D EPENDABILITY motivation E NGINEERING time-dependent Petri - - PowerPoint PPT Presentation

dependability engineering with time-dependent Petri nets WS 2018 Y:\Documents\teaching\course-pn\pn_skript_fm\nl10_time.sld.fm 12 - 1 / 41

DEPENDABILITY ENGINEERING

WITH TIME-DEPENDENT

PETRI NETS (“THE PROBLEM IS CHOICE”)

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 2 / 41

CONTENTS ❑ motivation ❑ time-dependent Petri nets

• verview

influence of time on qualitative properties zero test ❑ worst-case evaluation with duration interval nets counter example structural compression of well-formed net parts non-well-formed, but 1-bounded, acyclic, ... general procedure ❑ safety analysis with interval nets unreachability of explicit error states example - concurrent pushers

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 3 / 41

MODEL

CLASSES

context checking by Petri net theory verification by temporal logics performance prediction reliability prediction

PETRI NETS

PLACE/TRANSITION

(COLOURED PN)

TIME-DEPENDENT PN TIME PETRI NET STOCHASTIC

PETRI NET PETRI NET

worst-case evaluation

CONTINUOUS

PETRI NET

ODEs

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 4 / 41

WHICH KIND OF TIME MODEL? (1) ❑ atomic sequential program parts -> transitions

• >

time assigned to transitions ❑ as simple as possible

• >

timed nets [Ramchandani 74]

• >

duration nets (D nets, DPN) ❑ duration nets

• >

constant times assigned to transitions

• >

token reservation

• >

firing consumes time after a or b time units begin of firing end of firing,

<a> <b> <a> <b> <a> <b>

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 5 / 41

IMMEDIATE TRANSITIONS ❑ zero (insignificant) time consumption ❑ time deadlocks (-> ZENONESS) ❑ time deadlock = state from which

• >

no transient state is reachable

• >
• r: no state is reachable

where the system clock is able to advance ❑ infinitely many firings in zero times ❑ inconsistent time constraints ! ❑ How to avoid time deadlocks?

• >

invariants ?

• >

OPEN PROBLEM !

[Starke 95] t3 t2 t1 p2 p3 p1 <0> <0> <1>

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 6 / 41

HOW TO ANALYSE DURATION NETS? ❑ time is running

• >

change of the fire rule pn tpn t may fire

• >

t must fire single step

• >

maximal step ❑ special case: duration of all transitions = 1 time unit

• >

reachability graph construction under the maximal step firing rule ❑ else: transformation into special case

d > 2 d-2 d-2 <1> <1> <1> free <1> <1> <1> <3> free

sandglass

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 7 / 41

THE INFLUENCE OF TIME EXAMPLE 1 (SYSTEM DEADLOCK),

PETRI NET

P2_repeat P1_repeat P2_downB P2_upB P2_downA P2_upA P1_upB P1_downB P1_upA P1_downA b5 a1 b1 b2 b3 b4 B a4 a3 a2 A a5

INA ORD HOM NBM PUR CSV SCF CON SC Ft0 tF0 Fp0 pF0 MG SM FC EFC ES Y Y Y Y N N Y Y N N N N N N N N Y DTP SMC SMD SMA CPI CTI B SB REV DSt BSt DTr DCF L LV L&S N Y Y N Y Y Y Y N Y ? N N N N N

different initial marking !

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 8 / 41

EXAMPLE 1 SYSTEM DEADLOCK, MAX STEP RG = RG(DPN)

DSt (pn) -> not DSt (tpn)

a1, b4, A P1_downA, P2_upB a2, b5, B P1_downB, P2_repeat P1_upB P1_upA, P2_downB P1_repeat, P2_downA P2_upA a3, b1 a4, b1, B a5, b2, A a1, b3

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 9 / 41

EXAMPLE 1 SYSTEM DEADLOCK, REACHABILITY GRAPH

P1_downA P2_repeat P2_repeat P2_repeat P2_repeat P1_ P1_upB P1_upA P1_ P2_upB P2_upB P2_upA P2_downA P1_upA P2_downA P1_downA P2_upA P2_upB P2_repeat P2_repeat P1_repeat P1_repeat P2_upB P1_repeat P2_upA P1_ P2_downA P2_downB P1_repeat P2_downB P1_ P1_upB P2_downB P1_downB P2_downB P1_downA 16 14 10 11 1 2 3 4 12 13 15 1 5 10 14 9 16 8 17 7 6 1 5 19 4 3 17 2 1 18

