A State Class Construction for Computing the Intersection of Time Petri Nets Languages
Yannick Pencol\'e (LAAS-DISCO), \'Eric Lubat (LAAS-VERTICS), Silvano, Dal Zilio (LAAS-VERTICS), Didier Le Botlan (LAAS-VERTICS), Audine Subias, (LAAS-DISCO)

TL;DR
This paper introduces a novel method for computing the intersection of languages in Time Petri nets using a new product construction and the State Class approach, implemented in the Twina tool.
Contribution
It presents a new product construction for TPN language intersection that is concise, expressive, and does not increase the model's expressive power.
Findings
The method effectively computes TPN language intersections.
The approach enables applications like diagnosability analysis and property checking.
Experimental results demonstrate the tool's practical utility.
Abstract
We propose a new method for computing the language intersection of two Time Petri nets (TPN); that is the sequence of labels in timed traces common to the execution of two TPN. Our approach is based on a new product construction between nets and relies on the State Class construction, a widely used method for checking the behaviour of TPN. We prove that this new construct does not add additional expressive power, and yet that it can leads to very concise representation of the result. We have implemented our approach in a new tool, called Twina. We report on some experimental results obtained with this tool and show how to apply our approach on two interesting problems: rst, to dene an equivalent of the twin-plant diagnosability methods for TPN; then as a way to check timed properties without interfering with a system.
| Twina (LSCG) | IPTPN (SSCG) | |||||
|---|---|---|---|---|---|---|
| Model | Exp. | States | Trans. | States | Trans. | Ratio |
| jdeds | plain | % | ||||
| jdeds | twin | % | ||||
| jdeds | obs | % | ||||
| train3 | plain | % | ||||
| train3 | twin | % | ||||
| train3 | obs | % | ||||
| train4 | plain | % | ||||
| train4 | twin | % | ||||
| train4 | obs | % | ||||
| plant | plain | % | ||||
| plant | twin | % | ||||
| plant | obs | % | ||||
| wodes | plain | % | ||||
| wodes | twin | % | ||||
| wodes | obs | % | ||||
| wodes232 | plain | % | ||||
| wodes232 | twin | % | ||||
| wodes232 | obs | % | ||||
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
11institutetext: LAAS-CNRS, Université de Toulouse, CNRS, INSA, Toulouse, France
11email: [email protected]
A State Class Construction for Computing the Intersection of
Time Petri Nets Languages
Éric Lubat 11
Silvano Dal Zilio 11
Didier Le Botlan 11
Yannick Pencolé 11
Audine Subias 11
Abstract
We propose a new method for computing the language intersection of two Time Petri nets (TPN); that is the sequence of labels in timed traces common to the execution of two TPN. Our approach is based on a new product construction between nets and relies on the State Class construction, a widely used method for checking the behaviour of TPN. We prove that this new construct does not add additional expressive power, and yet that it can leads to very concise representation of the result. We have implemented our approach in a new tool, called Twina. We report on some experimental results obtained with this tool and show how to apply our approach on two interesting problems: first, to define an equivalent of the twin-plant diagnosability methods for TPN; then as a way to check timed properties without interfering with a system.
Keywords:
Time Petri nets Model Checking State Classes Realtime Systems Modeling and Verification.
1 Introduction
Formal languages, and the problem of efficiently checking intersection between languages, play an important role in formal verification. For instance, automata-theoretic approaches to model-checking often boils down to a language emptiness problem; that is finding whether there is a trace, in a system, that is also “in the negation of a property” [25]. Similarly, in the study of Discrete Event Systems [28], basic control-theoretic properties are often expressed in terms of language properties and language composition. We consider examples of these two problems at the end of this paper.
In this context, there is a large body of research where systems are expressed using Petri nets (PN). Indeed, PN are well-suited for modelling notions such as concurrency or causality in a very compact way; and they can be used for verification by building a Labeled Transition System out of them. Just as important, PN come equipped with a structural construct for synchronous composition, that coincides with language intersection when the set of labels of the nets are equal. Unfortunately, the situation is not as simple when we consider extensions of Petri nets that deal with time.
In this paper, we propose a new method for computing the language intersection of two Time Petri nets (TPN) [26, 10]. This problem is quite complex and is hindered by two main problems. First, the state space associated with a TPN is typically infinite when we work with a dense time model; that is when time delays can be arbitrarily small. Therefore we need to work with an abstraction of their transition system. Second, there is no natural way to define the (structural) composition of two transitions that have non-trivial time constraints (meaning different from the interval ). These problems limit the possibility for compositional reasoning on TPN.
A solution to the first problem was proposed by Berthomieu and Menasche in [9], where they define a state space abstraction based on state classes. This approach is used in several model-checking tools, such as Romeo [22] and Tina [12] for instance. In the following, we propose a simple solution to overcome the second problem. Our approach is based on an extension of TPN with a dedicated product operator, called Product TPN, that can be viewed as an adaptation of Arnold-Nivat synchronization product [3] to the case of TPN. We show that it is possible to extend the state class construction to this new extension, which gives an efficient method for computing the intersection of two TPN when the nets are bounded.
