- •CONTENTS
- •PREFACE
- •LIST OF FIGURES
- •INTRODUCTION
- •1.1 WHAT IS TIME?
- •1.2 SIMULATION
- •1.3 TESTING
- •1.4 VERIFICATION
- •1.6 USEFUL RESOURCES
- •2.1 SYMBOLIC LOGIC
- •2.1.1 Propositional Logic
- •2.1.2 Predicate Logic
- •2.2 AUTOMATA AND LANGUAGES
- •2.2.1 Languages and Their Representations
- •2.2.2 Finite Automata
- •2.3 HISTORICAL PERSPECTIVE AND RELATED WORK
- •2.4 SUMMARY
- •EXERCISES
- •3.1 DETERMINING COMPUTATION TIME
- •3.2 UNIPROCESSOR SCHEDULING
- •3.2.1 Scheduling Preemptable and Independent Tasks
- •3.2.2 Scheduling Nonpreemptable Tasks
- •3.2.3 Nonpreemptable Tasks with Precedence Constraints
- •3.2.5 Periodic Tasks with Critical Sections: Kernelized Monitor Model
- •3.3 MULTIPROCESSOR SCHEDULING
- •3.3.1 Schedule Representations
- •3.3.3 Scheduling Periodic Tasks
- •3.4 AVAILABLE SCHEDULING TOOLS
- •3.4.2 PerfoRMAx
- •3.4.3 TimeWiz
- •3.6 HISTORICAL PERSPECTIVE AND RELATED WORK
- •3.7 SUMMARY
- •EXERCISES
- •4.1 SYSTEM SPECIFICATION
- •4.2.1 Analysis Complexity
- •4.3 EXTENSIONS TO CTL
- •4.4 APPLICATIONS
- •4.4.1 Analysis Example
- •4.5 COMPLETE CTL MODEL CHECKER IN C
- •4.6 SYMBOLIC MODEL CHECKING
- •4.6.1 Binary Decision Diagrams
- •4.6.2 Symbolic Model Checker
- •4.7.1 Minimum and Maximum Delays
- •4.7.2 Minimum and Maximum Number of Condition Occurrences
- •4.8 AVAILABLE TOOLS
- •4.9 HISTORICAL PERSPECTIVE AND RELATED WORK
- •4.10 SUMMARY
- •EXERCISES
- •VISUAL FORMALISM, STATECHARTS, AND STATEMATE
- •5.1 STATECHARTS
- •5.1.1 Basic Statecharts Features
- •5.1.2 Semantics
- •5.4 STATEMATE
- •5.4.1 Forms Language
- •5.4.2 Information Retrieval and Documentation
- •5.4.3 Code Executions and Analysis
- •5.5 AVAILABLE TOOLS
- •5.6 HISTORICAL PERSPECTIVE AND RELATED WORK
- •5.7 SUMMARY
- •EXERCISES
- •6.1 SPECIFICATION AND SAFETY ASSERTIONS
- •6.4 RESTRICTED RTL FORMULAS
- •6.4.1 Graph Construction
- •6.5 CHECKING FOR UNSATISFIABILITY
- •6.6 EFFICIENT UNSATISFIABILITY CHECK
- •6.6.1 Analysis Complexity and Optimization
- •6.7.2 Timing Properties
- •6.7.3 Timing and Safety Analysis Using RTL
- •6.7.5 RTL Representation Converted to Presburger Arithmetic
- •6.7.6 Constraint Graph Analysis
- •6.8 MODECHART SPECIFICATION LANGUAGE
- •6.8.1 Modes
- •6.8.2 Transitions
- •6.9.1 System Computations
- •6.9.2 Computation Graph
- •6.9.3 Timing Properties
- •6.9.4 Minimum and Maximum Distance Between Endpoints
- •6.9.5 Exclusion and Inclusion of Endpoint and Interval
- •6.10 AVAILABLE TOOLS
- •6.11 HISTORICAL PERSPECTIVE AND RELATED WORK
- •6.12 SUMMARY
- •EXERCISES
- •7.1.1 Timed Executions
- •7.1.2 Timed Traces
- •7.1.3 Composition of Timed Automata
- •7.1.4 MMT Automata
- •7.1.6 Proving Time Bounds with Simulations
- •7.2.1 Untimed Traces
- •7.2.2 Timed Traces
- •7.3.1 Clock Regions
- •7.3.2 Region Automaton
- •7.4 AVAILABLE TOOLS
- •7.5 HISTORICAL PERSPECTIVE AND RELATED WORK
- •7.6 SUMMARY
- •EXERCISES
- •TIMED PETRI NETS
- •8.1 UNTIMED PETRI NETS
- •8.2 PETRI NETS WITH TIME EXTENSIONS
- •8.2.1 Timed Petri Nets
- •8.2.2 Time Petri Nets
- •8.3 TIME ER NETS
- •8.3.1 Strong and Weak Time Models
- •8.5.1 Determining Fireability of Transitions from Classes
- •8.5.2 Deriving Reachable Classes
- •8.6 MILANO GROUP’S APPROACH TO HLTPN ANALYSIS
- •8.6.1 Facilitating Analysis with TRIO
- •8.7 PRACTICALITY: AVAILABLE TOOLS
- •8.8 HISTORICAL PERSPECTIVE AND RELATED WORK
- •8.9 SUMMARY
- •EXERCISES
