Application and Theory of Petri Nets and Concurrency

L. Pomello

Joint Proceedings of: »PNSE’13« International Workshop on Petri Nets and Software Engineering »ModBE’13« International Workshop on Modeling and Business Environments Satellite events of the 34th International Conference on Application and Theory of Petri Nets and Concurrency Milano, Italy, June, 2013 Compilation Editor: Daniel Moldt University of Hamburg Department of Informatics Theoretical Foundations of Informatics Vogt-Kölln-Str. 30 D-22527 Hamburg Germany http://www.informatik.uni-hamburg.de/TGI/ These proceedings are published online by the editor as Volume 989 at CEUR Workshop Proceedings ISSN 1613-0073 http://ceur-ws.org/Vol-989 Copyright c 2013 for the individual papers by the papers’ authors. Copying permitted only for private and academic purposes. This volume is published and copyrighted by its editors. Contents PNSE’13 Proceedings Part I PNSE’13: Invited Talk Coordination for Situated MAS: Towards an Event-driven Architecture Andrea Omicini and Stefano Mariani . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Part II PNSE’13: Long Presentations A Canonical Contraction for Safe Petri Nets Thomas Chatain and Stefan Haar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Symbolic Verification of ECA Rules Xiaoqing Jin, Yousra Lembachar and Gianfranco Ciardo . . . . . . . . . . . . . . 41 Soundness of Workflow Nets with an Unbounded Resource is Decidable Vladimir A. Bashkin and Irina A. Lomazova . . . . . . . . . . . . . . . . . . . . . . . . 61 Modeling Distributed Private Key Generation by Composing Petri Nets Luca Bernardinello, Görkem Kılınç, Elisabetta Mangioni and Lucia Pomello . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 Integrating Web Services in Petri Net-based Agent Applications Lawrence Cabac, Tobias Betz, Michael Duvigneau, Thomas Wagner and Matthias Wester-Ebbinghaus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 Petri Nets as a Means to Validate an Architecture for Time Aware Systems Francesco Fiamberti, Daniela Micucci and Francesco Tisato . . . . . . . . . . . 117 Part III PNSE’13: Short Presentations A Framework for Efficiently Deciding Language Inclusion for Sound Unlabelled WF-Nets Dennis Schunselaar, Eric Verbeek, Wil van der Aalst and Hajo A. Reijers135 Introducing Catch Arcs to Java Reference Nets Lawrence Cabac and Michael Simon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 A System Performance in Presence of Faults Modeling Framework Using AADL and GSPNs Belhassen Mazigh and Kais Ben Fadhel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 Coloured Petri Nets Refinements Christine Choppy, Laure Petrucci and Alfred Sanogo . . . . . . . . . . . . . . . . . . 187 Petri Nets-Based Development of Dynamically Reconfigurable Embedded Systems Tomáš Richta, Vladimír Janoušek and Radek Kočí . . . . . . . . . . . . . . . . . . . 203 Decomposing Replay Problems: A Case Study Eric Verbeek and Wil van der Aalst . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219 Part IV PNSE’13: Short Papers Building Petri Nets Tools around Neco Compiler Łukasz Fronc and Franck Pommereau . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239 RT-Studio: A Tool for Modular Design and Analysis of Realtime Systems Using Interpreted Time Petri Nets Rachid Hadjidj and Hanifa Boucheneb . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247 Part V PNSE’13: Poster Abstracts A Tool to Synthesize Intelligible State Machine Models from Choreography using Petri Nets Toshiyuki Miyamoto and Hiroyuki Oimura . . . . . . . . . . . . . . . . . . . . . . . . . . 257 Transforming Platform Independent CPN Models into Code for the TinyOS Platform: A Case Study of the RPL Protocol Vegard Veiset and Lars Michael Kristensen . . . . . . . . . . . . . . . . . . . . . . . . . . 259 ModBE’13 Proceedings Part VI ModBE’13: Invited Talk Knowledge and Business Intelligence Technologies in CrossEnterprise Environments for Italian Advanced Mechanical Industry Ernesto Damiani and Paolo Ceravolo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 Part VII ModBE’13: Long Presentations Optimizing Algebraic Petri Net Model Checking by Slicing Yasir Imtiaz Khan and Matteo Risoldi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 A Proposal for the Modeling of Organizational Structures and Agent Knowledge in MAS Lawrence Cabac, David Mosteller, Matthias Wester-Ebbinghaus . . . . . . . . 295 Mining Declarative Models Using Time Intervals Jan Martijn van der Werf, Ronny Mans and Wil van der Aalst . . . . . . . . 313 Part VIII ModBE’13: Short Presentation Improving Emergency Department Processes Using Coloured Petri Nets Khodakaram Salimifard, Seyed Yaghoub Hosseini and Mohammad Sadegh Moradi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335 Part IX ModBE’13: Poster Abstracts Advantages of a Full Integration between Agents and Workflows Thomas Wagner and Lawrence Cabac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353 Cloud Transition for QoS Modeling of Inter-Organizational Workflows Soﬁane Bendoukha and Lawrence Cabac . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355 Editors: Daniel Moldt and Heiko Rölke Proceedings of the International Workshop on P etri N ets and S oftware E ngineering PNSE’13 University of Hamburg Department of Informatics These proceedings are published online by the editors as Volume 989 at CEUR Workshop Proceedings ISSN 1613-0073 http://ceur-ws.org/Vol-989 Copyright for the individual papers is held by the papers’ authors. Copying is permitted only for private and academic purposes. This volume is published and copyrighted by its editors. Preface These are the proceedings of the International Workshop on Petri Nets and Software Engineering (PNSE’13) in Milano, Italy, June 24–25, 2013. It is a co-located event of Petri Nets 2013, the 34th international conference on Applications and Theory of Petri Nets and Concurrency. More information about the workshop can be found at http://www.informatik.uni-hamburg.de/TGI/events/pnse13/ For the successful realisation of complex systems of interacting and reactive software and hardware components the use of a precise language at diﬀerent stages of the development process is of crucial importance. Petri nets are becoming increasingly popular in this area, as they provide a uniform language supporting the tasks of modelling, validation, and veriﬁcation. Their popularity is due to the fact that Petri nets capture fundamental aspects of causality, concurrency and choice in a natural and mathematically precise way without compromising readability. The use of Petri Nets (P/T-Nets, Coloured Petri Nets and extensions) in the formal process of software engineering, covering modelling, validation, and veriﬁcation, will be presented as well as their application and tools supporting the disciplines mentioned above. The program committee consists of: Wil van der Aalst (The Netherlands) Kamel Barkaoui (France) Didier Buchs (Switzerland) Lawrence Cabac (Germany) Piotr Chrzastowski-Wachtel (Poland) Gianfranco Ciardo (USA) José-Manuel Colom (Spain) Jörg Desel (Germany) Raymond Devillers (Belgium) Jorge C.A. de Figueiredo (Brasilia) Giuliana Franceschinis (Italy) Luís Gomes (Portugal) Stefan Haar (France) Serge Haddad (France) Xudong He (USA) Kees van Hee (The Netherlands) Thomas Hildebrandt (Danmark) Kunihiko Hiraishi (Japan) Vladimír Janoušek (Czech republic) Gabriel Juhás (Slovakia) Peter Kemper (USA) Astrid Kiehn (India) 10 PNSE’13 – Petri Nets and Software Engineering Hanna Klaudel (France) Radek Kočí (Czech republic) Fabrice Kordon (France) Maciej Koutny (United Kingdom) Lars Kristensen (Norway) Michael Köhler-Bußmeier (Germany) Johan Lilius (Finland) Robert Lorenz (Germany) Daniel Moldt (Germany) (Chair) Chun Ouyang (Australia) Wojciech Penczek (Poland) Laure Petrucci (France) Lucia Pomello (Italy) Heiko Rölke (Germany) (Chair) Catherine Tessier (France) H.M.W. (Eric) Verbeek (Netherlands) Karsten Wolf (Germany) We received 25 high-quality contributions. For each paper three to four reviews were made. The program committee has accepted six of them for full presentation. Furthermore the committee accepted six papers as short presentations and two short papers. Two more contributions were accepted as posters. The international program committee was supported by the valued work of Edmundo López Bóbeda, Görkem Kılınç, Reng Zeng, Benoît Barbot, Alexis Marechal and Artur Meski as additional reviewers. Their work is highly appreciated. Furthermore, we would like to thank our colleagues in the local organization team at the University of Milano, Italy, for their support. Without the enormous eﬀorts of authors, reviewers, PC members and the organizational team this workshop wouldn’t provide such an interesting booklet. Thanks! Daniel Moldt and Heiko Rölke Hamburg, June 2013 PNSE’13 Proceedings Part I PNSE’13: Invited Talk Coordination for Situated MAS: Towards an Event-driven Architecture Andrea Omicini and Stefano Mariani . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Part II PNSE’13: Long Presentations A Canonical Contraction for Safe Petri Nets Thomas Chatain and Stefan Haar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Symbolic Verification of ECA Rules Xiaoqing Jin, Yousra Lembachar and Gianfranco Ciardo . . . . . . . . . . . . . . 41 Soundness of Workflow Nets with an Unbounded Resource is Decidable Vladimir A. Bashkin and Irina A. Lomazova . . . . . . . . . . . . . . . . . . . . . . . . 61 Modeling Distributed Private Key Generation by Composing Petri Nets Luca Bernardinello, Görkem Kılınç, Elisabetta Mangioni and Lucia Pomello . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 Integrating Web Services in Petri Net-based Agent Applications Lawrence Cabac, Tobias Betz, Michael Duvigneau, Thomas Wagner and Matthias Wester-Ebbinghaus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 Petri Nets as a Means to Validate an Architecture for Time Aware Systems Francesco Fiamberti, Daniela Micucci and Francesco Tisato . . . . . . . . . . . 117 Part III PNSE’13: Short Presentations A Framework for Efficiently Deciding Language Inclusion for Sound Unlabelled WF-Nets Dennis Schunselaar, Eric Verbeek, Wil van der Aalst and Hajo A. Reijers135 Introducing Catch Arcs to Java Reference Nets Lawrence Cabac and Michael Simon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 A System Performance in Presence of Faults Modeling Framework Using AADL and GSPNs Belhassen Mazigh and Kais Ben Fadhel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 Coloured Petri Nets Refinements Christine Choppy, Laure Petrucci and Alfred Sanogo . . . . . . . . . . . . . . . . . . 187 Petri Nets-Based Development of Dynamically Reconfigurable Embedded Systems Tomáš Richta, Vladimír Janoušek and Radek Kočí . . . . . . . . . . . . . . . . . . . 203 Decomposing Replay Problems: A Case Study Eric Verbeek and Wil van der Aalst . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219 Part IV PNSE’13: Short Papers Building Petri Nets Tools around Neco Compiler Łukasz Fronc and Franck Pommereau . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239 RT-Studio: A Tool for Modular Design and Analysis of Realtime Systems Using Interpreted Time Petri Nets Rachid Hadjidj and Hanifa Boucheneb . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247 Part V PNSE’13: Poster Abstracts A Tool to Synthesize Intelligible State Machine Models from Choreography using Petri Nets Toshiyuki Miyamoto and Hiroyuki Oimura . . . . . . . . . . . . . . . . . . . . . . . . . . 257 Transforming Platform Independent CPN Models into Code for the TinyOS Platform: A Case Study of the RPL Protocol Vegard Veiset and Lars Michael Kristensen . . . . . . . . . . . . . . . . . . . . . . . . . . 259 Part I PNSE’13: Invited Talk Coordination for Situated MAS: Towards an Event-driven Architecture Andrea Omicini and Stefano Mariani Dipartimento di Informatica–Scienza e Ingegneria (DISI) Alma Mater Studiorum–Università di Bologna, Italy {andrea.omicini, s.mariani}@unibo.it Abstract Complex software systems modelled as multi-agent systems (MAS) are characterised by activities that are generated either by agents, or by the environment in its most general acceptation—that is, environmental resources and the spatio-temporal fabric. Modelling and engineering complex multi-agent systems (MAS) – such as pervasive, adaptive, and situated MAS – requires then to properly handle diverse classes of events: agent operations, resource events, spatio-temporal situation. In the following, ﬁrst we devise out the requirements for a software architecture for an agent-based middleware based on boundary artefacts, then we sketch a concrete architecture based on the TuCSoN middleware for MAS coordination. 1 Motivation Today’s complex computational systems more and more require strict coupling with the environment: pervasive, adaptive, self-organising systems need to work as situated systems, able to react to relevant changes in the environment, and to possibly act over it appropriately and timely. Interaction with the environment is then one of the main issue in complex computational systems nowadays [1]. On the other hand, agent-oriented abstractions and technologies provide a solid ground for complex system modelling and engineering: in particular, metamodels like A&A [2], middlewares like CArtAgO [3], JADE [4], TuCSoN [5], agent-oriented methodologies like Gaia [6], PASSI [7] and SODA [8] already proved their eﬀectiveness in dealing with the engineering of complex software systems [9]. The reactive nature of situated systems, however, does not cope well with the proactive nature of agency, at least not with no compromise: in particular, the event-driven computational model pushed by system situation does not match straightforwardly the typical high-level programming model of agent-oriented languages—in particular those for intelligent agents. While such issues are typically faced with more articulated agent languages and architectures – like hybrid agents architectures –, their increasing complexity (in particular in size and number of components and events) mandates for principled solutions, possibly at system level rather than at single-component level. Accordingly, in the following we sketch an event-driven architecture for agent middleware exploiting coordination abstractions for event handling, discuss its 18 PNSE’13 – Petri Nets and Software Engineering abstract features, and describe a possible reiﬁcation as a concrete architecture based on the TuCSoN middleware for multi-agent system (MAS) coordination. 2 MAS as Event-driven Systems Situated systems have to deal with the environment as the main source of activity, as well as the foremost target for their own activity. Environment activity is typically modelled in terms of events, whose interaction with computational systems is articulated in a number of stages: at least, selection of potentiallyrelevant events, perception of selected events, delivering of perceived events to designed components, elaboration of events by components. Moreover, situatedness also means reactiveness to the spatio-temporal fabric: perceiving and reacting to events related to location and motion in space, and to the passage of time, are essential features of mobile and pervasive computing applications. In the overall, dealing with situatedness basically requires an event-driven programming model, along with a suitable choice of the representation language for environment events. On the other hand, modelling a complex computational system as a MAS basically accounts to encapsulating system activities within agents. Whereas the notion of environment as a sort of external source of event is more or less easy to accept, the same does not hold for agents. However, agents in an open MAS are possibly not designed and controlled by the MAS designer: so, their activity should be in principle handled again as an unpredictable source of events: either for openness, or for the intrinsic complexity that an agent behaviour may in principle encapsulate. Accordingly, both organisation and security issues require modelling agents, too, as (possibly unpredictable) event sources within MAS, to be possibly handled via event-driven engineering techniques. As a result, an event-driven view of MAS is possible, where agents and the environment are the sources of all activities, and the overall behaviour of the MAS is obtained by suitably modelling activities as events, and governing them through suitable event-driven models and technologies. 3 Boundary & Coordination Artefacts Whereas agents and environment are the most suitable abstractions to handle activities in a MAS, artefacts – being reactive by deﬁnition – are the most suitable abstractions to encapsulate reactive behaviours—so, the most suitable way to handle events in a complex MAS, according to the A&A meta-model [2]. The ﬁrst issue is to map activities of any sort – even possibly unpredictable ones – upon a set of admissible events—that is, those events that are accepted and handled by the MAS. Apart from an appropriate model, this requires suitably-deﬁned architectural abstractions embedding such a mapping. This is in fact the role of boundary artefacts, which mediate between agents and the MAS, as well as between the MAS and its environment. A. Omicini and S. Mariani: Coordination for Situated MAS 19 In particular, we envision a principled MAS architecture where each agent and each resource in the environment is associated to its own boundary artefact, working on the one hand as a proxy for the agent / resource within the MAS, on the other hand as a sort of interface for the agent / resource towards the MAS. Known examples of boundary artefacts are Agent Communication Contexts [10] and the abstractions of Law-Governed Linda [11]. However, once brought within a MAS by a boundary artefact, an admissible event has to be handled to possibly generate other events and / or computational activities, deﬁning the overall behaviour of a MAS: for instance, to aggregate events from resources, like a bunch of sensors. This is the role of coordination artefacts [12], which capture admissible MAS events, and associate them to computational activities implementing coordination laws, possibly generating further events, and giving raise to event chains. With respect to the classiﬁcation of artefacts introduced by the A&A metamodel [13], individual and resource artefacts are basically represented here by boundary artefacts, whereas social artefacts play roughly the role of coordination artefacts, here. In principle, however, boundary artefacts have a much more limited function with respect to individual and resource artefacts, which are devoted also to contain the basic coordination policies related to individual agents and resources. Then, a more precise architectural mapping would require individual coordination artefacts to be associated to boundary artefacts in order to achieve the same sort of architectural functionality provided by A&A individual artefacts. 4 A Concrete Event-driven Architecture in TuCSoN The abstract architecture sketched above essentially models complex MAS as composed of proactive entities (agents, environment resources, space-time fabric) and reactive entities (boundary and coordination artefacts), connected together by a net of co-ordinated events. Quite unsurprisingly, a possible reiﬁcation of such an abstract architecture can be designed upon the TuCSoN middleware for MAS coordination [5]. First of all, it is quite easy to map coordination artefacts upon ReSpecT tuple centres [14], which are the coordination abstraction provided by TuCSoN. There, computational activities devoted to MAS coordination can be represented in terms of the ReSpecT logic-based speciﬁcation language [15], allowing admissible events to be associated to reactions, possibly generating further events within a MAS. Then, two middleware abstractions play the role of boundary artefacts in TuCSoN: agent coordination contexts (ACC) [16], for agents, and transducers [17], for resources. On the one hand, ACC play the role of security and organisation abstractions [18]: each agent has an associated ACC that mediates all the agent interactions with the TuCSoN system, working both as its representative within the TuCSoN-coordinated MAS, and as its interface towards the MAS itself, providing the agent with available operations. On the other hand, trans- 20 PNSE’13 – Petri Nets and Software Engineering ducers [17] are in charge of representing individual resources, along with their own peculiar ways of interacting: each portion of the MAS environment represented by a resource is associated to its speciﬁc transducer, capable of two-way interaction to map meaningful resource events upon admissible MAS events. Mapping our abstract event-driven architecture upon the TuCSoN middleware obviously mandates for a complete event driven model. In TuCSoN, this is achieved by (i) generalising the TuCSoN notion of admissible event, and (ii) extending ReSpecT as a full-ﬂedge event-driven language, capable of dealing with general-purpose events, enabling ReSpecT tuple centres to work as event-driven abstractions for MAS coordination—as discussed in [19]. In order to test the eﬀectiveness of the abstract architecture depicted above, as well as of the corresponding TuCSoN-based concrete architecture for eventdriven engineering of complex MAS, experiments were conducted, by exploiting the TuCSoN technology in complex application scenarios. In particular, TuCSoN is currently adopted for the implementation of the Molecules of Knowledge (MoK for short) model for knowledge self-organisation [20], and for the testing of the SAPERE middleware for pervasive adaptive services [21]. The TuCSoN middleware is available as an open source project [22], and in its current stage of development features ACC in its main distribution. The most general notion of transducers (with transducer managers for middleware lifecycle) and the complete situated version of ReSpecT are instead currently under testing. Acknowledgements The authors would like to thank the organisers of PNSE’13 and ModBE’13 – and in particular Daniel Moldt – for inviting our contribution. This work has been supported by the EU-FP7-FET Proactive project SAPERE – Self-Aware PERvasive service Ecosystems, under contract no. 256873. References 1. Weyns, D., Omicini, A., Odell, J.J.: Environment as a ﬁrst-class abstraction in multi-agent systems. Autonomous Agents and Multi-Agent Systems 14(1) (February 2007) 5–30 Special Issue on Environments for Multi-agent Systems. 2. Omicini, A., Ricci, A., Viroli, M.: Artifacts in the A&A meta-model for multiagent systems. Autonomous Agents and Multi-Agent Systems 17(3) (December 2008) 432–456 Special Issue on Foundations, Advanced Topics and Industrial Perspectives of Multi-Agent Systems. 3. Ricci, A., Viroli, M., Omicini, A.: CArtAgO: A framework for prototyping artifactbased environments in MAS. In Weyns, D., Parunak, H.V.D., Michel, F., eds.: Environments for MultiAgent Systems III. Volume 4389 of LNAI. Springer (May 2007) 67–86 3rd International Workshop (E4MAS 2006), Hakodate, Japan, 8 May 2006. Selected Revised and Invited Papers. A. Omicini and S. Mariani: Coordination for Situated MAS 21 4. Bellifemine, F.L., Caire, G., Greenwood, D.: Developing Multi-Agent Systems with JADE. Wiley (February 2007) 5. Omicini, A., Zambonelli, F.: Coordination for Internet application development. Autonomous Agents and Multi-Agent Systems 2(3) (September 1999) 251–269 Special Issue: Coordination Mechanisms for Web Agents. 6. Zambonelli, F., Jennings, N.R., Wooldridge, M.J.: Developing multiagent systems: The Gaia methodology. ACM Transactions on Software Engeneering Methodologies 12(3) (2003) 317–370 7. Cossentino, M., Gaglio, S., Sabatucci, L., Seidita, V.: The PASSI and agile PASSI MAS meta-models compared with a unifying proposal. In Pechoucek, M., Petta, P., Varga, L.Z., eds.: Multi-Agent Systems and Applications IV. Volume 3690 of LNCS., Springer (2005) 183–192 4th International Central and Eastern European Conference on Multi-Agent Systems, CEEMAS 2005, Budapest, Hungary, September 15-17, 2005, Proceedings. 8. Molesini, A., Omicini, A., Denti, E., Ricci, A.: SODA: A roadmap to artefacts. In Dikenelli, O., Gleizes, M.P., Ricci, A., eds.: Engineering Societies in the Agents World VI. Volume 3963 of LNAI. Springer (June 2006) 49–62 6th International Workshop (ESAW 2005), Kuşadası, Aydın, Turkey, 26–28 October 2005. Revised, Selected & Invited Papers. 9. Zambonelli, F., Omicini, A.: Challenges and research directions in agent-oriented software engineering. Autonomous Agents and Multi-Agent Systems 9(3) (November 2004) 253–283 Special Issue: Challenges for Agent-Based Computing. 10. Di Stefano, A., Santoro, C.: Modeling multi-agent communication contexts. In: 1st International Joint Conference on Autonomous Agents & Multiagent Systems (AAMAS 2002), Bologna, Italy, ACM Press (15–19 July 2002) 174–175 Proceedings. 11. Minsky, N.H., Leichter, J.: Law-Governed Linda as a coordination model. In Ciancarini, P., Nierstrasz, O., Yonezawa, A., eds.: Object-based Models and Languages for Concurrent Systems. Volume 924 of LNCS. Springer (1995) 125–146 12. Omicini, A., Ricci, A., Viroli, M., Castelfranchi, C., Tummolini, L.: Coordination artifacts: Environment-based coordination for intelligent agents. In Jennings, N.R., Sierra, C., Sonenberg, L., Tambe, M., eds.: 3rd international Joint Conference on Autonomous Agents and Multiagent Systems (AAMAS 2004). Volume 1., New York, USA, ACM (19–23 July 2004) 286–293 13. Omicini, A., Ricci, A., Viroli, M.: Agens Faber: Toward a theory of artefacts for MAS. Electronic Notes in Theoretical Computer Science 150(3) (29 May 2006) 21–36 1st International Workshop “Coordination and Organization” (CoOrg 2005), COORDINATION 2005, Namur, Belgium, 22 April 2005. Proceedings. 14. Omicini, A., Denti, E.: From tuple spaces to tuple centres. Science of Computer Programming 41(3) (November 2001) 277–294 15. Omicini, A.: Formal ReSpecT in the A&A perspective. Electronic Notes in Theoretical Computer Science 175(2) (June 2007) 97–117 5th International Workshop on Foundations of Coordination Languages and Software Architectures (FOCLASA’06), CONCUR’06, Bonn, Germany, 31 August 2006. Post-proceedings. 16. Omicini, A.: Towards a notion of agent coordination context. In Marinescu, D.C., Lee, C., eds.: Process Coordination and Ubiquitous Computing. CRC Press, Boca Raton, FL, USA (October 2002) 187–200 17. Casadei, M., Omicini, A.: Situated tuple centres in ReSpecT. In Shin, S.Y., Ossowski, S., Menezes, R., Viroli, M., eds.: 24th Annual ACM Symposium on Applied Computing (SAC 2009). Volume III., Honolulu, Hawai’i, USA, ACM (8–12 March 2009) 1361–1368 22 PNSE’13 – Petri Nets and Software Engineering 18. Omicini, A., Ricci, A., Viroli, M.: Agent Coordination Contexts for the formal speciﬁcation and enactment of coordination and security policies. Science of Computer Programming 63(1) (November 2006) 88–107 Special Issue on Security Issues in Coordination Models, Languages, and Systems. 19. Mariani, S., Omicini, A.: Event-driven programming for situated MAS with ReSpecT tuple centres. In: Workshop on Agent Based Computing: From Model to Implementation X (ABC:MI 2013), Koblenz, Germany (September 2013) Proceedings. 20. Mariani, S., Omicini, A.: Molecules of Knowledge: Self-organisation in knowledgeintensive environments. In Fortino, G., Bădică, C., Malgeri, M., Unland, R., eds.: Intelligent Distributed Computing VI. Volume 446 of Studies in Computational Intelligence., Springer (2013) 17–22 6th International Symposium on Intelligent Distributed Computing (IDC 2012), Calabria, Italy, 24-26 September 2012. Proceedings. 21. Zambonelli, F., Castelli, G., Ferrari, L., Mamei, M., Rosi, A., Di Marzo Serugendo, G., Risoldi, M., Tchao, A.E., Dobson, S., Stevenson, G., Ye, Y., Nardini, E., Omicini, A., Montagna, S., Viroli, M., Ferscha, A., Maschek, S., Wally, B.: Self-aware pervasive service ecosystems. Procedia Computer Science 7 (December 2011) 197–199 Proceedings of the 2nd European Future Technologies Conference and Exhibition 2011 (FET 11). 22. TuCSoN: Home page. http://tucson.apice.unibo.it Part II PNSE’13: Long Presentations A Canonical Contraction for Safe Petri Nets⋆ Thomas Chatain and Stefan Haar INRIA & LSV (CNRS & ENS Cachan) 61, avenue du Président Wilson 94235 CACHAN Cedex, France {chatain, haar}@lsv.ens-cachan.fr Abstract. Under maximal semantics, the occurrence of an event a in a concurrent run of an occurrence net may imply the occurrence of other events, not causally related to a, in the same run. In recent works, we have formalized this phenomenon as the reveals relation, and used it to obtain a contraction of sets of events called facets in the context of occurrence nets. Here, we extend this idea to propose a canonical contraction of general safe Petri nets into pieces of partial-order behaviour which can be seen as “macro-transitions” since all their events must occur together in maximal semantics. On occurrence nets, our construction coincides with the facets abstraction. Our contraction preserves the maximal semantics in the sense that the maximal processes of the contracted net are in bijection with those of the original net. 1 Introduction and Motivation The properties of the long-run, maximal behaviour of discrete event systems contains also correlations between occurrences, i.e. relations of the type “if a ﬁres, then b will ﬁre sooner or later – unless it already has”. This could be exploited in predicting (in the sense e.g. of failure prognosis, see [8]) events that inevitably will occur: Consider the sequential system shown in Figure 1(a). It is given here as a Petri net for convenience, but easily translated into an equivalent ﬁnite automaton of six states, eight transitions and initial state 0. When in state 0, the system can perform either a, e, or h. Whatever the choice of the ﬁrst transition, however, in each case the second choice is imposed: after a no other transition than b is possible, after e only f , and after h only i. It is known that structural transformations can facilitate veriﬁcation of some system properties, as witnessed by e.g. Berthelot [3], Desel and Merceron [5], and other works. Here, we focus on other properties, those that depend only on the language of the maximal runs of the system, such as liveness properties, or particular other properties such as diagnosability or predictability, see [9,10]. In such a perspective, the system can be thought of as contracted : any stretch of consecutive transitions that occur always together in a maximal behavior provided that any one of them occurs, is fused into a single macro-transition that inherits pre- and post-places from the ﬁrst and (if it exists) last transitions. In Figure 1(b): each of the new transitions is labeled with the transition chain that ⋆ This work is supported by the French ANR project ImpRo (ANR-2010-BLAN-0317). 26 PNSE’13 – Petri Nets and Software Engineering i 5 hiω 0• h e a g 4 1 3 f b c ef d 2 (a) (A Petri net representation of) an automaton 0• cgf ab d 2 (b) Its contraction Fig. 1. Contracting automata by removing non-branching states (here 1, 3, 4 and 5) it represents. Note that the inﬁnite word hiω is obtained via a single macrotransition without post-place, since the word has no last transition. Of course, not all temporal properties of the system are preserved, since not all ﬁnite words survive the contraction: abcg is a word produced by a run in Figure 1(a), but not in Figure 1(b) which has no intermediate word between (ab) and (ab)(cgf ). However, one sees quickly that the maximal words – which coincide with the inﬁnite words – of the original system of Figure 1(a) are in bijection with the inﬁnite words of the contracted system in Figure 1(b). This contraction represents a reduction of the original system onto its essential behavior. When concurrent behavior in partial order semantics is considered, the language of words is replaced by a collection of partial orders representing the non-sequential runs. Best and Randell [4] considered atomicity of subnets in occurrence graphs, focusing on non-interference in the temporal behavior and identifying atomic and hence contractable blocks of behavior. The structures obtained can be embedded into non-branching occurrence nets, allowing the approach to be compared with ours. However, while the construction of facets appears geometrically similar, the approach of [6,7,1,2] focuses on the question of logical occurrence regardless of the order in which events occur. The theory of the reveals relation and of reduced occurrence nets is given in [6,7,1,2]. Figure 3(a) (whose formal discussion is postponed to Section 2) illustrates the facets of an occurrence net; the contraction of its facets yields the reduced occurrence net in Figure 3(b). The present work is based on a combination of the ideas shown, on the one hand, in the automata contraction such as in the example of Figure 1, and on the other hand of the facet contraction in the context of occurrence nets. We will identify macro-transitions in safe Petri nets that allow contraction with preservation of maximal semantics, and thus to give a contracted normal form for any given Petri net. If the deﬁnition is applied to occurrence nets, we obtain exactly the facets according to [6,7,1,2]. At the same time, the reduced net has never more, and generally much fewer, transitions than the original net. The paper is organized as follows: We begin by recalling the basic deﬁnitions on unfoldings, and results from [6,7,1,2] concerning facets in occurrence nets, based on the reveals-relation, in Section 2. Section 3 contains the core of the present work, with the study of macro-transitions that generalize facets from Th. Chatain et al.: A Canonical Contraction for Safe Petri Nets 0• t1 t0 0′ • 0• t′1 t1 t′1 1 4 t2 2 t5 3 t4 t0 t′2 4 t′3 t4 tω 5 2 t′3 t3 0′ • 1 t′2 t2 27 5 (a) A safe Petri net t3 t4 3 5 (b) Its canonical contraction. (Place 3 is not used any more and could be forgotten.) Fig. 2. Overview of the canonical contraction of a safe Petri net occurrence nets to safe Petri nets. In Section 4, we identify the canonical reduced version for a given safe net. The relation between the operations of reduction and of unfolding is studied in Section 5. Finally, Section 6 concludes. 2 Reveals Relation and Facets in Occurrence Nets Petri Nets, Occurrence Nets and Unfoldings. This part collects several basic deﬁnitions used below. In this paper, only safe Petri nets are considered. Definition 1 (Petri Net). A Petri net (PN), or simply net, is a tuple (P, T, F, M 0 ) where P and T are sets of places and transitions respectively, F ⊆ (P × T ) ∪ (T × P ) is a ﬂow relation, and M 0 ⊆ P is an initial marking. For any node x ∈ P ∪T , we call pre-set of x the set • x = {y ∈ P ∪T | (y, x) ∈ F } and post-set of x the set x• = {y ∈ P ∪ T | (x, y) ∈ F }. A marking of a net is a subset M of P . A transition t is enabled at M iﬀ • t ⊆ M . Then t can ﬁre, t leading to M ′ = (M \ • t) ∪ t• . In that case, we write M −→ M ′ . A marking M def S t is reachable if M 0 −→∗ M , where −→ = t∈T −→. A PN is safe iﬀ for each reachable marking M , for each transition t enabled at M , (t• ∩ M ) ⊆ • t. As usual, in ﬁgures, transitions are represented as rectangles and places as circles. If p ∈ M , a black token is drawn in p (see Figure 2(a)). Partial-order Semantics. Occurrence nets are used to represent the partialorder behaviour of Petri nets. We need a few deﬁnitions to introduce them. Denote by ⋖ the direct causality relation deﬁned as: for any transitions s and t, def s ⋖ t ⇔ s• ∩ • t 6= ∅. We write < for its transitive closure and ≤ for its reﬂexive 28 PNSE’13 – Petri Nets and Software Engineering def transitive closure, called causality. For any transition t, the set ⌈t⌉ = {s | s ≤ t} is the causal past of t, and for T ′ ⊆ T , the causal past of T ′ is deﬁned as def S ⌈T ′ ⌉ = t∈T ′ ⌈t⌉. Two distinct transitions s and t are in direct conﬂict, denoted by s #d t, iﬀ • s ∩ • t 6= ∅. Two transitions s and t are in conﬂict, denoted by s # t, iﬀ ∃s′ ∈ ⌈s⌉, t′ ∈ ⌈t⌉ : s′ #d t′ , and the conﬂict set of t is deﬁned as def #[t] = {s | s # t}. Finally, two transitions s and t are concurrent, denoted by s co t, iﬀ ¬(s # t) ∧ ¬(s ≤ t) ∧ ¬(t ≤ s). Definition 2 (Occurrence net). An occurrence net (ON) is a Petri net (B, E, F, C 0 ) where elements of B and E are called conditions and events, respectively, and such that: 1. 2. 3. 4. 5. ∀b ∈ C 0 • b = ∅, ∀b ∈ B \ C 0 |• b| = 1 (no backward branching), ∀e ∈ E ¬(e < e) (≤ is a partial order), ∀e ∈ E ¬(e # e) (no self-conﬂict), ∀e ∈ E |⌈e⌉| < ∞ (ﬁnite cones). Figure 3(a) gives an example of ON. Occurrence nets are branching structures which have several possible executions in general. Each execution appears under the form of a conﬁguration. Definition 3 (Configurations and Maximal Configurations). A conﬁguration of an ON is a conﬂict-free and causally closed set of events, i.e. ω ⊆ E is a conﬁguration iﬀ ∀e ∈ ω, (#[e]∩ω = ∅)∧(⌈e⌉ ⊆ ω). A conﬁguration is maximal iﬀ it is maximal w.r.t. ⊆. We write Ωgen for the set of all conﬁgurations and Ωmax for the set of maximal conﬁgurations. Executions of safe Petri nets will be represented as non-branching processes, using occurrence nets related to the original Petri net by a net homomorphism. Definition 4 (Net homomorphism). A net homomorphism from N = (P, T, F, M 0 ) to N ′ = (P ′ , T ′ , F ′ , M ′0 ) is a pair of maps π = (πP , πT ), where πP : P → P ′ and πT : T → T ′ , such that: – for all t ∈ T , πP |• t (the restriction of πP to • t) is a bijection between • t and • • πT (t), and πP |t• is a bijection between t• and πT (t) ; – and πP |M 0 maps injectively M 0 to (a subset of ) M ′0 . We will often write simply π instead of πP or πT . Net homomorphisms preserve the semantics of nets in the sense that they map every ﬁring sequence of N to a ﬁring sequence of N ′ , and πP |M 0 needs not be a bijection for that. If a place p′ of N ′ is not the image of any place of N , it simply means that the images in N ′ of the ﬁring sequences of N do not use the token initially in p′ . We need this subtlety to deﬁne macro-transitions later. Definition 5 (Branching process). Let N = (P, T, F, M 0 ) be a PN. A branching process of N is a pair (O, π), where O = (B, E, F ′ , C 0 ) is an ON and π is a homomorphism from (B, E, F ′ , C 0 ) to (P, T, F, M 0 ) such that for all t, t′ ∈ E, • t = • t′ ∧ π(t) = π(t′ ) ⇒ t = t′ . Th. Chatain et al.: A Canonical Contraction for Safe Petri Nets t0 0• 0′ • t1 t′1 0• t1 t′1 1 t2 t′2 2 2 4 t3 t′3 t3 t′3 3 3 3 3 t4 t4 t4 t4 .. . 5 1 .. . 5 1 5 t2 t′2 2 2 t5 2 5 .. . 1 .. . t2 t′2 2 2 4 t3 t 4 t′3 t4 t3 t4 t′3 t4 1 1 1 1 .. . 5 .. . 5 5 .. . 5 5 t2 tω 5 t′2 tω 5 t5 2 t5 2 0′ • t0 1 1 29 5 t5 5 2 .. . 5 (a) A preﬁx of the unfolding of the Petri net of Figure 2(a). Dashed boxes indicate facets. (b) The corresponding reduced ON. The condensed labels of facets indicate the events that they contain; e.g. the facet labeled t1 t′1 is the one depicted in Figure 4(b). Fig. 3. An ON and its reduction through the facet abstraction. Definition 6 (Run). A run of a safe Petri net N = (P, T, F, M 0 ) is a branching process (O, π) of N with O = (B, E, F ′ , C 0 ) such that E is a conﬁguration and π(C 0 ) = M 0 . Definition 7 (Prefix). For Π1 , Π2 two branching processes, Π1 is a preﬁx of Π2 , written Π1 ⊑ Π2 , if there exists an injective homomorphism h from ON1 into ON2 , such that the composition π2 ◦ h coincides with π1 . Definition 8 (Maximal run). A run ρ is maximal if it is not a proper preﬁx of any run, i.e. for every run ρ′ , if ρ is a preﬁx of ρ′ , then ρ and ρ′ are isomorphic. 30 PNSE’13 – Petri Nets and Software Engineering We deﬁne a function µ which allows us to construct the run µ(ω) corresponding to a conﬁguration ω of an ON. Definition 9 (µ). Let O = (B, E, F, C 0 ) be an occurrence net. Every conﬂict• free set of events E ′ ⊆ E deﬁnes a run µ(E ′ ) of the Petri net (B, E, F, • E ′ \E ′ )1 . The occurrence net µ(E ′ ) has E ′ as events, their pre- and post-sets as conditions, • and • E ′ \ E ′ as initial conditions. The arcs are the restriction of F to these events and conditions, and the folding homomorphism π is the identity. Definition 10 (Unfolding). Let N be a PN. By Theorem 23 of [11], there exists a unique (up to an isomorphism) ⊑-maximal branching process, called the unfolding of N and denoted U (N ); by abuse of language, we will also call unfolding of N the ON obtained by the unfolding. Remark. Occurrence nets are linked to safe Petri nets in the sense that the partial order unfolding semantics of such Petri nets yields occurrence nets, as deﬁned above. The converse is true for occurrence nets corresponding to regular trace languages: Following Zielonka [12], any regular trace language L is accepted by an asynchronous automaton AL ; moreover, AL can be synthesized directly from L. As there are natural translations from asynchronous automata into safe Petri nets, the approach extends immediately into a procedure that takes as input an occurrence net ON and synthesizes a safe Petri net N whose unfolding semantics yields again ON (up to isomorphism). The present paper aims not at mimicking this synthesis but rather provides a contraction on the generating safe Petri net itself; the relation between unfolding and reduction will be clariﬁed below, in particular Theorems 4 and 5, as well as Figure 6. Reveals Relation and Facets Abstraction. The structure of an ON deﬁnes three relations over its events: causality, conﬂict and concurrency. But these structural relations do not express all logical dependencies between the occurrence of events in maximal conﬁgurations. A central fact is that concurrency is not always a logical independency: it is possible that the occurrence of an event implies, under the perspective of maximal runs, the occurrence of another one, which is structurally concurrent. This happens with events t1 and t′1 in Figure 3(a): we observe that t1 is in conﬂict with t0 and that any maximal conﬁguration contains either t0 or t′1 . Therefore, if t1 occurs in a maximal conﬁguration, then t0 does not occur and eventually t′1 necessarily occurs. Yet t1 and t′1 are concurrent. Another case is illustrated by events labeled t3 and t4 on the left of the same ﬁgure: because t3 is a causal predecessor of t4 , the occurrence of t4 implies the occurrence of t3 ; but in any maximal conﬁguration, the occurrence of t3 also implies the occurrence of t4 , because t4 is the only possible continuation to t3 and nothing can prevent it. Then t3 and t4 are actually made logically equivalent by the maximal progress assumption. 1 Notice that (B, E, F, • E ′ \ E ′ ) is not an occurrence net in general: it satisﬁes items 3, 4 and 5 of Deﬁnition 2, but items 1 and 2 may not hold. • Th. Chatain et al.: A Canonical Contraction for Safe Petri Nets 31 Definition 11 (Reveals relation [6,7,1,2]). We say that event e reveals event f , and write e ⊲ f , iﬀ ∀ω ∈ Ωmax , (e ∈ ω ⇒ f ∈ ω). Definition 12 (Facets Abstraction in Occurrence Nets[6]). Let ∼ be the def equivalence relation deﬁned by ∀ e, f ∈ E : e ∼ f ⇔ (e ⊲ f ) ∧ (f ⊲ e). Then a facet of an ON is an equivalence class of ∼. In Figure 3(a), the facets are highlighted in grey. If ψ is a facet, then for any maximal conﬁguration ω ∈ Ωmax and for any event e such that e ∈ ψ, e ∈ ω iﬀ ψ ⊆ ω. In this sense, facets can be seen as atomic sets of events (under the maximal semantics). Denote the set of O’s facets as Ψ (O). For any facet and for any conﬁguration, either all events in the facet are in the conﬁguration or no event in the facet is in the conﬁguration. Therefore, facets can be seen as events. Definition 13 (Reduced occurrence net). A reduced ON is an ON (B, E, F, C 0 ) such that ∀e1 , e2 ∈ e, e1 ∼ e2 ⇐⇒ e1 = e2 . As shown in [6,1], every occurrence net O = (B, E, F, C 0 ) has a uniquely deﬁned reduction ON O whose events are the facets of O and whose conditions those from B that are post-conditions of a maximal event of some facet: Definition 14 (Reduction of an occurrence net). The reduction of occurrence net O = (B, E, F, C 0 ) is the occurrence net O = (B, Ψ (O), F , C 0 ), where B = C 0 ∪ {b ∈ B : ∃ ψ ∈ Ψ (O) , e ∈ ψ : (e, b) ∈ F ∧ b• ∩ ψ = ∅} F = (b, ψ) : b ∈ B ∧ ∃ e ∈ ψ : (b, e) ∈ F ∪ (ψ, b) : b ∈ B ∧ ∃ e ∈ ψ : (e, b) ∈ F (1) (2) Figure 3 shows the facets of an occurrence net and its reduction. 3 Generalizing Facets to Safe Petri Nets Preliminaries. We propose to identify pieces of partial-order behaviour of a safe Petri net, under the form of macro-transitions which group events that always occur together when at least one of them occur in any maximal run of the original net. There will be a fundamental diﬀerence in the approach here with respect to the work in [6,7,1,2]: there, the set of events to be contracted (the facets) were obtained as the strongly connected components of a transitive binary reveals-relation, where a reveals b iﬀ any run containing a also contains b. Here , such a relation is not available on the level of transitions. Our approach is thus to identify directly sets of transitions such that, if any one of them ﬁres, all others ﬁre sooner or later. Definition 15 (Macro-transition). Let N = (P, T, F, M 0 ) be a PN. A macrotransition of N is a run φ = (O, π) of (P, T, F, π(C 0 )) (the net N initialized with the image of the initial conditions C 0 of O) such that for any reachable marking M of N with π(C 0 ) ⊆ M and for any maximal run ρ of (P, T, F, M ) (the net N starting at M ), if there exists a nonempty preﬁx φ′ of φ which is also a preﬁx of ρ, then the entire φ is a preﬁx of ρ. 32 PNSE’13 – Petri Nets and Software Engineering 1• 0• 0• 0′ • t2 t1 t1 t′1 2 1 1 5• t5 4 2 5 t5 2 (a) φ1 (b) φ2 5 (c) φ3 Fig. 4. Examples of macro-transitions of the Petri net of Figure 2(a) Figures 4 and 5 show examples and counter-examples of macro-transitions of the Petri net of Figure 2(a). – φ1 is trivially a macro-transition. – In φ2 we have two events: an occurrence of t1 and one of t′1 . The initial conditions of φ2 are mapped to places 0 and 0′ of N . The only reachable marking of N which contains {0, 0′ } is {0, 0′ } itself; in {0, 0′ }, if one of the two transitions ﬁre, the other one will necessarily ﬁre in any maximal run. – Consider now φ3 : again the only reachable marking of N which contains {1, 5} is {1, 5} itself. From it, if t2 ﬁres, it is necessarily followed by an inﬁnite sequence of ﬁrings of t5 . φ3 is exactly a preﬁx of it. We also ﬁnd counter-examples here: – φ4 is not a macro-transition as it is not a run: t0 and t1 are in conﬂict. – φ5 is not a macro-transition because an occurrence of t1 is not necessarily followed by an occurrence of t2 . – Concerning φ6 , it is exactly a preﬁx of every maximal run from {1, 0′ } starting by an occurrence of t2 , but not of every run starting by an occurrence of t′1 (because t′2 can ﬁre instead of t2 ). The two following properties are immediate consequences of the deﬁnition. Property 1. Any single transition t ∈ T induces a macro-transition deﬁned as the (unique, up to isomorphism) non-branching process which contains a single event mapped to t and whose initial conditions are mapped to • t. For example, the facet induced by t1 in the net of Figure 2(a) is the one depicted in Figure 4(a). Property 2. Let φ be a macro-transition of a Petri net N . Then any preﬁx of φ with the same initial conditions as φ is also a macro-transition of N . Definition 16 (Φ-contracted net). Given a set Φ of macro-transitions of a Petri net N = (P, T, F, M 0 ), we construct the Φ-contracted net N/Φ by replacing Th. Chatain et al.: A Canonical Contraction for Safe Petri Nets 0• t1 0′ • t0 1 (a) φ4 33 0• 0′ • t1 t′1 1 1• t2 t2 2 2 (b) φ5 4 (c) φ6 Fig. 5. Counter-examples of macro-transitions of the Petri net of Figure 2(a) the transitions of N by new transitions which summarize the macro-transitions. The contracted net is formally deﬁned as the net N/Φ = (P, Φ, FΦ , M 0 ) where the macro-transitions are interpreted as transitions and with the ﬂow relation FΦ deﬁned such that, for every φ = (O, π) ∈ Φ, • φ is the image by π of the initial conditions of O, and φ• is the image by π of the conditions of O that are not consumed by any event of O. To express the soundness of this contraction, we deﬁne a function χ which maps any branching process (O, π) of the contracted net N/Φ to a branching process of N . Intuitively, χ simply expands every event e of O into a set of events corresponding to the content of the macro-transition π(e). For example, the reduced unfolding of Figure 3(b), viewed as a branching process of the contraction of the unfolding U of Figure 3(a), is mapped by χ to U . Definition 17 (χ). Let N = (P, T, F, M 0 ) be a Petri net, Φ a set of macrotransitions of N and ρ = (O, π) a branching process of the contracted net N/Φ , with O = (B, E, F, C 0 ). We deﬁne the branching process χ(ρ) of N as χ(ρ) = (O′ , π ′ ) with O′ = (C 0 ∪ χcond (E), χevents (E), χcond (E), χarcs (E), C 0 ) where χevents , χcond and χarcs associate to every event e ∈ E a set of events χevents (e), a set of conditions χcond (e) and a set of arcs χarcs (e), all speciﬁed below. Remember that e is an occurrence of transition π(e) of N/Φ , which is also a macro-transition of N and thus has the form (Oe , πe ) with Oe an occurrence net and πe a net homomorphism from Oe to (P, T, F, π(Ce0 )), where Ce0 are the initial conditions of Oe . The set χevents (e) is deﬁned as the set of pairs (e, f ) with f an event of Oe ; it represents an occurrence of each of the events that were grouped inside the macro-transition π(e) of the contracted net N/Φ . The set χconds (e) is deﬁned as the set of pairs (e, b) with b a condition created by an event of Oe ; it represents all conditions created by events in χevents (e). The initial conditions of π(e) are not reproduced since they will be merged with the ﬁnal conditions of the occurrence of the macro-transition that created them. Now the arcs in χarcs (e) connect naturally every event (e, f ) to the conditions (e, b) with b ∈ f • , and every condition (e, b) with b ∈ • f to the event (e, f ). 34 PNSE’13 – Petri Nets and Software Engineering It remains the case of the initial conditions of Oe : for every initial condition b of Oe , there exists a unique condition b′ ∈ • e such that π(b′ ) = πe (b) ∈ P . Either this b′ is an initial condition of O or it is created by an event e′ ∈ E. In the ﬁrst case, b′ is also an initial condition of O′ and an arc is added in χarcs (e) to connect it to any event (e, f ) ∈ χevents (e) representing an event f of Oe which consumes b. In the second case b′ comes from a ﬁnal condition of π(e′ ), which appears in χcond (e′ ) and serves as the origin of the arcs. Finally, we deﬁne the homomorphism π ′ from O′ to N . It maps simply every event (e, f ) to the transition πe (f ) ∈ T , and every condition (e, b) to πe (b) ∈ P . ′ . On the set C0 of initial conditions, π ′ coincides with π : π|C0 ≡ π|C 0 Lemma 1 (Soundness). Let N be a Petri net and Φ a set of macro-transitions of N . The function χ maps any branching process (O, π) of the contracted net N/Φ to a branching process of N . Proof. By construction of χ. ⊔ ⊓ Definition 18 (Completeness). A set Φ of macro-transitions of a Petri net N = (P, T, F, M 0 ) is complete if for every reachable marking M of the contracted net N/Φ = (P, Φ, F ′ , M 0 ) and every transition t ∈ T ﬁrable from M , the run of (P, T, F, M ) composed of all the events revealed by the initial occurrence of t in the unfolding of (P, T, F, M ), is the image by χ of a run of (P, Φ, F ′ , M ). Lemma 2. Let N be a Petri net and Φ a complete set of macro-transitions of N . Then every maximal run ρ of N is (isomorphic to) the image by χ of a maximal run ρ′ of N/Φ . Proof. To construct the ρ′ , start from the process with no events and initial conditions corresponding to the initial marking of N (which is also the initial marking of N/Φ ). Then, as long as there are events in ρ which are not in χ(ρ′ ), take one which is minimal w.r.t. causality and call it e. (Among the possible choices, e should be of minimal depth2 so that every event of ρ is eventually in χ(ρ′ ).) The transition t of N which is the image of e by the homomorphism of ρ, can ﬁre from the marking M reached after ρ′ (which is also the marking reached after χ(ρ′ )). By the completeness hypothesis, there exists a run of (P, Φ, F ′ , M ) whose image by χ yields all the events revealed by the ﬁring of t from M . Then ρ′ can be augmented by this run. Our e of ρ is now one of the new events in χ(ρ′ ); and the other new events are also in ρ because they are revealed by the occurrence of t from M and ρ is maximal. Notice that at each step, χ(ρ′ ) is a preﬁx of ρ. The iteration may not terminate but, since ρ′ always grows, we consider its limit (containing all the events that are eventually added). By construction this limit is the desired process. ⊔ ⊓ Definition 19 (Non-Redundancy). A set Φ of macro-transitions of a Petri net N = (P, T, F, M 0 ) is called non-redundant if for every transition t ∈ T , at most one macro-transition φ ∈ Φ starts by3 t. 2 3 The depth of an event e is the size of the longest path from an initial condition to e. By “φ starts by t”, we mean that there exists an event in φ which is mapped to t and consumes only initial conditions of φ. Th. Chatain et al.: A Canonical Contraction for Safe Petri Nets 35 Theorem 1 (Facets as Macro-Transitions). Let O = (B, E, F, C 0 ) be an occurrence net and ψ ⊆ E a facet of O. Then µ(ψ) is a macro-transition of O. Moreover the image by µ of all the facets of O is a complete non-redundant set of macro-transitions of O. Proof. Consider a reachable set of conditions C ⊇ • ψ, and let ω be a maximal run of (B, E, F, C) starting by a nonempty preﬁx of µ(ψ). Then ω starts by µ({e}) with e an initial event of ψ. By Deﬁnition 12, e reveals all the events in ψ. This implies that ω starts by the entire µ(ψ). For completeness, remark that for every run ρ of the contracted ON, the events in χ(ρ) are a union of facets of O. After such a run, every maximal run is again a union of facets. Non-redundancy holds because the facets are a partition of the events. ⊔ ⊓ 4 Canonical Contraction Before deﬁning our canonical contraction, we study the markings that are reachable after a run of a contracted net. For every conﬁguration O, we call cut of O the set of conditions which are created and not consumed along O. When O is the support of a ﬁnite run (O, π) of a net N , the homomorphism π maps the cut of O to a reachable marking of N . And conversely every reachable marking of N is the image of the ﬁnal conditions of a ﬁnite run. But in this paper we focus on maximal runs, which are in general inﬁnite. And the image of a cut of an inﬁnite run may be only a subset of a reachable marking of N . An example is the maximal run of the net of Figure 1(a) containing an occurrence of h and an inﬁnite chain of i’s. All the conditions are consumed, and the cut is empty. Yet the empty marking is not reachable after any ﬁnite run. Then we call asymptotically reachable (or a-reachable for short) in N any marking that is the image of the cut of a (possibly inﬁnite) run of N . Lemma 3 (A-Reachability in a Contracted Net). Let N be a Petri net and Φ a set of macro-transitions of N . Any marking a-reachable in N/Φ is also a-reachable in N . Proof. This is an immediate consequence of Lemma 1. ⊔ ⊓ Notice however that in general not every marking a-reachable in N is areachable in N/Φ . And this is actually what allows us to skip some intermediate markings and give a more compact representation of the behaviour of the net. In this sense we can say that a complete contracted net N/Φ is more compact than another N/Φ′ if all markings a-reachable in N/Φ are also a-reachable in N/Φ′ . We will show now that there exists a complete non-redundant contracted net which is optimal w.r.t. this criterion: i.e. all markings a-reachable in this contracted net are a-reachable in any complete non-redundant contracted net. 36 PNSE’13 – Petri Nets and Software Engineering Definition 20 (MN and RN ). We deﬁne inductively a set MN of markings of M and a set RN of runs as the smallest sets satisfying: – M 0 ∈ MN ; – for every M ∈ MN , for every transition t ﬁrable from M , µ(E) ∈ RN , where E is the set of events revealed by the initial occurrence of t in U ((P, T, F, M )); – for every M ∈ MN , for every ρ ∈ RN such that • ρ ⊆ M , the marking (M \ • ρ) ∪ ρ• reached after ﬁring ρ from M , belongs to MN ; – for every ρ1 , ρ2 ∈ RN , the largest common preﬁx of ρ1 and ρ2 is in RN . Theorem 2. Let N = (P, T, F, M 0 ) be a Petri net and Φ a non-redundant complete set of macro-transitions. All markings of MN are a-reachable in N/Φ . Proof. Let NΦ = (P, Φ, F ′ , M 0 ). The theorem is a direct consequence of the following lemma: for every marking M a-reachable in N every run ρ ∈ RN ﬁrable from M satisﬁes the property that ρ is the image by χ a run ρ′ of (P, Φ, F ′ , M ). This lemma is proved by induction, following the construction of RN : at each step of the construction, we prove that if all the runs in the current RN satisfy the property, then the new runs added to RN also satisfy it. Initialization of the induction is trivial since RN is initially empty. By completeness of Φ, the property is satisﬁed by all the runs of the form µ(E) with E the set of events revealed by the initial occurrence of a transition t in U ((P, T, F, M )). For every run ρ constructed as the largest common preﬁx of two runs ρ1 and ρ2 already in RN , assume that ρ1 and ρ2 satisfy our property and call ρ′1 and ρ′2 the corresponding runs of the contracted net. By non-redundancy of Φ, ρ′1 and ρ′2 must coincide on the largest common preﬁx ρ of ρ1 and ρ2 . Then ⊔ ⊓ ρ is the image by χ of the largest common preﬁx of ρ′1 and ρ′2 . Definition 21 (Canonical contraction N ). We deﬁne the canonical contracdef tion of a safe Petri net N as the contracted net N = NΦN where ΦN is the set of nonempty runs of RN which are minimal w.r.t. the preﬁx relation. Theorem 3. For every safe Petri net N , the set ΦN of macro-transitions in N is complete and non-redundant, and the set of states a-reachable in N is precisely MN . Moreover |ΦN | ≤ |T |. Proof. Completeness is ensured by the insertion in RN of all the runs of the form µ(E) with E the set of events revealed by the initial occurrence of a transition t in U ((P, T, F, M )). For redundancy, assume two runs ρ1 and ρ2 of RN both start by an occurrence of t. Then their common preﬁx ρ is nonempty and is in RN . Then ρ1 and ρ2 are not minimal in RN w.r.t. the preﬁx relation, and they are not in ΦN . By construction all the states a-reachable in N are in MN . Finally the inequality |ΦN | ≤ |T | is a direct consequence of the non-redundancy of ΦN . ⊔ ⊓ Illustration. Let us construct the canonical contraction of the net N of Figure 2(a). MN contains the initial marking {0, 0′ }. From this marking t0 , t1 and t′1 are ﬁrable. Since t1 and t′1 reveal each other, RN contains the runs t0 and Th. Chatain et al.: A Canonical Contraction for Safe Petri Nets 37 t1 t′1 , and MN contains the reached markings {} and {1, 4}. From {1, 4}, t2 and t′2 can ﬁre; they reveal nothing, so they are added as such to RN . The marking {2, 4} is now reachable; it is added to MN . From {2, 4}, t3 and t′3 can ﬁre, and in both cases an occurrence of t4 necessarily follows. Hence t3 t4 and t′3 t4 are added to RN . We can now reach {1, 5} and ﬁre t2 or t′2 again. But, from {1, 5} ﬁring ′ ω t2 (or t′2 ) reveals an inﬁnite sequence of occurrences of t5 . For this t2 tω 5 and t2 t5 are added to RN . But, since t2 and t′2 already appear “alone” – i.e. as singleton transitions – in RN , marking {2, 5} obtained after ﬁring them from {1, 5} must also be added to MN . And from it, tω 5 can ﬁre and is added to RN . Now, ΦN is constructed by extracting the runs of RN that are minimal w.r.t. the preﬁx ′ ω relation. Here we get all of them, except t2 tω 5 and t2 t5 . The resulting contracted net is shown in Figure 2(b). Contraction and Automata. It is clear that applying our contraction to the Petri net representation N of an automaton (i.e. a Petri where every transition has exactly one input- and one output-place) removes the deterministic states (or places), i.e. those from which there is no choice. Concretely, these places will not appear in the set MN . The macro-transitions are the paths between non-deterministic states with only deterministic intermediate states. 5 Reductions and Unfoldings When concurrent behavior in partial order semantics is considered, our contraction is related to the facets reduction [6]. Theorem 4 (Reduction as contraction of ONs). For every occurrence net O, the canonical contraction of O is isomorphic to its facet reduction. Proof. By Deﬁnition 20, all runs in RO correspond to unions of facets of O. Now, let ρ ∈ RO be a run containing more than one facet. By deﬁnition of facets, the reveals relation on facets is antisymmetric. Then one of O′ s initial facets, say ψ1 , does not reveal the other, say ψ2 . Take an initial event e of ψ1 and a marking M ∈ MO from which ρ can ﬁre; e is ﬁrable from M in O. Therefore RO contains the run ρ′ containing the events revealed by e from M . This run contains ψ1 but not ψ2 . By deﬁnition, RO contains the largest common preﬁx of ρ and ρ′ . Hence ρ is not minimal in RO w.r.t. the preﬁx relation, and is not in ΦO . ⊔ ⊓ As illustrated in Figure 6, the operation of reduction does not entirely commute with unfolding. That is, in general, the unfolding U (N ) of reduced Petri net N is coarser, as an occurrence net, than the reduction U (N ) of the original ′ ω net N ’s unfolding. In the example of Figure 6, the facets labeled t2 tω 5 and t2 t5 in U (N ) are both split into two events of U (N ). However, one retrieves the reduction of U (N ) from U (N ) as follows. Theorem 5. For every net N , applying the occurrence net facet reduction to U (N ) yields U (N ) up to isomorphism. 38 PNSE’13 – Petri Nets and Software Engineering 0• 0• 0′ • t1 t′1 t0 0′ • t1 t′1 t0 1 1 t2 t′2 2 2 4 t2 t′2 2 2 4 t3 t 4 t′3 t4 t3 t4 t′3 t4 t3 t4 t′3 t4 t 3 t4 t′3 t4 1 1 1 1 1 1 1 1 .. . 5 .. . 5 .. . 5 .. . 5 t′2 t2 2 2 tω 5 tω 5 5 t2 tω 5 5 (a) The unfolding of the contracted Petri net of Figure 2(b). Remark that the unfolding is not reduced: the last occurrence of t2 and the following tω 5 are in the same facet ′ (similarly for t2 and the following tω 5 ). N .. . contraction 5 .. . 5 t′2 tω 5 (b) Its reduction (or contraction) is isomorphic to the reduction of the unfolding of N already represented in Figure 3(b). N unfolding unfolding U (N ) U (N ) contraction (or reduction) contraction U (N ) Fig. 6. Unfolding and contraction. Proof. By deﬁnition of macro-transitions, for every event e of U (N ), all the events of U (N ) which are in χevents (e), reveal each other. Then χevents (e) is included in a facet ψ of U (N ). And for two events e1 and e2 of U (N ), an event in χevents (e1 ) reveals (in U (N )) an event in χevents (e2 ) iﬀ e1 reveals e2 in U (N ). Therefore the facets reduction of U (N ) regroups e1 and e2 into the same facet iﬀ the events in χevents (e1 ) and those in χevents (e2 ) are in the same facet. ⊔ ⊓ Th. Chatain et al.: A Canonical Contraction for Safe Petri Nets 6 39 Conclusion We have presented a method for identifying and contracting macro-transitions in safe Petri nets. The procedure includes and justiﬁes our previous work in [6,7,1,2] focusing on facets in occurrence nets. The result is a unique contracted 1-safe Petri net with no more macro-transitions than transitions in the original net. The construction provides a unique canonical version for any given 1-safe Petri net, whose maximal behaviour oﬀers a condensed view of the maximal behaviour of the original net. By computing oﬄine the canonical version, veriﬁcation procedures for any property that depends only on the maximal run behavior can be run on the smaller contracted net instead. Computing the contraction (with ﬁnite representations of the macro-transitions) is in general costly (computing the reveals relation on the unfolding of a ﬁnite Petri net is PSPACE-complete [7]), but in practice many syntactic suﬃcient conditions can be used to identify macrotransitions. Hence our contraction appears as an optimal, canonical contraction, to which other contractions based on macro-transitions can be compared. References 1. S. Balaguer, T. Chatain, and S. Haar. Building tight occurrence nets from reveals relations. In Proceedings of the 11th International Conference on Application of Concurrency to System Design, pages 44–53. IEEE Computer Society Press, 2011. 2. S. Balaguer, T. Chatain, and S. Haar. Building occurrence nets from reveals relations. Fundamenta Informaticae, 123(3):245–272, 2013. 3. G. Berthelot. Checking properties of nets using transformation. In Applications and Theory in Petri Nets, volume 222 of LNCS, pages 19–40. Springer, 1985. 4. E. Best and B. Randell. A formal model of atomicity in asynchronous systems. Acta Informatica, 16(1):93–124, 1981. 5. J. Desel and A. Merceron. Vicinity respecting homomorphisms for abstracting system requirements. In Proc. Int. Workshop on Abstractions for Petri Nets and Other Models of Concurrency (APNOC), 2009. 6. S. Haar. Types of asynchronous diagnosability and the reveals-relation in occurrence nets. IEEE Transactions on Automatic Control, 55(10):2310–2320, 2010. 7. S. Haar, C. Kern, and S. Schwoon. Computing the reveals relation in occurrence nets. In Proceedings of GandALF’11, volume 54 of Electronic Proceedings in Theoretical Computer Science, pages 31–44, 2011. 8. R. Kumar and S. Takai. Decentralized prognosis of failures in discrete event systems. IEEE Transactions on Automatic Control, 55(1):48–59, 2010. 9. A. Madalinski and V. Khomenko. Diagnosability veriﬁcation with parallel LTLX model checking based on Petri net unfoldings. In Control and Fault-Tolerant Systems (SysTol’2010), pages 398–403. IEEE Computing Society Press, 2010. 10. A. Madalinski and V. Khomenko. Predictability veriﬁcation with parallel LTL-X model checking based on Petri net unfoldings. In Proc. of the 8th IFAC Symposium on fault detection, diagnosis and safety of technical processes (SAFEPROCESS’2012), pages 1232–1237, 2012. 11. M. Nielsen, G. D. Plotkin, and G. Winskel. Petri nets, event structures and domains, part I. Theoretical Computer Science, 13:85–108, 1981. 12. W. Zielonka. Notes on ﬁnite asynchronous automata. RAIRO, Theoretical Informatics and Applications, 21:99–135, 1987. 40 PNSE’13 – Petri Nets and Software Engineering Symbolic Verification of ECA Rules Xiaoqing Jin, Yousra Lembachar, and Gianfranco Ciardo Department of Computer Science and Engineering, University of California, Riverside {jinx,ylemb001,ciardo}@cs.ucr.edu Abstract. Event-condition-action (ECA) rules specify a decision making process and are widely used in reactive systems and active database systems. Applying formal veriﬁcation techniques to guarantee properties of the designed ECA rules is essential to help the error-prone procedure of collecting and translating expert knowledge. The nondeterministic and concurrent semantics of ECA rule execution enhance expressiveness but hinder analysis and veriﬁcation. We then propose an approach to analyze the dynamic behavior of a set of ECA rules, by ﬁrst translating them into an extended Petri net, then studying two fundamental correctness properties: termination and confluence. Our experimental results show that the symbolic algorithms we present greatly improve scalability. Keywords: ECA rules, termination, conﬂuence, veriﬁcation 1 Introduction Event-condition-action (ECA) [12] rules are expressive enough to describe complex events and reactions. Thus, this event-driven formalism is widely used to specify complex systems [1, 3], e.g., for industrial-scale management, and to improve efficiency when coupled with technologies such as embedded systems and sensor networks. Analogously, active DBMSs enhance security and semantic integrity of traditional DBMSs using ECA rules; these are now found in most enterprise DBMSs and academic prototypes thanks to the SQL3 standard [9]. ECA rules are used to specify a system’s response to events, and are written in the format “on the occurrence of a set of events, if certain conditions hold, perform these actions”. However, for systems with many components and complex behavior, it may be difficult to correctly specify these rules. Termination, guaranteeing that the system does not remain “busy” internally forever without responding to external events, and confluence, ensuring that any possible interleaving of a set of triggered rules yields the same final result, are fundamental correctness properties. While termination has been studied extensively and many algorithms have been proposed to verify it, confluence is particularly challenging due to a potentially large number of rule interleavings [2]. Researchers began studying these properties for active databases in the early 90’s [2, 4, 11, 14], by transforming ECA rules into some form of graph and applying various static analysis techniques on it to verify properties. These approaches 42 PNSE’13 – Petri Nets and Software Engineering based on a static methodology worked well to detect redundancy, inconsistency, incompleteness, and circularity. However, since static approaches may not explore the whole state space, they could easily miss some errors. Also, they could find scenarios that did not actually result in errors due to the found error states may not be reachable. Moreover, they had poor support to provide concrete counterexamples and analyze ECA rules with priorities. [2] looked for cycles in the rule-triggering graph to disprove termination, but the cycle-triggering conditions may be unsatisfiable. [4] improved this work with an activation graph describing when rules are activated; while its analysis detects termination where previous work failed, it may still report false positives when rules have priorities. [5] proposed an algebraic approach emphasizing the condition portion of rules, but did not consider priorities. Other researchers [11, 14] chose to translate ECA rules into a Petri Net (PN), whose nondeterministic interleaving execution semantics naturally model unforeseen interactions between rule executions. However, as the analysis of the set of ECA rules was through structural PN techniques based on the incidence matrix of the net, false positives were again possible. To overcome these limitations, dynamic analysis approaches using model checking tools such as SMV [15] and SPIN [6] have been proposed to verify termination. While closer to our work, these approaches require manually transforming ECA rules into an input script, assume a priori bounds for all variables, provide no support for priorities, and require the initial system state to be known; our approach does not have these limitations. [8] analyzes both termination and confluence by transforming ECA rules into Datalog rules through a “transformation diagram”; this supports rule priority and execution semantics, but requires the graph to be commutative and restricts event composition. However, most of these works show limited results, and none of them properly addresses confluence; we present detailed experimental results for both termination and confluence. UML Statecharts [17] provide visual diagrams to describe the dynamic behavior of reactive systems and can be used to verify these properties. However, event dispatching and execution semantics are not as flexible as for PNs [13]. Our approach transforms a set of ECA rules into a PN, then dynamically verifies termination and confluence and, if errors are found, provides concrete counterexamples to help debugging. It uses our tool SmArT, which supports PNs with priorities to easily model ECA rules with priorities. Moreover, a single PN can naturally describe both the ECA rules as well as their nondeterministic concurrent environment and, while our MDD-based symbolic model-checking algorithms [18] require a finite state space, they do not require to know a priori the variable bounds (i.e., the maximum number of tokens each place may contain). Finally, our framework is not restricted to termination and confluence, but can be easily extended to verify a broader set of properties. The rest of the paper is organized as follows: Sect. 2 recalls Petri nets; Sect. 3 introduces our syntax for ECA rules; Sect. 4 describes the transformation of ECA rules into a Petri net; Sect. 5 presents algorithms for termination and confluence; Sect. 6 shows experimental results; Sect. 7 concludes. X. Jin, Y. Lembachar and G. Ciardo: Symbolic Veriﬁcation of ECA Rules 2 43 Petri Nets As an intermediate step in our approach, we translate a set of ECA rules into a self-modifying Petri net [16] (PN) with priorities and inhibitor arcs, described by a tuple (P, T , π, D− , D+ , D◦ , xinit ), where: – P is a finite set of places, drawn as circles, and T is a finite set of transitions, drawn as rectangles, satisfying P ∩ T = ∅ and P ∪ T = 6 ∅. – π : T → N assigns a priority to each transition. – D− : P×T ×NP → N, D+ : P×T ×NP → N, and D◦ : P×T ×NP → N∪{∞} are the marking-dependent cardinalities of the input, output, and inhibitor arcs. – xinit ∈ NP is the initial marking, the number of tokens initially in each place. Transition t has concession in marking m ∈ NP if, for each p ∈ P, the input arc cardinality is satisfied, i.e., mp ≥ D− (p, t, m), and the inhibitor arc cardinality is not, i.e., mp < D◦ (p, t, m). If t has concession in m and no other transition t′ with priority π(t′ ) > π(t) has concession, then t is enabled in m and can fire and lead to marking m′ , where mp′ = mp − D− (p, t, m) + D+ (p, t, m), for all places p (arc cardinalities are evaluated in the current marking m to determine the enabling of t and the new marking m′ ). In our figures, tk(p) indicates the number of tokens in p for the current marking, a thick input arc from p to t signifies a cardinality tk(p), i.e., a reset arc, and we omit arc cardinalities 1, input or output arcs with cardinality 0, and inhibitor arcs with cardinality ∞. The PN defines a discrete-state model (Spot , Sinit , A, {Nt : t ∈ A}). The potential state space is Spot = NP (in practice we assume that the reachable set of markings is finite or, equivalently, that there is a finite bound on the number of tokens in each place, but we do not require to know this bound a priori). Sinit ⊆ Spot is the set of initial states, {xinit } in our case (assuming an arbitrary finite initial set of markings is not a problem). The set of (asynchronous) model events is A = T . The next-state function for transition t is Nt , such that Nt (m) = {m′ }, where m′ is as defined above if transition t is enabled in marking m, and Nt (m) = ∅ otherwise. Thus, the next-state function for a particular PN transition is deterministic, although the overall behavior remains nondeterministic due to the choice of which transition should fire when multiple transitions are enabled. 3 ECA syntax and semantics ECA rules have the format “on events if condition do actions”. If the events are activated and the boolean condition is satisfied, the rule is triggered and its actions will be performed. In active DBMSs, events are normally produced by explicit database operations such as insert and delete [1] while, in reactive systems, they are produced by sensors monitoring environment variables [3], e.g., temperature. Many current ECA languages can model the environment and distinguish between environmental and local variables [2, 4, 6, 11, 14, 15]. Thus, we designed a language to address these issues, able to handle more general cases and allow different semantics for environmental and local variables (Fig. 1). 44 PNSE’13 – Petri Nets and Software Engineering env_vars := environmental env_var loc_vars := local loc_var read-only bounded natural read-and-write bounded natural f actor := loc_var | env_var | ( exp ) | number term := f actor | term ∗ term | term / term exp := exp − exp | exp + exp | term “/” is integer division “number” is a constant ∈ N rel_op := ≥ | ≤ | = assignment := env_var into loc_var [, assignment] ext_ev_decl := external ext_ev [ activated when env_var rel_op number ] [ read (assignment) ] int_ev_decl := internal int_ev ext_evs := ext_ev | (ext_evs or ext_evs) | (ext_evs and ext_evs) int_evs := int_ev | (int_evs or int_evs) | (int_evs and int_evs) condition := (condition or condition) | (condition and condition) | not condition | exp rel_op exp action := increase (loc_var, exp) | decrease (loc_var, exp) | set (loc_var, exp) | activate (int_ev) actions := action | (actions seq actions) | (actions par actions) ext_rule := on ext_evs [if condition] do actions int_rule := on int_evs [if condition] do actions [with priority number] system := [env_vars]+ [loc_vars]∗ [ext_ev_decl]+ [int_ev_decl]∗ [ext_rule]+ [int_rule]∗ Fig. 1. The syntax of ECA rules. Environmental variables are used to represent environment states that can only be measured by sensors but not directly modified by the system. For instance, if we want to increase the temperature in a room, the system may choose to turn on a heater, eventually achieving the desired effect, but it cannot directly change the value of the temperature variable. Thus, environmental variables capture the nondeterminism introduced by the environment, beyond the control of the system. Instead, local variables can be both read and written by the system. These may be associated with an actuator, a record value, or an intermediate value describing part of the system state; we provide operations to set (absolute change) their value to an expression, or increase or decrease (relative change) it by an expression; these expressions may depend on environmental variables. Events can be combinations of atomic events activated by environmental or internal changes. We classify them using the keywords external and internal. An external event can be activated when the value of an environmental variable crosses a threshold; at that time, it may take a snapshot of some environmental variables and read them into local variables to record their current values. Only the action of an ECA rule can instead activate internal events. Internal events are useful to express internal changes or required actions within the system. X. Jin, Y. Lembachar and G. Ciardo: Symbolic Veriﬁcation of ECA Rules 45 These two types of events cannot be mixed within a single ECA rule. Thus, rules are external or internal, respectively. Then, we say that a state is stable if only external events can occur in it, unstable if actions of external or internal rules are being performed (including the activation of internal events, which may then trigger internal rules). The system is initially stable and, after some external events trigger one or more external rules, it transitions to unstable states where internal events may be activated, triggering further internal rules. When all actions complete, the system is again in a stable state, waiting for environmental changes that will eventually trigger external events. The condition portion of an ECA rule is a boolean expression on the value of environmental and local variables; it can be omitted if it is the constant true. The last portion of a rule specifies which actions must be performed, and in which order. Most actions are operations on local variables which do not directly affect environmental variables, but may cause some changes that will conceivably be reflected in their future values. Thus, all environmental variables are readonly from the perspective of an action. Actions can also activate internal events. Moreover, to handle complex action operations, the execution semantics can be specified as any partial order described by a series-parallel graph; this is obtained through an appropriate nesting of seq operators, to force a sequential execution, and par operators, to allow an arbitrary concurrency. The keyword with priority enforces a priority for internal rules. If no priority is specified, the default priority of an internal rule is 1, the same as that of external rules. We now discuss the choices of execution semantics for our language, to support the modeling of reactive systems. The first choice is how to couple the checking of events and conditions for our ECA rules. There are (at least) two options: immediate and deferred. The event-condition checking is immediate if the corresponding condition is immediately evaluated when the events occur, it is deferred if the condition is evaluated at the end of a cycle with a predefined frequency. One critical requirement for the design of reactive systems is that the system should respond to external events from the environment [10] as soon as possible. Thus, we choose immediate event-condition checking: when events occur, the corresponding condition is immediately evaluated to determine whether to trigger the rule. We stress that deferred checking can still be modeled using immediate checking, for example by adding an extra variable for the system clock and changing priorities related to rule evaluation to synchronize rule evaluations. However, the drawback of deferred checking is that the design must tolerate false ECA rule triggering or non-triggering scenarios. Since there is a time gap between event activation and condition evaluation, the environmental conditions that trigger an event might change during this period of time, causing rules supposed to be triggered at the time of event activation to fail because the “current ” condition evaluation are now inconsistent. Another important choice is how to handle and model the concurrent and nondeterministic nature of reactive systems. We introduce the concept of batch for external events, similar to the concept of transaction in DBMSs. Formally, the boundary of a batch of external events is defined as the end of the execution 46 PNSE’13 – Petri Nets and Software Engineering of all triggered rules. Then, the system starts to receive external events and immediately evaluates the corresponding conditions. The occurrence of an external event closes a batch if it triggers one or more ECA rules; otherwise, the event is added to the current batch. Once the batch closes and the rules to be triggered have been determined, the events in the current batch are cleaned-up, to prevent multiple (and erroneous) triggerings of rules. For example, consider ECA rules ra : “on a do · · · ” and rac : “on (a and c) do · · · ”, and assume that the system finishes processing the last batch of events and is ready to receive external events for the next batch. If external events occur in the sequence “c, a, . . .”, event c alone cannot trigger any rule so it begins, but does not complete, the current batch. Then, event a triggers both rule ra and rac , and thus, closes the current batch. Both rules are triggered and will be executed concurrently. This example shows how, when the system is in a stable state, the occurrence of a single external event may trigger one or more ECA rules, since there is no “contention” within a batch on “using” an external event: rule ra and rac share event a and both rules are triggered and executed. If instead the sequence of events is “a, c, . . .”, event a by itself constitutes a batch, as it triggers rule ra . This event is then discarded by the clean-up so, after executing ra and any internal rule (recursively) triggered by it, the system returns to a stable state and the subsequent events “c, . . .” begin the next batch. Under this semantic, all external events in one batch are processed concurrently. Thus, unless there is a termination error, the system will process all triggered rules, including those triggered by the activation of internal events during the current batch, before considering new external events. This batch definition provides maximum nondeterminism on event order, which is useful to discover design errors in a set of ECA rules. We also stress that, in our semantics, the system is frozen during rule execution and does not respond to external events. Thus, rule execution is instantaneous, while in reality it obviously requires some time. However, from a verification perspective, environmental changes and external event occurrences are nondeterministic and asynchronous, thus our semantic allows the verification process to explore all possible combinations without missing errors due to the order in which events occur and environmental variables change. 3.1 Running example We now illustrate the expressiveness of our ECA rules on a running example: a light control subsystem in a smart home for senior housing. Fig. 2 lists the requirements in plain English (R1 to R5 ). Using motion and pressure sensors, the system attempts to reduce energy consumption by turning off the lights in unoccupied rooms or if the occupant is asleep. Passive sensors emit signals when an environmental variable value crosses a significant threshold. The motion sensor measure is expressed by the boolean environmental variable Mtn. The system also provides automatic adjustment for indoor light intensity based on an outdoor light sensor, whose measure is expressed by the environmental variable ExtLgt ∈ {0, ..., 10}. A pressure sensor detects whether the person is asleep and is expressed by the boolean environmental variable Slp. X. Jin, Y. Lembachar and G. Ciardo: Symbolic Veriﬁcation of ECA Rules 47 environmental Mtn, ExtLgt, Slp local lMtn, lExtLgt, lSlp, lgtsTmr, intLgts external SecElp read (Mtn into lMtn, ExtLgt into lExtLgt, Slp into lSlp) MtnOn activated when Mtn = 1 MtnOff activated when Mtn = 0 ExtLgtLow activated when ExtLgt ≤ 5 internal LgtsOff, LgtsOn, ChkExtLgt, ChkMtn, ChkSlp (R1 ) When the room is unoccupied for 6 minutes, turn oﬀ lights if they are on. r1 on MtnOff if (intLgts > 0 and lgtsTmr = 0) do set (lgtsTmr, 1) on SecElp if (lgtsTmr ≥ 1 and lMtn = 0) r2 do increase (lgtsTmr, 1) on SecElp if (lgtsTmr = 360 and lMtn = 0) r3 do ( set (lgtsTmr, 0) par activate (LgtsOff ) ) r4 on LgtsOff do ( set (intLgts, 0) par activate (ChkExtLgt) ) (R2 ) When lights are oﬀ, if external light intensity is below 5, turn on lights. on ChkExtLgt if (intLgts = 0 and lExtLgt ≤ 5) r5 do activate (LgtsOn) (R3 ) When lights are on, if the room is empty or a person is asleep, turn oﬀ lights. r6 on LgtsOn do ( set (intLgts, 6) seq activate (ChkMtn) ) on ChkMtn if (lSlp = 1 or (lMtn = 0 and intLgts ≥ 1) ) r7 do activate (LgtsOff ) (R4 ) If the external light intensity drops below 5, check if the person is asleep and set the lights intensity to 6. If the person is asleep, turn oﬀ the lights. r8 on ExtLgtLow do ( set (intLgts, 6) par activate (ChkSlp) ) r9 on ChkSlp if (lSlp = 1) do set (intLgts, 0) (R5 ) If the room is occupied, set the lights intensity to 4. r10 on MtnOn do ( set (intLgts, 4) par set (lgtsTmr, 0) ) Fig. 2. ECA rules for the light control subsystem of a smart home. MtnOn, MtnOff , and ExtLgtLow are external events activated by the environmental variables discussed above. MtnOn and MtnOff occur when Mtn changes from 0 to 1 or from 1 to 0, respectively. ExtLgtLow occurs when ExtLgt drops below 6. External event SecElp models the system clock, occurs every second, and takes a snapshot of the environmental variables into local variables lMtn, lExtLgt, and lSlp, respectively. Additional local variables lgtsTmr and intLgts are used. Variable lgtsTmr is a timer for R1 , to convert the continuous condition “the room is unoccupied for 6 minutes” into 360 discretized SecElps events. Rule r1 initializes lgtsTmr to 1 whenever the motion sensor detects no motion and the lights are on. The timer then increases as second elapses, provided that no motion is detected (rule r2 ). If the timer reaches 360, internal event LgtsOff is activated to turn off the lights and to reset lgtsTmr to 0 (rule r3 ). Variable intLgts acts as an actuator control to adjust the internal light intensity. Our ECA rules contain internal events to model internal system actions or checks not observable from the outside. LgtsOff , activated by rule r3 or r7 , turns the lights off and activates another check on outdoor light intensity through internal event ChkExtLgt (rule r4 ). ChkExtLgt activates LgtsOn if lExtLgt ≤ 5 48 PNSE’13 – Petri Nets and Software Engineering EnvMotOn if(tk(MtnOn)=0) 0 1 3 Mtn CleanUp lMtn 1 MtnOff lSlp 2 tk(Slp) if(tk(SecElp)=0) tk(ExtLgt) SecElp lExtLgt lgtsTmr r2Act1 r2Trg1 CleanUp r2Tst if(tk(Ready)=0) 1 3 Ready r4Trg1 lMtn if(tk(Ready)=0) 1 ChkExtLgt r4Act2 r4Trg2 3 r4Tst 360 r3Tst 1 1 lgtsTmr 1 2 1 r6Trg1 r6Tst r6Act1 ExtLgt 0 r6Trg1 Seq1 1 r7Tst1,1 r7Trg1 0 EnvAwake 0 ChkMtn intLgts Slp 0 6 1 EnvAsleep 1 r7Act1 if(tk(ExtLgt)=6 and tk(ExtLgtLow)=0) r8Act1 r8Trg1 1 CleanUp 2 LgtsOff 1 r9Act1 CleanUp EnvExtLgtDec 6 r6Act1Seq 1 lMtn r7Tst1,2 1 2 10 1 1 lSlp intLgts r3Act2 LgtsOff EnvExtLgtInc r5Trg1 1 360 r3Trg2 CleanUp LgtsOn r3Act1 r3Trg1 1 r5Act1 r1Act1 r1Tst 0 r4Act1 r1Trg1 3 EnvSecElp 6 intLight r5Tst 4 Ready if(tk(Ready)=0) tk(Mtn) intLgts 1 2 if(tk(MtnOff)=0) 0 r10Trg1 r Act 10 1 if(tk(Ready)=0) EnvMotOff lgtsTmr r10Trg2 r10Act 2 r10Tst MtnOn 1 r9Trg1 r8Tst 3 r8Act2 r Trg 8 2 Ready ChkSlp 1 ExtLgtLow r9Tst lSlp if(tk(Ready)=0) duplicate reset arc Fig. 3. The PN for ECA rules in Fig. 2. (rule r5 ). ChkSlp is activated by rule r8 to check whether a person is asleep. If true, the event triggers an action that turns the lights off (rule r9 ). Internal event ChkMtn, activated by rule r6 , activates LgtsOff if the room is unoccupied and all lights are on, or if the room is occupied but the occupant is asleep (rule r7 ). 4 Transforming a set of ECA rules into a PN We now explain the procedure to transform a set of ECA rules into a PN. First, we put each ECA rule into a regular form where both events and condition are X. Jin, Y. Lembachar and G. Ciardo: Symbolic Veriﬁcation of ECA Rules 49 disjunctions of conjunctions of events and relational expressions, respectively. All rules in Fig. 2 are in this form. While this transformation may in principle cause the expressions for events and conditions to grow exponentially large, each ECA rule usually contains a small number of events and conditions, hence this is not a problem in practice. Based on the immediate event-condition checking assumption, a rule is triggered iff “trigger ≡ events ∧ condition” holds. Next, we map variables and events into places, and use PN transitions to model event testing, condition evaluation, and action execution. Any change of variable values is achieved through input and output arcs with appropriate cardinalities. Additional control places and transitions allow the PN behavior to be organized into “phases”, as shown next. ECA rules r1 through r10 of Fig. 2 are transformed into the PN of Fig. 3 (dotted transitions and places are duplicated and arcs labeled “if (cond)” are present only if cond holds). 