Verification of Time Petri Nets. In the following, we consider TPN where transitions may have observable labels. In this context, an execution is the timed-event word obtained by recording the transitions that have been fired together with the delays between them. Our goal is to provide a method for symbolically computing the set of executions that are common to two labeled TPN. Without time, it is well-known that we can compute the language of a net from its marking graph. This gives a Labeled Transition System (LTS); an automaton that is finite as soon as the net is bounded. Likewise, we can compute the (language) intersection of two timed nets by computing the LTS of their synchronous composition, denoted thereafter. Actually, like in the untimed case, we are more interested by the synchronous product of two languages, rather than by their intersection.
The situation is quite different when we take time into account. Indeed, we may have fewer traces with a TPN than with the corresponding, “untimed” net (the one where timing constraints are deleted). This is because timing constraints may prevent a transition from firing, but never enable it. One solution to recover a finite abstraction of the state space is to use the State Class Graph (SCG) construction. Actually, SCG is an umbrella term for a family of different abstractions, each tailored to a different class of properties, or to a different extension of TPN. The first such construction, called Linear State Class Graph (LSCG) [9], is based on firing domains, that is the delays before a transition can fire. The LSCG preserves the set of reachable markings of a net as well as its language; which is exactly what is needed in our case. This is also the construction that we use in Sect. 3.
In the following we also mention the Strong SCG construction (SSCG) [11], based on clock domains, that is the duration for which a transition has been enabled. The SSCG preserves more information than the linear one. For example, we can infer from clocks when two transitions are enabled “at the same time”, meaning we can handle priorities. The added expressiveness of the strong construction comes at a cost; the SSCG (for a given net) has always more classes than the corresponding LSCG, sometimes by a very large amount. (We give some examples of this in Sect. 6.) This is why we prefer to use the LSCG when possible.
Related Works and Review of Existing Methods. A motivation for our work is that we cannot rely on a synchronous product of TPN. Indeed, a major limitation with TPN is that there are no sensible way to define the composition of “non-trivial” transitions, and therefore no sensible way to define the synchronous composition of “non-composable” TPN; we say that a transition is trivial when it is associated to the time interval and that a net is composable when all its observable transitions are trivial. (We illustrate the problem at the end of Sect. 2). Likewise we cannot rely on the product of their SCG either. Indeed, the product of two SCG provides an over-approximation of the expected result, since it cannot trace time dependencies between events from different nets.
The situation is not the same with other “timed models”. A notable example is Timed Automata [2], an extension of finite automata with variables, also called clocks, whose values progress synchronously as time elapses. Timed Automata (TA) can use boolean conditions on clocks to guard transitions and as local invariants on states. It is also possible to reset a clock when “firing” a transition. The classical product operation on finite automata can be trivially extended to TA: we only need to use the conjunction of guards, invariants and resets where needed. This provides a straightforward method for computing the (language) intersection of two TA, and also a trivial proof that the class of languages accepted by a TA are closed under intersection. Another related work is based on the definition of Timed Regular Expressions [4], that provides a timed analogue of Kleene Theorem for TA.
These results seem to promote Timed Automata as an algebraic model of choice for reasoning about timed words, and many works have studied the relation between TPN and TA. (On another note, we can remark that even a slight change in semantics may complicate the product construction; see for instance the case with signal-event languages [16].) For instance, Cassez and Roux [19] propose a structural encoding of TPN into TA that preserves the semantics in the sense of timed bisimulation, and therefore that preserves timed language acceptance. This encoding generates one automata and one clock for every transition in the TPN and can be extended in order to accommodate strict timing constraints; that is static time intervals that have a finite, open bound. Later, Bérard et al. [7, 15] showed that TPN and TA are indeed equivalent with respect to language acceptance, but that TA are strictly more expressive in terms of weak timed bisimulation (). These results are based on semantic encodings from TPN into TA and from TA into TPN that can be chained together to build an encoding from a TPN to an equivalent composable one. A similar result is also found in [27], which provides a structural encoding from a TPN, , into a composable TPN that is of size linear with respect to . But none of these encodings handle timing constraints that are bounded and right-open.
One of the main difference between TA and TPN is that, with TA, we can loose the ability to fire a transition just by waiting long enough (until some guards become false). The same behaviour can be observed with TPN when we add a notion of priorities. In particular, Berthomieu et al. [10, 11] prove that (bounded) TPN with priorities are very close to TA, in the sense of . They also define an extension of TPN [27] with inhibitor arcs between transitions (similar to priorities) and a dual notion of permission arcs. In this extension, called IPTPN, a net can always be transformed into a composable one. (We show an example of this construction in Sect. 5).
All these results can be used to define three different methods for computing the intersection of TPN. A first method is to use the structural translation from TPN to TA given in [19] and then to use the product construction on TA. This encoding is at the heart of the tool Romeo [22] and has been used to build a TCTL model-checker for TPN (which, incidentally, relies on the “product” of a net with observers for the formulas). Unfortunately, to the best of our knowledge, it is not possible to analyse the product of two nets with Romeo and therefore we have not been able to experiment with this method. Moreover, this approach is closer in spirit to the SSCG construction.
A second method is to use the (combination of) encodings defined in [15] to replace a TPN with an equivalent, composable one. Unfortunately, this construction relies on a semantic encoding that requires the computation of the entire symbolic state space of the net, and is only applicable on net that have closed timing constraints; meaning that we cannot use constraints of the form for example. While this method is not usable in practice, it could be used to prove expressiveness results. For example, it gives a proof that the set of TPN with closed timing constraints is closed under intersection; something we silently admitted until now.
