Calculating duration of concurrent scenarios in time Petri nets

efficient for concurrency: it often leads to a combinatory explosion because of interleaving. ... The derived time information will only be accurate if and only if.
Télécharger le PDF
156KB taille 1 téléchargements 289 vues
commentaire
Report
Calculating duration of scenarios in time Petri nets

concurrent

Brigitte Pradin-Chézalviel *,** — Luis Allan Künzle *** — François Girault * — Robert Valette * *

LAAS-CNRS, 7, Av. du colonel Roche F-31400 Toulouse FRANCE {chezalviel, girault, robert}@laas.fr **

and IUT « A », Université Paul Sabatier, Toulouse, FRANCE

***

CPGEI/CEFET-PR, Av. 7 de Setembro, 3165 80230-901 Curitiba (PR) BRASIL [email protected]

ABSTRACT. Using basic notions such as sequence and parallelism, this paper shows how to describe a scenario with maximal concurrency. Because of the equivalence between reachability problem in Petri nets and provability of a linear logic sequent, using the sequent calculus rules, it is possible to derive the scenario from the linear logic proof tree. The maximal concurrent scenario, and its associated partial order, is then deduced from this tree by changing the application order of the sequent calculus rules. Using this method, it is possible to characterize both the structural concurrency and the dynamic one (concurrency due to the marking of the net). With this partial order, we then can calculate the scenario duration for time Petri nets without generating the global state graph. We are so capable to deal with cyclic Petri nets and the method is not restricted to 1-bounded ones. RÉSUMÉ. Cet article montre comment il est possible de décrire un scénario à parallélisme maximal en utilisant les notions de base que sont la séquence et le parallélisme. Grâce à l’équivalence entre l’accessibilité en réseau de Petri et la prouvabilité d’un séquent en logique linéaire, le scénario est déduit de l’arbre de preuve du séquent. Le scénario à parallélisme maximal est ensuite obtenu à partir de cet arbre par permutation de l’ordre d’application des règles du calcul des séquents. Cela nous permet de prendre en compte à la fois le parallélisme structurel et celui dû au marquage. L’ordre partiel de ce scénario étant connu, il est alors possible d’en déduire la durée du scénario du réseau de Petri temporel directement, sans avoir à générer complètement son graphe d’accessibilité. Les réseaux traités peuvent être non saufs et cycliques ce qui rend la méthode relativement générale. KEY WORDS : Petri nets, linear logic, sequent calculus, concurrency MOTS-CLES : réseaux de Petri, logique linéaire, calcul des séquents, parallélisme

1. Introduction In order to reason about temporal evolutions of discrete event systems it is necessary to build models of their dynamic behavior. Time Petri nets are an interesting tool for this purpose. A time interval is attached to each transition: it represents the enabling time interval during which the transition can be fired when all its input places are marked. Sequences duration is then defined by imprecise intervals. The main method for analyzing time Petri nets is the class graph proposed in [MEN 83], [MEN 85], [BER 91]. It permits to correctly characterize reachable states but it can only be applied in case of safe Petri nets. This method is not very efficient for concurrency: it often leads to a combinatory explosion because of interleaving. More, when looking at duration of such concurrent scenarios, interleaving increases time imprecision because, in this class graph method, clocks are reset after each transition firing. Other approaches propose different tools to reason about the dynamic behavior of a Petri net. Frequently they assume that places are logical propositions and they are thus limited to safe and non cyclic Petri nets. This limitation is not acceptable when modeled systems are complex manufacturing ones, for example. In this paper, we are going to see how it is possible to get a correct characterization of imprecise duration of scenarios, denoted by intervals. A scenario is defined as a multi-set of transition firings provided with a partial order relation between these firings. Such a partial order relation permits, for example, to deal with two concurrent sub-scenarios. In addition, an initial marking and a final one are associated to this partially ordered multi-set. The originality of our work is that we are able to derive duration intervals without constructing any class graph: the only considered parts of the Petri net are those involved in the scenario. In order to do this, we use linear logic because of its ability to handle resources and specially multiple copies. Because of linear logic we are able to analyze non safe and cyclic Petri nets. The calculus is constructed on two main steps: firstly, we derive the scenario structure (partial order relation) from the proof of the linear logic formula associated to the scenario and, secondly the duration interval is calculated from this scenario structure, using time intervals associated to transitions included in this multi-set. The derived time information will only be accurate if and only if concurrency is correctly taken into account: it is necessary to get the maximal concurrency included in this scenario, otherwise results will be too much imprecise. Section 2 presents relationships between Petri nets and linear logic. Starting from a representation of a Petri net by means of a set of linear logic formulas, it is possible to prove reachability between two markings of a Petri net. We exploit in this paper the equivalence between reachability in Petri nets and sequent provability in linear logic. In order to prove a sequent we first construct the proof tree using the sequent calculus rules. This proof tree is then used to derive the partial order relations between transitions firings: this order depends on the application order of the sequent calculus rules and is then used to calculate the duration. However the proof tree of a linear logic sequent is not unique. In section 3 we look