4.1 Occurring phase This phase models the occurrence of external events, due to environment changes over which the system has no control. The PN firing semantics perfectly matches the nondeterministic asynchronous nature of these changes. For example, in Fig. 3, transitions EnvMotOn and EnvMotOff can add or remove the token in place Mtn, to nondeterministically model the presence or absence of people in the room (the inhibitor arc from place Mtn back to transition EnvMotOn ensures that at most one token resides in Mtn). Firing these environmental transitions might nondeterministically enable the corresponding external events. Here, firing EnvMotOn generates the external event MtnOn by placing a token in the place of the same name, while firing EnvMotOff generates event MtnOff , consistent with the change in Mtn. To ensure that environmental transitions only fire if the system is in a stable state (when no rule is being processed) we assign the lowest priority, 0, to these transitions. As the system does not directly affect environmental variables, rule execution does not modify them. However, we can take snapshots of these variables by copying the current number of tokens into their corresponding local variables using marking-dependent arcs. For example, transition EnvSecElp has an output arc to generate event SecElp, and arcs connected to local variables to perform the snapshots, e.g., all tokens in lMtn are removed by a reset arc (an input arc that removes all tokens from its place), while the output arc with cardinality tk(Mtn) copies the value of Mtn into lMtn. 4.2 Triggering phase This phase starts when trigger ≡ events ∧ condition holds for at least one external ECA rule. If, for rule rk , events and condition consist of nd and nc disjuncts, respectively, we define nd · nc test transitions rk Tst i,j with priority P + 2, where i and j are the index of a conjunct in events and one in condition, while P ≥ 1 is the highest priority used for internal rules (in our example, all internal rules have default priority P = 1). Then, to trigger rule rk , only one of these transitions, e.g., r7 Tst 1,1 or r7 Tst 1,2 , needs to be fired (we omit i and j if nd = nc = 1). Firing 50 PNSE’13 – Petri Nets and Software Engineering a test transition means that the corresponding events and conditions are satisfied and results in placing a token in each of the triggered places rk Trg 1 , . . . , rk Trg N , to indicate that Rule rk is triggered, where N is the number of outermost parallel actions (recall that par and seq model parallel and sequential actions). Thus, N = 1 if rk contains only one action, or an outermost sequential series of actions. Inhibitor arcs from rk Trg 1 to test transitions rk T sti,j ensure that, even if multiple conjuncts are satisfied, only one test transition fires. The firing of test transitions does not “consume” external events, thus we use double-headed arrows between them. This allows one batch to trigger multiple rules, conceptually “at the same time”. After all enabled test transitions for external rules have fired, place Ready contains one token, indicating that the current batch of external events can be cleared: transition CleanUp, with priority P + 1, fires and removes all tokens from external and internal event places using reset arcs, since all the rules that can be triggered have been marked. This ends the triggering phase and closes the current batch of events. 4.3 Performing phase This phase executes all actions of external rules marked in the previous phase. It may further result in triggering and executing internal rules. Transitions in this phase correspond to the actions of rules with priority in [1, P ], the same as that of the corresponding rule. An action activates an internal event by adding a token to its place. This token is consumed as soon as a test transition of any internal rule related to this event fires. This is different from the way external rules “use” external events. Internal events not consumed in this phase are cleared when transition CleanUp fires in the next batch. When all enabled transitions of the performing phase have fired, the system is in a stable state where environmental changes (transitions with priority 0) can again happen and the next batch starts. 4.4 ECA rules to PN translation The algorithm in Fig. 4 takes external and internal ECA rules Rext , Rint , with priorities in [1, P ], environmental and local variables Venv , Vloc , and external and internal events Eext , Eint , and generates a PN. After normalizing the rules and setting P to the highest priority among the rule priorities in Rint , it maps environmental variables Venv , local variables Vloc , external events Eext , and internal events Eint , into the corresponding places (Lines 5, 6, and 8). Then, it creates phase control place Ready, transition CleanUp, and reset arcs for CleanUp (Lines 4-5). We use arcs with marking-dependent cardinalities to model expressions. For example, together with inhibitor arcs, these arcs ensure that each variable v ∈ Venv remains in its range [vmin , vmax ] (Lines 8-10). These arcs also model the activated when portion of external events (Line 17), rule conditions (Line 33), and assignments of environmental variables to local variables (Lines 19-20 and lines 14-15). The algorithm models external events and environmental changes (Lines 11-24); it connects environmental transitions such as tvInc and tvDec to their corresponding external event places, if any, with an arc X. Jin, Y. Lembachar and G. Ciardo: Symbolic Veriﬁcation of ECA Rules 51 TransformECAintoPN (Rext , Rint , Venv , Vloc , Eext , Eint ) 1 normalize Rext and Rint into regular form and set P to the highest rule priority 2 create a place Ready • to control “phases” of the net 3 create transition CleanUp with priority P +1 and Ready −[1]→ CleanUp 4 for each event e ∈ Eext ∪ Eint do 5 create place pe and pe −[tk(pe )]→ CleanUp 6 create place pv , for each variable v ∈ Vloc 7 for each variable v ∈ Venv with range [vmin , vmax ] do 8 create place pv and transitions tvInc and tvDec with priority 0 9 create tvDec −[if(tk(pv ) > vmin )1 else 0]→ pv 10 create tvInc −[1]→ pv and pv −[vmax ]−◦ tvInc 11 for each event e ∈ Eext activated when v op val, for op ∈ {≥ | =} do 12 create tvInc −[if(tk(pv ) op val)1 else 0]→ pe 13 if e reads v ∈ Venv into v ′ ∈ Vloc then 14 create pv′ −[if(tk(pv ) op val)tk(pv′ ) else 0]→ tvInc 15 create tvInc −[if(tk(pv ) op val)tk(pv ) else 0]→ pv′ 16 for each event e ∈ Eext activated when v op val, for op ∈ {≤ | =} do 17 create tvDec −[if(tk(pv ) op val)1 else 0]→ pe 18 if e reads v ∈ Venv into v ′ ∈ Vloc then 19 create pv′ −[if(tk(pv ) op val)tk(pv′ ) else 0]→ tvDec 20 create tvDec −[if(tk(pv ) op val)tk(pv ) else 0]→ pv′ 21 for each event e ∈ Eext without an activated when portion do 22 create te and te −[if(tk(pe ) = 0)1 else 0]→ pe 23 if e reads v ∈ Venv into v ′ ∈ Vloc then 24 create pv′ −[tk(pv′ )]→ te and te −[tk(pv )]→ pv′ 25 for each rule rk ∈ Rext ∪ Rint with nd event disjuncts, nc condition disjuncts, actions A, and priority p ∈ [1, P ] do 26 create trans. rk Tst i,j ,i ∈ [1, nd ], j ∈ [1, nc ],w/priority P + 2 if rk ∈ Rext , else p 27 for each event e in disjunct i do 28 create pe −[1]→ rk Tst i,j 29 create rk Tst i,j −[1]→ pe , if e ∈ Eext 30 for each conjunct v ≤ val or v = val in disjunct j do 31 create pv −[val + 1]−◦ rk Tst i,j 32 for each conjunct v ≥ val or v = val in disjunct j do 33 create pv −[val]→ rk Tst i,j and rk Tst i,j −[val]→ pv 34 if actions A is “(A1 par A2 )” then na = 2 else na = 1, A1 = A 35 for each l ∈ [1, na ] do 36 create places rk Trg l and transitions rk Act l with priority p 37 create rk Trg l −[1]→ rk Act l and rk Tst i,j −[1]→ rk Trg l 38 SeqSubGraph(Al , “rk Acl l ”, l, p) 39 for each rk ∈ Rext , i ∈ [1, nd ], j ∈ [1, nc ] do 40 create rk Tst i,j −[if(tk(Ready) = 0)1 else 0]→ Ready and rk Trg 1 −[1]−◦ rk Tst i,j Fig. 4. Transforming ECA rules into a PN: a −[k]→ b means “an arc from a to b with cardinality k; a −[k]−◦ b means “an inhibitor arc from a to b with cardinality k. whose cardinality evaluates to 1 if the corresponding condition becomes true upon the firing of the transition and the event place does not contain a token already, 0 otherwise (e.g., the arcs from EnvExtLigDec to ExtLgtLow). Next, rules are considered (Lines 25-40). A rule with nd event disjuncts and nc condition disjuncts generates nd ·nc testing transitions. To model the parallelsequential action graph of a rule, we use mutually recursive procedures (Fig. 5 and Fig. 6). Procedure SeqSubGraph first tests all atomic actions, such as “set”, 52 PNSE’13 – Petri Nets and Software Engineering ParSubGraph(Pars, Pre, p) • Pars: parallel actions, Pre: prefix 1 for each l ∈ {1, 2} do • according to the syntax Pars 2 has two components 2 create place PreAct l Trg l Seq l and transition PreAct l w/priority p 3 create Pre −[1]→ PreAct l and PreAct l −[1]→ PreAct l Trg l Seq l 4 SeqSubGraph(Pars l , “PreAct l Trg l Seq l ”, l, p); Fig. 5. Processing par. SeqSubGraph(Seqs, Pre, i, p) • Seqs: sequential actions, Pre: prefix 1 if Seqs sets variable v to val then 2 create pv −[tk(pv )]→ Pre and Pre −[val]→ pv 3 else if Seqs increases variable v by val then 4 create Pre −[val]→ pv 5 else if Seqs decreases variable v by val then 6 create pv −[val]→ Pre 7 else if Seqs activates an internal event e then 8 create Pre −[1]→ pe 9 else if the outermost operator of Seqs is par then 10 ParSubGraph(Seqs, “Pre”, p) • Recursion on parallel part 11 else if the outermost operator of Seqs is seq then 12 SeqSubGraph(Seqs 1 , “Pre”, 1, p) • Seqs 1 is the first part of Seq 13 create place PreTrg i Seq 1 and transition PreAct i Seq 1 14 create Pre −[1]→ PreTrg i Seq 1 and PreTrg i Seq 1 −[1]→ PreAct i Seq 1 15 SeqSubGraph(Seqs 2 , “PreTrg i Seq 1 ”, 2, p) • Seqs 2 is the second part of Seq Fig. 6. Processing seq. “increase”, “decrease”, and “activate”. Then, it recursively calls ParSubGraph at Line 10 if it encounters parallel actions. Otherwise, it calls itself to unwind another layer of sequential actions at Line 12 and Line 15 for the two portions of the sequence. Procedure ParSubGraph creates control places and transitions for the two branches of a parallel action and calls SeqSubGraph at Line 4. 5 Verifying properties The first step towards verifying correctness properties is to define Sinit , the set of initial states, corresponding to all the possible initial combinations of system variables (e.g., ExtLgt can initially have any value in [0, 10]). One could consider all these possible values by enumerating all legal stable states corresponding to possible initial combinations of the environmental variables, then start the analysis from each of these states, one at a time. However, in addition to requiring the user to explicitly provide the set of initial states, this approach may require enormous runtime, also because many computations are repeated in different runs. Our approach instead computes the initial states symbolically, thanks to the nondeterministic semantics of Petri nets, so that the analysis is performed once starting from a single, but very large, set Sinit . To this end, we add an initialization phase that puts a nondeterministically chosen legal number of tokens in each place corresponding to an environmental variable. This phase is described by a subnet consisting of a transition InitEnd X. Jin, Y. Lembachar and G. Ciardo: Symbolic Veriﬁcation of ECA Rules InitExtLgt InitEnd 4 4 Init InitSlp InitMtn 10 53 ExtLgt 4 Slp 4 Mtn Fig. 7. The initialization phase for the smart home example. with priority P + 3, a place Init with one initial token, and an initializing transition with priority P +3 for every environmental variable, to initialize the number of tokens in the corresponding place. Fig. 7 shows this subnet for our running example. We initialize the Petri net by assigning the minimum number of tokens to every environmental variable place and leaving all other places empty, then we let the initializing transitions nondeterministically add a token at a time, possibly up to the maximum legal number of tokens in each corresponding place. When InitEnd fires, it disables the initializing transitions, freezes the nondeterministic choices, and starts the system’s normal execution. This builds the set of initial states, ensuring that the PN will explore all possible initial states, and avoids the overhead of manually starting the PN from one legal initial marking at a time. Even though the overall state space might be larger (it equals the union of all the state spaces that would be built starting from each individual marking), this is normally not the case, and, anyway, having to perform just one state space generation is obviously enormously better. After the initialization step, we proceed with verifying termination and confluence using our tool SmArT, which provides symbolic reachability analysis and CTL model checking with counterexample generation [7]. 5.1 Termination Reactive systems constantly respond to external events. However, if the system has a livelock, a finite number of external events can trigger an infinite number of rule executions (i.e, activate a cycle of internal events), causing the system to remain “busy” internally, a fatal design error. When generating the state space, all legal batches of events are considered, due to the PN execution semantics, again avoiding the need for an explicit enumeration, this time, of event batches. A set G of ECA rules satisfies termination if no infinite sequence of internal events can be triggered in any possible execution of G. This can be expressed in CTL as ¬EF(EG(unstable)), stating that there is no cycle of unstable states reachable from an initial, thus stable, state. Both traditional breadth-first-search (BFS) and saturation-based [19] algorithms are suitable to compute the EG operator. Fig. 8 uses saturation, which tends to perform much better in both time and memory consumption when analyzing large asynchronous systems. We encode transitions related to external 54 PNSE’13 – Petri Nets and Software Engineering bool 1 2 3 4 5 Term(mdd Sinit , mdd2 Nint ) mdd Srch ← StateSpaceGen(Sinit , Next ∪ Nint ); mdd Sunst ← Intersection(Srch , ExtractUnprimed(Nint )); mdd Sp ← EF(EG(Sunst )); if Sp 6= ∅ then return false • provide error trace else return true; mdd ExtractUnprimed(mdd2 p) • p unprimed 1 if p = 1 then return 1; 2 if CacheLookUp(EXTRACTUNPRIMED, p, r) return r; 3 foreach i ∈ Vp.v do 4 mdd ri ← 0; 5 if p[i] 6= 0 then • p[i] is the node pointed edge i of node p 6 foreach j ∈ Vp.v s.t. p[i][j] 6= 0 do 7 ri ← Union(ri , ExtractUnprimed(p[i][j])) 8 mdd r ← UniqueTableInsert({ri : i ∈ Vp.v }); 9 CacheInsert(EXTRACTUNPRIMED, p, r); 10 return r; Fig. 8. Algorithms to verify the termination property. events and environmental variable changes into Next . Thus, the internal transitions are Nint = N \Next . After generating the state space Srch using constrained saturation [18], we build the set of states Sunst by symbolically intersecting Srch with the unprimed, or “from”, states extracted from Nint . Then, we use the CTL operators EG and EF to identify any nonterminating path (i.e., cycle). 5.2 Confluence Confluence is another desirable property to ensure consistency in systems exhibiting highly concurrent behavior. A set G of ECA rules satisfying termination also satisfies confluence if, for any legal batch b of external events and starting from any particular stable state s, the system eventually reaches a unique stable state. We stress that what constitutes a legal batch b of events depends on state s, since the condition portion of one or more rules might affect whether b (or a subset of b) can trigger a rule (thus close a batch). Given a legal batch b occurring in stable state s, the system satisfies confluence if it progresses from s by traversing some (nondeterministically chosen) sequence of unstable states, eventually reaching a stable state uniquely determined by b and s. Checking confluence is therefore expensive [2], as it requires verifying the combinations of all stable states reachable from Sinit with all legal batches of external events when the system is in that stable state. A straightforward approach enumerates all legal batches of events for each stable state, runs the model, and checks that the set of reachable stable states has cardinality one. We instead only check that, from each reachable unstable state, exactly one stable state is reachable; this avoids enumerating all legal batches of events for each stable state. Since X. Jin, Y. Lembachar and G. Ciardo: Symbolic Veriﬁcation of ECA Rules 55 bool ConfExplicit(mdd Sst , mdd Sunst , mdd2 Nint ) 1 foreach i ∈ Sunst 2 mdd Si ← StateSpaceGen(i, Nint ); 3 if Cardinality(Intersection(Si , Sst )) > 1 then return false; • provide error trace 4 return true; bool ConfExplicitImproved(mdd Sst , mdd Sunst , mdd2 Nint , mdd2 N ) 1 mdd Sf rontier ← Intersection(RelProd(Sst , N ), Sunst ); 2 while Sf rontier 6= ∅ do • if Sf rontier is empty, it explores all Sunst 3 pick i ∈ Sf rontier ; 4 mdd Si ← StateSpaceGen(i, Nint ); 5 if Cardinality(Intersection(Si , Sst )) > 1 then return false; • provide error trace 6 else Sf rontier ← Sf rontier \ Intersection(Si , Sunst ); • exclude all unstable states reached by i 7 return true; Fig. 9. Explicit algorithms to verify the conﬂuence property. bool 1 2 3 ConfSymbolic(mdd Sst , mdd Sunst , mdd2 Nint ) mdd2 T C ← ConstraintedTransitiveClosure(Nint , Sunst ); mdd2 T Cu2s ← FilterPrimed(T C, Sst ); return CheckConf (T Cu2s ); bool 1 2 3 4 5 6 7 8 9 10 11 12 CheckConf (mdd2 p) if p = 1 then return true if CacheLookUp(CHECKCONF , p, r) return r; foreach i ∈ Vp.v , s.t. exist j, j ′ ∈ Vp.v , j 6= j ′ , p[i][j] 6= 0, p[i[j ′ ] 6= 0 do foreach j, j ′ ∈ Vp.v , j 6= j ′ s.t. p[i][j] 6= 0, p[i[j ′ ] 6= 0 do if p[i][j] = p[i][j ′ ] return false; • Confluence does not hold mdd fj ← ExtractUnprimed(p[i][j]); • Result will be cached mdd fj ′ ← ExtractUnprimed(p[i][j ′ ]); • No duplicate computation if Intersection(fi , fj ′ ) 6= 0 then return false; foreach i, j ∈ Vp.v s.t. p[i][j] 6= 0 do if CheckConf (p[i][j]) = false return false; CacheInsert(CHECKCONF , p, true); return true; Fig. 10. Fully symbolic algorithm to verify the conﬂuence property. nondeterministic execution in performing phase is the main reason to violate confluence and the system is in unstable states in our definition, checking the evolution starting from unstable states will fulfill the purpose. The brute force algorithm ConfExplicit in Fig. 9 enumerates unstable states and generates reachable states only from unstable states using constrained saturation [18]. Then, it counts the stable states in the obtained set. We observe that, starting from an unstable stable u, the system may traverse a large set of unstable states before reaching a stable state. If unstable state u is reachable, so are the unstable states reachable from it. Thus, the improved version ConfExplicitImproved first picks an unstable state i and, after generating the states reachable from i and verifying that they include only one stable state, it excludes all visited unstable states (Line 6). Furthermore, it starts only from states i in the frontier, i.e., unstable states reachable in one step from stable 56 PNSE’13 – Petri Nets and Software Engineering Termination (time: sec, memory: MB) |Srch | Tt Tc Mp Mf 6 0.009 9.665 358.68 88.36 PN c 6 2.61·10 0.005 9.497 344.42 87.88 PN 1 8.99·106 0.010 11.559 391.52 89.78 PN 2 7 0.010 24.477 673.33 158.66 PN 3 7 2.61·10 0.010 85.171 1686.46 559.52 PN 4 5.02·107 0.010 14.541 491.80 105.90 Model PN t 2.66·10 1.78·10 Conﬂuence (time: min, memory: GB, –: out of memory) Model Best Explicit |Srch | Symbolic Tbe Mp Mf Ts Mp Mf PN c 2.38·106 4.51 4.24 4.10 5.11 2.02 0.22 PN 1 8.12·106 40.25 14.53 14.33 6.40 2.31 0.27 PN 2 7 1.61·10 34.40 0.85 0.08 10.11 2.59 0.25 PN 3 2.33·107 > 120.00 – – 60.09 2.59 0.25 PN 4 4.55·107 > 120.00 – – 23.33 4.66 0.52 Table 1. Results to verify the ECA rules for a smart home. states (all other unstable reachable states are by definition reachable from this frontier). However, we stress that these, as most symbolic algorithms, are heuristics, thus they are not guaranteed to work better than the simpler approaches. Next, we introduce a fully symbolic algorithm to check confluence in Fig. 10. It first generates the transition transitive closure (TC) set from Nint using constrained saturation [19], where the “from”’ states of the closure are in Sunst (Line 1). The resulting set encodes the reachability relation from any reachable unstable state without going through any stable state. Then, it filters this relation to obtain the relation from reachable unstable states to stable states by constraining the “to” states to set Sst . Thus, checking confluence reduces to verifying whether there exist two different pairs (i, j) and (i, j′ ) in the relation: Procedure CheckConf implements this check symbolically. While computing TC is a an expensive operation [19], this approach avoids separate searches from distinct unstable states, thus is particularly appropriate when Sunst is huge. 6 Experimental results Table 1 reports results for a set of models run on an Intel Xeon 2.53GHz workstation with 36GB RAM under Linux. For each model, it shows the state space size (|Srch |), the peak memory (Mp ), and the final memory (Mf ). For termination, it shows the time used to verify the property (Tt ) and to find the shortest X. Jin, Y. Lembachar and G. Ciardo: Symbolic Veriﬁcation of ECA Rules ... lgtsTmr = 1 r6Trg1 = 1 lgtsTmr = 1 LgtsOn=1 r6Act1 lgtsTmr = 1 r6Trg1Seq1= 1 intLgts = 6 lgtsTmr = 1 ChkMtn = 1 intLgts = 6 r7Tst1,2 r7Act1 r6Tst lgtsTmr = 1 intLgts = 6 LgtsOff = 1 r6Act1Seq 1 r4Act2 r5Act1 lgtsTmr = 1 r5Trg1 =1 r5Tst lgtsTmr = 1 ChkExtLgt=1 lgtsTmr = 1 r4Trg1 =1 r4Act1 57 lgtsTmr = 1 intLgts = 6 r7Trg1 =1 r4Tst lgtsTmr = 1 intLgts = 6 r4Trg1 =1 r4Trg2 =1 Fig. 11. A termination counterexample (related to rules r4 to r7 ). s2 ... ExtLgtLow = 0 intLgts = 0 ChkSlp=0 lSlp = 1 s0 ... ExtLgtLow = 1 intLgts = 0 ChkSlp=0 lSlp = 1 s1 ... ExtLgtLow = 0 intLgts = 6 ChkSlp=1 lSlp = 1 ... Fig. 12. A conﬂuence counterexample (related to rules r8 and r9 ). counterexample (Tc ). For confluence, it reports the best runtime between our two explicit algorithms (Tbe ) and for our symbolic algorithm (Ts ). Memory consumption accounts for both decision diagrams and operation caches. Net PN t is the model corresponding to our running example, and fails the termination check. Even though the state space is not very large, counterexample generation is computationally expensive [20] and consumes most of the runtime. The shortest counterexample generated by SmArT has a long tail consisting of 1885 states and leads to the 10-state cycle of Fig. 11 (only the nonempty places are listed for each state, and edges are labeled with the corresponding PN transition). Analyzing the trace, we can clearly see (in bold) that, when lights are about to be turned off due to the timeout, lMtn = 0, and the external light is low, ExtLgt ≤ 5, the infinite sequence of internal events (LgtsOff , ChkExtLgt, LgtsOn, ChkMtn)ω prevents the system from terminating. Thus, rules r4 , r5 , r6 , and r7 need to be investigated to fix the error. Among the possible modifications, we choose to replace rule r5 with r5′ : on ChkExtLgt if ((intLgts= 0 and lExtLgt ≤ 5) and lMtn= 1) do activate (LgtsOn), resulting in the addition of an input arc from lMtn to r5 Tst. The new corrected model is called PN c in Table 1, and SmArT verifies it holds the termination property. We then run SmArT on PN c to verify confluence, and found 72,644 bad states. Fig. 12 shows one of these unstable states, s0 , reaching two stables states, s1 and s2 . External event ExtLgtLow closes the batch in s0 and triggers rule r8 , which sets intLgt to 6 and activates internal event ChkSlp, which in turn sets intLgt to 0 (we omit intermediate unstable states from s0 to s1 and to s2 ). We correct rules r8 and r9 , replacing them with r8′ : on ExtLgtLow if lSlp=0 do set (intLgt, 6) and r9′ : on ExtLgtLow if lSlp=1 do set (intLgt, 0); resulting in model PN f c . Checking this new model against for confluence, we find that the number of bad states decreases from 72,644 to 24,420. After investigation, we determine that the remaining problem is related to rules r2 and r3 . After 58 PNSE’13 – Petri Nets and Software Engineering changing rule r2 to on SecElp if ((lgtsTmr ≥ 1 and lgtsTmr ≤ 359) and lMtn = 0) do increase (lgtsTmr, 1), the model passes the check. This demonstrates the effectiveness of counterexamples to help a designer debug a set of ECA rules. We then turn our attention to larger models, which extend our original model by introducing four additional rules and increasing variable ranges. In PN 1 and PN 2 , the external light variable ExtLgt ranges in [0, 20] instead of [0, 10]; for PN 4 , it ranges in [0, 50]. PN 2 also extends the range of the light timer variable lgtTmr to [0, 720]; PN 3 to [0, 3600]. We observe that, when verifying termination or confluence, the time and memory consumption tends to increase as the model grows; also, our symbolic algorithm scales much better than the best explicit approach when verifying confluence. For the relatively small state space of PN t , enumeration is effective, since computing TC is quite computationally expensive. However, as the state space grows, enumerating the unstable states consumes excessive resources. We also observe that the supposedly improved explicit confluence algorithm sometimes makes things worse. The reason may lie in the fact that a random selection of a state from the frontier has different statistical properties than for the original explicit approach, and also in the fact that operation caches save many intermediate results. However, both explicit algorithms run out of memory on PN 3 and PN 4 . Comparing the results for PN 3 and PN 4 , we also observe that larger state spaces might require less resources. With symbolic encodings, this might happen because the corresponding MDD is more regular than the one for a smaller state space. 7 Conclusion Verifying termination and confluence of ECA rule bases for reactive systems is challenging due to their highly concurrent and nondeterministic nature. We proposed an approach to verify these properties using a self-modifying PN with inhibitor arcs and priorities. Our approach is general enough to give precise answers to questions about other properties, certainly those that can be expressed in CTL. As an application, we showed how a light control system can be captured by our approach, and we verified termination and confluence for this model using SmArT. In the future, we would like to improve our approach in the following ways. The confluence algorithm must perform constrained state space generation starting from each unstable state, which is not efficient if Sunst is large. In that case, a simulation-based falsification approach might be more suitable, using intelligent heuristic sampling and searching strategies. However, this approach is sound only if the entire set Sunst is explored. Another direction to extend our work is the inclusion of abstraction techniques to reduce the size of the state space. Acknowledgement Work supported in part by UC-MEXUS under grant Verification of active rule bases using timed Petri nets and by the National Science Foundation under grant CCF-1018057. X. Jin, Y. Lembachar and G. Ciardo: Symbolic Veriﬁcation of ECA Rules 59 References 1. D. J. Abadi, D. Carney, U. Çetintemel, M. Cherniack, C. Convey, S. Lee, M. Stonebraker, N. Tatbul, and S. Zdonik. Aurora: a new model and architecture for data stream management. The VLDB Journal, 12(2):120–139, 2003. 2. A. Aiken, J. Widom, and J. M. Hellerstein. Behavior of database production rules: termination, conﬂuence, and observable determinism. Proc. ACM SIGMOD, pp. 59–68. ACM Press, 1992. 3. J. C. Augusto and C. D. Nugent. A new architecture for smart homes based on ADB and temporal reasoning. Toward a Human-Friendly Assistive Environment, vol. 14, pp. 106–113, 2004. 4. E. Baralis, S. Ceri, and S. Paraboschi. Improved rule analysis by means of triggering and activation graphs. Rules in Database Systems, LNCS 985, pp. 163–181. 1995. 5. E. Baralis and J. Widom. An algebraic approach to static analysis of active database rules. ACM TODS, 25(3):269–332, Sept. 2000. 6. E.-H. Choi, T. Tsuchiya, and T. Kikuno. Model checking active database rules under various rule processing strategies. IPSJ Digital Courier, 2:826–839, 2006. 7. G. Ciardo, R. L. Jones, A. S. Miner, and R. Siminiceanu. Logical and stochastic modeling with SMART. Proc. Modelling Techniques and Tools for Computer Performance Evaluation, LNCS 2794, pp. 78–97. 2003. 8. S. Comai and L. Tanca. Termination and conﬂuence by rule prioritization. IEEE TKDE, 15:257–270, 2003. 9. K. G. Kulkarni, N. M. Mattos, and R. Cochrane. Active database features in SQL3. Active Rules in Database Systems, pp. 197–219. Springer, New York, 1999. 10. E. A. Lee. Computing foundations and practice for cyber-physical systems: A preliminary report. Technical Report UCB/EECS-2007-72, UC Berkeley, May 2007. 11. X. Li, J. M. Marín, and S. V. Chapa. A structural model of ECA rules in active database. Proc. Second Mexican International Conference on Artificial Intelligence: Advances in Artificial Intelligence, pp. 486–493. Springer, 2002. 12. D. McCarthy and U. Dayal. The architecture of an active database management system. ACM SIGMOD Record, 18(2):215–224, 1989. 13. T. Murata. Petri nets: properties, analysis and applications. Proc. of the IEEE, 77(4):541–579, Apr. 1989. 14. D. Nazareth. Investigating the applicability of Petri nets for rule-based system veriﬁcation. IEEE TKDE, 5(3):402–415, 1993. 15. I. Ray and I. Ray. Detecting termination of active database rules using symbolic model checking. Proc. East European Conference on Advances in Databases and Information Systems, pp. 266–279. Springer, 2001. 16. R. Valk. Generalizations of Petri nets. Mathematical foundations of computer science, LNCS 118, pp. 140–155. 1981. 17. D. Varró. A formal semantics of UML statecharts by model transition systems. Proc. Int. Conf. on Graph Transformation, pp. 378–392. Springer, 2002. 18. Y. Zhao and G. Ciardo. Symbolic CTL model checking of asynchronous systems using constrained saturation. Proc. ATVA, LNCS 5799, pp. 368–381. 2009. 19. Y. Zhao and G. Ciardo. Symbolic computation of strongly connected components and fair cycles using saturation. ISSE, 7(2):141–150, 2011. 20. Y. Zhao, J. Xiaoqing, and G. Ciardo. A symbolic algorithm for shortest EG witness generation. Proc. TASE, pp. 68–75. IEEE Comp. Soc. Press, 2011. 60 PNSE’13 – Petri Nets and Software Engineering Soundness of Workflow Nets with an Unbounded Resource is Decidable⋆ Vladimir A. Bashkin1 and Irina A. Lomazova2,3 Yaroslavl State University, Yaroslavl, 150000, Russia v_bashkin@mail.ru 2 National Research University Higher School of Economics, Moscow, 101000, Russia Program Systems Institute of the Russian Academy of Science, Pereslavl-Zalessky, 152020, Russia i_lomazova@mail.ru 1 3 Abstract. In this work we consider modeling of workﬂow systems with Petri nets. A resource workﬂow net (RWF-net) is a workﬂow net, supplied with an additional set of initially marked resource places. Resources can be consumed and/or produced by transitions. We do not constrain neither the intermediate nor ﬁnal resource markings, hence a net can have an inﬁnite number of diﬀerent reachable states. An initially marked RWF-net is called sound if it properly terminates and, moreover, adding any extra initial resource does not violate its proper termination. An (unmarked) RWF-net is sound if it is sound for some initial resource. In this paper we prove the decidability of both marked and unmarked soundness for a restricted class of RWF-nets with a single unbounded resource place (1-dim RWF-nets). We present an algorithm for computing the minimal sound resource for a given sound 1-dim RWF-net. 1 Introduction Petri nets constitute a popular formalism for modeling and analysis of distributed systems. In this paper we consider workﬂow systems, or, to be more precise, workﬂow processes. To model workﬂow processes a special subclass of Petri nets, called WF-nets [1, 2], is used. In the context of WF-nets a crucial correctness criterion is soundness [1, 3]. We say that a workﬂow case execution terminates properly, iﬀ its ﬁring sequence (starting from the initial marking with a single token in the initial place) terminates with a single token in the ﬁnal place (i.e. there are no “garbage” tokens after the termination). A model is called sound iﬀ a process can terminate properly starting from any reachable marking. ⋆ This work is supported by the Basic Research Program of the National Research University Higher School of Economics, Russian Fund for Basic Research (projects 11-01-00737, 12-01-31508, 12-01-00281), and by Federal Program "Human Capital for Science and Education in Innovative Russia" (Contract No. 14.B37.21.0392). 62 PNSE’13 – Petri Nets and Software Engineering Soundness of WF-nets is decidable [1]. Moreover, a number of decidable variations of soundness are established, for example, k-soundness [9], structural soundness [14] and soundness of nested models [11]. One of important aspects in workﬂow development concerns resource management. Resources here is a general notion for executives (people or devices), raw materials, ﬁnances, etc. To take resources into account diﬀerent extensions of a base formalism where introduced, having diﬀerent versions of soundness criteria. In [5, 6] a speciﬁc class of WFR-nets with decidable soundness is studied. In [10, 13] a more general class of Resource-Constrained Workﬂow Nets (RCWFnets) is deﬁned. Informally, the authors impose two constraints on resources. First, they require that all resources that are initially available are available again after terminating of all cases. Second, they also require that for any reachable marking, the number of available resources does not override the number of initially available resources. In [10] it is proven that for RCWF-nets with a single resource type soundness can be eﬀectively checked in polynomial time. In [13] it is proven that soundness is also decidable in general case (by reducing to the home-space problem). In all mentioned papers resources are assumed to be permanent, i.e. they are used (blocked) and released later on. Resources are never created, nor destroyed. Hence the process state space is explicitly bounded. To study a more general case of arbitrary resource transformations (that can arise, for example, in open and/or adaptive workﬂow systems), in [8] we deﬁned a notion of WF-nets with resources (RWF-nets). RWF-nets extend RCWF-nets from [10] in such a way that resources can be generated or consumed during a process execution without any restrictions (cf. [7]). For RWF-nets we deﬁned notions of resources and controlled resources and studied the problem of soundnesspreserving resource replacement (this problem is important for adaptive workﬂows). Unfortunately, even sound RWF-nets are not bounded in general, hence existing soundness checking algorithms cannot be applied here. In [8] the decidability of soundness for RFW-nets was declared as an open problem. In this paper we consider a restricted case — RWF-nets with a single resource place (1-dim RWF-nets). One resource type is suﬃcient for many practical applications (memory or money are typical examples of such resources). Note that 1-dim RWF-nets are, generally speaking, not bounded and hence this case cannot be reduced to ﬁnite-state WF-nets with resources, such as RCWF- or WFR-nets. In this paper we use graph-theoretic properties of RWF-net control automaton to prove decidability of soundness for marked, as well as unmarked 1-dim RWF-nets. We present also an algorithm for computing minimal sound resource for a given sound 1-dim RWF-net. The paper is organized as follows. In Section 2 basic deﬁnitions of multisets and Petri nets are given. In Section 3 we give deﬁnitions of sound RWF-nets. In Section 4 the class of 1-dim RWF-nets is deﬁned and studied, algorithms for V. Bashkin et al.: Soundness of WF Nets with an Unbounded Resource 63 checking marked soundness, soundness and ﬁnding the minimal sound resource are given. Section 5 contains some conclusions. 2 Preliminaries Let S be a ﬁnite set. A multiset m over a set S is a mapping m : S → Nat, where Nat is the set of natural numbers (including zero), i. e. a multiset may contain several copies of the same element. For two multisets m, m′ we write m ⊆ m′ iﬀ ∀s ∈ S : m(s) ≤ m′ (s) (the inclusion relation). The sum, the union and the subtraction of two multisets m and m′ are deﬁned as usual: ∀s ∈ S : (m + m′ )(s) = m(s) + m′ (s), (m ∪ m′ )(s) = max(m(s), m′ (s)), (m − m′ )(s) = m(s) ⊖ m′ (s) (where ⊖ denotes the truncated subtraction). By M(S) we denote the set of all ﬁnite multisets over S. Non-negative integer vectors are often used to encode multisets. Actually, the set of all multisets over ﬁnite S is a homomorphic image of Nat|S| . Let P and T be nonempty disjoint sets of places and transitions and let F : (P × T ) ∪ (T × P ) → Nat. Then N = (P, T, F ) is a Petri net. A marking in a Petri net is a function M : P → Nat, mapping each place to some natural number (possibly zero). Thus a marking may be considered as a multiset over the set of places. Pictorially, P -elements are represented by circles, T -elements by boxes, and the ﬂow relation F by directed arcs. Places may carry tokens represented by ﬁlled circles. A current marking M is designated by putting M (p) tokens into each place p ∈ P . Tokens residing in a place are often interpreted as resources of some type consumed or produced by a transition ﬁring. A simple example, where tokens represent molecules of hydrogen, oxygen and water respectively is shown in Fig. 1. ✁ ✡ ☎ ✂ ✄ ✆ ☛ ✞ ✝ ☞ ✟ ✠ ✌ Fig. 1. A chemical reaction. For a transition t ∈ T an arc (x, t) is called an input arc, and an arc (t, x) — an output arc; the preset • t and the postset t• are deﬁned as the multisets over P such that • t(p) = F (p, t) and t• (p) = F (t, p) for each p ∈ P . A transition t ∈ T is enabled in a marking M iﬀ ∀p ∈ P M (p) ≥ F (p, t). An enabled transition t may ﬁre yielding a new marking M ′ =def M − • t + t• , i. e. M ′ (p) = M (p) − F (p, t) + 64 PNSE’13 – Petri Nets and Software Engineering t F (t, p) for each p ∈ P (denoted M → M ′ , or just M → M ′ ). We say that M ′ is reachable from M iﬀ there is a sequence M = M1 → M2 → · · · → Mn = M ′ . For a Petri net N by R(N, M0 ) we denote the set of all markings reachable from its initial marking M0 . 3 WF-nets with resources In Petri nets with resources we divide Petri net places into control and resource ones. Definition 1. A Petri net with resources is a tuple N = (Pc , Pr , T, Fc , Fr ), where – – – – – – Pc is a ﬁnite set of control places; Pr is a ﬁnite set of resource places, Pc ∩ Pr = ∅; T is a ﬁnite set of transitions, Pc ∩ T = Pr ∩ T = ∅; Fc : (Pc × T ) ∪ (T × Pc ) → Nat is a multiset of control arcs; Fr : (Pr × T ) ∪ (T × Pr ) → Nat is a multiset of resource arcs; ∀t ∈ T ∃p ∈ Pc : Fc (p, t) + Fc (t, p) > 0 (each transition is incident to some control place). Note that all transitions are necessarily linked to control places — this guarantees the absence of “uncontrolled” resource modiﬁcations. A marking in a Petri net with resources is also divided into control and resource parts. For a multiset c + r, where c ∈ M(Pc ) and r ∈ M(Pr ), we write c|r. Definition 2. For a net N a resource is a multiset over Pr . A controlled resource is a multiset over Pc ∪ Pr . Workﬂow nets (WF-nets) are a special subclass of Petri nets designed for modeling workﬂow processes. To study resource dependencies in workﬂow systems we consider WF-nets with resources. Definition 3. A Petri net with resources N is called a WF-net with resources (RWF-net) iﬀ 1. There is one source place i ∈ Pc and one sink place o ∈ Pc s. t. • i = o• = ∅; 2. Every node from Pc ∪ T is on a path from i to o, and this path consists of nodes from Pc ∪ T. Fig. 2 represents an example of a RWF-net, where resource places r1 and r2 are depicted by ovals, resource arcs — by dotted arrows. Every RWF-net N = (Pc , Pr , T, Fc , Fr ) contains its control subnet Nc = (Pc , T, Fc ), which forms a RWF-net with the empty set of resources. A marked net is a net together with some initial marking. Definition 4. A marked RWF-net (N, c|r) is called sound iﬀ ∀s ∈ M(Pr ), ∀M ∈ R(N, c|r + s) we have: V. Bashkin et al.: Soundness of WF Nets with an Unbounded Resource ✡ ☛ ✝ ✂ 65 ✞ ✄ ☎ ✆ ✁ ✟ ✠ Fig. 2. WF-net wth resources. 1. ∃s′ ∈ M(Pr ) : o|s′ ∈ R(N, M ); 2. c′ |r′ ∈ R(N, M ) ⇒ c′ = o ∨ c′ ∩ o = ∅. Thus soundness for a RWF-net means that, ﬁrst, this workﬂow net can terminate properly from any reachable state, and, additionally, adding any extra resource does not violate the proper termination property. Note that our deﬁnition is substantially diﬀerent from the deﬁnition of sound RCWF-nets (Resource-Constrained Workﬂow net) in [10]. We do not forbid creating and spending of resources. Thus, in RWF-nets resources may be produced and consumed during a process execution. This implies the possible unboundedness of sound RWF-nets. The following statement is analogous to Lemma 5 in [10]. Proposition 1. [7] If a marked RWF-net (N, i|r) is sound, then its control subnet Nc with the initial marking i is also sound. The proof of this proposition is given in the Appendix. The converse statement is not true: there may be RWF-nets with sound control subnets, for which sound resources do not exist. An example of such a net is given in Fig. 3. Let N be a RWF-net. By C(N ) we denote the set of all control markings reachable in Nc , i. e. C(N ) = R(Nc , i). Proposition 2. [7] If a marked RWF-net (N, i|r) is sound, then 1. for any reachable control marking c ∈ C(N ) there exists a resource r′ , such that (N, c|r′ ) is sound; 2. for any two control markings c1 , c2 ∈ C(N ) we have c1 6⊂ c2 and c2 6⊂ c1 . The proof of this proposition is given in the Appendix. 66 PNSE’13 – Petri Nets and Software Engineering ✂ ✁ Fig. 3. RWF-net with a sound control subnet, which is not sound for any resource. Further, we call a RWF-net N sound (without indicating any concrete resource) iﬀ a marked RWF-net (N, i|r) is sound with some initial resource r. From the second statement of Proposition 2 and the well-known Dickson’s lemma we obtain the following Corollary 1. For a sound RWF-net N the set C(N ) of all its reachable control markings is ﬁnite. Note 1. Since the control subnet of a sound RWF-net N is bounded, the set C(N ) can be eﬀectively constructed (e. g. by constructing a coverability tree). Definition 5. Let N be a RWF-net, c ∈ C(N ). We deﬁne: 1. res(c) =def {r ∈ M(Pr ) | (N, c|r) is sound} — the set of all sound resources for c; 2. mres(c) =def {r ∈ res(c) | 6 ∃r′ ∈ res(c) : r′ ⊂ r} — the set of all minimal sound resources for c. Then from Dickson’s Lemma we immediately obtain: Proposition 3. [7] For any sound RWF-net N and any control marking c ∈ C(N ) the set mres(c) is ﬁnite. The questions of computability of mres(c) and decidability of soundness for RWF-nets remain open. In the next section positive answers to these two questions are given for a restricted case — RWF-nets with a single resource place. 4 Soundness of 1-dim RWF-nets Let N = (Pc , Pr , T, Fc , Fr ) be an RWF-net with Pr = {pr }, i.e. with just one resource place. By 1-dim RWF-nets we denote the subclass of RWF-nets with single resources. An example of such a net is given in Fig. 4. In the following sections we consider only 1-dim RWF-nets. If a control subnet of N is not sound, then N is also not sound. So, we suppose that the control subnet of N is sound, and hence bounded. V. Bashkin et al.: Soundness of WF Nets with an Unbounded Resource ✝ ✍ ✞ ✡ ✎ ✏ ✒ 67 ☛ ✓ ✑ ✁ ✂ ✄ ✟ ✠ ☞ ✔ ✖ ☎ ✌ ✕ ✗ ✘ ✆ Fig. 4. 1-dim RWF-net N1 . 4.1 Control automaton It is easy to note that a bounded control subnet can be represented as an equivalent ﬁnite automaton (a transition system). This automaton is an oriented graph with two distinguished nodes – a source node i and a sink node o. In this control automaton states are exactly the elements of C(N ), transitions — transitions of the given net N . But now it will be more convenient to consider t a transition t as a pair (c1 , c2 ) of control states, where c1 → c2 . Every transition t of the automaton is labeled by an integer δ(t), deﬁning a “resource eﬀect” of transition ﬁring. A positive δ(t) means that the ﬁring of t increments the marking of a (single) resource place pr by δ(t), a negative δ(t) means that t is enabled in a state (c|r) iﬀ r(pr ) ≥ |δ(t)|, and that the ﬁring of t decrements the resource by |δ(t)|. Formally, −Fr (pr , t) for Fr (pr , t) > 0; δ(t) =def Fr (t, pr ) for Fr (t, pr ) > 0. The value δ(t) is called an eﬀect of t (denoted Eﬀ (t)). Note that for simplicity we exclude loops, when both Fr (pr , t) > 0 and Fr (t, pr ) > 0; such loops can be simulated by two sequential transitions. A support of t is the amount of the resource required for a ﬁring of t. It is deﬁned as: 0, δ(t) ≥ 0; Supp(t) =def |δ(t)|, δ(t) < 0. Thus, a 1-dim RWF-net N can be transformed into a control automaton Aut(N ), which can be considered as a one-counter net (e.g. [4]) or, alternatively, a 1-dim Vector Addition System with States (VASS [12]) with a speciﬁc workﬂow structure: one source state, one sink state, and every state is reachable from the source state, as well as the sink is reachable from every state. Note that the control automaton Aut(N ) is behaviorally equivalent to N in the branchingtime semantics. 68 PNSE’13 – Petri Nets and Software Engineering Consider an example depicted in Fig. 5. This is a control automaton for the 1-dim RWF-net from Fig. 4. States are denoted by octagons, labelled with the corresponding control markings of the net. Transitions are labelled with the corresponding names and eﬀects. ✵ ✶ ✷ ✸ ✹ ✺ ✯ ✒ ✓ ✔ ✰ ✱ ✲ ✳ ✴ ✕ ✖ ✗ ✘ ✙ ✡ ✣ ✤ ✥ ✦ ✧ ✻ ✂ ☛ ★ ✼ ✽ ✾ ✿ ❀ ✄ ✁ ✍ ✎ ✏ ✑ ☞ ✚ ✩ ☎ ✆ ✝ ✞ ✟ ✪ ✫ ✬ ✭ ✛ ✜ ✌ ✢ ✮ ✠ Fig. 5. Control automaton for N1 . A control automaton (a one-counter net) is a digraph with arcs labeled by integers. Recall some basic notion from graph theory. A walk is an alternating sequence of nodes and arcs, beginning and ending with a node, where each node is incident to both the arc that precedes it and the arc that follows it in the sequence, and where the nodes that precede and follow an arc are the head and the tail of this arc. We consider only non-empty walks, containing at least one arc. A walk is closed if its ﬁrst and last nodes coincide. A path is a walk where no arcs are repeated (nodes may be repeated). A simple path is a path where no nodes are repeated. A cycle is a closed path. A simple cycle is a closed path where no nodes are repeated (except the ﬁrst/last one). A walk in a control automaton corresponds to some sequence of ﬁrings in 1-dim RWF-net. Now we inductively deﬁne an eﬀect and a support of a walk. Intutively, Let t be a transition and σ a walk, such that the ending node of t is the beginning node of the ﬁrst transition of σ. Let tσ denote a walk, constructed by linking t and σ. We deﬁne: Eﬀ (tσ) =def Eﬀ (t) + Eﬀ (σ); Supp(tσ) =def Supp(t) + (Supp(σ) ⊖ Eﬀ (t)), where ⊖ denotes the truncated subtraction. V. Bashkin et al.: Soundness of WF Nets with an Unbounded Resource 69 A positive (resp., negative) walk is a walk with a positive (resp., negative) eﬀect. Obviously, the eﬀect of a cycle does not depend on a choice of a starting node. A node q is called a positive generator, iﬀ there exists a simple positive path from q to q (a simple positive cycle) with a zero support. Lemma 1. Any simple positive cycle contains at least one generator. Proof. Note that without loss of generality we can consider only cycles of even lengths, having alternating positive and negative arcs. Then the proof is straightforward, by induction on the length of a cycle. A node q is called a negative generator, iﬀ there exists a simple negative path θ from q to q (a simple negative cycle), such that Supp(θ) = −Eﬀ (θ). Lemma 2. Any simple negative cycle contains at least one generator. Proof. Similar to the previous lemma. 4.2 Decidability of soundness for marked nets Let (N, i|r0 ) be an initially marked 1-dim RWF-net. By abuse of notation we denote by N also the control automaton of N , represented as a one-counter net. Recall that i ∈ C(N ) denotes the initial control state, r0 ∈ Nat denotes the initial value of a counter (the single resource place), and R(N, (i|r0 )) denotes the set of all reachable states. Note that a marked RWF-net (N, i|r0 ) with a sound control subnet is not sound if and only if it does not always terminate with a ﬁnal control state o for some larger initial resource r0 + s: ∃(c|r) ∈ R(N, i|r0 + s) such that (o|s′ ) 6∈ R(N, c|r) for any s′ ∈ Nat. So we consider both two kinds of possible undesirable (not properly terminating) behaviours of a Petri net, namely, deadlocks and livelocks. Definition 6. A state (c|r) ∈ C(N )×Nat is a deadlock iﬀ c 6= o and there is t no transition t ∈ T s.t. (c|r) → (c′ |r′ ) for some c′ , r′ . A ﬁnite set L ⊂ C(N )×Nat of states is a livelock iﬀ 1. |L| > 1; 2. for any (c|r), (c′ |r′ ) ∈ L there is a ﬁnite transition sequence σ ∈ T ∗ s.t. σ (c|r) → (c′ |r′ ); t 3. for any (c|r) ∈ L and t ∈ T s.t. (c|r) → (c′′ |r′′ ) we have (c′′ |r′′ ) ∈ L. A livelock state is a state that belongs to some livelock. Note that by deﬁnition (o|r) 6∈ L for any r;. 70 PNSE’13 – Petri Nets and Software Engineering t Proposition 4. If a state (c|r) is a deadlock then for any t ∈ T s.t. c → c′ we have Supp(t) > r. Proof. Straightforward. Note that Prop. 4 implies δ(t) < 0 and hence we can reformulate it: Corollary 2. If a state (c|r) is a deadlock then: t 1. ∀t ∈ T s.t. c → c′ for some c′ we have δ(t) < 0; t 2. r < min{|δ(t)| : c → c′ for some c′ }. So deadlocks can occur (1) just for control states with only negative outgoing transitions; (2) only for a ﬁnite number of diﬀerent resources – when there are no enough resources for ﬁring any of the successor transitions. Proposition 5. The set of deadlock states is ﬁnite. Proof. The set of “potential deadlock” control states (nodes with only negative outgoing transitions) is ﬁnite. For a given “potential deadlock” control state the set of applicable deadlock states (natural numbers smaller than the smallest required resource for a successor transition) is also ﬁnite. Hence, all deadlocks can be detected by checking control states with only negative outgoing transitions. Now let us consider livelocks. Proposition 6. If L ⊂ C(N )×Nat is a livelock then there is a state (c|r) ∈ L t and a negative transition t ∈ T with c → c′ , such that δ(t) < −r. Proof. Straightforward, since the control subnet of RWF-net N is sound. Proposition 7. The set of livelocks is ﬁnite. Proof. First note that if (c|r), (c|r + x) ∈ L with x > 0 then L is not a livelock. σ Indeed, in this case the transition sequence (c|r) → (c|r + x) corresponds to a positive cycle, that can generate an inﬁnite number of states — a contradiction to the ﬁniteness of livelocks. So, every control state can occur in a given livelock at most once. Now assume the converse: there are inﬁnitely many livelocks. Then there are inﬁnitely many livelocks with the same set of control states, which diﬀer only in their resource value. Hence, this set includes a livelock with an arbitrarily large resource, and we can take a livelock with a resource big enough to reach the ﬁnal state o. This implies that o belongs to the livelock — a contradiction with the deﬁnition of a livelock. Thus, all livelocks can be easily detected by checking ﬁnite systems of states, closed under transition ﬁrings (strongly connected components) and satisfying the property from Prop. 6. V. Bashkin et al.: Soundness of WF Nets with an Unbounded Resource 71 ✝✟✞✡✠☞☛✍✌✏✎✒✑✔✓✖✕✔✗✒✘✚✙✜✛✏✢✤✣✚✥✧✦✩★✫✪✭✬✡✮✰✯✲✱✚✳✵✴✜✶✸✷✍✹✻✺✸✼✾✽☞✿❁❀✒❂✻❃ ✁ ✂ ✄ ☎ ✆ Fig. 6. Modiﬁed RWF-net N . Theorem 1. Soundness is decidable for marked 1-dim RWF-nets. Proof. The following proof is similar to the proof of decidability of structural soundness in [14]. For a given 1-dim RWF-net N construct the modiﬁed RWF-net N by adding a new initial place i and two new transitions, as depicted in Fig. 6. The original 1-dim RWF-net (N, i|r) is sound iﬀ neither deadlocks nor livelocks are reachable in 1-dim RWF-net (N , i|r) (otherwise some large enough initial resource would produce the same undesirable situation in the given net N ). Since the sets of deadlocks and livelocks are ﬁnite and computable, the problem of soundness of a marked 1-dim RWF-net can be reduced to a ﬁnite number of instances of a reachability problem for a 1-counter Petri net. This reachability problem is decidable. 4.3 Decidability of soundness for unmarked nets Theorem 1 gives us only a semidecision procedure for soundness of a net. One can check the soundness of a given initial marking, but if the answer is negative, it is not known whether there exists a larger sound marking. Definition 7. An unmarked RWF-net N is called sound iﬀ (N, i|r) is sound for some resource r. Corollary 2 gives us only a necessary condition of a deadlock, reachable from some initial marking. Now we prove a stronger theorem, which gives a suﬃcient and necessary condition for existence of a soundness-violating deadlock (i.e. a deadlock that is reachable from an inﬁnite number of diﬀerent initial markings). Theorem 2. An unmarked 1-dim RWF-net is not sound with deadlocks iﬀ there σ exist a deadlock state (c|r), a negative generator q and a simple path q → c such that Eﬀ (σ) ⊖ Supp(σ) ≤ r. 72 PNSE’13 – Petri Nets and Software Engineering Proof. (⇐) It is suﬃcient to show that for any (large enough) initial resource r0 there exists a larger initial resource r0 + x, such that a deadlock is reachable from (i|r0 + x). Consider an arbitrary (large enough) initial resource r0 s.t. τ (i|r0 ) → (q|s) for some path τ and resource s (it is always possible to ﬁnd such a resource since the control net is sound, and therefore any control state is reachable for some suﬃciently large initial resource). Let θ = qc1 . . . cj q be a simple negative cycle with generator q, i.e. Supp(θ) = −Eﬀ (θ). Denote z = s mod Supp(θ) and consider a larger initial resource r0 + z + Supp(σ). We have i|r0 + z + Supp(σ) ↓ τ q|s + z + Supp(σ) ↓ θ (s+z)/Supp(θ) q|Supp(σ) ↓ σ c|Eﬀ (σ) ⊖ Supp(σ) and hence a deadlock. (⇒) Assume the converse: the net is unsound with a deadlock, but for any given deadlock state, it is impossible to ﬁnd a negative generator that satisﬁes the conditions in the theorem. The number of deadlock states is ﬁnite, hence some deadlock state (c|r) is reachable from an inﬁnite number of diﬀerent initial states (initial resource values). Every transition sequence σ = t1 .t2 . . . . .tn from (i|r0 ) to (c|r) corresponds to a walk σ in the control automaton graph. Since there are inﬁnitely many deadlock-generating initial states, the set of corresponding walks is also inﬁnite. Each of these walks can be decomposed into a sequence of alternating simple cycles and acyclic simple paths: σ = τ1 (θ1 )k1 τ2 (θ2 )k2 . . . τn−1 (θn−1 )kn−1 τn . Note that this decomposition is not unique: ababa can be considered both as (ab)2 a and a(ba)2 . To ﬁx ideas, we only consider “decomposition from the right to the left”, so a(ba)2 . Let us show that among these walks there is a walk with a negative last cycle θn−1 . Indeed, if the last cycle is positive (or neutral) with an eﬀect x, we can consider a larger initial resource r0 + x ∗ kn−1 and a shorter walk σ ′ = τ1 (θ1 )k1 τ2 (θ2 )k2 . . . τn−1 τn , V. Bashkin et al.: Soundness of WF Nets with an Unbounded Resource 73 having the same ending — a deadlock. Now, the new walk σ ′ can be decomposed into simple cycles and simple paths, then the last cycle, if it is positive, can be removed by increasing the initial resource, and so on. At the end of this process we will obtain either a walk with a negative “last cycle” or a completely acyclic walk (simple path from i to c). There are only ﬁnitely many acyclic paths in the graph, but inﬁnitely many deadlock-generating initial markings (and hence deadlock-generating walks from i to c), so we necessarily obtain a walk with a negative last cycle. Consider such a deadlock-walk σ ′′ , ending with a suﬃx θk τ, where θ is a negative cycle and τ is acyclic. Let θ = c1 c2 . . . ci . . . cm c1 , where ci is a negative generator (from Lemma 2 such ci always exists). The path (ci . . . cm c1 )τ is simple (remember that we decompose “from the right to the left” and hence θτ cannot contain cycles other than θ). Since the ﬁnal state of the whole walk σ ′′ is (c|r), for any suﬃx φ of σ ′′ we have Eﬀ (φ) ⊖ Supp(φ) ≤ r. It holds for (ci . . . cn c1 )τ as well. But this is a simple path that leads from a negative generator to a deadlock control state – Q.E.D. A result similar to Th. 2 is valid for livelocks: Theorem 3. An unmarked 1-dim RWF-net is not sound with livelocks iﬀ there σ exist a livelock state (c|r), a negative generator q and a simple path q → c such that Eﬀ (σ) ⊖ Supp(σ) ≤ r. Proof. Similar to Th. 2. Corollary 3. Soundness is decidable for unmarked 1-dim RWF-nets. Proof. All simple (negative) cycles can be found by Tarjan algorithm, deadlock and livelock states — by searching for states, satisﬁyng Prop. 4 and Prop. 6 respectively. The set of simple paths is ﬁnite (and easily computable). 4.4 Computability of a minimal sound resource Now we propose a plain (and hence, may be, not the most eﬀective) algorithm for computing the minimal resource r such that (N, i|r) is sound: one tests soundness for incremented values of r until success. Note that this method can be applied only to sound nets, while soundness of the unmarked net can be checked with the algorithm given in Cor. 3. 5 Conclusion In this paper we have investigated the soundness property for workﬂow nets with one (unbounded) resource place. We have proved that soundness is decidable 74 PNSE’13 – Petri Nets and Software Engineering for marked and unmarked nets, and that the minimal sound resource can be eﬀectively computed. Our decision algorithms use the reduction to the reachability problem for unbounded Petri nets and hence cannot be considered eﬃcient. However, the ineﬃciency could be unavoidable, since RWF-nets are expressively rather close to ordinary Petri nets (VASS). Further research will concern decidability of soundness for the general case of RWF-nets. It is also quite interesting to apply some alternative notions of soundness to our inﬁnite-state workﬂow nets. The so-called relaxed soundness is of a particular interest. Relaxed soundness has been proposed as a weaker than soundness property. Some other interesting variants of soundness property are k-soundness, generalized and structural soundness [3]. The authors would like to thank the anonymous reviewers for their helpful comments. References 1. W.M.P. van der Aalst. The Application of Petri Nets to Workﬂow Management. The Journal of Circuits, Systems and Computers, 8(1):21–66, 1998. 2. W.M.P. van der Aalst, K.M. van Hee. Workflow Management: Models, Methods and Systems, MIT Press, 2002. 3. W.M.P. van der Aalst, K.M. van Hee, A.H.M. Hofstede, N. Sidorova, H.M.W. Verbeek, M. Voorhoeve, M.T. Wynn. Soundness of workﬂow nets: classiﬁcation, decidability, and analysis, Formal Aspects of Computing, 23(3):333–363, Springer, 2011. 4. P. A. Abdulla, K. Čerans. Simulation is decidable for one-counter nets. In Proc. CONCUR’98, vol. 1466 of Lecture Notes in Computer Science, pages 253–268, Springer, 1998. 5. K. Barkaoui, L. Petrucci. Structural Analysis of Workﬂow Nets with Shared Resources. In Proc. Workflow Management: Net-based Concepts, Models, Techniques and Tools (WFM98), volume 98/7 of Computing Science Reports, pages 82–95, Eidhoven University of Technology, 1998. 6. K. Barkaoui, R. Ben Ayed, Z. Sbaï. Workﬂow Soundness Veriﬁcation based on Structure Theory of Petri Nets. International Journal of Computing and Information Sciences, Vol. 5, No. 1, 2007. P.51–61. 7. V. A. Bashkin, I. A. Lomazova. Petri Nets and resource bisimulation. Fundamenta Informaticae, Vol. 55, No. 2, 2003. P.101–114, 8. V. A. Bashkin, I. A. Lomazova. Resource equivalence in workﬂow nets. In Proc. Concurrency, Specification and Programming, 2006, volume 1, pages 80–91. Berlin, Humboldt Universitat zu Berlin, 2006. 9. K. van Hee, N. Sidorova, M. Voorhoeve. Generalized Soundness of Workﬂow Nets is Decidable. In Proc. ICATPN 2004, volume 3099 of Lecture Notes in Computer Science, pages 197–216. Springer, 2004. 10. K. van Hee, A. Serebrenik, N. Sidorova, M. Voorhoeve. Soundness of ResourceConstrained Workﬂow Nets. In Proc. ICATPN 2005, volume 3536 of Lecture Notes in Computer Science, pages 250–267. Springer, 2005. V. Bashkin et al.: Soundness of WF Nets with an Unbounded Resource 75 11. K. van Hee, O. Oanea, A. Serebrenik, N. Sidorova, M. Voorhoeve, I.A. Lomazova. Checking Properties of Adaptive Workﬂow Nets. Fundamenta Informaticae, Vol. 79, No. 3, 2007. P.347–362. 12. J. Hopcroft, J.-J. Pansiot. On the reachability problem for 5-dimensional vector addition systems. Theoretical Computer Science, 8(2), 1979, pages 135–159. 13. N. Sidorova, C. Stahl. Soundness for Resource-Contrained Workﬂow Nets is Decidable. In BPM Center Report BPM-12-09, BPMcenter.org, 2012. 14. F. L. Tiplea, D. C. Marinescu. Structural soundness of workﬂow nets is decidable. Information Processing Letters, Vol. 96, pages 54–58. Elsevier, 2005. 6 Appendix Proof of Proposition 1. The proof is by contradiction. Let (N, i|r) be a sound RWF-net and let the net (Nc , i) be not sound. Then there exists a marking c ∈ R(Nc , i), such that either the ﬁnal marking o is not reachable from c, or o ∈ c and c 6= {o}. Since for the control subnet the control marking c is reachable from the initial marking i via some sequence of ﬁrings, we can always take a resource s, suﬃciently large to support the same sequence of ﬁrings for (N, i|r + s) and to reach the same control state c. If for the control subnet the ﬁnal state was not reachable from c, then adding resource places can’t make it reachable for the net with resources, i. e. for (N, i|r + s), in contradiction with the soundness of (N, i|r). If, otherwise, o ∈ c and c 6= {o}, then we also obtain a contradiction with the soundness of (N, i|r), since the control state c is reachable for (N, i|r + s). Proof of Proposition 2. (1) Similarly to the proof of the Proposition 1 we can always take a suﬃciently large initial resource r + s. (2) Suppose this is not true. Assume that for some c1 , c2 ∈ C(N ) we have c2 = c1 +c′ for some c′ 6= ∅. From the ﬁrst statement of this proposition it follows that there exist resources r1 and r2 s. t. RWF-nets (N, c1 |r1 ) and (N, c2 |r2 ) are sound. Then nets (N, c1 |r1 +r2 ) and (N, c2 |r1 +r2 ) are also sound. Thus the ﬁnal marking o|r′ is reachable from the marking c1 |r1 + r2 , and (due to monotonicity property of Petri nets) the marking o + c′ |r′ is reachable from the larger marking c2 |r1 + r2 — contradiction with the soundness for RWF-net (N, c2 |r1 + r2 ). 76 PNSE’13 – Petri Nets and Software Engineering Modeling Distributed Private Key Generation by Composing Petri Nets Luca Bernardinello1 , Görkem Kılınç1 , Elisabetta Mangioni1,2 , and Lucia Pomello1 Dipartimento di Informatica Sistemistica e Comunicazione, Università degli studi di Milano - Bicocca, Viale Sarca, 336 - Ediﬁcio U14 - I-20126 Milano, Italia 2 Istituto per la Dinamica dei Processi Ambientali, Consiglio Nazionale delle Ricerche (CNR-IDPA), Piazza della Scienza, 1 - Ediﬁcio U1 - I-20126 Milano, Italia 1 Abstract. We present a Petri net model of a protocol for the distributed generation of id-based private keys. Those keys can then be used for secure communications. The components of the system are built as reﬁnements of a common interface, by applying a formal operation based on a class of morphisms between Elementary Net Systems. It is then shown that we can derive behavioural properties of the composed system without building it explicitly, by exploiting properties of the given morphisms. Keywords: Petri Nets, morphisms, local state reﬁnement, composition, distributed private key generation 1 Introduction In [1] we proposed a way to compose Elementary Net Systems (ENS) by identifying conditions, places, and events. The identiﬁcation is ruled by a pair of morphisms from the two components to an interface. The interface is an ENS which can be seen as specifying the protocol of interaction between components, or a common abstraction. This framework was ﬁrst deﬁned relying on N-morphisms, originally introduced in [11], [4]. Later, the same operation was deﬁned over a new class of morphisms, called α-morphisms (see [3] and [1]). An α-morphism from an ENS N1 to an ENS N2 corresponds to a relation of reﬁnement: some subnets of N1 reﬁne conditions of N2 . This reﬁnement may require that some events be duplicated. Such morphisms are deﬁned and discussed in Section 3. When composing two ENS, N1 and N2 over an interface NI , the two morphisms towards the interface specify how each component reﬁnes parts of the interface. An uninterpreted example is given in Section 4. One of the claimed advantages of this approach to design is the ability to derive properties of the composed systems from properties of the components and 78 PNSE’13 – Petri Nets and Software Engineering of the morphisms, without the need to actually build and analyse the composed system. Ideally, one would like to derive behavioural properties, like liveness and safety properties, by analyzing only the structure of the models involved, thus avoiding the potentially high cost of computing the reachable markings. This is not always possible. Hence, the method we propose uses some behavioural information about components and interface; however, this is limited to only a part of the models, and does not involve the whole system model. Here, we test these ideas on a protocol for distributed generation of id-based cryptographic keys. The protocol, described in more detail in Section 5, requires the cooperation of several private key generators (PKGs) so that a client can build a private key. Basically, n PKG nodes come together to generate a master key pair consisting of a private and a public key. After that, each PKG node has a share for the master key pair. A client who wants to have a private key applies to k available PKG nodes. Each PKG node calculates a piece of the client’s private key by using the unique id-string of the client and the share of the master private key which is held by that speciﬁc PKG node. On receiving k pieces, the client continues to extract its private key. The so called bulletin board is responsible for the initialization of the components in the system and broadcasting the public parameters. During both the distributed generation of the master key pair and the extraction of the clients’ private keys, a veriﬁcation can be performed by using the commitment values and public keys held and broadcast by the bulletin board. The id-based distributed private key generation protocol was proposed in [5]; an improved version is presented in [6]. In [7], a Petri net model for the protocol to be implemented on industrial control systems is presented. In the next section, basic deﬁnitions related to ENS are recalled. Section 3 recalls the formal deﬁnition of α-morphisms and the properties they preserve or reﬂect and which are used in the rest of the paper. The deﬁnition of an operation of composition of ENS, based on α-morphisms, is informally recalled in Section 4 on the basis of an uninterpreted example. In the same section, the main result relating behavioral properties of the composed system to behavioral properties of its components is recalled. Section 5 presents the distributed private key generation protocol which is modelled by Petri nets in Section 6. In the same section, we analyze behavioural properties of the model. The paper is closed by a short concluding section. 2 Preliminary definitions In this section, we recall the basic deﬁnitions of net theory, in particular Elementary Net Systems and unfoldings [13]. A net is a triple N = (B, E, F ), where B is a set of conditions or local states, E is a set of events or transitions such that B ∩E = ∅ and F ⊆ (B ×E)∪(E ×B) is the ﬂow relation. L. Bernardinello et al.: Distr. Private Key Generation by Composing PNs 79 We adopt the usual graphical notation: conditions are represented by circles, events by boxes and the ﬂow relation by arcs. The set of elements of a net will be denoted by X = B ∪ E. The preset of an element x ∈ X is • x = {y ∈ X|(y, x) ∈ F }; the postset of x is x• = {y ∈ X|(x, y) ∈ F }; the neighbourhood of x is given by • x• = • x ∪ x• . These notations are extended to subsets of elements in the usual way. For any net N we denote the in-elements of N by ◦ N = {x ∈ X : • x = ∅} and the out-elements of N by N ◦ = {x ∈ X : x• = ∅}. A net N ′ = (B ′ , E ′ , F ′ ) is a subnet of N = (B, E, F ) if B ′ ⊆ B, E ′ ⊆ E, and F ′ = F ∩ ((B ′ × E ′ ) ∪ (E ′ × B ′ )). Given a subset of elements A ⊆ X, we say that N (A) is the subnet of N identiﬁed by A if N (A) = (B ∩ A, E ∩ A, F ∩ (A × A)). Given a subset of conditions A ⊆ B, we say that NA is the subnet of N generated by A if NA = (A, • A• , F ∩ ((A ∪ • A• ) × (A ∪ • A• ))). Note that given A ⊆ B, N (A ∪ • A• ) = NA . A State Machine is a connected net such that each event e has exactly one input condition and exactly one output condition: ∀e ∈ E, |• e| = |e• | = 1. Elementary Net (EN) Systems are a basic system model in net theory. An Elementary Net System is a quadruple N = (B, E, F, m0 ), where (B, E, F ) is a net such that B and E are ﬁnite sets, self-loops are not allowed, isolated elements are not allowed, and the initial marking is m0 ⊆ B. A subnet of an EN System N identiﬁed by a subset of conditions A and all its pre and post events, N (A ∪ • A• ), is a Sequential Component of N if N (A ∪ • A• ) is a State Machine and if it has only one token in the initial marking. An EN System is covered by Sequential Components if every condition of the net belongs to at least a Sequential Component. In this case we say that the system is State Machine Decomposable (SMD). Let N = (B, E, F, m0 ) be an EN System, e ∈ E and m ⊆ B. The event e is enabled at m, denoted m [ei, if • e ⊆ m and e• ∩ m = ∅; the occurrence of e at m leads from m to m′ , denoted m [ei m′ , iﬀ m′ = (m \ • e) ∪ e• . Let ǫ denote the empty word in E ∗ . The ﬁring rule is extended to sequences of events by setting m [ǫi m and ∀e ∈ E, ∀w ∈ E ∗ , m [ewi m′ = m [ei m′′ [wim′ ; w is called ﬁring sequence. A subset m ⊆ B is a reachable marking of N if there exists a w ∈ E ∗ such that m0 [wi m. The set of all reachable markings of N is denoted by [m0 i. An EN System is contact-free if ∀e ∈ E, ∀m ∈ [m0 i: • e ⊆ m implies e• ∩ m = ∅. An EN System covered by Sequential Components is contact-free [13]. An event is called dead at a marking m if it is not enabled at any marking reachable from m. A reachable marking m is called dead if no event is enabled at m. An EN System is deadlock-free if no reachable marking is dead. Let N = (B, E, F ) be a net, and let x, y ∈ X. We say that x and y are in conﬂict, denoted by x #N y, if there exist two distinct events ex , ey ∈ E such that ex F ∗ x, ey F ∗ y, and • ex ∩ • ey 6= ∅, where F ∗ is the reﬂexive and transitive closure of F . 80 PNSE’13 – Petri Nets and Software Engineering The semantics of an EN System can be given as its unfolding. The unfolding is an acyclic net, possibly inﬁnite, which records the occurrences of its elements in all possible executions. An occurrence net is a net N = (B, E, F ) such that if e1 , e2 ∈ E, e1 • ∩ e2 • 6= ∅ then e1 = e2 ; F ∗ is a partial order; for any x ∈ X, {y : yF ∗ x} is ﬁnite; #N is irreﬂexive and the minimal elements with respect to F ∗ are conditions. Occurrence nets were introduced in [10]; in [13] they are called branching process nets. A branching process of N is an occurrence net whose elements can be mapped to the elements of N . Let N = (B, E, F, m0 ) be an EN System, and Σ = (P, T, G) be an occurrence net. Let π : P ∪ T → B ∪ E be a map. The pair (Σ, π) is a branching process of N if π(P ) ⊆ B, π(T ) ⊆ E; π restricted to the minimal elements of Σ is a bijection on m0 ; for each t ∈ T , π restricted to • t is injective and π restricted to t• is injective and for each t ∈ T , π(• t) = • (π(t)) and π(t• ) = (π(t))• . The unfolding of an EN System N , denoted by Unf (N ), is the maximal branching process of N , namely the unique, up to isomorphism, branching process such that any other branching process of N is isomorphic to a subnet of Unf (N ). The map associated to the unfolding will be denoted u and called folding. 3 α-morphisms In this section we present the formal deﬁnition of α-morphisms [3, 2] for State Machine Decomposable Elementary Net Systems (SMD-EN Systems) and the structural and behavioural properties α-morphisms preserve and reﬂect. Definition 1. Let Ni = (Bi , Ei , Fi , mi0 ) be a SMD-EN System, for i = 1, 2. An α-morphism from N1 to N2 is a total surjective map ϕ : X1 → X2 such that: 1. 2. 3. 4. 5. ϕ(B1 ) = B2 ; ϕ(m10 ) = m20 ; ∀e1 ∈ E1 , if ϕ(e1 ) ∈ E2 , then ϕ(• e1 ) = • ϕ(e1 ) and ϕ(e1 • ) = ϕ(e1 )• ; ∀e1 ∈ E1 , if ϕ(e1 ) ∈ B2 , then ϕ(• e1 • ) = {ϕ(e1 )}; ∀b2 ∈ B2 (a) N1 (ϕ−1 (b2 )) is an acyclic net; (b) ∀b1 ∈ ◦ N1 (ϕ−1 (b2 )), ϕ(• b1 ) ⊆ • b2 and (• b2 6= ∅ ⇒ • b1 6= ∅); (c) ∀b1 ∈ N1 (ϕ−1 (b2 ))◦ , ϕ(b1 • ) = b2 • ; (d) ∀b1 ∈ ϕ−1 (b2 ) ∩ B1 , (b1 6∈ ◦ N1 (ϕ−1 (b2 )) ⇒ ϕ(• b1 ) = {b2 }) and (b1 6∈ N1 (ϕ−1 (b2 ))◦ ⇒ ϕ(b1 • ) = {b2 }); (e) ∀b1 ∈ ϕ−1 (b2 ) ∩ B1 , there is a sequential component NSC of N1 such that b1 ∈ BSC and ϕ−1 (• b2 • ) ⊆ ESC . We require that the map is total and surjective because N1 reﬁnes the abstract model N2 , and any abstract element must be related to its reﬁnement. L. Bernardinello et al.: Distr. Private Key Generation by Composing PNs 81 In particular, a subset of nodes can be mapped on a single condition b2 ∈ B2 ; in this case, we will call bubble the subnet identiﬁed by this subset, and denote it by N1 (ϕ−1 (b2 )); if more than one element is mapped on b2 , we will say that b2 is reﬁned by ϕ. In-conditions and out-conditions have diﬀerent constraints, 5b and 5c respectively. As required by 5c, choices which are internal to a bubble can not constrain a ﬁnal marking of that bubble: i.e., each out-condition of the bubble must have the same choices of the condition it reﬁnes. Instead, pre-events do not need this strict constraint (5b): hence it is suﬃcient that pre-events of any in-condition are mapped on a subset of the pre-events of the condition it reﬁnes. Moreover, the conditions that are internal to a bubble must have pre-events and post-events which are all mapped to the reﬁned condition b2 , as required by 5d. By requirement 5e, events in the neighbourhood of a bubble are not concurrent, and the same holds for their images. Within a bubble, there can be concurrent events; however, post events are in conﬂict, and ﬁring one of them will empty the bubble [8]. Moreover, given that a bubble can be abstracted by a single condition no input event of a bubble is enabled whenever a token is within the bubble [8]. It is possible to show that the family of SMD-EN Systems together with α-morphisms forms a category [8]. In [8] and [3] structural and behavioral properties preserved or reﬂected by αmorphisms has been studied. In particular, sequential components are reﬂected in the sense that the inverse image of a sequential component is covered by sequential components and α-morphisms preserve reachable markings. Moreover, stronger properties hold under additional constraints. In order to present them, we have to consider the following construction. Given an αmorphism ϕ : N1 → N2 , and a condition b2 ∈ B2 with its reﬁnement, we deﬁne two new auxiliary SMD-EN Systems. The ﬁrst one, denoted S1 (b2 ), contains the following elements: a copy of the subnet which is the reﬁnement of b2 , i.e.: the bubble; its pre and post events in E1 and two new conditions, denoted bin 1 and in out bout . b is pre of all the pre-events, and b is post of all the post-events. The 1 1 1 in initial marking of S1 (b2 ) will be {b1 } or, if there are no pre-events, the initial marking of the bubble in N1 . The second system, denoted S2 (b2 ), contains b2 , its pre- and post-events and two new conditions: bin 2 , which is pre of all the pre-events, and bout , which is post of all the post-events. The initial marking of 2 in S2 (b2 ) will be {b2 } or, if there are no pre-events, the initial marking of b2 . Deﬁne ϕS as a map from S1 (b2 ) to S2 (b2 ), which restricts ϕ to the elements of S1 (b2 ), in S out out and extends it with ϕS (bin 1 ) = b2 and ϕ (b1 ) = b2 . Note that S1 (b2 ) and S S2 (b2 ) are SMD-EN Systems and that ϕ is an α-morphism. Let Unf (S1 (b2 )) be the unfolding of S1 (b2 ), with folding function u : Unf (S1 (b2 )) → S2 (b2 ). Consider the following additional constraints: c1 the initial marking of each bubble is at the start of the bubble itself; formally, for each b2 ∈ B2 one of the following conditions hold: – ϕ−1 (b2 ) ∩ m10 = ∅ or – if • b2 6= ∅ then there is e1 ∈ ϕ−1 (• b2 ) such that ϕ−1 (b2 ) ∩ m10 = e1 • or – if • b2 = ∅ then ϕ−1 (b2 ) ∩ m10 = ◦ ϕ−1 (b2 ); 82 PNSE’13 – Petri Nets and Software Engineering c2 any condition is reﬁned by a subnet such that, when a ﬁnal marking is reached, this one enables events which correspond to the post-events of the reﬁned condition, i.e.: ϕS ◦ u is an α-morphism from Unf (S1 (b2 )) (in which we put a token in the in-condition of the net) to S2 (b2 ); c3 diﬀerent bubbles do not “interfere” with each other; where we say that two bubbles interfere with each other when their images share, at least, a neighbour. Note that the third constraint is not restrictive since the reﬁnement of two interfering conditions can be done in two diﬀerent steps. Under c1, c2, and c3, the following properties can be proved [8]: p1 reachable markings of N2 are reﬂected: for all m2 ∈ m20 , there is m1 ∈ m10 such that ϕ(m1 ) = m2 ; p2 N1 and N2 are weakly bisimilar: by using ϕ, deﬁne two labelling functions such that E2 are all observable, i.e.: l2 is the identity function, and the invisible events of N1 are the ones mapped to conditions; then (N1 , l1 ) and (N2 , l2 ) are weakly bisimilar (N1 , l1 ) ≈ (N2 , l2 ). For a deﬁnition of weak bisimulation of EN Systems see [12] and [9]. 4 Composition based on α-morphisms In this section, we recall the composition of SMD-EN Systems based on αmorphisms as deﬁned in [1], on the basis of an uninterpreted example given in Fig. 1. The two systems to be composed, N1 and N2 , must be mapped onto a common interface, which is another SMD-EN System NI . The interface can be seen, intuitively, as a protocol of interaction, with which the components must comply, or as a common abstraction; in this second view, each component can reﬁne some parts of the common abstraction. The two α-morphisms, from the components to the interface, determine how the two components reﬁne the local states of the interface, and then which elements are to be identiﬁed and which events in the two components have to synchronize. To compose two net systems, each must be canonical with respect to the corresponding morphism towards the interface. We say that a net system is canonical with respect to an α-morphism if each bubble contains a condition, called representation, that corresponds to the abstraction of that bubble. Examples of representations are rN1 (b1 ) and rN2 (b0 ) in Fig. 1. If a system is not canonical, it is always possible to construct its unique (up to isomorphism) canonical version by adding the missing representations, and marking them as their images, or by deleting the multiple ones. Because of the constraints on α-morphisms, and in particular of the ones on sequential components, point 5e of Def. 1, this construction does not modify the behaviour of the original system and the corresponding modiﬁed morphism is still an α-morphism. L. Bernardinello et al.: Distr. Private Key Generation by Composing PNs 83 Fig. 1: An example of composition based on α-morphisms In the example given in Figure 1 the interface NI is a simple sequence of two events. The two components, N1 and N2 , reﬁne two diﬀerent local states, b1 and b0 , each one by a subnet, shown on a gray background. The composed net N = N1 hNI iN2 contains the reﬁnement of each condition of the interface as it is in the two components, but for the representation, plus the condition itself, as we can see for condition b0 and b1 of the example. The rest of the net, not reﬁned by the components, is taken as it is, but for the synchronizations of the events in the neighbourhood of the reﬁnements/bubbles. Such events must be synchronized so that each possible pair composed by one event of a component and one event of the other component must be created, as we can see for events mapped on events e0 and e1 of Fig. 1. Then, also arcs between in- and out-condition of each bubble and its pre and post (synchronized) events must be created accordingly to the components. The initial marking is the union of the ones in the components. By construction, N = N1 hNI iN2 is an EN System, and it is covered by sequential components [8]. This construction leads to the deﬁnition of a map ϕ′i from N = N1 hNI iN2 onto Ni , i = 1, 2, relating each element local to a component to the corresponding 84 PNSE’13 – Petri Nets and Software Engineering representation and projecting synchronized events. In [8] it is proved that this map is an α-morphism and that the following diagram commutes. 9 NI e ϕ1 N1 d ϕ′1 ϕ2 ϕ′2 : N2 N1 hNI iN2 These results say that the composed system reﬁnes both the components, as well as the interface. The main result relating behavioral properties of the composed system to behavioral properties of its components is stated in the following Proposition [8], [2]. Proposition 1. Let Ni = (Bi , Ei , Fi , mi0 ) be an SMD-EN System for i = 1, 2, I. Let ϕi , with i = 1, 2, be an α-morphism from Ni to NI , and let N = N1 hNI iN2 be be the composition of N1 and N2 using ϕ1 and ϕ2 . If N1 is weakly bisimilar to NI then N = N1 hNI iN2 is weakly bisimilar to N2 . Where, the labelling functions are derived from ϕ1 and ϕ′2 , respectively, in such a way that EI and E2 are all observable and the invisible events of E1 and E are the ones which are mapped to conditions by ϕ1 and ϕ′2 , respectively. This result tells us, in particular, that the composition of reﬁnements N1 and N2 , which are weakly bisimilar to a common interface NI , yields a system N which is weakly bisimilar to NI ; and then, since bisimulation preserves deadlockfreeness, it is possible to deduce that N is also deadlock-free by verifying that NI is deadlock-free. Remember that by p2 it is possible to check weak bisimilarity between two systems related by an α-morphism by considering their behaviour only locally, as required by c1, c2, and c3. 5 Distributed private key generation for id-based cryptography In an id-based cryptographic system, unlike in the other public key cryptographic systems, a publicly known string such as e-mail address, domain name, a physical IP address or a combination of more than one strings is used as public key. The idea of id-based cryptography was ﬁrst proposed by Shamir in [14]. The proposed scheme enables users to communicate securely and to verify signatures without exchanging any private or public key. Consequently, there is no need for a certiﬁcation authority to verify the association between public keys and users. Basically, in an id- based cryptographic system there is a private key generator (PKG) which generates private keys for users. A PKG has a key pair which is referred as master key pair consisting of a master private key and a master L. Bernardinello et al.: Distr. Private Key Generation by Composing PNs 85 public key. A PKG generates a private key for a user basically by ﬁrst hashing its publicly known unique identity string then signing hashed id by the master private key. Later, the user can verify its key by using the master public key. Since the PKG can generate private keys for users, it can sign or decrypt a message for any user or it can make users’ private keys public. This problem about private key generation is called the key escrow problem. Distributed private key generation (DPKG) is one of the eﬀective solutions to the key escrow problem. In both schemes [5], [6] secret sharing methods are used for distributing private key generation among multiple PKGs. In a DPKG there is a number of PKG nodes participating while they share the responsibility equally. In our work we followed the identity based distributed private key generation schemes presented in [5] and [6]. For more details about the algorithms and the terminology it is recommended to refer to these citations. The components of a DPKG system are divided into two main groups as PKG nodes and clients. PKG nodes are responsible for generating private keys for clients in a distributed manner. There is also a third component called bulletin board which is responsible for managing the global system variables, collecting the commitments from PKG nodes, calculating the ﬁnal commitment and broadcasting these commitments. We can examine DPKG protocol in three steps: setup, distribution and extraction. Setup is a preparation step to create the system parameters and to get ready for extracting the master key pair distributively and extraction of private keys. In this step, bulletin board is given a security parameter and chooses some system variables according to this given security parameter; it then broadcasts public system parameters to be used by the other system components. It also initializes the commitment values to zero in order to set them to the values it will receive from PKG nodes in the distribution step. Final commitment is also set to zero which will be calculated using the received commitments and it will be broadcast later. Distribution step is illustrated in Figure 2. In this step, n PKG nodes create a master private key together without using any dealer in a way that the key cannot be reconstructed without retrieving k shares from these n PKGs. k is the threshold number of PKG nodes needed to collaborate together in order to construct the key. To do this, an improved version of (n, k) Feldman’s secret sharing scheme stated in [6] is used. The idea behind secret sharing without a dealer is to make each PKG node create a secret of their own and calculate subshares to distribute among other PKG nodes. At the end, each PKG node will have n subshares including the one it calculated for itself. The sum of these subshares will be the share of the PKG node for the master private key. During the calculation of the subshares each PKG node also creates commitments corresponding to the subshares calculated by them. These commitments are sent to the bulletin board to be used by the PKG nodes for the veriﬁcation of the received subshares. Note that, in this DPKG system none of the PKG nodes knows the master secret key since each of them has only a part of it. 86 PNSE’13 – Petri Nets and Software Engineering Fig. 2: Block schema of the distribution step of private key generation. Fig. 3: Block schema of the extraction step. L. Bernardinello et al.: Distr. Private Key Generation by Composing PNs 87 In extraction step, as it is illustrated in Figure 3, a client with identity string ID contacts k available nodes from the PKG nodes pool. Each PKGi signs hashed identity string of the client with its master private key share and returns a private key piece as si H(ID) over a secure and authenticated channel. After receiving k pieces from k available PKG nodes, client constructs its private key. The client can verify the key by using bilinear pairings as it is stated in [6] and [7]. 6 The model of DPKG In this section, we present Petri net model of a simpliﬁed DPKG system with three PKG nodes while the threshold number is two. We ﬁxed these numbers for the simplicity but the generated model is more generic and can easily be modiﬁed for diﬀerent threshold and PKG node number as it will be discussed through this section. Our model consists of the following three nets: NI , NP KG and NC . NI is the common interface between NP KG and NC . It is an abstract model of the whole system which represents the interaction between the main components of the system. This model also includes the abstract behavior of the bulletin board which is basically responsible for managing the global system variables and commitments. NP KG is the net representing the behavior of PKG nodes while NC is the net representing the behavior of clients in the DPKG system. We aim to compose NP KG and NC using NI as the common interface and prove that the composed net NP KG hNI iNC and the interface NI preserve and reﬂect some properties presented in Section 3 since there is an α-morphism both from NP KG to NI and from NC to NI . NI , which is the net representing the interface, is given in Figure 4. This net is an abstract model of the behavior of all three system components: bulletin board, PKG nodes and clients. The system is idle in the beginning. After event init occurs, system components are initialized and all PKG nodes are ready for generating a secret key distributedly. The event init includes the setup step of the protocol which is explained in Section 5. The condition calculate shares represents the whole process including calculating subshares and exchanging between PKG nodes in order to calculate their shares for the master private key. During this, each PKG node chooses a secret polynomial. It calculates the commitment corresponding to its secret polynomial and sends it to the bulleting board. It also calculates n subshares using its polynomial where n is the number of PKG nodes in the system. Each PKG node sends the subshare to the related PKG node. After exchanging is completed each PKG node will have n − 1 subshares sent by other PKG nodes and one subshare of its own. By using these n subshares each PKG node calculates its share. When the condition shares calculated becomes true, it means that all the PKG nodes ﬁnished calculating share and each of them is holding a share. Once PKG nodes have their shares, they can verify their shares using the ﬁnal commitment value which is already calculated during the abstract event calculate shares. If all the shares are correctly veriﬁed, the condition shares ver- 88 PNSE’13 – Petri Nets and Software Engineering Fig. 4: NI , the net representing the interface. iﬁed becomes true so a client can apply for extracting a private key. In this model, event apply includes choosing k available PKG nodes, receiving k pieces and calculating its private key using these pieces. When the condition key is true, the client has a key but we do not know if the key is correct or not by looking in this abstract model. In both cases new request event can occur or the system can continue with a restart which repeats the whole distributed private key generation. In case of a fail during the veriﬁcation of shares, the system is forced to a restart without a key extraction. NI is a live and reversible net which means that from any reachable marking one can always get back to the initial state. These two properties are important because a DPKG system must always be alive to respond to the clients’ key requests and key generation process must be restartable whenever it is needed. The net NI is also covered by sequential components which is a requirement in order to be able to look for an α-morphism. The sequential components covering the net can be shown as lists of conditions: {idle, ready, shares calculated, shares veriﬁed, key, restart requested }, {idle, client, key}. Figure 5 shows the net NP KG . This net reﬁnes the interface with respect to PKG nodes’ behavior. All the elements of NP KG are mapped to the element with the same name in NI but for the subnet circled by dashed line that is L. Bernardinello et al.: Distr. Private Key Generation by Composing PNs Fig. 5: NP KG , the net representing the PKG nodes. 