t1 p2 [Starke 95] · t1 p2 p1 p3 dependability engineering with time- dependent Petri nets June...
Transcript of t1 p2 [Starke 95] · t1 p2 p1 p3 dependability engineering with time- dependent Petri nets June...
dependability engineering with time-dependent Petri nets Juni 2004
D:\mh\docs\lv\pn\pn_skript\nl13_time.sld.fm 13 - 1 / 41
DEPENDABILITY ENGINEERING
WITH TIME-DEPENDENT
PETRI NETS
(“THE PROBLEM IS CHOICE”)
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 2 / 41
CONTENTS
❑ motivation
❑ time-dependent Petri netsoverviewinfluence of time on qualitative propertieszero test
❑ worst-case evaluation with duration interval netscounter examplestructural compression of well-formed net partsnon-well-formed, but 1-bounded, acyclic, ...general procedure
❑ safety analysis with interval netsunreachability of explicit error statesexample - concurrent pushers
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 3 / 41
MODEL
CLASSES
context checking byPetri net theory
verification bytemporal logics
performanceprediction
reliabilityprediction
PETRI NETS
PLACE/TRANSITION
(COLOURED PN)
TIME-DEPENDENT PN
NON-STOCHASTIC
STOCHASTIC
PETRI NET
PETRI NET
PETRI NET
worst-caseevaluation
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 4 / 41
WHICH KIND OF
TIME MODEL? (1)
❑ atomic sequential program parts -> transitions
-> time assigned to transitions
❑ as simple as possible
-> timed nets, [Ramchandani 74]
-> duration nets (D nets, DPN)
❑ duration nets
-> constant times assigned to transitions
-> token reservation
-> firing consumes time
after a or b time units
begin offiring
end offiring,
<a>
<b>
<a>
<b>
<a>
<b>
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 5 / 41
IMMEDIATE
TRANSITIONS
❑ zero (insignificant) time consumption
❑ time deadlocks
❑ time deadlock = state from which
-> no transient state is reachable
-> or: no state is reachable where the system clock is able to advance
❑ infinitely many firings in zero times
❑ inconsistent time constraints !
❑ How to avoid time deadlocks?
-> invariants ?
[Starke 95]
t3t2
t1 p2
p3p1
<0>
<0> <1>
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 6 / 41
HOW TO ANALYSE
DURATION NETS?
❑ time is running
-> change of the fire rule
pn tpnt may fire -> t must firesingle step -> maximal step
❑ special case: duration of all transitions = 1 time unit
-> reachability graph constructionunder the maximal step firing rule
❑ else: transformation into special case
d > 2
d-2
d-2<1>
<1>
<1>
lock
<1><1><1>
<3>
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 7 / 41
THE INFLUENCE OF TIME
EXAMPLE 1 (SYSTEM DEADLOCK),PETRI NET
P2_repeatP1_repeat
P2_downB
P2_upB
P2_downA
P2_upAP1_upB
P1_downB
P1_upA
P1_downA
b5
a1b1
b2
b3
b4
B
a4
a3
a2
A
a5
INA
ORD HOM NBM PUR CSV SCF CON SC Ft0 tF0 Fp0 pF0 MG SM FC EFC ES Y Y Y Y N N Y Y N N N N N N N N Y
DTP SMC SMD SMA CPI CTI B SB REV DSt BSt DTr DCF L LV L&S N Y Y N Y Y Y Y N Y ? N N N N N
different initial marking !