2

at the method proposed in [GEH 89], [GEH 91] to obtain a proof tree with maximal concurrency. This method gives interesting results for structural concurrency but cannot represent dynamic concurrency induced by markings and does not correctly characterize partial orders in case of conflicts. We exhibit some basic examples in order to show it and so, we explain why it is not sufficient. Section 4 proposes to improve this method to solve some issues presented in previous section. We specially treat some cases where dynamic concurrency (due to markings) is essential for an accurate time evaluation. The most important point is that the duration is exact when partial order relations are correctly derived. This method is based on two basic operations (“sequence” and “parallelism”) but they are not always sufficient to handle complex structures. We propose an example illustrating this limitation. In such cases we get a valid but too imprecise scenario duration. Conclusion permits to compare this method with the class graph one and gives some ideas about how it would be possible to characterize complex order relations.

2. Petri nets and linear logic Linear logic was proposed by J.Y. Girard [GIR 87]: because of its new connectors, it is able to handle resources. Indeed, it clearly differentiates a unique copy of a resource p (expressed by proposition p) from the presence of two copies of this resource (proposition p⊗p) [GIR 97a]. The sequent calculus associated to this logic is based on a new set of connectors and rules: main differences with classical logic are due to the absence of usual contraction and weakening rules. Theses rules are precisely the ones forbidding the correct handling of multiple copies because of the equivalence (in classical logic) between propositions p AND p and p. Deleting these rules leads to split each one of the classical AND and OR connectors into two different ones. In place of these two connectors, we get four different ones and these new definitions also have consequences on implication and negation semantics. In this paper we will only use two linear logic connectors: ⊗ to represent resource accumulation (formula a⊗b⊗b expresses that one copy of resource a and two copies of resource b are available) and ο that is the linear logic implication. This implication permits to handle resource production and consuming: doing so we can represent system changes. For example, formula a ο b states that resource a is consumed when resource b is produced.

2.1. Representing a Petri net by means of a set of linear logic formulas We use in this paper the representation of ordinary Petri nets by means of linear logic proposed by [GIR 97a], [KUN 97], [GIR 97b], where any marking is defined by a formula including the ⊗ connector to express the resource accumulation. A logical proposition P is associated to any place P of the net: it expresses the availability of one token in place P. In case of several tokens, there are several propositions P tied up by a ⊗ connector. For example, formula P⊗P⊗Q denotes a

3

marking with two tokens in place P and one in place Q. Each transition is defined by a formula involving the ο connector: its left part defines the minimal marking necessary to fire this transition t and the right one denotes the marking produced by the transition firing. Each transition is then defined by: t : ( ⊗ i∈ Pre(t) Pi

ο

⊗ o∈Post(t) Po )

[1]

If edge weight is greater than 1, the corresponding place proposition is repeated. In case of elementary loops the same place proposition appears both in the left and right part because, according to linear logic rules, it cannot be simplified. The transition firing of this transition t is described by a linear logic sequent:

M 1 , ( ⊗ Pi ο ⊗ Po)

| M2

[2]

where markings M1 and M2 respectively denote the marking before and after the transition firing. 2.2. Scenario definition This transition firing formula can be extended to a multi-set of transitions. We then get sequents of type [3] where ti denotes a formula expressed by [1] :