89 90 PNSE’13 – Petri Nets and Software Engineering mapped to a single condition. This subnet forms a bubble which is a reﬁnement of the condition shares calculated in NI . The bubble shows the calculation and exchange of subshares between three PKG nodes and calculation of shares by each PKG node whereas in NI the occurrence of the whole process is abstracted by one condition. If we model a system with n PKG nodes instead of three nodes, only the bubble will grow, the other elements of the net will remain the same. NP KG is also live, reversible and covered by sequential components like NI . It is already shown that the conditions outside the bubble are covered by sequential components. Thus, here we will only show how the bubble is covered by sequential components. After event calculate shares the net branches into three paths and after each event calculate subshares i for i = 1, 2, 3 the net branches again into three paths. This fact results in having nine sequential components inside the bubble. Here we present only some of the sequential components as the lists of conditions that construct the components: {p1, subshare 1-2, subshare 1_2, share 2, shares calculated }, {p1, subshare 1-1, share 1, shares calculated}, {p1, subshare 1-3, subshare 1_3, share 3, shares calculated}. The paths starting with conditions p2 and p3 can also be constructed in the same way. In order to prove that there is an α-morphism from NP KG to NI we have to show that the requirements in Deﬁnition 1 are satisﬁed. To begin with, the initial states of NP KG and NI are related. For all the events in NP KG which are mapped to an event in NI , also the pre-conditions and post conditions of these events are mapped to the pre and post-conditions of the related events in NI . Moreover, for all the events in NP KG that are mapped to a condition in NI , all the pre and post-conditions of that event are also mapped to the same condition in NI . We see that the nets satisfy the ﬁrst four requirements of α-morphism. To continue with, we can see that the bubble in NP KG is acyclic so 5a is satisﬁed. As seen in Figure 5 all the in-elements of the bubble are generated by the only one event entering the bubble which is mapped to the corresponding event in the interface, calculate shares. It is also seen that post-events of the out-condition of the bubble are exactly the same post-events of the corresponding condition in the interface. Thus, 5b and 5c are satisﬁed. 5d is also satisﬁed because the conditions that are internal to the bubble have pre-events and post-events which are all mapped to the reﬁned condition shares calculated in NI but for in and out-elements. Finally, as we already listed the sequential components of the net, it is easy to see that for each condition of the bubble there is a sequential component containing that condition and all the pre and post-events of the bubble, so requirement 5e is satisﬁed. In this way, we proved that there is an α-morphism from NP KG to NI . The net shown in Figure 6, NC , is the net representing the behavior of a client. While it includes the whole abstract model, it reﬁnes the key extraction process of a client. The bubble shown with a dashed line is the reﬁnement of the condition key in the interface NI . In this reﬁnement, receiving two pieces from chosen PKG nodes, calculating the private key and veriﬁcation of it is modeled in more details. In a DPKG system where the threshold number is two, when a client applies for a private key, it receives two pieces from two available PKG nodes. The client can verify the pieces it received. If both pieces are veriﬁed L. Bernardinello et al.: Distr. Private Key Generation by Composing PNs Fig. 6: NC , the net representing the clients. 91 92 PNSE’13 – Petri Nets and Software Engineering then the client can extract its private key by using these pieces and the system reaches a state where extraction is successful. In case at least one of the pieces are not veriﬁed then the condition extraction not successful becomes true. After both failed or successful extraction, the system reaches a state where extraction ended is true and a new key can be requested by the same client or by any other client in the system. Again if we improve the model for threshold value k instead of two, only the bubble will grow but the other elements of the net will remain the same. This net is also live, reversible and covered by sequential components. Here we give the sequential components which are enough to cover the net as lists of conditions: {idle, ready, shares calculated, shares veriﬁed, piece 1, piece 1 veriﬁed, piece 1 not veriﬁed, extraction successful, extraction not successful, extraction ended, restart requested }, {idle, ready, shares calculated, shares veriﬁed, piece 2, piece 2 veriﬁed, piece 2 not veriﬁed, extraction successful, extraction not successful, extraction ended, restart requested}, {client, idle, piece 1, piece 1 veriﬁed, piece 1 not veriﬁed, extraction successful, extraction not successful, extraction ended }. It is very easy to see that the ﬁrst four requirements of α-morphism are already satisﬁed so we can continue with checking the rest of the requirements. The bubble contains no cycles so 5a is satisﬁed. All the in-elements of the bubble are generated by the only one event entering the bubble which is mapped to the corresponding event in the interface, apply. There is also only one post-event of out-condition of the bubble which empties the bubble and this event is mapped to the post-event of key. With these observation it is easy to see that 5b and 5c are satisﬁed. 5d is also satisﬁed because the conditions that are internal to the bubble have pre-events and post-events which are all mapped to the reﬁned condition key in NI but for in and out-elements. Finally, as we already listed the sequential components of the net, it is easy to see that for each condition of the bubble there is a sequential component containing that condition and all the pre and post-events of the bubble, so requirement 5e is satisﬁed. Considering all the requirements, we can say that there is an αmorphism between NC and NI . Now that we proved that there is an α-morphism both from NP KG to NI and from NC and NI , we can prove that the composed net is weakly bisimilar to the interface by showing that some additional requirements which are stated as c1, c2, and c3 in Section 3 are satisﬁed by NP KG and NC . Proposition 1 states that if both of the components are weakly bisimilar to the interface, then the composed net is also weakly bisimilar to the interface. Thus, here we ﬁrst show that NC is weakly bisimilar to the interface NI . To do this, we follow the construction of the two auxiliary nets given in Section 3, i.e., we consider the bubble in NC and the corresponding condition key in NI and we add their pre and post-events to the subnets. We also add two more conditions to each subnet: one condition to be a pre-condition to all pre-events and another condition to be a post-condition to all post-events. Let us name these two subnets as SC (key) and SI (key). Finally, we build the unfolding of L. Bernardinello et al.: Distr. Private Key Generation by Composing PNs 93 Fig. 7: Unf (SC (key)) and SI (key) SC (key), represented as Unf (SC (key)). The resulting nets are shown in Figure 7. We follow the same procedure for NP KG and we get two subnets Unf (SP KG (shares calculated )) and SI (shares calculated) as in Figure 8. When we examine these subnets, we see that no condition of the bubbles is in the initial marking. Any condition is reﬁned by a subnet such that, when a ﬁnal marking is reached, this one enables events which correspond to the post-events of the reﬁned condition, so there is an α-morphism both from Unf (SC (key)) to SI (key) and from Unf (SP KG (shares calculated)) to SI (shares calculated). Thus, c1 and c2 are satisﬁed. Since there is only one bubble in both NP KG and NC , c3 is automatically satisﬁed. Consequently, we can say that the additional properties p1 and p2 are held. Moreover, considering Proposition 1, we can conclude that the composed net NP KG hNI iNC is weakly bisimilar to NI . Knowing that our nets satisfy the requirements of α-morphisms and the other three additional constraints, give us the ensurance that, in addition to weakly bisimulation, the nets preserve another important property stated in p1. The property of reﬂecting reachable markings gives us a big advantage in performing reachability analysis. Instead of analyzing the big composed net with respect to reachability of a speciﬁc marking we can analyze the interface for the corresponding marking in the interface. To give an example, we can consider the existence of the following situation in the composed net NP KG hNI iNC : the 94 PNSE’13 – Petri Nets and Software Engineering Fig. 8: Unf (SP KG (shares calculated)) and SI (shares calculated) condition shares veriﬁed should not be true while there is at least one token in any bubble. Performing a reachability analysis on the composed net is complex in terms of time and space since both the net and the logic formula we have to use to represent the interested global state are big. Instead, the mentioned global state can be easily translated into a global state of the interface, NI . Since each bubble in the composed net is mapped to a condition in the interface, reachability analysis becomes easier. The previously mentioned critical situation is reﬂected in the interface as the following: the condition shares veriﬁed cannot be true while key or shares calculated is true. Performing a reachability analysis for existence of this situation in NI is easier than analyzing the composed net. Moreover, we do not even need to build the composed net. 7 Conclusion We have developed a Petri net model of a protocol for distributed generation of private keys. The model has been obtained by composing two net models on a common interface. The ﬁrst component models the interactions among PKG nodes, while the second component models clients of the key generator. Both components reﬁne a common interface, representing the interactions among components. L. Bernardinello et al.: Distr. Private Key Generation by Composing PNs 95 We have then discussed behavioural properties of the model, directly derivable from properties of the components without generating the composed net. In particular, we have shown that some markings are not reachable. On one hand, we have veriﬁed modeling and analysis capacity of the compositional approach proposed in [2] by means of a real world example. On the other side, we have proposed a model of distributed private key generation protocol by using the compositional approach. We now plan to explore how to extend the approach to other classes of Petri nets, particularly PT nets and high-level nets. With respect to the model, we plan to improve it giving a less abstract speciﬁcation in order to propose a formal veriﬁcation of the protocol and to discuss its weak and strong aspects. Acknowledgements This work was partially supported by MIUR. References 1. Luca Bernardinello, Elisabetta Mangioni, and Lucia Pomello. Composition of Elementary Net Systems based on α-morphisms. In Michael Köhler-Bußmeier, editor, Joint Proc. of LAM’12, WooPS’12, and CompoNet’12, Hamburg, Germany, June 25-26, 2012, volume 853 of CEUR Workshop Proceedings, pages 87–102. CEURWS.org, 2012. 2. Luca Bernardinello, Elisabetta Mangioni, and Lucia Pomello. Local state reﬁnement and composition on elementary net systems: an approach based on morphisms. Transactions on Petri Nets and Other Models of Concurrency (ToPNoC), special issue based on the workshops of Petri nets 2012 (to appear), 2012. 3. Luca Bernardinello, Elisabetta Mangioni, and Lucia Pomello. Local State Reﬁnement on Elementary Net Systems: an Approach Based on Morphisms. In Lawrence Cabac, Michael Duvigneau, and Daniel Moldt, editors, Petri Nets and Software Engineering. International Workshop, PNSE’12, Hamburg, Germany, June 25-26, 2012. Proceedings, volume 851 of CEUR Workshop Proceedings, pages 138–152. CEUR-WS.org, 2012. 4. Luca Bernardinello, Elena Monticelli, and Lucia Pomello. On preserving structural and behavioural properties by composing net systems on interfaces. Fundam. Inform., 80(1-3):31–47, 2007. 5. Dan Boneh and Matthew K. Franklin. Identity-based encryption from the weil pairing. SIAM J. Comput., 32:586–615, 2003. 6. Aniket Kate and Ian Goldberg. Asynchronous distributed private-key generators for identity-based cryptography. IACR Cryptology ePrint Archive, 2009:355, 2009. 7. Gorkem Kilinc, Igor Nai Fovino, Carlo Ferigato, and Ahmet Koltuksuz. A model of distributed key generation for industrial control systems. In 11th Workshop on Discrete Event Systems, volume 11, pages 356–363, Guadalajara, Mexico, 2012. 8. Elisabetta Mangioni. Modularity for system modelling and analysis. PhD thesis, Università degli Studi di Milano-Bicocca, Dottorato di ricerca in Informatica, ciclo 24, 2013. 96 PNSE’13 – Petri Nets and Software Engineering 9. Robin Milner. Communication and concurrency. Prentice-Hall, Inc., Upper Saddle River, NJ, USA, 1989. 10. Mogens Nielsen, Gordon D. Plotkin, and Glynn Winskel. Petri nets, event structures and domains, part i. Theor. Comput. Sci., 13:85–108, 1981. 11. Mogens Nielsen, Grzegorz Rozenberg, and P. S. Thiagarajan. Elementary transition systems. Theor. Comput. Sci., 96(1):3–33, 1992. 12. Lucia Pomello, Grzegorz Rozenberg, and Carla Simone. A survey of equivalence notions for net based systems. In Grzegorz Rozenberg, editor, Advances in Petri Nets: The DEMON Project, volume 609 of Lecture Notes in Computer Science, pages 410–472. Springer, 1992. 13. Grzegorz Rozenberg and Joost Engelfriet. Elementary net systems. In Wolfgang Reisig and Grzegorz Rozenberg, editors, Petri Nets, volume 1491 of Lecture Notes in Computer Science, pages 12–121. Springer, 1996. 14. A. Shamir. Identity-based cryptosystems and signature schemes. Advances in Cryptology: Proceedings of CRYPTO 84, Lecture Notes in Computer Science, 7:47– 53, 1984. Integrating Web Services in Petri Net-based Agent Applications Tobias Betz, Lawrence Cabac, Michael Duvigneau, Thomas Wagner, Matthias Wester-Ebbinghaus University of Hamburg Faculty of Mathematics, Informatics and Natural Sciences Department of Informatics {betz,cabac,duvigne,wagner,wester}@informatik.uni-hamburg.de http://www.informatik.uni-hamburg.de/TGI Abstract. The context of this paper is given through a software engineering approach that uses Petri nets as executable code. We apply the particular understanding that Petri nets are not only used to model systems for design purposes but also to implement system components. Following this approach, we develop complex Petri net-based software applications according to the multi-agent paradigm. Agent-internal as well as agent-spanning processes are implemented directly as (high-level) Petri nets. These nets are essential parts of the resulting software application – alongside other parts (operational and declarative ones), which are implemented using traditional ways of programming. One of our goals is to open our Petri net-based agent framework Mulan/ Capa so that multi-agent applications can communicate and interoperate with other systems – especially with Web-based applications. For this cause, we present a gateway solution to enable Petri net-based applications to access Web services as well as to oﬀer Web services to other applications: the WebGateway. Besides describing the WebGateway extension itself, we use its presentation to demonstrate the practicability of the Petri net-based software engineering approach in general. We emphasize two beneﬁts: (1) Petri net models serve as conceptual models that progressively reﬁne the constructed system from simple models to welldeﬁned speciﬁcations of the systems. This improves the understanding of the systems. (2) Having essential parts of the software system being implemented with Petri nets allows to carry out (partial) veriﬁcation of our application code by means of standard formal methods from the ﬁeld of Petri net theory. Keywords: Web Services, High-Level Petri Nets, Multi-Agent Systems, Mulan, Renew, P∗aose 1 Introduction One of the most frequent requirements for modern software applications is to open the access of the offered functionality to other entities in the World Wide 98 PNSE’13 – Petri Nets and Software Engineering Web. In this paper we address the topic of meeting this requirement for Petrinet based software applications. We present a gateway solution for allowing Petri net-based applications to access Web services as well as offering Web services themselves. The usefulness of Petri nets for software engineering has been recognized in the context of many paradigms like object-orientation [1], components / plugins [7,16,22] or agent-orientation [17,20]. However, in this paper we assume a particular understanding of Petri net-based software. In addition to using Petri nets for design-level artifacts and for verification of certain system properties, we utilize Petri nets as our implementation language. More concretely, we rely on the high-level Petri net formalism of Java reference nets [7,18] that allows to combine multi-level Petri net modeling (according to the nets-withinnets concept [25]) with Java programming. The formalism is supported by the Renew1 tool (http://www.renew.de). We have developed the multi-agent system (MAS) framework Mulan1 based on Java reference nets. It provides a powerful middleware for running distributed multi-agent applications on multiple instances of Renew. In addition, we have developed a Petri net-based agent-oriented software engineering approach (P∗aose1 ) for the construction of such multi-agent applications. With the WebGateway extension, we introduce the latest addition to our Petri net-based software engineering framework Mulan/Capa. While the Mulan model is often referred to as the reference architecture, Capa (Concurrent Agent Platform Architecture) is an extension and implementation of Mulan. Capa [11] provides convenient ontology-based message processing and an infrastructure for FIPA-compliant agent management and IP-based transport services. Capa is, thus, one implementation of the reference architecture Mulan. It allows to integrate Mulan applications into Web-based environments via Web services. This opens Mulan applications in the sense that Mulan agents can now access resources external to the agent world in a uniform way via Web Services instead of having to be equipped with proprietary connectors. In the other direction, Mulan agents publish and offer their own services also as Web services and thus can equally be accessed uniformly from anywhere across the Web. Again, we stress our specific understanding of Petri net-based software, which carries over to the integration with Web services. Usually, work on Petri nets and Web services deals with providing semantics to modeling notations that are used within the Web context, like BPEL [13] and some translations [15]. Our approach is to provide a way to offer Web services that are actually realized by the execution of Petri net models. The other way round, the execution of Petri net-based applications can include the access of arbitrary Web services. The concrete aim of this paper is twofold. Firstly, we introduce the WebGateway itself as a solution for bringing Petri net-based applications and Web services together. Secondly, we use the WebGateway extension as an example 1 For more detailed information about Renew, Mulan and P∗aose see [5] and http: //www.paose.net. L. Cabac et al.: Integrating Web Services in PN-based Agent Applications 99 for the general benefits that underlie our approach of Petri net-based software engineering. We claim that these benefits are basically: 1. We follow an engineering approach, in which we move from conceptual models as design artifacts to refined, technical models as software artifacts. In our opinion, this approach of implementation through specification allows to iteratively build models/code in a documented and comprehensible way. In addition, core features of a system can be determined early on and maintained in further refinements. 2. By using Petri nets as code we can verify our application code. Of course, this can only happen within certain limits. Both the nets-within-nets nature of our models and the use of Java inscriptions prohibit a comprehensive verification. Nevertheless, we can define abstractions (e.g. P/T net abstractions) of our program code and verify specific properties (e.g. properties of sound workflows) with respect to them. This allows at least partial verification of our application code (which could possibly be supplemented with unit testing mechanisms for reference nets, cf. Section 8 and [8]). The outline of the paper is as follows. In Section 2, we present the conceptual model of our WebGateway extension for bringing Petri net-based (agentoriented) applications and Web services together. Based on this, we present details of the WebGateway implementation in Section 3. In combination, these two sections demonstrate the benefits and practicability of our implementation through specification approach. In Section 4, we demonstrate how the WebGateway and one particular Petri net-based Web service are deployed in the context of our integrated project management environment (IPME) on a day-to-day basis. Section 5 presents a further insight to the implementation in order to demonstrate the refinement process of the model. We discuss the results of the paper in Section 6, position them in the context of related work in Section 7 before we conclude the paper in Section 8. 2 Conceptual Gateway Architecture The WebGateway extension to our multi-agent framework Mulan/Capa is realized by a WebGateway agent. This agent is coupled to a (jetty) Web Server and thus brings the two worlds of the (Web service-based) Internet and multi-agent systems together. In Section 3, we address technical details of the WebGateway realization. In this section, we focus on the conceptual architecture. Along the way, we demonstrate the usefulness of applying a Petri net-based modeling approach. We progressively refine a simple architectural model to a meaningful and well-defined specification. This specification then represents the basis on which to actually implement the WebGateway agent’s behavior. Due to space limitations, we cannot address the whole functionality of the WebGateway. Instead we concentrate on handling Web requests and responses. Further topics and challenges will be addressed in the following section. 100 PNSE’13 – Petri Nets and Software Engineering Figure 1 illustrates our starting point. In order to provide communication in such a heterogeneous setup consisting of Web and multi-agent system parts, the communication has to be facilitated. The WebGateway provides the translation as an adapter between the two worlds of communication. For this it provides two interfaces: one for Web-based communication and one for FIPA2 -compliant communication. The interfaces are depicted in Figure 1 as white rectangles. The Internet is shown as a cloud and the Mulan reference model (cf. [17]) stands as an exemplary multi-agent system. Figure 1. WebGateway context. In the following we will consecutively refine the WebGateway as a Petri net model. Figure 2 shows the first step of this refinement. The WebGateway’s main functionality of translating messages from one domain to the other is represented as two transitions that are included in the transformation component. The two interfaces are now depicted as transitions.3 Messages may enter through the interface transitions with outgoing arcs, are received on the buffer places and ready for transformation processing. Figure 2. Simple WebGateway architecture model 2 3 Foundation for Intelligent Physical Agents: http://www.fipa.org. The notion of transitions being interfaces ﬁts nicely with an object-oriented paradigm, if one presumes that these (on one side open) transitions are one port of synchronous channels. L. Cabac et al.: Integrating Web Services in PN-based Agent Applications 101 Translation is an important and already technically challenging part (cf. the following section) but by far not the only task of the WebGateway. In addition, it has to make sure that responses are matched to requests across the heterogeneous setup. In our approach the WebGateway keeps a copy of a request message in order to be able to provide this matching. Thus responses can be routed to the right recipient. In Figure 3 an exemplary conversation direction is modeled: a request from the Web to an agent-implemented service. The original request (e.g. from a Web browser) is a JSON message (JavaScript Object Notation). The WebGateway translates this message to FIPA-SL (Semantic Language), which can be understood by agents in the multi-agent system. A copy of the message is kept within the gateway, which allows the gateway to route the response message to the requester after the answer has been translated back from FIPA-SL to JSON. Please note that JSON stands for just one possibility of a Web message’s content. Content types like XML or HTML form data can be translated in a similar fashion. Figure 3. WebGateway architecture model for handling Web-client requests While Figure 3 covers one exemplary interaction type, namely a request sent by a Web-based client to an agent-based service, the WebGateway also provides the possibility that a Web service request is initiated from the agent’s side. In this case an SL encoded request will be translated to (for instance) JSON, a copy of this message will be kept for later routing and the answer from a Web application will be translated from JSON to SL in order to deliver it to the requesting agent. Both initiating directions are supported by the WebGateway and use the same interface as depicted in Figure 4. In addition to the request interactions covered so far, the WebGateway also supports a uni-directional communication (inform interaction), which is not discussed here. While this conceptual Petri net model of the WebGateway architecture shows the basic (internal) behavior of the WebGateway, it neither specifies the interactions between WebGateway and Web applications or agents nor does it present a realistic level of detail for the implementation of the WebGateway agent. These details are covered in the following section. 102 PNSE’13 – Petri Nets and Software Engineering Figure 4. WebGateway architecture for two-way service request handling 3 WebGateway: Integration and Details In order to achieve a concrete implementation of the abstract architecture described in the previous section we need to combine multiple technologies, which are well established in the world of multi-agent systems and Web services. In this section, we describe how those technologies are combined for the implementation of the WebGateway in order to obtain the desired integration of both application domains. For this we present two parts of the adapter functionality of the WebGateway. The first is concerned with the message routing and translation as well as service registration. It focuses on the Web interface side, which is – from the perspective of the muulti-agent system – the external interface. The realization of this interface, which requires the integration of the required technologies, is presented in Section 3.1. The second part focuses on the WebGateway as a part of the agent system and its communication with other agents. Hence, Section 3.2 introduces the communication protocols providegd with the WebGateway. 3.1 Integration of the Required Technologies An initial requirement is that the WebGateway must be able to interact with communication partners of both worlds. For that reason the WebGateway provides two communication interfaces as shown in Figure 5 where we have included the conceptual architecture model from the previous section in order to illustrate its relation to the actual WebGateway implementation. As the WebGateway is realized as an agent itself, the agent interface for communication with other agents is inherently part of the underlying multiagent system framework (Mulan/Capa in our case). Consequently, the ordinary FIPA-compliant agent communication infrastructure of our framework enables L. Cabac et al.: Integrating Web Services in PN-based Agent Applications 103 Figure 5. Integration of the WebGateway in the multi-agent system communication with other agents both on the same platform and on remote platforms. This part can be considered as the WebGateway’s internal communication interface. In addition, the WebGateway agent needs a Web interface that serves the communication with Web services and Web clients. It is realized using a Web server (Jetty, http://www.eclipse.org/jetty). This is where we have extended our framework. For each Mulan/Capa host, one Web server is launched. A Mulan/Capa host may include multiple agent platforms, but typically we have a one-to-one correspondence between a host and a platform. For each platform, a WebGateway agent is launched and connects automatically to the platform’s (/host’s) Web server. This part can be considered as the WebGateway’s external communication interface. The Web server enables communication between the WebGateway agent and Web services/clients using the well established HTTP protocol (Hypertext Transfer Protocol, http://www.w3.org/Protocols) as well as the HTML5 WebSocket protocol (http://dev.w3.org/html5/websockets/). In contrast to HTTP, a WebSocket connection allows to exchange messages asynchronously between client and server. This allows more flexibility for browserbased Web applications and fits quite well with the agent paradigm as it traditionally relies on asynchronous interactions. Besides mediating communication technically, there remain further challenges in order for the WebGateway to really provide a transparent and bidirectional communication between the agent and the Web service world. We identify the following required key features. 1. Routing and management of messages between the different interfaces. 2. Registration and management of agent services that are published as Web services and vice versa. 3. A two-way translation of the supported message encodings. The first mentioned feature is specifically addressed by the conceptual architecture for the WebGateway from the previous section. More (technical) details 104 PNSE’13 – Petri Nets and Software Engineering of our solution concerning the cross-technological tracking and routing of messages can be found in [4]. For the second mentioned feature, our approach supports – and actually is limited to – RESTful Web services. The REpresentational State Transfer (REST) architecture [12] gained increased attention because of its simplicity of publishing and consuming services over the Web. The architecture is based on resources that identify the participants of service interactions and that are addressed with globally unique URIs4 . Such a resource can be manipulated over a uniform interface with a fixed set of operations (GET, POST, PUT, DELETE, etc.) that are traditionally part of the underlying HTTP networking protocol. Resources are also decoupled from their representations so that their content can be accessed in a variety of formats e.g. HTML, JSON5 , XML or even JPEG images. For our purposes, we treat artifacts from the multi-agent world (hosts, platforms, agents, agent services) as REST resources in the Web world. The technical counterparts for these agent-based REST resources on the Web server side are implemented as Java Servlets6 . These are responsible for providing the resource representations and also act as connection endpoints for HTTP and WebSocket connections, forwarding all incoming messages to the responsible WebGateway agent. In [4], we provide more details on addressing agent-based REST resources and on how to provide suitable presentations. The last mentioned feature was also briefly addressed in the previous section (translation between FIPA-SL and JSON/XML/HTML form data). We will not cover this topic here, but again refer to [4]. 3.2 The WebGateway as a Mulan/Capa Agent So far we have mainly focused on Web technologies that are necessary for realizing the WebGateway according to the conceptual architecture presented in the previous section. However, we have already stressed the fact that the WebGateway is actually realized as an agent in our Mulan/Capa framework. We have presented the development approach (P*aose) for Mulan/Capa multiagent systems together with corresponding tools on other occasions (cf. [5,6]). Basically, a Mulan/Capa agent is designed in terms of three aspects: agent knowledge, agent-internal processes, agent-spanning processes. These aspects eventually manifest in three types of software artifacts for agent implementation: a knowledge base, decision components (DCs) for managing agent-internal processes and protocols for managing interactions with other agents. In this paper, we will not comprehensively cover all details of developing the WebGateway agent but provide an overview of the necessary parts. Basically, the conceptual architecture described in Section 2 provides the groundwork, on which the agent’s decision components are designed. In the previous subsection, we have covered the technologies that are needed to flesh out the conceptual architecture in order to arrive at an actual implementation. 4 5 6 Uniform Resource Identiﬁer Javascript Object Notation (JSON) http://www.oracle.com/technetwork/java/index-jsp-135475.html L. Cabac et al.: Integrating Web Services in PN-based Agent Applications 105 One central aspect of agent design is its interactions with other system parts. Interactions between the WebGateway and Web applications take place via HTTP/WebSockets. For interactions between the WebGateway and other agents we have to provide equally well-defined protocols. Basically, the WebGateway agent offers five protocols for this purpose: – WebGateway_registerAgent for registering agent services as Web services. – WebGateway_sendrequest for forwarding request from Web applications to application agents – WebGateway_receiverequest for forwarding request from application agents to Web applications – WebGateway_sendinform and WebGateway_receiveinform for sending inform messages in both directions Figure 6. A model of the export request interaction initiated by a web client. We cannot cover all of these interactions but will turn to one example. Figure 6 shows an AUML diagram for the case of a WebGateway_sendrequest. The AUML (Agent UML, see [9,6]) Interaction Protocol diagrams are derived from Sequence Diagrams. They allow to fold several sequences into one scenario by providing modeling elements for alternatives or concurrency – similar to UML2 Interaction Diagrams. Here, we regard the sample case where a Web application 106 PNSE’13 – Petri Nets and Software Engineering requests the export functionality of an application agent and the WebGateway agent acts as the mediator. We address the export application scenario more deeply in the next section. In the P∗aose approach, we use these AUML diagrams to (semi-)automatically generate the interaction parts for each party as Petri nets (cf. [9]). These resulting protocol nets are then directly used for the implementation of agent interactions. It is important to note that the WebGateway_sendrequest protocol net is generic. Here, it is shown in the context of the export example. But is designed to be applicable for arbitrary requests sent from a Web application to an application agent. For instance, we have developed a web component-based GUI framework for browser applications that relies on exchanging web component events between browsers and agents (so called Agentlets). For each new way of making use of the WebRequest_sendrequest protocol net, the two interaction sides have to fit together. This means that the composition of the WebRequest_sendrequest protocol net and its counterpart protocol net has (at least) to result in a sound protocol.7 4 Application of the WebGateway / Export Example As a real world example we present an application that utilizes the WebGateway’s functionality to provide a Web service. The Export Service takes a representation of a Petri net in the form of a serialized Renew drawing or as PNML and returns an image representation of the model.8 The Diff Service service takes two representations of models and returns a graphical diff [10] of the two models. People can access these Web services directly through a Web page interface. But the main application for the Web services is currently a different one. In the context of software engineering, in which we use our models, a tight integration of available tools ensures the efficiency and therefore the acceptance of the available tools among developers. Thus we have integrated the two Web services in our preferred integrated project management environment (IPME, see [3]). Figure 7 shows a schematic model of the setup of our IPME. The IPME – in this case: Redmine (http://www.redmine.org/) – runs on a standard Web server shown in the center of the model. It includes several plugins for the access of the source code management system (SCM, possibly located on another server) and the Export/Diff Web services (again located on another server). Developers can interact with the source code repositories to introduce new versions 7 8 Although the soundness property is not well-deﬁned for protocol nets, we conceive this property in analogy to soundness of workﬂow nets. In fact the service takes any ﬁle type that can be read by Renew, e.g. Renew nets (.rnw), JHotDraw drawings (.draw), PNML, several diagram types used within P∗aose (.aip,.arm) and also Lola net ﬁles (.net). The Renew import/export system is also extensible, so any envisioned ﬁle type in the context of Petri nets and UML modeling can easily be implemented. L. Cabac et al.: Integrating Web Services in PN-based Agent Applications 107 Figure 7. A schematic architecture for the export Web Service / Redmine plugin. of artifacts, to examine the commit history or to examine differences of the selected versions and so on. Managers as well as developers can in addition use the IPME – besides of using the planning and documentation features – to investigate the source repository comfortably in a Web browser. One main part of the functionality provided by the IPME is that developers and project managers can browse quickly through the source code and choose to display a diff of versions of the source code in a Web browser. However, the default browsing and diffing functionality of IPMEs works on text-based source code only while a large part of our code base is Petri net-based. A textual representation of diagrams – for example in PNML – is not very significant for human readers. Moreover, a text based diff of versions of the diagram’s text representations is completely useless. Thus, the Export and Diff plugins take the text representations for diagrams from the SCM, hand them to the Export and Diff Web services and integrate the returned images smoothly into the Web page-based display for the developer. Figure 8 shows a screenshot of the integration of the Diff Service in the IPME Redmine. The screenshot shows The Redmine user interface in a Web browser. The diff of revisions 9044 and 9545 of the Receiver_chat protocol net is displayed. The differences are highlighted in red (removals) and green (additions).9 All other graphical elements are faded to a foggy gray leaving a shadow of the original net. Consequently, within our development environment the Web services are used by the IPMEs10 and are thus provided to the developers in an automated way. A server instance of Renew is running and provides the Web services using the Mulan/Capa framework with its WebGateway extension. A publicly accessible Export/Diff Web page and a demonstration page of the Redmine integration can be accessed from the P∗aose Web Site (http://www.paose.net/). Figure 9 shows a screenshot of the presented multi-agent application showing an export interaction. The MulanViewer on the left shows the multi-agent system’s status in terms of all started agents, their decision components, knowledge 9 10 In black & white printing the location of the manipulated parts are still recognizable, although it becomes impossible to distinguish removals from additions. We provide plugins for Redmine and Trac (http://trac.edgewall.org/). 108 PNSE’13 – Petri Nets and Software Engineering Figure 8. Screenshot of a diﬀ image integrated in Redmine (Demo). bases and currently executed protocol nets. In the back, parts of the involved nets are shown: these are – from top to bottom – the transformation decision component of the WebGateway and the export protocol net of the Export agent. The sendrequest protocol net of the WebGateway is not shown but listed in the MulanViewer’s tree view. During this interaction the WebGateway sends the request to the Export agent after the request has been received from the Web client. On the right hand side of the screenshot are two frames showing a deep inspection of tokens, which are located as indicated on the highlighted places. The first one shows the request message in FIPA-SL, waiting to be matched with the response for routing purposes (cf. Section 2). The second is the response message, which is just about to be sent from the Export agent to the WebGateway.11 11 Although the messages could also be inspected in String representation, the UML representation is much clearer and more concise. L. Cabac et al.: Integrating Web Services in PN-based Agent Applications 109 Figure 9. A screenshot of the agent application while running the export interaction. The availability and the robustness of the Export and Diff Web services provided through a running instance of a Petri net application shows that our framework is already beyond a pure proof of concept. 5 Implementation Although executable models tend to grow to a size that cannot be presented in all details, we present the implementation of the transformation component in 110 PNSE’13 – Petri Nets and Software Engineering order to discuss the specification refinement that leads to the executable model. Often the process that leads incrementally to the executable model has been presented as implementation through specification. In this executable model we do not discuss the inscriptions and certain technical details such as the preparation and selection of the messages. Figure 10 shows an executable version of the WebGateway Transformation Component as an overview.12 The details of the main parts are presented again in Figure 11. Compared to the abstract model shown in Figure 4 this model shows several refinements. First of all the interfaces – indicated by the dashed boxes – of the component have been duplicated. This results from the fact that our implementation allows for additional communication protocols and two connection types. Figure 10. Implementation of the WebGateway Transformation Component. In the abstract model we described the possibility to serve a typical request protocol. Thus, one party can send a request message and receive an answer to this in the form of an inform message. This protocol may be triggered from either side the web server interface or the agent system interface. Additionally, the implementation also allows for a simple inform message that has not been triggered and does not expect any follow-ups. Consequently, we have three out12 The Petri nets is presented as a whole, in order to show the ﬁnal result of the reﬁnement process. Most of the details, such as declarations are only of minor importance. The main details are presented in a magniﬁed version in Figure 11 for convenient inspection. L. Cabac et al.: Integrating Web Services in PN-based Agent Applications 111 going transitions for these three different communication possibilities (request, inform as answer, simple inform) on each outgoing interface side. Additionally, we included the possibility to connect as a Web service in two possible ways. The first is the well-known http connection, the second, which is a websocket connection, allows for asynchronous communication through a bidirectional permanent connection link. Figure 11. Fragment of the WebGateway Transformation Component. In the center of the net – displayed in more detail in Figure 11 – one can prominently conceive the buffer places that hold the messages for matching answers to request and thus to determine the receiver. The buffer places are filled during the processing of the requests – constituting the first branch leading to the first of an outgoing interface. The answer collects the waiting message during processing – indicated by an arc – leading to the second interface transition. The last interface transition serves for the simple inform message. We have hidden 112 PNSE’13 – Petri Nets and Software Engineering several parts of the original net – indicated by large dotted transitions. These transitions hide message processing and routing as well as the processing of the http answers. 6 Discussion The presented example and the publicly available Web services and Web site demonstrate that the presented application is more than just a proof of concept. Especially the availability of the Export and Diff services as Web services has proven their usefulness in the straight-forward and seamless inclusion within several used instances of IPMEs (internal as well as public). We have also briefly mentioned the realization of Web-based GUIs where Web events related to the GUI components are transmitted between a browser and application agents (Agentlets). While this application of the WebGateway is still under development and still in an experimental stage, we have successfully made use of it in academic projects where students develop browser-based applications for collaboration support. The choice of RESTful Web services in combination with WebSockets brings more flexibility to our gateway than strict WSU stack-based gateways can provide. Currently, we use rather simple service descriptions, which might hinder the automation of service workflows. A possible improvement in this area could be the integration of WADL13 , which plays a similar role for RESTful Web service as WSDL for SOAP Web services. 7 Related Work Service oriented architectures especially in combination with Web applications is currently a popular field in the research community. Hence, the integration of Web services into multi-agent systems is a well researched topic with many interesting solutions. Such an approach that impacts on our introduced architectural design is presented by Greenwood et al. [14]. They introduce a Web Service Integration Gateway Service (WSGIS), which acts as a broker between the service participants and provides translation and routing mechanisms. Shafiq et al. [24] offers a slightly different solution that addresses the interconnection of FIPA-compliant multi-agent systems and Web services. Their approach rely on a middleware software that handles the communication of the service participants without any modification on the respective communication systems. In contrast to theses approaches, which are based on Web services that use the standard WSU14 stack, the approach of Soto [19] makes use of the advantages of Web services that comply with the RESTful architecture [23]. He provides a Web Service Message Transport Service (WSMTS) for JADE platforms that is capable of handling FIPA-SL messages in XML representation. These messages 13 14 Web Application Description Language (WADL): http://java.net/projects/wadl WSDL, SOAP, UDDI (WSU) L. Cabac et al.: Integrating Web Services in PN-based Agent Applications 113 are extended with additional information that ensure an end-to-end communication with only one single message encoding. In this case, agents are able to register themselves with a specific address to publish their services as a REST service. A still problematic issue, concerning the use and composition of RESTful services, is the change of state of a resource and the corresponding update of clients. Especially Web clients have to constantly send GET requests to check if the state has changed, which will result in heavy traffic and unnecessarily high load of Javascript. For a bidirectional communication, as used for instance in a User Interface Framework, Aghaee et al. [2, Section 5.2] recommend the use of W3C WebSockets [26]. The WebSocket API provides a mechanism to sent data in various representations (JSON, XML, etc.) to clients when the resource has changed. An approach concerning the modeling of Web services using high-level Petri nets was given by Moldt et al. [21]. The authors introduce a four layer architecture that focuses on modeling the internal behavior of a Web service and provide a proposal for lifecycle management and interconnection of Web services. With the approach presented in this paper we provide a prerequisite that enables us to verify the soundness of internal Web service processes by examination of agent interactions. In order to examine the composition of Web services we have to extend our approach to the external Web service interactions and their interfaces. A related approach is presented by Wolf [27] and his team at the University of Rostock. They provide formal models based on Petri nets to describe service interfaces and tools15 that support the discovery and synthesis of matching service partners. 8 Conclusion and Future Works In this paper, we present a gateway architecture that makes it possible to interconnect FIPA-compliant multi-agent systems and RESTful Web services. More specifically, it creates a bridge between Petri net-based (Mulan) agents and arbitrary Web service providers or clients. Its suitability for daily use has been proven by coupling image conversion and comparison services (provided by Mulan agents) with an integrated project management environment (running as a classic web server, using these services). Besides its useful functionality, the gateway as an artifact exemplifies the benefits of engineering Petri net-based software. The gateway architecture, its message routing core and its multi-agent interface are modeled and implemented in Java reference nets. We present the design of the core gateway functionality as coarse Petri net models, the integration of concrete functionality into these Petri nets – thus turning them into application code –, and the validation of certain application properties by using well-known Petri net analysis techniques. On the practical side, the gateway broadens the range of applications for FIPA-compliant agents (and especially Mulan agents). Their functionality be15 Service-Technology: http://service-technology.org/tools/ 114 PNSE’13 – Petri Nets and Software Engineering comes available for any Web service client, and they can refer to functionality provided by any other web service. The interaction with web services is restricted to the request-response pattern or just unidirectional information distribution, and thus not as feature-rich as the speech act-based communication in the multiagent world. Nevertheless, these simple interaction patterns form the basis of any complex interaction and can thus be considered as sufficient for everyday use. On the Petri net-based software engineering side, the tools and methods of the P∗aose approach are evolving while we use them for the design and implementation of applications like the WebGateway. A major focus is currently put on validation and testing of the application’s Petri net-based code artifacts. The further use of our approach in future student projects and the continuous advancement of our agent-based collaboration platform will help to improve the gateway functionality and software engineering techniques step by step. References 1. Gul Agha, Fiorella De Cindio, and Grzegorz Rozenberg, editors. Advances in Petri Nets: Concurrent Object-Oriented Programming and Petri Nets, volume 2001 of Lecture Notes in Computer Science. Springer-Verlag, 2001. 2. Saeed Aghaee and Cesare Pautasso. Mashup development with HTML5. In Proceedings of the 3rd and 4th International Workshop on Web APIs and Services Mashups, Mashups ’09/’10, pages 10:1–10:8, New York, NY, USA, 2010. ACM. 3. Tobias Betz, Lawrence Cabac, and Matthias Güttler. Improving the development tool chain in the context of Petri net-based software development. In Michael Duvigneau, Daniel Moldt, and Kunihiko Hiraishi, editors, Petri Nets and Software Engineering. International Workshop PNSE’11, Newcastle upon Tyne, UK, June 2011. Proceedings, volume 723 of CEUR Workshop Proceedings, pages 167–178. CEUR-WS.org, June 2011. 4. Tobias Betz, Lawrence Cabac, and Matthias Wester-Ebbinghaus. Gateway architecture for Web-based agent services. In Franziska Klügl and Sascha Ossowski, editors, Multiagent System Technologies, volume 6973 of Lecture Notes in Computer Science, pages 165–172. Springer Berlin / Heidelberg, 2011. 5. Lawrence Cabac. Modeling Petri Net-Based Multi-Agent Applications, volume 5 of Agent Technology – Theory and Applications. Logos Verlag, Berlin, 2010. 6. Lawrence Cabac, Till Dörges, Michael Duvigneau, Daniel Moldt, Christine Reese, and Matthias Wester-Ebbinghaus. Agent models for concurrent software systems. In Ralph Bergmann and Gabriela Lindemann, editors, Proceedings of the Sixth German Conference on Multiagent System Technologies, MATES’08, volume 5244 of Lecture Notes in Artificial Intelligence, pages 37–48, Berlin Heidelberg New York, 2008. Springer-Verlag. 7. Lawrence Cabac, Michael Duvigneau, Daniel Moldt, and Heiko Rölke. Modeling dynamic architectures using nets-within-nets. In Gianfranco Ciardo and Philippe Darondeau, editors, Applications and Theory of Petri Nets 2005. 26th International Conference, ICATPN 2005, Miami, USA, June 2005. Proceedings, volume 3536 of Lecture Notes in Computer Science, pages 148–167, 2005. 8. Lawrence Cabac, Michael Duvigneau, Daniel Moldt, and Matthias WesterEbbinghaus. Towards unit testing for Java reference nets. In Robin Bergenthum and Jörg Desel, editors, Algorithmen und Werkzeuge für Petrinetze. 18. Workshop AWPN 2011, Hagen, September 2011. Tagungsband, pages 1–6, 2011. L. Cabac et al.: Integrating Web Services in PN-based Agent Applications 115 9. Lawrence Cabac, Daniel Moldt, and Heiko Rölke. A proposal for structuring Petri net-based agent interaction protocols. In Wil van der Aalst and Eike Best, editors, 24th International Conference on Application and Theory of Petri Nets, Eindhoven, Netherlands, June 2003, volume 2679 of Lecture Notes in Computer Science, pages 102–120. Springer-Verlag, June 2003. 10. Lawrence Cabac and Jan Schlüter. ImageNetDiﬀ: A visual aid to support the discovery of diﬀerences in Petri nets. In 15. Workshop Algorithmen und Werkzeuge für Petrinetze, AWPN’08, volume 380 of CEUR Workshop Proceedings, pages 93– 98. Universität Rostock, September 2008. 11. Michael Duvigneau, Daniel Moldt, and Heiko Rölke. Concurrent architecture for a multi-agent platform. In Fausto Giunchiglia, James Odell, and Gerhard Weiß, editors, Agent-Oriented Software Engineering. 3rd International Workshop, AOSE 2002, Bologna. Proceedings, pages 147–159. ACM Press, July 2002. 12. Roy T. Fielding and Richard N. Taylor. Principled design of the modern Web architecture. ACM Trans. Internet Technol., 2:115–150, May 2002. 13. OASIS (Organization for the Advancement of Structured Information Standards). BPEL: Web services business process execution language. Available at: http://bpel.xml.org/, 2012. Release 2.0: http://docs.oasisopen.org/wsbpel/2.0/OS/wsbpel-v2.0-OS.html. 14. D. Greenwood and M. Calisti. Engineering Web service - agent integration. In Systems, Man and Cybernetics, 2004 IEEE International Conference on, volume 2, pages 1918 – 1925 vol.2, october 2004. 15. Sebastian Hinz, Karsten Schmidt, and Christian Stahl. Transforming BPEL to Petri nets. Lecture Notes in Computer Science, 3649:220–235, 2005. 16. Ekkart Kindler, Vladimir Rubin, and Robert Wagner. Component tools: Integrating Petri nets with other formal methods. Lecture Notes in Computer Science : Petri Nets and Other Models of Concurrency - ICATPN 2006, Volume 4024, 2006, pages 37–56, 2006. 17. Michael Köhler, Daniel Moldt, and Heiko Rölke. Modelling the structure and behaviour of Petri net agents. In J.M. Colom and M. Koutny, editors, Proceedings of the 22nd Conference on Application and Theory of Petri Nets 2001, volume 2075 of Lecture Notes in Computer Science, pages 224–241. Springer-Verlag, 2001. 18. Olaf Kummer, Frank Wienberg, Michael Duvigneau, Jörn Schumacher, Michael Köhler, Daniel Moldt, Heiko Rölke, and Rüdiger Valk. An extensible editor and simulation engine for Petri nets: Renew. In Jordi Cortadella and Wolfgang Reisig, editors, Applications and Theory of Petri Nets 2004. 25th International Conference, ICATPN 2004, Bologna, Italy, June 2004. Proceedings, volume 3099 of Lecture Notes in Computer Science, pages 484–493, Berlin Heidelberg New York, June 2004. Springer. 19. Esteban León Soto. Agent communication using Web services, a new ﬁpa message transport service for jade. In Paolo Petta, Jörg Müller, Matthias Klusch, and Michael Georgeﬀ, editors, Multiagent System Technologies, volume 4687 of Lecture Notes in Computer Science, pages 73–84. Springer Berlin / Heidelberg, 2007. 10.1007/978-3-540-74949-3_7. 20. T. Miyamoto and S. Kumagai. An agent net approach to autonomous distributed systems. In Proc. of 1996 IEEE Systems, Man, and Cybernetics, 14-17 October 1996, Beijing, China, pages 3204–3209, October 1996. 21. Daniel Moldt, Sven Oﬀermann, and Jan Ortmann. A Petri net-based architecture for web services. In Lawrence Cavedon, Ryszard Kowalczyk, Zakaria Maamar, David Martin, and Ingo Müller, editors, Workshop on Service-Oriented Computing 116 22. 23. 24. 25. 26. 27. PNSE’13 – Petri Nets and Software Engineering and Agent-Based Engineering, SOCABE 2005, Utrecht, Netherland, July 26, 2005. Proceedings, pages 33–40, 2005. Julia Padberg and Hartmut Ehrig. Petri net modules in the transformation-based component framework. Journal of Logic and Algebraic Programming, Vol 97 (1-2), pages 198–225, 2006. Cesare Pautasso, Olaf Zimmermann, and Frank Leymann. Restful web services vs. “big” web services: making the right architectural decision. In Proceeding of the 17th international conference on World Wide Web, WWW ’08, pages 805–814, New York, NY, USA, 2008. ACM. M. Omair Shaﬁq, Ying Ding, and Dieter Fensel. Bridging multi agent systems and Web services: towards interoperability between software agents and semantic Web services. In Enterprise Distributed Object Computing Conference, 2006. EDOC ’06. 10th IEEE International, pages 85 –96, october 2006. Rüdiger Valk. Object Petri Nets – Using the Nets-within-Nets Paradigm. In Jörg Desel, Wolfgang Reisig, and Grzegorz Rozenberg, editors, Advances in Petri Nets: Lectures on Concurrency and Petri Nets, volume 3098 of Lecture Notes in Computer Science, pages 819–848. Springer-Verlag, Berlin Heidelberg New York, 2004. World Wide Web Consortium (W3C). The websocket api editor’s draft 6. Website, June 2011. http://dev.w3.org/html5/websockets. Karsten Wolf. Does my service have partners? LNCS ToPNoC, 5460(II):152–171, March 2009. Special Issue on Concurrency in Process-Aware Information Systems. Petri nets as a means to validate an architecture for time aware systems Francesco Fiamberti, Daniela Micucci, and Francesco Tisato D.I.S.Co., University of Milano-Bicocca, Viale Sarca 336, 20126, Milano, Italy {francesco.fiamberti, daniela.micucci, francesco.tisato}@disco.unimib.it Abstract. Time aware systems claim for an explicit representation of time-related concepts, so that they can be observed and possibly controlled at run-time. The paper identiﬁes a set of architectural abstractions capturing such concepts related to time and classiﬁes the base activities performed by a time aware system. Our proposal has been formalized using two diﬀerent modeling techniques: UML and Petri nets. The former has been chosen to model the static structure of both the abstractions and the entities performing time aware activities. The latter have been exploited to model the dynamics of a time aware system. Keywords: real-time, architectural abstractions, UML, Petri nets 1 Introduction Time aware systems [1] deal with time-related issues when accomplishing domainrelated tasks. For example, a time aware system includes activities whose activation is time driven, activities that need to reason on timestamped facts, and activities that need to know what time it is. Therefore, time ought to emerge as a ﬁrst-class concept because of its relevance in the application domain. As stated in [2], only recently model-based development has begun focusing on timing aspects of a system in addition to its functional and structural ones. However, the proposed approaches tend to specify the requirements with respect to timing focusing on a speciﬁc solution. Moreover, the satisfaction of timing requirements is veriﬁed only during the test phase of the development process. As stated in [3], this is due to the fact that model-driven approaches applied to embedded systems in early design phases do not always rely on a systematic and rigorous methodology that includes specifying and verifying timing requirements. To overcome the above drawbacks, several modeling techniques have been proposed. MARTE [4] is an UML proﬁle designed to face real-time aspects of a system from a model-based perspective. UML [5] is a standardized generalpurpose modeling language used to specify the artifacts of a software system. A UML proﬁle customizes UML for a speciﬁc purpose or domain by using extension mechanisms able to modify the semantics of the meta-model elements [5]. [6] exploits MARTE (the logical time concept) and the CCSL language [7] to specify the causal and temporal characteristics of the software as well as the hardware 118 PNSE’13 – Petri Nets and Software Engineering parts of the system. However, modeling capabilities need to be supported by tools that directly implement the system. Languages like Giotto [8] and SIGNAL [9] extend existing paradigms to include time-related issues. Close to Giotto, PTIDES [3] is a programming model for distributed embedded systems based on a global, consistent notion of time. However, such approaches allow time-related issues to be managed at compile time only, preventing the temporal behavior of the system from being adaptive. The key idea behind our proposal is that time-related concepts should be ﬁrst-class concepts, which directly turn into basic architectural abstractions [10] supported by a running machine. In this way, it is possible to explicitly treat time-related aspects from the analysis of the requirements to the test phase of the life cycle of a system. Even if UML [5] is a well-known modeling language in the software engineering area, the features of Petri nets [11] make them a suitable tool to model the dynamics of a time aware system. Indeed, when a set of time driven entities must be performed, they must be enabled in a deterministic way. However, once they have been enabled, their actual execution can be nondeterministic, that is, their execution order should have no signiﬁcance and should not aﬀect the system behavior. Therefore, we used UML to describe the architectural abstractions and the time-related activities (static structure), and Petri nets to describe the dynamics of a time aware system. The paper is organized as follows. Section 2 introduces time-related abstractions by means of UML class diagrams. Section 3 identiﬁes the three base entities performing time aware activities by means of UML class and state diagrams. Section 4 discusses the dynamics of a time aware system exploiting Petri nets. Finally, Section 5 presents concluding remarks. 2 Time-related abstractions To give a ﬂavor of the proposed model, the following simpliﬁed example will be used. Consider a road gate equipped with a camera. The gate provides access to an area with traﬃc restrictions. In particular, car transits are only allowed at night and for a restricted set of vehicles. Every second, the camera must acquire a frame, which must be stored with the acquisition timestamp. Finally, the acquired frames are elaborated oﬄine to detect infractions. The described scenario is an example of a time aware system. A time aware system reiﬁes the following time aware activities: – a time driven activity is triggered by events that are assumed to model the ﬂow of time. In the proposed example, the acquisition activity must be time driven in order to acquire frames at predeﬁned time instants. – a time observer activity observes “what time it is”. Thus, the acquisition activity in the example must also be time observer, since it needs the correct timestamp for every acquired frame. – a time conscious activity reasons on facts placed in a temporal context, no matter when the computation is realized. In the example, the infraction F. Fiamberti et al.: PNs as a Means to Validate an Architecture Timer - Duration -duration emitEvent() 119 1 -reference 1 0..* VirtualTimer GroundTimer - internal counter 1 {redefines duration} VirtualDuration - + + count() setDuration(Duration) value -duration Fig. 1: Concepts related to timers detection activity is time conscious, as it performs an oﬄine elaboration of timestamped frames. Drivenness, observability, and consciousness can be enabled by means of three well distinguished architectural abstractions: Timer, Clock, and Timeline. 2.1 Timer A Timer is a cyclic source of events, all of the same type: two successive events deﬁne a duration. A timer generates events by means of its emitEvent operation. A Virtual Timer is a timer whose event generation is constrained by the behavior of its reference timer: it counts (by means of the count operation) the number of events it receives from its reference timer and generates an event when this number equals a predeﬁned value. The duration is specialized to virtual duration. Timers can thus be arranged in hierarchies, in which every descendant timer has exactly one reference timer. The root of every hierarchy is a Ground Timer, which is a timer whose duration is not constrained by the duration of another timer. Therefore, the duration of a ground timer can be interpreted as intervals of the real external time, so that the events generated by a ground timer can be interpreted as marking the advance of time. Finally, the setDuration operation allows the duration of a virtual timer to be modiﬁed, thus varying the speed at which events are generated. Figure 1 sketches the described concepts. 2.2 Clock A Clock counts (by means of its increment operation) the events it receives from the associated timer. The event count is interpreted as the clock’s current time (see Figure 2). Thus, time is not a primitive concept but it is built from events. 2.3 Timeline A Timeline is a data structure (thus intrinsically discrete) constituting a static representation of time as a numbered sequence of grains. A grain is an elementary unit of time identiﬁed by its index and whose interior cannot be inspected. 120 PNSE’13 – Petri Nets and Software Engineering Clock Timer current time emitEvent emitEvent() 1 0..1 increment() Fig. 2: Concepts related to clocks A Time Interval, deﬁned on a timeline, is a subset of contiguous grains belonging to that timeline. A virtual timeline is a timeline whose grains (virtual grains) have a duration that can be expressed as a time interval in the associated reference timeline. Timelines can thus be arranged in hierarchies. The root of every hierarchy is a Ground Timeline, which is a timeline whose grain durations are not constrained by the grains of another timeline. In each hierarchy, the ground timeline is therefore the only one whose grains can be interpreted as an elementary time interval in an arbitrary ground reference time (e.g., the “real” time from the application viewpoint). A Fact is an assertion regarding the system domain. A Timed Fact is a fact associated to a time interval representing the fact’s interval of validity. Therefore, timelines are histories of timed facts. Figure 3 sketches all the described concepts. By connecting a clock with a timeline, it is possible to interpret as present time on the associated timeline the grain whose index equals the clock’s current time (see Figure 4). Every time the clock receives an event from the connected timer, it advances the present time on the corresponding timeline by one grain. The clock also deﬁnes the concepts of past and future in the associated timeline: the grains with index less than current time belong to the past and the grains with index greater than current time belong to the future. 3 Time aware entities The identiﬁed abstractions enable the design of the following time aware entities (see Figure 5), which reify the activities of a time aware system: – Time driven entity: an entity whose activation is triggered by a virtual timer – Time observer entity: an entity that reads current time from clocks – Time conscious entity: an entity that reads/writes timed facts on a timeline without any reference to when such a management is actually realized More articulated behaviors can be obtained by combining the three basic entities. For example, a time driven time conscious entity is an entity that is triggered by a virtual timer (time driven) and reads/writes timed facts (time conscious). 3.1 Time driven entities A time driven entity is associated to its activating timer, and it may be in two states: running and idle. A time driven entity enters the running state when its F. Fiamberti et al.: PNs as a Means to Validate an Architecture TimedFact 121 Fact 0..* 1 is valid in 0..* 1 / TimeInterval defined over 0..* duration 1 VirtualGrain begin 1 end VirtualTimeline 0..* 1 reference 1..* {ordered, redefines grains} Grain index GroundGrain 1 1 Timeline GroundTimeline grains 1..* {ordered, redefines grains} 1..* {ordered} Fig. 3: Concepts related to timelines Grain grains Timeline 1..* {ordered} index present time 0..1 timeline 0..1 advances time clock 0..1 Clock Timer current time emitEvent emitEvent() 1 0..1 increment() Fig. 4: Connection of a clock to a timeline activating timer emits an event. In this state, it performs its domain-dependant operation. At the end of the execution, the entity goes back to the idle state. This simple model assumes that the deadline for an execution coincides with the beginning of the next execution. To adapt the model to the general case where deadlines temporally precede the beginning of the next execution, it is possible to associate a second timer to each time driven entity, as sketched in Figure 6. When the deadline timer emits an event, the associated time driven entity must have already completed the perform operation. It follows that a time driven entity must include an additional state, denoted terminated. 122 PNSE’13 – Petri Nets and Software Engineering Timer Time Driven Entity activated by Clock Time Observer Entity Time Aware Entity reads time from readClocks() Timeline perform() Time Conscious Entity reasons on observe() expose() Fig. 5: Entity classiﬁcation according to the relation with the basic concepts idle running emitEvent() entry / perform [end of execution] emitEvent() terminated Fig. 6: State diagram for a time driven entity 3.2 Time driven time conscious entities Some care must be used to guarantee consistency when designing entities that are both time driven and time conscious. In fact, it is desirable that the behavior of all the entities that are triggered simultaneously does not depend on the order in which the executions are actually managed, which may be aﬀected by lowlevel details such as the number of available cores or the particular scheduling algorithm that is being used. Therefore, it is necessary to guarantee that all the time driven time conscious entities that are triggered simultaneously share the same view of the timelines, to avoid the situation of an entity that reads timed facts written by another entity triggered simultaneously just because the latter was granted higher execution priority by the low-level scheduler. A possible solution is that all entities read timed facts immediately when they are activated by the activating timer and write timed facts only when they receive an event by the deadline timer, even if the actual execution ends before the deadline. The state diagram in Figure 7 enriches Figure 6 by introducing eﬀects in the transitions triggered by timers: the eﬀect of an event from the activating timer is the reading of facts by means of the observe operation, whereas the eﬀect of an event from the deadline timer is the writing of facts by means of the expose operation. In an actual implementation, the concrete component in charge of the execution of entities must guarantee that when the execution of a set of entities is triggered, all the entities read timed facts before any one of F. Fiamberti et al.: PNs as a Means to Validate an Architecture idle 123 running emitEvent() /observe() entry / perform [end of execution] terminated emitEvent() /expose() Fig. 7: State diagram for a time driven time conscious entity them is allowed to start the actual execution, and that every entity writes timed facts only at the deadline for its execution. 4 Time aware systems This section presents the behavior of time aware systems exploiting Petri nets. First, the dynamics of a timer hierarchy will be discussed. Afterwards, the model of the activation of time driven and time conscious entities will be presented. 4.1 Timer hierarchy Before describing a complete timer hierarchy, we will detail the internal behavior of a virtual timer. Figure 8 shows the subnet modeling the timer T2, of duration 3, without descendant timers. In the initial marking, a token is present in place p1. The ﬁrst time a token is put into place Event to T2, transition t1 is enabled and ﬁres, putting a token into both p2 and T2 updated. The structure made of p* and t* works as an internal counter, and the token to T2 updated is needed to allow the external system to be notiﬁed that the timer completed its update operations (simple increment of the internal counter or event generation). When the internal counter equals the timer’s duration, transition Emit event is ﬁred. At the end, a token is put into place T2 updated. If a clock is connected to the timer, after every generated event, the corresponding transition increment clock time is ﬁred before the end of the timer’s update. Note also that the gray arcs in Figure 8 are required for the correct behavior of the Petri net, but do not have any particular time-related semantics. For example, the arcs from the place Event to T2 to transitions t1, t2 and t3 allow such transitions to ﬁre only one at a time, when a token is present in place Event to T2. Figure 9 shows the subnet of T1, a timer with descendants (T3 and T4). Unlike in the previous case, transition Emit event puts tokens into all the places Event to T* of the descendant timers, whose places T* updated are joined in transition Join descendant timers, after which the system’s behavior is the same as in the case without descendant timers. No assumptions are made on the order in which descendant timers are updated. Figure 10 shows a Petri net modeling a four-level hierarchical timer structure. Place Ground timer event receives a token that is interpreted as the ﬂow 124 PNSE’13 – Petri Nets and Software Engineering Event to T2 Emit event p1 p2 t1 p3 t2 t3 Event emitted (increment clock time) T2 updated Fig. 8: Subnet for a timer with no descendants Event to T1 Event to T3 T3 updated Event to T4 T4 updated Emit event T1 updated Join descendant timers Event emitted (increment clock time) Fig. 9: Subnet for a timer with descendants of real time. If the previous update of the system has been completed (a token is present in place All timers updated), transition Start execution is enabled. When the transition is ﬁred, a token is sent to place Event to T* of every virtual timer directly connected to the ground timer, enabling internal update operations. When a timer emits an event, its update can terminate only when all its possible descendant timers’ updates have been triggered and completed. Once the timer has been updated, a token is put into the corresponding place T* updated. Places T* updated are joined in transition Join direct descendants of ground timer, whose ﬁring terminates the atomic update of all timers by putting a token into place All timers updated. This token enables transition Start execution when the next token is produced in place Ground timer event. Thanks to the recursive structure of virtual timers, only direct descendants of the ground timer need to be joined in transition Join direct descendants of ground timer to ensure atomicity of all timers’ updates. In Figure 10, for clarity the details regarding the internal structure of timers have been hidden and represented by means of simple transitions shown in gray. 4.2 Time driven entities Time driven entities can be executed by associating them to timers. Every time a timer emits an event, it sends a signal to all its associated entities, which behave consequently according to their internal state. To make the concepts clear, we F. Fiamberti et al.: PNs as a Means to Validate an Architecture 125 Ground timer event Start new cycle Event to T3 T3 T3 updated Event to T1 T1 T1 updated Event to T5 T5 T5 updated Event to T4 T4 T4 updated Event to T2 T2 Join direct descendants of ground timer All timers updated T2 updated Fig. 10: Example of hierarchical timer structure assume that the relative deadlines of the time driven entities coincide with the beginning of the next execution. Figure 11 sketches an example of such a system, where timers T3, T4, and T5 have been hidden for the sake of readability. The assumption is made that the execution of a time driven entity is an instantaneous action. Thus, if the actual time taken by an entity is not negligible with respect to the smallest time scale in the system, the execution considered here is made only of the (instantaneous) set of operations needed to decouple the actual actions from the main system ﬂow (e.g., the operations needed to start a new thread where threads are available). Figures 12 and 13 show the structures of timers T2 and T1 respectively in presence of time driven entities: when an event is generated, a token is put into place T* time driven entities to be enabled, to enable the execution of the entities associated to T*. Note that habilitation does not mean immediate execution: the actual execution of all the time driven entities can be started only once all the timers have been updated, as will be explained later. To ensure that the entities have been enabled, a token is required in place T* time driven entities enabled for the transition in input to place T* updated to ﬁre. Figure 14 shows how atomicity of all timers’update can be granted. A copy of place All timers updated is available for every subnet modeling a group of time driven entities associated to the same timer. Every entity group has a T* time 126 PNSE’13 – Petri Nets and Software Engineering Ground timer event End of execution Join time driven entities Start new cycle Event to T1 T1 time driven entities enabled T1 time driven entities completed T1 time driven entities to be enabled All timers updated T2 time driven entities enabled T2 time driven entities completed T2 time driven entities to be enabled All timers updated T1 T1 updated Event to T2 T2 T2 updated Join direct descendants of ground timer All timers updated Fig. 11: Time aware system with time driven entities Event to T2 Emit event p1 p2 t1 T2 time driven entities to be enabled p3 t2 t3 Event emitted T2 updated (increment clock time) T2 time driven entities enabled Fig. 12: Subnet for a timer with associated time driven entities driven entities completed place, where the presence of a token indicates that no additional actions are required for the group. This is needed to deal with the (typical) situation where only a subset of all the timers emit an event. All places T* time driven entities completed are initialized with a token, and a token F. Fiamberti et al.: PNs as a Means to Validate an Architecture Event to T1 Event to T3 T3 updated T1 time driven entities to be enabled Emit event Event to T4 T4 updated T1 updated 127 Join descendant timers Event emitted T1 time driven entities enabled (increment clock time) Fig. 13: Subnet for a timer with descendants and associated time driven entities T* time driven entities to be enabled Enable time driven entities T* time driven entities enabled T* time driven entities to be completed Execute time driven entities All timers updated (copy for current timer) T* time driven entities completed Fig. 14: Model of a group of time driven entities is always present at the end of every execution. Only in case of an event from the associated timer, place T* time driven entities completed is cleared as a consequence of the habilitation of time driven entities. In fact, when a token is put into place T* time driven entities to be enabled, transition Enable time driven entities ﬁres, removing the token from place T* time driven entities completed and putting it into place T* time driven entities to be completed. Transition Execute time driven entities is not enabled until a token is present in the current timer’s copy of place All timers updated, that is, until all the timers have been updated. All places T* time driven entities completed are joined in transition Join time driven entities (see Figure 11). At the end of each global timer update, the time driven entity groups that do not require execution (because their timer did not emit an event) already have a token in place T* time driven entities completed. Transition Join time driven entities is not enabled only if some of the time driven entities must still be executed. If this is the case, all the corresponding transitions Execute time driven entities are now enabled, removing the token from place T* time driven entities to be completed and putting it into T* time driven entities completed. No assumptions are made on the possible order in which time driven entities are executed. Once all the executions have been completed, the transition Join time driven entities is enabled. Note that in order to prevent an early ﬁring of this transition in the case where no entity groups need to be executed, a copy of place All timers updated is present as an input to Join time driven entities, so that the global update 128 PNSE’13 – Petri Nets and Software Engineering T* time driven entities to be enabled Enable time driven entities T* time driven entities enabled Facts to be exposed expose Execution enabled observe ( + readClocks ) + perform All timers updated (copy for current timer) T* facts exposed All facts exposed (copy for current timer) T* time driven entities completed Fig. 15: Model of a group of time driven time conscious entities of timers must be terminated ﬁrst even though all the places T* time driven entities completed contain a token. 4.3 Time driven time conscious (observer) entities As stated in subsection 3.2, some care must be used when designing entities that are time driven and time conscious, or time driven, time conscious and time observer. The two cases can be analyzed together, since the diﬀerences are limited to the presence of clocks and to the need to read the relevant clocks’ current times before starting the executions. Figure 15 contains the model of a group of time driven time conscious entities associated to the same timer, while an example of time aware system is shown in Figure 16. As introduced in Subsection 3.2, the sequence of operations of a time driven time conscious entity can be organized in three blocks: expose (that puts on the right timelines the timed facts computed during the previous execution), observe (that reads timed facts from the timelines of interest), and perform (the actual execution of the entity’s actions). Since no constraints are put on the order in which entities are executed, consistency and predictability of the system’s behavior require that timed facts are added on a timeline by an entity only at the end of the time grain of the timer to which the entity is associated, and before any other entity in the system reads facts from the same timelines. So the exposition of all the facts generated by all entities must be realized as an atomic action after all timers have been updated and before the execution of the perform of any time driven time conscious entity. With reference to Figure 15, for every group of entities, place T* facts exposed is initialized with a token. When the associated timer emits an event, the token put into place Time driven entities to be enabled enables transition Enable time driven entities, which removes the tokens from places Time driven entities completed and T* facts exposed, putting a token into Facts to be exposed. Once all the timers have been updated, so that a token is put into the copy of place All timers updated for every group of entities, transition expose is ﬁred, putting a token into the corresponding places T* facts exposed and Execution enabled (whose presence prevents unrequested F. Fiamberti et al.: PNs as a Means to Validate an Architecture 129 Ground timer event Join time driven entities End of execution Start new cycle All facts exposed T1 facts exposed Event to T1 Join fact expositions T1 time driven entities enabled T1 time driven entities completed T1 time driven entities to be enabled All timers updated T1 T1 updated All facts exposed T2 facts exposed Event to T2 T2 time driven entities enabled T2 time driven entities completed T2 time driven entities to be enabled All timers updated T2 T2 updated All facts exposed Join direct descendants of ground timer All timers updated Fig. 16: Time aware system ﬁring of transition observe (+ readClocks) + perform that would be otherwise triggered by the simple presence of a token in place All timers updated). All places T* facts exposed are joined, together with a copy of All timers updated, in transition Join fact expositions. Only after all the expositions have been completed, this transition can ﬁre, putting a token into the copy of 130 PNSE’13 – Petri Nets and Software Engineering Property Y/N Property Y/N Pure (PUR) Ordinary (ORD) Homogeneous (HOM) Non-Blocking Multiplicity (NBM) Conservative (CSV) Structurally Conﬂict-Free (SCF) FT0, TF0, FP0, PF0 Connected (CON) Strongly Connected (SC) Deadlock-Trap Property (DTP) Covered by T-invariants (CTI) No Yes Yes Yes No No Yes Yes Yes No Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Covered by P-invariants (CPI) Strongly Covered by T-invariants (SCTI) Structurally Bounded (SB) Bounded (kB) Safe (1-B) Dynamically Conﬂict-Free (DCF) No Dead States (DSt(0)) No Dead Transitions (DTr) Live (LIV) Reversible (Rev) Table 1: Properties of the proposed Petri nets place All facts exposed for all groups of entities. This enables all transitions observe (+ readClocks) + perform (for time observer entities, readClocks is executed on all the clocks of interest before perform), whose ﬁring puts a token into the corresponding place T* time driven entities completed. At this stage, as in the case of pure time driven entities, places Time driven entities completed are joined in transition Join time driven entities, which ﬁres when all the entity executions have been completed. The gray arcs in Figure 16 involve groups of entities: one connects place All facts exposed of each group and transition Join time driven entities, to ensure that tokens do not pile up in these places when the corresponding timer does not emit an event. The other is between transition Join fact expositions and place T* facts exposed of every group, needed to recharge the token for the next execution. 5 Final remarks The time-related abstractions and the dynamics of a time aware system could have been fully described by means of UML diagrams (i.e., class and state to model the basic abstractions and sequence to model the dynamics). Initially, this was the direction we followed, but we soon realized that the resulting sequence diagrams would be complex and diﬃcult to read. So we decided to use Petri nets, because of their suitability to model the dynamics of a system. The obtained result consists in a set of Petri nets that are simpler and more readable with respect to the corresponding UML sequence diagrams, notwithstanding the need for additional places and transitions that do not have an application semantic but are required for the Petri nets to behave correctly. Table 1 summarizes the properties of the proposed Petri nets, as deﬁned in [12,13]. Some of the properties cannot be satisﬁed because of the intrinsic nature of time aware systems (e.g., the proposed nets are not pure because of the presence of loops, which are required to obtain a cyclic behavior). F. Fiamberti et al.: PNs as a Means to Validate an Architecture 131 The proposed models supported the implementation of a Java framework named Time Aware Machine (TAM) [14] that has been used for the experimental testing of the Space Integration Services platform [15]. Currently, the framework is being used in ALARM [16], an architecture based on a time driven mechanism that veriﬁes hypotheses about domain entities against previsions. References 1. Fiamberti, F., Micucci, D., Tisato, F.: An architecture for time-aware systems. In: 2011 IEEE 16th Conference on Emerging Technologies & Factory Automation (ETFA), IEEE (2011) 2. Buckl, C., Gaponova, I., Geisinger, M., Knoll, A., Lee, E.A.: Model-based speciﬁcation of timing requirements. In: Proceedings of the tenth ACM international conference on Embedded software. EMSOFT ’10, ACM (2010) 239–248 3. Zhao, Y., Liu, J., Lee, E.A.: A programming model for Time-Synchronized distributed Real-Time systems. In: 13th IEEE Real Time and Embedded Technology and Applications Symposium, 2007. RTAS ’07, IEEE (2007) 259–268 4. OMG: MARTE Modeling and Analysis of Real-Time and Embedded systems. http://www.omg.org/spec/MARTE/1.1/PDF/ 5. OMG: Uniﬁed Modeling Language (UML), Superstructure. http://www.omg.org/spec/UML/2.4.1/Superstructure/PDF/ 6. Peraldi-Frati, M., DeAntoni, J.: Scheduling multi clock real time systems: From requirements to implementation. In: Object/Component/Service-Oriented RealTime Distributed Computing (ISORC), 2011 14th IEEE International Symposium on. (2011) 50 –57 7. Mallet, F.: Clock constraint speciﬁcation language: specifying clock constraints with UML/MARTE. Innovations in Systems and Software Engineering 4(3) (2008) 309–314 8. Henzinger, T., Horowitz, B., Kirsch, C.: Giotto: a time-triggered language for embedded programming. Proceedings of the IEEE 91(1) (2003) 84–99 9. Gamatié, A., Gautier, T., Guernic, P.L., Talpin, J.P.: Polychronous design of embedded real-time applications. ACM Trans. Softw. Eng. Methodol. 