Petri Nets 2000

Petri Nets 2000
21st International Conference on Application and Theory of Petri Nets Aarhus, Denmark, June 26-30, 2000
Introductory Tutorial Petri Nets
Organised by Gianfranco Balbo Jrg Desel o Kurt Jensen Wolfgang Reisig Grzegorz Rozenberg Manuel Silva
June 2000
DEPARTMENT OF COMPUTER SCIENCE UNIVERSITY OF AARHUS

Ny Munkegade, Bldg. 540 DK-8000 Aarhus C, Denmark
Table of Contents
Wolfgang Reisig An Informal Introduction to Petri Nets . . . . . . . . . . . . . . . . . . . . . . . . . Grzegorz Rozenberg Elementary Net Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jrg Desel o Place/Transition Nets I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 5 85
Kurt Jensen Coloured Petri Nets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 Grzegorz Rozenberg Behaviour of Elementary Net Systems . . . . . . . . . . . . . . . . . . . . . . . . . 161 Manuel Silva Place/Transition Nets II . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Gianfranco Balbo An Introduction to Generalised Stochastic Petri Nets . . . . . . . . . . . . . . . . . 217
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
Introductory Tutorial
Place/Transition-Nets I
Jorg Desel, Catholic University in Eichstatt
I. Introduction to place/transition-nets II. Basic analysis techniques
I. Introduction to place/transition nets
An example Different features of place/transition-nets Place/transition-nets vs en-systems Formal denitions Place/transition-nets Occurrence sequences and reachability Marking graphs Behavioral properties Deadlock-freedom and liveness Boundedness and 1safety Reversibility Capacities and complements Weak and strong capacities Weak and strong complements Inhibitor arcs 85
An example: a vending machine

Control structure of a vending machine
eady for insertion
nsert coin
eady for insertion nsert coin
reject coin dispense item
holding coin ispense item
holding coin reject coin
ccept coin ready to dispense ccept coin eady to dispense
an en-system
its behaviour
4 Adding concurrency: a vending machine with capacity 1 ...

item storage ready for insertion insert coin
reject coin refill dispense item
holding coin
request for refill
ready to dispense
accept coin
... and its behaviour

refill insert coin insert coin
reject coin ispense item accept coin refill
reject coin refill
accept coin
86
5 Adding bounded storages: a vending machine with capacity 4 ...

tem storage eady for insertion nsert coin
reject coin efill ispense item
holding coin
equest for refill
eady to dispense
accept coin

refill ac refill ic refill ac refill refill ac ic refill
ic
ac
ic refill
ic refill
ac
rc refill
di
rc refill
di
rc
di refill
rc refill
di
rc
6 Adding unbounded counters: the control part with a counter ...

ready for insertion insert coin coins in machine
holding coin dispense item reject coin
ready to dispense
accept coin

insert coin insert coin
reject coin dispense item
reject coin
accept coin
accept coin
dispense item
0 coins in machine
1 coin in machine
2 coins in machine
87
7 Adding arc weights: the vending machine selling pairs ...

holding coin
equest for refill
eady to dispense
accept coin
... or storing pairs

holding coin
equest for refill
eady to dispense
accept coin
8 Adding limited capacities: replacing the place request for rell ...
holding coin
equest for refill
eady to dispense
accept coin
... by a capacity restriction

=4
tem storage
holding coin efill ispense item eject coin
eady to dispense
accept coin
88
Marked place/transition-nets generalize en-systems

Each contact-free en-system is a 1-safe marked place/transition-net
Terminology: en-system condition event case / state marked p/t-net place transition marking
;! ;! ;! ;!
conditions
m:
places
! f 0 1g
sequential case graph
marking graph (reachability graph, state graph)
Formal denition of marked place/transition-nets

A marked place/transition-net (p/t-net) is a tuple ( (
10
S T F k w m0 ) where
S T F ) is a net with S set of places (Stellen), nonempty, nite (often P is used) T set of transitions , nonempty, nite F (S T ) (T S ) ow relation k : S ! f1 2 3 . . .g f1g partial capacity restriction (default: 1) w : F ! f 1 2 3 . . .g weight function (default: 1) m0 : S ! f0 1 2 . . .g a marking satisfying 8s 2 S : k(s) = 1 _ m0(s) k(s)
(initial marking )
89
The occurrence rule

A transition
11
t is enabled at a marking m if every place s 2 t satises m(s) w(s t) and every place s 2 t satises m(s) + w(t s) k (s)
The occurrence of
8 > > > < 0 m (s) = > > > :
t leads to the successor marking m0 , dened by m(s) if s 2 t and s 2 t = = m(s) ; w(s t) if s 2 t and s 2 t = m(s) + w(t s) if s 2 t and s 2 t = m(s) ; w(s t) + w(t s) if s 2 t and s 2 t
Notation:
t m ;! m0 (m[tim0 )
3 2
3 2
k=4
Occurrence sequences and reachability

A nite sequence = 1 2 . . . n of transitions is a
12
t t
nite occurrence sequence leading from
m0 to mn if
t1 t2 m0 ;! m1 ;!
A marking
tn ;! mn
m is reachable mi
(from
m0 ) if
there is an occurrence sequence leading from
m0 to m
Notation: [ 0 is the set of all reachable markings An innite sequence = 1 2 3 . . . is an
t t t
innite occurrence sequence enabled at
m0 if
t1 t2 t3 m0 ;! m1 ;! m2 ;!
90
Marking graphs
The marking graph of a marked p/t-net is an edge-labeled graph with initial vertex initial vertex vertices labeled edges Example:
t1
13
initial marking
m0 (denoted ! ) set of reachable markings [m0 i t set of triples (m t m0 ) such that m ;! m0

t2 (1,1,0) t1 t2 t3 (1,0,1) t1 t2
s2
2 s1 t3 s3
(0,2,0) t2 (0,1,1)
(0,0,2)
Lemma
Each occurrence sequence corresponds to the labels of a directed path of the marking graph starting with the initial vertex, and vice versa. 14
Behavioral properties of marked p/t-nets

A marked p/t-net is terminating deadlock-free live if there is no innite occurrence sequence if each reachable marking enables a transition if each reachable marking enables an occurrence sequence containing all transitions bounded if, for each place , there is a bound ( )
1safe reversible
s bs such that m(s) b(s) for every reachable marking m if b(s) = 1 is a bound for each place s if m0 is reachable from each other reachable marking
Example
The vending machines are deadlock-free and live. Some are 1safe, some are bounded, some are unbounded. The bounded vending machines91 reversible. are
15 A marked p/t-net which is not deadlock-free and its marking graph

t2 t1 t2 t1 t3 t4 t4 t3 t2 t4
Proposition A marked p/t-net is deadlock-free if and only if its marking graph has no vertex without successor
Proposition No deadlock-free marked p/t-net is terminating (but the converse does not necessarily hold) 16 A deadlock-free marked p/t-net which is not live
t2 t3 t4 t2 t3 t5 t1 t5 t4
t1
Proposition Every live marked p/t-net is deadlock-free (this does not hold for nets without transitions) Proposition A marked p/t-net is live if and only if at no reachable marking a transition is dead (cannot become enabled again) Example Some transitions are dead at a reachable marking
2 3 t4 4
5 92
t5
17 Proposition A marked p/t-net is bounded if and only if its set of reachable markings is nite (its marking graph is nite) Proof
() ())
(
The maximal number of tokens on a place can be taken as its bound. If a place
s is bounded by b(s) then it can be in at most b(s) + 1 different states, vic. m(s) = 0 m(s) = 1 bs bs
...
m(s) = b(s):
( ( n ) + 1)
So the number of reachable markings does not exceed ( ( 1 ) + 1) ( ( 2 ) + 1) where
bs
fs 1 s 2
...
sn g is the (nite !) set of places n
Corollary A 1safe marked p/t-net with places has at most 2n reachable markings 18 Proposition A marked p/t-net is reversible if and only if its marking graph is strongly connected Example a 1safe non-live marked p/t-net which is not reversible
t2 t3 t4 t2 t3 t5 t1 t5 t4
t1
Example an unbounded marked p/t-net which is not reversible
Example a live and 1safe marked p/t-net which is not reversible

t1 t3 t3 t5 t2 t4 t4 t3 t1 t4 t2 t5
93
Substituting capacities ...

19
=4
tem storage
holding coin efill ispense item eject coin
eady to dispense
accept coin
... by complement places

holding coin
equest for refill
eady to dispense
accept coin
Weak capacities
. . . guarantee bounds of places weak enabling condition: a transition
20
t is enabled at a marking m if every place s 2 t satises m(s) w(s t) and every place s 2 t n t satises m(s) + w(t s) k (s) and every place s 2 t \ t satises m(s) ; w(s t) + w(t s) k (s)
If ( ) is nite then
Proposition
ks
s is k(s)-bounded
Replacing a weak capacity restrictiction by a weak complement
k=3
94
Strong capacities
. . . generalize contact of en-systems strong enabling condition: a transition
21
t is enabled at a marking m if every place s 2 t satises m(s) w(s t) and every place s 2 t satises m(s) + w(t s) k (s)
each en-system is equivalent to a marked p/t-net without arc weights and with the strong capacity restriction ( ) = 1 for every place
Proposition
ks
Replacing a strong capacity restrictiction by a strong complement
=3
Inhibitor arcs for null tests

inhibitor enabling condition: If (
22
t is only enabled at a marking m if m(s) = 0
s t) is an inhibitor arc then
Replacing an inhibitor arc at a bounded place by a weak complement
k=3
95
23
II. Basic analysis

techniques
Linear-algebraic techniques The marking equation Place invariants Transition invariants Structural techniques Siphons Traps The siphon/trap property Restricted net classes State machines Marked graphs Free-choice nets Causal Semantics Occurrence nets Process nets
Linear-algebraic representation of markings and transitions

1 s3 3
24
t1
t2
t5
s4
s2
vector representation of the marking
m0 : m0 = (4 0 0 0 1) ~ ~ vector representation of the transition t2 : t2 = (;1 1 1 0 ;1)

t2 m0 ;! m1 ) m0 + t~2 = m1 ~ ~
= (3 1 1 0 0)
96
Matrix representation of a net

1 s3 3
25
t1
t2
t5
s4
s2
incidence matrix of the net:
N ;=
s1 1 ;1 0 0 0 ~ s 2 ;1 1 0 0 0 ~ s 3 0 1 ;1 0 1 ~ s 4 0 0 1 ; 1 ;1 ~ s5 0 ;1 0 1 0 ~
26
t~1 t~2 t~3 t~4 t~5
The marking equation

t t3 t t t m0 2 ; 5 1 3 m ) m0 + t~2 + t~3 + t~5 + t~1 + t~3 = m ;;! ~ ~ m0 + (1 t~1 ) + (1 t~2 ) + (2 t~3 ) + (0 t~4 ) + (1 t~5 ) = m ~ ~ m0 + N ; ~ (1 1 2 0 1) =m ~
Parikh vector of t2 t3 t5 t1 t3
| {z }
The Marking Equation
If
m0 ;! m and
P(
) denotes the Parikh vector of )=
then
m0 + N ; P ( ~
A marking
m ~
. . . yields a necessary condition for reachability of a marking:
m0 + ~
m is only reachable from m0 if x N ~ = m has a solution for ~ in IN x ~

;
97
Example: a live and 1safe marked p/t-net

t1 1 2 3 t4 5 2 3 4 5
27
reachable markings (1 0 0 0 0) (0 1 0 0 1) (0 0 1 1 0) (0 0 0 1 1) non-reachable marking (0 1 1 0 0)
solutions to the marking equation (0 0 0 0 0) (1 0 1 0 1) (0 1 0 1 1) . . . (1 0 0 0 0) . . . (0 1 0 0 0) . . . (1 0 1 0 0) (0 1 0 1 0) . . . solutions to the marking equation (1 1 0 0 1) . . .
Consequence: solubility of the marking equation is not sufcient for reachability
Place invariants
Example: mutual exclusion
t1 process 1 s1 s2 s3 s4 t3 process 2 s5
28
t2
t4
Every reachable marking
m satises m(s2 ) + m(s4 )
m(s2 ) + m(s3 ) + m(s4 ) = 1 holds initially 2) m(s2 ) + m(s3 ) + m(s4 ) = 1 is stable ! will be shown by a place invariant 3) m(s2 ) + m(s3 ) + m(s4 ) = 1 ) m(s2 ) + m(s4 ) 1
1)
98
Place invariants
Three equivalent denitions: A place invariant of a net (1) (2)
s2 t s= s 2t
29
X ~i X
i N is a vector ~ satisfying ~s for every transition t of N i
~ ~ = 0 for every transition t of N i t ; i (3) ~ N = (0 0 . . . 0)

The token conservation law for a place invariant : If Proof:
m is reachable from m0 then ~ m0 = ~ m i ~ i ~
~ i
m0 ;! m ) m0 + N ; P [ ] = m ~ ~ ) ~ m0 + ~ N ; P [ ] = ~ m i ~ i i ~
=(0 ... 0)
| {z }
) ~ m =~ m i ~ i ~
0
Proving stability
30
t2
t4
The number of tokens on by transition occurrences.
fs s s g is not changed
2 3 4
) ~ = (0 1 1 1 0) is a place invariant. i
~ m0 = 1 implies ~ m = 1 for each reachable marking M . i ~ i ~ ) m(s2) + m(s3) + m(s4) = 1 is stable.
99
Further place invariants

31
t2
t4
(0 1 1 1 0) (0 1 1 0
mutual exclusion
;1) m(s ) + m(s ) = m(s )

2 3 5
(1 1 0 0 0)
s2 is marked then s5 is marked m(s1 ) + m(s2 ) = 1 m(s1 ) m(s2 ) 1, the places s1 and s2 are bounded
if
A necessary condition for liveness

Proposition: In a live marked p/t-net without isolated places, each place invariant
32
Proof:
~ without negative entries and i i i ~ with some positive entry ~s satises ~ m0 > 0. otherwise transitions in s s are dead.
1 3 1 2 4 s5 t3
t4
Examples:
place invariants (1 1 0 0 0), (0 0 0 1 1), (0 1 1 1 0)

100
A sufcient condition for boundedness:

Proposition:
33
Proof:
~s > 0 for each place s is bounded. i i ~ i ~ m is reachable ) ~ m = ~ m0 . ) ~s ms ~ m = ~ m0. i ~ i ~ i ~ ~ m0 ) m(s) = ms i ~ ~ ~ is

1 3 1 2 4 t3
Each marked p/t-net with a place invariant
~ satisfying i
s5
t4
Example:
place invariant (1 2 1 2 1) 34
Place invariants and the marking equation

Proposition There is a place invariant
m0 + ~
Example:
~ satisfying ~ m0 6= ~ m if and only if i i ~ i ~ ; N ~ = m has no rational-valued solution for ~ . x ~ x

s1 s2 s3 s4 t3 t2 t4 s6 s7 s8
1 2 1 ) 2
s5
t1
t5
) no place invariant proves the non-reachability of m.

