
Design, Analysis and Verification of Real-Time Systems Based on Time Petri Net Refinement


ZHIJUN DING and CHANGJUN JIANG, Key Laboratory of Embedded System and Service
Computing, Ministry of Education, Tongji University, China

MENGCHU ZHOU, New Jersey Institute of Technology

A type of refinement operations of time Petri nets is presented for design, analysis and verification of complex real-time systems. First, the behavior preservation is studied under time constraints in a refinement
operation, and a sufficient condition for behavior preservation is obtained. Then, the property preservation
is considered, and the results indicate that if the refinement operation of time Petri nets satisfies behavior preservation, it can also preserve properties such as boundedness and liveness. Finally, based on the
behavior preservation, a reachability decidability algorithm of a refined time Petri net is designed using
the reachability trees of its original net and subnet. The research results are illustrated by an example of
designing, analyzing and verifying a real-time manufacturing system.
Categories and Subject Descriptors: D.2.2 [Software Engineering]: Design Tools and Techniques: Petri nets, top-down programming; D.4.1 [Operating Systems]: Process Management: Concurrency, multitasking; D.4.7 [Operating Systems]: Organization and Design: Real-time systems and embedded systems
General Terms: Design, Verification, Theory
Additional Key Words and Phrases: Real-time, refinement, reachability, automated manufacturing system
ACM Reference Format:
Ding, Z., Jiang, C., and Zhou, M. 2013. Design, analysis and verification of real-time systems based on time
Petri net refinement. ACM Trans. Embed. Comput. Syst. 12, 1, Article 4 (January 2013), 18 pages.
DOI:http://dx.doi.org/10.1145/2406336.2406340

1. INTRODUCTION

Along with the development of its theory and application, Petri net has been gradually
applied to real-time systems that are an important research branch in the realms of
computer applications and have been widely used in embedded system, computer communication, process control, factory automation, and robotics. All tasks in a real-time
system are time-constrained. Its correctness not only depends on the logic correctness,
but also time constraints of system outputs. Therefore, it is necessary to build a Petri
net model involving time factors for analyzing a real-time system [Murata 1989].
When timing issues are introduced in Petri nets, several extended models are proposed including timed Petri nets [Hu and Li 2009a; Zuberek 1991], time Petri nets
This research was partially supported by National Basic Research Program of China (973 Program)
(2010CB328100), National High-Tech Research and Development Plan of China under Grant No.
(62009AA01Z141), National Natural Science Funds (60803032, 90818023), Program for New Century Excellent Talents in University, and Shanghai Rising-Star Program.
Authors' addresses: Z. Ding, Department of Computer Science & Technology, Tongji University, Shanghai
201804; email: zhijun ding@hotmail.com; C. Jiang, Department of Computer Science & Technology, Tongji
University, Shanghai 201804; M. Zhou, Department of Electrical and Computer Engineering, New Jersey
Institute of Technology, Newark, NJ.
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted
without fee provided that copies are not made or distributed for profit or commercial advantage and that
copies show this notice on the first page or initial screen of a display along with the full citation. Copyrights
for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, to redistribute to lists, or to use any component
of this work in other works requires prior specific permission and/or a fee. Permissions may be requested
from Publications Dept., ACM, Inc., 2 Penn Plaza, Suite 701, New York, NY 10121-0701 USA, fax +1 (212)
869-0481, or permissions@acm.org.
© 2013 ACM 1539-9087/2013/01-ART4 $15.00
ACM Transactions on Embedded Computing Systems, Vol. 12, No. 1, Article 4, Publication date: January 2013.


[Berthomieu et al. 2007; Merlin and Farber 1976], and stochastic timed Petri nets
[Molloy 1982]. Among these models, time Petri nets (TPN) proposed by Merlin and
Farber [1976] are the most widely used formal models for real-time system design,
simulation, and verification. However, it is still a great challenge for modeling and
analysis of a complex real-time system via a TPN, since, first, building a TPN model
is hard itself, and second, the model often faces a state explosion problem. To solve
these problems, Wang et al. [2000b] define compositional time Petri net models for a
command and control system, and propose a set of component-level reduction rules for
TPN to implement the reduction of a complex model under the condition of preserving behavior properties with time constraints. Using basic routing structures, Tang
and Liu [2006] transform TPN workflow model into hierarchical TPN workflow model
to implement model abstraction and simplification. Liu et al. [2002] introduce lineartime reasoning rules of TPN workflow models based on basic routing structures of
workflow, which can be used to stepwisely simplify a complex workflow model. These
studies mainly focus on the aspect of equivalent reduction or transformation of a complex Petri net with time constraints to decrease the analysis complexity, but complex
real-time system modeling and property analysis remain unaddressed. Since the refinement operation of Petri nets supports hierarchical modeling and decreases analysis complexity, it has been used as an effective method for designing, analyzing and
verifying complex systems [Suzuki and Murata 1983; Valette 1979; Zhou et al. 1993].
Gurovic et al. [2000] introduce a refinement technique into TPN, define a type of refinement operations of TPN, and apply these operations to hierarchical modeling and analysis of traffic control systems. Felder et al. [1998] mainly study the temporal semantic
preservation of refinement operations. They establish TRIO formulas for the temporal semantic representation of TPN, and define a set of refinement rules that satisfy
temporal semantic preservation. Huang et al. [2004] provide a method for the refinement of a transition or place in Petri nets. Both behavioral and structural property
preservations are studied. Furthermore, Ding et al. [2008] generalize the refinement
model [Huang et al. 2004] to obtain a more general net refinement model and present
three types of refined Petri nets according to the different composition of subsystems.
Then, the language and property relationships among a subnet, an original net and a
refined net are studied to demonstrate behavior characteristics and property preservation in a system synthesis process. But their work does not consider time constraints
in the model. This article extends the model [Huang et al. 2004] into TPN, defines the
refinement operations of TPN, and studies their behavior and property preservation.
Furthermore, we provide an algorithm to decide if a state can be reached in a refined
TPN given the reachability trees of its original net and subnet.
Compared with the work in Wang et al. [2000a, 2000b] and Liu et al. [2002], this
article not only addresses behavior preservation of refinement operations with time
constraints, but also studies their property preservation, which provides an effective
way for complex system analysis and verification. Gurovic et al. [2000] consider property preservation of refinement operations based on a refinement model in Suzuki and
Murata [1983], while our work is based on a refinement model in Huang et al. [2004].
Different models lead to different applications and verification methods. Due to the introduction of a time factor, it is more difficult to analyze the reachability of a TPN than
that of a Petri net without time constraints. In this article, a reachability decidability
method of TPN is presented for the first time based on refinement operations, which
can effectively alleviate the state explosion problem when analyzing a complex system.
The rest of the article is arranged as follows: Section 2 introduces the basic concepts and related terms of TPN, and defines a refinement operation of TPN based on
a standard subnet model. Section 3 defines the behavior preservation of the refinement operation, introduces a sufficient condition of a refinement operation to preserve
behavior and properties. Section 4 presents a reachability decidability algorithm of a
refined TPN using the reachability trees of its original net and subnet. Section 5 illustrates the method by designing and analyzing a real-time manufacturing system.
Section 6 makes concluding remarks.
2. PRELIMINARIES

We assume that readers have some knowledge of various terminologies of Petri nets.
Readers who are unfamiliar with Petri nets, please refer to [Girault and Valk 2003;
Hruz and Zhou 2007; Li and Zhou 2009; Murata 1989; Zhou and Venkatesh 1998] for
the basic definitions and terms.
2.1. Time Petri Nets (TPN)

In a TPN, for each transition $t \in T$, two time values are defined, $SEFT(t)$ and $SLFT(t)$,
where $SEFT(t)$ is the minimum time that the transition must wait after it is enabled
and before it fires, i.e., its static earliest firing time, and $SLFT(t)$ is the maximum time
that the transition can wait before firing if it is still enabled, i.e., its static latest firing
time. Formally, a TPN is defined as follows:

Definition 1. Let $Z = (P, T, F, W, M_0, SI)$ be a TPN, where $PN = (P, T, F, W, M_0)$ is a
Petri net, $P$ is a finite set of places, $T$ is a finite set of transitions, $F \subseteq (P \times T) \cup (T \times P)$
is a flow relation, $W : F \to \{1, 2, 3, \ldots\}$ is a weight function, and $SI : T \to Q^+ \times Q^+$
is a time interval function defined on the transition set, that is, for $t \in T$,
$SI(t) = [SEFT(t), SLFT(t)]$, in which $Q^+$ is the set of positive rational numbers.
The state of a TPN is represented as a pair $S = (M, I)$, where $M$ is a marking, and
$I$ is the firing interval set of the transitions enabled at state $S$, which is related to the
arriving time of state $S$. Because every state in a TPN is closely related to
its arrival time, a reachable marking, reached from the initial marking, may have
different arrival times corresponding to the same firing sequence. That is, the state
space may be infinite. To solve this problem, Berthomieu and Diaz [1991] present a
state class method, in which a state class of a TPN is defined as $C = (M, D)$, where
$M$ is a marking, and all states in a class have the same marking; $D$ is the firing time
interval set of all enabled transitions at the state class $C$, which is not related to
the arriving time of a specific state, but to the relative firing time interval of
state class $C$. It has been proven that for a bounded TPN the number of reachable
state classes is finite. Therefore, the state class method can effectively solve the problem
of an infinite number of states. However, a state class is only associated with relative
time intervals, and the time span between reachable states cannot be obtained, which
makes the timeliness analysis or verification of modeled systems inconvenient.
Consequently, based on a state class, Wang et al. [2000a] define a clock-stamped state
class introducing a global time to represent the global arriving time interval of the state
class. In addition, the following interval arithmetic will be used later: Let $I_1 = [a_1, b_1]$
and $I_2 = [a_2, b_2]$, with $0 \le a_i \le b_i \le +\infty$, $i = 1, 2$. Then we define $I_1 + I_2$ to be the
interval $[a_1 + a_2, b_1 + b_2]$ and $I_1 - I_2$ to be $[a_1 - a_2, b_1 - b_2]$ [Wang et al. 2000a].
Definition 2. A clock-stamped state class (CS-class) of a TPN is defined as a 3-tuple
$C = (M, D, ST)$, where $M$ is a marking; $D$ is a firing domain, i.e., a set of constraints on
the values of the time to fire for the transitions enabled by the current marking $M$; in detail,
for $t_i$ with $M[t_i\rangle$, its firing interval is $D(t_i) = [EFT(t_i), LFT(t_i)]$, where $EFT(t_i)$ is
the earliest firing time of $t_i$, and $LFT(t_i)$ is the latest firing time of $t_i$; $ST$ is a global
clock stamp providing the arriving time interval of the state class.

Fig. 1. TPN model Z1.

In the following definition, a set of firing rules of TPN and a method for computing
CS-classes are given.

Definition 3. A transition $t_j \in T$ is said to be firable at a CS-class $C_k = (M_k, D_k, ST_k)$
if the following transition firing rules are met:

(1) $t_j$ is enabled at $M_k$, i.e., $M_k[t_j\rangle$. The set of transitions enabled at $M_k$ is denoted
as $E(C_k)$;
(2) $EFT_k(t_j) \le \min\{LFT_k(t_i) \mid t_i \in E(C_k)\}$;
(3) Let $NE(C_k)$ be the set of transitions that begin to be enabled at $M_k$. If $t_j \in NE(C_k)$,
then $SEFT(t_j) \le \min\{SLFT(t) \mid t \in NE(C_k)\}$ holds.

If $t_j$ is firable at CS-class $C_k$, then its firing results in a new CS-class
$C_{k+1} = (M_{k+1}, D_{k+1}, ST_{k+1})$, where:

$\forall p \in P,\ M_{k+1}(p) = M_k(p) - W(p, t_j) + W(t_j, p)$;

$\forall t_f \in E(C_{k+1})$,
$$D_{k+1}(t_f) = \begin{cases} SI(t_f) + ST_{k+1}, & t_f \in NE(C_{k+1}) \\ [\max(EFT_k(t_j), EFT_k(t_f)),\ LFT_k(t_f)], & t_f \notin NE(C_{k+1}) \end{cases}$$

$ST_{k+1} = [EFT_k(t_j),\ \min\{LFT_k(t_i) \mid t_i \in E(C_k)\}]$.

Given a TPN model $Z$, its initial CS-class is $C_0 = (M_0, D_0, ST_0)$, where $M_0$ is the
initial marking, $D_0$ contains all the firing time intervals of transitions at $C_0$, and $ST_0 =
[0, 0]$. According to the transition firing rules, firing $t_0$ at $C_0$ leads to a new CS-class
$C_1$. Similarly, firing $t_1$ leads to CS-class $C_2$. Following this way, at $C_i$, firing $t_i$ leads to
$C_{i+1}$. Finally, we can generate a firing sequence $\sigma = t_0 t_1 \cdots t_i$ of $Z$.
With the above firing rules and computing method, we can generate a reachability
tree of $Z$, $RT(Z, C_0)$, with root node $C_0$. Every node of the tree corresponds to a reachable
state class. If firing $t$ at CS-class $C_i$ results in $C_j$, then connect $C_i$ and $C_j$ with a
directed arc, and label the arc with $t$.
It is noted that the third condition of Definition 3 does not exist in Wang et al. [2000].
Let us consider the TPN model $Z_1$ shown in Figure 1.
In TPN model $Z_1$, transitions $t_2$ and $t_3$ must be enabled simultaneously. However, $t_2$
is always firable but $t_3$ is not, because the static earliest firing time of $t_3$ is more than that
of $t_2$. According to Wang et al. [2000], $t_3$ is firable at CS-class $C = (M, D, ST)$, where
$M = p_2$, $D = \{D(t_2) = [1, 6], D(t_3) = [4, 10]\}$ and $ST = [1, 4]$, which satisfy the firing
rules as defined in Wang et al. [2000a]. Clearly, we have to add the third condition in
Definition 3 to avoid the above problem.
Wang et al. [2000a] analyzed the soundness and completeness of the global time
interval $ST$, and proved that a CS-class can be uniquely mapped into a traditional state
class as presented in Berthomieu and Diaz [1991]. Here the addition of the third condition
only avoids wrong transition firings, and does not change the definition of a CS-class. Hence we
still obtain essentially the same results as those in Wang et al. [2000a], and they are omitted here.
In this work, we introduce some related notations to be used later. $(Z, \sigma)$ denotes
the CS-class that is generated by firing the sequence $\sigma$ from the initial CS-class $C_0$ of a
TPN $Z$, and $\tau(Z, \sigma)$ denotes the global time at which CS-class $(Z, \sigma)$ arrives. $R(Z, \sigma)$ is the marking
set composed of all markings reached in the execution process of sequence $\sigma$. $R(Z)$
is the set of all reachable markings of $Z$. $L(Z)$ is the sequence set composed of all fired
sequences in $Z$.
$Z$ is live iff $\forall t \in T$, $\forall M \in R(Z)$, there exists $M'$ reached from $M$ such that $M'[t\rangle$. A
place $p \in P$ is said to be bounded or $K$-bounded iff $M(p) \le K$ for all $M \in R(Z)$, where $K$
is a positive integer. $Z$ is said to be bounded iff every place in it is bounded. A place is
said to be safe iff it is 1-bounded. $Z$ is said to be safe iff every place is 1-bounded. It is
noted that the liveness and boundedness of a TPN are not equivalent to those of its untimed
counterpart [Berthomieu and Diaz 1991].
Let $X \subseteq P \cup T$ be a node subset of $Z$; $Z|_X$ denotes the new time Petri net that consists
of only the elements in $X$ and the related arcs, which is a subgraph of $Z$. $Z - X$ is defined as
$Z|_{\bar X}$, where $\bar X = P \cup T - X$. All the above notation is applicable to markings and firing
sequences. $L(Z)|_X$ indicates that for every firing sequence of $Z$, only elements from $X$ are
preserved. Similarly, $L(Z) - X = L(Z)|_{(T - X)}$.
2.2. Refinement Operation of TPN

Huang et al. [2004] define a type of refinement operations of Petri nets. Here we extend
it to TPN.

Definition 4. TPN $Z = (P, T, F, W, M_0, SI)$ is a time Petri net module (module) iff the
following conditions hold:
(1) $Z$ has two special places $i$ and $o$, where $i$ is an initial (import) place, i.e., ${}^\bullet i = \emptyset$, and $o$ is
a terminal (export) place, i.e., $o^\bullet = \emptyset$;
(2) $M_0(i) = 1$, $M_0(o) = 0$, and $\forall t \notin i^\bullet$, $\neg M_0[t\rangle$ holds;
(3) $\exists \sigma \in L(Z)$, where $(Z, \sigma) = C_f = (M_f, D_f, ST_f)$, satisfying that $M_f(o) = 1$, $M_f(i) = 0$,
$M_f(p) = M_0(p)$ for $p \in P - \{i, o\}$, and $\forall t \in T$, $\neg M_f[t\rangle$. $M_f$ is called a terminal
marking. Moreover, $\forall \sigma' \in L(Z)$ with $\sigma' \ne \sigma$, where $(Z, \sigma') = C' = (M', D', ST')$, if
$M'(o) \ge 1$, then $M' = M_f$.
(4) There are no dead transitions in $Z$, i.e., $\forall t \in T$, there exists a CS-class $C_i$ reached
from the initial CS-class $C_0$ of $Z$ such that $t$ fires at $C_i$.

Condition (1) states that a module $Z$ is a kind of time Petri net with a special structure, i.e., it has one initial place $i$ and one terminal place $o$. If a new transition $t$ is added
into $Z$ and connected with $o$ and $i$, namely ${}^\bullet t = \{o\}$ and $t^\bullet = \{i\}$, then an extended net $\bar{Z}$ is
generated. Condition (2) constrains the initial marking of a module, requiring one token in the initial place and no token in the terminal place, and also requiring that the
module execution must begin with the firing of a post-set transition of the initial place,
and that other transitions cannot be enabled at $M_0$. Condition (3) indicates that the
module can be executed and terminated, and its terminal marking is reached when
the terminal place holds a token. In other words, the execution of a module stops

Fig. 2. Refinement operation of TPN.

as long as a token enters the terminal place. Condition (4) states that any transition
can fire in Z.
By replacing a transition of a TPN with a module, we can obtain a new time Petri net.
This process corresponds exactly to a refinement operation, and its formal definition
is given:

Definition 5. Let TPN $Z = (P, T, F, W, M_0, SI)$, where for $t_r \in T$, $r_i^\bullet = \{t_r\} = {}^\bullet r_o$,
$|{}^\bullet t_r| = |t_r^\bullet| = 1$, and place $r_i$ is safe. Let $B = (P_B, T_B; F_B, W_B, M_0^B, SI_B)$ be a module. The
refinement operation of net $Z$ and module $B$, $Z \xrightarrow{B/t_r} Z'$, is implemented by replacing $t_r$
in $Z$ with $B$, generating a new TPN $Z' = (P', T'; F', M_0', SI')$, where:

(1) $P' = P \cup P_B \cup \{p_i, p_o\} - \{r_i, r_o, i, o\}$;
(2) $T' = T \cup T_B - \{t_r\}$;
(3) $F' = F \cup F_B \cup \{(p_i, x) \mid x \in i^\bullet\} \cup \{(x, p_o) \mid x \in {}^\bullet o\} \cup \{(x, p_i) \mid x \in {}^\bullet r_i\} \cup \{(p_o, x) \mid x \in r_o^\bullet\}$
$- \{(r_i, t_r), (t_r, r_o)\} - \{(x, r_i) \mid x \in {}^\bullet r_i\} - \{(r_o, x) \mid x \in r_o^\bullet\} - \{(i, x) \mid x \in i^\bullet\} - \{(x, o) \mid x \in {}^\bullet o\}$;
(4) $M_0'(p) = \begin{cases} M_0(r_i), & p = p_i \\ M_0(r_o), & p = p_o \\ M_0(p), & p \in P - \{r_i, r_o\} \\ M_0^B(p), & p \in P_B - \{i, o\} \end{cases}$;
(5) $SI' = SI \cup SI_B - \{SI(t_r)\}$.

Net $Z'$ is called a refined TPN, $t_r$ a refinement transition, and $Z$ an original net
system. Figure 2 shows the refinement process of TPN.
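The construction of Definition 5, as an added Python example that is not code from the paper or its tooling: nets are plain dicts of places, transitions and arcs, and the sample original net and module are constructed here (the two merged places are named p11 and p13 to match the refined-net tables of Example 1).

```python
def refinable(z, tr):
    """Precondition of Definition 5: tr has exactly one input place r_i and one
    output place r_o, with r_i* = {tr} = *r_o. Returns (r_i, r_o) or raises.
    Safeness of r_i is a behavioural property and is not checked here."""
    pre_tr = {x for x, y in z["F"] if y == tr}
    post_tr = {y for x, y in z["F"] if x == tr}
    if len(pre_tr) != 1 or len(post_tr) != 1:
        raise ValueError("tr must have exactly one input and one output place")
    ri, ro = next(iter(pre_tr)), next(iter(post_tr))
    if {y for x, y in z["F"] if x == ri} != {tr} or {x for x, y in z["F"] if y == ro} != {tr}:
        raise ValueError("r_i* and *r_o must both equal {tr}")
    return ri, ro

def is_module_structure(b):
    """Structural conditions (1) and (2) of Definition 4: *i and o* are empty,
    M0(i) = 1, M0(o) = 0, and every transition enabled at M0 lies in i*."""
    i, o, F, m0 = b["i"], b["o"], b["F"], b["M0"]
    if any(y == i for _, y in F) or any(x == o for x, _ in F):
        return False
    if m0.get(i, 0) != 1 or m0.get(o, 0) != 0:
        return False
    post_i = {y for x, y in F if x == i}
    for t in b["T"]:
        enabled = all(m0.get(x, 0) >= 1 for x, y in F if y == t)
        if enabled and t not in post_i:
            return False
    return True

def refine(z, tr, b, pi, po):
    """Definition 5: the refined net Z' obtained by replacing tr in Z with module B.
    pi and po name the places that merge r_i with i and r_o with o."""
    ri, ro = refinable(z, tr)
    i, o, F, FB = b["i"], b["o"], z["F"], b["F"]
    pre_ri = {x for x, y in F if y == ri}
    post_ro = {y for x, y in F if x == ro}
    post_i = {y for x, y in FB if x == i}
    pre_o = {x for x, y in FB if y == o}
    P1 = (z["P"] | b["P"] | {pi, po}) - {ri, ro, i, o}                    # (1)
    T1 = (z["T"] | b["T"]) - {tr}                                          # (2)
    F1 = (F | FB                                                           # (3)
          | {(pi, x) for x in post_i} | {(x, po) for x in pre_o}
          | {(x, pi) for x in pre_ri} | {(po, x) for x in post_ro})
    F1 -= ({(ri, tr), (tr, ro)}
           | {(x, ri) for x in pre_ri} | {(ro, x) for x in post_ro}
           | {(i, x) for x in post_i} | {(x, o) for x in pre_o})
    M01 = {pi: z["M0"].get(ri, 0), po: z["M0"].get(ro, 0)}                # (4)
    M01.update({p: n for p, n in z["M0"].items() if p not in (ri, ro)})
    M01.update({p: n for p, n in b["M0"].items() if p not in (i, o)})
    SI1 = {t: v for t, v in z["SI"].items() if t != tr}                   # (5)
    SI1.update(b["SI"])
    return {"P": P1, "T": T1, "F": F1, "M0": M01, "SI": SI1}

# Constructed original net (assumption): p1 -t1-> p2 -tr-> p3 -t2-> p4, SI(tr) = [1, 6].
Z = {"P": {"p1", "p2", "p3", "p4"}, "T": {"t1", "tr", "t2"},
     "F": {("p1", "t1"), ("t1", "p2"), ("p2", "tr"), ("tr", "p3"), ("p3", "t2"), ("t2", "p4")},
     "M0": {"p1": 1}, "SI": {"t1": (3, 3), "tr": (1, 6), "t2": (1, 1)}}

# Constructed module shaped like B2 of Example 1 (assumption): i -t11-> p12 -t12-> o.
B = {"P": {"i", "p12", "o"}, "T": {"t11", "t12"},
     "F": {("i", "t11"), ("t11", "p12"), ("p12", "t12"), ("t12", "o")},
     "M0": {"i": 1}, "SI": {"t11": (0, 1), "t12": (1, 5)}, "i": "i", "o": "o"}

def refined_example():
    """Z' = Z --(B/tr)--> Z' with p11 standing for r_i/i and p13 for r_o/o."""
    assert is_module_structure(B)
    return refine(Z, "tr", B, pi="p11", po="p13")
```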
3. BEHAVIOR AND PROPERTY PRESERVATION OF TPN REFINEMENT OPERATION

This section discusses the behavior and property preservation of TPN in the refinement operation. First a sufficient condition of behavior preservation is given, and then
property preservation is discussed.
3.1. Behavior Preservation



Definition 6. Let TPN $Z = (P, T; F, M_0, SI)$ be an original net system, and $Z' = (P', T'; F', M_0', SI')$
a refined TPN obtained by replacing transition $t_r$ in $Z$ with module $B$. Let
$U = T - \{t_r\}$. If $L(Z')|_U = L(Z)|_U$, then the refinement operation $Z \xrightarrow{B/t_r} Z'$ satisfies
behavior preservation.

Table I. The Description of State Classes of $Z_2$

1: $C_{20} = (M_{20}, D_{20}, ST_{20})$: $M_{20} = p_1$, $D_{20} = \{D_{20}(t_1) = [3, 3]\}$, $ST_{20} = [0, 0]$
2: $C_{21} = (M_{21}, D_{21}, ST_{21})$: $M_{21} = p_2 + p_4$, $D_{21} = \{D_{21}(t_r) = [4, 9], D_{21}(t_3) = [6, 7]\}$, $ST_{21} = [3, 3]$
3: $C_{22} = (M_{22}, D_{22}, ST_{22})$: $M_{22} = p_3 + p_4$, $D_{22} = \{D_{22}(t_2) = [5, 8], D_{22}(t_3) = [6, 7]\}$, $ST_{22} = [4, 7]$
4: $C_{23} = (M_{23}, D_{23}, ST_{23})$: $M_{23} = p_2 + p_5$, $D_{23} = \emptyset$, $ST_{23} = [6, 7]$
5: $C_{24} = (M_{24}, D_{24}, ST_{24})$: $M_{24} = p_6$, $D_{24} = \emptyset$, $ST_{24} = [5, 7]$
6: $C_{25} = (M_{25}, D_{25}, ST_{25})$: $M_{25} = p_3 + p_5$, $D_{25} = \emptyset$, $ST_{25} = [6, 7]$
THEOREM 1. For any transition firing sequence $\sigma_B \in L(B)$ such that $M_B = M_f$, where
$(B, \sigma_B) = C_B = (M_B, D_B, ST_B)$, if $ST_B = SI(t_r)$, then the refinement operation satisfies
behavior preservation.

PROOF. See Appendix A.

It is suggested in Theorem 1 that for any transition firing sequence that leads to a
terminal marking in module $B$, if its global execution time is equal to the firing time
interval of the refined transition $t_r$ in the original net $Z$, then the refined TPN $Z'$ generated
by replacing $t_r$ with $B$ keeps the same behavioral characteristic as that of the original
net. This characteristic is very important for real-time system synthesis, modeling,
and analysis, because a system synthesis process first should meet system behavior
consistency with time constraints, and then its property preservation is required [Ding
et al. 2008; Jiang et al. 2002]. We will discuss property preservation in the next section.
Example 1. $Z_2$ is an original net system shown in Figure 3(a), $t_r$ is a refinement
transition, and modules $B_1$ and $B_2$ are given in Figure 3(b) and Figure 3(c), respectively.
For $B_1$ and $B_2$, their global time intervals are easily computed and equal to $[0, 2]$
and $[1, 6]$, respectively. Let $Z_2^{B_1}$ ($Z_2^{B_2}$) be the refined TPN obtained by replacing $t_r$ in $Z_2$ with $B_1$
($B_2$); the refinement operation $Z_2 \xrightarrow{B_1/t_r} Z_2^{B_1}$ ($Z_2 \xrightarrow{B_2/t_r} Z_2^{B_2}$) cannot (can) satisfy the
conditions of Theorem 1.
The three state class reachability trees of TPNs $Z_2$, $Z_2^{B_1}$, and $Z_2^{B_2}$ are shown in Figure
4(a) to 4(c), and the description of their state classes is listed in Tables I to III. Clearly, $\sigma_{21} =
t_1 t_3$ is a transition firing sequence of $Z_2$, i.e., $\sigma_{21} \in L(Z_2)$. However, no transition
firing sequence $\sigma_2^{B_1}$ of $Z_2^{B_1}$ can satisfy $\sigma_2^{B_1}|_{(T_2 - \{t_r\})} = \sigma_{21}$, because $t_3$ is never
firable. Moreover, it is easily proved that $L(Z_2^{B_2})|_{(T_2 - \{t_r\})} = L(Z_2)|_{(T_2 - \{t_r\})}$.
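An added Python example (not code from the paper) covering the firing rules and successor computation of Definition 3, breadth-first generation of $RT(Z, C_0)$, and the check of Theorem 1's condition on a module's terminal clock stamps. $Z_1$ is reconstructed from the CS-class quoted in Section 2.1 (Figure 1 is not on the page), the module is shaped like $B_2$ of Example 1, and both nets, the unit arc weights and the newly-enabled convention in fire() are assumptions.

```python
from collections import deque

def add(i1, i2):
    """Interval addition of Section 2.1: [a1, b1] + [a2, b2] = [a1 + a2, b1 + b2]."""
    return (i1[0] + i2[0], i1[1] + i2[1])

class TPN:
    """Time Petri net with unit arc weights: pre[t]/post[t] are the input and
    output places of t, si[t] = (SEFT(t), SLFT(t)), m0 is the initial marking."""
    def __init__(self, pre, post, si, m0):
        self.pre, self.post, self.si, self.m0 = pre, post, si, m0

    def enabled(self, m):
        return [t for t in self.si if all(m.get(p, 0) >= 1 for p in self.pre[t])]

    def initial_class(self):
        # C0 = (M0, D0, [0, 0]); everything enabled at M0 counts as newly enabled.
        e = self.enabled(self.m0)
        return (dict(self.m0), {t: self.si[t] for t in e}, (0, 0), frozenset(e))

def firable(net, cls, tj, use_rule3=True):
    """Definition 3: tj is firable at C = (M, D, ST, NE) iff (1) tj is enabled,
    (2) EFT(tj) <= min LFT over E(C), and (3) if tj is in NE(C) then
    SEFT(tj) <= min SLFT over NE(C). use_rule3=False drops condition (3),
    which is the rule set of Wang et al. [2000a] discussed in Section 2.1."""
    m, d, st, ne = cls
    if tj not in d:                                            # rule (1)
        return False
    if d[tj][0] > min(lft for _, lft in d.values()):           # rule (2)
        return False
    if use_rule3 and tj in ne:                                 # rule (3)
        if net.si[tj][0] > min(net.si[t][1] for t in ne):
            return False
    return True

def fire(net, cls, tj):
    """Successor CS-class C_{k+1} = (M_{k+1}, D_{k+1}, ST_{k+1}) of Definition 3."""
    m, d, st, _ = cls
    m1 = dict(m)
    for p in net.pre[tj]:
        m1[p] -= 1
    for p in net.post[tj]:
        m1[p] = m1.get(p, 0) + 1
    st1 = (d[tj][0], min(lft for _, lft in d.values()))        # ST_{k+1}
    # Convention assumed here: a transition is newly enabled at M_{k+1} if it was
    # not enabled at M_k, or if it is tj itself being enabled again.
    was = set(net.enabled(m))
    ne1, d1 = set(), {}
    for tf in net.enabled(m1):
        if tf not in was or tf == tj:
            ne1.add(tf)
            d1[tf] = add(net.si[tf], st1)                      # SI(tf) + ST_{k+1}
        else:
            d1[tf] = (max(d[tj][0], d[tf][0]), d[tf][1])       # [max(EFT(tj), EFT(tf)), LFT(tf)]
    return (m1, d1, st1, frozenset(ne1))

def reachability_tree(net, limit=1000):
    """Breadth-first RT(Z, C0): list of (class, parent index, arc label) triples.
    The node limit guards against nets whose tree is infinite."""
    nodes, queue = [(net.initial_class(), None, None)], deque([0])
    while queue and len(nodes) < limit:
        k = queue.popleft()
        cls = nodes[k][0]
        for t in list(cls[1]):
            if firable(net, cls, t):
                nodes.append((fire(net, cls, t), k, t))
                queue.append(len(nodes) - 1)
    return nodes

def terminal_intervals(module, o):
    """Clock stamps ST of the classes where the terminal place o is marked and
    nothing is enabled, i.e. the terminal marking of Definition 4 is reached."""
    return {n[0][2] for n in reachability_tree(module, 200)
            if n[0][0].get(o, 0) >= 1 and not n[0][1]}

def theorem1_condition(module, o, si_tr):
    """Theorem 1: every terminal sequence of B must arrive exactly at SI(tr)."""
    return terminal_intervals(module, o) == {si_tr}

# Constructed Z1: p1 -t1-> p2, and p2 feeds both t2 and t3. The static intervals are
# chosen so that firing t1 yields the class of Section 2.1: D(t2) = [1, 6],
# D(t3) = [4, 10], ST = [1, 4].
Z1 = TPN(pre={"t1": ["p1"], "t2": ["p2"], "t3": ["p2"]},
         post={"t1": ["p2"], "t2": ["p3"], "t3": ["p4"]},
         si={"t1": (1, 4), "t2": (0, 2), "t3": (3, 6)}, m0={"p1": 1})

def z1_class_after_t1():
    return fire(Z1, Z1.initial_class(), "t1")

# Constructed module like B2: i -t11-> p12 -t12-> o, SI(t11) = [0, 1], SI(t12) = [1, 5].
B2 = TPN(pre={"t11": ["i"], "t12": ["p12"]}, post={"t11": ["p12"], "t12": ["o"]},
         si={"t11": (0, 1), "t12": (1, 5)}, m0={"i": 1})

if __name__ == "__main__":
    c = z1_class_after_t1()
    print("D =", c[1], "ST =", c[2], "t3 firable without/with rule (3):",
          firable(Z1, c, "t3", use_rule3=False), firable(Z1, c, "t3"))
    print("B2 terminal ST:", terminal_intervals(B2, "o"), "== SI(tr) [1, 6]:",
          theorem1_condition(B2, "o", (1, 6)))
```

Without condition (3) the engine would let $t_3$ fire from the class quoted in Section 2.1, exactly the wrong firing the text describes; with it, $t_3$ is rejected because $SEFT(t_3) = 3 > SLFT(t_2) = 2$.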

3.2. Property Preservation

For a refinement operation, if the above criterion of behavior preservation is met, then
the following theorems also hold.

THEOREM 2. If $Z'$ is $K'$-bounded, so is $Z$.

PROOF. For $\sigma \in L(Z)$, according to behavior preservation, there exists $\sigma' \in L(Z')$ such that
$\sigma'|_U = \sigma|_U$ holds. Obviously, for $p \in P - \{r_i, r_o\}$,
$M(p) = M'(p) \le K'$ holds, where $(Z, \sigma) = (M, D, ST)$ and $(Z', \sigma') = (M', D', ST')$.
Furthermore, according to Definition 5, we know $M(r_i) \le 1$ and $M(r_o) \le 1$. Therefore,
$\forall p \in P$, $M(p) \le K'$ holds, that is, $Z$ is $K'$-bounded.

Fig. 3. TPN model.

Fig. 4. State class reachability trees of TPNs $Z_2$, $Z_2^{B_1}$ and $Z_2^{B_2}$.

THEOREM 3. If $Z$ and $B$ are bounded, so is $Z'$.

PROOF. Let the original net $Z$ and module $B$ be $K$-bounded and $K_B$-bounded respectively;
then the extended net $\bar{B}$ of module $B$ is also $K_B$-bounded. For $\sigma' \in L(Z')$,
according to behavior preservation, we know $\sigma'|_U \in L(Z)|_U$, namely, $\exists \sigma \in L(Z)$ such that
$\sigma|_U = \sigma'|_U$ holds. Suppose that $(Z', \sigma') = (M', D', ST')$ and $(Z, \sigma) = (M, D, ST)$.
Then $\forall p \in P - \{r_i, r_o\}$, $M'(p) = M(p) \le K$ holds. Following Theorem 1, there exists
$\sigma_B \in L(\bar{B})$, where $(\bar{B}, \sigma_B) = (M_B, D_B, ST_B)$, such that $M'(p) = M_B(p)$ for
$p \in P_B - \{i, o\}$. It is obvious that $M'(p_i) \le M_B(i) \le K_B$ and $M'(p_o) \le M_B(o) \le K_B$.
Therefore, $\forall p \in P'$, $M'(p) \le \max\{K, K_B\}$ holds, and thus $Z'$ is bounded.

Fig. 5. TPN models of a real-time manufacture process.

Fig. 6. Refined TPN model $Z'$ of a real-time manufacture process.
THEOREM 4. If $Z'$ is live, so is $Z$.

PROOF. Let $\sigma \in L(Z)$; following behavior preservation, $\sigma|_U \in L(Z')|_U$ holds, i.e.,
$\exists \sigma' \in L(Z')$ such that $\sigma'|_U = \sigma|_U$. Since $Z'$ is live, $\forall t \in T$, there is a sequence $\sigma_1'$
composed of elements in $T'$ such that $\sigma' \sigma_1' t \in L(Z')$ holds. Moreover, from behavior preservation,
we know that $(\sigma' \sigma_1' t)|_U \in L(Z)|_U$ holds. According to the proof of Theorem
1, we know that there exists a sequence $\sigma_1$ composed of elements in $T$, satisfying
$\sigma_1|_U = \sigma_1'|_U$ and $\sigma \sigma_1 t \in L(Z)$. Therefore, $Z$ is live.
Table II. The Description of State Classes of $Z_2^{B_1}$

1: $C_{20}^{B_1} = (M_{20}^{B_1}, D_{20}^{B_1}, ST_{20}^{B_1})$: $M_{20}^{B_1} = p_1$, $D_{20}^{B_1} = \{D_{20}^{B_1}(t_1) = [3, 3]\}$, $ST_{20}^{B_1} = [0, 0]$
2: $C_{21}^{B_1} = (M_{21}^{B_1}, D_{21}^{B_1}, ST_{21}^{B_1})$: $M_{21}^{B_1} = p_{11} + p_4$, $D_{21}^{B_1} = \{D_{21}^{B_1}(t_{11}) = [3, 4], D_{21}^{B_1}(t_3) = [6, 7]\}$, $ST_{21}^{B_1} = [3, 3]$
3: $C_{22}^{B_1} = (M_{22}^{B_1}, D_{22}^{B_1}, ST_{22}^{B_1})$: $M_{22}^{B_1} = p_{12} + p_4$, $D_{22}^{B_1} = \{D_{22}^{B_1}(t_{12}) = [3, 4], D_{22}^{B_1}(t_3) = [6, 7]\}$, $ST_{22}^{B_1} = [3, 4]$
4: $C_{23}^{B_1} = (M_{23}^{B_1}, D_{23}^{B_1}, ST_{23}^{B_1})$: $M_{23}^{B_1} = p_{13} + p_4$, $D_{23}^{B_1} = \{D_{23}^{B_1}(t_2) = [4, 5], D_{23}^{B_1}(t_3) = [6, 7]\}$, $ST_{23}^{B_1} = [3, 4]$
5: $C_{24}^{B_1} = (M_{24}^{B_1}, D_{24}^{B_1}, ST_{24}^{B_1})$: $M_{24}^{B_1} = p_6$, $D_{24}^{B_1} = \emptyset$, $ST_{24}^{B_1} = [4, 5]$

Table III. The Description of State Classes of $Z_2^{B_2}$

1: $C_{20}^{B_2} = (M_{20}^{B_2}, D_{20}^{B_2}, ST_{20}^{B_2})$: $M_{20}^{B_2} = p_1$, $D_{20}^{B_2} = \{D_{20}^{B_2}(t_1) = [3, 3]\}$, $ST_{20}^{B_2} = [0, 0]$
2: $C_{21}^{B_2} = (M_{21}^{B_2}, D_{21}^{B_2}, ST_{21}^{B_2})$: $M_{21}^{B_2} = p_{11} + p_4$, $D_{21}^{B_2} = \{D_{21}^{B_2}(t_{11}) = [3, 4], D_{21}^{B_2}(t_3) = [6, 7]\}$, $ST_{21}^{B_2} = [3, 3]$
3: $C_{22}^{B_2} = (M_{22}^{B_2}, D_{22}^{B_2}, ST_{22}^{B_2})$: $M_{22}^{B_2} = p_{12} + p_4$, $D_{22}^{B_2} = \{D_{22}^{B_2}(t_{12}) = [4, 9], D_{22}^{B_2}(t_3) = [6, 7]\}$, $ST_{22}^{B_2} = [3, 4]$
4: $C_{23}^{B_2} = (M_{23}^{B_2}, D_{23}^{B_2}, ST_{23}^{B_2})$: $M_{23}^{B_2} = p_{13} + p_4$, $D_{23}^{B_2} = \{D_{23}^{B_2}(t_2) = [5, 8], D_{23}^{B_2}(t_3) = [6, 7]\}$, $ST_{23}^{B_2} = [4, 7]$
5: $C_{24}^{B_2} = (M_{24}^{B_2}, D_{24}^{B_2}, ST_{24}^{B_2})$: $M_{24}^{B_2} = p_{12} + p_5$, $D_{24}^{B_2} = \emptyset$, $ST_{24}^{B_2} = [6, 7]$
6: $C_{25}^{B_2} = (M_{25}^{B_2}, D_{25}^{B_2}, ST_{25}^{B_2})$: $M_{25}^{B_2} = p_6$, $D_{25}^{B_2} = \emptyset$, $ST_{25}^{B_2} = [5, 7]$
7: $C_{26}^{B_2} = (M_{26}^{B_2}, D_{26}^{B_2}, ST_{26}^{B_2})$: $M_{26}^{B_2} = p_{13} + p_5$, $D_{26}^{B_2} = \emptyset$, $ST_{26}^{B_2} = [6, 7]$

THEOREM 5. If $Z$ and $B$ are live, so is $Z'$.

PROOF. Let $\sigma' \in L(Z')$, and $(Z', \sigma') = (M', D', ST')$. According to behavior preservation,
$\sigma'|_U \in L(Z)|_U$ holds, i.e., $\exists \sigma \in L(Z)$ such that $\sigma|_U = \sigma'|_U$. For $t \in T'$, two cases,
$t \in T - \{t_r\}$ and $t \in T_B$, are considered.

Case 1. If $t \in T - \{t_r\}$, since $Z$ is live, there exists a sequence $\sigma_1$ composed of elements
in $T$ such that $\sigma \sigma_1 t \in L(Z)$. If $\sigma_1$ does not include $t_r$, then $\sigma' \sigma_1 t \in L(Z')$
holds. Otherwise, suppose that $\sigma_1 = \sigma^1 t_r \sigma^2 t_r \cdots t_r \sigma^{n-1} t_r \sigma^n$, where each sequence
$\sigma^i$ is composed of elements in $T - \{t_r\}$. Following the proof of Theorem 1, the $i$th occurrence of
$t_r$ can be simulated by a sequence $\sigma_i^B$, where $\sigma_1^B t_0^B \sigma_2^B t_0^B \cdots t_0^B \sigma_n^B \in L(\bar{B})$ and $t_0^B$ is the
additional transition in $\bar{B}$. Thus we can construct a corresponding sequence $\sigma_1'$ composed
of elements in $T'$ such that $\sigma_1'|_U = \sigma_1|_U$ and $\sigma' \sigma_1' t \in L(Z')$. Therefore, $t$ is live
in $Z'$.

Case 2. If $t \in T_B$, according to the proof of Theorem 1, we know that $\exists \sigma_B \in L(\bar{B})$,
$(\bar{B}, \sigma_B) = (M_B, D_B, ST_B)$, such that $\forall p \in P_B - \{i, o\}$, $M'(p) = M_B(p)$ holds. (1) If $M_B =
M_0^B$, i.e., $B$ is in the state of the initial marking, then from the liveness of $Z$, we know
that there exists a sequence $\sigma_1$ composed of elements in $T$ such that $\sigma' \sigma_1 \in L(Z')$
and $M_1'(p) = M_B(p)$ for $p \in P_B$, where $(Z', \sigma' \sigma_1) = (M_1', D_1', ST_1')$, i.e., $M_1'(p_i) = 1$.
Since $B$ is live, there exists a sequence $\sigma_1^B$ composed of transitions in $\bar{B}$ such that
$\sigma_B \sigma_1^B t \in L(\bar{B})$. Suppose that there is no additional transition $t_0^B$ in $\sigma_1^B$; then we can
directly get the result $\sigma' \sigma_1 \sigma_1^B t \in L(Z')$. If there is an additional transition $t_0^B$ in $\sigma_1^B$,
obviously the firing of $t_0^B$ results in the tokens in place $o$ transferring into place $i$. Since $Z$ is
live, for every occurrence of transition $t_0^B$ in $\sigma_1^B$, there always exists a sequence $\sigma_i$
composed of elements in $T$ that transfers the token in $p_o$ into $p_i$. In this way, a new sequence
$\sigma_2$ is generated, such that $\sigma' \sigma_1 \sigma_2 \in L(Z')$, and $t$ can fire at $(Z', \sigma' \sigma_1 \sigma_2)$. (2)
If $M_B \ne M_0^B$, that is, at this time $B$ is not in the state of the initial marking, then
according to the liveness of $B$, there exists a sequence $\sigma_1^B$ such that $\sigma_B \sigma_1^B t \in L(\bar{B})$.
In the same way as (1), after considering the different cases of $\sigma_1^B$, we conclude that there
exists $\sigma_2$ such that $\sigma' \sigma_2 t \in L(Z')$. Therefore, $t$ is live in $Z'$.

Algorithm 1: A reachability decidability algorithm of refined TPN

Input: reachability trees $RT(Z, C_0)$ and $RT(B, C_0^B)$, marking $M_d$, time $\tau_d$
Output: a Boolean variable Exist
Exist ← False; ZS ← ∅; BS ← ∅;
$M_d \leftarrow M_d|_{(P - \{r_i, r_o\})}$; $M_d^B \leftarrow M_d|_{(P_B - \{i, o\})}$;
Traverse tree $RT(Z, C_0)$, find all possible states $C = (M, D, ST)$ satisfying
$M|_{(P - \{r_i, r_o\})} = M_d$ and $LB \le \tau_d \le RB$, and record them into the set ZS.
IF ZS ≠ ∅ THEN {
  Traverse tree $RT(B, C_0^B)$, find all possible states $C_B = (M_B, D_B, ST_B)$ satisfying
  $M_B|_{(P_B - \{i, o\})} = M_d^B$, then orderly record them into the set BS.
  IF BS ≠ ∅ THEN {
    FOR every element $C = (M, D, ST)$ in the set ZS DO {
      Compute the sequence $\sigma$ satisfying $(Z, \sigma) = C$;
      IF there is no marking in $\sigma$ enabling $t_r$ THEN {
        IF $\exists C_B \in$ BS such that $M_B = M_0^B$ THEN Exist ← True }
      ELSEIF $t_r$ cannot be enabled any more after a post-set element of $r_o$ fires
      for the last time during $\sigma$ THEN
        IF $\exists C_B \in$ BS such that $M_B = M_0^B$ THEN Exist ← True
      ELSE {
        Take the beginning state at which $t_r$ is enabled for the last time during $\sigma$,
        $C_i = (M_i, D_i, ST_i)$, where $ST_i = [LB_i, RB_i]$;
        IF $\exists C_B \in$ BS such that $LB_i + LB_B \le \tau_d \le RB_i + RB_B$ THEN
        Exist ← True }}}}
On the ground of behavior preservation, the refinement operation of TPN can also
preserve boundedness and liveness. These results are useful for analyzing and verifying large complex systems. By analyzing and verifying the relatively smaller models,
we can derive the properties of a complex one, thereby alleviating the state space explosion problem and reducing the analysis complexity.
4. REACHABILITY OF REFINED TPN

Based on behavior preservation, the reachability problem of a refined TPN can be
solved by the reachability trees of its original net and module, i.e., given a marking
$M_d$ and a time $\tau_d$, the problem is whether there exists a reachable state of $Z'$, $C' =
(M', D', ST')$, such that $M' = M_d$ and $LB' \le \tau_d \le RB'$. To solve this problem, we
introduce two sets, ZS and BS, to store the useful information respectively. In detail,
ZS is a set composed of the states $C = (M, D, ST)$ of $Z$ such that $M|_{(P - \{r_i, r_o\})} =
M_d|_{(P - \{r_i, r_o\})}$ and $LB \le \tau_d \le RB$, and BS is a set composed of the states $C_B =
(M_B, D_B, ST_B)$ of $B$ such that $M_B|_{(P_B - \{i, o\})} = M_d^B$. The reachability decidability
algorithm is given as Algorithm 1.
This algorithm is based on the behavior preservation of a refinement operation,
which ensures that there is a corresponding relationship between the original and
refined nets, and also that the relationship meets the same time constraint. Consequently,
for the decided marking, according to a given marking arrival time, we find its matching
states in the reachability tree of $Z$ and record them in the set ZS; in a similar way, we find its
matching states in the reachability tree of $B$ and record them in the set BS. Because there
is a corresponding relationship between a firing sequence of the original net and that
of the refined net, the firing sequence $\sigma$ of every state in ZS is found and discussed in
the following two cases.
(1) If $t_r$ cannot be enabled at any reachability state in $\sigma$, similarly to Case 1 in the proof of Theorem
1, it follows that $\forall t \in T_B$, $t$ cannot fire in $Z'$. Therefore, if the initial
marking of $B$ is in BS, then it is ensured that marking $M_d$ is reachable
at the given time $\tau_d$ in $Z'$.
(2) If there exists a reachability state in sequence $\sigma$ that can enable $t_r$, then two different subcases arise.
(2.1) After the post-set elements of place $r_o$ fire for the last time, $t_r$ cannot be enabled
any more at any possible reachability state, which is similar to the third case
in the proof of Theorem 1, and hence all firings of $t_r$ have finished. At this
time, $B$ has been executed in $Z'$, has entered a terminal state, and is waiting for the
next execution; that is, it corresponds to the first case.
(2.2) Otherwise, the case is similar to Cases 2 and 4 in the proof of Theorem 1. Determine the beginning state at which $t_r$ is enabled for the last time during $\sigma$. According to
its global arriving time interval, for its corresponding state in BS, calculate
the global arriving time interval in $Z'$. If the given time condition is met, then
the decided marking is reachable at the given time.
In a way similar to the proof of Theorem 1, the correctness of the algorithm can be proved.
Suppose that the numbers of CS-classes in the reachability trees of $Z$ and $B$ are $m$ and $n$, respectively, where $m, n > 1$. First, at most $m + n$ comparisons are needed to determine the elements of the sets $ZS$ and $BS$ by traversing the reachability trees of $Z$ and $B$. Second, a firing sequence that leads to a CS-class $C$ is determined solely by the path from the root node to node $C$; clearly, finding all paths from the root node to the other nodes of the reachability tree of $Z$ needs at most $m^2$ iterations. Finally, for every element of $ZS$, all elements of $BS$ have to be checked to determine whether a solution exists, which takes at most $m \cdot n$ iterations. Therefore, the worst-case computational complexity of this algorithm is $O(\max(m^2, m \cdot n))$, measured in the numbers of state classes of the two trees rather than in the size of the nets.
5. A CASE STUDY

In this section, the above refinement operation method of TPN is applied to the design, modeling and analysis of a real-time manufacturing process. A component is assembled from two parts, A and B, each of which must be processed first; the assembly process is carried out after both are completed. Part A must visit machine 1 and then machine 2, and both machines 1 and 2 need tool 1. Part B is processed by a processing subsystem: it is first processed on machine 3 and then takes one of two alternative routes, either machine 5 followed by machine 6, or machine 4. Machines 3, 4, and 5 need tool 2. Moreover, parts are transferred via a conveyor.

Fig. 7. State class reachability trees of TPNs: (a) the original net Z and (b) the module B.
According to the above system description, we design a TPN model $Z$, given in Figure 5(a), and a module $B$ for part B's processing subsystem, shown in Figure 5(b). The meanings of their places and transitions are described in Table IV. Every transition is associated with a time interval, as shown in Figure 2, which stands for the execution time of its corresponding process shown in Figure 5.
Module $B$ conforms to the definition of a TPN module, and it is easy to verify that place $r_i$ is safe in model $Z$. With the refinement operation of TPN presented above, $t_r$ in $Z$ is replaced with module $B$, resulting in the refined TPN $Z'$ shown in Figure 6.
The state class reachability trees of TPNs $Z$ and $B$ are shown in Figure 7(a) and Figure 7(b), respectively, and the state classes are described in Table V. The markings of state classes $C_{23}$ and $C_{26}$ are the terminal markings of module $B$, and their global time intervals satisfy $ST_{23} = ST_{26} = SI(t_r)$. Thus the conditions of Theorem 1 are met, and the refinement operation $Z \xrightarrow{B/t_r} Z'$ satisfies behavior preservation.
According to the reachability trees in Figure 7, both $Z$ and $B$ are bounded. Hence, by Theorem 3, $Z'$ is also bounded. Model $Z$ represents one process in the whole system; if places $p_6$ and $p_1$ are connected by a transition with firing time interval $[0, 0]$, an extended net of $Z$ (denoted $\bar{Z}$) is generated that represents the continuous execution of the manufacturing process. It is easy to verify that $\bar{Z}$ is live, and that the extended net $\bar{B}$ is live as well. Hence, by Theorem 5, the extended refined net $\bar{Z}'$ is also live.
Furthermore, based on behavior preservation, we can decide the reachability of the refined net $Z'$. Suppose the problem is whether the marking $M' = p_4 + p_8 + p_{14} + p_{16}$ is reachable at time $\tau = 42$, that is, whether at time 42 part A has been transferred to machine 2 by the conveyor while, at the same time, part B has been finished by machine 5 and is waiting to be transferred to machine 6.
Table IV. Meanings of Places and Transitions in Figure 5

Element   Meaning
p1        start a process
p2        part A on machine 1
p3        finish processing on machine 1, and wait for transfer
p4        part A on machine 2
p5        finish processing on machine 2, and wait for assembly
p6        finish a process
p7        tool 1 available for machine 1
p8        tool 1 available for machine 2
p11       part B on machine 3 (Figure 3)
p12       finish processing on machine 3, and wait for transfer
p13       part B on machine 4 or machine 5
p14       finish processing on machine 5, and wait for transfer
p15       part B on machine 6
p16       tool 2 available for machine 3
p17       tool 2 available for machines 4 and 5
p18       finish processing of part B, and wait for assembly (Figure 3)
ri        part B entering the processing subsystem
ro        finish processing subsystem, and wait for assembly
i         start processing of part B
o         finish processing of part B
t1        transfer a part
t2        process on machine 1
t3        transfer part A by conveyor
t4        process on machine 2
t5        assemble part A and part B
t11       process on machine 3
t12       transfer part B by conveyor
t13       process on machine 4
t14       process on machine 5
t15       transfer part B by conveyor
t16       process on machine 6
tr        process subsystem

To solve this problem, the above reachability decidability algorithm is applied. First, $M = M'|_{P \setminus \{r_i, r_o\}} = p_4 + p_8$ and $M_B = M'|_{P_B \setminus \{i, o\}} = p_{14} + p_{16}$. There are $C_9$, $C_{12}$, and $C_{13}$ in the reachability tree $RT(Z, C_0)$ satisfying $M_9|_{P \setminus \{r_i, r_o\}} = M$ with $\tau \in ST_9$, $M_{12}|_{P \setminus \{r_i, r_o\}} = M$ with $\tau \in ST_{12}$, and $M_{13}|_{P \setminus \{r_i, r_o\}} = M$ with $\tau \in ST_{13}$. Then there is $C_{24}$ in the reachability tree $RT(B, C_{20})$ satisfying $M_{24}|_{P_B \setminus \{i, o\}} = M_B$. For $C_9$, $\sigma = t_1 t_2 t_r t_3$ is a corresponding firing sequence such that $(E, \sigma) = C_9$. It is then determined that $t_r$ began to be enabled at $C_1$, with global time interval $ST_1 = [3, 5]$, before its firing in $\sigma$. Hence, the arrival time interval of $C_{24}$ in $Z'$ is $ST_1 + ST_{24} = [3, 5] + [30, 38] = [33, 43]$. Obviously, $\tau = 42 \in ST_1 + ST_{24}$. Thus there exists a firing sequence in $Z'$ that reaches $M'$ at time $\tau$.
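The computation just carried out, together with the two-case analysis of Section 4 behind it, is reproduced below in Python as an added example; this is not code from the paper, which gives no implementation. The state classes of Table V and the tree edges of Figure 7 are transcribed as data; `StateClass`, `decide_reachability`, `terminal_times_match` and the other names are this example's own, and one entry of Table V is read as $D_9(t_4)$ rather than the printed $D_9(t_3)$, because $p_4 + p_8$ enables $t_4$. The block first checks the Theorem 1 condition $ST_{23} = ST_{26} = SI(t_r)$ from the same data and then decides the question of Section 5, returning the witness $C_9$, $C_1$, $C_{24}$ and $[33, 43]$ that the text derives by hand.

```python
# Added example, not the authors' code: the Section 4 decision procedure run on the
# Section 5 case study. Classes and tree edges are transcribed from Table V and Fig. 7.
from typing import NamedTuple

Interval = tuple[int, int]

class StateClass(NamedTuple):   # CS-class <M, D, ST>
    marking: dict               # place -> tokens
    st: Interval                # global arrival-time interval ST = [LB, RB]
    enabled: dict               # D: enabled transition -> global firing interval

def sc(places: str, st: Interval, **enabled: Interval) -> StateClass:
    return StateClass({p: 1 for p in places.split()}, st, enabled)  # safe net: one token per place

def restrict(marking: dict, hidden: set) -> dict:   # projection M|P\hidden
    return {p: n for p, n in marking.items() if p not in hidden and n > 0}

Z_CLASSES = {  # original net Z, Table V rows C0..C18 (D9 is listed for t4, which p4 + p8 enables)
    "C0": sc("p1 p7", (0, 0), t1=(3, 5)),
    "C1": sc("p2 p7 ri", (3, 5), t2=(33, 45), tr=(40, 51)),
    "C2": sc("p2 p7 ro", (40, 45), t2=(40, 45)),
    "C3": sc("p3 p8 ro", (40, 45), t3=(43, 48)),
    "C4": sc("p4 p8 ro", (43, 48), t4=(55, 68)),
    "C5": sc("p5 p7 ro", (55, 68), t5=(67, 83)),
    "C6": sc("p6 p7", (67, 83)),
    "C7": sc("p3 p8 ri", (33, 45), t3=(36, 48), tr=(40, 51)),
    "C8": sc("p3 p8 ro", (40, 45), t3=(40, 48)),
    "C9": sc("p4 p8 ro", (40, 48), t4=(52, 68)),
    "C10": sc("p5 p7 ro", (52, 68), t5=(64, 83)),
    "C11": sc("p6 p7", (64, 83)),
    "C12": sc("p4 p8 ri", (36, 48), t4=(48, 68), tr=(40, 51)),
    "C13": sc("p4 p8 ro", (40, 51), t4=(48, 68)),
    "C14": sc("p5 p7 ro", (48, 68), t5=(60, 83)),
    "C15": sc("p6 p7", (60, 83)),
    "C16": sc("p5 p7 ri", (48, 51), tr=(48, 51)),
    "C17": sc("p5 p7 ro", (48, 51), t5=(60, 71)),
    "C18": sc("p6 p7", (60, 71)),
}
Z_EDGES = {  # RT(Z, C0) of Fig. 7(a): parent -> [(fired transition, child)]
    "C0": [("t1", "C1")], "C1": [("tr", "C2"), ("t2", "C7")], "C2": [("t2", "C3")], "C3": [("t3", "C4")],
    "C4": [("t4", "C5")], "C5": [("t5", "C6")], "C7": [("tr", "C8"), ("t3", "C12")], "C8": [("t3", "C9")],
    "C9": [("t4", "C10")], "C10": [("t5", "C11")], "C12": [("tr", "C13"), ("t4", "C16")],
    "C13": [("t4", "C14")], "C14": [("t5", "C15")], "C16": [("tr", "C17")], "C17": [("t5", "C18")]}
B_CLASSES = {  # module B, Table V rows C20..C26
    "C20": sc("i p16", (0, 0), t11=(16, 17)),
    "C21": sc("p12 p17", (16, 17), t12=(19, 20)),
    "C22": sc("p13 p17", (19, 20), t13=(37, 46), t14=(30, 38)),
    "C23": sc("o p16", (37, 46)),
    "C24": sc("p14 p16", (30, 38), t15=(33, 41)),
    "C25": sc("p15 p16", (33, 41), t16=(37, 46)),
    "C26": sc("o p16", (37, 46)),
}
B_EDGES = {  # RT(B, C20) of Fig. 7(b)
    "C20": [("t11", "C21")], "C21": [("t12", "C22")], "C22": [("t13", "C23"), ("t14", "C24")],
    "C24": [("t15", "C25")], "C25": [("t16", "C26")]}
SI_TR = (40 - 3, 51 - 5)   # SI(tr) recovered from Table V as D1(tr) - ST1 = [37, 46]

def terminal_times_match(b_classes: dict, b_edges: dict, si_tr: Interval) -> bool:
    """Theorem 1 condition checked in Section 5: every terminal class of B arrives exactly in SI(tr)."""
    terminals = [n for n in b_classes if not b_edges.get(n)]
    return bool(terminals) and all(b_classes[n].st == si_tr for n in terminals)

def path_states(edges: dict, root: str, target: str) -> list:
    """Classes on the unique root-to-target path, i.e. the trace of the firing sequence reaching target."""
    parent = {child: s for s, kids in edges.items() for _, child in kids}
    path = [target]
    while path[-1] != root:
        path.append(parent[path[-1]])
    return path[::-1]

def last_enabling_start(states: list, classes: dict, tr: str):
    """Class at which tr became enabled for the last time along the path (case (2.2) of Section 4)."""
    start, prev = None, False
    for s in states:
        now = tr in classes[s].enabled
        start, prev = (s if now and not prev else start), now
    return start

def decide_reachability(z_classes, z_edges, z_root, b_classes, b_root, md, tau,
                        tr="tr", ri="ri", ro="ro", i="i", o="o"):
    """Is marking md reachable in the refined net Z' at global time tau? Returns (answer, witness)."""
    z_places = {p for c in z_classes.values() for p in c.marking} - {ri, ro}
    b_places = {p for c in b_classes.values() for p in c.marking} - {i, o}
    m_z = {p: n for p, n in md.items() if p in z_places}   # Md restricted to P \ {ri, ro}
    m_b = {p: n for p, n in md.items() if p in b_places}   # Md restricted to PB \ {i, o}
    zs = [n for n, c in z_classes.items() if restrict(c.marking, {ri, ro}) == m_z and c.st[0] <= tau <= c.st[1]]
    bs = [n for n, c in b_classes.items() if restrict(c.marking, {i, o}) == m_b]
    b_idle = restrict(b_classes[b_root].marking, {i, o}) == m_b   # initial marking of B lies in BS
    for cz in zs:
        if not (z_classes[cz].marking.get(ri) or z_classes[cz].marking.get(ro)):   # cases (1)/(2.1)
            if b_idle:   # tr never enabled, or its last run fully consumed: B must be idle
                return True, (cz, None, b_root, z_classes[cz].st)
            continue
        start = last_enabling_start(path_states(z_edges, z_root, cz), z_classes, tr)
        for cb in bs:   # case (2.2): add tr's last enabling interval to B's own arrival interval
            arrival = (z_classes[start].st[0] + b_classes[cb].st[0], z_classes[start].st[1] + b_classes[cb].st[1])
            if arrival[0] <= tau <= arrival[1]:
                return True, (cz, start, cb, arrival)
    return False, None
```

Calling `decide_reachability(Z_CLASSES, Z_EDGES, "C0", B_CLASSES, "C20", {"p4": 1, "p8": 1, "p14": 1, "p16": 1}, 42)` returns `(True, ("C9", "C1", "C24", (33, 43)))`, the hand derivation above. Asking the same question at $\tau = 50$ returns `(False, None)`: $C_{13}$ (with $ST_{13} = [40, 51]$) still enters $ZS$, but $50 \notin [33, 43]$. Only the $m + n$ membership tests, the path walks in $RT(Z, C_0)$ and the $|ZS| \cdot |BS|$ interval checks of Section 4 are performed; no state of $Z'$ is ever generated.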
6. CONCLUSIONS

By replacing a transition or place in an original net with a subnet, the refinement operation of Petri nets implements the stepwise refinement of a Petri net model, which supports a top-down design method well. Based on the idea of divide and conquer, the property preservation of a refinement operation helps to decrease the analysis complexity and to alleviate the state explosion problem. This article mainly presents the following work.
(1) It defines a type of refinement operation for time Petri nets. This simply structured model can well support the refinement design and modeling of real-time systems, such as workflows [Li et al. 2003, 2004; Van der Aalst 2000], command and control systems [Wang et al. 2000], embedded systems [Cho et al. 2010; Hu et al. 2009] and manufacturing systems [Fanti and Zhou 2004; Hu and Li 2009b; Jeng et al. 2004; Lee et al. 2007; Zhou et al. 1992, 1993].
Table V. The Description of State Classes

$C_0 = \langle M_0, D_0, ST_0 \rangle$: $M_0 = p_1 + p_7$, $D_0 = \{D_0(t_1) = [3, 5]\}$, $ST_0 = [0, 0]$
$C_1 = \langle M_1, D_1, ST_1 \rangle$: $M_1 = p_2 + p_7 + r_i$, $D_1 = \{D_1(t_2) = [33, 45], D_1(t_r) = [40, 51]\}$, $ST_1 = [3, 5]$
$C_2 = \langle M_2, D_2, ST_2 \rangle$: $M_2 = p_2 + p_7 + r_o$, $D_2 = \{D_2(t_2) = [40, 45]\}$, $ST_2 = [40, 45]$
$C_3 = \langle M_3, D_3, ST_3 \rangle$: $M_3 = p_3 + p_8 + r_o$, $D_3 = \{D_3(t_3) = [43, 48]\}$, $ST_3 = [40, 45]$
$C_4 = \langle M_4, D_4, ST_4 \rangle$: $M_4 = p_4 + p_8 + r_o$, $D_4 = \{D_4(t_4) = [55, 68]\}$, $ST_4 = [43, 48]$
$C_5 = \langle M_5, D_5, ST_5 \rangle$: $M_5 = p_5 + p_7 + r_o$, $D_5 = \{D_5(t_5) = [67, 83]\}$, $ST_5 = [55, 68]$
$C_6 = \langle M_6, D_6, ST_6 \rangle$: $M_6 = p_6 + p_7$, $D_6 = \emptyset$, $ST_6 = [67, 83]$
$C_7 = \langle M_7, D_7, ST_7 \rangle$: $M_7 = p_3 + p_8 + r_i$, $D_7 = \{D_7(t_3) = [36, 48], D_7(t_r) = [40, 51]\}$, $ST_7 = [33, 45]$
$C_8 = \langle M_8, D_8, ST_8 \rangle$: $M_8 = p_3 + p_8 + r_o$, $D_8 = \{D_8(t_3) = [40, 48]\}$, $ST_8 = [40, 45]$
$C_9 = \langle M_9, D_9, ST_9 \rangle$: $M_9 = p_4 + p_8 + r_o$, $D_9 = \{D_9(t_4) = [52, 68]\}$, $ST_9 = [40, 48]$
$C_{10} = \langle M_{10}, D_{10}, ST_{10} \rangle$: $M_{10} = p_5 + p_7 + r_o$, $D_{10} = \{D_{10}(t_5) = [64, 83]\}$, $ST_{10} = [52, 68]$
$C_{11} = \langle M_{11}, D_{11}, ST_{11} \rangle$: $M_{11} = p_6 + p_7$, $D_{11} = \emptyset$, $ST_{11} = [64, 83]$
$C_{12} = \langle M_{12}, D_{12}, ST_{12} \rangle$: $M_{12} = p_4 + p_8 + r_i$, $D_{12} = \{D_{12}(t_4) = [48, 68], D_{12}(t_r) = [40, 51]\}$, $ST_{12} = [36, 48]$
$C_{13} = \langle M_{13}, D_{13}, ST_{13} \rangle$: $M_{13} = p_4 + p_8 + r_o$, $D_{13} = \{D_{13}(t_4) = [48, 68]\}$, $ST_{13} = [40, 51]$
$C_{14} = \langle M_{14}, D_{14}, ST_{14} \rangle$: $M_{14} = p_5 + p_7 + r_o$, $D_{14} = \{D_{14}(t_5) = [60, 83]\}$, $ST_{14} = [48, 68]$
$C_{15} = \langle M_{15}, D_{15}, ST_{15} \rangle$: $M_{15} = p_6 + p_7$, $D_{15} = \emptyset$, $ST_{15} = [60, 83]$
$C_{16} = \langle M_{16}, D_{16}, ST_{16} \rangle$: $M_{16} = p_5 + p_7 + r_i$, $D_{16} = \{D_{16}(t_r) = [48, 51]\}$, $ST_{16} = [48, 51]$
$C_{17} = \langle M_{17}, D_{17}, ST_{17} \rangle$: $M_{17} = p_5 + p_7 + r_o$, $D_{17} = \{D_{17}(t_5) = [60, 71]\}$, $ST_{17} = [48, 51]$
$C_{18} = \langle M_{18}, D_{18}, ST_{18} \rangle$: $M_{18} = p_6 + p_7$, $D_{18} = \emptyset$, $ST_{18} = [60, 71]$
$C_{20} = \langle M_{20}, D_{20}, ST_{20} \rangle$: $M_{20} = i + p_{16}$, $D_{20} = \{D_{20}(t_{11}) = [16, 17]\}$, $ST_{20} = [0, 0]$
$C_{21} = \langle M_{21}, D_{21}, ST_{21} \rangle$: $M_{21} = p_{12} + p_{17}$, $D_{21} = \{D_{21}(t_{12}) = [19, 20]\}$, $ST_{21} = [16, 17]$
$C_{22} = \langle M_{22}, D_{22}, ST_{22} \rangle$: $M_{22} = p_{13} + p_{17}$, $D_{22} = \{D_{22}(t_{13}) = [37, 46], D_{22}(t_{14}) = [30, 38]\}$, $ST_{22} = [19, 20]$
$C_{23} = \langle M_{23}, D_{23}, ST_{23} \rangle$: $M_{23} = o + p_{16}$, $D_{23} = \emptyset$, $ST_{23} = [37, 46]$
$C_{24} = \langle M_{24}, D_{24}, ST_{24} \rangle$: $M_{24} = p_{14} + p_{16}$, $D_{24} = \{D_{24}(t_{15}) = [33, 41]\}$, $ST_{24} = [30, 38]$
$C_{25} = \langle M_{25}, D_{25}, ST_{25} \rangle$: $M_{25} = p_{15} + p_{16}$, $D_{25} = \{D_{25}(t_{16}) = [37, 46]\}$, $ST_{25} = [33, 41]$
$C_{26} = \langle M_{26}, D_{26}, ST_{26} \rangle$: $M_{26} = o + p_{16}$, $D_{26} = \emptyset$, $ST_{26} = [37, 46]$


(2) It investigates the behavior and property preservation of the refinement operation and establishes the corresponding preservation conditions, which provide theoretical support for system behavior analysis and property verification.
(3) It develops a reachability decidability algorithm. With this algorithm, the reachability of a refined TPN can be decided from the reachability trees of the original net and its modules; it is unnecessary to generate the whole reachability tree of the refined TPN. Therefore, the burden of the state space explosion problem can be effectively reduced, which is very helpful for state identification and model checking of complex systems.
Additional properties, such as reversibility and fairness, which support the qualitative analysis of complex systems, still need to be discussed. Moreover, quantitative analysis of complex systems based on the refinement operation, such as turnaround time and throughput, is another research direction. The safeness requirement on the input place of the refined transition can be a major limitation in some real-time systems, and the extension to more general cases requires additional work.

APPENDIX A

PROOF OF THEOREM 1. To prove $L(Z')|_U = L(Z)|_U$, we need to prove that $L(Z')|_U \subseteq L(Z)|_U$ and $L(Z)|_U \subseteq L(Z')|_U$.

We first prove that $L(Z')|_U \subseteq L(Z)|_U$. For $\sigma_1 \in L(Z')|_U$, let $\sigma' \in L(Z')$, where $\sigma'|_U = \sigma_1$. We break our proof into four cases.

Case 1. For all $M' \in R(Z', \sigma')$, $M'(p_i) = 0$ holds, that is, place $p_i$ receives no token during the execution of sequence $\sigma'$. According to the definition of module $B$, it is obvious that no $t \in T_B$ can be enabled at the states reached during sequence $\sigma'$. Therefore, $\sigma_1 = \sigma'$ holds, and according to the definition of the refinement operation, $\sigma' \in L(Z)$ holds. Similarly, transition $t_r$ cannot fire during sequence $\sigma'$ because it cannot be enabled, so $\sigma'|_U = \sigma'$ holds, that is, $\sigma' \in L(Z)|_U$; consequently, $\sigma_1 \in L(Z)|_U$ holds.

Case 2. There exists only one marking $M'_1 \in R(Z', \sigma')$ such that $M'_1(p_i) = 1$, and for all $M' \in R(Z', \sigma')$, $M'(p_o) = 0$ holds, namely, during sequence $\sigma'$ place $p_i$ receives a token but place $p_o$ receives none. Let $\sigma' = \sigma'_{11} \sigma'_{12}$, where $\sigma'_{11}$ is the shortest prefix of $\sigma'$ satisfying $(Z', \sigma'_{11}) = C'_{11} = \langle M'_{11}, D'_{11}, ST'_{11} \rangle$ and $M'_{11}(p_i) = 1$. According to Case 1, $\sigma'_{11} \in L(Z)|_U$ holds. Obviously, $\sigma'_{12}$ is composed of transitions of $B$ and of $Z$, and according to the definition of the refinement operation, the transitions of $B$ and the transitions of $Z$ execute concurrently during $\sigma'_{12}$; therefore $\sigma'_{11} (\sigma'_{12}|_U) \in L(Z)$ holds, that is, $\sigma_1 = \sigma'_{11} (\sigma'_{12}|_U) \in L(Z)|_U$ holds. So $\sigma_1 \in L(Z)|_U$ holds.

Case 3. There exist only the markings $M'_1 \in R(Z', \sigma')$ and $M'_2 \in R(Z', \sigma')$ such that $M'_1(p_i) = 1$ and $M'_2(p_o) = 1$, that is, both places $p_i$ and $p_o$ receive a token during the execution of sequence $\sigma'$. Let $\sigma' = \sigma'_{11} \sigma'_{12} \sigma'_{13}$, where $\sigma'_{11}$ is the shortest prefix of $\sigma'$ satisfying $(Z', \sigma'_{11}) = C'_{11} = \langle M'_{11}, D'_{11}, ST'_{11} \rangle$ and $M'_{11}(p_i) = 1$, and $\sigma'_{11} \sigma'_{12}$ is the shortest prefix of $\sigma'$ satisfying $(Z', \sigma'_{11} \sigma'_{12}) = C'_{12} = \langle M'_{12}, D'_{12}, ST'_{12} \rangle$ and $M'_{12}(p_o) = 1$. Similarly to Case 2, $\sigma'_{11} (\sigma'_{12}|_U) \in L(Z)$ holds. Suppose that $\tau'_{11} = \tau(Z', \sigma'_{11})$, $\tau'_{12} = \tau(Z', \sigma'_{12})$, $\sigma'_{12}|_{T_B} = \sigma_B$ and $(B, \sigma_B) = C_B = \langle M_f, D_B, ST_B \rangle$; then $LB_B \le \tau'_{12} - \tau'_{11} \le RB_B$ holds, where $ST_B = [LB_B, RB_B]$. According to the condition given in Theorem 1, we have $LB_B = SEFT(t_r)$; therefore $t_r$ can fire at time $\tau'_{12}$ in the original net $Z$, namely, $\sigma'_{11} (\sigma'_{12}|_U) t_r \in L(Z)$ holds. Moreover, in the same way, $\sigma'_{13}$ can also fire at state $(E, \sigma'_{11} (\sigma'_{12}|_U) t_r)$. Consequently, $\sigma'_{11} (\sigma'_{12}|_U) t_r \sigma'_{13} \in L(Z)$ holds, that is, $(\sigma'_{11} \sigma'_{12} \sigma'_{13})|_U = \sigma_1 \in L(Z)|_U$ holds.

Case 4. General case. Suppose that during sequence $\sigma'$ place $p_i$ receives $k_1$ tokens and place $p_o$ receives $k_2$ tokens. From the definition of the module, we know that $k_1 = k_2$ or $k_1 = k_2 + 1$; in the above three cases, $k_1 = k_2 = 0$, $k_1 = 1 \wedge k_2 = 0$, and $k_1 = k_2 = 1$ hold, respectively. Since the firing of TPN transitions is only related to local time, repeating the proofs of Case 2 and Case 3 gives the conclusion that for every $\sigma_1 \in L(Z')|_U$, $\sigma_1 \in L(Z)|_U$ holds.

Next, we prove $L(Z)|_U \subseteq L(Z')|_U$. For $\sigma_1 \in L(Z)|_U$, let $\sigma \in L(Z)$, where $\sigma|_U = \sigma_1$. We break our proof into four cases.

Case 1. For all $M \in R(Z, \sigma)$, $M(r_i) = 0$ holds, that is, place $r_i$ receives no token during the execution of sequence $\sigma$. Obviously, there is no transition $t_r$ in $\sigma$, thus $\sigma = \sigma_1$. According to the definition of the refinement operation, we know that $\sigma \in L(Z')$. Therefore, $\sigma_1 \in L(Z')|_U$ holds.

Case 2. There exists only one marking $M_1 \in R(Z, \sigma)$ such that $M_1(r_i) = 1$, and for all $M \in R(Z, \sigma)$, $M(r_o) = 0$ holds, that is, during sequence $\sigma$ place $r_i$ receives a token but place $r_o$ receives none. It is obvious that there is no transition $t_r$ in sequence $\sigma$; otherwise, firing $t_r$ would necessarily result in a token in $r_o$. In the same way as in Case 1, $\sigma_1 \in L(Z')|_U$ holds.

Case 3. There exist only the markings $M_1 \in R(Z, \sigma)$ and $M_2 \in R(Z, \sigma)$ such that $M_1(r_i) = 1$ and $M_2(r_o) = 1$, respectively, that is, both place $r_i$ and place $r_o$ receive a token during the execution of sequence $\sigma$. Let $\sigma = \sigma_{11} \sigma_{12} \sigma_{13}$, where $\sigma_{11}$ is the shortest prefix of $\sigma$ satisfying $(Z, \sigma_{11}) = C_{11} = \langle M_{11}, D_{11}, ST_{11} \rangle$ and $M_{11}(r_i) = 1$, and $\sigma_{11} \sigma_{12}$ is the shortest prefix of $\sigma$ satisfying $(Z, \sigma_{11} \sigma_{12}) = C_{12} = \langle M_{12}, D_{12}, ST_{12} \rangle$ and $M_{12}(r_o) = 1$. Similarly to Case 2, $\sigma_{11} \in L(Z')$ holds. Moreover, we know that there exists a sequence $\sigma_{11} \sigma'_1 \in L(Z')$ satisfying $\sigma'_1|_U = \sigma_{121}$ and $\sigma'_1|_{T_B} = \sigma_B$, where $(B, \sigma_B) = C_B = \langle M_f, D_B, ST_B \rangle$. Suppose that $\sigma_{12} = \sigma_{121} t_r$, $\tau(Z, \sigma_{11}) = \tau_{11}$ and $\tau(Z, \sigma_{12}) = \tau_{12}$. Since place $p_i$ receives a token at time $\tau_{11}$ during sequence $\sigma_{11}$ in net $Z'$, according to the definition of the module there must be a transition $t_i \in p_i^{\bullet}$ that can fire, because $SEFT(t_i) \le SEFT(t_r)$. Because the firing of sequence $\sigma_{121}$ has no effect on the execution of the module in $Z'$, after firing $t_i$ there must exist $t_j \in T_B$ that can fire. Continuing in this way, we can generate the execution sequence $\sigma_B$ of the module. According to the condition in Theorem 1, $ST_B = SI(t_r)$, so we can suppose that $\tau(Z', \sigma_{11} \sigma'_1) = \tau_{12}$. Therefore, $\sigma_{13}$ can also fire at state $(Z', \sigma_{11} \sigma'_1)$, and $\sigma_{11} \sigma'_1 \sigma_{13} \in L(Z')$ holds, that is, $(\sigma_{11} \sigma'_1 \sigma_{13})|_U = \sigma_1 \in L(Z')|_U$ holds.

Case 4. General case. Suppose that during sequence $\sigma$ place $r_i$ receives $k_1$ tokens and $r_o$ receives $k_2$ tokens. Then, repeating the proofs of Case 2 and Case 3, Case 4 can be proved.

To sum up, $L(Z')|_U = L(Z)|_U$ holds.
REFERENCES
Berthomieu, B. and Diaz, M. 1991. Modeling and verification of time dependent systems using time Petri nets. IEEE Trans. Softw. Engin. 17, 259–273.
Berthomieu, B., Lime, D., Roux, O. H., and Vernadat, F. 2007. Reachability problems and abstract state spaces for time Petri nets with stopwatches. J. Discrete Event Dyn. Syst. Theory Appl. 17, 133–158.
Cho, H., Ravindran, B., and Jensen, E. D. 2010. Lock-free synchronization for dynamic embedded real-time systems. ACM Trans. Embed. Comput. Syst. 9, 1–28.
Ding, Z. J., Jiang, C. J., Zhou, M. C., and Zhang, Y. Y. 2008. Preserving languages and properties in stepwise refinement-based synthesis of Petri nets. IEEE Trans. Syst. Man Cybern. Part A 38, 791–801.
Ding, Z. J., Zhang, Y. Y., Jiang, C. J., and Zhang, Z. H. 2007. Refinement of Petri nets in workflow integration. In Proceedings of the 10th International Conference on Computer Supported Cooperative Work in Design. Lecture Notes in Computer Science, vol. 4402, 667–678.
Fanti, M. P. and Zhou, M. C. 2004. Deadlock control methods in automated manufacturing systems. IEEE Trans. Syst. Man Cybern. Part A 34, 5–22.
Felder, M., Gargantini, A., and Morzenti, A. 1998. A theory of implementation and refinement in timed Petri nets. Theor. Comput. Sci. 202, 127–161.
Girault, C. and Valk, R. 2003. Petri Nets for Systems Engineering: A Guide to Modeling, Verification, and Applications. Springer.
Gurovic, D., Fengler, W., and Nützel, J. 2000. Development of real-time system specifications through the refinement of duration interval Petri nets. In Proceedings of the IEEE International Conference on Systems, Man, and Cybernetics. 3093–3098.
Hruz, B. and Zhou, M. C. 2007. Modeling and Control of Discrete Event Dynamic Systems. Springer.
Hu, H. S. and Li, Z. W. 2009a. Modeling and scheduling for manufacturing grid workflows using timed Petri nets. Int. J. Adv. Manuf. Technol. 42, 553–568.
Hu, H. S. and Li, Z. W. 2009b. Clarification on the computation of liveness-enforcing supervisor for resource allocation systems with uncontrollable behavior and forbidden states. IEEE Trans. Autom. Sci. Eng. 6, 557–558.
Hu, H. S., Zhou, M. C., and Li, Z. W. 2009. Liveness enforcing supervision of video streaming systems using non-sequential Petri nets. IEEE Trans. Multimedia 11, 1457–1465.
Huang, H. J., Cheung, T. Y., and Mak, W. M. 2004. Structure and behavior preservation by Petri-net-based refinements in system design. Theor. Comput. Sci. 328, 245–269.
Jeng, M. D., Xie, X. L., and Chung, S. L. 2004. ERCN* merged nets for modeling degraded behavior and parallel processes in semiconductor manufacturing systems. IEEE Trans. Syst. Man Cybern. Part A 34, 102–112.
Jiang, C. J., Wang, H. Q., and Liao, S. Y. 2002. Behavior relativity of Petri nets. J. Comput. Sci. Techn. 17, 770–780.
Lee, J. S., Zhou, M. C., and Hsu, P. L. 2007. A Petri-net approach to modular supervision with conflict resolution for semiconductor manufacturing systems. IEEE Trans. Autom. Sci. Eng. 4, 584–588.
Li, J., Fan, Y. S., and Zhou, M. C. 2003. Timing constraint workflow nets for workflow analysis. IEEE Trans. Syst. Man Cybern. Part A 33, 179–193.
Li, J., Fan, Y. S., and Zhou, M. C. 2004. Performance modeling and analysis of workflow. IEEE Trans. Syst. Man Cybern. Part A 34, 229–242.
Li, Z. W. and Zhou, M. C. 2009. Deadlock Resolution in Automated Manufacturing Systems: A Novel Petri Net Approach. Springer.
Liu, T., Lin, C., and Liu, W. D. 2002. Linear temporal inference of workflow management system based on timed Petri net models. Acta Electronica Sinica 30, 245–248. (in Chinese)
Merlin, P. and Farber, D. 1976. Recoverability of communication protocols: Implications of a theoretical study. IEEE Trans. Commun. 24, 1036–1043.
Molloy, M. K. 1982. Performance analysis using stochastic Petri nets. IEEE Trans. Comput. 31, 913–917.
Murata, T. 1989. Petri nets: Properties, analysis and applications. Proc. IEEE 77, 541–580.
Suzuki, I. and Murata, T. 1983. A method for stepwise refinement and abstraction of Petri nets. J. Comput. Syst. Sci. 27, 51–76.
Tang, D. and Liu, D. N. 2006. Method of reachability analysis in HTPN based workflow model. Comput. Integr. Manuf. Syst. 12, 487–493. (in Chinese)
Valette, R. 1979. Analysis of Petri nets by stepwise refinements. J. Comput. Syst. Sci. 18, 35–46.
van der Aalst, W. M. P. 2000. Workflow verification: Finding control-flow errors using Petri-net-based techniques. In Business Process Management: Models, Techniques, and Empirical Studies. Lecture Notes in Computer Science, vol. 1806, 161–183.
Wang, J. C., Deng, Y., and Xu, G. 2000a. Reachability analysis of real-time systems using time Petri nets. IEEE Trans. Syst. Man Cybern. Part B 30, 725–736.
Wang, J. C., Deng, Y., and Zhou, M. C. 2000b. Compositional time Petri nets and reduction rules. IEEE Trans. Syst. Man Cybern. Part B 30, 562–572.
Zhou, M. C. and Venkatesh, K. 1998. Modeling, Simulation and Control of Flexible Manufacturing Systems: A Petri Net Approach. World Scientific, Singapore.
Zhou, M. C., DiCesare, F., and Desrochers, A. 1992. A hybrid methodology for synthesis of Petri nets for manufacturing systems. IEEE Trans. Rob. Autom. 8, 350–361.
Zhou, M. C., McDermott, K., and Patel, P. A. 1993. Petri net synthesis and analysis of a flexible manufacturing system cell. IEEE Trans. Syst. Man Cybern. 23, 523–531.
Zuberek, W. M. 1991. Timed Petri nets: Definitions, properties, and applications. Microelectron. Reliab. 31, 627–644.
Received March 2010; accepted July 2010