16(2) (2007) 10. Shaw, M., DeLine, R., Klein, D.V., Ross, T.L., Young, D.M., Zelesnik, G.: Abstractions for software architecture and tools to support them. IEEE Transactions on Software Engineering 21(4) (1995) 314–335 11. Murata, T.: Petri nets: Properties, analysis and applications. Proceedings of the IEEE 77(4) (1989) 541–580 12. Starke, P.H.: Analyse von Petri-netz-modellen. Teubner BG GmbH (1990) 13. Starke, P.H.: INA Integrated Net Analyzer. http://www2.informatik.huberlin.de/lehrstuehle/automaten/ina/manual.html 14. Fiamberti, F., Micucci, D., Tisato, F.: An object-oriented application framework for the development of real-time systems. In: 50th International Conference on Objects, Models, Components, Patterns (TOOLS 2012), Springer (2012) 75–90 15. Bernini, D., Fiamberti, F., Micucci, D., Tisato, F.: Architectural Abstractions for Spaces-Based Communication in Smart Environments. Journal of Ambient Intelligence and Smart Environments 4(3) (2012) 16. Fiamberti, F., Micucci, D., Mobilio, M., Tisato, F.: A Layered Architecture based on Previsional Mechanisms. In: ICSOFT 2013 - Proceedings of the 8th International Joint Conference on Software Technologies (accepted for publication). (2013) 132 PNSE’13 – Petri Nets and Software Engineering Part III PNSE’13: Short Presentations A Framework for Efficiently Deciding Language Inclusion for Sound Unlabelled WF-Nets D.M.M. Schunselaar⋆ , H.M.W. Verbeek⋆ , W.M.P. van der Aalst⋆ , and H.A. Reijers⋆ Eindhoven University of Technology, P.O. Box 513, 5600 MB, Eindhoven, The Netherlands {d.m.m.schunselaar, h.m.w.verbeek, w.m.p.v.d.aalst, h.a.reijers}@tue.nl Abstract. We present a framework to eﬃciently check language inclusion between two sound unlabelled WF-nets. That is, to eﬃciently check whether every successfully terminating transition sequence of one sound unlabelled WF-net also is a successfully terminating transition sequence of a second sound unlabelled WF-net. Existing approaches for checking language inclusion are typically based on the underlying transition systems of both nets, and hence are subject to the well-known stateexplosion problem. As a result, these approaches cannot check language inclusion on sound unlabelled WF-nets in polynomial time. Our framework allows for eﬃcient language inclusion checks even if parallelism is present, by comparing speciﬁc net abstractions that can be computed and compared in polynomial time. For sound unlabelled WF-nets that are free-choice and do not contain loops, we prove that our approach is complete. 1 Introduction Language inclusion refers to the problem of deciding whether a ﬁrst language is included in a second language, that is, whether every word of the ﬁrst language is also a word in the second language. For this paper, we assume that a language is described by a sound unlabelled WF-net (a subclass of Petri nets), and that every word in the language corresponds to a successfully terminating trace in that WF-net. As a result, the problem can now be rephrased as deciding whether every successfully terminating trace of a ﬁrst sound unlabelled WF-net is also a successfully terminating trace of a second sound unlabelled WF-net. There already is a large body of work on equivalences and/or similarities between Petri nets, e.g., [1–3]. However, in some cases we do not need to decide on language equivalence as language inclusion is already suﬃcient to investigate relevant properties. For example, suppose we have a large repository of Petri nets that are all diﬀerent. To reduce the number of Petri nets we need to maintain, we might want to remove any Petri net that has less behaviour than some other ⋆ This research has been carried out as part of the Conﬁgurable Services for Local Governments (CoSeLoG) project (http://www.win.tue.nl/coselog/). 136 PNSE’13 – Petri Nets and Software Engineering Petri net. This requires us to determine whether the language of a Petri net is included in the language of another Petri net. Conformance checking is another interesting application area for language inclusion. In conformance checking, one seeks to validate an event log against a Petri net, i.e., does every trace in the event log correspond to a successfully terminating transition sequence of the Petri net [4]? If we can create a Petri net that precisely captures the traces from the event log, then this question corresponds to whether the language of this created Petri net is included in the language of the original, given, Petri net. Another interesting application of language inclusion comes from the CoSeLoG project1 . In this project, we are cooperating with municipalities of diﬀerent sizes and with diﬀerent characteristics. If, for instance, a ﬁrst, small, municipality wants to cooperate with a second, large, municipality, then the second municipality might have more generic process models (that is, Petri nets) that also support the ﬁrst municipality. Although, language equivalence is unlikely to hold, language inclusion might very well hold, which is already suﬃcient for a fruitful cooperation. Apart from comparing the Petri nets of these municipalities, we can also combine them into a more generic Petri net [5], and check whether a Petri net of a third municipality is already included in this generic Petri net. If so, then this third municipality can be supported by this generic Petri net as well, while it might not have been supported by the Petri net of the ﬁrst or the second municipality only. In the context of [5], we already have standardised the Petri nets, i.e., same activities names, and same level of abstraction. The main problem with Petri-net-based language inclusion is that it is deﬁned on the state-space underlying the Petri net (encoded as a transition system) and is PSPACE-complete. Due to the state-space explosion problem, such a transition system may be extremely large. Therefore, in general, it is computationally expensive to decide on language inclusion using the underlying transition systems. We present a framework for deciding whether and how Petri-net-based language inclusion can be decided in a more eﬃcient way for sound unlabelled WF-nets. The framework is based on the general pattern: If a sound unlabelled WF-net adheres only to some characteristics (e.g., is acyclic), then we can map this net to an alternative representation using a mapping function λ. Using a comparator ≤λ , we may then eﬃciently decide whether language inclusion holds or not. As an example, Fig. 1 depicts a mapping function that maps every net to its set of transitions. Using the subset operator as comparator, we can already conclude that language inclusion does not hold, i.e., that the transition set of the ﬁrst net is not a subset of the transition set of the second net. For the case, sound unlabelled WF-nets that are free-choice and contain no loops, we prove that our approach is complete. If the net is not free-choice or contains loops, we present mapping functions and corresponding comparators that can signal that language inclusion does not hold. 1 http://www.win.tue.nl/coselog/ D. Schunselaar et al.: Deciding Language Inclusion for SU-WF-Nets B A F E D I ⊆ H λ (set of transitions) {A, B, D, E, F, H, I} ≤λ (⊆) B A C D 137 F E G I H λ (set of transitions) {A, B, C, D, E, F, G, H, I} Fig. 1: General pattern of the framework: First, we map every net to an alternative representation (like its set of transitions); second, by eﬃciently comparing these alternative representations (like the standard subset comparator on the sets of transitions), language inclusion may be decided. The structure of the paper is as follows. In Sect. 2, we present the approaches from literature and present the mappings found in literature. Preliminaries are provided in Sect. 3. Section 4 presents the general framework for our approach, which includes diﬀerent mapping functions and comparators to tackle the language inclusion problem at hand. Finally, the conclusions and directions for future work are elaborated on in Sect. 5. 2 Related Work There are solutions for checking whether the language of a ﬁrst Petri net is included in the language of a second Petri net, see [6–8]. However, these solutions use the transition systems underlying both Petri nets. Unfortunately, these transition systems may become very large in the presence of parallelism. Therefore, as mentioned, we are designing a framework for deciding whether and how Petri-net-based language inclusion can be decided in a more eﬃcient way. An important element of this framework is mapping a net to an alternative representation. In the remainder of this section, we present diﬀerent candidates for such mappings as found in the literature. Note that this list is not exhaustive, but that our framework can easily incorporate other, new, mappings. The ﬁrst mapping we consider is based on the α-relation [9]. The α-relation denotes direct succession between activities and was originally designed for process discovery. In [10], a characterisation is given for the nets discoverable by the α-relation. Extensions have been made to the α-relation in [11] to be able to discover a larger set of nets. The α-relation denotes direct succession, the relation used in behavioural proﬁles [3,12,13] denotes the eventual succession. Based on the behavioural proﬁles, work has been done for language equivalence, but language inclusion has not been addressed. A more generic approach based on behavioural proﬁles is presented in [1], where eventual succession is still considered, but the distance between occurrences of transition is bounded. Using behavioural proﬁles, [14] 138 PNSE’13 – Petri Nets and Software Engineering considers an abstraction, but this abstraction is not language-equivalence preserving, i.e., the language of the abstraction is diﬀerent from the language of the original net. An approach similar to behavioural proﬁles is the approach using causal footprints [15]. Causal footprints denote causality between activities. In [15], causal footprints are used to deduce structural properties of sound WF-nets. Using causal footprints, [16] denotes the similarity between nets. This similarity can be used to deduce language equivalence (similarity of 1), but this approach is not tailored towards language inclusion. Causal nets [4] allow us to model processes in such a way that causality between activities is made explicit. Language inclusion of causal nets has been deﬁned in [17]. Furthermore, [4] presents an operational algorithm to transform a net to a causal net by transforming place and transition into activities. Process nets [18] allow us to encode causal runs. Such a causal run is expressed as a marked graph. The approach was originally designed for the validation of nets. Therefore, no language equivalence or language inclusion is deﬁned on process nets. The last mapping we mention is the mapping from a net to its basis of semipositive transition invariants [19]. The intuitive notion of such an invariant is that if we start at a given marking, and execute all the transitions from the invariant as many times as the invariant indicates, we return to the marking we started with. As such, every behavioural cycle in the Petri net is covered by such an invariant, but this not work the other way around: It may be possible that an invariant does not correspond to any behavioural cycle (due to the fact that we may not have suﬃcient tokens to execute exactly the transitions from the invariant). In this paper, we consider the α-mapping, and the work that has been done on behavioural proﬁles, due to the fact they can be computed eﬃciently (in case of free-choice Petri nets [20]) on the structure of the net. The other abstractions can be used, but some do no always run in a time polynomial with respect to the size of the net. Causal footprints are closely related to behavioural proﬁle. Therefore, using causal footprints yields similar results as using behavioural proﬁles. Hence, we do not use causal footprints. To use causal nets, we would need an approach to deal with the places introduced in the transformation as the same place might have diﬀerent names in diﬀerent process models. To use process nets, we would need an approach to deduce language inclusion between sets of sets of marked graphs. Furthermore, the number of process nets might be exponential in the number of choices, as there is no choice in a marked graph and every trace needs to be encoded in at least one marked graph. Finally, the main problem with semi-positive transition invariants is that the basis of invariant may be exponential in the size of the net. D. Schunselaar et al.: Deciding Language Inclusion for SU-WF-Nets 3 139 Preliminaries We use the following general notions: A denotes the set of actions, and N denotes the set of non-negative integers. First, the notions of language, word of a language, and language inclusion are deﬁned. A word is a sequence of actions from A, a language is a set of words, and a language is included in another language if and only if all the words of the ﬁrst language are part of the second language. Next, we introduce the notion of a transition system, and the language of a transition system. Definition 1 (Transition System). A Transition System T S = (S, →, α, ω) is a tuple where: – – – – S is the set of states, →⊆ S × A × S is the set of transitions, α ∈ S is the initial state, ω ∈ S is the ﬁnal state. A word of a transition system is a sequence of transitions starting from the initial state and ending in the ﬁnal state. The language of a transition system is the set of all words which can be produced by the transitions system. Now we introduce some general Petri net concepts. Definition 2 ((Unlabelled) Petri net). A Petri net N = (P, T, F ) is a tuple where: – P is a set of places, – T ⊆ A is a set of transitions, such that P ∩ T = ∅, – F ⊆ (P × T ) ∪ (T × P ) is a ﬂow relation. SThe preset of a transition/place n, denoted by •n, is the set of places/transitions in i ∈ P ∪ T : (i, n) ∈ F . The S postset of a transition/place n, denoted by n•, is the set of places/transitions in i ∈ P ∪ T : (n, i) ∈ F . A Petri net is free-choice if and only if for every two transitions, either the presets of every two transitions is disjoint, or they are the same. Definition 3 (Bag over Set). Let S be a set. A bag over S is a function from S to the natural numbers N such that only a ﬁnite number of elements from S is assigned a non-zero function value. Note that a ﬁnite set is also a bag, namely the function assigning 1 to every element in the set and 0 otherwise. The set of all bags over S is denoted B(S). For a bag b over S and s ∈ S, b(s) denotes the number of occurrences of s in b, often called the cardinality of s in b. We use brackets to explicitly enumerate a bag and superscripts to denote cardinalities. For example, [a2 , b3 , c] is the bag with two a’s, three b’s and one c; the bag [s2 | P (s)], where P is a predicate on S, contains two elements s for 140 PNSE’13 – Petri Nets and Software Engineering every s such that P (s) holds. The sum of two bags b1 and b2 , denoted b1 + b2 , is deﬁned as [sn | s ∈ S ∧ n = b1 (s) + b2 (s)]. The diﬀerence of two bags b1 and b2 , denoted b1 − b2 , is deﬁned as [sn | s ∈ S ∧ n = (b1 (s) − b2 (s)) max 0]. Bag b1 is a subbag of b2 , denoted b1 ≤ b2 , if and only if ∀s ∈ S : b1 (s) ≤ b2 (s). A marking of a Petri net is a bag over the set of places. A transition t is enabled in a marking M , denoted by M [ti, if and only if the preset of t is a subbag of M . Firing an enabled transition t from a marking M resulting in another marking M ′ is denoted by M [tiM ′ . Marking M ′ is obtained by taking the diﬀerence between M and the preset of t and summing it with the postset of t, i.e. M ′ = M − •t + t•. Definition 4 (Transition System of a Petri net). Let N = (P, T, F ) be a Petri net, let Mi be a marking of N , and let Mo be a marking of N , then the transition system T S = T S(N, Mi , Mo ), belonging to N , is constructed as follows: – α = Mi , – ω = Mo , – S is the smallest set X, such that: • α ∈ X, ω ∈ X, and • if s ∈ X ∧ s[tis′ for some t ∈ T and s′ ∈ B(P ), then s′ ∈ X. – →= {(s1 , t, s2 ) | s1 , s2 ∈ S ∧ t ∈ T ∧ s1 [tis2 }. The language of a Petri net is the language of the transition system as constructed in Def. 4. As mentioned, we limit ourselves to WF-nets [21]. A WF-net has a unique input and output place, i.e., the preset of the input place is empty and the postset of the output place is empty. Furthermore, every transition is on a path between the input place and the output place. With T S(N ), we denote the transition system belonging to the WF-net N with unique input place i and output place o (i.e., T S(N ) = T S(N, [i], [o])). We require a WF-net to be sound [21]. Definition 5 (Soundness [21]). Let N = (P, T, F ) be a WF-net, let T S = (S, →, α, ω) be a transition system belonging to N , i.e., T S = T S(N ), then N is sound if and only if (note that α is [i] and ω is [o]): – ∀m ∈ S : (m, ω) ∈→∗ , where →∗ is the transitive closure of →, – ∀t ∈ T : ∃s, s′ ∈ S : (s, t, s′ ) ∈→. In the remainder of this paper, N denotes the set of all sound unlabelled WF-nets. Note that whenever we say WF-net the unlabelled variant is intended unless stated diﬀerently. As mentioned in the related work section, there exist approaches to compute language inclusion on the transition system. However, this computation does not need to be polynomial in the size of the Petri net. Therefore, we provide in Sect. 4 an approach to deduce language inclusion based on the structure of the Petri net. D. Schunselaar et al.: Deciding Language Inclusion for SU-WF-Nets 4 141 Approach In this section, we determine in which situations language inclusion can be eﬃciently computed on the transition system, and what can be done to avoid using the transition system in other situations. For the latter, we use our framework, i.e., when the net has certain characteristics, this net is mapped onto an alternative representation. Using a comparator, language inclusion can be decided, similar to the example given in the introduction. Whether it is computationally eﬃcient to use the transition system and, if not, which mapping can be used, depends heavily on the constructs used in the Petri nets, i.e., on the characteristics of both nets. For example, if both nets are sequential and acyclic, then language inclusion can be eﬃciently computed on the transition systems. If both nets are acyclic, then the eventually-follows relation between transitions may provide valuable information on language inclusion, where the eventually-follows relation between two transitions denote that the ﬁrst can be followed by the second. The remainder of this section is organised as follows: We ﬁrst deﬁne an abstract mapping, then introduce characteristics, and ﬁnally deﬁne a comparator. Afterwards, we revisit the used (concrete) mappings from literature. Having the concrete mappings in place, the characteristics are deﬁned, and a polynomialtime algorithm is provided to compute these characteristics on the free-choice WF-nets. Using the mappings and characteristics, we provide comparators and accompanying abstractions together, as they are tightly linked. 4.1 Abstract framework In our abstract framework, an abstraction consists of three elements: (1) a mapping function, mapping a Petri net into an abstract representation, (2) a set of characteristics denoting when this abstraction can be applied, and (3) a comparator to compare the abstract representations (mapping to the booleans). The ﬁrst and the last follow straightforward from the previous explanations, but the second requires some extra explanation and mainly on the can be applied part. We say a Petri net adheres to certain characteristics if and only if these characteristics are valid for this Petri net. This allows abstractions to be used when characteristics are added, i.e., the addition of an characteristic does not invalidate the results presented in this paper. Two diﬀerent kinds of abstractions are considered: (1) a positive abstraction between N and N ′ denoting that: If the comparator yields true, N is guaranteed to be language included in N ′ , and (2) a negative abstraction between N and N ′ denoting that: If the comparator yields false, N is guaranteed to be not language included in N ′ . This allows our framework to be more ﬂexible. 4.2 Mappings Having the abstract framework with abstractions in place, we now present the speciﬁc mappings used (based on the reasoning in Sect. 2) in the remainder of 142 PNSE’13 – Petri Nets and Software Engineering A B Fig. 2: Two WF-nets with diﬀerent languages but with the same mapping. this paper. Please note that we do not claim that these mappings are exhaustive: Other mappings may exist that allow for eﬃcient positive and/or negative abstractions that are not covered by this paper. However, these mappings (and corresponding comparator) can be easily added to our framework. The T -mapping provides us with the set of transitions from a WF-net, as explained in the introduction (we denote this set as λT (N )). The α-mapping denotes that two transitions can follow each other directly in a Petri net N , i.e., if (t1 , t2 ) is part of the mapping (denoted by λα (N )), then there is a trace in which t1 is directly followed by t2 . The ∞-mapping denotes that two transitions can follow each other eventually in a Petri net N , i.e., if (t1 , t2 ) is part of the mapping (denoted by λ∞ (N )), then there is a trace in which t1 is eventually followed by t2 . The presence of loops may be problematic for the ∞-mapping. For this reason, we also include the k-mapping (generalisation of the α-mapping), which denotes that there are at most k other activities between two transitions in a Petri net N . As such, this mapping (denoted by λk (N )) corresponds to the eventually-follows-within-k-steps-relation between transitions. As a result, transitions that occur in a loop of length of at least k are not automatically related in both ways by this mapping, e.g., assume a and b are in a loop, then (a, b) in λk (N ) but (b, a) does not need to be in λk (N ) while (b, a) would have been included in λ∞ (N ). These latter three speciﬁc mappings are all based on relations between two transitions, which poses a possible problem if a net only contains traces that contain only a single transition. Clearly, for such a net these follows relations are all empty, which yields equivalent mappings for the nets in Fig. 2. For this reason, we add artiﬁcial start and end activities (⊤, ⊥) to any net. Note that this does not limit the expressivity of the process models. 4.3 Characteristics Since our framework depends on the exact deﬁnition of the characteristics, this section deﬁnes the characteristics of sound WF-nets, and shows that we can compute these characteristics eﬃciently in case of free-choice nets. The sequential characteristic denotes that from a state ﬁring one transition, means the other transitions enabled in the state are no longer enabled. Definition 6 (Sequential Characteristic). Let N = (P, T, F ) ∈ N be a sound WF-net, let T S = (S, →, α, ω) be the transition system belonging to N , i.e., T S = T S(N ), then N is sequential if and only if: ∀t1 , t2 ∈ T, s ∈ S : ¬(•t1 + •t2 ≤ s) D. Schunselaar et al.: Deciding Language Inclusion for SU-WF-Nets 143 The acyclic characteristic denotes that it is not possible to reach a previously visited state. Definition 7 (Acyclic Characteristic). Let N = (P, T, F ) ∈ N be a sound WF-net, let T S = (S, →, α, ω) be the transition system belonging to N , i.e., T S = T S(N ), then N is acyclic if and only if: ∀n ∈ N, s0 , . . . , sn ∈ S, t1 , . . . , tn ∈ T : n < 1 ∨ s0 6= sn ∨ ∃1 ≤ k ≤ n : (sk−1 , tk , sk ) 6∈→. In general, these characteristics are deﬁned on the transition system, and may be ineﬃcient to compute. However, for free-choice nets we can compute them in an eﬃcient way, as the following theorems show. A B C Fig. 3: With the dashed place and arrows, we have a sequential construct, else not. In [1](Def. 26), a polynomial time algorithm is presented to compute the minimal structural successor between places and transitions (MSS) for a free-choice net, i.e., the minimal set of transitions and places between the execution of two transitions. For some characteristics, we require that the considered transitions can follow each other directly, thus a MSS has a size of 1, i.e., only a single place is between the transitions. Consider Fig. 3, without the dashed parts, B and C are non-sequential. However, with the dashed parts, B and C are sequential. In the ﬁrst case, the size of the MSS between A and C is 1, in the latter case the size of the MSS between A and C is 3. Theorem 1. Let N = (P, T, F ) be a sound, free-choice WF-net, then N is sequential if and only if: ∀u1 , u2 , u3 ∈ T : u1 • ∩ • u2 = ∅ ∨ u1 • ∩ • u3 = ∅ ∨ •u2 ∩ •u3 6= ∅ ∨ |MSS(u1 , u2 )| = 6 1 ∨ |MSS(u1 , u3 )| = 6 1. Proof. We need to prove: (∀t1 , t2 ∈ T, s ∈ S : ¬(•t1 + •t2 ≤ s)) ⇔ (∀u1 , u2 , u3 ∈ T : u1 • ∩ • u2 = ∅ ∨ u1 • ∩ • u3 = ∅ ∨ •u2 ∩ •u3 6= ∅ ∨ |MSS(u1 , u2 )| = 6 1 ∨ |MSS(u1 , u3 )| = 6 1). ⇒ We prove this by contradiction, assume the left-hand side is true, but the right-hand side is false, thus ∃u1 , u2 , u3 ∈ T : u1 • ∩ • u2 6= ∅ ∧ u1 • ∩ • u3 6= ∅ ∧ •u2 ∩ •u3 = ∅ ∧ |MSS(u1 , u2 )| = 1 ∧ |MSS(u1 , u3 )| = 1. From the righthand side it follows that u2 and u3 are both enabled after executing u1 (by soundness, we know u1 can ﬁre). Furthermore, u2 and u3 can ﬁre directly after u1 by the M SS, and because their presets are disjoint there is no ordering between u2 and u3 . Hence, there is a state s such that •u2 +•u3 ≤ s. ⇐ Again we prove this by contradiction, assume the right-hand side is true, but the left-hand side is false, thus ∃t1 , t2 ∈ T, s ∈ S : •t1 + •t2 ≤ s. Since 144 PNSE’13 – Petri Nets and Software Engineering we have a sound WF-net, we start with a single token in the input place. This means there is a sequence of transitions to reach a state s where two transitions are enabled say t1 and t2 , let s be the ﬁrst state. Then there is a transition t to reach state s, let t ﬁre from state s′ , i.e., s′ [tis. By the fact that t1 and t2 can ﬁre directly from s, we know that |MSS(t, t1 )| = 1 and |MSS(t, t2 )| = 1. Now it remains to prove that the ﬁrst 3 clauses are false, that is: u1 • ∩ • u2 6= ∅ and u1 • ∩ • u3 6= ∅ and •u2 ∩ •u3 = ∅. • Assume t • ∩ • t1 = ∅, this means that s′ [ti and s′ [t1 i. Then there are two options: •t + •t1 ≤ s′ , this means s′ is an earlier state in which two transitions are enabled (not possible by assumption), and ¬(•t + •t1 ≤ s′ ). We now obtain by free-choiceness that •t = •t1 . From the fact that t1 is still enabled after ﬁring t, and the fact that t • ∩ • t1 = ∅, we obtain that •t + •t1 ≤ s′ , this is not possible due to the free-choiceness and soundness as this allows t1 to ﬁre twice, and hence (by free-choiceness) it is possible to mark the output place with two tokens. • The proof for t • ∩ • t2 goes analogous. • We only have the case where •t1 ∩ •t2 6= ∅, thus •t1 = •t2 . Again by soundness and free-choiceness it follows that t1 can ﬁre twice from state s, hence it is not sound. ⊔ ⊓ Theorem 2. Let N = (P, T, F ) be a sound, free-choice WF-net, then N is acyclic if and only if: ∀t1 , . . . tn ∈ T : •t1 ∩ tn • = ∅ ∨ (∃1 ≤ k < n : tk • ∩ • tk+1 = ∅). Proof. We need to prove: (∀n ∈ N, s0 , . . . , sn ∈ S, t1 , . . . , tn ∈ T : n < 1 ∨ s0 = 6 sn ∨ ∃1 ≤ k ≤ n : (sk−1 , tk , sk ) 6∈→) ⇔ (∀t1 , . . . tn ∈ T : •t1 ∩ tn • = ∅ ∨ (∃1 ≤ k < n : tk • ∩ • tk+1 = ∅)). ⇒ This follows from the free-choice property, i.e., as soon as we can mark a place in the preset of a transition, then this token can only be removed after this transition has been enabled. As a result, if we mark a place in the preset of a previously enabled transition, then we can do this an inﬁnite amount of times as this transition has to be able to ﬁre. Since the state-space is ﬁnite (bounded net due to soundness) this means we have a path to a previously visited state. ⇐ When we do not have a sequence of transition to mark a place again, this means as soon as this place has been marked it will never be marked again. Hence, we cannot revisit a state. ⊔ ⊓ From Thm. 1 and Thm. 2, we can conclude that, for free-choice WF-nets the characteristics can be eﬃciently computed, i.e., in polynomial time. As a result, we can use these characteristics in our framework. D. Schunselaar et al.: Deciding Language Inclusion for SU-WF-Nets 4.4 145 Abstractions This section builds on the previous sections by presenting concrete instantiations of the framework, consisting of selected abstractions, that can be used to eﬃciently decide language inclusion for nets with certain characteristics. Therefore, in the remainder, we display diﬀerent approaches, each tailored towards nets with certain characteristics. We start with the approach which does not require an abstraction of the Petri net. No abstraction needed In case the Petri net is sequential and free-choice, the transition systems will not suﬀer from the state-space-explosion problem. For this reason, we do not need an abstraction, as we can eﬃciently decide the language inclusion problem on the transition systems. Negative abstraction using T -mapping The following negative abstraction is valid for all sound WF-nets. Definition 8 (T -Comparator). Let N = (P, T, F ) and N ′ = (P ′ , T ′ , F ′ ) be sound WF-nets, let λT be the T -mapping, then λT (N ) ≤T λT (N ′ ) if and only if: λT (N ) ⊆ λT (N ′ ) Theorem 3. (λT , ≤T , ∅) is a negative abstraction. Proof. As both nets are sound WF-nets, all transitions of N are included L(N ). That is, for every t ∈ T there exists a trace σ ∈ L(N ) such that t ∈ Clearly, if there exists a transition t ∈ T such that t 6∈ T ′ , then the traces in that contain t are not traces of N ′ . Hence, language inclusion cannot hold. in σ. N ⊔ ⊓ Negative abstraction using α-mapping The following negative abstraction is also valid for all sound WF-nets. However, to our knowledge, only for freechoice WF-nets there is a polynomial-time algorithm to compute the α-mapping. Hence we can use the negative abstraction to eﬃciently decide language inclusion either if we have a free-choice net or if the required α-mappings are given. Definition 9 (α-Comparator). Let N = (P, T, F ), N ′ = (P ′ , T ′ , F ′ ), be sound WF-nets, let λα be the α-mapping, then λα (N ) ≤α λα (N ′ ) if and only if: λα (N ) ⊆ λα (N ′ ) Theorem 4. (λα , ≤α , ∅) is a negative abstraction. Proof. We need to prove that ¬(λα (N ) ≤α λα (N ′ )) ⇒ ¬(L(N ) ⊆ L(N ′ )) which can be rewritten to L(N ) ⊆ L(N ′ ) ⇒ λα (N ) ≤α λα (N ′ ) which follows straightforward from the deﬁnition of λα . ⊔ ⊓ Theorem 4 yields the following result: Given two sound WF-nets and their corresponding α-mappings, Def. 9 can be computed in polynomial time. Hence, Thm. 4 yields in polynomial time whether the language is not included, i.e., if 146 PNSE’13 – Petri Nets and Software Engineering B A C D A B D Fig. 4: Two process models where we have a false positive w.r.t. language inclusion if we simply use inclusion of the α-relation. λα (N ) ⊆ λα (N ′ ) yields false then the inclusion does not hold. In case no αmapping is provided, we can, for free-choice WF-nets, compute the α-mapping eﬃciently and determine if language inclusion does not hold. Using the α-mapping, we did not obtain a positive abstraction, as we cannot do an inclusion of the relations between the diﬀerent process models. Consider the models in Fig. 4. Here, it is easy to see that the relations of the righthand model are a subset of left-hand model. That is, in the left model we have the relations λα (N ) = {(A, B), (A, C), (B, C), (C, B), (B, D), (C, D)}, and in the right model we have the relations: λα (N ′ ) = {(A, B), (B, D)}. However, the word ABD is included in the right model, but not in the left model. The problem is that we are omitting related activities, e.g., the A is followed, in Fig. 4, by a C, while with omitting relations, we also omit these dependencies. Consider Fig. 5, at the bottom, for both models, we have transformed the parallel execution into a sequential execution such that λα (right model) ⊆ λα (left model). In the top two models, we have done the same, but this yields a model allowing words not possible in the other model. So, we need to ﬁnd an inclusion operator, which can either diﬀerentiate between both models or considers both models not to be included in the other. In the ﬁrst case, we have false negatives (see bottom model), in the second case, we have false positive (see top model). The problem is: The α-mapping considers two activities exclusive if they cannot follow each other directly. Hence, we have to look at the transitivity of these relations. Positive abstraction using ∞-mapping In case the WF-net is acyclic, we can use the ∞-mapping instead of the α-mapping. Using this mapping, we can compute the transitive closure of the α-relations to deduce the relations between all activities. However, similar to the α-mapping, a simple inclusion of the sets is not strong enough to deduce language inclusion. Therefore, we need an approach which takes into account the alternatives between diﬀerent activities. Alternative activities are activities which do not occur together in a trace. So, if an activity does not occur in a word, then an alternative activity occurs in that word. Theorem 5. Let N = (P, T, F ) be a sound acyclic free-choice net, then: ∀a ∈ T, σ ∈ L(N ) : a 6∈ σ ⇒ ∃b ∈ T : b ∈ σ ∧ (a, b) 6∈ λ∞ (N ) ∧ (b, a) 6∈ λ∞ (N ). Proof. Assume there is an a ∈ T and a 6∈ σ (by soundness we know a can be executed). This means there is a choice to not execute a. Since we have freechoice nets, this means somewhere there are two transitions t1 , t2 (•t1 = •t2 ), D. Schunselaar et al.: Deciding Language Inclusion for SU-WF-Nets 147 B F A B D C C A H D G E F G H E B A C A B D E C E D Fig. 5: Using the α-relation, we cannot diﬀerentiate between valid transformations from parallel to sequential (bottom) and invalid transformations from parallel to sequential (top). A B ⊤ ⊥ A C D B ⊤ C ⊥ D A C D B ⊤ ⊥ Fig. 6: The left and middle model are language included in the right model without clause 3 in Def. 10. such that after t1 a can still follow, but after executing t2 a cannot follow. Due to the fact that the net is acyclic and free-choice, a cannot precede t2 , i.e., if a can, via ﬁring some transitions, mark the preset of t2 then also the preset of t1 is marked and hence a can execute again. Since a is not in σ, we have chosen t2 , and thus t2 ∈ σ. Also because a cannot follow t2 , and t2 cannot follow a, (a, t2 ) 6∈ λ∞ (N ) ∧ (t2 , a) 6∈ λ∞ (N ). ⊔ ⊓ Now the comparator denotes that the activities have to be the same, the relations have to be a subset (similar to Def. 9), and there is always at least one alternative activity remaining. We have to require clause 3, as this allows us to only remove alternative activities. Consider Fig. 6, the lower model is language included in the right model, and this is valid since an alternative activity for B (namely C) follows A. However, the left model is not language included in the lower model, as there is no alternative activity for C following A. Without clause 3, the comparator would have denoted that the left model is included in the lower model. 148 PNSE’13 – Petri Nets and Software Engineering Definition 10 (∞-Comparator). Let N = (P, T, F ), N ′ = (P ′ , T ′ , F ′ ) be sound FC-nets adhering to the {Acyclic} characterisation, let λ∞ be the ∞mapping, then λ∞ (N ) ≤∞ λ∞ (N ′ ) if and only if: 1. T = T ′ 2. λ∞ (N ) ⊆ λ∞ (N ′ ) 3. (∀(a, b) ∈ λ∞ (N ′ ) : (a, b) ∈ λ∞ (N ) ∨ (b, a) ∈ λ∞ (N ) ∨ (∃c ∈ T : ((a, c) ∈ λ∞ (N ) ∨ (c, a) ∈ λ∞ (N )) ∧ (b, c) 6∈ λ∞ (N ′ ) ∧ (c, b) 6∈ λ∞ (N ′ ))) Theorem 6. (λ∞ , ≤∞ , {Acyclic}) is a positive abstraction. Proof. We need to prove: λ∞ (N ) ≤∞ λ∞ (N ′ ) ⇒ L(N ) ⊆ L(N ′ ). We prove this by contradiction, thus L(N ) 6⊆ L(N ′ ) but λ∞ (N ) ≤∞ λ∞ (N ′ ). By deﬁnition, this means there is a trace σ ∈ L(N ) such that σ 6∈ L(N ′ ). Now it remains to prove that this σ does not exist. We prove this by induction on the preﬁx of the trace. Let σ = ht1 , . . . , tk−1 , tk , . . . , tm i be a trace, the preﬁx of σ (denoted by σprefix ) are transitions before position k (i.e., σprefix = ht1 , . . . , tk−1 i). It remains to show that if the preﬁx of σ corresponds to a preﬁx of a trace σN ′ ∈ L(N ′ ) then tk has to be directly executable in N ′ after having executed this preﬁx. Base case k = 1. In this case, the preﬁx is empty and by deﬁnition we always start with an unique start activity, hence both models can execute ⊤. Inductions hypothesis: assume σprefix = ht1 , . . . tk−1 i corresponds to a preﬁx of a trace in N ′ , then there are two options: (1) tk cannot follow σprefix in N ′ , or (2) tk cannot follow σprefix directly in N ′ , i.e., there is at least on transition in between σprefix and tk . (1) If tk cannot follow σprefix in N ′ , then either tk 6∈ T ′ (not possible due to clause 1) or there is an alternative activity ti ∈ σ (Thm. 5). Note that this alternative activity has to be in σprefix , because else from σprefix it cannot follow that tk cannot follow σprefix in N ′ . This latter option cannot happen due to clause 2 (else (ti , tk ) ∈ λ∞ (N ) but (ti , tk ) 6∈ λ∞ (N ′ )). Hence tk must be able to follow σprefix in N ′ . (2) When tk cannot directly follow σprefix this means there is an activity between σprefix and tk in N ′ . We denote this activity with b ∈ T ′ . We know that (b, tk ) ∈ λ∞ (N ′ ) but also that (tk , b) 6∈ λ∞ (N ′ ) (else b does not need to be between σprefix and tk , by free-choiceness and soundness). Furthermore, by the absence of loops and soundness, we know that b 6∈ σprefix (else b can be followed by b in N ′ ). Then there are two options; (a) either b can follow σprefix in N , or (b) b cannot follow σprefix in N . (a) Since (tk , b) 6∈ λ∞ (N ′ ) it follows from clause 2, that (tk , b) 6∈ λ∞ (N ). This means that if b can follow σprefix in N , it has to be executed before tk is executed. In σ this is not the case, i.e., there is no activity executed between σprefix and tk , and Thm. 5 yields that there has to be an alternative activity for b in σ (note that it does not need to be an alternative activity for b in N ′ ) and by free-choiceness it has to be before tk , thus in σprefix . From this it follows that b cannot follow σprefix in N . We only need to prove that part (b) yields a contradiction. D. Schunselaar et al.: Deciding Language Inclusion for SU-WF-Nets 149 (b) Thm. 5 yields that somewhere we have made a choice in σprefix to not execute b in N , we call the activity after making this choice a. Since σprefix can be followed by b in N ′ , we obtain that (a, b) ∈ λ∞ (N ′ ), but also (a, b) 6∈ λ∞ (N ) (note that (b, a) 6∈ λ∞ (N ), since this violates the acyclic property). From clause 3, we obtain there has to be an activity c such that (a, c) ∈ λ∞ (N ) ∨ (c, a) ∈ λ∞ (N ) and (b, c) 6∈ λ∞ (N ′ ) ∧ (c, b) 6∈ λ∞ (N ′ ). Finally, from Thm. 5, we obtain that there has to be an alternative activity for b in σ, which c also is. Now it remains to show that c is in σprefix . By free-choiceness, we obtain that c has to be executed before tk . If c can be executed after tk , then dependent on the activities chosen before tk , c can either be executed or not, which violates the free-choice property. Since (c, tk ) ∈ λ∞ (N ), it follows that c has to be in σprefix , and thus no b can be between σprefix and tk in N ′ . From this it follows that both models can execute tk directly after preﬁx σprefix , and hence both models are able to perform σ (note that termination is taken care of by including ⊥ as unique end activity) and thus it follows that σ is also in L(N ′ ). Thus by contradiction, we have shown that λ∞ (N ) ≤∞ λ∞ (N ′ ) ⇒ L(N ) ⊆ L(N ′ ). ⊔ ⊓ In case T = T ′ , we can decide language inclusion based on the ∞-mapping. However, in general it is the case that T 6= T ′ . Therefore, we extend our approach to the case in which T ⊂ T ′ . Note that we do not need to consider the case that T ′ ⊂ T as language inclusion cannot hold. In order to achieve T = T ′ , we have the following reduction on N ′ : – Remove all transitions t ∈ (T ′ \ T ) from N ′ – Remove all places not connected to any transition If the reduced net is sound then we can use Def. 10 on the transformed net with T = T ′ . It is easy to see that language inclusion is preserved as we only remove transitions not present in T , i.e., we do not reduce the language w.r.t. the overlap with T . If the resulting model is not sound, then a part of the language of N cannot be part of N ′ . Apart from showing the soundness of the abstraction using the ∞-mapping, we also want to show the completeness. This means that if the language of N is included in N ′ , then our comparator always yields true. Theorem 7. (λ∞ , ≤∞ , {Acyclic}) is complete, i.e., for two acyclic free-choice WF-nets N and N ′ , we have λ∞ (N ) ≤∞ λ∞ (N ′ ) ⇐ L(N ) ⊆ L(N ′ ). Proof. We prove this by contradiction. Assume L(N ) ⊆ L(N ′ ), but λ∞ (N ) ≤∞ λ∞ (N ′ ) does not yield true. Then, at least one of the clauses has to be false. Clause 1 and 2 follow in a straightforward way. Assume clause 1 is false, then there is an activity x ∈ T which is not in T ′ . Since T is sound, this means x occurs in at least one trace and this trace cannot occur in L(N ′ ). Assume clause 2 is false, this means there is a relation between 2 activities x, y ∈ T such that (x, y) ∈ λ∞ (N ), which is not in λ∞ (N ′ ). By deﬁnition, this means there is a word such that 150 PNSE’13 – Petri Nets and Software Engineering D C A D B A B C E E Fig. 7: Two process models where using the ∞-mapping gives a false positive. E B A D A B D C Fig. 8: Naive inclusion does not work for the k-mapping. σ = h. . . , x, . . . , y, . . .i, but this trace cannot be in L(N ′ ), else this relation was also included in λ∞ (N ′ ). Assume clause 3 is not valid, this means that: ∃(a, b) ∈ λ∞ (N ′ ) : (∀c ∈ T : ¬((a, c) ∈ λ∞ (N ) ∨ (c, a) ∈ λ∞ (N )) ∨ (c, b) ∈ λ∞ (N ′ ) ∨ (b, c) ∈ λ∞ (N ′ )) has to hold (negation of the clause 3). Recall that due to ⊤ and ⊥, λ∞ (N ′ ) cannot be empty. We choose an a and b, the universal quantiﬁer denotes that either the activity c is exclusive to a, or can occur together with b in a trace. Thus, there is no alternative for b to occur together with a in the trace. If we chose b = c then we have that either b does not occur with a in a trace in N , or (b, b) ∈ λ∞ (N ′ ) which is not possible due to the acyclicness. Thus, in N ′ a always occurs with b, while in N they are alternatives. Hence, language inclusion cannot hold. We can conclude that Thm. 7 holds, and Def. 10 is complete. ⊔ ⊓ No abstraction using the k-mapping In the most general case, when the characterisation does not pose any constraints, we have the same problems as mentioned earlier, e.g., that a simple inclusion does not work. Furthermore, we now have diﬃculties introduced by the combination of cycles and non-sequential activities, e.g., short loops in the α-mapping. Furthermore, the ∞-mapping has problems with cycles. For instance, see Fig. 7 where both models have the same ∞-mapping. However, the trace ACBDE is included in the right model, but not in the left model. Obviously, with equivalent ∞-mapping, we should have language equivalence, i.e., any comparator denotes that the sets are included in each other. Therefore, we consider the k-mapping. Again, using a naive approach, using the inclusion of relations does not work. Consider, for instance, the models in Fig. 8, where the relations in the right model are a subset of the relations in the left model. D. Schunselaar et al.: Deciding Language Inclusion for SU-WF-Nets 151 G B G C B A F D A F C D E E Fig. 9: For the k-mapping, we cannot ﬁnd a value for k such that it yields that the right model is language included in the left model, but does not yield that the left model is language included in the right model. Table 1: The framework for sound free-choice WF-nets Abstraction Characterisation Pos/Neg Complete Trans. Syst. S Pos X T ∅ Neg α ∅ Neg ∞ A Pos X The problem with looking at k elements in advance is that this k is bounded by the shortest cycle. In other words, if k is larger than the shortest cycle then activities are considered in parallel when they are in sequence. Consider Fig. 9, from which it is clear that the right model is language-included in the left model. However, if we compute the relation between the activities, we need to have a relation between C and E (because present in right model, thus k ≥ 2), but also k < 2 because h...EGC...i is a proper part of a trace due to the cycle, while this would yield that C and E are in parallel in the right model, and thus that the left model is language included in the right model. 4.5 The complete framework In Table 1, the total framework is listed. Trans. Syst. denotes that language inclusion can be eﬃciently computed on the transitions system. T is the negative abstraction only considering transitions. The negative abstraction using the αmapping is listed under α. Finally, ∞ denotes the sound and complete positive abstraction using the ∞-mapping. Under characteristics: A denotes acyclic, and S denotes sequentiality. Pos/Neg denotes if it is a positive or negative approach, and complete denotes if the approach is complete. 5 Conclusion We have presented a framework that supports the decision of language inclusion for sound unlabelled WF-nets in an eﬃcient way. Apart from the framework, 152 PNSE’13 – Petri Nets and Software Engineering we have provided a number of mappings, characterisations, and comparators to be used in the framework. If there is sequentiality present in both WF-nets, the language inclusion problem can be computed in polynomial time in terms of the underlying transition systems. If one of the WF-nets is non-sequential, then our framework may still eﬃciently decide language inclusion using a number of abstractions. The ﬁrst abstraction uses the sets of transitions: If the set of transitions of the ﬁrst net is not a subset of the set of transitions of the second, then the language of the ﬁrst net cannot be included in the language of the second net. The second abstraction uses the directly-follows relation (also called the α-relation) between transitions: If the α-relation of the ﬁrst net is not a subset of the α-relation of the second net, then the language of the ﬁrst net cannot be included in the language of the second net. The third abstraction uses the eventually follows relation (also called the ∞-relation) between transitions: If the ∞-relation of the ﬁrst free-choice net is a subset of the ∞-relation of the second free-choice net, and if some additional structural requirements hold, then the language of the ﬁrst net is included in the language of the second net. For free-choice acyclic nets this third abstraction is complete. In other words, language inclusion can only hold if the ∞-relation of the ﬁrst net is a subset of the ∞-relation of the second net, and if the additional structural requirements hold. In case of free-choice unlabelled WF-nets, all relations can be computed polynomial in the size of the WF-net. On these relations, we mainly perform containment between sets. In the third abstraction, we search for an alternative activity which, naively, entails trying every activity and adds a polynomial factor. Since each of the steps is polynomial in the size of the WF-net, we can conclude that our computations can be done polynomial in the size of the WF-net. The framework cannot eﬃciently decide on language inclusion in all cases. Especially for nets that are (1) non-sequential, (2) are cyclic or are not freechoice, and (3) for which language inclusion is known to hold, our current set of abstractions will not be able to provide an answer in polynomial time. Due to the fact that the comparators of the ﬁrst two abstraction will yield true and the preconditions of the third abstraction are not met. However, we do not claim that our framework is complete. Yet, our framework can be easily extended based on the general pattern provided with new abstractions that may provide eﬃcient answers for cases uncovered by the current abstractions: Given an abstraction, a characterisation, and a comparator, a positive (like the third abstraction) or negative (like the ﬁrst two abstractions) abstraction can be formulated. In some cases, our abstractions can easily be applied to general Petri nets. However, there does not exist, to our knowledge, a polynomial time algorithm to compute the abstractions on general nets. One can argue that computing the abstractions means analysing the behaviour in part or in full. In the future, we plan to extend our framework with abstractions that also can deal with labelled WF-nets and with nets that are cyclic, for example by considering abstractions based on block-structured nets. For block-structured D. Schunselaar et al.: Deciding Language Inclusion for SU-WF-Nets 153 nets (with a single entry and a single exit), the relations (like α and ∞) between transitions can often be derived eﬃciently from the block-structure. Furthermore, we want to quantify the diﬀerence between two languages based on our framework, i.e., if language inclusion does not hold, what portion of the language in not included, and which part of the net is the main reason the language is not included. This can then be used as a quantiﬁcation measure of inclusion between nets, and as a diagnostic result that can be used to align nets in such a way that language inclusion will hold. References 1. Weidlich, M., Werf, J.M.E.M.v.d.: On Proﬁles and Footprints - Relational Semantics for Petri Nets. [22] 148–167 2. Glabbeek, R.J.v., Weijland, W.P.: Branching Time and Abstraction in Bisimulation Semantics. Journal of the ACM (JACM) (1996) 3. Kunze, M., Weidlich, M., Weske, M.: Behavioral Similarity - A Proper Metric. In Rinderle-Ma, S., Toumani, F., Wolf, K., eds.: BPM. Volume 6896 of Lecture Notes in Computer Science., Springer (2011) 166–181 4. Aalst, W.M.P.v.d., Adriansyah, A., Dongen, B.F.v.: Causal Nets: A Modeling Language Tailored towards Process Discovery. In Katoen, J.P., König, B., eds.: CONCUR. Volume 6901 of Lecture Notes in Computer Science., Springer (2011) 28–42 5. Schunselaar, D.M.M., Verbeek, H.M.W., Aalst, W.M.P.v.d., Reijers, H.A.: Creating Sound and Reversible Conﬁgurable Process Models Using CoSeNets. In Abramowicz, W., Kriksciuniene, D., Sakalauskas, V., eds.: BIS. Volume 117 of Lecture Notes in Business Information Processing., Springer (2012) 24–35 6. Clarke Jr., E.M., Grumberg, O., Peled, D.A.: Model Checking. The MIT Press (1999) 7. Abdulla, P.A., Chen, Y.F., Holík, L., Mayr, R., Vojnar, T.: When simulation meets antichains. In Esparza, J., Majumdar, R., eds.: TACAS. Volume 6015 of Lecture Notes in Computer Science., Springer (2010) 158–174 8. Dill, D.L., Hu, A.J., Wong-Toi, H.: Checking for language inclusion using simulation preorders. In Larsen, K.G., Skou, A., eds.: CAV. Volume 575 of Lecture Notes in Computer Science., Springer (1991) 255–265 9. Aalst, W.M.P.v.d., Weijters, A.J.M.M., Maruster, L.: Workﬂow Mining: Discovering Process Models from Event Logs. IEEE Transactions on Knowledge and Data Engineering 16(9) (2004) 1128–1142 10. Badouel, E.: On the α-reconstructibility of workﬂow nets. [22] 128–147 11. Wen, L., van der Aalst, W.M.P., Wang, J., Sun, J.: Mining process models with non-free-choice constructs. Data Mining and Knowledge Discovery 15(2) (2007) 145–180 12. Weidlich, M., Polyvyanyy, A., Mendling, J., Weske, M.: Causal Behavioural Proﬁles - Eﬃcient Computation, Applications, and Evaluation. Fundamenta Informaticae 113(3-4) (2011) 399–435 13. Weidlich, M., Polyvyanyy, A., Desai, N., Mendling, J., Weske, M.: Process compliance analysis based on behavioural proﬁles. Information Systems 36(7) (2011) 1009–1025 154 PNSE’13 – Petri Nets and Software Engineering 14. Smirnov, S., Weidlich, M., Mendling, J.: Business process model abstraction based on behavioral proﬁles. In Maglio, P.P., Weske, M., Yang, J., Fantinato, M., eds.: ICSOC. Volume 6470 of Lecture Notes in Computer Science. (2010) 1–16 15. Dongen, B.F.v., Mendling, J., Aalst, W.M.P.v.d.: Structural Patterns for Soundness of Business Process Models. In: EDOC, IEEE Computer Society (2006) 116– 128 16. Mendling, J., van Dongen, B.F., van der Aalst, W.M.P.: On the degree of behavioral similarity between business process models. In Nüttgens, M., Rump, F.J., Gadatsch, A., eds.: EPK. Volume 303 of CEUR Workshop Proceedings., CEURWS.org (2007) 39–58 17. Solé, M., Carmona, J.: A High-Level Strategy for C-net Discovery. In Brandt, J., Heljanko, K., eds.: ACSD, IEEE Computer Society (2012) 102–111 18. Desel, J.: Validation of process models by construction of process nets. In Aalst, W.M.P.v.d., Desel, J., Oberweis, A., eds.: BPM. Volume 1806 of Lecture Notes in Computer Science., Springer (2000) 110–128 19. Lautenbach, K.: Liveness in Petri Nets. Internal Report of the Gesellschaft für Mathematik und Datenverarbeitung. Bonn, Germany, ISF/75-02-1 (1975) 20. Desel, J., Esparza, J.: Free Choice Petri Nets (Cambridge Tracts in Theoretical Computer Science). Cambridge University Press (1995) 21. Aalst, W.M.P.v.d.: Veriﬁcation of Workﬂow Nets. In Azéma, P., Balbo, G., eds.: ICATPN. Volume 1248 of Lecture Notes in Computer Science., Springer (1997) 407–426 22. Haddad, S., Pomello, L., eds.: Application and Theory of Petri Nets - 33rd International Conference, PETRI NETS 2012, Hamburg, Germany, June 25-29, 2012. Proceedings. In Haddad, S., Pomello, L., eds.: Petri Nets. Volume 7347 of Lecture Notes in Computer Science., Springer (2012) Introducing Catch Arcs to Java Reference Nets Lawrence Cabac, Michael Simon University of Hamburg Faculty of Mathematics, Informatics and Natural Sciences Department of Informatics {cabac,9simon}@informatik.uni-hamburg.de http://www.informatik.uni-hamburg.de/TGI Abstract. Modeling plays an important role during design and development of systems and processes. Petri nets allow for well-deﬁned models that can be executed. For the implementation of these systems, however, still normal programming languages are used. In contrast, modeling languages – also if executable, such as Petri net formalisms – are not deemed ﬁt for implementation. Besides the pragmatic power, one thing that modern programming languages oﬀer and which Petri net formalisms are missing, is exception handling. In this paper we present an approach that includes exception handling for Java reference nets. Our goal is to make the designed systems more robust and reliable. As a consequence, such executable models can be cleanly integrated into real execution environments. Our approach provides the information of an exception being thrown to the level of modeling. We are thus able to model the exception handling explicitly within the model as it is done in many modern programming languages. This extension is conservative and does not alter the normal behavior of the model, leaving the Petri net semantics untouched. We discuss several possible extensions to our approach with respect to the modeling possibilities, the ease of implementation and their pragmatic usefulness. Keywords: High-Level Petri Nets, Reference Nets, Exceptions, Catch Arcs, Renew 1 Introduction High-level Petri net formalisms have often been extended by new primitives. This has been done mostly to improve modeling possibilities. The aim has been to increase comprehensiveness and compactness as in the case of test arcs and inhibitor arcs (see [2]) or flexible arcs (see [8]). We introduce a catch arc as a new primitive, in order to raise the tightness of integration with the inscription language. By this we improve the robustness of our executable models. With the new construct we are able to handle exceptions that might occur during execution of the model. 156 PNSE’13 – Petri Nets and Software Engineering Renew1 has been missing the possibility to handle exceptions on the model level, since it has been created. In this paper, we introduce a new kind of arc – the catch arc – which fills that gap. Its functionality is straight forward: if an exception is thrown during the execution of a transition inscription (in our case Java code) while firing, the exception object is put into the connected place. From this point, the exception can be treated in the model in an appropriate way. This is the reason why we call this arc a catch arc. The arc initiates a sequence of code that – in analogy to a catch statement in Java – follows the catch statement. If no exception occurs, the normal Petri net semantics is followed and the catch arc does not produce any token. We discuss in detail why this arc is suitable for handling exceptions and how the firing of a transition should be aborted on encountering an exception. Furthermore, we discuss a way to implement handling of exceptions that are thrown in one net without having to catch them all separately. The structure of the paper is as follows: we introduce the catch arc and discuss its behavior by the means of Petri net modeling in Section 2. This is the central concept of this paper. Section 3 presents the complex process of the firing of a transition in Renew. It shows the inability to fully abort a transition firing and the consequent limitations on extensions of the Java reference net formalism. These limitations motivate the try arc as a solution. Section 4 introduces the try arc and discusses how a transition firing can be reverted after an exception. Section 5 presents ways to isolate the tokens involved in an erroneous firing for exception handling. Using the catch arc alone is compared to using it in combination with a try arc. Section 6 discusses the (conservative) extension of the catch arc by an expression whose result gets returned on catching an exception. In Section 7 we extend the notion of exception handling from transitions to net instances. 2 The Catch Arc We extend reference nets [6] by adding catch arcs that put an exception into a place as object reference, if one occurred. Avoiding uncaught exceptions in action inscriptions is very complicated: the modeler would need to make sure that all action inscriptions only call Java methods that do not throw exceptions. This is not feasible, as the standard Java methods and well-written Java classes rely heavily on throwing exceptions. We do not want to worry about exceptions in every action inscription, but would rather prefer to have a simple way to handle those in general without having to consider each possible error case. Up until now, the possibility of an exception being thrown was simply not covered by the reference net formalism. Thus, such an event was outside the scope of well-defined behavior of the simulator. On encountering an exception, the ingoing arcs would consume the bound tokens, but no token would be put out by the outgoing arcs. The simulator would log the incident, but ignore it 1 Renew: The Reference Net Workshop [7], http://www.renew.de L. Cabac and M. Simon: Introducing Catch Arcs to Java Reference Nets 157 in any other regard. By adding the possibility to catch and handle exceptions we pull this behavior into the model level. The behavior of the Petri net models itself is not changed as long as no exception occurs. Unfortunately, there is no easy and clean way to completely reset a transition that has already begun to fire, as we will discuss in Section 4. Fig. 1. Usage example. Fig. 1 shows a typical use-case where catch arcs enable the modeler to express safe code with a few simple net elements, instead of modeling complex structures or exporting the error handling functionality to Java helper code. The catch arc can be identified by the catch inscription. The tokens in the places on the left are given, but they may also be dynamically derived by other net segments, for example through a user input dialogue. It is very difficult to ensure that all input tokens to the transition are valid. In this case, there are also external factors that determine the outcome of the action inscription as dbUrl is the URL of a database to open, which might not be available. In a scenario like this, catching exceptions is unavoidable to have a stable system. As already mentioned above, usually the handling of the possibly thrown exceptions is implemented in Java helper code that encapsulates the opening of the connection and catches exceptions on that level. With the catch arc we are not only able to pull the exception handling up to the model level, we also reduce the implementation of wrapper code. In fact, we are able to treat the exceptions as first order concepts within our models. The reference net depicted in Fig. 2 illustrates the operational semantics of catch arcs. The transition holds an action inscription which converts a String into an Integer object. Naturally, this operation throws an exception, if the conversion cannot be achieved due to an invalid argument. Fig. 3 shows the result of executing the net in Fig. 2. The String 6 can be converted to an Integer which is put into output, while the attempt to convert foo throws NumberFormatException which is put out by the catch arc. 158 PNSE’13 – Petri Nets and Software Engineering Fig. 2. Example of a safe String to Integer conversion with a catch arc. Fig. 3. Executed instance of the net in Fig. 2. Fig. 4 is a conceptual model showing the execution semantics of the catch arc, simulated by a reference net model and some possible Java code. This model illustrates the implementation of the catch arc. The ExHandler.wrap(String) method returns the same result as the expression given as String, if no exception is thrown. Otherwise, it returns the thrown exception. Fig. 4. Net without catch arcs behaviorally equivalent to Fig. 2. The transition String to Integer conversion in Fig. 4 is a refinement of the one in Fig. 2. The ExHandler.wrap(String) method is not implemented, but serves to illustrate how a wrapper that catches any error and returns it, or the result would be used to emulate the behavior of catch arcs. The catch arc itself serves as a clear identifier of where the control flow for exception handling starts. All transitions that are dependent on the exception output token, are part of the exception handling control flow. By directing a L. Cabac and M. Simon: Introducing Catch Arcs to Java Reference Nets 159 catch arc to a place that is only used for exceptions, it is easy to separate the control flow. Even though it is made easy, it is up to the modeler to separate the exception handling parts of a reference net from the rest, like any other software architecture design decisions. This is analogous to the catch block of a try-catch-construct in a textual programming language: what is done inside is up to the programmer. There is no difference between code that can be executed inside the catch block or outside. Still it is good practise to separate exception handling code from other code. The place to which a catch arc leads should be regarded in the same way as a catch block in a textual programming language. We implemented an extension to the catch arc, allowing it to be accompanied by an expression. This is further discussed in Section 6. Another possible improvement of the catch arc would be the ability to declare the class of the exception to catch. This would deepen the analogy with the common try-catch programming language construct and would simplify the implementation of different ways to handle different exceptions. On the other hand, this behavior is easy to achieve with guards that check the exception types. These would be inscribed to the transitions which handle the exceptions. Because of the flexibility that guard inscriptions offer, there is no need to catch only some types of exceptions. This refinement of the catch arc could be implemented by an expression that is given as an argument to the catch inscription. It has to evaluate to a (sub)class of java.lang.Throwable (the exception rootclass). A finally statement is not needed in the extended Java reference net formalism. In Java it represents a section of code that is inserted into the control flow of the erroneous as well as the normal execution. It is executed in all cases. In the Java reference net formalism the control flow is explicitly modeled. The catch arcs start the control flow of the erroneous case and the normal output arcs start the control flow of the normal case. In Fig. 2 there is either one token put out to output, or to exception. To introduce some code that gets executed as a finally statement, we introduce a transition that is fired for every token in both places. This can be done using only classic Java reference net elements. 3 Firing a Transition in Renew Table 1 provides an overview of the different steps of Renew’s internal algorithm which fires transitions (compare with [6, Sec. 14.7]). We did not change this algorithm in any arc implementations presented in this paper. Before a transition is fired, a valid binding has to be found in phase 0. During the actual firing, the early executables are applied first. In phase 1 the early executables which mostly represent the ingoing arcs and test arcs, need to lock the associated places. This ensures that the tokens can not be taken by another transition firing. Then they verify that they can still be applied, as concurrent changes to the net instance state could have invalidated the found binding (phase 2). After this, the early executables can finally be executed (phase 3). Then the locks are unlocked again (phase 4) and the firing of the transition is already reported as successful, since the firing can not be aborted anymore (phase 5). In the end, the late executables 160 PNSE’13 – Petri Nets and Software Engineering 0 1 2 3 4 5 6 Binding search (before ﬁring) Lock early executables Verify possibility of applying early executables Execute early executables Unlock early executables Report success Execute late executables Table 1. Order of steps when successfully ﬁring a transition in Renew. can be executed (phase 6). They mostly represent outgoing arcs and action inscriptions. If an exception is thrown while searching for a valid binding of a transition, the corresponding search branch is discarded and the transition will never fire that binding. Phase 0 from Table 1 is never left. If an early executable leads to an exception in phase 2 or 3, the firing of the transition is aborted. In a case where Java code is in an action inscription, on the other hand, it is not evaluated in the binding search (phase 0), but in a late executable (phase 6) after a valid binding was found. The firing can not be reverted and the exception has to be thrown. Early executables are designed to model actions that can be aborted and reverted. They are executed first, so that as much error cases as possible lead to a rollback. Late executables, on the other hand, model actions that can not be reverted. Semantically these can not fail, but they can in practice, if they are not modeled safely, e.g., if an action inscription throws exceptions. Safe modeling is very complex and almost never achieved in practice. Thus, it might be tempting to move as much unsafe actions as possible into the early executables, so that the classic reference net semantics are never violated. However, a transition firing attempt should only be reverted, if the current binding can not be found again. This is possible, if the state of the net instance has evolved after the binding search. An example is a token that is consumed by another thread between the binding search and the current attempt to fire. In this case, the early executable representing the input arc will fail and cause a rollback. On the other hand, if there would be a case, where the current binding can be found again, the Renew simulator would attempt to fire it in an infinite loop. Since in the existing Renew implementation without any new arc implementations all changes of this firing are reverted, this firing itself can not change the net instance’s state. For a modeler who wants to use catch arcs, only action inscriptions are of concern. The exceptions thrown by all other inscribed Java code are already dealt with in the binding search. Renew does not fire bindings that lead to exceptions in the binding search. L. Cabac and M. Simon: Introducing Catch Arcs to Java Reference Nets 4 161 Resetting a Transition Firing after an Exception It is possible to avoid infinite loops when resetting a transition. One way to achieve this, is to have a special token which is consumed if an exception occurs. If only one such token existed, this binding can not be found again until another transition returns it. We created an experimental implementation of this exception input arc, called the try arc. The existence of a try arc does not change the behavior of the classic late executables after an exception has been thrown. This includes that no tokens are put out. Thereafter, the early executables are rolled back, as if the exception had been thrown inside one of them. The try arc does nothing when executed normally, but consumes the bound token when rolled back. This behavior is the reverse of the normal input arcs. With this extension of the simulator the late executables behave like the early executables, because we have implemented a way to revert them. Unfortunately, the possibilities of the try arc have their limits. Action inscriptions with side effects are not handled correctly. In this case, the transition would look reverted, but the side effects could still have occurred. Fig. 5. Net in Fig. 2 extended by a try arc. Fig. 6. One possible executed instance of the net in Fig. 5. Fig. 5 extends the net in Fig. 2 by a try arc. Fig. 6 shows one of two possible executions of this net. In this execution the transition String to Integer conversion was first fired with the string 6 as input. Then foo was tried and the exception has been put out by the catch arc. The corresponding exception class token has been consumed and the rest of the transition firing has been reverted. 162 PNSE’13 – Petri Nets and Software Engineering For this reason, the foo token is put back. The other possible execution of this net is that foo is tried first. In that case, the exception class is removed before 6 can be tried. Fig. 7. Net without try arcs behaviorally equivalent to Fig. 5. In Fig. 7 you can see that the behavior of try arcs can be emulated in the classic Java reference net formalism, extended only by catch arcs. In contrast to the net in Fig. 4, which was used to illustrate the semantics of catch arcs, we do not need any special, difficult to implement wrapper functionality in the Java inscriptions. In fact, this net is executable. First, one of the two strings is taken from input by store backup and passed on as str. The same string is put to the place below as strBak. The places in the triangle between store backup, inner String to Integer conversion and no ex can only hold one token in total at any time. The transition inner String to Integer conversion takes the string, attempts to convert it to an integer and returns the integer to output, or the thrown exception to exception. On the inside, it either returns a generic token to the white place in the lower left, or the catch arc returns another Java reference of the exception to the lower red place. Depending on this outcome, either no ex fires, consumes the just processed input string as strBak and returns the generic token to the place in the triangle, where it was originally, or ex handling fires and puts the input string back to input. In this process, it consumes the class token in try class. If this token is no longer present, store backup can not fire, because of the test arc to try class. This models the inability of String to Integer conversion in Fig. 5 to fire, if the try arc can not bind to an exception class token. Like no ex, ex handling also puts back the generic token. This would enable store backup to fire again, if try class contained another exception class token. The model in Fig. 7 is only behaviorally equivalent to Fig. 5, if there are only Java references to one exception class in try class. It is more flexible, if we want L. Cabac and M. Simon: Introducing Catch Arcs to Java Reference Nets 163 to use more than one class of exceptions as possible token for the try arc. In our current experimental try arc implementation, the try arc is first bound to an exception class token, before the transition starts firing (in phase 0 of Table 1). In every firing the try arc is bound to only one exception class. Thus, the try arc may not reset the transition, even if the class of the thrown exception exists as a token. One scenario, where this problem occurs, is a modification of Fig. 5 with a number of exception classes in try class. In Fig. 7, on the other hand, the ex handling transition can try every class in try class. The Renew simulator would need to be changed considerably to implement this behavior for try arcs. 5 Handling Exceptions In this chapter, we compare using the catch arc alone and along with a try arc to model exception handling. We show that the try arc does not provide a real advantage in this situation. Fig. 8. Net in Fig. 7 modiﬁed to print out error. Fig. 7 illustrates the behavior of the try arcs in Fig. 5. The fact that it is very complex, suggests that try arcs simplify error handling greatly. However, when handling the exception, one would normally want to ensure that it does not occur again. For this purpose, the involved tokens usually need to be identified and separated from the rest for special treatment. An example would be to generate feedback to calling code or the user. In Fig. 7 there is already a transition for exception handling present: ex handling. In order to generate feedback, instead of resetting the firing, we need to remove the output arc from ex handling to input, so no token is put back. We also need to change the arcs from try class to prevent the class token from being consumed. The Java code generating the output can be inscribed to ex handling. This is demonstrated in Fig. 8. 164 PNSE’13 – Petri Nets and Software Engineering If we change the net in Fig. 5 to give feedback, we have more work to do. A possible implementation is presented in Fig. 9, which is very similar to Fig. 8. In both models it is important to reconstruct which input string has induced an exception. For this purpose, the capacity of the input place is restricted to 1. In Fig. 8 there can only be one token in the triangle between store backup, inner String to Integer conversion and no ex. In Fig. 9 there can only be one token in the input place and the place below. In contrast to Fig. 8, there is no need to store another Java reference of the input token, because this token is returned if an exception occurs. For this reason, a transition such as no ex, which is fired if no exception has occurred, is also not needed. Another difference is that the exception class token in try class gets consumed in the event of an exception and has to be replaced by ex handling when the exception is handled. Fig. 9. Net with try arc modiﬁed to print out error (behaviorally equivalent to Fig. 8). 6 Catch Arc with an Expression In order to further the expressiveness and thus simplify the scenarios, in which we would like to retain the tokens involved in an erroneous transition firing, we extended the catch arc by an expression whose result is produced alongside the exception. Similar to input arc inscriptions, this expression has to be fully bound before firing, and can thus not be dependent on any action inscriptions. Fig. 10 emulates the try arc from Fig. 5. Unlike the model in Fig. 7, there is no need to limit the capacity of the input place of the transition, which can throw an exception. The involved input token can be reconstructed from the result of the catch arc’s expression, which gets returned to exception as tuple alongside the exception. L. Cabac and M. Simon: Introducing Catch Arcs to Java Reference Nets 165 Fig. 10. Net without try arcs, but with a catch arc with an expression, behaviorally equivalent to Fig. 5 and 7. Fig. 11. Net in Fig. 10 modiﬁed to print out error (behaviorally equivalent to Fig. 8). Fig. 12. Instance of the net in Fig. 11 after ﬁring. 166 PNSE’13 – Petri Nets and Software Engineering Fig. 11 prints out an error message, exactly like the nets in Fig. 8 and 9. The token put out by the catch arc can be seen in Fig. 12, which shows an executed instance of the former net after firing the transition String to Integer conversion twice. It is a 2-tuple that consists of the thrown exception and the result of the expression. ex handling is a transition that fires after String to Integer conversion in the event of an exception. Because the transition ex handling takes in the string together with the exception, it behaves as if it had the same preset as String to Integer conversion and took the same token. If one wanted to fire a exception handling transition with all the same input token as the original transition, one could accompany the catch arc with a tuple of all input arc inscriptions. 7 Uncaught Exceptions and Exception Propagation In classic programming languages exceptions propagate outward and escape all code sections, until they are finally caught and handled. If they are not handled in program code, the program crashes on the occurrence of an exception. In Renew’s classic Java reference net formalism exceptions are logged, but otherwise ignored. All ingoing tokens are consumed and no tokens are written out. Since dependency is explicitly modeled in reference nets, it is reasonable to allow those parts of the simulation that are not dependent on the part where the exception occurred, to continue to run. However, a concept of propagating exceptions upwards through a net hierarchy, can be realised. One step of this propagation can be achieved by a transition that binds exception tokens to an uplink, so another net instance which knows the current instance, can extract the exception. Binding to a downlink would also be possible, but then the exception handling net instance must be known to the current instance. (This would more accurately be described as propagating downwards.) It is also possible to have a specific uplink channel to pass on exceptions that are not caught locally (for example :catch(e)). This can be done through a normal net channel that gets bound to all these unhandled exceptions. To achieve this, there can be one place in every net for unhandled exceptions and one transition that binds every token of this place to the uplink of the channel. All transitions without a catch arc receive one to this place. The only exception from this rule is at a transition with an uplink. The exceptions thrown by a firing that involves this transition, can be caught at the transition with the downlink. The place and the transition for unhandled exceptions could be hidden to the modeler, so they are only accessible through the channel. The catch arcs could be created automatically, where there does not already exist one in the model. If the modeler would like to manually mark an exception as unhandled (maybe because the class is not expected), she can add an uplink transition to the channel herself. L. Cabac and M. Simon: Introducing Catch Arcs to Java Reference Nets 8 167 Related Work There are many attempts to model the behavior of exceptions with various modeling languages. This kind of exception modeling includes concepts for expressing the behavior of exceptions that occur in systems. We call these exceptions model intrinsic. Examples are the exception handler in current versions of UML (Unified Modeling Language, current version 2.4.1, see [9, Sec. 12.3.23]) and the attempts to include exception handling to (hierarchical) Petri net formalisms (cf. [3] and [4]). While the above mentioned examples model the behavior of exceptions or errors, we strive for the treatment of exceptions that occur during execution of these models. We call these (execution) extrinsic exceptions. Jannach and Gut [5] discuss the possibilities of exception / error handling in current modeling languages in detail and also point out the difference between modeled exception behavior (intrinsic) and exception handling during model execution (extrinsic). On the side of exception handling of executable models they discuss (among others) the possibilities in workflow execution (e.g., offered by YAWL, compare also with [1]) and WS-BPEL. The focus lies in both cases on the cancellation of processes / workflows and the compensation of undesired results. Cancellation of processes (or process regions) as by the cancel arc in YAWL is tightly related to clear arcs (reset arcs) in Petri net formalisms (i.e. Reset Nets). However, the cancellation / exception trigger comes from within the model – a cancel task has to be modeled explicitly and triggered. In our approach we tighten the integration of the executed model and the underlying expression language. 9 Conclusion and Future Works We presented an approach and a first implementation of the exception handling as an extension of the Java reference net formalism and the Renew simulation engine. The catch arc behavior can be expressed by a combination of net refinement and code wrapper implementation. Our first approach which has been implemented within Renew, constitutes already a powerful and also conservative extension to the execution semantics of Java reference nets. The try arc was discussed as a possible further extension. It was introduced and motivated by the idea of resetting a erroneous transition firing. We have shown that it does not add much to the expressiveness of the formalism in the context of exception handling. We do not plan to incorporate it in our practical implementation. The possibility of adding an expression to a catch arc whose result is returned alongside the exception, is a conservative extension of the original catch arc concept. In difference to the try arc, it greatly adds to the expressive power. It can be used to provide relevant details of the binding, in which a firing of a transition failed and allows for concise net models for detailed exception handling. This concept can also effectively emulate the resetting of an erroneous transition firing and thus, supersedes the try arc concept. Especially the questions of exception propagation in reference net systems and the adequate compensation modeling is, however, not satisfyingly resolved and needs to be further investigated. 168 PNSE’13 – Petri Nets and Software Engineering References 1. Michael James Adams. Facilitating dynamic flexibility and exception handling for workflows. PhD thesis, Queensland University of Technology, 2007. 2. Søren Christensen and Niels Damgaard Hansen. Coloured petri nets extended with place capacities, test arcs and inhibitor arcs. In Marco Ajmone Marsan, editor, Application and Theory of Petri Nets, volume 691 of Lecture Notes in Computer Science, pages 186–205. Springer, 1993. 3. W.L.A. de Oliveira, N. Marranghello, and F. Damiani. Exception handling with petri net for digital systems. In Integrated Circuits and Systems Design, 2002. Proceedings. 15th Symposium on, pages 229–234, 2002. 4. M. Doligalski and M. Adamski. Exceptions handling in hierarchical petri net based speciﬁcation for logic controllers. In Systems Engineering (ICSEng), 2011 21st International Conference on, pages 459–460, 2011. 5. Dietmar Jannach and Alexander Gut. Exception handling in web service processes. In Roland Kaschek and Lois M. L. Delcambre, editors, The Evolution of Conceptual Modeling, volume 6520 of Lecture Notes in Computer Science, pages 225–253. Springer, 2008. 6. Olaf Kummer. Referenznetze. Logos Verlag, Berlin, 2002. 7. Olaf Kummer, Frank Wienberg, Michael Duvigneau, and Lawrence Cabac. Renew – the Reference Net Workshop. Available at: http://www.renew.de/, March 2012. Release 2.3. 8. Wolfgang Reisig. Elements of Distributed Algorithms: Modeling and Analysis with Petri Nets. Springer-Verlag New York, October 1997. 9. UML. Uniﬁed modeling language: Superstructure. http://www.omg.org/spec/UML/ 2.4.1/Superstructure/PDF, August 2011. A System Performance in Presence of Faults Modeling Framework Using AADL and GSPNs Belhassen MAZIGH1 and Kais BEN FADHEL1 Department of Computer Science, Faculty of Science of Monastir, Avenue of the environment, 5019, Monastir - Tunisia belhassen.mazigh@gmail.com Abstract. The increasing complexity of new-generation systems which take into account interactions between hardware and software components, particularly the fault-tolerant systems, raises major preoccupations in various critical application domains.These preoccupations concern principally the modeling and analysis requirements of these systems.Thus, designers are interested in the veriﬁcation of critical proprieties and particularly the Performance and Dependability analysis. In this paper, we present an approach for modeling and analyzing systems with hardware and software components in the presence of faults: an approach based on Architecture Analysis and Design Language (AADL) and Generalized Stochastic Petri Nets (GSPN). This approach starts with the description of the system architecture in AADL. This description is enhanced by the use of two annexes, the existing Error Model Annex and the Activity Model Annex (proposed Annex). By applying existing transformation rules of GSPN models, we build two models: GSPNs Dependability and Performance models. Finally, we apply our composition algorithm, to obtain a global GSPN model allowing to analyze Dependability and Performance measurements. 1 Introduction The quantity and complexity of systems continues to rise and generally the cost of manufacturing these systems is very high. To this end, many modeling and analysis approaches are more and more used in industry with the aim to control this complexity since the design phase. These approaches must be accompanied by languages and tools. An explicit approach presents the building of a GSPN of a complex system from the GSPNs of its components, taking into account the interactions between the components, is presented in [1]. These approaches are referred to as block modeling approach and incremental approach respectively. AADL is among the languages having a growing interest in industry-critical systems. This language has been standardized by the "International Society of Automotive Engineers" (SAE) in 2004 [2, 3] , to facilitate the design and analysis of complex systems, critical, real-time in areas such as avionics, automotive and aerospace [4]. It provides a standardized graphical and textual notation to describe the hardware and software architectures. It is designed to be extensible 170 PNSE’13 – Petri Nets and Software Engineering in order to adapt and analyze architectures execution that the core language does not fully support. The extensions may take the form of new properties and notations speciﬁc to analysis that may be associated with the architectural description in the form of annexes. Among these approaches, the one proposed in [5] allows specialists in AADL to obtain Dependability measures, based on a formal approach. This approach aims to control the construction and validation of Dependability models in the form of GSPN. But in reality the designers want to have a ﬁnal model of the system that allows them to analyze Dependability and Performance which take into account functional and dysfunctional aspects of the system. In this paper we propose an extension to this approach so that the ﬁnal model of the system allows us to analyze the attributes of Dependability and Performance measures. The outline of the paper is as follows. In Section 2, we deﬁne the AADL concepts. Then we present our approach in Section 3 and its application on a simple example in Section 4. We conclude in section 5. 2 AADL concepts The AADL core language is used to analyze the impact of diﬀerent architectural choices on the properties of the system [6] and [7]. An architecture speciﬁcation in AADL describes how components are combined into subsystems and how they interact. Architectures are described hierarchically. Components are the basic bricks of AADL architectures. They are grouped into three categories: 1) software (process, subprogram, data, and thread), 2) hardware (processor, memory, device, bus) and 3) composite (system). AADL components may be composed of sub-components and interconnected through features such as ports. These features specify how the components are interfaced with each other. Each AADL system component has two levels of description: the component type and the component implementation. The type describes how the environment sees that component, i.e., its properties and features. Examples of features are in and out port that represent access points to the component. One or more component implementations may be associated with the same component type. As mentioned in the introduction, AADL is designed to be extensible in order to adapt and analyze architectures execution the core language that does not fully support. The Error Model Annex is a standardized annex [3] that completes description of the capabilities of the core language AADL, providing a textual syntax with a precise semantics to be used to describe the characteristics of Dependability related to AADL architectural models. AADL error models are deﬁned in libraries and can be associated with software and hardware components as well the connection between them. When an error model is associated with a component, it is possible to customize it by setting component-speciﬁc values for the arrival rate or the probability of occurrence of error events and error propagation declared in the error model. In the same way as for AADL components, the error model has two levels of description: the error model type and the error model implementation. The error model type declares a set of error states, error events and error propagation B. Mazigh et al.: System Performance in Presence of Faults 171 circulating through the connections and links between architecture model. In addition, the user can declare properties of type Guard to control the propagation. The error model implementation declares states transitions between states, triggered by events and propagation declared in the error model type [8]. Note that in and out features identify respectively incoming propagation and outgoing propagation. An out propagation occurs in an error model source with property of occurrence speciﬁed by the user. The error model source sends the propagation through all ports and connections of the component to which error model is associated. As a result, out propagation arrives at one or more error models associated with receptor components. If an error model receiver, declares in propagation with the same name as the out propagation received, the in propagation can inﬂuence its behavior. 