$C_{10} = (M_{10}, D_{10}, ST_{10})$: $M_{10} = p_5 + p_7 + r_o$, $D_{10} = \{D_{10}(t_5) = [64, 83]\}$, $ST_{10} = [52, 68]$
$C_{11} = (M_{11}, D_{11}, ST_{11})$: $M_{11} = p_6 + p_7$, $D_{11} =$ , $ST_{10} = [64, 83]$
$C_{12} = (M_{12}, D_{12}, ST_{12})$: $M_{12} = p_4 + p_8 + r_i$, $D_{12} = \{D_{12}(t_4) = [48, 68], D_{12}(t_r) = [40, 51]\}$, $ST_{12} = [36, 48]$
$C_{13} = (M_{13}, D_{13}, ST_{13})$: $M_{13} = p_4 + p_8 + r_o$, $D_{13} = \{D_{13}(t_4) = [48, 68]\}$, $ST_{13} = [40, 51]$
$C_{14} = (M_{14}, D_{14}, ST_{14})$: $M_{14} = p_5 + p_7 + r_o$, $D_{14} = \{D_{14}(t_5) = [60, 83]\}$, $ST_{14} = [48, 68]$
$C_{15} = (M_{15}, D_{15}, ST_{15})$: $M_{15} = p_6 + p_7$, $D_{15} =$ , $ST_{14} = [60, 83]$
$C_{16} = (M_{16}, D_{16}, ST_{16})$: $M_{16} = p_5 + p_7 + r_i$, $D_{16} = \{D_{16}(t_r) = [48, 51]\}$, $ST_{16} = [48, 51]$
$C_{17} = (M_{17}, D_{17}, ST_{17})$: $M_{17} = p_5 + p_7 + r_o$, $D_{17} = \{D_{17}(t_5) = [60, 71]\}$, $ST_{17} = [48, 51]$
$C_{18} = (M_{18}, D_{18}, ST_{18})$: $M_{18} = p_6 + p_7$, $D_{18} =$ , $ST_{18} = [60, 71]$
$C_{20} = (M_{20}, D_{20}, ST_{20})$: $M_{20} = i + p_{16}$, $D_{20} = \{D_{20}(t_{11}) = [16, 17]\}$, $ST_{20} = [0, 0]$
$C_{21} = (M_{21}, D_{21}, ST_{21})$: $M_{21} = p_{12} + p_{17}$, $D_{21} = \{D_{21}(t_{12}) = [19, 20]\}$, $ST_{21} = [16, 17]$
$C_{22} = (M_{22}, D_{22}, ST_{22})$: $M_{22} = p_{13} + p_{17}$, $D_{22} = \{D_{22}(t_{13}) = [37, 46], D_{22}(t_{14}) = [30, 38]\}$, $ST_{22} = [19, 20]$
$C_{23} = (M_{23}, D_{23}, ST_{23})$: $M_{23} = o + p_{16}$, $D_{22} =$ , $ST_{23} = [37, 46]$
$C_{24} = (M_{24}, D_{24}, ST_{24})$: $M_{24} = p_{14} + p_{16}$, $D_{24} = \{D_{24}(t_{15}) = [33, 41]\}$, $ST_{24} = [30, 38]$
$C_{25} = (M_{25}, D_{25}, ST_{25})$: $M_{25} = p_{15} + p_{16}$, $D_{25} = \{D_{25}(t_{16}) = [37, 46]\}$, $ST_{24} = [33, 41]$
$C_{26} = (M_{26}, D_{26}, ST_{26})$: $M_{26} = o + p_{16}$, $D_{26} =$ , $ST_{26} = [37, 46]$
(2) It investigates behavior and property preservation of the refinement operation, and
establishes the corresponding preservation conditions, which provide a theoretical
support for system behavior analysis and property verification.
(3) It develops a reachability decidability algorithm. By this algorithm, the reachability
of a refined TPN can be decided according to the reachability trees of the
original net and modules. It is unnecessary to generate the whole reachability tree
of the refined TPN. Therefore, by this method, the burden to solve the state space
explosion problem can be effectively reduced. This is very helpful for state
identification and model checking of complex systems.
Additional properties, such as reversibility and fairness to support the qualitative
analysis of complex systems, need to be discussed. Moreover, based on the refinement
operation, quantitative analysis of complex systems such as turnaround time and
throughput is another research direction. The safeness of the input place of the refined
transition can be a major limitation in some real-time systems. The extension to more general
cases requires additional work.