M 1 , t1 , ... , tn | M2

[3]

Markings M1 and M2 respectively denote the marking before and after the firing of the multi-set of transitions. In this multi-set each transition exactly appears the number of times it is fired (0, 1, 2, …). This sequent does not contain any information about the firing order because of the commutativity of linear logic (the transition multi-set description does not express any order relation). Nevertheless we will see later that such a partial order relation can be derived from the sequent proof. A scenario is then defined as a multi-set of transitions firings, an initial marking and a final one and can be expressed by a linear logic sequent. If time considerations are involved we are first interested in its validity (is the final marking reachable from the initial one by exactly firing all transitions of the multi-set ?) and second in the partial order between transition firings in order to calculate duration of this scenario.

2.3. Relationships between Petri net reachability and linear logic provability One of the main results of [GIR 97a] is the proof that the reachability problem between two markings of a Petri net (by firing scenario s = (t1,…,ts)) is equivalent to

4

the provability of the associated linear logic sequent defined by [3] : s M → M’



M , t1 , ... , ts | M’

This result is a very important one because it permits to state about the reachability between two states without considering the whole Petri net and without constructing the reachability graph. The answer is obtained by only considering those net elements which are involved in the scenarios s, (other elements of the net are not considered), and by proving the associated linear logic sequent.

2.4. Scenario duration The duration of any scenario s depends on the partial order relations among the different transition firings included in s. We are going to see how it is possible to derive this order from the proof net of the associated linear logic sequent. This proof net uses the usual sequent calculus but we restrict it to two basic rules defined in [KUN 97]. The first one, denoted SEQ, permits to build a scenario s = (s1 . s2) equal to a strict sequence of two sub-scenarios s1 and s2. The second rule, denoted PARA, permits to build a scenario s = (s1||s2) as the parallel composition of two subscenarios s1 and s2. With both rules, the multi-set of transition firings s is the union of the two multi-sets s1 and s2.

M 1 , s 1 | M 2 M 2 , s 2 | M 3 SEQ M 1 , s 1 , s 2 | M 3 M 1 , s 1 | M 2 M 3 , s 2 | M 4 PARA M 1 ⊗ M 3 , s1 , s 2 | M 2 ⊗ M 4 If the studied net is a time Petri net, it is then easy to get duration of the scenario s (expressed by an interval) from time intervals associated with the transitions. When using the SEQ rule, duration of scenario s_seq = (s1 . s2) is obtained by adding the two sub-scenarios durations : duration (s_seq) = duration(s1) + duration (s2). When using the PARA rule, as the two sub-scenarios are concurrently fired, the duration of scenario s_para = (s1||s2) is equal to the longest duration: duration (s_para) = max ( duration(s1), duration(s2) ). Durations being expressed by intervals (an [Lowi , Highi] interval is associated to each scenario si) the two duration calculus rules are: duration (s_seq) = [ (Low1 + Low2 ) , (High1 + High2 ) ] duration (s_para) = [ max (Low1 , Low2) , max (High1 , High2) ]

5

For example, for the Petri net in figure 1, duration of scenario (t1 . t2 ) is [2,5] and that of ((t1 . t2 ) || t3) is [3,5]. A

t1

B

[1,2]

t2

[1,3] [4,4]

[3,4]

D

C

t3

E

t4

F

Figure 1: a time Petri net involving concurrency

The efficiency of this method is tied up to the correct description of the partial order included in the scenario: if the maximal concurrency is not completely described, we will get imprecise durations (pessimistic durations because some useless wait state will be introduced). This partial order is derived from the proof tree generated by the linear logic sequent but, for a given sequent, the proof tree is not unique. So, we have to rewrite any proof tree in another one describing the maximal concurrency.

3.