3 Modeling approach Fig. 1. Proposed Approach We can describe our method, presented in Figure 1, into ﬁve main steps: 1. The ﬁrst step focuses on the modeling of the system architecture in AADL. 172 PNSE’13 – Petri Nets and Software Engineering 2. The second step concentrates on building an AADL Dependability Model and a AADL Performance Model: – Building Dependability model is done by the association of AADL Error models to the components of AADL Architectural Model, see [5] for more details. – Building performance model is done by the association of our AADL Activity models to the components of AADL Architectural Model. An Activity Model is similar to the Error Model, this model works as an Error Model, but the state change is performed by passing from a reliable state to another with integration of performance metrics associated to the properties that must be deﬁned in AADL language. Syntactically it is inspired by the standard Error Model. Activity models are devoted to describe the components activities. 3. The third step is to build two GSPN models, of Dependability and Performance, from two AADL models using the transformation rules presented in [5]. 4. The fourth step is dedicated to the application of our composition algorithm. This algorithm receives as an input two GSPN models, a GSPN model of Dependability and a GSPN model of Performance, each model is composed of sub-networks of components and sub-networks of dependencies. We obtain a global GSPN model which allows to analyze Dependability and Performance measurements for hardware and software systems in the presence of faults. 5. The ﬁfth step is dedicated to analyzing the global GSPN model to obtain measures of Dependability and Performance. This last step is entirely based on classical algorithms for processing GSPN models and it is not the subject of this work, and therefore will not be detailed here. The next section presents the application of our approach to a simple example. 4 Application of our approach To illustrate our approach, we use a simple system constituted by a processor PR which executes a user process P. The processor allocation is made according to the following policy: we deﬁne a quantum of time (e.g. q) for the processor PR. A process P sends an allocation request for the processor PR. If the processor is free then it accepts the request, the process pass to the execution state. The process can pass into a blocking state (blocked) if it expects other resource (e.g. end of an input output). If the execution time is smaller than the quantum then the process completes its task and passes to termination state otherwise the processor interrupt the execution of process, so that another process could be executed (the processor is retained for the current process until the end of quantum). When the process passes into the blocking state the processor can be allocated to another process. The processor is not necessarily free. The process then moves to the ready state. The ready state is the standby state of the processor. It is clear B. Mazigh et al.: System Performance in Presence of Faults 173 that there is a structural dependence between the processor PR and process P. Defects in materials could be propagated and inﬂuence behavior of software associated with it. We will ﬁrst establish an AADL model of Dependability, with the corresponding transformation steps into GSPN and we do the same thing to develop an AADL Performance model. Finally, we apply our composition algorithm to obtain a global Performance model in presence of software and hardware faults. 4.1 Construction of Dependability model Fig. 2. Error Model of hardware component We propose generic error models (without propagation) for the hardware and software components (Figure 2 and 3) inspired by the works [8], [9], [10] and [11]. These two models are respectively associated with the implementation of the processor PR and the process P components. Because the fact that the process P is running on the processor PR, the errors in the processor (hardware faults) can aﬀect the process executed as follows: – If the fault is temporary, it can transmit errors in the process. The error sent by the processor leads the process in state relating to the activation of fault (state ’Detect_ERR’). – If the fault is permanent, this failure has two consequences: stopping the software components and synchronizing the restoration actions since the 174 PNSE’13 – Petri Nets and Software Engineering relaunch of software components is conditioned by the end of the repair of hardware component on which they were executed. Fig. 3. Error Model of software component Figure 4 shows only what is added to the error model associated with the processor in order to describe the structural dependency after a recovery failure. The 1 2 error model type for processors, comp_hard, is completed with lines RO and RO in order to include ’out’ error propagation declarations (’P R_F ailed’,’P R_Ok’), ’P R_F ailed’ causes the processes failures while ’P R_Ok’ is used to synchronize the repair of the processor with the restart of the process. The error model implementation, comp_hard.general, takes into account the sender side of the recovery dependency, it declares one transition triggered by each of the two 11 22 newly introduced ’out’ propagation (see lines RO and RO of Figure 4). When one of the ’out’ propagation occurs, the processor remains in the same state and the propagation remains visible until the processor leaves this state. Figure 5 shows what is added to the error model associated with a process in order to describe the structural dependency. The error model type, comp_sof t, is com- B. Mazigh et al.: System Performance in Presence of Faults 175 Fig. 4. Error Model for processor component pleted with lines L0 , L1 and L2 . Line L0 declares an additional state in which the process is allowed to restart and Lines L1 and L2 declares ’in’ propagation. The error model implementation, comp_sof t.generale, takes into account the recipient side of the structural dependency by declaring ﬁve transitions triggered by the ’in’ propagation ’P R_F ailed’ (see lines L11 , L21 , L31 , L41 and L51 of Figure 5) and leading the process from each state (other than ’F ailed’) to the ’F ailed’ state. The process is authorized to move from the ’F ailed’ state to ’InRestart’ state only when it receives the ’P R_Ok’ propagation (see line L12 of Figure 5). Since the recovery procedure is now engaged by the ’InRestart’ state , the AADL transition (F ailed − [Restart]− > Error_F ree) will be replaced by the transition (F ailed − [P R_Ok]− > InRestart, see line R). Fig. 5. Error Model for process component PNSE’13 – Petri Nets and Software Engineering Fig. 6. Dependability GSPN Model 176 B. Mazigh et al.: System Performance in Presence of Faults 177 By applying transformation rules presented in [5], Figure 6 shows the GSPN obtained when transforming the AADL model corresponding to the process P linked to the processor PR. We note that places with dark circles are places with capacity of one token. 4.2 Construction of Performances model The following section presents the steps for constructing the AADL Performance model with corresponding transformation steps. For more clarity, we model each component (process P or processor PR) in the presence of internal events and ’in’ propagation and then we integrate the ’out’ propagation following the description of the system. Figure 7 shows the activity model associated with the processor. As for the error model, we associate the activity model, processor_P R.imp, to the implementation of the component processor. The processor is initially free. It will be occupied if it receives an allocation request, ’request’. It can go from ’Busy’ state to the ’Exp_termination’ state if the ’End_quantum’ event is activated with a rate λ6h . Or it can pass to the ’F ree’ state if it receives an ’in’ propagation ’F reeP R’. From the ’Exp_termination’ state it can return to its initial state with a rate λ7h . Fig. 7. Activity Model for the processor component The GSPN model of the processor PR (Figure 8) is obtained by applying the transformation rules (incomplete model). Figure 9 shows the Activity Model associated with the process P. Initially, the process is in ’Ready’ state. It passes to ’Execution’ state when it receives an ’in’ propagation ’Grant’ (it means that the processor starts its execution). It can go from ’Execution’ state to a Ready state if it receives an ’in’ propagation 178 PNSE’13 – Petri Nets and Software Engineering Fig. 8. GSPN model for the processor component ’F Q’ (it is temporarily suspended to allow the execution of another process). It passes from the ’Execution’ state to the ’blocked’ state if the ’Even_R’ event is activated with a rate λ11s . When the ’F _Even_R’ event occurs it passes to ’Ready’ state. It can go from the ’Execution’ state to a ’Ready’ state, if the ’End_T ’ event is activated with a rate λ10s . Fig. 9. Activity Model for the process component B. Mazigh et al.: System Performance in Presence of Faults 179 By applying the transformation rules we obtain the GSPN model of the process P (ﬁgure 10, incomplete model). Fig. 10. GSPN model for the process component Figure 11 shows just what is added to the activity model associated with the processor in order to describe the interaction between process P and the processor PR. The activity model type for processor, processor_P R, is completed with lines LO and L1 (see ﬁgure 11) in order to include ’out’ error propagation declarations such as: – Line LO declares an ’out’ propagation ’F Q’, which indicate the end of quantum. Its name matches the name of the ’in’ propagation declared in the activity model type, process_p (see ﬁgure 9). – Line L1 declares an ’out’ propagation ’Grant’, which indicates that the processor has given permission to move the process in ’Execution’ state. Its name matches the name of the ’in’ propagation declared in the activity model type, process_p (see ﬁgure 9). The activity model implementation, processor_P R.imp, declares two transitions (lines L′O and L′1 ) triggered by the newly introduced ’out’ propagation ’F Q’ and ’Grant’. When one of these two ’out’ propagation occurs, the processor remains in the same state and the propagation remains visible until the processor leaves this state. Similarly, Figure 12 shows what is added to the activity model associated with the process in order to describe the interaction between process P and the processor PR. The activity model type for process, process_p, is completed with lines SO and S1 (see ﬁgure 12) in order to include ’out’ error propagation declarations such as : – Line SO declares an ’out’ propagation ’request’, to indicate that the process requires the processor. Its name matches the name of the ’in’ propagation declared in the activity model type, processor_P R (see ﬁgure 7). 180 PNSE’13 – Petri Nets and Software Engineering Fig. 11. Activity Model for processor component with interaction – Line S1 declares an ’out’ propagation ’F reeP R’. Its name matches the name of the ’in’ propagation declared in the activity model type, processor_P R (see ﬁgure 7). The activity model implementation, process_p.general, declares three transitions (lines S3 , S4 and S5 of ﬁgure 12) triggered by the newly introduced ’out’ propagation ’request’ and ’F reeP R’. Fig. 12. Activity Model for process component with interaction Figure 13 shows the GSPN model obtained by applying the transformation rules. Fig. 13. GSPN Model of Performance B. Mazigh et al.: System Performance in Presence of Faults 181 182 4.3 PNSE’13 – Petri Nets and Software Engineering Application of composition algorithm Now after the construction of the Performance and Dependability GSPN models, we apply our composition algorithm on these two models. Each model is composed of components sub-nets and dependencies subnets. Each component has a GSPN model of Dependability and a GSPN model of Performance. The basic idea of this algorithm is to connect each component sub-net of Performance with the corresponding component sub-net of Dependability. This algorithm is deﬁned to ensure that the obtained global GSPN model is correct by construction (bounded, safe and no deadlock). The main steps of our composition algorithm are the following: – For each sub-network component of Performance, if the component has no replicas, we add a bidirectional arc which connects the transitions of Performance model component with the place that represents the initial state of the corresponding Dependability model. This rule reﬂects that if the component is in a state of Performance model, it can move to another state only if there is no activation of a fault. Note that the number of tokens in a sub-net component is always 1 because at a given time a component can be only in one state. It is clear that if there is activation of a temporary fault, after adding a bidirectional arc, the component remains in waiting until the resolution of this fault since transitions in the Performance model are disabled. We note that if there is a place in a Performance model where the activation of a temporary fault does not exist, for all transitions that represent the output transitions of this place, the bidirectional arc is eliminated. In our case if the processor PR in a free state, a temporary fault will never be activated. Now if a permanent fault occurs, the component must regain its initial state. The rule of the link consists in adding timed transitions, and link with a bidirectional arc the initial place of Performance model with the transition Restart of Dependability model. – if the component has replicas, each replica has the same GSPN model of Performance and Dependability. In ﬁrst step, the addition of bidirectional arcs is applied to each replica. Then immediate transitions are added to represent the switching between the GSPN models. By applying this algorithm on our models, we obtain Figure 14 which shows the GSPNs models of processor PR and Figure 15 which shows the GSPN models of the process P. The two models constitute the global model of the studied system. B. Mazigh et al.: System Performance in Presence of Faults Fig. 14. The ﬁrst part of the Global GSPN model: processor model 183 184 PNSE’13 – Petri Nets and Software Engineering Fig. 15. The second part of the Global GSPN model: process model B. Mazigh et al.: System Performance in Presence of Faults 5 185 Conclusion In this paper, we have presented an approach based on AADL and Generalized Stochastic Petri Nets for modeling and analyzing Performance and Dependability of systems in the presence of faults. This approach consists of several steps. After modeling the system architecture in AADL, two AADL models are obtained, Dependability and Performance models. They are transformed in two GSPN models by applying transformation rules presented in [5]. Finally, by applying our algorithm we build the global model related to the studied system. Our composition algorithm was implemented in Java language. From Performance and Dependability models of hardware and software components, our algorithm builds a global GSPN model. The obtained GSPN model is a ﬁle type PNML exchange format which can be analyzed by tools that support this format such as Tina toolbox [12]. In [13] we applied this approach on the ABS anti-lock complex system. References 1. K. Kanoun, M. Borrel, Fault-tolerant system Dependability: Explicit modeling of hardware and software component-interactions, IEEE Transactions on Reliability, 49, (2000). 2. SAE-AS5506. Architecture Analysis and Design Language, SAE, (2004). 3. SAE-AS5506/1, Architecture Analysis and Design Language Annex Volume 1. SAE, (2006). 4. Ana Elena Rugina, Karama Kanoun, Mohamed Kaaniche, System Dependability modeling using AADL langage, 15eme Congres de Maitrise des Risques et de Surete de Fonctionnement, Lille, (2006). 5. Ana-Elena Rugina, Dependability Modeling and Evaluation: From AADL to Stochastic Petri nets, PhD.D. thesis, Institut National Polytechnique de Toulouse, France, (2007). 6. Thomas Vergnaud. Modelisation des Systemes Temps reel Repartis Embarques pour la Generation Automatique d Application Formellement Veriﬁees. PhD thesis, Ecole Nationale Superieure des Telecommunications, (2006). 7. P. Feiler, B. Lewis, and S. Vestal. The SAE Architecture Analysis & Design Language (AADL) A Standard for Engineering Performance Critical Systems. In Proceedings of the 2006 IEEE Conference on Computer Aided Control Systems Design, (2006). 8. Rogerio de Lemos, Cristina Gacek, Alexander B. Romanovsky, Architecting Dependable Systems IV, Lecture Notes in Computer Science 4615, Springer, (2007). 9. Jean-Claude Laprie, Dependable Computing: Concepts, Limits, Challenges, Invited paper to FTCS-25, the 25th IEEE International Symposium on FaultTolerant Computing,Pasadena, California, USA, June 27-30, Special Issue, (1995). 10. M. Borrel, Interactions entre composants materiel et logiciel de systemes tolerant aux fautes - Caracterisation - Formalisation - Modelisation - Application a la surete de fonctionnement du CAUTRA, LAAS-CNRS, These de doctorat, Toulouse, France, (1996). 186 PNSE’13 – Petri Nets and Software Engineering 11. A. Bondavalli, S. Chiaradonna, F. D. Giandomenico, J. Xu, Fault-tolerant system Dependability: Explicit modeling of hardware and software componentinteractions, Journal of Systems Architecture, 49, (2002). 12. B. Berthomieu, P.-O. Ribet, F. Vernadat, The tool TINA – Construction of Abstract State Spaces for Petri Nets and Time Petri Nets, International Journal of Production Research, Vol. 42, No 14,(2004). 13. Kais Ben Fadhel, une approche de modelisation et d’analyse des performances et de la surete de fonctionnement : Transformation d’une speciﬁcation AADL en GSPN, Master de recherche, faculte des sciences de Monastir, Tunisie, (2012). Coloured Petri Nets Refinements C. Choppy, L. Petrucci, and A. Sanogo LIPN, CNRS UMR 7030, Université Paris XIII 99, avenue Jean-Baptiste Clément, F-93430 Villetaneuse, France {Christine.Choppy, Laure.Petrucci, Alfred.Sanogo}@lipn.univ-paris13.fr Abstract. Coloured Petri nets allow for modelling complex concurrent systems, but the speciﬁcation of such systems remains a challenging task. Two approaches are generally used to lessen these diﬃculties: decomposition and reﬁnement. Charles Lakos proposed three kinds of reﬁnements for coloured Petri nets: type reﬁnement, subnet reﬁnement, and node (place or transition) reﬁnement. This paper proposes new rules widening the scope of both type and transition reﬁnements. 1 Introduction Coloured Petri nets are a speciﬁcation language which presents the advantages of both a graphical description, giving an easy understanding of the model, and a formal semantics allowing for formal analysis techniques. However, as is the case for many speciﬁcation languages, the speciﬁcation of a system remains a diﬃcult task. A way to alleviate these diﬃculties consists in using reﬁnement techniques. First, a rather simple model of the system is built, at a high level of abstraction, with few details. This abstract model constitutes a general description of the system. An incremental process of successive reﬁnements is then applied, adding new details in a stepwise manner. The model is thus enhanced until all the expected behaviour and properties are taken into account. At each step, the abstract model is replaced by a reﬁned one. For deﬁning reﬁnements, the following questions should be addressed: – which relation should exist between the abstract and the reﬁned models? – what are the necessary conditions on the coloured Petri net models for this relation to hold? – which transformations of the abstract net satisfy these reﬁnement conditions? Since a model is characterised by its observed behaviour, the comparison between abstract and reﬁned model will rely on it. Several notions of equivalence and order have been proposed in the literature. In particular, Lakos and Lewis [6, 8, 5, 7] propose that “a model R is a reﬁnement of a model A if all behaviour in R has a corresponding behaviour in A” (thus a reﬁnement, while it may introduce further details, cannot introduce behaviours that would be new 188 PNSE’13 – Petri Nets and Software Engineering to the abstract model; this is useful to be able to explore the state space in a modular and still meaningful way). They express this relation between coloured Petri nets as a system morphism (behavioural morphism) from the reﬁned model to the abstract one. Three kinds of reﬁnements were proposed, and the system morphisms deﬁned accordingly: type reﬁnement, subnet reﬁnement and node (place or transition) reﬁnement. Transformation rules on the net structure, the colours and ﬁring modes, that respect these morphisms, complete their work by providing practical reﬁnement mechanisms. This paper extends these coloured Petri nets reﬁnements, and more specifically the type and transition reﬁnements. Type reﬁnement includes two constraints: the subtype relation deﬁned by Liskov and Wing [9] as well as Lakos’ reﬁnement condition. Four operations on types are now permitted: addition of a component in a tuple, constraining a component value, addition and modiﬁcation of functions. The conditions for these operations to satisfy the reﬁnement constraints are checked. For node reﬁnement, a new reﬁnement rule satisfying Lakos’s constraints is introduced: alternate transitions. The paper is organised as follows. In Section 2 deﬁnitions of coloured Petri nets and system morphisms are recalled. Then, Section 3 recalls the reﬁnements deﬁned by Lakos and Section 4 the subtyping relation of Liskov and Wing. Our new reﬁnement rules are then deﬁned and proven correct in Sections 5 and 6. They are implemented in a tool for Petri net design, described in Section 7. 2 Coloured Petri Nets and Morphisms In this section, we recall the necessary deﬁnitions and notations from [6]. 2.1 Coloured Petri Nets For a type universe Σ, we denote the set of functions from one type of Σ to another by ΦΣ = {X → Y | X, Y ∈ Σ} and by µX = {X → N} the set of multisets over a type X ∈ Σ. Definition 1. A coloured Petri net is a tuple N = hP, T, A, C, E, M, Y, M0 i where: 1. 2. 3. 4. 5. 6. 7. 8. P is a set of places; T is a set of transitions such that P ∩ T = ∅; A is a set of arcs such that A ⊆ P × T ∪ T × P ; C is a colour function which associates a type with each place and transition: C : P ∪ T → Σ; E is a function associating an expression with each arc: E : A → ΦΣ with E(p, t), E(t, p) : C(t) → µC(p); M is the set of markings: M = µ{(p, c) | p ∈ P, c ∈ C(p)}; Y is the set of steps: Y = µ{(t, c) | t ∈ T, c ∈ C(t)} M0 ∈ M is the initial marking. C. Choppy, L. Petrucci and A. Sanogo: Coloured Petri Nets Reﬁnements 189 For a node x ∈ P ∪ T , we denote by – • x the preset of x, i.e. • x = {y ∈ P ∪ T |(y, x) ∈ A}; – x• the postset of x, i.e. x• = {y ∈ P ∪ T |(x, y) ∈ A}. In the following, E − denotes the expressions of arcs from places to transitions and E + from transitions to places. The ﬁring rule of a coloured Petri net is now deﬁned. Definition 2. Let N be a coloured Petri net. A step Y ∈ Y is ﬁrable from a marking M ∈ M, denoted M [Y i iﬀ M ≥ E − (Y ). In order to replace a node of a Petri net by a subnet during the reﬁnement process, the connections between these and their environment must be considered. Therefore, we now deﬁne the border nodes on each side, adapted from [6]. Definition 3. Let N be a Petri net, and N ′ a subnet of N . 1. The input border of N ′ is inpbdr (N ′ ) = {x ∈ P ′ ∪T ′ |∃y ∈ (P ∪T )\(P ′ ∪T ′ ) : y ∈ • x}; 2. The output border of N ′ is outbdr (N ′ ) = {x ∈ P ′ ∪T ′ |∃y ∈ (P ∪T )\(P ′ ∪T ′ ) : y ∈ x• }; 3. The border of N ′ is bdr (N ′ ) = inpbdr (N ′ ) ∪ outbdr (N ′ ); 4. The set of input environment nodes of N ′ is inpenv (N ′ ) = {y ∈ (P ∪ T ) \ (P ′ ∪ T ′ )|∃x ∈ P ′ ∪ T ′ : y ∈ • x}; 5. The set of output environment nodes of N ′ is outenv (N ′ ) = {y ∈ (P ∪ T ) \ (P ′ ∪ T ′ )|∃x ∈ P ′ ∪ T ′ : y ∈ x• }; 6. The set of environment nodes of N ′ is env (N ′ ) = inpenv (N ′ ) ∪ outenv (N ′ ). Example: Let us consider the net in Figure 1, with the subnet in the large circle. Its border sets are: – – – – – – 2.2 inpbdr (N ′ ) = {inp 1 , inp 2 }; outbdr (N ′ ) = {out 1 , out 2 }; bdr (N ′ ) = {inp 1 , inp 2 , out 1 , out 2 }; inpenv (N ′ ) = {te 1 , te 2 }; outenv (N ′ ) = {ts 1 , ts 2 }; env (N ′ ) = {te 1 , te 2 , ts 1 , ts 2 }. System Morphisms System morphisms were deﬁned in [6] in order to capture behaviour compatibility between nets. In such a scheme, ﬁring several transitions of Nr can correspond to the ﬁring of a single transition in Na . A step is then said to be complete if all border transitions of Nr \ Na , i.e. the subset that remains after Na has been removed from Nr , are ﬁred with the same ﬁring mode. Definition 4. Let φ : Nr → Na . φ is a system (behavioural) morphism if: 190 PNSE’13 – Petri Nets and Software Engineering te 1 ts 1 inp 1 c c accept 1 offer 1 buf c c accept 2 inp 2 c out 1 c c offer 2 c out 2 te 2 ts 2 Fig. 1. Example of border nodes 1. φ is surjective on Pa , Ta , Aa ; 2. φ is linear and total on the set of markings Mr and the set of steps Yr ; 3. ∀Mr ∈ [M0 ir , ∀Yr ∈ Yr : if Yr is complete, can be decomposed into Y1 , Y2 ... Yn , and is realisable from marking Mr , then φ(Yr ) can be decomposed into φ(Y1 ), φ(Y2 ) ...φ(Yn ), and is realisable from marking φ(Mr ). 4. ∀Mr ∈ [M0 ir , ∀Yr ∈ Yr : Yr is complete ⇒ φ(Mr + Er+ (Yr ) − Er− (Yr )) = φ(Mr ) + φ(Er+ )(φ(Yr )) − φ(Er− )(φ(Yr )). In Deﬁnition 4, (3) indicates that when a step in Nr is decomposable, the corresponding step can be obtained by projection on Na , while (4) states that only the eﬀect of a step can be projected as well. Definition 5. Let φ : Nr → Na be a system morphism. A step Yr in Nr is said to be complete if ∀ta ∈ Ta : ∀tr ∈ bdr (Tr \ Ta ) : Yr (tr ) = φ(Yr )(ta ) 3 Existing Coloured Petri Nets Refinements Three types of coloured Petri nets reﬁnements are deﬁned by Lakos in [6]: type reﬁnement, node reﬁnement, and subnet reﬁnement. 3.1 Type Refinement Type reﬁnement is used when it is necessary to detail further the description of the information carried by tokens, and the transitions’ ﬁring modes. Reﬁne- C. Choppy, L. Petrucci and A. Sanogo: Coloured Petri Nets Reﬁnements 191 ment then consists in replacing an abstract token type by another one, more detailed, called the reﬁned type. The net structure remains unchanged. The type modiﬁcation addressed by Lakos is the addition of a component. 3.2 Subnet Refinement Subnet reﬁnement consists in adding new elements (places, transitions and arcs) to the net. [6] also considers extending type domains for places and transitions in the abstract net, as a subnet reﬁnement. 3.3 Node Refinement Node reﬁnement is used when the modeller wishes to give additional information about one of the net elements (place or transition) by expliciting it further. It can thus be a place reﬁnement if details concern a place (superplace) or transition reﬁnement if a transition is concerned (supertransition). Lakos deﬁned canonical reﬁnements for both of these cases. In its canonical form, a place reﬁnement replaces a place by a place-bordered subnet, whereas a transition reﬁnement replaces a transition by a transitionbordered subnet. 4 The Sub-typing Relation A subtype relation was deﬁned in [9] by Barbara Liskov and Jeannette Wing so that the supertype properties should be preserved by the subtype. The properties considered are invariants (that should be true for any object state) and “historical” properties (true on a state sequence). The substitutability principle states that a subtype object could substitute a supertype object. Types are denoted by a triple hO, V, M i where O is a set of objects, V is a set of values, and M is a set of methods. The type speciﬁcation should contain the following information: – the description of the set of authorised values; – for each method, the description of (i) its signature (number and types of arguments, result type and exceptions list), (ii) its behaviour in terms of preand post-conditions. B. Liskov and J. M. Wing distinguish three kinds of methods, constructors that return a new object of the type, observers that return values of other types, and mutators that modify object values. They also identify two kinds of subtyping relations: – Extension subtype where the subtype extends the supertype by introducing new methods and adding new states (or values). 192 PNSE’13 – Petri Nets and Software Engineering – Constrained subtype where the subtype constrains the supertype with more details on the methods or on the supertype values. When the supertype speciﬁcation keeps open several possibilities, subtyping may reduce or eliminate some of them. Considering the two kinds of subtyping relations above, we consider here the following operations on types: – – – – add a component to a record ﬁx a component value add a method modify a method. These operations on types appear in the subtype relations as follows. 1. Extension Subtype The operations on types considered are the introduction of new methods and/or the addition of new states. – New method introduction • if the method introduced is a constructor, it should take into account the invariant preservation; • if the method introduced is an observer, this has no consequence on the fact that the subtype preserves the supertype properties; • if the method introduced is a mutator, this may have consequences on the fact that the subtype should preserve the supertype properties. After a mutator is invoked, the new object value should belong to the set of authorized type values (according to invariants and historical properties). – Addition of new object states (or adding a new variable in records): this has no eﬀect on properties preservation, and the abstraction function forgets the added variable. 2. Constrained Subtype The operations considered here are constraints on the object values and/or method modiﬁcation with the aim to add more precision. – Constraints on the object values (this may correspond to ﬁxing a variable value in a record). This may be achieved by deﬁning the set of values for the subtype objects as a subset of the supertype values and this preserves the supertype properties. – Method modiﬁcation. This modiﬁcation must comply with the subtyping rules deﬁned in [11], that are a rule on the signature (same number of arguments, contravariance of arguments, covariance of result and exception rule), and a rule on methods. Let us recall that if σ is a subtype of τ and mτ is the τ method corresponding to method mσ of σ : – arguments contravariance states that mτ and mσ should have the same number of arguments, and type αi of the ith argument in mτ should be a subtype of type βi of the corresponding argument in mσ . – either mτ and mσ return a result or do not return a result. If both methods return a result, the result covariance states that the type of the result returned by mσ should be a subtype of the type of the result returned by mτ . C. Choppy, L. Petrucci and A. Sanogo: Coloured Petri Nets Reﬁnements 5 193 New Rules for Type Refinement An initial deﬁnition of type reﬁnement was proposed by Lakos in [6] requiring that all behaviours of the reﬁned type correspond to an abstract behaviour. This constraint will be referred to as LC in the following (Lakos’s constraint). The only operation allowed by Lakos for type reﬁnement is the addition of a component in a tuple. Although this kind of reﬁnement is often used, it is still restrictive in practical cases which allow for more substantial type modiﬁcations and introduction of new operators on existing types. Therefore, in this section, we extend the relation between the reﬁned type and the abstract type by considering the sub-typing relation deﬁned by Liskov and Wing in [10], as well as type modiﬁcations. 5.1 Type modifications and behaviour preserving Data types modiﬁed [arc expressions or methods used in arc expressions modified] Net behaviour may be changed ⇒ check LC Fig. 2. Summary of arc expressions modiﬁcations impact When performing type reﬁnement, the net structure remains unchanged. Hence the only elements which may change the net behaviour are the values of arc expressions, and transitions guards. Arc expressions Subsequently to a type reﬁnement, an arc expression function might be modiﬁed. Figure 2 summarises the impact of type modiﬁcation on arc expressions. In the following, Er denotes arc expressions in the reﬁned net, and Ea the corresponding arc expression in the abstract net. 194 PNSE’13 – Petri Nets and Software Engineering Unchanged arc expressions If the arc expression is the same, i.e. Er = Ea , the following cases may occur: 1. adding a component to a tuple, setting the value of a component, adding a method, are changes that respect LC; 2. modiﬁcation of a method leads to the following situations: – Ea does not refer to a method modiﬁed by the reﬁnement. The values returned by Er and Ea are thus the same, and the net behaviour remains unchanged ; – Ea refers to methods changed by the reﬁnement. Hence, although the expressions are the same, the values returned by Er and Ea may diﬀer. Therefore the behaviour can be diﬀerent as well, and we need to check that the eﬀect of ﬁring for each ﬁring mode in the reﬁned net is the same, once abstracted, as for the corresponding ﬁring in the abstract net. Modiﬁed arc expressions When an arc expression is modiﬁed due to the reﬁnement process, values of Er and Ea may diﬀer, whatever the reﬁnement operation. Hence, adding a component, setting the value of a component, adding a method may all modify the net behaviour. The expression modiﬁcation should be performed so that it satisﬁes LC. Guards associated with transitions Type reﬁnement does not change the expression associated with a guard. However, two cases may occur (see Fig. 3): – the guard does not refer to a method modiﬁed by the type reﬁnement: it has thus no inﬂuence on the transition behaviour; – the guard refers to methods modiﬁed by the type reﬁnement. Hence the values returned by the reﬁned and abstract guard expressions may diﬀer. If the guard returns true in the reﬁned net, it must also return true in the abstract net. 5.2 Example: request for material purchase The net in Fig. 4(a) models a request for material issued from e.g. a service to the accountant. When material is needed, a request is issued. After the accountants check the request, they order the articles. In a ﬁrst approach to modelling the problem, the net describing the overall process can de considered. It uses a neutral colour, as shown in Fig. 4(a). Then additional detail can be introduced, giving characteristics of the article to order, i.e. its number, its designation (name), its origin, the quantity required (qty) and the unitary price. The new type is thus obtained by adding components, as shown in the declarations below and Fig. 4(b). In this case, no arc or guard expression is changed, therefore LC is satisﬁed. It is also consistent with the subtyping conditions. In order to take into account calls for oﬀers when the price is above a certain level, a method is added which returns the total amount of the purchase C. Choppy, L. Petrucci and A. Sanogo: Coloured Petri Nets Reﬁnements 195 Type modiﬁcation [Type methods changed in guards] Check that a guard returning true for a reﬁned marking also returns true for the corresponding abstract marking Fig. 3. Summary of the impact of type reﬁnement on guards and net behaviour DOT DOT Service x Order x Accepted DOT x Buy x Delivered (a) Request for material purchase modelled with the neutral type (DOT) ARTICLE Service y Order y ARTICLE Accepted y Buy y ARTICLE Delivered (b) Request for material purchase modelled with the ARTICLE type ARTICLE_1 ARTICLE_1 Service z Order z Accepted ARTICLE_1 z Buy z Delivered (c) Request for material purchase modelled with the ARTICLE_1 type Fig. 4. Type reﬁnement of a net model of a request for material purchase price ∗qty (see type ART ICLE_1) in the declarations and Fig. 4(c)). This modiﬁcation adds an observer method which returns a value, and is consistent with the subtyping relation. It is not used in arc or guard expressions, and therefore LC holds. Declarations: DOT is a predefined neutral type Colset ARTICLE = record number:NAT * origin:STRING * name:STRING * price:Rat * qty:Rat; Colset ARTICLE_1 = record number:NAT * origin:STRING * name:STRING * price:Rat * qty:Rat; fun amount = (#price ARTICLE_1 * #qty ARTICLE_1)::Rat; var x : DOT; var y : ARTICLE; 196 PNSE’13 – Petri Nets and Software Engineering var var var var z : ARTICLE_1; name : STRING; price : Rat; qty : Rat; 6 New Rules for Transition Refinement: Alternate Transitions The canonical transition reﬁnement proposed by Lakos, ﬁring an abstract transition features ﬁring a set of sequences of reﬁned transitions, starting with transitions from the input border and ending with transitions from the output border of the reﬁned part. The underlying idea of the new reﬁnement we propose here is to replace an abstract transition by a subnet containing alternative transitions plus internal places and transitions. Each of the alternative transitions is abstracted as the original abstract transition. This reﬁnement aims at splitting a transition describing a general behaviour into several exclusive cases which then handle in more detail speciﬁc situations. For example, the net in Fig. 5(b) is a reﬁnement of the one in Fig. 5(a): transition ta is replaced by a subnet Nta . To improve readability, ta has a single input place and a single output place (but this is not a constraint in the general case). Definition 6. Let Nta = (Pta , Tta , Ata , Cta , Eta , Mta , Yta , Mta 0 ) be a subnet. A morphism φ : Nr = (Pr , Tr , Ar , Cr , Er , Mr , Yr , Mr 0 ) → Na = (Pa , Ta , Aa , Ca , Ea , Ma , Ya , Ma 0 ) is a reﬁnement with alternative transitions of ta ∈ Ta , where Nr is the reﬁned net obtained by replacing abstract transition ta by Nta ) in the abstract net Na if: 1. ∀pr ∈ Pr \ Pta : ∀tr ∈ Tr \ Tta : φ(pr ) = pr ∧ φ(tr ) = tr ∧ (pr , tr ) ∈ Ar ⇒ ((pr , tr ) ∈ Aa ∧ Er (pr , tr ) = Ea (pr , tr )) ∧ (tr , pr ) ∈ Ar ⇒ ((tr , pr ) ∈ Aa ∧ Er (tr , pr ) = Ea (tr , pr )). Apart from transition ta the abstract net remains unchanged. 2. Tta = Talternative ∪ Tother The transitions replacing ta are of two kinds: the alternatives, and the others. 3. ∀t ∈ Talternative , • ta = • t \ Pta ∧ ∀p ∈ • ta : Ea (p, ta ) = Er (p, t) All input places of ta are also input places of all alternative transitions, and are the only such abstract places. 4. ∀t ∈ Talternative , t•a = t• \ Pta ∧ ∀p ∈ t•a : Ea (ta , p) = Er (t, p) All output places of ta are also output places of all alternative transitions, and are the only such abstract places. 5. ∀M ∈ Mr : ∀t′ ∈ Talternative : φ(M )[ta > ∧ M [t′ > ⇒ ∀t ∈ Talternative \ {t′ }, ¬(M [ t >) There is at most one alternative transition that is ﬁrable in a given marking (so that the token ﬂow is preserved). This can be ensured by guards or internal places of the Nta subnet. C. Choppy, L. Petrucci and A. Sanogo: Coloured Petri Nets Reﬁnements pin E1 T 197 pout E2 (a) Abstract transition to be reﬁned [guard1 ] talter1 E E1 2 pin pout E E2 1 taltern [guardn ] (b) Reﬁnement of transition ta Fig. 5. Reﬁnement with alternative transitions 6. ∀t ∈ Talternative ∧ ∀c ∈ Cr (t) : φ(1 ‘(t, c)) = 1 ‘(ta , φ(c)) Firing an alternative transition has the same eﬀect as ﬁring ta . Firing a step in the reﬁned net has the same eﬀect as in the abstract net. 7. ∀p ∈ Pr : ∀c ∈ Cr (p) : φ(1 ‘(p, c)) = 1 ‘(p, c) if pr ∈ Pr \ Pta , φ(1 ‘(p, c)) = ∅ otherwise. The internal marking of Nta is ignored by the reﬁnement. Proposition 1. A reﬁnement with alternative transitions φ :Nr → Na is a systems morphism. Proof. According to deﬁnition 6(1) φ is surjective over Pa , Ta , Aa . 198 PNSE’13 – Petri Nets and Software Engineering From (8), the abstract marking is obtained by ignoring the subnet marking. Hence, φ is linear and total over Mr . From (6), the ﬁring of an alternative transition corresponds to ﬁring the abstract transition. Hence, φ is linear and total over Yr . From (6) ∀Yr ∈ Yr , Yr is complete since only one of the alternative transitions can be ﬁred in a given marking. From (3), (4) and (7), ∀Yr ∈ Yr , ∀Mr ∈ Mr si Mr ≥ Er− (Yr ) then φ(Mr ) ≥ φ(Er− )(φ(Yr )) and φ(Mr + Er+ (Yr ) − Er− (Yr )) = φ(Mr ) + φ(Er+ )(φ(Yr )) − φ(Er− )(φ(Yr )). φ(Mr +Er+ (Yr )−Er− (Yr )) is the eﬀect after abstraction of the ﬁring of the reﬁned step Yr from the reﬁned marking Mr and φ(Mr )+φ(Er+ )(φ(Yr ))−φ(Er− )(φ(Yr )) the eﬀect of the ﬁring of the abstract step φ(Ya ) from the abstract marking φ(Ma ). Let us consider again the example of Sect. 5.2, with the abstract net in Fig. 6(a). We now want to explicit the accounting rules: if the amount of the purchase is greater than some limit, a call for oﬀers must be issued (see Fig. 6(b)). Transition Buy has been replaced by two alternative transitions: Direct purchase et Ask oﬀer. ARTICLE_1 ARTICLE_1 Service y Order y ARTICLE_1 y Accepted Buy y Delivered (a) Example abstract net ARTICLE_1 Service y Order y articleARTICLE_1 ARTICLE_1article Accepted Direct Purchase Delivered article.amount() ≤ LIM IT article.amount() > LIM IT article Ask oﬀer article (b) Reﬁned net including the accounting rules Fig. 6. Reﬁnement of the net model for purchases 7 CPN Refiner: Tool Support for Modelling We designed CPN Reﬁner so as to support the development of coloured Petri nets following the approach proposed in [3] and the reﬁnement techniques proposed in this paper. Let us recall that the Petri net development method presented in [3] proposes the following steps: (i) analyse the text describing the problem and extract the C. Choppy, L. Petrucci and A. Sanogo: Coloured Petri Nets Reﬁnements 199 Fig. 7. Workshop example: state observers and transitions events (yielding a state change), state observers, data types, and possibly the modules, (ii) establish the system properties (in particular pre and postconditions of events), (iii) build the coloured Petri net, (iv) check the resulting net properties (some are built-in, but others can be model checked), and update it if necessary. CPN Reﬁner supports both the coloured Petri net development given the (typed) state observers and the events (together with their pre and postconditions), and its reﬁnement. CPN Reﬁner supports node reﬁnement and subnet reﬁnement according to the principles stated in this paper. Type reﬁnement is supported via a mere type modiﬁcation. Figure 7 shows the screen where the user entered the state observers and the events for a workshop example, and the generated Petri net is shown in Figure 8. A reﬁned Petri net obtained through alternate transition reﬁnement is shown in Figure 9. CPN Reﬁner is build using Java Swing (Eclipse), API JDOM to handle the XML resulting ﬁle, library JGraph for the graphical presentation Petri nets. 8 Conclusion and Perspectives Reﬁnement is used to build a more detailed model (the reﬁned model) from an abstract model. Several reﬁnement notions have been proposed for diﬀerent aims and various languages, and the work of Lakos deals with reﬁnement for coloured Petri nets. An important point he states is that a model R is a reﬁnement of a model A if for each behaviour of R there is a corresponding behaviour of A. More speciﬁcally, he deﬁnes three kinds of reﬁnement, type reﬁnement, node 200 PNSE’13 – Petri Nets and Software Engineering Fig. 8. Workshop example: coloured Petri net Fig. 9. Workshop example: reﬁned Petri net C. Choppy, L. Petrucci and A. Sanogo: Coloured Petri Nets Reﬁnements 201 reﬁnement (for places or transitions), and subnet reﬁnement, so as to insure this behaviour correspondence. In this paper, we extend the type reﬁnement and the node reﬁnement proposed by Lakos. For type reﬁnement, we propose two constraints. The subtype relation as deﬁned by Liskov and Wing that should exist between the reﬁned and the abstract type, and Lakos’ reﬁnement relation between the reﬁned and the abstract model. We consider four operations on types, that are to add a component, to ﬁx a component value, to add a method, and to modify a method. We studied the conditions that ensure that these operations guarantee both Liskov and Wing subtyping relation and Lakos reﬁnement relation. We also extend the node reﬁnement with a new rule for transitions reﬁned by alternate transitions. This new rule complies with Lakos’ reﬁnement principle. A model development method was proposed for coloured Petri nets in [3]. We developed a tool, CPN-Reﬁner, for model development of coloured Petri nets following this method, and integrated in this tool the reﬁnement techniques presented here [12]. In the future, we plan to develop large case studies using our method and our tool. We also plan to work on property reﬁnement. Interface with other tools like CPN Tools [1] or CosyVerif [4] is also subject of future work, which should be eased since CPN Reﬁner uses PNML [2]. References 1. CPN Tools Homepage. http://cpntools.org/. 2. PNML reference site. http://pnml.org/. 3. C. Choppy, L. Petrucci, and G. Reggio. Designing coloured Petri net models: a method. In Proc. Workshop on Practical Use of Coloured Petri Nets, 2007. 4. CosyVerif group, The. CosyVerif home page. http://cosyverif.org. 5. Charles Lakos. On the abstraction of coloured Petri nets. In 18th Int. Conference on Application and Theory of Petri Nets ICATPN ’97, volume 1248 of Lecture Notes in Computer Science, pages 42–61. Springer-Verlag, 1997. 6. Charles Lakos. Composing abstractions of coloured Petri nets. In Nielsen, M. and Simpson, D., editors, 21st Int. Conf. on Application and Theory of Petri Nets (ICATPN), volume 1825 of Lecture Notes in Computer Science, pages 323–345. Springer-Verlag, 2000. 7. Charles Lakos and Glenn Lewis. A catalogue of incremental changes for coloured Petri nets. Technical report, Department of Computer Science, University of Adelaide, 1999. 8. Glenn Lewis. Incremental specification and analysis in the context of coloured Petri nets. PhD thesis, University of Hobart, Tasmania, 2002. 9. Barbara Liskov and Jeannette M. Wing. Family values: A semantic notion of subtyping. Technical report, Pittsburgh, PA, USA, 1992. 10. Barbara Liskov and Jeannette M. Wing. A new deﬁnition of the subtype relation. In Proceedings of the 7th European Conference on Object-Oriented Programming, ECOOP ’93, pages 118–141, London, UK, 1993. Springer-Verlag. 11. Barbara H. Liskov and Jeannette M. Wing. A behavioral notion of subtyping. ACM Trans. on Programming Languages and Systems, 16(6):1811–1841, 1994. 12. Alfred Sanogo. Raffinement des réseaux de Petri colorés. PhD thesis, Université Paris 13, 2012. 202 PNSE’13 – Petri Nets and Software Engineering Petri Nets-Based Development of Dynamically Reconfigurable Embedded Systems Tomáš Richta, Vladimı́r Janoušek, Radek Kočı́ Brno University of Technology, Faculty of Information Technology, IT4Innovations Centre of Excellence Božetěchova 2, 612 66 Brno, The Czech Republic {irichta,janousek,koci}@fit.vutbr.cz Abstract. This paper deals with the embedded systems construction process based on the system speciﬁcation modeled as a set of Petri nets. Modeling of the system starts with Workﬂow Petri Nets speciﬁcation describing the main modules and processes within the system. Workﬂow model is then transformed to the multilayered Reference Nets structure, that is ﬁnally used for the code generation of the target system. The main goal of our approach is to provide for dynamic reconﬁgurability of the system deployment according to the changes within its speciﬁcation. Dynamic reconﬁgurability means the possibility of system changes within its runtime. This is achieved by the decomposition of the whole functionality of the system to small interpretable pieces of computation. This approach also introduces several layers of reconﬁgurability using diﬀerent translation rules operating on each layer. The heart of the system lies within the reference nets hosting platform called Petri Nets Operating System (PNOS) that includes the Petri Nets Virtual Machine (PNVM) that performs the very Reference Nets interpretation. Keywords: workﬂow modeling, reference nets, embedded systems, modelbased software engineering, code generation, model transformation 1 Introduction Control systems are important border technology lying between the physical and information world. The whole control process is described as a control loop that consists of reading data from sensors and triggers a number of actuators installed within the physical environment controlled by the system. Most of the control systems are constructed using a set of programmable logic controllers with appropriate suitable software installation. At a higher level of abstraction, programmable logic controller and its software installation could be seen as an embedded system. In this paper the considered target platform for system installation is set of minimalistic and low energy consumption hardware devices, e.g. Atmel microcontrollers equipped with wireless transmission modules that are often used within Wireless Sensor Networks (WSN). 204 PNSE’13 – Petri Nets and Software Engineering A control system implementation could be divided into the hardware and software part. The hardware part starts with selection of the proper set of modules and its installation within the physical environment, including the sensors and actuators attachment. When there are multiple controllers, the hardware part must also take into account the communication among them. The software part then follows with the programming and installation of each control unit with appropriate application that controls hardware. The main purpose of this paper is to describe the software part of this construction process with the focus on dynamic reconﬁgurability of the resulting system using executable models and model continuity approach. The reconﬁgurability is necessary for the ability of the system to adapt itself to changes in environment and also to enable the system maintainer with the possibility to change the system behavior without the necessity of its complete destruction and reconstruction. Because there is strong demand on proper coverage of the system complexity at the beginning of the construction process, there is a need for suitable description tools that preserve the user requirements semantics. During the system lifetime there are also strong demands on its dynamic reconﬁguration according to the new requirements and also according to the changes within the physical environment. The dynamic system speciﬁcation change and following reconﬁguration requirements are not easy to satisfy. Within this paper we introduce our solution of the described problem using the Workﬂow Petri Nets model [1] and MULAN-like multilayered Reference Nets control system structure[5], which is constructed according to the workﬂow model and then translated into the executable form. The system prototype then runs within the target platform simulator that deduces the requirements for the hardware part of system installation. The main characteristics of the system - its dynamic reconﬁgurability is based on the ability of nets to migrate among places as tokens, which was inspired by [5]. The new or modiﬁed nets could be sent over another nets to its target place to change the system behavior. Within our solution, the nets are maintained by Petri Nets Operating System (PNOS) and interpreted using the Petri Nets Virtual Machine (PNVM). Next two sections describe used formalisms and the reconﬁgurable system architecture. The following section describes the whole system development process using a running example, and the last section contains the evaluation and conclusion. 2 2.1 Formalisms and Tools Workflow Management Will van der Aalst deﬁned the way to construct workﬂow models using Petri Nets[1]. His work is also well formally deﬁned and so the workﬂow models could be used for the processes veriﬁcation and validation purposes. The way of modeling the system in this way is also similar to the BPMN workﬂow models, so it could be easily used by the business process modeling experts. For that reason we decided to use the YAWL notation[2] and Workﬂow Nets formalism[1] in T. Richta et al.: Development of Dynamically Reconﬁgurable Systems 205 the beginning of the embedded control system construction process. There are two main concepts from this theory that we use at the moment - basic transition categories (AND-split, AND-join, OR-split and OR-join) and the concept of workﬂow subprocess. 2.2 Reference Nets The second part of the system construction then consists of the transformation of Workﬂow Petri Nets into the multilayered reference Nets model of the system that comply with the nets-within-nets concept deﬁned by Rudiger Valk [3] formalized as Reference Nets[4]. The problem of generating code from formal speciﬁcation to the running prototype of target system is mainly based on the decomposition of the whole net to a set of subnets, which is also called partitioning problem. For this purpose we use similar concept to the MULAN architecture deﬁned by Cabac et al.[5]. This architecture divides the model into four levels of abstraction - infrastructure, agent platform, agents, and protocols. Our architecture is very similar, we use layers for the infrastructure, platform, main processes and subprocess. Each of those layers is mapped to the target platform and the transformation is used for the code generation. The main goal of the architecture is to enable changes within the system speciﬁcation during its run-time. This is mainly achieved by the platform, process and subprocess abstraction levels that specify the functionality of the system. 3 Reconfigurable Architecture Reference Nets allow to construct a system hierarchically, in several levels. Such an idea is a basis of the MULAN (MultiAgent Nets) architecture developed by Cabac et al.[5]. Thanks to the nature of Reference nets, MULAN allows nets to migrate among places in other nets and thus it is possible to dynamically modify functionality of system components, speciﬁed by this kind of nets [5]. We use application-speciﬁc main processes and subprocesses, which are hosted on platform that is considered to be a part of the operating system of the node, PNOS (Petri Nets Operating System). The multi-layered nature of the system and responsibilities of particular levels are described in Figure 1. The main part of the the system is installed over the hardware as a PNOS kernel with platform net, that are both able to host other nets. Each platform then hosts some number of main processes nets that hosts subprocesses. The whole communication is performed by sending messages using serial link. There is also theoretical possibility for subprocesses to contain other subprocesses etc. But presented example does not cover this. The PNOS contains PNVM (Petri Net Virtual Machine) which interprets Petri Nets that are installed in the system in the form of a bytecode called Petri Nets ByteCode (PNBC). PNOS also provides the installed processes with the access to inputs and outputs of the underlying hardware that are connected 206 PNSE’13 – Petri Nets and Software Engineering Subprocesses application bussiness logic Processes app. business logic, install/remove subprocesses, send/receive messages and commands Platform + PNOS kernel install/remove application processes, forward messages to app. processes, interaction with HW and communication infrastructure, interpretation of all reference nets in the system Hardware communication infrastructure - physical interpretation of the whole system Fig. 1. System layers and their responsibility to sensors and actuators, and also with the serial communication port that is connected to the wired or wireless communication module (e.g. ZigBee)[8]. The main net (ﬁrst process) interpreted in PNOS is so called platform net. Platform net is responsible for interpretation of commands which are read from buﬀered serial line. These commands allow to install, instantiate, and uninstall other Petri nets. The Platform also allows to pass messages to the other layers, which are responsible for application-speciﬁc functionality. Since we need reconﬁgurability in all levels, the installation and uninstallation functionality is implemented in each level. 4 The Development Process The whole process of system development is described in Figure 2. It starts with the speciﬁcation of the main system workﬂow and its subprocesses. Resulting workﬂow model is then transformed to the layered architecture and might be further debugged using the Renew reference nets tool [6]. After this, the ﬁnal set of Reference Nets is translated to Petri Nets ByteCode (PNBC) that is then used either for the target prototype simulation using SmallDEVS tool [7] and also to be transfered to the nodes of the system infrastructure. Here it serves as a reconﬁgurable part of the running system. More detailed description of the whole PNOS architecture and functionality could be found in [8]. 4.1 Running Example As a running example, we use a subset of a home automation system. The home automation is partly based on the optimization of the energy consumption from multiple sources. There are diverse primary sources of the energy, but within T. Richta et al.: Development of Dynamically Reconﬁgurable Systems speci cation Graph transformations reference nets production 207 Work ow model PNML initial system speci cation PNML architecture Renew modeling and debugging XSLT translation rules simulation SmallDEVS Model of controlled system Node PNML + inscription Compiler XSLT PNBC/HEX code generation Model of infrastructure PNOS PNBC messages reality Node PNOS Infrastructure Microprocessor messages External Components UART I/O ZigBee Ethernet Native Code + PNBC ... Fig. 2. System construction our example we concern on the photothermic solar energy panels used for warm water and heating circuits energy supply. The home automation problem used as an example is described in more detail in [9], where also some preliminary ideas about the system design and code interpretation principles are proposed. In this paper we present reﬁned and improved version of the design process and its evaluation. Home automation process could be described as an workﬂow model using the Workﬂow Petri Nets described previously. Next section shows the workﬂow model and its description. 4.2 House Workflow Model Within this section, the workﬂow model of the part of house automation system - the photothermic solar panel and hot water storage tank - is described, using the Workﬂow Petri Nets deﬁned by Van der Aalst[1]. The Figure 3 describes two swimlines that represent two modules - solar panel and water tank. Each swimline consists of the main process of the module, that is constructed using a set of subprocesses. Within the solar panel module, there is a task of sending data and measure temperature subprocess. In the water tank module, there is a task of receiving the data and two subprocesses - measure temperature and adapt settings. Measure data subprocess and the receive task are connected with the adapt setting subprocess using the OR transition. Particular subprocesses descriptions are shown in next ﬁgures. 208 PNSE’13 – Petri Nets and Software Engineering Solar Panel Module send measure data Water Tank Module adapt receive measure Fig. 3. House workﬂow example In Figure 4 the measure subprocess was modeled also using the Workﬂow Petri Nets. It consists of two tasks - reading the data and converting it to the temperature value. Reading the data means getting the voltage from the input and the conversion means the necessary calculations to produce the human readable results. Measure Subprocess read convert delay Fig. 4. Measure subprocess net The other subprocess shown on Figure 5 consists of the task of temperatures reading and comparing them to use the result for the adequate reaction of the automation system. If there is higher temperature on the solar panel than within the water tank, corresponding circular pump is started to move the hot water form panel to the tank. In this way the system speciﬁcation is basically deﬁned. But there are some other prerequisites, e.g. we need to know about the technical aspects of reading and writing the input/output data. This information should be obtained from the customer and must be included as a part of the PNOS system. At this moment, these rules are stored in a proprietary format alongside the nets speciﬁcations, T. Richta et al.: Development of Dynamically Reconﬁgurable Systems 209 Adapt Subprocess solar temperature adapt tank temperature Fig. 5. Adapt subprocess net but in future we plan to add them as a next layer of the system called drivers. The following section describes the derived four level reference nets architecture, which is produced from described workﬂow model. The process of conversion of workﬂow model into the multilayered Reference Nets system is done using some coarsely deﬁned rules, but in future it should be based on formally deﬁned translation rules. 4.3 Layered Reference Nets Architecture The multilayered system architecture derivation starts with the subprocess nets. In Figure 6 there is the measure subprocess reference net derived from the measure subprocess. This net is constructed adding the initial and ﬁnal uplinks and places. These uplinks serve as a starting and ﬁnishing transitions called from the main process of the module. There are also primitive system functions calls, that operate directly with the underlying operating system. Resulting value token is prepared and sent using uplink : output(). All the subprocess protocol nets are named using the name place and corresponding uplink. Fig. 6. Measure subprocess net The solar panel main process described in Figure 7 is derived from the solar panel swimline in the workﬂow model. It consists of the place, where all the subprocess nets are stored and according to their names are called in particular order. Synchronization place is added between the subprocess protocol nets calls 210 PNSE’13 – Petri Nets and Software Engineering matching the solar panel main process swimline place. The name of the protocol net is derived from the name of the workﬂow subprocess, and it is not necessary to be human readable. Fig. 7. Solar panel main process The measurement subprocess protocol net has already been described, so the last net that remains is the settings adaptation subprocess protocol net. It is described in Figure 8 and communicates with the operating system calling the proper signals according to the decisions made in transitions. Fig. 8. Adapt subprocess net The water tank main process reﬂects the main process in the workﬂow model. It calls all the subnets and performs the synchronization of subprocesses using two temperature places, that are then synchronized within the adapt subprocess. It is described in Figure 9. T. Richta et al.: Development of Dynamically Reconﬁgurable Systems 211 Fig. 9. Water tank main process Above the last net, called infrastructure, there is a part of the underlying operating system called the platform net that describes the main required functions of the operating system needed by the application processes installed on it. The platform net is shown in Figure 10. Finally the infrastructure layer, that is derived from the main workﬂow process description, is shown in Figure 11. In our example, it is very simple. Each swimline represents one place, where the module for hosting the platform, main process and protocols will be placed. The communication between the two subprocesses seated in diﬀerent swimlines is represented here as an communication transition, that should internally call the ﬁnal transition of the send task, that means the : output() downlink and the initial transition of the receive task, that means the : input() downlink. Those transitions are part of the platform layer and are propagated to the subprocesses nets. 4.4 Code Generation Generally, in our approach, each layer of the system can be compiled to target code independently. There are two possibilities: ﬁrst - the target code can be the native code of the controller processor, and second - target code is a bytecode that is interpreted by some virtual machine. Regardless on the way the code is generated, all the abstraction levels communicate with each other using uplinks and downlinks. The diﬀerence is, that levels deployed as interpreted bytecode are more ﬂexible and dynamically changeable than the compiled ones. It is because such a modiﬁcation needs a heavy compiler and (possibly) over-the-air programming of the node, that consumes a lot of energy. On the other hand 212 PNSE’13 – Petri Nets and Software Engineering Fig. 10. Platform net Fig. 11. Infrastructure net it is possible to send the bytecode to the node as data. It thus allows for very high level of dynamic reconﬁgurability in the system runtime. E.g. new version of the measure subprocess is produced, then the corresponding Reference Net is derived and proper bytecode is generated. Finally the new version of the measure net is sent to the relevant node, and installed by its platform net. We currently use the virtual machine and bytecode for all Petri Nets-based code. The only part which is implemented natively, is the PNOS kernel, including PNVM [8]. The example of bytecode follows. It represents simple net that reads data from some sensor and produces relevant output (the net is depicted in Figure 6). In fact, it is a human-readable version of the bytecode. In this representation, numbers are represented as a text and also some spaces and line T. Richta et al.: Development of Dynamically Reconﬁgurable Systems 213 breaks are added. This means that the contents of the code memory is a bit more condensed. Each byte of the code is either an instruction for PNVM, or data. (Nmeasure (measure) (arg/raw/val/name) (Uoutput(val)()(P3(B1)(V1))) (Uinput(arg)()(Y1(B1)(V1)(I1000))) (Uname(name)()(P4(B1)(V1))) (I(O4(B1)(S1))) (Tread(arg/raw) (P1(B1)(V1)) (A(:(V2)(r(V1)))) (O2(B1)(V2))) (Tconvert(raw/val) (P2(B1)(V1)) (A(:(V2)(/(*(V1)(I625))(I10000)))) (O3(B1)(V2)))) The bytecode contains symbols deﬁnitions and places deﬁnitions, allowed by a code for each uplink (U), initialization (I), and each transition (T). Each transition description consists of preconditions (P), guard (G), action (A) and postconditions (O), in a form of instructions for the PNVM. Each data element is a tuple consisting of a type and a value. Variables are declared as a part of transition code and identiﬁed by indexes. When the code of the net template is loaded to code memory of the PNVM, it is indexed in order to allow PNVM to quickly access particular parts of the code, especially places declarations, the uplinks and the transitions code. When the net template is instantiated, a speciﬁc part of runtime memory is allocated according to number of places. At the same time, the net transitions are scheduled for execution. Execution of a transition consists of reading its bytecode and attempting to satisfy all preconditions, downlinks and guards using recursive backtracking algorithm. In guards and actions of transitions it is possible to call primitive operations of the underlying PNOS. Those operations are available in the Reference Nets inscription language as PNOS.operation, e.g., PNOS.readPort("solar1") reads data from virtual port named solar1, PNOS.writePort("pump1",100) writes value to the virtual port named pump1, PNOS.h(m) gets ﬁrst space-separated substring from string m, and PNOS.t(m) returns the rest of the string m without the ﬁrst substring. Those primitive operations are directly mapped to the corresponding bytecode. We use a subset of the Reference Nets inscription language here. It works only on integers and strings as values with corresponding set of basic operations. The important feature of the system is its reconﬁgurability. It is based on operations of the operating system that are designated for manipulations with nets (in the form of PNBC) and their instances. Nets could be sent to a node as a part of the command for its installation. The command is executed by Platform 214 PNSE’13 – Petri Nets and Software Engineering net. Using other commands, the platform can instantiate a net, pass a command to it, destroy a net instance and unload a net template - see Figure 10. The PNOS Platform functionality is described in more detail in [8]. 4.5 Simulation in SmallDEVS PNOS-based nodes can be simulated in SmallDEVS environment [7], together with simulation models of sensors and actuators connected to the controlled physical process, as well as with simulation model of communication infrastructure. While Renew is used for application business logic debugging, SmallDEVS is used for realistic simulation of the system with its surroundings. Execution steps delays are incorporated to the simulation model in order to make simulation as realistic as possible. Statistics gathered from simulation experiments can be used for veriﬁcation purposes and also can support decisions about type of hardware for target system implementation. Hardware-In-the-Loop simulation is also possible. 5 Evaluation For the testing purposes we use the Arduino and Raspberry Pi hardware platforms with XBee modules for wireless communication. The Arduino is enabled with the ATmega328P chip that introduces some important restrictions to the implementation. The main one is the 2kB SRAM memory that makes extensive use of direct Petri Nets interpretation very diﬃcult. There is a strong limitation for the number of nets and also for the complexity of problems solved. For that purposes we consider now for further testing of the system to use the Raspberry Pi platform, that oﬀer much more memory for the interpretation purposes. The energy consumption of the ARM could be reduced by underclocking, that is part of our future work plans. PNVM/PNOS prototype has been implemented in Smalltalk. The implementation resembles the way how it will be implemented in pure C language in order to make ﬁnal implementation easy. Up to now, we do not have C implementation ready, because we are still doing minor improvements to the reference Smalltalk version. Nevertheless, the automated generation of C version of PNVM/PNOS is planned for very near future. With the hardware limitations in mind, we have tested the PNVM/PNOS prototype with a model containing the platform net and other three simple nets (9 transitions in all nets), that are loaded and instantiated successively. The code of nets occupies 718 B, 679 B, 147 B, and 115 B, what is 1659 B of total used memory for code. The simulation generates 4 net instances, containing 14 places. The number of tokens is up to 31, and needs 1547 B of object memory. The history of memory occupation is shown in Figure 12. Peaks in the graph corresponds to receiving a net via serial line and its loading to code memory. To investigate the time consumption of the simulation, we measured the time needed for each step execution. It comprises evaluation of all transitions in all T. Richta et al.: Development of Dynamically Reconﬁgurable Systems Memory size [B] 2000 215 Code Memory Object Memory 1500 1000 500 0 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 32 Step Number Fig. 12. Memory usage ten instances. The simulation was executed for 50 times to get average step duration. The history of simulation steps durations is shown in Figure 13. We can see, that the duration increases depending on number of instances because the number of transitions is increasing. Peeks in the graph correspond with net loading, net instantiation, and uplink execution. These experiments has been done on contemporary desktop computer. On Raspberry Pi the step duration is about 100 times higher, because of slower CPU and slower access to the memory. Nevertheless, we suppose that C version of the PNVM/PNOS for Raspberry Pi will run reasonably faster which will make Arduino and Raspberry Pi platforms well usable for Petri nets-speciﬁed control systems. 6 Related Work The use of high-level languages, especially Petri Nets, allows to build and maintain control systems in a quite fast and intuitive way. There are many approaches to relate high-level languages with embedded devices or microcontrollers. One kind of that approaches is applicable in systems with not very limited resources. For example, Java can be used as a high-level language and works on architecture which can be successfully used in embedded systems [10]. To control robot application, hierarchical Petri Nets are used for middleware implementation in a RoboGraph framework [11]. Another approaches are focused to the devices with limited resources. They obviously use high-level languages or models for system design and the implementation is generated, usually into the C code. An examle is a usage of Timed Petri Nets for the synthesis of control software for embedded systems by generating C-code [12] or Sequential Function Charts [13]. All these approaches allow to design systems using high-level languages or models, but they either do not preserve models in the system implementation, 216 PNSE’13 – Petri Nets and Software Engineering Step Time [microseconds] 2500 2000 1500 1000 500 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 32 Step Number Fig. 13. Time overhead of simulation steps or are not applicable for systems with limited resources. The approach presented in this paper allows not only for design of systems with limted resources, but also for systems implementation using a high-level language, particularly the Nets-within-Nets formalism, allowing for the dynamic reconﬁgurability. 7 Conclusion In this paper, we described the process of system construction based on Petri Nets-based models transformations and target prototype code generation. This process starts with the workﬂow model deﬁned according to the Van der Aalst’s WF-Nets that describe the functionality of the system from the customers point of view. This model is then transformed to the multilayered architecture based on Reference Nets formalism. Each layer of the architecture is then translated to the speciﬁc target representation. The main part of the system is translated to the Petri Nets ByteCode (PNBC), that is interpreted by the Petri Nets Virtual Machine (PNVM) that is part of the Petri Nets Operating System (PNOS) which forms the remaining part of the system. The whole system reconﬁgurability is based on the possibility of PNBC net replacement with the new version where the interpretation after reinstalling starts to perform the new version of the process. In the current version, the reconﬁgurability is considered to work on the granularity of processes and subprocesses. In further research, we plan to focus on more ﬁne grained reconﬁguration, including the platform primitive operations, and also on the processes migration. Acknowledgment This work has been supported by the European Regional Development Fund in the IT4Innovations Centre of Excellence project (CZ.1.05/1.1.00/02.0070), by T. Richta et al.: Development of Dynamically Reconﬁgurable Systems 217 BUT FIT grant FIT-11-1, and by the Ministry of Education, Youth and Sports under the contract MSM 0021630528. References 1. Van der Aalst, W.M.P., Van Hee, K.M. 2002. Workﬂow Management: Models, Methods, and Systems. IT press, Cambridge, MA. 2. Van der Aalst, W.M.P., Ter Hofstede, A.H.M. 2005. YAWL: yet another workﬂow language. Inf. Syst. 30, 4 (June 2005), 245-275. 3. Valk, R. 1998. Petri Nets as Token Objects: An Introduction to Elementary Object Nets. In Proceedings of the 19th International Conference on Application and Theory of Petri Nets (ICATPN ’98), Jrgen Desel and Manuel Silva (Eds.). SpringerVerlag, London, UK, 1-25. 4. Kummer, O. 2001. Introduction to petri nets and reference nets. SozionikAktuell 1:2001 / Rolf von Lüde, Daniel Moldt, Rüdiger Valk (Hrsg.). 5. Cabac, L., Duvigneau, M., Moldt, D., Rölke, H. 2005. Modeling dynamic architectures using nets-within-nets. In Proceedings of the 26th international conference on Applications and Theory of Petri Nets (ICATPN’05), Gianfranco Ciardo and Philippe Darondeau (Eds.). Springer-Verlag, Berlin, Heidelberg, 148-167. 6. Kummer, O., Wienberg, F., Duvigneau, M., Köhler, M., Moldt, D., and Rölke, H. 2003. Renew - the Reference Net Workshop. Tool Demonstrations. Eric Veerbeek (ed.). 24th International Conference on Application and Theory of Petri Nets (ATPN 2003). 7. Češka M., Janoušek V., Vojnar T. PNtalk - A Computerized Tool for Object Oriented Petri Nets Modelling. Lecture Notes in Computer Science, vol. 1333, DE, p. 591-610, ISBN 3-540-63811-3, ISSN 0302-9743, 1997. 8. Richta, T., Janoušek, V. 2013. Operating System for Petri Nets-Speciﬁed Reconﬁgurable Embedded Systems, To appear in: Proceedings of the 14th Computer Aided Systems Theory, Las Palmas de Grand Canaria, LNCS, Springer Verlag. 9. Richta, T., Janoušek, V., Kočı́, R. 2012. Code Generation For Petri Nets-Speciﬁed Reconﬁgurable Distributed Control Systems, In: Proceedings of 15th International Conference on Mechatronics - Mechatronika 2012, Praha, CZ, FEL Č, 2012, s. 263269, ISBN 978-80-01-04985-3. 10. Pizlo, F., Ziarek, L., et al. 2010. High-level programming of embedded hard realtime devices. In Proceedings of the 5th European conference on Computer systems, ACM New York, 69-82. 11. Fernandez, J.L., Sanz, R., Paz, E., Alonso, C. 2008. Using hierarchical binary Petri nets to build robust mobile robot applications: RoboGraph. In IEEE International Conference on Robotics and Automation. 1372-1377. 12. Rust, C., Stappert, F., Kunnemeyer, R. From Timed Petri Nets to Interrupt-Driven Embedded Control Software. In International Conference on Computer, Communication and Control Technologies (CCCT 2003), Orlando, Florida, USA. p. 6. 13. Bayo-Puxan, O., Rafecas-Sabate, J., Gomis-Bellmunt, O., Bergas-Jane, J. 2008. A GRAFCET-compiler methodology for C-programmed microcontrollers, In Assembly Automation, Vol. 28 Iss: 1, Emerald Group Publishing. 55-60. 218 PNSE’13 – Petri Nets and Software Engineering Decomposing Replay Problems: A Case Study H.M.W. Verbeek and W.M.P. van der Aalst Department of Mathematics and Computer Science, Eindhoven University of Technology, The Netherlands {h.m.w.verbeek,w.m.p.v.d.aalst}@tue.nl Abstract. Conformance checking is an important ﬁeld in the process mining area. In brief, conformance checking provides us with insights how well a given process model matches a given event log. To gain these insights, we typically try to replay the event log on the process model. However, this replay problem may be complex and, as a result, may take considerable time. To ease the complexity of the replay, we can decompose the given process model into a collection of (smaller) submodels, and associate a (smaller) sublog to every submodel. Instead of replaying the entire event log on the entire process model, we can then replay the corresponding sublog on every submodel, and combine the results. This paper tests this divide-and-conquer approach on a number of process models and event logs while using existing replay techniques. Results show that the decomposed replay may indeed be faster by orders of magnitude, but that success is not guaranteed, as in some cases a smaller model and a smaller log yield a more complex replay problem. 1 Introduction In the area of process mining, we typically distinguish three diﬀerent ﬁelds: discovery, conformance checking, and enhancement [1]. The discovery ﬁeld is concerned with mining an event log for a process model (for the remainder of this paper, we assume that these process models are represented using Petri nets). We are given an event log, and we try to come up with some process model that nicely represents the observed behavior in the event log. The conformance checking ﬁeld is concerned with checking whether an event log matches a process model. We are given an event log and a process model, and we try to provide insights how well these two match. The enhancement ﬁeld is concerned with enhancing a process model using an event log. We are given an event log and a process model, and we copy data as found in the event log into the process model. A popular enhancement technique is to add durations to a process model based on timestamps in the log. This allows us to detect bottlenecks in a process model. This paper focuses on the conformance checking ﬁeld [10]. As mentioned, for conformance checking, it is vital that we can match the event log with the process model. A popular approach for matching both is to replay the entire event log on the process model. Every trace of the event log is replayed in the process model in such a way that mismatches are minimized in 220 PNSE’13 – Petri Nets and Software Engineering some way. Of course, our aim is to match every event in the trace to a possible action in the process model. However, this is not always possible. In some cases, we cannot match an event to any possible action in the process model, or vice versa, we cannot match an necessary action according to the model to an event in the log. The result of this matching process is an alignment [4] between every trace of the event log and the process model. A situation where the alignment cannot match an event to any action can be considered as a situation where we decided to skip a position in the log during replay. This is referred to as a log move: We handle the event in the log (by skipping it) but do not reﬂect this move in the model. Vice versa, a situation where the alignment cannot match an action to any event can be considered as a situation where we decided to skip the action. Such a situation is referred to as a model move. The remaining situation where an event and an action are matched is referred to as a synchronous move. By associating costs to these situations, we can obtain a best alignment by minimizing these costs. Based on this idea of associating costs, replay techniques have been implemented in the process mining tool ProM 6 [3]. Earlier work [5, 2] has shown that we can apply a divide-and-conquer approach to these cost-based replay techniques. Instead of replaying the entire event log on the entire process model, we ﬁrst decompose the process model into a collection of submodels. Second, we create a sublog from the entire event log for every submodel. Behavior not captured by a submodel will be ﬁltered out of the corresponding sublog, only behavior captured by the submodel will be ﬁltered in. Third, we compute subcosts for every combination of submodel and sublog. Fourth and lasts, we replay every sublog on the corresponding submodel in such a way that the subcosts are minimized. It has been proven that the weighted accumulated subcosts are a lower bound for the actual overall costs [11]. Moreover, the fraction of ﬁtting cases is the same with or without decomposition [11]. As a result, the accumulated subcosts is a lower bound for the actual costs. Conceptually, the entire model can be regarded as a decomposition of itself into a single submodel, with a single sublog. Nevertheless, proper decompositions may exist as well. An example of a (most likely) proper decomposition is the maximal decomposition as described in [2, 11]. This maximal decomposition uses an equivalence class on the arcs in the process model to decompose the model into submodels. This equivalence class corresponds to the smallest relation for which the incident arcs of places, silent transitions, and visible transitions with a non-unique label are equivalent. As a result, the maximal decomposition results in submodels that only have visible transitions with unique labels in common. Nevertheless, other proper decompositions of a process model may exist (like [7]) which may be of interest for the decomposed replay problem. Replaying all sublogs on the corresponding submodels has two possible advantages: 1. It may highlight problematic areas (submodels) in the model, that is, submodels with a bad ﬁtness. This information can hence be used for diagnostic purposes. E. Verbeek et al.: Decomposing Replay Problems: A Case Study 221 2. It may be much faster than replaying the entire log on the entire model, while the fraction of ﬁtting cases is the same for both. Obviously, this may save time while maintaining quality. This paper focuses on the second advantage, that is on the possible speed-up of the entire replay when using divide-and-conquer techniques. As the overall model is bigger than any of its submodels, it is expected that the replay problem of the entire log is more complex than the replay problem of all sublogs. As a result, determining the actual costs may take simply way too much time, while determining a decent lower limit may take an acceptable amount of time. This paper takes four diﬀerent process models with six corresponding diﬀerent event logs, and several ways to decompose the process models into submodels, and checks whether determining the costs of more ﬁne-grained decomposed replay problems are indeed faster than that of more coarse-grained decomposed replay problems. Furthermore, if it is indeed faster, it checks whether the obtained costs are still acceptable. Note that a technique that return a trivial lower bound (like 0) for the costs is very fast, but is not acceptable as we do not gain any insights by such a technique. 2 Preliminaries This section introduces the basic concepts of process models and event logs as used in this paper. Furthermore, it details how we determine the cost associated by replaying an event log on a process model. For the remainder of this paper, we use U to denote the universe of labels. A process model contains a labeled Petri net [9, 8] (P, T, F, l), where P a set of places, T is a set of transitions such that P ∩ T = ∅, F ⊆ (T × P ) ∪ (P × T ) a set of arcs, and l ∈ (T 6→ U ) a partial function that maps a transition onto its label. For function l, we use dom(l) to denote the set of transitions that are mapped onto some label, and rng(l) to denote the set of labels that are mapped onto by some transition. A marking M of a net (P, T, F, l) is a multiset of places, denoted M ∈ B(P ). The input set of a place or transition n ∈ P ∪ T is denoted •n and corresponds to the set of all nodes that have an arc going to n, that is, •n = {n′ |n′ F n}. In a similar way, the output set is deﬁned: n• = {n′ |nF n′ }. Transition t ∈ T is enabled by marking M in net N = (P, T, F, l), denoted as (N, M )[ti, if and only if M contains a token for every place in the input set of t, that is, if and only if M ≤ •t. An enabled transition t ∈ T may ﬁre, which results in a new marking M ′ where a token is removed from every place in the input set of t and a token is added for every place in its output set, that is, M ′ = M − •t+t• . We use (N, M )[ti(N, M ′ ) to denote that transition t is enabled by marking M , and that ﬁring transition t in marking M results in marking M ′ . Let σ = ht1 , t2 , . . . , tn i ∈ T ∗ be a sequence of transitions. (N, M )[σi(N, M ′ ) denotes that there is a set of markings M0 , M1 , . . . , Mn such that M0 = M , Mn = M ′ , and (N, Mi )[ti i(N, Mi+1 ) for 0 ≤ i < n. A marking M ′ is reachable from a marking M if there exists a σ such that (N, M )[σi(N, M ′ ). A transition t ∈ dom(l) is called visible, a transition t 6∈ dom(l) is called invisible. An occurrence of a 222 PNSE’13 – Petri Nets and Software Engineering visible transition t corresponds to an observable activity l(t). We can project a transition sequence σ ∈ T ∗ onto its sequence of observable activities σv ∈ U ∗ in a straightforward way, where all visible activities are mapped onto their labels and all invisible transitions are ignored. We use (N, M )[σv ✄ (N, M ′ ) to denote that there exists a σ ∈ T ∗ such that (N, M )[σi(N, M ′ ) and σ is mapped onto σv . Furthermore, a process contains an initial state and a ﬁnal state, that is a process model P is a triple (N, M0 , Mn ), where N = (P, T, F, l) is a labeled Petri net, M0 ∈ B(P ) is its initial marking, and Mn ∈ B(P ) is its ﬁnal marking. The set of visible traces for a process model P = (N, M0 , Mn ), denoted φ(P), corresponds to the set of sequences of observable activities that start in the initial marking and end in the ﬁnal marking, that is, φ(P) = {σv |(N, M0 )[σv ✄ (N, Mn )}. An event log [1] L is a multiset of traces, where a trace is a sequence of activities. Thus, if A ⊆ U is the set of activities, then σ ∈ A∗ is a trace and L ∈ B(A∗ ) is an event log. An event log L can be projected onto some set of activities A′ , denoted L↾A′ , in a straightforward way: All events not in A′ are ﬁltered out, and all events in A′ are ﬁltered in. The replay problem [4] for an event log L and a process model P can now be described as ﬁnding, for every trace σL ∈ L, the transition sequence σP ∈ T ∗ for which its corresponding sequence of observable activities σP,v ∈ φ(P) matches σL best. To determine which transition ﬁts a trace best, we align σL and σP,v and associate costs to every misaligned transition and/or event. A misaligned transition means that we need to execute a visible transition in the process model that is not reﬂected in the event log, and is called a model move. A misaligned event means that an activity has been executed and logged that is not reﬂected by a corresponding visible transition in the process model, and is called a log move. An aligned transition-event pair means that both the event log and the process model agree on the next activity, and is called a synchronous move. By associating costs to model moves and log moves, and by minimizing the costs, we can determine the transition sequence from the process model that best ﬁts a trace from the event log. For the decomposed replay problem for an event log L and a process model P, we ﬁrst decompose the process model into a collection of smaller process models {P1 , . . . , PM }. Second, we map the costs for replaying the entire log on the entire net to costs for every smaller process model Pi = ((Pi , Ti , Fi , li ), M0,i , Mn,i ). In earlier work [11], we have shown that these costs can be mapped in such away that the accumulated costs for the decomposed replay problem is a lower bound for the costs of the original replay problem. Third, we ﬁlter the log for every smaller process model into a smaller log Li = L↾rng(li ) . Fourth, we replay every smaller log Li on the corresponding smaller process model Pi , using the adapted costs. Fifth and last, we accumulate the resulting costs into a single costs, which is a lower bound for the actual costs. In [11], we have shown how to decompose a process model P = ((P, T, F, l), M0 , Mn ) in such a way that the decomposition is maximal. For this maximal decomposition, we introduce an equivalence class on the arcs of F . Arcs will E. Verbeek et al.: Decomposing Replay Problems: A Case Study 223 Table 1. Characteristics of process models Process model Transitions Places Arcs Labels 12 32 11 58 12 32 14 44 26 74 28 124 8 32 10 36 RepairExample A32 Bpic2012A Bpic2012 end up in the same submodel Pi if and only if they are equivalent, where this equivalence is deﬁned as the smallest relation for which the following rules hold: R1 An incident (input or output) arc of a place is equivalent to all incident arcs of that place. R2 An incident arc of an invisible transition is equivalent to all incident arcs of that transition. R3 An incident arc of a visible transition with a non-unique label (that is, there exist other transitions that have the same label) is equivalent to all incident arcs of all transitions with that label. As a result of these rules, any place, any invisible transition, and any visible transition with non-unique label will be part of a single submodel only, whereas visible transitions with unique labels may be split over diﬀerent submodels. As a result, only these visible transitions with unique label interface between the diﬀerent submodels. In [11], we have proved that this decomposition preserves perfect replay: The entire event log L can be replayed perfectly (that is, no costs and/or mismatches) on process model P if and only if every sublog Li can be replayed perfectly on submodel Pi . Moreover, a trace perfectly ﬁts the overall model if and only if its projection ﬁts each of the submodels. Hence, the fraction of ﬁtting traces can be computed precisely using any decomposition. 