APPENDIX A
PROOF OF THEOREM 1. To prove L
_
Z
_
|U = L(Z) |U, we need to prove that
L
_
Z
_
|U L(Z) |U and L(Z) |U L
_
Z
_
|U.
We rst prove thatL
_
Z
_
|U L(Z) |U. For
1
L
_
Z
_
|U, let
L
_
Z
_
, where
|U =
1
. We break our proof into four cases.
Case 1. For M
R
_
Z
_
, M
_
p
i
_
= 0 holds, that is, place p
i
receives no token dur-
ing the execution of sequence
. Therefore,
1
=
L(Z) holds.
Similarly, transition t
r
cannot re during sequence
|U =
holds, that is
1
L(Z) |U holds.
Case 2. There exists only marking M
1
R
_
Z
_
such that M
1
_
p
i
_
= 1, and M
R
_
Z
_
, M
(p
o) = 0 holds, namely, during sequence
place p
i
received tokens, but
place p
o
receives no token. Let
11
12
, where
11
is the shortest prex of
,
satisfying
_
Z,
11
_
= C
11
=
_
M
11
, D
11
, ST
11
_
, and M
11
_
p
i
_
= 1. According to Case
1,
11
L(Z) |U holds. Obviously,
12
is composed of transitions in B and Z, and
according to the denition of the renement operation, we know that transitions in B
and transitions in Z execute concurrently during
12
, therefore
11
_
12
|U
_
L(Z)
holds, that is,
1
=
_
11
12
_
|U L(Z) |Uholds. So
1
L(Z) |U holds.
Case 3. There exists only markings M
1
R
_
Z
_ _
M
2
R
_
Z
_ _
such that
M
1
_
p
i
_
= 1 (M
2
(p
o) = 1), that is, both places p
i
and p
o
received tokens during the exe-
cution of sequence
. Let
11
12
13
, where
11
is the shortest prex of
, satis-
fying
_
Z,
11
_
= C
11
=
_
M
11
, D
11
, ST
11
_
, and M
11
_
p
i
_
= 1.
11
12
is also the shortest
prex of
, satisfying
_
Z,
12
_
= C
12
=
_
M
12
, D
12
, ST
12
_
, and M
12
(p
o) = 1. Similarly
with Case 2,
11
12
|U
_
L(Z) holds. Suppose that
11
=
_
Z
11
_
,
12
=
_
Z
12
_
,
and
_
B,
12
T
B
_
= C
B
=
_
M
f
, D
B
, ST
B
_
, then LB
B
12
11
RB
B
holds,
where ST
B
=
_
LB
B
, RB
B
_
. According to the condition given in Theorem 1, we have
LB
B
= SEFT (t
r), Therefore t
r
can re at time
12
in the original net Z, namely,
11
_
12
|U
_
t
r
L(Z) holds. Moreover, in the same way,
13
also can re at state
_
E,
11
_
12
|U
_
t
r
_
. Consequently,
11
_
12
|U
_
t
r
13
L(Z) holds, that is,
11
_
12
|U
_
13
=
1
L(Z) |U holds.
Case 4. General case. Suppose that during sequence
, p
i
received k
1
tokens, while
place p
o
received k
2
tokens. From the denition of module, we know that k
1
= k
2
,
or k
1
= k
2
+ 1. And for the above three cases, k
1
= k
2
= 0, k
1
= 1 k
2
= 0, and
k
1
= k
2
= 1 hold respectively. Since the ring of TPN transitions is only related with
a local time, repeat the proofs of Case 2 and Case 3, we have the conclusion that for
1
L
_
Z
_
|U,
1
L(Z) |U holds.
Next, we prove L(Z) |U L
_
Z
_
|U. For
1
L(Z) |U, let L(Z), where |U =
1
. We break our proof into four cases.
Case 1. For M R(Z, ), M
_
r
i
_
= 0 holds, that is, place r
i
receives no token during
the execution of sequence. Obviously, there is no transition t
r
in , thus =
1
.
And according to the denition of the renement operation, we know that L
_
Z
_
.
Therefore,
1
L
_
Z
_
|U holds.