But the marking equation has no solution in
m0 + N ; ~
(1 0 1
m = (1 ~
0 1 0 1 1 0 0)
! modulo place invariants 101
IN
Transition invariants
A transition invariant of a net
35
N ; ~ = (0 j
1
N is a vector ~ satisfying j
0 . . . 0)
Example:
t3 3 1 2 4 s5
t4
Transition invariants: (1 1 0 0), (0 0 1 1), (2 2 1 1) Proposition Let
Proof:
m0 ;! m be an occurrence sequence. m0 = m if and only if P [ ] is a transition invariant ; follows immediately from m0 + N P [ ] = m ~ ~

36
A necessary condition for liveness and boundedness

Proposition:
~ satisfying j ~ (t) > 0 for each transition t. j

has a transition invariant
Each live and bounded marked p/t-net
Proof:
By liveness, there exist occurrence sequences
1 2 3 m0 ;! m1 ;! m2 ;!
such that all transitions occur in every i . By boundedness,
mi = mj for some i < j .

j ] is a suitable transition invariant.
+1 ) mi ;!
i
;! mj = mi.
j
) ~ = P[ j
i+1
102
Structural Techniques
A siphon is a set of places which, once unmarked, never gains a token again
37
S is a siphon
if
S S
, i.e. if
t \S = 6
implies
t\S = 6
.
A trap is a set of places which, once marked, never looses all tokens
S is a trap if S
s1
S , i.e. if t \ S = 6
s2 s3
implies
t \S = 6
s4
a siphon {s1,s2}
a trap {s3, s4}
m satises m(s1 ) = m(s2 ) = 0 then so do all follower markings. If a marking m satises m(s3 ) + m(s4 ) > 0 then so do all follower markings.
If a marking
Example for the use of a trap
38
1 1 2
s4 t5
t4
fs s s g is an initially marked trap ) the marking (0 1 1 0 0) is not reachable.

1 4 5
103
Siphons and traps, liveness and deadlock-freedom

Proposition: In a live marked p/t-net without isolated places, each nonempty siphon contains an initially marked place Proof: otherwise, for each place
39
s of the siphon, all transitions in s s
are dead.
Proposition:
Assume a marked p/t-net with some transition, without capacity restrictions and arc weights. If each nonempty siphon includes an initially marked trap then the marked p/t-net is deadlock-free
Proof:
the set of unmarked places at a dead marking is a nonempty siphon.
) It contains no initially marked trap.

Restricted net classes
State machines are marked p/t-nets without branched transitions, i.e. 40
This siphon contains no marked trap.
j tj = jt j = 1 for each transition,
without arc weights and without capacity restrictions. Example
Proposition Proposition
Each marked state machine is bounded. A marked state machine is live if and only if it is strongly connected and some place is initially marked.
104
41 Marked graphs are marked p/t-nets without branched places, i.e.
j sj = js j = 1 for each place,
without arc weights and without capacity restrictions. Example
Proposition A marked graph is live if and only if each cycle carries a token initially. Proposition It is moreover 1safe if and only if each place belongs to a cycle with exactly one token. 42 Free-choice nets are marked p/t-nets without arc weights and capacity restrictions satisfying (
s t) 2 F ) t s
F
then
for each place
s and transition t
If
Proposition A free-choice net without isolated places is live if and only if each nonempty siphon includes an initially marked trap. Example
s1 s3 s5 s2
1 2 5
s4
fs s s g is a siphon which includes no nonempty trap ) this free-choice net is not live. 105
Causal semantics of marked p/t-nets

Example: a producer / consumer system
produced consumed
43
produce
send
full
receive
consume
sent
received
a causal run of the producer /consumer system

ent roduce ull onsumed eceive eceived onsumed consume receive roduced end ent roduce ull eceived roduced send sent
Causal runs
A causal run of a marked p/t-net is given by a labeled Petri net (
44
B E K)
Interpretation of causal runs net element places transitions arcs name conditions events causal relation symbol interpretation tokens on system places system transition occurrences ow of tokens
B E K
106
Occurrence nets
An occurrence net is a net ( it has no cycles (i.e.
45
B E K ) with the following properties

)
K + is a partial order b
it has no branched places, i.e.
j bj jb j
1 for each condition
events have nite fan-in and fan-out, i.e.
e and e
are nite sets for each event
it has neither input nor output-events, i.e.
j ej je j
1 for each event
no node has innitely many predecessors, i.e. the set
fx 2 (B E ) j x yg is nite for each node y
Process nets of marked p/t-nets represent causal runs

Assume a marked p/t-net (
46
S T F k w m0 ) without capacity restrictions An occurrence net (B E K ) together with labels : (B E ) ! (S T ) is a process net of N if
sorts of nodes are respected by , i.e.
S and (E ) T m0 agrees with min(B ), i.e. m0 (s) = jfb 2 B j b = and (b) = sgj for every place s 2 S
( ) transition vicinities are preserved, i.e. ( ) = ( ( )),
e e jfb 2 e j (b) = sgj = w(s (e)) for each event e (e ) = ( (e)) , jfb 2 e j (b) = sgj = w( (e) s) for each event e
107
Occurrence sequences versus process nets

occurrence sequences provide total orders of events that respect causality but add arbitrary interleavings of independent events. Information about causal relationships can get lost. process nets provide partial orders reecting causality. Example:
d a f c h
g b f d a f c h
47
g
d a f h
abc bac acb bca

maximal occurrence sequences
f e b g
maximal process nets 48
Two process nets corresponding to t1 t3 t5 t2 t3 t5 t2 t3 t4

s1 t1 t2 t4 s5 s2 s4 b4 s3 b1 s1 b2 s2 b3 s4 b4 s3 b1 s1 b2 s2 b3 t1 e3 s1 b8 s2 b9 t3 e1 s5 b5 t5 e2 s6 b6 e4 t2 s3 b7 t3 e5 t1 e3 t3 e1 s5 b5 t5 e2 s6 b6 e4 t2 s3 b7 s1 b8 s2 b9 s4 b10 s5 b11 t5 e6 s6 b12 e7 t2 s3 b13 t3 e8 s2 b14 s4 b15 s5 b16 t4 e9 s3 b17 t3 e5 s6 t5 s4 b10 s5 b11 t5 e6 s6 b12 e7 t2 s3 b13 t3 e8 s4 b15 s5 b16 t4 e9 s3 b17 s3 t3 s4
108
s2 b14
Two process nets without a common occurrence sequence

s1 t1 t2 t4 s5 s2 s4 b4 s3 b1 s1 b2 s2 b3 t1 e3 t3 e1 s5 b5 t5 e2 s6 b6 e4 t2 s3 b7 s1 b8 s2 b9 s2 b14 t3 e5 s6 t5 s4 b10 s5 b11 t5 e6 e7 s6 t2 b12 s3 b13 t3 e8 s4 b15 s5 b16 t4 e9 s3 b17 s3 t3 s4
49
s4 b4 s3 b1 s1 b2 s2 b3 s2 b8 t3 e1 s5 b5 t5 e2 s6 b6 e3 t2 s3 b7 t3 e4
s4 b9 s5 b10 t4 e6 s3 t3 b11 e7
s4 b13 s5 b14 t5 e8 e9 s6 t2 b15 s3 b16
t1 e5
s1 b12
s2 b17
109
110
Coloured Petri Nets
Coloured Petri Nets
Part 1: Introduction to CP-nets

An ordinary Petri net (PT-net) has no types and no modules: Only one kind of tokens and the net is flat.
Kurt Jensen Computer Science Department University of Aarhus
Ny Munkegade, Building 540 DK-8000 Aarhus C, Denmark
Phone: +45 89 42 32 34 Telefax: +45 89 42 32 55 E-mail: kjensen@daimi.au.dk URL: http://www.daimi.au.dk/~kjensen
With Coloured Petri Nets (CP-nets) it is possible to use data types and complex data manipulation: Each token has attached a data value called the token colour. The token colours can be investigated and modified by the occurring transitions.
111
THEORY models basic concepts verification methods
TOOLS editing simulation verification
With CP-nets it is possible to make hierarchical descriptions: A large model can be obtained by combining a set of submodels. Well-defined interfaces between the submodels. Well-defined semantics of the combined model. Submodels can be reused.
PRACTICAL USE specification investigation verification implementation
Coloured Petri Nets
3
Coloured Petri Nets
Resource allocation example

2
Occurrence of enabled binding

2`(p,0)
P
B
(x,i)
T2
3`(q,0)
P
A
(x,i)
(x,i)
E
S 3
if x=q then 1`(x,i+1) else empty

P
C
case x of p => 2è | q => 1è
Declarations: type U = with p | q; type I = int; type P = product U * I; type E = with e; var x : U; var i : I;
T1
e
P
B
2`(p,0)
3è
[x=q] (x,i)
e
T2
2`(p,0)
P
B
1
1è
P
C
Binding: <x=p, i=0>
112
(x,i)
T3
2
case x of p => 2è | q => 1è
(x,i) if x=p then 1`(x,i+1) else empty (x,i)

case x of p => 2è | q => 1è 2è
E
S 3
(x,i)
T2
1
1`(p,0)
if x=q then 1è else empty (x,i)

P
D
3è
(x,i)
P
C
1`(p,0)
if x=p then 1è else empty (x,i)

T4
3è New Marking

1
e (x,i)
P
E
1`(p,0)
P
B
2è
2è (x,i)
T5
(x,i) case x of p => 2è | q => 1è

T2
case x of p => 2è | q => 1è
(x,i)
E
S 1
1è
1`(p,0)
Coloured Petri Nets
5
Coloured Petri Nets
Binding which is not enabled

3 2
A more complex example

1`(p,2)+1`(p,4)+1`(q,3)
P
B
2`(p,0) (x,i)
T2
(x,i) (x,i)
E
S
case x of p => 2è | q => 1è

P
3 C
T2
case x of p => 2è | q => 1è
(x,i) 3è
3
3 2
3è 1`(p,2)+1`(p,4)+1`(q,3)
P
B
1
2`(p,0)
Binding: <x=q, i=2> case x of p => 2è | q => 1è

2
Binding: <x=p, i=2>
(x,i)
T2
1
1`(p,2)
113
E
(x,i)
1`(q,2)
case x of p => 2è | q => 1è

S 3
T2
(x,i)
1`(q,2)
(x,i) 2è
P
C
1`(p,2)
1è
3è
3
3è 1`(p,2)+1`(p,4)+1`(q,3) Binding: <x=q, i=3>

P
B
1
Binding cannot occur
(x,i) case x of p => 2è | q => 1è

1
1`(q,3)
T2
1
(x,i)
E
1`(q,3) 1è
S 3
3è
Coloured Petri Nets
7
Coloured Petri Nets
Concurrency
3
Conflict
1`(p,2)+1`(p,4)+1`(q,3) Binding: <x=p, i=2>
P
1
Binding: <x=p, i=2>

B
3 T2
1
1`(p,2)+1`(p,4)+1`(q,3) 1`(p,2)
C
(x,i)
1`(p,2)
Binding: <x=q, i=3> (x,i)

2
(x,i)
E
S
1`(p,2)+1`(q,3) 2è
P
3
case x of p => 2è | q => 1è
case x of p => 2è | q => 1è 3è

3
T2
(x,i)
1`(p,2)+1`(q,3)
3è 1`(p,2)+1`(p,4)+1`(q,3)
P
B
1
3è
Binding: <x=p, i=4>
114
2
1`(p,4)
(x,i)
T2
1
1`(p,4)
(x,i)
E
S
case x of p => 2è | q => 1è 2è
(x,i)
P
3 C
1`(p,4)
case x of p => 2è | q => 1è
T2
(x,i)
3è
1`(p,2)+1`(q,3)
These two bindings cannot occur concurrently. The reason is that they need the same tokens.
The two bindings may occur concurrently. This is possible because they use different tokens.
Coloured Petri Nets
9
Coloured Petri Nets
10
Resource allocation system

Declarations: Types, functions, operations and variables.
Coloured Petri Nets
Two kinds of processes: Three cyclic q-processes (states A,B,C,D and E). Two cyclic p-processes (states B,C,D and E). Each place has the following inscriptions: Name (for identification).
Three kinds of resources:
Represented by the places R, S and T.
Colour set (specifying the type of tokens which may reside on the place). Initial marking (multi-set of token colours). Each transition has the following inscriptions: Name (for identification). Guard (boolean expression containing some of the variables). Each arc has the following inscriptions: Arc expression (containing some of the variables). When the arc expression is evaluated it yields a multi-set of token colours.
During a cycle a process reserves some resources and releases them again:
115
Tokens are removed from and added to the resource places R, S and T.
A cycle counter is increased each time a process completes a full cycle.
It is rather straightforward to prove that the resource allocation system cannot deadlock. What happens if we add an additional token to place S i.e., if we start with four S-resources instead of three?
Coloured Petri Nets
11
Coloured Petri Nets
12
Enabling and occurrence

Combination of text and graphics.
Main characteristics of CP-nets
A binding assigns a colour (i.e., a value) to each variable of a transition.
A binding element is a pair (t,b) where t is a transition while b is a binding for the variables of t. Example: (T2,<x=p, i=2>).
A binding element is enabled if and only if: There are enough tokens (of the correct colours on each input-place).
Declarations and net inscriptions are specified by means of a formal language, e.g., a programming language. Types, functions, operations, variables and expressions. Net structure consists of places, transitions and arcs (forming a bi-partite graph). To make a CP-net readable it is important to make a nice graphical layout. The graphical layout has no formal meaning. CP-nets have the same kind of concurrency properties as Place/Transition Nets.
116
The guard evaluates to true.
When a binding element is enabled it may occur:
A multi-set of tokens is removed from each input-place.
A multi-set of tokens is added to each output-place.
A binding element may occur concurrently to other binding elements iff there are so many tokens that each binding element can get its "own share".
Coloured Petri Nets
13
Coloured Petri Nets
14
Formal definition of CP-nets

Definition: A step is a multi-set of binding elements.
Formal definition of behaviour
Definition: A Coloured Petri Net is a tuple CPN = (, P, T, A, N, C, G, E, I) satisfying the following requirements:
(i) p P: E(p,t)<b> M(p).