3 Case Study Setting For the case study, we will use four diﬀerent process models (RepairExample, A32, Bpic2012A, and Bpic2012) with six corresponding diﬀerent logs (RepairExample, A32f1n00, A32f1n10, A32f1n50, Bpic2012A, and Bpic2012). Table 1 shows the characteristics of these models, whereas Table 2 shows the characteristics of the corresponding logs. The RepairExample model comes with a single event log, which is typically used for demonstration (or tutorial) purposes. The A32 model comes with three event logs, which contain a varying amount of noise. The ﬁrst log, A32f1n00, contains no noise (‘0%’), the second log, A32f1n10, contains some noise (‘10%’), and the third log, A32f1n50, contains much noise (‘50%’). This model and these logs were used to test genetic mining algorithms on their ability to recreate the original model from noisy event logs. The Bpic2012A model and event log stem from the BPI 2012 Challenge log and originate from [6]. Note that this log is 224 PNSE’13 – Petri Nets and Software Engineering Table 2. Characteristics of event logs Event log Cases Events Event Classes RepairExample A32f1n00 A32f1n10 A32f1n50 Bpic2012A Bpic2012 1104 1000 1000 1000 13,087 13,087 11,855 24,510 24,120 22,794 60,849 262,200 12 32 32 32 10 36 Table 3. Replay results of event logs Event log RepairExample A32f1n00 A32f1n10 A32f1n50 Bpic2012A Bpic2012 Running time (in seconds) Costs 0.25 11 17 32 0.59 480 0.197 0.000 0.993 4.521 1.293 14.228 a real-life log, which was obtained from a company. The Bpic2012A event log is obtained by ﬁltering out all events that start with either “O” or “W”, that is, it contains only the events that start with “A”. The corresponding model was hand-made based on results of running the Transition System Miner on this ﬁltered log (cf. [13]). The Bpic2012 model and log also stem from this challenge log. In contrast with the Bpic2012A log, the Bpic2012 log contains all events from the Challenge event log, and some more. These extra events allowed us to mine this log using a passage-based technique, of which the Bpic2012 model is a result [2]. Table 3 shows the results of running the replayer on the six event logs, where running times have been rounded to the two most signiﬁcant digits (this is done throughout the paper). For details on the replayer and other Prom 6 plug-ins used in this case study, we refer to [14]. Note that the absolute values for these running times are not that important for this paper, as we only want to compare them. In the next section, we will compare these results to the results of running the decomposed replayer on these logs. Our goal will be to check whether the decomposed replayer returns still-acceptable costs in better times for certain decompositions. 4 Case Study Results The ﬁrst decomposition we will check for the results, is a near-maximal decomposition. In Section 2, we have detailed a maximal decomposition based on an equivalence class between arcs. In this maximal decomposition, it is possible E. Verbeek et al.: Decomposing Replay Problems: A Case Study 225 Table 4. Decomposed replay results of event logs using near-maximal decomposition Event log RepairExample A32f1n00 A32f1n10 A32f1n50 Bpic2012A Bpic2012 Submodels Running time (in seconds) 6 30 30 30 8 12 (171%) 0.43 (12%) 1.3 (7%) 1.1 (4%) 1.2 (378%) 2.2 DNF Costs (99%) (100%) (45%) (48%) (49%) 0.196 0.000 0.444 2.155 0.629 to have a submodel ((Pi , Ti , Fi , li ), M0,i , Mn,i ) that subsumes some other submodel ((Pj , Tj , Fj , lj ), M0,j , Mn,j ) when it comes down to the labels, that is, rng(li ) ⊆ rng(lj ). A typical submodel where this might happen is the submodel that contains the source (or sink) place in case of a workﬂow net [12]. As every label of the subsumed submodel is contained in the subsuming model, every event of the ‘subsumed’ event log will be contained in the ‘subsuming’ event log. As a result, we can replay (almost for free) the ‘subsumed’ log while replaying the ‘subsuming’ log. For this reason, we add the subsumed submodel to every subsuming submodel (there may be more subsuming submodels), and do not replay the subsumed submodel on its own. The resulting decomposition is called a near-maximal decomposition. Table 4 shows the results of replaying the event logs on the submodels as obtained by the near-maximal decomposition. To enable easy comparison, Table 4 also shows the reduction percentages for both running times and costs (for example, 0.43 seconds is 171% of 0.25 seconds). These results show that the A32 logs are replayed much faster than with the regular replay (though the costs are signiﬁcantly lower), but that the other replays got worse, with the Bpic2012 log as most negative example. For this log, the decomposed replay simply did not ﬁnish (“DNF”), as it eventually ran out of resources (4 GB of memory). From these results, we conclude that decomposing a replay problem need not improve the time required for replay. Figure 1 shows the submodel that was the bottleneck for the decomposed replay of the Bpic2012 log. This submodel contains 12 invisible transitions (the entire net contains 22, so more than half of these invisible transitions ended up in this submodel), of which 3 loop back, 5 source transitions, and 5 sink transitions. As a result, the replay of the corresponding sublog on this speciﬁc submodel is very complex: In any reachable state, there are at least 5 enabled transitions, and in many states there will be some invisible transitions enabled as well). It might help the replay if we restricted the unlimited freedom of these source transitions in some way. For this reason, we introduced a place that eﬀectively restricts the number of tokens, say n, that may be present in the submodel. Initially, this place p contains n tokens. Any transition t in the original submodel is changed in the following way: 226 PNSE’13 – Petri Nets and Software Engineering Fig. 1. Problematic submodel that results from near-maximal decomposition of Bpic2012 – If t has more incoming arcs than outgoing arcs, that is, if | • t| > |t• |, then x outgoing arcs from transition t to place p are added, where x = | • t| − |t • |. – If t has more outgoing arcs then incoming arcs, that is, if |t• | > | • t|, then x incoming arcs from place p to transition t are added, where x = |t • | − | • t|. – If t has as many incoming arcs as outgoing arcs, that is, if |t • | = | • t|, then nothing is added. The exceptions to these rules are the arcs from source places and the arcs to sink places, as these arcs will not be counted. Reason for doing so is that otherwise all n tokens may end up in a sink place, which results in a dead submodel. As a result of applying these changes, every transition in the resulting net has as many incoming arcs as outgoing arcs (excluding source and sink places), and hence the number of tokens in every reachable marking (again excluding source and sink places) is constant, that is, equal to n. This amount of tokens n is determined in such a way that the execution of a source transition can be followed by the execution of a sink transition. Therefore, we will put a single token into the place for a source transition, and as many tokens as needed to ﬁre (once) all other (non-source) transitions in the preset of this place. Figure 2 shows the resulting submodel, where the place in the middle (the one with the many incident arcs) is the place that restricts the otherwise unlimited behavior of the former source transitions. Given the structure of this submodel, this place contains initially a single token, which allows for only a single thread in this submodel during replay. With this change made to the decomposition of the entire net (note that only the behavior of the problematic submodel was restricted in the way as E. Verbeek et al.: Decomposing Replay Problems: A Case Study 227 Fig. 2. Restricted problematic submodel described, other submodels were unaﬀected), the decomposed replay ﬁnished in 470 seconds (98%), with costs of 8.722 (61%). The replay of the problematic submodel took 460 seconds (costs 5.210), which explains the better part of the replay time (please recall that for the decomposed replay we allowed 4 threads to be run simultaneously). Although the decomposed replay now ﬁnished, it ﬁnished in almost the same time as the regular replay with signiﬁcant lower costs. Furthermore, by restricting the behavior of this submodel, we cannot claim anymore that the resulting costs are a lower bound for the actual costs. For this reason, we tried to reduce the number of invisible transitions instead. An invisible transition with single input and single output can be reduced in such a way, that the behavior of the resulting model is not a restriction, but an extension of the behavior of the original model. In general, the single input place of the invisible transition will have input transitions and additional (not counting this invisible transition) output transitions. Likewise, its single output place will have additional input transitions (not counting this invisible transition) and output transitions. In general, a path from such an additional input transition to such an additional output transition will not be possible in the model, as the invisible transition works ‘the wrong way’. However, all other paths are possible, like a path from an input transition to an output transition, and a path from an input transition to an additional output transition. Thus, if we merge the single input place and the single output place, and remove the invisible transition, than we only add behavior in the model. As a result, the replay costs might go down (which is safe for a lower bound), but cannot go up. Figure 3 shows the resulting submodel. With this change made, the decomposed replay ﬁnished in 190 seconds (40%), with costs of 6.676 (47%). The replay of the problematic submodel took 140 228 PNSE’13 – Petri Nets and Software Engineering Fig. 3. Reduced problematic submodel seconds (costs 3.163). The bottleneck submodel is now a diﬀerent submodel, which requires a replay time of 180 seconds. Obviously, the reduction of invisible transitions has led to a 60% decrease in running time (from 480 seconds to 190 seconds), but also to a 53% decrease in the computed costs (from 14.228 to 6.676). As we know that the decomposed replay returns a lower bound for the costs, this decrease in costs is okay, but perhaps we can do better by not reducing all invisible transitions. Possibly, there is some trade-oﬀ somewhere between the invisible transitions to reduce and the decrease in computed costs. For this reason, we again focus on the reduction of an invisible transition. Clearly, if (1) the single input place of an invisible transition has no additional output transitions and (2) the single output place of that invisible transition has no additional input transitions, then the reduction of this invisible transitions leads to no extra behavior. In contrast, if there would be 3 additional output transitions and 4 additional input places, then this reduction would lead to 3 × 4 = 12 possible new paths. If we want to retain as much of the original behavior in the reduced net, then we want to reduce invisible transitions for which the product of the number of additional output transitions and the number of additional input transitions is below some threshold. If this threshold equals 0, then no new paths are allowed, if it is suﬃciently large (say, 100), then any reduction is allowed. To check the eﬀect of this threshold, we have run the decomposed replay for a number of possible thresholds. Table 5 shows the results. Please note that the result of the reduction with some ﬁxed threshold needs not be unique, the resulting net might be non-deterministic. We are aware of this, but want to check its eﬀect anyway. This table indicates that if we set the threshold to 32, that then all invisible transitions will be reduced (running time approx. the same and costs the same). Furthermore, this table indicates that, to get a good lower bound for the costs E. Verbeek et al.: Decomposing Replay Problems: A Case Study 229 Table 5. Eﬀects of reducing invisible transitions on running time and computed costs Threshold 32 16 8 Running time (in seconds) Costs (42%) 200 (58%) 280 (386%) 1900 (47%) 6.676 (50%) 7.091 (55%) 7.849 (if possible at all), we need to spend more running time than we would need for the original (not decomposed) replay problem: To obtain a lower bound for the costs that is slightly above half of the actual costs, we need to spend more than three times as much running time. As a result, we conclude that this reduction technique has its merits (it actually ﬁnishes with costs that are reasonable for the running time required), but that there is no signiﬁcant gain in ﬁne-tuning this technique. A third option to cope with the problematic submodel could be to organize the submodels into submodels that are better suited for the replay at hand. Apparently, the replay techniques we are using have problems with certain submodels (many source transitions, many invisible transitions), so we should try to avoid generating such submodels. For this reason, we propose a slightly changed notion of equivalence, the only change being that the following rule is added: R4 The i-th incoming arc of a visible transition with unique label is equivalent to the i-th outgoing arc of that transition, if both arcs exist. Note that only the fourth rule on visible transitions with unique labels has been added. Also note that we now assume that some order exists among the incident arcs of such a transition, as we link the i-th incoming arc to the i-th outgoing arc, if possible. As a result, again, the result may be non-deterministic. Nevertheless, this approach may help in suppressing submodels with many source transitions, as the result of the fourth rule may be that a submodel with a visible sink transition t is merged with a submodel with a visible source transition t. We use the term near-minimal decomposition to refer to the decomposition that results from these adapted equivalence rules, as many submodels will be linked together using these new rules. Table 6 shows the results for this decomposition. This table shows that we typically obtain good results (costs-wise) using the near-minimal decomposition, but that we sometimes use slightly more time. Furthermore, this table shows that for the Bpic2012A and Bpic2012 event logs the near-minimal decomposition turns out to be the minimal decomposition, as both resulted in only a single submodel. In both cases this is caused because every parallel construct includes invisible transitions (either as split or as join). To be able to split these constructs, we can relax two of the four equivalence rules in such a way that we also allow the decomposition to split invisible transitions in the same way as it splits visible transitions with unique labels: R2’ The i-th incoming arc of an invisible transition is equivalent to the i-th outgoing arc of that transition, if both arcs exist. 230 PNSE’13 – Petri Nets and Software Engineering Table 6. Decomposed replay results of event logs using near-minimal decomposition Event log RepairExample A32f1n00 A32f1n10 A32f1n50 Bpic2012A Bpic2012 Submodels Running time (in seconds) Costs 2 4 4 4 1 1 (136%) 0.31 (18%) 1.9 (13%) 2.1 (10%) 3.1 (125%) 0.74 (101%) 480 (100%) 0.197 (100%) 0.000 (94%) 0.929 (96%) 4.322 (100%) 1.293 (100%) 14.228 Table 7. Decomposed replay results of event logs using near-minimal (with invisible transitions) decomposition Event log Bpic2012A Bpic2012 Submodels Running time (in seconds) Costs 3 3 (391%) 2.3 (83%) 400 (98%) 1.272 (100%) 14.227 This relaxation maintains the property that any perfectly ﬁtting trace in the overall model is a perfectly ﬁtting trace in the submodels (as we are still possible to replay such a perfectly ﬁtting trace in the submodels). However, it may break the property that a perfectly ﬁtting in the submodels is a perfectly ﬁtting trace in the overall model, as the invisible transitions on the border of the submodels may not agree. When replaying a trace on the submodels, such a disagreement will not be noticed, but when replaying it on the overall model, it will be noticed, which leads to a mismatch and extra costs. Table 7 shows the results of this decomposition for the two event logs. Both computed costs are quite good, and the running time of the Bpic2012 log is better than that of the regular replay, but the running time of the Bpic2012A log is worse. Another way to split up the near-minimal decomposition a bit further is to deﬁne a set of (visible) transitions for which the relaxed equivalence does not hold, that is, that assume that all incident arcs are not equivalent. In this paper, we will use the term milestone transitions for such transitions. As a result, we then have the following changes in the rules for equivalence: R2” The i-th incoming arc of an invisible non-milestone transition is equivalent to the i-th outgoing arc of that transition, if both arcs exist. R4” The i-th incoming arc of a visible non-milestone transition with unique label is equivalent to the i-th outgoing arc of that transition, if both arcs exist. Note that the equivalence of milestone transitions is derived from these rules. Initially, incident arcs of milestone transitions are not equivalent, but they may become equivalent if this equivalence is the result of any combination of the four E. Verbeek et al.: Decomposing Replay Problems: A Case Study 231 rules mentioned above. As such, it is still possible that multiple incident arcs for a milestone transition are equivalent. As an example of this milestone decomposition, we have selected six such milestone transitions in the Bpic2012 model: 1. 2. 3. 4. 5. 6. t14402 t16523 W_Beoordelen fraude+SCHEDULE W_Nabellen incomplete dossiers+SCHEDULE W_Valideren aanvraag+COMPLETE W_Valideren aanvraag+START Please note that the ﬁrst two milestone transitions are invisible transitions, which have no counterpart in the event log, whereas the remaining four are visible. Together, the ﬁrst four transitions form a sparsest cut in the model, where the middle two transitions link a submodel containing parallelism to a submodel containing an invisible transitions that allows the former submodel to be started over and over again during replay. Using this decomposition, the decomposed replay takes only 100 seconds (22%) and results in a costs of 11.722 (82%), which is quite acceptable. The left submodel (the large one) took 100 seconds to replay (costs 7.102), the top-right submodel took 97 seconds (costs 2.806), the middleright submodel took 66 seconds (costs 0.951), and the bottom-right submodel (the parallel one) took 2.8 seconds to replay (costs 0.863). Obviously, the fact that we could run the decomposed replay on 4 diﬀerent threads helped a lot in reducing the running time, as the total running time would have taken not 100 but 100 + 96 + 66 + 2.8 ≈ 260 seconds. 5 Tool implementation The decomposed replay has been implemented in the ProM 61 Passage package, which depends on the PNetReplayer package for the replayer. For sake of completeness, we mention that for this case study we have used version 6.1.122 of the former and version 6.1.160 of the latter package. The Passage package contains a number of plug-ins that are relevant for the decomposed replay. Create Decomposed Replay Problem Parameters Using this plug-in, the user can set the parameters which are to be used for both decomposing a model and a log into submodels and sublogs, and the decomposed replay that may follow this decomposition. Both an automated and a manual version exist for this plug-in. The automated version takes a model (a Petri net) and generates default parameters for this model. The manual version takes either a model with default parameters or existing parameters, and allows the user to change these parameters through a dialog. Figure 4 shows this dialog. For additional details on the implementation, we refer to [14]. 1 A nightly build version of ProM 6 containing the required packages can be downloaded from http://www.promtools.org/prom6/nightly. 232 PNSE’13 – Petri Nets and Software Engineering Fig. 4. Dialog for setting decomposed replay parameters Select visible transitions Using this list, the user can select the transitions that are allowed to be present in multiple submodels. Only selected transitions can appear on the interface between diﬀerent submodels. By default, the visible transitions will be selected. Select milestone transitions Using this list, the user can select the milestone transitions. When determining the equivalence classes between the arcs, only the non-selected transitions will be taken into account. By default, the visible transitions will be selected. Select ILP threshold Using this slider, the user can inﬂuence for which submodels the ILP-based replay will be used. This replayer will be used for all submodels for which the number of transitions exceeds this threshold. The non-ILP-based replayer will be used otherwise. By default, this threshold is set to 8. Select max loss Using this slider, the user can inﬂuence to what extend singe-input-single-output invisible transitions are to be reduced. Such a transition will be reduced if the product of its number of additional inputs and its number of additional outputs (that is, the number of new paths) is below this threshold. By default, this threshold is set to 0. Select loss threshold Using this slider, the user can inﬂuence for which submodels single-input-single-output invisible transitions are to be reduced. These transitions are only reduced if the number of transitions in the submodel exceeds this threshold. By default, this threshold is set to E. Verbeek et al.: Decomposing Replay Problems: A Case Study 233 100 (the maximal value), which means that these transitions will only be reduced for very large submodels. Select Thread threshold Using this slider, the user can inﬂuence for which submodels the behavior of the source transitions will be restricted by adding a place. The submodel will only be restricted if the number of transitions in the submodel exceeds this threshold. By default, this threshold is set to 100 (the maximal value), which means that this restricting place will only be added for very large submodels. Select Threads Using this slider, the user can inﬂuence the number of tokens in the place restricting the behavior of (otherwise) source transitions. The number of tokens equals the number set by this slider plus the number of outgoing arcs from this place to non-source transitions. By default, this number is set to 1. Select Runs With this slider, the user can inﬂuence how many times the regular replay and decomposed replay are to be run. The regular replay and decomposed replay will be run as many times as indicated by this slider. Enter label With this textbox, the user can provide a meaningful name to the selected parameter setting. This name will be used by ProM 6 to identify this parameters setting. By default, this name equals the name of the process model preﬁxed by “Parameters for ". Show Replay Costs Using this plug-in, the user can run the regular replay and the decomposed replay as many times as indicated by the parameters that are required as input. Additional inputs are the process model (a Petri net) and the event log. This plug-in will result in an overview that contains the parameter settings (for sake of reference) and the results (both running times and costs for both the regular replay and the decomposed replay, including the running times and costs for the replay of every sublog on the corresponding submodel). Create Decomposed Replay Problem Using this problem, the user can construct a decomposed replay problem. Required inputs are the parameters, the process model (a Petri net), and an event log. Please note that this plug-in only constructs the decomposed replay problem, it does not solve it by actually replaying it. To actually do this replay, the user can select the “Visualize Replay” visualization, which ﬁrst performs the replay and then shows the results. 6 Concluding Remarks In this paper, we have applied our decomposed replay techniques on six event logs and four corresponding process models. For two out of six event logs any decomposed replay we tried took longer than the regular replay. However, for exactly these two event logs the regular replay takes less than a second. The four remaining event logs all take longer than second to replay, where the actual time needed varies from 11 seconds to 480 seconds. For all of these four event logs, 234 PNSE’13 – Petri Nets and Software Engineering Table 8. Result of (decomposed) replay for event logs that take longer than a second to replay Event log Submodels Running time (in seconds) Costs A32f1n00 1 4 11 (18%) 1.9 0.000 (100%) 0.000 A32f1n10 1 4 17 (13%) 2.1 0.993 (94%) 0.929 A32f1n50 1 4 32 (10%) 3.1 4.521 (96%) 4.322 Bpic2012 1 4 480 (22%) 100 14.228 (82%) 11.722 we could achieve better running times at acceptable decreases in costs. Table 8 shows the result of the decomposed replay for these event logs, and compares these results to the results of the regular replay (where there is only a single submodel). Although this shows that we can use decomposed replay to achieve better running times at acceptable costs, there is an issue with the actual decomposition. Especially the Bpic2012 event log has been a hard nut to crack, as the replay of this event log turns out to be very sensitive to the actual decomposition. The replay simply fails to ﬁnish if we decompose the process model and event log in as many submodels and sublogs as possible. Especially the replay of one of the sublogs on its corresponding submodel caused the replay to not ﬁnish. In the paper, we have shown that we can take several approaches to this replay problem. First of all, we can restrict the possible behavior of the problematic submodel. This leads to a replay that ﬁnishes, but not to a costs that is by deﬁnition a lower bound for the actual costs, which is what we need. Second, we can reduce the single-input single-output invisible transitions such that none remains. As a result of this reduction, we possibly introduce new paths (new behaviors) in the resulting submodel, but this is safe as this only lowers the costs. We also tried to ﬁne-tune this reduction of invisible transitions, but that did not help much: The costs did not improve more than the running time of the replay did increase. Third, we can aim for submodels that suit the actual replay techniques we are using in some way. Doing so leads to a decomposed replay that ﬁnishes, although it might decompose the model in a single submodel. To be able to use the decomposed replay technique eﬀectively in practice, we need to be able to come up with a good decomposition that decreases running times while keeping the estimated costs at an acceptable level. We have shown that even for the hard Bpic2012 log this was possible, but we haven’t shown that we can do this for any log. For this, we need more research on what these good decompositions are, how they look like, and how we can derive them from a given model (possibly, given the corresponding event log). As shown, for some E. Verbeek et al.: Decomposing Replay Problems: A Case Study 235 logs, the default (near-maximal ) decomposition works ﬁne, but other logs require more sophisticated decompositions. References 1. W.M.P. van der Aalst. Process Mining: Discovery, Conformance and Enhancement of Business Processes. Springer-Verlag, 2011. 2. W.M.P. van der Aalst. Decomposing Process Mining Problems Using Passages. In S. Haddad and L. Pomello, editors, Applications and Theory of Petri Nets 2012, volume 7347 of Lecture Notes in Computer Science, pages 72–91. Springer-Verlag, 2012. 3. W.M.P. van der Aalst, B.F. van Dongen, C.W. Günther, R.S. Mans, A.K. Alves de Medeiros, A. Rozinat, V. Rubin, M. Song, H.M.W. Verbeek, and A.J.M.M. Weijters. ProM 4.0: Comprehensive Support for Real Process Analysis. In J. Kleijn and A. Yakovlev, editors, Application and Theory of Petri Nets and Other Models of Concurrency (ICATPN 2007), volume 4546 of Lecture Notes in Computer Science, pages 484–494. Springer-Verlag, 2007. 4. A. Adriansyah, B. van Dongen, and W.M.P. van der Aalst. Conformance Checking using Cost-Based Fitness Analysis. In C.H. Chi and P. Johnson, editors, IEEE International Enterprise Computing Conference (EDOC 2011), pages 55–64. IEEE Computer Society, 2011. 5. J. Carmona, J. Cortadella, and M. Kishinevsky. Divide-and-Conquer Strategies for Process Mining. In U. Dayal, J. Eder, J. Koehler, and H. Reijers, editors, Business Process Management (BPM 2009), volume 5701 of Lecture Notes in Computer Science, pages 327–343. Springer-Verlag, 2009. 6. B. F. van Dongen. BPI challenge 2012. Dataset. http://dx.doi.org/10.4121/uuid:3926db30-f712-4394-aebc-75976070e91f, 2012. 7. J. Munoz-Gama, J. Carmon, and W. M. P. van der Aalst. Hierarchical conformance checking of process models based on event logs. In ATPN 2013, LNCS. Springer, 2013. Accepted for publication. 8. T. Murata. Petri Nets: Properties, Analysis and Applications. Proceedings of the IEEE, 77(4):541–580, April 1989. 9. W. Reisig and G. Rozenberg, editors. Lectures on Petri Nets I: Basic Models, volume 1491 of Lecture Notes in Computer Science. Springer-Verlag, 1998. 10. A. Rozinat and W.M.P. van der Aalst. Conformance Checking of Processes Based on Monitoring Real Behavior. Information Systems, 33(1):64–95, 2008. 11. W. M. P. van der Aalst. Decomposing Petri Nets for Process Mining: A Generic Approach. Technical Report BPM-12-20, BPMcenter.org, 2012. 12. Wil van der Aalst, Arya Adriansyah, and Boudewijn van Dongen. Replaying history on process models for conformance checking and performance analysis. Wiley Interdisciplinary Reviews: Data Mining and Knowledge Discovery, 2(2):182–192, 2012. 13. H. M. W. Verbeek. BPI Challenge 2012: The Transition System Case. In M. La Rosa and P. Soﬀer, editors, BPM 2012 Workshops, volume 132 of LNBIP, pages 225–226. Springer, 2013. 14. H. M. W Verbeek and W. M. P. van der Aalst. Decomposing replay problems: A case study. Technical Report BPM-13-09, BPMcenter.org, 2013. 236 PNSE’13 – Petri Nets and Software Engineering Part IV PNSE’13: Short Papers Building Petri nets tools around Neco compiler Lukasz Fronc and Franck Pommereau {fronc,pommereau}@ibisc.univ-evry.fr IBISC, Université d’Évry/Paris-Saclay IBGBI, 23 boulevard de France 91037 Évry Cedex, France Abstract. This paper presents Neco that is a Petri net compiler: it takes a Petri net as its input and produces as its output an optimised library to eﬃciently explore the state space of this Petri net. Neco is also able to work with LTL formulae and to perform model-checking by using SPOT library. We describe the components of Neco, and in particular the exploration libraries it produces, with the aim that one can use Neco in one’s own projects in order to speedup Petri nets executions. Keywords: Petri nets compilation, optimised transition ﬁring, tools development, explicit state space exploration 1 Introduction Neco is a Petri net compiler: it takes a Petri net as its input and produces as its output a library allowing to explore the Petri net state space. Neco operates on a very general variant of high-level Petri nets based on the Python language (i.e., the values, expressions, etc., decorating a net are expressed in Python) and including various extensions such as inhibitor-, read- and reset-arcs. It can be seen as coloured Petri nets [1] but annotated with the Python language instead of the dialect of ML as it is traditional for coloured Petri nets. Firing transitions of such a high-level Petri net can be accelerated by resorting to a compilation step: this allows to remove most of the data structures that represent the Petri net by inlining the results of querying such structures directly into the generated code. Moreover, instead of relying on generic data structures and algorithms, specialisations can be performed on a per-transition and perplace basis. In particular, Neco can exploit various properties of Petri nets in order to further optimise the representation of a marking (both for execution time and memory consumption), as well as transitions ﬁring algorithms. Finally, Neco is able to type most of the Python code embedded in a Petri net thanks to the typing information on places. This allows to generate eﬃcient C++ code instead of relying on the interpreted Python code. All this yields a substantial speedup in transition ﬁring (and consequently in state-space exploration and explicit model-checking) that was evaluated in [2]. This was also conﬁrmed by the participation of Neco to the model-checking 240 PNSE’13 – Petri Nets and Software Engineering contest (satellite event of the Petri nets 2012 conference) that showed that Neco was able to compete with state-of-the-art tools [3]. The goal of this paper is to introduce the main concepts of Neco and its usage in order to enable tool developers for eﬃciently using the detailed online documentation and exploit Neco in their own projects. This may concern most tools that perform explicit exploration of Petri nets states spaces and take advantage of the speedup that Neco can oﬀer. Neco is free software released under the Gnu lgpl and it can be downloaded from http://code.google.com/p/neco-net-compiler where its documentation is also available, including a tutorial as well as the precise api of libraries generated by Neco and concrete examples. 2 General architecture and usage guidelines Neco is a collection of two compilers, one exploration tool and one model-checker: – neco-compile is the main compiler that produces an exploration engine of a Petri net (a library); – neco-explore is a simple exploration tool that computes state spaces using the engine produced by neco-compile; – neco-check is compiler for LTL formulae that produces a library to handle these formulae; – neco-spot is a LTL model-checker that uses outputs of tools neco-compile and neco-check, as well as SPOT library for model-checking algorithms [4]. As a compiler, Neco has two backends: the Python backend allows to generate Python code while the Cython backend generates annotated Python [5] that can be compiled to C++. Each tool composing Neco is dedicated to a speciﬁc task. Here we focus on compilation but we will also say a few words about the rest. The detailed compilation workﬂow is shown in Figure 1. In this section we assume that we use the Cython backend which is the most eﬃcient one. First we present how the exploration engine is built and how to use it to build statespaces, this part remains globally valid for the Python backend. Next we present how to perform LTL model-checking within Neco, and this part is currently not supported by the Python backend. However, there are also features that are currently only available in the Python backend, like reductions by symmetries [6], thus not yet available for LTL model-checking. 2.1 Exploration engine builder and state-space construction The ﬁrst step using Neco is to create a module that provides exploration primitives: a marking structure, successor functions speciﬁc to transitions, and a global successor function that calls the transition speciﬁc ones [2]. As shown in Figure 2, this exploration engine can be used by a client program (e.g., a model-checker or a simulator) to perform its task. The generated library directly produce info - Python - ABCD - PNML info structures extract compilation trace produce marking marking structure produce functions exploration exploration exploration functions functions functions produce compilation trace compilation trace compilation trace decompose id-atom map net.so neco-explore state space neco-check atomic atomic atomic propositions propositions propositions compile produce check functions LTL formula compile (cython + g++) (cython + g++) main check function checker.so neco-spot counter-example if exists spot formula legend tools external interaction inputs / outputs computations data structures 241 internal interaction Ł. Fronc et al.: Building Petri Nets Tools around Neco Compiler Fig. 1. Compilation pipeline and exploration tools within Neco (Cython backend). neco-compile model 242 PNSE’13 – Petri Nets and Software Engineering embeds code from the model (i.e., Petri net annotations) but also relies on existing data structures (in particular, sets and multisets) forming core libraries, and accesses them through normalized interfaces. Model code itself has very few constraints and may use existing libraries. This is detailed in [2]. client program (e.g., model-checker) hand written by tool programmer exploration engine hand written by modeller data structures: functions: – Marking – succ – init – ··· – succ t1 – ··· model code interfaces predefined code (core lib, model libs) generated by compiler assumed by compiler provided by existing libraries Fig. 2. The exploration engine (plain-line box) and its context (dotted boxes). [2] This module is built using command neco-compile. To do so, Neco takes a Petri net model as input which can be described programmatically in Python using the SNAKES toolkit [7], or using the ABCD formalism [8], or speciﬁed in PNML [9]. Once the model is loaded, some types are inferred allowing to statically type Python code later, which is an important feature because Cython language can produce optimized C++ code from annotated Python code [5]. However, because we allow a high degree of expressivity, all source code cannot be typed and Neco falls back to calling the Python interpreter in such cases. Basically, if a net contains only black tokens, integers or Boolean values, and static strings, as well as collections (tuples, lists, sets, dictionaries) of such values, it will be fully translated into C++. The next step is to produce a marking structure to represent Petri net states. It is optimized based on previously discovered types. This allows to use native types or to generate per-place specialised implementations. Then, we can produce exploration functions speciﬁc to the model (mainly an initial marking function and successor functions), this allows to eﬃciently produce state spaces [2]. An additional step is to produce a compilation trace which contains information about the marking structure and the model. This metadata is essential for consistency preservation among tools, and it prevents the user from having to call each tool with exactly the same options which is error-prone. Ł. Fronc et al.: Building Petri Nets Tools around Neco Compiler 243 The last step is to compile generated code producing a native Python module that is a shared library which can be used from C++ as a regular library as well as from Python as a regular module. This is actually done with Cython compiler and a C++ compiler. State spaces can be built using neco-explore tool. This tool builds sets of reachable states, and reachability graphs using a simple exploration algorithm that aggregates discovered states by repeatedly calling successor functions. 2.2 LTL model checking LTL model checking is performed using SPOT library [4], however, SPOT cannot directly handle atomic propositions appearing in LTL formulae which are speciﬁc to the used formalism. Moreover, because our marking structures are model speciﬁc, we also need to generate an atomic proposition checker module for each compiled net. This is made by neco-check compiler. This tool takes two inputs, a LTL formula in Neco compatible LTL syntax [10], and compilation metadata extracted from an exploration module (previously created with neco-compile). The ﬁrst step is to decompose the formula, extract atomic propositions and map them to unique identiﬁers (“id-atom map” on Figure 1). A simpliﬁed formula where all atomic propositions have been replaced by these identiﬁers is stored as a ﬁle. This way, atomic propositions can be abstracted away leading to a simple interface with the checking module. Basically, the interface is a function check that takes a state and an atomic proposition identiﬁer, and returns the truth value of the atomic proposition at the provided state. The next step is the creation of one check function for each atomic proposition, plus the generic check function exposed to users. During this step, using the compilation trace is essential because we need to create functions that are compatible with the optimized marking structure, and thus be aware of used types and memory layout. Finally the generated code is compiled using Cython compiler and a C++ compiler. The checker module ﬁnalized, it can be used together with the formula ﬁle by neco-spot tool and it will output a counter-example if one exists, i.e., if the formula is not satisﬁed. 3 Perspectives Several new features are already planned for Neco. First, a method to reduce symmetries based on [6] has been already prototyped in the Python backend. We would like to implement it in the Cython backend also to achieve better performance. Next, Neco will be adapted to compute unfoldings à la McMillan using the approach described in [11, chap.6]. This should be feasible by reusing most of the code that Neco already generates to discover bindings. Finally, we would like to implement fast simulation in Neco, which could be a variant of the current exploration algorithm that would compute only one successor for a 244 PNSE’13 – Petri Nets and Software Engineering state instead of all its successors. However, for better performance, we would like to experiment with a co-routine based implementation of Python [12] in order to deﬁne a highly concurrent architecture while avoiding the overhead of using threads. Neco will also participate to the 2013 edition of the model-checking contest. As a side eﬀect, this will lead us to develop new case studies for Neco (i.e., those models that are included in the contest), which will be extended later with more case studies. Based on case studies, we would like to perform extensive benchmarks of the Cython backend by comparing it to a combination of the Python backend with various Python compilers (in particular [13] and [14]) as well as with PyPy implementation of Python that features eﬃcient just-in-time compilation [15]. This should allow either to drop Cython backend if it happens that it is outperformed by other approaches, or, more probably, to deﬁne typical situations where Cython should not be used. In particular, we expect PyPy to be more eﬃcient on Petri nets that embed a lot of Python objects that cannot be converted to eﬃcient C++ code. Finally, we are working on an additional Java backend, allowing to compile Petri nets and LTL formulae to Java code. This will require some internal reorganisation of Neco so its core will become language-agnostic while only the backends will have to deal with language-speciﬁc aspects. Thanks to this work, we expect that more backends will be implemented in the future to handle Petri nets annotated with a wider variety of languages. References 1. Jensen, K., Kristensen, L.: Coloured Petri Nets: Modelling and Validation of Concurrent Systems. Springer (2009) 2. Fronc, L., Pommereau, F.: Optimizing the compilation of Petri nets models. In: Proc. of SUMo’11. Volume 726., CEUR (2011) 3. Kordon, F., Fronc, L., Pommereau, F., et al.: Raw Report on the Model Checking Contest at Petri Nets 2012. Technical report (2012) 4. Duret-Lutz, A.: LTL translation improvements in Spot. In: Proceedings of the 5th International Workshop on Veriﬁcation and Evaluation of Computer and Communication Systems (VECoS’11). Electronic Workshops in Computing, Tunis, Tunisia, British Computer Society (2011) 5. Behnel, S., Bradshaw, R., Citro, C., Dalcin, L., Seljebotn, D., Smith, K.: Cython: The best of both worlds. Computing in Science Engineering 13 (2011) 31 –39 6. Fronc, L.: Eﬀective Marking Equivalence Checking in Systems with Dynamic Process Creation. In: Inﬁnity’12. Electronic Proceedings in Theoretical Computer Science, Paris (2012) 7. Pommereau, F.: Quickly prototyping Petri nets tools with SNAKES. Petri net newsletter (2008) 8. Pommereau, F.: Algebras of coloured Petri nets. LAP LAMBERT Academic Publishing (2010) 9. Hillah, L., Kindler, E., Kordon, F., Petrucci, L., Trèves, N.: A primer on the Petri Net Markup Language and ISO/IEC 15909-2. In: 10th International workshop on Practical Use of Colored Petri Nets and the CPN Tools (CPN’09). (2009) Ł. Fronc et al.: Building Petri Nets Tools around Neco Compiler 245 10. Fronc, L.: Neco net compiler wiki. goo.gl/CXrry (2012) 11. Khomenko, V.: Model checking based on Petri net unfolding preﬁxes. PhD thesis, PhD thesis, School of Computer Science, University of Newcastle upon Tyne (2002) 12. Tismer, C.: Continuations and stackless Python. In: Proceedings of the 8th International Python Conference. (2000) 13. Dufour, M.: Shed skin. http://code.google.com/p/shedskin (2012) 14. Hayen, K.: Nuitka. http://nuitka.net (2012) 15. Bolz, C.F., Cuni, A., Fijalkowski, M., Rigo, A.: Tracing the meta-level: PyPy’s tracing JIT compiler. In: Proc. ICOOOLPS ’09, ACM (2009) 246 PNSE’13 – Petri Nets and Software Engineering RT-Studio: A tool for modular design and analysis of realtime systems using Interpreted Time Petri Nets Rachid Hadjidj and Hanifa Boucheneb Abstract. RT-Studio (Real Time Studio) is an integrated environment for modeling, simulation and automatic verification of realtime systems modeled as networks of Interpreted Time Petri Nets (ITPNs). The tool allows to construct several abstractions for ITPNs suitable to verify reachability, linear and branching properties, in addition to a TCTL model checker. In this paper we describe the ITPN model as a proposed extension to the classical TPN model and describe the modular modeling capabilities of RT-Studio. The classical railroad crossing model is used to illustrate these capabilities. Keywords: Formal verification, Time Petri Nets, timed properties, model checking, simulation 1 Introduction Interpreted Time Petri Nets (ITPNs) are Time Petri Nets (TPNs) [15, 8, 11] we extended with bounded data variables to increase their modeling power and expressiveness. TPNs are Petri nets extended with temporal constraints in the form of time intervals associated with their transitions [15]. A transition can fire if it is enabled and if the time elapsed since it became enabled most recently is within its time interval, but must be fired or disabled if this elapsed time reaches the upper bound of its time interval. With this extension, TPNs are powerful enough to model realtime systems. However, their analysis is much more complicated than simple Petri nets. In fact, the state space of the TPN model is in general infinite due to the continuous aspect of time. Furthermore boundedness is undecidable for this model [5, 4]. Hopefully, a subclass of TPNs called bounded TPNs, for which reachability is decidable, allows to model most useful systems. The analysis and verification of the TPN model is generally performed using model checking techniques. Model checking requires first to represent the behavior of a system as a finite state transition system1 , then specify properties of interest in a temporal logic (LTL, CTL, CTL*,...), and finally explore the state transition system to determine whether these properties hold or not [8, 11–13]. In the field of realtime systems modeling and verification, UPPAAL is one of the best tools available [3]. UPPAAL allows for a modular design of realtime systems using an extension of the Timed Automata (TA) model [2] instead of the TPN model. In this extension, variables can be defined, and both guards and actions can be associated with transitions. In addition to its modeling capabilities, UPPAAL integrates an efficient on the fly model checker (a key success component) for a subset of TCTL [1]. 1 Also called state graph or state space. 248 PNSE’13 – Petri Nets and Software Engineering For the TPN model, many tools exist for modeling, analysis and verification. Some well known tools are Roméo [10] and TINA [6]. But to our knowledge, there is no tool for the TPN model that compares to UPPAAL in terms of modular design, extension with variables and verification performance. TAPAAL2 [9], as an inspiration from UPPAAL, is an interesting reascent addition to the pool of tools dedicated to the modeling and verification of real time systems using a timed extension of Petri Nets. In this extension clocks are associated with tokens and time intervals with arcs. A token cannot pass trough an arc unless its clock is within the time interval of the arc. Time invariants associated with places allow to model urgency. The tool, has good verification performance and a nice graphical user interface capable of component based design. Even if it is a great step forward toward tightening the gap with UPPAAL in terms of providing a similar user experience and modeling power, UPPAAL still has a more powerful modular design capability in addition to the use of variables which TAPAAL2 lacks. RT-Studio presented here, attempts to tighten the gap with UPPAAL even more, by allowing for a similar modular design capability based on the ITPN model. RT-Studio also allows to simulate these models and analyze them using several means. In the ITPN model, each transition has, in addition to a time interval, a guard and a set of update operations on user defined data variables and places markings. An enabled transition can be fired if it is enabled and the guard associated with it is true in the current state of the model. When a transition is fired, its updates are applied. 2 Interpreted Time Petri Nets To increase the modeling power and expressiveness of TPNs , we extended the TPN model with bounded integer variables and associate guards and update actions with transitions. The resulting model is called Interpreted TPN (ITPN). As a consequence, in addition to the normal transition firing requirements, a transition requires also that its guard is true in the current ITPN state. A guard is a condition on the ITPN state defined on its marking, firing intervals of transitions, and the state of associated variables. After a transition t is fired, associated updates are performed. Updates can target variables associated with the ITPN, but also its marking. An update can only target places not attached to t for not conflicting with the usual operational semantics of transition firing. With the new extension, inhibitor arcs and priority on transitions firing can be modeled. Note that if variables associated with an ITPN are always positive then they can be implemented as normal places. Let Q+ , R+ and Z be respectively the set of positive rational numbers, the set of positive real numbers and the set of integers. Let Q+ [ ] be the set of non empty intervals of R+ which bounds are respectively in Q+ and Q+ ∪ {∞}. For an interval I ∈ Q+ [ ], ↓ I and ↑ I denote respectively its lower and upper bounds. Definition 1. Interpreted Time Petri Net (ITPN) An ITPN P is a tuple (P, T, V, P re, P ost, m0 , v0 , Is, G, U ) where: – P is a finite set of places, – T is a finite set of transitions, with P ∩ T = ∅, – V is a finite set of integer variables, with (P ∪ T ) ∩ V = ∅, R. Hadjidj et al.: RT-Studio: A Tool for Modular Design and Analysis 249 – P re and P ost are respectively the backward and forward incidence functions: P × T → N, where N is the set of nonnegative integers, – m0 : P → N, is the initial marking, – v0 : V → Z, is the initial valuation on P variables. – Is : T → Q+ [ ] associates with each transition t an interval [↓ Is(t), ↑ Is(t)] called its static firing interval. The bounds ↓ Is(t) and ↑ Is(t) are called the minimal and maximal static firing delays of t. – G : T → Bool(P), associate with each transition a guard from the set Bool(P). Bool(P) is the set of boolean functions on the set SP of states of P (The ITPN state is defined next). – U : T → U pdate(P), where U pdate(P) is the set of integer functions on the set SP × (P ∪ V ), associates with each transition t an update function on places and variables associated with P. Let M be the set of all markings of P. Let m ∈ M be a marking, and t ∈ T a transition of P. t is said to be enabled in m, iff all tokens required for its firing are present in m, i.e.: ∀p ∈ P, m(p) ≥ P re(p, t). We denote by En(m) the set of all transitions enabled in m. If m results from firing transition tf from another marking, N ew(m, tf ) denotes the set of all newly enabled transitions in m, i.e.: N ew(m, tf ) = {t ∈ En(m)|∃p, m(p) − P ost(p, tf ) < P re(p, t)}. Definition 2. ITPN state The state of ITPN P is a couple (m, v, I), where m is a marking, v is a valuation on the variables of P, and I is an interval function I : En(m) → Q+ [ ] [5]. For a state s = (m, v, I), and t ∈ En(m), I(t) is called the firing interval of t. It is the interval of time where t can fire. The initial state of P is s0 = (m0 , v0 , I0 ), where I0 (t) = Is(t), for all t ∈ En(m0 ). The state of P evolves either by time progression or by firing transitions. When a transition t becomes enabled, its firing interval is set to its static firing interval Is(t). The bounds of this interval decrease synchronously with time, until t is fired or disabled by another firing. t can fire, if the lower bound ↓ I(t) of its firing interval reaches 0 and its guard G(t) evaluates to true in the current state of P, but must be fired, without any additional delay if the upper bound ↑ I(t) of its firing interval reaches 0 while its guard evaluates true. The firing of a transition takes no time. θ Let s = (m, v, I) and s′ = (m′ , v ′ , I ′ ) be two states of P. We write s → s′ , iff state s′ is reachable from state s after a time progression of θ time units (s′ is also denoted s + θ), i.e.:  V  ∃θ ∈ R+ , t∈En(m) θ ≤ ↑ I(t), m′ = m, v ′ = v,  ′ ∀t ∈ En(m′ ), I ′ (t′ ) = [max(↓ I(t′ ) − θ, 0), ↑ I(t′ ) − θ]. t We write s → s′ iff state s′ is immediately reachable from state s by firing transition t. i.e.: 250 PNSE’13 – Petri Nets and Software Engineering  t ∈ En(m),     ↓ I(t) =0 ∧ G(t, s) = true,     m′ (p) = m(p) − P re(p, t) + P ost(p, t) if P re(p, t) 6= 0 ∨ P ost(p, t) 6= 0,  ∀p ∈ P m′ (p) = U (t, s, p) otherwise,  ′  ∀x ∈ V, v (x) = U (t, s, x),     I ′ (t′ ) = Is(t′ ) if t′ ∈ N ew(m′ , t),    ∀t′ ∈ En(m′ ) I ′ (t′ ) = I(t) otherwise. Definition 3. ITPN state space The state space of an ITPN model P is the structure (S, →, s0 ), where: – s0 = (m0 , v0 , I0 ) is the initial state of P, θ t – s → s′ iff either s → s′ for some θ ∈ R+ or s → s′ for some t ∈ T , ∗ ∗ – S = {s|s0 → s}, where → is the reflexive and transitive closure of →, is the set of reachable states of P. 3 Modular design of realtime system RT-Studio uses the concept of programming project2 to allow for a modular design of a realtime system. A project is basically a collection of ITPN components, and a system description file. An ITPN component is actually a template with possible parameters. The system description file is where the system configuration is specified. It consists of a list shared variable declarations and instantiations of ITPN components. Instances of ITPN components within the same project can communicate and synchronize using data variables defined in the system description file, and using shared transitions and shared places. A transition or a place is shared between several ITPNs if it has the same name and set as external (not local) in each one of them. When synchronizing ITPN components instances, shared places with the same name are merged in one single place. The marking of that place is the maximum marking of synchronized places. For transitions, the synchronization is little bit more demanding. A transition meant for synchronization is implicitly associated with a signaling channel having the same name. Transitions which names end with and exclamation mark ’!’ represent send actions on associated channels. Those with names ending with an interrogation mark ’?’ represent receiving actions on associated channels. When instances of ITPN components are synchronized, transitions representing complimentary actions are synchronized by merging each sending transition with a copy of a receiving transition having the same name. A copy of a transition is created by duplicating the transition and all its ingoing and outgoing arcs. Each ITPN component element (place, transition, arc), including the ITPN itself has an extendable list of attributes (properties). When an ITPN component or an ITPN component element is created, a default list of attributes is associated with it. These attributes describe its different features, like the number of tokens for a place, the guard and update actions for a transition, the list of parameters for the ITPN component, 2 A collection of files. R. Hadjidj et al.: RT-Studio: A Tool for Modular Design and Analysis 251 including the visual appearance of ITPN elements like the color, the shape, the border size, etc. The Attribute viewer is a panel for editing, modify and adding new attributes for the currently selected ITPN element. Added attributes can be referred to in guards and updates actions of transitions. Three attribute types are supported in the current version of RT-Studio: number (real value), boolean and string. To analyze a system designed as a project, its system description file need to be compiled. The compilation consists in synchronizing all ITPN components instances in one single ITPN. In the case of any error, error messages are displayed in a message pane at the bottom of the main window, otherwise the synchronized ITPN is generated and displayed in a separate panel and ready to be analyzed if it is self contained3 . Note that a self contained ITPN components can be analyzed without compilation. 4 Functionality RT-Studio’s verification and analysis capabilities can be grouped in three categories: abstract state spaces construction, model checking and simulation. Both known characterizations of the TPN state (interval and clock characterizations) [11] can be used to construct abstractions for ITPN models. For the interval characterization, computed abstractions are: the classical State Class Graph (SCG), the Strong State Class Graph (SSCG) and the Atomic State Class Graph (ASCG) [7]. Both the SCG and the SSCG preserve linear properties, but the SCG is a better alternative for linear properties as it is smaller and faster to compute. On the other hand, the SSCG is used as a starting point in a refinement process to generate the ASCG which preserves branching properties (CTL*). During the refinement, state classes are split by linear constraints so that each state captured in a sub class has a successor in each one of the following classes. Such sub classes are said to be atomic, and atomicity of all classes ensures preservation of CTL* properties [8]. For the clock characterization of states, computed abstractions are: the Concrete State Zone Graph (CSZG) for linear properties [11], and its atomic version, the ACSZG [11] for CTL* properties. Compared with the ASCG, the ACSZG is in general smaller and faster to compute. For reachability properties, RT-Studio implements three contraction techniques (by inclusion, by convex combination and by convex hull) to rapidly generate contracted versions of the SCG, SSCG and CSZG which are suitable to verify reachability properties [11, 14]. It also implements several post contraction operations to further contract abstractions after they are constructed, and a minimizer under bisimulation. After computing any abstraction, RTStudio allow the user to explore and edit it graphically. It also generates some statistics about the abstraction like its size (the number of nodes and edges) and the generation time. To verify properties, RT-Studio implements two model-checkers: a classical CTL model-checker and an innovative TCTL model-checker based on the forward on the fly verification technique described in [12, 13]. Finally, the simulator implemented in RT-studio allows for an assisted and interactive generation of any abstraction. Using the simulator, the user can intervene during the generation process, guide the generator to explore any branch of the state space graph being constructed, and even alter the model 3 A self contained ITPN has no parameters and does not need to be synchronized with other ITPNs. 252 PNSE’13 – Petri Nets and Software Engineering during the simulation if needed. RT-Studio stores a project in a single XML file. It also allows to import or export self contained ITPNs to a text file in a simple format accepted by the TINA toolbox [6]. Generated state spaces can also be exported in a text format supported by many model checkers. Barrier down comin g app lowering L [1,2] down closed down [0,0] m -1 app open m in far 2 2 raising m exit up R [1,2] in_i m m -1 [0,0] exit ex_i [2,4] [3,5] close_i left_i on_i far_i leaving up [0,0] Controller app Train exit Fig. 1. The level crossing TPN model Fig. 2. Screen shots from the project "level crossing model": the controller, the barrier, the train. The picture at the right bottom is the SCG of the model R. Hadjidj et al.: RT-Studio: A Tool for Modular Design and Analysis 253 Fig. 3. RT-Studio interface 5 An illustrative example As an illustrative example, we consider the classical Railroad Crossing model. Components of this system are shown in Figure 1 and also in Figure 2 as screen shots from RT-Studio. The ITPN model of n trains crossing concurrently the road is obtained by synchronously composing the controller model with its parameter m4 set to n, the barrier model, and n instances of the train model. In Figure 2, we can see the system description file for the railroad crossing project where two instances of the train model (Train1 and Train2) are synchronized with one instance of the barrier model (Barrier) and one instance of controller model (Controller). After compiling the project, we obtain the synchronized ITPN of the whole system shown in Figure 3. Note that for clarity, in Figure 3 each transition app is actually the superposition of two app transitions; one synchronized with first train instance, the other one with the second train instance. At the right bottom of Figure 2, we can see the SCG of the synchronized ITPN computed by RT-studio. 4 m is a number of tokens. 254 6 PNSE’13 – Petri Nets and Software Engineering Installation RT-Studio can be downloaded from http://faculty.qu.edu.qa/rhadjidj/rt-studio.aspx. The tool comes in a Zip file that includes three files : RT-studio.jar, realtime.exe, readme.txt, and a directory for examples. RT-studio.jar is a Java executable representing the graphical interface of the tool. realtime.exe is the engine written in C++ for performance. Installing the tool consists in simply unziping the zip file in chosen directory. Double clicking on the file RT-studio.jar launches the tool. On the download web page there are video tutorials that explain how to install and use the tool to model, simulate and verify properties. References 1. R. Alur, C. Courcoubetis, and D. Dill. Model checking in dense real-time. Information and Computation, 104(1):2–34, 1993. 2. R. Alur and D. Dill. Automata for modelling real-time systems. In In Proc. Of ICALP’90, volume 443 of LNCS, pages 322–335. Springer-Verlag, 1990. 3. G. Behrmann, J. Bengtsson, A. David, K. G. Larsen, P. Pettersson, and W. Yi. Uppaal implementation secrets. In In Proc. of FTRTFT-02, pages 3–22, 2002. 4. B. Berthomieu and M. Diaz. Modeling and verification of time dependent systems using time petri nets. IEEE Trans. on Software Eng, 17(3):259–273, 1991. 5. B. Berthomieu and M. Menasche. An enumerative approach for analyzing time petri nets. In In Proc. of IFIP83, volume 9, pages 41–46, September 1983. 6. B. Berthomieu, P.O. Ribet, and F. Vernadat. The tool tina – construction of abstract state spaces for petri nets and time petri nets. In International Journal of Production Research, 2004. 7. B. Berthomieu and F. Vernadat. State class constructions for branching analysis of time petri nets. In In Proc. of TACAS’03, volume 2619 of LNCS, pages 442–457. Springer-Verlag, 2003. 8. H. Boucheneb and R. Hadjidj. Ctl* model checking for time petri nets. Theoretical Computer Science, TCS 353(1-3):208–227, 2006. 9. Alexandre David, Lasse Jacobsen, Morten Jacobsen, Kenneth Yrke Jørgensen, Mikael H. Møller, and Jirí Srba. Tapaal 2.0: Integrated development environment for timed-arc petri nets. In TACAS, pages 492–497, 2012. 10. D. Lime G. Gardey, M. Magnin, and O.H. Roux. Roméo: A tool for analyzing time petri nets. In In 17th International Conference on Computer Aided Verification (CAV’05), 2005. 11. R. Hadjidj. Analyse et validation formelle des systèmes temps réel. Ph.D. Theses,University of Montreal (Ecole plytechnique), 2006. 12. R. Hadjidj and H. Boucheneb. On the fly TCTL model checking for time petri nets using the state class method. In In Proc of ACSD’06, pages 111–120. IEEE Computer Society Press, 2006. 13. R. Hadjidj and H. Boucheneb. On the fly TCTL model checking for time petri nets. Theoretical Computer Science, TCS 410(42):4241–4261, 2009. 14. R. Hadjidj and H. Boucheneb. Efficient reachability analysis for time petri nets. IEEE Transaction on Computers, 60(8):1085–1099, 2011. 15. P. Merlin and D. J. Farber. Recoverability of communication protocols - implication of a theoretical study. IEEE Trans. on Communications, 24(9):1036–1043, 1976. Part V PNSE’13: Poster Abstracts A Tool to Synthesize Intelligible State Machine Models from Choreography using Petri Nets⋆ Toshiyuki Miyamoto1 and Hiroyuki Oimura1 Graduate School of Engineering, Osaka University, Suita, Osaka 565-0871, Japan miyamoto@eei.eng.osaka-u.ac.jp Abstract. Application of service-oriented architecture, which builds the entire system by a combination of independent software components, to a wide variety of computer systems is expected. The problem to synthesize state machine models of the services from a communication diagram representing the overall speciﬁcations of service interaction is known as the choreography realization problem. It should be minded on automatic synthesis that software models should be simple to be understood easily by software engineers. We have proposed a method to synthesize hierarchical state machine models for the choreography realization problem in the last PNSE. In this paper, we present a prototypical tool for the method. In recent years, the internationalization of activities and information technology in the enterprise has intensiﬁed competition between companies. Under such circumstances, service-oriented architecture (SOA)[6] has been attracting attention as the architecture of information systems in the enterprise. In SOA, an information system is built by composing independent software units called services. In SOA, the problem to synthesize the concrete model from an abstract speciﬁcation is known as the choreography realization problem[5]. In which the abstract speciﬁcation, called choreography, is deﬁned as a set of interactions among services, which are given in a dependency relation of messages sent and received; the concrete model is called the service implementation which deﬁnes the behavior of the service. This paper utilizes the communication diagram and the state machine of UML 2.x[4] to describe the choreography and the service implementation, respectively. Bultan and Fu formally introduced the choreography realization problem in [2]. They used collaboration diagrams of UML1.x and showed some conditions for a given choreography to be realizable. In addition, they showed a method to represent the service implementation as the state space in which a state was deﬁned as a set of unsent messages, and they also showed a method to map to a set of ﬁnite state machines. However, it is not intelligible because the number of states increases exponentially as the number of messages increases. ⋆ This work was supported by KAKENHI (23500045). 258 PNSE’13 – Petri Nets and Software Engineering Table 1. Number of simple states(NSS), transitions(NT), and guards(NG) of synthesized state machines. ex 1 2 3 4 5 6 7 service 4 3 4 4 5 6 5 message 10 4 6 7 7 12 10 NSS 32 7 15 17 15 48 23 projection NT NG 52 0 10 0 23 0 25 0 22 0 88 0 32 0 NSS 11 7 8 7 10 16 16 CSCB NT 32 10 15 20 18 36 27 NG 4 0 0 0 0 1 4 Antonio et al. have experimentally evaluated the relationship between metrics and intelligibility of the state machines by measuring time to understand state machines[1]. According to the result, state machines are intelligible the smaller the following metrics: the number of simple states (NSS), the number of transitions (NT), and the number of guards (NG). In [3], we have proposed a method to synthesize hierarchical state machines by using Petri nets from a choreography deﬁned by single communication diagram, where the method is called the CSCB method. So far, we have developed a prototypical tool of the CSCB method and the projection method in [2], and evaluated the CSCB method on several examples. Table 1 shows the results, and the CSCB method is better than the projection method in term of several metrics for the intelligibility by Antonio et al. We, however, found some points to be improved in the algorithm and the intelligibility. We are going to import the prototypical tool into an UML modeling tool as a plug-in and extend the CSCB method so as to synthesize more intelligible machines. References 1. Antonio Cruz-Lemus, J., Genero, M., Piattini, M.: Metrics for UML Statechart Diagrams. In: Genero, M., Piattini, M., Calero, C. (eds.) Metrics for Software Conceptual Models, pp. 237–272. Imperial College Press, London (2005) 2. Bultan, T., Fu, X.: Speciﬁcation of realizable service conversations using collaboration diagrams. Service Oriented Computing and Applications 2(1), 27–39 (2008) 3. Miyamoto, T., Hasegawa, Y.: A Petri Net Approach to Synthesize Intelligible State Machine Models from Choreography. In: International Workshop on Petri Nets and Software Engineering 2012. pp. 222–236 (Jun 2012) 4. OMG: Uniﬁed modeling language, http://www.uml.org/ 5. Su, J., Bultan, T., Fu, X., Zhao, X.: Towards a theory of web service choreographies. In: Proceedings of the 4th international conference on Web services and formal methods. pp. 1–16 (2008) 6. Thomas, E.: Service-Oriented Architecture. Prentice Hall (2004) Transforming Platform Independent CPN Models into Code for the TinyOS Platform: A Case Study of the RPL Protocol Vegard Veiset and Lars Michael Kristensen Department of Computing, Bergen University College Email: vegard.veiset@stud.hib.no,lmkr@hib.no Abstract. TinyOS is a widely used platform for the development of networked embedded systems oﬀering a programming model targeting resource constrained devices. We present a software engineering approach where Coloured Petri Net (CPNs) models are used as a starting point for developing protocol software for the TinyOS platform. The approach consists of ﬁve reﬁnement steps where a platform-independent CPN model is gradually transformed into a platform-speciﬁc model that enables automatic code generation. To evaluate our approach, we use it to obtain an implementation of the IETF RPL routing protocol for sensor networks. Introduction. Model-based software engineering and veriﬁcation have several attractive properties in the development of ﬂexible and reliable software systems. In order to fully leverage modelling investments, it is desireable to use the constructed models also for the implementation of the software on the platform under consideration. Coloured Petri Nets [2] (and Petri Nets in general) constitute a general purpose modelling language supporting platform-independent modelling of concurrent systems. Hence, in most cases, such models are too abstract to be used directly to implement software. In order to bridge the gap between abstract and platform independent CPN models and the implementation of software to be deployed, the concept of pragmatics was introduced in [4]. Pragmatics are syntactical annotations that can be added to a CPN model and used to direct code generation for a speciﬁc platform. The contribution of this paper is an approach [5] that exploits pragmatics in combination with a ﬁve step reﬁnement methodology to enable code generation for the TinyOS platform. Applications for TinyOS [3] are implemented using the nesC programming language (a dialect of C) providing an event-based split-phase programming model. An application written in nesC is organised into a wired set of modules each providing an interface consisting of commands and events. Refinement Steps. The model reﬁnement starts from a platform independent CPN model constructed typically with the aim of specifying the protocol operation and performing model checking of the protocol design. Each step consists of a transformation that uses the constructs of the CPN modelling language to add details to the model. Furthermore, in each step pragmatics are added that direct the code generation performed after the ﬁfth step: 260 PNSE’13 – Petri Nets and Software Engineering Step 1: Component Architecture consists of annotating CPN submodules and substitution transitions corresponding to TinyOS components, and make explicit the interfaces used and provided by components. Step 2: Resolving Interface Conflicts resolves interface conﬂicts allowing components to use multiple instances of an interface. This is done by annotating CPN arcs with information providing locally unique names. Step 3: Component and Interface Signature adds type signatures to components and interfaces by creating explicit submodules for command and events, and by reﬁning colour sets to reﬂect the interface signatures. Step 4: Component Classification further reﬁnes the components by classifying them into four main types: timed, external, boot, and generic. Step 5: Internal Component Behaviour consists of reﬁning the modelling of the individual commands and events such that control ﬂow and data manipulation become explicit and organised into atomic statement blocks. After the ﬁfth reﬁnement step has been performed, the CPN model includes suﬃcient detail to be used as a basis for automated code generation. The RPL Protocol and Code Generation. To evaluate our approach on an industrial-sized example, we have conducted a case study based on the RPL routing protocol [1] developed by the Internet Engineering Task Force. The RPL protocol allows a set of sensor nodes to construct a destination-oriented directed acyclic graph which can be used for multi-hop communication between sensor nodes. To support the automatic code generation for TinyOS, we have developed a software prototype in Java that performs a template-based model-to-text transformation on the models resulting from the ﬁfth reﬁnement step. The software prototype relies on the Access/CPN framework [6] to load CPN models created with CPN Tools. The code generator performs a top-down traversal of the CPN model where code templates are selected according to the pragmatic annotations on the CPN model elements encountered. References 1. T. Winter et. al. RPL: IPv6 Routing Protocol for Low-Power and Lossy Networks. RFC 6550, 2012. Internet Engineering Task Force. 2. K. Jensen, L.M. Kristensen, and L. Wells. Coloured Petri Nets and CPN Tools for Modelling and Validation of Concurrent Systems. International Journal on Software Tools for Technology Transfer, 9(3-4):213–254, 2007. 3. P. Levis. TinyOS Programming. Cambridge University Press, 2009. 4. K. Simonsen, L.M. Kristensen, and E. Kindler. Code Generation for Protocols from CPN Models Annotated with Pragmatics. In Proc. of NWPT’12, volume 403 of Report in Informatics, pages 46–48. University of Bergen, 2012. 5. V. Veiset. An Approach to Semi-Automatic Code Generation for the TinyOS Platform using Coloured Petri Nets. Master’s thesis, Bergen University College, 2013. 6. M. Westergaard. Access/CPN 2.0: A High-Level Interface to CPN Models. In Proc. of ICATPN’11, volume 6709 of LNCS, pages 328–337. Springer, 2011. Editor: Daniel Moldt Proceedings of the International Workshop on Mod eling and B usiness E nvironments ModBE’13 University of Hamburg Department of Informatics These proceedings are published online by the editor as Volume 989 at CEUR Workshop Proceedings ISSN 1613-0073 http://ceur-ws.org/Vol-989 Copyright for the individual papers is held by the papers’ authors. Copying is permitted only for private and academic purposes. This volume is published and copyrighted by its editors. Preface These are the proceedings of the International Workshop on Modeling and Business Environments (ModBE’13) in Milano, Italy, June 24, 2013. It is a co-located event of Petri Nets 2013, the 34th international conference on Applications and Theory of Petri Nets and Concurrency. More information about the workshop can be found at http://www.informatik.uni-hamburg.de/TGI/events/modbe13/ Business environments are a central application domain for modeling approaches. Basic paradigms of these approaches correspond to their central concepts, such as processes, objects, components, agents, services or organizations. Their inherent properties allow an adequate Business/IT-Alignment. Within the models and systems of this alignment several principle notions need to be incorporated, such as distribution, concurrency, correctness and adaptability. In this workshop modeling approaches will be discussed from various perspectives with several means. While ModBE’13 (Modeling and Business Environments) will take place as a satellite event of Petri Nets 2013 other modeling techniques than Petri nets and their means are explicitly welcome. Furthermore, experts from the application domain will challenge the technical and conceptual solutions. ModBE’13 shall provide a forum for researchers from interested communities to investigate, experience, compare, contrast and discuss solutions for modeling in business environments. During the workshop a part of the available time is reserved for a group wise discussion of challenging questions. The program committee consists of: Bernhard Bauer (Germany) Olivier Boissier (France) Fabian Büttner (France) Jean-Michel Bruel (France) Christine Choppy (France) Ernesto Damiani (Italy) Patrick Delfmann (Germany) Susanna Donatelli (Italy) Joaquín Ezpeleta Mateo (Spain) Walid Fdhila (Austria) Michael Felderer (Austria) Luciano García-Bañuelos (Estonia) Holger Giese (Germany) Paolo Giogini (Italy) Vincent Hilaire (France) Lom Messan Hillah (France) Viviana Mascardi (Italy) Maristella Matera (Italy) 266 ModBE’13 – Modeling and Business Environments Florian Matthes (Germany) Jan Mendling (Austria) Daniel Moldt (Germany) (Chair) Ambra Molesini (Italy) Berndt Müller (United Kingdom) Andreas Oberweis (Germany) Andrea Omicini (Italy) Sietse Overbeek (Germany) Alexei Sharpanskykh (The Netherlands) Christophe Sibertin-Blanc (France) Carla Simone (Italy) Ingo Timm (Germany) Ferucio Laurentiu Tiplea (Rumania) Adelinde Uhrmacher (Germany) Ulrich Ultes-Nitsche (Switzerland) Wamberto Vasconcelos (United Kingdom) Jan Martijn van der Werf (The Netherlands) Mathias Weske (Germany) Manuel Wimmer (Austria) We received ﬁve high-quality contributions for which at least four reviews were made. In addition we received two posters. The program committee has accepted three of them for full presentation. Furthermore the committee accepted one papers as short presentations. Two more contributions were accepted as posters. Furthermore, we would like to thank our colleagues in the local organization team at the University of Milano, Italy, for their support. Without the enormous eﬀorts of authors, reviewers, PC members and the organizational team this workshop wouldn’t provide such an interesting booklet. Thanks! Daniel Moldt Hamburg, June 2013 ModBE’13 Proceedings Part VI ModBE’13: Invited Talk Knowledge and Business Intelligence Technologies in CrossEnterprise Environments for Italian Advanced Mechanical Industry Ernesto Damiani and Paolo Ceravolo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 Part VII ModBE’13: Long Presentations Optimizing Algebraic Petri Net Model Checking by Slicing Yasir Imtiaz Khan and Matteo Risoldi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 A Proposal for the Modeling of Organizational Structures and Agent Knowledge in MAS Lawrence Cabac, David Mosteller, Matthias Wester-Ebbinghaus . . . . . . . . 295 Mining Declarative Models Using Time Intervals Jan Martijn van der Werf, Ronny Mans and Wil van der Aalst . . . . . . . . 313 Part VIII ModBE’13: Short Presentation Improving Emergency Department Processes Using Coloured Petri Nets Khodakaram Salimifard, Seyed Yaghoub Hosseini and Mohammad Sadegh Moradi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335 Part IX ModBE’13: Poster Abstracts Advantages of a Full Integration between Agents and Workflows Thomas Wagner and Lawrence Cabac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353 Cloud Transition for QoS Modeling of Inter-Organizational Workflows Soﬁane Bendoukha and Lawrence Cabac . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355 Part VI ModBE’13: Invited Talk Knowledge and Business Intelligence Technologies in Cross-Enterprise Environments for Italian Advanced Mechanical Industry Ernesto Damiani and Paolo Ceravolo SESAR Lab, Department of Computer Science, Università degli Studi di Milano, Italy http://sesar.dti.unimi.it Abstract. Today’s industry is pushed by the competitive pressure to revise the business model by opening the organizational boundaries to suppliers, clients and partners. As a side eﬀect, knowledge sharing within the market increases and organizations may lose control on strategical knowledge that can be exploited by competitors. For this reason process monitoring today cannot fail in controlling the collaboration activities established inside and outside the organization. KITE.it is a project, founded by the italian Ministry of Economic Development, aimed at proposing a methodological and technological framework to support the italian mechanical industry in adopting advanced business network approached.1 The Kite framework is aimed at driving the management process in the identiﬁcation of the business values creating the network and in supporting the strategical analysis by monitoring both the operational and collaborative processes. The metric system was designed to integrate in a uniﬁed analysis metrics insisting on the strategical, operational and collaborative level. From the technological point of view this is achieved by decoupling the monitoring format from the execution logs that can be integrated in the Kite model from heterogeneous data sources. 1 Website: http://www.kite-project.it/en GB/home 272 ModBE’13 – Modeling and Business Environments Part VII ModBE’13: Long Presentations Optimizing Algebraic Petri Net Model Checking by Slicing Yasir Imtiaz Khan and Matteo Risoldi University of Luxembourg, Laboratory of Advanced Software Systems 6, rue R. Coudenhove-Kalergi, Luxembourg {yasir.khan,matteo.risoldi}@uni.lu Abstract. High-level Petri nets make models more concise and readable as compared to low-level Petri nets. However, usual veriﬁcation techniques such as state space analysis remain an open challenge for both because of state space explosion. The contribution of this paper is to propose an approach for property based reduction of the state space of Algebraic Petri nets (a variant of high-level Petri nets). To achieve the objective, we propose a slicing algorithm for Algebraic Petri nets (APNSlicing). The proposed algorithm can alleviate state space even for certain strongly connected nets. By construction, it is guaranteed that the state space of sliced net is at most as big as the original net. We exemplify our technique through the running case study of car crash management system. Key words: High-level Petri nets, Model checking, Slicing 1 Introduction Petri nets (PNs) are a well-known low-level formalism for modeling concurrent and distributed systems. Various evolutions of PNs have been created, among others High-level Petri nets (HLPNs), that raise the level of abstraction of PNs by using complex structured data [14]. However, HLPN can be unfolded (i.e., translated) into a behaviourally-equivalent low-level PN. For the analysis of concurrent and distributed systems (including those modeled using PNs or HLPNs) model checking is a common approach, consisting in verifying a property against all possible states of a system. A typical drawback of model checking is its limits with respect to the state space explosion problem: as systems get moderately complex, completely enumerating their states demands a growing amount of resources, which in some cases makes model checking impractical both in terms of time and memory consumption [2, 4, 8, 16]. This is particularly true for HLPN models, as the use of complex data (with possibly large associated data domains) makes the number of states grow very quickly. As a result, an intense ﬁeld of research is targeting to ﬁnd ways to optimize model checking, either by reducing the state space or by improving the performance of model checkers. A technique called PN slicing falls into the ﬁrst category. It proposes to reduce the state space size by syntactically reducing a 276 ModBE’13 – Modeling and Business Environments PN model, taking only the portion of the model that impacts the properties to be veriﬁed. The resultant model will typically have a smaller state space, thus reducing the cost of model checking. Slicing was deﬁned for the ﬁrst time in [17] in the context of program debugging. The proposition was aimed at using program slicing for isolating the program statements that may contain a bug, so that ﬁnding this bug becomes simpler for the programmer. The ﬁrst algorithm about PN slicing presented by Chang et al. [3] slices out all sets of paths in the PN graph, called concurrency sets, such that all paths within the same set should be executed concurrently. Some further reﬁned PN slicing algorithms are proposed in [10–13]. One limitation of the cited approaches is that they only apply to low-level PNs. In order to be applied to HLPNs they need to be adapted to take into account data types. In this work, we propose a slicing algorithm that is adapted to Algebraic Petri nets (APNs, a variant of HLPNs). To the best of our knowledge, there does not exist any algorithm for slicing APNs. The proposed algorithm iteratively builds a subnet from a given APN, according to a slicing criterion that is derived from the property to be veriﬁed. The resulting subnet preserves LT L−X properties under weak fairness assumptions. APN-MODEL REFINING APN-MODEL UNFOLDING APN-MODEL PROPERTY SLICING UNFOLDED APN-MODEL EXTRACTING CRITERION PLACE(S) PERFORMING VERIFICATION ON SLICED APN-MODEL COUNTER EXAMPLE NO PROPERTY FULFILLED? YES NOTIFICATION Fig. 1. Process Flowchart of slicing based veriﬁcation of APN models Fig.1, gives an overview of the proposed approach for slicing based veriﬁcation of APNs using Process Flowchart. At ﬁrst, APN-model is unfolded and then by taking property into an account criterion places are extracted. After- Y. Khan et al.: Optimizing Algebraic Petri Net Model Checking by Slicing 277 wards, slicing is performed for the criterion places. Subsequently, veriﬁcation is performed on the sliced unfolded APNs. The user may use the counterexample to reﬁne the APN-model to correct the property. The rest of the work is structured as follows: we give basic deﬁnitions and concepts of the Algebraic Petri nets (APNs) in section 2. Section 3, illustrates the steps of slicing based veriﬁcation of APN-models shown in Fig.1. Details about the underlying theory and techniques are given for each activity of the process. In the section 4, we discuss related work and a comparison with the existing approaches. A small case study from the domain of crisis management system (a car crash management system) is taken to exemplify the proposed slicing algorithm in section 5. An experimental evaluation of the proposed algorithm is performed in section 6. In the section 7, we draw conclusions and discuss future work concerning to the proposed work. 2 Basic Definitions In this section, we give basic formal deﬁnitions of algebraic speciﬁcations used in this paper. Formal deﬁnitions, propositions, lemmas and theorems are taken as is or with slight modiﬁcations from [6, 12, 14, 15]. Definition 1. A signature Σ = (S,OP) consists of a set S of sorts, OP = (OPw,s )w∈S ∗ ,s∈S is a (S ∗ × S)−sorted set of operation names of OP. For ǫ being the empty word, we call OPǫ,s the set of constant symbols. Definition 2. A set X of Σ-variables is a family X = (Xs )s∈S of variables set, disjoint to OP. Definition 3. The set of terms TOP,s (X) of sort s is inductively deﬁned by: 1. Xs ∪ OPǫ,s ⊆ TOP,s (X); 2. op(t1 , . . . , tn ) ∈ TOP,s (X) for op ∈ OPs1 ,...,sn ,s , n ≥ 1 and ti ∈ TOP,si (X) (for i = 1, . . . , n). S The set TOP,s ≡ TOP,s (∅) contains the ground terms of sort s, TOP (X) ≡ s∈S TOP,s (X) is the set of Σ-terms over X and TOP ≡ TOP (∅) is the set of Σ-ground terms. Definition 4. A Σ-equation of sort s over X is a pair (l,r) of terms l, r ∈ TOP,s (X). Definition 5. An algebraic speciﬁcation SPEC = (Σ,E) consists of a signature Σ = (S,OP) and a set E of Σ-equations. Definition 6. A Σ-algebra A = (SA , OPA ) consist of a family SA = (As )s∈S of domains and a family OPA = (Nop )op∈OP of operations Nop : As1 ×. . . Asn → As for op ∈ OPs1 ...sn ,s if op ∈ OPǫ,s , Nop congruent to an element of As . 