Case 2. There exists only marking M
1
R(Z, ), such that M
1
_
r
i
_
= 1, and M
R(Z, ), M(r
o) = 0 holds, that is, during sequence
place r
i
received tokens, but
place r
o
receives no token. It is obvious that there is no transition t
r
in sequence ,
Otherwise, ring t
r
would consequentially result in a token in r
o
. In the same way
with Case 1,
1
L
_
Z
_
|U holds.
Case 3. There exists only markings M
1
R(Z, ) and M
2
R(Z, ) such that
M
1
_
r
i
_
= 1 and M
2
(r
o) = 1 respectively, that is, both place r
i
and place r
o
received
tokens during the execution of sequence . Let =
11
12
13
, where
11
is the
shortest prex of , satisfying (Z,
11
) = C
11
=
_
M
11
, D
11
, ST
11
_
, M
11
_
r
i
_
= 1, and
11
12
also the shortest prex of
, satisfying (Z,
12
) = C
12
=
_
M
12
, D
12
, ST
12
_
,
M
12
(r
o) = 1. Similarly with Case 2,
11
L
_
Z
_
holds. Moreover, we know that there
exists a sequence
11
1
L
_
Z
_
, satisfying
1
|U =
121
, and
T
B
=
B
, where
_
B,
B
_
= C
B
=
_
M
f
, D
B
, ST
B
_
. Suppose that
12
=
121
t
r
, (Z,
11
) =
11
and
(Z,
12
) =
12
. Since place p
i
received a token at time
11
during sequence
11
in
net Z
i
that can re due to SEFT
_
t
i
_
SEFT (t
r). Because the ring of sequence
121
has
no effect on the execution of the module in Z
, after ring t
i
, there must exist t
j
T
B
that can re. Following this way, we can generate the execution sequence
B
of the
module. According to the condition in Theorem 1, ST
B
= SI (t
r), we can suppose
that
_
Z
,
11
1
_
=
12
. Therefore,
13
also can re at state
_
Z
,
11
1
_
, and
11
1
13
L
_
Z
_
holds, that is,
_
11
1
13
_
|U =
1
L
_
Z
_
|U holds.
Case 4. General case. Suppose that during sequence , place r
i
received k
1
tokens
and r
o
received k
2
tokens. Then repeat the proofs of Case 2 and Case 3, Case 4 can be
proved.
To sum up, L
_
Z
_
|U = L(Z) |U holds.
REFERENCES
Berthomieu, B. and Diaz, M. 1991. Modeling and verification of time dependent systems using time Petri nets. IEEE Trans. Softw. Engin. 17, 259–273.
Berthomieu, B., Lime, D., Roux, O. H., and Vernadat, F. 2007. Reachability problems and abstract state spaces for time Petri Nets with stopwatches. J. Discrete Event Dyn. Syst. Theory Appl. 17, 133–158.
Cho, H., Ravindran, B., and Jensen, E. D. 2010. Lock-free synchronization for dynamic embedded real-time systems. ACM Trans. Embed. Comput. Syst. 9, 1–28.
Ding, Z. J., Jiang, C. J., Zhou, M. C., and Zhang, Y. Y. 2008. Preserving languages and properties in stepwise refinement-based synthesis of Petri nets. IEEE Trans. Syst. Man Cybern. Part A 38, 791–801.
Ding, Z. J., Zhang, Y. Y., Jiang, C. J., and Zhang, Z. H. 2007. Refinement of Petri nets in workflow integration. In Proceedings of the 10th International Conference Computer Supported Cooperative Work in Design, Lecture Notes in Computer Science, vol. 4402, 667–678.
Fani, M. P. and Zhou, M. C. 2004. Deadlock control methods in automated manufacturing systems. IEEE Trans. Syst. Man Cybern. Part A 34, 5–22.
Felder, M., Gargantini, A., and Morzenti, A. 1998. A Theory of implementation and refinement in timed Petri nets. Theor. Comput. Sci. 202, 127–161.
Girault, C. and Valk, R. 2003. Petri Nets for Systems Engineering: A Guide to Modeling, Verification, and Applications. Springer.
Gurovic, D., Fengler, W., and Nutzel. J. 2000. Development of real-time system specifications through the refinement of duration interval Petri nets. In Proceedings of IEEE International Conference on Systems, Man, and Cybernetics. 3093–3098.
Hruz, B. and Zhou, M. C. 2007. Modeling and Control of Discrete Event Dynamic Systems. Springer.
Hu, H. S. and Li, Z. W. 2009a. Modeling and scheduling for manufacturing grid workflows using timed Petri nets. Int. J. Adv. Manuf. Technol. 42, 553–568.