- •PROCESS ALGEBRA
- •9.1 UNTIMED PROCESS ALGEBRAS
- •9.2 MILNER’S CALCULUS OF COMMUNICATING SYSTEMS
- •9.2.1 Direct Equivalence of Behavior Programs
- •9.2.2 Congruence of Behavior Programs
- •9.2.3 Equivalence Relations: Bisimulation
- •9.3 TIMED PROCESS ALGEBRAS
- •9.4 ALGEBRA OF COMMUNICATING SHARED RESOURCES
- •9.4.1 Syntax of ACSR
- •9.4.2 Semantics of ACSR: Operational Rules
- •9.4.3 Example Airport Radar System
- •9.5 ANALYSIS AND VERIFICATION
- •9.5.1 Analysis Example
- •9.5.2 Using VERSA
- •9.5.3 Practicality
- •9.6 RELATIONSHIPS TO OTHER APPROACHES
- •9.7 AVAILABLE TOOLS
- •9.8 HISTORICAL PERSPECTIVE AND RELATED WORK
- •9.9 SUMMARY
- •EXERCISES
- •10.3.1 The Declaration Section
- •10.3.2 The CONST Declaration
- •10.3.3 The VAR Declaration
- •10.3.4 The INPUTVAR Declaration
- •10.3.5 The Initialization Section INIT and INPUT
- •10.3.6 The RULES Section
- •10.3.7 The Output Section
- •10.5.1 Analysis Example
- •10.6 THE ANALYSIS PROBLEM
- •10.6.1 Finite Domains
- •10.6.2 Special Form: Compatible Assignment to Constants,
- •10.6.3 The General Analysis Strategy
- •10.8 THE SYNTHESIS PROBLEM
- •10.8.1 Time Complexity of Scheduling Equational
- •10.8.2 The Method of Lagrange Multipliers for Solving the
- •10.9 SPECIFYING TERMINATION CONDITIONS IN ESTELLA
- •10.9.1 Overview of the Analysis Methodology
- •10.9.2 Facility for Specifying Behavioral Constraint Assertions
- •10.10 TWO INDUSTRIAL EXAMPLES
- •10.10.2 Specifying Assertions for Analyzing the FCE Expert System
- •Meta Rules of the Fuel Cell Expert System
- •10.11.1 General Analysis Algorithm
- •10.11.2 Selecting Independent Rule Sets
- •10.11.3 Checking Compatibility Conditions
- •10.12 QUANTITATIVE TIMING ANALYSIS ALGORITHMS
- •10.12.1 Overview
- •10.12.2 The Equational Logic Language
- •10.12.3 Mutual Exclusiveness and Compatibility
- •10.12.5 Program Execution and Response Time
- •10.12.8 Special Form A and Algorithm A
- •10.12.9 Special Form A
- •10.12.10 Special Form D and Algorithm D
- •10.12.11 The General Analysis Algorithm
- •10.12.12 Proofs
- •10.13 HISTORICAL PERSPECTIVE AND RELATED WORK
- •10.14 SUMMARY
- •EXERCISES
- •11.1 THE OPS5 LANGUAGE
- •11.1.1 Overview
- •11.1.2 The Rete Network
- •11.2.1 Static Analysis of Control Paths in OPS5
- •11.2.2 Termination Analysis
- •11.2.3 Timing Analysis
- •11.2.4 Static Analysis
- •11.2.5 WM Generation
- •11.2.6 Implementation and Experiment
- •11.3.1 Introduction
- •11.3.3 Response Time of OPS5 Systems
- •11.3.4 List of Symbols
- •11.3.5 Experimental Results
- •11.3.6 Removing Cycles with the Help of the Programmer
- •11.4 HISTORICAL PERSPECTIVE AND RELATED WORK
- •11.5 SUMMARY
- •EXERCISES
- •12.1 INTRODUCTION
- •12.2 BACKGROUND
- •12.3 BASIC DEFINITIONS
- •12.3.1 EQL Program
- •12.3.4 Derivation of Fixed Points
- •12.4 OPTIMIZATION ALGORITHM
- •12.5 EXPERIMENTAL EVALUATION
- •12.6 COMMENTS ON OPTIMIZATION METHODS
- •12.6.1 Qualitative Comparison of Optimization Methods
- •12.7 HISTORICAL PERSPECTIVE AND RELATED WORK
- •12.8 SUMMARY
- •EXERCISES
- •BIBLIOGRAPHY
- •INDEX
BERTHOMIEU–DIAZ ANALYSIS ALGORITHM FOR TPNS |
227 |
D can be expressed as the solution set of a system of inequalities such that a distinct variable exists for each transition enabled by marking M:
D = t | A · t ≥ b,
where A is a matrix, b is a vector of constants, and t is a vector of variables corresponding to the enabled transitions.