A third method also relies on generating composable nets as a preprocessing step. In this case, the idea is to use the IPTPN of [27]. Like in the first method, the main drawback of this approach is that we need to use the strong SCG construction, which means that we could compute much more classes than with a method based on the LSCG. We describe the experimental results obtain with this method in Sect. 6.
Outline of the Paper and Contributions. In the next section we define the semantics of TPN and provide the technical background necessary for our work. Section 3 contains the semantics of Product TPN, while our two main results are given in Sect. 4 and 5, where we show that it is possible to extend the State Class Graph construction to the case of Product TPN and that this extension does not add additional expressiveness power. By construction, our method can be applied even when the TPN are not bounded and without any restrictions on the timing constraints.
We have implemented our approach in a new tool, called Twina [21] Before concluding, we report (Sect. 6) on some experimental results obtained with this tool. We also show some practical applications for our approach on two problems: first, to define an equivalent of the twin-plant diagnosability methods for TPN; then as a way to check timed properties without interfering with a system.
2 Time Petri Nets and other Technical Background
A Time Petri Net (TPN) is a net where each transition, , is decorated with a (static) time interval that constrains the time at which it can fire. A transition is enabled when there are enough tokens in its input places. Once enabled, transition can fire if it stays enabled for a duration that is in the interval . In this case, is said time enabled.
A TPN is a tuple in which: is a net (with and the set of places and transitions); are the precondition and postcondition functions; is the initial marking; and is the static interval function. We use for the set of all possible time intervals. To simplify our presentation, we only consider the case of closed intervals of the form or , but our results can be extended to the general case. TPN can be k-safe, which means the net has at most reachable markings. We say that a TPN is safe when it is 1-safe.
We consider that transitions can be tagged using a countable set of labels, . We also distinguish the special constant (not in ) for internal, silent transitions. In the following, we use a global labeling function that associates a unique label in to every transition111We may assume that there is a countable set of all possible transitions (identifiers) and that different nets have distinct transitions.. The alphabet of a net is the collection of labels (in ) associated to its transitions.
A Semantics for TPN Based on Firing Domains. A marking of a net is defined as a function from places to natural numbers. A transition in is enabled at if and only if (we use the pointwise comparison between functions) and denotes the set of transitions enabled at .
A state of a TPN is a pair in which is a marking, and is a mapping from transitions to time intervals, also called firing domains. Intuitively, if is enabled at , then contains the dates at which can possibly fire in the future. For instance, when is newly enabled, it is associated to its static time interval . Likewise, a transition can fire immediately only when [math] is in and it cannot remain enabled for more than its timespan, i.e. the maximal value in .
For a given delay in and in , we denote the time interval shifted (to the left) by :, e.g. . By extension, we use \varphi\mathbin{\text{\ooalign{\raise 4.30554pt\hbox{.}\cr-\cr}}}\theta for the partial function that associates the transition to the value . This operation is useful to model the effect of time passage on the enabled transitions of a net.
The following definitions are quite standard, see for instance [7, 10]. The semantics of a TPN is a (labeled) Kripke structure with only two possible kinds of actions: either s\mathbin{\smash[t]{\mathrel{\mathop{\mathord{\smash{-}}\mkern-6.0mu\cleaders\hbox{\mkern-2.0mu\mathord{\smash{-}}\mkern-2.0mu}\hfill\mkern-6.0mu\mathord{\rightarrow}}\limits^{\ a\ }}}}s^{\prime}, meaning that the transition is fired from with ; or s\mathbin{\smash[t]{\mathrel{\mathop{\mathord{\smash{-}}\mkern-6.0mu\cleaders\hbox{\mkern-2.0mu\mathord{\smash{-}}\mkern-2.0mu}\hfill\mkern-6.0mu\mathord{\rightarrow}}\limits^{\ \theta\ }}}}s^{\prime}, with , meaning that time elapses from . A transition can fire from the state if is enabled at and firable instantly. When we fire a transition from state , a transition (with ) is said to be persistent if is also enabled in the marking , that is if . The other transitions enabled after firing are called newly enabled.
Definition 1 (Semantics)
The semantics of a TPN , with the net , is the Timed Transition System (TTS) where is the smallest set containing and closed by \mathbin{\smash[t]{\mathrel{\mathop{\mathord{\smash{-}}\mkern-6.0mu\cleaders\hbox{\mkern-2.0mu\mathord{\smash{-}}\mkern-2.0mu}\hfill\mkern-6.0mu\mathord{\rightarrow}}\limits^{\ \ }}}}, where:
- •
is the initial state, with the initial marking and for every in ;
- •
the state transition relation is the relation such that for all state in :
- (i)
if is enabled at , and then (m,\varphi)\mathbin{\smash[t]{\mathrel{\mathop{\mathord{\smash{-}}\mkern-6.0mu\cleaders\hbox{\mkern-2.0mu\mathord{\smash{-}}\mkern-2.0mu}\hfill\mkern-6.0mu\mathord{\rightarrow}}\limits^{\ a\ }}}}(m^{\prime},\varphi^{\prime}) where and is a firing function such that for any persistent transition and elsewhere.