(t,b) Y
is a finite set of non-empty types, called colour sets.
A step Y is enabled in a marking M iff the following property is satisfied:
(ii)
P is a finite set of places.
(iii)
T is a finite set of transitions.
(iv)
A is a finite set of arcs such that:
P T = P A = T A = .
When a step Y is enabled in a marking M1 it may occur, changing the marking M1 to another marking M2, defined by: p P: M2(p) = (M1(p) E(p,t)<b>) + E(t,p)<b>.
(t,b) Y (t,b) Y
(v)
N is a node function. It is defined from A into P T T P.
(vi)
C is a colour function. It is defined from P into .
117
(vii) G is a guard function. It is defined from T into expressions such that: t T: [Type(G(t)) = Bool Type(Var(G(t))) ].
The first sum is called the removed tokens while the second is called the added tokens. Moreover we say that M2 is directly reachable from M1 by the occurrence of the step Y, which we also denote: M1 [Y M2.
(viii) E is an arc expression function. It is defined from A into expressions such that: a A: [Type(E(a)) = C(p(a))MS Type(Var(E(a))) ] where p(a) is the place of N(a).
An occurrence sequence is a sequence of markings and steps: M1 [Y1 M2 [Y2 M3 Mn [Yn Mn+1 such that Mi [Yi Mi+1 for all i 1.. n. We then say that M n+1 is reachable from M1. We use [M to denote the set of markings which are reachable from M.
(ix)
I is an initialization function. It is defined from P into closed expressions such that: p P: [Type(I(p)) = C(p)MS].
Coloured Petri Nets
15
Coloured Petri Nets
16
Formal definition
High-level contra low-level nets

The relationship between CP-nets and Place/Transition Nets (PT-nets) is analogous to the relationship between high-level programming languages and assembly code. In theory, the two levels have exactly the same computational power. In practice, high-level languages have much more modelling power because they have better structuring facilities, e.g., types and modules. Each CP-net has an equivalent PT-net and vice versa. This equivalence is used to derive the definition of basic properties and to establish the verification methods. In practice, we never translate a CP-net into a PT-net or vice versa. Description, simulation and verification are done directly in terms of CP-nets.
The existence of a formal definition is very important: It is the basis for simulation, i.e., execution of the CP-net. It is also the basis for the formal verification methods (e.g., state spaces and place invariants). Without the formal definition, it would have been impossible to obtain a sound net class.
118
It is not necessary for a user to know the formal definition of CP-nets: The correct syntax is checked by the CPN editor, i.e., the computer tool by which CP-nets are constructed. The correct use of the semantics (i.e., the enabling rule and the occurrence rule) is guaranteed by the CPN simulator and the CPN tools for formal verification.
Coloured Petri Nets
17
Coloured Petri Nets
18
Other kinds of high-level nets

INTxDATA
""
Simple protocol
Send (n,p)
INTxDATA
Received
DATA
1`(1,"Modellin")+ 1`(2,"g and An")+ 1`(3,"alysis b")+ 1`(4,"y Means ")+ 1`(5,"of Colou")+ 1`(6,"red Petr")+ 1`(7,"i Nets##")+ 1`(8,"########")
str
INTxDATA
Send Packet (n,p) A s n

8 1
CP-nets have been developed from Predicate/Transition Nets. Hartmann Genrich & Kurt Lautenbach. With respect to description and simulation the two models are nearly identical. With respect to formal verification there are some differences.
(n,p) Transmit Packet if Ok(s,r) then 1`(n,p) else empty (n,p) B RP
Int_0_10
1
if n=k andalso p<>stop then str^p else str
k NextRec
8
NextSend
INT Int_0_10
RA s
INT
Receive Packet if n=k then k+1 else k Transmit C
k n
119
Receive Acknow. n
D
INT
if n=k then k+1 else k if Ok(s,r) Acknow. then 1`n else empty n
INT
Several other kinds of high-level Petri Nets exist. They all build upon the same basic ideas, but use different languages for declarations and inscriptions. A detailed comparison is outside the scope of this talk.
Sender
Network
Receiver
type INT = int; type BOOL = bool; type DATA = string; type INTxDATA = product INT * DATA; var n, k : INT; var p,str : DATA; val stop = "########"; type Int_0_10 = int with 0..10; type Int_1_10 = int with 1..10; var s : Int_0_10; var r : Int_1_10; fun Ok(s : Int_0_10, r : Int_1_10) = (rs);
Coloured Petri Nets
19
Coloured Petri Nets
20
Send packet
INTxDATA
(n,p) if Ok(s,r) then 1`(n,p) INTxDATA else empty
Transmit packet
A
1 1`(1,"Modellin") s 8
INTxDATA
Send
Transmit Packet B
(n,p)
1`(1,"Modellin") + 1`(2,"g and An") 8 + 1`(3,"alysis b") + 1`(4,"y Means ") + 1`(5,"of Colou") + 1`(6,"red Petr") + 1`(7,"i Nets##") + 1`(8,"########")
INTxDATA
RP
Int_0_10
1 1`8
(n,p)
Send Packet
120
NextSend
INT
1 1`1
There are now 10 enabled bindings: They are all of the form <n=1, p= "Modellin", s=8, r=>. The variable r can take 10 different values, because the type of r is defined to contain the integers 1. .10. The function Ok(s,r) checks whether r s. For r 1. .8, Ok(s,r) = true. This means that the token is moved from A to B, i.e., that the packet is successfully transmitted over the network. For r 9. .10, Ok(s,r) = false. This means that no token is added to B, i.e., that the packet is lost. The CPN simulator make random choices between enabled bindings. Hence there is 80% chance for successful transfer.
Only the binding <n=1, p= "Modellin"> is enabled. When the binding occurs it adds a token to place A. The token represents that the packet (1,"Modellin") is sent to the network. The packet is not removed from place Send and the NextSend counter is not changed.
Coloured Petri Nets
21
Coloured Petri Nets
22
Receive packet
1 1`""
1 1`"Modelling and An"
Correct packet number

Received
""
Received
DATA
INTxDATA
str
str
1 1`(3,"alysis b")
(n,p)

1`(3,"alysis b") (n,p) B 1
1 1`(1,"Modellin")
1`3 1 k 1`4 1`"Modelling and Analysis b" 1 1
1
1 1`3
NextRec
NextRec
Receive Packet
1 1`4 if n=k then k+1 else k if n=k then k+1 else k
121
C
INT
Receive Packet
1 1`1
if n=k then k+1 else k
INT
The data in the packet is concatenated to the data already received. The NextRec counter is increased by one. An acknowledgement message is sent. It contains the number of the next packet which the receiver wants to get.
It is checked whether the number of the incoming packet n matches the number of the expected packet k.
Coloured Petri Nets
23
Coloured Petri Nets
24
Wrong packet number

8
Transmit acknowledgement
Int_0_10
s
Received
RA
1 1`8
1`"Modelling and An"
str
INT
if Ok(s,r) then 1`n else empty
D
n
Transmit Acknow.
C
INT
1 1`2
1`(2,"g and An") (n,p) B 1
1 1`(2,"g and An")
1`3
This transition works in a similar way as Transmit Packet. The token on place RA determines the success rate for transmission of acknowledgements. When RA contains a token with value 8, the success rate is 80%. When RA contains a token with value 10, no acknowledgements are lost. When RA contains a token with value 0, all acknowledgements are lost.
122
NextRec
1`3
Receive Packet
1 1`3
1`3
The data in the packet is ignored. The NextRec counter is unchanged.
An acknowledgement message is sent. It contains the number of the next packet which the receiver wants to get.
Coloured Petri Nets
25
Coloured Petri Nets
26
Receive acknowledgement
INTxDATA
Intermediate state
Send
(n,p) 1 1`"Modelling and Analysis by Means of Colou" ""
NextSend
Received
DATA
INT
1 1`1
INTxDATA
(n,p) (n,p)
k
if Ok(s,r) then 1`(n,p) else empty
n
Send Packet A
s n 8 1
INTxDATA
(n,p)
str
Transmit Packet
B
1 1`(5,"of Colou")
Receive Acknow.
RP
Int_0_10
INT
NextSend
INT
1 1`5 k n 8
1 1`8 1
1 1`2
NextRec
Int_0_10
RA
s
1 1`8
INT
Receive Packet
123
Receive Acknow.
n 1 1`6
D
INT
Transmit Acknow.
n 1 1`6
C
INT
When an acknowledgement arrives to the Sender it is used to update the NextSend counter. In this case the counter value becomes 2, and hence the Sender will begin to send packet number 2.
Sender
Network
Receiver
The Receiver is expecting package no. 6. This means that it has successfully received the first 5 packets. The Sender is still sending packet no. 5. In a moment it will receive an acknowledgement containing a request for packet no. 6. When the acknowledgement is received the NextSend counter is updated and the Sender will start sending packet no. 6.
Coloured Petri Nets
27
Coloured Petri Nets
28
Final state
""
Part 2: Hierarchical CP-nets

Received
DATA
INTxDATA
Send
Simple Protocol
str (n,p)
INTxDATA INTxDATA
1`"Modelling and Analysis by Means of Coloured Petri Nets##"
A hierarchical CP-net contains a number of interrelated subnets called pages.
(n,p)
INTxDATA
(n,p)
(n,p)
INTxDATA
Send Packet B
A B
Transmit Packet
8 k 1
HS HS
Sender
Network
Receiver
HS
""
RP NextRec
INT
1 1`9 if n=k then k+1 else k
1 1`8
Received
DATA
Int_0_10
Sender Network
NextSend
D
INTxINT
Receiver
INT
1 1`9
Int_0_10
RA
1 1`8
Receive Packet
C
INT
124
n
Receive Acknow. C
Sender
INTxDATA
D
INT
Transmit Acknow.
Network
Receiver
I/O ""
INT

Send
(n,p)
Received
DATA
Sender
Network
Receiver
INTxDATA
(n,p)
INTxDATA
INTxDATA
INTxDATA
(n,p)
str
Send Packet
n
A
Out
A
In
(n,p)
Transmit Packet
s 8 1
B
Out
B
In
RP
Int_0_10
k 1
NextSend
INT
k n In Out 8
NextRec
Int_0_10
RA
s In
INT
if n=k then k+1 else k Out
Receive Packet
Receive Acknow.
D
INT
D
INT
Transmit Acknow.
C
INT
C
INT
When the last packet, i.e., packet no. 8 reaches the Receiver an acknowledgement with value 9 is sent. When this acknowledgement reaches the Sender the NextSend counter is updated to 9. This means that the Send Packet transition no longer can occur, and hence the transmission stops.
Coloured Petri Nets
29
Coloured Petri Nets
30
Substitution transitions
Simple Protocol with 2 Receivers
INTxDATA INTxDATA
Pages can be used more than once

A RecNo1
INTxDATA
HS ""
B1
Received
DATA
B2 Sender
HS HS
Network
Receiver B1->B C1->C RecNo2

HS ""
Sender C1
INT
Network
Received
DATA
A page may contain one ore more substitution transitions. Each substitution transition is related to a page, i.e., a subnet providing a more detailed description than the transition itself. The page is a subpage of the substitution transition.
D
INTxINT
C2
INT
Receiver B2->B C2->C
There is a well-defined interface between a substitution transition and its subpage:

Sender
INTxDATA
Network
INTxDATA
if Ok(s,r1) then 1`(n,p) else empty
Receiver
I/O
125
Send
(n,p)
B1
INTxDATA
Out
""
Received A
In s
DATA
(n,p)
Transmit Packet
INTxDATA
INTxDATA
B2
(n,p) 8
if Ok(s,r2) then 1`(n,p) else empty
INTxDATA
str
Send Packet
n 1
A
Out
Int_0_10
RP
Out
(n,p)
B
In 8
Int_0_10
RA1 NextSend
INT
k min(n1,n2) In if Ok(s,r) then 1`(n,1) else empty Out s In n
k 1
NextRec
INT
Receive Packet Transmit Acknow. D Receive Acknow. D

INTxINT
1`(n1,1)+ 1`(n2,2) INTxINT n if Ok(s,r) then 1`(n,2) else empty
C1
INT
In Out
C Transmit Acknow.
s 8
C2
INT
The places surrounding the substitution transition are socket places. The subpage contains a number of port places. Socket places are related to port places in a similar way as actual parameters are related to formal parameters in a procedure call. A socket place has always the same marking as the related port place. The two places are just different views of the same place.
INT
RA2
Int_0_10
Substitution transitions work in a similar way as the refinement primitives found in many system description languages e.g., SADT diagrams.
There are two different instances of the Receiver page. Each instance has its own marking.
Coloured Petri Nets
31
Coloured Petri Nets
32
Ring network
HS Site 1to2->Incoming 2to3->Outgoing
Ring Network
PACK
Formal definition of hierarchical CP-nets

The syntax and semantics of hierarchical CP-nets have formal definitions similar to the definitions for non-hierarchical CP-nets
HS
1to2
Site 4to1->Incoming 1to2->Outgoing
Site1
Site2
PACK
4to1
PACK
2to3
HS Site 2to3->Incoming 3to4->Outgoing
HS
Site 3to4->Incoming 4to1->Outgoing
Site4
Site3
3to4
PACK
Each hierarchical CP-net has an equivalent non-hierarchical CP-net and vice versa. The two kinds of nets have the same computational power but hierarchical CP-nets have much more modelling power.
126
PACK Outgoing Out
if #re p <> this() then 1`p else empty
Site
{se=this(), re=r, no=n}
Package
PACK
The equivalence is used for theoretical purposes. In practice, we never translate a hierarchical CP-net into a non-hierarchical CP-net or vice versa.
NewPack
Send
n+1
PackNo
if #re p = this() then 1`p else empty
if #re p <> this() then 1`p else empty
INT
Received
if #re p = this() then 1`p else empty
Receive
PACK
Incoming
PACK
In
Coloured Petri Nets
33
Coloured Petri Nets
34
CP-nets may be large
Protocol for telephone network

Transport layer of a protocol for digital telephone communication.
ISDN#1 DECLARE#4 HIERARCHY#10010 Networks Users USER_TOP#2
U0
A typical industrial application of CP-nets contains: 10-200 pages. 50-1000 places and transitions.
UREQ_GEN#39 NET_TOP#19
N0 N2 N3 N4
10-200 colour sets.

NULL#3 CALL_INI#6 OVERLAP#9 OUTGOING#15 CALL_DEL#16
U7
ROUTING#24
N_SETUP#22
NULL_SET#5
NULL#20 OVERLAP#29 OUTGOING#26 CALL_DEL#28
U_SETUP#21 N_HOLD#44
U1 U2 U3 U4
This corresponds to thousands/millions of nodes in a Place/Transition Net.

