Using High-Level Replacement Systems to Preserve Safety Properties in Place/Transition Net Transformations

J. Padberg, M. Gajewsky¹
Technical University of Berlin

e-mail: {padberg, [email protected]

Extended Abstract

Summary: The application of the general theory of high-level replacement systems has proven to be most rewarding in many different areas, especially in Petri nets [EGPP98a]. In this paper the abstract extension of high-level replacement systems to refinement morphisms [Pad98] is applied to place/transition nets. The combination of morphisms that preserve safety properties [Peu97] with transformations of place/transition nets leads to rules and transformations that preserve safety properties.

Keywords: High-Level Replacement System, Petri Net Transformation, Safety Property, Temporal Logic, Rule-Based Refinement

1 Introduction

The generalization of graph transformations, namely high-level replacement (HLR) systems, can successfully be employed in other areas, such as Petri nets, to obtain results that are relevant for software engineering. In this paper we apply an extension of high-level replacement systems to Petri nets in order to achieve an integration of transformations, and hence all their advantages, with the preservation of (safety) properties. In contrast to the graph transformation approach, where rules and transformations describe dynamic behavior, in the area of Petri nets we use rules and transformations to represent the stepwise modification of nets. This is considered to be a vertical structuring technique in software engineering and is known as rule-based modification. But note that rule-based modification by itself does not allow preserving system properties, and thus cannot be considered a refinement technique. The combination of transformations with the preservation of safety properties is very relevant in software engineering, as the verification of large and complex systems is often necessary, but very complicated (if possible at all) and thus expensive. Thus, it is desirable to state and prove (safety) properties at an early stage. The idea of developing a system while preserving safety properties is illustrated in section 2, in which we introduce a small example. We give a place/transition net that models a very simple elevator and satisfies safety properties concerning the opening and closing of the doors to the elevator shaft. Then we stepwise introduce exclusive requests for opening the doors using rules and transformations that preserve safety properties. Thus we gain a model of the elevator with requests that satisfies the safety properties concerning the doors without proving these properties again for this new model.
High-level replacement systems have been introduced in [EHKP91] as a categorical generalization of the double pushout approach to graph transformations; there the first application to place/transition nets has been given as well. The application of high-level replacement systems to a special domain such as place/transition nets, algebraic specifications etc. requires a suitable category and the satisfaction of the HLR-conditions. In the case of place/transition nets with an initial marking this follows as a direct consequence of the results presented in [RP94]. In [Pad96] high-level replacement systems have been extended in order to allow different kinds of morphisms within the transformation step. This enables the expression of refinement using a morphism, called Q-morphism, directly from the left hand side of the rule to the right hand side. Based on this extension we can integrate net transformations with place preserving morphisms [Peu97], which preserve safety properties in terms of specific temporal logic formulas. The main result of this paper is the integration of the place preserving morphisms with the rules and transformations. This is achieved by proving three nontrivial conditions, called Q-conditions, see fact 4.6, fact 4.7 and fact 4.8. These proofs require detailed information about the involved categories, morphisms and constructions, and are (due to space limitations) omitted in this paper. These technical results yield the important outcome for software engineering, stated in thm. 4.12 (Q-Transformations Preserve Safety Properties), that the concept of rules together with place preserving morphisms and transformations allows the preservation of safety properties in the sense of [MP92], given as a temporal logic formula. The paper is organized the following way: Section 2 illustrates the main ideas in terms of a small example. Then we review high-level replacement systems in section 3. Subsequently we give place/transition nets together with morphisms in section 4, and then we show that place/transition nets together with place preserving morphisms satisfy the Q-conditions, leading to the main theorem. As a conclusion we discuss future work in section 5.

¹ This work is part of the joint research project "DFG-Forschergruppe Petrinetz-Technologie" between H. Weber (Coordinator), H. Ehrig (both from the Technical University Berlin) and W. Reisig (Humboldt-Universität zu Berlin), supported by the German Research Council (DFG).

2 Example: Introducing Control to Elevator While Preserving Safety Properties

A basic notion in the context of software engineering is that of models facilitating the development of systems. This section gives a rough and intuitive impression of the models (place/transition nets), temporal logic formulas, and refinement of models by transformations. In the subsequent sections 3 and 4 these notions will be formalized.

Consider the following example in fig. 1: There is the elevator for three floors, denoted by f1, f2 and f3. The elevator depicted moves arbitrarily up and down, denoted by the transitions u1, u2, d1 and d2. Moreover, the opening of the doors of the elevator shaft is modelled. For each floor the doors can be opened and closed, o1, c1, ..., and the state of the doors is given as either open or closed, do1, dc1, .... The initial marking M0 := f1 ⊕ dc1 ⊕ dc2 ⊕ dc3, denoted by black dots, describes the elevator being in the first floor with all doors closed.

[Figure 1: Simple Elevator E0. Places: f1, f2, f3 (floors), dc1, dc2, dc3 (doors closed), do1, do2, do3 (doors open). Transitions: u1, u2, d1, d2 (movement), o1, o2, o3 (opening), c1, c2, c3 (closing).]

In def. 4.9 we define temporal logic formulas over nets and their validity wrt. markings. Intuitively, a temporal logic formula states facts about the markings and is given in terms of numbers of tokens on places. That is, the static formula 5a ∨ 2b is true for a marking M where at least 5 tokens are on place a or at least 2 tokens are on place b. The always operator □ in an invariant formula □(5a ∨ 2b) states that this is true for all markings reachable from M. Note that this use corresponds to the use of temporal logic in graph transformation (see [HEWC97]), where it is also used to describe the dynamics of a system. One criterion for the adequacy of the model is that the elevator can only move if the doors are closed. This can easily be described for each floor by the temporal formula φ = □(do_n ⇒ f_n), that is the safety property "The door in floor n is open always implies the elevator is at floor n".
This formula holds in the sample net, but for reasons of space we omit the explicit proof. Next, we introduce three rules (see figs. 2 to 4) that introduce exclusive requests to this elevator. If there is a request at a floor the elevator may not leave that floor unless the door has been opened and subsequently closed. Further rules may introduce control of movement, but would exceed the limits of this paper. The following transformation sequence yields the intended elevator:

E0 ⟹(r1+r1+r2) E1 ⟹(r3) E2

Now the main problem is the transfer of the safety property φ, "The door in floor n is open always implies the elevator is at floor n", from E0 to E2. This transfer should be induced by the rules r_i = (L_i ← K_i → R_i) for 1 ≤ i ≤ 3. Thus, we have to find a property of the rules such that the transformation preserves the safety property. We are looking for proof rules of the following form:

some property for r_i,  E0 satisfies φ
--------------------------------------
          E2 satisfies φ

The main idea of our approach is to use the class of place preserving morphisms, which on the one hand preserve safety properties [Peu97] and on the other hand are stable under transformations (section 4), in order to transfer safety properties via transformations. The fact that the f_i: L_i → R_i preserve safety properties implies that f: E0 → E2 preserves safety properties (theorem 4.12). Thus we have the desired property, so that the following proof rule holds:

(r_i, f_i: L_i → R_i) preserve safety properties,  E0 satisfies φ
------------------------------------------------------------------
                         E2 satisfies φ

As we use this new kind of rules and transformations, we ensure the validity of φ, that is the property "The door in floor n is open always implies the elevator is at floor n". Thus, we can conclude that the resulting net E2 satisfies φ. The rules are given in figs. 2 to 4.

[Figure 2: Rule r1 (L ← K → R). Left hand side: f, f', m, dc, do, o, c. Interface: all places, no transitions, no arcs. Right hand side: additionally nrq (marked), rq and r.]

[Figure 3: Rule r2 (L ← K → R). Left hand side: f, f', f'', m1, m2, dc, do, o, c. Interface: all places, no transitions, no arcs. Right hand side: additionally nrq (marked), rq and r.]

The insertion of requests to floors where only one direction of movement is possible is described by rule r1. The marked place nrq, designating no request, and the transitions r (requesting) and c (clear request) are added. Furthermore, the elevator may only move if there is no request on this floor, which is captured by an additional arc to the transition m. Similarly, rule r2 describes the insertion of requests to intermediate floors. The difference to rule r1 is that the elevator may not move in either direction if there is a request. This is achieved by the additional arcs to both transitions m1 and m2.

[Figure 4: Rule r3 (L ← K → R). Left hand side: nrq1, nrq2, nrq3, rq1, rq2, rq3, dc1, dc2, dc3, do1, do2, do3, c1, c2, c3, r1, r2, r3. Interface: all places, but no transitions, no arcs. Right hand side: additionally the marked place exr.]

Rule r3 adds the exclusion of requests. We insert the marked place exr and connect it to the net in such a way that it realizes the mutual exclusion of the transitions r1, r2 and r3 for calling the elevator. Once the token is withdrawn by any of these transitions the others cannot fire, and it is only released when the request is cleared on that floor. Applying rule r1 two times to the net E0 at the matches f ↦ f1 resp. f ↦ f3 and f' ↦ f2 (and the remaining part in the obvious way), one time r2 at the match f ↦ f2, and one time r3 leads to the place/transition net E2. E2 is a more detailed model of the elevator system or, in other words, a refinement of the original model E0.
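To make the example concrete, the following Python model (an added example, not code from the paper) builds the elevator net E0 and checks the invariant formula □(do_n ⇒ f_n) by enumerating the reachable markings [M0>. The paper gives only the names of the places and transitions of E0, so the arcs are an assumption: o_n and c_n carry the token f_n as a side condition, and u_n/d_n carry the closed-door token of the current floor. The variant without the f_n side condition is constructed here to show what a violated property looks like.

```python
"""Constructed elevator net E0 (names from the paper, arcs assumed) and a
checker for invariant formulas "always phi" over the reachable markings."""
from collections import Counter, deque


def elevator_net(floors=3, door_needs_cabin=True):
    """Returns (pre, post, m0). pre[t] and post[t] are multisets over places
    (Counters, i.e. the linear sums of footnote 1); m0 = f1 + dc1 + ... + dc_n.
    With door_needs_cabin=False the door transitions o_n/c_n lose the side
    condition f_n: a deliberately unsafe variant (assumption, not from the paper)."""
    pre, post = {}, {}
    for n in range(1, floors + 1):
        f, dc, do = f"f{n}", f"dc{n}", f"do{n}"
        side = Counter({f: 1}) if door_needs_cabin else Counter()
        pre[f"o{n}"], post[f"o{n}"] = side + Counter({dc: 1}), side + Counter({do: 1})
        pre[f"c{n}"], post[f"c{n}"] = side + Counter({do: 1}), side + Counter({dc: 1})
        if n < floors:
            up, up_dc = f"f{n + 1}", f"dc{n + 1}"
            # the cabin may only move while the door at its current floor is closed
            pre[f"u{n}"], post[f"u{n}"] = Counter({f: 1, dc: 1}), Counter({up: 1, dc: 1})
            pre[f"d{n}"], post[f"d{n}"] = Counter({up: 1, up_dc: 1}), Counter({f: 1, up_dc: 1})
    m0 = Counter({"f1": 1, **{f"dc{n}": 1 for n in range(1, floors + 1)}})
    return pre, post, m0


def enabled(pre, t, m):
    return all(m[p] >= k for p, k in pre[t].items())


def fire(pre, post, t, m):
    return (m - pre[t]) + post[t]  # pre[t] <= m, so the subtraction is exact


def canon(m):
    return tuple(sorted((+m).items()))  # +m drops zero counts


def reachable(pre, post, m0):
    """Breadth-first enumeration of [m0>, the set of markings reachable from m0."""
    seen, queue = {canon(m0): m0}, deque([m0])
    while queue:
        m = queue.popleft()
        for t in pre:
            if enabled(pre, t, m):
                m2 = fire(pre, post, t, m)
                if canon(m2) not in seen:
                    seen[canon(m2)] = m2
                    queue.append(m2)
    return list(seen.values())


# Static formulas as nested tuples: ("atom", lam, p) means "at least lam tokens
# on p"; "not" and "and" are the connectives; a => b is derived as not(a and not b).
def implies(a, b):
    return ("not", ("and", a, ("not", b)))


def holds(m, phi):
    op = phi[0]
    if op == "atom":
        return m[phi[2]] >= phi[1]
    if op == "not":
        return not holds(m, phi[1])
    if op == "and":
        return holds(m, phi[1]) and holds(m, phi[2])
    raise ValueError(f"unknown operator {op}")


def check_invariant(pre, post, m0, phi):
    """m0 |= always phi iff phi holds in every reachable marking.
    Returns (True, None) or (False, counterexample marking)."""
    for m in reachable(pre, post, m0):
        if not holds(m, phi):
            return False, dict(+m)
    return True, None


def door_safety(n):
    """do_n => f_n: the door at floor n is open only if the cabin is there."""
    return implies(("atom", 1, f"do{n}"), ("atom", 1, f"f{n}"))


if __name__ == "__main__":
    pre, post, m0 = elevator_net()
    print(len(reachable(pre, post, m0)), "reachable markings in E0")
    for n in (1, 2, 3):
        print(f"E0 |= always(do{n} => f{n}):", check_invariant(pre, post, m0, door_safety(n))[0])
    print("unsafe variant:", check_invariant(*elevator_net(door_needs_cabin=False), door_safety(2)))
```

Under the assumed arcs E0 has only six reachable markings (cabin at one of three floors, with that floor's door open or closed), and the property holds for every floor; the unsafe variant reports a marking with a door open at a floor where the cabin is not.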

3 Review of High-Level Replacement Systems

In this section we review very briefly the concepts of high-level replacement systems in the sense of [EHKP91], a categorical generalization of graph grammars. High-level replacement systems are formulated for an arbitrary category C with a distinguished class M of morphisms which is used to classify different types of rules. Thus, high-level replacement systems allow a great variety of interpretations of the concept of rules. Whereas in graph grammars rules give rise to a notion of behavior based on dynamic changes of graphs, in high-level replacement systems they define any kind of evolution of the system. In [EGPP98a, EGPP98b] they have been instantiated by algebraic specifications and Petri nets and used in the context of software engineering. In place/transition nets transformation via rules denotes the iterative development of the system. In general, rules are split into a deleting part L, an adding part R and an interface K which is preserved, such that the rule p is given by p = (L ←l K →r R) where l and r are morphisms. These morphisms belong to a distinguished subclass M of morphisms of the category C.

Definition 3.1 (Rules and Transformations)

A rule p = (L ←l K →r R) in C consists of the objects L, K and R, called left hand side, interface (or gluing object) and right hand side respectively, and two morphisms l: K → L and r: K → R with both morphisms l, r ∈ M, a distinguished class of morphisms in C. Given a rule p = (L ←l K →r R), a direct transformation G ⟹p H from an object G to an object H is given by the following two pushout diagrams (1) and (2) in the category C:

         l         r
    L <------ K ------> R
    |g1  (1)  |g2  (2)  |g3
    v         v         v
    G <------ C ------> H
         c1        c2

The morphisms g1: L → G and g3: R → H are called occurrences of L in G and R in H, respectively. By an occurrence of rule p = (L ←l K →r R) in a structure G we mean an occurrence of the left hand side L in G.

A transformation sequence G ⟹* H, short transformation, between objects G and H means G is isomorphic to H or there is a sequence of n ≥ 1 direct transformations: G = G0 ⟹p1 G1 ⟹p2 ... ⟹pn Gn = H. In this case we also denote the sequence as G ⟹(p1,p2,...,pn) H.

Definition 3.2 (High-Level Replacement System)

Given a category C together with a distinguished class of morphisms M, then (C, M) is called an HLR-category if (C, M) satisfies the HLR-conditions (see [EGPP98a]).

In [Pad96, Pad98] we have introduced the notions of Q-morphisms and Q-rules, which are motivated by different kinds of refinement for Petri nets found in the literature. The main idea is to enlarge the given HLR-category in order to include morphisms that are adequate for the refinement. The Q-conditions [Pad98] state the additional requirements an HLR-category has to satisfy for the extension to refinement morphisms.

Definition 3.3 (Q: Refinement Morphism [Pad98])

Let QC be a category, so that C is a subcategory C ⊆ QC, and Q a class of morphisms in QC.

1. Then we have the following Q-conditions:
   Closedness: Q has to be closed under composition.
   Preservation of Pushouts: The inclusion functor I: C → QC preserves pushouts.
   Inheritance of Q-morphisms under Pushouts: The class Q in QC is closed under the construction of pushouts in QC.
   Inheritance of Q-morphisms under Coproducts: The class Q in QC is closed under the construction of coproducts in QC.
2. The morphisms in Q are called Q-morphisms, or refinement morphisms.
3. A Q-rule (p, q) is given by a rule p = (L ←l K →r R) in C and a Q-morphism q: L → R, so that K →l L →q R = K →r R in QC.

The next fact states that the class Q is also preserved under transformations.

Fact 3.4 (Q-Transformations [Pad98])

Let C, QC, Q, and I: C → QC satisfy the Q-conditions. Given a Q-rule (p, q) and a transformation G ⟹p H in C defined by the pushouts (1) and (2) of def. 3.1, with m: L → G, n: R → H and the pushout morphisms g: C → G and h: C → H,

             q
    L ---------------> R
    |m      (1) (2)    |n
    v                  v
    G ---------------> H
             q'

then there is a unique q' ∈ Q such that q' ∘ g = h and q' ∘ m = n ∘ q in QC. The transformation (G ⟹p H, q': G → H), or short G ⟹(p,q) H, is called a Q-transformation. Moreover, G →q' H ←n R is a pushout of G ←m L →q R in QC.

Proof Idea: Due to def. 3.3, item 3 and the pushout properties of (1) the outer square commutes. Thus, by the decomposition lemma it is a pushout.

In [Pad98] it is shown that well-known results from the double pushout approach to graph transformation and from high-level replacement systems, such as the Parallelism Theorem and the Church-Rosser Theorems, can be adapted to Q-transformations. We state them here because we need them in our ongoing example (see ex. 4.13).

Results 3.5 (Results for Q-Transformations [Pad98])

Given an HLR-category that satisfies the Q-conditions, the following results hold for Q-transformations under adequate independence conditions:
- Local Church-Rosser Theorem I and II
- Parallelism Theorem



4 Rule-Based Refinement Preserving Safety Properties

In this section we present the technical results leading to the preservation of safety properties in place/transition nets by transformations. We introduce the category QPT and a subcategory PT in order to apply the theory of Q-transformations [Pad96]. Furthermore, we define formulas expressing safety properties and their preservation by special kinds of morphisms, namely place preserving morphisms, and by special kinds of rules, the safety preserving rules. In our main theorem 4.12 we show that safety properties are preserved along sequences of transformations via safety preserving rules. Due to space limitations we can only sketch the proofs here. In [PGE98] we consider a similar problem, namely the preservation of safety properties by transformations of algebraic high-level nets (see e. g. [PER95]). Apart from the underlying categories there are significant differences to this paper, e. g. in [PGE98] we consider neither sequences of transformations nor initial markings. But these are of high importance, both in our motivating example in section 2 (without an initial marking and the capability to add markings to new places via transformations the resulting model would not be adequate) and for modelling with place/transition nets in general. First, we recall place/transition nets and different kinds of morphisms.

Definition 4.1 (Place/Transition Nets)

A place/transition net is given by N = (P, T, pre, post, m, M) with P the set of places, T the set of transitions, pre, post: T → P^⊕ the pre- and postdomain¹ of transitions, and M a set of tokens together with their distribution over the places, that is the initial marking² m: M → P.

Definition 4.2 (PT-Morphisms and Categories)

Given N_i = (P_i, T_i, pre_i, post_i, m_i, M_i), i ∈ {1, 2}, two place/transition nets, then f = (f_P, f_T, f_M): N_1 → N_2 is called

loose if the following embedding condition holds:
(1) f_P(pre_1(t)) ≤ pre_2(f_T(t)) and f_P(post_1(t)) ≤ post_2(f_T(t)) for all t ∈ T_1
(2) f_P ∘ m_1 = m_2 ∘ f_M
This gives rise to the category QPT.

transition preserving if the following transition preserving conditions hold:
(1') f_P ∘ pre_1 = pre_2 ∘ f_T and f_P ∘ post_1 = post_2 ∘ f_T
(2) f_P ∘ m_1 = m_2 ∘ f_M
This gives rise to the category PT as given in [RP94].

Note that transition preserving morphisms are a special case of loose morphisms.

place preserving [Peu97] if it is a loose morphism and the following place preserving conditions³ hold:
(3) •(f_P(p)) = f_T(•p) and (f_P(p))• = f_T(p•) for all p ∈ P_1, where •p = {t | p ≤ post(t)} and p• = {t | p ≤ pre(t)} define the pre and post sets of p.
(4) f_T, f_P and f_M are injective
(5) λ f_P(p) ≤ M_2 ⟺ λ p ≤ M_1 for all λ ∈ ℕ, with M_i ∈ P_i^⊕ the initial markings corresponding to m_i: M_i → P_i

Remark: Condition (5) intuitively means that no tokens are added nor deleted on "old" places, that is, those which are mapped by f_P.

Example 4.3 (Place Preserving Morphisms in Elevator Example)

In figs. 2 to 4 the morphisms starting from the interfaces are transition preserving, as in the interfaces K_r1, K_r2 and K_r3 no transitions are given. The morphisms from the left hand sides to the right hand sides are place preserving, as in the right hand sides R_r1, R_r2 and R_r3 all new arcs are connected only to new places.

¹ Elements w of the free commutative monoid X^⊕ for some set X can be represented as w = Σ_{x∈X} λ_x x with coefficients λ_x ∈ ℕ. They can be considered as multisets. Free commutative monoids imply the operations ⊕, ⊖ and ≤ on linear sums.
² m: M → P is equivalent to the presentation as a linear sum (M = Σ_{p∈P} λ_p p) ∈ P^⊕. The coefficients λ_p are given by |m^{-1}(p)|. But the first representation gives rise to a cocomplete category satisfying the HLR-conditions (see [RP94]).
³ Note that we adapted the notion of [Peu97] to the algebraic approach and place/transition nets.

Fact 4.4 (PT satisfies the HLR-conditions)

Proof Idea: Analogously to the proof of thm. 4.1 in [RP94].

We show next that the category QPT with the subcategory PT and the class Q of place-preserving morphisms (see def. 4.2) satisfies the Q-conditions (see def. 3.3). The following facts are the technical backbone of this paper; their implications for software engineering are stated subsequently.

Fact 4.5 (The class Q of place-preserving morphisms is closed under composition)

Proof: Trivial.

Fact 4.6 (Preservation of Pushouts)

The inclusion functor I: PT → QPT preserves pushouts, that is, given C →f' D ←g' B a pushout of B ←f A →g C in PT, then I(C) →I(f') I(D) ←I(g') I(B) is a pushout of I(B) ←I(f) I(A) →I(g) I(C) in QPT.

Proof Idea: The proof uses the fact that pushouts in PT are constructed componentwise in SETS. Thus, there are unique induced morphisms in this category, whose combination is a unique QPT-morphism.

Fact 4.7 (Inheritance of Q-morphisms under Pushouts)

The class Q of place-preserving morphisms in QPT is closed under the construction of pushouts in QPT, that is, given C →f' D ←g' B a pushout of B ←f A →g C in QPT, then f ∈ Q ⟹ f' ∈ Q.

Proof Idea: The conditions of definition 4.2 for place preserving morphisms can be shown as follows: Condition 3 can be shown by the mutual inclusion of sets. The injectivity (condition 4) immediately follows by preservation of monomorphisms under pushouts. Condition 5 follows by the injectivity of f_M, condition 2, and the construction of the pushout object in SETS as the amalgamated sum for M_D.

Fact 4.8 (Inheritance of Q-morphisms under Coproducts)

The class Q of place preserving morphisms in QPT is closed under the construction of coproducts in QPT, that is, for A →f B and A' →f' B' we have f, f' ∈ Q ⟹ f + f' ∈ Q, provided the coproduct A + A' →(f+f') B + B' of f and f' exists in QPT.

Proof Idea: Coproducts in QPT are constructed componentwise in SETS and furthermore the inclusions are place preserving. In the proof mainly the properties of inclusions are exploited.

To formulate our main theorem we have to recall formulas over markings and their translations via morphisms. This allows expressing safety properties and their preservation via morphisms (see [Peu97]). The invariant formula □φ expresses safety properties in the sense of [MP92].

Definition 4.9 (Formulas, Translations)

λp is a static formula for λ ∈ ℕ and p ∈ P; static formulas are built up using the logical operators ∧ and ¬. Let φ be a static formula over N. Then □φ is an invariant formula. The validity of formulas is given with respect to the marking of a net. Let M ∈ P^⊕ be a marking; then M ⊨_N λp iff λp ≤ M. Further, M ⊨_N ¬φ iff ¬(M ⊨_N φ), and M ⊨_N φ_1 ∧ φ_2 iff (M ⊨_N φ_1) ∧ (M ⊨_N φ_2). The invariant formula □φ holds in N under M iff φ holds in all states reachable from M:

M ⊨_N □φ ⟺ ∀M' ∈ [M>: M' ⊨_N φ

The translation of formulas T_f over N_1 along a place preserving morphism f = (f_P, f_T, f_M): N_1 → N_2 under the marking M ∈ P_1^⊕ to formulas over N_2 is given for atoms by T_f(λp) = λ f_P(p). The translation of formulas is given recursively by T_f(¬φ) = ¬T_f(φ), T_f(φ_1 ∧ φ_2) = T_f(φ_1) ∧ T_f(φ_2), and T_f(□φ) = □T_f(φ).

Now we recall the preservation of formulas by place preserving morphisms.

Fact 4.10 (Place Preserving Morphisms Preserve Safety Properties)

Let f: N_1 → N_2 be a place preserving morphism and M_1 ∈ P_1^⊕ and M_2 ∈ P_2^⊕ be the initial markings of N_1 and N_2. Let φ be an invariant formula. Then the following holds:

M_1 ⊨_N1 φ ⟹ M_2 ⊨_N2 T_f(φ)

Proof Idea: Analogously to the corresponding proof of thm. 2 for elementary nets in [Peu97].
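As an added example (not code from the paper), the following Python checks the place preserving conditions of def. 4.2 for a morphism between two small constructed nets and applies the translation T_f of def. 4.9 to the door safety formula. The nets are an assumption made for this illustration: N1 is a one-floor fragment (cabin at f or f', door closed dc or open do), N2 adds request handling in the spirit of rule r1 with every new arc attached to a new place, and N3 additionally attaches a new transition to the old places dc1/do1, which violates condition (3). Markings are kept as linear sums (footnote 2), so the token map f_M is not represented separately and conditions (2) and (5) are checked together on the multiplicities.

```python
"""Place preserving morphism check (def. 4.2) and formula translation
(def. 4.9) over constructed place/transition nets; added example."""
from collections import Counter


def net(arcs, marking):
    """arcs: {transition: ("pre places", "post places")}; marking: "places".
    Returns a dict with the place set P, pre/post as Counters and the marking M."""
    pre = {t: Counter(p.split()) for t, (p, _) in arcs.items()}
    post = {t: Counter(q.split()) for t, (_, q) in arcs.items()}
    places = set(marking.split())
    for w in list(pre.values()) + list(post.values()):
        places |= set(w)
    return {"P": places, "pre": pre, "post": post, "M": Counter(marking.split())}


def leq(a, b):  # a <= b on linear sums
    return all(b[p] >= k for p, k in a.items())


def image(fP, w):  # f_P applied pointwise to a linear sum
    out = Counter()
    for p, k in w.items():
        out[fP[p]] += k
    return out


def pre_set(n, p):   # •p = {t | p <= post(t)}
    return {t for t, w in n["post"].items() if w[p] >= 1}


def post_set(n, p):  # p• = {t | p <= pre(t)}
    return {t for t, w in n["pre"].items() if w[p] >= 1}


def place_preserving(n1, n2, fP, fT):
    """Returns (ok, violated) with the numbers of def. 4.2's conditions that fail."""
    bad = []
    # (1) loose: f_P(pre1(t)) <= pre2(f_T(t)), likewise for post, for all t in T1
    if not all(leq(image(fP, n1[k][t]), n2[k][fT[t]]) for t in n1["pre"] for k in ("pre", "post")):
        bad.append("(1)")
    # (2)+(5): no tokens added or deleted on old places: M2(f_P(p)) = M1(p)
    if not all(n2["M"][fP[p]] == n1["M"][p] for p in n1["P"]):
        bad.append("(2)/(5)")
    # (3) pre and post sets of old places are exactly the images of the old ones
    if not all(pre_set(n2, fP[p]) == {fT[t] for t in pre_set(n1, p)}
               and post_set(n2, fP[p]) == {fT[t] for t in post_set(n1, p)} for p in n1["P"]):
        bad.append("(3)")
    # (4) injectivity of f_P and f_T
    if len(set(fP.values())) != len(fP) or len(set(fT.values())) != len(fT):
        bad.append("(4)")
    return (not bad, bad)


def implies(a, b):
    return ("not", ("and", a, ("not", b)))


def translate(phi, fP):
    """T_f of def. 4.9: atoms lam*p become lam*f_P(p); connectives are kept."""
    op = phi[0]
    if op == "atom":
        return ("atom", phi[1], fP[phi[2]])
    if op == "not":
        return ("not", translate(phi[1], fP))
    if op == "and":
        return ("and", translate(phi[1], fP), translate(phi[2], fP))
    if op == "always":
        return ("always", translate(phi[1], fP))
    raise ValueError(f"unknown operator {op}")


# N1: one floor (constructed). m moves the cabin, o/c open and close the door.
N1 = net({"m": ("f dc", "f' dc"), "o": ("f dc", "f do"), "c": ("f do", "f dc")}, "f dc")
# N2: N1 with floor index 1 plus requests: the cabin may only leave (m1) while
# there is no request; every new arc touches one of the new places nrq1/rq1.
N2_ARCS = {"m1": ("f1 dc1 nrq1", "f2 dc1 nrq1"), "o1": ("f1 dc1", "f1 do1"),
           "c1": ("f1 do1", "f1 dc1"), "r1": ("nrq1", "rq1"), "x1": ("rq1", "nrq1")}
N2 = net(N2_ARCS, "f1 dc1 nrq1")
# N3: N2 plus a transition o1' opening the door without the cabin, i.e. a new
# arc attached to the old places dc1 and do1.
N3 = net({**N2_ARCS, "o1'": ("dc1", "do1")}, "f1 dc1 nrq1")
fP = {"f": "f1", "f'": "f2", "dc": "dc1", "do": "do1"}
fT = {"m": "m1", "o": "o1", "c": "c1"}
DOOR_SAFETY = ("always", implies(("atom", 1, "do"), ("atom", 1, "f")))

if __name__ == "__main__":
    print("N1 -> N2 place preserving:", place_preserving(N1, N2, fP, fT))
    print("N1 -> N3 place preserving:", place_preserving(N1, N3, fP, fT))
    print("T_f(phi) =", translate(DOOR_SAFETY, fP))
```

The morphism into N2 passes all conditions, so by fact 4.10 the translated formula □(do1 ⇒ f1) holds in N2 without a new proof; the morphism into N3 fails condition (3) because •do1 gains the transition o1', which is exactly the kind of extension that can open a door with the cabin elsewhere.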

The following theorem provides sufficient conditions for propagating safety properties along transformation sequences. The general idea is that the application of a rule that preserves safety properties leads to a net transformation that preserves the same safety properties. In fact, those rules that have place preserving morphisms from the left to the right hand side preserve safety properties.

Definition 4.11 (Safety Preserving Rules and Q-Transformations)

Rules (r, f) with r = (L ← K → R) and f: L → R a place preserving morphism are called safety preserving rules. Transformations via a safety preserving rule are called Q-transformations.

Theorem 4.12 (Q-Transformations Preserve Safety Properties)

Let (r_i, f_i)_{1≤i≤n} be safety preserving rules and N_1 ⟹(r1,...,rn) N_2 the Q-transformation sequence via the r_i to the net N_2. Then there is a well-defined morphism f: N_1 → N_2 with f := f̄_n ∘ ... ∘ f̄_1 induced by the f_i: L_i → R_i for 1 ≤ i ≤ n, so that we have:

M_1 ⊨_N1 φ ⟹ M_2 ⊨_N2 T_f(φ)

with the initial markings M_1 of N_1 and M_2 of N_2.

Proof Idea: Due to fact 4.6, fact 4.7 and fact 4.8 the Q-conditions are satisfied. Thus we can use fact 3.4 to conclude that for each safety preserving rule (r_i, f_i)_{1≤i≤n} we obtain an induced place preserving morphism f̄_i. As place preserving morphisms are closed under composition (fact 4.5), f := f̄_n ∘ ... ∘ f̄_1 is place preserving as well. Thus the stated proposition follows from fact 4.10.

Example 4.13 (Q-Transformations for the Elevator)

Again we consider the example given in section 2 with respect to the safety property φ = □(do_n ⇒ f_n), meaning "The door in floor n is open always implies the elevator is at floor n". We have the following sequence of Q-transformations (fig. 5):

E0 ⟹(r1+r1+r2) E1 ⟹(r3) E2

[Figure 5: Sequence of Q-Transformations. The parallel rule L_r1 + L_r1 + L_r2 ← K_r1 + K_r1 + K_r2 → R_r1 + R_r1 + R_r2 is applied to E0 with pushout object C1, yielding E1 and the induced morphism f̄_{1,2}; the rule L_r3 ← K_r3 → R_r3 is applied to E1 with pushout object C2, yielding E2 and the induced morphism f̄_3.]

In the first Q-transformation from E0 to E1 we apply rules r1 and r2 (see figs. 2 and 3) in parallel. More precisely, we apply r1 twice and r2 once, as described in section 2. The parallel rule (r1 + r1 + r2) defined by (L_r1 + L_r1 + L_r2 ← K_r1 + K_r1 + K_r2 → R_r1 + R_r1 + R_r2, f1 + f1 + f2) is also safety preserving (see result 3.5). Its application yields the safety preserving morphism f̄_{1,2}. Analogously, the transformation from E1 to E2 via r3 (see fig. 4) yields the safety preserving morphism f̄_3. Thus, due to thm. 4.12, φ = □(do_n ⇒ f_n) is propagated to the place/transition net E2. In more detail we have: The translated formula T_{(f̄_3 ∘ f̄_{1,2})}(φ) is equal to φ because the f_i are inclusions and hence the f̄_i are inclusions as well. The marking M2 := f1 ⊕ dc1 ⊕ dc2 ⊕ dc3 ⊕ nrq1 ⊕ nrq2 ⊕ nrq3 ⊕ exr of E2 is obtained by the transformation sequence and satisfies φ in E2.

5 Future Work

First we want to raise the open question of what applications of these refinement morphisms can be found in other instances of high-level replacement systems, such as graphs, algebraic specifications, etc. Because safety as well as liveness properties require a dynamic behavior, these obviously cannot be transferred from one graph or algebraic specification to another. But certainly the examination of other properties that can be propagated in the frame of Q-morphisms, such as graph theoretic properties or persistency for algebraic specifications, is an interesting and presumably fruitful task. Nevertheless, we want to focus on extensions in the area of place/transition nets. We review our small example and examine how to improve the possible development steps and what extensions of our results are desirable from a software engineering point of view.

1. Rules that introduce safety properties: Consider the example in section 2. For explicitly reflecting repetitions in systems it would be more appropriate to introduce models for the control of the doors for each floor separately instead of beginning with the start net as given in figure 1. The rule in fig. 6 allows modeling each floor separately, but it requires introducing the safety conditions as a part of the rule (see bottom of the right hand side). This extension permits adding one floor by one rule combined with a safety condition. The iterated application of this rule yields an elevator with many floors and corresponding safety conditions. Nevertheless this safety condition has to be proven only once, namely for the rule. In general this extension provides the possibility to add new parts to the model and safety properties related to these new parts.

[Figure 6: Introducing a New Safety Property]

2. Rules that allow fusion of transitions: The above stated extension enforces another one, as we now have to be able to connect the different subnets for each floor. This could be achieved with a rule as depicted in figure 7, where the transitions m' and m'' are fused together. It is obvious that the morphism from the left hand side to the right hand side preserves safety properties. Nevertheless it violates the notion of place preserving morphism, which requires injectivity. Thus the notion of place preserving should be broadened, so that this morphism can be considered place preserving as well.

[Figure 7: Fusion of Transitions. The transitions m' and m'' of the left hand side are fused into m on the right hand side; places f, f', dc.]

3. Independence conditions for propagating safety properties: Remember the rule r3 in our example, where the exclusion of multiple requests is introduced in one step for all three floors. Especially when considering more floors, it would be more convenient to use recursion. The first rule adds the place exr, and the second allows connecting this new place with transitions (see figure 8). But then the second rule is no longer place preserving, as new arcs are added to the existing place exr. Nevertheless, the transformation from N to N'' is place preserving, as the "new" place is not part of N. In order to allow this we need suitable independence conditions that differentiate between places that have just been introduced and those that originate from the source net.

[Figure 8: Independence Condition. N (with places f, dc, do and transitions d, u, o1, c) is transformed to N', which adds the place exr, and then to N'', which connects exr to transitions.]

References

[EGPP98a] H. Ehrig, M. Gajewsky, and F. Parisi Presicce, High-Level Replacement Systems with Applications to Algebraic Specifications and Petri Nets, Handbook of Graph Grammars and Computing by Graph Transformations, vol. 3: Concurrency, Parallelism, and Distribution, ch. 4, to appear, 1998.
[EGPP98b] H. Ehrig, M. Gajewsky, and F. Parisi Presicce, High-Level Replacement Systems with Applications to Algebraic Specifications and Petri Nets, Lecture during the European School on Graph Transformations, Bremen, March 1998.
[EHKP91] H. Ehrig, A. Habel, H.-J. Kreowski, and F. Parisi Presicce, Parallelism and concurrency in high-level replacement systems, Math. Struct. in Comp. Science 1 (1991), 361-404.
[HEWC97] R. Heckel, H. Ehrig, U. Wolter, and A. Corradini, Integrating the Specification Techniques of Graph Transformation and Temporal Logic, Proc. MFCS'97, Springer, LNCS 1295, 1997.
[MP92] Zohar Manna and Amir Pnueli, The temporal logic of reactive and concurrent systems: specification, Springer-Verlag, 1992.
[Pad96] J. Padberg, Abstract Petri Nets: A Uniform Approach and Rule-Based Refinement, Ph.D. thesis, Technical University Berlin, 1996, Shaker Verlag.
[Pad98] J. Padberg, Categorical Approach to Horizontal Structuring and Refinement of High-Level Replacement Systems, Applied Categorical Structures (1998), accepted.
[PER95] J. Padberg, H. Ehrig, and L. Ribeiro, Algebraic high-level net transformation systems, Math. Struct. in Comp. Science 5 (1995), 217-256.
[Peu97] S. Peuker, Invariant property preserving extensions of elementary petri nets, Technical Report No. 97-21, TU Berlin (1997).
[PGE98] J. Padberg, M. Gajewsky, and C. Ermel, Rule-Based Refinement of High-Level Nets Preserving Safety Properties, Springer-Verlag, LNCS 1382 (1998), 221-238.
[RP94] L. Ribeiro and J. Padberg, Algebraic High-Level Nets and Transformations with Initial Markings, Tech. Report 94-7, Technical University of Berlin, 1994.
