
Reliability Analysis of Component Software Based on Stochastic Petri Nets

Lianzhang Zhu
China University of Petroleum (East China)
zhulz@mail.hdpu.edu.cn

Yanchen Li
China University of Petroleum (East China),
lidiao123876@163.com

Abstract

The models suggested at present have certain
application conditions and ranges, and most of them
are not able to satisfy the requirements of complicated
and volatile application environments. This paper
presents a method based on stochastic Petri nets (SPNs)
that evaluates component software reliability at the
early stages of software development. The reliability
model built with that method can describe the process
of dynamic changes of software well and it also
considers the factors that affect software reliability by
analyzing the characteristic of software architecture.
The major drawback of SPN models is the state space
explosion with increasing model complexity. In this
paper, the problem is resolved by the decomposition of
software architecture and one kind of decomposition
technique introduced by reference [1]. Finally, we
illustrate and discuss the numerical reliability results
obtained from the proposed method. It has been shown
that the suggested method provides a powerful means
of analyzing software reliability after software running
for a period of time.

1. Introduction
Composite systems composed of software
components are called component software [2].
Relative to software development in the past, the
design of software architecture is more emphasized by
the component technology [3]-[5]. Therefore reliability
analysis in the stage of designing software architecture
can find out more software problems as soon as
possible. However, for a long time, most of reliability
analyses and evaluation in the software engineering
practice are based on the fundamental characteristic of
software and testing data. All that work ignores the
significance of software architecture.
SPN is one kind of powerful tool of dynamic
modeling and performance evaluation. It not only helps
to understand the dynamic behavior of system
described, but also can calculate the various
performance parameters and provide references for
system structure and the choices of parameters [6].
Therefore from the point of view of fault modeling and
fault rate analysis, the paper proposes a method based
on SPNs that evaluates component software reliability
by analyzing the characteristic and reliability factors of
software architecture. The method is able to
dynamically track software reliability, assist in
reducing complexity of describing and analyzing
software reliability, and improve the precision of
reliability evaluation and forecast.
The paper is organized as follows. Section 2 gives a
brief review of the SPN concepts. Section 3 explains
the fundamental approach of reliability analysis and
evaluation of software based on SPNs. The solutions to
the state space explosion are introduced in Section 4.
Section 5 illustrates and discusses the numerical
reliability results obtained from the proposed method.
Conclusions are presented in Section 6.

2. Some notions on stochastic Petri nets (SPNs)
The basic Petri net (PN) structures are State
Machine (SM) structure, Marked Graph (MG) structure,
Free Choice (FC) structure [7].
In the case of PN models with timed transitions
adopting the race policy, a random delay with negative
exponential pdf can be associated with each transition.
This guarantees that the qualitative behavior of the
resulting timed PN model is the same as the qualitative
behavior of the PN model with no temporal
specification. The timed PN models that are obtained
with such an approach are SPNs [8]. SPNs can express
the relationship between the cause and effect of event
as well as the dynamic behavior of system using
graphic symbols.
In the process of researching SPNs, SPNs have
been developed and extended greatly, such as
generalized stochastic Petri nets (GSPNs), stochastic
reward nets (SRNs), deterministic and stochastic Petri
nets (DSPNs), etc. [6]. GSPNs introduce immediate
transitions, timed transitions and inhibitor arcs.

6th IEEE/ACIS International Conference on Computer and Information Science (ICIS 2007)
0-7695-2841-4/07 $25.00 2007

Immediate transitions fire as soon as they are enabled,
while timed transitions fire after a random period of
time which is a random variable ruled by an
exponential distribution whose parameter is the firing
rate of the transition. White rectangles represent timed
transitions and thin bars represent immediate
transitions. Inhibitor arc is denoted as an arc terminated
with a small hollow circle.

3. Reliability analysis and evaluation based on SPNs
As for the component software composed of the
components whose lifetime obeys an exponential
distribution, we can build a model of software
reliability based on SPNs which are able to describe
the relationship among components well. And then we
can make use of continuous time Markov chains
(CTMCs) which are isomorphic to SPNs to analyze
software reliability.

3.1. SPN reliability model

When analyzing software faults, places can
represent component faults, component defects and
man-made faults etc.; transitions represent the dynamic
changes of software states and the transfers of fault
events; arcs represent the orientations of fault
propagations. Besides, the firings of transitions result
in the change of the number of tokens.
The information of faults flowing in SPNs
expresses logical relationships among fault events as
shown in the Figure 1 [9].

Figure 1. Logical relationships among fault events

There are three types of the fundamental factors
resulting in the failure of component software. Some
are components' own defects; some are the transfers of
component faults caused by the dependency among the
components; others are the combination of two former
cases.
According to the dependency among the
components, we use four kinds of mapping to describe
the relationships among the components and build the
SPN reliability model of component software based on
the four mappings [10].
(1) 1:1 mapping: As shown in Figure 2(a), the
defect of component A leads A to malfunction with the
fault rate A ; the fault of A leads component B to
malfunction with the fault transfer rate A ;
component B's own defect is also able to result in the
fault of B. Perhaps the fault of A and the defect of B
leads B to malfunction together, as shown in Figure 2
(b).

Figure 2. 1:1 mapping

(2) 1:n mapping: As shown in Figure 3(a), the fault
of A will lead B and C to malfunction with the fault
transfer rate A at the same time. The influences on
B and C of A may be not simultaneous, and the degrees
of influences may be different, as shown in Figure 3
(b). The fault of A with the defect of B or C may also
lead respectively B or C to malfunction, as shown in
Figure 3(c). As shown in Figure 3(d) is that the fault of
A with defects of B and C will result in the faults of B
and C simultaneously.

Figure 3. 1:n mapping

(3) n:1 mapping: As shown in Figure 4(a), in
addition to component C's own defect, the faults of
component A and B may make C malfunction together
with the fault transfer rate AB . As shown in Figure 4
(b), fault of A or B may cause bad influences on C
independently. Perhaps the fault of A or B with the
defect of C leads C to malfunction, as shown in Figure
4(c). As shown in Figure 4(d) is that the faults of A and
B with the defect of C will result in the fault of C
simultaneously.
(4) n:n mapping: this case can be transformed into
1:n mapping and n:1 mapping to be analyzed.

Figure 4. n:1 mapping


There are three kinds of transitions in the SPN
modeling: 1) the malfunction of component due to the
defect of component, 2) the transfer of fault, 3) the
repair of component (the four kinds of mappings above
do not consider it). The firing rates of the transitions,
which obey exponential distribution, ought to be
ascertained according to the known component
reliability and the relations among components. The
reachability set of markings of the SPN reliability
model which reflects software failure is called the set
of the failure states of software system.

3.2. Reliability analysis

When evaluating software reliability, the process of
the development and changes of software states is
analyzed as a Markov process.
Firstly, according to requirement analysis, take
marking $M_k$ of SPN as node and transition $T_k$ as
arc to build reachability tree of SPN, and ascertain the
reachability set of markings (i.e. the set of failure states)
and its subsets by means of reachability tree.
Secondly, transform SPN into the CTMC which is
isomorphic to the SPN, and construct the $n \times n$ transition
matrix of CTMC $A = [A_{i,j}]$ $(1 \le i, j \le n)$.
Thirdly, analyze every marking of CTMC.
Define $P[M_i](t) = x_i(t)$ representing the transient
probability of every marking; define $P[M_i] = y_i$,
$Y = (y_1, y_2, \ldots, y_n)$, representing the steady state
distribution of markings. According to ergodic property
of CTMC, two equations can be obtained as follows.

$$\begin{cases} (x_1'(t), x_2'(t), \ldots, x_n'(t)) = (x_1(t), x_2(t), \ldots, x_n(t))\,A \\ \sum_i x_i(t) = 1, \quad 1 \le i \le n \end{cases} \tag{1}$$

$$\begin{cases} YA = 0 \\ \sum_i y_i = 1, \quad 1 \le i \le n \end{cases} \tag{2}$$

Then, transient probability and steady state probability
of every marking can be calculated. Get the probability
of software failure according to the steady state
probability and transient probability of failure states in
the set of failure states. Accordingly obtain the
transient reliability of software $R(t) = 1 - P[M_j](t)$ and
the steady reliability $R = 1 - P[M_j]$ (where $M_j$ is the
element in the set of failure states).
Finally, ascertain other reliability index of software
according to the SPN model, CTMC and reliability of
software.

4. The solutions to state space explosion

It can be seen from analysis above, the state space
size of SPN model rapidly increases with places and
transitions increasing. That is the problem of state
space explosion, and it increases complexity of
analyzing model.

4.1. Decomposition of component software

According to the analysis results of software
architecture, we can reduce the state space size by
decomposing component software into several
subsystems and analyze the reliability of every
subsystem by using the method proposed in section 3.
Then, according to the relations among subsystems,
applying combinatorial analysis method, calculate the
reliability of entire software system.

Figure 5. Failure of software with basic architecture

Figure 5 describes that the software with basic
architecture (i.e. simple, series or parallel architecture)
becomes failure due to the faults of its subsystems [11].
Up_i represents operational state; down_i represents
failure state; failure_i represents the event resulting in
component failure and its corresponding failure rate is
i; T represents the event triggering the transition of
system failure. Besides, the same model can describe
different failure processes by different predicates of
transitions.
For the series software, provided the lifetime of
subsystem_i is $Z_i$, its reliability at the time t is $R_i(t)$,
$Z_1, Z_2, \ldots, Z_n$ are independent of one another, the
lifetime of entire software is $Z_s$ and its reliability at
the time t is $R_s(t)$, then a reliability function is as
follows:

$$R_s(t) = \prod_{i=1}^{n} R_i(t) \tag{3}$$

For the parallel software, provided the lifetime of
subsystem_i is $Z_i$, its reliability at the time t is $R_i(t)$,
$Z_1, Z_2, \ldots, Z_n$ are independent of one another, the
lifetime of entire system is $Z_s$ and its reliability at the
time t is $R_s(t)$, then a reliability function is as
follows:

$$R_s(t) = 1 - \prod_{i=1}^{n} \bigl(1 - R_i(t)\bigr) \tag{4}$$

For other complex software architectures, the
software system is decomposed step by step based on
the basic structures till every submodel has only the
basic structure. Then make use of reliability analysis
method of the basic structures to backtrack step by step,
and the reliability of entire software system can be
obtained [12].
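
The procedure of sections 3.2 and 4.1 carried through end to end, as an added example that is not code from the paper: each subsystem's CTMC is solved for its transient marking probabilities, R_i(t) is taken as one minus the probability of the failure markings, and the subsystems are combined with equations (3) and (4). The three-marking chain for the 1:1 mapping, the choice of failure set, the rate values and the use of uniformization as the solver are all assumptions made for the illustration.

```python
import math

def transient(Q, x0, t, eps=1e-12):
    """Solve x'(t) = x(t)Q (eq. (1), Q in the role of matrix A) by uniformization."""
    n = len(Q)
    rate = max(-Q[i][i] for i in range(n)) or 1.0   # >= every exit rate
    if rate * t > 700:                               # exp(-rate*t) would underflow
        raise ValueError("rate*t too large for this simple solver")
    # Embedded discrete-time chain: P = I + Q/rate
    P = [[(i == j) + Q[i][j] / rate for j in range(n)] for i in range(n)]
    v = list(x0)                  # x0 * P^k, starting at k = 0
    w = math.exp(-rate * t)       # Poisson(rate*t) weight of k = 0
    acc, k = w, 0
    x = [w * vi for vi in v]
    while 1.0 - acc > eps and k < 10000:
        k += 1
        v = [sum(v[i] * P[i][j] for i in range(n)) for j in range(n)]
        w *= rate * t / k
        acc += w
        x = [xi + w * vi for xi, vi in zip(x, v)]
    return x

def mapping_1to1(lam_a, lam_b, lam_ab):
    """Assumed markings: 0 = A and B up, 1 = A faulty and B up,
    2 = B faulty (absorbing failure state of the subsystem)."""
    return [[-(lam_a + lam_b), lam_a, lam_b],             # A's defect / B's defect
            [0.0, -(lam_ab + lam_b), lam_ab + lam_b],     # fault transfer or B's defect
            [0.0, 0.0, 0.0]]

def reliability(Q, failure_states, t):
    """R(t) = 1 - probability of being in a failure marking, starting from marking 0."""
    x = transient(Q, [1.0] + [0.0] * (len(Q) - 1), t)
    return 1.0 - sum(x[j] for j in failure_states)

def series(rs):       # eq. (3)
    return math.prod(rs)

def parallel(rs):     # eq. (4)
    return 1.0 - math.prod(1.0 - r for r in rs)

def system_reliability(t):
    # Constructed rates (per hour), not the values of the paper's Table 2.
    r1 = reliability(mapping_1to1(5e-6, 1e-6, 8e-6), [2], t)
    r2 = reliability(mapping_1to1(2e-6, 3e-6, 4e-5), [2], t)
    return {"R1": r1, "R2": r2,
            "series": series([r1, r2]), "parallel": parallel([r1, r2])}

if __name__ == "__main__":
    for hours in (500, 1000, 2000, 3000, 4000, 5000):
        print(hours, system_reliability(float(hours)))
```
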

4.2. Decomposition and compression of SPN reliability model
Decomposition and compression is one kind of
the effective method of resolving the state space
explosion. Decomposition is that of net structure or
state space of model; compression, namely the
compression of model, means submodel is compressed
to simpler model, model element or model parameter.
Finally calculate the performance parameters of the
reduced model.
At present, most of decomposition and compression
techniques only obtain the steady state of large SPN
performance models. Because the SPN reliability
model of component software that we use here consists
of k subnets interacting via common places and/or
transitions, we adopt the kind of decomposition and
compression technique introduced by reference [1].
This technique can reduce the complexity of describing
and analyzing the software reliability effectively, and
expand the applicability of decomposition techniques.
It may also get the transient state of SPN reliability
model and assure the precision of evaluating and
forecasting reliability.
First SPN reliability model of system is split into k
subnet_i ($1 \le i \le k$) based on the SM structure or MG
structure of the SPN through the common places
and/or transitions among these subnets. Then, calculate
the average time TCTN_i required by one token starting
from the entry place of the subnet_i to return to the
entry place again after it has been distributed
throughout the places of this subnet where 1/ is the
average time that the token spend in the entry place of
the subnet_i. Next, the subnet_i is compressed (i.e.
the whole subnet_i is compressed into a single
equivalent module consists of one transition t or one
place p and one transition t ) and then combined
(this module is associated with the subnet_i+1) to a
subnet_i+1 to obtain a state space representation of
both subnets. In this process, the time behavior of
subnet_i is calculated and then associated with the
transition t . The aggregation rate Ni associated with
t is calculated as follows:
N = /( TCTN 1)
i

(5)

Finally, we repeat this compress and combine
operation on the remaining subnets until they induce
the state space representation of the whole system
model.

5. Example
We present a SPN reliability model of a component
software composed of three series subsystems as
shown in Figure 6. P_i ($2 \le i \le 19$ and $i \ne 14$) represents
the component that composes the software system.
Each component has two states: operation or failure. In
the initial state, P_0 has one token, which represents
that the whole software system starts operating.
Immediate transition T_0 represents that the first
subsystem and components P_10, P_11, P_19
immediately start functioning normally as soon as
software system starts operating. As long as one token
enters P_20, the whole software system will be failure.

Figure 6. SPN reliability model of component software

For the first subsystem, we can use the technique in
section 4.2 to analyze its reliability. P_2–P_8 are
divided into two groups. These groups are modeled by
{T_1,P_2,P_3,T_3,P_6,T_4,P_7,T_5,P_8,T_8}
and
{T_2,P_4,P_5,T_6,T_7,P_7,P_8,T_8}.
In this
subsystem, if one group is enabled (working), the other
is disabled. This concept is modeled by the conflict
transitions {T_1,T_2}. Parallel or concurrent activities
are represented by transitions T_3,T_4,T_5 in the first
group as well as by transitions T_6,T_7 in the second
group. In an operational state, a component executes a
required task with a rate l , which is an exponentially
distributed random variable with mean 1/ l which
represents the operational time of the component. In a
failure state, a component may be failure with a
rate j , which is an exponentially distributed random
variable with mean 1/ j . The transitions T_1–T_8
model the operational behaviors of the components.
Also, the following transitions T_9–T_12 model the
failure behavior of component P_9 due to its own
defect or the fault transfers of P_7, P_3, P_8 and P_5.
The failure of component P_9 results in the failure of
entire software. P_9 can be seen as an absorbing place
of the first SPN submodel. We have developed this
place to obtain CTMC with absorbing state(s).
According to the technique in section 4.2, the
submodel can be decomposed into two parts, as shown
in Figure 7(a). Final cumulative subnet obtained after
compression and combination is as shown in
Figure 7(b).

Figure 7. The decomposition and combination of the first submodel

As for the model of the second subsystem, most of
transitions represent components become failure
because of their own defects or the faults transferred by
other components. The detailed meaning of every
transition is seen in Table 1:

Table 1. Meaning of every transition in the second submodel

Transitions  Meaning of every transition
T_14  The fault transfer of component P_10 results in that some fault occurs in component P_12
T_15  The fault transfer of component P_11 results in that some fault occurs in component P_13
T_16  Some fault occurs in component P_13 when component P_12 has no faults
T_17  When there are faults in both component P_12 and component P_13 and component P_12 has faults first, namely P_14 has no tokens, the faults of both components result in that some fault occurs in component P_15
T_18  The failure of component P_13 causes that component P_16 starts operating
T_19  Some fault occurs in component P_16 because of its own defects when component P_16 has not operated
T_20  Some fault occurs in component P_16 when component P_16 is operating
T_21  The entire software system becomes failure because there are faults in both component P_13 and component P_16
T_22  The entire software system becomes failure because some fault occurs in component P_15

As for the third subsystem, when transition T_23
fires (namely some fault occurs in P_19), one token
will enter P_20 and the whole software system will be
failure.
The firing rates associated with timed transitions
are shown in Table 2.

Table 2. Firing rates associated with timed transitions

Names of transitions   Names of firing rates   Values of firing rates(h
T_1–T_8                1–8                     0.04
T_9–T_12               9–12
T_14                   14
T_15                   15                      8.0 × 10^-6
T_19                   19                      8.0 × 10^-7
T_20                   20                      7.2 × 10^-6
T_23                   23                      1.0 × 10^-6

5.0 × 10^-6
5.0 × 10^-5


According to the two techniques in section 4, the
numerical reliability results of three subsystems and
the entire system can be calculated. We also obtain the
reliability of SPN model shown in Figure 6 when the
SPN model has not been processed. The numerical
results shown in Table 3 clearly indicate that the
percentage error between the reliability results of both
the SPN model which has been processed and the
original one is very small. This percentage error can be
calculated as follows:

$$\text{Error Ratio} = 100 \times \frac{\left| R(t)_{proc} - R(t)_{orig} \right|}{R(t)_{orig}}\ \% \tag{6}$$

So the reliability analysis method is able to both
assure the precision of evaluating and forecasting
reliability and diminish the complexity of describing
and analyzing reliability.

Table 3. Reliability results for the component software

Time(h)   R(t)_orig   R(t)_proc   Error(%)
500       0.999439    0.999441    2.03 × 10^-4
1000      0.998759    0.998766    7.24 × 10^-4
2000      0.997055    0.997087    3.20 × 10^-3
3000      0.994918    0.994989    7.15 × 10^-3
4000      0.992378    0.992505    1.28 × 10^-2
5000      0.989459    0.989659    2.02 × 10^-2

According to the transitions of model, the failure
paths of software can be ascertained. Applying those
analysis results as above, we can choose the right
components, optimize the software architecture,
compile testing cases, test with the pertinence and
accelerate the speed of fault diagnosis.

6. Conclusions
From the point of view of the fault modeling and
fault rates analysis, the paper has put forward one kind
of the reliability analysis method of component
software based on SPNs at the early stages of software
development. The paper mainly discussed three aspects:
the expression of component software based on SPNs,
the techniques for solving the state space explosion of
SPNs, and the steps of obtaining the analysis results of
software reliability. The transient and steady
probabilities of software system in every state can be
obtained in this paper, and they have provided a
powerful means of analyzing software reliability after
software running for a period of time. Besides, the
results of analyzing and evaluating software reliability
have the direct guidance to further software
development and reliability management.
At the same time, it can be seen from the analysis
process that ascertaining the fault rates of components
has certain influence on the analysis effect of
evaluating the entire model. Ascertaining the fault rates
of components can only depend on the experience in
the past in addition to fulfilling this according to the
relations among the components at present. Therefore,
we still need do further research on the method of
ascertaining the fault rates.

References
[1] S.M.Koriem, Fast and Simple Decomposition
Techniques for the Reliability Analyses of Interconnection
Networks, The Journal of Systems and Software, Elsevier,
1999, pp.155-171.
[2] C.Szyperski, D.Gruntz, and S.Murer, Component
Software: Beyond Object-Oriented Programming, Second
Edition, Publishing House of Electronics Industry, Beijing,
2003.8.
[3] L.Bass, P.Clements, R.Kazman, Software Architecture in
Practice, Addison-Wesley, 1998.
[4] H.Mei, F.Chen, Y.Feng et al, ABC: An Architecture
Based, Component Oriented Approach to Software
Development, Journal of Software, 2003, pp.721-732.
[5] D.Garlan, M.Shaw, An Introduction to Software
Architecture, Advances in Software Engineering and
Knowledge Engineering, Volume I, World Scientific
Publishing Company, New Jersey, 1993.
[6] C.Lin, Stochastic Petri Net and System Performance
Evaluation, Second Edition, Tsinghua University Press,
Beijing, 2005.4.
[7] T.Murata, Petri Nets: Properties, Analyses and
Applications, Proceedings of the IEEE, 1989, pp.541-580.
[8] M.A.Marsan, G.Balbo, G.Conte et al, Modeling with
Generalized Stochastic Petri Nets, JOHN WILEY&SONS,
Chichester et al, 1995.
[9] G.Shen, C.Su, Y.Xu, Research on the Method of
Reliability Analysis for Dynamic System Based on Petri Net,
Mechanical Engineering & Automation, Taiyuan, 2006,
pp.1-4.
[10] G.Li, Y.Chen, Evaluation for Component Software
Reliability Using SPN in Early Stage, Computer
Engineering and Application, Beijing, 2005, pp.84-87.
[11] C.LIN, Research on Network Dependability Analysis
Methods Based on Stochastic Petri Net, Acta Electronica
Sinica, Beijing, 2006, pp.322-422.
[12] Y.Zhang, X.Li, Reliability Analysis of Software
Architecture Based on Petri Net, Computer Engineering and
Applications, Beijing, 2006, pp.69-73.