CALL_REC#11
U8
U_HOLD#45
N_E_PART#27 U_PROG#41 U_INFO#42

N7 N6
N_D_PART#31 CALL_PRE#38 U_REL#25 U_DISC#23 U_REL_CO#40

N8
CONNECT#12
U9 U10 U11 U12 U19
CALL_REC#32 CONNECT#30
N9
127
Fig. 7.1
INCOMING#13 ACTIVE#7 DISCONNE#8 DISC_IND#18 RELEASE#17
INCOMING#37
N10 N11 N12 N19
ACTIVE#36 DISCONNE#33 DISCONNE#34 RELEASE#35
Most of the industrial applications would be totally impossible without: Colours. Hierarchies.
Computer tools. Overview of the hierarchy structure: Each node represents a page, i.e., a subnet. Each arc represents a transition substitution.
Coloured Petri Nets
35
Coloured Petri Nets
36
Two of the most abstract pages

UserState
U8 In InternalUserReq (u,cref,b,s) (u,m)
Typical page for the user site

In NetworkToUser
Message UserToNetwork
Users
UIntReq
(u,{mt=CLEAR_REQ, ai=Callref cref})
Networks
Message
(u,m)
NetworkToUser Message
CLEAR_REQ
-----------------------------------------------------------------------------------------------------------In NetworkToUser
[#mt m = CONN_ACK, cref= #cr m] [#mt m = DISC, cref= #cr m]
[#mt m = REL, cref= #cr m]
[#mt m = REL_COM, cref= #cr m]
[#mt m = STATUS_ENQ, cref= #cr m]
UREQ
(u,{mt=DISC, cr=cref, ai=null})
(u,{mt = REL_COM, cr = cref, ai = null})
(u, {mt=STATUS, cr=cref, ai=Status 8})
Message
Message
UserToNetwork Out (u,cref,b,s) U11 (u,cref,b,s) U10 (u,cref,b,s) U12 (u,0,none,s)
UIntReq
128
U10 U11 U12 U19
IntUserReq
U0
U0
U1
U2
U3
U4
U7
U8
U9
This page describes the possible actions that can happen when the user site is in state U8: From the network five different kinds of messages may be received. In addition there is one kind of internal user request. In three of the cases a new message is sent to the network site.
UserToNetwork
Out
Message
Coloured Petri Nets
37
Coloured Petri Nets
38
Typical transition
8 CONNECT REQUEST
SDL description of user page
NetworkToUser
Message
(u,m)
CLEAR REQUEST DISC REL CONN ACK REL COM STATUS ENQ ANY OTHER MESSAGE
U8
DISC CONNECT B-CHANNEL TO USER 12 REL COM
(u,cref,b,s)
UserState
[#mt m = STATUS_ENQ, cref= #cr m]
type MessageRec = record mt : MessageType * cr : CallReference * ai : MessageData; type Message = product User * MessageRec;
11 10 RELEASE CRV
RELEASE CRV
FORM CAUSE CALL STATE (U8 OR U10)
OPTION
STATUS
(u, {mt=STATUS, cr=cref, ai=Status 8})
type UserState = product User * CallRef * BChanName * HoldStatus;
129
UserToNetwork Message
Each vertical string of SDL symbols describes a sequence of actions which is translated into a single CPN transition. The translation from SDL to CPN was done manually. The translation is straightforward and it could easily be automated. The graphical shape of a node has a well-defined meaning in SDL. In the CP-net the shape is retained to improve the readability. It has no formal meaning.
This transition describes the actions that are taken when a Status Enquiry message is received in state U8: The guard checks that the message is a Status Enquiry message. It also checks that the Call Reference is correct (i.e., matches the one in the User State token at place U8). A Status message is sent to the network site. It tells that the user site is in state U8.
Coloured Petri Nets
39
Coloured Petri Nets
40
Typical page for the network site

6 CALL PRESENT
SDL description of network page
NetState
N6
(n,u,cref,b,nnr) In NetFromNet
CALL PROC REL COMP
Message
D
ALERT
In
E
UserToNetwork
(u,m)
T303 EXPIRES
NTimerCount NIntReq
STOP T303
(u,m)
PT. MULT. NO YES NO FIRST TIMEOUT YES
(n,cref,second)
T303
(n,cref,second)
(n,cref,first) NBC (n,b,cref, in_use)

START T310 RETAIN CAUSE FROM FIRST REL COMP STOP T303
TimeOutEnab BChan
RECORD INDICATED TERMINAL
(n,cref,count)
(n,cref,count)
RELEASE B-CHANNEL AND CRV STOP T303
SETUP
(n,b, 0,free)
START T303
[#mt m = CALL_PROC, cref= #cr m] "E" FIRST TIMEOUT T303
[#mt m = REL_COM, cref= #cr m]
"D"
[#mt m = ALERT, cref= #cr m]
SECOND TIMEOUT T303
SEND PROG TO CALLING USER WITH CAUSE = NO USER RESPONDING
(n,cref)
T310
(n,b,cref, in_use)
(n,b, 0,free)
SEND PROG WITH SIG = AUD. RING AND RETAINED CALLS TO CALLING USER
FIRST ALERT YES
(n,{mt= N_PROG, ai=nnull}, nnr) (n,{mt= N_PROG, ai=nnull}, nnr)

9 INCOMING CALL PROCEEDING
(u,{mt= SETUP, cr=cref, ai=null})
NO
130
NetToNet Out NetworkToUser Out (n,u,cref,b,nnr)
NTimer
NBC
(n,u,cref, b,nnr)
(n,no,0, none,0)
BChan
(n,u,cref, b,nnr)
[count= first]% (n,{mt= N_ALERT, ai=nnull}, nnr)
(n,{mt=N_PROG, ai=nnull},nnr)
RELEASE B-CHANNEL AND CRV
SEND CALLING USER ALERT
SEND PROG TO CALLING USER WITH SIG = AUD. RING AND IN-BAND AUDIBLE RING
0 NULL
NIntReq
0 NULL 7 CALL RECEIVED 6 CALL PRESENT
N9
N0
N7
NetState
NetState
NetState
Message
Similar structure as for the user page but slightly more complex.
Similar structure as for the user page but slightly more complex. It is easy to see that there is a very straightforward relationship between the SDL page and the corresponding CPN page.
Coloured Petri Nets
41
Coloured Petri Nets
42
Some pages are used many times

ROUTING#24 N_SETUP#22
Practical use of CP-nets
ISDN#1
DECLARE#4
HIERARCHY#10010
Networks
Users
USER_TOP#2
UREQ_GEN#39
NET_TOP#19
U0
NULL#3 OVERLAP#29 OUTGOING#26 CALL_DEL#28 N_E_PART#27 CALL_PRE#38 CALL_REC#32 CONNECT#30 INCOMING#37 ACTIVE#36 DISCONNE#33 DISCONNE#34 RELEASE#35 N_D_PART#31 N_HOLD#44
NULL_SET#5
N0
NULL#20
U_SETUP#21
U1
CALL_INI#6
N2
U2
OVERLAP#9
N3
CP-nets are used in many different areas. A few selected examples are: Communication protocols (BRI, DQDB, ATM). VLSI chips (clocked and self-timed). Banking procedures (check processing and funds transfer). Correctness of ADA programs (rendezvous structure).
U3
OUTGOING#15
U_HOLD#45
N4
U4
CALL_DEL#16
U7
U_PROG#41
CALL_REC#11
N6
U8
U_INFO#42
CONNECT#12
N7
U_REL#25
U9
INCOMING#13
U10
U_DISC#23
N8
U_REL_CO#40
N9
ACTIVE#7
U11
DISCONNE#8
N10
U12
DISC_IND#18
N11
131
U19
RELEASE#17
N12
N19
Fig. 7.1
43 pages with more than 100 page instances. The entire modelling of this fairly complex protocol was made in only 3 weeks (by a single person).
Teleshopping systems. Military systems (radar control post and naval vessel). Security systems (intrusion alarms, etc.). Flexible manufacturing.
According to engineers at the participating telecommunications company, the CPN model was the most detailed behavioural model that they had ever seen for such protocols.
Coloured Petri Nets
43
Coloured Petri Nets
44
Summary of practical experiences
Graphical representation and executability are extremely important.
Part 3: Construction and Simulation of CP-nets

CP-nets have an integrated set of robust computer tools with reliable support: Construction and modification of CPN models. Syntax checking (e.g., types and module interfaces). Interactive simulation, e.g., to gain additional understanding of the modelled system. Can also be used for debugging. Automatic simulations, e.g., to obtain performance measures. Can also be used for prototyping. Verification to prove behavioural properties. State spaces (also called reachability graphs and occurrence graphs). Place invariants. The computer tools are available on: Sun Sparc with Solaris. HP with HPUX Intel PCs with Linux. Macintosh with Mac OS.
Most practical models are large. They cannot be constructed without the hierarchy concepts. Neither can they be constructed or verified without the computer tools.
132
CP-nets are often used together with other graphical description languages, such as SADT, SDL and block diagrams.
This means that the user does not have to learn a completely new language.
CP-nets are well-suited for verification of existing designs in particular concurrent systems.
CP-nets can also be used to design new systems. Then it is possible to use the insight gained through the modelling, simulation and verification activities to improve the design itself.
Coloured Petri Nets
45
Coloured Petri Nets
46
CPN editor
Editor knows syntax of CP-nets

Some kinds of errors are impossible, e.g.: An arc between two places or two transitions. A place with two colour sets or an arc with two arc expressions. A transition with a colour set. Port assignment involving a place which is a non-socket or a non-port. A cyclic set of substitution transitions. The editor behaves intelligently:
U
133
A (x,y) [x<>y] Trans f(x,y)
U
A (x,y) [x<>y] Trans
A (x,y) Trans [x<>y] f(x,y) f(x,y)
Each page is shown in its own window.

B
The user performs an operation by selecting an object and a command for it, e.g.:
Select a transition (by pointing with the mouse). Select the desired command (by pointing in the corresponding drop-down menu). Commands can be performed on a set of objects.
When a node is repositioned or resized the surrounding arcs and inscriptions are automatically adjusted. When a node is deleted the surrounding arcs are automatically deleted.
Coloured Petri Nets
47
Coloured Petri Nets
48
Attributes
In
Easy to experiment
P1
TRANS_REQ
Each graphical object has its own attributes.

(t,r)
FG
[not(locked(r))] ldb Get Record Lock

C
Lock Table
LOCK_DB
They determine how the object appears on the screen/print-outs:

(t,r)
HS
@+CPUlock() In Line Cleaning
P2 PageCleaning (t,r)
TRANS_REQ
Text attributes
(t,r) [buffered(r)] Bypass Disk Access
C
Transition
Transition
[need_disk_read(r), page_clean_proc()] Queue Request

C
Transition
i
tq P3
(trl1,trl2) ([],[])
Graphical attributes
@+CPUbypass() i (TAPP t, DiskReqOfRec(r))
FG
TRANS_REQ_QUEUE
((t,r)::trl1,trl2) i
tq Reserve Page [i>1] i -1

C
P6
APP_REQ
134
(TAPP t,dr) i Read Data From Buffer
C
Shape attributes
Buffer Table
BUFFER_DB
@+CPUreserve() (TAPP t, DiskReqOfRec(r))
P4
APP_REQ
Each kind of objects has its own defaults:
Record Read
HS
DiskAccess @+CPUread() t P5
APP_REQ
Initial Marking
Place Name
Out
Colour Set
(ap,dr) P7
TRANS
(ap,dr) Update Buffer

C
Arc Expression
@+CPUupdate()
Transition Name
[Guard]
Can we improve the layout of this page?
Defaults can be changed and they can be overwritten (for individual objects).
Coloured Petri Nets
49
Coloured Petri Nets
50
Improved layout
DataBase#1
FG
How to make a new subpage

Mes(s) (s,r)
MES
LOCK_DB
In
P1
TRANS_REQ
(t,r)
[not(locked(r))] Lock Table
Sent
Get Record Lock
ldb
(t,r)
@+CPUlock()
P2
s e Mes(s)
MES
In Line Cleaning
HS
Update and Send Messages s r e

e DBM
Receive a Message (s,r)
TRANS_REQ
(t,r)
(t,r)
[buffered(r)]
[need_disk_read(r), page_clean_proc()]
Bypass Disk Access
Queue Request
Waiting
DBM E MES E
Active
Unused Passive
Inactive
DBM
Received
MES
Performing
DBM
@+CPUbypass()
tq
(trl1,trl2)
PageCleaning
e Mes(s) e s s Receive all Acknowledgments
(s,r) r r Send an Acknowledgment
([],[])
P3
TRANS_REQ_QUEUE
((t,r)::trl1,trl2)
tq
FG
135
APP_REQ
HS
Buffer Table
Reserve Page
[i>1]
Mes(s)
Acknowledged
MES
(s,r)
BUFFER_DB
i -1
@+CPUreserve() (TAPP t, DiskReqOfRec(r))
P4
(TAPP t, DiskReqOfRec(r)) DiskAccess
Record Read
i
APP_REQ
P5 (ap,dr)
Update Buffer
C
We want to move the four selected nodes to a new page and replace them by a substitution transition: This is done by a single command called Move to Subpage.
@+CPUupdate()
(ap,dr)
P6
APP_REQ
(TAPP t,dr)
Read Data From Buffer
@+CPUread()
Out
P7
TRANS
Coloured Petri Nets
51
Coloured Petri Nets
52
Result of Move to Subpage