278 ModBE’13 – Modeling and Business Environments Definition 7. An assignment of Σ-variables X to a Σ-algebra A is a mapping ass : X → A,with ass(x) ∈ As iﬀ x ∈ Xs . ass is canonically extended to ass : TOP (X) → A, inductively deﬁned by 1. ass(x) ≡ ass(x) for x ∈ X; 2. ass(c) ≡ Nc for c ∈ OPǫ,s ; 3. ass(op(t1 , . . . , tn )) ≡ Nop (ass(t1 )), . . . , ass(tn )) for op(t1 , . . . , tn ) ∈ TOP (X). Definition 8. Let SPEC-algebra is SPEC = (Σ,E) in which all equations in E are valid. Two terms t1 and t2 in TOP (X) are equivalent (t1 ≡E t2 ) iﬀ for all assignments ass : X → A, ass(t1 ) = ass(t2 ). Definition 9. Let B be a set. A multiset over B is a mapping msB : B → N. ǫB is the empty multiset with msB (x) = 0 for all x ∈ B. A multiset is ﬁnite iﬀ {∀b ∈ B | msB (b) 6= 0} is ﬁnite. Definition 10. Let M SB = {msB : B → N} be a set of multisets. The addition function of multisets is denoted by + : M SB × M SB → M SB . Let ms1B , ms2B and ms3B ∈ M SB . (ms1B + ms2B ) = ms3B ⇐⇒ ∀b ∈ B, ms3B (b) = ms1B (b) + ms2B (b). The subtraction function of multisets is denoted by − : M SB ×M SB → M SB . Let ms1B , ms2B and ms3B ∈ M SB . (ms1B − ms2B ) = ms3B ⇐⇒ ∀b ∈ B, ms1B (b) ≥ ms2B (b) ⇒ ∀b ∈ B, ms3B (b) = ms1B (b) − ms2B (b). Definition 11. Let M SB = {msB : B → N} be a set of multisets. Let ms1B , ms2B ∈ M SB . We say that ms1B is smaller than or equal to ms2B (denoted by ms1B ≤ ms2B ) iﬀ ∀b ∈ B, ms1B (b) ≤ ms2B (b). Further, we say that ms1B 6= ms2B iﬀ ∃b ∈ B, ms1B (b) 6= ms2B (b). Otherwise, ms1B = ms2B . Definition 12. A marked Algebraic Petri Net AP N =< SP EC, P, T, F, asg, cond, λ, m0 > consist of ◦ an algebraic speciﬁcation SPEC = (Σ,E), ◦ P and T are ﬁnite and disjoint sets, called places and transitions, resp., ◦ F ⊆ (P × T ) ∪ (T × P ), the elements of which are called arcs, ◦ a sort assignment asg : P → S, ◦ a function, cond : T → Pf in (Σ − equation), assigning to each transition a ﬁnite set of equational conditions. ◦ an arc inscription function λ assigning to every (p,t) or (t,p) in F a ﬁnite multiset over TOP,asg(p) , ◦ an initial marking m0 assigning a ﬁnite multiset over TOP,asg(p) to every place p. Definition 13. The preset of p ∈ P is • p = {t ∈ T |(t, p) ∈ F } and the postset of p is p• = {t ∈ T |(p, t) ∈ F }. The pre and post sets of t ∈ T deﬁned as: • t = {p ∈ P |(p, t) ∈ F } and t• = {p ∈ P |(t, p) ∈ F }. Definition 14. A marking m of an APN assigns to every place p ∈ P a multiset over TOP,asg(p) . Y. Khan et al.: Optimizing Algebraic Petri Net Model Checking by Slicing 279 Definition 15. An occurrence mode is a ground substitution of cond(t), m(p), λ(p, t) and λ(t, p) where p ∈ P, t ∈ T . Obviously, ground substitutions are the syntactical representations of assignments. Definition 16. A transition t ∈ T of an APN is enabled in an occurrence mode at a marking m iﬀ for all p in P with (p,t) ∈ F, λ(p, t) ≤ m(p). If a transition t is enabled in an occurrence mode at a marking m, then t may occur returning the marking m′ , where for all p ∈ P, m′ (p) = m(p) − λ(p, t) + λ(t, p). We write m[tim′ in this case. Definition 17. A ﬁring sequence σ of a marked APN is maximal iﬀ either σ is of inﬁnite length or 6 ∃t ∈ T : m0 ([σti), where |σ| ∈ (N ∪ {∞}). Definition 18. Let σ = t1 , t2 . . . be an inﬁnite ﬁring sequence of APN with mi [ti+1 imi+1 , ∀i, 0 ≤ i. σ permanently enables t ∈ T iﬀ ∃i, 0 ≤ i : ∀j, i ≤ j : mj [ti. 3 Unfolding and Slicing APNs One characteristic of APNs that makes them complex to model check is the use of variables on arcs. Computing variable bindings at runtime is extremely costly. AlPiNA (a symbolic model checker for Algebraic Petri nets) allows the user to deﬁne partial algebraic unfolding and presumed bounds for inﬁnite domains [1], using some aggressive strategies for reducing the size of large data domains. Unfolding generates all possible ﬁring sequences from the initial marking of the APN, though maintaining a partial order of events based on the causal relation induced by the net. Concurrency is preserved. The basic idea of the slicing algorithm is to start by identifying which places in the unfolded APN model are directly concerned by a property. These places constitute the slicing criterion. The algorithm will then take all the transitions that create or consume tokens from the criterion places, plus all the places that are pre-condition for those transitions. This step is iteratively repeated for the latter places, until reaching a ﬁxed point. We reﬁne the slicing construction by distinguishing between reading and non-reading transitions. The conception of reading and non-reading transitions is some what similar notion introduced in [13]. The principle diﬀerence is that we adapt the notion of reading and non-reading transitions in the context of APNs. Informally, reading transitions are not supposed to change the marking of a place. On the other hand non-reading transitions are supposed to change the markings of a place. In our proposed slicing construction, we discard reading transitions and include only non-reading transitions. Formally, we can deﬁne the conception of reading and non-reading transitions such as: Definition 19. Let N be an unfolded APN and t ∈ T be a transition. We call t a reading-transition iﬀ its ﬁring does not change the marking of any place p ∈ (• t ∪ t• ) , i.e., iﬀ ∀p ∈ (• t ∪ t• ), λ(p, t) = λ(t, p). Conversely, we call t a non-reading transition iﬀ λ(p, t) 6= λ(t, p). 280 ModBE’13 – Modeling and Business Environments Due to partial unfolding, there could be some domains that are not unfolded. For some cases, we are still able to identify non-reading transitions even if domains are not unfolded. If for example, we have a case where the multiplicities or cardinalities of terms in λ(p, t), λ(t, p)are diﬀerent then we can immediately state λ(p, t) 6= λ(t, p). But for some cases, we don’t have such a clear indication of the inequality between λ(p, t) and λ(t, p), for example, in the Fig.2, we see that λ(p, t) = 1 + y and λ(t, p) = 2 + x (deﬁned over naturals). Both terms has the same multiplicity and cardinality, so we need to know for which values of the variables it would be a non-reading transition. In general, the evaluation of terms to check their equality for all the values is undecidable. For this particular case, we would like to have a set of constraints from the user. Informally, 1+y P t 0…10 2+x Fig. 2. An example APN model with non-unfolded terms over the arcs a constraints set denoted by CS, is a set of propositional formulas, predicate formulas or any other logical formulas for certain speciﬁc values of variable assignements, describing the conditions under which we can evaluate terms to be equal or not. Consequently, constrains set CS will help to identify under which cases the transitions can be treated as non-reading. A function eval : TOP,s (X) × TOP,s (X) × CS → Bool is used to evaluate the equivalence of terms based on the constraint set. Let us take the same terms shown over the arcs in Fig.2, term1 = 1 + y, term2 = 2 + x and a constraint set CS = {∃y, x ∈ (0, . . . , 2)|y = x + 1} . It is important to note that we are not unfolding the domain but evaluating the terms for some speciﬁc values provided by user to identify reading and non-reading transitions. Of course, the user can provide sparse values too. Let us evaluate the terms term1 and term2 based on the constraints set CS provided. For all those values of x, y for which we get eval function result true are considered to be reading transitions and rest of them are non-reading transitions. It is also important to note that we include this step during the unfolding. The resulting unfolded AP N will contain only non-reading transitions for the unfolded domains as shown in Fig.3. The algorithm proposed in this article assumes that such an unfolding takes place before the slicing. Since this is a step that is involved in the model checking activity anyway, we do not consider this assumption to be adding to the complexity of the algorithm. In this section, we will make an extremely simple example of how the slicing algorithm works, starting from an APN, unfolding it and slicing it. Y. Khan et al.: Optimizing Algebraic Petri Net Model Checking by Slicing 281 P 0…10 1+1 1+0 2+1 2+0 2+0 t1,1 t0,0 t0,1 1+1 1+2 1+0 2+0 2+1 t0,2 1+1 1+2 2+1 t1,0 1+0 1+2 2+1 t1,1 2+2 t1,2 1+1 2+2 2+2 t2,0 t2,2 t2,1 Fig. 3. Resulting unfolded APN after applying the eval function 3.1 Example: Unfolding an APN Fig. 4 shows an APN model. All places and all variables over the arcs are of sort naturals (deﬁned in the algebraic speciﬁcation of the model, and representing the N set). Since the N domain is inﬁnite (or anyway extremely large even in its ﬁnite computer implementations), it is clear that it is impractical to unfold this net by considering all possible bindings of the variables to all possible values in N. However, given the initial marking of the APN and its structure it is easy to see that none of the terms on the arcs (and none of the tokens in the places) will ever assume any natural value above 3. For this reason, following [1], we can set a presumed bound of 3 for the naturals data type, greatly reducing the size of the data domain. By assuming this bound, the unfolding technique in [1] A E [1,2] [1,2] x z t1 t3 x [] y B x x t2 y D [] x+1 C y t4 y+2 y F t5 C[] z [] z G [1] Fig. 4. An example APN model (APNexample) proceeds in three steps. First, the data domains of the variables are unfolded up 282 ModBE’13 – Modeling and Business Environments to the presumed bound. Second, variable bindings are computed, and only that satisfy the transition guards are kept. Third, the computed bindings are used to instantiate a binding-speciﬁc version of the transition. The resulting unfolded APN for this APN model is shown in Fig. 5. The transitions arcs are indexed with the incoming and outgoing values of tokens. A complete explanation of the unfolding algorithm, and in particular the existence of the tokens 4 and 5 between transition t23 , t42 , t43 and place C, F is rather complex and out of the scope of this article. The interested reader can ﬁnd details about the partial unfolding in [1]. 3.2 The slicing algorithm The slicing algorithm starts with an unfolded APN and a slicing criterion Q ⊆ P . Let Q ⊆ P a non empty set called slicing criterion. We can build a slice for an unfolded APN based on Q, using following algorithm: Algorithm 1: APN slicing algorithm APNSlicing(hSP EC, P, T, F, asg, cond, λ, m0 i, Q){ T ′ = {t ∈ T | ∃p ∈ Q : t ∈ (• p ∪ p• ) : λ(p, t) 6= λ(t, p)}; P ′ = Q ∪ {• T ′ } ; Pdone = ∅ ; while ((∃p ∈ (P ′ \ Pdone )) do while (∃t ∈ (• p ∪ p• ) \ T ′ ) : λ(p, t) 6= λ(t, p)) do P ′ = P ′ ∪ {• t}; T ′ = T ′ ∪ {t}; end Pdone = Pdone ∪ {p}; end return hSP EC, P ′ , T ′ , F|P ′ ,T ′ , asg|P ′ , cond|T ′ , λ|P ′ ,T ′ , m0| ′ i; P } Initially, T ′ (representing transitions set of the slice) contains set of all pre and post transitions of the given criterion place. Only non-reading transitions are added to T ′ set. And P′ (representing places set of the slice) contains all preset places of transitions in T ′ . The algorithm then iteratively adds other preset transitions together with their preset places in T ′ and P ′ . Remark that the APNSlicing algorithm has linear time complexity. Considering the APN-Model shown in ﬁg. 4, let us now take an example property and apply our proposed algorithm on it. Informally, we can deﬁne the property: “The values of tokens inside place D are always smaller than 5”. Formally, we can specify the property in LTL as G(∀tokens ∈ D|tokens < 5). For this property, the slicing criterion Q = {D}, as D is the only place concerned by the property. Therefore, the application of APNSlicing(UnfoldedAPN, D) returns SlicedUnfoldedAPN (shown in Fig. 6), which is smaller than the original UnfoldedAPN shown in Fig. 5). Y. Khan et al.: Optimizing Algebraic Petri Net Model Checking by Slicing D 1 1 1 1 2 A [1,2] 2 3 1 1 1 t12 2 t21 t41 3 2 t42 4 t43 5 3 1 1 1 2 3 3 t13 t22 3 3 t32,3 1 3 t33,1 2 3 t33,2 3 3 t33,3 1 t51,1 1 2 1 t51,2 t51,3 3 2 2 C 4 F E [1,2] 1 2 3 t23 3 t32,2 3 2 2 t31,3 t32,1 3 2 1 t31,2 2 2 3 B t31,1 2 2 2 t11 1 1 1 G 2 t52,1 1 2 t52,2 2 3 t52,3 3 3 t53,1 1 t53,2 2 t53,3 3 3 283 3 [1] 1 2 3 1 2 3 Fig. 5. The unfolded example APN model (UnfoldedAPN ) Transitions t31,1 , t31,2 , t31,3 , t31,3 , t32,1 , t32,2 , t32,3 , t33,1 , t33,2 , t33,3 , t51,1 , t51,2 , t51,3 , t52,1 , t52,2 , t52,3 , t53,1 , t53,2 , t53,3 , and places C, E, F, G has been sliced away. The proposed algorithm determines a slice for any given criterion Q ⊆ P and always terminates. It is important to note that the reduction of net size depends on the structure of the net and on the size and position of the slicing criterion within the net. t11 A [1,2] 1 2 1 t12 3 t13 1 t21 B 2 2 3 3 t41 1 t22 D 1 2 2 3 3 t23 t42 t43 Fig. 6. Sliced and Unfolded example APN model (SlicedUnfoldedAPN ) 3.3 Proof of the preservation of properties To allow the veriﬁcation by slice, we have to make restrictions on the formulas and on admissible ﬁring sequences in terms of fairness assumptions. The original Algebraic Petri net has more behaviors than the sliced APN, as we intentionally do not capture all the behaviors. 284 ModBE’13 – Modeling and Business Environments Definition 20. Let A be the set of atomic propositions. Let ϕ, ϕ1 , ϕ2 be LTL formulas. The function scope associates with an LTL formula ϕ the set of atomic propositions used in ϕ i.e. scope : ϕ → PA. scope(a) = {a} for a ∈ A; scope(⊗ϕ) = scope(ϕ) with ⊗ ∈ {¬, X}; scope(ϕ1 ⊗ ϕ2 ) = scope(ϕ1 ) ∪ scope(ϕ2 ) with ⊗ ∈ {∧, U }. Definition 21. Let N be a marked APN. Let N ′ be its sliced net for a slicing criterion Q ⊆ P . Let σ = t1 t2 t3 . . .be a ﬁring sequence of N and mi the markings with mi [ti+1 imi+1 , ∀i, 0 ≤ i < |σ|. σ is slice-fair w.r.t N ′ iﬀ either σ is ﬁnite and m|σ| does not enable any transition t ∈ T ′ ; or σ is inﬁnite and if it permanently enables some t ∈ T ′ , it then ﬁres inﬁnitely often some transition of T ′ (which may or may not be the same as t). Slice-fairness is a very weak fairness notion. Weak fairness determines that every transition t ∈ T of a system, if permanently enabled, has to be ﬁred inﬁnitely often, slice-fairness concerns only the transitions of the slice, not of the entire system net and if a transition t ∈ T of the slice is permanently enabled, some transitions of the slice are required to ﬁre inﬁnitely often but not necessarily t. Definition 22. Let N be a marked APN and ϕ an LTL formula. N |= ϕ slicefairly iﬀ every slice-fair (not necessarily maximal) ﬁring sequence of σ |= ϕ. Definition 23. Let N and N ′ be two marked Algebraic Petri nets with T ′ ⊆ T and P ′ ⊆ P . We deﬁne the function: slice(N,N ′ ) ∈ [(T ∗ ∪ T w ) → (T ′∗ ∪ T ′w )] ∪ ′ [N|P | → N|P | ] such that a ﬁnite or inﬁnite sequence of transitions σ is mapped onto the transition sequence σ ′ with σ ′ being derived from σ by omitting every transition t ∈ T \ T ′ . A marking m of N is projected onto the marking m′ of N ′ with m′ = m |p′ . The function slice is used to project markings and ﬁring sequences of a net N onto the markings and ﬁring sequences of its slices. Proposition 1. Let N be a marked APN. Let N ′ be its sliced net for a slicing criterion Q ⊆ P . Let σ be a weakly fair ﬁring sequence of N. σ is slice fair with respect to N ′ . Proof. Let us assume, σ is not slice-fair. In case σ is ﬁnite this means that m|σ| [ti for a transition t ∈ T ′ . In case σ is inﬁnite, there is permanently enabled transition t ∈ T ′ but all transitions of T ′ are ﬁred ﬁnitely often including t. So both cases contradict the assumption that σ is weakly fair. Lemma 1. Let N be a marked APN and let N ′ be its sliced net for a slicing criterion Q ⊆ P . The coeﬃcients cij of the incidence matrix equal to zero for all places pi ∈ P ′ and transitions tj ∈ T \ T ′ . Proof. Let N ′ be its sliced net for a slicing criterion Q ⊆ P . A transition t ∈ T is also an element of T ′ ⊆ T , if it is a non-reading transition of a place p ∈ P ′ . Thus a transition t ∈ T \ T ′ either is not connected to a place p ∈ P ′ or it is a reading transition. Y. Khan et al.: Optimizing Algebraic Petri Net Model Checking by Slicing 285 Lemma 2. Let N be a marked APN and let N ′ be its sliced net for a slicing criterion Q ⊆ P . Let m be a marking of N and m′ be a marking of N ′ with m′ = m |p′ . m[ti ⇔ m′ [ti, ∀t ∈ T ′ . Proof. Let N ′ be its sliced net for a slicing criterion Q ⊆ P . Since a transition t ∈ T ′ has the same preset places in N and N ′ by the slicing algorithm AP N Slicing, m′ = m |p′ implies m[ti ⇐⇒ m′ [ti. Every ﬁring sequence σ of N projected onto the transitions of T ′ is also a ﬁring sequence of slice net N ′ . The resulting markings m and m′ assign the same number of tokens to places p′ ⊆ P . Proposition 2. Let N be a marked APN and let N ′ be its sliced net for a slicing criterion Q ⊆ P . Let σ be a ﬁring sequence of N and let m be a marking of N . m0 [σim ⇒ m0 |p′ [slice(σ)im |p′ . Proof. We prove this Proposition by induction over the length l of σ. Let N be a marked APN, σ be a ﬁring sequence of N . l = 0: In this case slice(σ) equals ǫ. Thus the initial marking of N and N ′ is generated by ﬁring ǫ. By deﬁntion 23 and the slicing algorithm AP N Slicing, m′0 = m0 |p′ l → l + 1 : Let σ be a ﬁring sequence of length l and ml be a marking of N with m0 [σiml . Let tl+1 be a transition in T and ml+1 a marking of N such that ml [tl+1 iml+1 . By induction hypothesis, m′0 [slice(σ)im′k with ml |p′ = m′k . If tl+1 is an element of T ′ , it follows by Lemma 2, that m′k enables tl+1 , since ml enables tl+1 . The resulting marking m′k+1 is determined by m′k+1 (Pi′ ) = m′k (Pi′ ) + ci l+1 , ∀pi ∈ P ′ and ml+1 is determined by ml+1 (i) = ml (i) + ci l+1 , ∀pi ∈ P ′ . Since ml|P ′ = m′k , it thus follows that mll+1 |P ′ = m′k+1 . If tl+1 is an element of t ∈ T \ T ′ , then it must be a reading transition for all p ∈ P ; slice(σ) = slice(σtl+1 ) and thus m′0 [slice(σtl+1 )im′k a transition t ∈ T \ T ′ can not change the marking of on any place p ∈ P ′ . By Lemma 1 and the resultant markings, mll+1 |P ′ = m′l |P ′ . A ﬁring sequence σ ′ of the slice net N ′ is also a ﬁring sequence of N . The resulting markings of σ ′ on N and N ′ , respectively assigns the same markings to places p ∈ P ′ . Proposition 3. Let N be a marked APN and let N ′ be its sliced net for a slicing criterion Q ⊆ P . Let σ ′ be a ﬁring sequence of N ′ and let m′ be a marking of N ′. m′0 [σ ′ im′ ⇒ ∃m ∈ N|P | : m′ = ml|P ′ ∧ m0 [σ ′ im. Proof. We prove this Proposition by induction over the length l of σ ′ . l = 0: The empty ﬁring sequence generates the marking m0 on N and the marking m′0 , which is deﬁned as m0|P ′ , on N ′ , by deﬁnition 23. l → l + 1: Let σ ′ = t1 . . . tl+1 be ﬁring sequence of N ′ with length l + 1. Let m′l and m′l+1 be markings of N ′ such that m′0 [t1 . . . tl im′l [tl+1 im′l+1 . Let ml be 286 ModBE’13 – Modeling and Business Environments the marking of N with m0 [t1 . . . tl iml and ml|P ′ = m′l , which exists according to the induction hypothesis. Lemma 2, ml enables tl+1 . The marking ml+1 satisﬁes ml+1 (Pi ) = ml (Pi ) + ci l+1 , ∀pi ∈ P ′ and m′l+1 satisﬁes m′l+1 (Pi ) = m′l (Pi ) + ci l+1 , ∀si ∈ P ′ . With ml|P ′ = m′l , it follows that (ml+1 |P ′ ) is equal to m′l+1 . Proposition 4. Let N be a marked APN and let φ be an LT Lx formula such that scope(φ) ⊆ P . Let N ′ be its sliced net for a slicing criterion Q ⊆ P where Q = scope(φ). Let σ be a ﬁring sequence of N . Let us denote the sequence of markings by M(σ). Then, M(σ) |= φ ⇔ M(slice(σ)) |= φ. Proof. We prove this Proposition by induction on the structure of φ. Let σ = t1 t2 . . . and slice(σ) be σ ′ = t′1 t′2 . . .. Let M(σ) = m0 m1 . . . and M(σ ′ ) = m′0 m′1 . . .. φ = true: In this case nothing needs to be shown. φ = ¬ψ, φ = ψ1 ∧ ψ2 : Since the satisﬁability of φ depends on the initial marking of scope(φ) only and scope(φ) ⊆ P ′ ⊆ P , both directions hold. φ = ψ1 U ψ2 : We assume that M(σ ′ ) |= ψ1 U ψ2 . We can divide up σ ′ such that σ ′ = σ1′ σ2′ with m′|σ′ | m′|σ′ |+1 . . . |= ψ2 and ∀i, 0 ≤ i < |σ1′ | : m′i m′i+1 . . . |= 1 1 ψ1 . There are transition sequences σ1 and σ2 such that σ = σ1 σ2 , slice(σ1 ) = σ1′ , slice(σ2 ) = σ2′ and σ1 does not end with a transition t ∈ T \ T ′ . By proposition 2, it follows that m′|σ′ | = (m|σ1 | |P ′ ). Since m′|σ′ | m′|σ′ |+1 . . . |= 1 1 1 ψ2 , m|σ1 | m|σ1 |+1 . . . |= ψ2 by induction hypothesis. Let ̺ be a preﬁx of σ1 such that |̺| < |σ1 |. Let ̺′ be slice(̺). The ﬁring sequence ̺ truncates at least one transition t ∈ T ′ , consequently |̺′ | < |σ1′ |. Since m′|̺′ | m′|̺′ |+1 . . . |= 1 1 ψ1 , m|̺| m|̺|+1 . . . |= ψ1 by the induction hypothesis. Analogously, it can be shown that M(σ) |= ψ1 U ψ2 implies M(σ ′ ) |= ψ1 U ψ2 . Proposition 5. Let N be a marked APN and let N ′ be its sliced net for a slicing criterion Q ⊆ P . Let σ ′ be a maximal ﬁring sequence of N ′ . σ ′ is a slice-fair ﬁring sequence of N . Proof. Let σ ′ = t1 t2 . . .. Let m′i be the marking of N ′ , such that m′i [ti+1 im′i+1 , ∀i, 0 ≤ i < |σ ′ |. By Proposition 3 σ ′ is a ﬁring sequence of N . Let mi be the marking of N , such that mi [ti+1 imi+1 , ∀i, 0 ≤ i < |σ ′ |. In case σ ′ is ﬁnite, m′|σ′ | does not enable any transitions t′ ∈ T ′ . By Lemma 2, m|σ′ | does not enable any transition T ′ ∈ T ′ , If σ ′ is inﬁnite it obviously ﬁres inﬁnitely often a transition t′ ∈ T ′ and thus is slice-fair. Proposition 6. Let N be a marked APN and let N ′ be its sliced net for a slicing criterion Q ⊆ P . Slice(σ) is maximal ﬁring sequence of N ′ . Proof. Let σ = t1 t2 . . . with mi [ti+1 imi+1 , ∀i, 0 ≤ i < |σ|. By Proposition 2, slice(σ) is a ﬁring sequence of N ′ . Let slice(σ) be σ ′ = t′1 t′2 . . . with m′i [t′i+1 im′i+1 , ∀i, 0 ≤ i < |σ|. Let us assume σ ′ is not a maximal ﬁring sequence of N ′ . Thus σ ′ is ﬁnite and there is a transition t′ ∈ T ′ with m′|σ′ | [t′ i. Let σ1 be the smallest preﬁx of σ such that slice(σ1 ) equals σ ′ . Y. Khan et al.: Optimizing Algebraic Petri Net Model Checking by Slicing 287 By Proposition 2 (m|σ1 | |P ′ = m′|σ′ | . By Lemma 2, and the state equation it follows, that (m|σ1 | |P ′ = m′|σ′ |+1 = . . .. So t′ stays enabled for all markings mj with |σ1 | ≤ j ≤ |σ| but is ﬁred ﬁnitely many times only. This is a contradiction to the assumption that σ is slice-fair. Theorem 1. Let N be a marked APN and let φ be an LTL formula such that scope(φ) ⊆ P . Let N ′ be its sliced net for a slicing criterion Q ⊆ P . Let Ψ be an LT L−X formula with scope(Ψ ) ⊆ P . N |= φ slice-fairly ⇒ N ′ |= φ, for an LTL formula φ. N |= Ψ slice-fairly ⇐ N ′ |= Ψ , for an LT L−X formula Ψ . Proof. We ﬁrst show “ N |= φ slice-fairly ⇒ N ′ |= φ ”. Let us assume that N |= φ slice-fairly holds. Let σ ′ be a maximal ﬁring sequence of N ′ . Since σ ′ is a slice-fair ﬁring sequence of N by Proposition 5 M(σ ′ ) |= φ. Let us now assume N ′ |= Ψ . Let σ be a slice-fair ﬁring sequence of N . By Proposition 6, slice(σ) is maximal ﬁring sequence of N ′ and thus satisﬁes Ψ . By Proposition 4, it follows that σ satisﬁes Ψ. Veriﬁcation is possible under interleaving semantics if we assume slice-fairness. A ﬁring sequence σ is fair w.r.t T ′ , if σ is either maximal and if σ eventually permanently enables a t′ ∈ T ′ , a transition t ∈ T ′ will be ﬁred inﬁnitely often, t may not equal t′ . Unfolded APN |= ϕ fairly w.r.t. T ′ holds if all fair ﬁrings sequences of N, more precisely, their corresponding traces satisfy ϕ. 4 Related Work Slicing is a technique used to reduce a model syntactically. The reduced model contains only those parts that may aﬀect the property the model is analyzed for. Slicing Petri nets is gaining much attention in the recent years [3, 10–13]. Mark Weiser introduced the slicing term in [17], and presented slicing as a formalization of an abstraction technique that experienced programmers (unconsciously) use during debugging to minimize the program. The ﬁrst algorithm about Petri net slicing was presented by chang et al [3]. They proposed an algorithm on Petri nets testing that slices out all sets of paths, called concurrency sets, such that all paths within the same set should be executed concurrently. Lee et al. proposed the Petri nets slice approach in order to partition huge place transition net models into manageable modules, so that the partitioned model can be analyzed by compositional reachability analysis technique [9]. Llorens et al. introduced two diﬀerent techniques for dynamic slicing of Petri nets [10]. A slice is said to be static if the input of the program is unknown (this is the case of Weiser’s approach). On the other hand, it is said to be dynamic if a particular input for the program is provided, i.e., a particular computation is considered. In the ﬁrst technique of Llorens et al. the Petri net and an initial marking is taken into account, but produces a slice w.r.t. any possibly ﬁring sequence. The second approach further reduces the computed slice by ﬁxing a particular ﬁring sequence. 288 ModBE’13 – Modeling and Business Environments Astrid Rakow developed two ﬂavors of Petri net slicing, CT L∗−X slicing and Safety slicing in [13]. The key idea behind the construction is to distinguish between reading and non-reading transitions. A reading transition t ∈ T can not change the token count of place p ∈ P while other transitions are nonreading transitions. For CT L∗−X slicing, a subnet is built iteratively by taking all non-reading transitions of a place P together with their input places, starting with given criterion place. And for the Safety slicing a subnet is built by taking only transitions that increase token count on places in P and their input places. CT L∗−X slicing algorithm is fairly conservative. By assuming a very weak fairness assumption on Petri net it approximates the temporal behavior quite accurately by preserving all CT L∗−X properties and for safety slicing focus is on the preservation of stutter-invariant linear safety properties only. We notice that all the constructions are limited to low-level Petri nets. The main diﬀerence between High-level and low-level Petri net is that in high-level Petri nets tokens are no longer black dots, but complex structured data. Whereas in case of low-level Petri nets, all (black) tokens correspond to the same data object. The idea of reading and non-reading transitions introduced in [13] deals only with the token count of places in low-level Petri nets. In Algebraic Petri nets there are properties that may concern to the values of tokens. The main diﬀerence between the existing slicing constructions such as, CT L∗−X , Safety slicing and our is that in CT L∗−X , Safety slicing only transitions are included that change the token count whereas in APNSlicing, we include transitions that change the token values together with the transitions that change the token count. A comparison between APNSlicing, CT L∗−X and safety slicing algorithms is shown in Fig. 7. Slice CTL*-X Preserving all CTL*-X properties assuming a weak fairness assumption Properties are about token count only Designed for Low-level Petri net Safety Slicing Preserving safety properties only Properties are about token count only Designed for Low-level Petri net APNSlicing Preserving all LTL-X properties assuming a weak fairness assumption Properties are about token count and token values Designed for High-level Petri net (APNs) Fig. 7. A comparison between APNSlicing, CT L∗−X and Safety slicing 5 Case Study We took a small case study from the domain of crisis management systems (car crash management system) for the experimental investigation of the proposed Y. Khan et al.: Optimizing Algebraic Petri Net Model Checking by Slicing 289 approach. In a car crash management system (CCMS); reports on a car crash are received and validated, and a Superobserver (i.e., an emergency response team) is assigned to manage each crash. Recording Crisis Data [Fire, Blockage] Superobserver Ready [sobs(YK,Fire)] [$cd] sendcrisis [$sob] [system($cd,false)] ExecutingCrisis System [$sy] [] [system(getcrisistype($sy), true)] assigncrisis isvalidcrisis($sy=true)& invalidsobs($sob, getcrisistype($sy)=true) [assigncrisis($sob,$sy)] [] [$ec] [$sy] sendreport validatecrisis [rp($ec)] ExecutedCrisisReport [] Fig. 8. Car crash APN model The APN Model can be observed in Fig. 8, it represents the semantics of the operation of a car crash management system. This behavioral model contains labeled places and transitions. There are two tokens of type Fire and Blockage in place Recording Crisis Data. These tokens are used to mention which type of data has been recorded. The input arc of transition sendcrisis takes the cd variable as an input from the place Recording Crisis Data and the output arc contains term system(cd,false) of sort sys. Initially, every recoded crisis is set to false. The sendcrisis transition passes recorded crisis to system for further operations. The output arc of validatecrisis contains system(getcrisistype(sy),true) term which sends validated crisis to system. The transition assigncrisishas two guards, ﬁrst one is isvalid(sy)=true that enables to block invalid crisis reporting to be executed for the mission and the second one is isvalid(sob,getcrisestype(sy))=true which is used to block invalid Superobserver (a skilled person for handling crisis situation) to execute the crisis mission. The Superobserver YK will be assigned to handle Fire situation only. The transition assigncrisis contains two input arcs with sob and sy variables and the output arc contains term assigncrisis(sob,sy) of sort crisis. The output arc of transition sendreport contains term rp(ec). This enables to send a report about the executed crisis mission. We refer the interested reader to [7] for the algebraic speciﬁcation of car crash management system. An important safety threat, which we will take into an account in this case study is that the invalid crisis reporting can be hazardous. The invalid crisis reporting is the situation that results from a wrongly reported crisis. The ex- 290 ModBE’13 – Modeling and Business Environments Superobserver Ready validatecrisis(Fire,false),(Fire,true) sendcrisisFire,(Fire,false) Fire sobs(YK,Fire) (Fire,false) (YK,Fire) (Fire,true) Recording Crisis Data ExecutingCrisis System (Fire,false) (Fire,true) Fire,Blockage assigncrisis(Fire,true),(YK,Fire), ((Fire,true),(YK,Fire)) ((Fire,true),(YK,Fire)) (Blockage,false) (Blockage,true) ((Fire,true),(YK,Fire)) (Blockage,false) Blockage sendcrisisBlockage, validatecrisis(Blockage,false), (Blockage,false) (Blockage,true) sendreport((Fire,true),(YK,Fire)),((Fire,true), (YK,Fire)) ((Fire,true),(YK,Fire)) ExecutedCrisisReport Fig. 9. The unfolded car crash APN model ecution of crisis mission based on the wrong reporting can waste both human and physical resources. In principle, it is essential to validate the crisis that it is reported correctly. Another, important threat could be to see the number of crisis that can be sent to place System should not exceed from a certain limit. Informally, we can deﬁne the properties: ϕ1 : All the crisis inside place System are validated eventually. ϕ2 : Place System never contains more than two crisis. Formally we can specify the properties as, let Crises be a set representing recorded crisis in car crash management system. Let isvalid : Crises → BOOL, is a function used to validate the recorded crisis. ϕ1 = F(∀crisis ∈ Crises|isvalid(crisis) = true) ϕ2 = G(|Crises| ≤ 2) In contrast to generate the complete state space for the veriﬁcation of ϕ1 and ϕ2 , we alleviate the state space by applying our proposed algorithm. For both ϕ1 , ϕ2 LTL formulas, scope(ϕ1 ∧ ϕ2 ) ⊆ Q. The criterion place(s) for both properties is System. The unfolded car crash APN model is shown in Fig. 9. The slicing algorithm APNSlicing(Unfolded car crash APN model,System) takes the unfolded car crash APN model and System (an input criterion place) as an input and iteratively builds a sliced net. The sliced unfolded car crash APN model is shown in Fig. 10, places named ExecutedCrisis and ExecutedCrisisreporting together with transition named sendreport are sliced away. From the initial marking of Car Crash APN Model 36 states are reachable, whereas sliced car crash APN model has 27 reachable states. The resultant sub net is suﬃcient to verify both properties (see proof in Theorem 1). 6 Evaluation In this section, we evaluate our slicing algorithm with the existing benchmark case studies. We measure the eﬀect of slicing in terms of savings of the reachable Y. Khan et al.: Optimizing Algebraic Petri Net Model Checking by Slicing 291 Superobserver Ready validatecrisis(Fire,false),(Fire,true) sendcrisisFire,(Fire,false) sobs(YK,Fire) Fire (Fire,false) (YK,Fire) (Fire,true) Recording Crisis Data System (Fire,false) (Fire,true) Fire,Blockage assigncrisis(Fire,true),(YK,Fire), ((Fire,true),(YK,Fire)) (Blockage,false) (Blockage,true) (Blockage,false) Blockage sendcrisisBlockage, validatecrisis(Blockage,false), (Blockage,false) (Blockage,true) Fig. 10. Sliced and unfolded car crash APN model state space, as the size of the state space usually has a strong impact on time and space needed for model checking. Instead of presenting case studies where our methods work best, it is equally interesting to see where it gives an average or worst case results, so that we will present a comparative evaluation on the benchmark case studies. To evaluate our approach, we made the follwing assumptions: – Evaluation procedure is independent of the temporal properties. In general, it is not feasible to determine which places correspond to the interesting properties. Therefore, we generated slices for each place in the given APN model (later, we take some speciﬁc temporal properties about the APN models under observation) . – We abandoned the initially marked places (we follow [13] to assume that there are not interesting properties concerning to those places). Let us study the results summarized in the table.1, the ﬁrst column shows diﬀerent APNs models under observation. Based on the initial markings, total number of states is shown in the second column. Best reduction and average reduction (shown in the third and fourth column) refers to the biggest and an average achievable reduction in the state space among all possible properties. In the ﬁfth column total number of places is given, for the properties related to these places, our slicing does not reduce the number of states. Finally, the structure of APN models under observation is given. Results clearly indicate the signiﬁcance of slicing; the proposed APNSlicing algorithm can alleviate the state space even for some strongly connected nets. To show that the state space could be reduced for the practically relevant properties. Let us take some speciﬁc examples of the temporal properties from the APN models shown in table.2 and compare the reduction in terms of states by applying the APNSlicing algorithm. For the Daily Routine of two Employees and Boss APN model, for an example, we are interested to verify that: “Every time 292 ModBE’13 – Modeling and Business Environments Table 1. Results on diﬀerent APN models System T.States Bst.Reduct Avg.Reduct W orst P laces N.Type no reduction Complaint Handling 2200 98.01% 40.54% 2 Weak.Connect Divide & Conqure 117863 99.09% 14.22% 1 Weak.Connect Bevarage Vending 136 80.14% 02.15% 2 Weak.Connect 80 93.75% 86.12% zero Str.Connect Simple Protocol 1861 95.91% 39.01% 1 Str.Connect Producer Consumer 372 0.00% 0.00% 5 Str.Connect & Machine Daily Routine of 2 Employees & Boss the boss does not schedule a meeting, he will be at home eventually”. Formally, we can specify the property: ϕ1 = G(N M ⇒ FB1), where “NM" (resp. B1) means “place NM (resp. B1) is not empty". For a Producer Consumer APN model an interesting property could be to verify that: “Buﬀer place is never empty”. Formally, we can specify the property: ϕ2 = G(|Buf f er| > 0). And for a Complaint Handling APN model, we are interested to verify: “All the registered complaints are collected eventually”. Formally, we can specify the property: ϕ3 = G(RecComp ⇒ FCompReg), where “RecComp" (resp. CompReg) means “place RecComp (resp. CompReg) is not empty". Table 2. Results with diﬀerent properties concerning to APN models System Daily Routine of 2 Tot.States Property Crit.Place(s) Percent.Reduction 80 ϕ1 {NM,B1} 75.00% Producer Consumer 372 ϕ2 {Buffer} 0.00% Complaint Handling 2200 ϕ3 {RecComp,RegComp} 50.54% Employees & Boss Let us study the results summarized in the table shown in table. 2, the ﬁrst column represents the system under observation whereas in the second column total number of states are given based on the initially marked places. The third column refers the property that we are looking for the veriﬁcation. In the fourth Y. Khan et al.: Optimizing Algebraic Petri Net Model Checking by Slicing 293 column, places are given that are considered as criterion places, and for those places slices are generated. The ﬁfth column represents the number of states that are reduced (in percentage) after applying APNSlicing algorithm. We can draw the following conclusions from the evaluation results such as: – The choice of the place can have an important inﬂuence on the reduction eﬀects (As the basic idea of slicing is to start from the criterion place and iteratively include all the non-reading transitions together with their input places. The less non-reading transitions attached to the criterion place, the more reduction is possible). – Reduction can vary with respect to the net structure and markings of the places (The slicing refers to the part of a net that concerns to the property, remaining part may have more places and transitions that increase the overall number of states. If slicing removes parts of the net that expose highly concurrent behavior, the savings may be huge and if the slicing removes dead parts of the net, in which transitions are never enabled then there is no eﬀect on the state space). – For certain strongly connected nets slicing may produce a reduced number of states (For all the strongly connected nets that contain reading transitions slicing can produce noteworthy reductions). – Slicing produces best results for not strongly connected nets (By deﬁnition work-ﬂow nets are not strongly connected and since they model work ﬂows, slicing can eﬀectively reduce such nets). 7 Conclusion and Future Work In this work, we developed an Algebraic Petri net reduction approach to alleviate the state space explosion problem for model checking. The proposed work is based on slicing. The presented slicing algorithm (APNSlicing) for Algebraic Petri net guarantees that by construction the state space of sliced net is at most as big as the original net. We showed that the slice allow veriﬁcation and falsiﬁcation if Algebraic Petri net is slice fair. Our results show that slicing can help to alleviate the state space explosion problem of Algebraic Petri net model checking. The future work has twofold objectives; ﬁrst to implement the proposed slicing construction in AlPiNA (Algebraic Petri net analyzer) a symbolic model checker [5]. As discussed in the section 3.1, we are using the same unfolding approach for APNs as AlPiNA. Obviously, this will reduce the eﬀort in terms of implementation. Secondly, we aim to utilize the sliced net when verifying the evolutions of the net. Slicing can serve as a base step to identify those evolutions that do not require re-veriﬁcation. 294 ModBE’13 – Modeling and Business Environments References 1. D. Buchs, S. Hostettler, A. Marechal, A. Linard, and M. Risoldi. Alpina: A symbolic model checker. Springer Berlin Heidelberg, pages 287–296, 2010. 2. J. R. Burch, E. Clarke, K. L. McMillan, D. Dill, and L. J. Hwang. Symbolic model checking: 1020 states and beyond. In Logic in Computer Science, 1990. LICS ’90, Proceedings., Fifth Annual IEEE Symposium on e, pages 428–439, 1990. 3. J. Chang and D. J. Richardson. Static and dynamic speciﬁcation slicing. In In Proceedings of the Fourth Irvine Software Symposium, 1994. 4. E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic veriﬁcation of ﬁnitestate concurrent systems using temporal logic speciﬁcations. ACM Transactions on Programming Languages and Systems, 8:244–263, 1986. 5. S. Hostettler, A. Marechal, A. Linard, M. Risoldi, and D. Buchs. High-level petri net model checking with alpina. Fundamenta Informaticae, 113(3-4):229–264, Aug. 2011. 6. K. Jensen. Coloured petri nets. In W. Brauer, W. Reisig, and G. Rozenberg, editors, Petri Nets: Central Models and Their Properties, volume 254 of Lecture Notes in Computer Science, pages 248–299. Springer Berlin Heidelberg, 1987. 7. Y. I. Khan. A formal approach for engineering resilient car crash management system. Technical Report TR-LASSY-12-05, University of Luxembourg, 2012. 8. L. Lamport. What good is temporal logic. Information processing, 83:657–668, 1983. 9. W. J. Lee, H. N. Kim, S. D. Cha, and Y. R. Kwon. A slicing-based approach to enhance petri net reachability analysis. Journal of Research Practices and Information Technology, 32:131–143, 2000. 10. M. Llorens, J. Oliver, J. Silva, S. Tamarit, and G. Vidal. Dynamic slicing techniques for petri nets. Electron. Notes Theor. Comput. Sci., 223:153–165, Dec. 2008. 11. A. Rakow. Slicing petri nets with an application to workﬂow veriﬁcation. In Proceedings of the 34th conference on Current trends in theory and practice of computer science, SOFSEM’08, pages 436–447, Berlin, Heidelberg, 2008. SpringerVerlag. 12. A. Rakow. Slicing and Reduction Techniques for Model Checking Petri Nets. PhD thesis, University of Oldenburg, 2011. 13. A. Rakow. Safety slicing petri nets. In S. Haddad and L. Pomello, editors, Application and Theory of Petri Nets, volume 7347 of Lecture Notes in Computer Science, pages 268–287. Springer Berlin Heidelberg, 2012. 14. W. Reisig. Petri nets and algebraic speciﬁcations. Theor. Comput. Sci., 80(1):1–34, 1991. 15. K. Schmidt. T–invariants of algebraic petri nets. Informatik– Bericht, 1994. 16. A. Valmari. The state explosion problem. In Lectures on Petri Nets I: Basic Models, Advances in Petri Nets, the volumes are based on the Advanced Course on Petri Nets, pages 429–528, London, UK, UK, 1998. Springer-Verlag. 17. M. Weiser. Program slicing. In Proceedings of the 5th international conference on Software engineering, ICSE ’81, pages 439–449, Piscataway, NJ, USA, 1981. IEEE Press. This work has been supported by the National Research Fund, Luxembourg, Project MOVERE, ref.C09/IS/02. A Proposal for the Modeling of Organizational Structures and Agent Knowledge in MAS Lawrence Cabac, David Mosteller, Matthias Wester-Ebbinghaus University of Hamburg Faculty of Mathematics, Informatics and Natural Sciences Department of Informatics {cabac,2mostell,wester}@informatik.uni-hamburg.de http://www.informatik.uni-hamburg.de/TGI Abstract. One of the most important tasks when developing multiagent systems (MAS) is to determine the overall organizational structure of the system. In this paper we present a service-oriented perspective on the organizational structure of MAS and we present modeling techniques and tools for supporting this perspective. We pursue a model-driven approach and a tight integration between various models on the one hand and between the models and the generated code on the other hand. In particular, we combine ontology modeling and organization structure modeling in a way that we can easily generate the initial content of agent knowledge bases in the form of FIPA semantic language (SL) fragments (depending on what positions the agents occupy in the context of the organizational structure). In addition, this allows the agents to reason about and to communicate about their organizational embedding using the same ontology. Keywords: Renew, Mulan, Paose, Petri nets, multi-agent systems, model-driven development, organizational structure 1 Introduction The modeling of the fundamental organizational structure is one of the central tasks during the development of a multi-agent system (MAS) [9]. While agents are considered autonomous in their actions, they are also supposed to fulﬁll certain functions in relation to the purpose of the overall multi-agent application (MAA). A wide spectrum of approaches for organizing multi-agent systems exists [15] and some of them are quite sophisticated in drawing inspiration from organizing principles of social systems (including multiple organizational modeling dimensions like social structures, tasks, social interactions, norms etc., cf. [1,8]). We argue that at the core of most of these approaches lies the determination of an organizational structure in terms of agent functions and agent dependencies based on functional dependencies. This concerns the questions, which agents are required / allowed to do what (responsibilities / abilities) and to whom they can 296 ModBE’13 – Modeling and Business Environments refer for help in certain cases (support / delegation). Basically, this is a serviceoriented perspective on agent relationships. Agents oﬀer functional services to other agents and in turn require the services of other agents in order to fulﬁll some of their own functionality. We apply this functional and service-oriented perspective for the design of the basic organizational structure of a MAS in our Paose approach (Petri net-based Agent- and Organization-oriented Software Engineering, http://www. paose.net). It provides a general basis for MAS organization that can be extended if necessary.1 We have presented our Paose approach on previous occasions and we have particularly elaborated on the model-driven nature of Paose in [6]. Our multi-agent platform Mulan/Capa [16,22] tightly combines model and code as it is based on a fusion of high-level Petri nets and Java. This allows us to model / implement all processes as directly executable Petri nets. In addition, we use UML-style modeling techniques for development where we need a more declarative perspective than is oﬀered by Petri nets. In this paper, we speciﬁcally refer to the part of Paose that is concerned with modeling organizational structures in terms of agent roles and service dependencies between roles. This part relies on ontology modeling as we explicate the concepts used for organizational structures as an ontology. This has the additional beneﬁt that we can easily translate an organizational structure model into multiple initial knowledge bases for multiple agents (depending on what positions the agents occupy in the organizational structure). The content of the knowledge bases is generated in FIPA semantic language (http://www.fipa.org), which provides the technical basis for agents to reason about and to communicate about their organizational embedding. Compared with our previous work presented in [6,7], we present a considerable rework including new tools. Our revision basically takes care of a better and tighter integration between the tools used as well as between the models and the generated code. In Section 2 we provide an overview of role and service (dependency) modeling in the MAS ﬁeld and motivate our own approach. In Section 3, we present our concrete models and the supporting tools. We place our contribution in the context of our development process Paose and introduce the agent framework Mulan/Capa. We also describe how the tools ﬁt into the model-driven nature of our Paose approach. Section 4 gives an example of our tools in use, demonstrated in a concrete application scenario. We close with a short summary and some aspects of future research and development that builds upon the results presented in this paper in Section 5. 1 For example, we have developed the Sonar model [17,18] for multi-agent teamwork support, where we use a more elaborate model of functional service dependencies between agents based on task delegation structures and a behavior-based notion of service reﬁnement. L. Cabac et al.: Modeling the Organizational Structure of MAS 2 297 Organizational Structures of Multi-Agent Systems In this section we elaborate on our conceptual approach to modeling organizational structures in terms of agent roles and service dependencies. We motivate the use of the two core concepts of roles and services in the context of related work. 2.1 Modeling Agent Roles and Service Dependencies The interest in establishing organizational structures in a MAS has always been an important part of agent research. One can argue that it is an important part of software design in general (although the architecture metaphor is more established than the organization metaphor). However, in the case of MAS this topic becomes even more imperative. Artiﬁcial social agents are regarded as very sophisticated software components with complex knowledge and reasoning mechanisms that often only oﬀer a limited visibility. Consequently, high-level system perspectives are necessary, in which one can abstract from agent-internal details and still comprehend the system on a more abstract level. The concept of a role has been used extensively in this context and has been established as one of the core concepts of agent-oriented software design [19]. Rights and responsibilities are associated with roles independently from the speciﬁc agents that will occupy the roles. Consequently, this leads to a certain degree of predictability and controllability of global MAS behavior without knowing anything about the agents’ internals. Examples of bringing the concept of roles to use (cf. [1]) is to enable as well as constrain agent behavior in terms of (1) which roles belong together to a common group context (allowing acquaintance and communication between group members), (2) deﬁning which roles are expected to be associated with which goals, tasks and necessary capabilities and (3) which roles are supposed to take part in which conversations in which way. Basically, all these eﬀorts boil down to the abstract question what an agent occupying a speciﬁc role is supposed to do just because of it taking on that role. We are mainly interested in an explication of a functional perspective on roles and role relationships. Of special interest is the speciﬁcation of functionality of roles occupants in the context of the wider multi-agent application and the dependencies that exist between diﬀerent role occupants. Thus, we apply a service-oriented perspective on agent roles: Which roles are associated with the provision of which services and on which other services are they dependent? We are aiming at a rather minimalistic model of agent roles and their relationships in terms of service dependencies that can be enriched with more sophisticated concepts if needed (e.g. goal / task hierarchies, conversation guidelines). 2.2 Related Work Not only in agent-oriented approaches to software development the modeling of component dependencies is one of the major challenges. One main problem (also applying to some of the approaches for role-based speciﬁcations mentioned 298 ModBE’13 – Modeling and Business Environments above) is that dependencies are often hidden underneath quite complex speciﬁcations. Ensel and Keller summarize Gopal [13] in the following way: “However, the main problem today lies in the fact that dependencies between services and applications are not made explicit, thus making root cause and impact analysis particularly diﬃcult” [10, p. 148]. Therefore our motivation is to gain the ability to explicitly model dependencies for MAS and our choice is to model component dependencies (agent dependencies) in terms of roles and service dependencies. The actual dependencies between running agents then result from the roles they occupy. In the context of the diﬀerent approaches to software development there exist various ways of handling component dependencies. Some of them are restricted to managing service dependencies by utilizing declarative service descriptions, i.e. using XML [10, p. 148], [24]. From our point of view the more promising approach consists in making use of diagram-based methods. The most obvious beneﬁt lies in the incomparably better visualization of diagram-supported models over declarative service descriptions. This was identiﬁed as a central issue, taking up the above mentioned citation by Ensel and Keller again. On the one hand, the diagram is the means to make the dependencies explicit [3] instead of an implicit declaration located in the conﬁguration ﬁles of the (distributed) components as it is for example the case in OSGI service descriptions [24]. An explicit representation of the dependencies is of special value during the design phase for a developer / administrator. On the other hand, the capabilities of model transformation are given in both possibilities to describe dependencies as model-based and as declarative descriptions. A similar approach was taken in [26] for Web Services and BDI-Agents. Service dependencies are speciﬁed in the model domain and tool support is realized as a Rational Software Modeler extension. “Dependencies between the various components are modeled at the PIM-level and two-way model transformations help us to ensure interoperability at the technical level and consistency at the PIM-level” [26, p. 114]. There are other eﬀorts, which mainly address speciﬁcation of dependencies between agents and Web Services (e.g. [14]) whereas our work is focused on agent relations. Most software developing methodologies contain a technique for modeling some kind of dependencies between their components. The Tropos methodology distinguishes four kinds of dependencies between agents, from hard dependencies (resource) to soft ones (soft-goal). Silva and Castro [23] display how Tropos dependency relations can be expressed in UML for real time systems. Ferber et al. [11] show how the organizational structure of an agent-based system can be modeled using the AGR technique. One of the proposed diagrams, the organizational structure diagram, shows roles, interactions and the relations between roles and interactions. This diagram is comparable to the Roles/Dependencies diagram. In Gaia Zambonelli et al. [25] focus strongly on the organizational modeling. One of the important models is the service model. Our Roles/Dependencies diagram can be regarded as an implementation of the Gaia service model. However, L. Cabac et al.: Modeling the Organizational Structure of MAS 299 Gaia does not recognize hierarchical roles. Padgham and Winikoﬀ [21] explicitly model acquaintances in Prometheus. But from these models they do not derive any agent (role) dependencies. Roles are not modeled in Prometheus, instead the focus lies on agents. The system model in Prometheus gives a good overview of the system comparable with the overview of the Roles/Dependencies diagram. It is much more detailed but does not explicitly show any dependencies except the interaction protocols or messages that connect agents. The structure of the system model reﬂects the one of the acquaintances model. In the following, we introduce our approach for a minimalistic (but extensible) comprehension of organizational structures of MAS in terms of role descriptions and role dependencies based on service relationships. Our previous work covered details on the conceptual side of modeling the basic organizational structure of MAS, introducing modeling techniques [7,5,4] and tools [6]. In our current work we improve the methods and tools by putting an even stronger focus on the model-driven nature of our approach. We pursue a tighter integration of diﬀerent tools and to minimize the gap between the models and the code generated from the models. One speciﬁc beneﬁt of our approach lies in the fact that the metamodel for organizational structures is expressed in the agents’ language – i.e. as an agent ontology. Thus, the agents are able to communicate and reason about their own organizational structures. 3 Role/Dependency Tool Support for Model-Driven Development in PAOSE In the following we point out how the integration of the conceptional basis we introduced in the previous section is established in our Mulan framework and the Paose development process. We introduce two types of diagrams, namely for ontology modeling and for roles/dependencies modeling. They support the discussed features in a clear and intuitive way, making use of well-known constructs from UML. We also present our tool solution to support our model-driven development approach. All our Paose tools are realized as plugins for the highlevel Petri net tool Renew (http://www.renew.de).2 They extend Renew with modeling techniques that are not based on Petri nets. 3.1 The Paose Development Process This section puts the subsequent work into the context of the Paose approach, which aims at the development of Mulan applications. The approach focuses on aspects of distribution, concurrency and model-driven development. The framework Mulan oﬀers the basic artifacts and structuring for the application. Its four layered architecture features as basic artifacts the communication infrastructure, the agent platforms, the agents and the agent internals (protocols, decision components and knowledge bases). With the exception of the communication 2 Renew also provides the virtual machine that executes Mulan applications. 300 ModBE’13 – Modeling and Business Environments infrastructure, all artifacts are implemented as Java Reference nets. Capa extends the Mulan architecture with FIPA-compliant communication features, providing inter-platform (IP-based) agent communication. Also the Mulan applications (MAA) are – similar to the Mulan/Capa framework – implemented in Java Reference nets and Java. They are executed, together with the Mulan/Capa framework, in the Renew virtual machine. While the implementation in Java Reference nets introduces concurrency for Mulan applications, the Capa extension enables the agents to run in distributed environments. Figure 1. The Paose development process and techniques. Modiﬁed from [3, p. 133] The organization of MAS can be explicitly modeled using model-driven techniques [6], as described in the following sections. However, in addition to the organizational structure of the MAA, we apply the agent-oriented view onto the organizational structure of the development team through the metaphor of the multi-agent system of developers [2]. The metaphor provides the perspective that human participants of the development team form an organization, similar to agents in an MAA, and their collaborative eﬀorts constitute the development process, similar to the MAA process. During development the responsibilities for the diverse tasks are distributed among the developers, which allows for concurrent and distributed collaboration as well as explicit identiﬁcation of dependencies between the team participants. In the previous sections we motivated a service-oriented composition of MAS based on roles and service dependencies. Here we argue that developers dependencies result from the organizational structure and the application’s dependencies. These dependencies are also reﬂected in the Paose development process, which consists in iterative repetitions of speciﬁc fundamental steps of design and implementation, as shown in Figure 1. The ﬁgure depicts a simpliﬁed Petri-net process of the Paose design cycle. L. Cabac et al.: Modeling the Organizational Structure of MAS 301 A project starts with the requirements analysis resulting in a coarse design of the overall structure of the MAA. The coarse design identiﬁes essential roles and interactions of the organization. It is used to generate the initial structure (development artifacts) of a project. The main step of an iteration consists of three tasks of modeling and implementation. These are the modeling of interactions, agent roles and ontologies, as well as generating sources from the models and reﬁning the implementation. The integration of the resulting artifacts completes an iteration. In the diagram annotations refer to modeling techniques, which are utilized to carry out a corresponding task and the artifacts, which are generated from the design models. Taking up the aforementioned view on the organization of a development team, the completion of an iteration requires the synchronized, collaborative eﬀort of the participants. In the context of this work we introduce a technique and a tool for the modeling of agent roles. To this end, we utilize the ontology model used in Paose as a meta-model. In this sense the following section describes how our integration approach essentially applies ontology concepts for the design of a new modeling technique and a corresponding tool – in this case the modeling of organizational structures of MAA. 3.2 Integration Approach Within our development process we apply a few presumptions. The approach taken relies on two fundamental ideas. These are the support for the development process by making use of methods from model-driven development (MDD) and the tightening of the integration of models (diagrams), generated code and serialized representations. This leads to a threefold integrative approach that is illustrated in Figure 2 and that we discuss in the following. Integration encompasses three parts: (1) an ontology including multiple concepts, (2) the code generated from the ontology and (3) the serialized representations of concept instances in FIPA Semantic Language (SL) format [12]. Ontologies are modeled using a light-weight technique called Concept Diagram 3 . The concepts deﬁned in the ontology are transformed into Java classes, one class for each concept. Instances of these classes (ontology objects) can be extracted into SL-formatted text. Through an SL parser the serialized SL text representations can be used to instantiate Java ontology objects in the reverse direction. Consequently, we utilize three tools for these three tasks: (1) the ConceptDiagramModeler, (2) the OntologyGenerator and (3) the SL parser. This basic integration approach described so far has several beneﬁts. The development process takes on a model-driven approach, which allows for the speciﬁcation of ontological concepts in a graphical notation. Concept Diagrams are very similar to the widely-used UML Class Diagrams. They are quite intuitively comprehensible and easy to manage. Manipulation of attributes can be carried out directly in the diagram. Additionally, by making use of code 3 An example of a Concept Diagram will be discussed in the context of deﬁning a knowledge base format in the following section (3.3). 302 ModBE’13 – Modeling and Business Environments Figure 2. The three-part basic model of agent knowledge generation and the bi-directional conversion between Java objects and SL text representations for concept instances, the integration of the diﬀerent representations is very tight, i.e. transformation is transparent to a user. By using SL for the text representations of ontology objects we employ an agent-comprehensible format, as Mulan agents use SL text representations for message encoding. In addition, our experience has indicated that SL text is also better human-readable in comparison to an equivalent XML representation and shows a lower overhead. In the following, we show how we apply this method in the case of modeling service dependencies and agent knowledge. 3.3 Concept Diagrams for Role and Knowledge Base Concepts The previous section provides a general overview of our model-driven approach based on the integration of multiple representations. Now we describe how the three basic parts (ontology, Java code, SL text representation) are applied in the case of modeling as well as establishing organizational structures in multi-agent applications (MAA). The model-driven approach starts with the speciﬁcation of an ontology encompassing organizational concepts (roles, services, protocols) and concepts necessary for the generation of agent knowledge from organizational structure models (knowledge base as an aggregation of role deﬁnitions resulting L. Cabac et al.: Modeling the Organizational Structure of MAS 303 from a mapping between agents and roles, in which multiple roles can be assigned to each agent). The ontology we use is shown in Figure 3 as a Concept Diagram. It is created with the ConceptDiagramModeler. Figure 3. A Concept Diagram for agent knowledge base concepts The Concept Diagram serves in a twofold way. First, it deﬁnes all the content types of the agent communication in an application. Second, it serves as a metamodel for the tools that handle the modeled contents. From here on, we rely on further tool support for code generation and conversion between the diﬀerent representations of concepts and concept instances. We use the OntologyGenerator (based on Velocity, http://velocity.apache.org) and the SL parser provided by the Mulan framework. Ontology modeling in terms of Concept Diagrams and code generation from these models is already a part of the Paose development process (cf. [3, p. 173]). Thus, the approach described here for handling organizational structures and agent knowledge ﬁts neatly into the context of our wider work. Basically, Figure 3 can be regarded as capturing the ontology for knowledge bases of Mulan agents (the schema of a knowledge base). It illustrates the modeling technique of Concept Diagrams in terms of inheritance and the use of concepts for the deﬁnition of other concepts (this could also be modeled via associations between diﬀerent concepts). Besides capturing the ontology for knowledge bases, the ontology is also used by the AgentRoleModeler tool presented in the next subsection. Java ontology classes that are generated by the OntologyGenerator tool are specializations of generic ValueTuple (VT) and KeyValueTuple (KVT) classes. VT and KVT structures are the root interfaces of an implementation of the FIPA SL. As mentioned above, by using an SL parser, ontology objects can be instantiated from their SL string representations. This is a feature that lies at the heart of creating agent instances from knowledge base patterns (because knowledgebase is a concept in the diagram from Figure 3 and thus each knowledge base 304 ModBE’13 – Modeling and Business Environments as a whole has an SL representation). Ontology classes provide getters, setters and convenience methods for operations on the data structures. The OntologyGenerator tool is integrated into the build environment of the Mulan framework and the SL parser can be used on the ﬂy in a running Mulan MAA. All in all, this supports our ambition of realizing a tight integration of diﬀerent models, tools and code. Using the knowledge base ontology shown in Figure 3 the following section explains how we model roles and dependencies in multi-agent applications. 3.4 Roles/Dependencies Diagrams Roles and role dependencies are modeled with the AgentRoleModeler tool. The corresponding Roles/Dependencies Diagrams combine notations from Class Diagrams and Communication Diagrams. The tool is embedded in our model-driven development approach. The content of Roles/Dependencies Diagrams (Figure 5) is based on the concepts that were already deﬁned in the ontology from Figure 3. Because of this, the AgentRoleModeler tool allows for the generation of knowledge base descriptions in FIPA SL from Roles/Dependencies Diagrams using the knowledge base ontology from Figure 3 as a meta-model. Thus the concepts from the Concept Diagram reappear as stereotypes in the Roles/Dependencies Diagram. The knowledge base descriptions resulting from a Roles/Dependencies Diagram are used as patterns for the initialization of agent instances in the Mulan multi-agent framework. Renew-Editor-Palette Figure 4. The Renew-Editor-Palette The AgentRoleModeler is a drawing plugin for Renew and adds a custom palette for drawing elements of Roles/Dependencies Diagrams as shown in Figure 4 (the AgentRoleModeler palette is shown at the bottom, under Renew’s standard palettes). The graphical representation of Roles/Dependencies Diagram elements is displayed in Figure 5. The nodes of Roles/Dependencies Diagrams (roles and services) contain the text in FIPA SL format, specifying the corresponding attributes of the element. For a compact representation all drawing elements can be collapsed to a smaller view. This provides a very compact L. Cabac et al.: Modeling the Organizational Structure of MAS 305 and high-level view of an organizational structure in terms of roles and role dependencies based on service dependencies. Expanding the drawing elements allows manipulation of their attributes. Figure 5. Constructs of a Roles/Dependencies Diagram. Following Figure 3, the knowledge base of a Mulan agent contains an arbitrary number of agent role descriptions, depending on which roles the agent occupies. The attributes of agent roles (besides having a role name) are basically of three diﬀerent types: (1) service dependencies, (2) protocol triggers and (3) state descriptions. Such (initial) knowledge base content can be generated from Roles/Dependencies Diagrams. Required and provided services of a role (i.e. hard dependencies) are shown explicitly as independent service nodes and oﬀer / use associations connected to role nodes4 . Protocol triggers are key-value tuples that deﬁne, which conversation protocol (value) an agent should initiate in reaction to incoming messages of a certain message pattern (key). They are not represented in a Roles/Dependencies Diagram as explicit nodes but are inserted directly into the corresponding role description. Further, state descriptions for a role may contain any kind of key-value tuples that shall serve as initial knowledge for role occupants. In addition to this ﬂat speciﬁcation of role dependencies, it is also possible to deﬁne inheritance relationships between roles. This introduces hierarchical relationships. A Roles/Dependencies Diagram contains exactly one node that deﬁnes an agent-role mapping. Basically, this node serves to deﬁne agent types in terms of what roles a speciﬁc agent type should encompass. For each such agent type, a pattern in FIPA SL can be generated that serves as the basis for the initial knowledge of instantiated agents of that type. 4 Refer to [7] for a discussion of our view on hard and soft dependencies. 306 4 ModBE’13 – Modeling and Business Environments Application Aforementioned, we motivate the modeling of organizational structures in MAS. Our approach to modeling organizations grounds on a ontological content deﬁnition, namely the three-part basic model of agent knowledge. We introduced the three-part basic model in Section 3.2. We showed how the concrete realization of a tool for modeling organizations utilizes the ontological content deﬁnition. In this spirit the previous section introduced the notation of the Roles/Dependencies diagram and the AgentRoleModeler tool. We will now use the technique of a Roles/Dependencies diagram to model a sample application. The organizational structure is brought into the MAS by the means of generic knowledge base patterns. In the following example we demonstrate our method of extracting initial agent knowledge and structural information from the graphical model and show how they are brought into the running system. We illustrate the modeling of organizational structures and agent knowledge in sample applications. The AgentRoleModeler tool was developed in the context of a bachelors thesis [20] at the University of Hamburg. After its completion it was used in several student projects for agent-oriented software development. In one of these projects about 20 team members worked on implementing applications for an agent-based collaboration platform. The following example from Figure 6 is taken from this project. It displays the scenario of a chat application, in which agents occur in the roles of chat senders and receivers. Figure 6. ARM of WebChat. Figure 6 shows an instance of a Roles/Dependencies diagram. The model consists in the concepts that were already used in the previous section, introduced in Section 3.2 and illustrated in Figure 5. The Sender/Receiver-Scenario is an example we regularly use to demonstrate the Mulan-Framework in student projects. It consists in two roles, a Sender and a Receiver. Both roles inherit attributes from the generic CapaAgent role, thus they are specializations of this role. We will go into more detail about this later. The Sender is in possession of L. Cabac et al.: Modeling the Organizational Structure of MAS 307 a decision component SenderDC, which enables him to sporadically participate in conversation. He is dependent on a service (ChatMessageReception) allowing him to ﬁnd and address chat partners. The Receiver is a role, which provides such a service, as can be seen by the realization relation between the Receiver role and the ChatMessageReception service. Upon receiving a chat message, the Receiver role reacts by initiating a chat protocol. The role speciﬁcation formalizes reactive behavior as a protocol trigger, which can be seen on the lower right part of the above ﬁgure. A protocol trigger maps a type of message, identiﬁed by a message pattern, to a protocol. Every time a message of the deﬁned type is received, the protocol will be triggered. The chat protocol passes chat messages to a decision component of the Receiver (ReceiverDC) allowing him to process the message. He can carry out internal reasoning about the conversation and decide on his further actions, such as creating a response or initiating a new conversation. The diagram constructs described up to this point make up the Roles/Dependencies model. There is a part we have not yet discussed. The agent-roles mapping construct shown on the upper left formalizes an instance speciﬁcation. It determines, which agents occupy a previously deﬁned set of roles. The agent-roles mapping in this case maps both roles to one type of agent, a ChatterAgent. The reason is that a ChatterAgent should naturally have the ability to do both, send and receive chat messages. The example displays our notion of functional rights and responsibilities in terms of services dependencies. This speciﬁcation of roles and services in form of the Roles/Dependencies diagram can be used to generate initial knowledge base contents for the agent instances dedicated to fulﬁll the corresponding roles. The following example focuses on the succeeding step of extracting the information required to initialize agent instances from the model. Figure 7 shows a fragment of the Roles/Dependencies diagram that basically refers to one of the roles from the example above. The blue-bordered role ﬁgure (round corners) displays the attributes for the role name, protocol triggers and state descriptions. On the right hand side one can see a snippet of the FIPA SL code generated from the Roles/Dependencies diagram. Here, the service provided by the Receiver role (ChatMessageReception) is also included directly in the FIPA SL text. It can also be seen that the FIPA SL fragment contains more than one state descriptions. The additional state descriptions are inherited from the CapaAgent super role. The roles and their mutual service dependencies are compiled into knowledge base patterns. The knowledge base patterns are in FIPA SL text, so they can directly be used to initialize agent instances, as they are speciﬁed in the language (ontology) of Mulan-agents. The example shows how this information is extracted from the model. It also shows how the model can express hierarchies of roles in terms of role specializations, enabling inheritance of attributes. Besides using the specialization relation between role constructs inside one single diagram, the mechanism implemented in the AgentRoleModeler tool also allows using inheritance across diagrams. This is also shown in the above ﬁgure. The CapaAgent role is accessed from the Roles/Dependencies diagram named Agent- 308 ModBE’13 – Modeling and Business Environments Figure 7. Role attributes and FIPA SL code generation. Role. This is denoted by the displayed notation containing double colons. With the support for expressing specializations with the AgentRoleModeler tool it is possible to build graphical models containing hierarchies and compile them into knowledge base patterns, which allows us to project the overall organizational structure onto the MAA. The approach for modeling basic organizational structures of MAS in terms of roles and role relationships ﬁts neatly into the general model-driven nature of our Paose approach. In particular, in this case it helps to generate initial agent knowledge. 5 Conclusion In agent-oriented software engineering and especially in the context of developing Mulan applications two essential design aspects are the modeling of the organizational structures and the initial knowledge of the agents. For the purpose of modeling these fundamental features it requires a conceptional basis as well as corresponding techniques, methods and tools. 5.1 Summary In the context of the Paose approach we utilize the technique of Concept Diagrams and the OntologyGenerator tool to specify ontology concepts in order to design multi-agent applications. In the context of this paper this technique and tool is introduced together with the method of modeling agent roles and service dependencies. Furthermore we present a technique and a supporting tool L. Cabac et al.: Modeling the Organizational Structure of MAS 309 – also implemented as plugin for our IDE Renew – for a light-weight modeling of service dependencies and agent roles. In Section 2 we elaborate on organizational concepts in MAS research and motivate our approach to modeling organizational structures. The main part of our contribution is preceded by an introduction to the Paose development process and the Mulan framework (Section 3.1), which constitute the context of our work. Our approach to modeling roles and dependencies is introduced in three steps. First, we introduce the three-part basic model of our approach (Section 3.2). Second, we illustrate the modeling of ontology concepts utilizing Concept Diagrams and the OntologyGenerator (Section 3.3). Third, we present the modeling of agent roles and dependencies with Roles/Dependencies Diagrams and the AgentRoleModeler (Section 3.4). The presented technique is an occurrence of the Roles/Dependencies Diagram – a Class Diagram that includes notations from Communication Diagrams for the modeling of agent role dependencies – that makes use of the Semantic Language (SL) as a description language for the agents’ initial knowledge base contents. Finally, the techniques and tools presented in the course of this contribution are demonstrated in a application scenario in Section 4. 5.2 Future Work In the context of our current research we elaborate on generalizing the approach that was presented in this paper to a further step. The idea is not only to apply the model-driven approach for code generation, conversion and transformation of models, but to generate special purpose tools from ontology diagrams as well. A step in this direction is generalizing the AgentRoleModeler tool to a generic SLEditor tool. The UI of a current prototype is shown in Figure 8. It displays the previously introduced role description of a Receiver from the Sender/Receiver application in a nested graphical ﬁgure. The outer frame is that of the agent-role. The highlighted constructs (in gray) indicate ValueTuples. This representation allows for displaying any nested structure of KeyValueTuples and ValueTuples. It can be seen as an alternative view to the plain text representation in Semantic Language. Further eﬀorts are being made to utilize an ontology – modeled with the technique of a Concept Diagram – as a meta-model to generate specialized structures and at the same time generate the modeling tools by using the generic SLEditor. We are occasionally confronted with criticism against grounding our work on an outdated infrastructure, because we still rely on the FIPA Semantic Language for the speciﬁcation of MAA. We address this subject with our development plan on extending the SLEditor. With the generic SLEditor tool we can support the modeling of MAA using other languages for content speciﬁcation, such as XML. This can be achieved by extending the ontology to support XML to express knowledge contents. Taking up the Figure 2 from Section 3.2 the three-part basic model of agent knowledge is extended to display an XML ontology of an agent role. The Figure reveals what is required to enable this feature: an XML schema deﬁnition specifying the format of our ontologies and the methods for conversion of representa- 310 ModBE’13 – Modeling and Business Environments Figure 8. Alternative representation of SL content. Figure 9. The three-part basic model of agent knowledge, extended to support XML for content speciﬁcation. tions between XML-Text and Java-Object. They are at this time not integrated in Mulan, but there exist standard tools that support XML conversion. References 1. Olivier Boissier, Jomi Hübner, and Jaime Simão Sichman. Organization oriented programming: From closed to open organizations. In G. O’Hare, A. Ricci, M. O’Grady, and O. Dikenelli, editors, Engineering Societies in the Agents World L. Cabac et al.: Modeling the Organizational Structure of MAS 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 311 VII, volume 4457 of Lecture Notes in Computer Science, pages 86–105. Springer, 2007. Lawrence Cabac. Multi-agent system: A guiding metaphor for the organization of software development projects. In Paolo Petta, editor, Proceedings of the Fifth German Conference on Multiagent System Technologies, volume 4687 of Lecture Notes in Computer Science, pages 1–12, Leipzig, Germany, 2007. Springer-Verlag. Lawrence Cabac. Modeling Petri Net-Based Multi-Agent Applications, volume 5 of Agent Technology – Theory and Applications. Logos Verlag, Berlin, 2010. Lawrence Cabac, Ragna Dirkner, and Daniel Moldt. Modeling with service dependency diagrams. In Daniel Moldt, Ulrich Ultes-Nitsche, and Juan Carlos Augusto, editors, Proceedings of the 6th International Workshop on Modelling, Simulation, Verification and Validation of Enterprise Information Systems, MSVVEIS-2008, In conjunction with ICEIS 2008, Barcelona, Spain, June 2008, pages 109–118, Portugal, 2008. INSTICC PRESS. Lawrence Cabac, Ragna Dirkner, and Heiko Rölke. Modelling service dependencies for the analysis and design of multi-agent applications. In Daniel Moldt, editor, Proceedings of the Fourth International Workshop on Modelling of Objects, Components, and Agents. MOCA’06, number FBI-HH-B-272/06 in Report of the Department of Informatics, pages 291–298, Vogt-Kölln Str. 30, D-22527 Hamburg, Germany, June 2006. University of Hamburg, Department of Informatics. Lawrence Cabac, Till Dörges, Michael Duvigneau, Daniel Moldt, Christine Reese, and Matthias Wester-Ebbinghaus. Agent models for concurrent software systems. In Ralph Bergmann and Gabriela Lindemann, editors, Proceedings of the Sixth German Conference on Multiagent System Technologies, MATES’08, volume 5244 of Lecture Notes in Artificial Intelligence, pages 37–48, Berlin Heidelberg New York, 2008. Springer-Verlag. Lawrence Cabac and Daniel Moldt. Support for modeling roles and dependencies in multi-agent systems. In Michael Köhler-Bußmeier, Daniel Moldt, and Olivier Boissier, editors, Organizational Modelling, International Workshop, OrgMod’09. Proceedings, Technical Reports Université Paris 13, pages 15–33, 99, avenue Jean-Baptiste Clément, 93 430 Villetaneuse, June 2009. Université Paris 13. Preeproceedings available online at http://www.informatik.uni-hamburg. de/TGI/events/orgmod09/#proceedings. Luciano Coutinho, Jaime Sichmann, and Olivier Boissier. Modelling dimensions for agent organizations. In Virginia Dignum, editor, Handbook of Research on MultiAgent Systems: Semantics and Dynamics of Organizational Models, pages 18–50. Information Science Reference, 2009. Virginia Dignum. The role of organization in agent systems. In Virginia Dignum, editor, Handbook of Research on Multi-Agent Systems: Semantics and Dynamics of Organizational Models, pages 1–16. Information Science Reference, 2009. Christian Ensel and Alexander Keller. An approach for managing service dependencies with xml and the resource description framework. Journal of Network and Systems Management, 10:147–170, 2002. Jacques Ferber, Olivier Gutknecht, and Fabien Michel. From agents to organizations: An organizational view of multi-agent systems. In Paolo Giorgini, Jörg P. Müller, and James Odell, editors, Agent-Oriented Software Engineering IV, 4th International Workshop, AOSE 2003, Melbourne, Australia, Ju ly 15, 2003, Revised Papers, volume 2935 of Lecture Notes in Computer Science, pages 214–230. Springer-Verlag, 2003. Foundation for Intelligent Physical Agents (FIPA). FIPA SL Content Language Speciﬁcation. http://www.ﬁpa.org/specs/ﬁpa00008/index.html, 2002. 312 ModBE’13 – Modeling and Business Environments 13. R. Gopal. Layered model for supporting fault isolation and recovery. In Network Operations and Management Symposium, 2000. NOMS 2000. 2000 IEEE/IFIP, pages 729–742. IEEE, 2000. 14. C. Hahn, S. Jacobi, and D. Raber. Enhancing the interoperability between multiagent systems and service-oriented architectures through a model-driven approach. In Web Intelligence and Intelligent Agent Technology (WI-IAT), 2010 IEEE/WIC/ACM International Conference on, volume 2, pages 415–422. IEEE, 2010. 15. Bryan Horling and Victor Lesser. A survey of multi-agent organizational paradigms. The Knowledge Engineering Review, 19(4):281–316, 2005. 16. Michael Köhler, Daniel Moldt, and Heiko Rölke. Modelling the structure and behaviour of Petri net agents. In J.M. Colom and M. Koutny, editors, Proceedings of the 22nd Conference on Application and Theory of Petri Nets 2001, volume 2075 of Lecture Notes in Computer Science, pages 224–241. Springer-Verlag, 2001. 17. Michael Köhler-Bußmeier, Daniel Moldt, and Matthias Wester-Ebbinghaus. A formal model for organisational structures behind process-aware information systems. volume 5460 of Lecture Notes in Computer Science, pages 98–115. Springer-Verlag, 2009. 18. Michael Köhler-Bußmeier, Matthias Wester-Ebbinghaus, and Daniel Moldt. Generating executable multi-agent system prototypes from sonar speciﬁcations. In Nicoletta Fornara and George Vouros, editors, 11th Workshop on Coordination, Organizations, Institutions, and Norms in Agent Systems, COIN@Mallow 2010, pages 82–97, 2010. 19. Xinjun Mao and Eric Yu. Organizational and social concepts in agent oriented software engineering. In James Odell, Paolo Giorgini, and Jörg Müller, editors, Agent-Oriented Software Engineering V, volume 3382 of Lecture Notes in Computer Science, pages 1–15. Springer Berlin / Heidelberg, 2005. 20. David Mosteller. Entwicklung eines Werkzeugs zur Modellierung der initialen Wissensbasen und Rollen-Abhängigkeiten in Multiagentenanwendungen im Kontext von PAOSE / MULAN. Bachelor’s thesis, University of Hamburg, Department of Informatics, December 2010. 21. Lin Padgham and Michael Winikoﬀ. Developing Intelligent Agent Systems : A Practical Guide. Wiley Series in Agent Technology. Chichester [u.a.] : Wiley, 2004. isbn:0-470-86120-7, Pages 225. 22. Heiko Rölke. Modellierung von Agenten und Multiagentensystemen – Grundlagen und Anwendungen, volume 2 of Agent Technology – Theory and Applications. Logos Verlag, Berlin, 2004. 23. Carla T. L. L. Silva and Jaelson Castro. Modeling organizational architectural styles in UML: The tropos case. In Oscar Pastor and Juan Sánchez Díaz, editors, Anais do WER02 - Workshop em Engenharia de Requisitos, pages 162–176, 11 2002. 24. Andre L.C. Tavares and Marco Tulio Valente. A gentle introduction to OSGi. SIGSOFT Softw. Eng. Notes, 33:8:1–8:5, August 2008. 25. Franco Zambonelli, Nicholas Jennings, and Michael Wooldridge. Developing multiagent systems: The Gaia methodology. ACM Transactions on Software Engineering and Methodology, 12(3):317–370, 2003. 26. Ingo Zinnikus, Gorka Benguria, Brian Elvesæter, Klaus Fischer, and Julien Vayssière. A model driven approach to agent-based service-oriented architectures. In Klaus Fischer, Ingo Timm, Elisabeth André, and Ning Zhong, editors, Multiagent System Technologies, volume 4196 of Lecture Notes in Computer Science, pages 110–122. Springer Berlin / Heidelberg, 2006. Mining Declarative Models Using Time Intervals Jan Martijn van der Werf ⋆ , Ronny S. Mans ⋆⋆ , and Wil M.P. van der Aalst Department of Mathematics and Computer Science Technische Universiteit Eindhoven P.O. Box 513, 5600 MB Eindhoven, The Netherlands { j.m.e.m.v.d.werf, r.s.mans, w.m.p.v.d.aalst }@tue.nl Abstract. A common problem in process mining is the interpretation of the time stamp of events, e.g., whether it represents the moment of recording, or its occurrence. Often, this interpretation is left implicit. In this paper, we make this interpretation explicit using time intervals: an event occurs somewhere during a time window. The time window may be fine, e.g., a single point in time, or coarse, like a day. As each event is related to an activity within some process, we obtain for each activity a set of intervals in which the activity occurred. Based on these sets of intervals, we define ordering and simultaneousness relations. These relations form the basis of the discovery of a declarative process model describing the behavior in the event log. Keywords: Process mining, time intervals, concurrency theory, declarative process models 1 Introduction Information systems of today collect large amounts of data. For example, banks are saving information about the granting of mortgages and loans, insurance companies are saving information concerning the handling of claims, and hospitals are saving the actions taken to treat patients. Many of the recorded data concern events which have been performed in the context of a certain business process. For each event, different aspects are stored, for example, the activity and case for which the event is raised, its type, and when it has been raised. Process mining [1] aims to extract process knowledge from these recorded events to discover, monitor and improve the actual processes supported by these systems. The information about when the event occurred, for example using the order in which events are recorded, or its recorded timestamp is used to discover, monitor and check the control flow of processes. The implicit assumption many of the process mining algorithms make is that if two events are recorded consecutively, e.g. one is recorded ⋆ ⋆⋆ supported by the PoSecCo project (project no. 257129), partially co-funded by the European Union under the Information and Communication Technologies (ICT) theme of the 7th Framework Programme for R&D (FP7). supported by the Dutch Technology Foundation STW, applied science division of NWO and the Technology Program of the Ministry of Economic Affairs. 