IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 19, NO. 2, FEBRUARY 1993
Generalized Stochastic Petri Nets: A Definition at the Net Level and Its Implications
Giovanni Chiola, Marco Ajmone Marsan, Senior Member, IEEE, Gianfranco Balbo, and Gianni Conte, Member, IEEE
Abstract-The original proposals of several stochastic Petri net modeling techniques and of generalized stochastic Petri nets (GSPN) in particular were based mainly on the characteristics of their underlying stochastic processes. This led to the use of GSPN only as a shortened notation for the description of stochastic models. Although already quite useful in practice, this approach did not fully exploit the benefits of a Petri net description; in particular, it did not use any of the results of classical net theory. The integration of qualitative net theory results, together with the probabilistic analysis approach, requires a deep structural foundation of the GSPN definition. In this paper, the class of Petri nets obtained by eliminating timing from GSPN models while preserving the qualitative behavior is identified. Structural results for those nets are also derived, thus obtaining the first structural analysis of Petri nets with priority and inhibitor arcs. A revision of the GSPN definition based on the structural properties of the models is then presented. The main advantage is that for a (wide) class of nets, the definition of firing probabilities of conflicting immediate transitions does not require the information on reachable markings (which was, instead, necessary with the original definition). Identification of the class of models for which the net-level specification is possible is also based on the structural analysis results. The new procedure for the model specification is illustrated by means of an example, which shows the usefulness of the new approach. A net level specification of the model associated with efficient structural analysis techniques can have a substantial impact on model analysis as well.
Index Terms-Conflicts and concurrency, Markovian models, performance modeling, probabilistic specification, stochastic Petri nets, structural Petri net analysis, timed and immediate transitions, transition priorities.
Manuscript received March 16, 1992; revised June 15, 1992. This work has been partially supported by the CNR under Contract 90.04.085.CT12 and by MURST. Recommended by Tadao Murata.
G. Chiola and G. Balbo are with the Dipartimento di Informatica, Università di Torino, Torino, Italy.
M. A. Marsan is with the Dipartimento di Elettronica, Politecnico di Torino, Torino, Italy.
G. Conte is with the Dipartimento di Ingegneria dell’Informazione, Università di Parma, Parma, Italy.
IEEE Log Number 9206639.
0098-5589/93$03.00 © 1993 IEEE
I. INTRODUCTION
GENERALIZED stochastic Petri nets (GSPN) [1], [2] are a performance analysis tool based on the graphical system representation typical of Petri nets (PN) [3]-[6], in which some transitions are timed, while others are immediate. Random, exponentially distributed firing delays are associated with timed transitions, whereas the firing of immediate transitions takes place in zero time, with priority over timed transitions. The selection among possibly conflicting enabled immediate transitions is made through firing probabilities forming the so-called random switches.
GSPN’s were successfully applied to the performance analysis of a variety of systems whose main characteristics include concurrency and synchronization. Several successful areas of application of GSPN’s are worth mentioning: distributed computing systems (both in their hardware and software components) [7]-[11], local area network communication protocols [12]-[14], and flexible manufacturing systems [15], [16]. Nevertheless, acceptance of GSPN’s as a modeling tool has not been as widespread as the descriptive and analysis power of the tool deserves. This was due to two reasons: difficulty in the construction of the models and computational complexity in the model solution. Difficulty in the construction of the model derives essentially from the fact that, according to the original definition of GSPN’s [1], specification of random switches requires the information about the set of reachable markings. Complexity in the computation of the model solution stems from the very large state space typical of PN models of distributed systems and is encountered both with the simulative and the Markovian (numerical) analysis approach.¹
¹In the case of simulation, complexity is due to the requirements in terms of CPU time, whereas in the case of Markovian analysis the complexity issue arises both in time and in space.
In this paper, we focus on the model construction issue. However, the structural results that we present, and the new GSPN definition that depends only on the structure of the net, constitute the first necessary step to address the complexity problem as well. Indeed, the new definition will hopefully allow us to develop analysis techniques capable of exploiting the information inherent in the structure of the Petri net. This was simply not possible using the original definition of GSPN given at the state-space level because of the lack of correspondence between the semantics of the underlying net and the behavior of the timed model. Some partial successes in this direction have already been obtained, and the most significant examples are these: reduction rules that allow the elimination of immediate transitions from GSPN’s, producing equivalent (from the point of view of the underlying stochastic process) SPN models [17] and thus eliminating all vanishing markings (this technique cannot be applied unless firing probabilities are defined completely at the net level), computation of bounds on model performance for some special net classes [18], [19] (the computation is based on the analysis of the net structure rather than its state space), improvement of time and space efficiency of the computer programs implementing the numerical algorithms for the solution or simulation of GSPN models [20]-[24] (obtained by implementing concurrent firing of immediate transitions or by recognizing symmetries at the net level), and simplified procedure for solution of DSPN models [25] in which the analysis is performed by taking separate subnets into consideration individually (thus needing a definition at the net level since the solution is driven by the structure of the net).
A modeling technique that is not supported by analysis algorithms is of little use, no matter how powerful the formalism is in terms of descriptive power. In the particular case of GSPN’s, the relevance of efficient software tools cannot be emphasized enough since the GSPN approach would be impossible in real applications if it is not adequately automated. Introduction of some of the foregoing features into GreatSPN [23] (the tool for the development and analysis of GSPN models) has already produced a remarkable improvement in the efficiency of the software, expanding its applicability to larger models.²
Much research work was performed in the past on the analysis of the structural properties of PN’s, but neither priority nor timing were considered in those studies. When priority is absent and timing is associated with all the transitions in the net by means of continuous random variables with infinite support distributions, the presence of timing does not alter the logical behavior of the net. Stochastic Petri nets (SPN) [26], [27], in which an exponentially distributed delay is associated with each transition, are an example of timed nets with no priority that may preserve the reachability graph of the untimed model even in the timed environment.
Unfortunately, there are many other cases in which the presence of priority and/or timing alters the structural characteristics of the model. Hence, the need for extending the known results arises. Models in which PN transitions are associated with generally distributed firing delays, such as ESPN’s [28], do indeed exhibit qualitative behavior, which in general differs from that of the untimed PN. In the particular case of GSPN’s, the priority of immediate transitions over timed transitions and the mixing of exponentially distributed and null firing delays induces a qualitative behavior that is drastically different from that of the untimed PN if priorities are not taken into account at the PN level. The difference in qualitative behavior was not recognized as a problem in the definition of models such as GSPN’s and ESPN’s since the need for structural analysis was initially overlooked. GSPN’s, for instance, were defined at the behavioral (state-space) level not at the level of the net structure.
²The actual improvement depends on the model and may vary for different applications and different styles of modeling. On average, newest versions of the state space and Markovian analysis algorithms that take structural properties into account allow the solution of models 10 times larger than previous versions that did not, using the same amount of computational resources (memory and CPU time).
Definition of GSPN’s at the structural level, i.e., on the net itself rather than its state space, requires the development of the structural analysis of (untimed) PN’s with priorities. In this paper we expand on the work presented in [2] and introduce definitions and results concerning the structure of PN’s with priority and inhibitor arcs and then exploit these results for a definition of GSPN’s based on their structural properties. The main modeling advantage of the new definition is in a much simpler procedure for the model construction than was previously possible. In particular, the definition of random switches [1] is simplified and requires no information on reachable markings.
The paper is divided into eight sections. Sections II, III, and IV present definitions and properties concerning the type and structure of PN’s with priorities and inhibitor arcs: these are the nets derived from GSPN’s by removing timing while preserving qualitative behavior. An effort is made to integrate formal definitions with examples and informal descriptions, trying to ease the reader’s task (with some sacrifice in conciseness). Note that results that we present on the structural analysis of PN’s with priority and inhibitor arcs are novel. Later attempts to formally introduce priorities into PN’s (with different semantics) and to develop the structural analysis are reported in [29]-[31]. The structural results obtained for PN’s with priority and inhibitor arcs carry over to GSPN’s, and allow the identification of a class of models for which the specification of the firing probabilities of conflicting immediate transitions is possible at the net level. Section V discusses the introduction of temporal specifications into SPN and GSPN models, emphasizing the shortcomings inherent to the GSPN definition at the state-space level. Again, examples are used to support the statements.
Section VI contains the definition of GSPN at the net level for the class of models identified in the previous sections by using the structural analysis. For such models, the definition of random switches does not require any information about reachable markings, so that the model specification can be performed independently of its state space analysis. Section VII details the construction of the GSPN model of a flexible manufacturing system cell, trying to emphasize the advantages of the approach. (A nonstandard example in an important application field in which other performance evaluation tools prove not to be satisfactory was selected on purpose.) Finally, Section VIII contains the concluding remarks and comments on future research topics.
II. BASIC PN NOTATION AND PROPERTIES
In this section, we introduce and study some properties of the class of nets that are obtained from GSPN’s by removing temporal specifications. The formalism is illustrated on a running example, with the hope of reducing the reader’s effort in mastering notation and concepts. A Petri net with priorities and inhibitor arcs can be defined as a seven-tuple:
$$PN = (P, T, \Pi(\cdot), W^-(\cdot), W^+(\cdot), W^H(\cdot), M_0). \tag{1}$$
CHIOLA et al.: GENERALIZED STOCHASTIC NETS: A DEFINITION AT THE NET LEVEL
It comprises a set of places $P$, a set of transitions $T$ (with $P \cap T = \emptyset$), four functions defined on transitions, and an initial marking $M_0$. This definition is a direct extension of the class of P/T nets formalized in [6]. Although the notions of priorities and inhibitor arcs are quite old in the Petri net literature (see, e.g., [4]) they were seldom studied from a structural point of view [32]. It is only very recently, due to the demand posed by GSPN’s, that a comprehensive study of their semantics and structural properties has been attempted [30], [31].
Fig. 1. Example of a Petri net.
A. The Net Structure
The structure of a PN can be graphically represented with a directed bipartite graph in which the two types of nodes (places and transitions) are drawn as circles and either bars or boxes, respectively. The priority function $\Pi(\cdot)$ maps transitions into nonnegative natural numbers, representing their priority level. We use the shortened notation $\pi_j$ instead of $\Pi(t_j)$ to indicate the priority level of any transition $t_j \in T$. In the graphical representation of PN, transitions have a label indicating their associated priority level; by default, priority 0 transitions are drawn as boxes, and transitions at priority $\ge 1$ as bars. The default priority value for a transition represented by a bar is 1. We denote by $\pi_{MAX}$ the maximum priority level of the net, defined as $\pi_{MAX} = \max_{t_j \in T} \pi_j$. Without loss of generality, we assume that $\forall\, 0 \le l \le \pi_{MAX}, \exists t_k \in T : \pi_k = l$.
The input, output, and inhibition functions ($W^-(\cdot)$, $W^+(\cdot)$, and $W^H(\cdot)$) map transitions on “bags” (or multisets, i.e., sets with multiplicity) of places. Finite bags can always be represented by vectors of nonnegative integers of appropriate dimension, and we employ the usual vector notation for bag operations whenever convenient. In particular, we denote by $w_j^-(t_k)$, $w_j^+(t_k)$, and $w_j^H(t_k)$ the multiplicity of input, output and inhibitor arcs connecting place $p_j$ to transition $t_k$. We denote by ${}^\bullet t$, $t^\bullet$, and ${}^\circ t$, respectively, the set of input, output, and inhibition places of transition $t$, i.e., $\forall t \in T$, ${}^\bullet t = \{p_j \in P \mid w_j^-(t) > 0\}$, etc. The input and output functions are represented by directed arcs from places to transitions and vice versa, respectively. The inhibition function is represented by circle-headed arcs connecting every place $p_j \in {}^\circ t_k$ to the transition $t_k$ itself. When multiplicity is greater than one, it is written as a number next to the arc.
For example, in Fig. 1 the graphical representation of a PN is shown. It consists of seven places ($P = \{p_1, p_2, p_3, p_4, p_5, p_6, p_7\}$) and seven transitions ($T = \{t_1, t_2, t_3, t_4, t_5, t_6, t_7\}$). Transitions $t_1$, $t_6$, and $t_7$ have priority 0 (default for boxes), transitions $t_2$ and $t_3$ have priority 2 (indicated by the “$\pi = 2$” label), and transitions $t_4$ and $t_5$ have priority 1 (default for bars). Transition $t_1$ is connected to $p_1$ through an input arc, and to $p_2$ through an output arc. Place $p_5$ is both input and output for transition $t_4$. Only one inhibitor arc exists in the net, connecting $p_6$ to $t_5$.
B. The Marking
Places may contain tokens, drawn as black dots. The state of a PN is defined by the number of tokens contained in each place. The PN state is usually called the PN marking and is a bag of places $M$ represented by the $p$-component vector $(m_1, \ldots, m_p)$ whose $j$th component is a natural number representing the multiplicity of place $p_j$ into marking $M$. $M_0$ is called the initial marking of a PN and determines its initial state. In specifying the initial marking of a net, when the number of tokens to be allocated into a place is large or may vary within a range without changing the semantics of the model, positive integer parameters may be defined. In these cases the token representation in places is substituted by the name of the parameter. In the initial marking of the net in Fig. 1, $p_1$ contains $K$ tokens (where the parameter $K$ assumes the value 5 in this case), $p_5$ contains one token, and all other places are empty.
C. Firing Rules
The dynamic behavior of a PN is defined in terms of the so called “token game.” A transition $t$ is said to have concession in marking $M$ iff $M \ge W^-(t) \wedge \forall p_j \in {}^\circ t,\ m_j < w_j^H(t)$. Let $\Gamma(M)$ denote the set of all transitions that have concession in marking $M$. A transition $t_j$ is defined to be enabled in marking $M$ (denoted $M[t_j\rangle$) iff $t_j \in \Gamma(M)$ and $\forall t_k \in \Gamma(M)$, $\pi_j \ge \pi_k$. Consequently in this definition, only transitions of the same priority level can be enabled in a marking. Any transition $t$ that is enabled in a marking $M$ can fire, producing a new marking:
$$M' = M + W^+(t) - W^-(t). \tag{2}$$
The firing operation is denoted as $M[t\rangle M'$, meaning that $M[t\rangle$, and that $M'$ satisfies (2). We define a transition sequence starting from marking $M$, as $\sigma_M = (t_1, \ldots, t_k)$ to be any sequence of transitions $t_j$ (the $j$th transition) such that: $\exists M_1, \ldots, M_k$ such that $M[t_1\rangle M_1$, and $\forall j : 1 < j \le k$, $M_{j-1}[t_j\rangle M_j$. Given any transition sequence $\sigma_M$, we can define its firing count as the bag of transitions $w(\sigma_M) = \sum_{j=1}^{k} [t_j]$.³ A marking $M'$ is said to be reachable from a marking $M$ (denoted by $M[\sigma_M\rangle M'$) iff there exists a sequence $\sigma_M$ such that $M_k = M'$.
In our example in Fig. 1, only transition $t_1$ is enabled in the initial marking. Its firing yields $M_0[t_1\rangle M_1$. Marking $M_1$ has $K - 1$ tokens in place $p_1$, one token in places $p_2$ and $p_5$, and no tokens in the other four places of the net. In marking $M_1$, transition $t_1$ is not enabled any more due to the priority structure of the net; only the two transitions $t_2$ and $t_3$ are enabled.
³The sum on bags is defined by $\forall n, m \in \mathbb{N}, \forall t_a, t_b \in T$, $[n t_a] + [m t_a] = [(n + m) t_a]$, $[n t_a] + [m t_b] = [n t_a, m t_b]$.
D. Effective Conflict
Informally, when the firing of a transition $t_l$ disables another previously enabled transition $t_m$, we say that $t_m$ is in conflict with $t_l$. The usual conflict relation for ordinary Petri nets [6] does not account for priorities and is defined to be commutative. The notion of effective conflict can be introduced in nets with priorities as a binary relation between transitions. This relation is, in general, noncommutative, unreflexive, and intransitive. Transition $t_m$ is said to be in effective conflict with $t_l$ in marking $M$ (and this will be indicated as $t_l\ EC(M)\ t_m$) if and only if $t_m$ has concession in $M$, $t_l$ is enabled in $M$, and marking $M'$ obtained after the firing of $t_l$ ($M[t_l\rangle M'$) is such that $t_m$ has not concession in $M'$.
III. STATIC PROPERTIES OF PETRI NETS WITH PRIORITIES AND INHIBITOR ARCS
In this section, we develop for the class of PN’s under consideration concepts and definitions of properties that can be computed statically from the net structure and initial marking, independently of information that can be obtained by playing the token game.
A. Linear Invariants
If we define the incidence function $C(\cdot) = W^+(\cdot) - W^-(\cdot)$, we can rewrite (2) in a form in which the composition between the incidence function and the transition looks like a “scalar product” in linear algebra: $M' = M + C \cdot t$. Due to the linearity of the firing operator, it is trivial to obtain the equation: $M_k = M + C \cdot w(\sigma_M)$. Priorities and inhibitor arcs are simply neglected, so that we can use standard Petri net concepts and techniques to compute place and transition invariants [5]. Any column vector $x'$ of nonnegative integers (having the cardinality of $T$ as dimension) that is a nontrivial solution of the matrix equation $C \cdot x' = 0$ (and that is called “transition invariant”) can be the representation of the firing count of a transition sequence $\sigma_M$ that brings the PN back to the starting marking $M$. On the other hand, any row vector $y'$ of nonnegative integers (having the cardinality of $P$ as dimension) that is a nontrivial solution of the matrix equation $y' \cdot C = 0$ (and that is called “place invariant”) has the property that $\forall \sigma_M, \forall j \le k$, $y' \cdot M = y' \cdot M_j$. All place invariants of a PN can be obtained as positive linear combinations of a finite set $PI$ of generators $y$, called minimal-support place invariants (P invariants). Similarly, all transition invariants can be obtained as positive linear combinations of a finite set $TI$ of generators $x$, called minimal-support transition invariants (T invariants). Efficient algorithms exist for the computation of P and T invariants [33].
Transition invariants identify possible repetitive components of transition sequences (i.e., subsequences of transitions that, if firable, make the net perform a tour from a marking back to itself). The actual possibility of firing a T invariant as a (repetitive) transition sequence depends on the initial marking. In case of ordinary Petri nets without priorities or inhibitor arcs, a minimal initial marking always exists such that all T invariants are firable. In case of extended nets with priorities and inhibitor arcs, a T invariant may be firable as a transition sequence for no initial marking. In any case, the actual fireability should be checked for a given $M_0$.
Place invariants identify marking-conservative place bags (i.e., positive integer weights associated with places that yield a constant weighted token count, independently of any transition firing). The invariance relation is totally independent of the initial marking and of the presence of priorities and inhibitor arcs. The scalar product between a P invariant $y$ and any marking $M$ reachable from $M_0$ yields a constant $\tau_y(M_0)$ (whose value depends only on $M_0$), the (weighted) token count of the invariant. The linear equation resulting from this scalar product is called a marking invariant (M invariant). Other interesting invariant relations could be stated on the reachable markings of a net besides M invariants once the initial marking $M_0$ is defined. In particular, the computation of M invariants does not account for the presence of inhibitor arcs and priorities in the net, so that, in general, the list of M invariants is certainly not an exhaustive list of the invariant relations that hold independently of the firing of transition sequences. It is, however, an exhaustive representation of the invariant relations that can be expressed in linear form in nonnegative arithmetics, as argued in [32]. Experience, however, shows that in several cases, if inhibitor arcs are not abused,⁴ the information gained by observing M invariants can be quite useful. In [11], a complete example of formal correctness proof of a complex (colored) GSPN model based on structural properties (mostly P invariants) is shown, despite the presence of two priority levels and of several inhibitor arcs.
In our example depicted in Fig. 1, two minimal-support place invariants can be identified, composed of places $p_1$, $p_2$, $p_3$, $p_4$, $p_6$, $p_7$, and places $p_5$, $p_7$, respectively, all with multiplicity 1. Thus, $PI = \{y_1, y_2\}$, with $y_1 = [p_1, p_2, p_3, p_4, p_6, p_7]$ and $y_2 = [p_5, p_7]$. The first place invariant has a token count of $K$, while the second one has a token count of 1, i.e., $\tau_{y_1}(M_0) = K$ and $\tau_{y_2}(M_0) = 1$. Since each place of the net is contained in at least one P invariant with a token count less than or equal to $K$ (= 5), it is not possible to accumulate more than $K$ tokens in a place, hence the net in Fig. 1 is (structurally) $K$ (in this case, 5) bounded. Similarly, two minimal-support transition invariants can be computed. They consist of transitions $t_1$, $t_2$, $t_4$, $t_6$, and transitions $t_1$, $t_3$, $t_5$, $t_7$, respectively. Both T invariants can be “implemented” as firing sequences starting from the initial marking of the net.
⁴Normally, one can express most of the characteristics of a Petri net model using input and output arcs and conveniently use inhibitor arcs only in particular situations where they yield substantially more compact model representations. Hence, usually most of the behavioral characteristics can be derived from the net structure even if inhibitor arcs are neglected.
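The firing rules with priorities and inhibitor arcs, the effective conflict relation, and the invariant and boundedness claims made for Fig. 1 can be checked mechanically by playing the token game. The following Python code is an added example, not code from the paper: the priorities, $K$, the initial marking and the arcs named in the text come from the page, while the remaining arcs of the net are an assumption, chosen to be consistent with the stated P and T invariants.

```python
from collections import deque

PLACES = ("p1", "p2", "p3", "p4", "p5", "p6", "p7")
IDX = {p: i for i, p in enumerate(PLACES)}
K = 5  # value of the parameter K in Fig. 1

# transition: (priority, input bag W-, output bag W+, inhibitor bag W^H).
# From the page: the priorities, t1 (p1 -> p2), the p5 self-loop of t4 and
# the inhibitor arc from p6 to t5. ASSUMED: every other arc, chosen so that
# the P invariants {p1,p2,p3,p4,p6,p7}, {p5,p7} and the T invariants
# {t1,t2,t4,t6}, {t1,t3,t5,t7} stated in the text hold.
NET = {
    "t1": (0, {"p1": 1}, {"p2": 1}, {}),
    "t2": (2, {"p2": 1}, {"p3": 1}, {}),
    "t3": (2, {"p2": 1}, {"p4": 1}, {}),
    "t4": (1, {"p3": 1, "p5": 1}, {"p5": 1, "p6": 1}, {}),
    "t5": (1, {"p4": 1, "p5": 1}, {"p7": 1}, {"p6": 1}),
    "t6": (0, {"p6": 1}, {"p1": 1}, {}),
    "t7": (0, {"p7": 1}, {"p1": 1, "p5": 1}, {}),
}

def marking(bag):
    """Turn a {place: tokens} bag into the vector (m_1, ..., m_p)."""
    return tuple(bag.get(p, 0) for p in PLACES)

M0 = marking({"p1": K, "p5": 1})
Y1 = ("p1", "p2", "p3", "p4", "p6", "p7")  # first P invariant, weights 1
Y2 = ("p5", "p7")                          # second P invariant, weights 1

def has_concession(m, t):
    """M >= W-(t) and every inhibition place holds fewer tokens than its arc."""
    _, w_in, _, w_inh = NET[t]
    return (all(m[IDX[p]] >= w for p, w in w_in.items())
            and all(m[IDX[p]] < w for p, w in w_inh.items()))

def enabled(m):
    """Transitions with concession that have maximal priority among them."""
    gamma = [t for t in NET if has_concession(m, t)]
    if not gamma:
        return set()
    top = max(NET[t][0] for t in gamma)
    return {t for t in gamma if NET[t][0] == top}

def fire(m, t):
    """Firing rule (2): M' = M + W+(t) - W-(t), allowed only if t is enabled."""
    if t not in enabled(m):
        raise ValueError(f"{t} is not enabled in {m}")
    _, w_in, w_out, _ = NET[t]
    new = list(m)
    for p, w in w_in.items():
        new[IDX[p]] -= w
    for p, w in w_out.items():
        new[IDX[p]] += w
    return tuple(new)

def reachability_set(m0):
    """Breadth-first exploration of all markings reachable from m0."""
    seen, queue = {m0}, deque([m0])
    while queue:
        m = queue.popleft()
        for t in enabled(m):
            nxt = fire(m, t)
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def effective_conflict(m, tl, tm):
    """True iff tm is in effective conflict with tl in marking m."""
    if tl == tm or tl not in enabled(m) or not has_concession(m, tm):
        return False
    return not has_concession(fire(m, tl), tm)

def token_count(y, m):
    """Weighted token count of a P invariant with unit weights."""
    return sum(m[IDX[p]] for p in y)

if __name__ == "__main__":
    rs = reachability_set(M0)
    print("reachable markings:", len(rs))
    print("enabled in M0:", sorted(enabled(M0)))
    print("enabled in M1:", sorted(enabled(fire(M0, "t1"))))
    print("P invariants hold:", all(token_count(Y1, m) == K and
                                    token_count(Y2, m) == 1 for m in rs))
```

Because the exploration uses `enabled` rather than `has_concession`, a lower-priority transition such as t1 never fires from a marking in which t2 or t3 has concession, which is the behaviour the text describes for $M_1$.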
B. Mutual Exclusion
Two transitions $t_l$ and $t_m$ are effectively mutually exclusive (denoted by $t_l\ EME\ t_m$) if and only if they cannot be simultaneously enabled in any reachable marking. This relation, which is peculiar for Petri nets with priorities and inhibitor arcs, is unreflexive and commutative. Unfortunately, the foregoing definition requires the complete knowledge of the possible firing sequences. It is not very difficult, however, to find a (by no means exhaustive) set of sufficient conditions for $EME$ that can be checked a priori (i.e., without playing the token game) and that are based either on structural properties or on M invariants. Trivially, two transitions belonging to different priority levels are mutually exclusive due to priority. Another more subtle case of $ME$ due to priority (denoted $\Pi ME$) is:
$$t_l\ \Pi ME\ t_m \text{ iff } \exists t_k : \pi_k > \pi_l \wedge \pi_k > \pi_m \wedge \forall p_j \in P,\ w_j^-(t_k) \le \max(w_j^-(t_l), w_j^-(t_m)) \wedge (w_j^H(t_k) = 0 \vee w_j^H(t_k) \ge \min(w_j^H(t_l), w_j^H(t_m)) > 0). \tag{4}$$
Informally, two transitions (at the same priority level) are $\Pi ME$ if, in order to make both have concession at the same time, a third higher priority transition is always made to have concession. A condition for structural mutual exclusion due to the presence of inhibitor arcs is called $HME$ and is defined by $t_l\ HME\ t_m$ iff $\exists p_k \in P$:
o < w c ( t i >5 w i ( t m )v o < W f ( t m )0
(7)
i.e., a structural conflict exists when the firing of transition $t_l$ either decrements the marking of some input place or increments the marking of some inhibition place of transition $t_m$. Structural conflict is a necessary, but not sufficient, condition for effective conflict; for example, two transitions that share some input place, but that are also mutually exclusive, are in structural, but not in effective, conflict. Moreover, there can be markings such that both $t_l$ and $t_m$ can fire without disabling each other. In our example in Fig. 1 transitions $t_2$ and $t_3$ are both in structural and in effective conflict with each other. Analogously, $t_4$ is both in structural and in effective conflict with $t_5$ due to the interaction on the input place $p_5$, and, vice versa, $t_5$ is both in structural and in effective conflict with $t_4$ due to the interaction on the output/inhibition place $p_6$.
Informally, the $MME$ condition requires that the token count of the M invariant prevent the two transitions from having simultaneously concession in any reachable marking. Any one of the foregoing four conditions can be checked without computing the actual transition sequences, and is sufficient for the $EME$ relation. The notation $t_l\ SME\ t_m$ (structural mutual exclusion) is used as a synonym of $t_l\ HME\ t_m \vee t_l\ \Pi ME\ t_m \vee t_l\ MME\ t_m$. The notion of structural mutual exclusion is computed independently of the actual possibility of $EME$ in particular transition sequences (it depends only on the initial marking through the $MME$ relation). The drawback inherent in the use of $SME$ instead of $EME$ is that we may be unable to recognize all cases of mutual exclusions in a net, so that we may sometimes be unable to prove the correctness of a correct net (where the correctness criteria are based on $ME$) by structural analysis (see Section III-H).
D. Causal Connection
A dual concept of structural conflict is one of causal connection, which states that the firing of a transition $t_l$ can determine the enabling of another transition $t_m$ that was not previously enabled. Also, this relation is significant for nets with inhibitor arcs. Formally, we say that transition $t_m$ is causally connected ($CC$) to $t_l$ (denoted by $t_l\ CC\ t_m$) iff
$$W^-(t_m) \cdot C^+(t_l) + W^H(t_m) \cdot C^-(t_l) > 0 \tag{8}$$
i.e., causal connection exists when the firing of the first transition either increments the marking of some input place or decrements the marking of some inhibition place of the second one. The structural relation of causal connection is a necessary, but not sufficient, condition for the firing of a transition to enable another transition. In our example in Fig. 1, among others, the following $CC$ relations hold: $t_1\ CC\ t_2$, $t_2\ CC\ t_4$, $t_4\ CC\ t_6$, $t_7\ CC\ t_4$, and $t_6\ CC\ t_5$. Only in the first case is the structural relation sufficient to determine the enabling of $t_2$ after firing $t_1$; in the other cases, the second transition involved in the relation may remain disabled after the firing of the first one, either because of lack of concession (e.g., no token in place $p_5$), or due to the priority structure (e.g., the firing of $t_7$ when one token is present in $p_4$ and no tokens are present in $p_1$).
Fig. 2. An example of indirect conflict.
Fig. 3. Structural reduction of indirect conflict.
E. Causally Connected Set and Indirect Conflict
In the case of nets with many different priority levels, more complex situations of conflict may arise. A third concept of conflict can thus be introduced for PN, that of indirect conflict. The problem is best illustrated by an example. The net depicted in Fig. 2 represents one such situation. In this PN, transitions $t_1$ and $t_2$ are at the same priority level, while transition $t_3$ has a priority level higher than the others. Transitions $t_2$ and $t_3$ are in structural conflict with each other, but since $t_3$ has higher priority, it certainly fires immediately after $t_1$. Therefore, if $t_2$ does not fire before $t_1$, it has no chance to fire before $t_3$, and the “actual choice” on whether to disable $t_2$ is implemented already by the selection between $t_1$ and $t_2$. In situations like this, we say that $t_2$ is indirectly conflicting with $t_1$. This problem can also be viewed at the structural level by transforming the net of Fig. 2 into that of Fig. 3, which is behaviorally equivalent for what concerns the lower priority levels. Indeed, firing transition $t_1'$ is equivalent to the firing of $t_1$ when $t_2$ fires first, whereas the firing of transition $t_1''$ represents the firing of $t_1$ first, immediately followed by the firing of $t_3$ (which has priority over $t_2$). From this “structurally reduced” net, it is apparent that $t_1''$ and $t_2$ are in conflict (both structural and effective in $M_0$) with each other.
In order to check for structural situations of the type depicted in Fig. 2, we need a more sophisticated relation of causal connection between two transitions $t_l$ and $t_k$ while a third transition $t_m$ is enabled. We call this situation “conditional causal connection” ($CCC$). The relation between $t_l$ and $t_k$ is derived from the $CC$ relation, but, since the effect of transition $t_l$ on $t_k$ is interesting only in the case that a third transition $t_m$ is already enabled, the input and inhibition places common to $t_m$ and $t_k$ need a special attention. The effect of $t_l$ must be combined with the condition that if common places exist between $t_m$ and $t_k$, the fact that $t_m$ was already enabled prior to the firing of $t_l$ means that these common places already contained at least as many tokens as the multiplicity of the input arcs that connect them to $t_m$. Similar considerations may be used for what concerns the inhibition places of $t_m$ and $t_k$. Formally, these conditions are represented in the following definition:
(9)
As mentioned previously, the use of SME instead of EME leads to less powerful, although correct, results but is necessary in order to avoid the computation of the reachability graph and to maintain the complexity of the analysis polynomial in the size of the net. The situation of indirect conflict represented in Fig. 2 shows a case of conditional causal connection between t1 and t3 given t2 (t1 CCC_{0,t2} t3), and can be generalized to more complex structures assuming that place p3 is expanded into an arbitrarily long chain of places connected through transitions with priority level greater than Π(t2) to make sure that the firing of t1 actually interferes with that of t2. To test for the existence of similar structures, we can take the transitive and reflexive closure of the conditional causal connection with respect to priority levels higher than π, defining the causally connected set at priority π as

$$CCS_{\pi,t_j}(t_k) = \{\, t_l \mid \pi_l = \pi \wedge t_l \; CCC_{\pi,t_j} \, CCC^{*}_{\pi+1,t_j} \; t_k \,\} \qquad (10)$$

where the star operator "*" represents the transitive and reflexive closure of a binary relation. The CCS associated with transition t_k comprises all the transitions that are causally connected with t_k without altering the enabling condition of transition t_j. Using the notation just introduced, it is now possible to formalize the concept of indirect structural conflict: t_i ISC t_j iff
which represents a necessary condition for the firing of a transition t_i to indirectly determine the disabling of a transition t_j through sequences of higher priority transitions.
F. Extended Conflict Set

When possibly conflicting transitions are enabled in the same marking, a choice needs to be made in deciding which one among the effectively conflicting transitions is to be fired next. Partitioning the transitions belonging to the same priority level is thus needed to identify the sets of potentially conflicting sets, called extended conflict sets. A first structural identification of extended conflict sets was proposed in [2]. Here we improve that original proposal by using a more precise version of the mutual exclusion relation. In order to define this partition, we need an equivalence relation derived from the structural conflict relations SC and ISC. First, we can symmetrize the conflict and account for mutual exclusion, defining a relation of symmetric structural conflict (SSC):
The transitive and reflexive closure of the symmetric structural conflict SSC* is obviously an equivalence relation that can be used to group transitions into possibly conflicting classes. The extended conflict set for a transition t_i is thus defined as follows:

$$ECS(t_i) = \{\, t_m \mid t_i \; SSC^{*} \; t_m \,\} \qquad (13)$$
Note that the definition of ECS takes explicitly indirect conflict into account, so that transitions that may affect each other's enabling either directly or through an arbitrarily long sequence of higher priority transitions belong to the same ECS. In the case of the PN in Fig. 1, two nontrivial extended conflict sets can be computed:

ECS(t2) = {t2, t3}, ECS(t3) = {t2, t3}, ECS(t4) = {t4, t5}, ECS(t5) = {t4, t5}

while the other three transitions cannot be enabled in conflict with any other transition.
G. Confusion

In general Petri nets, the nondeterminism associated with the firing of simultaneously enabled transitions might, at first glance, suggest that the order of firing of simultaneously enabled transitions is immaterial for the evolution of the net: when simultaneously enabled transitions are not in conflict, one could even think that their concurrent firing could be attained without altering the general behavior of the net. In fact, the actual resolution of a conflict may depend on the firing of sequences of transitions that are not in conflict with each other. The problem, known in the literature under the name "confusion" [34], is illustrated by the net in Fig. 4. This PN is identical to the one in Fig. 2, except for the fact that all three transitions have the same priority. The two enabled transitions t1 and t2 are not in conflict with each other; nevertheless, if t1 fires, then transition t3 becomes enabled in conflict with t2, thus yielding a conflict resolution with an associated decision to be made. On the contrary, the firing of t2 first does not raise any conflict, thus resulting in a single final marking. Hence, transitions t1 and t2 cannot fire concurrently even if they are not in conflict, and a decision on which one to fire first determines the subsequent behavior of the model. Models comprising confusion are usually considered to be semantically wrong; the absence of confusion can then be considered a correctness criterion for a PN model. The net in Fig. 4 illustrates the case in which confusion arises because of the enabling of a conflicting transition. This case is known in the literature as "asymmetric confusion" [34]. The problem of confusion is substantially affected by the availability of several priority levels. If we start with a PN in which transitions are partitioned into extended conflict sets satisfying the definition stated in (13), only asymmetric confusion may arise. Structural sufficient conditions for absence of confusion in priority nets are developed in the following for the first time.

Fig. 4. Example of Confusion.
H. Structurally Confusion-Free Nets

Since the structural pattern to be checked for is the same as in the case of indirect conflict, we can exploit the concept of the causally connected set defined in (10) also to check for structural confusion freeness. In particular, we are interested in deriving conditions that guarantee the absence of confusion only in subnets comprising transitions with priority higher than a given threshold. A sufficient condition for a PN to be confusion free at priority levels greater than or equal to π is that

$$CF_{\pi}(PN) \;\text{if}\; \forall t_l \in T: \pi_l \ge \pi,\ \forall t_k \in ECS(t_l): k \ne l,\ \forall t_m \in CCS_{\pi_l,t_l}(t_k),\ t_l \; SME \; t_m. \qquad (14)$$

The condition is not necessary since, as already discussed, we use the notion of SME instead of the stronger (but more difficult to compute) notion of EME. Also, in this case, obtaining a necessary and sufficient condition appears not to be possible without the observation of all sequences of markings and transition firings. The largest structural class of nets that is known to be confusion free is the one of "free-choice" nets [35], which is, however, too restrictive for the modeling of many real systems. Moreover, they cannot be extended to priority nets
since, due to the possibility of indirect conflicts, the absence of confusion is guaranteed only if the whole net (independently of priority levels) is free choice; nets in which subnets comprising transitions of equal priority levels are individually free choice are not guaranteed to be confusion free. The test represented by (14) obviously recognizes free-choice nets to be confusion free, but employing additional information on the structure of the PN and on the invariant properties of its reachable markings recognizes the absence of confusion also in nets with a more complex structure. By applying the check of (14) to the example in Fig. 1, it is possible to determine that the model is confusion free at priority level 1, despite the presence of the triples of transitions t2, t4, t5, and t3, t4, t5 that apparently exhibit a structural pattern of the type outlined in Fig. 4. However, no confusion may occur because of the higher priority level (π = 2) of transitions t2 and t3.
IV. DYNAMICS OF PETRI NETS

In Section II-C, we introduced the dynamic behavior of a PN by describing its token game. We also introduced the concept of marking as the current state of the model and the change of state from a marking verifying some enabling preconditions to another by the firing of one enabled transition. The dynamics specified by the token game can be interpreted as the definition of a state machine whose states are the markings reachable from M0 and whose state changes correspond to transition firings. This apparently trivial mapping of the PN dynamics into its state space behavior should, however, be modified in order to account for the intrinsic concurrency of PN's. Indeed, enabling-and-firing rules allow concurrent transition firings when several nonconflicting transitions are enabled in the same marking (the standard term in the literature on P/T nets is "transition steps" [6]). The extension to nets with transition priority [29] and inhibitor arcs is not trivial [30]. To take this possibility of concurrency into account, we introduce a new concept of state space based on the firing of "transition batches."

A. Concurrent Transition Firing

A transition batch x is defined as a bag of transitions. A transition batch x is said to be positive iff at least one transition t_j ∈ T is contained in x. We define the class of unitary batches t_j as transition bags containing only transition t_j with multiplicity one. Functions mapping transitions onto transition bags are trivially extended to transition bag domains by taking the sum of the functions applied to the individual components of the argument.

A positive transition batch x is said to have concession in marking M iff

$$\forall t_j : x_j > 0,\quad M \ge x_j \cdot W^{-}(t_j) + W^{-}(x - x_j \cdot t_j) \;\wedge\; \forall p_k \in {}^{\circ}t_j,\ m_k + W_k^{+}(x - t_j) < W_k^{h}(t_j) \qquad (15)$$

i.e., if any individual transition comprised in the batch x can proceed concurrently with the rest of the batch itself. We denote by Γ(M) the set of all transition batches that have concession in marking M.

Given two positive transition batches x and y, it is very easy to prove that if x ∈ Γ(M) and if y ≤ x, then y ∈ Γ(M). A necessary condition for a transition batch x to have concession is thus that all its component transitions have concession. Focusing the attention on the concession of unitary transition batches, we return to the case of transition concession. Any positive transition batch x is defined to be enabled in marking M iff x ∈ Γ(M) and ∀t_j such that x_j > 0 and ∀t_k ∈ Γ(M), π_j ≥ π_k. As a consequence of this definition, only batches composed of transitions of the same priority level can be enabled in a marking. We extend the notation [M, x) to indicate that the positive transition batch x is enabled in marking M. We define the enabling degree function E_i(M) associated with transition t_i as the maximum multiplicity of transition t_i in any transition batch x that is enabled in marking M, i.e.,

$$\forall t_i \in T, \quad E_i(M) = \max_{x : [M, x)} x_i.$$

Any transition batch x that is enabled in a marking M can fire, producing a new marking: M[x)M' = M + W^+(x) − W^-(x). We can then define a transition batch sequence starting from a marking M, as σ_M = (x_1, ..., x_k), to be any sequence of transition batches x_j (the jth batch) such that ∃M_1, ..., M_k such that M[x_1)M_1, and ∀j: 1 < j ≤ k, M_{j-1}[x_j)M_j. Given any transition batch sequence σ_M, we can define its firing count $w(\sigma_M) = \sum_{j=1}^{k} x_j$. A marking M' is said to be reachable from a marking M (denoted by M[σ_M)M') iff there exists a sequence σ_M such that M_k = M'. All the static properties and results derived in the previous section still hold when transition batches, together with their concession and enabling conditions, are substituted in the appropriate definitions.

In the initial marking of the net depicted in Fig. 1 only t1 is enabled (as already noted), but as many transition batches are enabled as the number of tokens in place p1, corresponding to a different number of instances of firing of transition t1. Since x_max = K · t1 has concession in M0, the enabling degree of transition t1 is in this case E_1(M0) = K. This example shows how transition batches can take the concurrency intrinsic in each transition (multiple enabling or reentrance of a transition) into account, but this is only a very simple type of concurrency. A different type of concurrency captured by the concept of transition batch is illustrated in Fig. 5. Here, transitions t2 and t3 become enabled concurrently after the firing of t1 so that transition batches t2, t3, and x = t2 + t3 are all enabled and any one of them can fire. This example shows that the composition of transition batches is determined by the concurrency inherent to the structure of the PN. Thus positive nonunitary transition batches represent the projection on the global state of the model of the result of concurrent transition firings.

In the case of confusion-free PN's, the choice of transition batches to be fired cannot alter the behavior of the model, since conflicts arise and are solved in the same way for any choice of transition batches. The model can thus be studied, for example, by firing maximal transition batches only, if this is convenient from an implementation point of view.
Fig. 5. Another example of Concurrency.

B. State Space

The initial marking, together with the net structure and the firing rule, define the state space of a PN model. The reachability set of a PN, denoted by RS(M0), is defined as the set comprising M0 together with all markings that can be reached from M0 itself by firing any legal transition batch sequence. The reachability set of a net may contain either a finite or an infinite number of markings. In the case of finite RS, positive integer constants can be determined that bound the maximum number of tokens in places. When the number of tokens in a place never exceeds the integer constant k, the place is said to be k bounded. A PN is said to be k bounded (or just "bounded") if all of its places are k bounded (for some finite number k). The reachability graph of a PN is defined as a labeled directed graph, whose set of nodes is the net RS, and whose set of arcs A represents all possible transition batch firing relations between pairs of marking.

where A ⊂ (RS(M0) × RS(M0) × Bags(T)) such that

(M_i, M_j, x_k) ∈ A iff M_i[x_k)M_j.

That is, an arc connecting M_i ∈ RS(M0) to M_j ∈ RS(M0) and labeled with the transition batch x_k represents then the firing relation M_i[x_k)M_j. Transition batch sequences can be interpreted as paths through the reachability graph of a PN. Transition t_l ∈ T is said to be live iff ∀M_i ∈ RS(M0) a path can be found in the reachability graph starting from M_i such that a marking M_j is reached in which [M_j, t_l). Conversely, transition t_l is said to be dead iff it is not enabled in any reachable marking. Usually, a PN model of a dynamic system comprising dead transitions is considered to be semantically incorrect (even though dead transitions may be used to define invariant assertions). A PN is said to be live iff all its transitions are live. A sufficient condition for a PN to be simultaneously live and bounded is that its reachability graph is strongly connected, provided that the net does not contain dead transitions (the condition is not necessary, as shown in an example in [36]). The reachability graph of a PN is strongly connected iff a path exists from each marking of the RS to reach the initial marking M0 (the initial marking is a home-state).

The net in Fig. 1 defines a reachability set comprising 161 markings, 31 of which enable priority 0 transitions, 85 enable priority 1 transitions, and 45 enable priority 2 transitions if concurrent (nonunitary batch) firing is allowed. If the firing is restricted to unitary transition batches, the reachability set contains only 80 markings: 31 that enable priority 0 transitions, 28 that enable priority 1 transitions, and 21 that enable priority 2 transitions. All the places are bounded by the constant K (which is 5 in this case), so that the net is said to be K (5) bounded. The reachability graph of the PN is strongly connected and no transition is dead, so that the net is live.

C. Reduced State Space

The priority structure defined on transitions can be used to partition the reachability set of a PN according to the priority level of the transitions enabled in the markings. In particular, for the analysis of GSPN's, it is convenient to consider the projection of the state space on the subset of states enabling only lower priority transitions. In general, we define a reduced reachability set at a given priority level π as

$$RRS_{\pi}(M_0) = \{\, M \in RS(M_0) \mid \forall t_i : [M, t_i),\ \pi_i \le \pi \,\}. \qquad (18)$$

As a shorthand, we use the symbol TRS to denote the set of (tangible) markings that enable only priority zero transitions (i.e., RRS_0(M0)). Similarly, we define the projection of the reachability graph on the subset of transitions of priority lower than a given threshold as

where A ⊂ (RRS_π(M0) × RRS_π(M0) × Bags(T) × Bags(T × 2^T)) such that (M_i, M_j, x, y) ∈ A iff

∀l: x_l > 0, π_l ≤ π and ∃n ∈ N, ∀1 ≤ k < n, M ~ [ Z ) M ( ~ and ) ∈ T, S(k) ∈ 2^T, M(k)

That is, an arc connecting M_i ∈ RRS_π(M0) to M_j ∈ RRS_π(M0) and labeled with bags x and y represents the firing of the transition batch x of priority π, possibly followed by the firing of a sequence of higher priority transitions. The information on the transitions enabled in the same conflict set of the higher priority transitions that fire is also maintained in order to capture the stochastic behavior of the net as defined as follows. In case of nonconfused PN's (see definition in Section III-H), the local information on the enabling of transitions in the same conflict set is shown to be sufficient. We adopt the special notation TRG to indicate RRG_0(M0), the tangible reachability graph of a PN, i.e., the projection of the PN reachability graph on priority zero transitions.
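The reachability set and the reduced reachability set defined above can be computed directly for a small priority net. The following Python sketch is an added example, not code from the paper: the three-transition net is constructed from the textual description of Figs. 2 and 4 (the arcs t1: p1 → p3, t2: p2 → p4, t3: p2 + p3 → p5 and the initial marking p1 + p2 are assumptions), firing is restricted to unitary batches, and all function names are illustrative.

```python
from collections import deque

# Constructed net following the text's description of Figs. 2 and 4 (assumed arcs):
# t1: p1 -> p3, t2: p2 -> p4, t3: p2 + p3 -> p5, initial marking p1 + p2.
PLACES = ("p1", "p2", "p3", "p4", "p5")
W_IN = {"t1": {"p1": 1}, "t2": {"p2": 1}, "t3": {"p2": 1, "p3": 1}}
W_OUT = {"t1": {"p3": 1}, "t2": {"p4": 1}, "t3": {"p5": 1}}
W_INH = {}  # inhibitor arcs: transition -> {place: weight}; none in this net
M0 = (1, 1, 0, 0, 0)
PRIO_FIG4 = {"t1": 0, "t2": 0, "t3": 0}  # all transitions at the same level
PRIO_FIG2 = {"t1": 0, "t2": 0, "t3": 1}  # t3 has higher priority


def has_concession(m, t):
    """Enough input tokens and every inhibition place below its arc weight."""
    mk = dict(zip(PLACES, m))
    inputs_ok = all(mk[p] >= w for p, w in W_IN[t].items())
    inhibitors_ok = all(mk[p] < w for p, w in W_INH.get(t, {}).items())
    return inputs_ok and inhibitors_ok


def enabled(m, prio):
    """Transitions with concession that no higher-priority transition preempts."""
    conc = [t for t in W_IN if has_concession(m, t)]
    top = max((prio[t] for t in conc), default=None)
    return sorted(t for t in conc if prio[t] == top)


def fire(m, t):
    """Marking reached by firing t once: M' = M + W+(t) - W-(t)."""
    mk = dict(zip(PLACES, m))
    for p, w in W_IN[t].items():
        mk[p] -= w
    for p, w in W_OUT[t].items():
        mk[p] += w
    return tuple(mk[p] for p in PLACES)


def reachability_graph(m0, prio):
    """Breadth-first search over unitary batches: {marking: {transition: successor}}."""
    graph, queue = {}, deque([m0])
    while queue:
        m = queue.popleft()
        if m not in graph:
            graph[m] = {t: fire(m, t) for t in enabled(m, prio)}
            queue.extend(graph[m].values())
    return graph


def reduced_rs(graph, prio, level):
    """RRS_level(M0): markings whose enabled transitions all have priority <= level."""
    return {m for m, succ in graph.items() if all(prio[t] <= level for t in succ)}


def choice_markings(graph):
    """Markings in which more than one transition is enabled."""
    return {m for m, succ in graph.items() if len(succ) > 1}


if __name__ == "__main__":
    for name, prio in (("Fig. 4", PRIO_FIG4), ("Fig. 2", PRIO_FIG2)):
        g = reachability_graph(M0, prio)
        print(name, len(g), sorted(reduced_rs(g, prio, 0)), sorted(choice_markings(g)))
```

With equal priorities a second choice appears only after t1 has fired, which is the confusion pattern of Section III-G; with t3 at the higher level the only choice is made in M0 and the marking reached by t1 drops out of RRS_0.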