DataBase#1
Move to Subpage is complex
Mes(s)
Sent
MES
(s,r)
Update and Send Messages
Mes(s)
HS
MES
DBM New#2
Waiting
Active
Unused
Passive
Inactive
DBM
MES
DBM
The Move to Subpage command is complex. The command: Checks the legality of the selection (all border nodes must be transitions). Creates the new page. Moves the subnet to the new page. Prompts the user to create a new transition which becomes the supernode for the new subpage.
Mes(s)
s (s,r)
Receive all Acknowledgments
Mes(s)
Acknowledged
136
New#2
r Performing
DBM
MES
In
Sent
(s,r)
MES
Receive a Message
Creates the port places by copying those places which were next to the selected subnet. Calculates the port types (in, out or in/out). Creates the corresponding port inscriptions. Constructs the necessary arcs between the port nodes and the selected subnet.
(s,r)
DBM
I/O
Inactive
Received
DBM
MES
(s,r) r
Send an Acknowledgment
Draws the arcs surrounding the new transition. Creates a hierarchy inscription for the new transition. Updates the hierarchy page. All these things are done in a few seconds.
Out
Acknowledged
(s,r)
MES
Coloured Petri Nets
53
Coloured Petri Nets
54
Top-down and bottom-up
Syntax checking
When a CPN diagram has been constructed it can be syntax checked. The most common errors are: Syntax errors in the declarations. Syntax errors in arc expressions or guards. Type mismatch between arc expressions and colour sets. Syntax checking is incremental: When a colour set, guard or an arc expression is changed, it is sufficient to recheck the nearest surroundings. Analogously, if an arc is added or removed.
137
Move to Subpage supports top-down development. However, it is also possible to work bottom-up or use a mixture of top-down and bottom-up. The Substitution Transition command is used to relate a substitution transition to an existing page. The command: Makes the hierarchy page active. Prompts the user to select the desired subpage; when the mouse is moved over a page node it blinks, unless it is illegal (because selecting it would make the page hierarchy cyclic). Waits until a blinking page node has been selected. Tries to deduce the port assignment by means of a set of rules which looks at the port/socket names and the port/socket types.
Creates the hierarchy inscription with the name and number of the subpage and with those parts of the port assignment which could be automatically deduced.
All CPN diagrams in this set of lecture notes are made by means of the CPN editor.
Updates the hierarchy page.
Coloured Petri Nets
55
Coloured Petri Nets
56
CPN simulator
INTxDATA
Interactive simulation
Send
(n,p) 1 1`"Modelling and Analysis by Means of Colou" ""
Received
DATA
When a syntactical correct CPN diagram has been constructed, the CPN tool generates the necessary code to perform simulations.
INTxDATA
(n,p) (n,p)
INTxDATA
(n,p)
str
Send Packet A
s n 8 1
Transmit Packet
B
1 1`(5,"of Colou")
RP
Int_0_10
1 1`8 1
NextSend
INT
1 1`5 k n 8
NextRec
Int_0_10
The simulation code: Calculates whether the individual transitions and bindings are enabled. Calculates the effect of occurring transitions and bindings.
RA
s 1 1`8
INT
Receive Packet
138
Receive Acknow.
n 1 1`6
The code generation is incremental. Hence it is fast to make small changes to the CPN diagram.
D
INT
Transmit Acknow.
n 1 1`6
C
INT
Sender
Network
Receiver
Simulation results are shown directly on the CP-net: The user can see the enabled transitions and the markings of the individual places. To execute a step, the user: Selects one of the enabled transitions. Then he either enters a binding or asks the simulator to calculate all the enabled bindings, so that he can select one.
We distinguish between two kinds of simulations: In an interactive simulation the user is in control, but most of the work is done by the system. In an automatic simulation the system does all the work.
Coloured Petri Nets
57
Coloured Petri Nets
58
Execution of a step
The simulator: Checks the legality and enabling of the binding. Calculates the result of the execution.
Interactive simulation with random selection of steps
The user determines whether the simulator displays the tokens which are added/removed:
Received
139
1`(3,"alysis b") (n,p) B 1
str
The simulator chooses between conflicting transitions and bindings (by means of a random number generator). The user can observe all details, e.g., the markings the enabling and the added/removed tokens. The simulator shows the page on which each step is executed by moving the corresponding window to the top of the screen. The user can set breakpoints so that he has the necessary time to inspect markings, enablings, etc. A simulation with this amount of graphical feedback is slow (typically a few transitions per minute): It takes a lot of time to update the graphics. A user has no chance to follow a fast simulation. It is possible to turn off selected parts of the graphical feedback, e.g.: Added and removed tokens. Observation of uninteresting pages.
1 1`(3,"alysis b")
1`3
1`"Modelling and Analysis b"
NextRec
1`4
Receive Packet
1 1`3
1`4
Coloured Petri Nets
59
Coloured Petri Nets
60
Automatic simulation
1 2 3 4 5 6 7 8 9 10 11 12 RecAck@(1:Top#1) RecPack@(1:Top#1) SendPack@(1:Top#1) SendPack@(1:Top#1) TranAck@(1:Top#1) TranPack@(1:Top#1) RecPack@(1:Top#1) SendPack@(1:Top#1) TranPack@(1:Top#1) SendPack@(1:Top#1) TranPack@(1:Top#1) RecPack@(1:Top#1)
Simulation report
The simulator chooses between conflicting transitions and bindings (by means of a random number generator).
The user does not intend to follow the simulation: The simulation can be very fast several hundred steps per second. The user specifies some stop criteria, which determine the duration of the simulation. When the simulation stops the graphics of the CP-net is updated.
13 14 15 16 17 18 19 20 TranAck@(1:Top#1) TranPack@(1:Top#1) RecAck@(1:Top#1) SendPack@(1:Top#1) TranAck@(1:Top#1) RecPack@(1:Top#1) RecAck@(1:Top#1) SendPack@(1:Top#1)
140
Then the user can inspect all details of the graphics, e.g., the enabling and the marking.
Automatic simulations can be mixed with interactive simulations.
{n = 1, p = "Modellin"} {n = 1, p = "Modellin", r = 6, s = 8} {n = 1, p = "Modellin"} {n = 1, p = "Modellin", r = 3, s = 8} {k = 1, n = 1, p = "Modellin", str = ""} {n = 1, p = "Modellin"} {n = 1, p = "Modellin"} {n = 2, r = 2, s = 8} {n = 1, p = "Modellin", r = 7, s = 8} {k = 2, n = 1, p = "Modellin", str = "Modellin"} {k = 1, n = 2} {k = 2, n = 1, p = "Modellin", str = "Modellin"} {n = 2, r = 7, s = 8} {n = 1, p = "Modellin", r = 6, s = 8} {k = 2, n = 2} {n = 2, p = "g and An"} {n = 2, r = 6, s = 8} {k = 2, n = 1, p = "Modellin", str = "Modellin"} {k = 2, n = 2} {n = 2, p = "g and An"}
To find out what happens during an automatic simulation the user has a number of choices.
The simulation report shows the transitions which have occurred. The user determines whether he also wants to see the bindings.
Coloured Petri Nets
61
Coloured Petri Nets
62
Charts
u(4) u(3) Inac Short u(2) u(5)
Other kinds of graphics
Packet No
Packets Received
Short
Long
10 9 8 7 6 5 4 3 2 1
u(6)
u(1)
Step No.
Ring Short
00
20
40
60
80
100 120 140 160 180 200
0
u(7)
1 5 5 7 5 4 Successes Failures Lost Enroute

Conn
10
u(10)
141
pack1
Packets
pack2
pack3
NoTo u(8) u(9)
pack4
pack5
pack6
Conn
Inac
pack7
pack8 10
These charts are used to show the progress of a simulation of the simple protocol:
The upper chart is updated each time a new packet is successfully received. The lower chart is updated for each 50 steps.
This graphic is used to display the state of a simple telephone system. The graphics is updated each time one of the telephones changes to a new state: Telephones u(7) and u(8) are connected. Telephone u(2) is calling u(6) which is ringing. Telephone u(10) is calling u(2). This call will not succeed because u(2) already is engaged.
Coloured Petri Nets
63
Coloured Petri Nets
64
Code segments
Standard ML
Each transition may have a code segment, i.e., a sequence of program instructions which are executed each time the transition occurs.
UxU
NoTone
Inactive
Request
(x,y)
Engaged
Free
input (x,y); action UpdateState(x,Long); UpdateState(y,Ringing); UpdateConn(x,y,Call);
(x,y)
Long
UxU
Ringing
Call
142
The instructions in code segment are used to update charts and graphics. This is done by calling a number of library functions. Usually, the code segment does not influence the behaviour of the CP-net (i.e., the enabling and occurrence). However, a code segment may read and write from files. In this way it is possible to input values to be used during the simulation, or to output simulation results.
Declarations, net inscriptions and code segments are specified in a programming language called Standard ML. Strongly typed, functional language. Data types can be: Atomic (integers, reals, strings, booleans and enumerations). Structured (products, records, unions, lists and subsets). Arbitrary complex functions and operations can be defined (polymorphism and overloading). Computational power of expressions are equivalent to lambda calculus (and hence to Turing machines). Developed at Edinburgh University by Robin Milner and his group. Standard ML is well-known, well-tested and very general. Several text books are available.
Coloured Petri Nets
65
Coloured Petri Nets
66
Time analysis
INTxDATA
""
A timed CP-net for protocol

Send
(n,p)
Received
DATA
(n,p)@+wait
INTxDATA INTxDATA
(n,p) str (n,p) (n,p) if OK(s,r) then 1`(n,p) else empty
100 Wait A
s 8 1
wait
Send Packet Transmit Packet
TIME
@+9
n
@+Delay()
k 1
Int_0_10
RP
8
NextSend
INT
k n
NextRec
Int_0_10
RA
s
INT
Receive Packet
CP-nets can be extended with a time concept. This means that the same language can be used to investigate: Logical correctness. Desired functionality, absence of deadlocks, etc. Performance. Remove bottlenecks. Predict mean waiting times and average throughput. Compare different strategies.
Receive Acknow.
n
@+17
D
INT
Transmit Acknow.
if OK(s,r) then 1`n else empty
143
Sender
@+7
@+Delay() Network
INT
In a timed CP-net each token carries a colour (data value) and a time stamp (telling when it can be used).
Receiver
Time stamps are specified by expressions: Time stamps can depend upon colour values.
For the three Send and Receive operations we specify a fixed delay. For the network we specify an interval delay, i.e., random delay between 25 and 75 time units. The token colour on place Wait specifies the delay between two retransmissions of the same packet. The computer tools for CP-nets also support simulation of timed CP-nets.
Time stamps can be specified by probability distributions.
This means that we, e.g., can specify fixed delays, interval delays and exponential delays.
Coloured Petri Nets
67
Coloured Petri Nets
68
Timed simulation of protocol

1
Timed simulations
Time: 570
""
Received
DATA
1`(1,"Modellin")@[218]+ 1`(2,"g and An")@[670]+ 1`(3,"alysis b")@[0]+ INTxDATA 1`(4,"y Means ")@[0]+ 1`(5,"of Colou")@[0]+ Send 1`(6,"red Petr")@[0]+ 1`(7,"i Nets##")@[0]+ (n,p) (n,p)@+wait 1`(8,"########")@[0]
INTxDATA
str (n,p) if OK(s,r) then 1`(n,p) else empty
1`100 B
INTxDATA
Wait
wait
(n,p)
(n,p)
TIME
Send Packet
Transmit Packet
@+9
k 1
@+Delay()
1`(2,"g and An") @[570] NextRec

INT
1
RP Receive Packet @+17
Timed simulations have the same facilities as untimed simulations, e.g.: We can switch between interactive and automatic simulation. Simulation reports tell the time at which the individual transitions occurred. We can use charts and other kinds of reporting facilities. It is easy to switch between a timed and an untimed simulation.
Int_0_10
NextSend 1`3@[548]
1 1`8
INT
1 1`8
1`2@[570]
Int_0_10
RA
144
n
Receive Acknow. C
INT
Transmit Acknow.
INT
@+7
if OK(s,r) then 1`n else empty
@+Delay()
1`3@[593]
Sender
Network
Receiver
Model time is now 570. Send Packet has sent a copy of packet no. 2 at time 570. If no acknowledgement arrives another copy of packet no. 2 will be sent at time 670. The only transition which is enabled at time 570 is Transmit Packet.
Coloured Petri Nets
69
Coloured Petri Nets
70
Charts for a timed simulation
Part 4: Verification of CP-nets
Run No.
Time
200 : 2014
100 : 1576
In this part of the talk we describe the two most important methods for verification of CP-nets: State spaces (also called reachability graphs and occurrence graphs). Place invariants. We also describe how the verification methods are supported by computer tools.
25 : 1080
3500 Time 4000
500
1000
1500
2000
2500
3000
Run No.
Step
145
Step 160
200 : 53
100 : 78
25 : 119
20
40
60
80
100
120
140
Short interval between retransmisions implies fast transmission with heavy use of the network.
Long interval between retransmisions implies slow transmission with less use of the network. To get reliable results it is necessary to make a large number of lengthy simulation runs.
Coloured Petri Nets
71
Coloured Petri Nets
72
State space analysis

(T5,P) #4
State space for resource allocation

x if x=q then 1`q else empty
#3 (T4,P) #2 (T3,P) QQQ 1 P 1 1 P (T1,Q) #6 1 1 0 QQQ P P (T1,Q) #8
3`q
type U = with p | q; type E = with e; var x : U;
e x
T1
2`p x
#1 (T2,P) (T1,Q)
(T4,P)
B if x=p then 1`p else empty

(T1,Q) #5
QQ 0 PQ 0 0 P
1è x
(T2,P)
T2
QQQ 1 P 1 P 2
(T3,P)
#7 QQ 0 PQ 0 1 P
case x of p => 2è | q => 1è

QQQ 1 PP 3 2
C x
QQ 0 PQ 0 P 2
if x=q then 1è else empty x
(T5,P)
146
x
#9
3è
T3
QQ 0 PPQ 2 2
(T5,Q) (T2,Q) #10 (T3,Q) 0 1 2 1 1 2 #11
if x=p then 1è else empty
D
(T1,Q)
Q 0 PPQ 0 2 Q (T4,Q) QQ PP Q QQ PP Q
(T4,Q)
2è x
T4
(T1,Q)
2è x
E
(T5,Q)
case x of p => 2è | q => 1è
QQ 1 PP 1 1 Q #12
Q 0 PPQ 0 1 Q #13
T5
To obtain a finite state space we remove the cycle counters. Otherwise there would be an infinite number of reachable markings.
Directed graph with: A node for each reachable marking (i.e., state). An arc for each occurring binding element.
Coloured Petri Nets
73
Coloured Petri Nets
74
Some questions that can be answered from state spaces

Statistics
Occurrence Graph Nodes: 13 Arcs: 20 Secs: 1 Status: Full Scc Graph Nodes: Arcs: Secs: 1 0 1
State space report for resource allocation system
Boundedness properties: What is the maximal number of tokens on the different places?
What is the minimal number of tokens on the different places? Boundedness Properties
What are the possible token colours?
Home properties:
147
Is it always possible to return to the initial marking?
Liveness properties:
Are all transitions live, i.e., can they always become enabled again?
Upper Integer Bounds A: 3 B: 3 C: 1 D: 1 E: 1 R: 1 S: 3 T: 2 Upper Multi-set Bounds A: 3`q B: 2`p+ 1`q C: 1`p+ 1`q D: 1`p+ 1`q E: 1`p+ 1`q R: 1è S: 3è T: 2è
Lower Integer Bounds A: 1 B: 1 C: 0 D: 0 E: 0 R: 0 S: 0 T: 0 Lower Multi-set Bounds A: 1`q B: 1`p C: empty D: empty E: empty R: empty S: empty T: empty
Coloured Petri Nets
75
Coloured Petri Nets
76
State space report (continued)
Strongly connected components
Home Properties
Home Markings:
All
Liveness Properties
Dead Markings:
None
Live Transitions:
All
Fairness Properties
148
T1: T2: T3: T4: T5:
No Fairness Impartial Impartial Impartial Impartial
Generation of the state space report takes only a few seconds. The report contains a lot of useful information about the behaviour of the CP-net. The report is excellent for locating errors or to increase our confidence in the correctness of the system.
Subgraph where all nodes are reachable from each other. Maximal subgraph with this property.
Coloured Petri Nets
77
Coloured Petri Nets
78
Strongly connected components are very useful

INTxDATA
""
State space for simple protocol

Send
(n,p) 1`(1,"Coloured")+ 1`(2," Petri N")+ 1`(3,"ets#####")+ 1`(4,"########")
Received
DATA
INTxDATA
(n,p) (n,p)
INTxDATA
(n,p)
str
Send Packet A
Max 1 token
s n 1 1
Transmit Packet
B
Max 2 tokens
RP
Int_0_2
NextSend
INT
k n 1
NextRec
Int_0_2
RA
s
INT
Receive Packet
There are often much fewer strongly connected components than nodes: A cyclic system has only one strongly connected component. This is, e.g., the case for the resource allocation system. The strongly connected components can be determined in linear time, e.g., by Tarjans algorithm.
Max 2 tokens
Max 1 token
149
Receive Acknow.
n
D
INT
Transmit Acknow.
C
INT
Strongly connected components can be used to answer questions about home properties and liveness properties.
Sender
Network
Receiver
To obtain a finite state space we limit the number of tokens on the buffer places A, B, C and D. Otherwise there would be an infinite number of reachable markings. Moreover, we now only have 4 packets and a binary choice between success and failure.
Coloured Petri Nets
79
Coloured Petri Nets
80
State space report for protocol

