in a formula, the current time is assumed. We can define other derived temporal operators based on the Dist operator. The following is a selected list of derived temporal operators:

Futr(F, d) = d ≥ 0 Dist(F, d) future

Past(F, d) = d ≥ 0 Dist(F, −d) past

Lasts(F, d) = d (0 < d < d → Dist(F, d ))F holds over a period of length d

Lasted(F, d) = d (0 < d < d → Dist(F, −d ))F held over a period of length d

Until(A1, A2) = (t > 0 Futr(A2, t) Lasts(A1, t))A1 holds until A2 becomes true

Alw(F) = dDist(F, d)F always holds

AlwF(F) = d(d > 0 → Dist(F, d))F will always hold in the future

AlwP(F) = d(d < 0 → Dist(F, d))F always held in the past

SomP(F) = d(d < 0 Dist(F, d)) F held sometimes in the past

Som(F) = d Dist(F, d) Sometimes F held or will hold

UpToNow(F) = d(d > 0 Past(F, d) Lasted(F, d)) F held for a nonzero time interval that ended at the current instant

Becomes(F) = F UpToNow(¬F) F holds at the current instant but it did not hold for a nonzero interval that preceded the current instant

LastTime(F, t) = Past(F, t) (Lasted(¬F, t)) F occurred for the last time t units ago

The Milano group proposed the dual-language approach to specification and verification using TRIO as a descriptive formalism and Petri nets as an operational formalism. The basic idea is to first axiomatize (or perform an axiomatization of) the operational formalism (the Petri net), that is, to state a formal correspondence between the syntax and semantics of these two formalisms. Then this axiomatization is used to prove that the system modeled by the operational formalism has the descriptive formalism’s properties.

8.7 PRACTICALITY: AVAILABLE TOOLS

The TRIO toolset is a facility for the specification, design, and validation of real-time systems, based on temporal logic. It is used to make the analysis of real-time systems specified as Petri nets more efficient. Ongoing work includes defining a family of languages for the specification of complex, highly structured systems, together with defining a toolset for writing specifications, validating them by means of analysis and simulation, and planning the verification of the implementation via test case generation. The TRIO research group also plans to identify classes of formulas of the language that are decidable algorithmically. Improvement in the user interface

232 TIMED PETRI NETS

includes the implementation of a history checker, a history semiautomatic generator, a graphic editor for histories, and a model generator.

More details about the TRIO toolset can be found at

http://www.elet.polimi.it/section/compeng/se/TRIO/

8.8 HISTORICAL PERSPECTIVE AND RELATED WORK

Petri invented Petri nets to model concurrent systems, and an excellent introduction can be found in [Peterson, 1981]. Peterson also presented a tutorial on Petri nets in [Peterson, 1977].

Ramachandani [Ramchandani, 1974] was the first to introduce timing extensions to classical Petri nets to yield TdPNs. A fixed firing duration is associated with each transition. Merlin [Merlin and Farber, 1976] then invented TPNs with static and dynamic firing intervals. Merlin’s TPNs are more general than TdPNs, so a TdPN can be modeled by a TPN but not vice versa.

[Leveson and Stolzy, 1987] used Petri nets to perform safety analysis of a simple railroad crossing system. In their study, the functional behavior of the system can be modeled by Petri nets, but the absolute timing aspects cannot be adequately modeled.

Jensen proposed colored Petri nets [Jensen, 1987] and Genrich invented predicate/transition nets [Genrich, 1987] to allow tokens to hold values so that items modeled by these tokens can be individually identified. However, these nets are unable to specify timing aspects.

[Ghezzi et al., 1991] developed HLTPNs or ER nets to model time-critical systems. HLTPNs provide a unified framework integrating both functional and timing descriptions. His group [Felder, Mandrioli, and Morzenti, 1994] also proposed the use of both logic and Petri net models to prove properties of real-time systems. [Mandrioli, Morasca, and Morzenti, 1995] presented techniques for automatically generating functional test cases from formal specifications of real-time systems written in the logic language TRIO.

[Bucci and Vicario, 1995] proposed the use of communicating timed Petri nets in a compositional approach to validate time-critical systems. Recently, [Vicario, 2001] presented an enumerative technique to support the reachability and timeliness analysis of dense time–dependent models. Equivalence classes are used for discrete and compact enumeration of the state space. This technique recovers timed reachability properties among states by analyzing the timing constraints embedded within equivalence classes.

[Jones, Landweber, and Lien, 1977] directly proved that the reachability and boundedness problems for Petri nets are undecidable. [Berthomieu and Diaz, 1991] developed an efficient procedure for verifying properties specified in a TPN. More recently, [Hulgaard and Burns, 1995] proposed the use of algebraic techniques to perform efficient timing analysis of a class of Petri nets. [Yoneda et al., 1991] showed how to speed up timing verification using TPNs.