DEAD STATE

19 nodes, 32 arcs

downA downB repeat upA

RG (tpn)

6 nodes, 6 arcs

RG (pn)

INIT STATE

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 10 / 41

THE INFLUENCE OF TIME, EXAMPLE 2

not BND (pn) -> BND (tpn) not DTr (pn) -> DTr (tpn)

consumer service producer

C_wait_m2 S_repeat S_wait_m2 S_wait_m1 P_signal_m2 P_signal_m1 c1 p2 p1 m2 m1 s2 s1

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 11 / 41

EXAMPLE 2, COVERABILITY GRAPH ❑ not BND, simultaneously unbounded in m1 and m2 ❑ LIVE

p1, s1, c1, oo, oo p2, s1, c1, oo, oo p2, s2, c1, oo, oo p1, s2, c1, oo, oo P_signal_m1 P_signal_m2 S_repeat S_repeat P_signal_m1 P_signal_m2 S_wait_m1 S_wait_m2 S_wait_m1 S_wait_m2 C_wait_m2 C_wait_m2 C_wait_m2 C_wait_m2

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 12 / 41

EXAMPLE 2, MAX STEP RG = RG(TPN) ❑ BND,

• >

cycle time(p) = 2

• >

cycle time (s) = 2

• >

cycle time (c) = 1 ❑ not LIVE

• >

TSCC does not contain S_wait_m2

• >

S_wait_m2 is m0-dead p1, s1, c1 p2, s1, c1, m1 p1, s2, c1, m2 P_signal_m1 P_signal_m2 S_repeat P_signal_m1 C_wait_m2 S_wait_m1 TSCC

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 13 / 41

EXAMPLES, SUMMARY ❑ example 1

• >

DSt (pn)

• >

not DSt (tpn) ❑ example 2

• >

not BND (pn) -> BND (tpn)

• >

not DTr (pn)

• >

DTr (tpn) ❑ generally ❑ BUT, for Petri net based system validation, we are only interested in the conclusions PN TPN T → TIME prop(pn) prop(tpn) RG (pn) RG (tpn)

⊇

prop(pn) prop(tpn) ??

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 14 / 41

THE INFLUENCE OF TIME ON QUALITATIVE PROPERTIES TIME-INSENSITIVE RESULTS ❑ BND (pn)

• >

BND (tpn)

• k

❑ not DSt (pn)

• >

not DSt (tpn)

• k

❑ DTrm0 (pn)

• >

DTrm0 (tpn)

• k

TIME-SENSITIVE RESULTS ❑ not BND (pn)

• >

BND (tpn)

• k

❑ DSt (pn)

• >

not DSt (tpn)

• k

❑ live (pn)

• >

not live (tpn) ko ? ❑ REV (pn)

• >

not REV (TPN) ko ? ❑ not REV (pn)

• >

REV (tpn)

• k

SUMMARY ❑ ❑

EF -properties: prop (pn) -> prop (tpn) AG EF-properties: prop (pn) <- prop (tpn)

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 15 / 41

PROBE EFFECT ❑

• bservation -

the system exhibits in test mode other (less) behaviour than in standard operation mode ❑ cause - sw test means (debugger) affect the timing behaviour ❑ result - masking of certain types of system behaviour / bugs

• >

DSt (pn)

• > not DSt (tpn)
• >

live (pn)

• > not live (tpn)
• >

not BND (pn) -> BND (tpn)

• >

not REV (pn) -> REV (tpn) ❑ consequence - systematic & exhaustive testing

• f concurrent systems is generally impossible

❑ wayout - qualitative models considering any timing behaviour

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 16 / 41

TIME-INVARIANT NET STRUCTURES ❑ time-invariant == time independently live ❑ D nets [Starke 90]

• >

homogeneous ES nets ❑ generalization ?