2406 11677 17
Statistics
Occurrence Graph Nodes: 4298 Arcs: 15887 Secs: 53 Status: Full
Scc Graph Nodes: Arcs: Secs:
Boundedness Properties
Upper Integer Bounds A: 1 B: 2 C: 1 D: 2 NextRec: 1 NextSend: 1 RA: 1 RP: 1 Received: 1 Send: 4
Lower Integer Bounds A: 0 B: 0 C: 0 D: 0 NextRec: 1 NextSend: 1 RA: 1 RP: 1 Received: 1 Send: 4
Upper Multi-set Bounds A: 1`(1,"Coloured")+ 1`(2," Petri N")+ 1`(3,"ets#####")+ 1`(4,"########") B: 2`(1,"Coloured")+ 2`(2," Petri N")+ 2`(3,"ets#####")+ 2`(4,"########") C: 1`2+ 1`3+ 1`4+ 1`5 D: 2`2+ 2`3+ 2`4+ 2`5 NextRec: 1`1+1`2+1`3+1`4+1`5 NextSend: 1`1+1`2+1`3+1`4+1`5 RA: 1`1 RP: 1`1 Received: 1`""+ 1`"Coloured"+ 1`"Coloured Petri N"+ 1`"Coloured Petri Nets#####" Send: 1`(1,"Coloured")+ 1`(2," Petri N")+ 1`(3,"ets#####")+ 1`(4,"########") Lower Multi-set Bounds A: empty B: empty C: empty D: empty NextRec: empty NextSend: empty RA: 1`1 RP: 1`1 Received: empty Send: 1`(1,"Coloured")+ 1`(2," Petri N")+ 1`(3,"ets#####")+ 1`(4,"########")
150
Coloured Petri Nets
81
Coloured Petri Nets
82
Investigation of dead marking

We ask the system to display marking number 452.
Home Properties
Home Markings:
[452]
Liveness Properties
452 8:0
452 NextSend = 5 NextRec = 5 Received = "Coloured Petri Nets#####"
Dead Markings: Live Transitions:
1 [452] None
Fairness Properties
Marking no. 452 is the desired final marking (all packets has been received in the correct order) Marking 452 is dead: This implies that the protocol is partially correct (if execution stops it stops in the desired final marking). Marking 452 is a home marking: This implies that we always have a chance to finish correctly (it is impossible to reach a state from which we cannot reach the desired final marking).
151
Send Packet: Transmit Packet: Receive Packet: Transmit Acknow: Receive Acknow:
Impartial Impartial No Fairness No Fairness No Fairness
Generation of the state space report takes only a few seconds.
The report contains a lot of useful information about the behaviour of the CP-net.
The report is excellent for locating errors or to increase our confidence in the correctness of the system.
Coloured Petri Nets
83
Coloured Petri Nets
84
Investigation of shortest path
Drawing of shortest path

We ask the system to draw the first six nodes in the calculated shortest path:
DisplayNodePath; [1,2,3,5,8,11]; > () : unit
We ask the system to calculate one of the shortest paths from the initial marking to the dead marking:
> val path = val path = NodesInPath(1,452); [1,2,3,5,8,11,15,20,27,38,50, 64,80,102,133,164,199,243, 301,375,452] : Node list
1 1:1
1->2 SendPack {p="Coloured",n=1}
1 NextSend = 1 NextRec = 1 Received = ""
Length(path);
> 20 : int
The calculated path contains 20 transitions.
2 1:2
2->3 TranPack {s=1,r=1,p="Coloured",n=1}
2 NextSend = 1 NextRec = 1 Received = "" A = 1`(1,"Coloured")
152
This is as expected because there are 4 packets which each needs 5 transitions to occur.
3 2:2
3->5 RecPack {str="",p="Coloured",n=1,k=1}
3 NextSend = 1`1 NextRec = 1`1 Received = "" B = 1`(1,"Coloured")
5 3:3
5->8 TranAck {s=1,r=1,n=2}
5 NextSend = 1 NextRec = 2 Received = "Coloured" C = 1`2
8 3:2
8->11 RecAck {n=2,k=1}
8 NextSend = 1 NextRec = 2 Received = "Coloured" D = 1`2
11 5:1
11 NextSend = 2 NextRec = 2 Received = "Coloured"
Coloured Petri Nets
85
Coloured Petri Nets
86
Draw subgraph
Non-standard questions
1 1:1
NextSend = 1 NextRec = 1 Received = ""
SendPack
LoosePack
2 1:2
NextSend = 1 NextRec = 1 Received = "" A = 1`(1,"Coloured")
We ask the system to search all arcs in the entire graph and return the first 10 arcs where NextSend has a larger value in the source marking than it has in the destination marking.
TranPack
3 2:2
NextSend = 1 NextRec = 1 Received = "" B = 1`(1,"Coloured")
SendPack
RecPack
LoosePack
4 1:3
5 3:3
NextSend = 1 NextRec = 2 Received = "Coloured" C = 1`2
PredArcs (EntireGraph, fn a => ((ms_to_col(Mark.NextSend 1 (SourceNode a))) > (ms_to_col(Mark.NextSend 1 (DestNode a)))), 10) end;
153
NextSend = 1 NextRec = 2 Received = "Coloured" D = 1`2
RecPack
SendPack
TranAck
TranPack
LoosePack
LooseAck
>[10179,10167,10165,10159,10055,10052,10035, 10031,10019,10007] : Arc list
9 2:2
SendPack RecAck
6 3:4
7 2:1
8 3:2
SendPack
TranPack
SendPack
RecPack
LooseAck
TranAck
14 1:2
13 4:3
12 2:2
10 3:3
11 5:1
NextSend = 4 NextRec = 5 Received = "Coloured Petri Nets#####" A = 1`(4,"########") B = 2`(4,"########") C = 1`5 D = 1`2+ 1`5
NextSend = 2 NextRec = 5 Received = "Coloured Petri Nets#####" A = 1`(4,"########") B = 2`(4,"########") C = 1`5 D = 1`5
NextSend = 1 NextRec = 1 Received = "" A = 1`(1,"Coloured") B = 2`(1,"Coloured")
NextSend = 1 NextRec = 2 Received = "Coloured" A = 1`(1,"Coloured") D = 1`2
2806 1:4
10179:2806->3075 RecAck = {n=2,k=4}
3075 1:4
Coloured Petri Nets
87
Coloured Petri Nets
88
Temporal logic
State spaces are powerful and easy to use. The main drawback is the state explosion, i.e., the size of the state space. The present version of our tool handles graphs with 250,000 nodes and 1,000,000 arcs. For many systems this is not sufficient.
State spaces pro/contra
It is also possible to make questions by means of a CTL-like temporal logic.
Usually CTL focuses on queries about state properties, e.g.: Inv(Pos(M)) checks whether M is a home marking. Ev(dead) checks whether there are any infinite occurrence sequences.
Fortunately, it is sometimes possible to construct much more compact state spaces without loosing information.
154
Our version of CTL also allows queries about transitions and binding elements. Inv(Pos(t in Arc)) checks whether transition t is live.
Timed CP-nets
This is done by exploiting the inherent symmetries of the modelled system. We define two equivalence relations (one for markings and one for binding elements). The condensed state spaces are often much smaller (polynomial size instead of exponential). The condensed state spaces contain the same information as the full state spaces.
The computer tools for CP-nets also support state space analysis of timed CP-nets.
Coloured Petri Nets
89
Coloured Petri Nets
90
Place invariants analysis

INVARIANTS
Example of place invariants

3`(q,0)
A (x,i)
INV
1: PR1
1: 2`p+3`q : U 2: 1è : E 3: 3è : E 4: 2è : E T1 2`(p,0) e 1è

INV
The basic idea is similar to the use of invariants in program verification. A place invariant is an expression which is satisfied for all reachable markings. The expression counts the tokens of the marking using a specified set of weights.
(x,i)
INV
P
e T2
B (x,i)
1: PR1 2: Q 3: Q
We first construct a set of place invariants.

2: ID R
case x of p => 2è | q => 1è
(x,i)
INV
P
3è
INV
C if x=q then 1è else empty T3 (x,i)
1: PR1 2: Q 3: 2*P+2*Q
155
3: ID S
if x=p then 1è else empty 2è e T
(x,i)
INV
D (x,i) T4
Then we check whether they are fulfilled. This is done by showing that each occurring binding element respects the invariants. The removed set of tokens must be identical to the added set of tokens when the weights are taken into account.
INV
1: PR1 3: 2*P+2*Q 4: P
4: ID
2è
(x,i)
INV
P
case x of p => 2è | q => 1è
E (x,i) T5
Finally, we use the place invariants to prove behavioural properties of the CP-net. This is done by a mathematical proof.
1: PR1 3: 2*P+2*Q 4: 2*P+Q
Coloured Petri Nets
91
Coloured Petri Nets
92
Place invariants for resource allocation system

PR1(A+B+C+D+E) = 2`p+3`q R + Q(B+C) = 1è S + Q(B) + (2*P+2*Q)(C+D+E) = 3è T + P(D) + (2*P+Q)(E) = 2è
A more readable version of the place invariants
To specify the weights we use three functions: PR1 is a projection function: (x,i) --> x.
P is an indicator function: (p,i) --> 1è; (q,i) -->. Q is an indicator function: (p,i) --> ; (q,i) -->1è. P and Q counts the number of p and q tokens.
PR1(M(A)+M(B)+M(C)+M(D)+M(E)) = 2`p+3`q
156
M(R) + Q(M(B)+M(C)) = 1è
The place invariants can be used to prove properties of the resource allocation system, e.g., that it is impossible to reach a dead marking.
M(S) + Q(M(B)) + (2*P+2*Q)(M(C)+M(D)+M(E)) = 3è
M(T) + P(M(D)) + (2*P+Q)(M(E)) = 2è
Coloured Petri Nets
93
Coloured Petri Nets
94
Tool support for place invariants
How to use place invariants

Invariants in ordinary programming languages: No one would construct a large program and then expect afterwards to be able to calculate invariants. Instead invariants are constructed together with the program.
Check of place invaritans: The user proposes a set of weights. The tool checks whether the weights constitute a place invariant.
Automatic calculation of all place invariants: This is possible, but it is a very complex task.
Moreover, it is difficult to represent the results on a useful form, i.e., a form which can be used by the system designer.
157
Interactive calculation of place invaritans: The user proposes some of the weights.
The tool calculates the remaining weights if possible.
For CP-nets we should do the same: During the system specification and modelling the designer gets a lot of knowledge about the system. Some of this knowledge can easily be formulated as place invariants. The invariants can be checked and in this way it is possible to find errors. It can be seen where the errors are. Some prototypes of computer tools for invariants analysis do exist. However, none of them are at a state where they can be widely used.
Interactive calculation of place invariants is much easier than a fully automatic calculation.
Coloured Petri Nets
95
Coloured Petri Nets
96
Place invariants pro/contra
Conclusion
One of the main reasons for the success of CP-nets is the fact that we simultaneously have worked with:
TOOLS editing simulation verification
THEORY models basic concepts verification methods
158
From place invariants it is possible to prove many kinds of behavioural properties. Invariants can be used to make modular verification because it is possible to combine invariants of the individual pages. Invariants can be used to verify large systems without computational problems. The user needs some ingenuity to construct invariants. This can be supported by computer tools interactive process. The user also needs some ingenuity to use invariants. This can also be supported by computer tools interactive process. Invariants can be used to verify a system without fixing the system parameters (such as the number of sites in the data base system).
PRACTICAL USE specification investigation verification implementation
Coloured Petri Nets
97
Coloured Petri Nets
98
More information on CP-nets
The following WWW pages contain a lot of information about CP-nets and their computer tools:
Some of the most important papers on high-level nets, their verification methods and applications have been reprinted in:
K. Jensen, G. Rozenberg (eds.): High-level Petri Nets. Theory and Application. Springer-Verlag, 1991, ISBN: 3-540-54125-X.
http://www.daimi.au.dk/CPnets/
A detailed introduction to CP-nets can be found in the following papers/books:
A list of papers that describe industrial use of CP-nets and their tools can be found on:
http://www.daimi.au.dk/CPnets/intro/example_indu.html
L.M. Kristensen, S. Christensen and K. Jensen: The Practitioners Guide to Coloured Petri Nets. Int. Journal on Software Tools for Technology Transfer, 2 (1998), Springer Verlag, 95-191
K. Jensen: An Introduction to the Theoretical Aspects of Coloured Petri Nets. In: J.W. de Bakker, W.-P. de Roever, G. Rozenberg (eds.): A Decade of Concurrency, Lecture Notes in Computer Science vol. 803, Springer-Verlag 1994, 230-272.
159
K. Jensen: An Introduction to the Practical Use of Coloured Petri Nets. In: W. Reisig and G. Rozenberg (eds.): Lectures on Petri Nets II: Applications, Lecture Notes in Compute Science Vol. 1492, Springer-Verlag 1998, 237-292.
K. Jensen: Coloured Petri Nets. Basic Concepts, Analysis Methods and Practical Use. Monographs in Theoretical Computer Science, Springer-Verlag. Vol. 1: Basic Concepts, 1992, ISBN: 3-540-60943-1. Vol. 2: Analysis Methods, 1994, ISBN: 3-540-58276-2. Vol. 3: Practical Use, 1997, ISBN: 3-540-62867-3.
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
Outline
TIMED PETRI NETS Timed places, tokens, arcs, transitions Race and preselection Memory Single and multiple server semantics STOCHASTIC PETRI NETS The exponential distribution Markov chains Isomorphism between SPNs and MCs Example GENERALIZED SPNs Immediate transitions and priority GSPN denition Extended conict sets Isomorphism between GSPNs and MCs Performance indices Example AN APPLICATION OF GSPNS CONCLUSIONS
AN INTRODUCTION TO
GENERALIZED STOCHASTIC PETRI NETS
217
Gianfranco Balbo
Dipartimento di Informatica Universit` di Torino a
Prerequisites
The basic denitions of Petri net theory
places, transitions, arcs, tokens
marking
enabling, ring, reachability
(enabling degree)
TIMED PETRI NETS
conict, confusion
(invariants)
218
Some elementary notions of probability theory
random variable
stochastic process
pdf, PDF
state space
averages
sojourn times
(ergodicity)
(Littles formula)
Items in parentheses are optional.
Timing specications
Timed places
Time is introduced in Petri nets to model the interaction among several activities considering their starting and completion times
Several approaches are possible for the introduction of temporal specications in PN models: time may be associated with places (TPPN): tokens generated in an output place become available to re a transition only after a delay has elapsed; the delay is an attribute of the place
The introduction of time specications corresponds to an interpretation of the model by means of
observation of the autonomous (untimed) model
219
denition of a non-autonomous model
Time specications should provide
consistency among autonomous and non-autonomous models
non-determinism reduction on the basis of time considerations
support for the computation of performance indices
Timed tokens
Timed arcs
time may be associated with tokens:
time may be associated with arcs: a travelling delay is associated with each arc; tokens are available for ring only when they reach a transition
tokens carry a time stamp that indicates when they are available to re a transition; this time stamp can be incremented at each transition ring.
220
8
Timed transitions Atomic ring
time may be associated with transitions (TTPN); transitions represent activities
activity start corresponds to transition enabling, activity end corresponds to transition ring
We shall consider TTPN with atomic ring. TTPN with atomic ring can preserve the basic behaviour of the underlying untimed model. It is thus possible to qualitatively study TTPN with atomic ring exploiting the theory developed for untimed (autonomous) PN (reachability set, invariants, etc.). Timing specications may aect the qualitative behaviour of the PN when they describe constant and interval ring delays.
Dierent ring policies may be assumed:
three-phase ring 1. tokens are consumed from input places when the transition is enabled 2. the delay elapses 3. tokens are generated in output places
221
atomic ring tokens remain in input places for the transition delay; they are consumed from input places and generated in output places when the transition res
10
Internal timer Conicts
We can explain the behaviour of one timed transition with atomic ring by assuming that it incorporates a timer.
When more than one timed transition with atomic ring is enabled, the behaviour is similar, but a problem arises: Which one of the enabled transitions is going to re?
When the transition is enabled, its timer is set to the current delay value
Then, the timer is decremented at constant speed, until it reaches the value zero
222
At this point the transition res
11
12
Selection rules
Memory policies
Two alternative selection rules:
When a timed transition is disabled by a conicting transition, a problem arises: How is the transition timer set when the transition will again become enabled? How does the transition keep memory of its past enabling time?
preselection: the enabled transition that will re is chosen when the marking is entered, according to some metric (priority, probability, ...)
223
race: the enabled transition that will re is the one whose ring delay is minimum
13
14
Basic mechanisms
Transition memory policies
Two basic mechanisms can be dened:
From the two basic mechanisms it is possible to construct several transition memory policies; the usual ones are: Resampling: At each and every transition ring, the timers of all timed transitions in the timed PN system are discarded (restart mechanism). No memory of the past is recorded. After discarding all timers, new values of the timers are set for the transitions that are enabled in the new marking.
Continue: the timer associated with the transition holds the present value and will continue later on the countdown
224
Restart: the timer associated with the transition is restarted, i.e., its present value is discarded and a new value will be generated when needed
15
16
Enabling memory:
Age memory: At each transition ring, the timers of all timed transitions hold their present values (continue mechanism).
At each transition ring, the timers of all timed transitions that become disabled are restarted, whereas the timers of all timed transitions that remain enabled hold their present value (continue mechanism).
225
The memory of the past is recorded with an enabling memory variable associated with each transition.
The memory of the past is recorded with an age memory variable associated with each timed transition. The age memory variable accounts for the work performed by the activity associated with the transition since the time of its last ring. The age memory variable measures the cumulative enabling time of the transition since the last instant of time when it red.
The enabling memory variable accounts for the work performed by the activity associated with the transition since the last instant of time when its timer was set. The enabling memory variable measures the enabling time of the transition since the last instant of time it became enabled.
17
18
Transition enabling
Server semantics
The enabling degree of a transition is the number of times the transition could re in the given marking before becoming disabled. Single-server semantics Innite-server semantics Multiple-server semantics
Three cases are common:
When the enabling degree of a transition is > 1, attention must be paid to the timing semantics.
226
19
20
Single-server semantics:
Innite-server semantics: Every enabling set of tokens is processed as soon as it forms in the input places of the timed transition. Its corresponding ring delay is generated at this time, and the timers associated with all these enabling sets run down to zero concurrently. Multiple enabling sets of tokens are thus processed in parallel. The overall temporal specications of transitions with this semantics depend directly on their enabling degrees
A ring delay is set when the transition is rst enabled, and new delays are generated upon transition ring if the transition is still enabled in the new marking.
Enabling sets of tokens are processed serially and the temporal specication associated with the transition is independent of the enabling degree;
227
21
22
Example of server semantics

