SLIDE 1 Robustness of Time Petri Nets under Guard Enlargement*
P.-A. Reynier (1), L. Hélouët (3,4)
(1) Aix-Marseille Université, CNRS, LIF, UMR 7279, Marseille, France
(2) ENS Cachan Bretagne, Rennes, France (3) IRISA, Rennes, France (4) INRIA Rennes, France
September 2012
* Work funded by the ANR IMPRO
SLIDE 2 Motivations
Many models have an idealized model of time: exact measurement of time, exact and instantaneous firing times, no clock drift, ... But in the real world, "firing a after 10 ms" may mean "firing a after 10.0001 ms" (clock imprecision), and different clocks on distinct machines can measure time with their ...
Ensuring M ⊨ φ can improve one's confidence, but does it say anything about φ in an implementation of M?
SLIDE 3 Enlargement in timed automata [Puri00]
[Figure: Puri's example automaton with locations l1, l2 and an error location err, clocks x and y, guards of the form x < 2 and y > 2 with clock resets; next to it, the diagram of its reachable clock region.]
SLIDE 4 Enlargement in timed automata [Puri00]
[Figure: the same automaton with its guards enlarged by ∆ (x < 2 + ∆, y > 2 − ∆); the reachable region now grows and err becomes reachable.]
SLIDE 5 Enlargement in timed automata
A = (L, ℓ0, X, E, Inv): L locations, X clocks, E transitions (ℓ, γ, a, R, ℓ′), Inv invariants. ⟦A⟧: semantics of A (timed transition system). L(A): untimed language of A. Reach(A): reachable locations of A.
A∆: ∆-enlarged version of A (each guard bound relaxed by ∆).
Lemma 1 (Monotony) Let A be a TA and ∆ ≤ ∆′ ∈ R≥0. We have ⟦A∆⟧ ⊆ ⟦A∆′⟧ (every behaviour of A∆ is a behaviour of A∆′).
Theorem [BouyerMS11] Let A be a TA and S a subset of locations of A. One can decide whether there exists ∆ ∈ Q>0 such that Reach(A∆) ∩ S = ∅.
Theorem [BouyerMS11] Robust model checking of ω-regular properties (∃?∆ ∈ Q>0, A∆ ⊨ φ) is PSPACE-complete.
SLIDE 6 Summary of the presentation
Questions: Are there similar problems for Time Petri nets? Can similar results be obtained, and are they decidable?
Contributions of this work: robustness in Time Petri nets (w.r.t. enlargement); specific robustness issues due to concurrency; robustness issues are in general undecidable for Time Petri nets; identification of several decidable subclasses of nets for which robustness is guaranteed or decidable.
SLIDE 7 Outline
1. Time Petri Nets and their Enlargement
2. Robustness problems
3. Robust translation from TPN to TA
4. Robustly bounded TPNs
5. Untimed Language Robustness
6. Conclusion & Future Work
SLIDE 8 Time Petri Nets
Time Petri net (over Σε): N = (P, T, •(.), (.)•, m0, Λ, I), where
P is a finite set of places, T a finite set of transitions with P ∩ T = ∅,
•(.) ∈ (N^P)^T is the backward incidence mapping,
(.)• ∈ (N^P)^T is the forward incidence mapping,
m0 ∈ N^P is the initial marking,
Λ : T → Σε is the labeling function,
I : T → I(Q≥0) is the time constraint: t ↦ I(t) = [α(t), β(t)] (firing interval; its bounds may be open and β(t) may be ∞).
[Figure: example net with places p, p1, p2 and transitions a, b, c carrying the firing intervals (1,4], [2,∞) and [0,∞).]
SLIDE 9 Time Petri Nets : semantics
Configuration of a TPN: (m, ν) with m ∈ N^P a marking and ν a valuation. t is enabled in m if m ≥ •t; En(m) = set of transitions enabled in m. ν : En(m) → R+, ν(t) = time elapsed since transition t was last enabled.
Admissible configurations: ADM(N) = {(m, ν) | ∀t ∈ En(m), ν(t) ∈ I(t)↓}, i.e. configurations in which no enabled transition violates its upper constraint.
Note 1: I(t)↓ = [0, β(t)) or [0, β(t)], according to whether I(t) is open or closed on the right.
Note 2: some configurations of ADM(N) are not reachable.
SLIDE 10 Time Petri Nets : semantics
Discrete transitions: (m, ν) −t→ (m′, ν′). t can be fired from (m, ν) if t ∈ En(m) (usual firing rule of Petri nets) and ν(t) ∈ I(t) (time constraint satisfied). Result of firing: m′ = m − •t + t•.
t′ is newly enabled by the firing of t from m (noted ↑enabled(t′, m, t)) iff t′ ∈ En(m − •t + t•) ∧ (t′ ∉ En(m − •t) ∨ t = t′).
For all ti ∈ En(m′): ν′(ti) = 0 if ti is newly enabled, ν(ti) otherwise.
Timed transitions: (m, ν) −d→ (m, ν + d). d time units can elapse in (m, ν) iff ∀t ∈ En(m), ν(t) + d ∈ I(t)↓: time can progress only while no clock leaves the firing interval of its associated (enabled) transition.
SLIDE 11 Time Petri Nets : semantics
Semantics of a TPN N: ⟦N⟧ = (Q, q0, →) where Q = ADM(N), q0 = (m0, 0) and → is defined by:
delay moves: (m, ν) −d→ (m, ν + d);
discrete moves: (m, ν) −Λ(t)→ (m′, ν′) iff (m, ν) −t→ (m′, ν′).
L(N) = untimed language of N (regular if N is bounded).
[Figure: the example net of slide 8 again (places p, p1, p2; transitions a, b, c with intervals (1,4], [2,∞), [0,∞)).]
Example runs: • −1→ • −a→ • −2→ • −b→ • is allowed by N;
• −1→ • −a→ • −5→ • −c→ • is not allowed by N (urgency: waiting 5 time units would push an enabled transition past its upper bound, so the delay itself is forbidden).
SLIDE 12 Time Petri Nets : undecidability
Theorem 1 (PN UNDEC) Boundedness, reachability and coverability of a marking are undecidable for TPNs.
Proof idea: encode a counter machine M with a TPN N_M.
[Figure: gadgets of the encoding: an increment qi → qj of counter ck, and a zero test on ck from qi to qj (ck = 0, interval [2,3]) or ql (ck > 0, interval [0,1]); the states of M, in particular the final state qf, become places, linked by [0,∞) transitions t and t′.]
Reachability: the marking m with m(p) = 1 if p = qf and m(p) = 0 otherwise is coverable ⇔ qf is reachable in N_M ⇔ M can reach qf (halts).
Boundedness: N_M is bounded ⇔ M is bounded.
SLIDE 13 Time Petri nets : enlargement
Enlargement in TPNs. Let N = (P, T, •(.), (.)•, m0, Λ, I), i = [α, β] ∈ I an interval and ∆ ∈ R≥0. i∆ = [max(0, α − ∆), β + ∆] (an open bound stays open, a closed one stays closed), I∆ = {i∆ | i ∈ I}. The enlargement of N by ∆ is the net N∆ = (P, T, •(.), (.)•, m0, Λ, I∆).
Lemma 2 (Monotony) Let N be a TPN and ∆ ≤ ∆′ ∈ R≥0. We have ⟦N∆⟧ ⊆ ⟦N∆′⟧. Hence if N verifies a safety property for some perturbation ∆0, it also verifies this property for any ∆ ≤ ∆0.
SLIDE 14 Robustness problems for TPNs
Robust boundedness: given a bounded TPN N, does there exist ∆ ∈ Q>0 such that N∆ is bounded? N is robustly bounded if such a ∆ exists.
Robust safety: given a bounded TPN N and a marking m ∈ N^P, does there exist ∆ ∈ Q>0 such that Reach(N∆) does not cover m?
Robust untimed language preservation: given a bounded TPN N, does there exist ∆ ∈ Q>0 such that L(N∆) = L(N)?
Example: N0 = [net with one token in p and two conflicting transitions a : p → p1 with interval [1,2) and b : p → p2 with interval [2,3]]. L(N0) = {a}: time cannot reach 2 while a is enabled (open upper bound), so b never fires. But for any ∆ > 0, L(N0∆) = {a, b}: b becomes fireable at 2 − ∆, before the clock of a reaches 2 + ∆. Such situations are easy to check; we can also decide to work with closed intervals.
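The definitions of slides 9 to 14 (enabledness, urgency through I(t)↓, ↑enabled, enlargement) carried out in code on N0. This is an added example, not the authors' tool: the net encoding (pre/post incidence as dictionaries, intervals as (α, β, lo_closed, hi_closed) with β = None for ∞) and the helper names are assumptions of this example. It reproduces the claim above: b never fires in N0, but fires at 2 − ∆ in N0∆ with ∆ = 1/10.

```python
from fractions import Fraction as F

# Added illustration code (not the authors' tool): concrete TPN semantics with
# interval enlargement, applied to the net N0 of the slide above.
# Constructed encoding: pre/post incidence as dict place -> weight;
# iv[t] = (alpha, beta, lo_closed, hi_closed), beta = None meaning +inf.
# Delays must be exact rationals (Fraction or a string like "19/10"):
# with floats, 1.9 < 19/10 and a comparison against an enlarged bound silently fails.


class TPN:
    def __init__(self, places, pre, post, m0, iv):
        self.places = list(places)
        self.pre, self.post, self.m0, self.iv = pre, post, dict(m0), iv
        self.T = list(pre)

    def enlarge(self, delta):
        """N_delta: every [alpha, beta] becomes [max(0, alpha - delta), beta + delta];
        open/closed bounds keep their kind."""
        d = F(delta)
        iv = {t: (max(F(0), a - d), None if b is None else b + d, lc, hc)
              for t, (a, b, lc, hc) in self.iv.items()}
        return TPN(self.places, self.pre, self.post, self.m0, iv)

    def enabled(self, m):
        """En(m): transitions t with m >= •t."""
        return [t for t in self.T if all(m.get(p, 0) >= w for p, w in self.pre[t].items())]

    def in_interval(self, t, x):
        """x ∈ I(t)."""
        a, b, lc, hc = self.iv[t]
        return (x >= a if lc else x > a) and (b is None or (x <= b if hc else x < b))

    def in_down_closure(self, t, x):
        """x ∈ I(t)↓ = [0, beta) or [0, beta]: the admissibility condition of ADM(N)."""
        b, hc = self.iv[t][1], self.iv[t][3]
        return b is None or (x <= b if hc else x < b)

    def initial(self):
        """q0 = (m0, 0): every transition enabled in m0 has clock 0."""
        m = dict(self.m0)
        return m, {t: F(0) for t in self.enabled(m)}

    def delay(self, cfg, d):
        """Timed move (m, nu) -d-> (m, nu + d): allowed iff no enabled clock leaves I(t)↓
        (urgency: a transition with a finite upper bound blocks time at that bound)."""
        m, nu = cfg
        d = F(d)
        if d < 0 or any(not self.in_down_closure(t, x + d) for t, x in nu.items()):
            return None
        return m, {t: x + d for t, x in nu.items()}

    def fire(self, cfg, t):
        """Discrete move: t enabled with nu(t) ∈ I(t); m' = m - •t + t•;
        clocks of newly enabled transitions restart at 0, the others keep their value."""
        m, nu = cfg
        if t not in nu or not self.in_interval(t, nu[t]):
            return None
        mid = {p: m.get(p, 0) - self.pre[t].get(p, 0) for p in self.places}   # m - •t
        m2 = {p: mid[p] + self.post[t].get(p, 0) for p in self.places}        # m - •t + t•
        en_mid = set(self.enabled(mid))
        # ↑enabled(t', m, t): t' ∈ En(m2) and (t' ∉ En(m - •t) or t' = t)
        nu2 = {t2: (F(0) if (t2 not in en_mid or t2 == t) else nu[t2])
               for t2 in self.enabled(m2)}
        return m2, nu2

    def run(self, word):
        """Play a sequence mixing delays and transition names from q0; return the final
        configuration, or None as soon as a step is not allowed by the semantics."""
        cfg = self.initial()
        for step in word:
            cfg = self.fire(cfg, step) if step in self.T else self.delay(cfg, step)
            if cfg is None:
                return None
        return cfg


# N0 from the slide: one token in p; a : p -> p1 with [1,2), b : p -> p2 with [2,3].
N0 = TPN(["p", "p1", "p2"],
         pre={"a": {"p": 1}, "b": {"p": 1}}, post={"a": {"p1": 1}, "b": {"p2": 1}},
         m0={"p": 1},
         iv={"a": (F(1), F(2), True, False), "b": (F(2), F(3), True, True)})


def can_fire_b_after(net, d):
    """Is (m0, 0) -d-> . -b-> a run of net? Never in N0: time cannot reach 2 while a
    is enabled (open upper bound), and b needs at least 2. In N0 enlarged by delta,
    b is fireable at 2 - delta while a may still wait until 2 + delta."""
    return net.run([d, "b"]) is not None


def first_letters(net, horizon=F(10), step=F(1, 10)):
    """Transitions fireable as first action at some time k*step <= horizon.
    Exact for N0 and N0_{1/10} (all bounds are multiples of 1/10); only a probe in general,
    not a decision procedure for L(N)."""
    out, k = set(), 0
    while k * step <= horizon:
        out.update(t for t in net.T if net.run([k * step, t]) is not None)
        k += 1
    return out


if __name__ == "__main__":
    print("first letters of L(N0):", first_letters(N0))                         # {'a'}
    print("first letters of L(N0_1/10):", first_letters(N0.enlarge(F(1, 10))))  # {'a', 'b'}
    print("delay 2 allowed in N0?", N0.run([F(2)]) is not None)                 # False
```

Delays are exact rationals on purpose: the whole robustness question is about bounds that differ by an arbitrarily small ∆, and a float comparison would blur exactly that difference. `first_letters` is a grid probe that happens to be exact for N0; deciding L(N) in general needs the symbolic construction of slide 22.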
SLIDE 17 Robustness problems for TPNs
N1 = [Figure: a net with two concurrent loops (transitions a, a′, t1, t2 on one side and b, b′, t3, t4 on the other, joined by a transition t and a transition labelled red), with firing intervals among [0,1], [0,2], [1,2], [2,3] and [1,∞); below, a timeline over 1..8 time units of the run b′, a, a′, b, b′, a.]
red ∉ Reach(N1)
SLIDE 18 Robustness problems for TPNs
N1 = [Figure: the same net with its intervals enlarged by ∆; timeline of a run in which the two loops drift apart by ∆ at every iteration (∆, 2∆, ..., k∆), so that after enough iterations red becomes fireable.]
red ∉ Reach(N1), but for any ∆ > 0, red ∈ Reach(N1∆).
SLIDE 19 Undecidability of Robustness
As boundedness, reachability, etc. are undecidable:
Theorem 2 (PN ROB-UNDEC) Robust boundedness, robust untimed language preservation and robust safety are undecidable for TPNs.
[Figure: the net N built around N_M: places p, qf and p1; a loop labelled a with interval [2,∞) producing the words a...a; a transition labelled b with interval [0,∞) consuming from qf; intervals [0,2) and [0,∞) on the transitions connecting p1 to N_M.]
N is bounded; N is robustly bounded ⇔ ∃∆, N∆ bounded ⇔ N_M bounded.
L(N) = a*; N is language robust ⇔ ∃∆, L(N∆) = a* (no word of a*.b appears) ⇔ qf not reachable in M.
SLIDE 20 Robustness problems for TPNs
A subclass that avoids accumulation due to concurrent loops: sequential TPNs.
A TPN is sequential iff ∀t ∈ T, I(t) is closed, and for any (m, ν) ∈ Reach(N) and any t ≠ t′ fireable from (m, ν), t and t′ are in conflict (∃p, m(p) < •t(p) + •t′(p)).
Properties of STPNs:
(i) Checking whether a bounded TPN N is sequential is decidable.
(ii) If N is a sequential bounded TPN, then it can be translated into a timed automaton which resets every clock on each transition.
(iii) If N is sequential, then there exists ∆ ∈ Q>0 such that Reach(N∆) = Reach(N) and L(N∆) = L(N).
Can we go beyond sequential nets?
SLIDE 21 From TPNs to TA
General idea: fix a set of markings M; build an automaton A with M as locations; solve robustness problems using known results on TAs. M and A must be chosen so that results for A can be brought back to N.
Definition Let N = (P, T, Σε, •(.), (.)•, m0, Λ, I) be a TPN and M ⊆ N^P a set of markings with m0 ∈ M. The M-bounded semantics of N, denoted N|M, is the restriction of ⟦N⟧ to the states {(m, ν) ∈ Q | m ∈ M}.
Proposition 2 Let M be a set of markings of a TPN N containing m0. If Reach(N) ⊆ M, then N|M = N.
SLIDE 22 From TPNs to TA
Marking timed automaton (in short). Let N be a TPN and M ⊆ N^P a finite set of markings with m0 ∈ M. Compute AM = (M, m0, X, Σε, E, Inv) with: locations = the set of markings M; one clock xt per transition t ∈ T; invariants = upper bounds of the intervals of the enabled transitions; transitions (l, γ, R, t, l′) with l′ = l − •t + t•, guard γ = xt ∈ I(t), and reset set R = clocks of the newly enabled transitions.
SLIDE 23 From TPNs to TA
[Figure: N0 (one token in p, a : p → p1 with [1,2), b : p → p2 with [2,3]) ⇒ its marking timed automaton: the locations are the markings m(p) = 1, m(p1) = 1 and m(p2) = 1; from the initial location an edge labelled a with guard 1 ≤ xa < 2 and an edge labelled b with guard 2 ≤ xb ≤ 3, each with its reset set.]
Theorem 3 (TA≈PN) Let N be a TPN, M a finite set of markings containing the initial marking of N, and AM the marking timed automaton of N over M. Then for all ∆ ∈ Q≥0, we have N∆|M ≈ (AM)∆ (timed bisimulation).
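The construction of AM applied to N0 and to a one-transition loop, as an added example (not the authors' implementation; the full definition is on slide 35). The net encoding, the function names and the loop net are assumptions of this example. Enlargement by ∆ is applied to the net intervals before translation, so guards and invariants of the automaton are widened together, and an invariant uses a strict bound when I(t) is open on the right (the slide's xt ≤ β(t) must read xt < β(t) there, otherwise the automaton would let time reach 2 in N0 while the net forbids it). Successor markings outside M are dropped, which is the M-bounded semantics N|M of slide 21.

```python
from fractions import Fraction as F

# Added illustration code (not the authors' tool): the marking timed automaton A_M of a
# TPN over a finite set of markings M, following the definition of slides 22 and 35.
# Constructed encoding: pre/post incidence as dict place -> weight;
# iv[t] = (alpha, beta, lo_closed, hi_closed) with beta = None meaning +inf; label[t] = Λ(t).


def enabled(net, m):
    """En(m): transitions t with m >= •t."""
    return [t for t in net["pre"] if all(m.get(p, 0) >= w for p, w in net["pre"][t].items())]


def fire_marking(net, m, t):
    """Untimed firing m' = m - •t + t•, plus {t' | ↑enabled(t', m, t)}:
    t' enabled in m' and (t' not enabled in m - •t, or t' = t)."""
    mid = {p: m.get(p, 0) - net["pre"][t].get(p, 0) for p in net["places"]}
    m2 = {p: mid[p] + net["post"][t].get(p, 0) for p in net["places"]}
    en_mid = set(enabled(net, mid))
    newly = {t2 for t2 in enabled(net, m2) if t2 not in en_mid or t2 == t}
    return m2, newly


def interval(net, t, delta=0):
    """I(t) enlarged by delta: [max(0, alpha - delta), beta + delta], bound kinds kept.
    Returned as (lo, lo_closed, hi, hi_closed)."""
    a, b, lc, hc = net["iv"][t]
    d = F(delta)
    return (max(F(0), a - d), lc, None if b is None else b + d, hc)


def key(net, m):
    """Marking as a tuple in place order, usable as a location name."""
    return tuple(m.get(p, 0) for p in net["places"])


def marking_automaton(net, M, delta=0):
    """A_M for the net enlarged by delta.
    locations = M; clocks = {x_t | t ∈ T}; Inv(m) = upper bound of I(t) for each t ∈ En(m)
    (strict when I(t) is open on the right); edges (m, x_t, guard x_t ∈ I(t), Λ(t), R, m')
    with R = clocks of the transitions newly enabled by t. Successors outside M are
    dropped, i.e. this is the M-bounded semantics N|_M."""
    locs = {key(net, m) for m in M}
    assert key(net, net["m0"]) in locs, "M must contain the initial marking"
    clocks = {f"x_{t}" for t in net["pre"]}
    inv, edges = {}, []
    for m in M:
        src = key(net, m)
        inv[src] = {}
        for t in enabled(net, m):
            lo, lc, hi, hc = interval(net, t, delta)
            if hi is not None:                   # a [alpha, +inf) transition adds no invariant
                inv[src][f"x_{t}"] = (hi, hc)     # x_t <= hi if closed, x_t < hi if open
            m2, newly = fire_marking(net, m, t)
            if key(net, m2) in locs:
                edges.append((src, f"x_{t}", (lo, lc, hi, hc), net["label"][t],
                              {f"x_{t2}" for t2 in newly}, key(net, m2)))
    return locs, clocks, inv, edges


# N0 from slide 23: p --a [1,2)--> p1 and p --b [2,3]--> p2, one token in p.
N0 = {"places": ["p", "p1", "p2"], "m0": {"p": 1},
      "pre": {"a": {"p": 1}, "b": {"p": 1}}, "post": {"a": {"p1": 1}, "b": {"p2": 1}},
      "iv": {"a": (F(1), F(2), True, False), "b": (F(2), F(3), True, True)},
      "label": {"a": "a", "b": "b"}}
M0 = [{"p": 1}, {"p1": 1}, {"p2": 1}]        # = Reach(N0), so N0|_M0 = N0 (Proposition 2)

# Constructed loop net for the t' = t case of ↑enabled: a : p -> p with [1,2]
# re-enables itself, so its own clock x_a is reset on the self-loop edge.
LOOP = {"places": ["p"], "m0": {"p": 1},
        "pre": {"a": {"p": 1}}, "post": {"a": {"p": 1}},
        "iv": {"a": (F(1), F(2), True, True)}, "label": {"a": "a"}}


if __name__ == "__main__":
    for net, M, delta in ((N0, M0, F(0)), (N0, M0, F(1, 10)), (LOOP, [{"p": 1}], F(0))):
        locs, clocks, inv, edges = marking_automaton(net, M, delta)
        print(f"delta={delta}: locations {sorted(locs)}, clocks {sorted(clocks)}")
        for src, x, g, a, R, dst in edges:
            print(f"  {src} --[{x} in {g}] {a} reset {sorted(R)}--> {dst}   Inv(src)={inv[src]}")
```

Running it on N0 with ∆ = 1/10 shows directly why N0 is not language-robust: the invariant of the initial location becomes xa < 21/10 and the guard of b becomes 19/10 ≤ xb ≤ 31/10, so the b edge is taken at 19/10 while the invariant still holds.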
SLIDE 24 Robustly bounded TPNs
Reminder 1: checking whether N is robustly bounded is undecidable.
Reminder 2: checking whether a TA A is robust (robust safety) is decidable [BouyerMS11].
Reminder 3: for a fixed finite M we can compute AM ≈ N (on M).
Question: how to fix M? → rely on bounds.
Definition: UB is the class of TPNs whose underlying net (i.e. the same net without time constraints) is bounded.
Definition: A bounded TPN N is called Reach-Robust if Reach(N∆) = Reach(N) for some ∆ > 0. We denote by RR the class of Reach-Robust TPNs.
SLIDE 25 Robustly bounded TPNs : Results
Proposition 3 The class UB is a decidable subclass of robustly bounded TPNs. For every N ∈ UB, one can construct a finite TA A such that N∆ ≈ A∆ for all ∆ ≥ 0.
Theorem 4 (RR-decidable) RR is a decidable subclass of robustly bounded TPNs.
Lemma 4 The set of robustly bounded TPNs is recursively enumerable; given a robustly bounded TPN N, we can effectively build a timed automaton A such that there exists ∆0 > 0 for which, ∀0 ≤ ∆ ≤ ∆0, N∆ ≈ A∆.
Robustness results on TA transfer to robustly bounded TPNs!
SLIDE 26 Robustly bounded TPNs
Lemma 3 ("Bounded" robustness) Let N be a TPN and M a finite set of markings. Determining whether there exists ∆ > 0 such that Reach(N∆) ⊆ M is decidable (and such a ∆ can be effectively computed).
Proof. Let M̄ = M ∪ {m′ | ∃m ∈ M, t ∈ T, m′ = m − •t + t•}, the markings reachable from M in at most one step in the underlying net. Then
Reach(N∆) ⊆ M ⇔ Reach((AM̄)∆) ⊆ M ⇔ Reach((AM̄)∆) ∩ (M̄ \ M) = ∅, which is decidable [Bouyer11].
[Figure: the automaton AM̄ with locations l1 to l7, edges labelled a, b, c with guards ga, gb, gc and resets Ra, Rb, Rc; the locations of M̄ \ M are the ones that must not be reached.]
Theorem 4 is obtained by choosing M = Reach(N).
SLIDE 27 Untimed Language Robustness
Definition A bounded TPN N is called Language-Robust if L(N∆) = L(N) for some ∆ > 0. N has distinct labeling iff ∀t ≠ t′ ∈ T, Λ(t) ≠ Λ(t′). We denote by LR the class of Language-Robust nets, and by LR= (resp. RR=) the subclass of LR (resp. RR) with distinct labeling.
Properties
1. RR and LR are incomparable classes of TPNs w.r.t. set inclusion.
2. Membership in LR is undecidable.
3. LR= is strictly contained in RR=.
SLIDE 28 Untimed Language Robustness
Theorem 5 (LR-DECIDABLE) The class LR= is decidable, i.e., checking whether a distinctly labeled bounded TPN is in LR is decidable.
Proof. Check whether N is in RR (and therefore in RR=), which is decidable (Thm. 4).
N ∉ RR= ⇒ N ∉ LR= (by property 3, LR= ⊆ RR=).
N ∈ RR= ⇒ N has a finite set of reachable markings and is robustly bounded: build A, timed bisimilar to N for small perturbations (Lemma 4). A preserves its untimed language under small perturbations iff N does. N ∈ LR= ⇔ A is language-robust; as L(N) is regular, this amounts to checking an ω-regular property of A (decidable [Bouyer11]).
SLIDE 29–31 Conclusion
[Figure, three builds: Venn diagrams of the TPN classes. Inside the bounded TPNs sit the robustly bounded TPNs, which contain RR, UB and S. The second diagram adds LR without distinct labels (RR and LR incomparable); the third shows the case with distinct labels (LR= strictly inside RR=). The line style of each class marks whether it is decidable.]
TPN classes: RR : reach-robust, LR : language-robust, UB : bounded underlying PNs, S : sequential bounded TPNs.
SLIDE 32 Conclusion
Conclusions: robustness in concurrent models differs slightly from robustness in TA; robustness for TPNs builds on TA results; undecidable without restriction; robust boundedness is guaranteed for the classes UB and RR, whose membership is decidable (Proposition 3, Theorem 4); robust safety is decidable for robustly bounded nets.
Future work: positive results in unbounded nets; address problems specifically due to concurrency; exploit concurrency to solve robustness.
SLIDE 33 Bibliography
- B. Berthomieu and M. Diaz. Modeling and verification of time dependent systems using time Petri nets. IEEE Trans. on Software Engineering, 17(3):259–273, 1991.
- P. Bouyer, N. Markey, and P.-A. Reynier. Robust model-checking of linear-time properties in timed automata. In Proc. of LATIN'06, volume 3887 of LNCS, pages 238–249, 2006.
- P. Bouyer, N. Markey, and P.-A. Reynier. Robust analysis of timed automata via channel machines. In Proc. of FoSSaCS'08, volume 4962 of LNCS, pages 157–171. Springer, 2008.
- P. Bouyer, N. Markey, and O. Sankur. Robust model-checking of timed automata via pumping in channel machines. In Proc. of FORMATS'11, volume 6919 of LNCS, pages 97–112, 2011.
- F. Cassez and O. H. Roux. Structural translation from time Petri nets to timed automata. Journal of Systems and Software, 79(10):1456–1468, 2006.
- D. D'Aprile, S. Donatelli, A. Sangnier, and J. Sproston. From time Petri nets to timed automata: an untimed approach. In Proc. of TACAS'07, volume 4424 of LNCS, pages 216–230, 2007.
- M. De Wulf, L. Doyen, N. Markey, and J.-F. Raskin. Robust safety of timed automata. Formal Methods in System Design, 33(1-3):45–84, 2008.
SLIDE 34 Bibliography (cont.)
- M. De Wulf, L. Doyen, and J.-F. Raskin. Systematic implementation of real-time models. In Proc. of FM'05, volume 3582 of LNCS, pages 139–156. Springer, 2005.
- G. Gardey, O. H. Roux, and O. F. Roux. A zone-based method for computing the state space of a time Petri net. In Proc. of FORMATS'03, volume 2791 of LNCS, pages 246–259, 2003.
- D. Lime and O. H. Roux. Model checking of time Petri nets using the state class timed automaton. Discrete Event Dynamic Systems, 16(2):179–205, 2006.
- A. Puri. Dynamical properties of timed automata. Discrete Event Dynamic Systems, 10(1-2):87–113, 2000.
- O. Sankur. Untimed language preservation in timed systems. In Proc. of MFCS'11, LNCS. Springer, 2011.
- M. Swaminathan, M. Fränzle, and J.-P. Katoen. The surprising robustness of (closed) timed automata against clock-drift. In Proc. of IFIP TCS'08, pages 537–553. Springer, 2008.
SLIDE 35 From TPNs to TA
Marking timed automaton. Let N = (P, T, Σε, •(.), (.)•, m0, Λ, I) be a TPN, and M ⊆ N^P a finite set of markings such that m0 ∈ M. The marking timed automaton of N over M is AM = (M, m0, X, Σε, E, Inv), where X = {xt | t ∈ T}; for each m ∈ M, Inv(m) = ∧_{t ∈ En(m)} xt ≤ β(t) (with a strict inequality xt < β(t) when I(t) is open on the right, so that the invariant matches I(t)↓); and m −(g, a, R)→ m′ ∈ E iff there exists t ∈ T such that t ∈ En(m), m′ = m − •t + t•, g is the constraint xt ∈ I(t), a = Λ(t), and R = {xt′ | ↑enabled(t′, m, t)}.
SLIDE 37 Untimed Language Robustness
Proof of the three properties stated on slide 27.
1. RR and LR incomparable: easy counterexamples (see the figure below).
2. Membership in LR undecidable: easy corollary of the undecidability of language equivalence for TPNs.
3. LR= strictly contained in RR=: if N ∈ LR=, then any word w ∈ L(N) corresponds to a unique sequence of transitions, and hence leads to a unique marking of N. So if L(N∆) = L(N) for some ∆ > 0, then Reach(N∆) = Reach(N) for the same ∆. Strictness of the inclusion follows easily: one can design a net N in which a single transition t is fireable only under enlargement but produces no new marking outside Reach(N). Such an N is not in LR=, but is still in RR=.
[Figure: three variants of N0, each with one token in p and transitions a with interval [1,2) and b with interval [2,3]. Left: a : p → p1, b : p → p2, neither in LR= nor in RR=. Middle: a and b both lead to p1, so the net is in RR= but not in LR= (b fires only under enlargement, yet creates no new marking). Right: both transitions labelled a, leading to p1 and p2, so the net is in LR but not in RR.]
SLIDE 38 Proof of Lemma 4
Lemma 4
1. The set of robustly bounded TPNs is recursively enumerable.
2. Given a robustly bounded TPN N, we can effectively build a timed automaton A such that there exists ∆0 > 0 for which, ∀0 ≤ ∆ ≤ ∆0, N∆ ≈ A∆.
Proof
1. For N fixed, enumerate all finite sets of markings M. For every M, check whether ∃∆ > 0 such that Reach(N∆) ⊆ M (Lemma 3). If the answer is yes, stop and conclude that N is robustly bounded.
2. If N is robustly bounded, the semi-algorithm stops on a finite set of markings M. We can compute ∆0 such that Reach(N∆0) ⊆ M. Thus for any ∆ ≤ ∆0 we have Reach(N∆) ⊆ M (Lemma 2, monotony), N∆|M = N∆ (Proposition 2) and N∆|M ≈ (AM)∆ (Theorem 3 (TA≈PN)). Thus, ∀0 ≤ ∆ ≤ ∆0, N∆ ≈ (AM)∆.
SLIDE 39 Timed automata
Timed automaton (over Σε): A = (L, ℓ0, X, E, Inv), where L is a finite set of locations, ℓ0 ∈ L is the initial location, X is a finite set of clocks, Inv ∈ C_ub(X)^L assigns an invariant to each location, and E ⊆ L × C(X) × Σε × 2^X × L is a finite set of edges; (ℓ, γ, a, R, ℓ′) represents a transition from location ℓ to location ℓ′ labeled by a with constraint γ and reset R ⊆ X.
Semantics: ⟦A⟧ = (Q, q0, →) where Q = {(ℓ, v) ∈ L × (R≥0)^X | v ⊨ Inv(ℓ)}, q0 = (ℓ0, 0) and → is defined by:
delay moves: (ℓ, v) −d→ (ℓ, v + d) if d ∈ R≥0 and v + d ⊨ Inv(ℓ);
discrete moves: (ℓ, v) −a→ (ℓ′, v′) if there exists some e = (ℓ, γ, a, R, ℓ′) ∈ E such that v ⊨ γ and v′ = v[R] (v with the clocks of R reset to 0).
The (untimed) language of A is defined as that of ⟦A⟧ and is denoted by L(A).