- (ii)
if
then (m,\varphi)\mathbin{\smash[t]{\mathrel{\mathop{\mathord{\smash{-}}\mkern-6.0mu\cleaders\hbox{\mkern-2.0mu\mathord{\smash{-}}\mkern-2.0mu}\hfill\mkern-6.0mu\mathord{\rightarrow}}\limits^{\ \theta\ }}}}(m,\varphi\mathbin{\text{\ooalign{\raise 4.30554pt\hbox{.}\cr-\cr}}}\theta).
Transitions in the case above are called discrete transitions; those labelled with delays (case ) are the continuous, or time elapsing, transitions. Like with nets, we say that the alphabet of a TTS is the set of labels, in , associated to discrete actions. Using labels, we can define the product of two TTS by extending the classical definition for the product of finite automata.
Definition 2 (Product of TTS)
Assume and are two TTS with respective alphabets and . The product of by is the TTS S_{1}\|S_{2}=\langle({{S}}_{1}\times{{S}}_{2}),(s^{0}_{1},s^{0}_{2}),\mathbin{\smash[t]{\mathrel{\mathop{\mathord{\smash{-}}\mkern-6.0mu\cleaders\hbox{\mkern-2.0mu\mathord{\smash{-}}\mkern-2.0mu}\hfill\mkern-6.0mu\mathord{\rightarrow}}\limits^{\ \ }}}}\rangle such that \mathbin{\smash[t]{\mathrel{\mathop{\mathord{\smash{-}}\mkern-6.0mu\cleaders\hbox{\mkern-2.0mu\mathord{\smash{-}}\mkern-2.0mu}\hfill\mkern-6.0mu\mathord{\rightarrow}}\limits^{\ \ }}}} is the smallest relation obeying the following rules: {mathpar} \inferrules_1 - →^ α _1 s’_1
α∈(Σ_1 ∖Σ_2) ∪{ ϵ} (s_1, s_2) - →^ α (s_1’, s_2)
\inferrule
s_2 - →^ α _2 s’_2
α∈(Σ_2 ∖Σ_1) ∪{ ϵ} (s_1, s_2) - →^ α (s_1, s’_2)
\inferrule
s_1 - →^ α _1 s’_1
s_2 - →^ α _2 s’_2
α≠ϵ (s_1, s_2) - →^ α (s’_1, s’_2)
Executions, Traces and Equivalences. An execution of a net is a sequence in its semantics, , that starts from the initial state. It is a time-event word over the alphabet containing both labels (in ) and delays. Continuous transitions can always be grouped together, meaning that when (m,\varphi)\mathbin{\smash[t]{\mathrel{\mathop{\mathord{\smash{-}}\mkern-6.0mu\cleaders\hbox{\mkern-2.0mu\mathord{\smash{-}}\mkern-2.0mu}\hfill\mkern-6.0mu\mathord{\rightarrow}}\limits^{\ \theta\ }}}}(m,\varphi^{\prime}) and (m,\varphi^{\prime})\mathbin{\smash[t]{\mathrel{\mathop{\mathord{\smash{-}}\mkern-6.0mu\cleaders\hbox{\mkern-2.0mu\mathord{\smash{-}}\mkern-2.0mu}\hfill\mkern-6.0mu\mathord{\rightarrow}}\limits^{\ \theta^{\prime}\ }}}}(m,\varphi^{\prime\prime}) then necessarily (m,\varphi)\mathbin{\smash[t]{\mathrel{\mathop{\mathord{\smash{-}}\mkern-6.0mu\cleaders\hbox{\mkern-2.0mu\mathord{\smash{-}}\mkern-2.0mu}\hfill\mkern-6.0mu\mathord{\rightarrow}}\limits^{\ \theta+\theta^{\prime}\ }}}}(m,\varphi^{\prime\prime}) (and the firing domain is uniquely defined from and ). Based on this observation, we can always consider executions of the form where each discrete transition is preceded by a single time delay. By contrast, a trace is the untimed word obtained from an execution when we keep only the discrete actions. Then the language of a TPN is the set of all its (finite) traces.
By definition, the language of a TPN is prefix-closed; and it is regular when the net is bounded [9]. It is also the case [27] that the “intersection” of two nets and —the traces obtained from (pairs of) executions common to the two nets—are exactly the traces in the TTS product . Our goal, in the next section, is to define a product operation, , that is a congruence, meaning that should be equivalent to .
