Robustness of Time Petri Nets under Guard Enlargement 1 .A Reyniers ( - PowerPoint PPT Presentation

Robustness of Time Petri Nets under Guard Enlargement 1 .A Reyniers ( 1 ) S. Akshay ( 2 , 3 , 4 ) et ( 3 , 4 ) C. Jard ( 2 , 3 , 4 ) P L. H´ elou¨ ( 1 ) Aix-Marseille Universit´ e, CNRS, LIF, UMR 7279, Marseille, France ( 2 ) ENS Cachan Bretagne, Rennes, France ( 3 ) IRISA, Rennes, France ( 4 ) INRIA Rennnes, France September 2012 1. Work funded by the ANR IMPRO

Motivations Many models have an idealized model of time exact measurement of time, exact and instantaneous firing times, no clock drift, ... But in the real world : ”firing a after 10 ms” may mean ”firing a after 10.0001 ms”’ (clock imprecision) different clocks can measure time on distinct machines with their own pace (clocks drift) ... Ensuring M | = φ can improve one’s confidence, but does it say anything about φ in an implementation of M ?

Enlargement in timed automata [Puri00] x < 2 R = { } x y > x := 1 x = 0, 2 l l err 1 2 y := 0 y > 2 R = { } y l l 1 2 3 3 2 2 1 1 0 1 2 3 0 1 2 3

Enlargement in timed automata [Puri00] x < 2 + D R = { } x , x := 1 x < D - D y > 2 l l err 1 2 y := 0 y > 2 - D R = { } y l l 1 2 3 3 2 2 1 1 0 1 2 3 0 1 2 3

Enlargement in timed automata A = ( L , ℓ ′ , X , E , Inv ) L locations, X clocks, E : transitions ( l , γ, a , R , l ′ ) , Inv invariants. � A � : semantics of A (Timed Transition System) L ( A ) : untimed language of A Reach ( A ) : reachable locations of A . A ∆ : ∆ -enlarged version of A . Lemma 1 (Monotony) Let A be a T.A., ∆ ≤ ∆ ′ ∈ R ≥ 0 . We have � A ∆ � � � A ∆ ′ � . Theorem [BouyerMS11] Let A be a T.A, S be a subset of locations of A . One can decide whether there exists ∆ ∈ Q > 0 such that Reach ( A ∆ ) ∩ S = ∅ . Theorem [BouyerMS11] Robust model checking of ω -regular properties ( ∃ ?∆ ∈ Q > 0 , A ∆ | = φ ) is PSPACE-complete.

Summary of the presentation Questions : Are there similar problems for Time Petri nets ? Can we decide similar results ? Contributions of this work Robustness in Time Petri nets (w.r.t enlargement) Specific robustness issues due to concurrency Robustness issues are in general undecidable for Time Petri nets Identify several decidable subclasses of nets for which robustness is guaranteed or decidable.

Outline Time Petri Nets and their Enlargement 1 Robustness problems 2 Robust translation from TPN to TA 3 Robustly bounded TPNs 4 Untimed Language Robustness 5 Conclusion & Future Work 6

Time Petri Nets Time Petri net (over Σ ε ) N = ( P , T , • ( . ) , ( . ) • , m 0 , Λ , I ) P finite set of places , T finite set of transitions with P ∩ T = ∅ , • ( . ) ∈ ( N P ) T : backward incidence mapping, ( . ) • ∈ ( N P ) T is the forward incidence mapping, m 0 ∈ N P is the initial marking, Λ : T → Σ ε labeling function I : T �→ I ( Q ≥ 0 ) (time constraint) t �→ I ( t ) = [ α ( t ) , β ( t )] (firing interval, can be open) . [0, ) 8 a p 0 c b (1,4] [2, ) 8 p p 2 1

Time Petri Nets : semantics configuration of a TPN : ( m , ν ) m ∈ N P : marking t is enabled in m if m ≥ • t . En ( m ) = set of enabled transitions in m . ν : En ( m ) �→ R + (valuation) ν ( t ) = time elapsed since transition t was last enabled. Admissible configurations ADM ( N ) = { ( m , ν ) | ∀ t ∈ En ( m ) , ν ( t ) ∈ I ( t ) ↓ } . Configurations in which no enabled transition violates its upper constraint. Note 1 : I ( t ) ↓ = [ 0 , β ( t )) or [ 0 , β ( t )] Note 2 : Some configurations of ADM ( N ) are not reachable

Time Petri Nets : semantics t → ( m ′ , ν ′ ) Discrete transitions : ( m , ν ) − t can be fired from ( m , ν ) if t ∈ En ( m ) (usual firing rule of PN) ν ( t ) ∈ I ( t ) (time constraints satisfied). result of firing : m ′ = m − • t + t • t ′ is newly enabled by firing of t from m , (noted ↑ enabled ( t ′ , m , t ) ) iff : t ′ ∈ En ( m − • t + t • ) ∧ (( t ′ �∈ En ( m − • t )) ∨ t = t ′ ) � 0 if t i newly enabled for all t i , ν ′ ( t i ) = ν ( t i ) otherwise d Timed transitions : ( m , ν ) − → ( m , ν + d ) d time units can elapse in ( m , ν ) iff ∀ t ∈ En ( m ) , ν ( t ) + d ∈ I ( t ) ↓ time can progress when no clock leaves the firing interval of is associated (enabled) transition.