Maximal structural concurrency

3.1. The method proposed by Gehlot The purpose of the work presented in [GEH 91] is to get the maximal concurrency allowed by the structure of a Petri net. The author starts from a Petri net representation that differs from the one we introduced in this paper: he does not describe the transition firings but only the transitions themselves. For this representation, he introduces supplementary axioms (proper axioms) to linear logic: each transition is expressed by such a proper axiom. But there is not any representation of current marking: no marking (or state) information can be deduced from this purely structural representation. Then, he exhibits an algorithm permitting to rewrite any consistent proof tree in another one that expresses the maximal concurrency induced by the structure of the net. In order to simplify the presentation of his method we again use the previously defined rules (SEQ and PARA): in fact, Gehlot uses some slightly different rules, because of his different representation of Petri nets, but the purpose here is only to get an idea about his method. The Gehlot’s method consists in exchanging the application order of these two rules in order to eliminate non necessary uses of the SEQ rule: it takes its inspiration from the classical method used for cut reduction in logic proofs because the SEQ rule is a particular case of the CUT one. The objective in his method is not to suppress all the

6

SEQ rule occurrences in the proof tree, but to bring up them at the top of the tree. Doing so, he derives, when it is possible, sequences of basic transitions rather than sequences of compound sequences. The two basic rewriting rules are: — rewriting a scenario ( (s1 . s2) . s3) into (s1 . (s2 . s3) ) by exchanging the order of two occurrences of SEQ rule, — rewriting a scenario ( (s1 || s3) . (s2 || s4) ) into ( (s1 . s2) || (s3 . s4) ) by exchanging the application order of SEQ and PARA rules. Of course, these rewriting rules can only be applied if some specific conditions are verified (for a detailed presentation see [KUN 97] ). In addition, it is necessary to control the rewriting process in order, for example, to avoid loops: Gehlot creates a system consisting in marking the different SEQ and PARA rules occurrences. The most important rule of this algorithm is the second one because it permits to put in sequence scenarios longer than the original ones. The idea is to apply the SEQ rule to find, when they exist, maximal structural links between transitions rather than between scenarios already including concurrency. To get an idea about the results of this method, let us look at a scenario, on the Petri net in figure 1, starting from marking A⊗D and leading to marking C⊗F. It contains each transition exactly once. We are going to compare the results obtained by such a linear logic approach (characterizing a scenario by a linear logic formula and proving it) with results given by the usual class graph method. As this example is a very simple one, we are able to know its exact duration: with considered intervals, it is [7,8]. The class graph for this net is presented on figure 2: classes containing two nodes are classes where time is increasing without any marking change. For example, starting from marking A⊗D , one time unit is necessary before any transition can be fired. When class changes correspond to transition firings the name of the fired transition is written on the edge as well as the time interval value at the firing instant. In order to simplify the graph, we do not represent all interval values but only those that correspond to transition firings. Let us remind the principle of the class graph method: a class is defined both by its marking and by an inequality set representing relations between the firing dates of all enabled transitions. Starting from marking A⊗D this graph contains 2 paths leading to class C6 corresponding to the final marking C⊗F: the first one involves classes C4 and C5 and the second one classes C2 and C3. Their durations are respectively [4,11] and [6,11] and then the characterization of the scenario duration based on the class graph is [4,11]. When considering this example with a linear logic approach, we derive from the proof net the maximal concurrent scenario ( (t1 . t2) || (t3 . t4) ) which associated duration is max ( [2,5] , [7,8] ) = [7,8] ; this is the exact duration of this scenario. In this example concurrency is accurately characterized by linear logic and

7

imprecision has not been increased. On the other hand, the class graph proposes two possible durations (the exact interval is included in the derived ones) but in both cases imprecision has been increased.

C4

C5 [0,2]

C1

C0 [0,1]

1 AD

BE

AD

[0,2]

[2,4]

BD

t1

C6

t4

t3

1 BD

CE t2

CF [0,2]

[0,0] [0,2]

t2

CE

CD

t4

4 CE

t3 C2

C3

Figure 2 : the class graph starting from marking A⊗ D

3.2.