Consider a timed transition with enabling degree equal to 3. The three enablings are associated with ring delays equal to 3, 2, and 4 time units.
Multiple-server semantics:
Enabling sets of tokens are processed as soon as they form in the input places of the transition up to a maximum degree of parallelism (say K).
228
For larger values of the enabling degree, the timers associated with new enabling sets of tokens are set only when the number of concurrently running timers decreases below the value K.
0 3 5 9
The overall temporal specications of transitions with this semantics depend directly on their enabling degrees up to a threshold value K
23
24
Queueing policies
Firing and selection rules
Upon ring of a transition, input tokens are removed at random
We consider TTPN with atomic ring and race selection rule. Transitions within one TTPN can use Resampling Enabling memory Age memory and Single-server semantics Innite-server semantics Multiple-server semantics in any combination
229
Specic queueing policies must be explicitly represented at model level
25
26
Probabilistic interpretation
STOCHASTIC PETRI NETS
Timed Transition PN with atomic ring in which all transition delays are random variables with negative exponential distributions are called Stochastic PN (SPN).
230
The dynamic behaviour of a SPN is described through a stochastic process.
28
27
Denitions
Stochastic processes
A random variable is a real function dened over a probability space.
A sample path (or realization) of a stochastic process is a function of time.
Stochastic processes are mathematical models useful for the description of phenomena of a probabilistic nature as a function of a parameter that usually has the meaning of time.
X(t)
231
Xn
A stochastic process {X(t), t T } is a family of random variables dened over the same probability space, indexed by the parameter t and taking values in the state space S.
Continuous time
10
15
20
n Discrete time
29
30
The probabilistic description of a random variable X is given by its probability density function (pdf)
A process that satises the Markov property: P {X(t) x|X(tn) = xn, X(tn1) = xn1, X(t0) = x0} = P {X(t) x|X(tn) = xn } with t > tn > tn1 > > t0 is called a Markovian process.
fX (x) =
d P {X x} dx
<x<
The probabilistic description of a random process is given by the joint pdf of any set of random variables extracted from the process.
If the state space is denumerable, the process is a Markov chain.
232
P {X(t1) x1, X(t2) x2, ..., X(tn) xn } If the parameter t is continuous, the process is a continuoustime Markov chain (CTMC).
In the general case the complete probabilistic description of a random process is not feasible.
MARKOVIAN processes are one special class of stochastic processes for which the probabilistic description is simpler and of particular relevance.
31
32
Exponential distributions
A continuous-time Markov chain (CTMC) is a stochastic process where The exponential pdf fX (x) = ex
(x 0)
sojourn times in states are exponentially distributed random variables
is the only continuous pdf for which the memoryless property holds: P {X > x + |X > } = P {X > x}
the future evolution depends only on the present state, not on the past history
233
X
0
e-
a
normalization
33
34
Given two random variables X and Y with exponential pdf fX (x) = ex (x 0) fY (y) = ey (x 0) (y 0)
The exponential pdf
fX (x) = ex
is dened only by its rate , which is the inverse of its average value:
E[X] =
the new random variable Z = min(X, Y ) also has an exponential pdf fZ (z) = ( + )e(+)z (z 0)
234
In fact,
FZ (z) = 1 P r{Z > z} = 1 P r{X > z, Y > z} = 1 ez ez = 1 e(+)z
(z 0)
35
36
Markov chains
A CTMC can be described through a state transition rate diagram, or equivalently with a state transition rate matrix, also called innitesimal generator, denoted by Q.
The residual sojourn time in a state of a Markov chain is a random variable with the same distribution as the whole sojourn time.
235

Q=

37
38
The solution of a CTMC at time t is the probability distribution over the set of states: The solution of a CTMC at steady-state is the probability distribution over the set of states.
(t) = (1(t), 2(t), 3(t), )
with
i(t) = P {X(t) = i} The steady-state distribution exists for ergodic CTMCs.
It can be proven that The steady-state distribution = (1, 2, 3, ) with i = lim P {X(t) = i}
t
d( ) = ( )Q d whose solution can be formally written as
236
(t) = (0)H(t)
with
H(t) = eQt
is computed as the solution of the linear system of equations Q = 0 with the normalizing condition
i
This is a very elegant solution that is however usually very expensive to compute since the matrix exponentiation is dened by the following innite sum
i = 1
eQ =
(Q )k k! k=0
39
40
Denition of stochastic Petri nets
Formally, an SPN is dened through an 8-tuple: SPNs can be proved to be isomorphic to CTMCs: the reachability graph of the SPN corresponds to the state transition rate diagram of the MC.
SPN = (P, T, I(.), O(.), H(.), W (.), M0)
where
PN = (P, T, I(.), O(.), H(.), M0) is the marked PN underlying the SPN
237
W (.) is a function dened on the set of transitions that associates a rate with each transition. This rate is the inverse of the average ring time of the transition
This can be easily seen in the case of simple subclasses of Petri nets such as: Finite State Machines and Marked Graphs
41
42
SPNs without choices and synchronizations

The probabilistic model that represents the behaviour of the net (Marking Process) is a CTMC
The net has the structure of both a Finite State Machine (no transition has more than one input and one output place) and of a Marked Graph (no place has more than one input and one output transition);
p1 T1 p2 T2
p3 T3
the initial marking contains only one token
238
1 0 0
Each place of the net univocally identies a state of the net.
0 1 0
0 0 1
Each place of the net maps into a state of the corresponding probabilistic model.
The time spent by the token in each of its places is completely determined by the characteristics of the only transition that can withdraw it from that place.
43
44
SPNs with choices

resampling enabling memory age memory
When the ring times of the transitions of the net have negative exponential distributions, their memoryless property makes the distinction among
The net has the structure of a Finite State Machine (no transition has more than one input and one output place);
the initial marking contains only one token
irrelevant and the CTMC corresponding to the SPN is obtained from the net in a straightforward manner.
Conicts arise when several transitions share a common input place

p1 T1 p2
T2 T3 p3 p4
T4 T5
239
A race starts among the simultaneously enabled transitions.
The race is won by one of the transitions and the way of dealing with the partially completed activities of the transitions that were interrupted becomes an issue (in general).

1 0 0 0 0 0 1 0
0 1 0 0

46
0 0 0 1
45
A simple example
More complex situations arise already when several tokens are allowed in the initial markings of these simple models.
p1 T1 p2
T2
Service semantics adopted when the input place of a transition contains several tokens;
IS (on both transitions)

11 20 2 2 02
240
Queueing policy assumed with respect to the tokens residing in the input place of a transition.
SS (on both transitions)

11 20 02
47
48
In general, the CTMC associated with a given SPN system is obtained by applying the following simple rules: 1. The CTMC state space S = {si} corresponds to the reachability set RS(m0) of the PN associated with the SPN (mi si). 2. The transition rate from state si (corresponding to marking mi) to state sj (mj ) is obtained as the sum of the ring rates of the transitions that are enabled in mi and whose rings generate marking mj .
Queueing policy
It is possible to show that when the ring times are exponentially distributed and the performance gures of interest are only related to the moments of the number of tokens in the input place of a transition many queueing policies yield the same results and thus the random order (that is the most natural in the Petri net context) can be assumed.
241
where
Assuming that all the transitions of the net operate with a single-server semantics and marking-independent speeds, and denoting with Q the innitesimal generator, wk the ring rate of Tk , ej (mi) = {h : Th e(mi ) mi[Th mj } the set of transitions that bring the net from mi to mj , the components of Q are: qij =

Tk ej (mi )
wk qi qi =
Tk e(mi )
i = j i = j wk
49
50
Performance indices
Probability of a particular condition (m) of the SPN.
The steady-state distribution is the basis for a quantitative evaluation of the behaviour of the SPN expressed in terms of performance indices. Dene the following reward function: r(m) =

1 0
(m) = true otherwise
These results can be computed using a unifying approach in which proper index functions (also called reward functions) are dened over the markings of the SPN and an average reward is derived using the steady-state probability distribution of the SPN. P {} =
The desired probability is computed using the following expression: mi RS(m0 ) r(mi ) i = mi A i
242
where A = {mi RS(m0) : (mi ) = true}.
Assuming that r(m) represents one of such reward functions, the average reward can be computed using the following weighted sum:
R =
mi RS(m0)
r(mi) i
51
52
Expected value of the number of tokens in a given place.
Mean number of rings per unit of time of a given transition.
In this case the reward function is: A transition may re only when it is enabled, thus the reward function assumes the following form: r(m) =

r(m) = n i m(pj ) = n wj 0
Tj e(m) otherwise
The expected value of the number of tokens in pj is given by:

n>0
e[m(pj )] = [n P {A(j, n)}]
mi RS(m0 )
r(mi ) i = =
243
fj =
The mean number of rings of Tj per unit of time is then given by: mi RS(m0 ) r(mi ) i = =
Mi Aj
where A(j, n) = {mi RS(m0) : mi(pj ) = n} and the sum is obviously limited to values of n k; if the place is k-bounded.
wj i
where Aj = {mi RS(m0) : Tj e(mi )}.
53
54
Example
The SPN description of a simple parallel system P1 Tnewdata P2 Tstart P3 Tpar1 P5 Tsyn P7 TOK P8 TI/O P4 Tpar2 P6 Tcheck
The average steady-state delay spent in traversing a subnetwork can be computed from Littles formla
E[T ] =
E[N ] E[S]
where E[N ] is the average number of (equivalent) tokens in the subnet, and E[S] is the average input rate into the subnet.
244
Delay distributions are in general dicult to compute.
TKO
P9
55
56
P1
Computation of 1, 2:
W(T newdata )
Total rate out of P3 + P4 is: W (Tpar1) + W (Tpar2) With what probability Tpar1 is the rst to re?
P2
W(T start )
2 P4+P5
Therefore:
P3+P4
P3+P6
245
P9 W(T check )
W(T par1 )
W(T par2 )
W (Tpar1) W (Tpar1) + W (Tpar2)
P5+P6
W(T syn)
1 = (W (Tpar1) + W (Tpar2)) = W (Tpar1)
OK
P7
W (Tpar1) W (Tpar1) + W (Tpar2)
KO
P8
W(T I/O )
State space for M(P1) = 1
57
58
Computation of OK , KO :
Parameter specications:
same computation as before:
OK = W (TOK )
KO = W (TKO )
but . . .
246
what is the meaning of W (TOK ) and W (TKO ) ?
check activity: 0.0001
rate of 10, 000
probability of OK/KO is 99% vs. 1%
transition rate value semantics Tnewdata 1 innite-server Tstart 1000 single-server Tpar1 1 10 single-server Tpar2 2 5 single-server Tsyn 2500 single-server TOK 9900 single-server TKO 100 single-server TI/O 25 single-server Tcheck 0.5 single-server
W (TOK ) = 9, 900 and W (TKO ) = 100 The consistency check operation has an average duration 0.0001 time units, and results in a success 99% of the times, and in a failure 1% of the times.
59
60
Performance indices:
Throughput of transition TI/O :
1.504 success/time units
GENERALIZED STOCHASTIC PETRI NETS
Average number of items under test:
247
0.031
Average production time:
0.33 time units
61
62
Two classes of transitions exist in GSPNs:
timed transitions, whose delays are exponentially distributed random variables (like in SPNs)
Immediate transitions have priority over timed transitions.
immediate transitions, whose delays are deterministically zero
Several priority levels for immediate transitions can be dened. Immediate transitions at priority level n are called n-immediate.
Immediate transitions have been introduced in the model The autonomous model associated with a GSPN is a Petri net with priorities.
248
to
to account for instantaneous actions (e.g. choice among classes of clients);
to implement specic modelling features (e.g. empty a place);
to account for time scale dierences (e.g. bus arbitration and I/O accesses).
A transition t is said to have concession in marking M i M I(t) M < H(t). A transition tj is dened to be enabled in markijg M i it has concession in M and tk T that have concession in M , j k .
63
64
Eects induced by the presence of priorities

