Rule-Invariants in Graph Transformation Systems for Analyzing Safety-Critical Systems

J. Padberg*, B.E. Enders
Technical University of Berlin, University of Essen
e-mail: [email protected], [email protected]

Abstract

The aim of this paper is to analyze graph transformation systems. Since Petri nets are famous for their powerful analysis techniques, we have started to transfer several notions from Petri nets to graph transformation systems. Especially, invariants provide vast possibilities for investigating a model. Hence, we have transferred transition invariants to rule invariants in graph transformation systems. Moreover, we have given a characterization of rule invariants. Due to the greater expressiveness of graph transformation this characterization is more complex than the one of transition invariants. The main fact about transition invariants is recaptured for rule invariants. Therefore, suitable Petri net notions like reachability, liveness, and boundedness are transferred to graph transformation systems. This allows a suitable analysis of graph transformation systems, as is exemplified by a safety-critical system specification in the area of human-computer interaction. After a presentation of a graph grammar specifying a safety-critical system concerning interaction on the flight deck of an aircraft, several notions of Petri nets are transferred to graph transformation systems. The corresponding notions concerning graph transformation systems are then demonstrated using the safety-critical example.

Keywords: Graph Transformations, Petri Nets, Analysis, Safety-Critical Systems, Transition Invariants, Rule Invariants

1 Introduction

In this paper we undertake the transfer of Petri net notions to graph transformation systems in order to obtain similar possibilities of analyzing the model. Analysis of the model is especially crucial in the area of safety-critical systems due to their high quality demands for the software. Although there are many different ideas to express Petri nets as special cases of graph transformation systems [Kre81,KR95,Cor00], it is not useful to fix one of these representations in order to transfer notions of Petri nets to graph transformation systems. Any fixed representation restricts in certain ways the possibility of transfer. Instead, it is more promising to express the corresponding notions directly in terms of graphs, rules and transformations. The difficulty of this transfer stems from the higher expressiveness and complexity of graph transformation systems in comparison to Petri nets. Among the notions transferred from Petri nets to graph transformation systems in this contribution are lifeness, boundedness and, especially, the notion of transition invariants. In the following we roughly state these correspondences.

- The initial marking of a Petri net denotes the initial state of the system from which the process develops. Clearly this corresponds to the initial graph in a graph transformation system.
- A marking of a net denotes some state of the system; this intuitively corresponds to a graph. The higher complexity of graph transformation systems can be seen clearly here: a state of a Petri net is given by a (multi-)set, namely of tokens, whereas a state of a graph transformation system is a graph. Thus the description of a single state is much more complex.
- The firing of a transition describes a local and deterministic system change. Analogously, a rule together with a given match describes a local and deterministic system change.
- A marking is reachable if it can be obtained from the initial marking by firing several transitions. And a graph is reachable if it is deduced from the initial graph via some transformation steps.
- Lifeness of a net means that from any reachable marking every transition can fire eventually after firing some others. So, lifeness of a graph transformation system means that from any reachable graph every graph rewrite rule can be applied after some more transformation steps.
- A net is bounded if the amount of tokens on each place in any reachable marking has some upper bound. Analogously, the graph transformation system is bounded if the number of nodes and edges of each reachable graph has an upper bound.
- Transition invariants describe possible cycles in a net. Correspondingly, rule invariants describe possible cyclic transformations. The main attraction of transition invariants is that they can be computed using linear algebra. Since graph transformations are far more expressive than Petri nets this computation cannot be transferred. Instead we have developed a more complex characterization of rule invariants.

The advantage of transition invariants is that they can be computed from the static net structure and do not require investigating possibly infinite runs. Similarly, rule invariants can be computed from the rules of a graph transformation system and do not require investigating all possibly infinite computations. Obviously, the paper is based on results in Petri nets, as e.g. in [Rei85]. Related work concerns on the one hand different approaches to verifying graph transformation systems using temporal logic as in [GHK98,Koc99]. On the other hand, a first attempt to analyze cycles in graph transformation systems has been presented in [Mul98]. But no transfer of the notion of invariants from Petri nets has been undertaken.

The paper is organized as follows. In chapter 2 a graph grammar specifying a suitable part of a safety-critical system concerning the interaction between the pilot and the flight management system on the flight deck of an aircraft is presented. This example system is used in order to demonstrate the particular notions in chapter 3. The transfer of the corresponding Petri net notions to graph transformation systems is presented in chapter 3. First we define basic notions in section 3.1. In section 3.2 we introduce rule invariants and give a characterization based on the construction of the minimal graphs of change of the left hand and right hand sides of the rules. There we also give the main result, namely that a finite, bounded and live graph transformation system is covered by rule invariants. Finally, this contribution closes with a conclusion and an overview of future research.

* Research partly supported by the TMR network GETGRATS

2 Graph Grammar Specifying a Safety-Critical System: Human-Computer Interaction on the Flight Deck

Concerning the goal of transferring notions of Petri nets to graph transformation systems, an accompanying example is presented in this chapter: a graph grammar specifying a part of a safety-critical system, namely the interaction between the pilot or the crew and the flight management system (FMS) on the flight deck of an aircraft. Although several notions of Petri nets can be transferred to graph transformation systems comprising directed attributed graphs, in this contribution, as a first step, graphs without labels at nodes and edges are considered for clarity. Dealing with attributed graphs will then be the focus of future work. In section 2.1 the complex attributed start graph GStart (cf. figure 1) specifying the start state of the interaction between pilot and FMS will be presented and explained for motivation. The rewrite rules of the underlying graph grammar are only briefly mentioned, for completeness. A detailed description of the entire system can be found in [ES00], where the aim is to describe a continuous collaborative specification process of human-computer interaction. Transferring Petri net notions to graph transformation systems can be demonstrated clearly by using a suitable small part of the complex interaction between the pilot and the FMS. Therefore, a particular part of this system will be considered in a detailed manner in section 2.2. It will be specified by very simple graphs and corresponding transformation rules. All graphs playing a role in this context will be entirely unlabeled. This particular part of the interaction between pilot and FMS will concern, especially, the highly important mode changes during the flight.

2.1 The Interaction between the Pilot and the FMS

As pointed out already in [ES00] and [Suc97], interaction between human and machine can nicely be understood by modelling it using the concept of information resources (cf. [WFH99], [WFH96], [FWH96]) and by specifying it formally by the notation of graph grammars (cf. [CMR+97] for a detailed presentation of the graph transformation approach used in this contribution). The specification of the interaction between the pilot and the flight management system on the flight deck of an aircraft is given here at an abstract level. This specification captures the entire interaction between the pilot and the FMS required to tackle the stages beginning with the take-off and ending with the touch-down of the aircraft. The start graph GStart of the graph grammar specifying this interaction is presented in figure 1. It is drawn in an intuitive manner for comprehensibility. However, the graph consists of nodes, edges and attributes for names and for types of graph elements, as well as attributes for describing certain features of particular graph elements. Although there exist only constant attributes in this case, sets of functions, relations, and the like could be used as attributes as well.

Figure 1. Start graph GStart of the interaction specification between the pilot and the flight management system (FMS) on the flight deck of an aircraft. [Figure not reproduced: it shows the goal nodes TLG, Start, Fly, Land, CNM, EDI and TD with their done attributes (done=false) and the attribute modeflag=true, the user interface parts St, Fl, Cn, Ed and Td with the actions st, fl, cn, ed and td, the superwidget U, and the mode nodes M with the values TRK and FPA.]

The root node on the left hand side of graph GStart in figure 1 specifies the top level goal TLG with the meaning of a specific flight. This goal is decomposed into three subgoals Start, Fly and Land; landing in turn is decomposed into the subgoals CNM (Changing Navigation Mode), EDI (Entering Descent Input) and TD (Touch Down). All goals not further decomposed are associated to subparts of the system's user interface specified by the right hand side of the graph. Action-effect edges indicate that actions of a specific type could be performed within the respective parts of the system's user interface in order to approach or, even, to complete the respective goals. The goal Start, e.g., can be completed by performing the action st within the user interface part St. Whether a goal has been completed already or not is indicated by the boolean attribute done attached to the respective node. It should be noted here that only the goal CNM does not have such an attribute. This is due to the fact that this goal exists within a certain context of switching modes. The navigation and the descent mode constitute an important safety-critical aspect within this system. A mode change during the flight by the pilot is sometimes necessary in order to comply with radar guidance. The safety-critical aspect in this context is that these modes are automatically coupled in the autopilot system, so that one mode change enforces the change of the other one immediately (cf. [KJ96]). In fact, the pilot always has to be aware of the actual mode values, especially of the automatically coupled mode change she or he did not intend. For reason of this tight connection the parts of the system's user interface corresponding to the goals CNM and EDI are grouped together by specifying them as subwidgets Cn and Ed, respectively, with a common superwidget U. Because of the importance of the actual modes in every situation during the flight, a mode node is added, attributed by the current mode value of its associated system part and connected to it by a special edge. The navigation mode has the actual mode value TRK (Track) and the descent mode has the actual mode value FPA (Flight Path Angle). Changing the modes would lead to the respective values HDG (Heading) and V/S (Vertical Speed).

Graph rewrite rules specify the interactions. The system discussed here contains six rules specifying its dynamics. One rule describes the start of the flight, a second one the opening of the flying stage. During the flying stage the pilot can change the modes for navigation and descent arbitrarily often: if she or he changes one mode, which is specified by one rule, the other mode changes automatically, specified by an enforced second rule. The safety-critical aspect at this point concerns the awareness of the automatically coupled mode change by the pilot: she or he has to be aware of the new value and must not rely upon the old one. A mode specification of this kind together with special modal subdialogs (cf. [ES00], [Suc97]) allows to ensure that the pilot is always aware of the current mode situation. This is a very important issue in order to avoid mode errors (due to confusion of the pilot caused by the modes), which already have led to accidents claiming casualties in the past (for detailed information see [KJ96] and [Mon92]). At the end, the pilot can enter the descent rate and finally perform the touch-down. A detailed explanation of this system is presented in [ES00]. Based on changes of the modes for navigation and descent, the transfer of the notion of transition invariant concerning Petri nets to the so-called rule invariant for graph transformation systems can be demonstrated comprehensibly in chapter 3. After this motivation concerning the whole complex safety-critical system, a small part of it is considered in section 2.2, where it is specified by a suitable simple graph transformation system based on unlabeled graphs. This subsystem is introduced with the goal of demonstrating the transfer of several notions of Petri nets to graph transformation systems in chapter 3.

2.2 Subsystem of the Interaction between Pilot and FMS

The interaction between the pilot and the FMS on the flight deck of an aircraft presented in section 2.1 will now be simplified as follows. We concentrate on the mode changes only, that is, being in the flying stage and switching between the two possible mode value combinations concerning navigation and descent mode during the flying stage. The combined change of mode values is chosen here for comprehensibility. Therefore, the safety-critical aspect of the awareness by the pilot is not yet considered in a very detailed manner in this simple system. However, based on it and, especially, on the notion of rule invariant to be introduced for graph transformation systems in analogy to transition invariants of Petri nets, this will become possible within an extended and more complex system. Further stages like opening the flight, entering the descent input and performing the touch-down are omitted for simplicity. Thus, the graph transformation system specifying this simple example system is a graph grammar consisting of an unlabeled start graph and two graph rewrite rules. For the following detailed explanations figures 2, 3 and 4 are helpful. The start graph G0 (figure 2) characterizes the flying stage (nodes v1, v2 and edges e1, e2 in between). G0 further characterizes the existence of the two kinds of mode: the navigation mode (specified by node v3 and edge e3) and the descent mode (specified by node v4 and edge e4). The single edge e0 attached to node v2 specifies the actual mode value combination TRK-FPA concerning navigation and descent mode respectively. A single edge belonging to every state in this system specifies the actual mode value situation during the flight: the pilot can arbitrarily often change one of the two modes, implying thus the automatically coupled change of the other mode. Thus, a state in which a single edge is attached to the other node v1 specifies the second possible mode value combination HDG-V/S concerning navigation and descent mode respectively. Such combined mode value changes from the mode value combination TRK-FPA to HDG-V/S and vice versa are specified by the two rules P1 (figure 3) and P2 (figure 4). Both rules change the actual mode value combination into the respective other one. Thus, in all states a single edge at node v1 or v2 specifies the actual mode combination HDG-V/S or TRK-FPA respectively.

The graph grammar specifying this simple subsystem concerning the interaction between pilot and FMS is defined by $GG_{Pilot-FMS} = \{G_0, P\}$ where $P = \{P_1, P_2\}$ and $G_0 = \{V, E, s, t\}$ with $V = \{v_1, v_2, v_3, v_4\}$, $E = \{e_0, e_1, e_2, e_3, e_4\}$, $s(e_1) = v_2$, $t(e_1) = v_1$, $s(e_2) = v_1$, $t(e_2) = v_2$, $s(e_0) = t(e_0) = v_2$, $s(e_3) = v_3$, $t(e_3) = v_2$, $s(e_4) = v_4$, $t(e_4) = v_2$.

Figure 2. Start graph G0 of the simple subsystem specifying the interaction between pilot and FMS. [Figure not reproduced: nodes v1, v2, v3, v4 and edges e0, e1, e2, e3, e4 as defined above.]

Figure 3. Graph rewrite rule P1 specifying a change of the actual mode value combination concerning navigation and descent mode. [Figure not reproduced: the span $L_1 \xleftarrow{l_1} K_1 \xrightarrow{r_1} R_1$.]

Figure 4. Graph rewrite rule P2 specifying a change of the actual mode value combination concerning navigation and descent mode. [Figure not reproduced: the span $L_2 \xleftarrow{l_2} K_2 \xrightarrow{r_2} R_2$.]

Due to the simplicity of this system the dynamics of its graph grammar specification $GG_{Pilot-FMS}$ can be described as follows (as can easily be seen):

$$G_0 \overset{(P_1,m_1)}{\Longrightarrow} G_1 \quad\text{and}\quad G_1 \overset{(P_2,m_2)}{\Longrightarrow} G_0$$

Here, the homomorphisms m1 and m2 are the matches at which the respective graph rewrite rules P1 and P2 are applied to the graphs G0 and G1. The graph grammar $GG_{Pilot-FMS}$ specifying the simple subsystem of the interaction between pilot and FMS will serve for demonstrating the transfer of notions concerning Petri nets like marking, enabling, firing, reachability, lifeness, boundedness and, especially, transition invariant, to graph transformation systems in chapter 3. Based on these results many important aspects in the area of safety-critical systems, like the entire complex aspect of the awareness by the pilot during the flight, may be formulated more concretely and more comprehensibly. Moreover, such a formulation allows a suitable investigation of the corresponding model. And it is especially the safety-critical features which have to be considered deeply while developing systems in this area. The reason for these suitable investigation and analysis possibilities lies in the high expressiveness of graph transformation. Additionally, the transfer of notions from Petri nets, which are famous for their powerful analysis techniques, helps much in analyzing models expressed in terms of graph transformation systems. For example, the computation of all reachable graphs within the simple safety-critical subsystem introduced above provides all possible states specifying all possible situations during the flight. These situations can then be further analyzed with the goal of characterizing the safety-critical ones the pilot by all means has to be aware of during the flight. This shows the importance and advantage of transferring the notion of reachability from Petri nets to graph transformation systems. Usually, an adequate model of a system should be bounded, finite and live.

So, if the characterization of rule invariants presented in this paper shows that the graph transformation system is not covered by rule invariants, this gives a strong suspicion that the model may be severely wrong. Suppose, for example, the simple safety-critical subsystem introduced above is not covered by rule invariants and, especially, it is not life. This implies that at least one of its two graph rewrite rules is not life. Thus, there must exist a reachable state graph such that the respective rule can not be applied anymore according to the dynamics of the system. This, in turn, shows that one important mode change which is highly necessary for a safe flight can not be performed in the corresponding model. Therefore, the model has to be corrected by all means with respect to this safety-critical aspect of mode change! On the other hand, let an already complex system specification be covered by a rule invariant. This rule invariant then contains all rules concerning changes of modes necessary in order to comply with radar guidance. The fact that the corresponding transformation sequence is cyclic allows to make constructive statements about the different mode changes and, especially, about how they influence each other. Thus, the corresponding model helps much in detecting and characterizing especially the safety-critical aspects in the system. In order to allow for a powerful analysis of safety-critical systems as described above, several notions concerning Petri nets are transferred to graph transformation systems in chapter 3.

3 From Transition-Invariants to Rule-Invariants

We first reconsider the usual notions of unlabeled graphs and rules and transformations in the algebraic double-pushout (DPO) approach (cf. [Ehr79,CMR+97]). Unlabeled graphs are given in the algebraic style by the sets of nodes and edges together with the functions that map each edge to its source and target node.

Definition 1 (Graphs and Graph).
An (unlabeled) graph $G = (E, V, s, t : E \to V)$ is given by $E$, the set of edges, and $V$, the set of nodes. The function $s : E \to V$ maps each edge to its source node and the function $t : E \to V$ maps each edge to its target node.

Rules in the DPO approach are given by a span of morphisms, where the interface $K$ denotes the positive application condition in the sense that $K$ has to be present in the target graph $G$. $K \xrightarrow{l} L$ describes by $L \setminus K$ what is deleted, in the sense that the pushout complement $C$ is the context that is not changed. $K \xrightarrow{r} R$ describes by $R \setminus K$ what is added, since the resulting graph $H$ is the pushout of $C$ and $R$.

Definition 2 (Rules and Transformations).
1. A rule $L \xleftarrow{l} K \xrightarrow{r} R$ with name $p$ in Graph consists of the graphs $L$, $K$ and $R$, called the left hand side, the interface (or gluing object) and the right hand side respectively, and two morphisms $K \xrightarrow{l} L$ and $K \xrightarrow{r} R$ with both morphisms $l, r$ injective. We have a rule without empty interface if $K$ consists of at least a node.
2. Given a rule $(L \xleftarrow{l} K \xrightarrow{r} R)$ with name $p$, a direct transformation $G \overset{(p,m)}{\Longrightarrow} H$ from a graph $G$ to a graph $H$ using the rule $p$ is given by the following two pushout diagrams (1) and (2) in the category Graph. The morphism $L \xrightarrow{m} G$ is called match of $L$ in $G$, and $m$ is also injective.

    L <--l-- K --r--> R
    |        |        |
    m  (1)   k  (2)   n
    |        |        |
    v        v        v
    G <--g-- C --h--> H

Note, $l, r, m$ injective implies that all morphisms in the diagram are injective. Based on this we define graph transformation systems where the rules have explicit names (see also [HCEL96]). Moreover, we have to assume that the interfaces of the rules are not empty.

Definition 3 (Graph Transformation System).
A graph transformation system $GTS = (G_S, Rules, \pi)$ consists of a start graph $G_S \in Obj_{Graph}$, the class of rules $Rules = \{(L \xleftarrow{l} K \xrightarrow{r} R) \mid l, r \in MOR_{Graph} \text{ and } l, r \text{ injective}\}$, and the naming function $\pi : P \to Rules$. A graph transformation system $GTS$ is finite if $P$ is finite.

3.1 Transferring Petri Net Notions to Graph Transformation Systems

Petri nets¹ are given in their classical presentation with $N = (S, T, F, W, M_0)$, where we have the flow relation $F \subseteq S \times T \cup T \times S$, the weight $W : F \to \mathbb{N}^+$, and the initial marking $M_0 : S \to \mathbb{N}$. They correspond to graph transformation systems based on labeled graphs without any edges (see [Kre81]). Here we consider in a first step only unlabeled graphs. Nevertheless, the intuition can be transferred from Petri nets to these graph transformation systems.

In this analogy the initial marking $M_0 : S \to \mathbb{N}$ of a Petri net corresponds to the start graph $G_S \in Obj_{Graph}$ of a graph transformation system $GTS = (G_S, Rules, \pi)$. The enabling of a transition $t$ is given by $M(s) \geq W(s, t)$ for all $s \in {}^\bullet t$. A rule can be applied if there is $m : L \to G$ such that the gluing condition (see [CMR+97]) is satisfied and $m$ is injective. The firing of a transition $M[t\rangle M'$ corresponds to a direct transformation $G \overset{(p,m)}{\Longrightarrow} H$. This transfer of basic notions from Petri nets to graph transformation systems can now be demonstrated using the simple example system introduced in section 2.2.

Remark 1. The graph grammar $GG_{Pilot-FMS}$ is a $GTS = (G_S, Rules, \pi)$ ($Rules$ and $\pi$ as in definition 3) with $G_S = G_0$ and $P = \{P_1, P_2\}$ (cf. figures 2, 3 and 4). The GTS $GG_{Pilot-FMS}$ is finite since $P$ is finite. The GTS $GG_{Pilot-FMS}$ thus corresponds to a finite Petri net.

Remark 2. The start graph $G_0 \in Obj_{Graph}$ of $GG_{Pilot-FMS}$ corresponds to the initial marking of a Petri net.

Remark 3. The match $m_1 : L_1 \to G_0$ of the graph rewrite rule $P_1 \in P$ corresponds to an enabling within a Petri net, as $m_1$ is injective and the gluing condition for applying $P_1$ to $G_0$ at this match $m_1$ is satisfied: $l_1^{-1}(m_1^{-1}(v_2)) \in K_1$ for $v_2 \in G_0$ (cf. figure 5).

¹ More precisely, we here have Place/Transition nets without capacities.

Figure 5. Application of graph rewrite rule P1 to graph G0 at match m1 (yielding graph G1). [Figure not reproduced: the two pushouts of $L_1 \xleftarrow{l_1} K_1 \xrightarrow{r_1} R_1$ over $G_0 \xleftarrow{l_1^*} C_1 \xrightarrow{r_1^*} G_1$ with the morphisms $m_1$, $c_1$ and $m_1^*$; the node $v_2$ is marked in $G_0$.]

Remark 4. The direct transformation $G_1 \overset{(P_2,m_2)}{\Longrightarrow} G_0$ corresponds to the firing of a transition belonging to a Petri net.

Now we can transfer reachability in Petri nets, computed by $M_0 \in [M_0\rangle$ and $M' \in [M_0\rangle \wedge M'[t\rangle M'' \Rightarrow M'' \in [M_0\rangle$, to graph transformation systems in the following way.

Definition 4 (Reachability for Graph Transformation Systems).
The set of reachable graphs $[G_S\rangle$ of a graph transformation system $GTS = (G_S, Rules, \pi)$ is computed by:
- $G_S \in [G_S\rangle$
- $G' \in [G_S\rangle$ and $G' \overset{(p,m)}{\Longrightarrow} G''$ implies $G'' \in [G_S\rangle$

Remark 5. The set of reachable graphs of the GTS $GG_{Pilot-FMS}$ is the set $\{G_0, G_1\}$ as (cf. definition 4):
$$G_0 \overset{(P_1,m_1)}{\Longrightarrow} G_1 \overset{(P_2,m_2)}{\Longrightarrow} G_0.$$

Lifeness of Petri nets is defined by: $t \in T$ is life if and only if $\forall M \in [M_0\rangle : \exists M' \in [M\rangle : M'[t\rangle M''$. Moreover, $N$ is life iff $\forall t \in T$: $t$ is life. The analogous definition for graph transformation systems is the following.

Definition 5 (Lifeness for Graph Transformation Systems).
Given a graph transformation system $GTS = (G_S, Rules, \pi)$, then $p \in P$ is life if and only if $\forall G \in [G_S\rangle : \exists G' \in [G\rangle : G' \overset{(p,m)}{\Longrightarrow} G''$. $GTS$ is life if and only if $p$ is life for all $p \in P$.

Remark 6. The graph rewrite rule $P_1$ is life: $G_0 \overset{(P_1,m_1)}{\Longrightarrow} G_1$, and $G_0 \in [G_1\rangle$ (cf. definition 5). The graph rewrite rule $P_2$ is life as well: $G_1 \overset{(P_2,m_2)}{\Longrightarrow} G_0$, and $G_1 \in [G_0\rangle$.

Remark 7. The GTS $GG_{Pilot-FMS}$ is life since both of its graph rewrite rules $P_1$ and $P_2$ are life (cf. definition 5).

Similarly we can transfer the concept of boundedness. Boundedness of Petri nets is defined by: $N$ is bounded if and only if $\forall M \in [M_0\rangle : M(s) \leq n \in \mathbb{N}$. Boundedness of graph transformation systems is defined in the following way.

Definition 6 (Boundedness of Graph Transformation Systems).
$GTS$ is bounded if and only if $\forall G \in [G_S\rangle : |V \cup E| \leq n \in \mathbb{N}$.

Corollary 1. Boundedness of $GTS$ implies that the set of reachable graphs $[G_S\rangle$ is finite.

Remark 8. The GTS $GG_{Pilot-FMS}$ is bounded because $\forall G \in [G_0\rangle : |V \cup E| \leq n \in \mathbb{N}$. Of course, the boundedness of the GTS $GG_{Pilot-FMS}$ implies that the set of reachable graphs $[G_0\rangle$ is finite: $[G_0\rangle = \{G_0, G_1\}$ (cf. definition 6 and corollary 1).

3.2 Rule-Invariants

Transition invariants in Petri nets are transition vectors (or multisets, or elements of the free commutative monoid over $T$) such that the sum of the pre domains of the involved transitions equals the sum of the post domains. For Petri nets this can be achieved just by adding up places; in the case of graph transformation we suggest to use the following constructions. The basic intuition of this construction of R-invariants is to glue together all left hand sides, resulting in a graph $L$. This construction glues everything that is within the interfaces and keeps anything else distinct. The same construction for the right hand sides yields $R$. Hence, we make each arc that is really deleted (respectively added) explicit. So, if there is a cyclic derivation (up to isomorphism) the resulting graph is isomorphic to the source graph. Hence, for each subgraph that is deleted at some step during the derivation this subgraph has to be added in some other step of the derivation and vice versa. So we have an R-invariant if $L$ and $R$ are isomorphic. The subsequent definition of the minimal graphs of change for the left and right hand sides yields the gluing of the left hand sides and the gluing of the right hand sides respectively.

Definition 7 (Minimal Graphs of Change).
Given $\pi(p_i) = L_i \xleftarrow{l_i} K_i \xrightarrow{r_i} R_i$ rules without empty interfaces for $i = 1, \ldots, n$, then we can construct the minimal graph of change of the left (respectively right) hand side by:
1. the product $K = \prod_{i=1}^{n} K_i$ of all interfaces, and
2. the multiple pushout $(L, \hat{l}_i)$ of all left hand sides $K \to K_i \xrightarrow{l_i} L_i$ (respectively the multiple pushout $(R, \hat{r}_i)$ of all right hand sides $K \to K_i \xrightarrow{r_i} R_i$).

The next lemma states the fact that everything from the interfaces is glued together (items 1 and 2). Items 3 and 4 state that everything else is kept distinct.

Lemma 1. Given the minimal graph $L$ of the left hand sides, then we have
1. for all $v \in K_{i,V}$ there is exactly one $v_L \in L_V$, so that $\hat{l}_i \circ l_i \circ k_i(v) = v_L$;
2. for all $e \in K_{i,E}$ there is at most one $e_L \in L_E$, so that $\hat{l}_i \circ l_i \circ k_i(e) = e_L$;
3. for all $v_i \in L_i \setminus l_i(K_i)$ and $v_j \in L_j \setminus l_j(K_j)$ we have: $\hat{l}_i(v_i) = \hat{l}_j(v_j)$ implies $i = j \vee v_i = v_j$;
4. for all $e_i \in L_i \setminus l_i(K_i)$ and $e_j \in L_j \setminus l_j(K_j)$ we have: $\hat{l}_i(e_i) = \hat{l}_j(e_j)$ implies $i = j \vee e_i = e_j$.
Analogously for the minimal graph $R$ of the right hand sides. Note that for the minimal graph of change $L$ (and $R$ respectively) all interfaces are glued together, namely to one node $v_L$ (resp. $v_R$) and at most one edge $e_L$ (resp. $e_R$), and all other nodes and edges are kept distinct.

Proof. We have the following diagram [not reproduced]: $K \xrightarrow{k_i} K_i \xrightarrow{l_i} L_i \xrightarrow{\hat{l}_i} L$ and $K \xrightarrow{k_j} K_j \xrightarrow{l_j} L_j \xrightarrow{\hat{l}_j} L$, together with the factorization $K \to \hat{K} \xrightarrow{l} L$, where (1) and (2) are the squares formed with $K_i$, $L_i$ and $K_j$, $L_j$ respectively and the pushout is marked $PO$.

By assumption we have $K_{i,V} \neq \emptyset$. So for the nodes we have $\hat{K}_V = (\coprod_{i=1}^{n} K_{i,V})/R$, that is, $\hat{K}_V = \{[\hat{v}]\}$ with $[\hat{v}] = \coprod_{i=1}^{n} K_{i,V}$ and $K_V = \prod_{i=1}^{n} K_{i,V}$; hence $\hat{K}_V$ has at most one element, $l([\hat{k}]) =: v_L$. The same holds for the edges, $\hat{K}_E = \{[\hat{e}]\}$, if no $K_{i,E} = \emptyset$. Otherwise we have $\hat{K}_E = \emptyset$. Since $\hat{K}$ consists of at most one node and one edge, $l$ has to be injective. Moreover, 1 and 2 hold, as (1) and (2) commute. 3 and 4 hold due to the pushout properties of $L$.

Definition 8 (R-Invariants).
Given $\pi(p_i) = (L_i \xleftarrow{l_i} K_i \xrightarrow{r_i} R_i)$ for $i = 1, \ldots, n$, then there is the R-invariant, written $\bigsqcup_{i=1}^{n} p_i$ or $p_1 \sqcup p_2 \sqcup \ldots \sqcup p_n$, if we have for the minimal graphs of change $L$ and $R$ (as in definition 7):
$$L \cong R.$$
A graph transformation system is covered by R-invariants if there is some R-invariant $\bigsqcup_{p \in P} p$ in which every rule $p \in P$ occurs with multiplicity $> 0$.

A cycle of transformations is a sequence starting and ending with the same graph up to isomorphism. In order to state precisely a cycle of transformations we have to exclude isomorphisms that are not compatible with the transformation sequence (see also remark 9).

Definition 9 (Cyclic Transformation).
A transformation sequence $G_0 \overset{(p_1,m_1)}{\Longrightarrow} \ldots \overset{(p_n,m_n)}{\Longrightarrow} G_n$ with an isomorphism $iso : G_0 \to G_n$ such that $K \to L_1 \to G_0 \xrightarrow{iso} G_n = K \to R_n \to G_n$ is called cyclic.

Remark 9. In figure 6 we have a cyclic transformation of two steps with $G_0 \cong G_2$. Nevertheless, we have $K \to L_1 \to G_0 \neq K \to R_2 \to G_2$.

Figure 6. Not a Cyclic Transformation. [Figure not reproduced: the two-step sequence $G_0 \Rightarrow G_1 \Rightarrow G_2$ with the rules $L_1 \leftarrow K_1 \rightarrow R_1$ and $L_2 \leftarrow K_2 \rightarrow R_2$, the contexts $C_1$, $C_2$ and the product $K$.]

The next theorem states that cyclic transformations imply R-invariants. Hence, this notion corresponds to T-invariants in Petri nets.

Theorem 1 (R-Invariants).
Given a cyclic transformation sequence $G_0 \overset{(p_1,m_1)}{\Longrightarrow} \ldots \overset{(p_n,m_n)}{\Longrightarrow} G_n$ and $\pi(p_i) = L_i \xleftarrow{l_i} K_i \xrightarrow{r_i} R_i$ rules without empty interfaces and all morphisms $l_i, r_i, m_i$ injective, then we have the R-invariant $\bigsqcup_{i=1}^{n} p_i$.

Proof. We have to show that L  = R for L and R constructed as in de nition 7. We rst construct / R. Then we construct injective g : R / L. Hence L  injective h : L = R. For reasons of space we only consider edges and omit the subscript E for the set of edges. The mapping of nodes is constructed analogously. Moreover, we omit the name of the involved morphisms for clarity and treat injections as inclusions.

- Construction of $h: \hat L \to \hat R$. For $e \in \hat L$ we have the following cases:

  $e \in \hat l(\hat K)$: Since $\hat K$ consists of at most one edge we have $e = \hat l([k])$. So we define $h(e) := \hat r([k])$ and, since $\hat l$ and $\hat r$ are well-defined, so is $h$ here.

  $e \in \hat L \setminus \hat l(\hat K)$: Due to lemma 1 we have $e \in L_i$ for exactly one $i$. $e$ then has to be in the corresponding $G_{i-1}$. We can now distinguish two more cases:

  $e \notin n_j(R_j)$ for all $j$ with $0 \le j \le i-1$: Since $e \notin n_j(R_j)$ implies $e \in C_{i-1}$ and hence $e \in G_{i-2}$. Then obviously $e \in G_0$ and $e \notin G_i$. Since $G_n \cong G_0$ and due to definition 9 there is some $j$ with $i-1 \le j \le n$ so that $e = n_j(e_1) \in n_j(R_j)$ and $e \notin n_k(R_k)$ for all $k$ with $i-1 < k < j$. We now choose $h(e) = e_1$.

  else: Then there is some $j$ with $0 \le j \le i-1$ so that $e = n_j(e_2) \in n_j(R_j)$ and $e \notin n_k(R_k)$ for all $k$ with $j < k < i-1$. We now choose $h(e) = e_2$.

  (Diagram: $L_1 \xrightarrow{m_1} G_0 \leftarrow C_1$, $\ldots$, $R_{i-1} \xrightarrow{n_{i-1}} G_{i-1} \leftarrow C_{i-1}$, $L_i \xrightarrow{m_i} G_{i-1} \leftarrow C_i$ for $i = 2, \ldots, n$, and $R_n \xrightarrow{n_n} G_n \leftarrow C_n$, together with the common interface $K$.)

- Injection. Due to 2 in Lemma 1 there is no $e \in \hat L$ with $e \neq e_L$ and $h(e) = e_R$. Due to 4 in Lemma 1, for each $e \in \hat L \setminus \hat l(\hat K)$ there is no $e' \neq e$ with $\hat l_i(e') = e$. As 4 in Lemma 1 holds for $\hat R$ as well, there is no $e' \neq e$ with $\hat r_i(e') = e$. Hence, $h$ is injective.

- Construction of $g: \hat R \to \hat L$. Analogously.

We now have injective $h: \hat L \to \hat R$ and $g: \hat R \to \hat L$, so we can finally conclude $\hat L \cong \hat R$.

Remark 10. The graph rewrite rules $P_1$ and $P_2$ of the GTS $GG_{Pilot-FMS}$ constitute the R-invariant $\bigsqcup_{i=1}^2 P_i = P_1 \sqcup P_2$ since for the minimal graphs of change $\hat L$ and $\hat R$ (as in definition 7) we have $\hat L \cong \hat R$ (cf. figure 7 and definition 8). The annotations $a$, $b$, $1$, $2$, $u$ and $v$ at the graph elements are given here for comprehensibility.

Figure 7. Presentation of the R-invariant $\bigsqcup_{i=1}^2 P_i = P_1 \sqcup P_2$ ($P = \{P_1, P_2\}$) of the GTS $GG_{Pilot-FMS}$ (diagram of the transformation $G_0 \Rightarrow G_1 \Rightarrow G_2$ with rules $L_i \xleftarrow{l_i} K_i \xrightarrow{r_i} R_i$, matches $m_i$, context graphs $C_i$, the induced morphisms $l_i^*$, $r_i^*$, $m_i^*$, and the minimal graphs of change $\hat L \cong \hat R$ carrying the annotations $1a, 1b, 2a, 2b, u, v$).

Remark 11. The R-invariant $\bigsqcup_{i=1}^2 P_i$ is an R-invariant for the GTS $GG_{Pilot-FMS}$ (cf. figure 7 and theorem 1) since $G_0 \cong G_2$, the transformation sequence $G_0 \Rightarrow G_1 \Rightarrow G_2$ is cyclic and for $1 \le i \le 2$ the morphisms $l_i$, $r_i$ and $m_i$ (and therefore $l_i^*$, $r_i^*$ and $m_i^*$ as well) are all injective.

Now we can transfer one of the main results concerning invariants from Petri nets to graph transformation systems. A net that is finite, live and bounded is covered by T-invariants ([Rei85]).

Theorem 2 (Covered by R-Invariants). A finite, bounded and live graph transformation system is covered by R-invariants, that is, there is an R-invariant $\bigsqcup_{i=1}^n p_i$ so that $\{p_i \mid i = 1, \ldots, n\} = P$.

Proof. Analogously to Petri nets (see [Rei85]). In short we have the following argumentation: As the graph transformation system is finite and bounded, there are only finitely many reachable graphs. Since the graph transformation system is live as well, there have to be transformation sequences that involve all rules. Moreover, they can be prolonged from any reachable graph. Since there are only finitely many graphs and the sequence of all these transformations involves more steps than there are reachable graphs, some graph has to occur twice. Since there are only finitely many automorphisms, eventually we obtain a cycle that includes all rules. Hence, due to theorem 1, we get an R-invariant that covers the graph transformation system.

Remark 12. The GTS $GG_{Pilot-FMS}$ is covered by the R-invariant $\bigsqcup_{i=1}^2 P_i = P_1 \sqcup P_2$ since it is finite, bounded and live, and since $P = \{P_1, P_2\}$ (cf. theorem 2).
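The Petri net side of this correspondence, as an added example that is not part of the paper: T-invariants are the non-negative solutions $x$ of $C \cdot x = 0$ for the incidence matrix $C$, firing a T-invariant returns to the start marking (the counterpart of a cyclic transformation sequence), and a net is covered if every transition has a positive entry in some invariant (the counterpart of theorem 2). The toy net and all function names below are constructed for this example.

```python
"""Added example: T-invariants of a (constructed) Petri net via its incidence matrix.
A T-invariant is a non-negative vector x with C . x = 0; firing every transition t
exactly x_t times reproduces the start marking, the counterpart of a cyclic sequence."""
from itertools import product

# Constructed toy net: a cycle p0 -> p1 -> p2 -> p0 through t0, t1, t2, plus a
# transition t3 that only consumes from p0 and therefore lies on no cycle.
PLACES = ["p0", "p1", "p2"]
PRE = {"t0": {"p0": 1}, "t1": {"p1": 1}, "t2": {"p2": 1}, "t3": {"p0": 1}}  # consumed
POST = {"t0": {"p1": 1}, "t1": {"p2": 1}, "t2": {"p0": 1}, "t3": {}}        # produced
TRANSITIONS = sorted(PRE)

def incidence_matrix(places, pre, post, transitions):
    """Rows are places, columns are transitions; entry = produced minus consumed."""
    return [[post[t].get(p, 0) - pre[t].get(p, 0) for t in transitions] for p in places]

def is_t_invariant(matrix, x):
    """Non-zero x with C . x == 0: the net effect of the firings is nil on every place."""
    return any(x) and all(sum(c * k for c, k in zip(row, x)) == 0 for row in matrix)

def minimal_t_invariants(matrix, bound=2):
    """Enumerate small non-negative vectors, keep the componentwise-minimal solutions."""
    n = len(matrix[0])
    sols = [x for x in product(range(bound + 1), repeat=n) if is_t_invariant(matrix, x)]
    return [x for x in sols
            if not any(y != x and all(a <= b for a, b in zip(y, x)) for y in sols)]

def covered(matrix, invariants):
    """Covered by T-invariants: every transition has a positive entry in some invariant."""
    return all(any(x[i] > 0 for x in invariants) for i in range(len(matrix[0])))

def fire_sequence(marking, seq, pre, post):
    """Fire the transitions in order; return the final marking, or None if one is not enabled."""
    m = dict(marking)
    for t in seq:
        if any(m.get(p, 0) < k for p, k in pre[t].items()):
            return None
        for p, k in pre[t].items():
            m[p] -= k
        for p, k in post[t].items():
            m[p] = m.get(p, 0) + k
    return m

if __name__ == "__main__":
    C = incidence_matrix(PLACES, PRE, POST, TRANSITIONS)
    invs = minimal_t_invariants(C)
    print("minimal T-invariants:", invs)              # [(1, 1, 1, 0)]
    print("covered by T-invariants:", covered(C, invs))  # False, t3 is in no invariant
    m0 = {"p0": 1, "p1": 0, "p2": 0}
    print(fire_sequence(m0, ["t0", "t1", "t2"], PRE, POST) == m0)  # True: a cycle
```

Firing the single minimal invariant from the marking with one token on p0 returns exactly to that marking, while t3, which lies on no cycle, keeps the net from being covered.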

4 Conclusion

Since this paper is the first step in developing analysis techniques for graph transformation systems, we conclude with a short summary and a discussion of future research.

4.1 Summary

Graph transformation systems are becoming more and more an adequate modeling technique in the area of safety-critical systems. But this application area places strong demands on the analysis and verification methods of the modeling technique. In contrast to graph transformation systems, Petri nets are well investigated with respect to analysis and verification. Nevertheless, as graph transformation systems are much more powerful in their expressiveness, it is often advisable to use graph transformation systems. In this contribution we have taken a first step towards transferring the possibilities of analysis known for Petri nets to graph transformation systems. We have defined some basic Petri net notions (namely liveness, boundedness, and reachability) directly in terms of graph transformation systems. These correspondences are obvious and well-known. We have then transferred the very prominent notion of transition invariant (T-invariant) from Petri nets to rule invariant (R-invariant) in graph transformation systems. Analogously to a T-invariant, an R-invariant denotes a possible cycle. The main result of this contribution is the characterization of R-invariants independent of concrete transformation sequences. This characterization corresponds to the computation of T-invariants in Petri nets based on the solution of the linear equation system induced by the net's incidence matrix. The computation of R-invariants uses a new construction of the minimal graphs of change of the left- and right-hand sides of the rules. So, only the changes induced by the rules are kept distinct. If the changes of the left-hand sides are the same as the changes of the right-hand sides, this implies possible cycles of transformations. Given these R-invariants we could transfer a main result from Petri nets concerning liveness, boundedness and T-invariants to graph transformation systems.

4.2 Open Questions and Future Work

The following questions and ideas give rise to fruitful further investigations.

- The characterization of R-invariants makes it possible to state them from an inspection of the rules of a graph transformation system. It is a fruitful task to explore the possibilities for a computation of all R-invariants, as can be achieved for T-invariants by solving the linear equation system given by the net's incidence matrix.

- The next interesting idea is to transfer the notion of place invariant from Petri nets to graph transformation systems: What reasonable corresponding interpretation can be found? How can such invariants be characterized?

- In this paper we have dealt with the most basic kind of graph transformation systems. An exciting task is to find out whether all these corresponding notions hold not only for graph transformation systems dealing with unlabeled graphs, but can be used for attributed graphs as well, where the relevant label sets are not only simple flat alphabets but, moreover, sets of functions, relations, and the like. This implies the consideration of another, more complex category than the category Graph considered up to now.

References

[CMR+97] A. Corradini, U. Montanari, F. Rossi, H. Ehrig, R. Heckel, and M. Löwe. Algebraic Approaches to Graph Transformation – Part I: Basic Concepts and Double Pushout Approach. In G. Rozenberg, editor, volume 1, chapter 3, pages 163–245. World Scientific, 1997.

[Cor00] A. Corradini. Concurrent computing: from Petri nets to graph grammars. In A. Corradini and U. Montanari, editors, Electronic Notes in Theoretical Computer Science, volume 2. Elsevier Science Publishers, 2000.

[Ehr79] H. Ehrig. Introduction to the Algebraic Theory of Graph Grammars (A Survey). In Graph Grammars and their Application to Computer Science and Biology. Springer LNCS 73, 1979.

[ES00] B.E. Enders-Sucrow. Describing a Continuous Collaborative Specification Process of Human-Computer Interaction by Graph Rewriting. To appear in a Special Issue of the Transactions of the SDPS: Journal of Integrated Design and Process Science, 2000.

[FWH96] B. Fields, P. Wright, and M. Harrison. Designing Human-System Interaction Using The Resource Model. In Proceedings of APCHI'96: Asia Pacific Conference on Human-Computer Interaction, Singapore, June 1996.

[GHK98] F. Gadducci, R. Heckel, and M. Koch. Model checking graph-interpreted temporal formulas. In G. Engels and G. Rozenberg, editors, Proc. 6th International Workshop on Theory and Applications of Graph Transformation (TAGT'98), number tr-ri-98-201 in Reihe Informatik, pages 292–299. Universität-Gesamthochschule Paderborn, Fachbereich Mathematik-Informatik, 1998.

[HCEL96] R. Heckel, A. Corradini, H. Ehrig, and M. Löwe. Horizontal and vertical structuring of typed graph transformation systems. Math. Struc. in Comp. Science, 6(6):613–648, 1996. Also as techn. report no 96-22, TU Berlin.

[KJ96] V. De Keyser and D. Javaux. Human Factors in Aeronautics, pages 28–45. Springer, Vienna, 1996. F. Bodart and J. Vanderdonckt (eds.).

[Koc99] M. Koch. Integration of Graph Transformation and Temporal Logic for the Specification of Distributed Systems. PhD thesis, Technische Universität Berlin, FB 13, 1999.

[KR95] M. Korff and L. Ribeiro. Formal relationship between graph grammars and Petri nets. In J. Cuny, H. Ehrig, G. Engels, and G. Rozenberg, editors, Graph Grammars and their Applications to Computer Science, pages 288–303. Springer, LNCS 1073, 1995. 5th International Workshop, Williamsburg, USA, November 1994, Selected Papers.

[Kre81] H.-J. Kreowski. A comparison between Petri-nets and graph grammars. In Lecture Notes in Computer Science 100, pages 1–19. Springer, 1981.

[Mon92] A. Monnier. Rapport préliminaire de la Commission d'enquête administrative sur l'accident du Mont Saint-Odile du 20 janvier 1992. Technical report, Ministère de l'Equipement, du Logement, des Transports et de l'Espace, Paris, France, 1992.

[Mul98] J. Müller. Terminating and cyclic graph rewriting. In Proc. 6th Int. Workshop on Theory and Application of Graph Transformation (TAGT'98), pages 316–323, Paderborn, Germany, November 1998.

[Rei85] W. Reisig. Petri Nets, volume 4 of EATCS Monographs on Theoretical Computer Science. Springer, 1985.

[Suc97] B.E. Sucrow. Formal Specification of Human-Computer Interaction by Graph Grammars under Consideration of Information Resources. In Proceedings of the 1997 Automated Software Engineering Conference (ASE'97), pages 28–35. IEEE Computer Society, November 1-5 1997.

[WFH96] P. Wright, B. Fields, and M. Harrison. Distributed Information Resources: A New Approach to Interaction Modelling. In T. Green, J. Canas, and C. Warran, editors, EACE, pages 5–10, 1996.

[WFH99] P. Wright, B. Fields, and M. Harrison. Analysing Human-Computer Interaction as Distributed Cognition. Draft, revised August 1999.