Limitations of the Gehlot’s method

This algorithm is efficient but it has two serious drawbacks: — it only considers the structural concurrency of a Petri net and is totally unable to take into account concurrency generated by the net marking. Indeed, as we previously said, Gehlot’s representation of Petri nets in linear logic never involves markings. For example, let us again consider the net in figure 1, and specifically two scenarios including only transitions t1 and t2: these scenarios correspond to two different initial markings. With A as initial marking, the maximal concurrent scenario is (t1.t2) but if the initial marking is A⊗B the most concurrent one is (t1||t2). Indeed in this last case, both transitions are concurrently enabled. Of course the associated durations differ: they are respectively [2,5] and [1,3]. It is a prime necessity to be able to characterize the duration difference between these 2 scenarios that do not differ on the involved transitions but only on the initial and final markings. In the following of this paper, we will denote such a type of concurrency as “dynamic concurrency”: we will propose in next section a set of new rewriting rules and an algorithm to take into account such a type of concurrency. — it only derives a unique scenario but in some cases there are several accurate characterizations expressing structural concurrency. In such situations the Gehlot’s

8

algorithm, at random, gives one expression and does not permit to detect that there are several ones. In case of multiple structural concurrent expressions it is necessary to analyze all of them because they can lead to very different durations. To solve this problem we propose a new rewriting rule: it consists in splitting the proof tree into two different ones to analyze the two ways to solve the conflict. Let us give an example of such a structural concurrency. If we consider the Petri net in figure 3 and the scenario starting from marking A⊗D and leading to marking C⊗F, it involves exactly once each transition t1 to t4. As a matter of fact, there are two possible scenarios satisfying the maximal structural concurrency condition : either s1 = (t1 . t2 ) || (t3 . t4 ) or s2 = (t1 . t4 ) || (t3 . t2 ) as this Petri net includes a conflict between t2 and t4. With values presented in figure 3 their respective durations are: duration (s1) = [ 6 , 8 ] duration (s2) = [ 4 , 8 ] As values are not considered during the scenario characterization process, it is not possible to detect, at the logical level, which is the best. Moreover, in this case conflict resolution depends on decisions that are external to the usual Petri net behavior. So, in such cases it is absolutely necessary to be able to detect all scenarios that are maximally concurrent and to generate them. Let us note that the scenario characterization process is generic as it is independent from the time interval values: the derived algebraic expressions for these scenarios can then be used whatever the time values. t1

A

t2

C

B

D

[1,2]

[1,4]

[3,4]

[3,4] t3

t4

F

Figure 3: several maximal structural concurrent scenarios

This Petri net exhibits a very interesting case of structural concurrency. One could think that it is possible to express it by another more powerful expression as s3 = (t1 || t3 ) . (t2 || t4 ) . But, this scenario s3 is not the most concurrent one because it introduces some non existent condition: it enforces that both transitions t1 and t3 have been fired before firing any of transitions t2 and t4. Clearly, it does not correspond to the Petri net behavior and fortunately both methods (the one presented by Gehlot and the method we propose in this paper) are able to detect this and to respectively propose either a unique (and random among s1 and s2) scenario in case of Gehlot’s algorithm or both scenarios (s1 and s2) for our method.

9

4. Maximal structural and dynamic concurrency The target of the method proposed in this paper is to clear up the two difficulties presented in previous section: first, the ability to characterize dynamic concurrency as well as structural one and second the possibility to detect multiple maximally concurrent scenarios. The description of the algorithm can be found in [KUN 97] : we only give in this paper the principles and broad outlines of our approach. It is based upon the Petri net representation presented in section 2: as it takes into account markings, it is then possible to deal with dynamic concurrency. The second difficulty will be solved by detecting situations where there are several maximally concurrent scenarios: in such cases, linear logic proof net will be split into several ones (one for each scenario).

4.1. Method principles In order to accurately consider dynamic concurrency we have to both consider the minimal necessary partial marking to fire any scenario (this is done by our Petri net representation of a scenario firing) and current partial marking of the net (the firing context). These firing contexts appear in any proof tree as some particular linear logic sequents (identity ones) named “marking sequents”. Their generic form is M | M where M is a partial marking. It is then necessary to create a particular instance of the PARA rule, derived from the same original sequent calculus one, that exhibits the firing of a scenario in a marking context greater than the minimal necessary one. M | M M1 , s1 | M2 CONTEXT M ⊗ M1 , s1 | M2 ⊗ M