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 8 / 41
EXAMPLE 1SYSTEM DEADLOCK,
MAX STEP RG = RG(DPN)
DSt (pn) -> not DSt (tpn)
a1, b4, A
P1_downA, P2_upB
a2, b5, B
P1_downB, P2_repeat
P1_upB
P1_upA, P2_downB
P1_repeat, P2_downA
P2_upA
a3, b1
a4, b1, B
a5, b2, A
a1, b3
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 9 / 41
EXAMPLE 1SYSTEM DEADLOCK,
REACHABILITY GRAPH
P1_downA
P2_repeat
P2_repeat
P2_repeat
P2_repeat
P1_
P1_upB
P1_upA
P1_
P2_upB
P2_upB
P2_upAP2_downA
P1_upA
P2_downA
P1_downA
P2_upA P2_upB P2_repeat
P2_repeat
P1_repeatP1_repeat
P2_upB
P1_repeat
P2_upA
P1_
P2_downAP2_downB
P1_repeat
P2_downB
P1_
P1_upB
P2_downB
P1_downB
P2_downB
P1_downA
16 14 10
11
1
2
3
4
12
13
15
1
5
1014
9
16
8
17
76
1
5
194
3
17
2
1
18DEAD STATE
19 nodes,32 arcs
downA
downB
repeat
upA
RG (tpn)6 nodes,6 arcs
RG (pn)
INIT STATE
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 10 / 41
THE INFLUENCE OF TIME,EXAMPLE 2
not BND (pn) -> BND (tpn)
not DTr (pn) -> DTr (tpn)
consumer
serviceproducer
C_wait_m2
S_repeat
S_wait_m2
S_wait_m1
P_signal_m2
P_signal_m1
c1
p2
p1
m2
m1
s2
s1
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 11 / 41
EXAMPLE 2,COVERABILITY GRAPH
❑ not BND,simultaneously unbounded in m1 and m2
❑ LIVE
p1, s1, c1, oo, oo
p2, s1, c1, oo, oo
p2, s2, c1, oo, oo
p1, s2, c1, oo, oo
P_signal_m1
P_signal_m2
S_repeat
S_repeat
P_signal_m1
P_signal_m2S_wait_m1
S_wait_m2
S_wait_m1S_wait_m2
C_wait_m2
C_wait_m2
C_wait_m2
C_wait_m2
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 12 / 41
EXAMPLE 2,MAX STEP RG = RG(TPN)
❑ BND,
-> cycle time(p) = 2
-> cycle time (s) = 2
-> cycle time (c) = 1
❑ not LIVE
-> TSCC does not contain S_wait_m2
-> S_wait_m2 is m0-dead
p1, s1, c1
p2, s1, c1, m1
p1, s2, c1, m2
P_signal_m1 P_signal_m2S_repeat
P_signal_m1
C_wait_m2 S_wait_m1
TSCC
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 13 / 41
EXAMPLES,SUMMARY
❑ example 1
-> DSt (pn) -> not DSt (tpn)
❑ example 2
-> not BND (pn) -> BND (tpn)-> not DTr (pn) -> DTr (tpn)
❑ generally
❑ BUT,for Petri net based system validation,we are only interested in the conclusions
PN TPNT → TIME
prop(pn) prop(tpn)
RG (pn) RG (tpn)⊇
prop(pn) prop(tpn)??
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 14 / 41
THE INFLUENCE OF TIME
ON QUALITATIVE PROPERTIES
TIME-INSENSITIVE RESULTS
❑ BND (pn) -> BND (tpn) ✔
❑ not DSt (pn) -> not DSt (tpn) ✔
❑ DTr (pn) -> DTr (tpn) ✔
TIME-SENSITIVE RESULTS
❑ not BND (pn) -> BND (tpn) ✔
❑ DSt (pn) -> not DSt (tpn) ✔
❑ not DTr (pn) -> DTr (tpn) ✘
GENERALLY
❑
❑
E-properties: prop (pn) -> prop (tpn)
-properties: prop (pn) <- prop (tpn)A
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 15 / 41
PROBE EFFECT
❑ observation -the system exhibits in test mode other (less) behavior than in standard operation mode
❑ cause -sw test means (debugger) affect the timing behavior
❑ result -masking of certain types of system behavior / bugs
-> DSt (pn) -> not DSt (tpn)-> live(pn) -> not live (tpn)-> not BND (pn) -> BND (tpn)
❑ consequence -systematic & exhaustive testing of concurrent systems is generally impossible
❑ wayout -qualitative models considering any timing behavior
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 16 / 41
TIME-INVARIANT
NET STRUCTURES
❑ time-invariant == time independently live
❑ D nets [Starke 90]
-> homogenous ES nets
❑ generalization ?
-> behavioral ES nets ?
❑ troublemaker - confusing combination of channel and control flow conflicts
-> “The problem is choice !”
allowed not allowed
t1 t2 t3
m1 m2
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 17 / 41
CONFUSION
❑ concurrency and conflict overlap
->
-> t1 # t2 and t2 # t3,but t1 concurrent to t3
❑ case 1: t1 < t3
-> conflict t2 # t3 disappears,firing of t3 does not involve a conflict decision
❑ case 2: t3 < t1
-> conflict t2 # t3 exists,firing of t3 involves a conflict decision
❑ the interleaving sequences of concurrencymay encounter different amount of decisions
❑ an observer outside of the systemdoes not know whether a decision took place or not
t1
t2
t3
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 18 / 41
ARE THERE
TIME-INVARIANT
SOFTWARE STRUCTURES ?