Reachability M RS() M RS( ) but M RS( ) M RS() Boundedness bounded bounded but not bounded not bounded t1 p1 t2
Eects induced by the presence of priorities
Properties
safety (invariant): must hold in all states
eventuality (progress): must hold in some state
249
RS() RS( )
safety properties are maintained (absence of deadlocks, boundedness, mutual exclusion, . . . )
eventuality properties are not necessarily maintained (reachability, liveness, . . . )

t3 p2 t4
Liveness - home states priority can introduce or remove liveness

66
65
Some ne points:
Markings that enable timed transitions only are said to be tangible, whereas markings that enable n-immediate transitions are said to be vanishing.
1. Need for priority

p1 T2 T1 p2 t1 p3 T2
1 2
p1
p1 T1 p2 t1 p3 t2 p4 T3
1
T3 t2 p4
250
2. Irrelevance of distinction between resampling - enabling - age due to the memoryless property of exponential distributions
p1
2 + +
3. Impossibility of two timers to expire at the same time
probability of extracting a specic sample x is equal to zero
p3
p4
67
68
Denition of generalized stochastic Petri nets

The function W (.) allows the denition of the stochastic component of a GSPN model. In particular, it maps transitions into real positive numbers.
Formally, a GSPN is an 8-tuple: The quantity W (tk ) = wk is called the rate of transition tk if tk is timed the weight of transition tk if tk is n-immediate
GSPN = (P, T, (.), I(.), O(.), H(.), W (.), M0)
where
PN = (P, T, (.), I(.), O(.), H(.), M0) is the marked PN with priority underlying the GSPN
251
W (.) is a function dened on the set of transitions
Rates are used like in SPNs.
The subnets formed by n-immediate transitions must be confusion-free.
Weights are used for the probabilistic resolution of conicts of immediate transitions.
69
70
When a tangible marking is entered, the timed transitions that become enabled for the rst time since their last ring, sample a ring delay instance and set their timer to the sampled value.
Then, all timers of the enabled (timed) transitions are decremented at equal speed, until one of them reaches the value zero.
When a vanishing marking is entered, the weights of the enabled n-immediate transitions are used to probabilistically select the (n-immediate) transition(s) to re. The time spent in any vanishing marking is deterministically equal to zero.
252
72
At this point the transition whose timer reached zero res.
All the transitions that did not re keep their timer readings, and their timers will be again decremented in the next marking in which the transition is enabled.
(Enabling memory was used in the description, but is irrelevant)
71
p1 p1+p4
W(t2) W(t1)+W(t2)
p4
p6
The denition of weights requires the identication of the sets of immediate transitions that can be simultaneously enabled in conict.
W(t1) W(t1)+W(t2)
t1 p2+p4 p3
t2
t3
p2
p3
p5
Such sets of transitions are called Extended Conict Sets (ECSs). W (t3) = 44
W (t1) = 10
W (t2) = 20
note:
253
ECS confusion
The weight of t2 with respect to t1 is always the same, regardless of whether t3 is enabled or not.
When all the ECSs in a GSPN are known, the association of weights to transitions is easy, provided that no confusion exists.
Extensions to marking dependent rates have been dened. The structural and behavioural analysis of the marked PN with priority underlying the GSPN allows the qualitative study of the GSPN behaviour, and in particular the identication of
73
74
Confusion produces dierent transition probabilities
Confusion destroys the locality of conicts

+ 0
p0+p2 t2 t0 p1+p2
0 + 0
p0
t0
p1
p0+p4
1
p3
w0
t1
t0
(a)
t2 p1+p4
t1 p2+p3
p4
p2
t2
254
+ 0
t1 (b) t2 p4 p3
p0+p2 t2 t0
p0
t0
pa
ta
p1
0 + 0
w0
wa
p0+p4
1
pa+p2 t0 pa+p4
1
t2
+ 0
0 ta + 0
p2
p1+p2 ta p1+p4 t2
+ t1 +
p2+p3
75
76
In the case of vanishing markings, the weights of the enabled n-immediate transitions can be used to determine which one will actually re in a marking M that enables more than one conicting n-immediate transitions.
It may however happen that several ECSs comprising transitions of the same priority level are simultaneously enabled in a vanishing marking.
255
wk
When several transitions belonging to the same ECS are the only ones enabled in a given marking, one of them, say transition ti, is selected as a candidate to re with probability: wi P{ ti | M } = WI (M )
The characteristic of the subnets of n-immediate transitions of being confusion-free guarantees that the way in which this choice is performed is irrelevant with respect to the resulting stochastic model.
where WI (M ) is the weight of ECS(ti ) in marking M , and is dened as follows:
WI (M )
k: tk ECS(ti )E(M)
77
78
GSPNs can be proved to be isomorphic to Semi-Markov processes.
The analysis of a GSPN can be performed by studying a CTMC.
The sojourn time in a tangible marking is exponentially distributed with a parameter that is the sum of the rates of all enabled timed transitions, so that the average time spent in marking M is given by:
The state transition rate diagram of the MC corresponds to the tangible reachability graph of the GSPN.
E[SJ(M )]
256
tE(M)
W (t)
The memoryless property of the exponential distribution makes the distinction among
resampling
enabling memory
age memory
irrelevant.
79
80
Numerical solution of GSPN models

Three dierent approaches can be used:
Identify a reduced Embedded Markov Chain dened over the set of tangible markings only;
An embedded Markov chain (EMC) can be recognized disregarding the concept of time and focusing the attention on the set of states of the semi-Markov process.
The specications of a GSPN system are sucient for the computation of the transition probabilities of such a chain.
Compute the transition probabilities among tangible markings directly by applying (on-the-y) a depthrst algorithm that explores all complete vanishing paths emanating from each tangible state. The method assumes that no loops among vanishing states exist and memory saving is traded-o with (possible) repeated computations; Reduce the GSPN to an equivalent SPN obtained by fusing immediate transitions with preceding timed transitions using an algorithm that in the simple cases produces the following reductions
257
t1 p1
Several techniques have been devised for restricting the computation to reduced models accounting for the tangible markings only.
pa Ta pa t2 p2 t3 p3 T1 p1
pa
T2 p2
T3 p3
81
82
Computational considerations Performance indices
The mathematically elegant solution of the model using the REMC suers in practice of the diculties deriving from the size of the CTMC and from time-scale dierences that may exist among the ring rates of the transitions of a model.
From the steady-state probability distribution of markings it is possible to obtain several performance indices that are the basis for a quantitative evaluation of the behaviour of the GSPN.
Approaches that can be used to overcome these diculties are the following:
258
Transient solution
As in the case of SPNs, these results can be computed using the unifying approach based on the denition of reward functions.
Uniformization method
Steady state solution
Time scale decomposition
Tensor algebras and compositionality
Symmetries and exact lumping
Simulation
83
84
Tools
Example
The GSPN description of a simple parallel system P1 Tnewdata P2 tstart P3 Tpar1 P5 tsyn P7 tOK P8 TI/O P4 Tpar2 P6 Tcheck
The applicability of the [(G)S]PN approach to anything but the smallest toy examples rests on the availability of ecient tools for the
model construction (top-down, bottom-up, compositionality)
model debugging (structural analysis)
denition of performance indices
259
model solution (analysis and/or simulation)
computation of aggregate results
tKO
P9
display of results
Good software tools are a must.
The user-friendliness and the graphical capabilities of the tool are of paramount importance.
85
86
transition rate value semantics Tnewdata 1 innite-server Tpar1 1 10 single-server Tpar2 2 5 single-server TI/O 25 single-server Tcheck 0.5 single-server The GSPN model generates 20 tangible markings 18 vanishing markings
260
transition weight priority ECS tstart 1 1 1 tsyn 1 1 2 tOK 99 1 3 tKO 1 1 3
As an example, with the numerical values chosen for the model parameters, the probability of at least one process waiting for synchronization is computed to be 0.238.
The consistency check operation results in a success 99% of the times, and in a failure 1% of the times.
87
88
A case study
The basic model
a kanban system
BBi Ki
OUTPUT BUFFER PART CELL i+1
INPUT BUFFER
PART
idleMi
CELL i-1
JOIN
MACHINE
CARD
IBi enterCelli
CELL i
busyMi inMi outMi
OBi exitCelli
BULLETIN BOARD
CARD
261
A kanban cell and the parts and cards that ow into and out of it
GSPN model of a single Kanban cell
89
90
n-cell sequential Kanban Qualitative analysis
enterCell1
IB1
inM1
busyM1
idleM1
BB1 K1
outM1
A n-cell Kanban model has 2n minimal P-semiows, whose associated P-invariants are: i, 1 i n: M (BBi) + M (IBi) + M (busyMi) + M (OBi) = Ki
OB1
enterCell2
IB2
inM2
busyM2
idleM2
BB2 K2
262
It follows that:
outM2
M (idleMi) + M (busyMi) = 1
OB2
enterCell3
BB3 K3
enterCelln
BBn1 Kn1
The number of parts in cell i is at most Ki, the number of cards in the cell; Each machine can process only one part at a time; Places idleMi and busyMi are mutually exclusive.
IBn
inMn
busyMn
idleMn
BBn Kn
outMn
OBn
exitCelln
91
92
Quantitative analysis
All transitions of the GSPN model are covered by a single minimal T-semiow: it represents the deterministic ow of the unique type of parts processed by the system.
We consider K cards and n = 5 cells of equal machine time (the rate of transitions outMi is 4.0) First case: Input and output inventory in the cells
263
The net behaviour is deterministic: no structural conicts exist, hence neither eective conicts nor confusion can ever arise.
Input buer inventory Output buer inventory Cell 1 Card 2 Cards 3 Cards 1 Card 2 Cards 3 Cards 1 0.486 1.041 1.474 0.514 0.958 1.526 2 0.486 1.040 1.470 0.383 0.713 1.131 3 0.486 1.047 1.478 0.282 0.524 0.811 4 0.486 1.056 1.490 0.170 0.316 0.472 5 0.486 1.073 1.515 0.000 0.000 0.000
The input inventory is fairly constant, while the output inventory decreases as the cell position increases.
93
94
Second case: fault free versus failure prone systems Failure rate is 0.02; Repair rate is 0.4.
Relative Throughput Reduction Throughput
3.00 2.80 2.60 2.40 0.034 2.20
Cells can fail independently;
BBi Ki
Failure free system
0.040
idleMi
Failure prone system
0.038
0.036
Failure in middle cell
264
OBi exitCelli
2.00 1.80 1.60 1 2
IBi
busyMi
enterCelli
inMi
outMi
0.032
Failure in last cell

0.030
repairi
0.028 3
OKi
F AILEDi
f ailurei
Failure free vs. all cells can fail
Middle cell failure vs. nal cell failure In a perfectly balanced Kanban system the cell performance is position-dependent.
Model of a Kanban cell that can fail
95
96
Stochastic Petri net techniques are attractive because they provide a performance evaluation approach based on a formal description.
CONCLUSIONS
This allows the use of the same language for the specication validation performance evaluation implementation documentation of a system.
265
97
98
Two are the main directions of the research being presently conducted in the eld of GSPN-based performance evaluation.
1. Extensions of the GSPN analysis approach to environments in which tokens possess an identity has already been proposed by several authors, and more work is being performed to obtain an environment with a high descriptive power in which the model specication is simple.
266
2. Various approaches are being pursued for the reduction of the complexity of the solution computation with stochastic techniques, possibly producing only partial or approximate results.
Successes in these two elds would make GSPN a prominent modeling technique in the whole area of distributed systems.
99

Petri Nets 2000

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Petri Nets 2000

Uploaded by

Copyright:

Available Formats

Petri Nets 2000

Introductory Tutorial Petri Nets

DEPARTMENT OF COMPUTER SCIENCE UNIVERSITY OF AARHUS

I. Introduction to place/transition-nets II. Basic analysis techniques

I. Introduction to place/transition nets

An example: a vending machine

eady for insertion

eady for insertion nsert coin

reject coin dispense item

holding coin ispense item

holding coin reject coin

ccept coin ready to dispense ccept coin eady to dispense

4 Adding concurrency: a vending machine with capacity 1 ...

reject coin refill dispense item

request for refill

... and its behaviour

reject coin ispense item accept coin refill

reject coin refill

5 Adding bounded storages: a vending machine with capacity 4 ...

reject coin efill ispense item

equest for refill

... and its behaviour

6 Adding unbounded counters: the control part with a counter ...

holding coin dispense item reject coin

... and its behaviour

reject coin dispense item

7 Adding arc weights: the vending machine selling pairs ...

reject coin efill ispense item

equest for refill

... or storing pairs

reject coin efill ispense item

equest for refill

reject coin efill ispense item

equest for refill

... by a capacity restriction

holding coin efill ispense item eject coin

Marked place/transition-nets generalize en-systems

sequential case graph

marking graph (reachability graph, state graph)

Formal denition of marked place/transition-nets

The occurrence rule

8 > > > < 0 m (s) = > > > :

Occurrence sequences and reachability

nite occurrence sequence leading from

there is an occurrence sequence leading from

Notation: [ 0 is the set of all reachable markings An innite sequence = 1 2 3 . . . is an

innite occurrence sequence enabled at

m0 (denoted ! ) set of reachable markings [m0 i t set of triples (m t m0 ) such that m ;! m0

Behavioral properties of marked p/t-nets

15 A marked p/t-net which is not deadlock-free and its marking graph

So the number of reachable markings does not exceed ( ( 1 ) + 1) ( ( 2 ) + 1) where

sn g is the (nite !) set of places n

Example an unbounded marked p/t-net which is not reversible

Example a live and 1safe marked p/t-net which is not reversible

Substituting capacities ...

holding coin efill ispense item eject coin

... by complement places

reject coin efill ispense item

equest for refill

Replacing a weak capacity restrictiction by a weak complement

Replacing a strong capacity restrictiction by a strong complement

Inhibitor arcs for null tests

t is only enabled at a marking m if m(s) = 0

s t) is an inhibitor arc then