314 ModBE’13 – Modeling and Business Environments before the other, or the timestamp of the first is before the latter, they occurred consecutively. However, in many cases, this assumption may not hold, as systems implement log recording differently. So, although time information is recorded, it can be interpreted in many different ways. One interpretation of the timestamp is that it is the time on which the event actually occurred. More likely, many systems implement this as the time on which the event is recorded. Other systems implement logging using a queue system, i.e., the event is placed in the queue, and then written. Thus, if two events occur at the same time, their timestamp may differ as they are written consecutively. A second problem of timestamps is their scale. On the one hand, a too fine time scale introduces causality that in reality does not exist. For example, consider an information system consisting of many different components each with their own logging mechanism. To construct the process of the information system, the recordings of each component need to be combined in a single event log. As a result, one needs to ensure that all components have the same time. On the other hand, a too coarse time scale may falsely introduce concurrency. For example, if the time scale is in days, the order of activities executed on the same day cannot be discovered. A third problem lies in the reliability of the time information. For example, the order based on timestamps of events is more reliable if the same timestamp generator is used. Thus, timestamps of events in the same component are more reliable than when the events are recorded by different components. Another source of unreliability is whether time information depends on user input, such as calendars, or if it is generated by the system. As a result, one should always first check the order in which events occur. One way to resemble this is to use intervals for event occurrences instead of single timestamps. This allows to change the time scale from a very fine scale, such as single points, to very coarse time scales, such as days. For example, an event that occurred on timestamp ‘2013/04/12 12:24:36.3’, can be seen as an interval of a single point, or, if the required time scale under consideration is in days, it can be seen as an event that occurred on April 12, 2013, i.e., in the interval ‘2013/04/12 0:00’ - ‘2013/04/12 23:59:59’. Process mining focuses on the extraction of process knowledge. Whereas process knowledge mainly focuses on the level of activities, systems recordings are on an event level, which is not necessarily the same level, as several events may be raised for the same activity, for example when the activity started or completed. Thus, to be able to reason on the level of activities, events should be combined into activities. Aggregration of events in activities can be done in many ways, such as the life-cycle of activities [1]. Depending on the aggregration, each activity may occur several times, each in its own time interval, resulting in a set of time intervals for each activity. In this paper, we want to make the time intervals in which an activity occurs explicit. Based on a set of intervals for each activity, we reason about which relations can be inferred. For example, do two activities occur simultaneously or do they occur sequentially. As we use intervals instead of single time points, many activities may occur concurrently. Procedural languages, like Petri nets [3], model explicitly the order in which activities occur. For example, places in a Petri net are used to control choices and to reduce the degree of concurrency in a model. As a consequence, concurrency needs J.M.E.M. v.d. Werf et al.: Mining Declarative Models Using Time Intervals 315 to be modelled explicitly, rather than being a language primitive. In a declarative approach, all events may be executed concurrently, unless it is prohibited by constraints. Therefore, we choose a declarative modelling language instead, called Declare [2], and show how a declarative model can be derived from the intervals induced by the timestamps of the events. This paper is structured as follows. In Sec. 2 we introduce the basic notions used throughout the paper. Sec. 3 discusses the role of intervals within an event log. These events and their intervals can be mapped onto activities in many different ways, as shown in Sec. 4. Next, in Sec. 5, we define simultaneousness and causality relations on sets of intervals. Sec. 6 presents a method to build a declarative model based on these interval relations. Last, Sec. 7 concludes the paper. 2 Basic Notions Let S be a set. The powerset of S is denoted by P(S ) = {S ′ | S ′ ⊆ S }. We use |S | for the number of elements in S . Two sets U and V are disjoint if U ∩ V = ∅. We denote the cartesian product of two sets S and T by S × T . On a cartesian product we define two projection functions π1 : S × T → S and π2 : S × T → T such that π1 ((s, t)) = s and π2 ((s, t)) = t for all (s, t) ∈ S × T . We lift the projection function to sets in the standard way. A binary relation R from S to T is defined by R ⊆ (S × T ). For (x, y) ∈ R, we also write x R y. For a relation R ⊆ (S × T ), the inverse relation R−1 is defined as R−1 = {(y, x) ∈ (T × S ) | x R y}. A relation R is called a function if x R y and x R z implies y = z for all x ∈ S and y, z ∈ T . It is called a binary relation over S if R ⊆ (S × S ). A binary relation R is reflexive if x R x for all x ∈ S . It is transitive if x R y and y R z implies x R z for all x, y, z ∈ S . It is reflexive if (x, x) ∈ R for all x ∈ S , and irreflexive if (x, x) < R for all x ∈ S . Relation R is symmetric if x R y implies y R x for all x, y ∈ S and asymmetric if x R y implies ¬y R x for all x, y ∈ S . The relation is antisymmetric if x R y and y R x imply x = y for all x, y ∈ S . The transitive closure of a binary relation R is defined as the smallest relation R+ such that x R+ y if either x = y, or x R+ z and z R y for some z ∈ S . A binary relation R over some set S is an equivalence relation if it is reflexive, symmetric and transitive. A transitive, irreflexive binary relation is called a strict order. It is a preorder, denoted by (S , R), if R is reflexive and transitive. A preorder is a partial order if (S , R) is also antisymmetric. A partial order is called a total order, if in addition also x R y or y R x for all x, y ∈ S . A sequence over S of length n ∈ N is a function σ : {1, . . . , n} → S . If n > 0 and σ(i) = ai for i ∈ {1, . . . , n}, we write σ = ha1 , . . . , an i. The length of a sequence is denoted by |σ|. The sequence of length 0 is called the empty sequence, and is denoted by ǫ. The set of all finite sequences over S is denoted by S ∗ . Let ν, γ ∈ S ∗ be two sequences. Concatenation, denoted by σ = ν; γ is defined as σ : {1, . . . , |ν| + |γ|} → S , such that for 1 ≤ i ≤ |ν|: σ(i) = ν(i), and for |ν| + 1 ≤ i ≤ |ν| + |γ|: σ(i) = γ(i − |ν|). Given a set S and a, possibly infinite set T ⊆ R, a function f : S → T × T is called an interval function if π1 ( f (a)) ≤ π2 ( f (a)) for all a ∈ S . 316 2.1 ModBE’13 – Modeling and Business Environments Event Logs For each user action on the system, an event is raised. An event records its type, for which activity it has been raised, for which case or business process instance, when it was raised, by whom, and the data inserted by the user. Such a recording is called an event log [1]. The set of all possible events, i.e., the event universe is denoted by E. Similarly, we denote the case, attribute and value universes by C, A and V, respectively, such that E, C, A ⊆ V and E, C and A are pairwise disjoint. We assume A ⊆ V to be the (possibly infinite) set of activities. Definition 1 (Event log). An event log is a 3-tuple L = (C, E, #) where – C ⊆ C is a set of case identifiers in the event log; – E ⊆ E is a set of event identifiers in the log; – # : A × (C ∪ E) → P(V) is an attribute mapping. For an attribute n ∈ A we write #n (·) as a shorthand for #(n, ·). The following attributes are always defined: – Each event belongs to exactly one case and each case has at least one event, denoted by the mandatory attribute case ∈ A, i.e., for all events e ∈ E, a case c ∈ C exists with #case (e) = {c}, and for all c ∈ C an event e ∈ E exists with #case (e) = {c}; – Each event belongs to some activity, denoted by the mandatory attribute act ∈ A, i.e., for all events e ∈ E an activity a ∈ A exists such that #act (e) = {a}; – An event may record the time it was recorded using the timestamp attribute time ∈ A, i.e., for all events e ∈ E we have #time (e) = {t} for some timestamp t ∈ T , where T resembles the set of timestamps. 3 Intervals in Event Logs There are many techniques for discovering a process model out of an event log. An extensive overview of available process discovery techniques can be found in [24]. Some examples are the alpha miner [4], the ILP miner [27] and the declarative miner [17]. In many discovery methods, events are considered to be instantaneous: they occur at a single point in time. However, in many information systems, such as electronic patient records, or financial statements, only a date is recorded. Consequently, even if events are considered to occur instantaneously, if they are observed within the same interval, the only conclusion to be drawn is that these occurred simultaneously. The more coarse the chosen time scale (e.g., days, weeks or months), the more events will occur concurrently. Another consequence of a more coarse time scale is that events occur in some time window, rather than occurring at a single moment in time. It is important to note that there are some techniques which do not consider events to be instantaneous. That is, the authors of [15], exploit the fact that activities take time, i.e. each activity has a start and complete event. As a result, parallelism can be detected explicitly. Two activities are considered to occur in parallel if there is at least one case in which the activities overlap in time. In [20], the authors consider the execution of an activity as a time interval based on a starting and ending event. Parallelism is detected J.M.E.M. v.d. Werf et al.: Mining Declarative Models Using Time Intervals 317 Table 1. Example event log, time scale in days date 7-1-2013 8-1-2013 9-1-2013 10-1-2013 11-1-2013 events (1, A) (1, B), (1, E) (2, A), (1, G) (2, E), (2, C), (3, A) (2, G), (3, D) date 14-1-2013 15-1-2013 16-1-2013 17-1-2013 18-1-2013 events (3, G) (4, A) (4, F), (5, A), (6, A) (4, G), (5, D) (5, G), (6, F) (6, G) by identifying two executions in which one activity occurs before the other one, and the other way around. The work described in [21] is comparable to [20], which presents a different control-flow discovery algorithm based on the notion of time intervals. All the aforementioned techniques only use one notion for determining intervals for activities and whether they overlap. In this paper, we study the case where activities occur in multiple intervals within the same execution. Consider the events presented in Tbl. 1 showing for each day the events that occurred. For each event, its case and activity are recorded. The time stamps of these events are in days, e.g., event (1, B) occurred on January 1, 2013, as well as event (1, E). Based on this information, we cannot infer any order between B and E, the only fact that can be inferred is that these events occurred simultaneously. As the time scale is relatively coarse, a first analysis of this event log would be the degree of concurrency. We can build a graph that depicts the intervals on a time scale, as shown in Fig. 1(a). Based on this graph, we derive a concurrency relation I ⊆ E × E, such that a I b if and only if a and b occur within the same time interval. This results in a graph as depicted in Fig. 1(b), where the dashed and solid edges together represent the relation I. For readability, the self loops have been omitted. Note that (A, G) is an edge in the graph, while no case exists in which activities A and G occur simultaneously. Therefore, we can partition the relation I into two relations IS and IG such that a IS b if and only if #case (a) = #case (b), and IG analogously. In Fig. 1(b), the edges of relation IS are solid, the edges of relation IG are dashed. Similarly, the concurrency relation is not transitive with respect to the event log: even though (B, E) and (E, C) are edges in the graph, B, C and E never occur simultaneously in any case. Whereas in Fig. 1(b) an absolute time window is taken, one could also choose to map each event to a relative interval, e.g. the respective day from the start of the day, as shown in Fig. 1(c). To allow such abstractions, we introduce the notion of an event interval mapping function that maps each event onto a time interval. Definition 2 (Event interval mapping function). Let L = (C, E, #) be an event log. A function mL : E → T × T is an event interval mapping function for L if it is an interval function. The default interval mapping function DL : E → T × T of L is defined by DL (e) = (#time (e), #time (e)) for all e ∈ E. Based on the event interval mapping function, two notions of concurrency can be observed: one based on the whole event log, called the concurrency relation, and one based on the individual executions: the simultaneousness relation. Thus, the simultaneousness relation I for an event log L can be defined as the events that occur in the same interval defined by some interval mapping function. 318 ModBE’13 – Modeling and Business Environments C A E (3,A) (1,A) (6,A) (1,B) (2,A) (2,E) (2,G) (3,G) (4,F) (5,D) (6,F) (1,E) (1,G) (2,C) (3,D) (4,A) (5,A) (4,G) (5,G) F B (6,G) G (a) intervals D (b) concurrency graph (5,D) (6,A) (4,F) (6,F) (5,A) (3,D) (5,G) (4,A) (2,C) (4,G) (3,A) (2,E) (2,A) (1,B) (2,G) (1,A) (1,E) (1,G) (3,G) (6,G) (c) Relative time, intervals Fig. 1. Intervals of Tbl. 1 Definition 3 (Concurrency, simultaneousness relation). Let L be an event log, and m a corresponding event interval mapping function. Its concurrency relation I¯m ⊆ E × E is defined by a I¯m b iff π1 (m(a)) ≤ π2 (m(b)) and π1 (m(b)) ≤ π2 (m(a)) for a, b ∈ E. Its simultaneousness relation Im ⊆ E × E is defined by a Im b iff both a I¯m b and #case (a) = #case (b) for a, b ∈ E. In the literature, the graph imposed by the concurrency relation is called the interval graph [11, 16]. Following [11], we can define an ordering relation ≻ that is defined by a ≻ b iff π2 (m(a)) < π1 (m(b)), stating that b “wholly occurs after” a. Relation ≻ is called an interval order [28, 29], as proven in [11]. Definition 4 (Interval order). A binary relation R over some set S is an interval order if a R b and c R d imply a R d or c R b for all a, b, c, d ∈ S . Using intervals in concurrency is not new. For example, Janicki and Koutny [14] show that the notion of interval orders naturally follows from a basic assumption on concurrency: “the observer can state that one event preceded another event, or that two events occurred simultaneously”. The authors show that for finite event logs, events can be interpreted as intervals on a discrete time scale. The authors introduce a model as a set of relations defining (weak) causalities, commutativity and synchronisation. An observation is called a history of a model if the relations induced by the observation coincide with the relations of the model. J.M.E.M. v.d. Werf et al.: Mining Declarative Models Using Time Intervals 319 In [6], Allen defines a set of assertions and properties based on time intervals: “before”, “equal”, “meets”, “overlaps”, “during”, “starts” and “finishes”. Based on these predicates, the authors introduce the assertion “occurs” with two variables: an event and an interval. This approach is often used in the area of artificial intelligence to reason over time using logic programming [7, 22]. 4 Activities as Sets of Intervals The interval mapping function on event logs introduced in the previous section induces an interval order on the events in the event log. In this way, approaches like in [9,14] are directly applicable on this interval mapping function. These approaches mainly focus on a single run of a system: each event occurs exactly once. However, process mining mainly focuses on the analysis of the process implied by the activities for which the events in the event log occurred. Different events for the same activity may indicate that the activity has been executed several times. Or, if an event represents the different stadia of some life cycle of activities, like a start and complete type, multiple events occur for the same activity. In [19] an approach is given for identifying pairs of events which denote the start and end of an activity. Thus, a single execution involves multiple occurrences of activities with some duration. Therefore, we search for new relations such that we can describe the relations on activity level, rather than on the level of events. One way to lift the interval functions from events to activities is by defining a relation based on the interval order. Similar to the concurrency and simultaneousness relation, one would obtain two relations R̄ and R such that a R̄ b ⇔ ∃e1 , e2 ∈ E : #act (e1 ) = a ∧ #act (e2 ) = b ∧ e1 ≻ e2 a R b ⇔ ∃e1 , e2 ∈ E : #case (e1 ) = #case (e2 ) ∧ #act (e1 ) = a ∧ #act (e2 ) = b ∧ e1 ≻ e2 In fact, using the default event interval mapping of an event log, relation R coincides with the weak order relation of [25], which allows us to construct a relation set [26] based on intervals. In this paper, we will focus on behavioural relations based on the interval in which an activity is executed. Although the above relation R̄ is transitive, it abstracts away from the observed sequences in the event log. As activities may have multiple occurrence intervals, it is not an interval function. Therefore, we need to generalize the interval function to sets of intervals. Definition 5 (Generalized interval function). Given a set S and a, possibly infinite set T ⊆ R, a function f : S → P(T × T ) is called a generalized interval function if x ≤ y for all (x, y) ∈ f (a) and a ∈ S . A generalized interval function can define a large set of small intervals, or a small set of large intervals. We call this the granularity of the interval function. Given any generalized interval function, we can define its most fine granular interval function, i.e., each point is its own interval, and the most coarse granular interval function, i.e., the conjunction of all intervals. 320 ModBE’13 – Modeling and Business Environments Table 2. Event log of a single case Act. Type Time Act. Type Time A start 1 B start 9 B start 2 D complete 10 B complete 3 B complete 11 C start 4 E complete 12 A complete 5 D start 13 C complete 6 F start 14 D start 7 D complete 15 E start 8 F complete 16 F E D C B A F E D C B A (a) Per instance of the activity (b) Total time Fig. 2. Possible occurrence intervals of Tbl. 2 Definition 6 (Finest and coarsest interval functions). Let f : S → P(T × T ) be a generalized interval function. Its finest interval function, denoted by f ↓: S → P(T ×T ), is defined by f ↓ (s) = {(t, t) | ∃(x, y) ∈ f (s) : x ≤ t ≤ y} The coarsest interval function of f , denoted by f ↑: S → P(T × T ), is defined by: f ↑ (s) = { ( min{ π1 ( f (s) ) }, max{ π2 ( f (s) ) } ) } Consider as an example the event log shown in Tbl. 2 representing the events of a single case. In this example, the time scale is defined as hours since the start of the execution. Many different ways exists to map these events to a generalized interval function on activities. Two example mappings are given in Fig. 2. In the first example, the start and complete events of each activity are used to define the different intervals, whereas in the second example the very first start event of the activity defines the begin of the interval, and the very last complete event of the activity the end of the interval. Observe that in Fig. 2(a) activities B and C have no overlap, whereas in Fig. 2(a) these activities do have overlap. In general, an event log records many different executions. Therefore, we map each execution to its own activity interval function. This results in an activity interval mapping for an event log. As each event belongs to a single activity, we require that an activity interval mapping defines a unique interval for each event in the event log. On the other hand, as an activity may be represented by multiple occurrences, multiple events may be related to the same activity interval. J.M.E.M. v.d. Werf et al.: Mining Declarative Models Using Time Intervals 321 Definition 7 (Activity interval mapping). Let L = (C, E, #) be an event log with corresponding event interval mapping m, let A be a set of activities of L, and let T ⊆ R be the time scale. The function G : C × A → P(T × T ) is called an activity interval mapping iff – each event has a unique corresponding interval, i.e., ∀e ∈ E : ( ∃I ∈ G(#case (e), #act (e)) : m(e) ⊆ I ) ∧ ( ∀I, J ∈ G(#case (e), #act (e)) : (m(e) ⊆ I ∧ m(e) ⊆ J) =⇒ I = J ) – each interval has at least one event occurrence, i.e., ∀a ∈ A, c ∈ C, I ∈ G(c, x) : ∃e ∈ E : #case (e) = c ∧ #act (e) = a ∧ m(e) ⊆ I The default activity interval mapping of an event log L, denoted by L̄ : C × A → T × T , is defined by: L̄(c, a) = {m(e) | ∃e ∈ E : #case (e) = c ∧ #act (e) = a} Many different interval functions can be defined for an event log. As the next corollary shows, such activity interval mappings are related, as intervals may be combined into larger intervals, or split into several smaller intervals. It is simple to see that given some activity interval mapping, its coarsest interval function is also an activity interval mapping. Further, the finest interval function of the minimal activity interval mapping is contained in the finest interval function of the activity interval mapping. Corollary 8. Given an event log L with corresponding event interval mapping m and activity interval function G. Let A be the set of activities in L. Then (1) G ↑is an activity interval mapping, (2) L̄ ↓ ⊆ G ↓, and (3) π1 (G ↑ (a)) ≤ π1 (L̂ ↑ (a)) and π2 (G ↑ (a)) ≥ π2 (L̄ ↑ (a)) for all activities a ∈ A. 5 Relations on Interval Sets In general, a generalized interval function does not define any interval order. Consequently, approaches like in [6, 14] cannot be used to determine causality and similarity relations. In this section, we derive such notions based on the generalized interval function. 5.1 Notions of Simultaneousness In an interval order two intervals are unrelated if one does not wholly occur after the other, and vice versa. With sets of intervals, different degrees of simultaneousness can be defined. The weakest form of simultaneousness is when two elements have some overlapping intervals. For example, in the intervals shown in Fig. 3(a), activities A and B have some intervals that overlap. Note that the relation is not transitive, as shown in the same figure. We say an element s is dependent simultaneous with some other element t if for every interval of s, an overlapping interval of t exists. Thus, everytime s is started, t will be started as well, whereas if t occurs, s does not have to occur. If s always overlaps with t, we say they are strongly dependent. 322 ModBE’13 – Modeling and Business Environments A B C A B C (a) Weakly simultaneous (b) Dependent simultaneous A B C (c) Strongly simultaneous Fig. 3. Simultaneousness relations Definition 9 (Simultaneousness). Let f be a generalized interval function over some set S . Let s, t ∈ S . Then: – s and t are weakly simultaneous, denoted by s ↔ t, if s and t share some interval, i.e., ∃I ∈ f (s), J ∈ f (t) : I ∩ J , ∅; – s is dependently simultaneous with t, denoted by s ⇒ t, if always if s occurs, then t occurs in the same interval, i.e., ∀I ∈ f (s) : ∃J ∈ f (t) : I ∩ J , ∅; – s and t are strongly simultaneous, denoted by s ⇄ t, if s and t always overlap, i.e., s ⇄ t if and only if s ⇒ t and t ⇒ s. Consider again Fig. 3. In Fig. 3(a) we have A ↔ B and B ↔ C but not A ↔ C, in Fig. 3(b) we have A ⇒ B as every interval of A overlaps with some interval of B, B ⇒ C as each interval of B overlaps with some interval of C and A ↔ C but not A ⇒ C as not every interval of A overlaps with an interval of C. Last, in Fig. 3(c) we have A ⇄ B, B ⇄ C and A ⇒ C but not A ⇄ C, as every interval of A overlaps some interval of C but not vice versa. Based on their definitions, it is trivial to see that strong simultaneousness implies dependent simultaneousness which in turn implies weak simultaneousness. Corollary 10. Let f be a generalized interval function over some set S , and let s, t ∈ S . Then (1) s ⇒ t ∧ f (s) , ∅ =⇒ s ↔ t, and (2) ⇄ and ↔ are symmetric and reflexive. As shown in Fig. 3, none of these relations is transitive. Consequently, we cannot obtain equivalence classes based on the intervals. As the relation ⇄ is symmetric and reflexive, it can be used as a dependence relation over the set of activities, which allows us to use Mazurkiewicz trace theory [10] for e.g. synthesis and to check completeness of event logs. 5.2 Notions of Causality Fishburn showed in [11], that given an interval function f , any order ≻ with x ≻ y iff π2 ( f (x)) < π1 ( f (y)), i.e., that the interval of x is wholly after the interval of y, is an interval order. Similarly, the > relation in relation sets [4, 26] states that if a > b but not J.M.E.M. v.d. Werf et al.: Mining Declarative Models Using Time Intervals A B C 323 A B C (a) Wholly succeeded by A B C (b) Succeeded by A B C (c) Strictly succeeded by (d) Preceeded by A B C (e) Strictly preceeded by Fig. 4. Different causal relations based on the intervals b > a, then a and b are causally ordered, i.e., a is followed by b, but b never followed by a. In terms of intervals, similar relations can be defined. Again, as an activity possibly has multiple intervals, we need to adapt the notion of causality to sets of intervals. The first causality relation we introduce is if all intervals of some activity t occur after the intervals of s occurred, i.e., s is wholly succeeded by t. An example is depicted in Fig. 4(a), in which A is wholly succeeded by B and B is wholly succeeded by C. If for each interval of s some interval of t can be found that wholly succeeds the interval of s, we say that s is succeeded by t. In Fig. 4(b), A is always succeeded by B, and B is always succeeded by C. Note that this allows intervals of t to occur simultaneously with intervals of s, or even occurring before s, as shown in Fig. 4(b) where B occurs before A. If s is succeeded by t and they have no overlapping intervals, we say that s is strictly succeeded by t. An example is shown in Fig. 4(c), where A is strictly succeeded by B, and B strictly succeeded by C. Note that whereas the succeeded relation is transitive, the strictly succeeded is not, as A and C have overlap. Symmetrically, if for each interval of t an interval of s can be found that wholly preceeds the interval of t, we say that t is preceeded by s. This allows intervals of s to occur after intervals of t, or even simultaneously, as shown in Fig. 4(d) where B is preceeded by A, and C by B. The relation is called strict, if s and t are not simultaneously. Again, as shown in Fig. 4(e), the strictly preceeded relation is not transitive, as B is strictly preceeded by A, and C by B, but A and C have overlap. This leads to the following notions of causality. Definition 11 (Causality). Let f be a generalized interval function over some set S . Let s, t ∈ S . Then: – s is wholly succeeded by t, denoted by st, if all intervals of t are after the intervals of s, i.e., π2 ( f ↑ (s)) < π1 ( f ↑ (t)); 324 ModBE’13 – Modeling and Business Environments – s is succeeded by t, denoted by s D t, if each interval of s is followed by an interval of t, i.e., ∀(a, b) ∈ f (s) : ∃(c, d) ∈ f (t) : b < c; – s is strictly succeeded by t, denoted by s t, if s D t and not s ↔ t; – t is preceeded by s, denoted by s ⊒ t, if each interval of t is preceeded by an interval of s, i.e. ∀(c, d) ∈ f (t) : ∃(a, b) ∈ f (s) : b < c; – t is strictly preceeded by s, denoted by s = t, if s ⊒ t and not s ↔ t. It is easy to see that the wholly succeeded relation is a strict order. Similarly, the followed by and preceeded by relations are transitive. However, these relations are not irreflexive in general. Only if the set of intervals for some activity is finite, the relations are irreflexive as well, and thus a strict order. If an activity has an infinite set of intervals, then it is succeeded by itself. If some activity is wholly succeeded by some other activity, then it is easy to show that the former activity is strictly succeeded by the latter, and the latter is strictly preceeded by the former. Corollary 12. Let f be a generalized interval function over some set S . Then (1) is a strict order, (2) D, and ⊒ are transitive, and (3) x y =⇒ x y ∧ x = y for all x, y ∈ S . Further, the strictly succeeded by and strictly preceeded by relations are subsets of the succeeded by and preceeded by relations, respectively. Corollary 13. Let f be a generalized interval function over some set S . Then (1) ⊆ D, and (2) = ⊆ ⊒. As for the interval order ≻ defined on events, the wholly succeeded by relation on activities is an interval order, which follows directly from the definitions. Lemma 14 (Wholly succeeded is an interval order). Let f be a generalized interval function over some set S . Then is an interval order. Proof. Let a, b, c, d ∈ S such that a b, and c d. We need to show that either a d or c b holds. Suppose a d does not hold, i.e., π2 ( f ↑ (a)) ≥ π1 ( f ↑ (d)). Then π2 ( f ↑ (c)) < π1 ( f ↑ (d)) ≤ π2 ( f ↑ (a)) < π1 ( f ↑ (b)). Hence, c b. Similarly, suppose c b does not hold, i.e., π2 ( f ↑ (c)) ≥ π1 ( f ↑ (b)). Then π2 ( f ↑ (a)) < π1 ( f ↑ (b)) ≤ π2 ( f ↑ (c)) < π1 ( f ↑ (d)). Hence, a d. ⊔ ⊓ 5.3 Other Control-Flow Relations The simultaneousness and causality relations form the basic building blocks of any process modelling language. Many other control-flow relations can be defined, depending on the needs within the process modelling notation. For example, one can define a nextto relation on activities, defining whether two activities are directly after one another, without any activitiy in between. As for simultaneousness, this can be a weak relation, i.e., for two activities there are intervals next to each other, or a strong relation, i.e., for all intervals. J.M.E.M. v.d. Werf et al.: Mining Declarative Models Using Time Intervals 325 Definition 15 (Next-to relation). Let f be a generalized interval function over some set S . Let s, t ∈ S . We say s is next to t, denoted by s ◦ t, if some interval of s is directly followed by an interval of t, without any occurrence of other activities in between, i.e., ∃(k, l) ∈ f (s), (o, p) ∈ f (t) : ( l < o ∧ ¬(∃u ∈ S : (m, n) ∈ f (u) : l < n ∧ m < o) ) Similarly, s is followed by t, denoted by s • t, if all intervals of s are directly followed by an interval of t, without any occurrence of other activities in between, i.e., ∀(k, l) ∈ f (s) : ( ∃(o, p) ∈ f (t) : l < o ∧ ¬(∃u ∈ S : (m, n) ∈ f (u) : l < n ∧ m < o) ) Naturally, if s is followed by t, then s is also succeeded by t. Corollary 16 (Follows implies succeeded). Let f be a generalized interval function over some set S , and let s, t ∈ S . Then if s • t then also s D t. As activities are represented by sets of intervals, an activity can be enclosed by some other activity, i.e., some activity B always occurs between two intervals of A. We call this relation betweenness. Again, this can be a strong notion, requiring this for all intervals of B, or a weak notion, only requiring the existence of such an interval of B. Definition 17 (Betweenness). Let f be a generalized interval function over some set S . Let s, t ∈ S . We say t is weakly in between s, denoted by s # t, if some interval of t is in between two intervals of s, i.e., ∃(m, n) ∈ f (t), (k, l), (o, p) ∈ f (s) : l < m ∧ n < o. Similarly, we say t is in between s, denoted by s t, if all intervals of t are between two intervals of s, i.e., ∀(m, n) ∈ f (t) : (∃(k, l), (o, p) ∈ f (s) : l < m ∧ n < o). Altough betweenness seems a natural choice, it can be expressed in terms of the basic causality notions defined in Def. 11. Corollary 18 (Betweenness implies basic causality). Let f be a generalized interval function over some set S , and let s, t ∈ S . If s t then s ⊒ t and t D s. 6 Discovering Declarative Models The density of the time scale has a great impact on the level of concurrency in an event log, and hence in the model that describes the allowed behaviour of the executions in the event log. Procedural languages prescribe the order in which activities are supposed to occur. Consequently, concurrency needs to be modelled explicitly in such languages. Instead, we use a declarative approach that has concurrency as a language primitive: activities may occur simultaneous, unless constraints prohibit the execution of the activity. 6.1 Declare Language In this paper, we use the declarative language Declare [2]. The language provides a graphical layout to visualize the activities and constraints in the model. It does not come with a predefined set of language constructs. Instead it offers a set of language constructs called constraint templates, which the user may adapt to its own needs. These constraint templates are based on Linear Time Logic (LTL) [8]. Declare comes with a 326 ModBE’13 – Modeling and Business Environments Table 3. Basic language constructs in Declare Constraint Template Graphically init A init σ(1) = A response (A =⇒ ⋄B) precedence ((¬B) U A) ∨ ¬B non coexistence ¬((⋄A) ∧ (⋄B)) A B A B A B n..m A (n..m) occurrences |{i | σ(i) = A}| ∈ [n..m] ⊆ N Table 4. Newly introduced constraints in Declare Constraint Template Graphically strongly simultaneous A⇄B Dependently simultaneous A ⇒ B wholly succeeded AB strict response AB strict precedence A=B A B A B A B A B A B basic set of language constructs. Tbl. 3 depicts the language constructs from Declare used in this paper. The first constraint template, init, states that the first activity of any sequence, represented by σ, should start with A, where A is a placeholder for the actual activity. Similarly, the response template states that every A should eventually be followed by some activity B. The precedence constraint template expresses that some activity B has to be preceeded by some activity A. With the non coexistence template, it is possible to express that two activities should not occur together in any sequence. Last, we allow to limit the number of times an activity can be executed using the n..m occurrences template, where n ≤ m specifies the minimal and maximal number of times some activity A is executed. 6.2 Interval-Based Constraints The constraints in Declare do not take activity duration into account. Consequently, we need to relate the constructs used in Declare with the simultaneousness and causality relations defined in the previous section. First, consider the response constraint template. This constraint expresses that activity A is always eventually followed by B. This can be interpreted in many different J.M.E.M. v.d. Werf et al.: Mining Declarative Models Using Time Intervals 327 ways, e.g., “once activity A is started, activity B will eventually start”, or “once activity A is finished, activity B will eventually start”. We choose the latter interpretation, i.e., after activity A finished, eventually activity B will start. A second consideration is whether the response and precedence templates should allow the activities in the constraint to occur simultaneously. As the response template is transitive in the Declare language, we allow the activities to overlap. Thus, we interpret the response template with the succeeded by relation introduced in the previous section. Similarly, we interpret the preceeds template as “before activity B starts, activity A should be finished”, which coincides with the preceeds by relation introduced in the previous section. Therefore, the strictly succeeded by and strictly preceeded by relations are added to the Declare language, as shown in Tbl. 4. Although in Declare concurrency is a language primitive, each activity in the model is considered to be instantaneous. The language does not provide any constraint that limits concurrency without destroying it. Thus, the weak simultaneousness relation as presented in the previous section is directly supported in the language. The two stronger simultaneousness relations impose an order on the activities: although the activities may overlap, the other activity must be executed simultaneously. This is expressed by the strongly simultaneous template and dependent simultaneous template as depicted in Tbl. 4. 6.3 Discovery In the previous section, we introduced several notions of simultaneousness and causality. Up to now, these relations only consider a single execution of the system. An event log contains a set of executions that are executed by, most likely, the same process. Hence, to come to a model that describes each of the executions in the event logs, we need to aggregate the relations over the different executions in the event log. In what follows, we sketch a declarative discovery algorithm based on time intervals. Here, it is important to mention that the choice of the generalized interval functions for the activities breaks or makes the approach presented in this paper. Events to interval First step in the approach is to map each event to an interval. In many cases the default event interval mapping, i.e., that maps each event to a singlepoint interval, can be used. In some cases, for example if event logs of multiple systems are combined, a reliability interval can be attached to each interval. Activities to sets of intervals Next step is the construction or discovery of an accurate activity interval mapping. For example, one can fix the granularity of the time scale, make it relative or absolute, and then map each event to the corresponding time interval. Or, one can use the event types to determine the life cycle of an activity, and base the activity interval mapping on this information. Although at first sight this seems to be a trivial step, there are many pitfalls [12]. For example, if two instances of the same activity run simultaneously, which interval should be used to map the activity on? 328 ModBE’13 – Modeling and Business Environments Strongly simultaneousness Wholly succeeded by Dependently simultaneousness Strictly succeeded by Strictly preceeded by Weakly simultaneousness succeeded by preceeded by (a) Simultaneousness (b) Causality Fig. 5. Hierarchy of simultaneousness and causality relations Derive relations Once the activity interval mapping has been established, we can start to derive the different relations. For example, the (n..m) occurrences template can be easily constructed by analyzing the number of occurrences in each of the sequences in the event log. Similarly, the non-coexistence relation can be calculated by a single walk through the sequences of the event log. Next step would be to derive the different simultaneousness relations and causality relations. For this, we use the relation hierarchy as depicted in Fig. 5, which follows directly from Cor. 10 and Cor. 12. An arrow from one relation to another relation means that the former is included in the latter. For example, the strongly simultaneousness relation is included in the dependently simultaneousness relation. The algorithm starts with assuming the strongest relation between each of the activities. By going through the different intervals, relations are weakened, until all intervals of all sequences in the event log have been inspected. The algorithms to derive the simultaneousness and causality relations do not take transitivity into account, which results in models with many constraints, expressing the complete transitive closure of the respective relations. Therefore, these relations need to be reduced, such that the transitive closure of this reduced relations remain the same. For this, standard algorithms as described in [5] can be used. Although at first sight this seems a straightforward task, it is not, as one wants to take the hierarchy of relations into account during the reduction, which is closely related to the “minimum equivalent graph” problem [18], which is NP-hard. Last, we sugar the models using nesting, as has been done in e.g. Dynamic Condition Response Graphs [13]. In this approach, set of nodes having the same constraints are nested in a so called “super nodes”. For the example event log of Tbl. 1, the discovery algorithm that has been sketched above results in the model depicted in Fig. 6. For the activities B, C, and E, we briefly illustrate the steps of the algorithm. In the first step, we take a relative time scale for the activity interval mapping. Moreover, a “start” event denotes the start time of an activity and a “complete” event denotes the end time of an activity. Secondly, all three J.M.E.M. v.d. Werf et al.: Mining Declarative Models Using Time Intervals 0..1 0..1 B C 329 0..1 E 1..1 init 1..1 A G 0..1 0..1 D F Fig. 6. Model discovered from the event log in Tbl. 1 activities occur at most once in each of the sequences of the event log resulting into a 0..1 occurrence relation for each of them. Also, activity A and B never occur together in each sequence. In the third step, it is discovered that activities B and C are strongly simultaneous. Also, the tree activities are all preceeded by activity A and succeeded by activity G. Finally, in the last step, activities B, E and C are nested, as these activities are all preceeded by A, do not coexist with D and F, and are all succeeded by G. 7 Conclusions Timestamps in an event log play an essential role in process mining to determine the order in which events occur. A typical problem in process mining is the impreciseness of these timestamps. In this paper, we overcome this problem by assuming that each event occurs in some time window, i.e., in some interval. As the intervals in an event log are on the level of events, rather than on the level of activities, we have presented an approach based on sets of intervals to represent the occurrences of the activities in the model. On these sets of intervals new notions of simultaneousness and causalities are derived. These notions form the basis to discover declarative models. The simultaneousness relation forms a natural candidate for the dependency relation in Mazurkiewicz traces. In this way, simultaneousness can be used to test the completeness of event logs, by exploring the Mazurkiewicz equivalent traces. Although intervals are a natural choice to overcome the impreciseness of timestamps, choosing the right time window is a hard problem. The events and activities can be mapped to intervals in many different ways. The granularity of the time scale, like milliseconds, hours or days, can be used to define the intervals, the time scale can be relative or absolute. Or, if the event log contains a transition life cycle, like a start and complete event, then the first and last event of each execution can be used to determine the intervals in the activity interval mapping. Empirical research is needed to test, validate and compare the different alternatives. As the proof of the pudding is in the eating, we will implement the presented approach in ProM [23] to perform more case studies to test and fine tune the resulting declarative models. 330 ModBE’13 – Modeling and Business Environments Acknowledgements The authors would like to thank Jetty Klein for the fruitful discussions about paradigms of concurrency and interval orders. References 1. W.M.P. van der Aalst. Process Mining: Discovery, Conformance and Enhancement of Business Processes. Springer-Verlag, Berlin, 2011. 2. W.M.P. van der Aalst, M. Pesic, and M.H. Schonenberg. Declarative workflows: Balancing between flexibility and support. Computer Science - Research and Development, 23:99–113, 2009. 3. W.M.P. van der Aalst and C. Stahl. Modeling Business Processes -Ű A Petri Net-Oriented Approach. The MIT Press, 2011. 4. W.M.P. van der Aalst, A.J.M.M. Weijters, and L. Maruster. Workflow Mining: Discovering Process Models from Event Logs. Knowledge & Data Engineering, 16(9):1128–1142, 2004. 5. A.V. Aho, M. R. Garey, and J. D. Ullman. The Transitive Reduction of a Directed Graph. SIAM Journal on Computing, 1(2):131–137, June 1972. 6. J.F. Allen. Towards a general theory of action and time. Artificial Intelligence, 23(2):123– 154, July 1984. 7. J.F. Allen. Actions and Events in Interval Temporal Logic 1 Introduction. Journal of Logic and Computation, 4:531–579, 1994. 8. E. Clarke and E. Emerson. Design and Synthesis of Synchronization Skeletons Using Branching-Time Temporal Logic. In Logics of Programs, volume 131 of LNCS, pages 52– 71. Springer-Verlag, Berlin, 1982. 9. P. Degano and U. Montanari. Concurrent Histories: A Basis for Observing Distributed Systems. Journal of Computer and System Sciences, 34(2-3):422–461, 1987. 10. V. Diekert and G. Rozenberg, editors. The Book of Traces. World Scientific, Singapore, 1995. 11. P.C Fishburn. Interval graphs and interval orders. Discrete Mathematics, 55(2):135–149, July 1985. 12. T. Gschwandtner, J. Gärtner, W. Aigner, and S. Miksch. A Taxonomy of Dirty Time-Oriented Data. In G. Quirchmayr, J. Basl, I. You, and E. Weippl, editors, CD-ARES 2012, volume 7465 of LNCS, pages 58–72. Springer, 2012. 13. T. Hildebrandt, R. Mukkamala, and T. Slaats. Nested dynamic condition response graphs. Fundamentals of Software Engineering, pages 343–350, 2012. 14. R. Janicki and M. Koutny. Structure of concurrency. Theoretical Computer Science, 112(1):5–52, April 1993. 15. Wen. L., J. Wang, W.M.P. van der Aalst, B. Huang, and J. Sun. A Novel Approach for Process Mining based on Event Types. Journal of Intelligent Information Systems, 32:163– 190, 2009. 16. R.D. Luce. Semiorders and a Theory of Utility Discrimination. Econometrica, 24(2):178– 191, 1956. 17. F.M. Maggi, R.P.J.C. Bose, and W.M.P. van der Aalst. Efficient discovery of understandable declarative process models from event logs. In CAiSE, volume 7328 of LNCS, pages 270– 285. Springer-Verlag, Berlin, 2012. 18. D.M. Moyles and G.L. Thompson. An algorithm for finding the minimum equivalent graph of a digraph. Journal of the ACM, pages 455 – 460, 1969. 19. J. Nakatumba and W.M.P. van der Aalst. Analyzing Resource Behavior Using Process Mining. In S. et al. Rinderle-Ma, editor, BPM 2009 Workshops, volume 43 of LNBIP, pages 69–80. Springer, 2009. J.M.E.M. v.d. Werf et al.: Mining Declarative Models Using Time Intervals 331 20. S.S Pinter and M. Golani. Discovering Workflow Models from Activities’ Lifespans. Computers in Industry, 53:283–296, 2004. 21. Y.-L. Qu and T.-S. Zhao. Building Process Models Based on Inverval Logs. In M. Ma, editor, Communication Systems and Information Technology, volume 100 of LNEE, pages 71–78. Springer, 2011. 22. G. Rosu and S. Bensalem. Allen Linear (Interval) Temporal Logic – Translation to LTL and Monitor. In Computer Aided Verification, pages 263–277. Springer, 2006. 23. H.M.W. Verbeek, J.C.A.M. Buijs, B.F. van Dongen, and W.M.P. van der Aalst. XES, XESame, and ProM 6. In Information System Evolution, volume 72, pages 60–75. Springer, 2011. 24. J. de Weerdt, M. de Backer, J. Vanthienen, and B. Baesens. A Multi-dimensional Quality Assessment of State-of-the-Art Process Discovery Algorithms using Real-Life Event Logs. Information Systems, 37:654–676, 2012. 25. M. Weidlich, J. Mendling, and M. Weske. Efficient consistency measurement based on behavioral profiles of process models. IEEE Trans. Software Eng., 37(3):410 – 429, 2011. 26. M. Weidlich and J.M.E.M. van der Werf. On Profiles and Footprints – Relational Semantics for Petri Nets. In Application and Theory of Petri Nets, LNCS, pages 148–167. Springer, 2012. 27. J.M.E.M. van der Werf, B.F. van Dongen, C.A.J. Hurkens, and A. Serebrenik. Process Discovery Using Integer Linear Programming. Fundamenta Informatica, 94(3 – 4):387 – 412, 2009. 28. N. Wiener. A contribution to the theory of relative position. Proceedings of the Cambridge Philosophical Society, 17:441–449, 1914. 29. N. Wiener. A new theory of measurement: A study in the logic of mathematics. Proceedings of the London Mathematical Soc., s2-19(1):181–205, 1921. 332 ModBE’13 – Modeling and Business Environments Part VIII ModBE’13: Short Presentation Improving Emergency Department Processes Using Coloured Petri Nets Khodakaram Salimifard1, Seyed Yaghoub Hosseini2, Mohammad Sadegh Moradi1 1 Industrial Management Department, Persian Gulf University, Bushehr, Iran salimifard@pgu.ac.ir, msadeghmoradi@gmail.com 2 Business Management Department, Persian Gulf University, Bushehr, Iran hosseini@pgu.ac.ir Abstract. With increasing demand for medical services, emergency departments (ED) are facing problems such as overcrowding and dissatisfaction. Improving the key performance indicators of EDs has been the focal point of healthcare management. This paper addresses performance analysis of ED of a general hospital. To this aim, a discrete event dynamic modeling approach is used to model the ED processes. The model employs a hierarchical timed Coloured Petri net framework in a concise and detailed way to capture patient flow and care processes within the ED. The simulation model was validated against historical data and then different types of scenarios were used to assess, compare and improve ED key performance indicators, such as patients waiting time, length of stay (LOS), and resource utilization rate. The proposed model helped the hospital policy makers to configure the ED in a way to improve its efficiency and staff satisfaction. Keywords: Healthcare System, Emergency Department, Coloured Petri Net, Performance Analysis 1 Introduction Emergency departments (ED) are facing different problems which affect their performance. Of these, overcrowding is a common issue around the world which provides EDs patient with long length of stay (LOS), waiting times for receiving services and then dissatisfaction [1]. Although most emergency departments are under growing demand, they often face with insufficient staffing and budget constraints. One solution to this problem is to increase capacity of ED, providing adequate facilities and manpower, but this is not the best approach for solving the problem, and perhaps not achievable [2]. Recently, the need for improvement in ED processes due to cost, overcrowding and safety of patients admitted to a large extent [3].To improve the efficiency and quality of ED processes, different methods were used which include process mapping, demand management, critical path identification, queuing systems, statistical forecasting, balanced scorecard and computer simulation [4]. In the last years, the use of computer simulation to help effective decision making in health care and to improve the medical operations has been rising [5]. One of the main rea- 336 ModBE’13 – Modeling and Business Environments sons that simulation has become a common practice in solving medical problems is its ability to dynamically analyze situations and present to the stakeholders a more realistic view of the system [6]. The main purpose of the use of simulation studies in health care is to reduce waiting times and length of stay for patients, better use of resources and reducing operating cost [7]. Among the various methods for simulation in health care, discrete event simulation is the most used method especially in EDs, and it seems to be a better alternative with less time and cost compared to more traditional statistical methods [8]. This study is intended to present a general simulation model for studying hospital emergency department. For this purpose, we used Coloured Petri Nets modeling and simulation formalism for making a general model of emergency department of a general hospital. In addition to internal processes, external relations between ED and other hospital wards, such as Radiology and Laboratory, is also considered. The main objective of this paper is, hence, to improve ED processes. The problem we are dealing with is ED overcrowding which provide patient with long length of stay and waiting times. The remainder of the paper is organized as follows. Section 2 covers a brief literature review of the application of simulation in emergency departments. Research methodology, simulation model, input data and variables are presented in Section 3. Section 4 focuses on improvement scenarios and results of simulation runs. Finally, the paper is concluded in Section 5. 2 Literature review In the literature, the main focal point of discrete-event simulation models that are used for analysis of hospital emergency department is improving the flow of patients to reduce waiting times. Examples of this include studying patient flow and forecasting ED overcrowding using simulation by Hoot et al. [9], defining buffer concept to reduce waiting times and increase throughput, and comparing amount of improvement gain by buffers by Kolb et al. [10], and Khandekar et al. [11] paper on rearranging sequence of activities of care process in order to reduce waiting times. Another area of ED simulations study focus is on capacity estimation which determines the optimum number of personnel and physical resources such as bed [12], [13] and also ED layout [14]. Improving quality of services and ED processes is another area of study [5], [15]. Although the use of Petri nets in the health sector is less than other fields such as computer networks and production system, but it can be a useful method in this area. Here some related works in this area are presented. Xiong et al. [16], apply petri nets for modeling and analysis of health care process. They used a Petri net model to examine the effect of changes in arrival pattern and resources on performance metrics such as waiting times and resource utilization. Chockalingam et al [17] used Petri nets to model patient and resource flow in a hospital system. Using the Petri net model they obtained a stochastic representation of a metric termed distance to divert which measure the proximity of a hospital to a divert state. Dotoli et al. [18] focused on pulmonology department workflow and drug distribution system and used simulation as a decision support system. They employed a timed Petri net (TPN) framework to describe the workflow in the department. Another example is the work done by Ronny Man et al [19] of using process mining and Petri nets for pre hospital stroke care. In the paper, process mining is used to extract process related information e.g. timing information. Jorgensen et al [20] have used CPN for implementing a new Electronic Patient Record Workﬂow System at two stages. The ﬁrst CPN model is K. Salimifard et al.: Improving Emergency Department Processes 337 used as an execution engine for a graphical animation called EUC and the second CPN model is a Coloured Workﬂow Net (CWN). Together, the EUC and the CWN are used to close the gap between the given requirements speciﬁcation and the realization of these requirements with the help of an IT system. In this paper, care processes of ED are modeled using hierarchical timed CPN. The main focus of the model is on patient flows. The model also concentrates on the inter-department care processes. It is aimed to find a suitable operating scenario to improve some performance metrics of the department. Similar to [17], this paper has considered the relationship between different departments (Labs, Radiology) of the hospital. Performance metrics including waiting time, patient length of stay, and resource utilization are calculated under different operating scenarios. Compared to existing literature, this paper puts more emphasis on using features of CPN (color, time, and hierarchy) to capture the complex nature of the system. 3 Research methodology In this paper, CPN Tools is utilized to create the Coloured Petri net model of the system and to simulate the model to produce desired outputs. CPN Tools [21] is a powerful software tool for modeling and simulation of discrete event systems modeled in CPN. Our choice of using CPNs to model ED patient ﬂow stems from the fact that PNs capture structural properties of the underlying system which we can study and use. Petri nets provide the foundation of the graphical notation and the basic primitives for modeling concurrency and synchronization, conditions which are common in our model. After reviewing a wide range of related literature, an initial model was prepared. Based on the initial model, the generic conceptual model was developed. The generic model aimed to capture the characteristics of an emergency department of a general hospital in Iran. Information required for the modeling and simulation of processes were collected using hospital information system, sampling in ward, and also open interview with employees. In order to simulate the model under different configurations, different types of improvement scenarios were defined and compared against performance criteria. Please note that here the term “Generic” as Gunal and Pidd [22] mentioned means that the model has a defined structure with probability distributions that can be parameterized by the user. The hospital under study is a general hospital in the city of Yazd of Iran. The emergency department of the hospital consists of one triage room, one primary visit room, admission and discharge unit, CPR room, and two inpatient areas with 24 inpatient bed. It works 3 shifts a day with 1 triage nurse, 1 general practitioner (GP), 1 emergency medicine specialist (SP), 1 admission staff and 6 nurses. 3.1 Process flow chart Fig.1. depicts an overall patient flow of Emergency Department of the hospital. This flow chart is depicted based on researcher observation of the process and also domain expert opinion. The process diagram was drawn in such a way that in addition to our hospital it could also be used in other Iranian hospitals. Patients are triaged on arrival at the emergency department. The triage nurse makes an initial evaluation of patient symptoms. Then, according to Emergency Severity Index (ESI), she classifies the patient in one of the 5 levels of emergency. A patient in level 1 is with more acuity while a patient in level 5 is in fact 338 ModBE’13 – Modeling and Business Environments an outpatient with less acuity. After this stage, patient is referred to the GP. The GP determines whether or not the patient requires other care services. Usually, patients with acuity level 5 will leave the ED as soon as the payment cleared. Other patients who need more medical services, such as diagnostic tests, need to be registered and will be directed through the other processes. The final decision about the patient including discharge, inpatient at ED, or being referred to other wards is taken by SP. 3.2 Performance variables For each process improvement project, establishing quantitative measures to implement changes and develop monitoring system for continuous improvement is crucial. In this paper, we investigate three key performance metrics including patients waiting times, length of stay, and ED resource utilization. • Waiting times [min]. It is the mean duration a patient need to spend in the ED waiting room. • Length of stay (LOS) [min]. The total time of staying at ED, from arrival to the time of final decision made by SP. • Resource utilization [%]. Represents the total busy time of resources compared with total working time. 3.3 Data collection Model inputs are distribution functions of ED activities. Random sampling was used to estimate required data for patient’s arrival times and service time for all resources. All distributions determined from the data and used in the model were validated by using Kolmogorov Smirnov goodness of ﬁt test with a 5% signiﬁcance level. Using statistical goodness of fit method, the distribution of processing time of different activities have been defined. K. Salimifard et al.: Improving Emergency Department Processes 339 Fig. 1. Process flow of emergency department Table 1. Simulation input distribution functions Input parameter Patients inter arrival pattern Triage time GP visit time admission SP visit time Distribution Exponential , expel(9) Lognormal , 0.21 + LOGN(0.875, 0.613) Gamma , 1 + GAMM(0.732, 2.2) Lognormal , 0.16 + LOGN(1.11,0.729) Triangular (1,2,3) CPR time Triangular (5,15,30) ED outpatient surgery(OR) Triangular (10,20,30) In cases where there was no possibility of sampling, based on information available in the hospital information system and also hospital staff experience, minimum, average and maximum duration of each activity were chosen as the statistical distribution. 340 3.4 ModBE’13 – Modeling and Business Environments The Hierarchical Timed Petri Net Model of the ED We used Color Petri-nets (CPNs) to model patient ﬂow in an emergency department of a hospital. A PN consists of a set of places, and a set of transitions and arcs that connect place(s) to a transition and vice-versa. Non-negative integers assigned to every place in the net are known as tokens. Overview of Colored Petri Nets. Coloured Petri nets are a discrete-event modeling language combining the capabilities of Petri nets with the capabilities of a high-level programming language. Petri nets are directed, bipartite graphs that can be used to model discrete distributed systems. A CPN as defined by [23] is a nine-tuple 𝐶𝑃𝑁 = (𝑃, 𝑇, 𝐴, Σ, 𝑉, 𝐶, 𝐺, 𝐸, 𝐼), where 𝑃 is a ﬁnite set of place 𝑇 , is a ﬁnite set of transitions 𝑇 such that 𝑃 ∩ 𝑇 = ∅, 𝐴 ⊆ 𝑃×𝑇 ∪ 𝑇×𝑃 is a set of directed arcs, Σ is a ﬁnite set of non-empty color sets, 𝑉 is a ﬁnite set of typed variables such that type [𝑣]𝜖Σ for all variable 𝑣𝜖𝑉 s, 𝐶: 𝑃 → Σ is a color set function that assigns a color set to each place, 𝐺: 𝑇 → 𝐸𝑋𝑃𝑅! is a guard function that assigns a guard to each transition 𝑡 such that type 𝐺 𝑡 = 𝐵𝑜𝑜𝑙 , 𝐸: 𝐴 → 𝐸𝑋𝑃𝑅! is an arc expression function that assigns an arc expression to each arc 𝛼 such that type, 𝐸 𝑎 = 𝑐(𝑝)!" where 𝑝 is the place connected to the arc 𝛼, 𝐼: 𝑃 → 𝐸𝑋𝑃𝑅! is an initialization function that assigns an initialization expression to each place 𝑝 such that type. 𝐼 𝑝 = 𝑐(𝑝)!" . A CP-net has a distinguished initial marking, denoted by 𝑀! , and obtained by evaluating the initialization expressions. The marking can be viewed as a ‘snapshot’ of how tokens are distributed in the PN [24]. The simulation model of ED. Fig.2. shows the key structures of the model. The top layer of the ED model is illustrated in this figure. This layer is the core part of the model. In the model each place (circle) represents the state where patients may to be exposed there (table 2). Entry of each patient to the ED is modeled by a token on the place New Patient (Fig.2). This place has the color set PAT, whose elements are 5-tuples (ESI, at, qtr., wt, pt) consisting of patient Emergency Severity Index (ESI=1,...,5), patient arrival time to the ED (at), an intermediate variable for Calculating wait time (qt), patient wait time for receiving services (wt) and activities process time (pt). In the initial marking, the New Patient has a random integer ESI number Between 1 to 5, an arrival time based on an exponential distribution with mean 9, qt is equal to at and wt and pt are equal to 0. In the ED layer (Fig.2) there are 8 transitions (the rectangles) with tag beside them which called substitution transitions. Each of this transition has a subnet page belong to it that corresponds to one of the considered tasks in the process. To know about the model mechanism in each subnet consider GP visit subnet page as an example (Fig.3).The occurrence of the transition Start visit models the situation where a general Practitioner (resource) changes from being ready to being busy until the transition End visit occurs. Patients wait to seize GP and after stochastic delay (GP visit time) and receiving GP orders, they release that resource and come back to top layer to carry on rest of the process. The other page is as the illustrated mechanism. K. Salimifard et al.: Improving Emergency Department Processes 341 Table 2. Place Description of the ED core layer Place description P1 State for non urgent patient P2 State for urgent patient (CPR needed) P3 Patients visited and need extra services P4 Patients visited and will be discharge P5 Patients admitted P6 Patients admitted and need surgery P7 Number of patients waiting for radiology P8 Number of patients waiting for laboratory P9 Patients have done radiology test P10 Patients have done radiology and also need lab test P11 Surgery result with success P12& P13 Patients with their Lab test result P14 Patients have done radiology and do not need Lab The model contains resources (shown in Table 3) like nurses; physicians etc. in the form of tokens, and patients use these resources according to model logic to receive care. These resource tokens are held by the patients until they move to the next stage. The delay in availability of a resource is represented as non-availability of tokens to advance the patient tokens through the net. This delay increases the number of patient tokens in the system waiting for a resource. Also Sets of variables used on the transitions in Fig. 2 are showed in Table 4. Table 3. Initial resource-token distribution resources places Triage nurse GP Doc admission SP Doctor Radiology staff Laboratory staff CPR equipment tokens 1 1 1 1 6 12 1 342 ModBE’13 – Modeling and Business Environments Table 4. Model variables and description variable description p Represent each patient and carry five attribute: ESI, arrival time, qt, wait time, process time which are assigned to them l determine that patient need laboratory test or not r determine that patient need radiology test or not LR Laboratory result RR Radiology result gp General Practitioner (resource) sp Emergency medicine specialist (resource) K. Salimifard et al.: Improving Emergency Department Processes 343 p@+expTime(9) 1`(1,0,0,0,0)@0 p Triage new patient Triage p PAT NewPatient (p) next patient Arrival PAT p p p2 p1 PAT PAT p p GP visit p p4 GP Visit gp 1`gp@0 p PAT ((p,l,r),or) GP Doc OPAR p3 GP gp ((p,l,r),or) CPR p CPR P_HIGH (p,l,r) p6 p5 Admission PAT [r=notneed] t1 PAT1 (p,l,r) sp p [r=need] (p,l,r) Admission (p,l,r) p7 t2 (p,l,r) (p,l) p8 ED OR sp Radiology PAT4 Radiology p OR (p,l,RR) (p,l) p11 PAT (p,l,RR) LAB p p PAT1 p (p,LR) [result=bernoulli(0.4)] (p,l,RR) t (p,l,RR) 3 p10 LAB p9 PAT2 [l=Y] PAT2 (p,LR,RR) (p,l,RR) t5 p12 if result=0 then 1`p else empty p13 PAT5 [l=N] PAT6 (p,LR) t4 (p,RR) (p,LR,RR) 1`sp@0 SP Doctor sp SP visit p14 (p,RR) SP visit SP if result=1 then 1`p else empty p p PAT3 p p dead PAT inpatient refer PAT PAT discharge p t 6 PAT Fig. 2. Core page of ED simulation model using Coloured Petri net (top layer) In Fig.3 the function on output arc from end visit transition determines whether patients need diagnostic tests (laboratory or radiology) or surgery or to be discharged. In SP visit subnet page shown in Fig.4, the SP Doctor place is a common resource that is shared by three activities in the page. Patients with Lab result, Radiology result or both of them are coming to SP, because SP should decide about them. Patients may need to be inpatient in ED. So go to the ED inpatient place or maybe it is necessary to go to other hospital ward for special care, then go to the refer place. Finally, patient after visit by SP may be discharged, so they go to discharge place in SP visit page. Model validation. We validate ﬁnal results of the simulation model at first by interviewing ED senior managers and nursing staff in order to validate the ﬁnal results of the simulation model. Secondly output of the simulation model is compared with real performance indicators (Table 5) and it shows the validation of our model 344 ModBE’13 – Modeling and Business Environments 1`gp@0 gp I/O gp GP Doc GP p p1 start visit upd_p@+proctime visit (esi,at,qt,wt,pt) room end visit In PAT input (p); output (upd_p,proctime); action startGPVisit(p); PAT (((esi,at,qt,wt,pt),labNEEd(),radNEEd()),OrNEed()) ((p,l,r),or) visit ed ((p,l,r),or) PAT0 [l=N,r=notneed,or=no] t1 t2 p ((p,l,r),or) p4 p3 Out Out PAT OPAR Fig. 3. GP visit page of substitution transition GP visit in ED page (subnet layer) Finally we also used CPN Tools state space graph to investigate whether the model works truly or not. The state space tools are used to calculate state spaces and to generate state space reports. Because our graph is very large, it is not possible to show it here. Table 5. Comparison between simulated and real data. Performance criteria Wait for GP visit Wait for Admission Wait for SP visit ESI 1&2 LOS ESI 3 LOS ESI 4 LOS ESI 5 LOS Simulation output 3.2 5.12 1.15 38.2 185 140 11.5 real data 2.9 5.5 1 37.5 187 136 12 The performance metrics are investigated using 5 different replications with 95% confidence interval. In each case the system is simulated by a long simulation run of 3 years. K. Salimifard et al.: Improving Emergency Department Processes 345 1`sp@0 SP Doctor I/O p12 sp sp PAT5 SP p13 In PAT6 p14 In (p,RR) (p,LR,RR) (p,LR) input (p,LR); output (upd_p,proctime); action startSPVisit1(p,LR); PAT3 In sp input (p,LR,RR); output (upd_p,proctime); action startSPVisit2(p,LR,RR); start visit1 (upd_p,LR)@+proctime start visit2 ((esi,at,qt,wt,pt),LR) PAT5 sp p2 PAT6 p3 end visit1 end visit2 ((esi,at,qt,wt,pt),LR) end visit3 ((esi,at,qt,wt,pt),LR,RR) p4 (p,LR) PAT6 PAT5 ((esi,at,qt,wt,pt),RR) p5 p6 (p,RR) (p,LR) (p,LR,RR) (p,LR,RR) PAT3 ((esi,at,qt,wt,pt),RR) ((esi,at,qt,wt,pt),LR,RR) sp input (p,RR); output (upd_p,proctime); action startSPVisit3(p,RR); (upd_p,RR)@+proctime (upd_p,LR,RR)@+proctime p1 start visit3 sp PAT3 (p,RR) (p,LR,RR) [RR=notok] [LR=natural] t1 [LR=unnatural] t2 t3 t4 t5 t6 [RR=ok] t7 p p p p [LR=natural andalso RR=ok ] p p [LR=unnatural andalso RR=notok ] [LR=unnatural andalso RR=ok orelse LR=natural andalso RR=notok ] p refer Out inpatient PAT Out PAT PAT dicharge Out Fig. 4. SP visit page of substitution transition SP visit in ED page (subnet layer) 4 Improvement scenarios In order to improve processes in terms of system performance metrics, four types of scenarios were defined. These alternate scenarios are validated with domain experts and then were implemented in simulation model. They are as fallow: • Current scenario (benchmark): A – Current state of the ED as a basis for comparisons. • Increase or decrease scenarios. It is, in fact, the most common type of scenario associated with simulation studies. In this scenarios (increase or decrease) number of resources, the number of emergency room doctors, nurses, beds and other physical resources will be changed. In this view, one scenario is defined here: B – Increase an emergency medicine specialist (SP) • Displacement Scenarios. In these scenarios, if possible, an alternative resource will be replaced with available resource. C – Putting in place an emergency medicine specialist instead of GP 346 ModBE’13 – Modeling and Business Environments • Structural scenarios. The purpose of these scenarios is change of the process activities and even delete or add new activities as part of the process. D – Remove triage unit and refer patients for triage and visit to GP • Hybrid scenarios. These scenarios are defined as a combination of two or more than two of the above scenarios. For example, displacement scenarios, and a structural scenario combined to make a hybrid one. E – Replace GP visit and triage activities with a substitute emergency medicine specialist who does these two. In scenario B, we have added 1 specialist to SP Doctor place and then run the simulation model. To implement scenarios D and E, we have to change our basic model. In these scenarios triage and visit is done simultaneously by a substitute doctor (GP or SP). The difference is on the time of visit done by each of them. It’s less for SP than GP. The results of running simulation model with scenarios A to E alongside with their improvement are shown in Table 6. We ran each of the improvement options individually as separate scenario for this purpose. Table 6. Improvement rate of each scenario considering its resources Resources Improvement rate (%) Scenarios GP SP Admission Staff Admission Staff SP GP Wait for GP Wait for SP Wait for Admission ESI 1&2 LOS ESI 3 LOS ESI 4 LOS ESI 5 LOS Resource utilization rate A 1 1 1 62 63.7 58 3.2 5.12 1.1 38 185 140 11.5 B 1 2 1 +9.67 -10.5 0 0 +23 0 +5.2 +2.7 +2.65 0 C - 2 1 +7.25 -1.8 - - -21 -7.2 +5.2 +0.5 +1 +8.7 D 1 1 1 +8 -0.3 +14.5 -65 +0.3 -81 +8.6 +1 +1.42 +19.1 E - 2 1 +11.3 -0.3 - - -2 -81 +9.2 +1.35 +2.15 +21.7 (%) Benchmark scenario, A, represent current situation in terms of three performance measures. Waiting time is one of the effective measures of patient satisfaction. Here are three main areas of patients waiting for service. Current scenario has the lowest waiting for GP. Scenario B and C reduce SP waiting by about 45% and 0.4%. Scenario B reduces admission waiting by 10%. Patients’ length of stay is a measure of ED efficiency and very important in hospital performance evaluation. We compare LOS for patients with different ESI level. ESI 1 and 2 include those patients who need CPR and then go to inpatient. In this level, E has 9.2% improvement. D reduces LOS by about 8.6% and B and C by about 5.2%. Patients with ESI 3 are patients who need two diagnostic tests here include Laboratory and K. Salimifard et al.: Improving Emergency Department Processes 347 Radiology. In this level B, C, D and E reduced LOS by about 2.7%, 0.5%, 1% and 1.35%. Patients with ESI 4 just need one diagnostic test, laboratory or radiology. In this level B, C, D and E reduced LOS by about 2.65%, 1%, 1.42% and 2.15%. Finally, patients with ESI 5 are outpatient and leave ED after GP visit. In this level B, C, D and E reduced LOS by about 0%, 8.7%, 19.1% and 21.7%. Resource utilization represents total busy time of resources to available working time under the simulated conditions.it is a good measure for ED manager in the allocation of resources. Scenario A improves GP utilization by 18%. Scenario B, C, D and E improve admission staff utilization by about 9.67%, 7.25%, 8% and 11.3%. Scenario A has the most SP utilization and other scenarios reduced it. Substituted SP utilization for scenario E is more than C by about 2.1 minute. Also ED staff reaction to our work was positive and they helped us through the work but due to the reluctance of ED managers, we failed to implement the proposed changes in reality. 5 Conclusions and future work In this research a CPN model was developed to analyze the performance of an emergency department. To evaluate the system under different conditions and improve processes, improvement scenarios were defined. These scenarios may not greatly improve the performance of the model parameters, but could be considered as an existing and potential alternative. We compare 5 scenarios by three variables. In table 7, improvement rate of each scenario, considering its resources, presented. To have a better analysis in choosing scenarios, it is necessary to see cost and benefit of each scenario simultaneously. Another option which should be considered is ED’s mission, saving patients with high acuity (ESI 1&2), and scenarios that aim to facilitate this purpose even if they cost more than other, are selected. Among defined scenarios, E and D have more improvement especially about patient with ESI 1&2. Although the cost of scenario E to scenario D is some more, but given the purpose of the improvements resulting from the scenario E, this scenario is selected as major one. In the next stage scenario D due to lower cost and also more overall improvement than the other two scenarios have been chosen as the second better scenario. Based on the model proposed in this paper, it is possible to translate the flow diagram into a Generalized Stochastic Petri net. It would be interesting to compare the results of the two modeling approaches. That is, the exact values of different performance indices can be compared with the simulated values. Because of the hierarchical nature of the model and that every activity has a separate page belong to it; acceptance and use of this model in various conditions may seem easy and by just few change it could be localized. Using Coloured Petri net, we were able to assign different attributes to patients entered into the ED and therefore, the model traces them to calculate performance metrics. The tools and features that are available for simulating CPN models in CPN Tools e.g. hierarchy, functions, guards, state space analysis etc. made it a useful option in simulating complex systems specially healthcare. Future development to this work would be to add other attributes to tokens color such as cost of each activity in the process and engage other wards. Also, it would be of value to consider other resources including beds, facilities and equipment. 348 ModBE’13 – Modeling and Business Environments Reference 1. Buckley, B., Castillo, E., Killeen, J., Guss, D., Chan, T.: Impact of an express admit unit on emergency department length of stay. Journal of emergency medicine 39(5), 669-673 (Nov 2010) 2. Soremekun, O., Takayesu, J., Bohan, S.: Framework for analyzing wait times and other factors that impact patient satisfaction in the energency department. The Journal of Emergency Medicine 41(6), 686-692 (2011) 3. Holden, R.: Lean Thinking in Emergency Departments: A Critical Review. Annals of Emergency Medicine 57(3), 265-278 (2010) 4. Eitel, , Rudkin, S., Malvehy, A., Killeen, J., Pines, J.: Improving service quality by understanding emergency department flow: a white paper and position statement prepared for the american academy of emergency medicine. The Journal of Emergency Medicine 38(1), 70-79 (2010) 5. Zeng, Z., Ma, X., Hu, , Li, J.: A simulation study to improve quality of care in the emergency department of a community hospital. Journal of Emergency Nursing 38(4), 322328 (2011) 6. Baldwin, L., Eldabi, T., Paul, R.: Simulation in healthcare management:a soft approach (MAPIU). Simulation Modelling Practice and Theory 12(7 - 8), 541 - 557 (2004) 7. Alvarez , A., Centeno , : Enhancing simulation models foremergency rooms using VBA. In : Proceedings of the I999 Winter Simulation Conference, New York, NY, USA, vol. 2, pp.1685-1693 (1999) 8. Villamizar, J., Coelli, F., Pereira, W., Almeida, R.: Discrete-event computer simulation methods in the optimisation of a physiotherapy clinic. Physiotherapy 97(1), 71 - 77 (2011) 9. Hoot, N., LeBlanc, , Jones, I., Levin, S., Zhou, , Gadd, C., Aronsky, D.: Forecasting Emergency Department Crowding: A Discrete Event Simulation. Annals of Emergency Medicine 52(2), 116-125 (2008) 10. Kolb , E., Peck , J., Schoening , S., Lee , T.: Reducing emergency department overcrowding – five patient buffer in comparison. In : Proceedings of the 2008 Winter Simulation Conference, Austin, TX, pp.1516-1525 (2008) 11. Khandekar, S., Mari, J., Wang, S., Gandhi, T.: Implementation of Structural Changes to the Care Process in the Emergency Department using Discrete Event Simulation. In : Proceedings of the 2007 Industrial Engineering Research Conference (2007) 12. Nagula, P.: Redesigning the patient care delivery processes at an emergency department., New York (2006) 13. Park, , Park, J., Ntuen, , Kim, D., Johnson, K.: Forecast Driven Simulation Model for Service Quality Improvement of the Emergency Department in the Moses H. Cone Memorial Hospital. The Asian Journal on Quality 9(3) (2008) 14. Khadem, M., Bashir, H., Al-Lawati, Y., Al-Azri, F.: Evaluating the Layout of the Emergency Department of a Public Hospital Using Computer Simulation Modeling: A Case Study. In : Industrial Engineering and Engineering and Management, Singapore, pp.1709-1713 (2008) 15. Gonzilez, , Gonzilez, , Rios, N.: Improving the quality of service in an emergency room using simulation-animation and total quality management. In : Proceedings of the 21st international conference on Computers and industrial engineering, Tarrytown, NY, USA , vol. 33, pp.97-100 (1997) 16. Xiong, , Zhou, M., Manikopoulos, : Modeling and Performance Analysis of Medical K. Salimifard et al.: Improving Emergency Department Processes 349 Services Systems Using Petri Nets. In : Systems, Man, and Cybernetics, San Antonio, TX, pp.2339-2342 (1994) 17. Chockalingam, A., Jayakumar, , Lawley, : A stochastic cotrol approach to avoiding emergencydepartment overcrowding. In : Proceedings of the 2010 Winter Simulation Conference, Baltimore, MD, pp.2399-2411 (2010) 18. Dotoli, M.: Modeling and Management of a Hospital Department via Petri Nets. In : 2010 IEEE Workshop on Health Care Management (WHCM), Venice, pp.1-6 (2010) 19. Mans, R., Schonenberg, H., Leonardi, G., Panzarasa, S., Cavallini, A., Quaglini, S., van der AALST, W.: Process Mining Techniques: an Application to Stroke Care 136. Stud Health Technol Inform (2008) 20. Jørgensen, J., Lassen, K., van der Aalst, W. M.: From task descriptions via Coloured Petri nets towards an implementation of a new electronic patient record workﬂow system. International Journal on Software Tools for Technology Transfer 10(1), 15-28 (2008) 21. CPN Tools. In: AIS group, Eindhoven University of Technology, The Netherlands. (Accessed 2012) Available at: http://www.cpntools.org 22. Günal , M., Pidd , : Moving from specific to generic: Generic modelling in health care. In : Proceedings of the 2007 INFORMS Simulation Society Research Workshop (2007) 23. Jensen, K., Kristensen, L.: Coloured Petri Nets , Modelling and Validation of Concurrent Systems. Springer, Denmark (2009) 24. Jensen, K.: An introduction to the practical Use of coloured Petri nets. Lecture Notes in Computer Sciencee, Springer-Verlag, 1-14 (1996) 350 ModBE’13 – Modeling and Business Environments Part IX ModBE’13: Poster Abstracts Advantages of a Full Integration between Agents and Workflows Thomas Wagner and Lawrence Cabac University of Hamburg, MIN Faculty, Department of Informatics http://www.informatik.uni-hamburg.de/TGI/ Abstract. This poster describes the notion of a full integration of agents and workﬂows. It diﬀerentiates the term from the more common partial integrations already well documented and researched. Finally, the advantages of a full integration are discussed. Multi-agent systems feature a very structure-centric perspective on a software system. Agents are the main modelling abstraction, and other aspects are always seen in relation to them. Workﬂow systems on the other hand feature a very behaviour-centric perspective. The main abstraction here are the workﬂows/processes, which incorporate the data/information about other aspects. An integration of the two concepts agent and workﬂow can oﬀer many advantages. These advantages represent the ﬁrst outcomes in our current research on modelling systems and are the main result presented in this poster. It is possible to diﬀerentiate between two kinds of integrations: partial and full. In a partial integration one of the concepts is used to enhance the other one. This includes agent-based workﬂow management systems (WFMS) and workﬂow-based agent management systems. Partial integrations feature only one of the two concepts main abstraction. This main abstraction may be enhanced and enriched in a number of ways, but still remains, at its core, either an agent or a workﬂow. This limits the potential beneﬁts in a partial integration. A full integration between agents and workﬂows aims to address that limit. In contrast to partial integrations it features both agents and workﬂows incorporated into one main modelling unit. This unit can serve as agent, workﬂow, or a hybrid between the two and can dynamically change its role during runtime. We call these hybrids that provide all the functionality agents and workﬂows would usually provide, including communication and user interaction facilities, entities. Using entities enables a system modeller to dynamically switch and mix structural and behavioural aspects of a system. This allows for a new integrated perspective on the system during development. There are numerous examples of partial integrations. Agent-based WFMS are, for example, presented in [1,2]. A workﬂow-based agent management system is discussed in [3]. All of these make use of both concepts to provide an enhanced modelling experience. They still only oﬀer extended classical workﬂow or agent functionality and do not feature the possibilities of a full integration. To the best of our knowledge there are no examples of full integrations. 354 ModBE’13 – Modeling and Business Environments A full integration between agents and workﬂows exhibits a number of advantages to the system modeller. These assume an eﬃcient and comprehensive implementation of a full integration system (see last paragraphs for outlook). Abstraction The abstraction of the individual concepts into one uniﬁed entity enables a freedom to work with dynamic and hybrid constructs. Entities can operate as agents, workﬂows, or something in between. They can dynamically adapt to the requirements before, acting as an agent at one point and processing like a workﬂow at another. Entities naturally and directly incorporate any and all mechanisms, facilities, and properties of agents and workﬂows. Consequently, providing these characteristics in dynamic ways becomes far easier. Flexibility Allowing a modeller to use agents and workﬂows on the same abstraction level, allows to model a system along the two dimensions structure and behaviour. Classically, only one of these dimensions was in the foreground, while modelling aspects of the other was heavily biased by the original dimension. This two-dimensional modelling enables a modeller to utilise the dynamic interaction between agents and workﬂows on a conceptual level. Simplicity A full integration oﬀers the combined capabilities of agents and workﬂows. It does so by providing simple-to-use and predeﬁned constructs (entities) which allow a modeller to make full use of the strengths of agents and workﬂows. The entities in themselves can be used similarly to agents and workﬂows, but possess a larger spectrum of capabilities. Expressiveness A full integration cannot necessarily express more then the classical paradigms. However, in the classical paradigms complex helper constructs might be necessary to implement more complicated structures available directly in a full integration. This means that a full integration is capable of expressing more constructs in a natural and simple way. Enrichment The enrichment aspect, the main advantage of partial integration, is also applicable in a full integration. In fact, it is even more emphasised, since an entity can be improved from both its agent and workﬂow side. Concerning future work the provision of a comprehensive implementation of a full integration is the main focus. Currently, the work is centred on establishing a working prototype as proof-of-concept. In conclusion, a full integration oﬀers many beneﬁcial advantages in comparison to classical systems. When extensively and eﬃciently implemented, it is a powerful tool for a system modeller to use. References 1. P. Czarnul, M. Matuszek, M. Wójcik, and K. Zalewski. BeesyBees - eﬃcient and reliable execution of service-based workﬂow applications for BeesyCluster using distributed agents. In Proceedings of IMCSIT 2010, pages 173 –180, oct. 2010. 2. F. Hsieh. Collaborative Workﬂow Management in Holonic Multi-Agent Systems. In J. O’Shea et al., editors, Agent and Multi-Agent Systems: Technologies and Applications, volume 6682 of LNCS, pages 383–393. Springer Berlin Heidelberg, 2011. 3. A. Mislevics and J. Grundspenkis. Workﬂow based approach for designing and executing mobile agents. In Digital Information Processing and Communications (ICDIPC), 2012 Second International Conference on, pages 96 –101, july 2012. Cloud Transition for QoS Modeling of Inter-Organizational Workflows Soﬁane Bendoukha and Lawrence Cabac University of Hamburg, Department of Informatics http://www.informatik.uni-hamburg.de/TGI/ Abstract. In this paper we present an architecture for enabling complex workﬂow execution in Cloud-like environments. We focus mainly on modeling concepts and techniques to enhance accessibility to Cloud services by diﬀerent kind of users. Complex workﬂow tasks need in some cases to be mapped to distributed resources and involves the cooperation between several partners. Workﬂow management is critical to a successful long-term Cloud computing strategy. The notion of inter-organizational workﬂow still needs conceptual and technical support especially in complex and dynamic environments like Clouds. New ways to tackle this problem have to be found. Therefore, existing workﬂow architectures need to be adapted for the Cloud and workﬂow management systems (WfMS) should be integrated with Cloud infrastructure and resources [3]. In this paper we use Inter-Cloud Workﬂow Petri Nets (ICWPN), an approach for enabling workﬂows in an (Inter)-Cloud environment. A specialized Cloud Task Transition (CTT) is introduced to facilitate the connection to the Cloud and to support Quality of Service (QoS) management [1]. The CTT (see Fig. 1 (a)) is based on the Workﬂow Task Transition [2], which is the core of the workﬂow net formalism in Renew1 (Reference Net Workshop). Workﬂow modelers specify their requirements as parameters to the CTT in form of tuples (S, Q, I), which correspond respectively to the Cloud service (S) that they want to use (it can be a storage or a compute service), the QoS constraints (Q) consisting of deadlines or costs and input data (I) consisting either of required ﬁles in case of a storage or scripts if they want to execute their codes on the Cloud. Synchronous channels are used to make the connection with the WfMS, which controls the completion of the task. It either initiates the ﬁring or cancels it and all input parameters are put back onto the input places. To see how the CTT is used in practice, we introduce a Cloud-based workﬂow architecture, it is depicted in Fig. 1 (b). It includes three basic layers from top to bottom: user applications layer (UL), middle-ware layer (ML) and the resource layer (RL), which consits mainly of Cloud services. In our approach we view the process of executing an application in an Inter-Cloud environment as a 6-phase process: (1) Users use the oﬀered modeling tools consisting mostly of Renew and the introduced CTT to specify the requirements (Cloud services, QoS constraints, speciﬁc input data) for their applications using Petri nets models. (2) 1 Renew is available at http://www.renew.de 356 ModBE’13 – Modeling and Business Environments (a) The Cloud Transition (b) General Cloud Workﬂow Architecture Fig. 1. Cloud-based Workﬂow Management A list of requirements is created consisting of required services as well as their related QoS constraints. (3) Make a request to the Cloud Service Repository (CSR) which is accessible by the WfMS to achieve workﬂow tasks (4) Based on the above steps (2-3) a decision is made by the Decision Maker who determines whether the workﬂow tasks will be executed locally or using Cloud resources. (5) After that the workﬂow tasks are mapped to the adequate resources. (6) When the workﬂow is deployed, information about Cloud providers and the state of their services are constantly updated. Here we focused primarily on Cloud technologies. Nevertheless, the introduced model (see Fig. 1(b)) can be also applicable to other dynamic domains where distributed resources are shared and dynamically allocated and usually priced. References 1. Soﬁane Bendoukha and Thomas Wagner. Cloud transition: Integrating cloud calls into workﬂow Petri nets. In Lawrence Cabac, Michael Duvigneau, and Daniel Moldt, editors, PNSE, volume 851 of CEUR Workshop Proceedings, June 2012. 2. Thomas Jacob, Olaf Kummer, Daniel Moldt, and Ulrich Ultes-Nitsche. Implementation of workﬂow systems using reference nets – security and operability aspects. In Kurt Jensen, editor, Fourth Workshop and Tutorial on Practical Use of Coloured Petri Nets and the CPN Tools, August 2002. 3. Suraj Pandey, Dileban Karunamoorthy, and Rajkumar Buyya. Workflow Engine for Clouds, pages 321–344. John Wiley & Sons, Inc., 2011.

RELATED PAPERS

RELATED TOPICS

Log In

Application and Theory of Petri Nets and Concurrency

Application and Theory of Petri Nets and Concurrency

Related Papers

RELATED PAPERS

RELATED TOPICS