Language equivalence would be too coarse in this context. In this paper, we will instead prefer (a weak version of) timed bisimulation, which rely on a weak version of the transition relation s\mathbin{\smash[t]{\mathrel{\mathop{\mathord{\smash{=}}\mkern-6.0mu\cleaders\hbox{\mkern-2.0mu\mathord{\smash{=}}\mkern-2.0mu}\hfill\mkern-6.0mu\mathord{\Rightarrow}}\limits^{\ \alpha\ }}}}s^{\prime} (with an action in and a delay in ) defined from the following set of rules: {mathpar} \inferrule s = ⇒^ ϵ s
\inferrule
s = ⇒^ ϵ s’
s’ - →^ α s”
s” = ⇒^ ϵ s”’ s = ⇒^ α s”’
\inferrule
s = ⇒^ θ s’
s’ = ⇒^ θ’ s” s = ⇒^ θ+ θ’ s”
Definition 3 (Behavioural Equivalence)
Assume and are two TTS. A binary relation over is a weak timed bisimulation if and only if and for all actions and pair of states we have: (1) if s_{1}\mathbin{\smash[t]{\mathrel{\mathop{\mathord{\smash{=}}\mkern-6.0mu\cleaders\hbox{\mkern-2.0mu\mathord{\smash{=}}\mkern-2.0mu}\hfill\mkern-6.0mu\mathord{\Rightarrow}}\limits^{\ \alpha\ }}}}s^{\prime}_{1} then there exists such that s_{2}\mathbin{\smash[t]{\mathrel{\mathop{\mathord{\smash{=}}\mkern-6.0mu\cleaders\hbox{\mkern-2.0mu\mathord{\smash{=}}\mkern-2.0mu}\hfill\mkern-6.0mu\mathord{\Rightarrow}}\limits^{\ \alpha\ }}}}s^{\prime}_{2} and ; and conversely (2) if s_{2}\mathbin{\smash[t]{\mathrel{\mathop{\mathord{\smash{=}}\mkern-6.0mu\cleaders\hbox{\mkern-2.0mu\mathord{\smash{=}}\mkern-2.0mu}\hfill\mkern-6.0mu\mathord{\Rightarrow}}\limits^{\ \alpha\ }}}}s^{\prime}_{2} then there exists such that s_{1}\mathbin{\smash[t]{\mathrel{\mathop{\mathord{\smash{=}}\mkern-6.0mu\cleaders\hbox{\mkern-2.0mu\mathord{\smash{=}}\mkern-2.0mu}\hfill\mkern-6.0mu\mathord{\Rightarrow}}\limits^{\ \alpha\ }}}}s^{\prime}_{1} and . In this case we say that and are timed bisimilar, denoted , and we use for the union of all timed bisimulations .
Timed bisimulation is preserved by product [27], meaning that for all TTS and we have implies . In the following we say that two nets are bisimilar, denoted , when .
Example. We give two examples of TPN with alphabet in Fig. 1. Executions for the net (left) include time-event words of the form (and their prefix) provided that . Executions for the net (middle) include time-event words of the form and (and their prefix) provided that . If we consider executions that are in the product of both nets, we find all executions of the form , with the constraint . We also have one execution of the form provided that and . This corresponds to the case where event fires exactly at date [math]; any other case eventually leading to a time deadlock (a situation where time cannot progress). In the same figure (right), we display the “untimed” synchronous product . It is clear that there are no possible choice of time constraint for transition that could lead to a net bisimilar to . This is a simple example of the “non-composability” of Time Petri nets.
3 Product TPN and their Semantics
We propose an extension of TPN with a synchronous product operation between TPN, , in the style of Arnold-Nivat synchronization of processes [3]. Our goal is to obtain a congruent composition operator, in the sense that . A product TPN, or PTPN, is a TPN augmented with two projections, and , such that the following properties hold:
- •
there are two sets and that partition the set of places .
- •
there are two sets and that partition the set of transitions .
- •
all the pre- and post-conditions of a transition in are places in : if and or then .
Basically, this means that a PTPN is the superposition of two distinct, non-interconnected components, that we call and for short.
Definition 4 (Product of TPN)
The product of two disjoint TPN and (such that ) is the PTPN obtained from the juxtaposition, preserving labels, of and with the two trivial projections and for all .
With our notations, a PTPN is equivalent to the composition . In the following, we use the notation to denote the restriction of a marking to the places in and similarly with and the transitions in . By convenience, denotes the state and we use for the alphabet of net .
To ease the presentation, we limit the composition to only two components (instead of a sequence) and we do not define the equivalent of “synchronization vectors”. As a result, we do not define the product over PTPN. This could be added, at the cost of more burdensome notations, but it is not needed in our applications (Sect. 6). This is also why we have the same limitations in our implementation [21].
Labels are not necessarily partitioned, so the same label can be shared between the two components of a product. We denote the set of labels occurring on “both sides” of a PTPN. We should also need the notation for the set of labels that can occur in concurrently with (and similarly for ). The semantics for PTPN relies largely on the semantics of TPN but makes a particular use of labels.