A state class contains all possible firing times that may happen from a given reachable marking. With this definition of a state class, we can compactly express the firing domain of the initial state class. The initial class contains the initial state and shows the initial marking as well as the initial static intervals. Whereas expressions of intervals for states are simple, expressions of domains for state classes represent complex relationships between the firing times of several transitions.
8.5.1 Determining Fireability of Transitions from Classes
Since a state class is an aggregate of many related states, we need to define new conditions for firing transitions from a class. Again assume that transition t (i) is the ith transition enabled by marking M, then t (i) is fireable from class C = (M, D) iff the following two conditions hold:
1.t (i) is enabled by marking M, that is, p(M( p) ≥ B(t (i), p)).
2.The firing interval corresponding to t (i) must satisfy the following augmented system of inequalities:
A · t ≥ b
t (i) ≤ t ( j) for all j, j = i
where t ( j) is also the firing interval related to the jth component of vector t. Thus the firing of t (i) must occur before the minimum of all LFTs corresponding to all enabled transitions. A system of inequalities is needed to express these complex relationships since using only the EFTs and LFTs of
the transitions cannot adequately express condition (2).
Example. For the example Petri net in Figure 8.1, the initial class C0 is:
M0 = Pr 1, Pr2, Pr3, Pmutex,
D0 = (all solutions to)1 ≤ δcs1 ≤ 8, 2 ≤ δcs2 ≤ 7, 3 ≤ δcs3 ≤ 6.
Furthermore, the following inequalities must be satisfied to fire tcs1:
δcs1 ≤ δcs2, δcs1 ≤ δcs3.
228 TIMED PETRI NETS
Similarly, tcs2 can fire if
δcs2 ≤ δcs1, δcs2 ≤ δcs3
and tcs3 can fire if
δcs3 ≤ δcs1, δcs3 ≤ δcs2.
Suppose transition tcs1 fires, then the next class C1 is
M1 = Pcs1, Pr 2, Pr 3,
D1 = 1 ≤ δn1 ≤ 2.
We can determine all possible firing times for transitions, including those that remain enabled after a firing, by changing the variables resulting from the translation in the augmented system, as follows. Suppose tcs2 fires at relative time δcs1F . After firing tcs1, the other two enabled transitions tcs2 and tcs3 are disabled. To illustrate this complex scenario, suppose tcs2 and tcs3 remain enabled. This is possible if Pmutex
originally has, say, three tokens. Then tcs2 and tcs3 stay enabled after relative time |
|||||||
δcs1F has elapsed. Thus the new time values δcs |
2 and δcs3 can be calculated by using |
||||||
δi = δi + δcs1F . Therefore, after firing tcs1, we have: |
|
|
|||||
2 ≤ δcs |
2 + δcs1F |
≤ |
7 |
|
(1) |
||
3 ≤ δcs |
3 + δcs1F |
≤ |
6 |
|
(2) |
||
or |
|
|
|
|
|
|
|
2 − δcs1F ≤ δcs |
2 ≤ |
7 − δcs1F |
(3) |
||||
3 − δcs1F ≤ δcs |
3 ≤ |
6 − δcs1F |
(4) |
||||
where |
|
|
|
|
|
|
|
|
1 ≤ δcs |
1F ≤ 3. |
|
(5) |
|||
Inequalities can be rewritten as: |
|
|
|
|
|
|
|
2 − δcs |
2 ≤ δcs |
1F |
≤ 7 − δcs |
2 |
(6) |
||
3 − δcs |
3 ≤ δcs |
1F |
≤ 6 − δcs |
3. |
(7) |
||
To derive the firing times of the next state class and show the relationships between the firing times of tcs2 and tcs3, we eliminate δcs1F from inequalities (6)
and (7): |
|
|
|
0 ≤ δ cs2 |
≤ 6 |
from (3) and (5) |
|
0 ≤ δ cs3 |
≤ 5 |
from (4) and (5) |
|
δ cs3 − δ cs2 |
≤ 1 |
from (6) and (7) |
|
δ cs2 − δ cs3 |
≤ 1 |
from (6) and (7). |
|
MILANO GROUP’S APPROACH TO HLTPN ANALYSIS |
229 |
8.5.2 Deriving Reachable Classes
To construct the reachability graph of classes rather than simple states for a Petri net, we first describe the rules for deriving the next class reachable from a given class by firing a transition.