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 19 / 41
INFLUENCE OF
COMMUNICATION PATTERNS
ON NET STRUCTURE CLASSES
❑ simplified view
-> provided, pre- and postprocesses do not access the same communication object from different control points
addressingwaiting\
direct /semi-direct-by-
sender
indirect /semi-direct-by-
receiver
determininistic EFC ES
non-deterministic ES ICP
known to be time-independently live [Starke 90]
i.e. a live net remains live under any constant delay timing.
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 20 / 41
INFLUENCE OF
COMMUNICATION PATTERNS
ON CONFLICT STRUCTURES
\addressingwaiting
direct /semi-direct-by-
sender
indirect /semi-direct-by-
receive
deterministic
nodynamic
channel & control flow conflictsappear onlyseparately
non-deterministic
channelconflicts confusing
combination of channel & control
flow conflicts possible
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 21 / 41
WHICH KIND OF
TIME MODEL ? (2)
❑ adequate characterization of time consumption
-> alternatives, iterations
-> time nets, [Merlin 74]interval nets, I nets
❑ structural simplicity, e. g. alternative as
duration net interval net(with token reservation) (no token reservation )(constant times) (interval times)(firing consumes time) (firing itself timeless)
❑ duration interval net, DI net
-> interval times
-> with token reservation
-> firing consumes time
a[ ]
b[ ]
a a,[ ]0 0,[ ]
b b,[ ]0 0,[ ]
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 22 / 41
NON-STOCHASTIC
T-TIME-DEPENDENTPETRI NETS, OVERVIEW
non-preemptive(token reservation)
preemptive(no token
reservation)
constant
timed nets[Ramchandani 74]
-> (non-preemptive)duration nets
D NETS
- / -
-> preemptiveduration nets
interval
- / -
-> non-preemptiveinterval nets
DI NETS
time nets[Merlin 74]
-> (preemptive)interval nets
I NETS
times
firingprinciple
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 23 / 41
RELATION OF
TIME-DEPENDENT PETRI NETS(TRANSITION → TIME)
I NETS
D NETS DI NETS
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 24 / 41
TRANSFORMATION
DI NET -> I / D NET
(2)
t2_free
t1_free
<5>
<4>
t1_2<2>
p1
t1_1<1>
<3>
p2
t2_free
t1_free
t2_run
t1_run
[0,0]
[0,0]p1
t1[1,2]
t2[3,5]
p2
p2
t2[3,5]
t1[1,2]
p1
DI NET
I NET
D NET
t2_3
t2_4
t2_5
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 25 / 41
ZERO TEST FOR
TURING POWER
test
t5<1>
t4<1>
t3<1>
t2<1>
t1<1>p
pFalse
pTrue
ptest
tTrue[1,1]
tFalse[2,2]
pTrue pFalse
pFalsepTrue
tFalsetTrue
test p
PETRI NET ?
I NET
D NET
False: t1, t2, t4True:t1, t2+t3, t5
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 26 / 41
TIME-INVARIANT
NET STRUCTURES (I NETS)
A live Petri net remains live under any timing, [Popova 95]
❑ if it is persistent,
❑ if the earliest firing time of all transitions is zero,
❑ if the latest firing time of all transitions is infinite,
❑ if it is an homogeneous & timely homogeneous EFC without purely immediate transitions
❑ if it is an homogeneous & timely homogeneous behaviourally free choice net without purely immediate transitions.