Time Petri Nets : semantics semantics of a TPN N � N � = ( Q , q 0 , → ) where Q = ADM ( N ) , q 0 = ( m 0 , 0 ) → is defined by : d delay moves : ( m , ν ) − → ( m , ν + d ) Λ( t ) t → ( m ′ , ν ′ ) iff ( m , ν ) → ( m ′ , ν ′ ) − − − discrete moves : ( m , ν ) L ( N ) = untimed language of � N � .(Regular in N bounded) a 1 a 2 b • − → • − → • − → • − → • − → • [0, ) 8 allowed by N a p 0 a 1 a 5 c • − → • − → • − → • − → • − → • c not allowed by N b (1,4] [2, ) 8 (urgency) p p 2 1

Time Petri Nets : undecidability Theorem 1 (PN UNDEC) Boundedness, Reachability, coverability of a marking are undecidable for TPNs Proof idea : Encode a counter machine M with a TPN N M N M t' t t ++ t =0 , [2 , 3] q i q j q i q l p p q q 0 [0, ) [0, ) f f 0 8 8 c k q j c k t > 0 , [0 , 1] Reachability Boundedness � N is bounded 1 if p = p f m ( p ) = : coverable ⇔ N M is bounded 0 otherwise ⇔ M is bounded ⇔ q f is reachable in N M ⇔ M can reach q f /halts

Time Petri nets : enlargement Enlargement in TPNs N = ( P , T , • ( . ) , ( . ) • , m 0 , Λ , I ) Let i = [ α, β ] ∈ I be an interval, ∆ ∈ R ≥ 0 i ∆ = [ max ( 0 , α − ∆) , β + ∆ ] I ∆ = { i ∆ | i ∈ I } The enlargement of N by ∆ is the net N ∆ = ( P , T , • ( . ) , ( . ) • , m 0 , Λ , I ∆ ) lemma 2 (Monotony) Let N be a TPN and ∆ ≤ ∆ ′ ∈ R ≥ 0 . We have � N ∆ � � � N ∆ ′ � . If N verifies a safety property for some perturbation ∆ 0 , it will also verify this property for any ∆ ≤ ∆ 0 .

Robustness problems for TPNs Robust Boundedness Given a bounded TPN N , does there exist ∆ ∈ Q > 0 such that N ∆ is bounded ? N is robustly bounded if ∆ exists Robust safety : Given a bounded TPN N and a marking m ∈ N P , does there exists ∆ ∈ Q > 0 s.t., Reach ( N ∆ ) does not cover m . Robust Untimed language preservation : Given a bounded TPN N , does there exist ∆ ∈ Q > 0 such that L ( N ∆ ) = L ( N ) ? p 0 L ( N 0 ) = { a } For any ∆ > 0 L ( N 0 ∆ ) = { a , b } a [1,2) b [2,3] Such situations are easy to check. We can also decide to p p 2 1 work with closed intervals. N 0 =

Robustness problems for TPNs Robust Boundedness Given a bounded TPN N , does there exist ∆ ∈ Q > 0 such that N ∆ is bounded ? N is robustly bounded if ∆ exists Robust safety : Given a bounded TPN N and a marking m ∈ N P , does there exists ∆ ∈ Q > 0 s.t., Reach ( N ∆ ) does not cover m . Robust Untimed language preservation : Given a bounded TPN N , does there exist ∆ ∈ Q > 0 such that L ( N ∆ ) = L ( N ) ? p 0 L ( N 0 ) = { a } For any ∆ > 0 L ( N 0 ∆ ) = { a , b } a [1,2) b [2,3] Such situations are easy to check. We can also decide to p p 2 1 work with closed intervals. N 0 =

Robustness problems for TPNs Robust Boundedness Given a bounded TPN N , does there exist ∆ ∈ Q > 0 such that N ∆ is bounded ? N is robustly bounded if ∆ exists Robust safety : Given a bounded TPN N and a marking m ∈ N P , does there exists ∆ ∈ Q > 0 s.t., Reach ( N ∆ ) does not cover m . Robust Untimed language preservation : Given a bounded TPN N , does there exist ∆ ∈ Q > 0 such that L ( N ∆ ) = L ( N ) ? p 0 L ( N 0 ) = { a } For any ∆ > 0 L ( N 0 ∆ ) = { a , b } a [1,2) b [2,3] Such situations are easy to check. We can also decide to p p 2 1 work with closed intervals. N 0 =

Robustness problems for TPNs [0 , 2] [0 , 2] • t 1 t 3 [1 , 2] a ′ [2 , 3] a [2 , 3] [1 , 2] b ′ b • p 1 p 2 [0 , 1] [1 , ∞ ) [0 , 1] t 2 t t 4 N 1 = red a a',b b' a a a',b b' b' p 1 red �∈ Reach ( N 1 ) p 2 0 1 2 3 4 5 6 7 8

Robustness problems for TPNs [0 , 2] [0 , 2] • t 1 t 3 [1 , 2] a ′ [2 , 3] a [2 , 3] [1 , 2] b ′ b • p 1 p 2 [0 , 1] [1 , ∞ ) [0 , 1] t 2 t t 4 N 1 = red a a a,b b' a' b b' a' b t red �∈ Reach ( N 1 ) p 1 but p For any ∆ > 0 , 2 red ∈ Reach ( N 1 ∆ ) D D 0 1 2 33 + 5 6 6 + 2. n+1=n + k. D D D

Undecidability of Robustness As boundedness, reachability, etc are undecidable : Theorem 2 (PN ROB-UNDEC) Robust boundedness, robust untimed language preservation, and robust safety are undecidable for TPNs p a 1 N M a b a [0, ) a.....a 8 p p q q [2, ) f 0 f 8 [0, ) [0, 2 ) 0 8 L ( N ) = a ∗ : N is bounded : N robustly bounded N is language robust ⇔ ∃ ∆ , N ∆ bounded ∃ ∆ , L ( N ∆ ) = a ∗ . b ⇔ ⇔ N M bounded ⇔ q f not reachable in M