Main steps of the algorithm are: — to rewrite any linear logic proof tree in order to get the maximal structural concurrent scenario (we use a method similar to Gehlot’s one but slightly modified in order to detect conflicts), — to split every marking sequent into elementary ones (an elementary marking sequent involves a unique token), — to lead (as far as possible) the marking sequents down to the bottom of the proof tree: the objective is to permit to further rewrite the tree by transforming a SEQ rule instance into a PARA one, — to use these marking sequents up to the top of the tree trying to get the maximal dynamic concurrency in both branches of the tree (left and right ones). Let us just give some typical examples of the rewriting process. The most meaningful one is a case where current marking permits to concurrently fire 2 transitions that structurally are sequential ones: it exactly represents the

10

“dynamic concurrency” notion. When a marking sequent permits to transform a scenario (s1 . s2) into (s1 || s2), it corresponds to rewrite an application of a SEQ rule followed by a CONTEXT one into a PARA rule occurrence. The rewriting of the following proof tree

M 1 , s1 | M 2 M 2 , s 2 | M 3 SEQ M 1 , s 1 , s 2 | M 3 M2 ⊗ M 1 , s1 , s 2 | M2 ⊗ M 3

M 2 | M 2 CONTEXT

by using marking M2 to concurrently fire s1 and s2 results in:

M 1 , s 1 | M 2 M 2 , s 2 | M 3 PARA M2 ⊗ M 1 , s 1 , s 2 | M2 ⊗ M 3 Let us remark that, in the new proof tree, the marking sequent is no more available for another deduction, so indicating that corresponding tokens have been “consumed” by the concurrent firing.

Another interesting rewriting example concerns the way it is possible to move up in the tree any marking sequent in case of concurrent scenarios. Let us look at such a partial tree.

M 1 , s1 | M 2 M 3 , s 2 | M 4 PARA M | M M1 ⊗ M 3 , s 1 , s 2 | M2 ⊗ M 4 M ⊗ M1 ⊗ M 3 , s 1 , s 2 | M ⊗ M2 ⊗ M 4

CONTEXT

This marking context M cannot be immediately used since scenarios are concurrent but it can be useful to transform any internal SEQ rule occurrence into a PARA one either in s1 or s2. As we do not know which one contains such a situation we have to split the tree into two different ones: so, all possible maximal concurrent scenarios will be generated. The two different trees to be considered are: M 1 , s1 | M 2 M | M CONTEXT M 3 , s 2 | M 4 M ⊗ M 1 , s1 | M ⊗ M 2 M ⊗ M1 ⊗ M 3 , s 1 , s 2 | M ⊗ M2 ⊗ M 4

PARA

and M 3 , s 2 | M 4 M | M CONTEXT M ⊗ M 3 , s 2 | M ⊗ M 4 M ⊗ M1 ⊗ M 3 , s1 , s 2 | M ⊗ M2 ⊗ M 4

M 1 , s1 | M 2

PARA

11

4.2. Some examples As a first example, let us consider the net in figure 1 and two different scenarios: both involve firings of transitions t1 to t4 (once) but they differ about initial and final markings. If we consider the scenario

A ⊗ D , t 1 , t 2 , t 3 , t 4 | C ⊗ F the algorithm derives s1 = (t1 . t2) || (t3 . t4) as maximal concurrent scenario expression. We previously saw that its duration is [7,8] and is exact. The parallel operator used in this expression corresponds to structural concurrency. Consider now the second scenario on the same net:

A ⊗ D ⊗ E , t 1 , t 2 , t 3 , t 4 | C ⊗ F ⊗ E The maximal concurrent scenario derived is s2 = (t1 . t2) || t3 || t4 ; it contains 2 parallel operators, the second occurrence expressing dynamic concurrency while the first one stands for structural concurrency. Scenario duration is [4,5] and is very different from the previous one: this example again shows the necessity to accurately characterize all existing concurrency relations. The purpose of the second example is to illustrate the effect of dynamic concurrency in a more complex situation. We again consider the Petri net in figure 3 and look at two different scenarios only differing about initial and final markings (they both involve one firing of transitions t1 to t4). Whatever the scenario, this example cannot be studied with the class graph method because this Petri net is a non safe one. The first scenario is:

A ⊗ D , t 1 , t 2 , t 3 , t 4 | C ⊗ F As it contains a conflict, the algorithm treats the two different ways to solve it and, consequently, there are 2 possible maximally concurrent scenarios : s1 = (t1 . t2) || (t3 . t4) and s2 = (t1 . t4) || (t3 . t2) Their respective durations are [6,8] et [4,8]. The second scenario is: A ⊗ D ⊗ B , t 1, t 2 , t 3 , t 4 | C ⊗ F ⊗ B As initial marking contains a token in B, it introduces dynamic concurrency but, because of the conflict, several ways of concurrently firing transitions have to be considered. We finally get 4 possible expressions corresponding to maximal concurrent scenarios. s11 = t1 || t2 || (t3 . t4) and s12 = (t1 . t2) || t3 || t4 s21 = t1 || t4 || (t3 . t2) and s22 = (t1 . t4) || t3 || t2

12

Their respective durations are [6,8], [3,6], [4,8] and [4,6]. These both examples exhibit how it is crucial to correctly handle partial order relations in order to calculate durations associated to scenarios. But example in next section is going to exhibit some case where it is more difficult to express partial order .

4.3. More complex partial orders, limitations of the approach This method is efficient but it admits limitations: some maximal concurrency situations cannot be expressed because the only sequential and parallel operators are not able to describe complex partial orders. As an example, consider the Petri net in figure 4. For sake of simplicity we only consider precise values and intervals associated to transitions are precise ones (high and low bounds are equal) but it does not change the linear logic derived results since the interval values are not considered when trying to get maximal concurrency. t1

B A

t2

C

tbeg

D tend

[5,5]

[α,α]

Z

M [5,5]

[1,1] E

t3

[1,1] F

t4

[1,1] G

Figure 4 : a Petri net with complex concurrency relations The behavior of this net depends on values of α parameter (1 and 10 for example). The structure of this net contains some special characteristics: there are two concurrent paths (t1.t2 and t3.t4) but place M creates a partial link between these paths. Consider first the scenario starting from marking A and leading to Z by firing exactly once each transition of this net:

A , t beg , t 1 , t 2 , t 3 , t 4 , t end

|

Z

Its exact duration depends on α value. Our method proposes s1 = tbeg . (t1 || t3) . (t2 || t4) . tend as algebraic expression for this scenario. Synchronization induced by place M has been taken into account: there is a “sequence” operator between (t1 || t3) and (t2 || t4). Using this algebraic expression, durations are 12 and 17 according to α values: this is not an accurate characterization. For some values of α parameter, duration results can be correct but this is not true for every α value (in this example, this characterization is correct when duration of t1 is greater than t3 one).

13

Some other algebraic formulas can be tried but all of them fail to always describe the real behavior of this net: existing order relations are correctly characterized but all these formulas introduce some non-existing ones. Scenario expressions tbeg . (t1 || t3) . (t2 || t4) . tend tbeg . (t1. t2 ) || t3) . t4) . tend tbeg . t1 . ( (t3 . t4) || t2) . tend Net behavior

α=1 12 9 9 8

α = 10 17 18 18 17

Non-existing order relations t3 . t2 t2 . t4 t1 . t3

The reason of this bad concurrency characterization is the limited set of operators used (“sequence” and “parallel” ). Such a type of partial order needs more sophisticated ones to be expressed: for example “begins with…” or “ends with…” could be helpful. They express less strong relations than the “parallel” operator because this “parallelization” creates waiting intervals that do not exist in the real behavior of the net. In this example, relations to formalize the partial order could be: — t1 et t3 can be concurrently fired, — t2 firing happens after t1 one (but there is no link with t3 firing), — t4 firing happens after t1 and t3 firings. These constraints can be expressed by 2 algebraic formulas, (t1. t2) and ((t1 || t3). t4), but not with a unique one. As there are several formulas, there is a proof tree for each one and duration calculus is no more possible. Consequently, the most important limit of this method is due to the set of used operators: it is not able to express complex partial order relations. Indeed, the Petri net in figure 4 illustrates the fact that some scenario cannot be characterized by an algebraic expression with the operators “sequence” and “parallel”: therefore, no proof tree with SEQ and PARA rules can express the maximally concurrent proof net. The second limit is due to the method itself: it consists in rewriting any linear logic proof tree but its efficiency is not guaranteed in every situation. There exist a lot of possible proof trees differing on their concurrency degree. The algorithm gives interesting results when starting from a non concurrent one but it does not ensure that all maximal concurrent ones have been generated. For example, in case of conflicts generating multiple maximal concurrent scenarios, when starting from one of the two maximal concurrent scenarios, it is necessary to go back to the “least concurrent” one to be able to detect that another one exists.