• >

behavioural ES nets ? ❑ troublemaker - confusing combination of channel and control flow conflicts

• > “The problem is choice !”

allowed not allowed

t1 t2 t3 m1 m2

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 17 / 41

CONFUSION ❑ concurrency and conflict overlap

• >
• >

t1 # t2 and t2 # t3, but t1 concurrent to t3 ❑ case 1: t1 < t3

• >

conflict t2 # t3 disappears, firing of t3 does not involve a conflict decision ❑ case 2: t3 < t1

• >

conflict t2 # t3 exists, firing of t3 involves a conflict decision ❑ the interleaving sequences of concurrency may encounter different amount of decisions ❑ an observer outside of the system does not know whether a decision took place or not t1 t2 t3

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 18 / 41

ARE THERE

TIME-INVARIANT SOFTWARE STRUCTURES ?

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 19 / 41

INFLUENCE OF COMMUNICATION PATTERNS ON NET STRUCTURE CLASSES

❑ simplified view

• >

provided, pre- and postprocesses do not access the same communication object from different control points addressing waiting\ direct / semi-direct-by- sender indirect / semi-direct-by- receiver determininistic EFC ES non-deterministic ES ICP known to be time-independently live [Starke 90] i.e. a live net remains live under any constant delay timing.

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 20 / 41

INFLUENCE OF COMMUNICATION PATTERNS ON CONFLICT STRUCTURES

\addressing waiting direct / semi-direct-by- sender indirect / semi-direct-by- receive deterministic no dynamic channel & control flow conflicts appear only separately non-deterministic channel conflicts confusing combination of channel & control flow conflicts possible

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 21 / 41

WHICH KIND OF TIME MODEL ? (2) ❑ adequate characterization of time consumption

• >

alternatives, iterations

• >

time nets, [Merlin 74] interval nets, I nets ❑ structural simplicity, e. g. alternative as duration net interval net (with token reservation) (no token reservation ) (constant times) (interval times) (firing consumes time) (firing itself timeless) working time reaction time ❑ duration interval net, DI net

• >

interval times

• >

with token reservation

• >

firing consumes time

a [ ] b [ ] a a , [ ] 0 0 , [ ] b b , [ ] 0 0 , [ ]

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 22 / 41

NON-STOCHASTIC T-TIME-DEPENDENT PETRI NETS, OVERVIEW

WORKING TIME

(token reservation)

REACTION TIME

(no token reservation) constant timed nets [Ramchandani 74]

• > (working time)

duration nets

D NETS

• / -
• > reaction time

duration nets ? interval

• / -
• > working time

interval nets

DI NETS

time nets [Merlin 74]

• > (reaction time)

interval nets

I NETS

times firing principle

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 23 / 41

RELATION OF TIME-DEPENDENT PETRI NETS

(TRANSITION → TIME)

I NETS D NETS DI NETS

CONJECTURE !

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 24 / 41

TRANSFORMATION DI NET -> I / D NET

(2) t2_free t1_free <5> <4> t1_2 <2> p1 t1_1 <1> <3> p2 t2_free t1_free t2_run t1_run [0,0] [0,0] p1 t1 [1,2] t2 [3,5] p2 p2 t2 [3,5] t1 [1,2] p1

DI NET I NET D NET

t2_3 t2_4 t2_5

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 25 / 41

ZERO TEST FOR TURING POWER

test t5 <1> t4 <1> t3 <1> t2 <1> t1 <1> p pFalse pTrue p test tTrue [1,1] tFalse [2,2] pTrue pFalse pFalse pTrue tFalse tTrue test p

PETRI NET ? I NET D NET

False: t1, t2, t4 True:t1, t2+t3, t5

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 26 / 41

TIME-INVARIANT NET STRUCTURES (I NETS) A live Petri net remains live under any timing, [Popova 95] ❑ if it is persistent, ❑ if the earliest firing time of all transitions is zero ❑ if the latest firing time of all transitions is infinite ❑ if it is an homogeneous & timely homogeneous EFC without purely immediate transitions ❑ if it is an homogeneous & timely homogeneous behaviourally free choice net without purely immediate transitions. pre(t1) pre(t2) -> AG (enabled(t1) ⇔ enabled(t2))

p3 p2 t2 t1 [1,2] [3,4] p3 p2 t2 t1 p1 2 3 [1,3] [2,4]

not homogeneous not timely homogeneous

p2 4 4 p1 2 2 p2 4 4

∩

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 27 / 41

WORST-CASE EVALUATION WITH DI NETS, INPUT PARAMETERS ❑ time consumption of sequential program parts at least l time units (lower bound of duration time, low(tij) = l ) at most m time units (upper bound of duration time, upp(tij) = m )

