
Reachability and temporal conflicts in t-time Petri nets

Nicolas RIVIERE, LAAS-CNRS, F-31077 Toulouse Cedex 4
Brigitte PRADIN-CHEZALVIEL, LAAS-CNRS and IUT A - UPS, F-31077 Toulouse Cedex 4
Robert VALETTE, LAAS-CNRS, F-31077 Toulouse Cedex 4

Abstract

The first aim of this paper is to characterize marking reachability within scenarios defined on t-time Petri nets. This reachability can be structural (it does not depend on the enabling durations), necessary (it holds for all the possible values of the enabling durations within some given enabling intervals) or possible (it holds for some values of the enabling durations). This approach is based on the computation of the sojourn times of tokens in places by means of the construction of proof trees in linear logic. The second aim is to illustrate the fact that these sojourn times can also be used to analyze the conflicts between two scenarios, taking into account all the temporal constraints. In some cases, one of the scenarios invalidates the other one: the temporal constraints are such that this scenario will never occur.

1 Introduction

Studying the temporal behavior of concurrent systems requires an accurate characterization of reachability and conflicts. Most Petri net approaches use a state-based method for this purpose: the basic idea is to construct some reachability graph, with or without time considerations. All these approaches face difficulties inherent to the reachability graph method: combinatorial explosion due to interleaving and time, and imprecision resulting from the treatment of interleaving. Indeed, concurrency produces branching parts in the graph in the same way as non-determinism does. The objective of this paper is to show how it is possible to get some interesting temporal results without constructing complete reachability graphs and without using interleaving notions, in order to better characterize the temporal behavior. The purpose is not to consider all the possible evolutions of any Petri net but to focus on more particular scenarios and to derive accurate temporal data about them. A scenario is characterized by two markings (the initial and the final one) and the multiset of considered transition firings. The objective of our work is to derive the causality relations between these firings in order to obtain valid temporal information. Our approach ensures that no spurious causality is introduced, as will be explained in section 3.1. Among the different temporal Petri net models we use Merlin's one [7], named t-time Petri nets (enabling duration), because of its generality: timed Petri nets (firing duration) can be translated into t-time ones. In such Petri nets the time interval associated with every transition characterizes an imprecise enabling duration, and even ordinary Petri nets can be represented (an appropriate interval is then attached to every transition). The most used tool for this class of Petri nets is the reachability class graph proposed in [1, 6]. This tool permits a decision on state reachability taking into account time constraints, but the temporal results are too imprecise because of the poor exploitation of concurrency relations and because of the time manipulation: at each transition firing, the time is reset to zero. Each class represents a set of states (same marking but different time values) and can only be constructed for defined numerical values: no symbolic reasoning is available. Our work is within the linear logic framework and exploits its syntactic proof abilities: the sequent calculus. The basic result authorizing such an approach is the equivalence between the Petri net reachability problem and the linear logic sequent provability one [5]. Linear logic has been chosen because it allows an accurate characterization of state changes, production/consumption and concurrency notions. The approach differs from the reachability graph one because of the time treatment: we use a symbolic time representation. Firstly, this paper extends to t-time Petri nets the work presented in [8], which considered scenario durations of t-timed ones. For this purpose we use a pair of symbolic temporal stamps respectively representing production and consumption dates. These stamps are easily computed during the sequent proof process and produce valid symbolic dates attached to atomic propositions, but intermediary states are no longer available.

Secondly, these results are exploited along two directions.

We can use these symbolic atomic time stamps to decide on reachability. We will show that it is possible to differentiate structural reachability (not depending on temporal values) from temporal reachability (reachability depends on the temporal intervals associated with transitions). Moreover, among reachable markings, it is possible to derive time interval constraints permitting to distinguish necessarily reachable cases from possibly reachable ones.

We can use these symbolic time stamps to decide on conflicts between two scenarios. Both scenarios are considered and treated: dates are generated for each of them. Then these dates can be exploited to determine whether this conflict could be resolved by the strong semantics.

Two semantics exist for conflicts in t-time Petri nets: either we suppose that an enabled transition must necessarily be fired at the latest when its enabling duration reaches the upper bound of its interval (strong semantics), or we simply suppose that the enabling duration takes its value in the interval when the transition is fired, but that the transition may remain enabled for longer than the upper bound if it is not fired (weak semantics). In this case, it will no longer be possible to fire it. Looking at a sequence of transition firings, it is necessary to consider that the enabling durations are included in the intervals whether the semantics is the strong or the weak one. Conversely, in the presence of a conflict, the two semantics correspond to very different resolution strategies. Let us consider the t-time Petri net in figure 1 with two conflicting transitions and two different marking situations. If the production dates of the tokens equal 0 in the first two places and 2 for the token in the third place, strong semantics imposes firing the first transition within its interval, because the second transition could only be fired in its own interval (its enabling instant is 2), i.e., after the maximum wait for the first transition. On the contrary, with the weak semantics, we can choose to fire the second transition in its interval. In the first case, the conflict is resolved by the temporal considerations, whereas in the second one it is externally resolved.

Let us now suppose that the three tokens are simultaneously produced at the same date. In such a case, the first transition may be fired in its interval and the second one in its own interval. Reasoning with strong semantics, it is forbidden to overstep the date 3 without having fired the first transition, so the effective interval for firing the second one is no longer its own interval but a reduced one. In such a case, the temporal values do not permit to resolve the conflict, but, even so, the interval of the first transition has an influence on the firing of the second one. Considering weak semantics, where conflicts are always resolved by an external decision, transition firings are fully independent and only constrained by the time interval attached to the considered transition.

Section 2 presents the strong and weak semantics which are used in t-time Petri nets to resolve transition conflicts, and why linear logic proofs use the weak one. Then section 3 explains the proof method and the atomic time stamp mechanism. The domains on which time stamps take their values are derived from the domains of the enabling durations. Section 4 shows how it is possible to derive information about state reachability from atomic stamps by computing potential marking durations. Section 5 deals with conflicts and shows how it is possible to decide on the potential invalidation of some conflicting scenarios by using the state durations defined in section 4. So the strong semantics can be considered although proofs are done with the weak one.

2 T-time Petri nets: strong and weak semantics

In the timed net model, the interval associated with a transition characterizes the firing duration. During this time interval the tokens are neither in the input places (they are reserved) nor in the output ones. For t-time nets, the time interval associated with the transition corresponds to an imprecise enabling duration [7]: the tokens remain available in the input places of the transition. Thus, the interval [3,5] indicates that the transition will be fired at least three time units after it has been enabled and, at the latest, five time units after this enabling instant. The transition is fired instantaneously and the marking notion is meaningful. It is a general model, as every timed Petri net can be translated into a t-time one. Formally, an enabling duration is associated with each transition of the net; its domain is a time interval defined by a lower and an upper bound.

We first construct linear logic proofs using the weak semantics, but section 5 will explain how the strong semantics can be considered. This choice is tied to the linearity of the chosen logic (it corresponds to the monotonicity of ordinary Petri nets): if a sequence is firable from a marking, it remains firable if some tokens are added to the current marking. It means that the presence or absence of a token in the first place of the net of figure 1 must not influence the firing of the second conflicting transition. Furthermore, as we work with symbolic durations, we cannot use the strong semantics, which uses the numerical values of the intervals delimiting the enabling durations, to resolve conflicts. Weak semantics means that the enabling durations of the transitions can be freely chosen in their domains, independently of the conflicts.

The next section details how proofs are computed with respect to this semantics choice.

[Residue of figure 1 and of the beginning of the proof-tree example of section 3 (scenario in the net of figure 2): not recoverable.]

3 Linear logic's proof tree with dates

3.1 Reminders about linear logic


The translation of a Petri net into linear logic [4] has been presented in [8] (this approach differs from the work in [3] by explicitly introducing markings). A logic formula is associated with every marking and with every transition firing instance. A marking is a monomial in ⊗ of the atomic propositions denoting the marked places; if a place contains several tokens (n, for example), n instances of the corresponding proposition appear. A transition is a formula of the form "input marking ⊸ output marking" (in fact, the Pre and Post functions of the transition). This expression represents the transition firing: it appears in a sequent as many times as this transition is fired. For example, a firing instance of a transition of the net in figure 2 is denoted by such a formula, with the propositions of its input places on the left and those of its output places on the right. A sequent is associated with a scenario: the initial marking and the considered multiset of transition firings are the premises, the final marking is the conclusion. This sequent is then proved by applying the rules of the sequent calculus. Its provability is equivalent to the reachability of the final marking from the initial one [5], and the multiset of transition firings exhibits which transitions are fired. The sequent whose premises are the initial marking and the non-ordered list of the different firing instances of the concerned transitions, and whose conclusion is the final marking, represents the scenario. As usual within the sequent calculus framework, the proof is materialized by a tree which is read from bottom to top: the sequent to prove is written at the bottom of the tree. The proof stops when all the leaves of the tree are identity sequents (a sequent whose single premise and conclusion are the same atom, for example). Several proof trees are possible, but the proof is constructed in a canonical way [8]. The rules that we use for this canonical proof (which are formally given in the Annex) are: [rule list not recoverable]


Figure 1. Example of transitions in conflict

[Sections 3.2 to 3.4 (construction of the proof tree with dates, the step-by-step firings of the scenario on the net of figure 2 and the table of production and consumption dates of its atoms): not recoverable.]

This duration computation points out why using symbolic dates is powerful: it permits comparing dates and obtaining causality relations, in order to take into account the common past included in two different dates.

3.5 Delimitation of the domains

This subsection presents an approach to delimit the domains on which dates and durations take their values. In the t-time Petri net model, any enabling duration takes its values on a time interval. As the dates and durations computed in the previous section are functions of the enabling durations, their domains will also be time intervals. Stating that the domain of an enabling duration is a time interval and that selecting a value in this domain is free (weak semantics) amounts to stating that the enabling duration is an imprecise value delimited by a disjunctive interval. As imprecision is a particular case of fuzziness, we use the operations on intervals developed in [2] for fuzzy intervals to delimit the domains of dates and durations. From two intervals, several operations are defined: [definitions not recoverable]

A first remark is that, durations being positive numbers, their domain has to be restricted to positive values. A second remark is that working with symbolic expressions reduces imprecision. The duration of atom B in section 3.4 is a single enabling duration, taking its values on the interval of that duration: the imprecision due to a common past is eliminated. If we had computed it from the domains of its production and consumption dates, the imprecision on an enabling duration shared by both dates would have influenced the result, and the domain would have been wider: [expression not recoverable]

For example, let us consider the symbolic expression of the production date of R in the table of section 3.4. Its domain is the time interval: [expression not recoverable]

Figure 2. A Petri net

4 Reachability

4.1 Potential markings

We previously saw that symbolic dates could be very easily computed for each atom (token) during the proof tree construction, but, as markings are not used in our approach, we have no information about their reachability. In this section we are going to see that it is possible to derive marking reachability from the atom symbolic dates. In addition, when a marking is reachable, information about its production and consumption dates can be derived.

Definition 4 A potential marking is a set of atoms. Each atom has to appear at least once in one of the steps of the proof tree.

A potential marking is a way of considering a set of atoms in order to study its reachability. They do not necessarily have to appear in the same step of the proof tree. We denote it as a monomial in ⊗. A potential marking is reachable if it is a fragment (partial marking) of a marking which belongs to a trajectory between the initial and the final marking of the scenario represented by the considered sequent. An example of potential marking in the completely specified scenario studied in section 3.3 (the net is in figure 2) is:

[potential marking (3): not recoverable]

4.2 Dates and sojourn duration of potential markings

The proposed method assigns symbolic production and consumption dates to each atom involved in the studied scenario, but none to markings, as they are not directly managed. However, it is possible to derive such information by using simple min and max operators on the atom stamps. The presence of the potential marking is indeed derived from the intersection of the time intervals during which each of its atoms is present.

Definition 5 The production date of a potential marking is equal to the maximum of the production dates of all the atoms of this marking. The consumption date of a potential marking is equal to the minimum of the consumption dates of all the atoms of this marking.

For example, if we consider the potential marking of formula (3), its production date is:

[expression (4): not recoverable]

and its consumption date is:

[expression (5): not recoverable]

From these dates, it is now possible to derive the duration of such potential markings. As previously for atoms, we have the following definition:

Definition 6 The sojourn duration of a potential marking is defined as its consumption date minus its production date.

The major difference with respect to the sojourn duration of atoms is that this difference is not necessarily positive. As the computation of the production and consumption dates of the atoms is based on a linear logic proof tree, we have the guarantee that an atom cannot be consumed before its production. This guarantee does not exist for potential markings. Let us consider again potential marking (3): from the expressions of its consumption and production dates given in (5) and (4), we derive a sojourn duration which is equal to the difference of two enabling durations (6).

Another potential marking has a sojourn duration of [expression not recoverable]: it is not reachable whatever the values of all the enabling durations. If we consider a further potential marking (7), its sojourn duration is [expression not recoverable] and the potential marking is reachable for any values of all the enabling durations.

4.3 Reachability of a potential marking

Property 1 Let us consider a sequent defining a completely specified scenario (a unique partial order among the transition firings). If the sojourn duration of a potential marking is strictly positive, then it is reachable in the scenario.

As a matter of fact, all the atoms of the potential marking will be simultaneously present during the sojourn duration of the potential marking. From definition 6, the sojourn duration of a potential marking is the difference between two dates which are formal expressions of the durations attached to the transitions. We may have three cases:

if the symbolic expression of the sojourn duration can be proven positive, then the potential marking is structurally reachable (for any value of all the enabling durations);

if the symbolic expression of the sojourn duration can be proven negative, then the potential marking is structurally not reachable (for any value of all the enabling durations);

otherwise, the reachability of the potential marking depends on the values of the enabling durations.

Potential marking (3) corresponds to the third case: if the first of the two enabling durations in (6) is greater than the second one, then it is reachable.
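As an added example (not code from the paper or its authors), the following Python script implements Definitions 5 and 6 and the three cases of section 4.3 on symbolic dates represented as affine expressions in the enabling durations, and also carries out the interval delimitation of the domains that section 4.4 applies to potential markings. The scenario, the atoms, the variable names (N0 for the initial date, d1 to d5 for the enabling durations) and the interval domains are constructed assumptions; the symbolic max and min of Definition 5 are resolved only when the atoms' dates are comparable term by term, as they are when the atoms share a common past along one trajectory.

```python
"""Sojourn duration of a potential marking from symbolic atom stamps.

Added example: the scenario below (atoms, symbolic dates, variable names and
interval domains) is constructed for the illustration, not taken from the paper.
"""
from typing import Dict, List, Tuple

# A symbolic date is an affine expression  c0 + sum(c_v * delta_v)  over the
# enabling-duration variables of the scenario, stored as {variable: integer
# coefficient} with the constant term under the key "".
Expr = Dict[str, int]
Interval = Tuple[int, int]
Atom = Tuple[Expr, Expr]  # (production date, consumption date) of one atom

def date(const: int = 0, **coeffs: int) -> Expr:
    """Build a symbolic date, e.g. date(N0=1, d1=1) stands for N0 + delta_1."""
    e: Expr = {"": const}
    e.update({v: c for v, c in coeffs.items() if c != 0})
    return e

def sub(a: Expr, b: Expr) -> Expr:
    """a - b; the variables common to both dates (their common past) cancel."""
    out = dict(a)
    out.setdefault("", 0)
    for v, c in b.items():
        out[v] = out.get(v, 0) - c
    return {v: c for v, c in out.items() if c != 0 or v == ""}

def is_nonneg(e: Expr) -> bool:
    """e >= 0 for every value of the durations, all taken non-negative
    (section 3.5 restricts their domains to positive values)."""
    return e.get("", 0) >= 0 and all(c >= 0 for v, c in e.items() if v != "")

def structural_sign(e: Expr) -> str:
    """Section 4.3: 'positive' or 'negative' when the sign of e is provable
    whatever the (strictly positive) durations, 'depends' otherwise."""
    nonzero = any(c != 0 for c in e.values())
    if nonzero and is_nonneg(e):
        return "positive"
    if nonzero and is_nonneg(sub({"": 0}, e)):
        return "negative"
    return "depends"

def sym_max(dates: List[Expr]) -> Expr:
    """The date dominating all the others for every value of the durations;
    raises when the dates are not comparable term by term."""
    for cand in dates:
        if all(is_nonneg(sub(cand, other)) for other in dates):
            return cand
    raise ValueError("dates are not symbolically comparable")

def sym_min(dates: List[Expr]) -> Expr:
    for cand in dates:
        if all(is_nonneg(sub(other, cand)) for other in dates):
            return cand
    raise ValueError("dates are not symbolically comparable")

def marking_dates(atoms: List[Atom]) -> Tuple[Expr, Expr]:
    """Definition 5: max of the production dates, min of the consumption dates."""
    return sym_max([p for p, _ in atoms]), sym_min([c for _, c in atoms])

def sojourn_duration(atoms: List[Atom]) -> Expr:
    """Definition 6: consumption date minus production date (may be negative)."""
    prod, cons = marking_dates(atoms)
    return sub(cons, prod)

def bound(e: Expr, domains: Dict[str, Interval]) -> Interval:
    """Interval of e when each variable ranges over its domain (section 4.4)."""
    lo = hi = e.get("", 0)
    for v, c in e.items():
        if v != "":
            a, b = domains[v]
            lo += c * (a if c > 0 else b)
            hi += c * (b if c > 0 else a)
    return lo, hi

def reachability(atoms: List[Atom], domains: Dict[str, Interval]) -> str:
    """Structural answer of 4.3 when available, else the three cases of 4.4."""
    d = sojourn_duration(atoms)
    sign = structural_sign(d)
    if sign != "depends":
        return "structurally " + ("reachable" if sign == "positive" else "not reachable")
    lo, hi = bound(d, domains)
    if lo > 0:
        return "necessarily reachable"
    if hi < 0:
        return "not possibly reachable"
    return "possibly reachable"

def naive_bound(atoms: List[Atom], domains: Dict[str, Interval]) -> Interval:
    """Bounding both dates separately and subtracting the intervals: the shared
    past is counted twice, which widens the result."""
    prod, cons = marking_dates(atoms)
    (plo, phi), (clo, chi) = bound(prod, domains), bound(cons, domains)
    return clo - phi, chi - plo

# Constructed scenario: N0 is the date of the initial marking, d1..d5 the
# enabling durations of the fired transitions. Atom a is produced by t1
# (date N0 + d1) and consumed by t2; atom b is produced by t3, fired after t1,
# and consumed by t5, fired after t2.
ATOMS_PM3: List[Atom] = [
    (date(N0=1, d1=1), date(N0=1, d1=1, d2=1)),
    (date(N0=1, d1=1, d3=1), date(N0=1, d1=1, d2=1, d5=1)),
]
DOMAINS: Dict[str, Interval] = {
    "N0": (0, 0), "d1": (0, 10), "d2": (1, 4), "d3": (2, 3), "d5": (1, 2),
}

if __name__ == "__main__":
    print(sojourn_duration(ATOMS_PM3))  # {'': 0, 'd2': 1, 'd3': -1}, i.e. d2 - d3
    print(reachability(ATOMS_PM3, DOMAINS))  # possibly reachable
    print(bound(sojourn_duration(ATOMS_PM3), DOMAINS), naive_bound(ATOMS_PM3, DOMAINS))
```

With these constructed domains, `bound` applied to the symbolic difference d2 - d3 gives (-2, 2), so the marking is only possibly reachable, while subtracting the two separately bounded dates gives (-12, 12): the common past (N0 and d1) has been cancelled before bounding, which is the imprecision reduction described in section 3.5. Shrinking the domain of d2 to (4, 6) and that of d3 to (1, 2) turns the verdict into "necessarily reachable".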

4.4 Delimitation of the domains for potential markings

As for the production and consumption dates of the atoms and for their sojourn durations, we can use the delimitation of the domains of the enabling durations (time intervals) in order to delimit the domains of the production and consumption dates and of the sojourn durations of the potential markings. We focus here on the sojourn durations because we are interested in characterizing the reachability of potential markings. Let the domain of the sojourn duration of a potential marking, derived by using the computation rules introduced in subsection 3.5, be the interval delimited by a lower and an upper bound. We have to point out that the bounds of the domain are not necessarily reachable when the difference rule is used with variables shared between its two operands. We have the three following cases:

if the lower bound is positive, then the potential marking is necessarily reachable (it is reachable whatever the values of the durations on their domains);

if the upper bound is negative, then the potential marking is necessarily not reachable (whatever the values of the durations on their domains); in other words (with the vocabulary of possibilistic logic), it is not possibly reachable;

otherwise the potential marking is possible: it is possible (but not necessary) to find values of the enabling durations in their intervals such that it is reachable, and other ones such that it is not reachable.

Let us consider the example of potential marking (3) with specific values for the domains of the enabling durations: [numerical domains not recoverable]. As the sojourn duration of potential marking (3) is the difference of two enabling durations, its reachability depends on the values of the enabling durations (no structural reachability or unreachability). The bounds of the domain of the sojourn duration are [lower bound not recoverable] (which is always negative) and [upper bound not recoverable]. This marking is possibly reachable if [condition not recoverable] and unreachable if [condition not recoverable]. Its reachability is independent of the other enabling durations.

Figure 3. A transition conflict in a Petri net

5 [section title not recoverable]

In this section we illustrate the fact that it is possible in some cases to construct scenarios and to calculate the sojourn times of tokens and potential markings with the weak semantics, and to derive from this analysis that some scenario can invalidate another one in the context of the strong semantics.

5.1 Potentially invalidating scenarios

Definition 7 Let us consider two scenarios S and S′. We say that S′ potentially invalidates S if and only if

S and S′ have the same initial current step,

S′ contains at least one transition which does not [condition not recoverable].

[Remainder of section 5 not recoverable.]

Conclusion

We have shown in this paper that it is possible to decide on reachability and conflicts in a temporal framework such as t-time Petri nets with the help of linear logic. In order to get such results, we had to use two different approaches: the weak semantics and the strong semantics. The weak semantics has been used, in order to respect the linearity of linear logic and to be consistent with the monotonicity of Petri nets, to solve the reachability aspect. Indeed, for this aspect, we want to build proof trees with symbolic values, because we have seen that working with numerical values increases the imprecision on dates and loses the causality information. The strong semantics approach would have imposed the use of numerical values and, thereby, increased the imprecision. Furthermore, using the symbolic production and consumption dates, the sojourn duration of a potential marking can be derived. The considered potential markings are effectively reachable if their durations are not negative. Using these potential durations, it is possible to characterize different degrees of reachability that depend or not on the numerical values of the enabling durations. Structural reachability is valid whatever the intervals associated with the transitions. When marking reachability depends on these values, it is possible to derive reachability conditions. At last, we have studied how the resolution of temporal conflicts could be evaluated in the context of the strong semantics by using the dates obtained with the weak semantics. We have shown examples where a scenario is effectively invalidated and others where both conflicting scenarios can occur. Such information is derived from a comparison between the duration of potential markings and the enabling durations of the conflicting transitions. As the symbolic date computation is derived within a specific scenario framework, we first have to compute the time stamps of both conflicting scenarios. Watchdog mechanisms can thus be considered. The main characteristic of this work is the way time is manipulated. Symbolic dates are generated for each atom, and from these atomic stamps marking reachability and conflict resolution can be accurately studied. The causality relations expressed within these time stamps allow an interesting result: the imprecision due to a common past is eliminated. Moreover, this method is not limited to 1-bounded Petri nets. Future work will concern the treatment of conflicts by using, for example, some other linear logic connectives (the additive ones). They are well suited for expressing choices, but the construction of proof trees using such connectives needs further work.

References

[1] B. Berthomieu and M. Diaz. Modeling and verification of time dependent systems using Time Petri nets. IEEE Trans. on Software Engineering, 17:259–273, 1992.

[2] D. Dubois and H. Prade. Processing fuzzy temporal knowledge. IEEE Transactions on Systems, Man and Cybernetics, 19(4):729–744, 1989.

[3] V. Gehlot. A proof theoretic approach to semantics of concurrency. PhD thesis, University of Pennsylvania, 1992.

[4] J.-Y. Girard. Linear logic. Theoretical Computer Science, 50:1–102, 1987.

[5] F. Girault. Formalisation en logique linéaire du fonctionnement des réseaux de Petri. PhD thesis, Université Paul Sabatier, Toulouse, France, December 1997.

[6] M. Menasche and B. Berthomieu. Time Petri nets for analysing and verifying time dependent protocols. Third International Workshop on Protocol Specification, Testing and Verification, June 1983.

[7] P. Merlin and D.J. Farber. Recoverability of communication protocols: implementation of a theoretical study. IEEE Trans. on Communications, COM-24(9):1036–1043, September 1976.

[8] B. Pradin-Chézalviel, R. Valette, and L.A. Künzle. Scenario duration characterization of t-timed Petri nets using linear logic. In IEEE PNPM'99, pages 208–217, Zaragoza, Spain, September 6-10 1999.

ANNEX: RULES OF THE INTUITIONISTIC LINEAR LOGIC (ILL) USED IN THIS PAPER

In the rules, the capital letters denote formulas (not necessarily atomic ones) and the Greek letters denote blocks (with possibly the meta connective ",").

Identity group: the id and cut rules. [rule schemata not recoverable]

Structural group: [rule schemata not recoverable]