Design, Analysis and Verification of Real-Time Systems Based on Time Petri Net Refinement

ZHIJUN DING and CHANGJUN JIANG, Key Laboratory of Embedded System and Service Computing, Ministry of Education, Tongji University, China
MENGCHU ZHOU, New Jersey Institute of Technology
A type of refinement operation of time Petri nets is presented for the design, analysis and verification of complex real-time systems. First, behavior preservation under time constraints in a refinement operation is studied, and a sufficient condition for behavior preservation is obtained. Then, property preservation is considered, and the results show that if the refinement operation of time Petri nets satisfies behavior preservation, it also preserves properties such as boundedness and liveness. Finally, based on behavior preservation, a reachability decidability algorithm for a refined time Petri net is designed using the reachability trees of its original net and subnet. The results are illustrated by an example of designing, analyzing and verifying a real-time manufacturing system.

Categories and Subject Descriptors: D.2.2 [Software Engineering]: Design Tools and Techniques (Petri nets, top-down programming); D.4.1 [Operating Systems]: Process Management (Concurrency, multitasking); D.4.7 [Operating Systems]: Organization and Design (Real-time systems and embedded systems)
General Terms: Design, Verification, Theory
Additional Key Words and Phrases: Real-time, refinement, reachability, automated manufacturing system
ACM Reference Format:
Ding, Z., Jiang, C., and Zhou, M. 2013. Design, analysis and verification of real-time systems based on time Petri net refinement. ACM Trans. Embed. Comput. Syst. 12, 1, Article 4 (January 2013), 18 pages.
DOI: http://dx.doi.org/10.1145/2406336.2406340
1. INTRODUCTION
Along with the development of their theory and applications, Petri nets have gradually been applied to real-time systems, an important research branch of computer applications that is widely used in embedded systems, computer communication, process control, factory automation, and robotics. All tasks in a real-time system are time-constrained. Its correctness depends not only on logical correctness but also on the time constraints of the system outputs. Therefore, it is necessary to build a Petri net model involving time factors for analyzing a real-time system [Murata 1989].

When timing is introduced into Petri nets, several extended models have been proposed, including timed Petri nets [Hu and Li 2009a; Zuberek 1991], time Petri nets
This research was partially supported by the National Basic Research Program of China (973 Program) (2010CB328100), the National High-Tech Research and Development Plan of China under Grant No. (62009AA01Z141), the National Natural Science Funds (60803032, 90818023), the Program for New Century Excellent Talents in University, and the Shanghai Rising-Star Program.
Authors' addresses: Z. Ding, Department of Computer Science & Technology, Tongji University, Shanghai 201804; email: zhijun ding@hotmail.com; C. Jiang, Department of Computer Science & Technology, Tongji University, Shanghai 201804; M. Zhou, Department of Electrical and Computer Engineering, New Jersey Institute of Technology, Newark, NJ.
ACM Transactions on Embedded Computing Systems, Vol. 12, No. 1, Article 4, Publication date: January 2013.
[Berthomieu et al. 2007; Merlin and Farber 1976], and stochastic timed Petri nets [Molloy 1982]. Among these models, time Petri nets (TPN), proposed by Merlin and Farber [1976], are the most widely used formal models for real-time system design, simulation, and verification. However, modeling and analyzing a complex real-time system via a TPN remains a great challenge, since, first, building a TPN model is itself hard, and second, the model often faces the state explosion problem. To address these problems, Wang et al. [2000b] define compositional time Petri net models for a command and control system, and propose a set of component-level reduction rules for TPN that reduce a complex model while preserving behavioral properties with time constraints. Using basic routing structures, Tang and Liu [2006] transform a TPN workflow model into a hierarchical TPN workflow model to implement model abstraction and simplification. Liu et al. [2002] introduce linear-time reasoning rules for TPN workflow models based on the basic routing structures of workflows, which can be used to stepwise simplify a complex workflow model. These studies mainly focus on the equivalent reduction or transformation of a complex Petri net with time constraints to decrease the analysis complexity, but complex real-time system modeling and property analysis remain unaddressed. Since the refinement operation of Petri nets supports hierarchical modeling and decreases analysis complexity, it has been used as an effective method for designing, analyzing and verifying complex systems [Suzuki and Murata 1983; Valette 1979; Zhou et al. 1993]. Gurovic et al. [2000] introduce a refinement technique into TPN, define a type of refinement operation of TPN, and apply it to the hierarchical modeling and analysis of traffic control systems. Felder et al. [1998] mainly study the temporal semantic preservation of refinement operations. They establish TRIO formulas for the temporal semantic representation of TPN, and define a set of refinement rules that satisfy temporal semantic preservation. Huang et al. [2004] provide a method for the refinement of a transition or place in Petri nets; both behavioral and structural property preservation are studied. Furthermore, Ding et al. [2008] generalize the refinement model of Huang et al. [2004] to obtain a more general net refinement model and present three types of refined Petri nets according to the different composition of subsystems. Then, the language and property relationships among a subnet, an original net and a refined net are studied to demonstrate the behavioral characteristics and property preservation of a system synthesis process. But their work does not consider time constraints in the model. This article extends the model of Huang et al. [2004] to TPN, defines the refinement operations of TPN, and studies their behavior and property preservation. Furthermore, we provide an algorithm to decide whether a state can be reached in a refined TPN, given the reachability trees of its original net and subnet.

Compared with the work in Wang et al. [2000a, 2000b] and Liu et al. [2002], this article not only addresses the behavior preservation of refinement operations with time constraints, but also studies their property preservation, which provides an effective way of analyzing and verifying complex systems. Gurovic et al. [2000] consider the property preservation of refinement operations based on the refinement model of Suzuki and Murata [1983], while our work is based on the refinement model of Huang et al. [2004]. Different models lead to different applications and verification methods. Due to the introduction of a time factor, it is more difficult to analyze the reachability of a TPN than that of a Petri net without time constraints. In this article, a reachability decidability method for TPN based on refinement operations is presented for the first time, which can effectively alleviate the state explosion problem when analyzing a complex system.

The rest of the article is arranged as follows: Section 2 introduces the basic concepts and related terms of TPN, and defines a refinement operation of TPN based on a standard subnet model. Section 3 defines the behavior preservation of the refinement operation, introduces a sufficient condition for a refinement operation to preserve
behavior, and discusses property preservation. Section 4 presents a reachability decidability algorithm for a refined TPN using the reachability trees of its original net and subnet. Section 5 illustrates the method by designing and analyzing a real-time manufacturing system. Section 6 makes concluding remarks.
2. PRELIMINARIES
We assume that readers have some knowledge of the terminology of Petri nets. Readers unfamiliar with Petri nets are referred to [Girault and Valk 2003; Hruz and Zhou 2007; Li and Zhou 2009; Murata 1989; Zhou and Venkatesh 1998] for the basic definitions and terms.

2.1. Time Petri Nets (TPN)
In a TPN, two time values, $SEFT(t)$ and $SLFT(t)$, are defined for each transition $t \in T$, where $SEFT(t)$ is the minimum time the transition must wait after it is enabled and before it fires, i.e., its static earliest firing time, and $SLFT(t)$ is the maximum time the transition can wait before firing if it is still enabled, i.e., its static latest firing time. Formally, a TPN is defined as follows:
Definition 1. Let $Z = (P, T, F, W, M_0, SI)$ be a TPN, where $PN = (P, T, F, W, M_0)$ is a Petri net, $P$ is a finite set of places, $T$ is a finite set of transitions, $F \subseteq (P \times T) \cup (T \times P)$ is the flow relation, $W : F \to \{1, 2, 3, \ldots\}$ is a weight function, and $SI : T \to Q^+ \times (Q^+ \cup \{\infty\})$ is a time interval function defined on the transition set, that is, for $t \in T$, $SI(t) = [SEFT(t), SLFT(t)]$, in which $Q^+$ is the set of nonnegative rational numbers (the intervals used below, such as $[0, 2]$ and $[0, 0]$, have zero lower bounds).
The state of a TPN is represented as a pair $S = (M, I)$, where $M$ is a marking and $I$ is the set of firing intervals of the transitions enabled at state $S$, which depends on the arrival time of state $S$. Because every state in a TPN is closely tied to its arrival time, a marking reached from the initial marking by the same firing sequence may have different arrival times. That is, the state space may be infinite. To solve this problem, Berthomieu and Diaz [1991] present the state class method, in which a state class of a TPN is defined as $C = (M, D)$, where $M$ is a marking (all states in a class have the same marking) and $D$ is the set of firing time intervals of all transitions enabled at the state class $C$; $D$ is not related to the arrival time of a specific state, but to the relative firing time intervals of the state class $C$. It has been proven that for a bounded TPN the number of reachable state classes is finite. Therefore, the state class method effectively solves the problem of an infinite number of states. However, a state class is only associated with relative time intervals, and the time span between reachable states cannot be obtained, which is inconvenient for the timeliness analysis or verification of modeled systems. Consequently, based on the state class, Wang et al. [2000a] define a clock-stamped state class that introduces a global time to represent the global arrival time interval of the state class. In addition, the following interval arithmetic will be used later. Let $I_1 = [a_1, b_1]$ and $I_2 = [a_2, b_2]$ with $0 \le a_i \le b_i \le +\infty$, $i = 1, 2$. Then $I_1 + I_2$ is defined as the interval $[a_1 + a_2, b_1 + b_2]$ and $I_1 - I_2$ as $[a_1 - a_2, b_1 - b_2]$ [Wang et al. 2000a].
Definition 2. A clock-stamped state class (CS-class) of a TPN is defined as a 3-tuple $C = (M, D, ST)$, where $M$ is a marking; $D$ is a firing domain, i.e., a set of constraints on the values of the time to fire for the transitions enabled by the current marking $M$; in detail, for $t_i$ with $M[t_i\rangle$, its firing interval is $D(t_i) = [EFT(t_i), LFT(t_i)]$, where $EFT(t_i)$ is the earliest firing time of $t_i$ and $LFT(t_i)$ is the latest firing time of $t_i$; $ST$ is a global clock stamp providing the arrival time interval of the state class.
Fig. 1. TPN model $Z_1$.
In the following definition, the firing rules of TPN and a method for computing CS-classes are given.

Definition 3. A transition $t_j \in T$ is said to be firable at a CS-class $C_k = (M_k, D_k, ST_k)$ if the following transition firing rules are met:

(1) $t_j$ is enabled at $M_k$, i.e., $M_k[t_j\rangle$. The set of transitions enabled at $M_k$ is denoted $E(C_k)$;
(2) $EFT_k(t_j) \le \min\{LFT_k(t_i) \mid t_i \in E(C_k)\}$;
(3) Let $NE(C_k)$ be the set of transitions that become newly enabled at $M_k$. If $t_j \in NE(C_k)$, then $SEFT(t_j) \le \min\{SLFT(t) \mid t \in NE(C_k)\}$ holds.

If $t_j$ is firable at CS-class $C_k$, then its firing results in a new CS-class $C_{k+1} = (M_{k+1}, D_{k+1}, ST_{k+1})$, where:

$\forall p \in P$: $M_{k+1}(p) = M_k(p) - W(p, t_j) + W(t_j, p)$;

$\forall t_f \in E(C_{k+1})$: $D_{k+1}(t_f) = SI(t_f) + ST_{k+1}$ if $t_f \in NE(C_{k+1})$, and $D_{k+1}(t_f) = [\max\{EFT_k(t_j), EFT_k(t_f)\}, LFT_k(t_f)]$ if $t_f \notin NE(C_{k+1})$;

$ST_{k+1} = [EFT_k(t_j), \min\{LFT_k(t_i) \mid t_i \in E(C_k)\}]$.

Given a TPN model $Z$, its initial CS-class is $C_0 = (M_0, D_0, ST_0)$, where $M_0$ is the initial marking, $D_0$ contains the firing time intervals of all transitions enabled at $C_0$, and $ST_0 = [0, 0]$. According to the transition firing rules, firing $t_0$ at $C_0$ leads to a new CS-class $C_1$. Similarly, firing $t_1$ leads to CS-class $C_2$. Continuing in this way, firing $t_i$ at $C_i$ leads to $C_{i+1}$, and finally we obtain a firing sequence $\sigma = t_0 t_1 \cdots t_i$ of $Z$.

With the above firing rules and computing method, we can generate the reachability tree $RT(Z, C_0)$ of $Z$ with root node $C_0$. Every node of the tree corresponds to a reachable state class. If firing $t$ at CS-class $C_i$ results in $C_j$, then $C_i$ and $C_j$ are connected by a directed arc labeled with $t$.
It is noted that the third condition of Definition 3 does not exist in Wang et al. [2000a]. Consider the TPN model $Z_1$ shown in Figure 1. In $Z_1$, transitions $t_2$ and $t_3$ are enabled simultaneously. However, $t_2$ is always firable whereas $t_3$ never is, because the static earliest firing time of $t_3$ exceeds the static latest firing time of $t_2$: whenever both become enabled, $t_2$ must fire before $t_3$ may. According to Wang et al. [2000a], $t_3$ is nevertheless firable at the CS-class $C = (M, D, ST)$ with $M = p_2$, $D = \{D(t_2) = [1, 6], D(t_3) = [4, 10]\}$ and $ST = [1, 4]$, since this class satisfies the firing rules defined there (condition (2) holds because $EFT(t_3) = 4 \le \min\{LFT(t_2), LFT(t_3)\} = 6$; the global intervals hide the fact that $t_2$'s deadline always precedes $t_3$'s earliest firing time). Clearly, we have to add the third condition to Definition 3 to avoid this problem.

Wang et al. [2000a] analyzed the soundness and completeness of the global time interval $ST$, and proved that a CS-class can be uniquely mapped to a traditional state class as presented in Berthomieu and Diaz [1991]. The addition of the third condition only rules out wrong transition firings and does not change the definition of a CS-class. We therefore still obtain essentially the same results as those in Wang et al. [2000a], and omit them here.
In this work, we introduce some notation to be used later. $C(Z, \sigma)$ denotes the CS-class generated by firing the sequence $\sigma$ from the initial CS-class $C_0$ of a TPN $Z$, and $\tau(Z, \sigma)$ the global time at which $C(Z, \sigma)$ arrives. $R(Z, \sigma)$ is the marking set composed of all markings reached during the execution of sequence $\sigma$. $R(Z)$ is the set of all reachable markings of $Z$. $L(Z)$ is the set of all firing sequences of $Z$.

$Z$ is live iff $\forall t \in T$, $\forall M \in R(Z)$, there exists $M'$ reachable from $M$ such that $M'[t\rangle$. A place $p \in P$ is said to be bounded, or $K$-bounded, iff $M(p) \le K$ for all $M \in R(Z)$, where $K$ is a positive integer. $Z$ is said to be bounded iff every place in it is bounded. A place is said to be safe iff it is 1-bounded, and $Z$ is said to be safe iff every place is 1-bounded. It is noted that the liveness and boundedness of a TPN are not equivalent to those of its untimed counterpart [Berthomieu and Diaz 1991].

Let $X \subseteq P \cup T$ be a node subset of $Z$. $Z|X$ denotes the time Petri net consisting only of the elements in $X$ and the arcs among them, which is a subgraph of $Z$. $Z - X$ is defined as $Z|\bar{X}$, where $\bar{X} = P \cup T - X$. All the above notation applies to markings and firing sequences as well: $L(Z)|X$ indicates that in every firing sequence of $Z$ only the elements from $X$ are preserved, and similarly $L(Z) - X = L(Z)|(T - X)$.
2.2. Refinement Operation of TPN
Huang et al. [2004] define a type of refinement operation of Petri nets. Here we extend it to TPN.

Definition 4. A TPN $Z = (P, T, F, W, M_0, SI)$ is a time Petri net module (module) iff the following conditions hold:

(1) $Z$ has two special places $i$ and $o$, where $i$ is an initial (import) place, i.e., ${}^\bullet i = \emptyset$, and $o$ is a terminal (export) place, i.e., $o^\bullet = \emptyset$;
(2) $M_0(i) = 1$, $M_0(o) = 0$, and $\forall t \notin i^\bullet$, $\neg M_0[t\rangle$ holds;
(3) $\exists \sigma \in L(Z)$, where $C(Z, \sigma) = C_f = (M_f, D_f, ST_f)$, satisfying $M_f(o) = 1$, $M_f(i) = 0$, $M_f(p) = M_0(p)$ for $p \in P - \{i, o\}$, and $\forall t \in T$, $\neg M_f[t\rangle$. $M_f$ is called a terminal marking. Moreover, $\forall \sigma' \in L(Z)$ with $\sigma' \ne \sigma$, where $C(Z, \sigma') = C' = (M', D', ST')$, if $M'(o) \ge 1$ then $M' = M_f$;
(4) There are no dead transitions in $Z$, i.e., $\forall t \in T$, there exists a CS-class $C_i$ reachable from the initial CS-class $C_0$ of $Z$ such that $t$ fires at $C_i$.

Condition (1) states that a module $Z$ is a time Petri net with a special structure, i.e., it has one initial place $i$ and one terminal place $o$. If a new transition $t$ is added to $Z$ and connected with $o$ and $i$, namely ${}^\bullet t = \{o\}$ and $t^\bullet = \{i\}$, then an extended net $\bar{Z}$ is generated. Condition (2) constrains the initial marking of a module, requiring one token in the initial place and no token in the terminal place, and also requiring that the module execution must begin with the firing of a post-set transition of the initial place, and that no other transition is enabled at $M_0$. Condition (3) indicates that the module can be executed and terminated, and that its terminal marking is reached when the terminal place holds a token. In other words, the execution of a module stops as soon as a token enters the terminal place. Condition (4) states that every transition can fire in $Z$.

Fig. 2. Refinement operation of TPN.
By replacing a transition of a TPN with a module, we obtain a new time Petri net. This process corresponds exactly to a refinement operation, whose formal definition is given below.

Definition 5. Let TPN $Z = (P, T, F, W, M_0, SI)$, where for $t_r \in T$, $r_i^\bullet = \{t_r\} = {}^\bullet r_o$, $|{}^\bullet t_r| = |t_r^\bullet| = 1$, and place $r_i$ is safe. Let $B = (P_B, T_B; F_B, W_B, M_{B0}, SI_B)$ be a module. The refinement operation of net $Z$ and module $B$, $Z[B/t_r]Z'$, is implemented by replacing $t_r$ in $Z$ with $B$, generating a new TPN $Z' = (P', T'; F', M'_0, SI')$, where:

(1) $P' = P \cup P_B \cup \{p_i, p_o\} - \{r_i, r_o, i, o\}$;
(2) $T' = T \cup T_B - \{t_r\}$;
(3) $F' = F \cup F_B \cup \{(p_i, x) \mid x \in i^\bullet\} \cup \{(x, p_o) \mid x \in {}^\bullet o\} \cup \{(x, p_i) \mid x \in {}^\bullet r_i\} \cup \{(p_o, x) \mid x \in r_o^\bullet\} - \{(r_i, t_r), (t_r, r_o)\} - \{(x, r_i) \mid x \in {}^\bullet r_i\} - \{(r_o, x) \mid x \in r_o^\bullet\} - \{(i, x) \mid x \in i^\bullet\} - \{(x, o) \mid x \in {}^\bullet o\}$;
(4) $M'_0(p) = M_0(r_i)$ if $p = p_i$; $M'_0(p) = M_0(r_o)$ if $p = p_o$; $M'_0(p) = M_0(p)$ if $p \in P - \{r_i, r_o\}$; $M'_0(p) = M_{B0}(p)$ if $p \in P_B - \{i, o\}$;
(5) $SI' = SI \cup SI_B - \{SI(t_r)\}$.

Net $Z'$ is called a refined TPN, $t_r$ a refinement transition, and $Z$ an original net system. Figure 2 shows the refinement process of TPN.
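As an added example (not the paper's own code), the following Python carries out Definition 5 on a small dictionary-based net representation. The class and function names, the helper unit_net, and the sample nets are assumptions of this example; the intervals of the sample original net are chosen to agree with the classes listed in Table I, and the module mirrors the shape of the modules in Example 1.

```python
# Added example (not code from Ding, Jiang and Zhou): Definition 5 carried out
# on a dictionary-based net representation. Net, refine, unit_net and all
# place/transition names in the sample are assumptions of this illustration.
from dataclasses import dataclass


@dataclass
class Net:
    places: set
    trans: set
    arcs: set       # flow relation F as a set of (x, y) pairs
    weight: dict    # W: arc -> weight
    m0: dict        # initial marking; places absent from the dict hold 0 tokens
    si: dict        # SI: transition -> (SEFT, SLFT)

    def pre(self, x):
        return {a for (a, b) in self.arcs if b == x}

    def post(self, x):
        return {b for (a, b) in self.arcs if a == x}


def refine(Z, B, tr, i="i", o="o", pi="p_i", po="p_o"):
    """Z[B/tr]Z': replace transition tr of Z by module B (Definition 5)."""
    (ri,) = Z.pre(tr)                        # |•t_r| = 1
    (ro,) = Z.post(tr)                       # |t_r•| = 1
    assert Z.post(ri) == {tr} == Z.pre(ro), "r_i• = {t_r} = •r_o is required"
    assert not B.pre(i) and not B.post(o), "i must be an import and o an export place"
    assert Z.m0.get(ri, 0) <= 1, "r_i must be safe (checked on M_0 only here)"

    def ren(x, old_i, old_o):                # r_i and i become p_i; r_o and o become p_o
        return pi if x == old_i else po if x == old_o else x

    F, W = set(), {}
    # (3): arcs of Z except (r_i,t_r),(t_r,r_o), with r_i/r_o rerouted to p_i/p_o.
    # Since r_i• = {t_r} = •r_o, this is exactly the arc set added and removed in (3).
    for (a, b) in Z.arcs - {(ri, tr), (tr, ro)}:
        arc = (ren(a, ri, ro), ren(b, ri, ro))
        F.add(arc)
        W[arc] = Z.weight[(a, b)]
    for (a, b) in B.arcs:                    # arcs of B with i/o rerouted to p_i/p_o
        arc = (ren(a, i, o), ren(b, i, o))
        F.add(arc)
        W[arc] = B.weight[(a, b)]

    P = (Z.places | B.places | {pi, po}) - {ri, ro, i, o}             # (1)
    T = (Z.trans | B.trans) - {tr}                                     # (2)
    M0 = {p: Z.m0.get(p, 0) for p in Z.places - {ri, ro}}              # (4)
    M0.update({p: B.m0.get(p, 0) for p in B.places - {i, o}})
    M0[pi], M0[po] = Z.m0.get(ri, 0), Z.m0.get(ro, 0)
    SI = {t: Z.si[t] for t in Z.trans if t != tr}                      # (5)
    SI.update(B.si)
    return Net(P, T, F, W, M0, SI)


def unit_net(arcs, m0, si):
    """Build a Net from unit-weight arcs; nodes that are not transitions are places."""
    places = {x for arc in arcs for x in arc if x not in si}
    return Net(places, set(si), set(arcs), {a: 1 for a in arcs}, dict(m0), dict(si))


# Constructed original net shaped like Z_2: p1 -t1-> p2 -t_r-> p3 -t2-> p6 and p4 -t3-> p5,
# with static intervals chosen to agree with Table I (e.g. D_21(t_r) = [4,9] at ST = [3,3]).
Z = unit_net([("p1", "t1"), ("t1", "p2"), ("p2", "t_r"), ("t_r", "p3"),
              ("p3", "t2"), ("t2", "p6"), ("p4", "t3"), ("t3", "p5")],
             m0={"p1": 1, "p4": 1},
             si={"t1": (3, 3), "t_r": (1, 6), "t2": (1, 1), "t3": (3, 4)})
# Constructed module i -t11-> p12 -t12-> o whose terminal sequence arrives in [0,1]+[1,5] = [1,6].
B = unit_net([("i", "t11"), ("t11", "p12"), ("p12", "t12"), ("t12", "o")],
             m0={"i": 1}, si={"t11": (0, 1), "t12": (1, 5)})

Zp = refine(Z, B, "t_r")   # the refined net Z' of Definition 5
```

After refinement the token path p1, t1, p_i, t11, p12, t12, p_o, t2, p6 replaces p1, t1, p2, t_r, p3, t2, p6; t_r and its interval are gone and the module's intervals are inherited unchanged, as items (2) and (5) of the definition require.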
3. BEHAVIOR AND PROPERTY PRESERVATION OF THE TPN REFINEMENT OPERATION
This section discusses the behavior and property preservation of TPN under the refinement operation. First a sufficient condition for behavior preservation is given, and then property preservation is discussed.
3.1. Behavior Preservation

Definition 6. Let TPN $Z = (P, T; F, M_0, SI)$ be an original net system and $Z' = (P', T'; F', M'_0, SI')$ the refined TPN obtained by replacing transition $t_r$ in $Z$ with module $B$. Let $U = T - \{t_r\}$. If $L(Z')|U = L(Z)|U$, then the refinement operation $Z[B/t_r]Z'$ satisfies behavior preservation.

Table I. The description of the state classes of $Z_2$
1: $C_{20} = (M_{20}, D_{20}, ST_{20})$: $M_{20} = p_1$, $D_{20} = \{D_{20}(t_1) = [3, 3]\}$, $ST_{20} = [0, 0]$
2: $C_{21} = (M_{21}, D_{21}, ST_{21})$: $M_{21} = p_2 + p_4$, $D_{21} = \{D_{21}(t_r) = [4, 9], D_{21}(t_3) = [6, 7]\}$, $ST_{21} = [3, 3]$
3: $C_{22} = (M_{22}, D_{22}, ST_{22})$: $M_{22} = p_3 + p_4$, $D_{22} = \{D_{22}(t_2) = [5, 8], D_{22}(t_3) = [6, 7]\}$, $ST_{22} = [4, 7]$
4: $C_{23} = (M_{23}, D_{23}, ST_{23})$: $M_{23} = p_2 + p_5$, $D_{23} = \emptyset$, $ST_{23} = [6, 7]$
5: $C_{24} = (M_{24}, D_{24}, ST_{24})$: $M_{24} = p_6$, $D_{24} = \emptyset$, $ST_{24} = [5, 7]$
6: $C_{25} = (M_{25}, D_{25}, ST_{25})$: $M_{25} = p_3 + p_5$, $D_{25} = \emptyset$, $ST_{25} = [6, 7]$
THEOREM 1. For any transition firing sequence $\sigma_B \in L(B)$ such that $M_B = M_f$, where $C(B, \sigma_B) = C_B = (M_B, D_B, ST_B)$, if $ST_B = SI(t_r)$, then the refinement operation satisfies behavior preservation.

PROOF. See Appendix A.
Theorem 1 states that if, for every firing sequence that leads to a terminal marking in module $B$, the global execution time interval equals the firing time interval of the refined transition $t_r$ in the original net $Z$, then the refined TPN $Z'$ generated by replacing $t_r$ with $B$ keeps the same behavioral characteristics as the original net. This characteristic is very important for real-time system synthesis, modeling, and analysis, because a system synthesis process should first ensure behavioral consistency with time constraints, and only then is property preservation required [Ding et al. 2008; Jiang et al. 2002]. We discuss property preservation in the next section.
Example 1. $Z_2$ is the original net system shown in Figure 3(a), $t_r$ is its refinement transition, and modules $B_1$ and $B_2$ are given in Figure 3(b) and Figure 3(c), respectively. For $B_1$ and $B_2$, the global time intervals of their terminal sequences are easily computed and equal $[0, 2]$ and $[1, 6]$, respectively. Let $Z_2^{B_1}$ ($Z_2^{B_2}$) be the refined TPN obtained by replacing $t_r$ in $Z_2$ with $B_1$ ($B_2$). Since $SI(t_r) = [1, 6]$ (from $D_{21}(t_r) = SI(t_r) + ST_{21} = [4, 9]$ with $ST_{21} = [3, 3]$ in Table I), the refinement operation $Z_2[B_1/t_r]Z_2^{B_1}$ ($Z_2[B_2/t_r]Z_2^{B_2}$) cannot (can) satisfy the condition of Theorem 1.

The state class reachability trees of $Z_2$, $Z_2^{B_1}$ and $Z_2^{B_2}$ are shown in Figure 4(a)-(c), and their state classes are listed in Tables I-III. Clearly, $\sigma_{21} = t_1 t_3$ is a firing sequence of $Z_2$, i.e., $\sigma_{21} \in L(Z_2)$. However, no firing sequence $\sigma$ of $Z_2^{B_1}$ satisfies $\sigma|(T_2 - \{t_r\}) = \sigma_{21}$, because $t_3$ is never firable in $Z_2^{B_1}$ (in Table II, $t_2$ must fire within $[4, 5]$, before $t_3$ can fire at time 6). Moreover, it is easily shown that $L(Z_2^{B_2})|(T_2 - \{t_r\}) = L(Z_2)|(T_2 - \{t_r\})$.
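As an added example (not code from the paper), the following Python implements the CS-class firing rules of Definition 3 and uses them for two checks: it rebuilds the situation of $Z_1$ discussed in Section 2, where rule (3) is what stops $t_3$ from being declared firable, and it tests the condition of Theorem 1 on two constructed modules shaped like $B_1$ and $B_2$ of Example 1. The net structures, the convention for "newly enabled" transitions, and all names (TPN, fire, theorem1_condition and so on) are assumptions of this example; the intervals of the $Z_1$-like net are chosen so that the class reached after $t_1$ matches the one quoted in Section 2 ($D(t_2) = [1, 6]$, $D(t_3) = [4, 10]$, $ST = [1, 4]$).

```python
# Added example (not code from Ding, Jiang and Zhou): the CS-class firing rules of
# Definition 3 plus a check of Theorem 1's condition ST_B = SI(t_r).
# Net shapes, intervals and the "newly enabled" convention are assumptions.


class TPN:
    """pre/post: {transition: {place: weight}}; si: {transition: (SEFT, SLFT)}."""

    def __init__(self, pre, post, si, m0):
        self.pre, self.post, self.si, self.m0 = pre, post, si, dict(m0)

    def enabled(self, m):
        return [t for t in self.si if all(m.get(p, 0) >= w for p, w in self.pre[t].items())]

    def initial_class(self):
        """C_0 = (M_0, D_0, ST_0) with ST_0 = [0,0], so D_0(t) = SI(t) for every enabled t."""
        m, en = dict(self.m0), self.enabled(self.m0)
        return (m, {t: self.si[t] for t in en}, (0, 0), frozenset(en))


def firable(net, cls, tj, rule3=True):
    """Rules (1)-(3) of Definition 3; rule3=False gives the rules of Wang et al."""
    m, d, st, ne = cls                      # ne = NE(C_k): transitions newly enabled at M_k
    en = net.enabled(m)
    if tj not in en:                                                      # rule (1)
        return False
    if d[tj][0] > min(d[t][1] for t in en):                               # rule (2)
        return False
    if rule3 and tj in ne and net.si[tj][0] > min(net.si[t][1] for t in ne):  # rule (3)
        return False
    return True


def fire(net, cls, tj, rule3=True):
    """Successor CS-class C_{k+1} = (M_{k+1}, D_{k+1}, ST_{k+1}) of Definition 3."""
    assert firable(net, cls, tj, rule3)
    m, d, st, ne = cls
    en = net.enabled(m)
    st2 = (d[tj][0], min(d[t][1] for t in en))                            # ST_{k+1}
    m2 = dict(m)
    for p, w in net.pre[tj].items():
        m2[p] -= w
    for p, w in net.post[tj].items():
        m2[p] = m2.get(p, 0) + w
    en2 = net.enabled(m2)
    # Assumption: t is newly enabled at M_{k+1} if it was not enabled at M_k or is t_j itself.
    ne2 = frozenset(t for t in en2 if t not in en or t == tj)
    d2 = {t: (net.si[t][0] + st2[0], net.si[t][1] + st2[1]) if t in ne2  # SI(t) + ST_{k+1}
          else (max(d[tj][0], d[t][0]), d[t][1]) for t in en2}
    return (m2, d2, st2, ne2)


def firable_at(net, cls, rule3=True):
    return sorted(t for t in net.si if firable(net, cls, t, rule3))


def reachability_tree(net, rule3=True, max_nodes=10_000):
    """Breadth-first CS-class tree RT(Z, C_0): list of (class, parent_index, transition)."""
    nodes, k = [(net.initial_class(), None, None)], 0
    while k < len(nodes) and len(nodes) < max_nodes:
        for t in firable_at(net, nodes[k][0], rule3):
            nodes.append((fire(net, nodes[k][0], t, rule3), k, t))
        k += 1
    return nodes


# Net shaped like Z_1: t1 moves the token from p1 to p2, then t2 and t3 compete for p2.
Z1 = TPN(pre={"t1": {"p1": 1}, "t2": {"p2": 1}, "t3": {"p2": 1}},
         post={"t1": {"p2": 1}, "t2": {"p3": 1}, "t3": {"p4": 1}},
         si={"t1": (1, 4), "t2": (0, 2), "t3": (3, 6)}, m0={"p1": 1})
C1 = fire(Z1, Z1.initial_class(), "t1")   # M = p2, D(t2) = [1,6], D(t3) = [4,10], ST = [1,4]


def terminal_arrival_intervals(module, o="o"):
    """ST of every terminal CS-class of a module (o marked, nothing enabled)."""
    return {st for (m, d, st, _), _, _ in reachability_tree(module)
            if m.get(o, 0) == 1 and not d}


def theorem1_condition(module, si_tr):
    """Theorem 1: every terminal sequence of the module must arrive exactly in SI(t_r)."""
    ivs = terminal_arrival_intervals(module)
    return bool(ivs) and all(iv == tuple(si_tr) for iv in ivs)


def two_step_module(si_t11, si_t12):
    """Constructed module i -t11-> p12 -t12-> o."""
    return TPN(pre={"t11": {"i": 1}, "t12": {"p12": 1}},
               post={"t11": {"p12": 1}, "t12": {"o": 1}},
               si={"t11": si_t11, "t12": si_t12}, m0={"i": 1})


B_short = two_step_module((0, 1), (0, 1))  # terminates in [0,2]: fails for SI(t_r) = [1,6]
B_ok = two_step_module((0, 1), (1, 5))     # terminates in [1,6]: satisfies Theorem 1

if __name__ == "__main__":
    print("firable at C1 under the rules of Wang et al.:", firable_at(Z1, C1, rule3=False))
    print("firable at C1 with rule (3):", firable_at(Z1, C1))
    print("Theorem 1 for B_short / B_ok:", theorem1_condition(B_short, (1, 6)),
          theorem1_condition(B_ok, (1, 6)))
```

Without rule (3) the class after $t_1$ reports both $t_2$ and $t_3$ as firable, which is the anomaly discussed for $Z_1$; with it only $t_2$ is, and the tree has three nodes instead of four. The Theorem 1 check simply collects the $ST$ of every terminal class of the module and compares each with $SI(t_r)$, so a module with several terminal sequences of different length is rejected as well.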
3.2. Property Preservation
For a refinement operation that meets the above criterion of behavior preservation, the following theorems hold.

THEOREM 2. If $Z'$ is $K'$-bounded, so is $Z$.

PROOF. For $\sigma \in L(Z)$, by behavior preservation there exists $\sigma'|U \in L(Z')|U$, that is, $\exists \sigma' \in L(Z')$ such that $\sigma'|U = \sigma|U$ holds. Obviously, for $p \in P - \{r_i, r_o\}$, $M(p) = M'(p) \le K'$ holds, where $C(Z, \sigma) = (M, D, ST)$ and $C(Z', \sigma') = (M', D', ST')$. Furthermore, according to Definition 5, $M(r_i) \le 1$ and $M(r_o) \le 1$. Therefore, $\forall p \in P$, $M(p) \le K'$ holds, that is, $Z$ is $K'$-bounded.
Fig. 3. TPN model.
Fig. 4. State class reachability trees of TPNs $Z_2$, $Z_2^{B_1}$ and $Z_2^{B_2}$.
THEOREM 3. If $Z$ and $B$ are bounded, so is $Z'$.

PROOF. Let the original net $Z$ and module $B$ be $K$-bounded and $K_B$-bounded, respectively; then the extended net $\bar{B}$ of module $B$ is also $K_B$-bounded. $\forall \sigma' \in L(Z')$, by behavior preservation we know $\sigma'|U \in L(Z)|U$, namely $\exists \sigma \in L(Z)$ such that $\sigma'|U = \sigma|U$ holds. Suppose $C(Z', \sigma') = (M', D', ST')$ and $C(Z, \sigma) = (M, D, ST)$. Then $\forall p \in P - \{r_i, r_o\}$, $M'(p) = M(p) \le K$ holds. Following Theorem 1, there exists $\sigma_B \in L(\bar{B})$, where $C(\bar{B}, \sigma_B) = (M_B, D_B, ST_B)$, such that $M'(p) = M_B(p)$ for $p \in P_B - \{i, o\}$. It is obvious that $M'(p_i) \le M_B(i) \le K_B$ and $M'(p_o) \le M_B(o) \le K_B$. Therefore, $\forall p \in P'$, $M'(p) \le \max\{K, K_B\}$ holds, and thus $Z'$ is bounded.

Fig. 5. TPN models of a real-time manufacturing process.
Fig. 6. Refined TPN model $Z'$ of a real-time manufacturing process.
THEOREM 4. If $Z'$ is live, so is $Z$.

PROOF. Let $\sigma \in L(Z)$. By behavior preservation, $\sigma|U \in L(Z')|U$ holds, i.e., $\exists \sigma' \in L(Z')$ such that $\sigma'|U = \sigma|U$. Since $Z'$ is live, $\forall t \in T$ there is a sequence $\sigma'_1$ composed of elements of $T'$ such that $\sigma'\sigma'_1 t \in L(Z')$ holds. Moreover, from behavior preservation we know that $(\sigma'\sigma'_1 t)|U \in L(Z)|U$ holds. According to the proof of Theorem 1, there exists a sequence $\sigma_1$ composed of elements of $T$ satisfying $\sigma_1|U = \sigma'_1|U$ and $\sigma\sigma_1 t \in L(Z)$. Therefore, $Z$ is live.
Table II. The description of the state classes of $Z_2^{B_1}$
1: $C^{B_1}_{20} = (M^{B_1}_{20}, D^{B_1}_{20}, ST^{B_1}_{20})$: $M^{B_1}_{20} = p_1$, $D^{B_1}_{20} = \{D^{B_1}_{20}(t_1) = [3, 3]\}$, $ST^{B_1}_{20} = [0, 0]$
2: $C^{B_1}_{21} = (M^{B_1}_{21}, D^{B_1}_{21}, ST^{B_1}_{21})$: $M^{B_1}_{21} = p_{11} + p_4$, $D^{B_1}_{21} = \{D^{B_1}_{21}(t_{11}) = [3, 4], D^{B_1}_{21}(t_3) = [6, 7]\}$, $ST^{B_1}_{21} = [3, 3]$
3: $C^{B_1}_{22} = (M^{B_1}_{22}, D^{B_1}_{22}, ST^{B_1}_{22})$: $M^{B_1}_{22} = p_{12} + p_4$, $D^{B_1}_{22} = \{D^{B_1}_{22}(t_{12}) = [3, 4], D^{B_1}_{22}(t_3) = [6, 7]\}$, $ST^{B_1}_{22} = [3, 4]$
4: $C^{B_1}_{23} = (M^{B_1}_{23}, D^{B_1}_{23}, ST^{B_1}_{23})$: $M^{B_1}_{23} = p_{13} + p_4$, $D^{B_1}_{23} = \{D^{B_1}_{23}(t_2) = [4, 5], D^{B_1}_{23}(t_3) = [6, 7]\}$, $ST^{B_1}_{23} = [3, 4]$
5: $C^{B_1}_{24} = (M^{B_1}_{24}, D^{B_1}_{24}, ST^{B_1}_{24})$: $M^{B_1}_{24} = p_6$, $D^{B_1}_{24} = \emptyset$, $ST^{B_1}_{24} = [4, 5]$
Table III. The description of the state classes of $Z_2^{B_2}$
1: $C^{B_2}_{20} = (M^{B_2}_{20}, D^{B_2}_{20}, ST^{B_2}_{20})$: $M^{B_2}_{20} = p_1$, $D^{B_2}_{20} = \{D^{B_2}_{20}(t_1) = [3, 3]\}$, $ST^{B_2}_{20} = [0, 0]$
2: $C^{B_2}_{21} = (M^{B_2}_{21}, D^{B_2}_{21}, ST^{B_2}_{21})$: $M^{B_2}_{21} = p_{11} + p_4$, $D^{B_2}_{21} = \{D^{B_2}_{21}(t_{11}) = [3, 4], D^{B_2}_{21}(t_3) = [6, 7]\}$, $ST^{B_2}_{21} = [3, 3]$
3: $C^{B_2}_{22} = (M^{B_2}_{22}, D^{B_2}_{22}, ST^{B_2}_{22})$: $M^{B_2}_{22} = p_{12} + p_4$, $D^{B_2}_{22} = \{D^{B_2}_{22}(t_{12}) = [4, 9], D^{B_2}_{22}(t_3) = [6, 7]\}$, $ST^{B_2}_{22} = [3, 4]$
4: $C^{B_2}_{23} = (M^{B_2}_{23}, D^{B_2}_{23}, ST^{B_2}_{23})$: $M^{B_2}_{23} = p_{13} + p_4$, $D^{B_2}_{23} = \{D^{B_2}_{23}(t_2) = [5, 8], D^{B_2}_{23}(t_3) = [6, 7]\}$, $ST^{B_2}_{23} = [4, 7]$
5: $C^{B_2}_{24} = (M^{B_2}_{24}, D^{B_2}_{24}, ST^{B_2}_{24})$: $M^{B_2}_{24} = p_{12} + p_5$, $D^{B_2}_{24} = \emptyset$, $ST^{B_2}_{24} = [6, 7]$
6: $C^{B_2}_{25} = (M^{B_2}_{25}, D^{B_2}_{25}, ST^{B_2}_{25})$: $M^{B_2}_{25} = p_6$, $D^{B_2}_{25} = \emptyset$, $ST^{B_2}_{25} = [5, 7]$
7: $C^{B_2}_{26} = (M^{B_2}_{26}, D^{B_2}_{26}, ST^{B_2}_{26})$: $M^{B_2}_{26} = p_{13} + p_5$, $D^{B_2}_{26} = \emptyset$, $ST^{B_2}_{26} = [6, 7]$
THEOREM 5. If $Z$ and $B$ are live, so is $Z'$.

PROOF. Let $\sigma' \in L(Z')$ and $C(Z', \sigma') = (M', D', ST')$. According to behavior preservation, $\sigma'|U \in L(Z)|U$ holds, i.e., $\exists \sigma \in L(Z)$ such that $\sigma|U = \sigma'|U$. For $t \in T'$, two cases, $t \in T - \{t_r\}$ and $t \in T_B$, are considered.

Case 1. If $t \in T - \{t_r\}$: since $Z$ is live, there exists a sequence $\sigma_1$ composed of elements of $T$ such that $\sigma\sigma_1 t \in L(Z)$. If $\sigma_1$ does not include $t_r$, then $\sigma'\sigma_1 t \in L(Z')$ holds. Otherwise, suppose $\sigma_1 = \rho_1 t_r \rho_2 t_r \cdots t_r \rho_{n-1} t_r \rho_n$, where each $\rho_i$ is composed of elements of $T - \{t_r\}$. Following the proof of Theorem 1, the $i$th occurrence of $t_r$ can be simulated by a sequence $\sigma_{B_i}$, where $\sigma_{B_1} t_{B_0} \sigma_{B_2} t_{B_0} \cdots t_{B_0} \sigma_{B_n} \in L(\bar{B})$ and $t_{B_0}$ is the additional transition of $\bar{B}$. Thus we can construct a corresponding sequence $\sigma'_1$ composed of elements of $T'$ such that $\sigma'_1|U = \sigma_1|U$ and $\sigma'\sigma'_1 t \in L(Z')$. Therefore, $t$ is live in $Z'$.

Case 2. If $t \in T_B$: according to the proof of Theorem 1, there exists $\sigma_B \in L(\bar{B})$ with $C(\bar{B}, \sigma_B) = (M_B, D_B, ST_B)$ such that $\forall p \in P_B - \{i, o\}$, $M'(p) = M_B(p)$ holds. (1) If $M_B = M_{B0}$, i.e., $B$ is at its initial marking, then from the liveness of $Z$ there exists a sequence $\sigma'_1$ composed of elements of $T'$ such that $\sigma'\sigma'_1 \in L(Z')$ and $M'_1(p) = M_B(p)$ for $p \in P_B - \{i, o\}$, where $C(Z', \sigma'\sigma'_1) = (M'_1, D'_1, ST'_1)$; in particular, $M'_1(p_i) = 1$. Since $B$ is live, there exists a sequence $\sigma_{B_1}$ composed of transitions of $\bar{B}$ such that $\sigma_B\sigma_{B_1} t \in L(\bar{B})$. Suppose that there is no additional transition $t_{B_0}$ in $\sigma_{B_1}$; then we can
Algorithm 1: A reachability decidability algorithm for a refined TPN
Input: reachability trees RT(Z, C_0) and RT(B, C_{B0}), marking M'_d, time τ_d
Output: a Boolean variable Exist
Exist ← False; ZS ← ∅; BS ← ∅;
M_d ← M'_d|(P − {r_i, r_o}); M_{Bd} ← M'_d|(P_B − {i, o});
Traverse tree RT(Z, C_0), find all states C = (M, D, ST) with ST = [LB, RB] satisfying
    M|(P − {r_i, r_o}) = M_d and LB ≤ τ_d ≤ RB, and record them in the set ZS.
IF ZS ≠ ∅ THEN {
    Traverse tree RT(B, C_{B0}), find all states C_B = (M_B, D_B, ST_B) satisfying
        M_B|(P_B − {i, o}) = M_{Bd}, and record them in order in the set BS.
    IF BS ≠ ∅ THEN {
        FOR every element C = (M, D, ST) of the set ZS DO {
            Compute the sequence σ satisfying C(Z, σ) = C;
            IF no marking in σ enables t_r THEN {
                IF ∃C_B ∈ BS such that M_B = M_{B0} THEN Exist ← True }
            ELSEIF t_r cannot be enabled any more after a post-set element of r_o
                    fires for the last time during σ THEN {
                IF ∃C_B ∈ BS such that M_B = M_{B0} THEN Exist ← True }
            ELSE {
                Take the beginning state C_i = (M_i, D_i, ST_i) at which t_r was enabled
                    for the last time during σ, where ST_i = [LB_i, RB_i];
                IF ∃C_B ∈ BS with ST_B = [LB_B, RB_B] such that
                    LB_i + LB_B ≤ τ_d ≤ RB_i + RB_B THEN Exist ← True }}}}
directly get the result $\sigma'\sigma'_1\sigma_{B_1} t \in L(Z')$. If there is an additional transition $t_{B_0}$ in $\sigma_{B_1}$, then obviously each firing of $t_{B_0}$ transfers the token in place $o$ to place $i$. Since $Z$ is live, for every occurrence of $t_{B_0}$ in $\sigma_{B_1}$ there always exists a sequence $\sigma_i$ composed of elements of $T$ that transfers the token in $p_o$ to $p_i$. In this way, a new sequence $\sigma'_2$ is generated such that $\sigma'\sigma'_2 \in L(Z')$ and $t$ can fire at $C(Z', \sigma'\sigma'_2)$. (2) If $M_B \ne M_{B0}$, that is, $B$ is not at its initial marking, then by the liveness of $B$ there exists a sequence $\sigma_{B_1}$ such that $\sigma_B\sigma_{B_1} t \in L(\bar{B})$. In the same way as in (1), after considering the different cases of $\sigma_{B_1}$, we conclude that there exists $\sigma'_2$ such that $\sigma'\sigma'_2 t \in L(Z')$. Therefore, $t$ is live in $Z'$.

On the ground of behavior preservation, the refinement operation of TPN also preserves boundedness and liveness. These results are useful for analyzing and verifying large complex systems: by analyzing and verifying the relatively smaller models, we can derive the properties of a complex one, thereby alleviating the state space explosion problem and reducing the analysis complexity.
4. REACHABILITY OF REFINED TPN
Based on behavior preservation, the reachability problem of a refined TPN can be solved by the reachability trees of its original net and module, i.e., given marking $M'_d$ and time $\tau_d$, the problem is whether there exists a reachable state of $Z'$, $C' = (M', D', ST')$, such that $M' = M'_d$ and $LB' \le \tau_d \le RB'$. To solve this problem, we introduce two sets $ZS$ and $BS$ to store useful information respectively. In detail, $ZS$ is a set composed of some states $C = (M, D, ST)$ of $Z$ such that $M|_{P \setminus \{r_i, r_o\}} = M'|_{P \setminus \{r_i, r_o\}}$ and $LB \le \tau_d \le RB$, and $BS$ is a set composed of some states $C_B = (M_B, D_B, ST_B)$ of $B$ such that $M_B|_{P_B \setminus \{i, o\}} = M'_d|_{P_B \setminus \{i, o\}}$. The reachability decidability algorithm is given as follows:
This algorithm is based on the behavior preservation of a refinement operation, which ensures that there is a corresponding relationship between the original and refined nets, and also that the relationship meets the same time constraint. Consequently, for the decided marking, according to a given marking arrival time, find its matching states in the reachability tree of $Z$ and record them in the set $ZS$; in a similar way, find its matching states in the reachability tree of $B$ and record them in the set $BS$. Because there is a corresponding relationship between a firing sequence of the original net and that of the refined net, the firing sequence $\sigma$ of every state in $ZS$ is found and discussed in the following two cases.
(1) If $t_r$ cannot be enabled at any reachability state in $\sigma$, similar to Case 1 in Theorem 1's proof, it follows that for all $t \in T_B$, $t$ cannot fire in $Z'$. Therefore, if the initial marking of $B$ is in $BS$, then it can be ensured that marking $M'_d$ is reachable with the given time $\tau_d$ in $Z'$.
(2) If there exists a reachability state in sequence $\sigma$ that can enable $t_r$, then two different subcases are as follows.
(2.1) After the post-set elements of place $r_o$ fire for the last time, $t_r$ cannot be enabled any more at any possible reachability state, which is similar to the third case in Theorem 1's proof, and, hence, all the firing of $t_r$ has been finished. At this time, $B$ has been executed in $Z'$, has entered a terminal state, and is waiting for the next execution; that is, it corresponds to the first case.
(2.2) Otherwise, the case is similar to Cases 2 and 4 in Theorem 1's proof. Determine the beginning state at which $t_r$ was enabled for the last time during $\sigma$. According to its global arriving time interval, for its corresponding state in $BS$, calculate the global arriving time interval in $Z'$. If the given time condition is met, then the decided marking is reachable at the given time.
The correctness of the algorithm can be proved in a way similar to that proving Theorem 1.
Suppose that the numbers of CS-classes in the reachability trees of $Z$ and $B$ are $m$ and $n$ respectively, where $m, n > 1$. First, at most $m + n$ comparisons are needed to determine the elements of sets $ZS$ and $BS$ by traversing the reachability trees of $Z$ and $B$ respectively. Second, a firing sequence that leads to a CS-class $C$ is determined only by the path from the root node to node $C$. Clearly, at most $m^2$ iterations are needed to find all paths from the root node to the other nodes in the reachability tree of $Z$. Finally, for every element in $ZS$, we need to check all elements in $BS$ to determine whether there exists a solution. Thus there are at most $m \cdot n$ iterations for all the checking work. Therefore, the worst case computational complexity of this algorithm is $O(\max(m^2, mn))$.
5. A CASE STUDY
In this section, the above refinement operation method of TPN is applied to the design, modeling and analysis of a real-time manufacturing process. A component is assembled from two parts, A and B, which are required to be processed respectively. The assembly process is carried out after both are completed. Part A must visit machine 1, then machine 2, and both machines 1 and 2 need tool 1. Part B is processed by a processing subsystem. It is first processed on machine 3. Then it has alternative routes, that is, either on machine 5 and then on machine 6, or on machine 4. Machines 3, 4, and 5 need tool 2. Moreover, parts are transferred via a conveyor.
Fig. 7. State class reachability trees of TPNs.
According to the above system description, we design a TPN model $Z$ given in Figure 5(a) and a module $B$ for Part B's processing subsystem shown in Figure 5(b). The meanings of their places and transitions are described in Table IV. Every transition is associated with a time interval as shown in Figure 2, which stands for the execution time of its corresponding process as shown in Figure 5.
Module $B$ conforms to the definition of a TPN module, and it is easy to verify that place $r_i$ is safe in model $Z$. With the refinement operation of TPN presented, $t_r$ in $Z$ is replaced with module $B$, resulting in a final TPN $Z'$ as shown in Figure 6.
Two state class reachability trees of TPN $Z$ and $B$ are respectively shown in Figure 7(a) and Figure 7(b), and the specific description of the state classes is in Table V. The markings of state classes $C_{23}$ and $C_{26}$ stand for terminal markings of module $B$, and their corresponding global time intervals meet $ST_{23} = ST_{26} = SI(t_r)$. Thus the conditions in Theorem 1 are met. Therefore, we have the result that the refinement operation $Z \xrightarrow{B/t_r} Z'$ satisfies behavior preservation.
According to the reachability trees in Figure 7, we know that both $Z$ and $B$ are bounded. Hence, following Theorem 3, we know that $Z'$ is also bounded. Model $Z$ represents one process in the whole system; if places $p_6$ and $p_1$ are connected with a transition with firing time interval $[0, 0]$, an extended net of $Z$ is generated that represents continuous execution of the manufacturing process. It is easy to verify that this extended net is live, and also that the extended net of $B$ is live. Hence, following Theorem 5, the extended refined net is also live.
Furthermore, based on the behavior preservation, we can decide the reachability of the refined Petri net $Z'$. Suppose that the problem is whether there exists marking $M' = p_4 + p_8 + p_{14} + p_{16}$ at the time $\tau = 42$, that is, at time 42, has part A been transferred to machine 2 by the conveyor and, at the same time, has part B been finished by machine 5 and is it waiting for its transfer to machine 6?
Table IV. Meanings of Places and Transitions in Figure 5
Element: Meaning
p_1: start a process
p_2: part A on machine 1
p_3: finish processing on machine 1, and wait for transfer
p_4: part A on machine 2
p_5: finish processing on machine 2, and wait for assembly
p_6: finish a process
p_7: tool 1 available for machine 1
p_8: tool 1 available for machine 2
p_11: part B on machine 3 (Figure 3)
p_12: finish processing on machine 3, and wait for transfer
p_13: part B on machine 4 or machine 5
p_14: finish processing on machine 5, and wait for transfer
p_15: part B on machine 6
p_16: tool 2 available for machine 3
p_17: tool 2 available for machines 4 and 5
p_18: finish processing of part B, and wait for assembly (Figure 3)
r_i: part B entering the processing subsystem
r_o: finish processing subsystem, and wait for assembly
i: start processing of part B
o: finish processing of part B
t_1: transfer a part
t_2: process on machine 1
t_3: transfer part A by conveyor
t_4: process on machine 2
t_5: assemble part A and part B
t_11: process on machine 3
t_12: transfer part B by conveyor
t_13: process on machine 4
t_14: process on machine 5
t_15: transfer part B by conveyor
t_16: process on machine 6
t_r: process subsystem
To solve this problem, the above reachability decidability algorithm is applied. First, $M = M'|_{P \setminus \{r_i, r_o\}} = p_4 + p_8$, and $M_B = M'|_{P_B \setminus \{i, o\}} = p_{14} + p_{16}$. There are $C_9$, $C_{12}$, and $C_{13}$ in the reachability tree $RT(Z, C_0)$ satisfying $M_9|_{P \setminus \{r_i, r_o\}} = M$, $\tau \in ST_9$; $M_{12}|_{P \setminus \{r_i, r_o\}} = M$, $\tau \in ST_{12}$; and $M_{13}|_{P \setminus \{r_i, r_o\}} = M$, $\tau \in ST_{13}$. Then there is $C_{24}$ in the reachability tree $RT(B, C_{20})$ satisfying $M_{24}|_{P_B \setminus \{i, o\}} = M_B$.
For $C_9$, $\sigma = t_1 t_2 t_r t_3$ is a corresponding firing sequence such that $(E, \sigma) = C_9$. Then it is determined that $t_r$ begins to be enabled at $C_1$ with global time interval $ST_1 = [3, 5]$ before its firing in $\sigma$. Hence, the arriving time interval of $C_{24}$ in $Z'$ is $ST_1 + ST_{24} = [3, 5] + [30, 38] = [33, 43]$. It is obvious that $\tau = 42 \in ST_1 + ST_{24}$. Thus there exists a firing sequence in $Z'$ that can arrive at $M'$ at time $\tau$.
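The following Python script is an added example, not code from the paper: it runs the reachability decidability algorithm described in Section 4 (sets ZS and BS, then cases (1), (2.1) and (2.2)) over a constructed transcription of the state classes of Table V, and reproduces the computation above for $p_4 + p_8 + p_{14} + p_{16}$ at $\tau = 42$. The tree edges are my reading of Figure 7 from the markings and intervals in the table, and the place sets of Z and B are taken from Table IV.

```python
# Added example, not the paper's code: the reachability decidability
# algorithm of Section 4 run on a constructed transcription of Table V
# (state classes) and Figure 7 (tree edges, as read from the table).
Z_STATES = {  # id: (marked places, global time interval ST = (LB, RB))
    0: ({"p1", "p7"}, (0, 0)),          1: ({"p2", "p7", "ri"}, (3, 5)),
    2: ({"p2", "p7", "ro"}, (40, 45)),  3: ({"p3", "p8", "ro"}, (40, 45)),
    4: ({"p4", "p8", "ro"}, (43, 48)),  5: ({"p5", "p7", "ro"}, (55, 68)),
    6: ({"p6", "p7"}, (67, 83)),        7: ({"p3", "p8", "ri"}, (33, 45)),
    8: ({"p3", "p8", "ro"}, (40, 45)),  9: ({"p4", "p8", "ro"}, (40, 48)),
    10: ({"p5", "p7", "ro"}, (52, 68)), 11: ({"p6", "p7"}, (64, 83)),
    12: ({"p4", "p8", "ri"}, (36, 48)), 13: ({"p4", "p8", "ro"}, (40, 51)),
    14: ({"p5", "p7", "ro"}, (48, 68)), 15: ({"p6", "p7"}, (60, 83)),
    16: ({"p5", "p7", "ri"}, (48, 51)), 17: ({"p5", "p7", "ro"}, (48, 51)),
    18: ({"p6", "p7"}, (60, 71)),
}
# Reachability tree RT(Z, C0) as (parent, fired transition, child).
Z_EDGES = [(0, "t1", 1), (1, "t2", 7), (1, "tr", 2), (2, "t2", 3), (3, "t3", 4),
           (4, "t4", 5), (5, "t5", 6), (7, "t3", 12), (7, "tr", 8), (8, "t3", 9),
           (9, "t4", 10), (10, "t5", 11), (12, "t4", 16), (12, "tr", 13),
           (13, "t4", 14), (14, "t5", 15), (16, "tr", 17), (17, "t5", 18)]
B_STATES = {  # RT(B, C20); C23 and C26 carry the terminal marking of B
    20: ({"i", "p16"}, (0, 0)),     21: ({"p12", "p17"}, (16, 17)),
    22: ({"p13", "p17"}, (19, 20)), 23: ({"o", "p16"}, (37, 46)),
    24: ({"p14", "p16"}, (30, 38)), 25: ({"p15", "p16"}, (33, 41)),
    26: ({"o", "p16"}, (37, 46)),
}
Z_PLACES = {f"p{k}" for k in range(1, 9)} | {"ri", "ro"}
B_PLACES = {f"p{k}" for k in range(11, 19)} | {"i", "o"}


def restrict(marking, places):
    """Projection M|places of a marking given as its set of marked places."""
    return frozenset(marking & places)


def path_from_root(edges, target):
    """State ids along the unique tree path from the root to `target`."""
    parent = {child: p for p, _, child in edges}
    path = [target]
    while path[-1] in parent:
        path.append(parent[path[-1]])
    return path[::-1]


def decide_reachability(target, tau, z_states=Z_STATES, z_edges=Z_EDGES,
                        b_states=B_STATES, b_root=20):
    """Return (reachable, state of Z, state of B) for `target` at time `tau` in Z'."""
    p_z, p_b = Z_PLACES - {"ri", "ro"}, B_PLACES - {"i", "o"}
    m_z, m_b = restrict(target, p_z), restrict(target, p_b)
    # ZS: states of Z agreeing with M'_d outside r_i, r_o whose ST contains tau.
    zs = [c for c, (m, (lb, rb)) in z_states.items()
          if restrict(m, p_z) == m_z and lb <= tau <= rb]
    # BS: states of B agreeing with M'_d outside i, o (time is checked later).
    bs = [c for c, (m, _) in b_states.items() if restrict(m, p_b) == m_b]
    b_initial_matches = restrict(b_states[b_root][0], p_b) == m_b
    for c in zs:
        path = path_from_root(z_edges, c)
        start = None  # state at which the last enabling of t_r began
        for prev, cur in zip([None] + path, path):
            if "ri" in z_states[cur][0] and (prev is None or "ri" not in z_states[prev][0]):
                start = cur
        last = z_states[c][0]
        # Cases (1) and (2.1): t_r never enabled, or the module has run to
        # completion and r_o's post-set fired; B must be at its initial marking.
        if start is None or not ({"ri", "ro"} & last):
            if b_initial_matches:
                return True, c, None
            continue
        # Case (2.2): shift each candidate state of B by the interval at which
        # the last enabling of t_r began and test tau against the sum.
        lb1, rb1 = z_states[start][1]
        for cb in bs:
            lb2, rb2 = b_states[cb][1]
            if lb1 + lb2 <= tau <= rb1 + rb2:
                return True, c, cb
    return False, None, None
```

For the paper's query `decide_reachability({"p4", "p8", "p14", "p16"}, 42)` returns `(True, 9, 24)`, the match through $C_9$ and $C_{24}$ found above; at $\tau = 45$ the same marking is not reachable because $45 \notin [33, 43]$.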
6. CONCLUSIONS
By replacing a transition or place in an original net with a subnet, the refinement operation of Petri nets implements the process of stepwise refinement of a Petri net model, which well supports a top-down design method. Based on the idea of divide and conquer, the property preservation of a refinement operation is helpful for decreasing analysis complexity and alleviating the state explosion problem. This article mainly presents the following work.
(1) It defines a type of refinement operations for time Petri nets. This simply structured model can well support refinement design and modeling of real-time systems, such as workflow [Li et al. 2003, 2004; Van der Aalst 2000], command and control systems [Wang et al. 2000], embedded systems [Cho et al. 2010; Hu et al. 2009] and manufacturing systems [Fanti and Zhou 2004; Hu and Li 2009b; Jeng et al. 2004; Lee et al. 2007; Zhou et al. 1992, 1993].
Table V. The Description of State Classes
C_0 = (M_0, D_0, ST_0): M_0 = p_1 + p_7, D_0 = {D_0(t_1) = [3, 5]}, ST_0 = [0, 0]
C_1 = (M_1, D_1, ST_1): M_1 = p_2 + p_7 + r_i, D_1 = {D_1(t_2) = [33, 45], D_1(t_r) = [40, 51]}, ST_1 = [3, 5]
C_2 = (M_2, D_2, ST_2): M_2 = p_2 + p_7 + r_o, D_2 = {D_2(t_2) = [40, 45]}, ST_2 = [40, 45]
C_3 = (M_3, D_3, ST_3): M_3 = p_3 + p_8 + r_o, D_3 = {D_3(t_3) = [43, 48]}, ST_3 = [40, 45]
C_4 = (M_4, D_4, ST_4): M_4 = p_4 + p_8 + r_o, D_4 = {D_4(t_4) = [55, 68]}, ST_4 = [43, 48]
C_5 = (M_5, D_5, ST_5): M_5 = p_5 + p_7 + r_o, D_5 = {D_5(t_5) = [67, 83]}, ST_5 = [55, 68]
C_6 = (M_6, D_6, ST_6): M_6 = p_6 + p_7, D_6 = ∅, ST_6 = [67, 83]
C_7 = (M_7, D_7, ST_7): M_7 = p_3 + p_8 + r_i, D_7 = {D_7(t_3) = [36, 48], D_7(t_r) = [40, 51]}, ST_7 = [33, 45]
C_8 = (M_8, D_8, ST_8): M_8 = p_3 + p_8 + r_o, D_8 = {D_8(t_3) = [40, 48]}, ST_8 = [40, 45]
C_9 = (M_9, D_9, ST_9): M_9 = p_4 + p_8 + r_o, D_9 = {D_9(t_3) = [52, 68]}, ST_9 = [40, 48]
C_10 = (M_10, D_10, ST_10): M_10 = p_5 + p_7 + r_o, D_10 = {D_10(t_5) = [64, 83]}, ST_10 = [52, 68]
C_11 = (M_11, D_11, ST_11): M_11 = p_6 + p_7, D_11 = ∅, ST_11 = [64, 83]
C_12 = (M_12, D_12, ST_12): M_12 = p_4 + p_8 + r_i, D_12 = {D_12(t_4) = [48, 68], D_12(t_r) = [40, 51]}, ST_12 = [36, 48]
C_13 = (M_13, D_13, ST_13): M_13 = p_4 + p_8 + r_o, D_13 = {D_13(t_4) = [48, 68]}, ST_13 = [40, 51]
C_14 = (M_14, D_14, ST_14): M_14 = p_5 + p_7 + r_o, D_14 = {D_14(t_5) = [60, 83]}, ST_14 = [48, 68]
C_15 = (M_15, D_15, ST_15): M_15 = p_6 + p_7, D_15 = ∅, ST_15 = [60, 83]
C_16 = (M_16, D_16, ST_16): M_16 = p_5 + p_7 + r_i, D_16 = {D_16(t_r) = [48, 51]}, ST_16 = [48, 51]
C_17 = (M_17, D_17, ST_17): M_17 = p_5 + p_7 + r_o, D_17 = {D_17(t_5) = [60, 71]}, ST_17 = [48, 51]
C_18 = (M_18, D_18, ST_18): M_18 = p_6 + p_7, D_18 = ∅, ST_18 = [60, 71]
C_20 = (M_20, D_20, ST_20): M_20 = i + p_16, D_20 = {D_20(t_11) = [16, 17]}, ST_20 = [0, 0]
C_21 = (M_21, D_21, ST_21): M_21 = p_12 + p_17, D_21 = {D_21(t_12) = [19, 20]}, ST_21 = [16, 17]
C_22 = (M_22, D_22, ST_22): M_22 = p_13 + p_17, D_22 = {D_22(t_13) = [37, 46], D_22(t_14) = [30, 38]}, ST_22 = [19, 20]
C_23 = (M_23, D_23, ST_23): M_23 = o + p_16, D_23 = ∅, ST_23 = [37, 46]
C_24 = (M_24, D_24, ST_24): M_24 = p_14 + p_16, D_24 = {D_24(t_15) = [33, 41]}, ST_24 = [30, 38]
C_25 = (M_25, D_25, ST_25): M_25 = p_15 + p_16, D_25 = {D_25(t_16) = [37, 46]}, ST_25 = [33, 41]
C_26 = (M_26, D_26, ST_26): M_26 = o + p_16, D_26 = ∅, ST_26 = [37, 46]
(2) It investigates behavior and property preservation of the refinement operation, and establishes the corresponding preservation conditions, which provide theoretical support for system behavior analysis and property verification.
(3) It develops a reachability decidability algorithm. By this algorithm, the reachability of a refined TPN can be decided according to the reachability trees of the original net and modules. It is unnecessary to generate the whole reachability tree of the refined TPN. Therefore, by this method, the burden of solving the state space explosion problem can be effectively reduced. This is very helpful for state identification and model checking of complex systems.
Additional properties, such as reversibility and fairness, to support the qualitative analysis of complex systems need to be discussed. Moreover, based on the refinement operation, quantitative analysis of complex systems, such as turnaround time and throughput, is another research direction. The safeness of the input place of the refined transition can be a major limitation in some real-time systems. The extension to more general cases requires additional work.
APPENDIX A
PROOF OF THEOREM 1. To prove $L(Z')|_U = L(Z)|_U$, we need to prove that $L(Z')|_U \subseteq L(Z)|_U$ and $L(Z)|_U \subseteq L(Z')|_U$.
We first prove that $L(Z')|_U \subseteq L(Z)|_U$. For $\sigma'_1 \in L(Z')|_U$, let $\sigma' \in L(Z')$, where $\sigma'|_U = \sigma'_1$. We break our proof into four cases.
Case 1. For all $M' \in R(Z')$, $M'(p_i) = 0$ holds, that is, place $p_i$ receives no token during the execution of sequence $\sigma'$. According to the definition of module $B$, it is obvious that for all $t \in T_B$, $t$ cannot be enabled at the reachability states during sequence $\sigma'$. Therefore, $\sigma'_1 = \sigma'$ holds, and according to the definition of the refinement operation, $\sigma' \in L(Z)$ holds. Similarly, transition $t_r$ cannot fire during sequence $\sigma'$ because it cannot be enabled, so $\sigma'|_U = \sigma'$ holds, that is, $\sigma' \in L(Z)|_U$; consequently, $\sigma'_1 \in L(Z)|_U$ holds.
Case 2. There exists only one marking $M'_1 \in R(Z')$ such that $M'_1(p_i) = 1$, and for all $M' \in R(Z')$, $M'(p_o) = 0$ holds, namely, during sequence $\sigma'$ place $p_i$ received a token, but place $p_o$ receives no token. Let $\sigma' = \sigma'_{11}\sigma'_{12}$, where $\sigma'_{11}$ is the shortest prefix of $\sigma'$ satisfying $(Z', \sigma'_{11}) = C'_{11} = (M'_{11}, D'_{11}, ST'_{11})$ and $M'_{11}(p_i) = 1$. According to Case 1, $\sigma'_{11} \in L(Z)|_U$ holds. Obviously, $\sigma'_{12}$ is composed of transitions in $B$ and $Z$, and according to the definition of the refinement operation, we know that transitions in $B$ and transitions in $Z$ execute concurrently during $\sigma'_{12}$; therefore $\sigma'_{11}(\sigma'_{12}|_U) \in L(Z)$ holds, that is, $\sigma'_1 = (\sigma'_{11}\sigma'_{12})|_U \in L(Z)|_U$ holds. So $\sigma'_1 \in L(Z)|_U$ holds.
Case 3. There exist only markings $M'_1 \in R(Z')$ and $M'_2 \in R(Z')$ such that $M'_1(p_i) = 1$ and $M'_2(p_o) = 1$, that is, both places $p_i$ and $p_o$ received tokens during the execution of sequence $\sigma'$. Let $\sigma' = \sigma'_{11}\sigma'_{12}\sigma'_{13}$, where $\sigma'_{11}$ is the shortest prefix of $\sigma'$ satisfying $(Z', \sigma'_{11}) = C'_{11} = (M'_{11}, D'_{11}, ST'_{11})$ and $M'_{11}(p_i) = 1$, and $\sigma'_{11}\sigma'_{12}$ is also the shortest prefix of $\sigma'$ satisfying $(Z', \sigma'_{12}) = C'_{12} = (M'_{12}, D'_{12}, ST'_{12})$ and $M'_{12}(p_o) = 1$. Similarly to Case 2, $\sigma'_{11}(\sigma'_{12}|_U) \in L(Z)$ holds. Suppose that $\tau'_{11}$ and $\tau'_{12}$ are the times at which $\sigma'_{11}$ and $\sigma'_{12}$ complete in $Z'$, and that $(B, \sigma'_{12}|_{T_B}) = C_B = (M_f, D_B, ST_B)$; then $LB_B \le \tau'_{12} - \tau'_{11} \le RB_B$ holds, where $ST_B = [LB_B, RB_B]$. According to the condition given in Theorem 1, we have $LB_B = SEFT(t_r)$. Therefore $t_r$ can fire at time $\tau'_{12}$ in the original net $Z$, namely, $\sigma'_{11}(\sigma'_{12}|_U)\, t_r \in L(Z)$ holds. Moreover, in the same way, $\sigma'_{13}$ also can fire at state $(E, \sigma'_{11}(\sigma'_{12}|_U)\, t_r)$. Consequently, $\sigma'_{11}(\sigma'_{12}|_U)\, t_r\, \sigma'_{13} \in L(Z)$ holds, that is, $\sigma'_{11}(\sigma'_{12}|_U)\sigma'_{13} = \sigma'_1 \in L(Z)|_U$ holds.
Case 4. General case. Suppose that during sequence $\sigma'$, $p_i$ received $k_1$ tokens, while place $p_o$ received $k_2$ tokens. From the definition of module, we know that $k_1 = k_2$ or $k_1 = k_2 + 1$. For the above three cases, $k_1 = k_2 = 0$, $k_1 = 1 \wedge k_2 = 0$, and $k_1 = k_2 = 1$ hold respectively. Since the firing of TPN transitions is only related to a local time, repeating the proofs of Case 2 and Case 3 we have the conclusion that for all $\sigma'_1 \in L(Z')|_U$, $\sigma'_1 \in L(Z)|_U$ holds.
Next, we prove $L(Z)|_U \subseteq L(Z')|_U$. For $\sigma_1 \in L(Z)|_U$, let $\sigma \in L(Z)$, where $\sigma|_U = \sigma_1$. We break our proof into four cases.
Case 1. For all $M \in R(Z, \sigma)$, $M(r_i) = 0$ holds, that is, place $r_i$ receives no token during the execution of sequence $\sigma$. Obviously, there is no transition $t_r$ in $\sigma$, thus $\sigma = \sigma_1$. And according to the definition of the refinement operation, we know that $\sigma \in L(Z')$. Therefore, $\sigma_1 \in L(Z')|_U$ holds.
Case 2. There exists only one marking $M_1 \in R(Z, \sigma)$ such that $M_1(r_i) = 1$, and for all $M \in R(Z, \sigma)$, $M(r_o) = 0$ holds, that is, during sequence $\sigma$ place $r_i$ received a token, but place $r_o$ receives no token. It is obvious that there is no transition $t_r$ in sequence $\sigma$; otherwise, firing $t_r$ would necessarily result in a token in $r_o$. In the same way as Case 1, $\sigma_1 \in L(Z')|_U$ holds.
Case 3. There exist only markings $M_1 \in R(Z, \sigma)$ and $M_2 \in R(Z, \sigma)$ such that $M_1(r_i) = 1$ and $M_2(r_o) = 1$ respectively, that is, both place $r_i$ and place $r_o$ received tokens during the execution of sequence $\sigma$. Let $\sigma = \sigma_{11}\sigma_{12}\sigma_{13}$, where $\sigma_{11}$ is the shortest prefix of $\sigma$ satisfying $(Z, \sigma_{11}) = C_{11} = (M_{11}, D_{11}, ST_{11})$, $M_{11}(r_i) = 1$, and $\sigma_{11}\sigma_{12}$ is also the shortest prefix of $\sigma$ satisfying $(Z, \sigma_{12}) = C_{12} = (M_{12}, D_{12}, ST_{12})$, $M_{12}(r_o) = 1$. Similarly to Case 2, $\sigma_{11} \in L(Z')$ holds. Moreover, we know that there exists a sequence $\sigma_{11}\sigma'_1 \in L(Z')$ satisfying $\sigma'_1|_U = \sigma_{121}$ and $\sigma'_1|_{T_B} = \sigma_B$, where $(B, \sigma_B) = C_B = (M_f, D_B, ST_B)$. Suppose that $\sigma_{12} = \sigma_{121}\, t_r$, and that $\tau_{11}$ and $\tau_{12}$ are the times at which $\sigma_{11}$ and $\sigma_{12}$ complete in $Z$. Since place $p_i$ received a token at time $\tau_{11}$ during sequence $\sigma_{11}$ in net $Z'$, according to the definition of the module there must be a transition $t_i \in p_i^{\bullet}$ that can fire, because $SEFT(t_i) \le SEFT(t_r)$. Because the firing of sequence $\sigma_{121}$ has no effect on the execution of the module in $Z'$, after firing $t_i$ there must exist $t_j \in T_B$ that can fire. Following this way, we can generate the execution sequence $\sigma_B$ of the module. According to the condition in Theorem 1, $ST_B = SI(t_r)$, we can suppose that the time at which $\sigma_{11}\sigma'_1$ completes in $Z'$ equals $\tau_{12}$. Therefore, $\sigma_{13}$ also can fire at state $(Z', \sigma_{11}\sigma'_1)$, and $\sigma_{11}\sigma'_1\sigma_{13} \in L(Z')$ holds, that is, $(\sigma_{11}\sigma'_1\sigma_{13})|_U = \sigma_1 \in L(Z')|_U$ holds.
Case 4. General case. Suppose that during sequence $\sigma$, place $r_i$ received $k_1$ tokens and $r_o$ received $k_2$ tokens. Then, repeating the proofs of Case 2 and Case 3, Case 4 can be proved.
To sum up, $L(Z')|_U = L(Z)|_U$ holds.
REFERENCES
Berthomieu, B. and Diaz, M. 1991. Modeling and verification of time dependent systems using time Petri nets. IEEE Trans. Softw. Engin. 17, 259–273.
Berthomieu, B., Lime, D., Roux, O. H., and Vernadat, F. 2007. Reachability problems and abstract state spaces for time Petri Nets with stopwatches. J. Discrete Event Dyn. Syst. Theory Appl. 17, 133–158.
Cho, H., Ravindran, B., and Jensen, E. D. 2010. Lock-free synchronization for dynamic embedded real-time systems. ACM Trans. Embed. Comput. Syst. 9, 1–28.
Ding, Z. J., Jiang, C. J., Zhou, M. C., and Zhang, Y. Y. 2008. Preserving languages and properties in stepwise refinement-based synthesis of Petri nets. IEEE Trans. Syst. Man Cybern. Part A 38, 791–801.
Ding, Z. J., Zhang, Y. Y., Jiang, C. J., and Zhang, Z. H. 2007. Refinement of Petri nets in workflow integration. In Proceedings of the 10th International Conference on Computer Supported Cooperative Work in Design, Lecture Notes in Computer Science, vol. 4402, 667–678.
Fanti, M. P. and Zhou, M. C. 2004. Deadlock control methods in automated manufacturing systems. IEEE Trans. Syst. Man Cybern. Part A 34, 5–22.
Felder, M., Gargantini, A., and Morzenti, A. 1998. A theory of implementation and refinement in timed Petri nets. Theor. Comput. Sci. 202, 127–161.
Girault, C. and Valk, R. 2003. Petri Nets for Systems Engineering: A Guide to Modeling, Verification, and Applications. Springer.
Gurovic, D., Fengler, W., and Nützel, J. 2000. Development of real-time system specifications through the refinement of duration interval Petri nets. In Proceedings of the IEEE International Conference on Systems, Man, and Cybernetics. 3093–3098.
Hruz, B. and Zhou, M. C. 2007. Modeling and Control of Discrete Event Dynamic Systems. Springer.
Hu, H. S. and Li, Z. W. 2009a. Modeling and scheduling for manufacturing grid workflows using timed Petri nets. Int. J. Adv. Manuf. Technol. 42, 553–568.
Hu, H. S. and Li, Z. W. 2009b. Clarification on the computation of liveness-enforcing supervisor for resource allocation systems with uncontrollable behavior and forbidden states. IEEE Trans. Autom. Sci. Eng. 6, 557–558.
Hu, H. S., Zhou, M. C., and Li, Z. W. 2009. Liveness enforcing supervision of video streaming systems using non-sequential Petri nets. IEEE Trans. Multimedia 11, 1457–1465.
Huang, H. J., Cheung, T. Y., and Mak, W. M. 2004. Structure and behavior preservation by Petri-net-based refinements in system design. Theor. Comput. Sci. 328, 245–269.
Jeng, M. D., Xie, X. L., and Chung, S. L. 2004. ERCN* merged nets for modeling degraded behavior and parallel processes in semiconductor manufacturing systems. IEEE Trans. Syst. Man Cybern. Part A 34, 102–112.
Jiang, C. J., Wang, H. Q., and Liao, S. Y. 2002. Behavior relativity of Petri nets. J. Comput. Sci. Techn. 17, 770–780.
Lee, J. S., Zhou, M. C., and Hsu, P. L. 2007. A Petri-net approach to modular supervision with conflict resolution for semiconductor manufacturing systems. IEEE Trans. Autom. Sci. Eng. 4, 584–588.
Li, J., Fan, Y. S., and Zhou, M. C. 2003. Timing constraint workflow nets for workflow analysis. IEEE Trans. Syst. Man Cybern. Part A 33, 179–193.
Li, J., Fan, Y. S., and Zhou, M. C. 2004. Performance modeling and analysis of workflow. IEEE Trans. Syst. Man Cybern. Part A 34, 229–242.
Li, Z. W. and Zhou, M. C. 2009. Deadlock Resolution in Automated Manufacturing Systems: A Novel Petri Net Approach. Springer.
Liu, T., Lin, C., and Liu, W. D. 2002. Linear temporal inference of workflow management system based on timed Petri net models. Acta Electronica Sinica 30, 245–248. (in Chinese)
Merlin, P. and Farber, D. 1976. Recoverability of communication protocols: Implication of a theoretical study. IEEE Trans. Commun. 24, 1036–1043.
Molloy, M. K. 1982. Performance analysis using stochastic Petri nets. IEEE Trans. Comput. 31, 913–917.
Murata, T. 1989. Petri nets: Properties, analysis and applications. Proc. IEEE, 541–580.
Suzuki, I. and Murata, T. 1983. A method for stepwise refinement and abstraction of Petri nets. J. Comput. Syst. Sci. 27, 51–76.
Tang, D. and Liu, D. N. 2006. Method of reachability analysis in HTPN based workflow model. Comput. Integr. Manuf. Syst. 12, 487–493. (in Chinese)
Valette, R. 1979. Analysis of Petri nets by stepwise refinements. J. Comput. Syst. Sci. 18, 35–46.
van der Aalst, W. M. P. 2000. Workflow verification: Finding control-flow errors using Petri-net-based techniques. In Proceedings of the International Workshop on Types for Proofs and Programs. Lecture Notes in Computer Science 806, 161–183.
Wang, J. C., Deng, Y., and Xu, G. 2000a. Reachability analysis of real-time systems using time Petri nets. IEEE Trans. Syst. Man Cybern. Part B 30, 725–736.
Wang, J. C., Deng, Y., and Zhou, M. C. 2000b. Compositional time Petri nets and reduction rules. IEEE Trans. Syst. Man Cybern. Part B 30, 562–572.
Zhou, M. C. and Venkatesh, K. 1998. Modeling, Simulation and Control of Flexible Manufacturing Systems: A Petri Net Approach. World Scientific, Singapore.
Zhou, M. C., DiCesare, F., and Desrochers, A. 1992. A hybrid methodology for synthesis of Petri nets for manufacturing systems. IEEE Trans. Rob. Autom. 8, 350–361.
Zhou, M. C., McDermott, K., and Patel, P. A. 1993. Petri net synthesis and analysis of a flexible manufacturing system cell. IEEE Trans. Syst. Man Cybern. 23, 523–531.
Zuberek, W. M. 1991. Timed Petri nets: Definitions, properties, and applications. Microelectron. Reliab. 31, 627–644.
Received March 2010; accepted July 2010