• r any (continuous) time in between

measured by monitoring OR calculated from computer instructions ❑ no explicit branching probabilities i j tij = l m [ , ]

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 28 / 41

COMMUNICATION TIME MODEL (of communication medium) transmission time time to write into channel time to read from channel receiving sending

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 29 / 41

WORST-CASE EVALUATION WITH DI NETS OUTPUT PARAMETERS ❑ min execution duration (shortest path), max execution duration (largest path) ❑

• esp. valuable for systems

which require predictable timing behaviour (to meet given deadlines) ❑ calculations can be based on discrete reachability graph (only integer states)

• >

INA begin end tbegin end , min max , [ ] =

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 30 / 41

COMPUTATION OF MINIMAL PATH BY LOWER BOUNDS ONLY, COUNTER EXAMPLE

weimar fast_train [2,3] slow_train [10,12] in_fast_train in_slow_train take_fast_train [1,1] take_slow_train [1,1] leipzig2 leipzig1 berlin2leipzig [4,6] dresden2leipzig [3,4] berlin dresden

min_duration(dresden, weimar): D net with lower bounds only: 14 DI net with lower and upper bounds: 7

• > maximal path by upper bounds only ? (!)

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 31 / 41

COUNTER EXAMPLE AS D NET

fast_train <3> <12> <11> berlin2leipzig <6> <5> <4> <2> slow_train <10> take_fast_train <1> take_slow_train <1> <4> dresden2leipzig <3> weimar in_fast_train in_slow_train leipzig2 leipzig1 berlin dresden

troublemaker

• verlapping time windows of

dresden2leipzig & berlin2leipzig

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 32 / 41

STRUCTURAL COMPRESSION OF WELL-FORMED NET STRUCTURES, EXAMPLE

endloop [0,0] a4 [3,8] endpar [1,2] a7 [1,4] a5 [1,1] a2 [3,5] a6 [3,4] a3 [1,5] a1 [2,3] par [2,3] p33 p23 p13 loop endif p12 p11 p31 if init (0,5)

number of iterations

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 33 / 41

STRUCTURAL COMPRESSION OF WELL-FORMED NET STRUCTURES, EXAMPLE (CONT.)

endpar [1,2] a7+endloop [0,20] a5 [1,1] a2 [3,5] a6 [3,4] a3+a4 [1,8] a1 [2,3] par [2,3] p33 p23 p13 loop endif p12 p11 p31 if init cycle [8,29] par [2,3] a1*a2,(a3+a4)*a5 [5,24] endpar [1,2] endpar [1,2] a6*(a7+endloop) [3,24] (a3+a4)*a5 [2,9] a1*a2 [5,8] par [2,3] init init if p23 p33 p23 p13 p11 p31 if init a6*(a7+endloop)

(1) (2) (3) (4)

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 34 / 41

STRUCTURAL COMPRESSION OF WELL-FORMED NET STRUCTURES, GENERAL j i i k j tik= tkj=

= =

a b , [ ] a b , [ ] c d , [ ] c d , [ ] min a c

,

( ) max b d

,

( ) [ , ] = c c , [ ] = a b , [ ]

=

{m

lower bound n

• f iterations given

upper assumption: tij tij tij= t''ij= t'ij tij

{ } }

tij j j i i a c + b d + [ , ] m a c + ⋅ n b c + ⋅ [ , ] tii

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 35 / 41

STRUCTURAL COMPRESSION OF WELL-FORMED NET STRUCTURES, GENERAL (CONT.) tij j i i i’ j’ j tii ti’j’ tjj tjj ti2j2 ti1j1 tii j j2 j1 i2 i1 i ti’j’ = [ max( low(ti1j1), low(ti2j2) ), max( upp(ti1j1), upp(ti2j2) )] tij = [ low(tii) + low(ti’j’) + low(tjj), upp(tii) + upp(ti’j’) + upp(tjj)]

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 36 / 41

EXAMPLE - INTERVAL EVALUATION OF NON-WELL-FORMED STRUCTURES, BUT 1-BOUNDED, ACYCLIC, ...