AG ( enabled (t1) ⇔ enabled (t2) )
p3p2
t2t1[1,2] [3,4]
p3p2
t2t1
p1
23
[1,3] [2,4]
not homogeneous not timely homogeneousp2
4
4
p1
22
p2
4
4
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 27 / 41
WORST-CASE EVALUATION
WITH DI NETS,INPUT PARAMETERS
❑ time consumption of sequential program partsat least l time units
(lower bound of duration time, low(tij) = l )
at most m time units (upper bound of duration time, upp(tij) = m )
or any (continuous) time in between
measured by monitoring ORcalculated from computer instructions
❑ no explicitbranching probabilities
i jti j = l m[ , ]
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 28 / 41
COMMUNICATION
TIME MODEL
(of communication medium)transmission time
time to
write into
channel
time to
read from
channel
receiving
sending
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 29 / 41
WORST-CASE EVALUATION
WITH DI NETSOUTPUT PARAMETERS
❑ min execution duration (shortest path),
max execution duration(largest path)
❑ esp. valuable for systems which require predictable timing behaviour(to meet given deadlines)
❑ calculations can be based on discrete reachability graph(only integer states)
-> INA
begin end
tbegin end, min max,[ ]=
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 30 / 41
COMPUTATION OF MINIMAL PATH
BY LOWER BOUNDS ONLY,COUNTER EXAMPLE
weimar
fast_train[2,3]
slow_train[10,12]
in_fast_trainin_slow_train
take_fast_train[1,1]
take_slow_train[1,1]
leipzig2leipzig1
berlin2leipzig[4,6]
dresden2leipzig[3,4]
berlindresden
min_duration(dresden, weimar):D net with lower bounds only: 14DI net with lower and upper bounds: 7
-> maximal path by upper bounds only ? (!)
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 31 / 41
COUNTER EXAMPLE
AS D NET
fast_train
<3><12><11>
berlin2leipzig
<6><5><4>
<2>
slow_train
<10>
take_fast_train<1>take_slow_train
<1>
<4>
dresden2leipzig
<3>
weimar
in_fast_trainin_slow_train
leipzig2leipzig1
berlindresden
troublemaker
overlapping time windows ofdresden2leipzig & berlin2leipzig
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 32 / 41
STRUCTURAL COMPRESSION OF
WELL-FORMED NET STRUCTURES,EXAMPLE
endloop[0,0]
a4[3,8]
endpar[1,2]
a7[1,4]
a5[1,1]
a2[3,5]
a6[3,4]
a3[1,5]
a1[2,3]
par[2,3]
p33p23p13
loopendifp12
p11 p31if
init
(0,5)
number of iterations
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 33 / 41
STRUCTURAL COMPRESSION OF
WELL-FORMED NET STRUCTURES,EXAMPLE (CONT.)
endpar[1,2]
a7+endloop[0,20]
a5[1,1]
a2[3,5]
a6[3,4]
a3+a4[1,8]
a1[2,3]
par[2,3]
p33p23p13
loopendifp12
p11 p31if
init
cycle[8,29]
par[2,3]
a1*a2,(a3+a4)*a
[5,24]
endpar[1,2]
endpar[1,2]
a6*(a7+endloop)[3,24]
(a3+a4)*a5[2,9]
a1*a2[5,8]
par[2,3]
init
init
if
p23
p33p23p13
p11 p31if
init
a6*(a7+endloop)
(1)
(2)
(3)
(4)
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 34 / 41
STRUCTURAL COMPRESSION
OF WELL-FORMED NET STRUCTURES,GENERAL
ji
i k j
tik= tkj=
=
=
a b,[ ]
a b,[ ]
c d,[ ]
c d,[ ]
min a c,( ) max b d,( )[ , ]
= c c,[ ]
= a b,[ ]
=
{mlower bound n of iterations givenupper
assumption:
tij
tij
tij =
t''ij=
t'ij
tij
{ }}
tij
j
j
i
i
a c+ b d+[ , ]
m a c+⋅ n b c+⋅[ , ]
tii
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 35 / 41
STRUCTURAL COMPRESSION
OF WELL-FORMED NET STRUCTURES,GENERAL (CONT.)
tij ji
i i’ j’ jtii ti’j’ tjj
tjj
ti2j2
ti1j1
tii j
j2
j1
i2
i1
i
ti’j’ = [ max( low(ti1j1), low(ti2j2) ), max( upp(ti1j1), upp(ti2j2) )]
tij = [ low(tii) + low(ti’j’) + low(tjj), upp(tii) + upp(ti’j’) + upp(tjj)]
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 36 / 41
EXAMPLE - INTERVAL EVALUATION
OF NON-WELL-FORMED STRUCTURES,BUT 1-BOUNDED, ACYCLIC, ...