Hu, H. S. and Li, Z. W. 2009b. Clarification on the computation of liveness-enforcing supervisor for resource allocation systems with uncontrollable behavior and forbidden states. IEEE Trans. Autom. Sci. Eng. 6, 557–558.
Hu, H. S., Zhou, M. C., and Li, Z. W. 2009. Liveness enforcing supervision of video streaming systems using non-sequential Petri nets. IEEE Trans. Multimedia 11, 1457–1465.
Huang, H. J., Cheung, T. Y., and Mak, W. M. 2004. Structure and behavior preservation by Petri-net-based refinements in system design. Theor. Comput. Sci. 328, 245–269.
Jeng, M. D., Xie, X. L., and Chung, S. L. 2004. ERCN* merged nets for modeling degraded behavior and parallel processes in semiconductor manufacturing systems. IEEE Trans. Syst. Man Cybern. Part A 34, 102–112.
Jiang, C. J., Wang, H. Q., and Liao, S. Y. 2002. Behavior relativity of Petri nets. J. Comput. Sci. Techn. 17, 770–780.
Lee, J. S., Zhou, M. C., and Hsu, P. L. 2007. A Petri-net approach to modular supervision with conflict resolution for semiconductor manufacturing systems. IEEE Trans. Autom. Sci. Eng. 4, 584–588.
Li, J., Fan, Y. S., and Zhou, M. C. 2003. Timing constraint workflow nets for workflow analysis. IEEE Trans. Syst. Man Cybern. Part A 33, 179–193.
Li, J., Fan, Y. S., and Zhou, M. C. 2004. Performance modeling and analysis of workflow. IEEE Trans. Syst. Man Cybern. Part A 34, 229–242.
Li, Z. W. and Zhou, M. C. 2009. Deadlock Resolution in Automated Manufacturing Systems: A Novel Petri Net Approach. Springer.
Liu, T., Lin, C., and Liu, W. D. 2002. Linear temporal inference of workflow management system based on timed Petri net models. Acta Electronica Sinica 30, 245–248. (in Chinese)
Merlin, P. and Farber, D. 1976. Recoverability of communication protocols - Implication of a theoretical study. IEEE Trans. Commun. 24, 1036–1043.
Molloy, M. K. 1982. Performance analysis using stochastic Petri nets. IEEE Trans. Comput. 31, 913–917.
Murata, T. 1989. Petri nets: Properties, analysis and applications. Proc IEEE, 541–580.
Suzuki, I. and Murata, T. 1983. A method for stepwise refinement and abstraction of Petri nets. J. Comput. Syst. Sci. 27, 51–76.
Tang, D. and Liu, D. N. 2006. Method of reachability analysis in HTPN based workflow model. Comput. Integr. Manuf. Syst. 12, 487–493. (in Chinese)
Valette, R. 1979. Analysis of Petri nets by stepwise refinements. J. Comput. Syst. Sci. 18, 35–46.
van der Aalst, W. M. P. 2000. Workflow verification: Finding control-flow errors using Petri-net-based techniques. In Proceedings of the International Workshop on Types for Proofs and Programs. Lecture Notes in Computer Science 806, 161–183.
Wang, J. C., Deng, Y., and Xu, G 2000a. Reachability analysis of real-time systems using time Petri nets. IEEE Trans. Syst. Man Cybern. Part B 30, 725–736.
Wang, J. C., Deng, Y., and Zhou, M. C. 2000b. Compositional time Petri nets and reduction rules. IEEE Trans. Syst. Man Cybern. Part B 30, 562–572.
Zhou, M. C. and Venkaesh, K. 1998. Modeling, Simulation and Control of Flexible Manufacturing Systems: A Petri Net Approach. World Scientific, Singapore.
Zhou, M. C., Dicesare, F., and Desrochers, A. 1992. A hybrid methodology for synthesis of Petri nets for manufacturing systems. IEEE Trans. Rob. Autom. 8, 350–361.
Zhou, M C., Mcdermott, K., and Patel, P A. 1993. Petri net synthesis and analysis of a flexible manufacturing system cell. IEEE Trans. Syst. Man Cybern. 23, 523–531.
Zuberek, W. M. 1991. Timed Petri nets: Definitions, properties, and applications. Microelectron. Reliab. 31, 627–644.
Received March 2010; accepted July 2010