t11 [3,7] t10 [6,15] p13 p11 t7 [1,1] t12 [4,8] t4 [4,9] t5 [1,11] t2 [1,5] t8 [7,11] t9 [6,9] t6 [4,6] t3 [4,7] t1 [2,6] t0 [1,9] p6 p8 p4 p5 p2 p12 p10 p9 p7 p3 p1 p0 [Reske 95, p. 92] [1,9] [1,9] [3,15] [7,22] [2,14] [2,14] [6,23] [11,28] [7,24] [17,37] [14,34] [13,39] [3,25] [20,46] [17,39] [14,34] [18,42] [18,46] cycle time [7,23]

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 37 / 41

INTERVAL EVALUATION, GENERAL PROCEDURE ❑ net structure transformation [ first state -> init state ] [ last state -> dead state ] resolution of (unlimited) cycles, if any ❑ net type transformation DI net

• >

I net

• r

DI net

• >

D net; ❑ determine (set of) state numbers of first state last state

• f the path to be measured;

❑ evaluation of reachability graph

OR ?

• ther descriptions of all possible behaviours

prefix of branching processes concurrent automaton

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 38 / 41

EXAMPLE OF

NET STRUCTURE TRANSFORMATION

endloop [0,0] a4 [3,8] endpar [1,2] a7 [1,4] a5 [1,1] a2 [3,5] a6 [3,4] a3 [1,5] a1 [2,3] par [2,3] count end p33 p23 p13 loop endif p12 p11 p31 if init (0,5)

MIN ( pathes(init, any dead state) ); MAX ( pathes(init, any dead state) );

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 39 / 41

ENVIRONMENT MODEL, WITH EXPLICIT ERROR STATES PUSHER with error states

too_farF too_nearF basic2near too_near too_far ext2far R2_on R1_on basic norm ext basic2norm norm2basic norm2ext ext2norm

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 40 / 41

CONCURRENT PUSHERS,

(PART OF THE) REACHABILITY GRAPH

step1, R1_on, too_far init, R1_off, basic step1, R1_on, ext tr1; R1_set_on; step2, R1_on, ext step3, R1_off, ext step2, R1_on, too_far tr2 R1_set_off; tr3 ext2far ext2far bad state! Remark: Only the interesting parts

• f the markings are shown.

bad state!

• > (preemptive) interval nets

unreachability of bad states, mo-dead(ext2far) if:

lft tr2 ( ) eft ext2far ( ) ∧ < lft R1_set_off ( ) eft ext2far ( ) <

dependability engineering with time-dependent Petri nets WS 2018 monika.heiner@b-tu.de 12 - 41 / 41

REFERENCES

[Bause 96] Bause; F.; Kritzinger, P. S.: Stochastic Petri Nets, An Introduction to the Theory; Vieweg 1996. [Heiner 97a] Heiner, M., Popova-Zeugmann, P.: Worst-case Analysis of Concurrent Systems with Duration Interval Petri Nets;

• Proc. 5. Fachtagung Entwurf komplexer Automatisierungssysteme (EKA ’97), Braunschweig,

May 1997, pp. 162-179. [Heiner 97b]

• Heiner. M.; Popova-Zeugmann, L.:

On Integration of Qualitative and Quantitative Analysis of Manufacturing Systems Using Petri Nets;

• Proc. 42. Int. wissenschaftliches Kolloquium (IWK ’97), Ilmenau, September 1997, Vol. 1, pp.

557-562. [Merlin 74] Merlin, P.: A Study of the Recoverability of Communication Protocols; PhD Thesis, Univ. of California, Computer Science Dep., Irvine, 1974. [Popova 91] Popova, L.: On Time Petri Nets;

• J. Information Processing and Cybernetics EIK 27(91)4, 227-244.

[Popova 94] Popova-Zeugmann, L.: On Time Invariance in Time Petri Nets; Humboldt University at Berlin, Informatik-Bericht No. 39, December 1994. [Popova 95] Popova, L.: On Liveness and Boundedness in Time Petri Nets;

• Proc. CSP ‘95 Workshop, Warsaw, October 1995, pp. 136-145.

[Ramchandani 74] Ramchandani, C.: Analysis of Asynchronous Concurrrent Systems Using Petri Nets; PhD Thesis, MIT, TR 120, Cambridge (Mass.), 1974. [Starke 90] Starke, P. H.: Analysis of Petri Net Models (in German); B.G.Teubner 1990. [Starke 95] Starke, P.: A Memo On Time Constraints in Petri Nets; Humboldt-University zu Berlin, Informatik-Bericht Nr. 46, August 1995.