Definition 5
The semantics of a PTPN , with projections and , is the TTS {[\![}{N}{]\!]}_{\times}=\langle{{S}},s_{0},\mathbin{\smash[t]{\mathrel{\mathop{\mathord{\smash{\raisebox{0.86108pt}{\scriptscriptstyle\mid}}\!\!\,-}\mkern-6.0mu\cleaders\hbox{\mkern-2.0mu\mathord{\smash{-}}\mkern-2.0mu}\hfill\mkern-6.0mu\mathord{\rightarrow}}\limits^{\raisebox{-1.20552pt}[0.0pt][-1.20552pt]{\scriptstyle\ \ }}}}}\rangle such that is the same initial state than in the TPN semantics , and \mathbin{\smash[t]{\mathrel{\mathop{\mathord{\smash{\raisebox{0.86108pt}{\scriptscriptstyle\mid}}\!\!\,-}\mkern-6.0mu\cleaders\hbox{\mkern-2.0mu\mathord{\smash{-}}\mkern-2.0mu}\hfill\mkern-6.0mu\mathord{\rightarrow}}\limits^{\raisebox{-1.20552pt}[0.0pt][-1.20552pt]{\scriptstyle\ \ }}}}} is the transition relation with actions in such that: {mathpar} \mprsetvskip=0.5ex \inferrule*[]α∈
s - →^ α s’ ∈[[ N ]] s - →^\scriptstyle\ \alpha\ s’
\inferrule
*[]t ∈T (t)=α∉Σ_1,2
s - →^ α s’ ∈[[ N ]] s - →^\scriptstyle\ \alpha\ s’
\inferrule
*[]a = (t_1) = (t_2) t_i ∈
_iT
_i s - →^ a
_i s’ ∈[[
_iN ]] i ∈1..2 s - →^\scriptstyle\ a\ s’
The only new case is for pairs of transitions, and , from different components but with the same label: . This is the equivalent of a synchronization. Indeed the premisses entail that both and can fire immediately, and the effect is to fire both of them simultaneously. As a side effect, our choice of semantics entails that a transition on a “shared label” (in ) is blocked until we find a matching transition, with the same label, on the opposite component. This may introduce a new kind of time deadlock that has no direct equivalent in a TPN: when a transition has to fire urgently (hence time cannot progress) while there are no matching transition that is time-enabled.
It is the case that the reachable states, in , are a subset of the states in . This is because we may forbid a synchronization on a shared label, but never create new opportunities to fire a transition. We also have a more precise result concerning the semantics of a PTPN and the product of its components.
Theorem 3.1
The TTS is isomorph to the product .
Proof
By induction on the shortest path from the initial state, , to a reachable state in and then a case analysis on the possible transitions from .∎
4 Construction of the State Class Graph for PTPN
We give a brief overview of the LSCG construction for a PTPN . In the following, we use the notation and for the left and right endpoints of interval . For the sake of simplicity, we only consider inequalities that are non-strict (our definitions can be extended to the more general case) and assume that when is infinite.
A state class is a pair , where is a marking and is a domain; a (finite) system of linear inequalities on the firing dates of transitions enabled at . We will use variable in to represent the possible firing time of transition . In the Linear SCG construction [8, 9], we build an inductive set of classes , where is a sequence of discrete transitions firable from the initial state. Intuitively, the class collects all the states reachable from the initial state by firing schedules of support sequence . For example, the initial class is where is the domain defined by the static time constraints in , that is: for all in .
The efficiency of the SCG construction relies on several factors: (1) First, we can restrict to domains that are difference systems, that is a sequence of constraints of the form and , where each variable in corresponds to an enabled transition (and ). (2) Next, we can always put domains in closure form, meaning that each bounds and are the tightest preserving the solution set of . Hence we can encode using a simple vector of values. This data structure, called Difference Bound Matrix (DBM), is unique to all the domains that have equal solution set. Hence testing class equivalence is decidable and efficient. (3) Finally, if is defined and is enabled at , we can incrementally compute the coefficients of the DBM , the domain obtained after firing from , from the coefficients of .
We only consider the new case where we simultaneously fire a pair of transitions from a class . We assume that the resulting marking is . First, we need to check that both transitions can eventually fire. This is the case only if the condition is true for all and enabled at (with ). In this case, the resulting domain can be obtained by following a short number of steps, namely:
add the constraints and to , for all (since must fire at the same date and before any other enabled transition); 2. 2.
introduce new variables for all transitions enabled in , that will become the variables in , and add the constraint if is persistent or if is newly enabled; 3. 3.
eliminate all the variables from relative to transitions in conflict with and put the resulting system in normal form.
Except for step 1 above, with the constraint that , this is exactly the procedure described in [8] for plain TPN. When both transitions can fire, it is possible to completely eliminate all occurrences of the “unprimed” variables in and the result is a DBM. Which is exactly what is needed in our case.
We can draw two useful observations from this result. First, we can follow the same procedure with any number of equality constraints, and still wind up with a DBM. Therefore it would be possible to fire more than two transitions simultaneously. Second, we have an indirect proof that forcing the synchronization of transitions is strictly less constraining than using priorities (because it is not possible to use the LSCG construction with priorities), something that was not obvious initially.
5 Expressiveness Results
It is not obvious that PTPN add any expressive power compared to TPN. On the one hand, the semantics of a PTPN is quite close to the semantics of its components. In particular, when there are no shared labels (). Moreover, in a PTPN like in a TPN, it is not possible to lose the ability of firing a transition just by waiting long enough; a behaviour that distinguishes TPN from TA, or from TPN with priorities for instance. On the other hand, PTPN introduces new kind of time deadlocks which are affected by time delays (see our example at the end of Sect. 2). Next, we prove that the two models are equally expressive (up-to ) when all timing constraints are either infinite or closed on the right (in which case we say the net is right-closed).
Theorem 5.1
Given a safe, right-closed PTPN , we can build a safe, composable TPN , whose size is linear with respect to , such that .
For the sake of brevity, we only sketch the proof. We rely on two auxiliary properties and on an encoding from TPN into composable net; meaning an equivalent net where all timing constraints have been “moved” to silent transitions. We find such result in [27, Def. 9], which provides a construction to build a composable net from every safe and right-closed TPN . Our restrictions on in Th. 5.1 come from this construction, as is our result on the size of .
