
Formal Methods in System Design, 21, 281–315, 2002. © 2002 Kluwer Academic Publishers. Manufactured in The Netherlands.

Hierarchical Reachability Graph Generation for Petri Nets

PETER BUCHHOLZ [email protected] Fakultät Informatik, TU Dresden, D-01062 Dresden, Germany

PETER KEMPER [email protected] Informatik IV, Universität Dortmund, D-44221 Dortmund, Germany

Received November 18, 1997; Accepted December 3, 2001

Abstract. Reachability analysis is the most general approach to the analysis of Petri nets. Due to the well-known problem of state-space explosion, generation of the reachability set and reachability graph with the known approaches often becomes intractable even for moderately sized nets. This paper presents a new method to generate and represent the reachability set and reachability graph of large Petri nets in a compositional and hierarchical way. The representation is related to previously known Kronecker-based representations, and contains the complete information about reachable markings and possible transitions. Consequently, all properties that can be decided on the reachability graph can be decided using the Kronecker representation. The central idea of the new technique is a divide and conquer approach. Based on net-level results, nets are decomposed, and reachability graphs for parts are generated and combined. The whole approach can be realized in a completely automated way and has been integrated in a Petri net-based analysis tool.

Keywords: Petri nets, reachability set, reachability graph, hierarchical structure, invariant analysis

1. Introduction

Petri nets (PNs) are an established formalism for describing and analyzing dynamic systems. Among the large number of available analysis techniques, the generation of the set of all reachable markings and all possible transitions is the most general approach that is theoretically applicable for every bounded net. The resulting graph is called the reachability graph (RG) or occurrence graph. The set of reachable markings is called the reachability set (RS). Reachable markings of the PN form the vertices of the graph, and transitions describe the edges. Edges may be labeled with the corresponding transition identifiers from the PN description. The RG contains the full information about the dynamic behavior of the PN and can be easily analyzed to gain results about the functional behavior as required for the verification of system properties. RGs are generated by an algorithm computing all successor markings for discovered markings, starting with the initial marking of the net. This approach is conceptually simple and is integrated in most software tools developed for the analysis of PNs. In practice, unfortunately, the size of RGs often grows exponentially with the size of the PN in terms of places and tokens. Hence, RG generation is usable only for relatively small nets, much smaller than most practically relevant examples are. Consequently, many approaches to increasing the size of RGs that can be handled have been published. We roughly distinguish three groups: (a) exact approaches for full RGs, (b) approaches for reduced RGs that are exact for certain properties, and (c) other approaches, which do not necessarily compute exact results or prove only necessary or sufficient conditions for properties.

1.1. Approaches for full RGs

Such approaches have two means at hand to face state-space explosion: they employ more hardware resources and/or use sophisticated data structures to represent large RGs.

For the former approach, powerful parallel or distributed computer architectures are employed to increase the available computing power and memory, with obvious consequences for the size of RGs that can be managed. For example, implementations on various parallel architectures are described in [1, 14], and workstation clusters are used for RG generation in [34, 38]. These approaches describe RG exploration for generalized stochastic Petri nets (GSPNs). However, they apply for RG exploration of PNs as well. The general problem of parallel/distributed state-space generation is that an exponentially growing problem is attacked by increasing the available resources at most linearly. Additionally, the problem of an efficient parallelization of RG generation arises. Efficient realization of the RG generation algorithm in a distributed way is non-trivial, since the different distributed tasks are dependent and require synchronization that introduces additional overhead. In particular, the speedup that can be reached by a parallel implementation is model-dependent; this makes the realization of an efficient, general-purpose, parallel RG generation even harder.

An orthogonal approach is to develop specialized data structures for large RSs and RGs. A recent technique from the area of hardware verification is known as ordered binary decision diagrams (OBDDs). They can be applied if state descriptions can be efficiently encoded as Boolean functions. This is the case for 1-bounded Petri nets [40]. If applied to k-bounded Petri nets, either markings require a binary encoding or OBDDs need to be generalized to handle natural variables. Development of both approaches has begun; however, for both approaches it is still unclear how the additional complexity relates to the efficiency gain of OBDDs. The key idea of OBDDs is that a state is encoded in a path of a binary tree and that isomorphic subtrees only need a single representation. Hence, the binary tree is folded into a uniquely determined directed acyclic graph. OBDDs have been used successfully on models with extremely large RSs [12], but their efficiency is not, in general, guaranteed, and even for suitable models efficiency relies on the order of variables that is required for the path encoding of a state.

Another data structure for handling large RGs follows from a divide and conquer approach that considers Petri nets as a set of component nets composed via synchronization of transitions (like a rendezvous communication). Reference [19] introduces an approach for colored PNs (CPNs) that generates RGs of components in parallel by taking only local transitions into account. Additionally, a synchronization graph describing synchronized transitions is defined. Interleaving the firing of local and synchronized transitions makes it possible to generate the complete RG or to prove properties holding on the complete RG. In [23, 32], a similar approach combines adjacency matrices of component RGs via Kronecker operations to achieve a space-efficient representation of the overall RG. In this construction, RS is a subset of the cross-product of component reachability sets. If RSs and the RGs of the components are known, RS and RG of the PN are completely characterized. In [4], an approach for hierarchical RG generation is proposed for hierarchically structured CPNs. Much like the previous approach, this approach describes the RG by composing adjacency matrices of component RGs via Kronecker operations. The disadvantage of these methods for efficient RG generation is that the component structure has to be defined by the modeler, and all methods are very sensitive to the component structure. In this paper we will improve this situation and describe an algorithm to deduce a hierarchical net description for a formerly unstructured Petri net. The resulting hierarchical net corresponds to a two-level hierarchical Kronecker structure of the associated RG.

1.2. Approaches for a reduced RG

An alternative way to handle large RGs is to reduce their size without losing relevant information. This idea can be exploited at two different levels.

First, it is possible to simplify the net by reducing the number of places and transitions. The corresponding approaches are called reduction rules, and were described for uncolored PNs in [3] and subsequently for CPNs in [25]. Reduction rules are defined with respect to the properties of interest. Thus, it is necessary first to define properties, and then to introduce reduction rules that preserve these properties. This approach yields a set of predefined rules for a set of predefined properties, as in [3, 25]. The main drawback of reduction rules is that their applicability is restricted to relatively specific structures. Consequently, the gain obtained by reduction rules is relatively small for most nets, and reduction rules can usually be used only as an a priori step that does not solve the problem of large RGs.

The second approach to reducing the size of RGs is to perform the reduction at the level of reachable markings. Such an approach requires a compositional state-space generation such that generation and reduction can be interleaved. Different techniques exploiting this idea exist. The usual way is to define the complete PN as a collection of interacting components. Usually, component RGs are much smaller than the complete RG. Thus, RGs for the components are generated efficiently and are reduced according to some reduction rules that preserve relevant properties. Subsequently, reduced component state spaces are composed. In [39], complete component RGs are first generated and then combined and reduced such that important properties like deadlocks or boundedness are preserved. In [45], a compositional analysis method for place-bordered subnets is presented. It is also based on the interleaving of composition and behavior-preserving reduction. Usually the reduction step is based on an equivalence definition at the state transition level. Various equivalence relations that have been defined in the context of process algebras can often also be used for analyzing Petri nets that were generated by composition of components. In [21], a software tool is introduced that uses a process algebra description and incorporates several different equivalences. For an overview of equivalence notions in the context of Petri nets, we refer to [41]. The general problem of equivalence-based reductions is that the selection of a suitable equivalence has to reflect the properties of interest, and a compositional structure must be known.


The stubborn set method [46], the sleep set method [24], and combinations thereof, all of which eliminate unnecessary interleavings from RG during generation, fall into this category as well. They retain a rich variety of properties and can yield a substantially reduced RG. A further approach is to exploit symmetries to reduce RG [15, 31]; this can yield a significant reduction for models that show suitable symmetries. The key idea is that an algorithm needs to consider only one representative per symmetry class, with the obvious consequence that properties that require distinction among members of the same symmetry class cannot be decided. In both methods, some additional computation is necessary during generation of the reduced RG, and the CPN has to observe certain structural conditions in order to make these methods work effectively. The value of techniques that reduce the size of the RG by behavior-preserving reduction depends on the required results. If relatively detailed results are required, most reduction fails or has only a small effect on the size of the RG.

1.3. Other approaches

The supertrace method by Holzmann [28] and variations thereof [29, 47] perform a state-space exploration using bit-state hashing. The method becomes an approximation if collisions occur, so much work has been done on the selection of hash functions that allow fast computation and show a low probability of collisions.

In addition to techniques that characterize the complete or reduced RG in an efficient and compact way, there are several approaches that derive results without generating RS and RG. Usually these approaches yield only partial results, in the sense that we cannot formally prove results; we can only disprove some by finding failure states. These techniques include simulation and invariant analysis [31].

1.4. Contribution of this paper

In this paper, we introduce an approach that belongs to the first group of approaches: it considers the full RG, which is represented in a space-efficient way through composition of RGs of small components. It differs from previous work, such as that in [4, 32], in that a compositional structure need not be given as a prerequisite by a user. A key idea is to introduce implicit, redundant places to gain a more abstract state representation, a concept also used for a similar purpose in [13], which presents an approach where the model structure has to be predefined. In addition, we present an algorithm for deducing a useful hierarchical structure at the net level before RS exploration of components is performed. The hierarchical structure at the net level corresponds to a compositional representation of the complete RG. Consequently, all properties that can be checked on the RG of the original PN can be checked on the resulting structure as well. The proposed technique can be completely automated for a large class of PNs, including all PNs that are covered by P-invariants. We present the approach here for uncolored PNs to simplify notation. Keeping in mind that every CPN with finite color sets can be unfolded to an uncolored PN [31], it is obvious that the approach can be applied for a large class of CPNs as well. It is also possible to combine the approach with behavior-preserving reduction using bisimulation-type equivalences as in [21, 36], but this is only very briefly considered in Section 7 of this paper.


The structure of the paper is as follows. In Section 2, the PN class is defined, and reachability and invariant analysis are introduced. An outline of argumentation is given in Section 3. Section 4 presents the definition of regions that divide a PN into subnets. In Section 5 an abstraction operator is described that allows us to abstract from details in the net description. The abstraction is obtained by implicit places, which are added to a net and correspond to certain subnets. The main argument is that the net extended by implicit places has the “same” RS and RG as the original net, such that if we give a hierarchical representation for the extended net, the representation will fit the original net as well. We also describe how to obtain a high-level net and low-level nets from the extended net by suitable projections. In Section 6, we introduce a hierarchical and compositional representation of RS and RG that matches the obtained hierarchical net description. Section 7 shows how to exploit the hierarchical representation for state-based analysis. Section 8 contains a non-trivial example to clarify the advantages of the new approach compared to conventional RG generation. We conclude in Section 9.

2. Basic definitions and known results

We assume that the reader is familiar with PNs and the related basic concepts. For details about these fundamentals we refer to [30, 31, 37].

Definition 1. A Petri net is a 5-tuple PN = (P, T, I⁻, I⁺, M0), where

• P = {p1, . . . , pn} is a finite and non-empty set of places,
• T = {t1, . . . , tm} is a finite and non-empty set of transitions (P ∩ T = ∅),
• I⁻, I⁺ : P × T → N are the backward and forward incidence functions, and
• M0 : P → N is the initial marking.

The initial marking is a special case of a marking M : P → N. A marking M can be interpreted as an integer (row) vector that includes for each place p one element to describe the number of tokens on place p.

•t = {p ∈ P | I⁻(p, t) > 0} gives the set of input places for a transition t, and t• = {p ∈ P | I⁺(p, t) > 0} gives the set of output places. Analogously we define •p = {t ∈ T | I⁺(p, t) > 0} and p• = {t ∈ T | I⁻(p, t) > 0}. The notation can directly be extended to sets. In the following, we consider connected nets. Transition t ∈ T is enabled in marking M iff ∀p ∈ P : M(p) ≥ I⁻(p, t). Any transition enabled in M can fire, changing the marking of any p ∈ P to marking M′(p) = M(p) + I⁺(p, t) − I⁻(p, t). This will be indicated by M[t>M′. M[t> denotes that t is enabled in M, and M[> describes the set of enabled transitions in M. The notations can be easily extended to sequences of transitions instead of single transitions. Firing sequences s ∈ T* define the language L(PN) = {s ∈ T* | M0[s>} and the set of reachable markings RS(PN) = {M | ∃s ∈ T* : M0[s>M}. The reachability graph RG(PN) contains one node for each M ∈ RS(PN) and an arc M → M′ if M[t>M′ for some t ∈ T. The incidence matrix C is a matrix that contains for each place p ∈ P a row and for each transition t ∈ T a column such that C(p, t) = I⁺(p, t) − I⁻(p, t). C can be used to define net-level properties of a net PN.


Definition 2. A vector x ∈ Zⁿ, x ≠ 0, is a P-invariant if xC = 0. A PN is covered by positive P-invariants if for each place p ∈ P a P-invariant x ≥ 0 with x(p) > 0 exists. A vector y ∈ Zᵐ, y ≠ 0, is a T-invariant if Cyᵀ = 0. A PN is covered by positive T-invariants if for each transition t ∈ T a T-invariant y ≥ 0 with y(t) > 0 exists.

An algorithm for computation of invariants is given in [35]. Although its time complexity is exponential for a worst case, invariant computation is usually much easier than generation of RS and RG. Invariants ensure certain properties, but they do not completely characterize RS. The following theorem summarizes some classical results.

Theorem 1. For a PN with a set of P-invariants X and a set of T-invariants Y, the following results hold.

• If marking M′ is reachable from marking M, then an integer vector z exists such that M′ = M + Czᵀ. This implies that for every M ∈ RS(PN) an integer vector zM with M = M0 + C(zM)ᵀ exists.
• If x, x′ ∈ X and c, c′ ∈ Z then c · x + c′ · x′ ∈ X. Analogously for Y.
• For each reachable marking M the relation Mxᵀ = M0xᵀ has to hold for all x ∈ X.
• If PN is covered by positive P-invariants, then it is bounded.
• If PN is bounded and live, then it is covered by positive T-invariants.

Proof: Proofs can be found in standard books on PNs.

Although invariants offer some insight on the dynamic behavior of the modeled system, they are not usually able to provide the required results. Thus, RS and RG have to be generated for a detailed analysis. Usually RS is generated first, and the arcs of RG are computed in a second step. The following algorithm computes RS for a PN. It terminates if RS contains a finite number of markings.¹

generate RS (PN)
    RS = U = {M0};
    while (U ≠ ∅) do
        remove M from U;
        for all t ∈ M[> do
            generate M′ with M[t>M′;
            if (M′ ∉ RS) then
                U = U ∪ {M′};
                RS = RS ∪ {M′};
            fi
        od
    od
end

Set U contains markings for which successors have not been generated, whereas RS contains all generated markings. For U a simple data structure like a queue or stack is sufficient, since elements only need to be added and removed. For RS a data structure allowing an efficient membership test is necessary. Consequently, RS can be realized using an appropriate hash function or a tree-like structure that allows a membership test with an effort logarithmic in the number of elements. The problem with hashing is the possibility of collisions. Hence, many software tools use binary trees for the generation of RS.

We briefly analyze the effort required for the generation of RG when a binary tree is used to store RS. Let n be the number of markings in RS and let n · d be the number of arcs in RG. Hence, the mean number of successors per marking is d. The time required for the generation of RS is on the order of d · Σ_{i=1}^{n} log₂(i) = d · log₂(n!), which is approximately d · n · log₂(n). Additionally, memory limitations have to be taken into account. Even if more sophisticated data structures are used for RS, the number of markings that can be generated on a standard workstation lies between 500,000 and 1,500,000. For PNs that include a large number of places, the value can be much smaller.² After RS has been generated, the arcs in RG are generated in a second step. RG can be represented by an n × n adjacency matrix Q. If transition identities are relevant, Q has to contain the required information; however, for reachability analysis, a Boolean entry whose truth value indicates existence or non-existence of a transition is sufficient.

3. How to obtain a hierarchical net—outline of argumentation

Before we go into the details of generating a hierarchical net description, our goals should be clarified. We consider a problem of exponential complexity (state-space explosion). For this kind of problem, a divide and conquer strategy has been successfully employed, and our approach follows this tradition. The goal is to find a hierarchical structure, i.e., a high-level net HN and a set of low-level nets LN1, . . . , LNJ that correspond to the original unstructured PN but divide the complexity among several parts. The construction should observe the following side conditions:

1. Each part of the construction should have an interpretation in terms of a PN. This means that HN alone should be a PN. Furthermore, HN should provide an environment for a single LNj such that HN together with LNj yields a PN. Finally, HN together with LN1, . . . , LNJ is a PN that is equivalent to the original PN.

2. Language and RS of the hierarchical net and the original PN must be equivalent.

3. The hierarchical net should have a corresponding hierarchical matrix representation of its RG that must be space-efficient.

The first condition forces us to use net transformations and projections such that the resulting partition in HN and LN1, . . . , LNJ (for an arbitrary but fixed J that is model-dependent) indeed describes a set of PNs. The key idea is to define certain subnets as regions and add implicit places to the regions of the original PN, such that a low-level net LNj is a region j plus its implicit places. The high-level net HN is built upon implicit places Pagg and their pre- and postsets •Pagg ∪ Pagg•. This construction simplifies an argumentation in favor of condition 2, since the HN together with all LN1, . . . , LNJ is the original PN plus some additional implicit places, and implicit places by nature do not change the language or RS.


Once this construction is established, a corresponding hierarchical representation of the adjacency matrix of RG can be defined. The important point is to represent a large RG matrix by a set of relatively small matrices obtained from HN and LN1, . . . , LNJ. For this purpose Kronecker algebra is used. Kronecker algebra is a matrix algebra whose operators allow the combination of these small matrices to achieve an appropriate compositional representation of the overall matrix. Due to condition 1 we can consider HN in isolation to obtain an RS(HN) and consider each LNj in the context of HN to obtain an RG(LNj). Each marking of HN represents a set of markings for each LN. Using the relation between HN and LN markings, a block structure can be defined on RG’s adjacency matrix, in which every block includes transitions between detailed markings that belong to fixed markings of HN. The detailed submatrix of each block is then obtained from a composition of the RG(LNj) matrices for each j ∈ {1, . . . , J} with respect to the marking of HN. In summary, the large overall RG is then represented by the much smaller RGs of HN, LN1, . . . , LNJ, such that the Kronecker representation of RG is space-efficient with respect to the RG of the original net. In terms of implementation, corresponding data structures allow analysis of PNs with significantly increased RGs compared to conventional techniques.

4. Autonomous regions in PNs

In this section we define parts of a PN that will be replaced by a less detailed representation in an abstraction operation. These parts, which are called regions, have a place border at the input and a transition border at the output. A hierarchy built upon regions differs from the common notion of hierarchy in PNs, which uses refinement of places and transitions [31]. However, the definition is natural from a behavior-oriented point of view (see also [16]), because a region describes a part that acts individually. A region communicates with its environment through receipt of tokens from the environment (place-bordered input) and sending of tokens to the environment (transition-bordered output).

Definition 3. A subset Tr ⊆ T of the set of transitions of PN = (P, T, I⁻, I⁺, M0) defines a subnet PNr = (Pr, Tr, I⁻r, I⁺r, M0r), where Pr = •Tr and I⁻r, I⁺r, M0r are the corresponding functions of PN restricted to Pr and Tr, respectively. PNr defines a region iff the input bags of transitions in Tr and in Tx = T \ Tr are disjoint, i.e., Pr• = Tr. For a region PNr, the set of output transitions T^out_r ⊆ Tr consists of all t ∈ Tr such that I⁺(p, t) > 0 for some p ∉ Pr. Analogously, the set of input transitions is T^in_r = {t ∈ T \ Tr | ∃p ∈ Pr : I⁺(p, t) > 0}.

A region describes an autonomous part of a PN that will be used to define a hierarchical structure. A region is minimal if it contains no region as a proper subset.³ The concept is illustrated by the following example, which will serve as a running example to accomplish the line of argumentation.

Example 1. We consider a producer/consumer model, in which a producer A successively fills two buffers B1 and B2. Figure 1 shows the corresponding PN, in which places {p1, p2, p3} describe the state of the producer. Places {p5, p7} are buffer places whose capacity is limited by places {p4, p6}. Buffer B2 is always filled with pairs of items/tokens, while B1 obtains single tokens. The model contains two consumers of equal behavior. A consumer non-deterministically takes tokens from each buffer, but the first buffer is only considered if two consumers are willing to consume. Places {p8, p9, p10} give the state of both consumers. The model is clearly artificial and intended only to illustrate our concepts. Minimal regions in this model are indicated by shaded polygons in figure 1.

Figure 1. Producer/consumer model and its partition into minimal regions.

Proposition 1. For a PN with regions Nr1, Nr2, . . .

1. minimal regions are disjoint, i.e., if Nr1, Nr2 are minimal and Nr1 ≠ Nr2 then Pr1 ∩ Pr2 = ∅ and Tr1 ∩ Tr2 = ∅,

2. minimal regions define a partition, i.e., for each p ∈ P (t ∈ T) there exists exactly one minimal region Nri with p ∈ Pri (t ∈ Tri),

3. regions are closed under union, i.e., if Nr1, Nr2 are regions then Tr1 ∪ Tr2 defines a subnet Nr that is a region.

Proof: The proof is straightforward for nets in which each place has at least one outgoing arc. For other nets, one needs to define an additional region that consists of places with an empty set of output transitions.

Minimal regions can be generated using the simple algorithm shown below.

UT = T; i = 0;
while UT ≠ ∅ do
    remove t′ from UT; Ti = {t′};
    while •UT ∩ •Ti ≠ ∅ do
        remove t with •t ∩ •Ti ≠ ∅ from UT; Ti = Ti ∪ {t};
    od;
    i = i + 1;
od;

Once the algorithm terminates, sets Ti contain transitions that are used to define regionsaccording to Definition 3 (i.e., (•Ti )• = Ti ).
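The preset-closure loop above, as an added Python example (not code from the paper or its tool). It computes the minimal regions of the running example, checks the closure $(\bullet T_i)\bullet = T_i$ of Definition 3 and the partition property of Proposition 1, and collects places without output transitions into the extra region mentioned in the proof of Proposition 1 (a case the running example does not exercise). The pre/post sets are constructed here from the incidence table of Example 2 under the assumption that the original net has no self-loops; they are not taken from figure 1.

```python
"""Minimal regions of a P/T net by the preset-closure algorithm of the paper.
Added example, not the paper's code. A region is a transition set T_i with
(•T_i)• = T_i; its places are •T_i. Places with no output transition form
the extra region of Proposition 1."""
from typing import Dict, FrozenSet, List, Set, Tuple

Region = Tuple[FrozenSet[str], FrozenSet[str]]   # (transitions T_i, places P_i)

# Constructed sample input: pre/post sets of the Example 1 net, read off the
# incidence table of Example 2 assuming no self-loops (negative entry = input
# place, positive entry = output place). Weights do not matter for regions.
PRE: Dict[str, Set[str]] = {
    "t1": {"p3"}, "t2": {"p1", "p4"}, "t3": {"p2", "p6"},
    "t4": {"p5", "p9"}, "t5": {"p7", "p9"}, "t6": {"p8"}, "t7": {"p10"},
}
POST: Dict[str, Set[str]] = {
    "t1": {"p1"}, "t2": {"p2", "p5"}, "t3": {"p3", "p7"},
    "t4": {"p4", "p8"}, "t5": {"p6", "p10"}, "t6": {"p9"}, "t7": {"p9"},
}


def preset(pre: Dict[str, Set[str]], ts: Set[str]) -> Set[str]:
    """•T: all input places of the transitions in T."""
    return set().union(*(pre[t] for t in ts)) if ts else set()


def postset(pre: Dict[str, Set[str]], places: Set[str]) -> Set[str]:
    """P•: all transitions with an input place in P."""
    return {t for t, inputs in pre.items() if inputs & places}


def minimal_regions(pre: Dict[str, Set[str]], post: Dict[str, Set[str]]) -> List[Region]:
    """The paper's loop: grow T_i while UT and T_i still share input places."""
    ut = set(pre)                                   # UT = T
    regions: List[Region] = []
    while ut:                                       # while UT != {} do
        t0 = min(ut)                                # deterministic choice of t'
        ut.remove(t0)
        ti = {t0}
        while preset(pre, ut) & preset(pre, ti):    # while •UT ∩ •T_i != {} do
            t = min(t for t in ut if pre[t] & preset(pre, ti))
            ut.remove(t)
            ti.add(t)
        regions.append((frozenset(ti), frozenset(preset(pre, ti))))
    # places with an empty postset: the additional region of Proposition 1
    all_places = preset(pre, set(pre)) | set().union(*post.values())
    sinks = all_places - preset(pre, set(pre))
    if sinks:
        regions.append((frozenset(), frozenset(sinks)))
    return regions


def is_region(pre: Dict[str, Set[str]], ts: FrozenSet[str]) -> bool:
    """Definition 3 closure check: (•T_i)• = T_i."""
    return postset(pre, preset(pre, set(ts))) == set(ts)


def is_partition(regions: List[Region], pre, post) -> bool:
    """Proposition 1: pairwise disjoint and covering all places and transitions."""
    ts = [t for r in regions for t in r[0]]
    ps = [p for r in regions for p in r[1]]
    all_places = set().union(*pre.values()) | set().union(*post.values())
    return (len(ts) == len(set(ts)) == len(pre)
            and len(ps) == len(set(ps)) == len(all_places))


if __name__ == "__main__":
    for ts, ps in minimal_regions(PRE, POST):
        print(sorted(ts), sorted(ps), "closed" if is_region(PRE, ts) else "NOT closed")
```

On the constructed input this yields six minimal regions; t4 and t5 share the input place p9 and therefore fall into one region with places {p5, p7, p9}, all other transitions form singleton regions, and every place has an output transition, so no sink region is added.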

5. Generation of abstract views

Having defined regions as a way to decompose a net into a number of parts, we now present a method to introduce abstraction. The goal is to make some transitions internal to a region and to find a way to abstract from the detailed internal behavior while retaining the external behavior sufficiently well. This abstraction from details is used to separate the complexity of local behavior from external behavior. Before we introduce the general approach, a very simple example is used to explain the motivation for the formal steps presented below. Consider the sequence of transitions shown in figure 2(i), in which we want to abstract from transition $t_2$. If $a = b = 1$, it is quite obvious that the net in figure 2(iii) with $c = d = 1$ can serve as an abstract net that exactly describes the behavior of the original net in terms of $t_1$ and $t_3$. In the original net, $k$ firings of $t_1$ will enable $k$ firings of $t_3$ (after $k$ firings of $t_2$). In figure 2(iii) this constraint is obtained by place $p_{12}$, which represents $p_1$ and $p_2$. For the general case of $a, b > 1$, $a \neq b$, values of $c$ and $d$ that make the firing sequences of figures 2(i) and 2(iii) match need not exist. However, consideration of the algebraic transformation that $t_2$ applies to the markings $M(p_1)$ and $M(p_2)$ allows the deduction of values for $c$ and $d$ such that firing sequences of figure 2(i) with respect to $t_1$ and $t_3$ are also firing sequences of figure 2(iii). Let $\operatorname{lcm}(a, b)$ be the least common multiple of $a$ and $b$. Then we use $c = \operatorname{lcm}(a, b)/a$ and $d = \operatorname{lcm}(a, b)/b$ to show that the ratio of firings of $t_3$ to firings of $t_1$ is limited by $b/a = c/d$. So far, $p_{12}$ seems to represent only the information obtained from $t_2$, but arc weights between $t_1$ and $p_1$, respectively $p_2$ and $t_3$, do not appear in this example, since they all have a value of 1, which is neutral to multiplication. Of course, the influence of other values is respected in the formal treatment below. Figure 2(iv) shows how the linear combination of matrix rows $v_1$ and $v_2$ yields row $v_{12}$, from which the incidence functions in figure 2(iii) are taken. Matrix rows originate from an identity matrix and the incidence matrix $C$, and $v_{12} = v_1 \cdot \operatorname{lcm}(a, b)/a + v_2 \cdot \operatorname{lcm}(a, b)/b$.

Figure 2. Simple example net.

Figure 2(iv) shows that the computation of the abstract net relies on linear algebraic operations on the incidence vectors, much like the computation of invariants. Assume that places $p_1$ and $p_2$ initially contain tokens. In that case $t_3$ may fire before $t_1$ fires. This behavior has to be captured by the abstract net in figure 2(iii). By defining the initial marking $M(p_{12}) = c \cdot M(p_1) + d \cdot M(p_2)$, we obtain an initial marking for the abstract net that assures that $t_3$ in figure 2(iii) can fire as many times as $t_3$ in figure 2(i) before $t_1$ fires. Like the weights of the arcs, the initial marking can be generated from linear combinations of the initial markings of the places in the detailed net. Until now we have only considered the original and the abstract net; in what follows, we first perform an intermediate step that results in the addition of place $p_{12}$ to the original net. The resulting extended net is shown in figure 2(ii). $p_{12}$ is a redundant place in the original net; it describes a macro state for the subnet built by $p_1$, $t_2$, and $p_2$. The abstract net results from the extended net through deletion of the detailed parts that are hidden in the abstraction operation.
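The linear combination of figure 2(iv), worked for concrete arc weights; this is an added illustration, not part of the paper. It assumes the reading of figure 2(i) used above: $t_1$ puts one token on $p_1$, $t_2$ consumes $a$ tokens from $p_1$ and produces $b$ tokens on $p_2$, and $t_3$ consumes one token from $p_2$; columns are ordered $(p_1, p_2 \mid t_1, t_2, t_3)$.

$$v_1 = (1, 0 \mid 1, -a, 0), \qquad v_2 = (0, 1 \mid 0, b, -1)$$

$$v_{12} = \frac{\operatorname{lcm}(a,b)}{a}\, v_1 + \frac{\operatorname{lcm}(a,b)}{b}\, v_2 = (c, d \mid c, 0, -d), \qquad c = \frac{\operatorname{lcm}(a,b)}{a},\; d = \frac{\operatorname{lcm}(a,b)}{b}$$

The entry for $t_2$ cancels by the choice of the coefficients, so $p_{12}$ gains $c$ tokens per firing of $t_1$ and loses $d$ tokens per firing of $t_3$, with initial marking $M(p_{12}) = c\,M(p_1) + d\,M(p_2)$. Since $\operatorname{lcm}(a,b)/a$ and $\operatorname{lcm}(a,b)/b$ are coprime, the division by the gcd changes nothing here. For $a = 2$, $b = 3$: $\operatorname{lcm}(2,3) = 6$, $c = 3$, $d = 2$ and $v_{12} = (3, 2 \mid 3, 0, -2)$. After $k$ firings of $t_1$ from the empty marking, the original net allows $\lfloor k/2 \rfloor$ firings of $t_2$ and hence $3\lfloor k/2 \rfloor$ firings of $t_3$, whereas the abstract net allows $\lfloor 3k/2 \rfloor$ firings of $t_3$. Since $3\lfloor k/2 \rfloor \leq \lfloor 3k/2 \rfloor$ for all $k$, with equality for even $k$, every $t_1/t_3$ sequence of the original net is a sequence of the abstract net; for odd $k$ the abstract net admits one $t_3$ firing more than the original, which is exactly the over-approximation the text announces.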

The following two definitions introduce a formal method for computation of the extended net. First, the abstraction operation for a single transition is defined; afterwards, sequences of such abstractions and the generation of the corresponding extended nets are defined. We want to enhance the information associated with a place with the following kind of vector in order to represent linear constraints as imposed by $t_2$ in our example:

Definition 4. A p-vector $v_p$ for a place $p \in P$ is a vector $v_p \in \mathbb{Z}^{n+m}$ with index $v_p = (x_1, x_2, \ldots, x_n, x_{n+1}, \ldots, x_{n+m})$. Entries in $v_p$ are referenced by $v_p(x)$ for $x \in P \cup T$; places obtain the lower index values.

An aggregation function $AG : \mathbb{Z}^{n+m} \times \mathbb{N}^n \to \mathbb{N}$ for p-vectors and markings is defined as
$$AG(v_p, M) = \sum_{i=1}^{n} v_p(i) \cdot M(i).$$

A linear combination $LC : \mathbb{Z}^{n+m} \times \mathbb{Z}^{n+m} \times T \to \mathbb{Z}^{n+m}$ of p-vectors $v_a, v_b$ is defined for a $t \in T$, if $v_a(t) > 0$ and $v_b(t) < 0$, as
$$LC(v_a, v_b, t) = v_c / \gcd(v_c), \qquad \text{where } v_c = c_a \cdot v_a + c_b \cdot v_b$$
$$\text{with } c_a = \operatorname{lcm}(|v_a(t)|, |v_b(t)|)/|v_a(t)| \quad \text{and} \quad c_b = \operatorname{lcm}(|v_a(t)|, |v_b(t)|)/|v_b(t)|.$$

lcm gives the least common multiple of two integers, and gcd of an integer vector is the greatest common divisor of its elements. Note that $v_c(t) = 0$ by construction. Abstracting from a transition gives additional, redundant places. For these places, function $AG$ determines the initial markings, and $LC$ defines the incidence functions.

We inductively define extended nets that result from a sequence of net transformations based on linear combinations. In each step one transition is made internal to a region.

Definition 5. Let $s \in T^*$ be a sequence of transitions of a PN, and $\varepsilon$ denote the empty sequence. An extended net is a tuple $(N_s, V_s, A_s)$ inductively defined as follows: $(N_\varepsilon, V_\varepsilon, A_\varepsilon)$ is an extended net where $N_\varepsilon = PN$, $V_\varepsilon = \bigcup_{p \in P} v_p$, $A_\varepsilon = V_\varepsilon$ and
$$v_p(x) = \begin{cases} 1 & \text{if } x = p \\ -I^-(p, t) + I^+(p, t) & \text{if } x = t \\ 0 & \text{otherwise} \end{cases}$$

For better readability, let $New = \{v \mid v = LC(v_a, v_b, t),\ v_a, v_b \in A_s\}$ be an abbreviation for the resulting new vectors of a linear combination w.r.t. transition $t$, and $Used = \{v_a, v_b \mid v = LC(v_a, v_b, t),\ v_a, v_b \in A_s\}$ denote the vectors used to generate $New$ for an extended net $(N_s, V_s, A_s)$.

$(N_{st}, V_{st}, A_{st})$ is an extended net if $(N_s, V_s, A_s)$ is an extended net, $s \in (T \setminus \{t\})^*$ and
$$V_{st} = V_s \cup New$$
$$A_{st} = (A_s \setminus Used) \cup New$$
$$P_{st} = P_s \cup \{p \mid \exists v_p \in New\}, \qquad T_{st} = T_s$$
$$I^-_{st}(x, y) = \begin{cases} I^-_s(x, y) & \text{if } x \in P_s \\ \sum_{z \in P_\varepsilon} v_x(z)\, I^-_s(z, y) & \text{if } x \notin P_s \end{cases}$$
$$I^+_{st}(x, y) = \begin{cases} I^+_s(x, y) & \text{if } x \in P_s \\ \sum_{z \in P_\varepsilon} v_x(z)\, I^+_s(z, y) & \text{if } x \notin P_s \end{cases}$$
$$M_{0st}(p) = AG(v_p, M_0)$$

Note that $c_a, c_b \geq 0$ by construction. We additionally distinguish ordinary places $P^{ord}_s = P_\varepsilon$ from those generated in the extension sequence, denoted by $P^{agg}_s = P_s \setminus P^{ord}$, such that $P_s = P^{ord}_s \cup P^{agg}_s$.

The definition separates available vectors $A_s$ from the total set of vectors $V_s$ in order to ensure that vectors are used in at most one step of a sequence $s$. This restriction is made in order to focus on those linear combinations that are relevant in the following. The net transformation basically mimics the computation of P-invariants according to [35]. The extreme case $(N_s, V_s, A_s)$, in which $s \in T^*$ contains all transitions $t \in T$ exactly once, describes an extended net in which each P-invariant is realized by a place $p \in P^{agg}$. If an aggregated place $p$ represents a P-invariant, its marking is constant (i.e., $I^+(p, t) = I^-(p, t)$ for all $t \in T$). We can interpret the marking of an aggregated place as a macro marking that includes an abstract view of the detailed marking. Since the complete net does not exchange tokens with the environment, macro markings that represent P-invariants are invariant. However, if sequence $s$ contains only a subset of the transitions, then it is possible that the marking of an aggregated place will represent only a macro marking for a subset of the places belonging to a P-invariant. In this case, the marking of the aggregated place changes whenever tokens are added to or removed from the partial P-invariant it represents. Only transitions that are not hidden (i.e., that are not part of sequence $s$) can remove tokens from or add tokens to places $p \in P^{agg}$. Since the net transformation follows the computation of P-invariants, the effort is limited to the effort for computing P-invariants. Fortunately, the effort is often much smaller, since only a subset of transitions is used in $s$.

Example 2. The running example contains P-invariants (described as formal sums):

p1 + p2 + p3 = 2 (1)

p4 + p5 = 2 (2)

p6 + p7 = 2 (3)

p8 + p9 + p10 = 2 (4)

and a T-invariant $(2\,t_1, 2\,t_2, t_3, 2\,t_4, 2\,t_5, 2\,t_6, 2\,t_7)$. Figure 3 shows the extended net for sequence $s = t_1 t_6 t_7$; the places $P^{agg}_s = \{p_{11}, p_{12}, p_{13}\}$ are hatched and arcs are dotted to indicate that they are different from $N_\varepsilon$. After the operations for sequence $s$ are performed, the transitions $t_1$, $t_6$, and $t_7$ become internal; all remaining transitions describe interfaces between different regions. The minimal regions that are connected via $t_1$, $t_6$, and $t_7$ are merged; shaded polygons denote the new and larger regions in $N_s$. p-vectors and corresponding linear combinations are given in the table below.

                 p1 p2 p3 p4 p5 p6 p7 p8 p9 p10   t1 t2 t3 t4 t5 t6 t7
    v1            1  0  0  0  0  0  0  0  0   0    1 -1  0  0  0  0  0
    v2            0  1  0  0  0  0  0  0  0   0    0  1 -2  0  0  0  0
    v3            0  0  1  0  0  0  0  0  0   0   -1  0  2  0  0  0  0
    v4            0  0  0  1  0  0  0  0  0   0    0 -1  0  1  0  0  0
    v5            0  0  0  0  1  0  0  0  0   0    0  1  0 -1  0  0  0
    v6            0  0  0  0  0  1  0  0  0   0    0  0 -2  0  1  0  0
    v7            0  0  0  0  0  0  1  0  0   0    0  0  2  0 -1  0  0
    v8            0  0  0  0  0  0  0  1  0   0    0  0  0  1  0 -1  0
    v9            0  0  0  0  0  0  0  0  1   0    0  0  0 -1 -1  1  1
    v10           0  0  0  0  0  0  0  0  0   1    0  0  0  0  1  0 -1
    v11 = v1+v3   1  0  1  0  0  0  0  0  0   0    0 -1  2  0  0  0  0
    v12 = v8+v9   0  0  0  0  0  0  0  1  1   0    0  0  0  0 -1  0  1
    v13 = v10+v12 0  0  0  0  0  0  0  1  1   1    0  0  0  0  0  0  0

Note that the definition of extended nets defines the arc weights of the new arcs connected to new places as weighted sums of the arcs of the original net. This makes it possible to consider bidirectional arcs (self-loops) appropriately, as illustrated by the arcs connected to places $p_{12}$ and $p_{13}$ in figure 3.

The problem in the derivation of a hierarchy is finding an appropriate aggregation of information that retains a sufficient set of interesting properties. Before we describe a way to split an extended net into a high-level net and a set of low-level nets to obtain the desired hierarchy, we formalize the aggregation and then consider the reachability and language invariance of the net extension. These are the properties our hierarchy construction needs to preserve.

Figure 3. Extended net.

A place $p \in P^{agg}$ represents a set of places in $P^{ord}$. The following lemma shows that the marking of each aggregated place can be computed as the weighted sum of the markings of the places from the original net. This result implies that the marking of the original net uniquely determines the marking of all places from $P^{agg}$, and that each marking of the places $P^{agg}$ describes a set of markings of the places $P^{ord}$.

Lemma 1. $M(p) = AG(v_p, M) = \sum_{z \in P_\varepsilon} v_p(z)\,M(z)$ for all $p \in P^{agg}_s$ and all $s \in T^*$.

Proof: We consider an induction over transition sequences $s$; initially, all $p \in P^{ord}_\varepsilon$ trivially fulfill the lemma and $P^{agg}_\varepsilon = \emptyset$. For the induction step we consider a $p \in P_{st}$ ($s \in T^*$, $t \in T$, $t$ not in $s$) whose vector $v_p \in New$ results from $v_p = c_a \cdot v_a + c_b \cdot v_b$ with $v_a, v_b \in A_s$ when extending $s$ by $t$ (the case $p \in P_s$ is trivial in $N_{st}$, since for these places $M_0$, $I^-$, and $I^+$ remain unchanged).

We further consider in the extended net $N_{st}$ an induction over firing sequences $\sigma$. Initially $M_0(p) = \sum_{z \in P_\varepsilon} v_p(z)\,M_0(z)$ holds by definition. For the induction step, we consider $M_0[\sigma\rangle M[\kappa\rangle M'$, where the induction assumption ensures that $M(p) = \sum_{z \in P_\varepsilon} v_p(z)\,M(z)$, and we have to show $M'(p) = \sum_{z \in P_\varepsilon} v_p(z)\,M'(z)$ after extending $\sigma$ by a transition $\kappa$:

$$M'(p) = M(p) - I^-(p, \kappa) + I^+(p, \kappa)$$
$$= M(p) - \sum_{z \in P_\varepsilon} v_p(z)\,I^-(z, \kappa) + \sum_{z \in P_\varepsilon} v_p(z)\,I^+(z, \kappa)$$
$$= M(p) + \sum_{z \in P_\varepsilon} \bigl(c_a \cdot v_a(z) + c_b \cdot v_b(z)\bigr)\bigl(-I^-(z, \kappa) + I^+(z, \kappa)\bigr)$$

according to the definitions of successor marking and extended net. By induction assumption

$$M(p) = \sum_{z \in P_\varepsilon} v_p(z)\,M(z) = \sum_{z \in P_\varepsilon} \bigl(c_a \cdot v_a(z) + c_b \cdot v_b(z)\bigr)\,M(z)$$

so we can replace $M(p)$ in the equation above. Observe that $I^-$, $I^+$ remain invariant for $z \in P_\varepsilon$, so we obtain:

$$M'(p) = \sum_{z \in P_\varepsilon} \bigl(c_a \cdot v_a(z) + c_b \cdot v_b(z)\bigr)\bigl(M(z) - I^-_s(z, \kappa) + I^+_s(z, \kappa)\bigr)$$
$$= \sum_{z \in P_\varepsilon} \bigl(c_a \cdot v_a(z) + c_b \cdot v_b(z)\bigr)\bigl(M(z) - I^-_{st}(z, \kappa) + I^+_{st}(z, \kappa)\bigr)$$
$$= \sum_{z \in P_\varepsilon} v_p(z)\,M'(z)$$

The following lemma shows that the extension of the net by places $P^{agg}$ does not modify the behavior in terms of transition sequences (i.e., the language of the net) or markings of the places $P^{ord}$. Thus, all places from $P^{agg}$ are redundant.

Lemma 2. For all $s \in T^*$ for which an extended net $(N_s, V_s, A_s)$ is defined, the following holds:
$$RS(PN) = RS(PN_s)|_P$$
$$L(PN) = L(PN_s)$$

Proof: The proof is done by induction over sequences $s$. Initially, $s = \varepsilon$ trivially fulfills the claim. For the induction step we start with the special case $New = Used = \emptyset$, which directly implies equality. This case can occur, e.g., if $A_s = \emptyset$ or if there are no $v_a, v_b \in A_s$ with $v_a(t) > 0$ and $v_b(t) < 0$.

For the general case, assume that the lemma holds for a sequence $s$; we consider the induction step for sequence $st$, and we give a proof by contradiction:

Case $RS(PN_\varepsilon) = RS(PN_s)|_P \subset RS(PN_{st})|_P$: then there is a $\sigma \in T^*$ with $M_{0st}[\sigma\rangle M_{st}$ such that $\sigma$ is not possible in $PN_s$. Hence there is a $t' \in \sigma$ which is not enabled in $PN_s$, i.e., some place $p \in P_s$ carries fewer tokens in $PN_s$ than in $PN_{st}$. This contradicts the definition of extended nets, because $M_0$, $I^-$, $I^+$ are modified only with respect to the new places.

Case $RS(PN_\varepsilon) = RS(PN_s)|_P \supset RS(PN_{st})|_P$: then there is a $\sigma \in T^*$ with $M_{0s}[\sigma\rangle M_s$ such that $\sigma$ is not possible in $PN_{st}$. Hence there is a $t' \in \sigma$ which is not enabled in $PN_{st}$, i.e., there is an insufficient number of tokens in a place $p \in P_{st} \setminus P_s$. According to Lemma 1, $M(p) = \sum_{z \in P_\varepsilon} v_p(z)\,M(z)$. Since $I^-_{st}(p, t') = \sum_{z \in P_\varepsilon} v_p(z)\,I^-(z, t')$ and for each $z \in P_\varepsilon$: $M(z) \geq I^-(z, t')$, we obtain a contradiction.

In summary, equality holds. Equivalence of languages follows by the same line of argumentation.
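Definitions 4 and 5 and Lemmas 1 and 2, exercised together in one added Python example (not code from the paper or its tool). It rebuilds the p-vectors of the table in Example 2, runs the extension sequence $s = t_1 t_6 t_7$ to obtain $v_{11}$, $v_{12}$, $v_{13}$ and the available set $A_s$, derives the arcs of the aggregated places as in Definition 5, and then enumerates the reachability sets of the original and of the extended net to confirm Lemma 1 (every aggregated place equals its AG value on every reachable marking) and Lemma 2 (projection of the extended reachability set equals the original one). Two assumptions: the arc weights are read off the incidence table assuming the original net has no self-loops, and the initial marking is constructed here, since figure 1 is not reproduced.

```python
"""p-vectors, LC/AG (Definition 4), extension sequences (Definition 5) and a
brute-force check of Lemmas 1 and 2 on the running example.
Added example, not code from the paper or its tool."""
from collections import deque
from math import gcd

PLACES = [f"p{i}" for i in range(1, 11)]
TRANS = [f"t{i}" for i in range(1, 8)]


# Constructed sample input: arc weights of the Example 1 net, read off the
# incidence table of Example 2 assuming the original net has no self-loops.
# I_MINUS[p][t] is the weight of arc p -> t, I_PLUS[p][t] that of t -> p.
def _arcs(spec):
    table = {p: {t: 0 for t in TRANS} for p in PLACES}
    for (p, t), w in spec.items():
        table[p][t] = w
    return table

I_MINUS = _arcs({("p3", "t1"): 1, ("p1", "t2"): 1, ("p4", "t2"): 1, ("p2", "t3"): 2, ("p6", "t3"): 2,
                 ("p5", "t4"): 1, ("p9", "t4"): 1, ("p7", "t5"): 1, ("p9", "t5"): 1, ("p8", "t6"): 1, ("p10", "t7"): 1})
I_PLUS = _arcs({("p1", "t1"): 1, ("p2", "t2"): 1, ("p5", "t2"): 1, ("p3", "t3"): 2, ("p7", "t3"): 2,
                ("p4", "t4"): 1, ("p8", "t4"): 1, ("p6", "t5"): 1, ("p10", "t5"): 1, ("p9", "t6"): 1, ("p9", "t7"): 1})
# Constructed initial marking (figure 1 is not reproduced here); it respects the
# four P-invariants of Example 2, so every reachability set below is finite.
M0 = {p: 0 for p in PLACES}
M0.update({"p3": 2, "p4": 2, "p6": 2, "p8": 2})


def initial_pvector(p):
    """v_p of (N_eps, V_eps, A_eps): unit entry on p, incidence C(p, t) on transitions."""
    v = {x: 0 for x in PLACES + TRANS}
    v[p] = 1
    for t in TRANS:
        v[t] = -I_MINUS[p][t] + I_PLUS[p][t]
    return v


def ag(v, m):
    """AG(v_p, M): weighted sum of the ordinary places' markings."""
    return sum(v[z] * m[z] for z in PLACES)


def lc(va, vb, t):
    """LC(v_a, v_b, t) for v_a(t) > 0 > v_b(t): cancel t, then divide by the gcd."""
    assert va[t] > 0 > vb[t], "LC needs v_a(t) > 0 and v_b(t) < 0"
    common = va[t] * (-vb[t]) // gcd(va[t], -vb[t])     # lcm(|v_a(t)|, |v_b(t)|)
    ca, cb = common // va[t], common // (-vb[t])
    vc = {x: ca * va[x] + cb * vb[x] for x in va}
    g = 0
    for val in vc.values():
        g = gcd(g, abs(val))
    return {x: val // (g or 1) for x, val in vc.items()}


def extend(seq):
    """Definition 5 along sequence seq; returns (V_s, A_s), both keyed by place name."""
    vectors = {p: initial_pvector(p) for p in PLACES}     # V_eps
    avail = dict(vectors)                                  # A_eps
    count = len(PLACES)
    for t in seq:
        new, used = {}, set()
        for a, va in avail.items():
            for b, vb in avail.items():
                if va[t] > 0 > vb[t]:                      # every admissible pair
                    count += 1
                    new[f"p{count}"] = lc(va, vb, t)
                    used |= {a, b}
        for name in used:                                  # A_st = (A_s \ Used) u New
            del avail[name]
        avail.update(new)
        vectors.update(new)                                # V_st = V_s u New
    return vectors, avail


def incidence(vectors):
    """I^-_s, I^+_s of the extended net: aggregated places inherit weighted arcs."""
    im, ip = {}, {}
    for p, v in vectors.items():
        if p in I_MINUS:
            im[p], ip[p] = I_MINUS[p], I_PLUS[p]
        else:
            im[p] = {t: sum(v[z] * I_MINUS[z][t] for z in PLACES) for t in TRANS}
            ip[p] = {t: sum(v[z] * I_PLUS[z][t] for z in PLACES) for t in TRANS}
    return im, ip


def reachable(im, ip, m0):
    """Breadth-first reachability set; markings are tuples in the key order of m0."""
    places = list(m0)
    start = tuple(m0[p] for p in places)
    seen, todo = {start}, deque([start])
    while todo:
        m = todo.popleft()
        for t in TRANS:
            if all(m[i] >= im[p][t] for i, p in enumerate(places)):
                nxt = tuple(m[i] - im[p][t] + ip[p][t] for i, p in enumerate(places))
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return places, seen


def check_lemmas(seq):
    """Lemma 1: M(p) = AG(v_p, M) on every reachable marking of the extended net.
    Lemma 2: RS(PN) equals RS(PN_s) projected onto the ordinary places."""
    vectors, avail = extend(seq)
    im, ip = incidence(vectors)
    m0_ext = {p: ag(v, M0) for p, v in vectors.items()}   # M_0s(p) = AG(v_p, M_0)
    places, rs_ext = reachable(im, ip, m0_ext)
    _, rs_orig = reachable(I_MINUS, I_PLUS, M0)
    idx = {p: i for i, p in enumerate(places)}
    agg = [p for p in vectors if p not in I_MINUS]
    lemma1 = all(m[idx[p]] == sum(vectors[p][z] * m[idx[z]] for z in PLACES)
                 for m in rs_ext for p in agg)
    projected = {tuple(m[idx[p]] for p in PLACES) for m in rs_ext}
    return {"vectors": vectors, "available": set(avail), "lemma1": lemma1,
            "lemma2": projected == rs_orig, "size": len(rs_orig)}
```

Running `check_lemmas(["t1", "t6", "t7"])` reproduces the three combinations of the table: the only admissible pair at $t_1$ is $(v_1, v_3)$, at $t_6$ it is $(v_9, v_8)$, and at $t_7$ it is $(v_{12}, v_{10})$, so $A_s$ ends up as $\{p_2, p_4, p_5, p_6, p_7, p_{11}, p_{13}\}$ and $v_{13}$ has zero entries on all transitions, i.e. it is a P-invariant place. The derived arcs give $p_{11}$ a self-loop with $t_1$ and $p_{13}$ self-loops with $t_4, \ldots, t_7$; Lemma 2 still holds because, by Lemma 1, such a place carries at least as many tokens as the ordinary input place whose arc it inherited, so it never disables a transition that is enabled in the original net.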

A direct consequence of Lemma 2 is that invariants remain valid: T-invariants because of language equivalence and P-invariants because of the additivity of invariants, cf. Theorem 1. Furthermore, for places like $p_{13}$ in our example, where $I^+(p_{13}, t) = I^-(p_{13}, t)$ for all transitions $t$, we can decide whether a given initial marking $M_0(p_{13})$ ensures that a transition is dead (due to $M_0(p_{13}) < I^-(p_{13}, t)$) or whether the place can safely be omitted (since $M(p_{13}) \geq I^-(p_{13}, t)$ for all $M \in RS$). If the former is the case, it is clear that the net is not live.

So far we have described a way to add places to a net without changing its reachability set or language. The notion of an extended net is only introduced to help explain formally why a hierarchical net indeed includes the reachability set or language of its $N_\varepsilon$. The key issue for a hierarchy is abstraction. At a higher level the state of a subsystem must be represented in less detail than at a lower level. We use aggregated places to obtain an aggregated state representation, and the notion of a subsystem is built on the concept of region. In the following we describe how to split an extended net into a high-level net HN and a set of low-level nets $L_1, \ldots, L_J$ via the notion of regions.

Let $R(N_\varepsilon)$ denote the set of minimal regions w.r.t. an extended net $(N_\varepsilon, V_\varepsilon, A_\varepsilon)$. When we extend this net for a transition $t \in T^{out}_r$ of a region $N_r \in R(N_\varepsilon)$, then the new places connect $N_r$ with the regions that contain $t\bullet$. Consequently, we merge all these regions with $N_r$; this yields a new region $N'_r$ according to Proposition 1. Since we start from a partition into regions, the resulting set of regions is a partition again, but this partition is less fine. Transition $t$ becomes internal in $N'_r$, because $\bullet t \cup t\bullet \subseteq P'_r$, and the new places give an aggregated description of the internal behavior of $N'_r$ w.r.t. transition $t$. Following this procedure over a sequence $s$ of transitions yields $(N_s, V_s, A_s)$ and a partition into regions, where some regions have internal transitions and aggregated places. In this situation a decomposition of an extended net into a high-level net using the aggregated description and a set of low-level nets resulting from regions with internal behavior gives the two-level hierarchy we aim for. In the high-level net, transitions that are internal to some region are no longer visible, and places that are only connected to internal transitions are also invisible.

More formally, a high-level net for a given extended net (Ns , Vs , As) results from aprojection with respect to As .

Definition 6. Let $(N_s, V_s, A_s)$ be an extended net; its corresponding high-level net $HN = (P^H, T^H, I^{H-}, I^{H+}, M_0^H)$ is defined by:
$$P^H = \{p \mid v_p \in A_s\} \qquad (5)$$
$$T^H = \bullet P^H \cup P^H \bullet \qquad (6)$$
and $I^{H-}$, $I^{H+}$, $M_0^H$ are the corresponding projections of $I^-$, $I^+$, and $M_0$ w.r.t. $P^H \cup T^H$.

Example 3. Figure 4 shows the high-level net for the extended net of our running example in figure 3.

The following lemma shows that the reachability set of the high-level net contains all markings of places from $P^H$ in the original net.

Lemma 3. Let $RS'(N_\varepsilon) = \{M' \mid \exists M \in RS(N_\varepsilon): \forall p \in P_s: M'(p) = AG(v_p, M)\}$ for $(N_s, V_s, A_s)$; then
$$RS'(N_\varepsilon) \subseteq RS(HN) \qquad (7)$$

Figure 4. High-level net for $s = t_1 t_6 t_7$.

Proof: The proof uses the previous lemma about equality for $N_\varepsilon$ and $N_s$, and the fact that HN is deduced by omitting places (which releases enabling conditions and thus increases RS) and by omitting transitions that are isolated (since all elements in the pre- and postset of omitted transitions are used in linear combinations and thus are not contained in $A_s$ anymore). Isolated transitions have no effect on RS.

P-invariants of HN are linear combinations of P-invariants of $N_\varepsilon$; hence, if $N_\varepsilon$ is covered by P-invariants, so is HN. Consequently, we can guarantee finiteness of $RS(HN)$ if $N_\varepsilon$ is covered by P-invariants.

Lemma 3 states that the HN indeed describes a more abstract net such that the detailed net can only behave in a way that is consistent with this abstraction/aggregation. The next step is to consider single regions in detail. If a region is trivial (i.e., it contains no internal transitions), then it is part of the HN. For non-trivial regions we define a description that takes into consideration the detailed region plus the places from $P^{agg}$ that describe the aggregated state of the region. The resulting net for region $r$ is a low-level net for region $r$.

Definition 7. A low-level net is a net $LN = (P^L, T^L, I^{L-}, I^{L+}, M_0^L)$ that belongs to a region $r$ in an extended net $(N_s, V_s, A_s)$. Let $P^L = (P_r \cap P^H) \cup (P_r \cap P_\varepsilon)$, $T^L = P^L \bullet$ ($\bullet$ with respect to $N_\varepsilon$), and
$$I^{L-}(p)(t) = \begin{cases} I^{H-}(p)(t) & \text{if } p \in P^H \setminus P_\varepsilon \\ I^-(p)(t) & \text{if } p \in P_\varepsilon \\ 0 & \text{otherwise} \end{cases}$$
$$I^{L+}(p)(t) = \begin{cases} I^{H+}(p)(t) & \text{if } p \in P^H \setminus P_\varepsilon \\ I^+(p)(t) & \text{if } p \in P_\varepsilon \\ 0 & \text{otherwise} \end{cases}$$

If LN and the corresponding region $r^H$ in HN do not differ in their transitions, LN is trivial and can be neglected. Otherwise LN is non-trivial.


An LN for a region $r$ and HN share places $P_r \cap P^H \neq \emptyset$ and transitions $T^{out}_r$. These common net elements form an interface that allows the HN to communicate with the LN in an asynchronous manner. The HN puts tokens via transitions $t \in T^{in}_r$ onto places from $P^L$, sends signals to the LN, and experiences output behavior through firing of $t \in T^{out}_r$. The notion of hierarchy is justified, since the HN abstracts from the details inside the LN. Tokens on $P_r \cap P^H \neq \emptyset$ describe a so-called "macro marking" of the LN that is visible in the HN, and transitions from $T^{out}_r$ represent the aggregated behavior of the LN.

An LN is merged with the HN to allow observation of the detailed behavior. Formally, we describe this as an extended LN (EN) as $(P^E, T^E, I^{E-}, I^{E+}, M_0^E)$, where $P^E = P^H \cup P^L$, $T^E = T^H \cup T^L$, and $I^{E-}$, $I^{E+}$, $M_0^E$ are defined analogously. An EN is an ordinary PN; $RS(EN)$ and $L(EN)$ are defined as before. An HN provides an environment with which the LN interacts in an asynchronous manner. Reachability of markings in an LN cannot be seen independently of an HN, so the reachability set $RS(LN)$ of the LN for a given environment HN needs the notion of EN and results from the projection $RS(EN)|_{LN}$. Using the results of Lemma 3, we can be certain that the HN allows all interactions between LN and its environment that are possible in the original net, in which HN is replaced by the detailed description of all regions. Consequently, we can be certain that all markings on places $P_r$ that are possible in the original net are also possible in the corresponding EN. The advantage of generating reachability sets/graphs for HN and LN instead of generating the reachability set/graph for the original net results from the divide and conquer step that is used here. Since the size of RS often grows exponentially with the size of the net, reachability sets for HN or LNs are usually much smaller than the reachability set of the complete net. Consequently, the generation of several small sets is much more efficient than the generation of one huge set, and often the huge set cannot be generated at all. In the following section we will give a hierarchical/compositional representation of $RS(PN)$ based on $RS(HN)$ and $RS(i)|_i$ for each LN $i$.

Example 4. Figures 5 and 6 show the extended low-level nets for the two non-trivial low-level nets (indicated by shaded polygons) of our running example. The nets result from the producer part, in which transition $t_1$ becomes internal, and from the consumer part, in which transitions $t_6$ and $t_7$ become internal. For the consumer region, only $p_{13}$ becomes part of $A_{t_1 t_6 t_7}$, because $v_{12}$ has been used for its construction. The region with transition $t_3$ has no internal transition.

Figure 5. Low-level net and extended low-level net for the consumer region.

Figure 6. Low-level net and extended low-level net for the producer region.

The LNs are shown on the left sides of figures 5 and 6, and the corresponding ENs are shown on the right side. The isolated description of an LN is not sufficient to describe the dynamics of the PN with respect to the region. However, after embedding LN into HN, yielding EN, a net is obtained that mimics the dynamics of the original net with respect to one region. $RS(LN)$ and $RG(LN)$ for a region $r$ result from the projection of $RS(EN)$ and $RG(EN)$ on the places of region $r$.

Obviously, the selection of $s$ has a massive impact on the resulting hierarchical net description. Determination of "optimal" sequences requires further investigation. At this point we can only formulate goals and rules of thumb to follow:

1. It is clear that a non-trivial LN results from merging adjacent regions, i.e., if for $N_s$ with regions $A$, $B$ and $t \in T^{out}_A$, $t\bullet \cap B \neq \emptyset$, $t$ is in $s$, then all $t' \in T^{out}_A$ with $t'\bullet \cap B \neq \emptyset$ should become elements of $s$.

2. Derivation of a hierarchy uses a divide and conquer strategy. Consequently, a sequence should yield a set of non-trivial LNs such that complexity is equally distributed over the set. This means that only those regions are merged whose result will not cover a majority of the net.

3. Aggregated places introduce overhead; in particular, building all linear combinations can impose an unacceptable increase of net elements. This is the reason for the exponential worst-case time complexity of invariant computation. In our case, we have the freedom to select transitions and to consider only a subset of transitions. Hence those transitions $t$ are preferred for which $|\bullet t| \cdot |t\bullet|$ w.r.t. $N_s$ is relatively small.

In our implementation of the proposed approach, we have integrated these heuristic rules to generate appropriate transition sequences. Our first experiences with several examples (e.g., the example presented in Section 8) are very encouraging. The program automatically chooses a sequence of transitions that partitions complex nets into non-trivial parts and a non-trivial HPN.


6. Hierarchical representations of RS and RG

In the previous section, a method has been introduced to decompose a flat net into parts and to describe the dynamic behavior of the parts by generating the reachability sets and graphs for the LNs and the HN. Some results can be proved or disproved on the component reachability sets/graphs with techniques like those described in [4]. However, to prove general properties, the complete reachability set/graph has to be known. In the following two sections, we present a methodology to generate and represent $RS(PN)$ and $RG(PN)$ in a space- and time-efficient way. The idea is to describe markings or states of PN by a composition of LN markings related to an HN marking. In a similar way, the reachability graph of PN is described by a set of adjacency matrices, which are defined as the Kronecker product of small adjacency matrices for the LNs. The Kronecker representation is a very convenient way to represent huge graphs in a compact form. Additionally, and often more importantly, very time- and space-efficient analysis algorithms have been developed for Kronecker structures, cf. Section 7.

For notational convenience, we assume that PN is decomposed into one HN and $J$ LNs that are consecutively numbered 1 through $J$. Furthermore, we assume that all reachability sets for the HN and the extended LNs are finite. Consequently, reachability sets are isomorphic to finite sets of consecutive integers. Let $RS(HN) = \{0, \ldots, n_H - 1\}$. Marking $M_x$ corresponds to the $x$-th marking in $RS(HN)$, and we use $x$ and $M_x$ interchangeably. We can represent $RG(HN)$ by an $n_H \times n_H$ matrix $Q^H$ with $Q^H(x, y) = t$ iff $M_x[t\rangle M_y$ for transition $t \in T^H$, provided that between any two markings in $RG(HN)$ at most one transition exists. If more than one transition between $M_x$ and $M_y$ exists, $Q^H(x, y)$ describes a list of transition indexes. For generality we use the notation $t \in Q^H(x, y)$ for all $t$ with $M_x[t\rangle M_y$. $Q^H$ contains the complete description of $RS(HN)$.

The reachability set $RS(j)$ of LN $j$ depends on the environment given by HN. Hence, we consider the EN $e$ that corresponds to $j$, and define $RS(j)$ as the projection of $RS(e)$ on the places of $j$. Since any LN $j$ and the HN share some places $P_j \cap P^H$, we also define $\mathbf{RS}(j)$ as the projection of $RS(j)$ onto the places from $P_j \cap P^H$. Markings from $\mathbf{RS}(j)$ are macro markings and allow the partition of $RS(j)$, i.e., markings from $\mathbf{RS}(j)$ represent disjoint subsets of $RS(j)$. Macro markings are useful for the generation of $RS(j)$. Full details of an HN are irrelevant at the LN level, and one can redefine the transitions of $T^{in}_j$ such that their firing is marking-dependent with respect to $RS(HN)|_{P_j \cap P^H} \supseteq \mathbf{RS}(j)$. Therefore, EN is defined to help obtain a clear notion of $RS(j)$. In practice, however, computation of $RS(j)$ can be performed more efficiently by using only macro-marking-dependent transitions of $T^{in}_j$, since transitions local to HN are ignored. The resulting set $RS(j)$ might contain markings that are not in $RS(PN)$, but they can be eliminated in a subsequent step, cf. Section 7.

Let $\mathbf{RS}(j) = \{0, \ldots, \mathbf{n}_j - 1\}$ and let $RS(j, \mathbf{x})$ with $\mathbf{x} \in \{0, \ldots, \mathbf{n}_j - 1\}$ denote the set of markings from $RS(j)$ that belong to macro marking $\mathbf{x}$ in $\mathbf{RS}(j)$. All markings from a set $RS(j, \mathbf{x})$ are indistinguishable in the HN, i.e., the marking of the places from $P^H \cap P_j$ is the same. Since reachability sets are assumed to be finite, each set $RS(j, \mathbf{x})$ can be represented by a set of integers $\{0, \ldots, n_j(\mathbf{x}) - 1\}$. A marking $M_x \in RS(HN)$ uniquely determines the macro markings for all LNs. We use $\mathbf{x}_j$ to denote the macro marking of LN $j$ belonging to marking $x$, and obtain $M_{\mathbf{x}_j} = M_x|_{P^H \cap P_j}$.


Markings of PNs can be characterized using $(J+1)$-dimensional integer vectors $(x_H, x_1, \ldots, x_J)$, where $0 \leq x_H < n_H$ and $0 \leq x_j < n_j(\mathbf{x}^j_H)$ for $j \in \{1, \ldots, J\}$. $x_H$ describes a marking from $RS(HN)$ and $x_j$ a marking from $RS(j, \mathbf{x}^j_H)$, where $\mathbf{x}^j_H$ describes the macro marking of LN $j$ when the marking of HN equals $x_H$. This implies that $M_{x_H}|_{P^H \cap P_j} = M_{x_j}|_{P^H \cap P_j}$. Since the previous relation holds, each integer vector of the previously introduced form determines a marking of the extended net. We define a hierarchically generated reachability set:
$$RS^H(PN_s) = \bigcup_{x_H \in RS(HN)} \{x_H\} \times \mathop{\times}_{j=1}^{J} RS(j, \mathbf{x}^j_H) \qquad (8)$$

Observe that the number of markings in $RS^H(PN_s)$ equals
$$\sum_{x=0}^{n_H - 1} \prod_{j=1}^{J} n_j(\mathbf{x}_j),$$
but at most
$$\sum_{x=0}^{n_H - 1} \Bigl(1 + \sum_{j=1}^{J} n_j(\mathbf{x}_j)\Bigr)$$
markings have to be stored to represent $RS^H(PN_s)$. A few reachability sets with a few hundred markings are enough to describe sets with several million or billion markings. To keep the representation compact, it has to be assured that the reachability sets of the LNs are roughly of the same size. Of course, this is hard to assure a priori, but it is possible to generate regions in such a way that they include a similar number of places and transitions; that is often sufficient to yield reachability sets of a similar size for the different regions. The following lemma shows that $RS^H(PN_s)$ contains all markings in $RS(PN_s)$.

Lemma 4. The hierarchically generated reachability set and the reachability set are related as follows:
$$RS(PN_s) \subseteq RS^H(PN_s) \qquad \text{and} \qquad RS(PN) \subseteq RS^H(PN_s)|_P$$

Proof: The previous lemmas imply that $RS(PN_s)|_{P^H} \subseteq RS(HN) = RS^H(PN_s)|_{P^H}$, $RS(PN_s)|_{P_j} \subseteq RS(j) = RS^H(PN_s)|_{P_j}$ for all $j \in \{1, \ldots, J\}$, and for each $M \in RS(PN_s)$: $M|_{P^H} \in RS(HN)$, $M|_{P_j} \in RS(j)$. By construction of the hierarchically generated reachability set, $M \in RS^H(PN_s)$ follows. The second relation follows since $RS(PN) = RS(PN_s)|_P$.

Unfortunately, the reachability set of the original net is not necessarily equal to $RS^H(PN_s)$; it is only included in the hierarchically generated reachability set. Before we compute $RS(PN_s)$ as part of $RS^H(PN_s)$, the reachability graph is represented in a compact form similar to the compact representation of the reachability set.

First of all, we define the effect of transitions locally for LNs. Two different classes of transitions have to be distinguished with respect to LN $j$.

• $LT_j = T_j \setminus T^H$ is the set of internal transitions in LN $j$.
• $ST_j = T^{in}_j \cup T^{out}_j$ is the set of transitions that describe the communication between LN $j$ and HN.


The effect of transitions at the marking level is defined using Boolean matrices. As usual, we assume that multiplication of Boolean values is defined as Boolean and and summation as Boolean or. In the following, $\mathbf{x}, \mathbf{y} \in RS(j)$ denote macromarkings of $LN_j$, and $x \in RS(j, \mathbf{x})$, $y \in RS(j, \mathbf{y})$ denote detailed markings; square brackets index macromarkings, parentheses index detailed markings. Let $Q^j_t[\mathbf{x}, \mathbf{y}]$ for $\mathbf{x}, \mathbf{y} \in RS(j)$ be an $n_j(\mathbf{x}) \times n_j(\mathbf{y})$ matrix describing the transitions in the reachability graph of $LN_j$ due to the firing of transition $t$: $Q^j_t[\mathbf{x}, \mathbf{y}](x, y) = 1$ iff transition $t$ is enabled in marking $x \in RS(j, \mathbf{x})$ and firing of $t$ yields successor marking $y \in RS(j, \mathbf{y})$. All remaining elements in the matrices are 0. Since transitions $t \in LT_j$ do not modify the marking of the HN, $Q^j_t[\mathbf{x}, \mathbf{y}] = 0$ for $\mathbf{x} \neq \mathbf{y}$ and $t \in LT_j$. Furthermore, we define for $t \notin LT_j \cup ST_j$: $Q^j_t[\mathbf{x}, \mathbf{y}] = I_{n_j(\mathbf{x})}$ if $\mathbf{x} = \mathbf{y}$, and $0_{n_j(\mathbf{x}), n_j(\mathbf{y})}$ otherwise. $I_n$ is the $n \times n$ matrix with 1 on the diagonal and 0 elsewhere; $0_{n,m}$ is the $n \times m$ matrix with all elements equal to 0. The reason for this definition is that a transition $t \notin LT_j \cup ST_j$ neither modifies the marking of $LN_j$ nor can be disabled by $LN_j$, which is exactly what the matrices $I$ and $0$ describe. We define for $t \in T$, $\mathbf{x} \in RS(j)$ and $x \in RS(j, \mathbf{x})$

$$q^j_t(\mathbf{x}, x) = \sum_{\mathbf{y} \in RS(j)} \;\sum_{y \in RS(j, \mathbf{y})} Q^j_t[\mathbf{x}, \mathbf{y}](x, y).$$

If $q^j_t(\mathbf{x}, x) = 1$, then $t$ is enabled by $LN_j$ in marking $x$. For the HN we define $q^H_t(x) = 1$ if $t \notin T_H$ or $t \in Q_H(x, y)$ for some $y \in RS(HN)$, where $Q_H(x, y)$ is the set of transitions labelling the arc from $x$ to $y$ in $RG(HN)$; in all other cases $q^H_t(x) = 0$.

The matrices describe the effect of transitions with respect to the HN or a single LN. The next step is to consider the effect of a transition with respect to the global net. Transition $t$ is enabled in marking $(x_H, x_1, \ldots, x_J) \in RS_H(PNs)$ iff

$$q_t(x_H, x_1, \ldots, x_J) = q^H_t(x_H) \prod_{j=1}^{J} q^j_t(x^j_H, x_j) = 1.$$

It is straightforward to prove this enabling condition. Since $q^j_t(\cdot) \equiv 1$ for $t \notin LT_j \cup ST_j$ and $q^H_t(\cdot) \equiv 1$ for $t \notin T_H$, enabling depends only on the markings of the parts to which the transition belongs: a transition is enabled iff it is enabled in all of its parts simultaneously. In a similar way we can characterize transitions between markings. Transition $t$ is enabled in marking $(x_H, x_1, \ldots, x_J)$ and its firing yields successor marking $(y_H, y_1, \ldots, y_J)$ iff $t \in Q_H(x_H, y_H)$ and

$$\prod_{j=1}^{J} Q^j_t[x^j_H, y^j_H](x_j, y_j) = 1.$$

This relation allows us to characterize the reachability graph completely. To do this in amore elegant way, we define Kronecker operations for matrices.

Definition 8. The Kronecker product $A \otimes B$ of an $n_A \times m_A$ matrix $A$ and an $n_B \times m_B$ matrix $B$ is defined as the $n_A n_B \times m_A m_B$ matrix

$$C = \begin{pmatrix} A(0,0)\,B & \cdots & A(0, m_A-1)\,B \\ \vdots & \ddots & \vdots \\ A(n_A-1, 0)\,B & \cdots & A(n_A-1, m_A-1)\,B \end{pmatrix}.$$


The Kronecker sum $A \oplus B$ is defined for square matrices only as

$$D = A \otimes I_{n_B} + I_{n_A} \otimes B.$$

The definition of Kronecker sums/products does not fix the data type of the matrix elements; indeed, any algebraic semiring can be used. In particular, we consider here Boolean values as needed for adjacency matrices. Since the Kronecker product is associative, we can define a generalization for $J$ matrices $A_j$ of dimension $n_j \times m_j$:

$$C = \bigotimes_{j=1}^{J} A_j = \prod_{j=1}^{J} \big(I_{l_j} \otimes A_j \otimes I_{u_j}\big), \qquad l_j = \prod_{i=1}^{j-1} m_i, \quad u_j = \prod_{i=j+1}^{J} n_i .$$

In the same way the Kronecker sum can be defined for $n_j = m_j$ as

$$D = \bigoplus_{j=1}^{J} A_j = \sum_{j=1}^{J} I_{l_j} \otimes A_j \otimes I_{u_j}.$$

Observe that $C$ is a matrix with $\prod_{j=1}^{J} n_j$ rows and $\prod_{j=1}^{J} m_j$ columns that is represented by the $n_j \times m_j$ matrices $A_j$. If we denote the number of non-zero elements in a matrix $A$ as $nz(A)$, then the number of non-zero elements of $C$ in terms of those of the $A_j$ is

$$nz(C) = \prod_{j=1}^{J} nz(A_j).$$

Kronecker sums and products are a very compact way to represent huge matrices. Implicitly, Kronecker operations realize a linearization of a $J$-dimensional number. Row indices of matrix $C$ or $D$ are computed from the row indices of the matrices $A_j$ using the relation

$$x = \sum_{j=1}^{J} x_j \prod_{i=j+1}^{J} n_i ,$$

where $x$ is the row index in $C$ or $D$, $x_j$ is the row index in $A_j$, and $n_j$ is the number of rows in $A_j$. In the same way, column indices are computed from the relation

$$y = \sum_{j=1}^{J} y_j \prod_{i=j+1}^{J} m_i ,$$

where $y$ is the column index in $C$ or $D$, $y_j$ is the column index in $A_j$, and $m_j$ is the number of columns in $A_j$. These representations are called mixed radix number representations. Obviously, $x$ (resp. $y$) determines all $x_j$ (resp. $y_j$) and vice versa. For complementary information about Kronecker operations and mixed radix number schemes, we refer to [22] and recommend working through an example with $J = 3$ and $n_j = m_j = 10$ for all $j \in \{1, 2, 3\}$, where the mixed radix representation coincides with the ordinary decimal representation of a three-digit number.
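To make the index arithmetic concrete, here is an added Python example (not code from the paper or its tool): it builds a Boolean Kronecker product and Kronecker sum explicitly, checks $nz(C) = \prod_j nz(A_j)$, and shows that an entry $C(x, y)$ can be obtained from the factors alone by splitting $x$ and $y$ into their mixed radix digits, so the product never has to be materialised. The factor matrices `A1`, `A2`, `A3` are constructed for the example; the decimal case $J = 3$, $n_j = m_j = 10$ recommended above appears as `to_digits(247, [10, 10, 10])`.

```python
"""Boolean Kronecker product/sum and mixed-radix indexing.

Added example; this is not code from the paper or its toolbox.
Matrices are lists of 0/1 rows; (x) uses Boolean and, (+) uses Boolean or.
"""
from itertools import product
from math import prod


def kron2(A, B):
    """Kronecker product of two Boolean matrices (Definition 8)."""
    nA, mA, nB, mB = len(A), len(A[0]), len(B), len(B[0])
    C = [[0] * (mA * mB) for _ in range(nA * nB)]
    for i, k in product(range(nA), range(nB)):
        for j, l in product(range(mA), range(mB)):
            C[i * nB + k][j * mB + l] = A[i][j] & B[k][l]
    return C


def kron(mats):
    """C = A_1 (x) ... (x) A_J, built left to right (associativity)."""
    C = mats[0]
    for M in mats[1:]:
        C = kron2(C, M)
    return C


def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]


def kron_sum(mats):
    """D = sum_j I_{l_j} (x) A_j (x) I_{u_j} for square Boolean matrices,
    with l_j = prod_{i<j} n_i and u_j = prod_{i>j} n_i; '+' is Boolean or."""
    ns = [len(M) for M in mats]
    N = prod(ns)
    D = [[0] * N for _ in range(N)]
    for j, M in enumerate(mats):
        term = kron([identity(prod(ns[:j])), M, identity(prod(ns[j + 1:]))])
        for a, b in product(range(N), range(N)):
            D[a][b] |= term[a][b]
    return D


def nz(M):
    """Number of non-zero elements of a Boolean matrix."""
    return sum(map(sum, M))


def to_digits(x, radices):
    """Mixed-radix digits (x_1, ..., x_J) of x; digit j is weighted by prod_{i>j} radices[i]."""
    digits = []
    for r in reversed(radices):
        digits.append(x % r)
        x //= r
    return digits[::-1]


def from_digits(digits, radices):
    """Inverse of to_digits: x = sum_j x_j * prod_{i>j} radices[i]."""
    x = 0
    for d, r in zip(digits, radices):
        x = x * r + d
    return x


def kron_entry(mats, x, y):
    """C(x, y) without materialising C: Boolean and of the A_j(x_j, y_j)."""
    xs = to_digits(x, [len(M) for M in mats])
    ys = to_digits(y, [len(M[0]) for M in mats])
    v = 1
    for M, xj, yj in zip(mats, xs, ys):
        v &= M[xj][yj]
    return v


def entrywise_consistent(mats):
    """True iff the explicit product agrees with kron_entry at every index."""
    C = kron(mats)
    return all(C[x][y] == kron_entry(mats, x, y)
               for x in range(len(C)) for y in range(len(C[0])))


# Constructed sample factors (J = 3, rectangular so that n_j != m_j is exercised).
A1 = [[1, 0], [0, 1], [1, 1]]          # 3 x 2, nz = 4
A2 = [[0, 1], [1, 0]]                  # 2 x 2, nz = 2
A3 = [[1, 1, 0], [0, 0, 1]]            # 2 x 3, nz = 3

if __name__ == "__main__":
    C = kron([A1, A2, A3])
    print(len(C), "x", len(C[0]), "nz =", nz(C), "=", nz(A1) * nz(A2) * nz(A3))
    print(to_digits(247, [10, 10, 10]), from_digits([2, 4, 7], [10, 10, 10]))
    print("entrywise consistent:", entrywise_consistent([A1, A2, A3]))
```

`kron` materialises $C$ only so that `entrywise_consistent` can check `kron_entry` against it; the point of the representation is that an algorithm working on $RS_H$ never needs more than the factors and the digit split.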


Mixed radix numbering schemes can also be applied to number markings in $RS_H(PNs)$. We use a two-level scheme in which the first number describes the HN marking and the second number is computed from the numbers of the LN markings. Thus, marking $(x_H, x_1, \ldots, x_J)$ receives number $(x_H, x_L)$, where

$$x_L = \sum_{j=1}^{J} x_j \prod_{i=j+1}^{J} n_i(x^i_H).$$

Using this numbering scheme, $RG_H(PNs)$ can be represented using Kronecker products of Boolean matrices. We define $Q^H_t$ as the adjacency matrix of the reachability graph considering only transition $t$. Using the two-level marking number, $Q^H_t$ has a block structure with $n_H^2$ block matrices:

$$Q^H_t = \begin{pmatrix} Q^H_t[0, 0] & \cdots & Q^H_t[0, n_H-1] \\ \vdots & \ddots & \vdots \\ Q^H_t[n_H-1, 0] & \cdots & Q^H_t[n_H-1, n_H-1] \end{pmatrix}.$$

Submatrix $Q^H_t[x, y]$ includes all transitions due to transition $t$ between markings that belong to HN marking $x$ and markings that belong to HN marking $y$. Each submatrix can be represented as a Kronecker product of LN matrices:

$$Q^H_t[x, y] = \bigotimes_{j=1}^{J} Q^j_t[x^j, y^j] \qquad (9)$$

This form describes a very compact representation of a huge matrix. Since there are more transitions than just $t$, the adjacency matrix of $RG_H(PNs)$ results from a summation over all $t$:

$$Q^H = \sum_{t \in T} Q^H_t .$$

This equation is useful as it is, but we can identify special cases that can be exploited by algorithms. Internal transitions cause a specific pattern of nonzero elements that allows us to build a simpler structure by a Kronecker sum. Since $Q^i_t[x, x]$ equals an identity matrix for $t \in LT_j$, $j \neq i$, and $Q^j_t[x, y] = 0$ for $x \neq y$,

$$Q^H_t[x, y] = \begin{cases} I_{l_j(x)} \otimes Q^j_t[x^j, x^j] \otimes I_{u_j(x)} & \text{if } x = y \\ 0 & \text{otherwise} \end{cases}$$

where $l_j(x) = \prod_{i=1}^{j-1} n_i(x^i)$ and $u_j(x) = \prod_{i=j+1}^{J} n_i(x^i)$. By collecting internal transitions in one matrix

$$Q^j_l[x^j, y^j] = \sum_{t \in LT_j} Q^j_t[x^j, y^j],$$

we obtain the following representation for a submatrix of $Q^H$, where internal transitions are kept separately in a Kronecker sum and other transitions are represented by Kronecker products as before:

$$Q^H[x, y] = \begin{cases} \displaystyle \bigoplus_{j=1}^{J} Q^j_l[x^j, y^j] \;+\; \sum_{t \in T \setminus \bigcup_{k=1}^{J} LT_k} \;\bigotimes_{j=1}^{J} Q^j_t[x^j, y^j] & \text{if } x = y \\[3ex] \displaystyle \sum_{t \in T \setminus \bigcup_{k=1}^{J} LT_k} \;\bigotimes_{j=1}^{J} Q^j_t[x^j, y^j] & \text{otherwise} \end{cases} \qquad (10)$$

Equation (10) does not distinguish between different internal transitions of the same LN. If such a distinction is necessary, transitions that have to remain visible can be excluded from the sets $LT_j$. In this way, it is possible to keep all relevant information in the representation of $RG_H(PNs)$. The Kronecker representation involves only matrices that describe transitions for LNs. As long as the reachability sets of the LNs and HN are significantly smaller than the complete reachability set, as is usually the case in a non-trivial decomposition, the representation remains compact.

However, the possibility of unreachable markings in Eq. (10) remains. To understand this, assume that $Q$ is the adjacency matrix of $RG(PN)$ and reorder the markings according to reachability, i.e., the markings from $RS(PNs)$ (the reachable part of $RS_H(PNs)$) come first, followed by the markings from $RS_H(PNs) \setminus RS(PNs)$. Then $Q^H$ equals

$$Q^H = \begin{pmatrix} Q & 0 \\ A & B \end{pmatrix}.$$

The upper right block is zero because firing a transition in a reachable marking yields a reachable marking. If $RS(PNs) = RS_H(PNs)$, then the matrices $A$ and $B$ disappear. Since the initial marking is part of $RS(PNs)$, the above representation implies that the successors of reachable markings can be computed using the matrices of $Q^H$ and, consequently, that reachability analysis can be performed using these matrices. The following section describes an RS exploration algorithm based on Eq. (10). Kronecker-based algorithms require less memory than conventional analysis algorithms and are often faster if applied to large examples.

Example 5. The running example is rather small, so we cannot expect a practical gain from representing RS or RG in a compositional way as proposed in this section. However, even for this simple example the representation becomes more compact, and the example allows us to clarify the general concepts.

The following table summarizes the number of markings in RS and the number of transitions (arcs) in the RG for the various nets considered here. Obviously, the HN has an RG that is significantly smaller than that of PN.

    Net     |RS|   RG transitions
    PN      254    622
    HN       27     51
    LN 1     18     30
    LN 2     45    114

The Kronecker representation requires overall 195 (= 51 + 30 + 114) transitions to represent the complete reachability graph with 622 transitions. Of course, this comparison does not consider the overhead of storing the different matrices of the Kronecker representation. However, that overhead depends on the number of transitions in $\bigcup_i ST_i$ and on the number of LNs; both quantities are negligible compared to the number of markings if we consider large nets. The hierarchically generated reachability set $RS_H$ includes 270 markings, which means that 16 markings are unreachable. We consider this point in the subsequent section.

7. Hierarchical analysis

A Kronecker representation has advantages for analysis algorithms. In this section we describe how to recognize $RS(PN)$ in a Kronecker representation by a search algorithm, Depth-First-Search (DFS) or Breadth-First-Search (BFS). This serves two purposes: a) knowledge of the exact $RS(PN)$ is important for state-based analysis, and b) many state-based analysis algorithms are search algorithms as well; e.g., the model-checking algorithms for computation tree logic (CTL) in [20] are search algorithms and require knowledge of $RS(PN)$. Reachability analysis for Kronecker representations profits from the fact that the numbering of markings in $RS_H(PNs)$ is a perfect hash function for the markings in $RS(PN)$. This was first exploited for the efficient reachability analysis of SGSPNs, a class of generalized stochastic PNs consisting of components synchronized via transitions, in the work of Kemper [32]. We can use a similar approach here, but do not necessarily rely on it; see, for example, [11, 18, 19] for alternatives. For a marking $M_x$ of the HN, let $n(x) = \prod_{i=1}^{J} n_i(x^i)$ be the number of markings in $RS_H$ that belong to it. Let $r[x]$ be a Boolean vector of length $n(x)$ that is used to store the results of the reachability analysis: $r[x_H](x_L) = 1$ indicates that marking $(x_H, x_L) \in RS(PN)$, and $r[x_H](x_L) = 0$ indicates after termination that $(x_H, x_L) \notin RS(PN)$. Formally, we use one Boolean vector per HN marking, but it is obviously possible to store all these vectors consecutively in a single Boolean vector of appropriate length. In addition to the vectors $r[x]$ and the matrices introduced in the previous section, reachability analysis also requires a set $U$ to store unexplored markings, similar to the set $U$ used in generate RS in Section 2. However, in the current setting, $U$ only has to store integer pairs instead of complete marking vectors.

Let $(x^0_H, x^0_L)$ be the number of the initial marking; then $r[x^0_H](x^0_L)$ is initialized with 1, and all remaining vector components are 0. Additionally, $U$ is initialized with $\{(x^0_H, x^0_L)\}$. Then the following algorithm is used to determine the reachable markings. Here $x_j$ denotes the $j$-th digit of $x_L$, i.e., the number of the $LN_j$ marking, and $u_j(x_H) = \prod_{i=j+1}^{J} n_i(x^i_H)$ is the weight of that digit in the mixed radix number $x_L$.

    generate structured RS (PN)
    while (U ≠ ∅) do
        remove (x_H, x_L) from U;
        // internal transitions: the HN marking stays x_H, only digit j of x_L changes
        for j = 1 to J do
            for all y_j with Q^j_l[x^j_H, x^j_H](x_j, y_j) = 1 do
                y_L = x_L + (y_j − x_j) · u_j(x_H);
                if r[x_H](y_L) = 0 then
                    r[x_H](y_L) = 1;  U = U ∪ {(x_H, y_L)};
        // synchronized transitions: the HN marking changes from x_H to y_H; the
        // successor number y_L is assembled digit by digit with the weights u_j(y_H)
        // of the new HN marking, since n_j(y^j_H) may differ from n_j(x^j_H)
        for all y_H with Q_H(x_H, y_H) ≠ ∅ do
            for all t ∈ Q_H(x_H, y_H) do
                y_L = 0;
                for j = 1 to J do
                    if t ∉ T_j then
                        y_j = x_j;                                         // LN_j is not touched by t
                    else if y_j with Q^j_t[x^j_H, y^j_H](x_j, y_j) = 1 exists then   (*)
                        take this y_j;
                    else
                        y_L = −1 and break;                                // LN_j does not enable t
                    y_L = y_L + y_j · u_j(y_H);
                if y_L ≥ 0 then
                    if r[y_H](y_L) = 0 then
                        r[y_H](y_L) = 1;  U = U ∪ {(y_H, y_L)};
    end

Note that the order in which elements are inserted into and removed from $U$ makes this algorithm perform DFS or BFS. In the step indicated by (*), the algorithm exploits the fact that firing transition $t$ always yields a unique successor marking; therefore, each row of a matrix $Q^i_t$ contains at most one nonzero element. The approach can easily be extended to PNs in which different successor markings are possible; this situation occurs in stochastic nets in which probabilistic output bags for transitions are allowed. Since the algorithm computes all successor markings of reachable markings, it is straightforward to prove that generate structured RS generates $RS(PN)$ and terminates when $RS(PN)$ is finite, as is the case here, since $RS_H(PNs)$ is assumed to be finite.
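The following Python program is an added example, not the authors' implementation: it runs the algorithm above on a small model constructed for this purpose (two LNs under an HN with two markings, chosen so that $RS_H(PNs)$ contains markings that are not reachable). Matrices are stored sparsely: a row of $Q^j_l$ is the list of its non-zero columns, a row of the $Q^j_t$ of a synchronized transition is its single non-zero column, and the HN graph $Q_H(x_H, y_H)$ is the list of synchronized transitions on that arc. In this constructed model the macromarking of an LN is identified with the HN marking number, and every synchronized transition belongs to both LNs, so $Q^j_t$ can be keyed by $(t, j)$ alone; both are simplifications of the example, not of the algorithm.

```python
"""generate structured RS on a constructed two-level model.

Added example; it is not the authors' implementation. MODEL is constructed
by hand: two low-level nets LN_1, LN_2 under a high-level net with markings
0 and 1, built so that RS_H(PNs) contains two markings that are unreachable.
"""
from collections import deque
from math import prod

MODEL = {
    # n[x_H][j] = n_j(x^j_H): number of markings of LN j for HN marking x_H
    "n": {0: [2, 3], 1: [2, 2]},
    # internal transitions Q^j_l[x^j_H, x^j_H], keyed by (x_H, j):
    # local marking -> list of successor local markings
    "Ql": {(0, 0): {0: [1]}, (0, 1): {0: [1], 1: [2]}, (1, 0): {}, (1, 1): {}},
    # HN reachability graph: Q_H(x_H, y_H) = synchronized transitions on the arc
    "QH": {(0, 1): ["s", "s2"], (1, 0): ["r", "r2"]},
    # the LNs a synchronized transition belongs to (t in T_j)
    "parts": {"s": {0, 1}, "s2": {0, 1}, "r": {0, 1}, "r2": {0, 1}},
    # Q^j_t[x^j_H, y^j_H] keyed by (t, j): local marking -> unique successor
    # (each t connects one HN pair here, so the macromarking pair is implied)
    "Qt": {("s", 0): {1: 0}, ("s", 1): {2: 0},
           ("s2", 0): {0: 1}, ("s2", 1): {0: 1},
           ("r", 0): {0: 0}, ("r", 1): {0: 0},
           ("r2", 0): {1: 0}, ("r2", 1): {1: 0}},
    "init": (0, 0),  # (x_H, x_L) of the initial marking
}


def weights(n_row):
    """u_j = prod_{i>j} n_i: weight of digit j in the mixed-radix number x_L."""
    u = [1] * len(n_row)
    for j in range(len(n_row) - 2, -1, -1):
        u[j] = u[j + 1] * n_row[j + 1]
    return u


def digits(xL, n_row):
    """Digits (x_1, ..., x_J) of x_L, i.e. the numbers of the LN markings."""
    u = weights(n_row)
    return [(xL // u[j]) % n_row[j] for j in range(len(n_row))]


def generate_structured_rs(model, bfs=True):
    n, Ql, QH = model["n"], model["Ql"], model["QH"]
    parts, Qt = model["parts"], model["Qt"]
    J = len(n[model["init"][0]])
    # r[x_H]: Boolean vector of length n(x_H) = prod_j n_j(x^j_H)
    r = {xH: [0] * prod(row) for xH, row in n.items()}
    xH0, xL0 = model["init"]
    r[xH0][xL0] = 1
    U = deque([(xH0, xL0)])
    while U:
        xH, xL = U.popleft() if bfs else U.pop()   # BFS or DFS
        xs, u = digits(xL, n[xH]), weights(n[xH])
        # internal transitions: HN marking unchanged, exactly one digit changes
        for j in range(J):
            for yj in Ql.get((xH, j), {}).get(xs[j], []):
                yL = xL + (yj - xs[j]) * u[j]
                if not r[xH][yL]:
                    r[xH][yL] = 1
                    U.append((xH, yL))
        # synchronized transitions: new HN marking y_H, every part must enable t
        for (aH, yH), ts in QH.items():
            if aH != xH:
                continue
            uy = weights(n[yH])
            for t in ts:
                yL = 0
                for j in range(J):
                    if j in parts[t]:
                        yj = Qt[(t, j)].get(xs[j])   # (*) at most one successor per row
                        if yj is None:               # LN j does not enable t
                            yL = -1
                            break
                    else:
                        yj = xs[j]                   # LN j untouched by t
                    yL += yj * uy[j]
                if yL >= 0 and not r[yH][yL]:
                    r[yH][yL] = 1
                    U.append((yH, yL))
    return r


def reachable_count(r):
    return sum(map(sum, r.values()))


def hierarchical_count(model):
    """|RS_H(PNs)| = sum_x prod_j n_j(x^j), Eq. (8)."""
    return sum(prod(row) for row in model["n"].values())


def unreachable_markings(model, r):
    """Markings of RS_H(PNs) minus RS(PNs) as (x_H, [x_1, ..., x_J])."""
    return [(xH, digits(xL, model["n"][xH]))
            for xH, vec in r.items() for xL, bit in enumerate(vec) if not bit]


if __name__ == "__main__":
    r = generate_structured_rs(MODEL)
    print(reachable_count(r), "of", hierarchical_count(MODEL), "markings reachable")
    print("unreachable:", unreachable_markings(MODEL, r))
```

In the constructed model HN marking 1 is entered only at the LN marking pairs $(0, 0)$ (via `s`) and $(1, 1)$ (via `s2`) and has no internal transitions, so the pairs $(0, 1)$ and $(1, 0)$ exist in the product $RS(1, 1) \times RS(2, 1)$ but are never reached; the run reports 8 of 10 markings reachable, which is exactly the situation of the 16 unreachable markings in Example 5.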

The remaining point is the comparison of generate structured RS with generate RS (from Section 2). As before, we assume that the reachability set contains $n$ markings and that on average $d$ transitions are enabled in each marking. The theoretical time complexity of generate RS is $O(nd \log_2 n)$ if the insert and member operations on RS take $\log_2 n$ steps. The complexity of generate structured RS is $O(nd)$, since the Boolean vectors allow us to test in $O(1)$ whether a marking has been reached before. Additionally, the constants behind the asymptotic complexity are much lower for generate structured RS, because all of its operations are simple integer operations, while several operations of generate RS are time-consuming. For example, if a new marking $M$ is found in generate RS, a data structure to hold $M$ has to be allocated and inserted into the data structure storing the already generated markings; since this data structure is usually a tree, pointers have to be modified. In generate structured RS the same operation only requires setting a bit in vector $r$. Thus, we can usually expect an improvement of run times of about two orders of magnitude for large reachability sets. However, to apply generate structured RS, PN has to be decomposed, and then the reachability sets and matrices for the subnets have to be generated. The complexity of both problems is, for large nets, much lower than that of reachability analysis, as can also be seen in the example presented below.

In addition to time complexity, we must also compare space complexity. Of course, the difference in memory requirements depends on the concrete example. However, if the net has been decomposed into LNs with roughly identically sized reachability sets, and the sizes of $RS_H(PNs)$ and $RS(PN)$ do not differ too much (i.e., not by several orders of magnitude), then Eq. (8) assures that the size of the LN/HN reachability sets and matrices is negligible compared to the size of the complete reachability set and graph. Experience shows that the approach allows us to handle much larger reachability sets. An additional advantage of generate structured RS is that secondary memory can be used very efficiently: since vector $r$ is structured into subvectors, and successor markings are computed consecutively for subvectors, it is possible to preload the required subvectors from secondary memory.

After the reachability set has been computed by setting the values in vector $r$, it is possible to decide in $O(1)$ whether a marking is reachable or not. Furthermore, all successor markings of a marking can be computed from the Kronecker representation in constant time for local transitions and in time at most linear in the number of subnets for the other transitions. Since the Kronecker representation records which transition yields which successor, even the successors reachable by a specific transition can be computed. Based on these basic steps, standard algorithms for model checking can be applied [20].

Example 6. The size of the running example is so small that it is useless to compare runtimes for reachability graph generation. Instead we briefly consider the unreachable markings that appear in the hierarchical representation. As already mentioned, $RS_H$ contains 270 markings, but only 254 of them are reachable. As an example of unreachable markings we consider markings of the form $(0, 1, 1, 2, 0, 0, 2, *, *, *)$, where the vector gives the number of tokens on the places $p_1$ to $p_{10}$ and the first seven entries (places $p_1$ to $p_7$) are fixed. For the places $p_8$ to $p_{10}$ we now consider the possible markings. All three places are part of a P-invariant such that the sum of tokens on these places must equal 2. The hierarchically generated reachability set includes all possible distributions of 2 tokens over the places $p_8$ to $p_{10}$. However, reachability analysis shows that only those markings are reachable in which place $p_{10}$ is empty.

The reason for this restriction can be understood by considering the behavior of the net in some more detail. A token on $p_{10}$ implies that $t_5$ fired after $t_4$. But since $p_6$ is empty, $t_3$ fired after $t_5$ and, since $p_2$ is non-empty, $t_1$ and $t_2$ also fired after $t_5$. Now, after $t_2$ fired, there is a token on $p_5$ that must be transferred to $p_4$ by a firing of $t_4$. This means that $t_4$ fired after $t_5$, and hence $p_{10}$ has to be empty.

The restriction that assures that $p_{10}$ is empty when the marking of the places $p_1$ to $p_7$ is as shown above is a global restriction that depends on the whole net. Therefore, it is not visible in an isolated part, and the above-mentioned markings appear in $RS_H$; reachability analysis shows that they are not reachable and are not part of RS.

Two further optimizations can be used to improve generate structured RS.

7.1. First optimization

As noticed in [32], certain unnecessary interleavings due to internal transitions can be eliminated. The idea is that local transitions in different LNs do not interfere with each other. If $t_1 \in LT_i$ and $t_2 \in LT_j$ with $i \neq j$ are both enabled in some marking, then the sequences $t_1 t_2$ and $t_2 t_1$ are both possible and yield the same successor marking. Consequently, it is only necessary to consider one of the two sequences. More generally, for a set $T' = \{t_1, \ldots, t_q\}$ of local transitions that all belong to different LNs and are enabled in some marking, only those transition sequences need to be considered that consist of a subset of $T'$ with the transitions occurring in the order given by $T'$. This reduces the number of interleavings that have to be considered during reachability analysis from

$$\sum_{l=1}^{q} \binom{q}{l}\, l! \qquad\text{to}\qquad \sum_{l=1}^{q} \binom{q}{l},$$

and thereby reduces the time complexity of reachability analysis.

7.2. Second optimization

In [6] an approach is discussed that reduces time and space complexity. The idea is to reduce a priori the marking sets of the LNs by combining markings that are always either both reachable or both unreachable. As a simple example consider two markings $x, y \in RS(i)$ and a pair of transitions $t, t' \in LT_i$. If $t$ is enabled in $x$ and its firing yields $y$, and $t'$ is enabled in $y$ and its firing yields $x$, then $x$ is reachable whenever $y$ is reachable and vice versa. We call this identical reachability of markings. Obviously, identical reachability holds for all markings in an irreducible subset, i.e., a strongly connected component, of the graph described by a mat
rix $Q^i_l[x, x]$. In [6] it is shown that this condition can be further relaxed; however, this extension is beyond the scope of this paper. Markings that are identically reachable can be aggregated a priori. Aggregation in this case means that a set of identically reachable markings is replaced by a single aggregate marking such that all transitions entering or leaving one marking in the subset are replaced by transitions entering/leaving the aggregate marking, and transitions between markings in the subset are replaced by transitions starting and ending in the aggregate marking. These transformations are easily performed by adding (Boolean or) within the matrices $Q^i_t$ all rows and all columns that belong to the markings of the subset to be aggregated. The sizes of $RS(i)$ and $RG(i)$ are reduced by this aggregation, which implies that the size of $RS_H(PNs)$ and the effort for reachability analysis are also reduced. After reachability analysis we know for each aggregate marking whether it is reachable or not; from this we can directly conclude the reachability of all detailed markings that an aggregate marking represents.
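As an added example (not the paper's code), the following Python functions perform this aggregation on a constructed local matrix: the identically reachable classes are the strongly connected components of the internal-transition graph $Q^i_l[x, x]$, and aggregation is the Boolean or of the rows and columns of each class, applied to $Q^i_l[x, x]$ itself and to the matrices $Q^i_t[x, y]$ of the synchronized transitions leaving the block. `QL` and `QT` are constructed for the example, and the classes of the target macromarking $y$ are assumed to be trivial (no aggregation on that side).

```python
"""A priori aggregation of identically reachable local markings (Sect. 7.2).

Added example, not the paper's implementation. Local markings in one
strongly connected component of the internal-transition graph are reachable
together or not at all, so each component becomes one aggregate marking and
the rows/columns of every local matrix that belong to it are or-ed together.
"""


def successors(M):
    """Successor lists of the graph whose Boolean adjacency matrix is M."""
    return [[y for y, v in enumerate(row) if v] for row in M]


def reach_sets(succ):
    """reach_sets(succ)[x] = set of markings reachable from x (x included)."""
    out = []
    for s in range(len(succ)):
        seen, stack = {s}, [s]
        while stack:
            v = stack.pop()
            for w in succ[v]:
                if w not in seen:
                    seen.add(w)
                    stack.append(w)
        out.append(seen)
    return out


def identical_reachability_classes(Ql):
    """Partition of the local markings: x ~ y iff x reaches y and y reaches x
    by internal transitions. Returns (class id per marking, number of classes).
    Quadratic in the number of local markings, adequate for small LN blocks."""
    R = reach_sets(successors(Ql))
    comp = [-1] * len(Ql)
    k = 0
    for x in range(len(Ql)):
        if comp[x] == -1:
            for y in range(x, len(Ql)):
                if y in R[x] and x in R[y]:
                    comp[y] = k
            k += 1
    return comp, k


def aggregate(M, row_classes, k_rows, col_classes, k_cols):
    """Collapse Boolean matrix M: or together all rows (columns) whose markings
    share a class. Works for Q^i_l[x, x] (square) and Q^i_t[x, y] (rectangular)."""
    A = [[0] * k_cols for _ in range(k_rows)]
    for x, row in enumerate(M):
        for y, v in enumerate(row):
            if v:
                A[row_classes[x]][col_classes[y]] = 1
    return A


def aggregate_local_net(Ql, sync_mats):
    """Aggregate one (LN i, macromarking x) block: Ql and every Q^i_t[x, y]
    leaving it. sync_mats maps a transition name to (matrix, column classes,
    number of column classes) of the target macromarking y."""
    comp, k = identical_reachability_classes(Ql)
    Ql_agg = aggregate(Ql, comp, k, comp, k)
    sync_agg = {name: aggregate(M, comp, k, cc, kc)
                for name, (M, cc, kc) in sync_mats.items()}
    return comp, Ql_agg, sync_agg


# Constructed Q^i_l[x, x] for five local markings 0..4:
# 0 <-> 1 (cycle), 1 -> 2, 2 <-> 3 (cycle), 4 isolated.
QL = [
    [0, 1, 0, 0, 0],
    [1, 0, 1, 0, 0],
    [0, 0, 0, 1, 0],
    [0, 0, 1, 0, 0],
    [0, 0, 0, 0, 0],
]
# Constructed Q^i_t[x, y] of a synchronized transition t leaving x for a
# macromarking y with 3 markings: fires from local 1 (to 0) and local 3 (to 2).
QT = [
    [0, 0, 0],
    [1, 0, 0],
    [0, 0, 0],
    [0, 0, 1],
    [0, 0, 0],
]
TARGET_CLASSES = ([0, 1, 2], 3)   # target macromarking: assumed not aggregated

if __name__ == "__main__":
    comp, ql_agg, sync_agg = aggregate_local_net(QL, {"t": (QT, *TARGET_CLASSES)})
    print("classes:", comp)
    print("Q_l aggregated:", ql_agg)
    print("Q_t aggregated:", sync_agg["t"])
```

The five local markings collapse to three aggregate markings $\{0,1\}$, $\{2,3\}$, $\{4\}$; the aggregated $Q^i_l$ acquires self-loops for the transitions inside a class, which is harmless for reachability, and the aggregated $Q^i_t$ still records that $t$ leaves class $\{0,1\}$ for target marking 0 and class $\{2,3\}$ for target marking 2.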

Both optimizations depend on the net that is considered. However, for most nets, theeffort for reachability analysis can be reduced significantly.

The analysis described in this section is based on the representation of the complete reachability set/graph. Several analysis methods are known that reduce the size of $RS(PN)$ and $RG(PN)$ and still allow properties to be proved on the reduced system that hold for the original system. Most of these reduction techniques are based on equivalences and congruences for compositional models (e.g., in process algebras). The idea is to replace a component with an "equivalent" but less complex component before composition, as described above for the second optimization with a specific equivalence relation. It is beyond the scope of this paper to discuss equivalence reduction in the context of Kronecker algebra. However, as outlined in [4] and shown in the context of stochastic systems in [5], Kronecker representations are a very convenient way to integrate reductions due to equivalences. If an equivalent representation for an LN can be found at the net level or at the matrix level, then the matrices that describe the equivalent system can be used instead of the original matrices for the LN in the Kronecker representation, yielding a reduced representation of $RG(PN)$. Depending on the equivalence relation that is applied, different properties can be proved or disproved on the reduced RG instead of the original RG. For the computation of bisimulation-like equivalences and the reduction of LN matrices with respect to such equivalences, we refer to [5, 11].

8. An application example

The running example we have considered so far is only useful for illustrating formal concepts. In order to demonstrate the applicability of our approach, we consider the production cell of [33], which has been modeled and analyzed with a variety of tools and is known to be non-trivial. The production cell model originates from an existing production cell in an industrial setting that physically consists of six components: an elevating rotary table, two arms of a robot, a traveling crane, and two conveyor belts. The production cell transports and processes metal plates in a (cyclic) pipeline. A feeding conveyor belt transports metal plates to the elevating table; the table lifts the plates for the robot. The robot has two extendable arms; it uses one to take plates from the table and to insert them into the press. After the plates have been pressed, the robot removes them from the press with its second arm and puts them onto the second conveyor belt. Originally plates leave the system via the second belt, but in order to obtain a closed system, the crane is installed to move plates from the second belt onto the feeding belt, such that the number of plates within the system is constant. Thanks to the work of Heiner et al. [26, 27], a Petri net model exists that considers the processing of 5 plates. Refinement is used to organize a model of this size; however, the dynamic behavior of the model is not defined unless all refined subnets are available in full detail. This kind of hierarchy is very common for modeling purposes, but useless in terms of analysis. Hence, our analysis starts from a flat Place/Transition net with 231 places and 202 transitions (see note 4). From [27] it is known that the net is live and 1-bounded. The reachability set contains 1,657,242 markings, and the reachability graph contains 6,746,379 transitions.

The algorithm to derive a hierarchy starts from a partition into minimal regions and considers a sequence of transitions $s$ that starts with the transitions that are internal to a region (which is the case for 74 transitions in our example). After this initial phase, it selects transitions that connect regions, in an order that prefers transitions connecting small regions. Figure 7 shows how the total number of regions decreases once the initial phase has finished. On the other hand, the number of non-trivial regions initially increases, since the algorithm prefers small regions, and finally decreases when there are no trivial regions left and non-trivial regions are merged. Table 1 indicates the influence of $s$ on the hierarchical representation of RS; it gives the number of regions (in total and non-trivial), the number of aggregated places $P_{agg}$, the cardinalities of the hierarchical reachability set $RS_H$ and of the reachability set of the high-level net $RS(HN)$, and the maximal number of markings observed in a low-level net. The quality of the whole construction is shown in column "percent RS(PN)", which gives the reachable fraction of $RS_H$. Table 2 gives the corresponding computation times in seconds for the computation of the two-level hierarchy as a net (column "gen hierarchy"), as a hierarchical Kronecker structure (column "gen kron"), and for the subsequent computation of the reachability set $RS(PN)$ contained in $RS_H(PNs)$ (column "gen struct RS"); times are given as CPU time and user (wall clock) time. These times have been observed on an Intel Pentium III PC with a 500 MHz CPU and 256 MB main memory running Linux. Obviously, computation times are uncritical as long as the number of aggregated places does not explode.


Figure 7. Total number of regions, number of non-trivial regions.

It is worth mentioning that it takes about 20 seconds to generate the complete reachability set and reachability graph and to represent them in a very space-efficient way. About 6 Megabytes of memory are necessary to generate and represent RG and RS. These values are excellent compared to conventional RG generation algorithms. In [26] the same model has been analyzed on a workstation using different PN analysis tools; RG generation with the tool PROD needs about 14 hours (see [26]). The small runtimes and storage requirements show that much larger systems can be handled with the approach. We have also analyzed an open version of the production cell for which other tools were not able to generate RS (see [26]). For this version, our method needs about 23 seconds real time to generate RS with 2,776,936 markings and RG with 13,152,132 arcs.

Table 1. Hierarchical representation for sequence s.

    |s|   regions   regions         P_agg   |RS_H|      |RS(HN)|   max |RS(j)|   percent RS(PN)
          (total)   (non-trivial)
    108   10         9              137     10389356    3298       631           15.95
    109    9         8              148     10389356    3225       631           15.95
    110    8         8              396      8182196    2109       631           20.25
    111    7         7              397      4860218    1414       631           34.10
    112    6         6              430      4860218    1361       631           34.10
    113    5         5              511      4860218    1303       631           34.10

Table 2. Computation characteristics for sequence s (times in seconds; CPU time and user (wall clock) time).

          gen hierarchy    gen kron        gen struct RS
    |s|   CPU     user     CPU     user    CPU      user
    108   0.05    1.0      2.26    2.0     19.82    23.0
    109   0.07    1.0      2.32    3.0     17.18    18.0
    110   0.32    1.0      4.37    5.0     17.13    17.0
    111   0.31    1.0      3.62    4.0     15.16    18.0
    112   0.34    1.0      3.68    4.0     13.35    15.0
    113   0.40    1.0      4.48    4.0     12.59    14.0

Figure 8. Number of aggregated places, number of non-trivial regions.

As already noticed in [27], the computation of a generating set of semi-positive P-invariants is difficult for this net. Our approach is closely related to invariant computation: if we compute an extended net for a sequence that covers all transitions in $T$, we obtain a generating set of P-invariants as well. However, this extreme is not suitable, and we consider only a subset of the transitions in order to retain some activity in the HN. From a pragmatic point of view, the approach allows us to consider those transitions that can be handled with acceptable computational costs and to stop the derivation of a hierarchy if it becomes too expensive. Figure 8 clearly indicates that a careful selection of transitions can avoid high computational costs. However, there is a sharp increase after 108 steps, and the hierarchy derivation stops after 113 steps. For a P-invariant computation, 202 steps would be necessary; hence, Figure 8 also illustrates the difficulties of invariant computation observed in [27]. According to the results in Table 1, the number of regions and a limit for the number of aggregated places are suitable parameters to stop the automatic hierarchy generation when it makes sense.

9. Conclusions

We have proposed a new approach for the efficient generation and compact representation of reachability sets and graphs of large PNs. In contrast to approaches based on reduction or symmetries, as in [15, 31, 39, 45, 46], the technique yields the full RS and RG. It can be applied to general nets without any user-defined structure, such as is required in [4, 11, 18, 19, 32]. The structuring of the PN into asynchronously interacting regions is done automatically by an algorithm that uses a basic step related to invariant computation to make a transition internal to a region. The algorithm considers a sequence of distinct transitions that can be arbitrary in principle. For our implementation we use some heuristic rules in order to structure a net into regions of approximately the same size. The algorithm stops once a user-given number of regions has been obtained. The idea is to divide the complexity equally among HN and LNs, which is most efficient if neither HN nor any LN is too complex or too simple. For nets covered by P-invariants, termination is guaranteed; however, we cannot ensure termination for general PNs. The problem is that the reachability set of some part, HN or an LN, can become unbounded even if the reachability set of the complete net is bounded. This problem cannot occur for nets that are covered by P-invariants.

The non-trivial example considered in this paper illustrates our experience with the algorithm exercised on a set of examples. The new approach allows the time- and space-efficient generation and representation of huge reachability sets and graphs. This is, of course, a step towards the analysis of complex PNs. The algorithm is implemented and integrated into a toolbox around a common file format for Petri nets [2, 10]. This toolbox includes algorithms for LTL and CTL model-checking that use the compact matrix representation. Experience shows that this realization of model-checking algorithms allows the efficient analysis of very large reachability sets. Additionally, our approach naturally extends to stochastic models [9]; the resulting Kronecker representation can be used for the efficient analysis of SPNs using numerical analysis techniques. For an overview of these techniques, we refer to [7]. The present approach does not use behavior-preserving reductions; however, once a hierarchical structure is obtained, we foresee that it will be useful to employ behavior-preserving reduction according to some bisimulation-type equivalences in order to analyze larger and larger models.

Notes

1. A slightly extended version catches infinite RS; see coverability graph construction in the PN literature.

2. We do not consider here the OBDD techniques, which have different characteristics, complexities, and limitations.

3. Minimal regions coincide with the equivalence relation of the conflict relation [43].

4. We thank J. Spranger for translating the model into the APNN format [2] used in our implementation.

References

1. S. Allmaier, M. Kowarschik, and G. Horton, “State space construction and steady state solution of GSPNs on a shared-memory multiprocessor,” in Proc. 7th Int. Workshop on Petri Nets and Performance Models (PNPM’97), IEEE CS Press, 1997, pp. 112–121.

2. F. Bause, P. Kemper, and P. Kritzinger, “Abstract Petri net notation,” Petri Net Newsletter, Vol. 49, pp. 9–27, 1995.

3. G. Berthelot, “Transformation and decomposition of nets,” in G. Rozenberg (Ed.), Advances in Petri Nets 85, Springer, 1986, LNCS, Vol. 254.

4. P. Buchholz, “Hierarchical high level Petri nets for complex system analysis,” in R. Valette (Ed.), Application and Theory of Petri Nets, Springer, 1994, pp. 119–138, LNCS, Vol. 815.


5. P. Buchholz, “Markovian process algebra: Composition and equivalence,” in U. Herzog and M. Rettelbach (Eds.), Proc. 2nd Workshop on Process Algebras and Performance Modelling, Arbeitsberichte des IMMD, Vol. 27, No. 4, pp. 11–30, 1994.

6. P. Buchholz, “Hierarchical structuring of superposed GSPNs,” IEEE Trans. on Softw. Eng., Vol. 25, No. 2, pp. 81–90, 1999.

7. P. Buchholz, “Structured analysis approaches for large Markov chains,” Applied Numerical Mathematics, Vol. 31, No. 4, pp. 375–404, 1999.

8. P. Buchholz and P. Kemper, “Hierarchical reachability graph generation for Petri nets,” Forschungsbericht Nr. 660 des Fachbereichs Informatik der Universität Dortmund (Germany), 1997.

9. P. Buchholz and P. Kemper, “On generating a hierarchy for GSPN analysis,” ACM Performance Evaluation Review, Vol. 26, No. 2, pp. 5–14, 1998.

10. P. Buchholz and P. Kemper, “A toolbox for the analysis of discrete event dynamic systems,” in N. Halbwachs and D. Peled (Eds.), Computer Aided Verification (CAV’99), Springer, 1999, pp. 483–486, LNCS, Vol. 1633.

11. P. Buchholz and P. Kemper, “Efficient computation and representation of large reachability sets for composed automata,” in R. Boel and G. Stremersch (Eds.), Discrete Event Systems Analysis and Control, Kluwer Academic, 2000, pp. 49–56.

12. J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill, and J. Hwang, “Symbolic model checking: 10^20 states and beyond,” in Proc. 5th Annual Symposium on Logic in Computer Science, June 1990.

13. J. Campos, S. Donatelli, and J. Silva, “Structured solution of asynchronously communicating stochastic modules,” IEEE Trans. on Softw. Eng., Vol. 25, No. 2, pp. 147–165, 1999.

14. S. Caselli, G. Conte, and P. Marenzoni, “Parallel state space exploration for GSPN models,” in G. De Michelis and M. Diaz (Eds.), Application and Theory of Petri Nets 1995, Springer, 1995, pp. 181–200, LNCS, Vol. 935.

15. G. Chiola, C. Dutheillet, G. Franceschini, and S. Haddad, “A symbolic reachability graph for coloured Petri nets,” Theoretical Computer Science, Vol. 176, pp. 39–65, 1997.

16. G. Chiola and A. Ferscha, “Distributed simulation of Petri nets,” IEEE Parallel and Distributed Technology, Vol. 1, pp. 33–50, 1993.

17. S. Christensen and L. Petrucci, “Modular state space analysis of coloured Petri nets,” in G. De Michelis and M. Diaz (Eds.), Application and Theory of Petri Nets, Springer, 1995, pp. 201–217, LNCS, Vol. 935.

18. G. Ciardo, G. Luettgen, and R. Siminiceanu, “Saturation: An efficient iteration strategy for symbolic state-space generation,” in T. Margaria and W. Yi (Eds.), Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2001), Springer, 2001, pp. 328–342, LNCS, Vol. 2031.

19. G. Ciardo and A.S. Miner, “Storage alternatives for large structured state spaces,” in R. Marie, B. Plateau, M. Calzarossa, and G. Rubino (Eds.), Proc. 9th Int. Conf. Modelling Techniques and Tools for Computer Performance Evaluation, St. Malo, France, 1997, Springer, 1997, pp. 44–57, LNCS, Vol. 1245.

20. E.M. Clarke, E.A. Emerson, and A.P. Sistla, “Automatic verification of finite-state concurrent systems using temporal logic specifications,” ACM Transactions on Programming Languages and Systems, Vol. 8, No. 2, pp. 244–263, 1986.

21. R. Cleaveland, J. Parrow, and B. Steffen, “The concurrency workbench: A semantics based tool for the verification of concurrent systems,” ACM Transactions on Programming Languages and Systems, Vol. 15, No. 1, pp. 36–72, 1993.

22. M. Davio, “Kronecker products and shuffle algebra,” IEEE Trans. on Comp., Vol. 30, pp. 116–125, 1981.

23. S. Donatelli, “Superposed generalized stochastic Petri nets: Definition and efficient solution,” in R. Valette (Ed.), Application and Theory of Petri Nets, Springer, 1994, LNCS, Vol. 815.

24. P. Godefroid and P. Wolper, “Using partial orders for the efficient verification of deadlock freedom and safety properties,” Formal Methods in System Design, Vol. 2, pp. 149–164, 1993.

25. S. Haddad, “A reduction theory for coloured Petri nets,” in G. Rozenberg (Ed.), Advances in Petri Nets 1989, Springer, 1990, pp. 209–235, LNCS, Vol. 424.

26. M. Heiner and P. Deusen, “Petri net based design and analysis of reactive systems,” in Proc. 3rd Workshop on Discrete Event Systems (WoDES’96), pp. 308–313.

27. M. Heiner, P. Deussen, and J. Spranger, “A case study in developing control software on manufacturing systems,” in M. Silva, R. Valette, and K. Takahashi (Eds.), Workshop on Manufacturing and Petri nets, within 17th Int. Conf. Application and Theory of Petri Nets, Osaka, Japan, 1996.


28. G.J. Holzmann, “On limits and possibilities of automated protocol analysis,” in Proc. 7th Int. Workshop Protocol Specification, Testing and Verification, North Holland, 1987.

29. G.J. Holzmann, “An analysis of bitstate hashing,” in Proc. 15th Int. Symp. Protocol Specification, Testing and Verification, IFIP, Chapman & Hall, 1995.

30. K. Jensen, “Coloured Petri nets and the invariant method,” Theor. Comp. Sci., Vol. 14, pp. 317–336, 1981.

31. K. Jensen, Coloured Petri Nets, Vol. 1, EATCS Monographs, Springer, 1992.

32. P. Kemper, “Reachability analysis based on structured representations,” in J. Billington and W. Reisig (Eds.), Application and Theory of Petri Nets 1996, Springer, 1996, pp. 269–288, LNCS, Vol. 1091.

33. C. Lewerentz and T. Lindner (Eds.), Formal Development of Reactive Systems, Springer, 1995, LNCS, Vol. 891.

34. P. Marenzoni, S. Caselli, and G. Conte, “Analysis of large GSPN models: A distributed solution tool,” in Proc. 7th Int. Workshop on Petri Nets and Performance Models (PNPM’97), IEEE CS Press, 1997, pp. 122–131.

35. J. Martinez and M. Silva, “A simple and fast algorithm to obtain all invariants of a generalized Petri net,” in Application and Theory of Petri Nets 1981, Springer, IFB 52, 1981.

36. R. Milner, Communication and Concurrency, Prentice Hall, 1989.

37. T. Murata, “Petri nets: Properties, analysis and applications,” Proc. of the IEEE, Vol. 77, pp. 541–580, 1989.

38. D. Nicol and G. Ciardo, “Automated parallelization of discrete state-space generation,” Journal of Parallel and Distributed Computing, Vol. 47, pp. 153–167, 1997.

39. M. Notomi and T. Murata, “Hierarchical reachability graph generation of bounded Petri nets for concurrent-software analysis,” IEEE Trans. on Softw. Eng., Vol. 20, pp. 325–336, 1994.

40. E. Pastor, O. Roig, J. Cortadella, and R.M. Badia, “Petri net analysis using Boolean manipulation,” in R. Valette (Ed.), Application and Theory of Petri Nets 1994, Springer, 1994, LNCS, Vol. 815.

41. L. Pomello, G. Rozenberg, and C. Simone, “A survey of equivalence relations for net based systems,” in G. Rozenberg (Ed.), Advances in Petri Nets 1992, Springer, 1992, pp. 410–472, LNCS, Vol. 609.

42. Proc. 7th Int. Workshop on Petri Nets and Performance Models (PNPM’97), IEEE CS Press, 1997.

43. L. Recalde, E. Teruel, and M. Silva, “{SC}∗ECS: A class of modular and hierarchical cooperating systems,” in J. Billington and W. Reisig (Eds.), Application and Theory of Petri Nets 1996, Springer, 1996, pp. 440–459, LNCS, Vol. 1091.

44. R. Valette (Ed.), Application and Theory of Petri Nets, Springer, 1994, LNCS, Vol. 815.

45. A. Valmari, “Compositional analysis with place bordered subnets,” in R. Valette (Ed.), Application and Theory of Petri Nets, Springer, 1994, pp. 531–547, LNCS, Vol. 815.

46. A. Valmari, “State of the art report: Stubborn sets,” Petri Net Newsletter, Vol. 46, pp. 6–14, 1994.

47. P. Wolper and D. Leroy, “Reliable hashing without collision detection,” in 5th Int. Conf. Computer Aided Verification, Elounda, Greece, 1993.