Multiple Enabledness of Transitions in Petri Nets with Time

Marc Boyer and Michel Diaz
LAAS – CNRS, 7, avenue du Colonel Roche, 31077 Toulouse Cedex 4, France
fboyer, [email protected]

Abstract

This paper discusses and formalises the benefits of using multiple enabled transitions for extensions of Petri nets having quantitative notions of time. It also points out that what could be thought of as a straightforward extension actually implies some subtle underlying semantic choices. As an example, a complete semantics for Merlin’s time Petri nets is defined, based on the threshold notion.

Keywords: timed nets; system design using nets

1. Introduction

Although time constraints were introduced as an extension of Petri nets (PN) long ago ([17, 18]), most of the proposed models and studies do not handle the full model. For instance, [4] deals with 1-bounded Petri nets, [10, 20] only use Petri nets having arcs with weight of 1, and [8, 6] restrict their developments to “T-safe” nets¹. All these conditions are designed to avoid or limit the multiple enabledness of transitions. None of these theories is able to handle a timed version of the Petri net in Figure 1. Conversely, GSPN [2] and PH-SPN [12] handle such a model², and it will be shown how and why in Section 5.

[Figure 1. Petri net out of all timed theories]

Nevertheless, multiple enabledness of transitions is an important part of the expressive power of Petri nets, and is well adapted to model important real system behaviours. In this paper, we first point out the benefits of this notion, both in modelling and analysis. Besides, we highlight two major problems for defining a semantics for multiple enabledness in time Petri nets³. As an example, we will define an extension of semantics dealing with multiple enabledness for Merlin’s time Petri nets ([17, 6]). We do not consider this model as the unique solution, but rather as a working example, showing how to introduce a semantics for multiple enabledness in a model. We believe that the different existing models correspond to different needs, and that multiple enabledness has to be formalised according to the corresponding pragmatic paradigms.

The paper is organised as follows: after a brief introduction of Merlin’s time Petri nets⁴ in Section 2, the discussion will present what multiple enabledness in time Petri nets is, and what the benefits of such a semantics are (Section 3). Section 4 will give the semantic choices needed to handle multiple enabledness and will emphasise two points of view: considering token ages or just considering a number of similar tokens. Section 5 will present how multiple enabledness is handled in stochastic PNs. Section 6 will formally present a semantics for general Merlin’s time Petri nets and give an example of use.

¹ That is, such that for each reachable marking, there are not enough tokens to fire a transition twice: $\forall t \in T, \exists p \in P : M(p) < 2 \cdot B(p,t)$.
² In the stochastic community, it is called multiple enabling [2, §3.5, p. 63].
³ Notice that the expression “time Petri nets” does not refer in this paper to a particular model, but denotes the set of extensions of Petri nets dealing with quantitative time.
⁴ Used as support for our examples.

2. Definitions related to (time) Petri nets

To deal with extensions of Petri nets with time in general, examples may help the reader to grasp the concepts discussed in this paper. As these examples have to be written using a model of Petri nets dealing with time, Merlin’s time Petri nets have been selected, because it was the first developed model. However, it will first be presented in an informal way, in order to keep in mind the fundamental notions without being tied to a formal definition.
2.1. Petri nets

We assume the reader is familiar with Petri net theory, so we only recall the definitions and notations that will be used in this paper.

Definition 1 (Petri Net) A Petri Net is a tuple $\langle P, T, B, F, M_0 \rangle$ where $P$ and $T$ are two finite disjoint sets called places and transitions; $B$ and $F$ are two functions from $P \times T$ to $\mathbb{N}$ called backward and forward incidence functions; and $M_0$ is a function from $P$ to $\mathbb{N}$ called the initial marking.

Definition 2 (Enabling and Firing) Let $\langle P, T, B, F, M_0 \rangle$ be a Petri net. Let $t$ be a transition and $M : P \to \mathbb{N}$ a marking. Then, $t$ is said to be enabled in $M$ (written as $M[t\rangle$) iff $\forall p \in P : M(p) \ge B(p,t)$. An enabled transition can be fired, leading to a new marking $M'$. This is denoted by $M[t\rangle M'$ and $M'$ is defined by $\forall p \in P : M'(p) = M(p) - B(p,t) + F(p,t)$.

As usual, we denote by ${}^\bullet t \stackrel{def}{=} \{p \in P : B(p,t) \ge 1\}$ the set of ingoing places and by $p^\bullet \stackrel{def}{=} \{t \in T : B(p,t) \ge 1\}$ the set of outgoing transitions.

2.2. Merlin’s time Petri nets

Merlin’s time Petri nets are Petri nets to which intervals $I_t$ have been added on transitions. The semantics of such an interval is: once a transition is enabled ($M[t\rangle$), a timer $x_t$ is associated to this transition with initial value 0. The transition can be fired only when the timer value belongs to the interval⁵. If this or another transition is fired, removing the tokens enabling $t$, then the timer is disabled. When the timer reaches the upper bound of the interval, the transition has to be fired. An equivalent point of view is to create a firing interval $FI_t$ once a transition $t$ is enabled. The initial value of $FI_t$ is $I_t$. Time passing decreases the bounds of the interval. The transition may be fired once the lower bound has reached 0 and has to be fired when the upper bound reaches 0.

⁵ In most Petri net theories, a transition is firable when it is enabled. Conversely, in timed theories, “enabling” is only related to the marking, and a firable transition is an enabled transition that, furthermore, satisfies timed conditions [6, 4].

[Figure 2. Example of Merlin’s time Petri net]

Figure 2 gives an example of a time Petri net. In the initial state⁶ $S_0$, only transitions $t_0$ and $t_3$ are enabled. The firing interval related to $t_0$ is $[2;4]$ and the one of $t_3$ is $[4;5]$. Assume $t_0$ is fired after 4 time units from the initial state, that is, denoting by $\xrightarrow{d(\cdot)}$ an aging of time units and by $\xrightarrow{t}$ the firing of a transition $t$: $S_0 \xrightarrow{d(4)} S \xrightarrow{t_0} S'$. Then, the enabled transitions become $t_1$, $t_2$ and $t_3$, with respective firing intervals $[2;4]$, $[2;4]$ and $[0;1]$. From this state $t_2$ will never be firable: whereas transition $t_2$ can not be fired before 2 time units, transition $t_3$ has to be fired after at most 1 time unit, because it has been enabled since the initial state. Conversely, transition $t_1$ will always be fired, independently of the firing date of transition $t_0$. Notice that, when a transition is disabled⁷, its timing information is reset, like a prd policy [7] or an enabling memory policy [1].

⁶ In a timed Petri net, the marking is not sufficient to describe a state: some timed information has to be added. Hence, a state is denoted by $S$, as $M$ is only the marking.
⁷ By its own firing, or the firing of a transition in conflict.

3. What is multiple enabledness?

The multiple enabledness of a Petri net is a notion that only appears with the semantics of real parallelism or with interleaving semantics of timed systems. This notion refers to the fact that “a transition has enough tokens to be enabled at least twice in the same state”. We do not give a more formal definition now because, as will be shown later, giving a definition is already assuming a semantics.

[Figure 3. Simple multiple enabling]

A starting example is given in Figure 3. In the interleaving semantics, there is no multiple enabledness in this example: transition $t$ is enabled in the initial state $M_0$ and is still enabled after one firing of $t$, and can be fired once more ($M_0 [t\rangle M' [t\rangle M''$). The reachability graph of this system is simply: $M_0 \xrightarrow{t} M' \xrightarrow{t} M''$. With a truly concurrent semantics, this transition could also be fired twice “in parallel” (denoted by $M_0 [t \parallel t\rangle M''$). The reachability graph becomes $M_0 \xrightarrow{t} M' \xrightarrow{t} M''$ together with a direct arc $M_0 \xrightarrow{t \parallel t} M''$.
In a timed theory, even with an interleaving semantics, the notion of multiple enabledness appears: let us assume a delay of 3 time units is associated with transition $t$, that is to say, the transition has to be fired 3 time units after its enabling date. In the example of Figure 3 the transition is enabled “twice”, there are two occurrences of the $t$ transition⁸, transition $t$ has to be fired twice, and the relationship between the firings and their dates has to be formalised. Then the question arises: does the system need to wait 3 time units between both firings or not? Because transition $t$ is enabled twice in parallel, the common solution considers that both firings are independent (there exist enough tokens) and that both occurrences of the transition will be fired at the same date, 3 time units after the starting instant. Thus, with an interleaving semantics, the reachability graph is $S_0 \xrightarrow{d(3)} S_1 \xrightarrow{t} S_2 \xrightarrow{t} S_3$. There is no delay between both firings.

⁸ The expression “transition occurrence” is sometimes used as a short for “occurrence of a transition firing”. In this paper, it means that the transition is enabled more than once. It does not imply a firing.

This simple example has no other purpose than to present the basic and intuitive notion of multiple enabledness. It will be shown further that defining a complete semantics for multiple enabledness of timed systems is in fact much more sophisticated.

3.1. Multiple enabledness as multi-server

Multiple enabledness is a well known notion in the stochastic PN community, as multiple server semantics [2, §3.5]. This paper focuses on the infinite server semantics, which generalises other semantics and is designed to model client-server systems with multiple equivalent servers. Often, it takes about twice as much time to answer two requests than to answer a unique one. With this assumption and an infinite server semantics, the PN of Figure 3 does not represent a single server with two clients but two servers working in parallel. Nevertheless (with a prd policy), the requests can be serialised by introducing a place named “Capacity”, like in Figure 4, with a single token inside. In the same way, a single transition can model “k” servers, with “k” the marking of place “Capacity”⁹, or an infinite number of servers, when there is no “Capacity” place. Thus, the infinite server semantics generalises the single and multiple server semantics [2].

[Figure 4. Serialisation with a capacity place]

⁹ Notice that this marking can be dynamic, modelling server failure.

3.2. Benefits of multiple enabledness

Multiple enabledness in time Petri nets has multiple benefits. It not only offers a natural way of modelling paradigms like multiple servers and multiple instances of codes¹⁰, but also makes it possible to study systems bounded by time constraints and allows better scaling.

¹⁰ The Petri net structure models the code itself, and the different tokens inside the model represent the instances of the process.

3.2.1 Systems bounded by time constraints

The theoretical study of unbounded systems is of high interest because a theoretical tool to handle unbounded systems is useful to deal with timed systems which are known to be bounded but whose bound is unknown. In fact, this is a common situation: a lot of distributed systems are bounded by timers and their bound values are driven by time constraints. For instance, in many protocols, the losses are detected by watchdogs, and the provided bandwidth depends on their values.

[Figure 5. Producer - Consumer system bounded by time constraints (components “Source”, “Medium”, “Buffer” and “Sink”)]

The system informally described in Figure 5 is an example of a system bounded by time constraints. It is composed of a “Source” producing data packets: it takes between 3 and 4 time units to produce each packet. The data are sent to a “Medium”, whose transmission delay is between 7 and 13 time units. Received data are stored in a “Buffer”, where a “Sink” can read the data, with a reading delay between 2 and 3 time units. This system is bounded because the sink runs faster than the source. The component “Medium” will never transmit more than 5 data packets at the same time, and the “Buffer” will never contain more than 4 data packets (its bound depends on the size of the bursts). Despite the fact that we have not yet defined any semantics for multiple enabledness, we would like the time Petri net of Figure 6 to be a model for our system. While considering the untimed underlying Petri net, it is clear that places “Medium” and “Buffer” are unbounded: in the timed system, they both should be bounded. This example was presented in order to show that an a priori unbounded theoretical system is sometimes needed to model a bounded system. One could object that, using a model without multiple enabledness, one can do the same by introducing 5 transitions “Received-1” to “Received-5”. We will show in Subsection 3.2.3 why this solution is not suitable.

[Figure 6. Producer - Consumer system bounded by time constraints (places “Source”, “Medium”, “Buffer” and “Sink”; transitions “Send”, “Received” and “Read”)]

3.2.2 Scaling factor

As already presented in Subsection 3.1, multiple enabledness allows the designer to represent some systems in a very compact way. Adding new resources to a system can be done without changing the structure of the net, by simply adding new tokens in the marking. This achieves a good scaling power in the design of systems.

3.2.3 A suitable number of clocks

The main difference between time Petri nets allowing multiple enabledness and other discrete transition systems is the dynamic number of timers. In timed automata, for instance, the number of clocks is given and static. This dynamic aspect has two sides: the system always has enough timers, and never too many.

enough timers: We have shown in Subsection 3.2.1 that one aspect of multiple enabledness is to create tokens and timers “on demand”, from the system requirements (see Figure 6). As already said, one could object that a bounded timed system with multiple enabledness could be simulated by an expanded system with a static (but great enough) number of clocks. In the example of Figure 6, five transitions “Received-1” ... “Received-5”, with timers $x_1, ..., x_5$, in a model without multiple enabledness could simulate the multiply enabled transition “Received”. This theoretical solution has at least two drawbacks:

- it assumes the designer is able to guess the upper bound of the system; it is possible in simple examples, but could be more complex in sophisticated systems;
- it will increase the resources needed to analyse the system, ignoring some internal symmetries: a state in which clock values are $x_1 = 0$ and $x_2 = 1$ will be considered different from the same state with values $x_1 = 1$ and $x_2 = 0$ despite the fact that they model the same state of the real system.

never too many timers: The other side of the dynamic number of timers, which appears much more interesting than the previous one, is to have, in each state, only the set of the active timers. In a timed automaton for example, the values of all clocks are kept in memory, because there is no way to say that some are useless until they are reset. In a time Petri net, there is no timer associated to a disabled transition. This will reduce the size and number of states.

3.3. Theoretical concerns

Does a full theory of multiple enabledness increase the expressive power of timed Petri nets and decrease the decidability results or not? This question has to be solved for every semantics. As the aim of this paper is just to highlight the semantic choices, and not to give the definitive one, let us just present some key points.

First, a multiple enabledness semantics has to be compliant with the standard one when the marking is such that $\forall t, \exists p : M(p) < 2 \cdot B(p,t)$. Since [15] has shown that the reachability and boundedness problems are undecidable in such a case, they are undecidable for Petri nets with multiple enabledness too. Second, from the analysis point of view, as long as the firing conditions only depend on a set of inequalities of the form $a_i \le t_i \le b_i$ and $t_i - t_j \le \gamma_{ij}$ (where $a_i$, $b_i$, $\gamma_{ij}$ are constants and $t_i$, $t_j$ variables), the class graph construction is still adapted [6].

While considering that tokens have an age, and considering only normalised Petri nets ($B, F : P \times T \to \{0, 1\}$), some very complete works have been done, in particular [10, 9]. In this context, [11] shows that, when having semantics without urgency, in a model with intervals on arcs, reachability is undecidable but covering is decidable.
4. Toward a semantics for multiple enabledness

After showing the benefits of multiple enabledness in time Petri nets, the aim of this section is to point out that building a semantics of a time Petri net model including the multiple enabledness of transitions is not straightforward. Some choices appear, and they require taking care of two major problems¹¹: the dependency relations between all transition occurrences in conflict and the set of backward arcs¹² with weight greater than 1. These two choices are of great importance, not only as semantic choices, but also because they imply a change of the internal representation of the states.

¹¹ We do not claim that solving these two problems is sufficient to define a complete semantics: such a proof is out of the scope of this paper. We only point the special cases out.
¹² Backward arcs are arcs from places to transitions, also known as input arcs.

4.1. Links between transition occurrences in conflict

The example given in Figure 7 will be the starting point of our discussion.

[Figure 7. Links between transition occurrences in conflict (place p; transitions t0 [0,0], t1 [2,2], ta [2,5], tb [2,5])]

In the initial state $S_0$, transitions $t_0$ and $t_1$ are enabled. First, $t_0$ is fired, putting a token in $p$, which enables transitions $t_a$ and $t_b$. After 2 time units, $t_1$, $t_a$ and $t_b$ can be fired. Let us study $S$, the state reached after $t_1$ firing. There are two tokens in $p$, and both transitions $t_a$ and $t_b$ are enabled twice, with two timers separated by two time units: the enabled firing intervals are, for each transition, $[0;3]$ and $[2;5]$. We give here a partial view on the sequence¹³:

$$S_0 : \begin{cases} t_0 : [0;0] \\ t_1 : [2;2] \end{cases} \xrightarrow{t_0} \xrightarrow{d(2)} \xrightarrow{t_1} S : \begin{cases} t_a : [0;3], [2;5] \\ t_b : [0;3], [2;5] \end{cases} \xrightarrow{t_a} \begin{cases} t_a : [2;5] \\ t_b : \ ? \end{cases}$$

¹³ The sequence is partial, as we do not write every state but only significant ones and because we do not fully describe the states (the marking is missing), but only the firing intervals.

In $S$, transitions $t_a$ and $t_b$ are both enabled twice, with firing intervals $[0;3]$ and $[2;5]$. Assume $t_a$ is fired after delay. The only remaining occurrence of $t_a$ is $[2;5]$, but which is the interval associated to $t_b$?

Keeping $[2;5]$ seems a “natural” choice as it is the peer occurrence in $t_b$ of the remaining one in $t_a$. Nevertheless, other choices could be made, like keeping the oldest occurrence, or a non-deterministic choice...

Now, let us show a more subtle example of these links between occurrences, where the conflict exists between two occurrences of the same transition. Turn back to $S$. Let us assume an aging of 2 time units ($S \xrightarrow{d(2)} S'$). In the new state the firing intervals of transitions are $[0;1]$ and $[0;3]$. Now, if transition $t_a$ is fired, which are the remaining occurrences of $t_a$? and $t_b$?

$$S \xrightarrow{d(2)} S' : \begin{cases} t_a : [0;1], [0;3] \\ t_b : [0;1], [0;3] \end{cases} \xrightarrow{t_a} \begin{cases} t_a : \ ? \\ t_b : \ ? \end{cases}$$

A point of view, used in [10, 16], is to consider that each token has an age (0 when a token arrives in a place, and increasing with time). Then, a “choice function”¹⁴ is used, that points out, for each firing, the dates of the tokens used. Then, the firing of $t_a$ from $M'$ could be done using the token with age 4, and the remaining occurrences are $[0;3]$, or using the token with age 2, and the remaining occurrence in $t_a$ and $t_b$ is $[0;1]$. Yet, it has to be emphasised that other semantic choices could have been made, like keeping the oldest occurrence, or the youngest one. In the following (Section 6), we will present a new one: the threshold semantics.

¹⁴ The term “choice function” is from [10].

Notice that the representation of a state has to keep enough information to be able to express the links between occurrences of transitions in conflict.

4.2. Backward arcs with weight greater than 1

The main question with backward arcs having weight greater than 1 is how the arrival and departure of the tokens in the ingoing places are handled at the different dates. In Merlin’s timed Petri nets, for instance, the only date taken into account is the one of the arrival of the latest token. In our example of Figure 2, the firing interval of transition $t_2$ is only driven by the arrival date of the token produced by $t_0$. This semantics is suitable for this model, because it is compatible with the classical decomposition scheme, considering that an arc with weight 2 is “the same” as two arcs with weight 1, as in Figure 8. With a model with intervals on arcs, like in [19, 10, 21], to be compliant with this constraint, a weighted arc allows a transition to be fired only if all token ages are in the interval (and not only the youngest, as in Merlin’s model).

[Figure 8. Decomposition of a Petri net]

But even with this constraint, considering weighted arcs, choices exist to define the evolution rules of transition timed occurrences. In fact, there are at least two possibilities:

- considering (as [10]) that tokens have an age, a transition $t$ is enabled by a set of tokens in its input places ${}^\bullet t$, and the firing interval is computed by taking into account the youngest token of the set (the last arrived), or,
- considering only a number of tokens, the firing interval is computed only considering the enabling date of the transition.

These two points of view are a classical opposition in the interpretation of Petri nets, a difference between the formal model, where a marking is a number, and the graphical representation, where a marking is a multi-set of tokens. In Section 3, we have said that multiple enabledness is a notion that appears with concurrent semantics or timed semantics. An interesting point appears in [13]: it shows that the concurrent semantics of Petri nets under the “individual token interpretation” and under the “collective token interpretation” are different. In the following, we will refer to the first as age semantics and to the second as threshold semantics. As the age semantics is quite well developed, our contribution consists in defining the threshold semantics.

Two examples will be given: the one in Figure 9 describes a case where both possibilities lead to the same behaviour, and the one in Figure 10 points out a difference. In order to introduce the two points of view, the example of Figure 9 will be studied considering first the age of the youngest token, and second the enabling date of the transition. The behaviour of this Petri net, considering the age of the token, is given below. We have written as subscript to the interval the ages of the tokens that enable the transition.

[Figure 9. Enabling date or age of tokens (place p; transitions t0 [2;2], t1 [5;5], ta [3;6])]

$$S_0 : \begin{cases} t_0 : [2;2]_{\{0\}} \\ t_1 : [5;5]_{\{0\}} \end{cases} \xrightarrow{d(2)} \xrightarrow{t_0} S' : \begin{cases} t_1 : [3;3]_{\{2\}} \\ t_a : [3;6]_{\{0,2\}} \end{cases} \xrightarrow{d(3)} \xrightarrow{t_1} S'' : \big\{ t_a : [0;3]_{\{3,5\}} ; [3;6]_{\{0,5\}} ; [3;6]_{\{0,3\}}$$

Let us consider the ages of the tokens. In $S''$, place $p$ contains three tokens, with ages 0, 3 and 5. The transition $t_a$ is enabled three times: once with tokens $\{3, 5\}$, creating a firing interval $[0;3]$, once with tokens $\{0, 5\}$, with interval $[3;6]$, and once with tokens $\{0, 3\}$, with interval $[3;6]$. Conversely, considering the number of tokens, this transition is enabled just once, with interval $[0;3]$, because it had been enabled 3 time units ago, at the arrival of the second token.

$$S_0 : \begin{cases} t_0 : [2;2] \\ t_1 : [5;5] \end{cases} \xrightarrow{d(2)} \xrightarrow{t_0} S' : \begin{cases} t_1 : [3;3] \\ t_a : [3;6] \end{cases} \xrightarrow{d(3)} \xrightarrow{t_1} S'' : \big\{ t_a : [0;3]$$

However, this example does not make any difference for the firing sequence, because in both cases transition $t_a$ has to be fired before 3 time units¹⁵.

¹⁵ This is Merlin’s time PN definition, and what [10] calls a “strong semantics”, where an upper bound can not be overtaken. Nevertheless, some models, like [21], use a “weak semantics” that allows the upper bound to be overtaken. In this case, considering the number of tokens or their ages will lead to different behaviours.

Let us now show that, in some cases, the difference between both points of view leads to a different firing sequence. In this example, a server answers requests, in 2 or 3 time units for each request, and we would like to detect a heavy load of the system. We want to detect the presence of more than 40 requests during a period of 30 time units. The modelling of such a system is given in Figure 10. Using a semantics considering the age of the tokens, the transition “Loaded” will never be fired. Indeed, each token will stay at most 3 time units in place “Running”: no multiset of 40 tokens will exist with a token older than 3 time units. The threshold semantics gives the solution to the problem, because the transition “Loaded” will be enabled once
40 tokens will be in place “Running”, and it will stay enabled, as long as at least 40 tokens are in the place, independently of their ages.

[Figure 10. Usage detection of a server (places “Request” and “Running”; transitions “Server” [2;3] and “Loaded” [30;30]; arc weight 40)]

5. Multiple enabledness and stochastic PN

Multiple enabledness has been studied for stochastic PN in a more general work on execution policies [1], that includes single/multiple/infinite server policies, transition selection, memory policy, interrupt and resume policy [2, 7, 12]. In this paper, we assume an infinite server semantics, and we do not discuss the points related to the behaviour for single enabledness (like memory policy), but only their consequences on the multiple enabledness. Notice that multiple enabledness is strongly related to the memory of the PN. In a memoryless model (like GSPN), all firing policies (prd, prs) are often equivalent. In GSPN, the multiple enabledness of a timed transition simply increases the firing rate, as illustrated in Figure 11.

[Figure 11. GSPN and its Markov chain (states 2,0; 1,1; 0,2)]

While analysing PH-SPN for example [14], the problem of the information from the past arises (how to encode the stage of a client). Nevertheless, in most papers, focused on analysis and verification, different policies are briefly described (see [14, Table 1] or [12, §5]), but discussed only from the analysis point of view.

6. Threshold semantics for Merlin time Petri nets

Having highlighted the key points for the definition of a multiple enabledness semantics for a timed system, let us define a complete formal semantics for Merlin time Petri nets, based on the threshold notion (in opposition with the age notion from other models [10, 16]).

6.1. Defining a threshold semantics

As we want a semantics that does not consider the age of the tokens, but only their number, we have to define how the links between transition occurrences in conflict (Section 4.1) and backward arcs with weight greater than 1 (Section 4.2) are handled.

The handling of backward arcs with weight greater than 1 is the starting point of our proposal: we will consider the enabling dates of the transitions, and not the age of each token. Then, a timer is not created each time a new token is created, but each time the enabling degree¹⁶ is increased.

¹⁶ See Definition 6.

Handling the links between transition occurrences in conflict needs a short discussion. Consider the example of Figure 7 where $S_0 \xrightarrow{t_0} \xrightarrow{d(2)} \xrightarrow{t_1} S = (t_a : [0;3], [2;5] ;\ t_b : [0;3], [2;5])$. Now, after the firing of $t_a$, which occurrence of $t_b$ has to be kept? To answer, we have to consider: “what is the enabling event of $t_b$?”. That is the arrival of one token (independently of its identity). Is there still one token in the place? Yes. That is to say, we have to keep the occurrence of the transition associated to the arrival of one token, the first one, $[0;3]$. From a more pragmatic point of view, what is the meaning of such a transition? In our example of Figure 10, we want to detect a load. If we remove the oldest occurrences, we will delay the alarm signal: the arrival of a second token leads to a heavier load, so in a worse situation the alarm would come later, which is not a suitable behaviour. Then, in a threshold semantics, in case of conflict, we have to keep the oldest occurrence of transition enablings, i.e. the smallest interval (like the Last Engaged policy of [14]).

6.2. Age vs. threshold semantics

For lack of space, we can not present a complete comparison between both semantics. We believe that both points of view, based on token age or number, are relevant, depending on the context. Then, a model offering the user the ability to choose for each transition between an age semantics and a threshold semantics could be defined, but, for lack of space, a model with only the threshold one will be presented here. Notice that the difference between both semantics only appears when two transitions are in conflict. If each enabled transition is fired, both semantics lead to the same behaviours.
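The two readings of Figures 7 and 9 can be replayed in a few lines of Python. This is an added example, not code from the paper: the function and class names are hypothetical, the initial token in p and the weight-2 arc into ta are assumptions read off the state sequences of Figure 9, and only the timer bookkeeping is modelled, not the full firing rule of Definition 8.

```python
from itertools import combinations


def remaining(interval, elapsed):
    """Firing interval left once `elapsed` time units have passed (bounds stop at 0)."""
    lo, hi = interval
    return (max(0, lo - elapsed), max(0, hi - elapsed))


def age_occurrences(token_ages, interval, weight=1):
    """Age semantics: one occurrence per set of `weight` tokens, timed by the
    youngest token of the set (the last one to arrive)."""
    result = []
    for tokens in combinations(sorted(token_ages), weight):
        result.append((remaining(interval, min(tokens)), tokens))
    return sorted(result)


class ThresholdTransition:
    """Threshold semantics for a transition with a single input place: one timer
    per unit of enabling degree, the degree being marking // weight."""

    def __init__(self, interval, weight=1):
        self.interval = interval
        self.weight = weight
        self.timers = []  # elapsed time of each occurrence, oldest first

    def advance(self, delay):
        self.timers = [x + delay for x in self.timers]

    def sync(self, marking):
        """Call after every change of the input place's marking."""
        degree = marking // self.weight
        # Degree went up: each new unit of degree starts a fresh timer.
        self.timers += [0] * max(0, degree - len(self.timers))
        # Degree went down (conflict): keep the oldest occurrences.
        self.timers = sorted(self.timers, reverse=True)[:degree]

    def intervals(self):
        return [remaining(self.interval, x) for x in self.timers]


def figure9():
    """Replay S0 -d(2)-> -t0-> S' -d(3)-> -t1-> S'' and return the occurrences
    of ta in S'' under (age semantics, threshold semantics)."""
    ages = [0]                                   # assumed: one token already in p
    ta = ThresholdTransition((3, 6), weight=2)   # assumed: arc p -> ta of weight 2
    ta.sync(len(ages))
    for delay in (2, 3):                         # t0 fires after 2, t1 after 3 more
        ages = [a + delay for a in ages]
        ta.advance(delay)
        ages.append(0)                           # the fired transition adds a token to p
        ta.sync(len(ages))
    return age_occurrences(ages, (3, 6), weight=2), ta.intervals()


def figure7_conflict():
    """Occurrences of tb in state S of Figure 7, then after ta has taken one
    token out of p (threshold semantics)."""
    tb = ThresholdTransition((2, 5))
    marking = 1                                  # t0 fires at date 0
    tb.sync(marking)
    tb.advance(2)                                # d(2)
    marking += 1                                 # t1 fires
    tb.sync(marking)
    before = tb.intervals()
    marking -= 1                                 # ta fires and consumes one token
    tb.sync(marking)
    return before, tb.intervals()


if __name__ == "__main__":
    age, threshold = figure9()
    print("Figure 9, age semantics:      ", age)
    print("Figure 9, threshold semantics:", threshold)
    print("Figure 7, tb before/after ta: ", figure7_conflict())
```

Under the age semantics the output lists three occurrences of ta in S'', under the threshold semantics a single one, and in the Figure 7 conflict tb keeps the oldest occurrence.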
6.3. A formal definition

This section gives the formal definitions of the model. Let us first introduce some notations. As usual, $\lfloor \cdot \rfloor : \mathbb{R}^+ \to \mathbb{N}$ will denote the floor of a real number¹⁷.

Definition 3 (Time Petri net) A time Petri net is a tuple $N = \langle P, T, B, F, M_0, I \rangle$ where:

- $\langle P, T, B, F, M_0 \rangle$ is a Petri net
- $I : T \to \mathbb{R}^+ \times (\mathbb{R}^+ \cup \{\infty\})$ is the interval mapping,

Now, the definition of a state becomes more complex than the simple count of the tokens for each place: one has to keep the marking and a multi-set of dates for each transition (definitions and notations for multi-sets are in appendix B).

Definition 4 (Marking of a time Petri net) The marking of a time Petri net is a pair M; where $M : P \to \mathbb{N}$ and : T → R+. Obviously, it must verify

∀t ∈ T : |(t)| = min over p ∈ •t of ⌊M(p) / B(p,t)⌋    (1)

Definition 7 (Firable) Let $N = \langle P, T, B, F, M_0, I \rangle$ be a time Petri net, and M; ∈ M N a state. A transition $t \in T$ is said to be firable¹⁸ in state M for occurrence (denoted by M; t; ⟩) if there exists ∈ R+ such that:

{| |} (t)    (2)
∈ I(t)    (3)

Equation 2 means that the transition occurrence is an occurrence of $t$ (notice that, from equation 1, it implies $\forall p \in P : M(p) \ge B(p,t)$¹⁹). Equation 3 means that this occurrence respects the time constraints.

Definition 8 (Firing of a transition) Let $t$ be an enabled transition ( M; t; ⟩). Then M; t; ⟩ M′; ′ denotes the firing of occurrence of $t$ leading to the marking M′; ′ defined by:

∀p ∈ P : M′(p) = M(p) − B(p,t) + F(p,t)
′ = _ ∪

With , the marking remaining once the transition $t$ has fired (and before new tokens have been created) and + the marking created by the addition of F( ; t), formally defined by:
[Figure 12. Example with both semantics (labels: “Loaded” [9;12], “Slow down” [4;4], “A”)]

The main difference between using an age semantics instead of a threshold one is that, in case of short bursts of 5, the age semantics will send a Slow down message, whereas the threshold one will only send it for a real overload of more than 9 time units. This will contribute to the stability of the system

Description
- Input places of a transition t
- Multi-set
- Aging function
- Set of multi-sets over A
- Non increasing sequence of elements of
- Enabling degree of a transition
B. A brief theory of multi-sets
If A is a set, a function A $\to \mathbb{N}$ is a multi-set over A, and A is the set of multi-sets over A. This paper will only consider finite multi-sets, i.e. $\in$ A such that $\sum_{a \in A}$ (a) $< \infty$. The size is defined by | | $\stackrel{\text{def}}{=} \sum_{a \in A}$ (a). A multi-set will be denoted by {| |}, and , $\cup$ will denote the inclusion and union for multi-sets, as for sets. The operator : $\mathbb{N}$ A $\to$ A is defined by (n )(a) = n (a). For example 2 {|0; 3; 3|} = {|0; 0; 3; 3; 3; 3|}. If there exists , a total order on A, to each multi-set $\in$ A , one can associate the non increasing sequence $\in$ A^{| |} defined by, $\forall i, j \in [1..|\ |]$ : i j $\Rightarrow$ i ..| | i j . For example, = {|0; 2; 4; 2|} $\Rightarrow$ = 4; 2; 2; 0.
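The multi-set operations of this appendix, written out as an added Python example (not code from the paper) over `collections.Counter`: size, scalar product, inclusion and non-increasing sequence. The `enabling_degree` helper and the sample marking are assumptions: it uses the usual definition (the largest k such that k copies of the input-arc weights are included in the marking), which is not quoted from this section.

```python
from collections import Counter

def size(ms):
    """Size of a multi-set: number of elements counted with multiplicity."""
    return sum(ms.values())

def scale(n, ms):
    """Scalar product: (n . ms)(a) = n * ms(a), for a natural number n."""
    if n < 0:
        raise ValueError("n must be a natural number")
    return Counter({a: n * c for a, c in ms.items() if n * c > 0})

def included(small, big):
    """Multi-set inclusion: small(a) <= big(a) for every element a."""
    return all(c <= big[a] for a, c in small.items())

def non_increasing(ms):
    """Elements from largest to smallest (requires a total order on A)."""
    return sorted(ms.elements(), reverse=True)

def enabling_degree(marking, pre):
    """Largest k such that k . pre is included in marking (assumed definition).

    marking: Counter place -> token count.
    pre:     Counter place -> input arc weight B(p, t) of one transition t.
    """
    weights = {p: w for p, w in pre.items() if w > 0}
    if not weights:
        # No input place: every k fits, so the degree is unbounded.
        raise ValueError("transition has no input place")
    return min(marking[p] // w for p, w in weights.items())

if __name__ == "__main__":
    # The two examples given in the appendix text.
    print(scale(2, Counter([0, 3, 3])))          # same as {|0,0,3,3,3,3|}
    print(non_increasing(Counter([0, 2, 4, 2])))
    # Constructed marking and arc weights, for illustration only.
    marking = Counter({"p1": 5, "p2": 2})
    pre_t = Counter({"p1": 2, "p2": 1})
    k = enabling_degree(marking, pre_t)
    print(k, included(scale(k, pre_t), marking))
```
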