Our first auxiliary property, (L1), compare the product of composable TPN with their synchronous product, namely: if and are composable TPN then . Property (L1) derives directly from the construction of the product of composable TPN. Indeed, with composable nets, the fusion of transitions sharing a common label are unaffected by continuous transitions. Hence they have the same behaviour in than in . (And this is the only place where the semantics of the two nets may diverge.)
Next, we use an equivalent of the congruence property for PTPN, (L2): given two pairs of TPN and such and we have that . Property (L2) can be proved by defining a “candidate relation”, , which contains the pair of initial states of and ; then proving that is a weak timed bisimulation. A suitable choice for is to take the smallest relation such that whenever and . Then the proof follows by simple case analysis.
Finally, we use construction (above) to build composable TPN from the nets and and to define . By property of we have for all . Hence by (L2) and (L1) we have . The property follows by transitivity of .
Our proof gives a constructive method to build a net with (at most) four extra transitions and places, compared to , for each non-trivial labeled transition. We can use the SCG of to compute the language of (and to compute the intersection of two nets when we choose ). Unfortunately this approach does not scale well. For example, the composition of the two nets given in Fig. 1 has 16 classes with this method instead of only with our approach (and the intermediary TPN has 11 places and 7 transitions). Likewise, for the simple example in Fig. 2 we have a net with 25 places, 211 transitions and classes instead of simply classes with PTPN.
Another limitation of this approach are the restrictions imposed on the timing constraints of . Indeed, to the best of our knowledge, there are no equivalent of construction in the case of “right-open” transitions.
Composable Time Petri nets using IPTPN. Berthomieu et al. [27] define an extension of TPN with “inhibition and permission” that provides another method for building composable nets. With this extension, it is always possible to build a composable IPTPN from a TPN. For example, Fig. 5 displays the IPTPN corresponding to the “product” of the two nets in Fig. 1. In this construction, we create a silent, extra-transition for every non-trivial observable transition . These transitions cannot fire (they self-inhibit themselves with an arc) but “record the timing constraints” of the transition they are associated with. Then a permission arc ( ) is used to transfer these constraints on the (product of) labeled transitions.
Tina provides a SCG construction for IPTPN but, like with the addition of priorities, it is necessary to use the strong construction in this case. We use the encoding into IPTPN we just sketched above in our experiments.
6 Experimental Results and Possible Applications
We have implemented the state class construction for PTPN in a tool called Twina [21] that can generate the LSCG of both “plain” and product TPN. The tool and models mentioned here are available online at https://projects.laas.fr/twina/, with instructions on how to reproduce our results.
Performances Compared with IPTPN We compare the results obtained with PTPN and an encoding into IPTPN, which appears to be the best alternative among the three methods mentioned in Sect. 1. By default, Twina uses option -W, that computes the Linear SCG of a net. We also provide option -I to compute the LSCG for the product of two nets using the construction defined in Sect. 4. We use the same syntax for nets in Twina than in Tina [12]. In particular, our method can be used with nets that are not 1-safe and without any restriction on the timing constraints (so we accept right-open transitions). We also allow read- and inhibitor-arcs with the same semantics than in Tina. We compare the size of the LSCG with the results obtained using IPTPN and Tina in Table 1. The results are reported with the sizes of the SCG in number of classes and edges; we also give the ratio of classes saved between the LSCG and the SSCG. So a ratio means twice as much states in the strong SCG.
We use different models for our benchmarks: jdeds is an example taken from [23] extended with time; train is a modified version of the train controller example in [13] with an additional transition that corresponds to a fault in the gate; plant is the model of a complex automated manufacturing system from [32]; wodes is the WODES diagnosis benchmark of Giua (see e.g. [18]) with added timed constraints. For each model, we give the result of three experiments: plain where we compute the SCG of the net, alone; twin where we compute the intersection between the TPN and a copy of itself with some transitions removed; and obs where we compute the intersection of the net with a copy of the TPN in Fig. 5. We explain the relevance of the last two constructions just afterwards.
We see that, in some of our examples, there is a large difference between the size of the LSCG and the size of the SSCG for the same example. This was one of our main reason for developing a specific tool. This is important since, on the extreme case, we can have a quadratic blow-up in the number of classes when analysing a twin product. (This is almost the case in example jdeds.) We also observe that, on model plant-twin, the size of the intersection may be much smaller than the size of one of the component alone; classes compared to million. This is to be expected, since the intersection may have only one class. Nonetheless this emphasizes the need to have methods that can build the intersection on the fly, without computing a symbolic representation for each component first.
Diagnosability and the Twin Plant Method. One possible application of Twina—and our initial motivation for this work—is to check fault diagnosability [29] in systems modelled as TPN [5, 17]. In this context, a system is described as a TPN with a distinguished unobservable event that models a fault. (Any transition labelled with is faulty.) Fault is diagnosable if it is always possible to detect when a faulty transition has fired, in a finite amount of time, just by looking at the observable flow of events [31]. Under the assumptions that the system does not generate Zeno executions, and that any possible execution is not infinitely unobservable, one way to check diagnosability is to look for infinite critical pairs [20]. A critical pair consists of a couple of infinite executions of the TPN, one faulty the other one not, that have equal timed observations. Then fault is diagnosable if no such pair exists. By using Twina, we aim at checking diagnosability by adapting the twin-plant method [24] to TPN. The idea is to make two copies of the same system, one with the fault, , and the other without it, , and to relabel all unobservable events to avoid collisions. Then checking for the existence of an infinite critical pair amounts to finding an infinite execution with in the product .