t11[3,7]
t10[6,15]
p13
p11
t7[1,1]
t12[4,8]
t4[4,9]
t5[1,11]
t2[1,5]
t8[7,11]
t9[6,9]
t6[4,6]
t3[4,7]
t1[2,6]
t0[1,9]
p6
p8
p4 p5
p2
p12 p10
p9
p7
p3
p1
p0
[Reske 95, p. 92]
[1,9] [1,9]
[3,15]
[7,22]
[2,14] [2,14]
[6,23]
[11,28] [7,24]
[17,37] [14,34] [13,39] [3,25]
[20,46]
[17,39] [14,34]
[18,42]
[18,46] cycle time
[7,23]
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 37 / 41
INTERVAL EVALUATION,GENERAL PROCEDURE
❑ net structure transformation[ first state -> init state ][ last state -> dead state ]resolution of (unlimited) cycles, if any
❑ net type transformation DI net -> I net orDI net -> D net;
❑ determine (set of) state numbers offirst statelast state
of the path to be measured;
❑ evaluation of
reachability graph OR ?
other descriptions of all possible behavioursprefix of branching processesconcurrent automaton
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 38 / 41
EXAMPLE OF
NET STRUCTURETRANSFORMATION
endloop[0,0]
a4[3,8]
endpar[1,2]
a7[1,4]
a5[1,1]
a2[3,5]
a6[3,4]
a3[1,5]
a1[2,3]
par[2,3]
count
end
p33p23p13
loopendifp12
p11 p31if
init
(0,5)
MIN ( pathes(init, any dead state) );MAX ( pathes(init, any dead state) );
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 39 / 41
ENVIRONMENT MODEL,WITH EXPLICIT ERROR STATES
PU
SH
ER
with
err
or s
tate
s
too
_fa
rF
too_
near
F
bas
ic2
near
too_
near
too
_far
ext2
far
R2
_on
R1_
on
bas
icn
orm
ext
bas
ic2n
orm
nor
m2
basi
c
norm
2ext
ext
2no
rm
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 40 / 41
CONCURRENT PUSHERS,(PART OF THE) REACHABILITY GRAPH
step1, R1_on, too_far
init, R1_off, basic
step1, R1_on, ext
tr1; R1_set_on;
step2, R1_on, ext
step3, R1_off, ext
step2, R1_on, too_far
tr2
R1_set_off; tr3
ext2far
ext2far
bad state!
Remark: Only the interesting partsof the markings are shown.
bad state!
-> (preemptive) interval nets
unreachability of bad states,mo-dead(ext2far) if:
lft tr2( ) eft ext2far( ) ∧<
lft R1_set_off( ) eft ext2far( )<
dependability engineering with time-dependent Petri nets June 2004
[email protected] 13 - 41 / 41
REFERENCES
[Bause 96]Bause; F.; Kritzinger, P. S.:Stochastic Petri Nets, An Introduction to the Theory;Vieweg 1996.
[Heiner 97a]Heiner, M., Popova-Zeugmann, P.: Worst-case Analysis of Concurrent Systems with Duration Interval Petri Nets;Proc. 5. Fachtagung Entwurf komplexer Automatisierungssysteme (EKA ’97), Braunschweig,May 1997, pp. 162-179.
[Heiner 97b]Heiner. M.; Popova-Zeugmann, L.:On Integration of Qualitative and Quantitative Analysis of Manufacturing Systems Using PetriNets;Proc. 42. Int. wissenschaftliches Kolloquium (IWK ’97), Ilmenau, September 1997, Vol. 1, pp.557-562.
[Merlin 74]Merlin, P.: A Study of the Recoverability of Communication Protocols; PhD Thesis, Univ. of California, Computer Science Dep., Irvine, 1974.
[Popova 91] Popova, L.: On Time Petri Nets; J. Information Processing and Cybernetics EIK 27(91)4, 227-244.
[Popova 94] Popova-Zeugmann, L.: On Time Invariance in Time Petri Nets; Humboldt University at Berlin, Informatik-Bericht No. 39, December 1994.
[Popova 95] Popova, L.: On Liveness and Boundedness in Time Petri Nets;Proc. CSP ‘95 Workshop, Warsaw, October 1995, pp. 136-145.
[Ramchandani 74]Ramchandani, C.: Analysis of Asynchronous Concurrrent Systems Using Petri Nets; PhD Thesis, MIT, TR 120, Cambridge (Mass.), 1974.
[Starke 90]Starke, P. H.:Analysis of Petri Net Models (in German);B.G.Teubner 1990.
[Starke 95] Starke, P.: A Memo On Time Constraints in Petri Nets; Humboldt-University zu Berlin, Informatik-Bericht Nr. 46, August 1995.