Integrated Design and Process Technology, IDPT-2002. Printed in the United States of America, June 2002. © 2002 Society for Design and Process Science

Preserving Liveness with Rule-Based Refinement of Place/Transition Systems†

M. Urbášek, J. Padberg
Institute for Software Technology and Theoretical Computer Science, Technical University Berlin, Germany
E-mail: {urbasek, [email protected]}

† This work is part of the joint research project "DFG-Forschergruppe PETRINETZ-TECHNOLOGIE" between H. Weber (Coordinator), H. Ehrig (both Technical University Berlin) and W. Reisig (Humboldt-Universität zu Berlin), supported by the German Research Council (DFG).

ABSTRACT: The focus of this paper is to endow stepwise modification of nets with refinement that preserves liveness. Modification of nets uses rules that allow substituting subnets of the left-hand side by subnets of the right-hand side of the rule. Such rules are then restricted so that liveness is preserved. Rule-based modification is expressed in terms of spans of morphisms and two pushout constructions, and is thus in line with the so-called double-pushout approach to graph transformation. We then extend the span of morphisms by a collapsing morphism from the right-hand side to the left-hand side of the rule. As these morphisms respect liveness, the extended rules preserve liveness from left to right. Under adequate matches of the rule to a net the corresponding transformation preserves liveness as well.

I. INTRODUCTION

One of the main insights of the software industry in recent years is that software development is a continuous activity, and the less documented it is, the more costly it becomes. As the cost of software development is one of the main success factors of a product, the reduction and manageability of costs is crucial. One widely accepted strategy for reducing the cost of software development is stepwise refinement of the model: the model is enriched step by step, incorporating more detail, more functionality, exception handling, etc. This contribution is based on Petri nets, one of the formal specification techniques for describing the operational behavior of a system. Petri nets have a long and successful history and are by now widely used in various application domains. In this paper we employ one of the most basic Petri net formalisms, namely place/transition nets (see e.g. [Rei85]). We aim at a more powerful and descriptive technique for the refinement and stepwise development of place/transition nets. Place/transition nets themselves are not fully adequate for modeling systems in practice, but the basic ideas apply to high-level Petri nets as well.

Refinement of nets in a way that preserves liveness is one of the thoroughly investigated areas of Petri nets. In this paper we use the usual Petri net notion of liveness as e.g. in [Rei85], and not the notion of liveness properties used in temporal logic, e.g. [MP92], [Lam94]. Liveness is one of the most important concepts for describing the operational behavior of a net: it states that in a net every transition can become enabled again from every reachable marking, so no deadlock can occur. Nevertheless, the combination of liveness with stepwise modification of nets based on replacement rules has not been investigated yet. The basis of our formal technique is category theory, so we can employ morphisms and their structural properties; moreover we gain the basis for rule-based refinement in terms of the well-known double-pushout approach. Certain properties, such as safety conditions or, in this paper, liveness, can be either preserved or respected by morphisms. Preservation of properties means that properties of the source net of the morphism imply similar properties in the target net; morphisms respect properties in the complementary case. One of the main results of this paper is the characterization of a specific class of morphisms that respect liveness. Collapsing morphisms do so as they collapse live subnets to one transition; hence, if the target net is live, the source net can be deduced to be live as well. The second main result concerns the use of collapsing morphisms for obtaining transformations that preserve liveness. A related idea has been pursued in [DA92], where various reduction methods for ordinary nets have been proposed. These methods operate on the net structure and also preserve liveness, basically by shortening paths in the net; the analysis in this case is based on Petri net reduction. One disadvantage is that the whole Petri net has to be developed entirely, and only after the design of a Petri net is finished can the analysis start. Consequently, in case of faults the development has to be redone, which is quite costly as well.
In contrast to this approach we focus on rule-based transformations, which allow liveness to be propagated during the development of a net. Similar remarks hold for the reductions presented by other authors in [ES91], [Esp94], [CT90], [FWL88]. These authors also use reduction algorithms to decrease the size of a net: J. Esparza et al. [ES91], [Esp94] investigate the class of free-choice Petri nets; J. Favrel [FWL88] focuses on a class of colored Petri nets, building on earlier results for generalized Petri nets; in [CT90] a subclass of Petri nets called regular blocks is investigated. Work on liveness-preserving synthesis methods exists as well. For free-choice Petri nets, synthesis preserving liveness was described alongside the reduction methods by J. Esparza et al. [ES91], [Esp94]. Similar ideas, not only for place/transition nets, can be found in [BGV91], [Sou91]. In the area of workflow modeling the notion of soundness, which comprises liveness, has turned out to be of special importance. In a series of papers, see e.g. [vdA97], [vdA98], W.M.P. van der Aalst has stated important results concerning the composition of sound nets [vdA98]. These also comprise preservation and reflection of soundness, free-choice and other properties, but are formulated for ordinary nets only. Local replacement has been examined in [Des90] as well, as one of our referees pointed out. The refinement of algebraic Petri nets and its application to distributed systems has been investigated in [Peu01], but that work does not employ categorical constructions either. In these papers the synthesis and/or reduction rules are presented at a more intuitive level, and in some of them no results are available concerning confluence, side effects, or compatibility with structuring. Although our approach is close to these papers, the formalization and the net class make an important difference. We often employ similar constructions (like the completion of a net to a cycle, see e.g. [vdA97]), applied here to the class of marked place/transition nets. Moreover, we use a formal notion of rules for which e.g. compatibility with structuring is already available [EHKP91].

The paper is organized as follows: In Section II our approach is illustrated by the development of a small producer-consumer system. In Section III we state our first main theorem (Theorem 18: Collapsing Morphisms Respect Liveness) after introducing the corresponding notion of morphism. In order to employ these morphisms for rule-based refinement we extend the underlying theory in Section IV. Subsequently, our second main result is stated as Theorem 32 (Transformations via LP-Rules Preserve Liveness) in Section V. Section VI concludes the paper, followed by the references.

II. CASE STUDY

We illustrate our concept of liveness-preserving transformations with a Producers-Consumers system. Many variations of such systems occur in production lines and manufacturing processes. The Producers-Consumers system is a typical example of a system that is not bounded, so the main analysis questions concentrate on liveness: the analysis of liveness may reveal possible deadlocks in the behavior of the modeled system. A simple version of the Producers-Consumers system is shown in Figure 1. Two producing lines produce the two parts needed for the final product. The parts are then assembled and the product is delivered to the customer for consumption.

[Figure 1: Producers-Consumers system. Elements visible in the figure: Producer 1, Producer 2, Producing, arc weights 2, Assembling, Delivering, Consumer 1, Consumer 2, Consumer 3.]

[Figure 2: A rule for transition refinement. Left-hand side: Delivering; middle: interface; right-hand side: Packing & Delivering, containing Removal of an old protection, Preparation of a new cover, Delivering and the marked place Availability of the packing line.]

After the first abstract view of the system, designers usually focus on the details and refine the model, employing techniques of hierarchical decomposition. The focus is on methods that preserve the main properties of the modeled system. Here we are concerned with liveness preservation under refinement, and we concentrate on the special case of transition refinement, one of the basic refinement techniques. We show that transition refinement preserves liveness and, moreover, that this kind of refinement can be expressed as a rule-based transformation, so it can be applied automatically during the design of the system.

Figure 2 shows a transformation rule which refines the boldface transition on the left-hand side of the rule and replaces it by a more detailed description of the system's behavior on the right-hand side. The idea of a transformation is that the left-hand side subnet (here Delivering) is mapped to an existing Petri net. Then the image of this subnet is deleted from the Petri net, except for the interface (the middle part of the rule, also called the gluing object). Finally the right-hand side (Packing & Delivering) is glued to the interface, which remains unchanged. In our example the refinement step splits the delivering phase into two phases: a packing phase and the delivery proper. Packing involves two parallel subprocesses. At any moment exactly one product can be in the packing line; this condition is modeled by the marked place Availability of the packing line. When
we refine the boldface transitions of Figure 1 accordingly, we obtain the system of Figure 3. Three transitions of the system were replaced according to the rule for transition refinement. This approach is often used in hierarchical decomposition. Note that one rule can be applied several times (here three times); this is one of the main advantages of the rule-based approach. The transformation is fully local, so its application does not depend on the other parts of the net.

[Figure 3: Refined structure of the Producers-Consumers system. Elements visible in the figure: Producer 1, Producer 2, Producing, arc weights 2, Assembling, Packing & Delivering, Consumer 1, Consumer 2, Consumer 3.]

Both nets in Figures 1 and 3 are live in the sense that every transition can become enabled from any reachable marking of the net. Liveness of the abstract Producers-Consumers system has to be proven by standard techniques. Liveness of the refined system in Figure 3 can then be deduced easily from Theorems 18 and 32: there is a collapsing morphism from the right-hand side to the left-hand side of the rule in Figure 2, which respects liveness by Theorem 18. This liveness-respecting morphism on the level of the rule is propagated to the level of the derivation by Theorem 32. Consequently the performed transformation does not change the liveness of the net. We also show that this concept can be treated categorically. The use of liveness-preserving transformations guarantees that the refined system is live if the original system was.

III. LIVENESS RESPECTING MORPHISMS

In this section we first define abstracting morphisms and subsequently those that collapse subnets into one transition. In Section III-C we investigate the relationship between the behavior of the source net, the collapsing subnet and the behavior of the target net. This is the basis for showing that collapsing morphisms respect liveness.

A. Preliminaries

First we give a short intuition of the underlying basics; the precise definitions can be found in [GPU01]. We use the algebraic notion of place/transition nets introduced in [MM90]. A place/transition system $N = (T \xrightarrow{pre,\, post} P^\oplus, \hat m)$ is given by a set $T$ of transitions, a set $P$ of places, and the pre- and post-domain functions $pre, post : T \to P^\oplus$, where $P^\oplus$ is the free commutative monoid over $P$, i.e. the set of finite multisets over $P$. Markings are elements of $P^\oplus$; in particular $\hat m$ is the initial marking. The category $\mathbf{PTSys}$ of place/transition systems has net homomorphisms (also called plain morphisms) as morphisms; they consist of two functions $f = (f_T, f_P)$. Elements of the free commutative monoid over $P$ are mostly written as finite linear sums, and we use the operations on multisets (sum $\oplus$, difference $\ominus$, comparison, etc.) extended accordingly. Moreover we need to state how often a basic element occurs within an element of the free commutative monoid: for $p \in P$ and $w \in P^\oplus$, $w|_p$ denotes the number of occurrences of $p$ in $w$. This is extended to subsets $P' \subseteq P$: $w|_{P'}$ is the restriction of $w$ to $P'$, i.e. $w = w' \oplus w''$ with $w' \in (P \setminus P')^\oplus$, $w'' \in P'^\oplus$ and $w|_{P'} = w''$. The notations $^\bullet e$ and $e^\bullet$ stand for the sets of input and output elements of an element $e$ (transition or place) of a net. For the firing of Petri nets we use the usual notation: $m[t\rangle$ means that marking $m$ enables transition $t$, and $m[t\rangle m'$ denotes the firing of $t$ under $m$ yielding the marking $m'$. The set of markings reachable from $m$ is $[m\rangle$. Paths of firing steps are denoted by arrows with the following meanings: $m \to m'$ stands for an arbitrary, possibly empty, sequence of firing steps from $m$ to $m'$, and $m \xrightarrow{t_1, \dots, t_n} m'$ for firing steps using the transitions $t_1, \dots, t_n$.
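The firing notation just introduced, as an added example that is not part of the paper: a small Python model of a place/transition system in which markings and pre/post-domains are multisets over places, with the firing rule $m[t\rangle m'$, the reachable set $[m\rangle$ computed explicitly, and liveness in the sense of [Rei85] checked on the finite reachability graph. It also checks, ahead of Definition 4 in Section III-B, whether a closed net is a live in-out cycle with a given guarding place. The net `PACKING` is a constructed reading of the right-hand side of Figure 2 with its interface places removed; all place and transition names are assumptions, and the check aborts rather than loop on an unbounded net such as the full Producers-Consumers system.

```python
from collections import Counter, deque

# Added example (not the paper's code).  A net maps each transition to
# (pre, post), both multisets over places written as dicts; a marking is a
# multiset over places as well.  PACKING is a constructed reading of the
# right-hand side of Figure 2 without its interface places; the names are
# assumptions.
PACKING = {
    "remove_protection": ({"availability": 1},
                          {"protection_removed": 1, "cover_pending": 1}),
    "prepare_cover":     ({"cover_pending": 1}, {"cover_ready": 1}),
    "deliver":           ({"protection_removed": 1, "cover_ready": 1},
                          {"availability": 1}),
}
INITIAL = {"availability": 1}

def enabled(net, m, t):
    """m[t> : every place in pre(t) carries at least pre(t)|p tokens."""
    return all(m.get(p, 0) >= n for p, n in net[t][0].items())

def fire(net, m, t):
    """m[t>m' : m' = m (-) pre(t) (+) post(t), returned as a hashable marking."""
    pre, post = net[t]
    m2 = Counter(m)
    m2.subtract(pre)
    m2.update(post)
    return frozenset((p, n) for p, n in m2.items() if n > 0)

def reachability_graph(net, m0, max_states=10_000):
    """[m0> as a graph marking -> [(t, successor)].  Aborts on a state space
    larger than max_states, which is what an unbounded net produces."""
    start = frozenset((p, n) for p, n in m0.items() if n > 0)
    succ, queue = {start: []}, deque([start])
    while queue:
        m = queue.popleft()
        for t in net:
            if enabled(net, dict(m), t):
                m2 = fire(net, dict(m), t)
                succ[m].append((t, m2))
                if m2 not in succ:
                    if len(succ) >= max_states:
                        raise RuntimeError("state space too large; net may be unbounded")
                    succ[m2] = []
                    queue.append(m2)
    return succ

def is_live(net, m0):
    """Every transition can become enabled again from every reachable marking:
    backward reachability from the markings enabling t must cover the graph."""
    graph = reachability_graph(net, m0)
    pred = {m: [] for m in graph}
    for m, edges in graph.items():
        for _, m2 in edges:
            pred[m2].append(m)
    for t in net:
        seen = {m for m in graph if enabled(net, dict(m), t)}
        stack = list(seen)
        while stack:
            for p in pred[stack.pop()]:
                if p not in seen:
                    seen.add(p)
                    stack.append(p)
        if len(seen) != len(graph):
            return False   # some reachable marking can never enable t again
    return True

def bound(net, m0, place):
    """Largest token count the place ever carries (1 means it is safe)."""
    return max(dict(m).get(place, 0) for m in reachability_graph(net, m0))

def is_live_in_out_cycle(net, m0, guard):
    """Definition 4 for a closed net with guarding place `guard`: in-transitions
    consume exactly one token from it, out-transitions produce exactly one, it
    is marked once initially, the net is live and the guard stays safe."""
    t_in = {t for t, (pre, _) in net.items() if guard in pre}
    t_out = {t for t, (_, post) in net.items() if guard in post}
    weights_ok = all(net[t][0][guard] == 1 for t in t_in) and \
                 all(net[t][1][guard] == 1 for t in t_out)
    return (bool(t_in) and bool(t_out) and weights_ok and m0.get(guard, 0) == 1
            and is_live(net, m0) and bound(net, m0, guard) == 1)

if __name__ == "__main__":
    print(is_live_in_out_cycle(PACKING, INITIAL, "availability"))   # True
    # A broken variant: delivering now needs two prepared covers, so the
    # first run ends in a dead marking and liveness fails.
    broken = dict(PACKING)
    broken["deliver"] = ({"protection_removed": 1, "cover_ready": 2}, {"availability": 1})
    print(is_live(broken, INITIAL))                                   # False
```

The liveness check is the textbook one for bounded nets: with the reachability graph in hand, a transition is live exactly when the markings enabling it are backward-reachable from every node. The broken variant shows the kind of defect the paper's refinement discipline is meant to rule out: a single arc weight turns a cycle into a net that dies after one run, which no structural inspection of the rule alone would reveal without a liveness argument for the right-hand side.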
B. Abstracting and Collapsing Morphisms

First we introduce abstracting morphisms. They allow abstracting transitions and places onto a single transition. In this sense they are related to the vicinity respecting morphisms of [DM90], but generalized here to marked place/transition nets. Abstracting morphisms are the basis for collapsing morphisms, which abstract live subnets to a single transition and hence respect liveness of the target net.

Definition 1 (Abstracting Morphism)
Given two place/transition nets $N_i = (T_i \xrightarrow{pre_i,\, post_i} P_i^\oplus, \hat m_i)$ for $i = 1, 2$. An abstracting morphism $f : N_1 \to N_2$ is given by $f = (f_T, f_P)$ with functions $f_T : T_1 \to T_2$ and $f_P : P_1 \to (T_2 \uplus P_2)$ such that the following conditions are satisfied, where $pr : (T_2 \uplus P_2)^\oplus \to P_2^\oplus$ is the corresponding projection and each condition on the pre-domain holds analogously for the post-domain:
1. for all $t \in T_1$ we have $f_P(^\bullet t) = \{f_T(t)\}$ or $pr \circ f_P \circ pre_1(t) = pre_2(f_T(t))$;
2. for all $t_2 \in f_T(T_1)$ there is $t_{in} \in T_1$ with $f_T(t_{in}) = t_2$ and $pr \circ f_P \circ pre_1(t_{in}) = pre_2(t_2)$;
3. for all $p \in P_1$ with $f_P(p) \in P_2$ we have $\hat m_1|_p = \hat m_2|_{f_P(p)}$ (marking strict);
4. for all $p \in P_1$ with $f_P(p) \in T_2$ we have $f_T(^\bullet p) = \{f_P(p)\}$ and $f_T(p^\bullet) = \{f_P(p)\}$. □

Remark 2 (Monotonicity of $\overline{f_P}$)
Note that $\overline{f_P} := pr \circ f_P$ is monotonous and compatible with $\oplus$, as is $f_P$. □

In order to capture what has been abstracted away by an abstracting morphism, we define the collapsing subnet $subst$. In a limited sense it can be considered the reverse of an abstracting morphism.

Definition 3 (Collapsing Subnet)
Given an abstracting morphism $f : N_1 \to N_2$, we have for all transitions $t \in T_2$ the collapsing subnet $subst_f(t) = (\tilde T^{t,f} \xrightarrow{\widetilde{pre}^{t,f},\, \widetilde{post}^{t,f}} (\tilde P^{t,f})^\oplus, \tilde m^t) \subseteq N_1$ with
- $\tilde P^{t,f} = \{p_1 \in P_1 \mid f_P(p_1) = t\}$, all places mapped to $t$;
- $\tilde T^{t,f} = \{t_1 \in T_1 \mid f_T(t_1) = t\}$, all transitions mapped to $t$;
- $\widetilde{pre}^{t,f}(t_1) = pre_1(t_1)|_{\tilde P^{t,f}}$ for all $t_1 \in \tilde T^{t,f}$, the pre-domain restricted to the collapsing places, and $\widetilde{post}^{t,f}$ defined analogously;
- $\tilde m^t = \hat m_1|_{\tilde P^{t,f}}$.
Moreover, we define the sets $S_f \subseteq T_2$ with $S_f = \{t \mid \tilde P^{t,f} \neq \emptyset\}$, $\tilde T_f \subseteq T_1$ with $\tilde T_f = \bigcup_{t \in S_f} \tilde T^{t,f}$, and $\tilde P_f \subseteq P_1$ with $\tilde P_f = \bigcup_{t \in S_f} \tilde P^{t,f}$. We omit the superscripts $(\,)^{t,f}$ and $(\,)^f$ if unambiguous. □

Live in-out cycles describe those subnets that are live and equipped with a guarding place. The guarding place ensures that each run within the subnet has to be completed before it may run again.

Definition 4 (Live In-Out Cycle)
Given a place/transition net $N = (T \xrightarrow{pre,\, post} P^\oplus, \hat m)$. We call $N$ a live in-out cycle if the following conditions hold:
1. there are two distinguished subsets $T_{in}$ and $T_{out}$ of $T$, called the set of in-transitions and the set of out-transitions of $N$, and a place in $P$, called the guarding place, which is in the pre-domain of all in-transitions $t_i \in T_{in}$ and in the post-domain of all out-transitions $t_o \in T_{out}$, such that $pre(t)$ restricted to the guarding place is $1$ for $t \in T_{in}$ and $0$ for $t \notin T_{in}$, and $post(t)$ restricted to the guarding place is $1$ for $t \in T_{out}$ and $0$ for $t \notin T_{out}$;
2. the guarding place carries exactly one token in $\hat m$;
3. $N$ is live;
4. the guarding place is safe (1-bounded). □

Remark 5 (Behavior of the Live In-Out Cycle)
The role of the guarding place is twofold. On the one hand it establishes the cycle, because of condition 1; in this sense it is crucial for the liveness required in condition 3. On the other hand it implements a mutual exclusion of the in-transitions, including the prevention of parallel firing of one transition with itself. With respect to the number of tokens on the guarding place, the evolution of a live in-out cycle can be expressed by a finite automaton whose states are the number of tokens residing on the guarding place:
- state 1: firing $t \notin T_{in}$ or $t \in T_{in} \cap T_{out}$ stays in state 1; firing $t \in T_{in} \setminus T_{out}$ leads to state 0;
- state 0: firing $t \notin T_{out}$ stays in state 0; firing $t \in T_{out} \setminus T_{in}$ leads to state 1.
By definition, state 1 is the initial state. From the behavior of this automaton one can infer an important property of every live in-out cycle: the firing of one of the in-transitions alternates (sooner or later) with the firing of one of the out-transitions. □

Definition 6 (Collapsing Morphism)
A collapsing morphism $f : N_1 \to N_2$ is an abstracting morphism which additionally satisfies the following conditions:
1. $f_T$ is surjective and $f_P$ is quasi-surjective, i.e. the restriction $f_P : P_1 \setminus \tilde P \to P_2$ is surjective;
2. $f_T$ and $f_P$ are quasi-injective, i.e. for all $t, t' \in T_1 \setminus \tilde T$ we have $f_T(t) = f_T(t')$ implies $t = t'$, and for all $p, p' \in P_1 \setminus \tilde P$ we have $f_P(p) = f_P(p')$ implies $p = p'$;
3. for all $t \in S$ the following holds: $subst_f(t)$ is a live in-out cycle whose guarding place lies in $\tilde P^t$, and it is connected to the rest of $N_1$ only via its in- and out-transitions, formally
 (a) for all $t_i \in T_{in} \subseteq \tilde T^t$: $pre_2(t) = \overline{f_P}(pre_1(t_i))$, where the guarding place, being mapped to $t$, is dropped by the projection;
 (b) for all $t_o \in T_{out} \subseteq \tilde T^t$: $post_2(t) = \overline{f_P}(post_1(t_o))$;
 (c) for all $t_s \in \tilde T^t \setminus T_{in}$: $^\bullet t_s \subseteq \tilde P^t$;
 (d) for all $t_s \in \tilde T^t \setminus T_{out}$: $t_s^\bullet \subseteq \tilde P^t$. □

Remark 7 (Quasi-Bijectivity)
Quasi-surjective and quasi-injective functions are called quasi-bijective: $f_T : T_1 \setminus \tilde T \to T_2 \setminus S$ is bijective and $f_P : P_1 \setminus \tilde P \to P_2$ is bijective. □

The pre-domain of each collapsing subnet $subst_f(t)$ is the pre-domain of its in-transitions without the guarding place. Similarly, the post-domain is based on the out-transitions.

Definition 8 (Pre- and Post-Domain of Collapsing Subnets)
Given a collapsing subnet $subst_f(t)$ for $t \in S \subseteq T_2$ of a collapsing morphism $f : N_1 \to N_2$, we define
1. $\overline{pre}^{\,t} := pre_1(t_i)|_{(P_1 \setminus \tilde P)}$ for some $t_i \in T_{in} \subseteq \tilde T^t$;
2. $\overline{post}^{\,t} := post_1(t_o)|_{(P_1 \setminus \tilde P)}$ for some $t_o \in T_{out} \subseteq \tilde T^t$. □

$\overline{pre}^{\,t}$ and $\overline{post}^{\,t}$ are well defined due to items 3(a) and 3(b) of Definition 6. Note that $\overline{f_P}(\overline{pre}^{\,t}) = pre_2(t)$ and $\overline{f_P}(\overline{post}^{\,t}) = post_2(t)$.

C. Collapsing Morphisms Respect Liveness

In this subsection we mainly treat the way a collapsing morphism maps firing steps, and we conclude that it respects and preserves reachability in specific ways. Lemma 9 concerns the relation between paths in a collapsing subnet and subpaths in the supernet $N_1$. Due to the guarding place in $\tilde P$, any path in the subnet fires in-transitions and out-transitions alternately: $\tilde m \xrightarrow{\dots, t_{in}, \dots, t_{out}, \dots, t_{in}, \dots} \tilde m'$. For each subpath starting with an in-transition there is a corresponding subpath in $N_1$ that additionally needs tokens on the pre-domain $\overline{pre}$ of the collapsing subnet and additionally yields tokens on its post-domain $\overline{post}$. This leads to our first main result: collapsing morphisms respect liveness.

Lemma 9 (Paths through Collapsing Subnets)
Given a path $\tilde m \to \tilde m'$ in $subst_f(t)$ for some collapsing morphism $f : N_1 \to N_2$, with $\tilde m \to \tilde m' = \tilde m [t_1\rangle \dots [t_n\rangle \tilde m'$, let $\lambda = max(\tilde m \to \tilde m', T_{in}) := |\{k \mid t_k \in T_{in},\ 1 \leq k \leq n\}|$ be the number of in-transitions fired along the path. Then there are the following subpaths:
1. $\tilde m \to \tilde m_0$ in $subst_f(t)$, not firing an in-transition, so that in $N_1$ there is a firing path $\tilde m \to \tilde m_0 \oplus m_R$ where $m_R = \emptyset$ or $m_R = \overline{post}$;
2. $\tilde m_{j-1} \to \tilde m_j$ in $subst_f(t)$ for $1 \leq j \leq \lambda - 1$, each starting with an in-transition, so that in $N_1$ there are firing paths $\tilde m_{j-1} \oplus \overline{pre} \to \tilde m_j \oplus \overline{post}$;
3. $\tilde m_{\lambda-1} \to \tilde m_\lambda = \tilde m'$ in $subst_f(t)$, so that in $N_1$ there is a firing path $\tilde m_{\lambda-1} \oplus \overline{pre} \to \tilde m' \oplus m_R$ where $m_R = \emptyset$ or $m_R = \overline{post}$.
Moreover, for each subpath of the second kind we have $\overline{f_P}(\tilde m_{j-1} \oplus \overline{pre}) [t\rangle \overline{f_P}(\tilde m_j \oplus \overline{post})$ in the net $N_2$.
The proof can be found in [GPU01]. □

The next lemma describes the partitioning of reachable markings in $N_1$. This partition depends on whether the guarding places of the collapsing subnets are marked or not.

Lemma 10 (Markings in $N_1$)
Given a collapsing morphism $f : N_1 \to N_2$, we define for each reachable marking $m_1$ of the net $N_1$ the set $\bar S := \{t \in S \mid m_1 \text{ restricted to the guarding place of } subst_f(t) \text{ is } 0\} \subseteq T_2$ of involved collapsing subnets. Then each reachable marking $m_1$ of $N_1$ has the following form:
1. For $\bar S = \emptyset$: $m_1 = m_1^O \oplus \tilde m_1$ with
 (a) $m_1^O \in (P_1 \setminus \tilde P)^\oplus$,
 (b) $\tilde m_1 \in \tilde P^\oplus$ with $\tilde m_1 = \bigoplus_{t \in S} \tilde m_1^t$, so that $\tilde m_1^t \in [\tilde m^t\rangle$ and the guarding place of $subst_f(t)$ carries one token in $\tilde m_1^t$.
2. For $\bar S \neq \emptyset$: $m_1 = m_1^O \ominus \overline{pre}_{\bar S} \oplus \tilde m_1$ with
 (a) $m_1^O \in (P_1 \setminus \tilde P)^\oplus$,
 (b) $\overline{pre}_{\bar S} = \bigoplus_{t \in \bar S} \overline{pre}^{\,t}$,
 (c) $\tilde m_1 \in \tilde P^\oplus$ with $\tilde m_1 = \bigoplus_{t \in S} \tilde m_1^t$, so that $\tilde m_1^t \in [\tilde m^t\rangle$ and the guarding place of $subst_f(t)$ carries one token in $\tilde m_1^t$ for $t \in S \setminus \bar S$ and no token for $t \in \bar S$.
The proof is given in [GPU01]. □

Remark 11 (Markings in $N_1$)
$m_1^O$ describes the part of a marking where tokens are on places that are mapped quasi-bijectively. $\tilde m_1$ describes the part where tokens are on places collapsing into one transition; moreover, firing steps may already have taken place in that subnet, as in item 2. $\overline{pre}_{\bar S}$ describes the pre-domains of the collapsing subnets in $\bar S$ whose tokens are already used up while there are not yet tokens in the post-domain of the subnet (hence the guarding place is not marked). Note that item 1 is a special case of item 2; due to its importance in the following it is stated separately. □

Corollary 12 (Preservation of Initial Marking)
For the initial marking we have $\hat m_1 = m_1^O \oplus \tilde m$ with
1. $m_1^O \in (P_1 \setminus \tilde P)^\oplus$ and $\overline{f_P}(m_1^O) = \hat m_2$,
2. $\tilde m = \bigoplus_{t \in S} \tilde m^t$.
Proof: due to Lemma 10, item 1, and as collapsing morphisms are quasi-bijective. □

The next lemma states the following fact: for any marking that has been reached within the collapsing subnets $\bar S$ using their pre-domains, there is a marking of the net $N_1$ that comprises the subnets' post-domains.

Lemma 13 (Completion of Paths through Collapsing Subnets)
Given a collapsing morphism $f : N_1 \to N_2$, reachable markings of the net $N_1$ with $m_1 = m_1^O \ominus \overline{pre}_{\bar S} \oplus \tilde m_1$ (as in Lemma 10) can be completed in the following way: $m_0 \to m_1 \to m_1'$ with
 $m_0 = m_1^O \oplus \tilde m_0$,
 $m_1' = m_1^O \ominus \overline{pre}_{\bar S} \oplus \overline{post}_{\bar S} \oplus \tilde m_1'$.
Moreover, in the net $N_2$ we have $\overline{f_P}(m_0) [\bigoplus_{t \in \bar S} t\rangle \overline{f_P}(m_1')$, so that for $m_0 \xrightarrow{t_1, \dots, t_n} m_1'$ holds $f_T(t_k) \in \bar S$ for $1 \leq k \leq n$.
The proof is given as well in [GPU01]. □

The following lemma states that for a firing step of the net $N_1$ there is a path through a collapsing subnet including the given firing step, and that this path is preserved either by an empty step, by a direct step, or by a path.

Lemma 14 (Collapsing Morphisms Preserve Firing (Weakly))
Given $m_1 [t_1\rangle m_1'$ in $N_1$ with $m_1 \in [\hat m_1\rangle$. Then there is some path $m \to m_1 [t_1\rangle m_1' \to m'$ containing $t_1$ so that
 $\overline{f_P}(m) = \overline{f_P}(m')$, or
 $\overline{f_P}(m) [f_T(t_1)\rangle \overline{f_P}(m')$, or
 $\overline{f_P}(m) [\bigoplus_i f_T(t_i)\rangle \overline{f_P}(m')$ with $t_1 = t_i$ for some $i$.
Proof – see [GPU01]. □

Corollary 15 (Collapsing Morphisms Preserve Reachability)
Given $m_1 \in [\hat m_1\rangle$ then we have $\overline{f_P}(m_1) \in [\hat m_2\rangle$, or $m_1 \to m_1'$ with $\overline{f_P}(m_1') \in [\hat m_2\rangle$.
Proof by induction using Lemma 14 and Corollary 12. □

The following lemma states that a firing step of the net $N_2$ is respected either directly or by a path. In the second case there is a path through a collapsing subnet in $N_1$ that represents the firing of the substituted transition in $N_2$.

Lemma 16 (Collapsing Morphisms Respect Firing (Weakly))
Given $m_2 [t_2\rangle m_2'$ in $N_2$ then there is $m_1 \xrightarrow{t_1, \dots, t_n} m_1'$ in $N_1$ with $\overline{f_P}(m_1) = m_2$, $\overline{f_P}(m_1') = m_2'$ and $f_T(t_k) = t_2$ for $1 \leq k \leq n$.
Proof – see [GPU01]. □

Corollary 17 (Collapsing Morphisms Respect Reachability)
Given $m_2 \in [\hat m_2\rangle$ then there is $m_1 \in [\hat m_1\rangle$ with $\overline{f_P}(m_1) = m_2$.
Proof by induction using Lemma 16 and Corollary 12. □

We now achieve one of our main results: collapsing morphisms respect liveness. This means that for a collapsing morphism $f : N_1 \to N_2$ we have the following implication: if $N_2$ is live then $N_1$ is live as well.

Theorem 18 (Collapsing Morphisms Respect Liveness)
Given a collapsing morphism $f : N_1 \to N_2$ and let $N_2$ be live, then $N_1$ is live as well.
The proof – see [GPU01]. □

IV. REVIEW AND EXTENSION OF THE Q-THEORY

In this section we mainly review the notions introduced for high-level replacement systems [EHKP91] and their extension to Q-morphisms [Pad99]. We extend the theory of Q-transformations slightly in order to include certain compatibility restrictions.

A. Basic Ideas of High-Level Replacement Systems
Here we just give the basic definitions. The underlying assumptions and conditions can be found in e.g. [EHKP91], [Pad99], [GPU01]. A rule consists of a deleting part L, an adding part R, and an l r interface K . The rule p is given by p = (L K ! R) where l and r are morphisms. These morphisms belong to a distinguished class M of morphisms in the category . By application of the rule those part of the net L are deleted which are not in the image of the morphism l : K ! L. In general terms, the ‘difference’ between L and K is deleted. Adding works symmetrically: all those parts of R are added which are not in the image of the morphism r : K ! R. p The transformation from object G to object H , G =) H is
CAT
7
defined using two pushouts (1) and (2) in the diagram given in the Definition 19. The rule p is applied to the net G via an occurrence morphism m : L ! G. The deletion step is expressed by the construction of a net C , called context net or pushout complement. C is given together with morphisms k : K ! C and g : C ! G so that the square (1) is a pushout. In fact, the occurrence morphism m has to satisfy a specific condition, called gluing condition. This condition ensures that the deletion step yields a well-defined context net C . Otherwise the rule cannot be applied with occurrence m. Once we have the context net C with k : K ! C the addition is achieved by the construction of the pushout (2). Definition 19 (Rules and Transformations) l r A rule p = (L K ! R) in consists of the objects L, K and R, called left-hand side, interface (or gluing object), and right-hand side, respectively, and two l r morphisms K ! L and K ! R with both morphisms l; r 2 M, a distinguished class of morphisms in . l r Given a rule p = (L K ! R) a direct transformation p G =) H from a place/transition net G to a place/transition net H is given by two pushout diagrams (1) and (2) in the as shown below. category
CAT
CAT
CAT
L
oo
m
l (1)
G oo
g
K
k
C
r
// R
h
Q-morphisms, or re-
2. Then we have the following Q-conditions: Closedness: Q has to be closed under composition. Preservation of Pushouts: The inclusion functor I : ! 0 preserves pushouts, that is, f0 g f g given C ! D B a pushout of B A ! C 0 0 I (f ) I (g ) in , then I (C ) ! I (D) I (B ) is a pushout I (f ) I (g) of I (B ) I (A) ! I (C ) in .
CAT
QCAT
CAT
QCAT
Inheritance of Q-morphisms under Pushouts: The class Q in is closed under the construction of pushouts in for the class Of of occurrences with respect to f . That means, given f0 g0 f g C ! D B a pushout of B A ! C in , then f 2 Q and g 2 Of implies f 0 2 Q.
QCAT QCAT
QCAT
Inheritance of Q-morphisms under Coproducts: The class Q in is closed under the construction f of coproducts in , that is, for A ! B and 0 f A0 ! B 0 we have f; f 0 2 Q =) f + f 0 2 Q f +f 0 provided the coproduct A + A0 ! B + B 0 of f and f 0 exists in .
QCAT QCAT
2
// H
m n The morphisms L ! G and R ! H are called occurrences of L in G and R in H , respectively. By an l r occurrence of the rule p = (L K ! R) in a place/transition net G we mean an occurrence of the lefthand side L in G. A transformation sequence G =) H , succinctly transformation, between objects G and H means G is isomorphic to H or there is a sequence of n 1 direct transformations: p1 p2 pn G = G0 =) G1 =) : : : =) Gn = H 2
B. Rule-Based Refinement The main idea in the following definition is to enlarge the given HLR-category in order to include morphisms, that are adequate for refinement. The Q-conditions [Pad99] state additional requirements that an HLR-category has to satisfy for the extension to refinement morphisms. Here we have extended these conditions by a class Of of adequate occurrence morphisms with respect to some refinement morphism f 2 Q. Definition 20 (Q-Conditions) Let be a category, so that is a subcategory and Q a class of morphisms in . Moreover, in let O = (Of )f 2Q be the indexed
QCAT CAT QCAT QCAT
1. The morphisms in Q are called finement morphisms.
QCAT
n
(2)
class of adequate occurrence morphisms with respect to some refinement morphism f 2 Q.
CAT
QCAT
The subsequent definition uses Q-morphisms for rules that then lead to transformations preserving system properties. Definition 21 (Respecting Q-Rules) A respecting Q-rule (p; q ) is given by a rule l r p = (L K ! R) in (see above) and a Q-morphism q : R ! L, so that q Æ r = l in . 2
CAT
QCAT
The next lemma states that Q-morphisms are preserved by transformations provided that an adequate occurrence has been chosen. This is the formal basis to preserve system properties . If morphisms in the class Q respect properties , then the corresponding Q-transformations preserve properties .
P
P P
QCAT
Lemma 22 (Induced Q-Transformations in [Pad99]) Let the Q-conditions (see Definition 20) be satisfied. Given p a respecting Q-rule (p; q ) and a transformation G =) H f with the occurrence n 2 O in defined by the pushouts (1) and (2), then there is a unique q 0 2 Q, such that q 0 Æ h = g and q 0 Æ n = m Æ q in . The transfor(p;q 0 ) p 0 mation (G =) H; q : H ! G), or G =) H for short, is called Q-transformation.
CAT QCAT
8
The class O = (Of )f 2Q of morphisms is given by f consistent morphisms. 2
q L
wwoo
l K m (1) k g G oogg C
// r R n (2) h // H
Remark 26 (Surjectivity) Surjectivity here assures that the environment of places and transitions of a live in-out cycle does not change. It arises from the above condition together with f 0 being a plain morphism. 2
q0
q0 m n Moreover, L ! G H is the pushout of H q R ! L in . If morphisms in Q respect some property then we have the following : G j= implies H j=
QCAT
P
P
P
V. L IVENESS P RESERVING T RANSFORMATIONS In this section we show that collapsing morphisms are preserved under rule-based transformation of place/transition systems. We employ the theory of the Q-transformation as given in Section IV-B. We therefore employ the category (Definition 23) with abstracting morphisms and two further classes of morphisms, the class Q of collapsing morphisms as defined in the Definition 24 and the class O of f -consistent morphisms as in the Definition 25. Subsequently, we prove the Q-conditions given in the Definition 20. These lemmas lead to the important result: Liveness is preserved by rule-based transformation as stated in Theorem 32.
QPTSys
QPTSys
Definition 23 (Category ) The category is given by place/transition systems as objects and abstracting morphisms as in the Defini2 tion 1.
QPTSys
Definition 24 (Class Q) The class Q is given by collapsing morphisms as in the Definition 6. 2 Definition 25 (f -consistent Morphism and O) Given a collapsing morphism f : N1 ! N2 and correspondingly sets Pf P1 and Tf T1 of places and transitions which are part of some live in-out circle in N1 which is collapsed by f . A plain morphism f 0 : N1 ! N3 is called f -consistent if the following condition holds: f 0 is bijective on f -collapsed places and f -collapsed transitions: Injectivity: For f -collapsed places p1 6= p2 2 Pf we have fP0 (p1 ) 6= fP0 (p2 ) and analogously for f -collapsed transitions t1 6= t2 2 Tf . Surjectivity: For any f -collapsed place p1 2 Pf we have pre d3 (fP0 (p1 )) = fT0 (pre d1 (p1 )) and analogously d. for post The set of all f -consistent morphisms is denoted Of .
In the remainder of this section we summarize several lemmas which together yield Theorem 32, the main result of this paper. Proofs are omitted; all proofs are fully elaborated in [GPU01].
Lemma 27 (Preservation of $\mathbf{QPTSys}$-Pushouts) The inclusion functor $I : \mathbf{PTSys} \to \mathbf{QPTSys}$ preserves pushouts.
Proof – see [GPU01].
Lemma 28 (Preservation of $\mathcal{Q}$ under Pushouts) Given a pushout $N_2 \xrightarrow{g'} N_3 \xleftarrow{g} N_1$ of $N_2 \xleftarrow{f'} N_0 \xrightarrow{f} N_1$, where $f$ is a collapsing morphism and $f'$ is $f$-consistent as defined in Definition 25. Then $g' : N_2 \to N_3$ is a collapsing morphism.
Proof – see [GPU01].
Lemma 29 (Preservation of $\mathcal{Q}$ under Coproducts) Given two collapsing morphisms $f_1 : N_1 \to N_1'$ and $f_2 : N_2 \to N_2'$ and a coproduct $N_1 + N_2$. Then $f_1 + f_2 : N_1 + N_2 \to N_1' + N_2'$ is a collapsing morphism.
Proof – see [GPU01].

Lemma 30 (Closedness of $\mathcal{Q}$) Given two collapsing morphisms $f : N_1 \to N_2$ and $g : N_2 \to N_3$. Then also $g \circ f : N_1 \to N_3$ is a collapsing morphism.
Proof – see [GPU01].
Definition 31 (LP-Rule) A pair $(p, f)$ is called an lp-rule if $p : L \xleftarrow{l} K \xrightarrow{r} R$ is a rule and $f : R \to L$ is a collapsing morphism with $f \circ r = l$.
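The conditions of Definition 25 and Definition 31 are mechanical enough to check by program. The following Python is an added example, not code from the paper or from [GPU01]: it encodes small place/transition nets and net morphisms, checks the injectivity and environment conditions of Definition 25 for a candidate occurrence of $R$, checks the equation $f \circ r = l$ of Definition 31 by composing the maps, and adds a brute-force liveness check for bounded nets of the kind Theorem 32 spares the developer from repeating after each step. Beyond what the paper states it assumes arc weight 1, finite and bounded nets, and that the hat pre-set $\widehat{\mathit{pre}}(p)$ of a place is the set of transitions producing into $p$ (the hat post-set: transitions consuming from $p$); since Definition 25 requires both to be preserved, which of the two is called "pre" does not affect the check. The sets $P_f$, $T_f$ are passed in explicitly, as Definition 25 takes them as given from the collapsing morphism; the choice made here (the cycle $x \to y \to x$ of $R$) and all nets, names and markings are constructed for illustration.

```python
# Added example, not the paper's code: executable checks for Definition 25 and the
# lp-rule equation f o r = l (Definition 31), plus a brute-force liveness check.
from dataclasses import dataclass

@dataclass(frozen=True)
class Net:
    places: frozenset
    transitions: frozenset
    pre: dict   # transition -> frozenset of places it consumes from (weight 1 assumed)
    post: dict  # transition -> frozenset of places it produces into

    def pre_hat(self, p):   # assumed convention: transitions producing into p
        return frozenset(t for t in self.transitions if p in self.post[t])
    def post_hat(self, p):  # assumed convention: transitions consuming from p
        return frozenset(t for t in self.transitions if p in self.pre[t])

@dataclass(frozen=True)
class Morphism:
    src: Net
    dst: Net
    fP: dict  # place map
    fT: dict  # transition map

def compose(g, f):
    """g o f, as used in Lemma 30 and Definition 31."""
    return Morphism(f.src, g.dst, {p: g.fP[q] for p, q in f.fP.items()},
                    {t: g.fT[u] for t, u in f.fT.items()})

def f_consistent(fp, Pf, Tf):
    """Definition 25: fp injective on Pf and Tf, and the environment
    (pre_hat, post_hat) of every collapsed place is preserved."""
    n1, n3 = fp.src, fp.dst
    if len({fp.fP[p] for p in Pf}) < len(Pf) or len({fp.fT[t] for t in Tf}) < len(Tf):
        return False
    img = lambda ts: frozenset(fp.fT[t] for t in ts)
    return all(n3.pre_hat(fp.fP[p]) == img(n1.pre_hat(p)) and
               n3.post_hat(fp.fP[p]) == img(n1.post_hat(p)) for p in Pf)

def reach_graph(net, m0, cap=5000):
    """Reachability graph: marking (tuple over sorted places) -> {t: successor}."""
    order = sorted(net.places)
    idx = {p: i for i, p in enumerate(order)}
    graph, todo = {}, [tuple(m0.get(p, 0) for p in order)]
    while todo:
        m = todo.pop()
        if m in graph:
            continue
        if len(graph) >= cap:  # bounded nets only; otherwise this would never terminate
            raise RuntimeError("state-space cap reached: net may be unbounded")
        graph[m] = {t: tuple(c - (p in net.pre[t]) + (p in net.post[t])
                             for c, p in zip(m, order))
                    for t in net.transitions if all(m[idx[p]] >= 1 for p in net.pre[t])}
        todo.extend(graph[m].values())
    return graph

def is_live(net, m0):
    """Liveness: from every reachable marking, every transition can fire again."""
    graph = reach_graph(net, m0)
    for t in net.transitions:
        can = {m for m, s in graph.items() if t in s}   # markings enabling t
        more = True
        while more:  # backward closure: markings from which t is reachable
            more = {m for m, s in graph.items()
                    if m not in can and any(v in can for v in s.values())}
            can |= more
        if can != set(graph):
            return False
    return True

def net(places, arcs):
    """Constructed helper: places is a string of one-letter names; arcs maps
    transition -> (string of consumed places, string of produced places)."""
    return Net(frozenset(places), frozenset(arcs),
               {t: frozenset(a) for t, (a, _) in arcs.items()},
               {t: frozenset(b) for t, (_, b) in arcs.items()})

# Rule p: L <-l- K -r-> R with collapsing f: R -> L (constructed).
L = net("x", {"u": ("x", "x")})                      # place x with loop u
K = net("x", {})                                     # interface: x alone
R = net("xy", {"u1": ("x", "y"), "u2": ("y", "x")})  # cycle x -u1-> y -u2-> x
l = Morphism(K, L, {"x": "x"}, {})
r = Morphism(K, R, {"x": "x"}, {})
f = Morphism(R, L, {"x": "x", "y": "x"}, {"u1": "u", "u2": "u"})
Pf, Tf = {"x", "y"}, {"u1", "u2"}                    # assumed: the cycle f collapses

def lp_rule_equation_holds():
    c = compose(f, r)
    return c.fP == l.fP and c.fT == l.fT

# Two candidate occurrences of R: N_ok adds an unrelated loop z/w; N_bad also
# attaches v and w to the collapsed place x, so x's environment changes.
N_ok = net("xyz", {"u1": ("x", "y"), "u2": ("y", "x"), "w": ("z", "z")})
N_bad = net("xyz", {"u1": ("x", "y"), "u2": ("y", "x"), "v": ("x", "z"), "w": ("z", "x")})
occ = lambda n: Morphism(R, n, {"x": "x", "y": "y"}, {"u1": "u1", "u2": "u2"})

def occurrences_consistent():
    return f_consistent(occ(N_ok), Pf, Tf), f_consistent(occ(N_bad), Pf, Tf)

def live_before_and_after():
    """N_before contains L (x with loop u) next to z/w; N_ok is the same context with R."""
    n_before = net("xz", {"u": ("x", "x"), "w": ("z", "z")})
    return is_live(n_before, {"x": 1, "z": 1}), is_live(N_ok, {"x": 1, "z": 1})
```

`occurrences_consistent()` accepts the occurrence into `N_ok` and rejects the one into `N_bad`: the rejected case is exactly the situation Remark 26 guards against, since `v` and `w` enlarge the environment of the collapsed place `x` in the target net. The reachability-based `is_live` is only a sanity check for small bounded nets and caps the explored state space rather than running forever on an unbounded one; the point of Theorem 32 is that once the initial net has been shown live, such a check need not be rerun after each lp-rule step.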
We now combine the results of Section III-C, namely liveness respecting morphisms, with rule-based modification as reviewed in Section IV. Thus we obtain transformations of nets that preserve liveness by applying rules that employ liveness respecting morphisms.

Theorem 32 (Liveness Preservation) Given an lp-rule $(p, f)$ and an $f$-consistent occurrence $f' : R \to N'$. Let $N \overset{(p,f)}{\Longrightarrow} N'$ denote the transformation step via $(p, f)$. Then we have
$$N \text{ live} \implies N' \text{ live}.$$
Proof: Due to Lemmas 27, 28, 29, and 30, the preconditions for rule-based refinement in Definition 20 hold. Therefore, we obtain a collapsing morphism $g : N' \to N$, which respects liveness as shown in Theorem 18, yielding the proposition.

VI. CONCLUSION
In this paper we have introduced a new notion of morphisms for place/transition systems, namely collapsing morphisms. These morphisms respect liveness and, moreover, they are preserved under rule-based transformation. Thus, in a transformation step liveness is propagated from the transformed net to the resulting net. For a sequence of such transformation steps, as performed in stepwise system development, this means that liveness has to be proven only once, for the initial net. This significantly eases verification within system development. We have illustrated the approach by the development of a small system, where we used only liveness preserving transformations to enhance the coarse initial model with further details. As collapsing morphisms are highly specialized and thus quite restrictive, it may not always be possible to use exclusively liveness preserving rules and transformations. Nevertheless, each such transformation frees the developer from the complex and costly verification of liveness. Moreover, there are already various kinds of safety-preserving rules, which are equally important for reducing the complexity of verification; for a survey see [PU02]. Hence it is possible to choose from a wide range of refining rules according to the development step.

REFERENCES
[BGV91] W. Brauer, R. Gold and W. Vogler. A survey of behaviour and equivalence preserving refinements of Petri nets. In: G. Rozenberg (ed.), Advances in Petri Nets 1990, LNCS 483, pages 1–46. Springer-Verlag, Berlin, 1991.
[CT90] Y. Chen and W.T. Tsai. An algebraic approach to Petri net reduction and its application to protocol analysis. Technical Report 90-43, 38 pp. University of Minnesota, Minneapolis, USA, 1990.
[DA92] R. David and H. Alla, editors. Petri nets and Grafcet. Prentice Hall (UK), 1992.
[Des90] J. Desel. Reduction and design of well-behaved concurrent systems. In: J. C. M. Baeten and J. W. Klop (eds.), Proceedings of CONCUR '90, LNCS 458, pages 166–181. Springer-Verlag, 1990.
[DM90] J. Desel and A. Merceron. Vicinity respecting net morphisms. In: Advances in Petri Nets, LNCS 483, pages 165–185. Springer-Verlag, 1990.
[EHKP91] H. Ehrig, A. Habel, H.-J. Kreowski, and F. Parisi-Presicce. Parallelism and concurrency in high-level replacement systems. Math. Struct. in Comp. Science, 1:361–404, 1991.
[ES91] J. Esparza and M. Silva. On the analysis and synthesis of free choice systems. In: G. Rozenberg (ed.), Advances in Petri Nets 1990, LNCS 483, pages 243–286. Springer-Verlag, Berlin, 1991.
[Esp94] J. Esparza. Reduction and synthesis of live and bounded free-choice Petri nets. Information and Computation, 114(1):50–87, 1994.
[FWL88] J. Favrel, H. Wu and K.H. Lee. Reduction method of coloured Petri nets. In: Proc. IEEE Int. Conf. on Systems, Man, and Cybernetics, Beijing and Shenyang, China, Vol. 2, pages 984–987, 1988.
[GPU01] M. Gajewsky, J. Padberg, and M. Urbášek. Rule-based refinement for place/transition systems: preserving liveness properties. Technical Report 2001-08, Technical University Berlin, 2001.
[Lam94] L. Lamport. The Temporal Logic of Actions. ACM Transactions on Programming Languages and Systems, 16(3):872–923, 1994.
[MM90] J. Meseguer and U. Montanari. Petri nets are monoids. Information and Computation, 88(2):105–155, 1990.
[MP92] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems: Specification. Springer-Verlag, 1992.
[Pad99] J. Padberg. Categorical approach to horizontal structuring and refinement of high-level replacement systems. Applied Categorical Structures, 7(4):371–403, December 1999.
[PU02] J. Padberg and M. Urbášek. Rule-based refinement of Petri nets: A survey. Accepted for: H. Ehrig, W. Reisig, H. Weber (eds.), Petri Net Technology for Communication Based Systems, Advances in Petri Nets, LNCS, Springer-Verlag, 2002.
[Peu01] S. Peuker. Halbordnungsbasierte Verfeinerung zur Verifikation verteilter Algorithmen. PhD thesis, Humboldt University Berlin, 2001.
[Rei85] W. Reisig. Petri Nets, Vol. 4 of EATCS Monographs on Theoretical Computer Science. Springer-Verlag, 1985.
[Sou91] Y. Souissi. On liveness preservation by composition of nets via a set of places. In: G. Rozenberg (ed.), Advances in Petri Nets 1991, LNCS 524, pages 277–295. Springer-Verlag, Berlin, 1991.
[vdA97] W.M.P. van der Aalst. Verification of workflow nets. In: P. Azéma and G. Balbo (eds.), Application and Theory of Petri Nets, LNCS 1248, pages 407–426. Springer-Verlag, 1997.
[vdA98] W.M.P. van der Aalst. Finding errors in the design of a workflow process: A Petri net based approach. In: W. van der Aalst, G. De Michelis, and C. Ellis (eds.), Computing Science Reports/7: Proceedings of Workflow Management: Net-based Concepts, Models, Techniques and Tools (WFM'98), pages 60–81, Lisbon, 1998.