We give an example of this construct in Fig. 2 where and are both observable. In system , fault is not diagnosable if we do not consider time, as we always observe after an in both faulty and non-faulty executions. Now considering the observation of time, is diagnosable as the date of is always discriminant. In the intersection of and , every execution where transition fires leads to a time deadlock. Indeed, in this case, we must wait at least to fire transitions and at most to fire (and both have label ).
The twin-plant construction is quite useful and we provide an option to directly build a twin TPN in our tool (option -twin). This is the construction we use in our experiments for Table 1. In this case, we can generate a LTS for the twin plant and check that every fault eventually leads to a deadlock in the product, meaning that the system is diagnosable. For instance using a LTL model-checker and a property such as [23]. We also provide a dedicated algorithm (option -diag) to check this property on-the-fly. When the system is not diagnosable, it allows us to find a counter-example before exploring the whole behaviour of the twin-plant.
Observer-based verification. Another application of our product construction is model checking TPN, in much the same way some “observer-based” verification techniques rely on the product of a system with an observer [1, 30]. The idea is to express a property as the language of an observer, , then check the property on the system by looking at the behaviour of . A major advantage of this approach is that there is no risk to disrupt the system under observation, which is not always easy to prove with other methods.
We give an example of observer in Fig. 5. In this net, sequences of events and may occur in any order and at any date. On the other hand, the only way to fire is to “find” two successive occurrences of and with a delay (strictly) bigger than . Hence we can check if such behaviour is possible in a system, , by checking whether can fire in . This is the problem we consider in the obs experiments of Table 1. We only consider one small example here. Nonetheless, the same approach could be used to check more complex timed properties. This will be the subject of future works.
7 Conclusion
We propose an extension of TPN with a product operation in the style of Arnold-Nivat. The semantics of our extension is quite straightforward. What is more surprising is that it is possible to adapt the LSCG construction to this case—which means that we do not need the equivalent of clocks or priorities—and that this extension does not add any expressive power. This is a rather promising result, complexity-wise, since it means that we can hope to adapt the same optimization techniques than with “plain” TPN, such as specific symmetry reduction techniques for instance [14].
We have several opportunities for extending our work. Obviously we can easily extend our product to a sequence of nets and add a notion of “synchronization vectors”. This could lead to a more compositional framework for TPN, in the style of the BIP language [6]. Another promising application of our approach would be to extend classical results from the theory of supervisory control to the context of TPN. We already mentioned a possible application for diagnosability (which was the initial motivation for our work). A next step could be to study the “quotient” of two TPN language—the dual of the product—which can be used to reason about the controlability of a system and that is at the basis of many compositional verification methods, such as Assume-Guarantee for example.
Acknowledgments. The authors are grateful to Thomas Hujsa and Pierre-Emmanuel Hladik for their valuable comments. We also want to thank Bernard Berthomieu, without whom none of this would have been possible; our work is a tribute to the versatility and the enduring qualities of the state class construction that he pioneered more than 30 years ago.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] Abid, N., Dal Zilio, S., Le Botlan, D.: A formal framework to specify and verify real-time properties on critical systems. International Journal of Critical Computer-Based Systems (IJCCBS) 5 (1/2) (2014). https://doi.org/10.1504/IJCCBS.2014.059593 · doi ↗
- 2[2] Alur, R., Dill, D.L.: A theory of timed automata. Theoretical Computer Science 126 (2) (1994). https://doi.org/10.1016/0304-3975(94)90010-8 · doi ↗
- 3[3] Arnold, A.: Nivat’s processes and their synchronization. Theor. Comput. Sci. 281 (1-2) (2002). https://doi.org/10.1016/S 0304-3975(02)00006-3 · doi ↗
- 4[4] Asarin, E., Caspi, P., Maler, O.: Timed regular expressions. Journal of the ACM 49 (2) (2002). https://doi.org/10.1145/506147.506151 · doi ↗
- 5[5] Basile, F., Cabasino, M.P., Seatzu, C.: Diagnosability analysis of labeled time Petri net systems. IEEE Transactions on Automatic Control 62 (3) (2017). https://doi.org/10.1109/TAC.2016.2588736 · doi ↗
- 6[6] Basu, A., Bozga, M., Sifakis, J.: Modeling Heterogeneous Real-Time Components in BIP. In: Software Engineering and Formal Methods (SEFM). IEEE (2006). https://doi.org/10.1109/SEFM.2006.27 · doi ↗
- 7[7] Bérard, B., Cassez, F., Haddad, S., Lime, D., Roux, O.H.: Comparison of the expressiveness of timed automata and time Petri nets. In: Formal Modeling and Analysis of Timed Systems (FORMATS). LNCS, vol. 3829. Springer (2005)
- 8[8] Berthomieu, B., Diaz, M.: Modeling and verification of time dependent systems using time Petri nets. IEEE Trans. on Software Engineering 17 (3) (1991). https://doi.org/10.1109/32.75415 · doi ↗