14

5. Conclusion This paper shows how it is possible to calculate a scenario duration from an algebraic characterization of its partial order. This partial order expression uses “sequence” and “parallel” operators and is derived from the proof tree of the linear logic sequent associated to this scenario. As this proof tree is not unique, a set of rewriting rules is proposed in order to obtain a proof tree expressing maximal concurrency. The interest of this method is that it can handle non-safe Petri nets as well as cyclic ones. Using some examples, we exhibited the necessity to take into account both structural and dynamic concurrency (the one induced by marking). The duration correctness is very related to exact characterization of partial order relations. This approach is very different from the usual one, the class graph method, that often gives too imprecise scenario durations, specially when several transitions are concurrently enabled. Owing to the fact that we only consider the part of the net involved of the scenario, without generating the whole graph, combinatory explosion is avoided: this is the major difference with state graph approach. Moreover, we only work with absolute time with regard to the date of scenario beginning. In opposite, as clocks are reset after any transition firing, state graph method works with relative time. Last example exhibited that some concurrency relations cannot be expressed only using “sequence” and “parallel” operators: to solve this problem, it is necessary to look at different representations. In the proposed approach, as SEQ and PARA rules denote transition firings, temporal information is attached to transition firing: addition and maximum operations about intervals are associated to SEQ and PARA occurrences. Current work tries to overcome this problem by directly associating temporal labels to tokens [PRA 99]. Basic idea is to directly obtain a canonical proof tree (no necessary rewriting step): token temporal labels are updated along the linear logic proof tree construction.

Bibliography [BER 91] Berthomieu B., Diaz M., « Modeling and verification of time dependent systems using Petri nets », IEEE Transactions on Software Engineering, vol. 17, n°3, 1991. [GEH 89] Gehlot V. and Gunter C. A. , « Nets as tensor theories », Tenth International Conference on Application and Theory of Petri Nets, Bonn, Germany, 1989. [GEH 91] Gehlot V., « A proof-theoric approach to semantics of concurrency », Ph.D. Thesis, University of Pennsylvania, 1991. [GIR 87] Girard J.Y., « Linear logic », Theoretical Computer Science, vol. 50, North_Holland, 1987. [GIR 97a] Girault F., « Formalisation en logique linéaire du fonctionnement des réseaux de Petri », Thèse de Doctorat, Université Toulouse 3, 1997.

15

[GIR 97b] Girault F., Pradin-Chézalviel B., Valette R., « A logic for Petri nets », RAIROAPII-JESA Journal, vol. 31, n°3, pp 525-542, Ed. Hermès, 1997. [KUN 97] Künzle L.A., « Raisonnement temporel basé sur les réseaux de Petri pour des systèmes manipulant des ressources », Thèse de Doctorat, Université Toulouse 3, 1997. [MEN 83] Menasche M., Berthomieu B., « Time Petri nets for analysing and verifying time dependent protocols », Third International workshop on Protocol Specification, Testing and Verification, Zürich, June 1983. [MEN 85] Menasche M., « PAREDE : an automated tool for the analysis of time Petri nets », International workshop on Timed Petri nets, Torino, Italy , July 1985, pp 162-169. [PRA 99] Pradin-Chézalviel B., Valette R., Künzle L. A., « Scenario durations characterization of t-timed Petri nets using linear logic », PNPM’99, 8th International Workshop on Petri Nets and Performance Models, Zaragoza, Spain, September 6-10, 1999, pp 208-217.

16