[Holliday and Vernon, 1987] were among the first to propose a generalized timed Petri net model for performance analysis. More recently, [Balaji et al., 1992] em-

234 TIMED PETRI NETS

reachability graph corresponding to a reachability set, we can represent each state by a node and add a directed edge from state s1 to state s2 if firing a transition enabled in state s1 leads the net to state s2.

Classical Petri nets cannot express the passage of time, such as durations and timeouts. The tokens are also anonymous and thus cannot model named items. They also lack hierarchical decomposition or abstraction mechanisms to properly model large systems. To model realistic real-time systems, several extended versions of Petri nets have been proposed to deal with timing constraints. There are basically two approaches. One associates the notions of time to transitions, and the other associates time values to places.

[Ramchandani, 1974] associated a finite firing time to each transition in a classical Petri net to yield timed Petri nets (TdPNs). More precisely, the firing of a transition now takes time and a transition must fire as soon as it is enabled. TdPNs have been used mainly for performance evaluation. Shortly after, [Merlin and Farber, 1976] developed a more general class of nets called time Petri nets (TPNs). These are Petri nets with labels: two values of time expressed as real numbers, x and y, are associated with each transition where x < y. x is the delay after which and y is the deadline by which to fire the enabled transition. A TPN can model a TdPN but not vice versa.

A TdPN is formally defined as a tuple (P, T, F, V, M0, D) where

P is a finite set of places,

T is a finite, ordered set of transitions t1, . . . , tm ,

V : F → (P, T, F) is the arc multiplicity;

D : T → N assigns to every transition tI a nonnegative real number N indicating the duration of the firing of tI ; and

M0 is the initial marking.

A TdPN follows the earliest firing schedule transition rule: An enabled transition at a time k must fire at this time if there is no conflict. Transitions with no firing durations (D(t) = 0) fire first. When a transition starts firing at time t it removes the corresponding number of tokens from its input places at time t and adds the corresponding number of tokens to its output places at time k + D(t). At any time a maximal set of concurrently enabled transitions (maximal step) is fired.

A TPN is formally defined as a tuple (P, T, B, F, M0, S) where

P is a finite set of places,

T is a finite, ordered set of transitions t1, t2, . . . , tm ,

B is the backward incidence function B : T × P → N , where N is the set of nonnegative integers,

F is the forward incidence function F : T × P → N ,

M0 is the initial marking function M0 : P → N , and

S is the static interval mapping S : T → Q × (Q ∞), where Q is the set of positive rational numbers.

Merlin specified timing constraints on a transition ti using constrained static rational values as follows. Suppose αi S and βi S are rational numbers. Then

S(ti ) = (αi S , βi S ),

where 0 ≤ αS < ∞, 0 ≤ βS ≤ ∞, and αS ≤ βS if βS = ∞ or αS < βS if βS = ∞. The interval (αi S , βi S ) is the static firing interval for transition ti , indicated by the superscript S, where αi S is the static earliest firing time (EFT) and βS is the static latest firing time (LFT). In general, for states other than the initial state, the firing intervals in the firing domain will be different from the static intervals. These dynamic lower and upper bounds are denoted αi and βi , respectively, and are called

simply EFT and LFT, respectively.

Both the static and dynamic lower and upper bounds are relative to the instant at which ti is enabled. If ti is enabled at time θ, then while ti is continuously enabled, it must fire only in the time interval between θ + αi S (or θ + αi ) and θ + βi S (or

θ + βi ).

For modeling real-time systems, EFT corresponds to the delay before a transition can be fired, and LFT is the deadline by which a transition must fire. In Merlin’s model, time can be either discrete or dense. Also, the firing of a transition happens instantaneously; that is, firing a transition takes no time. If no time interval is associated with a transition, this transition is a classical Petri net transition and the time interval can be defined as: (αiS = 0, βi S = ∞). Therefore, TPNs are timed restrictions of Petri nets.

High-level timed Petri nets (HLTPNs), or time environment/relationship nets (TERNs) [Ghezzi et al., 1991], integrate functional and temporal descriptions in the same model. In particular, HLTPNs provide features that can precisely model the identities of a system’s components as well as their logical and timing properties and relationships. A HLTPN is a classical Petri net augmented with the following features.

For each place, a restriction exists on the type of tokens that can mark it; for example, each place has one or more types. If any type of token can mark a place, then this place has the same meaning as in a classical Petri net. Each token has a time-stamp indicating its creation time (or birth date) and a data structure for storing its associated data.

Each transition has a predicate that determines when and how the transition is enabled. This predicate expresses constraints based on the values of the data structures and time-stamps of the tokens in the input places. A transition also has an action that specifies the values of the data to be associated with the tokens produced by the transition firing. This action depends on the data and time-stamps of the tokens removed by the firing. Finally, a transition has a time function that specifies the minimum and maximum firing times. This function also depends on the data and time-stamps of the tokens removed by the firing.

Tokens in environment/relationship (ER) nets are environments, functions that associate values to variables. Each transition has an associated action that specifies