Given a domain D, the following procedure derives domain D .
1.Add the fireability conditions for transition t ( f ) to the system of inequalities defining domain D, that is, A·t ≥ b, yielding the following augmented system:
A · t ≥ b
t ( f ) ≤ t ( j) for all j, j = f.
Then express all times related to variables t ( f ), j = f , as the sum of the time of the fired transitions t ( f ) and of a new variable t ( j) defined as
t ( j) = t ( j) − t ( f ) for all j, j = f,
and remove variable t ( f ) from the system by deriving new firing intervals and the corresponding constraint relationships as shown earlier. This change of variables yields the following system:
A · t ≥ b
0 ≤ t .
Variables A and b are derived from A and b, respectively, the equations defining the new variables. Fourier’s method is then used to eliminate variable t ( f ).
2.Remove all variables corresponding to the transitions disabled by the firing
of t ( f ) while maintaining the relationships they imply using a similar technique as in (1). These transitions are enabled by M but not enabled by M(·) − B(t ( f ), ·) before computing the new marking.
3.Augment the system of inequalities with new variables such that there is one for each newly enabled transition. These variables are defined to belong to
their static firing intervals. These newly enabled transitions are enabled by M − B(t ( f ), ·) and enabled by M . The final system of inequalities is
A · t ≥ b .
A variable for each transition is enabled by marking M , and the solution set of this system defines D .
8.6 MILANO GROUP’S APPROACH TO HLTPN ANALYSIS
The Politecnico di Milano group, headed by Ghezzi (with original members Mandrioli, Morasca, and Pezze, and later Morzenti, San Pietro, and Silva), sought to develop
230 TIMED PETRI NETS
comprehensive tools to specify and validate large systems using HLTPNs and more recently a logic called TRIO.
Initially, [Ghezzi et al., 1991] do not introduce new analysis techniques, but rather state that HLTPNs/TERNs can be readily analyzed by executing specifications. As with non-timed Petri nets, this is done by first providing an initial marking and then executing a given HLTPN specification to explore the nets’ behaviors. However, this is specification testing and can only uncover potential errors, but cannot guarantee the absence of errors if all possible execution paths are not checked. Furthermore, the number of states to be explored increases drastically with the introduction of time and may be infinite.
Ghezzi et al. also suggest analyzing specifications by first defining general properties of nets which state desirable (or undesirable) behaviors of the specified system, and then employing the specification to prove (or disprove) these properties as theorems. However, most of these properties are undecidable.
More recently, the Milano group developed a tool called Cabernet to support the specification and validation of real-time systems based on HLTPNs. While the underlying analysis mechanism is still mainly based on executing specifications, Cabernet is a more integrated tool compared to others in that it supports the specification of control, data, functionality, and time using HLTPNs. Designers can edit, execute, and analyze HLTPNs using Cabernet’s kernel engine.
Cabernet can perform timed reachability analysis by exploring a time reachability tree. To avoid the problem of exploring a potentially infinite-state reachability tree, it restricts the exploration up to a specified time deadline. Using the axiom stating that time eventually increases, and a suit of symbolic execution techniques, makes the set of states in the timed reachability tree finite. This is practical in proving safety and liveness properties limited to a finite time interval in real-time systems.
To make the analysis more efficient, Cabernet can focus on a specific firing model that may ignore one or more features such as data, functionality, and time. Statecharts/STATEMATE also offers a similar capability in specifying and analyzing state systems. Thus the designer can readily customize Cabernet for a given application. Another feature of Cabernet is that it provides net decomposition, which allows the designer to refine a high-level specification to a detailed one via property-preserving transformation. The correctness of these transformations can be verified by the tool in constant time.
8.6.1 Facilitating Analysis with TRIO
Since verifying even basic properties of time ER nets is undecidable, the Milano group [Ghezzi, Mandrioli, and Morzenti, 1990] introduced a logic called TRIO to facilitate the analysis. TRIO is a first-order logic extended with a temporal domain allowing basic arithmetic and the temporal operator Dist. In this regard, TRIO is similar to Jahanian and Mok’s RTL, which is also a first-order logic augmented with the occurrence function to assign time to occurrences of events and actions.
Given a formula F, Dist(F, t) means that F holds at a time instant t time units from the current time (when this sentence is stated). If the Dist operator is not used